Mirrors/hackacad
2
0
Fork 0
mirror of https://github.com/hackacad/bastille.git synced 2026-03-28 19:54:58 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1132 from BastilleBSD/dynamic-epair

Browse Source 
common: Use dynamic epairs for all jail types
This commit is contained in:
Barry McCormick
2025-06-15 10:01:46 -07:00
committed by GitHub
parent 6afd6fd1f3 cde8a5549b
commit 8f3e3e951d
6 changed files with 668 additions and 519 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
README.md
View File

@@ -5,6 +5,44 @@ deployment and management of containerized applications on FreeBSD.
[Bastille Documentation](https://bastille.readthedocs.io/en/latest/)
1.0 Potentially Breaking Changes
================================
Up until version 1.0.20250714, Bastille has handled epairs for `-V` jails using the
jib script included in FreeBSD installs. However, for `-B` jails, Bastille statically
assigned an epair to each jail. This means you can only run one type (`-V` or `-B`) of VNET jails on
a given system.
Starting with version 1.0.20250714, we are now handling all epairs dynamically, allowing
the use of both types of VNET jails without issue. We have also selected a naming scheme
that will allow for consistency across these jail types. The naming scheme is as follows...
`e0a_jailname` and `e0b_jailname` are the default epair interfaces for every jail. The `a` side
is on the host, while the `b` is in the jail. This will allow better management
when trying to figure out which jail a given epair is linked to. Due to a limitation in how long
an interface name can be, Bastille will truncate "jailname" to avoid errors if it is too long. So, `mylongjailname`
will be `e0a_mylongjxxme` and `e0b_mylongjxxme`. The `xx` part is necessary due to another limitation
that does not allow dots (\.) in interface names when using the jib script.
If you decide to add an interface using the `network` sub-command, they will be named
`e1a_jailname` and `e1b_jailname` respectively. The number included will increment by 1
for each interface you add.
Mandatory
---------
We have tried our best to auto-convert each jails `jail.conf` and `rc.conf` to the new
syntax (this happens when the jail is stopped). It isn't a huge change (only a handful
of lines), but if you do have an issue please open a bug report.
After updating, you must restart all your jails (probably one at a time, in case of issues)
to have Bastille convert the `jail.conf` and `rc.conf` files. This simply involves renaming
the epairs to the new syntax.
If you have used the `network` sub-command to add any amount of interfaces, you will have to edit the `jail.conf`
and `rc.conf` files for each jail to update the names of the epair interfaces. This is because all epairs will have been renamed to
`e0...` in both files. For each additional one, simply increment the number by 1.
Bastille Compared to Other Jail Managers
========================================

398
usr/local/share/bastille/clone.sh
View File

@@ -180,7 +180,7 @@ update_jailconf() {
sed -i '' "s|exec.consolelog = .*;|exec.consolelog = ${bastille_logsdir}/${NEWNAME}_console.log;|" "${JAIL_CONFIG}"
sed -i '' "s|path = .*;|path = ${bastille_jailsdir}/${NEWNAME}/root;|" "${JAIL_CONFIG}"
sed -i '' "s|mount.fstab = .*;|mount.fstab = ${bastille_jailsdir}/${NEWNAME}/fstab;|" "${JAIL_CONFIG}"
sed -i '' "s|${TARGET} {|${NEWNAME} {|" "${JAIL_CONFIG}"
sed -i '' "s|^${TARGET}.*{$|${NEWNAME} {|" "${JAIL_CONFIG}"
fi
fi
@@ -235,242 +235,214 @@ update_jailconf_vnet() {
# Determine number of interfaces
if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
local _if_list="$(grep -Eo 'epair[0-9]+|e[0-9]+b_bastille[0-9]+' ${_jail_conf} | sort -u)"
local _if_list="$(grep -Eo 'e[0-9]+a_[^;" ]+' ${_jail_conf} | sort -u)"
elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
local _if_list="$(grep -Eo 'ng[0-9]+_bastille[0-9]+' ${_jail_conf} | sort -u)"
local _if_list="$(grep -Eo 'ng[0-9]+_[^;" ]+' ${_jail_conf} | sort -u)"
fi
for _if in ${_if_list}; do
# Get number of interfaces manged by Bastille
get_bastille_if_count
local _old_if_prefix="$(echo ${_if} | awk -F'_' '{print $1}')"
local _old_if_suffix="$(echo ${_if} | awk -F'_' '{print $2}')"
local _bastille_if_num_range=$((_bastille_if_count + 1))
# For if_bridge network type
if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
# Update bridged VNET config
if echo ${_if} | grep -Eoq 'epair[0-9]+'; then
for _num in $(seq 0 "${_bastille_if_num_range}"); do
if ! echo "${_bastille_if_list}" | grep -oqswx "${_num}"; then
local _epair_num="$(echo "${_old_if_prefix}" | grep -Eo "[0-9]+")"
local _old_host_epair="${_if}"
local _old_jail_epair="${_old_if_prefix%a}b_${_old_if_suffix}"
if [ "$(echo -n "e${_epair_num}a_${NEWNAME}" | awk '{print length}')" -lt 16 ]; then
# Generate new epair name
local _new_host_epair="e${_epair_num}a_${NEWNAME}"
local _new_jail_epair="e${_epair_num}b_${NEWNAME}"
else
name_prefix="$(echo ${NEWNAME} | cut -c1-7)"
name_suffix="$(echo ${NEWNAME} | rev | cut -c1-2 | rev)"
local _new_host_epair="e${_epair_num}a_${name_prefix}xx${name_suffix}"
local _new_jail_epair="e${_epair_num}b_${name_prefix}xx${name_suffix}"
fi
# Generate new epair name
if [ "$(echo -n "e${_num}a_${NEWNAME}" | awk '{print length}')" -lt 16 ]; then
local _new_host_epair="e${_num}a_${NEWNAME}"
local _new_jail_epair="e${_num}b_${NEWNAME}"
local _new_if_prefix="$(echo ${_new_host_epair} | awk -F'_' '{print $1}')"
local _new_if_suffix="$(echo ${_new_host_epair} | awk -F'_' '{print $2}')"
if grep "${_old_if_suffix}" "${_jail_conf}" | grep -oq "jib addm"; then
# For -V jails
# Replace host epair name in jail.conf
sed -i '' "s|jib addm ${_old_if_suffix}|jib addm ${_new_if_suffix}|g" "${_jail_conf}"
sed -i '' "s|${_old_host_epair} ether|${_new_host_epair} ether|g" "${_jail_conf}"
sed -i '' "s|${_old_host_epair} destroy|${_new_host_epair} destroy|g" "${_jail_conf}"
sed -i '' "s|${_old_host_epair} description|${_new_host_epair} description|g" "${_jail_conf}"
# Replace jail epair name in jail.conf
sed -i '' "s|= ${_old_jail_epair};|= ${_new_jail_epair};|g" "${_jail_conf}"
sed -i '' "s|${_old_jail_epair} ether|${_new_jail_epair} ether|g" "${_jail_conf}"
# If jail had a static MAC, generate one for clone
if grep ether ${_jail_conf} | grep -qoc ${_new_jail_epair}; then
local external_interface="$(grep ${_new_if_suffix} ${_jail_conf} | grep -o 'addm.*' | awk '{print $3}' | sed 's/["|;]//g')"
generate_static_mac "${NEWNAME}" "${external_interface}"
sed -i '' "s|${_new_jail_epair} ether.*:.*:.*:.*:.*:.*a\";|${_new_jail_epair} ether ${macaddr}a\";|" "${_jail_conf}"
sed -i '' "s|${_new_jail_epair} ether.*:.*:.*:.*:.*:.*b\";|${_new_jail_epair} ether ${macaddr}b\";|" "${_jail_conf}"
fi
# Replace epair description
sed -i '' "s|host interface for Bastille jail ${TARGET}|host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}"
# Replace epair name in /etc/rc.conf
sed -i '' "/ifconfig/ s|${_old_jail_epair}|${_new_jail_epair}|g" "${_rc_conf}"
else
# For -B jails
# Replace host epair name in jail.conf
sed -i '' "s|up name ${_old_host_epair}|up name ${_new_host_epair}|g" "${_jail_conf}"
sed -i '' "s|addm ${_old_host_epair}|addm ${_new_host_epair}|g" "${_jail_conf}"
sed -i '' "s|${_old_host_epair} ether|${_new_host_epair} ether|g" "${_jail_conf}"
sed -i '' "s|${_old_host_epair} destroy|${_new_host_epair} destroy|g" "${_jail_conf}"
sed -i '' "s|${_old_host_epair} description|${_new_host_epair} description|g" "${_jail_conf}"
# Replace jail epair name in jail.conf
sed -i '' "s|= ${_old_jail_epair};|= ${_new_jail_epair};|g" "${_jail_conf}"
