From 8e5edbcd1f7aa1bc704b41e3dfa535ee4b48c001 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 3 Jan 2025 07:32:00 -0700 Subject: [PATCH] network: merge functions as opposed to separate Merge add/remove functions to avoid having unnecessarily long code blocks and functions.
---
 usr/local/share/bastille/network.sh | 276 +++++++++++----------------- 1 file changed, 105 insertions(+), 171 deletions(-)
diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh
index bf220dc2..2a252465 100644
--- a/usr/local/share/bastille/network.sh
+++ b/usr/local/share/bastille/network.sh
@@ -166,139 +166,129 @@ check_interface_added() { local _jailname="${1}" local _if="${2}" local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" - if grep -o "${_if}" "${_jail_config}"; then + if grep -qo "${_if}" "${_jail_config}"; then return 0 else return 1 fi } -add_vnet_interface_block() { +add_interface() { local _jailname="${1}" local _if="${2}" local _ip="${3}" local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" - local _if_count="$(grep -Eo 'bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" - local _if_vnet_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l | awk '{print $1}')" - local _if_vnet="vnet$((_if_vnet_count + 1))" - local num_range=$((_if_count + 1)) - for _num in $(seq 0 "${num_range}"); do - if ! grep -Eq "bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then - local uniq_epair="bastille${_num}" - break - fi - done - sed -i '' "s|}||" "${_jail_config}" - # Generate VNET block - if [ "${STATIC_MAC}" -eq 1 ]; then - # Generate NETBLOCK with static MAC - generate_static_mac "${_jailname}" "${_if}" - cat << EOF >> "${_jail_config}" - ## ${uniq_epair} interface - vnet.interface += e0b_${uniq_epair}; - exec.prestart += "jib addm ${uniq_epair} ${_if}"; - exec.prestart += "ifconfig e0a_${uniq_epair} ether ${macaddr}a"; - exec.prestart += "ifconfig e0b_${uniq_epair} ether ${macaddr}b"; - exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${_jailname}\""; - exec.poststop += "jib destroy ${uniq_epair}"; -} -EOF - else - # Generate NETBLOCK without static MAC - cat << EOF >> "${_jail_config}" - ## ${uniq_epair} interface - vnet.interface += e0b_${uniq_epair}; - exec.prestart += "jib addm ${uniq_epair} ${_if}"; - exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${_jailname}\""; - exec.poststop += "jib destroy 
${uniq_epair}"; -} -EOF - fi - - # Add config to /etc/rc.conf - sysrc -f "${_jail_rc_config}" ifconfig_e0b_${uniq_epair}_name="${_if_vnet}" - # If 0.0.0.0 set DHCP, else set static IP address - if [ "${_ip}" = "0.0.0.0" ]; then - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" - else - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}=" inet ${_ip} " - fi - - info "[${_jailname}]:" - echo "Added VNET interface: \"${_if}\"" -} - -add_bridge_interface_block() { - local _jailname="${1}" - local _if="${2}" - local _ip="${3}" - local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" - local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" - local _if_count="$(grep -Eo 'epair[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" - local _if_vnet_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l | awk '{print $1}')" - local _if_vnet=vnet$((_if_vnet_count + 1)) - local num_range=$((_if_count + 1)) - for _num in $(seq 0 "${num_range}"); do + local _epair_if_count="$(grep -Eo 'epair[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local _bastille_if_count="$(grep -Eo 'bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local _vnet_if_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l | awk '{print $1}')" + local _if_vnet="vnet$((_vnet_if_count + 1))" + local epair_num_range=$((_epair_if_count + 1)) + local bastille_num_range=$((_bastille_if_count + 1)) + if [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; then + for _num in $(seq 0 "${epair_num_range}"); do if ! 
grep -Eq "epair${_num}" "${bastille_jailsdir}"/*/jail.conf; then - local uniq_epair="${_num}" + local bridge_epair="epair${_num}" break fi done - sed -i '' "s|}||" "${_jail_config}" - # Generate bridged VNET block - if [ "${STATIC_MAC}" -eq 1 ]; then - # Generate NETBLOCK with static MAC - generate_static_mac "${_jailname}" "${_if}" - cat << EOF >> "${_jail_config}" - ## epair${uniq_epair} interface - vnet.interface += e${uniq_epair}b_${_jailname}; - exec.prestart += "ifconfig epair${uniq_epair} create"; - exec.prestart += "ifconfig ${_if} addm epair${uniq_epair}a"; - exec.prestart += "ifconfig epair${uniq_epair}a up name e${uniq_epair}a_${_jailname}"; - exec.prestart += "ifconfig epair${uniq_epair}b up name e${uniq_epair}b_${_jailname}"; - exec.prestart += "ifconfig e${uniq_epair}a_${_jailname} ether ${macaddr}a"; - exec.prestart += "ifconfig e${uniq_epair}b_${_jailname} ether ${macaddr}b"; - exec.poststop += "ifconfig ${_if} deletem e${uniq_epair}a_${_jailname}"; - exec.poststop += "ifconfig e${uniq_epair}a_${_jailname} destroy"; + # Remove ending brace (it is added again with the netblock) + sed -i '' '/}/d' "${_jail_config}" + if [ "${STATIC_MAC}" -eq 1 ]; then + # Generate NETBLOCK with static MAC + generate_static_mac "${_jailname}" "${_if}" + cat << EOF >> "${_jail_config}" + ## ${bridge_epair} interface + vnet.interface += ${bridge_epair}b; + exec.prestart += "ifconfig ${bridge_epair} create"; + exec.prestart += "ifconfig ${_if} addm ${bridge_epair}a"; + exec.prestart += "ifconfig ${bridge_epair}a ether ${macaddr}a"; + exec.prestart += "ifconfig ${bridge_epair}b ether ${macaddr}b"; + exec.prestart += "ifconfig ${bridge_epair}a description \"vnet host interface for Bastille jail ${jail_name}\""; + exec.poststop += "ifconfig ${_if} deletem ${bridge_epair}a"; + exec.poststop += "ifconfig ${bridge_epair}a destroy"; } EOF - else - # Generate NETBLOCK without static MAC - cat << EOF >> "${_jail_config}" - ## epair${uniq_epair} interface - vnet.interface += 
e${uniq_epair}b_${_jailname}; - exec.prestart += "ifconfig epair${uniq_epair} create"; - exec.prestart += "ifconfig ${_if} addm epair${uniq_epair}a"; - exec.prestart += "ifconfig epair${uniq_epair}a up name e${uniq_epair}a_${_jailname}"; - exec.prestart += "ifconfig epair${uniq_epair}b up name e${uniq_epair}b_${_jailname}"; - exec.poststop += "ifconfig ${_if} deletem e${uniq_epair}a_${_jailname}"; - exec.poststop += "ifconfig e${uniq_epair}a_${_jailname} destroy"; + else + # Generate NETBLOCK without static MAC + cat << EOF >> "${_jail_config}" + ## ${bridge_epair} interface + vnet.interface += ${bridge_epair}b; + exec.prestart += "ifconfig ${bridge_epair} create"; + exec.prestart += "ifconfig ${_if} addm ${bridge_epair}a"; + exec.prestart += "ifconfig ${bridge_epair}a description \"vnet host interface for Bastille jail ${jail_name}\""; + exec.poststop += "ifconfig ${_if} deletem ${bridge_epair}a"; + exec.poststop += "ifconfig ${bridge_epair}a destroy"; } EOF - fi + fi + # Add config to /etc/rc.conf + sysrc -f "${_jail_rc_config}" ifconfig_${bridge_epair}b_name="${_if_vnet}" + # If 0.0.0.0 set DHCP, else set static IP address + if [ "${_ip}" = "0.0.0.0" ]; then + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" + else + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}=" inet ${_ip} " + fi - # Add config to /etc/rc.conf - sysrc -f "${_jail_rc_config}" ifconfig_e${uniq_epair}b_${_jailname}_name="${_if_vnet}" - # If 0.0.0.0 set DHCP, else set static IP address - if [ "${_ip}" = "0.0.0.0" ]; then - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" - else - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}=" inet ${_ip} " - fi + info "[${_jailname}]:" + echo "Added interface: \"${_if}\"" - info "[${_jailname}]:" - echo "Added interface: \"${_if}\"" + elif [ "${VNET_JAIL}" -eq 1 ]; then + for _num in $(seq 0 "${bastille_num_range}"); do + if ! 
grep -Eq "bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then + local bastille_epair="bastille${_num}" + break + fi + done + # Remove ending brace (it is added again with the netblock) + sed -i '' '/}/d' "${_jail_config}" + if [ "${STATIC_MAC}" -eq 1 ]; then + # Generate NETBLOCK with static MAC + generate_static_mac "${_jailname}" "${_if}" + cat << EOF >> "${_jail_config}" + ## ${bastille_epair} interface + vnet.interface += e0b_${bastille_epair}; + exec.prestart += "jib addm ${bastille_epair} ${_if}"; + exec.prestart += "ifconfig e0a_${bastille_epair} ether ${macaddr}a"; + exec.prestart += "ifconfig e0b_${bastille_epair} ether ${macaddr}b"; + exec.prestart += "ifconfig e0a_${bastille_epair} description \"vnet host interface for Bastille jail ${_jailname}\""; + exec.poststop += "jib destroy ${bastille_epair}"; +} +EOF + else + # Generate NETBLOCK without static MAC + cat << EOF >> "${_jail_config}" + ## ${bastille_epair} interface + vnet.interface += e0b_${bastille_epair}; + exec.prestart += "jib addm ${bastille_epair} ${_if}"; + exec.prestart += "ifconfig e0a_${bastille_epair} description \"vnet host interface for Bastille jail ${_jailname}\""; + exec.poststop += "jib destroy ${bastille_epair}"; +} +EOF + fi + # Add config to /etc/rc.conf + sysrc -f "${_jail_rc_config}" ifconfig_e0b_${bastille_epair}_name="${_if_vnet}" + # If 0.0.0.0 set DHCP, else set static IP address + if [ "${_ip}" = "0.0.0.0" ]; then + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" + else + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}=" inet ${_ip} " + fi + + info "[${_jailname}]:" + echo "Added VNET interface: \"${_if}\"" + fi } -remove_vnet_interface_block() { +remove_interface() { local _jailname="${1}" local _if="${2}" local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" - local _if_jail="$(grep "${_if}" ${_jail_config} | grep -Eo 'bastille[0-9]+')" + local _if_jail="$(grep 
${_if} ${_jail_config} | grep -Eo -m 1 'epair[0-9]+|bastille[0-9]+')" if grep -o "${_if_jail}" ${_jail_rc_config}; then - local _if_vnet="$(grep "${_if_jail}" ${_jail_rc_config} | grep -Eo 'vnet[0-9]+')" + local _if_vnet="$(grep ${_if_jail} ${_jail_rc_config} | grep -Eo 'vnet[0-9]+')" else error_exit "Interface not found: ${_if_jail}" fi 
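Review bot: The rewritten `remove_interface` lines at the end of this hunk drop the quotes around `${_if}` and `${_if_jail}` in both grep calls; `_if` is the user-supplied interface name and is now word-split, globbed and, with a leading `-`, parsed as a grep option, and when the first grep finds no `epair`/`bastille` token `_if_jail` is empty, so `grep ${_if_jail} ${_jail_rc_config}` receives the rc.conf path as its pattern and blocks reading stdin before the `-z "${_if_jail}"` guard in the next hunk is reached. Restore the quoting and end option parsing: `local _if_jail="$(grep -- "${_if}" "${_jail_config}" | grep -Eo -m 1 'epair[0-9]+|bastille[0-9]+')"` and `local _if_vnet="$(grep -- "${_if_jail}" "${_jail_rc_config}" | grep -Eo 'vnet[0-9]+')"`, and move the empty check ahead of the rc.conf lookup. Separately, the two bridge heredocs write `${jail_name}` into the description string while the function's parameter is `_jailname` (the vnet heredocs use `${_jailname}`), so unless `jail_name` is set elsewhere the bridge description will be empty; make it `${_jailname}`. remove_interface's body continues outside the hunk.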
@@ -310,67 +300,19 @@ remove_vnet_interface_block() { # Avoid removing entire file contents if variables aren't set for some reason if [ -z "${_if_jail}" ]; then - error_exit "Error: Could not find specifed interfaces. Exiting..." + error_exit "Error: Could not find specifed interface." fi # Remove interface from jail.conf if [ -n "${_if_jail}" ]; then - sed -i '' "s|.*${_if_jail}.*||" "${_jail_config}" - sed -i '' '/^$/d' "${_jail_config}" + sed -i '' "/.*${_if_jail}.*/d" "${_jail_config}" else error_exit "Failed to remove interface from jail.conf" fi # Remove interface from /etc/rc.conf if [ -n "${_if_vnet}" ] && echo ${_if_vnet} 2>/dev/null | grep -Eo 'vnet[0-9]+'; then - sed -i '' "s|.*${_if_vnet}.*||" "${_jail_rc_config}" - sed -i '' '/^$/d' "${_jail_rc_config}" - else - error_exit "Failed to remove interface from /etc/rc.conf" - fi - - info "[${_jailname}]:" - echo "Removed interface: \"${_if}\"" -} - -remove_bridge_interface_block() { - local _jailname="${1}" - local _if="${2}" - local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" - local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" - local _if_epair="$(grep "${_if}" ${_jail_config} | grep -Eo 'epair[0-9]+')" - local _if_epaira_name="$(grep "${_if_epair}" ${_jail_config} | grep -Eo "e[0-9]+a_${_jailname}")" - local _if_epairb_name="$(grep "${_if_epair}" ${_jail_config} | grep -Eo "e[0-9]+b_${_jailname}")" - if grep -o "${_if_epairb_name}" ${_jail_rc_config}; then - local _if_vnet="$(grep "${_if_epairb_name}" ${_jail_rc_config} | grep -Eo 'vnet[0-9]+')" - else - error_exit "Interface not found: ${_if_epair_name}" - fi - - # Do not allow removing default vnet0 interface - if [ "${_if_vnet}" = "vnet0" ]; then - error_exit "Default interface cannot be removed." 
- fi - - # Avoid removing entire file contents if variables aren't set for some reason - if [ -z "${_if_epair}" ] || [ -z "${_if_epaira_name}" ] || [ -z "${_if_epairb_name}" ] || [ -z "${_if_vnet}" ]; then - error_exit "Error: Could not find specifed interfaces. Exiting..." - fi - - # Remove interface from jail.conf - if [ -n "${_if_epair}" ] && [ -n "${_if_epaira_name}" ] && [ -n "${_if_epairb_name}" ] && [ -n "${_if_vnet}" ]; then - sed -i '' "s|.*${_if_epair}.*||" "${_jail_config}" - sed -i '' "s|.*${_if_epaira_name}.*||" "${_jail_config}" - sed -i '' "s|.*${_if_epairb_name}.*||" "${_jail_config}" - sed -i '' '/^$/d' "${_jail_config}" - else - error_exit "Failed to remove interface from jail.conf" - fi - - # Remove interface from /etc/rc.conf - if [ -n "${_if_vnet}" ] && echo ${_if_vnet} 2>/dev/null | grep -Eo 'vnet[0-9]+'; then - sed -i '' "s|ifconfig.*${_if_vnet}.*||" "${_jail_rc_config}" - sed -i '' '/^$/d' "${_jail_rc_config}" + sed -i '' "/.*${_if_vnet}.*/d" "${_jail_rc_config}" else error_exit "Failed to remove interface from /etc/rc.conf" fi @@ -392,19 +334,19 @@ case "${ACTION}" in validate_ip "${IP}" fi if [ "${VNET_JAIL}" -eq 1 ]; then - if ifconfig | grep "${INTERFACE}" | grep -q bridge; then + if ifconfig | grep "${INTERFACE}" 2>/dev/null | grep -q bridge; then error_exit "\"${INTERFACE}\" is a bridge interface." else - add_vnet_interface_block "${TARGET}" "${INTERFACE}" "${IP}" + add_interface "${TARGET}" "${INTERFACE}" "${IP}" if [ "${START}" -eq 1 ]; then bastille start "${TARGET}" fi fi elif [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; then - if ! ifconfig | grep "${INTERFACE}" | grep -q bridge; then + if ! ifconfig | grep "${INTERFACE}" 2>/dev/null | grep -q bridge; then error_exit "\"${INTERFACE}\" is not a bridge interface." else - add_bridge_interface_block "${TARGET}" "${INTERFACE}" "${IP}" + add_interface "${TARGET}" "${INTERFACE}" "${IP}" if [ "${START}" -eq 1 ]; then bastille start "${TARGET}" fi 
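Review bot: The new `sed -i '' "/.*${_if_jail}.*/d"` and `"/.*${_if_vnet}.*/d"` delete every line that merely contains the token, so removing `bastille1` or `vnet1` also strips any `bastille10`/`vnet10` lines from jail.conf and rc.conf (the leading and trailing `.*` add nothing in an address). In the generated blocks the token is always followed by a non-digit (`b;`, `a `, `_name`, `=` or `"`), so `sed -i '' "/${_if_jail}[^0-9]/d" "${_jail_config}"` and `sed -i '' "/${_if_vnet}[^0-9]/d" "${_jail_rc_config}"` would limit the deletion to that interface, assuming no line ends exactly with the token. Interpolating `_if_jail` into the sed address unescaped is acceptable only because the `grep -Eo 'epair[0-9]+|bastille[0-9]+'` that produces it restricts the value to that alphabet; a comment stating that dependency, `# _if_jail/_if_vnet are [a-z]+[0-9]+ tokens from grep -Eo, safe to use in a sed address`, would keep a later change from loosening it. remove_interface starts before this hunk.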
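Review bot: On the two changed `ifconfig | grep "${INTERFACE}" 2>/dev/null | grep -q bridge` lines the redirect is attached to grep, which emits nothing on stderr here, while ifconfig, the command that can actually fail, is left unredirected; and the unanchored pattern matches any ifconfig line containing the name, so an `INTERFACE` value that is a substring of some bridge's name (a constructed example: `idge0` against `bridge0:`) passes the bridge test. Querying the interface itself, `ifconfig "${INTERFACE}" 2>/dev/null | grep -q bridge`, puts the redirect where it belongs and limits the match to that interface's own output, provided that output still carries the `bridge` group line — confirm on the target FreeBSD release.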
@@ -417,16 +359,9 @@ case "${ACTION}" in if ! grep -q "${INTERFACE}" ${bastille_jailsdir}/${TARGET}/jail.conf; then error_exit "Interface not found in jail.conf: \"${INTERFACE}\"" else - if grep "${INTERFACE}" ${bastille_jailsdir}/${TARGET}/jail.conf 2>/dev/null | grep -qE '[[:blank:]]bastille[0-9]+'; then - remove_vnet_interface_block "${TARGET}" "${INTERFACE}" - if [ "${START}" -eq 1 ]; then - bastille start "${TARGET}" - fi - elif grep "${INTERFACE}" ${bastille_jailsdir}/${TARGET}/jail.conf 2>/dev/null | grep -qE '[[:blank:]]epair[0-9]+'; then - remove_bridge_interface_block "${TARGET}" "${INTERFACE}" - if [ "${START}" -eq 1 ]; then - bastille start "${TARGET}" - fi + remove_interface "${TARGET}" "${INTERFACE}" + if [ "${START}" -eq 1 ]; then + bastille start "${TARGET}" fi fi ;; @@ -434,4 +369,3 @@ case "${ACTION}" in error_exit "Only [add|remove] are supported." ;; esac -
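Review bot: The `remove_interface "${TARGET}" "${INTERFACE}"` call now runs for any jail.conf line that contains `${INTERFACE}`; the dropped `[[:blank:]]bastille[0-9]+` / `[[:blank:]]epair[0-9]+` checks were the only confirmation that the match is a VNET or bridge block, so a jail.conf that mentions the name in some other setting now enters remove_interface and depends solely on its internal empty-token check. A guard such as `if grep -- "${INTERFACE}" "${bastille_jailsdir}/${TARGET}/jail.conf" | grep -qE '[[:blank:]](bastille|epair)[0-9]+'; then` around the call, with an `error_exit` in the else branch, keeps the earlier precondition. The `grep -q "${INTERFACE}" ${bastille_jailsdir}/${TARGET}/jail.conf` context line above still has the path unquoted.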