diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf index 8bf64a0ca320..1457ed852cb0 100644 --- a/etc/defaults/rc.conf +++ b/etc/defaults/rc.conf @@ -1,394 +1,393 @@ #!/bin/sh # # This is rc.conf - a file full of useful variables that you can set # to change the default startup behavior of your system. You should # not edit this file! Put any overrides into one of the ${rc_conf_files} # instead and you will be able to update these defaults later without # spamming your local configuration information. # # The ${rc_conf_files} files should only contain values which override # values set in this file. This eases the upgrade path when defaults # are changed and new features are added. # # All arguments must be in double or single quotes. # # $FreeBSD$ ############################################################## ### Important initial Boot-time options #################### ############################################################## swapfile="NO" # Set to name of swapfile if aux swapfile desired. apm_enable="NO" # Set to YES to enable APM BIOS functions (or NO). apmd_enable="NO" # Run apmd to handle APM event from userland. apmd_flags="" # Flags to apmd (if enabled). pccard_enable="NO" # Set to YES if you want to configure PCCARD devices. pccard_mem="DEFAULT" # If pccard_enable=YES, this is card memory address. pccard_beep="2" # pccard beep type. pccard_ifconfig="NO" # Specialized pccard ethernet configuration (or NO). pccardd_flags="" # Additional flags for pccardd. pccard_conf="/etc/defaults/pccard.conf" # pccardd(8) config file pccard_ether_delay="5" # Delay before trying to start dhclient in pccard_ether removable_interfaces="" # Removable network interfaces for /etc/pccard_ether. local_startup="/usr/local/etc/rc.d /usr/X11R6/etc/rc.d" # startup script dirs. script_name_sep=" " # Change if your startup scripts' names contain spaces rc_conf_files="/etc/rc.conf /etc/rc.conf.local" fsck_y_enable="NO" # Set to YES to do fsck -y if the initial preen fails. background_fsck="YES" # Attempt to run fsck in the background where possible. ############################################################## ### Network configuration sub-section ###################### ############################################################## ### Basic network and firewall/security options: ### hostname="" # Set this! nisdomainname="NO" # Set to NIS domain if using NIS (or NO). dhcp_program="/sbin/dhclient" # Path to dhcp client program. dhcp_flags="" # Additional flags to pass to dhcp client. firewall_enable="NO" # Set to YES to enable firewall functionality firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall) firewall_quiet="NO" # Set to YES to suppress rule display firewall_logging="NO" # Set to YES to enable events logging firewall_flags="" # Flags passed to ipfw when type is a file ip_portrange_first="NO" # Set first dynamically allocated port ip_portrange_last="NO" # Set last dynamically allocated port ipsec_enable="NO" # Set to YES to run setkey on ipsec_file ipsec_file="/etc/ipsec.conf" # Name of config file for setkey natd_program="/sbin/natd" # path to natd, if you want a different one. natd_enable="NO" # Enable natd (if firewall_enable == YES). natd_interface="fxp0" # Public interface or IPaddress to use. natd_flags="" # Additional flags for natd. ipfilter_enable="NO" # Set to YES to enable ipfilter functionality ipfilter_program="/sbin/ipf -Fa -f" # program and how to specify the rules file, # see /etc/rc.network (pass1) for details ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see # /usr/src/contrib/ipfilter/rules for examples ipfilter_flags="-E" # should be *empty* when ipf is _not_ a module # (i.e. compiled into the kernel) to # avoid a warning about "already initialized" ipnat_enable="NO" # Set to YES for ipnat; needs ipfilter, too! ipnat_program="/sbin/ipnat -CF -f" # program and how to specify rules file ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat ipnat_flags="" # additional flags for ipnat ipmon_enable="NO" # Set to YES for ipmon; needs ipfilter, too! ipmon_program="/sbin/ipmon" # where the ipfilter monitor program lives ipmon_flags="-Ds" # typically "-Ds" or "-D /var/log/ipflog" tcp_extensions="YES" # Set to NO to turn off RFC1323 extensions. log_in_vain="NO" # YES to log connects to ports w/o listeners. tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO). # For the following two options, you need to have TCP_DROP_SYNFIN and # TCP_RESTRICT_RST set in your kernel. Please refer to LINT for details. tcp_drop_synfin="NO" # Set to YES to drop TCP packets with SYN+FIN # NOTE: this violates the TCP specification icmp_drop_redirect="NO" # Set to YES to ignore ICMP REDIRECT packets icmp_log_redirect="NO" # Set to YES to log ICMP REDIRECT packets network_interfaces="auto" # List of network interfaces (or "auto"). cloned_interfaces="" # List of cloned network interfaces to create. #cloned_interfaces="gif0 gif1 gif2 gif3" # Pre-cloning GENERIC config. ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration. #ifconfig_lo0_alias0="inet 127.0.0.254 netmask 0xffffffff" # Sample alias entry. #ifconfig_ed0_ipx="ipx 0x00010010" # Sample IPX address family entry. # # If you have any sppp(4) interfaces above, you might also want to set # the following parameters. Refer to spppcontrol(8) for their meaning. sppp_interfaces="" # List of sppp interfaces. #sppp_interfaces="isp0" # example: sppp over ISDN #spppconfig_isp0="authproto=chap myauthname=foo myauthsecret='top secret' hisauthname=some-gw hisauthsecret='another secret'" gif_interfaces="NO" # List of GIF tunnels (or "NO"). #gif_interfaces="gif0 gif1" # Examples typically for a router. # Choose correct tunnel addrs. #gifconfig_gif0="10.1.1.1 10.1.2.1" # Examples typically for a router. #gifconfig_gif1="10.1.1.2 10.1.2.2" # Examples typically for a router. # User ppp configuration. ppp_enable="NO" # Start user-ppp (or NO). ppp_mode="auto" # Choice of "auto", "ddial", "direct" or "dedicated". # For details see man page for ppp(8). Default is auto. ppp_nat="YES" # Use PPP's internal network address translation or NO. ppp_profile="papchap" # Which profile to use from /etc/ppp/ppp.conf. ppp_user="root" # Which user to run ppp as ### Network daemon (miscellaneous) ### syslogd_enable="YES" # Run syslog daemon (or NO). syslogd_program="/usr/sbin/syslogd" # path to syslogd, if you want a different one. syslogd_flags="-s" # Flags to syslogd (if enabled). #syslogd_flags="-ss" # Syslogd flags to not bind an inet socket inetd_enable="NO" # Run the network daemon dispatcher (YES/NO). inetd_program="/usr/sbin/inetd" # path to inetd, if you want a different one. inetd_flags="-wW" # Optional flags to inetd # # named. It may be possible to run named in a sandbox, man security for # details. # named_enable="NO" # Run named, the DNS server (or NO). named_program="named" # path to named, if you want a different one. named_flags="-u bind -g bind" # Flags for named # # kerberos. Do not run the admin daemons on slave servers # kerberos4_server_enable="NO" # Run a kerberos IV master server (or NO). kerberos4_server="/usr/sbin/kerberos" # path to kerberos IV KDC kadmind4_server_enable="NO" # Run kadmind (or NO) kadmind4_server="/usr/sbin/kadmind" # path to kerberos IV admin daemon kerberos5_server_enable="NO" # Run a kerberos 5 master server (or NO). kerberos5_server="/usr/libexec/kdc" # path to kerberos 5 KDC kadmind5_server_enable="NO" # Run kadmind (or NO) kadmind5_server="/usr/libexec/k5admind" # path to kerberos 5 admin daemon kerberos_stash="" # Is the kerberos master key stashed? rwhod_enable="NO" # Run the rwho daemon (or NO). rwhod_flags="" # Flags for rwhod rarpd_enable="NO" # Run rarpd (or NO). rarpd_flags="" # Flags to rarpd. xtend_enable="NO" # Run the X-10 power controller daemon. xtend_flags="" # Flags to xtend (if enabled). pppoed_enable="NO" # Run the PPP over Ethernet daemon. pppoed_provider="*" # Provider and ppp(8) config file entry. pppoed_flags="-P /var/run/pppoed.pid" # Flags to pppoed (if enabled). pppoed_interface="fxp0" # The interface that pppoed runs on. sshd_enable="NO" # Enable sshd sshd_program="/usr/sbin/sshd" # path to sshd, if you want a different one. sshd_flags="" # Additional flags for sshd. ### Network daemon (NFS) Need all portmap_enable="YES" ### amd_enable="NO" # Run amd service with $amd_flags (or NO). amd_flags="-a /.amd_mnt -l syslog /host /etc/amd.map /net /etc/amd.map" amd_map_program="NO" # Can be set to "ypcat -k amd.master" nfs_client_enable="NO" # This host is an NFS client (or NO). -nfs_client_flags="-n 4" # Flags to nfsiod (if enabled). nfs_access_cache="2" # Client cache timeout in seconds nfs_server_enable="NO" # This host is an NFS server (or NO). nfs_server_flags="-u -t -n 4" # Flags to nfsd (if enabled). single_mountd_enable="NO" # Run mountd only (or NO). mountd_flags="-r" # Flags to mountd (if NFS server enabled). weak_mountd_authentication="NO" # Allow non-root mount requests to be served. nfs_reserved_port_only="NO" # Provide NFS only on secure port (or NO). nfs_bufpackets="DEFAULT" # bufspace (in packets) for client (or DEFAULT) rpc_lockd_enable="NO" # Run NFS rpc.lockd (*broken!*) if nfs_server. rpc_statd_enable="NO" # Run NFS rpc.statd if nfs_server (or NO). portmap_enable="NO" # Run the portmapper service (YES/NO). portmap_program="/usr/sbin/rpcbind" # path to portmap, if you want a different one. portmap_flags="" # Flags to portmap (if enabled). rpc_ypupdated_enable="NO" # Run if NIS master and SecureRPC (or NO). keyserv_enable="NO" # Run the SecureRPC keyserver (or NO). keyserv_flags="" # Flags to keyserv (if enabled). ### Network Time Services options: ### timed_enable="NO" # Run the time daemon (or NO). timed_flags="" # Flags to timed (if enabled). ntpdate_enable="NO" # Run ntpdate to sync time on boot (or NO). ntpdate_program="ntpdate" # path to ntpdate, if you want a different one. ntpdate_flags="-b" # Flags to ntpdate (if enabled). xntpd_enable="NO" # Run ntpd Network Time Protocol (or NO). xntpd_program="ntpd" # path to ntpd, if you want a different one. xntpd_flags="-p /var/run/ntpd.pid" # Flags to ntpd (if enabled). # Network Information Services (NIS) options: Need all portmap_enable="YES" ### nis_client_enable="NO" # We're an NIS client (or NO). nis_client_flags="" # Flags to ypbind (if enabled). nis_ypset_enable="NO" # Run ypset at boot time (or NO). nis_ypset_flags="" # Flags to ypset (if enabled). nis_server_enable="NO" # We're an NIS server (or NO). nis_server_flags="" # Flags to ypserv (if enabled). nis_ypxfrd_enable="NO" # Run rpc.ypxfrd at boot time (or NO). nis_ypxfrd_flags="" # Flags to rpc.ypxfrd (if enabled). nis_yppasswdd_enable="NO" # Run rpc.yppasswdd at boot time (or NO). nis_yppasswdd_flags="" # Flags to rpc.yppasswdd (if enabled). ### Network routing options: ### defaultrouter="NO" # Set to default gateway (or NO). static_routes="" # Set to static route list (or leave empty). gateway_enable="NO" # Set to YES if this host will be a gateway. router_enable="NO" # Set to YES to enable a routing daemon. router="routed" # Name of routing daemon to use if enabled. router_flags="-q" # Flags for routing daemon. mrouted_enable="NO" # Do multicast routing (see /etc/mrouted.conf). mrouted_flags="" # Flags for multicast routing daemon. ipxgateway_enable="NO" # Set to YES to enable IPX routing. ipxrouted_enable="NO" # Set to YES to run the IPX routing daemon. ipxrouted_flags="" # Flags for IPX routing daemon. arpproxy_all="NO" # replaces obsolete kernel option ARP_PROXYALL. forward_sourceroute="NO" # do source routing (only if gateway_enable is set to "YES") accept_sourceroute="NO" # accept source routed packets to us ### ATM interface options: ### atm_enable="NO" # Configure ATM interfaces (or NO). #atm_netif_hea0="atm 1" # Network interfaces for physical interface. #atm_sigmgr_hea0="uni31" # Signalling manager for physical interface. #atm_prefix_hea0="ILMI" # NSAP prefix (UNI interfaces only) (or ILMI). #atm_macaddr_hea0="NO" # Override physical MAC address (or NO). #atm_arpserver_atm0="0x47.0005.80.999999.9999.9999.9999.999999999999.00" # ATMARP server address (or local). #atm_scsparp_atm0="NO" # Run SCSP/ATMARP on network interface (or NO). atm_pvcs="" # Set to PVC list (or leave empty). atm_arps="" # Set to permanent ARP list (or leave empty). ### ISDN interface options: (see also: /usr/share/examples/isdn) ### isdn_enable="NO" # Enable the ISDN subsystem (or NO). isdn_fsdev="NO" # Output device for fullscreen mode (or NO for daemon mode). isdn_flags="-dn -d0x1f9" # Flags for isdnd isdn_ttype="cons25" # terminal type for fullscreen mode isdn_screenflags="NO" # screenflags for ${isdn_fsdev} isdn_trace="NO" # Enable the ISDN trace subsystem (or NO). isdn_traceflags="-f /var/tmp/isdntrace0" # Flags for isdntrace ### Miscellaneous network options: ### icmp_bmcastecho="NO" # respond to broadcast ping packets ### IPv6 options: ### ipv6_enable="NO" # Set to YES to set up for IPv6. ipv6_network_interfaces="auto" # List of network interfaces (or "auto"). ipv6_defaultrouter="NO" # Set to IPv6 default gateway (or NO). ipv6_static_routes="" # Set to static route list (or leave empty). #ipv6_static_routes="xxx" # An example to set fec0:0000:0000:0006::/64 # route toward loopback interface. #ipv6_route_xxx="fec0:0000:0000:0006:: -prefixlen 64 ::1" ipv6_gateway_enable="NO" # Set to YES if this host will be a gateway. ipv6_router_enable="NO" # Set to YES to enable an IPv6 routing daemon. ipv6_router="/usr/sbin/route6d" # Name of IPv6 routing daemon. ipv6_router_flags="" # Flags to IPv6 routing daemon. #ipv6_router_flags="-l" # Example for route6d with only IPv6 site local # addrs. #ipv6_network_interfaces="ed0 ep0" # Examples for router # or static configuration for end node. # Choose correct prefix value. #ipv6_prefix_ed0="fec0:0000:0000:0001 fec0:0000:0000:0002" # Examples for rtr. #ipv6_prefix_ep0="fec0:0000:0000:0003 fec0:0000:0000:0004" # Examples for rtr. #ipv6_ifconfig_ed0="fec0:0:0:5::1 prefixlen 64" # Sample manual assign entry #ipv6_ifconfig_ed0_alias0="fec0:0:0:5::2 prefixlen 64" # Sample alias entry. ipv6_default_interface="NO" # Default output interface for scoped addrs. # Now this works only for IPv6 link local # multicast addrs. rtadvd_enable="NO" # Set to YES to enable an IPv6 router # advertisement daemon. If set to YES, # this router becomes a possible candidate # IPv6 default router for local subnets. rtadvd_interfaces="" # Interfaces rtadvd sends RA packets. mroute6d_enable="NO" # Do IPv6 multicast routing. mroute6d_program="/usr/local/sbin/pim6dd" # Name of IPv6 multicast # routing daemon. You need to # install it from package or # port. mroute6d_flags="" # Flags to IPv6 multicast routing daemon. stf_interface_ipv4addr="" # Local IPv4 addr for 6to4 IPv6 over IPv4 # tunneling interface. Specify this entry # to enable 6to4 interface. stf_interface_ipv4plen="0" # Prefix length for 6to4 IPv4 addr, # to limit peer addr range. Effective value # is 0-31. stf_interface_ipv6_ifid="0:0:0:1" # IPv6 interface id for stf0. # If you like, you can set "AUTO" for this. stf_interface_ipv6_slaid="0000" # IPv6 Site Level Aggregator for stf0 ipv6_faith_prefix="NO" # Set faith prefix to enable a FAITH # IPv6-to-IPv4 TCP translator. You also need # faithd(8) setup. ipv6_ipv4mapping="YES" # Leave empty to disable IPv4 mapped IPv6 addr # communication. (like ::ffff:a.b.c.d) ipv6_firewall_enable="NO" # Set to YES to enable IPv6 firewall # functionality ipv6_firewall_script="/etc/rc.firewall6" # Which script to run to set up the IPv6 firewall ipv6_firewall_type="UNKNOWN" # IPv6 Firewall type (see /etc/rc.firewall6) ipv6_firewall_quiet="NO" # Set to YES to suppress rule display ipv6_firewall_logging="NO" # Set to YES to enable events logging ipv6_firewall_flags="" # Flags passed to ip6fw when type is a file ############################################################## ### System console options ################################# ############################################################## keymap="NO" # keymap in /usr/share/syscons/keymaps/* (or NO). keyrate="NO" # keyboard rate to: slow, normal, fast (or NO). keybell="NO" # bell to duration.pitch or normal or visual (or NO). keychange="NO" # function keys default values (or NO). cursor="NO" # cursor type {normal|blink|destructive} (or NO). scrnmap="NO" # screen map in /usr/share/syscons/scrnmaps/* (or NO). font8x16="NO" # font 8x16 from /usr/share/syscons/fonts/* (or NO). font8x14="NO" # font 8x14 from /usr/share/syscons/fonts/* (or NO). font8x8="NO" # font 8x8 from /usr/share/syscons/fonts/* (or NO). blanktime="300" # blank time (in seconds) or "NO" to turn it off. saver="NO" # screen saver: Uses /modules/${saver}_saver.ko moused_enable="NO" # Run the mouse daemon. moused_type="auto" # See man page for rc.conf(5) for available settings. moused_port="/dev/psm0" # Set to your mouse port. moused_flags="" # Any additional flags to moused. mousechar_start="NO" # if 0xd0-0xd3 default range is occuped in your # language code table, specify alternative range # start like mousechar_start=3, see vidcontrol(1) allscreens_flags="" # Set this vidcontrol mode for all virtual screens allscreens_kbdflags="" # Set this kbdcontrol mode for all virtual screens ############################################################## ### Miscellaneous administrative options ################### ############################################################## cron_enable="YES" # Run the periodic job daemon. cron_program="/usr/sbin/cron" # Which cron executable to run (if enabled). cron_flags="" # Which options to pass to the cron daemon. lpd_enable="NO" # Run the line printer daemon. lpd_program="/usr/sbin/lpd" # path to lpd, if you want a different one. lpd_flags="" # Flags to lpd (if enabled). usbd_enable="NO" # Run the usbd daemon. usbd_flags="" # Flags to usbd (if enabled). sendmail_enable="NO" # Run the sendmail inbound daemon (YES/NO). sendmail_flags="-bd -q30m" # Flags to sendmail (as a server) sendmail_outbound_enable="YES" # Dequeue stuck mail (YES/NO). sendmail_outbound_flags="-q30m" # Flags to sendmail (outbound only) dumpdev="NO" # Device name to crashdump to (or NO). dumpdir="/var/crash" # Directory where crash dumps are to be stored savecore_flags="" # Used if dumpdev is enabled above, and present. enable_quotas="NO" # turn on quotas on startup (or NO). check_quotas="YES" # Check quotas on startup (or NO). accounting_enable="NO" # Turn on process accounting (or NO). ibcs2_enable="NO" # Ibcs2 (SCO) emulation loaded at startup (or NO). ibcs2_loaders="coff" # List of additional Ibcs2 loaders (or NO). sysvipc_enable="NO" # Load System V IPC primitives at startup (or NO). linux_enable="NO" # Linux binary compatibility loaded at startup (or NO). svr4_enable="NO" # SysVR4 emulation loaded at startup (or NO). osf1_enable="NO" # Alpha OSF/1 emulation loaded at startup (or NO). clear_tmp_enable="NO" # Clear /tmp at startup. ldconfig_insecure="NO" # Set to YES to disable ldconfig security checks ldconfig_paths="/usr/lib/compat /usr/X11R6/lib /usr/local/lib" # shared library search paths ldconfig_paths_aout="/usr/lib/compat/aout /usr/X11R6/lib/aout /usr/local/lib/aout" # a.out shared library search paths kern_securelevel_enable="NO" # kernel security level (see init(8)), kern_securelevel="-1" # range: -1..3 ; `-1' is the most insecure update_motd="YES" # update version info in /etc/motd (or NO) start_vinum="NO" # set to YES to start vinum unaligned_print="YES" # print unaligned access warnings on the alpha (or NO). entropy_file="/entropy" # Set to NO to disable caching entropy through reboots. # /var/db/entropy is preferred if / is not available. entropy_dir="/var/db/entropy" # Set to NO to disable caching entropy via cron. entropy_save_sz="2048" # Size of the entropy cache files. entropy_save_num="8" # Number of entropy cache files to save. harvest_interrupt="YES" # Entropy device harvests interrupt randomness harvest_ethernet="YES" # Entropy device harvests ethernet randomness harvest_p_to_p="YES" # Entropy device harvests point-to-point randomness ############################################################## ### Define source_rc_confs, the mechanism used by /etc/rc.* ## ### scripts to source rc_conf_files overrides safely. ## ############################################################## if [ -z "${source_rc_confs_defined}" ]; then source_rc_confs_defined=yes source_rc_confs () { local i sourced_files for i in ${rc_conf_files}; do case ${sourced_files} in *:$i:*) ;; *) sourced_files="${sourced_files}:$i:" if [ -r $i ]; then . $i fi ;; esac done } fi diff --git a/etc/network.subr b/etc/network.subr index b71553999701..67c88a0f805b 100644 --- a/etc/network.subr +++ b/etc/network.subr @@ -1,830 +1,829 @@ #!/bin/sh - # # Copyright (c) 1993 The FreeBSD Project # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # $FreeBSD$ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # # Note that almost all of the user-configurable behavior is no longer in # this file, but rather in /etc/defaults/rc.conf. Please check that file # first before contemplating any changes here. If you do need to change # this file for some reason, we would like to know about it. # First pass startup stuff. # network_pass1() { echo -n 'Doing initial network setup:' # Convert host.conf to nsswitch.conf if necessary if [ -f "/etc/host.conf" ]; then echo '' echo 'Warning: /etc/host.conf is no longer used' if [ -f "/etc/nsswitch.conf" ]; then echo ' /etc/nsswitch.conf will be used instead' else echo ' /etc/nsswitch.conf will be created for you' convert_host_conf /etc/host.conf /etc/nsswitch.conf fi fi # Set the host name if it is not already set # if [ -z "`hostname -s`" ]; then hostname ${hostname} echo -n ' hostname' fi # Establish ipfilter ruleset as early as possible (best in # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) # if /sbin/ipfstat -i > /dev/null 2>&1; then ipfilter_in_kernel=1 else ipfilter_in_kernel=0 fi case "${ipfilter_enable}" in [Yy][Ee][Ss]) if [ "${ipfilter_in_kernel}" -eq 0 ] && kldload ipl; then ipfilter_in_kernel=1 echo "Kernel ipfilter module loaded." elif [ "${ipfilter_in_kernel}" -eq 0 ]; then echo "Warning: ipfilter kernel module failed to load." fi if [ -r "${ipfilter_rules}" ]; then echo -n ' ipfilter'; ${ipfilter_program:-/sbin/ipf -Fa -f} \ "${ipfilter_rules}" ${ipfilter_flags} case "${ipmon_enable}" in [Yy][Ee][Ss]) echo -n ' ipmon' ${ipmon_program:-/sbin/ipmon} ${ipmon_flags} ;; esac case "${ipnat_enable}" in [Yy][Ee][Ss]) if [ -r "${ipnat_rules}" ]; then echo -n ' ipnat'; eval ${ipnat_program:-/sbin/ipnat -CF -f} \ "${ipnat_rules}" ${ipnat_flags} else echo -n ' NO IPNAT RULES' fi ;; esac else ipfilter_enable="NO" echo -n ' NO IPF RULES' fi ;; esac # Set the domainname if we're using NIS # case ${nisdomainname} in [Nn][Oo] | '') ;; *) domainname ${nisdomainname} echo -n ' domain' ;; esac echo '.' # Initial ATM interface configuration # case ${atm_enable} in [Yy][Ee][Ss]) if [ -r /etc/rc.atm ]; then . /etc/rc.atm atm_pass1 fi ;; esac # Attempt to create cloned interfaces. for ifn in ${cloned_interfaces}; do ifconfig ${ifn} create done # Special options for sppp(4) interfaces go here. These need # to go _before_ the general ifconfig section, since in the case # of hardwired (no link1 flag) but required authentication, you # cannot pass auth parameters down to the already running interface. # for ifn in ${sppp_interfaces}; do eval spppcontrol_args=\$spppconfig_${ifn} if [ -n "${spppcontrol_args}" ]; then # The auth secrets might contain spaces; in order # to retain the quotation, we need to eval them # here. eval spppcontrol ${ifn} ${spppcontrol_args} fi done # gifconfig network_gif_setup # Set up all the network interfaces, calling startup scripts if needed # case ${network_interfaces} in [Aa][Uu][Tt][Oo]) network_interfaces="`ifconfig -l`" ;; *) network_interfaces="${network_interfaces} ${cloned_interfaces}" ;; esac dhcp_interfaces="" for ifn in ${network_interfaces}; do if [ -r /etc/start_if.${ifn} ]; then . /etc/start_if.${ifn} eval showstat_$ifn=1 fi # Do the primary ifconfig if specified # eval ifconfig_args=\$ifconfig_${ifn} case ${ifconfig_args} in '') ;; [Dd][Hh][Cc][Pp]) # DHCP inits are done all in one go below dhcp_interfaces="$dhcp_interfaces $ifn" eval showstat_$ifn=1 ;; *) ifconfig ${ifn} ${ifconfig_args} eval showstat_$ifn=1 ;; esac done if [ ! -z "${dhcp_interfaces}" ]; then ${dhcp_program:-/sbin/dhclient} ${dhcp_flags} ${dhcp_interfaces} fi for ifn in ${network_interfaces}; do # Check to see if aliases need to be added # alias=0 while : ; do eval ifconfig_args=\$ifconfig_${ifn}_alias${alias} if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} alias eval showstat_$ifn=1 alias=`expr ${alias} + 1` else break; fi done # Do ipx address if specified # eval ifconfig_args=\$ifconfig_${ifn}_ipx if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} eval showstat_$ifn=1 fi done for ifn in ${network_interfaces}; do eval showstat=\$showstat_${ifn} if [ ! -z ${showstat} ]; then ifconfig ${ifn} fi done # ISDN subsystem startup # case ${isdn_enable} in [Yy][Ee][Ss]) if [ -r /etc/rc.isdn ]; then . /etc/rc.isdn fi ;; esac # Start user ppp if required. This must happen before natd. # case ${ppp_enable} in [Yy][Ee][Ss]) # Establish ppp mode. # if [ "${ppp_mode}" != "ddial" -a "${ppp_mode}" != "direct" \ -a "${ppp_mode}" != "dedicated" \ -a "${ppp_mode}" != "background" ]; then ppp_mode="auto" fi ppp_command="/usr/sbin/ppp -quiet -${ppp_mode}" # Switch on NAT mode? # case ${ppp_nat} in [Yy][Ee][Ss]) ppp_command="${ppp_command} -nat" ;; esac ppp_command="${ppp_command} ${ppp_profile}" echo "Starting ppp as \"${ppp_user}\"" su -m ${ppp_user} -c "exec ${ppp_command}" ;; esac # Initialize IP filtering using ipfw # if /sbin/ipfw -q flush > /dev/null 2>&1; then firewall_in_kernel=1 else firewall_in_kernel=0 fi case ${firewall_enable} in [Yy][Ee][Ss]) if [ "${firewall_in_kernel}" -eq 0 ] && kldload ipfw; then firewall_in_kernel=1 echo 'Kernel firewall module loaded' elif [ "${firewall_in_kernel}" -eq 0 ]; then echo 'Warning: firewall kernel module failed to load' fi ;; esac # Load the filters if required # case ${firewall_in_kernel} in 1) if [ -z "${firewall_script}" ]; then firewall_script=/etc/rc.firewall fi case ${firewall_enable} in [Yy][Ee][Ss]) if [ -r "${firewall_script}" ]; then . "${firewall_script}" echo -n 'Firewall rules loaded, starting divert daemons:' # Network Address Translation daemon # case ${natd_enable} in [Yy][Ee][Ss]) if [ -n "${natd_interface}" ]; then if echo ${natd_interface} | \ grep -q -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then natd_ifarg="-a ${natd_interface}" else natd_ifarg="-n ${natd_interface}" fi echo -n ' natd'; ${natd_program:-/sbin/natd} ${natd_flags} ${natd_ifarg} fi ;; esac echo '.' elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then echo 'Warning: kernel has firewall functionality,' \ 'but firewall rules are not enabled.' echo ' All ip services are disabled.' fi case ${firewall_logging} in [Yy][Ee][Ss] | '') echo 'Firewall logging=YES' sysctl -w net.inet.ip.fw.verbose=1 >/dev/null ;; *) ;; esac ;; esac ;; esac # Additional ATM interface configuration # if [ -n "${atm_pass1_done}" ]; then atm_pass2 fi # Configure routing # case ${defaultrouter} in [Nn][Oo] | '') ;; *) static_routes="default ${static_routes}" route_default="default ${defaultrouter}" ;; esac # Set up any static routes. This should be done before router discovery. # if [ -n "${static_routes}" ]; then for i in ${static_routes}; do eval route_args=\$route_${i} route add ${route_args} done fi echo -n 'Additional routing options:' case ${tcp_extensions} in [Yy][Ee][Ss] | '') ;; *) echo -n ' tcp extensions=NO' sysctl -w net.inet.tcp.rfc1323=0 >/dev/null ;; esac case ${icmp_bmcastecho} in [Yy][Ee][Ss]) echo -n ' broadcast ping responses=YES' sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null ;; esac case ${icmp_drop_redirect} in [Yy][Ee][Ss]) echo -n ' ignore ICMP redirect=YES' sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null ;; esac case ${icmp_log_redirect} in [Yy][Ee][Ss]) echo -n ' log ICMP redirect=YES' sysctl -w net.inet.icmp.log_redirect=1 >/dev/null ;; esac case ${gateway_enable} in [Yy][Ee][Ss]) echo -n ' IP gateway=YES' sysctl -w net.inet.ip.forwarding=1 >/dev/null ;; esac case ${forward_sourceroute} in [Yy][Ee][Ss]) echo -n ' do source routing=YES' sysctl -w net.inet.ip.sourceroute=1 >/dev/null ;; esac case ${accept_sourceroute} in [Yy][Ee][Ss]) echo -n ' accept source routing=YES' sysctl -w net.inet.ip.accept_sourceroute=1 >/dev/null ;; esac case ${tcp_keepalive} in [Yy][Ee][Ss]) echo -n ' TCP keepalive=YES' sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null ;; esac case ${tcp_drop_synfin} in [Yy][Ee][Ss]) echo -n ' drop SYN+FIN packets=YES' sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null ;; esac case ${ipxgateway_enable} in [Yy][Ee][Ss]) echo -n ' IPX gateway=YES' sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null ;; esac case ${arpproxy_all} in [Yy][Ee][Ss]) echo -n ' ARP proxyall=YES' sysctl -w net.link.ether.inet.proxyall=1 >/dev/null ;; esac case ${ip_portrange_first} in [Nn][Oo] | '') ;; *) echo -n " ip_portrange_first=$ip_portrange_first" sysctl -w net.inet.ip.portrange.first=$ip_portrange_first >/dev/null ;; esac case ${ip_portrange_last} in [Nn][Oo] | '') ;; *) echo -n " ip_portrange_last=$ip_portrange_last" sysctl -w net.inet.ip.portrange.last=$ip_portrange_last >/dev/null ;; esac echo '.' case ${ipsec_enable} in [Yy][Ee][Ss]) if [ -f ${ipsec_file} ]; then echo ' ipsec: enabled' setkey -f ${ipsec_file} else echo ' ipsec: file not found' fi ;; esac echo -n 'Routing daemons:' case ${router_enable} in [Yy][Ee][Ss]) echo -n " ${router}"; ${router} ${router_flags} ;; esac case ${ipxrouted_enable} in [Yy][Ee][Ss]) echo -n ' IPXrouted' IPXrouted ${ipxrouted_flags} > /dev/null 2>&1 ;; esac case ${mrouted_enable} in [Yy][Ee][Ss]) echo -n ' mrouted'; mrouted ${mrouted_flags} ;; esac case ${rarpd_enable} in [Yy][Ee][Ss]) echo -n ' rarpd'; rarpd ${rarpd_flags} ;; esac echo '.' # Let future generations know we made it. # network_pass1_done=YES } network_pass2() { echo -n 'Doing additional network setup:' case ${named_enable} in [Yy][Ee][Ss]) echo -n ' named'; ${named_program:-named} ${named_flags} ;; esac case ${ntpdate_enable} in [Yy][Ee][Ss]) echo -n ' ntpdate' ${ntpdate_program:-ntpdate} ${ntpdate_flags} >/dev/null 2>&1 ;; esac case ${xntpd_enable} in [Yy][Ee][Ss]) echo -n ' ntpd'; ${xntpd_program:-ntpd} ${xntpd_flags} ;; esac case ${timed_enable} in [Yy][Ee][Ss]) echo -n ' timed'; timed ${timed_flags} ;; esac case ${portmap_enable} in [Yy][Ee][Ss]) echo -n ' rpcbind'; ${portmap_program:-/usr/sbin/rpcbind} \ ${portmap_flags} # Start ypserv if we're an NIS server. # Run rpc.ypxfrd and rpc.yppasswdd only on the NIS master server. # case ${nis_server_enable} in [Yy][Ee][Ss]) echo -n ' ypserv'; ypserv ${nis_server_flags} case ${nis_ypxfrd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.ypxfrd' rpc.ypxfrd ${nis_ypxfrd_flags} ;; esac case ${nis_yppasswdd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.yppasswdd' rpc.yppasswdd ${nis_yppasswdd_flags} ;; esac ;; esac # Start ypbind if we're an NIS client # case ${nis_client_enable} in [Yy][Ee][Ss]) echo -n ' ypbind'; ypbind ${nis_client_flags} case ${nis_ypset_enable} in [Yy][Ee][Ss]) echo -n ' ypset'; ypset ${nis_ypset_flags} ;; esac ;; esac # Start keyserv if we are running Secure RPC # case ${keyserv_enable} in [Yy][Ee][Ss]) echo -n ' keyserv'; keyserv ${keyserv_flags} ;; esac # Start ypupdated if we are running Secure RPC # and we are NIS master # case ${rpc_ypupdated_enable} in [Yy][Ee][Ss]) echo -n ' rpc.ypupdated'; rpc.ypupdated ;; esac ;; esac # Start ATM daemons if [ -n "${atm_pass2_done}" ]; then atm_pass3 fi echo '.' network_pass2_done=YES } network_pass3() { echo -n 