Mirrors/hackacad
2
0
Fork 0
mirror of https://github.com/hackacad/bastille.git synced 2025-12-18 08:12:53 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #978 from BastilleBSD/netgraph-support

Browse Source 
bastille: Initial support for netgraph
This commit is contained in:
Barry McCormick
2025-04-30 08:39:11 -07:00
committed by GitHub
parent 0b21a25b1e 9be80bdc75
commit 984c4a1191
8 changed files with 351 additions and 143 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
usr/local/etc/bastille/bastille.conf.sample
View File

@@ -52,6 +52,7 @@ bastille_decompress_gz_options="-k -d -c -v" ## default
bastille_export_options="" ## default "" predefined export options, e.g. "--safe --gz"
## Networking
bastille_network_vnet_type="if_bridge" ## default: "if_bridge"
bastille_network_loopback="bastille0" ## default: "bastille0"
bastille_network_pf_ext_if="ext_if" ## default: "ext_if"
bastille_network_pf_table="jails" ## default: "jails"

95
usr/local/share/bastille/clone.sh
View File

@@ -150,6 +150,7 @@ update_jailconf() {
fi
if grep -qw "vnet;" "${JAIL_CONFIG}"; then
validate_netconf
update_jailconf_vnet
else
_ip4="$(bastille config ${TARGET} get ip4.addr | sed 's/,/ /g')"
@@ -192,18 +193,28 @@ update_jailconf() {
}
update_jailconf_vnet() {
local _jail_conf="${bastille_jailsdir}/${NEWNAME}/jail.conf"
local _rc_conf="${bastille_jailsdir}/${NEWNAME}/root/etc/rc.conf"
# Determine number of interfaces and define a uniq_epair
local _if_list="$(grep -Eo 'epair[0-9]+|bastille[0-9]+' ${_jail_conf} | sort -u)"
# Determine number of interfaces
if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
local _if_list="$(grep -Eo 'epair[0-9]+|e[0-9]+b_bastille[0-9]+' ${_jail_conf} | sort -u)"
elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
local _if_list="$(grep -Eo 'ng[0-9]+_bastille[0-9]+' ${_jail_conf} | sort -u)"
fi
for _if in ${_if_list}; do
# Get number of epairs on the system
get_epair_count
local _epair_num_range=$((_epair_count + 1))
if echo ${_if} | grep -Eoq 'epair[0-9]+'; then
# Get number of interfaces manged by Bastille
get_bastille_if_count
local _bastille_if_num_range=$((_bastille_if_count + 1))
# Update bridged VNET config
for _num in $(seq 0 "${_epair_num_range}"); do
if ! echo "${_epair_list}" | grep -oqswx "${_num}"; then
if echo ${_if} | grep -Eoq 'epair[0-9]+'; then
for _num in $(seq 0 "${_bastille_if_num_range}"); do
if ! echo "${_bastille_if_list}" | grep -oqswx "${_num}"; then
# Generate new epair name
if [ "$(echo -n "e${_num}a_${NEWNAME}" | awk '{print length}')" -lt 16 ]; then
local _new_host_epair="e${_num}a_${NEWNAME}"
@@ -269,26 +280,70 @@ update_jailconf_vnet() {
break
fi
done
elif echo ${_if} | grep -Eoq 'bastille[0-9]+'; then
# Update VNET (non-bridged) config
elif echo ${_if} | grep -Eoq 'e[0-9]+b_bastille[0-9]+'; then
# Update VNET config
for _num in $(seq 0 "${_epair_num_range}"); do
if ! echo "${_epair_list}" | grep -oqswx "${_num}"; then
_if="$(echo ${_if} | grep -Eo 'bastille[0-9]+')"
for _num in $(seq 0 "${_bastille_if_num_range}"); do
if ! echo "${_bastille_if_list}" | grep -oqswx "${_num}"; then
# Update jail.conf epair name
local uniq_epair="bastille${_num}"
local _jail_if="bastille${_num}"
local _jail_vnet="$(grep ${_if} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")"
local _jail_vnet_vlan="$(grep "vlans_${_jail_vnet}" "${_rc_conf}" | sed 's/.*=//g')"
