mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2025-01-09 16:01:19 +01:00
03172c2b49
- 6to4(stf) interface configuration. - Static route configuration. - Comment additions. - Replaced a still existed '@' to '%' in IPv6 scoped addr format. (This became necessary as previous IPv6 scoped addr format change.) Much thanks to ume, who helped me reviewing, testing, and finding problems with these changes. Approved by: jkh Reviewed by: ume
330 lines
7.7 KiB
Bash
330 lines
7.7 KiB
Bash
#! /bin/sh
|
|
# $FreeBSD$
|
|
|
|
# Note that almost all of the user-configurable behavior is not in this
|
|
# file, but rather in /etc/defaults/rc.conf. Please check that file
|
|
# first before contemplating any changes here. If you do need to change
|
|
# this file for some reason, we would like to know about it.
|
|
|
|
# IPv6 startup
|
|
|
|
network6_pass1() {
|
|
echo -n 'Doing IPv6 network setup:'
|
|
|
|
case ${ipv6_gateway_enable} in
|
|
[Yy][Ee][Ss])
|
|
#
|
|
# list of interfaces, and prefix for interfaces
|
|
#
|
|
case ${ipv6_network_interfaces} in
|
|
[Aa][Uu][Tt][Oo])
|
|
ipv6_network_interfaces="`ifconfig -l`"
|
|
;;
|
|
esac
|
|
;;
|
|
*)
|
|
#
|
|
# manual configurations - in case ip6_gateway_enable=NO
|
|
# you can configure only single interface,
|
|
# as specification assumes that
|
|
# autoconfigured host has single interface only.
|
|
#
|
|
case ${ipv6_network_interfaces} in
|
|
[Aa][Uu][Tt][Oo])
|
|
ipv6_network_interfaces="`ifconfig -l \
|
|
| sed -e 's/ .*//'`"
|
|
;;
|
|
esac
|
|
;;
|
|
esac
|
|
|
|
# just to make sure
|
|
ifconfig lo0 up
|
|
|
|
# disallow "internal" addresses to appear on the wire
|
|
route add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject
|
|
route add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject
|
|
|
|
case ${ipv6_gateway_enable} in
|
|
[Yy][Ee][Ss])
|
|
# act as a router
|
|
sysctl -w net.inet6.ip6.forwarding=1
|
|
sysctl -w net.inet6.ip6.accept_rtadv=0
|
|
|
|
# wait for DAD
|
|
for i in $ipv6_network_interfaces; do
|
|
ifconfig $i up
|
|
done
|
|
sleep `sysctl -n net.inet6.ip6.dad_count`
|
|
sleep 1
|
|
|
|
# setting up interfaces
|
|
for i in $ipv6_network_interfaces; do
|
|
eval prefix=\$ipv6_prefix_$i
|
|
case ${prefix} in
|
|
'')
|
|
continue;
|
|
;;
|
|
esac
|
|
for j in ${prefix}; do
|
|
case ${prefixcmd_enable} in
|
|
[Yy][Ee][Ss])
|
|
prefix $i $j::
|
|
;;
|
|
*)
|
|
laddr=`ifconfig $i inet6 \
|
|
| grep 'inet6 fe80:' \
|
|
| head -1 | awk '{print $2}'`
|
|
hostid=`echo ${laddr} | sed \
|
|
-e 's/fe80:[0-9a-fA-F]+::/fe80::/' \
|
|
-e 's/fe80:://' -e 's/%.*//'`
|
|
address=$j\:${hostid}
|
|
|
|
eval hostid_$i=${hostid}
|
|
eval address_$i=${address}
|
|
|
|
ifconfig $i inet6 ${address} \
|
|
prefixlen 64 alias
|
|
;;