'Starting final network daemons:' case ${portmap_enable} in [Yy][Ee][Ss]) case ${nfs_server_enable} in [Yy][Ee][Ss]) if [ -r /etc/exports ]; then echo -n ' mountd' case ${weak_mountd_authentication} in [Yy][Ee][Ss]) mountd_flags="${mountd_flags} -n" ;; esac mountd ${mountd_flags} case ${nfs_reserved_port_only} in [Yy][Ee][Ss]) echo -n ' NFS on reserved port only=YES' sysctl -w vfs.nfsrv.nfs_privport=1 > /dev/null ;; esac echo -n ' nfsd'; nfsd ${nfs_server_flags} case ${rpc_lockd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.lockd'; rpc.lockd ;; esac case ${rpc_statd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.statd'; rpc.statd ;; esac fi ;; *) case ${single_mountd_enable} in [Yy][Ee][Ss]) if [ -r /etc/exports ]; then echo -n ' mountd' case ${weak_mountd_authentication} in [Yy][Ee][Ss]) mountd_flags="-n" ;; esac mountd ${mountd_flags} fi ;; esac ;; esac case ${nfs_client_enable} in [Yy][Ee][Ss]) - #echo -n ' nfsiod'; nfsiod ${nfs_client_flags} if [ -n "${nfs_access_cache}" ]; then echo -n " NFS access cache time=${nfs_access_cache}" sysctl -w vfs.nfs.access_cache_timeout=${nfs_access_cache} >/dev/null fi if [ -n "${nfs_bufpackets}" ]; then sysctl -w vfs.nfs.bufpackets=${nfs_bufpackets} > /dev/null fi ;; esac # If /var/db/mounttab exists, some nfs-server has not been # sucessfully notified about a previous client shutdown. # If there is no /var/db/mounttab, we do nothing. if [ -f /var/db/mounttab ]; then rpc.umntall -k fi case ${amd_enable} in [Yy][Ee][Ss]) echo -n ' amd' case ${amd_map_program} in [Nn][Oo] | '') ;; *) amd_flags="${amd_flags} `eval\ ${amd_map_program}`" ;; esac if [ -n "${amd_flags}" ]; then amd -p ${amd_flags}\ > /var/run/amd.pid 2> /dev/null else amd 2> /dev/null fi ;; esac ;; esac case ${rwhod_enable} in [Yy][Ee][Ss]) echo -n ' rwhod'; rwhod ${rwhod_flags} ;; esac # Kerberos servers run ONLY on the Kerberos server machine case ${kerberos4_server_enable} in [Yy][Ee][Ss]) case ${kerberos_stash} in [Yy][Ee][Ss]) stash=-n ;; *) stash= ;; esac echo -n ' kerberosIV' ${kerberos4_server} ${stash} >> /var/log/kerberos.log & case ${kadmind4_server_enable} in [Yy][Ee][Ss]) echo -n ' kadmindIV' ( sleep 20; ${kadmind4_server} ${stash} >/dev/null 2>&1 & ) & ;; esac unset stash_flag ;; esac case ${kerberos5_server_enable} in [Yy][Ee][Ss]) echo -n ' kerberos5' ${kerberos5_server} & case ${kadmind5_server_enable} in [Yy][Ee][Ss]) echo -n ' kadmind5' ${kadmind5_server} & ;; esac ;; esac case ${pppoed_enable} in [Yy][Ee][Ss]) if [ -n "${pppoed_provider}" ]; then pppoed_flags="${pppoed_flags} -p ${pppoed_provider}" fi echo -n ' pppoed'; /usr/libexec/pppoed ${pppoed_flags} ${pppoed_interface} ;; esac case ${sshd_enable} in [Yy][Ee][Ss]) if [ ! -f /etc/ssh/ssh_host_key ]; then echo ' creating ssh RSA host key'; /usr/bin/ssh-keygen -N "" -f /etc/ssh/ssh_host_key fi if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then echo ' creating ssh DSA host key'; /usr/bin/ssh-keygen -d -N "" -f /etc/ssh/ssh_host_dsa_key fi ;; esac echo '.' network_pass3_done=YES } network_pass4() { echo -n 'Additional TCP options:' case ${log_in_vain} in [Nn][Oo] | '') ;; *) echo -n ' log_in_vain=YES' sysctl -w net.inet.tcp.log_in_vain=1 >/dev/null sysctl -w net.inet.udp.log_in_vain=1 >/dev/null ;; esac echo '.' network_pass4_done=YES } network_gif_setup() { case ${gif_interfaces} in [Nn][Oo] | '') ;; *) for i in ${gif_interfaces}; do eval peers=\$gifconfig_$i case ${peers} in '') continue ;; *) ifconfig $i create >/dev/null 2>&1 ifconfig $i tunnel ${peers} ;; esac done ;; esac } convert_host_conf() { host_conf=$1; shift; nsswitch_conf=$1; shift; awk ' \ /^[:blank:]*#/ { next } \ /(hosts|local|file)/ { nsswitch[c] = "files"; c++; next } \ /(dns|bind)/ { nsswitch[c] = "dns"; c++; next } \ /nis/ { nsswitch[c] = "nis"; c++; next } \ { printf "Warning: unrecognized line [%s]", $0 > "/dev/stderr" } \ END { \ printf "hosts: "; \ for (i in nsswitch) printf "%s ", nsswitch[i]; \ printf "\n"; \ }' < $host_conf > $nsswitch_conf } diff --git a/etc/rc.d/netoptions b/etc/rc.d/netoptions index b71553999701..67c88a0f805b 100644 --- a/etc/rc.d/netoptions +++ b/etc/rc.d/netoptions @@ -1,830 +1,829 @@ #!/bin/sh - # # Copyright (c) 1993 The FreeBSD Project # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # $FreeBSD$ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # # Note that almost all of the user-configurable behavior is no longer in # this file, but rather in /etc/defaults/rc.conf. Please check that file # first before contemplating any changes here. If you do need to change # this file for some reason, we would like to know about it. # First pass startup stuff. # network_pass1() { echo -n 'Doing initial network setup:' # Convert host.conf to nsswitch.conf if necessary if [ -f "/etc/host.conf" ]; then echo '' echo 'Warning: /etc/host.conf is no longer used' if [ -f "/etc/nsswitch.conf" ]; then echo ' /etc/nsswitch.conf will be used instead' else echo ' /etc/nsswitch.conf will be created for you' convert_host_conf /etc/host.conf /etc/nsswitch.conf fi fi # Set the host name if it is not already set # if [ -z "`hostname -s`" ]; then hostname ${hostname} echo -n ' hostname' fi # Establish ipfilter ruleset as early as possible (best in # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) # if /sbin/ipfstat -i > /dev/null 2>&1; then ipfilter_in_kernel=1 else ipfilter_in_kernel=0 fi case "${ipfilter_enable}" in [Yy][Ee][Ss]) if [ "${ipfilter_in_kernel}" -eq 0 ] && kldload ipl; then ipfilter_in_kernel=1 echo "Kernel ipfilter module loaded." elif [ "${ipfilter_in_kernel}" -eq 0 ]; then echo "Warning: ipfilter kernel module failed to load." fi if [ -r "${ipfilter_rules}" ]; then echo -n ' ipfilter'; ${ipfilter_program:-/sbin/ipf -Fa -f} \ "${ipfilter_rules}" ${ipfilter_flags} case "${ipmon_enable}" in [Yy][Ee][Ss]) echo -n ' ipmon' ${ipmon_program:-/sbin/ipmon} ${ipmon_flags} ;; esac case "${ipnat_enable}" in [Yy][Ee][Ss]) if [ -r "${ipnat_rules}" ]; then echo -n ' ipnat'; eval ${ipnat_program:-/sbin/ipnat -CF -f} \ "${ipnat_rules}" ${ipnat_flags} else echo -n ' NO IPNAT RULES' fi ;; esac else ipfilter_enable="NO" echo -n ' NO IPF RULES' fi ;; esac # Set the domainname if we're using NIS # case ${nisdomainname} in [Nn][Oo] | '') ;; *) domainname ${nisdomainname} echo -n ' domain' ;; esac echo '.' # Initial ATM interface configuration # case ${atm_enable} in [Yy][Ee][Ss]) if [ -r /etc/rc.atm ]; then . /etc/rc.atm atm_pass1 fi ;; esac # Attempt to create cloned interfaces. for ifn in ${cloned_interfaces}; do ifconfig ${ifn} create done # Special options for sppp(4) interfaces go here. These need # to go _before_ the general ifconfig section, since in the case # of hardwired (no link1 flag) but required authentication, you # cannot pass auth parameters down to the already running interface. # for ifn in ${sppp_interfaces}; do eval spppcontrol_args=\$spppconfig_${ifn} if [ -n "${spppcontrol_args}" ]; then # The auth secrets might contain spaces; in order # to retain the quotation, we need to eval them # here. eval spppcontrol ${ifn} ${spppcontrol_args} fi done # gifconfig network_gif_setup # Set up all the network interfaces, calling startup scripts if needed # case ${network_interfaces} in [Aa][Uu][Tt][Oo]) network_interfaces="`ifconfig -l`" ;; *) network_interfaces="${network_interfaces} ${cloned_interfaces}" ;; esac dhcp_interfaces="" for ifn in ${network_interfaces}; do if [ -r /etc/start_if.${ifn} ]; then . /etc/start_if.${ifn} eval showstat_$ifn=1 fi # Do the primary ifconfig if specified # eval ifconfig_args=\$ifconfig_${ifn} case ${ifconfig_args} in '') ;; [Dd][Hh][Cc][Pp]) # DHCP inits are done all in one go below dhcp_interfaces="$dhcp_interfaces $ifn" eval showstat_$ifn=1 ;; *) ifconfig ${ifn} ${ifconfig_args} eval showstat_$ifn=1 ;; esac done if [ ! -z "${dhcp_interfaces}" ]; then ${dhcp_program:-/sbin/dhclient} ${dhcp_flags} ${dhcp_interfaces} fi for ifn in ${network_interfaces}; do # Check to see if aliases need to be added # alias=0 while : ; do eval ifconfig_args=\$ifconfig_${ifn}_alias${alias} if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} alias eval showstat_$ifn=1 alias=`expr ${alias} + 1` else break; fi done # Do ipx address if specified # eval ifconfig_args=\$ifconfig_${ifn}_ipx if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} eval showstat_$ifn=1 fi done for ifn in ${network_interfaces}; do eval showstat=\$showstat_${ifn} if [ ! -z ${showstat} ]; then ifconfig ${ifn} fi done # ISDN subsystem startup # case ${isdn_enable} in [Yy][Ee][Ss]) if [ -r /etc/rc.isdn ]; then . /etc/rc.isdn fi ;; esac # Start user ppp if required. This must happen before natd. # case ${ppp_enable} in [Yy][Ee][Ss]) # Establish ppp mode. # if [ "${ppp_mode}" != "ddial" -a "${ppp_mode}" != "direct" \ -a "${ppp_mode}" != "dedicated" \ -a "${ppp_mode}" != "background" ]; then ppp_mode="auto" fi ppp_command="/usr/sbin/ppp -quiet -${ppp_mode}" # Switch on NAT mode? # case ${ppp_nat} in [Yy][Ee][Ss]) ppp_command="${ppp_command} -nat" ;; esac ppp_command="${ppp_command} ${ppp_profile}" echo "Starting ppp as \"${ppp_user}\"" su -m ${ppp_user} -c "exec ${ppp_command}" ;; esac # Initialize IP filtering using ipfw # if /sbin/ipfw -q flush > /dev/null 2>&1; then firewall_in_kernel=1 else firewall_in_kernel=0 fi case ${firewall_enable} in [Yy][Ee][Ss]) if [ "${firewall_in_kernel}" -eq 0 ] && kldload ipfw; then firewall_in_kernel=1 echo 'Kernel firewall module loaded' elif [ "${firewall_in_kernel}" -eq 0 ]; then echo 'Warning: firewall kernel module failed to load' fi ;; esac # Load the filters if required # case ${firewall_in_kernel} in 1) if [ -z "${firewall_script}" ]; then firewall_script=/etc/rc.firewall fi case ${firewall_enable} in [Yy][Ee][Ss]) if [ -r "${firewall_script}" ]; then . "${firewall_script}" echo -n 'Firewall rules loaded, starting divert daemons:' # Network Address Translation daemon # case ${natd_enable} in [Yy][Ee][Ss]) if [ -n "${natd_interface}" ]; then if echo ${natd_interface} | \ grep -q -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then natd_ifarg="-a ${natd_interface}" else natd_ifarg="-n ${natd_interface}" fi echo -n ' natd'; ${natd_program:-/sbin/natd} ${natd_flags} ${natd_ifarg} fi ;; esac echo '.' elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then echo 'Warning: kernel has firewall functionality,' \ 'but firewall rules are not enabled.' echo ' All ip services are disabled.' fi case ${firewall_logging} in [Yy][Ee][Ss] | '') echo 'Firewall logging=YES' sysctl -w net.inet.ip.fw.verbose=1 >/dev/null ;; *) ;; esac ;; esac ;; esac # Additional ATM interface configuration # if [ -n "${atm_pass1_done}" ]; then atm_pass2 fi # Configure routing # case ${defaultrouter} in [Nn][Oo] | '') ;; *) static_routes="default ${static_routes}" route_default="default ${defaultrouter}" ;; esac # Set up any static routes. This should be done before router discovery. # if [ -n "${static_routes}" ]; then for i in ${static_routes}; do eval route_args=\$route_${i} route add ${route_args} done fi echo -n 'Additional routing options:' case ${tcp_extensions} in [Yy][Ee][Ss] | '') ;; *) echo -n ' tcp extensions=NO' sysctl -w net.inet.tcp.rfc1323=0 >/dev/null ;; esac case ${icmp_bmcastecho} in [Yy][Ee][Ss]) echo -n ' broadcast ping responses=YES' sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null ;; esac case ${icmp_drop_redirect} in [Yy][Ee][Ss]) echo -n ' ignore ICMP redirect=YES' sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null ;; esac case ${icmp_log_redirect} in [Yy][Ee][Ss]) echo -n ' log ICMP redirect=YES' sysctl -w net.inet.icmp.log_redirect=1 >/dev/null ;; esac case ${gateway_enable} in [Yy][Ee][Ss]) echo -n ' IP gateway=YES' sysctl -w net.inet.ip.forwarding=1 >/dev/null ;; esac case ${forward_sourceroute} in [Yy][Ee][Ss]) echo -n ' do source routing=YES' sysctl -w net.inet.ip.sourceroute=1 >/dev/null ;; esac case ${accept_sourceroute} in [Yy][Ee][Ss]) echo -n ' accept source routing=YES' sysctl -w net.inet.ip.accept_sourceroute=1 >/dev/null ;; esac case ${tcp_keepalive} in [Yy][Ee][Ss]) echo -n ' TCP keepalive=YES' sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null ;; esac case ${tcp_drop_synfin} in [Yy][Ee][Ss]) echo -n ' drop SYN+FIN packets=YES' sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null ;; esac case ${ipxgateway_enable} in [Yy][Ee][Ss]) echo -n ' IPX gateway=YES' sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null ;; esac case ${arpproxy_all} in [Yy][Ee][Ss]) echo -n ' ARP proxyall=YES' sysctl -w net.link.ether.inet.proxyall=1 >/dev/null ;; esac case ${ip_portrange_first} in [Nn][Oo] | '') ;; *) echo -n " ip_portrange_first=$ip_portrange_first" sysctl -w net.inet.ip.portrange.first=$ip_portrange_first >/dev/null ;; esac case ${ip_portrange_last} in [Nn][Oo] | '') ;; *) echo -n " ip_portrange_last=$ip_portrange_last" sysctl -w net.inet.ip.portrange.last=$ip_portrange_last >/dev/null ;; esac echo '.' case ${ipsec_enable} in [Yy][Ee][Ss]) if [ -f ${ipsec_file} ]; then echo ' ipsec: enabled' setkey -f ${ipsec_file} else echo ' ipsec: file not found' fi ;; esac echo -n 'Routing daemons:' case ${router_enable} in [Yy][Ee][Ss]) echo -n " ${router}"; ${router} ${router_flags} ;; esac case ${ipxrouted_enable} in [Yy][Ee][Ss]) echo -n ' IPXrouted' IPXrouted ${ipxrouted_flags} > /dev/null 2>&1 ;; esac case ${mrouted_enable} in [Yy][Ee][Ss]) echo -n ' mrouted'; mrouted ${mrouted_flags} ;; esac case ${rarpd_enable} in [Yy][Ee][Ss]) echo -n ' rarpd'; rarpd ${rarpd_flags} ;; esac echo '.' # Let future generations know we made it. # network_pass1_done=YES } network_pass2() { echo -n 'Doing additional network setup:' case ${named_enable} in [Yy][Ee][Ss]) echo -n ' named'; ${named_program:-named} ${named_flags} ;; esac case ${ntpdate_enable} in [Yy][Ee][Ss]) echo -n ' ntpdate' ${ntpdate_program:-ntpdate} ${ntpdate_flags} >/dev/null 2>&1 ;; esac case ${xntpd_enable} in [Yy][Ee][Ss]) echo -n ' ntpd'; ${xntpd_program:-ntpd} ${xntpd_flags} ;; esac case ${timed_enable} in [Yy][Ee][Ss]) echo -n ' timed'; timed ${timed_flags} ;; esac case ${portmap_enable} in [Yy][Ee][Ss]) echo -n ' rpcbind'; ${portmap_program:-/usr/sbin/rpcbind} \ ${portmap_flags} # Start ypserv if we're an NIS server. # Run rpc.ypxfrd and rpc.yppasswdd only on the NIS master server. # case ${nis_server_enable} in [Yy][Ee][Ss]) echo -n ' ypserv'; ypserv ${nis_server_flags} case ${nis_ypxfrd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.ypxfrd' rpc.ypxfrd ${nis_ypxfrd_flags} ;; esac case ${nis_yppasswdd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.yppasswdd' rpc.yppasswdd ${nis_yppasswdd_flags} ;; esac ;; esac # Start ypbind if we're an NIS client # case ${nis_client_enable} in [Yy][Ee][Ss]) echo -n ' ypbind'; ypbind ${nis_client_flags} case ${nis_ypset_enable} in [Yy][Ee][Ss]) echo -n ' ypset'; ypset ${nis_ypset_flags} ;; esac ;; esac # Start keyserv if we are running Secure RPC # case ${keyserv_enable} in [Yy][Ee][Ss]) echo -n ' keyserv'; keyserv ${keyserv_flags} ;; esac # Start ypupdated if we are running Secure RPC # and we are NIS master # case ${rpc_ypupdated_enable} in [Yy][Ee][Ss]) echo -n ' rpc.ypupdated'; rpc.ypupdated ;; esac ;; esac # Start ATM daemons if [ -n "${atm_pass2_done}" ]; then atm_pass3 fi echo '.' network_pass2_done=YES } network_pass3() { echo -n 'Starting final network daemons:' case ${portmap_enable} in [Yy][Ee][Ss]) case ${nfs_server_enable} in [Yy][Ee][Ss]) if [ -r /etc/exports ]; then echo -n ' mountd' case ${weak_mountd_authentication} in [Yy][Ee][Ss]) mountd_flags="${mountd_flags} -n" ;; esac mountd ${mountd_flags} case ${nfs_reserved_port_only} in [Yy][Ee][Ss]) echo -n ' NFS on reserved port only=YES' sysctl -w vfs.nfsrv.nfs_privport=1 > /dev/null ;; esac echo -n ' nfsd'; nfsd ${nfs_server_flags} case ${rpc_lockd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.lockd'; rpc.lockd ;; esac case ${rpc_statd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.statd'; rpc.statd ;; esac