diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh
index 93fa4193..c4eb2335 100644
--- a/usr/local/share/bastille/clone.sh
+++ b/usr/local/share/bastille/clone.sh 
@@ -109,44 +109,66 @@ fi validate_ip() { - local IP="${1}" - IP6_MODE="disable" - ip6=$(echo "${IP}" | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))') - - if [ -n "${ip6}" ]; then - - info "\nValid: (${ip6})." - IP6_MODE="new" - - elif { [ "${IP}" = "0.0.0.0" ] || [ "${IP}" = "DHCP" ]; } && [ "$(bastille config ${TARGET} get vnet)" = "enabled" ]; then - - info "\nValid: (${IP})." + local _ip="${1}" + local _ip6="$(echo ${_ip} | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$)|SLAAC)')" + if [ -n "${_ip6}" ]; then + if [ "${_ip6}" = "SLAAC" ] && [ "$(bastille config ${TARGET} get vnet)" != "enabled" ]; then + error_exit "[ERROR]: Unsupported IP option for standard jail: (${_ip6})." + fi + info "\nValid: (${_ip6})." + IP6_ADDR="${_ip6}" + elif [ "${_ip}" = "inherit" ] || [ "${_ip}" = "ip_hostname" ]; then + if [ "$(bastille config ${TARGET} get vnet)" = "enabled" ]; then + error_exit "[ERROR]: Unsupported IP option for VNET jail: (${_ip})." + else + info "\nValid: (${_ip})." + IP4_ADDR="${_ip}" + IP6_ADDR="${_ip}" + fi + elif [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ] || [ "${_ip}" = "SYNCDHCP" ]; then + if [ "$(bastille config ${TARGET} get vnet)" = "enabled" ]; then + info "\nValid: (${_ip})." + IP4_ADDR="${_ip}" + else + error_exit "[ERROR]: Unsupported IP option for standard jail: (${_ip})." + fi else - local IFS - if echo "${IP}" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then - TEST_IP=$(echo "${IP}" | cut -d / -f1) + if echo "${_ip}" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then + TEST_IP=$(echo "${_ip}" | cut -d / -f1) IFS=. 
set ${TEST_IP} for quad in 1 2 3 4; do if eval [ \$$quad -gt 255 ]; then - error_exit "Invalid: (${TEST_IP})" + error_continue "Invalid: (${TEST_IP})" fi done if ifconfig | grep -qwF "${TEST_IP}"; then warn "\nWarning: IP address already in use (${TEST_IP})." + IP4_ADDR="${_ip}" else - info "\nValid: (${IP})." + info "\nValid: (${_ip})." + IP4_ADDR="${_ip}" fi else - error_exit "Invalid: (${IP})." + error_continue "Invalid: (${_ip})." fi fi } +validate_ips() { + + IP4_ADDR="" + IP6_ADDR="" + + for ip in ${IP}; do + validate_ip "${ip}" + done +} + update_jailconf() { # Update jail.conf @@ -181,9 +203,9 @@ update_jailconf() { _ip="$(echo ${_ip} | awk -F"|" '{print $2}')" fi if [ "${_interface}" != "not set" ]; then - sed -i '' "s#.*ip4.addr = .*# ip4.addr = ${_interface}|${IP};#" "${JAIL_CONFIG}" + sed -i '' "s#.*ip4.addr = .*# ip4.addr = ${_interface}|${IP4_ADDR};#" "${JAIL_CONFIG}" else - sed -i '' "\#ip4.addr = .*# s#${_ip}#${IP}#" "${JAIL_CONFIG}" + sed -i '' "\#ip4.addr = .*# s#${_ip}#${IP4_ADDR}#" "${JAIL_CONFIG}" fi sed -i '' "\#ip4.addr += .*# s#${_ip}#127.0.0.1#" "${JAIL_CONFIG}" done @@ -196,12 +218,11 @@ update_jailconf() { _ip="$(echo ${_ip} | awk -F"|" '{print $2}')" fi if [ "${_interface}" != "not set" ]; then - sed -i '' "s#.*${_interface} = .*# ip6.addr = ${_interface}|${IP};/" "${JAIL_CONFIG}" + sed -i '' "s#.*${_interface} = .*# ip6.addr = ${_interface}|${IP6_ADDR};/" "${JAIL_CONFIG}" else - sed -i '' "\#ip6.addr = .*# s#${_ip}#${IP}#" "${JAIL_CONFIG}" + sed -i '' "\#ip6.addr = .*# s#${_ip}#${IP6_ADDR}#" "${JAIL_CONFIG}" fi - sed -i '' "\#ip6.addr += .*# s#${_ip}#127.0.0.1#" "${JAIL_CONFIG}" - sed -i '' "s#ip6 = .*#ip6 = ${IP6_MODE};#" "${JAIL_CONFIG}" + sed -i '' "\#ip6.addr += .*# s#${_ip}#::1#" "${JAIL_CONFIG}" done fi fi 
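Review bot: The rewrite of validate_ip drops the `local IFS` that the removed lines had before `IFS=.` / `set ${TEST_IP}`, so once an IPv4 address has been validated the calling shell keeps `IFS=.` and every later unquoted expansion in the script (`bastille config ${TARGET} get vnet`, `${bastille_zfs_zpool}`, …) is split on dots instead of whitespace. Restore `local IFS` directly before `IFS=.`; create.sh's validate_ip in this same commit still has it. `local _ip6="$(echo ${_ip} | grep -E …)"` also unquotes `${_ip}` where the old line quoted it; `echo "${_ip}"` keeps the argument intact. Switching the two `Invalid:` paths from error_exit to error_continue means a bad address no longer aborts the clone but leaves IP4_ADDR empty, which the later check in clone_jail only catches when the target already has an ip4.addr or vnet0 entry.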
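Review bot: `sed -i '' "s#.*${_interface} = .*# ip6.addr = ${_interface}|${IP6_ADDR};/" "${JAIL_CONFIG}"` in the -196 hunk ends the s command with `/` while its delimiter is `#`, so sed reports an unterminated substitute and the ip6.addr line is never rewritten; the last character should be `#`, as in the ip4.addr line of the -181 hunk. The removed line carried the same typo, but the commit rewrites the line anyway, so this is the place to fix it. Both hunks also substitute IP4_ADDR/IP6_ADDR without checking that they are non-empty, so a user who passes only one address family gets `ip4.addr = ${_interface}|;` or an ip6.addr value replaced by nothing; whether the enclosing loops, which start outside the hunk, already guard against this is not visible.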
@@ -272,34 +293,52 @@ update_jailconf_vnet() { sed -i '' "s|${_new_jail_epair} ether.*:.*:.*:.*:.*:.*b\";|${_new_jail_epair} ether ${macaddr}b\";|" "${_jail_conf}" fi - # Replace epair description - sed -i '' "/${_new_host_epair}/ s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" - # Update /etc/rc.conf local _jail_vnet="$(grep ${_target_jail_epair} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")" local _jail_vnet_vlan="$(grep "vlans_${_jail_vnet}" "${_rc_conf}" | sed 's/.*=//g')" sed -i '' "s|${_target_jail_epair}_name|${_new_jail_epair}_name|" "${_rc_conf}" - if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then - if [ -n "${_jail_vnet_vlan}" ]; then - if [ "${IP}" = "0.0.0.0" ] || [ "${IP}" = "DHCP" ]; then - sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="SYNCDHCP" + # IP4 + if [ -n "${IP4_ADDR}" ]; then + if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then + if [ -n "${_jail_vnet_vlan}" ]; then + if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then + sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="SYNCDHCP" + else + sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="inet ${IP4_ADDR}" + fi else - sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="inet ${IP}" + if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then + sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP" + else + sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP4_ADDR}" + fi fi else - if [ "${IP}" = "0.0.0.0" ] || [ "${IP}" = "DHCP" ]; then - sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP" + if [ -n "${_jail_vnet_vlan}" ]; then + sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_${_jail_vnet_vlan}="SYNCDHCP" else - sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP}" + sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP" fi fi - else - if [ -n "${_jail_vnet_vlan}" ]; then - 
sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_${_jail_vnet_vlan}="SYNCDHCP" - else - sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP" - fi fi + # IP6 + if [ -n "${IP6_ADDR}" ]; then + if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then + if [ "${IP6_ADDR}" = "SLAAC" ]; then + sysrc -f "${_rc_conf}" ifconfig_vnet0_ipv6="inet6 -ifdisabled accept_rtadv" + else + sysrc -f "${_rc_conf}" ifconfig_vnet0_ipv6="inet6 -ifdisabled ${IP6_ADDR}" + fi + else + if [ "${IP6_ADDR}" = "SLAAC" ]; then + sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled accept_rtadv" + fi + fi + fi + + # Replace epair description + sed -i '' "/${_new_host_epair}/ s|${_jail_vnet} host interface for Bastille jail ${TARGET}|${_jail_vnet} host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" + break fi done 
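Review bot: In the new IP6 block a static IPv6 address is silently dropped when the jail interface is not vnet0: the inner else handles only `SLAAC`, and there is no branch writing `inet6 -ifdisabled ${IP6_ADDR}` to `ifconfig_${_jail_vnet}_ipv6`, whereas the IP4 block above writes a value in every branch. The vnet0 IP6 branch also ignores `_jail_vnet_vlan`, so a VLAN sub-interface gets `ifconfig_vnet0_ipv6` rather than (presumably) `ifconfig_vnet0_${_jail_vnet_vlan}_ipv6`, which the IP4 block does handle. Mirroring the IP4 structure, with an else of `sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled ${IP6_ADDR}"`, closes both gaps. update_jailconf_vnet begins before this hunk.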
@@ -329,27 +368,45 @@ update_jailconf_vnet() { # Update /etc/rc.conf sed -i '' "s|ifconfig_e0b_${_if}_name|ifconfig_e0b_${_jail_if}_name|" "${_rc_conf}" - if grep "vnet0" "${_rc_conf}" | grep -q ${_jail_if}; then - if [ -n "${_jail_vnet_vlan}" ]; then - if [ "${IP}" = "0.0.0.0" ] || [ "${IP}" = "DHCP" ]; then - sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="SYNCDHCP" + # IP4 + if [ -n "${IP4_ADDR}" ]; then + if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then + if [ -n "${_jail_vnet_vlan}" ]; then + if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then + sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="SYNCDHCP" + else + sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="inet ${IP4_ADDR}" + fi else - sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="inet ${IP}" + if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then + sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP" + else + sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP4_ADDR}" + fi fi else - if [ "${IP}" = "0.0.0.0" ] || [ "${IP}" = "DHCP" ]; then - sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP" + if [ -n "${_jail_vnet_vlan}" ]; then + sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_${_jail_vnet_vlan}="SYNCDHCP" else - sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP}" + sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP" fi fi - else - if [ -n "${_jail_vnet_vlan}" ]; then - sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_${_jail_vnet_vlan}="SYNCDHCP" - else - sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP" - fi fi + # IP6 + if [ -n "${IP6_ADDR}" ]; then + if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then + if [ "${IP6_ADDR}" = "SLAAC" ]; then + sysrc -f "${_rc_conf}" ifconfig_vnet0_ipv6="inet6 -ifdisabled accept_rtadv" + else + sysrc -f "${_rc_conf}" ifconfig_vnet0_ipv6="inet6 -ifdisabled ${IP6_ADDR}" + fi + else + sysrc -f 
"${_rc_conf}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled accept_rtadv" + fi + fi + + # Replace epair description + sed -i '' "/${_jail_if}/ s|${_jail_vnet} host interface for Bastille jail ${TARGET}|${_jail_vnet} host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" break fi done 
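Review bot: The branch selector changed from `grep -q ${_jail_if}` to `grep -q "${_new_jail_epair}_name"` here and in the netgraph hunk at -375, but this section renames `ifconfig_e0b_${_jail_if}_name` and its description sed keys on `/${_jail_if}/`, so `_new_jail_epair` appears to belong to the earlier epair loop (its assignment is outside the hunk, so this is inferred); if it is empty here the pattern degrades to `_name` and the vnet0 test matches any renamed interface. The intended check is probably `grep -q "e0b_${_jail_if}_name"`. Separately, the non-vnet0 IP6 else writes `accept_rtadv` unconditionally, discarding a static IPv6 address, which is the opposite of the first section's behaviour (it writes nothing); the two should agree and write `inet6 -ifdisabled ${IP6_ADDR}` when IP6_ADDR is not `SLAAC`.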
@@ -375,25 +432,40 @@ update_jailconf_vnet() { # Update /etc/rc.conf sed -i '' "s|ifconfig_ng0_${_if}_name|ifconfig_ng0_${_jail_if}_name|" "${_rc_conf}" - if grep "vnet0" "${_rc_conf}" | grep -q ${_jail_if}; then - if [ -n "${_jail_vnet_vlan}" ]; then - if [ "${IP}" = "0.0.0.0" ] || [ "${IP}" = "DHCP" ]; then - sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="SYNCDHCP" + # IP4 + if [ -n "${IP4_ADDR}" ]; then + if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then + if [ -n "${_jail_vnet_vlan}" ]; then + if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then + sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="SYNCDHCP" + else + sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="inet ${IP4_ADDR}" + fi else - sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="inet ${IP}" + if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then + sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP" + else + sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP4_ADDR}" + fi fi else - if [ "${IP}" = "0.0.0.0" ] || [ "${IP}" = "DHCP" ]; then - sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP" + if [ -n "${_jail_vnet_vlan}" ]; then + sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_${_jail_vnet_vlan}="SYNCDHCP" else - sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP}" + sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP" fi fi - else - if [ -n "${_jail_vnet_vlan}" ]; then - sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_${_jail_vnet_vlan}="SYNCDHCP" + fi + # IP6 + if [ -n "${IP6_ADDR}" ]; then + if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then + if [ "${IP6_ADDR}" = "SLAAC" ]; then + sysrc -f "${_rc_conf}" ifconfig_vnet0_ipv6="inet6 -ifdisabled accept_rtadv" + else + sysrc -f "${_rc_conf}" ifconfig_vnet0_ipv6="inet6 -ifdisabled ${IP6_ADDR}" + fi else - sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP" + sysrc -f "${_rc_conf}" 
ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled accept_rtadv" fi fi break @@ -425,11 +497,36 @@ clone_jail() { fi if [ -n "${IP}" ]; then - validate_ip "${IP}" + validate_ips else usage fi + # Validate proper IP settings + if [ "$(bastille config ${TARGET} get vnet)" != "not set" ]; then + # VNET + if grep -Eoq "ifconfig_vnet0=" "${bastille_jailsdir}/${TARGET}/root/etc/rc.conf"; then + if [ -z "${IP4_ADDR}" ]; then + error_exit "[ERROR]: IPv4 not set. Retry with a proper IPv4 address." + fi + fi + if grep -Eoq "ifconfig_vnet0_ipv6=" "${bastille_jailsdir}/${TARGET}/root/etc/rc.conf"; then + if [ -z "${IP6_ADDR}" ]; then + error_exit "[ERROR]: IPv6 not set. Retry with a proper IPv6 address." + fi + fi + else + if [ "$(bastille config ${TARGET} get ip4.addr)" != "not set" ]; then + if [ -z "${IP4_ADDR}" ]; then + error_exit "[ERROR]: IPv4 not set. Retry with a proper IPv4 address." + fi + elif [ "$(bastille config ${TARGET} get ip6.addr)" != "not set" ]; then + if [ -z "${IP6_ADDR}" ]; then + error_exit "[ERROR]: IPv6 not set. Retry with a proper IPv6 address." + fi + fi + fi + if [ -n "${bastille_zfs_zpool}" ]; then # Replicate the existing container DATE=$(date +%F-%H%M%S) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 37ab5b48..c187c072 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -65,7 +65,8 @@ validate_name() { local NAME_VERIFY=${NAME} local NAME_SANITY="$(echo "${NAME_VERIFY}" | tr -c -d 'a-zA-Z0-9-_')" - + + # Make sure NAME has only allowed characters if [ -n "$(echo "${NAME_SANITY}" | awk "/^[-_].*$/" )" ]; then error_exit "[ERROR]: Jail names may not begin with (-|_) characters!" elif [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then 
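Review bot: In the new standard-jail check in clone_jail, the `elif` on `ip6.addr` means a target that has both ip4.addr and ip6.addr set only has IP4_ADDR verified; an IPv4-only `-ip` then passes and update_jailconf later substitutes the empty IP6_ADDR into the ip6.addr line. Make the ip6.addr test an independent `if` rather than an `elif`. The VNET branch tests `vnet != "not set"` while validate_ip tests `vnet = "enabled"`; if a third value can occur the two paths disagree on what counts as a VNET jail, so the same predicate should be used in both. `grep -Eoq` combines -o with -q, where -o has no effect; `grep -q` is enough.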
@@ -77,20 +78,26 @@ validate_name() { validate_ip() { - _ip="${1}" - _ip6=$(echo "${_ip}" | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$)|SLAAC)') + local _ip="${1}" + local _ip6="$(echo ${_ip} | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$)|SLAAC)')" if [ -n "${_ip6}" ]; then - info "\nValid: (${_ip6})." - - ipx_addr="ip6.addr" - + # This is only used in this function to set IPX_DEFINITION + local ipx_addr="ip6.addr" else - if [ "${_ip}" = "inherit" ] || [ "${_ip}" = "ip_hostname" ] || [ "${_ip}" = "DHCP" ] || [ "${_ip}" = "SYNCDHCP" ]; then - - info "\nValid: (${_ip})." - + if [ "${_ip}" = "inherit" ] || [ "${_ip}" = "ip_hostname" ]; then + if [ -n "${VNET_JAIL}" ]; then + error_exit "[ERROR]: Unsupported IP option for standard jail: (${_ip})." + else + info "\nValid: (${_ip})." + fi + elif [ "${_ip}" = "DHCP" ] || [ "${_ip}" = "SYNCDHCP" ] || [ "${_ip}" = "0.0.0.0" ]; then + if [ -z "${VNET_JAIL}" ]; then + error_exit "[ERROR]: Unsupported IP option for VNET jail: (${_ip})." + else + info "\nValid: (${_ip})." + fi else local IFS if echo "${_ip}" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then @@ -151,7 +158,17 @@ validate_ip() { IP6_DEFINITION="" IP6_MODE="disable" fi - elif echo "${_ip}" | grep -qvE '(SLAAC|DHCP|0[.]0[.]0[.]0)'; then + elif [ "${_ip}" = "DHCP" ] || [ "${_ip}" = "SLAAC" ] || [ "${_ip}" = "0.0.0.0" ]; then + if [ -n "${VNET_JAIL}" ]; then + if [ "${ipx_addr}" = "ip4.addr" ]; then + IP4_ADDR="${_ip}" + elif [ "${ipx_addr}" = "ip6.addr" ]; then + IP6_ADDR="${_ip}" + fi + else + error_exit "[ERROR]: Unsupported IP option for standard jail: (${_ip})." + fi + else if [ "${ipx_addr}" = "ip4.addr" ]; then IP4_ADDR="${_ip}" IP4_DEFINITION="${ipx_addr} = ${bastille_jail_conf_interface}|${_ip};" 
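Review bot: The two new error messages in create.sh's validate_ip are swapped: `inherit`/`ip_hostname` is rejected when `VNET_JAIL` is set yet the text says "Unsupported IP option for standard jail", and `DHCP`/`SYNCDHCP`/`0.0.0.0` is rejected when it is unset yet the text says "for VNET jail". The clone.sh version in this same commit has the wording the right way round; swap the two strings so the user is told which jail type rejected the option. `local _ip6="$(echo ${_ip} | grep -E …)"` also drops the quotes around `${_ip}` that the removed line had; `echo "${_ip}"` is safer. The `^(…|SLAAC)` alternative has no trailing `$`, so an input such as `SLAACx` survives as an IPv6 candidate and later fails the `= "SLAAC"` comparison; anchoring it as `SLAAC$` closes that gap (the same regex is used in clone.sh and network.sh).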
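Review bot: The new `elif` accepts `DHCP`, `SLAAC` and `0.0.0.0` but not `SYNCDHCP`, which the hunk above now validates for VNET jails, so a `SYNCDHCP` value falls through to the static else branch and becomes `ip4.addr = ${bastille_jail_conf_interface}|SYNCDHCP;` when ipx_addr is `ip4.addr`; add `|| [ "${_ip}" = "SYNCDHCP" ]` to the condition. More importantly, the branch now stores the keyword itself (`IP4_ADDR="${_ip}"` for `DHCP`, `IP6_ADDR` for `SLAAC`), while the create_jail hunks in this file comment that IP4_ADDR is empty when DHCP is used and IP6_ADDR empty for SLAAC and append `inet ${IP4_ADDR}` / `${IP6_ADDR}` unconditionally; unless something clears the variables in between (not visible here), a DHCP VNET jail is templated with `SYNCDHCP inet DHCP` and a SLAAC one with `… accept_rtadv SLAAC`. Either keep the keywords out of IP4_ADDR/IP6_ADDR in this branch or make create_jail skip the append for keyword values. The context line `IP6_MODE="disable"` sets a variable that the visible create_jail hunks no longer read.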
@@ -621,15 +638,16 @@ create_jail() { if [ -n "${VNET_JAIL}" ]; then if [ -n "${bastille_template_vnet}" ]; then + ## rename interface to generic vnet0 uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//; s/-/_/g') - _gateway='' _gateway6='' _ifconfig_inet='' _ifconfig_inet6='' - if echo "${IP}" | grep -qE '(0[.]0[.]0[.]0|DHCP)'; then + # Determine default gateway option + if echo "${IP}" | grep -qE '(0[.]0[.]0[.]0|DHCP|SYNCDHCP)'; then # Enable DHCP if requested _ifconfig_inet=SYNCDHCP else @@ -642,12 +660,14 @@ create_jail() { _gateway="$(netstat -4rn | awk '/default/ {print $2}')" fi fi + # Add IPv4 address (this is empty if DHCP is used) if [ -n "${IP4_ADDR}" ]; then - _ifconfig_inet="${_ifconfig_inet} inet ${IP4_ADDR}" + _ifconfig_inet="${_ifconfig_inet} inet ${IP4_ADDR}" fi + # Enable IPv6 if used - if [ "${IP6_MODE}" != "disable" ]; then + if [ -n "${IP6_ADDR}" ]; then _ifconfig_inet6='inet6 -ifdisabled' if echo "${IP}" | grep -qE 'SLAAC'; then # Enable SLAAC if requested @@ -661,13 +681,16 @@ create_jail() { fi fi fi + # Add IPv6 address (this is empty if SLAAC is used) if [ -n "${IP6_ADDR}" ]; then - _ifconfig_inet6="${_ifconfig_inet6} ${IP6_ADDR}" + _ifconfig_inet6="${_ifconfig_inet6} ${IP6_ADDR}" fi - # Join together IPv4 and IPv6 parts of ifconfig - _ifconfig="${_ifconfig_inet} ${_ifconfig_inet6}" - bastille template "${NAME}" ${bastille_template_vnet} --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg GATEWAY6="${_gateway6}" --arg IFCONFIG="${_ifconfig}" + + # We need to pass IP4 and IP6 separately + _ifconfig="${_ifconfig_inet}" + _ifconfig6="${_ifconfig_inet6}" + bastille template "${NAME}" ${bastille_template_vnet} --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg GATEWAY6="${_gateway6}" --arg IFCONFIG="${_ifconfig}" --arg IFCONFIG6="${_ifconfig6}" # Add VLAN ID if it was given if [ -n "${VLAN_ID}" ]; then 
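Review bot: Removing `_gateway='' _gateway6='' _ifconfig_inet='' _ifconfig_inet6=''` leaves the four variables uninitialised before the later hunks append to them (`_ifconfig_inet="${_ifconfig_inet} inet ${IP4_ADDR}"`, `_ifconfig_inet6="${_ifconfig_inet6} ${IP6_ADDR}"`), so any value already present in the shell, from an earlier call in the same process or from the caller's environment, is carried into the template arguments. Keep the reset line at the top of the VNET branch. The new grep `'(0[.]0[.]0[.]0|DHCP|SYNCDHCP)'` gains nothing from the third alternative since `DHCP` already matches inside `SYNCDHCP`; harmless, but worth a comment if the explicit list is meant as documentation. create_jail starts and ends outside these hunks.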
diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 04007f75..2132d9e3 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -177,15 +177,15 @@ fi validate_ip() { - IP6_ENABLE=0 local ip="${1}" local ip6="$( echo "${ip}" 2>/dev/null | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$)|SLAAC)' )" if [ -n "${ip6}" ]; then info "\nValid: (${ip6})." - IP6_ENABLE=1 - elif [ "${ip}" = "0.0.0.0" ] || [ "${ip}" = "DHCP" ]; then + IP6_ADDR="${ip6}" + elif [ "${ip}" = "0.0.0.0" ] || [ "${ip}" = "DHCP" ] || [ "${ip}" = "SYNCDHCP" ]; then info "\nValid: (${ip})." + IP4_ADDR="${ip}" else local IFS if echo "${ip}" 2>/dev/null | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then @@ -198,6 +198,7 @@ validate_ip() { fi done info "\nValid: (${ip})." + IP4_ADDR="${ip}" else error_exit "Invalid: (${ip})." fi @@ -303,12 +304,18 @@ EOF # Add config to /etc/rc.conf sysrc -f "${_jail_rc_config}" ifconfig_${jail_epair}_name="${_if_vnet}" - if [ -n "${_ip}" ]; then + if [ -n "${IP6_ADDR}" ]; then + if [ "${IP6_ADDR}" = "SLAAC" ]; then + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}_ipv6="inet6 -ifdisabled accept_rtadv" + else + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}_ipv6="inet6 -ifdisabled ${IP6_ADDR}" + fi + elif [ -n "${IP4_ADDR}" ]; then # If 0.0.0.0 set DHCP, else set static IP address - if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ]; then + if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ] || [ "${_ip}" = "SYNCDHCP" ]; then sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" else - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="inet ${_ip}" + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="inet ${IP4_ADDR}" fi fi 
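Review bot: network.sh's validate_ip no longer resets anything at entry — the removed `IP6_ENABLE=0` had that role — and IP4_ADDR/IP6_ADDR are only ever assigned, never cleared, so a value inherited from the environment or from a previous call leaves the later `if [ -n "${IP6_ADDR}" ] … elif [ -n "${IP4_ADDR}" ]` blocks deciding on stale data. Add `IP4_ADDR=""` and `IP6_ADDR=""` as the first lines of the function, as clone.sh's new validate_ips does. The SYNCDHCP addition on the `0.0.0.0`/`DHCP` line is otherwise consistent with the other files.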
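Review bot: In the rc.conf block starting at `if [ -n "${IP6_ADDR}" ]`, IPv4 and IPv6 are now mutually exclusive per interface (`elif`), and the IPv4 branch keys its DHCP decision on `${_ip}` while writing `${IP4_ADDR}`; the two are the same string only as long as the caller passes a single address, which is not visible here. Testing `"${IP4_ADDR}"` in the DHCP condition, as the clone.sh hunks do, removes the dependency on `_ip`. The same structure is repeated in the hunks at -350 and -412, so the change applies there too. The enclosing function starts outside this hunk.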
@@ -350,16 +357,22 @@ EOF fi # Add config to /etc/rc.conf sysrc -f "${_jail_rc_config}" ifconfig_e0b_${_jail_if}_name="${_if_vnet}" - if [ -n "${_ip}" ]; then + if [ -n "${IP6_ADDR}" ]; then + if [ "${IP6_ADDR}" = "SLAAC" ]; then + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}_ipv6="inet6 -ifdisabled accept_rtadv" + else + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}_ipv6="inet6 -ifdisabled ${IP6_ADDR}" + fi + elif [ -n "${IP4_ADDR}" ]; then # If 0.0.0.0 set DHCP, else set static IP address - if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ]; then + if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ] || [ "${_ip}" = "SYNCDHCP" ]; then sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" else - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="inet ${_ip}" + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="inet ${IP4_ADDR}" fi - fi - + fi echo "Added VNET interface: \"${_if}\"" + elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then for _num in $(seq 0 "${_bastille_if_num_range}"); do if ! echo "${_bastille_if_list}" | grep -oqswx "${_num}"; then @@ -392,16 +405,17 @@ EOF fi # Add config to /etc/rc.conf sysrc -f "${_jail_rc_config}" ifconfig_jng_${_jail_if}_name="${_if_vnet}" - if [ -n "${_ip}" ]; then + if [ -n "${_ip}" ]; then # If 0.0.0.0 set DHCP, else set static IP address if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ]; then sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" else sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="inet ${_ip}" fi - fi + fi echo "Added VNET interface: \"${_if}\"" fi + elif [ "${PASSTHROUGH}" -eq 1 ]; then # Remove ending brace (it is added again with the netblock) sed -i '' '/}/d' "${_jail_config}" 
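Review bot: The netgraph branch (`ifconfig_jng_${_jail_if}_name`) was not migrated: it still tests only `0.0.0.0`/`DHCP` on `${_ip}`, does not recognise `SYNCDHCP`, and has no `_ipv6` handling, so an IPv6 address or `SLAAC` accepted by validate_ip presumably ends up as `ifconfig_${_if_vnet}="inet <ipv6>"` for netgraph jails while epair jails get the new `ifconfig_${_if_vnet}_ipv6` line. Apply the same IP6_ADDR/IP4_ADDR block the epair branch above uses; the replacement for the `if [ -n "${_ip}" ]` block is shown below. The surrounding loop starts and ends outside the hunk.
```shell
sysrc -f "${_jail_rc_config}" ifconfig_jng_${_jail_if}_name="${_if_vnet}"
if [ -n "${IP6_ADDR}" ]; then
    if [ "${IP6_ADDR}" = "SLAAC" ]; then
        sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}_ipv6="inet6 -ifdisabled accept_rtadv"
    else
        sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}_ipv6="inet6 -ifdisabled ${IP6_ADDR}"
    fi
elif [ -n "${IP4_ADDR}" ]; then
    # If 0.0.0.0/DHCP/SYNCDHCP set DHCP, else set static IP address
    if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then
        sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP"
    else
        sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="inet ${IP4_ADDR}"
    fi
fi
# … unchanged: echo "Added VNET interface: …" …
```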
@@ -412,19 +426,24 @@ EOF } EOF # Add config to /etc/rc.conf - if [ -n "${_ip}" ]; then - # If 0.0.0.0 set DHCP, else set static IP address - if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ]; then - sysrc -f "${_jail_rc_config}" ifconfig_${_if}="SYNCDHCP" + if [ -n "${IP6_ADDR}" ]; then + if [ "${IP6_ADDR}" = "SLAAC" ]; then + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}_ipv6="inet6 -ifdisabled accept_rtadv" else - sysrc -f "${_jail_rc_config}" ifconfig_${_if}="inet ${_ip}" + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}_ipv6="inet6 -ifdisabled ${IP6_ADDR}" fi - fi - + elif [ -n "${IP4_ADDR}" ]; then + # If 0.0.0.0 set DHCP, else set static IP address + if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ] || [ "${_ip}" = "SYNCDHCP" ]; then + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" + else + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="inet ${IP4_ADDR}" + fi + fi echo "Added Passthrough interface: \"${_if}\"" elif [ "${CLASSIC}" -eq 1 ]; then - if [ "${IP6_ENABLE}" -eq 1 ]; then + if [ -n "${IP6_ADDR}" ]; then sed -i '' "s/interface = .*/&\n ip6.addr += ${_if}|${_ip};/" ${_jail_config} else sed -i '' "s/interface = .*/&\n ip4.addr += ${_if}|${_ip};/" ${_jail_config} diff --git a/usr/local/share/bastille/rename.sh b/usr/local/share/bastille/rename.sh index 5c462ad5..fcc1d414 100644 --- a/usr/local/share/bastille/rename.sh +++ b/usr/local/share/bastille/rename.sh @@ -168,7 +168,7 @@ update_jailconf_vnet() { sed -i '' "s|${_target_jail_epair} ether|${_new_jail_epair} ether|g" "${_jail_conf}" # Replace epair description - sed -i '' "s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" + sed -i '' "s|${_new_host_epair} host interface for Bastille jail ${TARGET}|${_new_host_epair} host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" # Replace epair name in /etc/rc.conf sed -i '' "/ifconfig/ s|${_target_jail_epair}|${_new_jail_epair}|g" "${_rc_conf}" 
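Review bot: The passthrough branch now writes `ifconfig_${_if_vnet}` and `ifconfig_${_if_vnet}_ipv6` where the removed lines wrote `ifconfig_${_if}`; in this branch the host interface is handed to the jail unrenamed (there is no `_name=` sysrc as in the epair branches), so unless `_if_vnet` is assigned on the passthrough path above the hunk it is empty or stale from an earlier branch and rc.conf receives `ifconfig_=…`. Keep `${_if}` here: `sysrc -f "${_jail_rc_config}" ifconfig_${_if}="inet ${IP4_ADDR}"` and `ifconfig_${_if}_ipv6="inet6 -ifdisabled …"`. The IPv4 DHCP test still reads `${_ip}` while the value written is `${IP4_ADDR}`, the same remark as for the epair hunks.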
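Review bot: The description rewrite in rename.sh now matches `${_new_host_epair} host interface for Bastille jail ${TARGET}` instead of the literal `vnet host interface …`, and clone.sh in the same commit derives the leading word from a different variable (`${_jail_vnet}`); at most one of the two can match what the create template writes, jail.conf files written before this commit keep the old wording, and sed exits 0 on a non-matching pattern, so a stale jail name in the description goes unnoticed. Consider matching on the jail-name suffix only, e.g. `s| host interface for Bastille jail ${TARGET}| host interface for Bastille jail ${NEWNAME}|g`, which is independent of the interface word. The enclosing update_jailconf_vnet starts outside the hunk.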
diff --git a/usr/local/share/bastille/templates/default/vnet/Bastillefile b/usr/local/share/bastille/templates/default/vnet/Bastillefile
index 95613485..e529380c 100644
--- a/usr/local/share/bastille/templates/default/vnet/Bastillefile
+++ b/usr/local/share/bastille/templates/default/vnet/Bastillefile
@@ -2,9 +2,14 @@ ARG EPAIR ARG GATEWAY ARG GATEWAY6 ARG IFCONFIG="SYNCDHCP" +ARG IFCONFIG6 SYSRC ifconfig_${EPAIR}_name=vnet0 SYSRC ifconfig_vnet0="${IFCONFIG}" + +# Apply IFCONFIG6 if set +CMD if [ -n "${IFCONFIG6}" ]; then /usr/sbin/sysrc ifconfig_vnet0_ipv6="${IFCONFIG6}"; fi + # GATEWAY will be empty for a DHCP config. -- cwells CMD if [ -n "${GATEWAY}" ]; then /usr/sbin/sysrc defaultrouter="${GATEWAY}"; fi CMD if [ -n "${GATEWAY6}" ]; then /usr/sbin/sysrc ipv6_defaultrouter="${GATEWAY6}"; fi
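Review bot: `SYSRC ifconfig_vnet0="${IFCONFIG}"` stays unconditional while create.sh now passes `--arg IFCONFIG="${_ifconfig}"` built only from IPv4 input; for an IPv6-only jail `_ifconfig_inet` is empty, and if an explicitly empty --arg overrides the `ARG IFCONFIG="SYNCDHCP"` default (template argument semantics are not visible here) rc.conf ends up with `ifconfig_vnet0=""`. Guard it like the new line: `CMD if [ -n "${IFCONFIG}" ]; then /usr/sbin/sysrc ifconfig_vnet0="${IFCONFIG}"; fi`. A one-line comment next to `ARG IFCONFIG6` stating that it is optional and is expected in `inet6 …` form would match the existing GATEWAY comment below.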