path: root/etc/rc.network

#!/bin/sh -
#
# Copyright (c) 1993  The FreeBSD Project
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD$
#	From: @(#)netstart	5.9 (Berkeley) 3/30/91
#

# Note that almost all of the user-configurable behavior is no longer in
# this file, but rather in /etc/defaults/rc.conf.  Please check that file
# first before contemplating any changes here.  If you do need to change
# this file for some reason, we would like to know about it.

# First pass startup stuff.
#
network_pass1() {
	echo -n 'Doing initial network setup:'

	# Generate host.conf for compatibility
	#
	if [ -f "/etc/nsswitch.conf" ]; then
		echo -n ' host.conf'
		generate_host_conf /etc/nsswitch.conf /etc/host.conf
	fi

	# Convert host.conf to nsswitch.conf if necessary
	#
	if [ -f "/etc/host.conf" -a ! -f "/etc/nsswitch.conf" ]; then
		echo ''
		echo 'Warning: /etc/host.conf is no longer used'
		echo '  /etc/nsswitch.conf will be created for you'
		convert_host_conf /etc/host.conf /etc/nsswitch.conf
	fi

	# Set the host name if it is not already set
	#
	if [ -z "`hostname -s`" ]; then
		hostname ${hostname}
		echo -n ' hostname'
	fi

	# Establish ipfilter ruleset as early as possible (best in
	# addition to IPFILTER_DEFAULT_BLOCK in the kernel config file)

	# check whether ipfilter and/or ipnat is enabled
	ipfilter_active="NO"
	case ${ipfilter_enable} in
	[Yy][Ee][Ss])
		ipfilter_active="YES"
		;;
	esac
	case ${ipnat_enable} in
	[Yy][Ee][Ss])
		ipfilter_active="YES"
		;;
	esac
	case ${ipfilter_active} in
	[Yy][Ee][Ss])
		# load ipfilter kernel module if needed
		if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then
			if kldload ipl; then
				echo 'IP-filter module loaded.'
			else
				echo 'Warning: IP-filter module failed to load.'
				# avoid further errors
				ipfilter_active="NO"
				ipmon_enable="NO"
				ipfilter_enable="NO"
				ipnat_enable="NO"
				ipfs_enable="NO"
			fi
		fi
		# start ipmon before loading any rules
		case "${ipmon_enable}" in
		[Yy][Ee][Ss])
			echo -n ' ipmon'
			${ipmon_program:-/sbin/ipmon} ${ipmon_flags}
			;;
		esac
		case "${ipfilter_enable}" in
		[Yy][Ee][Ss])
			if [ -r "${ipfilter_rules}" -o \
			     -r "${ipv6_ipfilter_rules}" ]; then
				echo -n ' ipfilter'
				${ipfilter_program:-/sbin/ipf} -Fa
				if [ -r "${ipfilter_rules}" ]; then
					${ipfilter_program:-/sbin/ipf} \
					    -f "${ipfilter_rules}" \
					    ${ipfilter_flags}
				fi
				if [ -r "${ipv6_ipfilter_rules}" ]; then
					${ipfilter_program:-/sbin/ipf} -6 \
					    -f "${ipv6_ipfilter_rules}" \
					    ${ipfilter_flags}
				fi
			else
				ipfilter_enable="NO"
				echo -n ' NO IPF RULES'
			fi
			;;
		esac
		case "${ipnat_enable}" in
		[Yy][Ee][Ss])
			if [ -r "${ipnat_rules}" ]; then
				echo -n ' ipnat'
				eval ${ipnat_program:-/sbin/ipnat} -CF -f \
				    "${ipnat_rules}" ${ipnat_flags}
			else
				ipnat_enable="NO"
				echo -n ' NO IPNAT RULES'
			fi
			;;
		esac
		# restore filter/NAT state tables after loading the rules
		case "${ipfs_enable}" in
		[Yy][Ee][Ss])
			if [ -r "/var/db/ipf/ipstate.ipf" ]; then
				echo -n ' ipfs'
				${ipfs_program:-/sbin/ipfs} -R ${ipfs_flags}
				# remove files to avoid reloading old state
				# after an ungraceful shutdown
				rm -f /var/db/ipf/ipstate.ipf
				rm -f /var/db/ipf/ipnat.ipf
			fi
			;;
		esac
		;;
	esac

	# Set the domainname if we're using NIS
	#
	case ${nisdomainname} in
	[Nn][Oo] | '')
		;;
	*)
		domainname ${nisdomainname}
		echo -n ' domain'
		;;
	esac

	echo '.'

