working copy; work in progress

fix logic for rc.conf + bastille.conf ZFS check

.readthedocs.yaml

@@ -0,0 +1,9 @@
+version: 2
+
+sphinx:
+  configuration: docs/conf.py
+
+build:
+  os: "ubuntu-22.04"
+  tools:
+    python: "3.11"

AUTHORS.md

@@ -22,6 +22,12 @@ Christer Edwards [christer.edwards@gmail.com]
 - Petru T. Garstea
 - Sven R.
 - Tobias Tom
+- Stefano Marinelli
+- Logan Ellis
+- Chuck Tuffli
+- Niketh Murali
+- Eric Borisch
+- Kevet Duncombe
 
 ### Special thanks
 Software doesn't happen in a vacuum. Thank you to the following people who may

LICENSE

@@ -1,6 +1,6 @@
 BSD 3-Clause License
 
-Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

Makefile

@@ -1,3 +1,5 @@
+BASTILLE_VERSION=$$(git rev-parse HEAD)
+
 .PHONY: all
 all:
 	@echo "Nothing to be done. Please use make install or make uninstall"
@@ -5,9 +7,13 @@ all:
 install:
 	@echo "Installing Bastille"
 	@echo
+	@echo "Updating Bastille version to match git revision."
+	@echo "BASTILLE_VERSION: ${BASTILLE_VERSION}"
+	@sed -i.orig "s/BASTILLE_VERSION=.*/BASTILLE_VERSION=${BASTILLE_VERSION}/" usr/local/bin/bastille
 	@cp -Rv usr /
 	@echo
-	@echo "This method is for testing / development."
+	@echo "This method is for testing & development."
+	@echo "Please report any issues to https://github.com/BastilleBSD/bastille/issues"
 
 .PHONY: uninstall
 uninstall:

Vagrantfile

@@ -9,8 +9,8 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
 
     vm_config.ssh.shell = "sh"
 
-    vm_config.vm.box = "freebsd/FreeBSD-12.1-RELEASE"
-    vm_config.vm.box_version = "2019.11.01"
+    vm_config.vm.box = "freebsd/FreeBSD-13.0-RELEASE"
+    vm_config.vm.box_version = "2021.04.09"
 
     vm_config.vm.provider "virtualbox" do |vb|
       vb.name = "bastille"
@@ -19,6 +19,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
     end
 
     vm_config.vm.provision "shell", inline: "cd /vagrant; make install"
+    vm_config.vm.provision "shell", inline: "pkg install -y git-lite"
 
   end
 end

docs/chapters/gcp.rst

@@ -0,0 +1,93 @@
+Bastille VNET on GCP
+====================
+
+Bastille VNET runs on GCP with a few small tweaks. In summary, they are:
+
+- change MTU setting in jib script
+- add an IP address to the bridge interface
+- configure host pf to NAT and allow bridge traffic
+- set defaultrouter and nameserver in the host
+
+## Change MTU in the jib script
+
+GCP uses ``vtnet`` with MTU 1460, which [jib fails on](https://github.com/BastilleBSD/bastille/issues/538).
+
+Apply the below patch to set the correct MTU. You may need to ``cp /usr/share/examples/jails/jib /usr/local/bin/`` first.
+
+``patch /usr/local/bin/jib jib.patch``
+
+.. code-block:: text
+  --- /usr/local/bin/jib	2022-07-31 03:27:04.163245000 +0000
+  +++ jib.fixed	2022-07-31 03:41:16.710401000 +0000
+  @@ -299,14 +299,14 @@
+   
+   		# Make sure the interface has been bridged
+   		if ! ifconfig "$iface$bridge" > /dev/null 2>&1; then
+  -			new=$( ifconfig bridge create ) || return
+  +			new=$( ifconfig bridge create mtu 1460 ) || return
+   			ifconfig $new addm $iface || return
+   			ifconfig $new name "$iface$bridge" || return
+   			ifconfig "$iface$bridge" up || return
+   		fi
+   
+   		# Create a new interface to the bridge
+  -		new=$( ifconfig epair create ) || return
+  +		new=$( ifconfig epair create mtu 1460 ) || return
+   		ifconfig "$iface$bridge" addm $new || return
+   
+   		# Rename the new interface
+
+## Configure bridge interface
+
+Configure the bridge interface in /etc/rc.conf so it is available in the firewall rules.
+
+.. code-block:: shell
+  sysrc cloned_interfaces="bridge0"
+  sysrc ifconfig_bridge0="inet 192.168.1.1/24 mtu 1460 addm vtnet0 name vtnet0bridge up"
+  sysrc gateway_enable="yes"
+  sysrc pf_enable="yes"
+
+## Configure host pf
+
+This basic /etc/pf.conf allow incoming packets on the bridge interface, and NATs them through the external interface:
+
+.. code-block:: text
+  ext_if="vtnet0"
+  bridge_if="vtnet0bridge"
+  
+  set skip on lo
+  scrub in
+
+  # permissive NAT allows jail bridge and wireguard tunnels
+  nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
+  
+  block in
+  pass out
+  
+  pass in proto tcp to port {22}
+  pass in inet proto icmp icmp-type { echoreq }
+  pass in on $bridge_if
+
+Restart the host and make sure everything comes up correctly. You should see the following ifconfig:
+
+.. code-block:: text
+  vtnet0bridge: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1460
+  	ether 58:9c:fc:10:ff:90
+  	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
+  	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
+  	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
+  	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
+  	member: vtnet0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
+  	        ifmaxaddr 0 port 1 priority 128 path cost 2000
+  	groups: bridge
+
+## Configure router and resolver for new jails
+
+Set the default network gateway for new jails as described in the Networking chapter, and configure a default resolver.
+
+.. code-block:: shell
+  sysrc -f /usr/local/etc/bastille/bastille.conf bastille_network_gateway="192.168.1.1"
+  echo "nameserver 8.8.8.8" > /usr/local/etc/bastille/resolv.conf
+  sysrc -f /usr/local/etc/bastille/bastille.conf bastille_resolv_conf="/usr/local/etc/bastille/resolv.conf"
+
+You can now create a VNET jail with ``bastille create -V myjail 13.2-RELEASE 192.168.1.50/24 vtnet0``

docs/chapters/installation.rst

@@ -4,7 +4,7 @@ Bastille is available in the official FreeBSD ports tree at
 `sysutils/bastille`. Binary packages available in `quarterly` and `latest`
 repositories.
 
-Current version is `0.8.20210115`.
+Current version is `0.10.20231125`.
 
 To install from the FreeBSD package repository:
 
@@ -18,6 +18,8 @@ PKG
 .. code-block:: shell
 
   pkg install bastille
+  sysrc bastille_enable=YES
+  sysrc bastille_rcorder=YES
 
 
 To install from source (don't worry, no compiling):
@@ -28,6 +30,8 @@ ports
 .. code-block:: shell
 
   make -C /usr/ports/sysutils/bastille install clean
+  sysrc bastille_enable=YES
+  sysrc bastille_rcorder=YES
 
 
 GIT
@@ -38,7 +42,14 @@ GIT
   git clone https://github.com/BastilleBSD/bastille.git
   cd bastille
   make install
+  sysrc bastille_enable=YES
+  sysrc bastille_rcorder=YES
 
 This method will install the latest files from GitHub directly onto your
 system. It is verbose about the files it installs (for later removal), and also
-has a `make uninstall` target.
+has a `make uninstall` target. You may need to manually copy the `.sample`
+config into place before Bastille will run. (ie;
+`/usr/local/etc/bastille/bastille.conf.sample`)
+
+Note: installing using this method overwrites the version variable to match
+that of the source revision commit hash.

docs/chapters/migration.rst

@@ -0,0 +1,36 @@
+Stop the running jail and export it:
+
+.. code-block:: shell
+
+     iocage stop jailname
+     iocage export jailname
+
+Move the backup files (.zip and .sha256) into Bastille backup dir (default: /usr/local/bastille/backups/):
+
+.. code-block:: shell
+
+     mv /iocage/images/jailname_$(date +%F).* /usr/local/bastille/backups/
+
+for remote systems you could use rsync:
+
+.. code-block:: shell
+
+     rsync -avh /iocage/images/jailname_$(date +%F).* root@10.0.1.10:/usr/local/bastille/backups/
+
+     
+Import the iocage backup file (use zip file name)
+
+.. code-block:: shell
+
+     bastille import jailname_$(date +%F).zip
+
+Set your new ip address and interface:
+
+.. code-block:: shell
+
+     vim /usr/local/bastille/jails/jailname/jail.conf
+     interface = bastille0;
+     ip4.addr = "192.168.0.1";
+
+
+You can use you primary network interface instead of the virtual bastille0 interface as well if you know what you’re doing.

docs/chapters/networking.rst

@@ -1,36 +1,44 @@
 Network Requirements
 ====================
 Here's the scenario. You've installed Bastille at home or in the cloud and want
-to get started putting applications in secure little containers, but how do I
-get these containers on the network?
+to get started putting applications in secure little containers, but how do you
+get these containers on the network?  Bastille tries to be flexible about how to 
+network containerized applications. Four methods are described here.
 
-Bastille tries to be flexible about how to network containerized applications.
-Three methods are described here. Consider each options when deciding
-which design work best for your needs. One of the methods works better in the 
-cloud while the others are simpler if used in local area networks.
+1. Home or Small Office
 
-**Note: if you are running in the cloud and only have a single public IP you
-may want the Public Network option. See below.**
+2. Cloud with IPV4 and multiple IPV6
 
+3. Cloud with single IPV4 (internal bridge)
 
-Local Area Network
-==================
-I will cover the local area network (LAN) method first. This method is simpler
-to get going and works well in a home network (or similar) where adding alias
-IP addresses is no problem.
+4. Cloud with a single IPV4 (external bridge)
 
-Shared Interface (IP alias)
----------------------------
-In FreeBSD network interfaces have different names, but look something like
-`em0`, `bge0`, `re0`, etc. On a virtual machine it may be `vtnet0`. You get the
-idea...
+Please choose the option which is most appropriate for your environment.
 
-Bastille allows you to define the interface you want the IP attached to when
-you create it. An example:
+First a few notes. Bastille tries to verify that the interface name you provide
+is a valid interface. In FreeBSD network interfaces have different names, but
+look something like `em0`, `bge0`, `re0`, `vtnet0` etc. Running the ifconfig
+commend will tell you the name of your existing interfaces. Bastille also
+checks for a valid syntax IP4 or IP6 address. When you are testing calling out
+from your containers, please note that the ping command is disabled within the
+containers, because raw socket access are a security hole. Instead, install and
+test with `wget`/`curl`/`fetch` instead.
+
+Shared Interface on Home or Small Office Network
+================================================
+If you have just one computer, or a home or small office network, where you are
+separated from the rest of the internet by a router.  So you are free to use
+`private IP addresses
+<https://www.lifewire.com/what-is-a-private-ip-address-2625970>`_.
+
+In this environment, to use Bastille, just create the container, give it a
+unique private ip address, and attach its ip address to your primary interface.
 
 .. code-block:: shell
 
-  bastille create alcatraz 12.1-RELEASE 192.168.1.50 em0
+  bastille create alcatraz 13.2-RELEASE 192.168.1.50 em0
+
+You may have to change em0
 
 When the `alcatraz` container is started it will add `192.168.1.50` as an IP
 alias to the `em0` interface. It will then simply be another member of the
@@ -38,13 +46,57 @@ hosts network. Other networked systems (firewall permitting) should be able to
 reach services at that address.
 
 This method is the simplest. All you need to know is the name of your network
-interface and a free IP on your current network.
+interface and a free IP on your local network.
+
+Shared Interface on IPV6 network (vultr.com)
+============================================ 
+Some ISP's, such as `Vultr <https://vultr.com>`_, give you a single ipv4 address,
+and a large block of ipv6 addresses. You can then assign a unique ipv6 address
+to each Bastille Container.
+
+On a virtual machine such as vultr.com the virtual interface may be `vtnet0`.
+So we issue the command:
+
+.. code-block:: shell
+
+ bastille create alcatraz 13.2-RELEASE 2001:19f0:6c01:114c::100 vtnet0
+
+We could also write the ipv6 address as 2001:19f0:6c01:114c:0:100
+
+The tricky part are the ipv6 addresses. IPV6 is a string of 8 4 digit
+hexadecimal characters.  At vultr they said:
+
+Your server was assigned the following six section subnet:
+
+2001:19f0:6c01:114c:: / 64
+
+The `vultr ipv6 subnet calculator
+<https://www.vultr.com/resources/subnet-calculator-ipv6/?prefix_length=64&display=long&ipv6_address=2001%3Adb8%3Aacad%3Ae%3A%3A%2F64>`_
+is helpful in making sense of that ipv6 address. 
+
+We could have also written that IPV6 address as 2001:19f0:6c01:114c:0:0 
+
+Where the /64 basicaly means that the first 64 bits of the address (4x4
+character hexadecimal) values define the network, and the remaining characters,
+we can assign as we want to the Bastille Container. In the actual bastille
+create command given above, it was defined to be 100. But we also have to tell
+the host operating system that we are now using this address. This is done on
+freebsd with the following command
+
+.. code-block:: shell
+
+  ifconfig_vtnet0_alias0="inet6 2001:19f0:6c01:114c::100 prefixlen 64"
+
+At that point your container can talk to the world, and the world can ping your
+container.  Of course when you reboot the machine, that command will be
+forgotten. To make it permanent, prefix the same command with `sysrc`
+
+Just remember you cannot ping out from the container. Instead, install and
+use `wget`/`curl`/`fetch` to test the connectivity.
 
-Bastille tries to verify that the interface name you provide it is a valid
-interface. It also checks for a valid syntax IP4 or IP6 address.
 
 Virtual Network (VNET)
-----------------------
+======================
 (Added in 0.6.x) VNET is supported on FreeBSD 12+ only.
 
 Virtual Network (VNET) creates a private network interface for a container.
@@ -56,12 +108,12 @@ external interface.
 
 .. code-block:: shell
 
-  bastille create -V azkaban 12.1-RELEASE 192.168.1.50/24 em0
+  bastille create -V azkaban 13.2-RELEASE 192.168.1.50/24 em0
 
 Bastille will automagically create the bridge interface and connect /
 disconnect containers as they are started and stopped. A new interface will be
 created on the host matching the pattern `interface0bridge`. In the example
-here, `em0bridge`. 
+here, `em0bridge`.
 
 The `em0` interface will be attached to the bridge along with the unique
 container interfaces as they are started and stopped. These interface names
@@ -76,6 +128,11 @@ host system:
   ## /etc/devfs.rules (NOT .conf)
   
   [bastille_vnet=13]
+  add include $devfsrules_hide_all
+  add include $devfsrules_unhide_basic
+  add include $devfsrules_unhide_login
+  add include $devfsrules_jail
+  add include $devfsrules_jail_vnet
   add path 'bpf*' unhide
 
 Lastly, you may want to consider these three `sysctl` values:
@@ -86,12 +143,29 @@ Lastly, you may want to consider these three `sysctl` values:
   net.link.bridge.pfil_onlyip=0
   net.link.bridge.pfil_member=0
 
+Below is the definition of what these three parameters are used for and mean:
+
+
+       net.link.bridge.pfil_onlyip  Controls  the  handling  of	non-IP packets
+				    which are not passed to pfil(9).  Set to 1
+				    to only allow IP packets to	pass  (subject
+				    to	firewall  rules), set to 0 to uncondi-
+				    tionally pass all non-IP Ethernet frames.
+
+       net.link.bridge.pfil_member  Set	to 1 to	enable filtering on the	incom-
+				    ing	and outgoing member interfaces,	set to
+				    0 to disable it.
+
+       net.link.bridge.pfil_bridge  Set	to 1 to	enable filtering on the	bridge
+				    interface, set to 0	to disable it.
+
+  
 **Regarding Routes**
 
 Bastille will attempt to auto-detect the default route from the host system and
 assign it to the VNET container. This auto-detection may not always be accurate
-for your needs for the particular container. In this case you'll need to add
-a default route manually or define the preferred default route in the
+for your needs for the particular container. In this case you'll need to add a
+default route manually or define the preferred default route in the
 `bastille.conf`.
 
 .. code-block:: shell
@@ -109,20 +183,33 @@ To define a default route / gateway for all VNET containers define the value in
 This config change will apply the defined gateway to any new containers.
 Existing containers will need to be manually updated.
 
+Virtual Network (VNET) on External Bridge
+=========================================
+To create a VNET based container and attach it to an external, already existing
+bridge, use the `-B` option, an IP/netmask and external bridge.
+
+.. code-block:: shell
+
+  bastille create -B azkaban 13.2-RELEASE 192.168.1.50/24 bridge0
+
+Bastille will automagically create the interface, attach it to the specified
+bridge and connect / disconnect containers as they are started and stopped.
+The bridge needs to be created/enabled before creating and starting the jail.
 
 Public Network
 ==============
-In this section I'll describe how to network containers in a public network
-such as a cloud hosting provider (AWS, digital ocean, vultr, etc)
+In this section we describe how to network containers in a public network
+such as a cloud hosting provider who only provides you with a single ip address. 
+(AWS, Digital Ocean, etc) (The exception is vultr.com, which does 
+provide you with lots of IPV6 addresses and does a great job supporting FreeBSD!)  
 
-In the public cloud you don't often have access to multiple private IP
-addresses for your virtual machines. This means if you want to create multiple
-containers and assign them all IP addresses, you'll need to create a new
+So if you only have a single IP address and if you want to create multiple
+containers and assign them all unique IP addresses, you'll need to create a new
 network.
 
 loopback (bastille0)
 --------------------
-What I recommend is creating a cloned loopback interface (`bastille0`) and
+What we recommend is creating a cloned loopback interface (`bastille0`) and
 assigning all the containers private (rfc1918) addresses on that interface. The
 setup I develop on and use Bastille day-to-day uses the `10.0.0.0/8` address
 range. I have the ability to use whatever address I want within that range
@@ -165,23 +252,14 @@ Create the firewall rules:
   set skip on lo
 
   table <jails> persist
-  nat on $ext_if from <jails> to any -> ($ext_if)
-
-  ## static rdr example
-  ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
-
-  ## dynamic rdr anchor (see below)
+  nat on $ext_if from <jails> to any -> ($ext_if:0)
   rdr-anchor "rdr/*"
 
   block in all
-  pass out quick modulate state
+  pass out quick keep state
   antispoof for $ext_if inet
   pass in inet proto tcp from any to any port ssh flags S/SA modulate state
 
-  # If you are using dynamic rdr also need to ensure that the external port
-  # range you are using is open
-  # pass in inet proto tcp from any to any port <rdr-start>:<rdr-end>
-
 - Make sure to change the `ext_if` variable to match your host system interface.
 - Make sure to include the last line (`port ssh`) or you'll end up locked out.
 
@@ -190,34 +268,32 @@ to containers are:
 
 .. code-block:: shell
 
-  nat on $ext_if from <jails> to any -> ($ext_if)
-
-  ## static rdr example
-  ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
+  nat on $ext_if from <jails> to any -> ($ext_if:0)
 
 The `nat` routes traffic from the loopback interface to the external
 interface for outbound access.
 
-The `rdr pass ...` will redirect traffic from the host firewall on port X to
-the ip of Container Y. The example shown redirects web traffic (80 & 443) to the
-containers at `10.17.89.45`.
+.. code-block:: shell
 
-  ## dynamic rdr anchor (see below)
   rdr-anchor "rdr/*"
 
 The `rdr-anchor "rdr/*"` enables dynamic rdr rules to be setup using the
 `bastille rdr` command at runtime - eg.
 
-  bastille rdr <jail> tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail
-  bastille rdr <jail> udp 2053 53 # Same for udp
-  bastille rdr <jail> list        # List dynamic rdr rules
-  bastille rdr <jail> clear       # Clear dynamic rdr rules
+.. code-block:: shell
 
-  Note that if you are redirecting ports where the host is also listening
-  (eg. ssh) you should make sure that the host service is not listening on
-  the cloned interface - eg. for ssh set sshd_flags in rc.conf
+  bastille rdr TARGET tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail
+  bastille rdr TARGET udp 2053 53 # Same for udp
+  bastille rdr TARGET list        # List dynamic rdr rules
+  bastille rdr TARGET clear       # Clear dynamic rdr rules
 
-  sshd_flags="-o ListenAddress=<hostname>"
+Note that if you are redirecting ports where the host is also listening (eg.
+ssh) you should make sure that the host service is not listening on the cloned
+interface - eg. for ssh set sshd_flags in rc.conf
+
+.. code-block:: shell
+
+  sshd_flags="-o ListenAddress=<host-address>"
 
 Finally, start up the firewall:
 

docs/chapters/subcommands/bootstrap.rst

@@ -22,19 +22,42 @@ Releases
 Example
 -------
 
-To `bootstrap` a release, run the bootstrap sub-command with the
+To `bootstrap` a FreeBSD release, run the bootstrap sub-command with the
 release version as the argument.
 
 .. code-block:: shell
 
-  ishmael ~ # bastille bootstrap 11.4-RELEASE [update]
-  ishmael ~ # bastille bootstrap 12.1-RELEASE
+  ishmael ~ # bastille bootstrap 14.0-RELEASE [update]
+  ishmael ~ # bastille bootstrap 13.2-RELEASE [update]
+
+To `bootstrap` a HardenedBSD release, run the bootstrap sub-command with the
+build version as the argument.
+
+.. code-block:: shell
+
+  ishmael ~ # bastille bootstrap 13-stable-build-latest
+
 
 This command will ensure the required directory structures are in place and
 download the requested release. For each requested release, `bootstrap` will
 download the base.txz. These files are verified (sha256 via MANIFEST file)
 before they are extracted for use.
 
+EOL Releases
+------------
+
+It is sometimes necessary to run end-of-life releases for testing or legacy
+application support. Dy default Bastille will only install supported releases
+but you can bootstrap EOL / unsupported releases with a simple trick.
+
+.. code-block:: shell
+
+   ishmael ~ # export BASTILLE_URL_FREEBSD=http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/
+   ishmael ~ # bastille bootstrap 11.2-RELEASE
+
+By overriding the BASTILLE_URL_FREEBSD variable you can now bootstrap archived
+releases from the FTP archive.
+
 Tips
 ----
 

docs/chapters/subcommands/create.rst

@@ -22,6 +22,15 @@ bootstrapped release and a private (rfc1918) IP address.
 This command will create a 11.3-RELEASE container assigning the 10.17.89.10 ip
 address to the new system.
 
+.. code-block:: shell
+
+   ishmael ~ # bastille create alcatraz 13.2-RELEASE 10.17.89.113/24
+
+
+The above code will create a jail with a /24 mask.  At the time of this documentation you 
+can only use CIDR notation, and not use a netmask 255.255.255.0 to accomplish this.
+
+
 I recommend using private (rfc1918) ip address ranges for your container.  These
 ranges include:
 
@@ -31,3 +40,13 @@ ranges include:
 
 Bastille does its best to validate the submitted ip is valid. This has not been
 thouroughly tested--I generally use the 10/8 range.
+
+A couple of notes about the created jails.  First, MOTD has been disabled inside 
+of the jails because it does not give information about the jail, but about the host 
+system.  This caused confusion for some users, so we implemented the .hushlogin which 
+silences the MOTD at login. 
+
+Also, uname does not work from within a jail.  Much like MOTD, it gives you the version 
+information about the host system instead of the jail.  If you need to check the version
+of freebsd running on the jail use the freebsd-version command to get accurate information.
+

docs/chapters/subcommands/export.rst

@@ -16,4 +16,16 @@ can be exported only when the jail is not running.
 
 .. code-block:: shell
 
-  Usage: bastille export TARGET
+  Usage:  bastille export | option(s) | TARGET | PATH
+
+Available options are:
+
+.. code-block:: shell
+
+         --gz       -- Export a ZFS jail using GZIP(.gz) compressed image.
+    -r | --raw      -- Export a ZFS jail to an uncompressed RAW image.
+    -s | --safe     -- Safely stop and start a ZFS jail before the exporting process.
+         --tgz      -- Export a jail using simple .tgz compressed archive instead.
+         --txz      -- Export a jail using simple .txz compressed archive instead.
+    -v | --verbose  -- Be more verbose during the ZFS send operation.
+         --xz       -- Export a ZFS jail using XZ(.xz) compressed image.

docs/chapters/subcommands/index.rst

@@ -23,9 +23,11 @@ Bastille sub-commands
    rename
    restart
    service
+   setup
    start
    stop
    sysrc
+   tags
    top
    umount
    update

docs/chapters/subcommands/pkg.rst

@@ -6,35 +6,11 @@ To manage binary packages within the container use `bastille pkg`.
 
 .. code-block:: shell
 
-  ishmael ~ # bastille pkg folsom 'install vim-console git-lite zsh'
+  ishmael ~ # bastille pkg folsom install vim-console git-lite zsh
   [folsom]:
   The package management tool is not yet installed on your system.
   Do you want to fetch and install it now? [y/N]: y
-  Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:10:amd64/quarterly, please wait...
-  Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
-  [folsom] Installing pkg-1.10.5_5...
-  [folsom] Extracting pkg-1.10.5_5: 100%
-  Updating FreeBSD repository catalogue...
-  pkg: Repository FreeBSD load error: access repo file(/var/db/pkg/repo-FreeBSD.sqlite) failed: No such file or directory
-  [folsom] Fetching meta.txz: 100%    944 B   0.9kB/s    00:01
-  [folsom] Fetching packagesite.txz: 100%    6 MiB   3.4MB/s    00:02
-  Processing entries: 100%
-  FreeBSD repository update completed. 32550 packages processed.
-  All repositories are up to date.
-  Updating database digests format: 100%
-  The following 10 package(s) will be affected (of 0 checked):
-
-  New packages to be INSTALLED:
-      vim-console: 8.1.0342
-      git-lite: 2.19.1
-      zsh: 5.6.2
-      expat: 2.2.6_1
-      curl: 7.61.1
-      libnghttp2: 1.33.0
-      ca_root_nss: 3.40
-      pcre: 8.42
-      gettext-runtime: 0.19.8.1_1
-      indexinfo: 0.3.1
+  ...[snip]...
 
   Number of packages to be installed: 10
 
@@ -42,41 +18,7 @@ To manage binary packages within the container use `bastille pkg`.
   17 MiB to be downloaded.
 
   Proceed with this action? [y/N]: y
-  [folsom] [1/10] Fetching vim-console-8.1.0342.txz: 100%    5 MiB   5.8MB/s    00:01
-  [folsom] [2/10] Fetching git-lite-2.19.1.txz: 100%    4 MiB   2.1MB/s    00:02
-  [folsom] [3/10] Fetching zsh-5.6.2.txz: 100%    4 MiB   4.4MB/s    00:01
-  [folsom] [4/10] Fetching expat-2.2.6_1.txz: 100%  109 KiB 111.8kB/s    00:01
-  [folsom] [5/10] Fetching curl-7.61.1.txz: 100%    1 MiB   1.2MB/s    00:01
-  [folsom] [6/10] Fetching libnghttp2-1.33.0.txz: 100%  107 KiB 109.8kB/s    00:01
-  [folsom] [7/10] Fetching ca_root_nss-3.40.txz: 100%  287 KiB 294.3kB/s    00:01
-  [folsom] [8/10] Fetching pcre-8.42.txz: 100%    1 MiB   1.2MB/s    00:01
-  [folsom] [9/10] Fetching gettext-runtime-0.19.8.1_1.txz: 100%  148 KiB 151.3kB/s    00:01
-  [folsom] [10/10] Fetching indexinfo-0.3.1.txz: 100%    6 KiB   5.7kB/s    00:01
-  Checking integrity... done (0 conflicting)
-  [folsom] [1/10] Installing libnghttp2-1.33.0...
-  [folsom] [1/10] Extracting libnghttp2-1.33.0: 100%
-  [folsom] [2/10] Installing ca_root_nss-3.40...
-  [folsom] [2/10] Extracting ca_root_nss-3.40: 100%
-  [folsom] [3/10] Installing indexinfo-0.3.1...
-  [folsom] [3/10] Extracting indexinfo-0.3.1: 100%
-  [folsom] [4/10] Installing expat-2.2.6_1...
-  [folsom] [4/10] Extracting expat-2.2.6_1: 100%
-  [folsom] [5/10] Installing curl-7.61.1...
-  [folsom] [5/10] Extracting curl-7.61.1: 100%
-  [folsom] [6/10] Installing pcre-8.42...
-  [folsom] [6/10] Extracting pcre-8.42: 100%
-  [folsom] [7/10] Installing gettext-runtime-0.19.8.1_1...
-  [folsom] [7/10] Extracting gettext-runtime-0.19.8.1_1: 100%
-  [folsom] [8/10] Installing vim-console-8.1.0342...
-  [folsom] [8/10] Extracting vim-console-8.1.0342: 100%
-  [folsom] [9/10] Installing git-lite-2.19.1...
-  ===> Creating groups.
-  Creating group 'git_daemon' with gid '964'.
-  ===> Creating users
-  Creating user 'git_daemon' with uid '964'.
-  [folsom] [9/10] Extracting git-lite-2.19.1: 100%
-  [folsom] [10/10] Installing zsh-5.6.2...
-  [folsom] [10/10] Extracting zsh-5.6.2: 100%
+  ...[snip]...
 
