bastille: Initial support for netgraph

2025-12-17 15:50:11 +01:00 · 2025-04-25 14:33:38 -06:00
parent 938c9f6978
commit bf443e8586
4 changed files with 97 additions and 14 deletions
--- a/usr/local/etc/bastille/bastille.conf.sample
+++ b/usr/local/etc/bastille/bastille.conf.sample
@@ -52,6 +52,7 @@ bastille_decompress_gz_options="-k -d -c -v"                          ## default
 bastille_export_options=""                                            ## default "" predefined export options, e.g. "--safe --gz"

 ## Networking
+bastille_network_vnet_type="if_bridge"                                ## default: "if_bridge"
 bastille_network_loopback="bastille0"                                 ## default: "bastille0"
 bastille_network_pf_ext_if="ext_if"                                   ## default: "ext_if"
 bastille_network_pf_table="jails"                                     ## default: "jails"
--- a/usr/local/share/bastille/common.sh
+++ b/usr/local/share/bastille/common.sh
@@ -360,10 +360,11 @@ EOF
 EOF
        fi
    else
-        if [ -n "${static_mac}" ]; then
-            ## Generate VNET config with static MAC address
-            generate_static_mac "${jail_name}" "${external_interface}"
-            cat <<-EOF
+        if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
+            if [ -n "${static_mac}" ]; then
+                ## Generate VNET config with static MAC address
+                generate_static_mac "${jail_name}" "${external_interface}"
+                cat <<-EOF
  vnet;
  vnet.interface = e0b_${uniq_epair};
  exec.prestart += "jib addm ${uniq_epair} ${external_interface}";
@@ -372,15 +373,38 @@ EOF
  exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\"";
  exec.poststop += "jib destroy ${uniq_epair}";
 EOF
-        else
-            ## Generate VNET config without static MAC address
-            cat <<-EOF
+            else
+                ## Generate VNET config without static MAC address
+                cat <<-EOF
  vnet;
  vnet.interface = e0b_${uniq_epair};
  exec.prestart += "jib addm ${uniq_epair} ${external_interface}";
  exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\"";
  exec.poststop += "jib destroy ${uniq_epair}";
 EOF
+            fi
+        elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
+            if [ -n "${static_mac}" ]; then
+                ## Generate VNET config with static MAC address
+                generate_static_mac "${jail_name}" "${external_interface}"
+                cat <<-EOF
+  vnet;
+  vnet.interface = ng0_${uniq_epair};
+  exec.prestart += "jng bridge ${uniq_epair} ${external_interface}";
+  exec.prestart += "ifconfig ng0_${uniq_epair} ether ${macaddr}a";
+  exec.poststop += "jng shutdown ${uniq_epair}";
+EOF
+            else
+                ## Generate VNET config without static MAC address
+                cat <<-EOF
+  vnet;
+  vnet.interface = ng0_${uniq_epair};
+  exec.prestart += "jng bridge ${uniq_epair} ${external_interface}";
+  exec.poststop += "jng shutdown ${uniq_epair}";
+EOF
+            fi
+        else
+            error_exit "[ERROR]: 'bastille_network_vnet_type' is not set correctly: ${bastille_network_vnet_type}"
        fi
    fi
 }
@@ -404,4 +428,4 @@ checkyesno() {
        return 1
        ;;
    esac
-}
+}
--- a/usr/local/share/bastille/create.sh
+++ b/usr/local/share/bastille/create.sh
@@ -528,10 +528,18 @@ create_jail() {

        ## VNET specific
        if [ -n "${VNET_JAIL}" ]; then
-            ## VNET requires jib script
-            if [ ! "$(command -v jib)" ]; then
-                if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then
-                    install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
+            ## VNET requires jib or jng script
+            if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
+                if [ ! "$(command -v jib)" ]; then
+                    if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then
+                        install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
+                    fi
+                fi
+            elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
+                if [ ! "$(command -v jib)" ]; then
+                    if [ -f /usr/share/examples/jails/jng ] && [ ! -f /usr/local/bin/jng ]; then
+                        install -m 0544 /usr/share/examples/jails/jng /usr/local/bin/jng
+                    fi
                fi
            fi
        fi
@@ -819,6 +827,11 @@ elif [ -n "${VNET_JAIL}" ] && [ -z "${VNET_JAIL_BRIDGE}" ]; then
    fi
 fi

