#!/bin/ash # shellcheck shell=dash # alpine / debian initrd 共用此脚本 # accept_ra 接收 RA + 自动配置网关 # autoconf 自动配置地址,依赖 accept_ra mac_addr=$1 ipv4_addr=$2 ipv4_gateway=$3 ipv6_addr=$4 ipv6_gateway=$5 is_in_china=$6 DHCP_TIMEOUT=15 DNS_FILE_TIMEOUT=5 TEST_TIMEOUT=10 # 检测是否有网络是通过检测这些 IP 的端口是否开放 # 因为 debian initrd 没有 nslookup # 改成 generate_204?但检测网络时可能 resolv.conf 为空 # HTTP 80 # HTTPS/DOH 443 # DOT 853 if $is_in_china; then ipv4_dns1='223.5.5.5' ipv4_dns2='119.29.29.29' # 不开放 853 ipv6_dns1='2400:3200::1' ipv6_dns2='2402:4e00::' # 不开放 853 else ipv4_dns1='1.1.1.1' ipv4_dns2='8.8.8.8' # 不开放 80 ipv6_dns1='2606:4700:4700::1111' ipv6_dns2='2001:4860:4860::8888' # 不开放 80 fi # 找到主网卡 # debian 11 initrd 没有 xargs awk # debian 12 initrd 没有 xargs get_ethx() { # 过滤 azure vf (带 master ethx) # 2: eth0: mtu 1500 qdisc mq state UP qlen 1000\ link/ether 60:45:bd:21:8a:51 brd ff:ff:ff:ff:ff:ff # 3: eth1: mtu 1500 qdisc mq master eth0 state UP qlen 1000\ link/ether 60:45:bd:21:8a:51 brd ff:ff:ff if false; then ip -o link | grep -i "$mac_addr" | grep -v master | awk '{print $2}' | cut -d: -f1 else ip -o link | grep -i "$mac_addr" | grep -v master | cut -d' ' -f2 | cut -d: -f1 fi } get_ipv4_gateway() { # debian 11 initrd 没有 xargs awk # debian 12 initrd 没有 xargs ip -4 route show default dev "$ethx" | head -1 | cut -d ' ' -f3 } get_ipv6_gateway() { # debian 11 initrd 没有 xargs awk # debian 12 initrd 没有 xargs ip -6 route show default dev "$ethx" | head -1 | cut -d ' ' -f3 } get_first_ipv4_addr() { # debian 11 initrd 没有 xargs awk # debian 12 initrd 没有 xargs if false; then ip -4 -o addr show scope global dev "$ethx" | head -1 | awk '{print $4}' else ip -4 -o addr show scope global dev "$ethx" | head -1 | grep -o '[0-9\.]*/[0-9]*' fi } get_first_ipv4_gateway() { # debian 11 initrd 没有 xargs awk # debian 12 initrd 没有 xargs if false; then ip -4 route show default dev "$ethx" | head -1 | awk '{print $3}' else ip -4 route show default dev "$ethx" | head -1 | cut -d' ' -f3 fi } remove_netmask() { cut -d/ -f1 } get_first_ipv6_addr() { # debian 11 initrd 没有 xargs awk # debian 12 initrd 没有 xargs if false; then ip -6 -o addr show scope global dev "$ethx" | head -1 | awk '{print $4}' else ip -6 -o addr show scope global dev "$ethx" | head -1 | grep -o '[0-9a-f\:]*/[0-9]*' fi } get_first_ipv6_gateway() { # debian 11 initrd 没有 xargs awk # debian 12 initrd 没有 xargs if false; then ip -6 route show default dev "$ethx" | head -1 | awk '{print $3}' else ip -6 route show default dev "$ethx" | head -1 | cut -d' ' -f3 fi } is_have_ipv4_addr() { ip -4 addr show scope global dev "$ethx" | grep -q inet } is_have_ipv6_addr() { ip -6 addr show scope global dev "$ethx" | grep -q inet6 } is_have_ipv4_gateway() { ip -4 route show default dev "$ethx" | grep -q . } is_have_ipv6_gateway() { ip -6 route show default dev "$ethx" | grep -q . } is_have_ipv4() { is_have_ipv4_addr && is_have_ipv4_gateway } is_have_ipv6() { is_have_ipv6_addr && is_have_ipv6_gateway } is_have_ipv4_dns() { [ -f /etc/resolv.conf ] && grep -q '^nameserver .