	# Initial ATM interface configuration
	#
	case ${atm_enable} in
	[Yy][Ee][Ss])
		if [ -r /etc/rc.atm ]; then
			. /etc/rc.atm
			atm_pass1
		fi
		;;
	esac

	# Attempt to create cloned interfaces.
	for ifn in ${cloned_interfaces}; do
		ifconfig ${ifn} create
	done

	# Special options for sppp(4) interfaces go here.  These need
	# to go _before_ the general ifconfig section, since in the case
	# of hardwired (no link1 flag) but required authentication, you
	# cannot pass auth parameters down to the already running interface.
	#
	for ifn in ${sppp_interfaces}; do
		eval spppcontrol_args=\$spppconfig_${ifn}
		if [ -n "${spppcontrol_args}" ]; then
			# The auth secrets might contain spaces; in order
			# to retain the quotation, we need to eval them
			# here.
			eval spppcontrol ${ifn} ${spppcontrol_args}
		fi
	done

	# gifconfig
	network_gif_setup

	# Set up all the network interfaces, calling startup scripts if needed
	#
	case ${network_interfaces} in
	[Aa][Uu][Tt][Oo])
		network_interfaces="`ifconfig -l`"
		;;
	*)
		network_interfaces="${network_interfaces} ${cloned_interfaces}"
		;;
	esac

	dhcp_interfaces=""
	for ifn in ${network_interfaces}; do
		_up=`ifconfig ${ifn} | head -1 | grep -v LOOPBACK | grep UP,`
		if [ "$_up" != "" ]; then
			# Interface is already up, so ignore it.
			continue;
		fi

		if [ -r /etc/start_if.${ifn} ]; then
			. /etc/start_if.${ifn}
			eval showstat_$ifn=1
		fi

		# Do the primary ifconfig if specified
		#
		eval ifconfig_args=\$ifconfig_${ifn}

		case ${ifconfig_args} in
		'')
			;;
		[Dd][Hh][Cc][Pp])
			# DHCP inits are done all in one go below
			dhcp_interfaces="$dhcp_interfaces $ifn"
			eval showstat_$ifn=1
			;;
		*)
			ifconfig ${ifn} ${ifconfig_args}
			eval showstat_$ifn=1
			;;
		esac
	done

	if [ ! -z "${dhcp_interfaces}" ]; then
		${dhcp_program:-/sbin/dhclient} ${dhcp_flags} ${dhcp_interfaces}
	fi

	for ifn in ${network_interfaces}; do
		# Check to see if aliases need to be added
		#
		alias=0
		while : ; do
			eval ifconfig_args=\$ifconfig_${ifn}_alias${alias}
			if [ -n "${ifconfig_args}" ]; then
				ifconfig ${ifn} ${ifconfig_args} alias
				eval showstat_$ifn=1
				alias=$((${alias} + 1))
			else
				break;
			fi
		done

		# Do ipx address if specified
		#
		eval ifconfig_args=\$ifconfig_${ifn}_ipx
		if [ -n "${ifconfig_args}" ]; then
			ifconfig ${ifn} ${ifconfig_args}
			eval showstat_$ifn=1
		fi
	done

	for ifn in ${network_interfaces}; do
		eval showstat=\$showstat_${ifn}
		if [ ! -z ${showstat} ]; then
			ifconfig ${ifn}
		fi
	done