sed -i '' "s|${_if}|${uniq_epair}|g" "${_jail_conf}"
sed -i '' "s|${_if}|${_jail_if}|g" "${_jail_conf}"
# If jail had a static MAC, generate one for clone
if grep ether ${_jail_conf} | grep -qoc ${uniq_epair}; then
local external_interface="$(grep ${uniq_epair} ${_jail_conf} | grep -o 'addm.*' | awk '{print $3}' | sed 's/["|;]//g')"
if grep ether ${_jail_conf} | grep -qoc ${_jail_if}; then
local external_interface="$(grep ${_jail_if} ${_jail_conf} | grep -o 'addm.*' | awk '{print $3}' | sed 's/["|;]//g')"
generate_static_mac "${NEWNAME}" "${external_interface}"
sed -i '' "s|${uniq_epair} ether.*:.*:.*:.*:.*:.*a\";|${uniq_epair} ether ${macaddr}a\";|" "${_jail_conf}"
sed -i '' "s|${uniq_epair} ether.*:.*:.*:.*:.*:.*b\";|${uniq_epair} ether ${macaddr}b\";|" "${_jail_conf}"
sed -i '' "s|${_jail_if} ether.*:.*:.*:.*:.*:.*a\";|${_jail_if} ether ${macaddr}a\";|" "${_jail_conf}"
sed -i '' "s|${_jail_if} ether.*:.*:.*:.*:.*:.*b\";|${_jail_if} ether ${macaddr}b\";|" "${_jail_conf}"
fi
sed -i '' "/${uniq_epair}/ s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}"
sed -i '' "/${_jail_if}/ s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}"
# Update /etc/rc.conf
sed -i '' "s|ifconfig_e0b_${_if}_name|ifconfig_e0b_${uniq_epair}_name|" "${_rc_conf}"
if grep "vnet0" "${_rc_conf}" | grep -q ${uniq_epair}; then
sed -i '' "s|ifconfig_e0b_${_if}_name|ifconfig_e0b_${_jail_if}_name|" "${_rc_conf}"
if grep "vnet0" "${_rc_conf}" | grep -q ${_jail_if}; then
if [ -n "${_jail_vnet_vlan}" ]; then
if [ "${IP}" = "0.0.0.0" ] || [ "${IP}" = "DHCP" ]; then
sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="SYNCDHCP"
else
sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="inet ${IP}"
fi
else
if [ "${IP}" = "0.0.0.0" ] || [ "${IP}" = "DHCP" ]; then
sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP"
else
sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP}"
fi
fi
else
if [ -n "${_jail_vnet_vlan}" ]; then
sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_${_jail_vnet_vlan}="SYNCDHCP"
else
sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP"
fi
fi
break
fi
done
# Update netgraph VNET (non-bridged) config
elif echo ${_if} | grep -Eoq 'ng[0-9]+_bastille[0-9]+'; then
_if="$(echo ${_if} | grep -Eo 'bastille[0-9]+')"
for _num in $(seq 0 "${_bastille_if_num_range}"); do
if ! echo "${_bastille_if_list}" | grep -oqswx "${_num}"; then
# Update jail.conf epair name
local _jail_if="bastille${_num}"
local _jail_vnet="$(grep ${_if} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")"
local _jail_vnet_vlan="$(grep "vlans_${_jail_vnet}" "${_rc_conf}" | sed 's/.*=//g')"
sed -i '' "s|${_if}|${_jail_if}|g" "${_jail_conf}"
# If jail had a static MAC, generate one for clone
if grep ether ${_jail_conf} | grep -qoc ${_jail_if}; then
local external_interface="$(grep ${_jail_if} ${_jail_conf} | grep -o 'jng bridge.*' | awk '{print $4}' | sed 's/["|;]//g')"
generate_static_mac "${NEWNAME}" "${external_interface}"
sed -i '' "s|${_jail_if} ether.*:.*:.*:.*:.*:.*a\";|${_jail_if} ether ${macaddr}a\";|" "${_jail_conf}"
fi
# Update /etc/rc.conf
sed -i '' "s|ifconfig_ng0_${_if}_name|ifconfig_ng0_${_jail_if}_name|" "${_rc_conf}"
if grep "vnet0" "${_rc_conf}" | grep -q ${_jail_if}; then
if [ -n "${_jail_vnet_vlan}" ]; then
if [ "${IP}" = "0.0.0.0" ] || [ "${IP}" = "DHCP" ]; then
sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="SYNCDHCP"

