3 # $OpenBSD: netstart,v 1.130 2010/06/16 23:45:57 todd Exp $
5 # Strip comments (and leading/trailing whitespace, when IFS is set)
6 # from the file named in $1 and write the remaining lines to stdout
11 [[ -n ${_l%%#*} ]] && echo $_l
15 # Returns true if $1 contains only alphanumerics
19 while [ ${#_n} != 0 ]; do
29 # Start the $1 interface
32 # Interface names must be alphanumeric only. We check to avoid
33 # configuring backup or temp files, and to catch the "*" case.
34 if ! isalphanumeric "$if"; then
38 file=/etc/hostname.$if
39 if ! [ -f $file ]; then
40 echo "netstart: $file: No such file or directory"
43 # Not using stat(1): /usr may not be mounted yet, so parse ls(1) output instead. The check below requires the file to be owned by uid 0 / gid 0 with no permission bits for "other" (group bits are not checked); it is treated as trusted configuration.
44 set -A stat -- `ls -nL $file`
45 if [ "${stat[0]#???????} ${stat[2]} ${stat[3]}" != "--- 0 0" ]; then
46 echo "WARNING: $file is insecure, fixing permissions"
48 chown -LR root.wheel $file
50 ifconfig $if > /dev/null 2>&1
51 if [ "$?" != "0" ]; then
52 # Try to create interface if it does not exist
53 ifconfig $if create > /dev/null 2>&1
54 if [ "$?" != "0" ]; then
59 # Now parse the hostname.* file
62 # We are carrying over from the 'read dt dtaddr'
65 af="$1" name="$2" mask="$3" bcaddr="$4" ext1="$5" cmd2=
66 # Make sure to collect any remaining args in ext2,
69 while [ $i -lt 6 -a -n "$1" ]; do shift; let i=i+1; done
72 # Read the next line or exit the while loop.
73 read af name mask bcaddr ext1 ext2 || break
75 # $af can be "dhcp", "up", "rtsol", an address family,
76 # a command (prefixed with '!'), or a comment.
78 "#"*|"") # skip comments and empty lines
81 "!"*) # parse commands
82 cmd="${af#*!} ${name} ${mask} ${bcaddr} ${ext1} ${ext2}"
85 [ "$name" = "NONE" ] && name=
86 [ "$mask" = "NONE" ] && mask=
87 [ "$bcaddr" = "NONE" ] && bcaddr=
88 cmd="ifconfig $if $name $mask $bcaddr $ext1 $ext2 down"
89 cmd="$cmd;dhclient $if"
93 rtsolif="$rtsolif $if"
94 cmd="ifconfig $if $name $mask $bcaddr $ext1 $ext2 up"
98 if [ "$name" = "alias" ]; then
99 # perform a 'shift' of sorts
109 cmd="ifconfig $if $af $alias $name"
120 if [ ! -n "$name" ]; then
121 echo "/etc/hostname.$if: inet alone is invalid"
124 [ "$mask" ] && cmd="$cmd netmask $mask"
125 if [ "$bcaddr" -a "X$bcaddr" != "XNONE" ]; then
126 cmd="$cmd broadcast $bcaddr"
128 [ "$alias" ] && rtcmd=";route -qn add -host $name 127.0.0.1"
131 if [ ! -n "$name" ]; then
132 echo "/etc/hostname.$if: inet6 alone is invalid"
135 [ "$mask" ] && cmd="$cmd prefixlen $mask"
139 cmd="$cmd $mask $bcaddr"
142 cmd="$cmd $ext1 $ext2$rtcmd" rtcmd=
146 done < /etc/hostname.$if
150 # Start the interface types listed in $1, in that order (or all interfaces if $1 is empty);
151 # never start the interface types listed in $2.
