Merge pull request #529 from BastilleBSD/fete_nationale_2022

prepare for fete nationale 2022
2022-07-13 21:32:33 -06:00 · 2022-07-13 21:30:04 -06:00 · 2022-07-10 20:23:44 -06:00 · 2022-07-10 20:23:22 -06:00 · 2022-06-20 06:35:02 -05:00 · 2022-06-20 06:30:42 -05:00
51 changed files with 1086 additions and 479 deletions
--- a/.readthedocs.yaml
+++ b/.readthedocs.yaml
@@ -0,0 +1,9 @@
 version: 2
 sphinx:
  configuration: docs/conf.py
 python:
  version: 3.7
  install:
    - requirements: docs/requirements.txt
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -22,6 +22,12 @@ Christer Edwards [christer.edwards@gmail.com]
 - Petru T. Garstea
 - Sven R.
 - Tobias Tom
 - Stefano Marinelli
 - Logan Ellis
 - Chuck Tuffli
 - Niketh Murali
 - Eric Borisch
 - Kevet Duncombe
 ### Special thanks
 Software doesn't happen in a vacuum. Thank you to the following people who may
--- a/2
+++ b/2
@@ -1,6 +1,6 @@
 BSD 3-Clause License
-Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 All rights reserved.
 Redistribution and use in source and binary forms, with or without
--- a/README.md
+++ b/README.md
@@ -292,11 +292,11 @@ bootstrapping templates from GitHub or GitLab.
 See `bastille update` to ensure your bootstrapped releases include the latest
 patches.
-** Ubuntu Linux [new since 0.9] **
+**Ubuntu Linux [new since 0.9]**
 The bootstrap process for Linux containers is very different from the BSD process.
 You will need the package debootstrap and some kernel modules for that.
-But don't worry, Bastille will do that for that for you.
+But don't worry, Bastille will do that for you.
 ```shell
 ishmael ~ # bastille bootstrap focal
@@ -735,8 +735,8 @@ After populating `usr/local/` with custom config files that your container will
 use, be sure to include `usr` in the template OVERLAY definition. eg;
 ```shell
-echo "CP etc" >> /usr/local/bastille/templates/username/base/Bastillefile
+echo "OVERLAY etc" >> /usr/local/bastille/templates/username/base/Bastillefile
-echo "CP usr" >> /usr/local/bastille/templates/username/base/Bastillefile
+echo "OVERLAY usr" >> /usr/local/bastille/templates/username/base/Bastillefile
 ```
 The above example will include anything under "etc" and "usr" inside
--- a/5
+++ b/5
@@ -9,8 +9,8 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
    vm_config.ssh.shell = "sh"
-    vm_config.vm.box = "freebsd/FreeBSD-12.1-RELEASE"
+    vm_config.vm.box = "freebsd/FreeBSD-13.0-RELEASE"
-    vm_config.vm.box_version = "2019.11.01"
+    vm_config.vm.box_version = "2021.04.09"
    vm_config.vm.provider "virtualbox" do |vb|
      vb.name = "bastille"
@@ -19,6 +19,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
    end
    vm_config.vm.provision "shell", inline: "cd /vagrant; make install"
    vm_config.vm.provision "shell", inline: "pkg install -y git-lite"
  end
 end
--- a/docs/chapters/bastilletweet.png
+++ b/docs/chapters/bastilletweet.png
--- a/docs/chapters/installation.rst
+++ b/docs/chapters/installation.rst
@@ -4,7 +4,7 @@ Bastille is available in the official FreeBSD ports tree at
 `sysutils/bastille`. Binary packages available in `quarterly` and `latest`
 repositories.
-Current version is `0.9.20210714`.
+Current version is `0.9.20220714`.
 To install from the FreeBSD package repository:
--- a/docs/chapters/networking.rst
+++ b/docs/chapters/networking.rst
@@ -109,6 +109,18 @@ To define a default route / gateway for all VNET containers define the value in
 This config change will apply the defined gateway to any new containers.
 Existing containers will need to be manually updated.
 Virtual Network (VNET) on External Bridge
 --------------------------------------
 To create a VNET based container and attach it to an external, already existing bridge, use the `-B` option, an IP/netmask and
 external bridge.
 .. code-block:: shell
  bastille create -B azkaban 12.1-RELEASE 192.168.1.50/24 bridge0
 Bastille will automagically create the interface, attach it to the specified bridge and connect /
 disconnect containers as they are started and stopped. 
 The bridge needs to be created/enabled before creating and starting the jail.
 Public Network
 ==============
--- a/docs/chapters/subcommands/bootstrap.rst
+++ b/docs/chapters/subcommands/bootstrap.rst
@@ -22,7 +22,7 @@ Releases
 Example
 -------
-To `bootstrap` a release, run the bootstrap sub-command with the
+To `bootstrap` a FreeBSD release, run the bootstrap sub-command with the
 release version as the argument.
 .. code-block:: shell
@@ -30,6 +30,14 @@ release version as the argument.
  ishmael ~ # bastille bootstrap 11.4-RELEASE [update]
  ishmael ~ # bastille bootstrap 12.1-RELEASE
 To `bootstrap` a HardenedBSD release, run the bootstrap sub-command with the
 build version as the argument.
 .. code-block:: shell
  ishmael ~ # bastille bootstrap 13-stable-build-latest
 This command will ensure the required directory structures are in place and
 download the requested release. For each requested release, `bootstrap` will
 download the base.txz. These files are verified (sha256 via MANIFEST file)
--- a/docs/chapters/targeting.rst
+++ b/docs/chapters/targeting.rst
@@ -27,7 +27,7 @@ Examples: Containers
 | cmd       | ALL    | 'sockstat -4'    | execute `sockstat -4` in ALL containers (ip4 sockets)       |
 +-----------+--------+-----+------------+-------------------------------------------------------------+
 | console   | mariadb02    | ---        | console (shell) access to mariadb02                         |
-+----+------+----+---------+------------+--------------+----------------------------------------------+
+----+------+--------+-----+------------+-------------------------------------------------------------+
 | pkg       | web01  | 'install nginx'  | install nginx package in web01 container                    |
 +-----------+--------+------------------+-------------------------------------------------------------+
 | pkg       | ALL    | upgrade          | upgrade packages in ALL containers                          |
@@ -39,11 +39,11 @@ Examples: Containers
 | template  | ALL    | username/base    | apply `username/base` template to ALL containers            |
 +-----------+--------+------------------+-------------------------------------------------------------+
 | start     | web02  | ---              | start web02 container                                       |
 +-----------+--------+-----+------------+-------------------------------------------------------------+
 | cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to container-path in bastion03|
 +----+------+----+---+------------------+--------------+----------------------------------------------+
 | cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to container-path in bastion03|
 +----+------+----+---+---------------------------------+----------------------------------------------+
 | create    | folsom | 12.1-RELEASE 10.17.89.10        | create 12.1 container named `folsom` with IP |
-+-----------+--------+------------------+--------------+----------------------------------------------+
+-----------+--------+---------------------------------+----------------------------------------------+
 Examples: Releases
@@ -60,7 +60,7 @@ Examples: Releases
 +-----------+--------------+--------------+-------------------------------------------------------------+
 | update    | 11.4-RELEASE | ---          | update 11.4-RELEASE release                                 |
 +-----------+--------------+--------------+-------------------------------------------------------------+
-| upgrade   | 11.3-RELEASE | 11.4-RELEASE | update 11.4-RELEASE release                                 |
+| upgrade   | 11.3-RELEASE | 11.4-RELEASE | upgrade 11.3-RELEASE release to 11.4-RELEASE                |
 +-----------+--------------+--------------+-------------------------------------------------------------+
-| verify    | 11.4-RELEASE | ---          | update 11.4-RELEASE release                                 |
+| verify    | 11.4-RELEASE | ---          | verify 11.4-RELEASE release                                 |
 +-----------+--------------+--------------+-------------------------------------------------------------+
--- a/docs/chapters/zfs-support.rst
+++ b/docs/chapters/zfs-support.rst
@@ -0,0 +1,28 @@
 ZFS Support
 ====================
 .. image:: /images/bastillebsd-twitter-poll.png
  :width: 400
  :alt: Alternative text
 Bastille 0.4 added initial support for ZFS. ``bastille bootstrap`` and ``bastille create`` will generate ZFS volumes based on settings found in the ``bastille.conf``. This section outlines how to enable and configure Bastille for ZFS.
 Two values are required for Bastille to use ZFS. The default values in the ``bastille.conf`` are empty. Populate these two to enable ZFS.
 .. code-block:: shell
  ## ZFS options
  bastille_zfs_enable=""                                  ## default: ""
  bastille_zfs_zpool=""                                   ## default: ""
  bastille_zfs_prefix="bastille"                          ## default: "${bastille_zfs_zpool}/bastille"
  bastille_prefix="/bastille"                             ## default: "/usr/local/bastille". ${bastille_zfs_prefix} gets mounted here
  bastille_zfs_options="-o compress=lz4 -o atime=off"     ## default: "-o compress=lz4 -o atime=off"
 Example
 .. code-block:: shell
  ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_enable=YES
  ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_zpool=ZPOOL_NAME
 Replace ``ZPOOL_NAME`` with the zpool you want Bastille to use. Tip: ``zpool list`` and ``zpool status`` will help. 
 If you get 'no pools available' you are likely not using ZFS and can safely ignore these settings.
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -8,13 +8,13 @@ else:
 # -- Project information -----------------------------------------------------
 project = 'Bastille'
-copyright = '2018-2021, Christer Edwards'
+copyright = '2018-2022, Christer Edwards'
 author = 'Christer Edwards'
 # The short X.Y version
-version = '0.9.20210714'
+version = '0.9.20220714'
 # The full version, including alpha/beta/rc tags
-release = '0.8.20210714-beta'
+release = '0.9.20220714-beta'
 # -- General configuration ---------------------------------------------------
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -18,6 +18,7 @@ https://docs.bastillebsd.org.
   chapters/subcommands/index
   chapters/template
   chapters/jail-config
   chapters/zfs-support
   copyright
--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@@ -0,0 +1 @@
 docutils < 0.18
--- a/usr/local/bin/bastille
+++ b/usr/local/bin/bastille
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -70,7 +70,7 @@ bastille_perms_check() {
 bastille_perms_check
 ## version
-BASTILLE_VERSION="0.9.20210714"
+BASTILLE_VERSION="0.9.20220714"
 usage() {
    cat << EOF
@@ -147,14 +147,24 @@ clone|config|cmd|console|convert|cp|edit|htop|limits|mount|pkg|rename|service|st
        shift
        if [ "${TARGET}" = 'ALL' ]; then
-            _JAILS=$(jls name)
+            _JAILS=$(/usr/sbin/jls name)
            JAILS=""
            for _jail in ${_JAILS}; do
-                _JAILPATH=$(jls -j "${_jail}" path)
+                _JAILPATH=$(/usr/sbin/jls -j "${_jail}" path)
                if [ -z ${_JAILPATH##${bastille_jailsdir}*} ]; then
                    JAILS="${JAILS} ${_jail}"
                fi
            done
        elif [ "${CMD}" = "pkg" ] && [ "${TARGET}" = '-H' ] || [ "${TARGET}" = '--host' ]; then
            TARGET="${1}"
            USE_HOST_PKG=1
            JAILS="${TARGET}"
            shift
            # Require the target to be running
            if [ ! "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
                error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'."
            fi
        elif [ "${CMD}" = 'template' ] && [ "${TARGET}" = '--convert' ]; then
            # This command does not act on a jail, so we are temporarily bypassing the presence/started
            # checks. The command will simply convert a template from hooks to a Bastillefile. -- cwells
@@ -169,18 +179,19 @@ clone|config|cmd|console|convert|cp|edit|htop|limits|mount|pkg|rename|service|st
            case "${CMD}" in
            cmd|console|htop|pkg|service|stop|sysrc|template|top)
                # Require the target to be running. -- cwells
-                if [ ! "$(jls name | awk "/^${TARGET}$/")" ]; then
+                if [ ! "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
                    error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'."
                fi
                ;;
            convert|rename)
                # Require the target to be stopped. -- cwells
-                if [ "$(jls name | awk "/^${TARGET}$/")" ]; then
+                if [ "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
                    error_exit "${TARGET} is running. See 'bastille stop ${TARGET}'."
                fi
                ;;
            esac
        fi
        export USE_HOST_PKG
        export TARGET
        export JAILS
    fi
--- a/usr/local/etc/bastille/bastille.conf.sample
+++ b/usr/local/etc/bastille/bastille.conf.sample
@@ -25,7 +25,7 @@ bastille_sharedir="/usr/local/share/bastille"                         ## default
 bastille_bootstrap_archives="base"                                    ## default: "base"
 ## default timezone
-bastille_tzdata="Etc/UTC"                                             ## default: "Etc/UTC"
+bastille_tzdata=""                                                    ## default: empty to use host's time zone
 ## default jail resolv.conf
 bastille_resolv_conf="/etc/resolv.conf"                               ## default: "/etc/resolv.conf"
@@ -51,10 +51,12 @@ bastille_decompress_gz_options="-k -d -c -v"                          ## default
 bastille_network_loopback="bastille0"                                 ## default: "bastille0"
 bastille_network_shared=""                                            ## default: ""
 bastille_network_gateway=""                                           ## default: ""
 bastille_network_gateway6=""                                          ## default: ""
 ## Default Templates
 bastille_template_base="default/base"                                 ## default: "default/base"
 bastille_template_empty=""                                            ## default: "default/empty"
 bastille_template_thick="default/thick"                               ## default: "default/thick"
 bastille_template_clone="default/clone"                               ## default: "default/clone"
 bastille_template_thin="default/thin"                                 ## default: "default/thin"
 bastille_template_vnet="default/vnet"                                 ## default: "default/vnet"
--- a/usr/local/etc/rc.d/bastille
+++ b/usr/local/etc/rc.d/bastille
@@ -3,7 +3,7 @@
 # Bastille jail startup script
 #
 # PROVIDE: bastille
-# REQUIRE: LOGIN
+# REQUIRE: NETWORKING
 # KEYWORD: shutdown
 # Add the following to /etc/rc.conf[.local] to enable this service
--- a/usr/local/share/bastille/bootstrap.sh
+++ b/usr/local/share/bastille/bootstrap.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -103,12 +103,11 @@ bootstrap_directories() {
        if [ "${bastille_zfs_enable}" = "YES" ];then
            if [ -n "${bastille_zfs_zpool}" ]; then
                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_prefix}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}"
                chmod 0750 "${bastille_prefix}"
            fi
        else
            mkdir -p "${bastille_prefix}"
            chmod 0750 "${bastille_prefix}"
        fi
        chmod 0750 "${bastille_prefix}"
    fi
    ## ${bastille_backupsdir}
@@ -116,12 +115,11 @@ bootstrap_directories() {
        if [ "${bastille_zfs_enable}" = "YES" ];then
            if [ -n "${bastille_zfs_zpool}" ]; then
                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_backupsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/backups"
                chmod 0750 "${bastille_backupsdir}"
            fi
        else
            mkdir -p "${bastille_backupsdir}"
            chmod 0750 "${bastille_backupsdir}"
        fi
        chmod 0750 "${bastille_backupsdir}"
    fi
    ## ${bastille_cachedir}
@@ -129,19 +127,29 @@ bootstrap_directories() {
        if [ "${bastille_zfs_enable}" = "YES" ]; then
            if [ -n "${bastille_zfs_zpool}" ]; then
                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache"
-                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
+                # Don't create unused/stale cache/RELEASE directory on Linux jails creation.
                if [ -z "${NOCACHEDIR}" ]; then
                    zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
                fi
            fi
        else
-            mkdir -p "${bastille_cachedir}/${RELEASE}"
+            mkdir -p "${bastille_cachedir}"
            # Don't create unused/stale cache/RELEASE directory on Linux jails creation.
            if [ -z "${NOCACHEDIR}" ]; then
                mkdir -p "${bastille_cachedir}/${RELEASE}"
            fi
        fi
    ## create subsequent cache/XX.X-RELEASE datasets
    elif [ ! -d "${bastille_cachedir}/${RELEASE}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        # Don't create unused/stale cache/RELEASE directory on Linux jails creation.
