#!/sbin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# ident	"%Z%%M%	%I%	%E% SMI"
#
# This is the second phase of TCP/IP configuration.  The first part is
# run by the /lib/svc/method/net-physical script (the svc:/network/physical
# service) and includes configuring the interfaces and setting the machine's
# hostname.  This script (the svc:/network/initial service), does all
# configuration that can be done before name services are started. This
# includes configuring IP routing, and setting any tunable parameters.
# The third part, run by the /lib/svc/method/net-svc script (the
# svc:/network/service service), does all configuration that may require
# name services.  This includes a final re-configuration of the interfaces.
#

# Shared SMF method helpers.  smf_netstrategy, called further down, is
# expected to come from this file -- not visible here, verify.
. /lib/svc/share/smf_include.sh
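#
# Method entry point.  "start" falls through to the initialization code
# below; "stop" terminates the routing daemons and exits.  Both are no-ops
# outside the global zone.  Any other argument prints a usage message and
# exits 1.  The zonename output is quoted so that test(1) always sees a
# single operand, even if the command produced nothing.
#
case "$1" in
'start')
	#
	# In a zone we need this service to be up, but all of the work
	# it tries to do is irrelevant (and will actually lead to the service
	# failing if we try to do it), so just bail out.
	#
	if [ "`/sbin/zonename`" != "global" ]; then
		exit 0
	fi
	;; # Fall through -- rest of script is the initialization code

'stop')
	if [ "`/sbin/zonename`" != "global" ]; then
		exit 0
	fi
	#
	# If we were routing dynamically, we will note this with
	# the .dynamic_routing file, so that we can leave the routes
	# in place without thinking they're static route entries
	# when we come back into states 2 or 3.
	#
	# pgrep/pkill are limited to uid 0 (-u 0) and an exact process name
	# (-x), so only the system's own routing daemons are matched.
	#
	if /usr/bin/pgrep -x -u 0 'in.routed|in.rdisc' >/dev/null 2>&1; then
		/usr/bin/pkill -z "`/sbin/zonename`" -x -u 0 'in.routed|in.rdisc'
		> /etc/.dynamic_routing
	fi
	/usr/bin/pkill -z "`/sbin/zonename`" -x -u 0 'in.ndpd|in.ripngd'
	exit 0
	;;

*)
	echo "Usage: $0 { start | stop }"
	exit 1
	;;
esac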
# Configure IPv6 Default Address Selection, but only when the administrator
# has supplied a policy table.
[ -f /etc/inet/ipaddrsel.conf ] && /usr/sbin/ipaddrsel -f /etc/inet/ipaddrsel.conf
#
# Snapshot the IPv6 interfaces that are up, so that the link-local address
# of one of them can be chosen as the outgoing interface for multicast.
#
v6snap=/etc/svc/volatile/ifconfig.$$
# NOTE(review): the snapshot name is predictable (PID based); this relies on
# /etc/svc/volatile not being writable by unprivileged users -- confirm.
/usr/sbin/ifconfig -a6u >$v6snap
numv6ifs=`/usr/bin/grep -c inet6 $v6snap`
if [ $numv6ifs -gt 1 ]; then
	#
	# Add a static route for multicast packets out of a link-local
	# interface, although would like to specify multicast interface using
	# an interface name!  awk prints every fe80: address with its prefix
	# length stripped; only the first one ($1) is used.
	#
	set -- `/usr/bin/awk '/inet6 fe80:/ { print substr($2, 1, index($2, "/") - 1) }' $v6snap`

	if [ -n "$1" ]; then
		echo "Setting default IPv6 interface for multicast:" \
		    "add net ff00::/8: gateway $1"
		/usr/sbin/route -n add -interface -inet6 "ff00::/8" "$1" >/dev/null
	fi
fi
/usr/bin/rm -f $v6snap
unset v6snap
#
# Now that /usr is mounted, see if in.mpathd needs to be started by firing it
# up in "adopt" mode; if there are no interfaces it needs to manage, it will
# automatically exit.  Note that it may already be running if we're not
# executing as part of system boot.
#
if /usr/bin/pgrep -x -u 0 in.mpathd >/dev/null 2>&1; then
	:	# already running as root under its exact name; nothing to do
else
	/usr/lib/inet/in.mpathd -a
fi
#
# Pass to the kernel the list of supported IPsec protocols and algorithms.
# This will not cause IPsec to be loaded.  Only the algorithm table is
# pushed here; policy and keys are handled further down.
#
/usr/sbin/ipsecalgs -s
#
# Initialize IPsec only if ipsecinit.conf exists.  Otherwise, save the
# kernel memory that'll be consumed if IPsec is loaded.  See below for more
# IPsec-related commands.
#
[ -f /etc/inet/ipsecinit.conf ] && /usr/sbin/ipsecconf -qa /etc/inet/ipsecinit.conf
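#
# Set the RFC 1948 entropy, regardless of if I'm using it or not.  If present,
# use the encrypted root password as a source of entropy.  Otherwise,
# just use the pre-set (and hopefully difficult to guess) entropy that
# tcp used when it loaded.
#
# Only the hashed field of the root entry is read.  It is handed to ndd as
# an argument, so it is visible in the process argument list for the
# duration of that call.  The expansion is quoted: a locked or passwordless
# root entry holds a marker (for example "*LK*") rather than a hash, and an
# unquoted "*" would be subject to filename generation.  Such a marker adds
# little entropy, but it is harmless.
#
encr=`/usr/bin/awk -F: '/^root:/ {print $2}' /etc/shadow`
[ -z "$encr" ] || /usr/sbin/ndd -set /dev/tcp tcp_1948_phrase "$encr"
unset encr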
#
# Get values for TCP_STRONG_ISS, ACCEPT6TO4RELAY and RELAY6TO4ADDR.
# The file is sourced as shell code, so anything in it runs with this
# script's privileges.
#
if [ -f /etc/default/inetinit ]; then
	. /etc/default/inetinit
fi
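#
# Set TCP ISS generation.  By default the ISS generation is
# time + random()-delta.  This might not be strong enough for some users.
# See /etc/default/inetinit for settings and further info on TCP_STRONG_ISS.
# If not set, use TCP's internal default setting.
#
# Quoted so that a value containing whitespace is passed to ndd as a single
# argument instead of breaking the test or splitting into several words.
#
if [ -n "$TCP_STRONG_ISS" ]; then
	/usr/sbin/ndd -set /dev/tcp tcp_strong_iss "$TCP_STRONG_ISS"
fi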
#
# Configure default IPv4 routers using the local "/etc/defaultrouter"
# configuration file.  The file can contain the hostnames or IP
# addresses of one or more default routers.  If hostnames are used,
# each hostname must also be listed in the local "/etc/hosts" file
# because NIS and NIS+ are not running at the time that this script is
# run.  Each router name or address is listed on a single line by
# itself in the file.  Anything else on that line after the router's
# name or address is ignored.  Lines that begin with "#" are
# considered comments and ignored.
#
# The default routes listed in the "/etc/defaultrouter" file will
# replace those added by the kernel during diskless booting.  An
# empty "/etc/defaultrouter" file will cause the default route
# added by the kernel to be deleted.
#
# Note that the default router file is ignored if we received routes
# from a DHCP server.  Our policy is to always trust DHCP over local
# administration.
#
# Sets _INIT_NET_STRATEGY, read just below; presumably provided by the
# sourced smf_include.sh -- not visible here.
smf_netstrategy

# On the DHCP path dhcpinfo is run twice, once for the test and once for
# the value.  On the file path comment lines are dropped and only the first
# word of each remaining line is kept, as described above.
if [ "$_INIT_NET_STRATEGY" = "dhcp" ] && [ -n "`/sbin/dhcpinfo Router`" ]; then
	defrouters=`/sbin/dhcpinfo Router`
elif [ -f /etc/defaultrouter ]; then
	defrouters=`/usr/bin/grep -v \^\# /etc/defaultrouter | \
	    /usr/bin/awk '{print $1}'`
	if [ -n "$defrouters" ]; then
		#
		# We want the default router(s) listed in /etc/defaultrouter
		# to replace the one added from the BOOTPARAMS WHOAMI response
		# but we must avoid flushing the last route between the running
		# system and its /usr file system.
		#

		# First, remember the original route.  "shift $#" clears the
		# positional parameters, so if netstat reports no default
		# route $2 -- and hence route_IP -- is empty.
		shift $#
		set -- `/usr/bin/netstat -rn -f inet | /usr/bin/grep '^default'`
		route_IP="$2"

		#
		# Next, add those from /etc/defaultrouter.  While doing this,
		# if one of the routes we add is for the route previously
		# added as a result of the BOOTPARAMS response, we will see
		# a message of the form:
		#	"add net default: gateway a.b.c.d: entry exists"
		#
		do_delete=yes
		for router in $defrouters; do
			# NOTE(review): "$?" on the line after next is the exit
			# status of the set builtin, not of route; in bash
			# (and, it appears, ksh93) that is 0 even when route
			# fails, so the "entry exists" match may never fire --
			# confirm under /sbin/sh.  $5 is the "a.b.c.d:" word
			# of the message quoted above.
			set -- `/usr/sbin/route -n add default -gateway $router`
			[ $? -ne 0 -a "x$5" = "x$route_IP:" ] && do_delete=no
		done

		#
		# Finally, delete the original default route unless it was
		# also listed in the defaultrouter file.
		#
		if [ -n "$route_IP" -a $do_delete = yes ]; then
			/usr/sbin/route -n delete default -gateway $route_IP \
			    >/dev/null
		fi
	else
		# Empty file: flush the routing table, as documented above.
		/usr/sbin/route -fn > /dev/null
	fi
else
	defrouters=
fi
#
# Use routeadm(1M) to configure forwarding and launch routing daemons for
# IPv4 and IPv6 based on preset values.  These settings only apply to the
# global zone.  For IPv4 dynamic routing, the system will default to
# disabled if a default route was previously added via BOOTP, DHCP, or
# the /etc/defaultrouter file.  routeadm also starts in.ndpd.
#
if [ ! -f /etc/.dynamic_routing ]; then
	if [ -z "$defrouters" ]; then
		#
		# No default routes were setup by "route" command above.
		# Check the kernel routing table for any other default
		# routes.
		#
		if /usr/bin/netstat -rn -f inet | /usr/bin/grep default >/dev/null 2>&1; then
			defrouters=yes
		fi
	fi
fi
if [ -f /etc/.dynamic_routing ]; then
	/usr/bin/rm -f /etc/.dynamic_routing
fi
# Dynamic IPv4 routing is the boot-time default only when no default route
# is known.  $routeadmstr is deliberately left unquoted below so that it
# expands to two words: the option and its argument.
routeadmstr="-e ipv4-routing"
[ -z "$defrouters" ] || routeadmstr="-d ipv4-routing"
#
# The -b option used here tells routeadm that the ipv4-routing
# option in $routeadmstr is the boot-time default.  The
# boot-time default is used if the administrator has not
# explicitly enabled or disabled ipv4-routing using the -e or
# -d routeadm option.
#
/usr/sbin/routeadm -u -b $routeadmstr
#
# In spite of global policy, there may be a need for IPsec because of
# per-socket policy or tunnelled policy.  With that in mind, check for manual
# keys in /etc/inet/secret/ipseckeys, or check for IKE configuration in
# /etc/inet/ike/config.  Either of these will also load and initialize IPsec,
# thereby consuming kernel memory.
#

# Manual keying material: loaded straight from the secret file.
[ -f /etc/inet/secret/ipseckeys ] && /usr/sbin/ipseckey -f /etc/inet/secret/ipseckeys

# Automated keying: start the IKE daemon when it has a configuration.
[ -f /etc/inet/ike/config ] && /usr/lib/inet/in.iked
#
# Configure tunnels which were deferred by /lib/svc/method/net-physical
# (the svc:/network/physical service) since it depends on the tunnel endpoints
# being reachable i.e. routing must be running.
#
# WARNING: you may wish to turn OFF forwarding if you haven't already, because
# of various possible security vulnerabilities when configuring tunnels for
# Virtual Private Network (VPN) construction.
#
# Also, if names are used in the /etc/hostname.ip.tun* file, those names
# have to be in either DNS (and DNS is used) or in /etc/hosts, because this
# file is executed before NIS or NIS+ is started.
#

#
# IPv4 tunnels
# The second component of the name must be either "ip" or "ip6".
#
# The candidate list is ls output split on whitespace, so the file names are
# assumed to contain none (they are fixed /etc/hostname.* paths).
#
interface_names="`/usr/bin/ls /etc/hostname.ip*.*[0-9] 2>/dev/null | \
    /usr/bin/grep '/etc/hostname\.ip6\{0,1\}\.'`"
if [ -n "$interface_names" ]; then
	# Subshell: the "set --" below must not clobber the outer
	# positional parameters.
	(
		echo "configuring IPv4 tunnels:\c"
		# Extract the part after the first '.'
		set -- `for intr in $interface_names; do \
		    /usr/bin/expr //$intr : '[^.]*\.\(.*\)$'; done`
		while [ $# -ge 1 ]; do
			# Skip empty files
			if [ ! -s /etc/hostname\.$1 ]; then
				shift
				continue
			fi
			/usr/sbin/ifconfig $1 plumb
			# Each non-empty line of the hostname file is split into
			# words and passed to ifconfig as arguments; the file is
			# treated as trusted configuration.  read without -r
			# interprets backslashes in those lines.
			while read ifcmds; do
				if [ -n "$ifcmds" ]; then
					/usr/sbin/ifconfig $1 inet $ifcmds
				fi
			done </etc/hostname\.$1 >/dev/null
			echo " $1\c"
			shift
		done
		echo "."
	)
fi
#
# IPv6 Tunnels
# The second component of the name must be either "ip" or "ip6".
#
# Same procedure as the IPv4 tunnels above, but reading /etc/hostname6.*
# and plumbing/configuring with the inet6 address family.
#
interface_names="`/usr/bin/ls /etc/hostname6.ip*.*[0-9] 2>/dev/null | \
    /usr/bin/grep '/etc/hostname6\.ip6\{0,1\}\.'`"
if [ -n "$interface_names" ]; then
	# Subshell: the "set --" below must not clobber the outer
	# positional parameters.
	(
		echo "configuring IPv6 tunnels:\c"
		# Extract the part after the first '.'
		set -- `for intr in $interface_names; do \
		    /usr/bin/expr //$intr : '[^.]*\.\(.*\)$'; done`
		while [ $# -ge 1 ]; do
			# Skip empty files
			if [ ! -s /etc/hostname6\.$1 ]; then
				shift
				continue
			fi
			/usr/sbin/ifconfig $1 inet6 plumb
			# Each non-empty line is split into words and passed to
			# ifconfig as arguments; the file is treated as trusted
			# configuration.  read without -r interprets backslashes.
			while read ifcmds; do
				if [ -n "$ifcmds" ]; then
					/usr/sbin/ifconfig $1 inet6 $ifcmds
				fi
			done </etc/hostname6\.$1 > /dev/null
			echo " $1\c"
			shift
		done
		echo "."
	)
fi
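#
# Set 6to4 Relay Router communication support policy and, if applicable,
# the destination Relay Router IPv4 address.  See /etc/default/inetinit for
# setting and further info on ACCEPT6TO4RELAY and RELAY6TO4ADDR.
# If ACCEPT6TO4RELAY=NO, the default value in the kernel will
# be used.
#
# The policy value is folded to lower case before comparison.  The relay
# address is tested with -n and passed quoted, so an empty or odd value is
# never misread by test(1) or split into several arguments.
#
ACCEPT6TO4RELAY=`echo "$ACCEPT6TO4RELAY" | /usr/bin/tr '[A-Z]' '[a-z]'`
if [ "$ACCEPT6TO4RELAY" = yes ]; then
	if [ -n "$RELAY6TO4ADDR" ]; then
		/usr/sbin/6to4relay -e -a "$RELAY6TO4ADDR"
	else
		/usr/sbin/6to4relay -e
	fi
fi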
#
# Read /etc/inet/static_routes and add each route.  Comment lines ("#")
# and blank lines are dropped before the loop; every remaining line is
# split into words and handed to route as its arguments, which is why
# $rt is deliberately left unquoted.
#
if [ -f /etc/inet/static_routes ]; then
	echo "Adding persistent routes:"
	/usr/bin/egrep -v "^(#|$)" /etc/inet/static_routes |
	while read rt; do
		/usr/sbin/route add $rt
	done
fi
# Clear exit status: the result of whichever command ran last above must
# not become the exit status of this method.
exit 0