Mirrors/hackacad
2
0
Fork 0
mirror of https://github.com/hackacad/bastille.git synced 2025-12-21 09:41:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

bastille: Initial support for netgraph

Browse Source
This commit is contained in:
tschettervictor
2025-04-25 14:33:38 -06:00
parent 938c9f6978
commit bf443e8586
4 changed files with 97 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
usr/local/etc/bastille/bastille.conf.sample
View File

@@ -52,6 +52,7 @@ bastille_decompress_gz_options="-k -d -c -v" ## default
bastille_export_options="" ## default "" predefined export options, e.g. "--safe --gz" bastille_export_options="" ## default "" predefined export options, e.g. "--safe --gz"
## Networking ## Networking
bastille_network_vnet_type="if_bridge" ## default: "if_bridge"
bastille_network_loopback="bastille0" ## default: "bastille0" bastille_network_loopback="bastille0" ## default: "bastille0"
bastille_network_pf_ext_if="ext_if" ## default: "ext_if" bastille_network_pf_ext_if="ext_if" ## default: "ext_if"
bastille_network_pf_table="jails" ## default: "jails" bastille_network_pf_table="jails" ## default: "jails"

40
usr/local/share/bastille/common.sh
View File

@@ -360,10 +360,11 @@ EOF
EOF EOF
fi fi
else else
if [ -n "${static_mac}" ]; then if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
## Generate VNET config with static MAC address if [ -n "${static_mac}" ]; then
generate_static_mac "${jail_name}" "${external_interface}" ## Generate VNET config with static MAC address
cat <<-EOF generate_static_mac "${jail_name}" "${external_interface}"
cat <<-EOF
vnet; vnet;
vnet.interface = e0b_${uniq_epair}; vnet.interface = e0b_${uniq_epair};
exec.prestart += "jib addm ${uniq_epair} ${external_interface}"; exec.prestart += "jib addm ${uniq_epair} ${external_interface}";
@@ -372,15 +373,38 @@ EOF
exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\""; exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\"";
exec.poststop += "jib destroy ${uniq_epair}"; exec.poststop += "jib destroy ${uniq_epair}";
EOF EOF
else else
## Generate VNET config without static MAC address ## Generate VNET config without static MAC address
cat <<-EOF cat <<-EOF
vnet; vnet;
vnet.interface = e0b_${uniq_epair}; vnet.interface = e0b_${uniq_epair};
exec.prestart += "jib addm ${uniq_epair} ${external_interface}"; exec.prestart += "jib addm ${uniq_epair} ${external_interface}";
exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\""; exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\"";
exec.poststop += "jib destroy ${uniq_epair}"; exec.poststop += "jib destroy ${uniq_epair}";
EOF EOF
fi
elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
if [ -n "${static_mac}" ]; then
## Generate VNET config with static MAC address
generate_static_mac "${jail_name}" "${external_interface}"
cat <<-EOF
vnet;
vnet.interface = ng0_${uniq_epair};
exec.prestart += "jng bridge ${uniq_epair} ${external_interface}";
exec.prestart += "ifconfig ng0_${uniq_epair} ether ${macaddr}a";
exec.poststop += "jng shutdown ${uniq_epair}";
EOF
else
## Generate VNET config without static MAC address
cat <<-EOF
vnet;
vnet.interface = ng0_${uniq_epair};
exec.prestart += "jng bridge ${uniq_epair} ${external_interface}";
exec.poststop += "jng shutdown ${uniq_epair}";
EOF
fi
else
error_exit "[ERROR]: 'bastille_network_vnet_type' is not set correctly: ${bastille_network_vnet_type}"
fi fi
fi fi
} }
@@ -404,4 +428,4 @@ checkyesno() {
return 1 return 1
;; ;;
esac esac
} }

