Merge pull request #144 from cedwards/0_6_release_prep

preparation for 0.6x initial release
2020-02-05 19:04:23 -07:00 · 2020-02-05 19:02:19 -07:00 · 2020-02-05 12:35:54 -07:00 · 2020-02-05 12:25:36 -07:00 · 2020-02-05 07:00:11 -04:00 · 2020-02-05 09:12:31 +01:00
44 changed files with 1773 additions and 581 deletions
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -2,29 +2,35 @@
 ## Lead
-Christer Edwards [christer.edwards@gmail.com]
+Christer Edwards [christer.edwards@gmail.com]  
-## Contributors
+## Contributors (code)
-Barry McCormick
+Barry McCormick  
-Jose Rivera
+Brian Downs  
-Giacomo Olgeni
+Dave Cottlehuber  
-Jan-Piet Mens
+Giacomo Olgeni  
 JP Mens  
 Jose Rivera  
 Lars E.  
 Paul C.  
 Sven R.  
 ### Special thanks
 Software doesn't happen in a vacuum. Thank you to the following people who may
-not be found in the commit history.
+not be found in the commit history but have influenced Bastille's development
 in some way.
-Barry McCormick
+Carlos Meza  
-Carlos Meza
+Casandra Woodcox  
-Casandra Woodcox
+Clint Savage  
-Clint Savage
+G. Clifford Williams  
-G. Clifford Williams
+Jack Thomasson  
-Jack Thomasson
+Jun C Park  
-Jun C Park
+Justin Desilets  
-Justin Desilets
+Larry Raab  
-Larry Raab
+Nate Taylor  
-Nate Taylor
+Peter Czanik  
-Ryan Simpkins
+Ryan Simpkins  
-Tim Gelter
+Tim Gelter  
-Trevor Sharpe
+Trevor Sharpe  
--- a/CODE-OF-CONDUCT.md
+++ b/CODE-OF-CONDUCT.md
@@ -55,7 +55,7 @@ further defined and clarified by project maintainers.
 ## Enforcement
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at conduct@bastillebsd.org. All
+reported by contacting the project team lead at christer.edwards@gmail.com. All
 complaints will be reviewed and investigated and will result in a response that
 is deemed necessary and appropriate to the circumstances. The project team is
 obligated to maintain confidentiality with regard to the reporter of an incident.
--- a/2
+++ b/2
@@ -1,6 +1,6 @@
 BSD 3-Clause License
-Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 All rights reserved.
 Redistribution and use in source and binary forms, with or without
--- a/6
+++ b/6
@@ -1,3 +1,6 @@
 .PHONY: all
 all:
 	@echo "Nothing to be done. Please use make install or make uninstall"
 .PHONY: install
 install:
 	@echo "Installing Bastille"
@@ -14,6 +17,9 @@ uninstall:
 	@echo "Removing Bastille sub-commands"
 	@rm -rvf /usr/local/share/bastille
 	@echo
 	@echo "removing man page"
 	@rm -rvf /usr/local/share/man/man1/bastille.1.gz
 	@echo
 	@echo "removing configuration file"
 	@rm -rvf /usr/local/etc/bastille
 	@echo
--- a/README.md
+++ b/README.md
@@ -1,9 +1,9 @@
-Bastille: Automated Container Security
+Bastille: Automate Container Security
-======================================
+=====================================
-Bastille is an open-source system for automating deployment and management of
+[Bastille](https://bastillebsd.org/) is an open-source system for automating
-containerized applications on FreeBSD.
+deployment and management of containerized applications on FreeBSD.
-Looking for [Bastille Templates](https://gitlab.com/BastilleBSD-Templates)?
+Looking for [Bastille Templates](https://gitlab.com/BastilleBSD-Templates/)?
 Installation
@@ -46,23 +46,28 @@ Available Commands:
  bootstrap   Bootstrap a FreeBSD release for container base.
  cmd         Execute arbitrary command on targeted container(s).
  console     Console into a running container.
  convert     Convert a thin container into a thick container.
  cp          cp(1) files from host to targeted container(s).
-  create      Create a new thin container or a thick container if -T|--thick option specified.
+  create      Create a new thin or thick container.
-  destroy     Destroy a stopped container or a FreeBSD release.
+  destroy     Destroy a stopped container or a bootstrapped release.
  export      Exports a container archive or image.
  help        Help about any command
  htop        Interactive process viewer (requires htop).
-  list        List containers (running and stopped).
+  import      Import a container archive or image.
  limits      Apply resources limits to targeted container(s). See rctl(8).
  list        List containers, releases, templates, logs, limits or backups.
  pkg         Manipulate binary packages within targeted container(s). See pkg(8).
  rdr         Redirect host port to container port.
  restart     Restart a running container.
  service     Manage services within targeted container(s).
  start       Start a stopped container.
  stop        Stop a running container.
  sysrc       Safely edit rc files within targeted container(s).
-  template    Apply file templates to targeted container(s).
+  template    Apply automation templates to targeted container(s).
  top         Display and update information about the top(1) cpu processes.
  update      Update container base -pX release.
  upgrade     Upgrade container release to X.Y-RELEASE.
-  verify      Compare release against a "known good" index.
+  verify      Verify bootstrapped release or automation template.
  zfs         Manage (get|set) zfs attributes on targeted container(s).
 Use "bastille -v|--version" for version information.
@@ -70,7 +75,7 @@ Use "bastille command -h|--help" for more information about a command.
 ```
-## 0.5-beta
+## 0.6-beta
 This document outlines the basic usage of the Bastille container management
 framework. This release is still considered beta.
@@ -115,13 +120,21 @@ set skip on lo
 table <jails> persist
 nat on $ext_if from <jails> to any -> ($ext_if)
-## rdr example
+## static rdr example
 ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
 # Enable dynamic rdr (see below)
 rdr-anchor "rdr/*"
 block in all
 pass out quick modulate state
 antispoof for $ext_if inet
 pass in inet proto tcp from any to any port ssh flags S/SA keep state
 # make sure you also open up ports that you are going to use for dynamic rdr
 # pass in inet proto tcp from any to any port <rdr-start>:<rdr-end> flags S/SA keep state
 # pass in inet proto udp from any to any port <rdr-start>:<rdr-end> flags S/SA keep state
 ```
 * Make sure to change the `ext_if` variable to match your host system interface.
@@ -148,6 +161,24 @@ container at `10.17.89.45`.
 Finally, enable and (re)start the firewall:
 ## dynamic rdr 
 The `rdr-anchor "rdr/*"` enables dynamic rdr rules to be setup using the 
 `bastille rdr` command at runtime - eg.
 ```
  bastille rdr <jail> tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail
  bastille rdr <jail> udp 2053 53 # Same for udp
  bastille rdr <jail> list        # List dynamic rdr rules
  bastille rdr <jail> clear       # Clear dynamic rdr rules
 ```
  Note that if you are rediirecting ports where the host is also listening
  (eg. ssh) you should make sure that the host service is not listening on 
  the cloned interface - eg. for ssh set sshd_flags in rc.conf
 ## Enable pf rules
 ```shell
 ishmael ~ # sysrc pf_enable="YES"
 ishmael ~ # service pf restart
@@ -220,14 +251,14 @@ ishmael ~ # bastille bootstrap 12.0-RELEASE
 ishmael ~ # bastille bootstrap 12.1-RELEASE
 ```
-**HardenedBSD 11-STABLE-LAST**
+**HardenedBSD 11-STABLE-BUILD-XX**
 ```shell
-ishmael ~ # bastille bootstrap 11-STABLE-LAST
+ishmael ~ # bastille bootstrap 11-STABLE-BUILD-XX
 ```
-**HardenedBSD 12-STABLE-LAST**
+**HardenedBSD 12-STABLE-BUILD-XX**
 ```shell
-ishmael ~ # bastille bootstrap 12-STABLE-LAST
+ishmael ~ # bastille bootstrap 12-STABLE-BUILD-XX
 ```
 > `bastille bootstrap RELEASE update` to apply updates automatically at bootstrap.
@@ -364,7 +395,8 @@ ishmael ~ # bastille list
 You can also list non-running containers with `bastille list containers`.  In
 the same manner you can list archived `logs`, downloaded `templates`, and
-`releases`.
+`releases` and `backups`.  Providing the `-j` flag to list alone will result in
 JSON output.
 bastille service
@@ -543,40 +575,46 @@ Templates](https://gitlab.com/BastilleBSD-Templates)?
 Bastille supports a templating system allowing you to apply files, pkgs and
 execute commands inside the container automatically.
-Currently supported template hooks are: `PRE`, `CONFIG`, `PKG`, `SYSRC`, `CMD`.
+Currently supported template hooks are: `LIMITS`, `INCLUDE`, `PRE`, `FSTAB`,
-Planned template hooks include: `FSTAB`, `PF`, `LOG`
+`PKG`, `OVERLAY`, `SYSRC`, `SERVICE`, `CMD`.
 Planned template hooks include: `PF`, `LOG`
 Templates are created in `${bastille_prefix}/templates` and can leverage any of
-the template hooks. Simply create a new directory named after the template. eg;
+the template hooks. Simply create a new directory in the format project/repo,
 ie; `username/base-template`
 ```shell
-mkdir -p /usr/local/bastille/templates/username/base
+mkdir -p /usr/local/bastille/templates/username/base-template
 ```
 To leverage a template hook, create an UPPERCASE file in the root of the
 template directory named after the hook you want to execute. eg;
 ```shell
-echo "install zsh vim-console git-lite htop" > /usr/local/bastille/templates/base/PKG
+echo "zsh vim-console git-lite htop" > /usr/local/bastille/templates/username/base-template/PKG
-echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/base/CMD
+echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/username/base-template/CMD
-echo "etc\nroot\nusr" > /usr/local/bastille/templates/base/OVERLAY
+echo "usr" > /usr/local/bastille/templates/username/base-template/OVERLAY
 ```
 Template hooks are executed in specific order and require specific syntax to
-work as expected. This table outlines those requirements:
+work as expected. This table outlines that order and those requirements:
-| SUPPORTED | format           | example                                                        |
+| SUPPORTED | format              | example                                        |
-|-----------|------------------|----------------------------------------------------------------|
+|-----------|---------------------|------------------------------------------------|
-| PRE/CMD   | /bin/sh command  | /usr/bin/chsh -s /usr/local/bin/zsh                            |
+| LIMITS    | resource value      | memoryuse 1G                                   |
-| OVERLAY   | paths (one/line) | etc root usr                                                   |
+| INCLUDE   | template path/URL   | http?://TEMPLATE_URL or username/base-template |
-| PKG       | port/pkg name(s) | vim-console zsh git-lite tree htop                             |
+| PRE       | /bin/sh command     | mkdir -p /usr/local/path                       |
-| SYSRC     | sysrc command(s) | nginx_enable=YES                                               |
+| FSTAB     | fstab syntax        | /host/path container/path nullfs ro 0 0        |
 | PKG       | port/pkg name(s)    | vim-console zsh git-lite tree htop             |
 | OVERLAY   | paths (one/line)    | etc usr                                        |
 | SYSRC     | sysrc command(s)    | nginx_enable=YES                               |
 | SERVICE   | service command(s)  | nginx restart                                  |
 | CMD       | /bin/sh command     | /usr/bin/chsh -s /usr/local/bin/zsh            |
 | PLANNED | format           | example                                                        |
 |---------|------------------|----------------------------------------------------------------|
 | PF      | pf rdr entry     | rdr pass inet proto tcp from any to any port 80 -> 10.17.89.80 |
 | LOG     | path             | /var/log/nginx/access.log                                      |
 | FSTAB   | fstab syntax     | /path/on/host /path/in/container nullfs ro 0 0                      |
 Note: SYSRC requires NO quotes or that quotes (`"`) be escaped. ie; `\"`)
@@ -587,12 +625,12 @@ template directory as "/".
 An example here may help. Think of
 `/usr/local/bastille/templates/username/base`, our example template, as the
 root of our filesystem overlay. If you create an `etc/hosts` or
-`etc/resolv.conf` *inside* the base template directory, these can be overlayed
+`etc/resolv.conf` inside the base template directory, these can be overlayed
 into your container.
 Note: due to the way FreeBSD segregates user-space, the majority of your
 overlayed template files will be in `usr/local`. The few general
-exceptions are the `etc/hosts`, `etc/resolv.conf`, and `etc/rc.conf.local`, etc.
+exceptions are the `etc/hosts`, `etc/resolv.conf`, and `etc/rc.conf.local`.
 After populating `usr/local/` with custom config files that your container will
 use, be sure to include `usr` in the template OVERLAY definition. eg;
@@ -714,6 +752,28 @@ ishmael ~ # bastille cp ALL /tmp/resolv.conf-cf etc/resolv.conf
 /tmp/resolv.conf-cf -> /usr/local/bastille/jails/unbound0/root/etc/resolv.conf
 ```
 bastille-rdr
 ------------
 `bastille rdr` allows you to configure dynamic rdr rules for your containers
 without modifying pf.conf (assuming you are using the `bastille0` interface 
 for a private network and have enabled `rdr-anchor 'rdr/*'` in /etc/pf.conf 
 as described in the Networking section).
 ```shell
    # bastille rdr --help
    Usage: bastille rdr TARGET [clear] | [list] | [tcp <host_port> <jail_port>] | [udp <host_port> <jail_port>]
    # bastille rdr dev1 tcp 2001 22
    # bastille rdr dev1 list
    rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
    # bastille rdr dev1 udp 2053 53
    # bastille rdr dev1 list
    rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
    rdr on em0 inet proto udp from any to any port = 2053 -> 10.17.89.1 port 53
    # bastille rdr dev1 clear
    nat cleared
 ```
 bastille update
 ---------------
 The `update` command targets a release instead of a container. Because every
@@ -786,6 +846,34 @@ ishmael ~ # bastille zfs ALL df
 ishmael ~ # bastille zfs folsom df
 ```
 bastille export
 ----------------
 Containers can be exported for archiving purposes easily.
 Note: On UFS systems containers must be stopped before export.
 ```shell
 ishmael ~ # bastille export folsom
 Exporting 'folsom' to a compressed .xz archive.
 Sending zfs data stream...
  100 %     1057.2 KiB / 9231.5 KiB = 0.115                   0:01             
 Exported '/usr/local/bastille/jails/backups/folsom_2020-01-26-19:23:04.xz' successfully.
 ```
 bastille import
 ----------------
 Containers can be imported from supported archives easily.
 ```shell
 ishmael ~ # bastille import folsom_2020-01-26-19:22:23.xz
 Validating file: folsom_2020-01-26-19:22:23.xz...
 File validation successful!
 Importing 'folsom' from compressed .xz archive.
 Receiving zfs data stream...
 /usr/local/bastille/jails/backups/folsom_2020-01-26-19:22:23.xz (1/1)
  100 %      626.4 KiB / 9231.5 KiB = 0.068                   0:02             
 Container 'folsom' imported successfully.
 ```
 Example (create, start, console)
 ================================
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -1,45 +1,55 @@
-Bastille Roadmap
+2020 Bastille Roadmap
-================
+=====================
 This is the general roadmap for the next nine months. I would like the
 near-term done by the end of 2018. The mid-term should be done by March 2019.
 The long-term by summer 2019.
-At that point, if the templating is mature, and the top 50 is complete, the
+1. Virtual Networking
-platform is ready for general purpose use. 
+1. Bastille CI/CD
 1. Template Maturity & Consolidation
 1. Container Monitoring
 1. Bastille API
 Rough timeline and description below.
-near-term
+Virtual Networking (Jan-Feb) ~ 0.6.x-beta
---------
+-----------------------------------------
-1. zfs support (configurable)
+VNET (Virtual Networking) will allow fully virtualized network stacks. This
-2. bastille-dev template (see below):
+would bring the total network options to three (loopback, LAN, VNET). The
-```shell
+anticipated design would use a bridge device connected to containers via epair
-## jail -c name=foo host.hostname=foo allow.raw_sockets children.max=99 
+interfaces.
 ## ip4.addr=10.20.12.68 persist
 ## jexec foo /bin/csh
 ## foo# jail -c name=bar host.hostname=bar allow.raw_sockets 
 ## ip4.addr=10.20.12.68 persist
 ## foo# jexec bar /bin/csh
 ## bar# ping gritton.org
 ```
 3. branding
 Bastille CI/CD (March-May) ~ 0.7.x-beta
 ---------------------------------------
 While we have many of the templates validated by automatic CI/CD, we are not
 validating updates to Bastille itself. This automated validation of Pull
 Requests should be a priority early in the year with a full test suite designed
 to validate all expected uses of Bastille sub-commands.