sed -i '' "s|up name ${_old_jail_epair}|up name ${_new_jail_epair}|g" "${_jail_conf}"
sed -i '' "s|${_old_jail_epair} ether|${_new_jail_epair} ether|g" "${_jail_conf}"
# If jail had a static MAC, generate one for clone
if grep -q ether ${_jail_conf}; then
local external_interface="$(grep "e${_epair_num}a" ${_jail_conf} | grep -o '[^ ]* addm' | awk '{print $1}')"
generate_static_mac "${NEWNAME}" "${external_interface}"
sed -i '' "s|${_new_host_epair} ether.*:.*:.*:.*:.*:.*a\";|${_new_host_epair} ether ${macaddr}a\";|" "${_jail_conf}"
sed -i '' "s|${_new_jail_epair} ether.*:.*:.*:.*:.*:.*b\";|${_new_jail_epair} ether ${macaddr}b\";|" "${_jail_conf}"
fi
# Replace epair description
sed -i '' "s|host interface for Bastille jail ${TARGET}|host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}"
# Replace epair name in /etc/rc.conf
sed -i '' "/ifconfig/ s|${_old_jail_epair}|${_new_jail_epair}|g" "${_rc_conf}"
fi
# Update /etc/rc.conf
local _jail_vnet="$(grep ${_old_jail_epair} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")"
local _jail_vnet_vlan="$(grep "vlans_${_jail_vnet}" "${_rc_conf}" | sed 's/.*=//g')"
sed -i '' "s|${_old_jail_epair}_name|${_new_jail_epair}_name|" "${_rc_conf}"
# IP4
if [ -n "${IP4_ADDR}" ]; then
if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then
if [ -n "${_jail_vnet_vlan}" ]; then
if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then
sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="SYNCDHCP"
else
sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="inet ${IP4_ADDR}"
fi
else
local _new_host_epair="epair${_num}a"
local _new_jail_epair="epair${_num}b"
if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then
sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP"
else
sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP4_ADDR}"
fi
fi
# Get epair name from TARGET
if grep -Eoq "e[0-9]+a_${TARGET}" "${_jail_conf}"; then
_target_host_epair="$(grep -Eo -m 1 "e[0-9]+a_${TARGET}" "${_jail_conf}")"
_target_jail_epair="$(grep -Eo -m 1 "e[0-9]+b_${TARGET}" "${_jail_conf}")"
else
if [ -n "${_jail_vnet_vlan}" ]; then
sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_${_jail_vnet_vlan}="SYNCDHCP"
else
_target_host_epair="${_if}a"
_target_jail_epair="${_if}b"
sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP"
fi
# Replace host epair name in jail.conf
sed -i '' "s|up name ${_target_host_epair}|up name ${_new_host_epair}|g" "${_jail_conf}"
sed -i '' "s|${_target_host_epair} ether|${_new_host_epair} ether|g" "${_jail_conf}"
sed -i '' "s|deletem ${_target_host_epair}|deletem ${_new_host_epair}|g" "${_jail_conf}"
sed -i '' "s|${_target_host_epair} destroy|${_new_host_epair} destroy|g" "${_jail_conf}"
sed -i '' "s|${_target_host_epair} description|${_new_host_epair} description|g" "${_jail_conf}"
# Replace jail epair name in jail.conf
sed -i '' "s|= ${_target_jail_epair};|= ${_new_jail_epair};|g" "${_jail_conf}"
sed -i '' "s|up name ${_target_jail_epair}|up name ${_new_jail_epair}|g" "${_jail_conf}"
sed -i '' "s|${_target_jail_epair} ether|${_new_jail_epair} ether|g" "${_jail_conf}"
# Replace epair name in jail.conf
sed -i '' "s|${_if}|epair${_num}|g" "${_jail_conf}"
# If jail had a static MAC, generate one for clone
if grep -q ether ${_jail_conf}; then
local external_interface="$(grep "epair${_num}a" ${_jail_conf} | grep -o '[^ ]* addm' | awk '{print $1}')"
generate_static_mac "${NEWNAME}" "${external_interface}"
sed -i '' "s|${_new_host_epair} ether.*:.*:.*:.*:.*:.*a\";|${_new_host_epair} ether ${macaddr}a\";|" "${_jail_conf}"
sed -i '' "s|${_new_jail_epair} ether.*:.*:.*:.*:.*:.*b\";|${_new_jail_epair} ether ${macaddr}b\";|" "${_jail_conf}"
fi
# Update /etc/rc.conf
local _jail_vnet="$(grep ${_target_jail_epair} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")"
local _jail_vnet_vlan="$(grep "vlans_${_jail_vnet}" "${_rc_conf}" | sed 's/.*=//g')"
sed -i '' "s|${_target_jail_epair}_name|${_new_jail_epair}_name|" "${_rc_conf}"
# IP4
if [ -n "${IP4_ADDR}" ]; then
if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then
if [ -n "${_jail_vnet_vlan}" ]; then
if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then
sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="SYNCDHCP"
else
sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="inet ${IP4_ADDR}"
fi
else
if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then
sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP"
else
sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP4_ADDR}"
fi
fi
else
if [ -n "${_jail_vnet_vlan}" ]; then
sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_${_jail_vnet_vlan}="SYNCDHCP"
else
sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP"
fi
fi
fi
# IP6
if [ -n "${IP6_ADDR}" ]; then
if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then
if [ "${IP6_ADDR}" = "SLAAC" ]; then
sysrc -f "${_rc_conf}" ifconfig_vnet0_ipv6="inet6 -ifdisabled accept_rtadv"
else
sysrc -f "${_rc_conf}" ifconfig_vnet0_ipv6="inet6 -ifdisabled ${IP6_ADDR}"
fi
else
if [ "${IP6_ADDR}" = "SLAAC" ]; then
sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled accept_rtadv"
fi
fi
fi
# Replace epair description
sed -i '' "/${_new_host_epair}/ s|${_jail_vnet} host interface for Bastille jail ${TARGET}|${_jail_vnet} host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}"
break
fi
done
# Update VNET (non-bridged) config
elif echo ${_if} | grep -Eoq 'e[0-9]+b_bastille[0-9]+'; then
# Update VNET config
_if="$(echo ${_if} | grep -Eo 'bastille[0-9]+')"
for _num in $(seq 0 "${_bastille_if_num_range}"); do
if ! echo "${_bastille_if_list}" | grep -oqswx "${_num}"; then
# Update jail.conf epair name
local _jail_if="bastille${_num}"
local _jail_vnet="$(grep ${_if} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")"
local _jail_vnet_vlan="$(grep "vlans_${_jail_vnet}" "${_rc_conf}" | sed 's/.*=//g')"
sed -i '' "s|${_if}|${_jail_if}|g" "${_jail_conf}"
# If jail had a static MAC, generate one for clone
if grep ether ${_jail_conf} | grep -qoc ${_jail_if}; then
local external_interface="$(grep ${_jail_if} ${_jail_conf} | grep -o 'addm.*' | awk '{print $3}' | sed 's/["|;]//g')"
generate_static_mac "${NEWNAME}" "${external_interface}"
sed -i '' "s|${_jail_if} ether.*:.*:.*:.*:.*:.*a\";|${_jail_if} ether ${macaddr}a\";|" "${_jail_conf}"
sed -i '' "s|${_jail_if} ether.*:.*:.*:.*:.*:.*b\";|${_jail_if} ether ${macaddr}b\";|" "${_jail_conf}"
fi
# IP6
if [ -n "${IP6_ADDR}" ]; then
if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then
if [ "${IP6_ADDR}" = "SLAAC" ]; then
sysrc -f "${_rc_conf}" ifconfig_vnet0_ipv6="inet6 -ifdisabled accept_rtadv"
else
sysrc -f "${_rc_conf}" ifconfig_vnet0_ipv6="inet6 -ifdisabled ${IP6_ADDR}"
fi
sed -i '' "/${_jail_if}/ s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}"
# Update /etc/rc.conf
sed -i '' "s|ifconfig_e0b_${_if}_name|ifconfig_e0b_${_jail_if}_name|" "${_rc_conf}"
# IP4
if [ -n "${IP4_ADDR}" ]; then
if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then
if [ -n "${_jail_vnet_vlan}" ]; then
if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then
sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="SYNCDHCP"
else
sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="inet ${IP4_ADDR}"
fi
else
if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then
sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP"
else
sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP4_ADDR}"
fi
fi
else
if [ -n "${_jail_vnet_vlan}" ]; then
sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_${_jail_vnet_vlan}="SYNCDHCP"
else
sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP"
fi