23
usr/local/share/bastille/create.sh
View File

@@ -528,10 +528,18 @@ create_jail() {
## VNET specific ## VNET specific
if [ -n "${VNET_JAIL}" ]; then if [ -n "${VNET_JAIL}" ]; then
## VNET requires jib script ## VNET requires jib or jng script
if [ ! "$(command -v jib)" ]; then if [ "${bastille_network_vnet_type}" = "if_bridge" ]; then
if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then if [ ! "$(command -v jib)" ]; then
install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then
install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
fi
fi
elif [ "${bastille_network_vnet_type}" = "netgraph" ]; then
if [ ! "$(command -v jib)" ]; then
if [ -f /usr/share/examples/jails/jng ] && [ ! -f /usr/local/bin/jng ]; then
install -m 0544 /usr/share/examples/jails/jng /usr/local/bin/jng
fi
fi fi
fi fi
fi fi
@@ -819,6 +827,11 @@ elif [ -n "${VNET_JAIL}" ] && [ -z "${VNET_JAIL_BRIDGE}" ]; then
fi fi
fi fi
# Do not allow netgraph with -B|--bridge yet...
if [ "${bastille_network_vnet_type}" = "netgraph" ] && [ "${VNET_JAIL_BRIDGE}" -eq 1 ]; then
error_exit "[ERROR]: Netgraph does not support the [-B|--bridge] option."
fi
if [ -n "${LINUX_JAIL}" ] && [ -n "${VALIDATE_RELEASE}" ]; then if [ -n "${LINUX_JAIL}" ] && [ -n "${VALIDATE_RELEASE}" ]; then
case "${RELEASE}" in case "${RELEASE}" in
bionic|ubuntu_bionic|ubuntu|ubuntu-bionic) bionic|ubuntu_bionic|ubuntu|ubuntu-bionic)
@@ -999,4 +1012,4 @@ fi
if check_target_exists "${NAME}"; then if check_target_exists "${NAME}"; then
error_exit "Error: Existing jail found: ${NAME}" error_exit "Error: Existing jail found: ${NAME}"
fi fi
create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}" create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}"

47
usr/local/share/bastille/setup.sh
View File

@@ -41,6 +41,31 @@ if [ $# -gt 1 ]; then
usage usage
fi fi
# Configure netgraph
configure_netgraph() {
if [ ! "$(kldstat -m netgraph)" ]; then
sysrc -f "${BASTILLE_CONFIG}" bastille_network_vnet_type="netgraph"
info "Configuring netgraph modules..."
kldload netgraph
kldload ng_netflow
kldload ng_ksocket
kldload ng_ether
kldload ng_bridge
kldload ng_eiface
kldload ng_socket
sysrc -f /boot/loader.conf netgraph_load="YES"
sysrc -f /boot/loader.conf ng_netflow_load="YES"
sysrc -f /boot/loader.conf ng_ksocket_load="YES"
sysrc -f /boot/loader.conf ng_ether_load="YES"
sysrc -f /boot/loader.conf ng_bridge_load="YES"
sysrc -f /boot/loader.conf ng_eiface_load="YES"
sysrc -f /boot/loader.conf ng_socket_load="YES"
info "Netgraph has been successfully configured!"
else
info "Netgraph has already been configured!"
fi
}
# Configure bastille loopback network interface # Configure bastille loopback network interface
configure_loopback_interface() { configure_loopback_interface() {
if [ -z "$(sysrc -f ${BASTILLE_CONFIG} -n bastille_network_loopback)" ] || ! sysrc -n cloned_interfaces | grep -oq "lo1"; then if [ -z "$(sysrc -f ${BASTILLE_CONFIG} -n bastille_network_loopback)" ] || ! sysrc -n cloned_interfaces | grep -oq "lo1"; then
@@ -224,6 +249,26 @@ case "$1" in
-p|pf|firewall) -p|pf|firewall)
configure_pf configure_pf
;; ;;
-n|netgraph)
warn "[WARNING] Bastille only allows using either 'if_bridge' or 'netgraph'"
warn "as VNET network options. You CANNOT use both on the same system. If you have"
warn "already started using bastille with 'if_bridge' do not continue."
# shellcheck disable=SC3045
read -p "Do you really want to continue setting up netgraph for Bastille? [y|n]:" _answer
case "${_answer}" in
[Yy]|[Yy][Ee][Ss])
configure_vnet
configure_netgraph
;;
[Nn]|[Nn][Oo])
error_exit "Netgraph setup cancelled."
;;
*)
error_exit "Invalid selection. Please answer 'y' or 'n'"
;;
esac
;;
-l|loopback) -l|loopback)
warn "[WARNING] Bastille only allows using either the 'loopback' or 'shared'" warn "[WARNING] Bastille only allows using either the 'loopback' or 'shared'"
warn "interface to be configured ant one time. If you continue, the 'shared'" warn "interface to be configured ant one time. If you continue, the 'shared'"
@@ -270,4 +315,4 @@ case "$1" in
configure_vnet configure_vnet
configure_bridge configure_bridge
;; ;;
esac esac