fi ;; *) case ${single_mountd_enable} in [Yy][Ee][Ss]) if [ -r /etc/exports ]; then echo -n ' mountd' case ${weak_mountd_authentication} in [Yy][Ee][Ss]) mountd_flags="-n" ;; esac mountd ${mountd_flags} fi ;; esac ;; esac case ${nfs_client_enable} in [Yy][Ee][Ss]) - #echo -n ' nfsiod'; nfsiod ${nfs_client_flags} if [ -n "${nfs_access_cache}" ]; then echo -n " NFS access cache time=${nfs_access_cache}" sysctl -w vfs.nfs.access_cache_timeout=${nfs_access_cache} >/dev/null fi if [ -n "${nfs_bufpackets}" ]; then sysctl -w vfs.nfs.bufpackets=${nfs_bufpackets} > /dev/null fi ;; esac # If /var/db/mounttab exists, some nfs-server has not been # sucessfully notified about a previous client shutdown. # If there is no /var/db/mounttab, we do nothing. if [ -f /var/db/mounttab ]; then rpc.umntall -k fi case ${amd_enable} in [Yy][Ee][Ss]) echo -n ' amd' case ${amd_map_program} in [Nn][Oo] | '') ;; *) amd_flags="${amd_flags} `eval\ ${amd_map_program}`" ;; esac if [ -n "${amd_flags}" ]; then amd -p ${amd_flags}\ > /var/run/amd.pid 2> /dev/null else amd 2> /dev/null fi ;; esac ;; esac case ${rwhod_enable} in [Yy][Ee][Ss]) echo -n ' rwhod'; rwhod ${rwhod_flags} ;; esac # Kerberos servers run ONLY on the Kerberos server machine case ${kerberos4_server_enable} in [Yy][Ee][Ss]) case ${kerberos_stash} in [Yy][Ee][Ss]) stash=-n ;; *) stash= ;; esac echo -n ' kerberosIV' ${kerberos4_server} ${stash} >> /var/log/kerberos.log & case ${kadmind4_server_enable} in [Yy][Ee][Ss]) echo -n ' kadmindIV' ( sleep 20; ${kadmind4_server} ${stash} >/dev/null 2>&1 & ) & ;; esac unset stash_flag ;; esac case ${kerberos5_server_enable} in [Yy][Ee][Ss]) echo -n ' kerberos5' ${kerberos5_server} & case ${kadmind5_server_enable} in [Yy][Ee][Ss]) echo -n ' kadmind5' ${kadmind5_server} & ;; esac ;; esac case ${pppoed_enable} in [Yy][Ee][Ss]) if [ -n "${pppoed_provider}" ]; then pppoed_flags="${pppoed_flags} -p ${pppoed_provider}" fi echo -n ' pppoed'; /usr/libexec/pppoed ${pppoed_flags} ${pppoed_interface} ;; esac case ${sshd_enable} in [Yy][Ee][Ss]) if [ ! -f /etc/ssh/ssh_host_key ]; then echo ' creating ssh RSA host key'; /usr/bin/ssh-keygen -N "" -f /etc/ssh/ssh_host_key fi if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then echo ' creating ssh DSA host key'; /usr/bin/ssh-keygen -d -N "" -f /etc/ssh/ssh_host_dsa_key fi ;; esac echo '.' network_pass3_done=YES } network_pass4() { echo -n 'Additional TCP options:' case ${log_in_vain} in [Nn][Oo] | '') ;; *) echo -n ' log_in_vain=YES' sysctl -w net.inet.tcp.log_in_vain=1 >/dev/null sysctl -w net.inet.udp.log_in_vain=1 >/dev/null ;; esac echo '.' network_pass4_done=YES } network_gif_setup() { case ${gif_interfaces} in [Nn][Oo] | '') ;; *) for i in ${gif_interfaces}; do eval peers=\$gifconfig_$i case ${peers} in '') continue ;; *) ifconfig $i create >/dev/null 2>&1 ifconfig $i tunnel ${peers} ;; esac done ;; esac } convert_host_conf() { host_conf=$1; shift; nsswitch_conf=$1; shift; awk ' \ /^[:blank:]*#/ { next } \ /(hosts|local|file)/ { nsswitch[c] = "files"; c++; next } \ /(dns|bind)/ { nsswitch[c] = "dns"; c++; next } \ /nis/ { nsswitch[c] = "nis"; c++; next } \ { printf "Warning: unrecognized line [%s]", $0 > "/dev/stderr" } \ END { \ printf "hosts: "; \ for (i in nsswitch) printf "%s ", nsswitch[i]; \ printf "\n"; \ }' < $host_conf > $nsswitch_conf } diff --git a/etc/rc.d/network1 b/etc/rc.d/network1 index b71553999701..67c88a0f805b 100644 --- a/etc/rc.d/network1 +++ b/etc/rc.d/network1 @@ -1,830 +1,829 @@ #!/bin/sh - # # Copyright (c) 1993 The FreeBSD Project # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # $FreeBSD$ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # # Note that almost all of the user-configurable behavior is no longer in # this file, but rather in /etc/defaults/rc.conf. Please check that file # first before contemplating any changes here. If you do need to change # this file for some reason, we would like to know about it. # First pass startup stuff. # network_pass1() { echo -n 'Doing initial network setup:' # Convert host.conf to nsswitch.conf if necessary if [ -f "/etc/host.conf" ]; then echo '' echo 'Warning: /etc/host.conf is no longer used' if [ -f "/etc/nsswitch.conf" ]; then echo ' /etc/nsswitch.conf will be used instead' else echo ' /etc/nsswitch.conf will be created for you' convert_host_conf /etc/host.conf /etc/nsswitch.conf fi fi # Set the host name if it is not already set # if [ -z "`hostname -s`" ]; then hostname ${hostname} echo -n ' hostname' fi # Establish ipfilter ruleset as early as possible (best in # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) # if /sbin/ipfstat -i > /dev/null 2>&1; then ipfilter_in_kernel=1 else ipfilter_in_kernel=0 fi case "${ipfilter_enable}" in [Yy][Ee][Ss]) if [ "${ipfilter_in_kernel}" -eq 0 ] && kldload ipl; then ipfilter_in_kernel=1 echo "Kernel ipfilter module loaded." elif [ "${ipfilter_in_kernel}" -eq 0 ]; then echo "Warning: ipfilter kernel module failed to load." fi if [ -r "${ipfilter_rules}" ]; then echo -n ' ipfilter'; ${ipfilter_program:-/sbin/ipf -Fa -f} \ "${ipfilter_rules}" ${ipfilter_flags} case "${ipmon_enable}" in [Yy][Ee][Ss]) echo -n ' ipmon' ${ipmon_program:-/sbin/ipmon} ${ipmon_flags} ;; esac case "${ipnat_enable}" in [Yy][Ee][Ss]) if [ -r "${ipnat_rules}" ]; then echo -n ' ipnat'; eval ${ipnat_program:-/sbin/ipnat -CF -f} \ "${ipnat_rules}" ${ipnat_flags} else echo -n ' NO IPNAT RULES' fi ;; esac else ipfilter_enable="NO" echo -n ' NO IPF RULES' fi ;; esac # Set the domainname if we're using NIS # case ${nisdomainname} in [Nn][Oo] | '') ;; *) domainname ${nisdomainname} echo -n ' domain' ;; esac echo '.' # Initial ATM interface configuration # case ${atm_enable} in [Yy][Ee][Ss]) if [ -r /etc/rc.atm ]; then . /etc/rc.atm atm_pass1 fi ;; esac # Attempt to create cloned interfaces. for ifn in ${cloned_interfaces}; do ifconfig ${ifn} create done # Special options for sppp(4) interfaces go here. These need # to go _before_ the general ifconfig section, since in the case # of hardwired (no link1 flag) but required authentication, you # cannot pass auth parameters down to the already running interface. # for ifn in ${sppp_interfaces}; do eval spppcontrol_args=\$spppconfig_${ifn} if [ -n "${spppcontrol_args}" ]; then # The auth secrets might contain spaces; in order # to retain the quotation, we need to eval them # here. eval spppcontrol ${ifn} ${spppcontrol_args} fi done # gifconfig network_gif_setup # Set up all the network interfaces, calling startup scripts if needed # case ${network_interfaces} in [Aa][Uu][Tt][Oo]) network_interfaces="`ifconfig -l`" ;; *) network_interfaces="${network_interfaces} ${cloned_interfaces}" ;; esac dhcp_interfaces="" for ifn in ${network_interfaces}; do if [ -r /etc/start_if.${ifn} ]; then . /etc/start_if.${ifn} eval showstat_$ifn=1 fi # Do the primary ifconfig if specified # eval ifconfig_args=\$ifconfig_${ifn} case ${ifconfig_args} in '') ;; [Dd][Hh][Cc][Pp]) # DHCP inits are done all in one go below dhcp_interfaces="$dhcp_interfaces $ifn" eval showstat_$ifn=1 ;; *) ifconfig ${ifn} ${ifconfig_args} eval showstat_$ifn=1 ;; esac done if [ ! -z "${dhcp_interfaces}" ]; then ${dhcp_program:-/sbin/dhclient} ${dhcp_flags} ${dhcp_interfaces} fi for ifn in ${network_interfaces}; do # Check to see if aliases need to be added # alias=0 while : ; do eval ifconfig_args=\$ifconfig_${ifn}_alias${alias} if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} alias eval showstat_$ifn=1 alias=`expr ${alias} + 1` else break; fi done # Do ipx address if specified # eval ifconfig_args=\$ifconfig_${ifn}_ipx if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} eval showstat_$ifn=1 fi done for ifn in ${network_interfaces}; do eval showstat=\$showstat_${ifn} if [ ! -z ${showstat} ]; then ifconfig ${ifn} fi done # ISDN subsystem startup # case ${isdn_enable} in [Yy][Ee][Ss]) if [ -r /etc/rc.isdn ]; then . /etc/rc.isdn fi ;; esac # Start user ppp if required. This must happen before natd. # case ${ppp_enable} in [Yy][Ee][Ss]) # Establish ppp mode. # if [ "${ppp_mode}" != "ddial" -a "${ppp_mode}" != "direct" \ -a "${ppp_mode}" != "dedicated" \ -a "${ppp_mode}" != "background" ]; then ppp_mode="auto" fi ppp_command="/usr/sbin/ppp -quiet -${ppp_mode}" # Switch on NAT mode? # case ${ppp_nat} in [Yy][Ee][Ss]) ppp_command="${ppp_command} -nat" ;; esac ppp_command="${ppp_command} ${ppp_profile}" echo "Starting ppp as \"${ppp_user}\"" su -m ${ppp_user} -c "exec ${ppp_command}" ;; esac # Initialize IP filtering using ipfw # if /sbin/ipfw -q flush > /dev/null 2>&1; then firewall_in_kernel=1 else firewall_in_kernel=0 fi case ${firewall_enable} in [Yy][Ee][Ss]) if [ "${firewall_in_kernel}" -eq 0 ] && kldload ipfw; then firewall_in_kernel=1 echo 'Kernel firewall module loaded' elif [ "${firewall_in_kernel}" -eq 0 ]; then echo 'Warning: firewall kernel module failed to load' fi ;; esac # Load the filters if required # case ${firewall_in_kernel} in 1) if [ -z "${firewall_script}" ]; then firewall_script=/etc/rc.firewall fi case ${firewall_enable} in [Yy][Ee][Ss]) if [ -r "${firewall_script}" ]; then . "${firewall_script}" echo -n 'Firewall rules loaded, starting divert daemons:' # Network Address Translation daemon # case ${natd_enable} in [Yy][Ee][Ss]) if [ -n "${natd_interface}" ]; then if echo ${natd_interface} | \ grep -q -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then natd_ifarg="-a ${natd_interface}" else natd_ifarg="-n ${natd_interface}" fi echo -n ' natd'; ${natd_program:-/sbin/natd} ${natd_flags} ${natd_ifarg} fi ;; esac echo '.' elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then echo 'Warning: kernel has firewall functionality,' \ 'but firewall rules are not enabled.' echo ' All ip services are disabled.' fi case ${firewall_logging} in [Yy][Ee][Ss] | '') echo 'Firewall logging=YES' sysctl -w net.inet.ip.fw.verbose=1 >/dev/null ;; *) ;; esac ;; esac ;; esac # Additional ATM interface configuration # if [ -n "${atm_pass1_done}" ]; then atm_pass2 fi # Configure routing # case ${defaultrouter} in [Nn][Oo] | '') ;; *) static_routes="default ${static_routes}" route_default="default ${defaultrouter}" ;; esac # Set up any static routes. This should be done before router discovery. # if [ -n "${static_routes}" ]; then for i in ${static_routes}; do eval route_args=\$route_${i} route add ${route_args} done fi echo -n 'Additional routing options:' case ${tcp_extensions} in [Yy][Ee][Ss] | '') ;; *) echo -n ' tcp extensions=NO' sysctl -w net.inet.tcp.rfc1323=0 >/dev/null ;; esac case ${icmp_bmcastecho} in [Yy][Ee][Ss]) echo -n ' broadcast ping responses=YES' sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null ;; esac case ${icmp_drop_redirect} in [Yy][Ee][Ss]) echo -n ' ignore ICMP redirect=YES' sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null ;; esac case ${icmp_log_redirect} in [Yy][Ee][Ss]) echo -n ' log ICMP redirect=YES' sysctl -w net.inet.icmp.log_redirect=1 >/dev/null ;; esac case ${gateway_enable} in [Yy][Ee][Ss]) echo -n ' IP gateway=YES' sysctl -w net.inet.ip.forwarding=1 >/dev/null ;; esac case ${forward_sourceroute} in [Yy][Ee][Ss]) echo -n ' do source routing=YES' sysctl -w net.inet.ip.sourceroute=1 >/dev/null ;; esac case ${accept_sourceroute} in [Yy][Ee][Ss]) echo -n ' accept source routing=YES' sysctl -w net.inet.ip.accept_sourceroute=1 >/dev/null ;; esac case ${tcp_keepalive} in [Yy][Ee][Ss]) echo -n ' TCP keepalive=YES' sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null ;; esac case ${tcp_drop_synfin} in [Yy][Ee][Ss]) echo -n ' drop SYN+FIN packets=YES' sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null ;; esac case ${ipxgateway_enable} in [Yy][Ee][Ss]) echo -n ' IPX gateway=YES' sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null ;; esac case ${arpproxy_all} in [Yy][Ee][Ss]) echo -n ' ARP proxyall=YES' sysctl -w net.link.ether.inet.proxyall=1 >/dev/null ;; esac case ${ip_portrange_first} in [Nn][Oo] | '') ;; *) echo -n " ip_portrange_first=$ip_portrange_first" sysctl -w net.inet.ip.portrange.first=$ip_portrange_first >/dev/null ;; esac case ${ip_portrange_last} in [Nn][Oo] | '') ;; *) echo -n " ip_portrange_last=$ip_portrange_last" sysctl -w net.inet.ip.portrange.last=$ip_portrange_last >/dev/null ;; esac echo '.' case ${ipsec_enable} in [Yy][Ee][Ss]) if [ -f ${ipsec_file} ]; then echo ' ipsec: enabled' setkey -f ${ipsec_file} else echo ' ipsec: file not found' fi ;; esac echo -n 'Routing daemons:' case ${router_enable} in [Yy][Ee][Ss]) echo -n " ${router}"; ${router} ${router_flags} ;; esac case ${ipxrouted_enable} in [Yy][Ee][Ss]) echo -n ' IPXrouted' IPXrouted ${ipxrouted_flags} > /dev/null 2>&1 ;; esac case ${mrouted_enable} in [Yy][Ee][Ss]) echo -n ' mrouted'; mrouted ${mrouted_flags} ;; esac case ${rarpd_enable} in [Yy][Ee][Ss]) echo -n ' rarpd'; rarpd ${rarpd_flags} ;; esac echo '.' # Let future generations know we made it. # network_pass1_done=YES } network_pass2() { echo -n 'Doing additional network setup:' case ${named_enable} in [Yy][Ee][Ss]) echo -n ' named'; ${named_program:-named} ${named_flags} ;; esac case ${ntpdate_enable} in [Yy][Ee][Ss]) echo -n ' ntpdate' ${ntpdate_program:-ntpdate} ${ntpdate_flags} >/dev/null 2>&1 ;; esac case ${xntpd_enable} in [Yy][Ee][Ss]) echo -n ' ntpd'; ${xntpd_program:-ntpd} ${xntpd_flags} ;; esac case ${timed_enable} in [Yy][Ee][Ss]) echo -n ' timed'; timed ${timed_flags} ;; esac case ${portmap_enable} in [Yy][Ee][Ss]) echo -n ' rpcbind'; ${portmap_program:-/usr/sbin/rpcbind} \ ${portmap_flags} # Start ypserv if we're an NIS server. # Run rpc.ypxfrd and rpc.yppasswdd only on the NIS master server. # case ${nis_server_enable} in [Yy][Ee][Ss]) echo -n ' ypserv'; ypserv ${nis_server_flags} case ${nis_ypxfrd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.ypxfrd' rpc.ypxfrd ${nis_ypxfrd_flags} ;; esac case ${nis_yppasswdd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.yppasswdd' rpc.yppasswdd ${nis_yppasswdd_flags} ;; esac ;; esac # Start ypbind if we're an NIS client # case ${nis_client_enable} in [Yy][Ee][Ss]) echo -n ' ypbind'; ypbind ${nis_client_flags} case ${nis_ypset_enable} in [Yy][Ee][Ss]) echo -n ' ypset'; ypset ${nis_ypset_flags} ;; esac ;; esac # Start keyserv if we are running Secure RPC # case ${keyserv_enable} in [Yy][Ee][Ss]) echo -n ' keyserv'; keyserv ${keyserv_flags} ;; esac # Start ypupdated if we are running Secure RPC # and we are NIS master # case ${rpc_ypupdated_enable} in [Yy][Ee][Ss]) echo -n ' rpc.ypupdated'; rpc.ypupdated ;; esac ;; esac # Start ATM daemons if [ -n "${atm_pass2_done}" ]; then atm_pass3 fi echo '.' network_pass2_done=YES } network_pass3() { echo -n 'Starting final network daemons:' case ${portmap_enable} in [Yy][Ee][Ss]) case ${nfs_server_enable} in [Yy][Ee][Ss]) if [ -r /etc/exports ]; then echo -n ' mountd' case ${weak_mountd_authentication} in [Yy][Ee][Ss]) mountd_flags="${mountd_flags} -n" ;; esac mountd ${mountd_flags} case ${nfs_reserved_port_only} in [Yy][Ee][Ss]) echo -n ' NFS on reserved port only=YES' sysctl -w vfs.nfsrv.nfs_privport=1 > /dev/null ;; esac echo -n ' nfsd'; nfsd ${nfs_server_flags} case ${rpc_lockd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.lockd'; rpc.lockd ;; esac case ${rpc_statd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.statd'; rpc.statd ;; esac fi ;; *) case ${single_mountd_enable} in [Yy][Ee][Ss]) if [ -r /etc/exports ]; then echo -n ' mountd' case ${weak_mountd_authentication} in [Yy][Ee][Ss]) mountd_flags="-n" ;; esac mountd ${mountd_flags} fi ;; esac ;; esac case ${nfs_client_enable} in [Yy][Ee][Ss]) - #echo -n ' nfsiod'; nfsiod ${nfs_client_flags} if [ -n "${nfs_access_cache}" ]; then echo -n " NFS access cache time=${nfs_access_cache}" sysctl -w vfs.nfs.access_cache_timeout=${nfs_access_cache} >/dev/null fi if [ -n "${nfs_bufpackets}" ]; then sysctl -w vfs.nfs.bufpackets=${nfs_bufpackets} > /dev/null fi ;; esac # If /var/db/mounttab exists, some nfs-server has not been # sucessfully