-            if [ -n "${bastille_zfs_zpool}" ]; then
+        if [ -z "${NOCACHEDIR}" ]; then
-                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
+            if [ "${bastille_zfs_enable}" = "YES" ]; then
                if [ -n "${bastille_zfs_zpool}" ]; then
                    zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
                fi
            else
                mkdir -p "${bastille_cachedir}/${RELEASE}"
            fi
        else
            mkdir -p "${bastille_cachedir}/${RELEASE}"
        fi
    fi
@@ -304,6 +312,102 @@ bootstrap_release() {
    echo
 }
 debootstrap_release() {
    # Make sure to check/bootstrap directories first.
    NOCACHEDIR=1
    RELEASE="${DIR_BOOTSTRAP}"
    bootstrap_directories
    #check and install OS dependencies @hackacad
    #ToDo: add function 'linux_pre' for sysrc etc.
    required_mods="fdescfs linprocfs linsysfs tmpfs"
    linuxarc_mods="linux linux64"
    for _req_kmod in ${required_mods}; do
        if [ ! "$(sysrc -f /boot/loader.conf -qn ${_req_kmod}_load)" = "YES" ] && \
            [ ! "$(sysrc -f /boot/loader.conf.local -qn ${_req_kmod}_load)" = "YES" ]; then
            warn "${_req_kmod} not enabled in /boot/loader.conf, Should I do that for you?  (N|y)"
            read  answer
            case "${answer}" in
                [Nn][Oo]|[Nn]|"")
                    error_exit "Exiting."
                    ;;
                [Yy][Ee][Ss]|[Yy])
                    # Skip already loaded known modules.
                    if ! kldstat -m ${_req_kmod} >/dev/null 2>&1; then
                        info "Loading kernel module: ${_req_kmod}"
                        kldload -v ${_req_kmod}
                    fi
                    info "Persisting module: ${_req_kmod}"
                    sysrc -f /boot/loader.conf ${_req_kmod}_load=YES
                ;;
            esac
        else
            # If already set in /boot/loader.conf, check and try to load the module. 
            if ! kldstat -m ${_req_kmod} >/dev/null 2>&1; then
                info "Loading kernel module: ${_req_kmod}"
                kldload -v ${_req_kmod}
            fi
        fi
    done
        # Mandatory Linux modules/rc.
        for _lin_kmod in ${linuxarc_mods}; do
            if ! kldstat -n ${_lin_kmod} >/dev/null 2>&1; then
                info "Loading kernel module: ${_lin_kmod}"
                kldload -v ${_lin_kmod}
            fi
        done
        if [ ! "$(sysrc -qn linux_enable)" = "YES" ] && \
            [ ! "$(sysrc -f /etc/rc.conf.local -qn linux_enable)" = "YES" ]; then
            sysrc linux_enable=YES
        fi
    if ! which -s debootstrap; then
        warn "Debootstrap not found. Should it be installed? (N|y)"
        read  answer
        case $answer in
            [Nn][Oo]|[Nn]|"")
                error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail."
                ;;
            [Yy][Ee][Ss]|[Yy])
                pkg install -y debootstrap
                ;;
        esac
    fi
    # Fetch the Linux flavor
    info "Bootstrapping ${PLATFORM_OS} distfiles..."
    if ! debootstrap --foreign --arch=${ARCH_BOOTSTRAP} --no-check-gpg ${LINUX_FLAVOR} "${bastille_releasesdir}"/${DIR_BOOTSTRAP}; then
        ## perform cleanup only for stale/empty directories on failure
        if [ "${bastille_zfs_enable}" = "YES" ]; then
            if [ -n "${bastille_zfs_zpool}" ]; then
                if [ ! "$(ls -A "${bastille_releasesdir}/${DIR_BOOTSTRAP}")" ]; then
                    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${DIR_BOOTSTRAP}"
                fi
            fi
        fi
        if [ -d "${bastille_releasesdir}/${DIR_BOOTSTRAP}" ]; then
            if [ ! "$(ls -A "${bastille_releasesdir}/${DIR_BOOTSTRAP}")" ]; then
                rm -rf "${bastille_releasesdir:?}/${DIR_BOOTSTRAP}"
            fi
        fi
        error_exit "Bootstrap failed."
    fi
    case "${LINUX_FLAVOR}" in
        bionic|stretch|buster|bullseye)
        info "Increasing APT::Cache-Start"
        echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/${DIR_BOOTSTRAP}/etc/apt/apt.conf.d/00aptitude
        ;;
    esac
    info "Bootstrap successful."
    info "See 'bastille --help' for available commands."
    echo
 }
 bootstrap_template() {
    ## ${bastille_templatesdir}
@@ -343,6 +447,16 @@ bootstrap_template() {
 HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }')
 HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
 # bootstrapping from aarch64/arm64 Debian or Ubuntu require a different value for ARCH
 # create a new variable
 if [ "${HW_MACHINE_ARCH}" == "aarch64" ]; then
    HW_MACHINE_ARCH_LINUX="arm64"
 else
    HW_MACHINE_ARCH_LINUX=${HW_MACHINE_ARCH}
 fi
 NOCACHEDIR=
 RELEASE="${1}"
 OPTION="${2}"
@@ -431,86 +545,45 @@ http?://*/*/*)
    ;;
 #adding Ubuntu Bionic as valid "RELEASE" for POC @hackacad
 ubuntu_bionic|bionic|ubuntu-bionic)
-    #check and install OS dependencies @hackacad
+    PLATFORM_OS="Ubuntu/Linux"
-    if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then
+    LINUX_FLAVOR="bionic"
-        warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you?  (N|y)"
+    DIR_BOOTSTRAP="Ubuntu_1804"
-        read  answer
+    ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
-        case $answer in
+    debootstrap_release
            [Nn][Oo]|[Nn]|"")
                error_exit "Exiting."
                ;;
            [Yy][Ee][Ss]|[Yy])
                info "Loading modules"
                kldload linux linux64 linprocfs linsysfs tmpfs
                info "Persisting modules"
                sysrc linux_enable=YES
                sysrc -f /boot/loader.conf linprocfs_load=YES
                sysrc -f /boot/loader.conf linsysfs_load=YES
                sysrc -f /boot/loader.conf tmpfs_load=YES
                ;;
        esac
    fi
    if which -s debootstrap; then
        debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804
    else
        warn "Debootstrap not found. Should it be installed? (N|y)"
        read  answer
        case $answer in
            [Nn][Oo]|[Nn]|"")
                error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail."
                ;;
            [Yy][Ee][Ss]|[Yy])
                pkg install -y debootstrap
                debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804
                ;;
        esac
    fi
    echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/Ubuntu_1804/etc/apt/apt.conf.d/00aptitude
    ;;
 ubuntu_focal|focal|ubuntu-focal)
-    #check and install OS dependencies @hackacad
+    PLATFORM_OS="Ubuntu/Linux"
-    #ToDo: add function 'linux_pre' for sysrc etc.
+    LINUX_FLAVOR="focal"
-    if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then
+    DIR_BOOTSTRAP="Ubuntu_2004"
-        warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you?  (N|y)"
+    ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
-        read  answer
+    debootstrap_release
-        case $answer in
+    ;;
-            [Nn][Oo]|[Nn]|"")
+debian_stretch|stretch|debian-stretch)
-                error_exit "Exiting."
+    PLATFORM_OS="Debian/Linux"
-                ;;
+    LINUX_FLAVOR="stretch"
-            [Yy][Ee][Ss]|[Yy])
+    DIR_BOOTSTRAP="Debian9"
-                info "Loading modules"
+    ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
-                kldload linux linux64 linprocfs linsysfs tmpfs
+    debootstrap_release
-                info "Persisting modules"
+    ;;
-                sysrc linux_enable=YES
+debian_buster|buster|debian-buster)
-                sysrc -f /boot/loader.conf linprocfs_load=YES
+    PLATFORM_OS="Debian/Linux"
-                sysrc -f /boot/loader.conf linsysfs_load=YES
+    LINUX_FLAVOR="buster"
-                sysrc -f /boot/loader.conf tmpfs_load=YES
+    DIR_BOOTSTRAP="Debian10"
-                ;;
+    ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
-        esac
+    debootstrap_release
-    fi
+    ;;
-    if which -s debootstrap; then
+debian_bullseye|bullseye|debian-bullseye)
-        debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004
+    PLATFORM_OS="Debian/Linux"
-    else
+    LINUX_FLAVOR="bullseye"
-        warn "Debootstrap not found. Should it be installed? (N|y)"
+    DIR_BOOTSTRAP="Debian11"
-        read  answer
+    ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
-        case $answer in
+    debootstrap_release
            [Nn][Oo]|[Nn]|"")
                error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail."
                ;;
            [Yy][Ee][Ss]|[Yy])
                pkg install -y debootstrap
                debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004
                ;;
        esac
    fi
    ;;
 *)
    usage
    ;;
 esac
 case "${OPTION}" in
 update)
    bastille update "${RELEASE}"
--- a/usr/local/share/bastille/clone.sh
+++ b/usr/local/share/bastille/clone.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -130,7 +130,7 @@ update_fstab() {
    # Update fstab to use the new name
    FSTAB_CONFIG="${bastille_jailsdir}/${NEWNAME}/fstab"
    if [ -f "${FSTAB_CONFIG}" ]; then
-        FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
+        FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-5]|-BETA[1-5]|-CURRENT)|([0-9]{1,2}(-stable-build-[0-9]{1,3}|-stable-LAST))|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)' "${FSTAB_CONFIG}" | uniq)
        FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" "${FSTAB_CONFIG}")
        FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0"
        if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
@@ -139,6 +139,8 @@ update_fstab() {
                sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}"
            fi
        fi
        # Update additional fstab paths with new jail path
        sed -i '' "s|${bastille_jailsdir}/${TARGET}/root/|${bastille_jailsdir}/${NEWNAME}/root/|" "${FSTAB_CONFIG}"
    fi
 }
@@ -164,7 +166,7 @@ clone_jail() {
        else
            # Just clone the jail directory
            # Check if container is running
-            if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then
+            if [ -n "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
                error_exit "${TARGET} is running. See 'bastille stop ${TARGET}'."
            fi
--- a/usr/local/share/bastille/cmd.sh
+++ b/usr/local/share/bastille/cmd.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -29,6 +29,7 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
    error_exit "Usage: bastille cmd TARGET command"
@@ -45,8 +46,35 @@ if [ $# -eq 0 ]; then
    usage
 fi
 COUNT=0
 RETURN=0
 for _jail in ${JAILS}; do
    COUNT=$(($COUNT+1))
    info "[${_jail}]:"
-    jexec -l -U root "${_jail}" "$@"
+
    if grep -qw "linsysfs" "${bastille_jailsdir}/${TARGET}/fstab"; then
        # Allow executing commands on Linux jails.
        jexec -l -u root "${_jail}" "$@"
    else
        jexec -l -U root "${_jail}" "$@"
    fi
    ERROR_CODE=$?