fi
else
if [ "${IP6_ADDR}" = "SLAAC" ]; then
sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled accept_rtadv"
fi
# IP6
if [ -n "${IP6_ADDR}" ]; then
if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then
if [ "${IP6_ADDR}" = "SLAAC" ]; then
sysrc -f "${_rc_conf}" ifconfig_vnet0_ipv6="inet6 -ifdisabled accept_rtadv"
else
sysrc -f "${_rc_conf}" ifconfig_vnet0_ipv6="inet6 -ifdisabled ${IP6_ADDR}"
fi
else
sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled accept_rtadv"
fi
fi
# Replace epair description
sed -i '' "/${_jail_if}/ s|${_jail_vnet} host interface for Bastille jail ${TARGET}|${_jail_vnet} host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}"
break
fi
done
# Update netgraph VNET (non-bridged) config
elif echo ${_if} | grep -Eoq 'ng[0-9]+_bastille[0-9]+'; then
_if="$(echo ${_if} | grep -Eo 'bastille[0-9]+')"
for _num in $(seq 0 "${_bastille_if_num_range}"); do
if ! echo "${_bastille_if_list}" | grep -oqswx "${_num}"; then
fi
# Update jail.conf epair name
local _jail_if="bastille${_num}"
local _jail_vnet="$(grep ${_if} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")"
local _jail_vnet_vlan="$(grep "vlans_${_jail_vnet}" "${_rc_conf}" | sed 's/.*=//g')"
sed -i '' "s|${_if}|${_jail_if}|g" "${_jail_conf}"
# Replace epair description
sed -i '' "/${_new_host_epair}/ s|${_jail_vnet} host interface for Bastille jail ${TARGET}|${_jail_vnet} host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}"
# If jail had a static MAC, generate one for clone
if grep ether ${_jail_conf} | grep -qoc ${_jail_if}; then
local external_interface="$(grep ${_jail_if} ${_jail_conf} | grep -o 'jng bridge.*' | awk '{print $4}' | sed 's/["|;]//g')"
generate_static_mac "${NEWNAME}" "${external_interface}"
sed -i '' "s|${_jail_if} ether.*:.*:.*:.*:.*:.*a\";|${_jail_if} ether ${macaddr}a\";|" "${_jail_conf}"
fi
# Update netgraph VNET (non-bridged) config
elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
# Update /etc/rc.conf
sed -i '' "s|ifconfig_ng0_${_if}_name|ifconfig_ng0_${_jail_if}_name|" "${_rc_conf}"
# IP4
if [ -n "${IP4_ADDR}" ]; then
if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then
if [ -n "${_jail_vnet_vlan}" ]; then
if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then
sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="SYNCDHCP"
else
sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="inet ${IP4_ADDR}"
fi
else
if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then
sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP"
else
sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP4_ADDR}"
fi
fi
local _ngif_num="$(echo "${_old_if_prefix}" | grep -Eo "[0-9]+")"
local _old_ngif="${_if}"
if [ "$(echo -n "ng${_ngif_num}_${NEWNAME}" | awk '{print length}')" -lt 16 ]; then
# Generate new netgraph interface name
local _new_ngif="ng${_ngif_num}_${NEWNAME}"
else
name_prefix="$(echo ${NEWNAME} | cut -c1-7)"
name_suffix="$(echo ${NEWNAME} | rev | cut -c1-2 | rev)"
local _new_ngif="ng${_ngif_num}_${name_prefix}xx${name_suffix}"
fi
local _new_if_prefix="$(echo ${_if} | awk -F'_' '{print $1}')"
local _new_if_suffix="$(echo ${_if} | awk -F'_' '{print $2}')"
# Replace netgraph interface name
sed -i '' "s|jng bridge ${_old_if_suffix}|jng bridge ${_new_if_suffix}|g" "${_jail_conf}"
sed -i '' "s|${_old_ngif} ether|${_new_ngif} ether|g" "${_jail_conf}"
sed -i '' "s|jng shutdown ${_old_if_suffix}|jng shutdown ${_new_if_suffix}|g" "${_jail_conf}"
# Replace jail epair name in jail.conf
sed -i '' "s|= ${_old_ngif};|= ${_new_ngif};|g" "${_jail_conf}"
# Replace epair name in /etc/rc.conf
sed -i '' "/ifconfig/ s|${_old_ngif}|${_new_ngif}|g" "${_rc_conf}"
local _jail_vnet="$(grep ${_if} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")"
local _jail_vnet_vlan="$(grep "vlans_${_jail_vnet}" "${_rc_conf}" | sed 's/.*=//g')"
# If jail had a static MAC, generate one for clone
if grep ether ${_jail_conf} | grep -qoc ${_new_ngif}; then
local external_interface="$(grep ${_new_if_suffix} ${_jail_conf} | grep -o 'jng bridge.*' | awk '{print $4}' | sed 's/["|;]//g')"
generate_static_mac "${NEWNAME}" "${external_interface}"
sed -i '' "s|${_new_ngif} ether.*:.*:.*:.*:.*:.*a\";|${_new_ngif} ether ${macaddr}a\";|" "${_jail_conf}"
fi
# Update /etc/rc.conf
sed -i '' "s|ifconfig_${_old_ngif}_name|ifconfig_${_new_ngif}_name|" "${_rc_conf}"
# IP4
if [ -n "${IP4_ADDR}" ]; then
if grep "vnet0" "${_rc_conf}" | grep -q "${_new_ngif}_name"; then
if [ -n "${_jail_vnet_vlan}" ]; then
if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then
sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="SYNCDHCP"
else
if [ -n "${_jail_vnet_vlan}" ]; then
sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_${_jail_vnet_vlan}="SYNCDHCP"
else
sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP"
fi
sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="inet ${IP4_ADDR}"
fi
else
if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then
sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP"
else
sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP4_ADDR}"
fi
fi
# IP6
if [ -n "${IP6_ADDR}" ]; then
if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then
if [ "${IP6_ADDR}" = "SLAAC" ]; then
sysrc -f "${_rc_conf}" ifconfig_vnet0_ipv6="inet6 -ifdisabled accept_rtadv"
else
sysrc -f "${_rc_conf}" ifconfig_vnet0_ipv6="inet6 -ifdisabled ${IP6_ADDR}"
fi
else
sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled accept_rtadv"
fi
else
if [ -n "${_jail_vnet_vlan}" ]; then
sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_${_jail_vnet_vlan}="SYNCDHCP"
else
sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP"
fi
break
fi
done
fi
# IP6
if [ -n "${IP6_ADDR}" ]; then
if grep "vnet0" "${_rc_conf}" | grep -q "${_new_ngif}_name"; then
if [ "${IP6_ADDR}" = "SLAAC" ]; then
sysrc -f "${_rc_conf}" ifconfig_vnet0_ipv6="inet6 -ifdisabled accept_rtadv"
else
sysrc -f "${_rc_conf}" ifconfig_vnet0_ipv6="inet6 -ifdisabled ${IP6_ADDR}"
fi
else
sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled accept_rtadv"
fi
fi
fi
done
}

191
usr/local/share/bastille/common.sh
View File

@@ -138,26 +138,6 @@ check_target_is_stopped() {
fi
}
get_bastille_if_count() {
if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
for _config in /usr/local/etc/bastille/*.conf; do
local bastille_jailsdir="$(sysrc -f "${_config}" -n bastille_jailsdir)"
_bastille_if_list="$(printf '%s\n%s' "$( (grep -Ehos '(epair[0-9]+|bastille[0-9]+)' ${bastille_jailsdir}/*/jail.conf; ifconfig -g epair | grep -Eos "_bastille[0-9]+$"; ifconfig -g epair | grep -vs 'bastille' | grep -Eos 'e[0-9]+a_') | grep -Eos '[0-9]+')" "${_bastille_if_list}")"
done
_bastille_if_count=$(printf '%s' "${_bastille_if_list}" | sort -u | wc -l | awk '{print $1}')
export _bastille_if_list
export _bastille_if_count
elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
for _config in /usr/local/etc/bastille/*.conf; do
local bastille_jailsdir="$(sysrc -f "${_config}" -n bastille_jailsdir)"
_bastille_if_list="$(printf '%s\n%s' "$( (grep -Ehos 'ng[0-9]+_bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | grep -Eos 'bastille[0-9]+'; ngctl list -n | grep "eiface" | grep -Eos 'ng[0-9]+_bastille[0-9]+' | grep -Eos 'bastille[0-9]+') | grep -Eos '[0-9]+')" "${_bastille_if_list}")"
done
_bastille_if_count=$(printf '%s' "${_bastille_if_list}" | sort -u | wc -l | awk '{print $1}')
export _bastille_if_list
export _bastille_if_count
fi
}
get_jail_name() {
local _JID="${1}"
local _jailname="$(jls -j ${_JID} name 2>/dev/null)"
@@ -380,34 +360,48 @@ generate_static_mac() {
}
generate_vnet_jail_netblock() {