notified about a previous client shutdown. # If there is no /var/db/mounttab, we do nothing. if [ -f /var/db/mounttab ]; then rpc.umntall -k fi case ${amd_enable} in [Yy][Ee][Ss]) echo -n ' amd' case ${amd_map_program} in [Nn][Oo] | '') ;; *) amd_flags="${amd_flags} `eval\ ${amd_map_program}`" ;; esac if [ -n "${amd_flags}" ]; then amd -p ${amd_flags}\ > /var/run/amd.pid 2> /dev/null else amd 2> /dev/null fi ;; esac ;; esac case ${rwhod_enable} in [Yy][Ee][Ss]) echo -n ' rwhod'; rwhod ${rwhod_flags} ;; esac # Kerberos servers run ONLY on the Kerberos server machine case ${kerberos4_server_enable} in [Yy][Ee][Ss]) case ${kerberos_stash} in [Yy][Ee][Ss]) stash=-n ;; *) stash= ;; esac echo -n ' kerberosIV' ${kerberos4_server} ${stash} >> /var/log/kerberos.log & case ${kadmind4_server_enable} in [Yy][Ee][Ss]) echo -n ' kadmindIV' ( sleep 20; ${kadmind4_server} ${stash} >/dev/null 2>&1 & ) & ;; esac unset stash_flag ;; esac case ${kerberos5_server_enable} in [Yy][Ee][Ss]) echo -n ' kerberos5' ${kerberos5_server} & case ${kadmind5_server_enable} in [Yy][Ee][Ss]) echo -n ' kadmind5' ${kadmind5_server} & ;; esac ;; esac case ${pppoed_enable} in [Yy][Ee][Ss]) if [ -n "${pppoed_provider}" ]; then pppoed_flags="${pppoed_flags} -p ${pppoed_provider}" fi echo -n ' pppoed'; /usr/libexec/pppoed ${pppoed_flags} ${pppoed_interface} ;; esac case ${sshd_enable} in [Yy][Ee][Ss]) if [ ! -f /etc/ssh/ssh_host_key ]; then echo ' creating ssh RSA host key'; /usr/bin/ssh-keygen -N "" -f /etc/ssh/ssh_host_key fi if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then echo ' creating ssh DSA host key'; /usr/bin/ssh-keygen -d -N "" -f /etc/ssh/ssh_host_dsa_key fi ;; esac echo '.' network_pass3_done=YES } network_pass4() { echo -n 'Additional TCP options:' case ${log_in_vain} in [Nn][Oo] | '') ;; *) echo -n ' log_in_vain=YES' sysctl -w net.inet.tcp.log_in_vain=1 >/dev/null sysctl -w net.inet.udp.log_in_vain=1 >/dev/null ;; esac echo '.' network_pass4_done=YES } network_gif_setup() { case ${gif_interfaces} in [Nn][Oo] | '') ;; *) for i in ${gif_interfaces}; do eval peers=\$gifconfig_$i case ${peers} in '') continue ;; *) ifconfig $i create >/dev/null 2>&1 ifconfig $i tunnel ${peers} ;; esac done ;; esac } convert_host_conf() { host_conf=$1; shift; nsswitch_conf=$1; shift; awk ' \ /^[:blank:]*#/ { next } \ /(hosts|local|file)/ { nsswitch[c] = "files"; c++; next } \ /(dns|bind)/ { nsswitch[c] = "dns"; c++; next } \ /nis/ { nsswitch[c] = "nis"; c++; next } \ { printf "Warning: unrecognized line [%s]", $0 > "/dev/stderr" } \ END { \ printf "hosts: "; \ for (i in nsswitch) printf "%s ", nsswitch[i]; \ printf "\n"; \ }' < $host_conf > $nsswitch_conf } diff --git a/etc/rc.d/network2 b/etc/rc.d/network2 index b71553999701..67c88a0f805b 100644 --- a/etc/rc.d/network2 +++ b/etc/rc.d/network2 @@ -1,830 +1,829 @@ #!/bin/sh - # # Copyright (c) 1993 The FreeBSD Project # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # $FreeBSD$ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # # Note that almost all of the user-configurable behavior is no longer in # this file, but rather in /etc/defaults/rc.conf. Please check that file # first before contemplating any changes here. If you do need to change # this file for some reason, we would like to know about it. # First pass startup stuff. # network_pass1() { echo -n 'Doing initial network setup:' # Convert host.conf to nsswitch.conf if necessary if [ -f "/etc/host.conf" ]; then echo '' echo 'Warning: /etc/host.conf is no longer used' if [ -f "/etc/nsswitch.conf" ]; then echo ' /etc/nsswitch.conf will be used instead' else echo ' /etc/nsswitch.conf will be created for you' convert_host_conf /etc/host.conf /etc/nsswitch.conf fi fi # Set the host name if it is not already set # if [ -z "`hostname -s`" ]; then hostname ${hostname} echo -n ' hostname' fi # Establish ipfilter ruleset as early as possible (best in # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) # if /sbin/ipfstat -i > /dev/null 2>&1; then ipfilter_in_kernel=1 else ipfilter_in_kernel=0 fi case "${ipfilter_enable}" in [Yy][Ee][Ss]) if [ "${ipfilter_in_kernel}" -eq 0 ] && kldload ipl; then ipfilter_in_kernel=1 echo "Kernel ipfilter module loaded." elif [ "${ipfilter_in_kernel}" -eq 0 ]; then echo "Warning: ipfilter kernel module failed to load." fi if [ -r "${ipfilter_rules}" ]; then echo -n ' ipfilter'; ${ipfilter_program:-/sbin/ipf -Fa -f} \ "${ipfilter_rules}" ${ipfilter_flags} case "${ipmon_enable}" in [Yy][Ee][Ss]) echo -n ' ipmon' ${ipmon_program:-/sbin/ipmon} ${ipmon_flags} ;; esac case "${ipnat_enable}" in [Yy][Ee][Ss]) if [ -r "${ipnat_rules}" ]; then echo -n ' ipnat'; eval ${ipnat_program:-/sbin/ipnat -CF -f} \ "${ipnat_rules}" ${ipnat_flags} else echo -n ' NO IPNAT RULES' fi ;; esac else ipfilter_enable="NO" echo -n ' NO IPF RULES' fi ;; esac # Set the domainname if we're using NIS # case ${nisdomainname} in [Nn][Oo] | '') ;; *) domainname ${nisdomainname} echo -n ' domain' ;; esac echo '.' # Initial ATM interface configuration # case ${atm_enable} in [Yy][Ee][Ss]) if [ -r /etc/rc.atm ]; then . /etc/rc.atm atm_pass1 fi ;; esac # Attempt to create cloned interfaces. for ifn in ${cloned_interfaces}; do ifconfig ${ifn} create done # Special options for sppp(4) interfaces go here. These need # to go _before_ the general ifconfig section, since in the case # of hardwired (no link1 flag) but required authentication, you # cannot pass auth parameters down to the already running interface. # for ifn in ${sppp_interfaces}; do eval spppcontrol_args=\$spppconfig_${ifn} if [ -n "${spppcontrol_args}" ]; then # The auth secrets might contain spaces; in order # to retain the quotation, we need to eval them # here. eval spppcontrol ${ifn} ${spppcontrol_args} fi done # gifconfig network_gif_setup # Set up all the network interfaces, calling startup scripts if needed # case ${network_interfaces} in [Aa][Uu][Tt][Oo]) network_interfaces="`ifconfig -l`" ;; *) network_interfaces="${network_interfaces} ${cloned_interfaces}" ;; esac dhcp_interfaces="" for ifn in ${network_interfaces}; do if [ -r /etc/start_if.${ifn} ]; then . /etc/start_if.${ifn} eval showstat_$ifn=1 fi # Do the primary ifconfig if specified # eval ifconfig_args=\$ifconfig_${ifn} case ${ifconfig_args} in '') ;; [Dd][Hh][Cc][Pp]) # DHCP inits are done all in one go below dhcp_interfaces="$dhcp_interfaces $ifn" eval showstat_$ifn=1 ;; *) ifconfig ${ifn} ${ifconfig_args} eval showstat_$ifn=1 ;; esac done if [ ! -z "${dhcp_interfaces}" ]; then ${dhcp_program:-/sbin/dhclient} ${dhcp_flags} ${dhcp_interfaces} fi for ifn in ${network_interfaces}; do # Check to see if aliases need to be added # alias=0 while : ; do eval ifconfig_args=\$ifconfig_${ifn}_alias${alias} if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} alias eval showstat_$ifn=1 alias=`expr ${alias} + 1` else break; fi done # Do ipx address if specified # eval ifconfig_args=\$ifconfig_${ifn}_ipx if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} eval showstat_$ifn=1 fi done for ifn in ${network_interfaces}; do eval showstat=\$showstat_${ifn} if [ ! -z ${showstat} ]; then ifconfig ${ifn} fi done # ISDN subsystem startup # case ${isdn_enable} in [Yy][Ee][Ss]) if [ -r /etc/rc.isdn ]; then . /etc/rc.isdn fi ;; esac # Start user ppp if required. This must happen before natd. # case ${ppp_enable} in [Yy][Ee][Ss]) # Establish ppp mode. # if [ "${ppp_mode}" != "ddial" -a "${ppp_mode}" != "direct" \ -a "${ppp_mode}" != "dedicated" \ -a "${ppp_mode}" != "background" ]; then ppp_mode="auto" fi ppp_command="/usr/sbin/ppp -quiet -${ppp_mode}" # Switch on NAT mode? # case ${ppp_nat} in [Yy][Ee][Ss]) ppp_command="${ppp_command} -nat" ;; esac ppp_command="${ppp_command} ${ppp_profile}" echo "Starting ppp as \"${ppp_user}\"" su -m ${ppp_user} -c "exec ${ppp_command}" ;; esac # Initialize IP filtering using ipfw # if /sbin/ipfw -q flush > /dev/null 2>&1; then firewall_in_kernel=1 else firewall_in_kernel=0 fi case ${firewall_enable} in [Yy][Ee][Ss]) if [ "${firewall_in_kernel}" -eq 0 ] && kldload ipfw; then firewall_in_kernel=1 echo 'Kernel firewall module loaded' elif [ "${firewall_in_kernel}" -eq 0 ]; then echo 'Warning: firewall kernel module failed to load' fi ;; esac # Load the filters if required # case ${firewall_in_kernel} in 1) if [ -z "${firewall_script}" ]; then firewall_script=/etc/rc.firewall fi case ${firewall_enable} in [Yy][Ee][Ss]) if [ -r "${firewall_script}" ]; then . "${firewall_script}" echo -n 'Firewall rules loaded, starting divert daemons:' # Network Address Translation daemon # case ${natd_enable} in [Yy][Ee][Ss]) if [ -n "${natd_interface}" ]; then if echo ${natd_interface} | \ grep -q -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then natd_ifarg="-a ${natd_interface}" else natd_ifarg="-n ${natd_interface}" fi echo -n ' natd'; ${natd_program:-/sbin/natd} ${natd_flags} ${natd_ifarg} fi ;; esac echo '.' elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then echo 'Warning: kernel has firewall functionality,' \ 'but firewall rules are not enabled.' echo ' All ip services are disabled.' fi case ${firewall_logging} in [Yy][Ee][Ss] | '') echo 'Firewall logging=YES' sysctl -w net.inet.ip.fw.verbose=1 >/dev/null ;; *) ;; esac ;; esac ;; esac # Additional ATM interface configuration # if [ -n "${atm_pass1_done}" ]; then atm_pass2 fi # Configure routing # case ${defaultrouter} in [Nn][Oo] | '') ;; *) static_routes="default ${static_routes}" route_default="default ${defaultrouter}" ;; esac # Set up any static routes. This should be done before router discovery. # if [ -n "${static_routes}" ]; then for i in ${static_routes}; do eval route_args=\$route_${i} route add ${route_args} done fi echo -n 'Additional routing options:' case ${tcp_extensions} in [Yy][Ee][Ss] | '') ;; *) echo -n ' tcp extensions=NO' sysctl -w net.inet.tcp.rfc1323=0 >/dev/null ;; esac case ${icmp_bmcastecho} in [Yy][Ee][Ss]) echo -n ' broadcast ping responses=YES' sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null ;; esac case ${icmp_drop_redirect} in [Yy][Ee][Ss]) echo -n ' ignore ICMP redirect=YES' sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null ;; esac case ${icmp_log_redirect} in [Yy][Ee][Ss]) echo -n ' log ICMP redirect=YES' sysctl -w net.inet.icmp.log_redirect=1 >/dev/null ;; esac case ${gateway_enable} in [Yy][Ee][Ss]) echo -n ' IP gateway=YES' sysctl -w net.inet.ip.forwarding=1 >/dev/null ;; esac case ${forward_sourceroute} in [Yy][Ee][Ss]) echo -n ' do source routing=YES' sysctl -w net.inet.ip.sourceroute=1 >/dev/null ;; esac case ${accept_sourceroute} in [Yy][Ee][Ss]) echo -n ' accept source routing=YES' sysctl -w net.inet.ip.accept_sourceroute=1 >/dev/null ;; esac case ${tcp_keepalive} in [Yy][Ee][Ss]) echo -n ' TCP keepalive=YES' sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null ;; esac case ${tcp_drop_synfin} in [Yy][Ee][Ss]) echo -n ' drop SYN+FIN packets=YES' sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null ;; esac case ${ipxgateway_enable} in [Yy][Ee][Ss]) echo -n ' IPX gateway=YES' sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null ;; esac case ${arpproxy_all} in [Yy][Ee][Ss]) echo -n ' ARP proxyall=YES' sysctl -w net.link.ether.inet.proxyall=1 >/dev/null ;; esac case ${ip_portrange_first} in [Nn][Oo] | '') ;; *) echo -n " ip_portrange_first=$ip_portrange_first" sysctl -w net.inet.ip.portrange.first=$ip_portrange_first >/dev/null ;; esac case ${ip_portrange_last} in [Nn][Oo] | '') ;; *) echo -n " ip_portrange_last=$ip_portrange_last" sysctl -w net.inet.ip.portrange.last=$ip_portrange_last >/dev/null ;; esac echo '.' case ${ipsec_enable} in [Yy][Ee][Ss]) if [ -f ${ipsec_file} ]; then echo ' ipsec: enabled' setkey -f ${ipsec_file} else echo ' ipsec: file not found' fi ;; esac echo -n 'Routing daemons:' case ${router_enable} in [Yy][Ee][Ss]) echo -n " ${router}"; ${router} ${router_flags} ;; esac case ${ipxrouted_enable} in [Yy][Ee][Ss]) echo -n ' IPXrouted' IPXrouted ${ipxrouted_flags} > /dev/null 2>&1 ;; esac case ${mrouted_enable} in [Yy][Ee][Ss]) echo -n ' mrouted'; mrouted ${mrouted_flags} ;; esac case ${rarpd_enable} in [Yy][Ee][Ss]) echo -n ' rarpd'; rarpd ${rarpd_flags} ;; esac echo '.' # Let future generations know we made it. # network_pass1_done=YES } network_pass2() { echo -n 'Doing additional network setup:' case ${named_enable} in [Yy][Ee][Ss]) echo -n ' named'; ${named_program:-named} ${named_flags} ;; esac case ${ntpdate_enable} in [Yy][Ee][Ss]) echo -n ' ntpdate' ${ntpdate_program:-ntpdate} ${ntpdate_flags} >/dev/null 2>&1 ;; esac case ${xntpd_enable} in [Yy][Ee][Ss]) echo -n ' ntpd'; ${xntpd_program:-ntpd} ${xntpd_flags} ;; esac case ${timed_enable} in [Yy][Ee][Ss]) echo -n ' timed'; timed ${timed_flags} ;; esac case ${portmap_enable} in [Yy][Ee][Ss]) echo -n ' rpcbind'; ${portmap_program:-/usr/sbin/rpcbind} \ ${portmap_flags} # Start ypserv if we're an NIS server. # Run rpc.ypxfrd and rpc.yppasswdd only on the NIS master server. # case ${nis_server_enable} in [Yy][Ee][Ss]) echo -n ' ypserv'; ypserv ${nis_server_flags} case ${nis_ypxfrd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.ypxfrd' rpc.ypxfrd ${nis_ypxfrd_flags} ;; esac case ${nis_yppasswdd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.yppasswdd' rpc.yppasswdd ${nis_yppasswdd_flags} ;; esac ;; esac # Start ypbind if we're an NIS client # case ${nis_client_enable} in [Yy][Ee][Ss]) echo -n ' ypbind'; ypbind ${nis_client_flags} case ${nis_ypset_enable} in [Yy][Ee][Ss]) echo -n ' ypset'; ypset ${nis_ypset_flags} ;; esac ;; esac # Start keyserv if we are running Secure RPC # case ${keyserv_enable} in [Yy][Ee][Ss]) echo -n ' keyserv'; keyserv ${keyserv_flags} ;; esac # Start ypupdated if we are running Secure RPC # and we are NIS master # case ${rpc_ypupdated_enable} in [Yy][Ee][Ss]) echo -n ' rpc.ypupdated'; rpc.ypupdated ;; esac ;; esac # Start ATM daemons if [ -n "${atm_pass2_done}" ]; then atm_pass3 fi echo '.' network_pass2_done=YES } network_pass3() { echo -n 'Starting final network daemons:' case ${portmap_enable} in [Yy][Ee][Ss]) case ${nfs_server_enable} in [Yy][Ee][Ss]) if [ -r /etc/exports ]; then echo -n ' mountd' case ${weak_mountd_authentication} in [Yy][Ee][Ss]) mountd_flags="${mountd_flags} -n" ;; esac mountd ${mountd_flags} case ${nfs_reserved_port_only} in [Yy][Ee][Ss]) echo -n ' NFS on reserved port only=YES' sysctl -w vfs.nfsrv.nfs_privport=1 > /dev/null ;; esac echo -n ' nfsd'; nfsd ${nfs_server_flags} case ${rpc_lockd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.lockd'; rpc.lockd ;; esac case ${rpc_statd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.statd'; rpc.statd ;; esac fi ;; *) case ${single_mountd_enable} in [Yy][Ee][Ss]) if [ -r /etc/exports ]; then echo -n ' mountd' case ${weak_mountd_authentication} in [Yy][Ee][Ss]) mountd_flags="-n" ;; esac mountd ${mountd_flags} fi ;; esac ;; esac case ${nfs_client_enable} in [Yy][Ee][Ss]) - #echo -n ' nfsiod'; nfsiod ${nfs_client_flags} if [ -n "${nfs_access_cache}" ]; then echo -n " NFS access cache time=${nfs_access_cache}" sysctl -w vfs.nfs.access_cache_timeout=${nfs_access_cache} >/dev/null fi if [ -n "${nfs_bufpackets}" ]; then sysctl -w vfs.nfs.bufpackets=${nfs_bufpackets} > /dev/null fi ;; esac # If /var/db/mounttab exists, some nfs-server has not been # sucessfully notified about a previous client shutdown. # If there is no /var/db/mounttab, we do nothing. if [ -f /var/db/mounttab ]; then rpc.umntall -k fi case ${amd_enable} in [Yy][Ee][Ss]) echo -n ' amd' case ${amd_map_program} in [Nn][Oo] | '') ;; *) amd_flags="${amd_flags} `eval\ ${amd_map_program}`" ;; esac if [ -n "${amd_flags}" ]; then amd -p ${amd_flags}\ > /var/run/amd.pid 2> /dev/null else amd 2> /dev/null fi ;; esac ;; esac case ${rwhod_enable} in [Yy][Ee][Ss]) echo -n ' rwhod'; rwhod ${rwhod_flags} ;; esac # Kerberos servers run ONLY on the Kerberos server machine case ${kerberos4_server_enable} in [Yy][Ee][Ss]) case ${kerberos_stash} in [Yy][Ee][Ss]) stash=-n ;; *) stash= ;; esac echo -n ' kerberosIV' ${kerberos4_server} ${stash} >> /var/log/kerberos.log & case ${kadmind4_server_enable} in [Yy][Ee][Ss]) echo -n ' kadmindIV' ( sleep 20; ${kadmind4_server} ${stash} >/dev/null 2>&1 & ) & ;; esac unset stash_flag ;; esac case ${kerberos5_server_enable} in [Yy][Ee][Ss]) echo -n ' kerberos5' ${kerberos5_server} & case ${kadmind5_server_enable} in [Yy][Ee][Ss]) echo -n ' kadmind5' ${kadmind5_server} & ;; esac ;; esac case ${pppoed_enable} in [Yy][Ee][Ss]) if [ -n "${pppoed_provider}" ]; then pppoed_flags="${pppoed_flags} -p ${pppoed_provider}" fi echo -n ' pppoed'; /usr/libexec/pppoed ${pppoed_flags} ${pppoed_interface} ;; esac case ${sshd_enable} in [Yy][Ee][Ss]) if [ ! -f /etc/ssh/ssh_host_key ]; then echo ' creating ssh RSA host key'; /usr/bin/ssh-keygen -N "" -f /etc/ssh/ssh_host_key fi if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then echo ' creating ssh DSA host key'; /usr/bin/ssh-keygen -d -N "" -f /etc/ssh/ssh_host_dsa_key fi ;; esac echo '.' network_pass3_done=YES } network_pass4() { echo -n 'Additional TCP options:' case ${log_in_vain} in [Nn][Oo] | '') ;; *) echo -n ' log_in_vain=YES' sysctl -w net.inet.tcp.log_in_vain=1 >/dev/null sysctl -w net.inet.udp.log_in_vain=1 >/dev/null ;; esac echo '.' network_pass4_done=YES } network_gif_setup() { case ${gif_interfaces} in [Nn][Oo] | '') ;; *) for i in ${gif_interfaces}; do eval peers=\$gifconfig_$i case ${peers} in '') continue ;; *) ifconfig $i create >/dev/null 2>&1 ifconfig $i tunnel ${peers} ;; esac done ;; esac } convert_host_conf() { host_conf=$1; shift; nsswitch_conf=$1; shift; awk ' \ /^[:blank:]*#/ { next } \ /(hosts|local|file)/ { nsswitch[c] = "files"; c++; next } \ /(dns|bind)/ { nsswitch[c] = "dns"; c++; next } \ /nis/ { nsswitch[c] = "nis"; c++; next } \ { printf "Warning: unrecognized line [%s]", $0 > "/dev/stderr" } \ END { \ printf "hosts: "; \ for (i in nsswitch) printf "%s ", nsswitch[i]; \ printf "\n"; \ }' < $host_conf > $nsswitch_conf } diff --git a/etc/rc.d/network3 b/etc/rc.d/network3 index b71553999701..67c88a0f805b 100644 --- a/etc/rc.d/network3 +++ b/etc/rc.d/network3 @@ -1,830 +1,829 @@ #!