	# ISDN subsystem startup
	#
	case ${isdn_enable} in
	[Yy][Ee][Ss])
		if [ -r /etc/rc.isdn ]; then
			. /etc/rc.isdn
		fi
		;;
	esac

	# Start user ppp if required.  This must happen before natd.
	#
	case ${ppp_enable} in
	[Yy][Ee][Ss])
		# Establish ppp mode.
		#
		if [ "${ppp_mode}" != "ddial" -a "${ppp_mode}" != "direct" \
			-a "${ppp_mode}" != "dedicated" \
			-a "${ppp_mode}" != "background" ]; then
			ppp_mode="auto"
		fi

		ppp_command="/usr/sbin/ppp -quiet -${ppp_mode}"

		# Switch on NAT mode?
		#
		case ${ppp_nat} in
		[Yy][Ee][Ss])
			ppp_command="${ppp_command} -nat"
			;;
		esac

		ppp_command="${ppp_command} ${ppp_profile}"

		echo "Starting ppp as \"${ppp_user}\""
		su -m ${ppp_user} -c "exec ${ppp_command}"
		;;
	esac

	# Re-Sync ipfilter so it picks up any new network interfaces
	#
	case ${ipfilter_active} in
	[Yy][Ee][Ss])
		${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} >/dev/null
		;;
	esac
	unset ipfilter_active

	# Initialize IP filtering using ipfw
	#
	if /sbin/ipfw -q flush > /dev/null 2>&1; then
		firewall_in_kernel=1
	else
		firewall_in_kernel=0
	fi

	case ${firewall_enable} in
	[Yy][Ee][Ss])
		if [ "${firewall_in_kernel}" -eq 0 ] && kldload ipfw; then
			firewall_in_kernel=1
			echo 'Kernel firewall module loaded'
		elif [ "${firewall_in_kernel}" -eq 0 ]; then
			echo 'Warning: firewall kernel module failed to load'
		fi
		;;
	esac

	# Load the filters if required
	#
	case ${firewall_in_kernel} in
	1)
		if [ -z "${firewall_script}" ]; then
			firewall_script=/etc/rc.firewall
		fi

		case ${firewall_enable} in
		[Yy][Ee][Ss])
			if [ -r "${firewall_script}" ]; then
				. "${firewall_script}"
				echo -n 'Firewall rules loaded, starting divert daemons:'

				# Network Address Translation daemon
				#
				case ${natd_enable} in
				[Yy][Ee][Ss])
					if [ -n "${natd_interface}" ]; then
						if echo ${natd_interface} | \
							grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
							natd_flags="$natd_flags -a ${natd_interface}"
						else
							natd_flags="$natd_flags -n ${natd_interface}"
						fi
					fi
					echo -n ' natd'; ${natd_program:-/sbin/natd} ${natd_flags}
					;;
				esac

				echo '.'

			elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then
				echo 'Warning: kernel has firewall functionality,' \
				     'but firewall rules are not enabled.'
				echo '		 All ip services are disabled.'
			fi

			case ${firewall_logging} in
			[Yy][Ee][Ss] | '')
				echo 'Firewall logging=YES'
				sysctl net.inet.ip.fw.verbose=1 >/dev/null
				;;
			*)
				;;
			esac

			;;
		esac
		;;
	esac

	# Additional ATM interface configuration
	#
	if [ -n "${atm_pass1_done}" ]; then
		atm_pass2
	fi

	# Configure routing
	#
	case ${defaultrouter} in
	[Nn][Oo] | '')
		;;
	*)
		static_routes="default ${static_routes}"
		route_default="default ${defaultrouter}"
		;;
	esac