    info "[${_jail}]: ${ERROR_CODE}"
    if [ "$COUNT" -eq 1 ]; then
        RETURN=${ERROR_CODE}
    else 
        RETURN=$(($RETURN+$ERROR_CODE))
    fi
    echo
 done
 # Check when a command is executed in all running jails. (bastille cmd ALL ...)
 if [ "${COUNT}" -gt 1 ] && [ "${RETURN}" -gt 0 ]; then
    RETURN=1
 fi
 return "${RETURN}"
--- a/usr/local/share/bastille/common.sh
+++ b/usr/local/share/bastille/common.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -38,7 +38,7 @@ enable_color() {
 }
 # If "NO_COLOR" environment variable is present, disable output colors.
-if ! export | grep -q "NO_COLOR"; then
+if [ -z "${NO_COLOR}" ]; then
    enable_color
 fi
@@ -60,3 +60,51 @@ info() {
 warn() {
    echo -e "${COLOR_YELLOW}$*${COLOR_RESET}"
 }
 generate_vnet_jail_netblock() {
    local jail_name="$1"
    local use_unique_bridge="$2"
    local external_interface="$3"
    ## determine number of containers + 1
    ## iterate num and grep all jail configs
    ## define uniq_epair
    local jail_list=$(bastille list jails)
    if [ -n "${jail_list}" ]; then
        local list_jails_num=$(echo "${jail_list}" | wc -l | awk '{print $1}')
        local num_range=$((list_jails_num + 1))
        for _num in $(seq 0 "${num_range}"); do
            if ! grep -q "e[0-9]b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then
                if ! grep -q "epair${_num}" "${bastille_jailsdir}"/*/jail.conf; then
                    local uniq_epair="bastille${_num}"
                    local uniq_epair_bridge="${_num}"
                    break
                fi
            fi
        done
    else
        local uniq_epair="bastille0"
        local uniq_epair_bridge="0"
    fi
    if [ -n "${use_unique_bridge}" ]; then
        ## generate bridge config
        cat <<-EOF
  vnet;
  vnet.interface = "e${uniq_epair_bridge}b_${jail_name}";
  exec.prestart += "ifconfig epair${uniq_epair_bridge} create";
  exec.prestart += "ifconfig ${external_interface} addm epair${uniq_epair_bridge}a";
  exec.prestart += "ifconfig epair${uniq_epair_bridge}a up name e${uniq_epair_bridge}a_${jail_name}";
  exec.prestart += "ifconfig epair${uniq_epair_bridge}b up name e${uniq_epair_bridge}b_${jail_name}";
  exec.poststop += "ifconfig ${external_interface} deletem e${uniq_epair_bridge}a_${jail_name}";
  exec.poststop += "ifconfig e${uniq_epair_bridge}a_${jail_name} destroy";
 EOF
    else
        ## generate config
        cat <<-EOF
  vnet;
  vnet.interface = e0b_${uniq_epair};
  exec.prestart += "jib addm ${uniq_epair} ${external_interface}";
  exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\"";
  exec.poststop += "jib destroy ${uniq_epair}";
 EOF
    fi
 }
--- a/usr/local/share/bastille/config.sh
+++ b/usr/local/share/bastille/config.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
--- a/usr/local/share/bastille/console.sh
+++ b/usr/local/share/bastille/console.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
--- a/usr/local/share/bastille/convert.sh
+++ b/usr/local/share/bastille/convert.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
--- a/usr/local/share/bastille/cp.sh
+++ b/usr/local/share/bastille/cp.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
--- a/usr/local/share/bastille/create.sh
+++ b/usr/local/share/bastille/create.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -43,13 +43,15 @@ usage() {
    -L | --linux  -- This option is intended for testing with Linux jails, this is considered experimental.
    -T | --thick  -- Creates a thick container, they consume more space as they are self contained and independent.
    -V | --vnet   -- Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity.
    -C | --clone  -- Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data.
    -B | --bridge -- Enables VNET, VNET containers are attached to a specified, already existing external bridge.
 EOF
    exit 1
 }
 running_jail() {
-    if [ -n "$(jls name | awk "/^${NAME}$/")" ]; then
+    if [ -n "$(/usr/sbin/jls name | awk "/^${NAME}$/")" ]; then
        error_exit "A running jail matches name."
    elif [ -d "${bastille_jailsdir}/${NAME}" ]; then
        error_exit "Jail: ${NAME} already created."
@@ -113,6 +115,13 @@ validate_netconf() {
 }
 validate_release() {
    ## ensure the user set the Linux(experimental) option explicitly
    if [ -n "${UBUNTU}" ]; then
        if [ -z "${LINUX_JAIL}" ]; then
            usage
        fi
    fi
    ## check release name match, else show usage
    if [ -n "${NAME_VERIFY}" ]; then
        RELEASE="${NAME_VERIFY}"
@@ -161,13 +170,12 @@ ${NAME} {
  mount.fstab = ${bastille_jail_fstab};
  path = ${bastille_jail_path};
  devfs_ruleset = 4;
  enforce_statfs = 1;
  exec.start = '/bin/true';
  exec.stop = '/bin/true';
  persist;
  mount.devfs;
  allow.mount;
  allow.mount.devfs;
@@ -179,24 +187,7 @@ EOF
 }
 generate_vnet_jail_conf() {
-    ## determine number of containers + 1
+    NETBLOCK=$(generate_vnet_jail_netblock "$NAME" "${VNET_JAIL_BRIDGE}" "${bastille_jail_conf_interface}")
    ## iterate num and grep all jail configs
    ## define uniq_epair
    local jail_list=$(bastille list jails)
    if [ -n "${jail_list}" ]; then
        local list_jails_num=$(echo "${jail_list}" | wc -l | awk '{print $1}')
        local num_range=$(expr "${list_jails_num}" + 1)
        for _num in $(seq 0 "${num_range}"); do
            if ! grep -q "e0b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then
                uniq_epair="bastille${_num}"
                break
            fi
        done
    else
        uniq_epair="bastille0"
    fi
    ## generate config
    cat << EOF > "${bastille_jail_conf}"
 ${NAME} {
  devfs_ruleset = 13;
@@ -211,14 +202,48 @@ ${NAME} {
  path = ${bastille_jail_path};
  securelevel = 2;
-  vnet;
+${NETBLOCK}
  vnet.interface = e0b_${uniq_epair};
  exec.prestart += "jib addm ${uniq_epair} ${bastille_jail_conf_interface}";
  exec.poststop += "jib destroy ${uniq_epair}";
 }
 EOF
 }
 post_create_jail() {
    # Common config checks and settings.
    # Using relative paths here.
    # MAKE SURE WE'RE IN THE RIGHT PLACE.
    cd "${bastille_jail_path}"
    echo
    if [ ! -f "${bastille_jail_conf}" ]; then
        if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
            local bastille_jail_conf_interface=${bastille_network_shared}
        fi
        if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then
            local bastille_jail_conf_interface=${bastille_network_loopback}
        fi
        if [ -n "${INTERFACE}" ]; then
            local bastille_jail_conf_interface=${INTERFACE}
        fi
    fi
    if [ ! -f "${bastille_jail_fstab}" ]; then
        if [ -z "${THICK_JAIL}" ] && [ -z "${CLONE_JAIL}" ]; then
            echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > "${bastille_jail_fstab}"
        else
            touch "${bastille_jail_fstab}"
        fi
    fi
    # Generate the jail configuration file.
    if [ -n "${VNET_JAIL}" ]; then
        generate_vnet_jail_conf
    else
        generate_jail_conf
    fi
 }
 create_jail() {
    bastille_jail_base="${bastille_jailsdir}/${NAME}/root/.bastille"  ## dir
    bastille_jail_template="${bastille_jailsdir}/${NAME}/root/.template"  ## dir
@@ -233,8 +258,10 @@ create_jail() {
        if [ "${bastille_zfs_enable}" = "YES" ]; then
            if [ -n "${bastille_zfs_zpool}" ]; then
                ## create required zfs datasets, mountpoint inherited from system
-                zfs create ${bastille_zfs_options} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}"
+                if [ -z "${CLONE_JAIL}" ]; then
-                if [ -z "${THICK_JAIL}" ]; then
+                    zfs create ${bastille_zfs_options} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}"
                fi
                if [ -z "${THICK_JAIL}" ] && [ -z "${CLONE_JAIL}" ]; then
                    zfs create ${bastille_zfs_options} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
                fi
            fi
@@ -242,8 +269,10 @@ create_jail() {
            mkdir -p "${bastille_jailsdir}/${NAME}/root"
        fi
    fi
    ## PoC for Linux jails @hackacad
    if [ -n "${LINUX_JAIL}" ]; then
        info "\nCreating a linuxjail. This may take a while...\n"
        if [ ! -d "${bastille_jail_base}" ]; then
            mkdir -p "${bastille_jail_base}"
        fi
@@ -255,7 +284,7 @@ create_jail() {
        touch "${bastille_jail_path}/dev/shm"
        touch "${bastille_jail_path}/dev/fd"
        cp -RPf ${bastille_releasesdir}/${RELEASE}/* ${bastille_jail_path}/
-        echo ${NAME} ${bastille_jail_path}/etc/hostname
+        echo "${NAME}" > ${bastille_jail_path}/etc/hostname
        if [ ! -d "${bastille_jail_template}" ]; then
            mkdir -p "${bastille_jail_template}"
@@ -264,14 +293,14 @@ create_jail() {
        if [ ! -f "${bastille_jail_fstab}" ]; then
            touch "${bastille_jail_fstab}"
        fi
-        echo -e "devfs           ${bastille_jail_path}/dev      devfs           rw                      0       0" > "${bastille_jail_fstab}"
+        echo -e "devfs           ${bastille_jail_path}/dev      devfs           rw                      0       0" >> "${bastille_jail_fstab}"
-        echo -e "tmpfs           ${bastille_jail_path}/dev/shm  tmpfs           rw,size=1g,mode=1777    0       0" > "${bastille_jail_fstab}"
+        echo -e "tmpfs           ${bastille_jail_path}/dev/shm  tmpfs           rw,size=1g,mode=1777    0       0" >> "${bastille_jail_fstab}"
-        echo -e "fdescfs         ${bastille_jail_path}/dev/fd   fdescfs         rw,linrdlnk             0       0" > "${bastille_jail_fstab}"
+        echo -e "fdescfs         ${bastille_jail_path}/dev/fd   fdescfs         rw,linrdlnk             0       0" >> "${bastille_jail_fstab}"
-        echo -e "linprocfs       ${bastille_jail_path}/proc     linprocfs       rw                      0       0" > "${bastille_jail_fstab}"
+        echo -e "linprocfs       ${bastille_jail_path}/proc     linprocfs       rw                      0       0" >> "${bastille_jail_fstab}"
-        echo -e "linsysfs        ${bastille_jail_path}/sys      linsysfs        rw                      0       0" > "${bastille_jail_fstab}"
+        echo -e "linsysfs        ${bastille_jail_path}/sys      linsysfs        rw                      0       0" >> "${bastille_jail_fstab}"
-        echo -e "/tmp            ${bastille_jail_path}/tmp      nullfs          rw                      0       0" > "${bastille_jail_fstab}"
+        echo -e "/tmp            ${bastille_jail_path}/tmp      nullfs          rw                      0       0" >> "${bastille_jail_fstab}"
        ## removed temporarely / only for X11 jails? @hackacad
-        #echo -e "/home           ${bastille_jail_path}/home     nullfs          rw                      0       0" > "${bastille_jail_fstab}"
+        #echo -e "/home           ${bastille_jail_path}/home     nullfs          rw                      0       0" >> "${bastille_jail_fstab}"
        if [ ! -f "${bastille_jail_conf}" ]; then
            if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
@@ -287,55 +316,29 @@ create_jail() {
    fi
    if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then
-        if [ ! -d "${bastille_jail_base}" ]; then
+        if [ -z "${THICK_JAIL}" ] && [ -z "${CLONE_JAIL}" ]; then
-            mkdir -p "${bastille_jail_base}"
+            if [ ! -d "${bastille_jail_base}" ]; then
                mkdir -p "${bastille_jail_base}"
            fi
            if [ ! -d "${bastille_jail_template}" ]; then
                mkdir -p "${bastille_jail_template}"
            fi
        fi
        if [ ! -d "${bastille_jail_path}/usr/local" ]; then
            mkdir -p "${bastille_jail_path}/usr/local"
        fi
-        if [ ! -d "${bastille_jail_template}" ]; then
+        # Check and apply required settings.
-            mkdir -p "${bastille_jail_template}"
+        post_create_jail
        fi
-        if [ ! -f "${bastille_jail_fstab}" ]; then
+        if [ -z "${THICK_JAIL}" ] && [ -z "${CLONE_JAIL}" ]; then
            if [ -z "${THICK_JAIL}" ]; then
                echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > "${bastille_jail_fstab}"
            else
                touch "${bastille_jail_fstab}"
            fi
        fi
        if [ ! -f "${bastille_jail_conf}" ]; then
            if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
                local bastille_jail_conf_interface=${bastille_network_shared}
            fi
            if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then
                local bastille_jail_conf_interface=${bastille_network_loopback}
            fi
            if [ -n "${INTERFACE}" ]; then
                local bastille_jail_conf_interface=${INTERFACE}
            fi
            ## generate the jail configuration file
            if [ -n "${VNET_JAIL}" ]; then
                generate_vnet_jail_conf
            else
                generate_jail_conf
            fi
        fi
        ## using relative paths here
        ## MAKE SURE WE'RE IN THE RIGHT PLACE
        cd "${bastille_jail_path}"
        echo
        if [ -z "${THICK_JAIL}" ]; then
            LINK_LIST="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src"
            info "Creating a thinjail...\n"
            for _link in ${LINK_LIST}; do
                ln -sf /.bastille/${_link} ${_link}
            done
            # Properly link shared ports on thin jails in read-write.
            if [ -d "${bastille_releasesdir}/${RELEASE}/usr/ports" ]; then
                if [ ! -d "${bastille_jail_path}/usr/ports" ]; then
@@ -345,7 +348,7 @@ create_jail() {
            fi
        fi
-        if [ -z "${THICK_JAIL}" ]; then
+        if [ -z "${THICK_JAIL}" ] && [ -z "${CLONE_JAIL}" ]; then
            ## rw
            ## copy only required files for thin jails
            FILE_LIST=".cshrc .profile COPYRIGHT dev etc media mnt net proc root tmp var usr/obj usr/tests"
@@ -359,27 +362,40 @@ create_jail() {
                fi
            done
        else
            info "Creating a thickjail. This may take a while..."
            if [ "${bastille_zfs_enable}" = "YES" ]; then
                if [ -n "${bastille_zfs_zpool}" ]; then
-                    ## perform release base replication
+                    if [ -n "${CLONE_JAIL}" ]; then
                        info "Creating a clonejail...\n"
                        ## clone the release base to the new basejail
                        SNAP_NAME="bastille-clone-$(date +%Y-%m-%d-%H%M%S)"
                        zfs snapshot "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
-                    ## sane bastille zfs options
+                        zfs clone -p "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" \
-                    ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g')
+                        "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
-                    ## take a temp snapshot of the base release
+                        # Check and apply required settings.