 
 The PKG sub-command can, of course, do more than just `install`. The
@@ -146,7 +88,7 @@ expectation is that you can fully leverage the pkg manager. This means,
   The following 1 package(s) will be affected (of 0 checked):
 
   Installed packages to be UPGRADED:
-      nginx-lite: 1.14.0_14,2 -> 1.14.1,2
+      nginx-lite: 1.23.0 -> 1.24.0_12,3
 
   Number of packages to be upgraded: 1
 
@@ -155,10 +97,10 @@ expectation is that you can fully leverage the pkg manager. This means,
   Proceed with this action? [y/N]: y
   [nginx] [1/1] Fetching nginx-lite-1.14.1,2.txz: 100%  315 KiB 322.8kB/s    00:01
   Checking integrity... done (0 conflicting)
-  [nginx] [1/1] Upgrading nginx-lite from 1.14.0_14,2 to 1.14.1,2...
+  [nginx] [1/1] Upgrading nginx-lite from 1.23.0 to 1.24.0_12,3...
   ===> Creating groups.
   Using existing group 'www'.
   ===> Creating users
   Using existing user 'www'.
-  [nginx] [1/1] Extracting nginx-lite-1.14.1,2: 100%
+  [nginx] [1/1] Extracting nginx-lite-1.24.0_12: 100%
   You may need to manually remove /usr/local/etc/nginx/nginx.conf if it is no longer needed.

docs/chapters/subcommands/setup.rst

@@ -0,0 +1,16 @@
+=====
+setup
+=====
+
+The `setup` sub-command attempts to automatically configure a host system for
+Bastille containers. This allows you to configure networking, firewall, and storage
+options for a Bastille host with one command.
+
+.. code-block:: shell
+
+  ishmael ~ # bastille setup -h        ## display setup help
+  ishmael ~ # bastille setup bastille0 ## only configure loopback interface
+  ishmael ~ # bastille setup pf        ## only configure default firewall
+  ishmael ~ # bastille setup zfs       ## only configure ZFS storage
+  ishmael ~ # bastille setup vnet      ## only configure VNET bridge
+  ishmael ~ # bastille setup           ## configure all of the above

docs/chapters/subcommands/tags.rst

@@ -0,0 +1,13 @@
+====
+tags
+====
+
+The `tags` sub-command adds, removes or lists arbitrary tags on your containers.
+
+.. code-block:: shell
+
+  ishmael ~ # bastille tags -h                    ## display tags help
+  ishmael ~ # bastille tags TARGET add tag1,tag2  ## add the tags "tag1" and "tag2" to TARGET
+  ishmael ~ # bastille tags TARGET delete tag2    ## delete tag "tag2" from TARGET
+  ishmael ~ # bastille tags TARGET list           ## list tags assigned to TARGET
+  ishmael ~ # bastille tags ALL list              ## list tags from ALL containers

docs/chapters/subcommands/update.rst

@@ -10,14 +10,14 @@ If no updates are available, a message will be shown:
 
 .. code-block:: shell
 
-  ishmael ~ # bastille update 11.2-RELEASE
+  ishmael ~ # bastille update 11.4-RELEASE
   Looking up update.FreeBSD.org mirrors... 2 mirrors found.
-  Fetching metadata signature for 11.2-RELEASE from update4.freebsd.org... done.
+  Fetching metadata signature for 11.4-RELEASE from update4.freebsd.org... done.
   Fetching metadata index... done.
   Inspecting system... done.
   Preparing to download files... done.
 
-  No updates needed to update system to 11.2-RELEASE-p4.
+  No updates needed to update system to 11.4-RELEASE-p4.
   No updates are available to install.
 
 
@@ -25,9 +25,9 @@ The older the release, however, the more updates will be available:
 
 .. code-block:: shell
 
-  ishmael ~ # bastille update 10.4-RELEASE
+  ishmael ~ # bastille update 13.2-RELEASE
   Looking up update.FreeBSD.org mirrors... 2 mirrors found.
-  Fetching metadata signature for 10.4-RELEASE from update1.freebsd.org... done.
+  Fetching metadata signature for 13.2-RELEASE from update1.freebsd.org... done.
   Fetching metadata index... done.
   Fetching 2 metadata patches.. done.
   Applying metadata patches... done.
@@ -35,7 +35,7 @@ The older the release, however, the more updates will be available:
   Inspecting system... done.
   Preparing to download files... done.
 
-  The following files will be added as part of updating to 10.4-RELEASE-p13:
+  The following files will be added as part of updating to 13.2-RELEASE-p4:
   ...[snip]...
 
 To be safe, you may want to restart any containers that have been updated live.

docs/chapters/subcommands/upgrade.rst

@@ -1,10 +0,0 @@
-=======
-upgrade
-=======
-
-This command lets you upgrade a release to a new release. Depending on the
-workflow this can be similar to a `bootstrap`.
-
-.. code-block:: shell
-
-  ishmael ~ # bastille upgrade 12.0-RELEASE 12.1-RELEASE

docs/chapters/targeting.rst

@@ -27,7 +27,7 @@ Examples: Containers
 | cmd       | ALL    | 'sockstat -4'    | execute `sockstat -4` in ALL containers (ip4 sockets)       |
 +-----------+--------+-----+------------+-------------------------------------------------------------+
 | console   | mariadb02    | ---        | console (shell) access to mariadb02                         |
-+----+------+----+---------+------------+--------------+----------------------------------------------+
++----+------+--------+-----+------------+-------------------------------------------------------------+
 | pkg       | web01  | 'install nginx'  | install nginx package in web01 container                    |
 +-----------+--------+------------------+-------------------------------------------------------------+
 | pkg       | ALL    | upgrade          | upgrade packages in ALL containers                          |
@@ -39,11 +39,11 @@ Examples: Containers
 | template  | ALL    | username/base    | apply `username/base` template to ALL containers            |
 +-----------+--------+------------------+-------------------------------------------------------------+
 | start     | web02  | ---              | start web02 container                                       |
-+-----------+--------+-----+------------+-------------------------------------------------------------+
-| cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to container-path in bastion03|
 +----+------+----+---+------------------+--------------+----------------------------------------------+
-| create    | folsom | 12.1-RELEASE 10.17.89.10        | create 12.1 container named `folsom` with IP |
-+-----------+--------+------------------+--------------+----------------------------------------------+
+| cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to container-path in bastion03|
++----+------+----+---+---------------------------------+----------------------------------------------+
+| create    | folsom | 13.2-RELEASE 10.17.89.10        | create 13.2 container named `folsom` with IP |
++-----------+--------+---------------------------------+----------------------------------------------+
 
 
 Examples: Releases
@@ -56,11 +56,9 @@ Examples: Releases
 +-----------+--------------+--------------+-------------------------------------------------------------+
 | command   | target       | args         | description                                                 |
 +===========+==============+==============+=============================================================+
-| bootstrap | 12.1-RELEASE | ---          | bootstrap 12.1-RELEASE release                              |
+| bootstrap | 13.2-RELEASE | ---          | bootstrap 13.2-RELEASE release                              |
 +-----------+--------------+--------------+-------------------------------------------------------------+
-| update    | 11.4-RELEASE | ---          | update 11.4-RELEASE release                                 |
+| update    | 12.4-RELEASE | ---          | update 12.4-RELEASE release                                 |
 +-----------+--------------+--------------+-------------------------------------------------------------+
-| upgrade   | 11.3-RELEASE | 11.4-RELEASE | update 11.4-RELEASE release                                 |
-+-----------+--------------+--------------+-------------------------------------------------------------+
-| verify    | 11.4-RELEASE | ---          | update 11.4-RELEASE release                                 |
+| verify    | 12.4-RELEASE | ---          | verify 12.4-RELEASE release                                 |
 +-----------+--------------+--------------+-------------------------------------------------------------+

docs/chapters/template.rst

@@ -1,20 +1,19 @@
 ========
 Template
 ========
-Looking for ready made CI/CD validated [Bastille
-Templates](https://gitlab.com/BastilleBSD-Templates)?
+Looking for ready made CI/CD validated `Bastille Templates`_?
 
 Bastille supports a templating system allowing you to apply files, pkgs and
 execute commands inside the containers automatically.
 
-Currently supported template hooks are: `LIMITS`, `INCLUDE`, `PRE`, `FSTAB`,
-`PKG`, `OVERLAY`, `SYSRC`, `SERVICE`, `CMD`.
+Currently supported template hooks are: `CMD`, `CP`, `INCLUDE`, `LIMITS`, `MOUNT`,
+`PKG`, `RDR`, `SERVICE`, `SYSRC`.
 
 Templates are created in `${bastille_prefix}/templates` and can leverage any of
 the template hooks.
 
-Bastille 0.7.x
---------------
+Bastille 0.7.x+
+---------------
 Bastille 0.7.x introduces a template syntax that is more flexible and allows
 any-order scripting. Previous versions had a hard template execution order and
 instructions were spread across multiple files. The new syntax is done in a
@@ -27,23 +26,23 @@ Template Automation Hooks
 +---------+-------------------+-----------------------------------------+
 | HOOK    | format            | example                                 |
 +=========+===================+=========================================+
-| LIMITS  | resource value    | memoryuse 1G                            |
+| CMD     | /bin/sh command   | /usr/bin/chsh -s /usr/local/bin/zsh     |
++---------+-------------------+-----------------------------------------+
+| CP      | path(s)           | etc root usr (one per line)             |
 +---------+-------------------+-----------------------------------------+
 | INCLUDE | template path/URL | http?://TEMPLATE_URL or project/path    |
 +---------+-------------------+-----------------------------------------+
-| PRE     | /bin/sh command   | mkdir -p /usr/local/my_app/html         |
+| LIMITS  | resource value    | memoryuse 1G                            |
 +---------+-------------------+-----------------------------------------+
-| FSTAB   | fstab syntax      | /host/path container/path nullfs ro 0 0 |
+| MOUNT   | fstab syntax      | /host/path container/path nullfs ro 0 0 |
 +---------+-------------------+-----------------------------------------+
 | PKG     | port/pkg name(s)  | vim-console zsh git-lite tree htop      |
 +---------+-------------------+-----------------------------------------+
-| OVERLAY | path(s)           | etc root usr (one per line)             |
-+---------+-------------------+-----------------------------------------+
-| SYSRC   | sysrc command(s)  | nginx_enable=YES                        |
+| RDR     | tcp port port     | tcp 2200 22 (hostport jailport)         |
 +---------+-------------------+-----------------------------------------+
 | SERVICE | service command   | 'nginx start' OR 'postfix reload'       |
 +---------+-------------------+-----------------------------------------+
-| CMD     | /bin/sh command   | /usr/bin/chsh -s /usr/local/bin/zsh     |
+| SYSRC   | sysrc command(s)  | nginx_enable=YES                        |
 +---------+-------------------+-----------------------------------------+
 
 Note: SYSRC requires that NO quotes be used or that quotes (`"`) be escaped
@@ -71,7 +70,7 @@ use, be sure to include `usr` in the template OVERLAY definition. eg;
 
 .. code-block:: shell
 
-  echo "usr" > /usr/local/bastille/templates/username/template/OVERLAY
+  echo "CP usr /" >> /usr/local/bastille/templates/username/template/Bastillefile
 
 The above example "usr" will include anything under "usr" inside the template.
 You do not need to list individual files. Just include the top-level directory
@@ -139,3 +138,38 @@ directory names in the `bastille/templates` directory.
   Executing final command(s).
   chsh: user information updated
   Template Complete.
+
+.. _Bastille Templates: https://gitlab.com/BastilleBSD-Templates
+
+Using Ports in Templates
+------------------------
+
+Sometimes when you make a template you need special options for a package, or you need a newer version than what is in the pkgs.  The solution for these cases, or a case like minecraft server that has NO compiled option, is to use the ports.  A working example of this is the minecraft server template in the template repo.  The main lines needed to use this is first to mount the ports directory, then compile the port.  Below is an example of the minecraft template where this was used.
+
+.. code-block:: shell
+
+  ARG MINECRAFT_MEMX="1024M"
+  ARG MINECRAFT_MEMS="1024M"
+  ARG MINECRAFT_ARGS=""
+  CONFIG set enforce_statfs=1;
+  CONFIG set allow.mount.fdescfs;
+  CONFIG set allow.mount.procfs;
+  RESTART
+  PKG dialog4ports tmux openjdk17
+  MOUNT /usr/ports usr/ports nullfs ro 0 0
+  CP etc /
+  CP var /
+  CMD make -C /usr/ports/games/minecraft-server install clean
+  CP usr /
+  SYSRC minecraft_enable=YES
+  SYSRC minecraft_memx=${MINECRAFT_MEMX}
+  SYSRC minecraft_mems=${MINECRAFT_MEMS}
+  SYSRC minecraft_args=${MINECRAFT_ARGS}
+  SERVICE minecraft restart
+  RDR tcp 25565 25565
+
+The MOUNT line mounts the ports directory, then the CMD make line makes the port.  This can be modified to use any port in the port tree.
+
+
+
+

docs/chapters/upgrading.rst

@@ -0,0 +1,41 @@
+=========
+Upgrading
+=========
+This document outlines upgrading jails hosted using Bastille.
+
+Bastille can "bootstrap" multiple versions of FreeBSD to be used by jails. All jails do not NEED to be the same version (even if they often are), the only requirement here is that the "bootstrapped" versions are less than or equal to the host version of FreeBSD.
+
+To upgrade Bastille jails for a minor release (ie; 13.1→13.2) you can do the following:
+
+1. ensure the new release version is bootstrapped and updated to the latest patch release: `bastille bootstrap 13.2-RELEASE update`
+2. stop the jail(s) that need to be updated.
+3. use `bastille edit TARGET fstab` to manually update the jail mounts from 13.1 to 13.2 release path.
+4. start the jail(s) that were edited
+5. upgrade complete!
+
+To upgrade Bastille jails for a major release (ie; 12.4→13.2) you can do the following:
+
+1. ensure the new version is bootstrapped and update to the latest patch release: `bastille bootstrap 13.2-RELEASE update`
+2. stop the jail(s) that need to be updated.
+3. use `bastille edit TARGET fstab` to manually update the jail mounts from 12.4 to 13.2 release path.
+4. start the jail(s) that were edited
+5. Force the reinstallation or upgrade of all installed packages (ABI change): `pkg upgrade -f` within each jail (or `bastille pkg ALL upgrade -f`)
+6. restart the affected jail(s)
+7. upgrade complete!
+
+Revert Upgrade / Downgrade Process
+----------------------------------
+The downgrade process (not usually needed) is similar to the upgrade process only in reverse.
+
+If you did a minor upgrade changing the release path from 13.1 to 13.2, stop the jail and revert that change. Downgrade complete.
+
+If you did a major upgrade changing the release path from 12.4 to 13.2, stop the jail and revert that change. The pkg reinstallation will also need to be repeated after the jail restarts on the previous release.
+
+Old Releases
+----------------------------------
+After upgrading all jails from one release to the next you may find that you now have bootstrapped a release that is no longer used. Once you've decided that you no longer need the option to revert the change you can destroy the old release.
+
+
+`bastille list releases` to list all bootstrapped releases.
+
+`bastille destroy X.Y-RELEASE` to fully delete the release. 

docs/chapters/zfs-support.rst

@@ -0,0 +1,28 @@
+ZFS Support
+====================
+.. image:: /images/bastillebsd-twitter-poll.png
+  :width: 400
+  :alt: Alternative text
+
+Bastille 0.4 added initial support for ZFS. ``bastille bootstrap`` and ``bastille create`` will generate ZFS volumes based on settings found in the ``bastille.conf``. This section outlines how to enable and configure Bastille for ZFS.
+
+Two values are required for Bastille to use ZFS. The default values in the ``bastille.conf`` are empty. Populate these two to enable ZFS.
+
+.. code-block:: shell
+
+  ## ZFS options
+  bastille_zfs_enable=""                                  ## default: ""
+  bastille_zfs_zpool=""                                   ## default: ""
+  bastille_zfs_prefix="bastille"                          ## default: "${bastille_zfs_zpool}/bastille"
+  bastille_prefix="/bastille"                             ## default: "/usr/local/bastille". ${bastille_zfs_prefix} gets mounted here
+  bastille_zfs_options="-o compress=lz4 -o atime=off"     ## default: "-o compress=lz4 -o atime=off"
+
+Example
+
+.. code-block:: shell
+
+  ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_enable=YES
+  ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_zpool=ZPOOL_NAME
+
+Replace ``ZPOOL_NAME`` with the zpool you want Bastille to use. Tip: ``zpool list`` and ``zpool status`` will help. 
+If you get 'no pools available' you are likely not using ZFS and can safely ignore these settings.

docs/conf.py

@@ -8,13 +8,13 @@ else:
 # -- Project information -----------------------------------------------------
 
 project = 'Bastille'
-copyright = '2018-2021, Christer Edwards'
+copyright = '2018-2023, Christer Edwards'
 author = 'Christer Edwards'
 
 # The short X.Y version
-version = '0.8.20210115'
+version = '0.10.20231125'
 # The full version, including alpha/beta/rc tags
-release = '0.8.20210115-beta'
+release = '0.10.20231125-beta'
 
 
 # -- General configuration ---------------------------------------------------
@@ -26,10 +26,10 @@ templates_path = ['_templates']
 
 source_suffix = ['.rst', '.md']
 
-from recommonmark.parser import CommonMarkParser
-source_parsers = {
-    '.md': CommonMarkParser,
-}
+#from recommonmark.parser import CommonMarkParser
+#source_parsers = {
+#    '.md': CommonMarkParser,
+#}
 
 master_doc = 'index'
 language = None

docs/index.rst

@@ -12,12 +12,17 @@ https://docs.bastillebsd.org.
    :caption: Contents:
 
    chapters/installation
+   chapters/upgrading
    chapters/networking
    chapters/usage
    chapters/targeting
+   chapters/upgrading
    chapters/subcommands/index
    chapters/template
    chapters/jail-config
+   chapters/zfs-support
+   chapters/gcp
+   chapters/migration
 
    copyright
 

docs/requirements.txt

@@ -0,0 +1 @@
+docutils < 0.18

usr/local/bin/bastille

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -32,17 +32,6 @@ PATH=${PATH}:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
 
 . /usr/local/share/bastille/common.sh
 
-## root check first.
-bastille_root_check() {
-    if [ "$(id -u)" -ne 0 ]; then
-        ## permission denied
-        error_notify "Bastille: Permission Denied"
-        error_exit "root / sudo / doas required"
-    fi
-}
-
-bastille_root_check
-
 ## check for config existance
 bastille_conf_check() {
     if [ ! -r "/usr/local/etc/bastille/bastille.conf" ]; then
@@ -54,6 +43,9 @@ bastille_conf_check
 
 ## we only load the config if conf_check passes
 . /usr/local/etc/bastille/bastille.conf
+# Set default values for config properties added during the current major version:
+: "${bastille_network_pf_ext_if:=ext_if}"
+: "${bastille_network_pf_table:=jails}"
 
 ## bastille_prefix should be 0750
 ## this restricts file system access to privileged users
@@ -70,7 +62,7 @@ bastille_perms_check() {
 bastille_perms_check
 
 ## version
-BASTILLE_VERSION="0.8.20210115"
+BASTILLE_VERSION="0.10.20231125"
 
 usage() {
     cat << EOF
@@ -82,8 +74,8 @@ Usage:
 
 Available Commands:
   bootstrap   Bootstrap a FreeBSD release for container base.
-  cmd         Execute arbitrary command on targeted container(s).
   clone       Clone an existing container.
+  cmd         Execute arbitrary command on targeted container(s).
   config      Get or set a config value for the targeted container(s).
   console     Console into a running container.
   convert     Convert a Thin container into a Thick container.
@@ -99,13 +91,16 @@ Available Commands:
   list        List containers (running and stopped).
   mount       Mount a volume inside the targeted container(s).
   pkg         Manipulate binary packages within targeted container(s). See pkg(8).
+  rcp         reverse cp(1) files from a single container to the host.
   rdr         Redirect host port to container port.
   rename      Rename a container.
   restart     Restart a running container.
   service     Manage services within targeted container(s).
+  setup       Attempt to auto-configure network, firewall and storage on new installs.
   start       Start a stopped container.
   stop        Stop a running container.
   sysrc       Safely edit rc files within targeted container(s).
+  tags        Add or remove tags to targeted container(s).
   template    Apply file templates to targeted container(s).
   top         Display and update information about the top(1) cpu processes.
   umount      Unmount a volume from within the targeted container(s).
@@ -126,6 +121,23 @@ EOF
 CMD=$1
 shift
 
+target_all_jails() {
+  _JAILS=$(/usr/sbin/jls name)
+  JAILS=""
+  for _jail in ${_JAILS}; do
+      _JAILPATH=$(/usr/sbin/jls -j "${_jail}" path)
+      if [ -z ${_JAILPATH##${bastille_jailsdir}*} ]; then
+          JAILS="${JAILS} ${_jail}"
+      fi
+  done
+}
+
+check_target_is_running() {
+  if [ ! "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
+      error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'."
+  fi
+}
+
 # Handle special-case commands first.
 case "${CMD}" in
 version|-v|--version)
@@ -135,10 +147,10 @@ version|-v|--version)
 help|-h|--help)
     usage
     ;;
-bootstrap|create|destroy|import|list|rdr|restart|start|update|upgrade|verify)
+bootstrap|create|destroy|export|import|list|rdr|restart|setup|start|update|upgrade|verify)
     # Nothing "extra" to do for these commands. -- cwells
     ;;
-clone|config|cmd|console|convert|cp|edit|export|htop|limits|mount|pkg|rename|service|stop|sysrc|template|top|umount|zfs)
+clone|config|cmd|console|convert|cp|edit|htop|limits|mount|pkg|rcp|rename|service|stop|sysrc|tags|template|top|umount|zfs)
     # Parse the target and ensure it exists. -- cwells
     if [ $# -eq 0 ]; then # No target was given, so show the command's help. -- cwells
         PARAMS='help'
@@ -147,14 +159,17 @@ clone|config|cmd|console|convert|cp|edit|export|htop|limits|mount|pkg|rename|ser
         shift
 
         if [ "${TARGET}" = 'ALL' ]; then
-            _JAILS=$(jls name)
-            JAILS=""
-            for _jail in ${_JAILS}; do
-                _JAILPATH=$(jls -j "${_jail}" path)
-                if [ -z ${_JAILPATH##${bastille_jailsdir}*} ]; then
-                    JAILS="${JAILS} ${_jail}"
-                fi
-            done
+            target_all_jails
+        elif [ "${CMD}" = "pkg" ] && [ "${TARGET}" = '-H' ] || [ "${TARGET}" = '--host' ]; then
+            TARGET="${1}"
+            USE_HOST_PKG=1
+            if [ "${TARGET}" = 'ALL' ]; then
+              target_all_jails
+            else
+              JAILS="${TARGET}"
+              check_target_is_running
+            fi
+            shift
         elif [ "${CMD}" = 'template' ] && [ "${TARGET}" = '--convert' ]; then
             # This command does not act on a jail, so we are temporarily bypassing the presence/started
             # checks. The command will simply convert a template from hooks to a Bastillefile. -- cwells
@@ -168,19 +183,17 @@ clone|config|cmd|console|convert|cp|edit|export|htop|limits|mount|pkg|rename|ser
 
             case "${CMD}" in
             cmd|console|htop|pkg|service|stop|sysrc|template|top)
-                # Require the target to be running. -- cwells
-                if [ ! "$(jls name | awk "/^${TARGET}$/")" ]; then
-                    error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'."
-                fi
+                check_target_is_running
                 ;;
             convert|rename)
                 # Require the target to be stopped. -- cwells
-                if [ "$(jls name | awk "/^${TARGET}$/")" ]; then
+                if [ "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
                     error_exit "${TARGET} is running. See 'bastille stop ${TARGET}'."
                 fi
                 ;;
             esac
         fi
+        export USE_HOST_PKG
         export TARGET
         export JAILS
     fi

usr/local/etc/bastille/bastille.conf.sample

@@ -11,6 +11,9 @@ bastille_releasesdir="${bastille_prefix}/releases"                    ## default
 bastille_templatesdir="${bastille_prefix}/templates"                  ## default: "${bastille_prefix}/templates"
 bastille_logsdir="/var/log/bastille"                                  ## default: "/var/log/bastille"
 
+## pf configuration path
+bastille_pf_conf="/etc/pf.conf"                                       ## default: "/etc/pf.conf"
+
 ## bastille scripts directory (assumed by bastille pkg)
 bastille_sharedir="/usr/local/share/bastille"                         ## default: "/usr/local/share/bastille"
 
@@ -25,14 +28,15 @@ bastille_sharedir="/usr/local/share/bastille"                         ## default
 bastille_bootstrap_archives="base"                                    ## default: "base"
 
 ## default timezone
-bastille_tzdata="Etc/UTC"                                             ## default: "Etc/UTC"
+bastille_tzdata=""                                                    ## default: empty to use host's time zone
 
 ## default jail resolv.conf
 bastille_resolv_conf="/etc/resolv.conf"                               ## default: "/etc/resolv.conf"
 
 ## bootstrap urls
 bastille_url_freebsd="http://ftp.freebsd.org/pub/FreeBSD/releases/"          ## default: "http://ftp.freebsd.org/pub/FreeBSD/releases/"
-bastille_url_hardenedbsd="http://installer.hardenedbsd.org/pub/hardenedbsd/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/"
+bastille_url_hardenedbsd="https://installers.hardenedbsd.org/pub/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/"
+bastille_url_midnightbsd="https://www.midnightbsd.org/ftp/MidnightBSD/releases/"          ## default: "https://www.midnightbsd.org/pub/MidnightBSD/releases/"
 
 ## ZFS options
 bastille_zfs_enable=""                                                ## default: ""
@@ -43,15 +47,22 @@ bastille_zfs_options="-o compress=lz4 -o atime=off"                   ## default
 ## Export/Import options
 bastille_compress_xz_options="-0 -v"                                  ## default "-0 -v"
 bastille_decompress_xz_options="-c -d -v"                             ## default "-c -d -v"
+bastille_compress_gz_options="-1 -v"                                  ## default "-1 -v"
+bastille_decompress_gz_options="-k -d -c -v"                          ## default "-k -d -c -v"
+bastille_export_options=""                                            ## default "" predefined export options, e.g. "--safe --gz"
 
 ## Networking
 bastille_network_loopback="bastille0"                                 ## default: "bastille0"
+bastille_network_pf_ext_if="ext_if"                                   ## default: "ext_if"
+bastille_network_pf_table="jails"                                     ## default: "jails"
 bastille_network_shared=""                                            ## default: ""
 bastille_network_gateway=""                                           ## default: ""
+bastille_network_gateway6=""                                          ## default: ""
 
 ## Default Templates
 bastille_template_base="default/base"                                 ## default: "default/base"
 bastille_template_empty=""                                            ## default: "default/empty"
 bastille_template_thick="default/thick"                               ## default: "default/thick"
+bastille_template_clone="default/clone"                               ## default: "default/clone"
 bastille_template_thin="default/thin"                                 ## default: "default/thin"
 bastille_template_vnet="default/vnet"                                 ## default: "default/vnet"

usr/local/etc/rc.d/bastille

@@ -3,15 +3,24 @@
 # Bastille jail startup script
 #
 # PROVIDE: bastille
-# REQUIRE: LOGIN
+# REQUIRE: NETWORKING
 # KEYWORD: shutdown
 
 # Add the following to /etc/rc.conf[.local] to enable this service
 #
-# bastille_enable (bool):          Set to NO by default.
-#               Set it to YES to enable bastille.
-# bastille_list (string):        Set to "ALL" by default.
-#               Space separated list of jails to start.
+# bastille_enable (bool): Set to "NO" by default.
+#               Set it to "YES" to enable bastille.
+# bastille_conf (bool):   Set to "/usr/local/etc/bastille/bastille.conf" by default.
+#               Path to bastile.conf file. Used if bastille_rcorder="YES".
+# bastille_list (string): Set to "ALL" by default.
+#               Space separated list of jails to start or "ALL" to start all
+#               jails.
+# bastille_rcorder (bool):       Set to "NO" by default.
+#               Set it to "YES" to start all jails in order, defined by
+#               rcorder(8). It starts all jails, except jails with "KEYWORD:
+#               nostart" in jail.conf. Value of bastille_list is ignored in this
+#               case, requires correct path to bastile.conf in bastille_conf
+#               var.
 #
 
 . /etc/rc.subr
@@ -19,24 +28,36 @@
 name=bastille
 rcvar=${name}_enable
 
-: ${bastille_enable:=NO}
+: ${bastille_enable:="NO"}
+: ${bastille_conf:="/usr/local/etc/bastille/bastille.conf"}
 : ${bastille_list:="ALL"}
+: ${bastille_rcorder:="NO"}
 
 command=/usr/local/bin/${name}
 start_cmd="bastille_start"
 stop_cmd="bastille_stop"
 restart_cmd="bastille_stop && bastille_start"
 
+rcordered_list() {
+    local _jailsdir
+    _jailsdir=$(. $bastille_conf; echo $bastille_jailsdir)
+    bastille_ordered_list=$(rcorder -s nostart ${_jailsdir}/*/jail.conf | xargs dirname | xargs basename | tr "\n" " ")
+}
+
 bastille_start()
 {
-    if [ -z "${bastille_list}" ]; then
-        echo "bastille_list is undefined"
-        return 1
-    fi
-
     local _jail
 
-    for _jail in ${bastille_list}; do
+    if checkyesno bastille_rcorder; then
+        rcordered_list
+    elif [ -z "${bastille_list}" ]; then
+        echo "bastille_list is undefined"
+        return 1
+    else
+        bastille_ordered_list=${bastille_list}
+    fi
+
+    for _jail in ${bastille_ordered_list}; do
         echo "Starting Bastille Container: ${_jail}"
         ${command} start ${_jail}
     done
@@ -44,14 +65,20 @@ bastille_start()
 
 bastille_stop()
 {
-    if [ -z "${bastille_list}" ]; then
+    local _jail _revlist
+
+    if checkyesno bastille_rcorder; then
+        rcordered_list
+    elif [ -z "${bastille_list}" ]; then
         echo "bastille_list is undefined"
         return 1
+    else
+        bastille_ordered_list=${bastille_list}
     fi
 
-    local _jail
-
-    for _jail in ${bastille_list}; do
+    ## reverse order of list for shutdown ## fixes #389
+    _revlist=$(echo "${bastille_ordered_list}" | awk '{ for (i=NF; i>1; i--) printf("%s ",$i); print $1; }')
+    for _jail in ${_revlist}; do
         echo "Stopping Bastille Container: ${_jail}"
         ${command} stop ${_jail}
     done

usr/local/share/bastille/bootstrap.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -42,22 +42,22 @@ help|-h|--help)
     ;;
 esac
 
+bastille_root_check
+
 #Validate if ZFS is enabled in rc.conf and bastille.conf.
-if [ "$(sysrc -n zfs_enable)" = "YES" ] && [ ! "${bastille_zfs_enable}" = "YES" ]; then
+if [ "$(sysrc -n zfs_enable)" = "YES" ] && ! checkyesno bastille_zfs_enable; then
     warn "ZFS is enabled in rc.conf but not bastille.conf. Do you want to continue? (N|y)"
-    read  answer
+    read answer
     case $answer in
         no|No|n|N|"")
             error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_enable."
             ;;
-        yes|Yes|y|Y)
-            continue
-            ;;
+        yes|Yes|y|Y) ;;
     esac
 fi
 
 # Validate ZFS parameters.
-if [ "${bastille_zfs_enable}" = "YES" ]; then
+if checkyesno bastille_zfs_enable; then
     ## check for the ZFS pool and bastille prefix
     if [ -z "${bastille_zfs_zpool}" ]; then
         error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_zpool."
@@ -85,7 +85,7 @@ validate_release_url() {
         info "Bootstrapping ${PLATFORM_OS} distfiles..."
 