	# Set up any static routes.  This should be done before router discovery.
	#
	if [ -n "${static_routes}" ]; then
		for i in ${static_routes}; do
			eval route_args=\$route_${i}
			route add ${route_args}
		done
	fi

	echo -n 'Additional routing options:'
	case ${tcp_extensions} in
	[Yy][Ee][Ss] | '')
		;;
	*)
		echo -n ' tcp extensions=NO'
		sysctl net.inet.tcp.rfc1323=0 >/dev/null
		;;
	esac

	case ${icmp_bmcastecho} in
	[Yy][Ee][Ss])
		echo -n ' broadcast ping responses=YES'
		sysctl net.inet.icmp.bmcastecho=1 >/dev/null
		;;
	esac

	case ${icmp_drop_redirect} in
	[Yy][Ee][Ss])
		echo -n ' ignore ICMP redirect=YES'
		sysctl net.inet.icmp.drop_redirect=1 >/dev/null
		;;
	esac

	case ${icmp_log_redirect} in
	[Yy][Ee][Ss])
		echo -n ' log ICMP redirect=YES'
		sysctl net.inet.icmp.log_redirect=1 >/dev/null
		;;
	esac

	case ${gateway_enable} in
	[Yy][Ee][Ss])
		echo -n ' IP gateway=YES'
		sysctl net.inet.ip.forwarding=1 >/dev/null
		;;
	esac

	case ${forward_sourceroute} in
	[Yy][Ee][Ss])
		echo -n ' do source routing=YES'
		sysctl net.inet.ip.sourceroute=1 >/dev/null
		;;
	esac

	case ${accept_sourceroute} in
	[Yy][Ee][Ss])
		echo -n ' accept source routing=YES'
		sysctl net.inet.ip.accept_sourceroute=1 >/dev/null
		;;
	esac

	case ${tcp_keepalive} in
	[Nn][Oo])
		echo -n ' TCP keepalive=NO'
		sysctl net.inet.tcp.always_keepalive=0 >/dev/null
		;;
	esac

	case ${tcp_drop_synfin} in
	[Yy][Ee][Ss])
		echo -n ' drop SYN+FIN packets=YES'
		sysctl net.inet.tcp.drop_synfin=1 >/dev/null
		;;
	esac

	case ${ipxgateway_enable} in
	[Yy][Ee][Ss])
		echo -n ' IPX gateway=YES'
		sysctl net.ipx.ipx.ipxforwarding=1 >/dev/null
		;;
	esac

	case ${arpproxy_all} in
	[Yy][Ee][Ss])
		echo -n ' ARP proxyall=YES'
		sysctl net.link.ether.inet.proxyall=1 >/dev/null
		;;
	esac

	case ${ip_portrange_first} in
	[Nn][Oo] | '')
		;;
	*)
		echo -n " ip_portrange_first=$ip_portrange_first"
		sysctl net.inet.ip.portrange.first=$ip_portrange_first >/dev/null
		;;
	esac

	case ${ip_portrange_last} in
	[Nn][Oo] | '')
		;;
	*)
		echo -n " ip_portrange_last=$ip_portrange_last"
		sysctl net.inet.ip.portrange.last=$ip_portrange_last >/dev/null
		;;
	esac

	echo '.'

	case ${ipsec_enable} in
	[Yy][Ee][Ss])
		if [ -f ${ipsec_file} ]; then
		    echo ' ipsec: enabled'
		    setkey -f ${ipsec_file}
		else
		    echo ' ipsec: file not found'
		fi
		;;
	esac

	echo -n 'Routing daemons:'
	case ${router_enable} in
	[Yy][Ee][Ss])
		echo -n " ${router}";	${router} ${router_flags}
		;;
	esac

	case ${ipxrouted_enable} in
	[Yy][Ee][Ss])
		echo -n ' IPXrouted'
		IPXrouted ${ipxrouted_flags} > /dev/null 2>&1
		;;
	esac

	case ${mrouted_enable} in
	[Yy][Ee][Ss])
		echo -n ' mrouted';	mrouted ${mrouted_flags}
		;;
	esac

	case ${rarpd_enable} in
	[Yy][Ee][Ss])
		echo -n ' rarpd';	rarpd ${rarpd_flags}
		;;
	esac
	echo '.'

