3 # Copyright (c) 2000 The KAME Project
6 # Redistribution and use in source and binary forms, with or without
7 # modification, are permitted provided that the following conditions
9 # 1. Redistributions of source code must retain the above copyright
10 # notice, this list of conditions and the following disclaimer.
11 # 2. Redistributions in binary form must reproduce the above copyright
12 # notice, this list of conditions and the following disclaimer in the
13 # documentation and/or other materials provided with the distribution.
15 # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 # Note that almost all of the user-configurable behavior is not in this
31 # file, but rather in /etc/defaults/rc.conf. Please check that file
32 # first before contemplating any changes here. If you do need to change
33 # this file for some reason, we would like to know about it.
36 if [ $1 -lt 10 ]; then
54 dig=`hexdigit $((${val} & 15))`
57 while [ ${val} -gt 0 ]; do
58 dig=`hexdigit $((${val} & 15))`
# IPv6 "pass 1" setup: ip6fw firewall, interface addressing, routing
# daemons and the IPv4-mapped address policy.  Nearly every variable read
# here (ipv6_*_enable, ipv6_network_interfaces, ipv6_router*, rtadvd_*,
# mroute6d_*) is an rc.conf setting; see the file header.  The listing
# is shown with gaps, so the case/if/for constructs are only partly visible.
69 echo -n 'Doing IPv6 network setup:'
71 # Initialize IP filtering using ip6fw
# Probe for an in-kernel ip6fw by flushing its rule set: success means the
# firewall is already present, failure that it must be loaded (or is absent).
73 if /sbin/ip6fw -q flush > /dev/null 2>&1; then
74 ipv6_firewall_in_kernel=1
76 ipv6_firewall_in_kernel=0
79 case ${ipv6_firewall_enable} in
# Load the module only when it is not already in the kernel; a failed
# kldload is reported but does not stop the script.
81 if [ "${ipv6_firewall_in_kernel}" -eq 0 ] && kldload ip6fw; then
82 ipv6_firewall_in_kernel=1
83 echo "Kernel IPv6 firewall module loaded."
84 elif [ "${ipv6_firewall_in_kernel}" -eq 0 ]; then
85 echo "Warning: IPv6 firewall kernel module failed to load."
90 # Load the filters if required
92 case ${ipv6_firewall_in_kernel} in
94 if [ -z "${ipv6_firewall_script}" ]; then
95 ipv6_firewall_script=/etc/rc.firewall6
98 case ${ipv6_firewall_enable} in
# The rule script is sourced with ".", not executed: it runs with this
# script's privileges and can set variables in this shell, so its
# ownership and permissions are part of the trust boundary.
100 if [ -r "${ipv6_firewall_script}" ]; then
101 . "${ipv6_firewall_script}"
102 echo -n 'IPv6 Firewall rules loaded.'
# No readable rule script: if the last rule (65535) is the default deny,
# every IPv6 packet is dropped until rules are loaded, hence the warning.
103 elif [ "`ip6fw l 65535`" = "65535 deny ipv6 from any to any" ]; then
104 echo -n "Warning: kernel has IPv6 firewall functionality, "
105 echo "but IPv6 firewall rules are not enabled."
106 echo " All ipv6 services are disabled."
109 case ${ipv6_firewall_logging} in
111 echo 'IPv6 Firewall logging=YES'
112 sysctl net.inet6.ip6.fw.verbose=1 >/dev/null
# Interface list: one arm takes every interface reported by ifconfig -l,
# another clears the list (the case patterns themselves are unshown).
123 case ${ipv6_network_interfaces} in
126 # list of interfaces, and prefix for interfaces
128 ipv6_network_interfaces="`ifconfig -l`"
131 ipv6_network_interfaces=''
138 # disallow "internal" addresses to appear on the wire
# ::ffff:0.0.0.0/96 is the IPv4-mapped prefix and ::/96 the
# IPv4-compatible prefix; a -reject route via ::1 keeps packets for
# either from ever leaving this host.
139 route add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject
140 route add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject
# Router vs. host: a router forwards and ignores router advertisements;
# a host does not forward (accept_rtadv is decided later per interface).
142 case ${ipv6_gateway_enable} in
145 sysctl net.inet6.ip6.forwarding=1
146 sysctl net.inet6.ip6.accept_rtadv=0
# Per-interface work (loop body unshown), then wait one DAD round so
# duplicate address detection has finished before addresses are used.
149 for i in $ipv6_network_interfaces; do
152 sleep `sysctl -n net.inet6.ip6.dad_count`
156 # act as endhost - start with manual configuration
157 # Setup of net.inet6.ip6.accept_rtadv is done later by
158 # network6_interface_setup.