         # Alternate RELEASE/ARCH fetch support
-        if [ "${OPTION}" = "--i386" -o "${OPTION}" = "--32bit" ]; then
+        if [ "${OPTION}" = "--i386" ] || [ "${OPTION}" = "--32bit" ]; then
             ARCH="i386"
             RELEASE="${RELEASE}-${ARCH}"
         fi
@@ -102,54 +102,62 @@ bootstrap_directories() {
 
     ## ${bastille_prefix}
     if [ ! -d "${bastille_prefix}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ];then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 zfs create ${bastille_zfs_options} -o mountpoint="${bastille_prefix}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}"
-                chmod 0750 "${bastille_prefix}"
             fi
         else
             mkdir -p "${bastille_prefix}"
-            chmod 0750 "${bastille_prefix}"
         fi
+        chmod 0750 "${bastille_prefix}"
     fi
 
     ## ${bastille_backupsdir}
     if [ ! -d "${bastille_backupsdir}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ];then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 zfs create ${bastille_zfs_options} -o mountpoint="${bastille_backupsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/backups"
-                chmod 0750 "${bastille_backupsdir}"
             fi
         else
             mkdir -p "${bastille_backupsdir}"
-            chmod 0750 "${bastille_backupsdir}"
         fi
+        chmod 0750 "${bastille_backupsdir}"
     fi
 
     ## ${bastille_cachedir}
     if [ ! -d "${bastille_cachedir}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache"
-                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
+                # Don't create unused/stale cache/RELEASE directory on Linux jails creation.
+                if [ -z "${NOCACHEDIR}" ]; then
+                    zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
+                fi
             fi
         else
-            mkdir -p "${bastille_cachedir}/${RELEASE}"
+            mkdir -p "${bastille_cachedir}"
+            # Don't create unused/stale cache/RELEASE directory on Linux jails creation.
+            if [ -z "${NOCACHEDIR}" ]; then
+                mkdir -p "${bastille_cachedir}/${RELEASE}"
+            fi
         fi
     ## create subsequent cache/XX.X-RELEASE datasets
     elif [ ! -d "${bastille_cachedir}/${RELEASE}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
-            if [ -n "${bastille_zfs_zpool}" ]; then
-                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
+        # Don't create unused/stale cache/RELEASE directory on Linux jails creation.
+        if [ -z "${NOCACHEDIR}" ]; then
+            if checkyesno bastille_zfs_enable; then
+                if [ -n "${bastille_zfs_zpool}" ]; then
+                    zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
+                fi
+            else
+                mkdir -p "${bastille_cachedir}/${RELEASE}"
             fi
-        else
-            mkdir -p "${bastille_cachedir}/${RELEASE}"
         fi
     fi
 
     ## ${bastille_jailsdir}
     if [ ! -d "${bastille_jailsdir}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 zfs create ${bastille_zfs_options} -o mountpoint="${bastille_jailsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails"
             fi
@@ -160,7 +168,7 @@ bootstrap_directories() {
 
     ## ${bastille_logsdir}
     if [ ! -d "${bastille_logsdir}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 zfs create ${bastille_zfs_options} -o mountpoint="${bastille_logsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/logs"
             fi
@@ -171,19 +179,18 @@ bootstrap_directories() {
 
     ## ${bastille_templatesdir}
     if [ ! -d "${bastille_templatesdir}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 zfs create ${bastille_zfs_options} -o mountpoint="${bastille_templatesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates"
             fi
         else
             mkdir -p "${bastille_templatesdir}"
         fi
-        ln -s "${bastille_sharedir}/templates/default" "${bastille_templatesdir}/default"
     fi
 
     ## ${bastille_releasesdir}
     if [ ! -d "${bastille_releasesdir}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases"
                 zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"
@@ -194,7 +201,7 @@ bootstrap_directories() {
 
     ## create subsequent releases/XX.X-RELEASE datasets
     elif [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"
             fi
@@ -216,7 +223,7 @@ bootstrap_release() {
 
         ## check if release already bootstrapped, else continue bootstrapping
         if [ -z "${bastille_bootstrap_archives}" ]; then
-            error_exit "Bootstrap appears complete."
+            error_notify "Bootstrap appears complete."
         else
             info "Bootstrapping additional distfiles..."
         fi
@@ -242,7 +249,7 @@ bootstrap_release() {
 
             if [ "${FETCH_VALIDATION}" -ne "0" ]; then
                 ## perform cleanup only for stale/empty directories on failure
-                if [ "${bastille_zfs_enable}" = "YES" ]; then
+                if checkyesno bastille_zfs_enable; then
                     if [ -n "${bastille_zfs_zpool}" ]; then
                         if [ ! "$(ls -A "${bastille_cachedir}/${RELEASE}")" ]; then
                             zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
@@ -254,12 +261,12 @@ bootstrap_release() {
                     fi
                     if [ -d "${bastille_cachedir}/${RELEASE}" ]; then
                         if [ ! "$(ls -A "${bastille_cachedir}/${RELEASE}")" ]; then
-                            rm -rf "${bastille_cachedir}/${RELEASE}"
+                            rm -rf "${bastille_cachedir:?}/${RELEASE}"
                         fi
                     fi
                     if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
                         if [ ! "$(ls -A "${bastille_releasesdir}/${RELEASE}")" ]; then
-                            rm -rf "${bastille_releasesdir}/${RELEASE}"
+                            rm -rf "${bastille_releasesdir:?}/${RELEASE}"
                         fi
                     fi
                     error_exit "Bootstrap failed."
@@ -267,8 +274,7 @@ bootstrap_release() {
 
                 ## fetch for missing dist files
                 if [ ! -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
-                    fetch "${UPSTREAM_URL}/${_archive}.txz" -o "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
-                    if [ "$?" -ne 0 ]; then
+                    if ! fetch "${UPSTREAM_URL}/${_archive}.txz" -o "${bastille_cachedir}/${RELEASE}/${_archive}.txz"; then
                         ## alert only if unable to fetch additional dist files
                         error_notify "Failed to fetch ${_archive}.txz."
                     fi
@@ -308,11 +314,107 @@ bootstrap_release() {
     echo
 }
 
+debootstrap_release() {
+
+    # Make sure to check/bootstrap directories first.
+    NOCACHEDIR=1
+    RELEASE="${DIR_BOOTSTRAP}"
+    bootstrap_directories
+
+    #check and install OS dependencies @hackacad
+    #ToDo: add function 'linux_pre' for sysrc etc.
+
+    required_mods="fdescfs linprocfs linsysfs tmpfs"
+    linuxarc_mods="linux linux64"
+    for _req_kmod in ${required_mods}; do
+        if [ ! "$(sysrc -f /boot/loader.conf -qn ${_req_kmod}_load)" = "YES" ] && \
+            [ ! "$(sysrc -f /boot/loader.conf.local -qn ${_req_kmod}_load)" = "YES" ]; then
+            warn "${_req_kmod} not enabled in /boot/loader.conf, Should I do that for you?  (N|y)"
+            read  answer
+            case "${answer}" in
+                [Nn][Oo]|[Nn]|"")
+                    error_exit "Exiting."
+                    ;;
+                [Yy][Ee][Ss]|[Yy])
+                    # Skip already loaded known modules.
+                    if ! kldstat -m ${_req_kmod} >/dev/null 2>&1; then
+                        info "Loading kernel module: ${_req_kmod}"
+                        kldload -v ${_req_kmod}
+                    fi
+                    info "Persisting module: ${_req_kmod}"
+                    sysrc -f /boot/loader.conf ${_req_kmod}_load=YES
+                ;;
+            esac
+        else
+            # If already set in /boot/loader.conf, check and try to load the module. 
+            if ! kldstat -m ${_req_kmod} >/dev/null 2>&1; then
+                info "Loading kernel module: ${_req_kmod}"
+                kldload -v ${_req_kmod}
+            fi
+        fi
+    done
+
+        # Mandatory Linux modules/rc.
+        for _lin_kmod in ${linuxarc_mods}; do
+            if ! kldstat -n ${_lin_kmod} >/dev/null 2>&1; then
+                info "Loading kernel module: ${_lin_kmod}"
+                kldload -v ${_lin_kmod}
+            fi
+        done
+        if [ ! "$(sysrc -qn linux_enable)" = "YES" ] && \
+            [ ! "$(sysrc -f /etc/rc.conf.local -qn linux_enable)" = "YES" ]; then
+            sysrc linux_enable=YES
+        fi
+
+    if ! which -s debootstrap; then
+        warn "Debootstrap not found. Should it be installed? (N|y)"
+        read  answer
+        case $answer in
+            [Nn][Oo]|[Nn]|"")
+                error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail."
+                ;;
+            [Yy][Ee][Ss]|[Yy])
+                pkg install -y debootstrap
+                ;;
+        esac
+    fi
+
+    # Fetch the Linux flavor
+    info "Bootstrapping ${PLATFORM_OS} distfiles..."
+    if ! debootstrap --foreign --arch=${ARCH_BOOTSTRAP} --no-check-gpg ${LINUX_FLAVOR} "${bastille_releasesdir}"/${DIR_BOOTSTRAP}; then
+        ## perform cleanup only for stale/empty directories on failure
+        if checkyesno bastille_zfs_enable; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
+                if [ ! "$(ls -A "${bastille_releasesdir}/${DIR_BOOTSTRAP}")" ]; then
+                    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${DIR_BOOTSTRAP}"
+                fi
+            fi
+        fi
+        if [ -d "${bastille_releasesdir}/${DIR_BOOTSTRAP}" ]; then
+            if [ ! "$(ls -A "${bastille_releasesdir}/${DIR_BOOTSTRAP}")" ]; then
+                rm -rf "${bastille_releasesdir:?}/${DIR_BOOTSTRAP}"
+            fi
+        fi
+        error_exit "Bootstrap failed."
+    fi
+
+    case "${LINUX_FLAVOR}" in
+        bionic|focal|jammy|buster|bullseye|bookworm)
+        info "Increasing APT::Cache-Start"
+        echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/${DIR_BOOTSTRAP}/etc/apt/apt.conf.d/00aptitude
+        ;;
+    esac
+
+    info "Bootstrap successful."
+    info "See 'bastille --help' for available commands."
+    echo
+}
+
 bootstrap_template() {
 
     ## ${bastille_templatesdir}
     if [ ! -d "${bastille_templatesdir}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 zfs create ${bastille_zfs_options} -o mountpoint="${bastille_templatesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates"
             fi
@@ -325,19 +427,19 @@ bootstrap_template() {
     ## define basic variables
     _url=${BASTILLE_TEMPLATE_URL}
     _user=${BASTILLE_TEMPLATE_USER}
-    _repo=${BASTILLE_TEMPLATE_REPO}
+    _repo=${BASTILLE_TEMPLATE_REPO%.*} # Remove the trailing ".git"
     _template=${bastille_templatesdir}/${_user}/${_repo}
 
     ## support for non-git
-    if [ ! -x "$(which git)" ]; then
+    if ! which -s git; then
         error_notify "Git not found."
         error_exit "Not yet implemented."
-    elif [ -x "$(which git)" ]; then
+    else
         if [ ! -d "${_template}/.git" ]; then
-            $(which git) clone "${_url}" "${_template}" ||\
+            git clone "${_url}" "${_template}" ||\
                 error_notify "Clone unsuccessful."
         elif [ -d "${_template}/.git" ]; then
-            cd "${_template}" && $(which git) pull ||\
+            git -C "${_template}" pull ||\
                 error_notify "Template update unsuccessful."
         fi
     fi
@@ -347,13 +449,23 @@ bootstrap_template() {
 
 HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }')
 HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
+
+# bootstrapping from aarch64/arm64 Debian or Ubuntu require a different value for ARCH
+# create a new variable
+if [ "${HW_MACHINE_ARCH}" == "aarch64" ]; then
+    HW_MACHINE_ARCH_LINUX="arm64"
+else
+    HW_MACHINE_ARCH_LINUX=${HW_MACHINE_ARCH}
+fi
+
+NOCACHEDIR=
 RELEASE="${1}"
 OPTION="${2}"
 
 # Alternate RELEASE/ARCH fetch support(experimental)
 if [ -n "${OPTION}" ] && [ "${OPTION}" != "${HW_MACHINE}" ] && [ "${OPTION}" != "update" ]; then
     # Supported architectures
-    if [ "${OPTION}" = "--i386" -o "${OPTION}" = "--32bit" ]; then
+    if [ "${OPTION}" = "--i386" ] || [ "${OPTION}" = "--32bit" ]; then
         HW_MACHINE="i386"
         HW_MACHINE_ARCH="i386"
     else
@@ -361,8 +473,20 @@ if [ -n "${OPTION}" ] && [ "${OPTION}" != "${HW_MACHINE}" ] && [ "${OPTION}" !=
     fi
 fi
 
+## allow override bootstrap URLs via environment variables
+[ -n "${BASTILLE_URL_FREEBSD}" ] && bastille_url_freebsd="${BASTILLE_URL_FREEBSD}"
+[ -n "${BASTILLE_URL_HARDENEDBSD}" ] && bastille_url_hardenedbsd="${BASTILLE_URL_HARDENEDBSD}"
+[ -n "${BASTILLE_URL_MIDNIGHTBSD}" ] && bastille_url_midnightbsd="${BASTILLE_URL_MIDNIGHTBSD}"
+
 ## Filter sane release names
 case "${1}" in
+2.[0-9]*)
+    ## check for MidnightBSD releases name
+    NAME_VERIFY=$(echo "${RELEASE}")
+    UPSTREAM_URL="${bastille_url_midnightbsd}${HW_MACHINE_ARCH}/${NAME_VERIFY}"
+    PLATFORM_OS="MidnightBSD"
+    validate_release_url
+    ;;
 *-CURRENT|*-current)
     ## check for FreeBSD releases name
     NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT)$' | tr '[:lower:]' '[:upper:]')
@@ -370,9 +494,9 @@ case "${1}" in
     PLATFORM_OS="FreeBSD"
     validate_release_url
     ;;
-*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
+*-RELEASE|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9])
     ## check for FreeBSD releases name
-    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([0-9]{1,2})\.[0-9](-RELEASE|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]')
     UPSTREAM_URL="${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}"
     PLATFORM_OS="FreeBSD"
     validate_release_url
@@ -397,8 +521,8 @@ case "${1}" in
     ## check for HardenedBSD(latest stable build release)
     NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
     NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/-BUILD-LATEST//g')
-    NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-//g')
-    UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
+    NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-BUILD-//g')
+    UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/installer/${NAME_BUILD}"
     PLATFORM_OS="HardenedBSD"
     validate_release_url
     ;;
@@ -415,17 +539,67 @@ current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST)
     ## check for HardenedBSD(latest current build release)
     NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
     NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/current-.*/current/g')
-    NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-//g')
-    UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
+    NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-BUILD-//g')
+    UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/installer/${NAME_BUILD}"
     PLATFORM_OS="HardenedBSD"
     validate_release_url
     ;;
-http?://github.com/*/*|http?://gitlab.com/*/*)
+http?://*/*/*)
     BASTILLE_TEMPLATE_URL=${1}
     BASTILLE_TEMPLATE_USER=$(echo "${1}" | awk -F / '{ print $4 }')
     BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
     bootstrap_template
     ;;
+git@*:*/*)
+    BASTILLE_TEMPLATE_URL=${1}
+    git_repository=$(echo "${1}" | awk -F : '{ print $2 }')
+    BASTILLE_TEMPLATE_USER=$(echo "${git_repository}" | awk -F / '{ print $1 }')
+    BASTILLE_TEMPLATE_REPO=$(echo "${git_repository}" | awk -F / '{ print $2 }')
+    bootstrap_template
+    ;;
+#adding Ubuntu Bionic as valid "RELEASE" for POC @hackacad
+ubuntu_bionic|bionic|ubuntu-bionic)
+    PLATFORM_OS="Ubuntu/Linux"
+    LINUX_FLAVOR="bionic"
+    DIR_BOOTSTRAP="Ubuntu_1804"
+    ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
+    debootstrap_release
+    ;;
+ubuntu_focal|focal|ubuntu-focal)
+    PLATFORM_OS="Ubuntu/Linux"
+    LINUX_FLAVOR="focal"
+    DIR_BOOTSTRAP="Ubuntu_2004"
+    ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
+    debootstrap_release
+    ;;
+ubuntu_jammy|jammy|ubuntu-jammy)
+    PLATFORM_OS="Ubuntu/Linux"
+    LINUX_FLAVOR="jammy"
+    DIR_BOOTSTRAP="Ubuntu_2204"
+    ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
+    debootstrap_release
+    ;;
+debian_buster|buster|debian-buster)
+    PLATFORM_OS="Debian/Linux"
+    LINUX_FLAVOR="buster"
+    DIR_BOOTSTRAP="Debian10"
+    ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
+    debootstrap_release
+    ;;
+debian_bullseye|bullseye|debian-bullseye)
+    PLATFORM_OS="Debian/Linux"
+    LINUX_FLAVOR="bullseye"
+    DIR_BOOTSTRAP="Debian11"
+    ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
+    debootstrap_release
+    ;;
+debian_bookworm|bookworm|debian-bookworm)
+    PLATFORM_OS="Debian/Linux"
+    LINUX_FLAVOR="bookworm"
+    DIR_BOOTSTRAP="Debian12"
+    ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
+    debootstrap_release
+    ;;
 *)
     usage
     ;;

usr/local/share/bastille/clone.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -46,6 +46,8 @@ if [ $# -ne 2 ]; then
     usage
 fi
 
+bastille_root_check
+
 NEWNAME="${1}"
 IP="${2}"
 
@@ -68,7 +70,7 @@ validate_ip() {
                     error_exit "Invalid: (${TEST_IP})"
                 fi
             done
-            if ifconfig | grep -qw "${TEST_IP}"; then
+            if ifconfig | grep -qwF "${TEST_IP}"; then
                 warn "Warning: IP address already in use (${TEST_IP})."
             else
                 info "Valid: (${IP})."
@@ -109,7 +111,11 @@ update_jailconf_vnet() {
         if [ -n "${jail_list}" ]; then
             if ! grep -q "e0b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then
                 uniq_epair="bastille${_num}"
+                # Update the exec.* with uniq_epair when cloning jails.
                 sed -i '' "s|vnet.interface = e0b_bastille.*;|vnet.interface = e0b_${uniq_epair};|" "${JAIL_CONFIG}"
+                sed -i '' "s|exec.prestart += \"jib addm bastille[0-9]|exec.prestart += \"jib addm ${uniq_epair}|" "${JAIL_CONFIG}"
+                sed -i '' "s|exec.prestart += \"ifconfig e0a_bastille[0-9].*|exec.prestart += \"ifconfig e0a_${uniq_epair} description \\\\\"vnet host interface for Bastille jail ${NEWNAME}\\\\\"\";|" "${JAIL_CONFIG}"
+                sed -i '' "s|exec.poststop += \"jib destroy bastille[0-9]\";|exec.poststop += \"jib destroy ${uniq_epair}\";|" "${JAIL_CONFIG}"
                 break
             fi
         fi
@@ -130,7 +136,7 @@ update_fstab() {
     # Update fstab to use the new name
     FSTAB_CONFIG="${bastille_jailsdir}/${NEWNAME}/fstab"
     if [ -f "${FSTAB_CONFIG}" ]; then
-        FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
+        FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-9]|-BETA[1-9]|-CURRENT)|([0-9]{1,2}(-stable-build-[0-9]{1,3}|-stable-LAST))|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)' "${FSTAB_CONFIG}" | uniq)
         FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" "${FSTAB_CONFIG}")
         FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0"
         if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
@@ -139,6 +145,8 @@ update_fstab() {
                 sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}"
             fi
         fi
+        # Update additional fstab paths with new jail path
+        sed -i '' "s|${bastille_jailsdir}/${TARGET}/root/|${bastille_jailsdir}/${NEWNAME}/root/|" "${FSTAB_CONFIG}"
     fi
 }
 
@@ -146,7 +154,7 @@ clone_jail() {
     # Attempt container clone
     info "Attempting to clone '${TARGET}' to ${NEWNAME}..."
     if ! [ -d "${bastille_jailsdir}/${NEWNAME}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 # Replicate the existing container
                 DATE=$(date +%F-%H%M%S)
@@ -164,7 +172,7 @@ clone_jail() {
         else
             # Just clone the jail directory
             # Check if container is running
-            if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then
+            if [ -n "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
                 error_exit "${TARGET} is running. See 'bastille stop ${TARGET}'."
             fi
 

usr/local/share/bastille/cmd.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -29,6 +29,7 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 . /usr/local/share/bastille/common.sh
+. /usr/local/etc/bastille/bastille.conf
 
 usage() {
     error_exit "Usage: bastille cmd TARGET command"
@@ -45,8 +46,37 @@ if [ $# -eq 0 ]; then
     usage
 fi
 
+bastille_root_check
+
+COUNT=0
+RETURN=0
+
 for _jail in ${JAILS}; do
+    COUNT=$(($COUNT+1))
     info "[${_jail}]:"
-    jexec -l "${_jail}" "$@"
+
+    if grep -qw "linsysfs" "${bastille_jailsdir}/${_jail}/fstab"; then
+        # Allow executing commands on Linux jails.
+        jexec -l -u root "${_jail}" "$@"
+    else
+        jexec -l -U root "${_jail}" "$@"
+    fi
+
+    ERROR_CODE=$?
+    info "[${_jail}]: ${ERROR_CODE}"
+    
+    if [ "$COUNT" -eq 1 ]; then
+        RETURN=${ERROR_CODE}
+    else 
+        RETURN=$(($RETURN+$ERROR_CODE))
+    fi
+    
     echo
 done
+
+# Check when a command is executed in all running jails. (bastille cmd ALL ...)
+if [ "${COUNT}" -gt 1 ] && [ "${RETURN}" -gt 0 ]; then
+    RETURN=1
+fi
+
+return "${RETURN}"

usr/local/share/bastille/common.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,7 +28,28 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+COLOR_RED=
+COLOR_GREEN=
+COLOR_YELLOW=
+COLOR_RESET=
+
+bastille_root_check() {
+    if [ "$(id -u)" -ne 0 ]; then
+        ## permission denied
+        error_notify "Bastille: Permission Denied"
+        error_exit "root / sudo / doas required"
+    fi
+}
+
+enable_color() {
+    . /usr/local/share/bastille/colors.pre.sh
+}
+
+# If "NO_COLOR" environment variable is present, or we aren't speaking to a
+# tty, disable output colors.
+if [ -z "${NO_COLOR}" -a -t 1 ]; then
+    enable_color
+fi
 
 # Notify message on error, but do not exit
 error_notify() {
@@ -48,3 +69,72 @@ info() {
 warn() {
     echo -e "${COLOR_YELLOW}$*${COLOR_RESET}"
 }
+
+generate_vnet_jail_netblock() {
+    local jail_name="$1"
+    local use_unique_bridge="$2"
+    local external_interface="$3"
+    ## determine number of containers + 1
+    ## iterate num and grep all jail configs
+    ## define uniq_epair
+    local jail_list=$(bastille list jails)
+    if [ -n "${jail_list}" ]; then
+        local list_jails_num=$(echo "${jail_list}" | wc -l | awk '{print $1}')
+        local num_range=$((list_jails_num + 1))
+        for _num in $(seq 0 "${num_range}"); do
+            if ! grep -q "e[0-9]b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then
+                if ! grep -q "epair${_num}" "${bastille_jailsdir}"/*/jail.conf; then
+                    local uniq_epair="bastille${_num}"
+                    local uniq_epair_bridge="${_num}"
+                    break
+                fi
+            fi
+        done
+    else
+        local uniq_epair="bastille0"
+        local uniq_epair_bridge="0"
+    fi
+    if [ -n "${use_unique_bridge}" ]; then
+        ## generate bridge config
+        cat <<-EOF
+  vnet;
+  vnet.interface = "e${uniq_epair_bridge}b_${jail_name}";
+  exec.prestart += "ifconfig epair${uniq_epair_bridge} create";
+  exec.prestart += "ifconfig ${external_interface} addm epair${uniq_epair_bridge}a";
+  exec.prestart += "ifconfig epair${uniq_epair_bridge}a up name e${uniq_epair_bridge}a_${jail_name}";
+  exec.prestart += "ifconfig epair${uniq_epair_bridge}b up name e${uniq_epair_bridge}b_${jail_name}";
+  exec.poststop += "ifconfig ${external_interface} deletem e${uniq_epair_bridge}a_${jail_name}";
+  exec.poststop += "ifconfig e${uniq_epair_bridge}a_${jail_name} destroy";
+EOF
+    else
+        ## generate config
+        cat <<-EOF
+  vnet;
+  vnet.interface = e0b_${uniq_epair};
+  exec.prestart += "jib addm ${uniq_epair} ${external_interface}";
+  exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\"";
+  exec.poststop += "jib destroy ${uniq_epair}";
+EOF
+    fi
+}
+
+checkyesno() {
+    ## copied from /etc/rc.subr -- cedwards (20231125)
+    ## issue #368 (lowercase values should be parsed)
+    ## now used for all bastille_zfs_enable=YES|NO tests
+    ## example: if checkyesno bastille_zfs_enable; then ...
+    ## returns 0 for enabled; returns 1 for disabled
+    eval _value=\$${1}
+    case $_value in
+    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1)
+        return 0
+        ;;
+    [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|[Oo][Ff][Ff]|0)
+        return 1
+        ;;
+    *)
+        warn "\$${1} is not set properly - see rc.conf(5)."
+        return 1
+        ;;
+    esac
+}

usr/local/share/bastille/config.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -35,6 +35,15 @@ usage() {
     error_exit "Usage: bastille config TARGET get|set propertyName [newValue]"
 }
 
+# we need jail(8) to parse the config file so it can expand variables etc
+print_jail_conf() {
+
+    # we need to pass a literal \n to jail to get each parameter on its own
+    # line
+    jail -f "$1" -e '
+'
+} 
+
 # Handle special-case commands first.
 case "$1" in
 help|-h|--help)
@@ -46,6 +55,8 @@ if [ $# -eq 1 ] || [ $# -gt 3 ]; then
     usage
 fi
 