	# Let future generations know we made it.
	#
	network_pass1_done=YES
}

network_pass2() {
	echo -n 'Doing additional network setup:'
	case ${named_enable} in
	[Yy][Ee][Ss])
		echo -n ' named';	${named_program:-named} ${named_flags}
		;;
	esac

	case ${ntpdate_enable} in
	[Yy][Ee][Ss])
		echo -n ' ntpdate'
		${ntpdate_program:-ntpdate} ${ntpdate_flags} >/dev/null 2>&1
		;;
	esac

	case ${ntpd_enable} in
	[Yy][Ee][Ss])
		echo -n ' ntpd';	${ntpd_program:-ntpd} ${ntpd_flags}
		;;
	esac

	case ${timed_enable} in
	[Yy][Ee][Ss])
		echo -n ' timed';	timed ${timed_flags}
		;;
	esac

	case ${rpcbind_enable} in
	[Yy][Ee][Ss])
		echo -n ' rpcbind';	${rpcbind_program:-/usr/sbin/rpcbind} \
			${rpcbind_flags}

		# Start ypserv if we're an NIS server.
		# Run rpc.ypxfrd and rpc.yppasswdd only on the NIS master server.
		#
		case ${nis_server_enable} in
		[Yy][Ee][Ss])
			echo -n ' ypserv'; ypserv ${nis_server_flags}

			case ${nis_ypxfrd_enable} in
			[Yy][Ee][Ss])
				echo -n ' rpc.ypxfrd'
				rpc.ypxfrd ${nis_ypxfrd_flags}
				;;
			esac

			case ${nis_yppasswdd_enable} in
			[Yy][Ee][Ss])
				echo -n ' rpc.yppasswdd'
				rpc.yppasswdd ${nis_yppasswdd_flags}
				;;
			esac
			;;
		esac

		# Start ypbind if we're an NIS client
		#
		case ${nis_client_enable} in
		[Yy][Ee][Ss])
			echo -n ' ypbind'; ypbind ${nis_client_flags}
			case ${nis_ypset_enable} in
			[Yy][Ee][Ss])
				echo -n ' ypset';	ypset ${nis_ypset_flags}
				;;
			esac
			;;
		esac

		# Start keyserv if we are running Secure RPC
		#
		case ${keyserv_enable} in
		[Yy][Ee][Ss])
			echo -n ' keyserv';	keyserv ${keyserv_flags}
			;;
		esac

		# Start ypupdated if we are running Secure RPC
		# and we are NIS master
		#
		case ${rpc_ypupdated_enable} in
		[Yy][Ee][Ss])
			echo -n ' rpc.ypupdated';	rpc.ypupdated
			;;
		esac
		;;
	esac

	# Start ATM daemons
	if [ -n "${atm_pass2_done}" ]; then
		atm_pass3
	fi

	echo '.'
	network_pass2_done=YES
}

network_pass3() {
	echo -n 'Starting final network daemons:'

	case ${rpcbind_enable} in
	[Yy][Ee][Ss])
		case ${nfs_server_enable} in
		[Yy][Ee][Ss])
			# Handle absent nfs server support
			nfsserver_in_kernel=0
			if sysctl vfs.nfsrv >/dev/null 2>&1; then
				nfsserver_in_kernel=1
			else
				kldload nfsserver && nfsserver_in_kernel=1
			fi

			if [ -r /etc/exports -a \
			    ${nfsserver_in_kernel} -eq 1 ]; then
				echo -n ' mountd'

				case ${weak_mountd_authentication} in
				[Yy][Ee][Ss])
					mountd_flags="${mountd_flags} -n"
					;;
				esac

				mountd ${mountd_flags}

				case ${nfs_reserved_port_only} in
				[Yy][Ee][Ss])
					echo -n ' NFS on reserved port only=YES'
					sysctl vfs.nfsrv.nfs_privport=1 > /dev/null
					;;
				esac

				echo -n ' nfsd';	nfsd ${nfs_server_flags}

				case ${rpc_statd_enable} in
				[Yy][Ee][Ss])
					echo -n ' rpc.statd';	rpc.statd
					;;
				esac