-                    SNAP_NAME="bastille-$(date +%Y-%m-%d-%H%M%S)"
+                        post_create_jail
-                    zfs snapshot "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
+                    elif [ -n "${THICK_JAIL}" ]; then
                        info "Creating a thickjail. This may take a while...\n"
                        ## perform release base replication
-                    ## replicate the release base to the new thickjail and set the default mountpoint
+                        ## sane bastille zfs options
-                    zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" | \
+                        ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g')
                    zfs receive "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
                    zfs set ${ZFS_OPTIONS} mountpoint=none "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
                    zfs inherit mountpoint "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
-                    ## cleanup temp snapshots initially
+                        ## take a temp snapshot of the base release
-                    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
+                        SNAP_NAME="bastille-$(date +%Y-%m-%d-%H%M%S)"
-                    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"@"${SNAP_NAME}"
+                        zfs snapshot "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
                        ## replicate the release base to the new thickjail and set the default mountpoint
                        zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" | \
                        zfs receive "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
                        zfs set ${ZFS_OPTIONS} mountpoint=none "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
                        zfs inherit mountpoint "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
                        ## cleanup temp snapshots initially
                        zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
                        zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"@"${SNAP_NAME}"
                    fi
                    if [ "$?" -ne 0 ]; then
                        ## notify and clean stale files/directories
@@ -408,8 +424,16 @@ create_jail() {
                ln -s usr/home home
            fi
-            ## TZ: configurable (default: Etc/UTC)
+            ## TZ: configurable (default: empty to use host's time zone)
-            ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime
+            if [ -z "${bastille_tzdata}" ]; then
                # Note that if host has no time zone, FreeBSD assumes UTC anyway
                if [ -e /etc/localtime ]; then
                    # uses cp as a way to prevent issues with symlinks if the host happens to use that for tz configuration
                    cp /etc/localtime etc/localtime
                fi
            else
                ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime
            fi
            # Post-creation jail misc configuration
            # Create a dummy fstab file
@@ -454,6 +478,7 @@ create_jail() {
            uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//')
            _gateway=''
            _gateway6=''
            _ifconfig=SYNCDHCP
            if [ "${IP}" != "0.0.0.0" ]; then # not using DHCP, so set static address.
                if [ -n "${ip6}" ]; then
@@ -463,6 +488,8 @@ create_jail() {
                fi
                if [ -n "${bastille_network_gateway}" ]; then
                    _gateway="${bastille_network_gateway}"
                elif [ -n "${bastille_network_gateway6}" ]; then
                    _gateway6="${bastille_network_gateway6}"
                else
                    if [ -z ${ip6} ]; then
                        _gateway="$(netstat -4rn | awk '/default/ {print $2}')"
@@ -471,12 +498,16 @@ create_jail() {
                    fi
                fi
            fi
-            bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}"
+            bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg GATEWAY6="${_gateway6}" --arg IFCONFIG="${_ifconfig}"
        fi
    elif [ -n "${THICK_JAIL}" ]; then
        if [ -n "${bastille_template_thick}" ]; then
            bastille template "${NAME}" ${bastille_template_thick} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
        fi
    elif [ -n "${CLONE_JAIL}" ]; then
        if [ -n "${bastille_template_clone}" ]; then
            bastille template "${NAME}" ${bastille_template_clone} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
        fi
    elif [ -n "${EMPTY_JAIL}" ]; then
        if [ -n "${bastille_template_empty}" ]; then
            bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
@@ -522,6 +553,7 @@ fi
 ## reset this options
 EMPTY_JAIL=""
 THICK_JAIL=""
 CLONE_JAIL=""
 VNET_JAIL=""
 LINUX_JAIL=""
@@ -544,6 +576,15 @@ while [ $# -gt 0 ]; do
            VNET_JAIL="1"
            shift
            ;;
        -B|--bridge|bridge)
            VNET_JAIL="1"
            VNET_JAIL_BRIDGE="1"
            shift
            ;;
        -C|--clone|clone)
            CLONE_JAIL="1"
            shift
            ;;
        -*|--*)
            error_notify "Unknown Option."
            usage
@@ -556,13 +597,15 @@ done
 ## validate for combined options
 if [ -n "${EMPTY_JAIL}" ]; then
-    if [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${LINUX_JAIL}" ]; then
+    if [ -n "${CLONE_JAIL}" ] || [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${LINUX_JAIL}" ]; then
        error_exit "Error: Empty jail option can't be used with other options."
    fi
 elif [ -n "${LINUX_JAIL}" ]; then
-    if [ -n "${EMPTY_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${THICK_JAIL}" ]; then
+    if [ -n "${EMPTY_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${THICK_JAIL}" ] || [ -n "${CLONE_JAIL}" ]; then
        error_exit "Error: Linux jail option can't be used with other options."
    fi
 elif [ -n "${CLONE_JAIL}" ] && [ -n "${THICK_JAIL}" ]; then
    error_exit "Error: Clonejail and Thickjail can't be used together."
 fi
 NAME="$1"
@@ -595,6 +638,18 @@ if [ -n "${LINUX_JAIL}" ]; then
        ## check for FreeBSD releases name
        NAME_VERIFY=ubuntu_focal
        ;;
    debian_stretch|stretch|debian-stretch)
        ## check for FreeBSD releases name
        NAME_VERIFY=stretch
        ;;
    debian_buster|buster|debian-buster)
        ## check for FreeBSD releases name
        NAME_VERIFY=buster
        ;;
    debian_bullseye|bullseye|debian-bullseye)
        ## check for FreeBSD releases name
        NAME_VERIFY=bullseye
        ;;
    *)
        error_notify "Unknown Linux."
        usage
@@ -646,13 +701,27 @@ if [ -z "${EMPTY_JAIL}" ]; then
        validate_release
        ;;
    ubuntu_bionic|bionic|ubuntu-bionic)
        UBUNTU="1"
        NAME_VERIFY=Ubuntu_1804
        validate_release
        ;;
    ubuntu_focal|focal|ubuntu-focal)
        UBUNTU="1"
        NAME_VERIFY=Ubuntu_2004
        validate_release
        ;;
    debian_stretch|stretch|debian-stretch)
        NAME_VERIFY=Debian9
        validate_release
        ;;
    debian_buster|buster|debian-buster)
        NAME_VERIFY=Debian10
        validate_release
        ;;
    debian_bullseye|bullseye|debian-bullseye)
        NAME_VERIFY=Debian11
        validate_release
        ;;
    *)
        error_notify "Unknown Release."
        usage
@@ -720,6 +789,9 @@ fi
 if [ -z ${bastille_template_thick+x} ]; then
    bastille_template_thick='default/thick'
 fi
 if [ -z ${bastille_template_clone+x} ]; then
    bastille_template_clone='default/clone'
 fi
 if [ -z ${bastille_template_thin+x} ]; then
    bastille_template_thin='default/thin'
 fi
--- a/usr/local/share/bastille/destroy.sh
+++ b/usr/local/share/bastille/destroy.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -40,7 +40,7 @@ destroy_jail() {
    bastille_jail_base="${bastille_jailsdir}/${TARGET}"            ## dir
    bastille_jail_log="${bastille_logsdir}/${TARGET}_console.log"  ## file
-    if [ "$(jls name | awk "/^${TARGET}$/")" ]; then
+    if [ "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
        if [ "${FORCE}" = "1" ]; then
            bastille stop "${TARGET}"
        else
@@ -118,6 +118,23 @@ destroy_rel() {
            if grep -qwo "${TARGET}" "${bastille_jailsdir}/${_jail}/fstab" 2>/dev/null; then
                error_notify "Notice: (${_jail}) depends on ${TARGET} base."
                BASE_HASCHILD="1"
            elif [ "${bastille_zfs_enable}" = "YES" ]; then
                if [ -n "${bastille_zfs_zpool}" ]; then
                    ## check if this release have child clones
                    if zfs list -H -t snapshot -r "${bastille_rel_base}" > /dev/null 2>&1; then
                        SNAP_CLONE=$(zfs list -H -t snapshot -r "${bastille_rel_base}" 2> /dev/null | awk '{print $1}')
                        for _snap_clone in ${SNAP_CLONE}; do
                            if zfs list -H -o clones "${_snap_clone}" > /dev/null 2>&1; then
                                CLONE_JAIL=$(zfs list -H -o clones "${_snap_clone}" | tr ',' '\n')
                                CLONE_CHECK="${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}/root"
                                if echo "${CLONE_JAIL}" | grep -qw "${CLONE_CHECK}"; then
                                    error_notify "Notice: (${_jail}) depends on ${TARGET} base."
                                    BASE_HASCHILD="1"
                                fi
                            fi
                        done
                    fi
                fi
            fi
        done
    fi
@@ -207,27 +224,37 @@ case "${TARGET}" in
    ;;
 *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
    ## check for HardenedBSD releases name
-    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g;s/last/LAST/g')
    destroy_rel
    ;;
 *-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*)
    ## check for HardenedBSD(specific stable build releases)
-    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g')
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g;s/STABLE/stable/g')
    destroy_rel
    ;;
 *-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST)
    ## check for HardenedBSD(latest stable build release)
-    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/;s/build/BUILD/g;s/latest/LATEST/g')
    destroy_rel
    ;;
 current-build-[0-9]*|CURRENT-BUILD-[0-9]*)
    ## check for HardenedBSD(specific current build releases)
-    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g')
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g;s/CURRENT/current/g')
    destroy_rel
    ;;
 current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST)
    ## check for HardenedBSD(latest current build release)
-    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build-latest)$' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build-latest)$' | sed 's/CURRENT/current/;s/build/BUILD/g;s/latest/LATEST/g')
    destroy_rel
    ;;
 Ubuntu_1804|Ubuntu_2004|UBUNTU_1804|UBUNTU_2004)
    ## check for Linux releases
    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(Ubuntu_1804)$|(Ubuntu_2004)$' | sed 's/UBUNTU/Ubuntu/g;s/ubuntu/Ubuntu/g')
    destroy_rel
    ;;
 Debian9|Debian10|Debian11|DEBIAN9|DEBIAN10|DEBIAN11)
    ## check for Linux releases
    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(Debian9)$|(Debian10)$|(Debian11)$' | sed 's/DEBIAN/Debian/g')
    destroy_rel
    ;;
 *)
--- a/usr/local/share/bastille/edit.sh
+++ b/usr/local/share/bastille/edit.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
--- a/usr/local/share/bastille/export.sh
+++ b/usr/local/share/bastille/export.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -49,7 +49,7 @@ usage() {
    -v | --verbose  -- Be more verbose during the ZFS send operation.
         --xz       -- Export a ZFS jail using XZ(.xz) compressed image.
-Tip: If no option specified, container should be exported to standard output.
+Note: If no export option specified, the container should be redirected to standard output.
 EOF
    exit 1
@@ -80,6 +80,7 @@ zfs_enable_check() {
 TARGET="${1}"
 GZIP_EXPORT=
 XZ_EXPORT=
 SAFE_EXPORT=
 USER_EXPORT=
 RAW_EXPORT=
@@ -93,67 +94,112 @@ opt_count() {
    COMP_OPTION=$(expr ${COMP_OPTION} + 1)
 }
-# Handle and parse option args
+if [ -n "${bastille_export_options}" ]; then
-while [ $# -gt 0 ]; do
+    # Overrides the case options by the user defined option(s) automatically.
-    case "${1}" in
+    # Add bastille_export_options="--optionA --optionB" to bastille.conf, or simply `export bastille_export_options="--optionA --optionB"` environment variable.
-        --gz)
+    # To restore the standard case options, empty bastille_export_options="" in bastille.conf, or `unset bastille_export_options` environment variable.
-            GZIP_EXPORT="1"
+    # Reference "/bastille/issues/443"
-            TARGET="${2}"
+
-            opt_count
+    DEFAULT_EXPORT_OPTS="${bastille_export_options}"
-            shift
+    info "Default export option(s): '${DEFAULT_EXPORT_OPTS}'"
-            ;;
+
-        --xz)
+    for opt in ${DEFAULT_EXPORT_OPTS}; do
-            XZ_EXPORT="1"
+        case "${opt}" in
-            TARGET="${2}"
+            --gz)
-            opt_count
+                GZIP_EXPORT="1"
-            shift
+                opt_count
-            ;;
+                shift;;
-        --tgz)
+            --xz)
-            TGZ_EXPORT="1"
+                XZ_EXPORT="1"
-            TARGET="${2}"
+                opt_count
-            opt_count
+                shift;;
-            zfs_enable_check
+            --tgz)
-            shift
+                TGZ_EXPORT="1"
-            ;;
+                opt_count
-        --txz)
+                zfs_enable_check
-            TXZ_EXPORT="1"
+                shift;;
-            TARGET="${2}"
+            --txz)
-            opt_count
+                TXZ_EXPORT="1"
-            zfs_enable_check
+                opt_count
-            shift
+                zfs_enable_check
-            ;;
+                shift;;
-        -s|--safe)
+            --safe)
-            SAFE_EXPORT="1"
+                SAFE_EXPORT="1"
-            TARGET="${2}"
+                shift;;
-            shift
+            --raw)
-            ;;
+                RAW_EXPORT="1"
-        -r|--raw)
+                opt_count
-            RAW_EXPORT="1"
+                shift ;;
-            TARGET="${2}"
+            --verbose)
-            opt_count
+                OPT_ZSEND="-Rv"
-            shift
+                shift;;
-            ;;
+            -*|--*) error_notify "Unknown Option."
-        -v|--verbose)
+                usage;;
-            OPT_ZSEND="-Rv"
+        esac
-            TARGET="${2}"
+    done
-            shift
+else
-            ;;
+    # Handle and parse option args
-        -*|--*)
+    while [ $# -gt 0 ]; do
-            error_notify "Unknown Option."
