Merge pull request #435 from CamilionEU/evilham-improve-ipv6-and-dualstack-creation

[WIP] [feedback required] Improve dualstack and IPv6 support on jail creation

usr/local/share/bastille/create.sh

@@ -69,34 +69,57 @@ validate_name() {
 }
 
 validate_ip() {
-    IPX_ADDR="ip4.addr"
-    IP6_MODE="disable"
-    ip6=$(echo "${IP}" | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))')
+    ipx_addr="ip4.addr"
+    ip="$1"
+    ip6=$(echo "${ip}" | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$)|SLAAC)')
     if [ -n "${ip6}" ]; then
         info "Valid: (${ip6})."
-        IPX_ADDR="ip6.addr"
+        ipx_addr="ip6.addr"
         IP6_MODE="new"
     else
-        local IFS
-        if echo "${IP}" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then
-            TEST_IP=$(echo "${IP}" | cut -d / -f1)
-            IFS=.
-            set ${TEST_IP}
-            for quad in 1 2 3 4; do
-                if eval [ \$$quad -gt 255 ]; then
-                    echo "Invalid: (${TEST_IP})"
-                    exit 1
-                fi
-            done
-            if ifconfig | grep -qw "${TEST_IP}"; then
-                warn "Warning: IP address already in use (${TEST_IP})."
-            else
-                info "Valid: (${IP})."
-            fi
+        if [ "${ip}" = "DHCP" ]; then
+            info "Valid: (${ip})."
         else
-            error_exit "Invalid: (${IP})."
+            local IFS
+            if echo "${ip}" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then
+                TEST_IP=$(echo "${ip}" | cut -d / -f1)
+                IFS=.
+                set ${TEST_IP}
+                for quad in 1 2 3 4; do
+                    if eval [ \$$quad -gt 255 ]; then
+                        echo "Invalid: (${TEST_IP})"
+                        exit 1
+                    fi
+                done
+                if ifconfig | grep -qw "${TEST_IP}"; then
+                    warn "Warning: IP address already in use (${TEST_IP})."
+                else
+                    info "Valid: (${ip})."
+                fi
+            else
+                error_exit "Invalid: (${ip})."
+            fi
         fi
     fi
+    if echo "${ip}" | grep -qvE '(SLAAC|DHCP|0[.]0[.]0[.]0)'; then
+        if [ "${ipx_addr}" = "ip4.addr" ]; then
+                IP4_ADDR="${ip}"
+                IP4_DEFINITION="${ipx_addr}=${ip};"
+        else
+                IP6_ADDR="${ip}"
+                IP6_DEFINITION="${ipx_addr}=${ip};"
+        fi
+    fi
+}
+validate_ips() {
+    IP6_MODE="disable"
+    IP4_DEFINITION=""
+    IP6_DEFINITION=""
+    IP4_ADDR=""
+    IP6_ADDR=""
+    for ip in ${IP}; do
+        validate_ip "${ip}"
+    done
 }
 
 validate_netif() {
@@ -157,7 +180,8 @@ ${NAME} {
   securelevel = 2;
 
   interface = ${bastille_jail_conf_interface};
-  ${IPX_ADDR} = ${IP};
+  ${IP4_DEFINITION}
+  ${IP6_DEFINITION}
   ip6 = ${IP6_MODE};
 }
 EOF
@@ -479,25 +503,44 @@ create_jail() {
 
             _gateway=''
             _gateway6=''
-            _ifconfig=SYNCDHCP
-            if [ "${IP}" != "0.0.0.0" ]; then # not using DHCP, so set static address.
-                if [ -n "${ip6}" ]; then
-                    _ifconfig="inet6 ${IP}"
-                else
-                    _ifconfig="inet ${IP}"
-                fi
+            _ifconfig_inet=''
+            _ifconfig_inet6=''
+            if echo "${IP}" | grep -qE '(0[.]0[.]0[.]0|DHCP)'; then
+                # Enable DHCP if requested
+                _ifconfig_inet=SYNCDHCP
+            else
+                # Else apply the default gateway
                 if [ -n "${bastille_network_gateway}" ]; then
                     _gateway="${bastille_network_gateway}"
-                elif [ -n "${bastille_network_gateway6}" ]; then
-                    _gateway6="${bastille_network_gateway6}"
                 else
-                    if [ -z ${ip6} ]; then
-                        _gateway="$(netstat -4rn | awk '/default/ {print $2}')"
+                    _gateway="$(netstat -rn | awk '/default/ {print $2}')"
+                fi
+            fi
+            # Add IPv4 address (this is empty if DHCP is used)
+            if [ -n "${IP4_ADDR}" ]; then
+                    _ifconfig_inet="${_ifconfig_inet} inet ${IP4_ADDR}"
+            fi
+            # Enable IPv6 if used
+            if [ "${IP6_MODE}" != "disable" ]; then
+                _ifconfig_inet6='inet6 -ifdisabled'
+                if echo "${IP}" | grep -qE 'SLAAC'; then
+                    # Enable SLAAC if requested
+                    _ifconfig_inet6="${_ifconfig_inet6} accept_rtadv"
+                else
+                    # Else apply the default gateway
+                    if [ -n "${bastille_network_gateway6}" ]; then
+                        _gateway6="${bastille_network_gateway6}"
                     else
-                        _gateway="$(netstat -6rn | awk '/default/ {print $2}')"
+                        _gateway6="$(netstat -6rn | awk '/default/ {print $2}')"
                     fi
                 fi
             fi
+            # Add IPv6 address (this is empty if SLAAC is used)
+            if [ -n "${IP6_ADDR}" ]; then
+                    _ifconfig_inet6="${_ifconfig_inet6} ${IP6_ADDR}"
+            fi
+            # Join together IPv4 and IPv6 parts of ifconfig
+            _ifconfig="${_ifconfig_inet} ${_ifconfig_inet6}"
             bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg GATEWAY6="${_gateway6}" --arg IFCONFIG="${_ifconfig}"
         fi
     elif [ -n "${THICK_JAIL}" ]; then
@@ -740,7 +783,7 @@ if [ -z "${EMPTY_JAIL}" ]; then
 
     ## check if ip address is valid
     if [ -n "${IP}" ]; then
-        validate_ip
+        validate_ips
     else
         usage
     fi