From 41969f12dc002fbed0cb1d2b8ce29093887a8ac4 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Wed, 11 Jun 2025 18:59:32 -0600
Subject: [PATCH 01/32] common: Use dynamic epairs for all jail types
---
usr/local/share/bastille/common.sh | 124 +++++++++++++----------------
1 file changed, 57 insertions(+), 67 deletions(-)
diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh
index 0d744eff..42ef360b 100644
--- a/usr/local/share/bastille/common.sh
+++ b/usr/local/share/bastille/common.sh
@@ -138,26 +138,6 @@ check_target_is_stopped() { fi } -get_bastille_if_count() { - if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then - for _config in /usr/local/etc/bastille/*.conf; do - local bastille_jailsdir="$(sysrc -f "${_config}" -n bastille_jailsdir)" - _bastille_if_list="$(printf '%s\n%s' "$( (grep -Ehos '(epair[0-9]+|bastille[0-9]+)' ${bastille_jailsdir}/*/jail.conf; ifconfig -g epair | grep -Eos "_bastille[0-9]+$"; ifconfig -g epair | grep -vs 'bastille' | grep -Eos 'e[0-9]+a_') | grep -Eos '[0-9]+')" "${_bastille_if_list}")" - done - _bastille_if_count=$(printf '%s' "${_bastille_if_list}" | sort -u | wc -l | awk '{print $1}') - export _bastille_if_list - export _bastille_if_count - elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then - for _config in /usr/local/etc/bastille/*.conf; do - local bastille_jailsdir="$(sysrc -f "${_config}" -n bastille_jailsdir)" - _bastille_if_list="$(printf '%s\n%s' "$( (grep -Ehos 'ng[0-9]+_bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | grep -Eos 'bastille[0-9]+'; ngctl list -n | grep "eiface" | grep -Eos 'ng[0-9]+_bastille[0-9]+' | grep -Eos 'bastille[0-9]+') | grep -Eos '[0-9]+')" "${_bastille_if_list}")" - done - _bastille_if_count=$(printf '%s' "${_bastille_if_list}" | sort -u | wc -l | awk '{print $1}') - export _bastille_if_list - export _bastille_if_count - fi -} - get_jail_name() { local _JID="${1}" local _jailname="$(jls -j ${_JID} name 2>/dev/null)" 
@@ -380,34 +360,48 @@ generate_static_mac() { } generate_vnet_jail_netblock() { + local jail_name="${1}" local use_unique_bridge="${2}" local external_interface="${3}" local static_mac="${4}" - # Get number of epairs on the system - get_bastille_if_count - local _bastille_if_num_range=$((_bastille_if_count + 1)) - if [ -n "${use_unique_bridge}" ]; then - for _num in $(seq 0 "${_bastille_if_num_range}"); do - if ! echo "${_bastille_if_list}" | grep -oqswx "${_num}"; then - if [ "$(echo -n "e${_num}a_${jail_name}" | awk '{print length}')" -lt 16 ]; then - local host_epair=e${_num}a_${jail_name} - local jail_epair=e${_num}b_${jail_name} - else - local host_epair=epair${_num}a - local jail_epair=epair${_num}b - fi - break + + if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then + if [ -n "${use_unique_bridge}" ]; then + if [ "$(echo -n "e0a_${jail_name}" | awk '{print length}')" -lt 16 ]; then + local host_epair=e0a_${jail_name} + local jail_epair=e0b_${jail_name} + else + name_prefix="$(echo ${jail_name} | cut -c1-7)" + name_suffix="$(echo ${jail_name} | rev | cut -c1-2 | rev)" + local host_epair="e0a_${name_prefix}xx${name_suffix}" + local jail_epair="e0b_${name_prefix}xx${name_suffix}" fi - done - else - for _num in $(seq 0 "${_bastille_if_num_range}"); do - if ! 
echo "${_bastille_if_list}" | grep -oqswx "${_num}"; then - local _jail_if="bastille${_num}" - break - fi - done + else + if [ "$(echo -n "e0a_${jail_name}" | awk '{print length}')" -lt 16 ]; then + local host_epair=e0a_${jail_name} + local jail_epair=e0b_${jail_name} + local jib_epair=${jail_name} + else + name_prefix="$(echo ${jail_name} | cut -c1-7)" + name_suffix="$(echo ${jail_name} | rev | cut -c1-2 | rev)" + local host_epair="e0a_${name_prefix}xx${name_suffix}" + local jail_epair="e0b_${name_prefix}xx${name_suffix}" + local jib_epair="${name_prefix}xx${name_suffix}" + fi + fi + elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then + if [ "$(echo -n "ng0_${jail_name}" | awk '{print length}')" -lt 16 ]; then + local ng_if=ng0_${jail_name} + local jng_if=${jail_name} + else + name_prefix="$(echo ${jail_name} | cut -c1-7)" + name_suffix="$(echo ${jail_name} | rev | cut -c1-2 | rev)" + local ng_if="ng0_${name_prefix}xx${name_suffix}" + local jng_if="${name_prefix}xx${name_suffix}" + fi fi + ## If BRIDGE is enabled, generate bridge config, else generate VNET config if [ -n "${use_unique_bridge}" ]; then if [ -n "${static_mac}" ]; then @@ -416,10 +410,8 @@ generate_vnet_jail_netblock() { cat <<-EOF vnet; vnet.interface = ${jail_epair}; - exec.prestart += "ifconfig epair${_num} create"; - exec.prestart += "ifconfig ${external_interface} addm epair${_num}a"; - exec.prestart += "ifconfig epair${_num}a up name ${host_epair}"; - exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}"; + exec.prestart += "epair=\\\$(ifconfig epair create) && ifconfig \\\${epair} up name ${host_epair} && ifconfig \\\${epair%a}b up name ${jail_epair}"; + exec.prestart += "ifconfig ${external_interface} addm ${host_epair}"; exec.prestart += "ifconfig ${host_epair} ether ${macaddr}a"; exec.prestart += "ifconfig ${jail_epair} ether ${macaddr}b"; exec.prestart += "ifconfig ${host_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\""; 
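Review bot: Removing get_bastille_if_count drops the only collision check the interface names had, and the truncation branch added here makes collisions easy: two jails whose names share the first seven and the last two characters (a constructed pair such as `production-web1` and `productionweb1`) both become `e0a_productxxb1`, so the second jail's `ifconfig ... up name` or `jib addm` fails at start with nothing in the config explaining why. Either keep a scan of the other jail.confs for the generated name, or derive the middle of the fallback from something unique to the full name (a short hash of `${jail_name}` instead of the literal `xx`), and have the function report which name it chose. Separately, `name_prefix` and `name_suffix` are assigned without `local` in every branch and leak into the caller's scope; a single `local name_prefix name_suffix` at the top of the function fixes that. generate_vnet_jail_netblock continues past this hunk.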
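Review bot: The collapsed prestart chain has no failure path: if `ifconfig epair create` succeeds but either rename fails, the pair is left on the host under its kernel name, and because `exec.poststop` only knows `${host_epair}` nothing destroys it, so every retried start leaks another epair. Append a `||` branch to the generated command that destroys the pair under whichever name it currently has (`${epair}` before the first rename, `${host_epair}` after it; destroying either side removes both) and exits non-zero so jail(8) still reports the failure. The same line is repeated in the next hunk (the path without a static MAC) and is only renamed to `epair0` in commit 02, so both copies need the change. A comment above the heredoc noting that the create and both renames must stay in one exec.prestart entry, because the kernel-assigned name is presumably only visible within that single shell command, would also help the next reader. generate_vnet_jail_netblock continues past this hunk.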
@@ -431,10 +423,8 @@ EOF cat <<-EOF vnet; vnet.interface = ${jail_epair}; - exec.prestart += "ifconfig epair${_num} create"; - exec.prestart += "ifconfig ${external_interface} addm epair${_num}a"; - exec.prestart += "ifconfig epair${_num}a up name ${host_epair}"; - exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}"; + exec.prestart += "epair=\\\$(ifconfig epair create) && ifconfig \\\${epair} up name ${host_epair} && ifconfig \\\${epair%a}b up name ${jail_epair}"; + exec.prestart += "ifconfig ${external_interface} addm ${host_epair}"; exec.prestart += "ifconfig ${host_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\""; exec.poststop += "ifconfig ${external_interface} deletem ${host_epair}"; exec.poststop += "ifconfig ${host_epair} destroy"; 
@@ -447,21 +437,21 @@ EOF generate_static_mac "${jail_name}" "${external_interface}" cat <<-EOF vnet; - vnet.interface = e0b_${_jail_if}; - exec.prestart += "jib addm ${_jail_if} ${external_interface}"; - exec.prestart += "ifconfig e0a_${_jail_if} ether ${macaddr}a"; - exec.prestart += "ifconfig e0b_${_jail_if} ether ${macaddr}b"; - exec.prestart += "ifconfig e0a_${_jail_if} description \"vnet0 host interface for Bastille jail ${jail_name}\""; - exec.poststop += "jib destroy ${_jail_if}"; + vnet.interface = ${jail_epair}; + exec.prestart += "jib addm ${jib_epair} ${external_interface}"; + exec.prestart += "ifconfig ${host_epair} ether ${macaddr}a"; + exec.prestart += "ifconfig ${jail_epair} ether ${macaddr}b"; + exec.prestart += "ifconfig ${host_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\""; + exec.poststop += "jib destroy ${jib_epair}"; EOF else ## Generate VNET config without static MAC address cat <<-EOF vnet; - vnet.interface = e0b_${_jail_if}; - exec.prestart += "jib addm ${_jail_if} ${external_interface}"; - exec.prestart += "ifconfig e0a_${_jail_if} description \"vnet0 host interface for Bastille jail ${jail_name}\""; - exec.poststop += "jib destroy ${_jail_if}"; + vnet.interface = ${jail_epair}; + exec.prestart += "jib addm ${jib_epair} ${external_interface}"; + exec.prestart += "ifconfig ${host_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\""; + exec.poststop += "jib destroy ${jib_epair}"; EOF fi elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then 
@@ -470,18 +460,18 @@ EOF generate_static_mac "${jail_name}" "${external_interface}" cat <<-EOF vnet; - vnet.interface = ng0_${_jail_if}; - exec.prestart += "jng bridge ${_jail_if} ${external_interface}"; - exec.prestart += "ifconfig ng0_${_jail_if} ether ${macaddr}a"; - exec.poststop += "jng shutdown ${_jail_if}"; + vnet.interface = ${ng_if}; + exec.prestart += "jng bridge ${jng_if} ${external_interface}"; + exec.prestart += "ifconfig ${ng_if} ether ${macaddr}b"; + exec.poststop += "jng shutdown ${jng_if}"; EOF else ## Generate VNET config without static MAC address cat <<-EOF vnet; - vnet.interface = ng0_${_jail_if}; - exec.prestart += "jng bridge ${_jail_if} ${external_interface}"; - exec.poststop += "jng shutdown ${_jail_if}"; + vnet.interface = ${ng_if}; + exec.prestart += "jng bridge ${jng_if} ${external_interface}"; + exec.poststop += "jng shutdown ${jng_if}"; EOF fi fi From c62efeb20a045bd8691e22a3ab2c2acd440f894a Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 11 Jun 2025 19:33:28 -0600 Subject: [PATCH 02/32] use epair0 for default --- usr/local/share/bastille/common.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 42ef360b..2ba8207a 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh 
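Review bot: The static-MAC line changes the netgraph interface's address from `${macaddr}a` to `${macaddr}b` (`exec.prestart += "ifconfig ${ng_if} ether ${macaddr}b";`), which is unrelated to the dynamic-epair subject and is not mentioned in the commit message. Any existing netgraph jail whose config is regenerated will come up with a different MAC, which can invalidate DHCP reservations and MAC-based firewall or switch rules. If the `b` suffix is intended because it is the jail-side suffix the if_bridge paths use, say so in the message and add a comment such as `# netgraph jails only have a jail-side interface, so use the 'b' suffix like the epair jail side`; otherwise keep `a`.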
@@ -410,7 +410,7 @@ generate_vnet_jail_netblock() { cat <<-EOF vnet; vnet.interface = ${jail_epair}; - exec.prestart += "epair=\\\$(ifconfig epair create) && ifconfig \\\${epair} up name ${host_epair} && ifconfig \\\${epair%a}b up name ${jail_epair}"; + exec.prestart += "epair0=\\\$(ifconfig epair create) && ifconfig \\\${epair0} up name ${host_epair} && ifconfig \\\${epair0%a}b up name ${jail_epair}"; exec.prestart += "ifconfig ${external_interface} addm ${host_epair}"; exec.prestart += "ifconfig ${host_epair} ether ${macaddr}a"; exec.prestart += "ifconfig ${jail_epair} ether ${macaddr}b"; @@ -423,7 +423,7 @@ EOF cat <<-EOF vnet; vnet.interface = ${jail_epair}; - exec.prestart += "epair=\\\$(ifconfig epair create) && ifconfig \\\${epair} up name ${host_epair} && ifconfig \\\${epair%a}b up name ${jail_epair}"; + exec.prestart += "epair0=\\\$(ifconfig epair create) && ifconfig \\\${epair0} up name ${host_epair} && ifconfig \\\${epair0%a}b up name ${jail_epair}"; exec.prestart += "ifconfig ${external_interface} addm ${host_epair}"; exec.prestart += "ifconfig ${host_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\""; exec.poststop += "ifconfig ${external_interface} deletem ${host_epair}"; From 3ef22b914b3bc7cb806adf47520da2531d086043 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 11 Jun 2025 20:20:00 -0600 Subject: [PATCH 03/32] update rename to use dynamic epairs --- usr/local/share/bastille/rename.sh | 102 ++++++++++++++++++++++++----- 1 file changed, 85 insertions(+), 17 deletions(-) diff --git a/usr/local/share/bastille/rename.sh b/usr/local/share/bastille/rename.sh index fcc1d414..cfbf15d0 100644 --- a/usr/local/share/bastille/rename.sh +++ b/usr/local/share/bastille/rename.sh 
@@ -128,38 +128,106 @@ update_jailconf_vnet() { # Change bastille interface name (only needed for bridged epairs) # We still gather interface names for JIB and JNG managed interfaces (for future use) if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then - local _if_list="$(grep -Eo 'epair[0-9]+|e[0-9]+_bastille[0-9]+' ${_jail_conf} | sort -u)" + local _if_list="$(grep -Eo 'e[0-9]+a_.* ' ${_jail_conf} | sort -u)" elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then - local _if_list="$(grep -Eo 'ng[0-9]+_bastille[0-9]+' ${_jail_conf} | sort -u)" + local _if_list="$(grep -Eo 'ng[0-9]+_.* ' ${_jail_conf} | sort -u)" fi for _if in ${_if_list}; do - if echo ${_if} | grep -Eoq 'epair[0-9]+'; then - # Check if epair name = jail name - local _epair_num="$(grep -Eo -m 1 "epair[0-9]+" "${_jail_conf}" | grep -Eo "[0-9]+")" - if grep -E "epair[0-9]+a" "${_jail_conf}" | grep -Eo "e[0-9]+a_${TARGET}"; then - local _target_host_epair="$(grep -Eo -m 1 "e[0-9]+a_${TARGET}" "${_jail_conf}")" - local _target_jail_epair="$(grep -Eo -m 1 "e[0-9]+b_${TARGET}" "${_jail_conf}")" - else - local _target_host_epair="$(grep -Eo -m 1 "epair[0-9]+a" "${_jail_conf}")" - local _target_jail_epair="$(grep -Eo -m 1 "epair[0-9]+b" "${_jail_conf}")" - fi + local _if_prefix="$(echo ${_if} | awk -F'_' '{print $1}')" + local _if_suffix="$(echo ${_if} | awk -F'_' '{print $2}')" + + # For VNET jails that use the JIB script + if grep " ${_if_suffix} " ${_jail_conf} | grep -Eoq "jib addm"; then + + local _epair_num="$(grep -Eo -m 1 "${_if}" "${_jail_conf}" | grep -Eo "[0-9]+")" + local _target_host_epair="$(grep -Eo -m 1 "e${_epair_num}a_.* " "${_jail_conf}")" + local _target_jail_epair="$(grep -Eo -m 1 "e${_epair_num}b_.* " "${_jail_conf}")" if [ "$(echo -n "e${_epair_num}a_${NEWNAME}" | awk '{print length}')" -lt 16 ]; then # Generate new epair name local _new_host_epair="e${_epair_num}a_${NEWNAME}" local _new_jail_epair="e${_epair_num}b_${NEWNAME}" else - local 
_new_host_epair="epair${_epair_num}a" - local _new_jail_epair="epair${_epair_num}b" + name_prefix="$(echo ${NEWNAME} | cut -c1-7)" + name_suffix="$(echo ${NEWNAME} | rev | cut -c1-2 | rev)" + local host_epair="e${_epair_num}a_${name_prefix}xx${name_suffix}" + local jail_epair="e${_epair_num}b_${name_prefix}xx${name_suffix}" + fi + + local _new_if_prefix="$(echo ${_if} | awk -F'_' '{print $1}')" + local _new_if_suffix="$(echo ${_if} | awk -F'_' '{print $2}')" + + # Replace host epair name in jail.conf + #sed -i '' "s|up name ${_target_host_epair}|up name ${_new_host_epair}|g" "${_jail_conf}" + sed -i '' "s|jib addm ${_if_suffix}|jib addm ${_new_if_suffix}|g" "${_jail_conf}" + sed -i '' "s|${_target_host_epair} ether|${_new_host_epair} ether|g" "${_jail_conf}" + #sed -i '' "s|deletem ${_target_host_epair}|deletem ${_new_host_epair}|g" "${_jail_conf}" + sed -i '' "s|${_if_suffix} destroy|${_new_if_suffix} destroy|g" "${_jail_conf}" + sed -i '' "s|${_target_host_epair} description|${_new_host_epair} description|g" "${_jail_conf}" + + # Replace jail epair name in jail.conf + sed -i '' "s|= ${_target_jail_epair};|= ${_new_jail_epair};|g" "${_jail_conf}" + #sed -i '' "s|up name ${_target_jail_epair}|up name ${_new_jail_epair}|g" "${_jail_conf}" + sed -i '' "s|${_target_jail_epair} ether|${_new_jail_epair} ether|g" "${_jail_conf}" + + # Replace epair description + sed -i '' "s|host interface for Bastille jail ${TARGET}|host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" + + # Replace epair name in /etc/rc.conf + sed -i '' "/ifconfig/ s|${_target_jail_epair}|${_new_jail_epair}|g" "${_rc_conf}" + + elif grep " ${_if_suffix} " ${_jail_conf} | grep -Eoq "jng bridge"; then + + local _ngif_num="$(grep -Eo -m 1 "${_if}" "${_jail_conf}" | grep -Eo "[0-9]+")" + local _target_ngif="$(grep -Eo -m 1 "ng${_ngif_num}_.* " "${_jail_conf}")" + + if [ "$(echo -n "ng${_ngif_num}_${NEWNAME}" | awk '{print length}')" -lt 16 ]; then + # Generate new epair name + local 
_new_ngif="ng${_ngif_num}_${NEWNAME}" + else + name_prefix="$(echo ${NEWNAME} | cut -c1-7)" + name_suffix="$(echo ${NEWNAME} | rev | cut -c1-2 | rev)" + local host_ngif="ng${_epair_num}_${name_prefix}xx${name_suffix}" + fi + + local _new_if_prefix="$(echo ${_if} | awk -F'_' '{print $1}')" + local _new_if_suffix="$(echo ${_if} | awk -F'_' '{print $2}')" + + # Replace netgraph interface name + sed -i '' "s|jng bridge ${_if_suffix}|jng bridge ${_new_if_suffix}|g" "${_jail_conf}" + sed -i '' "s|${_target_ngif} ether|${_new_ngif} ether|g" "${_jail_conf}" + sed -i '' "s|jng shutdown ${_if_suffix}|jng shutdown ${_new_if_suffix}|g" "${_jail_conf}" + + # Replace jail epair name in jail.conf + sed -i '' "s|= ${_target_ngif};|= ${_new_ngif};|g" "${_jail_conf}" + + # Replace epair name in /etc/rc.conf + sed -i '' "/ifconfig/ s|${_target_ngif}|${_new_ngif}|g" "${_rc_conf}" + + elif grep "${_if}" ${_jail_conf} | grep -Eoq "epair create"; then + + local _epair_num="$(grep -Eo -m 1 "${_if}" "${_jail_conf}" | grep -Eo "[0-9]+")" + local _target_host_epair="$(grep -Eo -m 1 "e${_epair_num}a_.* " "${_jail_conf}")" + local _target_jail_epair="$(grep -Eo -m 1 "e${_epair_num}b_.* " "${_jail_conf}")" + + if [ "$(echo -n "e${_epair_num}a_${NEWNAME}" | awk '{print length}')" -lt 16 ]; then + # Generate new epair name + local _new_host_epair="e${_epair_num}a_${NEWNAME}" + local _new_jail_epair="e${_epair_num}b_${NEWNAME}" + else + name_prefix="$(echo ${NEWNAME} | cut -c1-7)" + name_suffix="$(echo ${NEWNAME} | rev | cut -c1-2 | rev)" + local host_epair="e${_epair_num}a_${name_prefix}xx${name_suffix}" + local jail_epair="e${_epair_num}b_${name_prefix}xx${name_suffix}" fi # Replace host epair name in jail.conf sed -i '' "s|up name ${_target_host_epair}|up name ${_new_host_epair}|g" "${_jail_conf}" sed -i '' "s|${_target_host_epair} ether|${_new_host_epair} ether|g" "${_jail_conf}" sed -i '' "s|deletem ${_target_host_epair}|deletem ${_new_host_epair}|g" "${_jail_conf}" - sed -i '' 
"s|${_target_host_epair} destroy|${_new_host_epair} destroy|g" "${_jail_conf}" + sed -i '' "s|${_target_host_epair} destroy|${_new_jail_epair} destroy|g" "${_jail_conf}" sed -i '' "s|${_target_host_epair} description|${_new_host_epair} description|g" "${_jail_conf}" # Replace jail epair name in jail.conf @@ -168,7 +236,7 @@ update_jailconf_vnet() { sed -i '' "s|${_target_jail_epair} ether|${_new_jail_epair} ether|g" "${_jail_conf}" # Replace epair description - sed -i '' "s|${_new_host_epair} host interface for Bastille jail ${TARGET}|${_new_host_epair} host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" + sed -i '' "s|host interface for Bastille jail ${TARGET}|host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" # Replace epair name in /etc/rc.conf sed -i '' "/ifconfig/ s|${_target_jail_epair}|${_new_jail_epair}|g" "${_rc_conf}" @@ -242,4 +310,4 @@ info "\nAttempting to rename '${TARGET}' to ${NEWNAME}..." change_name -info "\nRenamed '${TARGET}' to '${NEWNAME}' successfully.\n" \ No newline at end of file +info "\nRenamed '${TARGET}' to '${NEWNAME}' successfully.\n" From 336a6c6edda52c511f2a93a3ed649dd949efb33a Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 11 Jun 2025 20:23:11 -0600 Subject: [PATCH 04/32] Update rename.sh --- usr/local/share/bastille/rename.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/usr/local/share/bastille/rename.sh b/usr/local/share/bastille/rename.sh index cfbf15d0..8b84b124 100644 --- a/usr/local/share/bastille/rename.sh +++ b/usr/local/share/bastille/rename.sh 
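Review bot: In the `jng bridge` branch the long-name fallback builds the name from `${_epair_num}`, which is never assigned in that branch (only `_ngif_num` is), and stores it in `host_ngif` while the seds below read `_new_ngif`; for a NEWNAME long enough to take the truncation path `_new_ngif` is therefore empty and `s|${_target_ngif} ether| ether|g` strips the interface name out of jail.conf. The same mistake survives in commit 05's `@@ -189,7 +189,7 @@` hunk, which fixes the variable name but keeps `${_epair_num}`; the line should read `local _new_ngif="ng${_ngif_num}_${name_prefix}xx${name_suffix}"`. The `jib addm` and `epair create` branches have the parallel slip of assigning `host_epair`/`jail_epair` instead of `_new_host_epair`/`_new_jail_epair`, corrected in commit 05. `name_prefix`/`name_suffix` are also assigned without `local` in every branch and leak into the caller; declare them `local` once at the top of the loop body. update_jailconf_vnet begins before and continues after this hunk.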
@@ -150,8 +150,8 @@ update_jailconf_vnet() { local _new_host_epair="e${_epair_num}a_${NEWNAME}" local _new_jail_epair="e${_epair_num}b_${NEWNAME}" else - name_prefix="$(echo ${NEWNAME} | cut -c1-7)" - name_suffix="$(echo ${NEWNAME} | rev | cut -c1-2 | rev)" + name_prefix="$(echo ${NEWNAME} | cut -c1-7)" + name_suffix="$(echo ${NEWNAME} | rev | cut -c1-2 | rev)" local host_epair="e${_epair_num}a_${name_prefix}xx${name_suffix}" local jail_epair="e${_epair_num}b_${name_prefix}xx${name_suffix}" fi @@ -187,8 +187,8 @@ update_jailconf_vnet() { # Generate new epair name local _new_ngif="ng${_ngif_num}_${NEWNAME}" else - name_prefix="$(echo ${NEWNAME} | cut -c1-7)" - name_suffix="$(echo ${NEWNAME} | rev | cut -c1-2 | rev)" + name_prefix="$(echo ${NEWNAME} | cut -c1-7)" + name_suffix="$(echo ${NEWNAME} | rev | cut -c1-2 | rev)" local host_ngif="ng${_epair_num}_${name_prefix}xx${name_suffix}" fi @@ -217,8 +217,8 @@ update_jailconf_vnet() { local _new_host_epair="e${_epair_num}a_${NEWNAME}" local _new_jail_epair="e${_epair_num}b_${NEWNAME}" else - name_prefix="$(echo ${NEWNAME} | cut -c1-7)" - name_suffix="$(echo ${NEWNAME} | rev | cut -c1-2 | rev)" + name_prefix="$(echo ${NEWNAME} | cut -c1-7)" + name_suffix="$(echo ${NEWNAME} | rev | cut -c1-2 | rev)" local host_epair="e${_epair_num}a_${name_prefix}xx${name_suffix}" local jail_epair="e${_epair_num}b_${name_prefix}xx${name_suffix}" fi 
@@ -227,7 +227,7 @@ update_jailconf_vnet() { sed -i '' "s|up name ${_target_host_epair}|up name ${_new_host_epair}|g" "${_jail_conf}" sed -i '' "s|${_target_host_epair} ether|${_new_host_epair} ether|g" "${_jail_conf}" sed -i '' "s|deletem ${_target_host_epair}|deletem ${_new_host_epair}|g" "${_jail_conf}" - sed -i '' "s|${_target_host_epair} destroy|${_new_jail_epair} destroy|g" "${_jail_conf}" + sed -i '' "s|${_target_host_epair} destroy|${_new_host_epair} destroy|g" "${_jail_conf}" sed -i '' "s|${_target_host_epair} description|${_new_host_epair} description|g" "${_jail_conf}" # Replace jail epair name in jail.conf From 44a305e5de653feb4a86a163f1b1e59d77e88b58 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 11 Jun 2025 20:31:21 -0600 Subject: [PATCH 05/32] Update rename.sh --- usr/local/share/bastille/rename.sh | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/usr/local/share/bastille/rename.sh b/usr/local/share/bastille/rename.sh index 8b84b124..d6452e8c 100644 --- a/usr/local/share/bastille/rename.sh +++ b/usr/local/share/bastille/rename.sh @@ -141,7 +141,7 @@ update_jailconf_vnet() { # For VNET jails that use the JIB script if grep " ${_if_suffix} " ${_jail_conf} | grep -Eoq "jib addm"; then - local _epair_num="$(grep -Eo -m 1 "${_if}" "${_jail_conf}" | grep -Eo "[0-9]+")" + local _epair_num="$(grep -Eo -m 1 "${_if_prefix}" "${_jail_conf}" | grep -Eo "[0-9]+")" local _target_host_epair="$(grep -Eo -m 1 "e${_epair_num}a_.* " "${_jail_conf}")" local _target_jail_epair="$(grep -Eo -m 1 "e${_epair_num}b_.* " "${_jail_conf}")" 
@@ -152,12 +152,12 @@ update_jailconf_vnet() { else name_prefix="$(echo ${NEWNAME} | cut -c1-7)" name_suffix="$(echo ${NEWNAME} | rev | cut -c1-2 | rev)" - local host_epair="e${_epair_num}a_${name_prefix}xx${name_suffix}" - local jail_epair="e${_epair_num}b_${name_prefix}xx${name_suffix}" + local _new_host_epair="e${_epair_num}a_${name_prefix}xx${name_suffix}" + local _new_jail_epair="e${_epair_num}b_${name_prefix}xx${name_suffix}" fi - local _new_if_prefix="$(echo ${_if} | awk -F'_' '{print $1}')" - local _new_if_suffix="$(echo ${_if} | awk -F'_' '{print $2}')" + local _new_if_prefix="$(echo ${_new_host_epair} | awk -F'_' '{print $1}')" + local _new_if_suffix="$(echo ${_new_host_epair} | awk -F'_' '{print $2}')" # Replace host epair name in jail.conf #sed -i '' "s|up name ${_target_host_epair}|up name ${_new_host_epair}|g" "${_jail_conf}" @@ -180,7 +180,7 @@ update_jailconf_vnet() { elif grep " ${_if_suffix} " ${_jail_conf} | grep -Eoq "jng bridge"; then - local _ngif_num="$(grep -Eo -m 1 "${_if}" "${_jail_conf}" | grep -Eo "[0-9]+")" + local _ngif_num="$(grep -Eo -m 1 "${_if_prefix}" "${_jail_conf}" | grep -Eo "[0-9]+")" local _target_ngif="$(grep -Eo -m 1 "ng${_ngif_num}_.* " "${_jail_conf}")" if [ "$(echo -n "ng${_ngif_num}_${NEWNAME}" | awk '{print length}')" -lt 16 ]; then @@ -189,7 +189,7 @@ update_jailconf_vnet() { else name_prefix="$(echo ${NEWNAME} | cut -c1-7)" name_suffix="$(echo ${NEWNAME} | rev | cut -c1-2 | rev)" - local host_ngif="ng${_epair_num}_${name_prefix}xx${name_suffix}" + local _new_ngif="ng${_epair_num}_${name_prefix}xx${name_suffix}" fi local _new_if_prefix="$(echo ${_if} | awk -F'_' '{print $1}')" 
@@ -208,7 +208,7 @@ update_jailconf_vnet() { elif grep "${_if}" ${_jail_conf} | grep -Eoq "epair create"; then - local _epair_num="$(grep -Eo -m 1 "${_if}" "${_jail_conf}" | grep -Eo "[0-9]+")" + local _epair_num="$(grep -Eo -m 1 "${_if_prefix}" "${_jail_conf}" | grep -Eo "[0-9]+")" local _target_host_epair="$(grep -Eo -m 1 "e${_epair_num}a_.* " "${_jail_conf}")" local _target_jail_epair="$(grep -Eo -m 1 "e${_epair_num}b_.* " "${_jail_conf}")" @@ -219,8 +219,8 @@ update_jailconf_vnet() { else name_prefix="$(echo ${NEWNAME} | cut -c1-7)" name_suffix="$(echo ${NEWNAME} | rev | cut -c1-2 | rev)" - local host_epair="e${_epair_num}a_${name_prefix}xx${name_suffix}" - local jail_epair="e${_epair_num}b_${name_prefix}xx${name_suffix}" + local _new_host_epair="e${_epair_num}a_${name_prefix}xx${name_suffix}" + local _new_jail_epair="e${_epair_num}b_${name_prefix}xx${name_suffix}" fi # Replace host epair name in jail.conf From 84de77031a75cd7808ffbe5421338758675c062e Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 11 Jun 2025 20:41:12 -0600 Subject: [PATCH 06/32] Update rename.sh --- usr/local/share/bastille/rename.sh | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/usr/local/share/bastille/rename.sh b/usr/local/share/bastille/rename.sh index d6452e8c..ede53c4b 100644 --- a/usr/local/share/bastille/rename.sh +++ b/usr/local/share/bastille/rename.sh 
@@ -160,16 +160,13 @@ update_jailconf_vnet() { local _new_if_suffix="$(echo ${_new_host_epair} | awk -F'_' '{print $2}')" # Replace host epair name in jail.conf - #sed -i '' "s|up name ${_target_host_epair}|up name ${_new_host_epair}|g" "${_jail_conf}" sed -i '' "s|jib addm ${_if_suffix}|jib addm ${_new_if_suffix}|g" "${_jail_conf}" sed -i '' "s|${_target_host_epair} ether|${_new_host_epair} ether|g" "${_jail_conf}" - #sed -i '' "s|deletem ${_target_host_epair}|deletem ${_new_host_epair}|g" "${_jail_conf}" sed -i '' "s|${_if_suffix} destroy|${_new_if_suffix} destroy|g" "${_jail_conf}" sed -i '' "s|${_target_host_epair} description|${_new_host_epair} description|g" "${_jail_conf}" # Replace jail epair name in jail.conf sed -i '' "s|= ${_target_jail_epair};|= ${_new_jail_epair};|g" "${_jail_conf}" - #sed -i '' "s|up name ${_target_jail_epair}|up name ${_new_jail_epair}|g" "${_jail_conf}" sed -i '' "s|${_target_jail_epair} ether|${_new_jail_epair} ether|g" "${_jail_conf}" # Replace epair description @@ -225,6 +222,7 @@ update_jailconf_vnet() { # Replace host epair name in jail.conf sed -i '' "s|up name ${_target_host_epair}|up name ${_new_host_epair}|g" "${_jail_conf}" + sed -i '' "s|addm ${_target_host_epair}|addm ${_new_host_epair}|g" "${_jail_conf}" sed -i '' "s|${_target_host_epair} ether|${_new_host_epair} ether|g" "${_jail_conf}" sed -i '' "s|deletem ${_target_host_epair}|deletem ${_new_host_epair}|g" "${_jail_conf}" sed -i '' "s|${_target_host_epair} destroy|${_new_host_epair} destroy|g" "${_jail_conf}" From c2474aa170925775ff67e35f92ea0fd30c83bd52 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 11 Jun 2025 22:26:32 -0600 Subject: [PATCH 07/32] Update rename.sh --- usr/local/share/bastille/rename.sh | 125 +++++++++++++---------------- 1 file changed, 56 insertions(+), 69 deletions(-) diff --git a/usr/local/share/bastille/rename.sh b/usr/local/share/bastille/rename.sh index ede53c4b..b8b7b3dd 100644 
--- a/usr/local/share/bastille/rename.sh +++ b/usr/local/share/bastille/rename.sh @@ -112,7 +112,7 @@ update_jailconf() { sed -i '' "s|exec.consolelog.*=.*;|exec.consolelog = ${bastille_logsdir}/${NEWNAME}_console.log;|" "${_jail_conf}" sed -i '' "s|path.*=.*;|path = ${bastille_jailsdir}/${NEWNAME}/root;|" "${_jail_conf}" sed -i '' "s|mount.fstab.*=.*;|mount.fstab = ${bastille_jailsdir}/${NEWNAME}/fstab;|" "${_jail_conf}" - sed -i '' "s|${TARGET}.*{|${NEWNAME} {|" "${_jail_conf}" + sed -i '' "s|^${TARGET}.*{$|${NEWNAME} {|" "${_jail_conf}" fi if grep -qo "vnet;" "${_jail_conf}"; then update_jailconf_vnet 
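Review bot: `${TARGET}` still goes into the sed pattern unescaped on the changed line (`s|^${TARGET}.*{$|${NEWNAME} {|`), and `${NEWNAME}` into the replacement, so a name containing `.`, `[`, `*`, `|` or `&` changes the meaning of the script rather than matching literally; the new `^`/`$` anchors narrow which line is hit but do not address this. If Bastille already restricts jail names to a safe character set before this function runs (not visible in this hunk) the exposure is bounded by that check and a comment saying so would help; otherwise validate both names here, e.g. `case "${TARGET}${NEWNAME}" in *[!A-Za-z0-9_-]*) printf 'invalid jail name\n' >&2; return 1;; esac`, before any of the sed -i calls. The same unescaped interpolation recurs in every sed line of update_jailconf_vnet below. update_jailconf begins before and continues after this hunk.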
@@ -128,22 +128,22 @@ update_jailconf_vnet() { # Change bastille interface name (only needed for bridged epairs) # We still gather interface names for JIB and JNG managed interfaces (for future use) if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then - local _if_list="$(grep -Eo 'e[0-9]+a_.* ' ${_jail_conf} | sort -u)" + local _if_list="$(grep -Eo 'e[0-9]+a_[^;" ]+' ${_jail_conf} | sort -u)" elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then - local _if_list="$(grep -Eo 'ng[0-9]+_.* ' ${_jail_conf} | sort -u)" + local _if_list="$(grep -Eo 'ng[0-9]+_[^;" ]+' ${_jail_conf} | sort -u)" fi for _if in ${_if_list}; do - local _if_prefix="$(echo ${_if} | awk -F'_' '{print $1}')" - local _if_suffix="$(echo ${_if} | awk -F'_' '{print $2}')" + local _old_if_prefix="$(echo ${_if} | awk -F'_' '{print $1}')" + local _old_if_suffix="$(echo ${_if} | awk -F'_' '{print $2}')" - # For VNET jails that use the JIB script - if grep " ${_if_suffix} " ${_jail_conf} | grep -Eoq "jib addm"; then + # For if_bridge network type + if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then - local _epair_num="$(grep -Eo -m 1 "${_if_prefix}" "${_jail_conf}" | grep -Eo "[0-9]+")" - local _target_host_epair="$(grep -Eo -m 1 "e${_epair_num}a_.* " "${_jail_conf}")" - local _target_jail_epair="$(grep -Eo -m 1 "e${_epair_num}b_.* " "${_jail_conf}")" + local _epair_num=$(echo "${_old_if_prefix}" | grep -Eo "[0-9]+") + local _old_host_epair="${_if}" + local _old_jail_epair="${_old_if_prefix%a}b_${_old_if_suffix}" if [ "$(echo -n "e${_epair_num}a_${NEWNAME}" | awk '{print length}')" -lt 16 ]; then # Generate new epair name 
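Review bot: `_old_if_suffix` is taken as the second `_`-separated field of `${_if}` (`awk -F'_' '{print $2}'`), so for a jail whose name itself contains an underscore the suffix is cut at that underscore and the derived `_old_jail_epair`, together with the later `jib addm` and `destroy` substitutions, target a name that does not occur in jail.conf, leaving the config half-renamed. If Bastille permits `_` in jail names (not visible here), split on the first underscore only with parameter expansion: `local _old_if_prefix="${_if%%_*}"` and `local _old_if_suffix="${_if#*_}"`. The same field-based split is used for `_new_if_prefix`/`_new_if_suffix` in the following hunk. update_jailconf_vnet begins before and continues after this hunk.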
@@ -159,85 +159,72 @@ update_jailconf_vnet() { local _new_if_prefix="$(echo ${_new_host_epair} | awk -F'_' '{print $1}')" local _new_if_suffix="$(echo ${_new_host_epair} | awk -F'_' '{print $2}')" - # Replace host epair name in jail.conf - sed -i '' "s|jib addm ${_if_suffix}|jib addm ${_new_if_suffix}|g" "${_jail_conf}" - sed -i '' "s|${_target_host_epair} ether|${_new_host_epair} ether|g" "${_jail_conf}" - sed -i '' "s|${_if_suffix} destroy|${_new_if_suffix} destroy|g" "${_jail_conf}" - sed -i '' "s|${_target_host_epair} description|${_new_host_epair} description|g" "${_jail_conf}" + if grep "${_old_if_suffix}" "${_jail_conf}" | grep "jib addm"; then + # For -V jails + # Replace host epair name in jail.conf + sed -i '' "s|jib addm ${_old_if_suffix}|jib addm ${_new_if_suffix}|g" "${_jail_conf}" + sed -i '' "s|${_old_host_epair} ether|${_new_host_epair} ether|g" "${_jail_conf}" + sed -i '' "s|destroy ${_old_if_suffix}|destroy ${_new_if_suffix}|g" "${_jail_conf}" + sed -i '' "s|${_old_host_epair} description|${_new_host_epair} description|g" "${_jail_conf}" - # Replace jail epair name in jail.conf - sed -i '' "s|= ${_target_jail_epair};|= ${_new_jail_epair};|g" "${_jail_conf}" - sed -i '' "s|${_target_jail_epair} ether|${_new_jail_epair} ether|g" "${_jail_conf}" + # Replace jail epair name in jail.conf + sed -i '' "s|= ${_old_jail_epair};|= ${_new_jail_epair};|g" "${_jail_conf}" + sed -i '' "s|${_old_jail_epair} ether|${_new_jail_epair} ether|g" "${_jail_conf}" - # Replace epair description - sed -i '' "s|host interface for Bastille jail ${TARGET}|host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" + # Replace epair description + sed -i '' "s|host interface for Bastille jail ${TARGET}|host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" - # Replace epair name in /etc/rc.conf - sed -i '' "/ifconfig/ s|${_target_jail_epair}|${_new_jail_epair}|g" "${_rc_conf}" - - elif grep " ${_if_suffix} " ${_jail_conf} | grep -Eoq "jng bridge"; then + # Replace 
epair name in /etc/rc.conf + sed -i '' "/ifconfig/ s|${_old_jail_epair}|${_new_jail_epair}|g" "${_rc_conf}" + else + # For -B jails + # Replace host epair name in jail.conf + sed -i '' "s|up name ${_old_host_epair}|up name ${_new_host_epair}|g" "${_jail_conf}" + sed -i '' "s|addm ${_old_host_epair}|addm ${_new_host_epair}|g" "${_jail_conf}" + sed -i '' "s|${_old_host_epair} ether|${_new_host_epair} ether|g" "${_jail_conf}" + sed -i '' "s|deletem ${_old_host_epair}|deletem ${_new_host_epair}|g" "${_jail_conf}" + sed -i '' "s|${_old_host_epair} destroy|${_new_host_epair} destroy|g" "${_jail_conf}" + sed -i '' "s|${_old_host_epair} description|${_new_host_epair} description|g" "${_jail_conf}" + + # Replace jail epair name in jail.conf + sed -i '' "s|= ${_old_jail_epair};|= ${_new_jail_epair};|g" "${_jail_conf}" + sed -i '' "s|up name ${_old_jail_epair}|up name ${_new_jail_epair}|g" "${_jail_conf}" + sed -i '' "s|${_old_jail_epair} ether|${_new_jail_epair} ether|g" "${_jail_conf}" + + # Replace epair description + sed -i '' "s|host interface for Bastille jail ${TARGET}|host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" + + # Replace epair name in /etc/rc.conf + sed -i '' "/ifconfig/ s|${_old_jail_epair}|${_new_jail_epair}|g" "${_rc_conf}" + fi + # For netgraph network type + elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then - local _ngif_num="$(grep -Eo -m 1 "${_if_prefix}" "${_jail_conf}" | grep -Eo "[0-9]+")" - local _target_ngif="$(grep -Eo -m 1 "ng${_ngif_num}_.* " "${_jail_conf}")" + local _ngif_num=$(echo "${_old_if_prefix}" | grep -Eo "[0-9]+") + local _old_ngif="${_if}" if [ "$(echo -n "ng${_ngif_num}_${NEWNAME}" | awk '{print length}')" -lt 16 ]; then - # Generate new epair name + # Generate new netgraph interface name local _new_ngif="ng${_ngif_num}_${NEWNAME}" else name_prefix="$(echo ${NEWNAME} | cut -c1-7)" name_suffix="$(echo ${NEWNAME} | rev | cut -c1-2 | rev)" - local _new_ngif="ng${_epair_num}_${name_prefix}xx${name_suffix}" + 
local _new_ngif="ng${_ngif_num}_${name_prefix}xx${name_suffix}" fi local _new_if_prefix="$(echo ${_if} | awk -F'_' '{print $1}')" local _new_if_suffix="$(echo ${_if} | awk -F'_' '{print $2}')" # Replace netgraph interface name - sed -i '' "s|jng bridge ${_if_suffix}|jng bridge ${_new_if_suffix}|g" "${_jail_conf}" - sed -i '' "s|${_target_ngif} ether|${_new_ngif} ether|g" "${_jail_conf}" - sed -i '' "s|jng shutdown ${_if_suffix}|jng shutdown ${_new_if_suffix}|g" "${_jail_conf}" + sed -i '' "s|jng bridge ${_old_if_suffix}|jng bridge ${_new_if_suffix}|g" "${_jail_conf}" + sed -i '' "s|${_old_ngif} ether|${_new_ngif} ether|g" "${_jail_conf}" + sed -i '' "s|jng shutdown ${_old_if_suffix}|jng shutdown ${_new_if_suffix}|g" "${_jail_conf}" # Replace jail epair name in jail.conf - sed -i '' "s|= ${_target_ngif};|= ${_new_ngif};|g" "${_jail_conf}" + sed -i '' "s|= ${_old_ngif};|= ${_new_ngif};|g" "${_jail_conf}" # Replace epair name in /etc/rc.conf - sed -i '' "/ifconfig/ s|${_target_ngif}|${_new_ngif}|g" "${_rc_conf}" - - elif grep "${_if}" ${_jail_conf} | grep -Eoq "epair create"; then - - local _epair_num="$(grep -Eo -m 1 "${_if_prefix}" "${_jail_conf}" | grep -Eo "[0-9]+")" - local _target_host_epair="$(grep -Eo -m 1 "e${_epair_num}a_.* " "${_jail_conf}")" - local _target_jail_epair="$(grep -Eo -m 1 "e${_epair_num}b_.* " "${_jail_conf}")" - - if [ "$(echo -n "e${_epair_num}a_${NEWNAME}" | awk '{print length}')" -lt 16 ]; then - # Generate new epair name - local _new_host_epair="e${_epair_num}a_${NEWNAME}" - local _new_jail_epair="e${_epair_num}b_${NEWNAME}" - else - name_prefix="$(echo ${NEWNAME} | cut -c1-7)" - name_suffix="$(echo ${NEWNAME} | rev | cut -c1-2 | rev)" - local _new_host_epair="e${_epair_num}a_${name_prefix}xx${name_suffix}" - local _new_jail_epair="e${_epair_num}b_${name_prefix}xx${name_suffix}" - fi - - # Replace host epair name in jail.conf - sed -i '' "s|up name ${_target_host_epair}|up name ${_new_host_epair}|g" "${_jail_conf}" - sed -i '' "s|addm 
${_target_host_epair}|addm ${_new_host_epair}|g" "${_jail_conf}" - sed -i '' "s|${_target_host_epair} ether|${_new_host_epair} ether|g" "${_jail_conf}" - sed -i '' "s|deletem ${_target_host_epair}|deletem ${_new_host_epair}|g" "${_jail_conf}" - sed -i '' "s|${_target_host_epair} destroy|${_new_host_epair} destroy|g" "${_jail_conf}" - sed -i '' "s|${_target_host_epair} description|${_new_host_epair} description|g" "${_jail_conf}" - - # Replace jail epair name in jail.conf - sed -i '' "s|= ${_target_jail_epair};|= ${_new_jail_epair};|g" "${_jail_conf}" - sed -i '' "s|up name ${_target_jail_epair}|up name ${_new_jail_epair}|g" "${_jail_conf}" - sed -i '' "s|${_target_jail_epair} ether|${_new_jail_epair} ether|g" "${_jail_conf}" - - # Replace epair description - sed -i '' "s|host interface for Bastille jail ${TARGET}|host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" - - # Replace epair name in /etc/rc.conf - sed -i '' "/ifconfig/ s|${_target_jail_epair}|${_new_jail_epair}|g" "${_rc_conf}" + sed -i '' "/ifconfig/ s|${_old_ngif}|${_new_ngif}|g" "${_rc_conf}" fi done } From 984e108b06b8fa6096a97b87cdd6175c30365a3d Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 11 Jun 2025 22:30:09 -0600 Subject: [PATCH 08/32] fix shellcheck --- usr/local/share/bastille/rename.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/rename.sh b/usr/local/share/bastille/rename.sh index b8b7b3dd..2fe7e1ef 100644 --- a/usr/local/share/bastille/rename.sh +++ b/usr/local/share/bastille/rename.sh @@ -141,7 +141,7 @@ update_jailconf_vnet() { # For if_bridge network type if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then - local _epair_num=$(echo "${_old_if_prefix}" | grep -Eo "[0-9]+") + local _epair_num="$(echo "${_old_if_prefix}" | grep -Eo "[0-9]+")" local _old_host_epair="${_if}" local _old_jail_epair="${_old_if_prefix%a}b_${_old_if_suffix}" 
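Review bot: In the netgraph branch the new substitutions `sed -i '' "s|jng bridge ${_old_if_suffix}|jng bridge ${_new_if_suffix}|g"` and the matching `jng shutdown` line are no-ops, because the unchanged lines just above them compute `_new_if_prefix`/`_new_if_suffix` from `${_if}` — the old interface — so old and new suffix are identical and the `jng bridge`/`jng shutdown` references keep the previous name while `= ${_new_ngif};` is renamed. Deriving them from the new name, `local _new_if_suffix="${_new_ngif#*_}"`, makes the rename consistent with the if_bridge branch, which correctly uses `${_new_host_epair}`. The clone.sh hunk `@@ -235,242 +235,207 @@` in the "clone: Use dynamic epairs" patch adds the same two lines and has the same problem. update_jailconf_vnet begins before this hunk.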
@@ -200,7 +200,7 @@ update_jailconf_vnet() { # For netgraph network type elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then - local _ngif_num=$(echo "${_old_if_prefix}" | grep -Eo "[0-9]+") + local _ngif_num="$(echo "${_old_if_prefix}" | grep -Eo "[0-9]+")" local _old_ngif="${_if}" if [ "$(echo -n "ng${_ngif_num}_${NEWNAME}" | awk '{print length}')" -lt 16 ]; then From 588cfa069761f19ecd73cf57ee5bfa6380c8431e Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 11 Jun 2025 22:57:39 -0600 Subject: [PATCH 09/32] clone: Use dynamic epairs --- usr/local/share/bastille/clone.sh | 391 ++++++++++++++---------------- 1 file changed, 178 insertions(+), 213 deletions(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index c4eb2335..09f0d116 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -180,7 +180,7 @@ update_jailconf() { sed -i '' "s|exec.consolelog = .*;|exec.consolelog = ${bastille_logsdir}/${NEWNAME}_console.log;|" "${JAIL_CONFIG}" sed -i '' "s|path = .*;|path = ${bastille_jailsdir}/${NEWNAME}/root;|" "${JAIL_CONFIG}" sed -i '' "s|mount.fstab = .*;|mount.fstab = ${bastille_jailsdir}/${NEWNAME}/fstab;|" "${JAIL_CONFIG}" - sed -i '' "s|${TARGET} {|${NEWNAME} {|" "${JAIL_CONFIG}" + sed -i '' "s|^${TARGET}.*{$|${NEWNAME} {|" "${JAIL_CONFIG}" fi fi 
@@ -235,242 +235,207 @@ update_jailconf_vnet() { # Determine number of interfaces if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then - local _if_list="$(grep -Eo 'epair[0-9]+|e[0-9]+b_bastille[0-9]+' ${_jail_conf} | sort -u)" + local _if_list="$(grep -Eo 'e[0-9]+a_[^;" ]+' ${_jail_conf} | sort -u)" elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then - local _if_list="$(grep -Eo 'ng[0-9]+_bastille[0-9]+' ${_jail_conf} | sort -u)" + local _if_list="$(grep -Eo 'ng[0-9]+_[^;" ]+' ${_jail_conf} | sort -u)" fi for _if in ${_if_list}; do - # Get number of interfaces manged by Bastille - get_bastille_if_count + local _old_if_prefix="$(echo ${_if} | awk -F'_' '{print $1}')" + local _old_if_suffix="$(echo ${_if} | awk -F'_' '{print $2}')" - local _bastille_if_num_range=$((_bastille_if_count + 1)) + # For if_bridge network type + if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then - # Update bridged VNET config - if echo ${_if} | grep -Eoq 'epair[0-9]+'; then - for _num in $(seq 0 "${_bastille_if_num_range}"); do - if ! 
echo "${_bastille_if_list}" | grep -oqswx "${_num}"; then + local _epair_num="$(echo "${_old_if_prefix}" | grep -Eo "[0-9]+")" + local _old_host_epair="${_if}" + local _old_jail_epair="${_old_if_prefix%a}b_${_old_if_suffix}" + + if [ "$(echo -n "e${_epair_num}a_${NEWNAME}" | awk '{print length}')" -lt 16 ]; then + # Generate new epair name + local _new_host_epair="e${_epair_num}a_${NEWNAME}" + local _new_jail_epair="e${_epair_num}b_${NEWNAME}" + else + name_prefix="$(echo ${NEWNAME} | cut -c1-7)" + name_suffix="$(echo ${NEWNAME} | rev | cut -c1-2 | rev)" + local _new_host_epair="e${_epair_num}a_${name_prefix}xx${name_suffix}" + local _new_jail_epair="e${_epair_num}b_${name_prefix}xx${name_suffix}" + fi - # Generate new epair name - if [ "$(echo -n "e${_num}a_${NEWNAME}" | awk '{print length}')" -lt 16 ]; then - local _new_host_epair="e${_num}a_${NEWNAME}" - local _new_jail_epair="e${_num}b_${NEWNAME}" + local _new_if_prefix="$(echo ${_new_host_epair} | awk -F'_' '{print $1}')" + local _new_if_suffix="$(echo ${_new_host_epair} | awk -F'_' '{print $2}')" + + if grep "${_old_if_suffix}" "${_jail_conf}" | grep "jib addm"; then + # For -V jails + # Replace host epair name in jail.conf + sed -i '' "s|jib addm ${_old_if_suffix}|jib addm ${_new_if_suffix}|g" "${_jail_conf}" + sed -i '' "s|${_old_host_epair} ether|${_new_host_epair} ether|g" "${_jail_conf}" + sed -i '' "s|destroy ${_old_if_suffix}|destroy ${_new_if_suffix}|g" "${_jail_conf}" + sed -i '' "s|${_old_host_epair} description|${_new_host_epair} description|g" "${_jail_conf}" + + # Replace jail epair name in jail.conf + sed -i '' "s|= ${_old_jail_epair};|= ${_new_jail_epair};|g" "${_jail_conf}" + sed -i '' "s|${_old_jail_epair} ether|${_new_jail_epair} ether|g" "${_jail_conf}" + + # Replace epair description + sed -i '' "s|host interface for Bastille jail ${TARGET}|host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" + + # Replace epair name in /etc/rc.conf + sed -i '' "/ifconfig/ 
s|${_old_jail_epair}|${_new_jail_epair}|g" "${_rc_conf}" + else + # For -B jails + # Replace host epair name in jail.conf + sed -i '' "s|up name ${_old_host_epair}|up name ${_new_host_epair}|g" "${_jail_conf}" + sed -i '' "s|addm ${_old_host_epair}|addm ${_new_host_epair}|g" "${_jail_conf}" + sed -i '' "s|${_old_host_epair} ether|${_new_host_epair} ether|g" "${_jail_conf}" + sed -i '' "s|deletem ${_old_host_epair}|deletem ${_new_host_epair}|g" "${_jail_conf}" + sed -i '' "s|${_old_host_epair} destroy|${_new_host_epair} destroy|g" "${_jail_conf}" + sed -i '' "s|${_old_host_epair} description|${_new_host_epair} description|g" "${_jail_conf}" + + # Replace jail epair name in jail.conf + sed -i '' "s|= ${_old_jail_epair};|= ${_new_jail_epair};|g" "${_jail_conf}" + sed -i '' "s|up name ${_old_jail_epair}|up name ${_new_jail_epair}|g" "${_jail_conf}" + sed -i '' "s|${_old_jail_epair} ether|${_new_jail_epair} ether|g" "${_jail_conf}" + + # Replace epair description + sed -i '' "s|host interface for Bastille jail ${TARGET}|host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" + + # Replace epair name in /etc/rc.conf + sed -i '' "/ifconfig/ s|${_old_jail_epair}|${_new_jail_epair}|g" "${_rc_conf}" + fi + + # If jail had a static MAC, generate one for clone + if grep -q ether ${_jail_conf}; then + local external_interface="$(grep "e${_epari_num}a" ${_jail_conf} | grep -o '[^ ]* addm' | awk '{print $1}')" + generate_static_mac "${NEWNAME}" "${external_interface}" + sed -i '' "s|${_new_host_epair} ether.*:.*:.*:.*:.*:.*a\";|${_new_host_epair} ether ${macaddr}a\";|" "${_jail_conf}" + sed -i '' "s|${_new_jail_epair} ether.*:.*:.*:.*:.*:.*b\";|${_new_jail_epair} ether ${macaddr}b\";|" "${_jail_conf}" + fi + + # Update /etc/rc.conf + local _jail_vnet="$(grep ${_old_jail_epair} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")" + local _jail_vnet_vlan="$(grep "vlans_${_jail_vnet}" "${_rc_conf}" | sed 's/.*=//g')" + sed -i '' "s|${_old_jail_epair}_name|${_new_jail_epair}_name|" 
"${_rc_conf}" + # IP4 + if [ -n "${IP4_ADDR}" ]; then + if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then + if [ -n "${_jail_vnet_vlan}" ]; then + if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then + sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="SYNCDHCP" + else + sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="inet ${IP4_ADDR}" + fi else - local _new_host_epair="epair${_num}a" - local _new_jail_epair="epair${_num}b" + if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then + sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP" + else + sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP4_ADDR}" + fi fi - - # Get epair name from TARGET - if grep -Eoq "e[0-9]+a_${TARGET}" "${_jail_conf}"; then - _target_host_epair="$(grep -Eo -m 1 "e[0-9]+a_${TARGET}" "${_jail_conf}")" - _target_jail_epair="$(grep -Eo -m 1 "e[0-9]+b_${TARGET}" "${_jail_conf}")" + else + if [ -n "${_jail_vnet_vlan}" ]; then + sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_${_jail_vnet_vlan}="SYNCDHCP" else - _target_host_epair="${_if}a" - _target_jail_epair="${_if}b" + sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP" fi - - # Replace host epair name in jail.conf - sed -i '' "s|up name ${_target_host_epair}|up name ${_new_host_epair}|g" "${_jail_conf}" - sed -i '' "s|${_target_host_epair} ether|${_new_host_epair} ether|g" "${_jail_conf}" - sed -i '' "s|deletem ${_target_host_epair}|deletem ${_new_host_epair}|g" "${_jail_conf}" - sed -i '' "s|${_target_host_epair} destroy|${_new_host_epair} destroy|g" "${_jail_conf}" - sed -i '' "s|${_target_host_epair} description|${_new_host_epair} description|g" "${_jail_conf}" - - # Replace jail epair name in jail.conf - sed -i '' "s|= ${_target_jail_epair};|= ${_new_jail_epair};|g" "${_jail_conf}" - sed -i '' "s|up name ${_target_jail_epair}|up name ${_new_jail_epair}|g" "${_jail_conf}" - sed -i '' "s|${_target_jail_epair} 
ether|${_new_jail_epair} ether|g" "${_jail_conf}" - - # Replace epair name in jail.conf - sed -i '' "s|${_if}|epair${_num}|g" "${_jail_conf}" - - # If jail had a static MAC, generate one for clone - if grep -q ether ${_jail_conf}; then - local external_interface="$(grep "epair${_num}a" ${_jail_conf} | grep -o '[^ ]* addm' | awk '{print $1}')" - generate_static_mac "${NEWNAME}" "${external_interface}" - sed -i '' "s|${_new_host_epair} ether.*:.*:.*:.*:.*:.*a\";|${_new_host_epair} ether ${macaddr}a\";|" "${_jail_conf}" - sed -i '' "s|${_new_jail_epair} ether.*:.*:.*:.*:.*:.*b\";|${_new_jail_epair} ether ${macaddr}b\";|" "${_jail_conf}" - fi - - # Update /etc/rc.conf - local _jail_vnet="$(grep ${_target_jail_epair} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")" - local _jail_vnet_vlan="$(grep "vlans_${_jail_vnet}" "${_rc_conf}" | sed 's/.*=//g')" - sed -i '' "s|${_target_jail_epair}_name|${_new_jail_epair}_name|" "${_rc_conf}" - # IP4 - if [ -n "${IP4_ADDR}" ]; then - if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then - if [ -n "${_jail_vnet_vlan}" ]; then - if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then - sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="SYNCDHCP" - else - sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="inet ${IP4_ADDR}" - fi - else - if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then - sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP" - else - sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP4_ADDR}" - fi - fi - else - if [ -n "${_jail_vnet_vlan}" ]; then - sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_${_jail_vnet_vlan}="SYNCDHCP" - else - sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP" - fi - fi - fi - # IP6 - if [ -n "${IP6_ADDR}" ]; then - if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then - if [ "${IP6_ADDR}" = "SLAAC" ]; then - sysrc -f "${_rc_conf}" 
ifconfig_vnet0_ipv6="inet6 -ifdisabled accept_rtadv" - else - sysrc -f "${_rc_conf}" ifconfig_vnet0_ipv6="inet6 -ifdisabled ${IP6_ADDR}" - fi - else - if [ "${IP6_ADDR}" = "SLAAC" ]; then - sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled accept_rtadv" - fi - fi - fi - - # Replace epair description - sed -i '' "/${_new_host_epair}/ s|${_jail_vnet} host interface for Bastille jail ${TARGET}|${_jail_vnet} host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" - - break fi - done - - # Update VNET (non-bridged) config - elif echo ${_if} | grep -Eoq 'e[0-9]+b_bastille[0-9]+'; then - - # Update VNET config - _if="$(echo ${_if} | grep -Eo 'bastille[0-9]+')" - for _num in $(seq 0 "${_bastille_if_num_range}"); do - if ! echo "${_bastille_if_list}" | grep -oqswx "${_num}"; then - - # Update jail.conf epair name - local _jail_if="bastille${_num}" - local _jail_vnet="$(grep ${_if} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")" - local _jail_vnet_vlan="$(grep "vlans_${_jail_vnet}" "${_rc_conf}" | sed 's/.*=//g')" - sed -i '' "s|${_if}|${_jail_if}|g" "${_jail_conf}" - - # If jail had a static MAC, generate one for clone - if grep ether ${_jail_conf} | grep -qoc ${_jail_if}; then - local external_interface="$(grep ${_jail_if} ${_jail_conf} | grep -o 'addm.*' | awk '{print $3}' | sed 's/["|;]//g')" - generate_static_mac "${NEWNAME}" "${external_interface}" - sed -i '' "s|${_jail_if} ether.*:.*:.*:.*:.*:.*a\";|${_jail_if} ether ${macaddr}a\";|" "${_jail_conf}" - sed -i '' "s|${_jail_if} ether.*:.*:.*:.*:.*:.*b\";|${_jail_if} ether ${macaddr}b\";|" "${_jail_conf}" + fi + # IP6 + if [ -n "${IP6_ADDR}" ]; then + if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then + if [ "${IP6_ADDR}" = "SLAAC" ]; then + sysrc -f "${_rc_conf}" ifconfig_vnet0_ipv6="inet6 -ifdisabled accept_rtadv" + else + sysrc -f "${_rc_conf}" ifconfig_vnet0_ipv6="inet6 -ifdisabled ${IP6_ADDR}" fi - sed -i '' "/${_jail_if}/ s|vnet host interface for Bastille jail 
${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" - - # Update /etc/rc.conf - sed -i '' "s|ifconfig_e0b_${_if}_name|ifconfig_e0b_${_jail_if}_name|" "${_rc_conf}" - # IP4 - if [ -n "${IP4_ADDR}" ]; then - if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then - if [ -n "${_jail_vnet_vlan}" ]; then - if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then - sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="SYNCDHCP" - else - sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="inet ${IP4_ADDR}" - fi - else - if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then - sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP" - else - sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP4_ADDR}" - fi - fi - else - if [ -n "${_jail_vnet_vlan}" ]; then - sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_${_jail_vnet_vlan}="SYNCDHCP" - else - sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP" - fi - fi + else + if [ "${IP6_ADDR}" = "SLAAC" ]; then + sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled accept_rtadv" fi - # IP6 - if [ -n "${IP6_ADDR}" ]; then - if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then - if [ "${IP6_ADDR}" = "SLAAC" ]; then - sysrc -f "${_rc_conf}" ifconfig_vnet0_ipv6="inet6 -ifdisabled accept_rtadv" - else - sysrc -f "${_rc_conf}" ifconfig_vnet0_ipv6="inet6 -ifdisabled ${IP6_ADDR}" - fi - else - sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled accept_rtadv" - fi - fi - - # Replace epair description - sed -i '' "/${_jail_if}/ s|${_jail_vnet} host interface for Bastille jail ${TARGET}|${_jail_vnet} host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" - break fi - done - - # Update netgraph VNET (non-bridged) config - elif echo ${_if} | grep -Eoq 'ng[0-9]+_bastille[0-9]+'; then - _if="$(echo ${_if} | grep -Eo 'bastille[0-9]+')" - for _num in $(seq 
0 "${_bastille_if_num_range}"); do - if ! echo "${_bastille_if_list}" | grep -oqswx "${_num}"; then + fi - # Update jail.conf epair name - local _jail_if="bastille${_num}" - local _jail_vnet="$(grep ${_if} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")" - local _jail_vnet_vlan="$(grep "vlans_${_jail_vnet}" "${_rc_conf}" | sed 's/.*=//g')" - sed -i '' "s|${_if}|${_jail_if}|g" "${_jail_conf}" + # Replace epair description + sed -i '' "/${_new_host_epair}/ s|${_jail_vnet} host interface for Bastille jail ${TARGET}|${_jail_vnet} host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" - # If jail had a static MAC, generate one for clone - if grep ether ${_jail_conf} | grep -qoc ${_jail_if}; then - local external_interface="$(grep ${_jail_if} ${_jail_conf} | grep -o 'jng bridge.*' | awk '{print $4}' | sed 's/["|;]//g')" - generate_static_mac "${NEWNAME}" "${external_interface}" - sed -i '' "s|${_jail_if} ether.*:.*:.*:.*:.*:.*a\";|${_jail_if} ether ${macaddr}a\";|" "${_jail_conf}" - fi + # Update netgraph VNET (non-bridged) config + elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then - # Update /etc/rc.conf - sed -i '' "s|ifconfig_ng0_${_if}_name|ifconfig_ng0_${_jail_if}_name|" "${_rc_conf}" - # IP4 - if [ -n "${IP4_ADDR}" ]; then - if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then - if [ -n "${_jail_vnet_vlan}" ]; then - if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then - sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="SYNCDHCP" - else - sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="inet ${IP4_ADDR}" - fi - else - if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then - sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP" - else - sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP4_ADDR}" - fi - fi + local _ngif_num="$(echo "${_old_if_prefix}" | grep -Eo "[0-9]+")" + local _old_ngif="${_if}" + + if [ "$(echo -n 
"ng${_ngif_num}_${NEWNAME}" | awk '{print length}')" -lt 16 ]; then + # Generate new netgraph interface name + local _new_ngif="ng${_ngif_num}_${NEWNAME}" + else + name_prefix="$(echo ${NEWNAME} | cut -c1-7)" + name_suffix="$(echo ${NEWNAME} | rev | cut -c1-2 | rev)" + local _new_ngif="ng${_ngif_num}_${name_prefix}xx${name_suffix}" + fi + + local _new_if_prefix="$(echo ${_if} | awk -F'_' '{print $1}')" + local _new_if_suffix="$(echo ${_if} | awk -F'_' '{print $2}')" + + # Replace netgraph interface name + sed -i '' "s|jng bridge ${_old_if_suffix}|jng bridge ${_new_if_suffix}|g" "${_jail_conf}" + sed -i '' "s|${_old_ngif} ether|${_new_ngif} ether|g" "${_jail_conf}" + sed -i '' "s|jng shutdown ${_old_if_suffix}|jng shutdown ${_new_if_suffix}|g" "${_jail_conf}" + + # Replace jail epair name in jail.conf + sed -i '' "s|= ${_old_ngif};|= ${_new_ngif};|g" "${_jail_conf}" + + # Replace epair name in /etc/rc.conf + sed -i '' "/ifconfig/ s|${_old_ngif}|${_new_ngif}|g" "${_rc_conf}" + + local _jail_vnet="$(grep ${_if} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")" + local _jail_vnet_vlan="$(grep "vlans_${_jail_vnet}" "${_rc_conf}" | sed 's/.*=//g')" + + # If jail had a static MAC, generate one for clone + if grep ether ${_jail_conf} | grep -qoc ${_new_ngif}; then + local external_interface="$(grep ${_new_ngif} ${_jail_conf} | grep -o 'jng bridge.*' | awk '{print $4}' | sed 's/["|;]//g')" + generate_static_mac "${NEWNAME}" "${external_interface}" + sed -i '' "s|${_new_ngif} ether.*:.*:.*:.*:.*:.*a\";|${_new_ngif} ether ${macaddr}a\";|" "${_jail_conf}" + fi + + # Update /etc/rc.conf + sed -i '' "s|ifconfig_${_old_ngif}_name|ifconfig_${_new_ngif}_name|" "${_rc_conf}" + # IP4 + if [ -n "${IP4_ADDR}" ]; then + if grep "vnet0" "${_rc_conf}" | grep -q "${_new_ngif}_name"; then + if [ -n "${_jail_vnet_vlan}" ]; then + if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then + sysrc -f "${_rc_conf}" 
ifconfig_vnet0_${_jail_vnet_vlan}="SYNCDHCP" else - if [ -n "${_jail_vnet_vlan}" ]; then - sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_${_jail_vnet_vlan}="SYNCDHCP" - else - sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP" - fi + sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="inet ${IP4_ADDR}" + fi + else + if [ "${IP4_ADDR}" = "0.0.0.0" ] || [ "${IP4_ADDR}" = "DHCP" ] || [ "${IP4_ADDR}" = "SYNCDHCP" ]; then + sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP" + else + sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP4_ADDR}" fi fi - # IP6 - if [ -n "${IP6_ADDR}" ]; then - if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then - if [ "${IP6_ADDR}" = "SLAAC" ]; then - sysrc -f "${_rc_conf}" ifconfig_vnet0_ipv6="inet6 -ifdisabled accept_rtadv" - else - sysrc -f "${_rc_conf}" ifconfig_vnet0_ipv6="inet6 -ifdisabled ${IP6_ADDR}" - fi - else - sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled accept_rtadv" - fi + else + if [ -n "${_jail_vnet_vlan}" ]; then + sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_${_jail_vnet_vlan}="SYNCDHCP" + else + sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP" fi - break fi - done + fi + # IP6 + if [ -n "${IP6_ADDR}" ]; then + if grep "vnet0" "${_rc_conf}" | grep -q "${_new_ngif}_name"; then + if [ "${IP6_ADDR}" = "SLAAC" ]; then + sysrc -f "${_rc_conf}" ifconfig_vnet0_ipv6="inet6 -ifdisabled accept_rtadv" + else + sysrc -f "${_rc_conf}" ifconfig_vnet0_ipv6="inet6 -ifdisabled ${IP6_ADDR}" + fi + else + sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled accept_rtadv" + fi + fi fi done } From 23387016967c44871579f6cc5858e6833aadc1d7 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 11 Jun 2025 23:07:30 -0600 Subject: [PATCH 10/32] Update clone.sh --- usr/local/share/bastille/clone.sh | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) 
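Review bot: In both if_bridge branches the rc.conf lookup `local _jail_vnet="$(grep ${_old_jail_epair} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")"` runs after `sed -i '' "/ifconfig/ s|${_old_jail_epair}|${_new_jail_epair}|g" "${_rc_conf}"` has already renamed the epair on every `ifconfig_*` line, so if the old name only appears on those lines (which the `${_old_jail_epair}_name` assignment suggests) `_jail_vnet` comes back empty, `_jail_vnet_vlan` then matches any `vlans_` entry, the non-vnet0 path would write `ifconfig_="SYNCDHCP"`, and the following `s|${_old_jail_epair}_name|...|` is a no-op. Either move the two lookups above the rename or search for the new name: `local _jail_vnet="$(grep ${_new_jail_epair} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")"`. The netgraph branch has the same ordering, with `grep ${_if} "${_rc_conf}"` placed after `s|${_old_ngif}|${_new_ngif}|g`. update_jailconf_vnet begins before this hunk.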
diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index 09f0d116..7c604950 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -278,6 +278,14 @@ update_jailconf_vnet() { sed -i '' "s|= ${_old_jail_epair};|= ${_new_jail_epair};|g" "${_jail_conf}" sed -i '' "s|${_old_jail_epair} ether|${_new_jail_epair} ether|g" "${_jail_conf}" + # If jail had a static MAC, generate one for clone + if grep ether ${_jail_conf} | grep -qoc ${_new_jail_epair}; then + local external_interface="$(grep ${_new_jail_epair} ${_jail_conf} | grep -o 'addm.*' | awk '{print $3}' | sed 's/["|;]//g')" + generate_static_mac "${NEWNAME}" "${external_interface}" + sed -i '' "s|${_new_jail_epair} ether.*:.*:.*:.*:.*:.*a\";|${_new_jail_epair} ether ${macaddr}a\";|" "${_jail_conf}" + sed -i '' "s|${_new_jail_epair} ether.*:.*:.*:.*:.*:.*b\";|${_new_jail_epair} ether ${macaddr}b\";|" "${_jail_conf}" + fi + # Replace epair description sed -i '' "s|host interface for Bastille jail ${TARGET}|host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" @@ -298,6 +306,14 @@ update_jailconf_vnet() { sed -i '' "s|up name ${_old_jail_epair}|up name ${_new_jail_epair}|g" "${_jail_conf}" sed -i '' "s|${_old_jail_epair} ether|${_new_jail_epair} ether|g" "${_jail_conf}" + # If jail had a static MAC, generate one for clone + if grep -q ether ${_jail_conf}; then + local external_interface="$(grep "e${_epair_num}a" ${_jail_conf} | grep -o '[^ ]* addm' | awk '{print $1}')" + generate_static_mac "${NEWNAME}" "${external_interface}" + sed -i '' "s|${_new_host_epair} ether.*:.*:.*:.*:.*:.*a\";|${_new_host_epair} ether ${macaddr}a\";|" "${_jail_conf}" + sed -i '' "s|${_new_jail_epair} ether.*:.*:.*:.*:.*:.*b\";|${_new_jail_epair} ether ${macaddr}b\";|" "${_jail_conf}" + fi + # Replace epair description sed -i '' "s|host interface for Bastille jail ${TARGET}|host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" 
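Review bot: The `-B` branch guard added in the second hunk, `if grep -q ether ${_jail_conf}; then`, tests the whole file, unlike the `-V` branch in the first hunk which scopes the check to the interface being processed; on a jail with several interfaces where only some carry a static MAC this would run `generate_static_mac` for an interface that has no `ether` line, and the two `sed` edits then match nothing. Scoping it the same way, `if grep ether ${_jail_conf} | grep -q "${_new_host_epair}"; then`, keeps the two branches consistent. In the first hunk `grep -qoc` combines three output-mode flags of which only `-q` has an effect, so `-q` alone says what is meant. The MAC block is now duplicated between the branches and could become a small helper taking the host and jail epair names. update_jailconf_vnet begins and ends outside these hunks.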
@@ -305,14 +321,6 @@ update_jailconf_vnet() { sed -i '' "/ifconfig/ s|${_old_jail_epair}|${_new_jail_epair}|g" "${_rc_conf}" fi - # If jail had a static MAC, generate one for clone - if grep -q ether ${_jail_conf}; then - local external_interface="$(grep "e${_epari_num}a" ${_jail_conf} | grep -o '[^ ]* addm' | awk '{print $1}')" - generate_static_mac "${NEWNAME}" "${external_interface}" - sed -i '' "s|${_new_host_epair} ether.*:.*:.*:.*:.*:.*a\";|${_new_host_epair} ether ${macaddr}a\";|" "${_jail_conf}" - sed -i '' "s|${_new_jail_epair} ether.*:.*:.*:.*:.*:.*b\";|${_new_jail_epair} ether ${macaddr}b\";|" "${_jail_conf}" - fi - # Update /etc/rc.conf local _jail_vnet="$(grep ${_old_jail_epair} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")" local _jail_vnet_vlan="$(grep "vlans_${_jail_vnet}" "${_rc_conf}" | sed 's/.*=//g')" From bc6d3c0d555260b6a45b125fb4df65fa352176b5 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 11 Jun 2025 23:10:07 -0600 Subject: [PATCH 11/32] Update clone.sh --- usr/local/share/bastille/clone.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index 7c604950..e414d955 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh 
@@ -280,7 +280,7 @@ update_jailconf_vnet() { # If jail had a static MAC, generate one for clone if grep ether ${_jail_conf} | grep -qoc ${_new_jail_epair}; then - local external_interface="$(grep ${_new_jail_epair} ${_jail_conf} | grep -o 'addm.*' | awk '{print $3}' | sed 's/["|;]//g')" + local external_interface="$(grep ${_new_if_suffix} ${_jail_conf} | grep -o 'addm.*' | awk '{print $3}' | sed 's/["|;]//g')" generate_static_mac "${NEWNAME}" "${external_interface}" sed -i '' "s|${_new_jail_epair} ether.*:.*:.*:.*:.*:.*a\";|${_new_jail_epair} ether ${macaddr}a\";|" "${_jail_conf}" sed -i '' "s|${_new_jail_epair} ether.*:.*:.*:.*:.*:.*b\";|${_new_jail_epair} ether ${macaddr}b\";|" "${_jail_conf}" @@ -401,7 +401,7 @@ update_jailconf_vnet() { # If jail had a static MAC, generate one for clone if grep ether ${_jail_conf} | grep -qoc ${_new_ngif}; then - local external_interface="$(grep ${_new_ngif} ${_jail_conf} | grep -o 'jng bridge.*' | awk '{print $4}' | sed 's/["|;]//g')" + local external_interface="$(grep ${_new_if_suffix} ${_jail_conf} | grep -o 'jng bridge.*' | awk '{print $4}' | sed 's/["|;]//g')" generate_static_mac "${NEWNAME}" "${external_interface}" sed -i '' "s|${_new_ngif} ether.*:.*:.*:.*:.*:.*a\";|${_new_ngif} ether ${macaddr}a\";|" "${_jail_conf}" fi From 2fe777f0f86928a2b5aea43c583d2ed8c891114a Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 11 Jun 2025 23:13:06 -0600 Subject: [PATCH 12/32] Update rename.sh --- usr/local/share/bastille/rename.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/rename.sh b/usr/local/share/bastille/rename.sh index 2fe7e1ef..6f535ca7 100644 --- a/usr/local/share/bastille/rename.sh +++ b/usr/local/share/bastille/rename.sh 
@@ -159,7 +159,7 @@ update_jailconf_vnet() { local _new_if_prefix="$(echo ${_new_host_epair} | awk -F'_' '{print $1}')" local _new_if_suffix="$(echo ${_new_host_epair} | awk -F'_' '{print $2}')" - if grep "${_old_if_suffix}" "${_jail_conf}" | grep "jib addm"; then + if grep "${_old_if_suffix}" "${_jail_conf}" | grep -oq "jib addm"; then # For -V jails # Replace host epair name in jail.conf sed -i '' "s|jib addm ${_old_if_suffix}|jib addm ${_new_if_suffix}|g" "${_jail_conf}" From 104a154a91d47a5d35a2ac63efa9d4dc79e14d3b Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 11 Jun 2025 23:13:55 -0600 Subject: [PATCH 13/32] Update clone.sh --- usr/local/share/bastille/clone.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index e414d955..1daa93d7 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -266,7 +266,7 @@ update_jailconf_vnet() { local _new_if_prefix="$(echo ${_new_host_epair} | awk -F'_' '{print $1}')" local _new_if_suffix="$(echo ${_new_host_epair} | awk -F'_' '{print $2}')" - if grep "${_old_if_suffix}" "${_jail_conf}" | grep "jib addm"; then + if grep "${_old_if_suffix}" "${_jail_conf}" | grep -oq "jib addm"; then # For -V jails # Replace host epair name in jail.conf sed -i '' "s|jib addm ${_old_if_suffix}|jib addm ${_new_if_suffix}|g" "${_jail_conf}" From de217db9ea40ab9e13bb5f7516a22f16892f8549 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 12 Jun 2025 09:03:41 -0600 Subject: [PATCH 14/32] network: Support adding with dynamic epairs --- usr/local/share/bastille/network.sh | 177 ++++++++++++++-------------- 1 file changed, 88 insertions(+), 89 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 2e62da65..1b9ba5cc 100644 
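Review bot: `grep "${_old_if_suffix}" "${_jail_conf}"` treats the jail-name suffix as an unanchored basic regex, and `-o` has no effect once `-q` is given; `grep -F -- "${_old_if_suffix}" "${_jail_conf}" | grep -q "jib addm"` matches the name literally and still yields only the exit status. The same one-line change applies to the identical PATCH 13 hunk in clone.sh. update_jailconf_vnet starts and ends outside the hunk.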
--- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh 
@@ -236,36 +236,29 @@ add_interface() { local _ip="${3}" local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" - # Get number of interfaces manged by Bastille - get_bastille_if_count - local _vnet_if_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l | awk '{print $1}')" - local _if_vnet="vnet$((_vnet_if_count + 1))" - local _bastille_if_num_range=$((_bastille_if_count + 1)) + local _jail_vnet_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l)" + local _jail_vnet="vnet$((_jail_vnet_count + 1))" + + # Determine number of interfaces + if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then + local _if_list="$(grep -Eo 'e[0-9]+a_[^;" ]+' ${_jail_conf} | sort -u)" + local _epair_count="$(echo "${_if_list}" | grep -Eo "[0-9]+" | wc -l)" + local _epair_num=$((_epair_count + 1)) + elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then + local _if_list="$(grep -Eo 'ng[0-9]+_[^;" ]+' ${_jail_conf} | sort -u)" + local _ngif_count="$(echo "${_if_list}" | grep -Eo "[0-9]+" | wc -l)" + local _ngif_num=$((_old_if_prefix + 1)) + fi if [ "${BRIDGE}" -eq 1 ]; then - if [ "${_bastille_if_count}" -gt 0 ]; then - for _num in $(seq 0 "${_bastille_if_num_range}"); do - if ! 
echo "${_bastille_if_list}" | grep -oqswx "${_num}"; then - if [ "$(echo -n "e${_num}a_${jail_name}" | awk '{print length}')" -lt 16 ]; then - local host_epair=e${_num}a_${_jailname} - local jail_epair=e${_num}b_${_jailname} - else - local host_epair=epair${_num}a - local jail_epair=epair${_num}b - fi - break - fi - done + if [ "$(echo -n "e${_num}a_${_jailname}" | awk '{print length}')" -lt 16 ]; then + local host_epair=e${_epair_num}a_${_jailname} + local jail_epair=e${_epair_num}b_${_jailname} else - if [ "$(echo -n "e0a_${_jailname}" | awk '{print length}')" -lt 16 ]; then - local _num=0 - local host_epair=e${_num}a_${_jailname} - local jail_epair=e${_num}b_${_jailname} - else - local _num=0 - local host_epair=epair${_num}a - local jail_epair=epair${_num}b - fi + name_prefix="$(echo ${_jailname} | cut -c1-7)" + name_suffix="$(echo ${_jailname} | rev | cut -c1-2 | rev)" + local host_epair="e${_epair_num}a_${name_prefix}xx${name_suffix}" + local jail_epair="e${_epair_num}b_${name_prefix}xx${name_suffix}" fi # Remove ending brace (it is added again with the netblock) sed -i '' '/}/d' "${_jail_config}" 
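Review bot: `name_prefix` and `name_suffix` in the long-name branch are assigned without `local`, unlike every other variable add_interface declares, so they leak into the caller's scope; `local name_prefix` / `local name_suffix` fixes it (PATCH 15's rewrites of these branches keep the same omission). The 7+2 truncation also gives two jails whose names share the first seven and the last two characters the identical `e${_epair_num}a_…` name, and because the free-number check now reads only this jail's own jail.conf rather than the host's interface list, that collision surfaces only when `ifconfig … up name` fails at prestart; a comment stating the assumption, or a check against `ifconfig -l` at add time, would catch it earlier. The length test still reads `${_num}`, which this hunk deletes, and `_ngif_num` is computed from the undefined `_old_if_prefix`; PATCH 15 corrects both. add_interface starts before this hunk.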
@@ -275,13 +268,11 @@ add_interface() { cat << EOF >> "${_jail_config}" ## ${host_epair} interface vnet.interface += ${jail_epair}; - exec.prestart += "ifconfig epair${_num} create"; - exec.prestart += "ifconfig ${_if} addm epair${_num}a"; - exec.prestart += "ifconfig epair${_num}a up name ${host_epair}"; - exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}"; + exec.prestart += "epair${_epair_num}=\\\$(ifconfig epair create) && ifconfig \\\${epair${_epair_num}} up name ${host_epair} && ifconfig \\\${epair${_epair_num}%a}b up name ${jail_epair}"; + exec.prestart += "ifconfig ${_if} addm ${host_epair}"; exec.prestart += "ifconfig ${host_epair} ether ${macaddr}a"; exec.prestart += "ifconfig ${jail_epair} ether ${macaddr}b"; - exec.prestart += "ifconfig ${host_epair} description \"${_if_vnet} host interface for Bastille jail ${_jailname}\""; + exec.prestart += "ifconfig ${host_epair} description \"${_jail_vnet} host interface for Bastille jail ${_jailname}\""; exec.poststop += "ifconfig ${_if} deletem ${host_epair}"; exec.poststop += "ifconfig ${host_epair} destroy"; } 
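Review bot: The new `exec.prestart` line contains `\${epair${_epair_num}}` and `\${epair${_epair_num}%a}b`, so literal `}` characters now land in jail.conf, and the `sed -i '' '/}/d' "${_jail_config}"` that precedes each heredoc (context at the end of the previous hunk, re-added as new code in PATCH 15) deletes every line containing `}`, not only the closing brace. The next `bastille network add` on such a jail therefore strips the epair-creation line of every interface added before it, and jails created through common.sh's generate_vnet_jail_netblock (PATCH 19 shows the same `\${epair0%a}` form) lose their vnet0 line the same way. Deleting only a brace on a line of its own, `sed -i '' '/^[[:space:]]*}[[:space:]]*$/d' "${_jail_config}"`, avoids this; the same applies to the hunk below and to PATCH 15's `sed` lines. add_interface continues outside the hunk.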
@@ -291,11 +282,9 @@ EOF cat << EOF >> "${_jail_config}" ## ${host_epair} interface vnet.interface += ${jail_epair}; - exec.prestart += "ifconfig epair${_num} create"; - exec.prestart += "ifconfig ${_if} addm epair${_num}a"; - exec.prestart += "ifconfig epair${_num}a up name ${host_epair}"; - exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}"; - exec.prestart += "ifconfig ${host_epair} description \"${_if_vnet} host interface for Bastille jail ${_jailname}\""; + exec.prestart += "epair${_epair_num}=\\\$(ifconfig epair create) && ifconfig \\\${epair${_epair_num}} up name ${host_epair} && ifconfig \\\${epair${_epair_num}%a}b up name ${jail_epair}"; + exec.prestart += "ifconfig ${_if} addm ${host_epair}"; + exec.prestart += "ifconfig ${host_epair} description \"${_jail_vnet} host interface for Bastille jail ${_jailname}\""; exec.poststop += "ifconfig ${_if} deletem ${host_epair}"; exec.poststop += "ifconfig ${host_epair} destroy"; } @@ -303,19 +292,19 @@ EOF fi # Add config to /etc/rc.conf - sysrc -f "${_jail_rc_config}" ifconfig_${jail_epair}_name="${_if_vnet}" + sysrc -f "${_jail_rc_config}" ifconfig_${jail_epair}_name="${_jail_vnet}" if [ -n "${IP6_ADDR}" ]; then if [ "${IP6_ADDR}" = "SLAAC" ]; then - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}_ipv6="inet6 -ifdisabled accept_rtadv" + sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled accept_rtadv" else - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}_ipv6="inet6 -ifdisabled ${IP6_ADDR}" + sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled ${IP6_ADDR}" fi elif [ -n "${IP4_ADDR}" ]; then # If 0.0.0.0 set DHCP, else set static IP address if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ] || [ "${_ip}" = "SYNCDHCP" ]; then sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" else - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="inet ${IP4_ADDR}" + sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="inet ${IP4_ADDR}" fi fi 
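Review bot: The IPv4 DHCP branch in the second hunk keeps the context line `sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP"` although this patch's first hunk removed `_if_vnet` in favour of `_jail_vnet`, so a bridge interface added with DHCP writes an `ifconfig_=SYNCDHCP` entry to rc.conf and the jail's new vnet gets no address. It should read `sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="SYNCDHCP"`, which PATCH 15 does. add_interface continues outside the hunk.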
@@ -323,94 +312,104 @@ EOF elif [ "${VNET}" -eq 1 ]; then if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then - for _num in $(seq 0 "${_bastille_if_num_range}"); do - if ! echo "${_bastille_if_list}" | grep -oqswx "${_num}"; then - local _jail_if="bastille${_num}" - break - fi - done + if [ "$(echo -n "e${_num}a_${_jailname}" | awk '{print length}')" -lt 16 ]; then + local host_epair=e${_epair_num}a_${_jailname} + local jail_epair=e${_epair_num}b_${_jailname} + local jib_epair=${jail_name} + else + name_prefix="$(echo ${_jailname} | cut -c1-7)" + name_suffix="$(echo ${_jailname} | rev | cut -c1-2 | rev)" + local host_epair="e${_epair_num}a_${name_prefix}xx${name_suffix}" + local jail_epair="e${_epair_num}b_${name_prefix}xx${name_suffix}" + local jib_epair="${name_prefix}xx${name_suffix}" + fi # Remove ending brace (it is added again with the netblock) sed -i '' '/}/d' "${_jail_config}" if [ "${STATIC_MAC}" -eq 1 ]; then # Generate NETBLOCK with static MAC generate_static_mac "${_jailname}" "${_if}" cat << EOF >> "${_jail_config}" - ## ${_jail_if} interface - vnet.interface += e0b_${_jail_if}; - exec.prestart += "jib addm ${_jail_if} ${_if}"; - exec.prestart += "ifconfig e0a_${_jail_if} ether ${macaddr}a"; - exec.prestart += "ifconfig e0b_${_jail_if} ether ${macaddr}b"; - exec.prestart += "ifconfig e0a_${_jail_if} description \"${_if_vnet} host interface for Bastille jail ${_jailname}\""; - exec.poststop += "jib destroy ${_jail_if}"; + ## ${host_epair} interface + vnet.interface += ${jail_epair}; + exec.prestart += "jib addm ${jib_epair} ${_if}"; + exec.prestart += "ifconfig ${host_epair} ether ${macaddr}a"; + exec.prestart += "ifconfig ${jail_epair} ether ${macaddr}b"; + exec.prestart += "ifconfig ${host_epair} description \"${_jail_vnet} host interface for Bastille jail ${_jailname}\""; + exec.poststop += "jib destroy ${jib_epair}"; } EOF else # Generate NETBLOCK without static MAC cat << EOF >> "${_jail_config}" - ## ${_jail_if} interface - vnet.interface 
+= e0b_${_jail_if}; - exec.prestart += "jib addm ${_jail_if} ${_if}"; - exec.prestart += "ifconfig e0a_${_jail_if} description \"${_if_vnet} host interface for Bastille jail ${_jailname}\""; - exec.poststop += "jib destroy ${_jail_if}"; + ## ${host_epair} interface + vnet.interface += ${jail_epair}; + exec.prestart += "jib addm ${jib_epair} ${_if}"; + exec.prestart += "ifconfig ${host_epair} description \"${_jail_vnet} host interface for Bastille jail ${_jailname}\""; + exec.poststop += "jib destroy ${jib_epair}"; } EOF fi # Add config to /etc/rc.conf - sysrc -f "${_jail_rc_config}" ifconfig_e0b_${_jail_if}_name="${_if_vnet}" - if [ -n "${IP6_ADDR}" ]; then + sysrc -f "${_jail_rc_config}" ifconfig_${jail_epair}_name="${_jail_vnet}" + if [ -n "${IP6_ADDR}" ]; then if [ "${IP6_ADDR}" = "SLAAC" ]; then - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}_ipv6="inet6 -ifdisabled accept_rtadv" + sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled accept_rtadv" else - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}_ipv6="inet6 -ifdisabled ${IP6_ADDR}" + sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled ${IP6_ADDR}" fi elif [ -n "${IP4_ADDR}" ]; then # If 0.0.0.0 set DHCP, else set static IP address if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ] || [ "${_ip}" = "SYNCDHCP" ]; then - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" + sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="SYNCDHCP" else - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="inet ${IP4_ADDR}" + sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="inet ${IP4_ADDR}" fi fi echo "Added VNET interface: \"${_if}\"" elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then - for _num in $(seq 0 "${_bastille_if_num_range}"); do - if ! 
echo "${_bastille_if_list}" | grep -oqswx "${_num}"; then - local _jail_if="bastille${_num}" - break - fi - done + + if [ "$(echo -n "ng${_ngif_num}_${_jailname}" | awk '{print length}')" -lt 16 ]; then + # Generate new netgraph interface name + local _ngif="ng${_ngif_num}_${_jailname}" + local jng_if="${_jailname}" + else + name_prefix="$(echo ${_jailname} | cut -c1-7)" + name_suffix="$(echo ${_jailname} | rev | cut -c1-2 | rev)" + local _ngif="ng${_ngif_num}_${name_prefix}xx${name_suffix}" + local jng_if="${name_prefix}xx${name_suffix}" + fi # Remove ending brace (it is added again with the netblock) sed -i '' '/}/d' "${_jail_config}" if [ "${STATIC_MAC}" -eq 1 ]; then # Generate NETBLOCK with static MAC generate_static_mac "${_jailname}" "${_if}" cat << EOF >> "${_jail_config}" - ## ${_jail_if} interface - vnet.interface += ng0_${_jail_if}; - exec.prestart += "jng bridge ${_jail_if} ${_if}"; - exec.prestart += "ifconfig ng0_${_jail_if} ether ${macaddr}a"; - exec.poststop += "jng shutdown ${_jail_if}"; + ## ${_ngif} interface + vnet.interface += ${_ngif}; + exec.prestart += "jng bridge ${jng_if} ${_if}"; + exec.prestart += "ifconfig ${_ngif} ether ${macaddr}b"; + exec.poststop += "jng shutdown ${jng_if}"; } EOF else # Generate NETBLOCK without static MAC cat << EOF >> "${_jail_config}" - ## ${_jail_if} interface - vnet.interface += e0b_${_jail_if}; - exec.prestart += "jng bridge ${_jail_if} ${_if}"; - exec.poststop += "jng shutdown ${_jail_if}"; + ## ${_ngif} interface + vnet.interface += ${_ngif}; + exec.prestart += "jng bridge ${jng_if} ${_if}"; + exec.poststop += "jng shutdown ${jng_if}"; } EOF fi # Add config to /etc/rc.conf - sysrc -f "${_jail_rc_config}" ifconfig_jng_${_jail_if}_name="${_if_vnet}" + sysrc -f "${_jail_rc_config}" ifconfig_${_ngif}_name="${_jail_vnet}" if [ -n "${_ip}" ]; then # If 0.0.0.0 set DHCP, else set static IP address if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ]; then - sysrc -f "${_jail_rc_config}" 
ifconfig_${_if_vnet}="SYNCDHCP" + sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="SYNCDHCP" else - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="inet ${_ip}" + sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="inet ${_ip}" fi fi echo "Added VNET interface: \"${_if}\"" @@ -427,18 +426,18 @@ EOF } EOF # Add config to /etc/rc.conf - if [ -n "${IP6_ADDR}" ]; then + if [ -n "${IP6_ADDR}" ]; then if [ "${IP6_ADDR}" = "SLAAC" ]; then - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}_ipv6="inet6 -ifdisabled accept_rtadv" + sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled accept_rtadv" else - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}_ipv6="inet6 -ifdisabled ${IP6_ADDR}" + sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled ${IP6_ADDR}" fi elif [ -n "${IP4_ADDR}" ]; then # If 0.0.0.0 set DHCP, else set static IP address if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ] || [ "${_ip}" = "SYNCDHCP" ]; then - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" + sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="SYNCDHCP" else - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="inet ${IP4_ADDR}" + sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="inet ${IP4_ADDR}" fi fi echo "Added Passthrough interface: \"${_if}\"" @@ -668,4 +667,4 @@ case "${ACTION}" in *) error_exit "[ERROR]: Only [add|remove] are supported." ;; -esac \ No newline at end of file +esac From 4c8dfa8f3947ebc59eed3393209b564b0b6e0aeb Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 12 Jun 2025 10:12:24 -0600 Subject: [PATCH 15/32] Update network.sh --- usr/local/share/bastille/network.sh | 227 +++++++++++++++------------- 1 file changed, 121 insertions(+), 106 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 1b9ba5cc..0189e8d7 100644 --- a/usr/local/share/bastille/network.sh 
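Review bot: `local jib_epair=${jail_name}` in the if_bridge VNET branch reads `jail_name`, whereas the function's parameter is `_jailname`; unless a global `jail_name` happens to be set by the caller, `jib addm ${jib_epair} ${_if}` is written with an empty name, and PATCH 15's rewrite of this branch carries the same line. The length test in the same branch also uses the removed `${_num}`, and the netgraph branch's `_ngif_num` derives from the undefined `_old_if_prefix`; PATCH 15 fixes those two. If jib numbers epairs by their position within a single `addm` call, as I believe it does, a second `jib addm ${jib_epair} …` for the same jail will try to create `e0a_…` again rather than `e${_epair_num}a_…`, so the `-V` path deserves a test with two interfaces. add_interface continues outside the hunk.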
+++ b/usr/local/share/bastille/network.sh 
@@ -241,31 +241,33 @@ add_interface() { # Determine number of interfaces if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then - local _if_list="$(grep -Eo 'e[0-9]+a_[^;" ]+' ${_jail_conf} | sort -u)" + local _if_list="$(grep -Eo 'e[0-9]+a_[^;" ]+' ${_jail_config} | sort -u)" local _epair_count="$(echo "${_if_list}" | grep -Eo "[0-9]+" | wc -l)" - local _epair_num=$((_epair_count + 1)) + local _epair_num_range=$((_epair_count + 1)) elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then - local _if_list="$(grep -Eo 'ng[0-9]+_[^;" ]+' ${_jail_conf} | sort -u)" + local _if_list="$(grep -Eo 'ng[0-9]+_[^;" ]+' ${_jail_config} | sort -u)" local _ngif_count="$(echo "${_if_list}" | grep -Eo "[0-9]+" | wc -l)" - local _ngif_num=$((_old_if_prefix + 1)) + local _ngif_num_range=$((_ngif_count + 1)) fi if [ "${BRIDGE}" -eq 1 ]; then - if [ "$(echo -n "e${_num}a_${_jailname}" | awk '{print length}')" -lt 16 ]; then - local host_epair=e${_epair_num}a_${_jailname} - local jail_epair=e${_epair_num}b_${_jailname} - else - name_prefix="$(echo ${_jailname} | cut -c1-7)" - name_suffix="$(echo ${_jailname} | rev | cut -c1-2 | rev)" - local host_epair="e${_epair_num}a_${name_prefix}xx${name_suffix}" - local jail_epair="e${_epair_num}b_${name_prefix}xx${name_suffix}" - fi - # Remove ending brace (it is added again with the netblock) - sed -i '' '/}/d' "${_jail_config}" - if [ "${STATIC_MAC}" -eq 1 ]; then - # Generate NETBLOCK with static MAC - generate_static_mac "${_jailname}" "${_if}" - cat << EOF >> "${_jail_config}" + for _epair_num in $(seq 0 ${_epair_num_range}); do + if ! 
grep -Eoqs "e${_epair_num}a_" "${_jail_config}"; then + if [ "$(echo -n "e${_epair_num}a_${_jailname}" | awk '{print length}')" -lt 16 ]; then + local host_epair=e${_epair_num}a_${_jailname} + local jail_epair=e${_epair_num}b_${_jailname} + else + name_prefix="$(echo ${_jailname} | cut -c1-7)" + name_suffix="$(echo ${_jailname} | rev | cut -c1-2 | rev)" + local host_epair="e${_epair_num}a_${name_prefix}xx${name_suffix}" + local jail_epair="e${_epair_num}b_${name_prefix}xx${name_suffix}" + fi + # Remove ending brace (it is added again with the netblock) + sed -i '' '/}/d' "${_jail_config}" + if [ "${STATIC_MAC}" -eq 1 ]; then + # Generate NETBLOCK with static MAC + generate_static_mac "${_jailname}" "${_if}" + cat << EOF >> "${_jail_config}" ## ${host_epair} interface vnet.interface += ${jail_epair}; exec.prestart += "epair${_epair_num}=\\\$(ifconfig epair create) && ifconfig \\\${epair${_epair_num}} up name ${host_epair} && ifconfig \\\${epair${_epair_num}%a}b up name ${jail_epair}"; @@ -277,9 +279,9 @@ add_interface() { exec.poststop += "ifconfig ${host_epair} destroy"; } EOF - else - # Generate NETBLOCK without static MAC - cat << EOF >> "${_jail_config}" + else + # Generate NETBLOCK without static MAC + cat << EOF >> "${_jail_config}" ## ${host_epair} interface vnet.interface += ${jail_epair}; exec.prestart += "epair${_epair_num}=\\\$(ifconfig epair create) && ifconfig \\\${epair${_epair_num}} up name ${host_epair} && ifconfig \\\${epair${_epair_num}%a}b up name ${jail_epair}"; 
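Review bot: `_epair_count` (and `_ngif_count` beside it) counts digit runs in the interface names, not interfaces: with `_if_list` holding `e0a_web2` it yields 2, because the jail name contributes its own digits. The inflation only widens the `seq` bound, so the loop still finds a free number, but the name is misleading; `local _epair_count="$(printf '%s\n' "${_if_list}" | grep -c .)"` counts entries and returns 0 for an empty list. add_interface continues outside the hunk.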
@@ -289,46 +291,51 @@ EOF exec.poststop += "ifconfig ${host_epair} destroy"; } EOF - fi + fi - # Add config to /etc/rc.conf - sysrc -f "${_jail_rc_config}" ifconfig_${jail_epair}_name="${_jail_vnet}" - if [ -n "${IP6_ADDR}" ]; then - if [ "${IP6_ADDR}" = "SLAAC" ]; then - sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled accept_rtadv" - else - sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled ${IP6_ADDR}" + # Add config to /etc/rc.conf + sysrc -f "${_jail_rc_config}" ifconfig_${jail_epair}_name="${_jail_vnet}" + if [ -n "${IP6_ADDR}" ]; then + if [ "${IP6_ADDR}" = "SLAAC" ]; then + sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled accept_rtadv" + else + sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled ${IP6_ADDR}" + fi + elif [ -n "${IP4_ADDR}" ]; then + # If 0.0.0.0 set DHCP, else set static IP address + if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ] || [ "${_ip}" = "SYNCDHCP" ]; then + sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="SYNCDHCP" + else + sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="inet ${IP4_ADDR}" + fi + fi + break fi - elif [ -n "${IP4_ADDR}" ]; then - # If 0.0.0.0 set DHCP, else set static IP address - if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ] || [ "${_ip}" = "SYNCDHCP" ]; then - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" - else - sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="inet ${IP4_ADDR}" - fi - fi + done echo "Added interface: \"${_if}\"" elif [ "${VNET}" -eq 1 ]; then if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then - if [ "$(echo -n "e${_num}a_${_jailname}" | awk '{print length}')" -lt 16 ]; then - local host_epair=e${_epair_num}a_${_jailname} - local jail_epair=e${_epair_num}b_${_jailname} - local jib_epair=${jail_name} - else - name_prefix="$(echo ${_jailname} | cut -c1-7)" - name_suffix="$(echo ${_jailname} | rev | cut -c1-2 | rev)" - local 
host_epair="e${_epair_num}a_${name_prefix}xx${name_suffix}" - local jail_epair="e${_epair_num}b_${name_prefix}xx${name_suffix}" - local jib_epair="${name_prefix}xx${name_suffix}" - fi - # Remove ending brace (it is added again with the netblock) - sed -i '' '/}/d' "${_jail_config}" - if [ "${STATIC_MAC}" -eq 1 ]; then - # Generate NETBLOCK with static MAC - generate_static_mac "${_jailname}" "${_if}" - cat << EOF >> "${_jail_config}" + for _epair_num in $(seq 0 ${_epair_num_range}); do + if ! grep -Eoqs "e${_epair_num}a_" "${_jail_config}"; then + if [ "$(echo -n "e${_epair_num}a_${_jailname}" | awk '{print length}')" -lt 16 ]; then + local host_epair=e${_epair_num}a_${_jailname} + local jail_epair=e${_epair_num}b_${_jailname} + local jib_epair=${jail_name} + else + name_prefix="$(echo ${_jailname} | cut -c1-7)" + name_suffix="$(echo ${_jailname} | rev | cut -c1-2 | rev)" + local host_epair="e${_epair_num}a_${name_prefix}xx${name_suffix}" + local jail_epair="e${_epair_num}b_${name_prefix}xx${name_suffix}" + local jib_epair="${name_prefix}xx${name_suffix}" + fi + # Remove ending brace (it is added again with the netblock) + sed -i '' '/}/d' "${_jail_config}" + if [ "${STATIC_MAC}" -eq 1 ]; then + # Generate NETBLOCK with static MAC + generate_static_mac "${_jailname}" "${_if}" + cat << EOF >> "${_jail_config}" ## ${host_epair} interface vnet.interface += ${jail_epair}; exec.prestart += "jib addm ${jib_epair} ${_if}"; @@ -338,9 +345,9 @@ EOF exec.poststop += "jib destroy ${jib_epair}"; } EOF - else - # Generate NETBLOCK without static MAC - cat << EOF >> "${_jail_config}" + else + # Generate NETBLOCK without static MAC + cat << EOF >> "${_jail_config}" ## ${host_epair} interface vnet.interface += ${jail_epair}; exec.prestart += "jib addm ${jib_epair} ${_if}"; 
@@ -348,43 +355,48 @@ EOF exec.poststop += "jib destroy ${jib_epair}"; } EOF - fi - # Add config to /etc/rc.conf - sysrc -f "${_jail_rc_config}" ifconfig_${jail_epair}_name="${_jail_vnet}" - if [ -n "${IP6_ADDR}" ]; then - if [ "${IP6_ADDR}" = "SLAAC" ]; then - sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled accept_rtadv" - else - sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled ${IP6_ADDR}" + fi + # Add config to /etc/rc.conf + sysrc -f "${_jail_rc_config}" ifconfig_${jail_epair}_name="${_jail_vnet}" + if [ -n "${IP6_ADDR}" ]; then + if [ "${IP6_ADDR}" = "SLAAC" ]; then + sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled accept_rtadv" + else + sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled ${IP6_ADDR}" + fi + elif [ -n "${IP4_ADDR}" ]; then + # If 0.0.0.0 set DHCP, else set static IP address + if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ] || [ "${_ip}" = "SYNCDHCP" ]; then + sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="SYNCDHCP" + else + sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="inet ${IP4_ADDR}" + fi + fi + break fi - elif [ -n "${IP4_ADDR}" ]; then - # If 0.0.0.0 set DHCP, else set static IP address - if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ] || [ "${_ip}" = "SYNCDHCP" ]; then - sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="SYNCDHCP" - else - sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="inet ${IP4_ADDR}" - fi - fi + done + echo "Added VNET interface: \"${_if}\"" elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then - - if [ "$(echo -n "ng${_ngif_num}_${_jailname}" | awk '{print length}')" -lt 16 ]; then - # Generate new netgraph interface name - local _ngif="ng${_ngif_num}_${_jailname}" - local jng_if="${_jailname}" - else - name_prefix="$(echo ${_jailname} | cut -c1-7)" - name_suffix="$(echo ${_jailname} | rev | cut -c1-2 | rev)" - local 
_ngif="ng${_ngif_num}_${name_prefix}xx${name_suffix}" - local jng_if="${name_prefix}xx${name_suffix}" - fi - # Remove ending brace (it is added again with the netblock) - sed -i '' '/}/d' "${_jail_config}" - if [ "${STATIC_MAC}" -eq 1 ]; then - # Generate NETBLOCK with static MAC - generate_static_mac "${_jailname}" "${_if}" - cat << EOF >> "${_jail_config}" + for _ngif_num in $(seq 0 ${_ngif_num_range}); do + if ! grep -Eoqs "e${_ngif_num}a_" "${_jail_config}"; then + if [ "$(echo -n "ng${_ngif_num}_${_jailname}" | awk '{print length}')" -lt 16 ]; then + # Generate new netgraph interface name + local _ngif="ng${_ngif_num}_${_jailname}" + local jng_if="${_jailname}" + else + name_prefix="$(echo ${_jailname} | cut -c1-7)" + name_suffix="$(echo ${_jailname} | rev | cut -c1-2 | rev)" + local _ngif="ng${_ngif_num}_${name_prefix}xx${name_suffix}" + local jng_if="${name_prefix}xx${name_suffix}" + fi + # Remove ending brace (it is added again with the netblock) + sed -i '' '/}/d' "${_jail_config}" + if [ "${STATIC_MAC}" -eq 1 ]; then + # Generate NETBLOCK with static MAC + generate_static_mac "${_jailname}" "${_if}" + cat << EOF >> "${_jail_config}" ## ${_ngif} interface vnet.interface += ${_ngif}; exec.prestart += "jng bridge ${jng_if} ${_if}"; 
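Review bot: The netgraph loop tests `if ! grep -Eoqs "e${_ngif_num}a_" "${_jail_config}"`, an epair pattern, while the interfaces it numbers are named `ng${_ngif_num}_…`, so an existing `ng0_<jail>` is never detected and every further `bastille network add` on a netgraph jail generates `ng0_…` again, clashing with the first one at prestart. The check should be `if ! grep -Eoqs "ng${_ngif_num}_" "${_jail_config}"; then`. The enclosing function continues outside the hunk.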
@@ -392,27 +404,30 @@ EOF exec.poststop += "jng shutdown ${jng_if}"; } EOF - else - # Generate NETBLOCK without static MAC - cat << EOF >> "${_jail_config}" + else + # Generate NETBLOCK without static MAC + cat << EOF >> "${_jail_config}" ## ${_ngif} interface vnet.interface += ${_ngif}; exec.prestart += "jng bridge ${jng_if} ${_if}"; exec.poststop += "jng shutdown ${jng_if}"; } EOF - fi - # Add config to /etc/rc.conf - sysrc -f "${_jail_rc_config}" ifconfig_${_ngif}_name="${_jail_vnet}" - if [ -n "${_ip}" ]; then - # If 0.0.0.0 set DHCP, else set static IP address - if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ]; then - sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="SYNCDHCP" - else - sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="inet ${_ip}" - fi - fi - echo "Added VNET interface: \"${_if}\"" + fi + # Add config to /etc/rc.conf + sysrc -f "${_jail_rc_config}" ifconfig_${_ngif}_name="${_jail_vnet}" + if [ -n "${_ip}" ]; then + # If 0.0.0.0 set DHCP, else set static IP address + if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ]; then + sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="SYNCDHCP" + else + sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}="inet ${_ip}" + fi + fi + break + fi + done + echo "Added VNET interface: \"${_if}\"" fi elif [ "${PASSTHROUGH}" -eq 1 ]; then From 01d65e5f0f130bb9619110412ce0799a744b2096 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 12 Jun 2025 12:49:02 -0600 Subject: [PATCH 16/32] network: Optimize --- usr/local/share/bastille/network.sh | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 0189e8d7..a5892bc4 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh 
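Review bot: The netgraph branch's rc.conf handling is re-indented here as new code but still diverges from the if_bridge branches above it: it accepts only `0.0.0.0` and `DHCP` (not `SYNCDHCP`), ignores `IP6_ADDR` entirely, and writes `${_ip}` where the other branches write `${IP4_ADDR}`. Whether `_ip` and `IP4_ADDR` ever differ cannot be told from this hunk; if they carry the same value, the `IP6_ADDR`/`IP4_ADDR` block from the if_bridge branch can be reused verbatim, otherwise a comment explaining why netgraph jails get no IPv6 configuration would help the next reader. add_interface continues outside the hunk.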
@@ -275,7 +275,6 @@ add_interface() { exec.prestart += "ifconfig ${host_epair} ether ${macaddr}a"; exec.prestart += "ifconfig ${jail_epair} ether ${macaddr}b"; exec.prestart += "ifconfig ${host_epair} description \"${_jail_vnet} host interface for Bastille jail ${_jailname}\""; - exec.poststop += "ifconfig ${_if} deletem ${host_epair}"; exec.poststop += "ifconfig ${host_epair} destroy"; } EOF @@ -287,7 +286,6 @@ EOF exec.prestart += "epair${_epair_num}=\\\$(ifconfig epair create) && ifconfig \\\${epair${_epair_num}} up name ${host_epair} && ifconfig \\\${epair${_epair_num}%a}b up name ${jail_epair}"; exec.prestart += "ifconfig ${_if} addm ${host_epair}"; exec.prestart += "ifconfig ${host_epair} description \"${_jail_vnet} host interface for Bastille jail ${_jailname}\""; - exec.poststop += "ifconfig ${_if} deletem ${host_epair}"; exec.poststop += "ifconfig ${host_epair} destroy"; } EOF @@ -342,7 +340,7 @@ EOF exec.prestart += "ifconfig ${host_epair} ether ${macaddr}a"; exec.prestart += "ifconfig ${jail_epair} ether ${macaddr}b"; exec.prestart += "ifconfig ${host_epair} description \"${_jail_vnet} host interface for Bastille jail ${_jailname}\""; - exec.poststop += "jib destroy ${jib_epair}"; + exec.poststop += "ifconfig ${host_epair} destroy"; } EOF else @@ -352,7 +350,7 @@ EOF vnet.interface += ${jail_epair}; exec.prestart += "jib addm ${jib_epair} ${_if}"; exec.prestart += "ifconfig ${host_epair} description \"${_jail_vnet} host interface for Bastille jail ${_jailname}\""; - exec.poststop += "jib destroy ${jib_epair}"; + exec.poststop += "ifconfig ${host_epair} destroy"; } EOF fi From 7242a22439c08e0a01ec2e23ee64e512d087c662 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 12 Jun 2025 12:49:18 -0600 Subject: [PATCH 17/32] Update rename.sh --- usr/local/share/bastille/rename.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/usr/local/share/bastille/rename.sh b/usr/local/share/bastille/rename.sh index 6f535ca7..c5fe4beb 100644 --- a/usr/local/share/bastille/rename.sh +++ b/usr/local/share/bastille/rename.sh @@ -164,7 +164,7 @@ update_jailconf_vnet() { # Replace host epair name in jail.conf sed -i '' "s|jib addm ${_old_if_suffix}|jib addm ${_new_if_suffix}|g" "${_jail_conf}" sed -i '' "s|${_old_host_epair} ether|${_new_host_epair} ether|g" "${_jail_conf}" - sed -i '' "s|destroy ${_old_if_suffix}|destroy ${_new_if_suffix}|g" "${_jail_conf}" + sed -i '' "s|${_old_host_epair} destroy|${_new_host_epair} destroy|g" "${_jail_conf}" sed -i '' "s|${_old_host_epair} description|${_new_host_epair} description|g" "${_jail_conf}" # Replace jail epair name in jail.conf @@ -182,7 +182,6 @@ update_jailconf_vnet() { sed -i '' "s|up name ${_old_host_epair}|up name ${_new_host_epair}|g" "${_jail_conf}" sed -i '' "s|addm ${_old_host_epair}|addm ${_new_host_epair}|g" "${_jail_conf}" sed -i '' "s|${_old_host_epair} ether|${_new_host_epair} ether|g" "${_jail_conf}" - sed -i '' "s|deletem ${_old_host_epair}|deletem ${_new_host_epair}|g" "${_jail_conf}" sed -i '' "s|${_old_host_epair} destroy|${_new_host_epair} destroy|g" "${_jail_conf}" sed -i '' "s|${_old_host_epair} description|${_new_host_epair} description|g" "${_jail_conf}" From fac3bed7046b394531ed0107d5ba3d51d669185f Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 12 Jun 2025 12:49:35 -0600 Subject: [PATCH 18/32] Update clone.sh --- usr/local/share/bastille/clone.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index 1daa93d7..de2b21de 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh 
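Review bot: The rename now rewrites `${_old_host_epair} destroy` but no longer `destroy ${_old_if_suffix}`, so a jail.conf written before PATCH 16 — whose poststop is still `jib destroy <oldname>` — is renamed with that line left pointing at the old name; if the old name is later reused for another jail, stopping the renamed jail would tear down that jail's epairs. Keeping the old substitution alongside the new one, or rewriting such lines to `ifconfig ${_new_host_epair} destroy`, covers existing configurations; the same applies to the PATCH 18 clone.sh hunks. update_jailconf_vnet starts and ends outside these hunks.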
@@ -271,7 +271,7 @@ update_jailconf_vnet() { # Replace host epair name in jail.conf sed -i '' "s|jib addm ${_old_if_suffix}|jib addm ${_new_if_suffix}|g" "${_jail_conf}" sed -i '' "s|${_old_host_epair} ether|${_new_host_epair} ether|g" "${_jail_conf}" - sed -i '' "s|destroy ${_old_if_suffix}|destroy ${_new_if_suffix}|g" "${_jail_conf}" + sed -i '' "s|${_old_host_epair} destroy|${_new_host_epair} destroy|g" "${_jail_conf}" sed -i '' "s|${_old_host_epair} description|${_new_host_epair} description|g" "${_jail_conf}" # Replace jail epair name in jail.conf @@ -297,7 +297,6 @@ update_jailconf_vnet() { sed -i '' "s|up name ${_old_host_epair}|up name ${_new_host_epair}|g" "${_jail_conf}" sed -i '' "s|addm ${_old_host_epair}|addm ${_new_host_epair}|g" "${_jail_conf}" sed -i '' "s|${_old_host_epair} ether|${_new_host_epair} ether|g" "${_jail_conf}" - sed -i '' "s|deletem ${_old_host_epair}|deletem ${_new_host_epair}|g" "${_jail_conf}" sed -i '' "s|${_old_host_epair} destroy|${_new_host_epair} destroy|g" "${_jail_conf}" sed -i '' "s|${_old_host_epair} description|${_new_host_epair} description|g" "${_jail_conf}" From f52f017cc380fd1054b54f41b4aa14a4e0d6d9a3 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 12 Jun 2025 12:49:53 -0600 Subject: [PATCH 19/32] Update common.sh --- usr/local/share/bastille/common.sh | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 2ba8207a..4ba8e636 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh 
@@ -415,7 +415,6 @@ generate_vnet_jail_netblock() { exec.prestart += "ifconfig ${host_epair} ether ${macaddr}a"; exec.prestart += "ifconfig ${jail_epair} ether ${macaddr}b"; exec.prestart += "ifconfig ${host_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\""; - exec.poststop += "ifconfig ${external_interface} deletem ${host_epair}"; exec.poststop += "ifconfig ${host_epair} destroy"; EOF else @@ -426,7 +425,6 @@ EOF exec.prestart += "epair0=\\\$(ifconfig epair create) && ifconfig \\\${epair0} up name ${host_epair} && ifconfig \\\${epair0%a}b up name ${jail_epair}"; exec.prestart += "ifconfig ${external_interface} addm ${host_epair}"; exec.prestart += "ifconfig ${host_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\""; - exec.poststop += "ifconfig ${external_interface} deletem ${host_epair}"; exec.poststop += "ifconfig ${host_epair} destroy"; EOF fi @@ -442,7 +440,7 @@ EOF exec.prestart += "ifconfig ${host_epair} ether ${macaddr}a"; exec.prestart += "ifconfig ${jail_epair} ether ${macaddr}b"; exec.prestart += "ifconfig ${host_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\""; - exec.poststop += "jib destroy ${jib_epair}"; + exec.poststop += "ifconfig ${host_epair} destroy"; EOF else ## Generate VNET config without static MAC address @@ -451,7 +449,7 @@ EOF vnet.interface = ${jail_epair}; exec.prestart += "jib addm ${jib_epair} ${external_interface}"; exec.prestart += "ifconfig ${host_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\""; - exec.poststop += "jib destroy ${jib_epair}"; + exec.poststop += "ifconfig ${host_epair} destroy"; EOF fi elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then From 1096404196f2bdc2b31aff08a2dee603b5a8734c Mon Sep 17 00:00:00 2001 
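Review bot: The rewritten `exec.poststop` lines in all four heredocs now rely on `ifconfig ${host_epair} destroy` to also detach the epair from the bridge, yet nothing in the script or the generated config says so, and the dropped `deletem` will read as an omission to the next maintainer. Add a shell comment above each heredoc (the `cat <<-EOF` lines begin outside this hunk), e.g. `# destroying the host epair also detaches it from the bridge, so no explicit deletem is needed`. In the two jib branches the destroy target is `${host_epair}` while the interface is created by `jib addm ${jib_epair}`; that only holds if `host_epair` is derived from `jib_epair` as `e0a_${jib_epair}`, which is computed before this hunk and deserves a comment where it is set.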
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 12 Jun 2025 15:29:22 -0600 Subject: [PATCH 20/32] final rough commit --- usr/local/share/bastille/network.sh | 94 ++++++++++++++++++----------- 1 file changed, 58 insertions(+), 36 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index a5892bc4..a3b603ef 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -293,7 +293,7 @@ EOF # Add config to /etc/rc.conf sysrc -f "${_jail_rc_config}" ifconfig_${jail_epair}_name="${_jail_vnet}" - if [ -n "${IP6_ADDR}" ]; then + if [ -n "${IP6_ADDR}" ]; then if [ "${IP6_ADDR}" = "SLAAC" ]; then sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled accept_rtadv" else @@ -356,7 +356,7 @@ EOF fi # Add config to /etc/rc.conf sysrc -f "${_jail_rc_config}" ifconfig_${jail_epair}_name="${_jail_vnet}" - if [ -n "${IP6_ADDR}" ]; then + if [ -n "${IP6_ADDR}" ]; then if [ "${IP6_ADDR}" = "SLAAC" ]; then sysrc -f "${_jail_rc_config}" ifconfig_${_jail_vnet}_ipv6="inet6 -ifdisabled accept_rtadv" else 
@@ -471,39 +471,54 @@ remove_interface() { local _jailname="${1}" local _if="${2}" local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" + local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" - # Skip next block in case of classic jail + # Skip next block in case of standard jail if [ "$(bastille config ${TARGET} get vnet)" != "not set" ]; then - local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" - if grep -q ${_if} ${_jail_config} | grep -Eoq -m 1 'bastille[0-9]+'; then - local _if_bastille_num="$(grep ${_if} ${_jail_config} | grep -Eo -m 1 "bastille[0-9]+" | grep -Eo "[0-9]+")" - if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then - local _if_jail="e0b_bastille${_if_bastille_num}" - elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then - local _if_jail="ng0_bastille${_if_bastille_num}" - fi - _if_type="bastille" - elif grep -q ${_if} ${_jail_config} | grep -Eoq -m 1 "epair[0-9]+"; then - local _if_epair_num="$(grep ${_if} ${_jail_config} | grep -Eo -m 1 "epair[0-9]+" | grep -Eo "[0-9]+")" - if grep -q epair${_if_epair_num}b ${_jail_config} | grep -Eoq -m 1 "e${_if_epair_num}b_${_jailname}"; then - local _if_jail="$(grep epair${_if_epair_num}b ${_jail_config} | grep -Eo -m 1 "e${_if_epair_num}b_${_jailname}")" - else - local _if_jail="epair${_if_epair_num}b" - fi - _if_type="epair" - elif grep -q "vnet.interface.*${_if};" ${_jail_config}; then + + if grep -q "vnet.interface.*${_if};" ${_jail_config}; then + local _if_jail="${_if}" - _if_type="passthrough" + local _if_type="passthrough" + + elif [ "${bastille_network_vnet_type}" = "if_bridge" ]; then + + local _jib_epair="$(grep "jib addm.*${_if}" ${_jail_config} | awk '{print $3}')" + local _if_type="if_bridge" + + if [ -n "${_jib_epair}" ]; then + local _epaira="$(grep "e[0-9]+a_${_jib_epair}" ${_jail_config})" + local _epairb="$(grep "e[0-9]+b_${_jib_epair}" ${_jail_config})" + local _if_jail="${_epairb}" + else + local _epaira="$(grep 
"e[0-9]+a_[^;" ]+" ${_jail_config})" + local _epairb="$(grep "e[0-9]+b_[^;" ]+" ${_jail_config})" + local _if_jail="${_epairb}" + fi + + elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then + + local _jng_if="$(grep "jng bridge.*${_if}" ${_jail_config} | awk '{print $3}')" + local _if_jail="$(grep "ng[0-9]+_${_jng_if}" ${_jail_config})" + local _if_type="netgraph" + else error_exit "[ERROR]: Could not find interface inside jail: \"${_if_jail}\"" fi - if [ "${_if_type}" = "bastille" ] || [ "${_if_type}" = "epair" ]; then + # Get vnetX value from rc.conf + if [ "${_if_type}" = "if_bridge" ]; then if grep -oq "${_if_jail}" ${_jail_config}; then local _if_vnet="$(grep ${_if_jail} ${_jail_rc_config} | grep -Eo 'vnet[0-9]+')" else error_exit "[ERROR]: Interface not found: ${_if_jail}" fi + elif [ "${_if_type}" = "netgraph" ]; then + if grep -oq "${_if_jail}" ${_jail_config}; then + local _if_vnet="${_if_jail}" + else + error_exit "[ERROR]: Interface not found: ${_if_jail}" + fi elif [ "${_if_type}" = "passthrough" ]; then if grep -oq "${_if_jail}" ${_jail_config}; then local _if_vnet="${_if_jail}" @@ -523,8 +538,14 @@ remove_interface() { fi # Remove interface from /etc/rc.conf - if [ "${_if_type}" = "bastille" ] || [ "${_if_type}" = "epair" ]; then - if [ -n "${_if_vnet}" ] && echo ${_if_vnet} 2>/dev/null | grep -Eoq 'vnet[0-9]+'; then + if [ "${_if_type}" = "if_bridge" ]; then + if [ -n "${_if_vnet}" ] && echo ${_if_vnet} | grep -Eoq 'vnet[0-9]+'; then + sed -i '' "/.*${_if_vnet}.*/d" "${_jail_rc_config}" + else + error_exit "[ERROR]: Failed to remove interface from /etc/rc.conf" + fi + elif [ "${_if_type}" = "netgraph" ]; then + if [ -n "${_if_vnet}" ] && echo ${_if_vnet} | grep -Eoq 'vnet[0-9]+'; then sed -i '' "/.*${_if_vnet}.*/d" "${_jail_rc_config}" else error_exit "[ERROR]: Failed to remove interface from /etc/rc.conf" 
@@ -539,13 +560,13 @@ remove_interface() { # Remove VNET interface from jail.conf (VNET) if [ -n "${_if_jail}" ]; then - if [ "${_if_type}" = "epair" ]; then - sed -i '' "/.*epair${_if_epair_num}.*/d" "${_jail_config}" - sed -i '' "/.*e${_if_epair_num}a_${_jailname}.*/d" "${_jail_config}" - sed -i '' "/.*e${_if_epair_num}b_${_jailname}.*/d" "${_jail_config}" - elif [ "${_if_type}" = "bastille" ]; then - sed -i '' "/.*${_if_jail}.*/d" "${_jail_config}" - sed -i '' "/.*bastille${_if_bastille_num}.*/d" "${_jail_config}" + if [ "${_if_type}" = "if_bridge" ]; then + sed -i '' "/.*${_epaira}.*/d" "${_jail_config}" + sed -i '' "/.*${_epairb}.*/d" "${_jail_config}" + sed -i '' "/.*${_if}.*/d" "${_jail_config}" + elif [ "${_if_type}" = "netgraph" ]; then + sed -i '' "/.*${_if_jail}.*/d" "${_jail_config}" + sed -i '' "/.*${_if}.*/d" "${_jail_config}" elif [ "${_if_type}" = "passthrough" ]; then sed -i '' "/.*${_if_jail}.*/d" "${_jail_config}" fi 
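Review bot: `sed -i '' "/.*${_if}.*/d" "${_jail_config}"` in the new `if_bridge` and `netgraph` branches deletes every jail.conf line that merely contains the external interface name, so with `_if=em0` it also strips lines mentioning `em01` or a second epair bridged to the same interface, and an empty `_if` would empty the file. As far as the config generated elsewhere in this series shows, the only line that names the external interface without naming the epair is the jib one, so anchor on that syntax: `sed -i '' "/jib addm ${_jib_epair} ${_if}\"/d" "${_jail_config}"` for `if_bridge`, and the equivalent `"/jng bridge ${_jng_if} ${_if}\"/d"` for netgraph (verify the jng line format, which is not visible here). The `_epaira`/`_epairb` deletions should likewise be wrapped in `[ -n "..." ] &&` since `_epaira` is set by a grep earlier in remove_interface, outside this hunk, and an empty value makes `/.*.*/d` match every line.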
@@ -578,11 +599,12 @@ add_vlan() { local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" if [ "${VNET}" -eq 1 ]; then - local _jail_epair_num="$(grep ${_interface} ${_jail_config} | grep -Eo -m 1 "bastille[0-9]+" | grep -Eo "[0-9]+")" - local _jail_vnet="$(grep "e0b_bastille${_jail_epair_num}_name" ${_jail_rc_config} | grep -Eo "vnet[0-9]+")" + local _jib_epair="$(grep "jib addm.*${_if}" ${_jail_config} | awk '{print $3}')" + local _jail_epair="$(grep "e[0-9]+b_${_jib_epair}" ${_jail_config})" + local _jail_vnet="$(grep "${_jail_epair}_name" ${_jail_rc_config} | grep -Eo "vnet[0-9]+")" elif [ "${BRIDGE}" -eq 1 ]; then - local _jail_epair_num="$(grep ${_interface} ${_jail_config} | grep -Eo -m 1 "epair[0-9]+" | grep -Eo "[0-9]+")" - local _jail_vnet="$(grep "e.*${_jail_epair_num}b.*_name" ${_jail_rc_config} | grep -Eo "vnet[0-9]+")" + local _jail_epair="$(grep "e[0-9]+b_[^;" ]+" ${_jail_config})" + local _jail_vnet="$(grep "${_jail_epair}_name" ${_jail_rc_config} | grep -Eo "vnet[0-9]+")" elif [ "${PASSTHROUGH}" -eq 1 ]; then local _jail_vnet="${_interface}" fi From e76e8a8d701b8008fb33dfde300b7eb2fb9ec302 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 12 Jun 2025 15:32:31 -0600 Subject: [PATCH 21/32] Update network.sh --- usr/local/share/bastille/network.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index a3b603ef..12721a80 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh 
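Review bot: The new `VNET` branch greps for `"jib addm.*${_if}"`, but add_vlan's argument is `_interface` (the `PASSTHROUGH` branch below still uses `${_interface}`), so unless `_if` is set elsewhere the pattern degrades to `jib addm.*` and the first jib interface is picked regardless of the one requested. The following greps also return whole lines rather than names, and without `-E` the `+` in `e[0-9]+b_` is a literal character under basic-regex syntax, so `_jail_epair` comes back empty and `grep "${_jail_epair}_name"` matches any `_name` line in rc.conf. Change them to `local _jib_epair="$(grep "jib addm.*${_interface}" "${_jail_config}" | awk '{print $3}')"`, `local _jail_epair="$(grep -Eo -m 1 "e[0-9]+b_${_jib_epair}" "${_jail_config}")"`, and `grep -Eo -m 1 'e[0-9]+b_[^;" ]+'` in the `BRIDGE` branch. add_vlan begins before this hunk.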
@@ -491,8 +491,8 @@ remove_interface() { local _epairb="$(grep "e[0-9]+b_${_jib_epair}" ${_jail_config})" local _if_jail="${_epairb}" else - local _epaira="$(grep "e[0-9]+a_[^;" ]+" ${_jail_config})" - local _epairb="$(grep "e[0-9]+b_[^;" ]+" ${_jail_config})" + local _epaira="$(grep 'e[0-9]+a_[^;" ]+' ${_jail_config})" + local _epairb="$(grep 'e[0-9]+b_[^;" ]+' ${_jail_config})" local _if_jail="${_epairb}" fi @@ -603,7 +603,7 @@ add_vlan() { local _jail_epair="$(grep "e[0-9]+b_${_jib_epair}" ${_jail_config})" local _jail_vnet="$(grep "${_jail_epair}_name" ${_jail_rc_config} | grep -Eo "vnet[0-9]+")" elif [ "${BRIDGE}" -eq 1 ]; then - local _jail_epair="$(grep "e[0-9]+b_[^;" ]+" ${_jail_config})" + local _jail_epair="$(grep 'e[0-9]+b_[^;" ]+' ${_jail_config})" local _jail_vnet="$(grep "${_jail_epair}_name" ${_jail_rc_config} | grep -Eo "vnet[0-9]+")" elif [ "${PASSTHROUGH}" -eq 1 ]; then local _jail_vnet="${_interface}" From a06694f649da93ca5018ef73d1e50d081ab585b6 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 13 Jun 2025 19:36:01 -0600 Subject: [PATCH 22/32] add function to update jail syntax --- usr/local/share/bastille/common.sh | 57 ++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 4ba8e636..5f40f592 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh 
@@ -516,4 +516,61 @@ checkyesno() { esac } +update_jail_syntax_v1() { + + local jail="${1}" + local jail_config="${bastille_jailsdir}/${jail}/jail.conf" + local jail_rc_config="${bastille_jailsdir}/${jail}/root/etc/rc.conf" + + # Only apply if old syntax is found + if grep -Eoq "exec.prestart.*ifconfig epair[0-9]+ create.*" "${jail_config}"; then + + if [ "$(echo -n "e0a_${jail}" | awk '{print length}')" -lt 16 ]; then + local new_host_epair=e0a_${jail} + local new_jail_epair=e0b_${jail} + else + name_prefix="$(echo ${jail} | cut -c1-7)" + name_suffix="$(echo ${jail} | rev | cut -c1-2 | rev)" + local new_host_epair="e0a_${name_prefix}xx${name_suffix}" + local new_jail_epair="e0b_${name_prefix}xx${name_suffix}" + fi + + # Delete unneeded lines + sed -i '' "/.*exec.prestart.*ifconfig.*up name.*;/d" "${jail_config}" + sed -i '' "/.*exec.poststop.*ifconfig.*deletem.*;/d" "${jail_config}" + + sed -i '' "s|.*vnet.interface =.*| vnet.interface = ${new_jail_epair};|g" "${jail_config}" + sed -i '' "s|.*ifconfig epair.*create.*| exec.prestart += \"epair0=\\\\\$(ifconfig epair create) \&\& ifconfig \\\\\${epair0} up name ${new_host_epair} \&\& ifconfig \\\\\${epair0%a}b up name ${new_jail_epair}\";|g" "${jail_config}" + sed -i '' "s|addm.*|addm ${new_host_epair}\";|g" "${jail_config}" + sed -i '' "/ether.*:.*:.*:.*:.*:.*a/ s|ifconfig.*ether|ifconfig ${new_host_epair} ether|g" "${jail_config}" + sed -i '' "/ether.*:.*:.*:.*:.*:.*b/ s|ifconfig.*ether|ifconfig ${new_jail_epair} ether|g" "${jail_config}" + sed -i '' "s|ifconfig.*description|ifconfig ${new_host_epair} description|g" "${jail_config}" + sed -i '' "s|ifconfig.*destroy|ifconfig ${new_host_epair} destroy|g" "${jail_config}" + + elif grep -Eoq "exec.poststop.*jib destroy.*" "${jail_config}"; then + + local external_interface="$(grep -Eo "jib addm.*" "${jail_config}" | awk '{print $4}')" + + if [ "$(echo -n "e0a_${jail}" | awk '{print length}')" -lt 16 ]; then + local new_host_epair=e0a_${jail} + local 
new_jail_epair=e0b_${jail} + local jib_epair="${jail}" + else + name_prefix="$(echo ${jail} | cut -c1-7)" + name_suffix="$(echo ${jail} | rev | cut -c1-2 | rev)" + local new_host_epair="e0a_${name_prefix}xx${name_suffix}" + local new_jail_epair="e0b_${name_prefix}xx${name_suffix}" + local jib_epair="${name_prefix}xx${name_suffix}" + fi + + sed -i '' "s|.*vnet.interface =.*| vnet.interface = ${new_jail_epair};|g" "${jail_config}" + sed -i '' "s|jib addm.*|jib addm ${jib_epair} ${external_interface}|g" "${jail_config}" + sed -i '' "/ether.*:.*:.*:.*:.*:.*a/ s|ifconfig.*ether|ifconfig ${new_host_epair} ether|g" "${jail_config}" + sed -i '' "/ether.*:.*:.*:.*:.*:.*b/ s|ifconfig.*ether|ifconfig ${new_jail_epair} ether|g" "${jail_config}" + sed -i '' "s|ifconfig.*description|ifconfig ${new_host_epair} description|g" "${jail_config}" + sed -i '' "s|jib destroy.*|ifconfig ${new_host_epair} destroy\";|g" "${jail_config}" + + fi +} + set_bastille_mountpoints From 1b37b2577c69e1b84460e14065878da931e6526a Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 13 Jun 2025 19:38:12 -0600 Subject: [PATCH 23/32] update jail syntax on jail stop --- usr/local/share/bastille/stop.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/stop.sh b/usr/local/share/bastille/stop.sh index 680c4ec0..09707da9 100644 --- a/usr/local/share/bastille/stop.sh +++ b/usr/local/share/bastille/stop.sh @@ -159,9 +159,11 @@ for _jail in ${JAILS}; do done fi + update_jail_syntax_v1 "${_jail}" + ) & bastille_running_jobs "${bastille_process_limit}" done -wait \ No newline at end of file +wait From 19759447895ced72c565304dcc187e181eb5a5e3 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 13 Jun 2025 20:22:49 -0600 Subject: [PATCH 24/32] Forgot rc.conf --- usr/local/share/bastille/common.sh | 8 ++++++++ 1 file changed, 8 insertions(+) 
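Review bot: update_jail_syntax_v1 rewrites jail.conf in place with unanchored substitutions (`addm.*`, `ifconfig.*description`, `ifconfig.*destroy`, `.*vnet.interface =.*`), so a jail holding more than one epair — which the README in this series admits must then be fixed by hand — ends up with every interface renamed to the same `e0a_`/`e0b_` pair, and no copy of the original is kept to recover from. Before the first `sed -i ''`, save the file and refuse ambiguous configs: `cp "${jail_config}" "${jail_config}.bak"` followed by `[ "$(grep -Ec 'ifconfig epair[0-9]+ create|jib addm' "${jail_config}")" -eq 1 ] || return 0`, with a warning that the jail needs manual conversion. `name_prefix` and `name_suffix` are assigned without `local` in both branches and leak into the caller. A header comment stating that the function is meant to be idempotent (the match patterns no longer fire once converted) would also help, since it is invoked on every stop.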
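Review bot: `update_jail_syntax_v1 "${_jail}"` is invoked unconditionally at the end of the backgrounded per-jail subshell, so if the stop did not actually succeed the jail.conf is rewritten under a running jail, and the next stop's `exec.poststop` would try to destroy an epair by its new name while the old one is still attached to the bridge. Guard the conversion on the jail being gone, e.g. `if ! jls -j "${_jail}" >/dev/null 2>&1; then update_jail_syntax_v1 "${_jail}"; fi`, so a failed stop leaves the config untouched. The enclosing `for _jail in ${JAILS}` loop starts before this hunk.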
diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 5f40f592..254e93ca 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -539,6 +539,7 @@ update_jail_syntax_v1() { sed -i '' "/.*exec.prestart.*ifconfig.*up name.*;/d" "${jail_config}" sed -i '' "/.*exec.poststop.*ifconfig.*deletem.*;/d" "${jail_config}" + # Change jail.conf sed -i '' "s|.*vnet.interface =.*| vnet.interface = ${new_jail_epair};|g" "${jail_config}" sed -i '' "s|.*ifconfig epair.*create.*| exec.prestart += \"epair0=\\\\\$(ifconfig epair create) \&\& ifconfig \\\\\${epair0} up name ${new_host_epair} \&\& ifconfig \\\\\${epair0%a}b up name ${new_jail_epair}\";|g" "${jail_config}" sed -i '' "s|addm.*|addm ${new_host_epair}\";|g" "${jail_config}" @@ -547,6 +548,9 @@ update_jail_syntax_v1() { sed -i '' "s|ifconfig.*description|ifconfig ${new_host_epair} description|g" "${jail_config}" sed -i '' "s|ifconfig.*destroy|ifconfig ${new_host_epair} destroy|g" "${jail_config}" + # Change rc.conf + sed -i '' "/ifconfig_.*_name.*vnet.*/ s|ifconfig_.*_name|ifconfig_${new_jail_epair}_name|g" "${jail_config}" + elif grep -Eoq "exec.poststop.*jib destroy.*" "${jail_config}"; then local external_interface="$(grep -Eo "jib addm.*" "${jail_config}" | awk '{print $4}')" @@ -563,6 +567,7 @@ update_jail_syntax_v1() { local jib_epair="${name_prefix}xx${name_suffix}" fi + # Change jail.conf sed -i '' "s|.*vnet.interface =.*| vnet.interface = ${new_jail_epair};|g" "${jail_config}" sed -i '' "s|jib addm.*|jib addm ${jib_epair} ${external_interface}|g" "${jail_config}" sed -i '' "/ether.*:.*:.*:.*:.*:.*a/ s|ifconfig.*ether|ifconfig ${new_host_epair} ether|g" "${jail_config}" 
@@ -570,6 +575,9 @@ update_jail_syntax_v1() { sed -i '' "s|ifconfig.*description|ifconfig ${new_host_epair} description|g" "${jail_config}" sed -i '' "s|jib destroy.*|ifconfig ${new_host_epair} destroy\";|g" "${jail_config}" + # Change rc.conf + sed -i '' "/ifconfig_.*_name.*vnet.*/ s|ifconfig_.*_name|ifconfig_${new_jail_epair}_name|g" "${jail_config}" + fi } From 3bbe183854eacfb386c26df5a48ec97f5ad28813 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 13 Jun 2025 20:26:47 -0600 Subject: [PATCH 25/32] Update common.sh --- usr/local/share/bastille/common.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 254e93ca..1c6cb512 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -549,7 +549,7 @@ update_jail_syntax_v1() { sed -i '' "s|ifconfig.*destroy|ifconfig ${new_host_epair} destroy|g" "${jail_config}" # Change rc.conf - sed -i '' "/ifconfig_.*_name.*vnet.*/ s|ifconfig_.*_name|ifconfig_${new_jail_epair}_name|g" "${jail_config}" + sed -i '' "/ifconfig_.*_name.*vnet.*/ s|ifconfig_.*_name|ifconfig_${new_jail_epair}_name|g" "${jail_rc_config}" elif grep -Eoq "exec.poststop.*jib destroy.*" "${jail_config}"; then @@ -576,7 +576,7 @@ update_jail_syntax_v1() { sed -i '' "s|jib destroy.*|ifconfig ${new_host_epair} destroy\";|g" "${jail_config}" # Change rc.conf - sed -i '' "/ifconfig_.*_name.*vnet.*/ s|ifconfig_.*_name|ifconfig_${new_jail_epair}_name|g" "${jail_config}" + sed -i '' "/ifconfig_.*_name.*vnet.*/ s|ifconfig_.*_name|ifconfig_${new_jail_epair}_name|g" "${jail_rc_config}" fi } From 5095f6488be79fc7e9351474c35ffc8fd68cbdd7 Mon Sep 17 00:00:00 2001 
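Review bot: The rc.conf rewrite `/ifconfig_.*_name.*vnet.*/ s|ifconfig_.*_name|ifconfig_${new_jail_epair}_name|g` renames every `ifconfig_*_name="vnetN"` entry to the same `e0b_` key, so a jail with extra interfaces added via `network` is left with duplicate rc.conf variables of which only the last takes effect. If the default interface is always `vnet0`, as the generated `description \"vnet0 host interface …\"` in this series suggests, restrict the address to that value: `sed -i '' "/ifconfig_.*_name=\"vnet0\"/ s|ifconfig_[^=]*_name|ifconfig_${new_jail_epair}_name|" "${jail_rc_config}"`. The first branch's copy of this line lives in the preceding hunk and needs the same change.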
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 14 Jun 2025 12:05:14 -0600 Subject: [PATCH 26/32] Update README.md --- README.md | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/README.md b/README.md index f7f5a306..c5b79229 100644 --- a/README.md +++ b/README.md 
@@ -5,6 +5,42 @@ deployment and management of containerized applications on FreeBSD. [Bastille Documentation](https://bastille.readthedocs.io/en/latest/) +1.0 Potentially Breaking Chnages +================================ + +Up until version 1.0.20250714, Bastille has handled epairs for `-V` jails using the +jib script included in FreeBSD installs. However, for `-B` jails, Bastille statically +assigned an epair to each jail. This means you can only run one type (`-V` or `-B`) of VNET jails on +a given system. + +Starting with version 1.0.20250714, we are now handling all epairs dynamically, allowing +the use of both types of VNET jails without issue. We have also selected a naming scheme +that will allow for consistency across these jail types. The naming scheme is as follows... + +`e0a_jailname` and `e0b_jailname` are the default interfaces for every jail. This will allow better management +when trying to figure out which jail a given epair is linked to. Due to a limitation in how long +an interface name can be, Bastille will truncate "jailname" to avoid errors if it is too long. So, `mylongjailname` +will be `e0a_mylongjxxme` and `e0b_mylongjxxme`. The `xx` part is necessary due to another limitation +that does not allow dots (\.) in interface names when using the jib script. + +If you decide to add an interface using the `network` sub-command, they will be named +`e1a_jailname` and `e1b_jailname` respectively. The number included will increment by 1 +for each interface you add. + +Mandatory +--------- + +We have tried our best to auto-convert each jails `jail.conf` and `rc.conf` to the new +syntax (this happens when the jail is stopped). It isn't a huge change (only a handful +of lines), but if you do have an issue please open a bug report. + +After updating, you must stop all your jails, then start them (don't use restart) to have Bastille convert +the `jail.conf` and `rc.conf` files. This simply involves renaming the epairs to the new syntax. 
+ +If you have used the `network` sub-command to add any amount of interfaces, you will have to edit the `jail.conf` +and `rc.conf` files for each jail to update the names of the epair interfaces. This is because all epairs will have been renamed to +`e0...` in both files. For each additional one, simply increment the number by 1. + Bastille Compared to Other Jail Managers ======================================== From 7ef9d35a3eea2ac92b4010e76f53cefc8f124381 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 14 Jun 2025 12:35:17 -0600 Subject: [PATCH 27/32] Update network.sh --- usr/local/share/bastille/network.sh | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 12721a80..2e7aa77d 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -311,7 +311,7 @@ EOF fi done - echo "Added interface: \"${_if}\"" + echo "Added bridge interface: \"${_if}\"" elif [ "${VNET}" -eq 1 ]; then if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then @@ -462,8 +462,6 @@ EOF sed -i '' "s/interface = .*/&\n ip4.addr += ${_if}|${_ip};/" ${_jail_config} fi fi - - echo "Added interface: \"${_if}\"" } remove_interface() { @@ -487,12 +485,12 @@ remove_interface() { local _if_type="if_bridge" if [ -n "${_jib_epair}" ]; then - local _epaira="$(grep "e[0-9]+a_${_jib_epair}" ${_jail_config})" - local _epairb="$(grep "e[0-9]+b_${_jib_epair}" ${_jail_config})" + local _epaira="$(grep -A 1 "${_if}" ${_jail_config} | grep "e[0-9]+a_${_jib_epair}")" + local _epairb="${_epaira%a_}b_" local _if_jail="${_epairb}" else - local _epaira="$(grep 'e[0-9]+a_[^;" ]+' ${_jail_config})" - local _epairb="$(grep 'e[0-9]+b_[^;" ]+' ${_jail_config})" + local _epaira="$(grep -m 1 "${_if}" ${_jail_config} | grep 'e[0-9]+a_[^;" ]+')" + local _epairb="${_epaira%a_}b_" local _if_jail="${_epairb}" fi 
@@ -509,7 +507,7 @@ remove_interface() { # Get vnetX value from rc.conf if [ "${_if_type}" = "if_bridge" ]; then if grep -oq "${_if_jail}" ${_jail_config}; then - local _if_vnet="$(grep ${_if_jail} ${_jail_rc_config} | grep -Eo 'vnet[0-9]+')" + local _if_vnet="$(grep "${_if_jail}" ${_jail_rc_config} | grep -Eo 'vnet[0-9]+')" else error_exit "[ERROR]: Interface not found: ${_if_jail}" fi From 1049061c7bfe989625d57edb914c93fb0a6879fc Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 14 Jun 2025 12:41:02 -0600 Subject: [PATCH 28/32] Update network.sh --- usr/local/share/bastille/network.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 2e7aa77d..9d55027b 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -485,11 +485,11 @@ remove_interface() { local _if_type="if_bridge" if [ -n "${_jib_epair}" ]; then - local _epaira="$(grep -A 1 "${_if}" ${_jail_config} | grep "e[0-9]+a_${_jib_epair}")" + local _epaira="$(grep -m 1 -A 1 "${_if}" ${_jail_config} | grep -Eo "e[0-9]+a_${_jib_epair}")" local _epairb="${_epaira%a_}b_" local _if_jail="${_epairb}" else - local _epaira="$(grep -m 1 "${_if}" ${_jail_config} | grep 'e[0-9]+a_[^;" ]+')" + local _epaira="$(grep -m 1 "${_if}" ${_jail_config} | grep -Eo 'e[0-9]+a_[^;" ]+')" local _epairb="${_epaira%a_}b_" local _if_jail="${_epairb}" fi From be316bc8bdeb65bfa5a20768d967406ce8cb9a6d Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 14 Jun 2025 12:44:39 -0600 Subject: [PATCH 29/32] Update network.sh --- usr/local/share/bastille/network.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 9d55027b..b5257e92 100644 --- a/usr/local/share/bastille/network.sh 
+++ b/usr/local/share/bastille/network.sh @@ -486,11 +486,11 @@ remove_interface() { if [ -n "${_jib_epair}" ]; then local _epaira="$(grep -m 1 -A 1 "${_if}" ${_jail_config} | grep -Eo "e[0-9]+a_${_jib_epair}")" - local _epairb="${_epaira%a_}b_" + local _epairb="$(echo ${_epaira} | sed 's/a_/b_/')" local _if_jail="${_epairb}" else local _epaira="$(grep -m 1 "${_if}" ${_jail_config} | grep -Eo 'e[0-9]+a_[^;" ]+')" - local _epairb="${_epaira%a_}b_" + local _epairb="$(echo ${_epaira} | sed 's/a_/b_/')" local _if_jail="${_epairb}" fi From d363a42e44dd2cc537639a30ac493094d5ebe8ef Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 14 Jun 2025 17:55:24 -0600 Subject: [PATCH 30/32] Update README.md --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index c5b79229..b65b133f 100644 --- a/README.md +++ b/README.md @@ -34,8 +34,9 @@ We have tried our best to auto-convert each jails `jail.conf` and `rc.conf` to t syntax (this happens when the jail is stopped). It isn't a huge change (only a handful of lines), but if you do have an issue please open a bug report. -After updating, you must stop all your jails, then start them (don't use restart) to have Bastille convert -the `jail.conf` and `rc.conf` files. This simply involves renaming the epairs to the new syntax. +After updating, you must restart all your jails (probably one at a time, in case of issues) +to have Bastille convert the `jail.conf` and `rc.conf` files. This simply involves renaming +the epairs to the new syntax. If you have used the `network` sub-command to add any amount of interfaces, you will have to edit the `jail.conf` and `rc.conf` files for each jail to update the names of the epair interfaces. This is because all epairs will have been renamed to From 6ca61135f35ebb47f7c7beec36e685bc094bfc08 Mon Sep 17 00:00:00 2001 
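Review bot: `_epaira` is still located by `grep -m 1 "${_if}" ${_jail_config}` (and `grep -m 1 -A 1 "${_if}"` in the jib branch), which treats the user-supplied interface name as an unanchored regex, so `em0` also matches `em01`, a dot in a name such as `em0.10` is a wildcard, and the first line mentioning the interface wins even when two epairs are bridged to it. Match the generated syntax instead: `grep -m 1 "ifconfig ${_if} addm "` for the bridge form and `grep -m 1 -A 1 "jib addm ${_jib_epair} ${_if}\""` for the jib form, with `"${_jail_config}"` quoted in both. The `sed 's/a_/b_/'` derivation of `_epairb` is sound for the `e[0-9]+a_` prefix, since that is always the first `a_` in the name, but `_jib_epair` itself comes from an equally unanchored `grep "jib addm.*${_if}"` earlier in remove_interface, outside this hunk.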
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 14 Jun 2025 22:08:04 -0600 Subject: [PATCH 31/32] Typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b65b133f..3f7739e7 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ deployment and management of containerized applications on FreeBSD. [Bastille Documentation](https://bastille.readthedocs.io/en/latest/) -1.0 Potentially Breaking Chnages +1.0 Potentially Breaking Changes ================================ Up until version 1.0.20250714, Bastille has handled epairs for `-V` jails using the From cde8a5549b859376d15c4efe39c29331ee6ed427 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 14 Jun 2025 22:10:01 -0600 Subject: [PATCH 32/32] Update README.md --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 3f7739e7..bfaa8dd3 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,8 @@ Starting with version 1.0.20250714, we are now handling all epairs dynamically, the use of both types of VNET jails without issue. We have also selected a naming scheme that will allow for consistency across these jail types. The naming scheme is as follows... -`e0a_jailname` and `e0b_jailname` are the default interfaces for every jail. This will allow better management +`e0a_jailname` and `e0b_jailname` are the default epair interfaces for every jail. The `a` side +is on the host, while the `b` is in the jail. This will allow better management when trying to figure out which jail a given epair is linked to. Due to a limitation in how long an interface name can be, Bastille will truncate "jailname" to avoid errors if it is too long. So, `mylongjailname` will be `e0a_mylongjxxme` and `e0b_mylongjxxme`. The `xx` part is necessary due to another limitation