diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh
index b2e6c45a..7d057a65 100644
--- a/usr/local/share/bastille/clone.sh
+++ b/usr/local/share/bastille/clone.sh
@@ -110,88 +110,33 @@ clone_validate_jail_name() { fi } -validate_ip() { - - local ip="${1}" - local ip4="$(echo ${ip} | awk -F"/" '{print $1}')" - local ip6="$(echo ${ip} | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$)|SLAAC)')" - local subnet="$(echo ${ip} | awk -F"/" '{print $2}')" - - if [ -n "${ip6}" ]; then - if [ "${ip6}" = "SLAAC" ] && [ "$(bastille config ${TARGET} get vnet)" != "enabled" ]; then - error_exit "[ERROR]: Unsupported IP option for standard jail: (${ip6})." - fi - if [ "${VNET_JAIL}" -eq 1 ]; then - if [ -z "${subnet}" ]; then - subnet="64" - ip6="${ip6}/${subnet}" - elif echo "${subnet}" | grep -Eq '^[0-9]+$'; then - error_exit "[ERROR]: Invalid subnet: /${subnet}" - elif [ "${subnet}" -lt 1 ] || [ "${subnet}" -gt 128 ]; then - error_exit "[ERROR]: Invalid subnet: /${subnet}" - fi - fi - info "\nValid IP: ${ip6}" - IP6_ADDR="${ip6}" - elif [ "${ip}" = "inherit" ] || [ "${ip}" = "ip_hostname" ]; then - if [ "$(bastille config ${TARGET} get vnet)" = "enabled" ]; then - error_exit "[ERROR]: Unsupported IP option for VNET jail: ${ip}" - else - info "\nValid IP: ${ip}" - IP4_ADDR="${ip}" - IP6_ADDR="${ip}" - fi - elif [ "${ip}" = "0.0.0.0" ] || [ "${ip}" = "DHCP" ] || [ "${ip}" = "SYNCDHCP" ]; then - if [ "$(bastille config ${TARGET} get vnet)" = "enabled" ]; then - info "\nValid IP: ${ip}" - IP4_ADDR="${ip}" - else - error_exit "[ERROR]: Unsupported IP option for standard jail: ${ip}" - fi - else - if [ "${VNET_JAIL}" -eq 1 ]; then - if [ -z "${subnet}" ]; then - subnet="24" - ip4="${ip4}/${subnet}" - elif echo "${subnet}" | grep -Eq '^[0-9]+$'; then - error_exit "[ERROR]: Invalid subnet: /${subnet}" - elif [ "${subnet}" -lt 1 ] || [ "${subnet}" -gt 32 ]; then - error_exit "[ERROR]: Invalid subnet: /${subnet}" - fi - fi - local IFS - if echo "${ip4}" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then - TEST_IP=$(echo "${ip4}" | cut 
-d / -f1) - IFS=. - set ${TEST_IP} - for quad in 1 2 3 4; do - if eval [ \$$quad -gt 255 ]; then - error_exit "[ERROR]: Invalid IP: ${TEST_IP}" - fi - done - - if ifconfig | grep -qwF "${TEST_IP}"; then - warn "\n[WARNING]: IP address already in use: ${TEST_IP}" - IP4_ADDR="${ip4}" - else - info "\nValid IP: ${ip4}" - IP4_ADDR="${ip4}" - fi - - else - error_exit "[ERROR]: Invalid IP: ${ip4}" - fi - fi -} - -validate_ips() { +define_ips() { IP4_ADDR="" IP6_ADDR="" for ip in ${IP}; do - validate_ip "${ip}" + validate_ip "${ip}" "${VNET_JAIL}" done + + if [ -n "${IP4_ADDR}" ]; then + if [ "${IP4_ADDR}" = "inherit" ] || [ "${IP4_ADDR}" = "ip_hostname" ]; then + if [ "$(bastille config ${TARGET} get vnet)" = "enabled" ]; then + error_exit "[ERROR]: Unsupported IP option for VNET jail: ${IP4_ADDR}" + elif [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then + if [ "$(bastille config ${TARGET} get vnet)" != "enabled" ]; then + error_exit "[ERROR]: Unsupported IP option for standard jail: ${IP4_ADDR}" + fi + elif ifconfig | grep -qwF "${IP4_ADDR}"; then + warn "\n[WARNING]: IP address already in use: ${TEST_IP}" + fi + fi + + if [ -n "${IP6_ADDR}" ]; then + if [ "${IP6_ADDR}" = "SLAAC" ] && [ "$(bastille config ${TARGET} get vnet)" != "enabled" ]; then + error_exit "[ERROR]: Unsupported IP option for standard jail: ${IP6_ADDR}" + fi + fi } update_jailconf() { @@ -495,7 +440,7 @@ clone_jail() { fi if [ -n "${IP}" ]; then - validate_ips + define_ips else usage fi diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index f56968d4..e47f98a4 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh 
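Review bot: The new `define_ips` in clone.sh is unbalanced: the `if [ "$(bastille config ${TARGET} get vnet)" = "enabled" ]` that guards the VNET `error_exit` is never closed, so the two `elif` arms that follow attach to it instead of to the `inherit`/`ip_hostname` test and the outer `if [ -n "${IP4_ADDR}" ]` is still open at the closing brace, which makes the file fail to parse; add `fi` directly after `error_exit "[ERROR]: Unsupported IP option for VNET jail: ${IP4_ADDR}"`. The same shape is added to network.sh's `define_ips` in the `@@ -175,54 +178,31 @@` hunk. The in-use warning still prints `${TEST_IP}`, which nothing in the new code sets (common.sh's `validate_ip` now uses a local `test_ip`); it should read `warn "\n[WARNING]: IP address already in use: ${IP4_ADDR}"`. Note too that `IP4_ADDR` now carries the `/prefix` that `validate_ip` appends for VNET jails, and `grep -qwF` against raw ifconfig output will then never match, so the duplicate-address warning is presumably silent for VNET jails unless the prefix is stripped first, e.g. `grep -qwF "${IP4_ADDR%/*}"`.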
@@ -327,13 +327,72 @@ target_all_jails() { } update_fstab() { - local _oldname="${1}" - local _newname="${2}" - local _fstab="${bastille_jailsdir}/${_newname}/fstab" - if [ -f "${_fstab}" ]; then - sed -i '' "s|${bastille_jailsdir}/${_oldname}/root/|${bastille_jailsdir}/${_newname}/root/|" "${_fstab}" + + local oldname="${1}" + local newname="${2}" + local fstab="${bastille_jailsdir}/${newname}/fstab" + + if [ -f "${fstab}" ]; then + sed -i '' "s|${bastille_jailsdir}/${oldname}/root/|${bastille_jailsdir}/${newname}/root/|" "${fstab}" else - error_notify "Error: Failed to update fstab: ${_newmane}" + error_notify "Error: Failed to update fstab: ${newmane}" + fi +} + +validate_ip() { + + local ip="${1}" + local vnet_jail="${2}" + local ip4="$(echo ${ip} | awk -F"/" '{print $1}')" + local ip6="$(echo ${ip} | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$)|SLAAC)')" + local subnet="$(echo ${ip} | awk -F"/" '{print $2}')" + local IFS + + if [ -n "${ip6}" ]; then + if [ "${vnet_jail}" -eq 1 ]; then + if [ -z "${subnet}" ]; then + subnet="64" + ip6="${ip6}/${subnet}" + elif echo "${subnet}" | grep -Eq '^[0-9]+$'; then + error_exit "[ERROR]: Invalid subnet: /${subnet}" + elif [ "${subnet}" -lt 1 ] || [ "${subnet}" -gt 128 ]; then + error_exit "[ERROR]: Invalid subnet: /${subnet}" + fi + fi + info "\nValid IP: ${ip6}" + export IP6_ADDR="${ip6}" + elif [ "${ip}" = "inherit" ] || [ "${ip}" = "ip_hostname" ] || [ "${ip}" = "0.0.0.0" ] || [ "${ip}" = "DHCP" ] || [ "${ip}" = "SYNCDHCP" ]; then + info "\nValid IP: ${ip}" + IP4_ADDR="${ip}" + IP6_ADDR="${ip}" + elif [ -n "${ip4}" ]; then + if [ "${vnet_jail}" -eq 1 ]; then + if [ -z "${subnet}" ]; then + subnet="24" + ip4="${ip4}/${subnet}" + elif echo "${subnet}" | grep -Eq '^[0-9]+$'; then + error_exit "[ERROR]: Invalid subnet: /${subnet}" + elif [ "${subnet}" -lt 1 ] || [ "${subnet}" -gt 32 ]; then + error_exit "[ERROR]: Invalid subnet: /${subnet}" + fi + fi + if echo "${ip4}" | grep -Eq 
'^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then + test_ip=$(echo "${ip4}" | cut -d / -f1) + IFS=. + set ${test_ip} + for quad in 1 2 3 4; do + if eval [ \$$quad -gt 255 ]; then + error_exit "[ERROR]: Invalid IP: ${test_ip}" + fi + done + + info "\nValid IP: ${ip4}" + export IP4_ADDR="${ip4}" + else + error_exit "[ERROR]: Invalid IP: ${ip4}" + fi + else + error_exit "[ERROR]: IP incorrectly formatted: ${ip}" fi } diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index fb6dca49..76887ba1 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
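Review bot: `update_fstab`'s error path still expands a misspelled variable: the rename turned `${_newmane}` into `${newmane}`, which is set nowhere, so the message reports an empty name; it should be `error_notify "Error: Failed to update fstab: ${newname}"`. In the new `validate_ip` the subnet check as printed is inverted for both families: `elif echo "${subnet}" | grep -Eq '^[0-9]+$'; then error_exit ...` rejects exactly the all-digit prefixes and lets non-numeric ones fall through to `[ "${subnet}" -lt 1 ]`, which `[` cannot evaluate; unless a `!` was lost in rendering, it should be `elif ! echo "${subnet}" | grep -Eq '^[0-9]+$'; then`. The `set ${test_ip}` / `eval [ \$$quad -gt 255 ]` loop is dead code after the regex, which already bounds every octet to 0-255, and it also overwrites the function's positional parameters; dropping it removes an `eval` over user input and makes the function easier to audit. `IP4_ADDR`/`IP6_ADDR` are `export`ed in two branches but plainly assigned in the keyword branch; use one form so callers and child processes see a consistent environment.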
@@ -111,105 +111,61 @@ validate_release() { OS_RELEASE="$( ${bastille_releasesdir}/${RELEASE}/bin/freebsd-version )" } -validate_ip() { +define_ips() { - local ip="${1}" - local ip4="$(echo ${ip} | awk -F"/" '{print $1}')" - local ip6="$(echo ${ip} | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$)|SLAAC)')" - local subnet="$(echo ${ip} | awk -F"/" '{print $2}')" + IP6_MODE="disable" + IP4_DEFINITION="" + IP6_DEFINITION="" + IP4_ADDR="" + IP6_ADDR="" + IP_HOSTNAME="" - if [ -n "${ip6}" ]; then - if [ "${VNET_JAIL}" -eq 1 ]; then - if [ -z "${subnet}" ]; then - subnet="64" - ip6="${ip6}/${subnet}" - elif echo "${subnet}" | grep -Eq '^[0-9]+$'; then - error_exit "[ERROR]: Invalid subnet: /${subnet}" - elif [ "${subnet}" -lt 1 ] || [ "${subnet}" -gt 128 ]; then - error_exit "[ERROR]: Invalid subnet: /${subnet}" - fi - fi - info "\nValid IP: ${ip6}" - local ipx_addr="ip6.addr" - else - if [ "${ip4}" = "inherit" ] || [ "${ip4}" = "ip_hostname" ]; then + for ip in ${IP}; do + validate_ip "${ip}" + done + + if [ -n "${IP4_ADDR}" ]; then + if [ "${IP4_ADDR}" = "inherit" ] || [ "${IP4_ADDR}" = "ip_hostname" ]; then if [ "${VNET_JAIL}" -eq 1 ]; then - error_exit "[ERROR]: Unsupported IP option for VNET jail: ${ip4}" - else - info "\nValid IP: ${ip4}" + error_exit "[ERROR]: Unsupported IP option for VNET jail: ${IP4_ADDR}" fi - elif [ "${ip4}" = "DHCP" ] || [ "${ip4}" = "SYNCDHCP" ] || [ "${ip4}" = "0.0.0.0" ]; then + elif [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ] || [ "${IP4_ADDR}" = "0.0.0.0" ]; then if [ "${VNET_JAIL}" -eq 0 ]; then - error_exit "[ERROR]: Unsupported IP option for non-VNET jail: ${ip4}" - else - info "\nValid IP: ${ip4}" + error_exit "[ERROR]: Unsupported IP option for non-VNET jail: ${IP4_ADDR}" fi - else - if [ "${VNET_JAIL}" -eq 1 ]; then - if [ -z "${subnet}" ]; then - subnet="24" - ip4="${ip4}/${subnet}" - elif echo "${subnet}" | grep -Eq '^[0-9]+$'; then - error_exit "[ERROR]: Invalid subnet: /${subnet}" - elif [ 
"${subnet}" -lt 1 ] || [ "${subnet}" -gt 32 ]; then - error_exit "[ERROR]: Invalid subnet: /${subnet}" - fi - fi - local IFS - if echo "${ip4}" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then - TEST_IP=$(echo "${ip4}" | cut -d / -f1) - IFS=. - set ${TEST_IP} - for quad in 1 2 3 4; do - if eval [ \$$quad -gt 255 ]; then - error_exit "Invalid IP: ${TEST_IP}" - fi - done - ipx_addr="ip4.addr" - info "\nValid IP: ${ip4}" - else - error_exit "Invalid IP: ${ip4}" - fi + # Warn if IP is in use + elif ifconfig | grep -qwF "${IP4_ADDR}"; then + warn "[WARNING]: IP address in use: ${IP4_ADDR}" fi + local ipx_addr="ip4.addr" fi - # Warn if IP is in use - if ifconfig | grep -qwF "${TEST_IP}"; then - warn "[WARNING]: IP address in use: ${TEST_IP}" - fi - - # Set interface value - if [ ! -f "${bastille_jail_conf}" ]; then - if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then - local bastille_jail_conf_interface=${bastille_network_shared} - fi - if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then - local bastille_jail_conf_interface=${bastille_network_loopback} - fi - if [ -n "${INTERFACE}" ]; then - local bastille_jail_conf_interface=${INTERFACE} + if [ -n "${IP6_ADDR}" ]; then + if [ "${IP6_ADDR}" = "SLAAC" ] && [ "${VNET_JAIL}" -eq 0 ]; then + error_exit "[ERROR]: Unsupported IP option for standard jail: ${IP6_ADDR}" fi + local ipx_addr="ip6.addr" fi # Determine IP/Interface mode - if [ "${ip}" = "inherit" ]; then + if [ "${IP4_ADDR}" = "inherit" ]; then if [ "${DUAL_STACK}" -eq 1 ]; then - IP4_DEFINITION="ip4 = ${ip};" - IP6_DEFINITION="ip6 = ${ip};" + IP4_DEFINITION="ip4 = ${IP4_ADDR};" + IP6_DEFINITION="ip6 = ${IP6_ADDR};" IP6_MODE="new" else - IP4_DEFINITION="ip4 = ${ip};" + IP4_DEFINITION="ip4 = ${IP4_ADDR};" IP6_DEFINITION="" IP6_MODE="disable" fi - elif [ "${ip}" = "ip_hostname" ]; then + elif [ 
"${IP4_ADDR}" = "ip_hostname" ]; then if [ "${DUAL_STACK}" -eq 1 ]; then - IP_HOSTNAME="${ip}" + IP_HOSTNAME="${IP4_ADDR}" IP4_DEFINITION="${IP_HOSTNAME};" IP6_DEFINITION="${IP_HOSTNAME};" IP6_MODE="new" else - IP_HOSTNAME="${ip}" + IP_HOSTNAME="${IP4_ADDR}" IP4_DEFINITION="${IP_HOSTNAME};" IP6_DEFINITION="" IP6_MODE="disable" @@ -225,35 +181,28 @@ validate_ip() { error_exit "[ERROR]: Unsupported IP option for standard jail: ${ip}" fi else - if [ "${VNET_JAIL}" -eq 1 ]; then + if [ "${VNET_JAIL}" -eq 0 ]; then if [ "${ipx_addr}" = "ip4.addr" ]; then - IP4_ADDR="${ip4}" + IP4_DEFINITION="${ipx_addr} = ${bastille_jail_conf_interface}|${IP4_ADDR};" elif [ "${ipx_addr}" = "ip6.addr" ]; then - IP6_ADDR="${ip6}" - fi - else - if [ "${ipx_addr}" = "ip4.addr" ]; then - IP4_DEFINITION="${ipx_addr} = ${bastille_jail_conf_interface}|${ip};" - elif [ "${ipx_addr}" = "ip6.addr" ]; then - IP6_DEFINITION="${ipx_addr} = ${bastille_jail_conf_interface}|${ip};" + IP6_DEFINITION="${ipx_addr} = ${bastille_jail_conf_interface}|${IP6_ADDR};" IP6_MODE="new" fi fi fi -} -validate_ips() { - - IP6_MODE="disable" - IP4_DEFINITION="" - IP6_DEFINITION="" - IP4_ADDR="" - IP6_ADDR="" - IP_HOSTNAME="" - - for ip in ${IP}; do - validate_ip "${ip}" - done + # Set interface value + if [ ! -f "${bastille_jail_conf}" ]; then + if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then + local bastille_jail_conf_interface=${bastille_network_shared} + fi + if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then + local bastille_jail_conf_interface=${bastille_network_loopback} + fi + if [ -n "${INTERFACE}" ]; then + local bastille_jail_conf_interface=${INTERFACE} + fi + fi } validate_netif() { diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 5824fa2f..b602217f 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh 
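Review bot: create.sh's `define_ips` calls `validate_ip "${ip}"` with one argument, but the shared `validate_ip` in common.sh reads `vnet_jail="${2}"` and tests `[ "${vnet_jail}" -eq 1 ]`, so in create the test runs on an empty string (a non-integer error from `[`, treated as false) and a VNET jail never gets the default `/24` or `/64` prefix; call it as `validate_ip "${ip}" "${VNET_JAIL}"` as clone.sh and network.sh do. The second `local ipx_addr="ip6.addr"` overwrites the `"ip4.addr"` value set just above it when both an IPv4 and an IPv6 address were supplied, so the later `ip4.addr`/`ip6.addr` switch builds only the IPv6 definition and the IPv4 one is silently dropped for a standard jail; the old per-address loop did not have this problem. As in clone.sh, the in-use check now greps ifconfig for `${IP4_ADDR}` including any appended `/prefix`, which presumably never matches.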
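Review bot: `bastille_jail_conf_interface` is read in `IP4_DEFINITION="${ipx_addr} = ${bastille_jail_conf_interface}|${IP4_ADDR};"` (and the `ip6.addr` line) before the "Set interface value" block that the commit moves to the end of `define_ips` assigns it, and since those assignments are `local` they go out of scope when the function returns, so unless the variable is also set elsewhere the definition is written as `ip4.addr = |<addr>;`. Move the interface block back above the "Determine IP/Interface mode" section, where it sat before the move, and drop `local` there if any other function relies on the value; `define_ips` begins in the previous hunk. The `error_exit "[ERROR]: Unsupported IP option for standard jail: ${ip}"` context line at the top of this hunk still expands the loop variable `ip` rather than `${IP4_ADDR}` or `${IP6_ADDR}`, which now hold the value being rejected.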
@@ -140,6 +140,9 @@ fi # Default is standard interface if [ "${VNET}" -eq 0 ] && [ "${BRIDGE}" -eq 0 ] && [ "${PASSTHROUGH}" -eq 0 ]; then STANDARD=1 + VNET_JAIL=0 +else + VNET_JAIL=1 fi if [ "${ACTION}" = "add" ]; then 
@@ -175,54 +178,31 @@ else error_exit "Use [-a|--auto] to auto-stop the jail." fi -validate_ip() { +define_ips() { - local ip="${1}" - local ip4="$(echo ${ip} | awk -F"/" '{print $1}')" - local ip6="$( echo "${ip}" | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$)|SLAAC)' )" - local subnet="$(echo ${ip} | awk -F"/" '{print $2}')" + IP4_ADDR="" + IP6_ADDR="" - if [ -n "${ip6}" ]; then - if [ "${STANDARD}" -eq 0 ]; then - if [ -z "${subnet}" ]; then - subnet="64" - ip6="${ip6}/${subnet}" - elif echo "${subnet}" | grep -Eq '^[0-9]+$'; then - error_exit "[ERROR]: Invalid subnet: /${subnet}" - elif [ "${subnet}" -lt 1 ] || [ "${subnet}" -gt 128 ]; then - error_exit "[ERROR]: Invalid subnet: /${subnet}" + for ip in ${IP}; do + validate_ip "${ip}" "${VNET_JAIL}" + done + + if [ -n "${IP4_ADDR}" ]; then + if [ "${IP4_ADDR}" = "inherit" ] || [ "${IP4_ADDR}" = "ip_hostname" ]; then + if [ "$(bastille config ${TARGET} get vnet)" = "enabled" ]; then + error_exit "[ERROR]: Unsupported IP option for VNET jail: ${IP4_ADDR}" + elif [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then + if [ "$(bastille config ${TARGET} get vnet)" != "enabled" ]; then + error_exit "[ERROR]: Unsupported IP option for standard jail: ${IP4_ADDR}" fi + elif ifconfig | grep -qwF "${IP4_ADDR}"; then + warn "\n[WARNING]: IP address already in use: ${TEST_IP}" fi - info "\nValid IP: ${ip6}" - IP6_ADDR="${ip6}" - elif [ "${ip}" = "0.0.0.0" ] || [ "${ip}" = "DHCP" ] || [ "${ip}" = "SYNCDHCP" ]; then - info "\nValid IP: ${ip}" - IP4_ADDR="${ip}" - else - if [ "${STANDARD}" -eq 0 ]; then - if [ -z "${subnet}" ]; then - subnet="24" - ip4="${ip4}/${subnet}" - elif echo "${subnet}" | grep -Eq '^[0-9]+$'; then - error_exit "[ERROR]: Invalid subnet: /${subnet}" - elif [ "${subnet}" -lt 1 ] || [ "${subnet}" -gt 32 ]; then - error_exit "[ERROR]: Invalid subnet: /${subnet}" - fi - fi - local IFS - if echo "${ip4}" | grep -Eq 
'^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then - TEST_IP=$(echo "${ip4}" | cut -d / -f1) - IFS=. - set ${TEST_IP} - for quad in 1 2 3 4; do - if eval [ \$$quad -gt 255 ]; then - error_exit "[ERROR]: Invalid IP: ${TEST_IP}" - fi - done - info "\nValid IP: ${ip4}" - IP4_ADDR="${ip4}" - else - error_exit "[ERROR]: Invalid IP: ${ip4}" + fi + + if [ -n "${IP6_ADDR}" ]; then + if [ "${IP6_ADDR}" = "SLAAC" ] && [ "$(bastille config ${TARGET} get vnet)" != "enabled" ]; then + error_exit "[ERROR]: Unsupported IP option for standard jail: ${IP6_ADDR}" fi fi } @@ -667,7 +647,7 @@ case "${ACTION}" in ## validate IP if not empty if [ -n "${IP}" ]; then - validate_ip "${IP}" + define_ips "${IP}" fi if [ "${VNET}" -eq 1 ]; then
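Review bot: network.sh's `define_ips` takes the prefix default from `${VNET_JAIL}`, which the `@@ -140,6 +140,9 @@` hunk derives from the `-V`/`-B`/`-P` flags, but decides which keywords are allowed from `bastille config ${TARGET} get vnet`, so the two checks can disagree for the same jail, e.g. a VNET jail addressed without `-V` would get no `/24` appended yet still be allowed `DHCP`. Presumably one source should drive both; if the stored config is authoritative, derive `VNET_JAIL` from it once before the loop, otherwise pass the flag-derived value into the keyword checks as well. The caller in the `@@ -667,7 +647,7 @@` hunk passes `"${IP}"` to `define_ips`, which declares no parameter and reads the global `IP`; either drop the argument or read `${1}` inside the function so the call site is not misleading.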