+        case "${1}" in
-            usage
+            --gz)
-            ;;
+                GZIP_EXPORT="1"
-        *)
+                TARGET="${2}"
-            if echo "${1}" | grep -q "\/"; then
+                opt_count
-                DIR_EXPORT="${1}"
+                shift
-            else
+                ;;
-                if [ $# -gt 2 ] || [ $# -lt 1 ]; then
+            --xz)
-                   usage
+                XZ_EXPORT="1"
                TARGET="${2}"
                opt_count
                shift
                ;;
            --tgz)
                TGZ_EXPORT="1"
                TARGET="${2}"
                opt_count
                zfs_enable_check
                shift
                ;;
            --txz)
                TXZ_EXPORT="1"
                TARGET="${2}"
                opt_count
                zfs_enable_check
                shift
                ;;
            -s|--safe)
                SAFE_EXPORT="1"
                TARGET="${2}"
                shift
                ;;
            -r|--raw)
                RAW_EXPORT="1"
                TARGET="${2}"
                opt_count
                shift
                ;;
            -v|--verbose)
                OPT_ZSEND="-Rv"
                TARGET="${2}"
                shift
                ;;
            -*|--*)
                error_notify "Unknown Option."
                usage
                ;;
            *)
                if echo "${1}" | grep -q "\/"; then
                    DIR_EXPORT="${1}"
                else
                    if [ $# -gt 2 ] || [ $# -lt 1 ]; then
                       usage
                    fi
                fi
-            fi
+                shift
-            shift
+                ;;
-            ;;
+        esac
-    esac
+    done
-done
+fi
 # Validate for combined options
 if [ "${COMP_OPTION}" -gt "1" ]; then
@@ -172,7 +218,7 @@ fi
 if [ -n "${SAFE_EXPORT}" ]; then
    # Check if container is running, otherwise just ignore
-    if [ -z "$(jls name | awk "/^${TARGET}$/")" ]; then
+    if [ -z "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
        SAFE_EXPORT=
    fi
 fi
@@ -200,19 +246,19 @@ create_zfs_snap() {
    if [ -z "${USER_EXPORT}" ]; then
        info "Creating temporary ZFS snapshot for export..."
    fi
-    zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}"
+    zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_${TARGET}_${DATE}"
 }
 clean_zfs_snap() {
    # Cleanup the recursive temporary snapshot
-    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_export_${DATE}"
+    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_${TARGET}_${DATE}"
-    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}"
+    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_${TARGET}_${DATE}"
 }
 export_check() {
    # Inform the user about the exporting method
    if [ -z "${USER_EXPORT}" ]; then
-        if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then
+        if [ -n "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
            if [ -n "${SAFE_EXPORT}" ]; then
                EXPORT_AS="Safely exporting"
            else
@@ -263,7 +309,7 @@ jail_export() {
                export_check
                # Export the raw container recursively and cleanup temporary snapshots
-                zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" \
+                zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_${TARGET}_${DATE}" \
                > "${bastille_backupsdir}/${TARGET}_${DATE}"
                clean_zfs_snap
            elif [ -n "${GZIP_EXPORT}" ]; then
@@ -271,7 +317,7 @@ jail_export() {
                export_check
                # Export the raw container recursively and cleanup temporary snapshots
-                zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" | \
+                zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_${TARGET}_${DATE}" | \
                gzip ${bastille_compress_gz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}"
                clean_zfs_snap
            elif [ -n "${XZ_EXPORT}" ]; then
@@ -279,7 +325,7 @@ jail_export() {
                export_check
                # Export the container recursively and cleanup temporary snapshots
-                zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" | \
+                zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_${TARGET}_${DATE}" | \
                xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}"
                clean_zfs_snap
            else
@@ -288,8 +334,10 @@ jail_export() {
                export_check
                # Quietly export the container recursively, user must redirect standard output
-                zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}"
+                if ! zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_${TARGET}_${DATE}"; then
-                clean_zfs_snap
+                    clean_zfs_snap
                    error_notify "\nError: An export option is required, see 'bastille export, otherwise the user must redirect to standard output."
                fi
            fi
        fi
    else
@@ -336,7 +384,7 @@ if [ -n "${TARGET}" ]; then
    # Check if is a ZFS system
    if [ "${bastille_zfs_enable}" != "YES" ]; then
        # Check if container is running and ask for stop in non ZFS systems
-        if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then
+        if [ -n "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
            error_exit "${TARGET} is running. See 'bastille stop'."
        fi
    fi
--- a/usr/local/share/bastille/htop.sh
+++ b/usr/local/share/bastille/htop.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -47,7 +47,7 @@ if [ $# -ne 0 ]; then
 fi
 for _jail in ${JAILS}; do
-    bastille_jail_path=$(jls -j "${_jail}" path)
+    bastille_jail_path=$(/usr/sbin/jls -j "${_jail}" path)
    if [ ! -x "${bastille_jail_path}/usr/local/bin/htop" ]; then
        error_notify "htop not found on ${_jail}."
    elif [ -x "${bastille_jail_path}/usr/local/bin/htop" ]; then
--- a/usr/local/share/bastille/import.sh
+++ b/usr/local/share/bastille/import.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -173,6 +173,7 @@ generate_config() {
    # Attempt to read previous config file and set required variables accordingly
    # If we can't get a valid interface, fallback to lo1 and warn user
    info "Generating jail.conf..."
    DEVFS_RULESET=4
    if [ "${FILE_EXT}" = ".zip" ]; then
        # Gather some bits from foreign/iocage config files
@@ -180,63 +181,88 @@ generate_config() {
        if [ -n "${JSON_CONFIG}" ]; then
            IPV4_CONFIG=$(grep -wo '\"ip4_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip4_addr://')
            IPV6_CONFIG=$(grep -wo '\"ip6_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip6_addr://')
            DEVFS_RULESET=$(grep -wo '\"devfs_ruleset\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/devfs_ruleset://')
            DEVFS_RULESET=${DEVFS_RULESET:-4}
            IS_THIN_JAIL=$(grep -wo '\"basejail\": .*' "${JSON_CONFIG}" | tr -d '" ,' | sed 's/basejail://')
            CONFIG_RELEASE=$(grep -wo '\"release\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/release://' | sed 's/\-[pP].*//')
            IS_VNET_JAIL=$(grep -wo '\"vnet\": .*' "${JSON_CONFIG}" | tr -d '" ,' | sed 's/vnet://')
            VNET_DEFAULT_INTERFACE=$(grep -wo '\"vnet_default_interface\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/vnet_default_interface://')
            ALLOW_EMPTY_DIRS_TO_BE_SYMLINKED=1
            if [ "${VNET_DEFAULT_INTERFACE}" = "auto" ]; then
                # Grab the default ipv4 route from netstat and pull out the interface
                VNET_DEFAULT_INTERFACE=$(netstat -nr4 | grep default | cut -w -f 4)
            fi
        fi
    elif [ "${FILE_EXT}" = ".tar.gz" ]; then
        # Gather some bits from foreign/ezjail config files
        PROP_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/prop.ezjail-${FILE_TRIM}-*"
        if [ -n "${PROP_CONFIG}" ]; then
            IPVX_CONFIG=$(grep -wo "jail_${TARGET_TRIM}_ip=.*" ${PROP_CONFIG} | tr -d '" ' | sed "s/jail_${TARGET_TRIM}_ip=//")
            CONFIG_RELEASE=$(echo ${PROP_CONFIG} | grep -o '[0-9]\{2\}\.[0-9]_RELEASE' | sed 's/_/-/g')
        fi
        # Always assume it's thin for ezjail
        IS_THIN_JAIL=1
    fi
-    # If there are multiple IP/NIC let the user configure network
+    # See if we need to generate a vnet network section
-    if [ -n "${IPV4_CONFIG}" ]; then
+    if [ "${IS_VNET_JAIL:-0}" = "1" ]; then
-        if ! echo "${IPV4_CONFIG}" | grep -q '.*,.*'; then
+        NETBLOCK=$(generate_vnet_jail_netblock "${TARGET_TRIM}" "" "${VNET_DEFAULT_INTERFACE}")
-            NETIF_CONFIG=$(echo "${IPV4_CONFIG}" | grep '.*|' | sed 's/|.*//g')
+    else
-            if [ -z "${NETIF_CONFIG}" ]; then
+        # If there are multiple IP/NIC let the user configure network
-                config_netif
+        if [ -n "${IPV4_CONFIG}" ]; then
            if ! echo "${IPV4_CONFIG}" | grep -q '.*,.*'; then
                NETIF_CONFIG=$(echo "${IPV4_CONFIG}" | grep '.*|' | sed 's/|.*//g')
                if [ -z "${NETIF_CONFIG}" ]; then
                    config_netif
                fi
                IPX_ADDR="ip4.addr"
                IP_CONFIG="${IPV4_CONFIG}"
                IP6_MODE="disable"
            fi
-            IPX_ADDR="ip4.addr"
+        elif [ -n "${IPV6_CONFIG}" ]; then
-            IP_CONFIG="${IPV4_CONFIG}"
+            if ! echo "${IPV6_CONFIG}" | grep -q '.*,.*'; then
-            IP6_MODE="disable"
+                NETIF_CONFIG=$(echo "${IPV6_CONFIG}" | grep '.*|' | sed 's/|.*//g')
-        fi
+                if [ -z "${NETIF_CONFIG}" ]; then
-    elif [ -n "${IPV6_CONFIG}" ]; then
+                    config_netif
-        if ! echo "${IPV6_CONFIG}" | grep -q '.*,.*'; then
+                fi
            NETIF_CONFIG=$(echo "${IPV6_CONFIG}" | grep '.*|' | sed 's/|.*//g')
            if [ -z "${NETIF_CONFIG}" ]; then
                config_netif
            fi
            IPX_ADDR="ip6.addr"
            IP_CONFIG="${IPV6_CONFIG}"
            IP6_MODE="new"
        fi
    elif [ -n "${IPVX_CONFIG}" ]; then
        if ! echo "${IPVX_CONFIG}" | grep -q '.*,.*'; then
            NETIF_CONFIG=$(echo "${IPVX_CONFIG}" | grep '.*|' | sed 's/|.*//g')
            if [ -z "${NETIF_CONFIG}" ]; then
                config_netif
            fi
            IPX_ADDR="ip4.addr"
            IP_CONFIG="${IPVX_CONFIG}"
            IP6_MODE="disable"
            if echo "${IPVX_CONFIG}" | sed 's/.*|//' | grep -Eq '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))'; then
                IPX_ADDR="ip6.addr"
                IP_CONFIG="${IPV6_CONFIG}"
                IP6_MODE="new"
            fi
        elif [ -n "${IPVX_CONFIG}" ]; then
            if ! echo "${IPVX_CONFIG}" | grep -q '.*,.*'; then
                NETIF_CONFIG=$(echo "${IPVX_CONFIG}" | grep '.*|' | sed 's/|.*//g')
                if [ -z "${NETIF_CONFIG}" ]; then
                    config_netif
                fi
                IPX_ADDR="ip4.addr"
                IP_CONFIG="${IPVX_CONFIG}"
                IP6_MODE="disable"
                if echo "${IPVX_CONFIG}" | sed 's/.*|//' | grep -Eq '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))'; then
                    IPX_ADDR="ip6.addr"
                    IP6_MODE="new"
                fi
            fi
        fi
        # Let the user configure network manually
        if [ -z "${NETIF_CONFIG}" ]; then
            NETIF_CONFIG="lo1"
            IPX_ADDR="ip4.addr"
            IP_CONFIG="-"
            IP6_MODE="disable"
            warn "Warning: See 'bastille edit ${TARGET_TRIM} jail.conf' for manual network configuration."
        fi
        NETBLOCK=$(cat <<-EOF
  interface = ${NETIF_CONFIG};
  ${IPX_ADDR} = ${IP_CONFIG};
  ip6 = ${IP6_MODE};
 EOF
        )
    fi
-    # Let the user configure network manually
+    if [ "${IS_THIN_JAIL:-0}" = "1" ]; then
    if [ -z "${NETIF_CONFIG}" ]; then
        NETIF_CONFIG="lo1"
        IPX_ADDR="ip4.addr"
        IP_CONFIG="-"
        IP6_MODE="disable"
        warn "Warning: See 'bastille edit ${TARGET_TRIM} jail.conf' for manual network configuration."
    fi
    if [ "${FILE_EXT}" = ".tar.gz" ]; then
        CONFIG_RELEASE=$(echo ${PROP_CONFIG} | grep -o '[0-9]\{2\}\.[0-9]_RELEASE' | sed 's/_/-/g')
        if [ -z "${CONFIG_RELEASE}" ]; then
            # Fallback to host version
            CONFIG_RELEASE=$(freebsd-version | sed 's/\-[pP].*//')
@@ -257,7 +283,7 @@ generate_config() {
    # Generate a basic jail configuration file on foreign imports
    cat << EOF > "${bastille_jailsdir}/${TARGET_TRIM}/jail.conf"
 ${TARGET_TRIM} {
-  devfs_ruleset = 4;
+  devfs_ruleset = ${DEVFS_RULESET};
  enforce_statfs = 2;
  exec.clean;
  exec.consolelog = ${bastille_logsdir}/${TARGET_TRIM}_console.log;
@@ -269,9 +295,7 @@ ${TARGET_TRIM} {
  path = ${bastille_jailsdir}/${TARGET_TRIM}/root;
  securelevel = 2;
-  interface = ${NETIF_CONFIG};
+${NETBLOCK}
  ${IPX_ADDR} = ${IP_CONFIG};
  ip6 = ${IP6_MODE};
 }
 EOF
 }
@@ -334,6 +358,13 @@ update_symlinks() {
    for _link in ${SYMLINKS}; do
        if [ -L "${_link}" ]; then
            ln -sf /.bastille/${_link} ${_link}
        elif [ "${ALLOW_EMPTY_DIRS_TO_BE_SYMLINKED:-0}" = "1" -a -d "${_link}" ]; then
            # -F will enforce that the directory is empty and replaced by the symlink
            ln -sfF /.bastille/${_link} ${_link} || EXIT_CODE=$?
            if [ "${EXIT_CODE:-0}" != "0" ]; then
                # Assume that the failure was due to the directory not being empty and explain the problem in friendlier terms
                warn "Warning: directory ${_link} on imported jail was not empty and will not be updated by Bastille"
            fi
        fi
    done
 }
@@ -577,7 +608,7 @@ else
 fi
 # Check if a running jail matches name or already exist
-if [ -n "$(jls name | awk "/^${TARGET_TRIM}$/")" ]; then
+if [ -n "$(/usr/sbin/jls name | awk "/^${TARGET_TRIM}$/")" ]; then
    error_exit "A running jail matches name."