/bin/sh - # # Copyright (c) 1993 The FreeBSD Project # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # $FreeBSD$ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # # Note that almost all of the user-configurable behavior is no longer in # this file, but rather in /etc/defaults/rc.conf. Please check that file # first before contemplating any changes here. If you do need to change # this file for some reason, we would like to know about it. # First pass startup stuff. # network_pass1() { echo -n 'Doing initial network setup:' # Convert host.conf to nsswitch.conf if necessary if [ -f "/etc/host.conf" ]; then echo '' echo 'Warning: /etc/host.conf is no longer used' if [ -f "/etc/nsswitch.conf" ]; then echo ' /etc/nsswitch.conf will be used instead' else echo ' /etc/nsswitch.conf will be created for you' convert_host_conf /etc/host.conf /etc/nsswitch.conf fi fi # Set the host name if it is not already set # if [ -z "`hostname -s`" ]; then hostname ${hostname} echo -n ' hostname' fi # Establish ipfilter ruleset as early as possible (best in # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) # if /sbin/ipfstat -i > /dev/null 2>&1; then ipfilter_in_kernel=1 else ipfilter_in_kernel=0 fi case "${ipfilter_enable}" in [Yy][Ee][Ss]) if [ "${ipfilter_in_kernel}" -eq 0 ] && kldload ipl; then ipfilter_in_kernel=1 echo "Kernel ipfilter module loaded." elif [ "${ipfilter_in_kernel}" -eq 0 ]; then echo "Warning: ipfilter kernel module failed to load." fi if [ -r "${ipfilter_rules}" ]; then echo -n ' ipfilter'; ${ipfilter_program:-/sbin/ipf -Fa -f} \ "${ipfilter_rules}" ${ipfilter_flags} case "${ipmon_enable}" in [Yy][Ee][Ss]) echo -n ' ipmon' ${ipmon_program:-/sbin/ipmon} ${ipmon_flags} ;; esac case "${ipnat_enable}" in [Yy][Ee][Ss]) if [ -r "${ipnat_rules}" ]; then echo -n ' ipnat'; eval ${ipnat_program:-/sbin/ipnat -CF -f} \ "${ipnat_rules}" ${ipnat_flags} else echo -n ' NO IPNAT RULES' fi ;; esac else ipfilter_enable="NO" echo -n ' NO IPF RULES' fi ;; esac # Set the domainname if we're using NIS # case ${nisdomainname} in [Nn][Oo] | '') ;; *) domainname ${nisdomainname} echo -n ' domain' ;; esac echo '.' # Initial ATM interface configuration # case ${atm_enable} in [Yy][Ee][Ss]) if [ -r /etc/rc.atm ]; then . /etc/rc.atm atm_pass1 fi ;; esac # Attempt to create cloned interfaces. for ifn in ${cloned_interfaces}; do ifconfig ${ifn} create done # Special options for sppp(4) interfaces go here. These need # to go _before_ the general ifconfig section, since in the case # of hardwired (no link1 flag) but required authentication, you # cannot pass auth parameters down to the already running interface. # for ifn in ${sppp_interfaces}; do eval spppcontrol_args=\$spppconfig_${ifn} if [ -n "${spppcontrol_args}" ]; then # The auth secrets might contain spaces; in order # to retain the quotation, we need to eval them # here. eval spppcontrol ${ifn} ${spppcontrol_args} fi done # gifconfig network_gif_setup # Set up all the network interfaces, calling startup scripts if needed # case ${network_interfaces} in [Aa][Uu][Tt][Oo]) network_interfaces="`ifconfig -l`" ;; *) network_interfaces="${network_interfaces} ${cloned_interfaces}" ;; esac dhcp_interfaces="" for ifn in ${network_interfaces}; do if [ -r /etc/start_if.${ifn} ]; then . /etc/start_if.${ifn} eval showstat_$ifn=1 fi # Do the primary ifconfig if specified # eval ifconfig_args=\$ifconfig_${ifn} case ${ifconfig_args} in '') ;; [Dd][Hh][Cc][Pp]) # DHCP inits are done all in one go below dhcp_interfaces="$dhcp_interfaces $ifn" eval showstat_$ifn=1 ;; *) ifconfig ${ifn} ${ifconfig_args} eval showstat_$ifn=1 ;; esac done if [ ! -z "${dhcp_interfaces}" ]; then ${dhcp_program:-/sbin/dhclient} ${dhcp_flags} ${dhcp_interfaces} fi for ifn in ${network_interfaces}; do # Check to see if aliases need to be added # alias=0 while : ; do eval ifconfig_args=\$ifconfig_${ifn}_alias${alias} if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} alias eval showstat_$ifn=1 alias=`expr ${alias} + 1` else break; fi done # Do ipx address if specified # eval ifconfig_args=\$ifconfig_${ifn}_ipx if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} eval showstat_$ifn=1 fi done for ifn in ${network_interfaces}; do eval showstat=\$showstat_${ifn} if [ ! -z ${showstat} ]; then ifconfig ${ifn} fi done # ISDN subsystem startup # case ${isdn_enable} in [Yy][Ee][Ss]) if [ -r /etc/rc.isdn ]; then . /etc/rc.isdn fi ;; esac # Start user ppp if required. This must happen before natd. # case ${ppp_enable} in [Yy][Ee][Ss]) # Establish ppp mode. # if [ "${ppp_mode}" != "ddial" -a "${ppp_mode}" != "direct" \ -a "${ppp_mode}" != "dedicated" \ -a "${ppp_mode}" != "background" ]; then ppp_mode="auto" fi ppp_command="/usr/sbin/ppp -quiet -${ppp_mode}" # Switch on NAT mode? # case ${ppp_nat} in [Yy][Ee][Ss]) ppp_command="${ppp_command} -nat" ;; esac ppp_command="${ppp_command} ${ppp_profile}" echo "Starting ppp as \"${ppp_user}\"" su -m ${ppp_user} -c "exec ${ppp_command}" ;; esac # Initialize IP filtering using ipfw # if /sbin/ipfw -q flush > /dev/null 2>&1; then firewall_in_kernel=1 else firewall_in_kernel=0 fi case ${firewall_enable} in [Yy][Ee][Ss]) if [ "${firewall_in_kernel}" -eq 0 ] && kldload ipfw; then firewall_in_kernel=1 echo 'Kernel firewall module loaded' elif [ "${firewall_in_kernel}" -eq 0 ]; then echo 'Warning: firewall kernel module failed to load' fi ;; esac # Load the filters if required # case ${firewall_in_kernel} in 1) if [ -z "${firewall_script}" ]; then firewall_script=/etc/rc.firewall fi case ${firewall_enable} in [Yy][Ee][Ss]) if [ -r "${firewall_script}" ]; then . "${firewall_script}" echo -n 'Firewall rules loaded, starting divert daemons:' # Network Address Translation daemon # case ${natd_enable} in [Yy][Ee][Ss]) if [ -n "${natd_interface}" ]; then if echo ${natd_interface} | \ grep -q -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then natd_ifarg="-a ${natd_interface}" else natd_ifarg="-n ${natd_interface}" fi echo -n ' natd'; ${natd_program:-/sbin/natd} ${natd_flags} ${natd_ifarg} fi ;; esac echo '.' elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then echo 'Warning: kernel has firewall functionality,' \ 'but firewall rules are not enabled.' echo ' All ip services are disabled.' fi case ${firewall_logging} in [Yy][Ee][Ss] | '') echo 'Firewall logging=YES' sysctl -w net.inet.ip.fw.verbose=1 >/dev/null ;; *) ;; esac ;; esac ;; esac # Additional ATM interface configuration # if [ -n "${atm_pass1_done}" ]; then atm_pass2 fi # Configure routing # case ${defaultrouter} in [Nn][Oo] | '') ;; *) static_routes="default ${static_routes}" route_default="default ${defaultrouter}" ;; esac # Set up any static routes. This should be done before router discovery. # if [ -n "${static_routes}" ]; then for i in ${static_routes}; do eval route_args=\$route_${i} route add ${route_args} done fi echo -n 'Additional routing options:' case ${tcp_extensions} in [Yy][Ee][Ss] | '') ;; *) echo -n ' tcp extensions=NO' sysctl -w net.inet.tcp.rfc1323=0 >/dev/null ;; esac case ${icmp_bmcastecho} in [Yy][Ee][Ss]) echo -n ' broadcast ping responses=YES' sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null ;; esac case ${icmp_drop_redirect} in [Yy][Ee][Ss]) echo -n ' ignore ICMP redirect=YES' sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null ;; esac case ${icmp_log_redirect} in [Yy][Ee][Ss]) echo -n ' log ICMP redirect=YES' sysctl -w net.inet.icmp.log_redirect=1 >/dev/null ;; esac case ${gateway_enable} in [Yy][Ee][Ss]) echo -n ' IP gateway=YES' sysctl -w net.inet.ip.forwarding=1 >/dev/null ;; esac case ${forward_sourceroute} in [Yy][Ee][Ss]) echo -n ' do source routing=YES' sysctl -w net.inet.ip.sourceroute=1 >/dev/null ;; esac case ${accept_sourceroute} in [Yy][Ee][Ss]) echo -n ' accept source routing=YES' sysctl -w net.inet.ip.accept_sourceroute=1 >/dev/null ;; esac case ${tcp_keepalive} in [Yy][Ee][Ss]) echo -n ' TCP keepalive=YES' sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null ;; esac case ${tcp_drop_synfin} in [Yy][Ee][Ss]) echo -n ' drop SYN+FIN packets=YES' sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null ;; esac case ${ipxgateway_enable} in [Yy][Ee][Ss]) echo -n ' IPX gateway=YES' sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null ;; esac case ${arpproxy_all} in [Yy][Ee][Ss]) echo -n ' ARP proxyall=YES' sysctl -w net.link.ether.inet.proxyall=1 >/dev/null ;; esac case ${ip_portrange_first} in [Nn][Oo] | '') ;; *) echo -n " ip_portrange_first=$ip_portrange_first" sysctl -w net.inet.ip.portrange.first=$ip_portrange_first >/dev/null ;; esac case ${ip_portrange_last} in [Nn][Oo] | '') ;; *) echo -n " ip_portrange_last=$ip_portrange_last" sysctl -w net.inet.ip.portrange.last=$ip_portrange_last >/dev/null ;; esac echo '.' case ${ipsec_enable} in [Yy][Ee][Ss]) if [ -f ${ipsec_file} ]; then echo ' ipsec: enabled' setkey -f ${ipsec_file} else echo ' ipsec: file not found' fi ;; esac echo -n 'Routing daemons:' case ${router_enable} in [Yy][Ee][Ss]) echo -n " ${router}"; ${router} ${router_flags} ;; esac case ${ipxrouted_enable} in [Yy][Ee][Ss]) echo -n ' IPXrouted' IPXrouted ${ipxrouted_flags} > /dev/null 2>&1 ;; esac case ${mrouted_enable} in [Yy][Ee][Ss]) echo -n ' mrouted'; mrouted ${mrouted_flags} ;; esac case ${rarpd_enable} in [Yy][Ee][Ss]) echo -n ' rarpd'; rarpd ${rarpd_flags} ;; esac echo '.' # Let future generations know we made it. # network_pass1_done=YES } network_pass2() { echo -n 'Doing additional network setup:' case ${named_enable} in [Yy][Ee][Ss]) echo -n ' named'; ${named_program:-named} ${named_flags} ;; esac case ${ntpdate_enable} in [Yy][Ee][Ss]) echo -n ' ntpdate' ${ntpdate_program:-ntpdate} ${ntpdate_flags} >/dev/null 2>&1 ;; esac case ${xntpd_enable} in [Yy][Ee][Ss]) echo -n ' ntpd'; ${xntpd_program:-ntpd} ${xntpd_flags} ;; esac case ${timed_enable} in [Yy][Ee][Ss]) echo -n ' timed'; timed ${timed_flags} ;; esac case ${portmap_enable} in [Yy][Ee][Ss]) echo -n ' rpcbind'; ${portmap_program:-/usr/sbin/rpcbind} \ ${portmap_flags} # Start ypserv if we're an NIS server. # Run rpc.ypxfrd and rpc.yppasswdd only on the NIS master server. # case ${nis_server_enable} in [Yy][Ee][Ss]) echo -n ' ypserv'; ypserv ${nis_server_flags} case ${nis_ypxfrd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.ypxfrd' rpc.ypxfrd ${nis_ypxfrd_flags} ;; esac case ${nis_yppasswdd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.yppasswdd' rpc.yppasswdd ${nis_yppasswdd_flags} ;; esac ;; esac # Start ypbind if we're an NIS client # case ${nis_client_enable} in [Yy][Ee][Ss]) echo -n ' ypbind'; ypbind ${nis_client_flags} case ${nis_ypset_enable} in [Yy][Ee][Ss]) echo -n ' ypset'; ypset ${nis_ypset_flags} ;; esac ;; esac # Start keyserv if we are running Secure RPC # case ${keyserv_enable} in [Yy][Ee][Ss]) echo -n ' keyserv'; keyserv ${keyserv_flags} ;; esac # Start ypupdated if we are running Secure RPC # and we are NIS master # case ${rpc_ypupdated_enable} in [Yy][Ee][Ss]) echo -n ' rpc.ypupdated'; rpc.ypupdated ;; esac ;; esac # Start ATM daemons if [ -n "${atm_pass2_done}" ]; then atm_pass3 fi echo '.' network_pass2_done=YES } network_pass3() { echo -n 'Starting final network daemons:' case ${portmap_enable} in [Yy][Ee][Ss]) case ${nfs_server_enable} in [Yy][Ee][Ss]) if [ -r /etc/exports ]; then echo -n ' mountd' case ${weak_mountd_authentication} in [Yy][Ee][Ss]) mountd_flags="${mountd_flags} -n" ;; esac mountd ${mountd_flags} case ${nfs_reserved_port_only} in [Yy][Ee][Ss]) echo -n ' NFS on reserved port only=YES' sysctl -w vfs.nfsrv.nfs_privport=1 > /dev/null ;; esac echo -n ' nfsd'; nfsd ${nfs_server_flags} case ${rpc_lockd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.lockd'; rpc.lockd ;; esac case ${rpc_statd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.statd'; rpc.statd ;; esac fi ;; *) case ${single_mountd_enable} in [Yy][Ee][Ss]) if [ -r /etc/exports ]; then echo -n ' mountd' case ${weak_mountd_authentication} in [Yy][Ee][Ss]) mountd_flags="-n" ;; esac mountd ${mountd_flags} fi ;; esac ;; esac case ${nfs_client_enable} in [Yy][Ee][Ss]) - #echo -n ' nfsiod'; nfsiod ${nfs_client_flags} if [ -n "${nfs_access_cache}" ]; then echo -n " NFS access cache time=${nfs_access_cache}" sysctl -w vfs.nfs.access_cache_timeout=${nfs_access_cache} >/dev/null fi if [ -n "${nfs_bufpackets}" ]; then sysctl -w vfs.nfs.bufpackets=${nfs_bufpackets} > /dev/null fi ;; esac # If /var/db/mounttab exists, some nfs-server has not been # sucessfully notified about a previous client shutdown. # If there is no /var/db/mounttab, we do nothing. if [ -f /var/db/mounttab ]; then rpc.umntall -k fi case ${amd_enable} in [Yy][Ee][Ss]) echo -n ' amd' case ${amd_map_program} in [Nn][Oo] | '') ;; *) amd_flags="${amd_flags} `eval\ ${amd_map_program}`" ;; esac if [ -n "${amd_flags}" ]; then amd -p ${amd_flags}\ > /var/run/amd.pid 2> /dev/null else amd 2> /dev/null fi ;; esac ;; esac case ${rwhod_enable} in [Yy][Ee][Ss]) echo -n ' rwhod'; rwhod ${rwhod_flags} ;; esac # Kerberos servers run ONLY on the Kerberos server machine case ${kerberos4_server_enable} in [Yy][Ee][Ss]) case ${kerberos_stash} in [Yy][Ee][Ss]) stash=-n ;; *) stash= ;; esac echo -n ' kerberosIV' ${kerberos4_server} ${stash} >> /var/log/kerberos.log & case ${kadmind4_server_enable} in [Yy][Ee][Ss]) echo -n ' kadmindIV' ( sleep 20; ${kadmind4_server} ${stash} >/dev/null 2>&1 & ) & ;; esac unset stash_flag ;; esac case ${kerberos5_server_enable} in [Yy][Ee][Ss]) echo -n ' kerberos5' ${kerberos5_server} & case ${kadmind5_server_enable} in [Yy][Ee][Ss]) echo -n ' kadmind5' ${kadmind5_server} & ;; esac ;; esac case ${pppoed_enable} in [Yy][Ee][Ss]) if [ -n "${pppoed_provider}" ]; then pppoed_flags="${pppoed_flags} -p ${pppoed_provider}" fi echo -n ' pppoed'; /usr/libexec/pppoed ${pppoed_flags} ${pppoed_interface} ;; esac case ${sshd_enable} in [Yy][Ee][Ss]) if [ ! -f /etc/ssh/ssh_host_key ]; then echo ' creating ssh RSA host key'; /usr/bin/ssh-keygen -N "" -f /etc/ssh/ssh_host_key fi if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then echo ' creating ssh DSA host key'; /usr/bin/ssh-keygen -d -N "" -f /etc/ssh/ssh_host_dsa_key fi ;; esac echo '.' network_pass3_done=YES } network_pass4() { echo -n 'Additional TCP options:' case ${log_in_vain} in [Nn][Oo] | '') ;; *) echo -n ' log_in_vain=YES' sysctl -w net.inet.tcp.log_in_vain=1 >/dev/null sysctl -w net.inet.udp.log_in_vain=1 >/dev/null ;; esac echo '.' network_pass4_done=YES } network_gif_setup() { case ${gif_interfaces} in [Nn][Oo] | '') ;; *) for i in ${gif_interfaces}; do eval peers=\$gifconfig_$i case ${peers} in '') continue ;; *) ifconfig $i create >/dev/null 2>&1 ifconfig $i tunnel ${peers} ;; esac done ;; esac } convert_host_conf() { host_conf=$1; shift; nsswitch_conf=$1; shift; awk ' \ /^[:blank:]*#/ { next } \ /(hosts|local|file)/ { nsswitch[c] = "files"; c++; next } \ /(dns|bind)/ { nsswitch[c] = "dns"; c++; next } \ /nis/ { nsswitch[c] = "nis"; c++; next } \ { printf "Warning: unrecognized line [%s]", $0 > "/dev/stderr" } \ END { \ printf "hosts: "; \ for (i in nsswitch) printf "%s ", nsswitch[i]; \ printf "\n"; \ }' < $host_conf > $nsswitch_conf } diff --git a/etc/rc.d/routing b/etc/rc.d/routing index b71553999701..67c88a0f805b 100644 --- a/etc/rc.d/routing +++ b/etc/rc.d/routing @@ -1,830 +1,829 @@ #!