				case ${rpc_lockd_enable} in
				[Yy][Ee][Ss])
					echo -n ' rpc.lockd';	rpc.lockd
					;;
				esac
			else
				echo -n ' Warning: nfs server failed'
			fi
			;;
		*)
			case ${mountd_enable} in
			[Yy][Ee][Ss])
				if [ -r /etc/exports ]; then
					echo -n ' mountd'

					case ${weak_mountd_authentication} in
					[Yy][Ee][Ss])
						mountd_flags="-n"
						;;
					esac

					mountd ${mountd_flags}
				fi
				;;
			esac
			;;
		esac

		case ${nfs_client_enable} in
		[Yy][Ee][Ss])
			nfsclient_in_kernel=0
			# Handle absent nfs client support
			if sysctl vfs.nfs >/dev/null 2>&1; then
				nfsclient_in_kernel=1
			else
				kldload nfsclient && nfsclient_in_kernel=1
			fi

			if [ ${nfsclient_in_kernel} -eq 1 ]
			then
				if [ -n "${nfs_access_cache}" ]; then
					echo -n " NFS access cache time=${nfs_access_cache}"
					sysctl vfs.nfs.access_cache_timeout=${nfs_access_cache} >/dev/null
				fi
				if [ -n "${nfs_bufpackets}" ]; then
					sysctl vfs.nfs.bufpackets=${nfs_bufpackets} > /dev/null
				fi
				case ${rpc_statd_enable} in
				[Yy][Ee][Ss])
					echo -n ' rpc.statd';	rpc.statd
					;;
				esac

				case ${rpc_lockd_enable} in
				[Yy][Ee][Ss])
					echo -n ' rpc.lockd';	rpc.lockd
					;;
				esac

				case ${amd_enable} in
				[Yy][Ee][Ss])
					echo -n ' amd'
					case ${amd_map_program} in
					[Nn][Oo] | '')
						;;
					*)
						amd_flags="${amd_flags} `eval\
							${amd_map_program}`"
						;;
					esac

					case "${amd_flags}" in
					'')
						if [ -r /etc/amd.conf ]; then
							amd &
						else
							echo ''
			echo 'Warning: amd will not load without arguments'
						fi
						;;
					*)
						amd -p ${amd_flags} \
							 >/var/run/amd.pid \
							2>/dev/null &
						;;
					esac
					;;
				esac
			else
				echo 'Warning: NFS client kernel module failed to load'
				nfs_client_enable=NO
			fi
			;;
		esac

		# If /var/db/mounttab exists, some nfs-server has not been
		# successfully notified about a previous client shutdown.
		# If there is no /var/db/mounttab, we do nothing.
		if [ -f /var/db/mounttab ]; then
			rpc.umntall -k
		fi

		;;
	esac

	case ${rwhod_enable} in
	[Yy][Ee][Ss])
		echo -n ' rwhod';	rwhod ${rwhod_flags}
		;;
	esac

	# Kerberos servers run ONLY on the Kerberos server machine
	case ${kerberos4_server_enable} in
	[Yy][Ee][Ss])
		case ${kerberos_stash} in
		[Yy][Ee][Ss])
			stash=-n
			;;
		*)
			stash=
			;;
		esac

		echo -n ' kerberosIV'
		${kerberos4_server} ${stash} >> /var/log/kerberos.log &

		case ${kadmind4_server_enable} in
		[Yy][Ee][Ss])
			echo -n ' kadmindIV'
			(
				sleep 20;
				${kadmind4_server} ${stash} >/dev/null 2>&1 &
			) &
			;;
		esac
		unset stash_flag
		;;
	esac

	case ${kerberos5_server_enable} in
	[Yy][Ee][Ss])
		echo -n ' kerberos5'
		${kerberos5_server} &

		case ${kadmind5_server_enable} in
		[Yy][Ee][Ss])
			echo -n ' kadmind5'
			${kadmind5_server} &
			;;
		esac
		;;
	esac

