xref: /openbsd/etc/netstart (revision 2fcef345)

#!/bin/sh -
#
#	$OpenBSD: netstart,v 1.97 2004/05/29 07:01:03 deraadt Exp $

# Returns true if $1 contains only alphanumerics
isalphanumeric() {
	local _n
	_n=$1
	while [ ${#_n} != 0 ]; do
		case $_n in
			[A-Za-z0-9]*)	;;
			*)		return 1;;
		esac
		_n=${_n#?}
	done
	return 0
}

# Start the $1 interface
ifstart() {
	if=$1
	# Interface names must be alphanumeric only.  We check to avoid
	# configuring backup or temp files, and to catch the "*" case.
	if ! isalphanumeric "$if"; then
		return
	fi

	ifconfig $if > /dev/null 2>&1
	if [ "$?" != "0" ]; then
		# Try to create interface if it does not exist
		ifconfig $if create > /dev/null 2>&1
		if [ "$?" != "0" ]; then
			return
		fi
	fi

	# Now parse the hostname.* file
	while :; do
		if [ "$cmd2" ]; then
			# We are carrying over from the 'read dt dtaddr'
			# last time.
			set -- $cmd2
			af="$1" name="$2" mask="$3" bcaddr="$4" ext1="$5" cmd2=
			# Make sure and get any remaining args in ext2,
			# like the read below
			i=1
			while [ i -lt 6 -a -n "$1" ]; do shift; let i=i+1; done
			ext2="$@"
		else
			# Read the next line or exit the while loop.
			read af name mask bcaddr ext1 ext2 || break
		fi
		# $af can be "dhcp", "up", "rtsol", an address family,
		# commands, or a comment.
		case "$af" in
		"#"*|"") # skip comments and empty lines
			continue
			;;
		"!"*) # parse commands
			cmd="${af#*!} ${name} ${mask} ${bcaddr} ${ext1} ${ext2}"
			;;
		"bridge")
			cmd="echo /etc/hostname.$if: bridges now supported via bridgename.* files"
			;;
		"dhcp")
			[ "$name" = "NONE" ] && name=
			[ "$mask" = "NONE" ] && mask=
			[ "$bcaddr" = "NONE" ] && bcaddr=
			ifconfig $if $name $mask $bcaddr $ext1 $ext2 down
			cmd="dhclient $if"
			;;
		"rtsol")
			ifconfig $if $name $mask $bcaddr $ext1 $ext2 up
			rtsolif="$rtsolif $if"
			cmd=
			;;
		"up")
			# The only one of these guaranteed to be set is $if.
			# The remaining ones exist so that media controls work.
			cmd="ifconfig $if $name $mask $bcaddr $ext1 $ext2 up"
			;;
		*)
			read dt dtaddr
			if [ "$name"  = "alias" ]; then
				# perform a 'shift' of sorts
				alias=$name
				name=$mask
				mask=$bcaddr
				bcaddr=$ext1
				ext1=$ext2
				ext2=
			else
				alias=
			fi
			cmd="ifconfig $if $af $alias $name "
			case "$dt" in
			dest)
				cmd="$cmd $dtaddr"
				;;
			[a-z!]*)
				cmd2="$dt $dtaddr"
				;;
			esac
			if [ ! -n "$name" ]; then
				echo "/etc/hostname.$if: invalid network configuration file"
				return
			fi
			case $af in
			inet)
				[ "$mask" ] && cmd="$cmd netmask $mask"
				if [ "$bcaddr" -a "X$bcaddr" != "XNONE" ]; then
					cmd="$cmd broadcast $bcaddr"
				fi
				[ "$alias" ] && rtcmd=";route -qn add -host $name 127.0.0.1"
				;;
			inet6) [ "$mask" ] && cmd="$cmd prefixlen $mask"
				cmd="$cmd $bcaddr"
				;;
			*)
				cmd="$cmd $mask $bcaddr"
				;;
			esac
			cmd="$cmd $ext1 $ext2$rtcmd" rtcmd=
			;;
		esac
		eval "$cmd"
	done < /etc/hostname.$if
}

