net-init revision f4b3ec61df05330d25f55a36b975b4d7519fdeb1
#!/sbin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "%Z%%M% %I% %E% SMI"
#
# This is the second phase of TCP/IP configuration. The first part is
# run by the svc:/network/physical service and includes configuring the
# interfaces and setting the machine's hostname. The svc:/network/initial
# service does all configuration that can be done before name services are
# started, bar configuring IP routing (this is carried out by the
# svc:/network/routing-setup service). The final part, run by the
# svc:/network/service service, does all configuration that may require
# name services. This includes a final re-configuration of the
#

# smf_zonename, smf_configure_ip and SMF_EXIT_OK come from the shared SMF
# method library (sourced here on the assumption that this script needs them).
. /lib/svc/share/smf_include.sh

#
# In a shared-IP zone we need this service to be up, but all of the work
# it tries to do is irrelevant (and will actually lead to the service
# failing if we try to do it), so just bail out.
# In the global zone and exclusive-IP zones we proceed.
#
smf_configure_ip || exit $SMF_EXIT_OK

#
# Configure IPv6 Default Address Selection, if a policy file is present
# (the file test is assumed; ipaddrsel fails on a missing file).
#
if [ -f /etc/inet/ipaddrsel.conf ]; then
	/usr/sbin/ipaddrsel -f /etc/inet/ipaddrsel.conf
fi

#
# Now that /usr is mounted, see if in.mpathd needs to be started by firing it
# up in "adopt" mode; if there are no interfaces it needs to manage, it will
# automatically exit. Note that it may already be running if we're not
# executing as part of system boot.
#
/usr/bin/pgrep -x -u 0 -z `smf_zonename` in.mpathd >/dev/null 2>&1 || \
	/usr/lib/inet/in.mpathd -a	# -a is adopt mode (daemon path assumed)

#
# Pass to the kernel the list of supported IPsec protocols and algorithms.
# This will not cause IPsec to be loaded.
#
/usr/sbin/ipsecalgs -s	# assumed: -s synchronizes /etc/inet/ipsecalgs into the kernel

#
# Initialize IPsec only if ipsecinit.conf exists. Otherwise, save the
# kernel memory that'll be consumed if IPsec is loaded. See below for more
# IPsec-related commands.
#
if [ -f /etc/inet/ipsecinit.conf ]; then
	/usr/sbin/ipsecconf -qa /etc/inet/ipsecinit.conf
fi

#
# Set the RFC 1948 entropy, regardless of if I'm using it or not. If present,
# use the encrypted root password as a source of entropy. Otherwise,
# just use the pre-set (and hopefully difficult to guess) entropy that
# tcp used when it loaded.
#
encr=`/usr/bin/awk -F: '/^root:/ {print $2}' /etc/shadow`
# ndd is only run when a hash was found; the hash is passed as a command-line
# argument, so it is visible in the process table for the duration of that call.
[ -z "$encr" ] || /usr/sbin/ndd -set /dev/tcp tcp_1948_phrase $encr

#
# Get values for TCP_STRONG_ISS, ACCEPT6TO4RELAY and RELAY6TO4ADDR.
#
[ -f /etc/default/inetinit ] && . /etc/default/inetinit

#
# Set TCP ISS generation. By default the ISS generation is
# time + random()-delta. This might not be strong enough for some users.
# See /etc/default/inetinit for settings and further info on TCP_STRONG_ISS.
# If not set, use TCP's internal default setting.
#
if [ -n "$TCP_STRONG_ISS" ]; then
	/usr/sbin/ndd -set /dev/tcp tcp_strong_iss $TCP_STRONG_ISS
fi

#
# In spite of global policy, there may be a need for IPsec because of
# per-socket policy or tunnelled policy. With that in mind, check for manual
# keys in /etc/inet/secret/ipseckeys, or check for IKE configuration in
# /etc/inet/ike/config. Either of these will also load and initialize IPsec,
# thereby consuming kernel memory.
#
if [ -f /etc/inet/secret/ipseckeys ] ; then
	/usr/sbin/ipseckey -f /etc/inet/secret/ipseckeys
fi

#
# Configure tunnels which were deferred by /lib/svc/method/net-physical
# (the svc:/network/physical service) since it depends on the tunnel endpoints
# being reachable i.e. routing must be running.
#
# WARNING: you may wish to turn OFF forwarding if you haven't already, because
# of various possible security vulnerabilities when configuring tunnels for
# Virtual Private Network (VPN) construction.
#
# Also, if names are used in the /etc/hostname.ip.tun* file, those names
# have to be in either DNS (and DNS is used) or in /etc/hosts, because this
#
# $interface_names holds the deferred /etc/hostname.ip.tun* files. How it is
# built and the per-file ifconfig commands are not shown here, so only the
# loop structure is kept (the set/shift handling of the list is assumed).
#
if [ -n "$interface_names" ]; then
	set -- $interface_names
	while [ $# -ge 1 ]; do
		while read ifcmds; do
			:	# apply $ifcmds for the current tunnel file
		done
		shift
	done
fi

exit $SMF_EXIT_OK
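The helper below is an added example, not part of net-init or illumos. It is a POSIX sh audit of the inputs this method script trusts at boot: the TCP_STRONG_ISS value it sources from /etc/default/inetinit, which IPsec files would cause IPsec to be loaded, and whether those files have unsafe modes. ROOT is an assumed prefix so the checks can run on a constructed tree rather than the live system.

```shell
#!/bin/sh
# Added audit helper (not part of net-init or illumos). It inspects the files
# net-init hands to ndd/ipsecconf/ipseckey. ROOT is an assumed prefix; pass /
# for the live system.

# iss_mode ROOT: print the ISS mode net-init would set via tcp_strong_iss.
# /etc/default/inetinit values: 0 = sequential, 1 = random increment (TCP's
# own default when unset), 2 = RFC 1948 per-connection secret hash.
iss_mode() {
    f="$1/etc/default/inetinit"
    unset TCP_STRONG_ISS
    # net-init sources this file as root (it is trusted as code) and passes
    # the value to ndd unchecked; mirror the sourcing, then range-check it.
    [ -f "$f" ] && . "$f"
    case "${TCP_STRONG_ISS:-unset}" in
        unset) echo default ;;
        0|1|2) echo "$TCP_STRONG_ISS" ;;
        *)     echo invalid; return 1 ;;
    esac
}

# ipsec_trigger ROOT: print which files net-init tests would cause IPsec to
# be loaded (ipsecinit.conf via ipsecconf, ipseckeys via ipseckey); prints
# "none" and returns 1 when IPsec stays unloaded.
ipsec_trigger() {
    out=""
    for f in etc/inet/ipsecinit.conf etc/inet/secret/ipseckeys; do
        [ -f "$1/$f" ] && out="$out $f"
    done
    [ -n "$out" ] && { echo "${out# }"; return 0; }
    echo none
    return 1
}

# perm_problems ROOT: list trusted files with unsafe modes: sourced or parsed
# config must not be world-writable, and the manual SA keys in
# secret/ipseckeys must not be readable by others.
perm_problems() {
    for f in etc/default/inetinit etc/inet/ipsecinit.conf etc/inet/ipaddrsel.conf; do
        [ -f "$1/$f" ] && [ -n "$(find "$1/$f" -perm -002)" ] && echo "world-writable: $f"
    done
    k=etc/inet/secret/ipseckeys
    [ -f "$1/$k" ] && [ -n "$(find "$1/$k" -perm -004)" ] && echo "world-readable: $k"
    return 0
}
# Stand-alone use: sh audit.sh /   (with no argument it only defines functions)
if [ $# -gt 0 ]; then
    echo "ISS mode: $(iss_mode "$1")"
    echo "IPsec loaded by: $(ipsec_trigger "$1" || true)"
    perm_problems "$1"
fi
```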