Initial commit.

2021-05-24 22:18:33 +03:00
commit e2954d55f4
3701 changed files with 330017 additions and 0 deletions

5
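--- a/sysconfig/anaconda
+++ b/sysconfig/anaconda
@@ -0,0 +1,5 @@
+# This file has been generated by the Anaconda Installer 29.19.2.17
+[General]
+post_install_tools_disabled = 1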

4
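--- a/sysconfig/arpwatch
+++ b/sysconfig/arpwatch
@@ -0,0 +1,4 @@
+# -u <username> : defines with what user id arpwatch should run
+# -e <email> : the <email> where to send the reports
+# -s <from> : the <from>-address
+OPTIONS="-u arpwatch -e bogdan@898.ro -s 'root@zira.898.ro'"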

9
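--- a/sysconfig/atd
+++ b/sysconfig/atd
@@ -0,0 +1,9 @@
+# specify additional command line arguments for atd
+#
+# -l Specifies a limiting load factor, over which batch jobs should not be run, instead of the compile-time
+# choice of 0.8. For an SMP system with n CPUs, you will probably want to set this higher than n-1.
+#
+# -b Specifiy the minimum interval in seconds between the start of two batch jobs (60 default).
+#example:
+#OPTS="-l 4 -b 120"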

2
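--- a/sysconfig/authconfig
+++ b/sysconfig/authconfig
@@ -0,0 +1,2 @@
+PASSWDALGORITHM=sha512
+USESHADOW=yes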

1
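--- a/sysconfig/cbq/avpkt
+++ b/sysconfig/cbq/avpkt
@@ -0,0 +1 @@
+AVPKT=3000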


@@ -0,0 +1,5 @@
DEVICE=eth0,10Mbit,1Mbit
RATE=128Kbit
WEIGHT=10Kbit
PRIO=5
RULE=192.168.1.0/24

48
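--- a/sysconfig/certbot
+++ b/sysconfig/certbot
@@ -0,0 +1,48 @@
+## NOTE ##
+# If a hook is set here then it will be used for all
+# certificates and will override any per certificate
+# hook configuration in place.
+# Command to be run in a shell before obtaining any
+# certificates. Intended primarily for renewal, where it
+# can be used to temporarily shut down a webserver that
+# might conflict with the standalone plugin. This will
+# only be called if a certificate is actually to be
+# obtained/renewed. When renewing several certificates
+# that have identical pre-hooks, only the first will be
+# executed.
+#
+# An example to stop the MTA before updating certs would be
+# PRE_HOOK="--pre-hook 'systemctl stop postfix'"
+PRE_HOOK=""
+# Command to be run in a shell after attempting to
+# obtain/renew certificates. Can be used to deploy
+# renewed certificates, or to restart any servers that
+# were stopped by --pre-hook. This is only run if an
+# attempt was made to obtain/renew a certificate. If
+# multiple renewed certificates have identical post-
+# hooks, only one will be run.
+#
+# An example to restart httpd would be:
+# POST_HOOK="--post-hook 'systemctl restart httpd'"
+POST_HOOK=""
+# Command to be run in a shell once for each
+# successfully renewed certificate. For this command,
+# the shell variable $RENEWED_LINEAGE will point to the
+# config live subdirectory containing the new certs and
+# keys; the shell variable $RENEWED_DOMAINS will contain
+# a space-delimited list of renewed cert domains
+#
+# An example to run a script to alert each cert would be:
+# DEPLOY_HOOK="--deploy-hook /usr/local/bin/cert-notifier.sh"
+DEPLOY_HOOK=""
+# Any other misc arguments for the renewal
+# See certbot -h renew for full list
+#
+# An example to force renewal for certificates not due yet
+# CERTBOT_ARGS="--force-renewal"
+CERTBOT_ARGS=""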

2
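--- a/sysconfig/chronyd
+++ b/sysconfig/chronyd
@@ -0,0 +1,2 @@
+# Command-line options for chronyd
+OPTIONS="-u chrony"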

3
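--- a/sysconfig/cpupower
+++ b/sysconfig/cpupower
@@ -0,0 +1,3 @@
+# See 'cpupower help' and cpupower(1) for more info
+CPUPOWER_START_OPTS="frequency-set -g performance"
+CPUPOWER_STOP_OPTS="frequency-set -g ondemand"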

3
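--- a/sysconfig/crond
+++ b/sysconfig/crond
@@ -0,0 +1,3 @@
+# Settings for the CRON daemon.
+# CRONDARGS= : any extra command-line startup arguments for crond
+CRONDARGS=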

11
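--- a/sysconfig/ebtables-config
+++ b/sysconfig/ebtables-config
@@ -0,0 +1,11 @@
+# Save current firewall rules on stop.
+# Value: yes|no, default: no
+# Saves all firewall rules if firewall gets stopped
+# (e.g. on system shutdown).
+EBTABLES_SAVE_ON_STOP="no"
+# Save (and restore) rule counters.
+# Value: yes|no, default: no
+# Save rule counters when saving a kernel table to a file. If the
+# rule counters were saved, they will be restored when restoring the table.
+EBTABLES_SAVE_COUNTER="no"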

3
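--- a/sysconfig/firewalld
+++ b/sysconfig/firewalld
@@ -0,0 +1,3 @@
+# firewalld command line args
+# possible values: --debug
+FIREWALLD_ARGS=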

1
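--- a/sysconfig/firstboot
+++ b/sysconfig/firstboot
@@ -0,0 +1 @@
+RUN_FIRSTBOOT=NO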

16
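--- a/sysconfig/garb
+++ b/sysconfig/garb
@@ -0,0 +1,16 @@
+# Copyright (C) 2012 Codership Oy
+# This config file is to be sourced by garb service script.
+# A comma-separated list of node addresses (address[:port]) in the cluster
+# GALERA_NODES=""
+# Galera cluster name, should be the same as on the rest of the nodes.
+# GALERA_GROUP=""
+# Optional Galera internal options string (e.g. SSL settings)
+# see http://galeracluster.com/documentation-webpages/galeraparameters.html
+# GALERA_OPTIONS=""
+# Log file for garbd. Optional, by default logs to syslog
+# LOG_FILE=""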

1
sysconfig/grub Symbolic link

@@ -0,0 +1 @@
../default/grub

16
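--- a/sysconfig/htcacheclean
+++ b/sysconfig/htcacheclean
@@ -0,0 +1,16 @@
+#
+# Configuration options for systemd service, htcacheclean.service.
+# See htcacheclean(8) for more information on available options.
+#
+# Interval between cache clean runs, in minutes
+INTERVAL=15
+# Default cache root.
+CACHE_ROOT=/var/cache/httpd/proxy
+# Cache size limit in bytes (K=Kbytes, M=Mbytes)
+LIMIT=100M
+# Any other options...
+OPTIONS=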


@@ -0,0 +1,59 @@
# Load additional ip6tables modules (nat helpers)
# Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IP6TABLES_MODULES=""
# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/ip6tables if firewall gets stopped
# (e.g. on system shutdown).
IP6TABLES_SAVE_ON_STOP="no"
# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/ip6tables if firewall gets
# restarted.
IP6TABLES_SAVE_ON_RESTART="no"
# Save (and restore) rule and chain counter.
# Value: yes|no, default: no
# Save counters for rules and chains to /etc/sysconfig/ip6tables if
# 'service ip6tables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IP6TABLES_SAVE_COUNTER="no"
# Numeric status output
# Value: yes|no, default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IP6TABLES_STATUS_NUMERIC="yes"
# Verbose status output
# Value: yes|no, default: yes
# Print info about the number of packets and bytes plus the "input-" and
# "outputdevice" in the status output.
IP6TABLES_STATUS_VERBOSE="no"
# Status output with numbered lines
# Value: yes|no, default: yes
# Print a counter/number for every rule in the status output.
IP6TABLES_STATUS_LINENUMBERS="yes"
# Reload sysctl settings on start and restart
# Default: -none-
# Space separated list of sysctl items which are to be reloaded on start.
# List items will be matched by fgrep.
#IP6TABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
# Set wait option for ip6tables-restore calls in seconds
# Default: 600
# Set to 0 to deactivate the wait.
#IP6TABLES_RESTORE_WAIT=600
# Set wait interval option for ip6tables-restore calls in microseconds
# Default: 1000000
# Set to 100000 to try to get the lock every 100000 microseconds, 10 times a
# second.
# Only usable with IP6TABLES_RESTORE_WAIT > 0
#IP6TABLES_RESTORE_WAIT_INTERVAL=1000000

59
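--- a/sysconfig/iptables-config
+++ b/sysconfig/iptables-config
@@ -0,0 +1,59 @@
+# Load additional iptables modules (nat helpers)
+# Default: -none-
+# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
+# are loaded after the firewall rules are applied. Options for the helpers are
+# stored in /etc/modprobe.conf.
+IPTABLES_MODULES=""
+# Save current firewall rules on stop.
+# Value: yes|no, default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
+# (e.g. on system shutdown).
+IPTABLES_SAVE_ON_STOP="no"
+# Save current firewall rules on restart.
+# Value: yes|no, default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
+# restarted.
+IPTABLES_SAVE_ON_RESTART="no"
+# Save (and restore) rule and chain counter.
+# Value: yes|no, default: no
+# Save counters for rules and chains to /etc/sysconfig/iptables if
+# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
+# SAVE_ON_RESTART is enabled.
+IPTABLES_SAVE_COUNTER="no"
+# Numeric status output
+# Value: yes|no, default: yes
+# Print IP addresses and port numbers in numeric format in the status output.
+IPTABLES_STATUS_NUMERIC="yes"
+# Verbose status output
+# Value: yes|no, default: yes
+# Print info about the number of packets and bytes plus the "input-" and
+# "outputdevice" in the status output.
+IPTABLES_STATUS_VERBOSE="no"
+# Status output with numbered lines
+# Value: yes|no, default: yes
+# Print a counter/number for every rule in the status output.
+IPTABLES_STATUS_LINENUMBERS="yes"
+# Reload sysctl settings on start and restart
+# Default: -none-
+# Space separated list of sysctl items which are to be reloaded on start.
+# List items will be matched by fgrep.
+#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
+# Set wait option for iptables-restore calls in seconds
+# Default: 600
+# Set to 0 to deactivate the wait.
+#IPTABLES_RESTORE_WAIT=600
+# Set wait interval option for iptables-restore calls in microseconds
+# Default: 1000000
+# Set to 100000 to try to get the lock every 100000 microseconds, 10 times a
+# second.
+# Only usable with IPTABLES_RESTORE_WAIT > 0
+#IPTABLES_RESTORE_WAIT_INTERVAL=1000000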


@@ -0,0 +1,246 @@
# Generated by iptables-save v1.8.4 on Tue Oct 20 17:37:31 2020
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:HONEYPOT - [0:0]
:DSHIELD - [0:0]
:BDEALL - [0:0]
:SPAMDROP - [0:0]
:CRYPTOPHP - [0:0]
:EMAILSPAMMERS - [0:0]
:BFB - [0:0]
:BOGON - [0:0]
:BDE - [0:0]
:BADBOTS - [0:0]
:SPAMEDROP - [0:0]
:TOREXITNODES - [0:0]
:MAXMIND - [0:0]
:PORTFLOOD - [0:0]
:LOGDROPIN - [0:0]
:LOGDROPOUT - [0:0]
:DENYIN - [0:0]
:DENYOUT - [0:0]
:ALLOWIN - [0:0]
:ALLOWOUT - [0:0]
:LOCALINPUT - [0:0]
:LOCALOUTPUT - [0:0]
:INVDROP - [0:0]
:INVALID - [0:0]
:SMTPOUTPUT - [0:0]
:DOCKER - [0:0]
-A INPUT ! -i lo -p tcp -m tcp --dport 8889 -m limit --limit 15/min --limit-burst 150 -j ACCEPT
-A INPUT ! -i lo -p tcp -m tcp --dport 8888 -m limit --limit 15/min --limit-burst 150 -j ACCEPT
-A INPUT ! -i lo -j LOCALINPUT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -p tcp -j INVALID
-A INPUT ! -i lo -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -m recent --set --name 25 --mask 255.255.255.255 --rsource
-A INPUT ! -i lo -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 5 --hitcount 15 --name 25 --mask 255.255.255.255 --rsource -j PORTFLOOD
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 8 -j LOGDROPIN
-A INPUT ! -i lo -p icmp -j ACCEPT
-A INPUT ! -i lo -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
-A INPUT ! -i lo -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 26 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 88 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 110 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 143 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 465 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 587 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 904 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 953 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 992 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 993 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 995 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 1907:1909 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 1723 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 1986 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2082 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2083 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2086 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2087 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2095 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2096 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 8443 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 8800 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 8988 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 9391 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 9999 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 65534 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 5080 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 5665 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 5666 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 5222 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 5269 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 52222 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 40000:40100 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 11898 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 67 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 68 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 123 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 161 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 500 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 514 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 517 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 518 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 1194 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 1514 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 1701 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 1981 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 4500 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 33434:33523 -j ACCEPT
-A INPUT ! -i lo -j LOGDROPIN
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m tcp --sport 8889 -m limit --limit 15/min --limit-burst 150 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m tcp --sport 8888 -m limit --limit 15/min --limit-burst 150 -j ACCEPT
-A OUTPUT ! -o lo -j LOCALOUTPUT
-A OUTPUT ! -o lo -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -j SMTPOUTPUT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT ! -o lo -p tcp -j INVALID
-A OUTPUT ! -o lo -p icmp -j ACCEPT
-A OUTPUT ! -o lo -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
-A OUTPUT ! -o lo -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 1:65535 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 1:65535 -j ACCEPT
-A OUTPUT ! -o lo -j LOGDROPOUT
-A HONEYPOT -m set --match-set bl_HONEYPOT src -j DROP
-A DSHIELD -m set --match-set bl_DSHIELD src -j DROP
-A BDEALL -m set --match-set bl_BDEALL src -j DROP
-A SPAMDROP -m set --match-set bl_SPAMDROP src -j DROP
-A CRYPTOPHP -m set --match-set bl_CRYPTOPHP src -j DROP
-A EMAILSPAMMERS -m set --match-set bl_EMAILSPAMMERS src -j DROP
-A BFB -m set --match-set bl_BFB src -j DROP
-A BOGON -m set --match-set bl_BOGON src -j DROP
-A BDE -m set --match-set bl_BDE src -j DROP
-A BADBOTS -m set --match-set bl_BADBOTS src -j DROP
-A SPAMEDROP -m set --match-set bl_SPAMEDROP src -j DROP
-A TOREXITNODES -m set --match-set bl_TOREXITNODES src -j DROP
-A MAXMIND -m set --match-set bl_MAXMIND src -j DROP
-A PORTFLOOD -m limit --limit 30/min -j LOG --log-prefix "Firewall: *Port Flood* "
-A PORTFLOOD -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 67 -j DROP
-A LOGDROPIN -p udp -m udp --dport 67 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 68 -j DROP
-A LOGDROPIN -p udp -m udp --dport 68 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 111 -j DROP
-A LOGDROPIN -p udp -m udp --dport 111 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 113 -j DROP
-A LOGDROPIN -p udp -m udp --dport 113 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 135:139 -j DROP
-A LOGDROPIN -p udp -m udp --dport 135:139 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 445 -j DROP
-A LOGDROPIN -p udp -m udp --dport 445 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 500 -j DROP
-A LOGDROPIN -p udp -m udp --dport 500 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 513 -j DROP
-A LOGDROPIN -p udp -m udp --dport 513 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 520 -j DROP
-A LOGDROPIN -p udp -m udp --dport 520 -j DROP
-A LOGDROPIN -p tcp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *TCP_IN Blocked* "
-A LOGDROPIN -p udp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *UDP_IN Blocked* "
-A LOGDROPIN -p icmp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *ICMP_IN Blocked* "
-A LOGDROPIN -j DROP
-A LOGDROPOUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 30/min -j LOG --log-prefix "Firewall: *TCP_OUT Blocked* " --log-uid
-A LOGDROPOUT -p udp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *UDP_OUT Blocked* " --log-uid
-A LOGDROPOUT -p icmp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *ICMP_OUT Blocked* " --log-uid
-A LOGDROPOUT -j REJECT --reject-with icmp-port-unreachable
-A DENYIN -m set --match-set chain_DENY src -j DROP
-A DENYOUT -m set --match-set chain_DENY dst -j LOGDROPOUT
-A ALLOWIN -s 194.63.143.34/32 ! -i lo -p tcp -m tcp --dport 5666 -j ACCEPT
-A ALLOWIN -s 134.19.177.221/32 ! -i lo -p tcp -m tcp --dport 5666 -j ACCEPT
-A ALLOWIN -s 91.210.104.27/32 ! -i lo -p tcp -m tcp --dport 5666 -j ACCEPT
-A ALLOWIN -m set --match-set chain_ALLOW src -j ACCEPT
-A ALLOWOUT -m set --match-set chain_ALLOW dst -j ACCEPT
-A LOCALINPUT ! -i lo -j ALLOWIN
-A LOCALINPUT ! -i lo -j DENYIN
-A LOCALINPUT ! -i lo -j HONEYPOT
-A LOCALINPUT ! -i lo -j DSHIELD
-A LOCALINPUT ! -i lo -j BDEALL
-A LOCALINPUT ! -i lo -j SPAMDROP
-A LOCALINPUT ! -i lo -j CRYPTOPHP
-A LOCALINPUT ! -i lo -j EMAILSPAMMERS
-A LOCALINPUT ! -i lo -j BFB
-A LOCALINPUT ! -i lo -j BOGON
-A LOCALINPUT ! -i lo -j BDE
-A LOCALINPUT ! -i lo -j BADBOTS
-A LOCALINPUT ! -i lo -j SPAMEDROP
-A LOCALINPUT ! -i lo -j TOREXITNODES
-A LOCALINPUT ! -i lo -j MAXMIND
-A LOCALOUTPUT ! -o lo -j ALLOWOUT
-A LOCALOUTPUT ! -o lo -j DENYOUT
-A INVDROP -m conntrack --ctstate INVALID -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INVALID* "
-A INVDROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_AN* "
-A INVDROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_AA* "
-A INVDROP -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_SFSF* "
-A INVDROP -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_SRSR* "
-A INVDROP -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_FRFR* "
-A INVDROP -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_AFF* "
-A INVDROP -p tcp -m tcp --tcp-flags PSH,ACK PSH -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_APP* "
-A INVDROP -p tcp -m tcp --tcp-flags ACK,URG URG -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_AUU* "
-A INVDROP -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_NOSYN* "
-A INVDROP -j DROP
-A INVALID -m conntrack --ctstate INVALID -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,ACK FIN -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags PSH,ACK PSH -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags ACK,URG URG -j INVDROP
-A INVALID -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j INVDROP
-A SMTPOUTPUT -o lo -p tcp -m multiport --dports 25,465,587 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner 65534 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner 12 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner 65534 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner 101 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner 89 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner 0 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -j LOGDROPOUT
COMMIT
# Completed on Tue Oct 20 17:37:31 2020
# Generated by iptables-save v1.8.4 on Tue Oct 20 17:37:31 2020
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
-A OUTPUT -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
# Completed on Tue Oct 20 17:37:31 2020
# Generated by iptables-save v1.8.4 on Tue Oct 20 17:37:31 2020
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Oct 20 17:37:31 2020
# Generated by iptables-save v1.8.4 on Tue Oct 20 17:37:31 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING ! -i lo -p tcp -m set --match-set MESSENGER src -m multiport --dports 80,2082,2093,2095 -j REDIRECT --to-ports 8888
-A PREROUTING ! -i lo -p tcp -m set --match-set MESSENGER src -m multiport --dports 21 -j REDIRECT --to-ports 8889
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
# Completed on Tue Oct 20 17:37:31 2020
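Review bot: The INPUT-wide rule `-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 5666 -j ACCEPT` admits new connections to port 5666 from any source, so the three per-address `-A ALLOWIN -s … --dport 5666 -j ACCEPT` rules in the same *filter table do not limit who can reach that port; they only let those hosts skip DENYIN and the block-list chains. If the intent is that only those three addresses reach the service (presumably a monitoring agent, the page does not say), remove the INPUT-wide accept and keep the ALLOWIN entries. The world-open UDP accepts for `--dport 161` and `--dport 514` deserve the same review, since nothing visible here scopes them by source. This section's file header is not on the page; from the neighbouring sections it appears to be the saved rule set loaded by the iptables service.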

262
sysconfig/iptables.rpmsave Normal file

@@ -0,0 +1,262 @@
# Modified by hwdsl2 VPN script
# Generated by iptables-save v1.8.4 on Tue Oct 20 17:37:31 2020
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:HONEYPOT - [0:0]
:DSHIELD - [0:0]
:BDEALL - [0:0]
:SPAMDROP - [0:0]
:CRYPTOPHP - [0:0]
:EMAILSPAMMERS - [0:0]
:BFB - [0:0]
:BOGON - [0:0]
:BDE - [0:0]
:BADBOTS - [0:0]
:SPAMEDROP - [0:0]
:TOREXITNODES - [0:0]
:MAXMIND - [0:0]
:PORTFLOOD - [0:0]
:LOGDROPIN - [0:0]
:LOGDROPOUT - [0:0]
:DENYIN - [0:0]
:DENYOUT - [0:0]
:ALLOWIN - [0:0]
:ALLOWOUT - [0:0]
:LOCALINPUT - [0:0]
:LOCALOUTPUT - [0:0]
:INVDROP - [0:0]
:INVALID - [0:0]
:SMTPOUTPUT - [0:0]
:DOCKER - [0:0]
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
-A INPUT ! -i lo -p tcp -m tcp --dport 8889 -m limit --limit 15/min --limit-burst 150 -j ACCEPT
-A INPUT ! -i lo -p tcp -m tcp --dport 8888 -m limit --limit 15/min --limit-burst 150 -j ACCEPT
-A INPUT ! -i lo -j LOCALINPUT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -p tcp -j INVALID
-A INPUT ! -i lo -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -m recent --set --name 25 --mask 255.255.255.255 --rsource
-A INPUT ! -i lo -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 5 --hitcount 15 --name 25 --mask 255.255.255.255 --rsource -j PORTFLOOD
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 8 -j LOGDROPIN
-A INPUT ! -i lo -p icmp -j ACCEPT
-A INPUT ! -i lo -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
-A INPUT ! -i lo -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 26 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 88 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 110 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 143 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 465 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 587 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 904 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 953 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 992 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 993 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 995 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 1907:1909 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 1723 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 1986 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2082 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2083 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2086 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2087 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2095 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2096 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 8443 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 8800 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 8988 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 9391 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 9999 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 65534 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 5080 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 5665 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 5666 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 5222 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 5269 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 52222 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 40000:40100 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 11898 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 67 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 68 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 123 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 161 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 500 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 514 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 517 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 518 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 1194 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 1514 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 1701 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 1981 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 4500 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 33434:33523 -j ACCEPT
-A INPUT ! -i lo -j LOGDROPIN
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i eth0 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -s 192.168.42.0/24 -d 192.168.42.0/24 -i ppp+ -o ppp+ -j ACCEPT
-A FORWARD -d 192.168.43.0/24 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.43.0/24 -o eth0 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT ! -o lo -p tcp -m tcp --sport 8889 -m limit --limit 15/min --limit-burst 150 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m tcp --sport 8888 -m limit --limit 15/min --limit-burst 150 -j ACCEPT
-A OUTPUT ! -o lo -j LOCALOUTPUT
-A OUTPUT ! -o lo -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -j SMTPOUTPUT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT ! -o lo -p tcp -j INVALID
-A OUTPUT ! -o lo -p icmp -j ACCEPT
-A OUTPUT ! -o lo -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
-A OUTPUT ! -o lo -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 1:65535 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 1:65535 -j ACCEPT
-A OUTPUT ! -o lo -j LOGDROPOUT
-A HONEYPOT -m set --match-set bl_HONEYPOT src -j DROP
-A DSHIELD -m set --match-set bl_DSHIELD src -j DROP
-A BDEALL -m set --match-set bl_BDEALL src -j DROP
-A SPAMDROP -m set --match-set bl_SPAMDROP src -j DROP
-A CRYPTOPHP -m set --match-set bl_CRYPTOPHP src -j DROP
-A EMAILSPAMMERS -m set --match-set bl_EMAILSPAMMERS src -j DROP
-A BFB -m set --match-set bl_BFB src -j DROP
-A BOGON -m set --match-set bl_BOGON src -j DROP
-A BDE -m set --match-set bl_BDE src -j DROP
-A BADBOTS -m set --match-set bl_BADBOTS src -j DROP
-A SPAMEDROP -m set --match-set bl_SPAMEDROP src -j DROP
-A TOREXITNODES -m set --match-set bl_TOREXITNODES src -j DROP
-A MAXMIND -m set --match-set bl_MAXMIND src -j DROP
-A PORTFLOOD -m limit --limit 30/min -j LOG --log-prefix "Firewall: *Port Flood* "
-A PORTFLOOD -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 67 -j DROP
-A LOGDROPIN -p udp -m udp --dport 67 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 68 -j DROP
-A LOGDROPIN -p udp -m udp --dport 68 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 111 -j DROP
-A LOGDROPIN -p udp -m udp --dport 111 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 113 -j DROP
-A LOGDROPIN -p udp -m udp --dport 113 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 135:139 -j DROP
-A LOGDROPIN -p udp -m udp --dport 135:139 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 445 -j DROP
-A LOGDROPIN -p udp -m udp --dport 445 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 500 -j DROP
-A LOGDROPIN -p udp -m udp --dport 500 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 513 -j DROP
-A LOGDROPIN -p udp -m udp --dport 513 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 520 -j DROP
-A LOGDROPIN -p udp -m udp --dport 520 -j DROP
-A LOGDROPIN -p tcp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *TCP_IN Blocked* "
-A LOGDROPIN -p udp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *UDP_IN Blocked* "
-A LOGDROPIN -p icmp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *ICMP_IN Blocked* "
-A LOGDROPIN -j DROP
-A LOGDROPOUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 30/min -j LOG --log-prefix "Firewall: *TCP_OUT Blocked* " --log-uid
-A LOGDROPOUT -p udp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *UDP_OUT Blocked* " --log-uid
-A LOGDROPOUT -p icmp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *ICMP_OUT Blocked* " --log-uid
-A LOGDROPOUT -j REJECT --reject-with icmp-port-unreachable
-A DENYIN -m set --match-set chain_DENY src -j DROP
-A DENYOUT -m set --match-set chain_DENY dst -j LOGDROPOUT
-A ALLOWIN -s 194.63.143.34/32 ! -i lo -p tcp -m tcp --dport 5666 -j ACCEPT
-A ALLOWIN -s 134.19.177.221/32 ! -i lo -p tcp -m tcp --dport 5666 -j ACCEPT
-A ALLOWIN -s 91.210.104.27/32 ! -i lo -p tcp -m tcp --dport 5666 -j ACCEPT
-A ALLOWIN -m set --match-set chain_ALLOW src -j ACCEPT
-A ALLOWOUT -m set --match-set chain_ALLOW dst -j ACCEPT
-A LOCALINPUT ! -i lo -j ALLOWIN
-A LOCALINPUT ! -i lo -j DENYIN
-A LOCALINPUT ! -i lo -j HONEYPOT
-A LOCALINPUT ! -i lo -j DSHIELD
-A LOCALINPUT ! -i lo -j BDEALL
-A LOCALINPUT ! -i lo -j SPAMDROP
-A LOCALINPUT ! -i lo -j CRYPTOPHP
-A LOCALINPUT ! -i lo -j EMAILSPAMMERS
-A LOCALINPUT ! -i lo -j BFB
-A LOCALINPUT ! -i lo -j BOGON
-A LOCALINPUT ! -i lo -j BDE
-A LOCALINPUT ! -i lo -j BADBOTS
-A LOCALINPUT ! -i lo -j SPAMEDROP
-A LOCALINPUT ! -i lo -j TOREXITNODES
-A LOCALINPUT ! -i lo -j MAXMIND
-A LOCALOUTPUT ! -o lo -j ALLOWOUT
-A LOCALOUTPUT ! -o lo -j DENYOUT
-A INVDROP -m conntrack --ctstate INVALID -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INVALID* "
-A INVDROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_AN* "
-A INVDROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_AA* "
-A INVDROP -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_SFSF* "
-A INVDROP -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_SRSR* "
-A INVDROP -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_FRFR* "
-A INVDROP -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_AFF* "
-A INVDROP -p tcp -m tcp --tcp-flags PSH,ACK PSH -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_APP* "
-A INVDROP -p tcp -m tcp --tcp-flags ACK,URG URG -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_AUU* "
-A INVDROP -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -m limit --limit 30/min -j LOG --log-prefix "Firewall: *INV_NOSYN* "
-A INVDROP -j DROP
-A INVALID -m conntrack --ctstate INVALID -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,ACK FIN -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags PSH,ACK PSH -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags ACK,URG URG -j INVDROP
-A INVALID -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j INVDROP
-A SMTPOUTPUT -o lo -p tcp -m multiport --dports 25,465,587 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner 65534 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner 12 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner 65534 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner 101 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner 89 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner 0 -j ACCEPT
-A SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -j LOGDROPOUT
COMMIT
# Completed on Tue Oct 20 17:37:31 2020
# Generated by iptables-save v1.8.4 on Tue Oct 20 17:37:31 2020
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
-A OUTPUT -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
# Completed on Tue Oct 20 17:37:31 2020
# Generated by iptables-save v1.8.4 on Tue Oct 20 17:37:31 2020
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Oct 20 17:37:31 2020
# Generated by iptables-save v1.8.4 on Tue Oct 20 17:37:31 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING ! -i lo -p tcp -m set --match-set MESSENGER src -m multiport --dports 80,2082,2093,2095 -j REDIRECT --to-ports 8888
-A PREROUTING ! -i lo -p tcp -m set --match-set MESSENGER src -m multiport --dports 21 -j REDIRECT --to-ports 8889
-A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.43.0/24 -o eth0 -m policy --dir out --pol none -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
# Completed on Tue Oct 20 17:37:31 2020
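Review bot: The accepts at the top of INPUT (`--ctstate RELATED,ESTABLISHED -j ACCEPT`, `--dports 500,4500 -j ACCEPT` and the `--pol ipsec` accept for 1701) are evaluated before `-A INPUT ! -i lo -j LOCALINPUT`, so a source listed in `chain_DENY` or any `bl_*` ipset is never checked by DENYIN or the blocklist chains for IKE/NAT-T, for L2TP over IPsec, or for a flow that is already established. Judging by the header comment these rules were prepended by the VPN setup script; moving `-A INPUT ! -i lo -j LOCALINPUT` to directly after the first `--pol none -j DROP` rule restores the deny-before-allow order the rest of the ruleset relies on. The later `--ctstate NEW ... --dport 1701 -j ACCEPT` can never match because the unconditional `--dport 1701 -j DROP` precedes it, and should be removed so the file does not suggest L2TP is reachable without IPsec. Separately, `--dport 1:65535 -j ACCEPT` for new TCP and UDP in OUTPUT leaves `:OUTPUT DROP` effective only for SMTP, and inbound UDP 161 and 514 are accepted from any source; each needs a source restriction or a comment stating why it is open.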

28
sysconfig/irqbalance Normal file

@@ -0,0 +1,28 @@
# irqbalance is a daemon process that distributes interrupts across
# CPUS on SMP systems. The default is to rebalance once every 10
# seconds. This is the environment file that is specified to systemd via the
# EnvironmentFile key in the service unit file (or via whatever method the init
# system you're using has.
#
# ONESHOT=yes
# after starting, wait for a minute, then look at the interrupt
# load and balance it once; after balancing exit and do not change
# it again.
#IRQBALANCE_ONESHOT=
#
# IRQBALANCE_BANNED_CPUS
# 64 bit bitmask which allows you to indicate which cpu's should
# be skipped when reblancing irqs. Cpu numbers which have their
# corresponding bits set to one in this mask will not have any
# irq's assigned to them on rebalance
#
#IRQBALANCE_BANNED_CPUS=
#
# IRQBALANCE_ARGS
# append any args here to the irqbalance daemon as documented in the man page
#
#IRQBALANCE_ARGS=

6
sysconfig/kernel Normal file

@@ -0,0 +1,6 @@
# UPDATEDEFAULT specifies if new-kernel-pkg should make
# new kernels the default
UPDATEDEFAULT=yes
# DEFAULTKERNEL specifies the default kernel package type
DEFAULTKERNEL=kernel$

12
sysconfig/maldet Normal file

@@ -0,0 +1,12 @@
##
# Linux Malware Detect v1.6.4
# (C) 2002-2019, R-fx Networks <proj@rfxn.com>
# (C) 2019, Ryan MacDonald <ryan@rfxn.com>
# This program may be freely redistributed under the terms of the GNU GPL v2
##
# MONITOR_MODE
# users | monitor all local unix users
# PATH FILE | read path file, line spaced, for local paths to monitor
#MONITOR_MODE="users"
#MONITOR_MODE="/usr/local/maldetect/monitor_paths"

10
sysconfig/man-db Normal file

@@ -0,0 +1,10 @@
# Set this to "no" to disable man-db update triggered by installation
# of any package containing manual pages
SERVICE="yes"
# Set this to "no" to disable daily man-db update run by
# /etc/cron.daily/man-db.cron
CRON="yes"
# Options used by mandb, we use "-q" as default, too much noise without it
OPTS="-q"

5
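--- a/sysconfig/memcached
+++ b/sysconfig/memcached
@@ -0,0 +1,5 @@
+PORT="11211"
+USER="memcached"
+MAXCONN="256"
+CACHESIZE="64"
+OPTIONS="-l 127.0.0.1 -U 0"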

17
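--- a/sysconfig/named
+++ b/sysconfig/named
@@ -0,0 +1,17 @@
+# BIND named process options
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# OPTIONS="whatever" -- These additional options will be passed to named
+# at startup. Don't add -t here, enable proper
+# -chroot.service unit file.
+#
+# NAMEDCONF=/etc/named/alternate.conf
+# -- Don't use -c to change configuration file.
+# Extend systemd named.service instead or use this
+# variable.
+#
+# DISABLE_ZONE_CHECKING -- By default, service file calls named-checkzone
+# utility for every zone to ensure all zones are
+# valid before named starts. If you set this option
+# to 'yes' then service file doesn't perform those
+# checks.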

2
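--- a/sysconfig/network
+++ b/sysconfig/network
@@ -0,0 +1,2 @@
+NETWORKING=yes
+NOZEROCONF=yes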


@@ -0,0 +1,7 @@
DEVICE=eth0
BOOTPROTO=static
NM_CONTROLLED=no
TYPE=Ethernet
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=192.168.1.2


@@ -0,0 +1,9 @@
DEVICE=lo
IPADDR=127.0.0.1
NETMASK=255.0.0.0
NETWORK=127.0.0.0
# If you're having problems with gated making 127.0.0.0/8 a martian,
# you can change this to something else (255.255.255.255, for example)
BROADCAST=127.255.255.255
ONBOOT=yes
NAME=loopback


@@ -0,0 +1,77 @@
#!/bin/bash
unset WINDOW # defined by screen, conflicts with our usage
. /etc/init.d/functions
cd /etc/sysconfig/network-scripts
. ./network-functions
[ -f ../network ] && . ../network
CONFIG=$1
[ -z "$CONFIG" ] && {
echo $"usage: ifdown <configuration>" >&2
exit 1
}
if ! [ -f /etc/sysconfig/disable-deprecation-warnings ] && ! is_true ${DEPRECATION_WARNING_ISSUED}; then
net_log $"You are using 'ifdown' script provided by 'network-scripts', which are now deprecated." warning ifdown >&2
net_log $"'network-scripts' will be removed in one of the next major releases of RHEL." warning ifdown >&2
net_log $"It is advised to switch to 'NetworkManager' instead - it provides 'ifup/ifdown' scripts as well." warning ifdown >&2
fi
need_config "${CONFIG}"
[ -f "$CONFIG" ] || {
echo $"usage: ifdown <configuration>" >&2
exit 1
}
if [ $UID != 0 ]; then
if [ -x /usr/sbin/usernetctl ]; then
source_config
if /usr/sbin/usernetctl ${CONFIG} report ; then
exec /usr/sbin/usernetctl ${CONFIG} down
fi
fi
echo $"Users cannot control this device." >&2
exit 1
fi
source_config
if [ -n "$IN_HOTPLUG" ] && [ "${HOTPLUG}" = "no" -o "${HOTPLUG}" = "NO" ]
then
exit 0
fi
if [ "$_use_nm" = "true" ]; then
if [ -n "$UUID" -a -z "$DEVICE" ]; then
DEVICE=$(nmcli -t --fields uuid,device con show --active | awk -F ':' "\$1 == \"$UUID\" { print \$2 }")
fi
if [ -n "$DEVICE" ] && ! is_nm_device_unmanaged "$DEVICE" ; then
if ! LC_ALL=C nmcli -t -f STATE,DEVICE dev status | grep -Eq "^(failed|disconnected|unmanaged|unavailable):$DEVICE$"; then
nmcli dev disconnect "$DEVICE"
exit $?
fi
exit 0
fi
fi
if [ -x /sbin/ifdown-pre-local ]; then
/sbin/ifdown-pre-local ${DEVICE}
fi
OTHERSCRIPT="/etc/sysconfig/network-scripts/ifdown-${DEVICETYPE}"
if [ ! -x ${OTHERSCRIPT} ]; then
OTHERSCRIPT="/etc/sysconfig/network-scripts/ifdown-${TYPE}"
fi
if [ ! -x ${OTHERSCRIPT} ]; then
OTHERSCRIPT="/etc/sysconfig/network-scripts/ifdown-eth"
fi
exec ${OTHERSCRIPT} ${CONFIG} $2


@@ -0,0 +1,49 @@
#!/bin/sh
# Copyright (C) 2012-2015 Jiri Pirko <jiri@resnulli.us>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
. /etc/init.d/functions
cd /etc/sysconfig/network-scripts
. ./network-functions
[ -f ../network ] && . ../network
CONFIG=${1}
need_config "${CONFIG}"
source_config
if [ "${DEVICETYPE}" = "Team" ]; then
# This means that this was called directly, not via ifdown-eth
# so execute ifdown-eth now.
/etc/sysconfig/network-scripts/ifdown-eth ${CONFIG} $2
fi
if [ -n "${TEAM_CONFIG}" ]; then
if [ ! -x /usr/bin/teamd ]; then
net_log $"Team support not available: teamd not found"
exit 1
fi
# Bring down all existing port devices now
for device in $(LANG=C egrep -l "^[[:space:]]*TEAM_MASTER=\"?${DEVICE}\"?" /etc/sysconfig/network-scripts/ifcfg-*) ; do
is_ignored_file "$device" && continue
/sbin/ifdown ${device##*/}
done
/usr/bin/systemctl stop teamd@${DEVICE}.service --ignore-dependencies || exit 1
fi


@@ -0,0 +1,49 @@
#!/bin/sh
# Copyright (C) 2012-2015 Jiri Pirko <jiri@resnulli.us>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
. /etc/init.d/functions
cd /etc/sysconfig/network-scripts
. ./network-functions
[ -f ../network ] && . ../network
CONFIG=${1}
need_config "${CONFIG}"
source_config
if [ -n "${TEAM_MASTER}" ]; then
if [ ! -x /usr/bin/teamdctl ]; then
net_log $"Team support not available: teamdctl not found"
exit 1
fi
/sbin/ip link show ${TEAM_MASTER} > /dev/null 2>&1
if [ $? -ne 0 ]; then
net_log $"Team master is not present, skipping port device removal from master" info
exit 0
fi
/usr/bin/teamdctl ${TEAM_MASTER} port remove ${DEVICE} || exit 1
fi
if [ "${DEVICETYPE}" = "TeamPort" ]; then
# This means that this was called directly, not via ifdown-eth
# so execute ifdown-eth now.
exec /etc/sysconfig/network-scripts/ifdown-eth ${CONFIG} $2
fi


@@ -0,0 +1,49 @@
#! /bin/bash
. /etc/init.d/functions
cd /etc/sysconfig/network-scripts
. ./network-functions
[ -f ../network ] && . ../network
CONFIG=${1}
source_config
# On hotplug events, just bring the virtual device up as if it's normal Ethernet
if [ -n "$IN_HOTPLUG" ]; then
exec /etc/sysconfig/network-scripts/ifdown-eth ${CONFIG} $2
fi
stop_panu()
{
kill -TERM $(cat /run/pand-${DEVICE}.pid)
}
stop_nap()
{
kill -TERM $(cat /run/pand-${DEVICE}.pid)
/usr/bin/pand -K
}
stop_gn()
{
:
}
case "$ROLE" in
PANU)
stop_panu
;;
NAP)
stop_nap
;;
GN)
stop_gn
;;
*)
echo Unknown BNEP mode :$ROLE
;;
esac


@@ -0,0 +1,183 @@
#!/bin/bash
# Network Interface Configuration System
# Copyright (c) 1996-2009 Red Hat, Inc. all rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2,
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
. /etc/init.d/functions
cd /etc/sysconfig/network-scripts
. ./network-functions
[ -f ../network ] && . ../network
CONFIG=${1}
source_config
. /etc/sysconfig/network
# Check to make sure the device is actually up
check_device_down ${DEVICE} && [ "$BOOTPROTO" != "dhcp" -a "$BOOTPROTO" != "bootp" ] && [ -n "$VLAN" -a "$VLAN" != "yes" ] && exit 0
if [ -n "${TEAM_MASTER}" ] && [ ! "${DEVICETYPE}" = "TeamPort" ] && [ -x ./ifdown-TeamPort ]; then
./ifdown-TeamPort ${CONFIG} $2
fi
if [ "${SLAVE}" != "yes" -o -z "${MASTER}" ]; then
if [ -n "${HWADDR}" -a -z "${MACADDR}" ]; then
FOUNDMACADDR=$(get_hwaddr ${REALDEVICE})
if [ -n "${FOUNDMACADDR}" -a "${FOUNDMACADDR}" != "${HWADDR}" ]; then
NEWCONFIG=$(get_config_by_hwaddr ${FOUNDMACADDR})
if [ -n "${NEWCONFIG}" ]; then
eval $(LANG=C grep -F "DEVICE=" $NEWCONFIG)
else
net_log $"Device ${DEVICE} has MAC address ${FOUNDMACADDR}, instead of configured address ${HWADDR}. Ignoring."
exit 1
fi
if [ -n "${NEWCONFIG}" -a "${NEWCONFIG##*/}" != "${CONFIG##*/}" -a "${DEVICE}" = "${REALDEVICE}" ]; then
exec /sbin/ifdown ${NEWCONFIG}
else
net_log $"Device ${DEVICE} has MAC address ${FOUNDMACADDR}, instead of configured address ${HWADDR}. Ignoring."
exit 1
fi
fi
fi
fi
if is_bonding_device ${DEVICE} ; then
for device in $(LANG=C grep -l "^[[:space:]]*MASTER=['\"]\?${DEVICE}['\"]\?\([[:space:]#]\|$\)" /etc/sysconfig/network-scripts/ifcfg-*) ; do
is_ignored_file "$device" && continue
/sbin/ifdown ${device##*/}
done
for arg in $BONDING_OPTS ; do
key=${arg%%=*};
[[ "${key}" != "arp_ip_target" ]] && continue
value=${arg##*=};
if [ "${value:0:1}" != "" ]; then
OLDIFS=$IFS;
IFS=',';
for arp_ip in $value; do
if grep -q $arp_ip /sys/class/net/${DEVICE}/bonding/arp_ip_target; then
echo "-$arp_ip" > /sys/class/net/${DEVICE}/bonding/arp_ip_target
fi
done
IFS=$OLDIFS;
else
value=${value#+};
if grep -q $value /sys/class/net/${DEVICE}/bonding/arp_ip_target; then
echo "-$value" > /sys/class/net/${DEVICE}/bonding/arp_ip_target
fi
fi
done
fi
/etc/sysconfig/network-scripts/ifdown-ipv6 ${CONFIG}
retcode=0
for VER in "" 6 ; do
if [ -f "/run/dhclient$VER-${DEVICE}.pid" ]; then
dhcpid=$(cat /run/dhclient$VER-${DEVICE}.pid)
generate_lease_file_name $VER
if is_true "$DHCPRELEASE"; then
/sbin/dhclient -r -lf ${LEASEFILE} -pf /run/dhclient$VER-${DEVICE}.pid ${DEVICE} >/dev/null 2>&1
retcode=$?
else
kill $dhcpid >/dev/null 2>&1
retcode=$?
reason=STOP$VER interface=${DEVICE} /sbin/dhclient-script
fi
if [ -f "/run/dhclient$VER-${DEVICE}.pid" ]; then
rm -f /run/dhclient$VER-${DEVICE}.pid
kill $dhcpid >/dev/null 2>&1
fi
fi
done
# we can't just delete the configured address because that address
# may have been changed in the config file since the device was
# brought up. Flush all addresses associated with this
# instance instead.
if [ -d "/sys/class/net/${REALDEVICE}" ]; then
LABEL=
if [ "${REALDEVICE}" != "${DEVICE}" ]; then
LABEL="label ${DEVICE}"
fi
if [ "${REALDEVICE}" = "lo" ]; then
TIMEOUT=""
[ -x /usr/bin/timeout ] && TIMEOUT="/usr/bin/timeout --signal=SIGQUIT 4"
$TIMEOUT ip addr flush dev ${REALDEVICE} ${LABEL} scope global 2>/dev/null
$TIMEOUT ip addr flush dev ${REALDEVICE} ${LABEL} scope host 2>/dev/null
else
ip addr flush dev ${REALDEVICE} ${LABEL} scope global 2>/dev/null
ip -4 addr flush dev ${REALDEVICE} ${LABEL} scope host 2>/dev/null
fi
if [ "${SLAVE}" = "yes" -a -n "${MASTER}" ]; then
echo "-${DEVICE}" > /sys/class/net/${MASTER}/bonding/slaves 2>/dev/null
fi
if [ "${REALDEVICE}" = "${DEVICE}" ]; then
ip link set dev ${DEVICE} down 2>/dev/null
fi
fi
[ "$retcode" = "0" ] && retcode=$?
if [ -n "${BRIDGE}" ]; then
ip link set dev ${DEVICE} nomaster down
# Upon removing a device from a bridge,
# it's necessary to make radvd reload its config
[ -r /run/radvd/radvd.pid ] && kill -HUP $(cat /run/radvd/radvd.pid)
if [ -d /sys/class/net/${BRIDGE}/brif ] && [ $(ls -1 /sys/class/net/${BRIDGE}/brif | wc -l) -eq 0 ]; then
ip link del ${BRIDGE}
fi
fi
if [ "${TYPE}" = "Tap" ]; then
TUNMODE="mode tap"
[[ ${DEVICE} == tun* ]] && TUNMODE="mode tun"
ip tuntap del ${TUNMODE} dev ${DEVICE} >/dev/null
fi
if [ -n "${TEAM_CONFIG}" ] && [ ! "${DEVICETYPE}" = "Team" ] && [ -x ./ifdown-Team ]; then
./ifdown-Team ${CONFIG} $2
fi
# wait up to 5 seconds for device to actually come down...
waited=0
while ! check_device_down ${DEVICE} && [ "$waited" -lt 50 ] ; do
sleep 0.01
waited=$(($waited+1))
done
# don't leave an outdated key sitting around
if [ -n "${WIRELESS_ENC_KEY}" ] && [ -x /sbin/iwconfig ]; then
/sbin/iwconfig ${DEVICE} enc 0 >/dev/null 2>&1
fi
if [ "$retcode" = 0 ] ; then
/etc/sysconfig/network-scripts/ifdown-post $CONFIG
# do NOT use $? because ifdown should return whether or not
# the interface went down.
fi
if [ -n "$VLAN" ]; then
# 802.1q VLAN
if [ -f /proc/net/vlan/${DEVICE} ]; then
ip link delete ${DEVICE} type vlan
fi
fi
exit $retcode


@@ -0,0 +1,34 @@
#! /bin/sh
PATH=/sbin:/usr/sbin:/bin:/usr/bin
# Get global network configuration
[ -f /etc/sysconfig/network ] && . /etc/sysconfig/network
CONFIG=$1
. ./$CONFIG
# stopping ibod daemon for channel bundling
if [ -f /var/lock/subsys/ibod ] ; then
kill -9 $(pidof ibod) >/dev/null 2>&1
rm -f /var/lock/subsys/ibod
fi
# Shut down IPv6
/etc/sysconfig/network-scripts/ifdown-ipv6 $CONFIG
# shutdown isdn device
isdnctrl hangup $DEVICE >/dev/null 2>&1
sleep 1
ip link set dev $DEVICE down >/dev/null 2>&1
# delete isdn device
isdnctrl delif $DEVICE >/dev/null 2>&1
# kill ipppd daemon
if [ -f /run/ipppd.$DEVICE.pid ] ; then
pppdpid=$(cat /run/ipppd.$DEVICE.pid)
kill -9 $pppdpid > /dev/null 2>&1
rm -f /run/ipppd.$DEVICE.pid > /dev/null 2>&1
fi


@@ -0,0 +1,139 @@
#!/bin/sh
#
# ifdown-ipv6
#
#
# Taken from:
# (P) & (C) 2000-2004 by Peter Bieringer <pb@bieringer.de>
#
# You will find more information on the initscripts-ipv6 homepage at
# http://www.deepspace6.net/projects/initscripts-ipv6.html
#
# RHL integration assistance by Pekka Savola <pekkas@netcore.fi>
#
# Version 2005-09-22
#
# Note: if called as (like normally) by /etc/sysconfig/network-scripts/ifdown
# exit codes aren't handled by "ifdown"
#
# Uses following information from /etc/sysconfig/network-scripts/ifcfg-$1:
# DEVICE=<device>
# IPV6INIT=yes|no: controls IPv6 configuration for this interface
#
# Optional for 6to4 tunneling:
# IPV6TO4_RELAY=<IPv4 address>: IPv4 address of the remote 6to4 relay [default: 192.88.99.1]
# IPV6TO4_ROUTING="<device>-<suffix>/<prefix length> ...": information to setup internal interfaces
#
# Optional for 6to4 tunneling links to trigger radvd:
# IPV6_CONTROL_RADVD=yes|no: controls radvd triggering [optional]
# IPV6_RADVD_PIDFILE=<file>: PID file of radvd for sending signals, default is "/run/radvd/radvd.pid" [optional]
# IPV6_RADVD_TRIGGER_ACTION=startstop|reload|restart|SIGHUP: how to trigger radvd [optional, default is SIGHUP]
#
# Required version of radvd to use 6to4 prefix recalculation
# 0.6.2p3 or newer supporting option "Base6to4Interface"
# Required version of radvd to use dynamic ppp links
# 0.7.0 + fixes or newer
#
. /etc/sysconfig/network
cd /etc/sysconfig/network-scripts
. ./network-functions
CONFIG=$1
[ -f "$CONFIG" ] || CONFIG=ifcfg-$CONFIG
source_config
REALDEVICE=${DEVICE%%:*}
DEVICE=$REALDEVICE
[ -f /etc/sysconfig/network-scripts/network-functions-ipv6 ] || exit 1
. /etc/sysconfig/network-scripts/network-functions-ipv6
# IPv6 test, no module loaded, exit if system is not IPv6-ready
ipv6_test testonly || exit 0
# Test device status
ipv6_test_device_status $DEVICE
if [ $? != 0 -a $? != 11 ]; then
# device doesn't exist or other problem occurs
exit 1
fi
if [ ! "$IPV6_SET_SYSCTLS" = "no" ]; then
# Switch some sysctls to secure mode
/sbin/sysctl -e -w net.ipv6.conf.$SYSCTLDEVICE.forwarding=0 >/dev/null 2>&1
/sbin/sysctl -e -w net.ipv6.conf.$SYSCTLDEVICE.accept_ra=0 >/dev/null 2>&1
/sbin/sysctl -e -w net.ipv6.conf.$SYSCTLDEVICE.accept_redirects=0 >/dev/null 2>&1
fi
/sbin/ip link set $DEVICE addrgenmode eui64 >/dev/null 2>&1
# Test status of tun6to4 device
ipv6_test_device_status tun6to4
if [ $? = 0 -o $? = 11 ]; then
# Device exists
valid6to4config="yes"
if [ -z "$IPV6TO4_RELAY" ]; then
IPV6TO4_RELAY="192.88.99.1"
fi
# Get IPv4 address from interface
if [ -n "$IPV6TO4_IPV4ADDR" ]; then
# Take special configured from config file (precedence 1)
ipv4addr="$IPV6TO4_IPV4ADDR"
# Get IPv4 address from interface first
ipv4addrlocal="$(ipv6_get_ipv4addr_of_device $DEVICE)"
if [ -z "$ipv4addrlocal" ]; then
# Take configured from config file
ipv4addrlocal="$IPADDR"
fi
else
# Get IPv4 address from interface first (has precedence 2)
ipv4addr="$(ipv6_get_ipv4addr_of_device $DEVICE)"
if [ -z "$ipv4addr" ]; then
# Take configured from config file (precedence 3)
ipv4addr="$IPADDR"
fi
ipv4addrlocal="$ipv4addr"
fi
# Get local IPv4 address of dedicated tunnel
ipv4addr6to4local="$(ipv6_get_ipv4addr_of_tunnel tun6to4 local)"
if [ -z "$ipv4addrlocal" -o -z "$ipv4addr6to4local" ]; then
# no IPv4 addresses given, 6to4 sure not configured
valid6to4config="no"
else
# Check against configured 6to4 tunnel to see if this interface was
# used before
if [ "$ipv4addrlocal" != "$ipv4addr6to4local" ]; then
# IPv4 address of interface does't match local tunnel address,
# interface was not used for current 6to4 setup
valid6to4config="no"
fi
fi
fi
# Shutdown of 6to4, if configured
if [ "$valid6to4config" = "yes" ]; then
if [ -n "$IPV6TO4_ROUTING" ]; then
# Delete routes to local networks
for devsuf in $IPV6TO4_ROUTING; do
dev="${devsuf%%-*}"
ipv6_cleanup_6to4_device $dev
done
fi
# Delete all configured 6to4 address
ipv6_cleanup_6to4_tunnels tun6to4
# Control running radvd
ipv6_trigger_radvd down "$IPV6_RADVD_TRIGGER_ACTION" $IPV6_RADVD_PIDFILE
fi
# Delete all current configured IPv6 addresses on this interface
ipv6_cleanup_device $DEVICE


@@ -0,0 +1 @@
ifdown-ippp


@@ -0,0 +1,69 @@
#!/bin/sh
# This should be called whenever an interface goes down, not just when
# it is brought down explicitly.
cd /etc/sysconfig/network-scripts
. ./network-functions
unset REALDEVICE
if [ "$1" = --realdevice ] ; then
REALDEVICE=$2
shift 2
fi
CONFIG=$1
source_config
[ -z "$REALDEVICE" ] && REALDEVICE=$DEVICE
/etc/sysconfig/network-scripts/ifdown-routes ${REALDEVICE} ${DEVNAME}
# Remove duplicate DNS entries and shift them,
# to have always correct condition below...
update_DNS_entries
if ! is_false "${PEERDNS}" || is_true "${RESOLV_MODS}" && \
[ "${DEVICETYPE}" = "ppp" -o "${DEVICETYPE}" = "ippp" -o -n "${DNS1}" \
-o "${BOOTPROTO}" = "bootp" -o "${BOOTPROTO}" = "dhcp" ] ; then
if [ -f /etc/resolv.conf.save ]; then
change_resolv_conf /etc/resolv.conf.save
rm -f /etc/resolv.conf.save
fi
if [ "${DEVICETYPE}" = "ppp" -o "${DEVICETYPE}" = "ippp" ]; then
if [ -f /etc/ppp/peers/$DEVICE ] ; then
rm -f /etc/ppp/peers/$DEVICE
fi
fi
fi
# Reset the default route if this interface had a special one
if ! check_default_route ; then
# ISDN device needs special handling dial on demand
if [ "${DEVICETYPE}" = "ippp" -o "${DEVICETYPE}" = "isdn" ] && \
[ "$DIALMODE" = "auto" ] ; then
if [ -z "$GATEWAY" ] ; then
/sbin/ip route add default ${METRIC:+metric} \
${WINDOW:+window $WINDOW} dev ${DEVICE}
else
/sbin/ip route add default ${METRIC:+metric} \
${WINDOW:+window $WINDOW} via ${GATEWAY}
fi
else
add_default_route ${DEVICE}
fi
fi
# Reset firewall zone (empty ZONE means default):
if [ "${REALDEVICE}" != "lo" ]; then
dbus-send --print-reply --system --dest=org.fedoraproject.FirewallD1 \
/org/fedoraproject/FirewallD1 \
org.fedoraproject.FirewallD1.zone.removeInterface \
string:"" string:"${DEVICE}" \
> /dev/null 2>&1
fi
if [ -x /sbin/ifdown-local ]; then
/sbin/ifdown-local ${DEVICE}
fi
exit 0
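Review bot: Both `/sbin/ip route add default` calls in the ISDN dial-on-demand branch expand `${METRIC:+metric}` to the bare word `metric` with no value, so when METRIC is set the following token is parsed as the metric and the default route is most likely not restored. The alias script later on this page uses the complete form, and the same should be used here: `${METRIC:+metric $METRIC}`. Separately, `rm -f /etc/ppp/peers/$DEVICE` puts an unquoted config value into a path that is deleted; writing it as `rm -f "/etc/ppp/peers/$DEVICE"` keeps a value with spaces or glob characters from widening the delete.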


@@ -0,0 +1,33 @@
#! /bin/bash
#
# Drops static routes which go through device $1
if [ -z "$1" ]; then
echo $"usage: ifdown-routes <net-device> [<nickname>]"
exit 1
fi
# The routes are actually dropped just by setting the link down, so nothing
# needs to be done
MATCH='^[[:space:]]*(\#.*)?$'
# Routing rules
FILES="/etc/sysconfig/network-scripts/rule-$1 /etc/sysconfig/network-scripts/rule6-$1"
if [ -n "$2" -a "$2" != "$1" ]; then
FILES="$FILES /etc/sysconfig/network-scripts/rule-$2 /etc/sysconfig/network-scripts/rule6-$2"
fi
for file in $FILES; do
if [ -f "$file" ]; then
proto=
if [ "$file" != "${file##*/rule6-}" ]; then
proto="-6"
fi
{ cat "$file" ; echo ; } | while read line; do
if [[ ! "$line" =~ $MATCH ]]; then
/sbin/ip $proto rule del $line
fi
done
fi
done
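Review bot: `while read line` followed by the unquoted `/sbin/ip $proto rule del $line` lets the shell process backslashes and expand glob characters in each rule-file line before `ip` sees it. The word splitting is wanted here, but pathname expansion is not; I would read with `read -r line` and disable globbing around the call with `set -f`. `for file in $FILES` has the same exposure for the device names passed as `$1` and `$2`, since the paths are built by unquoted concatenation.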


@@ -0,0 +1,58 @@
#!/bin/bash
#
# ifdown-sit
#
#
# Taken from:
# (P) & (C) 2000-2003 by Peter Bieringer <pb@bieringer.de>
#
# You will find more information on the initscripts-ipv6 homepage at
# http://www.deepspace6.net/projects/initscripts-ipv6.html
#
# RHL integration assistance by Pekka Savola <pekkas@netcore.fi>
#
# Version 2002-11-01
#
# Uses following information from /etc/sysconfig/network-scripts/ifcfg-$1:
# DEVICE=<device>
#
. /etc/sysconfig/network
cd /etc/sysconfig/network-scripts
. ./network-functions
CONFIG=$1
[ -f "$CONFIG" ] || CONFIG=ifcfg-$CONFIG
source_config
# IPv6 don't need aliases anymore, config is skipped
REALDEVICE=${DEVICE%%:*}
[ "$DEVICE" != "$REALDEVICE" ] && exit 0
[ -f /etc/sysconfig/network-scripts/network-functions-ipv6 ] || exit 1
. /etc/sysconfig/network-scripts/network-functions-ipv6
# Generic tunnel device sit0 is not supported here
if [ "$DEVICE" = "sit0" ]; then
net_log $"Device '$DEVICE' isn't supported here, use IPV6_AUTOTUNNEL setting and restart (IPv6) networking"
exit 1
fi
# IPv6 test, no module loaded, exit if system is not IPv6-ready
ipv6_test testonly || exit 0
# Test device status
ipv6_test_device_status $DEVICE
if [ $? != 0 -a $? != 11 ]; then
# device doesn't exist or other problem occurs
exit 0
fi
# Cleanup additional static routes
/etc/sysconfig/network-scripts/ifdown-routes ${REALDEVICE}
# Cleanup and shut down IPv6-in-IPv4 tunnel device
ipv6_del_tunnel_device $DEVICE


@@ -0,0 +1,45 @@
#!/bin/bash
# Copyright (C) 1996-2006 Red Hat, Inc. all rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2,
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
# Thanks to:
# - Razvan Corneliu C.R. Vilt <razvan.vilt@linux360.ro>
# - Aaron Hope <aaron.hope@unh.edu>
# - Sean Millichamp <sean@enertronllc.com>
# for providing the scripts this one is based on
. /etc/init.d/functions
cd /etc/sysconfig/network-scripts
. ./network-functions
[ -f ../network ] && . ../network
CONFIG=$1
need_config "$CONFIG"
source_config
# Generic tunnel devices are not supported here
if [ "$DEVICE" = gre0 -o "$DEVICE" = tunl0 -o "$DEVICE" = ip6tnl0 ]; then
net_log $"Device '$DEVICE' isn't supported as a valid GRE device name."
exit 1
fi
check_device_down "$DEVICE" && exit 0
/sbin/ip link set dev "$DEVICE" down
/sbin/ip tunnel del "$DEVICE"
exec /etc/sysconfig/network-scripts/ifdown-post "$CONFIG"

170
sysconfig/network-scripts/ifup Executable file

@@ -0,0 +1,170 @@
#!/bin/bash
# Network Interface Configuration System
# Copyright (c) 1996-2009 Red Hat, Inc. all rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2,
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
unset WINDOW # defined by screen, conflicts with our usage
. /etc/init.d/functions
cd /etc/sysconfig/network-scripts
. ./network-functions
[ -f ../network ] && . ../network
CONFIG=${1}
[ -z "${CONFIG}" ] && {
echo $"Usage: ifup <configuration>" >&2
exit 1
}
if ! [ -f /etc/sysconfig/disable-deprecation-warnings ] && ! is_true ${DEPRECATION_WARNING_ISSUED}; then
net_log $"You are using 'ifup' script provided by 'network-scripts', which are now deprecated." warning ifup >&2
net_log $"'network-scripts' will be removed in one of the next major releases of RHEL." warning ifup >&2
net_log $"It is advised to switch to 'NetworkManager' instead - it provides 'ifup/ifdown' scripts as well." warning ifup >&2
fi
need_config "${CONFIG}"
[ -f "${CONFIG}" ] || {
echo $"$0: configuration for ${1} not found." >&2
echo $"Usage: ifup <configuration>" >&2
exit 1
}
if [ ${UID} != 0 ]; then
if [ -x /usr/sbin/usernetctl ]; then
source_config
if /usr/sbin/usernetctl ${CONFIG} report ; then
exec /usr/sbin/usernetctl ${CONFIG} up
fi
fi
echo $"Users cannot control this device." >&2
exit 1
fi
source_config
if [ "foo$2" = "fooboot" ] && [ "${ONBOOT}" = "no" -o "${ONBOOT}" = "NO" ]
then
exit 0
fi
if [ -n "$IN_HOTPLUG" ] && [ "${HOTPLUG}" = "no" -o "${HOTPLUG}" = "NO" ]
then
exit 0
fi
if [ -n "$IN_HOTPLUG" -a "${TYPE}" = "Bridge" ];
then
exit 0
fi
if [ "$_use_nm" = "true" -a -n "$UUID" -a "$REALDEVICE" != "lo" ]; then
if [ "foo$2" = "fooboot" ] && [ "${TYPE}" = "Wireless" ]; then
exit 0
fi
[ -n "${DEVICE}" ] && is_nm_handling ${DEVICE} && exit 0
nmcli con up uuid "$UUID"
exit $?
fi
# Ethernet 802.1Q VLAN support
if [ "${VLAN}" = "yes" ] && [ "$ISALIAS" = "no" ] && [ -n "$DEVICE" ]; then
if [ -n "${VID}" ]; then
if test -z "$PHYSDEV"; then
net_log $"PHYSDEV should be set for device ${DEVICE}"
exit 1
fi
else
VID=""
MATCH='^.+\.[0-9]{1,4}$'
if [[ "${DEVICE}" =~ $MATCH ]]; then
VID=$(echo "${DEVICE}" | LC_ALL=C sed 's/^.*\.\([0-9]\+\)/\1/')
PHYSDEV=${DEVICE%.*}
fi
MATCH='^vlan[0-9]{1,4}?'
if [[ "${DEVICE}" =~ $MATCH ]]; then
VID=$(echo "${DEVICE}" | LC_ALL=C sed 's/^vlan0*//')
# PHYSDEV should be set in ifcfg-vlan* file
if test -z "$PHYSDEV"; then
net_log $"PHYSDEV should be set for device ${DEVICE}"
exit 1
fi
fi
fi
if [ -n "$VID" ]; then
if [ ! -d /proc/net/vlan ]; then
if ! modprobe 8021q >/dev/null 2>&1 ; then
net_log $"No 802.1Q VLAN support available in kernel for device ${DEVICE}"
exit 1
fi
fi
is_available_wait ${PHYSDEV} ${DEVTIMEOUT} || {
if [ "$?" = "1" ] ; then
net_log $"$alias device ${DEVICE} does not seem to be present, delaying initialization."
exit 1
else
exit 0
fi
}
# Link on Physical device needs to be up but no ip required
check_device_down ${PHYSDEV} && { ip -o link set dev ${PHYSDEV} up; }
if [ ! -f /proc/net/vlan/${DEVICE} ]; then
if [ "${REORDER_HDR}" = "no" -o "${REORDER_HDR}" = "0" ]; then
FLAG_REORDER_HDR="reorder_hdr off"
fi
if [ "${GVRP}" = "yes" -o "${GVRP}" = "1" ]; then
FLAG_GVRP="gvrp on"
fi
ip link add dev ${DEVICE} link ${PHYSDEV} type vlan id ${VID} ${FLAG_REORDER_HDR} ${FLAG_GVRP} || {
(/usr/bin/logger -p daemon.info -t ifup \
$"ERROR: could not add vlan ${VID} as ${DEVICE} on dev ${PHYSDEV}" &) &
net_log $"ERROR: could not add vlan ${VID} as ${DEVICE} on dev ${PHYSDEV}"
exit 1
}
[ -n "${VLAN_EGRESS_PRIORITY_MAP}" ] && ip link set dev ${DEVICE} type vlan egress ${VLAN_EGRESS_PRIORITY_MAP}
fi
fi
/usr/lib/systemd/systemd-sysctl \
--prefix "/proc/sys/net/ipv4/conf/${DEVICE}" \
--prefix "/proc/sys/net/ipv6/conf/${DEVICE}"
fi
if [ "${BOOTPROTO}" = "bootp" -o "${BOOTPROTO}" = "dhcp" ]; then
DYNCONFIG=true
fi
if [ -x /sbin/ifup-pre-local ]; then
/sbin/ifup-pre-local ${CONFIG} $2
fi
OTHERSCRIPT="/etc/sysconfig/network-scripts/ifup-${DEVICETYPE}"
if [ ! -x ${OTHERSCRIPT} ]; then
OTHERSCRIPT="/etc/sysconfig/network-scripts/ifup-${TYPE}"
fi
if [ ! -x ${OTHERSCRIPT} ]; then
OTHERSCRIPT="/etc/sysconfig/network-scripts/ifup-eth"
fi
exec ${OTHERSCRIPT} ${CONFIG} $2
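Review bot: The second VLAN name pattern, `MATCH='^vlan[0-9]{1,4}?'`, has no end anchor and puts `?` after an interval, which POSIX ERE leaves undefined, so a DEVICE such as `vlan12abc` matches and `sed 's/^vlan0*//'` then yields a VID of `12abc` that goes unvalidated into `ip link add ... type vlan id ${VID}`. Anchoring it like the first pattern, `MATCH='^vlan[0-9]{1,4}$'`, keeps VID numeric. The final dispatch also builds `OTHERSCRIPT` from `${DEVICETYPE}` and `${TYPE}` and runs `exec ${OTHERSCRIPT} ${CONFIG} $2` unquoted; quoting `"${OTHERSCRIPT}"` in the `-x` tests and the `exec` keeps a value containing spaces from changing which program is executed.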


@@ -0,0 +1,52 @@
#!/bin/sh
# Copyright (C) 2012-2015 Jiri Pirko <jiri@resnulli.us>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
. /etc/init.d/functions
cd /etc/sysconfig/network-scripts
. ./network-functions
[ -f ../network ] && . ../network
CONFIG=${1}
need_config "${CONFIG}"
source_config
# If the device is a team, create it with teamd, if available.
if [ -n "${TEAM_CONFIG}" ]; then
if [ ! -x /usr/bin/teamd ]; then
net_log $"Team support not available: teamd not found"
exit 1
fi
mkdir -p /run/teamd/ || exit 1
echo "${TEAM_CONFIG}" > /run/teamd/${DEVICE}.conf || exit 1
/usr/bin/systemctl start teamd@${DEVICE}.service || exit 1
# Bring up all existing port devices now
for device in $(LANG=C egrep -l "^[[:space:]]*TEAM_MASTER=\"?${DEVICE}\"?" /etc/sysconfig/network-scripts/ifcfg-*) ; do
is_ignored_file "$device" && continue
/sbin/ifup ${device##*/}
done
fi
if [ "${DEVICETYPE}" = "Team" ]; then
# This means that this was called directly, not via ifup-eth
# so execute ifup-eth now.
exec /etc/sysconfig/network-scripts/ifup-eth ${CONFIG} $2
fi
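Review bot: The port lookup `egrep -l "^[[:space:]]*TEAM_MASTER=\"?${DEVICE}\"?"` has no end anchor and inserts `${DEVICE}` into the regular expression unescaped, so bringing up `team0` also selects ifcfg files that set `TEAM_MASTER=team01`, and a `.` in the device name matches any character. Ending the pattern with `\"?[[:space:]]*$` restricts it to exact matches, and `grep -E` is the current spelling of `egrep`. The unquoted `/run/teamd/${DEVICE}.conf` redirect target and `teamd@${DEVICE}.service` unit name would also be safer quoted.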


@@ -0,0 +1,58 @@
#!/bin/sh
# Copyright (C) 2012-2015 Jiri Pirko <jiri@resnulli.us>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
. /etc/init.d/functions
cd /etc/sysconfig/network-scripts
. ./network-functions
[ -f ../network ] && . ../network
CONFIG=${1}
need_config "${CONFIG}"
source_config
if [ "${DEVICETYPE}" = "TeamPort" ]; then
# This means that this was called directly, not via ifup-eth
# so execute ifup-eth now.
/etc/sysconfig/network-scripts/ifup-eth ${CONFIG} $2
fi
if [ -n "${TEAM_MASTER}" ]; then
if [ ! -x /usr/bin/teamdctl ]; then
net_log $"Team support not available: teamdctl not found"
exit 1
fi
/sbin/ip link show ${TEAM_MASTER} > /dev/null 2>&1
if [ $? -ne 0 ]; then
net_log $"Team master is not present yet, delaying port device initialization" info
exit 0
fi
/usr/bin/teamdctl ${TEAM_MASTER} port present ${DEVICE} 2> /dev/null
if [ $? -eq 0 ]; then
# port is already part of the team, nothing to do
exit 0
fi
/sbin/ip link set dev ${DEVICE} down
if [ -n "${TEAM_PORT_CONFIG}" ]; then
/usr/bin/teamdctl ${TEAM_MASTER} port config update ${DEVICE} "${TEAM_PORT_CONFIG}" || exit 1
fi
/usr/bin/teamdctl ${TEAM_MASTER} port add ${DEVICE} || exit 1
fi


@@ -0,0 +1,370 @@
#!/bin/bash
#
# configures aliases of device $1
#
# This script goes out of its way to arrive at the configuration of ip
# aliases described in the ifcfg-$DEV:* and ifcfg-$DEV-range* files from
# whatever existing configuration it may be given: existing aliases not
# specified in the configuration will be removed, netmasks and broadcast
# addrs will be updated on existing aliases, and new aliases will be setup.
#
# range specification files:
#
# One can specify ranges of alised ipaddress using ifcfg-$DEV-range* files.
# Specify multiple ranges using multiple files, such as ifcfg-eth0-range0 and
# ifcfg-eth0-range1, etc. In these files, the following configuration variables
# specify the range:
#
# IPADDR_START -- ipaddr to start range at. eg "192.168.30.1"
# IPADDR_END -- ipaddr to end range at. eg "192.168.30.254"
# CLONENUM_START -- interface clone number to start using for this range. eg "0"
#
# The above example values create the interfaces eth0:0 through eth0:253 using
# ipaddrs 192.168.30.1 through 192.168.30.254, inclusive.
#
# Other configuration variables such as NETMASK and BROADCAST may be specified
# in the range file and will apply to all of the ipaddresses in the range. Range
# files also inherit configuration from the ifcfg-$DEV file just like normal.
#
# Note that IPADDR_START and IPADR_END are required to be in the same class-c
# block. I.e. IPADDR_START=192.168.30.1 and IPADDR_END=192.168.31.255 is
# not valid.
#
# speed with large sets of interfaces:
#
# Considerable effort was spent making this script fast. It can efficiently
# handle a thousand ip aliases on one interface.
#
# With large sets of ipaddresses the NO_ALIASROUTING=yes configuration is
# highly recommended. (This can be specified in ifcfg-$DEV and inherited.) This
# prevents this script from setting up routing details for the virtual
# interfaces, which I don't think is needed, because outgoing traffic can use the
# main interface. However, make your own conclusions on what you need.
#
# My test setup of four class C address blocks on a P166 took 25 seconds of
# which 16 seconds of this was spent in the ifcconfig calls. Without the
# NO_ALIASROUTING=yes config an additional 12 seconds is spent in route calls.
#
# notes on internals:
#
# This script uses the bash "eval" command to lookup shell variables with names
# which are generated from other shell variables. This allows us to, in effect,
# create hashes using the shell variable namesspace by just including the hash
# key in the name of the variable.
#
# This script originally written by: David Harris <dharris@drh.net>
# Principal Engineer, DRH Internet
# June 30, 1999
#
# modified by: Bill Nottingham <notting@redhat.com>
TEXTDOMAIN=initscripts
TEXTDOMAINDIR=/etc/locale
device=$1
if [ "$device" = "" ]; then
echo $"usage: ifup-aliases <net-device> [<parent-config>]\n"
exit 1
fi
PARENTCONFIG=${2:-ifcfg-$device}
parent_device=$device
cd /etc/sysconfig/network-scripts
. ./network-functions
# Grab the current configuration of any running aliases, place device info
# into variables of the form:
# rdev_<index>_addr = <ip address>
# rdev_<index>_pb = <prefix>_<broadcast>
# rdevip_<ipaddress> = <index>
# Example:
# rdev_0_addr=192.168.1.1
# rdev_0_pb=24_192.16.1.255
# rdevip_192_168_1_1=0
#
# A list of all the devices is created in rdev_LIST.
eval $( ip addr show $device label $device:* | \
awk 'BEGIN { COUNT=0;LAST_DEV="" } /inet / {
# Split IP address into address/prefix
split($2,IPADDR,"/");
# Create A_B_C_D IP address form
IP_ADDR=IPADDR[1];
gsub(/\./,"_",IP_ADDR);
# Split device into device:index
split($NF,DEV,":");
# Update last device
LAST_DEV=LAST_DEV " " DEV[2];
printf("rdev_%s_addr=%s\nrdevip_%s=%s\nrdev_%s_pb=%s_%s\nrdev_LIST=\"%s\"\n",
DEV[2],IPADDR[1],IP_ADDR,DEV[2],DEV[2],IPADDR[2],$4,LAST_DEV);
} END {
if(LAST_DEV == "") print "no_devices_are_up=yes"
}' );
#
# Store configuration of the parent device and network
#
# read from the /etc/sysconfig/network
eval ` (
. /etc/sysconfig/network;
echo network_GATEWAY=$GATEWAY\;;
echo network_GATEWAYDEV=$GATEWAYDEV\;;
) `
# read defaults from the parent config file
[ -f $PARENTCONFIG ] || {
net_log $"Missing config file $PARENTCONFIG."
exit 1
}
eval ` (
. ./$PARENTCONFIG;
echo default_PREFIX=$PREFIX\;;
echo default_NETMASK=$NETMASK\;;
echo default_BROADCAST=$BROADCAST\;;
echo default_GATEWAY=$GATEWAY\;;
echo default_NO_ALIASROUTING=$NO_ALIASROUTING\;;
echo default_ARPCHECK=$ARPCHECK\;;
echo default_ARPUPDATE=$ARPUPDATE\;;
) `
[ -z "$default_GATEWAY" ] && default_GATEWAY=$network_GATEWAY
function ini_env ()
{
DEVICE=""
IPADDR=""
IPV6ADDR=""
PREFIX=$default_PREFIX
NETMASK=$default_NETMASK
BROADCAST=$default_BROADCAST
GATEWAY=$default_GATEWAY
NO_ALIASROUTING=$default_NO_ALIASROUTING
ONPARENT=""
ARPCHECK=$default_ARPCHECK
ARPUPDATE=$default_ARPUPDATE
}
function is_default_gateway ()
{
LC_ALL=C /sbin/ip route ls default scope global \
| awk '$3 == "'"$1"'" { found = 1; } END { exit found == 0; }'
}
#
# Read the alias configuration files and enable each aliased
# device using new_interface()
#
function new_interface ()
{
ipa=$IPADDR; ipb=${ipa#*.}; ipc=${ipb#*.};
IPGLOP="${ipa%%.*}_${ipb%%.*}_${ipc%%.*}_${ipc#*.}";
DEVNUM=${DEVICE#*:}
MATCH='^[0-9A-Za-z_]*$'
if (LC_ALL=C; [[ ! "$DEVNUM" =~ $MATCH ]]); then
net_log $"error in $FILE: invalid alias number"
return 1
fi
eval "
ipseen=\$ipseen_${IPGLOP}; devseen=\$devseen_${DEVNUM};
ipseen_${IPGLOP}=$FILE; devseen_${DEVNUM}=$FILE;
";
if [ -n "$ipseen" ]; then
net_log $"error in $FILE: already seen ipaddr $IPADDR in $ipseen"
return 1
fi
if [ -n "$devseen" ]; then
net_log $"error in $FILE: already seen device $parent_device:$DEVNUM in $devseen"
return 1
fi
if [ -z "$DEVICE" -o -z "$IPADDR" ]; then
if [ -n "$IPV6ADDR" -a -n "$DEVICE" ] && ! is_false "$IPV6INIT"; then
/etc/sysconfig/network-scripts/ifup-ipv6 ${DEVICE}
return $?
fi
net_log $"error in $FILE: didn't specify device or ipaddr"
return 1
fi
if [ -z "$NETMASK" -a -z "$PREFIX" ]; then
net_log $"error iN $FILE: didn't specify netmask or prefix"
fi
if [ -z "$PREFIX" ]; then
eval $(/bin/ipcalc --prefix ${IPADDR} ${NETMASK})
fi
if [ -z "$BROADCAST" -o "$BROADCAST" = "$default_BROADCAST" ]; then
eval $(/bin/ipcalc --broadcast ${IPADDR}/${PREFIX})
fi
if [ "$no_devices_are_up" = "yes" ]; then
setup_this=yes
else
setup_this=""
eval "
rdev_addr=\$rdev_${DEVNUM}_addr;
rdev_pb=\$rdev_${DEVNUM}_pb;
rdev_mark=\$rdev_${DEVNUM}_mark;
rdevip=\$rdevip_${IPGLOP};
";
if [ -n "$rdev_addr" ]; then
if [ "$rdev_addr" = "${IPADDR}" ]; then
newmark=keep
if [ "$rdev_pb" != "${PREFIX}_${BROADCAST}" ]; then
setup_this=freshen
else
setup_this=no
fi
else
if [ "$rdev_mark" != "remove" ]; then
/sbin/ip addr flush dev $parent_device label $parent_device:${DEVNUM}
fi
newmark=remove
setup_this=yes
fi
if [ -n "$rdev_mark" -a "$rdev_mark" != "$newmark" ]; then
net_log $"error in ifcfg-${parent_device}: files"
return 1
fi
eval " rdev_${DEVNUM}_mark=\$newmark ";
else
setup_this=yes
fi
if [ -n "$rdevip" -a "$rdevip" != "${DEVNUM}" ]; then
eval " mark_remove=\$rdev_${rdevip}_mark ";
if [ -n "$mark_remove" -a "$mark_remove" != "remove" ]; then
net_log $"error in ifcfg-${parent_device}: files"
return 1
fi
if [ "$mark_remove" != "remove" ]; then
eval " rdev_${rdevip}_mark=remove ";
/sbin/ip addr flush dev $parent_device label $parent_device:$rdevip
fi
fi
fi
if [ "$setup_this" = "freshen" ] ; then
# we can do the freshen stuff right now
/sbin/ip addr change ${IPADDR}/${PREFIX} brd ${BROADCAST}
fi
if [ "$setup_this" = "yes" ] ; then
if [ "${parent_device}" != "lo" ] && [ "${ARPCHECK}" != "no" ] && \
is_available ${parent_device} && \
( grep -qswi "up" /sys/class/net/${parent_device}/operstate || grep -qswi "1" /sys/class/net/${parent_device}/carrier ) ; then
echo $"Determining if ip address ${IPADDR} is already in use for device ${parent_device}..."
ARPING=$(/sbin/arping -c 2 -w ${ARPING_WAIT:-3} -D -I ${parent_device} ${IPADDR})
if [ $? = 1 ]; then
ARPINGMAC=$(echo $ARPING | sed -ne 's/.*\[\(.*\)\].*/\1/p')
net_log $"Error, some other host ($ARPINGMAC) already uses address ${IPADDR}."
return 1
fi
fi
/sbin/ip addr add ${IPADDR}/${PREFIX} brd ${BROADCAST} \
dev ${parent_device} label ${DEVICE}
# update ARP cache of neighboring computers:
if ! is_false "${ARPUPDATE}" && [ "${REALDEVICE}" != "lo" ]; then
/sbin/arping -q -A -c 1 -I ${parent_device} ${IPADDR}
( sleep 2; /sbin/arping -q -U -c 1 -I ${parent_device} ${IPADDR} ) > /dev/null 2>&1 < /dev/null &
fi
! is_false "$IPV6INIT" && \
/etc/sysconfig/network-scripts/ifup-ipv6 ${DEVICE}
if [ "$NO_ALIASROUTING" != yes ]; then
GATEWAYDEV=$network_GATEWAYDEV;
if [ -n "${GATEWAY}" -a \
\( -z "${GATEWAYDEV}" -o "${GATEWAYDEV}" = "${DEVICE}" \) ]; then
# set up default gateway, if it isn't already there
if ! is_default_gateway "$GATEWAY"; then
ip route replace default ${METRIC:+metric $METRIC} via ${GATEWAY} dev ${DEVICE}
fi
fi
/etc/sysconfig/network-scripts/ifup-routes ${DEVICE} ${NAME}
ifuplocal_queue="$ifuplocal_queue $DEVICE"
fi
fi
}
if [ "$BASH_VERSINFO" ]; then
shopt -s nullglob
else
allow_null_glob_expansion=foo
fi
for FILE in ifcfg-${parent_device}:* ; do
is_ignored_file "$FILE" && continue
ini_env
. ./$FILE
[ -z "$DEVICE" ] && DEVICE=${FILE##ifcfg-}
[ "$ONPARENT" != "no" -a "$ONPARENT" != "NO" ] && new_interface
unset DEVICE
done
for FILE in ifcfg-${parent_device}-range* ; do
is_ignored_file "$FILE" && continue
ini_env
. ./$FILE
ipaddr_prefix=${IPADDR_START%.*}
ipaddr_startnum=${IPADDR_START##*.}
ipaddr_endnum=${IPADDR_END##*.}
if [ "${IPADDR_START%.*}" != "${IPADDR_END%.*}" ]; then
net_log $"error in $FILE: IPADDR_START and IPADDR_END don't agree"
continue
fi
if [ $ipaddr_startnum -gt $ipaddr_endnum ]; then
net_log $"error in $FILE: IPADDR_START greater than IPADDR_END"
continue
fi
ipaddr_num=$ipaddr_startnum
ipaddr_clonenum=$CLONENUM_START
while [ $ipaddr_num -le $ipaddr_endnum ]; do
IPADDR="$ipaddr_prefix.$ipaddr_num"
DEVICE="$parent_device:$ipaddr_clonenum"
IPV6INIT="no"
[ "$ONPARENT" != "no" -a "$ONPARENT" != "NO" ] && new_interface
ipaddr_num=$(($ipaddr_num+1))
ipaddr_clonenum=$(($ipaddr_clonenum+1))
done
done
#
# Remove any devices that should not be around
#
for DEVNUM in $rdev_LIST ; do
eval " rdev_mark=\$rdev_${DEVNUM}_mark "
if [ -z "$rdev_mark" ]; then
/sbin/ip addr flush dev $parent_device label $parent_device:${DEVNUM}
fi
done
if [ -x /sbin/ifup-local ]; then
for DEVICE in $ifuplocal_queue ; do
/sbin/ifup-local ${DEVICE}
done
fi
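Review bot: In `new_interface`, `DEVNUM` is checked against `^[0-9A-Za-z_]*$` before it is used to build variable names, but `IPGLOP` (derived from `IPADDR`) and `$FILE` go into the same `eval` string (`ipseen_${IPGLOP}=$FILE; devseen_${DEVNUM}=$FILE;`) with no check, so any shell metacharacter in the address or the file name is executed rather than stored. These values come from ifcfg files that are sourced anyway, so this is hardening rather than a privilege boundary, but it also turns a typo in `IPADDR` into arbitrary shell behaviour. I would apply the same test to `IPGLOP` before the eval, `[[ "$IPGLOP" =~ $MATCH ]] || return 1`, and write `\$FILE` escaped so it is expanded inside the eval. The `didn't specify netmask or prefix` branch further down logs the error but lacks the `return 1` its neighbours have.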


@@ -0,0 +1,55 @@
#! /bin/bash
. /etc/init.d/functions
cd /etc/sysconfig/network-scripts
. ./network-functions
[ -f ../network ] && . ../network
CONFIG=${1}
source_config
# On hotplug events, just bring the virtual device up as if it's normal Ethernet
if [ -n "$IN_HOTPLUG" ]; then
exec sh -x /etc/sysconfig/network-scripts/ifup-eth ${CONFIG} $2
fi
start_panu()
{
PANDARGS="--persist --pidfile=/run/pand-${DEVICE}.pid --ethernet=${DEVICE} --autozap"
[ "${CACHE}" != "no" -a "${CACHE}" != "NO" ] && PANDARGS="${PANDARGS} --cache"
if [ "${REMOTEBDADDR}" = "" ]; then
PANDARGS="${PANDARGS} --search"
else
PANDARGS="${PANDARGS} --connect ${REMOTEBDADDR}"
fi
/usr/bin/pand ${PANDARGS}
}
start_nap()
{
:
}
start_gn()
{
:
}
case "$ROLE" in
PANU)
start_panu
;;
NAP)
start_nap
;;
GN)
start_gn
;;
*)
echo Unknown BNEP mode :$ROLE
;;
esac
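Review bot: The hotplug branch runs `exec sh -x /etc/sysconfig/network-scripts/ifup-eth ${CONFIG} $2`, which turns on xtrace and so writes every expanded command, config values included, to stderr, and it runs the target under `sh` instead of the interpreter named on the target's own first line. This looks like leftover debugging; `exec /etc/sysconfig/network-scripts/ifup-eth ${CONFIG} $2` matches how the other scripts on this page hand off. The `*)` arm of the `case` prints `Unknown BNEP mode` but the script still exits 0; an `exit 1` there would let the caller see the failure.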


@@ -0,0 +1,383 @@
#!/bin/bash
# Network Interface Configuration System
# Copyright (c) 1996-2014 Red Hat, Inc. all rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2,
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
. /etc/init.d/functions
cd /etc/sysconfig/network-scripts
. ./network-functions
[ -f ../network ] && . ../network
CONFIG=${1}
need_config "${CONFIG}"
source_config
if [ "${BOOTPROTO}" = "bootp" -o "${BOOTPROTO}" = "dhcp" ]; then
DYNCONFIG=true
fi
# load the module associated with that device
# /sbin/modprobe ${REALDEVICE}
is_available ${REALDEVICE}
# bail out, if the MAC does not fit
if [ -n "${HWADDR}" ]; then
FOUNDMACADDR=$(get_hwaddr ${REALDEVICE})
if [ "${FOUNDMACADDR}" != "${HWADDR}" -a "${FOUNDMACADDR}" != "${MACADDR}" ]; then
net_log $"Device ${DEVICE} has different MAC address than expected, ignoring."
exit 1
fi
fi
# If the device is a bridge, create it
if [ "${TYPE}" = "Bridge" ]; then
bridge_opts=""
[ -n "${DELAY}" ] && bridge_opts+="forward_delay ${DELAY} "
if is_true "${STP}"; then
bridge_opts+="stp_state 1 "
elif is_false "${STP}"; then
bridge_opts+="stp_state 0 "
fi
[ -n "${PRIO}" ] && bridge_opts+="priority ${PRIO} "
[ -n "${AGEING}" ] && bridge_opts+="ageing_time ${AGEING} "
if [ ! -d /sys/class/net/${DEVICE}/bridge ]; then
ip link add ${DEVICE} type bridge $bridge_opts || exit 1
elif [ -n "${bridge_opts}" ]; then
ip link set dev ${DEVICE} type bridge $bridge_opts || exit 1
fi
unset bridge_opts
# add the bits to setup driver parameters here
for arg in $BRIDGING_OPTS ; do
key=${arg%%=*};
value=${arg##*=};
if [ "${key}" != "multicast_router" -a "${key}" != "hash_max" -a "${key}" != "multicast_snooping" ]; then
echo $value > /sys/class/net/${DEVICE}/bridge/$key
fi
done
# set LINKDELAY (used as timeout when calling check_link_down())
# to at least (${DELAY} * 2) + 7 if STP is enabled. This is the
# minimum time required for /sys/class/net/$REALDEVICE/carrier to
# become 1 after "ip link set dev $DEVICE up" is called.
if is_true "${STP}"; then
if [ -n "${DELAY}" ]; then
forward_delay="${DELAY}"
else
# If the ${DELAY} value is not set by the user, then we need to obtain
# the forward_delay value from kernel first, and convert it to seconds.
# Otherwise STP might not correctly complete the startup before trying
# to obtain an IP address from DHCP.
forward_delay="$(cat /sys/devices/virtual/net/${DEVICE}/bridge/forward_delay)"
forward_delay="$(convert2sec ${forward_delay} centi)"
fi
forward_delay=$(bc -q <<< "${forward_delay} * 2 + 7")
# It's possible we are comparing floating point numbers here, therefore
# we are using 'bc' for comparison. The [ ] and [[ ]] do not work.
(( $(bc -l <<< "${LINKDELAY:-0} < ${forward_delay}") )) && LINKDELAY=${forward_delay}
unset forward_delay
fi
fi
# Create tap device.
if [ "${TYPE}" = "Tap" ]; then
[ -n "${OWNER}" ] && OWNER="user ${OWNER}"
TUNMODE="mode tap"
[[ ${DEVICE} == tun* ]] && TUNMODE="mode tun"
ip tuntap add ${TUNMODE} ${OWNER} dev ${DEVICE} > /dev/null
fi
# Team master initialization.
if [ -n "${TEAM_CONFIG}" ] && [ ! "${DEVICETYPE}" = "Team" ] && [ -x ./ifup-Team ]; then
./ifup-Team ${CONFIG} $2
fi
if [ -z "${REALDEVICE}" ]; then
net_log $"Device name does not seem to be present."
exit 1
fi
# now check the real state
is_available_wait ${REALDEVICE} ${DEVTIMEOUT} || {
if [ -n "$alias" ]; then
net_log $"$alias device ${DEVICE} does not seem to be present, delaying initialization."
else
net_log $"Device ${DEVICE} does not seem to be present, delaying initialization."
fi
exit 1
}
# this isn't the same as the MAC in the configuration filename. It is
# available as a configuration option in the config file, forcing the kernel
# to think an ethernet card has a different MAC address than it really has.
if [ -n "${MACADDR}" ]; then
ip link set dev ${DEVICE} address ${MACADDR}
fi
if [ -n "${MTU}" ]; then
ip link set dev ${DEVICE} mtu ${MTU}
fi
# is the device wireless? If so, configure wireless device specifics
is_wireless_device ${DEVICE} && . ./ifup-wireless
# Team slave device?
if [ -n "${TEAM_MASTER}" ] && [ ! "${DEVICETYPE}" = "TeamPort" ] && [ -x ./ifup-TeamPort ]; then
./ifup-TeamPort ${CONFIG} $2
ethtool_set
exit 0
fi
# slave device?
if [ "${SLAVE}" = yes -a "${ISALIAS}" = no -a "${MASTER}" != "" ]; then
install_bonding_driver ${MASTER}
grep -wq "${DEVICE}" /sys/class/net/${MASTER}/bonding/slaves 2>/dev/null || {
/sbin/ip link set dev ${DEVICE} down
echo "+${DEVICE}" > /sys/class/net/${MASTER}/bonding/slaves 2>/dev/null
}
ethtool_set
exit 0
fi
# Bonding initialization. For DHCP, we need to enslave the devices early,
# so it can actually get an IP.
if [ "$ISALIAS" = no ] && is_bonding_device ${DEVICE} ; then
install_bonding_driver ${DEVICE}
/sbin/ip link set dev ${DEVICE} up
for device in $(LANG=C grep -l "^[[:space:]]*MASTER=['\"]\?${DEVICE}['\"]\?\([[:space:]#]\|$\)" /etc/sysconfig/network-scripts/ifcfg-*) ; do
is_ignored_file "$device" && continue
/sbin/ifup ${device##*/} || net_log "Unable to start slave device ${device##*/} for master ${DEVICE}." warning
done
[ -n "${LINKDELAY}" ] && /bin/sleep ${LINKDELAY}
# add the bits to setup the needed post enslavement parameters
for arg in $BONDING_OPTS ; do
key=${arg%%=*};
value=${arg##*=};
if [ "${key}" = "primary" ]; then
echo $value > /sys/class/net/${DEVICE}/bonding/$key
fi
done
fi
# If the device is part of a bridge, add the device to the bridge
if [ -n "${BRIDGE}" ]; then
if [ ! -d /sys/class/net/${BRIDGE}/bridge ]; then
ip link add ${BRIDGE} type bridge 2>/dev/null
fi
/sbin/ip addr flush dev ${DEVICE} 2>/dev/null
/sbin/ip link set dev ${DEVICE} up
ethtool_set
[ -n "${LINKDELAY}" ] && /bin/sleep ${LINKDELAY}
ip link set dev ${DEVICE} master ${BRIDGE}
# add the bits to setup driver parameters here
for arg in $BRIDGING_OPTS ; do
key=${arg%%=*};
value=${arg##*=};
echo $value > /sys/class/net/${DEVICE}/brport/$key
done
# Upon adding a device to a bridge,
# it's necessary to make radvd reload its config
[ -r /run/radvd/radvd.pid ] && kill -HUP $(cat /run/radvd/radvd.pid)
exit 0
fi
if [ -n "${DYNCONFIG}" ] && [ -x /sbin/dhclient ]; then
if is_true "${PERSISTENT_DHCLIENT}"; then
ONESHOT="";
else
ONESHOT="-1";
fi;
generate_config_file_name
generate_lease_file_name
# Initialize the dhclient args and obtain the hostname options if needed:
DHCLIENTARGS="${DHCLIENTARGS} ${ONESHOT} -q ${DHCLIENTCONF} -lf ${LEASEFILE} -pf /run/dhclient-${DEVICE}.pid"
set_hostname_options DHCLIENTARGS
echo
echo -n $"Determining IP information for ${DEVICE}..."
if ! is_true "${PERSISTENT_DHCLIENT}" && check_link_down ${DEVICE}; then
echo $" failed; no link present. Check cable?"
exit 1
fi
ethtool_set
if /sbin/dhclient ${DHCLIENTARGS} ${DEVICE} ; then
echo $" done."
dhcpipv4="good"
else
echo $" failed."
if is_true "${IPV4_FAILURE_FATAL}"; then
exit 1
fi
if is_false "$IPV6INIT" || ! is_true "$DHCPV6C"; then
exit 1
fi
net_log "Unable to obtain IPv4 DHCP address ${DEVICE}." warning
fi
# end dynamic device configuration
else
if [ -z "${IPADDR}" -a -z "${IPADDR0}" -a -z "${IPADDR1}" -a -z "${IPADDR2}" ]; then
# enable device without IP, useful for e.g. PPPoE
ip link set dev ${REALDEVICE} up
ethtool_set
[ -n "${LINKDELAY}" ] && /bin/sleep ${LINKDELAY}
else
expand_config
[ -n "${ARP}" ] && \
ip link set dev ${REALDEVICE} $(toggle_value arp $ARP)
if ! ip link set dev ${REALDEVICE} up ; then
net_log $"Failed to bring up ${DEVICE}."
exit 1
fi
ethtool_set
[ -n "${LINKDELAY}" ] && /bin/sleep ${LINKDELAY}
if [ "${DEVICE}" = "lo" ]; then
SCOPE="scope host"
else
SCOPE=${SCOPE:-}
fi
if [ -n "$SRCADDR" ]; then
SRC="src $SRCADDR"
else
SRC=
fi
# set IP address(es)
for idx in {0..256} ; do
if [ -z "${ipaddr[$idx]}" ]; then
break
fi
if ! LC_ALL=C ip addr ls ${REALDEVICE} | LC_ALL=C grep -q "${ipaddr[$idx]}/${prefix[$idx]}" ; then
if [ "${REALDEVICE}" != "lo" ] && [ "${arpcheck[$idx]}" != "no" ] ; then
ARPING=$(/sbin/arping -c 2 -w ${ARPING_WAIT:-3} -D -I ${REALDEVICE} ${ipaddr[$idx]})
if [ $? = 1 ]; then
ARPINGMAC=$(echo $ARPING | sed -ne 's/.*\[\(.*\)\].*/\1/p')
net_log $"Error, some other host ($ARPINGMAC) already uses address ${ipaddr[$idx]}."
exit 1
fi
fi
if ! ip addr add ${ipaddr[$idx]}/${prefix[$idx]} \
brd ${broadcast[$idx]:-+} dev ${REALDEVICE} ${SCOPE} label ${DEVICE}; then
net_log $"Error adding address ${ipaddr[$idx]} for ${DEVICE}."
fi
fi
if [ -n "$SRCADDR" ]; then
sysctl -w "net.ipv4.conf.${SYSCTLDEVICE}.arp_filter=1" >/dev/null 2>&1
fi
# update ARP cache of neighboring computers
if ! is_false "${arpupdate[$idx]}" && [ "${REALDEVICE}" != "lo" ]; then
/sbin/arping -q -A -c 1 -I ${REALDEVICE} ${ipaddr[$idx]}
( sleep 2;
/sbin/arping -q -U -c 1 -I ${REALDEVICE} ${ipaddr[$idx]} ) > /dev/null 2>&1 < /dev/null &
fi
# set lifetime of address to forever
ip addr change ${ipaddr[$idx]}/${prefix[$idx]} dev ${REALDEVICE} valid_lft forever preferred_lft forever
done
# Set a default route.
if [ "${DEFROUTE}" != "no" ] && [ -z "${GATEWAYDEV}" -o "${GATEWAYDEV}" = "${REALDEVICE}" ]; then
# set up default gateway. replace if one already exists
if [ -n "${GATEWAY}" ] && [ "$(ipcalc --network ${GATEWAY} ${netmask[0]} 2>/dev/null)" = "NETWORK=${NETWORK}" ]; then
ip route replace default ${METRIC:+metric $METRIC} \
${EXTRA_ROUTE_OPTS} \
via ${GATEWAY} ${WINDOW:+window $WINDOW} ${SRC} \
${GATEWAYDEV:+dev $GATEWAYDEV} ||
net_log $"Error adding default gateway ${GATEWAY} for ${DEVICE}."
elif [ "${GATEWAYDEV}" = "${DEVICE}" ]; then
ip route replace default ${METRIC:+metric $METRIC} \
${EXTRA_ROUTE_OPTS} \
${SRC} ${WINDOW:+window $WINDOW} dev ${REALDEVICE} ||
net_log $"Error adding default gateway for ${REALDEVICE}."
fi
fi
fi
fi
# Add Zeroconf route.
if [ -z "${NOZEROCONF}" -a "${ISALIAS}" = "no" -a "${REALDEVICE}" != "lo" ]; then
ip route add 169.254.0.0/16 dev ${REALDEVICE} metric $((1000 + $(cat /sys/class/net/${REALDEVICE}/ifindex))) scope link
fi
if [ "${TYPE}" = "Bridge" ]; then
for arg in $BRIDGING_OPTS ; do
key=${arg%%=*};
value=${arg##*=};
if [ "${key}" = "multicast_router" -o "${key}" = "hash_max" -o "${key}" = "multicast_snooping" ]; then
echo $value > /sys/class/net/${DEVICE}/bridge/$key
fi
done
fi
# IPv6 initialisation?
/etc/sysconfig/network-scripts/ifup-ipv6 ${CONFIG}
if is_true "${DHCPV6C}" && [ -x /sbin/dhclient ]; then
# Assign interface into a firewalld zone so we can
# obtain the IPv6 via DHCPv6 (empty ZONE means default):
if [ "${REALDEVICE}" != "lo" ]; then
dbus-send --print-reply --system --dest=org.fedoraproject.FirewallD1 \
/org/fedoraproject/FirewallD1 \
org.fedoraproject.FirewallD1.zone.changeZoneOfInterface \
string:"${ZONE}" string:"${DEVICE}" \
> /dev/null 2>&1
fi
generate_config_file_name 6
generate_lease_file_name 6
echo
echo -n $"Determining IPv6 information for ${DEVICE}..."
# Initialize the dhclient args for IPv6 and obtain the hostname options if needed:
DHCLIENTARGS="-6 -1 ${DHCPV6C_OPTIONS} ${DHCLIENTCONF} -lf ${LEASEFILE} -pf /run/dhclient6-${DEVICE}.pid ${DEVICE}"
set_hostname_options DHCLIENTARGS
if /sbin/dhclient $DHCLIENTARGS; then
echo $" done."
else
echo $" failed."
if [ "${dhcpipv4}" = "good" -o -n "${IPADDR}" ]; then
net_log "Unable to obtain IPv6 DHCP address ${DEVICE}." warning
else
exit 1
fi
fi
fi
exec /etc/sysconfig/network-scripts/ifup-post ${CONFIG} ${2}
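Review bot: The already-configured test in the static address loop, `grep -q "${ipaddr[$idx]}/${prefix[$idx]}"`, matches the address as an unanchored regular expression, so `10.0.0.1/24` is also found in a line containing `110.0.0.1/24`, and each `.` matches any character. When that happens the `arping -D` duplicate-address probe and the `ip addr add` are both skipped for an address that is not actually on the interface. A fixed-string, word-bounded match avoids it: `LC_ALL=C grep -qwF -- "${ipaddr[$idx]}/${prefix[$idx]}"`.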


@@ -0,0 +1,384 @@
#! /bin/bash
#
# ifup-ippp
#
# This script is normally called from the ifup script when it detects an ippp device.
. /etc/init.d/functions
cd /etc/sysconfig/network-scripts
. ./network-functions
# Get global network configuration
[ -f /etc/sysconfig/network ] && . /etc/sysconfig/network
GATEWAY=""
# set device
CONFIG=$1
[ -f "${CONFIG}" ] || CONFIG=ifcfg-${1}
source_config
if [ "${2}" = "boot" -a "${ONBOOT}" = "no" ]; then
exit
fi
if [ ! -f /var/lock/subsys/isdn ] && [ -x /etc/init.d/isdn ] ; then
/etc/init.d/isdn start
fi
# check that ipppd is available for syncppp
if [ "$ENCAP" = "syncppp" ]; then
if [ ! -x /sbin/ipppd ] && [ ! -x /usr/sbin/ipppd ] ; then
/usr/bin/logger -p daemon.info -t ifup-ippp "ipppd does not exist or is not executable"
exit 1
fi
fi
# check that isdnctrl is available
if [ ! -x /sbin/isdnctrl ] && [ ! -x /usr/sbin/isdnctrl ] ; then
/usr/bin/logger -p daemon.info -t ifup-ippp "isdnctrl does not exist or is not executable"
exit 1
fi
# check all ISDN devices
if ! isdnctrl list all >/dev/null 2>&1 ; then
/usr/bin/logger -p daemon.info -t ifup-ippp "cannot list ISDN devices"
exit 1
fi
# check if device already is configured
isdnctrl list $DEVICE >/dev/null 2>&1 && exit 0
function log_echo()
{
/usr/bin/logger -p daemon.info -t ifup-ippp $"$*"
}
function log_isdnctrl()
{
/usr/bin/logger -p daemon.info -t ifup-ippp isdnctrl $*
isdnctrl $* >/dev/null 2>&1 || exit 1
}
function create_option_file()
{
umask 066
echo "$1" > /etc/ppp/ioption-secret-$DEVICE
umask 022
}
function start_ibod()
{
# don't start ibod, if it's running
[ -f /var/lock/subsys/ibod ] && return
device=$1
if [ -f /etc/isdn/ibod.cf ] && [ -x /usr/sbin/ibod ] ; then
ibod $device &
pid=$(pidof ibod)
[ -n "$pid" ] && touch /var/lock/subsys/ibod
fi
}
function addprovider()
{
options=
if [ -z "$PHONE_OUT" ]; then
log_echo "Error: $1: no outgoing phone number set"
return 1
fi
# set the encapsulation mode
[ -z "$ENCAP" ] && ENCAP="syncppp"
# set the dial mode
[ -z "$DIALMODE" ] && DIALMODE="off"
[ "$AUTH" = "none" -o "$AUTH" = "noauth" -o -z "$AUTH" ] && AUTH="-pap -chap"
# set layer-2/3 protocol
[ -z "$L2_PROT" ] && L2_PROT="hdlc"
[ -z "$L3_PROT" ] && L3_PROT="trans"
# check local/remote IP
[ -z "$IPADDR" ] && IPADDR="0.0.0.0"
[ -z "$GATEWAY" ] && GATEWAY="0.0.0.0"
# set default route
[ "$DEFROUTE" = "yes" ] && options="$options defaultroute deldefaultroute"
# set authentication
_auth=$(echo "$AUTH" | sed 's/[a-z -]*//g')
if [ -n "$_auth" ]; then
if [ -z "$USER" -a "$DIALIN" != "on" ]; then
log_echo " Error: $1 (syncppp) user is not set"
return 1
fi
if [ "$DIALIN" != "on" ]; then
# we should hide the user name, so i add user name to option file.
if [ "$AUTH" = "-pap +chap" ]; then
create_option_file "name \"$USER\""
else
create_option_file "user \"$USER\""
fi
options="$options file /etc/ppp/ioption-secret-$DEVICE"
fi
# authentication options:
# +pap and/or +chap does not work correct by dialout - remove
# them if it's configured as dialout
[ "$DIALIN" = "on" ] || AUTH=$(echo "$AUTH" | sed 's/+[a-z]*//g')
fi
# add ISDN device
log_isdnctrl addif $DEVICE
# set local MSN
[ -z "$MSN" ] || log_isdnctrl eaz $DEVICE $MSN
# set dialout numbers
if echo $COUNTRYCODE | grep ":" >/dev/null 2>&1 ; then
COUNTRYCODE="$(echo $COUNTRYCODE | cut -f 2 -d ':')"
[ "$COUNTRYCODE" = "0" ] && COUNTRYCODE=
else
COUNTRYCODE=
fi
for i in $PHONE_OUT; do
log_isdnctrl addphone $DEVICE out $COUNTRYCODE$PREFIX$AREACODE$i
done
for i in $PHONE_IN; do
log_isdnctrl addphone $DEVICE in $i
done
# set layer-2/3 protocol
log_isdnctrl l2_prot $DEVICE $L2_PROT
log_isdnctrl l3_prot $DEVICE $L3_PROT
# set encapsulation
log_isdnctrl encap $DEVICE $ENCAP
# set dialmode
log_isdnctrl dialmode $DEVICE $DIALMODE
[ -n "$SECURE" ] && log_isdnctrl secure $DEVICE $SECURE
[ -n "$HUPTIMEOUT" ] && log_isdnctrl huptimeout $DEVICE $HUPTIMEOUT
[ -n "$CHARGEHUP" ] && log_isdnctrl chargehup $DEVICE $CHARGEHUP
[ -n "$CHARGEINT" ] && log_isdnctrl chargeint $DEVICE $CHARGEINT
[ -n "$IHUP" ] && log_isdnctrl ihup $DEVICE $IHUP
# set the number of dial atempts for each number
[ -n "$DIALMAX" ] && log_isdnctrl dialmax $DEVICE $DIALMAX
# set callback
if [ "$CALLBACK" = "out" -o "$CALLBACK" = "in" ] ; then
log_isdnctrl callback $DEVICE $CALLBACK
else
log_isdnctrl callback $DEVICE off
fi
[ -n "$CBDELAY" ] && log_isdnctrl cbdelay $DEVICE $CBDELAY
[ -n "$CBHUP" ] && log_isdnctrl cbhup $DEVICE $CBHUP
options="$options ipparam $DEVNAME"
[ "$ENCAP" = "syncppp" ] && log_isdnctrl pppbind $DEVICE
if [ "$IPADDR" = "0.0.0.0" ]; then
options="$options ipcp-accept-local"
else
if [ "$DIALIN" != "on" ]; then
options="$options noipdefault"
fi
fi
# Add device
options="$options /dev/$DEVICE"
# set channel bundling
if [ "$BUNDLING" = "yes" -o "$BUNDLING" = "on" ] && [ -n "$SLAVE_DEVICE" ]; then
[ -z "$SLAVE_MSN" ] && SLAVE_MSN="$MSN"
[ -z "$SLAVE_PHONE_OUT" ] && SLAVE_PHONE_OUT="$PHONE_OUT"
[ -z "$SLAVE_PHONE_IN" ] && SLAVE_PHONE_IN="$PHONE_IN"
[ -z "$SLAVE_HUPTIMEOUT" ] && SLAVE_HUPTIMEOUT="$HUPTIMEOUT"
[ -z "$SLAVE_CHARGEHUP" ] && SLAVE_CHARGEHUP="$CHARGEHUP"
[ -z "$SLAVE_CHARGEINT" ] && SLAVE_CHARGEINT="$CHARGEINT"
[ -z "$SLAVE_CBHUP" ] && SLAVE_CBHUP="$CBHUP"
[ -z "$SLAVE_IHUP" ] && SLAVE_IHUP="$IHUP"
[ -z "$SLAVE_DIALMAX" ] && SLAVE_DIALMAX="$DIALMAX"
[ -z "$SLAVE_CALLBACK" ] && SLAVE_CALLBACK="$CALLBACK"
[ -z "$SLAVE_CBDELAY" ] && SLAVE_CBDELAY="$CBDELAY"
if [ "$DIALIN" != "on" ] ; then
[ -z "$SLAVE_DIALMODE" ] && SLAVE_DIALMODE="auto"
else
# Master should not dial by default on incoming MPPP
[ -z "$SLAVE_DIALMODE" ] && SLAVE_DIALMODE="$DIALMODE"
fi
slave=$SLAVE_DEVICE
options="$options /dev/$slave +mp"
# Create slave and set options
log_isdnctrl addslave $DEVICE $slave
[ -z $SLAVE_MSN ] || log_isdnctrl eaz $slave $SLAVE_MSN
# set phone number
for i in $SLAVE_PHONE_OUT; do
log_isdnctrl addphone $slave out $COUNTRYCODE$PREFIX$AREACODE$i
done
for i in $SLAVE_PHONE_IN; do
log_isdnctrl addphone $slave in $i
done
# set layer-2/3 protocol
log_isdnctrl l2_prot $slave $L2_PROT
log_isdnctrl l3_prot $slave $L3_PROT
# set encapsulation
log_isdnctrl encap $slave $ENCAP
# set dial mode
log_isdnctrl dialmode $slave $SLAVE_DIALMODE
[ -n "$SECURE" ] && log_isdnctrl secure $slave $SECURE
[ -n "$SLAVE_HUPTIMEOUT" ] && log_isdnctrl huptimeout $slave $SLAVE_HUPTIMEOUT
[ -n "$SLAVE_CHARGEHUP" ] && log_isdnctrl chargehup $slave $SLAVE_CHARGEHUP
[ -n "$SLAVE_CHARGEINT" ] && log_isdnctrl chargeint $slave $SLAVE_CHARGEINT
[ -n "$SLAVE_IHUP" ] && log_isdnctrl ihup $slave $SLAVE_IHUP
[ -n "$SLAVE_DIALMAX" ] && log_isdnctrl dialmax $slave $SLAVE_DIALMAX
# set callback
[ -n "$SLAVE_CBHUP" ] && log_isdnctrl cbhup $slave $SLAVE_CBHUP
[ -n "$SLAVE_CALLBACK" ] || SLAVE_CALLBACK="off"
log_isdnctrl callback $slave $SLAVE_CALLBACK
[ -n "$SLAVE_CBDELAY" ] && log_isdnctrl cbdelay $DEVICE $SLAVE_CBDELAY
# options for master device
[ -n "$SLAVE_DELAY" ] && log_isdnctrl sdelay $DEVICE $SLAVE_DELAY
[ -n "$SLAVE_TRIGGER" ] && log_isdnctrl trigger $DEVICE $SLAVE_TRIGGER
fi
if [ "$GATEWAY" = "0.0.0.0" ]; then
if [ "$DIALIN" != "on" ]; then
options="$options ipcp-accept-remote"
fi
options="$IPADDR:$GATEWAY $options"
else
options="$options $IPADDR:$GATEWAY"
fi
# Van Jacobson style TCP/IP header compression and
# VJ connection-ID compression
[ "$VJ" = "off" ] && options="$options -vj"
[ "$VJCCOMP" = "off" ] && options="$options -vjccomp"
# Address/Control compression, protocol field compression,
[ "$AC" = "off" ] && options="$options -ac"
[ "$PC" = "off" ] && options="$options -pc"
# BSD-Compression scheme
if [ "$BSDCOMP" = "on" ] ; then
options="$options bsdcomp 9,9"
else
options="$options -bsdcomp"
fi
# Stac compression
if [ "$LZS" = "on" ] ; then
# supports LZS check mode 3 and 4
[ -n "$LZS_MODE" ] || LZS_MODE="4"
[ "$LZS_MODE" = "3" ] && options="$options lzs 1"
[ "$LZS_MODE" = "4" ] && options="$options lzs 1:4"
fi
# Set max receive and max transmit units
[ -n "$MRU" ] && options="$options mru $MRU"
[ -n "$MTU" ] && options="$options mtu $MTU"
# set CBCP protocoll
if [ "$CBCP" = "on" ] ; then
if [ -n "$CBCP_MSN" ] ; then
# User managed callback
options="$options callback $CBCP_MSN"
else
# admin managed callback, it's enabled by default
options="$options callback 6"
fi
else
# Disable CBCP
options="$options -callback-cbcp"
fi
# set CCP protocoll
[ "$CCP" = "off" ] && options="$options noccp"
# set host name
[ -n "$ISDN_HOSTNAME" ] && options="$options remotename $ISDN_HOSTNAME"
# Set authentication
for i in $AUTH ; do
options="$options $i"
done
# add ppp options
for i in $PPPOPTIONS ; do
options="$options $i"
done
# check dns entry
if [ -z "$DNS1" -a -z "$DNS2" ]; then
options="$options ms-get-dns"
else
[ -n "$DNS1" ] && options="$options ms-dns $DNS1"
[ -n "$DNS2" ] && options="$options ms-dns $DNS2"
fi
# set debug
[ "$DEBUG" = "yes" ] && options="-d $options"
# set netmask, if available
[ -n "$NETMASK" ] && {
val=$(ipcalc --prefix $IPADDR $NETMASK)
pfx=${val##PREFIX=}
}
# activate ISDN device
/usr/bin/logger -p daemon.info -t ifup-ippp "ip addr add $IPADDR peer $GATEWAY${pfx:/$pfx} dev $DEVICE"
ip addr add $IPADDR peer $GATEWAY${pfx:/$pfx} dev $DEVICE
ip link set dev $DEVICE up
if [ "$ENCAP" = "syncppp" ]; then
# start ipppd daemon
/usr/bin/logger -p daemon.info -t ifup-ippp "ipppd $options $netmask"
ipppd $options $netmask >/dev/null 2>&1
# start ibod daemon
if [ "$DIALIN" != "on" ]; then
[ "$BUNDLING" = "yes" -o "$BUNDLING" = "on" ] && [ -n "$SLAVE_DEVICE" ] && start_ibod $DEVICE
fi
fi
# set default gateway for dial on demand
if [ "$DIALMODE" = "auto" ] ; then
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
if [ "$DEFROUTE" = "yes" ] ; then
if [ "$GATEWAY" = "0.0.0.0" ]; then
ip route replace default ${METRIC:+metric $METRIC} dev ${DEVICE} >/dev/null 2>&1
else
ip route replace default ${METRIC:+metric $METRIC} via ${GATEWAY} dev ${DEVICE} >/dev/null 2>&1
fi
fi
fi
# Setup IPv6
if ! is_false "$IPV6INIT" && ! [[ -z "$IPV6ADDR" ]]; then
# Native IPv6 use of device configured, check of encapsulation required
if [ "$ENCAP" = "syncppp" ]; then
echo $"Warning: ipppd (kernel 2.4.x and below) doesn't support IPv6 using encapsulation 'syncppp'"
elif [ "$ENCAP" = "rawip" ]; then
echo $"Warning: link doesn't support IPv6 using encapsulation 'rawip'"
fi
fi
/etc/sysconfig/network-scripts/ifup-ipv6 $CONFIG
}
addprovider || exit 1
exit 0
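Review bot: `create_option_file` relies on `umask 066` alone to protect `/etc/ppp/ioption-secret-$DEVICE`, but a umask only applies when the file is created, so a file that already exists with wider permissions keeps them after the `>` truncation. The trailing `umask 022` also overwrites whatever umask the caller had instead of restoring it. Running the write in a subshell and setting the mode explicitly covers both: `( umask 077; printf '%s\n' "$1" > "/etc/ppp/ioption-secret-$DEVICE" )` followed by `chmod 600 "/etc/ppp/ioption-secret-$DEVICE"`. Further down in `addprovider`, `$GATEWAY${pfx:/$pfx}` is parsed by bash as a substring expansion rather than the alternate-value form used elsewhere in this commit (`${METRIC:+metric $METRIC}`); `${pfx:+/$pfx}` looks like what was meant.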


@@ -0,0 +1,316 @@
#!/bin/bash
#
# ifup-ipv6
#
#
# Taken from:
# (P) & (C) 2000-2006 by Peter Bieringer <pb@bieringer.de>
#
# You will find more information on the initscripts-ipv6 homepage at
# http://www.deepspace6.net/projects/initscripts-ipv6.html
#
# RHL integration assistance by Pekka Savola <pekkas@netcore.fi>
#
# Version: 2006-07-20
#
# Note: if called (like normally) by /etc/sysconfig/network-scripts/ifup
# exit codes aren't handled by "ifup"
#
# Uses following information from "/etc/sysconfig/network":
# IPV6_DEFAULTDEV=<device>: controls default route (optional)
# IPV6_DEFAULTGW=<address>: controls default route (optional)
#
# Uses following information from "/etc/sysconfig/network-scripts/ifcfg-$1":
# IPV6INIT=yes|no: controls IPv6 configuration for this interface
# IPV6ADDR=<IPv6 address>[/<prefix length>]: specify primary static IPv6 address
# IPV6ADDR_SECONDARIES="<IPv6 address>[/<prefix length>] ..." (optional)
# IPV6_ROUTER=yes|no: controls IPv6 autoconfiguration (no: multi-homed interface without routing)
# IPV6_AUTOCONF=yes|no: controls IPv6 autoconfiguration
# defaults:
# IPV6FORWARDING=yes: IPV6_AUTOCONF=no, IPV6_ROUTER=yes
# IPV6FORWARDING=no: IPV6_AUTOCONF=yes
# IPV6_MTU=<MTU for IPv6>: controls IPv6 MTU for this link (optional)
# IPV6_PRIVACY="rfc3041": control IPv6 privacy (optional)
# This script only supports "rfc3041" (if kernel supports it)
#
# Optional for 6to4 tunneling (hardwired name of tunnel device is "tun6to4"):
# IPV6TO4INIT=yes|no: controls 6to4 tunneling setup
# IPV6TO4_RELAY=<IPv4 address>: IPv4 address of the remote 6to4 relay (default: 192.88.99.1)
# IPV6TO4_MTU=<MTU for IPv6>: controls IPv6 MTU for the 6to4 link (optional, default is MTU of interface - 20)
# IPV6TO4_IPV4ADDR=<IPv4 address>: overwrite local IPv4 address (optional)
# IPV6TO4_ROUTING="<device>-<suffix>/<prefix length> ...": information to setup additional interfaces
# Example: IPV6TO4_ROUTING="eth0-:f101::1/64 eth1-:f102::1/64"
#
# Optional for 6to4 tunneling to trigger radvd:
# IPV6_CONTROL_RADVD=yes|no: controls radvd triggering (optional)
# IPV6_RADVD_PIDFILE=<file>: PID file of radvd for sending signals, default is "/run/radvd/radvd.pid" (optional)
# IPV6_RADVD_TRIGGER_ACTION=startstop|reload|restart|SIGHUP: how to trigger radvd (optional, default is SIGHUP)
#
# Required version of radvd to use 6to4 prefix recalculation
# 0.6.2p3 or newer supporting option "Base6to4Interface"
# Required version of radvd to use dynamic ppp links
# 0.7.0 + fixes or newer
#
. /etc/sysconfig/network
cd /etc/sysconfig/network-scripts
. ./network-functions
CONFIG=$1
[ -f "$CONFIG" ] || CONFIG=ifcfg-$CONFIG
source_config
REALDEVICE=${DEVICE%%:*}
DEVICE=$REALDEVICE
# Test whether IPv6 configuration is disabled for this interface
is_false "$IPV6INIT" && exit 0
[ -f /etc/sysconfig/network-scripts/network-functions-ipv6 ] || exit 1
. /etc/sysconfig/network-scripts/network-functions-ipv6
# IPv6 test, module loaded, exit if system is not IPv6-ready
ipv6_test || exit 1
# Test device status
ipv6_test_device_status $DEVICE
if [ $? != 0 -a $? != 11 ]; then
# device doesn't exist or other problem occurs
exit 1
fi
# Setup IPv6 address on specified interface
if [ -n "$IPV6ADDR" ]; then
ipv6_add_addr_on_device $DEVICE $IPV6ADDR || exit 1
fi
# Get current global IPv6 forwarding
ipv6_global_forwarding_current="$(/sbin/sysctl -e -n net.ipv6.conf.all.forwarding)"
# Set some proc switches depending on defines
if [ "$IPV6FORWARDING" = "yes" ]; then
# Global forwarding should be enabled
# Check, if global IPv6 forwarding was already set by global script
if [ $ipv6_global_forwarding_current -ne 1 ]; then
net_log $"Global IPv6 forwarding is enabled in configuration, but not currently enabled in kernel"
net_log $"Please restart network with '/sbin/service network restart'"
fi
ipv6_local_forwarding=1
ipv6_local_auto=0
ipv6_local_accept_ra=0
if [ "$IPV6_ROUTER" = "no" ]; then
ipv6_local_forwarding=0
fi
if [ "$IPV6_AUTOCONF" = "yes" ]; then
ipv6_local_auto=1
ipv6_local_accept_ra=2
fi
else
# Global forwarding should be disabled
# Check, if global IPv6 forwarding was already set by global script
if [ $ipv6_global_forwarding_current -ne 0 ]; then
net_log $"Global IPv6 forwarding is disabled in configuration, but not currently disabled in kernel"
net_log $"Please restart network with '/sbin/service network restart'"
fi
ipv6_local_forwarding=0
ipv6_local_auto=1
ipv6_local_accept_ra=1
if [ "$IPV6_AUTOCONF" = "no" ]; then
ipv6_local_auto=0
if [ ! "$IPV6_FORCE_ACCEPT_RA" = "yes" ]; then
ipv6_local_accept_ra=0
fi
fi
fi
if [ ! "$IPV6_SET_SYSCTLS" = "no" ]; then
/sbin/sysctl -e -w net.ipv6.conf.$SYSCTLDEVICE.forwarding=$ipv6_local_forwarding >/dev/null 2>&1
/sbin/sysctl -e -w net.ipv6.conf.$SYSCTLDEVICE.accept_ra=$ipv6_local_accept_ra >/dev/null 2>&1
/sbin/sysctl -e -w net.ipv6.conf.$SYSCTLDEVICE.accept_redirects=$ipv6_local_auto >/dev/null 2>&1
/sbin/sysctl -e -w net.ipv6.conf.$SYSCTLDEVICE.autoconf=$ipv6_local_auto >/dev/null 2>&1
fi
# Set IPv6 MTU, if given
if [ -n "$IPV6_MTU" ]; then
ipv6_set_mtu $DEVICE $IPV6_MTU
fi
# Setup additional IPv6 addresses from list, if given
if [ -n "$IPV6ADDR_SECONDARIES" ]; then
for ipv6addr in $IPV6ADDR_SECONDARIES; do
ipv6_add_addr_on_device $DEVICE $ipv6addr
done
fi
# Enable IPv6 RFC3041 privacy extensions if desired
if [ "$IPV6_PRIVACY" = "rfc3041" ]; then
if [ ! "$IPV6_SET_SYSCTLS" = "no" ]; then
/sbin/sysctl -e -w net.ipv6.conf.$SYSCTLDEVICE.use_tempaddr=2 >/dev/null 2>&1
if [ $? -ne 0 ]; then
net_log $"Cannot enable IPv6 privacy method '$IPV6_PRIVACY', not supported by kernel"
fi
fi
fi
# Setup default IPv6 route, check are done by function
if [ -n "$IPV6_DEFAULTDEV" -o -n "$IPV6_DEFAULTGW" ]; then
ipv6_set_default_route "$IPV6_DEFAULTGW" "$IPV6_DEFAULTDEV" "$DEVICE"
fi
# Setup additional static IPv6 routes on specified interface, if given
if [ -f /etc/sysconfig/static-routes-ipv6 ]; then
LC_ALL=C grep -w "^$DEVICE" /etc/sysconfig/static-routes-ipv6 | while read device args; do
ipv6_add_route $args $DEVICE
done
fi
# Setup of 6to4, if configured
if [ "$IPV6TO4INIT" = "yes" ]; then
valid6to4config="yes"
# Test device status of 6to4 tunnel
ipv6_test_device_status tun6to4
if [ $? = 0 ]; then
# device is already up
net_log $"Device 'tun6to4' (from '$DEVICE') is already up, shutdown first"
exit 1
fi
# Get IPv4 address for global 6to4 prefix calculation
if [ -n "$IPV6TO4_IPV4ADDR" ]; then
# Take special configured from config file (precedence 1)
ipv4addr="$IPV6TO4_IPV4ADDR"
# Get local IPv4 address from interface
ipv4addrlocal="$(ipv6_get_ipv4addr_of_device $DEVICE)"
if [ -z "$ipv4addrlocal" ]; then
# Take configured from config file
ipv4addrlocal="$IPADDR"
fi
else
# Get IPv4 address from interface first (has precedence 2)
ipv4addr="$(ipv6_get_ipv4addr_of_device $DEVICE)"
if [ -z "$ipv4addr" ]; then
# Take configured from config file (precedence 3)
ipv4addr="$IPADDR"
fi
ipv4addrlocal="$ipv4addr"
fi
if [ -n "$ipv4addr" ]; then
if ! ipv6_test_ipv4_addr_global_usable $ipv4addr; then
net_log $"Given IPv4 address '$ipv4addr' is not globally usable" info
valid6to4config="no"
fi
if [ -z "$IPV6TO4_RELAY" ]; then
IPV6TO4_RELAY="192.88.99.1"
fi
# Check/generate relay address
ipv6to4_relay="$(ipv6_create_6to4_relay_address $IPV6TO4_RELAY)"
if [ $? -ne 0 ]; then
valid6to4config="no"
fi
else
net_log $"IPv6to4 configuration needs an IPv4 address on related interface or otherwise specified" info
valid6to4config="no"
fi
# Setup 6to4 tunnel (hardwired name is "tun6to4"), if config is valid
if [ "$valid6to4config" = "yes" ]; then
# Get MTU of master device
ipv4mtu="$(/sbin/ip link show dev $DEVICE | awk '/\<mtu\>/ { print $5 }')"
if [ -n "$ipv4mtu" ]; then
# IPv6 tunnel MTU is IPv4 MTU minus 20 for IPv4 header
tunnelmtu=$(($ipv4mtu-20))
fi
if [ -n "$IPV6TO4_MTU" ]; then
if [ $IPV6TO4_MTU -gt $tunnelmtu ]; then
net_log $"Warning: configured MTU '$IPV6TO4_MTU' for 6to4 exceeds maximum limit of '$tunnelmtu', ignored" warning
else
tunnelmtu=$IPV6TO4_MTU
fi
fi
ipv6_add_6to4_tunnel tun6to4 $ipv4addr "" $tunnelmtu $ipv4addrlocal || exit 1
# Add route to for compatible addresses (removed later again)
ipv6_add_route "::/96" "::" tun6to4
# Add default route, if device matches
if [ "$IPV6_DEFAULTDEV" = "tun6to4" ]; then
if [ -n "$IPV6_DEFAULTGW" ]; then
net_log $"Warning: interface 'tun6to4' does not support 'IPV6_DEFAULTGW', ignored" warning
fi
ipv6_set_default_route $ipv6to4_relay tun6to4
fi
# Add static routes
if [ -f /etc/sysconfig/static-routes-ipv6 ]; then
LC_ALL=C grep -w "^tun6to4" /etc/sysconfig/static-routes-ipv6 | while read device network gateway; do
if [ -z "$network" ]; then
continue
fi
if [ -z "$gateway" ]; then
gateway="$ipv6to4_relay"
fi
ipv6_add_route $network $gateway tun6to4
done
fi
# Setup additional static IPv6 routes (newer config style)
if [ -f "/etc/sysconfig/network-scripts/route6-tun6to4" ]; then
sed -ne 's/#.*//' -e '/[^[:space:]]/p' /etc/sysconfig/network-scripts/route6-tun6to4 | while read line; do
if echo "$line" | LC_ALL=C grep -vq 'via'; then
# Add gateway if missing
line="$line via $ipv6to4_relay"
fi
/sbin/ip -6 route add $line
done
fi
# Cleanup autmatically generated autotunnel (not needed for 6to4)
/sbin/ip -6 route del ::/96 dev tun6to4
/sbin/ip -6 addr del "::$ipv4addrlocal/128" dev tun6to4
if [ "$IPV6_CONTROL_RADVD" = "yes" ]; then
# RADVD is in use, so forwarding of IPv6 packets should be enabled, display warning
if [ $ipv6_global_forwarding_current -ne 1 ]; then
net_log $"Using 6to4 and RADVD IPv6 forwarding usually should be enabled, but it isn't" warning
fi
if [ -n "$IPV6TO4_ROUTING" ]; then
ipv6to4prefix="$(ipv6_create_6to4_prefix $ipv4addr)"
if [ -n "$ipv6to4prefix" ]; then
# Add route to local networks
for devsuf in $IPV6TO4_ROUTING; do
dev="${devsuf%%-*}"
suf="$(echo $devsuf | awk -F- '{ print $2 }')"
ipv6_add_addr_on_device ${dev} ${ipv6to4prefix}${suf}
done
else
net_log $"Error occurred while calculating the IPv6to4 prefix"
fi
else
net_log $"radvd control enabled, but config is not complete"
fi
# Control running radvd
ipv6_trigger_radvd up "$IPV6_RADVD_TRIGGER_ACTION" $IPV6_RADVD_PIDFILE
fi
else
net_log $"6to4 configuration is not valid"
exit 1
fi
fi
#wait for all global IPv6 addresses to leave the "tentative" state
ipv6_wait_tentative $DEVICE


@@ -0,0 +1 @@
ifup-ippp


@@ -0,0 +1,27 @@
#!/bin/sh
cd /etc/sysconfig/network-scripts
. ./network-functions
CONFIG=$1
source_config
if [ "foo$2" = "fooboot" -a "${ONBOOT}" = "no" ]; then
exit
fi
[ -z "$PREFIX" ] && eval $(/bin/ipcalc --prefix ${IPADDR} ${NETMASK})
ip addr add ${IPADDR} peer ${REMIP}/${PREFIX} dev ${DEVICE}
ip link set up dev ${DEVICE}
ip route add ${NETWORK} dev ${DEVICE}
. /etc/sysconfig/network
if [ "${GATEWAY}" != "" ]; then
if [ "${GATEWAYDEV}" = "" -o "${GATEWAYDEV}" = "${DEVICE}" ]; then
# set up default gateway
ip route replace default ${METRIC:+metric $METRIC} via ${GATEWAY}
fi
fi
/etc/sysconfig/network-scripts/ifup-post $1


@@ -0,0 +1,43 @@
#!/bin/sh
#
# /etc/sysconfig/network-scripts/ifup-plusb
#
# the plusb network driver is a USB host-host cable based on the Prolific
# chip. It works a lot like the plip driver.
#
# To get the plusb module to load automatically at boot, you will need to
# add the following lines to /etc/conf.modules:
#
# alias plusb0 plusb
#
cd /etc/sysconfig/network-scripts
. ./network-functions
CONFIG=$1
source_config
if [ "foo$2" = "fooboot" -a "${ONBOOT}" = "no" ]
then
exit
fi
[ -z "$PREFIX" ] && eval $(/bin/ipcalc --prefix ${IPADDR} ${NETMASK})
if [ ${BROADCAST} != "" ] ; then
ip addr add ${IPADDR} peer ${REMIP}/${PREFIX} broadcast ${BROADCAST} dev ${DEVICE}
else
ip addr add ${IPADDR} peer ${REMIP}/${PREFIX} dev ${DEVICE}
fi
ip link set up dev ${DEVICE}
. /etc/sysconfig/network
if [ "${GATEWAY}" != "" ]; then
if [ "${GATEWAYDEV}" = "" -o "${GATEWAYDEV}" = "${DEVICE}" ]; then
# set up default gateway
ip route replace default ${METRIC:+metric $METRIC} via ${GATEWAY}
fi
fi
/etc/sysconfig/network-scripts/ifup-post $1
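Review bot: The test `if [ ${BROADCAST} != "" ]` is unquoted, so with BROADCAST unset it expands to `[ != "" ]`, which `[` rejects as malformed. The script then reaches the else branch only because the failed test returns non-zero, and an error is printed on each run. Writing it as `if [ -n "${BROADCAST}" ]; then` selects the same two branches without the error. The `ip addr add` lines likewise leave `${IPADDR}`, `${REMIP}` and `${DEVICE}` unquoted, so an empty value shifts the remaining arguments instead of failing cleanly.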


@@ -0,0 +1,148 @@
#!/bin/bash
# Source the general functions for is_true() and is_false():
. /etc/init.d/functions
cd /etc/sysconfig/network-scripts
. ./network-functions
[ -f ../network ] && . ../network
unset REALDEVICE
if [ "$1" = --realdevice ] ; then
REALDEVICE=$2
shift 2
fi
CONFIG=$1
source_config
[ -z "$REALDEVICE" ] && REALDEVICE=$DEVICE
if is_false "$ISALIAS"; then
/etc/sysconfig/network-scripts/ifup-aliases ${DEVICE} ${CONFIG}
fi
if ! is_true "$NOROUTESET"; then
/etc/sysconfig/network-scripts/ifup-routes ${REALDEVICE} ${DEVNAME}
fi
if ! is_false "${PEERDNS}" || is_true "${RESOLV_MODS}"; then
# Obtain the DNS entries when using PPP if necessary:
[ -n "${MS_DNS1}" ] && DNS1="${MS_DNS1}"
[ -n "${MS_DNS2}" ] && DNS2="${MS_DNS2}"
# Remove duplicate DNS entries and shift them, if necessary:
update_DNS_entries
# Determine what regexp we should use (for testing below):
if [ -n "${DNS3}" ]; then
grep_regexp="[^#]?nameserver[[:space:]]+${DNS1}[^#]?nameserver[[:space:]]+${DNS2}[^#]?nameserver[[:space:]]+${DNS3}"
elif [ -n "${DNS2}" ]; then
grep_regexp="[^#]?nameserver[[:space:]]+${DNS1}[^#]?nameserver[[:space:]]+${DNS2}"
elif [ -n "${DNS1}" ]; then
grep_regexp="[^#]?nameserver[[:space:]]+${DNS1}"
else
# No DNS entries used at all ->> match everything.
grep_regexp=".*"
fi
# Test if the search field needs updating, or
# if the nameserver entries order should be updated:
if [ -n "${DOMAIN}" ] && ! grep -q "^search.*${DOMAIN}.*$" /etc/resolv.conf ||
! tr --delete '\n' < /etc/resolv.conf | grep -E -q "${grep_regexp}"; then
if tmp_file=$(mktemp); then
search_str=''
while read line; do
case ${line} in
# Skip nameserver entries when at least one DNS option was given
# (at this stage we know that we have to update all the nameserver
# enries anyway -- see below), or copy them if we are changing just
# the 'search' field in /etc/resolv.conf:
nameserver*)
if [[ "${grep_regexp}" != ".*" ]]; then
continue
else
echo "${line}" >> "${tmp_file}"
fi
;;
domain* | search*)
if [ -n "${DOMAIN}" ]; then
read search value < <(echo ${line})
search_str+=" ${value}"
else
echo "${line}" >> "${tmp_file}"
fi
;;
# Keep the rest of the /etc/resolv.conf as it was:
*)
echo "${line}" >> "${tmp_file}"
;;
esac
done < /etc/resolv.conf
# Insert the domain into 'search' field:
if [ -n "${DOMAIN}" ]; then
echo "search ${DOMAIN}${search_str}" >> "${tmp_file}"
fi
# Add the requested nameserver entries:
[ -n "${DNS1}" ] && echo "nameserver ${DNS1}" >> "${tmp_file}"
[ -n "${DNS2}" ] && echo "nameserver ${DNS2}" >> "${tmp_file}"
[ -n "${DNS3}" ] && echo "nameserver ${DNS3}" >> "${tmp_file}"
# Backup resolv.conf only if it doesn't exist already:
! [ -f /etc/resolv.conf.save ] && cp -af /etc/resolv.conf /etc/resolv.conf.save
# Maintain permissions, but set umask in case it doesn't exist:
umask_old=$(umask)
umask 022
# Update the resolv.conf:
change_resolv_conf "${tmp_file}"
rm -f "${tmp_file}"
umask ${umask_old}
unset tmp_file search_str umask_old
else
net_log $"/etc/resolv.conf was not updated: failed to create temporary file" 'err' 'ifup-post'
fi
fi
unset grep_regexp
fi
# don't set hostname on ppp/slip connections
if [ "$2" = "boot" -a \
"${DEVICE}" != lo -a \
"${DEVICETYPE}" != "ppp" -a \
"${DEVICETYPE}" != "slip" ]; then
if need_hostname; then
IPADDR=$(LANG=C ip -o -4 addr ls dev ${DEVICE} | awk '{ print $4 ; exit }')
eval $(/bin/ipcalc --silent --hostname ${IPADDR} ; echo "status=$?")
if [ "$status" = "0" ]; then
set_hostname $HOSTNAME
fi
fi
fi
# Set firewall ZONE for this device (empty ZONE means default):
if [ "${REALDEVICE}" != "lo" ]; then
dbus-send --print-reply --system --dest=org.fedoraproject.FirewallD1 \
/org/fedoraproject/FirewallD1 \
org.fedoraproject.FirewallD1.zone.changeZoneOfInterface \
string:"${ZONE}" string:"${DEVICE}" \
> /dev/null 2>&1
fi
if [ -x /sbin/ifup-local ]; then
/sbin/ifup-local ${DEVICE}
fi
exit 0
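Review bot: The hostname lookup `eval $(/bin/ipcalc --silent --hostname ${IPADDR} ; echo "status=$?")` feeds text derived from a reverse DNS answer through `eval`, so the script depends on ipcalc emitting only shell-safe output for a name chosen by whoever controls the PTR record. Reading the value as data removes that dependency: `name=$(/bin/ipcalc --silent --hostname "${IPADDR}" | sed -n 's/^HOSTNAME=//p')` followed by `[ -n "$name" ] && HOSTNAME=$name && set_hostname "$HOSTNAME"`. Separately, the firewalld `changeZoneOfInterface` call discards both its output and its exit status, so an interface that could not be placed in `${ZONE}` leaves no trace; a `net_log ... warning` on a non-zero status would make that visible.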


@@ -0,0 +1,76 @@
#! /bin/bash
#
# adds static routes which go through device $1
if [ -z "$1" ]; then
echo $"usage: ifup-routes <net-device> [<nickname>]"
exit 1
fi
MATCH='^[[:space:]]*(\#.*)?$'
handle_file () {
. $1
routenum=0
while [ "x$(eval echo '$'ADDRESS$routenum)x" != "xx" ]; do
eval $(ipcalc -p $(eval echo '$'ADDRESS$routenum) $(eval echo '$'NETMASK$routenum))
line="$(eval echo '$'ADDRESS$routenum)/$PREFIX"
if [ "x$(eval echo '$'GATEWAY$routenum)x" != "xx" ]; then
line="$line via $(eval echo '$'GATEWAY$routenum)"
fi
line="$line dev $2"
/sbin/ip route add $line
routenum=$(($routenum+1))
done
}
handle_ip_file() {
local f t type= file=$1 proto="-4"
f=${file##*/}
t=${f%%-*}
type=${t%%6}
if [ "$type" != "$t" ]; then
proto="-6"
fi
{ cat "$file" ; echo ; } | while read line; do
if [[ ! "$line" =~ $MATCH ]]; then
/sbin/ip $proto $type add $line
fi
done
}
FILES="/etc/sysconfig/network-scripts/route-$1 /etc/sysconfig/network-scripts/route6-$1"
if [ -n "$2" -a "$2" != "$1" ]; then
FILES="$FILES /etc/sysconfig/network-scripts/route-$2 /etc/sysconfig/network-scripts/route6-$2"
fi
for file in $FILES; do
if [ -f "$file" ]; then
if grep -Eq '^[[:space:]]*ADDRESS[0-9]+=' $file ; then
# new format
handle_file $file ${1%:*}
else
# older format
handle_ip_file $file
fi
fi
done
# Red Hat network configuration format
NICK=${2:-$1}
CONFIG="/etc/sysconfig/network-scripts/$NICK.route"
[ -f $CONFIG ] && handle_file $CONFIG $1
# Routing rules
FILES="/etc/sysconfig/network-scripts/rule-$1 /etc/sysconfig/network-scripts/rule6-$1"
if [ -n "$2" -a "$2" != "$1" ]; then
FILES="$FILES /etc/sysconfig/network-scripts/rule-$2 /etc/sysconfig/network-scripts/rule6-$2"
fi
for file in $FILES; do
if [ -f "$file" ]; then
handle_ip_file $file
fi
done
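Review bot: `handle_file` runs `. $1` on any `route-*`/`route6-*` file that contains an `ADDRESSn=` line, and on `$NICK.route`, so those files are executed as shell code with the privileges of the caller rather than parsed as data, and nothing in the script says so. I would quote the path (`. "$1"`) and add a comment above it such as `# ADDRESSn= route files are sourced as shell code; keep them root-owned and not group/world-writable`. Since this is a bash script, the `eval echo '$'ADDRESS$routenum` lookups can become indirect expansion (`v=ADDRESS$routenum; addr=${!v}`), which keeps a value from being expanded a second time and from being split on whitespace.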


@@ -0,0 +1,108 @@
#!/bin/bash
#
# ifup-sit
#
#
# Taken from:
# (P) & (C) 2000-2003 by Peter Bieringer <pb@bieringer.de>
#
# You will find more information on the initscripts-ipv6 homepage at
# http://www.deepspace6.net/projects/initscripts-ipv6.html
#
# RHL integration assistance by Pekka Savola <pekkas@netcore.fi>
#
# Version: 2003-09-08
#
# Uses following information from /etc/sysconfig/network:
# IPV6_DEFAULTDEV=<device>: controls default route (optional)
# IPV6_DEFAULTGW=<address>: controls default route (optional)
#
# Uses following information from /etc/sysconfig/network-scripts/ifcfg-$1:
# DEVICE=<device>
# IPV6INIT=yes|no: controls IPv6 configuration for this interface
# IPV6_MTU=<MTU for IPv6>: controls IPv6 MTU for this link (optional)
#
# For static tunnels
# IPV6TUNNELIPV4=<IPv4 address>: IPv4 address of remote tunnel endpoint
# IPV6TUNNELIPV4LOCAL=<IPv4 address>: (optional) local IPv4 address of tunnel
# IPV6ADDR=<IPv6 address>[/<prefix length>]: (optional) local IPv6 address of a numbered tunnel
# IPV6ADDR_SECONDARIES="<IPv6 address>[/<prefix length>] ..." (optional) additional local IPv6 addresses
#
. /etc/sysconfig/network
cd /etc/sysconfig/network-scripts
. ./network-functions
CONFIG=$1
[ -f "$CONFIG" ] || CONFIG=ifcfg-$CONFIG
source_config
# IPv6 don't need aliases anymore, config is skipped
REALDEVICE=${DEVICE%%:*}
[ "$DEVICE" != "$REALDEVICE" ] && exit 0
# Test whether IPv6 configuration is disabled for this interface
is_false "$IPV6INIT" && exit 0
[ -f /etc/sysconfig/network-scripts/network-functions-ipv6 ] || exit 1
. /etc/sysconfig/network-scripts/network-functions-ipv6
# IPv6 test, module loaded, exit if system is not IPv6-ready
ipv6_test || exit 1
# Generic tunnel device sit0 is not supported here
if [ "$DEVICE" = "sit0" ]; then
net_log $"Device '$DEVICE' isn't supported here, use IPV6_AUTOTUNNEL setting and restart (IPv6) networking"
exit 1
fi
if [ -z "$IPV6TUNNELIPV4" ]; then
net_log $"Missing remote IPv4 address of tunnel, configuration is not valid"
exit 1
fi
# Test device status
ipv6_test_device_status $DEVICE
if [ $? = 0 ]; then
# device is already up
net_log $"Device '$DEVICE' is already up, please shutdown first"
exit 1
fi
# Create tunnel
ipv6_add_tunnel_device $DEVICE $IPV6TUNNELIPV4 "" $IPV6TUNNELIPV4LOCAL || exit 1
# Set IPv6 MTU, if given
if [ -n "$IPV6_MTU" ]; then
ipv6_set_mtu $DEVICE $IPV6_MTU
fi
# Apply local IPv6 address, if given (numbered tunnel)
if [ -n "$IPV6ADDR" ]; then
ipv6_add_addr_on_device $DEVICE $IPV6ADDR
fi
# Setup additional IPv6 addresses from list, if given
if [ -n "$IPV6ADDR_SECONDARIES" ]; then
for ipv6addr in $IPV6ADDR_SECONDARIES; do
ipv6_add_addr_on_device $DEVICE $ipv6addr
done
fi
# Setup default IPv6 route, check are done by function
if [ -n "$IPV6_DEFAULTDEV" -o -n "$IPV6_DEFAULTGW" ]; then
ipv6_set_default_route "$IPV6_DEFAULTGW" "$IPV6_DEFAULTDEV" "$DEVICE"
fi
# Setup additional static IPv6 routes on specified interface, if given
if [ -f /etc/sysconfig/static-routes-ipv6 ]; then
LC_ALL=C grep -w "^$DEVICE" /etc/sysconfig/static-routes-ipv6 | while read device ipv6route args; do
ipv6_add_route $ipv6route :: $DEVICE
done
fi
# Setup static routes
/etc/sysconfig/network-scripts/ifup-routes ${REALDEVICE}


@@ -0,0 +1,99 @@
#!/bin/bash
# Copyright (C) 1996-2009 Red Hat, Inc. all rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2,
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
# Thanks to:
# - Razvan Corneliu C.R. Vilt <razvan.vilt@linux360.ro>
# - Aaron Hope <aaron.hope@unh.edu>
# - Sean Millichamp <sean@enertronllc.com>
# for providing the scripts this one is based on
. /etc/init.d/functions
cd /etc/sysconfig/network-scripts
. ./network-functions
CONFIG=$1
need_config "$CONFIG"
source_config
if [ "$PEER_OUTER_IPADDR" = "$PEER_INNER_IPADDR" ]; then
# Specifying PEER_INNER_IPADDR would automatically add a route to the peer
# through the tunnel, redirecting tunnel packets back to the tunnel and
# creating a dead loop.
unset PEER_INNER_IPADDR
fi
case "$TYPE" in
GRE)
MODE=gre
proto=-4
/sbin/modprobe ip_gre
;;
GRE6)
MODE=ip6gre
proto=-6
/sbin/modprobe ip6_gre
;;
IPIP)
MODE=ipip
proto=-4
/sbin/modprobe ipip
;;
IPIP6|EXTERNAL)
MODE=ipip6
proto=-6
/sbin/modprobe ip6_tunnel
;;
*)
net_log $"Invalid tunnel type $TYPE"
exit 1
;;
esac
# Generic tunnel devices are not supported here
if [ "$DEVICE" = gre0 -o "$DEVICE" = tunl0 -o "$DEVICE" = ip6tnl0 ]; then
net_log $"Device '$DEVICE' isn't supported as a valid GRE device name."
exit 1
fi
# Create the tunnel
# The outer addresses are those of the underlying (public) network.
if [ "$TYPE" = 'EXTERNAL' ]; then
/sbin/ip link add "$DEVICE" type ip6tnl external
else
/sbin/ip $proto tunnel add "$DEVICE" mode "$MODE" \
${MY_OUTER_IPADDR:+local "$MY_OUTER_IPADDR"} \
${PEER_OUTER_IPADDR:+remote "$PEER_OUTER_IPADDR"} \
${KEY:+key "$KEY"} ${TTL:+ttl "$TTL"}
fi
if [ -n "$MTU" ]; then
/sbin/ip link set "$DEVICE" mtu "$MTU"
fi
# The inner address are used mainly for communication between a gateway
# and a private network. When the peer is configured with an inner address
# contained in the peer's private network or identical to it's public address,
# it need not be specified.
/sbin/ip addr add "$MY_INNER_IPADDR" dev "$DEVICE" \
${PEER_INNER_IPADDR:+peer "$PEER_INNER_IPADDR"}
/sbin/ip link set dev "$DEVICE" up
# IPv6 initialisation?
/etc/sysconfig/network-scripts/ifup-ipv6 ${CONFIG}
exec /etc/sysconfig/network-scripts/ifup-post "$CONFIG" "$2"
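Review bot: Neither `/sbin/ip link add "$DEVICE" type ip6tnl external` nor the `/sbin/ip $proto tunnel add ...` call has its exit status checked. When tunnel creation fails, the script still runs `ip addr add`, `ip link set ... up`, ifup-ipv6 and ifup-post against a device that does not exist. A check right after the if/else, such as `[ -d "/sys/class/net/$DEVICE" ] || { net_log $"Failed to create tunnel device $DEVICE"; exit 1; }`, stops at the first failure. The header would also benefit from a comment stating that these tunnel modes only encapsulate: `KEY` is a GRE key used to tell tunnels apart, not a secret, and the traffic is neither authenticated nor encrypted unless IPsec is layered on top.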


@@ -0,0 +1,62 @@
#!/bin/bash
# Network Interface Configuration System
# Copyright (c) 1996-2009 Red Hat, Inc. all rights reserved.
#
# Based on PCMCIA wireless script by (David Hinds/Jean Tourrilhes)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2,
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
# Configure wireless network device options. See iw(8) for more info.
# Valid variables:
# MODE: Ad-Hoc, Managed, etc.
# ESSID: Name of the wireless network
# FREQ: Frequency to operate on. See CHANNEL
# KEY: Encryption key for WEP.
# Only meant to be called from ifup.
cd /etc/sysconfig/network-scripts
. ./network-functions
IW=${IW:-iw}
[ "$KEY" ] && KEYS="key d:0:$KEY"
shopt -s nocasematch
case "$MODE" in
managed)
if [ "$ESSID" ]; then
$IW dev "$DEVICE" set type managed
$IW dev "$DEVICE" connect -w "$ESSID" $FREQ $KEYS
fi
;;
ad-hoc)
if [ -n "$ESSID" -a -n "$FREQ" ]; then
$IW dev "$DEVICE" set type ibss
$IW dev "$DEVICE" ibss join "$ESSID" "$FREQ" $KEYS
fi
;;
monitor)
if [ "$FREQ" ]; then
$IW dev "$DEVICE" set type monitor
$IW dev "$DEVICE" set freq "$FREQ"
fi
;;
esac
if [ -n "$WOWLAN" ] ; then
PHYDEVICE=$(phy_wireless_device $DEVICE)
iw phy $PHYDEVICE wowlan enable ${WOWLAN}
fi


@@ -0,0 +1,164 @@
#!/bin/bash
#
# init.ipv6-global
#
#
# Taken from: init.ipv6-global
# (P) & (C) 2001-2005 by Peter Bieringer <pb@bieringer.de>
#
# You will find more information on the initscripts-ipv6 homepage at
# http://www.deepspace6.net/projects/initscripts-ipv6.html
#
# RHL integration assistance by Pekka Savola <pekkas@netcore.fi>
#
# Version: 2005-01-04
#
# Calling parameters:
# $1: action (currently supported: start|stop|showsysctl)
# $2: position for start|stop (currently supported: pre|post)
#
# Called by hooks from /etc/[rc.d/]init.d/network
#
# Uses following information from /etc/sysconfig/network:
# IPV6FORWARDING=yes|no: controls global IPv6 forwarding (default: no)
# IPV6_AUTOCONF=yes|no: controls global automatic IPv6 configuration
# (default: yes if IPV6FORWARDING=no, no if IPV6FORWARDING=yes)
# IPV6_AUTOTUNNEL=yes|no: controls automatic IPv6 tunneling (default: no)
# IPV6_DEFAULTGW=<ipv6address[%interface]> [optional]
# IPV6_DEFAULTDEV=<interface> [optional]
#
. /etc/sysconfig/network
cd /etc/sysconfig/network-scripts
. ./network-functions
# Get action and hook position
ACTION="$1"
POSITION="$2"
[ -f /etc/sysconfig/network-scripts/network-functions-ipv6 ] || exit 1
. /etc/sysconfig/network-scripts/network-functions-ipv6
# Initialize IPv6, depending on caller option
case $ACTION in
start)
case $POSITION in
pre)
# IPv6 test, module loaded, exit if system is not IPv6-ready
ipv6_test || exit 1
if [ "$IPV6FORWARDING" = "yes" ]; then
ipv6_global_forwarding=1
ipv6_global_auto=0
else
ipv6_global_forwarding=0
if [ "$IPV6_AUTOCONF" = "no" ]; then
ipv6_global_auto=0
else
ipv6_global_auto=1
fi
fi
if [ ! "$IPV6_SET_SYSCTLS" = "no" ]; then
# Reset IPv6 sysctl switches for "all", "default" and still existing devices
for i in /proc/sys/net/ipv6/conf/* ; do
interface=${i##*/}
sinterface=${interface/.//}
# Host/Router behaviour for the interface
/sbin/sysctl -e -w net.ipv6.conf.$sinterface.forwarding=$ipv6_global_forwarding >/dev/null 2>&1
# Autoconfiguration and redirect handling for Hosts
/sbin/sysctl -e -w net.ipv6.conf.$sinterface.accept_ra=$ipv6_global_auto >/dev/null 2>&1
/sbin/sysctl -e -w net.ipv6.conf.$sinterface.accept_redirects=$ipv6_global_auto >/dev/null 2>&1
done
fi
;;
post)
# IPv6 test, module loaded, exit if system is not IPv6-ready
ipv6_test || exit 1
if [ "$IPV6_AUTOTUNNEL" = "yes" ]; then
ipv6_enable_autotunnel
# autotunnel interface doesn't require a MTU setup
fi
## Add some routes which should never appear on the wire
# Unreachable IPv4-only addresses, normally blocked by source address selection
/sbin/ip route add unreach ::ffff:0.0.0.0/96
# Unreachable IPv4-mapped addresses
/sbin/ip route add unreach ::0.0.0.0/96
# Unreachable 6to4: IPv4 multicast, reserved, limited broadcast
/sbin/ip route add unreach 2002:e000::/19
# Unreachable 6to4: IPv4 loopback
/sbin/ip route add unreach 2002:7f00::/24
# Unreachable 6to4: IPv4 private (RFC 1918)
/sbin/ip route add unreach 2002:0a00::/24
/sbin/ip route add unreach 2002:ac10::/28
/sbin/ip route add unreach 2002:c0a8::/32
# Unreachable 6to4: IPv4 private (APIPA / DHCP link-local)
/sbin/ip route add unreach 2002:a9fe::/32
# Unreachable IPv6: 6bone test addresses
/sbin/ip route add unreach 3ffe:ffff::/32
# Set default route for autotunnel, if specified
if [ "$IPV6_DEFAULTDEV" = "sit0" -a "$IPV6_AUTOTUNNEL" = "yes" ]; then
if [ -n "$IPV6_DEFAULTGW" ]; then
ipv6_set_default_route $IPV6_DEFAULTGW $IPV6_DEFAULTDEV sit0
elif [ -n "$IPV6_DEFAULTDEV" ]; then
ipv6_set_default_route "" $IPV6_DEFAULTDEV sit0
fi
fi
;;
*)
echo "Usage: $0 $1 {pre|post}"
;;
esac
;;
stop)
case $POSITION in
pre)
;;
post)
# IPv6 test, no module loaded, exit if system is not IPv6-ready
ipv6_test testonly || exit 0
if [ ! "$IPV6_SET_SYSCTLS" = "no" ]; then
for i in /proc/sys/net/ipv6/conf/* ; do
interface=${i##*/}
sinterface=${interface/.//}
# Assume Host behaviour
/sbin/sysctl -e -w net.ipv6.conf.$sinterface.forwarding=0 >/dev/null 2>&1
# Disable autoconfiguration and redirects
/sbin/sysctl -e -w net.ipv6.conf.$sinterface.accept_ra=0 >/dev/null 2>&1
/sbin/sysctl -e -w net.ipv6.conf.$sinterface.accept_redirects=0 >/dev/null 2>&1
done
fi
# Cleanup still existing tunnel devices
ipv6_cleanup_tunnel_devices
# Shut down generic tunnel interface now
if ipv6_test_device_status sit0 ; then
/sbin/ip link set sit0 down
fi
;;
*)
echo "Usage: $0 $1 {pre|post}"
;;
esac
;;
*)
echo $"Usage: $0 {start|stop|reload|restart|showsysctl}"
exit 1
;;
esac
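Review bot: The `start`/`pre` branch rewrites `forwarding`, `accept_ra` and `accept_redirects` for every entry under /proc/sys/net/ipv6/conf unless `IPV6_SET_SYSCTLS=no`, and with `IPV6FORWARDING` and `IPV6_AUTOCONF` unset it sets both `accept_ra` and `accept_redirects` to 1. `IPV6_SET_SYSCTLS` is nevertheless missing from the header's list of variables. On a host whose sysctl configuration turns router advertisements or redirects off, those values would be replaced each time this hook runs, presumably at every network start, since the header says it is called from the network init script. I would add `# IPV6_SET_SYSCTLS=yes|no: rewrite forwarding/accept_ra/accept_redirects on all interfaces (default: yes)` to the header. The `sysctl -e ... >/dev/null 2>&1` calls also hide any failure to apply a value.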


@@ -0,0 +1,729 @@
# -*-Shell-script-*-
#
# This file is not a stand-alone shell script; it provides functions
# to network scripts that source it.
# Set up a default search path.
PATH="/sbin:/usr/sbin:/bin:/usr/bin"
export PATH
# We need to initialize the $HOSTNAME variable by ourselves now:
# (It was previously done for RHEL-6 branch, but got lost in time.)
HOSTNAME="$(hostname)"
[ -z "$__sed_discard_ignored_files" ] && . /etc/init.d/functions
get_hwaddr ()
{
if [ -f /sys/class/net/${1}/address ]; then
tr '[a-z]' '[A-Z]' < /sys/class/net/${1}/address
elif [ -d "/sys/class/net/${1}" ]; then
LC_ALL= LANG= ip -o link show ${1} 2>/dev/null | \
awk '{ print toupper(gensub(/.*link\/[^ ]* ([[:alnum:]:]*).*/,
"\\1", 1)); }'
fi
}
get_config_by_device ()
{
LANG=C grep -l "^[[:space:]]*DEVICE=['\"]\?${1}['\"]\?\([[:space:]#]\|$\)" \
/etc/sysconfig/network-scripts/ifcfg-* \
| LC_ALL=C sed -e "$__sed_discard_ignored_files"
}
get_config_by_hwaddr ()
{
LANG=C grep -il "^[[:space:]]*HWADDR=['\"]\?${1}['\"]\?\([[:space:]#]\|$\)" /etc/sysconfig/network-scripts/ifcfg-* \
| LC_ALL=C sed -e "$__sed_discard_ignored_files"
}
get_config_by_subchannel ()
{
LANG=C grep -E -i -l \
"^[[:space:]]*SUBCHANNELS=['\"]?([0-9]\.[0-9]\.[a-f0-9]+,){0,2}${1}(,[0-9]\.[0-9]\.[a-f0-9]+){0,2}['\"]?([[:space:]]+#|[[:space:]]*$)" \
/etc/sysconfig/network-scripts/ifcfg-* \
| LC_ALL=C sed -e "$__sed_discard_ignored_files"
}
get_config_by_name ()
{
LANG=C grep -E -i -l "^[[:space:]]*NAME=\"(Auto |System )?${1}\"" \
/etc/sysconfig/network-scripts/ifcfg-* \
| LC_ALL=C sed -e "$__sed_discard_ignored_files"
}
get_device_by_hwaddr ()
{
LANG=C ip -o link | awk -F ': ' -vIGNORECASE=1 '!/link\/ieee802\.11/ && /'"$1"'/ { print $2 }'
}
get_uuid_by_config ()
{
dbus-send --system --print-reply --dest=com.redhat.ifcfgrh1 /com/redhat/ifcfgrh1 com.redhat.ifcfgrh1.GetIfcfgDetails string:"/etc/sysconfig/network-scripts/$1" 2>/dev/null | awk -F '"' '/string / { print $2 }'
}
generate_lease_file_name ()
{
local ver=$1
LEASEFILE="/var/lib/dhclient/dhclient$ver-${DEVICE}.leases"
if [ -f $LEASEFILE ]; then
return
fi
LEASEFILE="/var/lib/dhclient/dhclient$ver-${UUID}-${DEVICE}.lease"
}
generate_config_file_name ()
{
local ver=$1
if [ -s /etc/dhcp/dhclient$ver-${DEVICE}.conf ]; then
DHCLIENTCONF="-cf /etc/dhcp/dhclient$ver-${DEVICE}.conf";
elif [ -s /etc/dhclient$ver-${DEVICE}.conf ]; then
DHCLIENTCONF="-cf /etc/dhclient$ver-${DEVICE}.conf";
else
DHCLIENTCONF='';
fi
}
need_config ()
{
local nconfig
CONFIG="ifcfg-${1}"
[ -f "${CONFIG}" ] && return
CONFIG="${1##*/}"
[ -f "${CONFIG}" ] && return
nconfig=$(get_config_by_name "${1}")
if [ -n "$nconfig" ] && [ -f "$nconfig" ]; then
CONFIG=${nconfig##*/}
return
fi
local addr=$(get_hwaddr ${1})
if [ -n "$addr" ]; then
nconfig=$(get_config_by_hwaddr ${addr})
if [ -n "$nconfig" ] ; then
CONFIG=${nconfig##*/}
[ -f "${CONFIG}" ] && return
fi
fi
nconfig=$(get_config_by_device ${1})
if [ -n "$nconfig" ] && [ -f "$nconfig" ]; then
CONFIG=${nconfig##*/}
return
fi
}
source_config ()
{
CONFIG=${CONFIG##*/}
DEVNAME=${CONFIG##ifcfg-}
. /etc/sysconfig/network-scripts/$CONFIG
[ -r "keys-$DEVNAME" ] && . /etc/sysconfig/network-scripts/keys-$DEVNAME
case "$TYPE" in
Ethernet)
DEVICETYPE="eth"
;;
CIPE)
DEVICETYPE="cipcb"
;;
IPSEC)
DEVICETYPE="ipsec"
;;
Modem)
DEVICETYPE="ppp"
;;
xDSL)
DEVICETYPE="ppp"
;;
ISDN)
DEVICETYPE="ippp"
;;
Wireless)
DEVICETYPE="eth"
;;
"Token Ring")
DEVICETYPE="eth"
;;
CTC)
DEVICETYPE="ctc"
;;
GRE | GRE6 | IPIP | IPIP6)
DEVICETYPE="tunnel"
;;
SIT | sit)
DEVICETYPE="sit"
;;
InfiniBand | infiniband)
DEVICETYPE="ib"
;;
OVS*)
DEVICETYPE="ovs"
;;
Bridge)
DEVICETYPE="eth"
;;
esac
if [ -n "$HWADDR" ]; then
HWADDR=$(tr '[a-z]' '[A-Z]' <<<"$HWADDR")
fi
if [ -n "$MACADDR" ]; then
MACADDR=$(tr '[a-z]' '[A-Z]' <<<"$MACADDR")
fi
[ -z "$DEVICE" -a -n "$HWADDR" ] && DEVICE=$(get_device_by_hwaddr $HWADDR)
[ -z "$DEVICETYPE" ] && DEVICETYPE=$(echo ${DEVICE} | sed "s/[0-9]*$//")
[ -z "$REALDEVICE" -a -n "$PARENTDEVICE" ] && REALDEVICE=$PARENTDEVICE
[ -z "$REALDEVICE" ] && REALDEVICE=${DEVICE%%:*}
[ -z "$SYSCTLDEVICE" ] && SYSCTLDEVICE=${REALDEVICE/.//}
if [ "${DEVICE}" != "${REALDEVICE}" ]; then
ISALIAS=yes
else
ISALIAS=no
fi
if is_nm_running && [ "$REALDEVICE" != "lo" ] ; then
nm_con_load "$CONFIG"
if ! is_false $NM_CONTROLLED; then
UUID=$(get_uuid_by_config $CONFIG)
[ -n "$UUID" ] && _use_nm=true
fi
fi
}
nm_con_load () {
dbus-send --system --print-reply \
--dest=org.freedesktop.NetworkManager \
/org/freedesktop/NetworkManager/Settings \
org.freedesktop.NetworkManager.Settings.LoadConnections \
array:string:"/etc/sysconfig/network-scripts/${1}" >/dev/null 2>&1
}
ethtool_set()
{
oldifs=$IFS;
IFS=';';
if [ -n "${ETHTOOL_DELAY}" ]; then
# Convert microseconds to seconds:
local ETHTOOL_DELAY_SEC=$(convert2sec ${ETHTOOL_DELAY} micro)
sleep ${ETHTOOL_DELAY_SEC}
fi
for opts in $ETHTOOL_OPTS ; do
IFS=$oldifs;
if [[ "${opts}" =~ [[:space:]]*- ]]; then
/sbin/ethtool $opts
else
/sbin/ethtool -s ${REALDEVICE} $opts
fi
IFS=';';
done
IFS=$oldifs;
}
expand_config ()
{
local i=0 val
for idx in '' {0..255} ; do
ipaddr[$i]=$(eval echo '$'IPADDR$idx)
if [ -z "${ipaddr[$i]}" ]; then
[ "$idx" ] && [ $idx -ge 2 ] && break
continue
fi
prefix[$i]=$(eval echo '$'PREFIX$idx)
netmask[$i]=$(eval echo '$'NETMASK$idx)
broadcast[$i]=$(eval echo '$'BROADCAST$idx)
arpcheck[$i]=$(eval echo '$'ARPCHECK$idx)
arpupdate[$i]=$(eval echo '$'ARPUPDATE$idx)
if [ "${prefix[$i]}x" != "x" ]; then
val=$(/bin/ipcalc --netmask "${ipaddr[$i]}/${prefix[$i]}")
netmask[$i]=${val##NETMASK=}
fi
if [ "${netmask[$i]}x" = "x" ]; then
val=$(/bin/ipcalc --netmask "${ipaddr[$i]}")
netmask[$i]=${val##NETMASK=}
fi
if [ "${prefix[$i]}x" = "x" ]; then
val=$(/bin/ipcalc --prefix ${ipaddr[$i]} ${netmask[$i]})
prefix[$i]=${val##PREFIX=}
fi
if [ "${broadcast[$i]}x" = "x" ]; then
val=$(/bin/ipcalc --broadcast ${ipaddr[$i]} ${netmask[$i]})
broadcast[$i]=${val##BROADCAST=}
fi
if [ "${arpcheck[$i]}x" != "x" ]; then
arpcheck[$i]=${arpcheck[$i]##ARPCHECK=}
arpcheck[$i]=${arpcheck[$i],,*}
fi
if [ "${arpupdate[$i]}x" != "x" ]; then
arpupdate[$i]=${arpupdate[$i]##ARPUPDATE=}
arpupdate[$i]=${arpupdate[$i],,*}
fi
i=$((i+1))
done
[ -n "$DHCP_HOSTNAME" ] && DHCP_HOSTNAME=${DHCP_HOSTNAME%%.*}
if [ -z "${NETWORK}" ]; then
eval $(/bin/ipcalc --network ${ipaddr[0]} ${netmask[0]})
fi
}
toggle_value ()
{
if [ "$2" = "yes" -o "$2" = "YES" ] ; then
echo "$1 on"
elif [ "$2" = "no" -o "$2" = "NO" ] ; then
echo "$1 off"
else
echo ''
fi
}
is_nm_running ()
{
dbus-send --system --print-reply \
--dest=org.freedesktop.DBus \
/org/freedesktop/DBus \
org.freedesktop.DBus.GetNameOwner \
string:"org.freedesktop.NetworkManager" >/dev/null 2>&1
}
is_nm_active ()
{
LANG=C nmcli -t --fields device,state dev status 2>/dev/null | grep -q "^${1}:connected$"
}
is_nm_handling ()
{
LANG=C nmcli -t --fields device,state dev status 2>/dev/null | grep -q "^\(${1}:connected\)\|\(${1}:connecting.*\)$"
}
is_nm_device_unmanaged ()
{
LANG=C nmcli -t --fields GENERAL dev show "${1}" 2>/dev/null | awk -F ':' '/GENERAL.STATE/ { if ($2 == "unmanaged") exit 0 ; else exit 1; }'
}
# Sets $alias to the device module if $? != 0
is_available ()
{
[ -z "$1" ] && return 1
[ -d "/sys/class/net/$1" ] && return 0
[ -n "$BONDING_OPTS" ] && install_bonding_driver $1
alias=$(modprobe -c | awk \
'BEGIN { alias = ""; }
$1 == "alias" && $2 == "'"$1"'" { alias = $3; }
$1 == "install" { install[$2] = $3; }
END {
cmd = install[alias];
print alias;
if (alias == "" || alias == "off" || cmd == "/bin/true" || cmd == ":")
exit 1;
exit 0;
}
')
[ $? -eq 0 ] || return 2
modprobe $1 > /dev/null 2>&1 || {
return 1
}
if [ -n "$HWADDR" ]; then
local curdev=$(get_device_by_hwaddr "$HWADDR")
if [ -z "$curdev" ]; then
return 1
fi
fi
if [ ${alias} = "bonding" ]; then
install_bonding_driver $1
fi
[ -d "/sys/class/net/$1" ] && return 0 || return 1
}
is_available_wait ()
{
[ -z "$1" ] && return 1
local retry=${2##*[!0-9]*}
is_available $1 && return 0
ret=$?
while [ 0"$retry" -gt 0 ]; do
sleep 1
[ -d "/sys/class/net/$1" ] && return 0
retry=$(($retry -1))
done
return $ret
}
is_hostname_set ()
{
case "${HOSTNAME}" in
'(none)' | 'localhost' | 'localhost.localdomain')
# Hostname NOT set:
return 1
;;
*)
# Hostname IS set:
return 0
;;
esac
}
need_hostname ()
{
# Should we avoid obtaining hostname from DHCP? (user override)
is_true "${NO_DHCP_HOSTNAME}" && return 1
if is_hostname_set; then
# Hostname is already set, we do not need to acquire it:
return 1
else
# Hostname is NOT set, we need to acquire it:
return 0
fi
}
set_hostname_options ()
{
# User explicitly requires to *not* send DHCP_HOSTNAME, DHCP_FQDN or HOSTNAME:
is_false "${DHCP_SEND_HOSTNAME}" && return
if [[ -n "${DHCP_HOSTNAME}" && -n "${DHCP_FQDN}" ]]; then
net_log $"Both 'DHCP_HOSTNAME=${DHCP_HOSTNAME}' and 'DHCP_FQDN=${DHCP_FQDN}' are configured... Using DHCP_FQDN." warning
fi
local hostname_options=''
# DHCP_FQDN takes precedence before DHCP_HOSTNAME -- as it does in NetworkManager,
# and DHCP_HOSTNAME takes precedence before HOSTNAME:
if [[ -n "${DHCP_FQDN}" ]]; then
hostname_options="-F ${DHCP_FQDN}"
elif [[ -n "${DHCP_HOSTNAME}" ]]; then
hostname_options="-H ${DHCP_HOSTNAME}"
elif is_hostname_set; then
# We need to truncate the hostname in case it is the FQDN:
hostname_options="-H ${HOSTNAME%%.*}"
else
# Nothing to send to the DHCP server:
# ['(none)', 'localhost' or 'localhost.localdomain' are not valid]
return
fi
# Append the hostname options to the content of passed variable name:
eval "$1='${!1} ${hostname_options}'"
return
}
set_hostname ()
{
hostname $1
if ! grep search /etc/resolv.conf >/dev/null 2>&1; then
domain=$(echo $1 | sed 's/^[^\.]*\.//')
if [ -n "$domain" ]; then
rsctmp=$(mktemp /tmp/XXXXXX);
cat /etc/resolv.conf > $rsctmp
echo "search $domain" >> $rsctmp
# Backup resolv.conf only if it doesn't exist already:
! [ -f /etc/resolv.conf.save ] && cp -af /etc/resolv.conf /etc/resolv.conf.save
change_resolv_conf $rsctmp
/bin/rm -f $rsctmp
fi
fi
}
check_device_down ()
{
[ ! -d /sys/class/net/$1 ] && return 0
if LC_ALL=C ip -o link show dev $1 2>/dev/null | grep -q ",UP" ; then
return 1
else
return 0
fi
}
check_link_down ()
{
if ! LC_ALL=C ip link show dev $1 2>/dev/null| grep -q ",UP" ; then
ip link set dev $1 up >/dev/null 2>&1
fi
timeout=0
delay=10
[ -n "$LINKDELAY" ] && delay=$(($LINKDELAY * 2))
while [ $timeout -le $delay ]; do
[ "$(cat /sys/class/net/$REALDEVICE/carrier 2>/dev/null)" != "0" ] && return 1
sleep 0.5
timeout=$((timeout+1))
done
return 0
}
check_default_route ()
{
LC_ALL=C ip route list match 0.0.0.0/0 | grep -q default
}
find_gateway_dev ()
{
. /etc/sysconfig/network
if [ -n "${GATEWAY}" -a "${GATEWAY}" != "none" ] ; then
dev=$(LC_ALL=C /sbin/ip route get to "${GATEWAY}" 2>/dev/null | \
sed -n 's/.* dev \([[:alnum:]]*\) .*/\1/p')
if [ -n "$dev" ]; then
GATEWAYDEV="$dev"
fi
fi
}
# After the device $1 goes away, restore the standard default route; typically
# used for ppp with DEFROUTE temporarily replacing the "standard" default
# route.
# FIXME: This function doesn't support some newer features (GATEWAY in ifcfg,
# $WINDOW, $METRIC)
add_default_route ()
{
. /etc/sysconfig/network
check_default_route && return 0
find_gateway_dev
if [ "$GATEWAYDEV" != "" -a -n "${GATEWAY}" -a \
"${GATEWAY}" != "none" ]; then
if ! check_device_down $1; then
if [ "$GATEWAY" = "0.0.0.0" ]; then
/sbin/ip route add default dev ${GATEWAYDEV}
else
/sbin/ip route add default via ${GATEWAY}
fi
fi
elif [ -f /etc/default-routes ]; then
while read spec; do
/sbin/ip route add $spec
done < /etc/default-routes
rm -f /etc/default-routes
fi
}
is_wireless_device ()
{
[ -x /usr/sbin/iw ] || return 1
LC_ALL=C /usr/sbin/iw dev $1 info > /dev/null 2>&1 && return 0
return 1
}
phy_wireless_device ()
{
cat /sys/class/net/$1/phy80211/name
}
bond_master_exists ()
{
local bond_name
[ -z "${1}" ] && return 1
[ ! -f /sys/class/net/bonding_masters ] && return 1
for bond_name in $(< /sys/class/net/bonding_masters); do
[ "${bond_name}" == "${1}" ] && return 0
done
return 1
}
install_bonding_driver ()
{
local fn="install_bonding_driver"
if ! bond_master_exists ${1}; then
modprobe bonding || return 1
echo "+$1" > /sys/class/net/bonding_masters 2>/dev/null
fi
(
# Set config here
need_config "$1"
source_config
if [ -f /sys/class/net/${DEVICE}/bonding/slaves ] && [ $(wc -l < /sys/class/net/${DEVICE}/bonding/slaves) -eq 0 ]; then
/sbin/ip link set dev ${DEVICE} down
# parse options and put them to arrays
for arg in $BONDING_OPTS ; do
bopts_keys[${#bopts_keys[*]}]=${arg%%=*}
bopts_vals[${#bopts_vals[*]}]=${arg##*=}
done
# add the bits to setup driver parameters here
# first set mode, miimon
for (( idx=0; idx < ${#bopts_keys[*]}; idx++ )) ; do
key=${bopts_keys[$idx]}
value=${bopts_vals[$idx]}
if [ "${key}" = "mode" ] ; then
echo "${value}" > /sys/class/net/${DEVICE}/bonding/$key || {
net_log $"Failed to set value '$value' [mode] to ${DEVICE} bonding device" err $fn
}
bopts_keys[$idx]=""
fi
if [ "${key}" = "miimon" ] ; then
echo "${value}" > /sys/class/net/${DEVICE}/bonding/$key || {
net_log $"Failed to set value '$value' [miimon] to ${DEVICE} bonding device" err $fn
}
bopts_keys[$idx]=""
fi
done
# set all other remaining options
for (( idx=0; idx < ${#bopts_keys[*]}; idx++ )) ; do
key=${bopts_keys[$idx]}
value=${bopts_vals[$idx]}
# option already set; take next
[[ -z "$key" ]] && continue
if [ "${key}" = "arp_ip_target" -a "${value:0:1}" != "+" ]; then
OLDIFS=$IFS;
IFS=',';
for arp_ip in $value; do
if ! grep -q $arp_ip /sys/class/net/${DEVICE}/bonding/$key; then
echo +$arp_ip > /sys/class/net/${DEVICE}/bonding/$key || {
net_log $"Failed to set '$arp_ip' value [arp_ip_target] to ${DEVICE} bonding device" err $fn
}
fi
done
IFS=$OLDIFS;
elif [ "${key}" = "arp_ip_target" ]; then
if ! grep -q ${value#+} /sys/class/net/${DEVICE}/bonding/$key; then
echo "$value" > /sys/class/net/${DEVICE}/bonding/$key || {
net_log $"Failed to set '$value' value [arp_ip_target] to ${DEVICE} bonding device" err $fn
}
fi
elif [ "${key}" != "primary" ]; then
echo $value > /sys/class/net/${DEVICE}/bonding/$key || {
net_log $"Failed to set '$value' value [$key] to ${DEVICE} bonding device" err $fn
}
fi
done
fi
)
return 0
}
is_bonding_device ()
{
[ -f "/sys/class/net/$1/bonding/slaves" ]
}
# Invoke this when /etc/resolv.conf has changed:
change_resolv_conf ()
{
s=$(/bin/grep '^[\ \ ]*option' /etc/resolv.conf 2>/dev/null)
if [ $# -gt 1 ]; then
if [ "x$s" != "x" ]; then
s="$s"$'\n'
fi
n_args=$#
while [ $n_args -gt 0 ]; do
case "$s" in
*$1*)
shift
n_args=$(($n_args-1))
continue
;;
esac
s="$s$1"
shift
if [ $# -gt 0 ]; then
s="$s"$'\n'
fi
n_args=$(($n_args-1))
done
elif [ $# -eq 1 ]; then
if [ "x$s" != "x" ]; then
s="$s"$'\n'$(/bin/grep -vF "$s" $1)
else
s=$(cat $1)
fi
fi
(echo "$s" > /etc/resolv.conf) >/dev/null 2>&1;
r=$?
if [ $r -eq 0 ]; then
[ -x /sbin/restorecon ] && /sbin/restorecon /etc/resolv.conf >/dev/null 2>&1 # reset the correct context
/usr/bin/logger -p local7.notice -t "NET" -i "$0 : updated /etc/resolv.conf"
[ -e /run/nscd/socket ] && /usr/sbin/nscd -i hosts # invalidate cache
fi
return $r
}
# Logging function
#
# Usage: net_log <message> <err|warning|info> <optional file/function name>
#
# Default level is 'err'.
net_log()
{
local message="$1"
local level="$2"
local name="$3"
[ -z "$message" ] && return 1
[ -z "$level" ] && level=err
[ -z "$name" ] && name=$0
case $level in
'debug')
local txt_level=$"DEBUG "
;;
'err')
local txt_level=$"ERROR "
;;
'warning')
local txt_level=$"WARN "
;;
'info')
local txt_level=$"INFO "
;;
esac
echo "$txt_level: [$name] $message"
if [ -x /usr/bin/logger ]; then
/usr/bin/logger -p daemon.$level -t "$name" "$message"
fi
return 0
}
update_DNS_entries()
{
# Remove duplicate values from DNS options if any:
if [ -n "${DNS3}" ] && [[ "${DNS3}" == "${DNS2}" || "${DNS3}" == "${DNS1}" ]]; then
unset DNS3
fi
if [ -n "${DNS2}" ] && [[ "${DNS2}" == "${DNS1}" ]]; then
unset DNS2
fi
# Shift the DNS options if necessary:
if [ -z "${DNS1}" ] && [ -n "${DNS2}" ]; then
DNS1="${DNS2}"
unset DNS2
fi
if [ -z "${DNS2}" ] && [ -n "${DNS3}" ]; then
DNS2="${DNS3}"
unset DNS3
fi
# We need to check DNS1 again in case only DNS3 was set at all:
if [ -z "${DNS1}" ] && [ -n "${DNS2}" ]; then
DNS1="${DNS2}"
unset DNS2
fi
}
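Review bot: `set_hostname_options` ends with `eval "$1='${!1} ${hostname_options}'"`, which places DHCP_FQDN, DHCP_HOSTNAME or the current hostname inside single quotes in a string that is then evaluated, so a value containing `'` closes the quote and the rest is run as shell. HOSTNAME is read from `hostname` at the top of this file, and ifup-post can set it from a reverse DNS result, so it is not purely local configuration. `printf -v "$1" '%s %s' "${!1}" "${hostname_options}"` assigns the same string without evaluating it; the function already relies on bash features such as `[[` and `${!1}`. `get_device_by_hwaddr` has a related pattern: it splices `$1` into the awk program text, where passing it with `-v hw="$1"` and matching `$0 ~ hw` would keep it as data.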

File diff suppressed because it is too large Load Diff


@@ -0,0 +1 @@
default via 192.168.1.1 dev eth0

8
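--- a/sysconfig/nftables.conf
+++ b/sysconfig/nftables.conf
@@ -0,0 +1,8 @@
+# Uncomment the include statement here to load the default config sample
+# in /etc/nftables for nftables service.
+#include "/etc/nftables/main.nft"
+# To customize, either edit the samples in /etc/nftables, append further
+# commands to the end of this file or overwrite it after first service
+# start by calling: 'nft list ruleset >/etc/sysconfig/nftables.conf'.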

1
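--- a/sysconfig/node_exporter
+++ b/sysconfig/node_exporter
@@ -0,0 +1 @@
+OPTIONS=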

2
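--- a/sysconfig/nrpe
+++ b/sysconfig/nrpe
@@ -0,0 +1,2 @@
+# specify additional command line arguments for nrpe
+NRPE_SSL_OPT=""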

8
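--- a/sysconfig/opendkim
+++ b/sysconfig/opendkim
@@ -0,0 +1,8 @@
+# Set the necessary startup options
+OPTIONS="-x /etc/opendkim.conf -P /run/opendkim/opendkim.pid"
+# Set the default DKIM selector
+DKIM_SELECTOR=default
+# Set the default DKIM key location
+DKIM_KEYDIR=/etc/opendkim/keys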

2
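--- a/sysconfig/opendmarc
+++ b/sysconfig/opendmarc
@@ -0,0 +1,2 @@
+# Set the necessary startup options
+OPTIONS="-c /etc/opendmarc.conf -P /var/run/opendmarc/opendmarc.pid"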

1
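--- a/sysconfig/pptpd
+++ b/sysconfig/pptpd
@@ -0,0 +1 @@
+OPTIONS=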

19
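--- a/sysconfig/qemu-ga
+++ b/sysconfig/qemu-ga
@@ -0,0 +1,19 @@
+# This is a systemd environment file, not a shell script.
+# It provides settings for "/lib/systemd/system/qemu-guest-agent.service".
+# Comma-separated blacklist of RPCs to disable, or empty list to enable all.
+#
+# You can get the list of RPC commands using "qemu-ga --blacklist='?'".
+# There should be no spaces between commas and commands in the blacklist.
+BLACKLIST_RPC=guest-file-open,guest-file-close,guest-file-read,guest-file-write,guest-file-seek,guest-file-flush,guest-exec,guest-exec-status
+# Fsfreeze hook script specification.
+#
+# FSFREEZE_HOOK_PATHNAME=/dev/null : disables the feature.
+#
+# FSFREEZE_HOOK_PATHNAME=/path/to/executable : enables the feature with the
+# specified binary or shell script.
+#
+# FSFREEZE_HOOK_PATHNAME= : enables the feature with the
+# default value (invoke "qemu-ga --help" to interrogate).
+FSFREEZE_HOOK_PATHNAME=/etc/qemu-ga/fsfreeze-hook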
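Review bot: The `BLACKLIST_RPC` line disables the file and exec RPCs but leaves `guest-set-user-password` enabled, so anything that can reach the agent channel from the host side can still change account passwords inside this guest. If host-initiated password resets are not part of how this VM is managed, append `,guest-set-user-password` to the list, and compare the list against the output of `qemu-ga --blacklist='?'` for other state-changing RPCs this agent build offers. If it is left enabled on purpose, say so in a comment above the line, for example `# guest-set-user-password stays enabled: used by the hosting panel for resets`. The fsfreeze hook at `/etc/qemu-ga/fsfreeze-hook` is run by the agent, so that script and its directory should be writable by root only.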

54
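--- a/sysconfig/rhn/up2date
+++ b/sysconfig/rhn/up2date
@@ -0,0 +1,54 @@
+# Red Hat Update Agent config file.
+# Format: 1.0
+debug[comment]=Whether or not debugging is enabled
+debug=0
+systemIdPath[comment]=Location of system id
+systemIdPath=/etc/sysconfig/rhn/systemid
+serverURL[comment]=Remote server URL (use FQDN)
+serverURL=https://enter.your.server.url.here/XMLRPC
+hostedWhitelist[comment]=RHN Hosted URL's
+hostedWhitelist=
+enableProxy[comment]=Use a HTTP Proxy
+enableProxy=0
+versionOverride[comment]=Override the automatically determined system version
+versionOverride=
+httpProxy[comment]=HTTP proxy in host:port format, e.g. squid.redhat.com:3128
+httpProxy=
+noReboot[comment]=Disable the reboot actions
+noReboot=0
+networkRetries[comment]=Number of attempts to make at network connections before giving up
+networkRetries=1
+disallowConfChanges[comment]=Config options that can not be overwritten by a config update action
+disallowConfChanges=noReboot;sslCACert;useNoSSLForPackages;serverURL;disallowConfChanges;
+sslCACert[comment]=The CA cert used to verify the ssl server
+sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
+# Akamai does not support http protocol, therefore setting this option as side effect disable "Location aware" function
+useNoSSLForPackages[comment]=Use HTTP for package, package list, and header fetching (disable Akamai)
+useNoSSLForPackages=0
+retrieveOnly[comment]=Retrieve packages only
+retrieveOnly=0
+skipNetwork[comment]=Skips network information in hardware profile sync during registration.
+skipNetwork=0
+writeChangesToLog[comment]=Log to /var/log/up2date which packages has been added and removed
+writeChangesToLog=0
+stagingContent[comment]=Retrieve content of future actions in advance
+stagingContent=1
+stagingContentWindow[comment]=How much forward we should look for future actions. In hours.
+stagingContentWindow=24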

10
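--- a/sysconfig/rkhunter
+++ b/sysconfig/rkhunter
@@ -0,0 +1,10 @@
+# System configuration file for Rootkit Hunter which
+# stores RPM system specifics for cron run, etc.
+#
+# MAILTO= <email address to send scan report>
+# DIAG_SCAN= no - perform normal report scan
+# yes - perform detailed report scan
+# (includes application check)
+MAILTO=root@localhost
+DIAG_SCAN=no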

3
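--- a/sysconfig/rpcbind
+++ b/sysconfig/rpcbind
@@ -0,0 +1,3 @@
+#
+# Optional arguments passed to rpcbind. See rpcbind(8)
+RPCBIND_ARGS=""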

5
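--- a/sysconfig/rsyslog
+++ b/sysconfig/rsyslog
@@ -0,0 +1,5 @@
+# Options for rsyslogd
+# Syslogd options are deprecated since rsyslog v3.
+# If you want to use them, switch to compatibility mode 2 by "-c 2"
+# See rsyslogd(8) for more details
+SYSLOGD_OPTIONS=""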

0
sysconfig/run-parts Normal file

23
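--- a/sysconfig/sa-update
+++ b/sysconfig/sa-update
@@ -0,0 +1,23 @@
+# sa-update configuration
+#
+# Note that the opposite of "yes" is the empty string, NOT "no"
+# Don't run sa-update even if it's in /etc/cron.d/ - as installed
+#SAUPDATE=no
+# Run sa-update even if no daemon is detected
+#SAUPDATE=yes
+# Default: Run only if a daemon is detected
+# Options for the actual sa-update command
+# These are added to the channel configuration from
+# /etc/mail/spamassassin/channel.d/*.conf
+# OPTIONS=-v
+# Debug script - send mail even if no update available
+# DEBUG=yes
+# Send mail when updates successfully processed
+# Default: send mail only on error
+#NOTIFY_UPD=yes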

11
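--- a/sysconfig/saslauthd
+++ b/sysconfig/saslauthd
@@ -0,0 +1,11 @@
+# Directory in which to place saslauthd's listening socket, pid file, and so
+# on. This directory must already exist.
+SOCKETDIR=/run/saslauthd
+# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
+# of which mechanism your installation was compiled with the ablity to use.
+MECH=pam
+# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
+# for the list of accepted flags.
+FLAGS=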

1
sysconfig/selinux Symbolic link

@@ -0,0 +1 @@
../selinux/config

1
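--- a/sysconfig/snapd
+++ b/sysconfig/snapd
@@ -0,0 +1 @@
+SNAP_REEXEC=0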

4
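--- a/sysconfig/snmpd
+++ b/sysconfig/snmpd
@@ -0,0 +1,4 @@
+# snmpd command line options
+# '-f' is implicitly added by snmpd systemd unit file
+# OPTIONS="-LS0-6d"
+OPTIONS="-LS0-5d -Lf /dev/null -p /var/run/snmpd.pid -a"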
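Review bot: The active `OPTIONS` line asks for source-address logging with `-a` but also caps syslog at priority 5 with `-LS0-5d` and sends the file log to `/dev/null`, so the per-request address lines are probably discarded. This assumes net-snmp emits them at info level (6), which should be confirmed against the installed version. If a record of who queries the agent is wanted for auditing, keep the range from the commented default, `OPTIONS="-LS0-6d -p /var/run/snmpd.pid -a"`, and filter the noise in rsyslog instead. If the intent was to silence request logging, drop `-a` and add a comment such as `# request logging intentionally disabled; access is restricted in snmpd.conf`.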

3
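--- a/sysconfig/snmptrapd
+++ b/sysconfig/snmptrapd
@@ -0,0 +1,3 @@
+# snmptrapd command line options
+# '-f' is implicitly added by snmptrapd systemd unit file
+# OPTIONS="-Lsd"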

2
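--- a/sysconfig/spamassassin
+++ b/sysconfig/spamassassin
@@ -0,0 +1,2 @@
+# Options to spamd
+SPAMDOPTIONS="-c -m5 -H --razor-home-dir='/var/spool/amavisd/.razor' --razor-log-file='sys-syslog' --ipv4only"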
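Review bot: `SPAMDOPTIONS` carries no `-u`, so unless the unit file (not shown here) sets a user, spamd starts as root and switches to whichever account each spamc request names, and `-c` then creates preference files in that account's home. Running it under a fixed unprivileged account narrows that, for example `SPAMDOPTIONS="-u <service-account> -c -m5 -H ..."` with the rest unchanged. The razor paths under `/var/spool/amavisd` suggest the amavis account may be the intended one, but that is a guess from this line alone. A comment above the variable stating which account spamd is meant to run as would make the choice reviewable.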

17
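--- a/sysconfig/sshd
+++ b/sysconfig/sshd
@@ -0,0 +1,17 @@
+# Configuration file for the sshd service.
+# The server keys are automatically generated if they are missing.
+# To change the automatic creation, adjust sshd.service options for
+# example using systemctl enable sshd-keygen@dsa.service to allow creation
+# of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key
+# creation.
+# Do not change this option unless you have hardware random
+# generator and you REALLY know what you are doing
+SSH_USE_STRONG_RNG=0
+# SSH_USE_STRONG_RNG=1
+# System-wide crypto policy:
+# To opt-out, uncomment the following line
+# CRYPTO_POLICY=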

5
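--- a/sysconfig/sslh
+++ b/sysconfig/sslh
@@ -0,0 +1,5 @@
+#
+# The options passed to the sslh binary can be provided here
+# Defaults to passing the configuration file to the daemon
+#
+DAEMON_OPTS="-F/etc/sslh.cfg"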

4
sysconfig/svnserve Normal file

@@ -0,0 +1,4 @@
# OPTIONS is used to pass command-line arguments to svnserve.
#
# Specify the repository location in -r parameter:
OPTIONS="-r /var/svn"