-mid-term
+Template Maturity & Consolidation (June-Aug) ~ 0.8.x-beta
--------
+---------------------------------------------------------
-1. templating
+Put the 101 templates found in GitHub's BastilleBSD-Templates repository into
-2. ssh-to-jail demo (ie; ldap + .authorized_keys + command)
+GitLab CI/CD pipeline until fully covered. This is a great place for community
-```shell
+contribution. Templates are easy to create and verify and we'd love to
-## TODO: .ssh/authorized_keys auto-launch into user jail
+replicate as much of the FreeBSD ports tree as possible!
 ## jail_create_login_hook() {
 ##     echo "permit nopass ${user} cmd /usr/sbin/jexec args ${name} /usr/bin/login -f ${user}" >> /usr/local/etc/doas.conf
 ##     echo "command='/usr/local/bin/doas /usr/sbin/jexec ${name} /usr/bin/login -f ${user}' ${pubkey}" >> $HOME/.ssh/authorized_keys
 ## }
 ```
 3. additional modules: ps, sockstat, pf, fstab.
 In addition, it would be nice to create a consolidated repository of curated
 templates similar in design to the FreeBSD ports tree. This would contain all
 templates in a single repository and mimick ports behavior where appropriate.
-long-term
+Container Monitoring (Sept-Oct) ~ 0.9.x-beta
---------
+--------------------------------------------
-1. top 50
+The ability to monitor processes, services, mounts, sockets, etc from the host.
-2. monitoring
+Auto-remediation would be simple enough to define. Notifications would probably
-3. rctl
+require a plugin system for methods/endpoints.
 Possible monitoring modules: ps, sockstat, pf, fstab
 Possible notification modules: pagerduty, slack, splunk, ELK, etc.
 Bastille API (Nov-Dec) ~ 1.0.x-beta
 -----------------------------------
 I have thoughts about a lightweight API for Bastille that would accept (json?)
 payloads of Bastille commands. The API should be lightweight just as Bastille
 is.
 The API is scheduled later in the roadmap because I want to have the other
 components stable before we implement an API on top of it. The addition of the
 API should match up with Bastille 1.0-stable.
--- a/docs/chapters/installation.rst
+++ b/docs/chapters/installation.rst
@@ -4,7 +4,7 @@ Bastille is available in the official FreeBSD ports tree at
 `sysutils/bastille`. Binary packages available in `quarterly` and `latest`
 repositories.
-Current version is `0.5.20191128`.
+Current version is `0.6.20200202`.
 To install from the FreeBSD package repository:
--- a/docs/chapters/jail-config.rst
+++ b/docs/chapters/jail-config.rst
@@ -13,25 +13,115 @@ template looks like this:
 .. code-block:: shell
  interface = {interface};
  host.hostname = {name};
  exec.consolelog = /usr/local/bastille/logs/{name}_console.log;
  path = /usr/local/bastille/jails/{name}/root;
  ip6 = disable;
  securelevel = 2;
  devfs_ruleset = 4;
  enforce_statfs = 2;
  exec.start = '/bin/sh /etc/rc';
  exec.stop = '/bin/sh /etc/rc.shutdown';
  exec.clean;
  mount.devfs;
  mount.fstab = /usr/local/bastille/jails/{name}/fstab;
  {name} {
    devfs_ruleset = 4;
    enforce_statfs = 2;
    exec.clean;
    exec.consolelog = /usr/local/bastille/logs/{name}_console.log;
    exec.start = '/bin/sh /etc/rc';
    exec.stop = '/bin/sh /etc/rc.shutdown';
    host.hostname = {name};
    interface = {interface};
    mount.devfs;
    mount.fstab = /usr/local/bastille/jails/{name}/fstab;
    path = /usr/local/bastille/jails/{name}/root;
    securelevel = 2;
    ip4.addr = x.x.x.x;
    ip6 = disable;
  }
 devfs_ruleset
 -------------
 .. code-block:: shell
  devfs_ruleset
    The number of the devfs ruleset that is enforced for mounting
    devfs in this jail.  A value of zero (default) means no ruleset
    is enforced.  Descendant jails inherit the parent jail's devfs
    ruleset enforcement.  Mounting devfs inside a jail is possible
    only if the allow.mount and allow.mount.devfs permissions are
    effective and enforce_statfs is set to a value lower than 2.
    Devfs rules and rulesets cannot be viewed or modified from inside
    a jail.
    NOTE: It is important that only appropriate device nodes in devfs
    be exposed to a jail; access to disk devices in the jail may
    permit processes in the jail to bypass the jail sandboxing by
    modifying files outside of the jail.  See devfs(8) for
    information on how to use devfs rules to limit access to entries
    in the per-jail devfs.  A simple devfs ruleset for jails is
    available as ruleset #4 in /etc/defaults/devfs.rules.
 enforce_statfs
 --------------
 .. code-block:: shell
  enforce_statfs
    This determines what information processes in a jail are able to
    get about mount points.  It affects the behaviour of the
    following syscalls: statfs(2), fstatfs(2), getfsstat(2), and
    fhstatfs(2) (as well as similar compatibility syscalls).  When
    set to 0, all mount points are available without any
    restrictions.  When set to 1, only mount points below the jail's
    chroot directory are visible.  In addition to that, the path to
    the jail's chroot directory is removed from the front of their
    pathnames.  When set to 2 (default), above syscalls can operate
    only on a mount-point where the jail's chroot directory is
    located.
 exec.clean
 ----------
 .. code-block:: shell
  exec.clean
    Run commands in a clean environment.  The environment is
    discarded except for HOME, SHELL, TERM and USER.  HOME and SHELL
    are set to the target login's default values.  USER is set to the
    target login.  TERM is imported from the current environment.
    The environment variables from the login class capability
    database for the target login are also set.
 exec.consolelog
 ---------------
 .. code-block:: shell
  exec.consolelog
    A file to direct command output (stdout and stderr) to.
 exec.start
 ----------
 .. code-block:: shell
  exec.start
    Command(s) to run in the jail environment when a jail is created.
    A typical command to run is "sh /etc/rc".
 exec.stop
 ---------
 .. code-block:: shell
  exec.stop
    Command(s) to run in the jail environment before a jail is
    removed, and after any exec.prestop commands have completed.  A
    typical command to run is "sh /etc/rc.shutdown".
 host.hostname
 -------------
 .. code-block:: shell
  host.hostname
    The hostname of the jail.  Other similar parameters are
    host.domainname, host.hostuuid and host.hostid.
 interface
 ---------
 .. code-block:: shell
@@ -43,28 +133,31 @@ interface
    the interface after the jail is removed.
-host.hostname
+mount.devfs
-------------
+-----------
 .. code-block:: shell
-  host.hostname
+  mount.devfs
-    The hostname of the jail.  Other similar parameters are
+    Mount a devfs(5) filesystem on the chrooted /dev directory, and
-    host.domainname, host.hostuuid and host.hostid.
+    apply the ruleset in the devfs_ruleset parameter (or a default of
    ruleset 4: devfsrules_jail) to restrict the devices visible
    inside the jail.
-exec.consolelog
+mount.fstab
---------------
+-----------
 .. code-block:: shell
-  exec.consolelog
+  mount.fstab
-    A file to direct command output (stdout and stderr) to.
+    An fstab(5) format file containing filesystems to mount before
    creating a jail.
 path
 ----
 .. code-block:: shell
-  path   
+  path
    The directory which is to be the root of the jail.  Any commands
    run inside the jail, either by jail or from jexec(8), are run
    from this directory.
@@ -114,95 +207,3 @@ cases.
        filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
        changed and dummynet(4) or pf(4) configuration cannot be adjusted.
 devfs_ruleset
 -------------
 .. code-block:: shell
  devfs_ruleset
    The number of the devfs ruleset that is enforced for mounting
    devfs in this jail.  A value of zero (default) means no ruleset
    is enforced.  Descendant jails inherit the parent jail's devfs
    ruleset enforcement.  Mounting devfs inside a jail is possible
    only if the allow.mount and allow.mount.devfs permissions are
    effective and enforce_statfs is set to a value lower than 2.
    Devfs rules and rulesets cannot be viewed or modified from inside
    a jail.
    NOTE: It is important that only appropriate device nodes in devfs
    be exposed to a jail; access to disk devices in the jail may
    permit processes in the jail to bypass the jail sandboxing by
    modifying files outside of the jail.  See devfs(8) for
    information on how to use devfs rules to limit access to entries
    in the per-jail devfs.  A simple devfs ruleset for jails is
    available as ruleset #4 in /etc/defaults/devfs.rules.
 enforce_statfs
 --------------
 .. code-block:: shell
  enforce_statfs
    This determines what information processes in a jail are able to
    get about mount points.  It affects the behaviour of the
    following syscalls: statfs(2), fstatfs(2), getfsstat(2), and
    fhstatfs(2) (as well as similar compatibility syscalls).  When
    set to 0, all mount points are available without any
    restrictions.  When set to 1, only mount points below the jail's
    chroot directory are visible.  In addition to that, the path to
    the jail's chroot directory is removed from the front of their
    pathnames.  When set to 2 (default), above syscalls can operate
    only on a mount-point where the jail's chroot directory is
    located.
 exec.start
 ----------
 .. code-block:: shell
  exec.start
    Command(s) to run in the jail environment when a jail is created.
    A typical command to run is "sh /etc/rc".
 exec.stop
 ---------
 .. code-block:: shell
  exec.stop
    Command(s) to run in the jail environment before a jail is
    removed, and after any exec.prestop commands have completed.  A
    typical command to run is "sh /etc/rc.shutdown".
 exec.clean
 ----------
 .. code-block:: shell
  exec.clean
    Run commands in a clean environment.  The environment is
    discarded except for HOME, SHELL, TERM and USER.  HOME and SHELL
    are set to the target login's default values.  USER is set to the
    target login.  TERM is imported from the current environment.
    The environment variables from the login class capability
    database for the target login are also set.
 mount.devfs
 -----------
 .. code-block:: shell
  mount.devfs
    Mount a devfs(5) filesystem on the chrooted /dev directory, and
    apply the ruleset in the devfs_ruleset parameter (or a default of
    ruleset 4: devfsrules_jail) to restrict the devices visible
    inside the jail.
 mount.fstab
 -----------
 .. code-block:: shell
  mount.fstab
    An fstab(5) format file containing filesystems to mount before
    creating a jail.
--- a/docs/chapters/networking.rst
+++ b/docs/chapters/networking.rst
@@ -103,14 +103,21 @@ Create the firewall rules:
  table <jails> persist
  nat on $ext_if from <jails> to any -> ($ext_if)
-  ## rdr example
+  ## static rdr example
  ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
  ## dynamic rdr anchor (see below)
  rdr-anchor "rdr/*"
  block in all
  pass out quick modulate state
  antispoof for $ext_if inet
  pass in inet proto tcp from any to any port ssh flags S/SA modulate state
  # If you are using dynamic rdr also need to ensure that the external port
  # range you are using is open
  # pass in inet proto tcp any to any port <rdr-start>:<rdr-end>
 - Make sure to change the `ext_if` variable to match your host system interface.
 - Make sure to include the last line (`port ssh`) or you'll end up locked out.
@@ -121,7 +128,7 @@ to containers are:
  nat on $ext_if from <jails> to any -> ($ext_if)
-  ## rdr example
+  ## static rdr example
  ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
 The `nat` routes traffic from the loopback interface to the external
@@ -131,6 +138,23 @@ The `rdr pass ...` will redirect traffic from the host firewall on port X to
 the ip of Container Y. The example shown redirects web traffic (80 & 443) to the
 containers at `10.17.89.45`.
  ## dynamic rdr anchor (see below)
  rdr-anchor "rdr/*"
 The `rdr-anchor "rdr/*"` enables dynamic rdr rules to be setup using the 
 `bastille rdr` command at runtime - eg.
  bastille rdr <jail> tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail
  bastille rdr <jail> udp 2053 53 # Same for udp
  bastille rdr <jail> list        # List dynamic rdr rules
  bastille rdr <jail> clear       # Clear dynamic rdr rules
  Note that if you are redirecting ports where the host is also listening
  (eg. ssh) you should make sure that the host service is not listening on 
  the cloned interface - eg. for ssh set sshd_flags in rc.conf
  sshd_flags="-o ListenAddress=<hostname>"
 Finally, start up the firewall:
 .. code-block:: shell
--- a/docs/chapters/subcommands/index.rst
+++ b/docs/chapters/subcommands/index.rst
@@ -20,6 +20,5 @@ Bastille sub-commands
   sysrc
   top
   update
   update
   upgrade
   verify
--- a/docs/chapters/subcommands/rdr.rst
+++ b/docs/chapters/subcommands/rdr.rst
@@ -0,0 +1,28 @@
 ===
 rdr
 ===
 `bastille rdr` allows you to configure dynamic rdr rules for your containers
 without modifying pf.conf (assuming you are using the `bastille0` interface 
 for a private network and have enabled `rdr-anchor 'rdr/*'` in /etc/pf.conf 
 as described in the Networking section).
 Note: you need to be careful if host services are configured to run 
 on all interfaces as this will include the jail interface - you should 
 sepcify the interface they run on in rc.conf (or other config files)
 .. code-block:: shell
    # bastille rdr --help
    Usage: bastille rdr TARGET [clear] | [list] | [tcp <host_port> <jail_port>] | [udp <host_port> <jail_port>]
    # bastille rdr dev1 tcp 2001 22
    # bastille rdr dev1 list
    rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
    # bastille rdr dev1 udp 2053 53
    # bastille rdr dev1 list
    rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
    rdr on em0 inet proto udp from any to any port = 2053 -> 10.17.89.1 port 53
    # bastille rdr dev1 clear
    nat cleared
--- a/docs/chapters/subcommands/service.rst
+++ b/docs/chapters/subcommands/service.rst
@@ -11,3 +11,6 @@ running inside the containers.
  ishmael ~ # bastille service web01 'nginx start'
  ishmael ~ # bastille service db01 'mysql-server restart'
  ishmael ~ # bastille service proxy 'nginx configtest'
  ishmael ~ # bastille service proxy 'nginx enable'
  ishmael ~ # bastille service proxy 'nginx disable'
  ishmael ~ # bastille service proxy 'nginx delete'
--- a/docs/chapters/template.rst
+++ b/docs/chapters/template.rst
@@ -1,12 +1,15 @@
 ========
 Template
 ========
 Looking for ready made CI/CD validated [Bastille
 Templates](https://gitlab.com/BastilleBSD-Templates)?
 Bastille supports a templating system allowing you to apply files, pkgs and
 execute commands inside the containers automatically.
-Currently supported template hooks are: `PRE`, `OVERLAY`, `PKG`, `SYSRC`, `CMD`.
+Currently supported template hooks are: `LIMITS`, `INCLUDE`, `PRE`, `FSTAB`,
-Planned template hooks include: `FSTAB`, `PF`, `LOG`.
+`PKG`, `OVERLAY`, `SYSRC`, `SERVICE`, `CMD`.
 Planned template hooks include: `PF`, `LOG`.
