#!/bin/sh -
#
#	$OpenBSD: netstart,v 1.86 2003/02/16 23:25:40 krw Exp $

# Returns true if $1 contains only alphanumerics
#
# Used to vet interface names before they are spliced into command
# strings that are later eval'd, so anything outside [A-Za-z0-9] (dots,
# tildes, "*", whitespace, shell metacharacters) is rejected.  The empty
# string contains no offending character and therefore passes; callers
# that need to reject it must check for that themselves.
isalphanumeric() {
	case $1 in
	*[!A-Za-z0-9]*)
		# at least one character outside the allowed set
		return 1
		;;
	esac
	return 0
}

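# Start the $1 interface
#
# Configures one interface from its /etc/hostname.$1 file (hostname.if(5)).
# Every line yields a command string that is run through eval:
#   "#..." or empty   skipped
#   "!cmd ..."        run verbatim as a shell command
#   bridge            prints a hint that bridges live in bridgename.* files
#   dhcp              takes the interface down and runs dhclient(8)
#   rtsol             brings it up and queues it in $rtsolif for the caller
#   up                ifconfig ... up (media options may follow)
#   <af> <addr> ...   an address line, optionally followed by a
#                     "dest <addr>" line
# Returns silently when the name is not purely alphanumeric or when
# ifconfig(8) does not know the interface, and bails out of the file on
# an address line without an address.
#
# Globals written: if, af, name, mask, bcaddr, ext1, ext2, cmd, cmd2, dt,
#   dtaddr, alias, rtcmd, i.  rtsolif is appended to and consumed by the
#   caller once all interfaces are done.
ifstart() {
	if=$1
	# Interface names must be alphanumeric only.  We check to avoid
	# configuring backup or temp files, and to catch the "*" case.
	# Since every command below goes through eval, this check is also
	# what keeps shell metacharacters out of the command line.
	if ! isalphanumeric "$if"; then
		return
	fi

	# Unknown interface: nothing to configure.
	if ! ifconfig $if > /dev/null 2>&1; then
		return
	fi

	# Reset per-call parser state.  cmd2 holds a line that was read
	# ahead while looking for a "dest" continuation; a previous call
	# that returned early on a bad file could otherwise leave a stale
	# line here and have it applied to this interface.
	cmd2= rtcmd=

	# Now parse the hostname.* file
	while :; do
		if [ "$cmd2" ]; then
			# We are carrying over from the 'read dt dtaddr'
			# last time.
			set -- $cmd2
			af="$1" name="$2" mask="$3" bcaddr="$4" ext1="$5" cmd2=
			# Make sure and get any remaining args in ext2,
			# like the read below.  ($i, not a bare i: POSIX
			# test(1) needs an integer operand for -lt.)
			i=1
			while [ $i -lt 6 -a -n "$1" ]; do shift; i=$((i+1)); done
			ext2="$@"
		else
			# Read the next line or exit the while loop.
			read af name mask bcaddr ext1 ext2 || break
		fi
		# $af can be "dhcp", "up", "rtsol", an address family,
		# commands, or a comment.
		case "$af" in
		"#"*|"") # skip comments and empty lines
			continue
			;;
		"!"*) # parse commands: everything after the "!" is run as-is
			cmd="${af#*!} ${name} ${mask} ${bcaddr} ${ext1} ${ext2}"
			;;
		"bridge")
			cmd="echo /etc/hostname.$if: bridges now supported via bridgename.* files"
			;;
		"dhcp")
			# NONE placeholders mean "not given".
			[ "$name" = "NONE" ] && name=
			[ "$mask" = "NONE" ] && mask=
			[ "$bcaddr" = "NONE" ] && bcaddr=
			ifconfig $if $name $mask $bcaddr $ext1 $ext2 down
			cmd="dhclient $if"
			;;
		"rtsol")
			# Bring it up now; rtsol(8) itself is started for all
			# such interfaces at once by the caller.
			ifconfig $if $name $mask $bcaddr $ext1 $ext2 up
			rtsolif="$rtsolif $if"
			cmd=
			;;
		"up")
			# The only one of these guaranteed to be set is $if.
			# The remaining ones exist so that media controls work.
			cmd="ifconfig $if $name $mask $bcaddr $ext1 $ext2 up"
			;;
		*)
			# Address line.  Look ahead one line for a "dest <addr>"
			# continuation.  Any other line that looks like a
			# directive is kept in cmd2 for the next iteration;
			# anything else (comment, blank) is dropped.  Clear
			# dt/dtaddr first so a read that hits EOF cannot replay
			# the previous look-ahead.
			dt= dtaddr=
			read dt dtaddr
			if [ "$name" = "alias" ]; then
				# perform a 'shift' of sorts
				alias=$name
				name=$mask
				mask=$bcaddr
				bcaddr=$ext1
				ext1=$ext2
				ext2=
			else
				alias=
			fi
			cmd="ifconfig $if $af $alias $name "
			case "$dt" in
			dest)
				cmd="$cmd $dtaddr"
				;;
			[a-z!]*)
				cmd2="$dt $dtaddr"
				;;
			esac
			if [ -z "$name" ]; then
				echo "/etc/hostname.$if: invalid network configuration file"
				return
			fi
			case $af in
			inet)
				[ "$mask" ] && cmd="$cmd netmask $mask"
				if [ -n "$bcaddr" ] && [ "X$bcaddr" != "XNONE" ]; then
					cmd="$cmd broadcast $bcaddr"
				fi
				# An alias also gets a host route back via loopback,
				# appended to the same eval'd command string.
				[ "$alias" ] && rtcmd=";route -n add -host $name 127.0.0.1"
				;;
			inet6) [ "$mask" ] && cmd="$cmd prefixlen $mask"
				cmd="$cmd $bcaddr"
				;;
			*)
				cmd="$cmd $mask $bcaddr"
				;;
			esac
			cmd="$cmd $ext1 $ext2$rtcmd" rtcmd=
			;;
		esac
		eval "$cmd"
	done < /etc/hostname.$if
}
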
# Start the $1 bridge
#
# Runs every non-comment line of /etc/bridgename.$1 (bridgename.if(5))
# as a brconfig(8) command for that bridge, or verbatim as a shell
# command when the line starts with "!".  Does nothing for a name that is
# not purely alphanumeric or that brconfig does not know.
# Globals written: line, cmd.
bridgestart() {
	# Interface names must be alphanumeric only.  We check to avoid
	# configuring backup or temp files, and to catch the "*" case.
	# It also keeps shell metacharacters out of the eval below.
	isalphanumeric "$1" || return 0
	# Unknown bridge: nothing to configure.
	brconfig $1 > /dev/null 2>&1 || return 0

	# Now parse the bridgename.* file.
	while read line; do
		# Drop trailing comments; skip the line if nothing is left.
		line=${line%%#*}
		[ -n "$line" ] || continue
		if [ "${line#!}" != "$line" ]; then
			# "!cmd" lines are run as given, without brconfig.
			cmd=${line#!}
		else
			cmd="brconfig $1 $line"
		fi
		eval "$cmd"
	done < /etc/bridgename.$1
}

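# Re-read /etc/rc.conf (expected to define $multicast_host and
# $multicast_router, used further down).
. /etc/rc.conf

# A leading "autoboot" argument is not an interface name; drop it.
# The comparison is quoted: an unquoted $1 would be word-split and
# globbed, turning an odd argument into a test(1) error.
if [ "${1}x" = autobootx ]; then
	shift
fi

# If we were invoked with a list of interface names, just reconfigure these
# interfaces (or bridges) and return.  A name with a bridgename.* file is
# a bridge; everything else is handed to ifstart.  Both functions reject
# any name that is not purely alphanumeric.
if [ $# -gt 0 ]; then
	while [ $# -gt 0 ]; do
		if [ -f "/etc/bridgename.$1" ]; then
			bridgestart "$1"
		else
			ifstart "$1"
		fi
		shift
	done
	# "return", not "exit": this file is written to be sourced
	# (dot-run) by its caller.
	return
fi
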
# Otherwise, process with the complete network initialization.

# /etc/myname contains my symbolic name; /etc/defaultdomain, if present,
# the domain name.
hostname=$(cat /etc/myname)
hostname $hostname
[ -f /etc/defaultdomain ] && domainname $(cat /etc/defaultdomain)

# Set the address for the loopback interface.
# It will also initialize IPv6 address for lo0 (::1 and others).
ifconfig lo0 inet localhost

# Reach ourselves via loopback, not the wire, and refuse to send
# 127/8 traffic anywhere else.
route -n add -host $hostname localhost > /dev/null
route -n add -net 127 127.0.0.1 -reject > /dev/null

# IPv6 configuration, only on a kernel that has it (lo0 accepts inet6).
ip6kernel=NO
if ifconfig lo0 inet6 >/dev/null 2>&1; then
	ip6kernel=YES

	# reject6 PREFIX/LEN: install a reject route for an IPv6 prefix
	# that must never leave (or reach) this host.
	reject6() {
		route add -inet6 ${1%/*} -prefixlen ${1#*/} ::1 -reject > /dev/null
	}

	# Disallow link-local and site-local unicast destinations without
	# outgoing scope identifiers.  If you configure site-locals without
	# scope id (permissible for routers that are not on a scope
	# boundary), you may want to drop the fec0::/10 entry.
	reject6 fe80::/10
	reject6 fec0::/10

	# Disallow "internal" (IPv4-mapped) addresses to appear on the wire.
	reject6 ::ffff:0.0.0.0/96

	# Disallow packets to malicious IPv4 compatible prefixes
	# (embedded 224/4, 127/8, 0/8 and 255/8).
	for _p in ::224.0.0.0/100 ::127.0.0.0/104 ::0.0.0.0/104 ::255.0.0.0/104; do
		reject6 $_p
	done

	# Disallow packets to malicious 6to4 prefixes (same embedded
	# IPv4 ranges as above).
	for _p in 2002:e000::/20 2002:7f00::/24 2002:0000::/24 2002:ff00::/24; do
		reject6 $_p
	done

	# Completely disallow packets to the IPv4 compatible prefix.
	# This may conflict with RFC1933 when (1) an IPv6-only KAME node,
	# which has no IPv4 compatible support, originates packets to an
	# IPv4 compatible destination and should under RFC1933 send native
	# IPv6 hoping to reach a router with an auto-tunnel interface, or
	# (2) an IPv6-only node originates such a packet and a KAME node
	# acting as IPv6 router is asked to forward it.  Due to rare use of
	# IPv4 compatible addresses, and security issues with it, we
	# disable it by default.
	reject6 ::0.0.0.0/96

	# Interfaces asking for router solicitation accumulate here.
	rtsolif=""
fi

# Configure all the non-loopback interfaces which we know about.
# Refer to hostname.if(5) and bridgename.if(5)
for hn in /etc/hostname.*; do
	# Strip off /etc/hostname. prefix; an unmatched glob leaves the
	# literal pattern behind, in which case there is nothing to do.
	if=${hn#/etc/hostname.}
	[ "$if" != "*" ] || continue

	case $if in
	gif*|gre*)
		# GIF and GRE interfaces need the routes to be setup before
		# they are configured; they get a second pass later.
		;;
	*)
		ifstart $if
		;;
	esac
done

# Router solicitation for the interfaces that asked for it ("rtsol"
# lines, collected in $rtsolif), then wait for DAD to complete.
if [ "$ip6kernel" = YES ]; then
	if [ -n "$rtsolif" ]; then
		# Only a non-forwarding node that accepts router
		# advertisements can autoconfigure; otherwise warn and skip.
		fw=$(sysctl -n net.inet6.ip6.forwarding)
		ra=$(sysctl -n net.inet6.ip6.accept_rtadv)
		if [ "$fw" = 0 ] && [ "$ra" = 1 ]; then
			echo "IPv6 autoconf:$rtsolif"
			rtsol $rtsolif
		else
			echo "WARNING: inconsistent config - check /etc/sysctl.conf for IPv6 autoconf"
		fi
	fi
	# Make sure DAD is completed before going further: wait
	# net.inet6.ip6.dad_count seconds, plus one.
	sleep $(sysctl -n net.inet6.ip6.dad_count)
	sleep 1
fi

# /etc/mygate, if it exists, contains the name of my gateway host.
# That name must be in /etc/hosts.
if [ -f /etc/mygate ]; then
	# Replace any existing default route; the delete is allowed to
	# fail when there is none.
	route delete default > /dev/null 2>&1
	route -n add -host default $(cat /etc/mygate)
fi

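# Multicast routing.
#
# The routing to the 224.0.0.0/4 net is setup according to these rules:
# multicast_host	multicast_router	route		comment
# NO			NO			-reject		no multicast
# NO			YES			none installed	daemon will run
# YES/interface		NO			-interface	YES=def. iface
#	   Any other combination		-reject		config error
#
# Both variables come from /etc/rc.conf (sourced above) and are treated
# as trusted configuration: $multicast_host is spliced into an ed(1)
# shell escape below.
case "$multicast_host:$multicast_router" in
NO:NO)
	route -n add -net 224.0.0.0/4 -interface 127.0.0.1 -reject > /dev/null
	;;
NO:YES)
	;;
*:NO)
	# Pick the address the multicast route goes out on: with
	# multicast_host=YES the second field of the "default" line of
	# "route -n show -inet" (the default gateway), otherwise the second
	# field of the "inet" line of "ifconfig $multicast_host" (that
	# interface's address).  ed(1) selects the line; "set --" splits it
	# into positional parameters so $2 is the value.  The "--" matters:
	# a bare "set" with an empty substitution (no default route, no
	# inet line) would print every shell variable instead of clearing
	# the parameters; now $2 is simply empty and route(8) complains.
	# NOTE(review): the backquotes wrap here-documents; only convert to
	# $( ) if the target shell is known to handle that.
	set -- `if [ "$multicast_host" = YES ]; then
		ed -s '!route -n show -inet' <<EOF
/^default/p
EOF
	else
		ed -s "!ifconfig $multicast_host" <<EOF
/^	inet /p
EOF
	fi`
	route -n add -net 224.0.0.0/4 -interface $2 > /dev/null
	;;
*:*)
	echo 'config error, multicasting disabled until rc.conf is fixed'
	route -n add -net 224.0.0.0/4 -interface 127.0.0.1 -reject > /dev/null
	;;
esac
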
# Configure all the gif and gre interfaces which we know about.
# They were delayed because they require the routes to be set.
for hn in /etc/hostname.*; do
	# Strip off /etc/hostname. prefix; skip the literal pattern an
	# unmatched glob leaves behind.
	if=${hn#/etc/hostname.}
	[ "$if" != "*" ] || continue

	# Regular interfaces have already been configured.
	case $if in
	gif*|gre*)
		ifstart $if
		;;
	esac
done

# Configure all the bridges.
for bn in /etc/bridgename.*; do
	# Strip off /etc/bridgename. prefix; skip the literal pattern an
	# unmatched glob leaves behind.
	if=${bn#/etc/bridgename.}
	[ "$if" != "*" ] || continue
	bridgestart $if
done

340