+bastille_root_check
+
 ACTION=$1
 shift
 
@@ -71,22 +82,39 @@ for _jail in ${JAILS}; do
         continue
     fi
 
-    ESCAPED_PROPERTY=$(echo "${PROPERTY}" | sed 's/\./\\\./g')
-    MATCH_LINE=$(grep "^[[:blank:]]*${ESCAPED_PROPERTY}[[:blank:]=;]" "${FILE}" 2>/dev/null)
-    MATCH_FOUND=$?
-
     if [ "${ACTION}" = 'get' ]; then
-        if [ $MATCH_FOUND -ne 0 ]; then
-            warn "not set"
-        elif ! echo "${MATCH_LINE}" | grep '=' > /dev/null 2>&1; then
-            echo "enabled"
+        _output=$(
+            print_jail_conf "${FILE}" | awk -F= -v property="${PROPERTY}" '
+                $1 == property {
+                    # note that we have found the property
+                    found = 1;
+                    # check if there is a value for this property
+                    if (NF == 2) {
+                        # remove any quotes surrounding the string
+                        sub(/^"/, "", $2);
+                        sub(/"$/, "", $2);
+                        print $2;
+                    } else {
+                        # no value, just the property name
+                        print "enabled";
+                    }
+                    exit 0;
+                }
+                END {
+                    # if we have not found anything we need to print a special
+                    # string
+                    if (! found) {
+                        print("not set");
+                        #  let the caller know that this is a warn condition
+                        exit(120);
+                    }
+                }'
+            )
+        # check if our output is a warning or regular
+        if [ $? -eq 120 ]; then
+            warn "${_output}"
         else
-            VALUE=$(echo "${MATCH_LINE}" | sed -E 's/.+= *(.+) *;$/\1/' 2>/dev/null)
-            if [ $? -ne 0 ]; then
-                error_notify "Failed to get value."
-            else
-                echo "${VALUE}"
-            fi
+            echo "${_output}"
         fi
     else # Setting the value. -- cwells
         if [ -n "${VALUE}" ]; then
@@ -99,11 +127,40 @@ for _jail in ${JAILS}; do
             LINE="  ${PROPERTY};"
         fi
 
-        if [ $MATCH_FOUND -ne 0 ]; then # No match, so insert the property at the end. -- cwells
-            echo "$(awk -v line="${LINE}" '$0 == "}" { print line; } 1 { print $0; }' "${FILE}")" > "${FILE}"
-        else # Replace the existing value. -- cwells
-            sed -i '' -E "s/ *${ESCAPED_PROPERTY}[ =;].*/${LINE}/" "${FILE}"
-        fi
+        # add the value to the config file, replacing any existing value or, if
+        # there is none, at the end
+        #
+        # awk doesn't have "inplace" editing so we use a temp file
+        _tmpfile=$(mktemp) || error_exit "unable to set because mktemp failed"
+        cp "${FILE}" "${_tmpfile}" && \
+        awk -F= -v line="${LINE}" -v property="${PROPERTY}" '
+            BEGIN {
+                # build RE as string as we can not expand vars in RE literals
+                prop_re = "^[[:space:]]*" property "[[:space:]]*$";
+            }
+            $1 ~ prop_re && !found {
+                # we already have an entry in the config for this property so
+                # we need to substitute our line here rather than keep the
+                # existing line
+                print(line);
+                # note we have already found the property
+                found = 1;
+                # move onto the next line
+                next;
+            }
+            $1 == "}" {
+                # reached the end of the stanza so if we have not already
+                # added our line we need to do so now
+                if (! found) {
+                    print(line);
+                }
+            }
+            {
+                # print each uninteresting line unchanged
+                print;
+            }
+        ' "${_tmpfile}" > "${FILE}"
+        rm "${_tmpfile}"
     fi
 done
 

usr/local/share/bastille/console.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -32,7 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    error_exit "Usage: bastille console TARGET [user]'"
+    error_exit "Usage: bastille console TARGET [user]"
 }
 
 # Handle special-case commands first.
@@ -46,6 +46,8 @@ if [ $# -gt 1 ]; then
     usage
 fi
 
+bastille_root_check
+
 USER="${1}"
 
 validate_user() {
@@ -53,7 +55,7 @@ validate_user() {
         USER_SHELL="$(jexec -l "${_jail}" getent passwd "${USER}" | cut -d: -f7)"
         if [ -n "${USER_SHELL}" ]; then
             if jexec -l "${_jail}" grep -qwF "${USER_SHELL}" /etc/shells; then
-                jexec -l "${_jail}" /usr/bin/login -f "${USER}"
+                jexec -l "${_jail}" $LOGIN -f "${USER}"
             else
                 echo "Invalid shell for user ${USER}"
             fi
@@ -76,11 +78,12 @@ check_fib() {
 
 for _jail in ${JAILS}; do
     info "[${_jail}]:"
+    LOGIN="$(jexec -l "${_jail}" which login)"
     if [ -n "${USER}" ]; then
         validate_user
     else
-        check_fib
-        ${_setfib} jexec -l "${_jail}" /usr/bin/login -f root
+        LOGIN="$(jexec -l "${_jail}" which login)"
+        ${_setfib} jexec -l "${_jail}" $LOGIN -f root
     fi
     echo
 done

usr/local/share/bastille/convert.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -46,6 +46,8 @@ if [ $# -ne 0 ]; then
     usage
 fi
 
+bastille_root_check
+
 convert_symlinks() {
     # Work with the symlinks, revert on first cp error
     if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
@@ -57,6 +59,7 @@ convert_symlinks() {
         done
 
         # Copy new files to destination jail
+        info "Copying required base files to container..."
         for _link in ${SYMLINKS}; do
             if [ ! -d "${_link}" ]; then
                 if [ -d "${bastille_releasesdir}/${RELEASE}/${_link}" ]; then
@@ -100,13 +103,15 @@ revert_convert() {
 
 start_convert() {
     # Attempt container conversion and handle some errors
+    DATE=$(date)
     if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
         info "Converting '${TARGET}' into a thickjail. This may take a while..."
 
         # Set some variables
-        RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${bastille_jailsdir}/${TARGET}/fstab")
+        RELEASE=$(grep -w "${bastille_releasesdir}/.* ${bastille_jailsdir}/${TARGET}/root/.bastille" ${bastille_jailsdir}/${TARGET}/fstab | sed "s|${bastille_releasesdir}/||;s| .*||")
         FSTABMOD=$(grep -w "${bastille_releasesdir}/${RELEASE} ${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab")
         SYMLINKS="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/ports usr/sbin usr/share usr/src"
+        HASPORTS=$(grep -w ${bastille_releasesdir}/${RELEASE}/usr/ports ${bastille_jailsdir}/${TARGET}/fstab)
 
         if [ -n "${RELEASE}" ]; then
             cd "${bastille_jailsdir}/${TARGET}/root"
@@ -115,7 +120,12 @@ start_convert() {
             convert_symlinks
 
             # Comment the line containing .bastille and rename mountpoint
-            sed -i '' -E "s|${FSTABMOD}|# Converted from thin to thick container on $(date)|g" "${bastille_jailsdir}/${TARGET}/fstab"
+            sed -i '' -E "s|${FSTABMOD}|# Converted from thin to thick container on ${DATE}|g" "${bastille_jailsdir}/${TARGET}/fstab"
+            if [ -n "${HASPORTS}" ]; then
+                sed -i '' -E "s|${HASPORTS}|# Ports copied from base to container on ${DATE}|g" "${bastille_jailsdir}/${TARGET}/fstab"
+                info "Copying ports to container..."
+                cp -a "${bastille_releasesdir}/${RELEASE}/usr/ports" "${bastille_jailsdir}/${TARGET}/root/usr"
+            fi
             mv "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/root/.bastille.old"
 
             info "Conversion of '${TARGET}' completed successfully!"

usr/local/share/bastille/cp.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -32,27 +32,43 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    error_exit "Usage: bastille cp TARGET HOST_PATH CONTAINER_PATH"
+    error_exit "Usage: bastille cp [OPTION] TARGET HOST_PATH CONTAINER_PATH"
 }
 
+CPSOURCE="${1}"
+CPDEST="${2}"
+
 # Handle special-case commands first.
 case "$1" in
 help|-h|--help)
     usage
     ;;
+-q|--quiet)
+    OPTION="${1}"
+    CPSOURCE="${2}"
+    CPDEST="${3}"
+    ;;
 esac
 
 if [ $# -ne 2 ]; then
     usage
 fi
 
-CPSOURCE="${1}"
-CPDEST="${2}"
+bastille_root_check
+
+case "${OPTION}" in
+    -q|--quiet)
+        OPTION="-a"
+        ;;
+    *)
+        OPTION="-av"
+        ;;
+esac
 
 for _jail in ${JAILS}; do
     info "[${_jail}]:"
     bastille_jail_path="${bastille_jailsdir}/${_jail}/root"
-    cp -av "${CPSOURCE}" "${bastille_jail_path}/${CPDEST}"
+    cp "${OPTION}" "${CPSOURCE}" "${bastille_jail_path}/${CPDEST}"
     RETURN="$?"
     if [ "${TARGET}" = "ALL" ]; then
         # Display the return status for reference

usr/local/share/bastille/create.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -32,11 +32,27 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    error_exit "Usage: bastille create [option] name release ip [interface]"
+    # Build an independent usage for the create command
+    # If no option specified, will create a thin container by default
+    error_notify "Usage: bastille create [option(s)] name release ip [interface]"
+
+    cat << EOF
+    Options:
+
+    -B | --bridge -- Enables VNET. VNET containers are attached to a bridge interface. (DIY)
+    -C | --clone  -- Creates a ZFS clone container. Clones are ZFS snapshots of the release, consuming minimal storage.
+    -E | --empty  -- Creates an empty container. Intended for custom jail builds and experimentation.
+    -L | --linux  -- This option is intended for testing with Linux jails. This is considered experimental.
+    -N | --nested -- Creates a Nested container. Nesting containers provides support for "pods", poudriere, etc.
+    -T | --thick  -- Creates a thick container. Thick containers consume more space as they are full copies of a release.
+    -V | --vnet   -- Enables VNET. VNET containers are attached to a bridge interface (FreeBSD jib).
+
+EOF
+    exit 1
 }
 
 running_jail() {
-    if [ -n "$(jls name | awk "/^${NAME}$/")" ]; then
+    if [ -n "$(/usr/sbin/jls name | awk "/^${NAME}$/")" ]; then
         error_exit "A running jail matches name."
     elif [ -d "${bastille_jailsdir}/${NAME}" ]; then
         error_exit "Jail: ${NAME} already created."
@@ -54,34 +70,57 @@ validate_name() {
 }
 
 validate_ip() {
-    IPX_ADDR="ip4.addr"
-    IP6_MODE="disable"
-    ip6=$(echo "${IP}" | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))')
+    ipx_addr="ip4.addr"
+    ip="$1"
+    ip6=$(echo "${ip}" | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$)|SLAAC)')
     if [ -n "${ip6}" ]; then
         info "Valid: (${ip6})."
-        IPX_ADDR="ip6.addr"
+        ipx_addr="ip6.addr"
         IP6_MODE="new"
     else
-        local IFS
-        if echo "${IP}" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then
-            TEST_IP=$(echo "${IP}" | cut -d / -f1)
-            IFS=.
-            set ${TEST_IP}
-            for quad in 1 2 3 4; do
-                if eval [ \$$quad -gt 255 ]; then
-                    echo "Invalid: (${TEST_IP})"
-                    exit 1
-                fi
-            done
-            if ifconfig | grep -qw "${TEST_IP}"; then
-                warn "Warning: IP address already in use (${TEST_IP})."
-            else
-                info "Valid: (${IP})."
-            fi
+        if [ "${ip}" = "DHCP" ]; then
+            info "Valid: (${ip})."
         else
-            error_exit "Invalid: (${IP})."
+            local IFS
+            if echo "${ip}" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then
+                TEST_IP=$(echo "${ip}" | cut -d / -f1)
+                IFS=.
+                set ${TEST_IP}
+                for quad in 1 2 3 4; do
+                    if eval [ \$$quad -gt 255 ]; then
+                        echo "Invalid: (${TEST_IP})"
+                        exit 1
+                    fi
+                done
+                if ifconfig | grep -qwF "${TEST_IP}"; then
+                    warn "Warning: IP address already in use (${TEST_IP})."
+                else
+                    info "Valid: (${ip})."
+                fi
+            else
+                error_exit "Invalid: (${ip})."
+            fi
         fi
     fi
+    if echo "${ip}" | grep -qvE '(SLAAC|DHCP|0[.]0[.]0[.]0)'; then
+        if [ "${ipx_addr}" = "ip4.addr" ]; then
+                IP4_ADDR="${ip}"
+                IP4_DEFINITION="${ipx_addr} = ${ip};"
+        else
+                IP6_ADDR="${ip}"
+                IP6_DEFINITION="${ipx_addr} = ${ip};"
+        fi
+    fi
+}
+validate_ips() {
+    IP6_MODE="disable"
+    IP4_DEFINITION=""
+    IP6_DEFINITION=""
+    IP4_ADDR=""
+    IP6_ADDR=""
+    for ip in ${IP}; do
+        validate_ip "${ip}"
+    done
 }
 
 validate_netif() {
@@ -100,6 +139,13 @@ validate_netconf() {
 }
 
 validate_release() {
+    ## ensure the user set the Linux(experimental) option explicitly
+    if [ -n "${UBUNTU}" ]; then
+        if [ -z "${LINUX_JAIL}" ]; then
+            usage
+        fi
+    fi
+
     ## check release name match, else show usage
     if [ -n "${NAME_VERIFY}" ]; then
         RELEASE="${NAME_VERIFY}"
@@ -133,33 +179,41 @@ ${NAME} {
   mount.fstab = ${bastille_jail_fstab};
   path = ${bastille_jail_path};
   securelevel = 2;
+  osrelease = ${RELEASE};
 
   interface = ${bastille_jail_conf_interface};
-  ${IPX_ADDR} = ${IP};
+  ${IP4_DEFINITION}
+  ${IP6_DEFINITION}
+  ip6 = ${IP6_MODE};
+}
+EOF
+}
+
+generate_linux_jail_conf() {
+    cat << EOF > "${bastille_jail_conf}"
+${NAME} {
+  host.hostname = ${NAME};
+  mount.fstab = ${bastille_jail_fstab};
+  path = ${bastille_jail_path};
+  devfs_ruleset = 4;
+  enforce_statfs = 1;
+
+  exec.start = '/bin/true';
+  exec.stop = '/bin/true';
+  persist;
+
+  allow.mount;
+  allow.mount.devfs;
+
+  interface = ${bastille_jail_conf_interface};
+  ${ipx_addr} = ${IP};
   ip6 = ${IP6_MODE};
 }
 EOF
 }
 
 generate_vnet_jail_conf() {
-    ## determine number of containers + 1
-    ## iterate num and grep all jail configs
-    ## define uniq_epair
-    local jail_list=$(bastille list jails)
-    if [ -n "${jail_list}" ]; then
-        local list_jails_num=$(echo "${jail_list}" | wc -l | awk '{print $1}')
-        local num_range=$(expr "${list_jails_num}" + 1)
-        for _num in $(seq 0 "${num_range}"); do
-            if ! grep -q "e0b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then
-                uniq_epair="bastille${_num}"
-                break
-            fi
-        done
-    else
-        uniq_epair="bastille0"
-    fi
-
-    ## generate config
+    NETBLOCK=$(generate_vnet_jail_netblock "$NAME" "${VNET_JAIL_BRIDGE}" "${bastille_jail_conf_interface}")
     cat << EOF > "${bastille_jail_conf}"
 ${NAME} {
   devfs_ruleset = 13;
@@ -173,15 +227,90 @@ ${NAME} {
   mount.fstab = ${bastille_jail_fstab};
   path = ${bastille_jail_path};
   securelevel = 2;
+  osrelease = ${RELEASE};
 
-  vnet;
-  vnet.interface = e0b_${uniq_epair};
-  exec.prestart += "jib addm ${uniq_epair} ${bastille_jail_conf_interface}";
-  exec.poststop += "jib destroy ${uniq_epair}";
+${NETBLOCK}
 }
 EOF
 }
 
+generate_nested_vnet_jail_conf() {
+    NETBLOCK=$(generate_vnet_jail_netblock "$NAME" "${VNET_JAIL_BRIDGE}" "${bastille_jail_conf_interface}")
+    cat << EOF > "${bastille_jail_conf}"
+${NAME} {
+  devfs_ruleset = 13;
+  enforce_statfs = 1;
+  exec.clean;
+  exec.consolelog = ${bastille_jail_log};
+  exec.start = '/bin/sh /etc/rc';
+  exec.stop = '/bin/sh /etc/rc.shutdown';
+  host.hostname = ${NAME};
+  mount.devfs;
+  mount.fstab = ${bastille_jail_fstab};
+  path = ${bastille_jail_path};
+  securelevel = 2;
+  osrelease = ${RELEASE};
+
+  children.max = 16;
+
+  allow.chflags;
+  allow.mount;
+  allow.mount.devfs;
+  allow.mount.fdescfs;
+  allow.mount.linprocfs;
+  allow.mount.nullfs;
+  allow.mount.procfs;
+  allow.mount.tmpfs;
+  allow.mount.zfs;
+  allow.raw_sockets;
+  allow.set_hostname;
+  ## nested params
+
+${NETBLOCK}
+}
+EOF
+}
+
+
+post_create_jail() {
+    # Common config checks and settings.
+
+    # Using relative paths here.
+    # MAKE SURE WE'RE IN THE RIGHT PLACE.
+    cd "${bastille_jail_path}"
+    echo
+
+    if [ ! -f "${bastille_jail_conf}" ]; then
+        if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
+            local bastille_jail_conf_interface=${bastille_network_shared}
+        fi
+        if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then
+            local bastille_jail_conf_interface=${bastille_network_loopback}
+        fi
+        if [ -n "${INTERFACE}" ]; then
+            local bastille_jail_conf_interface=${INTERFACE}
+        fi
+    fi
+
+    if [ ! -f "${bastille_jail_fstab}" ]; then
+        if [ -z "${THICK_JAIL}" ] && [ -z "${CLONE_JAIL}" ]; then
+            echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > "${bastille_jail_fstab}"
+        else
+            touch "${bastille_jail_fstab}"
+        fi
+    fi
+
+    # Generate the jail configuration file.
+    if [ -n "${NESTED_JAIL}" ] && [ -n "${VNET_JAIL}" ]; then
+        generate_nested_vnet_jail_conf
+    elif [ -n "${VNET_JAIL}" ]; then
+        generate_vnet_jail_conf
+    else
+        generate_jail_conf
+    fi
+
+}
+
 create_jail() {
     bastille_jail_base="${bastille_jailsdir}/${NAME}/root/.bastille"  ## dir
     bastille_jail_template="${bastille_jailsdir}/${NAME}/root/.template"  ## dir
@@ -193,11 +322,13 @@ create_jail() {
     bastille_jail_resolv_conf="${bastille_jailsdir}/${NAME}/root/etc/resolv.conf" ## file
 
     if [ ! -d "${bastille_jailsdir}/${NAME}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 ## create required zfs datasets, mountpoint inherited from system
-                zfs create ${bastille_zfs_options} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}"
-                if [ -z "${THICK_JAIL}" ]; then
+                if [ -z "${CLONE_JAIL}" ]; then
+                    zfs create ${bastille_zfs_options} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}"
+                fi
+                if [ -z "${THICK_JAIL}" ] && [ -z "${CLONE_JAIL}" ]; then
                     zfs create ${bastille_zfs_options} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
                 fi
             fi
@@ -206,26 +337,37 @@ create_jail() {
         fi
     fi
 
-    if [ -z "${EMPTY_JAIL}" ]; then
+    ## PoC for Linux jails @hackacad
+    if [ -n "${LINUX_JAIL}" ]; then
+        info "\nCreating a linuxjail. This may take a while...\n"
         if [ ! -d "${bastille_jail_base}" ]; then
             mkdir -p "${bastille_jail_base}"
         fi
-
-        if [ ! -d "${bastille_jail_path}/usr/local" ]; then
-            mkdir -p "${bastille_jail_path}/usr/local"
-        fi
+        mkdir -p "${bastille_jail_path}/dev"
+        mkdir -p "${bastille_jail_path}/proc"
+        mkdir -p "${bastille_jail_path}/sys"
+        mkdir -p "${bastille_jail_path}/home"
+        mkdir -p "${bastille_jail_path}/tmp"
+        touch "${bastille_jail_path}/dev/shm"
+        touch "${bastille_jail_path}/dev/fd"
+        cp -RPf ${bastille_releasesdir}/${RELEASE}/* ${bastille_jail_path}/
+        echo "${NAME}" > ${bastille_jail_path}/etc/hostname
 
         if [ ! -d "${bastille_jail_template}" ]; then
             mkdir -p "${bastille_jail_template}"
         fi
 
         if [ ! -f "${bastille_jail_fstab}" ]; then
-            if [ -z "${THICK_JAIL}" ]; then
-                echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > "${bastille_jail_fstab}"
-            else
-                touch "${bastille_jail_fstab}"
-            fi
+            touch "${bastille_jail_fstab}"
         fi
+        echo -e "devfs           ${bastille_jail_path}/dev      devfs           rw                      0       0" >> "${bastille_jail_fstab}"
+        echo -e "tmpfs           ${bastille_jail_path}/dev/shm  tmpfs           rw,size=1g,mode=1777    0       0" >> "${bastille_jail_fstab}"
+        echo -e "fdescfs         ${bastille_jail_path}/dev/fd   fdescfs         rw,linrdlnk             0       0" >> "${bastille_jail_fstab}"
+        echo -e "linprocfs       ${bastille_jail_path}/proc     linprocfs       rw                      0       0" >> "${bastille_jail_fstab}"
+        echo -e "linsysfs        ${bastille_jail_path}/sys      linsysfs        rw                      0       0" >> "${bastille_jail_fstab}"
+        echo -e "/tmp            ${bastille_jail_path}/tmp      nullfs          rw                      0       0" >> "${bastille_jail_fstab}"
+        ## removed temporarely / only for X11 jails? @hackacad
+        #echo -e "/home           ${bastille_jail_path}/home     nullfs          rw                      0       0" >> "${bastille_jail_fstab}"
 
         if [ ! -f "${bastille_jail_conf}" ]; then
             if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
@@ -237,32 +379,33 @@ create_jail() {
             if [ -n "${INTERFACE}" ]; then
                 local bastille_jail_conf_interface=${INTERFACE}
             fi
+        fi
+    fi
 
-            ## generate the jail configuration file
-            if [ -n "${VNET_JAIL}" ]; then
-                generate_vnet_jail_conf
-            else
-                generate_jail_conf
+    if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then
+        if [ -z "${THICK_JAIL}" ] && [ -z "${CLONE_JAIL}" ]; then
+            if [ ! -d "${bastille_jail_base}" ]; then
+                mkdir -p "${bastille_jail_base}"
+            fi
+            if [ ! -d "${bastille_jail_template}" ]; then
+                mkdir -p "${bastille_jail_template}"
             fi
         fi
 
-        ## using relative paths here
-        ## MAKE SURE WE'RE IN THE RIGHT PLACE
-        cd "${bastille_jail_path}"
-        echo
-        info "NAME: ${NAME}."
-        info "IP: ${IP}."
-        if [ -n  "${INTERFACE}" ]; then
-            info "INTERFACE: ${INTERFACE}."
+        if [ ! -d "${bastille_jail_path}/usr/local" ]; then
+            mkdir -p "${bastille_jail_path}/usr/local"
         fi
-        info "RELEASE: ${RELEASE}."
-        echo
 
-        if [ -z "${THICK_JAIL}" ]; then
+        # Check and apply required settings.
+        post_create_jail
+
+        if [ -z "${THICK_JAIL}" ] && [ -z "${CLONE_JAIL}" ]; then
             LINK_LIST="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src"
+            info "Creating a thinjail...\n"
             for _link in ${LINK_LIST}; do
                 ln -sf /.bastille/${_link} ${_link}
             done
+
             # Properly link shared ports on thin jails in read-write.
             if [ -d "${bastille_releasesdir}/${RELEASE}/usr/ports" ]; then
                 if [ ! -d "${bastille_jail_path}/usr/ports" ]; then
@@ -272,14 +415,13 @@ create_jail() {
             fi
         fi
 
-        if [ -z "${THICK_JAIL}" ]; then
+        if [ -z "${THICK_JAIL}" ] && [ -z "${CLONE_JAIL}" ]; then
             ## rw
             ## copy only required files for thin jails
             FILE_LIST=".cshrc .profile COPYRIGHT dev etc media mnt net proc root tmp var usr/obj usr/tests"
             for files in ${FILE_LIST}; do
                 if [ -f "${bastille_releasesdir}/${RELEASE}/${files}" ] || [ -d "${bastille_releasesdir}/${RELEASE}/${files}" ]; then
-                    cp -a "${bastille_releasesdir}/${RELEASE}/${files}" "${bastille_jail_path}/${files}"
-                    if [ "$?" -ne 0 ]; then
+                    if ! cp -a "${bastille_releasesdir}/${RELEASE}/${files}" "${bastille_jail_path}/${files}"; then
                         ## notify and clean stale files/directories
                         bastille destroy "${NAME}"
                         error_exit "Failed to copy release files. Please retry create!"
@@ -287,27 +429,40 @@ create_jail() {
                 fi
             done
         else
-            info "Creating a thickjail. This may take a while..."
-            if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if checkyesno bastille_zfs_enable; then
                 if [ -n "${bastille_zfs_zpool}" ]; then
-                    ## perform release base replication
+                    if [ -n "${CLONE_JAIL}" ]; then
+                        info "Creating a clonejail...\n"
+                        ## clone the release base to the new basejail
+                        SNAP_NAME="bastille-clone-$(date +%Y-%m-%d-%H%M%S)"
+                        zfs snapshot "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
 
-                    ## sane bastille zfs options
-                    ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g')
+                        zfs clone -p "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" \
+                        "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
 
-                    ## take a temp snapshot of the base release
-                    SNAP_NAME="bastille-$(date +%Y-%m-%d-%H%M%S)"
-                    zfs snapshot "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
+                        # Check and apply required settings.
+                        post_create_jail
+                    elif [ -n "${THICK_JAIL}" ]; then
+                        info "Creating a thickjail. This may take a while...\n"
+                        ## perform release base replication
 
-                    ## replicate the release base to the new thickjail and set the default mountpoint
-                    zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" | \
-                    zfs receive "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
-                    zfs set ${ZFS_OPTIONS} mountpoint=none "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
-                    zfs inherit mountpoint "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
+                        ## sane bastille zfs options
+                        ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g')
 
-                    ## cleanup temp snapshots initially
-                    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
-                    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"@"${SNAP_NAME}"
+                        ## take a temp snapshot of the base release
+                        SNAP_NAME="bastille-$(date +%Y-%m-%d-%H%M%S)"
+                        zfs snapshot "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
+
+                        ## replicate the release base to the new thickjail and set the default mountpoint
+                        zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" | \
+                        zfs receive "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
+                        zfs set ${ZFS_OPTIONS} mountpoint=none "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
+                        zfs inherit mountpoint "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
+
+                        ## cleanup temp snapshots initially
+                        zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
+                        zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"@"${SNAP_NAME}"
+                    fi
 
                     if [ "$?" -ne 0 ]; then
                         ## notify and clean stale files/directories
@@ -326,23 +481,33 @@ create_jail() {
             fi
         fi
 
-        ## create home directory if missing
-        if [ ! -d "${bastille_jail_path}/usr/home" ]; then
-            mkdir -p "${bastille_jail_path}/usr/home"
-        fi
-        ## link home properly
-        if [ ! -L "home" ]; then
-            ln -s usr/home home
-        fi
+        if [ -z "${LINUX_JAIL}" ]; then
+            ## create home directory if missing
+            if [ ! -d "${bastille_jail_path}/usr/home" ]; then
+                mkdir -p "${bastille_jail_path}/usr/home"
+            fi
+            ## link home properly
+            if [ ! -L "home" ]; then
+                ln -s usr/home home
+            fi
 
-        ## TZ: configurable (default: Etc/UTC)
-        ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime
+            ## TZ: configurable (default: empty to use host's time zone)
+            if [ -z "${bastille_tzdata}" ]; then
+                # Note that if host has no time zone, FreeBSD assumes UTC anyway
+                if [ -e /etc/localtime ]; then
+                    # uses cp as a way to prevent issues with symlinks if the host happens to use that for tz configuration
+                    cp /etc/localtime etc/localtime
+                fi
+            else
+                ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime
+            fi
 
-        # Post-creation jail misc configuration
-        # Create a dummy fstab file
-        touch "etc/fstab"
-        # Disables adjkerntz, avoids spurious error messages
-        sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab"
+            # Post-creation jail misc configuration
+            # Create a dummy fstab file
+            touch "etc/fstab"
+            # Disables adjkerntz, avoids spurious error messages
+            sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab"
+        fi
 
         ## VNET specific
         if [ -n "${VNET_JAIL}" ]; then
@@ -353,7 +518,10 @@ create_jail() {
                 fi
             fi
         fi
-    else
+    elif [ -n "${LINUX_JAIL}" ]; then
+        ## Generate configuration for Linux jail
+        generate_linux_jail_conf
+    elif [ -n "${EMPTY_JAIL}" ]; then
         ## Generate minimal configuration for empty jail
         generate_minimal_conf
     fi
@@ -374,36 +542,79 @@ create_jail() {
     if [ -n "${VNET_JAIL}" ]; then
         if [ -n "${bastille_template_vnet}" ]; then
             ## rename interface to generic vnet0
-            uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//')
+            uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//; s/-/_/g')
 