159 sysctl net.inet6.ip6.forwarding=0
163 if [ -n "${ipv6_network_interfaces}" ]; then
164 # setting up interfaces
165 network6_interface_setup $ipv6_network_interfaces
167 # wait for DAD's completion (for global addrs)
168 sleep `sysctl -n net.inet6.ip6.dad_count`
172 case ${ipv6_gateway_enable} in
174 # Filter out interfaces on which IPv6 addr init failed.
# Keep only interfaces that hold a non-tentative link-local address
# (the test on laddr between lines 177 and 182 is unshown).
175 ipv6_working_interfaces=""
176 for i in ${ipv6_network_interfaces}; do
177 laddr=`network6_getladdr $i exclude_tentative`
182 ipv6_working_interfaces="$i \
183 ${ipv6_working_interfaces}"
187 ipv6_network_interfaces=${ipv6_working_interfaces}
194 # install the "default interface" to kernel, which will be used
195 # as the default route when there's no router.
196 network6_default_interface_setup
198 # setup static routes
199 network6_static_routes_setup
# Optional routing daemon.
# NOTE(review): ${ipv6_router} is unquoted in the test; if it is empty,
# "[ -x ]" is a one-word test and is true, and line 209 would then run
# ${ipv6_router_flags} as the command.  [ -x "${ipv6_router}" ] avoids
# that.  The same pattern is at line 264 for ${mroute6d_program}.
205 case ${ipv6_router_enable} in
207 if [ -x ${ipv6_router} ]; then
208 echo -n " ${ipv6_router}"
209 ${ipv6_router} ${ipv6_router_flags}
215 case ${ipv6_gateway_enable} in
218 # This should be enabled with great care.
219 # You may want to fine-tune /etc/rtadvd.conf.
221 # And if you wish your rtadvd to receive and process
222 # router renumbering messages, specify your Router Renumbering
223 # security policy by -R option.
225 # See `man 3 ipsec_set_policy` for IPsec policy specification
227 # (CAUTION: This enables your router's prefix renumbering
228 # from another machine, so if you enable this, do it with
231 case ${rtadvd_enable} in
# Advertise on every configured interface except loopback, tunnel and
# point-to-point pseudo-interfaces, which are skipped by the arm below.
234 case ${rtadvd_interfaces} in
236 for i in ${ipv6_network_interfaces}; do
238 lo0|gif[0-9]*|stf[0-9]*|faith[0-9]*|lp[0-9]*|sl[0-9]*|tun[0-9]*)
242 rtadvd_interfaces="${rtadvd_interfaces} ${i}"
248 rtadvd ${rtadvd_interfaces}
250 # Enable Router Renumbering, unicast case
251 # (use correct src/dst addr)
252 # rtadvd -R "in ipsec ah/transport/fec0:0:0:1::1-fec0:0:0:10::1/require" \
253 # ${ipv6_network_interfaces}
254 # Enable Router Renumbering, multicast case
255 # (use correct src addr)
256 # rtadvd -R "in ipsec ah/transport/ff05::2-fec0:0:0:10::1/require" \
257 # ${ipv6_network_interfaces}
# Optional multicast routing daemon (see the quoting note at line 205).
262 case ${mroute6d_enable} in
264 if [ -x ${mroute6d_program} ]; then
265 echo -n " ${mroute6d_program}"
266 ${mroute6d_program} ${mroute6d_flags}
# Note the inverted sense: mapping=YES clears v6only, mapping=NO sets it,
# so by default an AF_INET6 socket will not accept IPv4 connections.
273 case ${ipv6_ipv4mapping} in
275 echo -n ' IPv4 mapped IPv6 address support=YES'
276 sysctl net.inet6.ip6.v6only=0 >/dev/null
279 echo -n ' IPv4 mapped IPv6 address support=NO'
280 sysctl net.inet6.ip6.v6only=1 >/dev/null
286 # Let future generations know we made it.
