├── .cirrus.yml ├── .editorconfig ├── .gitignore ├── AUTHORS ├── BSDRP ├── BSDRP.nano ├── Files.mtree ├── Files │ ├── boot │ │ ├── brand-bsdrp.4th │ │ ├── entropy │ │ ├── loader.conf │ │ ├── loader.conf.local │ │ └── lua │ │ │ └── brand-bsdrp.lua │ ├── etc │ │ ├── COPYRIGHT │ │ ├── defaults │ │ │ └── vendor.conf │ │ ├── dot.complete │ │ ├── dot.cshrc │ │ ├── dot.profile │ │ ├── dot.shrc │ │ ├── dot.vimrc │ │ ├── mail │ │ │ └── mailer.conf │ │ ├── motd │ │ ├── nsswitch.conf │ │ ├── periodic.conf │ │ ├── rc.conf │ │ ├── sysctl.conf │ │ └── version │ ├── root │ │ ├── .exrc │ │ ├── AUTHORS │ │ └── LICENSE │ └── usr │ │ └── local │ │ ├── bin │ │ ├── bgptabledump2bird │ │ ├── cxgbe-filter-rate │ │ ├── equilibrium │ │ ├── equilibrium-noref │ │ ├── help │ │ ├── nic-queue-usage │ │ ├── reqroutes │ │ ├── show │ │ └── tuning │ │ ├── etc │ │ ├── mpd5 │ │ │ ├── if-down.sh │ │ │ └── if-up.sh │ │ ├── newsyslog.conf.d │ │ │ ├── bird │ │ │ └── openvpn │ │ ├── pkg.conf │ │ ├── rc.d │ │ │ ├── autosave │ │ │ ├── bxe_affinity │ │ │ ├── chelsio_affinity │ │ │ ├── disablelrotso │ │ │ ├── freevrrpd │ │ │ ├── gpartfix │ │ │ ├── igb_affinity │ │ │ ├── ix_affinity │ │ │ ├── ixiflib_affinity │ │ │ ├── mlx5en_affinity │ │ │ ├── ngnetflow │ │ │ ├── pim6dd │ │ │ ├── pim6sd │ │ │ ├── pimdd │ │ │ ├── polling │ │ │ ├── tayga │ │ │ ├── txabdicate │ │ │ └── ucarp │ │ ├── snmpd.conf │ │ └── ssmtp │ │ │ └── ssmtp.conf │ │ └── sbin │ │ ├── autosave │ │ ├── config │ │ ├── labconfig │ │ ├── post-upgrade │ │ ├── system │ │ ├── tenant │ │ └── upgrade ├── kernels │ ├── amd64 │ ├── amd64_xenhvm │ ├── arm64 │ └── i386 ├── make.conf ├── patches │ ├── freebsd.dhclient.patch │ ├── freebsd.makefile.patch │ ├── freebsd.netblast.PR179085.patch │ ├── freebsd.netreceive.PR178862.patch │ ├── freebsd.newvers.patch │ ├── freebsd.rc.initdiskless.patch │ ├── freebsd.tools-dir.patch │ ├── ports.dtrace-toolkit.patch │ ├── ports.iperf3.patch │ ├── ports.ixl_unlock.shar │ ├── ports.netmap-fwd.shar │ ├── ports.netmap-ipfw.shar 
│ ├── ports.pimd.patch │ ├── ports.pimdd.patch │ └── ports.quagga-bgp-netgen.shar └── tools │ ├── pim │ └── pim-test.c │ └── pktgen │ ├── Makefile │ └── bsdrp-pktgen.c ├── CHANGES.md ├── EINE ├── DEMO.data │ ├── data.conf │ ├── easy-rsa.vars │ ├── id_ed25519 │ ├── id_ed25519.pub │ └── keys │ │ ├── .rnd │ │ ├── 01.pem │ │ ├── ca.crt │ │ ├── ca.key │ │ ├── crl.pem │ │ ├── dh1024.pem │ │ ├── index.txt │ │ ├── index.txt.attr │ │ ├── index.txt.old │ │ ├── serial │ │ ├── serial.old │ │ ├── ta.key │ │ ├── unregistered.crt │ │ ├── unregistered.csr │ │ └── unregistered.key ├── EINE.nano ├── Files │ ├── etc │ │ ├── rc.conf │ │ ├── ssh │ │ │ └── sshd_config │ │ └── version │ └── usr │ │ └── local │ │ ├── bin │ │ ├── cputemp │ │ └── speedtest-cli │ │ ├── etc │ │ ├── ansible │ │ │ ├── ansible.cfg │ │ │ ├── gateways.yml │ │ │ ├── group_vars │ │ │ │ ├── freebsd │ │ │ │ └── gateways │ │ │ ├── inventory.ini │ │ │ ├── roles │ │ │ │ ├── common │ │ │ │ │ ├── handlers │ │ │ │ │ │ └── main.yml │ │ │ │ │ └── tasks │ │ │ │ │ │ └── main.yml │ │ │ │ ├── gateway │ │ │ │ │ ├── files │ │ │ │ │ │ ├── etc │ │ │ │ │ │ │ └── ipfw.rules.j2 │ │ │ │ │ │ └── usr │ │ │ │ │ │ │ └── local │ │ │ │ │ │ │ └── etc │ │ │ │ │ │ │ ├── bird.conf.j2 │ │ │ │ │ │ │ ├── openvpn │ │ │ │ │ │ │ ├── gateway.conf.j2 │ │ │ │ │ │ │ ├── ovpn-registration.sh │ │ │ │ │ │ │ └── registration.conf.j2 │ │ │ │ │ │ │ └── raddb │ │ │ │ │ │ │ ├── clients.conf.j2 │ │ │ │ │ │ │ └── proxy.conf.j2 │ │ │ │ │ ├── handlers │ │ │ │ │ │ └── main.yml │ │ │ │ │ └── tasks │ │ │ │ │ │ ├── bird.yml │ │ │ │ │ │ ├── firewall.yml │ │ │ │ │ │ ├── freeradius.yml │ │ │ │ │ │ ├── kld.yml │ │ │ │ │ │ ├── main.yml │ │ │ │ │ │ ├── openvpn.yml │ │ │ │ │ │ └── resolv.yml │ │ │ │ ├── nanobsd │ │ │ │ │ ├── handlers │ │ │ │ │ │ └── main.yml │ │ │ │ │ └── tasks │ │ │ │ │ │ └── main.yml │ │ │ │ └── vpn_wifi_router │ │ │ │ │ ├── files │ │ │ │ │ ├── etc │ │ │ │ │ │ ├── hostapd-wlan0.conf │ │ │ │ │ │ ├── ipfw.rules.j2 │ │ │ │ │ │ ├── periodic.conf │ │ │ │ │ │ ├── 
rc.conf.j2 │ │ │ │ │ │ └── sysctl.conf │ │ │ │ │ └── usr │ │ │ │ │ │ └── local │ │ │ │ │ │ └── etc │ │ │ │ │ │ ├── IDS-update.conf │ │ │ │ │ │ ├── bird.conf.j2 │ │ │ │ │ │ ├── dnsmasq.conf.j2 │ │ │ │ │ │ ├── monit.j2 │ │ │ │ │ │ ├── openvpn │ │ │ │ │ │ └── openvpn.conf.j2 │ │ │ │ │ │ └── snort │ │ │ │ │ │ └── snort.conf.j2 │ │ │ │ │ └── tasks │ │ │ │ │ └── main.yml │ │ │ ├── site.yml │ │ │ └── vpn_wifi_routers.yml │ │ ├── newsyslog.conf.d │ │ │ ├── bird │ │ │ ├── openvpn │ │ │ ├── radiusd │ │ │ └── suricata │ │ ├── openvpn │ │ │ ├── ca.crt │ │ │ ├── crl.pem │ │ │ ├── dh1024.pem │ │ │ ├── openvpn.conf │ │ │ ├── ovpn-if.sh │ │ │ ├── ta.key │ │ │ ├── unregistered.crt │ │ │ └── unregistered.key │ │ ├── periodic │ │ │ └── daily │ │ │ │ └── 401.IDS-update │ │ └── rc.d │ │ │ └── resetcheck │ │ └── sbin │ │ ├── IDS-update │ │ ├── device │ │ ├── eine.py │ │ ├── gateway │ │ ├── geoip-update │ │ ├── resetcheck │ │ ├── role │ │ └── vpn-wifi-router ├── README.md ├── docs │ ├── EINE_BSDCan2015.pdf │ ├── How-to.generate.keys.md │ ├── PC-Engines-APU-Terminal-Server-QCAD-R27.dxf │ └── images │ │ └── big-picture.png ├── kernels │ └── amd64 └── make.conf ├── LICENSE ├── Makefile ├── Makefile.vars ├── README.md ├── TODO.md ├── docs └── labs.examples.odp ├── logos ├── BSDRP.logo.114.png ├── BSDRP.logo.128.png ├── BSDRP.logo.256.png ├── BSDRP.logo.48.png ├── BSDRP.logo.64.png ├── BSDRP.logo.odg └── BSDRP.logo.png ├── obj └── .gitignore ├── poudriere.etc ├── poudriere.conf └── poudriere.d │ ├── BSDRP-pkglist.amd64 │ ├── BSDRP-pkglist.common │ ├── BSDRPj-make.conf │ ├── BSDRPj-src.conf.amd64 │ ├── BSDRPj-src.conf.common │ ├── README.md │ ├── excluded.files │ ├── image-BSDRPj-src.conf │ └── post-script.sh └── tools ├── BSDRP-lab-bhyve.sh ├── BSDRP-lab-qemu.sh ├── BSDRP-lab-vbox.ps1 ├── BSDRP-lab-vbox.sh ├── BSDRP-lab-vbox.vbs ├── bisection-gen.sh ├── bsdrp.lab.gv ├── ci-qemu-test.sh ├── defaults.sh ├── image_tool.sh ├── mputconfig.sh ├── release.sh ├── review-generate.sh └── 
validate-image.sh /.cirrus.yml: -------------------------------------------------------------------------------- 1 | freebsd_instance: 2 | image: freebsd-12-1-release-amd64 3 | cpu: 8 4 | memory: 24G 5 | 6 | env: 7 | CIRRUS_CLONE_DEPTH: 1 8 | 9 | task: 10 | timeout_in: 120m 11 | install_script: 12 | - pkg install -y qemu-devel 13 | sources_cache: 14 | folder: BSDRP/FreeBSD 15 | populate_script: sh ./make.sh -p TESTING -U 16 | workdir_cache: 17 | folder: workdir/TESTING.amd64 18 | script: 19 | - sh ./make.sh -u -p TESTING -c serial -f 20 | test_script: 21 | - sh tools/ci-qemu-test.sh 22 | -------------------------------------------------------------------------------- /.editorconfig: -------------------------------------------------------------------------------- 1 | root = true 2 | 3 | [*] 4 | end_of_line = lf 5 | insert_final_newline = true 6 | trim_trailing_whitespace= true 7 | 8 | [{build,*.sh}] 9 | charset = latin1 10 | indent_style = space 11 | indent_size = 2 12 | 13 | [Makefile] 14 | indent_style = tab 15 | indent_size = 2 16 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # ignore downloaded FreeBSD source and port tree 2 | poudriere.etc/poudriere.d/jails/ 3 | poudriere.etc/poudriere.d/ports/ 4 | # ignore arch-dependent generated config file 5 | poudriere.etc/poudriere.d/BSDRPj-src.conf 6 | EINE/local.data 7 | EINE/DEMO.data/GeoLite2-City.mmdb 8 | EINE/DEMO.data/GeoLite2-City.mmdb.gz 9 | -------------------------------------------------------------------------------- /AUTHORS: -------------------------------------------------------------------------------- 1 | BSDRP/Files/root/AUTHORS -------------------------------------------------------------------------------- /BSDRP/Files.mtree: -------------------------------------------------------------------------------- 1 | /set type=file uname=root gname=wheel mode=0755 2 | . 
type=dir 3 | /set type=file uname=root gname=wheel mode=0644 4 | boot type=dir mode=0755 5 | brand-bsdrp.4th 6 | entropy 7 | loader.conf 8 | loader.conf.local 9 | lua type=dir mode=0755 10 | brand-bsdrp.lua 11 | .. 12 | .. 13 | etc type=dir mode=0755 14 | COPYRIGHT 15 | dot.complete 16 | dot.cshrc 17 | dot.profile 18 | dot.shrc 19 | dot.vimrc 20 | motd 21 | nsswitch.conf 22 | periodic.conf 23 | rc.conf 24 | sysctl.conf 25 | version 26 | defaults type=dir mode=0755 27 | vendor.conf 28 | .. 29 | mail type=dir mode=0755 30 | mailer.conf 31 | .. 32 | .. 33 | root type=dir mode=0755 34 | .exrc 35 | AUTHORS 36 | LICENSE 37 | .. 38 | /set type=file uname=root gname=wheel mode=0755 39 | usr type=dir 40 | local type=dir 41 | bin type=dir 42 | bgptabledump2bird 43 | cxgbe-filter-rate 44 | equilibrium 45 | equilibrium-noref 46 | help 47 | nic-queue-usage 48 | reqroutes 49 | show 50 | tuning 51 | .. 52 | etc type=dir 53 | pkg.conf mode=0644 54 | snmpd.conf mode=0644 55 | mpd5 type=dir 56 | if-down.sh 57 | if-up.sh 58 | .. 59 | /set type=file uname=root gname=wheel mode=0644 60 | newsyslog.conf.d \ 61 | type=dir mode=0755 62 | bird 63 | openvpn 64 | .. 65 | /set type=file uname=root gname=wheel mode=0755 66 | rc.d type=dir 67 | autosave 68 | bxe_affinity 69 | chelsio_affinity 70 | disablelrotso 71 | freevrrpd 72 | gpartfix 73 | igb_affinity 74 | ix_affinity 75 | ixiflib_affinity 76 | mlx5en_affinity 77 | ngnetflow 78 | pim6dd 79 | pim6sd 80 | pimdd 81 | polling 82 | tayga 83 | txabdicate 84 | ucarp 85 | .. 86 | /set type=file uname=root gname=wheel mode=0644 87 | ssmtp type=dir mode=0755 88 | ssmtp.conf 89 | .. 90 | .. 91 | /set type=file uname=root gname=wheel mode=0755 92 | sbin type=dir 93 | autosave 94 | config 95 | labconfig 96 | post-upgrade 97 | system 98 | tenant 99 | upgrade 100 | .. 101 | .. 102 | .. 103 | .. 
104 | -------------------------------------------------------------------------------- /BSDRP/Files/boot/brand-bsdrp.4th: -------------------------------------------------------------------------------- 1 | : brand ( x y -- ) \ "bsdrp" [wide] logo in B/W (7 rows x 42 columns) 2 | 3 | 2dup at-xy ." ____ _____ _____ ____ ____ " 1+ 4 | 2dup at-xy ." | _ \ / ____| __ \| _ \| _ \ " 1+ 5 | 2dup at-xy ." | |_) | (___ | | | | |_) | |_) |" 1+ 6 | 2dup at-xy ." | _ < \___ \| | | | /| __/ " 1+ 7 | 2dup at-xy ." | |_) |____) | |__| | |\ \| | " 1+ 8 | 2dup at-xy ." | | | | | | | | " 1+ 9 | at-xy ." |____/|_____/|_____/|_| |_|_| BSDRP_VERSION" 10 | 11 | \ Put the cursor back at the bottom 12 | 0 25 at-xy 13 | ; 14 | -------------------------------------------------------------------------------- /BSDRP/Files/boot/entropy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ocochard/BSDRP/8bd71614d24fe94576dc50efda94cd5bc7af581c/BSDRP/Files/boot/entropy -------------------------------------------------------------------------------- /BSDRP/Files/boot/loader.conf: -------------------------------------------------------------------------------- 1 | ################################################################# 2 | # Don't modify this file ! 
# 3 | # Your changes will not be preserved after an upgrade # 4 | # Create a /boot/loader.conf.local instead # 5 | # # 6 | ################################################################# 7 | # 8 | loader_logo="none" # Disable the loader logo 9 | loader_brand="bsdrp" 10 | loader_menu_title="Welcome to BSD Router Project" 11 | autoboot_delay="2" # Reduce the autoboot delay to 2 seconds 12 | hw.vga.textmode="1" # Text mode 13 | -------------------------------------------------------------------------------- /BSDRP/Files/boot/loader.conf.local: -------------------------------------------------------------------------------- 1 | ##################################################################### 2 | # To modify this file, you need to remount / read-write: # 3 | # mount -uw / # 4 | # # 5 | # Only load modules needed to mount the local disk here: # 6 | # - add other module names to the kld_list variable in rc.conf # 7 | # Example for loading the padlock crypto module and coretemp: # 8 | # kld_list='padlock coretemp' # 9 | # # 10 | # For BIOS-based machines, don't put serial/dual console options like these here: # 11 | # - boot_serial # 12 | # - comconsole_speed # 13 | # - console # 14 | # Use /boot.config instead # 15 | ##################################################################### 16 | 17 | # Multiconsole support, mandatory for IPMI SoL 18 | boot_multicons="YES" 19 | # Values are described in loader(8) and loader.efi(8) 20 | #console="eficom,efi,comconsole,vidconsole" 21 | # Some serial ports emulated by IPMI SoL don't use the default 0x3f8 22 | # Search for the correct value with: grep 'uart.*port' /var/run/dmesg.boot 23 | # Then declare the correct one, for example: 24 | #comconsole_port="0x2F8" 25 | 26 | ### Don't wait for USB (can prevent a correct reboot) 27 | hw.usb.no_shutdown_wait="1" 28 | 29 | ### Use the next-gen MRSAS driver in place of MFI for devices supporting it 30 | # This fixes many [mfi] COMMAND 0x... 
TIMEOUT AFTER ## SECONDS 31 | hw.mfi.mrsas_enable="1" 32 | 33 | ### Tune some global values ### 34 | hw.usb.no_pf="1" # Disable USB packet filtering 35 | 36 | # Load the DPDK Longest Prefix Match (LPM) modules 37 | dpdk_lpm4_load="YES" 38 | dpdk_lpm6_load="YES" 39 | 40 | # Load DXR: IPv4 lookup algorithm 41 | fib_dxr_load="YES" 42 | 43 | # Disable Page Table Isolation (the Meltdown mitigation; trades security for performance) 44 | # XXX Need to run benchmarks first 45 | #vm.pmap.pti="0" 46 | 47 | ### Intel NIC tuning ### 48 | # https://bsdrp.net/documentation/technical_docs/performance#nic_drivers_tuning 49 | # Don't limit the number of received packets processed at a time 50 | hw.igb.rx_process_limit="-1" 51 | hw.em.rx_process_limit="-1" 52 | hw.ix.rx_process_limit="-1" 53 | # Allow unsupported SFP 54 | hw.ix.unsupported_sfp="1" 55 | hw.ix.allow_unsupported_sfp="1" 56 | 57 | # No flow control: TCP handles the packet loss better 58 | # 0: No fc, 1: rxpause, 2: txpause, 3: rx and tx pause (full) 59 | hw.ixl.flow_control="0" 60 | hw.ix.flow_control="0" 61 | 62 | ### Chelsio NIC tuning ### 63 | # Don't reserve ASIC resources that are unused on a router/firewall; 64 | # this improves performance once we reach 10Mpps or more 65 | hw.cxgbe.toecaps_allowed="0" 66 | hw.cxgbe.rdmacaps_allowed="0" 67 | hw.cxgbe.iscsicaps_allowed="0" 68 | hw.cxgbe.fcoecaps_allowed="0" 69 | 70 | # Under heavy network load, network-critical traffic (mainly 71 | # non-RSS traffic like ARP, LACP) can be dropped, flapping LACP links. 72 | # To mitigate this situation, Chelsio can reserve one TX queue for 73 | # non-RSS traffic with this tunable: 74 | # hw.cxgbe.rsrv_noflowq="1" 75 | # But compensate by increasing the number of TX queues by one. 
76 | # As example, if you had 8 queues, uses now 9: 77 | # hw.cxgbe.ntxq="9" 78 | 79 | ### link tunning ### 80 | # Increase interface send queue length 81 | # lagg user: This value should be at minimum the sum of txd buffer of each NIC in the lagg 82 | # hw.ix.txd: 2048 by default, then use x4 here (lagg with 4 members) 83 | net.link.ifqmaxlen="16384" 84 | 85 | # Avoid message netisr_register: epair requested queue limit 688128 capped to net.isr.maxqlimit 1024 86 | net.isr.maxqlimit=1000000 87 | 88 | # Use all cores for netisr processing 89 | net.isr.maxthreads=-1 90 | -------------------------------------------------------------------------------- /BSDRP/Files/boot/lua/brand-bsdrp.lua: -------------------------------------------------------------------------------- 1 | local drawer = require("drawer") 2 | 3 | local bsdrp = { 4 | " ____ _____ _____ ____ ____ ", 5 | " | _ \\ / ____| __ \\| _ \\| _ \\ ", 6 | " | |_) | (___ | | | | |_) | |_) | ", 7 | " | _ < \\___ \\| | | | /| __/ ", 8 | " | |_) |____) | |__| | |\\ \\| | ", 9 | " | | | | | | | | ", 10 | " |____/|_____/|_____/|_| |_|_| BSDRP_VERSION" 11 | } 12 | 13 | drawer.addBrand("bsdrp", { 14 | graphic = bsdrp, 15 | }) 16 | 17 | return true 18 | -------------------------------------------------------------------------------- /BSDRP/Files/etc/COPYRIGHT: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ocochard/BSDRP/8bd71614d24fe94576dc50efda94cd5bc7af581c/BSDRP/Files/etc/COPYRIGHT -------------------------------------------------------------------------------- /BSDRP/Files/etc/defaults/vendor.conf: -------------------------------------------------------------------------------- 1 | ###### BSD Router Project default configuration ######## 2 | 3 | ## System 4 | 5 | # R/O root adaptation 6 | # cf https://cgit.freebsd.org/src/commit/?id=e5579f98c02ff64b0c305f6731c3557ba69c2d25 7 | # Make root filesystem R/O by default 8 | root_rw_mount="NO" 9 | # Disable 
very early entropy file (used at early boot time) 10 | entropy_boot_file="NO" 11 | # Disable late entropy file 12 | entropy_file="NO" 13 | # Disable caching via cron 14 | entropy_dir="NO" 15 | 16 | # Update CPU microcode (fixing Meltdown and Spectre bugs) 17 | microcode_update_enable="YES" 18 | 19 | # Do not update motd 20 | update_motd=NO 21 | 22 | # Disable moused 23 | moused_enable="NO" 24 | moused_ums0_enable="NO" 25 | 26 | # Disable sendmail 27 | sendmail_enable="NONE" 28 | 29 | # No blanktime (suppresses the blanktime "vidcontrol not found" message) 30 | blanktime="NO" 31 | 32 | # Operate in secure mode: do not accept log messages from remote machines 33 | syslogd_flags="-s" 34 | 35 | # Enable Zstandard compression of dumps 36 | dumpon_flags="-Z" 37 | 38 | # SSHd hardening 39 | sshd_dsa_enable="no" 40 | sshd_ecdsa_enable="no" 41 | 42 | # Fix GPT corrupt state (after dd of the image onto a bigger disk) 43 | gpartfix_enable="yes" 44 | 45 | ## Network 46 | 47 | # Enable routing 48 | gateway_enable="YES" 49 | ipv6_gateway_enable="YES" 50 | 51 | # Enable IPv6 on all interfaces 52 | ipv6_activate_all_interfaces="YES" 53 | 54 | # Reduce the default-route wait timeout from 30s to 5s 55 | defaultroute_delay="5" 56 | 57 | # Disable LRO and TSO on all NICs 58 | # These features should not be enabled on a router 59 | disablelrotso_enable="YES" 60 | 61 | # Remove INTERRUPT and ETHERNET from the entropy harvesting sources 62 | # This value is VERY important for 8 cores or more and always improves performance 63 | harvest_mask="351" 64 | 65 | # Drop ICMP redirects 66 | icmp_drop_redirect="YES" 67 | 68 | # Since r336560, the tx_abdicate sysctl must be enabled on iflib drivers 69 | txabdicate_enable="YES" 70 | -------------------------------------------------------------------------------- /BSDRP/Files/etc/dot.cshrc: -------------------------------------------------------------------------------- 1 | # $FreeBSD: src/etc/root/dot.cshrc,v 1.30 2007/05/29 06:37:58 dougb Exp $ 2 | # 3 | # .cshrc - csh resource script, read at 
beginning of execution by each shell 4 | # 5 | # see also csh(1), environ(7). 6 | # 7 | 8 | alias h history 25 9 | alias j jobs -l 10 | alias la ls -aF 11 | alias lf ls -FA 12 | alias ll ls -lAF 13 | 14 | # Some BSDRP aliases: 15 | alias ls ls -G 16 | alias cli vtysh 17 | alias include grep 18 | alias reload 'system reboot' 19 | alias halt 'system halt' 20 | alias reboot 'system reboot' 21 | alias wr 'config save' 22 | alias tmux tmux -u 23 | alias please 'sudo \!-1' 24 | 25 | #Ugly patch because birdc is compiled for using /usr/local/var/run 26 | alias birdc 'birdc -s /var/run/bird.ctl' 27 | 28 | # A righteous umask 29 | umask 22 30 | 31 | set path = (/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin $HOME/bin) 32 | 33 | setenv EDITOR vi 34 | setenv PAGER less 35 | setenv BLOCKSIZE K 36 | setenv XZ_DEFAULTS '--threads=0' 37 | #setenv IFCONFIG_FORMAT inet:cidr,inet6:cidr 38 | 39 | if ($?prompt) then 40 | # An interactive shell -- set some stuff up 41 | set prompt='%B[%n@%m]%~%b%# ' 42 | #set prompt="%{\033]0;%n@%m\007%}%N@%m:%~ %# " 43 | set filec 44 | set history = 1000 45 | set savehist = (1000 merge) 46 | set mail = (/var/mail/$USER) 47 | if ( $?tcsh ) then 48 | bindkey "^W" backward-delete-word 49 | bindkey -k up history-search-backward 50 | bindkey -k down history-search-forward 51 | endif 52 | # command complete with TAB 53 | # lists the remaining 54 | # choices (if any) whenever completion fails 55 | set autolist=ambiguous 56 | # recheck for new binary 57 | set autorehash 58 | # run the expand-history editor command 59 | # before each completion attempt 60 | set autoexpand 61 | # Disable beep 62 | set nobeep 63 | # Error correction 64 | set correct = cmd 65 | # enables color display for the builtin ls-F and it 66 | # passes --color=auto to ls 67 | set color 68 | # enables color escape sequence for NLS message files 69 | set colorcat 70 | # Prevent overwritting existing file 71 | # (disabled because prevent to use >> in script) 72 | #set noclobber 
73 | # Display user login 74 | set watch=(0 any any) 75 | 76 | # Configure screen and tmux windows title with hostname 77 | printf "\033k`hostname -s`\033\\" 78 | 79 | # Load command complete file 80 | source ~/.complete 81 | 82 | # Don't generate core file 83 | limit coredumpsize 0 84 | 85 | endif 86 | 87 | -------------------------------------------------------------------------------- /BSDRP/Files/etc/dot.profile: -------------------------------------------------------------------------------- 1 | # 2 | HOME=/root 3 | export HOME 4 | PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:~/bin 5 | export PATH 6 | TERM=${TERM:-xterm} 7 | export TERM 8 | PAGER=less 9 | export PAGER 10 | 11 | # set ENV to a file invoked each time sh is started for interactive use. 12 | ENV=$HOME/.shrc; export ENV 13 | 14 | CLICOLOR=1; export CLICOLOR 15 | XZ_DEFAULTS='--threads=0'; export XZ_DEFAULTS 16 | 17 | # Query terminal size; useful for serial lines. 18 | if [ -x /usr/bin/resizewin ] ; then /usr/bin/resizewin -z ; fi 19 | -------------------------------------------------------------------------------- /BSDRP/Files/etc/dot.shrc: -------------------------------------------------------------------------------- 1 | # $FreeBSD$ 2 | # 3 | # .shrc - bourne shell startup file 4 | # 5 | # This file will be used if the shell is invoked for interactive use and 6 | # the environment variable ENV is set to this file. 7 | # 8 | # see also sh(1), environ(7). 
9 | # 10 | 11 | # Some BSDRP aliases: 12 | alias ls='ls -G' 13 | alias cli='vtysh' 14 | alias include='grep' 15 | alias reload='system reboot' 16 | alias halt='system halt' 17 | alias reboot='system reboot' 18 | alias wr='config save' 19 | alias tmux='tmux -u' 20 | alias please='sudo \!-1' 21 | 22 | #Ugly patch because birdc is compiled for using /usr/local/var/run 23 | alias birdc='birdc -s /var/run/bird.ctl' 24 | 25 | # file permissions: rwxr-xr-x 26 | # 27 | # umask 022 28 | 29 | # Uncomment this to enable the builtin vi(1) command line editor in sh(1), 30 | # e.g. ESC to go into visual mode. 31 | # set -o vi 32 | 33 | export EDITOR=vi 34 | export PAGER=less 35 | export BLOCKSIZE=K 36 | export XZ_DEFAULTS="--threads=0" 37 | #export IFCONFIG_FORMAT="inet:cidr,inet6:cidr" 38 | 39 | # some useful aliases 40 | alias h='fc -l' 41 | alias j=jobs 42 | alias m="$PAGER" 43 | alias ll='ls -laFo' 44 | alias l='ls -l' 45 | alias g='egrep -i' 46 | 47 | # # be paranoid 48 | # alias cp='cp -ip' 49 | # alias mv='mv -i' 50 | # alias rm='rm -i' 51 | 52 | # # csh like history on arrow up and down 53 | bind ^[[A ed-search-prev-history 54 | bind ^[[B ed-search-next-history 55 | 56 | # # ctrl+arrow allow to jump from words to words 57 | bind "\\e[1;5C" em-next-word 58 | bind "\\e[1;5D" ed-prev-word 59 | alias history='fc -l' 60 | 61 | # Fix home/del for mobaxterm 62 | bind ^[[5~ ed-move-to-beg 63 | bind ^[[6~ ed-move-to-end 64 | 65 | # read(2) of directories may not be desirable by default, as this will provoke 66 | # EISDIR errors from each directory encountered. 67 | # alias grep='grep -d skip' 68 | 69 | # set prompt: ``username@hostname:directory $ '' 70 | PS1="\u@\h:\w \\$ " 71 | 72 | # search path for cd(1) 73 | # CDPATH=:$HOME 74 | -------------------------------------------------------------------------------- /BSDRP/Files/etc/dot.vimrc: -------------------------------------------------------------------------------- 1 | " BSD Router Project vimrc file. 
2 | 3 | " don't use vi compatible mode 4 | set nocompatible 5 | 6 | " Disable mouse 7 | set mouse= 8 | 9 | " allow backspacing over everything in insert mode 10 | set backspace=indent,eol,start 11 | 12 | " do not keep a backup file, use versions instead 13 | set nobackup 14 | 15 | " keep 50 lines of command line history 16 | set history=50 17 | 18 | " show the cursor position all the time 19 | set ruler 20 | 21 | " max size of a line with a red line 22 | set textwidth=80 23 | set colorcolumn=80 24 | 25 | " display incomplete commands 26 | set showcmd 27 | 28 | " use 4 spaces instead of tabs 29 | set tabstop=4 30 | set shiftwidth=4 31 | "set expandtab "Do not replace tab by space! 32 | set softtabstop=4 33 | 34 | set nowrapscan 35 | set paste 36 | 37 | " always show ^M in DOS files 38 | set fileformats=unix 39 | 40 | " always show line and col number and the current command, set title 41 | set title titlestring=vim\ %f 42 | 43 | " caseinsensitive incremental search 44 | set ignorecase 45 | set incsearch 46 | 47 | " Show matching brackets 48 | set showmatch 49 | 50 | " disable any autoindenting which could mess with your mouse pastes (and your head) 51 | " (not useing 'set paste' here to keep fancy stuff like tab completion working) 52 | set nocindent 53 | set nosmartindent 54 | set noautoindent 55 | set indentexpr= 56 | filetype indent off 57 | filetype plugin indent off 58 | 59 | " Default Shell 60 | set shell=/bin/csh 61 | 62 | " disable the use of swap file 63 | set noswapfile 64 | 65 | "disable the use of viminfo file 66 | set viminfo="" 67 | -------------------------------------------------------------------------------- /BSDRP/Files/etc/mail/mailer.conf: -------------------------------------------------------------------------------- 1 | sendmail /usr/libexec/dma 2 | send-mail /usr/libexec/dma 3 | mailq /usr/libexec/dma 4 | newaliases /usr/bin/true 5 | hoststat /usr/bin/true 6 | purgestat /usr/bin/true 7 | 
-------------------------------------------------------------------------------- /BSDRP/Files/etc/motd: -------------------------------------------------------------------------------- 1 | BSD Router project (BSDRP) (c) 2009-2021, The BSDRP Development Team 2 | All rights reserved. 3 | BSDRP is under the Simplified BSD license. 4 | 5 | Documentation: https://bsdrp.net 6 | 7 | Discover BSDRP tools with "help" command 8 | 9 | Keyboard layout can be changed with this command: 10 | kbdcontrol -l keymap_file ( to list available maps) 11 | -------------------------------------------------------------------------------- /BSDRP/Files/etc/nsswitch.conf: -------------------------------------------------------------------------------- 1 | # 2 | # nsswitch.conf(5) - name service switch configuration file 3 | # $FreeBSD: src/etc/nsswitch.conf,v 1.1.8.1 2009/04/15 03:14:26 kensmith Exp $ 4 | # 5 | group: files 6 | hosts: files dns 7 | networks: files 8 | passwd: files 9 | shells: files 10 | services: files 11 | protocols: files 12 | rpc: files 13 | -------------------------------------------------------------------------------- /BSDRP/Files/etc/periodic.conf: -------------------------------------------------------------------------------- 1 | daily_output="/var/log/periodic.daily.log" 2 | weekly_output="/var/log/periodic.weekly.log" 3 | monthly_output="/var/log/periodic.monthly.log" 4 | security_output="/var/log/periodic.security.log" 5 | #disable some sendmail specific daily maintenance routines 6 | daily_clean_hoststat_enable="NO" 7 | daily_status_mail_rejects_enable="NO" 8 | daily_status_include_submit_mailq="NO" 9 | daily_submit_queuerun="NO" 10 | #Security and pkg 11 | security_status_baseaudit_enable="NO" 12 | security_status_pkgaudit_enable="NO" 13 | # includes files are removed, so the checksum check is generating lot of 14 | # log 15 | security_status_pkg_checksum_enable="NO" 16 | daily_status_pkg_changes_enable="NO" 17 | #Disable pkg daily backup 18 | 
daily_backup_pkg_enable="NO" 19 | # Weekly 20 | weekly_status_pkg_enable="NO" 21 | weekly_whatis_enable="NO" 22 | -------------------------------------------------------------------------------- /BSDRP/Files/etc/rc.conf: -------------------------------------------------------------------------------- 1 | ###### BSD Router Project Base Configuration ######## 2 | 3 | # /etc/rc.conf : This file, put your configuration parameters here 4 | # (do not delete this file, but it may be empty) 5 | # /etc/rc.conf.d/ : Or split your parameters into files here, one per service name 6 | # /etc/defaults/vendor.conf : Default BSDRP parameters 7 | 8 | hostname="router.bsdrp.net" 9 | -------------------------------------------------------------------------------- /BSDRP/Files/etc/sysctl.conf: -------------------------------------------------------------------------------- 1 | # This file is read when going to multi-user and its contents piped thru 2 | # ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details. 3 | # 4 | 5 | ### Forwarding ### 6 | # Enable Zerocopy for bpf 7 | net.bpf.zerocopy_enable=1 8 | # Sendmsg() can't send messages larger than the maxdgram length. 9 | # The default value causes routing software to fail with OSPF if jumbo frames are turned on. 
10 | net.inet.raw.maxdgram=16384 11 | net.inet.raw.recvspace=16384 12 | # Bump net.route.netisr_maxqlen to 2048 or a higher value 13 | net.route.netisr_maxqlen=2048 14 | # Increase bpf performance 15 | net.bpf.optimize_writers=1 16 | 17 | # Do not send IP redirects (enables the fastforwarding path) 18 | net.inet.ip.redirect=0 19 | net.inet6.ip6.redirect=0 20 | 21 | # Current CPUs can handle many more interrupts than the default (1000) 22 | # The 9000 value was found in /usr/src/sys/dev/ixgbe/README 23 | hw.intr_storm_threshold=9000 24 | # TCP Segmentation Offload (TSO) needs to be disabled on a router & firewall; 25 | # this avoids having to issue -tso for each NIC 26 | net.inet.tcp.tso=0 27 | 28 | ### Security ### 29 | # blackhole(8) 30 | # Disabled because it prevents traceroute from working correctly 31 | #net.inet.tcp.blackhole=2 32 | #net.inet.udp.blackhole=1 33 | # prevent users from seeing information about processes that 34 | # are being run under another UID. 35 | security.bsd.see_other_uids=0 36 | security.bsd.see_other_gids=0 37 | # Deny unprivileged processes the ability to debug other processes and to read 38 | # the kernel message buffer (reduces the attack surface) 38 | security.bsd.unprivileged_proc_debug=0 39 | security.bsd.unprivileged_read_msgbuf=0 40 | # Randomize the PID of newly created processes 41 | # This value must differ on each server: a value baked into a shared image 41 | # is identical on every install and therefore not random 42 | kern.randompid=1543 43 | # Insert a stack guard page ahead of the growable segments 44 | # Disabled because mpd5 crashes (illegal instruction) with this 45 | #security.bsd.stack_guard_page=512 46 | 47 | ### Misc ### 48 | # Save cores into /var/crash 49 | kern.corefile=/var/crash/%N.%P.%U.core 50 | # Allow setuid and setgid processes to dump core 50 | # (such core files may contain privileged data; keep /var/crash readable by root only) 51 | kern.sugid_coredump=1 52 | # Power save: power down devices with no driver loaded 53 | hw.pci.do_power_nodriver=3 54 | # ICMP reply from the incoming interface for non-local packets 55 | net.inet.icmp.reply_from_interface=1 56 | 57 | # FRR's OSPF daemons need big socket buffers 58 | kern.ipc.maxsockbuf=16777216 59 | 
-------------------------------------------------------------------------------- /BSDRP/Files/etc/version: -------------------------------------------------------------------------------- 1 | n298636 2 | -------------------------------------------------------------------------------- /BSDRP/Files/root/.exrc: -------------------------------------------------------------------------------- 1 | " use 4 spaces instead of tabs 2 | set tabstop=4 3 | set shiftwidth=4 4 | 5 | -------------------------------------------------------------------------------- /BSDRP/Files/root/LICENSE: -------------------------------------------------------------------------------- 1 | BSD Router Project (BSDRP) (c) 2009-2025, The BSDRP Development Team 2 | 3 | All rights reserved. 4 | 5 | https://bsdrp.net 6 | 7 | BSD Router Project code and documentation are released under the Simplified 8 | BSD license, under terms as follows. 9 | 10 | Redistribution and use in source and binary forms, with or without 11 | modification, are permitted provided that the following conditions are met: 12 | 13 | 1. Redistributions of source code must retain the above copyright notice, 14 | this list of conditions and the following disclaimer. 15 | 2. Redistributions in binary form must reproduce the above copyright notice, 16 | this list of conditions and the following disclaimer in the documentation 17 | and/or other materials provided with the distribution. 18 | 19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 20 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 21 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 22 | DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR 23 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 24 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 26 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 27 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 28 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 29 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/bin/bgptabledump2bird: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Convert Cisco 'show ip bgp' into a bird static routes configuration file 3 | # https://bgp.potaroo.net/as2.0/bgptable.txt && 4 | # https://bgp.potaroo.net/v6/as2.0/bgptable.txt 5 | set -eu 6 | if ! [ -f bgp4table.txt ]; then 7 | echo "Downloading bgp inet table..." 8 | fetch -o bgp4table.txt https://bgp.potaroo.net/as2.0/bgptable.txt 9 | sed -i "" -e 's/\r//' bgp4table.txt 10 | fi 11 | if ! [ -f bgp6table.txt ]; then 12 | echo "Downloading bgp inet6 table..." 13 | fetch -o bgp6table.txt https://bgp.potaroo.net/v6/as2.0/bgptable.txt 14 | sed -i "" -e 's/\r//' bgp6table.txt 15 | fi 16 | 17 | cat > bird.conf < bgp${i}table.conf << EOF 39 | protocol static fullview${i} { 40 | ipv${i}; 41 | EOF 42 | done 43 | echo "Converting bgp inet table to bird configuration file..." 44 | # 45 | #* 1.0.128.0/19 203.119.104.1 0 4608 24115 38040 23969 i 46 | #*> 202.12.28.1 0 4777 6939 38040 23969 i 47 | #* 203.119.104.2 0 4608 24115 38040 23969 i 48 | #*> 1.0.128.0/24 203.119.104.1 0 4608 24115 58453 38040 23969 ? 49 | #* 202.12.28.1 0 4777 4713 2914 58453 38040 23969 ? 
50 | #* 4.0.0.0 203.119.104.1 0 4608 1221 3356 i 51 | #*> 202.12.28.1 0 4777 2516 3356 i 52 | #* 203.119.104.2 0 4608 7575 3356 i 53 | #* 2001:250:101e::/48 54 | # 2001:dd8:8::1 0 4608 7575 4134 4538 4538 23910 24353 i 55 | #* 2001:dd8:8::2 0 4608 7575 4134 4538 4538 23910 24353 i 56 | #*> ::ffff:202.12.28.1 57 | # 0 4777 2497 4837 4538 4538 4538 4538 i 58 | #*> 2001:250:101f::/48 59 | # ::ffff:202.12.28.1 60 | # 61 | # 1. need to start by *: ^\* 62 | # 2. need to be followed by > or a space: (>|[[:space:]]) 63 | # 3: then need a space: [[:space:]] 64 | # 4: And a digit: [[:digit:]] 65 | # 5: Must having a '/' somewhere after (example of bad 4.0.0.0): .*\/ 66 | awk '/^\*(>|[[:space:]])[[:space:]][[:digit:]].*\// {printf " route %s via nexthop4;\n",$2}' bgp4table.txt >> bgp4table.conf 67 | echo "Converting bgp inet6 table to bird configuration file..." 68 | awk '/^\*(>|[[:space:]])[[:space:]][[:digit:]].*\// {printf " route %s via nexthop6;\n",$2}' bgp6table.txt >> bgp6table.conf 69 | echo "*** Verification step ***" 70 | for i in 4 6; do 71 | echo '}' >> bgp${i}table.conf 72 | echo "Number of inet$i prefixes in bgp${i}table.txt:" 73 | tail -n 2 bgp${i}table.txt | awk '/Displayed/ {print $2}' 74 | echo "Number of inet$i static routes in bgp${i}table.conf:" 75 | grep via bgp${i}table.conf -c 76 | done 77 | echo "Done" 78 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/bin/cxgbe-filter-rate: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -euf -o pipefail 3 | if [ $# -eq 0 ]; then 4 | echo "Need Chelsio nexus name (examble: t5nex0)" 5 | echo "List of Nexus detected:" 6 | grep t.nex /var/run/dmesg.boot || true 7 | exit 1 8 | fi 9 | VALUE=$(cxgbetool $1 filter list | awk '{if (NR!=1) {print $2}}') 10 | echo "Filter hit rate" 11 | while true; do 12 | sleep 1 13 | NEW_VALUE=$(cxgbetool $1 filter list | awk '{if (NR!=1) {print $2}}') 14 | RATE=$((NEW_VALUE - 
VALUE)) 15 | VALUE=${NEW_VALUE} 16 | echo ${RATE} 17 | done 18 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/bin/help: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Help tool for BSD Router Project 4 | # https://bsdrp.net 5 | # 6 | # Copyright (c) 2009-2019, The BSDRP Development Team 7 | # All rights reserved. 8 | # 9 | # Redistribution and use in source and binary forms, with or without 10 | # modification, are permitted provided that the following conditions 11 | # are met: 12 | # 1. Redistributions of source code must retain the above copyright 13 | # notice, this list of conditions and the following disclaimer. 14 | # 2. Redistributions in binary form must reproduce the above copyright 15 | # notice, this list of conditions and the following disclaimer in the 16 | # documentation and/or other materials provided with the distribution. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 19 | # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 22 | # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 | # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 | # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 | # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27 | # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28 | # SUCH DAMAGE. 
29 | # 30 | 31 | # Uncomment for enable the debug mode: 32 | # set -xv 33 | 34 | # Strict script 35 | set -e 36 | set -u 37 | 38 | echo "Welcome to BSD Router Project (BSDRP) help" 39 | echo "" 40 | echo "BSDRP is an embedded FreeBSD with some customized tools:" 41 | echo " - config : Manage config files" 42 | echo " - show : Display somes system information" 43 | echo " - upgrade : upgrade BSDRP" 44 | echo " - system : System actions" 45 | echo " - cli : Enter into frr router mode" 46 | echo " Need to start it first with" 47 | echo " sysrc frr_enable=yes" 48 | echo " service frr start" 49 | echo " - graphpath : helper tool to graph path " 50 | echo " - tuning : Give some tuning advice" 51 | echo " - help : Display this help message" 52 | echo "" 53 | echo "Command completion is available with TAB key" 54 | echo "More information with: tools-name help" 55 | echo "Display all rc variables configured with: sysrc -a" 56 | echo "" 57 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/bin/reqroutes: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # return true if the number of routes entrie is bigger or egal as the argument 3 | set -eu 4 | expected=$1 5 | routes=$(netstat -rn | wc -l) 6 | routes=$(echo $routes) 7 | [ $routes -ge $expected ] && exit 0 || exit 1 8 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/etc/mpd5/if-down.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | #Example of if-down.sh script to be used with mpd5 3 | #mpd5 call script with options: 4 | #interface proto local-ip remote-ip authname peer-address 5 | #example: 6 | #command "/urs/local/etc/mpd5/if-down.sh ng0 inet 10.3.23.1/32 10.3.23.10 '-' '10.0.23.2'" 7 | logger "$0 called with parameters: $@" 8 | remote_inet="1.1.1.0/24" 9 | remote_inet6="2001:db8:1::1 -prefixlen 64" 10 | eval " 
11 | if ! route get -net -\$2 ${remote_$2}; then 12 | logger "Route ${remote_inet} not in table" 13 | return 0 14 | else 15 | cmd=\"route del \${remote_$2} \$4\" 16 | fi 17 | " 18 | if $cmd; then 19 | logger "if-down: ${cmd} succesfull" 20 | return 0 21 | else 22 | logger "if-down: ${cmd} failed" 23 | return 1 24 | fi 25 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/etc/mpd5/if-up.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | #Example of if-up.sh script to be used with mpd5 3 | #mpd5 call script with options: 4 | #interface proto local-ip remote-ip authname [ dns1 server-ip ] [ dns2 server-ip ] peer-address 5 | #Examples 6 | #command "/usr/local/etc/mpd5/if-up.sh ng0 inet 10.3.23.1/32 10.3.23.10 '-' '' '' '10.1.23.2'" 7 | #command "/usr/local/etc/mpd5/if-up.sh ng0 inet6 fe80::5ef3:fcff:fee5:a4c0%ng0 fe80::5ef3:fcff:fee5:7338%ng0 '-' '10.1.23.2'" 8 | #mpd5 wait for 0 as successful 9 | set -e 10 | logger "$0 called with parameters: $@" 11 | remote_inet="1.1.1.0/24" 12 | remote_inet6="2001:db8:1:: -prefixlen 64" 13 | eval " 14 | if route get -net -\$2 \${remote_$2}; then 15 | logger \"route \${remote_$2} already present\" 16 | return 0 17 | else 18 | cmd=\"route add -\$2 \${remote_$2} \$4\" 19 | fi 20 | " 21 | if $cmd; then 22 | logger "$0: $cmd successfull" 23 | return 0 24 | else 25 | logger "$0: $cmd failed" 26 | return 1 27 | fi 28 | 29 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/etc/newsyslog.conf.d/bird: -------------------------------------------------------------------------------- 1 | /var/log/bird.log 600 3 100 * JB /var/run/bird.pid 2 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/etc/newsyslog.conf.d/openvpn: -------------------------------------------------------------------------------- 1 | /var/log/openvpn.log 600 3 100 
* JC /var/run/openvpn.pid 2 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/etc/pkg.conf: -------------------------------------------------------------------------------- 1 | # Avoid installing uneeded files from port 2 | # net-snmp fails to install if removing includes 3 | # So need to be removed during the post-script.sh 4 | # "/usr/local/include/*", 5 | FILES_IGNORE_GLOB: [ 6 | "*.a", 7 | "/usr/local/share/info/*", 8 | "/usr/local/sbin/pkg-static*", 9 | ] 10 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/etc/rc.d/autosave: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # BSD Router Project: autosave Init script 4 | # http://bsdrp.net 5 | # 6 | # Copyright (c) 2017, The BSDRP Development Team 7 | # All rights reserved. 8 | # 9 | # Redistribution and use in source and binary forms, with or without 10 | # modification, are permitted provided that the following conditions 11 | # are met: 12 | # 1. Redistributions of source code must retain the above copyright 13 | # notice, this list of conditions and the following disclaimer. 14 | # 2. Redistributions in binary form must reproduce the above copyright 15 | # notice, this list of conditions and the following disclaimer in the 16 | # documentation and/or other materials provided with the distribution. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE PROJECT ``AS IS'' AND ANY EXPRESS OR 19 | # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 | # OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
21 | # IN NO EVENT SHALL THE PROJECT BE LIABLE FOR ANY DIRECT, INDIRECT, 22 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 | # NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 | # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 | # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 | # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | # 29 | 30 | # PROVIDE: autosave 31 | # REQUIRE: DAEMON 32 | # KEYWORD: shutdown 33 | 34 | . /etc/rc.subr 35 | 36 | name=autosave 37 | rcvar=${name}_enable 38 | stop_cmd="${name}_stop" 39 | 40 | autosave_stop () { 41 | # autosave is a simple shell script with fswatch in a loop 42 | # for stoping autosave, we need to stop fswatch and the autosave script 43 | autosave_pid=$(pgrep -f "/bin/sh /usr/local/sbin/autosave") 44 | fswatch_pid=$(pgrep -f "fswatch -1dr /etc") 45 | if [ -n "${autosave_pid}" ] && [ -n "${fswatch_pid}" ]; then 46 | kill ${autosave_pid} ${fswatch_pid} || logger Failed to kill autosave 47 | fi 48 | } 49 | 50 | pidfile="/var/run/${name}.pid" 51 | 52 | command="/usr/sbin/daemon" 53 | 54 | load_rc_config ${name} 55 | : ${autosave_enable="NO"} 56 | 57 | command_args="-f -P ${pidfile} -u root /usr/local/sbin/autosave" 58 | 59 | run_rc_command "$1" 60 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/etc/rc.d/bxe_affinity: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Bind bxe(4) interrupt threads to different cores 3 | # Adapted from same chelsio RC script by farrokhi@FreeBSD.org 4 | 5 | # PROVIDE: bxe_affinity 6 | # REQUIRE: FILESYSTEMS netif 7 | # KEYWORD: nojail 8 | 9 | # 10 | # Add the following lines to /etc/rc.conf.local or /etc/rc.conf 11 | # to enable this service: 12 | # 13 | # bxe_affinity_enable 
(bool): Set to NO by default. 14 | # Set it to YES to bind interrupt threads to different cores 15 | # bxe_affinity_avoidncpu (int): 0 by default. 16 | # Set to number of CPU to exclude from binding 17 | 18 | . /etc/rc.subr 19 | 20 | name="bxe_affinity" 21 | rcvar=${name}_enable 22 | 23 | start_cmd="bxe_affinity_start" 24 | 25 | bxe_affinity_start() 26 | { 27 | # Need a bxe NIC 28 | NQ=$(/sbin/sysctl -ni dev.bxe.0.state) 29 | if [ -z "${NQ}" ]; then 30 | echo "No bxe NIC detected" 31 | exit 0; 32 | fi 33 | 34 | # Work with 2 CPU minimum 35 | NCPU=$(/sbin/sysctl -n hw.ncpu) 36 | if [ ${NCPU} -le 2 ]; then 37 | echo "Not enought CPU detected" 38 | exit 0 39 | fi 40 | 41 | # Exclude some CPU from binding 42 | NCPU=$((NCPU - ${bxe_affinity_avoidncpu})) 43 | CPU=0 44 | nics=$(/sbin/sysctl dev.bxe. | grep -c fw_version) 45 | for i in $(seq 0 $((nics - 1))); do 46 | for IRQ in `/usr/bin/vmstat -ai |\ 47 | /usr/bin/sed -nE "/bxe${i}:fp./ s/irq([[:digit:]]+):.*/\1/p"`; do 48 | echo "Bind bxe${i} IRQ ${IRQ} to CPU ${CPU}" 49 | /usr/bin/cpuset -l ${CPU} -x ${IRQ} 50 | CPU=$(((CPU + 1) % NCPU)) 51 | done 52 | CPU=0 53 | done 54 | } 55 | 56 | load_rc_config $name 57 | 58 | : ${bxe_affinity_enable="NO"} 59 | : ${bxe_affinity_avoidncpu=0} 60 | 61 | run_rc_command "$1" 62 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/etc/rc.d/chelsio_affinity: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Bind Chelsio interrupt threads to different cores (melifaro@FreeBSD.org) 3 | # If numa-domain is present, bind in the same numa-domain 4 | 5 | # PROVIDE: chelsio_affinity 6 | # REQUIRE: FILESYSTEMS netif 7 | # KEYWORD: nojail 8 | 9 | # 10 | # Add the following lines to /etc/rc.conf.local or /etc/rc.conf 11 | # to enable this service: 12 | # 13 | # chelsio_affinity_enable (bool): Set to YES by default. 
14 | # Set it to YES to bind interrupt threads to different cores 15 | # chelsio_affinity_avoidncpu (int): 0 (none) by default. 16 | # Set to number of CPU to exclude from binding 17 | # This to avoid overloading all CPUs in case of huge 18 | # traffic received 19 | 20 | . /etc/rc.subr 21 | 22 | name="chelsio_affinity" 23 | rcvar=${name}_enable 24 | 25 | start_cmd="chelsio_affinity_start" 26 | 27 | bind_ports() { 28 | # card_type example: t5nex|t6nex 29 | # card_index example: 0|1 30 | card_type=$1 31 | card_index=$2 32 | card=${card_type}${card_index} 33 | dev=dev.${card_type}.${card_index} 34 | card_domain=$(/sbin/sysctl -n ${dev}.%domain 2> /dev/null) 35 | if [ -z $card_domain ]; then 36 | echo "No %domain found for ${dev}.%domain, setting to 0" 37 | card_domain=0 38 | fi 39 | 40 | echo "$card on numa-domain ${card_domain}" 41 | # find ports 42 | ports=$(/sbin/sysctl -n ${dev}.nports 2> /dev/null) 43 | if [ -n $ports ]; then 44 | echo " $card has $ports ports" 45 | # Iterate through ports on this card 46 | for port in $(seq 0 $((ports - 1))); do 47 | echo " $card port $port" 48 | # List all CPUs from this domain 49 | # cpuset output example: 0 1 2 3 4 5 6 7 8 9 10 11 50 | CPUS=$(/usr/bin/cpuset -g -d $card_domain | sed 's/domain.*mask: //g;s/\,//g') 51 | set $CPUS 52 | if [ ${chelsio_affinity_avoidncpu} -ne 0 ]; then 53 | for avoidcpu in $(seq 0 $((chelsio_affinity_avoidncpu - 1))); do 54 | shift 55 | done 56 | fi 57 | for irq in $(/usr/bin/vmstat -ai |\ 58 | /usr/bin/sed -nE "/${card}:${port}a/s/irq([[:digit:]]+):.*/\1/p"); do 59 | if [ -z "$1" ]; then 60 | # case when there are less CPU than IRQ/Queue (can this be possible?) 61 | echo " Warning: Less available CPU than queues to bind" 62 | set $CPUS 63 | fi 64 | echo " Bind ${card}:${port}a IRQ ${irq} to CPU $1" 65 | /usr/bin/cpuset -l $1 -x ${irq} 66 | shift 67 | done 68 | done 69 | else 70 | echo "$card has no ports!" 
71 | exit 0 72 | fi 73 | } 74 | 75 | chelsio_affinity_start() { 76 | # Need a Chelsio Card, search for T5 and T6 cards 77 | Nt5=$(/sbin/sysctl -i dev.t5nex | grep -c nports) 78 | Nt6=$(/sbin/sysctl -i dev.t6nex | grep -c nports) 79 | 80 | if [ $Nt5 -eq 0 ] && [ $Nt6 -eq 0 ]; then 81 | echo "No Chelsio card detected" 82 | exit 0 83 | fi 84 | echo "# of T5 cards: $Nt5, # of T6 cards: $Nt6" 85 | 86 | # Minimum of 2 CPU mandatory 87 | NCPU=$(/sbin/sysctl -n hw.ncpu) 88 | if [ ${NCPU} -le 2 ]; then 89 | echo "Need 2 CPU minimum" 90 | exit 0 91 | fi 92 | 93 | # iterate through cards and bind queues on every card/port/queue combo to cpus 94 | if [ $Nt5 -gt 0 ]; then 95 | for j in $(seq 0 $((Nt5 - 1))); do 96 | bind_ports t5nex $j 97 | done 98 | fi 99 | if [ $Nt6 -gt 0 ]; then 100 | for j in $(seq 0 $((Nt6 - 1))); do 101 | bind_ports t6nex $j 102 | done 103 | fi 104 | } 105 | 106 | load_rc_config $name 107 | 108 | : ${chelsio_affinity_enable="NO"} 109 | : ${chelsio_affinity_avoidncpu=0} 110 | 111 | run_rc_command "$1" 112 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/etc/rc.d/disablelrotso: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # BSD Router Project: Disable LRO and TSO feature on all interface 4 | # 5 | # Copyright (c) 2014-2018, The BSDRP Development Team 6 | # All rights reserved. 7 | # 8 | # Redistribution and use in source and binary forms, with or without 9 | # modification, are permitted provided that the following conditions 10 | # are met: 11 | # 1. Redistributions of source code must retain the above copyright 12 | # notice, this list of conditions and the following disclaimer. 13 | # 2. Redistributions in binary form must reproduce the above copyright 14 | # notice, this list of conditions and the following disclaimer in the 15 | # documentation and/or other materials provided with the distribution. 
16 | # 17 | # THIS SOFTWARE IS PROVIDED BY THE PROJECT ``AS IS'' AND ANY EXPRESS OR 18 | # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 | # OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 | # IN NO EVENT SHALL THE PROJECT BE LIABLE FOR ANY DIRECT, INDIRECT, 21 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22 | # NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 | # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 | # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 | # 28 | # PROVIDE: disablelrotso 29 | # REQUIRE: netif 30 | # KEYWORD: nojail 31 | # 32 | # Add the following to /etc/rc.conf[.local] to enable this service 33 | # 34 | # disablelrotso_enable="YES" 35 | # 36 | 37 | . /etc/rc.subr 38 | 39 | disablelrotso=${disablelrotso_enable-"NO"} 40 | 41 | name="disablelrotso" 42 | rcvar=${name}_enable 43 | 44 | start_cmd="${name}_start" 45 | stop_cmd="${name}_stop" 46 | 47 | # Get the list of Ethernet devices 48 | DETECTED_DEVICES=`ifconfig -l "ether"` 49 | 50 | disablelrotso_start() 51 | { 52 | # Disable LRO and TSO on all detected interfaces: 53 | for DETECTED in ${DETECTED_DEVICES} 54 | do 55 | echo -n "Disabling TSO, LRO and VLAN_HWTSO on: ${DETECTED}..." 56 | ifconfig ${DETECTED} -tso4 -tso6 -lro -vlanhwtso && echo "done" || echo "failed" 57 | done 58 | exit 0 59 | } 60 | 61 | disablelrotso_stop() 62 | { 63 | # Re-enable LRO and TSO on all interface that support it: 64 | for DETECTED in ${DETECTED_DEVICES} 65 | do 66 | echo -n "Re-enabling TSO, LRO and VLAN_HWTSO on : ${DETECTED}..." 
67 | ifconfig ${DETECTED} tso4 tso6 lro vlanhwtso && echo "done" || echo "failed" 68 | done 69 | exit 0 70 | } 71 | 72 | load_rc_config $name 73 | : ${disablelrotso_enable="NO"} 74 | 75 | run_rc_command "$1" 76 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/etc/rc.d/freevrrpd: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # PROVIDE: freevrrpd 4 | # REQUIRE: NETWORKING 5 | # KEYWORD: nojail 6 | # 7 | # Add the following to /etc/rc.conf[.local] to enable this service 8 | # 9 | # freevrrpd_enable="YES" 10 | # 11 | 12 | . /etc/rc.subr 13 | 14 | freevrrpd_enable=${freevrrpd_enable-"NO"} 15 | 16 | name="freevrrpd" 17 | rcvar=${name}_enable 18 | 19 | command="/usr/local/sbin/${name}" 20 | required_files="/usr/local/etc/${name}.conf" 21 | required_modules="ng_socket ng_ether ng_bridge ng_eiface" 22 | 23 | load_rc_config ${name} 24 | 25 | run_rc_command "$1" 26 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/etc/rc.d/gpartfix: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Fix GPT partition table 3 | 4 | # PROVIDE: gpartfix 5 | # REQUIRE: FILESYSTEMS 6 | # KEYWORD: nojail 7 | 8 | # 9 | # Add the following lines to /etc/rc.conf.local or /etc/rc.conf 10 | # to enable this service: 11 | # 12 | # gpartfix (bool): Set to YES by default. 13 | 14 | . /etc/rc.subr 15 | 16 | name="gpartfix" 17 | rcvar=${name}_enable 18 | 19 | start_cmd="gpartfix_start" 20 | 21 | gpartfix_start() { 22 | . 
/etc/nanobsd.conf 23 | boot_disk=$(glabel status | grep -E "${boot_label}(s1a|1)" \ 24 | | awk '{ s=$3; sub(/[s|p][1-4]a?$/, "", s); print s; }') 25 | if [ -n "${output}" ]; then 26 | echo "BUG in gpartfix: Can't retrieve boot disk name" 27 | exit 1 28 | fi 29 | if /sbin/gpart show ${boot_disk} | grep -q CORRUPT; then 30 | echo "GPT corrupted table found on bootable media, fixing it..." 31 | /sbin/gpart recover ${boot_disk} 32 | fi 33 | } 34 | 35 | load_rc_config $name 36 | 37 | : ${gpartfix_enable="NO"} 38 | 39 | run_rc_command "$1" 40 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/etc/rc.d/igb_affinity: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Bind Intel igb interrupt threads to different cores 3 | # Adapted from same chelsio RC script by farrokhi@FreeBSD.org 4 | 5 | # PROVIDE: igb_affinity 6 | # REQUIRE: FILESYSTEMS netif 7 | # KEYWORD: nojail 8 | 9 | # 10 | # Add the following lines to /etc/rc.conf.local or /etc/rc.conf 11 | # to enable this service: 12 | # 13 | # igb_affinity_enable (bool): Set to NO by default. 14 | # Set it to YES to bind interrupt threads to different cores 15 | # igb_affinity_avoidncpu (int): 0 by default. 16 | # Set to number of CPU to exclude from binding 17 | 18 | . /etc/rc.subr 19 | 20 | name="igb_affinity" 21 | rcvar=${name}_enable 22 | 23 | start_cmd="igb_affinity_start" 24 | 25 | igb_affinity_start() 26 | { 27 | # Need an Intel igb NIC 28 | NQ=$(/sbin/sysctl -ni dev.igb.0.link_irq) 29 | if [ -z "${NQ}" ]; then 30 | echo "No Intel igb port detected" 31 | exit 0; 32 | fi 33 | 34 | # Work with 2 CPU minimum 35 | NCPU=$(/sbin/sysctl -n hw.ncpu) 36 | if [ ${NCPU} -le 2 ]; then 37 | echo "Not enought CPU detected" 38 | exit 0 39 | fi 40 | 41 | # Exclude some CPU from binding 42 | NCPU=$((NCPU - ${igb_affinity_avoidncpu})) 43 | CPU=0 44 | igb=$(/sbin/sysctl dev.igb. 
| grep -c disable_msix) 45 | for i in $(seq 0 $((igb - 1))); do 46 | for IRQ in `/usr/bin/vmstat -ai |\ 47 | /usr/bin/sed -nE "/igb${i}:rxq./ s/irq([[:digit:]]+):.*/\1/p"`; do 48 | echo "Bind igb${i} IRQ ${IRQ} to CPU ${CPU}" 49 | /usr/bin/cpuset -l ${CPU} -x ${IRQ} 50 | CPU=$(((CPU + 1) % NCPU)) 51 | done 52 | CPU=0 53 | done 54 | } 55 | 56 | load_rc_config $name 57 | 58 | : ${igb_affinity_enable="NO"} 59 | : ${igb_affinity_avoidncpu=0} 60 | 61 | run_rc_command "$1" 62 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/etc/rc.d/ix_affinity: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Bind Intel interrupt threads to different cores 3 | # Adapted from same chelsio RC script by farrokhi@FreeBSD.org 4 | 5 | # PROVIDE: ix_affinity 6 | # REQUIRE: FILESYSTEMS netif 7 | # KEYWORD: nojail 8 | 9 | # 10 | # Add the following lines to /etc/rc.conf.local or /etc/rc.conf 11 | # to enable this service: 12 | # 13 | # ix_affinity_enable (bool): Set to NO by default. 14 | # Set it to YES to bind interrupt threads to different cores 15 | # ix_affinity_avoidncpu (int): 0 by default. 16 | # Set to number of CPU to exclude from binding 17 | 18 | . /etc/rc.subr 19 | 20 | name="ix_affinity" 21 | rcvar=${name}_enable 22 | 23 | start_cmd="ix_affinity_start" 24 | 25 | ix_affinity_start() 26 | { 27 | # Need an Intel NIC 28 | NQ=$(/sbin/sysctl -ni hw.ix.num_queues) 29 | if [ "${NQ}" -eq 0 ]; then 30 | echo "No Intel ix port detected" 31 | exit 0; 32 | fi 33 | 34 | # Work with 2 CPU minimum 35 | NCPU=$(/sbin/sysctl -n hw.ncpu) 36 | if [ ${NCPU} -le 2 ]; then 37 | echo "Not enought CPU detected" 38 | exit 0 39 | fi 40 | 41 | # Exclude some CPU from binding 42 | NCPU=$((NCPU - ${ix_affinity_avoidncpu})) 43 | CPU=0 44 | ix=$(sysctl dev.ix. 
| grep -c link_irq) 45 | for i in $(seq 0 $((ix - 1))); do 46 | for IRQ in `/usr/bin/vmstat -ai |\ 47 | /usr/bin/sed -nE "/ix${i}:q./ s/irq([[:digit:]]+):.*/\1/p"`; do 48 | echo "Bind ix${i} IRQ ${IRQ} to CPU ${CPU}" 49 | /usr/bin/cpuset -l ${CPU} -x ${IRQ} 50 | CPU=$(((CPU + 1) % NCPU)) 51 | done 52 | CPU=0 53 | done 54 | } 55 | 56 | load_rc_config $name 57 | 58 | : ${ix_affinity_enable="NO"} 59 | : ${ix_affinity_avoidncpu=0} 60 | 61 | run_rc_command "$1" 62 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/etc/rc.d/ixiflib_affinity: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Bind Intel interrupt threads to different cores 3 | # Adapted from same chelsio RC script by farrokhi@FreeBSD.org 4 | 5 | # PROVIDE: ix_affinity 6 | # REQUIRE: FILESYSTEMS netif 7 | # KEYWORD: nojail 8 | 9 | # 10 | # Add the following lines to /etc/rc.conf.local or /etc/rc.conf 11 | # to enable this service: 12 | # 13 | # ix_affinity_enable (bool): Set to NO by default. 14 | # Set it to YES to bind interrupt threads to different cores 15 | # ix_affinity_avoidncpu (int): 0 by default. 16 | # Set to number of CPU to exclude from binding 17 | 18 | . /etc/rc.subr 19 | 20 | name="ix_affinity" 21 | rcvar=${name}_enable 22 | 23 | start_cmd="ix_affinity_start" 24 | 25 | ix_affinity_start() 26 | { 27 | # Need an Intel NIC 28 | #NQ=$(/sbin/sysctl -ni hw.ix.num_queues) 29 | NQ=$(sysctl dev.ix.0. | grep irqs | wc -l | sed 's/ //g') 30 | if [ "${NQ}" -eq 0 ]; then 31 | echo "No Intel ix port detected" 32 | exit 0; 33 | fi 34 | 35 | # Work with 2 CPU minimum 36 | NCPU=$(/sbin/sysctl -n hw.ncpu) 37 | if [ ${NCPU} -le 2 ]; then 38 | echo "Not enought CPU detected" 39 | exit 0 40 | fi 41 | 42 | # Exclude some CPU from binding 43 | NCPU=$((NCPU - ${ix_affinity_avoidncpu})) 44 | CPU=0 45 | ix=$(sysctl dev.ix. 
| grep -c link_irq) 46 | for i in $(seq 0 $((ix - 1))); do 47 | for IRQ in `/usr/bin/vmstat -ai |\ 48 | /usr/bin/sed -nE "/ix${i}:rxq./ s/irq([[:digit:]]+):.*/\1/p"`; do 49 | echo "Bind ix${i} IRQ ${IRQ} to CPU ${CPU}" 50 | /usr/bin/cpuset -l ${CPU} -x ${IRQ} 51 | CPU=$(((CPU + 1) % NCPU)) 52 | done 53 | CPU=0 54 | done 55 | } 56 | 57 | load_rc_config $name 58 | 59 | : ${ix_affinity_enable="NO"} 60 | : ${ix_affinity_avoidncpu=0} 61 | 62 | run_rc_command "$1" 63 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/etc/rc.d/mlx5en_affinity: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Bind Mellanox mlx5en interrupt threads to different core 3 | 4 | # PROVIDE: mlx5en_affinity 5 | # REQUIRE: FILESYSTEMS netif 6 | # KEYWORD: nojail 7 | 8 | # 9 | # Add the following lines to /etc/rc.conf.local or /etc/rc.conf 10 | # to enable this service: 11 | # 12 | # mlx5en_affinity_enable (bool): Set to YES by default. 13 | # Set it to YES to bind interrupt threads to different cores 14 | # mlx5en_affinity_avoidncpu (int): 0 by default. 15 | # Set to number of CPU to exclude from binding 16 | # mlx5en_affinity_firstcpu (int): 0 by default. 17 | # Set the first CPU id (for starting at second numa-domain) 18 | 19 | . /etc/rc.subr 20 | 21 | name="mlx5en_affinity" 22 | rcvar=${name}_enable 23 | 24 | start_cmd="mlx5en_affinity_start" 25 | 26 | mlx5en_affinity_start() 27 | { 28 | # Need a mce NIC 29 | NQ=$(/sbin/sysctl -ni dev.mce.0.conf.channels) 30 | if [ -z "${NQ}" ]; then 31 | echo "No Mellanox mlx5en NIC port detected" 32 | exit 0; 33 | fi 34 | 35 | # Work with 2 CPU minimum 36 | NCPU=$(/sbin/sysctl -n hw.ncpu) 37 | if [ ${NCPU} -le 2 ]; then 38 | echo "Not enought CPU detected" 39 | exit 0 40 | fi 41 | 42 | # Exclude some CPU from binding 43 | NCPU=$((NCPU - ${mlx5en_affinity_avoidncpu})) 44 | CPU=${mlx5en_affinity_firstcpu} 45 | 46 | # Number of NIC 47 | nic=$(sysctl dev.mce. 
| grep -c hw_mtu) 48 | if [ ${nic} -eq 0 ]; then 49 | echo "No Mellanox card detected" 50 | exit 0 51 | fi 52 | 53 | # XXX Need to guest the CPU numa domain 54 | for i in $(seq 0 $((nic - 1))); do 55 | # Need to filter the first 3 IRQ that seems not related to RX queues 56 | # Need to filter only the used IRQ (=number of channels) 57 | for IRQ in `/usr/bin/vmstat -ai |\ 58 | /usr/bin/sed -nE "/mlx5_core${i}/s/irq([[:digit:]]+):.*/\1/p" | tail -n +4 | head -${NQ}`; do 59 | echo "Bind mlx5_core${i} IRQ ${IRQ} to CPU ${CPU}" 60 | /usr/bin/cpuset -l ${CPU} -x ${IRQ} 61 | CPU=$(((CPU + 1) % NCPU)) 62 | done 63 | CPU=${mlx5en_affinity_firstcpu} 64 | done 65 | } 66 | 67 | load_rc_config $name 68 | 69 | : ${mlx5en_affinity_enable="NO"} 70 | : ${mlx5en_affinity_avoidncpu=0} 71 | : ${mlx5en_affinity_firstcpu=0} 72 | 73 | run_rc_command "$1" 74 | 75 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/etc/rc.d/ngnetflow: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # PROVIDE: ngnetflow 4 | # REQUIRE: NETWORKING 5 | # KEYWORD: nojail 6 | # 7 | # Add the following lines to /etc/rc.conf.local or /etc/rc.conf 8 | # to enable this service: 9 | # 10 | # Mandatory: 11 | # ngnetflow_enable (bool): Set to NO by default. 12 | # Set it to YES to enable netflow. 13 | # ngnetflow_if (nic): Set the Source interface. 14 | # ngnetflow_dst (IP:PORT): Set the destination and port. 15 | # 16 | # Optional: 17 | # ngnetflow_src (IP:PORT) Set the source ip and port. 18 | # Defalt: Not used 19 | # ngnetflow_ver (9): Set the netflow version to use. 20 | # Default: 9 21 | # ngnetflow_actimeout: Set the active timeout. 22 | # Default: 1800 seconds (30 minutes) 23 | # ngnetflow_inactimeout: Set the inactive timeout. 24 | # Default: 15 seconds 25 | # 26 | 27 | . 
/etc/rc.subr 28 | 29 | name="ngnetflow" 30 | rcvar=${name}_enable 31 | 32 | command=/usr/local/sbin/${name} 33 | 34 | load_rc_config $name 35 | : ${ngnetflow_enable="NO"} 36 | : ${ngnetflow_if=""} 37 | : ${ngnetflow_src=""} 38 | : ${ngnetflow_dst="127.0.0.1:9996"} 39 | : ${ngnetflow_ver="9"} 40 | : ${ngnetflow_actimeout="1800"} 41 | : ${ngnetflow_inactimeout="15"} 42 | 43 | start_cmd="${name}_start" 44 | stop_cmd="${name}_stop" 45 | status_cmd="${name}_status" 46 | required_modules="ng_netflow ng_ether" 47 | 48 | ngnetflow_status() { 49 | if ngctl show netflow: > /dev/null 2>&1; then 50 | echo "${name} is running" 51 | else 52 | echo "${name} is not running" 53 | fi 54 | } 55 | 56 | ngnetflow_start() { 57 | if [ -z "${ngnetflow_if}" ]; then 58 | warn "if name (ngnetflow_if) not configured" 59 | return 1 60 | fi 61 | [ "${ngnetflow_ver}" = "5" ] && version="" || version="${ngnetflow_ver}" 62 | /usr/sbin/ngctl -f- <<-EOF 63 | mkpeer ${ngnetflow_if}: netflow lower iface0 64 | name ${ngnetflow_if}:lower netflow 65 | connect ${ngnetflow_if}: netflow: upper out0 66 | mkpeer netflow: ksocket export${version} inet/dgram/udp 67 | name netflow:export${version} netflow_export 68 | EOF 69 | if [ -n "${ngnetflow_src}" ]; then 70 | /usr/sbin/ngctl msg netflow: bind inet/${ngnetflow_src} 71 | fi 72 | /usr/sbin/ngctl -f- <<-EOF 73 | msg netflow: settimeouts { inactive = ${ngnetflow_inactimeout} active = ${ngnetflow_actimeout} } 74 | msg netflow:export${version} connect inet/${ngnetflow_dst} 75 | EOF 76 | 77 | } 78 | 79 | ngnetflow_stop() { 80 | /usr/sbin/ngctl shutdown netflow: 81 | } 82 | 83 | run_rc_command "$1" 84 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/etc/rc.d/pim6dd: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # BSD Router Project: Multicast IPv6 PIM Dense Mode Daemon startup script 4 | # http://bsdrp.net 5 | # 6 | # Copyright (c) 2009-2010, The 
BSDRP Development Team 7 | # All rights reserved. 8 | # 9 | # Redistribution and use in source and binary forms, with or without 10 | # modification, are permitted provided that the following conditions 11 | # are met: 12 | # 1. Redistributions of source code must retain the above copyright 13 | # notice, this list of conditions and the following disclaimer. 14 | # 2. Redistributions in binary form must reproduce the above copyright 15 | # notice, this list of conditions and the following disclaimer in the 16 | # documentation and/or other materials provided with the distribution. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE PROJECT ``AS IS'' AND ANY EXPRESS OR 19 | # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 | # OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 | # IN NO EVENT SHALL THE PROJECT BE LIABLE FOR ANY DIRECT, INDIRECT, 22 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 | # NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 | # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 | # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 | # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | # 29 | # PROVIDE: pim6dd 30 | # REQUIRE: netif routing 31 | # KEYWORD: nojail 32 | 33 | # 34 | # Add the following to /etc/rc.conf[.local] to enable this service 35 | # 36 | # pim6dd_enable="YES" 37 | # 38 | 39 | . 
/etc/rc.subr 40 | 41 | pim6dd_enable=${pim6dd_enable-"NO"} 42 | 43 | name="pim6dd" 44 | rcvar=${name}_enable 45 | 46 | command="/usr/local/sbin/${name}" 47 | 48 | extra_commands=reload 49 | 50 | load_rc_config $name 51 | run_rc_command "$1" 52 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/etc/rc.d/pim6sd: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # BSD Router Project: Multicast IPv6 PIM Sparse Mode Daemon startup script 4 | # http://bsdrp.net 5 | # 6 | # Copyright (c) 2009-2010, The BSDRP Development Team 7 | # All rights reserved. 8 | # 9 | # Redistribution and use in source and binary forms, with or without 10 | # modification, are permitted provided that the following conditions 11 | # are met: 12 | # 1. Redistributions of source code must retain the above copyright 13 | # notice, this list of conditions and the following disclaimer. 14 | # 2. Redistributions in binary form must reproduce the above copyright 15 | # notice, this list of conditions and the following disclaimer in the 16 | # documentation and/or other materials provided with the distribution. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE PROJECT ``AS IS'' AND ANY EXPRESS OR 19 | # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 | # OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 | # IN NO EVENT SHALL THE PROJECT BE LIABLE FOR ANY DIRECT, INDIRECT, 22 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 | # NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 | # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 | # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 | # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
28 | # 29 | # PROVIDE: pim6sd 30 | # REQUIRE: netif routing 31 | # KEYWORD: nojail 32 | 33 | # 34 | # Add the following to /etc/rc.conf[.local] to enable this service 35 | # 36 | # pim6sd_enable="YES" 37 | # 38 | 39 | . /etc/rc.subr 40 | 41 | pim6sd_enable=${pim6sd_enable-"NO"} 42 | 43 | name="pim6sd" 44 | rcvar=${name}_enable 45 | 46 | command="/usr/local/sbin/${name}" 47 | required_files="/usr/local/etc/${name}.conf" 48 | 49 | extra_commands=reload 50 | 51 | load_rc_config $name 52 | run_rc_command "$1" 53 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/etc/rc.d/pimdd: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # BSD Router Project: Multicast IPv4 PIM Dense Mode Daemon startup script 4 | # http://bsdrp.net 5 | # 6 | # Copyright (c) 2009-2012, The BSDRP Development Team 7 | # All rights reserved. 8 | # 9 | # Redistribution and use in source and binary forms, with or without 10 | # modification, are permitted provided that the following conditions 11 | # are met: 12 | # 1. Redistributions of source code must retain the above copyright 13 | # notice, this list of conditions and the following disclaimer. 14 | # 2. Redistributions in binary form must reproduce the above copyright 15 | # notice, this list of conditions and the following disclaimer in the 16 | # documentation and/or other materials provided with the distribution. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE PROJECT ``AS IS'' AND ANY EXPRESS OR 19 | # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 | # OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
21 | # IN NO EVENT SHALL THE PROJECT BE LIABLE FOR ANY DIRECT, INDIRECT, 22 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 | # NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 | # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 | # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 | # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | # 29 | # PROVIDE: pimdd 30 | # REQUIRE: netif routing 31 | # KEYWORD: nojail 32 | 33 | # 34 | # Add the following to /etc/rc.conf[.local] to enable this service 35 | # 36 | # pimdd_enable="YES" 37 | # 38 | 39 | . /etc/rc.subr 40 | 41 | pimdd_enable=${pimdd_enable-"NO"} 42 | 43 | name="pimdd" 44 | rcvar=${name}_enable 45 | 46 | command="/usr/local/sbin/${name}" 47 | 48 | extra_commands=reload 49 | 50 | load_rc_config $name 51 | run_rc_command "$1" 52 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/etc/rc.d/polling: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # BSD Router Project: Auto enable polling for interface that support it 4 | # 5 | # Copyright (c) 2009-2018, The BSDRP Development Team 6 | # All rights reserved. 7 | # 8 | # Redistribution and use in source and binary forms, with or without 9 | # modification, are permitted provided that the following conditions 10 | # are met: 11 | # 1. Redistributions of source code must retain the above copyright 12 | # notice, this list of conditions and the following disclaimer. 13 | # 2. Redistributions in binary form must reproduce the above copyright 14 | # notice, this list of conditions and the following disclaimer in the 15 | # documentation and/or other materials provided with the distribution. 
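#
# THIS SOFTWARE IS PROVIDED BY THE PROJECT ``AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
# IN NO EVENT SHALL THE PROJECT BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# PROVIDE: polling
# REQUIRE: netif
# KEYWORD: nojail
#
# Add the following to /etc/rc.conf[.local] to enable this service
#
# polling_enable="YES"
#

. /etc/rc.subr

polling_enable=${polling_enable-"NO"}

name="polling"
rcvar=${name}_enable

start_cmd="${name}_start"
stop_cmd="${name}_stop"

# List of supported drivers
# Get from the "man polling"
SUPPORTED_DEVICES="bge dc em igb fwe fwip fxp ixgb lem nfe nge re rl sf sis ste stge vge vr xl"
# Get the list of detected devices
DETECTED_DEVICES=$(ifconfig -l "ether")

# polling_supported IFNAME
# Returns 0 when IFNAME is "<driver><unit>" for a driver in SUPPORTED_DEVICES,
# 1 otherwise.  The driver name is anchored at the start and must be followed
# by digits only: a plain substring test would try to enable polling on
# unrelated interfaces whose name merely contains a driver name (for example
# "re" inside ure0, or "dc" inside cdce0).
polling_supported()
{
	local _ifname _driver _unit
	_ifname=$1
	for _driver in ${SUPPORTED_DEVICES}; do
		_unit=${_ifname#"${_driver}"}
		# Not a prefix of the interface name
		[ "${_unit}" != "${_ifname}" ] || continue
		case "${_unit}" in
		'' | *[!0-9]*) ;;
		*) return 0 ;;
		esac
	done
	return 1
}

# polling_toggle FLAG VERB
# Apply the ifconfig FLAG ("polling" or "-polling") to every detected
# interface whose driver supports polling, printing one status line per
# interface prefixed by VERB ("enable"/"disable").
polling_toggle()
{
	local _flag _verb _if
	_flag=$1
	_verb=$2
	for _if in ${DETECTED_DEVICES}; do
		polling_supported "${_if}" || continue
		printf 'Try to %s polling for: %s...' "${_verb}" "${_if}"
		if ifconfig "${_if}" "${_flag}"; then
			echo "done"
		else
			echo "failed"
		fi
	done
}

polling_start()
{
	# If the device supports it, enable polling:
	polling_toggle polling enable
	exit 0
}

polling_stop()
{
	# Disable polling on all interfaces that support it:
	polling_toggle -polling disable
	exit 0
}

load_rc_config $name

: ${polling_enable="NO"}
run_rc_command "$1"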
/etc/rc.subr 16 | 17 | tayga_enable=${tayga_enable-"NO"} 18 | 19 | name="tayga" 20 | rcvar=${name}_enable 21 | 22 | load_rc_config $name 23 | 24 | 25 | command="/usr/local/sbin/${name}" 26 | pidfile="/var/run/${name}.pid" 27 | 28 | start_precmd="${name}_prestart" 29 | stop_postcmd="${name}_cleanup" 30 | start_postcmd="${name}_postcmd" 31 | 32 | eval ": \${${name}_configfile:=\"/usr/local/etc/${name}.conf\"}" 33 | configfile="$(eval echo \${${name}_configfile})" 34 | required_files=${configfile} 35 | 36 | if [ -f ${configfile} ]; then 37 | tun_device=$(sed -rn "/^[ \t]*tun-device/s/^[ \t]*tun-device[ \t]+//p" ${configfile}) 38 | ipv4_addr=$(sed -rn "/^[ \t]*ipv4-addr/s/^[ \t]*ipv4-addr[ \t]+//p" ${configfile}) 39 | ipv6_addr=$(sed -rn "/^[ \t]*ipv6-addr/s/^[ \t]*ipv6-addr[ \t]+//p" ${configfile}) 40 | prefix=$(sed -rn "/^[ \t]*prefix/s/^[ \t]*prefix[ \t]+//p" ${configfile}) 41 | dynamic_pool=$(sed -rn "/^[ \t]*dynamic-pool/s/^[ \t]*dynamic-pool[ \t]+//p" ${configfile}) 42 | fi 43 | 44 | tayga_cleanup() 45 | { 46 | [ -f ${pidfile} ] && /bin/rm -f ${pidfile} 47 | # Tayga didn't delete old tun interface when shutdown 48 | if ifconfig ${tun_device} >/dev/null 2>&1; then 49 | ifconfig ${tun_device} destroy 50 | fi 51 | } 52 | 53 | tayga_prestart() 54 | { 55 | tayga_cleanup 56 | /bin/mkdir -p /var/db/${name} 57 | } 58 | 59 | tayga_postcmd() 60 | { 61 | sleep 1 62 | if ifconfig ${tun_device} >/dev/null 2>&1; then 63 | ifconfig ${tun_device} up 64 | # Warning: tayga ask to not configure same IP on router than tayga 65 | [ -n "${ipv4_addr}" ] && ifconfig ${tun_device} inet ${ipv4_addr} netmask 255.255.255.255 ${ipv4_addr} 66 | [ -n "${ipv6_addr}" ] && ifconfig ${tun_device} inet6 ${ipv6_addr} 67 | [ -n "${dynamic_pool}" ] && route add ${dynamic_pool} -interface ${tun_device} 68 | [ -n "${prefix}" ] && route add -inet6 ${prefix} -interface ${tun_device} 69 | else 70 | echo "ERROR: No ${tun_device} interface detected" 71 | fi 72 | } 73 | 74 | command_args="--pidfile 
${pidfile}" 75 | run_rc_command "$1" 76 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/etc/rc.d/txabdicate: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # BSD Router Project: Enable txabdicate on all iflib NIC interfaces 4 | # (cause tx to abdicate instead of running to completion) 5 | # 6 | # Copyright (c) 2018, The BSDRP Development Team 7 | # All rights reserved. 8 | # 9 | # Redistribution and use in source and binary forms, with or without 10 | # modification, are permitted provided that the following conditions 11 | # are met: 12 | # 1. Redistributions of source code must retain the above copyright 13 | # notice, this list of conditions and the following disclaimer. 14 | # 2. Redistributions in binary form must reproduce the above copyright 15 | # notice, this list of conditions and the following disclaimer in the 16 | # documentation and/or other materials provided with the distribution. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE PROJECT ``AS IS'' AND ANY EXPRESS OR 19 | # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 | # OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 | # IN NO EVENT SHALL THE PROJECT BE LIABLE FOR ANY DIRECT, INDIRECT, 22 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 | # NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 | # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 | # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 | # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
28 | # 29 | # PROVIDE: txabdicate 30 | # REQUIRE: netif 31 | # KEYWORD: nojail 32 | # 33 | # Add the following to /etc/rc.conf[.local] to enable this service 34 | # 35 | # txabdicate_enable="YES" 36 | # 37 | 38 | . /etc/rc.subr 39 | 40 | txabdicate_enable=${txabdicate_enable-"NO"} 41 | 42 | name="txabdicate" 43 | rcvar=${name}_enable 44 | 45 | start_cmd="${name}_start" 46 | stop_cmd="${name}_stop" 47 | 48 | # Get the list of detected devices 49 | DETECTED_DEVICES=$(sysctl -a dev | grep tx_abdicate | cut -d ':' -f 1) 50 | 51 | txabdicate_start() 52 | { 53 | for DETECTED in ${DETECTED_DEVICES}; do 54 | echo "Enabling tx_abdicate on $(echo ${DETECTED}| cut -d '.' -f 2-3)" 55 | sysctl ${DETECTED}=1 > /dev/null 2>&1 56 | done 57 | exit 0 58 | } 59 | 60 | txabdicate_stop() 61 | { 62 | for DETECTED in ${DETECTED_DEVICES}; do 63 | echo "Disabling tx_abdicate on $(echo ${DETECTED}| cut -d '.' -f 2-3)" 64 | sysctl ${DETECTED}=0 > /dev/null 2>&1 65 | done 66 | exit 0 67 | } 68 | 69 | load_rc_config $name 70 | 71 | : ${txabdicate_enable="NO"} 72 | run_rc_command "$1" 73 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/etc/ssmtp/ssmtp.conf: -------------------------------------------------------------------------------- 1 | root=your-gmail-login@gmail.com 2 | mailhub=smtp.gmail.com:587 3 | AuthUser=your-gmail-login@gmail.com 4 | AuthPass=your-gmail-password 5 | rewriteDomain=bsdrp.net 6 | hostname=_HOSTNAME_ 7 | FromLineOverride=YES 8 | UseSTARTTLS=YES 9 | -------------------------------------------------------------------------------- /BSDRP/Files/usr/local/sbin/autosave: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Autosave configuration daemon for BSD Router Project 4 | # http://bsdrp.net 5 | # 6 | # Copyright (c) 2017, The BSDRP Development Team 7 | # All rights reserved. 
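#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#

set -eu

# Global variables

# The lock is a directory: mkdir either creates it or fails atomically,
# which gives a test-and-create in one step.
lock="/var/run/autosave.bsdrp.lock"
# Becomes true once this process owns ${lock}.  cleanup must never remove
# a lock (or kill an fswatch) that belongs to another running instance.
lock_owned=false

# A useful function (from: http://code.google.com/p/sh-die/)
die() { printf 'EXIT: %s\n' "$*" >&2; exit 1; }

# Runs on every exit path: stop our own fswatch child and release the lock.
cleanup () {
	logger autosave stopping
	if ${lock_owned}; then
		# -P $$ restricts the kill to fswatch processes we started
		pkill -P $$ fswatch || true
		if [ -d "${lock}" ]; then
			rm -rf "${lock}"
		fi
	fi
}

logger autosave starting

# Prevent executing this script twice.
# A second instance exits here *before* any trap is installed, so it cannot
# tear down the lock and the fswatch of the instance that is already running.
if ! mkdir "${lock}" 2>/dev/null; then
	logger "autosave is already running (file ${lock} detected)"
	echo "This script is already running (file ${lock} detected)"
	exit 1
fi
lock_owned=true
# INT/TERM must turn into an exit, otherwise the watch loop below would
# simply restart fswatch after the handler returns; EXIT then runs cleanup.
trap 'exit 1' INT TERM
trap cleanup EXIT

[ -x /usr/local/bin/fswatch ] || die "fswatch is mandatory"

echo "Watching /etc for change..."
# fswatch -1 exits after the first event, so a burst of writes triggers a
# single "config save" instead of one per file.
while true; do
	# Run fswatch in the background and wait for it: a trapped signal
	# interrupts wait immediately, while it would be deferred until the
	# child exits if fswatch ran in the foreground.
	fswatch -1dr /etc & fswatch_pid=$!
	if wait "${fswatch_pid}"; then
		logger autosave triggered
		config save || logger autosave failed to save configuration
	fi
done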
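# IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#

set -e

# A useful function (from: http://code.google.com/p/sh-die/)
die() { printf 'EXIT: %s\n' "$*" >&2; exit 1; }

# $1 is the device of the freshly written system partition, passed by the
# upgrade tool that calls this script.
[ $# -lt 1 ] && die "ERROR: This script should be call by update"

DST=$1
set -u

# Returns 0 when /cfg appears in the mount(8) table.
# NB: "!" negates a whole pipeline and must come first; the former
# "mount | ! grep -q" form is a syntax error in sh and stopped this script.
cfg_mounted () {
	! mount | grep -q "/cfg" && return 1
	return 0
}

# Mount the new system partition ${DST} on /tmp/sysupgrade (no-op when the
# mount point already exists).  Exits 1 when the mount fails.
mount_newpart () {
	if [ ! -d /tmp/sysupgrade ]; then
		mkdir /tmp/sysupgrade
		if ! mount "${DST}" /tmp/sysupgrade; then
			echo "ERROR: Can't mount new partition"
			rm -r /tmp/sysupgrade || echo "and can't clean /tmp/sysupgrade"
			exit 1
		fi
	fi
}

# Unmount /tmp/sysupgrade and remove the mount point if ${DST} is on it.
umount_newpart () {
	if mount | grep -q "${DST} on /tmp/sysupgrade"; then
		umount /tmp/sysupgrade || die "ERROR: Can't umount new partition"
		rm -r /tmp/sysupgrade || echo "WARNING: Can't remove tempdir"
	fi
}

# Release 1.1 upgrade script didn't preserve the existence of /boot/loader.conf.local
if grep -q '^1.1$' /etc/version; then
	mount_newpart
	# Keep the /boot/loader.conf.local file
	if [ -f /boot/loader.conf.local ]; then
		cp /boot/loader.conf.local /tmp/sysupgrade/boot || echo "WARNING: Can't backup /boot/loader.conf.local"
	fi
	umount_newpart
fi

# Release 1.7 (and previous, but they are very old, then we don't care here) need a Quagga to FRR upgrade
if grep -q '^1.7' /etc/version; then
	# Need to add new users and groups
	pw groupadd frr -g 168
	pw useradd frr -u 168 -c "FRRouting user" -d /var/empty -g 168 -s /usr/sbin/nologin
	pw groupadd frrvty -M frr -g 152
	config save
	# Need to check if /cfg/group or /cfg/password and generation action
	if grep -q quagga /etc/rc.conf; then
		echo "Quagga seems configured, replacing quagga references by frr..."
		# Replacing quagga by frr and copying quagga configuration files into frr
		if ! cfg_mounted; then
			mount /cfg
		fi
		sed -i "" -e 's/quagga/frr/g' /cfg/rc.conf
		# We will change current /etc/rc.conf too for avoiding asking saving before reboot
		sed -i "" -e 's/quagga/frr/g' /etc/rc.conf

		if [ -d /cfg/local/quagga ]; then
			[ -d /cfg/local/frr ] || mkdir /cfg/local/frr
			cp /cfg/local/quagga/* /cfg/local/frr/
			chown -R 168:168 /cfg/local/frr/
		fi
		umount /cfg
	fi
fi

# Check if /etc/fstab contains the special filesystems (fdescfs, procfs)
# and append them otherwise
CFG_UMOUNT=true
if ! grep -q fdesc /etc/fstab; then
	if ! cfg_mounted; then
		mount /cfg || die "cannot mount /cfg"
	else
		# Mounted by someone else: leave it mounted when we are done
		CFG_UMOUNT=false
	fi
	(
		echo "fdesc /dev/fd fdescfs rw 0 0"
		echo "proc /proc procfs rw 0 0"
	) >> /cfg/fstab
	cp /cfg/fstab /etc/ || die "Cannot copy patched /cfg/fstab into /etc"
	if ${CFG_UMOUNT}; then
		umount /cfg || true
	fi
fi

# If we need to add new users (because local /etc/master.passwd was modified by just changing the root password, the new one will be ignored)
# echo 'blablalba' >> /etc/master.passwd
# pwd_mkdb -C /etc/master.passwd && pwd_mkdb -p /etc/master.passwd || die "error"
# config save

exit 0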
lock-free pointer read to determine the run state 8 | # of the thread holding a lock when under contention; under a virtualisation 9 | # system, the thread run state may not accurately reflect whether the thread 10 | # (or rather its host VCPU) is actually executing. As such, disable this 11 | # optimisation. 12 | # 13 | options NO_ADAPTIVE_MUTEXES 14 | options NO_ADAPTIVE_RWLOCKS 15 | options NO_ADAPTIVE_SX 16 | 17 | # Xen HVM support 18 | options XENHVM 19 | device xenpci 20 | -------------------------------------------------------------------------------- /BSDRP/make.conf: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Name of the product 4 | # alphanumerics caracters only (not - or _) 5 | NAME="BSDRP" 6 | 7 | # If this project is a child of a father project put the name of the father project here 8 | MASTER_PROJECT="" 9 | 10 | # SVN revision number to sync with 11 | #SRC_REV="0b70e3e78b0279c66be06dea27bcdaf5eadf663d" 12 | SRC_REV="8f1a2d507e2" 13 | PORTS_REV="34388df3fda0" 14 | SRC_METHOD="git" 15 | SRC_REPO="https://git.freebsd.org/src" 16 | SRC_BRANCH="main" 17 | PORTS_REPO="https://git.freebsd.org/ports" 18 | PORTS_BRANCH="main" 19 | # Where the FreeBSD source tree lives 20 | FREEBSD_SRC="${PROJECT_DIR}/FreeBSD/src" 21 | 22 | # Where the FreeBSD custom sources patches lives 23 | SRC_PATCH_DIR="${PROJECT_DIR}/patches" 24 | 25 | # Where the FreeBSD ports tree lives 26 | PORTS_SRC="${PROJECT_DIR}/FreeBSD/ports" 27 | 28 | # Where the port tree custom patches lives 29 | PORT_PATCH_DIR="${SRC_PATCH_DIR}" 30 | 31 | # Where the nanobsd tree lives 32 | NANOBSD_DIR="${FREEBSD_SRC}/tools/tools/nanobsd" 33 | 34 | # Target disk size (in MB) 35 | : ${DISK_SIZE="2000"} 36 | 37 | # List of kernel modules to build and install 38 | # backlight is only useful to prevent boot crash when loader.conf instruct to load mlx5en->linuxkpi->backlight 39 | MODULES_PF="pf pfsync pflog" 40 | MODULES_IPFW="ipfw ipfw_nat ipfw_nat64 
ipfw_pmod ipfw_nptv6 ipdivert libalias" 41 | MODULES_ZFS="acl_nfs4 opensolaris xdr zfs" 42 | MODULES_IF="if_bridge if_disc if_epair if_gre if_infiniband if_lagg if_ovpn if_stf if_tuntap if_vxlan if_wg mlx mlx4en usb/uether usb/urndis" 43 | SHARED_MODULES="backlight blake2 bridgestp carp dtrace dummynet fdescfs ipfilter ipsec i2c fib_dxr ksyms netgraph nullfs rc4 unionfs ${MODULES_PF} ${MODULES_IPFW} ${MODULES_IF} ${MODULES_ZFS}" 44 | NANO_MODULES_i386="${SHARED_MODULES} acpi amdsbwd amdtemp cpuctl coretemp i2c ispfw ichwd ipmi hifn hwpmc padlock safe glxsb vmware" 45 | NANO_MODULES_i386_xenhvm=${NANO_MODULES_i386} 46 | NANO_MODULES_i386_xenpv="${SHARED_MODULES} acpi" 47 | NANO_MODULES_amd64="${SHARED_MODULES} amdsbwd amdsmn amdtemp cpuctl coretemp dpdk_lpm4 dpdk_lpm6 ena ichwd ioat ipmi ispfw hifn hyperv qat qatfw qat_c2xxx hwpmc padlock qlxgb qlxgbe safe vmware" 48 | NANO_MODULES_amd64_xenhvm=${NANO_MODULES_amd64} 49 | NANO_MODULES_arm="" 50 | NANO_MODULES_arm64="${SHARED_MODULES}" 51 | -------------------------------------------------------------------------------- /BSDRP/patches/freebsd.dhclient.patch: -------------------------------------------------------------------------------- 1 | diff --git sbin/dhclient/bpf.c sbin/dhclient/bpf.c 2 | index d4bbe56332c..eeae19f1f89 100644 3 | --- sbin/dhclient/bpf.c 4 | +++ sbin/dhclient/bpf.c 5 | @@ -179,6 +179,8 @@ if_register_send(struct interface_info *info) 6 | if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &on, 7 | sizeof(on)) == -1) 8 | error("setsockopt(IP_HDRINCL): %m"); 9 | + if (setsockopt(sock, SOL_SOCKET, SO_SETFIB, &info->fib, sizeof(info->fib))) 10 | + error("setsockopt(SOL_SOCKET, SO_SETFIB): %m"); 11 | info->ufdesc = sock; 12 | } 13 | 14 | diff --git sbin/dhclient/dhclient.c sbin/dhclient/dhclient.c 15 | index 93988d5ce7a..0a238fe5f0b 100644 16 | --- sbin/dhclient/dhclient.c 17 | +++ sbin/dhclient/dhclient.c 18 | 
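Review bot: The new SO_SETFIB call in if_register_send() tests the raw setsockopt() result, while the IP_HDRINCL check two lines above compares against -1; for consistency write `if (setsockopt(sock, SOL_SOCKET, SO_SETFIB, &info->fib, sizeof(info->fib)) == -1)`. As far as this hunk shows only the raw send socket is bound to the FIB and nothing in this file's receive path is touched, so a one-line comment above the call stating that the FIB applies to the send socket only would save the next reader a question. The function continues past the hunk.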
@@ -376,6 +376,7 @@ main(int argc, char *argv[]) 19 | int ch, fd, quiet = 0, i = 0; 20 | int pipe_fd[2]; 21 | int immediate_daemon = 0; 22 | + uint32_t fib = 0; 23 | struct passwd *pw; 24 | pid_t otherpid; 25 | cap_rights_t rights; 26 | @@ -397,6 +398,9 @@ main(int argc, char *argv[]) 27 | case 'd': 28 | no_daemon = 1; 29 | break; 30 | + case 'f': 31 | + fib = atoi(optarg); 32 | + break; 33 | case 'l': 34 | path_dhclient_db = optarg; 35 | break; 36 | @@ -448,6 +452,7 @@ main(int argc, char *argv[]) 37 | if (quiet) 38 | log_perror = 0; 39 | 40 | + ifi->fib = fib; 41 | tzset(); 42 | clock_gettime(CLOCK_MONOTONIC, &time_now); 43 | cur_time = time_now.tv_sec; 44 | @@ -580,7 +585,7 @@ usage(void) 45 | { 46 | 47 | fprintf(stderr, "usage: %s [-bdnqu] ", getprogname()); 48 | - fprintf(stderr, "[-c conffile] [-l leasefile] interface\n"); 49 | + fprintf(stderr, "[-c conffile] [-f fib] [-l leasefile] interface\n"); 50 | exit(1); 51 | } 52 | 53 | diff --git sbin/dhclient/dhcpd.h sbin/dhclient/dhcpd.h 54 | index 6f1f6679875..167d5e7d022 100644 55 | --- sbin/dhclient/dhcpd.h 56 | +++ sbin/dhclient/dhcpd.h 57 | @@ -214,6 +214,7 @@ struct interface_info { 58 | int dead; 59 | u_int16_t index; 60 | int linkstat; 61 | + uint32_t fib; 62 | }; 63 | 64 | struct timeout { 65 | -------------------------------------------------------------------------------- /BSDRP/patches/freebsd.makefile.patch: -------------------------------------------------------------------------------- 1 | diff --git Makefile.inc1 Makefile.inc1 2 | index 69a1ad2c8d0..2834411fce0 100644 3 | --- Makefile.inc1 4 | +++ Makefile.inc1 5 | 
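Review bot: `fib = atoi(optarg);` in the `case 'f'` hunk accepts any string silently: `-f abc` yields FIB 0 and a negative or oversized number is truncated into the uint32_t, and nothing checks the value against the number of FIBs the kernel is configured with. Parse it with strtonum() and fail loudly, e.g. `fib = strtonum(optarg, 0, UINT32_MAX, &errstr);` followed by `if (errstr != NULL) error("fib %s: %s", optarg, errstr);` (with a `const char *errstr;` declared next to the new `fib` local), tightening the upper bound to the configured FIB count if that is easy to query. No hunk in this patch changes the getopt() option string to add `f:`, so unless the existing string already contains it the new case is unreachable — please confirm. main() continues outside these hunks.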
@@ -633,7 +633,7 @@ XPATH= ${WORLDTMP}/bin:${WORLDTMP}/usr/sbin:${WORLDTMP}/usr/bin 6 | # When building we want to find the cross tools before the host tools in ${BPATH}. 7 | # We also need to add UNIVERSE_TOOLCHAIN_PATH so that we can find the shared 8 | # toolchain files (clang, lld, etc.) during make universe/tinderbox 9 | -STRICTTMPPATH= ${XPATH}:${BPATH}:${UNIVERSE_TOOLCHAIN_PATH} 10 | +STRICTTMPPATH= ${XPATH}:${BPATH}${UNIVERSE_TOOLCHAIN_PATH:D\:${UNIVERSE_TOOLCHAIN_PATH}} 11 | # We should not be using tools from /usr/bin accidentally since this could cause 12 | # the build to break on other systems that don't have that tool. For now we 13 | # still allow using the old behaviour (inheriting $PATH) if 14 | -------------------------------------------------------------------------------- /BSDRP/patches/freebsd.newvers.patch: -------------------------------------------------------------------------------- 1 | diff --git sys/conf/newvers.sh sys/conf/newvers.sh 2 | index 481af548039..d4ace519275 100644 3 | --- sys/conf/newvers.sh 4 | +++ sys/conf/newvers.sh 5 | @@ -156,6 +156,7 @@ shift $((OPTIND - 1)) 6 | # 7 | findvcs() 8 | { 9 | + return 1 10 | local savedir 11 | 12 | savedir=$(pwd) 13 | -------------------------------------------------------------------------------- /BSDRP/patches/freebsd.rc.initdiskless.patch: -------------------------------------------------------------------------------- 1 | diff --git libexec/rc/rc.initdiskless libexec/rc/rc.initdiskless 2 | index a4c6c613b85..c0796758961 100644 3 | --- libexec/rc/rc.initdiskless 4 | +++ libexec/rc/rc.initdiskless 5 | 
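Review bot: The `:D` modifier is doing real work on the STRICTTMPPATH line and deserves a comment, because a reader will see only a more cryptic expression. When UNIVERSE_TOOLCHAIN_PATH is empty the old line left a trailing `:` in the path, and an empty PATH element means the current directory is searched for build tools; suggest adding `# Append UNIVERSE_TOOLCHAIN_PATH only when set: an empty trailing element would put the current directory on the tool path.` to the explanatory paragraph above the assignment.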
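Review bot: `return 1` as the first statement of findvcs() makes everything after it, starting with `local savedir`, unreachable, and nothing in the hunk says why. Add a comment above it such as `# BSDRP: never report a VCS revision so the version string does not depend on the build checkout` (the purpose is my inference from the function name; adjust it to the real one). Leaving the dead body in place is fine for a small patch, but the comment is what keeps the next rebase from "fixing" it. findvcs() continues past the hunk.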
@@ -369,7 +369,7 @@ for i in ${templates} ; do 6 | subdir=${j##*/} 7 | if [ -d $j -a ! -f $j.cpio.gz ]; then 8 | create_md $subdir 9 | - cp -Rp $j/ /$subdir 10 | + cp -Rp $j/ /$subdir > /dev/null 2>&1 11 | fi 12 | done 13 | for j in /conf/$i/*.cpio.gz ; do 14 | -------------------------------------------------------------------------------- /BSDRP/patches/freebsd.tools-dir.patch: -------------------------------------------------------------------------------- 1 | diff --git tools/tools/ifinfo/Makefile tools/tools/ifinfo/Makefile 2 | index 3e95a642ca5..da98a49f4dc 100644 3 | --- tools/tools/ifinfo/Makefile 4 | +++ tools/tools/ifinfo/Makefile 5 | @@ -1,6 +1,7 @@ 6 | PROG= ifinfo 7 | SRCS= ifinfo.c rfc1650.c 8 | MAN= 9 | +BINDIR= /usr/local/bin 10 | BINDIR?= /usr/bin 11 | 12 | .include 13 | diff --git tools/tools/mctest/Makefile tools/tools/mctest/Makefile 14 | index 0616e599ecf..010719ed775 100644 15 | --- tools/tools/mctest/Makefile 16 | +++ tools/tools/mctest/Makefile 17 | @@ -1,4 +1,5 @@ 18 | PROG_CXX= mctest 19 | LIBADD= pthread 20 | +BINDIR= /usr/local/bin 21 | 22 | .include 23 | diff --git tools/tools/netmap/Makefile tools/tools/netmap/Makefile 24 | index c1346149310..25daf3fcf29 100644 25 | --- tools/tools/netmap/Makefile 26 | +++ tools/tools/netmap/Makefile 27 | @@ -3,6 +3,7 @@ 28 | # For multiple programs using a single source file each, 29 | # we can just define 'progs' and create custom targets. 30 | PROGS = pkt-gen nmreplay bridge lb 31 | +BINDIR = /usr/local/sbin 32 | 33 | CLEANFILES = $(PROGS) *.o 34 | MAN= 35 | @@ -33,3 +34,8 @@ nmreplay: nmreplay.o 36 | 37 | lb: lb.o pkt_hash.o 38 | $(CC) $(CFLAGS) -o lb lb.o pkt_hash.o $(LDFLAGS) 39 | + 40 | +install: ${PROGS} 41 | + for i in ${PROGS}; do \ 42 | + install $$i ${DESTDIR}${BINDIR}; \ 43 | + done 44 | 
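Review bot: Redirecting both stdout and stderr of `cp -Rp $j/ /$subdir` to /dev/null hides every failure of the copy, not only the message the change is presumably meant to silence; a partially populated memory disk (out of space, unreadable source file) then goes unreported and boot continues with an incomplete /$subdir. Keep the exit status visible, e.g. `cp -Rp $j/ /$subdir >/dev/null 2>&1 || echo "rc.initdiskless: copy of $j to /$subdir failed" >&2`, or narrow the redirect to `2>/dev/null` if one specific warning is the target. The unquoted `$j` and `$subdir` expansions are pre-existing, and the enclosing `for j` loop starts outside the hunk.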
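Review bot: The new `install:` target in tools/tools/netmap/Makefile copies each program with a bare `install $$i ${DESTDIR}${BINDIR}` — it does not create `${DESTDIR}${BINDIR}` first, so installing into a fresh DESTDIR fails, and it relies on install(1)'s default mode and owner rather than the build's `${INSTALL} -m ${BINMODE}` conventions. Suggest `mkdir -p ${DESTDIR}${BINDIR}` before the loop and `${INSTALL} -m ${BINMODE} $$i ${DESTDIR}${BINDIR}/` inside it. If the `.include` at the end of this Makefile pulls in bsd.prog.mk, that file already defines an install target and the two definitions may collide; worth confirming with a test build.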
diff --git tools/tools/netrate/netsend/Makefile tools/tools/netrate/netsend/Makefile 45 | index a4c4ec187b8..80106d3b4ce 100644 46 | --- tools/tools/netrate/netsend/Makefile 47 | +++ tools/tools/netrate/netsend/Makefile 48 | @@ -4,5 +4,6 @@ 49 | CFLAGS+= -Wall 50 | PROG= netsend 51 | MAN= 52 | +BINDIR?= /usr/local/bin 53 | 54 | .include 55 | -------------------------------------------------------------------------------- /BSDRP/patches/ports.dtrace-toolkit.patch: -------------------------------------------------------------------------------- 1 | diff --git sysutils/dtrace-toolkit/Makefile sysutils/dtrace-toolkit/Makefile 2 | index f741b6fb7434..fe2ba46cfcb0 100644 3 | --- sysutils/dtrace-toolkit/Makefile 4 | +++ sysutils/dtrace-toolkit/Makefile 5 | 
@@ -10,7 +10,7 @@ WWW= https://github.com/opendtrace/toolkit 6 | LICENSE= CDDL 7 | LICENSE_FILE= ${WRKSRC}/Docs/cddl1.txt 8 | 9 | -USES= perl5 python ruby shebangfix 10 | +USES= perl5 python shebangfix 11 | USE_GITHUB= yes 12 | GH_ACCOUNT= opendtrace 13 | GH_PROJECT= toolkit 14 | -------------------------------------------------------------------------------- /BSDRP/patches/ports.iperf3.patch: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ocochard/BSDRP/8bd71614d24fe94576dc50efda94cd5bc7af581c/BSDRP/patches/ports.iperf3.patch -------------------------------------------------------------------------------- /BSDRP/patches/ports.ixl_unlock.shar: -------------------------------------------------------------------------------- 1 | # This is a shell archive. Save it in a file, remove anything before 2 | # this line, and then unpack it by entering "sh file". Note, it may 3 | # create directories; files and directories will be owned by you and 4 | # have default permissions. 5 | # 6 | # This archive contains: 7 | # 8 | # net/ixl_unlock 9 | # net/ixl_unlock/pkg-descr 10 | # net/ixl_unlock/Makefile 11 | # net/ixl_unlock/distinfo 12 | # 13 | echo c - net/ixl_unlock 14 | mkdir -p net/ixl_unlock > /dev/null 2>&1 15 | echo x - net/ixl_unlock/pkg-descr 16 | sed 's/^X//' >net/ixl_unlock/pkg-descr << 'd241d2d356f77b3b37efd2ee4ae6295c' 17 | XThis utility is intended to be used on FreeBSD with the if_ixl(4) driver. 18 | XIt disables the Module Qualification check to be able to use any SFPs. 19 | X 20 | XNOTE: since the datasheet is not clear about the location of the PHY capability 21 | Xdata structure, I made some assumptions when doing the search. If my assumptions 22 | Xare wrong, this can damage your card. If you are not sure, do not use this 23 | Xutility. Also, it looks like the location depends heavily on the firmware 24 | Xversion. 
25 | X 26 | XWWW: https://github.com/bu7cher/ixl_unlock 27 | d241d2d356f77b3b37efd2ee4ae6295c 28 | echo x - net/ixl_unlock/Makefile 29 | sed 's/^X//' >net/ixl_unlock/Makefile << '574b5aa2df8a31162489f645f742f824' 30 | X# $FreeBSD$ 31 | X 32 | XPORTNAME= ixl_unlock 33 | XPORTVERSION= 1 34 | XCATEGORIES= net 35 | X 36 | XMAINTAINER= olivier@FreeBSD.org 37 | XCOMMENT= Disable SFP Module Qualification on Intel XL710 network cards 38 | X 39 | XLICENSE= BSD2CLAUSE 40 | X 41 | XUSE_GITHUB= yes 42 | XGH_ACCOUNT= bu7cher 43 | XGH_TAGNAME= 8e0c9a6 44 | X 45 | XPLIST_FILES= sbin/ixl_unlock 46 | X 47 | Xdo-install: 48 | X ${INSTALL_PROGRAM} ${WRKSRC}/${PORTNAME} ${STAGEDIR}${PREFIX}/sbin/ 49 | X 50 | X.include 51 | 574b5aa2df8a31162489f645f742f824 52 | echo x - net/ixl_unlock/distinfo 53 | sed 's/^X//' >net/ixl_unlock/distinfo << '2fb1fa2274a6dc82e7116b2f85aa9437' 54 | XTIMESTAMP = 1517929893 55 | XSHA256 (bu7cher-ixl_unlock-1-8e0c9a6_GH0.tar.gz) = e44102d8b487df1eb413c9bee04139f1c51eabd362f71548b01caa96610bfd1a 56 | XSIZE (bu7cher-ixl_unlock-1-8e0c9a6_GH0.tar.gz) = 3583 57 | 2fb1fa2274a6dc82e7116b2f85aa9437 58 | exit 59 | 60 | -------------------------------------------------------------------------------- /BSDRP/patches/ports.netmap-ipfw.shar: -------------------------------------------------------------------------------- 1 | # This is a shell archive. Save it in a file, remove anything before 2 | # this line, and then unpack it by entering "sh file". Note, it may 3 | # create directories; files and directories will be owned by you and 4 | # have default permissions. 
5 | # 6 | # This archive contains: 7 | # 8 | # net/netmap-ipfw 9 | # net/netmap-ipfw/pkg-descr 10 | # net/netmap-ipfw/Makefile 11 | # net/netmap-ipfw/files 12 | # net/netmap-ipfw/files/patch-Makefile 13 | # net/netmap-ipfw/distinfo 14 | # 15 | echo c - net/netmap-ipfw 16 | mkdir -p net/netmap-ipfw > /dev/null 2>&1 17 | echo x - net/netmap-ipfw/pkg-descr 18 | sed 's/^X//' >net/netmap-ipfw/pkg-descr << '9a97a7bd38a4baeda5ae24ea8cf43823' 19 | XA userspace version of ipfw and dummynet, using netmap for packet I/O. 20 | XOn an i7-3400, this version is able to process over 6 million packets 21 | Xper second (Mpps) with simple rulesets, and over 2.2 Mpps through 22 | Xdummynet pipes, 5..10 times faster than the in-kernel equivalent. 23 | X 24 | XWWW: http://info.iet.unipi.it/~luigi/dummynet/ 25 | 9a97a7bd38a4baeda5ae24ea8cf43823 26 | echo x - net/netmap-ipfw/Makefile 27 | sed 's/^X//' >net/netmap-ipfw/Makefile << '8530d577be73e06c4cb1ee69ee6225ad' 28 | X# New ports collection makefile for: ipfw-user 29 | X# Date created: 14 August 2012 30 | X# Whom: Olivier Cochard-Labbé (olivier@cochard.me) 31 | X# 32 | X# $FreeBSD$ 33 | X# 34 | X 35 | XPORTNAME= netmap-ipfw 36 | XPORTVERSION= 0.1 37 | XCATEGORIES= net 38 | X 39 | XMAINTAINER= oliver@cochard.me 40 | XCOMMENT= Netmap-enabled IPFW userspace version 41 | X 42 | X#WRKSRC= ${WRKDIR}/${PORTNAME}-${COMMIT} 43 | XUSES= gmake 44 | X 45 | XUSE_GITHUB= yes 46 | XGH_ACCOUNT= luigirizzo 47 | XGH_PROJECT= ${PORTNAME} 48 | XGH_TAGNAME= 81bf5d4 49 | X 50 | X#Warning: conflict name with /sbin/ipfw 51 | XPLIST_FILES= bin/ipfw \ 52 | X bin/kipfw 53 | X 54 | Xdo-install: 55 | X ${INSTALL_PROGRAM} ${WRKSRC}/ipfw/ipfw \ 56 | X ${STAGEDIR}${PREFIX}/bin 57 | X ${INSTALL_PROGRAM} ${WRKSRC}/kipfw \ 58 | X ${STAGEDIR}${PREFIX}/bin 59 | X 60 | X.include 61 | 8530d577be73e06c4cb1ee69ee6225ad 62 | echo c - net/netmap-ipfw/files 63 | mkdir -p net/netmap-ipfw/files > /dev/null 2>&1 64 | echo x - net/netmap-ipfw/files/patch-Makefile 65 | sed 's/^X//' 
>net/netmap-ipfw/files/patch-Makefile << '2b846191be5f519ce4bd00e8042c84f4' 66 | X--- Makefile.orig 2012-08-14 15:47:57.000000000 +0200 67 | X+++ Makefile 2012-08-14 15:48:10.000000000 +0200 68 | X@@ -9,7 +9,7 @@ 69 | X 70 | X ipfw: $(OBJDIR) 71 | X $(MSG) Building userspace ... 72 | X- @(cd ipfw && $(MAKE) $(MAKECMDGOALS) ) 73 | X+ @(cd ipfw && $(MAKE) ) 74 | X 75 | X $(OBJDIR): 76 | X -@mkdir $(OBJDIR) 77 | 2b846191be5f519ce4bd00e8042c84f4 78 | echo x - net/netmap-ipfw/distinfo 79 | sed 's/^X//' >net/netmap-ipfw/distinfo << 'cad32b3eaef6fc5a96401d8a0ae5a6cb' 80 | XSHA256 (luigirizzo-netmap-ipfw-0.1-81bf5d4_GH0.tar.gz) = 3c5e8355c8e638b6b211e573d96fe69b59bb5003e50f11fd65540ec4bcbc8065 81 | XSIZE (luigirizzo-netmap-ipfw-0.1-81bf5d4_GH0.tar.gz) = 362608 82 | cad32b3eaef6fc5a96401d8a0ae5a6cb 83 | exit 84 | 85 | -------------------------------------------------------------------------------- /BSDRP/patches/ports.pimd.patch: -------------------------------------------------------------------------------- 1 | diff --git net/pimd/Makefile net/pimd/Makefile 2 | index f4e8c572d5af..6f9f24fac619 100644 3 | --- net/pimd/Makefile 4 | +++ net/pimd/Makefile 5 | @@ -1,6 +1,5 @@ 6 | PORTNAME= pimd 7 | -PORTVERSION= 2.3.2 8 | -PORTREVISION= 1 9 | +PORTVERSION= 2.3.2b 10 | CATEGORIES= net 11 | 12 | MAINTAINER= olivier@FreeBSD.org 13 | 
@@ -10,23 +9,33 @@ WWW= http://troglobit.com/pimd.html 14 | LICENSE= BSD3CLAUSE 15 | LICENSE_FILE= ${WRKSRC}/LICENSE 16 | 17 | +USES= autoreconf:build 18 | + 19 | USE_GITHUB= yes 20 | GH_ACCOUNT= troglobit 21 | GH_PROJECT= libite:libite 22 | -GH_TAGNAME= v1.4.4:libite 23 | +GH_TAGNAME= 17ae62f\ 24 | + v1.4.4:libite 25 | GH_SUBDIR= libite:libite 26 | 27 | USE_RC_SUBR= ${PORTNAME} 28 | 29 | -HAS_CONFIGURE= yes 30 | +GNU_CONFIGURE= yes 31 | + 32 | MAKE_ARGS= prefix="${PREFIX}" sysconfdir="${PREFIX}/etc/" 33 | 34 | +pre-configure: 35 | + cd ${WRKSRC} && ./autogen.sh 36 | + 37 | do-install: 38 | - ${INSTALL_PROGRAM} ${WRKSRC}/pimd ${STAGEDIR}${PREFIX}/sbin/ 39 | + ${INSTALL_PROGRAM} ${WRKSRC}/src/pimd ${STAGEDIR}${PREFIX}/sbin/ 40 | + ${INSTALL_PROGRAM} ${WRKSRC}/src/pimctl ${STAGEDIR}${PREFIX}/sbin/ 41 | ${INSTALL_DATA} ${WRKSRC}/pimd.conf \ 42 | ${STAGEDIR}${PREFIX}/etc/pimd.conf.sample 43 | ${INSTALL_SCRIPT} ${FILESDIR}/pimd.in \ 44 | ${STAGEDIR}${PREFIX}/etc/rc.d/pimd 45 | - ${INSTALL_MAN} ${WRKSRC}/pimd.8 ${STAGEDIR}${PREFIX}/share/man/man8/ 46 | + ${INSTALL_MAN} ${WRKSRC}/man/pimd.8 ${STAGEDIR}${PREFIX}/share/man/man8/ 47 | + ${INSTALL_MAN} ${WRKSRC}/man/pimctl.8 ${STAGEDIR}${PREFIX}/share/man/man8/ 48 | + ${INSTALL_MAN} ${WRKSRC}/man/pimd.conf.5 ${STAGEDIR}${PREFIX}/share/man/man5/ 49 | 50 | .include 51 | diff --git net/pimd/distinfo net/pimd/distinfo 52 | index 04f5043941d3..6d6ed53b9fbe 100644 53 | --- net/pimd/distinfo 54 | +++ net/pimd/distinfo 55 | 
@@ -1,4 +1,5 @@ 56 | -SHA256 (troglobit-pimd-2.3.2_GH0.tar.gz) = b6cda75a55952fac06fdc50a95ab7ee2f94f8568de365c49c49a2acf078488eb 57 | -SIZE (troglobit-pimd-2.3.2_GH0.tar.gz) = 237277 58 | +TIMESTAMP = 1733871538 59 | +SHA256 (troglobit-pimd-2.3.2b-17ae62f_GH0.tar.gz) = d247e190eedae2314fe5e442fe79f0d9c4260ee62077fa38827d5e53c90eac2c 60 | +SIZE (troglobit-pimd-2.3.2b-17ae62f_GH0.tar.gz) = 1390204 61 | SHA256 (troglobit-libite-v1.4.4_GH0.tar.gz) = c4327e7d3ade7efb191d02a4f9ffaf7b8e86e7e7f91a2f7e8b600e2102330607 62 | SIZE (troglobit-libite-v1.4.4_GH0.tar.gz) = 36086 63 | diff --git net/pimd/files/pimd.in net/pimd/files/pimd.in 64 | index d3339b5e9c70..251bb9ccd71f 100644 65 | --- net/pimd/files/pimd.in 66 | +++ net/pimd/files/pimd.in 67 | @@ -2,7 +2,7 @@ 68 | # 69 | # PROVIDE: pimd 70 | # REQUIRE: netif routing 71 | -# KEYWORD: nojail 72 | +# KEYWORD: nojailvnet 73 | 74 | # 75 | # Add the following to /etc/rc.conf[.local] to enable this service 76 | @@ -17,6 +17,7 @@ rcvar="${name}_enable" 77 | command="%%PREFIX%%/sbin/${name}" 78 | required_files="%%PREFIX%%/etc/${name}.conf" 79 | extra_commands=reload 80 | +required_modules="ip_mroute 81 | 82 | load_rc_config $name 83 | : ${pimd_enable="NO"} 84 | diff --git net/pimd/pkg-plist net/pimd/pkg-plist 85 | index 723d3999ad75..18039f16831c 100644 86 | --- net/pimd/pkg-plist 87 | +++ net/pimd/pkg-plist 88 | @@ -1,3 +1,6 @@ 89 | @sample etc/pimd.conf.sample 90 | sbin/pimd 91 | +sbin/pimctl 92 | share/man/man8/pimd.8.gz 93 | +share/man/man8/pimctl.8.gz 94 | +share/man/man5/pimd.conf.5.gz 95 | -------------------------------------------------------------------------------- /BSDRP/patches/ports.pimdd.patch: -------------------------------------------------------------------------------- 1 | diff --git net/pimdd/Makefile net/pimdd/Makefile 2 | index bc00d83d5c05..ef879520ec64 100644 3 | --- net/pimdd/Makefile 4 | +++ net/pimdd/Makefile 5 | 
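Review bot: `required_modules="ip_mroute` in the net/pimd/files/pimd.in hunk is missing its closing double quote, so the generated rc script no longer parses (sh reports an unterminated quoted string at that line) and pimd can neither be started nor stopped through rc(8). The line should read `required_modules="ip_mroute"`, matching the pimdd.in change later in this same commit.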
@@ -1,6 +1,6 @@ 6 | PORTNAME= pimdd 7 | PORTVERSION= 0.2.1.0 8 | -PORTREVISION= 2 9 | +PORTREVISION= 3 10 | CATEGORIES= net 11 | MASTER_SITES= http://antc.uoregon.edu/PIMDM/ 12 | DISTNAME= pimd-dense 13 | diff --git net/pimdd/files/patch-Makefile net/pimdd/files/patch-Makefile 14 | index 26738616213e..dd9a652a125c 100644 15 | --- net/pimdd/files/patch-Makefile 16 | +++ net/pimdd/files/patch-Makefile 17 | @@ -17,7 +17,7 @@ 18 | ### Compilation flags for different platforms. Uncomment only one of them 19 | ## FreeBSD 20 | -CFLAGS= -Wall -g -Iinclude/freebsd ${MCAST_INCLUDE} ${SNMPDEF} ${RSRRDEF} ${MISCDEFS} -DFreeBSD -DPIM 21 | -+CFLAGS+= ${MCAST_INCLUDE} ${SNMPDEF} ${RSRRDEF} ${MISCDEFS} -DFreeBSD -DPIM -Dlog=logit ${CPPFLAGS} 22 | ++CFLAGS+= ${MCAST_INCLUDE} ${SNMPDEF} ${RSRRDEF} ${MISCDEFS} -DFreeBSD -DPIM -Dlog=logit ${CPPFLAGS} -DRAW_INPUT_IS_RAW -DRAW_OUTPUT_IS_RAW 23 | 24 | ## NetBSD -DNetBSD is done by OS 25 | #CFLAGS= -Wall -g -Iinclude/netbsd ${MCAST_INCLUDE} ${SNMPDEF} ${RSRRDEF} ${MISCDEFS} -DPIM 26 | diff --git net/pimdd/files/pimdd.in net/pimdd/files/pimdd.in 27 | index 239797997cf1..3fd4e267790b 100644 28 | --- net/pimdd/files/pimdd.in 29 | +++ net/pimdd/files/pimdd.in 30 | 
@@ -17,6 +17,7 @@ rcvar="${name}_enable" 31 | command="%%PREFIX%%/sbin/${name}" 32 | required_files="%%PREFIX%%/etc/${name}.conf" 33 | extra_commands=reload 34 | +required_modules="ip_mroute" 35 | 36 | load_rc_config $name 37 | : ${pimdd_enable="NO"} 38 | -------------------------------------------------------------------------------- /BSDRP/patches/ports.quagga-bgp-netgen.shar: -------------------------------------------------------------------------------- 1 | # This is a shell archive. Save it in a file, remove anything before 2 | # this line, and then unpack it by entering "sh file". Note, it may 3 | # create directories; files and directories will be owned by you and 4 | # have default permissions. 5 | # 6 | # This archive contains: 7 | # 8 | # net/quagga-bgp-netgen 9 | # net/quagga-bgp-netgen/Makefile 10 | # net/quagga-bgp-netgen/pkg-descr 11 | # net/quagga-bgp-netgen/distinfo 12 | # 13 | echo c - net/quagga-bgp-netgen 14 | mkdir -p net/quagga-bgp-netgen > /dev/null 2>&1 15 | echo x - net/quagga-bgp-netgen/Makefile 16 | sed 's/^X//' >net/quagga-bgp-netgen/Makefile << '371c89f90e3f2cda5c52cff6114fcea2' 17 | X# $FreeBSD$ 18 | X 19 | XPORTNAME= quagga-bgp-netgen 20 | XPORTVERSION= 0.2 21 | XCATEGORIES= net 22 | X 23 | XMAINTAINER= olivier@FreeBSD.org 24 | XCOMMENT= Generates Quagga/FRR bgp configuration file with lot's of routes 25 | X 26 | XLICENSE= BSD2CLAUSE 27 | XLICENSE_FILE= ${WRKSRC}/LICENSE 28 | X 29 | XUSE_GITHUB= yes 30 | XGH_ACCOUNT= ocochard 31 | X 32 | XPLIST_FILES= bin/${PORTNAME} 33 | X 34 | Xdo-install: 35 | X ${INSTALL_PROGRAM} ${WRKSRC}/${PORTNAME} ${STAGEDIR}${PREFIX}/bin/ 36 | X 37 | X.include 38 | 371c89f90e3f2cda5c52cff6114fcea2 39 | echo x - net/quagga-bgp-netgen/pkg-descr 40 | sed 's/^X//' >net/quagga-bgp-netgen/pkg-descr << '869fc9a7e72bf796866a76c60ae38127' 41 | XGenerate a Quagga/FRR bgp configuration file with lot's of routes. 42 | XAllows to use Quagga/FRR as simple BGP routes generator on a lab. 
43 | X 44 | XWWW: https://github.com/ocochard/quagga-bgp-netgen 45 | 869fc9a7e72bf796866a76c60ae38127 46 | echo x - net/quagga-bgp-netgen/distinfo 47 | sed 's/^X//' >net/quagga-bgp-netgen/distinfo << '0fb3c3f83f73881628e56c45d916475e' 48 | XTIMESTAMP = 1554448715 49 | XSHA256 (ocochard-quagga-bgp-netgen-0.2_GH0.tar.gz) = 761707691ee610b6571e9a59fc0ee9b7d95ed89c61f453483a68ad6e4d8b9d7f 50 | XSIZE (ocochard-quagga-bgp-netgen-0.2_GH0.tar.gz) = 2110 51 | 0fb3c3f83f73881628e56c45d916475e 52 | exit 53 | 54 | -------------------------------------------------------------------------------- /BSDRP/tools/pktgen/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # $FreeBSD$ 3 | # 4 | 5 | PROG= bsdrp-pktgen 6 | NO_MAN= 7 | 8 | .include 9 | -------------------------------------------------------------------------------- /BSDRP/tools/pktgen/bsdrp-pktgen.c: -------------------------------------------------------------------------------- 1 | /* Simple packet (UDP) generator */ 2 | /* With lot's of comments (I'm learning C coding) */ 3 | 4 | #define PAYLOAD_STRING "0123456789" 5 | #define PAYLOAD_SIZE 10 6 | 7 | #include 8 | #include /* exit */ 9 | #include /* atoi */ 10 | #include /* setuid, getuid, close */ 11 | 12 | #include 13 | 14 | #include 15 | #include /* getaddrinfo */ 16 | 17 | /* Display the usage */ 18 | static void 19 | usage(void) 20 | { 21 | fprintf(stderr,"bsdrp-pktgen \n"); 22 | exit(-1); 23 | } 24 | 25 | int 26 | main(int argc, char *argv[]) 27 | { 28 | int s, error; 29 | /* s: socket number */ 30 | /* error: return value */ 31 | unsigned long port; /* UDP destination port */ 32 | char *dummy; /* mandatory for strtoul but not used */ 33 | const char *cause = NULL; /* Error explanation */ 34 | struct addrinfo hints, *res, *res0; 35 | /* hints: will give hints about family (4 or 6) */ 36 | /* res: pointer to a struct */ 37 | /* res0: a linked list of struct */ 38 | 39 | /* Initilazie the hints struct */ 40 | 
memset(&hints, 0, sizeof(hints)); 41 | hints.ai_family = PF_UNSPEC; /* For the moment, We didn't know what kind of family the IP given is */ 42 | hints.ai_socktype = SOCK_DGRAM; /* It's an UDP packet generator */ 43 | 44 | /* If not a minimum of 3 argument given display usage */ 45 | if(argc != 3) 46 | usage(); 47 | 48 | /* convert the string "port" to unsigned_long */ 49 | port = strtoul(argv[2], &dummy, 10); 50 | /* now we can check the boundary of the port number */ 51 | if (port < 1 || port > 65535 || *dummy != '\0') { 52 | fprintf(stderr, "Invalid port number: %s\n", argv[2]); 53 | usage(); 54 | /*NOTREACHED*/ 55 | } 56 | /* The user give something as destination (ipv4, ipv6, hostname) */ 57 | /* We need to call getaddrinfo that will looks for information about (hints) */ 58 | /* argv[1]: destination server/ip */ 59 | /* argv[2]: destination port */ 60 | /* If successfull, res0 is a linked list of addrinfo structures */ 61 | error = getaddrinfo(argv[1], argv[2], &hints, &res0); 62 | if (error) { 63 | perror(gai_strerror(error)); 64 | return (-1); 65 | /*NOTREACHED*/ 66 | } 67 | 68 | /* We will try all results given in the res0 list one by one */ 69 | s = -1; 70 | for (res = res0; res; res = res->ai_next) { 71 | s = socket(res->ai_family, res->ai_socktype, 0); 72 | /* socket failed */ 73 | if (s < 0) { 74 | cause = "socket"; 75 | continue; 76 | } 77 | 78 | /* Try a connection to the socket */ 79 | if (connect(s, res->ai_addr, res->ai_addrlen) < 0) { 80 | cause = "connect"; 81 | close(s); 82 | s = -1; 83 | continue; 84 | } 85 | 86 | break; /* okay we got one */ 87 | } 88 | if (s < 0) { 89 | perror(cause); 90 | return (-1); 91 | /*NOTREACHED*/ 92 | } 93 | 94 | /* we have our socket, we don't need the list res0 anymore */ 95 | freeaddrinfo(res0); 96 | 97 | printf("Sending packet at %s, port %s\n", argv[1], argv[2]); 98 | /* Infinite loop of send() */ 99 | for(;;) { 100 | send(s, PAYLOAD_STRING, PAYLOAD_SIZE, 0); 101 | } 102 | } 103 | 104 | 
-------------------------------------------------------------------------------- /CHANGES.md: -------------------------------------------------------------------------------- 1 | # Release 2.0 (xxx) 2 | 3 | ## Special instructions before upgrade 4 | Requires BSDRP 1.994 or later. 5 | Upgrading will not add the dual UEFI/BIOS mode; a full reinstall is required. 6 | 7 | ## New features 8 | * The Nanobsd framework is now replaced by poudriere-image. This brings: 9 | * Support for both BIOS and UEFI boot (you'll need to reinstall to add the EFI boot partition) 10 | * Migration from MBR to GPT 11 | * Packages built using the official poudriere method 12 | * New packages: 13 | * net/vpp 14 | * net/frr10 has lua scripting enabled 15 | * Removed packages: 16 | * isc-dhcp44 (use dnsmasq) 17 | * dhcprelya (use dnsmasq) 18 | 19 | ## To fix and test before release 20 | * when reboot or halt asks to save modifications, refuse to continue if 21 | "no" is pressed when we don’t want to save. 22 | * "/usr/local/etc/rc.d/pimd: 20: Syntax error: Unterminated quoted string" 23 | * bootonce script that should do: 24 | * gpart recover da0 (fix 'corrupt' status on gpt partitions) 25 | * Check for the bootfailed attribute and act accordingly 26 | * The update script needs to be updated to set bootonce without removing bootme 27 | 28 | ## Upgraded packages 29 | 30 | TO DO 31 | 32 | ## Packages list 33 | 34 | TO DO 35 | -------------------------------------------------------------------------------- /EINE/DEMO.data/data.conf: -------------------------------------------------------------------------------- 1 | DOMAIN_NAME="eine.orange-business.com" 2 | GATEWAYS="emea1 amer1 asia1" 3 | OVPN_UNREG_PORT="1194" 4 | #OVPN_REG_PORT will be OVPN_UNREG_PORT+1 5 | ADMIN_USERNAME="eine" 6 | CONSOLE_PASSWORD="eine" 7 | SSH_PORT="69" 8 | #Demo private SSH keys passphrase: verylongpassword 9 | -------------------------------------------------------------------------------- /EINE/DEMO.data/easy-rsa.vars: 
-------------------------------------------------------------------------------- 1 | # easy-rsa parameter settings 2 | 3 | # NOTE: If you installed from an RPM, 4 | # don't edit this file in place in 5 | # /usr/share/openvpn/easy-rsa -- 6 | # instead, you should copy the whole 7 | # easy-rsa directory to another location 8 | # (such as /etc/openvpn) so that your 9 | # edits will not be wiped out by a future 10 | # OpenVPN package upgrade. 11 | 12 | # This variable should point to 13 | # the top level of the easy-rsa 14 | # tree. 15 | export EASY_RSA="`pwd`" 16 | 17 | # 18 | # This variable should point to 19 | # the requested executables 20 | # 21 | export OPENSSL="openssl" 22 | export PKCS11TOOL="pkcs11-tool" 23 | export GREP="grep" 24 | 25 | 26 | # This variable should point to 27 | # the openssl.cnf file included 28 | # with easy-rsa. 29 | export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA` 30 | 31 | # Edit this variable to point to 32 | # your soon-to-be-created key 33 | # directory. 34 | # 35 | # WARNING: clean-all will do 36 | # a rm -rf on this directory 37 | # so make sure you define 38 | # it correctly! 39 | export KEY_DIR="/usr/local/etc/keys" 40 | 41 | # Issue rm -rf warning 42 | echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR 43 | 44 | # PKCS11 fixes 45 | export PKCS11_MODULE_PATH="dummy" 46 | export PKCS11_PIN="dummy" 47 | 48 | # Increase this to 2048 if you 49 | # are paranoid. This will slow 50 | # down TLS negotiation performance 51 | # as well as the one-time DH parms 52 | # generation process. 53 | export KEY_SIZE=1024 54 | 55 | # In how many days should the root CA key expire? 56 | export CA_EXPIRE=3650 57 | 58 | # In how many days should certificates expire? 59 | export KEY_EXPIRE=3650 60 | 61 | # These are the default values for fields 62 | # which will be placed in the certificate. 63 | # Don't leave any of these fields blank. 
64 | export KEY_COUNTRY="FR" 65 | export KEY_PROVINCE="Bretagne" 66 | export KEY_CITY="Rennes" 67 | export KEY_ORG="Orange Business Services" 68 | export KEY_EMAIL="me@myhost.mydomain" 69 | export KEY_EMAIL=olivier.cochard@orange.com 70 | export KEY_CN=changeme 71 | export KEY_NAME=changeme 72 | export KEY_OU=IBNF 73 | export PKCS11_MODULE_PATH=changeme 74 | export PKCS11_PIN=1234 75 | export RANDFILE=$KEY_DIR/.rnd 76 | -------------------------------------------------------------------------------- /EINE/DEMO.data/id_ed25519: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABBmYLBYSh 3 | FR3fU5JPaUWGw3AAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIGvB2c8PBhkF/66n 4 | nCCZM8KId6fzNwi1xdA0gRyfpZfIAAAAoL59NyPxma3Q04ffuNqXI8cxhCCRI34JJ03hQ3 5 | 1ZauSu+fa1m3nPVpnwqUYlIsQxeaOdBiP7dFno2IBH5k/jRv9p92s/sxtgdkOms0kxr+Ye 6 | kEmZv4sA6sCcdnlMmiTgWDiROEnZkGGjHiGvlPMGdfBCzADDsvUU8KjGB8Om/iXYczfZI3 7 | iPRll2oo7muABL/2WpYRFqlLe1Zg0rv7Zofp8= 8 | -----END OPENSSH PRIVATE KEY----- 9 | -------------------------------------------------------------------------------- /EINE/DEMO.data/id_ed25519.pub: -------------------------------------------------------------------------------- 1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGvB2c8PBhkF/66nnCCZM8KId6fzNwi1xdA0gRyfpZfI root@SM1.orange.bsdrp.net 2 | -------------------------------------------------------------------------------- /EINE/DEMO.data/keys/.rnd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ocochard/BSDRP/8bd71614d24fe94576dc50efda94cd5bc7af581c/EINE/DEMO.data/keys/.rnd -------------------------------------------------------------------------------- /EINE/DEMO.data/keys/01.pem: -------------------------------------------------------------------------------- 1 | Certificate: 2 | Data: 3 | Version: 3 (0x2) 4 | Serial Number: 1 (0x1) 5 | 
Signature Algorithm: sha1WithRSAEncryption 6 | Issuer: C=FR, ST=Bretagne, L=Rennes, O=Orange Business Services, OU=IBNF, CN=CA/name=CA/emailAddress=olivier.cochard@orange.com 7 | Validity 8 | Not Before: Sep 19 10:51:28 2014 GMT 9 | Not After : Sep 16 10:51:28 2024 GMT 10 | Subject: C=FR, ST=Bretagne, L=Rennes, O=Orange Business Services, OU=IBNF, CN=unregistered/name=unregistered/emailAddress=olivier.cochard@orange.com 11 | Subject Public Key Info: 12 | Public Key Algorithm: rsaEncryption 13 | Public-Key: (1024 bit) 14 | Modulus: 15 | 00:c5:ef:bb:bc:cb:2c:8f:df:09:56:bd:31:d4:fa: 16 | 94:ba:16:9f:af:21:5d:67:14:9d:2e:87:b1:46:70: 17 | 64:27:16:c3:f1:e8:ac:f6:e5:36:2c:8f:c8:72:1a: 18 | 6f:53:29:00:43:50:0d:bc:04:a6:e6:64:99:63:51: 19 | 52:bd:a2:cf:56:ec:90:52:7a:0c:96:0e:5b:bc:c9: 20 | 60:37:4c:3f:19:88:46:bc:78:fc:3f:53:a2:de:c2: 21 | be:3d:a3:6f:f4:a2:4c:2e:ca:91:3a:99:57:20:f9: 22 | 3f:e2:7d:20:ed:fe:c9:00:62:db:fa:3d:0d:14:ee: 23 | c7:0d:fe:2d:1d:25:08:b9:25 24 | Exponent: 65537 (0x10001) 25 | X509v3 extensions: 26 | X509v3 Basic Constraints: 27 | CA:FALSE 28 | Netscape Comment: 29 | Easy-RSA Generated Certificate 30 | X509v3 Subject Key Identifier: 31 | B7:EA:88:0C:66:BE:B9:0A:15:29:1F:42:C4:76:D4:46:18:58:EF:5C 32 | X509v3 Authority Key Identifier: 33 | keyid:70:48:06:C0:2B:31:06:33:EC:72:24:0B:1E:7A:E0:B4:3F:3F:5D:31 34 | DirName:/C=FR/ST=Bretagne/L=Rennes/O=Orange Business Services/OU=IBNF/CN=CA/name=CA/emailAddress=olivier.cochard@orange.com 35 | serial:A7:3A:3D:4C:29:93:49:69 36 | 37 | X509v3 Extended Key Usage: 38 | TLS Web Client Authentication 39 | X509v3 Key Usage: 40 | Digital Signature 41 | Signature Algorithm: sha1WithRSAEncryption 42 | 8d:3f:85:1e:49:06:82:eb:ed:40:4b:2d:c2:a2:f3:ce:8e:47: 43 | 08:ae:b9:72:a4:ae:87:aa:53:f0:d7:81:13:5d:68:96:ca:a8: 44 | f3:c2:f3:f3:02:25:34:56:22:cc:6d:d4:7d:36:6b:f4:2a:1f: 45 | 7a:5b:b8:82:04:c6:e2:ee:d0:31:9d:50:2a:1b:af:b0:a4:81: 46 | 52:47:e0:41:69:af:9e:97:9f:6e:08:00:e0:4f:8b:92:93:c6: 47 | 
db:17:94:91:51:17:c1:7c:d3:dc:56:90:48:3f:cc:5b:db:02: 48 | 12:24:02:41:97:d0:86:71:7b:4a:86:2f:79:10:7d:aa:28:26: 49 | 43:46 50 | -----BEGIN CERTIFICATE----- 51 | MIIEPTCCA6agAwIBAgIBATANBgkqhkiG9w0BAQUFADCBqDELMAkGA1UEBhMCRlIx 52 | ETAPBgNVBAgTCEJyZXRhZ25lMQ8wDQYDVQQHEwZSZW5uZXMxITAfBgNVBAoTGE9y 53 | YW5nZSBCdXNpbmVzcyBTZXJ2aWNlczENMAsGA1UECxMESUJORjELMAkGA1UEAxMC 54 | Q0ExCzAJBgNVBCkTAkNBMSkwJwYJKoZIhvcNAQkBFhpvbGl2aWVyLmNvY2hhcmRA 55 | b3JhbmdlLmNvbTAeFw0xNDA5MTkxMDUxMjhaFw0yNDA5MTYxMDUxMjhaMIG8MQsw 56 | CQYDVQQGEwJGUjERMA8GA1UECBMIQnJldGFnbmUxDzANBgNVBAcTBlJlbm5lczEh 57 | MB8GA1UEChMYT3JhbmdlIEJ1c2luZXNzIFNlcnZpY2VzMQ0wCwYDVQQLEwRJQk5G 58 | MRUwEwYDVQQDEwx1bnJlZ2lzdGVyZWQxFTATBgNVBCkTDHVucmVnaXN0ZXJlZDEp 59 | MCcGCSqGSIb3DQEJARYab2xpdmllci5jb2NoYXJkQG9yYW5nZS5jb20wgZ8wDQYJ 60 | KoZIhvcNAQEBBQADgY0AMIGJAoGBAMXvu7zLLI/fCVa9MdT6lLoWn68hXWcUnS6H 61 | sUZwZCcWw/HorPblNiyPyHIab1MpAENQDbwEpuZkmWNRUr2iz1bskFJ6DJYOW7zJ 62 | YDdMPxmIRrx4/D9Tot7Cvj2jb/SiTC7KkTqZVyD5P+J9IO3+yQBi2/o9DRTuxw3+ 63 | LR0lCLklAgMBAAGjggFfMIIBWzAJBgNVHRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5F 64 | YXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFLfqiAxmvrkK 65 | FSkfQsR21EYYWO9cMIHdBgNVHSMEgdUwgdKAFHBIBsArMQYz7HIkCx564LQ/P10x 66 | oYGupIGrMIGoMQswCQYDVQQGEwJGUjERMA8GA1UECBMIQnJldGFnbmUxDzANBgNV 67 | BAcTBlJlbm5lczEhMB8GA1UEChMYT3JhbmdlIEJ1c2luZXNzIFNlcnZpY2VzMQ0w 68 | CwYDVQQLEwRJQk5GMQswCQYDVQQDEwJDQTELMAkGA1UEKRMCQ0ExKTAnBgkqhkiG 69 | 9w0BCQEWGm9saXZpZXIuY29jaGFyZEBvcmFuZ2UuY29tggkApzo9TCmTSWkwEwYD 70 | VR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeAMA0GCSqGSIb3DQEBBQUAA4GB 71 | AI0/hR5JBoLr7UBLLcKi886ORwiuuXKkroeqU/DXgRNdaJbKqPPC8/MCJTRWIsxt 72 | 1H02a/QqH3pbuIIExuLu0DGdUCobr7CkgVJH4EFpr56Xn24IAOBPi5KTxtsXlJFR 73 | F8F809xWkEg/zFvbAhIkAkGX0IZxe0qGL3kQfaooJkNG 74 | -----END CERTIFICATE----- 75 | -------------------------------------------------------------------------------- /EINE/DEMO.data/keys/ca.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN 
CERTIFICATE----- 2 | MIID4zCCA0ygAwIBAgIJAKc6PUwpk0lpMA0GCSqGSIb3DQEBBQUAMIGoMQswCQYD 3 | VQQGEwJGUjERMA8GA1UECBMIQnJldGFnbmUxDzANBgNVBAcTBlJlbm5lczEhMB8G 4 | A1UEChMYT3JhbmdlIEJ1c2luZXNzIFNlcnZpY2VzMQ0wCwYDVQQLEwRJQk5GMQsw 5 | CQYDVQQDEwJDQTELMAkGA1UEKRMCQ0ExKTAnBgkqhkiG9w0BCQEWGm9saXZpZXIu 6 | Y29jaGFyZEBvcmFuZ2UuY29tMB4XDTE0MDkxOTEwNTEwNloXDTI0MDkxNjEwNTEw 7 | NlowgagxCzAJBgNVBAYTAkZSMREwDwYDVQQIEwhCcmV0YWduZTEPMA0GA1UEBxMG 8 | UmVubmVzMSEwHwYDVQQKExhPcmFuZ2UgQnVzaW5lc3MgU2VydmljZXMxDTALBgNV 9 | BAsTBElCTkYxCzAJBgNVBAMTAkNBMQswCQYDVQQpEwJDQTEpMCcGCSqGSIb3DQEJ 10 | ARYab2xpdmllci5jb2NoYXJkQG9yYW5nZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD 11 | gY0AMIGJAoGBAMKH7AuUtRR76chpd8UUMrviCPKuypKgBIYMnvOEe8ex6eIRCTnE 12 | rF/7/qCl7wxFmYPfoIG8UQ4k4oDsK/VtIHEbIvgsrP0T7PUEgbCC2GocVh9DcePI 13 | 9R30y/njQpBqgWlDf0T/5RSt6QsnWmTq8ZizwDPZi7V9aFNuYex7uWPDAgMBAAGj 14 | ggERMIIBDTAdBgNVHQ4EFgQUcEgGwCsxBjPsciQLHnrgtD8/XTEwgd0GA1UdIwSB 15 | 1TCB0oAUcEgGwCsxBjPsciQLHnrgtD8/XTGhga6kgaswgagxCzAJBgNVBAYTAkZS 16 | MREwDwYDVQQIEwhCcmV0YWduZTEPMA0GA1UEBxMGUmVubmVzMSEwHwYDVQQKExhP 17 | cmFuZ2UgQnVzaW5lc3MgU2VydmljZXMxDTALBgNVBAsTBElCTkYxCzAJBgNVBAMT 18 | AkNBMQswCQYDVQQpEwJDQTEpMCcGCSqGSIb3DQEJARYab2xpdmllci5jb2NoYXJk 19 | QG9yYW5nZS5jb22CCQCnOj1MKZNJaTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB 20 | BQUAA4GBAB3uzniwH9l6EGEvb4w1EKvR6la646qxB9gbDh7EYCFFHd4uRN2foHNP 21 | BdjBHqZJSliBYhciSWLeMjB5UhPDhCE2whpJ3GFRd/qHp+3zwkppe8OTJi6J/6UR 22 | iWaVWZfiMVQ8zhIKyzutGoFdwe0Y1a4Q5lMeVOcxa9OstioDtyaG 23 | -----END CERTIFICATE----- 24 | -------------------------------------------------------------------------------- /EINE/DEMO.data/keys/ca.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAMKH7AuUtRR76chp 3 | d8UUMrviCPKuypKgBIYMnvOEe8ex6eIRCTnErF/7/qCl7wxFmYPfoIG8UQ4k4oDs 4 | K/VtIHEbIvgsrP0T7PUEgbCC2GocVh9DcePI9R30y/njQpBqgWlDf0T/5RSt6Qsn 5 | 
WmTq8ZizwDPZi7V9aFNuYex7uWPDAgMBAAECgYA+o6PnasAQU4JJDWUKqeFYTIWT 6 | F6OVKT+rpn68bUmqWOi16cRtvJ3A3pT0R9o8umCfbS/y9p+nDUt+Ng5FnhkWof0e 7 | 3bEyysJotmZI07VQag20XUyOWrp/7f6utzsibyJxKK1KPFeC7pdIAdPuWo1qaJo6 8 | NYCHttEWGfbx0hGN0QJBAPouxtEXpWeVbDhSPSoJ+04SiKC3EgQoDLddnm3+cc4F 9 | 6HvfXXGzqTuonbpOTSlnzgYXoeVcyU0ns4TWUWufnpsCQQDHDeA3RkqJLxV+t4uV 10 | rYtVVDDO5k0Qhj0cmORYVeVAs3KSrfo92keS4aQQA/mXsG3pnTrebGly4NCwuSj+ 11 | ws35AkEA0JOa8cuS/K7YkIQPtjKoL0jIW6UFAi4Zm+4THYTagHbwggWQtDCi0Lgc 12 | 96w8LF78ppuhP8WBli+ZPRAoxV9ILQJATgvCvelxkBhF9UlCEY3Z87ru6DCkRrZb 13 | f7ryzS/gk13IrnpIg7fyGEUgbqcgVbl3XwGm807OiZxcNu5ihIEdAQJADn8dpwtn 14 | hi3ZMKKE0ogvY1i/EBPzrQr5r00xO8wQGS9hroZYaceacuotVHkD3Yx+MzNwGIzO 15 | lgJtE4ViM7w5/A== 16 | -----END PRIVATE KEY----- 17 | -------------------------------------------------------------------------------- /EINE/DEMO.data/keys/crl.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN X509 CRL----- 2 | MIIBbjCB2DANBgkqhkiG9w0BAQQFADCBqDELMAkGA1UEBhMCRlIxETAPBgNVBAgT 3 | CEJyZXRhZ25lMQ8wDQYDVQQHEwZSZW5uZXMxITAfBgNVBAoTGE9yYW5nZSBCdXNp 4 | bmVzcyBTZXJ2aWNlczENMAsGA1UECxMESUJORjELMAkGA1UEAxMCQ0ExCzAJBgNV 5 | BCkTAkNBMSkwJwYJKoZIhvcNAQkBFhpvbGl2aWVyLmNvY2hhcmRAb3JhbmdlLmNv 6 | bRcNMTQwOTE5MTA1MjExWhcNMTQxMDE5MTA1MjExWjANBgkqhkiG9w0BAQQFAAOB 7 | gQAfD5pmLOjynZZkplXvqxaHfi83k8hnL9jiFUYIQNCSSzkLxv19QohjxetcD8+1 8 | Yt8yLPcHuyyo17Ug7Y38kyApNqBCHyzZJhqwMycn21V9aaOMmfRkSCI+QJggtpsE 9 | dQ5utXzA03KLCylHJi1btgHc0WYPohaPvybjKc0EvqaR7A== 10 | -----END X509 CRL----- 11 | -------------------------------------------------------------------------------- /EINE/DEMO.data/keys/dh1024.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN DH PARAMETERS----- 2 | MIGHAoGBAPx7nO/6r25ZxDApbMpvuGkvTbdpG8gG4XJTWKZs3qiQwSXtIonLaCoh 3 | axLVxIB+rTSLXhrXAcyt6zl/6vk9BhUGiK+Mp+AOSYkE+l/OQR7uVIVTp3zOT83a 4 | qshtcgxobxZkzLK7kaK53RWDfr7OaTI2PGmfxUu8QnlLqFbOYIVjAgEC 5 | -----END DH PARAMETERS----- 
6 | -------------------------------------------------------------------------------- /EINE/DEMO.data/keys/index.txt: -------------------------------------------------------------------------------- 1 | V 240916105128Z 01 unknown /C=FR/ST=Bretagne/L=Rennes/O=Orange Business Services/OU=IBNF/CN=unregistered/name=unregistered/emailAddress=olivier.cochard@orange.com 2 | -------------------------------------------------------------------------------- /EINE/DEMO.data/keys/index.txt.attr: -------------------------------------------------------------------------------- 1 | unique_subject = yes 2 | -------------------------------------------------------------------------------- /EINE/DEMO.data/keys/index.txt.old: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ocochard/BSDRP/8bd71614d24fe94576dc50efda94cd5bc7af581c/EINE/DEMO.data/keys/index.txt.old -------------------------------------------------------------------------------- /EINE/DEMO.data/keys/serial: -------------------------------------------------------------------------------- 1 | 02 2 | -------------------------------------------------------------------------------- /EINE/DEMO.data/keys/serial.old: -------------------------------------------------------------------------------- 1 | 01 2 | -------------------------------------------------------------------------------- /EINE/DEMO.data/keys/ta.key: -------------------------------------------------------------------------------- 1 | # 2 | # 2048 bit OpenVPN static key 3 | # 4 | -----BEGIN OpenVPN Static key V1----- 5 | bb8656ae8e3de56e58c730d624f2be39 6 | a2b3cad7cde55841985005dce39c6b0a 7 | 9cb21200fe2aa61d2e54ccad24800b22 8 | 709d0b88ec3d9d153102145f1fc5e561 9 | dad6bf26cbfa622efc28f88323d6d441 10 | f1785cd38d25cbe676a7838363b8f2fd 11 | e2558705f16f64ea76512946d828b7f7 12 | 1d68397ca7fea734016e3577df6cabb9 13 | cdef7c0319f48d6d32161ab5900e3c91 14 | 111ff7887e59038a1e3a86445247ea16 15 | 
26c050669d1596692e160b473769fd53 16 | ac8a61930bca46920909acc1c779af70 17 | fdfb02b66179c67a4be95d625a5bc1d5 18 | 93a67ff3ed719d30da62dea34ede2f21 19 | 3a6616da75320e5aa26cafc1b9222f22 20 | e88dbb46cfbc43bf5ae3668ddeee9a9a 21 | -----END OpenVPN Static key V1----- 22 | -------------------------------------------------------------------------------- /EINE/DEMO.data/keys/unregistered.crt: -------------------------------------------------------------------------------- 1 | Certificate: 2 | Data: 3 | Version: 3 (0x2) 4 | Serial Number: 1 (0x1) 5 | Signature Algorithm: sha1WithRSAEncryption 6 | Issuer: C=FR, ST=Bretagne, L=Rennes, O=Orange Business Services, OU=IBNF, CN=CA/name=CA/emailAddress=olivier.cochard@orange.com 7 | Validity 8 | Not Before: Sep 19 10:51:28 2014 GMT 9 | Not After : Sep 16 10:51:28 2024 GMT 10 | Subject: C=FR, ST=Bretagne, L=Rennes, O=Orange Business Services, OU=IBNF, CN=unregistered/name=unregistered/emailAddress=olivier.cochard@orange.com 11 | Subject Public Key Info: 12 | Public Key Algorithm: rsaEncryption 13 | Public-Key: (1024 bit) 14 | Modulus: 15 | 00:c5:ef:bb:bc:cb:2c:8f:df:09:56:bd:31:d4:fa: 16 | 94:ba:16:9f:af:21:5d:67:14:9d:2e:87:b1:46:70: 17 | 64:27:16:c3:f1:e8:ac:f6:e5:36:2c:8f:c8:72:1a: 18 | 6f:53:29:00:43:50:0d:bc:04:a6:e6:64:99:63:51: 19 | 52:bd:a2:cf:56:ec:90:52:7a:0c:96:0e:5b:bc:c9: 20 | 60:37:4c:3f:19:88:46:bc:78:fc:3f:53:a2:de:c2: 21 | be:3d:a3:6f:f4:a2:4c:2e:ca:91:3a:99:57:20:f9: 22 | 3f:e2:7d:20:ed:fe:c9:00:62:db:fa:3d:0d:14:ee: 23 | c7:0d:fe:2d:1d:25:08:b9:25 24 | Exponent: 65537 (0x10001) 25 | X509v3 extensions: 26 | X509v3 Basic Constraints: 27 | CA:FALSE 28 | Netscape Comment: 29 | Easy-RSA Generated Certificate 30 | X509v3 Subject Key Identifier: 31 | B7:EA:88:0C:66:BE:B9:0A:15:29:1F:42:C4:76:D4:46:18:58:EF:5C 32 | X509v3 Authority Key Identifier: 33 | keyid:70:48:06:C0:2B:31:06:33:EC:72:24:0B:1E:7A:E0:B4:3F:3F:5D:31 34 | DirName:/C=FR/ST=Bretagne/L=Rennes/O=Orange Business 
Services/OU=IBNF/CN=CA/name=CA/emailAddress=olivier.cochard@orange.com 35 | serial:A7:3A:3D:4C:29:93:49:69 36 | 37 | X509v3 Extended Key Usage: 38 | TLS Web Client Authentication 39 | X509v3 Key Usage: 40 | Digital Signature 41 | Signature Algorithm: sha1WithRSAEncryption 42 | 8d:3f:85:1e:49:06:82:eb:ed:40:4b:2d:c2:a2:f3:ce:8e:47: 43 | 08:ae:b9:72:a4:ae:87:aa:53:f0:d7:81:13:5d:68:96:ca:a8: 44 | f3:c2:f3:f3:02:25:34:56:22:cc:6d:d4:7d:36:6b:f4:2a:1f: 45 | 7a:5b:b8:82:04:c6:e2:ee:d0:31:9d:50:2a:1b:af:b0:a4:81: 46 | 52:47:e0:41:69:af:9e:97:9f:6e:08:00:e0:4f:8b:92:93:c6: 47 | db:17:94:91:51:17:c1:7c:d3:dc:56:90:48:3f:cc:5b:db:02: 48 | 12:24:02:41:97:d0:86:71:7b:4a:86:2f:79:10:7d:aa:28:26: 49 | 43:46 50 | -----BEGIN CERTIFICATE----- 51 | MIIEPTCCA6agAwIBAgIBATANBgkqhkiG9w0BAQUFADCBqDELMAkGA1UEBhMCRlIx 52 | ETAPBgNVBAgTCEJyZXRhZ25lMQ8wDQYDVQQHEwZSZW5uZXMxITAfBgNVBAoTGE9y 53 | YW5nZSBCdXNpbmVzcyBTZXJ2aWNlczENMAsGA1UECxMESUJORjELMAkGA1UEAxMC 54 | Q0ExCzAJBgNVBCkTAkNBMSkwJwYJKoZIhvcNAQkBFhpvbGl2aWVyLmNvY2hhcmRA 55 | b3JhbmdlLmNvbTAeFw0xNDA5MTkxMDUxMjhaFw0yNDA5MTYxMDUxMjhaMIG8MQsw 56 | CQYDVQQGEwJGUjERMA8GA1UECBMIQnJldGFnbmUxDzANBgNVBAcTBlJlbm5lczEh 57 | MB8GA1UEChMYT3JhbmdlIEJ1c2luZXNzIFNlcnZpY2VzMQ0wCwYDVQQLEwRJQk5G 58 | MRUwEwYDVQQDEwx1bnJlZ2lzdGVyZWQxFTATBgNVBCkTDHVucmVnaXN0ZXJlZDEp 59 | MCcGCSqGSIb3DQEJARYab2xpdmllci5jb2NoYXJkQG9yYW5nZS5jb20wgZ8wDQYJ 60 | KoZIhvcNAQEBBQADgY0AMIGJAoGBAMXvu7zLLI/fCVa9MdT6lLoWn68hXWcUnS6H 61 | sUZwZCcWw/HorPblNiyPyHIab1MpAENQDbwEpuZkmWNRUr2iz1bskFJ6DJYOW7zJ 62 | YDdMPxmIRrx4/D9Tot7Cvj2jb/SiTC7KkTqZVyD5P+J9IO3+yQBi2/o9DRTuxw3+ 63 | LR0lCLklAgMBAAGjggFfMIIBWzAJBgNVHRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5F 64 | YXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFLfqiAxmvrkK 65 | FSkfQsR21EYYWO9cMIHdBgNVHSMEgdUwgdKAFHBIBsArMQYz7HIkCx564LQ/P10x 66 | oYGupIGrMIGoMQswCQYDVQQGEwJGUjERMA8GA1UECBMIQnJldGFnbmUxDzANBgNV 67 | BAcTBlJlbm5lczEhMB8GA1UEChMYT3JhbmdlIEJ1c2luZXNzIFNlcnZpY2VzMQ0w 68 | CwYDVQQLEwRJQk5GMQswCQYDVQQDEwJDQTELMAkGA1UEKRMCQ0ExKTAnBgkqhkiG 69 
| 9w0BCQEWGm9saXZpZXIuY29jaGFyZEBvcmFuZ2UuY29tggkApzo9TCmTSWkwEwYD 70 | VR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeAMA0GCSqGSIb3DQEBBQUAA4GB 71 | AI0/hR5JBoLr7UBLLcKi886ORwiuuXKkroeqU/DXgRNdaJbKqPPC8/MCJTRWIsxt 72 | 1H02a/QqH3pbuIIExuLu0DGdUCobr7CkgVJH4EFpr56Xn24IAOBPi5KTxtsXlJFR 73 | F8F809xWkEg/zFvbAhIkAkGX0IZxe0qGL3kQfaooJkNG 74 | -----END CERTIFICATE----- 75 | -------------------------------------------------------------------------------- /EINE/DEMO.data/keys/unregistered.csr: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE REQUEST----- 2 | MIIB/TCCAWYCAQAwgbwxCzAJBgNVBAYTAkZSMREwDwYDVQQIEwhCcmV0YWduZTEP 3 | MA0GA1UEBxMGUmVubmVzMSEwHwYDVQQKExhPcmFuZ2UgQnVzaW5lc3MgU2Vydmlj 4 | ZXMxDTALBgNVBAsTBElCTkYxFTATBgNVBAMTDHVucmVnaXN0ZXJlZDEVMBMGA1UE 5 | KRMMdW5yZWdpc3RlcmVkMSkwJwYJKoZIhvcNAQkBFhpvbGl2aWVyLmNvY2hhcmRA 6 | b3JhbmdlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxe+7vMssj98J 7 | Vr0x1PqUuhafryFdZxSdLoexRnBkJxbD8eis9uU2LI/IchpvUykAQ1ANvASm5mSZ 8 | Y1FSvaLPVuyQUnoMlg5bvMlgN0w/GYhGvHj8P1Oi3sK+PaNv9KJMLsqROplXIPk/ 9 | 4n0g7f7JAGLb+j0NFO7HDf4tHSUIuSUCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4GB 10 | AHjmc+FRT/4iTQf8D9WlbP/AtRgyOcS7YjLOlVSHv92Ffe5NuEpr6Jm537LKgEfr 11 | 3aowlxFl5aPFXNVhwqFrKstpai/XMtMoC3Dl6tLOBcuDDwbwzYMnvN7IeOOCRunH 12 | 3IV7jJHWUv3X+FMc2NDVOXnGVXeM5yZOIJ3EgOGFqhSm 13 | -----END CERTIFICATE REQUEST----- 14 | -------------------------------------------------------------------------------- /EINE/DEMO.data/keys/unregistered.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMXvu7zLLI/fCVa9 3 | MdT6lLoWn68hXWcUnS6HsUZwZCcWw/HorPblNiyPyHIab1MpAENQDbwEpuZkmWNR 4 | Ur2iz1bskFJ6DJYOW7zJYDdMPxmIRrx4/D9Tot7Cvj2jb/SiTC7KkTqZVyD5P+J9 5 | IO3+yQBi2/o9DRTuxw3+LR0lCLklAgMBAAECgYA+MUVb3LrzubDFgEzYDqQMlG84 6 | J9OhP+jjZd9dspLFdXG74M/4A60x8zuYHpY8GvXqMI0gNpX6bkGD41mMHEvpBo0C 7 | 
1JPerq1I31i/FLc4QZM/xAGZWFMGXrIyP54Wa/QpMTr2FqlvOv+57A+MN4w96ltD 8 | qfuvrhuwKEOnnGSRQQJBAOYsdSBb59sq77ROeEd7ao57OYOvIH/bekQIFxyR8nnS 9 | TGj4hzAWTKCGa4Xr/1b7uIBkOjoDTGsUlYOrux5nrxsCQQDcJUoitQQZLurDGO0y 10 | ooC4AsrfzUC3xwLOxELy31Nja+V/LsneODP33gDdOv7gyNY5Rz110ZHkBzqRVTnY 11 | VHy/AkEAgMzF6gqjzqfTJMF4Wv+72+kmgQLBm+p0G5evXyRoXDUK3v6bn5QK4xT1 12 | HCa4ZrNLRkVPs+DepVkKZXj2p4f7mwJBAJ++AzyKA05OyBUHil66ohJkHFgndPWl 13 | 1/i3WyknOjgje+U8y0iPmc4bbp8ZhwcPVLs9YXCTwHwpbqs0n4PFUrsCQFzpUALH 14 | 9AI8hcnkNXskD9oSGgXgI82fk7F1FkYuEuJyMLG8EnXz0qRALvFjNnXuu+GhmQbs 15 | J1P3dC52Wzv16Jo= 16 | -----END PRIVATE KEY----- 17 | -------------------------------------------------------------------------------- /EINE/Files/etc/rc.conf: -------------------------------------------------------------------------------- 1 | ###### BSD Router Project Base Configuration ######## 2 | 3 | # /etc/rc.conf: This file, put your configuration here 4 | # /etc/rc.conf.misc: Special BSDRP configuration parameters (polling, somes sysctl tunning) 5 | # /etc/default/rc.conf: Default FreeBSD value and some examples (Do not edit this file!) 
6 | 7 | # Hostname 8 | hostname="vpnrouter.eine.orangebusiness.com" 9 | 10 | # Enable routing (prevent to learn IPv6 default gateways) 11 | gateway_enable="YES" 12 | ipv6_gateway_enable="YES" 13 | 14 | # Enable IPv6 15 | ipv6_activate_all_interfaces="YES" 16 | 17 | # Configure first interface as net0 "Internet" interface 18 | # re0 on APU 19 | # vtnet0 on VirtIO VM 20 | # em0 or vmx0 on VMware VM 21 | ifconfig_re0_name="net0" 22 | ifconfig_vtnet0_name="net0" 23 | ifconfig_em0_name="net0" 24 | ifconfig_vmx0_name="net0" 25 | ifconfig_igb0_name="net0" 26 | 27 | # Configure second interface as net1 "Internal" interface 28 | # APU had 3 NIC, re2 is not used in our case 29 | ifconfig_re1_name="net1" 30 | ifconfig_vtnet1_name="net1" 31 | ifconfig_em1_name="net1" 32 | ifconfig_vmx1_name="net1" 33 | ifconfig_igb1_name="net1" 34 | 35 | # Enable DHCP on net0 interface 36 | ifconfig_net0="DHCP" 37 | 38 | # Permit to learn default IPv6 route on this interface even with IPv6 routing enabled 39 | ipv6_cpe_wanif="net0" 40 | 41 | # Enable Router Advertisment on "Internal" interface 42 | rtadvd_enable="NO" 43 | rtadvd_interfaces="net1" 44 | 45 | # Enable RFC1323 extensions 46 | tcp_extensions="YES" 47 | 48 | # Enable SSH by default 49 | sshd_enable="YES" 50 | 51 | # Load APU LED module drivers by default 52 | kld_list="apuled" 53 | 54 | # Loop script that is waiting for RESET 55 | resetcheck_enable="YES" 56 | 57 | # Enable firewall 58 | firewall_type="workstation" 59 | firewall_enable="YES" 60 | firewall_allowservices="any" 61 | firewall_quiet="YES" 62 | 63 | # Enable OpenVPN 64 | openvpn_enable="YES" 65 | 66 | # Forcing date setup by NTP at boot is mandatory 67 | # Certificate date are checked 68 | ntpd_sync_on_start="YES" 69 | ntpd_enable="YES" 70 | 71 | # Variables that will be added by the EINE firmware build script: 72 | # firewall_myservices="${SSH_PORT}/tcp" 73 | -------------------------------------------------------------------------------- /EINE/Files/etc/ssh/sshd_config: 
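--------------------------------------------------------------------------------
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
StrictModes yes
KexAlgorithms curve25519-sha256@libssh.org
Ciphers aes256-gcm@openssh.com
UsePrivilegeSeparation sandbox
UseDNS no
PermitEmptyPasswords no
PermitRootLogin no
PermitUserEnvironment no
AllowTcpForwarding no
X11Forwarding no
ClientAliveInterval 120
ClientAliveCountMax 2
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
Subsystem sftp /usr/libexec/sftp-server
#Others variables added by the build script:
#AllowUsers ${ADMIN_USERNAME}
#Port ${SSH_PORT}
--------------------------------------------------------------------------------
/EINE/Files/etc/version:
--------------------------------------------------------------------------------
0.95
--------------------------------------------------------------------------------
/EINE/Files/usr/local/bin/cputemp:
--------------------------------------------------------------------------------
#!/bin/sh
# Script used to monitor CPU temperature
# Used by monit: exits with the measured temperature as status when it reaches
# the threshold (monit alerts on a non-zero status), and with 0 otherwise.
# Argument: Maximum temperature (integer, degrees Celsius)
set -eu
# Give a usage message instead of the bare "parameter not set" from set -u.
MAX_TEMP=${1:?usage: cputemp MAX_TEMPERATURE}
# Intel: dev.cpu.0.temperature
# AMD: dev.amdtemp.0.core0.sensor0
# Try the AMD sensor first (original behaviour), then fall back to the Intel
# coretemp OID; if neither exists sysctl fails and set -e aborts the script.
TEMP=$(sysctl -n dev.amdtemp.0.core0.sensor0 2>/dev/null || sysctl -n dev.cpu.0.temperature)
# Keep only the integer part of values such as "45.0C".
TEMP=${TEMP%.*C}
# Both operands of -ge must be integers, otherwise test reports a syntax error
# instead of a usable status.
for n in "${TEMP}" "${MAX_TEMP}"; do
  case ${n} in
    ''|-|*[!0-9-]*|?*-*)
      echo "cputemp: not an integer: '${n}'" >&2
      exit 2
      ;;
  esac
done
# exit, not return: return outside a function is unspecified in POSIX sh and
# an error in several shells, so the original never reliably set the status.
if [ "${TEMP}" -ge "${MAX_TEMP}" ]; then
  exit "${TEMP}"
fi
exit 0
--------------------------------------------------------------------------------
/EINE/Files/usr/local/etc/ansible/ansible.cfg:
--------------------------------------------------------------------------------
[defaults]
retry_files_enabled = False
inventory = /usr/local/etc/ansible/inventory.ini
pipelining = True
forks = 50
--------------------------------------------------------------------------------
/EINE/Files/usr/local/etc/ansible/gateways.yml: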
-------------------------------------------------------------------------------- 1 | --- 2 | - hosts: gateways 3 | gather_facts: no 4 | sudo: yes 5 | roles: 6 | - common 7 | - gateway 8 | - nanobsd 9 | -------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/group_vars/freebsd: -------------------------------------------------------------------------------- 1 | --- 2 | ansible_python_interpreter: /usr/local/bin/python 3 | -------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/group_vars/gateways: -------------------------------------------------------------------------------- 1 | --- 2 | radius_servers: 3 | - name: radius1 4 | ip: 10.10.10.10 5 | port: 1645 6 | password: averylongpassword 7 | - name: radius2 8 | ip: 10.10.10.20 9 | port: 1645 10 | password: averylongpassword 11 | -------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/inventory.ini: -------------------------------------------------------------------------------- 1 | [freebsd:children] 2 | gateways 3 | -------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/roles/common/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: restart hostname 3 | command: hostname {{inventory_hostname}} 4 | 5 | - name: restart netif 6 | service: name=netif state=restarted 7 | 8 | - name: restart routing 9 | service: name=routing state=restarted 10 | ignore_errors: yes 11 | 12 | -------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/roles/common/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Configure hostname 3 | lineinfile: dest=/etc/rc.conf regexp=^hostname= 
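line='hostname="{{inventory_hostname}}"'
  tags: hostname
  notify:
    - restart hostname

- name: Configure IP on internal interface
  lineinfile: dest=/etc/rc.conf regexp=^ifconfig_net1= line='ifconfig_net1="inet {{if_int_inet4_addr}}/{{if_int_inet4_prefix}}"'
  tags: interface
  notify:
    - restart netif

- name: Configure IP on interface net0
  lineinfile: dest=/etc/rc.conf regexp=^ifconfig_net0= line='ifconfig_net0="inet {{if_ext_inet4_addr}}/{{if_ext_inet4_prefix}}"'
  tags: interface
  notify:
    - restart netif

- name: Create additional loopback interfaces
  lineinfile: dest=/etc/rc.conf regexp=^cloned_interfaces= line='cloned_interfaces="lo1 lo2"'
  tags: interface
  notify:
    - restart netif

- name: Configure loopback interface
  lineinfile: dest=/etc/rc.conf regexp=^ifconfig_lo1= line='ifconfig_lo1="inet {{if_lo_inet4_addr}}/{{if_lo_inet4_prefix}}"'
  tags: interface
  notify:
    - restart netif

- name: Configure loopback interface lo2
  lineinfile: dest=/etc/rc.conf regexp=^ifconfig_lo2= line='ifconfig_lo2="inet 2.2.2.2/32"'
  tags: interface
  notify:
    - restart netif

--------------------------------------------------------------------------------
/EINE/Files/usr/local/etc/ansible/roles/gateway/files/etc/ipfw.rules.j2:
--------------------------------------------------------------------------------
#!/bin/sh
#{{ ansible_managed }}
fwcmd="/sbin/ipfw"
# Interfaces description:
# net0 is [UNSECURE] Internet facing NIC
# tun0 is the registration OpenVPN tunnel (unregistered clients, NATed below)
# tun1 is [SECURE] gateway OpenVPN tunnel interface (registered clients)
# net1 is [SECURE] local/internal facing NIC
# wlan0 is [SECURE] local/internal facing Wireless NIC
# lo1 is [SECURE] loopback interface used for management
# Get the SSH port (should be the same on the manager)
SSH_PORT=$(grep '^Port [[:digit:]]' /etc/ssh/sshd_config | cut -d ' ' -f 2)
# A missing or malformed Port line yields an empty/non-numeric value, which
# would make the numeric test below fail with a syntax error; fall back to the
# default port in that case as well.
case ${SSH_PORT} in
  ''|*[!0-9]*) SSH_PORT=22 ;;
esac
if [ "${SSH_PORT}" -lt 1 ] || [ "${SSH_PORT}" -gt 65535 ]; then
  SSH_PORT=22
fi
# Get the OpenVPN port list
#OVPN_GW_PORT=$(grep '^port [[:digit:]]' /usr/local/etc/openvpn/gateway.conf | cut -d ' ' -f 2)
OVPN_PORT=$(grep '^port [[:digit:]]' /usr/local/etc/openvpn/registration.conf | cut -d ' ' -f 2)
# If the port cannot be read, ${OVPN_PORT} expands to nothing and the rule
# "pass udp from any to me ${OVPN_PORT} in via net0" would accept UDP to EVERY
# port of this host. Default to 1194, the port set in registration.conf.j2.
case ${OVPN_PORT} in
  ''|*[!0-9]*) OVPN_PORT=1194 ;;
esac
if [ "${OVPN_PORT}" -lt 1 ] || [ "${OVPN_PORT}" -gt 65535 ]; then
  OVPN_PORT=1194
fi
# Flush out the list before we begin.
${fwcmd} -f flush
# Do not filter packets to/from loopback, tunnel and internal interfaces
${fwcmd} add pass ip from any to any via lo0
${fwcmd} add pass ip from any to any via lo1
${fwcmd} add pass ip from any to any via net1
${fwcmd} add pass ip from any to any via tun1
# Create a NAT table for reaching unregistered VPN clients
# This prevents pushing any route to them
${fwcmd} nat 111 config if tun0 deny_in same_ports unreg_only reset
# Check incoming packets against NAT table
${fwcmd} add nat 111 ip from any to any in via tun0
# Allow ICMP to myself on Internet interface
${fwcmd} add pass icmp from me to any out via net0
${fwcmd} add pass icmp from any to me in via net0
# Allow NTP to myself on Internet interface
${fwcmd} add pass udp from me 123 to any 123 out via net0
${fwcmd} add pass udp from any 123 to me 123 in via net0
## Allow OpenVPN to myself on Internet interface
${fwcmd} add pass udp from me ${OVPN_PORT} to any out via net0
${fwcmd} add pass udp from any to me ${OVPN_PORT} in via net0
# All ICMP and SSH to manager ONLY from the unregistered-ovpn interface
# NAT internal traffic when reaching unregistered-VPN devices
${fwcmd} add nat 111 ip from any to any out via tun0
--------------------------------------------------------------------------------
/EINE/Files/usr/local/etc/ansible/roles/gateway/files/usr/local/etc/bird.conf.j2:
--------------------------------------------------------------------------------
#{{ ansible_managed }}
# Configure logging
log syslog all;
log "/var/log/bird.log" all;
#log stderr all;
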
| # Override router ID 8 | router id {{ if_lo_inet4_addr }}; 9 | 10 | filter direct_in 11 | { 12 | if net = {{unregistered_inet4_net}}/{{unregistered_inet4_prefix}} then accept; 13 | else reject; 14 | } 15 | 16 | # Sync bird routing table with kernel 17 | protocol kernel { 18 | export all; 19 | learn; 20 | scan time 10; 21 | } 22 | 23 | # Include device route (warning: Generate a device route (/32) for each connected interfaces) 24 | protocol device { 25 | scan time 10; 26 | } 27 | 28 | # Include directly connected network (simulate passive interface) 29 | protocol direct { 30 | interface "tun0"; 31 | } 32 | 33 | # Enable OSPF, only on LAN and tun interface to registered client 34 | protocol ospf GATEWAY { 35 | export filter direct_in; # We advertise only tun0 routes to ospf 36 | rfc1583compat yes; 37 | area 0.0.0.0 { 38 | interface "net1" { 39 | cost 10; 40 | type broadcast; 41 | }; 42 | interface "tun1" { 43 | cost 10; 44 | type ptp; 45 | }; 46 | interface "lo1" { 47 | stub yes; 48 | }; 49 | }; 50 | } 51 | 52 | protocol static { 53 | route 0.0.0.0/0 via {{gateway_inet4}}; 54 | } 55 | 56 | -------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/roles/gateway/files/usr/local/etc/openvpn/gateway.conf.j2: -------------------------------------------------------------------------------- 1 | #{{ ansible_managed }} 2 | server {{registered_inet4_net}} {{registered_inet4_mask}} 3 | topology subnet 4 | dev tun1 5 | proto udp 6 | port 1195 7 | fast-io 8 | ca ca.crt 9 | cert {{hostname}}.crt 10 | key {{hostname}}.key 11 | dh dh1024.pem 12 | cipher AES-128-CBC 13 | tls-auth ta.key 0 14 | persist-key 15 | persist-tun 16 | user nobody 17 | group nobody 18 | keepalive 10 60 19 | crl-verify crl.pem 20 | status /var/log/openvpn-gateway.log 5 21 | status-version 2 22 | client-config-dir ccd 23 | ifconfig-pool-persist ipp.txt 24 | # All VPN gateways hosts VPN-routers service on 2.2.2.2 25 | push "route 2.2.2.2 
255.255.255.255" 26 | # Limiting too big UDP packets (like RADIUS EAP-TLS packets) 27 | fragment 1400 28 | # reduce TCP MSS size 29 | mssfix 30 | # Next lines (push dhcp-option) will be added by the 'role manager' script 31 | #push "dhcp-option DOMAIN eine.bsdrp.net" 32 | #push "dhcp-option DNS 10.0.12.2" 33 | #push "dhcp-option DNS 10.0.23.2" 34 | -------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/roles/gateway/files/usr/local/etc/openvpn/ovpn-registration.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # OpenVPN Registration tunnel up/down script: 4 | # ipfw didn't have tun0 interface during startup, then it need to be 5 | # reloaded after openvpn create and setup the tun0 interface 6 | 7 | case ${script_type} in 8 | up) 9 | /bin/sh /etc/ipfw.rules || /usr/bin/logger "ERROR for reloading ipfw" 10 | ;; 11 | down) 12 | ;; 13 | esac 14 | -------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/roles/gateway/files/usr/local/etc/openvpn/registration.conf.j2: -------------------------------------------------------------------------------- 1 | #{{ ansible_managed }} 2 | server {{unregistered_inet4_net}} {{unregistered_inet4_mask}} 3 | topology p2p 4 | dev tun0 5 | proto udp 6 | port 1194 7 | fast-io 8 | ca ca.crt 9 | cert {{hostname}}.crt 10 | key {{hostname}}.key 11 | dh dh1024.pem 12 | cipher AES-128-CBC 13 | tls-auth ta.key 0 14 | persist-key 15 | persist-tun 16 | user nobody 17 | group nobody 18 | keepalive 10 60 19 | status /var/log/openvpn-registration.log 5 20 | status-version 2 21 | duplicate-cn 22 | # Very important feature for limiting too big UDP packet (RADIUS with EAP-TLS) 23 | fragment 1400 24 | # reduce TCP MSS size 25 | mssfix 26 | # Need to reload ipfw after creating tun0 27 | script-security 2 28 | up /usr/local/etc/openvpn/ovpn-registration.sh 29 | down 
/usr/local/etc/openvpn/ovpn-registration.sh 30 | -------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/roles/gateway/files/usr/local/etc/raddb/clients.conf.j2: -------------------------------------------------------------------------------- 1 | #{{ ansible_managed }} 2 | client vpnwifirouter { 3 | ipaddr = {{registered_inet4_net}}/{{registered_inet4_prefix}} 4 | proto = udp 5 | secret = "averylongpassword" 6 | require_message_authenticator = yes 7 | nas_type = other 8 | } 9 | -------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/roles/gateway/files/usr/local/etc/raddb/proxy.conf.j2: -------------------------------------------------------------------------------- 1 | #{{ ansible_managed }} 2 | {% for host in radius_servers %} 3 | home_server {{ host.name }} { 4 | type = auth+acct 5 | ipaddr = {{ host.ip }} 6 | port = {{ host.port }} 7 | secret = "{{ host.password }}" 8 | require_message_authenticator = yes 9 | response_window = 20 10 | zombie_period = 40 11 | revive_interval = 120 12 | #Microsoft crap still didn't support RFC5997 in 2016 13 | #status_check = status-server 14 | status_check = request 15 | username = "test_user_please_reject_me" 16 | check_interval = 30 17 | num_answers_to_alive = 3 18 | } 19 | {% endfor %} 20 | 21 | home_server_pool eap_radius_servers { 22 | type = fail-over 23 | {% for host in radius_servers %} 24 | home_server = {{ host.name }} 25 | {% endfor %} 26 | } 27 | 28 | realm NULL { 29 | nostrip 30 | auth_pool = eap_radius_servers 31 | acct_pool = eap_radius_servers 32 | } 33 | -------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/roles/gateway/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: start kld 3 | service: name=kld state=restarted 4 | 5 | - name: stop openvpn 6 | service: 
name=openvpn state=stopped 7 | 8 | - name: restart openvpn_registration 9 | service: name=openvpn_registration state=restarted 10 | 11 | - name: restart openvpn_gateway 12 | service: name=openvpn_gateway state=restarted 13 | 14 | - name: restart bird 15 | service: name=bird state=restarted 16 | 17 | - name: restart firewall 18 | service: name=ipfw state=restarted 19 | 20 | - name: restart freeradius 21 | service: name=radiusd state=restarted 22 | -------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/roles/gateway/tasks/bird.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: enable bird 3 | action: service name=bird enabled=yes 4 | tags: bird 5 | notify: 6 | - restart bird 7 | 8 | - name: Generate bird.conf file 9 | template: src=/usr/local/etc/ansible/roles/gateway/files/usr/local/etc/bird.conf.j2 10 | dest=/usr/local/etc/bird.conf owner=root group=wheel mode=0600 11 | validate='bird -pc %s' 12 | tags: bird 13 | notify: 14 | - restart bird 15 | -------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/roles/gateway/tasks/firewall.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Generate ipfw.rules 3 | template: src=/usr/local/etc/ansible/roles/gateway/files/etc/ipfw.rules.j2 4 | dest=/etc/ipfw.rules owner=root group=wheel mode=0644 5 | tags: firewall 6 | notify: 7 | - restart firewall 8 | 9 | - name: Declare ipfw configuration file 10 | lineinfile: dest=/etc/rc.conf regexp=^firewall_script= line='firewall_script="/etc/ipfw.rules"' 11 | tags: firewall 12 | notify: 13 | - restart firewall 14 | 15 | - name: enable firewall nat 16 | lineinfile: dest=/etc/rc.conf regexp=^firewall_nat_enable= line='firewall_nat_enable="YES"' 17 | tags: firewall 18 | notify: 19 | - restart firewall 20 | 21 | - name: enable firewall 22 | action: service name=ipfw 
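enabled=yes
  tags: firewall
  notify:
    - restart firewall
--------------------------------------------------------------------------------
/EINE/Files/usr/local/etc/ansible/roles/gateway/tasks/freeradius.yml:
--------------------------------------------------------------------------------
---
- name: Generate proxy.conf
  template: src=/usr/local/etc/ansible/roles/gateway/files/usr/local/etc/raddb/proxy.conf.j2
            dest=/usr/local/etc/raddb/proxy.conf owner=root group=wheel mode=0600
  tags: freeradius
  notify:
    - restart freeradius

# clients.conf.j2 carries the RADIUS shared secret, so it is deployed with the
# same mode as proxy.conf (0600) rather than world-readable 0644.
- name: Generate clients.conf
  template: src=/usr/local/etc/ansible/roles/gateway/files/usr/local/etc/raddb/clients.conf.j2
            dest=/usr/local/etc/raddb/clients.conf owner=root group=wheel mode=0600
  tags: freeradius
  notify:
    - restart freeradius

- name: enable radius
  action: service name=radiusd enabled=yes
  tags: freeradius
  notify:
    - restart freeradius
--------------------------------------------------------------------------------
/EINE/Files/usr/local/etc/ansible/roles/gateway/tasks/kld.yml:
--------------------------------------------------------------------------------
---
# Single '=' in the rc.conf line: with 'kld_list=="..."' sh would store
# '=coretemp ipmi aesni' and kldload would fail on the module name '=coretemp'.
- name: Declare kernel modules to load
  lineinfile: dest=/etc/rc.conf regexp=^kld_list= line='kld_list="coretemp ipmi aesni"'
  tags: kld
  notify:
    - start kld
--------------------------------------------------------------------------------
/EINE/Files/usr/local/etc/ansible/roles/gateway/tasks/main.yml:
--------------------------------------------------------------------------------
---
- include: kld.yml
- include: resolv.yml
- include: firewall.yml
- include: openvpn.yml
- include: bird.yml
- include: freeradius.yml
--------------------------------------------------------------------------------
/EINE/Files/usr/local/etc/ansible/roles/gateway/tasks/openvpn.yml: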
-------------------------------------------------------------------------------- 1 | --- 2 | - name: Stop OpenVPN 3 | lineinfile: dest=/etc/rc.conf regexp=^openvpn_enable line='openvpn_enable="NO"' 4 | tags: openvpn 5 | notify: 6 | - stop openvpn 7 | 8 | - name: Generate multiple rc scripts for gateway and registration 9 | file: src=/usr/local/etc/rc.d/openvpn dest=/usr/local/etc/rc.d/openvpn_{{ item }} state=link 10 | with_items: 11 | - gateway 12 | - registration 13 | notify: 14 | - restart openvpn_gateway 15 | - restart openvpn_registration 16 | 17 | - name: enable openvpn_gateway 18 | action: service name=openvpn_gateway enabled=yes 19 | tags: openvpn 20 | notify: 21 | - restart openvpn_gateway 22 | 23 | - name: enable openvpn_registration 24 | action: service name=openvpn_registration enabled=yes 25 | tags: openvpn 26 | notify: 27 | - restart openvpn_registration 28 | 29 | - name: copy certificate files 30 | action: copy src=/usr/local/etc/ansible/roles/gateway/files/usr/local/etc/openvpn/{{ inventory_hostname }}.{{ item }} 31 | dest=/usr/local/etc/openvpn owner=root group=wheel mode=0600 32 | with_items: 33 | - crt 34 | - key 35 | notify: 36 | - restart openvpn_registration 37 | - restart openvpn_gateway 38 | 39 | - name: copy crl file 40 | action: copy src=/usr/local/etc/ansible/roles/gateway/files/usr/local/etc/openvpn/crl.pem 41 | dest=/usr/local/etc/openvpn owner=root group=wheel mode=0664 42 | tags: 43 | - openvpn 44 | - crl 45 | 46 | - name: copy script 47 | action: copy src=/usr/local/etc/ansible/roles/gateway/files/usr/local/etc/openvpn/{{ item }} 48 | dest=/usr/local/etc/openvpn owner=root group=wheel mode=0711 49 | with_items: 50 | - ovpn-registration.sh 51 | notify: 52 | - restart openvpn_registration 53 | 54 | - name: creates ccd directory 55 | action: file path=/usr/local/etc/openvpn/ccd state=directory 56 | tags: 57 | - openvpn 58 | - ccd 59 | 60 | - name: Copy all files from ccd/* 61 | action: copy src={{ item}} dest=/usr/local/etc/openvpn/ccd 
62 | tags: 63 | - openvpn 64 | - ccd 65 | with_fileglob: 66 | - /usr/local/etc/ansible/roles/gateway/files/usr/local/etc/openvpn/ccd/* 67 | 68 | - name: Set configuration file 69 | lineinfile: dest=/etc/rc.conf regexp=^openvpn_{{item}}_configfile= line='openvpn_{{item}}_configfile="/usr/local/etc/openvpn/{{item}}.conf"' 70 | tags: openvpn 71 | with_items: 72 | - gateway 73 | - registration 74 | notify: 75 | - restart openvpn_registration 76 | - restart openvpn_gateway 77 | 78 | - name: Generate gateway.conf and registration files 79 | template: src=/usr/local/etc/ansible/roles/gateway/files/usr/local/etc/openvpn/{{item }}.conf.j2 80 | dest=/usr/local/etc/openvpn/{{item}}.conf owner=root group=wheel mode=0644 81 | tags: openvpn 82 | with_items: 83 | - gateway 84 | - registration 85 | notify: 86 | - restart openvpn_gateway 87 | - restart openvpn_registration 88 | -------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/roles/gateway/tasks/resolv.yml: -------------------------------------------------------------------------------- 1 | - name: copy resolv.conf file 2 | action: copy src=/usr/local/etc/ansible/roles/gateway/files/etc/resolv.conf 3 | dest=/etc/resolv.conf owner=root group=wheel mode=0644 4 | -------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/roles/nanobsd/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: config save 3 | command: config save 4 | 5 | -------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/roles/nanobsd/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Checking configuration saved status 3 | command: config diff quiet 4 | register: config_status 5 | changed_when: "config_status.rc != 0" 6 | ## BUG that trigger changed in all case 
failed_when: "'ERROR' in config_status.stderr"
tags: saving
notify:
- config save
-------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/roles/vpn_wifi_router/files/etc/hostapd-wlan0.conf: --------------------------------------------------------------------------------
#{{ ansible_managed }}
# hostapd configuration for the router's access point: WPA2-Enterprise
# (802.1X/EAP) with CCMP only, authenticating against a RADIUS server that is
# reached through the OpenVPN tunnel.
### Global parameters ###
#Wireless interface previously put in hostap mode
interface=wlan0
# Interface for separate control program (like hostapd_cli)
ctrl_interface=/var/run/hostapd
# Access control for the control interface
ctrl_interface_group=wheel
#logger_syslog=-1
#logger_syslog_level=2
##### IEEE 802.11 related configuration #######################################
# SSID to be used in IEEE 802.11 management frames
ssid=WIFI@EINE
##### IEEE 802.1X-2004 related configuration ##################################
# ieee8021x must be set for WPA2-EAP
ieee8021x=1
### RADIUS client ###
# IP address 2.2.2.2 is a loopback on ALL gateways
# and a route toward 2.2.2.2/32 is installed by ovpn-if up script
# RADIUS packets leave through tun0 (see the "nat 2" rule in ipfw.rules.j2),
# so the OpenVPN tunnel plus this shared secret are the only protection for the
# EAP exchange.
auth_server_addr=2.2.2.2
# NOTE(review): "averylongpassword" reads like a placeholder, is committed with
# the role, and is reused for accounting below. Generate a random per-router
# secret, keep it in Ansible vault and rotate it on the RADIUS server in step.
auth_server_shared_secret=averylongpassword
acct_server_addr=2.2.2.2
acct_server_shared_secret=averylongpassword
##### WPA/IEEE 802.11i configuration ##########################################
#This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
# and/or WPA2 (full IEEE 802.11i/RSN):
# bit0 = WPA
# bit1 = IEEE 802.11i/RSN (WPA2)
wpa=2
# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
# entries are separated with a space.
# (dot11RSNAConfigAuthenticationSuitesTable)
wpa_key_mgmt=WPA-EAP
# Set of accepted cipher suites (encryption algorithms) for pairwise keys
# (unicast packets). This is a space separated list of algorithms:
# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
# Group cipher suite (encryption algorithm for broadcast and multicast frames)
# is automatically selected based on this configuration. If only CCMP is
# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,
# TKIP will be used as the group cipher.
# (dot11RSNAConfigPairwiseCiphersTable)
# Pairwise cipher for WPA (v1) (default: TKIP)
wpa_pairwise=CCMP
# NOTE(review): no ieee80211w (802.11w, protected management frames) setting;
# worth enabling if the wlan driver and this hostapd build support it.
-------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/roles/vpn_wifi_router/files/etc/ipfw.rules.j2: --------------------------------------------------------------------------------
#!/bin/sh
#{{ ansible_managed }}
# ipfw rule set for the VPN Wi-Fi router. Loaded by rc (firewall_script) at
# boot and re-run by ovpn-if.sh once tun0 exists. Policy: trust lo0/lo1/net1/
# wlan0 and anything arriving from the tunnel, stateful egress to the Internet
# through NAT + IDS divert, deny everything else.
### WARNING ###
# When these rules are loaded during boot, the tun0 interface does not exist yet.
# Then ALL traffic on tun0 is denied: the rules NEED to be reloaded by the openvpn up script
# These rules NEED: net.inet.ip.fw.one_pass=0
# With the default net.inet.ip.fw.one_pass=1, the incoming nat rule is the last rule for a matched packet
fwcmd="/sbin/ipfw -q"
fwadd="${fwcmd} add"
LANS="{{if_lan_inet4_net}}/{{if_lan_inet4_prefix}},{{if_wifi_inet4_net}}/{{if_wifi_inet4_prefix}}"
# Interfaces description:
# net0 is [UNSECURE] Internet facing NIC
# tun0 is registered OpenVPN tunnel interface
# net1 is local/internal facing NIC
# wlan0 is local/internal facing Wireless NIC
# lo1 is loopback interface used for management

## Flush out the list before we begin.
# NOTE(review): this script is also executed from the OpenVPN up hook, so each
# tunnel (re)start flushes the whole set including dynamic state: existing
# LAN sessions lose their keep-state entries and the kernel default rule
# applies until the set is rebuilt below.
${fwcmd} -f flush

#### Section: NAT table creation ####
# Create a NAT table for outgoing Internet traffic using Internet NIC source IP
# Option "deny-in" is to be used only with net.inet.ip.fw.one_pass=1 mode
${fwcmd} nat 1 config if net0 log same_ports unreg_only reset
# Create a second NAT table just for forcing RADIUS request to use tunnel as source IP
# hostapd can't bind specific interface and will use bad source IP
${fwcmd} nat 2 config if tun0 log same_ports unreg_only reset

#### Section: Trusted Interfaces ####
# Don't filter on loopback and internal interfaces
# NOTE(review): "via net1"/"via wlan0" also matches traffic addressed to the
# router itself, so every LAN host and every EAP-authenticated Wi-Fi client can
# reach any local service this role enables (sshd, monit's HTTP listener,
# dnsmasq...). Restrict this to the needed services if those users are not
# fully trusted.
${fwadd} pass ip from any to any via lo0
${fwadd} pass ip from any to any via lo1
${fwadd} pass ip from any to any via net1
${fwadd} pass ip from any to any via wlan0

#### Section: Incoming rules ####
# Re-assemble input fragmented packets received on Internet interface
${fwadd} reass ip from any to any in recv net0
# NAT back incoming packets
${fwadd} nat 1 ip from any to any in recv net0
${fwadd} nat 2 ip from any to any in recv tun0
# Now that incoming traffic from tunnel is NATed back, we trust all traffic from it
${fwadd} allow ip from any to any in recv tun0
# Check incoming packets against the stateful table
# This implies taking the action registered during state creation (allow/deny/skipto)
# NOTE(review): no rule admits inbound ICMP on net0 beyond what the dynamic
# rules match; ICMP errors (destination unreachable / fragmentation needed,
# time exceeded) for the router's own UDP/TCP flows are therefore dropped unless
# ipfw's state matching covers them — confirm, or add an explicit
# "pass icmp from any to me in recv net0 icmptypes 3,11".
${fwadd} check-state

#### Section: Outgoing rules to Internet ####
# Allow internal LANs to exit to Internet by creating a stateful entry with action "skipto" NAT section
# The stateful table will include private addresses (because called BEFORE NAT rule)
${fwadd} skipto 2000 ip from ${LANS} to any out xmit net0 keep-state
# Allow firewall to exit to Internet with stateful protection
# ICMP
${fwadd} pass icmp from me to any out xmit net0 keep-state
# DNS, BOOTPS, NTP and OpenVPN
${fwadd} pass udp from me to any 53,67,123,1195 out xmit net0 keep-state
# HTTP and HTTPS (Firmware or IDS signatures download)
${fwadd} pass tcp from me to any 80,443 out xmit net0 setup keep-state

#### Section: Outgoing rules to Tunnel ####
# NAT source IP for packets going to RADIUS ONLY
# hostapd can't bind a specific interface, but we need to force it using tunnel address as source
# (relies on one_pass=0: after the nat action the packet continues to the pass rules below)
${fwadd} nat 2 udp from me to 2.2.2.2 1812,1813 out xmit tun0
# Allow LANs and firewall to exit to Tunnel
${fwadd} pass ip from ${LANS} to any xmit tun0
${fwadd} pass ip from me to any xmit tun0

#### Last rule: Deny all the rest
${fwadd} deny ip from any to any

#### External skipto section: IDS and NAT Internet traffic
# Packets directed here are:
# 1. outgoing from LANs to Internet (they are still not NATed)
# 2. incoming from Internet and matching a session (they are already unNATed)
# Then for all these packets, we send them to the IDS
# (if nothing listens on divert port 8000 these packets are dropped)
${fwadd} 2000 divert 8000 ip from any to any via net0
# We NAT only outgoing packets
${fwadd} nat 1 ip from any to any out xmit net0
# Now we allow packets in both directions
${fwadd} allow ip from any to any via net0
-------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/roles/vpn_wifi_router/files/etc/periodic.conf: --------------------------------------------------------------------------------
daily_output="/var/log/daily.log"
weekly_output="/var/log/weekly.log"
monthly_output="/var/log/monthly.log"
security_output="/var/log/security.log"
#disable some sendmail specific daily maintenance routines
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"
#Disable pkg audit and maintenance routines
# NOTE(review): with pkg audit disabled the router never reports known-vulnerable
# packages (openvpn, bird, hostapd, snort...). If this is deliberate for a
# read-only image, run "pkg audit" in the firmware build pipeline instead.
daily_status_security_pkgaudit_enable="NO"
daily_status_pkg_changes_enable="NO" 13 | weekly_status_pkg_enable="NO" 14 | daily_update_ids_enable="YES" 15 | -------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/roles/vpn_wifi_router/files/etc/rc.conf.j2: -------------------------------------------------------------------------------- 1 | #{{ ansible_managed }} 2 | # Hostname 3 | hostname="{{hostname}}" 4 | 5 | # Configure first interface as net0 "Internet" interface 6 | {% if if_internet_device is defined %} 7 | ifconfig_{{ if_internet_device }}_name="net0" 8 | {% else %} 9 | # re0 on APU 10 | # vtnet0 on VirtIO VM 11 | # em0 or vmx0 on VMware VM 12 | # igb on SuperMicro 13 | ifconfig_re0_name="net0" 14 | ifconfig_vtnet0_name="net0" 15 | ifconfig_em0_name="net0" 16 | ifconfig_vmx0_name="net0" 17 | ifconfig_igb0_name="net0" 18 | {% endif %} 19 | 20 | # Configure second interface as net1 "Internal" interface 21 | {% if if_lan_device is defined %} 22 | ifconfig_{{ if_lan_device }}_name="net1" 23 | {% else %} 24 | # APU had 3 NIC, re2 is not used in our case 25 | ifconfig_re1_name="net1" 26 | ifconfig_vtnet1_name="net1" 27 | ifconfig_em1_name="net1" 28 | ifconfig_vmx1_name="net1" 29 | ifconfig_igb1_name="net1" 30 | {% endif %} 31 | 32 | # Enable routing 33 | gateway_enable="YES" 34 | ipv6_gateway_enable="NO" 35 | ipv6_activate_all_interfaces="NO" 36 | rtadvd_enable="NO" 37 | rtadvd_interfaces="net1 wlan0" 38 | 39 | # Configure "Internet" interface as DHCP client 40 | background_dhclient=YES 41 | ifconfig_net0="DHCP" 42 | 43 | # Permit to learn default IPv6 route on this interface even with IPv6 routing enabled 44 | ipv6_cpe_wanif="net0" 45 | 46 | # LAN and lo1 interface IP configuration 47 | cloned_interfaces="lo1" 48 | ifconfig_lo1="inet {{if_lo_inet4_addr}}/{{if_lo_inet4_prefix}}" 49 | ifconfig_net1="inet {{if_lan_inet4_addr}}/{{if_lan_inet4_prefix}}" 50 | 51 | # Wifi interface 52 | wlans_{{if_wifi_device}}="wlan0" 53 | create_args_wlan0="wlanmode 
hostap" 54 | ifconfig_wlan0="inet {{if_wifi_inet4_addr}}/{{if_wifi_inet4_prefix}} hostap channel 5" 55 | 56 | # Firewall 57 | firewall_enable="YES" 58 | firewall_nat_enable="YES" 59 | firewall_script="/etc/ipfw.rules" 60 | 61 | # Enable RFC1323 extensions 62 | tcp_extensions="YES" 63 | 64 | # Enable SSH by default 65 | sshd_enable="YES" 66 | 67 | # Load APU LED module drivers and amdtemp 68 | kld_list="apuled amdtemp wlan_xauth ipdivert" 69 | 70 | # Loop script that is waiting for RESET 71 | resetcheck_enable="YES" 72 | 73 | # Enable OpenVPN 74 | openvpn_enable="YES" 75 | 76 | # Enable bird 77 | bird_enable="YES" 78 | 79 | # Enable DNSmasq 80 | dnsmasq_enable="YES" 81 | 82 | # Forcing date setup by NTP at boot is mandatory 83 | # Certificate date are checked 84 | ntpdate_enable="YES" 85 | 86 | # Enable IDPS 87 | snort_enable="YES" 88 | 89 | -------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/roles/vpn_wifi_router/files/etc/sysctl.conf: -------------------------------------------------------------------------------- 1 | # $FreeBSD: src/etc/sysctl.conf,v 1.8 2003/03/13 18:43:50 mux Exp $ 2 | # 3 | # This file is read when going to multi-user and its contents piped thru 4 | # ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details. 5 | # 6 | 7 | ### TO DO ### 8 | # Read the document here: 9 | # Advices from: http://wiki.freebsd.org/NetworkPerformanceTuning 10 | 11 | ### Forwarding ### 12 | # Enable Fastforwarding (man 4 inet) and BREAK IPsec (but TCP_MD5 stills works with fastforwarding): 13 | net.inet.ip.fastforwarding=1 14 | # Enable Zerocopy for bpf: 15 | net.bpf.zerocopy_enable=1 16 | # Sendmsg() cat't send messages more than maxdgram length. 17 | # Default value causes routing software to fail with OSPF if jumbo frames is turned on. 
18 | net.inet.raw.maxdgram=16384 19 | net.inet.raw.recvspace=16384 20 | # Bump net.route.netisr_maxqlen to 2048 or higher value 21 | net.route.netisr_maxqlen=2048 22 | # Increasing bpf perfs (in -current only ?) 23 | #net.bpf.optimize_writers=1 24 | # Do not send IP redirects 25 | net.inet.ip.redirect=0 26 | # Current CPU can manage a lot's more of interrupts than default (1000) 27 | # The 9000 value was found in /usr/src/sys/dev/ixgbe/README 28 | hw.intr_storm_threshold=9000 29 | 30 | ### Polling ### 31 | # Improve a lot's the polling performance 32 | # Enable idle_poll 33 | #kern.polling.idle_poll=1 34 | # The default value of 150 was for FastEthernet: 35 | #kern.polling.burst_max=20000 36 | #kern.polling.each_burst=50 37 | # For a router, don't need to share 50/50 with user process 38 | #kern.polling.user_frac=30 39 | 40 | ### Security ### 41 | # blackhole(8) 42 | # Disable this feature because prevent traceroute to works correctly 43 | #net.inet.tcp.blackhole=2 44 | #net.inet.udp.blackhole=1 45 | # prevent users from seeing information about processes that 46 | # are being run under another UID. 
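security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
# Prevent some potential exploit
security.bsd.unprivileged_proc_debug=0

### Misc ###
# Do not generate core file
kern.coredump=0
#Power save: Disable power for device with no driver loaded
hw.pci.do_power_nodriver=3
# ICMP reply from incoming interface for non-local packets
net.inet.icmp.reply_from_interface=1
# Enable multi-pass with IPFW (required by ipfw.rules.j2)
net.inet.ip.fw.one_pass=0
-------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/roles/vpn_wifi_router/files/usr/local/etc/IDS-update.conf: --------------------------------------------------------------------------------
# Configuration file for IDS update
# Sourced by the IDS-update script: where to fetch the rule archives and which
# rule files to extract for the snort instance fed by ipfw's divert 8000.
SNORT_REG_URL='https://www.snort.org/downloads/community/community-rules.tar.gz'
SNORT_REG_RULES='
rules/backdoor.rules
rules/botnet-cnc.rules
rules/malware-backdoor.rules
rules/malware-cnc.rules
rules/malware-other.rules
rules/malware-tools.rules
rules/phishing-spam.rules
rules/spyware-put.rules
rules/virus.rules
'

# NOTE(review): the Emerging Threats archive was fetched over plain HTTP. These
# rules are loaded into an IDS sitting on the ipfw divert path, so an on-path
# attacker could serve a modified archive. Fetch it over TLS, and make sure
# IDS-update (not in view here) verifies the server certificate and does not
# blindly unpack the tarball (paths inside the archive are attacker-controlled).
ET_URL='https://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz'
ET_RULES='
rules/emerging-dos.rules
rules/emerging-malware.rules
rules/emerging-attack_response.rules
rules/emerging-worm.rules
rules/emerging-trojan.rules
rules/emerging-mobile_malware.rules
'
-------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/roles/vpn_wifi_router/files/usr/local/etc/bird.conf.j2: --------------------------------------------------------------------------------
#{{ ansible_managed }}
# Configure logging
log syslog all;
log "/var/log/bird.log" all;
#log stderr all;

# Override router ID
router id {{ if_lo_inet4_addr }};

filter kernel_in
{
    # Prevent putting the default route (already learned by DHCP) into the kernel table
    if net = 0.0.0.0/0 then reject;
    else accept;
}

# Sync bird routing table with kernel
protocol kernel {
    export filter kernel_in;
    learn;
    scan time 10;
}

# Include device route (warning, a device route is a /32)
protocol device {
    scan time 10;
}

# Enable OSPF, only on tun interface
# NOTE(review): the OSPF adjacency on tun0 has no authentication configured;
# it is carried inside the OpenVPN tunnel, so the tunnel is the only
# protection for the routes learned here.
protocol ospf CLIENT {
    rfc1583compat yes;
    area 0.0.0.0 {
        interface "tun0" {
            cost 10;
            type ptp;
        };
        interface "lo1" {
            stub yes;
        };
        interface "net1" {
            stub yes;
        };
        interface "wlan0" {
            stub yes;
        };
    };
}
-------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/roles/vpn_wifi_router/files/usr/local/etc/monit.j2: --------------------------------------------------------------------------------
#{{ ansible_managed }}
# check services at 30 seconds intervals
set daemon 30
# Send log to syslog
set logfile syslog
# Specify working file
set pidfile /var/run/monit.pid
set idfile /var/run/.monit.id
set statefile /var/run/.monit.state
# NOTE(review): "selfsigned : allow" weakens "verify : enable" for every TLS
# connection monit makes, including the mail server below. Keep it only if the
# CA bundle on the image cannot validate that server's chain.
set ssl {
    verify : enable,
    selfsigned : allow
}

# Define mail server
# NOTE(review): a real-looking mailbox password is committed in this template
# (and therefore in the repository history). Treat it as compromised: revoke it
# on the account and supply the replacement from an Ansible vault variable
# instead of a literal here.
set mailserver smtp.gmail.com port 465
    username cochard@gmail.com password xqtksmvphqirbyvk
    using SSL
    using HOSTNAME testrestorec
# Define mail and filter
set alert cochard@gmail.com but not on {instance, nonexist}
mail-format {
    From: cochard@gmail.com
    Subject: [$HOST] $EVENT $SERVICE
    Message: $DESCRIPTION
    $DATE
}
# Set HTTP daemon
# NOTE(review): the HTTP interface listens on all addresses with no
# "use address" restriction, over plain HTTP, with credentials (eine:monitor)
# that are checked into the repository. ipfw.rules.j2 passes everything from
# net1, wlan0 and the tunnel to the router, so every LAN/Wi-Fi client can
# reach it. Bind it to 127.0.0.1 (or lo1) and change the password.
set httpd
    port 80
    allow eine:monitor
# Start monitoring processes
# When monit starts, sshd is still not started, need to add a tempo
check process sshd with pidfile /var/run/sshd.pid
    start program = "/etc/rc.d/sshd onestart"
    stop program = "/etc/rc.d/sshd onestop"
    if failed port 666 protocol ssh then restart
check process bird with pidfile /var/run/bird.pid
    start program = "/usr/local/etc/rc.d/bird onestart"
    stop program = "/usr/local/etc/rc.d/bird onestop"
    depends on openvpn
# "protocol dns" will generate a DNS query, notice that when tunnel is up mode the DNS query
# will target internal DNS servers behind the tunnel because 'resolvconf -x' used
check process dnsmasq with pidfile /var/run/dnsmasq.pid
    start program = "/usr/local/etc/rc.d/dnsmasq onestart"
    stop program = "/usr/local/etc/rc.d/dnsmasq onestop"
    if failed host 127.0.0.1 port 53 type udp then alert
    if failed host 127.0.0.1 port 67 type udp then alert
check process openvpn with pidfile /var/run/openvpn.pid
    start program = "/usr/local/etc/rc.d/openvpn onestart"
    stop program = "/usr/local/etc/rc.d/openvpn onestop"
    depends on ntpd
check process hostapd with pidfile /var/run/hostapd-wlan0.pid
    start program = "/etc/rc.d/hostapd onestart wlan0"
    stop program = "/etc/rc.d/hostapd onestop wlan0"
    depends on wifi
check file signature with path /usr/local/etc/snort/rules/emerging-malware.rules
    if does not exist then exec "/usr/local/sbin/IDS-update"
# snort is slow to start too, need to add a tempo here too
check process snort with pidfile /var/run/snort_.pid
    start program = "/usr/local/etc/rc.d/snort onestart" with timeout 60 seconds
    stop program = "/usr/local/etc/rc.d/snort onestop"
    depends on signature
# testing protocol ntp3 waits for being synchronized, this can take a long time if using "protocol ntp3"
check process ntpd with pidfile /var/run/ntpd.pid
    start program = "/etc/rc.d/ntpd onestart"
    stop program = "/etc/rc.d/ntpd onestop"
    if failed host 127.0.0.1 port 123 type udp then alert
# Test for openvpn low-priority problem on the log file
# openvpn MUST be configured with "--log" and NOT "--log-append"
# NOTE(review): openvpn.conf.j2 in this role uses "log-append" — see the
# note there; the two files currently disagree.
check file openvpnlog with path /var/log/openvpn.log
    if match "Permission denied" then restart
    start program = "/usr/local/etc/rc.d/openvpn onestart"
    stop program = "/usr/local/etc/rc.d/openvpn onestop"
# Test for data traffic AND radius relay feature of the VPN gateway
check host vpngateway with address 2.2.2.2
    if failed ping count 2 size 64 with timeout 10 seconds for 2 cycles then alert
    if failed port 1812 type udp then alert
    if failed port 1813 type udp then alert
    depends on bird
check filesystem var with path /var
    if space usage > 90% then alert
check system {{hostname}}
    if loadavg (1min) > 4 then alert
    if loadavg (5min) > 2 then alert
    if memory usage > 90% then alert
check program cputemp with path "/usr/local/etc/cputemp 74"
    if status != 0 for 2 cycles then alert
check network tunnel with interface tun0
    if failed link for 2 cycles then alert
    # if total download < 50 B in last 2 minutes then alert
    depends on openvpn
check network wifi with interface wlan0
    noalert cochard@gmail.com
    #if failed link for 2 cycles then alert
-------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/roles/vpn_wifi_router/files/usr/local/etc/openvpn/openvpn.conf.j2: --------------------------------------------------------------------------------
#{{ ansible_managed }}
# OpenVPN client configuration for a registered router: one "remote" line per
# host in the "gateways" inventory group, per-router certificate and key.
client
dev tun0
proto udp
nobind
{% for host in groups['gateways'] %}
remote {{ hostvars[host]['hostname'] }}.eine.orange-business.com 1195
{% endfor %}
ca ca.crt
cert {{hostname}}.crt
key {{hostname}}.key
# NOTE(review): only the data cipher is pinned; auth (HMAC), tls-version-min
# and tls-cipher stay at OpenVPN's defaults — align them with the gateway policy.
cipher AES-128-CBC
remote-cert-tls server
tls-auth ta.key 1
persist-key
persist-tun
user nobody
group nobody
fast-io
explicit-exit-notify
# NOTE(review): monit.j2 in this role states that openvpn MUST use "--log" and
# NOT "--log-append" for its "Permission denied" restart test, but this
# template uses log-append. Decide which one is right for the monit version
# shipped on the image and make the two files agree.
log-append /var/log/openvpn.log
script-security 2
up /usr/local/etc/openvpn/ovpn-if.sh
# down hook runs as root through the down-root plugin (openvpn drops to nobody)
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-down-root.so "/usr/local/etc/openvpn/ovpn-if.sh"
fragment 1400
mssfix
-------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/roles/vpn_wifi_router/tasks/main.yml: --------------------------------------------------------------------------------
---
# vpn_wifi_router role: render the templates, copy the per-router certificate
# and key (0600), the static config files and the OpenVPN hook script, then
# force an IDS rule download.
- name: Generate rc, openvpn, bird, ipfw, dnsmasq, snort configuration files
  template: src=/usr/local/etc/ansible/roles/vpn_wifi_router/files/{{ item }}.j2
            dest=/{{ item }} owner=root group=wheel mode=0644
  with_items:
    - etc/rc.conf
    - etc/ipfw.rules
    - usr/local/etc/openvpn/openvpn.conf
    - usr/local/etc/bird.conf
    - usr/local/etc/dnsmasq.conf
    - usr/local/etc/IDS-update.conf
    - usr/local/etc/snort/snort.conf

# Private key material: keep mode 0600 (root-only) — do not fold this task into
# the 0644 copy task below.
- name: copy certificate files
  action: copy src=/usr/local/etc/ansible/roles/vpn_wifi_router/files/usr/local/etc/openvpn/{{ inventory_hostname }}.{{ item }}
          dest=/usr/local/etc/openvpn owner=root group=wheel mode=0600
  with_items:
    - crt
    - key

- name: copy files in 0644 mode (sysctl, periodic, hostapd)
  action: copy src=/usr/local/etc/ansible/roles/vpn_wifi_router/files/{{ item }}
          dest=/{{ item }} owner=root group=wheel mode=0644
  with_items:
    - etc/sysctl.conf
    - etc/periodic.conf
    - etc/hostapd-wlan0.conf

- name: copy files in 0755 mode (ovpn-if.sh)
  action: copy src=/usr/local/etc/ansible/roles/vpn_wifi_router/files/{{ item }}
          dest=/{{ item }} owner=root group=wheel mode=0755
  with_items:
    - usr/local/etc/openvpn/ovpn-if.sh

- name: Forcing IDS database download
  command: IDS-update
  changed_when: False

-------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/site.yml: --------------------------------------------------------------------------------
---
# NOTE(review): play-level "include:" is the pre-2.4 spelling; newer Ansible
# uses "import_playbook:".
- include: gateways.yml
- include: vpn_wifi_routers.yml
-------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/ansible/vpn_wifi_routers.yml: --------------------------------------------------------------------------------
---
- hosts: vpn_wifi_routers
  gather_facts: no
  # NOTE(review): "sudo: yes" is the deprecated pre-1.9 keyword; "become: yes"
  # is the replacement on current Ansible.
  sudo: yes
  roles:
    - vpn_wifi_router
    - nanobsd
-------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/newsyslog.conf.d/bird: --------------------------------------------------------------------------------
/var/log/bird.log 600 3 100 * JB /var/run/bird.pid
-------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/newsyslog.conf.d/openvpn: --------------------------------------------------------------------------------
/var/log/openvpn.log 600 3 100 * JC /var/run/openvpn.pid
-------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/newsyslog.conf.d/radiusd: --------------------------------------------------------------------------------
/var/log/radius.log freeradius:freeradius 600 3 100 * J /var/run/radiusd/radiusd.pid
/var/log/radius/radacct/*/* freeradius:freeradius 600 10 100 * JG
-------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/newsyslog.con.d/suricata: --------------------------------------------------------------------------------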
/var/log/suricata/stats.log root:wheel 640 3 500 * BX /var/run/suricata_inline.pid 2 | /var/log/suricata/fast.log root:wheel 640 3 500 * BX /var/run/suricata_inline.pid 3 | /var/log/suricata/http.log root:wheel 640 3 500 * BX /var/run/suricata_inline.pid 4 | /var/log/suricata/suricata.log root:wheel 640 3 500 * BX /var/run/suricata_inline.pid 5 | -------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/openvpn/ca.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIID4zCCA0ygAwIBAgIJAKc6PUwpk0lpMA0GCSqGSIb3DQEBBQUAMIGoMQswCQYD 3 | VQQGEwJGUjERMA8GA1UECBMIQnJldGFnbmUxDzANBgNVBAcTBlJlbm5lczEhMB8G 4 | A1UEChMYT3JhbmdlIEJ1c2luZXNzIFNlcnZpY2VzMQ0wCwYDVQQLEwRJQk5GMQsw 5 | CQYDVQQDEwJDQTELMAkGA1UEKRMCQ0ExKTAnBgkqhkiG9w0BCQEWGm9saXZpZXIu 6 | Y29jaGFyZEBvcmFuZ2UuY29tMB4XDTE0MDkxOTEwNTEwNloXDTI0MDkxNjEwNTEw 7 | NlowgagxCzAJBgNVBAYTAkZSMREwDwYDVQQIEwhCcmV0YWduZTEPMA0GA1UEBxMG 8 | UmVubmVzMSEwHwYDVQQKExhPcmFuZ2UgQnVzaW5lc3MgU2VydmljZXMxDTALBgNV 9 | BAsTBElCTkYxCzAJBgNVBAMTAkNBMQswCQYDVQQpEwJDQTEpMCcGCSqGSIb3DQEJ 10 | ARYab2xpdmllci5jb2NoYXJkQG9yYW5nZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD 11 | gY0AMIGJAoGBAMKH7AuUtRR76chpd8UUMrviCPKuypKgBIYMnvOEe8ex6eIRCTnE 12 | rF/7/qCl7wxFmYPfoIG8UQ4k4oDsK/VtIHEbIvgsrP0T7PUEgbCC2GocVh9DcePI 13 | 9R30y/njQpBqgWlDf0T/5RSt6QsnWmTq8ZizwDPZi7V9aFNuYex7uWPDAgMBAAGj 14 | ggERMIIBDTAdBgNVHQ4EFgQUcEgGwCsxBjPsciQLHnrgtD8/XTEwgd0GA1UdIwSB 15 | 1TCB0oAUcEgGwCsxBjPsciQLHnrgtD8/XTGhga6kgaswgagxCzAJBgNVBAYTAkZS 16 | MREwDwYDVQQIEwhCcmV0YWduZTEPMA0GA1UEBxMGUmVubmVzMSEwHwYDVQQKExhP 17 | cmFuZ2UgQnVzaW5lc3MgU2VydmljZXMxDTALBgNVBAsTBElCTkYxCzAJBgNVBAMT 18 | AkNBMQswCQYDVQQpEwJDQTEpMCcGCSqGSIb3DQEJARYab2xpdmllci5jb2NoYXJk 19 | QG9yYW5nZS5jb22CCQCnOj1MKZNJaTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB 20 | BQUAA4GBAB3uzniwH9l6EGEvb4w1EKvR6la646qxB9gbDh7EYCFFHd4uRN2foHNP 21 | BdjBHqZJSliBYhciSWLeMjB5UhPDhCE2whpJ3GFRd/qHp+3zwkppe8OTJi6J/6UR 22 | 
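iWaVWZfiMVQ8zhIKyzutGoFdwe0Y1a4Q5lMeVOcxa9OstioDtyaG
-----END CERTIFICATE-----
-------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/openvpn/crl.pem: --------------------------------------------------------------------------------
-----BEGIN X509 CRL-----
MIIBbjCB2DANBgkqhkiG9w0BAQQFADCBqDELMAkGA1UEBhMCRlIxETAPBgNVBAgT
CEJyZXRhZ25lMQ8wDQYDVQQHEwZSZW5uZXMxITAfBgNVBAoTGE9yYW5nZSBCdXNp
bmVzcyBTZXJ2aWNlczENMAsGA1UECxMESUJORjELMAkGA1UEAxMCQ0ExCzAJBgNV
BCkTAkNBMSkwJwYJKoZIhvcNAQkBFhpvbGl2aWVyLmNvY2hhcmRAb3JhbmdlLmNv
bRcNMTQwOTE5MTA1MjExWhcNMTQxMDE5MTA1MjExWjANBgkqhkiG9w0BAQQFAAOB
gQAfD5pmLOjynZZkplXvqxaHfi83k8hnL9jiFUYIQNCSSzkLxv19QohjxetcD8+1
Yt8yLPcHuyyo17Ug7Y38kyApNqBCHyzZJhqwMycn21V9aaOMmfRkSCI+QJggtpsE
dQ5utXzA03KLCylHJi1btgHc0WYPohaPvybjKc0EvqaR7A==
-----END X509 CRL-----
-------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/openvpn/dh1024.pem: --------------------------------------------------------------------------------
-----BEGIN DH PARAMETERS-----
MIGHAoGBAPx7nO/6r25ZxDApbMpvuGkvTbdpG8gG4XJTWKZs3qiQwSXtIonLaCoh
axLVxIB+rTSLXhrXAcyt6zl/6vk9BhUGiK+Mp+AOSYkE+l/OQR7uVIVTp3zOT83a
qshtcgxobxZkzLK7kaK53RWDfr7OaTI2PGmfxUu8QnlLqFbOYIVjAgEC
-----END DH PARAMETERS-----
-------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/openvpn/openvpn.conf: --------------------------------------------------------------------------------
# OpenVPN client configuration used before a router is registered: it connects
# with the shared "unregistered" identity. The registered variant is rendered
# by the vpn_wifi_router role from openvpn.conf.j2.
client
dev tun0
proto udp
nobind
ca ca.crt
# NOTE(review): unregistered.crt (see its text dump) is a 1024-bit RSA key
# signed with SHA-1 and ca.crt appears to be of the same generation; dh1024.pem
# is a 1024-bit group. All are below current recommendations and should be
# regenerated. Neither dh1024.pem (server-side parameter) nor crl.pem is
# referenced by this client configuration.
cert unregistered.crt
key unregistered.key
# NOTE(review): only the data cipher is pinned; auth (HMAC), tls-version-min
# and tls-cipher stay at OpenVPN's defaults — align them with the gateway policy.
cipher AES-128-CBC
remote-cert-tls server
tls-auth ta.key 1
persist-key
persist-tun
user nobody
group nobody
explicit-exit-notify
fast-io
script-security 2
up /usr/local/etc/openvpn/ovpn-if.sh
# Run the down hook through the down-root plugin rather than a plain "down"
# directive: with "user nobody" a plain down script runs unprivileged, while
# ovpn-if.sh needs root on the way down (resolvconf -d, /dev/led). This matches
# openvpn.conf.j2 and the warning inside ovpn-if.sh.
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-down-root.so "/usr/local/etc/openvpn/ovpn-if.sh"
# Very important feature for limiting too big UDP packet (RADIUS with EAP-TLS)
fragment 1400
# reduce TCP MSS size
mssfix
#"remote" servers will be declared by the EINE firmware build-script
-------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/openvpn/ovpn-if.sh: --------------------------------------------------------------------------------
#!/bin/sh
#
# OpenVPN tunnel up/down script:
# - Read the DNS server / domain options pushed by the gateway
#   (foreign_option_N in the environment), hand them to resolvconf and write a
#   dnsmasq configuration file
# - Change the LED status according to the OpenVPN state
#
# foreign_option_1=dhcp-option DNS 10.10.10.1
# foreign_option_2=dhcp-option DNS 10.10.10.2
# We don't use the default script $PREFIX/libexec/openvpn-client.up|down
#
# Runs as root: as the "up" hook before OpenVPN drops privileges, and as the
# "down" hook through the down-root plugin. ${script_type}, ${dev} and the
# foreign_option_N variables come from OpenVPN's environment.
# For debugging, dump "$@" and printenv to a file from here.

# NOTE(review): the resolv.conf fragment used to be written to a fixed name in
# /tmp (world-writable) by a root process, which invites symlink tricks from a
# local unprivileged user. /var/run is root-only, like the dnsmasq files.
RESOLV_CONF="/var/run/ovpnif-resolv.conf"
DNSMASQ_CONF="/var/run/ovpnif-dnsmasq.conf"
# Not referenced by this script; kept for callers/configs that expect the name.
DNSMASQ_RESOLV="/var/run/ovpnif-dnsmasq.resolv"

# Registered mode is detected by the presence of the ipfw rule set, which the
# vpn_wifi_router role only installs on registered routers.
if [ -f /etc/ipfw.rules ]; then
    REGISTERED=true
else
    REGISTERED=false
fi

# There is a bug with the down-root plugin: ${script_type} is not set, and the
# plugin only ever invokes us on the way down.
[ -z "${script_type}" ] && script_type="down"

# "dev tun0" is fixed in both openvpn.conf variants; fall back to it if the
# plugin does not pass ${dev}.
TUN_DEV="${dev:-tun0}"

# Pushed values come from the remote gateway and are written into resolv.conf
# and a dnsmasq configuration file, so accept only a dotted-quad for a DNS
# server and a plain hostname (letters, digits, dots, hyphens) for a domain.
valid_ipv4() {
    printf '%s\n' "$1" | /usr/bin/grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}
valid_domain() {
    printf '%s\n' "$1" | /usr/bin/grep -Eq '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
}

case "${script_type}" in
up)
    if ${REGISTERED}; then
        # Registered mode: LED 3 on, then reload ipfw because tun0 did not
        # exist when the rules were loaded at boot
        [ -e /dev/led/led3 ] && echo "1" > /dev/led/led3
        /bin/sh /etc/ipfw.rules || /usr/bin/logger "ERROR for reloading ipfw"
    else
        # Unregistered mode: blink LED 3 slowly
        [ -e /dev/led/led3 ] && echo f9 > /dev/led/led3
    fi

    # Collect the DNS servers and domains pushed by the gateway
    # (foreign_option_N="dhcp-option DNS a.b.c.d" / "dhcp-option DOMAIN name")
    i=1
    DNS_LIST=""
    DOMAIN_LIST=""
    while true; do
        # i is a counter we control, so the eval only expands a numbered name
        eval "option=\${foreign_option_${i}}"
        [ -z "${option}" ] && break
        value=$(printf '%s\n' "${option}" | cut -d ' ' -f 3)
        case "${option}" in
        "dhcp-option DNS "*)
            if valid_ipv4 "${value}"; then
                DNS_LIST="${DNS_LIST} ${value}"
            else
                logger "WARNING: ignoring malformed pushed DNS option: ${option}"
            fi
            ;;
        "dhcp-option DOMAIN "*)
            if valid_domain "${value}"; then
                DOMAIN_LIST="${DOMAIN_LIST} ${value}"
            else
                logger "WARNING: ignoring malformed pushed DOMAIN option: ${option}"
            fi
            ;;
        esac
        i=$((i + 1))
    done

    # Generate the resolv.conf fragment and hand it to resolvconf
    rm -f "${RESOLV_CONF}"
    for DNS in ${DNS_LIST}; do
        printf 'nameserver %s\n' "${DNS}" >> "${RESOLV_CONF}"
    done
    # First domain becomes "domain", the others "search" (resolv.conf(5) treats
    # these as alternatives; resolvconf merges them — confirm this is intended).
    first_domain=true
    for DOMAIN in ${DOMAIN_LIST}; do
        if ${first_domain}; then
            printf 'domain %s\n' "${DOMAIN}" >> "${RESOLV_CONF}"
            first_domain=false
        else
            printf 'search %s\n' "${DOMAIN}" >> "${RESOLV_CONF}"
        fi
    done
    if [ -f "${RESOLV_CONF}" ]; then
        /sbin/resolvconf -p -a "${TUN_DEV}" < "${RESOLV_CONF}" || logger "WARNING: failed to update resolvconf"
    elif ${REGISTERED}; then
        logger "WARNING: Didn't receive any DNS/DOMAIN from gateway in registered mode"
    fi

    # Generate the dnsmasq configuration file: one "server=/dom1/dom2/ip" line
    # per pushed DNS server. With no pushed domain this yields "server=//ip",
    # which dnsmasq treats specially (unqualified names only) — kept as before,
    # confirm that is the intended behaviour.
    rm -f "${DNSMASQ_CONF}"
    domain_path=$(printf '%s\n' "${DOMAIN_LIST# }" | sed -e 's/ /\//g')
    for DNS in ${DNS_LIST}; do
        printf 'server=/%s/%s\n' "${domain_path}" "${DNS}" >> "${DNSMASQ_CONF}"
    done
    # Reload dnsmasq
    if [ -f "${DNSMASQ_CONF}" ]; then
        pkill -HUP dnsmasq || logger "Can't reload dnsmasq"
    fi
    ;;
down)
    # Warning: when openvpn runs under the "nobody" privilege, it is mandatory
    # to load the down-root plugin (openvpn configuration file) so that this
    # branch still runs as root.
    # Disable LED 3
    [ -e /dev/led/led3 ] && echo "0" > /dev/led/led3
    # Clean-up resolvconf
    /sbin/resolvconf -d "${TUN_DEV}" -f || logger "Can't delete interface to resolvconf"
    rm -f "${RESOLV_CONF}"
    # Clean-up and reload the dnsmasq configuration
    if [ -f "${DNSMASQ_CONF}" ]; then
        rm -f "${DNSMASQ_CONF}"
        pkill -HUP dnsmasq || logger "Can't reload dnsmasq"
    fi
    ;;
esac

-------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/openvpn/ta.key: --------------------------------------------------------------------------------
#
# 2048 bit OpenVPN static key
#
# NOTE(review): this is the tls-auth shared secret for every router and gateway,
# committed to the repository. Regenerate it (openvpn --genkey) and distribute
# it out of band; anyone with this file can talk to the gateways' TLS layer.
#
-----BEGIN OpenVPN Static key V1-----
bb8656ae8e3de56e58c730d624f2be39
a2b3cad7cde55841985005dce39c6b0a
9cb21200fe2aa61d2e54ccad24800b22
709d0b88ec3d9d153102145f1fc5e561
dad6bf26cbfa622efc28f88323d6d441
f1785cd38d25cbe676a7838363b8f2fd
e2558705f16f64ea76512946d828b7f7
1d68397ca7fea734016e3577df6cabb9
cdef7c0319f48d6d32161ab5900e3c91
111ff7887e59038a1e3a86445247ea16
26c050669d1596692e160b473769fd53
ac8a61930bca46920909acc1c779af70
fdfb02b66179c67a4be95d625a5bc1d5
93a67ff3ed719d30da62dea34ede2f21
3a6616da75320e5aa26cafc1b9222f22
e88dbb46cfbc43bf5ae3668ddeee9a9a
-----END OpenVPN Static key V1-----
-------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/openvpn/unregistered.crt: --------------------------------------------------------------------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=Bretagne, L=Rennes, O=Orange Business Services, OU=IBNF, CN=CA/name=CA/emailAddress=olivier.cochard@orange.com
        Validity
            Not Before: Sep 19 10:51:28 2014 GMT
            Not After : Sep 16 10:51:28 2024 GMT
        Subject: C=FR, ST=Bretagne, L=Rennes, O=Orange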
Business Services, OU=IBNF, CN=unregistered/name=unregistered/emailAddress=olivier.cochard@orange.com 11 | Subject Public Key Info: 12 | Public Key Algorithm: rsaEncryption 13 | Public-Key: (1024 bit) 14 | Modulus: 15 | 00:c5:ef:bb:bc:cb:2c:8f:df:09:56:bd:31:d4:fa: 16 | 94:ba:16:9f:af:21:5d:67:14:9d:2e:87:b1:46:70: 17 | 64:27:16:c3:f1:e8:ac:f6:e5:36:2c:8f:c8:72:1a: 18 | 6f:53:29:00:43:50:0d:bc:04:a6:e6:64:99:63:51: 19 | 52:bd:a2:cf:56:ec:90:52:7a:0c:96:0e:5b:bc:c9: 20 | 60:37:4c:3f:19:88:46:bc:78:fc:3f:53:a2:de:c2: 21 | be:3d:a3:6f:f4:a2:4c:2e:ca:91:3a:99:57:20:f9: 22 | 3f:e2:7d:20:ed:fe:c9:00:62:db:fa:3d:0d:14:ee: 23 | c7:0d:fe:2d:1d:25:08:b9:25 24 | Exponent: 65537 (0x10001) 25 | X509v3 extensions: 26 | X509v3 Basic Constraints: 27 | CA:FALSE 28 | Netscape Comment: 29 | Easy-RSA Generated Certificate 30 | X509v3 Subject Key Identifier: 31 | B7:EA:88:0C:66:BE:B9:0A:15:29:1F:42:C4:76:D4:46:18:58:EF:5C 32 | X509v3 Authority Key Identifier: 33 | keyid:70:48:06:C0:2B:31:06:33:EC:72:24:0B:1E:7A:E0:B4:3F:3F:5D:31 34 | DirName:/C=FR/ST=Bretagne/L=Rennes/O=Orange Business Services/OU=IBNF/CN=CA/name=CA/emailAddress=olivier.cochard@orange.com 35 | serial:A7:3A:3D:4C:29:93:49:69 36 | 37 | X509v3 Extended Key Usage: 38 | TLS Web Client Authentication 39 | X509v3 Key Usage: 40 | Digital Signature 41 | Signature Algorithm: sha1WithRSAEncryption 42 | 8d:3f:85:1e:49:06:82:eb:ed:40:4b:2d:c2:a2:f3:ce:8e:47: 43 | 08:ae:b9:72:a4:ae:87:aa:53:f0:d7:81:13:5d:68:96:ca:a8: 44 | f3:c2:f3:f3:02:25:34:56:22:cc:6d:d4:7d:36:6b:f4:2a:1f: 45 | 7a:5b:b8:82:04:c6:e2:ee:d0:31:9d:50:2a:1b:af:b0:a4:81: 46 | 52:47:e0:41:69:af:9e:97:9f:6e:08:00:e0:4f:8b:92:93:c6: 47 | db:17:94:91:51:17:c1:7c:d3:dc:56:90:48:3f:cc:5b:db:02: 48 | 12:24:02:41:97:d0:86:71:7b:4a:86:2f:79:10:7d:aa:28:26: 49 | 43:46 50 | -----BEGIN CERTIFICATE----- 51 | MIIEPTCCA6agAwIBAgIBATANBgkqhkiG9w0BAQUFADCBqDELMAkGA1UEBhMCRlIx 52 | ETAPBgNVBAgTCEJyZXRhZ25lMQ8wDQYDVQQHEwZSZW5uZXMxITAfBgNVBAoTGE9y 53 | 
YW5nZSBCdXNpbmVzcyBTZXJ2aWNlczENMAsGA1UECxMESUJORjELMAkGA1UEAxMC 54 | Q0ExCzAJBgNVBCkTAkNBMSkwJwYJKoZIhvcNAQkBFhpvbGl2aWVyLmNvY2hhcmRA 55 | b3JhbmdlLmNvbTAeFw0xNDA5MTkxMDUxMjhaFw0yNDA5MTYxMDUxMjhaMIG8MQsw 56 | CQYDVQQGEwJGUjERMA8GA1UECBMIQnJldGFnbmUxDzANBgNVBAcTBlJlbm5lczEh 57 | MB8GA1UEChMYT3JhbmdlIEJ1c2luZXNzIFNlcnZpY2VzMQ0wCwYDVQQLEwRJQk5G 58 | MRUwEwYDVQQDEwx1bnJlZ2lzdGVyZWQxFTATBgNVBCkTDHVucmVnaXN0ZXJlZDEp 59 | MCcGCSqGSIb3DQEJARYab2xpdmllci5jb2NoYXJkQG9yYW5nZS5jb20wgZ8wDQYJ 60 | KoZIhvcNAQEBBQADgY0AMIGJAoGBAMXvu7zLLI/fCVa9MdT6lLoWn68hXWcUnS6H 61 | sUZwZCcWw/HorPblNiyPyHIab1MpAENQDbwEpuZkmWNRUr2iz1bskFJ6DJYOW7zJ 62 | YDdMPxmIRrx4/D9Tot7Cvj2jb/SiTC7KkTqZVyD5P+J9IO3+yQBi2/o9DRTuxw3+ 63 | LR0lCLklAgMBAAGjggFfMIIBWzAJBgNVHRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5F 64 | YXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFLfqiAxmvrkK 65 | FSkfQsR21EYYWO9cMIHdBgNVHSMEgdUwgdKAFHBIBsArMQYz7HIkCx564LQ/P10x 66 | oYGupIGrMIGoMQswCQYDVQQGEwJGUjERMA8GA1UECBMIQnJldGFnbmUxDzANBgNV 67 | BAcTBlJlbm5lczEhMB8GA1UEChMYT3JhbmdlIEJ1c2luZXNzIFNlcnZpY2VzMQ0w 68 | CwYDVQQLEwRJQk5GMQswCQYDVQQDEwJDQTELMAkGA1UEKRMCQ0ExKTAnBgkqhkiG 69 | 9w0BCQEWGm9saXZpZXIuY29jaGFyZEBvcmFuZ2UuY29tggkApzo9TCmTSWkwEwYD 70 | VR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeAMA0GCSqGSIb3DQEBBQUAA4GB 71 | AI0/hR5JBoLr7UBLLcKi886ORwiuuXKkroeqU/DXgRNdaJbKqPPC8/MCJTRWIsxt 72 | 1H02a/QqH3pbuIIExuLu0DGdUCobr7CkgVJH4EFpr56Xn24IAOBPi5KTxtsXlJFR 73 | F8F809xWkEg/zFvbAhIkAkGX0IZxe0qGL3kQfaooJkNG 74 | -----END CERTIFICATE----- 75 | -------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/openvpn/unregistered.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMXvu7zLLI/fCVa9 3 | MdT6lLoWn68hXWcUnS6HsUZwZCcWw/HorPblNiyPyHIab1MpAENQDbwEpuZkmWNR 4 | Ur2iz1bskFJ6DJYOW7zJYDdMPxmIRrx4/D9Tot7Cvj2jb/SiTC7KkTqZVyD5P+J9 5 | 
IO3+yQBi2/o9DRTuxw3+LR0lCLklAgMBAAECgYA+MUVb3LrzubDFgEzYDqQMlG84 6 | J9OhP+jjZd9dspLFdXG74M/4A60x8zuYHpY8GvXqMI0gNpX6bkGD41mMHEvpBo0C 7 | 1JPerq1I31i/FLc4QZM/xAGZWFMGXrIyP54Wa/QpMTr2FqlvOv+57A+MN4w96ltD 8 | qfuvrhuwKEOnnGSRQQJBAOYsdSBb59sq77ROeEd7ao57OYOvIH/bekQIFxyR8nnS 9 | TGj4hzAWTKCGa4Xr/1b7uIBkOjoDTGsUlYOrux5nrxsCQQDcJUoitQQZLurDGO0y 10 | ooC4AsrfzUC3xwLOxELy31Nja+V/LsneODP33gDdOv7gyNY5Rz110ZHkBzqRVTnY 11 | VHy/AkEAgMzF6gqjzqfTJMF4Wv+72+kmgQLBm+p0G5evXyRoXDUK3v6bn5QK4xT1 12 | HCa4ZrNLRkVPs+DepVkKZXj2p4f7mwJBAJ++AzyKA05OyBUHil66ohJkHFgndPWl 13 | 1/i3WyknOjgje+U8y0iPmc4bbp8ZhwcPVLs9YXCTwHwpbqs0n4PFUrsCQFzpUALH 14 | 9AI8hcnkNXskD9oSGgXgI82fk7F1FkYuEuJyMLG8EnXz0qRALvFjNnXuu+GhmQbs 15 | J1P3dC52Wzv16Jo= 16 | -----END PRIVATE KEY----- 17 | -------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/periodic/daily/401.IDS-update: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Start IDS update signature 4 | # 5 | 6 | # If there is a global system configuration file, suck it in. 7 | # 8 | if [ -r /etc/defaults/periodic.conf ] 9 | then 10 | . /etc/defaults/periodic.conf 11 | source_periodic_confs 12 | fi 13 | 14 | idsupdate=/usr/local/sbin/IDS-update 15 | 16 | rc=0 17 | 18 | case "${daily_update_ids_enable}" in 19 | [Yy][Ee][Ss]) 20 | if [ ! 
-x $idsupdate ]; then 21 | echo "\$daily_update_ids_enable is set but ${idsupdate}" \ 22 | "isn't executable" 23 | exit 2 24 | fi 25 | 26 | echo "" 27 | echo "Updating IDS rules:" 28 | 29 | $idsupdate && rc=1 || rc=3 30 | 31 | ;; 32 | *) 33 | rc=0 34 | ;; 35 | esac 36 | 37 | exit $rc 38 | 39 | -------------------------------------------------------------------------------- /EINE/Files/usr/local/etc/rc.d/resetcheck: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # PROVIDE: resetcheck 4 | # REQUIRE: DAEMON 5 | # KEYWORD: nojail 6 | # 7 | # Add the following to /etc/rc.conf[.local] to enable this service 8 | # 9 | # resetcheck_enable="YES" 10 | # 11 | 12 | . /etc/rc.subr 13 | 14 | resetcheck_enable=${resetcheck_enable-"NO"} 15 | 16 | name="resetcheck" 17 | rcvar=${name}_enable 18 | 19 | load_rc_config ${name} 20 | 21 | pidfile="/var/run/${name}.pid" 22 | 23 | start_cmd="resetcheck_start" 24 | command="/usr/local/sbin/resetcheck" 25 | 26 | resetcheck_start(){ 27 | echo "starting monitoring RESET button status." 
28 | /usr/sbin/daemon -p ${pidfile} ${command} 29 | } 30 | 31 | run_rc_command "$1" 32 | -------------------------------------------------------------------------------- /EINE/Files/usr/local/sbin/IDS-update: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -eu 3 | 4 | CONFIG_FILE="/usr/local/etc/IDS-update.conf" 5 | SNORT_DIR_RULES="/usr/local/etc/snort/rules/" 6 | BACKUP_FILE="/tmp/backuped_rules.xz" 7 | LOCK_FILE="/tmp/IDS-update.lock" 8 | 9 | # A usefull function (from: http://code.google.com/p/sh-die/) 10 | die() { 11 | [ -f ${LOCK_FILE} ] && rm ${LOCK_FILE} 12 | echo -n "EXIT: " >&2 13 | echo "$@" >&2 14 | logger "IDS-UPDATE EXIT: $@" 15 | exit 1 16 | } 17 | 18 | [ -f ${CONFIG_FILE} ] || logger "IDS-update: No config file found, using default" 19 | 20 | backup_rules () { 21 | echo "backuping existing rules" 22 | [ -f ${BACKUP_FILE} ] && rm ${BACKUP_FILE} 23 | tar -cJf ${BACKUP_FILE} -C ${SNORT_DIR_RULES} . || die "Can't backup existing rules" 24 | } 25 | 26 | checking_rules () { 27 | echo -n "Checking new downloaded rules..." 28 | if snort -T -c /usr/local/etc/snort/snort.conf; then 29 | if service snort onestatus; then 30 | echo "OK, reloading snort" 31 | service snort onereload || die "Can't reload snort" 32 | else 33 | echo "snort is not running" 34 | fi 35 | else 36 | echo "NOK, restoring previous rules" 37 | logger "Bad configuration rules" 38 | restoring_rules 39 | fi 40 | } 41 | 42 | restoring_rules () { 43 | tar -C ${SNORT_DIR_RULES} -xf ${BACKUP_FILE} || die "Can't restore previous rules" 44 | } 45 | 46 | cleanup_rules () { 47 | [ -f /tmp/backuped_rules.xz ] && rm ${BACKUP_FILE} 48 | } 49 | 50 | # Load variable from configuration file 51 | # SNORT_REG_URL: Snort registration URL (including oik code) 52 | # SNORT_REG_RULES: List of rules/files to extract 53 | # ET_URL: ET URL 54 | # ET_RULES: List of ET rules to extract 55 | 56 | . 
/usr/local/etc/IDS-update.conf 57 | 58 | # If called when already running, exit 59 | [ -f ${LOCK_FILE} ] && die "IDS update alreay running" 60 | 61 | touch ${LOCK_FILE} || die "Can't create lock file" 62 | 63 | backup_rules 64 | 65 | SNORT_COM_URL='https://www.snort.org/downloads/community/community-rules.tar.gz' 66 | 67 | if [ -z "${SNORT_REG_URL}" ]; then 68 | logger -s "Downloading and extracting Snort community rules" 69 | fetch ${SNORT_COM_URL} -o - | tar -C ${SNORT_DIR_RULES} -f - --extract --null --strip=1 --no-same-owner community-rules/community.rules && \ 70 | logger -s "Download and extracted snort community rules with success" 71 | else 72 | logger -s "Downloading and extracting Snort registered rules..." 73 | fetch ${SNORT_REG_URL} -o - | tar -C ${SNORT_DIR_RULES} -f - --extract --null --strip=1 --no-same-owner ${SNORT_REG_RULES} && \ 74 | logger -s "Downloaded and extracted snort registered rules with success" || \ 75 | logger -s "Can't download/extract snort registered rules" 76 | fi 77 | 78 | if [ -n "${ET_URL}" ]; then 79 | logger -s "Downloading and extracting Emergingthreads rules" 80 | fetch ${ET_URL} -o - | tar -C ${SNORT_DIR_RULES} -f - --extract --null --strip=1 --no-same-owner ${ET_RULES} && \ 81 | logger -s "Download and extracted ET with success" || \ 82 | logger -s "Can't download/extract ET" 83 | fi 84 | 85 | checking_rules 86 | 87 | cleanup_rules 88 | 89 | rm ${LOCK_FILE} || die "Can't delete lock file" 90 | -------------------------------------------------------------------------------- /EINE/Files/usr/local/sbin/geoip-update: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Updating GeoIP database 3 | set -eu 4 | 5 | DATA_DIR="/usr/local/share/GeoIP" 6 | TMPFS_DIR="/var/tmp/tmpfs" 7 | 8 | # A usefull function (from: http://code.google.com/p/sh-die/) 9 | die() { echo -n "EXIT: " >&2; echo "$@" >&2; exit 1; } 10 | 11 | clean_exit () { 12 | umount /tmp/tmpfs 13 | mount -ur / || die 
"Can't remount in Read-Only mode" 14 | } 15 | 16 | echo "Downloading new GeoIP database..." 17 | [ -d ${TMPFS_DIR} ] || mkdir ${TMPFS_DIR} 18 | mount -t tmpfs tmpfs ${TMPFS_DIR} || die "Can't mount tmpfs file system" 19 | fetch -o ${TMPFS_DIR}/GeoLite2-City.mmdb.gz http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz || die "Can't download new database" 20 | mount -uw / || die "Can't re-mount / in Read-Write mode" 21 | trap "echo 'Running exit trap code' ; clean_exit" 1 2 15 EXIT 22 | rm ${DATA_DIR}/GeoLite2-City.mmdb || echo "Can't rm old database" 23 | gzcat ${TMPFS_DIR}/GeoLite2-City.mmdb.gz > ${DATA_DIR}/GeoLite2-City.mmdb || echo "Can't gunzip new database" 24 | clean_exit 25 | trap - 1 2 15 EXIT 26 | echo "GeoIP database updated!" 27 | -------------------------------------------------------------------------------- /EINE/Files/usr/local/sbin/resetcheck: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Check if reset button is triggered on APU 3 | set -eu 4 | while true; do 5 | if [ -e /dev/modesw ]; then 6 | if [ `head -c 1 /dev/modesw` -eq 1 ]; then 7 | for i in 1 2 3; do 8 | [ -e /dev/led/led$i ] && echo f9 > /dev/led/led$i 9 | done 10 | logger "FACTORY RESET BUTTON TRIGGERED!!!!" 11 | /usr/local/sbin/config factory > /tmp/debug-reset.log && logger "factory reset done" || logger "factory reset failed" 12 | /sbin/shutdown -r now 13 | fi 14 | fi 15 | sleep 2 16 | done 17 | -------------------------------------------------------------------------------- /EINE/README.md: -------------------------------------------------------------------------------- 1 | Easy Internet vpN Extender (EINE) 2 | ================================= 3 | 4 | EINE is a solution for large-scale plug&play x86 network appliance deployment over Internet. 
5 | 6 | License: BSD 2-clause 7 | 8 | Author: [Orange] (http://www.orange.com) 9 | 10 | EINE, a sub-project of BSD Router Project, permit to generate an x86 raw image disk (appliance firmware) to be use for deploying this solution: 11 | 12 | ![EINE big picture](docs/images/big-picture.png) 13 | 14 | The demo EINE firmware include build-in DEMO certificate and passwords that NEED to be customized for your usage. 15 | Private AND public keys/certificates are embedded in the demo firmware, then are totally unsecure. 16 | 17 | For building your own EINE firmware, you NEED: 18 | - A FreeBSD Operating system (10.1 minimum) 19 | - with an Internet access for downloading sources 20 | 21 | Then you had to follow these steps: 22 | 23 | 1. Download source 24 | ``` 25 | svnlite co https://github.com/ocochard/BSDRP/trunk BSDRP 26 | cd BSDRP 27 | ``` 28 | 2. [Generate your own SSH keys and certificate](docs/How-to.generate.keys.md) 29 | 3. Create an EINE/local.data/data.conf file for declaring: 30 | - ADMIN_USERNAME: admin username 31 | - CONSOLE_PASSWORD: Root password 32 | - DOMAIN_NAME: domain name 33 | - GATEWAYS: List of of gateways hostname 34 | - OVPN_UNREG_PORT: UDP port to be used for unregistered gateway 35 | - SSH_PORT: Port used by sshd 36 | - check examples in [EINE/DEMO.data/data.conf](DEMO.data/data.conf) 37 | 4. 
Generate EINE x86 disk image using BSD Router Project build script 38 | ``` 39 | ./make.sh -p EINE 40 | ``` 41 | -------------------------------------------------------------------------------- /EINE/docs/EINE_BSDCan2015.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ocochard/BSDRP/8bd71614d24fe94576dc50efda94cd5bc7af581c/EINE/docs/EINE_BSDCan2015.pdf -------------------------------------------------------------------------------- /EINE/docs/How-to.generate.keys.md: -------------------------------------------------------------------------------- 1 | HOW TO generate keys for EINE 2 | ============================= 3 | 4 | For deploying EINE solution, you need to generate your own SSH/Certificates. 5 | Here is how to do these steps. 6 | 7 | Pre-requisite 8 | ============= 9 | 10 | On your FreeBSD developement machine, you need these packages installed 11 | * easy-rsa (for generating certificates) 12 | * openvpn (for generating the key) 13 | 14 | Then, go into the BSD Router Project source directory and set the dir variable. 15 | Example using tcsh shell: 16 | ``` 17 | setenv BSDRP_DIR `pwd` 18 | ``` 19 | 20 | Keys directory 21 | ============== 22 | 23 | Create your local data directory: 24 | 25 | ``` 26 | mkdir ${BSDRP_DIR}/EINE/local.data 27 | ``` 28 | 29 | SSH keys 30 | ======== 31 | 32 | EINE use by default ED25519 SSH keys: 33 | ``` 34 | ssh-keygen -t ed25519 -b 256 -o -f ${BSDRP_DIR}/EINE/local.data/id_ed25519 35 | ``` 36 | 37 | And use a good password for protecting the private key. 38 | 39 | Detail of ssh-keygen options used: 40 | * -o: new openSSH format (increased resistance to brute-force password cracking) 41 | * -t: ed25519 (recommanded curve) 42 | * -b: 256bits algo 43 | 44 | OpenVPN certificate 45 | =================== 46 | 47 | We will use easy-RSA for creating the CA and the "unregistered" common certificate. 
48 | You should use a very long valid period (not only 1 year) for this certificate. 49 | Here is an example used for the DEMO keys: 50 | 51 | ``` 52 | cp /usr/local/share/easy-rsa/vars ${BSDRP_DIR}/EINE/local.data/easy-rsa.vars 53 | sed -i "" -e '/KEY_SIZE=/s/1024/2048/' ${BSDRP_DIR}/EINE/local.data/easy-rsa.vars 54 | sed -i "" -e '/KEY_COUNTRY=/s/US/FR/' ${BSDRP_DIR}/EINE/local.data/etc/easy-rsa.vars 55 | sed -i "" -e '/KEY_PROVINCE=/s/CA/Bretagne/' ${BSDRP_DIR}/EINE/local.data/easy-rsa.vars 56 | sed -i "" -e '/KEY_CITY=/s/SanFrancisco/Rennes/' ${BSDRP_DIR}/EINE/local.data/easy-rsa.vars 57 | sed -i "" -e '/KEY_ORG=/s/Fort-Funston/Orange Business Services/' ${BSDRP_DIR}/EINE/local.data/easy-rsa.vars 58 | sed -i "" -e '/KEY_OU=/s/MyOrganizationalUnit/EINE DEMO unsecure certificate/' ${BSDRP_DIR}/EINE/local.data/easy-rsa.vars 59 | sed -i "" -e '/KEY_EMAIL=/s/me@myhost.mydomain/olivier.cochard@orange.com/' ${BSDRP_DIR}/EINE/local.data/easy-rsa.vars 60 | echo 'export RANDFILE=${KEY_DIR}/.rnd' >> ${BSDRP_DIR}/EINE/local.data/easy-rsa.vars 61 | sed 's/export/setenv/;s/=/ /' ${BSDRP_DIR}/EINE/local.data/easy-rsa.vars > ${BSDRP_DIR}/EINE/local.data/easy-rsa.vars.tcsh 62 | cd /usr/local/share/easy-rsa 63 | source ${BSDRP_DIR}/EINE/local.data/easy-rsa.vars.tcsh 64 | sudo chmod g+w /usr/local/etc 65 | ./clean-all 66 | ./build-dh 67 | env KEY_CN=CA KEY_NAME=CA ./pkitool --initca CA 68 | env KEY_CN=unregistered KEY_NAME=unregistered ./pkitool unregistered 69 | openvpn --genkey --secret ${KEY_DIR}/ta.key 70 | openssl ca -gencrl -out ${KEY_DIR}/crl.pem -config "${KEY_CONFIG}" 71 | mv keys ${BSDRP_DIR}/EINE/local.data/ 72 | sed -i "" -e '/KEY_DIR=/s/$EASY_RSA/\/usr\/local\/etc/' ${BSDRP_DIR}EINE/local.data/easy-rsa.vars 73 | sed -i "" -e '/setenv KEY_DIR/s/$EASY_RSA/\/usr\/local\/etc/' ${BSDRP_DIR}EINE/local.data/easy-rsa.vars.tcsh 74 | ``` 75 | 76 | Generating keys archive 77 | ======================= 78 | 79 | Once generated SSH keys and Certificates, we need to put them into 
an archive. 80 | This archive will be copied to the EINE manager for initializing it. 81 | 82 | ``` 83 | tar cvfz ${BSDRP_DIR}/EINE/PROD.certs.tgz -C ${BSDRP_DIR}/EINE/local.data easy-rsa.vars easy-rsa.vars.tcsh keys id_ed25519 84 | ``` 85 | -------------------------------------------------------------------------------- /EINE/docs/images/big-picture.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ocochard/BSDRP/8bd71614d24fe94576dc50efda94cd5bc7af581c/EINE/docs/images/big-picture.png -------------------------------------------------------------------------------- /EINE/make.conf: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Name of the product 4 | # alphanumerics caracters only (not - or _) 5 | NAME="EINE" 6 | 7 | # If this project is a child of a father project 8 | MASTER_PROJECT="BSDRP" 9 | 10 | # Target disk size (in MB) 11 | : ${DISK_SIZE="2000"} 12 | 13 | # List of kernel modules to build and install 14 | SHARED_MODULES="amdtemp bridgestp carp coretemp dtrace dummynet if_bridge if_gre if_lagg if_stf if_tuntap ipdivert ipfw ipfw_nat libalias netgraph nmdm nullfs opensolaris rc4 tmpfs usb/ucom usb/uplcom vmm wlan wlan_acl wlan_amrr wlan_ccmp wlan_rssadapt wlan_tkip wlan_wep wlan_xauth" 15 | NANO_MODULES_amd64="${SHARED_MODULES} aesni amdsbwd cpuctl coretemp hwpmc i2c ichwd ipmi ispfw sppp" 16 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | BSDRP/Files/root/LICENSE -------------------------------------------------------------------------------- /Makefile.vars: -------------------------------------------------------------------------------- 1 | FreeBSD_hash?=adad9298141 2 | FreeBSD_repo?=https://git.freebsd.org/src 3 | FreeBSD_branch?=main 4 | ports_hash?=30b6c9578fe5 5 | 
ports_repo?=https://git.freebsd.org/ports 6 | ports_branch?=main 7 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # [![BSDRP logo](logos/BSDRP.logo.128.png)BSD Router Project](https://bsdrp.net) 2 | 3 | Copyright (c) 2009-2025, The BSDRP Development Team 4 | 5 | ## Description 6 | 7 | The BSD Router Project (BSDRP) is a free, open-source router distribution based on [FreeBSD](https://www.freebsd.org). 8 | It includes software like: [FRRouting](https://frrouting.org), [Bird](http://bird.network.cz/), [ExaBGP](https://github.com/Exa-Networks/exabgp), [OpenVPN](https://openvpn.net/) and [strongSwan](https://www.strongswan.org/). 9 | 10 | ## Requirements to Build 11 | 12 | - FreeBSD 14.2 or higher 13 | - poudriere 14 | - git 15 | 16 | ## How to build 17 | 18 | The build system uses a Makefile. To build BSDRP image disks, run: 19 | ``` 20 | make 21 | ``` 22 | 23 | And `make help` for more information. 24 | 25 | [Learn more in the technical documentation]( https://bsdrp.net/documentation/technical_docs) 26 | -------------------------------------------------------------------------------- /TODO.md: -------------------------------------------------------------------------------- 1 | # TODO List 2 | 3 | ## Bugs # 4 | 5 | * if no-mandatory /data had a fsck problem, system refuse go in single user 6 | * add auto-trimming of all log files that are being created 7 | 8 | ## Boot loader ## 9 | * poudriere-image uses EFI, need to test generated image on APU 10 | 11 | ## Authentication # 12 | 13 | * Need to test PAM (Radius, TACAS+) modules 14 | 15 | ## misc # 16 | 17 | * generate SBOM for each release 18 | * Is utf-8 support for console usefull ? 
19 | * Need to publish an OVF (Open Virtualization Format) tar file 20 | * Need to enable nuageinit (usefull for automatic regression tests) 21 | * A netgraph documentation "for dummies" like this: http://nexus.org.ua/weblog/message/406/ 22 | 23 | ## TRIM ## 24 | 25 | Adding a rc script that automatically enable TRIM on /dev/ufs/BSDRP* if: 26 | sudo camcontrol identify ada0 | grep TRIM | cut -d ' ' -f 5 27 | give "yes" 28 | 29 | ## labs # 30 | 31 | * Lab script: Generate a lab diagram in DOT language, see example in tools/bsdrp.lab.gv 32 | * Lab script: Add a libvirt script 33 | * Lab script: Add jail based lab 34 | 35 | ## Security 36 | 37 | Embedded the mtree file, and just store its hash online 38 | -------------------------------------------------------------------------------- /docs/labs.examples.odp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ocochard/BSDRP/8bd71614d24fe94576dc50efda94cd5bc7af581c/docs/labs.examples.odp -------------------------------------------------------------------------------- /logos/BSDRP.logo.114.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ocochard/BSDRP/8bd71614d24fe94576dc50efda94cd5bc7af581c/logos/BSDRP.logo.114.png -------------------------------------------------------------------------------- /logos/BSDRP.logo.128.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ocochard/BSDRP/8bd71614d24fe94576dc50efda94cd5bc7af581c/logos/BSDRP.logo.128.png -------------------------------------------------------------------------------- /logos/BSDRP.logo.256.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ocochard/BSDRP/8bd71614d24fe94576dc50efda94cd5bc7af581c/logos/BSDRP.logo.256.png 
-------------------------------------------------------------------------------- /logos/BSDRP.logo.48.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ocochard/BSDRP/8bd71614d24fe94576dc50efda94cd5bc7af581c/logos/BSDRP.logo.48.png -------------------------------------------------------------------------------- /logos/BSDRP.logo.64.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ocochard/BSDRP/8bd71614d24fe94576dc50efda94cd5bc7af581c/logos/BSDRP.logo.64.png -------------------------------------------------------------------------------- /logos/BSDRP.logo.odg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ocochard/BSDRP/8bd71614d24fe94576dc50efda94cd5bc7af581c/logos/BSDRP.logo.odg -------------------------------------------------------------------------------- /logos/BSDRP.logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ocochard/BSDRP/8bd71614d24fe94576dc50efda94cd5bc7af581c/logos/BSDRP.logo.png -------------------------------------------------------------------------------- /obj/.gitignore: -------------------------------------------------------------------------------- 1 | # Ignore everything in this directory 2 | * 3 | # Except this file 4 | !.gitignore 5 | -------------------------------------------------------------------------------- /poudriere.etc/poudriere.conf: -------------------------------------------------------------------------------- 1 | /usr/local/etc/poudriere.conf -------------------------------------------------------------------------------- /poudriere.etc/poudriere.d/BSDRP-pkglist.amd64: -------------------------------------------------------------------------------- 1 | net/realtek-re-kmod 2 | net/vpp 3 | sysutils/cpu-microcode 4 | sysutils/dtrace-toolkit 5 | 
sysutils/intel-pcm 6 | sysutils/x86info 7 | -------------------------------------------------------------------------------- /poudriere.etc/poudriere.d/BSDRP-pkglist.common: -------------------------------------------------------------------------------- 1 | benchmarks/iperf 2 | benchmarks/iperf3 3 | benchmarks/netperf 4 | devel/py-setuptools 5 | dns/dnsmasq 6 | editors/vim@console 7 | emulators/open-vm-tools@nox11 8 | lang/perl5.36 9 | lang/python 10 | net-mgmt/bgpq4 11 | net-mgmt/bsnmp-regex 12 | net-mgmt/bsnmp-ucd 13 | net-mgmt/lldpd 14 | net-mgmt/nrpe 15 | net-mgmt/nstat 16 | net-mgmt/pmacct 17 | net-mgmt/rtrlib 18 | net/arping 19 | net/bird2 20 | net/dhcp6 21 | net/dhcprelya 22 | net/exabgp4 23 | net/frr10 24 | net/frr10-pythontools 25 | net/graphpath 26 | net/isc-dhcp44-server 27 | net/ixl_unlock 28 | net/mlvpn 29 | net/mpd5 30 | net/mrouted 31 | net/mrtparse 32 | net/mtr@nox11 33 | net/nc 34 | net/netmap-fwd 35 | net/ntraceroute 36 | net/pimd 37 | net/pimdd 38 | net/pkt-gen 39 | net/quagga-bgp-netgen 40 | net/tayga 41 | net/wireguard-tools 42 | ports-mgmt/pkg 43 | security/openvpn 44 | security/openvpn-auth-radius 45 | security/strongswan 46 | security/sudo 47 | security/tinc 48 | sysutils/dtrace-toolkit 49 | sysutils/flashrom 50 | sysutils/fswatch-mon 51 | sysutils/ipmitool 52 | sysutils/monit 53 | sysutils/mstflint 54 | sysutils/tmux 55 | -------------------------------------------------------------------------------- /poudriere.etc/poudriere.d/BSDRPj-make.conf: -------------------------------------------------------------------------------- 1 | # Default zstd compression is not multithreaded, so it take useless times 2 | # because we store installed packages on the firmware 3 | PKG_COMPRESSION_FORMAT=tar 4 | OPTIONS_UNSET+=DOCS EXAMPLES INFO NLS X11 DOXYGEN 5 | lang_perl5.36_UNSET+=DTRACE 6 | textproc_expat2_SET+=STATIC 7 | net_frr10_SET+=MULTIPATH SCRIPTING 8 | security_strongswan_SET+=MEDIATION GCM 9 | security_strongswan_UNSET+=EAPAKA3GPP2 EAPSIMFILE 
SQLITE UNBOUND LOADTESTER TESTVECTOR 10 | security_openvpn_SET+=DCO 11 | benchmarks_netperf_UNSET+=OMNI 12 | sysutils_flashrom_UNSET+=DMIDECODE FTDI 13 | sysutils_mstflint_SET+=FWMANAGER ADAB 14 | net_bird2_SET+=BMP 15 | net_mtr_UNSET+=JSON 16 | ftp_curl_SET+=GSSAPI_NONE 17 | ftp_curl_UNSET+=GSSAPI_BASE IMAP GOPHER HTTP2 LIBSSH2 POP3 PSL RTSP SMTP TELNET 18 | -------------------------------------------------------------------------------- /poudriere.etc/poudriere.d/BSDRPj-src.conf.amd64: -------------------------------------------------------------------------------- 1 | amdsbwd \ 2 | amdsmn \ 3 | amdtemp \ 4 | blake2 \ 5 | coretemp \ 6 | cpuctl \ 7 | ichwd \ 8 | ioat \ 9 | hifn \ 10 | hyperv \ 11 | padlock \ 12 | qat \ 13 | qat_c2xxx \ 14 | qatfw \ 15 | vmware 16 | -------------------------------------------------------------------------------- /poudriere.etc/poudriere.d/BSDRPj-src.conf.common: -------------------------------------------------------------------------------- 1 | BOOT_BOOT0_COMCONSOLE_SPEED=0 2 | WITHOUT_ACCT= 3 | WITHOUT_AMD= 4 | WITHOUT_APM= 5 | WITHOUT_ASSERT_DEBUG= 6 | WITHOUT_ATF= 7 | WITHOUT_ATM= 8 | WITHOUT_AUDIT= 9 | WITHOUT_AUTHPF= 10 | WITHOUT_AUTOFS= 11 | WITHOUT_BHYVE= 12 | WITHOUT_BLUETOOTH= 13 | WITHOUT_BOOTPARAMD= 14 | WITHOUT_BOOTPD= 15 | WITHOUT_BSDINSTALL= 16 | WITHOUT_CALENDAR= 17 | WITHOUT_CCD= 18 | WITHOUT_CROSS_COMPILER= 19 | WITHOUT_CLANG_FULL= 20 | WITHOUT_CTM= 21 | WITHOUT_CVS= 22 | WITHOUT_DICT= 23 | WITHOUT_EE= 24 | WITHOUT_EXAMPLES= 25 | WITHOUT_FINGER= 26 | WITHOUT_FLOPPY= 27 | WITHOUT_FORTH= 28 | WITHOUT_FREEBSD_UPDATE= 29 | WITHOUT_GAMES= 30 | WITHOUT_GCOV= 31 | WITHOUT_GOOGLETEST= 32 | WITHOUT_GPIO= 33 | WITHOUT_GROFF= 34 | WITHOUT_HAST= 35 | WITHOUT_HTML= 36 | WITHOUT_INFO= 37 | WITHOUT_ISCSI= 38 | WITHOUT_KERBEROS= 39 | WITHOUT_LIB32= 40 | WITHOUT_LINT= 41 | WITHOUT_LLVM_ASSERTIONS= 42 | WITHOUT_LLVM_TARGET_ALL= 43 | WITHOUT_LOADER_FIREWIRE= 44 | WITHOUT_LOADER_GELI= 45 | WITHOUT_LOADER_OFW= 46 | 
WITHOUT_LOADER_UBOOT= 47 | WITHOUT_LOADER_ZFS= 48 | WITHOUT_LOCATE= 49 | WITHOUT_LPR= 50 | WITHOUT_NCP= 51 | WITHOUT_NIS= 52 | WITHOUT_NLS= 53 | WITHOUT_NLS_CATALOGS= 54 | WITHOUT_NS_CACHING= 55 | WITHOUT_PROFILE= 56 | WITHOUT_QUOTAS= 57 | WITHOUT_RBOOTD= 58 | WITHOUT_RESCUE= 59 | WITHOUT_ROUTED= 60 | WITHOUT_SENDMAIL= 61 | WITHOUT_SERVICESDB= 62 | WITHOUT_SHAREDOCS= 63 | WITHOUT_SYSCONS= 64 | WITHOUT_SYSINSTALL= 65 | WITHOUT_TALK= 66 | WITHOUT_TESTS= 67 | WITHOUT_TESTS_SUPPORT= 68 | WITHOUT_TFTP= 69 | WITHOUT_TIMED= 70 | WITHOUT_UNBOUND= 71 | WITHOUT_USB_GADGET_EXAMPLES= 72 | WITHOUT_WIRELESS= 73 | WITHOUT_WPA_SUPPLICANT_EAPOL= 74 | WITH_IDEA= 75 | WITH_OFED= 76 | WITH_DEBUG_FILES= 77 | WITH_RETPOLINE= 78 | WITH_REPRODUCIBLE_BUILD= 79 | WITH_MALLOC_PRODUCTION= 80 | WITH_OPENSSL_KTLS= 81 | WITH_PIE= 82 | WITHOUT_PTHREADS_ASSERTIONS= 83 | MODULES_OVERRIDE= \ 84 | acl_nfs4 \ 85 | backlight \ 86 | bridgestp \ 87 | carp \ 88 | dpdk_lpm4 \ 89 | dpdk_lpm6 \ 90 | dtrace \ 91 | dummynet \ 92 | efirt \ 93 | ena \ 94 | fdescfs \ 95 | fib_dxr \ 96 | hwpmc \ 97 | i2c \ 98 | if_bridge \ 99 | if_disc \ 100 | if_epair \ 101 | if_gre \ 102 | if_infiniband \ 103 | if_lagg \ 104 | if_ovpn \ 105 | if_stf \ 106 | if_tuntap \ 107 | if_vxlan \ 108 | ipdivert \ 109 | ipfilter \ 110 | ipfw \ 111 | ipfw_nat \ 112 | ipfw_nat64 \ 113 | ipfw_nptv6 \ 114 | ipfw_pmod \ 115 | ipmi \ 116 | ipsec \ 117 | ispfw \ 118 | ksyms \ 119 | libalias \ 120 | mlx \ 121 | mlx4 \ 122 | mlx4en \ 123 | mlx5 \ 124 | mlx5en \ 125 | netgraph \ 126 | nullfs \ 127 | opensolaris \ 128 | pf \ 129 | pflog \ 130 | pfsync \ 131 | qlxgb \ 132 | qlxgbe \ 133 | rc4 \ 134 | safe \ 135 | unionfs \ 136 | usb/uether \ 137 | usb/urndis \ 138 | xdr \ 139 | zfs \ 140 | -------------------------------------------------------------------------------- /poudriere.etc/poudriere.d/README.md: -------------------------------------------------------------------------------- 1 | From nanobsd to poudriere 2 | ========================= 3 | 4 | 
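## Work in progress

Converting BSDRP from nanobsd to poudriere image.

More information here:
https://bsdrp.net/documentation/technical_docs/poudriere

--------------------------------------------------------------------------------
/poudriere.etc/poudriere.d/excluded.files:
--------------------------------------------------------------------------------
*.a
usr/obj
usr/sbin/config
usr/lib/debug
usr/share/bhyve
usr/share/examples
usr/share/flua
usr/share/doc
usr/share/man/man3
usr/share/man/man3lua
usr/share/man/man9
usr/share/mk
usr/share/openssl
usr/include
usr/share/misc/magic.mgc
usr/share/misc/termcap.db
--------------------------------------------------------------------------------
/poudriere.etc/poudriere.d/image-BSDRPj-src.conf:
--------------------------------------------------------------------------------
# Still usr/lib/debug, need to delete them with post-script
WITHOUT_DEBUG_FILES=
WITHOUT_TOOLCHAIN=
# Still 26M in /usr/includes, need to delete them with post-script
WITHOUT_INCLUDES=
WITHOUT_KERNEL_SYMBOLS=
WITHOUT_INSTALLLIB=
WITHOUT_FDT=
WITHOUT_SERVICESDB=
--------------------------------------------------------------------------------
/poudriere.etc/poudriere.d/post-script.sh:
--------------------------------------------------------------------------------
#!/bin/sh
#
# poudriere image post-script for BSDRP.
#
# The poudriere cleanup phase is run at 'almost' the last stage (notice
# fstab is generated after), so the overlaydir is already copied and the
# packages are installed when this runs.
#
# Environment (set by poudriere image):
#   WORLDDIR        root of the image tree being built (mandatory)
#   POUDRIERE_DATA  poudriere data dir; the mtree manifest is written to
#                   ${POUDRIERE_DATA}/images/${IMAGENAME}.mtree
#   IMAGENAME       name of the image being built
#
# Cleanup phase (used when the clean way fails). Prefer:
# - WITHOUT_ knobs in image-BSDRPj-src.conf
# - excluding files from the packages to be installed (in pkg.conf)
# over deleting things here.
#
# Not all WITHOUT_ options are correctly applied during image generation:
# - some /usr/include files are still here
# - some ports aren't happy with excluding /usr/local/include (net-snmp)
#
# XXX Need to build /usr/src/tools/tools/netrate/netblast&netreceive

# Abort on the first failing command and on unset variables: a half-applied
# customization would otherwise be silently baked into the image, and the
# mtree manifest generated at the end would then describe it as "good".
set -eu

# If port related, it is recommended to add the list of files to pkg.conf,
# which avoids installing them at all during package installation.
# About pkg-static: https://github.com/freebsd/pkg/issues/2190
TO_REMOVE='
usr/local/sbin/pkg-static
usr/include
usr/local/include
'

if [ -z "${WORLDDIR:-}" ] || [ ! -d "${WORLDDIR}" ]; then
	echo "ERROR: WORLDDIR is empty or not a directory" >&2
	exit 1
fi

# Word-splitting on TO_REMOVE is intended (one relative path per line).
# The target must stay quoted: an unquoted "rm -rf $dir/$i" is exactly the
# kind of line that turns a stray space into a wipe of the build host.
# shellcheck disable=SC2086
for i in ${TO_REMOVE}; do
	rm -rf -- "${WORLDDIR}/${i}"
done

# System customization
# Imported from the nanobsd bsdrp_custom ()
# Mainly renaming NANO_WORLDDIR by WORLDDIR

# boot.config used by boot(8) and uefi(8)
# -D : boot with the dual console configuration
# Disabled: Could generate multiple errors messages on screen
# echo "-D" > ${WORLDDIR}/boot.config

# Replace BSDRP_VERSION in /boot/lua/brand-bsdrp.lua with the version number
# in etc/version. The version string is spliced into a sed expression, so
# refuse anything containing the delimiter or sed's replacement
# metacharacters rather than silently producing a mangled loader brand.
BSDRP_VERSION=$(cat "${WORLDDIR}/etc/version")
case "${BSDRP_VERSION}" in
*[\|\&\\]*|"")
	echo "ERROR: unusable etc/version content: '${BSDRP_VERSION}'" >&2
	exit 1
	;;
esac
sed -i "" -e "s|BSDRP_VERSION|${BSDRP_VERSION}|" "${WORLDDIR}/boot/lua/brand-bsdrp.lua"

# SSH:
# - Allow root (the only user by default)
# - Disable reverse DNS
# Security note: "PermitRootLogin yes" also permits *password* logins for
# root (OpenSSH's own default is prohibit-password). This is a product
# decision for an appliance whose only account is root, not a leftover;
# revisit it if a non-root admin account is ever added.
# sshd_config(5) honours the first value it sees for a keyword, so this
# append only takes effect because the stock file leaves both keywords
# commented out; it is also not idempotent if run twice on the same tree.
(
	echo "UseDNS no"
	echo "PermitRootLogin yes"
) >> "${WORLDDIR}/etc/ssh/sshd_config"

# Disable system beep and enable color with csh
(
	echo "set nobeep"
	echo "setenv CLICOLOR true"
) >> "${WORLDDIR}/etc/csh.cshrc"

# cpio (cust_install_file) doesn't support symlinks, so they are created here.
# Relocate /root/.ssh to /etc/dot.ssh.root: this permits saving root's ssh
# keys (only /etc and /usr/local/etc are saved).
mkdir -p "${WORLDDIR}/etc/dot.ssh.root"
ln -s ../etc/dot.ssh.root "${WORLDDIR}/root/.ssh"
# relocate /root/.* to /etc/dot.*
# (rm -f: whether the base system installed these dotfiles is not relied on)
ln -s ../etc/dot.vimrc "${WORLDDIR}/root/.vimrc"
rm -f "${WORLDDIR}/root/.shrc"
ln -s ../etc/dot.shrc "${WORLDDIR}/root/.shrc"
ln -s ../etc/dot.complete "${WORLDDIR}/root/.complete"
rm -f "${WORLDDIR}/root/.cshrc"
ln -s ../etc/dot.cshrc "${WORLDDIR}/root/.cshrc"
rm -f "${WORLDDIR}/root/.profile"
ln -s ../etc/dot.profile "${WORLDDIR}/root/.profile"

# Add fdesc (mandatory to use bash) and procfs to fstab
(
	echo "fdesc /dev/fd fdescfs rw 0 0"
	echo "proc /proc procfs rw 0 0"
) >> "${WORLDDIR}/etc/fstab"

# relocate /var/cron to /etc/cron
# This permits saving the crontab (only /etc and /usr/local/etc are saved)
mkdir -p "${WORLDDIR}/etc/cron"
rm -rf "${WORLDDIR}/var/cron"
ln -s ../etc/cron "${WORLDDIR}/var/cron"

# Generating mtree
# The manifest records owner/mode/flags/size/link target and a SHA-256
# digest of every file outside ./etc ./var ./tmp ./dev, i.e. the parts of
# the image that are not expected to change at runtime.
echo "Generating mtree..."
IMG_DIR="${POUDRIERE_DATA:?POUDRIERE_DATA must be set}/images"
MTREE="${IMG_DIR}/${IMAGENAME:?IMAGENAME must be set}.mtree"
EXCLUDE="${MTREE}-exclude"
printf '%s\n' ./etc ./var ./tmp ./dev > "${EXCLUDE}"
( cd "${WORLDDIR}" && mtree -x -ic -k flags,gid,mode,nlink,size,link,uid,sha256digest -X "${EXCLUDE}" ) > "${MTREE}"
rm -f "${EXCLUDE}"
--------------------------------------------------------------------------------
/tools/BSDRP-lab-bhyve.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ocochard/BSDRP/8bd71614d24fe94576dc50efda94cd5bc7af581c/tools/BSDRP-lab-bhyve.sh
--------------------------------------------------------------------------------
/tools/BSDRP-lab-vbox.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ocochard/BSDRP/8bd71614d24fe94576dc50efda94cd5bc7af581c/tools/BSDRP-lab-vbox.sh
--------------------------------------------------------------------------------
/tools/bsdrp.lab.gv:
--------------------------------------------------------------------------------
graph BSDRP {
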
label = "BSD Router Project lab"; 3 | overlap = "scale"; 4 | ratio = "fill"; 5 | labelfloat = "true"; 6 | size = "8.0,8.0" 7 | node [shape=circle]; 8 | R1; 9 | R2; 10 | R3; 11 | R4; 12 | node [shape=plaintext]; 13 | LAN1; 14 | edge [fontsize=10, labeldistance=3.0]; 15 | R1 -- R2 [taillabel="em0", headlabel="em1"]; 16 | R1 -- R3 [headlabel="em1", taillabel="em0"]; 17 | R1 -- R4 [headlabel="em1", taillabel="em0"]; 18 | R2 -- R3 [headlabel="em2", taillabel="em2"]; 19 | R2 -- R4 [headlabel="em2", taillabel="em2"]; 20 | R3 -- R4 [headlabel="em2", taillabel="em2"]; 21 | R1 -- LAN1 [taillabel="em2"]; 22 | R2 -- LAN1 [taillabel="em2"]; 23 | R3 -- LAN1 [taillabel="em2"]; 24 | R4 -- LAN1 [taillabel="em2"]; 25 | 26 | } 27 | -------------------------------------------------------------------------------- /tools/ci-qemu-test.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Testing BSDRP with qemu 4 | 5 | set -euf 6 | 7 | PROJECT=TESTING 8 | ARCH=amd64 9 | 10 | die() 11 | { 12 | echo "$*" 1>&2 13 | exit 1 14 | } 15 | 16 | # And, boot in QEMU. 17 | : ${BOOTLOG:=${TMPDIR:-/tmp}/ci-qemu-test-boot.log} 18 | IMG=$(ls workdir/${PROJECT}.${ARCH}/ | grep 'full-amd64-serial.img$') 19 | if [ -z ${IMG} ]; then 20 | echo "DEBUG:" 21 | ls workdir/${PROJECT}.${ARCH}/ 22 | die "No IMG found" 23 | fi 24 | 25 | MD=$(mdconfig -a -t vnode -f workdir/${PROJECT}.${ARCH}/${IMG}) 26 | TMP=$(mktemp -d) 27 | mount /dev/${MD}s3 ${TMP} 28 | cat > ${TMP}/rc.conf.local <&1 | tee ${BOOTLOG} 42 | set -e 43 | 44 | # Check whether we succesfully booted... 
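if grep -q 'Hello world' "${BOOTLOG}"; then
	echo "OK"
else
	# Dump the serial log *before* dying: die() exits, so anything placed
	# after it never runs (the log dump used to be unreachable).
	if [ -r "${BOOTLOG}" ]; then
		echo "Displaying qemu boot log"
		cat "${BOOTLOG}"
	fi
	die "Did not boot successfully, see ${BOOTLOG}"
fi
--------------------------------------------------------------------------------
/tools/review-generate.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Generate images from a Phabricator review DXXXX number:
# 2 images using the TESTING profile (current with minimum patches applied),
# one without the DXXXX patch and another with it.
#
# Usage: review-generate.sh -r D12345
# Runs on the build host as root: writes under /root/images/<REVIEW> and
# modifies the TESTING/ tree (git clean, patches/, Files/etc/version).

set -eu
REVIEW=""

# Update source for TESTING (re-using update script)
# Check for unwanted patches (git status | remove?)
# make directory and build reference and patched images

usage () {
	echo "Usage: $0 -r REVIEW-ID   (REVIEW-ID looks like D12345)"
	exit 0
}

die () {
	echo "ERROR: $*" >&2
	exit 1
}

### Main function ###

[ $# -lt 1 ] && usage

while getopts "r:" FLAG; do
	case "${FLAG}" in
	r)
		REVIEW="$OPTARG"
		;;
	*)
		break
	esac
done

shift $((OPTIND-1))

[ -z "${REVIEW}" ] && usage

# REVIEW is spliced into a URL, a filename and paths under /root/images and
# TESTING/patches, so accept only the D<digits> form: anything else
# ("../..", a "?query", shell metacharacters) must never reach those commands.
printf '%s\n' "${REVIEW}" | grep -Eq '^D[0-9]+$' \
	|| die "review id must look like D12345, got '${REVIEW}'"

PATCH="freebsd.${REVIEW}.patch"

# Start by downloading the patch and sanity-checking it before launching
# two long builds: an empty reply or an HTML error page must not end up
# in TESTING/patches/ and be "applied".
fetch -o "${PATCH}" "https://reviews.freebsd.org/${REVIEW}?download=true"
[ -s "${PATCH}" ] || die "empty download for ${REVIEW}"
grep -Eq '^(diff |--- |Index: )' "${PATCH}" \
	|| die "${PATCH} does not look like a unified diff"

# Deliberately no -p: a directory left by a previous run for the same
# review makes this fail instead of silently mixing two sets of images.
mkdir "/root/images/${REVIEW}"
git clean -fd TESTING/patches/
tools/update-svn.sh TESTING
REV=$(grep -E '^SRC_REV=' TESTING/make.conf | cut -d '"' -f 2)
[ -n "${REV}" ] || die "SRC_REV not found in TESTING/make.conf"

# Reference image (without the review patch)
echo "r${REV}" > TESTING/Files/etc/version
./make.sh -c serial -p TESTING -u
mv workdir/TESTING.amd64/BSDRP-r"${REV}"-* "/root/images/${REVIEW}"

# Patched image
mv "${PATCH}" TESTING/patches/
echo "r${REV}${REVIEW}" > TESTING/Files/etc/version
./make.sh -c serial -p TESTING -u
mv workdir/TESTING.amd64/BSDRP-r"${REV}${REVIEW}"-* "/root/images/${REVIEW}"

--------------------------------------------------------------------------------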
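/tools/validate-image.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Small script testing to boot image disk until login: prompt
#
# Usage: validate-image.sh IMAGES_DIR
# Boots every BSDRP-*full*.img / .img.xz found in IMAGES_DIR in the bhyve
# lab (serial console on /dev/nmdm1B), waits up to 30s for a "login:"
# prompt and records "Success:"/"Failed:" per image in a report file whose
# path is printed at the end.
# Must run as root (bhyve, nmdm); needs expect(1) and BSDRP-lab-bhyve.sh.

set -eu

BSDRP_DIR="/usr/local/BSDRP/tools"

# A usefull function (from: http://code.google.com/p/sh-die/)
die() { echo -n "ERROR: " >&2; echo "$@" >&2; exit 1; }

# Temporary files. The report and the expect helper used to live at fixed
# names under /tmp; the helper is then chmod +x'ed and executed by root, so
# a predictable path in a world-writable directory lets any local user
# pre-create it (or a symlink to it) and have their content run as root.
# mktemp(1) gives unpredictable, owner-only names instead. The report is
# kept (its path is printed), the helper is removed on exit.
CR=$(mktemp -t validate-images-status.XXXXXX) || die "mktemp failed"
WORK=$(mktemp -d -t validate-image.XXXXXX) || die "mktemp -d failed"
WAIT_FOR_LOGIN="${WORK}/wait-for-login"
trap 'rm -rf -- "${WORK}"' EXIT

# $1: image file handed to the lab script (-i); the lab is stopped first
run_vm () {
	echo "stop BSDRP-bhyve lab..."
	"${BSDRP_DIR}/BSDRP-lab-bhyve.sh" -s
	"${BSDRP_DIR}/BSDRP-lab-bhyve.sh" -e -i "$1"
}

# $1: image name recorded in the report; result comes from the expect helper
test_vm () {
	if "${WAIT_FOR_LOGIN}"; then
		echo "Success: $1" >> "${CR}"
	else
		echo "Failed: $1" >> "${CR}"
	fi
}

stop_vm () {
	"${BSDRP_DIR}/BSDRP-lab-bhyve.sh" -s
	"${BSDRP_DIR}/BSDRP-lab-bhyve.sh" -d
}
### main

[ $# -lt 1 ] && die "Missing directory as argument"

[ -f "${BSDRP_DIR}/BSDRP-lab-bhyve.sh" ] || die "Can't found BSDRP-lab-bhyve.sh"
[ -f /usr/local/bin/expect ] || die "Can't found expect installed"

IMAGES_DIR=$1

if ! [ -d "${IMAGES_DIR}" ]; then
	die "${IMAGES_DIR} is not a directory"
fi

# Quoted delimiter: the expect script is written literally, nothing expanded.
cat <<'EOF' >"${WAIT_FOR_LOGIN}"
#!/usr/local/bin/expect -f
set timeout 30
spawn cu -l /dev/nmdm1B

expect {
	"login:" { puts "Login detected"; exit 0}
	timeout { puts "Timeout"; exit 1 }
}
EOF
chmod +x "${WAIT_FOR_LOGIN}"

echo "Testing to boot VM until to reach login prompt"
# Same selection as the former "ls | egrep 'full.*\.img($|\.xz)'", done with
# globs so that file names are never word-split or re-globbed.
for IMAGE in "${IMAGES_DIR}"/BSDRP-*full*.img "${IMAGES_DIR}"/BSDRP-*full*.img.xz; do
	[ -e "${IMAGE}" ] || continue
	run_vm "${IMAGE}"
	test_vm "${IMAGE}"
	stop_vm
done

echo "Results written to ${CR}:"
cat "${CR}"
--------------------------------------------------------------------------------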