/bin/sh - # # Copyright (c) 1993 The FreeBSD Project # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # $FreeBSD$ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # # Note that almost all of the user-configurable behavior is no longer in # this file, but rather in /etc/defaults/rc.conf. Please check that file # first before contemplating any changes here. If you do need to change # this file for some reason, we would like to know about it. # First pass startup stuff. # network_pass1() { echo -n 'Doing initial network setup:' # Convert host.conf to nsswitch.conf if necessary if [ -f "/etc/host.conf" ]; then echo '' echo 'Warning: /etc/host.conf is no longer used' if [ -f "/etc/nsswitch.conf" ]; then echo ' /etc/nsswitch.conf will be used instead' else echo ' /etc/nsswitch.conf will be created for you' convert_host_conf /etc/host.conf /etc/nsswitch.conf fi fi # Set the host name if it is not already set # if [ -z "`hostname -s`" ]; then hostname ${hostname} echo -n ' hostname' fi # Establish ipfilter ruleset as early as possible (best in # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) # if /sbin/ipfstat -i > /dev/null 2>&1; then ipfilter_in_kernel=1 else ipfilter_in_kernel=0 fi case "${ipfilter_enable}" in [Yy][Ee][Ss]) if [ "${ipfilter_in_kernel}" -eq 0 ] && kldload ipl; then ipfilter_in_kernel=1 echo "Kernel ipfilter module loaded." elif [ "${ipfilter_in_kernel}" -eq 0 ]; then echo "Warning: ipfilter kernel module failed to load." fi if [ -r "${ipfilter_rules}" ]; then echo -n ' ipfilter'; ${ipfilter_program:-/sbin/ipf -Fa -f} \ "${ipfilter_rules}" ${ipfilter_flags} case "${ipmon_enable}" in [Yy][Ee][Ss]) echo -n ' ipmon' ${ipmon_program:-/sbin/ipmon} ${ipmon_flags} ;; esac case "${ipnat_enable}" in [Yy][Ee][Ss]) if [ -r "${ipnat_rules}" ]; then echo -n ' ipnat'; eval ${ipnat_program:-/sbin/ipnat -CF -f} \ "${ipnat_rules}" ${ipnat_flags} else echo -n ' NO IPNAT RULES' fi ;; esac else ipfilter_enable="NO" echo -n ' NO IPF RULES' fi ;; esac # Set the domainname if we're using NIS # case ${nisdomainname} in [Nn][Oo] | '') ;; *) domainname ${nisdomainname} echo -n ' domain' ;; esac echo '.' # Initial ATM interface configuration # case ${atm_enable} in [Yy][Ee][Ss]) if [ -r /etc/rc.atm ]; then . /etc/rc.atm atm_pass1 fi ;; esac # Attempt to create cloned interfaces. for ifn in ${cloned_interfaces}; do ifconfig ${ifn} create done # Special options for sppp(4) interfaces go here. These need # to go _before_ the general ifconfig section, since in the case # of hardwired (no link1 flag) but required authentication, you # cannot pass auth parameters down to the already running interface. # for ifn in ${sppp_interfaces}; do eval spppcontrol_args=\$spppconfig_${ifn} if [ -n "${spppcontrol_args}" ]; then # The auth secrets might contain spaces; in order # to retain the quotation, we need to eval them # here. eval spppcontrol ${ifn} ${spppcontrol_args} fi done # gifconfig network_gif_setup # Set up all the network interfaces, calling startup scripts if needed # case ${network_interfaces} in [Aa][Uu][Tt][Oo]) network_interfaces="`ifconfig -l`" ;; *) network_interfaces="${network_interfaces} ${cloned_interfaces}" ;; esac dhcp_interfaces="" for ifn in ${network_interfaces}; do if [ -r /etc/start_if.${ifn} ]; then . /etc/start_if.${ifn} eval showstat_$ifn=1 fi # Do the primary ifconfig if specified # eval ifconfig_args=\$ifconfig_${ifn} case ${ifconfig_args} in '') ;; [Dd][Hh][Cc][Pp]) # DHCP inits are done all in one go below dhcp_interfaces="$dhcp_interfaces $ifn" eval showstat_$ifn=1 ;; *) ifconfig ${ifn} ${ifconfig_args} eval showstat_$ifn=1 ;; esac done if [ ! -z "${dhcp_interfaces}" ]; then ${dhcp_program:-/sbin/dhclient} ${dhcp_flags} ${dhcp_interfaces} fi for ifn in ${network_interfaces}; do # Check to see if aliases need to be added # alias=0 while : ; do eval ifconfig_args=\$ifconfig_${ifn}_alias${alias} if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} alias eval showstat_$ifn=1 alias=`expr ${alias} + 1` else break; fi done # Do ipx address if specified # eval ifconfig_args=\$ifconfig_${ifn}_ipx if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} eval showstat_$ifn=1 fi done for ifn in ${network_interfaces}; do eval showstat=\$showstat_${ifn} if [ ! -z ${showstat} ]; then ifconfig ${ifn} fi done # ISDN subsystem startup # case ${isdn_enable} in [Yy][Ee][Ss]) if [ -r /etc/rc.isdn ]; then . /etc/rc.isdn fi ;; esac # Start user ppp if required. This must happen before natd. # case ${ppp_enable} in [Yy][Ee][Ss]) # Establish ppp mode. # if [ "${ppp_mode}" != "ddial" -a "${ppp_mode}" != "direct" \ -a "${ppp_mode}" != "dedicated" \ -a "${ppp_mode}" != "background" ]; then ppp_mode="auto" fi ppp_command="/usr/sbin/ppp -quiet -${ppp_mode}" # Switch on NAT mode? # case ${ppp_nat} in [Yy][Ee][Ss]) ppp_command="${ppp_command} -nat" ;; esac ppp_command="${ppp_command} ${ppp_profile}" echo "Starting ppp as \"${ppp_user}\"" su -m ${ppp_user} -c "exec ${ppp_command}" ;; esac # Initialize IP filtering using ipfw # if /sbin/ipfw -q flush > /dev/null 2>&1; then firewall_in_kernel=1 else firewall_in_kernel=0 fi case ${firewall_enable} in [Yy][Ee][Ss]) if [ "${firewall_in_kernel}" -eq 0 ] && kldload ipfw; then firewall_in_kernel=1 echo 'Kernel firewall module loaded' elif [ "${firewall_in_kernel}" -eq 0 ]; then echo 'Warning: firewall kernel module failed to load' fi ;; esac # Load the filters if required # case ${firewall_in_kernel} in 1) if [ -z "${firewall_script}" ]; then firewall_script=/etc/rc.firewall fi case ${firewall_enable} in [Yy][Ee][Ss]) if [ -r "${firewall_script}" ]; then . "${firewall_script}" echo -n 'Firewall rules loaded, starting divert daemons:' # Network Address Translation daemon # case ${natd_enable} in [Yy][Ee][Ss]) if [ -n "${natd_interface}" ]; then if echo ${natd_interface} | \ grep -q -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then natd_ifarg="-a ${natd_interface}" else natd_ifarg="-n ${natd_interface}" fi echo -n ' natd'; ${natd_program:-/sbin/natd} ${natd_flags} ${natd_ifarg} fi ;; esac echo '.' elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then echo 'Warning: kernel has firewall functionality,' \ 'but firewall rules are not enabled.' echo ' All ip services are disabled.' fi case ${firewall_logging} in [Yy][Ee][Ss] | '') echo 'Firewall logging=YES' sysctl -w net.inet.ip.fw.verbose=1 >/dev/null ;; *) ;; esac ;; esac ;; esac # Additional ATM interface configuration # if [ -n "${atm_pass1_done}" ]; then atm_pass2 fi # Configure routing # case ${defaultrouter} in [Nn][Oo] | '') ;; *) static_routes="default ${static_routes}" route_default="default ${defaultrouter}" ;; esac # Set up any static routes. This should be done before router discovery. # if [ -n "${static_routes}" ]; then for i in ${static_routes}; do eval route_args=\$route_${i} route add ${route_args} done fi echo -n 'Additional routing options:' case ${tcp_extensions} in [Yy][Ee][Ss] | '') ;; *) echo -n ' tcp extensions=NO' sysctl -w net.inet.tcp.rfc1323=0 >/dev/null ;; esac case ${icmp_bmcastecho} in [Yy][Ee][Ss]) echo -n ' broadcast ping responses=YES' sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null ;; esac case ${icmp_drop_redirect} in [Yy][Ee][Ss]) echo -n ' ignore ICMP redirect=YES' sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null ;; esac case ${icmp_log_redirect} in [Yy][Ee][Ss]) echo -n ' log ICMP redirect=YES' sysctl -w net.inet.icmp.log_redirect=1 >/dev/null ;; esac case ${gateway_enable} in [Yy][Ee][Ss]) echo -n ' IP gateway=YES' sysctl -w net.inet.ip.forwarding=1 >/dev/null ;; esac case ${forward_sourceroute} in [Yy][Ee][Ss]) echo -n ' do source routing=YES' sysctl -w net.inet.ip.sourceroute=1 >/dev/null ;; esac case ${accept_sourceroute} in [Yy][Ee][Ss]) echo -n ' accept source routing=YES' sysctl -w net.inet.ip.accept_sourceroute=1 >/dev/null ;; esac case ${tcp_keepalive} in [Yy][Ee][Ss]) echo -n ' TCP keepalive=YES' sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null ;; esac case ${tcp_drop_synfin} in [Yy][Ee][Ss]) echo -n ' drop SYN+FIN packets=YES' sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null ;; esac case ${ipxgateway_enable} in [Yy][Ee][Ss]) echo -n ' IPX gateway=YES' sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null ;; esac case ${arpproxy_all} in [Yy][Ee][Ss]) echo -n ' ARP proxyall=YES' sysctl -w net.link.ether.inet.proxyall=1 >/dev/null ;; esac case ${ip_portrange_first} in [Nn][Oo] | '') ;; *) echo -n " ip_portrange_first=$ip_portrange_first" sysctl -w net.inet.ip.portrange.first=$ip_portrange_first >/dev/null ;; esac case ${ip_portrange_last} in [Nn][Oo] | '') ;; *) echo -n " ip_portrange_last=$ip_portrange_last" sysctl -w net.inet.ip.portrange.last=$ip_portrange_last >/dev/null ;; esac echo '.' case ${ipsec_enable} in [Yy][Ee][Ss]) if [ -f ${ipsec_file} ]; then echo ' ipsec: enabled' setkey -f ${ipsec_file} else echo ' ipsec: file not found' fi ;; esac echo -n 'Routing daemons:' case ${router_enable} in [Yy][Ee][Ss]) echo -n " ${router}"; ${router} ${router_flags} ;; esac case ${ipxrouted_enable} in [Yy][Ee][Ss]) echo -n ' IPXrouted' IPXrouted ${ipxrouted_flags} > /dev/null 2>&1 ;; esac case ${mrouted_enable} in [Yy][Ee][Ss]) echo -n ' mrouted'; mrouted ${mrouted_flags} ;; esac case ${rarpd_enable} in [Yy][Ee][Ss]) echo -n ' rarpd'; rarpd ${rarpd_flags} ;; esac echo '.' # Let future generations know we made it. # network_pass1_done=YES } network_pass2() { echo -n 'Doing additional network setup:' case ${named_enable} in [Yy][Ee][Ss]) echo -n ' named'; ${named_program:-named} ${named_flags} ;; esac case ${ntpdate_enable} in [Yy][Ee][Ss]) echo -n ' ntpdate' ${ntpdate_program:-ntpdate} ${ntpdate_flags} >/dev/null 2>&1 ;; esac case ${xntpd_enable} in [Yy][Ee][Ss]) echo -n ' ntpd'; ${xntpd_program:-ntpd} ${xntpd_flags} ;; esac case ${timed_enable} in [Yy][Ee][Ss]) echo -n ' timed'; timed ${timed_flags} ;; esac case ${portmap_enable} in [Yy][Ee][Ss]) echo -n ' rpcbind'; ${portmap_program:-/usr/sbin/rpcbind} \ ${portmap_flags} # Start ypserv if we're an NIS server. # Run rpc.ypxfrd and rpc.yppasswdd only on the NIS master server. # case ${nis_server_enable} in [Yy][Ee][Ss]) echo -n ' ypserv'; ypserv ${nis_server_flags} case ${nis_ypxfrd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.ypxfrd' rpc.ypxfrd ${nis_ypxfrd_flags} ;; esac case ${nis_yppasswdd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.yppasswdd' rpc.yppasswdd ${nis_yppasswdd_flags} ;; esac ;; esac # Start ypbind if we're an NIS client # case ${nis_client_enable} in [Yy][Ee][Ss]) echo -n ' ypbind'; ypbind ${nis_client_flags} case ${nis_ypset_enable} in [Yy][Ee][Ss]) echo -n ' ypset'; ypset ${nis_ypset_flags} ;; esac ;; esac # Start keyserv if we are running Secure RPC # case ${keyserv_enable} in [Yy][Ee][Ss]) echo -n ' keyserv'; keyserv ${keyserv_flags} ;; esac # Start ypupdated if we are running Secure RPC # and we are NIS master # case ${rpc_ypupdated_enable} in [Yy][Ee][Ss]) echo -n ' rpc.ypupdated'; rpc.ypupdated ;; esac ;; esac # Start ATM daemons if [ -n "${atm_pass2_done}" ]; then atm_pass3 fi echo '.' network_pass2_done=YES } network_pass3() { echo -n 'Starting final network daemons:' case ${portmap_enable} in [Yy][Ee][Ss]) case ${nfs_server_enable} in [Yy][Ee][Ss]) if [ -r /etc/exports ]; then echo -n ' mountd' case ${weak_mountd_authentication} in [Yy][Ee][Ss]) mountd_flags="${mountd_flags} -n" ;; esac mountd ${mountd_flags} case ${nfs_reserved_port_only} in [Yy][Ee][Ss]) echo -n ' NFS on reserved port only=YES' sysctl -w vfs.nfsrv.nfs_privport=1 > /dev/null ;; esac echo -n ' nfsd'; nfsd ${nfs_server_flags} case ${rpc_lockd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.lockd'; rpc.lockd ;; esac case ${rpc_statd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.statd'; rpc.statd ;; esac fi ;; *) case ${single_mountd_enable} in [Yy][Ee][Ss]) if [ -r /etc/exports ]; then echo -n ' mountd' case ${weak_mountd_authentication} in [Yy][Ee][Ss]) mountd_flags="-n" ;; esac mountd ${mountd_flags} fi ;; esac ;; esac case ${nfs_client_enable} in [Yy][Ee][Ss]) - #echo -n ' nfsiod'; nfsiod ${nfs_client_flags} if [ -n "${nfs_access_cache}" ]; then echo -n " NFS access cache time=${nfs_access_cache}" sysctl -w vfs.nfs.access_cache_timeout=${nfs_access_cache} >/dev/null fi if [ -n "${nfs_bufpackets}" ]; then sysctl -w vfs.nfs.bufpackets=${nfs_bufpackets} > /dev/null fi ;; esac # If /var/db/mounttab exists, some nfs-server has not been # sucessfully notified about a previous client shutdown. # If there is no /var/db/mounttab, we do nothing. if [ -f /var/db/mounttab ]; then rpc.umntall -k fi case ${amd_enable} in [Yy][Ee][Ss]) echo -n ' amd' case ${amd_map_program} in [Nn][Oo] | '') ;; *) amd_flags="${amd_flags} `eval\ ${amd_map_program}`" ;; esac if [ -n "${amd_flags}" ]; then amd -p ${amd_flags}\ > /var/run/amd.pid 2> /dev/null else amd 2> /dev/null fi ;; esac ;; esac case ${rwhod_enable} in [Yy][Ee][Ss]) echo -n ' rwhod'; rwhod ${rwhod_flags} ;; esac # Kerberos servers run ONLY on the Kerberos server machine case ${kerberos4_server_enable} in [Yy][Ee][Ss]) case ${kerberos_stash} in [Yy][Ee][Ss]) stash=-n ;; *) stash= ;; esac echo -n ' kerberosIV' ${kerberos4_server} ${stash} >> /var/log/kerberos.log & case ${kadmind4_server_enable} in [Yy][Ee][Ss]) echo -n ' kadmindIV' ( sleep 20; ${kadmind4_server} ${stash} >/dev/null 2>&1 & ) & ;; esac unset stash_flag ;; esac case ${kerberos5_server_enable} in [Yy][Ee][Ss]) echo -n ' kerberos5' ${kerberos5_server} & case ${kadmind5_server_enable} in [Yy][Ee][Ss]) echo -n ' kadmind5' ${kadmind5_server} & ;; esac ;; esac case ${pppoed_enable} in [Yy][Ee][Ss]) if [ -n "${pppoed_provider}" ]; then pppoed_flags="${pppoed_flags} -p ${pppoed_provider}" fi echo -n ' pppoed'; /usr/libexec/pppoed ${pppoed_flags} ${pppoed_interface} ;; esac case ${sshd_enable} in [Yy][Ee][Ss]) if [ ! -f /etc/ssh/ssh_host_key ]; then echo ' creating ssh RSA host key'; /usr/bin/ssh-keygen -N "" -f /etc/ssh/ssh_host_key fi if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then echo ' creating ssh DSA host key'; /usr/bin/ssh-keygen -d -N "" -f /etc/ssh/ssh_host_dsa_key fi ;; esac echo '.' network_pass3_done=YES } network_pass4() { echo -n 'Additional TCP options:' case ${log_in_vain} in [Nn][Oo] | '') ;; *) echo -n ' log_in_vain=YES' sysctl -w net.inet.tcp.log_in_vain=1 >/dev/null sysctl -w net.inet.udp.log_in_vain=1 >/dev/null ;; esac echo '.' network_pass4_done=YES } network_gif_setup() { case ${gif_interfaces} in [Nn][Oo] | '') ;; *) for i in ${gif_interfaces}; do eval peers=\$gifconfig_$i case ${peers} in '') continue ;; *) ifconfig $i create >/dev/null 2>&1 ifconfig $i tunnel ${peers} ;; esac done ;; esac } convert_host_conf() { host_conf=$1; shift; nsswitch_conf=$1; shift; awk ' \ /^[:blank:]*#/ { next } \ /(hosts|local|file)/ { nsswitch[c] = "files"; c++; next } \ /(dns|bind)/ { nsswitch[c] = "dns"; c++; next } \ /nis/ { nsswitch[c] = "nis"; c++; next } \ { printf "Warning: unrecognized line [%s]", $0 > "/dev/stderr" } \ END { \ printf "hosts: "; \ for (i in nsswitch) printf "%s ", nsswitch[i]; \ printf "\n"; \ }' < $host_conf > $nsswitch_conf } diff --git a/etc/rc.network b/etc/rc.network index b71553999701..67c88a0f805b 100644 --- a/etc/rc.network +++ b/etc/rc.network @@ -1,830 +1,829 @@ #!