288 network6_pass1_done=YES
291 network6_interface_setup() {
# Assign IPv6 addresses to each interface in $interfaces (the argument
# list; the line that sets it is unshown).  Per-interface settings come
# from rc.conf variables named after the interface: ipv6_prefix_<if>,
# ipv6_ifconfig_<if> and ipv6_ifconfig_<if>_alias<n>.
294 case ${ipv6_gateway_enable} in
302 for i in $interfaces; do
# Indirect lookup of ipv6_prefix_<if> via eval.  The interface name is
# spliced into shell source here, so it must remain a plain kernel
# interface name; rc.conf and ifconfig -l are its only sources.
304 eval prefix=\$ipv6_prefix_$i
305 if [ -n "${prefix}" ]; then
# Interface identifier = the part of the link-local address between
# "fe80::" and the "%<scope>" suffix.
308 laddr=`network6_getladdr $i`
309 hostid=`expr "${laddr}" : 'fe80::\(.*\)%\(.*\)'`
# One /64 per listed prefix: <prefix>:<ifid>.
310 for j in ${prefix}; do
311 address=$j\:${hostid}
312 ifconfig $i inet6 ${address} prefixlen 64 alias
# Routers also own the subnet-router anycast address <prefix>:: (the
# rest of the ifconfig arguments are on an unshown continuation line).
314 case ${ipv6_gateway_enable} in
316 # subnet-router anycast address
318 ifconfig $i inet6 $j:: prefixlen 64 \
# Literal ifconfig arguments from ipv6_ifconfig_<if>; word-splitting of
# the unquoted expansion is intended.
324 eval ipv6_ifconfig=\$ipv6_ifconfig_$i
325 if [ -n "${ipv6_ifconfig}" ]; then
328 ifconfig $i inet6 ${ipv6_ifconfig} alias
# Collect router-solicitation candidates; loopback, tunnel and
# point-to-point pseudo-interfaces are skipped by the case arm below.
# NOTE(review): the test uses unquoted expansions and the deprecated -a;
# if rtsol_available or rtsol_interface is unset the test is malformed
# rather than simply false.  [ "${rtsol_available}" = yes ] &&
# [ "${rtsol_interface}" = yes ] would be robust.
331 if [ ${rtsol_available} = yes -a ${rtsol_interface} = yes ]
334 lo0|gif[0-9]*|stf[0-9]*|faith[0-9]*|lp[0-9]*|sl[0-9]*|tun[0-9]*)
337 rtsol_interfaces="${rtsol_interfaces} ${i}"
345 if [ ${rtsol_available} = yes -a -n "${rtsol_interfaces}" ]; then
346 # Act as endhost - automatically configured.
347 # You can configure only single interface, as
348 # specification assumes that autoconfigured host has
349 # single interface only.
# Accepting router advertisements lets on-link routers supply prefixes
# and the default route; this is the host-side counterpart of line 146,
# which clears it for routers.
350 sysctl net.inet6.ip6.accept_rtadv=1
# Reset the positional parameters to the candidate list; presumably the
# unshown lines then use $1 as the single rtsol interface.
351 set ${rtsol_interfaces}
# Numbered aliases ipv6_ifconfig_<if>_alias0, _alias1, ... are applied
# until the first empty one (the break is on an unshown line).
356 for i in $interfaces; do
359 eval ipv6_ifconfig=\$ipv6_ifconfig_${i}_alias${alias}
360 if [ -z "${ipv6_ifconfig}" ]; then
363 ifconfig $i inet6 ${ipv6_ifconfig} alias
364 alias=$((${alias} + 1))
369 network6_stf_setup() {
# Configure the 6to4 interface stf0 from stf_interface_ipv4addr: the
# 2002::/16 prefix carries the IPv4 address in its next 32 bits.
370 case ${stf_interface_ipv4addr} in
374 # assign IPv6 addr and interface route for 6to4 interface
# 16 bits of "2002:" plus the IPv4 prefix length (default 0).
375 stf_prefixlen=$((16+${stf_interface_ipv4plen:-0}))
# Split the dotted quad into $1..$4 (the IFS change that makes this work
# is on an unshown line); each pair of octets becomes one 16-bit hex group.
378 set ${stf_interface_ipv4addr}
380 hexfrag1=`hexprint $(($1*256 + $2))`
381 hexfrag2=`hexprint $(($3*256 + $4))`
382 ipv4_in_hexformat="${hexfrag1}:${hexfrag2}"
# Interface id: AUTO or empty borrows the id of the first interface with
# a link-local address (loop body partly unshown), else 0:0:0:1.
383 case ${stf_interface_ipv6_ifid} in
384 [Aa][Uu][Tt][Oo] | '')