 Templates are created in `${bastille_prefix}/templates` and can leverage any of
 the template hooks. Simply create a new directory named after the template. eg;
@@ -22,30 +25,36 @@ template directory named after the hook you want to execute. eg;
  echo "zsh vim-console git-lite htop" > /usr/local/bastille/templates/username/base/PKG
  echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/username/base/CMD
-  echo "etc\nrootjn usr" > /usr/local/bastille/templates/username/base/OVERLAY
+  echo "usr" > /usr/local/bastille/templates/username/base/OVERLAY
 Template hooks are executed in specific order and require specific syntax to
 work as expected. This table outlines those requirements:
-+---------+------------------+--------------------------------------+
+---------+-------------------+-----------------------------------------+
-| HOOK    | format           | example                              |
+| HOOK    | format            | example                                 |
-+=========+==================+======================================+
+=========+===================+=========================================+
-| PRE     | /bin/sh command  | mkdir -p /usr/local/my_app/html      |
+| LIMITS  | resource value    | memoryuse 1G                            |
-+---------+------------------+--------------------------------------+
+---------+-------------------+-----------------------------------------+
-| OVERLAY | path(s)          | etc root usr (one per line)          |
+| INCLUDE | template path/URL | http?://TEMPLATE_URL or project/path    |
-+---------+------------------+--------------------------------------+
+---------+-------------------+-----------------------------------------+
-| PKG     | port/pkg name(s) | vim-console zsh git-lite tree htop   |
+| PRE     | /bin/sh command   | mkdir -p /usr/local/my_app/html         |
-+---------+------------------+--------------------------------------+
+---------+-------------------+-----------------------------------------+
-| SYSRC   | sysrc command(s) | nginx_enable=YES                     |
+| FSTAB   | fstab syntax      | /host/path container/path nullfs ro 0 0 |
-+---------+------------------+--------------------------------------+
+---------+-------------------+-----------------------------------------+
-| SERVICE | service command  | 'nginx start' OR 'postfix reload'    |
+| PKG     | port/pkg name(s)  | vim-console zsh git-lite tree htop      |
-+---------+------------------+--------------------------------------+
+---------+-------------------+-----------------------------------------+
-| CMD     | /bin/sh command  | /usr/bin/chsh -s /usr/local/bin/zsh  |
+| OVERLAY | path(s)           | etc root usr (one per line)             |
-+---------+------------------+--------------------------------------+
+---------+-------------------+-----------------------------------------+
 | SYSRC   | sysrc command(s)  | nginx_enable=YES                        |
 +---------+-------------------+-----------------------------------------+
 | SERVICE | service command   | 'nginx start' OR 'postfix reload'       |
 +---------+-------------------+-----------------------------------------+
 | CMD     | /bin/sh command   | /usr/bin/chsh -s /usr/local/bin/zsh     |
 +---------+-------------------+-----------------------------------------+
-Note: SYSRC requires that NO quotes be used or that quotes (`"`) be escaped.
+Note: SYSRC requires that NO quotes be used or that quotes (`"`) be escaped
-ie; `\"`)
+ie; (`\\"`)
 In addition to supporting template hooks, Bastille supports overlaying
 files into the container. This is done by placing the files in their full path,
@@ -61,17 +70,16 @@ overlayed template files will be in `usr/local`. The few general
 exceptions are the `etc/hosts`, `etc/resolv.conf`, and
 `etc/rc.conf.local`.
-After populating `usr/local/` with custom config files that your container will
+After populating `usr/local` with custom config files that your container will
 use, be sure to include `usr` in the template OVERLAY definition. eg;
 .. code-block:: shell
-  echo "etc\nusr" > /usr/local/bastille/templates/username/base/OVERLAY
+  echo "usr" > /usr/local/bastille/templates/username/base/OVERLAY
-The above example "etc usr" will include anything under "etc" and "usr"
+The above example "usr" will include anything under "usr" inside the template.
-inside the template. You do not need to list individual files. Just
+You do not need to list individual files. Just include the top-level directory
-include the top-level directory name. List these top-level directories one per
+name. List these top-level directories one per line.
 line.
 Applying Templates
 ------------------
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -8,13 +8,13 @@ else:
 # -- Project information -----------------------------------------------------
 project = 'Bastille'
-copyright = '2018-2019, Christer Edwards'
+copyright = '2018-2020, Christer Edwards'
 author = 'Christer Edwards'
 # The short X.Y version
-version = '0.5.20191128'
+version = '0.6.20200202'
 # The full version, including alpha/beta/rc tags
-release = '0.5.20191128-beta'
+release = '0.6.20200202-beta'
 # -- General configuration ---------------------------------------------------
--- a/usr/local/bin/bastille
+++ b/usr/local/bin/bastille
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -32,7 +32,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
 ## root check first.
 bastille_root_check() {
-    if [ $(id -u) -ne 0 ]; then
+    if [ "$(id -u)" -ne 0 ]; then
        ## so we can make it colorful
        . /usr/local/share/bastille/colors.pre.sh
@@ -69,7 +69,7 @@ bastille_perms_check
 . /usr/local/etc/bastille/bastille.conf
 ## version
-BASTILLE_VERSION="0.5.20191128"
+BASTILLE_VERSION="0.6.20200202"
 usage() {
    cat << EOF
@@ -83,13 +83,17 @@ Available Commands:
  bootstrap   Bootstrap a FreeBSD release for container base.
  cmd         Execute arbitrary command on targeted container(s).
  console     Console into a running container.
  convert     Convert a Thin container into a Thick container.
  cp          cp(1) files from host to targeted container(s).
  create      Create a new thin container or a thick container if -T|--thick option specified.
  destroy     Destroy a stopped container or a FreeBSD release.
-  help        Help about any command
+  export      Exports a specified container.
  help        Help about any command.
  htop        Interactive process viewer (requires htop).
  import      Import a specified container.
  list        List containers (running and stopped).
  pkg         Manipulate binary packages within targeted container(s). See pkg(8).
  rdr         Redirect host port to container port.
  restart     Restart a running container.
  service     Manage services within targeted container(s).
  start       Start a stopped container.
@@ -127,13 +131,13 @@ esac
 # Filter out all non-commands
 case "${CMD}" in
-cmd|cp|create|destroy|list|pkg|restart|start|stop|sysrc|template|verify)
+bootstrap|cmd|console|convert|cp|create)
    ;;
-update|upgrade)
+destroy|export|htop|import|limits|list)
    ;;
-service|console|bootstrap|htop|top)
+pkg|rdr|restart|service|start|stop|sysrc)
    ;;
-bootstrap|update|upgrade|zfs)
+template|top|update|upgrade|verify|zfs)
    ;;
 *)
 usage
@@ -142,12 +146,12 @@ esac
 SCRIPTPATH="${bastille_sharedir}/${CMD}.sh"
 if [ -f "${SCRIPTPATH}" ]; then
-    : ${UMASK:=022}
+    : "${UMASK:=022}"
-    umask ${UMASK}
+    umask "${UMASK}"
-    : ${SH:=sh}
+    : "${SH:=sh}"
-    exec ${SH} "${SCRIPTPATH}" "$@"
+    exec "${SH}" "${SCRIPTPATH}" "$@"
 else
    echo -e "${COLOR_RED}${SCRIPTPATH} not found.${COLOR_RESET}" 1>&2
 fi
--- a/usr/local/etc/bastille/bastille.conf
+++ b/usr/local/etc/bastille/bastille.conf
@@ -1,37 +0,0 @@
 #####################
 ## [ BastilleBSD ] ##
 #####################
 ## default paths
 bastille_prefix=/usr/local/bastille                     ## default: "/usr/local/bastille"
 bastille_cachedir=${bastille_prefix}/cache              ## default: ${bastille_prefix}/cache
 bastille_jailsdir=${bastille_prefix}/jails              ## default: ${bastille_prefix}/jails
 bastille_logsdir=${bastille_prefix}/logs                ## default: ${bastille_prefix}/logs
 bastille_releasesdir=${bastille_prefix}/releases        ## default: ${bastille_prefix}/releases
 bastille_templatesdir=${bastille_prefix}/templates      ## default: ${bastille_prefix}/templates
 ## bastille scripts directory (assumed by bastille pkg)
 bastille_sharedir=/usr/local/share/bastille             ## default: "/usr/local/share/bastille"
 ## bootstrap archives (base, lib32, ports, src, test)
 bastille_bootstrap_archives="base"                      ## default: "base"
 ## default timezone
 bastille_tzdata="etc/UTC"                               ## default: "etc/UTC"
 ## default jail resolv.conf
 bastille_resolv_conf="/etc/resolv.conf"                 ## default: "/etc/resolv.conf"
 ## ZFS options
 bastille_zfs_enable=""                                  ## default: ""
 bastille_zfs_zpool=""                                   ## default: ""
 bastille_zfs_prefix="bastille"                          ## default: "${bastille_zfs_zpool}/bastille"
 bastille_zfs_mountpoint=${bastille_prefix}              ## default: "${bastille_prefix}"
 bastille_zfs_options="-o compress=lz4 -o atime=off"     ## default: "-o compress=lz4 -o atime=off"
 ## Networking
 bastille_jail_loopback="lo1"                            ## default: "lo1"
 bastille_jail_interface="bastille0"                     ## default: "bastille0"
 bastille_jail_external=""                               ## default: ""
 bastille_jail_addr="10.17.89.10"                        ## default: "10.17.89.10"
 bastille_jail_gateway=""                                ## default: ""
--- a/usr/local/etc/bastille/bastille.conf.sample
+++ b/usr/local/etc/bastille/bastille.conf.sample
@@ -0,0 +1,45 @@
 #####################
 ## [ BastilleBSD ] ##
 #####################
 ## default paths
 bastille_prefix=/usr/local/bastille                                   ## default: "/usr/local/bastille"
 bastille_backupsdir=${bastille_prefix}/backups                        ## default: ${bastille_prefix}/backups
 bastille_cachedir=${bastille_prefix}/cache                            ## default: ${bastille_prefix}/cache
 bastille_jailsdir=${bastille_prefix}/jails                            ## default: ${bastille_prefix}/jails
 bastille_logsdir=${bastille_prefix}/logs                              ## default: ${bastille_prefix}/logs
 bastille_releasesdir=${bastille_prefix}/releases                      ## default: ${bastille_prefix}/releases
 bastille_templatesdir=${bastille_prefix}/templates                    ## default: ${bastille_prefix}/templates
 ## bastille scripts directory (assumed by bastille pkg)
 bastille_sharedir=/usr/local/share/bastille                           ## default: "/usr/local/share/bastille"
 ## bootstrap archives (base, lib32, ports, src, test)
 bastille_bootstrap_archives="base"                                    ## default: "base"
 ## default timezone
 bastille_tzdata="etc/UTC"                                             ## default: "etc/UTC"
 ## default jail resolv.conf
 bastille_resolv_conf="/etc/resolv.conf"                               ## default: "/etc/resolv.conf"
 ## bootstrap urls
 bastille_url_freebsd="http://ftp.freebsd.org/pub/FreeBSD/releases/"          ## default: "http://ftp.freebsd.org/pub/FreeBSD/releases/"
 bastille_url_hardenedbsd="http://installer.hardenedbsd.org/pub/hardenedbsd/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/"
 ## ZFS options
 bastille_zfs_enable=""                                                ## default: ""
 bastille_zfs_zpool=""                                                 ## default: ""
 bastille_zfs_prefix="bastille"                                        ## default: "${bastille_zfs_zpool}/bastille"
 bastille_zfs_options="-o compress=lz4 -o atime=off"                   ## default: "-o compress=lz4 -o atime=off"
 ## Export/Import options
 bastille_compress_xz_options="-0 -v"                                  ## default "-0 -v"
 bastille_decompress_xz_options="-c -d -v"                             ## default "-c -d -v"
 ## Networking
 bastille_jail_loopback="lo1"                                          ## default: "lo1"
 bastille_jail_interface="bastille0"                                   ## default: "bastille0"
 bastille_jail_external=""                                             ## default: ""
 bastille_jail_addr="10.17.89.10"                                      ## default: "10.17.89.10"
 bastille_jail_gateway=""                                              ## default: ""
--- a/usr/local/etc/rc.d/bastille
+++ b/usr/local/etc/rc.d/bastille
@@ -29,8 +29,8 @@ restart_cmd="bastille_stop && bastille_start"
 bastille_start()
 {
-    if [ ! -n "${bastille_list}" ]; then
+    if [ -z "${bastille_list}" ]; then
-        echo "${bastille_list} is undefined"
+        echo "bastille_list is undefined"
        return 1
    fi
@@ -44,8 +44,8 @@ bastille_start()
 bastille_stop()
 {
-    if [ ! -n "${bastille_list}" ]; then
+    if [ -z "${bastille_list}" ]; then
-        echo "${bastille_list} is undefined"
+        echo "bastille_list is undefined"
        return 1
    fi
--- a/usr/local/share/bastille/bootstrap.sh
+++ b/usr/local/share/bastille/bootstrap.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -49,7 +49,7 @@ if [ "${bastille_zfs_enable}" = "YES" ]; then
    if [ -z "${bastille_zfs_zpool}" ]; then
        echo -e "${COLOR_RED}ERROR: Missing ZFS parameters, see bastille_zfs_zpool.${COLOR_RESET}"
        exit 1
-	elif [ -z "${bastille_zfs_prefix}" ]; then
+    elif [ -z "${bastille_zfs_prefix}" ]; then
        echo -e "${COLOR_RED}ERROR: Missing ZFS parameters, see bastille_zfs_prefix.${COLOR_RESET}"
        exit 1
    elif ! zfs list "${bastille_zfs_zpool}" > /dev/null 2>&1; then
@@ -66,17 +66,32 @@ if [ "${bastille_zfs_enable}" = "YES" ]; then
    fi
 fi
 validate_release_url() {
    ## check upstream url, else warn user
    if [ -n "${NAME_VERIFY}" ]; then
        RELEASE="${NAME_VERIFY}"
        if ! fetch -qo /dev/null "${UPSTREAM_URL}/MANIFEST" 2>/dev/null; then
            echo -e "${COLOR_RED}Unable to fetch MANIFEST, See 'bootstrap urls'.${COLOR_RESET}"
            exit 1
        fi
        bootstrap_directories
        bootstrap_release
    else
        usage
    fi
 }
 bootstrap_network_interfaces() {
    ## test for both options empty
-    if [ -z ${bastille_jail_loopback} ] && [ -z ${bastille_jail_external} ]; then
+    if [ -z "${bastille_jail_loopback}" ] && [ -z "${bastille_jail_external}" ]; then
        echo -e "${COLOR_RED}Please set preferred loopback or external interface.${COLOR_RESET}"
        echo -e "${COLOR_RED}See bastille.conf.${COLOR_RESET}"
        exit 1
    fi
    ## test for required variables -- external
-    if [ -z ${bastille_jail_loopback} ] && [ ! -z ${bastille_jail_external} ]; then
+    if [ -z "${bastille_jail_loopback}" ] && [ ! -z "${bastille_jail_external}" ]; then
       ## test for existing interface
       ifconfig ${bastille_jail_external} 2>&1 >/dev/null
@@ -101,8 +116,8 @@ bootstrap_network_interfaces() {
    fi
    ## test for required variables -- loopback
-    if [ -z ${bastille_jail_external} ] && [ ! -z ${bastille_jail_loopback} ] && \
+    if [ -z "${bastille_jail_external}" ] && [ ! -z "${bastille_jail_loopback}" ] && \
-       [ ! -z ${bastille_jail_addr} ]; then
+       [ ! -z "${bastille_jail_addr}" ]; then
       echo -e "${COLOR_GREEN}Detecting...${COLOR_RESET}"
       ## test for existing interface
@@ -173,6 +188,18 @@ bootstrap_directories() {
        fi
    fi
    ## ${bastille_backupsdir}
    if [ ! -d "${bastille_backupsdir}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ];then
            if [ ! -z "${bastille_zfs_zpool}" ]; then
                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_backupsdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/backups
            fi
        else
            mkdir -p "${bastille_backupsdir}"
            chmod 0750 "${bastille_backupsdir}"
        fi
    fi
    ## ${bastille_cachedir}
    if [ ! -d "${bastille_cachedir}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ]; then
@@ -250,10 +277,22 @@ bootstrap_directories() {
 }
 bootstrap_release() {
-    ## if release exists, quit
+    ## if release exists quit, else bootstrap additional distfiles
    if [ -f "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" ]; then