# Start the $1 bridge
bridgestart() {
	# Interface names must be alphanumeric only.  We check to avoid
	# configuring backup or temp files, and to catch the "*" case.
	if ! isalphanumeric "$1"; then
		return
	fi
	brconfig $1 > /dev/null 2>&1
	if [ "$?" != "0" ]; then
		# Try to create interface if it does not exist
		ifconfig $if create > /dev/null 2>&1
		if [ "$?" != "0" ]; then
			return
		fi
	fi

	# Now parse the bridgename.* file
	# All lines are run as brconfig(8) commands.
	while read line ; do
		line=${line%%#*}		# strip comments
		test -z "$line" && continue
		case "$line" in
		"!"*)
			cmd="${line#*!}"
			;;
		*)
			cmd="brconfig $1 $line"
			;;
		esac
		eval "$cmd"
	done < /etc/bridgename.$1
}

# Re-read /etc/rc.conf
. /etc/rc.conf

# If we were invoked with a list of interface names, just reconfigure these
# interfaces (or bridges) and return.
if [ $1x = autobootx ]; then
	shift
fi
if [ $# -gt 0 ]; then
	while [ $# -gt 0 ]; do
		if [ -f /etc/bridgename.$1 ]; then
			bridgestart $1
		else
			ifstart $1
		fi
		shift
	done
	return
fi

# Otherwise, process with the complete network initialization.

# /etc/myname contains my symbolic name
if [ -f /etc/myname ]; then
	hostname=`cat /etc/myname`
	hostname $hostname
else
	hostname=`hostname`
fi

if [ -f /etc/defaultdomain ]; then
	domainname `cat /etc/defaultdomain`
fi

# Set the address for the loopback interface.  Bringing the
# interface up, automatically invokes the IPv6 address ::1)
ifconfig lo0 inet 127.0.0.1

if ifconfig lo0 inet6 >/dev/null 2>&1; then
	# IPv6 configurations.
	ip6kernel=YES

	# Disallow link-local unicast dest without outgoing scope identifiers.
	route -q add -inet6 fe80:: -prefixlen 10 ::1 -reject > /dev/null

	# Disallow site-local unicast dest without outgoing scope identifiers.
	# If you configure site-locals without scope id (it is permissible
	# config for routers that are not on scope boundary), you may want
	# to comment the line out.
	route -q add -inet6 fec0:: -prefixlen 10 ::1 -reject > /dev/null

	# Disallow "internal" addresses to appear on the wire.
	route -q add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject > /dev/null

	# Disallow packets to malicious IPv4 compatible prefix.
	route -q add -inet6 ::224.0.0.0 -prefixlen 100 ::1 -reject > /dev/null
	route -q add -inet6 ::127.0.0.0 -prefixlen 104 ::1 -reject > /dev/null
	route -q add -inet6 ::0.0.0.0 -prefixlen 104 ::1 -reject > /dev/null
	route -q add -inet6 ::255.0.0.0 -prefixlen 104 ::1 -reject > /dev/null

	# Disallow packets to malicious 6to4 prefix.
	route -q add -inet6 2002:e000:: -prefixlen 20 ::1 -reject > /dev/null
	route -q add -inet6 2002:7f00:: -prefixlen 24 ::1 -reject > /dev/null
	route -q add -inet6 2002:0000:: -prefixlen 24 ::1 -reject > /dev/null
	route -q add -inet6 2002:ff00:: -prefixlen 24 ::1 -reject > /dev/null