local jail_name="${1}"
local use_unique_bridge="${2}"
local external_interface="${3}"
local static_mac="${4}"
# Get number of epairs on the system
get_bastille_if_count
local _bastille_if_num_range=$((_bastille_if_count + 1))
if [ -n "${use_unique_bridge}" ]; then
for _num in $(seq 0 "${_bastille_if_num_range}"); do
if ! echo "${_bastille_if_list}" | grep -oqswx "${_num}"; then
if [ "$(echo -n "e${_num}a_${jail_name}" | awk '{print length}')" -lt 16 ]; then
local host_epair=e${_num}a_${jail_name}
local jail_epair=e${_num}b_${jail_name}
else
local host_epair=epair${_num}a
local jail_epair=epair${_num}b
fi
break
if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
if [ -n "${use_unique_bridge}" ]; then
if [ "$(echo -n "e0a_${jail_name}" | awk '{print length}')" -lt 16 ]; then
local host_epair=e0a_${jail_name}
local jail_epair=e0b_${jail_name}
else
name_prefix="$(echo ${jail_name} | cut -c1-7)"
name_suffix="$(echo ${jail_name} | rev | cut -c1-2 | rev)"
local host_epair="e0a_${name_prefix}xx${name_suffix}"
local jail_epair="e0b_${name_prefix}xx${name_suffix}"
fi
done
else
for _num in $(seq 0 "${_bastille_if_num_range}"); do
if ! echo "${_bastille_if_list}" | grep -oqswx "${_num}"; then
local _jail_if="bastille${_num}"
break
fi
done
else
if [ "$(echo -n "e0a_${jail_name}" | awk '{print length}')" -lt 16 ]; then
local host_epair=e0a_${jail_name}
local jail_epair=e0b_${jail_name}
local jib_epair=${jail_name}
else
name_prefix="$(echo ${jail_name} | cut -c1-7)"
name_suffix="$(echo ${jail_name} | rev | cut -c1-2 | rev)"
local host_epair="e0a_${name_prefix}xx${name_suffix}"
local jail_epair="e0b_${name_prefix}xx${name_suffix}"
local jib_epair="${name_prefix}xx${name_suffix}"
fi
fi
elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
if [ "$(echo -n "ng0_${jail_name}" | awk '{print length}')" -lt 16 ]; then
local ng_if=ng0_${jail_name}
local jng_if=${jail_name}
else
name_prefix="$(echo ${jail_name} | cut -c1-7)"
name_suffix="$(echo ${jail_name} | rev | cut -c1-2 | rev)"
local ng_if="ng0_${name_prefix}xx${name_suffix}"
local jng_if="${name_prefix}xx${name_suffix}"
fi
fi
## If BRIDGE is enabled, generate bridge config, else generate VNET config
if [ -n "${use_unique_bridge}" ]; then
if [ -n "${static_mac}" ]; then
@@ -416,14 +410,11 @@ generate_vnet_jail_netblock() {
cat <<-EOF
vnet;
vnet.interface = ${jail_epair};
exec.prestart += "ifconfig epair${_num} create";
exec.prestart += "ifconfig ${external_interface} addm epair${_num}a";
exec.prestart += "ifconfig epair${_num}a up name ${host_epair}";
exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}";
exec.prestart += "epair0=\\\$(ifconfig epair create) && ifconfig \\\${epair0} up name ${host_epair} && ifconfig \\\${epair0%a}b up name ${jail_epair}";
exec.prestart += "ifconfig ${external_interface} addm ${host_epair}";
exec.prestart += "ifconfig ${host_epair} ether ${macaddr}a";
exec.prestart += "ifconfig ${jail_epair} ether ${macaddr}b";
exec.prestart += "ifconfig ${host_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\"";
exec.poststop += "ifconfig ${external_interface} deletem ${host_epair}";
exec.poststop += "ifconfig ${host_epair} destroy";
EOF
else
@@ -431,12 +422,9 @@ EOF
cat <<-EOF
vnet;
vnet.interface = ${jail_epair};
exec.prestart += "ifconfig epair${_num} create";
exec.prestart += "ifconfig ${external_interface} addm epair${_num}a";
exec.prestart += "ifconfig epair${_num}a up name ${host_epair}";
exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}";
exec.prestart += "epair0=\\\$(ifconfig epair create) && ifconfig \\\${epair0} up name ${host_epair} && ifconfig \\\${epair0%a}b up name ${jail_epair}";
exec.prestart += "ifconfig ${external_interface} addm ${host_epair}";
exec.prestart += "ifconfig ${host_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\"";
exec.poststop += "ifconfig ${external_interface} deletem ${host_epair}";
exec.poststop += "ifconfig ${host_epair} destroy";
EOF
fi
@@ -447,21 +435,21 @@ EOF
generate_static_mac "${jail_name}" "${external_interface}"
cat <<-EOF
vnet;
vnet.interface = e0b_${_jail_if};
exec.prestart += "jib addm ${_jail_if} ${external_interface}";
exec.prestart += "ifconfig e0a_${_jail_if} ether ${macaddr}a";
exec.prestart += "ifconfig e0b_${_jail_if} ether ${macaddr}b";
exec.prestart += "ifconfig e0a_${_jail_if} description \"vnet0 host interface for Bastille jail ${jail_name}\"";
exec.poststop += "jib destroy ${_jail_if}";
vnet.interface = ${jail_epair};
exec.prestart += "jib addm ${jib_epair} ${external_interface}";
exec.prestart += "ifconfig ${host_epair} ether ${macaddr}a";
exec.prestart += "ifconfig ${jail_epair} ether ${macaddr}b";
exec.prestart += "ifconfig ${host_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\"";
exec.poststop += "ifconfig ${host_epair} destroy";
EOF
else
## Generate VNET config without static MAC address
cat <<-EOF
vnet;
vnet.interface = e0b_${_jail_if};
exec.prestart += "jib addm ${_jail_if} ${external_interface}";
exec.prestart += "ifconfig e0a_${_jail_if} description \"vnet0 host interface for Bastille jail ${jail_name}\"";
exec.poststop += "jib destroy ${_jail_if}";
vnet.interface = ${jail_epair};
exec.prestart += "jib addm ${jib_epair} ${external_interface}";
exec.prestart += "ifconfig ${host_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\"";
exec.poststop += "ifconfig ${host_epair} destroy";
EOF
fi
elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
@@ -470,18 +458,18 @@ EOF
generate_static_mac "${jail_name}" "${external_interface}"
cat <<-EOF
vnet;
vnet.interface = ng0_${_jail_if};
exec.prestart += "jng bridge ${_jail_if} ${external_interface}";
exec.prestart += "ifconfig ng0_${_jail_if} ether ${macaddr}a";
exec.poststop += "jng shutdown ${_jail_if}";
vnet.interface = ${ng_if};
exec.prestart += "jng bridge ${jng_if} ${external_interface}";
exec.prestart += "ifconfig ${ng_if} ether ${macaddr}b";
exec.poststop += "jng shutdown ${jng_if}";
EOF
else
## Generate VNET config without static MAC address
cat <<-EOF
vnet;
vnet.interface = ng0_${_jail_if};
exec.prestart += "jng bridge ${_jail_if} ${external_interface}";
exec.poststop += "jng shutdown ${_jail_if}";
vnet.interface = ${ng_if};
exec.prestart += "jng bridge ${jng_if} ${external_interface}";
exec.poststop += "jng shutdown ${jng_if}";
EOF
fi
fi
@@ -528,4 +516,69 @@ checkyesno() {
esac
}
update_jail_syntax_v1() {
local jail="${1}"
local jail_config="${bastille_jailsdir}/${jail}/jail.conf"
local jail_rc_config="${bastille_jailsdir}/${jail}/root/etc/rc.conf"
# Only apply if old syntax is found
if grep -Eoq "exec.prestart.*ifconfig epair[0-9]+ create.*" "${jail_config}"; then
if [ "$(echo -n "e0a_${jail}" | awk '{print length}')" -lt 16 ]; then
local new_host_epair=e0a_${jail}
local new_jail_epair=e0b_${jail}
else
name_prefix="$(echo ${jail} | cut -c1-7)"
name_suffix="$(echo ${jail} | rev | cut -c1-2 | rev)"
local new_host_epair="e0a_${name_prefix}xx${name_suffix}"
local new_jail_epair="e0b_${name_prefix}xx${name_suffix}"
fi
# Delete unneeded lines
sed -i '' "/.*exec.prestart.*ifconfig.*up name.*;/d" "${jail_config}"
sed -i '' "/.*exec.poststop.*ifconfig.*deletem.*;/d" "${jail_config}"
# Change jail.conf
sed -i '' "s|.*vnet.interface =.*| vnet.interface = ${new_jail_epair};|g" "${jail_config}"
sed -i '' "s|.*ifconfig epair.*create.*| exec.prestart += \"epair0=\\\\\$(ifconfig epair create) \&\& ifconfig \\\\\${epair0} up name ${new_host_epair} \&\& ifconfig \\\\\${epair0%a}b up name ${new_jail_epair}\";|g" "${jail_config}"
sed -i '' "s|addm.*|addm ${new_host_epair}\";|g" "${jail_config}"
sed -i '' "/ether.*:.*:.*:.*:.*:.*a/ s|ifconfig.*ether|ifconfig ${new_host_epair} ether|g" "${jail_config}"
