diff --git a/README.md b/README.md
index ca2d2d38..5c44667e 100644
--- a/README.md
+++ b/README.md
@@ -95,6 +95,7 @@ Available Commands:
 Use "bastille -v|--version" for version information.
 Use "bastille command -h|--help" for more information about a command.
+Use "bastille [-c|--config FILE] command" to specify a non-default config file.
 ```
diff --git a/docs/chapters/configuration.rst b/docs/chapters/configuration.rst
new file mode 100644
index 00000000..1249c822
--- /dev/null
+++ b/docs/chapters/configuration.rst
@@ -0,0 +1,106 @@ +Configuration +============= + +Bastille is configured using a default config file located at `/usr/local/etc/bastille/bastille.conf`. When first installing +bastille, you will be asked if you want to copy the sample config file to this location. The default are sensible for UFS, but +if you want to use ZFS, you will have to change a few options. See the chapter on ZFS Support. + +This is the default `bastille.conf` file. + +.. code-block:: shell + + ##################### + ## [ BastilleBSD ] ## + ##################### + + ## default paths + bastille_prefix="/usr/local/bastille" ## default: "/usr/local/bastille" + bastille_backupsdir="${bastille_prefix}/backups" ## default: "${bastille_prefix}/backups" + bastille_cachedir="${bastille_prefix}/cache" ## default: "${bastille_prefix}/cache" + bastille_jailsdir="${bastille_prefix}/jails" ## default: "${bastille_prefix}/jails" + bastille_releasesdir="${bastille_prefix}/releases" ## default: "${bastille_prefix}/releases" + bastille_templatesdir="${bastille_prefix}/templates" ## default: "${bastille_prefix}/templates" + bastille_logsdir="/var/log/bastille" ## default: "/var/log/bastille" + + ## pf configuration path + bastille_pf_conf="/etc/pf.conf" ## default: "/etc/pf.conf" + + ## bastille scripts directory (assumed by bastille pkg) + bastille_sharedir="/usr/local/share/bastille" ## default: "/usr/local/share/bastille" + + ## bootstrap archives, which components of the OS to install. 
+ ## base - The base OS, kernel + userland + ## lib32 - Libraries for compatibility with 32 bit binaries + ## ports - The FreeBSD ports (3rd party applications) tree + ## src - The source code to the kernel + userland + ## test - The FreeBSD test suite + ## this is a whitespace separated list: + ## bastille_bootstrap_archives="base lib32 ports src test" + bastille_bootstrap_archives="base" ## default: "base" + + ## default timezone + bastille_tzdata="" ## default: empty to use host's time zone + + ## default jail resolv.conf + bastille_resolv_conf="/etc/resolv.conf" ## default: "/etc/resolv.conf" + + ## bootstrap urls + bastille_url_freebsd="http://ftp.freebsd.org/pub/FreeBSD/releases/" ## default: "http://ftp.freebsd.org/pub/FreeBSD/releases/" + bastille_url_hardenedbsd="https://installers.hardenedbsd.org/pub/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/" + bastille_url_midnightbsd="https://www.midnightbsd.org/ftp/MidnightBSD/releases/" ## default: "https://www.midnightbsd.org/pub/MidnightBSD/releases/" + + ## ZFS options + bastille_zfs_enable="NO" ## default: "NO" + bastille_zfs_zpool="" ## default: "" + bastille_zfs_prefix="bastille" ## default: "bastille" + bastille_zfs_options="-o compress=lz4 -o atime=off" ## default: "-o compress=lz4 -o atime=off" + + ## Export/Import options + bastille_compress_xz_options="-0 -v" ## default "-0 -v" + bastille_decompress_xz_options="-c -d -v" ## default "-c -d -v" + bastille_compress_gz_options="-1 -v" ## default "-1 -v" + bastille_decompress_gz_options="-k -d -c -v" ## default "-k -d -c -v" + bastille_export_options="" ## default "" predefined export options, e.g. 
"--safe --gz" + + ## Networking + bastille_network_loopback="bastille0" ## default: "bastille0" + bastille_network_pf_ext_if="ext_if" ## default: "ext_if" + bastille_network_pf_table="jails" ## default: "jails" + bastille_network_shared="" ## default: "" + bastille_network_gateway="" ## default: "" + bastille_network_gateway6="" ## default: "" + + ## Default Templates + bastille_template_base="default/base" ## default: "default/base" + bastille_template_empty="" ## default: "default/empty" + bastille_template_thick="default/thick" ## default: "default/thick" + bastille_template_clone="default/clone" ## default: "default/clone" + bastille_template_thin="default/thin" ## default: "default/thin" + bastille_template_vnet="default/vnet" ## default: "default/vnet" + +Notes +----- + +The options here are fairly self-explanitory, but there are some things to note. + +* If you use ZFS, DO NOT create the bastille dataset. You must only create the parent. Bastille must be allowed to create the `bastille` child dataset, or you will have issues. So, if you want bastille to live at `zroot/data/bastille` you should set `bastille_zfs_zpool` to `zroot` and `bastille_zfs_prefix` to `data/bastille` but you should only create `zroot/data` before running bastille for the first time. + +* Bastille will mount the dataset it creates at `bastille_prefix` which defaults to `/usr/local/bastille`. So if you want to navigate to your jails, you will use the `bastille_prefix` as the location because this is where the will be mounted. + +Custom Configuration +-------------------- + +Bastille now supports using a custom config in addition to the default one. This is nice if you have multiple users, or want to store different +jails at different locations based on your needs. + +Simply copy the default config file and edit it according to your new environment or user. Then, it can be used in a couple of ways. + +1. 
Run Bastille using `bastille --config /path/to/config.conf bootstrap 14.2-RELEASE` to bootstrap the release using the new config. + +2. As a specific user, export the `BASTILLE_CONFIG` variable using `export BASTILLE_CONFIG=/path/to/config.conf`. This config will then always be used when running Bastille with that user. See notes below... + +- Exporting the `BASTILLE_CONFIG` variable will only export it for the current session. If you want to persist the export, see documentation for the shell that you use. + +- If you use sudo, you will need to run it with `sudo -E bastille bootstrap...` to preserve your users environment. This can also be persisted by editing the sudoers file. + +- If you do set the `BASTILLE_CONFIG` variable, you do not need to specify the config file when running Bastille as that specified user. diff --git a/docs/chapters/gettingstarted.rst b/docs/chapters/gettingstarted.rst index 6a5d053c..2d776fac 100644 --- a/docs/chapters/gettingstarted.rst +++ b/docs/chapters/gettingstarted.rst @@ -1,4 +1,3 @@ -=============== Getting Started =============== diff --git a/docs/chapters/subcommands/index.rst b/docs/chapters/subcommands/index.rst index d241ca5a..7ea0739b 100644 --- a/docs/chapters/subcommands/index.rst +++ b/docs/chapters/subcommands/index.rst @@ -23,6 +23,7 @@ Bastille sub-commands limits list mount + network pkg rcp rdr diff --git a/docs/chapters/subcommands/network.rst b/docs/chapters/subcommands/network.rst new file mode 100644 index 00000000..13c4bb55 --- /dev/null +++ b/docs/chapters/subcommands/network.rst 
@@ -0,0 +1,32 @@ +network +======= + +Add or remove interfaces to existing jails. + +You can only add an interface once to a jail, with two exceptions. + +1. For classic jails, you can add an interface as many times as you want, but each time with a different IP. All this does is add the IP as another alias on that interface. + +2. For VNET jails, if the `-v|--vlan` switch is given along with a numerical VLAN ID, Bastille will add the VLAN ID to the jail as a vnetX.X interface, depending on which interface is specified. + +Bridges and VNET interfaces can be added to VNET jails, no matter if they were created with `-V` or `-B`. + +It is possible to passthrough an entire interface from the host to the jail using the `-P|--passthrough` option. This will make the interface fully available without the need for additional configuration. It will be available inside the jail just like it would be on the host. Adding an interface using this method will render it only available inside the jail. It will not be present on the host until the jail is stopped. + +When cloning a jail that has a `-P|--passthrough` interface, you will have warnings when running both jails at the same time. The first jail to start will be assigned the interface, and since it will no longer be available to the host, it will not be possible to add it to the second jail. To solve this, you must manually remove the interface from the jail.conf file, or running `bastille network TARGET remove INTERFACE` while both jails are stopped. + +.. code-block:: shell + + ishmael ~ # bastille network help + Usage: bastille network [option(s)] TARGET [remove|add] INTERFACE [IP_ADDRESS] + Options: + + -a | --auto Start/stop the jail(s) if required. + -B | --bridge Add a bridged VNET interface to an existing jail. + -C | --classic Add an interface to a classic (non-VNET) jail. + -M | --static-mac Generate a static MAC address for the interface. + -n | --no-ip Create interface without an IP (VNET only). 
+ -P | --passthrough Pass the entire interface through to the jail.
+ -V | --vnet Add a VNET interface to an existing jail.
+ -v | --vlan VLANID Add interface with specified VLAN ID (VNET only).
+ -x | --debug Enable debug mode.
diff --git a/docs/chapters/usage.rst b/docs/chapters/usage.rst
index e21d659d..c9c5c6f0 100644
--- a/docs/chapters/usage.rst
+++ b/docs/chapters/usage.rst
@@ -1,4 +1,3 @@
-=====
 Usage
 =====
@@ -51,4 +50,4 @@ Usage
 Use "bastille -v|--version" for version information.
 Use "bastille command -h|--help" for more information about a command.
-
+ Use "bastille [-c|--config FILE] command" to specify a non-default config file.
diff --git a/docs/index.rst b/docs/index.rst
index ff3d0103..b0aaff65 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -13,6 +13,7 @@ https://docs.bastillebsd.org.
 chapters/installation
 chapters/gettingstarted
+ chapters/configuration
 chapters/upgrading
 chapters/networking
 chapters/usage
diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille
index 804c822e..be4ee758 100755
--- a/usr/local/bin/bastille
+++ b/usr/local/bin/bastille
@@ -32,6 +32,8 @@ PATH=${PATH}:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+BASTILLE_VERSION="0.13.20250126"
+
 ## check for config existence
 bastille_conf_check() {
 if [ ! -r "/usr/local/etc/bastille/bastille.conf" ]; then
@@ -54,12 +56,6 @@ bastille_conf_check() {
 fi
 }
-bastille_conf_check
-
-## we only load this if conf_check passes
-. /usr/local/share/bastille/common.sh
-. /usr/local/etc/bastille/bastille.conf
-
 ## bastille_prefix should be 0750
 ## this restricts file system access to privileged users
 bastille_perms_check() {
@@ -72,18 +68,13 @@ bastille_perms_check() { fi } -bastille_perms_check - -## version -BASTILLE_VERSION="0.13.20250126" - usage() { cat << EOF Bastille is an open-source system for automating deployment and management of containerized applications on FreeBSD. Usage: - bastille command TARGET [args] + bastille command [option(s)] TARGET [args] Available Commands: bootstrap Bootstrap a FreeBSD release for container base. @@ -105,6 +96,7 @@ Available Commands: limits Apply resources limits to targeted container(s). See rctl(8). list List containers (running). mount Mount a volume inside the targeted container(s). + network Add/remove network interfaces from targeted container. pkg Manipulate binary packages within targeted container(s). See pkg(8). rcp cp(1) files from a jail to host. rdr Redirect host port to container port. 
@@ -126,11 +118,70 @@ Available Commands:
 Use "bastille -v|--version" for version information.
 Use "bastille command -h|--help" for more information about a command.
+Use "bastille [-c|--config FILE] command" to specify a non-default config file.
 EOF
 exit 1
 }
+bastille_conf_check
+bastille_perms_check
+
+if [ -z "${BASTILLE_CONFIG}" ]; then
+ BASTILLE_CONFIG=/usr/local/etc/bastille/bastille.conf
+ export BASTILLE_CONFIG
+elif [ -r "${BASTILLE_CONFIG}" ]; then
+ export BASTILLE_CONFIG
+elif [ -r "/usr/local/etc/bastille/${BASTILLE_CONFIG}" ]; then
+ BASTILLE_CONFIG="/usr/local/etc/bastille/${BASTILLE_CONFIG}"
+ export BASTILLE_CONFIG
+else
+ echo "Not a valid config file: ${BASTILLE_CONFIG}"
+ exit 1
+fi
+
+# Load common.sh after setting BASTILLE_CONFIG
+. /usr/local/share/bastille/common.sh
+
+# Handle options
+while [ "$#" -gt 0 ]; do
+ case "${1}" in
+ -h|--help|help)
+ usage
+ ;;
+ version|-v|--version)
+ info "${BASTILLE_VERSION}"
+ exit 0
+ ;;
+ -c|--config)
+ BASTILLE_CONFIG="${2}"
+ if [ -r "${BASTILLE_CONFIG}" ]; then
+ info "Using custom config: ${BASTILLE_CONFIG}"
+ export BASTILLE_CONFIG
+ elif [ -r "/usr/local/etc/bastille/${BASTILLE_CONFIG}" ]; then
+ BASTILLE_CONFIG="/usr/local/etc/bastille/${BASTILLE_CONFIG}"
+ info "Using custom config: ${BASTILLE_CONFIG}"
+ export BASTILLE_CONFIG
+ else
+ error_exit "Not a valid config file: ${BASTILLE_CONFIG}"
+ fi
+ shift 2
+ ;;
+ -*)
+ for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do
+ case ${_opt} in
+ x) enable_debug ;;
+ a) AUTO=1 ;;
+ *) error_exit "Unknown Option: \"${1}\"" ;;
+ esac
+ done
+ shift
+ ;;
+ *)
+ break
+ ;;
+ esac
+done
 if [ "$#" -lt 1 ]; then
 usage
 else
@@ -140,13 +191,6 @@ fi
 # Handle special-case commands first.
 case "${CMD}" in
-version|-v|--version)
- info "${BASTILLE_VERSION}"
- exit 0
- ;;
- help|-h|--help)
- usage
- ;;
 bootstrap| \
 clone| \
 cmd| \
@@ -205,4 +249,4 @@ if [ -f "${SCRIPTPATH}" ]; then
 fi
 else
 error_exit "${SCRIPTPATH} not found."
-fi
+fi
\ No newline at end of file
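Review bot: Both config-resolution blocks in this hunk accept any readable path via `-r`, which is also true for directories, so `bastille -c` with no argument (`${2}` empty) resolves to `/usr/local/etc/bastille/` and the following `shift 2` aborts the shell, and a value such as `BASTILLE_CONFIG=..` in the environment passes the same way. The file is later sourced as shell code by common.sh with the caller's privileges (the documentation added in this diff recommends `sudo -E`), so the check should at least require a regular file, and refusing a config that is group/world-writable or not owned by root or the invoking user before sourcing would be a sensible hardening. common.sh is sourced before the option loop, so the main script has already loaded the default or environment config when `-c` is parsed; only the subcommand scripts see the override, and any config variable the main script reads afterwards comes from the first file. `bastille_conf_check` and `bastille_perms_check` likewise run before the custom path is known, so they still validate the hard-coded default (and, if `bastille_perms_check` reads `bastille_prefix` from the config — its body is outside this hunk — an unset value). The duplicated resolution logic can be shared by one helper, as below.
```shell
# Resolve a config argument to a readable regular file; a bare name is looked up
# in the default config directory. Prints the path, returns 1 otherwise.
resolve_config() {
    if [ -f "${1}" ] && [ -r "${1}" ]; then
        echo "${1}"
    elif [ -f "/usr/local/etc/bastille/${1}" ] && [ -r "/usr/local/etc/bastille/${1}" ]; then
        echo "/usr/local/etc/bastille/${1}"
    else
        return 1
    fi
}

if [ -z "${BASTILLE_CONFIG}" ]; then
    BASTILLE_CONFIG=/usr/local/etc/bastille/bastille.conf
else
    _cfg="$(resolve_config "${BASTILLE_CONFIG}")" || { echo "Not a valid config file: ${BASTILLE_CONFIG}"; exit 1; }
    BASTILLE_CONFIG="${_cfg}"
fi
export BASTILLE_CONFIG

# … unchanged: sourcing common.sh, option loop head, -h/-v cases …
        -c|--config)
            [ "$#" -ge 2 ] || usage
            _cfg="$(resolve_config "${2}")" || error_exit "Not a valid config file: ${2}"
            BASTILLE_CONFIG="${_cfg}"
            info "Using custom config: ${BASTILLE_CONFIG}"
            export BASTILLE_CONFIG
            shift 2
            ;;
# … unchanged: remaining option cases, command dispatch …
```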
diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index ccc4af6d..5cfcfac0 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf usage() { error_notify "Usage: bastille bootstrap [option(s)] [RELEASE|TEMPLATE] [update|arch]" diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index 0db63835..8315dd33 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf usage() { error_notify "Usage: bastille clone [option(s)] TARGET NEW_NAME IP_ADDRESS" @@ -153,13 +152,22 @@ update_jailconf() { else _ip4="$(bastille config ${TARGET} get ip4.addr | sed 's/,/ /g')" _ip6="$(bastille config ${TARGET} get ip6.addr | sed 's/,/ /g')" + _interface="$(bastille config ${TARGET} get interface)" + # Remove old style interface naming in place of new if|ip style + if [ "${_interface}" != "not set" ]; then + sed -i '' "/.*interface = .*/d" "${JAIL_CONFIG}" + fi # IP4 if [ "${_ip4}" != "not set" ]; then for _ip in ${_ip4}; do if echo ${_ip} | grep -q "|"; then _ip="$(echo ${_ip} | awk -F"|" '{print $2}')" fi - sed -i '' "/ip4.addr = .*/ s/${_ip}/${IP}/" "${JAIL_CONFIG}" + if [ "${_interface}" != "not set" ]; then + sed -i '' "s/.*ip4.addr = .*/ ip4.addr = ${_interface}|${IP};/" "${JAIL_CONFIG}" + else + sed -i '' "/ip4.addr = .*/ s/${_ip}/${IP}/" "${JAIL_CONFIG}" + fi sed -i '' "/ip4.addr += .*/ s/${_ip}/127.0.0.1/" "${JAIL_CONFIG}" done fi 
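Review bot: The new `sed -i '' "/.*interface = .*/d"` deletes every line of `${JAIL_CONFIG}` that contains `interface = ` anywhere, not only the top-level `interface = …;` setting, so any other key ending in that substring (for instance `vnet.interface = …`, should it be present) would be removed as well. Anchoring the expression to a line that starts with the key avoids that: `sed -i '' "/^[[:space:]]*interface[[:space:]]*=/d" "${JAIL_CONFIG}"`. The same unanchored form is used in the replacement `s/.*ip4.addr = .*/…/`, where the `.` in `ip4.addr` is also an unescaped regex metacharacter; `ip4\.addr` is the intended literal. `update_jailconf` starts before this hunk.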
@@ -169,7 +177,11 @@ update_jailconf() { if echo ${_ip} | grep -q "|"; then _ip="$(echo ${_ip} | awk -F"|" '{print $2}')" fi - sed -i '' "/ip6.addr = .*/ s/${_ip}/${IP}/" "${JAIL_CONFIG}" + if [ "${_interface}" != "not set" ]; then + sed -i '' "s/.*${_interface} = .*/ ip6.addr = ${_interface}|${IP};/" "${JAIL_CONFIG}" + else + sed -i '' "/ip6.addr = .*/ s/${_ip}/${IP}/" "${JAIL_CONFIG}" + fi sed -i '' "/ip6.addr += .*/ s/${_ip}/127.0.0.1/" "${JAIL_CONFIG}" sed -i '' "s/ip6 = .*/ip6 = ${IP6_MODE};/" "${JAIL_CONFIG}" done 
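Review bot: The IPv6 branch substitutes on lines matching `.*${_interface} = .*`, whereas the IPv4 branch in the previous hunk matches `.*ip4.addr = .*`; jail.conf has no `${_interface} = ` line (the `interface = ` entry is deleted earlier in `update_jailconf` when the interface is set), so the new `ip6.addr` line is never written and the clone keeps the source jail's address. It looks like a copy-paste slip and should read `sed -i '' "s/.*ip6\.addr = .*/ ip6.addr = ${_interface}|${IP};/" "${JAIL_CONFIG}"`. The enclosing loop and `update_jailconf` start outside this hunk.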
@@ -227,18 +239,31 @@ update_jailconf_vnet() { sed -i '' "s|${_new_jail_epair} ether.*:.*:.*:.*:.*:.*b\";|${_new_jail_epair} ether ${macaddr}b\";|" "${_jail_conf}" fi # Replace epair description - sed -i '' "s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" + sed -i '' "/${_new_host_epair}/ s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" # Update /etc/rc.conf local _jail_vnet="$(grep ${_target_jail_epair} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")" + local _jail_vnet_vlan="$(grep "vlans_${_jail_vnet}" "${_rc_conf}" | sed 's/.*=//g')" sed -i '' "s|${_target_jail_epair}_name|${_new_jail_epair}_name|" "${_rc_conf}" if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then - if [ "${IP}" = "0.0.0.0" ]; then - sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP" + if [ -n "${_jail_vnet_vlan}" ]; then + if [ "${IP}" = "0.0.0.0" ] || [ "${IP}" = "DHCP" ]; then + sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="SYNCDHCP" + else + sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="inet ${IP}" + fi else - sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP}" + if [ "${IP}" = "0.0.0.0" ] || [ "${IP}" = "DHCP" ]; then + sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP" + else + sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP}" + fi fi else - sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP" + if [ -n "${_jail_vnet_vlan}" ]; then + sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_${_jail_vnet_vlan}="SYNCDHCP" + else + sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP" + fi fi break fi 
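Review bot: The description rename on the `_new_host_epair` line still searches for `vnet host interface for Bastille jail ${TARGET}`, but common.sh in this same diff now writes `vnet0 host interface for Bastille jail …`, so clones of jails created after this change keep the source jail's name in the interface description; the second `update_jailconf_vnet` block further down uses the same pattern. Matching both spellings keeps older jails working too: `sed -i '' "/${_new_host_epair}/ s|\(vnet[0-9]*\) host interface for Bastille jail ${TARGET}|\1 host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}"`. `_jail_vnet_vlan` is taken from `vlans_${_jail_vnet}` with only the part up to `=` stripped; if rc.conf stores the value quoted, as `sysrc` writes it, the quotes end up inside the `ifconfig_vnet0_…` variable name handed to `sysrc`, which is worth confirming. The unanchored `grep "vlans_${_jail_vnet}"` would also match `vlans_vnet10` when `_jail_vnet` is `vnet1`.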
@@ -249,7 +274,8 @@ update_jailconf_vnet() { if ! grep -oq "bastille${_num}" ${bastille_jailsdir}/*/jail.conf; then # Update jail.conf epair name local uniq_epair="bastille${_num}" - local _if_vnet="$(grep ${_if} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")" + local _jail_vnet="$(grep ${_if} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")" + local _jail_vnet_vlan="$(grep "vlans_${_jail_vnet}" "${_rc_conf}" | sed 's/.*=//g')" sed -i '' "s|${_if}|${uniq_epair}|g" "${_jail_conf}" # If jail had a static MAC, generate one for clone if grep ether ${_jail_conf} | grep -qoc ${uniq_epair}; then 
@@ -258,17 +284,29 @@ update_jailconf_vnet() { sed -i '' "s|${uniq_epair} ether.*:.*:.*:.*:.*:.*a\";|${uniq_epair} ether ${macaddr}a\";|" "${_jail_conf}" sed -i '' "s|${uniq_epair} ether.*:.*:.*:.*:.*:.*b\";|${uniq_epair} ether ${macaddr}b\";|" "${_jail_conf}" fi - sed -i '' "s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" + sed -i '' "/${uniq_epair}/ s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" # Update /etc/rc.conf sed -i '' "s|ifconfig_e0b_${_if}_name|ifconfig_e0b_${uniq_epair}_name|" "${_rc_conf}" if grep "vnet0" "${_rc_conf}" | grep -q ${uniq_epair}; then - if [ "${IP}" = "0.0.0.0" ]; then - sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP" + if [ -n "${_jail_vnet_vlan}" ]; then + if [ "${IP}" = "0.0.0.0" ] || [ "${IP}" = "DHCP" ]; then + sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="SYNCDHCP" + else + sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="inet ${IP}" + fi else - sysrc -f "${_rc_conf}" ifconfig_vnet0=" inet ${IP} " + if [ "${IP}" = "0.0.0.0" ] || [ "${IP}" = "DHCP" ]; then + sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP" + else + sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP}" + fi fi else - sysrc -f "${_rc_conf}" ifconfig_${_if_vnet}="SYNCDHCP" + if [ -n "${_jail_vnet_vlan}" ]; then + sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_${_jail_vnet_vlan}="SYNCDHCP" + else + sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP" + fi fi break fi diff --git a/usr/local/share/bastille/cmd.sh b/usr/local/share/bastille/cmd.sh index 0d958973..21fe6722 100644 --- a/usr/local/share/bastille/cmd.sh +++ b/usr/local/share/bastille/cmd.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf usage() { error_notify "Usage: bastille cmd [option(s)] TARGET command" 
diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh
index 1fbbe5a0..0f4cb57f 100644
--- a/usr/local/share/bastille/common.sh
+++ b/usr/local/share/bastille/common.sh
@@ -30,11 +30,11 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-# Source config file
-if [ -f /usr/local/etc/bastille/bastille.conf ]; then
- . /usr/local/etc/bastille/bastille.conf
-fi
-
+# Load config. This only has to be done here
+# because all commands load this file
+# shellcheck disable=SC1090
+. ${BASTILLE_CONFIG}
+
 COLOR_RED=
 COLOR_GREEN=
 COLOR_YELLOW=
@@ -335,7 +335,7 @@ generate_vnet_jail_netblock() {
 exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}";
 exec.prestart += "ifconfig ${host_epair} ether ${macaddr}a";
 exec.prestart += "ifconfig ${jail_epair} ether ${macaddr}b";
-exec.prestart += "ifconfig ${host_epair} description \"vnet host interface for Bastille jail ${jail_name}\"";
+exec.prestart += "ifconfig ${host_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\"";
 exec.poststop += "ifconfig ${external_interface} deletem ${host_epair}";
 exec.poststop += "ifconfig ${host_epair} destroy";
 EOF
@@ -348,7 +348,7 @@ EOF
 exec.prestart += "ifconfig ${external_interface} addm epair${_num}a";
 exec.prestart += "ifconfig epair${_num}a up name ${host_epair}";
 exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}";
-exec.prestart += "ifconfig ${host_epair} description \"vnet host interface for Bastille jail ${jail_name}\"";
+exec.prestart += "ifconfig ${host_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\"";
 exec.poststop += "ifconfig ${external_interface} deletem ${host_epair}";
 exec.poststop += "ifconfig ${host_epair} destroy";
 EOF
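Review bot: `. ${BASTILLE_CONFIG}` is unquoted and unguarded, so a path containing whitespace is word-split and, when the variable is unset (a subcommand script run directly rather than through `bastille`, the case the removed `-f` guard used to cover), the dot command gets no operand and the shell most likely aborts before `error_exit` is even defined. A fallback plus quoting keeps the old behaviour: `[ -n "${BASTILLE_CONFIG}" ] || BASTILLE_CONFIG=/usr/local/etc/bastille/bastille.conf` followed by `. "${BASTILLE_CONFIG}"`. The removal of the direct `bastille.conf` source line from bootstrap.sh, clone.sh, cmd.sh and the other subcommand files in this diff all rely on this one line, so this is where the guard belongs. Since the file is executed as shell with the caller's privileges, it is also the natural place to refuse a config that is not a regular file owned by root or the invoking user.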
@@ -363,7 +363,7 @@ EOF exec.prestart += "jib addm ${uniq_epair} ${external_interface}"; exec.prestart += "ifconfig e0a_${uniq_epair} ether ${macaddr}a"; exec.prestart += "ifconfig e0b_${uniq_epair} ether ${macaddr}b"; - exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\""; + exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\""; exec.poststop += "jib destroy ${uniq_epair}"; EOF else @@ -372,7 +372,7 @@ EOF vnet; vnet.interface = e0b_${uniq_epair}; exec.prestart += "jib addm ${uniq_epair} ${external_interface}"; - exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\""; + exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\""; exec.poststop += "jib destroy ${uniq_epair}"; EOF fi diff --git a/usr/local/share/bastille/config.sh b/usr/local/share/bastille/config.sh index 0707a6d0..3218f8bb 100644 --- a/usr/local/share/bastille/config.sh +++ b/usr/local/share/bastille/config.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf + usage() { error_notify "Usage: bastille config TARGET [get|set] PROPERTY_NAME NEW_VALUE" diff --git a/usr/local/share/bastille/console.sh b/usr/local/share/bastille/console.sh index 33851a05..cc66da6d 100644 --- a/usr/local/share/bastille/console.sh +++ b/usr/local/share/bastille/console.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf usage() { error_notify "Usage: bastille console [option(s)] TARGET [user]" diff --git a/usr/local/share/bastille/convert.sh b/usr/local/share/bastille/convert.sh index d5d5b582..b7659638 100644 --- a/usr/local/share/bastille/convert.sh 
+++ b/usr/local/share/bastille/convert.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf usage() { error_notify "Usage: bastille convert [option(s)] TARGET" diff --git a/usr/local/share/bastille/cp.sh b/usr/local/share/bastille/cp.sh index 0d1b53a1..314cb239 100644 --- a/usr/local/share/bastille/cp.sh +++ b/usr/local/share/bastille/cp.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf usage() { error_notify "Usage: bastille cp [option(s)] TARGET HOST_PATH JAIL_PATH" diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 0c288959..4e5f5186 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf usage() { # Build an independent usage for the create command diff --git a/usr/local/share/bastille/destroy.sh b/usr/local/share/bastille/destroy.sh index 4e655fc6..f5c5ae4c 100644 --- a/usr/local/share/bastille/destroy.sh +++ b/usr/local/share/bastille/destroy.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf usage() { error_notify "Usage: bastille destroy [option(s)] [JAIL|RELEASE]" diff --git a/usr/local/share/bastille/edit.sh b/usr/local/share/bastille/edit.sh index 50c0ed88..03ab215e 100644 --- a/usr/local/share/bastille/edit.sh +++ b/usr/local/share/bastille/edit.sh 
@@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf usage() { error_notify "Usage: bastille edit [option(s)] TARGET [filename]" diff --git a/usr/local/share/bastille/etcupdate.sh b/usr/local/share/bastille/etcupdate.sh index 2f625d41..b3f08cbe 100644 --- a/usr/local/share/bastille/etcupdate.sh +++ b/usr/local/share/bastille/etcupdate.sh @@ -28,7 +28,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf usage() { error_notify "Usage: bastille etcupdate [option(s)] [bootstrap|TARGET] [diff|resolve|update RELEASE]" diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index 8ef258dd..de4d3e37 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf usage() { # Build an independent usage for the export command diff --git a/usr/local/share/bastille/htop.sh b/usr/local/share/bastille/htop.sh index d6b108d8..fe2607d0 100644 --- a/usr/local/share/bastille/htop.sh +++ b/usr/local/share/bastille/htop.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf usage() { error_notify "Usage: bastille htop [option(s)] TARGET" diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index 511fedcf..c184bb31 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh 
@@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf usage() { # Build an independent usage for the import command diff --git a/usr/local/share/bastille/jcp.sh b/usr/local/share/bastille/jcp.sh index fc8cf05e..391511cf 100644 --- a/usr/local/share/bastille/jcp.sh +++ b/usr/local/share/bastille/jcp.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf usage() { error_notify "Usage: bastille jcp [option(s)] SOURCE_JAIL JAIL_PATH DEST_JAIL JAIL_PATH" diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index 0418ffd7..19a2f8af 100644 --- a/usr/local/share/bastille/limits.sh +++ b/usr/local/share/bastille/limits.sh @@ -32,7 +32,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf usage() { error_notify "Usage: bastille limits [option(s)] TARGET OPTION VALUE" 
@@ -111,7 +110,9 @@ for _jail in ${JAILS}; do
 if grep -qs "jail:${_jail}:${OPTION}:deny" "${bastille_jailsdir}/${_jail}/rctl.conf"; then
 _escaped_option=$(echo "${OPTION}" | sed 's/\//\\\//g')
 _escaped_rctl_rule=$(echo "${_rctl_rule}" | sed 's/\//\\\//g')
- sed -i '' -E "s/jail:${_jail}:${_escaped_option}:deny.+/${_escaped_rctl_rule}/" "${bastille_jailsdir}/${_jail}/rctl.conf"
+ _escaped_rctl_rule_log=$(echo "${_rctl_rule_log}" | sed 's/\//\\\//g')
+ sed -i '' -E "s/jail:${_jail}:${_escaped_option}:deny.+/${_escaped_rctl_rule}/" "${bastille_jailsdir}/${_jail}/rctl.conf"
+ sed -i '' -E "s/jail:${_jail}:${_escaped_option}:log.+/${_escaped_rctl_rule_log}/" "${bastille_jailsdir}/${_jail}/rctl.conf"
 else
 # Just append the entry. -- cwells
 echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
 echo "${_rctl_rule_log}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh
index 162be24c..238d6f1a 100644
--- a/usr/local/share/bastille/list.sh
+++ b/usr/local/share/bastille/list.sh
@@ -31,7 +31,6 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
-. /usr/local/etc/bastille/bastille.conf
 usage() {
 error_notify "Usage: bastille list [option(s)] [RELEASE (-p)] [template] [JAIL|CONTAINER] [log] [limit] [import] [export] [backup] [priority]"
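Review bot: When the jail's rctl.conf already holds a `deny` rule for `${OPTION}` but no matching `log` rule (a file written before log rules were being appended), the new `sed … :log.+/…` substitution is a no-op and the log rule is never added, while the `else` branch appends both. A guard after the substitution closes the gap: `grep -qs "jail:${_jail}:${OPTION}:log" "${bastille_jailsdir}/${_jail}/rctl.conf" || echo "${_rctl_rule_log}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"`. Whether such older files exist in practice is not visible here; `_rctl_rule_log` and the enclosing `for _jail` loop are defined outside the hunk.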
@@ -102,12 +101,12 @@ list_all(){
 if [ "$(/usr/sbin/jls name | awk "/^${JAIL_NAME}$/")" ]; then
 JAIL_STATE="Up"
 if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then
- JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -n vnet0 inet 2> /dev/null | sed -n "/.inet /{s///;s/ .*//;p;}")
- if [ ! "${JAIL_IP}" ]; then JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -n vnet0 inet6 2> /dev/null | awk '/inet6 / && (!/fe80::/ || !/%vnet0/)' | sed -n "/.inet6 /{s///;s/ .*//;p;}"); fi
- else
- JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip4.addr 2> /dev/null | sed 's/,/\n/g')
- if [ "${JAIL_IP}" = "-" ]; then JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip6.addr 2> /dev/null | sed 's/,/\n/g'); fi
- fi
+ JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -an | grep -v "127.0.0.1" | grep "inet " | awk '{print $2}')
+ if [ ! "${JAIL_IP}" ]; then JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -an | grep -v "lo0" | awk '{print $2}'); fi
+ else
+ JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip4.addr 2> /dev/null)
+ if [ "${JAIL_IP}" = "-" ]; then JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip6.addr 2> /dev/null); fi
+ fi
 JAIL_HOSTNAME=$(/usr/sbin/jls -j ${JAIL_NAME} host.hostname 2> /dev/null)
 JAIL_PORTS=$(pfctl -a "rdr/${JAIL_NAME}" -Psn 2> /dev/null | awk '{ printf "%s/%s:%s"",",$7,$14,$18 }' | sed "s/,$//")
 JAIL_PATH=$(/usr/sbin/jls -j ${JAIL_NAME} path 2> /dev/null)
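Review bot: The IPv6 fallback `ifconfig -an | grep -v "lo0" | awk '{print $2}'` prints the second field of every remaining ifconfig line (`flags=…`, MAC addresses, `media:` and `status:` values), not just addresses, and `grep -v "lo0"` only drops the line naming lo0, not its address lines; the removed code restricted this to `inet6` lines and skipped link-local. A filter such as `JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -an | grep "inet6 " | grep -v "fe80::" | awk '{print $2}')` restores that. The primary branch now lists addresses from every interface rather than vnet0 only, which may be intended but changes what `bastille list` shows for multi-interface VNET jails. `list_all` starts outside this hunk.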
@@ -120,7 +119,7 @@ list_all(){
 else
 JAIL_STATE=$(if [ "$(sed -n "/^${JAIL_NAME} {$/,/^}$/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | awk '$0 ~ /^'${JAIL_NAME}' \{|\}/ { printf "%s",$0 }')" = "${JAIL_NAME} {}" ]; then echo "Down"; else echo "n/a"; fi)
 if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then
- JAIL_IP=$(sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' "${bastille_jailsdir}/${JAIL_NAME}/root/etc/rc.conf" 2> /dev/null | sed "s/\// /g" | awk '{ if ($1 ~ /^[inet|inet6]/) print $2; else print $1 }')
+ JAIL_IP=$(grep -E "^ifconfig_vnet.*inet.*" "${bastille_jailsdir}/${JAIL_NAME}/root/etc/rc.conf" 2> /dev/null | grep -o "inet.*" | awk '{print $2}')
 else
 JAIL_IP=$(sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | sed "s/\// /g" | awk '{ print $1 }')
 fi
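Review bot: `grep -o "inet.*" | awk '{print $2}'` on a quoted rc.conf entry (e.g. a constructed `ifconfig_vnet0="inet 10.0.0.1/24"`, the form `sysrc` writes in the clone.sh hunks of this diff) yields `10.0.0.1/24"` with the closing quote attached, whereas the removed sed stripped the quotes and the prefix length. Appending `| sed 's/"$//'` removes the quote, and `| sed 's|/.*||'` as well if the old unprefixed form is wanted. The pattern `^ifconfig_vnet.*inet.*` also matches `inet6` entries and VLAN sub-interfaces such as `ifconfig_vnet0_…`, which may be intended. `list_all` starts outside this hunk.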
@@ -163,14 +162,14 @@ list_all(){
 # 10.10.10.11
 # 10.10.10.12
 FIRST_IP="$(echo "${JAIL_IP}" | head -n 1)"
- if echo "${FIRST_IP}" | grep -q "|"; then FIRST_IP=$(echo ${FIRST_IP} | awk -F"|" '{print $2}'); fi
+ if echo "${FIRST_IP}" | grep -q "|"; then FIRST_IP=$(echo ${FIRST_IP} | awk -F"|" '{print $2}'); fi
 printf " ${JID}%*s${BOOT}%*s${PRIORITY}%*s${JAIL_STATE}%*s${FIRST_IP}%*s${JAIL_PORTS}%*s${JAIL_HOSTNAME}%*s${JAIL_RELEASE}%*s${JAIL_PATH}\n" "$((${MAX_LENGTH_JID} - ${#JID} + ${SPACER}))" "" "$((4 - ${#BOOT} + ${SPACER}))" "" "$((4 - ${#PRIORITY} + ${SPACER}))" "" "$((5 - ${#JAIL_STATE} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} - ${#FIRST_IP} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_PORTS} - ${#JAIL_PORTS} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} - ${#JAIL_HOSTNAME} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_RELEASE} - ${#JAIL_RELEASE} + ${SPACER}))" ""
 for IP in $(echo "${JAIL_IP}" | tail -n +2); do
 if echo "${IP}" | grep -q "|"; then IP=$(echo ${IP} | awk -F"|" '{print $2}'); fi
 printf "%*s%*s%*s%*s ${IP}\n" "$((${MAX_LENGTH_JID} + ${SPACER}))" "" "$((4 + ${SPACER}))" "" "$((4 + ${SPACER}))" "" "$((5 + ${SPACER}))" ""
 done
 else
- if echo "${JAIL_IP}" | grep -q "|"; then JAIL_IP=$(echo ${JAIL_IP} | awk -F"|" '{print $2}'); fi
+ if echo "${JAIL_IP}" | grep -q "|"; then JAIL_IP=$(echo ${JAIL_IP} | awk -F"|" '{print $2}'); fi
 printf " ${JID}%*s${BOOT}%*s${PRIORITY}%*s${JAIL_STATE}%*s${JAIL_IP}%*s${JAIL_PORTS}%*s${JAIL_HOSTNAME}%*s${JAIL_RELEASE}%*s${JAIL_PATH}\n" "$((${MAX_LENGTH_JID} - ${#JID} + ${SPACER}))" "" "$((4 - ${#BOOT} + ${SPACER}))" "" "$((4 - ${#PRIORITY} + ${SPACER}))" "" "$((5 - ${#JAIL_STATE} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} - ${#JAIL_IP} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_PORTS} - ${#JAIL_PORTS} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} - ${#JAIL_HOSTNAME} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_RELEASE} - ${#JAIL_RELEASE} + ${SPACER}))" ""
 fi
 fi
diff --git a/usr/local/share/bastille/mount.sh b/usr/local/share/bastille/mount.sh
index f13c98ed..d58664fe 100644
--- a/usr/local/share/bastille/mount.sh
+++ b/usr/local/share/bastille/mount.sh
@@ -31,7 +31,6 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
-. /usr/local/etc/bastille/bastille.conf
 usage() {
 error_notify "Usage: bastille mount [option(s)] TARGET HOST_PATH JAIL_PATH [filesystem_type options dump pass_number]"
diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh
new file mode 100644
index 00000000..54d52738
--- /dev/null
+++ b/usr/local/share/bastille/network.sh
@@ -0,0 +1,600 @@
+#!/bin/sh
+#
+# Copyright (c) 2018-2025, Christer Edwards
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation
+# and/or other materials provided with the distribution.
+#
+# * Neither the name of the copyright holder nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/common.sh
+. /usr/local/etc/bastille/bastille.conf
+
+usage() {
+ error_notify "Usage: bastille network [option(s)] TARGET [remove|add] INTERFACE [IP_ADDRESS]"
+ cat << EOF
+ Options:
+
+ -a | --auto Start/stop the jail(s) if required.
+ -B | --bridge Add a bridged VNET interface to an existing jail.
+ -C | --classic Add an interface to a classic (non-VNET) jail.
+ -M | --static-mac Generate a static MAC address for the interface.
+ -n | --no-ip Create interface without an IP (VNET only).
+ -P | --passthrough Pass the entire interface through to the jail.
+ -V | --vnet Add a VNET interface to an existing jail.
+ -v | --vlan VLANID Add interface with specified VLAN ID (VNET only).
+ -x | --debug Enable debug mode.
+
+EOF
+ exit 1
+}
+
+# Handle options.
+AUTO=0
+BRIDGE=0
+CLASSIC=0
+STATIC_MAC=0
+PASSTHROUGH=0
+VNET=0
+VLAN_ID=""
+NO_IP=0
+while [ "$#" -gt 0 ]; do
+ case "${1}" in
+ -h|--help|help)
+ usage
+ ;;
+ -a|--auto)
+ AUTO=1
+ shift
+ ;;
+ -B|--bridge)
+ BRIDGE=1
+ shift
+ ;;
+ -C|--classic)
+ CLASSIC=1
+ shift
+ ;;
+ -M|--static-mac)
+ STATIC_MAC=1
+ shift
+ ;;
+ -n|--no-ip)
+ NO_IP=1
+ shift
+ ;;
+ -P|--passthrough)
+ PASSTHROUGH=1
+ shift
+ ;;
+ -V|--vnet)
+ VNET=1
+ shift
+ ;;
+ -v|--vlan)
+ if echo "${2}" | grep -Eq '^[0-9]+$'; then
+ VLAN_ID="${2}"
+ else
+ error_exit "Not a valid VLAN ID: ${2}"
+ fi
+ shift 2
+ ;;
+ -x|--debug)
+ enable_debug
+ shift
+ ;;
+ -*)
+ for _o in $(echo ${1} 2>/dev/null | sed 's/-//g' | fold -w1); do
+ case ${_o} in
+ a) AUTO=1 ;;
+ B) BRIDGE=1 ;;
+ C) CLASSIC=1 ;;
+ M) STATIC_MAC=1 ;;
+ n) NO_IP=1 ;;
+ P) PASSTHROUGH=1 ;;
+ V) VNET=1 ;;
+ x) enable_debug ;;
+ *) error_exit "Unknown Option: \"${1}\"" ;;
+ esac
+ done
+ shift
+ ;;
+ *)
+ break
+ ;;
+ esac
+done
+
+TARGET="${1}"
+ACTION="${2}"
+INTERFACE="${3}"
+if [ "${ACTION}" = "add" ] && [ "${NO_IP}" -eq 0 ] && [ -n "${4}" ]; then
+ IP="${4}"
+elif [ "${NO_IP}" -eq 1 ] && [ -n "${4}" ]; then
+ error_notify "IP should not be present when using -n|--no-ip."
+ usage
+else
+ IP=""
+fi
+
+if [ "${ACTION}" = "add" ]; then
+ if { [ "${VNET}" -eq 1 ] && [ "${BRIDGE}" -eq 1 ]; } || \
+ { [ "${VNET}" -eq 1 ] && [ "${CLASSIC}" -eq 1 ]; } || \
+ { [ "${VNET}" -eq 1 ] && [ "${PASSTHROUGH}" -eq 1 ]; } || \
+ { [ "${BRIDGE}" -eq 1 ] && [ "${CLASSIC}" -eq 1 ]; } || \
+ { [ "${BRIDGE}" -eq 1 ] && [ "${PASSTHROUGH}" -eq 1 ]; } || \
+ { [ "${CLASSIC}" -eq 1 ] && [ "${PASSTHROUGH}" -eq 1 ]; } then
+ error_notify "Error: Only one of [-B|--bridge], [-C|--classic], [-P|--passthrough] or [-V|--vnet] should be set."
+ usage
+ elif [ "${VNET}" -eq 0 ] && [ "${BRIDGE}" -eq 0 ] && [ "${CLASSIC}" -eq 0 ] && [ "${PASSTHROUGH}" -eq 0 ]; then
+ error_notify "Error: [-B|--bridge], [-C|--classic], [-P|--passthrough] or [-V|--vnet] must be set."
+ usage
+ elif [ "${VNET}" -eq 0 ] && [ "${BRIDGE}" -eq 0 ] && [ "${PASSTHROUGH}" -eq 0 ] && [ -n "${VLAN_ID}" ]; then
+ error_notify "VLANs can only be used with VNET interfaces."
+ usage
+ elif [ "${VNET}" -eq 0 ] && [ "${BRIDGE}" -eq 0 ] && [ "${NO_IP}" -eq 1 ]; then
+ error_notify "[-n|--no-ip] can only be used with VNET jails."
+ usage
+ fi
+fi
+
+if [ "$#" -lt 2 ] || [ "$#" -gt 4 ]; then
+ usage
+fi
+
+bastille_root_check
+set_target_single "${TARGET}"
+check_target_is_stopped "${TARGET}" || if [ "${AUTO}" -eq 1 ]; then
+ bastille stop "${TARGET}"
+else
+ error_notify "Jail is running."
+ error_exit "Use [-a|--auto] to auto-stop the jail."
+fi
+
+validate_ip() {
+ IP6_ENABLE=0
+ local ip="${1}"
+ local ip6="$( echo "${ip}" 2>/dev/null | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$)|SLAAC)' )"
+ if [ -n "${ip6}" ]; then
+ info "Valid: (${ip6})."
+ IP6_ENABLE=1
+ elif [ "${ip}" = "0.0.0.0" ] || [ "${ip}" = "DHCP" ]; then
+ info "Valid: (${ip})."
+ else
+ local IFS
+ if echo "${ip}" 2>/dev/null | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then
+ TEST_IP=$(echo "${ip}" | cut -d / -f1)
+ IFS=.
+ set ${TEST_IP}
+ for quad in 1 2 3 4; do
+ if eval [ \$$quad -gt 255 ]; then
+ error_exit "Invalid: (${TEST_IP})"
+ fi
+ done
+ info "Valid: (${ip})."
+ else
+ error_exit "Invalid: (${ip})."
+ fi
+ fi
+}
+
+validate_netif() {
+ local _interface="${1}"
+ if ifconfig -l | grep -qwo ${_interface}; then
+ info "Valid: (${_interface})."
+ else
+ error_exit "Invalid: (${_interface})."
+ fi
+}
+
+validate_netconf() {
+ if [ -n "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
+ error_exit "Invalid network configuration."
+ fi
+}
+
+check_interface_added() {
+ local _jailname="${1}"
+ local _if="${2}"
+ local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf"
+ if grep -qo "${_if}" "${_jail_config}"; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+add_interface() {
+ local _jailname="${1}"
+ local _if="${2}"
+ local _ip="${3}"
+ local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf"
+ local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf"
+ local _epair_if_count="$( (grep -Eos 'epair[0-9]+' ${bastille_jailsdir}/*/jail.conf; ifconfig | grep -Eo '(e[0-9]+a|epair[0-9]+a)' ) | sort -u | wc -l | awk '{print $1}')"
+ local _bastille_if_count="$(grep -Eos 'bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')"
+ local _vnet_if_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l | awk '{print $1}')"
+ local _if_vnet="vnet$((_vnet_if_count + 1))"
+ local epair_num_range=$((_epair_if_count + 1))
+ local bastille_num_range=$((_bastille_if_count + 1))
+ if [ "${BRIDGE}" -eq 1 ]; then
+ if [ "${_epair_if_count}" -gt 0 ]; then
+ for _num in $(seq 0 "${epair_num_range}"); do
+ if ! grep -Eosq "epair${_num}" ${bastille_jailsdir}/*/jail.conf && ! 
ifconfig | grep -Eosq "(e${_num}a|epair${_num}a)"; then
+ if [ "$(echo -n "e${_num}a_${jail_name}" | awk '{print length}')" -lt 16 ]; then
+ local host_epair=e${_num}a_${_jailname}
+ local jail_epair=e${_num}b_${_jailname}
+ else
+ local host_epair=epair${_num}a
+ local jail_epair=epair${_num}b
+ fi
+ break
+ fi
+ done
+ else
+ if [ "$(echo -n "e0a_${_jailname}" | awk '{print length}')" -lt 16 ]; then
+ local _num=0
+ local host_epair=e${_num}a_${_jailname}
+ local jail_epair=e${_num}b_${_jailname}
+ else
+ local _num=0
+ local host_epair=epair${_num}a
+ local jail_epair=epair${_num}b
+ fi
+ fi
+ # Remove ending brace (it is added again with the netblock)
+ sed -i '' '/}/d' "${_jail_config}"
+ if [ "${STATIC_MAC}" -eq 1 ]; then
+ # Generate NETBLOCK with static MAC
+ generate_static_mac "${_jailname}" "${_if}"
+ cat << EOF >> "${_jail_config}"
+ ## ${host_epair} interface
+ vnet.interface += ${jail_epair};
+ exec.prestart += "ifconfig epair${_num} create";
+ exec.prestart += "ifconfig ${_if} addm epair${_num}a";
+ exec.prestart += "ifconfig epair${_num}a up name ${host_epair}";
+ exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}";
+ exec.prestart += "ifconfig ${host_epair} ether ${macaddr}a";
+ exec.prestart += "ifconfig ${jail_epair} ether ${macaddr}b";
+ exec.prestart += "ifconfig ${host_epair} description \"${_if_vnet} host interface for Bastille jail ${_jailname}\"";
+ exec.poststop += "ifconfig ${_if} deletem ${host_epair}";
+ exec.poststop += "ifconfig ${host_epair} destroy";
+}
+EOF
+ else
+ # Generate NETBLOCK without static MAC
+ cat << EOF >> "${_jail_config}"
+ ## ${host_epair} interface
+ vnet.interface += ${jail_epair};
+ exec.prestart += "ifconfig epair${_num} create";
+ exec.prestart += "ifconfig ${_if} addm epair${_num}a";
+ exec.prestart += "ifconfig epair${_num}a up name ${host_epair}";
+ exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}";
+ exec.prestart += "ifconfig ${host_epair} description \"${_if_vnet} host interface 
for Bastille jail ${_jailname}\"";
+ exec.poststop += "ifconfig ${_if} deletem ${host_epair}";
+ exec.poststop += "ifconfig ${host_epair} destroy";
+}
+EOF
+ fi
+
+ # Add config to /etc/rc.conf
+ sysrc -f "${_jail_rc_config}" ifconfig_${jail_epair}_name="${_if_vnet}"
+ if [ -n "${_ip}" ]; then
+ # If 0.0.0.0 set DHCP, else set static IP address
+ if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ]; then
+ sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP"
+ else
+ sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="inet ${_ip}"
+ fi
+ fi
+
+ info "[${_jailname}]:"
+ echo "Added interface: \"${_if}\""
+
+ elif [ "${VNET}" -eq 1 ]; then
+ for _num in $(seq 0 "${bastille_num_range}"); do
+ if ! grep -Eq "bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then
+ local bastille_epair="bastille${_num}"
+ break
+ fi
+ done
+ # Remove ending brace (it is added again with the netblock)
+ sed -i '' '/}/d' "${_jail_config}"
+ if [ "${STATIC_MAC}" -eq 1 ]; then
+ # Generate NETBLOCK with static MAC
+ generate_static_mac "${_jailname}" "${_if}"
+ cat << EOF >> "${_jail_config}"
+ ## ${bastille_epair} interface
+ vnet.interface += e0b_${bastille_epair};
+ exec.prestart += "jib addm ${bastille_epair} ${_if}";
+ exec.prestart += "ifconfig e0a_${bastille_epair} ether ${macaddr}a";
+ exec.prestart += "ifconfig e0b_${bastille_epair} ether ${macaddr}b";
+ exec.prestart += "ifconfig e0a_${bastille_epair} description \"${_if_vnet} host interface for Bastille jail ${_jailname}\"";
+ exec.poststop += "jib destroy ${bastille_epair}";
+}
+EOF
+ else
+ # Generate NETBLOCK without static MAC
+ cat << EOF >> "${_jail_config}"
+ ## ${bastille_epair} interface
+ vnet.interface += e0b_${bastille_epair};
+ exec.prestart += "jib addm ${bastille_epair} ${_if}";
+ exec.prestart += "ifconfig e0a_${bastille_epair} description \"${_if_vnet} host interface for Bastille jail ${_jailname}\"";
+ exec.poststop += "jib destroy ${bastille_epair}";
+}
+EOF
+ fi
+ # Add config to /etc/rc.conf
+ 
sysrc -f "${_jail_rc_config}" ifconfig_e0b_${bastille_epair}_name="${_if_vnet}"
+ if [ -n "${_ip}" ]; then
+ # If 0.0.0.0 set DHCP, else set static IP address
+ if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ]; then
+ sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP"
+ else
+ sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="inet ${_ip}"
+ fi
+ fi
+
+ info "[${_jailname}]:"
+ echo "Added VNET interface: \"${_if}\""
+
+ elif [ "${PASSTHROUGH}" -eq 1 ]; then
+ # Remove ending brace (it is added again with the netblock)
+ sed -i '' '/}/d' "${_jail_config}"
+ # Generate NETBLOCK (static MAC not used on passthrough)
+ cat << EOF >> "${_jail_config}"
+ ## ${_if} interface
+ vnet.interface += ${_if};
+}
+EOF
+ # Add config to /etc/rc.conf
+ if [ -n "${_ip}" ]; then
+ # If 0.0.0.0 set DHCP, else set static IP address
+ if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ]; then
+ sysrc -f "${_jail_rc_config}" ifconfig_${_if}="SYNCDHCP"
+ else
+ sysrc -f "${_jail_rc_config}" ifconfig_${_if}="inet ${_ip}"
+ fi
+ fi
+
+ info "[${_jailname}]:"
+ echo "Added Passthrough interface: \"${_if}\""
+
+ elif [ "${CLASSIC}" -eq 1 ]; then
+ if [ "${IP6_ENABLE}" -eq 1 ]; then
+ sed -i '' "s/interface = .*/&\n ip6.addr += ${_if}|${_ip};/" ${_jail_config}
+ else
+ sed -i '' "s/interface = .*/&\n ip4.addr += ${_if}|${_ip};/" ${_jail_config}
+ fi
+ fi
+
+ info "[${_jailname}]:"
+ echo "Added interface: \"${_if}\""
+}
+
+remove_interface() {
+ local _jailname="${1}"
+ local _if="${2}"
+ local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf"
+ # Skip next block in case of classic jail
+ if [ "$(bastille config ${TARGET} get vnet)" != "not set" ]; then
+ local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf"
+ if grep -q ${_if} ${_jail_config} | grep -Eoq -m 1 'bastille[0-9]+'; then
+ local _if_bastille_num="$(grep ${_if} ${_jail_config} | grep -Eo -m 1 "bastille[0-9]+" | grep -Eo "[0-9]+")"
+ local _if_jail="e0b_bastille${_if_bastille_num}"
+ 
_if_type="bastille"
+ elif grep -q ${_if} ${_jail_config} | grep -Eoq -m 1 "epair[0-9]+"; then
+ local _if_epair_num="$(grep ${_if} ${_jail_config} | grep -Eo -m 1 "epair[0-9]+" | grep -Eo "[0-9]+")"
+ if grep -q epair${_if_epair_num}b ${_jail_config} | grep -Eoq -m 1 "e${_if_epair_num}b_${_jailname}"; then
+ local _if_jail="$(grep epair${_if_epair_num}b ${_jail_config} | grep -Eo -m 1 "e${_if_epair_num}b_${_jailname}")"
+ else
+ local _if_jail="epair${_if_epair_num}b"
+ fi
+ _if_type="epair"
+ elif grep -q "vnet.interface.*${_if};" ${_jail_config}; then
+ local _if_jail="${_if}"
+ _if_type="passthrough"
+ else
+ error_exit "Could not find interface inside jail: \"${_if_jail}\""
+ fi
+
+ if [ "${_if_type}" = "bastille" ] || [ "${_if_type}" = "epair" ]; then
+ if grep -oq "${_if_jail}" ${_jail_config}; then
+ local _if_vnet="$(grep ${_if_jail} ${_jail_rc_config} | grep -Eo 'vnet[0-9]+')"
+ else
+ error_exit "Interface not found: ${_if_jail}"
+ fi
+ elif [ "${_if_type}" = "passthrough" ]; then
+ if grep -oq "${_if_jail}" ${_jail_config}; then
+ local _if_vnet="${_if_jail}"
+ else
+ error_exit "Interface not found: ${_if_jail}"
+ fi
+ fi
+
+ # Do not allow removing default vnet0 interface
+ if [ "${_if_vnet}" = "vnet0" ]; then
+ error_exit "Default interface cannot be removed."
+ fi
+
+ # Avoid removing entire file contents if variables aren't set for some reason
+ if [ -z "${_if_jail}" ]; then
+ error_exit "Error: Could not find specifed interface."
+ fi
+
+ # Remove interface from /etc/rc.conf
+ if [ "${_if_type}" = "bastille" ] || [ "${_if_type}" = "epair" ]; then
+ if [ -n "${_if_vnet}" ] && echo ${_if_vnet} 2>/dev/null | grep -Eoq 'vnet[0-9]+'; then
+ sed -i '' "/.*${_if_vnet}.*/d" "${_jail_rc_config}"
+ else
+ error_continue "Failed to remove interface from /etc/rc.conf"
+ fi
+ elif [ "${_if_type}" = "passthrough" ]; then
+ if [ -n "${_if_vnet}" ]; then
+ sed -i '' "/.*${_if_vnet}.*/d" "${_jail_rc_config}"
+ else
+ error_continue "Failed to remove interface from /etc/rc.conf"
+ fi
+ fi
+
+ # Remove VNET interface from jail.conf (VNET)
+ if [ -n "${_if_jail}" ]; then
+ if [ "${_if_type}" = "epair" ]; then
+ sed -i '' "/.*epair${_if_epair_num}.*/d" "${_jail_config}"
+ sed -i '' "/.*e${_if_epair_num}a_${_jailname}.*/d" "${_jail_config}"
+ sed -i '' "/.*e${_if_epair_num}b_${_jailname}.*/d" "${_jail_config}"
+ elif [ "${_if_type}" = "bastille" ]; then
+ sed -i '' "/.*${_if_jail}.*/d" "${_jail_config}"
+ sed -i '' "/.*bastille${_if_bastille_num}.*/d" "${_jail_config}"
+ elif [ "${_if_type}" = "passthrough" ]; then
+ sed -i '' "/.*${_if_jail}.*/d" "${_jail_config}"
+ fi
+ else
+ error_exit "Failed to remove interface from jail.conf"
+ fi
+ else
+ # Remove interface from jail.conf (non-VNET)
+ if [ -n "${_if}" ]; then
+ if grep ${_if} ${_jail_config} 2>/dev/null | grep -qo " = "; then
+ error_exit "Default interface cannot be removed."
+ else
+ sed -i '' "/.*${_if}.*/d" "${_jail_config}"
+ fi
+ else
+ error_exit "Failed to remove interface from jail.conf"
+ fi
+ fi
+
+ info "[${_jailname}]:"
+ echo "Removed interface: \"${_if}\""
+}
+
+add_vlan() {
+ local _jailname="${1}"
+ local _interface="${2}"
+ local _ip="${3}"
+ local _vlan_id="${4}"
+ local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf"
+ local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf"
+ if [ "${VNET}" -eq 1 ]; then
+ local _jail_epair_num="$(grep ${_interface} ${_jail_config} | grep -Eo -m 1 "bastille[0-9]+" | grep -Eo "[0-9]+")"
+ local _jail_vnet="$(grep "e0b_bastille${_jail_epair_num}_name" ${_jail_rc_config} | grep -Eo "vnet[0-9]+")"
+ elif [ "${BRIDGE}" -eq 1 ]; then
+ local _jail_epair_num="$(grep ${_interface} ${_jail_config} | grep -Eo -m 1 "epair[0-9]+" | grep -Eo "[0-9]+")"
+ local _jail_vnet="$(grep "e.*${_jail_epair_num}b.*_name" ${_jail_rc_config} | grep -Eo "vnet[0-9]+")"
+ elif [ "${PASSTHROUGH}" -eq 1 ]; then
+ local _jail_vnet="${_interface}"
+ fi
+ if grep -Eq "ifconfig_${_jail_vnet}_${_vlan_id}" "${bastille_jailsdir}/${_jailname}/root/etc/rc.conf"; then
+ error_exit "VLAN has already been added: VLAN ${_vlan_id}"
+ else
+ bastille start "${_jailname}"
+ bastille template "${_jailname}" ${bastille_template_vlan} --arg VLANID="${_vlan_id}" --arg IFCONFIG="inet ${_ip}" --arg JAIL_VNET="${_jail_vnet}"
+ bastille restart "${_jailname}"
+ fi
+
+ info "[${_jailname}]:"
+ info "Added VLAN ${_vlan_id} to interface: \"${_jail_vnet}\""
+}
+
+case "${ACTION}" in
+ add)
+ validate_netconf
+ validate_netif "${INTERFACE}"
+ if check_interface_added "${TARGET}" "${INTERFACE}" && [ -z "${VLAN_ID}" ]; then
+ error_exit "Interface is already added: \"${INTERFACE}\""
+ elif { [ "${VNET}" -eq 1 ] || [ "${BRIDGE}" -eq 1 ] || [ "${PASSTHROUGH}" -eq 1 ]; } && [ -n "${VLAN_ID}" ]; then
+ add_vlan "${TARGET}" "${INTERFACE}" "${IP}" "${VLAN_ID}"
+ exit 0
+ fi
+ ## validate IP if not empty
+ if [ -n "${IP}" 
]; then
+ validate_ip "${IP}"
+ fi
+ if [ "${VNET}" -eq 1 ]; then
+ if [ "$(bastille config ${TARGET} get vnet)" = "not set" ]; then
+ error_exit "Error: ${TARGET} is not a VNET jail."
+ elif ifconfig -g bridge | grep -owq "${INTERFACE}"; then
+ error_exit "\"${INTERFACE}\" is a bridge interface."
+ else
+ add_interface "${TARGET}" "${INTERFACE}" "${IP}"
+ if [ -n "${VLAN_ID}" ]; then
+ add_vlan "${TARGET}" "${INTERFACE}" "${IP}" "${VLAN_ID}"
+ fi
+ if [ "${AUTO}" -eq 1 ]; then
+ bastille start "${TARGET}"
+ fi
+ fi
+ elif [ "${BRIDGE}" -eq 1 ]; then
+ if [ "$(bastille config ${TARGET} get vnet)" = "not set" ]; then
+ error_exit "Error: ${TARGET} is not a VNET jail."
+ elif ! ifconfig -g bridge | grep -owq "${INTERFACE}"; then
+ error_exit "\"${INTERFACE}\" is not a bridge interface."
+ else
+ add_interface "${TARGET}" "${INTERFACE}" "${IP}"
+ if [ -n "${VLAN_ID}" ]; then
+ add_vlan "${TARGET}" "${INTERFACE}" "${IP}" "${VLAN_ID}"
+ fi
+ if [ "${AUTO}" -eq 1 ]; then
+ bastille start "${TARGET}"
+ fi
+ fi
+ elif [ "${PASSTHROUGH}" -eq 1 ]; then
+ if [ "$(bastille config ${TARGET} get vnet)" = "not set" ]; then
+ error_exit "Error: ${TARGET} is not a VNET jail."
+ else
+ add_interface "${TARGET}" "${INTERFACE}" "${IP}"
+ fi
+ if [ -n "${VLAN_ID}" ]; then
+ add_vlan "${TARGET}" "${INTERFACE}" "${IP}" "${VLAN_ID}"
+ fi
+ if [ "${AUTO}" -eq 1 ]; then
+ bastille start "${TARGET}"
+ fi
+ elif [ "${CLASSIC}" -eq 1 ]; then
+ if [ "$(bastille config ${TARGET} get vnet)" != "not set" ]; then
+ error_exit "Error: ${TARGET} is a VNET jail."
+ else
+ add_interface "${TARGET}" "${INTERFACE}" "${IP}"
+ if [ "${AUTO}" -eq 1 ]; then
+ bastille start "${TARGET}"
+ fi
+ fi
+ fi
+ ;;
+ remove|delete)
+ check_interface_added "${TARGET}" "${INTERFACE}" || error_exit "Interface not found in jail.conf: \"${INTERFACE}\""
+ validate_netif "${INTERFACE}"
+ if ! 
grep -q "${INTERFACE}" ${bastille_jailsdir}/${TARGET}/jail.conf; then
+ error_exit "Interface not found in jail.conf: \"${INTERFACE}\""
+ else
+ remove_interface "${TARGET}" "${INTERFACE}"
+ if [ "${AUTO}" -eq 1 ]; then
+ bastille start "${TARGET}"
+ fi
+ fi
+ ;;
+ *)
+ error_exit "Only [add|remove] are supported."
+ ;;
+esac
diff --git a/usr/local/share/bastille/pkg.sh b/usr/local/share/bastille/pkg.sh
index c69f6763..c51b9ea4 100644
--- a/usr/local/share/bastille/pkg.sh
+++ b/usr/local/share/bastille/pkg.sh
@@ -31,7 +31,6 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
-. /usr/local/etc/bastille/bastille.conf
 usage() {
 error_notify "Usage: bastille pkg [option(s)] TARGET COMMAND args"
diff --git a/usr/local/share/bastille/rcp.sh b/usr/local/share/bastille/rcp.sh
index f3880a0f..b6273ae7 100644
--- a/usr/local/share/bastille/rcp.sh
+++ b/usr/local/share/bastille/rcp.sh
@@ -31,7 +31,6 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
-. /usr/local/etc/bastille/bastille.conf
 usage() {
 error_notify "Usage: bastille rcp [option(s)] TARGET JAIL_PATH HOST_PATH"
diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh
index ef1e60a8..8edfe474 100644
--- a/usr/local/share/bastille/rdr.sh
+++ b/usr/local/share/bastille/rdr.sh
@@ -31,7 +31,6 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
-. /usr/local/etc/bastille/bastille.conf
 usage() {
 error_notify "Usage: bastille rdr [option(s)] TARGET [clear|reset|list|(tcp|udp)] HOST_PORT JAIL_PORT [log ['(' logopts ')'] ]"
diff --git a/usr/local/share/bastille/rename.sh b/usr/local/share/bastille/rename.sh
index 7aa887b8..00a2e541 100644
--- a/usr/local/share/bastille/rename.sh
+++ b/usr/local/share/bastille/rename.sh
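Review bot: In remove_interface the type detection `if grep -q ${_if} ${_jail_config} | grep -Eoq -m 1 'bastille[0-9]+'; then` can never succeed: `grep -q` prints nothing, so the second grep always reads empty input and exits non-zero, and the same applies to the following `epair[0-9]+` test and the inner `grep -q epair${_if_epair_num}b … | grep -Eoq …` check, so bastille and epair interfaces fall through to the passthrough test or to the error branch (which also interpolates `${_if_jail}` before anything has set it). Dropping `-q` from the first grep of each pipeline, e.g. `if grep "${_if}" "${_jail_config}" | grep -Eoq -m 1 'bastille[0-9]+'; then`, makes the detection work as intended. Separately, in add_interface's bridge branch the length check `echo -n "e${_num}a_${jail_name}"` reads the undefined `${jail_name}` where the function's local is `${_jailname}`, so the 16-character interface-name limit is tested against the wrong string; the else branch a few lines below uses `_jailname` correctly. The classic branch also interpolates `${_ip}` into a `/`-delimited sed substitution while validate_ip accepts CIDR notation containing `/`, so a prefixed address would break that sed expression; using another delimiter such as `s|interface = .*|…|` avoids it.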
@@ -29,7 +29,6 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
-. /usr/local/etc/bastille/bastille.conf
 usage() {
 error_notify "Usage: bastille rename [option(s)] TARGET NEW_NAME"
diff --git a/usr/local/share/bastille/setup.sh b/usr/local/share/bastille/setup.sh
index 020d2cf4..71b9d1c0 100644
--- a/usr/local/share/bastille/setup.sh
+++ b/usr/local/share/bastille/setup.sh
@@ -30,10 +30,7 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-bastille_config="/usr/local/etc/bastille/bastille.conf"
 . /usr/local/share/bastille/common.sh
-# shellcheck source=/usr/local/etc/bastille/bastille.conf
-. ${bastille_config}
 usage() {
 error_exit "Usage: bastille setup [pf|network|zfs|vnet]"
diff --git a/usr/local/share/bastille/start.sh b/usr/local/share/bastille/start.sh
index 4056c65c..44f518b8 100644
--- a/usr/local/share/bastille/start.sh
+++ b/usr/local/share/bastille/start.sh
@@ -31,7 +31,6 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
-. /usr/local/etc/bastille/bastille.conf
 usage() {
 error_notify "Usage: bastille start [option(s)] TARGET"
diff --git a/usr/local/share/bastille/stop.sh b/usr/local/share/bastille/stop.sh
index b6747af3..d7bb1350 100644
--- a/usr/local/share/bastille/stop.sh
+++ b/usr/local/share/bastille/stop.sh
@@ -31,7 +31,6 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
-. /usr/local/etc/bastille/bastille.conf
 usage() {
 error_notify "Usage: bastille stop [option(s)] TARGET"
diff --git a/usr/local/share/bastille/sysrc.sh b/usr/local/share/bastille/sysrc.sh
index f2361ab1..de715e13 100644
--- a/usr/local/share/bastille/sysrc.sh
+++ b/usr/local/share/bastille/sysrc.sh
@@ -31,7 +31,6 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
-. /usr/local/etc/bastille/bastille.conf
 usage() {
 error_notify "Usage: bastille sysrc [option(s)] TARGET args"
diff --git a/usr/local/share/bastille/tags.sh b/usr/local/share/bastille/tags.sh
index 0285570f..be0fc13a 100644
--- a/usr/local/share/bastille/tags.sh
+++ b/usr/local/share/bastille/tags.sh
@@ -32,7 +32,6 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
-. /usr/local/etc/bastille/bastille.conf
 usage() {
 error_notify "Usage: bastille tags TARGET [add|delete|list] [tag1,tag2]"
diff --git a/usr/local/share/bastille/template.sh b/usr/local/share/bastille/template.sh
index 1ff943a3..b3ca2ffa 100644
--- a/usr/local/share/bastille/template.sh
+++ b/usr/local/share/bastille/template.sh
@@ -31,7 +31,6 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
-. /usr/local/etc/bastille/bastille.conf
 usage() {
 error_notify "Usage: bastille template [option(s)] TARGET [--convert|project/template]"
diff --git a/usr/local/share/bastille/templates/default/vlan/Bastillefile b/usr/local/share/bastille/templates/default/vlan/Bastillefile
index 6d594446..7bde367b 100644
--- a/usr/local/share/bastille/templates/default/vlan/Bastillefile
+++ b/usr/local/share/bastille/templates/default/vlan/Bastillefile
@@ -1,6 +1,7 @@
+ARG JAIL_VNET="vnet0"
 ARG VLANID
 ARG IFCONFIG="SYNCDHCP"
-SYSRC ifconfig_vnet0="up"
-SYSRC vlans_vnet0="${VLANID}"
-SYSRC ifconfig_vnet0_${VLANID}="${IFCONFIG}"
+SYSRC ifconfig_${JAIL_VNET}="up"
+SYSRC vlans_${JAIL_VNET}+="${VLANID}"
+SYSRC ifconfig_${JAIL_VNET}_${VLANID}="${IFCONFIG}"
diff --git a/usr/local/share/bastille/top.sh b/usr/local/share/bastille/top.sh
index ef2a8bcb..9c767079 100644
--- a/usr/local/share/bastille/top.sh
+++ b/usr/local/share/bastille/top.sh
@@ -31,7 +31,6 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
-. /usr/local/etc/bastille/bastille.conf
 usage() {
 error_notify "Usage: bastille top [options(s)] TARGET"
diff --git a/usr/local/share/bastille/umount.sh b/usr/local/share/bastille/umount.sh
index 89017dfd..57c3081c 100644
--- a/usr/local/share/bastille/umount.sh
+++ b/usr/local/share/bastille/umount.sh
@@ -31,7 +31,6 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
-. /usr/local/etc/bastille/bastille.conf
 usage() {
 error_notify "Usage: bastille umount [option(s)] TARGET JAIL_PATH"
diff --git a/usr/local/share/bastille/update.sh b/usr/local/share/bastille/update.sh
index 1a387b36..ba3ea52f 100644
--- a/usr/local/share/bastille/update.sh
+++ b/usr/local/share/bastille/update.sh
@@ -31,7 +31,6 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
-. /usr/local/etc/bastille/bastille.conf
 usage() {
 error_notify "Usage: bastille update [option(s)] TARGET"
diff --git a/usr/local/share/bastille/upgrade.sh b/usr/local/share/bastille/upgrade.sh
index 5d92d181..45088490 100644
--- a/usr/local/share/bastille/upgrade.sh
+++ b/usr/local/share/bastille/upgrade.sh
@@ -31,7 +31,6 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
-. /usr/local/etc/bastille/bastille.conf
 usage() {
 error_notify "Usage: bastille upgrade [option(s)] TARGET [NEWRELEASE|install]"
diff --git a/usr/local/share/bastille/verify.sh b/usr/local/share/bastille/verify.sh
index b82b5d93..f1983902 100644
--- a/usr/local/share/bastille/verify.sh
+++ b/usr/local/share/bastille/verify.sh
@@ -31,7 +31,6 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
-. /usr/local/etc/bastille/bastille.conf
 usage() {
 error_notify "Usage: bastille verify [RELEASE|TEMPLATE]"
diff --git a/usr/local/share/bastille/zfs.sh b/usr/local/share/bastille/zfs.sh
index 8ffef062..675cb0e1 100644
--- a/usr/local/share/bastille/zfs.sh
+++ b/usr/local/share/bastille/zfs.sh
@@ -31,7 +31,6 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
-. /usr/local/etc/bastille/bastille.conf
 usage() {
 error_notify "Usage: bastille zfs TARGET [set|get|snap|destroy_snap|df|usage] [key=value|date]"