             _gateway=''
-            _ifconfig=SYNCDHCP
-            if [ "${IP}" != "0.0.0.0" ]; then # not using DHCP, so set static address.
-                _ifconfig="inet ${IP}"
+            _gateway6=''
+            _ifconfig_inet=''
+            _ifconfig_inet6=''
+            if echo "${IP}" | grep -qE '(0[.]0[.]0[.]0|DHCP)'; then
+                # Enable DHCP if requested
+                _ifconfig_inet=SYNCDHCP
+            else
+                # Else apply the default gateway
                 if [ -n "${bastille_network_gateway}" ]; then
                     _gateway="${bastille_network_gateway}"
                 else
                     _gateway="$(netstat -rn | awk '/default/ {print $2}')"
                 fi
             fi
-            bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}"
+            # Add IPv4 address (this is empty if DHCP is used)
+            if [ -n "${IP4_ADDR}" ]; then
+                    _ifconfig_inet="${_ifconfig_inet} inet ${IP4_ADDR}"
+            fi
+            # Enable IPv6 if used
+            if [ "${IP6_MODE}" != "disable" ]; then
+                _ifconfig_inet6='inet6 -ifdisabled'
+                if echo "${IP}" | grep -qE 'SLAAC'; then
+                    # Enable SLAAC if requested
+                    _ifconfig_inet6="${_ifconfig_inet6} accept_rtadv"
+                else
+                    # Else apply the default gateway
+                    if [ -n "${bastille_network_gateway6}" ]; then
+                        _gateway6="${bastille_network_gateway6}"
+                    else
+                        _gateway6="$(netstat -6rn | awk '/default/ {print $2}')"
+                    fi
+                fi
+            fi
+            # Add IPv6 address (this is empty if SLAAC is used)
+            if [ -n "${IP6_ADDR}" ]; then
+                    _ifconfig_inet6="${_ifconfig_inet6} ${IP6_ADDR}"
+            fi
+            # Join together IPv4 and IPv6 parts of ifconfig
+            _ifconfig="${_ifconfig_inet} ${_ifconfig_inet6}"
+            bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg GATEWAY6="${_gateway6}" --arg IFCONFIG="${_ifconfig}"
         fi
     elif [ -n "${THICK_JAIL}" ]; then
         if [ -n "${bastille_template_thick}" ]; then
             bastille template "${NAME}" ${bastille_template_thick} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
         fi
+    elif [ -n "${CLONE_JAIL}" ]; then
+        if [ -n "${bastille_template_clone}" ]; then
+            bastille template "${NAME}" ${bastille_template_clone} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
+        fi
     elif [ -n "${EMPTY_JAIL}" ]; then
         if [ -n "${bastille_template_empty}" ]; then
             bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
         fi
-    else # Thin jail.
+    ## Using templating function to fetch necessary packges @hackacad
+    elif [ -n "${LINUX_JAIL}" ]; then
+        info "Fetching packages..."
+        jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive rm /var/cache/apt/archives/rsyslog*.deb"
+        jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb"
+        jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb"
+        jexec -l "${NAME}" /bin/bash -c "chmod 777 /tmp"
+        jexec -l "${NAME}" /bin/bash -c "apt update"
+    else
+        # Thin jail.
         if [ -n "${bastille_template_thin}" ]; then
             bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
         fi
     fi
 
     # Apply values changed by the template. -- cwells
-    if [ -z "${EMPTY_JAIL}" ]; then
+    if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then
         bastille restart "${NAME}"
     elif [ -n "${EMPTY_JAIL}" ]; then
         # Don't restart empty jails unless a template defined.
@@ -420,6 +631,8 @@ help|-h|--help)
     ;;
 esac
 
+bastille_root_check
+
 if echo "$3" | grep '@'; then
     BASTILLE_JAIL_IP=$(echo "$3" | awk -F@ '{print $2}')
     BASTILLE_JAIL_INTERFACES=$( echo "$3" | awk -F@ '{print $1}')
@@ -428,34 +641,120 @@ fi
 ## reset this options
 EMPTY_JAIL=""
 THICK_JAIL=""
+CLONE_JAIL=""
 VNET_JAIL=""
+LINUX_JAIL=""
 
-## handle combined options then shift
-if [ "${1}" = "-T" -o "${1}" = "--thick" -o "${1}" = "thick" ] && \
-    [ "${2}" = "-V" -o "${2}" = "--vnet" -o "${2}" = "vnet" ]; then
-    THICK_JAIL="1"
-    VNET_JAIL="1"
-    shift 2
-else
-    ## handle single options
+# Handle and parse options
+while [ $# -gt 0 ]; do
     case "${1}" in
-        -E|--empty|empty)
-            shift
-            EMPTY_JAIL="1"
-            ;;
-        -T|--thick|thick)
-            shift
-            THICK_JAIL="1"
-            ;;
-        -V|--vnet|vnet)
-            shift
+        -B|--bridge)
             VNET_JAIL="1"
+            VNET_JAIL_BRIDGE="1"
+            shift
             ;;
-        -*)
+        -C|--clone)
+            CLONE_JAIL="1"
+            shift
+            ;;
+        -CB|-BC|--clone-bridge)
+            CLONE_JAIL="1"
+            VNET_JAIL="1"
+            VNET_JAIL_BRIDGE="1"
+            shift
+            ;;
+        -CV|-VC|--clone-vnet)
+            CLONE_JAIL="1"
+            VNET_JAIL="1"
+            shift
+            ;;
+        -CNB|--nested-clone-bridge)
+            CLONE_JAIL="1"
+            NESTED_JAIL="1"
+            VNET_JAIL="1"
+            VNET_JAIL_BRIDGE="1"
+            shift
+            ;;
+        -CNV|--nested-clone-vnet)
+            CLONE_JAIL="1"
+            NESTED_JAIL="1"
+            VNET_JAIL="1"
+            shift
+            ;;
+        -E|--empty)
+            EMPTY_JAIL="1"
+            shift
+            ;;
+        -EB|-BE|--empty-bridge)
+            EMPTY_JAIL="1"
+            VNET_JAIL="1"
+            VNET_JAIL_BRIDGE="1"
+            shift
+            ;;
+        -EV|-VE|--empty-vnet)
+            EMPTY_JAIL="1"
+            VNET_JAIL="1"
+            shift
+            ;;
+        -L|--linux)
+            LINUX_JAIL="1"
+            shift
+            ;;
+        -LB|-BL|--linux-bridge)
+            LINUX_JAIL="1"
+            VNET_JAIL="1"
+            VNET_JAIL_BRIDGE="1"
+            shift
+            ;;
+        -N|--nested)
+            NESTED_JAIL="1"
+            shift
+            ;;
+        -T|--thick)
+            THICK_JAIL="1"
+            shift
+            ;;
+        -TB|-BT|--thick-bridge)
+            THICK_JAIL="1"
+            VNET_JAIL="1"
+            VNET_JAIL_BRIDGE="1"
+            shift
+            ;;
+        -TV|-VT|--thick-vnet)
+            THICK_JAIL="1"
+            VNET_JAIL="1"
+            shift
+            ;;
+        -V|--vnet)
+            VNET_JAIL="1"
+            shift
+            ;;
+        -LV|-VL|--linux-vnet)
+            LINUX_JAIL="1"
+            VNET_JAIL="1"
+            shift
+            ;;
+        -*|--*)
             error_notify "Unknown Option."
             usage
             ;;
+        *)
+            break
+            ;;
     esac
+done
+
+## validate for combined options
+if [ -n "${EMPTY_JAIL}" ]; then
+    if [ -n "${CLONE_JAIL}" ] || [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${LINUX_JAIL}" ]; then
+        error_exit "Error: Empty jail option can't be used with other options."
+    fi
+elif [ -n "${LINUX_JAIL}" ]; then
+    if [ -n "${EMPTY_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${THICK_JAIL}" ] || [ -n "${CLONE_JAIL}" ]; then
+        error_exit "Error: Linux jail option can't be used with other options."
+    fi
+elif [ -n "${CLONE_JAIL}" ] && [ -n "${THICK_JAIL}" ]; then
+    error_exit "Error: Clonejail and Thickjail can't be used together."
 fi
 
 NAME="$1"
@@ -478,17 +777,55 @@ if [ -n "${NAME}" ]; then
     validate_name
 fi
 
+if [ -n "${LINUX_JAIL}" ]; then
+    case "${RELEASE}" in
+    bionic|ubuntu_bionic|ubuntu|ubuntu-bionic)
+        ## check for FreeBSD releases name
+        NAME_VERIFY=ubuntu_bionic
+        ;;
+    focal|ubuntu_focal|ubuntu-focal)
+        ## check for FreeBSD releases name
+        NAME_VERIFY=ubuntu_focal
+        ;;
+    jammy|ubuntu_jammy|ubuntu-jammy)
+        ## check for FreeBSD releases name
+        NAME_VERIFY=ubuntu_jammy
+        ;;
+    debian_buster|buster|debian-buster)
+        ## check for FreeBSD releases name
+        NAME_VERIFY=buster
+        ;;
+    debian_bullseye|bullseye|debian-bullseye)
+        ## check for FreeBSD releases name
+        NAME_VERIFY=bullseye
+        ;;
+    debian_bookworm|bookworm|debian-bookworm)
+        ## check for FreeBSD releases name
+        NAME_VERIFY=bookworm
+        ;;
+    *)
+        error_notify "Unknown Linux."
+        usage
+        ;;
+    esac
+fi
+
 if [ -z "${EMPTY_JAIL}" ]; then
     ## verify release
     case "${RELEASE}" in
+    2.[0-9]*)
+        ## check for MidnightBSD releases name
+        NAME_VERIFY=$(echo "${RELEASE}")
+        validate_release
+        ;;
     *-CURRENT|*-CURRENT-I386|*-CURRENT-i386|*-current)
         ## check for FreeBSD releases name
         NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT|-CURRENT-i386)$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
         validate_release
         ;;
-    *-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
+    *-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9])
         ## check for FreeBSD releases name
-        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
+        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
         validate_release
         ;;
     *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
@@ -516,6 +853,33 @@ if [ -z "${EMPTY_JAIL}" ]; then
         NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
         validate_release
         ;;
+    ubuntu_bionic|bionic|ubuntu-bionic)
+        UBUNTU="1"
+        NAME_VERIFY=Ubuntu_1804
+        validate_release
+        ;;
+    ubuntu_focal|focal|ubuntu-focal)
+        UBUNTU="1"
+        NAME_VERIFY=Ubuntu_2004
+        validate_release
+        ;;
+    ubuntu_jammy|jammy|ubuntu-jammy)
+        UBUNTU="1"
+        NAME_VERIFY=Ubuntu_2204
+        validate_release
+        ;;
+    debian_buster|buster|debian-buster)
+        NAME_VERIFY=Debian10
+        validate_release
+        ;;
+    debian_bullseye|bullseye|debian-bullseye)
+        NAME_VERIFY=Debian11
+        validate_release
+        ;;
+    debian_bookworm|bookworm|debian-bookworm)
+        NAME_VERIFY=Debian12
+        validate_release
+        ;;
     *)
         error_notify "Unknown Release."
         usage
@@ -534,7 +898,7 @@ if [ -z "${EMPTY_JAIL}" ]; then
 
     ## check if ip address is valid
     if [ -n "${IP}" ]; then
-        validate_ip
+        validate_ips
     else
         usage
     fi
@@ -577,9 +941,15 @@ fi
 if [ -z ${bastille_template_empty+x} ]; then
     bastille_template_empty='default/empty'
 fi
+if [ -z ${bastille_template_linux+x} ]; then
+    bastille_template_linux='default/linux'
+fi
 if [ -z ${bastille_template_thick+x} ]; then
     bastille_template_thick='default/thick'
 fi
+if [ -z ${bastille_template_clone+x} ]; then
+    bastille_template_clone='default/clone'
+fi
 if [ -z ${bastille_template_thin+x} ]; then
     bastille_template_thin='default/thin'
 fi

usr/local/share/bastille/destroy.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -32,7 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    error_exit "Usage: bastille destroy [option] | [container|release]"
+    error_exit "Usage: bastille destroy [force] | [container|release]"
 }
 
 destroy_jail() {
@@ -40,7 +40,7 @@ destroy_jail() {
     bastille_jail_base="${bastille_jailsdir}/${TARGET}"            ## dir
     bastille_jail_log="${bastille_logsdir}/${TARGET}_console.log"  ## file
 
-    if [ "$(jls name | awk "/^${TARGET}$/")" ]; then
+    if [ "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
         if [ "${FORCE}" = "1" ]; then
             bastille stop "${TARGET}"
         else
@@ -55,7 +55,7 @@ destroy_jail() {
 
     if [ -d "${bastille_jail_base}" ]; then
         info "Deleting Jail: ${TARGET}."
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 if [ -n "${TARGET}" ]; then
                     OPTIONS="-r"
@@ -118,6 +118,23 @@ destroy_rel() {
             if grep -qwo "${TARGET}" "${bastille_jailsdir}/${_jail}/fstab" 2>/dev/null; then
                 error_notify "Notice: (${_jail}) depends on ${TARGET} base."
                 BASE_HASCHILD="1"
+            elif checkyesno bastille_zfs_enable; then
+                if [ -n "${bastille_zfs_zpool}" ]; then
+                    ## check if this release have child clones
+                    if zfs list -H -t snapshot -r "${bastille_rel_base}" > /dev/null 2>&1; then
+                        SNAP_CLONE=$(zfs list -H -t snapshot -r "${bastille_rel_base}" 2> /dev/null | awk '{print $1}')
+                        for _snap_clone in ${SNAP_CLONE}; do
+                            if zfs list -H -o clones "${_snap_clone}" > /dev/null 2>&1; then
+                                CLONE_JAIL=$(zfs list -H -o clones "${_snap_clone}" | tr ',' '\n')
+                                CLONE_CHECK="${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}/root"
+                                if echo "${CLONE_JAIL}" | grep -qw "${CLONE_CHECK}"; then
+                                    error_notify "Notice: (${_jail}) depends on ${TARGET} base."
+                                    BASE_HASCHILD="1"
+                                fi
+                            fi
+                        done
+                    fi
+                fi
             fi
         done
     fi
@@ -127,7 +144,7 @@ destroy_rel() {
     else
         if [ "${BASE_HASCHILD}" -eq "0" ]; then
             info "Deleting base: ${TARGET}"
-            if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if checkyesno bastille_zfs_enable; then
                 if [ -n "${bastille_zfs_zpool}" ]; then
                     if [ -n "${TARGET}" ]; then
                         OPTIONS="-r"
@@ -193,6 +210,8 @@ if [ $# -gt 1 ] || [ $# -lt 1 ]; then
     usage
 fi
 
+bastille_root_check
+
 ## check what should we clean
 case "${TARGET}" in
 *-CURRENT|*-CURRENT-I386|*-CURRENT-i386|*-current)
@@ -200,34 +219,44 @@ case "${TARGET}" in
     NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT|-CURRENT-i386)$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
     destroy_rel
     ;;
-*-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
+*-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9])
     ## check for FreeBSD releases name
-    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
     destroy_rel
     ;;
 *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
     ## check for HardenedBSD releases name
-    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g;s/last/LAST/g')
     destroy_rel
     ;;
 *-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*)
     ## check for HardenedBSD(specific stable build releases)
-    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g')
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g;s/STABLE/stable/g')
     destroy_rel
     ;;
 *-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST)
     ## check for HardenedBSD(latest stable build release)
-    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/;s/build/BUILD/g;s/latest/LATEST/g')
     destroy_rel
     ;;
 current-build-[0-9]*|CURRENT-BUILD-[0-9]*)
     ## check for HardenedBSD(specific current build releases)
-    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g')
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g;s/CURRENT/current/g')
     destroy_rel
     ;;
 current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST)
     ## check for HardenedBSD(latest current build release)
-    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build-latest)$' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build-latest)$' | sed 's/CURRENT/current/;s/build/BUILD/g;s/latest/LATEST/g')
+    destroy_rel
+    ;;
+Ubuntu_1804|Ubuntu_2004|Ubuntu_2204|UBUNTU_1804|UBUNTU_2004|UBUNTU_2204)
+    ## check for Linux releases
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(Ubuntu_1804)$|(Ubuntu_2004)$|(Ubuntu_2204)$' | sed 's/UBUNTU/Ubuntu/g;s/ubuntu/Ubuntu/g')
+    destroy_rel
+    ;;
+Debian10|Debian11|Debian12|DEBIAN10|DEBIAN11|DEBIAN12)
+    ## check for Linux releases
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(Debian10)$|(Debian11)$|(Debian12)$' | sed 's/DEBIAN/Debian/g')
     destroy_rel
     ;;
 *)

usr/local/share/bastille/edit.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -48,6 +48,8 @@ elif [ $# -eq 1 ]; then
     TARGET_FILENAME="${1}"
 fi
 
+bastille_root_check
+
 if [ -z "${EDITOR}" ]; then
     EDITOR=vi
 fi

usr/local/share/bastille/export.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -32,7 +32,27 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    error_exit "Usage: bastille export TARGET [option] | PATH"
+    # Build an independent usage for the export command
+    # Valid compress/options for ZFS systems are raw, .gz, .tgz, .txz and .xz
+    # Valid compress/options for non ZFS configured systems are .tgz and .txz
+    # If no compression option specified, user must redirect standard output
+    error_notify "Usage: bastille export | option(s) | TARGET | PATH"
+
+    cat << EOF
+    Options:
+
+         --gz       -- Export a ZFS jail using GZIP(.gz) compressed image.
+    -r | --raw      -- Export a ZFS jail to an uncompressed RAW image.
+    -s | --safe     -- Safely stop and start a ZFS jail before the exporting process.
+         --tgz      -- Export a jail using simple .tgz compressed archive instead.
+         --txz      -- Export a jail using simple .txz compressed archive instead.
+    -v | --verbose  -- Be more verbose during the ZFS send operation.
+         --xz       -- Export a ZFS jail using XZ(.xz) compressed image.
+
+Note: If no export option specified, the container should be redirected to standard output.
+
+EOF
+    exit 1
 }
 
 # Handle special-case commands first
@@ -47,90 +67,308 @@ if [ "${TARGET}" = "ALL" ]; then
     error_exit "Batch export is unsupported."
 fi
 
-if [ $# -gt 2 ] || [ $# -lt 0 ]; then
+if [ $# -gt 5 ] || [ $# -lt 1 ]; then
     usage
 fi
 
-OPTION="${1}"
-EXPATH="${2}"
-SAFE_EXPORT=
+bastille_root_check
 
-# Handle some options
-if [ -n "${OPTION}" ]; then
-    if [ "${OPTION}" = "-t" -o "${OPTION}" = "--txz" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
-            # Temporarily disable ZFS so we can create a standard backup archive
-            bastille_zfs_enable="NO"
-        fi
-    elif [ "${OPTION}" = "-s" -o "${OPTION}" = "--safe" ]; then
-        SAFE_EXPORT="1"
-    elif echo "${OPTION}" | grep -q "\/"; then
-        if [ -d "${OPTION}" ]; then
-            EXPATH="${OPTION}"
-        else
-            error_exit "Error: Path not found."
-        fi
-    else
-        error_notify "Invalid option!"
-        usage
+zfs_enable_check() {
+    # Temporarily disable ZFS so we can create a standard backup archive
+    if checkyesno bastille_zfs_enable; then
+        bastille_zfs_enable="NO"
+    fi
+}
+
+TARGET="${1}"
+GZIP_EXPORT=
+XZ_EXPORT=
+SAFE_EXPORT=
+USER_EXPORT=
+RAW_EXPORT=
+DIR_EXPORT=
+TXZ_EXPORT=
+TGZ_EXPORT=
+OPT_ZSEND="-R"
+COMP_OPTION="0"
+
+opt_count() {
+    COMP_OPTION=$(expr ${COMP_OPTION} + 1)
+}
+
+if [ -n "${bastille_export_options}" ]; then
+    # Overrides the case options by the user defined option(s) automatically.
+    # Add bastille_export_options="--optionA --optionB" to bastille.conf, or simply `export bastille_export_options="--optionA --optionB"` environment variable.
+    # To restore the standard case options, empty bastille_export_options="" in bastille.conf, or `unset bastille_export_options` environment variable.
+    # Reference "/bastille/issues/443"
+
+    DEFAULT_EXPORT_OPTS="${bastille_export_options}"
+    info "Default export option(s): '${DEFAULT_EXPORT_OPTS}'"
+
+    for opt in ${DEFAULT_EXPORT_OPTS}; do
+        case "${opt}" in
+            --gz)
+                GZIP_EXPORT="1"
+                opt_count
+                shift;;
+            --xz)
+                XZ_EXPORT="1"
+                opt_count
+                shift;;
+            --tgz)
+                TGZ_EXPORT="1"
+                opt_count
+                zfs_enable_check
+                shift;;
+            --txz)
+                TXZ_EXPORT="1"
+                opt_count
+                zfs_enable_check
+                shift;;
+            --safe)
+                SAFE_EXPORT="1"
+                shift;;
+            --raw)
+                RAW_EXPORT="1"
+                opt_count
+                shift ;;
+            --verbose)
+                OPT_ZSEND="-Rv"
+                shift;;
+            -*|--*) error_notify "Unknown Option."
+                usage;;
+        esac
+    done
+else
+    # Handle and parse option args
+    while [ $# -gt 0 ]; do
+        case "${1}" in
+            --gz)
+                GZIP_EXPORT="1"
+                TARGET="${2}"
+                opt_count
+                shift
+                ;;
+            --xz)
+                XZ_EXPORT="1"
+                TARGET="${2}"
+                opt_count
+                shift
+                ;;
+            --tgz)
+                TGZ_EXPORT="1"
+                TARGET="${2}"
+                opt_count
+                zfs_enable_check
+                shift
+                ;;
+            --txz)
+                TXZ_EXPORT="1"
+                TARGET="${2}"
+                opt_count
+                zfs_enable_check
+                shift
+                ;;
+            -s|--safe)
+                SAFE_EXPORT="1"
+                TARGET="${2}"
+                shift
+                ;;
+            -r|--raw)
+                RAW_EXPORT="1"
+                TARGET="${2}"
+                opt_count
+                shift
+                ;;
+            -v|--verbose)
+                OPT_ZSEND="-Rv"
+                TARGET="${2}"
+                shift
+                ;;
+            -*|--*)
+                error_notify "Unknown Option."
+                usage
+                ;;
+            *)
+                if echo "${1}" | grep -q "\/"; then
+                    DIR_EXPORT="${1}"
+                else
+                    if [ $# -gt 2 ] || [ $# -lt 1 ]; then
+                       usage
+                    fi
+                fi
+                shift
+                ;;
+        esac
+    done
+fi
+
+# Validate for combined options
+if [ "${COMP_OPTION}" -gt "1" ]; then
+    error_exit "Error: Only one compression format can be used during export."
+fi
+
+if [ -n "${TXZ_EXPORT}" -o -n "${TGZ_EXPORT}" ] && [ -n "${SAFE_EXPORT}" ]; then
+    error_exit "Error: Simple archive modes with safe ZFS export can't be used together."
+fi
+
+if checkyesno bastille_zfs_enable; then
+    if [ -n "${GZIP_EXPORT}" -o -n "${RAW_EXPORT}" -o -n "${SAFE_EXPORT}" -o "${OPT_ZSEND}" = "-Rv" ]; then
+        error_exit "Options --gz, --raw, --safe, --verbose are valid for ZFS configured systems only."
+    fi
+fi
+
+if [ -n "${SAFE_EXPORT}" ]; then
+    # Check if container is running, otherwise just ignore
+    if [ -z "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
+        SAFE_EXPORT=
     fi
 fi
 
 # Export directory check
-if [ -n "${EXPATH}" ]; then
-    if [ -d "${EXPATH}" ]; then
+if [ -n "${DIR_EXPORT}" ]; then
+    if [ -d "${DIR_EXPORT}" ]; then
         # Set the user defined export directory
-        bastille_backupsdir="${EXPATH}"
+        bastille_backupsdir="${DIR_EXPORT}"
     else
         error_exit "Error: Path not found."
     fi
 fi
 
-create_zfs_snap(){
+# Fallback to default if missing config parameters
+if [ -z "${bastille_compress_xz_options}" ]; then
+    bastille_compress_xz_options="-0 -v"
+fi
+if [ -z "${bastille_compress_gz_options}" ]; then
+    bastille_compress_gz_options="-1 -v"
+fi
+
+create_zfs_snap() {
     # Take a recursive temporary snapshot
-    info "Creating temporary ZFS snapshot for export..."
-    zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}"
+    if [ -z "${USER_EXPORT}" ]; then
+        info "Creating temporary ZFS snapshot for export..."
+    fi
+    zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_${TARGET}_${DATE}"
 }
 
-jail_export()
-{
+clean_zfs_snap() {
+    # Cleanup the recursive temporary snapshot
+    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_${TARGET}_${DATE}"
+    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_${TARGET}_${DATE}"
+}
+
+export_check() {
+    # Inform the user about the exporting method
+    if [ -z "${USER_EXPORT}" ]; then
+        if [ -n "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
+            if [ -n "${SAFE_EXPORT}" ]; then
+                EXPORT_AS="Safely exporting"
+            else
+                EXPORT_AS="Hot exporting"
+            fi
+        else
+            EXPORT_AS="Exporting"
+        fi
+
+        if [ "${FILE_EXT}" = ".xz" -o "${FILE_EXT}" = ".gz" -o "${FILE_EXT}" = "" ]; then
+            EXPORT_TYPE="image"
+        else
+            EXPORT_TYPE="archive"
+        fi
+
+        if [ -n "${RAW_EXPORT}" ]; then
+            EXPORT_INFO="to a raw ${EXPORT_TYPE}"
+        else
+            EXPORT_INFO="to a compressed ${FILE_EXT} ${EXPORT_TYPE}"
+        fi
+
+        info "${EXPORT_AS} '${TARGET}' ${EXPORT_INFO}..."
+    fi
+
+    # Safely stop and snapshot the jail
+    if [ -n "${SAFE_EXPORT}" ]; then
+        bastille stop ${TARGET}
+        create_zfs_snap
+        bastille start ${TARGET}
+    else
+        create_zfs_snap
+    fi
+
+    if checkyesno bastille_zfs_enable; then
+        if [ -z "${USER_EXPORT}" ]; then
+            info "Sending ZFS data stream..."
+        fi
+    fi
+}
+
+jail_export() {
     # Attempt to export the container
     DATE=$(date +%F-%H%M%S)
-    if [ "${bastille_zfs_enable}" = "YES" ]; then
+    if checkyesno bastille_zfs_enable; then
         if [ -n "${bastille_zfs_zpool}" ]; then
-            FILE_EXT="xz"
+            if [ -n "${RAW_EXPORT}" ]; then
+                FILE_EXT=""
+                export_check
 
-            if [ -n "${SAFE_EXPORT}" ]; then
-                info "Safely exporting '${TARGET}' to a compressed .${FILE_EXT} archive."
-                bastille stop ${TARGET}
-                create_zfs_snap
-                bastille start ${TARGET}
+                # Export the raw container recursively and cleanup temporary snapshots
+                zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_${TARGET}_${DATE}" \
+                > "${bastille_backupsdir}/${TARGET}_${DATE}"
+                clean_zfs_snap
+            elif [ -n "${GZIP_EXPORT}" ]; then
+                FILE_EXT=".gz"
+                export_check
+
+                # Export the raw container recursively and cleanup temporary snapshots
+                zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_${TARGET}_${DATE}" | \
+                gzip ${bastille_compress_gz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}"
+                clean_zfs_snap
+            elif [ -n "${XZ_EXPORT}" ]; then
+                FILE_EXT=".xz"
+                export_check
+
+                # Export the container recursively and cleanup temporary snapshots
+                zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_${TARGET}_${DATE}" | \
+                xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}"
+                clean_zfs_snap
             else
-                info "Hot exporting '${TARGET}' to a compressed .${FILE_EXT} archive."
-                create_zfs_snap
-            fi
+                FILE_EXT=""
+                USER_EXPORT="1"
+                export_check
 
-            info "Sending ZFS data stream..."
-            # Export the container recursively and cleanup temporary snapshots
-            zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" | \
-            xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}"
-            zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_export_${DATE}"
-            zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}"
+                # Quietly export the container recursively, user must redirect standard output
+                if ! zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_${TARGET}_${DATE}"; then
+                    clean_zfs_snap
+                    error_notify "\nError: An export option is required, see 'bastille export, otherwise the user must redirect to standard output."
+                fi
+            fi
         fi
     else
-        # Create standard backup archive
-        FILE_EXT="txz"
-        info "Exporting '${TARGET}' to a compressed .${FILE_EXT} archive..."
-        cd "${bastille_jailsdir}" && tar -cf - "${TARGET}" | xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}"
+        if [ -n "${TGZ_EXPORT}" ]; then
+            FILE_EXT=".tgz"
+
+            # Create standard tgz backup archive
+            info "Exporting '${TARGET}' to a compressed ${FILE_EXT} archive..."
+            cd "${bastille_jailsdir}" && tar -cf - "${TARGET}" | gzip ${bastille_compress_gz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}"
+        elif [ -n "${TXZ_EXPORT}" ]; then
+            FILE_EXT=".txz"
+
+            # Create standard txz backup archive
+            info "Exporting '${TARGET}' to a compressed ${FILE_EXT} archive..."
+            cd "${bastille_jailsdir}" && tar -cf - "${TARGET}" | xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}"
+        else
+            error_exit "Error: export option required"
+        fi
     fi
 
     if [ "$?" -ne 0 ]; then
         error_exit "Failed to export '${TARGET}' container."
     else
-        # Generate container checksum file
-        cd "${bastille_backupsdir}"
-        sha256 -q "${TARGET}_${DATE}.${FILE_EXT}" > "${TARGET}_${DATE}.sha256"
-        info "Exported '${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}' successfully."
+        if [ -z "${USER_EXPORT}" ]; then
+            # Generate container checksum file
+            cd "${bastille_backupsdir}"
+            sha256 -q "${TARGET}_${DATE}${FILE_EXT}" > "${TARGET}_${DATE}.sha256"
+            info "Exported '${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}' successfully."
+        fi
         exit 0
     fi
 }
@@ -140,12 +378,17 @@ if [ ! -d "${bastille_backupsdir}" ]; then
     error_exit "Backups directory/dataset does not exist. See 'bastille bootstrap'."
 fi
 
