diff --git a/usr/local/etc/bastille/bastille.conf.sample b/usr/local/etc/bastille/bastille.conf.sample
index cfdca5b0..5287c8eb 100644
--- a/usr/local/etc/bastille/bastille.conf.sample
+++ b/usr/local/etc/bastille/bastille.conf.sample
@@ -52,6 +52,7 @@ bastille_decompress_gz_options="-k -d -c -v" ## default
 bastille_export_options="" ## default "" predefined export options, e.g. "--safe --gz"
 
 ## Networking
+bastille_network_vnet_type="if_bridge" ## default: "if_bridge"
 bastille_network_loopback="bastille0" ## default: "bastille0"
 bastille_network_pf_ext_if="ext_if" ## default: "ext_if"
 bastille_network_pf_table="jails" ## default: "jails"
diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh
index a5430a5a..b1e3cbba 100644
--- a/usr/local/share/bastille/common.sh
+++ b/usr/local/share/bastille/common.sh
@@ -360,10 +360,11 @@ EOF
 EOF
 fi
 else
- if [ -n "${static_mac}" ]; then
- ## Generate VNET config with static MAC address
- generate_static_mac "${jail_name}" "${external_interface}"
- cat <<-EOF
+ if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
+ if [ -n "${static_mac}" ]; then
+ ## Generate VNET config with static MAC address
+ generate_static_mac "${jail_name}" "${external_interface}"
+ cat <<-EOF
 vnet;
 vnet.interface = e0b_${uniq_epair};
 exec.prestart += "jib addm ${uniq_epair} ${external_interface}";
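Review bot: An existing bastille.conf written before `bastille_network_vnet_type` existed leaves the variable empty, and the new `if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then` then skips the if_bridge branch; combined with the `else` branch added in the @@ -372 hunk, every upgraded VNET jail lands in `error_exit "... is not set correctly: "` with an empty value, and the create.sh @@ -528 hunk installs neither helper because it has no else at all. Defaulting at the comparison keeps old configs working, `if [ "${bastille_network_vnet_type:-if_bridge}" = "if_bridge" ]; then`, or assign `bastille_network_vnet_type="${bastille_network_vnet_type:-if_bridge}"` once where the config file is sourced, and apply the same default to the create.sh check. The enclosing function starts before this hunk and its body continues past it.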
@@ -372,15 +373,38 @@ EOF
 exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\"";
 exec.poststop += "jib destroy ${uniq_epair}";
 EOF
- else
- ## Generate VNET config without static MAC address
- cat <<-EOF
+ else
+ ## Generate VNET config without static MAC address
+ cat <<-EOF
 vnet;
 vnet.interface = e0b_${uniq_epair};
 exec.prestart += "jib addm ${uniq_epair} ${external_interface}";
 exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\"";
 exec.poststop += "jib destroy ${uniq_epair}";
 EOF
+ fi
+ elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
+ if [ -n "${static_mac}" ]; then
+ ## Generate VNET config with static MAC address
+ generate_static_mac "${jail_name}" "${external_interface}"
+ cat <<-EOF
+ vnet;
+ vnet.interface = ng0_${uniq_epair};
+ exec.prestart += "jng bridge ${uniq_epair} ${external_interface}";
+ exec.prestart += "ifconfig ng0_${uniq_epair} ether ${macaddr}a";
+ exec.poststop += "jng shutdown ${uniq_epair}";
+EOF
+ else
+ ## Generate VNET config without static MAC address
+ cat <<-EOF
+ vnet;
+ vnet.interface = ng0_${uniq_epair};
+ exec.prestart += "jng bridge ${uniq_epair} ${external_interface}";
+ exec.poststop += "jng shutdown ${uniq_epair}";
+EOF
+ fi
+ else
+ error_exit "[ERROR]: 'bastille_network_vnet_type' is not set correctly: ${bastille_network_vnet_type}"
 fi
 fi
 }
@@ -404,4 +428,4 @@ checkyesno() {
 return 1
 ;;
 esac
-}
+}
\ No newline at end of file
diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh
index c4edf71d..95710294 100644
--- a/usr/local/share/bastille/create.sh
+++ b/usr/local/share/bastille/create.sh
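Review bot: `${macaddr}` in the netgraph static-MAC heredoc (`exec.prestart += "ifconfig ng0_${uniq_epair} ether ${macaddr}a"`) is not assigned anywhere in this hunk; it is presumably populated by the `generate_static_mac` call on the line above, as the if_bridge branch appears to rely on as well, and a one-line comment would save the next reader the lookup: `## ${macaddr} is set by generate_static_mac above; "a" selects the jail-side address`. The trailing `a` suffix deserves the same note, since nothing visible here says what distinguishes it. The two netgraph heredocs differ only by that `ether` line, so emitting one heredoc and appending the `ether` line only when `static_mac` is set would halve the duplicated jail.conf template, but that is a style choice. The enclosing function starts before this hunk; its closing `}` is the last context line.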
@@ -528,10 +528,18 @@ create_jail() {
 
 ## VNET specific
 if [ -n "${VNET_JAIL}" ]; then
- ## VNET requires jib script
- if [ ! "$(command -v jib)" ]; then
- if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then
- install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
+ ## VNET requires jib or jng script
+ if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
+ if [ ! "$(command -v jib)" ]; then
+ if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then
+ install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
+ fi
+ fi
+ elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
+ if [ ! "$(command -v jib)" ]; then
+ if [ -f /usr/share/examples/jails/jng ] && [ ! -f /usr/local/bin/jng ]; then
+ install -m 0544 /usr/share/examples/jails/jng /usr/local/bin/jng
+ fi
 fi
 fi
 fi
@@ -819,6 +827,11 @@ elif [ -n "${VNET_JAIL}" ] && [ -z "${VNET_JAIL_BRIDGE}" ]; then
 fi
 fi
 
+# Do not allow netgraph with -B|--bridge yet...
+if [ "${bastille_network_vnet_type}" = "netgraph" ] && [ "${VNET_JAIL_BRIDGE}" -eq 1 ]; then
+ error_exit "[ERROR]: Netgraph does not support the [-B|--bridge] option."
+fi
+
 if [ -n "${LINUX_JAIL}" ] && [ -n "${VALIDATE_RELEASE}" ]; then
 case "${RELEASE}" in
 bionic|ubuntu_bionic|ubuntu|ubuntu-bionic)
@@ -999,4 +1012,4 @@ fi
 if check_target_exists "${NAME}"; then
 error_exit "Error: Existing jail found: ${NAME}"
 fi
-create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}"
+create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}"
\ No newline at end of file
diff --git a/usr/local/share/bastille/setup.sh b/usr/local/share/bastille/setup.sh
index 30933f32..25ddfe0e 100644
--- a/usr/local/share/bastille/setup.sh
+++ b/usr/local/share/bastille/setup.sh
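Review bot: The netgraph branch tests for the wrong helper: `if [ ! "$(command -v jib)" ]; then` guards the jng install, so on a host where jib is already on PATH jng is never installed and the jail's `exec.prestart += "jng bridge ..."` hook (emitted by common.sh) will fail at start, while on a host without jib the jng copy happens only by coincidence. The line should read `if [ ! "$(command -v jng)" ]; then`. When the value is neither `if_bridge` nor `netgraph` this block installs nothing and create continues, whereas common.sh now stops with error_exit; a matching `else error_exit "[ERROR]: 'bastille_network_vnet_type' is not set correctly: ${bastille_network_vnet_type}"` here would surface the misconfiguration before any jail is created. create_jail starts before this hunk and continues past it.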
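Review bot: `[ "${VNET_JAIL_BRIDGE}" -eq 1 ]` is an integer comparison, and the `[ -z "${VNET_JAIL_BRIDGE}" ]` in this hunk's header line suggests the variable is empty when -B is not given; `test "" -eq 1` then prints a diagnostic on stderr (the exact wording depends on the shell's test builtin) for every netgraph create without -B, and the guard only works because the failed test also evaluates false. Matching the shape the surrounding code already uses, `[ -n "${VNET_JAIL_BRIDGE}" ]`, or defaulting the operand, `[ "${VNET_JAIL_BRIDGE:-0}" -eq 1 ]`, removes the noise; which one is right depends on how the option parser sets the variable, which is outside the hunk. The trailing `yet...` in the comment is a good place to state the actual constraint, e.g. `# A netgraph jail attaches via jng, not an if_bridge member, so -B|--bridge has no meaning here`.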
@@ -41,6 +41,31 @@ if [ $# -gt 1 ]; then
 usage
 fi
 
+# Configure netgraph
+configure_netgraph() {
+ if [ ! "$(kldstat -m netgraph)" ]; then
+ sysrc -f "${BASTILLE_CONFIG}" bastille_network_vnet_type="netgraph"
+ info "Configuring netgraph modules..."
+ kldload netgraph
+ kldload ng_netflow
+ kldload ng_ksocket
+ kldload ng_ether
+ kldload ng_bridge
+ kldload ng_eiface
+ kldload ng_socket
+ sysrc -f /boot/loader.conf netgraph_load="YES"
+ sysrc -f /boot/loader.conf ng_netflow_load="YES"
+ sysrc -f /boot/loader.conf ng_ksocket_load="YES"
+ sysrc -f /boot/loader.conf ng_ether_load="YES"
+ sysrc -f /boot/loader.conf ng_bridge_load="YES"
+ sysrc -f /boot/loader.conf ng_eiface_load="YES"
+ sysrc -f /boot/loader.conf ng_socket_load="YES"
+ info "Netgraph has been successfully configured!"
+ else
+ info "Netgraph has already been configured!"
+ fi
+}
+
 # Configure bastille loopback network interface
 configure_loopback_interface() {
 if [ -z "$(sysrc -f ${BASTILLE_CONFIG} -n bastille_network_loopback)" ] || ! sysrc -n cloned_interfaces | grep -oq "lo1"; then
@@ -224,6 +249,26 @@ case "$1" in
 -p|pf|firewall)
 configure_pf
 ;;
+ -n|netgraph)
+ warn "[WARNING] Bastille only allows using either 'if_bridge' or 'netgraph'"
+ warn "as VNET network options. You CANNOT use both on the same system. If you have"
+ warn "already started using bastille with 'if_bridge' do not continue."
+ # shellcheck disable=SC3045
+ read -p "Do you really want to continue setting up netgraph for Bastille? [y|n]:" _answer
+ case "${_answer}" in
+ [Yy]|[Yy][Ee][Ss])
+ configure_vnet
+ configure_netgraph
+ ;;
+ [Nn]|[Nn][Oo])
+ error_exit "Netgraph setup cancelled."
+ ;;
+ *)
+ error_exit "Invalid selection. Please answer 'y' or 'n'"
+ ;;
+ esac
+ ;;
+
 -l|loopback)
 warn "[WARNING] Bastille only allows using either the 'loopback' or 'shared'"
 warn "interface to be configured ant one time. If you continue, the 'shared'"
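Review bot: `sysrc -f "${BASTILLE_CONFIG}" bastille_network_vnet_type="netgraph"` only runs inside the `kldstat -m netgraph` branch, so on a host where the netgraph module is already loaded (by another tool, or by a previous partial run) the config is never switched, the user is told "Netgraph has already been configured!", and bastille silently keeps using if_bridge. The config write belongs above the `if`, and the module probe should not depend on parsing output: `if ! kldstat -q -m netgraph; then`. None of the seven `kldload` calls is checked, so a module that fails to load is still followed by "successfully configured" and the loader.conf entries are written regardless; loading from a list with one check per module keeps the function honest and removes the fourteen near-identical lines.

```shell
configure_netgraph() {
  sysrc -f "${BASTILLE_CONFIG}" bastille_network_vnet_type="netgraph"
  if ! kldstat -q -m netgraph; then
    info "Configuring netgraph modules..."
    for _mod in netgraph ng_netflow ng_ksocket ng_ether ng_bridge ng_eiface ng_socket; do
      kldload -n "${_mod}" || error_exit "[ERROR]: failed to load kernel module: ${_mod}"
      sysrc -f /boot/loader.conf "${_mod}_load=YES"
    done
    info "Netgraph has been successfully configured!"
  else
    info "Netgraph has already been configured!"
  fi
}
```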
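Review bot: The three `warn` lines tell the user not to continue if if_bridge is already in use, but nothing in the `-n|netgraph)` arm checks it; reading the current setting with `_cur=$(sysrc -f "${BASTILLE_CONFIG}" -n bastille_network_vnet_type)` and showing it in the prompt, or refusing when if_bridge jails already exist, would turn the advice into a check (whether a helper to enumerate existing jails is available is outside this hunk). The prompt string ends in `[y|n]:` with no trailing space, so the typed answer runs straight into the colon; `[y|n]: ` reads better. It is also worth confirming that `usage` (outside the hunk) lists the new `-n|netgraph` option alongside `-p|pf|firewall` and `-l|loopback`.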
@@ -270,4 +315,4 @@ case "$1" in
 configure_vnet
 configure_bridge
 ;;
-esac
+esac
\ No newline at end of file