91
usr/local/share/bastille/common.sh
View File

@@ -130,14 +130,24 @@ check_target_is_stopped() {
fi
}
get_epair_count() {
get_bastille_if_count() {
if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
for _config in /usr/local/etc/bastille/*.conf; do
local bastille_jailsdir="$(sysrc -f "${_config}" -n bastille_jailsdir)"
_epair_list="$(printf '%s\n%s' "$( (grep -Ehos '(epair[0-9]+|bastille[0-9]+)' ${bastille_jailsdir}/*/jail.conf; ifconfig -g epair | grep -Eos "_bastille[0-9]+$"; ifconfig -g epair | grep -vs 'bastille' | grep -Eos 'e[0-9]+a_') | grep -Eos '[0-9]+')" "${_epair_list}")"
_bastille_if_list="$(printf '%s\n%s' "$( (grep -Ehos '(epair[0-9]+|bastille[0-9]+)' ${bastille_jailsdir}/*/jail.conf; ifconfig -g epair | grep -Eos "_bastille[0-9]+$"; ifconfig -g epair | grep -vs 'bastille' | grep -Eos 'e[0-9]+a_') | grep -Eos '[0-9]+')" "${_bastille_if_list}")"
done
_epair_count=$(printf '%s' "${_epair_list}" | sort -u | wc -l | awk '{print $1}')
export _epair_list
export _epair_count
_bastille_if_count=$(printf '%s' "${_bastille_if_list}" | sort -u | wc -l | awk '{print $1}')
export _bastille_if_list
export _bastille_if_count
elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
for _config in /usr/local/etc/bastille/*.conf; do
local bastille_jailsdir="$(sysrc -f "${_config}" -n bastille_jailsdir)"
_bastille_if_list="$(printf '%s\n%s' "$( (grep -Ehos 'ng[0-9]+_bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | grep -Eos 'bastille[0-9]+'; ngctl list -n | grep "eiface" | grep -Eos 'ng[0-9]+_bastille[0-9]+' | grep -Eos 'bastille[0-9]+') | grep -Eos '[0-9]+')" "${_bastille_if_list}")"
done
_bastille_if_count=$(printf '%s' "${_bastille_if_list}" | sort -u | wc -l | awk '{print $1}')
export _bastille_if_list
export _bastille_if_count
fi
}
get_jail_name() {
@@ -300,12 +310,12 @@ generate_vnet_jail_netblock() {
local external_interface="${3}"
local static_mac="${4}"
# Get number of epairs on the system
get_epair_count
local _epair_num_range=$((_epair_count + 1))
get_bastille_if_count
local _bastille_if_num_range=$((_bastille_if_count + 1))
if [ -n "${use_unique_bridge}" ]; then
if [ "${_epair_count}" -gt 0 ]; then
for _num in $(seq 0 "${_epair_num_range}"); do
if ! echo "${_epair_list}" | grep -oqswx "${_num}"; then
if [ "${_bastille_if_count}" -gt 0 ]; then
for _num in $(seq 0 "${_bastille_if_num_range}"); do
if ! echo "${_bastille_if_list}" | grep -oqswx "${_num}"; then
if [ "$(echo -n "e${_num}a_${jail_name}" | awk '{print length}')" -lt 16 ]; then
local host_epair=e${_num}a_${jail_name}
local jail_epair=e${_num}b_${jail_name}
@@ -328,15 +338,15 @@ generate_vnet_jail_netblock() {
fi
fi
else
if [ "${_epair_count}" -gt 0 ]; then
for _num in $(seq 0 "${_epair_num_range}"); do
if ! echo "${_epair_list}" | grep -oqswx "${_num}"; then
local uniq_epair="bastille${_num}"
if [ "${_bastille_if_count}" -gt 0 ]; then
