#!/bin/sh -
#
# $OpenBSD: netstart,v 1.174 2017/04/07 22:15:17 rpe Exp $

# Turn off Strict Bourne shell mode.
# The rest of this file relies on OpenBSD ksh extensions ([[ ]], set -A,
# print, (( )), @() and +() patterns), so it is a ksh script despite the
# /bin/sh shebang.
set +o sh

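# Echo file $1 to stdout. Skip comment lines and delete everything
# after the first '#' from other lines. Strip leading and trailing
# whitespace if IFS is set.
# Usage: stripcom /path/to/file
#
# A missing file produces no output and a non-zero status. The text
# printed for a line is everything before its first '#', so whitespace
# right before an inline comment is kept ("foo # bar" prints "foo ").
stripcom() {
	local _file=$1 _line

	[[ -f $_file ]] || return

	# 'read' is used without -r, as before: with the default IFS it
	# strips surrounding whitespace, but it also interprets backslashes.
	while read _line; do
		# Cut the line at the first '#'; print what is left, if anything.
		# (Previously the whole line was printed, which did not match
		# the description above.)
		_line=${_line%%#*}
		[[ -n $_line ]] && print -r -- "$_line"
	done <$_file
}
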
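# Start a single interface.
# Usage: ifstart if1
#
# Reads /etc/hostname.$if line by line and turns every line into a
# command string that is run with eval as root: ifconfig(8) for address
# lines, ifconfig+dhclient(8) for "dhcp", and an arbitrary command for
# lines starting with '!'. That is why the file's mode and ownership are
# checked before anything is parsed. Parsing state ($af, $name, $mask,
# $bcaddr, $ext1, $ext2, $cmd, $cmd2, $dt, $dtaddr, $alias, $file, $stat)
# lives in globals; $dhcpif and $rtsolif accumulate, across calls, the
# interfaces that need dhclient and IPv6 autoconf respectively.
ifstart() {
	# Note: Do not rename the 'if' variable which is documented as being
	# usable in hostname.if(5) files.
	if=$1

	# Interface names must be alphanumeric only. We check to avoid
	# configuring backup or temp files, and to catch the "*" case.
	# The pattern is letters followed by digits, e.g. em0.
	[[ $if != +([[:alpha:]])+([[:digit:]]) ]] && return

	file=/etc/hostname.$if
	if ! [ -f $file ]; then
		echo "netstart: $file: No such file or directory"
		return
	fi
	# Not using stat(1), we can't rely on having /usr yet.
	# ls -nL gives the mode string in [0], the numeric uid in [2] and the
	# numeric gid in [3] (-n: numeric ids, -L: look at the symlink
	# target). Dropping the first seven mode characters leaves only the
	# "other" bits, which must be "---" and the owner root:wheel.
	set -A stat -- $(ls -nL $file)
	if [ "${stat[0]#???????} ${stat[2]} ${stat[3]}" != "--- 0 0" ]; then
		echo "WARNING: $file is insecure, fixing permissions"
		chmod -LR o-rwx $file
		chown -LR root.wheel $file
		# Note that the file is still parsed and eval'ed below after the
		# fix; the warning is the only hint that a world-accessible file
		# may have been modified by someone else.
	fi
	# Check for ifconfig'able interface.
	(ifconfig $if || ifconfig $if create) >/dev/null 2>&1 || return

	# $cmd2 holds a line read ahead by the parser below. It is a global,
	# so clear it here: an early return inside the loop (e.g. "inet alone
	# is invalid") could otherwise leave a line from the previous
	# interface's file behind, to be applied to this interface.
	cmd2=

	# Now parse the hostname.* file.
	while :; do
		if [ "$cmd2" ]; then
			# We are carrying over from the 'read dt dtaddr'
			# last time.
			set -- $cmd2
			af=$1 name=$2 mask=$3 bcaddr=$4 ext1=$5 cmd2=
			# Make sure and get any remaining args in ext2,
			# like the read below.
			# Drop the five fields already assigned so ext2 gets whatever
			# is left, mirroring how 'read' fills its last variable.
			i=1
			while [ $i -lt 6 -a -n "$1" ]; do shift; let i=i+1; done
			ext2="$@"
		else
			# Read the next line or exit the while loop.
			read af name mask bcaddr ext1 ext2 || break
		fi
		# $af can be "dhcp", "up", "rtsol", an address family, commands,
		# or a comment.
		case "$af" in
		"#"*|"")
			# Skip comments and empty lines.
			continue
			;;
		"!"*)	# Parse commands.
			# Everything after the '!' is run verbatim by the eval below.
			cmd="${af#*!} ${name} ${mask} ${bcaddr} ${ext1} ${ext2}"
			;;
		"dhcp")
			[ "$name" = "NONE" ] && name=
			[ "$mask" = "NONE" ] && mask=
			[ "$bcaddr" = "NONE" ] && bcaddr=
			cmd="ifconfig $if $name $mask $bcaddr $ext1 $ext2 down"
			cmd="$cmd;dhclient $if"
			dhcpif="$dhcpif $if"
			;;
		"rtsol")
			rtsolif="$rtsolif $if"
			cmd="ifconfig $if $name $mask $bcaddr $ext1 $ext2 up"
			;;
		*)
			# Look ahead one line: a "dest ADDR" line belongs to this
			# address; anything else is parked in $cmd2 and handled on
			# the next iteration instead of being read again.
			read dt dtaddr
			if [ "$name" = "alias" ]; then
				# Perform a 'shift' of sorts.
				alias=$name
				name=$mask
				mask=$bcaddr
				bcaddr=$ext1
				ext1=$ext2
				ext2=
			else
				alias=
			fi
			cmd="ifconfig $if $af $alias $name"
			case "$dt" in
			dest)
				cmd="$cmd $dtaddr"
				;;
			*)
				cmd2="$dt $dtaddr"
				;;
			esac
			case $af in
			inet)
				if [ ! -n "$name" ]; then
					echo "/etc/hostname.$if: inet alone is invalid"
					return
				fi
				[ "$mask" ] && cmd="$cmd netmask $mask"
				if [ "$bcaddr" -a "X$bcaddr" != "XNONE" ]; then
					cmd="$cmd broadcast $bcaddr"
				fi
				;;
			inet6)
				if [ ! -n "$name" ]; then
					echo "/etc/hostname.$if: inet6 alone is invalid"
					return
				fi
				[ "$mask" ] && cmd="$cmd prefixlen $mask"
				cmd="$cmd $bcaddr"
				;;
			*)
				cmd="$cmd $mask $bcaddr"
				;;
			esac
			cmd="$cmd $ext1 $ext2"
			;;
		esac
		# Run the assembled command. Apart from the interface name every
		# word in $cmd came from the file, hence the ownership check above.
		eval "$cmd"
	done <$file
}
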
# Start multiple interfaces by driver name.
# Usage: ifmstart "em iwm" "trunk vlan"
# Start "$1" interfaces in order or all interfaces if empty.
# Don't start "$2" interfaces. "$2" is optional.
#
# Interfaces are discovered from the /etc/hostname.* files; the driver
# name is the file suffix with its trailing unit number removed
# (em0 -> em). Every hostname.* file is scanned once per driver in "$1",
# so the order of "$1" is the start order.
ifmstart() {
	local _sifs=$1 _xifs=$2 _hn _if _sif _xif _drv

	for _sif in ${_sifs:-ALL}; do
		for _hn in /etc/hostname.*; do
			_if=${_hn#/etc/hostname.}
			# An unmatched glob is left as is: no hostname files at all.
			[[ $_if == '*' ]] && continue
			_drv=${_if%%[0-9]*}

			# Skip unwanted ifs.
			for _xif in $_xifs; do
				if [[ $_xif == $_drv ]]; then
					continue 2
				fi
			done

			# Start wanted ifs; "ALL" matches every driver.
			[[ $_sif == ALL || $_sif == $_drv ]] && ifstart $_if
		done
	done
}

# IPv6 autoconf the interfaces in the $rtsolif list.
# Usage: ifv6autoconf
ifv6autoconf() {
	local _if

	# Probe the kernel instead of testing $ip6kernel: that variable is
	# not set when the script was invoked with a list of interface names.
	if ! ifconfig lo0 inet6 >/dev/null 2>&1; then
		return 0
	fi

	# $rtsolif is filled by ifstart() from "rtsol" lines in hostname.if files.
	for _if in $rtsolif; do
		ifconfig $_if inet6 autoconf
	done
}

# Parse /etc/mygate and add default routes for IPv4 and IPv6
# Usage: defaultroute
#
# Gateways are read from /etc/mygate through stripcom(), one per line.
# The first IPv4 gateway route(8) accepts wins, and likewise the first
# IPv6 one. An address family is skipped when $dhcpif (IPv4) or $rtsolif
# (IPv6) is non-empty, presumably because dhclient/autoconf then provide
# the default route. Note that '|' binds tighter than '&&', so each whole
# pipeline below is conditional on the test in front of it.
defaultroute() {
	# IPv4: only when no interface is handled by dhclient.
	[[ -z $dhcpif ]] && stripcom /etc/mygate | while read gw; do
		# Anything containing ':' is an IPv6 gateway; leave it for below.
		[[ $gw == *:* ]] && continue
		route -qn delete default >/dev/null 2>&1
		route -qn add -host default $gw && break
	done
	# IPv6: only when no interface uses autoconf.
	[[ -z $rtsolif ]] && stripcom /etc/mygate | while read gw; do
		# Skip everything that is not an IPv6 gateway.
		[[ $gw == *:* ]] || continue
		route -qn delete -inet6 default >/dev/null 2>&1
		route -qn add -host -inet6 default $gw && break
	done
}

# Make sure the invoking user has the right privileges.
# Everything below reconfigures the kernel and fixes file ownership, so
# bail out early for anyone but uid 0.
(($(id -u) == 0)) || {
	echo "${0##*/}: need root privileges"
	exit 1
}

# Get network related vars from rc.conf using the parsing routine from rc.subr.
# FUNCS_ONLY=1 presumably makes rc.subr only define its functions; see rc.subr.
FUNCS_ONLY=1 . /etc/rc.d/rc.subr
_rc_parse_conf

# If we were invoked with a list of interface names, just reconfigure these
# interfaces (or bridges), add default routes and return.
if (($# > 0)); then
	for _if in "$@"; do
		ifstart $_if
	done
	ifv6autoconf
	defaultroute
	# 'return' rather than 'exit', presumably so that this also works when
	# the script is sourced.
	return
fi

# Otherwise, process with the complete network initialization.

# /etc/myname contains my symbolic name.
[[ -f /etc/myname ]] && hostname "$(stripcom /etc/myname)"

# Set the address for the loopback interface. Bringing the interface up,
# automatically invokes the IPv6 address ::1.
ifconfig lo0 inet 127.0.0.1/8

if ifconfig lo0 inet6 >/dev/null 2>&1; then
	# IPv6 configurations.
	ip6kernel=YES

	# Install reject routes, via ::1, for prefixes that must never be
	# reachable through a real interface. Each data line below is
	# "prefix prefixlen", in the order the routes are added; lines
	# starting with '#' are explanations and are skipped, the same way
	# stripcom() skips them in config files.
	while read _pfx _len; do
		[[ -n ${_pfx%%#*} ]] || continue
		route -qn add -inet6 $_pfx -prefixlen $_len ::1 -reject >/dev/null
	done <<-'EOF'
	# Disallow link-local unicast dest without outgoing scope identifiers.
	fe80::		10

	# Disallow site-local unicast dest without outgoing scope identifiers.
	# If you configure site-locals without scope id (it is permissible
	# config for routers that are not on scope boundary), you may want
	# to comment the line out.
	fec0::		10

	# Disallow "internal" addresses to appear on the wire.
	::ffff:0.0.0.0	96

	# Disallow packets to malicious IPv4 compatible prefix.
	::224.0.0.0	100
	::127.0.0.0	104
	::0.0.0.0	104
	::255.0.0.0	104

	# Disallow packets to malicious 6to4 prefix.
	2002:e000::	20
	2002:7f00::	24
	2002:0000::	24
	2002:ff00::	24

	# Disallow packets without scope identifier.
	ff01::		16
	ff02::		16

	# Completely disallow packets to IPv4 compatible prefix.
	#
	# This may conflict with RFC1933 under following circumstances:
	# (1) An IPv6-only KAME node tries to originate packets to IPv4
	# compatible destination. The KAME node has no IPv4 compatible
	# support. Under RFC1933, it should transmit native IPv6
	# packets toward IPv4 compatible destination, hoping it would
	# reach a router that forwards the packet toward auto-tunnel
	# interface.
	# (2) An IPv6-only node originates a packet to an IPv4 compatible
	# destination. A KAME node is acting as an IPv6 router, and
	# asked to forward it.
	#
	# Due to rare use of IPv4 compatible addresses, and security issues
	# with it, we disable it by default.
	::0.0.0.0	96
	EOF

	rtsolif=""
else
	ip6kernel=NO
fi


# Configure all the non-loopback interfaces which we know about, but
# do not start interfaces which must be delayed. Refer to hostname.if(5)
# The second argument lists the drivers skipped in this pass; every other
# hostname.* file is started now.
ifmstart "" "trunk svlan vlan carp gif gre pfsync pppoe tun bridge switch pflow"

# The trunk interfaces need to come up first in this list.
# The (s)vlan interfaces need to come up after trunk.
# Configure all the carp interfaces which we know about before default route.
ifmstart "trunk svlan vlan carp"

# Now that $rtsolif has been populated, IPv6 autoconf those interfaces
ifv6autoconf

# Look for default routes in /etc/mygate.
# Per address family this is skipped when dhclient or autoconf is in use;
# see defaultroute().
defaultroute

# Multicast routing.
# $multicast comes from rc.conf via _rc_parse_conf; anything other than
# YES, including unset, installs a reject route for 224/4.
if [[ $multicast != YES ]]; then
	route -qn delete 224.0.0.0/4 >/dev/null 2>&1
	route -qn add -net 224.0.0.0/4 -interface 127.0.0.1 -reject >/dev/null
fi

# Configure PPPoE, GIF, GRE, TUN and PFLOW interfaces, delayed because they
# require routes to be set. TUN might depend on PPPoE, and GIF or GRE may
# depend on either of them. PFLOW might bind to ip addresses configured
# on either of them.
# NOTE(review): pfsync is excluded from the first pass but started by no
# ifmstart call in this file; presumably it is brought up elsewhere once
# pf is enabled -- confirm against /etc/rc.
ifmstart "pppoe tun gif gre bridge switch pflow"

# Reject 127/8 other than 127.0.0.1.
route -qn add -net 127 127.0.0.1 -reject >/dev/null

# Wait for IPv6 duplicate address detection to finish ($ip6kernel was
# set by the loopback setup above).
if [[ $ip6kernel == YES ]]; then
	# This is to make sure DAD is completed before going further.
	# Poll net.inet6.ip6.dad_pending once a second, giving up after ten
	# polls. The sysctl is expanded before the arithmetic is evaluated,
	# so it runs on every iteration, including the last one.
	count=0
	until ((count++ >= 10 || $(sysctl -n net.inet6.ip6.dad_pending) == 0)); do
		sleep 1
	done
fi