-        echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
+        ## check distfiles list and skip existing cached files
-        exit 1
+        bastille_bootstrap_archives=$(echo "${bastille_bootstrap_archives}" | sed "s/base//")
        bastille_cached_files=$(ls ${bastille_cachedir}/${RELEASE} | grep -v "MANIFEST" | tr -d ".txz")
        for distfile in ${bastille_cached_files}; do
            bastille_bootstrap_archives=$(echo ${bastille_bootstrap_archives} | sed "s/${distfile}//")
        done
        ## check if release already bootstrapped, else continue bootstrapping
        if [ -z "${bastille_bootstrap_archives}" ]; then
            echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
            exit 1
        else
            echo -e "${COLOR_GREEN}Bootstrapping additional distfiles...${COLOR_RESET}"
        fi
    fi
    for _archive in ${bastille_bootstrap_archives}; do
@@ -360,74 +399,21 @@ bootstrap_template() {
    _template=${bastille_templatesdir}/${_user}/${_repo}
    ## support for non-git
-    if [ ! -x /usr/local/bin/git ]; then
+    if [ ! -x "$(which git)" ]; then
-        echo -e "${COLOR_RED}We're gonna have to use fetch. Strap in.${COLOR_RESET}"
+        echo -e "${COLOR_RED}Git not found.${COLOR_RESET}"
-        echo -e "${COLOR_RED}Not yet implemented...${COLOR_RESET}"
+        echo -e "${COLOR_RED}Not yet implemented.${COLOR_RESET}"
        exit 1
-    fi
+    elif [ -x "$(which git)" ]; then
    ## support for git
    if [ -x /usr/local/bin/git ]; then
        if [ ! -d "${_template}/.git" ]; then
-            /usr/local/bin/git clone "${_url}" "${_template}" ||\
+            $(which git) clone "${_url}" "${_template}" ||\
                echo -e "${COLOR_RED}Clone unsuccessful.${COLOR_RESET}"
                echo
        elif [ -d "${_template}/.git" ]; then
-            cd ${_template} &&
+            cd ${_template} && $(which git) pull ||\
            /usr/local/bin/git pull ||\
                echo -e "${COLOR_RED}Template update unsuccessful.${COLOR_RESET}"
                echo
        fi
    fi
-    ## template validation
+    bastille verify ${_user}/${_repo}
    _hook_validate=0
    for _hook in PRE FSTAB PF PKG SYSRC CMD; do
        if [ -s ${_template}/${_hook} ]; then
            _hook_validate=$((_hook_validate+1))
            echo -e "${COLOR_GREEN}Detected ${_hook} hook.${COLOR_RESET}"
            echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
            cat "${_template}/${_hook}"
            echo
        fi
    done
    # template overlay
    if [ -s ${_template}/OVERLAY ]; then
        _hook_validate=$((_hook_validate+1))
        echo -e "${COLOR_GREEN}Detected OVERLAY hook.${COLOR_RESET}"
        while read _dir; do
            echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}"
            if [ -x $(which tree) ]; then
                tree -a ${_template}/${_dir}
            fi
        done < ${_template}/OVERLAY
        echo
    fi
    if [ -s ${_template}/CONFIG ]; then
        echo -e "${COLOR_GREEN}Detected CONFIG hook.${COLOR_RESET}"
        echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}"
        while read _dir; do
            echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}"
            if [ -x $(which tree) ]; then
                tree -a ${_template}/${_dir}
            fi
        done < ${_template}/CONFIG
    fi
    ## remove bad templates
    if [ ${_hook_validate} -lt 1 ]; then
        echo -e "${COLOR_GREEN}Template validation failed.${COLOR_RESET}"
        echo -e "${COLOR_GREEN}Deleting template.${COLOR_RESET}"
        rm -rf ${_template}
        exit 1
    fi
    ## if validated; ready to use 
    if [ ${_hook_validate} -gt 0 ]; then
        echo -e "${COLOR_GREEN}Template ready to use.${COLOR_RESET}"
        echo
    fi
 }
 HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }')
@@ -437,35 +423,53 @@ RELEASE="${1}"
 ## Filter sane release names
 case "${1}" in
 *-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
-## check for FreeBSD releases name
+    ## check for FreeBSD releases name
-NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
-if [ -n "${NAME_VERIFY}" ]; then
+    UPSTREAM_URL="${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}"
-    RELEASE="${NAME_VERIFY}"
+    validate_release_url
    UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/${RELEASE}"
    bootstrap_directories
    bootstrap_release
 else
    usage
 fi
    ;;
 *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
-## check for HardenedBSD releases name
+    ## check for HardenedBSD releases name(previous infrastructure, keep for reference)
-NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-LAST|-STABLE-last|-stable-last|-STABLE-LAST)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-LAST|-STABLE-last|-stable-last|-STABLE-LAST)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
-if [ -n "${NAME_VERIFY}" ]; then
+    UPSTREAM_URL="${bastille_url_hardenedbsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-${NAME_VERIFY}"
-    RELEASE="${NAME_VERIFY}"
+    validate_release_url
-    UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-${RELEASE}"
+    ;;
-    bootstrap_directories
+*-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*)
-    bootstrap_release
+    ## check for HardenedBSD(specific stable build releases)
-else
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build|-STABLE-BUILD)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g')
-    usage
+    NAME_RELEASE=$(echo ${NAME_VERIFY} | sed 's/-build-[0-9]\{1,2\}//g')
-fi
+    NAME_BUILD=$(echo ${NAME_VERIFY} | sed 's/[0-9]\{1,2\}-stable-//g')
    UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
    validate_release_url
    ;;
 *-stable-build-latest|*-STABLE-BUILD-LATEST)
    ## check for HardenedBSD(latest stable build release)
    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest|-STABLE-BUILD-LATEST)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
    NAME_RELEASE=$(echo ${NAME_VERIFY} | sed 's/-BUILD-LATEST//g')
    NAME_BUILD=$(echo ${NAME_VERIFY} | sed 's/[0-9]\{1,2\}-stable-//g')
    UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
    validate_release_url
    ;;
 current-build-[0-9]*|*-CURRENT-BUILD-[0-9]*)
    ## check for HardenedBSD(specific current build releases)
    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build|-CURRENT-BUILD)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g')
    NAME_RELEASE=$(echo ${NAME_VERIFY} | sed 's/current-.*/current/g')
    NAME_BUILD=$(echo ${NAME_VERIFY} | sed 's/current-//g')
    UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
    validate_release_url
    ;;
 current-build-latest|*-CURRENT-BUILD-LATEST)
    ## check for HardenedBSD(latest current build release)
    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest|-CURRENT-BUILD-LATEST)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
    NAME_RELEASE=$(echo ${NAME_VERIFY} | sed 's/current-.*/current/g')
    NAME_BUILD=$(echo ${NAME_VERIFY} | sed 's/current-//g')
    UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
    validate_release_url
    ;;
 http?://github.com/*/*|http?://gitlab.com/*/*)
    BASTILLE_TEMPLATE_URL=${1}
    BASTILLE_TEMPLATE_USER=$(echo "${1}" | awk -F / '{ print $4 }')
    BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
    echo -e "${COLOR_GREEN}Template: ${1}${COLOR_RESET}"
    echo
    bootstrap_template
    ;;
 network)
--- a/usr/local/share/bastille/cmd.sh
+++ b/usr/local/share/bastille/cmd.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -53,7 +53,7 @@ if [ "${TARGET}" = 'ALL' ]; then
    JAILS=$(jls name)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | grep -w "${TARGET}")
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 for _jail in ${JAILS}; do
--- a/usr/local/share/bastille/console.sh
+++ b/usr/local/share/bastille/console.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -54,13 +54,30 @@ if [ "${TARGET}" = 'ALL' ]; then
    JAILS=$(jls name)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | grep -w "${TARGET}")
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 validate_user() {
    if jexec -l ${_jail} id "${USER}" >/dev/null 2>&1; then
        USER_SHELL="$(jexec -l ${_jail} getent passwd "${USER}" | cut -d: -f7)"
        if [ -n "${USER_SHELL}" ]; then
            if jexec -l ${_jail} grep -qwF "${USER_SHELL}" /etc/shells; then
                jexec -l ${_jail} /usr/bin/login -f "${USER}"
            else
                echo "Invalid shell for user ${USER}"
            fi
        else
            echo "User ${USER} has no shell"
        fi
    else
        echo "Unknown user ${USER}"
    fi
 }
 for _jail in ${JAILS}; do
    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
    if [ ! -z "${USER}" ]; then
-        jexec -l ${_jail} /usr/bin/login -f "${USER}"
+        validate_user
    else
        jexec -l ${_jail} /usr/bin/login -f root
    fi
--- a/usr/local/share/bastille/convert.sh
+++ b/usr/local/share/bastille/convert.sh
@@ -0,0 +1,168 @@
 #!/bin/sh
 # 
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
 # 
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
 # 
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
 # 
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
 # 
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/colors.pre.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
    echo -e "${COLOR_RED}Usage: bastille convert TARGET.${COLOR_RESET}"
    exit 1
 }
 # Handle special-case commands first.
 case "$1" in
 help|-h|--help)
    usage
    ;;
 esac
 if [ $# -gt 1 ] || [ $# -lt 1 ]; then
    usage
 fi
 TARGET="${1}"
 shift
 error_notify()
 {
    # Notify message on error and exit
    echo -e "$*" >&2
    exit 1
 }
 convert_symlinks() {
    # Work with the symlinks, revert on first cp error
    if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
        # Retrieve old symlinks temporarily
        for _link in ${SYMLINKS}; do
            if [ -L "${_link}" ]; then
                mv ${_link} ${_link}.old
            fi
        done
        # Copy new files to destination jail
        for _link in ${SYMLINKS}; do
            if [ ! -d "${_link}" ]; then
                if [ -d "${bastille_releasesdir}/${RELEASE}/${_link}" ]; then
                    cp -a "${bastille_releasesdir}/${RELEASE}/${_link}" "${bastille_jailsdir}/${TARGET}/root/${_link}"
                fi
                if [ $? -ne 0 ]; then
                    revert_convert
                fi
            fi
        done
        # Remove the old symlinks on success
        for _link in ${SYMLINKS}; do
            if [ -L "${_link}.old" ]; then
                rm -r ${_link}.old
            fi
        done
    else
        error_notify "${COLOR_RED}Release must be bootstrapped first, See `bastille bootstrap`.${COLOR_RESET}"
    fi
 }
 revert_convert() {
    # Revert the conversion on first cp error
    echo -e "${COLOR_RED}A problem has occurred while copying the files, reverting changes...${COLOR_RESET}"
    for _link in ${SYMLINKS}; do
        if [ -d "${_link}" ]; then
            chflags -R noschg "${bastille_jailsdir}/${TARGET}/root/${_link}"
            rm -rf "${bastille_jailsdir}/${TARGET}/root/${_link}"
        fi
    done
    # Restore previous symlinks
    for _link in ${SYMLINKS}; do
        if [ -L "${_link}.old" ]; then
            mv ${_link}.old ${_link}
        fi
    done
    error_notify "${COLOR_GREEN}Changes for '${TARGET}' has been reverted.${COLOR_RESET}"
 }
 start_convert() {
    # Attempt container conversion and handle some errors
    if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
        echo -e "${COLOR_GREEN}Converting '${TARGET}' into a thickjail, this may take a while...${COLOR_RESET}"
        # Set some variables
        RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])' ${bastille_jailsdir}/${TARGET}/fstab)
        FSTABMOD=$(grep -w "${bastille_releasesdir}/${RELEASE} ${bastille_jailsdir}/${TARGET}/root/.bastille" ${bastille_jailsdir}/${TARGET}/fstab)
        SYMLINKS="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/ports usr/sbin usr/share usr/src"
        if [ -n "${RELEASE}" ]; then
            cd "${bastille_jailsdir}/${TARGET}/root"
            # Work with the symlinks
            convert_symlinks
            # Comment the line containing .bastille and rename mountpoint
            sed -i '' -E "s|${FSTABMOD}|# Converted from thin to thick container on $(date)|g" "${bastille_jailsdir}/${TARGET}/fstab"
            mv ${bastille_jailsdir}/${TARGET}/root/.bastille ${bastille_jailsdir}/${TARGET}/root/.bastille.old
            echo -e "${COLOR_GREEN}Conversion of '${TARGET}' completed successfully!${COLOR_RESET}"
            exit 0
        else
            error_notify "${COLOR_RED}Can't determine release version, See `bastille bootstrap`.${COLOR_RESET}"
        fi
     else
        error_notify "${COLOR_RED}${TARGET} not found. See bootstrap.${COLOR_RESET}"
    fi
 }
 # Check compatibility
 if [ -n "$(freebsd-version | grep -i HBSD)" ]; then
    error_notify "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
 fi
 # Check if container is running
 if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then
    error_notify "${COLOR_RED}${TARGET} is running, See `bastille stop`.${COLOR_RESET}"
 fi
 # Check if is a thin container
 if [ ! -d "${bastille_jailsdir}/${TARGET}/root/.bastille" ]; then
    error_notify "${COLOR_RED}${TARGET} is not a thin container.${COLOR_RESET}"
 elif ! grep -qw ".bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
    error_notify "${COLOR_RED}${TARGET} is not a thin container.${COLOR_RESET}"
 fi
 # Make sure the user agree with the conversion
 # Be interactive here since this cannot be easily undone
 while :; do
    echo -e "${COLOR_RED}Warning: container conversion from thin to thick can't be undone!${COLOR_RESET}"
    read -p "Do you really wish to convert '${TARGET}' into a thick container? [y/N]:" yn
    case ${yn} in
    [Yy]) start_convert;;
    [Nn]) exit 0;;
    esac
 done
--- a/usr/local/share/bastille/cp.sh
+++ b/usr/local/share/bastille/cp.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -55,7 +55,7 @@ if [ "${TARGET}" = 'ALL' ]; then
    JAILS=$(jls name)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | grep -w "${TARGET}")
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 for _jail in ${JAILS}; do
--- a/usr/local/share/bastille/create.sh
+++ b/usr/local/share/bastille/create.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -37,7 +37,13 @@ usage() {
 }
 running_jail() {
-    jls name | grep -w "${NAME}"
+    if [ -n "$(jls name | awk "/^${NAME}$/")" ]; then
        echo -e "${COLOR_RED}A running jail matches name.${COLOR_RESET}"
        exit 1
    elif [ -d "${bastille_jailsdir}/${NAME}" ]; then
        echo -e "${COLOR_RED}Jail: ${NAME} already created.${COLOR_RESET}"
        exit 1
    fi
 }
 validate_ip() {
@@ -52,7 +58,11 @@ validate_ip() {
          exit 1
        fi
      done
-      echo -e "${COLOR_GREEN}Valid: ($ip).${COLOR_RESET}"
+      if ifconfig | grep -w "$ip" >/dev/null; then
        echo -e "${COLOR_YELLOW}Warning: ip address already in use ($ip).${COLOR_RESET}"
      else
        echo -e "${COLOR_GREEN}Valid: ($ip).${COLOR_RESET}"      
      fi
    else
      echo -e "${COLOR_RED}Invalid: ($ip).${COLOR_RESET}"
      exit 1
@@ -61,17 +71,16 @@ validate_ip() {
 validate_netif() {
    local LIST_INTERFACES=$(ifconfig -l)
-    interface=${INTERFACE}
+    if echo "${LIST_INTERFACES} VNET" | grep -qwo "${INTERFACE}"; then
-    if echo "${LIST_INTERFACES}" | grep -qwo "${INTERFACE}"; then
+        echo -e "${COLOR_GREEN}Valid: (${INTERFACE}).${COLOR_RESET}"
        echo -e "${COLOR_GREEN}Valid: ($interface).${COLOR_RESET}"
    else
-        echo -e "${COLOR_RED}Invalid: ($interface).${COLOR_RESET}"
+        echo -e "${COLOR_RED}Invalid: (${INTERFACE}).${COLOR_RESET}"
        exit 1
    fi
 }
 validate_netconf() {
-	if [ -n "${bastille_jail_loopback}" ] && [ -n "${bastille_jail_interface}" ] && [ -n "${bastille_jail_external}" ]; then
+    if [ -n "${bastille_jail_loopback}" ] && [ -n "${bastille_jail_interface}" ] && [ -n "${bastille_jail_external}" ]; then
        echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
        exit 1
    fi
@@ -91,6 +100,15 @@ validate_netconf() {
    fi
 }
 validate_release() {
    ## check release name match, else show usage
    if [ -n "${NAME_VERIFY}" ]; then
        RELEASE="${NAME_VERIFY}"
    else
        usage
    fi
 }
 create_jail() {
