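#!/usr/sbin/sh
#
# Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
#
# This service configures IP tunnel links and IP interfaces over IP
# tunnels.
#
# Methods handled (first argument): start, refresh, stop, unconfigure.
#

. /lib/svc/share/smf_include.sh
. /lib/svc/share/net_include.sh

# There's nothing to do in shared-IP zones
smf_configure_ip || exit $SMF_EXIT_OK

#
# Configure tunnels which were deferred by /lib/svc/method/net-physical (the
# svc:/network/physical service) since it depends on the tunnel source
# addresses being available.
#
# WARNING: you may wish to turn OFF forwarding if you haven't already, because
# of various possible security vulnerabilities when configuring tunnels for
# Virtual Private Network (VPN) construction.
#
# Also, since the /etc/hostname*.* files have been obsoleted, ipadm(1M)
# should be used to create persistent configuration for IP tunnels.
#
# NOTE(review): $DLADM and $IPADM are not assigned in this file; presumably
# they are set by one of the include files sourced above -- confirm.  They are
# left unquoted below because their definitions are not visible here.
#

#
# get_tunnel_links: print the names of the tunnel links currently configured
# on the running system.
#
# Output: whatever "show-iptun -p -o link" prints on stdout (the callers below
# word-split it into one link name per word).
#
get_tunnel_links ()
{
	$DLADM show-iptun -p -o link
}

#
# teardown_tunnels: disable the IP interface on every tunnel link reported by
# get_tunnel_links, then take the tunnel links down.
#
# Sets the shell variables tunnel_links and tun as a side effect.
# Returns the exit status of the final "down-iptun" command.
#
teardown_tunnels()
{
	tunnel_links=`get_tunnel_links`

	#
	# Unplumb IP interfaces.  $tunnel_links is deliberately unquoted so
	# that it splits into one link name per iteration; each name is quoted
	# when it is passed on as an argument.  -t keeps the change temporary.
	# Output and errors are discarded, so a link without an IP interface
	# does not abort or clutter the teardown.
	#
	for tun in $tunnel_links; do
		$IPADM disable-if -t "$tun" > /dev/null 2>&1
	done

	#
	# Take down the IP tunnel links.  No link name is given; presumably
	# this applies to all tunnel links -- see dladm(1M).
	#
	$DLADM down-iptun
}

case "$1" in
start|refresh)
	#
	# First, remove any tunnel links left over from previous profile
	# activation when the start method runs.
	#
	if [ "$1" = "start" ]; then
		teardown_tunnels
	fi

	#
	# Now, bring up tunnel links.  If a tunnel link has already been
	# brought up, then subsequent "up-iptun" (by the refresh command) will
	# not have any effect on that link.
	#
	$DLADM up-iptun

	#
	# Get the list of IP tunnel interfaces we'll need to configure.  These
	# are comprised of IP interfaces over the tunnels we've just brought
	# up in the above dladm command.
	#
	tunnel_interfaces=`get_tunnel_links | /usr/bin/sort -u`
	for intf_name in $tunnel_interfaces; do
		#
		# Initialize the tunnel link properties
		#
		$DLADM init-linkprop "$intf_name"

		#
		# Configure IP tunnel interfaces set up using ipadm.  $? below
		# is the exit status of the show-if command substitution.
		#
		state=`$IPADM show-if -p -o state "$intf_name" 2>/dev/null`
		if [ $? -ne 0 ] || [ "$state" != "disabled" ]; then
			#
			# skip if not managed by ipadm or if not a persistent
			# interface or already enabled
			#
			continue
		else
			# Enable the interface managed by ipadm
			$IPADM enable-if -t "$intf_name"
		fi
	done

	#
	# Set 6to4 Relay Router communication support policy and, if
	# applicable, the destination Relay Router IPv4 address.  See
	# /etc/default/inetinit for setting and further info on
	# ACCEPT6TO4RELAY and RELAY6TO4ADDR.  If ACCEPT6TO4RELAY=NO, the
	# default value in the kernel will be used.
	#
	# /etc/default/inetinit is sourced, i.e. executed as shell code by
	# this method, so it must be writable only by the administrator.  If
	# the file is absent, ACCEPT6TO4RELAY and RELAY6TO4ADDR keep whatever
	# values the method's environment already holds; nothing resets them
	# here.
	#
	[ -f /etc/default/inetinit ] && . /etc/default/inetinit
	ACCEPT6TO4RELAY=`echo "$ACCEPT6TO4RELAY" | /usr/bin/tr '[A-Z]' '[a-z]'`
	if [ "$ACCEPT6TO4RELAY" = yes ]; then
		#
		# NOTE(review): enabling relay router support changes which
		# peers the 6to4 tunnel exchanges traffic with; review
		# 6to4relay(1M) before setting ACCEPT6TO4RELAY=YES.
		#
		if [ "$RELAY6TO4ADDR" ]; then
			# Quoted so the configured value is passed as exactly
			# one argument to -a, never split into extra options.
			/usr/sbin/6to4relay -e -a "$RELAY6TO4ADDR"
		else
			/usr/sbin/6to4relay -e
		fi
	fi
	;;

stop)
	teardown_tunnels
	;;

unconfigure)
	#
	# Delete the IP interface and then the tunnel link itself for every
	# tunnel link.  delete-ip output and errors are discarded; delete-iptun
	# errors are left visible.
	#
	for tun in `get_tunnel_links`; do
		$IPADM delete-ip "$tun" > /dev/null 2>&1
		$DLADM delete-iptun "$tun"
	done
	;;

*)
	# "refresh" is accepted above, so it is listed here as well.
	echo "Usage: $0 { start | refresh | stop | unconfigure }"
	exit 1
	;;
esac

exit $SMF_EXIT_OK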