#!/sbin/sh # # CDDL HEADER START # # The contents of this file are subject to the terms of the # Common Development and Distribution License (the "License"). # You may not use this file except in compliance with the License. # # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE # or http://www.opensolaris.org/os/licensing. # See the License for the specific language governing permissions # and limitations under the License. # # When distributing Covered Code, include this CDDL HEADER in each # file and include the License file at usr/src/OPENSOLARIS.LICENSE. # If applicable, add the following below this CDDL HEADER, with the # fields enclosed by brackets "[]" replaced with your own identifying # information: Portions Copyright [yyyy] [name of copyright owner] # # CDDL HEADER END # # # Copyright 2007 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # # ident "%Z%%M% %I% %E% SMI" # # This is the second phase of TCP/IP configuration. The first part is # run by the svc:/network/physical service and includes configuring the # interfaces and setting the machine's hostname. The svc:/network/initial # service does all configuration that can be done before name services are # started, bar configuring IP routing (this is carried out by the # svc:/network/routing-setup service). The final part, run by the # svc:/network/service service, does all configuration that may require # name services. This includes a final re-configuration of the # interfaces. # . /lib/svc/share/smf_include.sh # # In a shared-IP zone we need this service to be up, but all of the work # it tries to do is irrelevant (and will actually lead to the service # failing if we try to do it), so just bail out. # In the global zone and exclusive-IP zones we proceed. # smf_configure_ip || exit $SMF_EXIT_OK # Configure IPv6 Default Address Selection. if [ -f /etc/inet/ipaddrsel.conf ]; then /usr/sbin/ipaddrsel -f /etc/inet/ipaddrsel.conf fi # # Now that /usr is mounted, see if in.mpathd needs to be started by firing it # up in "adopt" mode; if there are no interfaces it needs to manage, it will # automatically exit. Note that it may already be running if we're not # executing as part of system boot. # /usr/bin/pgrep -x -u 0 -z `smf_zonename` in.mpathd >/dev/null 2>&1 || \ /usr/lib/inet/in.mpathd -a # # Pass to the kernel the list of supported IPsec protocols and algorithms. # This will not cause IPsec to be loaded. # /usr/sbin/ipsecalgs -s # # Initialize IPsec only if ipsecinit.conf exists. Otherwise, save the # kernel memory that'll be consumed if IPsec is loaded. See below for more # IPsec-related commands. # if [ -f /etc/inet/ipsecinit.conf ] ; then /usr/sbin/ipsecconf -qa /etc/inet/ipsecinit.conf fi # # Set the RFC 1948 entropy, regardless of if I'm using it or not. If present, # use the encrypted root password as a source of entropy. Otherwise, # just use the pre-set (and hopefully difficult to guess) entropy that # tcp used when it loaded. # encr=`/usr/bin/awk -F: '/^root:/ {print $2}' /etc/shadow` [ -z "$encr" ] || /usr/sbin/ndd -set /dev/tcp tcp_1948_phrase $encr unset encr # # Get values for TCP_STRONG_ISS, ACCEPT6TO4RELAY and RELAY6TO4ADDR. # [ -f /etc/default/inetinit ] && . /etc/default/inetinit # Set the SDP system Policy. This needs to happen after basic # networking is up but before any networking services that might # want to use SDP are enabled if [ -f /usr/sbin/sdpadm -a -f /etc/sdp.conf ]; then . /etc/sdp.conf if [ "$sysenable" = "1" ]; then /usr/sbin/sdpadm enable fi fi # # Set TCP ISS generation. By default the ISS generation is # time + random()-delta. This might not be strong enough for some users. # See /etc/default/inetinit for settings and further info on TCP_STRONG_ISS. # If not set, use TCP's internal default setting. # if [ $TCP_STRONG_ISS ]; then /usr/sbin/ndd -set /dev/tcp tcp_strong_iss $TCP_STRONG_ISS fi # # In spite of global policy, there may be a need for IPsec because of # per-socket policy or tunnelled policy. With that in mind, check for manual # keys in /etc/inet/secret/ipseckeys, or check for IKE configuration in # /etc/inet/ike/config. Either of these will also load and initialize IPsec, # thereby consuming kernel memory. # if [ -f /etc/inet/secret/ipseckeys ] ; then /usr/sbin/ipseckey -f /etc/inet/secret/ipseckeys fi if [ -f /etc/inet/ike/config ] ; then /usr/lib/inet/in.iked fi # # Configure tunnels which were deferred by /lib/svc/method/net-physical # (the svc:/network/physical service) since it depends on the tunnel endpoints # being reachable i.e. routing must be running. # # WARNING: you may wish to turn OFF forwarding if you haven't already, because # of various possible security vulnerabilities when configuring tunnels for # Virtual Private Network (VPN) construction. # # Also, if names are used in the /etc/hostname.ip.tun* file, those names # have to be in either DNS (and DNS is used) or in /etc/hosts, because this # file is executed before NIS or NIS+ is started. # # # IPv4 tunnels # The second component of the name must be either "ip" or "ip6". # interface_names="`/usr/bin/ls /etc/hostname.ip*.*[0-9] 2>/dev/null | \ /usr/bin/grep '/etc/hostname\.ip6\{0,1\}\.'`" if [ -n "$interface_names" ]; then ( echo "configuring IPv4 tunnels:\c" # Extract the part after the first '.' set -- `for intr in $interface_names; do \ /usr/bin/expr //$intr : '[^.]*\.\(.*\)$'; done` while [ $# -ge 1 ]; do # Skip empty files if [ ! -s /etc/hostname\.$1 ]; then shift continue fi /usr/sbin/ifconfig $1 plumb while read ifcmds; do if [ -n "$ifcmds" ]; then /usr/sbin/ifconfig $1 inet $ifcmds fi done /dev/null echo " $1\c" shift done echo "." ) fi # # IPv6 Tunnels # The second component of the name must be either "ip" or "ip6". # interface_names="`/usr/bin/ls /etc/hostname6.ip*.*[0-9] 2>/dev/null | \ /usr/bin/grep '/etc/hostname6\.ip6\{0,1\}\.'`" if [ -n "$interface_names" ]; then ( echo "configuring IPv6 tunnels:\c" # Extract the part after the first '.' set -- `for intr in $interface_names; do \ /usr/bin/expr //$intr : '[^.]*\.\(.*\)$'; done` while [ $# -ge 1 ]; do # Skip empty files if [ ! -s /etc/hostname6\.$1 ]; then shift continue fi /usr/sbin/ifconfig $1 inet6 plumb while read ifcmds; do if [ -n "$ifcmds" ]; then /usr/sbin/ifconfig $1 inet6 $ifcmds fi done /dev/null echo " $1\c" shift done echo "." ) fi # Clear exit status. exit $SMF_EXIT_OK