    bastille_jail_base="${bastille_jailsdir}/${NAME}/root/.bastille"  ## dir
    bastille_jail_template="${bastille_jailsdir}/${NAME}/root/.template"  ## dir
@@ -140,10 +158,10 @@ create_jail() {
    fi
    if [ ! -f "${bastille_jail_conf}" ]; then
-        if [ -z ${bastille_jail_loopback} ] && [ ! -z ${bastille_jail_external} ]; then
+        if [ -z "${bastille_jail_loopback}" ] && [ ! -z "${bastille_jail_external}" ]; then
            local bastille_jail_conf_interface=${bastille_jail_external}
        fi
-        if [ ! -z ${bastille_jail_loopback} ] && [ -z ${bastille_jail_external} ]; then
+        if [ ! -z "${bastille_jail_loopback}" ] && [ -z "${bastille_jail_external}" ]; then
            local bastille_jail_conf_interface=${bastille_jail_interface}
        fi
        if [ ! -z  ${INTERFACE} ]; then
@@ -322,22 +340,34 @@ fi
 ## verify release
 case "${RELEASE}" in
 *-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
-## check for FreeBSD releases name
+    ## check for FreeBSD releases name
-NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
-if [ -n "${NAME_VERIFY}" ]; then
+    validate_release
    RELEASE="${NAME_VERIFY}"
 else
    usage
 fi
    ;;
 *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
-## check for HardenedBSD releases name
+    ## check for HardenedBSD releases name(previous infrastructure)
-NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-LAST|-STABLE-last|-stable-last|-STABLE-LAST)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-LAST|-STABLE-last|-stable-last|-STABLE-LAST)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
-if [ -n "${NAME_VERIFY}" ]; then
+    validate_release
-    RELEASE="${NAME_VERIFY}"
+    ;;
-else
+*-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*)
-    usage
+    ## check for HardenedBSD(specific stable build releases)
-fi
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build|-STABLE-BUILD)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g')
    validate_release
    ;;
 *-stable-build-latest|*-STABLE-BUILD-LATEST)
    ## check for HardenedBSD(latest stable build release)
    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest|-STABLE-BUILD-LATEST)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
    validate_release
    ;;
 current-build-[0-9]*|CURRENT-BUILD-[0-9]*)
    ## check for HardenedBSD(specific current build releases)
    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build|-CURRENT-BUILD)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g')
    validate_release
    ;;
 current-build-latest|CURRENT-BUILD-LATEST)
    ## check for HardenedBSD(latest current build release)
    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest|-CURRENT-BUILD-LATEST)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
    validate_release
    ;;
 *)
    echo -e "${COLOR_RED}Unknown Release.${COLOR_RESET}"
@@ -357,15 +387,13 @@ if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
    exit 1
 fi
-## check if a running jail matches name
+## check if a running jail matches name or already exist
-if running_jail ${NAME}; then
+if [ -n "${NAME}" ]; then
-    echo -e "${COLOR_RED}A running jail matches name.${COLOR_RESET}"
+    running_jail
    echo -e "${COLOR_RED}Jails must be stopped before they are destroyed.${COLOR_RESET}"
    exit 1
 fi
 ## check if ip address is valid
-if [ ! -z ${IP} ]; then
+if [ ! -z "${IP}" ]; then
    validate_ip
 else
    usage
--- a/usr/local/share/bastille/destroy.sh
+++ b/usr/local/share/bastille/destroy.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -32,18 +32,22 @@
 . /usr/local/etc/bastille/bastille.conf
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille destroy [container|release]${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille destroy [option] | [container|release]${COLOR_RESET}"
    exit 1
 }
 destroy_jail() {
-    bastille_jail_base="${bastille_jailsdir}/${NAME}"            ## dir
+    bastille_jail_base="${bastille_jailsdir}/${TARGET}"            ## dir
-    bastille_jail_log="${bastille_logsdir}/${NAME}_console.log"  ## file
+    bastille_jail_log="${bastille_logsdir}/${TARGET}_console.log"  ## file
-    if [ $(jls name | grep -w "${NAME}") ]; then
+    if [ "$(jls name | awk "/^${TARGET}$/")" ]; then
-        echo -e "${COLOR_RED}Jail running.${COLOR_RESET}"
+        if [ "${FORCE}" = "1" ]; then
-        echo -e "${COLOR_RED}See 'bastille stop ${NAME}'.${COLOR_RESET}"
+            bastille stop ${TARGET}
-        exit 1
+        else
            echo -e "${COLOR_RED}Jail running.${COLOR_RESET}"
            echo -e "${COLOR_RED}See 'bastille stop ${TARGET}'.${COLOR_RESET}"
            exit 1
        fi
    fi
    if [ ! -d "${bastille_jail_base}" ]; then
@@ -52,12 +56,12 @@ destroy_jail() {
    fi
    if [ -d "${bastille_jail_base}" ]; then
-        echo -e "${COLOR_GREEN}Deleting Jail: ${NAME}.${COLOR_RESET}"
+        echo -e "${COLOR_GREEN}Deleting Jail: ${TARGET}.${COLOR_RESET}"
        if [ "${bastille_zfs_enable}" = "YES" ]; then
            if [ ! -z "${bastille_zfs_zpool}" ]; then
-                if [ ! -z "${NAME}" ]; then
+                if [ ! -z "${TARGET}" ]; then
                    ## remove jail zfs dataset recursively
-                    zfs destroy -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}
+                    zfs destroy -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}
                fi
            fi
        fi
@@ -81,15 +85,23 @@ destroy_jail() {
 }
 destroy_rel() {
-    bastille_rel_base="${bastille_releasesdir}/${NAME}"  ## dir
+    ## check release name match before destroy
    if [ -n "${NAME_VERIFY}" ]; then
        TARGET="${NAME_VERIFY}"
        break
    else
        usage
    fi
    bastille_rel_base="${bastille_releasesdir}/${TARGET}"  ## dir
    ## check if this release have containers child
    BASE_HASCHILD="0"
-	if [ -d "${bastille_jailsdir}" ]; then
+    if [ -d "${bastille_jailsdir}" ]; then
        JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g")
        for _jail in ${JAIL_LIST}; do
-            if grep -qwo "${NAME}" ${bastille_jailsdir}/${_jail}/fstab 2>/dev/null; then
+            if grep -qwo "${TARGET}" ${bastille_jailsdir}/${_jail}/fstab 2>/dev/null; then
-                echo -e "${COLOR_RED}Notice: (${_jail}) depends on ${NAME} base.${COLOR_RESET}"
+                echo -e "${COLOR_RED}Notice: (${_jail}) depends on ${TARGET} base.${COLOR_RESET}"
                BASE_HASCHILD="1"
            fi
        done
@@ -100,10 +112,15 @@ destroy_rel() {
        exit 1
    else
        if [ "${BASE_HASCHILD}" -eq "0" ]; then
-            echo -e "${COLOR_GREEN}Deleting base: ${NAME}.${COLOR_RESET}"
+            echo -e "${COLOR_GREEN}Deleting base: ${TARGET}.${COLOR_RESET}"
            if [ "${bastille_zfs_enable}" = "YES" ]; then
                if [ ! -z "${bastille_zfs_zpool}" ]; then
-                    zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${NAME}
+                    zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${TARGET}
                    if [ "${FORCE}" = "1" ]; then
                        if [ -d "${bastille_cachedir}/${TARGET}" ]; then
                            zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${TARGET}
                        fi
                    fi
                fi
            fi
@@ -114,6 +131,13 @@ destroy_rel() {
                ## remove jail base
                rm -rf ${bastille_rel_base}
            fi
            if [ "${FORCE}" = "1" ]; then
                ## remove cache on force
                if [ -d "${bastille_cachedir}/${TARGET}" ]; then
                    rm -rf "${bastille_cachedir}/${TARGET}"
                fi
            fi
            echo
        else
            echo -e "${COLOR_RED}Cannot destroy base with containers child.${COLOR_RESET}"
@@ -128,37 +152,62 @@ help|-h|--help)
    ;;
 esac
-if [ $# -gt 1 ] || [ $# -lt 1 ]; then
+OPTION="${1}"
-    usage
+TARGET="${2}"
 fi
-NAME="$1"
+## handle additional options
-
+case "${OPTION}" in
-## check what should we clean
+-f|--force)
-case "${NAME}" in
+    if [ $# -gt 2 ] || [ $# -lt 2 ]; then
 *-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
    ## check for FreeBSD releases name
    NAME_VERIFY=$(echo "${NAME}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
    if [ -n "${NAME_VERIFY}" ]; then
        NAME="${NAME_VERIFY}"
        destroy_rel
    else
        usage
    fi
    FORCE="1"
    ;;
-
+-*)
-*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
+    echo -e "${COLOR_RED}Unknown Option.${COLOR_RESET}"
-    ## check for HardenedBSD releases name
+    usage
    NAME_VERIFY=$(echo "${NAME}" | grep -iwE '^([1-9]{2,2})(-stable-LAST|-STABLE-last|-stable-last|-STABLE-LAST)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
    if [ -n "${NAME_VERIFY}" ]; then
        NAME="${NAME_VERIFY}"
        destroy_rel
    else
        usage
    fi
    ;;
 *)
    if [ $# -gt 1 ] || [ $# -lt 1 ]; then
        usage
    fi
    TARGET="${1}"
    ;;
 esac
 ## check what should we clean
 case "${TARGET}" in
 *-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
    ## check for FreeBSD releases name
    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
    destroy_rel
    ;;
 *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
    ## check for HardenedBSD releases name
    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})(-stable-LAST|-STABLE-last|-stable-last|-STABLE-LAST)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
    destroy_rel
    ;;
 *-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*)
    ## check for HardenedBSD(specific stable build releases)
    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '([0-9]{1,2})(-stable-build|-STABLE-BUILD)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g')
    destroy_rel
    ;;
 *-stable-build-latest|*-STABLE-BUILD-LATEST)
    ## check for HardenedBSD(latest stable build release)
    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '([0-9]{1,2})(-stable-build-latest|-STABLE-BUILD-LATEST)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
    destroy_rel
    ;;
 current-build-[0-9]*|CURRENT-BUILD-[0-9]*)
    ## check for HardenedBSD(specific current build releases)
    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build|-CURRENT-BUILD)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g')
    destroy_rel
    ;;
 current-build-latest|CURRENT-BUILD-LATEST)
    ## check for HardenedBSD(latest current build release)
    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build-latest|-CURRENT-BUILD-LATEST)$' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
    destroy_rel
    ;;
 *)
    ## just destroy a jail
    destroy_jail
    ;;
--- a/usr/local/share/bastille/export.sh
+++ b/usr/local/share/bastille/export.sh
@@ -0,0 +1,113 @@
 #!/bin/sh
 # 
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
 # 
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
 # 
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
 # 
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
 # 
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/colors.pre.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
    echo -e "${COLOR_RED}Usage: bastille export TARGET.${COLOR_RESET}"
    exit 1
 }
 # Handle special-case commands first
 case "$1" in
 help|-h|--help)
    usage
    ;;
 esac
 if [ $# -gt 1 ] || [ $# -lt 1 ]; then
    usage
 fi
 TARGET="${1}"
 shift
 error_notify()
 {
    # Notify message on error and exit
    echo -e "$*" >&2
    exit 1
 }
 jail_export()
 {
    # Attempt to export the container
    DATE=$(date +%F-%H:%M:%S)
    if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ]; then
            if [ ! -z "${bastille_zfs_zpool}" ]; then
                FILE_EXT="xz"
                echo -e "${COLOR_GREEN}Exporting '${TARGET}' to a compressed .${FILE_EXT} archive.${COLOR_RESET}"
                echo -e "${COLOR_GREEN}Sending zfs data stream...${COLOR_RESET}"
                # Take a recursive temporary snapshot
                SNAP_NAME="bastille_export-${DATE}"
                zfs snapshot -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@${SNAP_NAME}
                # Export the container recursively and cleanup temporary snapshots
                zfs send -R ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@${SNAP_NAME} | \
                xz ${bastille_compress_xz_options} > ${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}
                zfs destroy -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@${SNAP_NAME}
            fi
        else
            # Create standard backup archive
            FILE_EXT="txz"
            echo -e "${COLOR_GREEN}Exporting '${TARGET}' to a compressed .${FILE_EXT} archive...${COLOR_RESET}"
            cd ${bastille_jailsdir} && tar -cf - ${TARGET} | xz ${bastille_compress_xz_options} > ${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}
        fi
        if [ $? -ne 0 ]; then
            error_notify "${COLOR_RED}Failed to export '${TARGET}' container.${COLOR_RESET}"
        else
            # Generate container checksum file
            cd ${bastille_backupsdir}
            sha256 -q ${TARGET}_${DATE}.${FILE_EXT} > ${TARGET}_${DATE}.sha256
            echo -e "${COLOR_GREEN}Exported '${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}' successfully.${COLOR_RESET}"
            exit 0
        fi
    else
        error_notify "${COLOR_RED}Container '${TARGET}' does not exist.${COLOR_RESET}"
    fi
 }
 # Check if backups directory/dataset exist
 if [ ! -d "${bastille_backupsdir}" ]; then
    error_notify "${COLOR_RED}Backups directory/dataset does not exist, See 'bastille bootstrap'.${COLOR_RESET}"
 fi
 # Check if is a ZFS system
 if [ "${bastille_zfs_enable}" != "YES" ]; then
    # Check if container is running and ask for stop in UFS systems
    if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then
        error_notify "${COLOR_RED}${TARGET} is running, See 'bastille stop'.${COLOR_RESET}"
    fi
 fi
 jail_export
--- a/usr/local/share/bastille/htop.sh
+++ b/usr/local/share/bastille/htop.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -54,7 +54,7 @@ if [ "${TARGET}" = 'ALL' ]; then
    JAILS=$(jls name)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | grep -w "${TARGET}")
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 for _jail in ${JAILS}; do
--- a/usr/local/share/bastille/import.sh
+++ b/usr/local/share/bastille/import.sh
@@ -0,0 +1,194 @@
 #!/bin/sh
 # 
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
 # 
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
 # 
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
 # 
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
 # 
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/colors.pre.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
    echo -e "${COLOR_RED}Usage: bastille import backup_file.${COLOR_RESET}"
    exit 1
 }
 # Handle special-case commands first
 case "$1" in
 help|-h|--help)
    usage
    ;;
 esac
 if [ $# -gt 1 ] || [ $# -lt 1 ]; then
    usage
 fi
 TARGET="${1}"
 shift
 error_notify() {
    # Notify message on error and exit
    echo -e "$*" >&2
    exit 1
 }
 validate_archive() {
    # Compare checksums on the target archive
    if [ -f "${bastille_backupsdir}/${TARGET}" ]; then
        echo -e "${COLOR_GREEN}Validating file: ${TARGET}...${COLOR_RESET}"
        SHA256_DIST=$(cat ${bastille_backupsdir}/${FILE_TRIM}.sha256)
        SHA256_FILE=$(sha256 -q ${bastille_backupsdir}/${TARGET})
        if [ "${SHA256_FILE}" != "${SHA256_DIST}" ]; then
            error_notify "${COLOR_RED}Failed validation for ${TARGET}.${COLOR_RESET}"
        else
            echo -e "${COLOR_GREEN}File validation successful!${COLOR_RESET}"
        fi
    fi
 }
 update_zfsmount() {
    # Update the mountpoint property on the received zfs data stream
    OLD_ZFS_MOUNTPOINT=$(zfs get -H mountpoint ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root | awk '{print $3}')
    NEW_ZFS_MOUNTPOINT="${bastille_jailsdir}/${TARGET_TRIM}/root"
    if [ "${NEW_ZFS_MOUNTPOINT}" != "${OLD_ZFS_MOUNTPOINT}" ]; then
        echo -e "${COLOR_GREEN}Updating zfs mountpoint...${COLOR_RESET}"
        zfs set mountpoint=${bastille_jailsdir}/${TARGET_TRIM}/root ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root
    fi
 }
 update_jailconf() {
    # Update jail.conf paths
    JAIL_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/jail.conf"
    if [ -f "${JAIL_CONFIG}" ]; then
        if ! grep -qw "path = ${bastille_jailsdir}/${TARGET_TRIM}/root;" ${JAIL_CONFIG}; then
