=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/etc/rc,v retrieving revision 1.463 retrieving revision 1.464 diff -c -r1.463 -r1.464 *** src/etc/rc 2015/09/13 13:29:22 1.463 --- src/etc/rc 2015/09/29 17:40:56 1.464 *************** *** 1,4 **** ! # $OpenBSD: rc,v 1.463 2015/09/13 13:29:22 rpe Exp $ # System startup script run by init on autoboot or after single-user. # Output and error are redirected to console by init, and the console is the --- 1,4 ---- ! # $OpenBSD: rc,v 1.464 2015/09/29 17:40:56 rpe Exp $ # System startup script run by init on autoboot or after single-user. # Output and error are redirected to console by init, and the console is the *************** *** 267,279 **** echo 'setting tty flags' ttyflags -a ! if [ -f /sbin/kbd -a -f /etc/kbdtype ]; then ! kbd `cat /etc/kbdtype` fi wsconsctl_conf ! if [ X"${pf}" != X"NO" ]; then RULES="block all" RULES="$RULES\npass on lo0" RULES="$RULES\npass in proto tcp from any to any port ssh keep state" --- 267,281 ---- echo 'setting tty flags' ttyflags -a ! # Set keyboard encoding. ! if [[ -x /sbin/kbd && -s /etc/kbdtype ]]; then ! kbd "$(cat /etc/kbdtype)" fi wsconsctl_conf ! # Set initial temporary pf rule set. ! if [[ $pf != NO ]]; then RULES="block all" RULES="$RULES\npass on lo0" RULES="$RULES\npass in proto tcp from any to any port ssh keep state" *************** *** 291,297 **** fi RULES="$RULES\npass in proto carp keep state (no-sync)" RULES="$RULES\npass out proto carp !received-on any keep state (no-sync)" ! case `sysctl vfs.mounts.nfs 2>/dev/null` in *[1-9]*) # Don't kill NFS. RULES="set reassemble yes no-df\n$RULES" --- 293,299 ---- fi RULES="$RULES\npass in proto carp keep state (no-sync)" RULES="$RULES\npass out proto carp !received-on any keep state (no-sync)" ! case $(sysctl vfs.mounts.nfs 2>/dev/null) in *[1-9]*) # Don't kill NFS. 
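Review bot: The new guard checks `/sbin/kbd` for execute permission, but the next line still runs bare `kbd`, so which binary executes depends on the PATH set outside this hunk. Calling the checked path directly, `/sbin/kbd "$(cat /etc/kbdtype)"`, keeps the test and the call tied to the same file. The quoting also means the whole content of /etc/kbdtype now arrives as one argument where the old backtick form was word-split; that looks intended, but is worth a word in the new `# Set keyboard encoding.` comment. The `if [[ $pf != NO ]]` block that opens in this hunk continues past its end.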
RULES="set reassemble yes no-df\n$RULES" *************** *** 299,305 **** RULES="$RULES\npass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any" ;; esac ! echo $RULES | pfctl -f - pfctl -e fi --- 301,307 ---- RULES="$RULES\npass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any" ;; esac ! print -- "$RULES" | pfctl -f - pfctl -e fi *************** *** 309,331 **** sysctl_conf - # Set hostname, turn on network. echo 'starting network' ifconfig -g carp carpdemote 128 ! if [ -f /etc/resolv.conf.save ]; then mv -f /etc/resolv.conf.save /etc/resolv.conf touch /etc/resolv.conf fi sh /etc/netstart dmesg >/dev/random # Any write triggers a rekey. # Load pf rules and bring up pfsync interface. ! if [ X"${pf}" != X"NO" ]; then ! if [ -f /etc/pf.conf ]; then pfctl -f /etc/pf.conf fi ! # Bring up pfsync after the working ruleset has been loaded. ! if [ -f /etc/hostname.pfsync0 ]; then sh /etc/netstart pfsync0 fi fi --- 311,338 ---- sysctl_conf echo 'starting network' + + # Set carp interlock by increasing the demotion counter. + # Prevents carp from preempting until the system is booted. ifconfig -g carp carpdemote 128 ! ! # Recover resolv.conf in case dhclient died hard. ! if [[ -f /etc/resolv.conf.save ]]; then mv -f /etc/resolv.conf.save /etc/resolv.conf touch /etc/resolv.conf fi + sh /etc/netstart + dmesg >/dev/random # Any write triggers a rekey. # Load pf rules and bring up pfsync interface. ! if [[ $pf != NO ]]; then ! if [[ -f /etc/pf.conf ]]; then pfctl -f /etc/pf.conf fi ! if [[ -f /etc/hostname.pfsync0 ]]; then sh /etc/netstart pfsync0 fi fi *************** *** 340,347 **** (cd /var/run && { rm -rf -- *; install -c -m 664 -g utmp /dev/null utmp; }) (cd /var/authpf && rm -rf -- *) ! # Save a copy of the boot messages. ! dmesg >/var/run/dmesg.boot make_keys --- 347,353 ---- (cd /var/run && { rm -rf -- *; install -c -m 664 -g utmp /dev/null utmp; }) (cd /var/authpf && rm -rf -- *) ! 
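Review bot: The temporary rule set reaches pfctl as separate lines only because `print` without `-r` expands the literal `\n` sequences stored in RULES, and nothing on the `print -- "$RULES" | pfctl -f -` line says so. I would add `# RULES holds literal \n; print (no -r) expands them to one rule per line.` above it, so that a later switch to `print -r` or `printf '%s'` does not hand pfctl a single unparsable line. The status of `pfctl -f -` is also not checked before `pfctl -e`, so a load failure would presumably leave pf enabled without the boot rule set; a console warning on failure would make that visible. The enclosing `if` opens before this hunk.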
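Review bot: The new side drops `# Bring up pfsync after the working ruleset has been loaded.`, which was the only statement of why `sh /etc/netstart pfsync0` has to follow `pfctl -f /etc/pf.conf`. The remaining header `# Load pf rules and bring up pfsync interface.` names both steps without saying that the order matters. I would keep a short form above the inner test, for example `# pfsync0 comes up only after the working rule set is loaded.`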
dmesg >/var/run/dmesg.boot # Save a copy of the boot messages. make_keys *************** *** 351,392 **** echo '.' # Load IPsec rules. ! if [ X"${ipsec}" != X"NO" ]; then ! if [ -f /etc/ipsec.conf ]; then ! ipsecctl -f /etc/ipsec.conf ! fi fi echo -n 'starting RPC daemons:' start_daemon portmap ypldap ! if [ X"`domainname`" != X"" ]; then start_daemon ypserv ypbind yppasswdd fi start_daemon mountd nfsd lockd statd amd echo '.' mount -a swapctl -A -t noblk - - # Check and mount networked filesystems. do_fsck -N mount -a -N # /var/crash should be a directory or a symbolic link to the crash directory # if core dumps are to be saved. ! if [ -d /var/crash ]; then ! savecore ${savecore_flags} /var/crash fi ! if [ X"${check_quotas}" = X"YES" ]; then echo -n 'checking quotas:' quotacheck -a echo ' done.' quotaon -a fi ! kvm_mkdb # build kvm(3) databases dev_mkdb chmod 666 /dev/tty[pqrstuvwxyzPQRST]* chown root:wheel /dev/tty[pqrstuvwxyzPQRST]* --- 357,398 ---- echo '.' # Load IPsec rules. ! if [[ $ipsec != NO && -f /etc/ipsec.conf ]]; then ! ipsecctl -f /etc/ipsec.conf fi echo -n 'starting RPC daemons:' start_daemon portmap ypldap ! if [[ -n $(domainname) ]]; then start_daemon ypserv ypbind yppasswdd fi start_daemon mountd nfsd lockd statd amd echo '.' + # Check and mount remaining file systems and enable additional swap. mount -a swapctl -A -t noblk do_fsck -N mount -a -N # /var/crash should be a directory or a symbolic link to the crash directory # if core dumps are to be saved. ! if [[ -d /var/crash ]]; then ! savecore $savecore_flags /var/crash fi ! if [[ $check_quotas == YES ]]; then echo -n 'checking quotas:' quotacheck -a echo ' done.' quotaon -a fi ! # Build kvm(3) and /dev databases. ! kvm_mkdb dev_mkdb + + # Set proper permission for the tty device files. chmod 666 /dev/tty[pqrstuvwxyzPQRST]* chown root:wheel /dev/tty[pqrstuvwxyzPQRST]*
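Review bot: When ipsec is enabled but /etc/ipsec.conf is absent, the merged test `[[ $ipsec != NO && -f /etc/ipsec.conf ]]` skips `ipsecctl` without any console message, so the system boots with no IPsec rules loaded and nothing shows it. The old nested form behaved the same way, so this is a gap the commit carries over rather than a regression. A one-line warning after the block would surface it, for example `if [[ $ipsec != NO && ! -f /etc/ipsec.conf ]]; then echo 'ipsec enabled but /etc/ipsec.conf missing'; fi`. Whether an unset `ipsec` should count as enabled here depends on defaults set outside this hunk.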