Index: etc/defaults/rc.conf =================================================================== RCS file: /home/ncvs/src/etc/defaults/rc.conf,v retrieving revision 1.81 diff -u -r1.81 rc.conf --- etc/defaults/rc.conf 2000/10/16 04:45:47 1.81 +++ etc/defaults/rc.conf 2000/10/21 16:26:02 @@ -84,7 +84,6 @@ network_interfaces="auto" # List of network interfaces (or "auto"). ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration. #ifconfig_lo0_alias0="inet 127.0.0.254 netmask 0xffffffff" # Sample alias entry. -#ifconfig_ed0_alias0="inet6 fec0:0000:0000:0005::1 prefixlen 64" # Sample alias entry for IPv6. #ifconfig_ed0_ipx="ipx 0x00010010" # Sample IPX address family entry. # # If you have any sppp(4) interfaces above, you might also want to set @@ -216,6 +215,7 @@ ### IPv6 options: ### ipv6_enable="NO" # Set to YES to set up for IPv6. ipv6_network_interfaces="auto" # List of network interfaces (or "auto"). +ipv6_defaultrouter="NO" # Set to IPv6 default gateway (or NO). ipv6_static_routes="" # Set to static route list (or leave empty). #ipv6_static_routes="xxx" # An example to set fec0:0000:0000:0006::/64 # route toward loopback interface. @@ -226,10 +226,12 @@ ipv6_router_flags="" # Flags to IPv6 routing daemon. #ipv6_router_flags="-l" # Example for route6d with only IPv6 site local # addrs. -#ipv6_network_interfaces="ed0 ep0" # Examples for router. +#ipv6_network_interfaces="ed0 ep0" # Examples for router + # or static configuration for end node. # Choose correct prefix value. #ipv6_prefix_ed0="fec0:0000:0000:0001 fec0:0000:0000:0002" # Examples for rtr. #ipv6_prefix_ep0="fec0:0000:0000:0003 fec0:0000:0000:0004" # Examples for rtr. +#ipv6_ifconfig_ed0="fec0:0:0:5::1 prefixlen 64" # Sample alias entry ipv6_default_interface="" # Default output interface for scoped addrs. # Now this works only for IPv6 link local # multicast addrs. 
@@ -256,8 +258,15 @@ stf_interface_ipv6_ifid="0:0:0:1" # IPv6 interface id for stf0. # If you like, you can set "AUTO" for this. stf_interface_ipv6_slaid="0000" # IPv6 Site Level Aggregator for stf0 -ipv6_ipv4mapping="YES"; # Leave empty to disable IPv4 mapped IPv6 addr +ipv6_ipv4mapping="YES" # Leave empty to disable IPv4 mapped IPv6 addr # communication. (like ::ffff:a.b.c.d) +ipv6_firewall_enable="NO" # Set to YES to enable IPv6 firewall + # functionality +ipv6_firewall_script="/etc/rc.firewall6" # Which script to run to set up the IPv6 firewall +ipv6_firewall_type="UNKNOWN" # IPv6 Firewall type (see /etc/rc.firewall6) +ipv6_firewall_quiet="NO" # Set to YES to suppress rule display +ipv6_firewall_logging="NO" # Set to YES to enable events logging +ipv6_firewall_flags="" # Flags passed to ip6fw when type is a file ############################################################## ### System console options ################################# Index: etc/rc.network6 =================================================================== RCS file: /home/ncvs/src/etc/rc.network6,v retrieving revision 1.13 diff -u -r1.13 rc.network6 --- etc/rc.network6 2000/10/08 19:18:24 1.13 +++ etc/rc.network6 2000/10/21 16:26:04 
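Review bot: The new `ipv6_firewall_logging="NO" # Set to YES to enable events logging` line documents YES as the only opt-in, but the consuming code in the etc/rc.network6 hunk at @@ -37 matches `[Yy][Ee][Ss] | ''`, so an operator who clears the variable to an empty string gets logging switched on rather than left off. Either this comment should say `# Set to YES (or empty) to enable events logging`, or the rc.network6 arm should drop the `| ''` alternative so only YES sets `net.inet6.ip6.fw.verbose=1`. The other new knobs `ipv6_firewall_quiet` and `ipv6_firewall_flags` are not read by any hunk in this diff; presumably /etc/rc.firewall6 consumes them, which is outside this view.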
@@ -37,26 +37,74 @@ network6_pass1() { echo -n 'Doing IPv6 network setup:' - case ${ipv6_gateway_enable} in + # Initialize IP filtering using ip6fw + # + if /sbin/ip6fw -q flush > /dev/null 2>&1; then + ipv6_firewall_in_kernel=1 + else + ipv6_firewall_in_kernel=0 + fi + + case ${ipv6_firewall_enable} in [Yy][Ee][Ss]) - # - # list of interfaces, and prefix for interfaces - # - case ${ipv6_network_interfaces} in - [Aa][Uu][Tt][Oo]) - ipv6_network_interfaces="`ifconfig -l`" + if [ "${ipv6_firewall_in_kernel}" -eq 0 ] && kldload ip6fw; then + ipv6_firewall_in_kernel=1 + echo "Kernel IPv6 firewall module loaded." + elif [ "${ipv6_firewall_in_kernel}" -eq 0 ]; then + echo "Warning: IPv6 firewall kernel module failed to load." + fi + ;; + esac + + # Load the filters if required + # + case ${ipv6_firewall_in_kernel} in + 1) + if [ -z "${ipv6_firewall_script}" ]; then + ipv6_firewall_script=/etc/rc.firewall6 + fi + + case ${ipv6_firewall_enable} in + [Yy][Ee][Ss]) + if [ -r "${ipv6_firewall_script}" ]; then + . "${ipv6_firewall_script}" + echo -n 'IPv6 Firewall rules loaded.' + elif [ "`ip6fw l 65535`" = "65535 deny ipv6 from any to any" ]; then + echo -n "Warning: kernel has IPv6 firewall functionality, " + echo "but IPv6 firewall rules are not enabled." + echo " All ipv6 services are disabled." + fi + + case ${ipv6_firewall_logging} in + [Yy][Ee][Ss] | '') + echo 'IPv6 Firewall logging=YES' + sysctl -w net.inet6.ip6.fw.verbose=1 >/dev/null + ;; + *) + ;; + esac + ;; esac ;; - *) - # - # manual configurations - in case ip6_gateway_enable=NO - # you can configure only single interface, - # as specification assumes that - # autoconfigured host has single interface only. 
- # - case ${ipv6_network_interfaces} in - [Aa][Uu][Tt][Oo]) + esac + + case ${ipv6_network_interfaces} in + [Aa][Uu][Tt][Oo]) + case ${ipv6_gateway_enable} in + [Yy][Ee][Ss]) + # + # list of interfaces, and prefix for interfaces + # + ipv6_network_interfaces="`ifconfig -l`" + ;; + *) + # + # manual configurations - in case ip6_gateway_enable=NO + # you can configure only single interface, + # as specification assumes that + # autoconfigured host has single interface only. + # set `ifconfig -l` ipv6_network_interfaces="$1" ;; @@ -83,46 +131,26 @@ done sleep `sysctl -n net.inet6.ip6.dad_count` sleep 1 - - # setting up interfaces - for i in $ipv6_network_interfaces; do - eval prefix=\$ipv6_prefix_$i - case ${prefix} in - '') - continue; - ;; - esac - for j in ${prefix}; do - case ${prefixcmd_enable} in - [Yy][Ee][Ss]) - prefix $i $j:: - ;; - *) - laddr=`network6_getladdr $i` - hostid=`expr "${laddr}" : \ - 'fe80::\(.*\)%\(.*\)'` - address=$j\:${hostid} - - eval hostid_$i=${hostid} - eval address_$i=${address} - - ifconfig $i inet6 ${address} \ - prefixlen 64 alias - ;; - esac + ;; + *) + # act as endhost - start with manual configuration + sysctl -w net.inet6.ip6.forwarding=0 + sysctl -w net.inet6.ip6.accept_rtadv=0 + ;; + esac - # subnet-router anycast address (rfc2373) - ifconfig $i inet6 $j:: prefixlen 64 \ - alias anycast - done + # gifconfig + network6_gif_setup - ifconfig $i inet6 - done + # setting up interfaces + network6_interface_setup - # again, wait for DAD's completion (for global addrs) - sleep `sysctl -n net.inet6.ip6.dad_count` - sleep 1 + # wait for DAD's completion (for global addrs) + sleep `sysctl -n net.inet6.ip6.dad_count` + sleep 1 + case ${ipv6_gateway_enable} in + [Yy][Ee][Ss]) # Filter out interfaces on which IPv6 addr init failed. ipv6_working_interfaces="" for i in ${ipv6_network_interfaces}; do 
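Review bot: The kernel-support probe `if /sbin/ip6fw -q flush > /dev/null 2>&1; then` at the top of network6_pass1 clears any IPv6 rule set already installed before the script has decided whether it will load a new one, so re-running this function on a live system leaves only the kernel's built-in last rule until `${ipv6_firewall_script}` is sourced, and when `ipv6_firewall_enable` is not YES the flushed rules are never restored. A read-only probe would detect the module without discarding state, e.g. `if /sbin/ip6fw l 65535 > /dev/null 2>&1; then` (the same hunk already relies on `ip6fw l 65535` further down), provided it fails the same way when ip6fw is absent from the kernel — worth confirming. The comment `# Initialize IP filtering using ip6fw` should in any case say what the command is for, e.g. `# Probe for ip6fw support in the kernel (note: this flushes existing rules)`. network6_pass1 opens in this hunk but its body continues past it.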
@@ -137,20 +165,21 @@ esac done ipv6_network_interfaces=${ipv6_working_interfaces} - - # gifconfig - network6_gif_setup + ;; + esac - # 6to4 setup - network6_stf_setup + # 6to4 setup + network6_stf_setup - # install the "default interface" to kernel, which will be used - # as the default route when there's no router. - network6_default_interface_setup + # install the "default interface" to kernel, which will be used + # as the default route when there's no router. + network6_default_interface_setup - # setup static routes - network6_static_routes_setup + # setup static routes + network6_static_routes_setup + case ${ipv6_gateway_enable} in + [Yy][Ee][Ss]) # ipv6_router case ${ipv6_router_enable} in [Yy][Ee][Ss]) @@ -178,16 +207,20 @@ case ${rtadvd_enable} in [Yy][Ee][Ss]) # default - for i in ${ipv6_network_interfaces}; do - case $i in - stf*) - continue - ;; - *) - rtadvd_interfaces="${rtadvd_interfaces} ${i}" - ;; - esac - done + case ${rtadvd_interfaces} in + '') + for i in ${ipv6_network_interfaces}; do + case $i in + stf*) + continue + ;; + *) + rtadvd_interfaces="${rtadvd_interfaces} ${i}" + ;; + esac + done + ;; + esac rtadvd ${rtadvd_interfaces} # # Enable Router Renumbering, unicast case 
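Review bot: `rtadvd_interfaces` becomes an operator-settable knob in the @@ -178 hunk (the `'')` arm now derives the list only when it is empty), but none of the etc/defaults/rc.conf hunks in this diff declare or describe it; if it is not already present there, add `rtadvd_interfaces="" # Interfaces rtadvd advertises on (empty: all non-stf IPv6 interfaces)` so the new behaviour is discoverable. Separately, when every entry of `ipv6_network_interfaces` is an `stf*` interface the derived list stays empty and `rtadvd ${rtadvd_interfaces}` runs with no arguments; that is pre-existing, but a guard such as `[ -n "${rtadvd_interfaces}" ] && rtadvd ${rtadvd_interfaces}` would avoid starting the daemon with nothing to advertise (what rtadvd does with no arguments is not visible here).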
@@ -211,38 +244,6 @@ ;; esac ;; - *) - # act as endhost - automatically configured - sysctl -w net.inet6.ip6.forwarding=0 - sysctl -w net.inet6.ip6.accept_rtadv=1 - - case ${ipv6_network_interfaces} in - lo0|gif*|stf*|faith*) - ;; - *) - ifconfig ${ipv6_network_interfaces} up - rtsol ${ipv6_network_interfaces} - ;; - esac - - # wait for DAD's completion (for global addrs) - sleep `sysctl -n net.inet6.ip6.dad_count` - sleep 1 - - # gifconfig - network6_gif_setup - - # 6to4 setup - network6_stf_setup - - # install the "default interface" to kernel, which will be used - # as the default route when there's no router. - # ndp -I ${ipv6_default_interface} - network6_default_interface_setup - - # setup static routes - network6_static_routes_setup - ;; esac case ${ipv6_ipv4mapping} in 
@@ -263,6 +264,85 @@ network6_pass1_done=YES } +network6_interface_setup() { + rtsol_interfaces='' + case ${ipv6_gateway_enable} in + [Yy][Ee][Ss]) + rtsol_available=no + ;; + *) + rtsol_available=yes + prefixcmd_enable=NO + ;; + esac + for i in $ipv6_network_interfaces; do + rtsol_interface=yes + eval prefix=\$ipv6_prefix_$i + if [ -n "${prefix}" ]; then + rtsol_available=no + rtsol_interface=no + for j in ${prefix}; do + case ${prefixcmd_enable} in + [Yy][Ee][Ss]) + prefix $i $j:: + ;; + *) + laddr=`network6_getladdr $i` + hostid=`expr "${laddr}" : \ + 'fe80::\(.*\)%\(.*\)'` + address=$j\:${hostid} + + eval hostid_$i=${hostid} + eval address_$i=${address} + + ifconfig $i inet6 ${address} \ + prefixlen 64 alias + ;; + esac + + case ${ipv6_gateway_enable} in + [Yy][Ee][Ss]) + # subnet-router anycast address + # (rfc2373) + ifconfig $i inet6 $j:: prefixlen 64 \ + alias anycast + ;; + esac + done + fi + eval ipv6_ifconfig=\$ipv6_ifconfig_$i + if [ -n "${ipv6_ifconfig}" ]; then + rtsol_available=no + rtsol_interface=no + ifconfig $i inet6 ${ipv6_ifconfig} alias + fi + + if [ ${rtsol_available} = yes -a ${rtsol_interface} = yes ] + then + case ${i} in + lo0|gif*|stf*|faith*) + ;; + *) + rtsol_interfaces="${rtsol_interfaces} ${i}" + ;; + esac + else + ifconfig $i inet6 + fi + done + + if [ ${rtsol_available} = yes -a -n "${rtsol_interfaces}" ]; then + # Act as endhost - automatically configured. + # You can configure only single interface, as + # specification assumes that autoconfigured host has + # single interface only. + sysctl -w net.inet6.ip6.accept_rtadv=1 + set ${rtsol_interfaces} + ifconfig $1 up + rtsol $1 + fi +} + network6_gif_setup() { case ${gif_interfaces} in [Nn][Oo] | '') 
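Review bot: In network6_interface_setup the test `if [ ${rtsol_available} = yes -a ${rtsol_interface} = yes ]` leaves both expansions unquoted and uses the deprecated `-a`; both variables are always assigned yes/no inside the function so it works today, but `if [ "${rtsol_available}" = yes ] && [ "${rtsol_interface}" = yes ]; then` is the robust form and also matches the `; then` layout used elsewhere in this diff. When more than one interface qualifies for autoconfiguration, `set ${rtsol_interfaces}` followed by `ifconfig $1 up` and `rtsol $1` silently configures only the first, so a line such as `echo "Warning: only $1 is autoconfigured (candidates:${rtsol_interfaces})"` before the `ifconfig $1 up` would save an operator a debugging session. The `*)` arm also assigns the global `prefixcmd_enable=NO` as a side effect of a function named for interface setup; a comment such as `# end hosts never use the prefix command — confirm this override is intended` would make that visible to the next reader.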
@@ -330,6 +410,14 @@ network6_static_routes_setup() { # Set up any static routes. + case ${ipv6_defaultrouter} in + [Nn][Oo] | '') + ;; + *) + ipv6_static_routes="default ${ipv6_static_routes}" + ipv6_route_default="default ${ipv6_defaultrouter}" + ;; + esac case ${ipv6_static_routes} in [Nn][Oo] | '') ;; @@ -362,16 +450,32 @@ # Disallow unicast packets without outgoing scope identifiers, # or route such packets to a "default" interface, if it is specified. + route add -inet6 fe80:: -prefixlen 10 ::1 -reject case ${ipv6_default_interface} in [Nn][Oo] | '') - route add -inet6 fe80:: -prefixlen 10 ::1 -reject route add -inet6 fec0:: -prefixlen 10 ::1 -reject ;; *) laddr=`network6_getladdr ${ipv6_default_interface}` route add -inet6 fec0:: ${laddr} -prefixlen 10 -interface \ -cloning - ndp -I ${ipv6_default_interface} + + # Disable installing the default interface with the + # case net.inet6.ip6.forwarding=0 and + # net.inet6.ip6.accept_rtadv=0, due to avoid conflict + # between the default router list and the manual + # configured default route. + case ${ipv6_gateway_enable} in + [Yy][Ee][Ss]) + ndp -I ${ipv6_default_interface} + ;; + *) + if [ `sysctl -n net.inet6.ip6.accept_rtadv` -eq 1 ] + then + ndp -I ${ipv6_default_interface} + fi + ;; + esac ;; esac }
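Review bot: The `*)` arm in network6_static_routes_setup prepends `default` to `${ipv6_static_routes}` and assigns `ipv6_route_default` unconditionally, so an operator who already listed `default` in `ipv6_static_routes` with their own `ipv6_route_default` has it overwritten and the name appears twice in the list (the loop that consumes the list is below this hunk, so whether the duplicate adds the route twice cannot be confirmed here). A containment check before prepending, e.g. `case " ${ipv6_static_routes} " in *" default "*) ;; *) ipv6_static_routes="default ${ipv6_static_routes}" ;; esac`, keeps the two configuration styles from colliding. The etc/defaults/rc.conf comment for `ipv6_defaultrouter` could also mention that `default` is a reserved entry name in `ipv6_static_routes` when this knob is used.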
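Review bot: `if [ `sysctl -n net.inet6.ip6.accept_rtadv` -eq 1 ]` in the end-host arm leaves the backtick substitution unquoted, so if sysctl prints nothing the test degenerates to `[ -eq 1 ]` and errors out instead of simply skipping `ndp -I`; `if [ "`sysctl -n net.inet6.ip6.accept_rtadv`" = 1 ]; then` behaves sensibly on empty output. The five-line explanatory comment above the case is hard to follow and would read better as `# On an end host that does not accept router advertisements, skip installing a default interface: it would compete with the manually configured default route.` The enclosing network6_default_interface_setup begins before this hunk.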