 elif [ -n "${TARGET_TRIM}" ]; then
    if [ -d "${bastille_jailsdir}/${TARGET_TRIM}" ]; then
--- a/usr/local/share/bastille/limits.sh
+++ b/usr/local/share/bastille/limits.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # Ressource limits added by Sven R github.com/hackacad
 #
--- a/usr/local/share/bastille/list.sh
+++ b/usr/local/share/bastille/list.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -32,15 +32,15 @@
 . /usr/local/etc/bastille/bastille.conf
 usage() {
-    error_exit "Usage: bastille list [-j|-a] [release|template|(jail|container)|log|limit|(import|export|backup)]"
+    error_exit "Usage: bastille list [-j|-a] [release [-p]|template|(jail|container)|log|limit|(import|export|backup)]"
 }
 if [ $# -eq 0 ]; then
-   jls -N
+   /usr/sbin/jls -N
 fi
 if [ "$1" == "-j" ]; then
-    jls -N --libxo json
+    /usr/sbin/jls -N --libxo json
    exit 0
 fi
@@ -54,65 +54,86 @@ if [ $# -gt 0 ]; then
        if [ -d "${bastille_jailsdir}" ]; then
            DEFAULT_VALUE="-"
            SPACER=2
-            MAX_LENGTH_JAIL_NAME=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf | sed "s/^.*\/\(.*\)\/jail.conf$/\1/" | awk '{ print length($0) }' | sort -nr | head -n 1)
+            MAX_LENGTH_JAIL_NAME=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h -m 1 -e "^.* {$" | awk '{ print length($1) }' | sort -nr | head -n 1)
            MAX_LENGTH_JAIL_NAME=${MAX_LENGTH_JAIL_NAME:-3}
            if [ ${MAX_LENGTH_JAIL_NAME} -lt 3 ]; then MAX_LENGTH_JAIL_NAME=3; fi
-            MAX_LENGTH_JAIL_IP=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1/p" {} \; | sed 's/\// /g' | awk '{ print length($1) }' | sort -nr | head -n 1)
+            MAX_LENGTH_JAIL_IP=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1 /p" | sed 's/\// /g' | awk '{ print length($1) }' | sort -nr | head -n 1)
            MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_IP:-10}
-            MAX_LENGTH_JAIL_VNET_IP=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec grep -l "vnet;" {} + | sed 's/\(.*\)jail.conf$/grep "ifconfig_vnet0=" \1root\/etc\/rc.conf/' | sh | sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' | sed 's/\// /g' | awk '{ if ($1 ~ /^[inet|inet6]/) print length($2); else print 15 }' | sort -nr | head -n 1)
+            MAX_LENGTH_JAIL_VNET_IP=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -l "vnet;" | grep -h "ifconfig_vnet0=" $(sed -n "s/\(.*\)jail.conf$/\1root\/etc\/rc.conf/p") | sed -n "s/^ifconfig_vnet0=\"\(.*\)\"$/\1/p"| sed "s/\// /g" | awk '{ if ($1 ~ /^[inet|inet6]/) print length($2); else print 15 }' | sort -nr | head -n 1)
            MAX_LENGTH_JAIL_VNET_IP=${MAX_LENGTH_JAIL_VNET_IP:-10}
            if [ ${MAX_LENGTH_JAIL_VNET_IP} -gt ${MAX_LENGTH_JAIL_IP} ]; then MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_VNET_IP}; fi
            if [ ${MAX_LENGTH_JAIL_IP} -lt 10 ]; then MAX_LENGTH_JAIL_IP=10; fi
-            MAX_LENGTH_JAIL_HOSTNAME=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec sed -n "s/^[ ]*host.hostname[ ]*=[ ]*\(.*\);$/\1/p" {} \; | awk '{ print length($0) }' | sort -nr | head -n 1)
+            MAX_LENGTH_JAIL_HOSTNAME=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h -m 1 -e "^[ ]*host.hostname[ ]*=[ ]*\(.*\);" | awk '{ print length(substr($3, 1, length($3)-1)) }' | sort -nr | head -n 1)
            MAX_LENGTH_JAIL_HOSTNAME=${MAX_LENGTH_JAIL_HOSTNAME:-8}
            if [ ${MAX_LENGTH_JAIL_HOSTNAME} -lt 8 ]; then MAX_LENGTH_JAIL_HOSTNAME=8; fi
-            MAX_LENGTH_JAIL_PORTS=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name rdr.conf -exec awk '{ lines++; chars += length($0)} END { chars += lines - 1; print chars }' {} \; | sort -nr | head -n 1)
+            MAX_LENGTH_JAIL_PORTS=$(find ""${bastille_jailsdir}/*/rdr.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 -n1 awk '{ lines++; chars += length($0)} END { chars += lines - 1; print chars }' | sort -nr | head -n 1)
            MAX_LENGTH_JAIL_PORTS=${MAX_LENGTH_JAIL_PORTS:-15}
            if [ ${MAX_LENGTH_JAIL_PORTS} -lt 15 ]; then MAX_LENGTH_JAIL_PORTS=15; fi
            if [ ${MAX_LENGTH_JAIL_PORTS} -gt 30 ]; then MAX_LENGTH_JAIL_PORTS=30; fi
-            MAX_LENGTH_JAIL_RELEASE=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name fstab 2> /dev/null -exec grep "/releases/.*/root/.bastille nullfs" {} \; | sed -n "s/^\(.*\) \/.*$/grep \"\^USERLAND_VERSION=\" \1\/bin\/freebsd-version 2\> \/dev\/null/p" | awk '!_[$0]++' | sh | sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1)
+            MAX_LENGTH_JAIL_RELEASE=$(find ""${bastille_jailsdir}/*/fstab"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h "/releases/.*/root/.bastille.*nullfs" | grep -hE "^USERLAND_VERSION=" $(sed -n "s/^\(.*\) \/.*$/\1\/bin\/freebsd-version/p" | awk '!_[$0]++') | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1)
            MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_JAIL_RELEASE:-7}
-            MAX_LENGTH_THICK_JAIL_RELEASE=$(find ""${bastille_jailsdir}/*/root/bin"" -maxdepth 1 -type f -name freebsd-version 2> /dev/null -exec grep "^USERLAND_VERSION=" {} \; | sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1)
+            MAX_LENGTH_THICK_JAIL_RELEASE=$(find ""${bastille_jailsdir}/*/root/bin/freebsd-version"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -hE "^USERLAND_VERSION=" | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1)
            MAX_LENGTH_THICK_JAIL_RELEASE=${MAX_LENGTH_THICK_JAIL_RELEASE:-7}
            MAX_LENGTH_LINUX_JAIL_RELEASE=$(find ""${bastille_jailsdir}/*/fstab"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h "/jails/.*/root/proc.*linprocfs" | grep -hE "^NAME=|^VERSION_ID=|^VERSION_CODENAME=" $(sed -n "s/^linprocfs *\(.*\)\/.*$/\1\/etc\/os-release/p") 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | sed "N;N;s/\n/;/g" | sed -n "s/^NAME=\(.*\);VERSION_ID=\(.*\);VERSION_CODENAME=\(.*\)$/\1 \2 (\3)/p" | awk '{ print length($0) }' | sort -nr | head -n 1) 
            MAX_LENGTH_LINUX_JAIL_RELEASE=${MAX_LENGTH_LINUX_JAIL_RELEASE:-7}
            if [ ${MAX_LENGTH_THICK_JAIL_RELEASE} -gt ${MAX_LENGTH_JAIL_RELEASE} ]; then MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_THICK_JAIL_RELEASE}; fi
            if [ ${MAX_LENGTH_LINUX_JAIL_RELEASE} -gt ${MAX_LENGTH_JAIL_RELEASE} ]; then MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_LINUX_JAIL_RELEASE}; fi
            if [ ${MAX_LENGTH_JAIL_RELEASE} -lt 7 ]; then MAX_LENGTH_JAIL_RELEASE=7; fi
            printf " JID%*sState%*sIP Address%*sPublished Ports%*sHostname%*sRelease%*sPath\n" "$((${MAX_LENGTH_JAIL_NAME} + ${SPACER} - 3))" "" "$((${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} + ${SPACER} - 10))" "" "$((${MAX_LENGTH_JAIL_PORTS} + ${SPACER} - 15))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} + ${SPACER} - 8))" "" "$((${MAX_LENGTH_JAIL_RELEASE} + ${SPACER} - 7))" ""
            JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g")
            for _JAIL in ${JAIL_LIST}; do
                if [ -f "${bastille_jailsdir}/${_JAIL}/jail.conf" ]; then
-                        if [ "$(jls name | awk "/^${_JAIL}$/")" ]; then
+                        JAIL_NAME=$(grep -h -m 1 -e "^.* {$" "${bastille_jailsdir}/${_JAIL}/jail.conf" 2> /dev/null | awk '{ print $1 }')
                        IS_FREEBSD_JAIL=0
                        if [ -f "${bastille_jailsdir}/${JAIL_NAME}/root/bin/freebsd-version" -o -f "${bastille_jailsdir}/${JAIL_NAME}/root/.bastille/bin/freebsd-version" -o "$(grep -c "/releases/.*/root/.bastille.*nullfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null)" -gt 0 ]; then IS_FREEBSD_JAIL=1; fi
                        IS_FREEBSD_JAIL=${IS_FREEBSD_JAIL:-0}
                        IS_LINUX_JAIL=0
                        if [ "$(grep -c "^linprocfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null)" -gt 0 ]; then IS_LINUX_JAIL=1; fi
                        IS_LINUX_JAIL=${IS_LINUX_JAIL:-0}
                        if [ "$(/usr/sbin/jls name | awk "/^${JAIL_NAME}$/")" ]; then
                                JAIL_STATE="Up"
-                                if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${_JAIL}/jail.conf")" ]; then
+                                if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then
-                                        JAIL_IP=$(jexec -l ${_JAIL} ifconfig -n vnet0 inet 2> /dev/null | sed -n "/.inet /{s///;s/ .*//;p;}")
+                                        JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -n vnet0 inet 2> /dev/null | sed -n "/.inet /{s///;s/ .*//;p;}")
-                                        if [ ! ${JAIL_IP} ]; then JAIL_IP=$(jexec -l ${_JAIL} ifconfig -n vnet0 inet6 2> /dev/null | awk '/inet6 / && (!/fe80::/ || !/%vnet0/)' | sed -n "/.inet6 /{s///;s/ .*//;p;}"); fi
+                                        if [ ! ${JAIL_IP} ]; then JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -n vnet0 inet6 2> /dev/null | awk '/inet6 / && (!/fe80::/ || !/%vnet0/)' | sed -n "/.inet6 /{s///;s/ .*//;p;}"); fi
                                else
-                                        JAIL_IP=$(jls -j ${_JAIL} ip4.addr 2> /dev/null)
+                                        JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip4.addr 2> /dev/null)
-                                        if [ ${JAIL_IP} = "-" ]; then JAIL_IP=$(jls -j ${_JAIL} ip6.addr 2> /dev/null); fi
+                                        if [ ${JAIL_IP} = "-" ]; then JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip6.addr 2> /dev/null); fi
                                fi
                                JAIL_HOSTNAME=$(/usr/sbin/jls -j ${JAIL_NAME} host.hostname 2> /dev/null)
                                JAIL_PORTS=$(pfctl -a "rdr/${JAIL_NAME}" -Psn 2> /dev/null | awk '{ printf "%s/%s:%s"",",$7,$14,$18 }' | sed "s/,$//")
                                JAIL_PATH=$(/usr/sbin/jls -j ${JAIL_NAME} path 2> /dev/null)
                                if [ ${IS_FREEBSD_JAIL} -eq 1 ]; then
                                        JAIL_RELEASE=$(jexec -l ${JAIL_NAME} freebsd-version -u 2> /dev/null)
                                fi
                                if [ ${IS_LINUX_JAIL} -eq 1 ]; then
                                                JAIL_RELEASE=$(grep -hE "^NAME=.*$|^VERSION_ID=.*$|^VERSION_CODENAME=.*$" "${JAIL_PATH}/etc/os-release" 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | awk -F'=' '{ a[$1] = $2; o++ } o%3 == 0 { print a["VERSION_CODENAME"] " (" a["NAME"] " " a["VERSION_ID"] ")" }')
                                fi
                                JAIL_HOSTNAME=$(jls -j ${_JAIL} host.hostname 2> /dev/null)
                                JAIL_PORTS=$(pfctl -a "rdr/${_JAIL}" -Psn 2> /dev/null | awk '{ printf "%s/%s:%s"",",$7,$14,$18 }' | sed "s/,$//")
                                JAIL_PATH=$(jls -j ${_JAIL} path 2> /dev/null)
                                JAIL_RELEASE=$(jexec -l ${_JAIL} freebsd-version -u 2> /dev/null)
                        else
-                                JAIL_STATE=$(if [ "$(sed -n "/^${_JAIL} {$/,/^}$/p" "${bastille_jailsdir}/${_JAIL}/jail.conf" | awk '$0 ~ /^'${_JAIL}' \{|\}/ { printf "%s",$0 }')" == "${_JAIL} {}" ]; then echo "Down"; else echo "n/a"; fi)
+                                JAIL_STATE=$(if [ "$(sed -n "/^${JAIL_NAME} {$/,/^}$/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | awk '$0 ~ /^'${JAIL_NAME}' \{|\}/ { printf "%s",$0 }')" == "${JAIL_NAME} {}" ]; then echo "Down"; else echo "n/a"; fi)
-                                if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${_JAIL}/jail.conf")" ]; then
+                                if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then
-                                        JAIL_IP=$(sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' "${bastille_jailsdir}/${_JAIL}/root/etc/rc.conf" | sed "s/\// /g" | awk '{ if ($1 ~ /^[inet|inet6]/) print $2; else print $1 }')
+                                        JAIL_IP=$(sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' "${bastille_jailsdir}/${JAIL_NAME}/root/etc/rc.conf" 2> /dev/null | sed "s/\// /g" | awk '{ if ($1 ~ /^[inet|inet6]/) print $2; else print $1 }')
                                else
-                                        JAIL_IP=$(sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf" | sed "s/\// /g" | awk '{ print $1 }')
+                                        JAIL_IP=$(sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | sed "s/\// /g" | awk '{ print $1 }')
                                fi
-                                JAIL_HOSTNAME=$(sed -n "s/^[ ]*host.hostname[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf")
+                                JAIL_HOSTNAME=$(sed -n "s/^[ ]*host.hostname[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)
-                                if [ -f "${bastille_jailsdir}/${_JAIL}/rdr.conf" ]; then JAIL_PORTS=$(awk '$1 ~ /^[tcp|udp]/ { printf "%s/%s:%s,",$1,$2,$3 }' "${bastille_jailsdir}/${_JAIL}/rdr.conf" | sed "s/,$//"); else JAIL_PORTS=""; fi
+                                if [ -f "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf" ]; then JAIL_PORTS=$(awk '$1 ~ /^[tcp|udp]/ { printf "%s/%s:%s,",$1,$2,$3 }' "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf" 2> /dev/null | sed "s/,$//"); else JAIL_PORTS=""; fi
-                                JAIL_PATH=$(sed -n "s/^[ ]*path[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf")
+                                JAIL_PATH=$(sed -n "s/^[ ]*path[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)
                                if [ ${JAIL_PATH} ]; then
-                                        if [ -f "${JAIL_PATH}/bin/freebsd-version" ]; then
+                                        if [ ${IS_FREEBSD_JAIL} -eq 1 ]; then
-                                                JAIL_RELEASE=$(sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p" "${JAIL_PATH}/bin/freebsd-version")
+                                                if [ -f "${JAIL_PATH}/bin/freebsd-version" ]; then
-                                        else
+                                                        JAIL_RELEASE=$(grep -hE "^USERLAND_VERSION=" "${JAIL_PATH}/bin/freebsd-version" 2> /dev/null | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p")
-                                                JAIL_RELEASE=$(grep "/releases/.*/root/.bastille nullfs" "${bastille_jailsdir}/${_JAIL}/fstab" 2> /dev/null | sed -n "s/^\(.*\) \/.*$/grep \"\^USERLAND_VERSION=\" \1\/bin\/freebsd-version 2\> \/dev\/null/p" | awk '!_[$0]++' | sh | sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p")
+                                                else
                                                        JAIL_RELEASE=$(grep -h "/releases/.*/root/.bastille.*nullfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null | grep -hE "^USERLAND_VERSION=" $(sed -n "s/^\(.*\) \/.*$/\1\/bin\/freebsd-version/p" | awk '!_[$0]++') | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p")