            echo -e "${COLOR_GREEN}Updating jail.conf...${COLOR_RESET}"
            sed -i '' "s|exec.consolelog = .*;|exec.consolelog = ${bastille_logsdir}/${TARGET_TRIM}_console.log;|" ${JAIL_CONFIG}
            sed -i '' "s|path = .*;|path = ${bastille_jailsdir}/${TARGET_TRIM}/root;|" ${JAIL_CONFIG}
            sed -i '' "s|mount.fstab = .*;|mount.fstab = ${bastille_jailsdir}/${TARGET_TRIM}/fstab;|" ${JAIL_CONFIG}
        fi
    fi
 }
 update_fstab() {
    # Update fstab .bastille mountpoint on thin containers only
    # Set some variables
    FSTAB_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/fstab"
    FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2]|-stable-build-[0-9]{1,3})' ${FSTAB_CONFIG})
    FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET_TRIM}/root/.bastille" ${FSTAB_CONFIG})
    FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille nullfs ro 0 0"
    if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
        # If both variables are set, compare and update as needed
        if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille" ${FSTAB_CONFIG}; then
            echo -e "${COLOR_GREEN}Updating fstab...${COLOR_RESET}"
            sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" ${FSTAB_CONFIG}
        fi
    fi
 }
 jail_import() {
    # Attempt to import container from file
    FILE_TRIM=$(echo ${TARGET} | sed 's/.[txz]\{2,3\}//')
    FILE_EXT=$(echo ${TARGET} | cut -d '.' -f2)
    validate_archive
    if [ -d "${bastille_jailsdir}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ]; then
            if [ ! -z "${bastille_zfs_zpool}" ]; then
                if [ "${FILE_EXT}" = "xz" ]; then
                    # Import from compressed xz on ZFS systems
                    echo -e "${COLOR_GREEN}Importing '${TARGET_TRIM}' from compressed .${FILE_EXT} archive.${COLOR_RESET}"
                    echo -e "${COLOR_GREEN}Receiving zfs data stream...${COLOR_RESET}"
                    xz ${bastille_decompress_xz_options} ${bastille_backupsdir}/${TARGET} | \
                    zfs receive -u ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}
                    # Update ZFS mountpoint property if required
                    # This is required on foreign imports only
                    update_zfsmount
                    # Mount new container ZFS datasets
                    zfs mount ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}
                    zfs mount ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root
                elif [ "${FILE_EXT}" = "txz" ]; then
                    # Prepare the ZFS environment and restore from existing tar.xz file
                    echo -e "${COLOR_GREEN}Importing '${TARGET_TRIM}' form .${FILE_EXT} archive.${COLOR_RESET}"
                    echo -e "${COLOR_GREEN}Preparing zfs environment...${COLOR_RESET}"
                    zfs create ${bastille_zfs_options} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}
                    zfs create ${bastille_zfs_options} -o mountpoint=${bastille_jailsdir}/${TARGET_TRIM}/root \
                    ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root
                    # Extract required files to the new datasets
                    echo -e "${COLOR_GREEN}Extracting files from '${TARGET}' archive...${COLOR_RESET}"
                    tar --exclude='root' -Jxf ${bastille_backupsdir}/${TARGET} --strip-components 1 -C ${bastille_jailsdir}/${TARGET_TRIM} 
                    tar -Jxf ${bastille_backupsdir}/${TARGET} --strip-components 2 -C ${bastille_jailsdir}/${TARGET_TRIM}/root ${TARGET_TRIM}/root
                    if [ $? -ne 0 ]; then
                        zfs destroy -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}
                        error_notify "${COLOR_RED}Failed to extract files from '${TARGET}' archive.${COLOR_RESET}"
                    fi
                else
                    error_notify "${COLOR_RED}Unknown archive format.${COLOR_RESET}"
                fi
            fi
        else
            # Import from standard tar.xz archive on UFS systems
            echo -e "${COLOR_GREEN}Extracting files from '${TARGET}' archive...${COLOR_RESET}"
            tar -Jxf  ${bastille_backupsdir}/${TARGET} -C ${bastille_jailsdir}
        fi
        if [ $? -ne 0 ]; then
            error_notify "${COLOR_RED}Failed to import from '${TARGET}' archive.${COLOR_RESET}"
        else
            # Update the jail.conf and fstab if required
            # This is required on foreign imports only
            update_jailconf
            update_fstab
            echo -e "${COLOR_GREEN}Container '${TARGET_TRIM}' imported successfully.${COLOR_RESET}"
            exit 0
        fi
    else
        error_notify "${COLOR_RED}Jails directory/dataset does not exist, See 'bastille bootstrap'.${COLOR_RESET}"
    fi
 }
 # Check if backups directory/dataset exist
 if [ ! -d "${bastille_backupsdir}" ]; then
    error_notify "${COLOR_RED}Backups directory/dataset does not exist, See 'bastille bootstrap'.${COLOR_RESET}"
 fi
 # Check if archive exist then trim archive name
 if [ "$(ls "${bastille_backupsdir}" | awk "/^${TARGET}$/")" ]; then
    TARGET_TRIM=$(echo ${TARGET} | sed "s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*:[0-9]*:[0-9]*.[txz]\{2,3\}//")
 else
    error_notify "${COLOR_RED}Archive '${TARGET}' not found.${COLOR_RESET}"
 fi
 # Check if a running jail matches name or already exist
 if [ -n "$(jls name | awk "/^${TARGET_TRIM}$/")" ]; then
    error_notify "${COLOR_RED}A running jail matches name.${COLOR_RESET}"
 elif [ -d "${bastille_jailsdir}/${TARGET_TRIM}" ]; then
    error_notify "${COLOR_RED}Container: ${TARGET_TRIM} already exist.${COLOR_RESET}"
 fi
 jail_import
--- a/usr/local/share/bastille/limits.sh
+++ b/usr/local/share/bastille/limits.sh
@@ -0,0 +1,74 @@
 #!/bin/sh
 # 
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # Ressource limits added by Sven R github.com/hackacad
 # 
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
 # 
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
 # 
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
 # 
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
 # 
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/colors.pre.sh
 usage() {
    echo -e "${COLOR_RED}Usage: bastille limits TARGET option value${COLOR_RESET}"
    echo -e "Example: bastille limits JAILNAME memoryuse 1G"
    exit 1
 }
 RACCT_ENABLE=$(sysctl -n kern.racct.enable)
 if [ "${RACCT_ENABLE}" != '1' ]; then
    echo "Racct not enabled. Append 'kern.racct.enable=1' to /boot/loader.conf and reboot"
 fi
 # Handle special-case commands first.
 case "$1" in
 help|-h|--help)
    usage
    ;;
 esac
 if [ $# -lt 2 ]; then
    usage
 fi
 TARGET="${1}"
 OPTION="${2}"
 VALUE="${3}"
 shift
 if [ "${TARGET}" = 'ALL' ]; then
    JAILS=$(jls name)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 for _jail in ${JAILS}; do
    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
    echo -e "${TYPE} ${VALUE}"
     rctl -a jail:${_jail}:${OPTION}:deny=${VALUE}/jail
    echo -e "${COLOR_RESET}"
 done
--- a/usr/local/share/bastille/list.sh
+++ b/usr/local/share/bastille/list.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -32,12 +32,17 @@
 . /usr/local/etc/bastille/bastille.conf
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille list [release|template|(jail|container)|log].${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille list [-j] [release|template|(jail|container)|log|limit|(import|export|backup)].${COLOR_RESET}"
    exit 1
 }
 if [ $# -eq 0 ]; then
-    jls -N
+   jls -N
 fi
 if [ "$1" == "-j" ]; then
    jls -N --libxo json
    exit 0
 fi
 if [ $# -gt 0 ]; then
@@ -51,8 +56,7 @@ if [ $# -gt 0 ]; then
            REL_LIST=$(ls "${bastille_releasesdir}" | sed "s/\n//g")
            for _REL in ${REL_LIST}; do
                if [ -f "${bastille_releasesdir}/${_REL}/root/.profile" ]; then
-                    #echo "${bastille_releasesdir}/${_REL}"
+                    echo "${_REL}"
 					echo "${_REL}"
                fi
            done
        fi
@@ -73,6 +77,13 @@ if [ $# -gt 0 ]; then
    log|logs)
        find "${bastille_logsdir}" -type f -maxdepth 1
        ;;
    limit|limits)
        rctl -h jail:
        ;;
    import|imports|export|exports|backup|backups)
        ls "${bastille_backupsdir}" | grep -Ev "*.sha256"
    exit 0
    ;;
    *)
        usage
        ;;
--- a/usr/local/share/bastille/pkg.sh
+++ b/usr/local/share/bastille/pkg.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -53,7 +53,7 @@ if [ "${TARGET}" = 'ALL' ]; then
    JAILS=$(jls name)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | grep -w "${TARGET}")
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 for _jail in ${JAILS}; do
--- a/usr/local/share/bastille/rdr.sh
+++ b/usr/local/share/bastille/rdr.sh
@@ -0,0 +1,118 @@
 #!/bin/sh
 # 
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
 # 
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
 # 
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
 # 
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
 # 
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/colors.pre.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
    echo -e "${COLOR_RED}Usage: bastille rdr TARGET [clear] | [list] | [tcp <host_port> <jail_port>] | [udp <host_port> <jail_port>]${COLOR_RESET}"
    exit 1
 }
 # Handle special-case commands first.
 case "$1" in
 help|-h|--help)
    usage
    ;;
 esac
 if [ $# -lt 2 ]; then
    usage
 fi
 TARGET="${1}"
 shift
 # Can only redirect to single jail
 if [ "${TARGET}" = 'ALL' ]; then
    echo -e "${COLOR_RED}Can only redirect to single jail${COLOR_RESET}"
    exit 1
 fi
 # Check jail name valid
 JAIL_NAME=$(jls -j "${TARGET}" name 2>/dev/null)
 if [ -z "${JAIL_NAME}" ]; then
    echo -e "${COLOR_RED}Jail not found: ${TARGET}${COLOR_RESET}"
    exit 1
 fi
 # Check jail ip4 address valid
 JAIL_IP=$(jls -j "${TARGET}" ip4.addr 2>/dev/null)
 if [ -z "${JAIL_IP}" -o "${JAIL_IP}" = "-" ]; then
    echo -e "${COLOR_RED}Jail IP not found: ${TARGET}${COLOR_RESET}"
    exit 1
 fi
 # Check rdr-anchor is setup in pf.conf
 if !(pfctl -sn | grep rdr-anchor | grep 'rdr/\*' >/dev/null); then
    echo -e "${COLOR_RED}rdr-anchor not found in pf.conf${COLOR_RESET}"
    exit 1
 fi
 # Check ext_if is setup in pf.conf
 EXT_IF=$(grep '^[[:space:]]*ext_if[[:space:]]*=' /etc/pf.conf)
 if [ -z "${JAIL_NAME}" ]; then
    echo -e "${COLOR_RED}ext_if not defined in pf.conf${COLOR_RESET}"
    exit 1
 fi
 while [ $# -gt 0 ]; do
    case "$1" in
        list)
            pfctl -a "rdr/${JAIL_NAME}" -Psn 2>/dev/null
            shift
            ;;
        clear)
            pfctl -a "rdr/${JAIL_NAME}" -Fn
            shift
            ;;
        tcp)
            if [ $# -lt 3 ]; then
                usage
            fi
            ( pfctl -a "rdr/${JAIL_NAME}" -Psn; 
              printf '%s\nrdr on $ext_if inet proto tcp to port %d -> %s port %d\n' "$EXT_IF" "$2" "$JAIL_IP" "$3" ) \
                  | pfctl -a "rdr/${JAIL_NAME}" -f-
            shift 3
            ;;
        udp)
            if [ $# -lt 3 ]; then
                usage
            fi
            ( pfctl -a "rdr/${JAIL_NAME}" -Psn; 
              printf '%s\nrdr on $ext_if inet proto udp to port %d -> %s port %d\n' "$EXT_IF" "$2" "$JAIL_IP" "$3" ) \
                  | pfctl -a "rdr/${JAIL_NAME}" -f-
            shift 3
            ;;
        *)
            usage
            ;;
    esac
 done
--- a/usr/local/share/bastille/restart.sh
+++ b/usr/local/share/bastille/restart.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
--- a/usr/local/share/bastille/service.sh
+++ b/usr/local/share/bastille/service.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -54,7 +54,7 @@ if [ "${TARGET}" = 'ALL' ]; then
 fi
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | grep -w "${TARGET}")
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 for _jail in ${JAILS}; do
--- a/usr/local/share/bastille/start.sh
+++ b/usr/local/share/bastille/start.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -54,21 +54,36 @@ if [ "${TARGET}" = 'ALL' ]; then
    JAILS=$(bastille list jails)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(bastille list jails | grep -w "${TARGET}")
+    JAILS=$(bastille list jails | awk "/^${TARGET}$/")
 fi
 for _jail in ${JAILS}; do
    ## test if running
-    if [ $(jls name | grep -w ${_jail}) ]; then
+    if [ "$(jls name | awk "/^${_jail}$/")" ]; then
        echo -e "${COLOR_RED}[${_jail}]: Already started.${COLOR_RESET}"
    ## test if not running
-    elif [ ! $(jls name | grep -w ${_jail}) ]; then
+    elif [ ! "$(jls name | awk "/^${_jail}$/")" ]; then
 	## warn if matching configured (but not online) ip4.addr
        ip=$(grep 'ip4.addr' "${bastille_jailsdir}/${_jail}/jail.conf" | awk '{print $3}' | sed 's/\;//g')
        if ifconfig | grep -w "$ip" >/dev/null; then
          echo -e "${COLOR_RED}Error: IP address ($ip) already in use.${COLOR_RESET}"
          exit 1
        fi
 	## start the container
        echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
        jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail}
        ## add rctl limits
        if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then
            while read _limits; do
                rctl -a "${_limits}"
            done < "${bastille_jailsdir}/${_jail}/rctl.conf"
        fi
        ## add ip4.addr to firewall table:jails
-        if [ ! -z ${bastille_jail_loopback} ]; then
+        if [ ! -z "${bastille_jail_loopback}" ]; then
            pfctl -q -t jails -T add $(jls -j ${_jail} ip4.addr)
        fi
    fi
--- a/usr/local/share/bastille/stop.sh
+++ b/usr/local/share/bastille/stop.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -54,21 +54,28 @@ if [ "${TARGET}" = 'ALL' ]; then
    JAILS=$(jls name)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | grep -w "${TARGET}")
+    JAILS=$(jls name | awk "/^${TARGET}$/")
    ## test if not running
    if [ ! "$(jls name | awk "/^${TARGET}$/")" ]; then
        echo -e "${COLOR_RED}[${TARGET}]: Not started.${COLOR_RESET}"
    fi
 fi
 for _jail in ${JAILS}; do
    ## test if not running
    if [ ! $(jls name | grep -w "${_jail}") ]; then
        echo -e "${COLOR_RED}[${_jail}]: Not started.${COLOR_RESET}"
    ## test if running
-    elif [ $(jls name | grep -w "${_jail}") ]; then
+    if [ "$(jls name | awk "/^${_jail}$/")" ]; then
        ## remove ip4.addr from firewall table:jails
-        if [ ! -z ${bastille_jail_loopback} ]; then
+        if [ ! -z "${bastille_jail_loopback}" ]; then
            pfctl -q -t jails -T delete $(jls -j ${_jail} ip4.addr)
        fi
        ## remove rctl limits
        if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then
            while read _limits; do
                rctl -r "${_limits}"
            done < "${bastille_jailsdir}/${_jail}/rctl.conf"
        fi
        ## stop container
        echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
        jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail}
--- a/usr/local/share/bastille/sysrc.sh
+++ b/usr/local/share/bastille/sysrc.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -54,7 +54,7 @@ if [ "${TARGET}" = 'ALL' ]; then
 fi
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | grep -w "${TARGET}")
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 for _jail in ${JAILS}; do
--- a/usr/local/share/bastille/template.sh
+++ b/usr/local/share/bastille/template.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -31,7 +31,7 @@
 . /usr/local/share/bastille/colors.pre.sh
 . /usr/local/etc/bastille/bastille.conf
-usage() {
+bastille_usage() {
    echo -e "${COLOR_RED}Usage: bastille template TARGET project/template.${COLOR_RESET}"
    exit 1
 }
@@ -39,12 +39,12 @@ usage() {
 # Handle special-case commands first.
 case "$1" in
 help|-h|--help)
-    usage
+    bastille_usage
    ;;
 esac
 if [ $# -gt 2 ] || [ $# -lt 2 ]; then
-    usage
+    bastille_usage
 fi
 TARGET="${1}"
@@ -54,30 +54,24 @@ if [ "${TARGET}" = 'ALL' ]; then
    JAILS=$(jls name)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | grep -w "${TARGET}")
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 TEMPLATE="${1}"
 shift
-if [ ! -d "${bastille_templatesdir}"/"${TEMPLATE}" ]; then
+if [ ! -d "${bastille_templatesdir}/${TEMPLATE}" ]; then
    echo -e "${COLOR_RED}${TEMPLATE} not found.${COLOR_RESET}"
    exit 1
 fi
 if [ -z "${JAILS}" ]; then
    echo -e "${COLOR_RED}Container ${TARGET} is not running.${COLOR_RESET}"
