
Besides the usual style changes:

- verify that kbd is executable and kbdtype is not empty
- use safer 'print --' to pipe the initial pf ruleset to pfctl
- simplify the ipsecctl if-block
Feedback and OK halex@
OK krw@
OPENBSD_5_9
rpe 9 years ago
parent
commit
d4fca8ad21
1 changed files with 31 additions and 25 deletions
  1. +31
    -25
      src/etc/rc

src/etc/rc View File

@ -1,4 +1,4 @@
# $OpenBSD: rc,v 1.463 2015/09/13 13:29:22 rpe Exp $
# $OpenBSD: rc,v 1.464 2015/09/29 17:40:56 rpe Exp $
# System startup script run by init on autoboot or after single-user. # System startup script run by init on autoboot or after single-user.
# Output and error are redirected to console by init, and the console is the # Output and error are redirected to console by init, and the console is the
@ -267,13 +267,15 @@ rm -f /fastboot # XXX (root now writeable)
echo 'setting tty flags' echo 'setting tty flags'
ttyflags -a ttyflags -a
if [ -f /sbin/kbd -a -f /etc/kbdtype ]; then
kbd `cat /etc/kbdtype`
# Set keyboard encoding.
if [[ -x /sbin/kbd && -s /etc/kbdtype ]]; then
kbd "$(cat /etc/kbdtype)"
fi fi
wsconsctl_conf wsconsctl_conf
if [ X"${pf}" != X"NO" ]; then
# Set initial temporary pf rule set.
if [[ $pf != NO ]]; then
RULES="block all" RULES="block all"
RULES="$RULES\npass on lo0" RULES="$RULES\npass on lo0"
RULES="$RULES\npass in proto tcp from any to any port ssh keep state" RULES="$RULES\npass in proto tcp from any to any port ssh keep state"
@ -291,7 +293,7 @@ if [ X"${pf}" != X"NO" ]; then
fi fi
RULES="$RULES\npass in proto carp keep state (no-sync)" RULES="$RULES\npass in proto carp keep state (no-sync)"
RULES="$RULES\npass out proto carp !received-on any keep state (no-sync)" RULES="$RULES\npass out proto carp !received-on any keep state (no-sync)"
case `sysctl vfs.mounts.nfs 2>/dev/null` in
case $(sysctl vfs.mounts.nfs 2>/dev/null) in
*[1-9]*) *[1-9]*)
# Don't kill NFS. # Don't kill NFS.
RULES="set reassemble yes no-df\n$RULES" RULES="set reassemble yes no-df\n$RULES"
@ -299,7 +301,7 @@ if [ X"${pf}" != X"NO" ]; then
RULES="$RULES\npass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any" RULES="$RULES\npass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any"
;; ;;
esac esac
echo $RULES | pfctl -f -
print -- "$RULES" | pfctl -f -
pfctl -e pfctl -e
fi fi
@ -309,23 +311,28 @@ fill_baddynamic tcp
sysctl_conf sysctl_conf
# Set hostname, turn on network.
echo 'starting network' echo 'starting network'
# Set carp interlock by increasing the demotion counter.
# Prevents carp from preempting until the system is booted.
ifconfig -g carp carpdemote 128 ifconfig -g carp carpdemote 128
if [ -f /etc/resolv.conf.save ]; then
# Recover resolv.conf in case dhclient died hard.
if [[ -f /etc/resolv.conf.save ]]; then
mv -f /etc/resolv.conf.save /etc/resolv.conf mv -f /etc/resolv.conf.save /etc/resolv.conf
touch /etc/resolv.conf touch /etc/resolv.conf
fi fi
sh /etc/netstart sh /etc/netstart
dmesg >/dev/random # Any write triggers a rekey. dmesg >/dev/random # Any write triggers a rekey.
# Load pf rules and bring up pfsync interface. # Load pf rules and bring up pfsync interface.
if [ X"${pf}" != X"NO" ]; then
if [ -f /etc/pf.conf ]; then
if [[ $pf != NO ]]; then
if [[ -f /etc/pf.conf ]]; then
pfctl -f /etc/pf.conf pfctl -f /etc/pf.conf
fi fi
# Bring up pfsync after the working ruleset has been loaded.
if [ -f /etc/hostname.pfsync0 ]; then
if [[ -f /etc/hostname.pfsync0 ]]; then
sh /etc/netstart pfsync0 sh /etc/netstart pfsync0
fi fi
fi fi
@ -340,8 +347,7 @@ rm -f /etc/nologin /var/spool/lock/LCK.* /var/spool/uucp/STST/*
(cd /var/run && { rm -rf -- *; install -c -m 664 -g utmp /dev/null utmp; }) (cd /var/run && { rm -rf -- *; install -c -m 664 -g utmp /dev/null utmp; })
(cd /var/authpf && rm -rf -- *) (cd /var/authpf && rm -rf -- *)
# Save a copy of the boot messages.
dmesg >/var/run/dmesg.boot
dmesg >/var/run/dmesg.boot # Save a copy of the boot messages.
make_keys make_keys
@ -351,42 +357,42 @@ start_daemon iscsid isakmpd iked sasyncd ldapd npppd
echo '.' echo '.'
# Load IPsec rules. # Load IPsec rules.
if [ X"${ipsec}" != X"NO" ]; then
if [ -f /etc/ipsec.conf ]; then
ipsecctl -f /etc/ipsec.conf
fi
if [[ $ipsec != NO && -f /etc/ipsec.conf ]]; then
ipsecctl -f /etc/ipsec.conf
fi fi
echo -n 'starting RPC daemons:' echo -n 'starting RPC daemons:'
start_daemon portmap ypldap start_daemon portmap ypldap
if [ X"`domainname`" != X"" ]; then
if [[ -n $(domainname) ]]; then
start_daemon ypserv ypbind yppasswdd start_daemon ypserv ypbind yppasswdd
fi fi
start_daemon mountd nfsd lockd statd amd start_daemon mountd nfsd lockd statd amd
echo '.' echo '.'
# Check and mount remaining file systems and enable additional swap.
mount -a mount -a
swapctl -A -t noblk swapctl -A -t noblk
# Check and mount networked filesystems.
do_fsck -N do_fsck -N
mount -a -N mount -a -N
# /var/crash should be a directory or a symbolic link to the crash directory # /var/crash should be a directory or a symbolic link to the crash directory
# if core dumps are to be saved. # if core dumps are to be saved.
if [ -d /var/crash ]; then
savecore ${savecore_flags} /var/crash
if [[ -d /var/crash ]]; then
savecore $savecore_flags /var/crash
fi fi
if [ X"${check_quotas}" = X"YES" ]; then
if [[ $check_quotas == YES ]]; then
echo -n 'checking quotas:' echo -n 'checking quotas:'
quotacheck -a quotacheck -a
echo ' done.' echo ' done.'
quotaon -a quotaon -a
fi fi
kvm_mkdb # build kvm(3) databases
# Build kvm(3) and /dev databases.
kvm_mkdb
dev_mkdb dev_mkdb
# Set proper permission for the tty device files.
chmod 666 /dev/tty[pqrstuvwxyzPQRST]* chmod 666 /dev/tty[pqrstuvwxyzPQRST]*
chown root:wheel /dev/tty[pqrstuvwxyzPQRST]* chown root:wheel /dev/tty[pqrstuvwxyzPQRST]*
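Review bot: The "Load pf rules and bring up pfsync interface." comment should spell out what happens on the failure paths of that block: when /etc/pf.conf is absent the `[[ -f /etc/pf.conf ]]` guard skips the load, and since `pfctl -e` already ran earlier and nothing here disables pf, the temporary ruleset built before netstart (block all, pass on lo0, ssh, carp and the NFS exceptions) remains the active policy. That fail-closed behaviour is the whole reason the bootstrap rules exist, but it is invisible to someone reading only this block, and the return status of `pfctl -f /etc/pf.conf` is not checked. I'd extend the comment to `# Load pf rules and bring up pfsync interface.` / `# If pf.conf is missing or rejected, the temporary ruleset installed` / `# before netstart stays in effect (fail closed).` The "rejected" half relies on pfctl keeping the current ruleset when the new file fails to parse, which this hunk does not show — confirm before committing that wording.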