sed -i '' "/ether.*:.*:.*:.*:.*:.*b/ s|ifconfig.*ether|ifconfig ${new_jail_epair} ether|g" "${jail_config}"
sed -i '' "s|ifconfig.*description|ifconfig ${new_host_epair} description|g" "${jail_config}"
sed -i '' "s|ifconfig.*destroy|ifconfig ${new_host_epair} destroy|g" "${jail_config}"
# Change rc.conf
sed -i '' "/ifconfig_.*_name.*vnet.*/ s|ifconfig_.*_name|ifconfig_${new_jail_epair}_name|g" "${jail_rc_config}"
elif grep -Eoq "exec.poststop.*jib destroy.*" "${jail_config}"; then
local external_interface="$(grep -Eo "jib addm.*" "${jail_config}" | awk '{print $4}')"
if [ "$(echo -n "e0a_${jail}" | awk '{print length}')" -lt 16 ]; then
local new_host_epair=e0a_${jail}
local new_jail_epair=e0b_${jail}
local jib_epair="${jail}"
else
name_prefix="$(echo ${jail} | cut -c1-7)"
name_suffix="$(echo ${jail} | rev | cut -c1-2 | rev)"
local new_host_epair="e0a_${name_prefix}xx${name_suffix}"
local new_jail_epair="e0b_${name_prefix}xx${name_suffix}"
local jib_epair="${name_prefix}xx${name_suffix}"
fi
# Change jail.conf
sed -i '' "s|.*vnet.interface =.*| vnet.interface = ${new_jail_epair};|g" "${jail_config}"
sed -i '' "s|jib addm.*|jib addm ${jib_epair} ${external_interface}|g" "${jail_config}"
sed -i '' "/ether.*:.*:.*:.*:.*:.*a/ s|ifconfig.*ether|ifconfig ${new_host_epair} ether|g" "${jail_config}"
sed -i '' "/ether.*:.*:.*:.*:.*:.*b/ s|ifconfig.*ether|ifconfig ${new_jail_epair} ether|g" "${jail_config}"
sed -i '' "s|ifconfig.*description|ifconfig ${new_host_epair} description|g" "${jail_config}"
sed -i '' "s|jib destroy.*|ifconfig ${new_host_epair} destroy\";|g" "${jail_config}"
# Change rc.conf
sed -i '' "/ifconfig_.*_name.*vnet.*/ s|ifconfig_.*_name|ifconfig_${new_jail_epair}_name|g" "${jail_rc_config}"
fi
}
set_bastille_mountpoints

446
usr/local/share/bastille/network.sh
View File

@@ -236,184 +236,196 @@ add_interface() {
local _ip="${3}"
local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf"
local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf"
# Get number of interfaces manged by Bastille
get_bastille_if_count
local _vnet_if_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l | awk '{print $1}')"
local _if_vnet="vnet$((_vnet_if_count + 1))"
local _bastille_if_num_range=$((_bastille_if_count + 1))
local _jail_vnet_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l)"
local _jail_vnet="vnet$((_jail_vnet_count + 1))"
# Determine number of interfaces
if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
local _if_list="$(grep -Eo 'e[0-9]+a_[^;" ]+' ${_jail_config} | sort -u)"
local _epair_count="$(echo "${_if_list}" | grep -Eo "[0-9]+" | wc -l)"
local _epair_num_range=$((_epair_count + 1))
elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
local _if_list="$(grep -Eo 'ng[0-9]+_[^;" ]+' ${_jail_config} | sort -u)"
local _ngif_count="$(echo "${_if_list}" | grep -Eo "[0-9]+" | wc -l)"
local _ngif_num_range=$((_ngif_count + 1))
fi
if [ "${BRIDGE}" -eq 1 ]; then
if [ "${_bastille_if_count}" -gt 0 ]; then
for _num in $(seq 0 "${_bastille_if_num_range}"); do
if ! echo "${_bastille_if_list}" | grep -oqswx "${_num}"; then
if [ "$(echo -n "e${_num}a_${jail_name}" | awk '{print length}')" -lt 16 ]; then
local host_epair=e${_num}a_${_jailname}
local jail_epair=e${_num}b_${_jailname}
for _epair_num in $(seq 0 ${_epair_num_range}); do
if ! grep -Eoqs "e${_epair_num}a_" "${_jail_config}"; then
if [ "$(echo -n "e${_epair_num}a_${_jailname}" | awk '{print length}')" -lt 16 ]; then
local host_epair=e${_epair_num}a_${_jailname}
local jail_epair=e${_epair_num}b_${_jailname}
else
name_prefix="$(echo ${_jailname} | cut -c1-7)"
name_suffix="$(echo ${_jailname} | rev | cut -c1-2 | rev)"
local host_epair="e${_epair_num}a_${name_prefix}xx${name_suffix}"
local jail_epair="e${_epair_num}b_${name_prefix}xx${name_suffix}"
fi
# Remove ending brace (it is added again with the netblock)
sed -i '' '/}/d' "${_jail_config}"
if [ "${STATIC_MAC}" -eq 1 ]; then
# Generate NETBLOCK with static MAC
generate_static_mac "${_jailname}" "${_if}"
cat << EOF >> "${_jail_config}"
## ${host_epair} interface
vnet.interface += ${jail_epair};
exec.prestart += "epair${_epair_num}=\\\$(ifconfig epair create) && ifconfig \\\${epair${_epair_num}} up name ${host_epair} && ifconfig \\\${epair${_epair_num}%a}b up name ${jail_epair}";
exec.prestart += "ifconfig ${_if} addm ${host_epair}";
exec.prestart += "ifconfig ${host_epair} ether ${macaddr}a";
exec.prestart += "ifconfig ${jail_epair} ether ${macaddr}b";
exec.prestart += "ifconfig ${host_epair} description \"${_jail_vnet} host interface for Bastille jail ${_jailname}\"";
exec.poststop += "ifconfig ${host_epair} destroy";
}
EOF
else
# Generate NETBLOCK without static MAC
cat << EOF >> "${_jail_config}"
## ${host_epair} interface
vnet.interface += ${jail_epair};
exec.prestart += "epair${_epair_num}=\\\$(ifconfig epair create) && ifconfig \\\${epair${_epair_num}} up name ${host_epair} && ifconfig \\\${epair${_epair_num}%a}b up name ${jail_epair}";
exec.prestart += "ifconfig ${_if} addm ${host_epair}";
exec.prestart += "ifconfig ${host_epair} description \"${_jail_vnet} host interface for Bastille jail ${_jailname}\"";
exec.poststop += "ifconfig ${host_epair} destroy";
}
EOF
fi
# Add config to /etc/rc.conf
sysrc -f "${_jail_rc_config}" ifconfig_${jail_epair}_name="${_jail_vnet}"
if [ -n "${IP6_ADDR}" ]; then
if [ "${IP6_ADDR}" = "SLAAC" ]; then
sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled accept_rtadv"
else
local host_epair=epair${_num}a
local jail_epair=epair${_num}b
sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled ${IP6_ADDR}"
fi
elif [ -n "${IP4_ADDR}" ]; then
# If 0.0.0.0 set DHCP, else set static IP address
if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ] || [ "${_ip}" = "SYNCDHCP" ]; then
sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="SYNCDHCP"
else
sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="inet ${IP4_ADDR}"
fi
fi
break
fi
done
echo "Added bridge interface: \"${_if}\""
elif [ "${VNET}" -eq 1 ]; then
if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
for _epair_num in $(seq 0 ${_epair_num_range}); do
if ! grep -Eoqs "e${_epair_num}a_" "${_jail_config}"; then
if [ "$(echo -n "e${_epair_num}a_${_jailname}" | awk '{print length}')" -lt 16 ]; then
local host_epair=e${_epair_num}a_${_jailname}
local jail_epair=e${_epair_num}b_${_jailname}
local jib_epair=${jail_name}
else
name_prefix="$(echo ${_jailname} | cut -c1-7)"
name_suffix="$(echo ${_jailname} | rev | cut -c1-2 | rev)"
local host_epair="e${_epair_num}a_${name_prefix}xx${name_suffix}"
local jail_epair="e${_epair_num}b_${name_prefix}xx${name_suffix}"
local jib_epair="${name_prefix}xx${name_suffix}"
fi
# Remove ending brace (it is added again with the netblock)
sed -i '' '/}/d' "${_jail_config}"
if [ "${STATIC_MAC}" -eq 1 ]; then
# Generate NETBLOCK with static MAC
generate_static_mac "${_jailname}" "${_if}"
cat << EOF >> "${_jail_config}"
## ${host_epair} interface
vnet.interface += ${jail_epair};
exec.prestart += "jib addm ${jib_epair} ${_if}";
exec.prestart += "ifconfig ${host_epair} ether ${macaddr}a";
exec.prestart += "ifconfig ${jail_epair} ether ${macaddr}b";
exec.prestart += "ifconfig ${host_epair} description \"${_jail_vnet} host interface for Bastille jail ${_jailname}\"";
exec.poststop += "ifconfig ${host_epair} destroy";
}
EOF
else
# Generate NETBLOCK without static MAC
cat << EOF >> "${_jail_config}"
## ${host_epair} interface
vnet.interface += ${jail_epair};
exec.prestart += "jib addm ${jib_epair} ${_if}";