    exit 1
 fi
 ## global variables
 bastille_template=${bastille_templatesdir}/${TEMPLATE}
 bastille_template_TARGET=${bastille_template}/TARGET
 bastille_template_INCLUDE=${bastille_template}/INCLUDE
 bastille_template_PRE=${bastille_template}/PRE
 bastille_template_OVERLAY=${bastille_template}/OVERLAY
 bastille_template_FSTAB=${bastille_template}/FSTAB
 bastille_template_PF=${bastille_template}/PF
 bastille_template_PKG=${bastille_template}/PKG
 bastille_template_SYSRC=${bastille_template}/SYSRC
 bastille_template_SERVICE=${bastille_template}/SERVICE
 bastille_template_CMD=${bastille_template}/CMD
 for _jail in ${JAILS}; do
    ## jail-specific variables. 
    bastille_jail_path=$(jls -j "${_jail}" path)
@@ -85,52 +79,166 @@ for _jail in ${JAILS}; do
    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
    ## TARGET
-    if [ -s "${bastille_template_TARGET}" ]; then
+    if [ -s "${bastille_template}/TARGET" ]; then
-        if [ $(grep -w "${_jail}" ${bastille_template_TARGET}) ]; then
+        if [ $(grep -w "${_jail}" ${bastille_template}/TARGET) ]; then
            echo -e "${COLOR_GREEN}TARGET: !${_jail}.${COLOR_RESET}"
-	    echo
+            echo
            continue
        fi
-	if [ ! $(grep -E "(^|\b)(${_jail}|ALL)($|\b)" ${bastille_template_TARGET}) ]; then
+    if [ ! $(grep -E "(^|\b)(${_jail}|ALL)($|\b)" ${bastille_template}/TARGET) ]; then
            echo -e "${COLOR_GREEN}TARGET: ?${_jail}.${COLOR_RESET}"
-	    echo
+            echo
            continue
        fi
    fi
    ## LIMITS (RCTL)
    if [ -s "${bastille_template}/LIMITS" ]; then
        echo -e "${COLOR_GREEN}[${_jail}]:LIMITS -- START${COLOR_RESET}"
        RACCT_ENABLE=$(sysctl -n kern.racct.enable)
        if [ "${RACCT_ENABLE}" != '1' ]; then
            echo "Racct not enabled. Append 'kern.racct.enable=1' to /boot/loader.conf and reboot"
            continue
        fi
        while read _limits; do
            ## define the key and value
            _limit_key=$(echo "${_limits}" | awk '{print $1}')
            _limit_value=$(echo "${_limits}" | awk '{print $2}')
            _rctl_rule="jail:${_jail}:${_limit_key}:deny=${_limit_value}/jail"
            ## if entry doesn't exist, add; else show existing entry
            if [ ! "$(grep -qs "${_rctl_rule}" "${bastille_jailsdir}/${_jail}/rctl.conf")" ]; then
                echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
                echo "${_limits}"
            else
                echo "${_limits}"
            fi
            ## apply limits to system
            rctl -a "${_rctl_rule}" || exit 1
        done < "${bastille_template}/LIMITS"
        echo -e "${COLOR_GREEN}[${_jail}]:LIMITS -- END${COLOR_RESET}"
        echo
    fi
    ## INCLUDE
-    if [ -s "${bastille_template_INCLUDE}" ]; then
+    if [ -s "${bastille_template}/INCLUDE" ]; then
        echo -e "${COLOR_GREEN}[${_jail}]:INCLUDE -- START${COLOR_RESET}"
        while read _include; do
            echo
            echo -e "${COLOR_GREEN}INCLUDE: ${_include}${COLOR_RESET}"
            echo -e "${COLOR_GREEN}Bootstrapping ${_include}...${COLOR_RESET}"
-            bastille bootstrap ${_include}
+
            case ${_include} in
                http?://github.com/*/*|http?://gitlab.com/*/*)
                    bastille bootstrap ${_include}
                ;;
                */*)
                    BASTILLE_TEMPLATE_USER=$(echo "${_include}" | awk -F / '{ print $1 }')
                    BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $2 }')
                    bastille template ${_jail} ${BASTILLE_TEMPLATE_USER}/${BASTILLE_TEMPLATE_REPO}
                ;;
                *)
                    echo -e "${COLOR_RED}Template INCLUDE content not recognized.${COLOR_RESET}"
                    exit 1
            ;;
            esac
            echo
            echo -e "${COLOR_GREEN}Applying ${_include}...${COLOR_RESET}"
            BASTILLE_TEMPLATE_PROJECT=$(echo "${_include}" | awk -F / '{ print $4}')
            BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $5}')
            bastille template ${_jail} ${BASTILLE_TEMPLATE_PROJECT}/${BASTILLE_TEMPLATE_REPO}
-        done < "${bastille_template_INCLUDE}"
+        done < "${bastille_template}/INCLUDE"
        echo -e "${COLOR_GREEN}[${_jail}]:INCLUDE -- END${COLOR_RESET}"
        echo
    fi
    ## PRE
-    if [ -s "${bastille_template_PRE}" ]; then
+    if [ -s "${bastille_template}/PRE" ]; then
        echo -e "${COLOR_GREEN}[${_jail}]:PRE -- START${COLOR_RESET}"
-        jexec -l ${_jail} /bin/sh < "${bastille_template_PRE}" || exit 1
+        jexec -l ${_jail} /bin/sh < "${bastille_template}/PRE" || exit 1
        echo -e "${COLOR_GREEN}[${_jail}]:PRE -- END${COLOR_RESET}"
        echo
    fi
    ## FSTAB
    if [ -s "${bastille_template}/FSTAB" ]; then
        echo -e "${COLOR_GREEN}[${_jail}]:FSTAB -- START${COLOR_RESET}"
        while read _fstab; do
            ## assign needed variables
            _hostpath=$(echo "${_fstab}" | awk '{print $1}')
            _jailpath=$(echo "${_fstab}" | awk '{print $2}')
            _type=$(echo "${_fstab}" | awk '{print $3}')
            _perms=$(echo "${_fstab}" | awk '{print $4}')
            _checks=$(echo "${_fstab}" | awk '{print $5" "$6}')
            ## if any variables are empty, bail out
            if [ -z "${_hostpath}" ] || [ -z "${_jailpath}" ] || [ -z "${_type}" ] || [ -z "${_perms}" ] || [ -z "${_checks}" ]; then
                echo -e "${COLOR_RED}FSTAB format not recognized.${COLOR_RESET}"
                echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
                echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
                exit 1
            fi
            ## if host path doesn't exist or type is not "nullfs"
            if [ ! -d "${_hostpath}" ] || [ "${_type}" != "nullfs" ]; then
                echo -e "${COLOR_RED}Detected invalid host path or incorrect mount type in FSTAB.${COLOR_RESET}"
                echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
                echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
                exit 1
            fi
            ## if mount permissions are not "ro" or "rw"
            if [ "${_perms}" != "ro" ] && [ "${_perms}" != "rw" ]; then
                echo -e "${COLOR_RED}Detected invalid mount permissions in FSTAB.${COLOR_RESET}"
                echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
                echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
                exit 1
            fi
            ## if check & pass are not "0 0 - 1 1"; bail out
            if [ "${_checks}" != "0 0" ] && [ "${_checks}" != "1 0" ] && [ "${_checks}" != "0 1" ] && [ "${_checks}" != "1 1" ]; then
                echo -e "${COLOR_RED}Detected invalid fstab options in FSTAB.${COLOR_RESET}"
                echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
                echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
                exit 1
            fi
            ## aggregate variables into FSTAB entry
            _fstab_entry="${_hostpath} ${bastille_jailsdir}/${_jail}/root/${_jailpath} ${_type} ${_perms} ${_checks}"
            ## if entry doesn't exist, add; else show existing entry
            if [ ! "$(grep "${_jailpath}" "${bastille_jailsdir}/${_jail}/fstab")" ]; then
                echo "${_fstab_entry}" >> "${bastille_jailsdir}/${_jail}/fstab"
                echo "Added: ${_fstab_entry}"
            else
                echo "$(grep "${_jailpath}" "${bastille_jailsdir}/${_jail}/fstab")"
            fi
        done < "${bastille_template}/FSTAB"
        mount -F "${bastille_jailsdir}/${_jail}/fstab" -a
        echo -e "${COLOR_GREEN}[${_jail}]:FSTAB -- END${COLOR_RESET}"
        echo
    fi
    ## PF
    if [ -s "${bastille_template}/PF" ]; then
        echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
    fi
    ## PKG (bootstrap + pkg)
    if [ -s "${bastille_template}/PKG" ]; then
        echo -e "${COLOR_GREEN}[${_jail}]:PKG -- START${COLOR_RESET}"
        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg bootstrap || exit 1
        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg install $(cat ${bastille_template}/PKG) || exit 1
        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg audit -F
        echo -e "${COLOR_GREEN}[${_jail}]:PKG -- END${COLOR_RESET}"
        echo
    fi
    ## CONFIG / OVERLAY
-    if [ -s "${bastille_template_OVERLAY}" ]; then
+    if [ -s "${bastille_template}/OVERLAY" ]; then
        echo -e "${COLOR_GREEN}[${_jail}]:OVERLAY -- START${COLOR_RESET}"
        while read _dir; do
            cp -av "${bastille_template}/${_dir}" "${bastille_jail_path}" || exit 1
-        done < ${bastille_template_OVERLAY}
+        done < ${bastille_template}/OVERLAY
        echo -e "${COLOR_GREEN}[${_jail}]:OVERLAY -- END${COLOR_RESET}"
        echo
    fi
@@ -144,54 +252,30 @@ for _jail in ${JAILS}; do
        echo
    fi
    ## FSTAB
    if [ -s "${bastille_template_FSTAB}" ]; then
        bastille_templatefstab=$(cat "${bastille_template_FSTAB}")
        echo -e "${COLOR_GREEN}Updating fstab.${COLOR_RESET}"
        echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
    fi
    ## PF
    if [ -s "${bastille_template_PF}" ]; then
        bastille_templatepf=$(cat "${bastille_template_PF}")
        echo -e "${COLOR_GREEN}Generating PF profile.${COLOR_RESET}"
        echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
    fi
    ## PKG (bootstrap + pkg)
    if [ -s "${bastille_template_PKG}" ]; then
        echo -e "${COLOR_GREEN}[${_jail}]:PKG -- START${COLOR_RESET}"
        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg bootstrap || exit 1
        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg audit -F
        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg install $(cat ${bastille_template_PKG}) || exit 1
        echo -e "${COLOR_GREEN}[${_jail}]:PKG -- END${COLOR_RESET}"
        echo
    fi
    ## SYSRC
-    if [ -s "${bastille_template_SYSRC}" ]; then
+    if [ -s "${bastille_template}/SYSRC" ]; then
        echo -e "${COLOR_GREEN}[${_jail}]:SYSRC -- START${COLOR_RESET}"
        while read _sysrc; do
            jexec -l ${_jail} /usr/sbin/sysrc "${_sysrc}" || exit 1
-        done < "${bastille_template_SYSRC}"
+        done < "${bastille_template}/SYSRC"
        echo -e "${COLOR_GREEN}[${_jail}]:SYSRC -- END${COLOR_RESET}"
        echo
    fi
    ## SERVICE
-    if [ -s "${bastille_template_SERVICE}" ]; then
+    if [ -s "${bastille_template}/SERVICE" ]; then
        echo -e "${COLOR_GREEN}[${_jail}]:SERVICE -- START${COLOR_RESET}"
        while read _service; do
            jexec -l ${_jail} /usr/sbin/service ${_service} || exit 1
-        done < "${bastille_template_SERVICE}"
+        done < "${bastille_template}/SERVICE"
        echo -e "${COLOR_GREEN}[${_jail}]:SERVICE -- END${COLOR_RESET}"
        echo
    fi
    ## CMD
-    if [ -s "${bastille_template_CMD}" ]; then
+    if [ -s "${bastille_template}/CMD" ]; then
        echo -e "${COLOR_GREEN}[${_jail}]:CMD -- START${COLOR_RESET}"
-        jexec -l ${_jail} /bin/sh < "${bastille_template_CMD}" || exit 1
+        jexec -l ${_jail} /bin/sh < "${bastille_template}/CMD" || exit 1
        echo -e "${COLOR_GREEN}[${_jail}]:CMD -- END${COLOR_RESET}"
        echo
    fi
--- a/usr/local/share/bastille/top.sh
+++ b/usr/local/share/bastille/top.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -54,7 +54,7 @@ if [ "${TARGET}" = 'ALL' ]; then
 fi
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | grep -w "${TARGET}")
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 for _jail in ${JAILS}; do
--- a/usr/local/share/bastille/update.sh
+++ b/usr/local/share/bastille/update.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -32,7 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille update release.${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille update [release|container].${COLOR_RESET}"
    exit 1
 }
@@ -47,7 +47,7 @@ if [ $# -gt 1 ] || [ $# -lt 1 ]; then
    usage
 fi
-RELEASE="${1}"
+TARGET="${1}"
 shift
 if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
@@ -55,9 +55,34 @@ if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
    exit 1
 fi
-if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
+if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
-    freebsd-update -b "${bastille_releasesdir}/${RELEASE}" fetch install --currently-running "${RELEASE}"
+    if ! grep -qw ".bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
            if [ "$(jls name | awk "/^${TARGET}$/")" ]; then
                # Update a thick container.
                CURRENT_VERSION=$(/usr/sbin/jexec -l ${TARGET} freebsd-version 2>/dev/null)
                if [ -z "${CURRENT_VERSION}" ]; then
                    echo -e "${COLOR_RED}Can't determine '${TARGET}' version.${COLOR_RESET}"
                    exit 1
                else
                    env PAGER="/bin/cat" freebsd-update --not-running-from-cron -b "${bastille_jailsdir}/${TARGET}/root" \
                    fetch install --currently-running "${CURRENT_VERSION}"
                fi
            else
                echo -e "${COLOR_RED}${TARGET} is not running.${COLOR_RESET}"
                echo -e "${COLOR_RED}See 'bastille start ${TARGET}'.${COLOR_RESET}"
                exit 1
            fi
    else
        echo -e "${COLOR_RED}${TARGET} is not a thick container.${COLOR_RESET}"
        exit 1
    fi
 else
-    echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}"
+    if [ -d "${bastille_releasesdir}/${TARGET}" ]; then
-    exit 1
+        # Update container base(affects child containers).
        env PAGER="/bin/cat" freebsd-update --not-running-from-cron -b "${bastille_releasesdir}/${TARGET}" \
        fetch install --currently-running "${TARGET}"
    else
        echo -e "${COLOR_RED}${TARGET} not found. See bootstrap.${COLOR_RESET}"
        exit 1
    fi
 fi
--- a/usr/local/share/bastille/upgrade.sh
+++ b/usr/local/share/bastille/upgrade.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
--- a/usr/local/share/bastille/verify.sh
+++ b/usr/local/share/bastille/verify.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -31,32 +31,132 @@
 . /usr/local/share/bastille/colors.pre.sh
 . /usr/local/etc/bastille/bastille.conf
-usage() {
+bastille_usage() {
-    echo -e "${COLOR_RED}Usage: bastille verify release.${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille verify [release|template].${COLOR_RESET}"
    exit 1
 }
 verify_release() {
    if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
        echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
        exit 1
    fi
    if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
        freebsd-update -b "${bastille_releasesdir}/${RELEASE}" --currently-running ${RELEASE} IDS
    else
        echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}"
        exit 1
    fi
 }
 verify_template() {
    _template_path=${bastille_templatesdir}/${BASTILLE_TEMPLATE}
    _hook_validate=0
    for _hook in TARGET INCLUDE PRE OVERLAY FSTAB PF PKG SYSRC SERVICE CMD; do
        _path=${_template_path}/${_hook}
        if [ -s "${_path}" ]; then
            _hook_validate=$((_hook_validate+1))
            echo -e "${COLOR_GREEN}Detected ${_hook} hook.${COLOR_RESET}"
            ## line count must match newline count
            if [ $(wc -l ${_path} | awk '{print $1}') -ne $(grep -c $'\n' ${_path}) ]; then
                echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
                echo -e "${COLOR_RED}${BASTILLE_TEMPLATE}:${_hook} [failed].${COLOR_RESET}"
                echo -e "${COLOR_RED}Line numbers don't match line breaks.${COLOR_RESET}"
                echo
                echo -e "${COLOR_RED}Template validation failed.${COLOR_RESET}"
                exit 1
            ## if INCLUDE; recursive verify
            elif [ ${_hook} = 'INCLUDE' ]; then
                echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
                cat "${_path}"
                echo
                while read _include; do
                    echo -e "${COLOR_GREEN}[${_hook}]:[${_include}]:${COLOR_RESET}"
                    case ${_include} in
                        http?://github.com/*/*|http?://gitlab.com/*/*)
                            bastille bootstrap ${_include}
                        ;;
                        */*)
                            BASTILLE_TEMPLATE_USER=$(echo "${_include}" | awk -F / '{ print $1 }')
                            BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $2 }')
                            bastille verify ${BASTILLE_TEMPLATE_USER}/${BASTILLE_TEMPLATE_REPO}
                        ;;
                        *)
                            echo -e "${COLOR_RED}Template INCLUDE content not recognized.${COLOR_RESET}"
                            exit 1
                    ;;
                    esac
                done < ${_path}
            ## if tree; tree -a bastille_template/_dir
            elif [ ${_hook} = 'OVERLAY' ]; then
                echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
                cat "${_path}"
                echo
                while read _dir; do
                    echo -e "${COLOR_GREEN}[${_hook}]:[${_dir}]:${COLOR_RESET}"
                        if [ -x /usr/local/bin/tree ]; then
                            /usr/local/bin/tree -a ${_template_path}/${_dir}
                        else
                           find "${_template_path}/${_dir}" -print | sed -e 's;[^/]*/;|___;g;s;___|; |;g'
                        fi
                    echo
                done < ${_path}
            else
                echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
                cat "${_path}"
                echo
            fi
        fi
    done
    ## remove bad templates
    if [ ${_hook_validate} -lt 1 ]; then
        echo -e "${COLOR_RED}No valid template hooks found.${COLOR_RESET}"
        echo -e "${COLOR_RED}Template discarded.${COLOR_RESET}"
        rm -rf ${bastille_template}
        exit 1
    fi
    ## if validated; ready to use
    if [ ${_hook_validate} -gt 0 ]; then
        echo -e "${COLOR_GREEN}Template ready to use.${COLOR_RESET}"