	case ${pppoed_enable} in
	[Yy][Ee][Ss])
		if [ -n "${pppoed_provider}" ]; then
			pppoed_flags="${pppoed_flags} -p ${pppoed_provider}"
		fi
		echo -n ' pppoed';
		_opts=$-; set -f
		/usr/libexec/pppoed ${pppoed_flags} ${pppoed_interface}
		set +f; set -${_opts}
		;;
	esac

	case ${sshd_enable} in
	[Yy][Ee][Ss])
		if [ -x /usr/bin/ssh-keygen ]; then
			if [ ! -f /etc/ssh/ssh_host_key ]; then
				echo ' creating ssh1 RSA host key';
				/usr/bin/ssh-keygen -t rsa1 -N "" \
					-f /etc/ssh/ssh_host_key
			fi
			if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
				echo ' creating ssh2 RSA host key';
				/usr/bin/ssh-keygen -t rsa -N "" \
					-f /etc/ssh/ssh_host_rsa_key
			fi
			if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
				echo ' creating ssh2 DSA host key';
				/usr/bin/ssh-keygen -t dsa -N "" \
					-f /etc/ssh/ssh_host_dsa_key
			fi
		fi
		;;
	esac

	echo '.'
	network_pass3_done=YES
}

network_pass4() {
	echo -n 'Additional TCP options:'
	case ${log_in_vain} in
	[Nn][Oo] | '')
		log_in_vain=0
		;;
	[Yy][Ee][Ss])
		log_in_vain=1
		;;
	[0-9]*)
		;;
	*)
		echo " invalid log_in_vain setting: ${log_in_vain}"
		log_in_vain=0
		;;
	esac

	[ "${log_in_vain}" -ne 0 ] && (
	    echo -n " log_in_vain=${log_in_vain}"
	    sysctl net.inet.tcp.log_in_vain="${log_in_vain}" >/dev/null
	    sysctl net.inet.udp.log_in_vain="${log_in_vain}" >/dev/null
	)
	echo '.'
	network_pass4_done=YES
}

network_gif_setup() {
	case ${gif_interfaces} in
	[Nn][Oo] | '')
		;;
	*)
		for i in ${gif_interfaces}; do
			eval peers=\$gifconfig_$i
			case ${peers} in
			'')
				continue
				;;
			*)
				ifconfig $i create >/dev/null 2>&1
				ifconfig $i tunnel ${peers}
				ifconfig $i up
				;;
			esac
		done
		;;
	esac
}

convert_host_conf() {
    host_conf=$1; shift;
    nsswitch_conf=$1; shift;
    awk '                                                                   \
        /^[:blank:]*#/       { next }                                       \
        /(hosts|local|file)/ { nsswitch[c] = "files"; c++; next }           \
        /(dns|bind)/         { nsswitch[c] = "dns";   c++; next }           \
        /nis/                { nsswitch[c] = "nis";   c++; next }           \
        { printf "Warning: unrecognized line [%s]", $0 > "/dev/stderr" }    \
        END {                                                               \
                printf "hosts: ";                                           \
                for (i in nsswitch) printf "%s ", nsswitch[i];              \
                printf "\n";                                                \
        }' < $host_conf > $nsswitch_conf
}

generate_host_conf() {
    nsswitch_conf=$1; shift;
    host_conf=$1; shift;
    
    awk '
BEGIN {
    xlat["files"] = "hosts";
    xlat["dns"] = "bind";
    xlat["nis"] = "nis";
    cont = 0;
}
sub(/^[\t ]*hosts:/, "") || cont {
    if (!cont)
	srcs = ""
    sub(/#.*/, "")
    gsub(/[][]/, " & ")
    cont = sub(/\\$/, "")
    srcs = srcs " " $0
}
END {
    print "# Auto-generated from nsswitch.conf, do not edit"
    ns = split(srcs, s)
    for (n = 1; n <= ns; ++n) {
        if (s[n] in xlat)
            print xlat[s[n]]
    }
}
' <$nsswitch_conf >$host_conf
}