385 for i in ${ipv6_network_interfaces}; do
386 laddr=`network6_getladdr ${i}`
395 stf_interface_ipv6_ifid=`expr "${laddr}" : \
396 'fe80::\(.*\)%\(.*\)'`
397 case ${stf_interface_ipv6_ifid} in
399 stf_interface_ipv6_ifid=0:0:0:1
# Address layout: 2002:<IPv4 as hex>:<SLA id, default 0>:<ifid>.
404 ifconfig stf0 create >/dev/null 2>&1
405 ifconfig stf0 inet6 2002:${ipv4_in_hexformat}:${stf_interface_ipv6_slaid:-0}:${stf_interface_ipv6_ifid} \
406 prefixlen ${stf_prefixlen}
407 # disallow packets to malicious 6to4 prefix
# These 2002: prefixes embed IPv4 ranges that can never be real 6to4
# endpoints: e000::/20 -> 224.0.0.0/4 (multicast), 7f00::/24 -> 127/8
# (loopback), 0000::/24 -> 0/8, ff00::/24 -> 255/8.  Rejecting them via
# ::1 stops this host from sending or forwarding toward such addresses.
408 route add -inet6 2002:e000:: -prefixlen 20 ::1 -reject
409 route add -inet6 2002:7f00:: -prefixlen 24 ::1 -reject
410 route add -inet6 2002:0000:: -prefixlen 24 ::1 -reject
411 route add -inet6 2002:ff00:: -prefixlen 24 ::1 -reject
416 network6_static_routes_setup() {
417 # Set up any static routes.
# A configured ipv6_defaultrouter is expressed as one more static route
# named "default" (the arm for the unset case is unshown).
418 case ${ipv6_defaultrouter} in
422 ipv6_static_routes="default ${ipv6_static_routes}"
423 ipv6_route_default="default ${ipv6_defaultrouter}"
426 case ${ipv6_static_routes} in
# Each name in ipv6_static_routes selects ipv6_route_<name>, whose value
# is passed verbatim (word-split) as route(8) arguments.  The name is
# spliced into shell source by eval, so only rc.conf-controlled names
# belong in that list.
430 for i in ${ipv6_static_routes}; do
431 eval ipv6_route_args=\$ipv6_route_${i}
432 route add -inet6 ${ipv6_route_args}
438 network6_faith_setup() {
# Enable faith(4) translation: for each <prefix>/<len> in
# ipv6_faith_prefix, route the prefix to the loopback (presumably so the
# kernel can hand matching connections to the faith relay).
439 case ${ipv6_faith_prefix} in
443 sysctl net.inet6.ip6.keepfaith=1
444 ifconfig faith0 create >/dev/null 2>&1
446 for prefix in ${ipv6_faith_prefix}; do
# The greedy ".*" takes the text after the LAST "/" as the length ...
447 prefixlen=`expr "${prefix}" : ".*/\(.*\)"`
# ... (an unshown check covers a missing "/") and strips it from the prefix.
453 prefix=`expr "${prefix}" : \
454 "\(.*\)/${prefixlen}"`
# Add the route, then adjust it (the remaining "route change" arguments
# are on an unshown continuation line).
457 route add -inet6 ${prefix} -prefixlen ${prefixlen} ::1
458 route change -inet6 ${prefix} -prefixlen ${prefixlen} \
465 network6_default_interface_setup() {
466 # Choose IPv6 default interface if it is not clearly specified.
# Auto-selection: the first interface in ipv6_network_interfaces that
# already holds a non-tentative link-local address (the filtering
# between lines 475 and 480 is unshown).
467 case ${ipv6_default_interface} in
469 for i in ${ipv6_network_interfaces}; do
475 laddr=`network6_getladdr $i exclude_tentative`
480 ipv6_default_interface=$i
488 # Disallow unicast packets without outgoing scope identifiers,
489 # or route such packets to a "default" interface, if it is specified.
# fe80::/10 without a scope id is never routable, so it is rejected.
# ff02::/16 (link-local multicast) is rejected too unless a default
# interface exists, in which case it is sent out that interface via
# the interface's own link-local address.
490 route add -inet6 fe80:: -prefixlen 10 ::1 -reject
491 case ${ipv6_default_interface} in
493 route add -inet6 ff02:: -prefixlen 16 ::1 -reject
496 laddr=`network6_getladdr ${ipv6_default_interface}`
497 route add -inet6 ff02:: ${laddr} -prefixlen 16 -interface \
500 # Do not install the default interface when both
501 # net.inet6.ip6.forwarding=0 and
502 # net.inet6.ip6.accept_rtadv=0, to avoid a conflict
503 # between the default router list and the manually
504 # configured default route.
505 case ${ipv6_gateway_enable} in
# Host side only: register the default interface with ndp(8) when router
# advertisements are accepted (the gateway arm is unshown).
509 if [ `sysctl -n net.inet6.ip6.accept_rtadv` -eq 1 ]
511 ndp -I ${ipv6_default_interface}
519 network6_getladdr() {
520 ifconfig $1 2>/dev/null | while read proto addr rest; do