|
|
esac
|
|
|
|
# subnet-router anycast address (rfc2373)
|
|
ifconfig $i inet6 $j:: prefixlen 64 \
|
|
alias anycast
|
|
done
|
|
|
|
ifconfig $i inet6
|
|
done
|
|
|
|
# again, wait for DAD's completion (for global addrs)
|
|
sleep `sysctl -n net.inet6.ip6.dad_count`
|
|
sleep 1
|
|
|
|
# Filter out interfaces on which IPv6 addr init failed.
|
|
ipv6_working_interfaces=""
|
|
for i in ${ipv6_network_interfaces}; do
|
|
laddr=`ifconfig $i inet6 2>/dev/null | \
|
|
grep 'inet6 fe80:' | \
|
|
head -1 | grep -v tentative`
|
|
case ${laddr} in
|
|
'')
|
|
;;
|
|
*)
|
|
ipv6_working_interfaces="$i \
|
|
${ipv6_working_interfaces}"
|
|
;;
|
|
esac
|
|
done
|
|
ipv6_network_interfaces=${ipv6_working_interfaces}
|
|
|
|
# gifconfig
|
|
network6_gif_setup
|
|
|
|
# 6to4 setup
|
|
network6_stf_setup
|
|
|
|
# install the "default interface" to kernel, which will be used
|
|
# as the default route when there's no router.
|
|
network6_default_interface_setup
|
|
|
|
# setup static routes
|
|
network6_static_routes_setup
|
|
|
|
# ipv6_router
|
|
case ${ipv6_router_enable} in
|
|
[Yy][Ee][Ss])
|
|
if [ -x ${ipv6_router} ]; then
|
|
echo -n " ${ipv6_router}"
|
|
${ipv6_router} ${ipv6_router_flags}
|
|
fi
|
|
;;
|
|
esac
|
|
|
|
# rtadvd
|
|
# This should enabled with a great care.
|
|
# You may want to fine-tune /etc/rtadvd.conf.
|
|
#
|
|
# And if you wish your rtadvd to receive and process
|
|
# router renumbering messages, specify your Router Renumbering
|
|
# security policy by -P option.
|
|
#
|
|
# See `man 3 ipsec_set_policy` for IPsec policy specification
|
|
# details.
|
|
# (CAUTION: This enables your routers prefix renumbering
|
|
# from another machine, so if you enable this, do it with
|
|
# enough care.)
|
|
#
|
|
case ${rtadvd_enable} in
|
|
[Yy][Ee][Ss])
|
|
# default
|
|
rtadvd_interfaces=`echo ${ipv6_network_interfaces} | \
|
|
sed -e 's/ stf0//'`
|
|
rtadvd ${rtadvd_interfaces}
|
|
#
|
|
# Enable Router Renumbering, unicast case
|
|
# (use correct src/dst addr)
|
|
# rtadvd -P "in ipsec ah/transport/fec0:0:0:1::1-fec0:0:0:10::1/require" \
|
|
# ${ipv6_network_interfaces}
|
|
# Enable Router Renumbering, multicast case
|
|
# (use correct src addr)
|
|
# rtadvd -P "in ipsec ah/transport/ff05::2-fec0:0:0:10::1/require" \
|
|
# ${ipv6_network_interfaces}
|
|
;;
|
|
esac
|
|
|
|
# mroute6d
|
|
case ${mroute6d_enable} in
|
|
[Yy][Ee][Ss])
|
|
if [ -x ${mroute6d_program} ]; then
|
|
echo -n " ${mroute6d_program}"
|
|
${mroute6d_program} ${mroute6d_flags}
|
|
fi
|
|
;;
|
|
esac
|
|
;;
|
|
*)
|
|
# act as endhost - automatically configured
|
|
sysctl -w net.inet6.ip6.forwarding=0
|
|
sysctl -w net.inet6.ip6.accept_rtadv=1
|
|
|
|
ifconfig ${ipv6_network_interfaces} up
|
|
rtsol ${ipv6_network_interfaces}
|
|
|
|
|
|
|
|
# wait for DAD's completion (for global addrs)
|
|
sleep `sysctl -n net.inet6.ip6.dad_count`
|
|
sleep 1
|
|
|
|
# gifconfig
|
|
network6_gif_setup
|
|
|
|
# 6to4 setup
|
|
network6_stf_setup
|
|
|
|
# install the "default interface" to kernel, which will be used
|
|
# as the default route when there's no router.
|
|
# ndp -I ${ipv6_default_interface}
|
|
network6_default_interface_setup
|
|
|
|
# setup static routes
|
|
network6_static_routes_setup
|
|
;;
|
|
esac
|
|
|
|
echo '.'