153 for sif in ${1:-ALL}; do
154 for hn in /etc/hostname.*; do
155 # Strip off /etc/hostname. prefix
156 if=${hn#/etc/hostname.}
157 test "$if" = "*" && continue
162 test "$xf" = "${if%%[0-9]*}" && s="1" && break
164 test "$s" = "1" && continue
167 test "$sif" = "ALL" -o \
168 "$sif" = "${if%%[0-9]*}" \
174 # Re-read /etc/rc.conf
177 # If we were invoked with a list of interface names, just reconfigure these
178 # interfaces (or bridges) and return.
179 if [ $1x = autobootx ]; then
182 if [ $# -gt 0 ]; then
183 while [ $# -gt 0 ]; do
190 # Otherwise, process with the complete network initialization.
192 # /etc/myname contains my symbolic name
193 if [ -f /etc/myname ]; then
194 hostname=`stripcom /etc/myname`
200 if [ -f /etc/defaultdomain ]; then
201 domainname `stripcom /etc/defaultdomain`
204 # Set the address for the loopback interface. Bringing the
205 # interface up automatically configures the IPv6 address ::1 as well.
206 ifconfig lo0 inet 127.0.0.1/8
208 if ifconfig lo0 inet6 >/dev/null 2>&1; then
209 # IPv6 configurations.
212 # Disallow link-local unicast dest without outgoing scope identifiers.
213 route -qn add -inet6 fe80:: -prefixlen 10 ::1 -reject > /dev/null
215 # Disallow site-local unicast dest without outgoing scope identifiers.
216 # If you configure site-locals without a scope id (a permissible
217 # configuration for routers that are not on a scope boundary), you may want
218 # to comment this line out.
219 route -qn add -inet6 fec0:: -prefixlen 10 ::1 -reject > /dev/null
221 # Disallow "internal" (IPv4-mapped) addresses from appearing on the wire.
222 route -qn add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject > /dev/null
224 # Disallow packets to IPv4-compatible prefixes that embed invalid IPv4 destinations: 224/4 (multicast), 127/8 (loopback), 0/8 and the reserved 255/8.
225 route -qn add -inet6 ::224.0.0.0 -prefixlen 100 ::1 -reject > /dev/null
226 route -qn add -inet6 ::127.0.0.0 -prefixlen 104 ::1 -reject > /dev/null
227 route -qn add -inet6 ::0.0.0.0 -prefixlen 104 ::1 -reject > /dev/null
228 route -qn add -inet6 ::255.0.0.0 -prefixlen 104 ::1 -reject > /dev/null
230 # Disallow packets to 6to4 prefixes whose embedded IPv4 address is invalid: 2002:e000::/20 (224/4 multicast), 2002:7f00::/24 (127/8 loopback), 2002:0000::/24 (0/8) and 2002:ff00::/24 (255/8).
231 route -qn add -inet6 2002:e000:: -prefixlen 20 ::1 -reject > /dev/null
232 route -qn add -inet6 2002:7f00:: -prefixlen 24 ::1 -reject > /dev/null
233 route -qn add -inet6 2002:0000:: -prefixlen 24 ::1 -reject > /dev/null
234 route -qn add -inet6 2002:ff00:: -prefixlen 24 ::1 -reject > /dev/null
236 # Disallow interface-local (ff01::/16) and link-local (ff02::/16) multicast without a scope identifier.
237 route -qn add -inet6 ff01:: -prefixlen 16 ::1 -reject > /dev/null
238 route -qn add -inet6 ff02:: -prefixlen 16 ::1 -reject > /dev/null
240 # Completely disallow packets to IPv4 compatible prefix.
241 # This may conflict with RFC1933 under the following circumstances:
242 # (1) An IPv6-only KAME node tries to originate packets to IPv4
243 # compatible destination. The KAME node has no IPv4 compatible
244 # support. Under RFC1933, it should transmit native IPv6
245 # packets toward IPv4 compatible destination, hoping it would
246 # reach a router that forwards the packet toward auto-tunnel
248 # (2) An IPv6-only node originates a packet to an IPv4 compatible
249 # destination. A KAME node is acting as an IPv6 router, and
250 # asked to forward it.