                                                fi
                                        fi
                                        if [ ${IS_LINUX_JAIL} -eq 1 ]; then
                                                JAIL_RELEASE=$(grep -hE "^NAME=.*$|^VERSION_ID=.*$|^VERSION_CODENAME=.*$" "${JAIL_PATH}/etc/os-release" 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | awk -F'=' '{ a[$1] = $2; o++ } o%3 == 0 { print a["VERSION_CODENAME"] " (" a["NAME"] " " a["VERSION_ID"] ")" }')
                                        fi
                                else
                                        JAIL_RELEASE=""
                                fi
                        fi
                        if [ ${#JAIL_PORTS} -gt ${MAX_LENGTH_JAIL_PORTS} ]; then JAIL_PORTS="$(echo ${JAIL_PORTS} | cut -c-$((${MAX_LENGTH_JAIL_PORTS} - 3)))..."; fi
                        JAIL_NAME=${JAIL_NAME:-${DEFAULT_VALUE}}
                        JAIL_STATE=${JAIL_STATE:-${DEFAULT_VALUE}}
@@ -121,7 +142,7 @@ if [ $# -gt 0 ]; then
                        JAIL_HOSTNAME=${JAIL_HOSTNAME:-${DEFAULT_VALUE}}
                        JAIL_RELEASE=${JAIL_RELEASE:-${DEFAULT_VALUE}}
                        JAIL_PATH=${JAIL_PATH:-${DEFAULT_VALUE}}
-                        printf " ${_JAIL}%*s${JAIL_STATE}%*s${JAIL_IP}%*s${JAIL_PORTS}%*s${JAIL_HOSTNAME}%*s${JAIL_RELEASE}%*s${JAIL_PATH}\n" "$((${MAX_LENGTH_JAIL_NAME} - ${#_JAIL} + ${SPACER}))" "" "$((5 - ${#JAIL_STATE} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} - ${#JAIL_IP} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_PORTS} - ${#JAIL_PORTS} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} - ${#JAIL_HOSTNAME} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_RELEASE} - ${#JAIL_RELEASE} + ${SPACER}))" ""
+                        printf " ${JAIL_NAME}%*s${JAIL_STATE}%*s${JAIL_IP}%*s${JAIL_PORTS}%*s${JAIL_HOSTNAME}%*s${JAIL_RELEASE}%*s${JAIL_PATH}\n" "$((${MAX_LENGTH_JAIL_NAME} - ${#JAIL_NAME} + ${SPACER}))" "" "$((5 - ${#JAIL_STATE} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} - ${#JAIL_IP} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_PORTS} - ${#JAIL_PORTS} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} - ${#JAIL_HOSTNAME} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_RELEASE} - ${#JAIL_RELEASE} + ${SPACER}))" ""
                fi
            done
        else
@@ -132,8 +153,14 @@ if [ $# -gt 0 ]; then
        if [ -d "${bastille_releasesdir}" ]; then
            REL_LIST=$(ls "${bastille_releasesdir}" | sed "s/\n//g")
            for _REL in ${REL_LIST}; do
-                if [ -f "${bastille_releasesdir}/${_REL}/root/.profile" ]; then
+                if [ -f "${bastille_releasesdir}/${_REL}/root/.profile" -o -d "${bastille_releasesdir}/${_REL}/debootstrap" ]; then
-                    echo "${_REL}"
+                    if [ "$2" == "-p" -a -f "${bastille_releasesdir}/${_REL}/bin/freebsd-version" ]; then
                        REL_PATCH_LEVEL=$(sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p" "${bastille_releasesdir}/${_REL}/bin/freebsd-version" 2> /dev/null)
                        REL_PATCH_LEVEL=${REL_PATCH_LEVEL:-${_REL}}
                        echo "${REL_PATCH_LEVEL}"
                    else
                        echo "${_REL}"
                    fi
                fi
            done
        fi
--- a/usr/local/share/bastille/mount.sh
+++ b/usr/local/share/bastille/mount.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -93,25 +93,25 @@ for _jail in ${JAILS}; do
    info "[${_jail}]:"
    ## aggregate variables into FSTAB entry
-    _jailpath="${bastille_jailsdir}/${_jail}/root/${_jailpath}"
+    _fullpath="${bastille_jailsdir}/${_jail}/root/${_jailpath}"
-    _fstab_entry="${_hostpath} ${_jailpath} ${_type} ${_perms} ${_checks}"
+    _fstab_entry="${_hostpath} ${_fullpath} ${_type} ${_perms} ${_checks}"
    ## Create mount point if it does not exist. -- cwells
-    if [ ! -d "${_jailpath}" ]; then
+    if [ ! -d "${_fullpath}" ]; then
-        if ! mkdir -p "${_jailpath}"; then
+        if ! mkdir -p "${_fullpath}"; then
            error_exit "Failed to create mount point inside jail."
        fi
    fi
    ## if entry doesn't exist, add; else show existing entry
-    if ! egrep -q "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" 2> /dev/null; then
+    if ! egrep -q "[[:blank:]]${_fullpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" 2> /dev/null; then
        if ! echo "${_fstab_entry}" >> "${bastille_jailsdir}/${_jail}/fstab"; then
            error_exit "Failed to create fstab entry: ${_fstab_entry}"
        fi
        echo "Added: ${_fstab_entry}"
    else
        warn "Mountpoint already present in ${bastille_jailsdir}/${_jail}/fstab"
-        egrep "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab"
+        egrep "[[:blank:]]${_fullpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab"
    fi
    mount -F "${bastille_jailsdir}/${_jail}/fstab" -a
    echo
--- a/usr/local/share/bastille/pkg.sh
+++ b/usr/local/share/bastille/pkg.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -31,7 +31,7 @@
 . /usr/local/share/bastille/common.sh
 usage() {
-    error_exit "Usage: bastille pkg TARGET command [args]"
+    error_exit "Usage: bastille pkg [-H|--host] TARGET command [args]"
 }
 # Handle special-case commands first.
@@ -47,10 +47,15 @@ fi
 for _jail in ${JAILS}; do
    info "[${_jail}]:"
-    if [ -f "/usr/sbin/pkg" ]; then
+    bastille_jail_path=$(/usr/sbin/jls -j "${_jail}" path)
-        jexec -l "${_jail}" /usr/sbin/pkg "$@"
+    if [ -f "/usr/sbin/mport" ]; then
        jexec -l -U root "${_jail}" /usr/sbin/mport "$@"
    elif [ -f "${bastille_jail_path}/usr/bin/apt" ]; then
        jexec -l "${_jail}" /usr/bin/apt "$@"
    elif [ "${USE_HOST_PKG}" = 1 ]; then
        /usr/sbin/pkg -j "${_jail}" "$@"
    else
-        jexec -l "${_jail}" /usr/sbin/mport "$@"
+        jexec -l -U root "${_jail}" /usr/sbin/pkg "$@"
    fi
    echo
 done
--- a/usr/local/share/bastille/rdr.sh
+++ b/usr/local/share/bastille/rdr.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -32,7 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf
 usage() {
-    error_exit "Usage: bastille rdr TARGET [clear|list|(tcp|udp host_port jail_port)]"
+    error_exit "Usage: bastille rdr TARGET [clear|list|(tcp|udp host_port jail_port [log ['(' logopts ')'] ] )]"
 }
 # Handle special-case commands first.
@@ -47,37 +47,42 @@ if [ $# -lt 2 ]; then
 fi
 TARGET="${1}"
 JAIL_NAME=""
 JAIL_IP=""
 EXT_IF=""
 shift
-# Can only redirect to single jail
+check_jail_validity() {
-if [ "${TARGET}" = 'ALL' ]; then
+    # Can only redirect to single jail
-    error_exit "Can only redirect to a single jail."
+    if [ "${TARGET}" = 'ALL' ]; then
-fi
+        error_exit "Can only redirect to a single jail."
 # Check if jail name is valid
 JAIL_NAME=$(jls -j "${TARGET}" name 2>/dev/null)
 if [ -z "${JAIL_NAME}" ]; then
    error_exit "Jail not found: ${TARGET}"
 fi
 # Check if jail ip4 address (ip4.addr) is valid (non-VNET only)
 if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then
    JAIL_IP=$(jls -j "${TARGET}" ip4.addr 2>/dev/null)
    if [ -z "${JAIL_IP}" -o "${JAIL_IP}" = "-" ]; then
        error_exit "Jail IP not found: ${TARGET}"
    fi
 fi
-# Check if rdr-anchor is defined in pf.conf
+    # Check if jail name is valid
-if ! (pfctl -sn | grep rdr-anchor | grep 'rdr/\*' >/dev/null); then
+    JAIL_NAME=$(/usr/sbin/jls -j "${TARGET}" name 2>/dev/null)
-    error_exit "rdr-anchor not found in pf.conf"
+    if [ -z "${JAIL_NAME}" ]; then
-fi
+        error_exit "Jail not found: ${TARGET}"
    fi
-# Check if ext_if is defined in pf.conf
+    # Check if jail ip4 address (ip4.addr) is valid (non-VNET only)
-EXT_IF=$(grep '^[[:space:]]*ext_if[[:space:]]*=' /etc/pf.conf)
+    if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then
-if [ -z "${EXT_IF}" ]; then
+        JAIL_IP=$(/usr/sbin/jls -j "${TARGET}" ip4.addr 2>/dev/null)
-    error_exit "ext_if not defined in pf.conf"
+        if [ -z "${JAIL_IP}" -o "${JAIL_IP}" = "-" ]; then
-fi
+            error_exit "Jail IP not found: ${TARGET}"
        fi
    fi
    # Check if rdr-anchor is defined in pf.conf
    if ! (pfctl -sn | grep rdr-anchor | grep 'rdr/\*' >/dev/null); then
        error_exit "rdr-anchor not found in pf.conf"
    fi
    # Check if ext_if is defined in pf.conf
    EXT_IF=$(grep '^[[:space:]]*ext_if[[:space:]]*=' /etc/pf.conf)
    if [ -z "${EXT_IF}" ]; then
        error_exit "ext_if not defined in pf.conf"
    fi
 }
 # function: write rule to rdr.conf
 persist_rdr_rule() {
@@ -86,6 +91,16 @@ if ! grep -qs "$1 $2 $3" "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"; then
 fi
 }
 persist_rdr_log_rule() {
 proto=$1;host_port=$2;jail_port=$3;
 shift 3;
 log=$@;
 if ! grep -qs "$proto $host_port $jail_port $log" "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"; then
    echo "$proto $host_port $jail_port $log" >> "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"
 fi
 }
 # function: load rdr rule via pfctl
 load_rdr_rule() {
 ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
@@ -93,23 +108,83 @@ load_rdr_rule() {
      | pfctl -a "rdr/${JAIL_NAME}" -f-
 }
 # function: load rdr rule with log via pfctl
 load_rdr_log_rule() {
 proto=$1;host_port=$2;jail_port=$3;
 shift 3;
 log=$@
 ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
  printf '%s\nrdr pass %s on $ext_if inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "$log" "$proto" "$host_port" "$JAIL_IP" "$jail_port" ) \
      | pfctl -a "rdr/${JAIL_NAME}" -f-
 }
 while [ $# -gt 0 ]; do
    case "$1" in
        list)
-            pfctl -a "rdr/${JAIL_NAME}" -Psn 2>/dev/null
+            if [ "${TARGET}" = 'ALL' ]; then
                for JAIL_NAME in $(ls "${bastille_jailsdir}" | sed "s/\n//g"); do
                    echo "${JAIL_NAME} redirects:"
                    pfctl -a "rdr/${JAIL_NAME}" -Psn 2>/dev/null
                done
            else
                check_jail_validity
                pfctl -a "rdr/${JAIL_NAME}" -Psn 2>/dev/null
            fi
            shift
            ;;
        clear)
-            pfctl -a "rdr/${JAIL_NAME}" -Fn
+            if [ "${TARGET}" = 'ALL' ]; then
                for JAIL_NAME in $(ls "${bastille_jailsdir}" | sed "s/\n//g"); do
                    echo "${JAIL_NAME} redirects:"
                    pfctl -a "rdr/${JAIL_NAME}" -Fn
                done
            else
                check_jail_validity
                pfctl -a "rdr/${JAIL_NAME}" -Fn
            fi
            shift
            ;;
        tcp|udp)
            if [ $# -lt 3 ]; then
                usage
            elif [ $# -eq 3 ]; then
                check_jail_validity
                persist_rdr_rule $1 $2 $3
                load_rdr_rule $1 $2 $3
                shift 3
            else
                case "$4" in
                    log)
                        proto=$1
                        host_port=$2
                        jail_port=$3
                        shift 3
                        if [ $# -gt 3 ]; then
                            for last in $@; do
 				true
                            done
                            if [ $2 == "(" ] && [ $last == ")" ] ; then
                                check_jail_validity
                                persist_rdr_log_rule $proto $host_port $jail_port $@
                                load_rdr_log_rule $proto $host_port $jail_port $@
                                shift $#
                            else
                                usage
                            fi
                        elif [ $# -eq 1 ]; then
                            check_jail_validity
                            persist_rdr_log_rule $proto $host_port $jail_port $@
                            load_rdr_log_rule $proto $host_port $jail_port $@
                            shift 1
                        else
                            usage
                        fi
                        ;;
                    *)
                        usage
                        ;;
                esac
            fi
            persist_rdr_rule $1 $2 $3
            load_rdr_rule $1 $2 $3
            shift 3
            ;;
        *)
            usage
--- a/usr/local/share/bastille/rename.sh
+++ b/usr/local/share/bastille/rename.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -76,13 +76,22 @@ update_fstab() {
    # Update fstab to use the new name
    FSTAB_CONFIG="${bastille_jailsdir}/${NEWNAME}/fstab"
    if [ -f "${FSTAB_CONFIG}" ]; then
-        FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
+        # Skip if fstab is empty, e.g newly created thick or clone jails
-        FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" "${FSTAB_CONFIG}")
+        if [ -s "${FSTAB_CONFIG}" ]; then
-        FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0"
+            FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
-        if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
+            FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" "${FSTAB_CONFIG}")
-            # If both variables are set, update as needed
+            FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0"
-            if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${NEWNAME}/root/.bastille" "${FSTAB_CONFIG}"; then
+            if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
-                sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}"
+                # If both variables are set, update as needed
                if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${NEWNAME}/root/.bastille" "${FSTAB_CONFIG}"; then
                    sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}"
                fi
            fi
            # Update linuxjail fstab name entries
            # Search for either linprocfs/linsysfs, if true assume is a linux jail
            if grep -qwE "linprocfs|linsysfs" "${FSTAB_CONFIG}"; then
                sed -i '' "s|.${bastille_jailsdir}/${TARGET}/|${bastille_jailsdir}/${NEWNAME}/|" "${FSTAB_CONFIG}"
            fi
        fi
    fi
--- a/usr/local/share/bastille/restart.sh
+++ b/usr/local/share/bastille/restart.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
--- a/usr/local/share/bastille/service.sh
+++ b/usr/local/share/bastille/service.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
--- a/usr/local/share/bastille/start.sh
+++ b/usr/local/share/bastille/start.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -62,11 +62,11 @@ fi
 for _jail in ${JAILS}; do
    ## test if running
-    if [ "$(jls name | awk "/^${_jail}$/")" ]; then
+    if [ "$(/usr/sbin/jls name | awk "/^${_jail}$/")" ]; then
        error_notify "[${_jail}]: Already started."
