bastille: Initial support for netgraph

usr/local/etc/bastille/bastille.conf.sample

@@ -52,6 +52,7 @@ bastille_decompress_gz_options="-k -d -c -v"                          ## default
 bastille_export_options=""                                            ## default "" predefined export options, e.g. "--safe --gz"
 
 ## Networking
+bastille_network_vnet_type="if_bridge"                                ## default: "if_bridge"
 bastille_network_loopback="bastille0"                                 ## default: "bastille0"
 bastille_network_pf_ext_if="ext_if"                                   ## default: "ext_if"
 bastille_network_pf_table="jails"                                     ## default: "jails"

usr/local/share/bastille/common.sh

@@ -360,6 +360,7 @@ EOF
 EOF
         fi
     else
+        if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
             if [ -n "${static_mac}" ]; then
                 ## Generate VNET config with static MAC address
                 generate_static_mac "${jail_name}" "${external_interface}"
@@ -382,6 +383,29 @@ EOF
   exec.poststop += "jib destroy ${uniq_epair}";
 EOF
             fi
+        elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
+            if [ -n "${static_mac}" ]; then
+                ## Generate VNET config with static MAC address
+                generate_static_mac "${jail_name}" "${external_interface}"
+                cat <<-EOF
+  vnet;
+  vnet.interface = ng0_${uniq_epair};
+  exec.prestart += "jng bridge ${uniq_epair} ${external_interface}";
+  exec.prestart += "ifconfig ng0_${uniq_epair} ether ${macaddr}a";
+  exec.poststop += "jng shutdown ${uniq_epair}";
+EOF
+            else
+                ## Generate VNET config without static MAC address
+                cat <<-EOF
+  vnet;
+  vnet.interface = ng0_${uniq_epair};
+  exec.prestart += "jng bridge ${uniq_epair} ${external_interface}";
+  exec.poststop += "jng shutdown ${uniq_epair}";
+EOF
+            fi
+        else
+            error_exit "[ERROR]: 'bastille_network_vnet_type' is not set correctly: ${bastille_network_vnet_type}"
+        fi
     fi
 }
 

usr/local/share/bastille/create.sh

@@ -528,12 +528,20 @@ create_jail() {
 
         ## VNET specific
         if [ -n "${VNET_JAIL}" ]; then
-            ## VNET requires jib script
+            ## VNET requires jib or jng script
+            if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
                 if [ ! "$(command -v jib)" ]; then
                     if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then
                         install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
                     fi
                 fi
+            elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
+                if [ ! "$(command -v jib)" ]; then
+                    if [ -f /usr/share/examples/jails/jng ] && [ ! -f /usr/local/bin/jng ]; then
+                        install -m 0544 /usr/share/examples/jails/jng /usr/local/bin/jng
+                    fi
+                fi
+            fi
         fi
     elif [ -n "${LINUX_JAIL}" ]; then
         ## Generate configuration for Linux jail
@@ -819,6 +827,11 @@ elif [ -n "${VNET_JAIL}" ] && [ -z "${VNET_JAIL_BRIDGE}" ]; then
     fi
 fi
 
+# Do not allow netgraph with -B|--bridge yet...
+if [ "${bastille_network_vnet_type}" = "netgraph" ] && [ "${VNET_JAIL_BRIDGE}" -eq 1 ]; then
+    error_exit "[ERROR]: Netgraph does not support the [-B|--bridge] option."
+fi
+
 if [ -n "${LINUX_JAIL}" ] && [ -n "${VALIDATE_RELEASE}" ]; then
     case "${RELEASE}" in
     bionic|ubuntu_bionic|ubuntu|ubuntu-bionic)

usr/local/share/bastille/setup.sh

@@ -41,6 +41,31 @@ if [ $# -gt 1 ]; then
     usage
 fi
 
+# Configure netgraph
+configure_netgraph() {
+    if [ ! "$(kldstat -m netgraph)" ]; then
+        sysrc -f "${BASTILLE_CONFIG}" bastille_network_vnet_type="netgraph"
+        info "Configuring netgraph modules..."
+        kldload netgraph
+        kldload ng_netflow
+        kldload ng_ksocket
+        kldload ng_ether
+        kldload ng_bridge
+        kldload ng_eiface
+        kldload ng_socket
+        sysrc -f /boot/loader.conf netgraph_load="YES"
+        sysrc -f /boot/loader.conf ng_netflow_load="YES"
+        sysrc -f /boot/loader.conf ng_ksocket_load="YES"
+        sysrc -f /boot/loader.conf ng_ether_load="YES"
+        sysrc -f /boot/loader.conf ng_bridge_load="YES"
+        sysrc -f /boot/loader.conf ng_eiface_load="YES"
+        sysrc -f /boot/loader.conf ng_socket_load="YES"
+        info "Netgraph has been successfully configured!"
+    else
+        info "Netgraph has already been configured!"
+    fi
+}
+
 # Configure bastille loopback network interface
 configure_loopback_interface() {
     if [ -z "$(sysrc -f ${BASTILLE_CONFIG} -n bastille_network_loopback)" ] || ! sysrc -n cloned_interfaces | grep -oq "lo1"; then
@@ -224,6 +249,26 @@ case "$1" in
     -p|pf|firewall)
         configure_pf
         ;;
+    -n|netgraph)
+        warn "[WARNING] Bastille only allows using either 'if_bridge' or 'netgraph'"
+        warn "as VNET network options. You CANNOT use both on the same system. If you have"
+        warn "already started using bastille with 'if_bridge' do not continue."
+        # shellcheck disable=SC3045
+        read -p "Do you really want to continue setting up netgraph for Bastille? [y|n]:" _answer
+        case "${_answer}" in
+            [Yy]|[Yy][Ee][Ss])
+                configure_vnet
+                configure_netgraph
+                ;;
+            [Nn]|[Nn][Oo])
+                error_exit "Netgraph setup cancelled."
+                ;;
+            *)
+                error_exit "Invalid selection. Please answer 'y' or 'n'"
+                ;;
+        esac
+        ;;
+
     -l|loopback)
         warn "[WARNING] Bastille only allows using either the 'loopback' or 'shared'"
         warn "interface to be configured ant one time. If you continue, the 'shared'"