xref: /titanic_50/usr/src/cmd/svc/milestone/net-init (revision 6bb0858833ad931216a3c40682436131bec0007f)
1#!/sbin/sh
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or http://www.opensolaris.org/os/licensing.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22#
23# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
24# Use is subject to license terms.
25#
26# ident	"%Z%%M%	%I%	%E% SMI"
27#
28# This is the second phase of TCP/IP configuration.  The first part is
29# run by the svc:/network/physical service and includes configuring the
30# interfaces and setting the machine's hostname.  The svc:/network/initial
31# service does all configuration that can be done before name services are
32# started, bar configuring IP routing (this is carried out by the
33# svc:/network/routing-setup service).  The final part, run by the
34# svc:/network/service service,  does all configuration that may require
35# name services.  This includes a final re-configuration of the
36# interfaces.
37#
38
39. /lib/svc/share/smf_include.sh
40
41#
42# In a shared-IP zone we need this service to be up, but all of the work
43# it tries to do is irrelevant (and will actually lead to the service
44# failing if we try to do it), so just bail out.
45# In the global zone and exclusive-IP zones we proceed.
46#
47smf_configure_ip || exit $SMF_EXIT_OK
48
49# Configure IPv6 Default Address Selection.
50if [ -f /etc/inet/ipaddrsel.conf ]; then
51	/usr/sbin/ipaddrsel -f /etc/inet/ipaddrsel.conf
52fi
53
54#
55# Now that /usr is mounted, see if in.mpathd needs to be started by firing it
56# up in "adopt" mode; if there are no interfaces it needs to manage, it will
57# automatically exit.  Note that it may already be running if we're not
58# executing as part of system boot.
59#
60/usr/bin/pgrep -x -u 0 -z `smf_zonename` in.mpathd >/dev/null 2>&1 || \
61    /usr/lib/inet/in.mpathd -a
62
63#
64# Pass to the kernel the list of supported IPsec protocols and algorithms.
65# This will not cause IPsec to be loaded.
66#
67/usr/sbin/ipsecalgs -s
68
69#
70# Initialize IPsec only if ipsecinit.conf exists.  Otherwise, save the
71# kernel memory that'll be consumed if IPsec is loaded.  See below for more
72# IPsec-related commands.
73#
74if [ -f /etc/inet/ipsecinit.conf ] ; then
75	/usr/sbin/ipsecconf -qa /etc/inet/ipsecinit.conf
76fi
77
78#
79# Set the RFC 1948 entropy, regardless of if I'm using it or not.  If present,
80# use the encrypted root password as a source of entropy.  Otherwise,
81# just use the pre-set (and hopefully difficult to guess) entropy that
82# tcp used when it loaded.
83#
84encr=`/usr/bin/awk -F: '/^root:/ {print $2}' /etc/shadow`
85[ -z "$encr" ] || /usr/sbin/ndd -set /dev/tcp tcp_1948_phrase $encr
86unset encr
87
88#
89# Get values for TCP_STRONG_ISS, ACCEPT6TO4RELAY and RELAY6TO4ADDR.
90#
91[ -f /etc/default/inetinit ] && . /etc/default/inetinit
92
93# Set the SDP system Policy.  This needs to happen after basic
94# networking is up but before any networking services that might
95# want to use SDP are enabled
96if [ -f /usr/sbin/sdpadm -a -f /etc/sdp.conf ]; then
97	. /etc/sdp.conf
98	if [ "$sysenable" = "1" ]; then
99		/usr/sbin/sdpadm enable
100	fi
101fi
102
103#
104# Set TCP ISS generation.  By default the ISS generation is
105# time + random()-delta.  This might not be strong enough for some users.
106# See /etc/default/inetinit for settings and further info on TCP_STRONG_ISS.
107# If not set, use TCP's internal default setting.
108#
109if [ $TCP_STRONG_ISS ]; then
110	/usr/sbin/ndd -set /dev/tcp tcp_strong_iss $TCP_STRONG_ISS
111fi
112
113#
114# In spite of global policy, there may be a need for IPsec because of
115# per-socket policy or tunnelled policy.  With that in mind, check for manual
116# keys in /etc/inet/secret/ipseckeys, or check for IKE configuration in
117# /etc/inet/ike/config.  Either of these will also load and initialize IPsec,
118# thereby consuming kernel memory.
119#
120
121if [ -f /etc/inet/secret/ipseckeys ] ; then
122	/usr/sbin/ipseckey -f /etc/inet/secret/ipseckeys
123fi
124
125if [ -f /etc/inet/ike/config ] ; then
126	/usr/lib/inet/in.iked
127fi
128
129#
130# Configure tunnels which were deferred by /lib/svc/method/net-physical
131# (the svc:/network/physical service) since it depends on the tunnel endpoints
132# being reachable i.e. routing must be running.
133#
134# WARNING: you may wish to turn OFF forwarding if you haven't already, because
135# of various possible security vulnerabilities when configuring tunnels for
136# Virtual Private Network (VPN) construction.
137#
138# Also, if names are used in the /etc/hostname.ip.tun* file, those names
139# have to be in either DNS (and DNS is used) or in /etc/hosts, because this
140# file is executed before NIS or NIS+ is started.
141#
142
143#
144# IPv4 tunnels
145# The second component of the name must be either "ip" or "ip6".
146#
147interface_names="`/usr/bin/ls /etc/hostname.ip*.*[0-9] 2>/dev/null | \
148    /usr/bin/grep '/etc/hostname\.ip6\{0,1\}\.'`"
149if [ -n "$interface_names" ]; then
150	(
151		echo "configuring IPv4 tunnels:\c"
152		# Extract the part after the first '.'
153		set -- `for intr in $interface_names; do \
154		    /usr/bin/expr //$intr : '[^.]*\.\(.*\)$'; done`
155		while [ $# -ge 1 ]; do
156			# Skip empty files
157			if [ ! -s /etc/hostname\.$1 ]; then
158				shift
159				continue
160			fi
161			/usr/sbin/ifconfig $1 plumb
162			while read ifcmds; do
163				if [ -n "$ifcmds" ]; then
164					/usr/sbin/ifconfig $1 inet $ifcmds
165				fi
166			done </etc/hostname\.$1 >/dev/null
167			echo " $1\c"
168			shift
169		done
170		echo "."
171	)
172fi
173
174#
175# IPv6 Tunnels
176# The second component of the name must be either "ip" or "ip6".
177#
178interface_names="`/usr/bin/ls /etc/hostname6.ip*.*[0-9] 2>/dev/null | \
179    /usr/bin/grep '/etc/hostname6\.ip6\{0,1\}\.'`"
180if [ -n "$interface_names" ]; then
181	(
182		echo "configuring IPv6 tunnels:\c"
183		# Extract the part after the first '.'
184		set -- `for intr in $interface_names; do \
185		    /usr/bin/expr //$intr : '[^.]*\.\(.*\)$'; done`
186		while [ $# -ge 1 ]; do
187			# Skip empty files
188			if [ ! -s /etc/hostname6\.$1 ]; then
189				shift
190				continue
191			fi
192			/usr/sbin/ifconfig $1 inet6 plumb
193			while read ifcmds; do
194				if [ -n "$ifcmds" ]; then
195					/usr/sbin/ifconfig $1 inet6 $ifcmds
196				fi
197			done </etc/hostname6\.$1 > /dev/null
198			echo " $1\c"
199			shift
200		done
201		echo "."
202	)
203fi
204
205# Clear exit status.
206exit $SMF_EXIT_OK
207