|
|
|
|
# Let future generations know we made it.
|
|
#
|
|
network6_pass1_done=YES
|
|
}
|
|
|
|
network6_gif_setup() {
|
|
case ${gif_interfaces} in
|
|
[Nn][Oo] | '')
|
|
;;
|
|
*)
|
|
for i in ${gif_interfaces}; do
|
|
eval peers=\$gifconfig_$i
|
|
case ${peers} in
|
|
'')
|
|
continue
|
|
;;
|
|
*)
|
|
gifconfig $i ${peers}
|
|
;;
|
|
esac
|
|
done
|
|
;;
|
|
esac
|
|
}
|
|
|
|
network6_stf_setup() {
|
|
case ${stf_interface_ipv4addr} in
|
|
[Nn][Oo] | '')
|
|
;;
|
|
*)
|
|
# setup outer IPv4 addrs
|
|
gifconfig stf0 ${stf_interface_ipv4addr} 255.255.255.255
|
|
# assign IPv6 addr and interface route for 6to4 interface
|
|
stf_prefixlen=$((16+${stf_interface_ipv4plen:-0}))
|
|
ipv4_in_hexformat=`echo ${stf_interface_ipv4addr} | \
|
|
sed -e s/"\."/" "/g | \
|
|
awk '{$5 = $1*256 + $2; $6 = $3*256 + $4; \
|
|
printf "%x:%x\n", $5, $6}'`
|
|
case ${stf_interface_ipv6_ifid} in
|
|
[Aa][Uu][Tt][Oo] | '')
|
|
laddr=`ifconfig stf0 inet6 | grep 'inet6 fe80:' \
|
|
| head -1 | awk '{print $2}'`
|
|
stf_interface_ipv6_ifid=`echo ${laddr} | sed \
|
|
-e 's/fe80:[0-9a-fA-F]+::/fe80::/' \
|
|
-e 's/fe80:://' -e 's/%.*//'`
|
|
case ${stf_interface_ipv6_ifid} in
|
|
'')
|
|
stf_interface_ipv6_ifid=0:0:0:1
|
|
;;
|
|
esac
|
|
;;
|
|
esac
|
|
ifconfig stf0 inet6 2002:${ipv4_in_hexformat}:${stf_interface_ipv6_slaid:-0}:${stf_interface_ipv6_ifid} \
|
|
prefixlen ${stf_prefixlen}
|
|
# disallow packets to malicious 6to4 prefix
|
|
route add -inet6 2002:7f00:0000:: -prefixlen 24 ::1 -reject
|
|
route add -inet6 2002:0000:0000:: -prefixlen 48 ::1 -reject
|
|
route add -inet6 2002:ffff:ffff:: -prefixlen 48 ::1 -reject
|
|
;;
|
|
esac
|
|
}
|
|
|
|
network6_static_routes_setup() {
|
|
# Set up any static routes.
|
|
case ${ipv6_static_routes} in
|
|
[Nn][Oo] | '')
|
|
;;
|
|
*)
|
|
for i in ${ipv6_static_routes}; do
|
|
eval ipv6_route_args=\$ipv6_route_${i}
|
|
route add -inet6 ${ipv6_route_args}
|
|
done
|
|
;;
|
|
esac
|
|
}
|
|
|
|
network6_default_interface_setup() {
|
|
# Choose IPv6 default interface if it is not clearly specified.
|
|
case ${ipv6_default_interface} in
|
|
[Nn][Oo] | '')
|
|
for i in ${ipv6_network_interfaces}; do
|
|
laddr=`ifconfig $i inet6 2>/dev/null \
|
|
| grep 'inet6 fe80:' | \
|
|
head -1 | grep -v tentative`
|
|
case ${laddr} in
|
|
'')
|
|
;;
|
|
*)
|
|
ipv6_default_interface=$i
|
|
break
|
|
;;
|
|
esac
|
|
done
|
|
;;
|
|
esac
|
|
|
|
# Disallow unicast packets without outgoing scope identifiers,
|
|
# or route such packets to a "default" interface, if it is specified.
|
|
case ${ipv6_default_interface} in
|
|
[Nn][Oo] | '')
|
|
route add -inet6 fe80:: -prefixlen 10 ::1 -reject
|
|
route add -inet6 ff02:: -prefixlen 16 ::1 -reject
|
|
;;
|
|
*)
|
|
laddr=`ifconfig ${ipv6_default_interface} inet6 \
|
|
| grep 'inet6 fe80:' | head -1 | awk '{print $2}'`
|
|
route add -inet6 fe80:: ${laddr} -prefixlen 10 -interface \
|
|
-cloning
|
|
route add -inet6 ff02:: ${laddr} -prefixlen 16 -interface \
|
|
-cloning
|
|
;;
|
|
esac
|
|
}
|