/bin/sh - # # Copyright (c) 1993 The FreeBSD Project # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # $FreeBSD$ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # # Note that almost all of the user-configurable behavior is no longer in # this file, but rather in /etc/defaults/rc.conf. Please check that file # first before contemplating any changes here. If you do need to change # this file for some reason, we would like to know about it. # First pass startup stuff. # network_pass1() { echo -n 'Doing initial network setup:' # Convert host.conf to nsswitch.conf if necessary if [ -f "/etc/host.conf" ]; then echo '' echo 'Warning: /etc/host.conf is no longer used' if [ -f "/etc/nsswitch.conf" ]; then echo ' /etc/nsswitch.conf will be used instead' else echo ' /etc/nsswitch.conf will be created for you' convert_host_conf /etc/host.conf /etc/nsswitch.conf fi fi # Set the host name if it is not already set # if [ -z "`hostname -s`" ]; then hostname ${hostname} echo -n ' hostname' fi # Establish ipfilter ruleset as early as possible (best in # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) # if /sbin/ipfstat -i > /dev/null 2>&1; then ipfilter_in_kernel=1 else ipfilter_in_kernel=0 fi case "${ipfilter_enable}" in [Yy][Ee][Ss]) if [ "${ipfilter_in_kernel}" -eq 0 ] && kldload ipl; then ipfilter_in_kernel=1 echo "Kernel ipfilter module loaded." elif [ "${ipfilter_in_kernel}" -eq 0 ]; then echo "Warning: ipfilter kernel module failed to load." fi if [ -r "${ipfilter_rules}" ]; then echo -n ' ipfilter'; ${ipfilter_program:-/sbin/ipf -Fa -f} \ "${ipfilter_rules}" ${ipfilter_flags} case "${ipmon_enable}" in [Yy][Ee][Ss]) echo -n ' ipmon' ${ipmon_program:-/sbin/ipmon} ${ipmon_flags} ;; esac case "${ipnat_enable}" in [Yy][Ee][Ss]) if [ -r "${ipnat_rules}" ]; then echo -n ' ipnat'; eval ${ipnat_program:-/sbin/ipnat -CF -f} \ "${ipnat_rules}" ${ipnat_flags} else echo -n ' NO IPNAT RULES' fi ;; esac else ipfilter_enable="NO" echo -n ' NO IPF RULES' fi ;; esac # Set the domainname if we're using NIS # case ${nisdomainname} in [Nn][Oo] | '') ;; *) domainname ${nisdomainname} echo -n ' domain' ;; esac echo '.' # Initial ATM interface configuration # case ${atm_enable} in [Yy][Ee][Ss]) if [ -r /etc/rc.atm ]; then . /etc/rc.atm atm_pass1 fi ;; esac # Attempt to create cloned interfaces. for ifn in ${cloned_interfaces}; do ifconfig ${ifn} create done # Special options for sppp(4) interfaces go here. These need # to go _before_ the general ifconfig section, since in the case # of hardwired (no link1 flag) but required authentication, you # cannot pass auth parameters down to the already running interface. # for ifn in ${sppp_interfaces}; do eval spppcontrol_args=\$spppconfig_${ifn} if [ -n "${spppcontrol_args}" ]; then # The auth secrets might contain spaces; in order # to retain the quotation, we need to eval them # here. eval spppcontrol ${ifn} ${spppcontrol_args} fi done # gifconfig network_gif_setup # Set up all the network interfaces, calling startup scripts if needed # case ${network_interfaces} in [Aa][Uu][Tt][Oo]) network_interfaces="`ifconfig -l`" ;; *) network_interfaces="${network_interfaces} ${cloned_interfaces}" ;; esac dhcp_interfaces="" for ifn in ${network_interfaces}; do if [ -r /etc/start_if.${ifn} ]; then . /etc/start_if.${ifn} eval showstat_$ifn=1 fi # Do the primary ifconfig if specified # eval ifconfig_args=\$ifconfig_${ifn} case ${ifconfig_args} in '') ;; [Dd][Hh][Cc][Pp]) # DHCP inits are done all in one go below dhcp_interfaces="$dhcp_interfaces $ifn" eval showstat_$ifn=1 ;; *) ifconfig ${ifn} ${ifconfig_args} eval showstat_$ifn=1 ;; esac done if [ ! -z "${dhcp_interfaces}" ]; then ${dhcp_program:-/sbin/dhclient} ${dhcp_flags} ${dhcp_interfaces} fi for ifn in ${network_interfaces}; do # Check to see if aliases need to be added # alias=0 while : ; do eval ifconfig_args=\$ifconfig_${ifn}_alias${alias} if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} alias eval showstat_$ifn=1 alias=`expr ${alias} + 1` else break; fi done # Do ipx address if specified # eval ifconfig_args=\$ifconfig_${ifn}_ipx if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} eval showstat_$ifn=1 fi done for ifn in ${network_interfaces}; do eval showstat=\$showstat_${ifn} if [ ! -z ${showstat} ]; then ifconfig ${ifn} fi done # ISDN subsystem startup # case ${isdn_enable} in [Yy][Ee][Ss]) if [ -r /etc/rc.isdn ]; then . /etc/rc.isdn fi ;; esac # Start user ppp if required. This must happen before natd. # case ${ppp_enable} in [Yy][Ee][Ss]) # Establish ppp mode. # if [ "${ppp_mode}" != "ddial" -a "${ppp_mode}" != "direct" \ -a "${ppp_mode}" != "dedicated" \ -a "${ppp_mode}" != "background" ]; then ppp_mode="auto" fi ppp_command="/usr/sbin/ppp -quiet -${ppp_mode}" # Switch on NAT mode? # case ${ppp_nat} in [Yy][Ee][Ss]) ppp_command="${ppp_command} -nat" ;; esac ppp_command="${ppp_command} ${ppp_profile}" echo "Starting ppp as \"${ppp_user}\"" su -m ${ppp_user} -c "exec ${ppp_command}" ;; esac # Initialize IP filtering using ipfw # if /sbin/ipfw -q flush > /dev/null 2>&1; then firewall_in_kernel=1 else firewall_in_kernel=0 fi case ${firewall_enable} in [Yy][Ee][Ss]) if [ "${firewall_in_kernel}" -eq 0 ] && kldload ipfw; then firewall_in_kernel=1 echo 'Kernel firewall module loaded' elif [ "${firewall_in_kernel}" -eq 0 ]; then echo 'Warning: firewall kernel module failed to load' fi ;; esac # Load the filters if required # case ${firewall_in_kernel} in 1) if [ -z "${firewall_script}" ]; then firewall_script=/etc/rc.firewall fi case ${firewall_enable} in [Yy][Ee][Ss]) if [ -r "${firewall_script}" ]; then . "${firewall_script}" echo -n 'Firewall rules loaded, starting divert daemons:' # Network Address Translation daemon # case ${natd_enable} in [Yy][Ee][Ss]) if [ -n "${natd_interface}" ]; then if echo ${natd_interface} | \ grep -q -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then natd_ifarg="-a ${natd_interface}" else natd_ifarg="-n ${natd_interface}" fi echo -n ' natd'; ${natd_program:-/sbin/natd} ${natd_flags} ${natd_ifarg} fi ;; esac echo '.' elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then echo 'Warning: kernel has firewall functionality,' \ 'but firewall rules are not enabled.' echo ' All ip services are disabled.' fi case ${firewall_logging} in [Yy][Ee][Ss] | '') echo 'Firewall logging=YES' sysctl -w net.inet.ip.fw.verbose=1 >/dev/null ;; *) ;; esac ;; esac ;; esac # Additional ATM interface configuration # if [ -n "${atm_pass1_done}" ]; then atm_pass2 fi # Configure routing # case ${defaultrouter} in [Nn][Oo] | '') ;; *) static_routes="default ${static_routes}" route_default="default ${defaultrouter}" ;; esac # Set up any static routes. This should be done before router discovery. # if [ -n "${static_routes}" ]; then for i in ${static_routes}; do eval route_args=\$route_${i} route add ${route_args} done fi echo -n 'Additional routing options:' case ${tcp_extensions} in [Yy][Ee][Ss] | '') ;; *) echo -n ' tcp extensions=NO' sysctl -w net.inet.tcp.rfc1323=0 >/dev/null ;; esac case ${icmp_bmcastecho} in [Yy][Ee][Ss]) echo -n ' broadcast ping responses=YES' sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null ;; esac case ${icmp_drop_redirect} in [Yy][Ee][Ss]) echo -n ' ignore ICMP redirect=YES' sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null ;; esac case ${icmp_log_redirect} in [Yy][Ee][Ss]) echo -n ' log ICMP redirect=YES' sysctl -w net.inet.icmp.log_redirect=1 >/dev/null ;; esac case ${gateway_enable} in [Yy][Ee][Ss]) echo -n ' IP gateway=YES' sysctl -w net.inet.ip.forwarding=1 >/dev/null ;; esac case ${forward_sourceroute} in [Yy][Ee][Ss]) echo -n ' do source routing=YES' sysctl -w net.inet.ip.sourceroute=1 >/dev/null ;; esac case ${accept_sourceroute} in [Yy][Ee][Ss]) echo -n ' accept source routing=YES' sysctl -w net.inet.ip.accept_sourceroute=1 >/dev/null ;; esac case ${tcp_keepalive} in [Yy][Ee][Ss]) echo -n ' TCP keepalive=YES' sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null ;; esac case ${tcp_drop_synfin} in [Yy][Ee][Ss]) echo -n ' drop SYN+FIN packets=YES' sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null ;; esac case ${ipxgateway_enable} in [Yy][Ee][Ss]) echo -n ' IPX gateway=YES' sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null ;; esac case ${arpproxy_all} in [Yy][Ee][Ss]) echo -n ' ARP proxyall=YES' sysctl -w net.link.ether.inet.proxyall=1 >/dev/null ;; esac case ${ip_portrange_first} in [Nn][Oo] | '') ;; *) echo -n " ip_portrange_first=$ip_portrange_first" sysctl -w net.inet.ip.portrange.first=$ip_portrange_first >/dev/null ;; esac case ${ip_portrange_last} in [Nn][Oo] | '') ;; *) echo -n " ip_portrange_last=$ip_portrange_last" sysctl -w net.inet.ip.portrange.last=$ip_portrange_last >/dev/null ;; esac echo '.' case ${ipsec_enable} in [Yy][Ee][Ss]) if [ -f ${ipsec_file} ]; then echo ' ipsec: enabled' setkey -f ${ipsec_file} else echo ' ipsec: file not found' fi ;; esac echo -n 'Routing daemons:' case ${router_enable} in [Yy][Ee][Ss]) echo -n " ${router}"; ${router} ${router_flags} ;; esac case ${ipxrouted_enable} in [Yy][Ee][Ss]) echo -n ' IPXrouted' IPXrouted ${ipxrouted_flags} > /dev/null 2>&1 ;; esac case ${mrouted_enable} in [Yy][Ee][Ss]) echo -n ' mrouted'; mrouted ${mrouted_flags} ;; esac case ${rarpd_enable} in [Yy][Ee][Ss]) echo -n ' rarpd'; rarpd ${rarpd_flags} ;; esac echo '.' # Let future generations know we made it. # network_pass1_done=YES } network_pass2() { echo -n 'Doing additional network setup:' case ${named_enable} in [Yy][Ee][Ss]) echo -n ' named'; ${named_program:-named} ${named_flags} ;; esac case ${ntpdate_enable} in [Yy][Ee][Ss]) echo -n ' ntpdate' ${ntpdate_program:-ntpdate} ${ntpdate_flags} >/dev/null 2>&1 ;; esac case ${xntpd_enable} in [Yy][Ee][Ss]) echo -n ' ntpd'; ${xntpd_program:-ntpd} ${xntpd_flags} ;; esac case ${timed_enable} in [Yy][Ee][Ss]) echo -n ' timed'; timed ${timed_flags} ;; esac case ${portmap_enable} in [Yy][Ee][Ss]) echo -n ' rpcbind'; ${portmap_program:-/usr/sbin/rpcbind} \ ${portmap_flags} # Start ypserv if we're an NIS server. # Run rpc.ypxfrd and rpc.yppasswdd only on the NIS master server. # case ${nis_server_enable} in [Yy][Ee][Ss]) echo -n ' ypserv'; ypserv ${nis_server_flags} case ${nis_ypxfrd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.ypxfrd' rpc.ypxfrd ${nis_ypxfrd_flags} ;; esac case ${nis_yppasswdd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.yppasswdd' rpc.yppasswdd ${nis_yppasswdd_flags} ;; esac ;; esac # Start ypbind if we're an NIS client # case ${nis_client_enable} in [Yy][Ee][Ss]) echo -n ' ypbind'; ypbind ${nis_client_flags} case ${nis_ypset_enable} in [Yy][Ee][Ss]) echo -n ' ypset'; ypset ${nis_ypset_flags} ;; esac ;; esac # Start keyserv if we are running Secure RPC # case ${keyserv_enable} in [Yy][Ee][Ss]) echo -n ' keyserv'; keyserv ${keyserv_flags} ;; esac # Start ypupdated if we are running Secure RPC # and we are NIS master # case ${rpc_ypupdated_enable} in [Yy][Ee][Ss]) echo -n ' rpc.ypupdated'; rpc.ypupdated ;; esac ;; esac # Start ATM daemons if [ -n "${atm_pass2_done}" ]; then atm_pass3 fi echo '.' network_pass2_done=YES } network_pass3() { echo -n 'Starting final network daemons:' case ${portmap_enable} in [Yy][Ee][Ss]) case ${nfs_server_enable} in [Yy][Ee][Ss]) if [ -r /etc/exports ]; then echo -n ' mountd' case ${weak_mountd_authentication} in [Yy][Ee][Ss]) mountd_flags="${mountd_flags} -n" ;; esac mountd ${mountd_flags} case ${nfs_reserved_port_only} in [Yy][Ee][Ss]) echo -n ' NFS on reserved port only=YES' sysctl -w vfs.nfsrv.nfs_privport=1 > /dev/null ;; esac echo -n ' nfsd'; nfsd ${nfs_server_flags} case ${rpc_lockd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.lockd'; rpc.lockd ;; esac case ${rpc_statd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.statd'; rpc.statd ;; esac fi ;; *) case ${single_mountd_enable} in [Yy][Ee][Ss]) if [ -r /etc/exports ]; then echo -n ' mountd' case ${weak_mountd_authentication} in [Yy][Ee][Ss]) mountd_flags="-n" ;; esac mountd ${mountd_flags} fi ;; esac ;; esac case ${nfs_client_enable} in [Yy][Ee][Ss]) - #echo -n ' nfsiod'; nfsiod ${nfs_client_flags} if [ -n "${nfs_access_cache}" ]; then echo -n " NFS access cache time=${nfs_access_cache}" sysctl -w vfs.nfs.access_cache_timeout=${nfs_access_cache} >/dev/null fi if [ -n "${nfs_bufpackets}" ]; then sysctl -w vfs.nfs.bufpackets=${nfs_bufpackets} > /dev/null fi ;; esac # If /var/db/mounttab exists, some nfs-server has not been # sucessfully notified about a previous client shutdown. # If there is no /var/db/mounttab, we do nothing. if [ -f /var/db/mounttab ]; then rpc.umntall -k fi case ${amd_enable} in [Yy][Ee][Ss]) echo -n ' amd' case ${amd_map_program} in [Nn][Oo] | '') ;; *) amd_flags="${amd_flags} `eval\ ${amd_map_program}`" ;; esac if [ -n "${amd_flags}" ]; then amd -p ${amd_flags}\ > /var/run/amd.pid 2> /dev/null else amd 2> /dev/null fi ;; esac ;; esac case ${rwhod_enable} in [Yy][Ee][Ss]) echo -n ' rwhod'; rwhod ${rwhod_flags} ;; esac # Kerberos servers run ONLY on the Kerberos server machine case ${kerberos4_server_enable} in [Yy][Ee][Ss]) case ${kerberos_stash} in [Yy][Ee][Ss]) stash=-n ;; *) stash= ;; esac echo -n ' kerberosIV' ${kerberos4_server} ${stash} >> /var/log/kerberos.log & case ${kadmind4_server_enable} in [Yy][Ee][Ss]) echo -n ' kadmindIV' ( sleep 20; ${kadmind4_server} ${stash} >/dev/null 2>&1 & ) & ;; esac unset stash_flag ;; esac case ${kerberos5_server_enable} in [Yy][Ee][Ss]) echo -n ' kerberos5' ${kerberos5_server} & case ${kadmind5_server_enable} in [Yy][Ee][Ss]) echo -n ' kadmind5' ${kadmind5_server} & ;; esac ;; esac case ${pppoed_enable} in [Yy][Ee][Ss]) if [ -n "${pppoed_provider}" ]; then pppoed_flags="${pppoed_flags} -p ${pppoed_provider}" fi echo -n ' pppoed'; /usr/libexec/pppoed ${pppoed_flags} ${pppoed_interface} ;; esac case ${sshd_enable} in [Yy][Ee][Ss]) if [ ! -f /etc/ssh/ssh_host_key ]; then echo ' creating ssh RSA host key'; /usr/bin/ssh-keygen -N "" -f /etc/ssh/ssh_host_key fi if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then echo ' creating ssh DSA host key'; /usr/bin/ssh-keygen -d -N "" -f /etc/ssh/ssh_host_dsa_key fi ;; esac echo '.' network_pass3_done=YES } network_pass4() { echo -n 'Additional TCP options:' case ${log_in_vain} in [Nn][Oo] | '') ;; *) echo -n ' log_in_vain=YES' sysctl -w net.inet.tcp.log_in_vain=1 >/dev/null sysctl -w net.inet.udp.log_in_vain=1 >/dev/null ;; esac echo '.' network_pass4_done=YES } network_gif_setup() { case ${gif_interfaces} in [Nn][Oo] | '') ;; *) for i in ${gif_interfaces}; do eval peers=\$gifconfig_$i case ${peers} in '') continue ;; *) ifconfig $i create >/dev/null 2>&1 ifconfig $i tunnel ${peers} ;; esac done ;; esac } convert_host_conf() { host_conf=$1; shift; nsswitch_conf=$1; shift; awk ' \ /^[:blank:]*#/ { next } \ /(hosts|local|file)/ { nsswitch[c] = "files"; c++; next } \ /(dns|bind)/ { nsswitch[c] = "dns"; c++; next } \ /nis/ { nsswitch[c] = "nis"; c++; next } \ { printf "Warning: unrecognized line [%s]", $0 > "/dev/stderr" } \ END { \ printf "hosts: "; \ for (i in nsswitch) printf "%s ", nsswitch[i]; \ printf "\n"; \ }' < $host_conf > $nsswitch_conf }