for _num in $(seq 0 "${_bastille_if_num_range}"); do
if ! echo "${_bastille_if_list}" | grep -oqswx "${_num}"; then
local _jail_if="bastille${_num}"
break
fi
done
else
local uniq_epair="bastille0"
local _jail_if="bastille0"
fi
fi
## If BRIDGE is enabled, generate bridge config, else generate VNET config
@@ -372,28 +382,59 @@ EOF
EOF
fi
else
if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
if [ -n "${static_mac}" ]; then
## Generate VNET config with static MAC address
generate_static_mac "${jail_name}" "${external_interface}"
cat <<-EOF
vnet;
vnet.interface = e0b_${uniq_epair};
exec.prestart += "jib addm ${uniq_epair} ${external_interface}";
exec.prestart += "ifconfig e0a_${uniq_epair} ether ${macaddr}a";
exec.prestart += "ifconfig e0b_${uniq_epair} ether ${macaddr}b";
exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\"";
exec.poststop += "jib destroy ${uniq_epair}";
vnet.interface = e0b_${_jail_if};
exec.prestart += "jib addm ${_jail_if} ${external_interface}";
exec.prestart += "ifconfig e0a_${_jail_if} ether ${macaddr}a";
exec.prestart += "ifconfig e0b_${_jail_if} ether ${macaddr}b";
exec.prestart += "ifconfig e0a_${_jail_if} description \"vnet0 host interface for Bastille jail ${jail_name}\"";
exec.poststop += "jib destroy ${_jail_if}";
EOF
else
## Generate VNET config without static MAC address
cat <<-EOF
vnet;
vnet.interface = e0b_${uniq_epair};
exec.prestart += "jib addm ${uniq_epair} ${external_interface}";
exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\"";
exec.poststop += "jib destroy ${uniq_epair}";
vnet.interface = e0b_${_jail_if};
exec.prestart += "jib addm ${_jail_if} ${external_interface}";
exec.prestart += "ifconfig e0a_${_jail_if} description \"vnet0 host interface for Bastille jail ${jail_name}\"";
exec.poststop += "jib destroy ${_jail_if}";
EOF
fi
elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
if [ -n "${static_mac}" ]; then
## Generate VNET config with static MAC address
generate_static_mac "${jail_name}" "${external_interface}"
cat <<-EOF
vnet;
vnet.interface = ng0_${_jail_if};
exec.prestart += "jng bridge ${_jail_if} ${external_interface}";
exec.prestart += "ifconfig ng0_${_jail_if} ether ${macaddr}a";
exec.poststop += "jng shutdown ${_jail_if}";
EOF
else
## Generate VNET config without static MAC address
cat <<-EOF
vnet;
vnet.interface = ng0_${_jail_if};
exec.prestart += "jng bridge ${_jail_if} ${external_interface}";
exec.poststop += "jng shutdown ${_jail_if}";
EOF
fi
fi
fi
}
validate_netconf() {
if [ -n "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
error_exit "[ERROR]: 'bastille_network_loopback' and 'bastille_network_shared' cannot both be set."
fi
if [ "${bastille_network_vnet_type}" != "if_bridge" ] && [ "${bastille_network_vnet_type}" != "netgraph" ]; then
error_exit "[ERROR]: 'bastille_network_vnet_type' not set properly: ${bastille_network_vnet_type}"
fi
}