251 # Because IPv4-compatible addresses are rarely used and have known
252 # security issues, they are rejected by default.
253 route -qn add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject > /dev/null
261 # Configure all the non-loopback interfaces which we know about, but
262 # do not start interfaces which must be delayed. Refer to hostname.if(5)
263 ifmstart "" "trunk vlan carp gif gre pfsync pppoe tun bridge"
265 # The trunk interfaces need to come up first in this list.
266 # The vlan interfaces need to come up after trunk.
267 # Configure all the carp interfaces which we know about before default route.
268 ifmstart "trunk vlan carp"
270 if [ "$ip6kernel" = "YES" -a "x$rtsolif" != "x" ]; then
271 fw=`sysctl -n net.inet6.ip6.forwarding`
272 ra=`sysctl -n net.inet6.ip6.accept_rtadv`
273 if [ "x$fw" = "x0" -a "x$ra" = "x1" ]; then
274 echo "IPv6 autoconf:$rtsolif"
277 echo "WARNING: inconsistent config - check /etc/sysctl.conf for IPv6 autoconf"
281 # /etc/mygate, if it exists, contains the address or name of my gateway host; a name must be in /etc/hosts, since it is resolved before any default route exists.
282 # Lines without a ':' are tried as IPv4 gateways, lines with one as IPv6 gateways. The static IPv4 default is skipped when $dhcpif is set and the IPv6 one when $rtsolif is set (an interface was configured with dhcp or rtsol respectively).
283 [[ -z $dhcpif ]] && stripcom /etc/mygate | while read gw; do
284 [[ $gw == @(*:*) ]] && continue
285 route -qn delete default > /dev/null 2>&1
286 route -qn add -host default $gw && break
288 [[ -z $rtsolif ]] && stripcom /etc/mygate | while read gw; do
289 [[ $gw == !(*:*) ]] && continue
290 route -qn delete -inet6 default > /dev/null 2>&1
291 route -qn add -host -inet6 default $gw && break
296 # The routing to the 224.0.0.0/4 net is set up according to these rules:
297 # multicast_host   multicast_router   route        comment
298 # NO               NO                 -reject      no multicast
299 # NO               YES                none         installed daemon will run
300 # YES/interface    NO                 -interface   YES=default iface
301 # Any other combination               -reject      config error
302 route -qn delete 224.0.0.0/4 > /dev/null 2>&1
303 case "$multicast_host:$multicast_router" in
305 route -qn add -net 224.0.0.0/4 -interface 127.0.0.1 -reject > /dev/null
310 maddr=`if [ "$multicast_host" = "YES" ]; then
311 ed -s '!route -qn show -inet' <<EOF
315 ed -s "!ifconfig $multicast_host" <<EOF
319 if [ "X${maddr}" != "X" ]; then
321 route -qn add -net 224.0.0.0/4 -interface $2 > /dev/null
323 route -qn add -net 224.0.0.0/4 -interface \
324 127.0.0.1 -reject > /dev/null
328 echo 'config error, multicasting disabled until rc.conf is fixed'
329 route -qn add -net 224.0.0.0/4 -interface 127.0.0.1 -reject > /dev/null
334 # Configure PPPoE, GIF, GRE and TUN interfaces, delayed because they require
335 # routes to be set. TUN might depend on PPPoE, and GIF or GRE may depend on
337 ifmstart "pppoe tun gif gre bridge"
339 # Reject 127/8 other than 127.0.0.1 (the more specific loopback address still wins), so such packets are dropped instead of matching the default route.
340 route -qn add -net 127 127.0.0.1 -reject > /dev/null
342 if [ "$ip6kernel" = "YES" ]; then
343 # Wait (at most 10 iterations) for IPv6 duplicate address detection (DAD) to complete before going further.
345 while [ $((count++)) -lt 10 -a "x"`sysctl -n net.inet6.ip6.dad_pending` != "x0" ]; do