exec.prestart += "ifconfig ${host_epair} description \"${_jail_vnet} host interface for Bastille jail ${_jailname}\"";
exec.poststop += "ifconfig ${host_epair} destroy";
}
EOF
fi
# Add config to /etc/rc.conf
sysrc -f "${_jail_rc_config}" ifconfig_${jail_epair}_name="${_jail_vnet}"
if [ -n "${IP6_ADDR}" ]; then
if [ "${IP6_ADDR}" = "SLAAC" ]; then
sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled accept_rtadv"
else
sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled ${IP6_ADDR}"
fi
elif [ -n "${IP4_ADDR}" ]; then
# If 0.0.0.0 set DHCP, else set static IP address
if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ] || [ "${_ip}" = "SYNCDHCP" ]; then
sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="SYNCDHCP"
else
sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="inet ${IP4_ADDR}"
fi
fi
break
fi
done
else
if [ "$(echo -n "e0a_${_jailname}" | awk '{print length}')" -lt 16 ]; then
local _num=0
local host_epair=e${_num}a_${_jailname}
local jail_epair=e${_num}b_${_jailname}
else
local _num=0
local host_epair=epair${_num}a
local jail_epair=epair${_num}b
fi
fi
# Remove ending brace (it is added again with the netblock)
sed -i '' '/}/d' "${_jail_config}"
if [ "${STATIC_MAC}" -eq 1 ]; then
# Generate NETBLOCK with static MAC
generate_static_mac "${_jailname}" "${_if}"
cat << EOF >> "${_jail_config}"
## ${host_epair} interface
vnet.interface += ${jail_epair};
exec.prestart += "ifconfig epair${_num} create";
exec.prestart += "ifconfig ${_if} addm epair${_num}a";
exec.prestart += "ifconfig epair${_num}a up name ${host_epair}";
exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}";
exec.prestart += "ifconfig ${host_epair} ether ${macaddr}a";
exec.prestart += "ifconfig ${jail_epair} ether ${macaddr}b";
exec.prestart += "ifconfig ${host_epair} description \"${_if_vnet} host interface for Bastille jail ${_jailname}\"";
exec.poststop += "ifconfig ${_if} deletem ${host_epair}";
exec.poststop += "ifconfig ${host_epair} destroy";
}
EOF
else
# Generate NETBLOCK without static MAC
cat << EOF >> "${_jail_config}"
## ${host_epair} interface
vnet.interface += ${jail_epair};
exec.prestart += "ifconfig epair${_num} create";
exec.prestart += "ifconfig ${_if} addm epair${_num}a";
exec.prestart += "ifconfig epair${_num}a up name ${host_epair}";
exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}";
exec.prestart += "ifconfig ${host_epair} description \"${_if_vnet} host interface for Bastille jail ${_jailname}\"";
exec.poststop += "ifconfig ${_if} deletem ${host_epair}";
exec.poststop += "ifconfig ${host_epair} destroy";
}
EOF
fi
# Add config to /etc/rc.conf
sysrc -f "${_jail_rc_config}" ifconfig_${jail_epair}_name="${_if_vnet}"
if [ -n "${IP6_ADDR}" ]; then
if [ "${IP6_ADDR}" = "SLAAC" ]; then
sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}_ipv6="inet6 -ifdisabled accept_rtadv"
else
sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}_ipv6="inet6 -ifdisabled ${IP6_ADDR}"
fi
elif [ -n "${IP4_ADDR}" ]; then
# If 0.0.0.0 set DHCP, else set static IP address
if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ] || [ "${_ip}" = "SYNCDHCP" ]; then
sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP"
else
sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="inet ${IP4_ADDR}"
fi
fi
echo "Added interface: \"${_if}\""
elif [ "${VNET}" -eq 1 ]; then
if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
for _num in $(seq 0 "${_bastille_if_num_range}"); do
if ! echo "${_bastille_if_list}" | grep -oqswx "${_num}"; then
local _jail_if="bastille${_num}"
break
fi
done
# Remove ending brace (it is added again with the netblock)
sed -i '' '/}/d' "${_jail_config}"
if [ "${STATIC_MAC}" -eq 1 ]; then
# Generate NETBLOCK with static MAC
generate_static_mac "${_jailname}" "${_if}"
cat << EOF >> "${_jail_config}"
## ${_jail_if} interface
vnet.interface += e0b_${_jail_if};
exec.prestart += "jib addm ${_jail_if} ${_if}";
exec.prestart += "ifconfig e0a_${_jail_if} ether ${macaddr}a";
exec.prestart += "ifconfig e0b_${_jail_if} ether ${macaddr}b";
exec.prestart += "ifconfig e0a_${_jail_if} description \"${_if_vnet} host interface for Bastille jail ${_jailname}\"";
exec.poststop += "jib destroy ${_jail_if}";
}
EOF
else
# Generate NETBLOCK without static MAC
cat << EOF >> "${_jail_config}"
## ${_jail_if} interface
vnet.interface += e0b_${_jail_if};
exec.prestart += "jib addm ${_jail_if} ${_if}";
exec.prestart += "ifconfig e0a_${_jail_if} description \"${_if_vnet} host interface for Bastille jail ${_jailname}\"";
exec.poststop += "jib destroy ${_jail_if}";
}
EOF
fi
# Add config to /etc/rc.conf
sysrc -f "${_jail_rc_config}" ifconfig_e0b_${_jail_if}_name="${_if_vnet}"
if [ -n "${IP6_ADDR}" ]; then
if [ "${IP6_ADDR}" = "SLAAC" ]; then
sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}_ipv6="inet6 -ifdisabled accept_rtadv"
else
sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}_ipv6="inet6 -ifdisabled ${IP6_ADDR}"
fi
elif [ -n "${IP4_ADDR}" ]; then
# If 0.0.0.0 set DHCP, else set static IP address
if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ] || [ "${_ip}" = "SYNCDHCP" ]; then
sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP"
else
sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="inet ${IP4_ADDR}"
fi
fi
echo "Added VNET interface: \"${_if}\""
elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
for _num in $(seq 0 "${_bastille_if_num_range}"); do
if ! echo "${_bastille_if_list}" | grep -oqswx "${_num}"; then
local _jail_if="bastille${_num}"
break
fi
done
# Remove ending brace (it is added again with the netblock)
sed -i '' '/}/d' "${_jail_config}"
if [ "${STATIC_MAC}" -eq 1 ]; then
# Generate NETBLOCK with static MAC
generate_static_mac "${_jailname}" "${_if}"
cat << EOF >> "${_jail_config}"
## ${_jail_if} interface
vnet.interface += ng0_${_jail_if};
exec.prestart += "jng bridge ${_jail_if} ${_if}";
exec.prestart += "ifconfig ng0_${_jail_if} ether ${macaddr}a";
exec.poststop += "jng shutdown ${_jail_if}";
for _ngif_num in $(seq 0 ${_ngif_num_range}); do
if ! grep -Eoqs "e${_ngif_num}a_" "${_jail_config}"; then
if [ "$(echo -n "ng${_ngif_num}_${_jailname}" | awk '{print length}')" -lt 16 ]; then
# Generate new netgraph interface name
local _ngif="ng${_ngif_num}_${_jailname}"
local jng_if="${_jailname}"
else
name_prefix="$(echo ${_jailname} | cut -c1-7)"
name_suffix="$(echo ${_jailname} | rev | cut -c1-2 | rev)"
local _ngif="ng${_ngif_num}_${name_prefix}xx${name_suffix}"
local jng_if="${name_prefix}xx${name_suffix}"
fi
# Remove ending brace (it is added again with the netblock)
sed -i '' '/}/d' "${_jail_config}"
if [ "${STATIC_MAC}" -eq 1 ]; then
# Generate NETBLOCK with static MAC
generate_static_mac "${_jailname}" "${_if}"
cat << EOF >> "${_jail_config}"
## ${_ngif} interface
vnet.interface += ${_ngif};
exec.prestart += "jng bridge ${jng_if} ${_if}";
exec.prestart += "ifconfig ${_ngif} ether ${macaddr}b";
exec.poststop += "jng shutdown ${jng_if}";
}
EOF
else
# Generate NETBLOCK without static MAC
cat << EOF >> "${_jail_config}"
## ${_jail_if} interface
vnet.interface += e0b_${_jail_if};
exec.prestart += "jng bridge ${_jail_if} ${_if}";
exec.poststop += "jng shutdown ${_jail_if}";
else
# Generate NETBLOCK without static MAC
cat << EOF >> "${_jail_config}"
## ${_ngif} interface
vnet.interface += ${_ngif};
exec.prestart += "jng bridge ${jng_if} ${_if}";
exec.poststop += "jng shutdown ${jng_if}";
}
EOF
fi
# Add config to /etc/rc.conf
sysrc -f "${_jail_rc_config}" ifconfig_jng_${_jail_if}_name="${_if_vnet}"
if [ -n "${_ip}" ]; then
# If 0.0.0.0 set DHCP, else set static IP address
if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ]; then
sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP"
else
sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="inet ${_ip}"
fi
fi
echo "Added VNET interface: \"${_if}\""
fi
# Add config to /etc/rc.conf
sysrc -f "${_jail_rc_config}" ifconfig_${_ngif}_name="${_jail_vnet}"
if [ -n "${_ip}" ]; then
# If 0.0.0.0 set DHCP, else set static IP address
if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ]; then
sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="SYNCDHCP"
else
sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="inet ${_ip}"
fi
fi
break
fi
done
echo "Added VNET interface: \"${_if}\""
fi
elif [ "${PASSTHROUGH}" -eq 1 ]; then
@@ -427,18 +439,18 @@ EOF
}
EOF
# Add config to /etc/rc.conf
if [ -n "${IP6_ADDR}" ]; then
if [ -n "${IP6_ADDR}" ]; then
if [ "${IP6_ADDR}" = "SLAAC" ]; then
sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}_ipv6="inet6 -ifdisabled accept_rtadv"
sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled accept_rtadv"
else
sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}_ipv6="inet6 -ifdisabled ${IP6_ADDR}"
sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled ${IP6_ADDR}"
fi
elif [ -n "${IP4_ADDR}" ]; then
# If 0.0.0.0 set DHCP, else set static IP address
if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ] || [ "${_ip}" = "SYNCDHCP" ]; then
sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP"
sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="SYNCDHCP"
else
sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="inet ${IP4_ADDR}"
sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="inet ${IP4_ADDR}"
fi
fi
echo "Added Passthrough interface: \"${_if}\""
@@ -450,8 +462,6 @@ EOF
sed -i '' "s/interface = .*/&\n ip4.addr += ${_if}|${_ip};/" ${_jail_config}
fi
fi
echo "Added interface: \"${_if}\""
}
remove_interface() {
@@ -459,36 +469,51 @@ remove_interface() {
local _jailname="${1}"
local _if="${2}"
local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf"
local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf"
# Skip next block in case of classic jail
# Skip next block in case of standard jail
if [ "$(bastille config ${TARGET} get vnet)" != "not set" ]; then
local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf"
if grep -q ${_if} ${_jail_config} | grep -Eoq -m 1 'bastille[0-9]+'; then
local _if_bastille_num="$(grep ${_if} ${_jail_config} | grep -Eo -m 1 "bastille[0-9]+" | grep -Eo "[0-9]+")"
if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
local _if_jail="e0b_bastille${_if_bastille_num}"
elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
local _if_jail="ng0_bastille${_if_bastille_num}"
fi
_if_type="bastille"
elif grep -q ${_if} ${_jail_config} | grep -Eoq -m 1 "epair[0-9]+"; then
local _if_epair_num="$(grep ${_if} ${_jail_config} | grep -Eo -m 1 "epair[0-9]+" | grep -Eo "[0-9]+")"
if grep -q epair${_if_epair_num}b ${_jail_config} | grep -Eoq -m 1 "e${_if_epair_num}b_${_jailname}"; then
local _if_jail="$(grep epair${_if_epair_num}b ${_jail_config} | grep -Eo -m 1 "e${_if_epair_num}b_${_jailname}")"
else
local _if_jail="epair${_if_epair_num}b"
fi
_if_type="epair"
elif grep -q "vnet.interface.*${_if};" ${_jail_config}; then
if grep -q "vnet.interface.*${_if};" ${_jail_config}; then
local _if_jail="${_if}"
_if_type="passthrough"
local _if_type="passthrough"
elif [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
local _jib_epair="$(grep "jib addm.*${_if}" ${_jail_config} | awk '{print $3}')"
local _if_type="if_bridge"
if [ -n "${_jib_epair}" ]; then
local _epaira="$(grep -m 1 -A 1 "${_if}" ${_jail_config} | grep -Eo "e[0-9]+a_${_jib_epair}")"
local _epairb="$(echo ${_epaira} | sed 's/a_/b_/')"
local _if_jail="${_epairb}"
else
local _epaira="$(grep -m 1 "${_if}" ${_jail_config} | grep -Eo 'e[0-9]+a_[^;" ]+')"
local _epairb="$(echo ${_epaira} | sed 's/a_/b_/')"
local _if_jail="${_epairb}"
fi
elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
local _jng_if="$(grep "jng bridge.*${_if}" ${_jail_config} | awk '{print $3}')"
local _if_jail="$(grep "ng[0-9]+_${_jng_if}" ${_jail_config})"
local _if_type="netgraph"
else
error_exit "[ERROR]: Could not find interface inside jail: \"${_if_jail}\""
fi
if [ "${_if_type}" = "bastille" ] || [ "${_if_type}" = "epair" ]; then
# Get vnetX value from rc.conf
if [ "${_if_type}" = "if_bridge" ]; then
if grep -oq "${_if_jail}" ${_jail_config}; then
local _if_vnet="$(grep ${_if_jail} ${_jail_rc_config} | grep -Eo 'vnet[0-9]+')"
local _if_vnet="$(grep "${_if_jail}" ${_jail_rc_config} | grep -Eo 'vnet[0-9]+')"
else
error_exit "[ERROR]: Interface not found: ${_if_jail}"
fi
elif [ "${_if_type}" = "netgraph" ]; then
if grep -oq "${_if_jail}" ${_jail_config}; then
local _if_vnet="${_if_jail}"
else
error_exit "[ERROR]: Interface not found: ${_if_jail}"
fi
@@ -511,8 +536,14 @@ remove_interface() {
fi
# Remove interface from /etc/rc.conf
if [ "${_if_type}" = "bastille" ] || [ "${_if_type}" = "epair" ]; then
if [ -n "${_if_vnet}" ] && echo ${_if_vnet} 2>/dev/null | grep -Eoq 'vnet[0-9]+'; then
if [ "${_if_type}" = "if_bridge" ]; then
if [ -n "${_if_vnet}" ] && echo ${_if_vnet} | grep -Eoq 'vnet[0-9]+'; then
sed -i '' "/.*${_if_vnet}.*/d" "${_jail_rc_config}"
else
error_exit "[ERROR]: Failed to remove interface from /etc/rc.conf"
fi
elif [ "${_if_type}" = "netgraph" ]; then
if [ -n "${_if_vnet}" ] && echo ${_if_vnet} | grep -Eoq 'vnet[0-9]+'; then
sed -i '' "/.*${_if_vnet}.*/d" "${_jail_rc_config}"
else
error_exit "[ERROR]: Failed to remove interface from /etc/rc.conf"
@@ -527,13 +558,13 @@ remove_interface() {
# Remove VNET interface from jail.conf (VNET)
if [ -n "${_if_jail}" ]; then
if [ "${_if_type}" = "epair" ]; then
sed -i '' "/.*epair${_if_epair_num}.*/d" "${_jail_config}"
sed -i '' "/.*e${_if_epair_num}a_${_jailname}.*/d" "${_jail_config}"
sed -i '' "/.*e${_if_epair_num}b_${_jailname}.*/d" "${_jail_config}"
elif [ "${_if_type}" = "bastille" ]; then
sed -i '' "/.*${_if_jail}.*/d" "${_jail_config}"
sed -i '' "/.*bastille${_if_bastille_num}.*/d" "${_jail_config}"
if [ "${_if_type}" = "if_bridge" ]; then
sed -i '' "/.*${_epaira}.*/d" "${_jail_config}"
sed -i '' "/.*${_epairb}.*/d" "${_jail_config}"
sed -i '' "/.*${_if}.*/d" "${_jail_config}"
elif [ "${_if_type}" = "netgraph" ]; then
sed -i '' "/.*${_if_jail}.*/d" "${_jail_config}"
sed -i '' "/.*${_if}.*/d" "${_jail_config}"
elif [ "${_if_type}" = "passthrough" ]; then
sed -i '' "/.*${_if_jail}.*/d" "${_jail_config}"
fi
@@ -566,11 +597,12 @@ add_vlan() {
local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf"
if [ "${VNET}" -eq 1 ]; then
local _jail_epair_num="$(grep ${_interface} ${_jail_config} | grep -Eo -m 1 "bastille[0-9]+" | grep -Eo "[0-9]+")"
local _jail_vnet="$(grep "e0b_bastille${_jail_epair_num}_name" ${_jail_rc_config} | grep -Eo "vnet[0-9]+")"
local _jib_epair="$(grep "jib addm.*${_if}" ${_jail_config} | awk '{print $3}')"
local _jail_epair="$(grep "e[0-9]+b_${_jib_epair}" ${_jail_config})"
local _jail_vnet="$(grep "${_jail_epair}_name" ${_jail_rc_config} | grep -Eo "vnet[0-9]+")"
elif [ "${BRIDGE}" -eq 1 ]; then
local _jail_epair_num="$(grep ${_interface} ${_jail_config} | grep -Eo -m 1 "epair[0-9]+" | grep -Eo "[0-9]+")"
local _jail_vnet="$(grep "e.*${_jail_epair_num}b.*_name" ${_jail_rc_config} | grep -Eo "vnet[0-9]+")"
local _jail_epair="$(grep 'e[0-9]+b_[^;" ]+' ${_jail_config})"
local _jail_vnet="$(grep "${_jail_epair}_name" ${_jail_rc_config} | grep -Eo "vnet[0-9]+")"
elif [ "${PASSTHROUGH}" -eq 1 ]; then
local _jail_vnet="${_interface}"
fi
@@ -668,4 +700,4 @@ case "${ACTION}" in
*)
error_exit "[ERROR]: Only [add|remove] are supported."