    ## test if not running
-    elif [ ! "$(jls name | awk "/^${_jail}$/")" ]; then
+    elif [ ! "$(/usr/sbin/jls name | awk "/^${_jail}$/")" ]; then
        # Verify that the configured interface exists. -- cwells
        if [ "$(bastille config $_jail get vnet)" != 'enabled' ]; then
            _interface=$(bastille config $_jail get interface)
--- a/usr/local/share/bastille/stop.sh
+++ b/usr/local/share/bastille/stop.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -48,13 +48,9 @@ fi
 for _jail in ${JAILS}; do
    ## test if running
-    if [ "$(jls name | awk "/^${_jail}$/")" ]; then
+    if [ "$(/usr/sbin/jls name | awk "/^${_jail}$/")" ]; then
-        ## remove ip4.addr from firewall table:jails
+        ## Capture ip4.addr address while still running
-        if [ -n "${bastille_network_loopback}" ]; then
+        _ip="$(/usr/sbin/jls -j ${_jail} ip4.addr)"
            if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then
                pfctl -q -t jails -T delete "$(jls -j ${_jail} ip4.addr)"
            fi
        fi
        # Check if pfctl is present
        if which -s pfctl; then
@@ -73,6 +69,13 @@ for _jail in ${JAILS}; do
        ## stop container
        info "[${_jail}]:"
        jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r "${_jail}"
        ## remove (captured above) ip4.addr from firewall table:jails
        if [ -n "${bastille_network_loopback}" -a ! -z "${_ip}" ]; then
            if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then
                pfctl -q -t jails -T delete "${_ip}"
            fi
        fi
    fi
    echo
 done
--- a/usr/local/share/bastille/sysrc.sh
+++ b/usr/local/share/bastille/sysrc.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
--- a/usr/local/share/bastille/template.sh
+++ b/usr/local/share/bastille/template.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -186,7 +186,11 @@ case ${TEMPLATE} in
        ;;
    */*)
        if [ ! -d "${bastille_templatesdir}/${TEMPLATE}" ]; then
-            error_exit "${TEMPLATE} not found."
+            if [ ! -d ${TEMPLATE} ]; then
                error_exit "${TEMPLATE} not found."
            else
                bastille_template=${TEMPLATE}
            fi
        fi
        ;;
    *)
@@ -222,9 +226,10 @@ for _jail in ${JAILS}; do
    info "Applying template: ${TEMPLATE}..."
    ## jail-specific variables.
-    bastille_jail_path=$(jls -j "${_jail}" path)
+    bastille_jail_path=$(/usr/sbin/jls -j "${_jail}" path)
    if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then
-        _jail_ip=$(jls -j "${_jail}" ip4.addr 2>/dev/null)
+        _jail_ip=$(/usr/sbin/jls -j "${_jail}" ip4.addr 2>/dev/null)
        _jail_ip6=$(/usr/sbin/jls -j "${_jail}" ip6.addr 2>/dev/null)
        if [ -z "${_jail_ip}" -o "${_jail_ip}" = "-" ]; then
            error_notify "Jail IP not found: ${_jail}"
            _jail_ip='' # In case it was -. -- cwells
@@ -247,7 +252,7 @@ for _jail in ${JAILS}; do
    # Build a list of sed commands like this: -e 's/${username}/root/g' -e 's/${domain}/example.com/g'
    # Values provided by default (without being defined by the user) are listed here. -- cwells
-    ARG_REPLACEMENTS="-e 's/\${JAIL_IP}/${_jail_ip}/g' -e 's/\${JAIL_NAME}/${_jail}/g'"
+    ARG_REPLACEMENTS="-e 's/\${JAIL_IP}/${_jail_ip}/g' -e 's/\${JAIL_IP6}/${_jail_ip6}/g' -e 's/\${JAIL_NAME}/${_jail}/g'"
    # This is parsed outside the HOOKS loop so an ARG file can be used with a Bastillefile. -- cwells
    if [ -s "${bastille_template}/ARG" ]; then
        while read _line; do
--- a/usr/local/share/bastille/templates/default/clone/Bastillefile
+++ b/usr/local/share/bastille/templates/default/clone/Bastillefile
@@ -0,0 +1,4 @@
 ARG BASE_TEMPLATE=default/base
 ARG HOST_RESOLV_CONF=/etc/resolv.conf
 INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}"
--- a/usr/local/share/bastille/templates/default/vnet/Bastillefile
+++ b/usr/local/share/bastille/templates/default/vnet/Bastillefile
@@ -5,9 +5,11 @@ INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}"
 ARG EPAIR
 ARG GATEWAY
 ARG GATEWAY6
 ARG IFCONFIG="SYNCDHCP"
 SYSRC ifconfig_${EPAIR}_name=vnet0
 SYSRC ifconfig_vnet0="${IFCONFIG}"
 # GATEWAY will be empty for a DHCP config. -- cwells
 CMD if [ -n "${GATEWAY}" ]; then /usr/sbin/sysrc defaultrouter="${GATEWAY}"; fi
 CMD if [ -n "${GATEWAY6}" ]; then /usr/sbin/sysrc ipv6_defaultrouter="${GATEWAY6}"; fi
--- a/usr/local/share/bastille/top.sh
+++ b/usr/local/share/bastille/top.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
--- a/usr/local/share/bastille/umount.sh
+++ b/usr/local/share/bastille/umount.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
--- a/usr/local/share/bastille/update.sh
+++ b/usr/local/share/bastille/update.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -32,7 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf
 usage() {
-    error_exit "Usage: bastille update [release|container] | [force]"
+    error_exit "Usage: bastille update [release|container|template] | [force]"
 }
 # Handle special-case commands first.
@@ -73,9 +73,16 @@ if freebsd-version | grep -qi HBSD; then
    error_exit "Not yet supported on HardenedBSD."
 fi
 # Check for alternate/unsupported archs
 arch_check() {
    if echo "${TARGET}" | grep -w "[0-9]\{1,2\}\.[0-9]\-RELEASE\-i386"; then
        ARCH_I386="1"
    fi
 }
 jail_check() {
    # Check if the jail is thick and is running
-    if [ ! "$(jls name | awk "/^${TARGET}$/")" ]; then
+    if [ ! "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
        error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'."
    else
        if grep -qw "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
@@ -103,15 +110,61 @@ jail_update() {
 release_update() {
    # Update a release base(affects child containers)
    if [ -d "${bastille_releasesdir}/${TARGET}" ]; then
        TARGET_TRIM="${TARGET}"
        if [ -n "${ARCH_I386}" ]; then
            TARGET_TRIM=$(echo "${TARGET}" | sed 's/-i386//')
        fi
        env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron -b "${bastille_releasesdir}/${TARGET}" \
-        fetch install --currently-running "${TARGET}"
+        fetch install --currently-running "${TARGET_TRIM}"
    else
        error_exit "${TARGET} not found. See 'bastille bootstrap'."
    fi
 }
 template_update() {
    # Update a template
    _template_path=${bastille_templatesdir}/${BASTILLE_TEMPLATE}
    if [ -d $_template_path ]; then
        info "[${BASTILLE_TEMPLATE}]:"
        git -C $_template_path pull ||\
            error_notify "${BASTILLE_TEMPLATE} update unsuccessful."    
        bastille verify "${BASTILLE_TEMPLATE}"
    else 
        error_exit "${BASTILLE_TEMPLATE} not found. See 'bastille bootstrap'."
    fi
 }
 templates_update() {
    # Update all templates
    _updated_templates=0
    if [ -d  ${bastille_templatesdir} ]; then
        for _template_path in $(ls -d ${bastille_templatesdir}/*/*); do
            if [ -d $_template_path/.git ]; then
                BASTILLE_TEMPLATE=$(echo "$_template_path" | awk -F / '{ print $(NF-1) "/" $NF }')
                template_update
                _updated_templates=$((_updated_templates+1))
            fi
        done
    fi
    if [ "$_updated_templates" -ne "0" ]; then
        info "$_updated_templates templates updated."
    else 
        error_exit "no templates found. See 'bastille bootstrap'."
    fi
 }
 # Check what we should update
-if echo "${TARGET}" | grep -q "[0-9]\{2\}.[0-9]-RELEASE"; then
+if [ "${TARGET}" = 'TEMPLATES' ]; then
    templates_update
 elif echo "${TARGET}" | grep -Eq '^[A-Za-z0-9_-]+/[A-Za-z0-9_-]+$'; then
    BASTILLE_TEMPLATE="${TARGET}"
    template_update
 elif echo "${TARGET}" | grep -q "[0-9]\{2\}.[0-9]-RELEASE"; then
    arch_check
    release_update
 else
    jail_update
--- a/usr/local/share/bastille/upgrade.sh
+++ b/usr/local/share/bastille/upgrade.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -76,7 +76,7 @@ esac
 jail_check() {
    # Check if the jail is thick and is running
-    if [ ! "$(jls name | awk "/^${TARGET}$/")" ]; then
+    if [ ! "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
        error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'."
    else
        if grep -qw "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
--- a/usr/local/share/bastille/verify.sh
+++ b/usr/local/share/bastille/verify.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -51,6 +51,22 @@ verify_release() {
    fi
 }
 handle_template_include() {
    case ${TEMPLATE_INCLUDE} in
        http?://*/*/*)
            bastille bootstrap "${TEMPLATE_INCLUDE}"
        ;;
        */*)
            BASTILLE_TEMPLATE_USER=$(echo "${TEMPLATE_INCLUDE}" | awk -F / '{ print $1 }')
            BASTILLE_TEMPLATE_REPO=$(echo "${TEMPLATE_INCLUDE}" | awk -F / '{ print $2 }')
            bastille verify "${BASTILLE_TEMPLATE_USER}/${BASTILLE_TEMPLATE_REPO}"
        ;;
        *)
            error_exit "Template INCLUDE content not recognized."
    ;;
    esac
 }
 verify_template() {
    _template_path=${bastille_templatesdir}/${BASTILLE_TEMPLATE}
    _hook_validate=0
@@ -75,20 +91,8 @@ verify_template() {
                echo
                while read _include; do
                    info "[${_hook}]:[${_include}]:"
-
+                    TEMPLATE_INCLUDE="${_include}"
-                    case ${_include} in
+                    handle_template_include
                        http?://*/*/*)
                            bastille bootstrap "${_include}"
                        ;;
                        */*)
                            BASTILLE_TEMPLATE_USER=$(echo "${_include}" | awk -F / '{ print $1 }')
                            BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $2 }')
                            bastille verify "${BASTILLE_TEMPLATE_USER}/${BASTILLE_TEMPLATE_REPO}"
                        ;;
                        *)
                            error_exit "Template INCLUDE content not recognized."
                    ;;
                    esac
                done < "${_path}"
            ## if tree; tree -a bastille_template/_dir
@@ -105,6 +109,18 @@ verify_template() {
                        fi
                    echo
                done < "${_path}"
            elif [ "${_hook}" = 'Bastillefile' ]; then
                info "[${_hook}]:"
                cat "${_path}"
                while read _line; do
                    _cmd=$(echo "${_line}" | awk '{print tolower($1);}')
                    ## if include; recursive verify
                    if [ "${_cmd}" = 'include' ]; then
                        TEMPLATE_INCLUDE=$(echo "${_line}" | awk '{print $2;}')
                        handle_template_include
                    fi
                done < "${_path}"
                echo
            else
                info "[${_hook}]:"
                cat "${_path}"
--- a/usr/local/share/bastille/zfs.sh
+++ b/usr/local/share/bastille/zfs.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without