-# Check if is a ZFS system
-if [ "${bastille_zfs_enable}" != "YES" ]; then
-    # Check if container is running and ask for stop in UFS systems
-    if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then
-        error_exit "${TARGET} is running. See 'bastille stop'."
+if [ -n "${TARGET}" ]; then
+    if [ ! -d "${bastille_jailsdir}/${TARGET}" ]; then
+        error_exit "[${TARGET}]: Not found."
     fi
-fi
 
-jail_export
+    # Check if is a ZFS system
+    if ! checkyesno bastille_zfs_enable; then
+        # Check if container is running and ask for stop in non ZFS systems
+        if [ -n "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
+            error_exit "${TARGET} is running. See 'bastille stop'."
+        fi
+    fi
+    jail_export
+fi

usr/local/share/bastille/htop.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -46,8 +46,10 @@ if [ $# -ne 0 ]; then
     usage
 fi
 
+bastille_root_check
+
 for _jail in ${JAILS}; do
-    bastille_jail_path=$(jls -j "${_jail}" path)
+    bastille_jail_path=$(/usr/sbin/jls -j "${_jail}" path)
     if [ ! -x "${bastille_jail_path}/usr/local/bin/htop" ]; then
         error_notify "htop not found on ${_jail}."
     elif [ -x "${bastille_jail_path}/usr/local/bin/htop" ]; then

usr/local/share/bastille/import.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -32,7 +32,20 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    error_exit "Usage: bastille import file [option]"
+    # Build an independent usage for the import command
+    # If no file/extension specified, will import from standard input
+    error_notify "Usage: bastille import [option(s)] FILE"
+
+    cat << EOF
+    Options:
+
+    -f | --force    -- Force an archive import regardless if the checksum file does not match or missing.
+    -v | --verbose  -- Be more verbose during the ZFS receive operation.
+
+Tip: If no option specified, container should be imported from standard input.
+
+EOF
+    exit 1
 }
 
 # Handle special-case commands first
@@ -42,39 +55,72 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -gt 2 ] || [ $# -lt 1 ]; then
+if [ $# -gt 3 ] || [ $# -lt 1 ]; then
     usage
 fi
 
+bastille_root_check
+
 TARGET="${1}"
-OPTION="${2}"
-shift
+OPT_FORCE=
+USER_IMPORT=
+OPT_ZRECV="-u"
+
+# Handle and parse option args
+while [ $# -gt 0 ]; do
+    case "${1}" in
+        -f|--force)
+            OPT_FORCE="1"
+            TARGET="${2}"
+            shift
+            ;;
+        -v|--verbose)
+            OPT_ZRECV="-u -v"
+            TARGET="${2}"
+            shift
+            ;;
+        -*|--*)
+            error_notify "Unknown Option."
+            usage
+            ;;
+        *)
+            if [ $# -gt 1 ] || [ $# -lt 1 ]; then
+                usage
+            fi
+            shift
+            ;;
+    esac
+done
+
+# Fallback to default if missing config parameters
+if [ -z "${bastille_decompress_xz_options}" ]; then
+    bastille_decompress_xz_options="-c -d -v"
+fi
+if [ -z "${bastille_decompress_gz_options}" ]; then
+    bastille_decompress_gz_options="-k -d -c -v"
+fi
 
 validate_archive() {
     # Compare checksums on the target archive
-    # Skip validation for unsupported archives
-    if [ "${FILE_EXT}" != ".tar.gz" ] && [ "${FILE_EXT}" != ".tar" ]; then
-        if [ -f "${bastille_backupsdir}/${TARGET}" ]; then
-            if [ -f "${bastille_backupsdir}/${FILE_TRIM}.sha256" ]; then
-                info "Validating file: ${TARGET}..."
-                SHA256_DIST=$(cat "${bastille_backupsdir}/${FILE_TRIM}.sha256")
-                SHA256_FILE=$(sha256 -q "${bastille_backupsdir}/${TARGET}")
-                if [ "${SHA256_FILE}" != "${SHA256_DIST}" ]; then
-                    error_exit "Failed validation for ${TARGET}."
-                else
-                    info "File validation successful!"
-                fi
+    # Skip validation for unsupported archive
+    if [ -f "${bastille_backupsdir}/${TARGET}" ]; then
+        if [ -f "${bastille_backupsdir}/${FILE_TRIM}.sha256" ]; then
+            info "Validating file: ${TARGET}..."
+            SHA256_DIST=$(cat "${bastille_backupsdir}/${FILE_TRIM}.sha256")
+            SHA256_FILE=$(sha256 -q "${bastille_backupsdir}/${TARGET}")
+            if [ "${SHA256_FILE}" != "${SHA256_DIST}" ]; then
+                error_exit "Failed validation for ${TARGET}."
             else
-                # Check if user opt to force import
-                if [ "${OPTION}" = "-f" -o "${OPTION}" = "force" ]; then
-                    warn "Warning: Skipping archive validation!"
-                else
-                    error_exit "Checksum file not found. See 'bastille import TARGET -f'."
-                fi
+                info "File validation successful!"
+            fi
+        else
+            # Check if user opt to force import
+            if [ -n "${OPT_FORCE}" ]; then
+                warn "Warning: Skipping archive validation!"
+            else
+                error_exit "Checksum file not found. See 'bastille import [option(s)] FILE'."
             fi
         fi
-    else
-        warn "Warning: Skipping archive validation!"
     fi
 }
 
@@ -106,6 +152,11 @@ update_jailconf() {
             sed -i '' "s|path.*=.*;|path = ${bastille_jailsdir}/${TARGET_TRIM}/root;|" "${JAIL_CONFIG}"
             sed -i '' "s|mount.fstab.*=.*;|mount.fstab = ${bastille_jailsdir}/${TARGET_TRIM}/fstab;|" "${JAIL_CONFIG}"
         fi
+
+        # Check for the jib script
+        if grep -qw "vnet" "${JAIL_CONFIG}"; then
+            vnet_requirements
+        fi
     fi
 }
 
@@ -113,7 +164,7 @@ update_fstab() {
     # Update fstab .bastille mountpoint on thin containers only
     # Set some variables
     FSTAB_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/fstab"
-    FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
+    FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-9])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
     FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET_TRIM}/root/.bastille" "${FSTAB_CONFIG}")
     FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille nullfs ro 0 0"
     if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
@@ -129,6 +180,7 @@ generate_config() {
     # Attempt to read previous config file and set required variables accordingly
     # If we can't get a valid interface, fallback to lo1 and warn user
     info "Generating jail.conf..."
+    DEVFS_RULESET=4
 
     if [ "${FILE_EXT}" = ".zip" ]; then
         # Gather some bits from foreign/iocage config files
@@ -136,63 +188,89 @@ generate_config() {
         if [ -n "${JSON_CONFIG}" ]; then
             IPV4_CONFIG=$(grep -wo '\"ip4_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip4_addr://')
             IPV6_CONFIG=$(grep -wo '\"ip6_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip6_addr://')
+            DEVFS_RULESET=$(grep -wo '\"devfs_ruleset\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/devfs_ruleset://')
+            DEVFS_RULESET=${DEVFS_RULESET:-4}
+            IS_THIN_JAIL=$(grep -wo '\"basejail\": .*' "${JSON_CONFIG}" | tr -d '" ,' | sed 's/basejail://')
+            CONFIG_RELEASE=$(grep -wo '\"release\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/release://' | sed 's/\-[pP].*//')
+            IS_VNET_JAIL=$(grep -wo '\"vnet\": .*' "${JSON_CONFIG}" | tr -d '" ,' | sed 's/vnet://')
+            VNET_DEFAULT_INTERFACE=$(grep -wo '\"vnet_default_interface\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/vnet_default_interface://')
+            ALLOW_EMPTY_DIRS_TO_BE_SYMLINKED=1
+            if [ "${VNET_DEFAULT_INTERFACE}" = "auto" ]; then
+                # Grab the default ipv4 route from netstat and pull out the interface
+                VNET_DEFAULT_INTERFACE=$(netstat -nr4 | grep default | cut -w -f 4)
+            fi
         fi
     elif [ "${FILE_EXT}" = ".tar.gz" ]; then
         # Gather some bits from foreign/ezjail config files
         PROP_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/prop.ezjail-${FILE_TRIM}-*"
         if [ -n "${PROP_CONFIG}" ]; then
             IPVX_CONFIG=$(grep -wo "jail_${TARGET_TRIM}_ip=.*" ${PROP_CONFIG} | tr -d '" ' | sed "s/jail_${TARGET_TRIM}_ip=//")
+            CONFIG_RELEASE=$(echo ${PROP_CONFIG} | grep -o '[0-9]\{2\}\.[0-9]_RELEASE' | sed 's/_/-/g')
         fi
+        # Always assume it's thin for ezjail
+        IS_THIN_JAIL=1
     fi
 
-    # If there are multiple IP/NIC let the user configure network
-    if [ -n "${IPV4_CONFIG}" ]; then
-        if ! echo "${IPV4_CONFIG}" | grep -q '.*,.*'; then
-            NETIF_CONFIG=$(echo "${IPV4_CONFIG}" | grep '.*|' | sed 's/|.*//g')
-            if [ -z "${NETIF_CONFIG}" ]; then
-                config_netif
+    # See if we need to generate a vnet network section
+    if [ "${IS_VNET_JAIL:-0}" = "1" ]; then
+        NETBLOCK=$(generate_vnet_jail_netblock "${TARGET_TRIM}" "" "${VNET_DEFAULT_INTERFACE}")
+        vnet_requirements
+    else
+        # If there are multiple IP/NIC let the user configure network
+        if [ -n "${IPV4_CONFIG}" ]; then
+            if ! echo "${IPV4_CONFIG}" | grep -q '.*,.*'; then
+                NETIF_CONFIG=$(echo "${IPV4_CONFIG}" | grep '.*|' | sed 's/|.*//g')
+                if [ -z "${NETIF_CONFIG}" ]; then
+                    config_netif
+                fi
+                IPX_ADDR="ip4.addr"
+                IP_CONFIG="${IPV4_CONFIG}"
+                IP6_MODE="disable"
             fi
-            IPX_ADDR="ip4.addr"
-            IP_CONFIG="${IPV4_CONFIG}"
-            IP6_MODE="disable"
-        fi
-    elif [ -n "${IPV6_CONFIG}" ]; then
-        if ! echo "${IPV6_CONFIG}" | grep -q '.*,.*'; then
-            NETIF_CONFIG=$(echo "${IPV6_CONFIG}" | grep '.*|' | sed 's/|.*//g')
-            if [ -z "${NETIF_CONFIG}" ]; then
-                config_netif
-            fi
-            IPX_ADDR="ip6.addr"
-            IP_CONFIG="${IPV6_CONFIG}"
-            IP6_MODE="new"
-        fi
-    elif [ -n "${IPVX_CONFIG}" ]; then
-        if ! echo "${IPVX_CONFIG}" | grep -q '.*,.*'; then
-            NETIF_CONFIG=$(echo "${IPVX_CONFIG}" | grep '.*|' | sed 's/|.*//g')
-            if [ -z "${NETIF_CONFIG}" ]; then
-                config_netif
-            fi
-            IPX_ADDR="ip4.addr"
-            IP_CONFIG="${IPVX_CONFIG}"
-            IP6_MODE="disable"
-            if echo "${IPVX_CONFIG}" | sed 's/.*|//' | grep -Eq '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))'; then
+        elif [ -n "${IPV6_CONFIG}" ]; then
+            if ! echo "${IPV6_CONFIG}" | grep -q '.*,.*'; then
+                NETIF_CONFIG=$(echo "${IPV6_CONFIG}" | grep '.*|' | sed 's/|.*//g')
+                if [ -z "${NETIF_CONFIG}" ]; then
+                    config_netif
+                fi
                 IPX_ADDR="ip6.addr"
+                IP_CONFIG="${IPV6_CONFIG}"
                 IP6_MODE="new"
             fi
+        elif [ -n "${IPVX_CONFIG}" ]; then
+            if ! echo "${IPVX_CONFIG}" | grep -q '.*,.*'; then
+                NETIF_CONFIG=$(echo "${IPVX_CONFIG}" | grep '.*|' | sed 's/|.*//g')
+                if [ -z "${NETIF_CONFIG}" ]; then
+                    config_netif
+                fi
+                IPX_ADDR="ip4.addr"
+                IP_CONFIG="${IPVX_CONFIG}"
+                IP6_MODE="disable"
+                if echo "${IPVX_CONFIG}" | sed 's/.*|//' | grep -Eq '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))'; then
+                    IPX_ADDR="ip6.addr"
+                    IP6_MODE="new"
+                fi
+            fi
         fi
+
+        # Let the user configure network manually
+        if [ -z "${NETIF_CONFIG}" ]; then
+            NETIF_CONFIG="lo1"
+            IPX_ADDR="ip4.addr"
+            IP_CONFIG="-"
+            IP6_MODE="disable"
+            warn "Warning: See 'bastille edit ${TARGET_TRIM} jail.conf' for manual network configuration."
+        fi
+
+        NETBLOCK=$(cat <<-EOF
+  interface = ${NETIF_CONFIG};
+  ${IPX_ADDR} = ${IP_CONFIG};
+  ip6 = ${IP6_MODE};
+EOF
+        )
     fi
 
-    # Let the user configure network manually
-    if [ -z "${NETIF_CONFIG}" ]; then
-        NETIF_CONFIG="lo1"
-        IPX_ADDR="ip4.addr"
-        IP_CONFIG="-"
-        IP6_MODE="disable"
-        warn "Warning: See 'bastille edit ${TARGET_TRIM} jail.conf' for manual network configuration."
-    fi
-
-    if [ "${FILE_EXT}" = ".tar.gz" ]; then
-        CONFIG_RELEASE=$(echo ${PROP_CONFIG} | grep -o '[0-9]\{2\}\.[0-9]_RELEASE' | sed 's/_/-/g')
+    if [ "${IS_THIN_JAIL:-0}" = "1" ]; then
         if [ -z "${CONFIG_RELEASE}" ]; then
             # Fallback to host version
             CONFIG_RELEASE=$(freebsd-version | sed 's/\-[pP].*//')
@@ -213,7 +291,7 @@ generate_config() {
     # Generate a basic jail configuration file on foreign imports
     cat << EOF > "${bastille_jailsdir}/${TARGET_TRIM}/jail.conf"
 ${TARGET_TRIM} {
-  devfs_ruleset = 4;
+  devfs_ruleset = ${DEVFS_RULESET};
   enforce_statfs = 2;
   exec.clean;
   exec.consolelog = ${bastille_logsdir}/${TARGET_TRIM}_console.log;
@@ -225,9 +303,7 @@ ${TARGET_TRIM} {
   path = ${bastille_jailsdir}/${TARGET_TRIM}/root;
   securelevel = 2;
 
-  interface = ${NETIF_CONFIG};
-  ${IPX_ADDR} = ${IP_CONFIG};
-  ip6 = ${IP6_MODE};
+${NETBLOCK}
 }
 EOF
 }
@@ -265,6 +341,17 @@ workout_components() {
     fi
 }
 
+vnet_requirements() {
+    # VNET jib script requirement
+    if [ ! "$(command -v jib)" ]; then
+        if [ -f "/usr/share/examples/jails/jib" ] && [ ! -f "/usr/local/bin/jib" ]; then
+            install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
+        else
+            warn "Warning: Unable to locate/install jib script required by VNET jails."
+        fi
+    fi
+}
+
 config_netif() {
     # Get interface from bastille configuration
     if [ -n "${bastille_network_loopback}" ]; then
@@ -290,6 +377,13 @@ update_symlinks() {
     for _link in ${SYMLINKS}; do
         if [ -L "${_link}" ]; then
             ln -sf /.bastille/${_link} ${_link}
+        elif [ "${ALLOW_EMPTY_DIRS_TO_BE_SYMLINKED:-0}" = "1" -a -d "${_link}" ]; then
+            # -F will enforce that the directory is empty and replaced by the symlink
+            ln -sfF /.bastille/${_link} ${_link} || EXIT_CODE=$?
+            if [ "${EXIT_CODE:-0}" != "0" ]; then
+                # Assume that the failure was due to the directory not being empty and explain the problem in friendlier terms
+                warn "Warning: directory ${_link} on imported jail was not empty and will not be updated by Bastille"
+            fi
         fi
     done
 }
@@ -313,23 +407,34 @@ remove_zfs_datasets() {
 
 jail_import() {
     # Attempt to import container from file
-    FILE_TRIM=$(echo "${TARGET}" | sed 's/\.xz//g;s/\.txz//g;s/\.zip//g;s/\.tar\.gz//g;s/\.tar//g')
+    FILE_TRIM=$(echo "${TARGET}" | sed 's/\.xz//g;s/\.gz//g;s/\.tgz//g;s/\.txz//g;s/\.zip//g;s/\.tar\.gz//g;s/\.tar//g')
     FILE_EXT=$(echo "${TARGET}" | sed "s/${FILE_TRIM}//g")
-    validate_archive
     if [ -d "${bastille_jailsdir}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 if [ "${FILE_EXT}" = ".xz" ]; then
+                    validate_archive
                     # Import from compressed xz on ZFS systems
-                    info "Importing '${TARGET_TRIM}' from compressed ${FILE_EXT} archive."
+                    info "Importing '${TARGET_TRIM}' from compressed ${FILE_EXT} image."
                     info "Receiving ZFS data stream..."
                     xz ${bastille_decompress_xz_options} "${bastille_backupsdir}/${TARGET}" | \
-                    zfs receive -u "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"
+                    zfs receive ${OPT_ZRECV} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"
+
+                    # Update ZFS mountpoint property if required
+                    update_zfsmount
+                elif [ "${FILE_EXT}" = ".gz" ]; then
+                    validate_archive
+                    # Import from compressed xz on ZFS systems
+                    info "Importing '${TARGET_TRIM}' from compressed ${FILE_EXT} image."
+                    info "Receiving ZFS data stream..."
+                    gzip ${bastille_decompress_gz_options} "${bastille_backupsdir}/${TARGET}" | \
+                    zfs receive ${OPT_ZRECV} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"
 
                     # Update ZFS mountpoint property if required
                     update_zfsmount
 
                 elif [ "${FILE_EXT}" = ".txz" ]; then
+                    validate_archive
                     # Prepare the ZFS environment and restore from existing .txz file
                     create_zfs_datasets
 
@@ -340,7 +445,20 @@ jail_import() {
                     if [ "$?" -ne 0 ]; then
                         remove_zfs_datasets
                     fi
+                elif [ "${FILE_EXT}" = ".tgz" ]; then
+                    validate_archive
+                    # Prepare the ZFS environment and restore from existing .tgz file
+                    create_zfs_datasets
+
+                    # Extract required files to the new datasets
+                    info "Extracting files from '${TARGET}' archive..."
+                    tar --exclude='root' -xf "${bastille_backupsdir}/${TARGET}" --strip-components 1 -C "${bastille_jailsdir}/${TARGET_TRIM}"
+                    tar -xf "${bastille_backupsdir}/${TARGET}" --strip-components 2 -C "${bastille_jailsdir}/${TARGET_TRIM}/root" "${TARGET_TRIM}/root"
+                    if [ "$?" -ne 0 ]; then
+                        remove_zfs_datasets
+                    fi
                 elif [ "${FILE_EXT}" = ".zip" ]; then
+                    validate_archive
                     # Attempt to import a foreign/iocage container
                     info "Importing '${TARGET_TRIM}' from foreign compressed ${FILE_EXT} archive."
                     # Sane bastille ZFS options
@@ -353,9 +471,9 @@ jail_import() {
                         rm -f "${FILE_TRIM}" "${FILE_TRIM}_root"
                     fi
                     info "Receiving ZFS data stream..."
-                    zfs receive -u "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}" < "${FILE_TRIM}"
+                    zfs receive ${OPT_ZRECV} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}" < "${FILE_TRIM}"
                     zfs set ${ZFS_OPTIONS} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"
-                    zfs receive -u "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root" < "${FILE_TRIM}_root"
+                    zfs receive ${OPT_ZRECV} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root" < "${FILE_TRIM}_root"
 
                     # Update ZFS mountpoint property if required
                     update_zfsmount
@@ -403,6 +521,27 @@ jail_import() {
                     else
                         update_config
                     fi
+                elif [ -z "${FILE_EXT}" ]; then
+                    if echo "${TARGET}" | grep -q '_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}$'; then
+                        validate_archive
+                        # Based on the file name, looks like we are importing a raw bastille image
+                        # Import from uncompressed image file
+                        info "Importing '${TARGET_TRIM}' from uncompressed image archive."
+                        info "Receiving ZFS data stream..."
+                        zfs receive ${OPT_ZRECV} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}" < "${bastille_backupsdir}/${TARGET}"
+
+                        # Update ZFS mountpoint property if required
+                        update_zfsmount
+                    else
+                        # Based on the file name, looks like we are importing from previous redirected bastille image
+                        # Quietly import from previous redirected bastille image
+                        if ! zfs receive ${OPT_ZRECV} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}"; then
+                            exit 1
+                        else
+                            # Update ZFS mountpoint property if required
+                            update_zfsmount
+                        fi
+                    fi
                 else
                     error_exit "Unknown archive format."
                 fi
@@ -412,6 +551,9 @@ jail_import() {
             if [ "${FILE_EXT}" = ".txz" ]; then
                 info "Extracting files from '${TARGET}' archive..."
                 tar -Jxf  "${bastille_backupsdir}/${TARGET}" -C "${bastille_jailsdir}"
+            elif [ "${FILE_EXT}" = ".tgz" ]; then
+                info "Extracting files from '${TARGET}' archive..."
+                tar -xf  "${bastille_backupsdir}/${TARGET}" -C "${bastille_jailsdir}"
             elif [ "${FILE_EXT}" = ".tar.gz" ]; then
                 # Attempt to import/configure foreign/ezjail container
                 info "Extracting files from '${TARGET}' archive..."
@@ -442,7 +584,9 @@ jail_import() {
             # This is required on foreign imports only
             update_jailconf
             update_fstab
-            info "Container '${TARGET_TRIM}' imported successfully."
+            if [ -z "${USER_IMPORT}" ]; then
+                info "Container '${TARGET_TRIM}' imported successfully."
+            fi
             exit 0
         fi
     else
@@ -465,22 +609,32 @@ fi
 # Check if archive exist then trim archive name
 if [ -f "${bastille_backupsdir}/${TARGET}" ]; then
     # Filter unsupported/unknown archives
-    if echo "${TARGET}" | grep -q '_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.xz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.txz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}.zip$\|-[0-9]\{12\}.[0-9]\{2\}.tar.gz$\|@[0-9]\{12\}.[0-9]\{2\}.tar$'; then
+    if echo "${TARGET}" | grep -q '_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.xz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.gz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.tgz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.txz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}.zip$\|-[0-9]\{12\}.[0-9]\{2\}.tar.gz$\|@[0-9]\{12\}.[0-9]\{2\}.tar$'; then
         if ls "${bastille_backupsdir}" | awk "/^${TARGET}$/" >/dev/null; then
-            TARGET_TRIM=$(echo "${TARGET}" | sed "s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.xz//;s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.txz//;s/_[0-9]*-[0-9]*-[0-9]*.zip//;s/-[0-9]\{12\}.[0-9]\{2\}.tar.gz//;s/@[0-9]\{12\}.[0-9]\{2\}.tar//")
+            TARGET_TRIM=$(echo "${TARGET}" | sed "s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.xz//;s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.gz//;s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.tgz//;s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.txz//;s/_[0-9]*-[0-9]*-[0-9]*.zip//;s/-[0-9]\{12\}.[0-9]\{2\}.tar.gz//;s/@[0-9]\{12\}.[0-9]\{2\}.tar//;s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*//")
         fi
     else
         error_exit "Unrecognized archive name."
     fi
 else
-    error_exit "Archive '${TARGET}' not found."
+    if echo "${TARGET}" | grep -q '_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.*$'; then
+        error_exit "Archive '${TARGET}' not found."
+    else
+        # Assume user will import from standard input
+        TARGET_TRIM=${TARGET}
+        USER_IMPORT="1"
+    fi
 fi
 
 # Check if a running jail matches name or already exist
-if [ -n "$(jls name | awk "/^${TARGET_TRIM}$/")" ]; then
+if [ -n "$(/usr/sbin/jls name | awk "/^${TARGET_TRIM}$/")" ]; then
     error_exit "A running jail matches name."
-elif [ -d "${bastille_jailsdir}/${TARGET_TRIM}" ]; then
-    error_exit "Container: ${TARGET_TRIM} already exists."
+elif [ -n "${TARGET_TRIM}" ]; then
+    if [ -d "${bastille_jailsdir}/${TARGET_TRIM}" ]; then
+        error_exit "Container: ${TARGET_TRIM} already exists."
+    fi
 fi
 
-jail_import
+if [ -n "${TARGET}" ]; then
+    jail_import
+fi

usr/local/share/bastille/limits.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # Ressource limits added by Sven R github.com/hackacad
 #
@@ -55,6 +55,8 @@ if [ $# -ne 2 ]; then
     usage
 fi
 
+bastille_root_check
+
 OPTION="${1}"
 VALUE="${2}"
 

usr/local/share/bastille/list.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -32,59 +32,209 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    error_exit "Usage: bastille list [-j] [release|template|(jail|container)|log|limit|(import|export|backup)]"
+    error_exit "Usage: bastille list [-j|-a] [release [-p]|template|(jail|container)|log|limit|(import|export|backup)]"
 }
 
-if [ $# -eq 0 ]; then
-   jls -N
+if [ "${1}" = help -o "${1}" = "-h" -o "${1}" = "--help" ]; then
+    usage
 fi
 
-if [ "$1" == "-j" ]; then
-    jls -N --libxo json
+bastille_root_check
+
+if [ $# -eq 0 ]; then
+   /usr/sbin/jls
+fi
+
+if [ "${1}" == "-j" ]; then
+    /usr/sbin/jls -N --libxo json
     exit 0
 fi
 