*\.' /etc/resolv.conf } is_have_ipv6_dns() { [ -f /etc/resolv.conf ] && grep -q '^nameserver .*:' /etc/resolv.conf } add_missing_ipv4_config() { if [ -n "$ipv4_addr" ] && [ -n "$ipv4_gateway" ]; then if ! is_have_ipv4_addr; then ip -4 addr add "$ipv4_addr" dev "$ethx" fi if ! is_have_ipv4_gateway; then # 如果 dhcp 无法设置onlink网关,那么在这里设置 # debian 9 ipv6 不能识别 onlink,但 ipv4 能识别 onlink if true; then ip -4 route add "$ipv4_gateway" dev "$ethx" ip -4 route add default via "$ipv4_gateway" dev "$ethx" else ip -4 route add default via "$ipv4_gateway" dev "$ethx" onlink fi fi fi } add_missing_ipv6_config() { if [ -n "$ipv6_addr" ] && [ -n "$ipv6_gateway" ]; then if ! is_have_ipv6_addr; then ip -6 addr add "$ipv6_addr" dev "$ethx" fi if ! is_have_ipv6_gateway; then # 如果 dhcp 无法设置onlink网关,那么在这里设置 # debian 9 ipv6 不能识别 onlink if true; then ip -6 route add "$ipv6_gateway" dev "$ethx" ip -6 route add default via "$ipv6_gateway" dev "$ethx" else ip -6 route add default via "$ipv6_gateway" dev "$ethx" onlink fi fi fi } is_need_test_ipv4() { is_have_ipv4 && ! $ipv4_has_internet } is_need_test_ipv6() { is_have_ipv6 && ! $ipv6_has_internet } # 测试方法: # ping 有的机器禁止 # nc 测试 dot doh 端口是否开启 # wget 测试下载 # initrd 里面的软件版本,是否支持指定源IP/网卡 # 软件 nc wget nslookup # debian9 × √ 没有此软件 # alpine √ × × test_by_wget() { src=$1 dst=$2 # ipv6 需要添加 [] if echo "$dst" | grep -q ':'; then url="https://[$dst]" else url="https://$dst" fi # tcp 443 通了就算成功,不管 http 是不是 404 wget -T "$TEST_TIMEOUT" \ --bind-address="$src" \ --no-check-certificate \ --max-redirect 0 \ --tries 1 \ -O /dev/null \ "$url" 2>&1 | grep -iq connected } test_by_nc() { src=$1 dst=$2 # tcp 443 通了就算成功 nc -z -v \ -w "$TEST_TIMEOUT" \ -s "$src" \ "$dst" 443 } is_debian_kali() { [ -f /etc/lsb-release ] && grep -Eiq 'Debian|Kali' /etc/lsb-release } test_connect() { if is_debian_kali; then test_by_wget "$1" "$2" else test_by_nc "$1" "$2" fi } test_internet() { for i in $(seq 5); do echo "Testing Internet Connection. Test $i... " if is_need_test_ipv4 && test_connect "$(get_first_ipv4_addr | remove_netmask)" "$ipv4_dns1" >/dev/null 2>&1; then echo "IPv4 has internet." ipv4_has_internet=true fi if is_need_test_ipv6 && test_connect "$(get_first_ipv6_addr | remove_netmask)" "$ipv6_dns1" >/dev/null 2>&1; then echo "IPv6 has internet." ipv6_has_internet=true fi if ! is_need_test_ipv4 && ! is_need_test_ipv6; then break fi sleep 1 done } flush_ipv4_config() { ip -4 addr flush scope global dev "$ethx" ip -4 route flush dev "$ethx" } should_disable_accept_ra=false should_disable_autoconf=false flush_ipv6_config() { if $should_disable_accept_ra; then echo 0 >"/proc/sys/net/ipv6/conf/$ethx/accept_ra" fi if $should_disable_autoconf; then echo 0 >"/proc/sys/net/ipv6/conf/$ethx/autoconf" fi ip -6 addr flush scope global dev "$ethx" ip -6 route flush dev "$ethx" } ethx=$(get_ethx) if [ -z "$ethx" ]; then echo "Not found network card: $mac_addr" exit fi echo "Configuring $ethx ($mac_addr)..." # 开启 ethx ip link set dev "$ethx" up sleep 1 # 开启 dhcpv4/v6 # debian / kali if [ -f /usr/share/debconf/confmodule ]; then # shellcheck source=/dev/null . /usr/share/debconf/confmodule db_progress STEP 1 # dhcpv4 # 无需等待写入 dns,在 dhcpv6 等待 db_progress INFO netcfg/dhcp_progress udhcpc -i "$ethx" -f -q -n || true db_progress STEP 1 # slaac + dhcpv6 db_progress INFO netcfg/slaac_wait_title # https://salsa.debian.org/installer-team/netcfg/-/blob/master/autoconfig.c#L148 cat </var/lib/netcfg/dhcp6c.conf interface $ethx { send ia-na 0; request domain-name-servers; request domain-name; script "/lib/netcfg/print-dhcp6c-info"; }; id-assoc na 0 { }; EOF dhcp6c -c /var/lib/netcfg/dhcp6c.conf "$ethx" || true sleep $DHCP_TIMEOUT # 等待获取 ip 和写入 dns # kill-all-dhcp kill -9 "$(cat /var/run/dhcp6c.pid)" || true db_progress STEP 1 # 静态 + 检测网络提示 db_subst netcfg/link_detect_progress interface "$ethx" db_progress INFO netcfg/link_detect_progress else # alpine # h3c 移动云电脑使用 udhcpc 会重复提示 sending select,无法获得 ipv6,因此使用 dhcpcd method=dhcpcd case "$method" in udhcpc) udhcpc -i "$ethx" -f -q -n || true udhcpc6 -i "$ethx" -f -q -n || true sleep $DNS_FILE_TIMEOUT # 好像不用等待写入 dns,但是以防万一 ;; dhcpcd) # https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/dhcpcd/dhcpcd.pre-install grep -q dhcpcd /etc/group || addgroup -S dhcpcd grep -q dhcpcd /etc/passwd || adduser -S -D -H \ -h /var/lib/dhcpcd \ -s /sbin/nologin \ -G dhcpcd \ -g dhcpcd \ dhcpcd # --noipv4ll 禁止生成 169.254.x.x if false; then # 等待 DHCP 全过程 timeout $DHCP_TIMEOUT \ dhcpcd --persistent --noipv4ll --nobackground "$ethx" else # 等待 DNS dhcpcd --persistent --noipv4ll "$ethx" # 获取到 IP 后立即切换到后台 sleep $DNS_FILE_TIMEOUT # 需要等待写入 dns dhcpcd -x "$ethx" # 终止 fi ;; esac fi # 等待slaac # 有ipv6地址就跳过,不管是slaac或者dhcpv6 # 因为会在trans里判断 # 这里等待5秒就够了,因为之前尝试获取dhcp6也用了一段时间 for i in $(seq 5 -1 0); do is_have_ipv6 && break echo "waiting slaac for ${i}s" sleep 1 done # 记录是否有动态地址 # 由于还没设置静态ip,所以有条目表示有动态地址 is_have_ipv4_addr && dhcpv4=true || dhcpv4=false is_have_ipv6_addr && dhcpv6_or_slaac=true || dhcpv6_or_slaac=false if is_have_ipv6_gateway; then ra_has_gateway=true ipv6_gateway_from_ra=$(get_ipv6_gateway) else ra_has_gateway=false fi # 如果自动获取的 IP 不是重装前的,则改成静态,使用之前的 IP # 只比较 IP,不比较掩码/网关,因为 # 1. 假设掩码/网关导致无法上网,后面也会检测到并改成静态 # 2. openSUSE wicked dhcpv6 是 64 位掩码,aws lightsail 模板上的也是,而其它 dhcpv6 软件都是 128 位掩码 if $dhcpv4 && [ -n "$ipv4_addr" ] && [ -n "$ipv4_gateway" ] && ! [ "$(echo "$ipv4_addr" | cut -d/ -f1)" = "$(get_first_ipv4_addr | cut -d/ -f1)" ]; then echo "IPv4 address obtained from DHCP is different from old system." dhcpv4=false flush_ipv4_config fi if $dhcpv6_or_slaac && [ -n "$ipv6_addr" ] && [ -n "$ipv6_gateway" ] && ! [ "$(echo "$ipv6_addr" | cut -d/ -f1)" = "$(get_first_ipv6_addr | cut -d/ -f1)" ]; then echo "IPv6 address obtained from SLAAC/DHCPv6 is different from old system." dhcpv6_or_slaac=false should_disable_accept_ra=true should_disable_autoconf=true flush_ipv6_config fi # 设置静态地址,或者设置 debian 9 