3 # Copyright (c) 2000 The KAME Project
6 # Redistribution and use in source and binary forms, with or without
7 # modification, are permitted provided that the following conditions
9 # 1. Redistributions of source code must retain the above copyright
10 # notice, this list of conditions and the following disclaimer.
11 # 2. Redistributions in binary form must reproduce the above copyright
12 # notice, this list of conditions and the following disclaimer in the
13 # documentation and/or other materials provided with the distribution.
15 # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 # Note that almost all of the user-configurable behavior is not in this
31 # file, but rather in /etc/defaults/rc.conf. Please check that file
32 # first before contemplating any changes here. If you do need to change
33 # this file for some reason, we would like to know about it.
36 if [ $1 -lt 10 ]; then
54 dig=`hexdigit $((${val} & 15))`
57 while [ ${val} -gt 0 ]; do
58 dig=`hexdigit $((${val} & 15))`
69 echo -n 'Doing IPv6 network setup:'
71 # Initialize IP filtering using ip6fw
73 if /sbin/ip6fw -q flush > /dev/null 2>&1; then
74 ipv6_firewall_in_kernel=1
76 ipv6_firewall_in_kernel=0
79 case ${ipv6_firewall_enable} in
81 if [ "${ipv6_firewall_in_kernel}" -eq 0 ] && kldload ip6fw; then
82 ipv6_firewall_in_kernel=1
83 echo "Kernel IPv6 firewall module loaded."
84 elif [ "${ipv6_firewall_in_kernel}" -eq 0 ]; then
85 echo "Warning: IPv6 firewall kernel module failed to load."
90 # Load the filters if required
92 case ${ipv6_firewall_in_kernel} in
94 if [ -z "${ipv6_firewall_script}" ]; then
95 ipv6_firewall_script=/etc/rc.firewall6
98 case ${ipv6_firewall_enable} in
100 if [ -r "${ipv6_firewall_script}" ]; then
101 . "${ipv6_firewall_script}"
102 echo -n 'IPv6 Firewall rules loaded.'
103 elif [ "`ip6fw l 65535`" = "65535 deny ipv6 from any to any" ]; then
104 echo -n "Warning: kernel has IPv6 firewall functionality, "
105 echo "but IPv6 firewall rules are not enabled."
106 echo " All ipv6 services are disabled."
109 case ${ipv6_firewall_logging} in
111 echo 'IPv6 Firewall logging=YES'
112 sysctl net.inet6.ip6.fw.verbose=1 >/dev/null
123 case ${ipv6_network_interfaces} in
126 # list of interfaces, and prefix for interfaces
128 ipv6_network_interfaces="`ifconfig -l`"
131 ipv6_network_interfaces=''
138 # disallow "internal" (IPv4-mapped and IPv4-compatible) addresses from appearing on the wire
139 route add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject
140 route add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject
142 case ${ipv6_gateway_enable} in
145 sysctl net.inet6.ip6.forwarding=1
146 sysctl net.inet6.ip6.accept_rtadv=0
149 for i in $ipv6_network_interfaces; do
152 sleep `sysctl -n net.inet6.ip6.dad_count`
156 # act as endhost - start with manual configuration
157 # Setup of net.inet6.ip6.accept_rtadv is done later by
158 # network6_interface_setup.
159 sysctl net.inet6.ip6.forwarding=0
163 if [ -n "${ipv6_network_interfaces}" ]; then
164 # setting up interfaces
165 network6_interface_setup $ipv6_network_interfaces
167 # wait for DAD completion (for global addrs)
168 sleep `sysctl -n net.inet6.ip6.dad_count`
172 case ${ipv6_gateway_enable} in
174 # Filter out interfaces on which IPv6 addr init failed.
175 ipv6_working_interfaces=""
176 for i in ${ipv6_network_interfaces}; do
177 laddr=`network6_getladdr $i exclude_tentative`
182 ipv6_working_interfaces="$i \
183 ${ipv6_working_interfaces}"
187 ipv6_network_interfaces=${ipv6_working_interfaces}
194 # install the "default interface" into the kernel; it is used
195 # as the default route when there is no router.