+TARGET=
+
+list_all(){
+        if [ -d "${bastille_jailsdir}" ]; then
+            DEFAULT_VALUE="-"
+            SPACER=2
+            MAX_LENGTH_JAIL_NAME=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h -m 1 -e "^.* {$" | awk '{ print length($1) }' | sort -nr | head -n 1)
+            MAX_LENGTH_JAIL_NAME=${MAX_LENGTH_JAIL_NAME:-3}
+            if [ "${MAX_LENGTH_JAIL_NAME}" -lt 3 ]; then MAX_LENGTH_JAIL_NAME=3; fi
+            MAX_LENGTH_JAIL_IP=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1 /p" | sed 's/\// /g' | awk '{ print length($1) }' | sort -nr | head -n 1)
+            MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_IP:-10}
+            MAX_LENGTH_JAIL_VNET_IP=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -l "vnet;" | grep -h "ifconfig_vnet0=" $(sed -n "s/\(.*\)jail.conf$/\1root\/etc\/rc.conf/p") | sed -n "s/^ifconfig_vnet0=\"\(.*\)\"$/\1/p"| sed "s/\// /g" | awk '{ if ($1 ~ /^[inet|inet6]/) print length($2); else print 15 }' | sort -nr | head -n 1)
+            MAX_LENGTH_JAIL_VNET_IP=${MAX_LENGTH_JAIL_VNET_IP:-10}
+            if [ "${MAX_LENGTH_JAIL_VNET_IP}" -gt "${MAX_LENGTH_JAIL_IP}" ]; then MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_VNET_IP}; fi
+            if [ "${MAX_LENGTH_JAIL_IP}" -lt 10 ]; then MAX_LENGTH_JAIL_IP=10; fi
+            MAX_LENGTH_JAIL_HOSTNAME=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h -m 1 -e "^[ ]*host.hostname[ ]*=[ ]*\(.*\);" | awk '{ print length(substr($3, 1, length($3)-1)) }' | sort -nr | head -n 1)
+            MAX_LENGTH_JAIL_HOSTNAME=${MAX_LENGTH_JAIL_HOSTNAME:-8}
+            if [ "${MAX_LENGTH_JAIL_HOSTNAME}" -lt 8 ]; then MAX_LENGTH_JAIL_HOSTNAME=8; fi
+            MAX_LENGTH_JAIL_PORTS=$(find ""${bastille_jailsdir}/*/rdr.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 -n1 awk '{ lines++; chars += length($0)} END { chars += lines - 1; print chars }' | sort -nr | head -n 1)
+            MAX_LENGTH_JAIL_PORTS=${MAX_LENGTH_JAIL_PORTS:-15}
+            if [ "${MAX_LENGTH_JAIL_PORTS}" -lt 15 ]; then MAX_LENGTH_JAIL_PORTS=15; fi
+            if [ "${MAX_LENGTH_JAIL_PORTS}" -gt 30 ]; then MAX_LENGTH_JAIL_PORTS=30; fi
+            MAX_LENGTH_JAIL_RELEASE=$(find ""${bastille_jailsdir}/*/fstab"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h "/releases/.*/root/.bastille.*nullfs" | grep -hE "^USERLAND_VERSION=" $(sed -n "s/^\(.*\) \/.*$/\1\/bin\/freebsd-version/p" | awk '!_[$0]++') | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1)
+            MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_JAIL_RELEASE:-7}
+            MAX_LENGTH_THICK_JAIL_RELEASE=$(find ""${bastille_jailsdir}/*/root/bin/freebsd-version"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -hE "^USERLAND_VERSION=" | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1)
+            MAX_LENGTH_THICK_JAIL_RELEASE=${MAX_LENGTH_THICK_JAIL_RELEASE:-7}
+            MAX_LENGTH_LINUX_JAIL_RELEASE=$(find ""${bastille_jailsdir}/*/fstab"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h "/jails/.*/root/proc.*linprocfs" | grep -hE "^NAME=|^VERSION_ID=|^VERSION_CODENAME=" $(sed -n "s/^linprocfs *\(.*\)\/.*$/\1\/etc\/os-release/p") 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | sed "N;N;s/\n/;/g" | sed -n "s/^NAME=\(.*\);VERSION_ID=\(.*\);VERSION_CODENAME=\(.*\)$/\1 \2 (\3)/p" | awk '{ print length($0) }' | sort -nr | head -n 1) 
+            MAX_LENGTH_LINUX_JAIL_RELEASE=${MAX_LENGTH_LINUX_JAIL_RELEASE:-7}
+            if [ "${MAX_LENGTH_THICK_JAIL_RELEASE}" -gt "${MAX_LENGTH_JAIL_RELEASE}" ]; then MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_THICK_JAIL_RELEASE}; fi
+            if [ "${MAX_LENGTH_LINUX_JAIL_RELEASE}" -gt "${MAX_LENGTH_JAIL_RELEASE}" ]; then MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_LINUX_JAIL_RELEASE}; fi
+            if [ "${MAX_LENGTH_JAIL_RELEASE}" -lt 7 ]; then MAX_LENGTH_JAIL_RELEASE=7; fi
+            printf " JID%*sState%*sIP Address%*sPublished Ports%*sHostname%*sRelease%*sPath\n" "$((${MAX_LENGTH_JAIL_NAME} + ${SPACER} - 3))" "" "$((${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} + ${SPACER} - 10))" "" "$((${MAX_LENGTH_JAIL_PORTS} + ${SPACER} - 15))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} + ${SPACER} - 8))" "" "$((${MAX_LENGTH_JAIL_RELEASE} + ${SPACER} - 7))" ""
+            if [ -n "${TARGET}" ]; then
+                # Query all info for a specific jail.
+                JAIL_LIST="${TARGET}"
+            else
+                # Query all info for all jails(default).
+                JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g")
+            fi
+            for _JAIL in ${JAIL_LIST}; do
+                if [ -f "${bastille_jailsdir}/${_JAIL}/jail.conf" ]; then
+                    JAIL_NAME=$(grep -h -m 1 -e "^.* {$" "${bastille_jailsdir}/${_JAIL}/jail.conf" 2> /dev/null | awk '{ print $1 }')
+                    IS_FREEBSD_JAIL=0
+                    if [ -f "${bastille_jailsdir}/${JAIL_NAME}/root/bin/freebsd-version" -o -f "${bastille_jailsdir}/${JAIL_NAME}/root/.bastille/bin/freebsd-version" -o "$(grep -c "/releases/.*/root/.bastille.*nullfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null)" -gt 0 ]; then IS_FREEBSD_JAIL=1; fi
+                    IS_FREEBSD_JAIL=${IS_FREEBSD_JAIL:-0}
+                    IS_LINUX_JAIL=0
+                    if [ "$(grep -c "^linprocfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null)" -gt 0 ]; then IS_LINUX_JAIL=1; fi
+                    IS_LINUX_JAIL=${IS_LINUX_JAIL:-0}
+                    if [ "$(/usr/sbin/jls name | awk "/^${JAIL_NAME}$/")" ]; then
+                        JAIL_STATE="Up"
+                        if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then
+                            JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -n vnet0 inet 2> /dev/null | sed -n "/.inet /{s///;s/ .*//;p;}")
+                            if [ ! "${JAIL_IP}" ]; then JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -n vnet0 inet6 2> /dev/null | awk '/inet6 / && (!/fe80::/ || !/%vnet0/)' | sed -n "/.inet6 /{s///;s/ .*//;p;}"); fi
+                        else
+                            JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip4.addr 2> /dev/null)
+                            if [ "${JAIL_IP}" = "-" ]; then JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip6.addr 2> /dev/null); fi
+                        fi
+                        JAIL_HOSTNAME=$(/usr/sbin/jls -j ${JAIL_NAME} host.hostname 2> /dev/null)
+                        JAIL_PORTS=$(pfctl -a "rdr/${JAIL_NAME}" -Psn 2> /dev/null | awk '{ printf "%s/%s:%s"",",$7,$14,$18 }' | sed "s/,$//")
+                        JAIL_PATH=$(/usr/sbin/jls -j ${JAIL_NAME} path 2> /dev/null)
+                        if [ "${IS_FREEBSD_JAIL}" -eq 1 ]; then
+                            JAIL_RELEASE=$(jexec -l ${JAIL_NAME} freebsd-version -u 2> /dev/null)
+                        fi
+                        if [ "${IS_LINUX_JAIL}" -eq 1 ]; then
+                            JAIL_RELEASE=$(grep -hE "^NAME=.*$|^VERSION_ID=.*$|^VERSION_CODENAME=.*$" "${JAIL_PATH}/etc/os-release" 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | awk -F'=' '{ a[$1] = $2; o++ } o%3 == 0 { print a["VERSION_CODENAME"] " (" a["NAME"] " " a["VERSION_ID"] ")" }')
+                        fi
+                    else
+                        JAIL_STATE=$(if [ "$(sed -n "/^${JAIL_NAME} {$/,/^}$/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | awk '$0 ~ /^'${JAIL_NAME}' \{|\}/ { printf "%s",$0 }')" == "${JAIL_NAME} {}" ]; then echo "Down"; else echo "n/a"; fi)
+                        if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then
+                            JAIL_IP=$(sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' "${bastille_jailsdir}/${JAIL_NAME}/root/etc/rc.conf" 2> /dev/null | sed "s/\// /g" | awk '{ if ($1 ~ /^[inet|inet6]/) print $2; else print $1 }')
+                        else
+                            JAIL_IP=$(sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | sed "s/\// /g" | awk '{ print $1 }')
+                        fi
+                        JAIL_HOSTNAME=$(sed -n "s/^[ ]*host.hostname[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)
+                        if [ -f "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf" ]; then JAIL_PORTS=$(awk '$1 ~ /^[tcp|udp]/ { printf "%s/%s:%s,",$1,$2,$3 }' "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf" 2> /dev/null | sed "s/,$//"); else JAIL_PORTS=""; fi
+                            JAIL_PATH=$(sed -n "s/^[ ]*path[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)
+                            if [ "${JAIL_PATH}" ]; then
+                                if [ "${IS_FREEBSD_JAIL}" -eq 1 ]; then
+                                    if [ -f "${JAIL_PATH}/bin/freebsd-version" ]; then
+                                        JAIL_RELEASE=$(grep -hE "^USERLAND_VERSION=" "${JAIL_PATH}/bin/freebsd-version" 2> /dev/null | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p")
+                                    else
+                                        JAIL_RELEASE=$(grep -h "/releases/.*/root/.bastille.*nullfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null | grep -hE "^USERLAND_VERSION=" $(sed -n "s/^\(.*\) \/.*$/\1\/bin\/freebsd-version/p" | awk '!_[$0]++') | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p")
+                                    fi
+                                fi
+                                if [ "${IS_LINUX_JAIL}" -eq 1 ]; then
+                                    JAIL_RELEASE=$(grep -hE "^NAME=.*$|^VERSION_ID=.*$|^VERSION_CODENAME=.*$" "${JAIL_PATH}/etc/os-release" 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | awk -F'=' '{ a[$1] = $2; o++ } o%3 == 0 { print a["VERSION_CODENAME"] " (" a["NAME"] " " a["VERSION_ID"] ")" }')
+                                fi
+                            else
+                               JAIL_RELEASE=""
+                            fi
+                        fi
+
+                        if [ "${#JAIL_PORTS}" -gt "${MAX_LENGTH_JAIL_PORTS}" ]; then JAIL_PORTS="$(echo ${JAIL_PORTS} | cut -c-$((${MAX_LENGTH_JAIL_PORTS} - 3)))..."; fi
+                        JAIL_NAME=${JAIL_NAME:-${DEFAULT_VALUE}}
+                        JAIL_STATE=${JAIL_STATE:-${DEFAULT_VALUE}}
+                        JAIL_IP=${JAIL_IP:-${DEFAULT_VALUE}}
+                        JAIL_PORTS=${JAIL_PORTS:-${DEFAULT_VALUE}}
+                        JAIL_HOSTNAME=${JAIL_HOSTNAME:-${DEFAULT_VALUE}}
+                        JAIL_RELEASE=${JAIL_RELEASE:-${DEFAULT_VALUE}}
+                        JAIL_PATH=${JAIL_PATH:-${DEFAULT_VALUE}}
+                        printf " ${JAIL_NAME}%*s${JAIL_STATE}%*s${JAIL_IP}%*s${JAIL_PORTS}%*s${JAIL_HOSTNAME}%*s${JAIL_RELEASE}%*s${JAIL_PATH}\n" "$((${MAX_LENGTH_JAIL_NAME} - ${#JAIL_NAME} + ${SPACER}))" "" "$((5 - ${#JAIL_STATE} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} - ${#JAIL_IP} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_PORTS} - ${#JAIL_PORTS} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} - ${#JAIL_HOSTNAME} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_RELEASE} - ${#JAIL_RELEASE} + ${SPACER}))" ""
+                fi
+            done
+        else
+            error_exit "unfortunately there are no jails here (${bastille_jailsdir})"
+        fi
+}
+
+list_release(){
+    if [ -d "${bastille_releasesdir}" ]; then
+        REL_LIST=$(ls "${bastille_releasesdir}" | sed "s/\n//g")
+        for _REL in ${REL_LIST}; do
+            if [ -f "${bastille_releasesdir}/${_REL}/root/.profile" -o -d "${bastille_releasesdir}/${_REL}/debootstrap" ]; then
+                if [ "${2}" == "-p" -a -f "${bastille_releasesdir}/${_REL}/bin/freebsd-version" ]; then
+                    REL_PATCH_LEVEL=$(sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p" "${bastille_releasesdir}/${_REL}/bin/freebsd-version" 2> /dev/null)
+                    REL_PATCH_LEVEL=${REL_PATCH_LEVEL:-${_REL}}
+                    echo "${REL_PATCH_LEVEL}"
+                else
+                    echo "${_REL}"
+                fi
+            fi
+        done
+    fi
+}
+
+list_template(){
+    find "${bastille_templatesdir}" -type d -maxdepth 2
+}
+
+list_jail(){
+    if [ -d "${bastille_jailsdir}" ]; then
+        JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g")
+        for _JAIL in ${JAIL_LIST}; do
+            if [ -f "${bastille_jailsdir}/${_JAIL}/jail.conf" ]; then
+                echo "${_JAIL}"
+            fi
+        done
+    fi
+}
+
+list_log(){
+	find "${bastille_logsdir}" -type f -maxdepth 1
+}
+
+list_limit(){
+    rctl -h jail:
+}
+
+list_import(){
+    ls "${bastille_backupsdir}" | grep -v ".sha256$"
+}
+
 if [ $# -gt 0 ]; then
     # Handle special-case commands first.
-    case "$1" in
-    help|-h|--help)
-        usage
+    case "${1}" in
+    all|-a|--all)
+        list_all
         ;;
     release|releases)
-        if [ -d "${bastille_releasesdir}" ]; then
-            REL_LIST=$(ls "${bastille_releasesdir}" | sed "s/\n//g")
-            for _REL in ${REL_LIST}; do
-                if [ -f "${bastille_releasesdir}/${_REL}/root/.profile" ]; then
-                    echo "${_REL}"
-                fi
-            done
-        fi
+        list_release
         ;;
     template|templates)
-        find "${bastille_templatesdir}" -type d -maxdepth 2
+        list_template
         ;;
     jail|jails|container|containers)
-        if [ -d "${bastille_jailsdir}" ]; then
-            JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g")
-            for _JAIL in ${JAIL_LIST}; do
-                if [ -f "${bastille_jailsdir}/${_JAIL}/jail.conf" ]; then
-                    echo "${_JAIL}"
-                fi
-            done
-        fi
+        list_jail
         ;;
     log|logs)
-        find "${bastille_logsdir}" -type f -maxdepth 1
+        list_log
         ;;
     limit|limits)
-        rctl -h jail:
+        list_limit
         ;;
     import|imports|export|exports|backup|backups)
-        ls "${bastille_backupsdir}" | grep -Ev "*.sha256"
+        list_import
     exit 0
     ;;
     *)
-        usage
+        # Check if we want to query all info for a specific jail instead.
+        if [ -f "${bastille_jailsdir}/${1}/jail.conf" ]; then
+            TARGET="${1}"
+            list_all
+        else
+            usage
+        fi
         ;;
     esac
 fi

usr/local/share/bastille/mount.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -50,6 +50,8 @@ else
     _fstab="$@"
 fi
 
+bastille_root_check
+
 ## assign needed variables
 _hostpath=$(echo "${_fstab}" | awk '{print $1}')
 _jailpath=$(echo "${_fstab}" | awk '{print $2}')
@@ -65,8 +67,10 @@ if [ -z "${_hostpath}" ] || [ -z "${_jailpath}" ] || [ -z "${_type}" ] || [ -z "
     exit 1
 fi
 
-## if host path doesn't exist or type is not "nullfs"
-if [ ! -d "${_hostpath}" ] || [ "${_type}" != "nullfs" ]; then
+## if host path doesn't exist, type is not "nullfs" or are using advanced mount type "tmpfs,linprocfs,linsysfs, fdescfs, procfs"	
+if [ "${_hostpath}" == "tmpfs" -a "$_type" == "tmpfs" ] || [ "${_hostpath}" == "linprocfs" -a "${_type}" == "linprocfs" ] || [ "${_hostpath}" == "linsysfs" -a "${_type}" == "linsysfs" ] || [ "${_hostpath}" == "proc" -a "${_type}" == "procfs" ] || [ "${_hostpath}" == "fdesc" -a "${_type}" == "fdescfs" ]  ;  then
+    warn "Detected advanced mount type ${_hostpath}"
+elif [ ! -d "${_hostpath}" ] || [ "${_type}" != "nullfs" ]; then
     error_notify "Detected invalid host path or incorrect mount type in FSTAB."
     warn "Format: /host/path jail/path nullfs ro 0 0"
     warn "Read: ${_fstab}"
@@ -93,24 +97,25 @@ for _jail in ${JAILS}; do
     info "[${_jail}]:"
 
     ## aggregate variables into FSTAB entry
-    _jailpath="${bastille_jailsdir}/${_jail}/root/${_jailpath}"
-    _fstab_entry="${_hostpath} ${_jailpath} ${_type} ${_perms} ${_checks}"
+    _fullpath="${bastille_jailsdir}/${_jail}/root/${_jailpath}"
+    _fstab_entry="${_hostpath} ${_fullpath} ${_type} ${_perms} ${_checks}"
 
     ## Create mount point if it does not exist. -- cwells
-    if [ ! -d "${bastille_jailsdir}/${_jail}/root/${_jailpath}" ]; then
-        if ! mkdir -p "${bastille_jailsdir}/${_jail}/root/${_jailpath}"; then
+    if [ ! -d "${_fullpath}" ]; then
+        if ! mkdir -p "${_fullpath}"; then
             error_exit "Failed to create mount point inside jail."
         fi
     fi
 
     ## if entry doesn't exist, add; else show existing entry
-    if ! egrep -q "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" 2> /dev/null; then
+    if ! egrep -q "[[:blank:]]${_fullpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" 2> /dev/null; then
         if ! echo "${_fstab_entry}" >> "${bastille_jailsdir}/${_jail}/fstab"; then
             error_exit "Failed to create fstab entry: ${_fstab_entry}"
         fi
         echo "Added: ${_fstab_entry}"
     else
-        egrep "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab"
+        warn "Mountpoint already present in ${bastille_jailsdir}/${_jail}/fstab"
+        egrep "[[:blank:]]${_fullpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab"
     fi
     mount -F "${bastille_jailsdir}/${_jail}/fstab" -a
     echo

usr/local/share/bastille/pkg.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -31,7 +31,7 @@
 . /usr/local/share/bastille/common.sh
 
 usage() {
-    error_exit "Usage: bastille pkg TARGET command [args]"
+    error_exit "Usage: bastille pkg [-H|--host] TARGET command [args]"
 }
 
 # Handle special-case commands first.
@@ -45,8 +45,34 @@ if [ $# -lt 1 ]; then
     usage
 fi
 
+bastille_root_check
+
+errors=0
+
 for _jail in ${JAILS}; do
     info "[${_jail}]:"
-    jexec -l "${_jail}" /usr/sbin/pkg "$@"
+    bastille_jail_path=$(/usr/sbin/jls -j "${_jail}" path)
+    if [ -f "/usr/sbin/mport" ]; then
+        if ! jexec -l -U root "${_jail}" /usr/sbin/mport "$@"; then
+            errors=1
+        fi
+    elif [ -f "${bastille_jail_path}/usr/bin/apt" ]; then
+        if ! jexec -l "${_jail}" /usr/bin/apt "$@"; then
+            errors=1
+        fi
+    elif [ "${USE_HOST_PKG}" = 1 ]; then
+        if ! /usr/sbin/pkg -j "${_jail}" "$@"; then
+            errors=1
+        fi
+    else
+        if ! jexec -l -U root "${_jail}" /usr/sbin/pkg "$@"; then
+            errors=1
+        fi
+    fi
     echo
 done
+
+if [ $errors -ne 0 ]; then
+    error_exit "Failed to apply on some jails, please check logs"
+    exit 1
+fi

usr/local/share/bastille/rcp.sh

@@ -0,0 +1,77 @@
+#!/bin/sh
+#
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+#
+# * Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/common.sh
+. /usr/local/etc/bastille/bastille.conf
+
+usage() {
+    error_exit "Usage: bastille rcp [OPTION] TARGET CONTAINER_PATH HOST_PATH"
+}
+
+CPSOURCE="${1}"
+CPDEST="${2}"
+
+# Handle special-case commands first.
+case "$1" in
+help|-h|--help)
+    usage
+    ;;
+-q|--quiet)
+    OPTION="${1}"
+    CPSOURCE="${2}"
+    CPDEST="${3}"
+    ;;
+esac
+
+if [ $# -ne 2 ]; then
+    usage
+fi
+
+if [ "${TARGET}" = "ALL" ]; then
+    usage
+fi
+
+case "${OPTION}" in
+    -q|--quiet)
+        OPTION="-a"
+        ;;
+    *)
+        OPTION="-av"
+        ;;
+esac
+
+for _jail in ${JAILS}; do
+    info "[${_jail}]:"
+    bastille_jail_path="${bastille_jailsdir}/${_jail}/root"
+    cp "${OPTION}" "${bastille_jail_path}/${CPSOURCE}" "${CPDEST}"
+    RETURN="$?"
+    echo
+    return "${RETURN}"
+done

usr/local/share/bastille/rdr.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -32,7 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    error_exit "Usage: bastille rdr TARGET [clear|list|(tcp|udp host_port jail_port)]"
+    error_exit "Usage: bastille rdr TARGET [clear|list|(tcp|udp host_port jail_port [log ['(' logopts ')'] ] )]"
 }
 
 # Handle special-case commands first.
@@ -46,38 +46,55 @@ if [ $# -lt 2 ]; then
     usage
 fi
 
+bastille_root_check
+
 TARGET="${1}"
+JAIL_NAME=""
+JAIL_IP=""
+JAIL_IP6=""
+EXT_IF=""
 shift
 
-# Can only redirect to single jail
-if [ "${TARGET}" = 'ALL' ]; then
-    error_exit "Can only redirect to a single jail."
-fi
-
-# Check if jail name is valid
-JAIL_NAME=$(jls -j "${TARGET}" name 2>/dev/null)
-if [ -z "${JAIL_NAME}" ]; then
-    error_exit "Jail not found: ${TARGET}"
-fi
-
-# Check if jail ip4 address (ip4.addr) is valid (non-VNET only)
-if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then
-    JAIL_IP=$(jls -j "${TARGET}" ip4.addr 2>/dev/null)
-    if [ -z "${JAIL_IP}" -o "${JAIL_IP}" = "-" ]; then
-        error_exit "Jail IP not found: ${TARGET}"
+check_jail_validity() {
+    # Can only redirect to single jail
+    if [ "${TARGET}" = 'ALL' ]; then
+        error_exit "Can only redirect to a single jail."
     fi
-fi
 
-# Check if rdr-anchor is defined in pf.conf
-if ! (pfctl -sn | grep rdr-anchor | grep 'rdr/\*' >/dev/null); then
-    error_exit "rdr-anchor not found in pf.conf"
-fi
+    # Check if jail name is valid
+    JAIL_NAME=$(/usr/sbin/jls -j "${TARGET}" name 2>/dev/null)
+    if [ -z "${JAIL_NAME}" ]; then
+        error_exit "Jail not found: ${TARGET}"
+    fi
 
-# Check if ext_if is defined in pf.conf
-EXT_IF=$(grep '^[[:space:]]*ext_if[[:space:]]*=' /etc/pf.conf)
-if [ -z "${EXT_IF}" ]; then
-    error_exit "ext_if not defined in pf.conf"
-fi
+    # Check if jail ip4 address (ip4.addr) is valid (non-VNET only)
+    if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then
+        JAIL_IP=$(/usr/sbin/jls -j "${TARGET}" ip4.addr 2>/dev/null)
+        if [ -z "${JAIL_IP}" -o "${JAIL_IP}" = "-" ]; then
+            error_exit "Jail IP not found: ${TARGET}"
+        fi
+    fi
+    # Check if jail ip6 address (ip6.addr) is valid (non-VNET only)
+    if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then
+        if [ "$(bastille config $TARGET get ip6)" != 'disable' ] && [ "$(bastille config $TARGET get ip6)" != 'not set' ]; then
+            JAIL_IP6=$(/usr/sbin/jls -j "${TARGET}" ip6.addr 2>/dev/null)
+        fi
+    fi
+
+
+    # Check if rdr-anchor is defined in pf.conf
+    if ! (pfctl -sn | grep rdr-anchor | grep 'rdr/\*' >/dev/null); then
+        error_exit "rdr-anchor not found in pf.conf"
+    fi
+
+    # Check if ext_if is defined in pf.conf
+    if [ -n "${bastille_pf_conf}" ]; then
+        EXT_IF=$(grep "^[[:space:]]*${bastille_network_pf_ext_if}[[:space:]]*=" ${bastille_pf_conf})
+        if [ -z "${EXT_IF}" ]; then
+            error_exit "bastille_network_pf_ext_if (${bastille_network_pf_ext_if}) not defined in pf.conf"
+        fi
+    fi
+}
 
 # function: write rule to rdr.conf
 persist_rdr_rule() {
@@ -86,30 +103,111 @@ if ! grep -qs "$1 $2 $3" "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"; then
 fi
 }
 
+persist_rdr_log_rule() {
+proto=$1;host_port=$2;jail_port=$3;
+shift 3;
+log=$@;
+if ! grep -qs "$proto $host_port $jail_port $log" "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"; then
+    echo "$proto $host_port $jail_port $log" >> "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"
+fi
+}
+
+
 # function: load rdr rule via pfctl
 load_rdr_rule() {
 ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
-  printf '%s\nrdr pass on $ext_if inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "$1" "$2" "$JAIL_IP" "$3" ) \
+  printf '%s\nrdr pass on $%s inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "${bastille_network_pf_ext_if}" "$1" "$2" "$JAIL_IP" "$3" ) \
       | pfctl -a "rdr/${JAIL_NAME}" -f-
+if [ -n "$JAIL_IP6" ]; then
+  ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
+  printf '%s\nrdr pass on $%s inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "${bastille_network_pf_ext_if}" "$1" "$2" "$JAIL_IP6" "$3" ) \
+    | pfctl -a "rdr/${JAIL_NAME}" -f-
+fi
+}
+
+# function: load rdr rule with log via pfctl
+load_rdr_log_rule() {
+proto=$1;host_port=$2;jail_port=$3;
+shift 3;
+log=$@
+( pfctl -a "rdr/${JAIL_NAME}" -Psn;
+  printf '%s\nrdr pass %s on $%s inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "$log" "${bastille_network_pf_ext_if}" "$proto" "$host_port" "$JAIL_IP" "$jail_port" ) \
+      | pfctl -a "rdr/${JAIL_NAME}" -f-
+if [ -n "$JAIL_IP6" ]; then
+  ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
+  printf '%s\nrdr pass %s on $%s inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "$log" "${bastille_network_pf_ext_if}" "$proto" "$host_port" "$JAIL_IP6" "$jail_port" ) \
+    | pfctl -a "rdr/${JAIL_NAME}" -f-
+fi
+
 }
 
 while [ $# -gt 0 ]; do
     case "$1" in
         list)
-            pfctl -a "rdr/${JAIL_NAME}" -Psn 2>/dev/null
+            if [ "${TARGET}" = 'ALL' ]; then
+                for JAIL_NAME in $(ls "${bastille_jailsdir}" | sed "s/\n//g"); do
+                    echo "${JAIL_NAME} redirects:"
+                    pfctl -a "rdr/${JAIL_NAME}" -Psn 2>/dev/null
+                done
+            else
+                check_jail_validity
+                pfctl -a "rdr/${JAIL_NAME}" -Psn 2>/dev/null
+            fi
             shift
             ;;
         clear)
-            pfctl -a "rdr/${JAIL_NAME}" -Fn
+            if [ "${TARGET}" = 'ALL' ]; then
+                for JAIL_NAME in $(ls "${bastille_jailsdir}" | sed "s/\n//g"); do
+                    echo "${JAIL_NAME} redirects:"
+                    pfctl -a "rdr/${JAIL_NAME}" -Fn
+                done
+            else
+                check_jail_validity
+                pfctl -a "rdr/${JAIL_NAME}" -Fn
+            fi
             shift
             ;;
         tcp|udp)
             if [ $# -lt 3 ]; then
                 usage
+            elif [ $# -eq 3 ]; then
+                check_jail_validity
+                persist_rdr_rule $1 $2 $3
+                load_rdr_rule $1 $2 $3
+                shift 3
+            else
+                case "$4" in
+                    log)
+                        proto=$1
+                        host_port=$2
+                        jail_port=$3
+                        shift 3
+                        if [ $# -gt 3 ]; then
+                            for last in $@; do
+                                true
+                            done
+                            if [ $2 == "(" ] && [ $last == ")" ] ; then
+                                check_jail_validity
+                                persist_rdr_log_rule $proto $host_port $jail_port $@
+                                load_rdr_log_rule $proto $host_port $jail_port $@
+                                shift $#
+                            else
+                                usage
+                            fi
+                        elif [ $# -eq 1 ]; then
+                            check_jail_validity
+                            persist_rdr_log_rule $proto $host_port $jail_port $@
+                            load_rdr_log_rule $proto $host_port $jail_port $@
+                            shift 1
+                        else
+                            usage
+                        fi
+                        ;;
+                    *)
+                        usage
+                        ;;
+                esac
             fi
-            persist_rdr_rule $1 $2 $3
-            load_rdr_rule $1 $2 $3
-            shift 3
             ;;
         *)
             usage

usr/local/share/bastille/rename.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -56,6 +56,8 @@ if [ $# -ne 1 ]; then
     usage
 fi
 