22
usr/local/share/bastille/create.sh
View File

@@ -168,12 +168,6 @@ validate_netif() {
fi
}
validate_netconf() {
if [ -n "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
error_exit "Invalid network configuration."
fi
}
validate_release() {
## ensure the user set the Linux(experimental) option explicitly
if [ -n "${UBUNTU}" ]; then
@@ -528,12 +522,20 @@ create_jail() {
## VNET specific
if [ -n "${VNET_JAIL}" ]; then
## VNET requires jib script
## VNET requires jib or jng script
if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
if [ ! "$(command -v jib)" ]; then
if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then
install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
fi
fi
elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
if [ ! "$(command -v jng)" ]; then
if [ -f /usr/share/examples/jails/jng ] && [ ! -f /usr/local/bin/jng ]; then
install -m 0544 /usr/share/examples/jails/jng /usr/local/bin/jng
fi
fi
fi
fi
elif [ -n "${LINUX_JAIL}" ]; then
## Generate configuration for Linux jail
@@ -819,6 +821,11 @@ elif [ -n "${VNET_JAIL}" ] && [ -z "${VNET_JAIL_BRIDGE}" ]; then
fi
fi
# Do not allow netgraph with -B|--bridge yet...
if [ "${bastille_network_vnet_type}" = "netgraph" ] && [ -n "${VNET_JAIL_BRIDGE}" ]; then
error_exit "[ERROR]: Netgraph does not support the [-B|--bridge] option."
fi
if [ -n "${LINUX_JAIL}" ] && [ -n "${VALIDATE_RELEASE}" ]; then
case "${RELEASE}" in
bionic|ubuntu_bionic|ubuntu|ubuntu-bionic)
@@ -999,4 +1006,5 @@ fi
if check_target_exists "${NAME}"; then
error_exit "Error: Existing jail found: ${NAME}"
fi
create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}"

12
usr/local/share/bastille/import.sh
View File

@@ -236,8 +236,8 @@ generate_config() {
# See if we need to generate a vnet network section
if [ "${IS_VNET_JAIL:-0}" = "1" ]; then
NETBLOCK=$(generate_vnet_jail_netblock "${TARGET_TRIM}" "" "${VNET_DEFAULT_INTERFACE}" "${OPT_STATIC_MAC}")
vnet_requirements
NETBLOCK=$(generate_vnet_jail_netblock "${TARGET_TRIM}" "" "${VNET_DEFAULT_INTERFACE}" "${OPT_STATIC_MAC}")
else
# If there are multiple IP/NIC let the user configure network
IP4_DEFINITION=""
@@ -443,6 +443,7 @@ workout_components() {
vnet_requirements() {
# VNET jib script requirement
if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
if [ ! "$(command -v jib)" ]; then
if [ -f "/usr/share/examples/jails/jib" ] && [ ! -f "/usr/local/bin/jib" ]; then
install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
@@ -450,6 +451,15 @@ vnet_requirements() {
warn "Warning: Unable to locate/install jib script required by VNET jails."
fi
fi
elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
if [ ! "$(command -v jng)" ]; then
if [ -f "/usr/share/examples/jails/jng" ] && [ ! -f "/usr/local/bin/jng" ]; then
install -m 0544 /usr/share/examples/jails/jng /usr/local/bin/jng
else
warn "Warning: Unable to locate/install jng script required by VNET jails."
fi
fi
fi
}
config_netif() {