udhcpc 无法设置的网关 add_missing_ipv4_config add_missing_ipv6_config # 检查 ipv4/ipv6 是否连接联网 ipv4_has_internet=false ipv6_has_internet=false test_internet # 如果无法上网,并且自动获取的 掩码/网关 不是重装前的,则改成静态 # ip_addr 包括 IP/掩码,所以可以用来判断掩码是否不同 # IP 不同的情况在前面已经改成静态了 if ! $ipv4_has_internet && $dhcpv4 && [ -n "$ipv4_addr" ] && [ -n "$ipv4_gateway" ] && ! { [ "$ipv4_addr" = "$(get_first_ipv4_addr)" ] || [ "$ipv4_gateway" = "$(get_first_ipv4_gateway)" ]; }; then echo "IPv4 netmask/gateway obtained from DHCP is different from old system." dhcpv4=false flush_ipv4_config add_missing_ipv4_config test_internet fi if ! $ipv6_has_internet && $dhcpv6_or_slaac && [ -n "$ipv6_addr" ] && [ -n "$ipv6_gateway" ] && ! { [ "$ipv6_addr" = "$(get_first_ipv6_addr)" ] || [ "$ipv6_gateway" = "$(get_first_ipv6_gateway)" ]; }; then echo "IPv6 netmask/gateway obtained from SLAAC/DHCPv6 is different from old system." dhcpv6_or_slaac=false should_disable_accept_ra=true should_disable_autoconf=true flush_ipv6_config add_missing_ipv6_config test_internet fi # 如果是静态地址(包括动态无法上网而改成静态的),但是 RA 有网关且和正确的网关不同,要关闭 RA,避免自动设置网关 # TODO: 测试 RA 给的网关和静态设置的网关的优先级 if $ipv6_has_internet && ! $dhcpv6_or_slaac && $ra_has_gateway && ! [ "$(get_first_ipv6_gateway)" = "$ipv6_gateway_from_ra" ]; then echo "Ignore IPv6 gateway from RA." should_disable_accept_ra=true fi # 要删除不联网协议的ip,因为 # 1 甲骨文云管理面板添加ipv6地址然后取消 # 依然会分配ipv6地址,但ipv6没网络 # 此时alpine只会用ipv6下载apk,而不用会ipv4下载 # 2 有ipv4地址但没有ipv4网关的情况(vultr),aria2会用ipv4下载 if $ipv4_has_internet && ! $ipv6_has_internet; then flush_ipv6_config elif ! $ipv4_has_internet && $ipv6_has_internet; then flush_ipv4_config fi # 如果联网了,但没获取到默认 DNS,则添加我们的 DNS if $ipv4_has_internet && ! { [ -e /etc/resolv.conf ] && is_have_ipv4_dns; }; then echo "nameserver $ipv4_dns1" >>/etc/resolv.conf echo "nameserver $ipv4_dns2" >>/etc/resolv.conf fi if $ipv6_has_internet && ! { [ -e /etc/resolv.conf ] && is_have_ipv6_dns; }; then echo "nameserver $ipv6_dns1" >>/etc/resolv.conf echo "nameserver $ipv6_dns2" >>/etc/resolv.conf fi # 传参给 trans.start netconf="/dev/netconf/$ethx" mkdir -p "$netconf" $dhcpv4 && echo 1 >"$netconf/dhcpv4" || echo 0 >"$netconf/dhcpv4" $dhcpv6_or_slaac && echo 1 >"$netconf/dhcpv6_or_slaac" || echo 0 >"$netconf/dhcpv6_or_slaac" $should_disable_accept_ra && echo 1 >"$netconf/should_disable_accept_ra" || echo 0 >"$netconf/should_disable_accept_ra" $should_disable_autoconf && echo 1 >"$netconf/should_disable_autoconf" || echo 0 >"$netconf/should_disable_autoconf" $is_in_china && echo 1 >"$netconf/is_in_china" || echo 0 >"$netconf/is_in_china" echo "$ethx" >"$netconf/ethx" echo "$mac_addr" >"$netconf/mac_addr" echo "$ipv4_addr" >"$netconf/ipv4_addr" echo "$ipv4_gateway" >"$netconf/ipv4_gateway" echo "$ipv6_addr" >"$netconf/ipv6_addr" echo "$ipv6_gateway" >"$netconf/ipv6_gateway" $ipv4_has_internet && echo 1 >"$netconf/ipv4_has_internet" || echo 0 >"$netconf/ipv4_has_internet" $ipv6_has_internet && echo 1 >"$netconf/ipv6_has_internet" || echo 0 >"$netconf/ipv6_has_internet"