	# Completely disallow packets to IPv4 compatible prefix.
	# This may conflict with RFC1933 under following circumstances:
	# (1) An IPv6-only KAME node tries to originate packets to IPv4
	#     compatible destination.  The KAME node has no IPv4 compatible
	#     support.  Under RFC1933, it should transmit native IPv6
	#     packets toward IPv4 compatible destination, hoping it would
	#     reach a router that forwards the packet toward auto-tunnel
	#     interface.
	# (2) An IPv6-only node originates a packet to an IPv4 compatible
	#     destination.  A KAME node is acting as an IPv6 router, and
	#     asked to forward it.
	# Due to rare use of IPv4 compatible addresses, and security issues
	# with it, we disable it by default.
	route -q add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject > /dev/null

	rtsolif=""
else
	ip6kernel=NO
fi

# Configure all the non-loopback interfaces which we know about.
# Refer to hostname.if(5) and bridgename.if(5)
for hn in /etc/hostname.*; do
	# Strip off /etc/hostname. prefix
	if=${hn#/etc/hostname.}
	test "$if" = "*" && continue

	case $if in
	"carp"*|"gif"*|"gre"*|"pfsync"*)
		# CARP, GIF, GRE and PFSYNC interfaces need the routes to be setup
		# before they are configured.
		continue
		;;
	*)
		ifstart $if
		;;
	esac
done

if [ "$ip6kernel" = "YES" -a "x$rtsolif" != "x" ]; then
	fw=`sysctl -n net.inet6.ip6.forwarding`
	ra=`sysctl -n net.inet6.ip6.accept_rtadv`
	if [ "x$fw" = "x0" -a "x$ra" = "x1" ]; then
		echo "IPv6 autoconf:$rtsolif"
		rtsol $rtsolif
	else
		echo "WARNING: inconsistent config - check /etc/sysctl.conf for IPv6 autoconf"
	fi
fi
if [ "$ip6kernel" = "YES" ]; then
	# this is to make sure DAD is completed before going further.
	sleep `sysctl -n net.inet6.ip6.dad_count`
fi

# /etc/mygate, if it exists, contains the name of my gateway host
# that name must be in /etc/hosts.
if [ -f /etc/mygate ]; then
	route -qn delete default > /dev/null 2>&1
	route -qn add -host default `cat /etc/mygate`
fi

# Multicast routing.
#
# The routing to the 224.0.0.0/4 net is setup according to these rules:
# multicast_host	multicast_router	route		comment
# NO			NO			-reject		no multicast
# NO			YES			none installed	daemon will run
# YES/interface		NO			-interface	YES=def. iface
#	   Any other combination		-reject		config error
case "$multicast_host:$multicast_router" in
NO:NO)
	route -qn add -net 224.0.0.0/4 -interface 127.0.0.1 -reject > /dev/null
	;;
NO:YES)
	;;
*:NO)
	set `if [ $multicast_host = YES ]; then
		ed -s '!route -qn show -inet' <<EOF
/^default/p
EOF
	else
		ed -s "!ifconfig $multicast_host" <<EOF
/^	inet /p
EOF
	fi`
	route -qn add -net 224.0.0.0/4 -interface $2 > /dev/null
	;;
*:*)
	echo 'config error, multicasting disabled until rc.conf is fixed'
	route -qn add -net 224.0.0.0/4 -interface 127.0.0.1 -reject > /dev/null
	;;
esac

# The pfsync interface needs to come up before carp.
if [ -f /etc/hostname.pfsync0 ]; then
		ifstart pfsync0
fi

# Configure all the carp, gif and gre interfaces which we know about.
# They were delayed because they require the routes to be set.
for hn in /etc/hostname.*; do
	# Strip off /etc/hostname. prefix
	if=${hn#/etc/hostname.}
	test "$if" = "*" && continue

	case $if in
	"carp"*|"gif"*|"gre"*)
		ifstart $if
		;;
	*)
		# Regular interfaces have already been configured.
		continue
		;;
	esac
done

# Use loopback, not the wire.
route -qn add -host $hostname 127.0.0.1 > /dev/null
route -qn add -net 127 127.0.0.1 -reject > /dev/null

# Configure all the bridges.
for bn in /etc/bridgename.*; do
	# Strip off /etc/bridgename. prefix
	if=${bn#/etc/bridgename.}
	test "$if" = "*" && continue

	bridgestart $if
done