104
usr/local/share/bastille/network.sh
View File

@@ -148,16 +148,14 @@ if [ "${ACTION}" = "add" ]; then
{ [ "${BRIDGE}" -eq 1 ] && [ "${PASSTHROUGH}" -eq 1 ]; } || \
{ [ "${CLASSIC}" -eq 1 ] && [ "${PASSTHROUGH}" -eq 1 ]; } then
error_notify "Error: Only one of [-B|--bridge], [-C|--classic], [-P|--passthrough] or [-V|--vnet] should be set."
usage
elif [ "${VNET}" -eq 0 ] && [ "${BRIDGE}" -eq 0 ] && [ "${CLASSIC}" -eq 0 ] && [ "${PASSTHROUGH}" -eq 0 ]; then
error_notify "Error: [-B|--bridge], [-C|--classic], [-P|--passthrough] or [-V|--vnet] must be set."
usage
elif [ "${VNET}" -eq 0 ] && [ "${BRIDGE}" -eq 0 ] && [ "${PASSTHROUGH}" -eq 0 ] && [ -n "${VLAN_ID}" ]; then
error_notify "VLANs can only be used with VNET interfaces."
usage
elif [ "${VNET}" -eq 0 ] && [ "${BRIDGE}" -eq 0 ] && [ "${NO_IP}" -eq 1 ]; then
error_notify "[-n|--no-ip] can only be used with VNET jails."
usage
elif [ "${bastille_network_vnet_type}" = "netgraph" ] && [ "${BRIDGE}" -eq 1 ]; then
error_notify "[-B|--bridge] cannot be used with Netgraph."
fi
fi
@@ -210,12 +208,6 @@ validate_netif() {
fi
}
validate_netconf() {
if [ -n "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
error_exit "Invalid network configuration."
fi
}
check_interface_added() {
local _jailname="${1}"
local _if="${2}"
@@ -233,15 +225,15 @@ add_interface() {
local _ip="${3}"
local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf"
local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf"
# Get number of epairs on the system
get_epair_count
# Get number of interfaces manged by Bastille
get_bastille_if_count
local _vnet_if_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l | awk '{print $1}')"
local _if_vnet="vnet$((_vnet_if_count + 1))"
local _epair_num_range=$((_epair_count + 1))
local _bastille_if_num_range=$((_bastille_if_count + 1))
if [ "${BRIDGE}" -eq 1 ]; then
if [ "${_epair_count}" -gt 0 ]; then
for _num in $(seq 0 "${_epair_num_range}"); do
if ! echo "${_epair_list}" | grep -oqswx "${_num}"; then
if [ "${_bastille_if_count}" -gt 0 ]; then
for _num in $(seq 0 "${_bastille_if_num_range}"); do
if ! echo "${_bastille_if_list}" | grep -oqswx "${_num}"; then
if [ "$(echo -n "e${_num}a_${jail_name}" | awk '{print length}')" -lt 16 ]; then
local host_epair=e${_num}a_${_jailname}
local jail_epair=e${_num}b_${_jailname}
@@ -313,9 +305,10 @@ EOF
echo "Added interface: \"${_if}\""
elif [ "${VNET}" -eq 1 ]; then
for _num in $(seq 0 "${_epair_num_range}"); do
if ! echo "${_epair_list}" | grep -oqswx "${_num}"; then
local bastille_epair="bastille${_num}"
if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
for _num in $(seq 0 "${_bastille_if_num_range}"); do
if ! echo "${_bastille_if_list}" | grep -oqswx "${_num}"; then
local _jail_if="bastille${_num}"
break
fi
done
@@ -325,28 +318,28 @@ EOF
# Generate NETBLOCK with static MAC
generate_static_mac "${_jailname}" "${_if}"
cat << EOF >> "${_jail_config}"
## ${bastille_epair} interface
vnet.interface += e0b_${bastille_epair};
exec.prestart += "jib addm ${bastille_epair} ${_if}";
exec.prestart += "ifconfig e0a_${bastille_epair} ether ${macaddr}a";
exec.prestart += "ifconfig e0b_${bastille_epair} ether ${macaddr}b";
exec.prestart += "ifconfig e0a_${bastille_epair} description \"${_if_vnet} host interface for Bastille jail ${_jailname}\"";
exec.poststop += "jib destroy ${bastille_epair}";
## ${_jail_if} interface
vnet.interface += e0b_${_jail_if};
exec.prestart += "jib addm ${_jail_if} ${_if}";
exec.prestart += "ifconfig e0a_${_jail_if} ether ${macaddr}a";