+bastille_root_check
+
 NEWNAME="${1}"
 
 update_jailconf() {
@@ -68,6 +70,9 @@ update_jailconf() {
             sed -i '' "s|path.*=.*;|path = ${bastille_jailsdir}/${NEWNAME}/root;|" "${JAIL_CONFIG}"
             sed -i '' "s|mount.fstab.*=.*;|mount.fstab = ${bastille_jailsdir}/${NEWNAME}/fstab;|" "${JAIL_CONFIG}"
             sed -i '' "s|${TARGET}.*{|${NEWNAME} {|" "${JAIL_CONFIG}"
+            # Rename vnet interface
+            sed -i '' "/vnet.interface/s|_${TARGET}\";|_${NEWNAME}\";|" "${JAIL_CONFIG}"
+            sed -i '' "/ifconfig/s|_${TARGET}|_${NEWNAME}|" "${JAIL_CONFIG}"
         fi
     fi
 }
@@ -76,13 +81,22 @@ update_fstab() {
     # Update fstab to use the new name
     FSTAB_CONFIG="${bastille_jailsdir}/${NEWNAME}/fstab"
     if [ -f "${FSTAB_CONFIG}" ]; then
-        FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
-        FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" "${FSTAB_CONFIG}")
-        FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0"
-        if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
-            # If both variables are set, update as needed
-            if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${NEWNAME}/root/.bastille" "${FSTAB_CONFIG}"; then
-                sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}"
+        # Skip if fstab is empty, e.g newly created thick or clone jails
+        if [ -s "${FSTAB_CONFIG}" ]; then
+            FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-9])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
+            FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" "${FSTAB_CONFIG}")
+            FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0"
+            if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
+                # If both variables are set, update as needed
+                if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${NEWNAME}/root/.bastille" "${FSTAB_CONFIG}"; then
+                    sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}"
+                fi
+            fi
+
+            # Update linuxjail fstab name entries
+            # Search for either linprocfs/linsysfs, if true assume is a linux jail
+            if grep -qwE "linprocfs|linsysfs" "${FSTAB_CONFIG}"; then
+                sed -i '' "s|.${bastille_jailsdir}/${TARGET}/|${bastille_jailsdir}/${NEWNAME}/|" "${FSTAB_CONFIG}"
             fi
         fi
     fi
@@ -91,7 +105,7 @@ update_fstab() {
 change_name() {
     # Attempt container name change
     info "Attempting to rename '${TARGET}' to ${NEWNAME}..."
-    if [ "${bastille_zfs_enable}" = "YES" ]; then
+    if checkyesno bastille_zfs_enable; then
         if [ -n "${bastille_zfs_zpool}" ] && [ -n "${bastille_zfs_prefix}" ]; then
             # Check and rename container ZFS dataset accordingly
             # Perform additional checks in case of non-ZFS existing containers

usr/local/share/bastille/restart.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/service.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -41,10 +41,12 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -ne 2 ]; then
+if [ $# -lt 1 -o $# -gt 2 ]; then
     usage
 fi
 
+bastille_root_check
+
 for _jail in ${JAILS}; do
     info "[${_jail}]:"
     jexec -l "${_jail}" /usr/sbin/service "$@"

usr/local/share/bastille/setup.sh

@@ -0,0 +1,144 @@
+#!/bin/sh
+#
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+#
+# * Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/common.sh
+. /usr/local/etc/bastille/bastille.conf
+
+usage() {
+    error_exit "Usage: bastille setup [pf|bastille0|zfs|vnet]"
+}
+
+# Check for too many args
+if [ $# -gt 1 ]; then
+    usage
+fi
+
+# Configure bastille0 network interface
+configure_bastille0() {
+    info "Configuring bastille0 loopback interface"
+    sysrc cloned_interfaces+=lo1
+    sysrc ifconfig_lo1_name="bastille0"
+
+    info "Bringing up new interface: bastille0"
+    service netif cloneup
+}
+
+configure_vnet() {
+    info "Configuring bridge interface"
+    sysrc cloned_interfaces+=bridge1
+    sysrc ifconfig_bridge1_name=bastille1
+
+    info "Bringing up new interface: bastille1"
+    service netif cloneup
+
+    if [ ! -f /etc/devfs.rules ]; then
+        info "Creating bastille_vnet devfs.rules"
+        cat << EOF > /etc/devfs.rules
+[bastille_vnet=13]
+add include \$devfsrules_hide_all
+add include \$devfsrules_unhide_basic
+add include \$devfsrules_unhide_login
+add include \$devfsrules_jail
+add include \$devfsrules_jail_vnet
+add path 'bpf*' unhide
+EOF
+    fi
+}
+
+# Configure pf firewall
+configure_pf() {
+if [ ! -f "${bastille_pf_conf}" ]; then
+    local ext_if
+    ext_if=$(netstat -rn | awk '/default/ {print $4}' | head -n1)
+    info "Determined default network interface: ($ext_if)"
+    info "${bastille_pf_conf} does not exist: creating..." 
+    
+    ## creating pf.conf
+    cat << EOF > ${bastille_pf_conf}
+## generated by bastille setup
+ext_if="$ext_if"
+
+set block-policy return
+scrub in on \$ext_if all fragment reassemble
+set skip on lo
+
+table <jails> persist
+nat on \$ext_if from <jails> to any -> (\$ext_if:0)
+rdr-anchor "rdr/*"
+
+block in all
+pass out quick keep state
+antispoof for \$ext_if inet
+pass in inet proto tcp from any to any port ssh flags S/SA keep state
+EOF
+    sysrc pf_enable=YES
+else
+    error_exit "${bastille_pf_conf} already exists. Exiting."
+fi
+}
+
+# Configure ZFS
+configure_zfs() {
+    if [ ! "$(kldstat -m zfs)" ]; then
+        info "ZFS module not loaded; skipping..."
+    else
+        ## attempt to determine bastille_zroot from `zpool list`
+        bastille_zroot=$(zpool list | grep -v NAME | awk '{print $1}')
+        sysrc -f "${bastille_prefix}/bastille.conf" bastille_zfs_enable=YES
+        sysrc -f "${bastille_prefix}/bastille.conf" bastille_zfs_zpool="${bastille_zroot}"
+    fi
+}
+
+# Run all base functions (w/o vnet) if no args
+if [ $# -eq 0 ]; then
+    sysrc bastille_enable=YES
+    configure_bastille0
+    configure_pf
+    configure_zfs
+fi
+
+# Handle special-case commands first.
+case "$1" in
+help|-h|--help)
+    usage
+    ;;
+pf|firewall)
+    configure_pf
+    ;;
+bastille0|loopback)
+    configure_bastille0
+    ;;
+zfs|storage)
+    configure_zfs
+    ;;
+bastille1|vnet|bridge)
+    configure_vnet
+    ;;
+esac

usr/local/share/bastille/start.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -46,6 +46,8 @@ if [ $# -gt 1 ] || [ $# -lt 1 ]; then
     usage
 fi
 
+bastille_root_check
+
 TARGET="${1}"
 shift
 
@@ -62,11 +64,11 @@ fi
 
 for _jail in ${JAILS}; do
     ## test if running
-    if [ "$(jls name | awk "/^${_jail}$/")" ]; then
+    if [ "$(/usr/sbin/jls name | awk "/^${_jail}$/")" ]; then
         error_notify "[${_jail}]: Already started."
 
     ## test if not running
-    elif [ ! "$(jls name | awk "/^${_jail}$/")" ]; then
+    elif [ ! "$(/usr/sbin/jls name | awk "/^${_jail}$/")" ]; then
         # Verify that the configured interface exists. -- cwells
         if [ "$(bastille config $_jail get vnet)" != 'enabled' ]; then
             _interface=$(bastille config $_jail get interface)
@@ -77,12 +79,14 @@ for _jail in ${JAILS}; do
         fi
 
         ## warn if matching configured (but not online) ip4.addr, ignore if there's no ip4.addr entry
-        ip=$(grep 'ip4.addr' "${bastille_jailsdir}/${_jail}/jail.conf" | awk '{print $3}' | sed 's/\;//g')
+        ip=$(bastille config "${_jail}" get ip4.addr)
         if [ -n "${ip}" ]; then
-            if ifconfig | grep -w "${ip}" >/dev/null; then
+            if ifconfig | grep -wF "${ip}" >/dev/null; then
                 error_notify "Error: IP address (${ip}) already in use."
                 continue
             fi
+            ## add ip4.addr to firewall table
+            pfctl -q -t "${bastille_network_pf_table}" -T add "${ip}"
         fi
 
         ## start the container
@@ -102,13 +106,6 @@ for _jail in ${JAILS}; do
                 bastille rdr "${_jail}" ${_rules}
             done < "${bastille_jailsdir}/${_jail}/rdr.conf"
         fi
-
-        ## add ip4.addr to firewall table:jails
-        if [ -n "${bastille_network_loopback}" ]; then
-            if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then
-                pfctl -q -t jails -T add "$(jls -j ${_jail} ip4.addr)"
-            fi
-        fi
     fi
     echo
 done

usr/local/share/bastille/stop.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -46,19 +46,20 @@ if [ $# -ne 0 ]; then
     usage
 fi
 
+bastille_root_check
+
 for _jail in ${JAILS}; do
     ## test if running
-    if [ "$(jls name | awk "/^${_jail}$/")" ]; then
-        ## remove ip4.addr from firewall table:jails
-        if [ -n "${bastille_network_loopback}" ]; then
-            if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then
-                pfctl -q -t jails -T delete "$(jls -j ${_jail} ip4.addr)"
+    if [ "$(/usr/sbin/jls name | awk "/^${_jail}$/")" ]; then
+        ## Capture ip4.addr address while still running
+        _ip="$(/usr/sbin/jls -j ${_jail} ip4.addr)"
+
+        # Check if pfctl is present
+        if which -s pfctl; then
+            if [ "$(bastille rdr ${_jail} list)" ]; then
+                bastille rdr ${_jail} clear
             fi
         fi
-        
-        if [ "$(bastille rdr ${_jail} list)" ]; then
-            bastille rdr ${_jail} clear
-        fi
 
         ## remove rctl limits
         if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then
@@ -70,6 +71,13 @@ for _jail in ${JAILS}; do
         ## stop container
         info "[${_jail}]:"
         jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r "${_jail}"
+
+        ## remove (captured above) ip4.addr from firewall table
+        if [ -n "${bastille_network_loopback}" -a ! -z "${_ip}" ]; then
+            if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then
+                pfctl -q -t "${bastille_network_pf_table}" -T delete "${_ip}"
+            fi
+        fi
     fi
     echo
 done

usr/local/share/bastille/sysrc.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -45,6 +45,8 @@ if [ $# -lt 1 ]; then
     usage
 fi
 
+bastille_root_check
+
 for _jail in ${JAILS}; do
     info "[${_jail}]:"
     jexec -l "${_jail}" /usr/sbin/sysrc "$@"

usr/local/share/bastille/tags.sh

@@ -0,0 +1,104 @@
+#!/bin/sh
+#
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
+# All rights reserved.
+# Ressource limits added by Lars Engels github.com/bsdlme
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+#
+# * Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/common.sh
+. /usr/local/etc/bastille/bastille.conf
+
+usage() {
+    error_notify "Usage: bastille tags TARGET add tag1[,tag2,...]"
+    error_notify "       bastille tags TARGET delete tag1[,tag2,...]"
+    error_notify "       bastille tags TARGET list [tag]"
+    echo -e "Example: bastille tags JAILNAME add database,mysql"
+    echo -e "         bastille tags JAILNAME delete mysql"
+    echo -e "         bastille tags ALL list"
+    echo -e "         bastille tags ALL list mysql"
+    exit 1
+}
+
+# Handle special-case commands first.
+case "$1" in
+help|-h|--help)
+    usage
+    ;;
+esac
+
+if [ $# -lt 1 -o $# -gt 2 ]; then
+    usage
+fi
+
+bastille_root_check
+
+ACTION="${1}"
+TAGS="${2}"
+
+for _jail in ${JAILS}; do
+    bastille_jail_tags="${bastille_jailsdir}/${_jail}/tags"
+    case ${ACTION} in
+        add)
+        for _tag in $(echo ${TAGS} | tr , ' '); do
+            echo ${_tag} >> "${bastille_jail_tags}"
+            tmpfile="$(mktemp)"
+            sort "${bastille_jail_tags}" | uniq > "${tmpfile}"
+            mv "${tmpfile}" "${bastille_jail_tags}"
+        done
+        ;;
+        del*)
+        for _tag in $(echo ${TAGS} | tr , ' '); do
+            [ ! -f "${bastille_jail_tags}" ] && break # skip if no tags file
+            tmpfile="$(mktemp)"
+            grep -Ev "^${_tag}\$" "${bastille_jail_tags}" > "${tmpfile}"
+            mv "${tmpfile}" "${bastille_jail_tags}"
+            # delete tags file if empty
+            [ ! -s "${bastille_jail_tags}" ] && rm "${bastille_jail_tags}"
+        done
+        ;;
+        list)
+        if [ -n "${TAGS}" ]; then
+            [ -n "$(echo ${TAGS} | grep ,)" ] && usage # Only one tag per query
+            [ ! -f "${bastille_jail_tags}" ] && continue # skip if there is no tags file
+            grep -qE "^${TAGS}\$" "${bastille_jail_tags}"
+            if [ $? -eq 0 ]; then
+              echo "${_jail}"
+              continue
+            fi
+        else
+            if [ -f "${bastille_jail_tags}" ]; then
+                echo -n "${_jail}: "
+                xargs < "${bastille_jail_tags}"
+            fi
+        fi
+        ;;
+        *)
+        usage
+        ;;
+    esac
+done
+

usr/local/share/bastille/template.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -116,6 +116,8 @@ if [ $# -lt 1 ]; then
     bastille_usage
 fi
 
+bastille_root_check
+
 ## global variables
 TEMPLATE="${1}"
 bastille_template=${bastille_templatesdir}/${TEMPLATE}
@@ -173,7 +175,7 @@ if [ "${TARGET}" = '--convert' ]; then
 fi
 
 case ${TEMPLATE} in
-    http?://github.com/*/*|http?://gitlab.com/*/*)
+    http?://*/*/*)
         TEMPLATE_DIR=$(echo "${TEMPLATE}" | awk -F / '{ print $4 "/" $5 }')
         if [ ! -d "${bastille_templatesdir}/${TEMPLATE_DIR}" ]; then
             info "Bootstrapping ${TEMPLATE}..."
@@ -186,7 +188,11 @@ case ${TEMPLATE} in
         ;;
     */*)
         if [ ! -d "${bastille_templatesdir}/${TEMPLATE}" ]; then
-            error_exit "${TEMPLATE} not found."
+            if [ ! -d ${TEMPLATE} ]; then
+                error_exit "${TEMPLATE} not found."
+            else
+                bastille_template=${TEMPLATE}
+            fi
         fi
         ;;
     *)
@@ -222,9 +228,10 @@ for _jail in ${JAILS}; do
     info "Applying template: ${TEMPLATE}..."
 
     ## jail-specific variables.
-    bastille_jail_path=$(jls -j "${_jail}" path)
+    bastille_jail_path=$(/usr/sbin/jls -j "${_jail}" path)
     if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then
-        _jail_ip=$(jls -j "${_jail}" ip4.addr 2>/dev/null)
+        _jail_ip=$(/usr/sbin/jls -j "${_jail}" ip4.addr 2>/dev/null)
+        _jail_ip6=$(/usr/sbin/jls -j "${_jail}" ip6.addr 2>/dev/null)
         if [ -z "${_jail_ip}" -o "${_jail_ip}" = "-" ]; then
             error_notify "Jail IP not found: ${_jail}"
             _jail_ip='' # In case it was -. -- cwells
@@ -247,7 +254,7 @@ for _jail in ${JAILS}; do
 
     # Build a list of sed commands like this: -e 's/${username}/root/g' -e 's/${domain}/example.com/g'
     # Values provided by default (without being defined by the user) are listed here. -- cwells
-    ARG_REPLACEMENTS="-e 's/\${JAIL_IP}/${_jail_ip}/g' -e 's/\${JAIL_NAME}/${_jail}/g'"
+    ARG_REPLACEMENTS="-e 's/\${JAIL_IP}/${_jail_ip}/g' -e 's/\${JAIL_IP6}/${_jail_ip6}/g' -e 's/\${JAIL_NAME}/${_jail}/g'"
     # This is parsed outside the HOOKS loop so an ARG file can be used with a Bastillefile. -- cwells
     if [ -s "${bastille_template}/ARG" ]; then
         while read _line; do

usr/local/share/bastille/templates/default/clone/Bastillefile

@@ -0,0 +1,4 @@
+ARG BASE_TEMPLATE=default/base
+ARG HOST_RESOLV_CONF=/etc/resolv.conf
+
+INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}"

usr/local/share/bastille/templates/default/linux/Bastillefile

@@ -0,0 +1,14 @@
+PRE mkdir -p home
+PRE mkdir -p tmp
+
+
+FSTAB devfs           root/dev      devfs           rw                      0       0
+FSTAB tmpfs           dev/shm  tmpfs           rw,size=1g,mode=1777    0       0
+FSTAB fdescfs         dev/fd   fdescfs         rw,linrdlnk             0       0
+FSTAB linprocfs       proc     linprocfs       rw                      0       0
+FSTAB linsysfs        sys      linsysfs        rw                      0       0
+FSTAB /tmp            tmp      nullfs          rw                      0       0
+FSTAB /home           home     nullfs          rw                      0       0
+
+CMD mkdir etc/apt/apt.conf.d/00aptitude
+CMD echo "APT::Cache-Start 251658240;" > etc/apt/apt.conf.d/00aptitude

usr/local/share/bastille/templates/default/vnet/Bastillefile

@@ -5,9 +5,11 @@ INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}"
 
 ARG EPAIR
 ARG GATEWAY
+ARG GATEWAY6
 ARG IFCONFIG="SYNCDHCP"
 
 SYSRC ifconfig_${EPAIR}_name=vnet0
 SYSRC ifconfig_vnet0="${IFCONFIG}"
 # GATEWAY will be empty for a DHCP config. -- cwells
 CMD if [ -n "${GATEWAY}" ]; then /usr/sbin/sysrc defaultrouter="${GATEWAY}"; fi
+CMD if [ -n "${GATEWAY6}" ]; then /usr/sbin/sysrc ipv6_defaultrouter="${GATEWAY6}"; fi

usr/local/share/bastille/top.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -45,6 +45,8 @@ if [ $# -ne 0 ]; then
     usage
 fi
 
+bastille_root_check
+
 for _jail in ${JAILS}; do
     info "[${_jail}]:"
     jexec -l "${_jail}" /usr/bin/top

usr/local/share/bastille/umount.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -46,6 +46,8 @@ if [ $# -ne 1 ]; then
     usage
 fi
 
+bastille_root_check
+
 MOUNT_PATH=$1
 
 for _jail in ${JAILS}; do

usr/local/share/bastille/update.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -32,7 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    error_exit "Usage: bastille update [release|container] | [option]"
+    error_exit "Usage: bastille update [release|container|template] | [force]"
 }
 
 # Handle special-case commands first.
@@ -46,6 +46,8 @@ if [ $# -gt 2 ] || [ $# -lt 1 ]; then
     usage
 fi
 
+bastille_root_check
+
 TARGET="${1}"
 OPTION="${2}"
 
@@ -64,13 +66,25 @@ if [ "${TARGET}" = "ALL" ]; then
     error_exit "Batch upgrade is unsupported."
 fi
 
+if [ -f "/bin/midnightbsd-version" ]; then
+    echo -e "${COLOR_RED}Not yet supported on MidnightBSD.${COLOR_RESET}"
+    exit 1
+fi
+
 if freebsd-version | grep -qi HBSD; then
     error_exit "Not yet supported on HardenedBSD."
 fi
 
+# Check for alternate/unsupported archs
+arch_check() {
+    if echo "${TARGET}" | grep -w "[0-9]\{1,2\}\.[0-9]\-RELEASE\-i386"; then
+        ARCH_I386="1"
+    fi
+}
+
 jail_check() {
     # Check if the jail is thick and is running
-    if [ ! "$(jls name | awk "/^${TARGET}$/")" ]; then
+    if [ ! "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
         error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'."
     else
         if grep -qw "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
@@ -98,15 +112,63 @@ jail_update() {
 release_update() {
     # Update a release base(affects child containers)
     if [ -d "${bastille_releasesdir}/${TARGET}" ]; then
+        TARGET_TRIM="${TARGET}"
+        if [ -n "${ARCH_I386}" ]; then
+            TARGET_TRIM=$(echo "${TARGET}" | sed 's/-i386//')
+        fi
+
         env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron -b "${bastille_releasesdir}/${TARGET}" \
-        fetch install --currently-running "${TARGET}"
+        fetch --currently-running "${TARGET_TRIM}"
+        env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron -b "${bastille_releasesdir}/${TARGET}" \
+        install --currently-running "${TARGET_TRIM}"
     else
         error_exit "${TARGET} not found. See 'bastille bootstrap'."
     fi
 }
 
+template_update() {
+    # Update a template
+    _template_path=${bastille_templatesdir}/${BASTILLE_TEMPLATE}
+    if [ -d $_template_path ]; then
+        info "[${BASTILLE_TEMPLATE}]:"
+        git -C $_template_path pull ||\
+            error_notify "${BASTILLE_TEMPLATE} update unsuccessful."    
+
+        bastille verify "${BASTILLE_TEMPLATE}"
+    else 
+        error_exit "${BASTILLE_TEMPLATE} not found. See 'bastille bootstrap'."
+    fi
+}
+
+templates_update() {
+    # Update all templates
+    _updated_templates=0
+    if [ -d  ${bastille_templatesdir} ]; then
+        for _template_path in $(ls -d ${bastille_templatesdir}/*/*); do
+            if [ -d $_template_path/.git ]; then
+                BASTILLE_TEMPLATE=$(echo "$_template_path" | awk -F / '{ print $(NF-1) "/" $NF }')
+                template_update
+
+                _updated_templates=$((_updated_templates+1))
+            fi
+        done
+    fi
+
+    if [ "$_updated_templates" -ne "0" ]; then
+        info "$_updated_templates templates updated."
+    else 
+        error_exit "no templates found. See 'bastille bootstrap'."
+    fi
+}
+
 # Check what we should update
-if echo "${TARGET}" | grep -q "[0-9]\{2\}.[0-9]-RELEASE"; then
+if [ "${TARGET}" = 'TEMPLATES' ]; then
+    templates_update
+elif echo "${TARGET}" | grep -Eq '^[A-Za-z0-9_-]+/[A-Za-z0-9_-]+$'; then
+    BASTILLE_TEMPLATE="${TARGET}"
+    template_update
+elif echo "${TARGET}" | grep -q "[0-9]\{2\}.[0-9]-RELEASE"; then
+    arch_check
     release_update
 else
     jail_update

usr/local/share/bastille/upgrade.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -32,7 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    error_exit "Usage: bastille upgrade release newrelease | target newrelease | target install | [option]"
+    error_exit "Usage: bastille upgrade release newrelease | target newrelease | target install | [force]"
 }
 
 # Handle special-case commands first.
@@ -46,6 +46,8 @@ if [ $# -gt 3 ] || [ $# -lt 2 ]; then
     usage
 fi
 
+bastille_root_check
+
 TARGET="$1"
 NEWRELEASE="$2"
 OPTION="$3"
@@ -55,6 +57,11 @@ if [ "${TARGET}" = "ALL" ]; then
     error_exit "Batch upgrade is unsupported."
 fi
 
+if [ -f "/bin/midnightbsd-version" ]; then
+    echo -e "${COLOR_RED}Not yet supported on MidnightBSD.${COLOR_RESET}"
+    exit 1
+fi
+
 if freebsd-version | grep -qi HBSD; then
     error_exit "Not yet supported on HardenedBSD."
 fi
@@ -71,7 +78,7 @@ esac
 
 jail_check() {
     # Check if the jail is thick and is running
-    if [ ! "$(jls name | awk "/^${TARGET}$/")" ]; then
+    if [ ! "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
         error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'."
     else
         if grep -qw "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
@@ -82,7 +89,7 @@ jail_check() {
 
 release_check() {
     # Validate the release
-    if ! echo "${NEWRELEASE}" | grep -q "[0-9]\{2\}.[0-9]-RELEASE"; then
+    if ! echo "${NEWRELEASE}" | grep -q "[0-9]\{2\}.[0-9]-[RELEASE,BETA,RC]"; then
         error_exit "${NEWRELEASE} is not a valid release."
     fi
 }

usr/local/share/bastille/verify.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -36,6 +36,10 @@ bastille_usage() {
 }
 
 verify_release() {
+    if [ -f "/bin/midnightbsd-version" ]; then
+        echo -e "${COLOR_RED}Not yet supported on MidnightBSD.${COLOR_RESET}"
+        exit 1
+    fi
     if freebsd-version | grep -qi HBSD; then
         error_exit "Not yet supported on HardenedBSD."
     fi
@@ -47,6 +51,22 @@ verify_release() {
     fi
 }
 
+handle_template_include() {
+    case ${TEMPLATE_INCLUDE} in
+        http?://*/*/*)
+            bastille bootstrap "${TEMPLATE_INCLUDE}"
+        ;;
+        */*)
+            BASTILLE_TEMPLATE_USER=$(echo "${TEMPLATE_INCLUDE}" | awk -F / '{ print $1 }')
+            BASTILLE_TEMPLATE_REPO=$(echo "${TEMPLATE_INCLUDE}" | awk -F / '{ print $2 }')
+            bastille verify "${BASTILLE_TEMPLATE_USER}/${BASTILLE_TEMPLATE_REPO}"
+        ;;
+        *)
+            error_exit "Template INCLUDE content not recognized."
+    ;;
+    esac
+}
+
 verify_template() {
     _template_path=${bastille_templatesdir}/${BASTILLE_TEMPLATE}
     _hook_validate=0
@@ -65,42 +85,42 @@ verify_template() {
                 echo
                 error_exit "Template validation failed."
             ## if INCLUDE; recursive verify
-            elif [ ${_hook} = 'INCLUDE' ]; then
+            elif [ "${_hook}" = 'INCLUDE' ]; then
                 info "[${_hook}]:"
                 cat "${_path}"
                 echo
                 while read _include; do
                     info "[${_hook}]:[${_include}]:"
-
-                    case ${_include} in
-                        http?://github.com/*/*|http?://gitlab.com/*/*)
-                            bastille bootstrap "${_include}"
-                        ;;
-                        */*)
-                            BASTILLE_TEMPLATE_USER=$(echo "${_include}" | awk -F / '{ print $1 }')
-                            BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $2 }')
-                            bastille verify "${BASTILLE_TEMPLATE_USER}/${BASTILLE_TEMPLATE_REPO}"
-                        ;;
-                        *)
-                            error_exit "Template INCLUDE content not recognized."
-                    ;;
-                    esac
+                    TEMPLATE_INCLUDE="${_include}"
+                    handle_template_include
                 done < "${_path}"
 
             ## if tree; tree -a bastille_template/_dir
-            elif [ ${_hook} = 'OVERLAY' ]; then
+            elif [ "${_hook}" = 'OVERLAY' ]; then
                 info "[${_hook}]:"
                 cat "${_path}"
                 echo
                 while read _dir; do
                     info "[${_hook}]:[${_dir}]:"
-                        if [ -x /usr/local/bin/tree ]; then
+                        if [ -x "/usr/local/bin/tree" ]; then
                             /usr/local/bin/tree -a "${_template_path}/${_dir}"
                         else
                            find "${_template_path}/${_dir}" -print | sed -e 's;[^/]*/;|___;g;s;___|; |;g'
                         fi
                     echo
                 done < "${_path}"
+            elif [ "${_hook}" = 'Bastillefile' ]; then
+                info "[${_hook}]:"
+                cat "${_path}"
+                while read _line; do
+                    _cmd=$(echo "${_line}" | awk '{print tolower($1);}')
+                    ## if include; recursive verify
+                    if [ "${_cmd}" = 'include' ]; then
+                        TEMPLATE_INCLUDE=$(echo "${_line}" | awk '{print $2;}')
+                        handle_template_include
+                    fi
+                done < "${_path}"
+                echo
             else
                 info "[${_hook}]:"
                 cat "${_path}"
@@ -110,7 +130,7 @@ verify_template() {
     done
 
     ## remove bad templates
-    if [ ${_hook_validate} -lt 1 ]; then
+    if [ "${_hook_validate}" -lt 1 ]; then
         error_notify "No valid template hooks found."
         error_notify "Template discarded."
         rm -rf "${bastille_template}"
@@ -118,7 +138,7 @@ verify_template() {
     fi
 
     ## if validated; ready to use
-    if [ ${_hook_validate} -gt 0 ]; then
+    if [ "${_hook_validate}" -gt 0 ]; then
         info "Template ready to use."
     fi
 }
@@ -134,8 +154,10 @@ if [ $# -gt 1 ] || [ $# -lt 1 ]; then
     bastille_usage
 fi
 
+bastille_root_check
+
 case "$1" in
-*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
+*-RELEASE|*-release|*-RC[1-9]|*-rc[1-9])
     RELEASE=$1
     verify_release
     ;;

usr/local/share/bastille/zfs.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2023, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -43,6 +43,14 @@ for _jail in ${JAILS}; do
 done
 }
 
+zfs_destroy_snapshot() {
+for _jail in ${JAILS}; do
+    info "[${_jail}]:"
+    zfs destroy -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"@"${TAG}"
+    echo
+done
+}
+
 zfs_set_value() {
 for _jail in ${JAILS}; do
     info "[${_jail}]:"
@@ -74,8 +82,10 @@ help|-h|--help)
     ;;
 esac
 
+bastille_root_check
+
 ## check ZFS enabled
-if [ ! "${bastille_zfs_enable}" = "YES" ]; then
+if ! checkyesno bastille_zfs_enable; then
     error_exit "ZFS not enabled."
 fi
 
@@ -101,6 +111,10 @@ snap|snapshot)
     TAG=$2
     zfs_snapshot
     ;;
+destroy_snap|destroy_snapshot)
+    TAG=$2
+    zfs_destroy_snapshot
+    ;;
 df|usage)
     zfs_disk_usage
     ;;