196 network6_default_interface_setup
198 # setup static routes
199 network6_static_routes_setup
204 case ${ipv6_gateway_enable} in
207 case ${ipv6_router_enable} in
209 if [ -x ${ipv6_router} ]; then
210 echo -n " ${ipv6_router}"
211 ${ipv6_router} ${ipv6_router_flags}
217 # This should be enabled with great care.
218 # You may want to fine-tune /etc/rtadvd.conf.
220 # And if you wish your rtadvd to receive and process
221 # router renumbering messages, specify your Router Renumbering
222 # security policy with the -R option.
224 # See `man 3 ipsec_set_policy` for IPsec policy specification
226 # (CAUTION: This enables your router's prefix renumbering
227 # from another machine, so if you enable this, do it with
230 case ${rtadvd_enable} in
233 case ${rtadvd_interfaces} in
235 for i in ${ipv6_network_interfaces}; do
237 lo0|gif[0-9]*|stf[0-9]*|faith[0-9]*|lp[0-9]*|sl[0-9]*|tun[0-9]*)
241 rtadvd_interfaces="${rtadvd_interfaces} ${i}"
247 rtadvd ${rtadvd_interfaces}
249 # Enable Router Renumbering, unicast case
250 # (use correct src/dst addr)
251 # rtadvd -R "in ipsec ah/transport/fec0:0:0:1::1-fec0:0:0:10::1/require" \
252 # ${ipv6_network_interfaces}
253 # Enable Router Renumbering, multicast case
254 # (use correct src addr)
255 # rtadvd -R "in ipsec ah/transport/ff05::2-fec0:0:0:10::1/require" \
256 # ${ipv6_network_interfaces}
261 case ${mroute6d_enable} in
263 if [ -x ${mroute6d_program} ]; then
264 echo -n " ${mroute6d_program}"
265 ${mroute6d_program} ${mroute6d_flags}
272 case ${ipv6_ipv4mapping} in
274 echo -n ' IPv4 mapped IPv6 address support=YES'
275 sysctl net.inet6.ip6.v6only=0 >/dev/null
278 echo -n ' IPv4 mapped IPv6 address support=NO'
279 sysctl net.inet6.ip6.v6only=1 >/dev/null
285 # Let future generations know we made it.
287 network6_pass1_done=YES
290 network6_interface_setup() {
293 case ${ipv6_gateway_enable} in
301 for i in $interfaces; do
303 eval prefix=\$ipv6_prefix_$i
304 if [ -n "${prefix}" ]; then
307 laddr=`network6_getladdr $i`
308 hostid=`expr "${laddr}" : 'fe80::\(.*\)%\(.*\)'`
309 for j in ${prefix}; do
310 address=$j\:${hostid}
311 ifconfig $i inet6 ${address} prefixlen 64 alias
313 case ${ipv6_gateway_enable} in
315 # subnet-router anycast address
317 ifconfig $i inet6 $j:: prefixlen 64 \
323 eval ipv6_ifconfig=\$ipv6_ifconfig_$i
324 if [ -n "${ipv6_ifconfig}" ]; then
327 ifconfig $i inet6 ${ipv6_ifconfig} alias
330 if [ ${rtsol_available} = yes -a ${rtsol_interface} = yes ]
333 lo0|gif[0-9]*|stf[0-9]*|faith[0-9]*|lp[0-9]*|sl[0-9]*|tun[0-9]*)
336 rtsol_interfaces="${rtsol_interfaces} ${i}"
344 if [ ${rtsol_available} = yes -a -n "${rtsol_interfaces}" ]; then
345 # Act as endhost - automatically configured.
346 # You can configure only a single interface, as the
347 # specification assumes that an autoconfigured host has
348 # a single interface only.