exec.prestart += "ifconfig e0b_${_jail_if} ether ${macaddr}b";
exec.prestart += "ifconfig e0a_${_jail_if} description \"${_if_vnet} host interface for Bastille jail ${_jailname}\"";
exec.poststop += "jib destroy ${_jail_if}";
}
EOF
else
# Generate NETBLOCK without static MAC
cat << EOF >> "${_jail_config}"
## ${bastille_epair} interface
vnet.interface += e0b_${bastille_epair};
exec.prestart += "jib addm ${bastille_epair} ${_if}";
exec.prestart += "ifconfig e0a_${bastille_epair} description \"${_if_vnet} host interface for Bastille jail ${_jailname}\"";
exec.poststop += "jib destroy ${bastille_epair}";
## ${_jail_if} interface
vnet.interface += e0b_${_jail_if};
exec.prestart += "jib addm ${_jail_if} ${_if}";
exec.prestart += "ifconfig e0a_${_jail_if} description \"${_if_vnet} host interface for Bastille jail ${_jailname}\"";
exec.poststop += "jib destroy ${_jail_if}";
}
EOF
fi
# Add config to /etc/rc.conf
sysrc -f "${_jail_rc_config}" ifconfig_e0b_${bastille_epair}_name="${_if_vnet}"
sysrc -f "${_jail_rc_config}" ifconfig_e0b_${_jail_if}_name="${_if_vnet}"
if [ -n "${_ip}" ]; then
# If 0.0.0.0 set DHCP, else set static IP address
if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ]; then
@@ -358,7 +351,50 @@ EOF
info "[${_jailname}]:"
echo "Added VNET interface: \"${_if}\""
elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
for _num in $(seq 0 "${_bastille_if_num_range}"); do
if ! echo "${_bastille_if_list}" | grep -oqswx "${_num}"; then
local _jail_if="bastille${_num}"
break
fi
done
# Remove ending brace (it is added again with the netblock)
sed -i '' '/}/d' "${_jail_config}"
if [ "${STATIC_MAC}" -eq 1 ]; then
# Generate NETBLOCK with static MAC
generate_static_mac "${_jailname}" "${_if}"
cat << EOF >> "${_jail_config}"
## ${_jail_if} interface
vnet.interface += ng0_${_jail_if};
exec.prestart += "jng bridge ${_jail_if} ${_if}";
exec.prestart += "ifconfig ng0_${_jail_if} ether ${macaddr}a";
exec.poststop += "jng shutdown ${_jail_if}";
}
EOF
else
# Generate NETBLOCK without static MAC
cat << EOF >> "${_jail_config}"
## ${_jail_if} interface
vnet.interface += e0b_${_jail_if};
exec.prestart += "jng bridge ${_jail_if} ${_if}";
exec.poststop += "jng shutdown ${_jail_if}";
}
EOF
fi
# Add config to /etc/rc.conf
sysrc -f "${_jail_rc_config}" ifconfig_jng_${_jail_if}_name="${_if_vnet}"
if [ -n "${_ip}" ]; then
# If 0.0.0.0 set DHCP, else set static IP address
if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ]; then
sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP"
else
sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="inet ${_ip}"
fi
fi
info "[${_jailname}]:"
echo "Added VNET interface: \"${_if}\""
fi
elif [ "${PASSTHROUGH}" -eq 1 ]; then
# Remove ending brace (it is added again with the netblock)
sed -i '' '/}/d' "${_jail_config}"
@@ -402,7 +438,11 @@ remove_interface() {
local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf"
if grep -q ${_if} ${_jail_config} | grep -Eoq -m 1 'bastille[0-9]+'; then
local _if_bastille_num="$(grep ${_if} ${_jail_config} | grep -Eo -m 1 "bastille[0-9]+" | grep -Eo "[0-9]+")"
if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
local _if_jail="e0b_bastille${_if_bastille_num}"
elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
local _if_jail="ng0_bastille${_if_bastille_num}"
fi
_if_type="bastille"
elif grep -q ${_if} ${_jail_config} | grep -Eoq -m 1 "epair[0-9]+"; then
local _if_epair_num="$(grep ${_if} ${_jail_config} | grep -Eo -m 1 "epair[0-9]+" | grep -Eo "[0-9]+")"