    fi
 }
 # Handle special-case commands first.
 case "$1" in
 help|-h|--help)
-    usage
+    bastille_usage
    ;;
 esac
 if [ $# -gt 1 ] || [ $# -lt 1 ]; then
-    usage
+    bastille_usage
 fi
-RELEASE=$1
+case "$1" in
-
+*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
-if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
+    RELEASE=$1
-    echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
+    verify_release
-    exit 1
+    ;;
-fi
+*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
-
+    RELEASE=$1
-if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
+    verify_release
-    freebsd-update -b "${bastille_releasesdir}/${RELEASE}" IDS
+    ;;
-else
+http?*)
-    echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}"
+    bastille_usage
-    exit 1
+    ;;
-fi
+*/*)
    BASTILLE_TEMPLATE=$1
    verify_template
    ;;
 *)
    bastille_usage
    ;;
 esac
--- a/usr/local/share/bastille/zfs.sh
+++ b/usr/local/share/bastille/zfs.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -98,7 +98,7 @@ if [ "${TARGET}" = 'ALL' ]; then
 fi
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | grep -w "${TARGET}")
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 case "$2" in
--- a/usr/local/share/man/man1/bastille.1.gz
+++ b/usr/local/share/man/man1/bastille.1.gz
Author	SHA1	Message	Date
Christer Edwards	7b706f83f4	Merge pull request #144 from cedwards/0_6_release_prep preparation for 0.6x initial release	2020-02-05 19:04:23 -07:00
Christer Edwards	62c77b4e71	preparation for 0.6x initial release	2020-02-05 19:02:19 -07:00
Christer Edwards	488b6b614b	Merge pull request #142 from hackacad/man_page_0.6 update man page for 0.6	2020-02-05 12:35:54 -07:00
Christer Edwards	e6fb8ba45f	Merge pull request #143 from JRGTH/master Code improvements, use awk for exact match	2020-02-05 12:25:36 -07:00
Jose	498029a13c	Code improvements, use awk for exact match	2020-02-05 07:00:11 -04:00
hackacad	c9db9b41d0	update man page for 0.6	2020-02-05 09:12:31 +01:00
Christer Edwards	9a1b673721	Merge pull request #141 from cedwards/fixes Few fixes	2020-02-04 14:54:10 -07:00
Christer Edwards	11d7524446	checks needs to run before jail starts	2020-02-04 14:52:19 -07:00
Christer Edwards	b1e44e39ce	add missing fi	2020-02-04 14:51:59 -07:00
Christer Edwards	70eb3e6aa2	Merge pull request #139 from JRGTH/master Compare/update fstab if both variables are set	2020-02-04 13:01:13 -07:00
Jose	96fcc6b591	Remove unneeded cat command	2020-02-04 15:56:52 -04:00
Jose	b3f4064d08	Compare/update fstab if both variables are set	2020-02-04 13:37:20 -04:00
Christer Edwards	7e43c10281	Merge pull request #138 from hackacad/ip_check Check if IP address is in use	2020-02-04 09:38:26 -07:00
Christer Edwards	210a4f5018	Merge pull request #137 from hackacad/moveconfigfilesample move bastille.config file to bastille.config.sample	2020-02-04 06:47:21 -07:00
hackacad	3171015ea3	move config file to .sample to avoid overwriting it when updating/upgrading bastille	2020-02-04 09:32:45 +01:00
hackacad	45f9247be9	Check if IP address is in use.	2020-02-04 09:30:03 +01:00
Christer Edwards	f61c530265	Merge pull request #121 from JRGTH/master Add HardenedBSD CURRENT and LATEST download options, and code improve…	2020-02-02 20:52:07 -07:00
Jose	b3a30a8951	Delete cache files on destroy if force option, remove alternate urls	2020-02-02 19:55:18 -04:00
Christer Edwards	031a23400e	Merge pull request #122 from cedwards/doc_updates preparing docs for 0.6.x release	2020-02-02 14:00:35 -07:00
Christer Edwards	830de68bf9	preparing docs for 0.6.x release	2020-02-02 13:56:02 -07:00
Jose	9517d9608e	Fix typo in bootstrap.sh	2020-02-02 12:03:35 -04:00
Jose	874e3696e3	Do not hardcode alternate url's in bootstrap.sh	2020-02-02 12:00:09 -04:00
Jose	013987f7e1	Fix minor bootstrap.sh regression	2020-02-02 07:24:16 -04:00
Jose	9681254d76	Add force stop option to bastille destroy, minor code cleanup	2020-02-02 06:50:58 -04:00
Jose	5aba0d36f5	Do not use suffix version number in HardenedBSD "CURRENT" releases	2020-02-02 04:08:24 -04:00
Jose	7620d61e49	Add HardenedBSD CURRENT and LATEST download options, and code improvements	2020-02-02 02:42:22 -04:00
Christer Edwards	503f787d69	Merge pull request #119 from paulc/master Add support for dynamic redirection of host/container ports	2020-02-01 18:11:48 -07:00
pc	d8914f9892	Switch from `--option` to `option` and fix typos	2020-02-02 00:28:02 +00:00
pc	fe16a25cee	Update README	2020-02-01 16:12:20 +00:00
Christer Edwards	f5ddc434a3	Merge pull request #118 from cedwards/115-Makefile-fix reverting Makefile; resolves #115	2020-02-01 09:08:40 -07:00
pc	e408254448	Update README	2020-02-01 16:06:13 +00:00
Christer Edwards	56f2f9afb6	reverting mkdir; resolves #115	2020-02-01 09:05:29 -07:00
pc	f65fe999cc	Add dynamic rdr	2020-02-01 15:58:02 +00:00
Christer Edwards	eb38963752	Merge pull request #113 from cedwards/little_fixes Minor fixes to create and import	2020-01-28 17:41:59 -07:00
Christer Edwards	97417b5b4f	updating import usage output	2020-01-28 17:36:30 -07:00
Christer Edwards	2cfcc4b8ad	simplify variable usage in interface validation	2020-01-28 17:36:17 -07:00
Christer Edwards	d9d52f09e3	Merge pull request #109 from JRGTH/master Initial support for container export and import	2020-01-28 17:17:19 -07:00
Christer Edwards	08d9449f42	Merge branch 'master' into master	2020-01-28 16:05:23 -07:00
Jose	38ae0ed4a6	Update list command and config	2020-01-28 18:57:51 -04:00
Christer Edwards	19e1cbf0fe	Merge pull request #112 from hackacad/master bootstrap_urls in bastille.conf	2020-01-28 09:31:41 -07:00
Sven R	eedcaf9abb	bootstrap_url in bastille.conf	2020-01-28 17:25:41 +01:00
Sven R	0f20ae255f	bootstrap_url in bastille.conf	2020-01-28 09:51:26 +01:00
Sven R	4a94dd53f8	bootstrap_url in bastille.conf	2020-01-28 09:14:14 +01:00
Jose	095075b142	Initial support for container export and import	2020-01-26 19:45:26 -04:00
Christer Edwards	af15a39160	Merge pull request #108 from cedwards/documentation updating template docs to include limits support	2020-01-26 12:46:01 -07:00
Christer Edwards	a60c678036	updating template docs to include limits	2020-01-26 12:43:45 -07:00
Christer Edwards	7c5436c740	Merge pull request #107 from cedwards/list_update support listing currently enabled container resource limits	2020-01-26 11:49:44 -07:00
Christer Edwards	27393f8db4	support listing current defined container resource limits	2020-01-26 11:48:21 -07:00
Christer Edwards	9917550093	Merge pull request #106 from cedwards/template_support_limits add/remove rctl limits on container start/stop	2020-01-26 10:10:36 -07:00
Christer Edwards	02d0e94ef6	add/remove rctl limits on container start/stop	2020-01-26 10:08:42 -07:00
Christer Edwards	49c60f9896	Merge pull request #105 from cedwards/template_support_limits Initial support for LIMITS in template automation	2020-01-26 09:56:48 -07:00
Christer Edwards	8b9760b0a5	initial support for limits automation; updated copyright year	2020-01-26 09:51:02 -07:00
Christer Edwards	798d182e21	Merge pull request #104 from jpmens/patch-3 remove duplicate entry in sub-command list	2020-01-26 07:30:12 -07:00
Christer Edwards	04303353f2	Merge pull request #103 from jpmens/patch-2 make escaped quote visible	2020-01-26 07:29:50 -07:00
JP Mens	aa15b13594	remove duplicate entry	2020-01-26 15:26:15 +01:00
JP Mens	9299670126	make escaped quote visible	2020-01-26 15:18:29 +01:00
Christer Edwards	0940d86d62	Merge pull request #96 from hackacad/master initial man page	2020-01-19 19:15:12 -07:00
Christer Edwards	b16d32e673	Merge pull request #97 from JRGTH/master Add support for thinjail to thickjail conversion, minor code fixes	2020-01-19 19:14:21 -07:00
Jose	e0d722203a	Bootstrap additional distfiles after updating bootstrap_archives	2020-01-18 16:17:10 -04:00
Jose	39b3c25bb5	Add support for thinjail to thickjail conversion, minor code fixes	2020-01-16 15:03:05 -04:00
Sven R	39a12abe25	initial man page	2020-01-15 19:56:25 +01:00
Sven R	04b19ccc2b	initial man page	2020-01-15 19:49:15 +01:00
Sven R	c588f54156	initial man page	2020-01-15 19:42:58 +01:00
Christer Edwards	19a838921f	Merge pull request #95 from bsdlme/master use find + sed if `tree` not installed	2020-01-15 09:54:18 -07:00
Lars Engels	35717ada4e	Print a simple directory tree to verify a template's contents using find + sed if tree(1) is not installed	2020-01-15 17:27:03 +01:00
Christer Edwards	a6b4ede0fa	updating contributors	2020-01-15 09:21:29 -07:00
Christer Edwards	4ce6b41c7c	Merge pull request #94 from skunkwerks/master build: fix manual install path	2020-01-15 08:12:18 -07:00
Dave Cottlehuber	6641baad51	build: fix manual install path	2020-01-15 09:52:16 +00:00
Christer Edwards	65855ecd80	Merge pull request #92 from cedwards/cedwards_fstab cedwards FSTAB template hook	2020-01-12 07:47:26 -07:00
Christer Edwards	ab67cb82d0	fixing README ver (for now)	2020-01-12 07:33:24 -07:00
Christer Edwards	edc6308001	Initial working FSTAB hook and documentation	2020-01-12 07:32:10 -07:00
Christer Edwards	9778a24870	Merge pull request #89 from JRGTH/master Minor changes, fix notify if container not started	2020-01-08 13:31:34 -07:00
Jose	2eb91e2f95	Improved jail validation and deal with dashes	2019-12-29 23:04:19 -04:00
Jose	f3615a3380	Minor changes, fix notify if container not started	2019-12-27 14:48:06 -04:00
Christer Edwards	9421cc59a0	Merge pull request #88 from JRGTH/master Fix to match exact container name, add missing quotes	2019-12-27 10:43:07 -07:00
Jose	0c78ebae88	Fix to match exact container name, add missing quotes	2019-12-27 13:15:58 -04:00
Christer Edwards	de1590d709	Merge pull request #86 from hackacad/master support for ressource limits; small Makefile improvemts	2019-12-26 08:58:17 -07:00
Christer Edwards	ff9313a2ca	Merge pull request #85 from JRGTH/master Improved container update process, add support for Thickjail updates	2019-12-26 08:57:31 -07:00
Sven R	bac677dc41	added ressource limits	2019-12-23 10:54:09 +01:00
Sven R	8770e5dd4c	Merge branch 'master' of https://github.com/hackacad/bastille	2019-12-23 09:59:00 +01:00
Sven R	861953734f	added chmod to Makefile Signed-off-by: Sven R <admin@hackacad.net>	2019-12-23 09:57:56 +01:00
Sven R	b16b393717	Update Makefile	2019-12-23 09:48:02 +01:00
Sven R	9b859f84ed	added all to Makefile Signed-off-by: Sven R <admin@hackacad.net>	2019-12-23 09:46:32 +01:00
Jose	ddff440b4f	Simplify grep search, add full path to jexec	2019-12-19 11:23:46 -04:00
Jose	61f49e5d02	Merge remote-tracking branch 'upstream/master'	2019-12-19 11:20:47 -04:00
Christer Edwards	eb13d48eac	Merge pull request #84 from briandowns/master Add JSON output for list command	2019-12-18 18:04:23 -07:00
Jose	1b522522af	Improved container update process, add support for Thickjail updates	2019-12-17 18:11:22 -04:00
Brian Downs	71873e9389	readme update	2019-12-15 21:20:34 -07:00
Brian Downs	ffe6efd0e5	add json output for jail list	2019-12-15 21:16:57 -07:00
Christer Edwards	d95d815949	Merge pull request #79 from JRGTH/master Minor code cleanup/formatting	2019-12-12 20:41:22 -08:00
Christer Edwards	0fd6cd0fd9	Merge pull request #81 from bsdlme/patch-1 Add more examples to service documentation	2019-12-12 20:39:34 -08:00
Christer Edwards	4a1e769036	Merge pull request #82 from bsdlme/master Add "" around variables in test(1) cases to prevent errors when a variable is empty	2019-12-12 20:38:27 -08:00
Lars Engels	a57ae3ff46	Bail out when you try to apply a template to a container that is not started.	2019-12-11 21:17:09 +01:00
Lars Engels	5b11f81a1b	Add "" around variables in test(1) cases to prevent errors when a variable is unset	2019-12-11 20:35:05 +01:00
Lars E	ed60f9c409	Add more examples Since FreeBSD 12.0 service(8) supports enable/disable/delete keywords. This also works with the 'bastille service' command.	2019-12-11 19:04:58 +01:00
Jose	23b96bd82a	Minor code cleanup/formatting	2019-12-08 17:46:15 -04:00
Christer Edwards	3f7573825d	Merge pull request #78 from cedwards/template_work template validation improvements	2019-12-07 17:57:03 -07:00
Christer Edwards	265b8480e1	support for local templates and stricter validation	2019-12-07 17:48:39 -07:00
Christer Edwards	abbec0652d	clarifying template docs	2019-12-07 17:48:06 -07:00
Christer Edwards	1608d7f226	Merge pull request #76 from JRGTH/master Added support for: - HardenedBSD new link structure - basic mirror support - console user validation	2019-12-07 16:53:43 -07:00
Jose	172baa8c32	Validate user/shell to prevent stuck login	2019-12-05 16:52:57 -04:00
Jose	cfcad20f4a	Simplify URL validation, don't use ping/ICMP	2019-12-05 03:38:33 -04:00
Jose	6e8279ecd4	Wait just 2 secs before switch to a mirror and be quite	2019-12-03 01:20:34 -04:00
Jose	9a30610d1a	Provide alternative fetch urls	2019-12-03 00:57:47 -04:00
Jose	f68ed2ecfd	Added support for HardenedBSD new link structure	2019-12-02 03:10:45 -04:00