From 141bc10c289a787112319afd4cf25c2b91ec2b87 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 20 May 2025 09:00:48 -0600 Subject: [PATCH 01/17] create: Add -g|--gateway --- usr/local/share/bastille/create.sh | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 95f6b6af..2e82fc4c 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -44,6 +44,7 @@ usage() { -C | --clone Create a clone jail. -D | --dual Create jail with both IPv4 and IPv6 networking ('inherit' and 'ip_hostname' only). -E | --empty Create an empty container, intended for custom jail builds (thin/thick/linux or unsupported). + -g | --gateway IP Specify a default router/gateway for the jail. -L | --linux Create a Linux jail (experimental). -M | --static-mac Generate a static MAC address for jail (VNET only). --no-validate Do not validate the release when creating the jail. @@ -53,7 +54,7 @@ usage() { -V | --vnet Enable VNET, and attach to an existing, physical interface. -v | --vlan VLANID Creates the jail with specified VLAN ID (VNET only). -x | --debug Enable debug mode. - -Z | --zfs-opts [zfs,options] Comma separated list of ZFS options to create the jail with. This overrides the defaults. + -Z | --zfs-opts zfs,options Comma separated list of ZFS options to create the jail with. This overrides the defaults. EOF exit 1 @@ -620,7 +621,9 @@ create_jail() { _ifconfig_inet=SYNCDHCP else # Else apply the default gateway - if [ -n "${bastille_network_gateway}" ]; then + if [ -n "${OPT_GATEWAY}" ]; then + _gateway="${OPT_GATEWAY}" + elif [ -n "${bastille_network_gateway}" ]; then _gateway="${bastille_network_gateway}" else _gateway="$(netstat -4rn | awk '/default/ {print $2}')" 
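Review bot: A `-g` value is silently dropped on the DHCP path, because the new `OPT_GATEWAY` check sits only in the `else` branch below `_ifconfig_inet=SYNCDHCP`, so a caller who passes `--gateway` together with a DHCP configuration gets no indication that it was ignored. A one-line warning next to the SYNCDHCP assignment makes this visible: `[ -n "${OPT_GATEWAY}" ] && warn "[WARNING]: -g|--gateway is ignored when DHCP is used."` (the `warn` helper is visible in common.sh later in this series). create_jail begins and ends outside the hunk, so whether `_gateway` is later quoted when written to the jail config cannot be checked here.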
@@ -718,6 +721,7 @@ STATIC_MAC="" DUAL_STACK="" VALIDATE_RELEASE="1" PRIORITY="99" +OPT_GATEWAY="" while [ $# -gt 0 ]; do case "${1}" in -h|--help|help) @@ -740,6 +744,16 @@ while [ $# -gt 0 ]; do EMPTY_JAIL="1" shift ;; + -g|--gateway) + OPT_GATEWAY="${2}" + # Validate gateway + if [ -n "${OPT_GATEWAY}" ]; then + if ! validate_ip "${OPT_GATEWAY}" >/dev/null 2>/dev/null; then + error_exit "[ERROR]: Not a valid gateway: ${OPT_GATEWAY}" + fi + fi + shift 2 + ;; -L|--linux) LINUX_JAIL="1" shift From 4dfb629958f1934723761cd2213d73dcda4996c8 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 20 May 2025 09:05:49 -0600 Subject: [PATCH 02/17] docs: Document -g|--gateway --- docs/chapters/subcommands/create.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/chapters/subcommands/create.rst b/docs/chapters/subcommands/create.rst index c888ab84..f0bf1a2d 100644 --- a/docs/chapters/subcommands/create.rst +++ b/docs/chapters/subcommands/create.rst @@ -61,6 +61,7 @@ options. See the below help output. -C | --clone Create a clone jail. -D | --dual Create jail with both IPv4 and IPv6 networking ('inherit' and 'ip_hostname' only). -E | --empty Create an empty container, intended for custom jail builds (thin/thick/linux or unsupported). + -g | --gateway IP Specify a default router/gateway for the jail. -L | --linux Create a Linux jail (experimental). -M | --static-mac Generate a static MAC address for jail (VNET only). --no-validate Do not validate the release when creating the jail. 
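Review bot: `-g|--gateway` accepts a missing or empty argument: `OPT_GATEWAY="${2}"` is validated only when non-empty, so `bastille create -g '' …` (or `-g` as the last word) passes silently and the jail falls back to the configured/default gateway, while `shift 2` with nothing left to shift aborts the parser with the shell's own error rather than a usage message. Add `[ -n "${2}" ] || error_exit "[ERROR]: -g|--gateway requires an IP address."` before the assignment and drop the enclosing `if [ -n … ]` so validation is unconditional. `>/dev/null 2>/dev/null` works, but `>/dev/null 2>&1` is the conventional spelling.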
@@ -70,4 +71,4 @@ options. See the below help output. -V | --vnet Enable VNET, and attach to an existing, physical interface. -v | --vlan VLANID Creates the jail with specified VLAN ID (VNET only). -x | --debug Enable debug mode. - -Z | --zfs-opts [zfs,options] Comma separated list of ZFS options to create the jail with. This overrides the defaults. \ No newline at end of file + -Z | --zfs-opts zfs,options Comma separated list of ZFS options to create the jail with. This overrides the defaults. From 6bb915e4cb9ba3fdfe514f29a36f26323c8171b7 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 20 May 2025 11:38:57 -0600 Subject: [PATCH 03/17] create: Add -n|--nameserver --- usr/local/share/bastille/create.sh | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 2e82fc4c..0ab4fb47 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -49,6 +49,7 @@ usage() { -M | --static-mac Generate a static MAC address for jail (VNET only). --no-validate Do not validate the release when creating the jail. --no-boot Create jail with boot=off. + -n | --nameserver Specify a nameserver for the jail. -p | --priority VALUE Set priority value for jail. -T | --thick Creates a thick container, they consume more space as they are self contained and independent. -V | --vnet Enable VNET, and attach to an existing, physical interface. @@ -689,6 +690,11 @@ create_jail() { fi fi + # Apply nameserver (if set) + if [ -n "${OPT_NAMESERVER}" ]; then + sed -i '' "\#nameserver.*# s#nameserver.*#nameserver ${OPT_NAMESERVER}#" "${bastille_jail_resolv_conf}" + fi + # Apply values changed by the template. -- cwells if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then bastille restart "${NAME}" 
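Review bot: The new `sed -i ''` on `${bastille_jail_resolv_conf}` runs for every jail type, including the empty and Linux jails that the very next block excludes from `bastille restart`, so if that file is absent for those jails the option fails with sed's own error and nothing else is reported; the substitution is also a silent no-op when the file has no existing `nameserver` line. Guard it with `[ -f "${bastille_jail_resolv_conf}" ] || error_exit "[ERROR]: ${bastille_jail_resolv_conf} not found; cannot apply -n|--nameserver."`. Note that `${OPT_NAMESERVER}` is expanded inside the sed replacement, so `validate_ip` is the only thing keeping `#`, `&` and `\` out of the sed script — worth a comment so nobody later relaxes that validator to accept hostnames. create_jail begins outside the hunk.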
@@ -722,6 +728,7 @@ DUAL_STACK="" VALIDATE_RELEASE="1" PRIORITY="99" OPT_GATEWAY="" +OPT_NAMESERVER="" while [ $# -gt 0 ]; do case "${1}" in -h|--help|help) @@ -744,7 +751,7 @@ while [ $# -gt 0 ]; do EMPTY_JAIL="1" shift ;; - -g|--gateway) + -g|--gateway|--defaultrouter) OPT_GATEWAY="${2}" # Validate gateway if [ -n "${OPT_GATEWAY}" ]; then @@ -762,6 +769,16 @@ while [ $# -gt 0 ]; do STATIC_MAC="1" shift ;; + -n|--nameserver) + OPT_NAMESERVER="${2}" + # Validate nameserver + if [ -n "${OPT_NAMESERVER}" ]; then + if ! validate_ip "${OPT_NAMESERVER}" >/dev/null 2>/dev/null; then + error_exit "[ERROR]: Not a valid nameserver: ${OPT_NAMESERVER}" + fi + fi + shift 2 + ;; -p|--priority) if echo "${2}" | grep -Eoq "^[0-9]+$"; then PRIORITY="${2}" @@ -787,11 +804,11 @@ while [ $# -gt 0 ]; do shift ;; -v|--vlan) - if echo "${2}" | grep -Eq '^[0-9]+$'; then + if echo "${2}" | grep -Eq '^[0-9]+$'; then VLAN_ID="${2}" - else + else error_exit "Not a valid VLAN ID: ${2}" - fi + fi shift 2 ;; -x|--debug) From 53e4162fc743a19664fd612bbf454ffe704ecb13 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 20 May 2025 11:39:35 -0600 Subject: [PATCH 04/17] docs: Document -n|--nameserver for create --- docs/chapters/subcommands/create.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/chapters/subcommands/create.rst b/docs/chapters/subcommands/create.rst index f0bf1a2d..f2d3849f 100644 --- a/docs/chapters/subcommands/create.rst +++ b/docs/chapters/subcommands/create.rst @@ -64,6 +64,7 @@ options. See the below help output. -g | --gateway IP Specify a default router/gateway for the jail. -L | --linux Create a Linux jail (experimental). -M | --static-mac Generate a static MAC address for jail (VNET only). + -n | --nameserver Specify a nameserver for the jail. --no-validate Do not validate the release when creating the jail. --no-boot Create jail with boot=off. -p | --priority VALUE Set priority value for jail. 
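Review bot: `--defaultrouter` is added as a third spelling of `-g|--gateway` in the `case` pattern, but neither the usage text in this commit nor the docs hunk mentions it, so it lands as an undocumented alias. Either document it — `-g | --gateway | --defaultrouter IP` in usage() and create.rst — or drop it; undocumented option spellings tend to be kept forever. The new `-n|--nameserver` arm has the same gap as `-g`: `OPT_NAMESERVER="${2}"` is validated only when non-empty, so `[ -n "${2}" ] || error_exit "[ERROR]: -n|--nameserver requires an IP address."` before the assignment would close it.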
From 256e40e03d342312b3324781c76f6c45a66e4238 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 20 May 2025 11:40:04 -0600 Subject: [PATCH 05/17] create: Reorder option -n --- usr/local/share/bastille/create.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 0ab4fb47..437e0682 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -47,9 +47,9 @@ usage() { -g | --gateway IP Specify a default router/gateway for the jail. -L | --linux Create a Linux jail (experimental). -M | --static-mac Generate a static MAC address for jail (VNET only). + -n | --nameserver Specify a nameserver for the jail. --no-validate Do not validate the release when creating the jail. --no-boot Create jail with boot=off. - -n | --nameserver Specify a nameserver for the jail. -p | --priority VALUE Set priority value for jail. -T | --thick Creates a thick container, they consume more space as they are self contained and independent. -V | --vnet Enable VNET, and attach to an existing, physical interface. From af62e9ab0bf57bd69e095583f422b5d21ac6ad24 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 20 May 2025 12:10:35 -0600 Subject: [PATCH 06/17] common: Add function to escape special --- usr/local/share/bastille/common.sh | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 9407c697..5c62df3f 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh 
@@ -93,6 +93,19 @@ warn() { echo -e "${COLOR_YELLOW}$*${COLOR_RESET}" } +escape_special_characters() { + + # Escape special charcters for jail.conf files + # Only "." for now + + local _string="${1}" + + _escaped_string="$(echo ${_string} | sed 's#\.#\\\.#g')" + + echo "${_escaped_string}" + +} + # Parallel mode, don't exceed process limit bastille_running_jobs() { @@ -544,4 +557,4 @@ checkyesno() { esac } -set_bastille_mountpoints \ No newline at end of file +set_bastille_mountpoints From aa1400371914306e5a93e475d70f30dd3d3cebcf Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 20 May 2025 12:17:20 -0600 Subject: [PATCH 07/17] create: call parse for interface --- usr/local/share/bastille/create.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 437e0682..668efdd1 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -186,6 +186,8 @@ validate_netif() { else error_exit "[ERROR]: Invalid: (${INTERFACE})." fi + + INTERFACE="$(parse_value_jail_conf ${INTERFACE})" } validate_release() { From 4425d3ee2554153a622a61d527464edd2ba35fa1 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 20 May 2025 12:18:22 -0600 Subject: [PATCH 08/17] Update common.sh --- usr/local/share/bastille/common.sh | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 5c62df3f..8f003bb8 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh 
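Review bot: In `escape_special_characters`, `echo ${_string}` is unquoted, so the value is word-split and pathname-expanded before it reaches sed (a name containing `*` is globbed, a leading `-n` is eaten by echo), and `_escaped_string` is assigned without `local`, so it leaks into the caller's scope. Use `local _escaped_string` and `_escaped_string="$(printf '%s\n' "${_string}" | sed 's#\.#\\\.#g')"`. A helper that escapes values for jail.conf is the right place to say what an unescaped `.` does in that file; the comment currently only names the character handled.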
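Review bot: At this commit `parse_value_jail_conf` does not exist — common.sh defines the helper as `escape_special_characters` in the preceding commit and renames it only in the following one — so the new `INTERFACE="$(parse_value_jail_conf ${INTERFACE})"` line fails with "command not found" and the command substitution assigns an empty INTERFACE after validation has already passed. Squash the rename into this commit (or reorder them), and pass the value quoted: `INTERFACE="$(parse_value_jail_conf "${INTERFACE}")"`. validate_netif begins outside the hunk, and the line is removed again two commits later, so this mainly matters for bisectability.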
@@ -93,19 +93,6 @@ warn() { echo -e "${COLOR_YELLOW}$*${COLOR_RESET}" } -escape_special_characters() { - - # Escape special charcters for jail.conf files - # Only "." for now - - local _string="${1}" - - _escaped_string="$(echo ${_string} | sed 's#\.#\\\.#g')" - - echo "${_escaped_string}" - -} - # Parallel mode, don't exceed process limit bastille_running_jobs() { @@ -517,6 +504,19 @@ EOF fi } +parse_value_jail_conf() { + + # Escape special charcters for compatability with jail.conf files + # Only "." for now + + local _string="${1}" + + _escaped_string="$(echo ${_string} | sed 's#\.#\\\.#g')" + + echo "${_escaped_string}" + +} + validate_netconf() { # Add default 'bastille_network_vnet_type' on old config file From 2b5f07c4d6dc784eb35652e7b3d4fd4670203be1 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 21 May 2025 09:07:25 -0600 Subject: [PATCH 09/17] create: Allow comma separated nameservers --- usr/local/share/bastille/create.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 668efdd1..7b4b2867 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -186,8 +186,6 @@ validate_netif() { else error_exit "[ERROR]: Invalid: (${INTERFACE})." fi - - INTERFACE="$(parse_value_jail_conf ${INTERFACE})" } validate_release() { @@ -694,7 +692,7 @@ create_jail() { # Apply nameserver (if set) if [ -n "${OPT_NAMESERVER}" ]; then - sed -i '' "\#nameserver.*# s#nameserver.*#nameserver ${OPT_NAMESERVER}#" "${bastille_jail_resolv_conf}" + sed -i '' "s#nameserver.*#nameserver ${OPT_NAMESERVER}#" "${bastille_jail_resolv_conf}" fi # Apply values changed by the template. -- cwells 
@@ -775,9 +773,11 @@ while [ $# -gt 0 ]; do OPT_NAMESERVER="${2}" # Validate nameserver if [ -n "${OPT_NAMESERVER}" ]; then - if ! validate_ip "${OPT_NAMESERVER}" >/dev/null 2>/dev/null; then - error_exit "[ERROR]: Not a valid nameserver: ${OPT_NAMESERVER}" - fi + for _nameserver in $(echo ${OPT_NAMESERVER} | sed 's/,/ /g'); do + if ! validate_ip "${_nameserver}" >/dev/null 2>/dev/null; then + error_exit "[ERROR]: Invalid nameserver(s): ${OPT_NAMESERVER}" + fi + done fi shift 2 ;; From ccdfbbe1b2e255fb2f970c15ebe42a734f09ffac Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 21 May 2025 09:16:53 -0600 Subject: [PATCH 10/17] Update create.rst --- docs/chapters/subcommands/create.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/chapters/subcommands/create.rst b/docs/chapters/subcommands/create.rst index f2d3849f..79c6d78f 100644 --- a/docs/chapters/subcommands/create.rst +++ b/docs/chapters/subcommands/create.rst @@ -64,7 +64,7 @@ options. See the below help output. -g | --gateway IP Specify a default router/gateway for the jail. -L | --linux Create a Linux jail (experimental). -M | --static-mac Generate a static MAC address for jail (VNET only). - -n | --nameserver Specify a nameserver for the jail. + -n | --nameserver IP,IP Specify nameserver(s) for the jail. Comma separated. --no-validate Do not validate the release when creating the jail. --no-boot Create jail with boot=off. -p | --priority VALUE Set priority value for jail. From 402fa6a1a05994948161f19352aed14e71d7c78d Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 21 May 2025 09:17:23 -0600 Subject: [PATCH 11/17] Update common.sh --- usr/local/share/bastille/common.sh | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 8f003bb8..87400515 100644 
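Review bot: The comma-list validation is looser than the documented `IP,IP` form: after `sed 's/,/ /g'` the unquoted `$(…)` is word-split on whitespace, so `-n "1.1.1.1 8.8.8.8"` and `-n "1.1.1.1,"` are accepted, and because `${OPT_NAMESERVER}` is expanded unquoted inside `echo`, a value containing `*` or `?` is pathname-expanded against the current directory before `validate_ip` ever sees it. Reject malformed lists up front with `case "${OPT_NAMESERVER}" in *[[:space:]*?[]*|,*|*,|*,,*) error_exit "[ERROR]: Invalid nameserver(s): ${OPT_NAMESERVER}" ;; esac` and then split with `printf '%s\n' "${OPT_NAMESERVER}" | tr ',' ' '`. What `validate_ip` accepts (CIDR suffixes, IPv6 zone ids) is not visible here; if it takes more than a bare address, the value later written to resolv.conf needs its own check.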
--- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -504,19 +504,6 @@ EOF fi } -parse_value_jail_conf() { - - # Escape special charcters for compatability with jail.conf files - # Only "." for now - - local _string="${1}" - - _escaped_string="$(echo ${_string} | sed 's#\.#\\\.#g')" - - echo "${_escaped_string}" - -} - validate_netconf() { # Add default 'bastille_network_vnet_type' on old config file From 395ef3de1ec9a8a2deb72f589f33bdb5aebb46b0 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 21 May 2025 09:18:20 -0600 Subject: [PATCH 12/17] Update create.sh --- usr/local/share/bastille/create.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 7b4b2867..b9a71325 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -47,7 +47,7 @@ usage() { -g | --gateway IP Specify a default router/gateway for the jail. -L | --linux Create a Linux jail (experimental). -M | --static-mac Generate a static MAC address for jail (VNET only). - -n | --nameserver Specify a nameserver for the jail. + -n | --nameserver IP,IP Specify nameserver(s) for the jail. Comma separated. --no-validate Do not validate the release when creating the jail. --no-boot Create jail with boot=off. -p | --priority VALUE Set priority value for jail. From 1f0a03e34fd2644dec60bba817cf54130f3a1c2e Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 21 May 2025 12:13:11 -0600 Subject: [PATCH 13/17] Update create.sh --- usr/local/share/bastille/create.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index b9a71325..cd45ff85 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
@@ -692,7 +692,8 @@ create_jail() { # Apply nameserver (if set) if [ -n "${OPT_NAMESERVER}" ]; then - sed -i '' "s#nameserver.*#nameserver ${OPT_NAMESERVER}#" "${bastille_jail_resolv_conf}" + sed -i '' "/^nameserver.*/d" "${bastille_jail_resolv_conf}" + echo "nameserver ${OPT_NAMESERVER}" >> "${bastille_jail_resolv_conf}" fi # Apply values changed by the template. -- cwells From 5e6b02c7a29776d974b05ff544c670aa737c8eb2 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 21 May 2025 12:41:35 -0600 Subject: [PATCH 14/17] create: Don't allow dots in interface if -B --- usr/local/share/bastille/create.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index cd45ff85..a6ca05d3 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -186,6 +186,12 @@ validate_netif() { else error_exit "[ERROR]: Invalid: (${INTERFACE})." fi + # Don't allow dots in INTERFACE if -V + if [ "${VNET_JAIL}" -eq 1 ] && [ -z "${VNET_JAIL_BRIDGE}" ]; then + if echo "${INTERFACE}" | grep -q "\."; then + error_exit "[ERROR]: [-V|--vnet] does not support dots \(.\) in interface names." + fi + fi } validate_release() { From 5075951133a266067aa04d0b669b9959901f42c8 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 21 May 2025 18:00:44 -0600 Subject: [PATCH 15/17] Update create.sh --- usr/local/share/bastille/create.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index a6ca05d3..90058041 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
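Review bot: The new dot check in validate_netif states the rule but not the reason — `# Don't allow dots in INTERFACE if -V` tells a maintainer nothing about why `em0.100` is acceptable for `-B` but not for `-V` — and the commit subject says `-B` while the condition (`VNET_JAIL` set, `VNET_JAIL_BRIDGE` empty) restricts plain `-V`. The escaping helper added and dropped earlier in this series suggests the reason is jail.conf syntax; if so, say it: `# -V writes INTERFACE verbatim into jail.conf, where an unescaped '.' breaks parsing — TODO confirm; -B is unaffected.` validate_netif begins outside the hunk.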
@@ -699,7 +699,9 @@ create_jail() { # Apply nameserver (if set) if [ -n "${OPT_NAMESERVER}" ]; then sed -i '' "/^nameserver.*/d" "${bastille_jail_resolv_conf}" - echo "nameserver ${OPT_NAMESERVER}" >> "${bastille_jail_resolv_conf}" + for _ns in $(echo ${OPT_NAMESERVER} | sed 's/,/ /g'); do + echo "nameserver ${_ns}" >> "${bastille_jail_resolv_conf}" + done fi # Apply values changed by the template. -- cwells From 213659db3a8666fcaeaff951432774a2968e92ec Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 21 May 2025 18:39:04 -0600 Subject: [PATCH 16/17] Update create.sh --- usr/local/share/bastille/create.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 90058041..c63b6bdb 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -187,7 +187,7 @@ validate_netif() { error_exit "[ERROR]: Invalid: (${INTERFACE})." fi # Don't allow dots in INTERFACE if -V - if [ "${VNET_JAIL}" -eq 1 ] && [ -z "${VNET_JAIL_BRIDGE}" ]; then + if [ -n "${VNET_JAIL}" ] && [ -z "${VNET_JAIL_BRIDGE}" ]; then if echo "${INTERFACE}" | grep -q "\."; then error_exit "[ERROR]: [-V|--vnet] does not support dots \(.\) in interface names." fi From 21c0d75a13da57b58dff7c49332c8dfb49997c68 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 21 May 2025 18:40:37 -0600 Subject: [PATCH 17/17] Update create.sh --- usr/local/share/bastille/create.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index c63b6bdb..35d31639 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
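Review bot: The comma-splitting idiom `$(echo ${OPT_NAMESERVER} | sed 's/,/ /g')` is now duplicated between the option parser and create_jail, each with the same unquoted, glob-prone expansion, and `_ns` is assigned without `local` inside a function. Normalise once where the option is parsed — `OPT_NAMESERVER="$(printf '%s\n' "${OPT_NAMESERVER}" | tr ',' ' ')"` — and iterate with `for _ns in ${OPT_NAMESERVER}; do` here, so validation and the resolv.conf write cannot drift apart. The delete-then-append pair is also unchecked: if the `sed -i ''` succeeds and the `>>` fails, the jail is left with no resolver and no error; an `|| error_exit "[ERROR]: Failed to write ${bastille_jail_resolv_conf}"` on each would at least report it. create_jail begins outside the hunk.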
@@ -189,7 +189,7 @@ validate_netif() { # Don't allow dots in INTERFACE if -V if [ -n "${VNET_JAIL}" ] && [ -z "${VNET_JAIL_BRIDGE}" ]; then if echo "${INTERFACE}" | grep -q "\."; then - error_exit "[ERROR]: [-V|--vnet] does not support dots \(.\) in interface names." + error_exit "[ERROR]: [-V|--vnet] does not support dots (.) in interface names." fi fi }