From 106c566c8897984b78ee0461c415effbd22e4a7e Mon Sep 17 00:00:00 2001
From: Christer Edwards
Date: Sun, 12 Apr 2020 17:04:37 -0600
Subject: [PATCH] network cleanup; default route addition for vnet

---
 usr/local/etc/bastille/bastille.conf.sample | 8 +-
 usr/local/share/bastille/bootstrap.sh | 95 --------------------
 usr/local/share/bastille/create.sh | 29 +++----
 usr/local/share/bastille/import.sh | 8 +-
 usr/local/share/bastille/start.sh | 2 +-
 usr/local/share/bastille/stop.sh | 2 +-
 6 files changed, 19 insertions(+), 125 deletions(-)

diff --git a/usr/local/etc/bastille/bastille.conf.sample b/usr/local/etc/bastille/bastille.conf.sample
index 6503ae06..9e1c3235 100644
--- a/usr/local/etc/bastille/bastille.conf.sample
+++ b/usr/local/etc/bastille/bastille.conf.sample
@@ -38,8 +38,6 @@ bastille_compress_xz_options="-0 -v" ## default
 bastille_decompress_xz_options="-c -d -v" ## default "-c -d -v"
 
 ## Networking
-bastille_jail_loopback="lo1" ## default: "lo1"
-bastille_jail_interface="bastille0" ## default: "bastille0"
-bastille_jail_external="" ## default: ""
-bastille_jail_addr="10.17.89.10" ## default: "10.17.89.10"
-bastille_jail_gateway="" ## default: ""
+bastille_network_loopback="bastille0" ## default: "bastille0"
+bastille_network_shared="" ## default: ""
+bastille_network_gateway="" ## default: ""
diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh
index 6dcdf862..3add1de8 100644
--- a/usr/local/share/bastille/bootstrap.sh
+++ b/usr/local/share/bastille/bootstrap.sh
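Review bot: The three new keys are commented only with their defaults, while create.sh's validate_netconf in this same commit exits when both `bastille_network_loopback` and `bastille_network_shared` are set, and the meaning of `bastille_network_gateway` is only discoverable from create_jail. Add a comment line above the group such as `## set loopback OR shared, not both; 'bastille create' refuses a config with both set` and, above the gateway line, `## gateway: written as defaultrouter into VNET jails; empty means the host's current default route`. Since this commit also removes the bootstrap routine that created and addressed the loopback interface, it may be worth stating in the sample that the interface named in bastille_network_loopback must already exist on the host — that is inferred from the deletion, so confirm it against the rest of the tooling.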
@@ -82,98 +82,6 @@ validate_release_url() {
 fi
 }
 
-bootstrap_network_interfaces() {
-
- ## test for both options empty
- if [ -z "${bastille_jail_loopback}" ] && [ -z "${bastille_jail_external}" ]; then
- echo -e "${COLOR_RED}Please set preferred loopback or external interface.${COLOR_RESET}"
- echo -e "${COLOR_RED}See bastille.conf.${COLOR_RESET}"
- exit 1
- fi
-
- ## test for required variables -- external
- if [ -z "${bastille_jail_loopback}" ] && [ -n "${bastille_jail_external}" ]; then
-
- ## test for existing interface
- ifconfig "${bastille_jail_external}" >/dev/null 2>&1
- if [ "$?" = 0 ]; then
-
- ## create ifconfig alias
- ifconfig "${bastille_jail_external}" inet "${bastille_jail_addr}" alias && \
- echo -e "${COLOR_GREEN}IP alias added to ${bastille_jail_external} successfully.${COLOR_RESET}"
- echo
-
- ## attempt to ping gateway
- echo -e "${COLOR_YELLOW}Attempting to ping default gateway...${COLOR_RESET}"
- ping -c3 -t3 -S "${bastille_jail_addr}" "${bastille_jail_gateway}"
- if [ "$?" = 0 ]; then
- echo
- echo -e "${COLOR_GREEN}External networking appears functional.${COLOR_RESET}"
- echo
- else
- echo -e "${COLOR_RED}Unable to ping default gateway.${COLOR_RESET}"
- fi
- fi
- fi
-
- ## test for required variables -- loopback
- if [ -z "${bastille_jail_external}" ] && [ -n "${bastille_jail_loopback}" ] && \
- [ -n "${bastille_jail_addr}" ]; then
-
- echo -e "${COLOR_GREEN}Detecting...${COLOR_RESET}"
- ## test for existing interface
- ifconfig "${bastille_jail_interface}" >&2 >/dev/null
-
- ## if above return code is 1; create interface
- if [ "$?" = 1 ]; then
- sysrc ifconfig_"${bastille_jail_loopback}"_name | grep "${bastille_jail_interface}" >&2 >/dev/null
- if [ "$?" = 1 ]; then
- echo
- echo -e "${COLOR_GREEN}Defining secure loopback interface.${COLOR_RESET}"
- sysrc cloned_interfaces+="${bastille_jail_loopback}" &&
- sysrc ifconfig_"${bastille_jail_loopback}"_name="${bastille_jail_interface}"
- sysrc ifconfig_"${bastille_jail_interface}"_aliases+="inet ${bastille_jail_addr}/32"
-
- ## create and name interface; assign address
- echo
- echo -e "${COLOR_GREEN}Creating secure loopback interface.${COLOR_RESET}"
- ifconfig "${bastille_jail_loopback}" create name "${bastille_jail_interface}"
- ifconfig "${bastille_jail_interface}" up
- ifconfig "${bastille_jail_interface}" inet "${bastille_jail_addr}/32"
-
- ## reload firewall
- pfctl -f /etc/pf.conf
-
- ## look for nat rule for bastille_jail_addr
- echo -e "${COLOR_GREEN}Detecting NAT from bastille0 interface...${COLOR_RESET}"
- pfctl -s nat | grep nat | grep "${bastille_jail_addr}"
- if [ "$?" = 0 ]; then
- ## test connectivity; ping from bastille_jail_addr
- echo
- echo -e "${COLOR_YELLOW}Attempting to ping default gateway...${COLOR_RESET}"
- ping -c3 -t3 -S "${bastille_jail_addr}" "${bastille_jail_gateway}"
- if [ "$?" = 0 ]; then
- echo
- echo -e "${COLOR_GREEN}Private networking appears functional.${COLOR_RESET}"
- echo
- else
- echo -e "${COLOR_RED}Unable to ping default gateway.${COLOR_RESET}"
- echo -e "${COLOR_YELLOW}See https://github.com/BastilleBSD/bastille/blob/master/README.md#etcpfconf.${COLOR_RESET}"
- echo -e
- fi
- else
- echo -e "${COLOR_RED}Unable to detect firewall 'nat' rule.${COLOR_RESET}"
- echo -e "${COLOR_YELLOW}See https://github.com/BastilleBSD/bastille/blob/master/README.md#etcpfconf.${COLOR_RESET}"
- fi
- else
- echo -e "${COLOR_RED}Interface ${bastille_jail_loopback} already configured; bailing out.${COLOR_RESET}"
- fi
- else
- echo -e "${COLOR_RED}Interface ${bastille_jail_interface} already active; bailing out.${COLOR_RESET}"
- fi
- fi
-}
-
 bootstrap_directories() {
 ## ensure required directories are in place
 
@@ -488,9 +396,6 @@ http?://github.com/*/*|http?://gitlab.com/*/*)
 BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
 bootstrap_template
 ;;
-network)
- bootstrap_network_interfaces
- ;;
 *)
 usage
 ;;
diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh
index 7df5a11f..e2efad98 100644
--- a/usr/local/share/bastille/create.sh
+++ b/usr/local/share/bastille/create.sh
@@ -89,21 +89,7 @@ validate_netif() {
 }
 
 validate_netconf() {
- if [ -n "${bastille_jail_loopback}" ] && [ -n "${bastille_jail_interface}" ] && [ -n "${bastille_jail_external}" ]; then
- echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
- exit 1
- fi
- if [ -n "${bastille_jail_external}" ]; then
- return 0
- elif [ ! -z "${bastille_jail_loopback}" ] && [ -z "${bastille_jail_external}" ]; then
- if [ -z "${bastille_jail_interface}" ]; then
- echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
- exit 1
- fi
- elif [ -z "${bastille_jail_loopback}" ] && [ ! -z "${bastille_jail_interface}" ]; then
- echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
- exit 1
- elif [ -z "${bastille_jail_external}" ]; then
+ if [ -n "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
 echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
 exit 1
 fi
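Review bot: validate_netconf now rejects only the case where both variables are set; the removed branches, ending in `elif [ -z "${bastille_jail_external}" ]`, also rejected a configuration with no interface at all, and that case now passes validation silently. With both `bastille_network_loopback` and `bastille_network_shared` empty, neither assignment in the create_jail hunk that follows fires, so `bastille_jail_conf_interface` is only set when INTERFACE is given. Unless an all-empty network configuration is now intended, keep a second check for it; the function's closing brace lies outside the hunk.
```shell
    fi
    # reject the all-empty case the removed branches used to catch
    if [ -z "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then
        echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
        exit 1
    fi
```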
@@ -230,11 +216,11 @@ create_jail() {
 fi
 
 if [ ! -f "${bastille_jail_conf}" ]; then
- if [ -z "${bastille_jail_loopback}" ] && [ -n "${bastille_jail_external}" ]; then
- local bastille_jail_conf_interface=${bastille_jail_external}
+ if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
+ local bastille_jail_conf_interface=${bastille_network_shared}
 fi
- if [ -n "${bastille_jail_loopback}" ] && [ -z "${bastille_jail_external}" ]; then
- local bastille_jail_conf_interface=${bastille_jail_interface}
+ if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then
+ local bastille_jail_conf_interface=${bastille_network_loopback}
 fi
 if [ -n "${INTERFACE}" ]; then
 local bastille_jail_conf_interface=${INTERFACE}
@@ -348,6 +334,11 @@ create_jail() {
 /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="DHCP"
 else
 /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}"
+ if [ -n "${bastille_network_gateway}" ]; then
+ /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" defaultrouter="${bastille_network_gateway}"
+ else
+ /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" defaultrouter="$(route show default | awk '/gateway/ {print $2}')"
+ fi
 fi
 
 ## VNET requires jib script
diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh
index ec4f9dce..98da5218 100644
--- a/usr/local/share/bastille/import.sh
+++ b/usr/local/share/bastille/import.sh
@@ -274,10 +274,10 @@ workout_components() {
 
 config_netif() {
 # Get interface from bastille configuration
- if [ -n "${bastille_jail_interface}" ]; then
- NETIF_CONFIG="${bastille_jail_interface}"
- elif [ -n "${bastille_jail_external}" ]; then
- NETIF_CONFIG="${bastille_jail_external}"
+ if [ -n "${bastille_network_loopback}" ]; then
+ NETIF_CONFIG="${bastille_network_loopback}"
+ elif [ -n "${bastille_network_shared}" ]; then
+ NETIF_CONFIG="${bastille_network_shared}"
 else
 NETIF_CONFIG=
 fi
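Review bot: The fallback `defaultrouter="$(route show default | awk '/gateway/ {print $2}')"` writes an empty defaultrouter into the jail's rc.conf when the host has no default route or `route` fails, with route's own error (if any) going to the terminal while create continues. Capture the value first and call sysrc only when it is non-empty, e.g. `local _gateway; _gateway="$(route show default 2>/dev/null | awk '/gateway/ {print $2}')"` followed by `if [ -n "${_gateway}" ]; then /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" defaultrouter="${_gateway}"; else echo -e "${COLOR_YELLOW}No default route found; set bastille_network_gateway in bastille.conf.${COLOR_RESET}"; fi`. Inheriting the host's gateway also assumes the jail's vnet0 ends up on the same segment as the host's uplink; a one-line comment above the `else` saying so would spare the next reader the guess. create_jail continues outside the hunk on both sides.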
diff --git a/usr/local/share/bastille/start.sh b/usr/local/share/bastille/start.sh
index 9aa33684..46a6f1b0 100644
--- a/usr/local/share/bastille/start.sh
+++ b/usr/local/share/bastille/start.sh
@@ -89,7 +89,7 @@ for _jail in ${JAILS}; do
 fi
 
 ## add ip4.addr to firewall table:jails
- if [ ! -z "${bastille_jail_loopback}" ]; then
+ if [ ! -z "${bastille_network_loopback}" ]; then
 pfctl -q -t jails -T add "$(jls -j "${_jail}" ip4.addr)"
 fi
 fi
diff --git a/usr/local/share/bastille/stop.sh b/usr/local/share/bastille/stop.sh
index a191cb52..3c0cb45c 100644
--- a/usr/local/share/bastille/stop.sh
+++ b/usr/local/share/bastille/stop.sh
@@ -67,7 +67,7 @@ for _jail in ${JAILS}; do
 ## test if running
 if [ "$(jls name | awk "/^${_jail}$/")" ]; then
 ## remove ip4.addr from firewall table:jails
- if [ -n "${bastille_jail_loopback}" ]; then
+ if [ -n "${bastille_network_loopback}" ]; then
 pfctl -q -t jails -T delete "$(jls -j "${_jail}" ip4.addr)"
 fi