BastilleBSD/bastille
2
0
Fork 0
Code Pull Requests Actions Packages Releases Activity

Merge pull request #435 from CamilionEU/evilham-improve-ipv6-and-dualstack-creation

Browse Source 
[WIP] [feedback required] Improve dualstack and IPv6 support on jail creation
This commit is contained in:
Christer Edwards
2022-10-17 20:35:32 -06:00
committed by GitHub
parent f1d73a0c02 f6f179b6c3
commit 0dcefae18c
1 changed files with 78 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files
usr/local/share/bastille/create.sh
+64 -21
View File
@@ -69,17 +69,20 @@ validate_name() {
} }
validate_ip() { validate_ip() {
IPX_ADDR="ip4.addr" ipx_addr="ip4.addr"
IP6_MODE="disable" ip="$1"
ip6=$(echo "${IP}" | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))') ip6=$(echo "${ip}" | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$)|SLAAC)')
if [ -n "${ip6}" ]; then if [ -n "${ip6}" ]; then
info "Valid: (${ip6})." info "Valid: (${ip6})."
IPX_ADDR="ip6.addr" ipx_addr="ip6.addr"
IP6_MODE="new" IP6_MODE="new"
else
if [ "${ip}" = "DHCP" ]; then
info "Valid: (${ip})."
else else
local IFS local IFS
if echo "${IP}" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then if echo "${ip}" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then
TEST_IP=$(echo "${IP}" | cut -d / -f1) TEST_IP=$(echo "${ip}" | cut -d / -f1)
IFS=. IFS=.
set ${TEST_IP} set ${TEST_IP}
for quad in 1 2 3 4; do for quad in 1 2 3 4; do
@@ -91,12 +94,32 @@ validate_ip() {
if ifconfig | grep -qw "${TEST_IP}"; then if ifconfig | grep -qw "${TEST_IP}"; then
warn "Warning: IP address already in use (${TEST_IP})." warn "Warning: IP address already in use (${TEST_IP})."
else else
info "Valid: (${IP})." info "Valid: (${ip})."
fi fi
else else
error_exit "Invalid: (${IP})." error_exit "Invalid: (${ip})."
fi fi
fi fi
fi
if echo "${ip}" | grep -qvE '(SLAAC|DHCP|0[.]0[.]0[.]0)'; then
if [ "${ipx_addr}" = "ip4.addr" ]; then
IP4_ADDR="${ip}"
IP4_DEFINITION="${ipx_addr}=${ip};"
else
IP6_ADDR="${ip}"
IP6_DEFINITION="${ipx_addr}=${ip};"
fi
fi
}
validate_ips() {
IP6_MODE="disable"
IP4_DEFINITION=""
IP6_DEFINITION=""
IP4_ADDR=""
IP6_ADDR=""
for ip in ${IP}; do
validate_ip "${ip}"
done
} }
validate_netif() { validate_netif() {
@@ -157,7 +180,8 @@ ${NAME} {
securelevel = 2; securelevel = 2;
interface = ${bastille_jail_conf_interface}; interface = ${bastille_jail_conf_interface};
${IPX_ADDR} = ${IP}; ${IP4_DEFINITION}
${IP6_DEFINITION}
ip6 = ${IP6_MODE}; ip6 = ${IP6_MODE};
} }
EOF EOF
@@ -479,25 +503,44 @@ create_jail() {
_gateway='' _gateway=''
_gateway6='' _gateway6=''
_ifconfig=SYNCDHCP _ifconfig_inet=''
if [ "${IP}" != "0.0.0.0" ]; then # not using DHCP, so set static address. _ifconfig_inet6=''
if [ -n "${ip6}" ]; then if echo "${IP}" | grep -qE '(0[.]0[.]0[.]0|DHCP)'; then
_ifconfig="inet6 ${IP}" # Enable DHCP if requested
_ifconfig_inet=SYNCDHCP
else else
_ifconfig="inet ${IP}" # Else apply the default gateway
fi
if [ -n "${bastille_network_gateway}" ]; then if [ -n "${bastille_network_gateway}" ]; then
_gateway="${bastille_network_gateway}" _gateway="${bastille_network_gateway}"
elif [ -n "${bastille_network_gateway6}" ]; then else
_gateway="$(netstat -rn | awk '/default/ {print $2}')"
fi
fi
# Add IPv4 address (this is empty if DHCP is used)
if [ -n "${IP4_ADDR}" ]; then
_ifconfig_inet="${_ifconfig_inet} inet ${IP4_ADDR}"
fi
# Enable IPv6 if used
if [ "${IP6_MODE}" != "disable" ]; then
_ifconfig_inet6='inet6 -ifdisabled'
if echo "${IP}" | grep -qE 'SLAAC'; then
# Enable SLAAC if requested
_ifconfig_inet6="${_ifconfig_inet6} accept_rtadv"
else
# Else apply the default gateway
if [ -n "${bastille_network_gateway6}" ]; then
_gateway6="${bastille_network_gateway6}" _gateway6="${bastille_network_gateway6}"
else else
if [ -z ${ip6} ]; then _gateway6="$(netstat -6rn | awk '/default/ {print $2}')"
_gateway="$(netstat -4rn | awk '/default/ {print $2}')"
else
_gateway="$(netstat -6rn | awk '/default/ {print $2}')"
fi fi
fi fi
fi fi
# Add IPv6 address (this is empty if SLAAC is used)
if [ -n "${IP6_ADDR}" ]; then
_ifconfig_inet6="${_ifconfig_inet6} ${IP6_ADDR}"
fi
# Join together IPv4 and IPv6 parts of ifconfig
_ifconfig="${_ifconfig_inet} ${_ifconfig_inet6}"
bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg GATEWAY6="${_gateway6}" --arg IFCONFIG="${_ifconfig}" bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg GATEWAY6="${_gateway6}" --arg IFCONFIG="${_ifconfig}"
fi fi
elif [ -n "${THICK_JAIL}" ]; then elif [ -n "${THICK_JAIL}" ]; then
@@ -740,7 +783,7 @@ if [ -z "${EMPTY_JAIL}" ]; then
## check if ip address is valid ## check if ip address is valid
if [ -n "${IP}" ]; then if [ -n "${IP}" ]; then
validate_ip validate_ips
else else
usage usage
fi fi