;;
esac
esac

110
usr/local/share/bastille/rename.sh
View File

@@ -112,7 +112,7 @@ update_jailconf() {
sed -i '' "s|exec.consolelog.*=.*;|exec.consolelog = ${bastille_logsdir}/${NEWNAME}_console.log;|" "${_jail_conf}"
sed -i '' "s|path.*=.*;|path = ${bastille_jailsdir}/${NEWNAME}/root;|" "${_jail_conf}"
sed -i '' "s|mount.fstab.*=.*;|mount.fstab = ${bastille_jailsdir}/${NEWNAME}/fstab;|" "${_jail_conf}"
sed -i '' "s|${TARGET}.*{|${NEWNAME} {|" "${_jail_conf}"
sed -i '' "s|^${TARGET}.*{$|${NEWNAME} {|" "${_jail_conf}"
fi
if grep -qo "vnet;" "${_jail_conf}"; then
update_jailconf_vnet
@@ -128,50 +128,102 @@ update_jailconf_vnet() {
# Change bastille interface name (only needed for bridged epairs)
# We still gather interface names for JIB and JNG managed interfaces (for future use)
if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
local _if_list="$(grep -Eo 'epair[0-9]+|e[0-9]+_bastille[0-9]+' ${_jail_conf} | sort -u)"
local _if_list="$(grep -Eo 'e[0-9]+a_[^;" ]+' ${_jail_conf} | sort -u)"
elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
local _if_list="$(grep -Eo 'ng[0-9]+_bastille[0-9]+' ${_jail_conf} | sort -u)"
local _if_list="$(grep -Eo 'ng[0-9]+_[^;" ]+' ${_jail_conf} | sort -u)"
fi
for _if in ${_if_list}; do
if echo ${_if} | grep -Eoq 'epair[0-9]+'; then
# Check if epair name = jail name
local _epair_num="$(grep -Eo -m 1 "epair[0-9]+" "${_jail_conf}" | grep -Eo "[0-9]+")"
if grep -E "epair[0-9]+a" "${_jail_conf}" | grep -Eo "e[0-9]+a_${TARGET}"; then
local _target_host_epair="$(grep -Eo -m 1 "e[0-9]+a_${TARGET}" "${_jail_conf}")"
local _target_jail_epair="$(grep -Eo -m 1 "e[0-9]+b_${TARGET}" "${_jail_conf}")"
else
local _target_host_epair="$(grep -Eo -m 1 "epair[0-9]+a" "${_jail_conf}")"
local _target_jail_epair="$(grep -Eo -m 1 "epair[0-9]+b" "${_jail_conf}")"
fi
local _old_if_prefix="$(echo ${_if} | awk -F'_' '{print $1}')"
local _old_if_suffix="$(echo ${_if} | awk -F'_' '{print $2}')"
# For if_bridge network type
if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
local _epair_num="$(echo "${_old_if_prefix}" | grep -Eo "[0-9]+")"
local _old_host_epair="${_if}"
local _old_jail_epair="${_old_if_prefix%a}b_${_old_if_suffix}"
if [ "$(echo -n "e${_epair_num}a_${NEWNAME}" | awk '{print length}')" -lt 16 ]; then
# Generate new epair name
local _new_host_epair="e${_epair_num}a_${NEWNAME}"
local _new_jail_epair="e${_epair_num}b_${NEWNAME}"
else
local _new_host_epair="epair${_epair_num}a"
local _new_jail_epair="epair${_epair_num}b"
name_prefix="$(echo ${NEWNAME} | cut -c1-7)"
name_suffix="$(echo ${NEWNAME} | rev | cut -c1-2 | rev)"
local _new_host_epair="e${_epair_num}a_${name_prefix}xx${name_suffix}"
local _new_jail_epair="e${_epair_num}b_${name_prefix}xx${name_suffix}"
fi
# Replace host epair name in jail.conf
sed -i '' "s|up name ${_target_host_epair}|up name ${_new_host_epair}|g" "${_jail_conf}"
sed -i '' "s|${_target_host_epair} ether|${_new_host_epair} ether|g" "${_jail_conf}"
sed -i '' "s|deletem ${_target_host_epair}|deletem ${_new_host_epair}|g" "${_jail_conf}"
sed -i '' "s|${_target_host_epair} destroy|${_new_host_epair} destroy|g" "${_jail_conf}"
sed -i '' "s|${_target_host_epair} description|${_new_host_epair} description|g" "${_jail_conf}"
local _new_if_prefix="$(echo ${_new_host_epair} | awk -F'_' '{print $1}')"
local _new_if_suffix="$(echo ${_new_host_epair} | awk -F'_' '{print $2}')"
if grep "${_old_if_suffix}" "${_jail_conf}" | grep -oq "jib addm"; then
# For -V jails
# Replace host epair name in jail.conf
sed -i '' "s|jib addm ${_old_if_suffix}|jib addm ${_new_if_suffix}|g" "${_jail_conf}"
sed -i '' "s|${_old_host_epair} ether|${_new_host_epair} ether|g" "${_jail_conf}"
sed -i '' "s|${_old_host_epair} destroy|${_new_host_epair} destroy|g" "${_jail_conf}"
sed -i '' "s|${_old_host_epair} description|${_new_host_epair} description|g" "${_jail_conf}"
# Replace jail epair name in jail.conf
sed -i '' "s|= ${_old_jail_epair};|= ${_new_jail_epair};|g" "${_jail_conf}"
sed -i '' "s|${_old_jail_epair} ether|${_new_jail_epair} ether|g" "${_jail_conf}"
# Replace epair description
sed -i '' "s|host interface for Bastille jail ${TARGET}|host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}"
# Replace epair name in /etc/rc.conf
sed -i '' "/ifconfig/ s|${_old_jail_epair}|${_new_jail_epair}|g" "${_rc_conf}"
else
# For -B jails
# Replace host epair name in jail.conf
sed -i '' "s|up name ${_old_host_epair}|up name ${_new_host_epair}|g" "${_jail_conf}"
sed -i '' "s|addm ${_old_host_epair}|addm ${_new_host_epair}|g" "${_jail_conf}"
sed -i '' "s|${_old_host_epair} ether|${_new_host_epair} ether|g" "${_jail_conf}"
sed -i '' "s|${_old_host_epair} destroy|${_new_host_epair} destroy|g" "${_jail_conf}"
sed -i '' "s|${_old_host_epair} description|${_new_host_epair} description|g" "${_jail_conf}"
# Replace jail epair name in jail.conf
sed -i '' "s|= ${_old_jail_epair};|= ${_new_jail_epair};|g" "${_jail_conf}"
sed -i '' "s|up name ${_old_jail_epair}|up name ${_new_jail_epair}|g" "${_jail_conf}"
sed -i '' "s|${_old_jail_epair} ether|${_new_jail_epair} ether|g" "${_jail_conf}"
# Replace epair description
sed -i '' "s|host interface for Bastille jail ${TARGET}|host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}"
# Replace epair name in /etc/rc.conf
sed -i '' "/ifconfig/ s|${_old_jail_epair}|${_new_jail_epair}|g" "${_rc_conf}"
fi
# For netgraph network type
elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
local _ngif_num="$(echo "${_old_if_prefix}" | grep -Eo "[0-9]+")"
local _old_ngif="${_if}"
if [ "$(echo -n "ng${_ngif_num}_${NEWNAME}" | awk '{print length}')" -lt 16 ]; then
# Generate new netgraph interface name
local _new_ngif="ng${_ngif_num}_${NEWNAME}"
else
name_prefix="$(echo ${NEWNAME} | cut -c1-7)"
name_suffix="$(echo ${NEWNAME} | rev | cut -c1-2 | rev)"
local _new_ngif="ng${_ngif_num}_${name_prefix}xx${name_suffix}"
fi
local _new_if_prefix="$(echo ${_if} | awk -F'_' '{print $1}')"
local _new_if_suffix="$(echo ${_if} | awk -F'_' '{print $2}')"
# Replace netgraph interface name
sed -i '' "s|jng bridge ${_old_if_suffix}|jng bridge ${_new_if_suffix}|g" "${_jail_conf}"
sed -i '' "s|${_old_ngif} ether|${_new_ngif} ether|g" "${_jail_conf}"
sed -i '' "s|jng shutdown ${_old_if_suffix}|jng shutdown ${_new_if_suffix}|g" "${_jail_conf}"
# Replace jail epair name in jail.conf
sed -i '' "s|= ${_target_jail_epair};|= ${_new_jail_epair};|g" "${_jail_conf}"
sed -i '' "s|up name ${_target_jail_epair}|up name ${_new_jail_epair}|g" "${_jail_conf}"
sed -i '' "s|${_target_jail_epair} ether|${_new_jail_epair} ether|g" "${_jail_conf}"
# Replace epair description
sed -i '' "s|${_new_host_epair} host interface for Bastille jail ${TARGET}|${_new_host_epair} host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}"
sed -i '' "s|= ${_old_ngif};|= ${_new_ngif};|g" "${_jail_conf}"
# Replace epair name in /etc/rc.conf
sed -i '' "/ifconfig/ s|${_target_jail_epair}|${_new_jail_epair}|g" "${_rc_conf}"
sed -i '' "/ifconfig/ s|${_old_ngif}|${_new_ngif}|g" "${_rc_conf}"
fi
done
}
@@ -242,4 +294,4 @@ info "\nAttempting to rename '${TARGET}' to ${NEWNAME}..."
change_name
info "\nRenamed '${TARGET}' to '${NEWNAME}' successfully.\n"
info "\nRenamed '${TARGET}' to '${NEWNAME}' successfully.\n"

4
usr/local/share/bastille/stop.sh
View File

@@ -159,9 +159,11 @@ for _jail in ${JAILS}; do
done
fi
update_jail_syntax_v1 "${_jail}"
) &
bastille_running_jobs "${bastille_process_limit}"
done
wait
wait