349 sysctl net.inet6.ip6.accept_rtadv=1
350 set ${rtsol_interfaces}
355 for i in $interfaces; do
358 eval ipv6_ifconfig=\$ipv6_ifconfig_${i}_alias${alias}
359 if [ -z "${ipv6_ifconfig}" ]; then
362 ifconfig $i inet6 ${ipv6_ifconfig} alias
363 alias=$((${alias} + 1))
368 network6_stf_setup() {
369 case ${stf_interface_ipv4addr} in
373 # assign IPv6 addr and interface route for 6to4 interface
374 stf_prefixlen=$((16+${stf_interface_ipv4plen:-0}))
377 set ${stf_interface_ipv4addr}
379 hexfrag1=`hexprint $(($1*256 + $2))`
380 hexfrag2=`hexprint $(($3*256 + $4))`
381 ipv4_in_hexformat="${hexfrag1}:${hexfrag2}"
382 case ${stf_interface_ipv6_ifid} in
383 [Aa][Uu][Tt][Oo] | '')
384 for i in ${ipv6_network_interfaces}; do
385 laddr=`network6_getladdr ${i}`
394 stf_interface_ipv6_ifid=`expr "${laddr}" : \
395 'fe80::\(.*\)%\(.*\)'`
396 case ${stf_interface_ipv6_ifid} in
398 stf_interface_ipv6_ifid=0:0:0:1
403 ifconfig stf0 create >/dev/null 2>&1
404 ifconfig stf0 inet6 2002:${ipv4_in_hexformat}:${stf_interface_ipv6_slaid:-0}:${stf_interface_ipv6_ifid} \
405 prefixlen ${stf_prefixlen}
406 # disallow packets to malicious 6to4 prefixes (those embedding multicast, loopback, 0/8 or 255/8 IPv4 addresses)
407 route add -inet6 2002:e000:: -prefixlen 20 ::1 -reject
408 route add -inet6 2002:7f00:: -prefixlen 24 ::1 -reject
409 route add -inet6 2002:0000:: -prefixlen 24 ::1 -reject
410 route add -inet6 2002:ff00:: -prefixlen 24 ::1 -reject
415 network6_static_routes_setup() {
416 # Set up any static routes.
417 case ${ipv6_defaultrouter} in
421 ipv6_static_routes="default ${ipv6_static_routes}"
422 ipv6_route_default="default ${ipv6_defaultrouter}"
425 case ${ipv6_static_routes} in
429 for i in ${ipv6_static_routes}; do
430 eval ipv6_route_args=\$ipv6_route_${i}
431 route add -inet6 ${ipv6_route_args}
437 network6_faith_setup() {
438 case ${ipv6_faith_prefix} in
442 sysctl net.inet6.ip6.keepfaith=1
443 ifconfig faith0 create >/dev/null 2>&1
445 for prefix in ${ipv6_faith_prefix}; do
446 prefixlen=`expr "${prefix}" : ".*/\(.*\)"`
452 prefix=`expr "${prefix}" : \
453 "\(.*\)/${prefixlen}"`
456 route add -inet6 ${prefix} -prefixlen ${prefixlen} ::1
457 route change -inet6 ${prefix} -prefixlen ${prefixlen} \
464 network6_default_interface_setup() {
465 # Choose the IPv6 default interface if it is not explicitly specified.
466 case ${ipv6_default_interface} in
468 for i in ${ipv6_network_interfaces}; do
474 laddr=`network6_getladdr $i exclude_tentative`
479 ipv6_default_interface=$i
487 # Disallow unicast packets without outgoing scope identifiers,
488 # or route such packets to a "default" interface, if it is specified.
489 route add -inet6 fe80:: -prefixlen 10 ::1 -reject
490 case ${ipv6_default_interface} in
492 route add -inet6 ff02:: -prefixlen 16 ::1 -reject
495 laddr=`network6_getladdr ${ipv6_default_interface}`
496 route add -inet6 ff02:: ${laddr} -prefixlen 16 -interface \
499 # Do not install the default interface when
500 # net.inet6.ip6.forwarding=0 and
501 # net.inet6.ip6.accept_rtadv=0, to avoid a conflict
502 # between the default router list and the manually
503 # configured default route.
504 case ${ipv6_gateway_enable} in
508 if [ `sysctl -n net.inet6.ip6.accept_rtadv` -eq 1 ]
510 ndp -I ${ipv6_default_interface}
518 network6_getladdr() {
519 ifconfig $1 2>/dev/null | while read proto addr rest; do