#!/sbin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "%Z%%M% %I% %E% SMI"
#
# This is the second phase of TCP/IP configuration. The first part is
# run by the svc:/network/physical service and includes configuring the
# interfaces and setting the machine's hostname. The svc:/network/initial
# service does all configuration that can be done before name services are
# started, except for configuring IP routing (this is carried out by the
# svc:/network/routing-setup service). The final part, run by the
# svc:/network/service service, does all configuration that may require
# name services. This includes a final re-configuration of the
# interfaces.
#

#
# Shell helpers shared by the SMF method scripts; the smf_* functions and
# the SMF_EXIT_OK status used in this script are expected to come from here.
#
. /lib/svc/share/smf_include.sh

#
# Nothing in this method applies to a shared-IP zone: its IP configuration
# is not the zone's to do, and attempting it from inside the zone would make
# the service fail.  The service still has to come up there, so leave with
# a successful status instead.  The global zone and exclusive-IP zones
# carry on.
#
smf_configure_ip
if [ $? -ne 0 ]; then
	exit $SMF_EXIT_OK
fi
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync
#
# Apply the IPv6 default address selection table when the administrator
# has configured one.
#
[ -f /etc/inet/ipaddrsel.conf ] && \
	/usr/sbin/ipaddrsel -f /etc/inet/ipaddrsel.conf

#
# IPMP: now that /usr is mounted, start in.mpathd in "adopt" mode (-a)
# unless an instance is already running as root in this zone, which is the
# case when the service is restarted rather than started at boot.  If no
# interface needs to be managed the daemon exits by itself.
#
/usr/bin/pgrep -x -u 0 -z `smf_zonename` in.mpathd >/dev/null 2>&1
if [ $? -ne 0 ]; then
	/usr/lib/inet/in.mpathd -a
fi

#
# Register the supported IPsec protocols and algorithms with the kernel.
# This only installs the table; it does not cause IPsec to be loaded.
#
/usr/sbin/ipsecalgs -s

#
# Install the system-wide IPsec policy only when ipsecinit.conf exists, so
# that hosts without a policy do not pay the kernel memory cost of loading
# IPsec.  Manual keys and IKE are dealt with further down.
#
[ -f /etc/inet/ipsecinit.conf ] && \
	/usr/sbin/ipsecconf -qa /etc/inet/ipsecinit.conf
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync
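#
# Seed the RFC 1948 ISS generator, whether or not strong ISS is in use.
# When a root password hash is present in /etc/shadow it is used as the
# secret phrase; otherwise the phrase TCP chose when it loaded is left
# in place.
#
# NOTE(review): the hash is handed to ndd(1M) as a command-line argument,
# so for the lifetime of that process it may be visible to other users
# through ps(1).  The value is quoted so that the argument reaches ndd
# intact whatever characters the hash contains, and the variable is
# cleared right afterwards so the hash does not linger in this shell.
# Whether a newer interface can take the value without going through
# argv is worth confirming on the target release.
#
encr=`/usr/bin/awk -F: '/^root:/ {print $2}' /etc/shadow`
if [ -n "$encr" ]; then
	/usr/sbin/ndd -set /dev/tcp tcp_1948_phrase "$encr"
fi
unset encr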
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync
#
# Site settings for this script (TCP_STRONG_ISS, ACCEPT6TO4RELAY and
# RELAY6TO4ADDR) are read from /etc/default/inetinit when it exists.
# The file is sourced, i.e. executed with this method's privileges, so its
# ownership and mode matter as much as the values it sets.
#
if [ -f /etc/default/inetinit ]; then
	. /etc/default/inetinit
fi
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync
#
# SDP system policy: enable SDP when the sdpadm utility and a policy file
# are both present and the policy asks for it (sysenable=1).  This has to
# happen after basic networking is up and before any service that might
# use SDP is started.  /etc/sdp.conf is sourced rather than parsed, so it
# is executed with this method's privileges.
#
if [ -f /usr/sbin/sdpadm ] && [ -f /etc/sdp.conf ]; then
	. /etc/sdp.conf
	[ "$sysenable" = "1" ] && /usr/sbin/sdpadm enable
fi
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync
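#
# TCP initial sequence number generation.  The kernel default is
# time + random()-delta, which may not be strong enough for some sites;
# the TCP_STRONG_ISS value from /etc/default/inetinit (see that file for
# the meaning of each setting) overrides it.  When the variable is unset
# or empty, TCP's internal default is left alone.
#
# The value is tested with -n and quoted: the former bare "[ $VAR ]" form
# turns into a test(1) syntax error, and the setting is silently skipped,
# if the sourced value ever contains whitespace or looks like an operator.
#
if [ -n "$TCP_STRONG_ISS" ]; then
	/usr/sbin/ndd -set /dev/tcp tcp_strong_iss "$TCP_STRONG_ISS"
fi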
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync
#
# Even without a global policy, IPsec may be needed for per-socket or
# tunnelled policy.  So look for manually configured keys in
# /etc/inet/secret/ipseckeys and for an IKE configuration in
# /etc/inet/ike/config; acting on either one loads and initialises IPsec,
# with the kernel memory cost that implies.  The ipseckeys file holds
# keying material, so its permissions matter as much as its contents.
#
[ -f /etc/inet/secret/ipseckeys ] && \
	/usr/sbin/ipseckey -f /etc/inet/secret/ipseckeys

[ -f /etc/inet/ike/config ] && /usr/lib/inet/in.iked
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync
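#
# Configure tunnels which were deferred by /lib/svc/method/net-physical
# (the svc:/network/physical service) since it depends on the tunnel endpoints
# being reachable i.e. routing must be running.
#
# WARNING: you may wish to turn OFF forwarding if you haven't already, because
# of various possible security vulnerabilities when configuring tunnels for
# Virtual Private Network (VPN) construction.
#
# Also, if names are used in the /etc/hostname.ip.tun* file, those names
# have to be in either DNS (and DNS is used) or in /etc/hosts, because this
# file is executed before NIS or NIS+ is started.
#

#
# configure_tunnels label prefix family
#
# Plumb and configure every tunnel interface that has a configuration file
# /etc/<prefix>.<if>, where the second component of <if> must be "ip" or
# "ip6" (e.g. /etc/hostname.ip.tun0, /etc/hostname6.ip6.tun1).  Empty
# configuration files are skipped.  Every non-empty line of a file is run
# as "ifconfig <if> <family> <line>".
#
#	label	- text used in the progress message, "IPv4" or "IPv6"
#	prefix	- configuration file prefix, "hostname" or "hostname6"
#	family	- address family given to ifconfig, "inet" or "inet6"
#
# The body runs in a subshell so that "set --" does not disturb the
# script's own positional parameters.  Interfaces are handled in sorted
# file-name order, as the former "ls | grep" pipeline did; two explicit
# globs replace that pipeline.  The configuration files are passed to
# ifconfig without further validation, so only root should be able to
# write them.
#
# NOTE(review): the IPv4 path used to plumb without naming a family; inet
# is expected to be ifconfig's default, so giving it explicitly should be
# equivalent -- confirm on the target release.
#
configure_tunnels()
{
	(
	label=$1
	prefix=$2
	family=$3

	#
	# Collect the interface names: the part of each file name after the
	# first '.'.  An unmatched glob expands to itself, hence the -f check.
	#
	set -- `for f in /etc/$prefix.ip.*[0-9] /etc/$prefix.ip6.*[0-9]; do
		[ -f "$f" ] && /usr/bin/expr "//$f" : '[^.]*\.\(.*\)$'
	done`
	if [ $# -ge 1 ]; then
		echo "configuring $label tunnels:\c"
		while [ $# -ge 1 ]; do
			# Skip empty files
			if [ ! -s "/etc/$prefix.$1" ]; then
				shift
				continue
			fi
			/usr/sbin/ifconfig "$1" $family plumb
			while read ifcmds; do
				if [ -n "$ifcmds" ]; then
					/usr/sbin/ifconfig "$1" $family $ifcmds
				fi
			done <"/etc/$prefix.$1" >/dev/null
			echo " $1\c"
			shift
		done
		echo "."
	fi
	)
}

configure_tunnels IPv4 hostname inet
configure_tunnels IPv6 hostname6 inet6

# Clear exit status.
exit $SMF_EXIT_OK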