+# Do not allow netgraph with -B|--bridge yet...
+if [ "${bastille_network_vnet_type}" = "netgraph" ] && [ "${VNET_JAIL_BRIDGE}" -eq 1 ]; then
+    error_exit "[ERROR]: Netgraph does not support the [-B|--bridge] option."
+fi
+
 if [ -n "${LINUX_JAIL}" ] && [ -n "${VALIDATE_RELEASE}" ]; then
    case "${RELEASE}" in
    bionic|ubuntu_bionic|ubuntu|ubuntu-bionic)
@@ -999,4 +1012,4 @@ fi
 if check_target_exists "${NAME}"; then
    error_exit "Error: Existing jail found: ${NAME}"
 fi
-create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}"
+create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}"
--- a/usr/local/share/bastille/setup.sh
+++ b/usr/local/share/bastille/setup.sh
@@ -41,6 +41,31 @@ if [ $# -gt 1 ]; then
    usage
 fi

+# Configure netgraph
+configure_netgraph() {
+    if [ ! "$(kldstat -m netgraph)" ]; then
+        sysrc -f "${BASTILLE_CONFIG}" bastille_network_vnet_type="netgraph"
+        info "Configuring netgraph modules..."
+        kldload netgraph
+        kldload ng_netflow
+        kldload ng_ksocket
+        kldload ng_ether
+        kldload ng_bridge
+        kldload ng_eiface
+        kldload ng_socket
+        sysrc -f /boot/loader.conf netgraph_load="YES"
+        sysrc -f /boot/loader.conf ng_netflow_load="YES"
+        sysrc -f /boot/loader.conf ng_ksocket_load="YES"
+        sysrc -f /boot/loader.conf ng_ether_load="YES"
+        sysrc -f /boot/loader.conf ng_bridge_load="YES"
+        sysrc -f /boot/loader.conf ng_eiface_load="YES"
+        sysrc -f /boot/loader.conf ng_socket_load="YES"
+        info "Netgraph has been successfully configured!"
+    else
+        info "Netgraph has already been configured!"
+    fi
+}
+
 # Configure bastille loopback network interface
 configure_loopback_interface() {
    if [ -z "$(sysrc -f ${BASTILLE_CONFIG} -n bastille_network_loopback)" ] || ! sysrc -n cloned_interfaces | grep -oq "lo1"; then
@@ -224,6 +249,26 @@ case "$1" in
    -p|pf|firewall)
        configure_pf
        ;;
+    -n|netgraph)
+        warn "[WARNING] Bastille only allows using either 'if_bridge' or 'netgraph'"
+        warn "as VNET network options. You CANNOT use both on the same system. If you have"
+        warn "already started using bastille with 'if_bridge' do not continue."
+        # shellcheck disable=SC3045
+        read -p "Do you really want to continue setting up netgraph for Bastille? [y|n]:" _answer
+        case "${_answer}" in
+            [Yy]|[Yy][Ee][Ss])
+                configure_vnet
+                configure_netgraph
+                ;;
+            [Nn]|[Nn][Oo])
+                error_exit "Netgraph setup cancelled."
+                ;;
+            *)
+                error_exit "Invalid selection. Please answer 'y' or 'n'"
+                ;;
+        esac
+        ;;
+
    -l|loopback)
        warn "[WARNING] Bastille only allows using either the 'loopback' or 'shared'"
        warn "interface to be configured ant one time. If you continue, the 'shared'"
@@ -270,4 +315,4 @@ case "$1" in
        configure_vnet
        configure_bridge
        ;;
-esac
+esac