12
usr/local/share/bastille/rename.sh
View File

@@ -114,10 +114,18 @@ update_jailconf() {
}
update_jailconf_vnet() {
local _jail_conf="${bastille_jailsdir}/${NEWNAME}/jail.conf"
local _rc_conf="${bastille_jailsdir}/${NEWNAME}/root/etc/rc.conf"
# Change epair name (if needed)
local _if_list="$(grep -Eo 'epair[0-9]+|bastille[0-9]+' ${_jail_conf} | sort -u)"
# Change bastille interface name (only needed for bridged epairs)
# We still gather interface names for JIB and JNG managed interfaces (for future use)
if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
local _if_list="$(grep -Eo 'epair[0-9]+|e[0-9]+_bastille[0-9]+' ${_jail_conf} | sort -u)"
elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
local _if_list="$(grep -Eo 'ng[0-9]+_bastille[0-9]+' ${_jail_conf} | sort -u)"
fi
for _if in ${_if_list}; do
if echo ${_if} | grep -Eoq 'epair[0-9]+'; then
# Check if epair name = jail name

45
usr/local/share/bastille/setup.sh
View File

@@ -41,6 +41,31 @@ if [ $# -gt 1 ]; then
usage
fi
# Configure netgraph
configure_netgraph() {
if [ ! "$(kldstat -m netgraph)" ]; then
sysrc -f "${BASTILLE_CONFIG}" bastille_network_vnet_type="netgraph"
info "Configuring netgraph modules..."
kldload netgraph
kldload ng_netflow
kldload ng_ksocket
kldload ng_ether
kldload ng_bridge
kldload ng_eiface
kldload ng_socket
sysrc -f /boot/loader.conf netgraph_load="YES"
sysrc -f /boot/loader.conf ng_netflow_load="YES"
sysrc -f /boot/loader.conf ng_ksocket_load="YES"
sysrc -f /boot/loader.conf ng_ether_load="YES"
sysrc -f /boot/loader.conf ng_bridge_load="YES"
sysrc -f /boot/loader.conf ng_eiface_load="YES"
sysrc -f /boot/loader.conf ng_socket_load="YES"
info "Netgraph has been successfully configured!"
else
info "Netgraph has already been configured!"
fi
}
# Configure bastille loopback network interface
configure_loopback_interface() {
if [ -z "$(sysrc -f ${BASTILLE_CONFIG} -n bastille_network_loopback)" ] || ! sysrc -n cloned_interfaces | grep -oq "lo1"; then
@@ -224,6 +249,26 @@ case "$1" in
-p|pf|firewall)
configure_pf
;;
-n|netgraph)
warn "[WARNING] Bastille only allows using either 'if_bridge' or 'netgraph'"
warn "as VNET network options. You CANNOT use both on the same system. If you have"
warn "already started using bastille with 'if_bridge' do not continue."
# shellcheck disable=SC3045
read -p "Do you really want to continue setting up netgraph for Bastille? [y|n]:" _answer
case "${_answer}" in
[Yy]|[Yy][Ee][Ss])
configure_vnet
configure_netgraph
;;
[Nn]|[Nn][Oo])
error_exit "Netgraph setup cancelled."
;;
*)
error_exit "Invalid selection. Please answer 'y' or 'n'"
;;
esac
;;
-l|loopback)
warn "[WARNING] Bastille only allows using either the 'loopback' or 'shared'"
warn "interface to be configured ant one time. If you continue, the 'shared'"