From fa1d965caff5038351748c68b0be5a350c55ae69 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 29 Dec 2024 17:45:45 -0700 Subject: [PATCH 01/96] add network subcommand --- usr/local/bin/bastille | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index 98cd52a1..a6099e93 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -157,7 +157,7 @@ version|-v|--version) help|-h|--help) usage ;; -bootstrap|create|destroy|export|import|list|rdr|restart|setup|start|update|upgrade|verify) +bootstrap|create|destroy|export|import|list|network|rdr|restart|setup|start|update|upgrade|verify) # Nothing "extra" to do for these commands. -- cwells ;; clone|config|cmd|console|convert|cp|edit|htop|limits|mount|pkg|rcp|rename|service|stop|sysrc|tags|template|top|umount|zfs) From 9f75d117446e5822ab96aebffb4d05c01a746d66 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 29 Dec 2024 17:47:12 -0700 Subject: [PATCH 02/96] clone support multiple interface cloning --- usr/local/share/bastille/clone.sh | 90 ++++++++++++++++++------------- 1 file changed, 53 insertions(+), 37 deletions(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index f26f460a..b2861192 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh 
@@ -104,46 +104,62 @@ update_jailconf() { update_jailconf_vnet() { bastille_jail_rc_conf="${bastille_jailsdir}/${NEWNAME}/root/etc/rc.conf" - # Determine number of containers and define an uniq_epair - local list_jails_num="$(bastille list jails | wc -l | awk '{print $1}')" - local num_range="$(expr "${list_jails_num}" + 1)" - jail_list=$(bastille list jail) - for _num in $(seq 0 "${num_range}"); do - if [ -n "${jail_list}" ]; then - if ! grep -q "e0b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then - if ! grep -q "epair${_num}" "${bastille_jailsdir}"/*/jail.conf; then - local uniq_epair="bastille${_num}" - local uniq_epair_bridge="${_num}" - # since we don't have access to the external_interface variable, we cat the jail.conf file to retrieve the mac prefix - # we also do not use the main generate_static_mac function here - local macaddr_prefix="$(cat ${JAIL_CONFIG} | grep -m 1 ether | grep -oE '([0-9a-f]{2}(:[0-9a-f]{2}){5})' | awk -F: '{print $1":"$2":"$3}')" - local macaddr_suffix="$(echo -n ${NEWNAME} | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" - local macaddr="${macaddr_prefix}:${macaddr_suffix}" - # Update the exec.* with uniq_epair when cloning jails. 
- # for VNET jails - sed -i '' "s|bastille\([0-9]\{1,\}\)|${uniq_epair}|g" "${JAIL_CONFIG}" - sed -i '' "s|e\([0-9]\{1,\}\)a_${NEWNAME}|e${uniq_epair_bridge}a_${NEWNAME}|g" "${JAIL_CONFIG}" - sed -i '' "s|e\([0-9]\{1,\}\)b_${NEWNAME}|e${uniq_epair_bridge}b_${NEWNAME}|g" "${JAIL_CONFIG}" - sed -i '' "s|epair\([0-9]\{1,\}\)|epair${uniq_epair_bridge}|g" "${JAIL_CONFIG}" - sed -i '' "s|exec.prestart += \"ifconfig e0a_bastille\([0-9]\{1,\}\).*description.*|exec.prestart += \"ifconfig e0a_${uniq_epair} description \\\\\"vnet host interface for Bastille jail ${NEWNAME}\\\\\"\";|" "${JAIL_CONFIG}" - sed -i '' "s|ether.*:.*:.*:.*:.*:.*a |ether ${macaddr}a |" "${JAIL_CONFIG}" - sed -i '' "s|ether.*:.*:.*:.*:.*:.*b |ether ${macaddr}b |" "${JAIL_CONFIG}" - break + # Determine number of interfaces and define a uniq_epair + local _if_list="$(grep -Eo 'epair[0-9]+|bastille[0-9]+' ${JAIL_CONFIG} | sort -u)" + for _if in ${_if_list}; do + local _if_count="$(grep -Eo 'epair[0-9]+|bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local num_range=$((_if_count + 1)) + for _num in $(seq 0 "${num_range}"); do + if ! grep -Eo "epair${_num}|bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then + local uniq_epair="bastille${_num}" + local uniq_epair_bridge="${_num}" + # since we don't have access to the external_interface variable, we cat the jail.conf file to retrieve the mac prefix + # we also do not use the main generate_static_mac function here + local macaddr_prefix="$(cat ${JAIL_CONFIG} | grep ${_if} | grep -m 1 ether | grep -oE '([0-9a-f]{2}(:[0-9a-f]{2}){5})' | awk -F: '{print $1":"$2":"$3}')" + local macaddr_suffix="$(echo -n ${NEWNAME} | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" + local macaddr="${macaddr_prefix}:${macaddr_suffix}" + # Update the exec.* with uniq_epair when cloning jails. 
+ # for VNET jails + if echo ${_if} 2>/dev/null | grep -Eo 'bastille[0-9]+'; then + sed -i '' "s|${_if}|${uniq_epair}|g" "${JAIL_CONFIG}" + sed -i '' "s|${uniq_epair} ether.*:.*:.*:.*:.*:.*a\";|${uniq_epair} ether ${macaddr}a\";|" "${JAIL_CONFIG}" + sed -i '' "s|${uniq_epair} ether.*:.*:.*:.*:.*:.*b\";|${uniq_epair} ether ${macaddr}b\";|" "${JAIL_CONFIG}" + sed -i '' "s|exec.prestart += \"ifconfig.*${uniq_epair}.*description.*|exec.prestart += \"ifconfig e0a_${uniq_epair} description \\\\\"vnet host interface for Bastille jail ${NEWNAME}\\\\\"\";|" "${JAIL_CONFIG}" + # Update /etc/rc.conf + sed -i '' "s|ifconfig_e0b_${_if}_name|ifconfig_e0b_${uniq_epair}_name|" "${bastille_jail_rc_conf}" + if grep -q vnet0 "${bastille_jail_rc_conf}" | grep -q ${uniq_epair}; then + if [ "${IP}" = "0.0.0.0" ]; then + sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP" + else + sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0=" inet ${IP} " + fi + else + sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet${_num}="SYNCDHCP" + fi + elif echo ${_if} 2>/dev/null | grep -Eo 'epair[0-9]+'; then + local _if_epaira="$(grep "${_if}" ${JAIL_CONFIG} | grep -Eo "e[0-9]+a_${TARGET}")" + local _if_epairb="$(grep "${_if}" ${JAIL_CONFIG} | grep -Eo "e[0-9]+b_${TARGET}")" + sed -i '' "s|${_if}|epair${uniq_epair_bridge}|g" "${JAIL_CONFIG}" + sed -i '' "s|${_if_epaira}|e${uniq_epair_bridge}b_${NEWNAME}|g" "${JAIL_CONFIG}" + sed -i '' "s|${_if_epairb}|e${uniq_epair_bridge}b_${NEWNAME}|g" "${JAIL_CONFIG}" + sed -i '' "s|e${uniq_epair}a_${TARGET} ether.*:.*:.*:.*:.*:.*a\";|e${uniq_epair}a_${NEWNAME} ether ${macaddr}a\";|" "${JAIL_CONFIG}" + sed -i '' "s|e${uniq_epair}b_${TARGET} ether.*:.*:.*:.*:.*:.*b\";|e${uniq_epair}b_${NEWNAME} ether ${macaddr}b\";|" "${JAIL_CONFIG}" + # Update /etc/rc.conf + sed -i '' "s|${_if_epairb}|e${uniq_epair_bridge}b_${NEWNAME}_name|" "${bastille_jail_rc_conf}" + if grep -q "vnet0" "${bastille_jail_rc_conf}" | grep -q "e${uniq_epair_bridge}b_${NEWNAME}_name"; then + 
if [ "${IP}" = "0.0.0.0" ]; then + sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP" + else + sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}" + fi + else + sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet${_num}="SYNCDHCP" + fi fi + break fi - fi + done done - - # Rename interface to new uniq_epair - sed -i '' "s|ifconfig_e0b_bastille.*_name|ifconfig_e0b_${uniq_epair}_name|" "${bastille_jail_rc_conf}" - sed -i '' "s|ifconfig_e.*b_${TARGET}_name|ifconfig_e${uniq_epair_bridge}b_${NEWNAME}_name|" "${bastille_jail_rc_conf}" - - # If 0.0.0.0 set DHCP, else set static IP address - if [ "${IP}" = "0.0.0.0" ]; then - sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP" - else - sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}" - fi } update_fstab() { From b24f43f628ab209b9a0cef1c7578b6564fa3fa81 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 29 Dec 2024 17:49:48 -0700 Subject: [PATCH 03/96] support multiple interfaces --- usr/local/share/bastille/common.sh | 32 ++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index ed9e5a6a..b080a1a6 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh 
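Review bot: In the bridged-interface branch the two MAC rewrites can never match: by the time they run, `${_if_epaira}`/`${_if_epairb}` have already been renamed to `e${uniq_epair_bridge}a_${NEWNAME}`/`…b_${NEWNAME}`, yet the patterns look for `e${uniq_epair}a_${TARGET} ether` (and `uniq_epair` is the `bastilleN` name, not the bridge number), so the cloned jail keeps the source jail's MAC address on the same bridge. Matching on the renamed name fixes it: `sed -i '' "s|e${uniq_epair_bridge}a_${NEWNAME} ether.*:.*:.*:.*:.*:.*a\";|e${uniq_epair_bridge}a_${NEWNAME} ether ${macaddr}a\";|" "${JAIL_CONFIG}"` and the same for the `b` side. Separately, `sed -i '' "s|${_if}|${uniq_epair}|g"` (and the `epair` counterpart) is an unanchored substring match, so renaming `bastille1` also corrupts `bastille10`..`bastille19` in a jail with many interfaces; every occurrence in jail.conf is followed by a non-digit, so `s|${_if}\([^0-9]\)|${uniq_epair}\1|g` avoids that. The same substring issue makes the `_if_epaira`/`_if_epairb` greps return several names when `epair1` and `epair10` coexist.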
@@ -70,12 +70,25 @@ warn() { echo -e "${COLOR_YELLOW}$*${COLOR_RESET}" } +check_target_is_running() { + local _TARGET="${1}" + if [ ! "$(/usr/sbin/jls name | awk "/^${_TARGET}$/")" ]; then + return 1 + else + return 0 + fi +} + generate_static_mac() { local jail_name="${1}" local external_interface="${2}" local macaddr_prefix="$(ifconfig ${external_interface} | grep ether | awk '{print $2}' | cut -d':' -f1-3)" local macaddr_suffix="$(echo -n ${jail_name} | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" + if [ -z "${macaddr_prefix}" ] || [ -z "${macaddr_suffix}" ]; then + error_notify "Failed to generate MAC address." + fi macaddr="${macaddr_prefix}:${macaddr_suffix}" + export macaddr } generate_vnet_jail_netblock() { @@ -86,17 +99,14 @@ generate_vnet_jail_netblock() { ## determine number of containers + 1 ## iterate num and grep all jail configs ## define uniq_epair - local jail_list="$(bastille list jails)" - if [ -n "${jail_list}" ]; then - local list_jails_num="$(echo "${jail_list}" | wc -l | awk '{print $1}')" - local num_range=$((list_jails_num + 1)) - for _num in $(seq 0 "${num_range}"); do - if ! grep -q "e[0-9]b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then - if ! grep -q "epair${_num}" "${bastille_jailsdir}"/*/jail.conf; then - local uniq_epair="bastille${_num}" - local uniq_epair_bridge="${_num}" - break - fi + local _if_count="$(grep -Eo 'epair[0-9]+|bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local num_range=$((_if_count + 1)) + if [ "${_if_count}" -gt 0 ]; then + for _num in $(seq 0 "${num_range}"); do + if ! grep -Eq "epair${_num}|bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then + local uniq_epair="bastille${_num}" + local uniq_epair_bridge="${_num}" + break fi done else From d0fd6728b25daee9d24b26305666709ef25643f8 Mon Sep 17 00:00:00 2001 
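Review bot: `generate_static_mac` only notifies on failure and then still assigns and exports `macaddr` from the empty parts, so a jail can end up with a malformed `ether :…` value written into its jail.conf; since the result is unusable, the call should be `error_exit "Failed to generate MAC address."` (error_exit is what the rest of this series uses for fatal conditions). In `check_target_is_running` the target name is interpolated into an awk regex, `awk "/^${_TARGET}$/"`, so a name containing regex metacharacters is misread and a crafted pattern could match other jails; a string comparison is safer: `awk -v t="${_TARGET}" '$0 == t'`. The `/usr/sbin/jls name` output is one name per line, so the comparison stays exact.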
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 29 Dec 2024 17:50:53 -0700 Subject: [PATCH 04/96] network subcommand --- usr/local/share/bastille/network.sh | 380 ++++++++++++++++++++++++++++ 1 file changed, 380 insertions(+) create mode 100644 usr/local/share/bastille/network.sh diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh new file mode 100644 index 00000000..772c6e19 --- /dev/null +++ b/usr/local/share/bastille/network.sh 
@@ -0,0 +1,380 @@ +#!/bin/sh +# +# Copyright (c) 2018-2024, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/common.sh +. /usr/local/etc/bastille/bastille.conf + +usage() { + error_notify "Usage: bastille network [option(s)] TARGET [remove INTERFACE] [add INTERFACE IP_ADDRESS]" + + cat << EOF + Options: + + -r | --restart Restart jail on completion. + -v | --vnet Adds a VNET interface to an existing jail. + -b | --bridge Adds a bridged VNET interface to an existing jail. 
+ +EOF + exit 1 +} + +# Handle options. +FORCE=0 +RESTART=0 +VNET_JAIL=0 +BRIDGE_VNET_JAIL=0 +while [ "$#" -gt 0 ]; do + case "${1}" in + -h|--help|help) + usage + ;; + -f|--force) + FORCE=1 + shift + ;; + -r|--restart) + RESTART=1 + shift + ;; + -v|--vnet) + VNET_JAIL=1 + shift + ;; + -b|--bridge) + BRIDGE_VNET_JAIL=1 + shift + ;; + -*) + error_notify "Unknown Option: \"${1}\"" + usage + ;; + *) + break + ;; + esac +done + +if [ "${ACTION}" = "add" ]; then + if [ "${VNET_JAIL}" -eq 1 ] && [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; then + error_notify "Error: [-v|-V|--vnet] and [-b|-B|--bridge] cannot both be set." + usage + elif [ "${VNET_JAIL}" -eq 0 ] && [ "${BRIDGE_VNET_JAIL}" -eq 0 ]; then + error_notify "Error: [-v|-V|--vnet] or [-b|-B|--bridge] must be set." + usage + fi +fi + +if [ "$#" -lt 2 ] || [ "$#" -gt 4 ]; then + usage +fi + +TARGET="${1}" +ACTION="${2}" +INTERFACE="${3}" +IP="${4}" + +bastille_root_check +set_target_single "${TARGET}" + +validate_ip() { + local ip="${1}" + local ip6="$( echo "${ip}" | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$)|SLAAC)' )" + if [ -n "${ip6}" ]; then + info "Valid: (${ip6})." + else + local IFS + if echo "${ip}" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then + TEST_IP=$(echo "${ip}" | cut -d / -f1) + IFS=. + set ${TEST_IP} + for quad in 1 2 3 4; do + if eval [ \$$quad -gt 255 ]; then + error_exit "Invalid: (${TEST_IP})" + fi + done + info "Valid: (${ip})." + else + error_exit "Invalid: (${ip})." + fi + fi +} + +validate_netif() { + local _interface="${1}" + local _list_interfaces="$(ifconfig -l)" + if echo "${_list_interfaces} VNET" | grep -qwo "${_interface}"; then + info "Valid: (${_interface})." + else + error_exit "Invalid: (${_interface})." + fi +} + +validate_netconf() { + if [ -n "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then + error_exit "Invalid network configuration." 
+ fi +} + +check_interface_added() { + local _jailname="${1}" + local _if="${2}" + local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" + if grep -o "${_if}" "${_jail_config}"; then + return 0 + else + return 1 + fi +} + +add_vnet_interface_block() { + local _jailname="${1}" + local _if="${2}" + local _ip="${3}" + local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" + local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" + local _if_count="$(grep -Eo 'epair[0-9]+|bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local _if_vnet_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l | awk '{print $1}')" + local _if_vnet=$((_if_vnet_count + 1)) + local num_range=$((_if_count + 1)) + for _num in $(seq 0 "${num_range}"); do + if ! grep -Eq "epair${_num}|bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then + local uniq_epair="bastille${_num}" + break + fi + done + generate_static_mac "${_jailname}" "${_if}" + sed -i '' "s|}||" "${_jail_config}" + ## generate config + cat << EOF >> "${_jail_config}" + ## ${uniq_epair} interface + vnet.interface += e0b_${uniq_epair}; + exec.prestart += "jib addm ${uniq_epair} ${_if}"; + exec.prestart += "ifconfig e0a_${uniq_epair} ether ${macaddr}a"; + exec.prestart += "ifconfig e0b_${uniq_epair} ether ${macaddr}b"; + exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${_jailname}\""; + exec.poststop += "jib destroy ${uniq_epair}"; +} +EOF + + # add config to /etc/rc.conf + bastille sysrc ${_jailname} ifconfig_e0b_${uniq_epair}_name="vnet${_num}" + bastille sysrc ${_jailname} ifconfig_vnet${_num}=" inet ${_ip} " + + info "[${_jailname}]:" + echo "Added interface: \"${_if}\"" +} + +add_bridge_interface_block() { + local _jailname="${1}" + local _if="${2}" + local _ip="${3}" + local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" + local 
_jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" + local _if_count="$(grep -Eo 'epair[0-9]+|bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local _if_vnet_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l | awk '{print $1}')" + local _if_vnet=$((_if_vnet_count + 1)) + local num_range=$((_if_count + 1)) + for _num in $(seq 0 "${num_range}"); do + if ! grep -Eq "epair${_num}|bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then + local uniq_epair="${_num}" + break + fi + done + generate_static_mac "${_jailname}" "${_if}" + sed -i '' "s|}||" "${_jail_config}" + ## generate config + cat << EOF >> "${_jail_config}" + ## epair${uniq_epair} interface + vnet.interface += e${uniq_epair}b_${_jailname}; + exec.prestart += "ifconfig epair${uniq_epair} create"; + exec.prestart += "ifconfig ${_if} addm epair${uniq_epair}a"; + exec.prestart += "ifconfig epair${uniq_epair}a up name e${uniq_epair}a_${_jailname}"; + exec.prestart += "ifconfig epair${uniq_epair}b up name e${uniq_epair}b_${_jailname}"; + exec.prestart += "ifconfig e${uniq_epair}a_${_jailname} ether ${macaddr}a"; + exec.prestart += "ifconfig e${uniq_epair}b_${_jailname} ether ${macaddr}b"; + exec.poststop += "ifconfig ${_if} deletem e${uniq_epair}a_${_jailname}"; + exec.poststop += "ifconfig e${uniq_epair}a_${_jailname} destroy"; +} +EOF + + # Add config to /etc/rc.conf + bastille sysrc ${_jailname} ifconfig_e${uniq_epair}b_${_jailname}_name="vnet${_num}" + bastille sysrc ${_jailname} ifconfig_vnet${_num}=" inet ${_ip} " + + info "[${_jailname}]:" + echo "Added interface: \"${_if}\"" +} + +remove_vnet_interface_block() { + local _jailname="${1}" + local _if="${2}" + local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" + local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" + local _if_jail="$(grep "${_if}" ${_jail_config} | grep -Eo 'bastille[0-9]+')" + if grep -o "${_if_jail}" ${_jail_rc_config}; then + 
local _if_vnet="$(grep "${_if_jail}" ${_jail_rc_config} | grep -Eo 'vnet[0-9]+')" + else + error_exit "Interface not found: ${_if_jail}" + fi + + # Do not allow removing default vnet0 interface + if [ "${_if_vnet}" = "vnet0" ]; then + error_exit "Default interface cannot be removed." + fi + + # Avoid removing entire file contents if variables aren't set for some reason + if [ -z "${_if_jail}" ]; then + error_exit "Error: Could not find specifed interfaces. Exiting..." + fi + + # Remove interface from jail.conf + if [ -n "${_if_jail}" ]; then + sed -i '' "s|.*${_if_jail}.*||" "${_jail_config}" + sed -i '' '/^$/d' "${_jail_config}" + else + error_exit "Failed to remove interface from jail.conf" + fi + + # Remove interface from /etc/rc.conf + if [ -n "${_if_vnet}" ] && echo ${_if_vnet} 2>/dev/null | grep -Eo 'vnet[0-9]+'; then + sed -i '' "s|.*${_if_vnet}.*||" "${_jail_rc_config}" + sed -i '' '/^$/d' "${_jail_rc_config}" + else + error_exit "Failed to remove interface from /etc/rc.conf" + fi + + info "[${_jailname}]:" + echo "Removed interface: \"${_if}\"" +} + +remove_bridge_interface_block() { + local _jailname="${1}" + local _if="${2}" + local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" + local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" + local _if_epair="$(grep "${_if}" ${_jail_config} | grep -Eo 'epair[0-9]+')" + local _if_epaira_name="$(grep "${_if_epair}" ${_jail_config} | grep -Eo "e[0-9]+a_${_jailname}")" + local _if_epairb_name="$(grep "${_if_epair}" ${_jail_config} | grep -Eo "e[0-9]+b_${_jailname}")" + if grep -o "${_if_epairb_name}" ${_jail_rc_config}; then + local _if_vnet="$(grep "${_if_epairb_name}" ${_jail_rc_config} | grep -Eo 'vnet[0-9]+')" + else + error_exit "Interface not found: ${_if_epair_name}" + fi + + # Do not allow removing default vnet0 interface + if [ "${_if_vnet}" = "vnet0" ]; then + error_exit "Default interface cannot be removed." 
+ fi + + # Avoid removing entire file contents if variables aren't set for some reason + if [ -z "${_if_epair}" ] || [ -z "${_if_epaira_name}" ] || [ -z "${_if_epairb_name}" ] || [ -z "${_if_vnet}" ]; then + error_exit "Error: Could not find specifed interfaces. Exiting..." + fi + + # Remove interface from jail.conf + if [ -n "${_if_epair}" ] && [ -n "${_if_epaira_name}" ] && [ -n "${_if_epairb_name}" ] && [ -n "${_if_vnet}" ]; then + sed -i '' "s|.*${_if_epair}.*||" "${_jail_config}" + sed -i '' "s|.*${_if_epaira_name}.*||" "${_jail_config}" + sed -i '' "s|.*${_if_epairb_name}.*||" "${_jail_config}" + sed -i '' '/^$/d' "${_jail_config}" + else + error_exit "Failed to remove interface from jail.conf" + fi + + # Remove interface from /etc/rc.conf + if [ -n "${_if_vnet}" ] && echo ${_if_vnet} 2>/dev/null | grep -Eo 'vnet[0-9]+'; then + sed -i '' "s|ifconfig.*${_if_vnet}.*||" "${_jail_rc_config}" + sed -i '' '/^$/d' "${_jail_rc_config}" + else + error_exit "Failed to remove interface from /etc/rc.conf" + fi + + info "[${_jailname}]:" + echo "Removed interface: \"${_if}\"" +} + +case "${ACTION}" in + add) + check_target_is_running "${TARGET}" || if [ "${FORCE}" -eq 1 ]; then + bastille start "${TARGET}" + else + error_notify "Jail is not running." + error_exit "Use [-f|--force] to force start the jail." + fi + validate_netconf + validate_netif "${INTERFACE}" + if check_interface_added "${TARGET}" "${INTERFACE}"; then + error_exit "Interface is already added: \"${INTERFACE}\"" + fi + validate_ip "${IP}" + if [ "${VNET_JAIL}" -eq 1 ]; then + if ifconfig | grep "${INTERFACE}" | grep -q bridge; then + error_exit "\"${INTERFACE}\" is a bridge interface." + else + add_vnet_interface_block "${TARGET}" "${INTERFACE}" "${IP}" + if [ "${RESTART}" -eq 1 ]; then + bastille restart "${TARGET}" + fi + fi + elif [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; then + if ! ifconfig | grep "${INTERFACE}" | grep -q bridge; then + error_exit "\"${INTERFACE}\" is not a bridge interface." 
+ else + add_bridge_interface_block "${TARGET}" "${INTERFACE}" "${IP}" + if [ "${RESTART}" -eq 1 ]; then + bastille restart "${TARGET}" + fi + fi + fi + ;; + remove|delete) + check_interface_added "${TARGET}" "${INTERFACE}" || error_exit "Interface not found in jail.conf: \"${INTERFACE}\"" + validate_netif "${INTERFACE}" + if ! grep -q "${INTERFACE}" ${bastille_jailsdir}/${TARGET}/jail.conf; then + error_exit "Interface not found in jail.conf: \"${INTERFACE}\"" + else + if grep "${INTERFACE}" ${bastille_jailsdir}/${TARGET}/jail.conf 2>/dev/null | grep -qE '[[:blank:]]bastille[0-9]+'; then + remove_vnet_interface_block "${TARGET}" "${INTERFACE}" + if [ "${RESTART}" -eq 1 ]; then + bastille restart "${TARGET}" + fi + elif grep "${INTERFACE}" ${bastille_jailsdir}/${TARGET}/jail.conf 2>/dev/null | grep -qE '[[:blank:]]epair[0-9]+'; then + remove_bridge_interface_block "${TARGET}" "${INTERFACE}" + if [ "${RESTART}" -eq 1 ]; then + bastille restart "${TARGET}" + fi + fi + fi + ;; + *) + error_exit "Only [add|remove] are supported." + ;; +esac + From b201fe1582433968c78fe84ef9bd5a3bb445a56e Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 29 Dec 2024 17:52:06 -0700 Subject: [PATCH 05/96] Update network.sh --- usr/local/share/bastille/network.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 772c6e19..6d4b9e40 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -37,6 +37,7 @@ usage() { cat << EOF Options: + -f | --force Start the jail it it is stopped. -r | --restart Restart jail on completion. -v | --vnet Adds a VNET interface to an existing jail. -b | --bridge Adds a bridged VNET interface to an existing jail. From a73da1d44249402364b466296348c37202de0086 Mon Sep 17 00:00:00 2001 
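Review bot: `ACTION` is tested in `if [ "${ACTION}" = "add" ]` before it is assigned from `${2}` further down, so the check that exactly one of `-v`/`-b` is given never fires, and an `add` with neither flag validates everything and then silently does nothing; move the `TARGET=`/`ACTION=`/`INTERFACE=`/`IP=` assignments and the `$#` check above that block. The removal helpers delete lines by unanchored substring, `sed -i '' "s|.*${_if_jail}.*||"` and `sed -i '' "s|.*${_if_vnet}.*||"`, so removing `bastille1`/`vnet1` also wipes the `bastille10`/`vnet10` entries of another interface; since each occurrence in these files is followed by a non-digit, `s|.*${_if_jail}[^0-9].*||` (and likewise for `_if_vnet`) avoids that. `check_interface_added` has the same substring problem and additionally prints its matches because `grep -o` is used without `-q`. The `eval [ \$$quad -gt 255 ]` loop in `validate_ip` is dead code — the preceding regex already limits each octet to 0–255 — and passing user input through `eval` is reason enough to drop it.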
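Review bot: The added `-f | --force` usage line has a typo, `it it is stopped`, which should read `if it is stopped`. Suggested text: `-f | --force          Start the jail if it is stopped.`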
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 29 Dec 2024 18:16:43 -0700 Subject: [PATCH 06/96] small bugfix --- usr/local/share/bastille/clone.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index b2861192..519e4874 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -140,7 +140,7 @@ update_jailconf_vnet() { local _if_epaira="$(grep "${_if}" ${JAIL_CONFIG} | grep -Eo "e[0-9]+a_${TARGET}")" local _if_epairb="$(grep "${_if}" ${JAIL_CONFIG} | grep -Eo "e[0-9]+b_${TARGET}")" sed -i '' "s|${_if}|epair${uniq_epair_bridge}|g" "${JAIL_CONFIG}" - sed -i '' "s|${_if_epaira}|e${uniq_epair_bridge}b_${NEWNAME}|g" "${JAIL_CONFIG}" + sed -i '' "s|${_if_epaira}|e${uniq_epair_bridge}a_${NEWNAME}|g" "${JAIL_CONFIG}" sed -i '' "s|${_if_epairb}|e${uniq_epair_bridge}b_${NEWNAME}|g" "${JAIL_CONFIG}" sed -i '' "s|e${uniq_epair}a_${TARGET} ether.*:.*:.*:.*:.*:.*a\";|e${uniq_epair}a_${NEWNAME} ether ${macaddr}a\";|" "${JAIL_CONFIG}" sed -i '' "s|e${uniq_epair}b_${TARGET} ether.*:.*:.*:.*:.*:.*b\";|e${uniq_epair}b_${NEWNAME} ether ${macaddr}b\";|" "${JAIL_CONFIG}" From 037186febce933738bea908840f0377a3b603574 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 29 Dec 2024 18:25:09 -0700 Subject: [PATCH 07/96] update --- usr/local/share/bastille/network.sh | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 6d4b9e40..24fa7576 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh 
@@ -162,7 +162,7 @@ add_vnet_interface_block() { local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" local _if_count="$(grep -Eo 'epair[0-9]+|bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" local _if_vnet_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l | awk '{print $1}')" - local _if_vnet=$((_if_vnet_count + 1)) + local _if_vnet="vnet$((_if_vnet_count + 1))" local num_range=$((_if_count + 1)) for _num in $(seq 0 "${num_range}"); do if ! grep -Eq "epair${_num}|bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then @@ -185,8 +185,13 @@ add_vnet_interface_block() { EOF # add config to /etc/rc.conf - bastille sysrc ${_jailname} ifconfig_e0b_${uniq_epair}_name="vnet${_num}" - bastille sysrc ${_jailname} ifconfig_vnet${_num}=" inet ${_ip} " + bastille sysrc ${_jailname} ifconfig_e0b_${uniq_epair}_name="${_if_vnet}" + # If 0.0.0.0 set DHCP, else set static IP address + if [ "${_ip}" = "0.0.0.0" ]; then + sysrc -f "${bastille_jail_rc_conf}" ifconfig_${_if_vnet}="SYNCDHCP" + else + sysrc -f "${bastille_jail_rc_conf}" ifconfig_${_if_vnet}=" inet ${_ip} " + fi info "[${_jailname}]:" echo "Added interface: \"${_if}\"" @@ -226,8 +231,13 @@ add_bridge_interface_block() { EOF # Add config to /etc/rc.conf - bastille sysrc ${_jailname} ifconfig_e${uniq_epair}b_${_jailname}_name="vnet${_num}" - bastille sysrc ${_jailname} ifconfig_vnet${_num}=" inet ${_ip} " + bastille sysrc ${_jailname} ifconfig_e${uniq_epair}b_${_jailname}_name="${_if_vnet}" + # If 0.0.0.0 set DHCP, else set static IP address + if [ "${_ip}" = "0.0.0.0" ]; then + sysrc -f "${bastille_jail_rc_conf}" ifconfig_${_if_vnet}="SYNCDHCP" + else + sysrc -f "${bastille_jail_rc_conf}" ifconfig_${_if_vnet}=" inet ${_ip} " + fi info "[${_jailname}]:" echo "Added interface: \"${_if}\"" From 3a9f56d3ac5c32bf43fb0298707a03af9c3730fe Mon Sep 17 00:00:00 2001 
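Review bot: The new `sysrc -f "${bastille_jail_rc_conf}"` calls in the second and third hunks reference a variable that network.sh never sets — the path in these functions is `_jail_rc_config`, visible at the top of the first hunk — so `-f` receives an empty string, and depending on how sysrc treats that the write either fails or lands in the host's own rc.conf; this needs verifying before merge. Change both to `sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}=…`, or keep the `bastille sysrc ${_jailname}` form used on the line above so the two writes are consistent. The `_if_vnet` derivation in the first hunk is also fragile: `grep -Eo 'vnet[1-9]+'` truncates `vnet10` to `vnet1`, and `count + 1` is not necessarily free when numbering has gaps (with `vnet1` and `vnet3` present it yields `vnet3` again); probing `ifconfig_vnetN` for the first unused N, as the epair loop already does for `bastilleN`, would be safer.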
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 30 Dec 2024 12:17:26 -0700 Subject: [PATCH 08/96] keep better track of interfaces --- usr/local/share/bastille/common.sh | 45 +++++++++++++++++++----------- 1 file changed, 29 insertions(+), 16 deletions(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index b080a1a6..5f29ec44 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -83,7 +83,7 @@ generate_static_mac() { local jail_name="${1}" local external_interface="${2}" local macaddr_prefix="$(ifconfig ${external_interface} | grep ether | awk '{print $2}' | cut -d':' -f1-3)" - local macaddr_suffix="$(echo -n ${jail_name} | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" + local macaddr_suffix="$(echo -n "${external_interface}${jail_name}" | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" if [ -z "${macaddr_prefix}" ] || [ -z "${macaddr_suffix}" ]; then error_notify "Failed to generate MAC address." fi 
@@ -92,26 +92,39 @@ generate_static_mac() { } generate_vnet_jail_netblock() { - local jail_name="$1" - local use_unique_bridge="$2" - local external_interface="$3" + local jail_name="${1}" + local use_unique_bridge="${2}" + local external_interface="${3}" generate_static_mac "${jail_name}" "${external_interface}" ## determine number of containers + 1 ## iterate num and grep all jail configs ## define uniq_epair - local _if_count="$(grep -Eo 'epair[0-9]+|bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" - local num_range=$((_if_count + 1)) - if [ "${_if_count}" -gt 0 ]; then - for _num in $(seq 0 "${num_range}"); do - if ! grep -Eq "epair${_num}|bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then - local uniq_epair="bastille${_num}" - local uniq_epair_bridge="${_num}" - break - fi - done + local _epair_if_count="$(grep -Eos 'epair[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local _vnet_if_count="$(grep -Eos 'bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local epair_num_range=$((_epair_if_count + 1)) + local vnet_num_range=$((_vnet_if_count + 1)) + if [ -n "${use_unique_bridge}" ]; then + if [ "${_epair_if_count}" -gt 0 ]; then + for _num in $(seq 0 "${epair_num_range}"); do + if ! grep -Eosq "epair${_num}" ${bastille_jailsdir}/*/jail.conf; then + local uniq_epair_bridge="${_num}" + break + fi + done + else + local uniq_epair_bridge="0" + fi else - local uniq_epair="bastille0" - local uniq_epair_bridge="0" + if [ "${_vnet_if_count}" -gt 0 ]; then + for _num in $(seq 0 "${vnet_num_range}"); do + if ! grep -Eosq "bastillle${_num}" ${bastille_jailsdir}/*/jail.conf; then + local uniq_epair="${_num}" + break + fi + done + else + local uniq_epair="bastille0" + fi fi if [ -n "${use_unique_bridge}" ]; then ## generate bridge config From 85c12f368bdfe594514188f26a5d3ec9fa3cb3c9 Mon Sep 17 00:00:00 2001 
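Review bot: The VNET branch probes `grep -Eosq "bastillle${_num}"` with a misspelt name (three `l`), so the grep never matches, `_num=0` is always selected, and every VNET jail after the first is given `bastille0` again. Fix the spelling: `if ! grep -Eosq "bastille${_num}" ${bastille_jailsdir}/*/jail.conf; then`. The two branches also disagree on what `uniq_epair` holds — `"${_num}"` in the loop versus `"bastille0"` in the fallback — where the removed code consistently used `bastille${_num}`; the loop should set `local uniq_epair="bastille${_num}"` (the rest of `generate_vnet_jail_netblock`, which consumes it, lies outside the hunk). As in the clone loop, the probe is an unanchored substring test, so `bastille1` counts as taken whenever `bastille10` exists; that is harmless for allocation but worth a comment.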
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 30 Dec 2024 12:18:11 -0700 Subject: [PATCH 09/96] keep better track of interfaces --- usr/local/share/bastille/clone.sh | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index 519e4874..f2b6da8f 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -107,10 +107,10 @@ update_jailconf_vnet() { # Determine number of interfaces and define a uniq_epair local _if_list="$(grep -Eo 'epair[0-9]+|bastille[0-9]+' ${JAIL_CONFIG} | sort -u)" for _if in ${_if_list}; do - local _if_count="$(grep -Eo 'epair[0-9]+|bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local _if_count="$(grep -Eo 'epair[0-9]+|bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf 2>/dev/null | sort -u | wc -l | awk '{print $1}')" local num_range=$((_if_count + 1)) for _num in $(seq 0 "${num_range}"); do - if ! grep -Eo "epair${_num}|bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then + if ! grep -Eoq "epair${_num}|bastille${_num}" ${bastille_jailsdir}/*/jail.conf; then local uniq_epair="bastille${_num}" local uniq_epair_bridge="${_num}" # since we don't have access to the external_interface variable, we cat the jail.conf file to retrieve the mac prefix 
@@ -119,41 +119,44 @@ update_jailconf_vnet() { local macaddr_suffix="$(echo -n ${NEWNAME} | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" local macaddr="${macaddr_prefix}:${macaddr_suffix}" # Update the exec.* with uniq_epair when cloning jails. - # for VNET jails - if echo ${_if} 2>/dev/null | grep -Eo 'bastille[0-9]+'; then + # for VNET interfaces + if echo ${_if} 2>/dev/null | grep -Eoq 'bastille[0-9]+'; then + local _if_vnet="$(grep ${_if} "${bastille_jail_rc_conf}" | grep -Eo "vnet[0-9]+")" sed -i '' "s|${_if}|${uniq_epair}|g" "${JAIL_CONFIG}" sed -i '' "s|${uniq_epair} ether.*:.*:.*:.*:.*:.*a\";|${uniq_epair} ether ${macaddr}a\";|" "${JAIL_CONFIG}" sed -i '' "s|${uniq_epair} ether.*:.*:.*:.*:.*:.*b\";|${uniq_epair} ether ${macaddr}b\";|" "${JAIL_CONFIG}" sed -i '' "s|exec.prestart += \"ifconfig.*${uniq_epair}.*description.*|exec.prestart += \"ifconfig e0a_${uniq_epair} description \\\\\"vnet host interface for Bastille jail ${NEWNAME}\\\\\"\";|" "${JAIL_CONFIG}" # Update /etc/rc.conf sed -i '' "s|ifconfig_e0b_${_if}_name|ifconfig_e0b_${uniq_epair}_name|" "${bastille_jail_rc_conf}" - if grep -q vnet0 "${bastille_jail_rc_conf}" | grep -q ${uniq_epair}; then + if grep "vnet0" "${bastille_jail_rc_conf}" | grep -q ${uniq_epair}; then if [ "${IP}" = "0.0.0.0" ]; then sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP" else sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0=" inet ${IP} " fi else - sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet${_num}="SYNCDHCP" + sysrc -f "${bastille_jail_rc_conf}" ifconfig_${_if_vnet}="SYNCDHCP" fi - elif echo ${_if} 2>/dev/null | grep -Eo 'epair[0-9]+'; then + # for bridged VNET interfaces + elif echo ${_if} 2>/dev/null | grep -Eoq 'epair[0-9]+'; then local _if_epaira="$(grep "${_if}" ${JAIL_CONFIG} | grep -Eo "e[0-9]+a_${TARGET}")" local _if_epairb="$(grep "${_if}" ${JAIL_CONFIG} | grep -Eo "e[0-9]+b_${TARGET}")" + local _if_vnet="$(grep ${_if_epairb} 
"${bastille_jail_rc_conf}" | grep -Eo "vnet[0-9]+")" sed -i '' "s|${_if}|epair${uniq_epair_bridge}|g" "${JAIL_CONFIG}" sed -i '' "s|${_if_epaira}|e${uniq_epair_bridge}a_${NEWNAME}|g" "${JAIL_CONFIG}" sed -i '' "s|${_if_epairb}|e${uniq_epair_bridge}b_${NEWNAME}|g" "${JAIL_CONFIG}" sed -i '' "s|e${uniq_epair}a_${TARGET} ether.*:.*:.*:.*:.*:.*a\";|e${uniq_epair}a_${NEWNAME} ether ${macaddr}a\";|" "${JAIL_CONFIG}" sed -i '' "s|e${uniq_epair}b_${TARGET} ether.*:.*:.*:.*:.*:.*b\";|e${uniq_epair}b_${NEWNAME} ether ${macaddr}b\";|" "${JAIL_CONFIG}" # Update /etc/rc.conf - sed -i '' "s|${_if_epairb}|e${uniq_epair_bridge}b_${NEWNAME}_name|" "${bastille_jail_rc_conf}" - if grep -q "vnet0" "${bastille_jail_rc_conf}" | grep -q "e${uniq_epair_bridge}b_${NEWNAME}_name"; then + sed -i '' "s|${_if_epairb}_name|e${uniq_epair_bridge}b_${NEWNAME}_name|" "${bastille_jail_rc_conf}" + if grep "vnet0" "${bastille_jail_rc_conf}" | grep -q "e${uniq_epair_bridge}b_${NEWNAME}_name"; then if [ "${IP}" = "0.0.0.0" ]; then sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP" else sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}" fi else - sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet${_num}="SYNCDHCP" + sysrc -f "${bastille_jail_rc_conf}" ifconfig_${_if_vnet}="SYNCDHCP" fi fi break From 453c4c102880466a93b31abc2820cd59a55cfadb Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 30 Dec 2024 12:18:36 -0700 Subject: [PATCH 10/96] update --- usr/local/share/bastille/network.sh | 37 +++++++++++------------------ 1 file changed, 14 insertions(+), 23 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 24fa7576..40f9e3fb 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh 
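Review bot: `_if_vnet` is taken from `grep ${_if} "${bastille_jail_rc_conf}" | grep -Eo "vnet[0-9]+"`, an unquoted, unanchored substring match: `bastille1` also hits the `bastille10` line, so the value can hold several `vnetN` tokens separated by newlines, and when nothing matches it is empty and the later `sysrc ... ifconfig_${_if_vnet}=` writes a variable literally named `ifconfig_`. The same applies to `grep ${_if_epairb}` in the epair branch, where an empty `_if_epairb` turns the rc.conf path into the pattern. Anchoring on the rc.conf key avoids both: `local _if_vnet="$(grep "^ifconfig_e0b_${_if}_name=" "${bastille_jail_rc_conf}" | grep -Eo "vnet[0-9]+")"`, followed by a `[ -n "${_if_vnet}" ]` guard before the sysrc call. The enclosing function starts before and continues after this hunk.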
@@ -37,7 +37,6 @@ usage() { cat << EOF Options: - -f | --force Start the jail it it is stopped. -r | --restart Restart jail on completion. -v | --vnet Adds a VNET interface to an existing jail. -b | --bridge Adds a bridged VNET interface to an existing jail. @@ -106,12 +105,12 @@ set_target_single "${TARGET}" validate_ip() { local ip="${1}" - local ip6="$( echo "${ip}" | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$)|SLAAC)' )" + local ip6="$( echo "${ip}" 2>/dev/null | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$)|SLAAC)' )" if [ -n "${ip6}" ]; then info "Valid: (${ip6})." else local IFS - if echo "${ip}" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then + if echo "${ip}" 2>/dev/null | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then TEST_IP=$(echo "${ip}" | cut -d / -f1) IFS=. set ${TEST_IP} @@ -129,8 +128,7 @@ validate_ip() { validate_netif() { local _interface="${1}" - local _list_interfaces="$(ifconfig -l)" - if echo "${_list_interfaces} VNET" | grep -qwo "${_interface}"; then + if ifconfig -l | grep -qwo ${_interface}; then info "Valid: (${_interface})." else error_exit "Invalid: (${_interface})." 
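Review bot: In `validate_netif`, `ifconfig -l | grep -qwo ${_interface}` treats the user-supplied name as an unquoted regular expression: an empty argument leaves grep without a pattern, and a value containing regex metacharacters such as `.` can pass validation without naming a real interface, after which the add_* functions write it verbatim into jail.conf. Matching the name as a fixed whole word, `if ifconfig -l | grep -qwF -- "${_interface}"; then`, or asking the system directly, `if ifconfig "${_interface}" >/dev/null 2>&1; then`, closes that gap. Note also that the removed `VNET` pseudo-entry is no longer accepted; if any caller still passes it, that call now fails validation.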
@@ -160,12 +158,12 @@ add_vnet_interface_block() { local _ip="${3}" local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" - local _if_count="$(grep -Eo 'epair[0-9]+|bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local _if_count="$(grep -Eo 'bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" local _if_vnet_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l | awk '{print $1}')" local _if_vnet="vnet$((_if_vnet_count + 1))" local num_range=$((_if_count + 1)) for _num in $(seq 0 "${num_range}"); do - if ! grep -Eq "epair${_num}|bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then + if ! grep -Eq "bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then local uniq_epair="bastille${_num}" break fi @@ -185,12 +183,12 @@ add_vnet_interface_block() { EOF # add config to /etc/rc.conf - bastille sysrc ${_jailname} ifconfig_e0b_${uniq_epair}_name="${_if_vnet}" + sysrc -f "${_jail_rc_config}" ifconfig_e0b_${uniq_epair}_name="${_if_vnet}" # If 0.0.0.0 set DHCP, else set static IP address if [ "${_ip}" = "0.0.0.0" ]; then - sysrc -f "${bastille_jail_rc_conf}" ifconfig_${_if_vnet}="SYNCDHCP" + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" else - sysrc -f "${bastille_jail_rc_conf}" ifconfig_${_if_vnet}=" inet ${_ip} " + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}=" inet ${_ip} " fi info "[${_jailname}]:" 
@@ -203,12 +201,12 @@ add_bridge_interface_block() { local _ip="${3}" local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" - local _if_count="$(grep -Eo 'epair[0-9]+|bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local _if_count="$(grep -Eo 'epair[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" local _if_vnet_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l | awk '{print $1}')" - local _if_vnet=$((_if_vnet_count + 1)) + local _if_vnet=vnet$((_if_vnet_count + 1)) local num_range=$((_if_count + 1)) for _num in $(seq 0 "${num_range}"); do - if ! grep -Eq "epair${_num}|bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then + if ! grep -Eq "epair${_num}" "${bastille_jailsdir}"/*/jail.conf; then local uniq_epair="${_num}" break fi @@ -231,12 +229,12 @@ add_bridge_interface_block() { EOF # Add config to /etc/rc.conf - bastille sysrc ${_jailname} ifconfig_e${uniq_epair}b_${_jailname}_name="${_if_vnet}" + sysrc -f "${_jail_rc_config}" ifconfig_e${uniq_epair}b_${_jailname}_name="${_if_vnet}" # If 0.0.0.0 set DHCP, else set static IP address if [ "${_ip}" = "0.0.0.0" ]; then - sysrc -f "${bastille_jail_rc_conf}" ifconfig_${_if_vnet}="SYNCDHCP" + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" else - sysrc -f "${bastille_jail_rc_conf}" ifconfig_${_if_vnet}=" inet ${_ip} " + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}=" inet ${_ip} " fi info "[${_jailname}]:" @@ -333,12 +331,6 @@ remove_bridge_interface_block() { case "${ACTION}" in add) - check_target_is_running "${TARGET}" || if [ "${FORCE}" -eq 1 ]; then - bastille start "${TARGET}" - else - error_notify "Jail is not running." - error_exit "Use [-f|--force] to force start the jail." - fi validate_netconf validate_netif "${INTERFACE}" if check_interface_added "${TARGET}" "${INTERFACE}"; then 
@@ -388,4 +380,3 @@ case "${ACTION}" in error_exit "Only [add|remove] are supported." ;; esac - From 3976b4f9ccc925237999e6066be9c29473c66027 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 30 Dec 2024 16:52:36 -0700 Subject: [PATCH 11/96] fix static mac --- usr/local/share/bastille/common.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 5f29ec44..c57d9419 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -82,8 +82,9 @@ check_target_is_running() { generate_static_mac() { local jail_name="${1}" local external_interface="${2}" - local macaddr_prefix="$(ifconfig ${external_interface} | grep ether | awk '{print $2}' | cut -d':' -f1-3)" - local macaddr_suffix="$(echo -n "${external_interface}${jail_name}" | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" + local external_interface_mac="$(ifconfig ${external_interface} | grep ether | awk '{print $2}' | sed 's#:##g')" + local macaddr_prefix="$(echo -n "${external_interface_mac}" | sha256 | cut -b -6 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" + local macaddr_suffix="$(echo -n "${jail_name}" | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" if [ -z "${macaddr_prefix}" ] || [ -z "${macaddr_suffix}" ]; then error_notify "Failed to generate MAC address." fi From 78949415ec8199d8ead1ae9ee1d257114ce53f9a Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 30 Dec 2024 16:55:38 -0700 Subject: [PATCH 12/96] force add --- usr/local/share/bastille/network.sh | 34 ++++++++++++++++++----------- 1 file changed, 21 insertions(+), 13 deletions(-) 
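Review bot: The new `macaddr_prefix` is the first six hex digits of a sha256 digest, so its first octet is arbitrary: about half the time the low bit is 1, which is the multicast bit and makes the address invalid as a unicast source address, and the locally-administered bit is not guaranteed to be set either. The removed code kept the real OUI of the external interface, which never had this problem. Clamping the first octet fixes it: `local _hash="$(echo -n "${external_interface_mac}" | sha256 | cut -b -6)"`, `local _octet1="$(printf '%02x' $(( (0x$(echo "${_hash}" | cut -b -2) & 0xfe) | 0x02 )))"`, `local macaddr_prefix="${_octet1}:$(echo "${_hash}" | cut -b 3-4):$(echo "${_hash}" | cut -b 5-6)"`. `ifconfig ${external_interface}` on the first added line should also be quoted. The function continues past the end of the hunk.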
diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 40f9e3fb..56940a66 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -37,7 +37,8 @@ usage() { cat << EOF Options: - -r | --restart Restart jail on completion. + -f | --force Stop the jail if it is running. + -s | --start Start jail on completion. -v | --vnet Adds a VNET interface to an existing jail. -b | --bridge Adds a bridged VNET interface to an existing jail. @@ -47,7 +48,7 @@ EOF # Handle options. FORCE=0 -RESTART=0 +START=0 VNET_JAIL=0 BRIDGE_VNET_JAIL=0 while [ "$#" -gt 0 ]; do @@ -60,14 +61,14 @@ while [ "$#" -gt 0 ]; do shift ;; -r|--restart) - RESTART=1 + START=1 shift ;; - -v|--vnet) + -v|-V|--vnet) VNET_JAIL=1 shift ;; - -b|--bridge) + -b|-B|--bridge) BRIDGE_VNET_JAIL=1 shift ;; @@ -102,6 +103,12 @@ IP="${4}" bastille_root_check set_target_single "${TARGET}" +check_target_is_stopped "${TARGET}" || if [ "${FORCE}" -eq 1 ]; then + bastille stop "${TARGET}" +else + error_notify "Jail is running." + error_continue "Use [-f|--force] to force stop the jail." +fi validate_ip() { local ip="${1}" @@ -342,8 +349,8 @@ case "${ACTION}" in error_exit "\"${INTERFACE}\" is a bridge interface." else add_vnet_interface_block "${TARGET}" "${INTERFACE}" "${IP}" - if [ "${RESTART}" -eq 1 ]; then - bastille restart "${TARGET}" + if [ "${START}" -eq 1 ]; then + bastille start "${TARGET}" fi fi elif [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; then @@ -351,8 +358,8 @@ case "${ACTION}" in error_exit "\"${INTERFACE}\" is not a bridge interface." else add_bridge_interface_block "${TARGET}" "${INTERFACE}" "${IP}" - if [ "${RESTART}" -eq 1 ]; then - bastille restart "${TARGET}" + if [ "${START}" -eq 1 ]; then + bastille start "${TARGET}" fi fi fi 
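Review bot: The usage text now advertises `-s | --start`, but the case arm still matches `-r|--restart` and no arm accepts `-s` or `--start`, so the documented flag presumably falls through to the unknown-option branch. Change the arm to `-s|--start)` so the parser agrees with the help text. The option loop starts before and continues after this hunk.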
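Review bot: `check_target_is_stopped` is called at top level here, but nothing in this commit defines it (in this series it is added to common.sh only in patch 14/96), so at this revision the call fails with a command-not-found status and the `||` branch runs on every invocation: with `-f` a stopped jail gets a needless `bastille stop`, without it the script reports "Jail is running" regardless of state. The bail-out also uses `error_continue`, which presumably returns rather than exits, so a running jail without `-f` would still have its jail.conf rewritten by the code below. Either add the helper in the same commit or reuse the existing one: `if check_target_is_running "${TARGET}"; then` with `error_exit "Use [-f|--force] to force stop the jail."` in the else path.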
@@ -365,13 +372,13 @@ case "${ACTION}" in else if grep "${INTERFACE}" ${bastille_jailsdir}/${TARGET}/jail.conf 2>/dev/null | grep -qE '[[:blank:]]bastille[0-9]+'; then remove_vnet_interface_block "${TARGET}" "${INTERFACE}" - if [ "${RESTART}" -eq 1 ]; then - bastille restart "${TARGET}" + if [ "${START}" -eq 1 ]; then + bastille start "${TARGET}" fi elif grep "${INTERFACE}" ${bastille_jailsdir}/${TARGET}/jail.conf 2>/dev/null | grep -qE '[[:blank:]]epair[0-9]+'; then remove_bridge_interface_block "${TARGET}" "${INTERFACE}" - if [ "${RESTART}" -eq 1 ]; then - bastille restart "${TARGET}" + if [ "${START}" -eq 1 ]; then + bastille start "${TARGET}" fi fi fi @@ -380,3 +387,4 @@ case "${ACTION}" in error_exit "Only [add|remove] are supported." ;; esac + From c46b033da10a7b54f12b78ebff5955fb44556c05 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 30 Dec 2024 16:56:24 -0700 Subject: [PATCH 13/96] Update clone.sh --- usr/local/share/bastille/clone.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index f2b6da8f..be9f9e08 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -103,7 +103,6 @@ update_jailconf() { update_jailconf_vnet() { bastille_jail_rc_conf="${bastille_jailsdir}/${NEWNAME}/root/etc/rc.conf" - # Determine number of interfaces and define a uniq_epair local _if_list="$(grep -Eo 'epair[0-9]+|bastille[0-9]+' ${JAIL_CONFIG} | sort -u)" for _if in ${_if_list}; do From 4c8bb692ddaf3a6737a4b1ea466b4ca61b41bfff Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 30 Dec 2024 17:13:58 -0700 Subject: [PATCH 14/96] Add stopped function --- usr/local/share/bastille/common.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index c57d9419..f181cad8 100644 
--- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -79,6 +79,15 @@ check_target_is_running() { fi } +check_target_is_stopped() { + local _TARGET="${1}" + if [ "$(/usr/sbin/jls name | awk "/^${_TARGET}$/")" ]; then + return 1 + else + return 0 + fi +} + generate_static_mac() { local jail_name="${1}" local external_interface="${2}" From 0c3d484307e412e8f425b516ad7341077da39166 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 1 Jan 2025 21:15:53 -0700 Subject: [PATCH 15/96] Implement -m switch for optional static MAC --- usr/local/share/bastille/network.sh | 157 ++++++++++++++++++++++++---- 1 file changed, 134 insertions(+), 23 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 56940a66..ee27665e 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh 
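Review bot: `awk "/^${_TARGET}$/"` interpolates the jail name into an awk regular expression, so a name containing regex metacharacters (`.`, `+`, `(`) is mis-matched or makes awk fail; a literal comparison is safer and clearer: `if [ -n "$(/usr/sbin/jls name | awk -v t="${_TARGET}" '$0 == t')" ]; then`. The new function is also the exact negation of `check_target_is_running` immediately above it; if that function performs the same jls lookup, `! check_target_is_running "${_TARGET}"` at the call sites avoids maintaining two copies of the test.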
@@ -32,35 +32,44 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_notify "Usage: bastille network [option(s)] TARGET [remove INTERFACE] [add INTERFACE IP_ADDRESS]" - + error_notify "Usage: bastille network [option(s)] TARGET [remove|add] INTERFACE [IP_ADDRESS]" cat << EOF Options: - -f | --force Stop the jail if it is running. - -s | --start Start jail on completion. - -v | --vnet Adds a VNET interface to an existing jail. - -b | --bridge Adds a bridged VNET interface to an existing jail. + -b | --bridge Add a bridged VNET interface to an existing jail. + -f | --force Stop the jail if it is running. + -m | --static-mac Generate a static MAC address for the interface. + -s | --start Start jail on completion. + -v | --vnet Add a VNET interface to an existing jail. EOF exit 1 } # Handle options. +BRIDGE_VNET_JAIL=0 FORCE=0 +STATIC_MAC=0 START=0 VNET_JAIL=0 -BRIDGE_VNET_JAIL=0 while [ "$#" -gt 0 ]; do case "${1}" in -h|--help|help) usage ;; + -b|-B|--bridge) + BRIDGE_VNET_JAIL=1 + shift + ;; -f|--force) FORCE=1 shift ;; - -r|--restart) + -m|--static-mac) + STATIC_MAC=1 + shift + ;; + -s|--start) START=1 shift ;; @@ -68,13 +77,18 @@ while [ "$#" -gt 0 ]; do VNET_JAIL=1 shift ;; - -b|-B|--bridge) - BRIDGE_VNET_JAIL=1 - shift - ;; -*) - error_notify "Unknown Option: \"${1}\"" - usage + for _o in $(echo ${1} | sed 's/-//g' | fold -w1); do + case ${_o} in + b|B) BRIDGE_VNET_JAIL=1 ;; + f) FORCE=1 ;; + m) STATIC_MAC=1 ;; + s) START=1 ;; + v|V) VNET_JAIL=1 ;; + *) error_exit "Unknown Option: \"${1}\"" ;; + esac + done + shift ;; *) break @@ -82,6 +96,11 @@ while [ "$#" -gt 0 ]; do esac done +TARGET="${1}" +ACTION="${2}" +INTERFACE="${3}" +IP="${4}" + if [ "${ACTION}" = "add" ]; then if [ "${VNET_JAIL}" -eq 1 ] && [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; then error_notify "Error: [-v|-V|--vnet] and [-b|-B|--bridge] cannot both be set." 
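Review bot: The new `-*)` arm strips every dash with `sed 's/-//g'` and splits what is left into single letters, so an unrecognised long option such as `--bfs` is silently accepted as the bundle `-b -f -s` instead of being rejected. Adding `--*) error_exit "Unknown Option: \"${1}\"" ;;` ahead of the `-*)` arm restricts bundling to single-dash groups, and `printf '%s' "${1}"` in place of the unquoted `echo ${1}` keeps the value intact. The while loop starts before this hunk.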
@@ -96,18 +115,13 @@ if [ "$#" -lt 2 ] || [ "$#" -gt 4 ]; then usage fi -TARGET="${1}" -ACTION="${2}" -INTERFACE="${3}" -IP="${4}" - bastille_root_check set_target_single "${TARGET}" check_target_is_stopped "${TARGET}" || if [ "${FORCE}" -eq 1 ]; then bastille stop "${TARGET}" else error_notify "Jail is running." - error_continue "Use [-f|--force] to force stop the jail." + error_exit "Use [-f|--force] to force stop the jail." fi validate_ip() { 
@@ -182,6 +196,47 @@ add_vnet_interface_block() { ## ${uniq_epair} interface vnet.interface += e0b_${uniq_epair}; exec.prestart += "jib addm ${uniq_epair} ${_if}"; + exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${_jailname}\""; + exec.poststop += "jib destroy ${uniq_epair}"; +} +EOF + + # add config to /etc/rc.conf + sysrc -f "${_jail_rc_config}" ifconfig_e0b_${uniq_epair}_name="${_if_vnet}" + # If 0.0.0.0 set DHCP, else set static IP address + if [ "${_ip}" = "0.0.0.0" ]; then + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" + else + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}=" inet ${_ip} " + fi + + info "[${_jailname}]:" + echo "Added interface: \"${_if}\"" +} + +add_vnet_interface_block_static_mac() { + local _jailname="${1}" + local _if="${2}" + local _ip="${3}" + local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" + local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" + local _if_count="$(grep -Eo 'bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local _if_vnet_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l | awk '{print $1}')" + local _if_vnet="vnet$((_if_vnet_count + 1))" + local num_range=$((_if_count + 1)) + for _num in $(seq 0 "${num_range}"); do + if ! grep -Eq "bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then + local uniq_epair="bastille${_num}" + break + fi + done + generate_static_mac "${_jailname}" "${_if}" + sed -i '' "s|}||" "${_jail_config}" + ## generate config + cat << EOF >> "${_jail_config}" + ## ${uniq_epair} interface + vnet.interface += e0b_${uniq_epair}; + exec.prestart += "jib addm ${uniq_epair} ${_if}"; exec.prestart += "ifconfig e0a_${uniq_epair} ether ${macaddr}a"; exec.prestart += "ifconfig e0b_${uniq_epair} ether ${macaddr}b"; exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${_jailname}\""; 
@@ -228,6 +283,50 @@ add_bridge_interface_block() { exec.prestart += "ifconfig ${_if} addm epair${uniq_epair}a"; exec.prestart += "ifconfig epair${uniq_epair}a up name e${uniq_epair}a_${_jailname}"; exec.prestart += "ifconfig epair${uniq_epair}b up name e${uniq_epair}b_${_jailname}"; + exec.poststop += "ifconfig ${_if} deletem e${uniq_epair}a_${_jailname}"; + exec.poststop += "ifconfig e${uniq_epair}a_${_jailname} destroy"; +} +EOF + + # Add config to /etc/rc.conf + sysrc -f "${_jail_rc_config}" ifconfig_e${uniq_epair}b_${_jailname}_name="${_if_vnet}" + # If 0.0.0.0 set DHCP, else set static IP address + if [ "${_ip}" = "0.0.0.0" ]; then + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" + else + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}=" inet ${_ip} " + fi + + info "[${_jailname}]:" + echo "Added interface: \"${_if}\"" +} + +add_bridge_interface_block_static_mac() { + local _jailname="${1}" + local _if="${2}" + local _ip="${3}" + local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" + local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" + local _if_count="$(grep -Eo 'epair[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local _if_vnet_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l | awk '{print $1}')" + local _if_vnet=vnet$((_if_vnet_count + 1)) + local num_range=$((_if_count + 1)) + for _num in $(seq 0 "${num_range}"); do + if ! 
grep -Eq "epair${_num}" "${bastille_jailsdir}"/*/jail.conf; then + local uniq_epair="${_num}" + break + fi + done + generate_static_mac "${_jailname}" "${_if}" + sed -i '' "s|}||" "${_jail_config}" + ## generate config + cat << EOF >> "${_jail_config}" + ## epair${uniq_epair} interface + vnet.interface += e${uniq_epair}b_${_jailname}; + exec.prestart += "ifconfig epair${uniq_epair} create"; + exec.prestart += "ifconfig ${_if} addm epair${uniq_epair}a"; + exec.prestart += "ifconfig epair${uniq_epair}a up name e${uniq_epair}a_${_jailname}"; + exec.prestart += "ifconfig epair${uniq_epair}b up name e${uniq_epair}b_${_jailname}"; exec.prestart += "ifconfig e${uniq_epair}a_${_jailname} ether ${macaddr}a"; exec.prestart += "ifconfig e${uniq_epair}b_${_jailname} ether ${macaddr}b"; exec.poststop += "ifconfig ${_if} deletem e${uniq_epair}a_${_jailname}"; @@ -343,12 +442,20 @@ case "${ACTION}" in if check_interface_added "${TARGET}" "${INTERFACE}"; then error_exit "Interface is already added: \"${INTERFACE}\"" fi - validate_ip "${IP}" + if [ -z "${IP}" ] || [ "${IP}" = "0.0.0.0" ]; then + IP="SYNCDHCP" + else + validate_ip "${IP}" + fi if [ "${VNET_JAIL}" -eq 1 ]; then if ifconfig | grep "${INTERFACE}" | grep -q bridge; then error_exit "\"${INTERFACE}\" is a bridge interface." else - add_vnet_interface_block "${TARGET}" "${INTERFACE}" "${IP}" + if [ "${STATIC_MAC}" -eq 1 ]; then + add_vnet_interface_block_static_mac "${TARGET}" "${INTERFACE}" "${IP}" + else + add_vnet_interface_block "${TARGET}" "${INTERFACE}" "${IP}" + fi if [ "${START}" -eq 1 ]; then bastille start "${TARGET}" fi 
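Review bot: When `IP` is empty or `0.0.0.0` this hunk rewrites it to `SYNCDHCP`, but `add_vnet_interface_block`, `add_bridge_interface_block` and the `_static_mac` copies added in the same commit only treat `0.0.0.0` as DHCP and otherwise write `ifconfig_${_if_vnet}=" inet ${_ip} "`, so a DHCP request lands in rc.conf as `inet SYNCDHCP`. Either keep `IP="0.0.0.0"` here, or have the functions accept both spellings: `if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "SYNCDHCP" ]; then`. The case arm continues outside this hunk.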
@@ -357,7 +464,11 @@ case "${ACTION}" in if ! ifconfig | grep "${INTERFACE}" | grep -q bridge; then error_exit "\"${INTERFACE}\" is not a bridge interface." else - add_bridge_interface_block "${TARGET}" "${INTERFACE}" "${IP}" + if [ "${STATIC_MAC}" -eq 1 ]; then + add_bridge_interface_block_static_mac "${TARGET}" "${INTERFACE}" "${IP}" + else + add_bridge_interface_block "${TARGET}" "${INTERFACE}" "${IP}" + fi if [ "${START}" -eq 1 ]; then bastille start "${TARGET}" fi From 0120f460d5f9b7a54d55750dcc24013d2168f011 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 1 Jan 2025 21:17:51 -0700 Subject: [PATCH 16/96] _o -> _opt --- usr/local/share/bastille/network.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index ee27665e..16a5dcbd 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -78,8 +78,8 @@ while [ "$#" -gt 0 ]; do shift ;; -*) - for _o in $(echo ${1} | sed 's/-//g' | fold -w1); do - case ${_o} in + for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do + case ${_opt} in b|B) BRIDGE_VNET_JAIL=1 ;; f) FORCE=1 ;; m) STATIC_MAC=1 ;; From e5b5f8443f445251bb9c2c713bb0df368dfb84e5 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 2 Jan 2025 17:02:14 -0700 Subject: [PATCH 17/96] code cleanup: STATIC_MAC --- usr/local/share/bastille/network.sh | 150 ++++++++-------------------- 1 file changed, 43 insertions(+), 107 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 16a5dcbd..bf220dc2 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -65,7 +65,7 @@ while [ "$#" -gt 0 ]; do FORCE=1 shift ;; - -m|--static-mac) + -m|-M|--static-mac) STATIC_MAC=1 shift ;; 
@@ -78,11 +78,11 @@ while [ "$#" -gt 0 ]; do shift ;; -*) - for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do - case ${_opt} in + for _o in $(echo ${1} 2>/dev/null | sed 's/-//g' | fold -w1); do + case ${_o} in b|B) BRIDGE_VNET_JAIL=1 ;; f) FORCE=1 ;; - m) STATIC_MAC=1 ;; + m|M) STATIC_MAC=1 ;; s) START=1 ;; v|V) VNET_JAIL=1 ;; *) error_exit "Unknown Option: \"${1}\"" ;; 
@@ -189,51 +189,12 @@ add_vnet_interface_block() { break fi done - generate_static_mac "${_jailname}" "${_if}" sed -i '' "s|}||" "${_jail_config}" - ## generate config - cat << EOF >> "${_jail_config}" - ## ${uniq_epair} interface - vnet.interface += e0b_${uniq_epair}; - exec.prestart += "jib addm ${uniq_epair} ${_if}"; - exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${_jailname}\""; - exec.poststop += "jib destroy ${uniq_epair}"; -} -EOF - - # add config to /etc/rc.conf - sysrc -f "${_jail_rc_config}" ifconfig_e0b_${uniq_epair}_name="${_if_vnet}" - # If 0.0.0.0 set DHCP, else set static IP address - if [ "${_ip}" = "0.0.0.0" ]; then - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" - else - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}=" inet ${_ip} " - fi - - info "[${_jailname}]:" - echo "Added interface: \"${_if}\"" -} - -add_vnet_interface_block_static_mac() { - local _jailname="${1}" - local _if="${2}" - local _ip="${3}" - local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" - local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" - local _if_count="$(grep -Eo 'bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" - local _if_vnet_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l | awk '{print $1}')" - local _if_vnet="vnet$((_if_vnet_count + 1))" - local num_range=$((_if_count + 1)) - for _num in $(seq 0 "${num_range}"); do - if ! 
grep -Eq "bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then - local uniq_epair="bastille${_num}" - break - fi - done - generate_static_mac "${_jailname}" "${_if}" - sed -i '' "s|}||" "${_jail_config}" - ## generate config - cat << EOF >> "${_jail_config}" + # Generate VNET block + if [ "${STATIC_MAC}" -eq 1 ]; then + # Generate NETBLOCK with static MAC + generate_static_mac "${_jailname}" "${_if}" + cat << EOF >> "${_jail_config}" ## ${uniq_epair} interface vnet.interface += e0b_${uniq_epair}; exec.prestart += "jib addm ${uniq_epair} ${_if}"; @@ -243,8 +204,19 @@ add_vnet_interface_block_static_mac() { exec.poststop += "jib destroy ${uniq_epair}"; } EOF + else + # Generate NETBLOCK without static MAC + cat << EOF >> "${_jail_config}" + ## ${uniq_epair} interface + vnet.interface += e0b_${uniq_epair}; + exec.prestart += "jib addm ${uniq_epair} ${_if}"; + exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${_jailname}\""; + exec.poststop += "jib destroy ${uniq_epair}"; +} +EOF + fi - # add config to /etc/rc.conf + # Add config to /etc/rc.conf sysrc -f "${_jail_rc_config}" ifconfig_e0b_${uniq_epair}_name="${_if_vnet}" # If 0.0.0.0 set DHCP, else set static IP address if [ "${_ip}" = "0.0.0.0" ]; then @@ -254,7 +226,7 @@ EOF fi info "[${_jailname}]:" - echo "Added interface: \"${_if}\"" + echo "Added VNET interface: \"${_if}\"" } add_bridge_interface_block() { 
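Review bot: `add_vnet_interface_block` now branches on the global `STATIC_MAC` inside the function while every other input arrives as a parameter, which makes the function harder to reuse and to test in isolation; passing the flag as a fourth argument, `local _static_mac="${4:-0}"`, keeps the contract explicit. The two heredocs differ only in the two `ether` lines, so a single heredoc with those lines held in a variable that is empty when no static MAC is requested would halve the block. The enclosing function starts before this hunk.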
@@ -273,54 +245,12 @@ add_bridge_interface_block() { break fi done - generate_static_mac "${_jailname}" "${_if}" sed -i '' "s|}||" "${_jail_config}" - ## generate config - cat << EOF >> "${_jail_config}" - ## epair${uniq_epair} interface - vnet.interface += e${uniq_epair}b_${_jailname}; - exec.prestart += "ifconfig epair${uniq_epair} create"; - exec.prestart += "ifconfig ${_if} addm epair${uniq_epair}a"; - exec.prestart += "ifconfig epair${uniq_epair}a up name e${uniq_epair}a_${_jailname}"; - exec.prestart += "ifconfig epair${uniq_epair}b up name e${uniq_epair}b_${_jailname}"; - exec.poststop += "ifconfig ${_if} deletem e${uniq_epair}a_${_jailname}"; - exec.poststop += "ifconfig e${uniq_epair}a_${_jailname} destroy"; -} -EOF - - # Add config to /etc/rc.conf - sysrc -f "${_jail_rc_config}" ifconfig_e${uniq_epair}b_${_jailname}_name="${_if_vnet}" - # If 0.0.0.0 set DHCP, else set static IP address - if [ "${_ip}" = "0.0.0.0" ]; then - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" - else - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}=" inet ${_ip} " - fi - - info "[${_jailname}]:" - echo "Added interface: \"${_if}\"" -} - -add_bridge_interface_block_static_mac() { - local _jailname="${1}" - local _if="${2}" - local _ip="${3}" - local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" - local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" - local _if_count="$(grep -Eo 'epair[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" - local _if_vnet_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l | awk '{print $1}')" - local _if_vnet=vnet$((_if_vnet_count + 1)) - local num_range=$((_if_count + 1)) - for _num in $(seq 0 "${num_range}"); do - if ! 
grep -Eq "epair${_num}" "${bastille_jailsdir}"/*/jail.conf; then - local uniq_epair="${_num}" - break - fi - done - generate_static_mac "${_jailname}" "${_if}" - sed -i '' "s|}||" "${_jail_config}" - ## generate config - cat << EOF >> "${_jail_config}" + # Generate bridged VNET block + if [ "${STATIC_MAC}" -eq 1 ]; then + # Generate NETBLOCK with static MAC + generate_static_mac "${_jailname}" "${_if}" + cat << EOF >> "${_jail_config}" ## epair${uniq_epair} interface vnet.interface += e${uniq_epair}b_${_jailname}; exec.prestart += "ifconfig epair${uniq_epair} create"; @@ -333,6 +263,20 @@ add_bridge_interface_block_static_mac() { exec.poststop += "ifconfig e${uniq_epair}a_${_jailname} destroy"; } EOF + else + # Generate NETBLOCK without static MAC + cat << EOF >> "${_jail_config}" + ## epair${uniq_epair} interface + vnet.interface += e${uniq_epair}b_${_jailname}; + exec.prestart += "ifconfig epair${uniq_epair} create"; + exec.prestart += "ifconfig ${_if} addm epair${uniq_epair}a"; + exec.prestart += "ifconfig epair${uniq_epair}a up name e${uniq_epair}a_${_jailname}"; + exec.prestart += "ifconfig epair${uniq_epair}b up name e${uniq_epair}b_${_jailname}"; + exec.poststop += "ifconfig ${_if} deletem e${uniq_epair}a_${_jailname}"; + exec.poststop += "ifconfig e${uniq_epair}a_${_jailname} destroy"; +} +EOF + fi # Add config to /etc/rc.conf sysrc -f "${_jail_rc_config}" ifconfig_e${uniq_epair}b_${_jailname}_name="${_if_vnet}" @@ -451,11 +395,7 @@ case "${ACTION}" in if ifconfig | grep "${INTERFACE}" | grep -q bridge; then error_exit "\"${INTERFACE}\" is a bridge interface." else - if [ "${STATIC_MAC}" -eq 1 ]; then - add_vnet_interface_block_static_mac "${TARGET}" "${INTERFACE}" "${IP}" - else - add_vnet_interface_block "${TARGET}" "${INTERFACE}" "${IP}" - fi + add_vnet_interface_block "${TARGET}" "${INTERFACE}" "${IP}" if [ "${START}" -eq 1 ]; then bastille start "${TARGET}" fi 
@@ -464,11 +404,7 @@ case "${ACTION}" in if ! ifconfig | grep "${INTERFACE}" | grep -q bridge; then error_exit "\"${INTERFACE}\" is not a bridge interface." else - if [ "${STATIC_MAC}" -eq 1 ]; then - add_bridge_interface_block_static_mac "${TARGET}" "${INTERFACE}" "${IP}" - else - add_bridge_interface_block "${TARGET}" "${INTERFACE}" "${IP}" - fi + add_bridge_interface_block "${TARGET}" "${INTERFACE}" "${IP}" if [ "${START}" -eq 1 ]; then bastille start "${TARGET}" fi From 8e5edbcd1f7aa1bc704b41e3dfa535ee4b48c001 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 3 Jan 2025 07:32:00 -0700 Subject: [PATCH 18/96] network: merge functions as opposed to separate Merge add/remove functions to avoid having unnecessarily long code blocks and functions. --- usr/local/share/bastille/network.sh | 276 +++++++++++----------------- 1 file changed, 105 insertions(+), 171 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index bf220dc2..2a252465 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh 
@@ -166,139 +166,129 @@ check_interface_added() { local _jailname="${1}" local _if="${2}" local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" - if grep -o "${_if}" "${_jail_config}"; then + if grep -qo "${_if}" "${_jail_config}"; then return 0 else return 1 fi } -add_vnet_interface_block() { +add_interface() { local _jailname="${1}" local _if="${2}" local _ip="${3}" local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" - local _if_count="$(grep -Eo 'bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" - local _if_vnet_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l | awk '{print $1}')" - local _if_vnet="vnet$((_if_vnet_count + 1))" - local num_range=$((_if_count + 1)) - for _num in $(seq 0 "${num_range}"); do - if ! grep -Eq "bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then - local uniq_epair="bastille${_num}" - break - fi - done - sed -i '' "s|}||" "${_jail_config}" - # Generate VNET block - if [ "${STATIC_MAC}" -eq 1 ]; then - # Generate NETBLOCK with static MAC - generate_static_mac "${_jailname}" "${_if}" - cat << EOF >> "${_jail_config}" - ## ${uniq_epair} interface - vnet.interface += e0b_${uniq_epair}; - exec.prestart += "jib addm ${uniq_epair} ${_if}"; - exec.prestart += "ifconfig e0a_${uniq_epair} ether ${macaddr}a"; - exec.prestart += "ifconfig e0b_${uniq_epair} ether ${macaddr}b"; - exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${_jailname}\""; - exec.poststop += "jib destroy ${uniq_epair}"; -} -EOF - else - # Generate NETBLOCK without static MAC - cat << EOF >> "${_jail_config}" - ## ${uniq_epair} interface - vnet.interface += e0b_${uniq_epair}; - exec.prestart += "jib addm ${uniq_epair} ${_if}"; - exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${_jailname}\""; - exec.poststop += "jib destroy 
${uniq_epair}"; -} -EOF - fi - - # Add config to /etc/rc.conf - sysrc -f "${_jail_rc_config}" ifconfig_e0b_${uniq_epair}_name="${_if_vnet}" - # If 0.0.0.0 set DHCP, else set static IP address - if [ "${_ip}" = "0.0.0.0" ]; then - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" - else - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}=" inet ${_ip} " - fi - - info "[${_jailname}]:" - echo "Added VNET interface: \"${_if}\"" -} - -add_bridge_interface_block() { - local _jailname="${1}" - local _if="${2}" - local _ip="${3}" - local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" - local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" - local _if_count="$(grep -Eo 'epair[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" - local _if_vnet_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l | awk '{print $1}')" - local _if_vnet=vnet$((_if_vnet_count + 1)) - local num_range=$((_if_count + 1)) - for _num in $(seq 0 "${num_range}"); do + local _epair_if_count="$(grep -Eo 'epair[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local _bastille_if_count="$(grep -Eo 'bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local _vnet_if_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l | awk '{print $1}')" + local _if_vnet="vnet$((_vnet_if_count + 1))" + local epair_num_range=$((_epair_if_count + 1)) + local bastille_num_range=$((_bastille_if_count + 1)) + if [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; then + for _num in $(seq 0 "${epair_num_range}"); do if ! 
grep -Eq "epair${_num}" "${bastille_jailsdir}"/*/jail.conf; then - local uniq_epair="${_num}" + local bridge_epair="epair${_num}" break fi done - sed -i '' "s|}||" "${_jail_config}" - # Generate bridged VNET block - if [ "${STATIC_MAC}" -eq 1 ]; then - # Generate NETBLOCK with static MAC - generate_static_mac "${_jailname}" "${_if}" - cat << EOF >> "${_jail_config}" - ## epair${uniq_epair} interface - vnet.interface += e${uniq_epair}b_${_jailname}; - exec.prestart += "ifconfig epair${uniq_epair} create"; - exec.prestart += "ifconfig ${_if} addm epair${uniq_epair}a"; - exec.prestart += "ifconfig epair${uniq_epair}a up name e${uniq_epair}a_${_jailname}"; - exec.prestart += "ifconfig epair${uniq_epair}b up name e${uniq_epair}b_${_jailname}"; - exec.prestart += "ifconfig e${uniq_epair}a_${_jailname} ether ${macaddr}a"; - exec.prestart += "ifconfig e${uniq_epair}b_${_jailname} ether ${macaddr}b"; - exec.poststop += "ifconfig ${_if} deletem e${uniq_epair}a_${_jailname}"; - exec.poststop += "ifconfig e${uniq_epair}a_${_jailname} destroy"; + # Remove ending brace (it is added again with the netblock) + sed -i '' '/}/d' "${_jail_config}" + if [ "${STATIC_MAC}" -eq 1 ]; then + # Generate NETBLOCK with static MAC + generate_static_mac "${_jailname}" "${_if}" + cat << EOF >> "${_jail_config}" + ## ${bridge_epair} interface + vnet.interface += ${bridge_epair}b; + exec.prestart += "ifconfig ${bridge_epair} create"; + exec.prestart += "ifconfig ${_if} addm ${bridge_epair}a"; + exec.prestart += "ifconfig ${bridge_epair}a ether ${macaddr}a"; + exec.prestart += "ifconfig ${bridge_epair}b ether ${macaddr}b"; + exec.prestart += "ifconfig ${bridge_epair}a description \"vnet host interface for Bastille jail ${jail_name}\""; + exec.poststop += "ifconfig ${_if} deletem ${bridge_epair}a"; + exec.poststop += "ifconfig ${bridge_epair}a destroy"; } EOF - else - # Generate NETBLOCK without static MAC - cat << EOF >> "${_jail_config}" - ## epair${uniq_epair} interface - vnet.interface += 
e${uniq_epair}b_${_jailname}; - exec.prestart += "ifconfig epair${uniq_epair} create"; - exec.prestart += "ifconfig ${_if} addm epair${uniq_epair}a"; - exec.prestart += "ifconfig epair${uniq_epair}a up name e${uniq_epair}a_${_jailname}"; - exec.prestart += "ifconfig epair${uniq_epair}b up name e${uniq_epair}b_${_jailname}"; - exec.poststop += "ifconfig ${_if} deletem e${uniq_epair}a_${_jailname}"; - exec.poststop += "ifconfig e${uniq_epair}a_${_jailname} destroy"; + else + # Generate NETBLOCK without static MAC + cat << EOF >> "${_jail_config}" + ## ${bridge_epair} interface + vnet.interface += ${bridge_epair}b; + exec.prestart += "ifconfig ${bridge_epair} create"; + exec.prestart += "ifconfig ${_if} addm ${bridge_epair}a"; + exec.prestart += "ifconfig ${bridge_epair}a description \"vnet host interface for Bastille jail ${jail_name}\""; + exec.poststop += "ifconfig ${_if} deletem ${bridge_epair}a"; + exec.poststop += "ifconfig ${bridge_epair}a destroy"; } EOF - fi + fi + # Add config to /etc/rc.conf + sysrc -f "${_jail_rc_config}" ifconfig_${bridge_epair}b_name="${_if_vnet}" + # If 0.0.0.0 set DHCP, else set static IP address + if [ "${_ip}" = "0.0.0.0" ]; then + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" + else + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}=" inet ${_ip} " + fi - # Add config to /etc/rc.conf - sysrc -f "${_jail_rc_config}" ifconfig_e${uniq_epair}b_${_jailname}_name="${_if_vnet}" - # If 0.0.0.0 set DHCP, else set static IP address - if [ "${_ip}" = "0.0.0.0" ]; then - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" - else - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}=" inet ${_ip} " - fi + info "[${_jailname}]:" + echo "Added interface: \"${_if}\"" - info "[${_jailname}]:" - echo "Added interface: \"${_if}\"" + elif [ "${VNET_JAIL}" -eq 1 ]; then + for _num in $(seq 0 "${bastille_num_range}"); do + if ! 
grep -Eq "bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then + local bastille_epair="bastille${_num}" + break + fi + done + # Remove ending brace (it is added again with the netblock) + sed -i '' '/}/d' "${_jail_config}" + if [ "${STATIC_MAC}" -eq 1 ]; then + # Generate NETBLOCK with static MAC + generate_static_mac "${_jailname}" "${_if}" + cat << EOF >> "${_jail_config}" + ## ${bastille_epair} interface + vnet.interface += e0b_${bastille_epair}; + exec.prestart += "jib addm ${bastille_epair} ${_if}"; + exec.prestart += "ifconfig e0a_${bastille_epair} ether ${macaddr}a"; + exec.prestart += "ifconfig e0b_${bastille_epair} ether ${macaddr}b"; + exec.prestart += "ifconfig e0a_${bastille_epair} description \"vnet host interface for Bastille jail ${_jailname}\""; + exec.poststop += "jib destroy ${bastille_epair}"; +} +EOF + else + # Generate NETBLOCK without static MAC + cat << EOF >> "${_jail_config}" + ## ${bastille_epair} interface + vnet.interface += e0b_${bastille_epair}; + exec.prestart += "jib addm ${bastille_epair} ${_if}"; + exec.prestart += "ifconfig e0a_${bastille_epair} description \"vnet host interface for Bastille jail ${_jailname}\""; + exec.poststop += "jib destroy ${bastille_epair}"; +} +EOF + fi + # Add config to /etc/rc.conf + sysrc -f "${_jail_rc_config}" ifconfig_e0b_${bastille_epair}_name="${_if_vnet}" + # If 0.0.0.0 set DHCP, else set static IP address + if [ "${_ip}" = "0.0.0.0" ]; then + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" + else + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}=" inet ${_ip} " + fi + + info "[${_jailname}]:" + echo "Added VNET interface: \"${_if}\"" + fi } -remove_vnet_interface_block() { +remove_interface() { local _jailname="${1}" local _if="${2}" local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" - local _if_jail="$(grep "${_if}" ${_jail_config} | grep -Eo 'bastille[0-9]+')" + local _if_jail="$(grep 
${_if} ${_jail_config} | grep -Eo -m 1 'epair[0-9]+|bastille[0-9]+')" if grep -o "${_if_jail}" ${_jail_rc_config}; then - local _if_vnet="$(grep "${_if_jail}" ${_jail_rc_config} | grep -Eo 'vnet[0-9]+')" + local _if_vnet="$(grep ${_if_jail} ${_jail_rc_config} | grep -Eo 'vnet[0-9]+')" else error_exit "Interface not found: ${_if_jail}" fi 
@@ -310,67 +300,19 @@ remove_vnet_interface_block() { # Avoid removing entire file contents if variables aren't set for some reason if [ -z "${_if_jail}" ]; then - error_exit "Error: Could not find specifed interfaces. Exiting..." + error_exit "Error: Could not find specifed interface." fi # Remove interface from jail.conf if [ -n "${_if_jail}" ]; then - sed -i '' "s|.*${_if_jail}.*||" "${_jail_config}" - sed -i '' '/^$/d' "${_jail_config}" + sed -i '' "/.*${_if_jail}.*/d" "${_jail_config}" else error_exit "Failed to remove interface from jail.conf" fi # Remove interface from /etc/rc.conf if [ -n "${_if_vnet}" ] && echo ${_if_vnet} 2>/dev/null | grep -Eo 'vnet[0-9]+'; then - sed -i '' "s|.*${_if_vnet}.*||" "${_jail_rc_config}" - sed -i '' '/^$/d' "${_jail_rc_config}" - else - error_exit "Failed to remove interface from /etc/rc.conf" - fi - - info "[${_jailname}]:" - echo "Removed interface: \"${_if}\"" -} - -remove_bridge_interface_block() { - local _jailname="${1}" - local _if="${2}" - local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" - local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" - local _if_epair="$(grep "${_if}" ${_jail_config} | grep -Eo 'epair[0-9]+')" - local _if_epaira_name="$(grep "${_if_epair}" ${_jail_config} | grep -Eo "e[0-9]+a_${_jailname}")" - local _if_epairb_name="$(grep "${_if_epair}" ${_jail_config} | grep -Eo "e[0-9]+b_${_jailname}")" - if grep -o "${_if_epairb_name}" ${_jail_rc_config}; then - local _if_vnet="$(grep "${_if_epairb_name}" ${_jail_rc_config} | grep -Eo 'vnet[0-9]+')" - else - error_exit "Interface not found: ${_if_epair_name}" - fi - - # Do not allow removing default vnet0 interface - if [ "${_if_vnet}" = "vnet0" ]; then - error_exit "Default interface cannot be removed." 
- fi - - # Avoid removing entire file contents if variables aren't set for some reason - if [ -z "${_if_epair}" ] || [ -z "${_if_epaira_name}" ] || [ -z "${_if_epairb_name}" ] || [ -z "${_if_vnet}" ]; then - error_exit "Error: Could not find specifed interfaces. Exiting..." - fi - - # Remove interface from jail.conf - if [ -n "${_if_epair}" ] && [ -n "${_if_epaira_name}" ] && [ -n "${_if_epairb_name}" ] && [ -n "${_if_vnet}" ]; then - sed -i '' "s|.*${_if_epair}.*||" "${_jail_config}" - sed -i '' "s|.*${_if_epaira_name}.*||" "${_jail_config}" - sed -i '' "s|.*${_if_epairb_name}.*||" "${_jail_config}" - sed -i '' '/^$/d' "${_jail_config}" - else - error_exit "Failed to remove interface from jail.conf" - fi - - # Remove interface from /etc/rc.conf - if [ -n "${_if_vnet}" ] && echo ${_if_vnet} 2>/dev/null | grep -Eo 'vnet[0-9]+'; then - sed -i '' "s|ifconfig.*${_if_vnet}.*||" "${_jail_rc_config}" - sed -i '' '/^$/d' "${_jail_rc_config}" + sed -i '' "/.*${_if_vnet}.*/d" "${_jail_rc_config}" else error_exit "Failed to remove interface from /etc/rc.conf" fi @@ -392,19 +334,19 @@ case "${ACTION}" in validate_ip "${IP}" fi if [ "${VNET_JAIL}" -eq 1 ]; then - if ifconfig | grep "${INTERFACE}" | grep -q bridge; then + if ifconfig | grep "${INTERFACE}" 2>/dev/null | grep -q bridge; then error_exit "\"${INTERFACE}\" is a bridge interface." else - add_vnet_interface_block "${TARGET}" "${INTERFACE}" "${IP}" + add_interface "${TARGET}" "${INTERFACE}" "${IP}" if [ "${START}" -eq 1 ]; then bastille start "${TARGET}" fi fi elif [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; then - if ! ifconfig | grep "${INTERFACE}" | grep -q bridge; then + if ! ifconfig | grep "${INTERFACE}" 2>/dev/null | grep -q bridge; then error_exit "\"${INTERFACE}\" is not a bridge interface." else - add_bridge_interface_block "${TARGET}" "${INTERFACE}" "${IP}" + add_interface "${TARGET}" "${INTERFACE}" "${IP}" if [ "${START}" -eq 1 ]; then bastille start "${TARGET}" fi 
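Review bot: `sed -i '' "/.*${_if_jail}.*/d"` and `sed -i '' "/.*${_if_vnet}.*/d"` match by unanchored substring, so removing `epair1` also deletes every line belonging to `epair10`..`epair19` (and `vnet1` removes `vnet10` and up) from a jail that has that many interfaces. In the lines these functions generate the name is always followed by a non-digit (`a`, `b`, `;`, `"`, `=` or a space), so `sed -i '' "/${_if_jail}[^0-9]/d" "${_jail_config}"` and `sed -i '' "/${_if_vnet}[^0-9]/d" "${_jail_rc_config}"` select only the intended interface. The same two patterns are carried unchanged into patch 20's remove_interface (`@@ -278` hunk).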
@@ -417,16 +359,9 @@ case "${ACTION}" in
 if ! grep -q "${INTERFACE}" ${bastille_jailsdir}/${TARGET}/jail.conf; then
 error_exit "Interface not found in jail.conf: \"${INTERFACE}\""
 else
- if grep "${INTERFACE}" ${bastille_jailsdir}/${TARGET}/jail.conf 2>/dev/null | grep -qE '[[:blank:]]bastille[0-9]+'; then
- remove_vnet_interface_block "${TARGET}" "${INTERFACE}"
- if [ "${START}" -eq 1 ]; then
- bastille start "${TARGET}"
- fi
- elif grep "${INTERFACE}" ${bastille_jailsdir}/${TARGET}/jail.conf 2>/dev/null | grep -qE '[[:blank:]]epair[0-9]+'; then
- remove_bridge_interface_block "${TARGET}" "${INTERFACE}"
- if [ "${START}" -eq 1 ]; then
- bastille start "${TARGET}"
- fi
+ remove_interface "${TARGET}" "${INTERFACE}"
+ if [ "${START}" -eq 1 ]; then
+ bastille start "${TARGET}"
 fi
 fi
 ;;
@@ -434,4 +369,3 @@ case "${ACTION}" in
 error_exit "Only [add|remove] are supported."
 ;;
 esac
-
From bc85f505299742e6a18bc674a27d3f6a6c195c48 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Fri, 3 Jan 2025 07:42:02 -0700
Subject: [PATCH 19/96] network: Fix jail name variable
--- usr/local/share/bastille/network.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh
index 2a252465..24180c9e 100644
--- a/usr/local/share/bastille/network.sh
+++ b/usr/local/share/bastille/network.sh
@@ -204,7 +204,7 @@ add_interface() {
 exec.prestart += "ifconfig ${_if} addm ${bridge_epair}a";
 exec.prestart += "ifconfig ${bridge_epair}a ether ${macaddr}a";
 exec.prestart += "ifconfig ${bridge_epair}b ether ${macaddr}b";
- exec.prestart += "ifconfig ${bridge_epair}a description \"vnet host interface for Bastille jail ${jail_name}\"";
+ exec.prestart += "ifconfig ${bridge_epair}a description \"vnet host interface for Bastille jail ${_jailname}\"";
 exec.poststop += "ifconfig ${_if} deletem ${bridge_epair}a";
 exec.poststop += "ifconfig ${bridge_epair}a destroy";
 }
@@ -216,7 +216,7 @@ EOF
 vnet.interface += ${bridge_epair}b;
 exec.prestart += "ifconfig ${bridge_epair} create";
 exec.prestart += "ifconfig ${_if} addm ${bridge_epair}a";
- exec.prestart += "ifconfig ${bridge_epair}a description \"vnet host interface for Bastille jail ${jail_name}\"";
+ exec.prestart += "ifconfig ${bridge_epair}a description \"vnet host interface for Bastille jail ${_jailname}\"";
 exec.poststop += "ifconfig ${_if} deletem ${bridge_epair}a";
 exec.poststop += "ifconfig ${bridge_epair}a destroy";
 }
From 8263aafa15f6fbe9d587c08a17033b479f86aa8d Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Fri, 3 Jan 2025 13:25:27 -0700
Subject: [PATCH 20/96] network: support add/remove from classic jails
--- usr/local/share/bastille/network.sh | 114 +++++++++++++++++++--------- 1 file changed, 80 insertions(+), 34 deletions(-)
diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh
index 24180c9e..d140345e 100644
--- a/usr/local/share/bastille/network.sh
+++ b/usr/local/share/bastille/network.sh
@@ -37,6 +37,7 @@ usage() {
 Options:
 -b | --bridge Add a bridged VNET interface to an existing jail.
+ -c | --classic Add an interface to a classic (non_VNET) jail.
 -f | --force Stop the jail if it is running.
 -m | --static-mac Generate a static MAC address for the interface.
 -s | --start Start jail on completion.
@@ -48,6 +49,7 @@ EOF
 # Handle options.
 BRIDGE_VNET_JAIL=0
+CLASSIC_JAIL=0
 FORCE=0
 STATIC_MAC=0
 START=0
@@ -61,7 +63,11 @@ while [ "$#" -gt 0 ]; do
 BRIDGE_VNET_JAIL=1
 shift
 ;;
- -f|--force)
+ -c|--classic)
+ CLASSIC_JAIL=1
+ shift
+ ;;
+ -f|--force)
 FORCE=1
 shift
 ;;
@@ -81,6 +87,7 @@ while [ "$#" -gt 0 ]; do
 for _o in $(echo ${1} 2>/dev/null | sed 's/-//g' | fold -w1); do
 case ${_o} in
 b|B) BRIDGE_VNET_JAIL=1 ;;
+ c) CLASSIC_JAIL=1 ;;
 f) FORCE=1 ;;
 m|M) STATIC_MAC=1 ;;
 s) START=1 ;;
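Review bot: The new usage line for `-c` reads `non_VNET` where the rest of the help text hyphenates such compounds; `-c | --classic Add an interface to a classic (non-VNET) jail.` matches the surrounding entries. This is the only underscore form in the usage block, so it reads as a typo rather than a term.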
@@ -102,11 +109,13 @@ INTERFACE="${3}"
 IP="${4}"
 if [ "${ACTION}" = "add" ]; then
- if [ "${VNET_JAIL}" -eq 1 ] && [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; then
- error_notify "Error: [-v|-V|--vnet] and [-b|-B|--bridge] cannot both be set."
+ if { [ "${VNET_JAIL}" -eq 1 ] && [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; } || \
+ { [ "${VNET_JAIL}" -eq 1 ] && [ "${CLASSIC_JAIL}" -eq 1 ]; } || \
+ { [ "${CLASSIC_JAIL}" -eq 1 ] && [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; } then
+ error_notify "Error: Only one of [-b|-B|--bridge], [-c|--classic] or [-v|-V|--vnet] should be set."
 usage
- elif [ "${VNET_JAIL}" -eq 0 ] && [ "${BRIDGE_VNET_JAIL}" -eq 0 ]; then
- error_notify "Error: [-v|-V|--vnet] or [-b|-B|--bridge] must be set."
+ elif [ "${VNET_JAIL}" -eq 0 ] && [ "${BRIDGE_VNET_JAIL}" -eq 0 ] && [ "${CLASSIC_JAIL}" -eq 0 ]; then
+ error_notify "Error: [-c|--classic], [-b|-B|--bridge] or [-v|-V|--vnet] must be set."
 usage
 fi
 fi
@@ -125,10 +134,12 @@ else
 fi
 validate_ip() {
+ IP6_ENABLE=0
 local ip="${1}"
 local ip6="$( echo "${ip}" 2>/dev/null | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$)|SLAAC)' )"
 if [ -n "${ip6}" ]; then
 info "Valid: (${ip6})."
+ IP6_ENABLE=1
 else
 local IFS
 if echo "${ip}" 2>/dev/null | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then
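Review bot: The three-way exclusivity test spelled out on the new `if { ... } || \` lines is hard to scan and has to gain another clause for every mode added; since the flags are 0/1 integers, `if [ $((VNET_JAIL + BRIDGE_VNET_JAIL + CLASSIC_JAIL)) -gt 1 ]; then` states "more than one mode selected" in one line, and the following `elif` becomes the same sum compared with `-eq 0`. The two error messages stay as they are.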
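Review bot: `IP6_ENABLE=0` is assigned inside validate_ip without `local`, so it is a global that only exists once validate_ip has run, yet the classic branch of add_interface (this patch's `@@ -278` hunk) tests `[ "${IP6_ENABLE}" -eq 1 ]`; the `validate_ip "${IP}"` call at `@@ -334` sits inside a conditional whose test is outside this view, and on any path that skips it the comparison becomes `[ "" -eq 1 ]`, which sh rejects as a non-integer. Initialising the flag with the other option flags, `IP6_ENABLE=0` next to `CLASSIC_JAIL=0`, and letting validate_ip only raise it to 1 removes the ordering dependency. A one-line comment on the function noting that it sets `IP6_ENABLE` as a side effect would also help, since nothing in the name suggests it.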
@@ -278,45 +289,70 @@ EOF info "[${_jailname}]:" echo "Added VNET interface: \"${_if}\"" + + elif [ "${CLASSIC_JAIL}" -eq 1 ]; then + if [ "${IP6_ENABLE}" -eq 1 ]; then + sed -i '' "s/interface = .*/&\n ip6.addr += ${_if}|${_ip};/" ${_jail_config} + else + sed -i '' "s/interface = .*/&\n ip4.addr += ${_if}|${_ip};/" ${_jail_config} + fi fi + + info "[${_jailname}]:" + echo "Added interface: \"${_if}\"" } remove_interface() { local _jailname="${1}" local _if="${2}" local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" - local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" - local _if_jail="$(grep ${_if} ${_jail_config} | grep -Eo -m 1 'epair[0-9]+|bastille[0-9]+')" - if grep -o "${_if_jail}" ${_jail_rc_config}; then - local _if_vnet="$(grep ${_if_jail} ${_jail_rc_config} | grep -Eo 'vnet[0-9]+')" - else - error_exit "Interface not found: ${_if_jail}" - fi + # Skip next block in case of classic jail + if [ "$(bastille config ${TARGET} get vnet)" != "not set" ]; then + local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" + local _if_jail="$(grep ${_if} ${_jail_config} | grep -Eo -m 1 'epair[0-9]+|bastille[0-9]+')" + + if grep -o "${_if_jail}" ${_jail_rc_config}; then + local _if_vnet="$(grep ${_if_jail} ${_jail_rc_config} | grep -Eo 'vnet[0-9]+')" + else + error_exit "Interface not found: ${_if_jail}" + fi - # Do not allow removing default vnet0 interface - if [ "${_if_vnet}" = "vnet0" ]; then - error_exit "Default interface cannot be removed." - fi + # Do not allow removing default vnet0 interface + if [ "${_if_vnet}" = "vnet0" ]; then + error_exit "Default interface cannot be removed." + fi - # Avoid removing entire file contents if variables aren't set for some reason - if [ -z "${_if_jail}" ]; then - error_exit "Error: Could not find specifed interface." 
- fi - - # Remove interface from jail.conf - if [ -n "${_if_jail}" ]; then - sed -i '' "/.*${_if_jail}.*/d" "${_jail_config}" - else - error_exit "Failed to remove interface from jail.conf" - fi + # Avoid removing entire file contents if variables aren't set for some reason + if [ -z "${_if_jail}" ]; then + error_exit "Error: Could not find specifed interface." + fi + + # Remove interface from /etc/rc.conf + if [ -n "${_if_vnet}" ] && echo ${_if_vnet} 2>/dev/null | grep -Eo 'vnet[0-9]+'; then + sed -i '' "/.*${_if_vnet}.*/d" "${_jail_rc_config}" + else + error_exit "Failed to remove interface from /etc/rc.conf" + fi - # Remove interface from /etc/rc.conf - if [ -n "${_if_vnet}" ] && echo ${_if_vnet} 2>/dev/null | grep -Eo 'vnet[0-9]+'; then - sed -i '' "/.*${_if_vnet}.*/d" "${_jail_rc_config}" + # Remove VNET interface from jail.conf (VNET) + if [ -n "${_if_jail}" ]; then + sed -i '' "/.*${_if_jail}.*/d" "${_jail_config}" + else + error_exit "Failed to remove interface from jail.conf" + fi else - error_exit "Failed to remove interface from /etc/rc.conf" + # Remove interface from jail.conf (non-VNET) + if [ -n ${_if} ]; then + if grep ${_if} ${_jail_config} 2>/dev/null | grep -qo " = "; then + error_exit "Default interface cannot be removed." + else + sed -i '' "/.*${_if}.*/d" "${_jail_config}" + fi + else + error_exit "Failed to remove interface from jail.conf" + fi fi - + info "[${_jailname}]:" echo "Removed interface: \"${_if}\"" } @@ -334,7 +370,7 @@ case "${ACTION}" in validate_ip "${IP}" fi if [ "${VNET_JAIL}" -eq 1 ]; then - if ifconfig | grep "${INTERFACE}" 2>/dev/null | grep -q bridge; then + if ifconfig | grep "${INTERFACE}" | grep -q bridge; then error_exit "\"${INTERFACE}\" is a bridge interface." else add_interface "${TARGET}" "${INTERFACE}" "${IP}" 
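Review bot: The classic-jail branch of add_interface uses `/` as the sed delimiter, `sed -i '' "s/interface = .*/&\n ip4.addr += ${_if}|${_ip};/" ${_jail_config}`, but validate_ip accepts prefix-length notation (the `\/` alternatives in its regexes), so an address such as 10.0.0.5/24 (constructed example) terminates the substitution early and sed fails or writes a truncated line. A delimiter that cannot occur in an interface name or address avoids this, e.g. `sed -i '' "s#interface = .*#&\n ip4.addr += ${_if}|${_ip};#" "${_jail_config}"` and the same for the ip6 twin; `${_jail_config}` is also unquoted on both lines. Separately, remove_interface takes `_jailname` as its parameter but queries `bastille config ${TARGET} get vnet`, mixing in the global; `"${_jailname}"` keeps the function self-contained. add_interface begins before this hunk.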
@@ -343,7 +379,7 @@ case "${ACTION}" in
 fi
 fi
 elif [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; then
- if ! ifconfig | grep "${INTERFACE}" 2>/dev/null | grep -q bridge; then
+ if ! ifconfig | grep "${INTERFACE}" | grep -q bridge; then
 error_exit "\"${INTERFACE}\" is not a bridge interface."
 else
 add_interface "${TARGET}" "${INTERFACE}" "${IP}"
@@ -351,6 +387,15 @@ case "${ACTION}" in
 bastille start "${TARGET}"
 fi
 fi
+ elif [ "${CLASSIC_JAIL}" -eq 1 ]; then
+ if [ "$(bastille config ${TARGET} get vnet)" != "not set" ]; then
+ error_exit "Error: ${TARGET} is a VNET jail."
+ else
+ add_interface "${TARGET}" "${INTERFACE}" "${IP}"
+ if [ "${START}" -eq 1 ]; then
+ bastille start "${TARGET}"
+ fi
+ fi
 fi
 ;;
 remove|delete)
@@ -369,3 +414,4 @@ case "${ACTION}" in
 error_exit "Only [add|remove] are supported."
 ;;
 esac
+
From fe7b4b73975e0a1643d2d8ff85916a05dad18c18 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Sat, 4 Jan 2025 08:28:25 -0700
Subject: [PATCH 21/96] Fix quotes
--- usr/local/share/bastille/network.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh
index d140345e..6d02acc4 100644
--- a/usr/local/share/bastille/network.sh
+++ b/usr/local/share/bastille/network.sh
@@ -342,7 +342,7 @@ remove_interface() {
 fi
 else
 # Remove interface from jail.conf (non-VNET)
- if [ -n ${_if} ]; then
+ if [ -n "${_if}" ]; then
 if grep ${_if} ${_jail_config} 2>/dev/null | grep -qo " = "; then
 error_exit "Default interface cannot be removed."
 else
From 7250522b1ea74834cc4e941f148c99bded54b0a3 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Wed, 5 Feb 2025 08:12:20 -0800
Subject: [PATCH 22/96] clone: Rebase
--- usr/local/share/bastille/clone.sh | 294 ++++++++++++++++++++---------- 1 file changed, 201 insertions(+), 93 deletions(-)
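Review bot: The quoting fix in the `Fix quotes` hunk stops one line short: the context line right below it, `if grep ${_if} ${_jail_config} 2>/dev/null | grep -qo " = "; then`, still expands `${_if}` and `${_jail_config}` unquoted, so an interface argument containing a glob character or whitespace is split before grep sees it. `if grep "${_if}" "${_jail_config}" 2>/dev/null | grep -qo " = "; then` completes the change. The same unquoted `grep ${_if} ${_jail_config}` also appears at the top of the VNET branch of remove_interface, outside this hunk.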
diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh
index 074c3c95..f3f1d8d2 100644
--- a/usr/local/share/bastille/clone.sh
+++ b/usr/local/share/bastille/clone.sh
@@ -34,33 +34,84 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille clone TARGET NEW_NAME IPADDRESS" + error_notify "Usage: bastille clone [option(s)] TARGET NEW_NAME IP_ADDRESS" + cat << EOF + Options: + + -a | --auto Auto mode. Start/stop jail(s) if required. Cannot be used with [-l|--live]. + -l | --live Clone a running jail. ZFS only. Jail must be running. Cannot be used with [-a|--auto]. + -x | --debug Enable debug mode. + +EOF + exit 1 } -# Handle special-case commands first -case "$1" in -help|-h|--help) - usage - ;; -esac +# Handle options. +AUTO=0 +LIVE=0 +while [ "$#" -gt 0 ]; do + case "${1}" in + -h|--help|help) + usage + ;; + -a|--auto) + AUTO=1 + shift + ;; + -l|--live) + if ! checkyesno bastille_zfs_enable; then + error_exit "[-l|--live] can only be used with ZFS." + else + LIVE=1 + shift + fi + ;; + -x|--debug) + enable_debug + shift + ;; + -*) + for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do + case ${_opt} in + a) AUTO=1 ;; + l) LIVE=1 ;; + x) enable_debug ;; + *) error_exit "Unknown Option: \"${1}\"" + esac + done + shift + ;; + *) + break + ;; + esac +done -if [ $# -ne 2 ]; then +if [ "${AUTO}" -eq 1 ] && [ "${LIVE}" -eq 1 ]; then + error_exit "[-a|--auto] cannot be used with [-l|--live]" +fi + +if [ $# -ne 3 ]; then usage fi -bastille_root_check +TARGET="${1}" +NEWNAME="${2}" +IP="${3}" -NEWNAME="${1}" -IP="${2}" +bastille_root_check +set_target_single "${TARGET}" + +## don't allow for dots(.) in container names +if echo "${NEWNAME}" | grep -q "[.]"; then + error_exit "Container names may not contain a dot(.)!" +fi validate_ip() { - IPX_ADDR="ip4.addr" IP6_MODE="disable" ip6=$(echo "${IP}" | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))') if [ -n "${ip6}" ]; then info "Valid: (${ip6})." - IPX_ADDR="ip6.addr" - # shellcheck disable=SC2034 IP6_MODE="new" else local IFS 
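Review bot: The combined-short-option loop under `-*)` sets `l) LIVE=1 ;;` directly and so bypasses the `checkyesno bastille_zfs_enable` guard that the `-l|--live` arm performs a few lines above; a spelling like `-lx` therefore enables live cloning on a non-ZFS host (`-al` is still caught, but only by the auto/live exclusivity check that follows). Routing it through the same test keeps both spellings consistent: `l) checkyesno bastille_zfs_enable || error_exit "[-l|--live] can only be used with ZFS."; LIVE=1 ;;`. The `*)` arm of that inner case also has no terminating `;;`; it is legal as the last arm but reads as unfinished next to the others.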
@@ -89,97 +140,158 @@ update_jailconf() { JAIL_CONFIG="${bastille_jailsdir}/${NEWNAME}/jail.conf" if [ -f "${JAIL_CONFIG}" ]; then if ! grep -qw "path = ${bastille_jailsdir}/${NEWNAME}/root;" "${JAIL_CONFIG}"; then - sed -i '' "s|host.hostname = ${TARGET};|host.hostname = ${NEWNAME};|" "${JAIL_CONFIG}" + sed -i '' "s|host.hostname = ${TARGET};|host.hostname = ${NEWNAME};|" "${JAIL_CONFIG}" sed -i '' "s|exec.consolelog = .*;|exec.consolelog = ${bastille_logsdir}/${NEWNAME}_console.log;|" "${JAIL_CONFIG}" sed -i '' "s|path = .*;|path = ${bastille_jailsdir}/${NEWNAME}/root;|" "${JAIL_CONFIG}" sed -i '' "s|mount.fstab = .*;|mount.fstab = ${bastille_jailsdir}/${NEWNAME}/fstab;|" "${JAIL_CONFIG}" sed -i '' "s|${TARGET} {|${NEWNAME} {|" "${JAIL_CONFIG}" - sed -i '' "s|${IPX_ADDR} = .*;|${IPX_ADDR} = ${IP};|" "${JAIL_CONFIG}" fi fi if grep -qw "vnet;" "${JAIL_CONFIG}"; then update_jailconf_vnet + else + _ip4="$(bastille config ${TARGET} get ip4.addr | sed 's/,/ /g')" + _ip6="$(bastille config ${TARGET} get ip6.addr | sed 's/,/ /g')" + # IP4 + if [ "${_ip4}" != "not set" ]; then + for _ip in ${_ip4}; do + if echo ${_ip} | grep -q "|"; then + _ip="$(echo ${_ip} | awk -F"|" '{print $2}')" + fi + sed -i '' "/ip4.addr = .*/ s/${_ip}/${IP}/" "${JAIL_CONFIG}" + sed -i '' "/ip4.addr += .*/ s/${_ip}/127.0.0.1/" "${JAIL_CONFIG}" + done + fi + # IP6 + if [ "${_ip6}" != "not set" ]; then + for _ip in ${_ip6}; do + if echo ${_ip} | grep -q "|"; then + _ip="$(echo ${_ip} | awk -F"|" '{print $2}')" + fi + sed -i '' "/ip6.addr = .*/ s/${_ip}/${IP}/" "${JAIL_CONFIG}" + sed -i '' "/ip6.addr += .*/ s/${_ip}/127.0.0.1/" "${JAIL_CONFIG}" + sed -i '' "s/ip6 = .*/ip6 = ${IP6_MODE};/" "${JAIL_CONFIG}" + done + fi fi } update_jailconf_vnet() { - bastille_jail_rc_conf="${bastille_jailsdir}/${NEWNAME}/root/etc/rc.conf" + local _jail_conf="${bastille_jailsdir}/${NEWNAME}/jail.conf" + local _rc_conf="${bastille_jailsdir}/${NEWNAME}/root/etc/rc.conf" # Determine number of interfaces and define a 
uniq_epair - local _if_list="$(grep -Eo 'epair[0-9]+|bastille[0-9]+' ${JAIL_CONFIG} | sort -u)" + local _if_list="$(grep -Eo 'epair[0-9]+|bastille[0-9]+' ${_jail_conf} | sort -u)" for _if in ${_if_list}; do - local _if_count="$(grep -Eo 'epair[0-9]+|bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf 2>/dev/null | sort -u | wc -l | awk '{print $1}')" - local num_range=$((_if_count + 1)) - for _num in $(seq 0 "${num_range}"); do - if ! grep -Eoq "epair${_num}|bastille${_num}" ${bastille_jailsdir}/*/jail.conf; then - local uniq_epair="bastille${_num}" - local uniq_epair_bridge="${_num}" - # since we don't have access to the external_interface variable, we cat the jail.conf file to retrieve the mac prefix - # we also do not use the main generate_static_mac function here - local macaddr_prefix="$(cat ${JAIL_CONFIG} | grep ${_if} | grep -m 1 ether | grep -oE '([0-9a-f]{2}(:[0-9a-f]{2}){5})' | awk -F: '{print $1":"$2":"$3}')" - local macaddr_suffix="$(echo -n ${NEWNAME} | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" - local macaddr="${macaddr_prefix}:${macaddr_suffix}" - # Update the exec.* with uniq_epair when cloning jails. 
- # for VNET interfaces - if echo ${_if} 2>/dev/null | grep -Eoq 'bastille[0-9]+'; then - local _if_vnet="$(grep ${_if} "${bastille_jail_rc_conf}" | grep -Eo "vnet[0-9]+")" - sed -i '' "s|${_if}|${uniq_epair}|g" "${JAIL_CONFIG}" - sed -i '' "s|${uniq_epair} ether.*:.*:.*:.*:.*:.*a\";|${uniq_epair} ether ${macaddr}a\";|" "${JAIL_CONFIG}" - sed -i '' "s|${uniq_epair} ether.*:.*:.*:.*:.*:.*b\";|${uniq_epair} ether ${macaddr}b\";|" "${JAIL_CONFIG}" - sed -i '' "s|exec.prestart += \"ifconfig.*${uniq_epair}.*description.*|exec.prestart += \"ifconfig e0a_${uniq_epair} description \\\\\"vnet host interface for Bastille jail ${NEWNAME}\\\\\"\";|" "${JAIL_CONFIG}" + local _epair_if_count="$( (grep -Eo 'epair[0-9]+' ${bastille_jailsdir}/*/jail.conf; ifconfig | grep -Eo '(e[0-9]+a|epair[0-9]+a)' ) | sort -u | wc -l | awk '{print $1}')" + local _bastille_if_count="$(grep -Eo 'bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local epair_num_range=$((_epair_if_count + 1)) + local bastille_num_range=$((_bastille_if_count + 1)) + if echo ${_if} | grep -Eoq 'epair[0-9]+'; then + # Update bridged VNET config + for _num in $(seq 0 "${epair_num_range}"); do + if ! grep -Eoq "epair${_num}" ${bastille_jailsdir}/*/jail.conf && ! 
ifconfig | grep -Eoq "(e${_num}a|epair${_num}a)"; then + # Generate new epair name + if [ "$(echo -n "e${_num}a_${NEWNAME}" | awk '{print length}')" -lt 16 ]; then + local _new_host_epair="e${_num}a_${NEWNAME}" + local _new_jail_epair="e${_num}b_${NEWNAME}" + else + local _new_host_epair="epair${_num}a" + local _new_jail_epair="epair${_num}b" + fi + # Get epair name from TARGET + if grep -Eoq "e[0-9]+a_${TARGET}" "${_jail_conf}"; then + _target_host_epair="$(grep -Eo -m 1 "e[0-9]+a_${TARGET}" "${_jail_conf}")" + _target_jail_epair="$(grep -Eo -m 1 "e[0-9]+b_${TARGET}" "${_jail_conf}")" + else + _target_host_epair="${_if}a" + _target_jail_epair="${_if}b" + fi + # Replace host epair name in jail.conf + sed -i '' "s|up name ${_target_host_epair}|up name ${_new_host_epair}|g" "${_jail_conf}" + sed -i '' "s|${_target_host_epair} ether|${_new_host_epair} ether|g" "${_jail_conf}" + sed -i '' "s|deletem ${_target_host_epair}|deletem ${_new_host_epair}|g" "${_jail_conf}" + sed -i '' "s|${_target_host_epair} destroy|${_new_host_epair} destroy|g" "${_jail_conf}" + sed -i '' "s|${_target_host_epair} description|${_new_host_epair} description|g" "${_jail_conf}" + # Replace jail epair name in jail.conf + sed -i '' "s|= ${_target_jail_epair};|= ${_new_jail_epair};|g" "${_jail_conf}" + sed -i '' "s|up name ${_target_jail_epair}|up name ${_new_jail_epair}|g" "${_jail_conf}" + sed -i '' "s|${_target_jail_epair} ether|${_new_jail_epair} ether|g" "${_jail_conf}" + # Replace epair name in jail.conf + sed -i '' "s|${_if}|epair${_num}|g" "${_jail_conf}" + # If jail had a static MAC, generate one for clone + if grep -q ether ${_jail_conf}; then + local external_interface="$(grep "epair${_num}a" ${_jail_conf} | grep -o '[^ ]* addm' | awk '{print $1}')" + generate_static_mac "${NEWNAME}" "${external_interface}" + sed -i '' "s|${_new_host_epair} ether.*:.*:.*:.*:.*:.*a\";|${_new_host_epair} ether ${macaddr}a\";|" "${_jail_conf}" + sed -i '' "s|${_new_jail_epair} 
ether.*:.*:.*:.*:.*:.*b\";|${_new_jail_epair} ether ${macaddr}b\";|" "${_jail_conf}" + fi + # Replace epair description + sed -i '' "s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" # Update /etc/rc.conf - sed -i '' "s|ifconfig_e0b_${_if}_name|ifconfig_e0b_${uniq_epair}_name|" "${bastille_jail_rc_conf}" - if grep "vnet0" "${bastille_jail_rc_conf}" | grep -q ${uniq_epair}; then + local _jail_vnet="$(grep ${_target_jail_epair} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")" + sed -i '' "s|${_target_jail_epair}_name|${_new_jail_epair}_name|" "${_rc_conf}" + if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then if [ "${IP}" = "0.0.0.0" ]; then - sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP" + sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP" else - sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0=" inet ${IP} " + sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP}" fi else - sysrc -f "${bastille_jail_rc_conf}" ifconfig_${_if_vnet}="SYNCDHCP" - fi - # for bridged VNET interfaces - elif echo ${_if} 2>/dev/null | grep -Eoq 'epair[0-9]+'; then - local _if_epaira="$(grep "${_if}" ${JAIL_CONFIG} | grep -Eo "e[0-9]+a_${TARGET}")" - local _if_epairb="$(grep "${_if}" ${JAIL_CONFIG} | grep -Eo "e[0-9]+b_${TARGET}")" - local _if_vnet="$(grep ${_if_epairb} "${bastille_jail_rc_conf}" | grep -Eo "vnet[0-9]+")" - sed -i '' "s|${_if}|epair${uniq_epair_bridge}|g" "${JAIL_CONFIG}" - sed -i '' "s|${_if_epaira}|e${uniq_epair_bridge}a_${NEWNAME}|g" "${JAIL_CONFIG}" - sed -i '' "s|${_if_epairb}|e${uniq_epair_bridge}b_${NEWNAME}|g" "${JAIL_CONFIG}" - sed -i '' "s|e${uniq_epair}a_${TARGET} ether.*:.*:.*:.*:.*:.*a\";|e${uniq_epair}a_${NEWNAME} ether ${macaddr}a\";|" "${JAIL_CONFIG}" - sed -i '' "s|e${uniq_epair}b_${TARGET} ether.*:.*:.*:.*:.*:.*b\";|e${uniq_epair}b_${NEWNAME} ether ${macaddr}b\";|" "${JAIL_CONFIG}" - # Update /etc/rc.conf - sed -i '' 
"s|${_if_epairb}_name|e${uniq_epair_bridge}b_${NEWNAME}_name|" "${bastille_jail_rc_conf}" - if grep "vnet0" "${bastille_jail_rc_conf}" | grep -q "e${uniq_epair_bridge}b_${NEWNAME}_name"; then - if [ "${IP}" = "0.0.0.0" ]; then - sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP" - else - sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}" - fi - else - sysrc -f "${bastille_jail_rc_conf}" ifconfig_${_if_vnet}="SYNCDHCP" + sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP" fi + break fi - break - fi - done + done + elif echo ${_if} | grep -Eoq 'bastille[0-9]+'; then + # Update VNET config + for _num in $(seq 0 "${bastille_num_range}"); do + if ! grep -oq "bastille${_num}" ${bastille_jailsdir}/*/jail.conf; then + # Update jail.conf epair name + local uniq_epair="bastille${_num}" + local _if_vnet="$(grep ${_if} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")" + sed -i '' "s|${_if}|${uniq_epair}|g" "${_jail_conf}" + # If jail had a static MAC, generate one for clone + if grep ether ${_jail_conf} | grep -qoc ${uniq_epair}; then + local external_interface="$(grep ${uniq_epair} ${_jail_conf} | grep -o 'addm.*' | awk '{print $3}' | sed 's/["|;]//g')" + generate_static_mac "${NEWNAME}" "${external_interface}" + sed -i '' "s|${uniq_epair} ether.*:.*:.*:.*:.*:.*a\";|${uniq_epair} ether ${macaddr}a\";|" "${_jail_conf}" + sed -i '' "s|${uniq_epair} ether.*:.*:.*:.*:.*:.*b\";|${uniq_epair} ether ${macaddr}b\";|" "${_jail_conf}" + fi + sed -i '' "s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" + # Update /etc/rc.conf + sed -i '' "s|ifconfig_e0b_${_if}_name|ifconfig_e0b_${uniq_epair}_name|" "${_rc_conf}" + if grep "vnet0" "${_rc_conf}" | grep -q ${uniq_epair}; then + if [ "${IP}" = "0.0.0.0" ]; then + sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP" + else + sysrc -f "${_rc_conf}" ifconfig_vnet0=" inet ${IP} " + fi + else + sysrc -f "${_rc_conf}" ifconfig_${_if_vnet}="SYNCDHCP" + fi + 
break + fi + done + fi done } -update_fstab() { - # Update fstab to use the new name - FSTAB_CONFIG="${bastille_jailsdir}/${NEWNAME}/fstab" - if [ -f "${FSTAB_CONFIG}" ]; then - # Update additional fstab paths with new jail path - sed -i '' "s|${bastille_jailsdir}/${TARGET}/root/|${bastille_jailsdir}/${NEWNAME}/root/|" "${FSTAB_CONFIG}" - fi -} - clone_jail() { - # Attempt container clone - info "Attempting to clone '${TARGET}' to ${NEWNAME}..." + + info "Attempting to clone ${TARGET} to ${NEWNAME}..." + if ! [ -d "${bastille_jailsdir}/${NEWNAME}" ]; then if checkyesno bastille_zfs_enable; then + if [ "${LIVE}" -eq 1 ]; then + check_target_is_running "${TARGET}" || error_exit "[-l|--live] can only be used with a running jail." + else check_target_is_stopped "${TARGET}" || if [ "${AUTO}" -eq 1 ]; then + bastille stop "${TARGET}" + else + error_notify "Jail is running." + error_exit "Use [-a|--auto] to force stop the jail, or [-l|--live] (ZFS only) to clone a running jail." + fi + fi if [ -n "${bastille_zfs_zpool}" ]; then # Replicate the existing container DATE=$(date +%F-%H%M%S) @@ -195,13 +307,13 @@ clone_jail() { zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}@bastille_clone_${DATE}" fi else - # Just clone the jail directory - # Check if container is running - if [ -n "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then - error_exit "${TARGET} is running. See 'bastille stop ${TARGET}'." + # Perform container file copy (archive mode) + check_target_is_stopped "${TARGET}" || if [ "${AUTO}" -eq 1 ]; then + bastille stop "${TARGET}" + else + error_notify "Jail is running." + error_exit "Use [-a|--auto] to force stop the jail." fi - - # Perform container file copy(archive mode) cp -a "${bastille_jailsdir}/${TARGET}" "${bastille_jailsdir}/${NEWNAME}" fi else 
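Review bot: The exit status of `bastille stop "${TARGET}"` in the new AUTO branch of the non-ZFS path is never checked, so a stop that fails or is still tearing down falls straight through to `cp -a` on a jail whose filesystem is still live. Guarding it, `bastille stop "${TARGET}" || error_exit "Failed to stop ${TARGET}."`, keeps the copy from starting on a running jail. The same unchecked `check_target_is_stopped ... || if [ "${AUTO}" -eq 1 ]; then bastille stop` pattern appears in the ZFS branch of the preceding hunk and in network.sh's top-level stop block later in this series. clone_jail continues past the end of this hunk.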
@@ -210,7 +322,7 @@ clone_jail() {
 # Generate jail configuration files
 update_jailconf
- update_fstab
+ update_fstab "${TARGET}" "${NEWNAME}"
 # Display the exist status
 if [ "$?" -ne 0 ]; then
@@ -218,18 +330,14 @@ clone_jail() {
 else
 info "Cloned '${TARGET}' to '${NEWNAME}' successfully."
 fi
+ if [ "${AUTO}" -eq 1 ] || [ "${LIVE}" -eq 1 ]; then
+ bastille start "${NEWNAME}"
+ fi
 }
-## don't allow for dots(.) in container names
-if echo "${NEWNAME}" | grep -q "[.]"; then
- error_exit "Container names may not contain a dot(.)!"
-fi
-
-## check if ip address is valid
+# Check if IP address is valid.
 if [ -n "${IP}" ]; then
 validate_ip
 else
 usage
-fi
-
-clone_jail
+fi
\ No newline at end of file
From 71690572fce73d1b893e547daddb74b57c88fb34 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Wed, 5 Feb 2025 08:13:57 -0800
Subject: [PATCH 23/96] common: Rebase
---
 usr/local/share/bastille/common.sh | 303 ++++++++++++++++++++---------
 1 file changed, 213 insertions(+), 90 deletions(-)
diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh
index d7be27fb..6fbeada0 100644
--- a/usr/local/share/bastille/common.sh
+++ b/usr/local/share/bastille/common.sh
@@ -31,7 +31,9 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 # Source config file
-. /usr/local/etc/bastille/bastille.conf
+if [ -f /usr/local/etc/bastille/bastille.conf ]; then
+ . /usr/local/etc/bastille/bastille.conf
+fi
 COLOR_RED=
 COLOR_GREEN=
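Review bot: The `if [ "$?" -ne 0 ]` that follows now tests only the status of `update_fstab "${TARGET}" "${NEWNAME}"`, and the new common.sh update_fstab reports failure through error_notify, whose trailing echo returns 0, so the "exist status" branch below can no longer fire for either update_jailconf or update_fstab. If the check is meant to cover both, capture each call, `update_jailconf || _rv=1` and `update_fstab "${TARGET}" "${NEWNAME}" || _rv=1`, and test `${_rv}` instead of `$?`; update_fstab itself also needs a `return 1` on its error path for this to work. The comment `# Display the exist status` presumably means "exit status".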
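Review bot: The guard rejecting a dot in `${NEWNAME}` is removed without a replacement visible in this hunk, yet NEWNAME is substituted unescaped into `sed "s|...|...|"` expressions in update_jailconf_vnet and, in this series, jail names are matched with `grep -Eq "^${name}$"`, where `.` is a regex metacharacter. If the validation moved elsewhere (set_target, create), a one-line comment here saying where would help; otherwise keep an explicit check before clone_jail runs, e.g. `echo "${NEWNAME}" | grep -q '[.]' && error_exit "Container names may not contain a dot(.)!"`.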
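Review bot: Sourcing bastille.conf is now conditional, but the missing-file case is silently ignored: every `${bastille_jailsdir}` and `${bastille_zfs_*}` reference in the functions below then expands empty, so globs such as `${bastille_jailsdir}/*/jail.conf` become `/*/jail.conf` and `sed -i` targets collapse to root-relative paths. If the intent is to allow sourcing this library without a config (tests, bootstrap), a comment stating that would make it deliberate; otherwise fail loudly, `else echo "bastille.conf not found." >&2; exit 1; fi`. error_exit cannot be used here because it is defined later in this file.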
@@ -50,24 +52,30 @@ enable_color() {
 . /usr/local/share/bastille/colors.pre.sh
 }
+enable_debug() {
+ # Enable debug mode.
+ warn "***DEBUG MODE***"
+ set -x
+}
+
 # If "NO_COLOR" environment variable is present, or we aren't speaking to a
 # tty, disable output colors.
 if [ -z "${NO_COLOR}" ] && [ -t 1 ]; then
 enable_color
 fi
-# Error/Info functions
-error_notify() {
- echo -e "${COLOR_RED}$*${COLOR_RESET}" 1>&2
-}
-
+# Notify message on error, and continue to next jail
 error_continue() {
 error_notify "$@"
- # Disabling this shellcheck as we only ever call it inside of a loop
 # shellcheck disable=SC2104
 continue
 }
+# Notify message on error, but do not exit
+error_notify() {
+ echo -e "${COLOR_RED}$*${COLOR_RESET}" 1>&2
+}
+
 # Notify message on error and exit
 error_exit() {
 error_notify "$@"
@@ -84,7 +92,8 @@ warn() {
 check_target_exists() {
 local _TARGET="${1}"
- if [ ! -d "${bastille_jailsdir}"/"${_TARGET}" ]; then
+ local _jaillist="$(bastille list jails)"
+ if ! echo "${_jaillist}" | grep -Eq "^${_TARGET}$"; then
 return 1
 else
 return 0
@@ -93,7 +102,7 @@ check_target_exists() {
 check_target_is_running() {
 local _TARGET="${1}"
- if [ ! "$(/usr/sbin/jls name | awk "/^${_TARGET}$/")" ]; then
+ if ! jls name | grep -Eq "^${_TARGET}$"; then
 return 1
 else
 return 0
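Review bot: `grep -Eq "^${_TARGET}$"` in check_target_exists treats the jail name as an extended regex, so a name containing `.`, `+`, `(` or `|` (clone.sh in this series drops the dot restriction) can match a different jail or make grep reject the pattern; the same applies to check_target_is_running in the next hunk and to check_target_is_stopped in the hunk after it. A fixed-string whole-line match avoids both problems: `if ! echo "${_jaillist}" | grep -Fxq -- "${_TARGET}"; then` and `if ! jls name | grep -Fxq -- "${_TARGET}"; then`. Note also that this replaces a directory test with a `bastille list jails` fork on every call, and set_target now calls it once per jail in a loop.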
@@ -102,99 +111,67 @@ check_target_is_running() { check_target_is_stopped() { local _TARGET="${1}" - if [ "$(/usr/sbin/jls name | awk "/^${_TARGET}$/")" ]; then + if jls name | grep -Eq "^${_TARGET}$"; then return 1 else return 0 fi } -generate_static_mac() { - local jail_name="${1}" - local external_interface="${2}" - local external_interface_mac="$(ifconfig ${external_interface} | grep ether | awk '{print $2}' | sed 's#:##g')" - local macaddr_prefix="$(echo -n "${external_interface_mac}" | sha256 | cut -b -6 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" - local macaddr_suffix="$(echo -n "${jail_name}" | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" - if [ -z "${macaddr_prefix}" ] || [ -z "${macaddr_suffix}" ]; then - error_notify "Failed to generate MAC address." +get_jail_name() { + local _JID="${1}" + local _jailname="$(jls -j ${_JID} name 2>/dev/null)" + if [ -z "${_jailname}" ]; then + return 1 + else + echo "${_jailname}" fi - macaddr="${macaddr_prefix}:${macaddr_suffix}" - export macaddr } -generate_vnet_jail_netblock() { - local jail_name="${1}" - local use_unique_bridge="${2}" - local external_interface="${3}" - generate_static_mac "${jail_name}" "${external_interface}" - ## determine number of containers + 1 - ## iterate num and grep all jail configs - ## define uniq_epair - local _epair_if_count="$(grep -Eos 'epair[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" - local _vnet_if_count="$(grep -Eos 'bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" - local epair_num_range=$((_epair_if_count + 1)) - local vnet_num_range=$((_vnet_if_count + 1)) - if [ -n "${use_unique_bridge}" ]; then - if [ "${_epair_if_count}" -gt 0 ]; then - for _num in $(seq 0 "${epair_num_range}"); do - if ! 
grep -Eosq "epair${_num}" ${bastille_jailsdir}/*/jail.conf; then - local uniq_epair_bridge="${_num}" - break - fi - done +jail_autocomplete() { + local _TARGET="${1}" + local _jaillist="$(bastille list jails)" + local _AUTOTARGET="$(echo "${_jaillist}" | grep -E "^${_TARGET}")" + if [ -n "${_AUTOTARGET}" ]; then + if [ "$(echo "${_AUTOTARGET}" | wc -l)" -eq 1 ]; then + echo "${_AUTOTARGET}" else - local uniq_epair_bridge="0" + error_continue "Multiple jails found for ${_TARGET}:\n${_AUTOTARGET}" + return 1 fi else - if [ "${_vnet_if_count}" -gt 0 ]; then - for _num in $(seq 0 "${vnet_num_range}"); do - if ! grep -Eosq "bastillle${_num}" ${bastille_jailsdir}/*/jail.conf; then - local uniq_epair="${_num}" - break - fi - done - else - local uniq_epair="bastille0" - fi - fi - if [ -n "${use_unique_bridge}" ]; then - ## generate bridge config - cat <<-EOF - vnet; - vnet.interface = e${uniq_epair_bridge}b_${jail_name}; - exec.prestart += "ifconfig epair${uniq_epair_bridge} create"; - exec.prestart += "ifconfig ${external_interface} addm epair${uniq_epair_bridge}a"; - exec.prestart += "ifconfig epair${uniq_epair_bridge}a up name e${uniq_epair_bridge}a_${jail_name}"; - exec.prestart += "ifconfig epair${uniq_epair_bridge}b up name e${uniq_epair_bridge}b_${jail_name}"; - exec.prestart += "ifconfig e${uniq_epair_bridge}a_${jail_name} ether ${macaddr}a"; - exec.prestart += "ifconfig e${uniq_epair_bridge}b_${jail_name} ether ${macaddr}b"; - exec.poststop += "ifconfig ${external_interface} deletem e${uniq_epair_bridge}a_${jail_name}"; - exec.poststop += "ifconfig e${uniq_epair_bridge}a_${jail_name} destroy"; -EOF - else - ## generate config - cat <<-EOF - vnet; - vnet.interface = e0b_${uniq_epair}; - exec.prestart += "jib addm ${uniq_epair} ${external_interface}"; - exec.prestart += "ifconfig e0a_${uniq_epair} ether ${macaddr}a"; - exec.prestart += "ifconfig e0b_${uniq_epair} ether ${macaddr}b"; - exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for 
Bastille jail ${jail_name}\""; - exec.poststop += "jib destroy ${uniq_epair}"; -EOF + return 2 fi } set_target() { - local _TARGET="${1}" + local _TARGET=${1} + JAILS="" + TARGET="" if [ "${_TARGET}" = ALL ] || [ "${_TARGET}" = all ]; then target_all_jails else - check_target_exists "${_TARGET}" || error_exit "Jail not found \"${_TARGET}\"" - JAILS="${_TARGET}" - TARGET="${_TARGET}" - export JAILS + for _jail in ${_TARGET}; do + if [ ! -d "${bastille_jailsdir}/${_TARGET}" ] && echo "${_jail}" | grep -Eq '^[0-9]+$'; then + if get_jail_name "${_jail}" > /dev/null; then + _jail="$(get_jail_name ${_jail})" + else + error_continue "Error: JID \"${_jail}\" not found. Is jail running?" + fi + elif ! check_target_exists "${_jail}"; then + if jail_autocomplete "${_jail}" > /dev/null; then + _jail="$(jail_autocomplete ${_jail})" + elif [ $? -eq 2 ]; then + error_continue "Jail not found \"${_jail}\"" + else + exit 1 + fi + fi + TARGET="${TARGET} ${_jail}" + JAILS="${JAILS} ${_jail}" + done export TARGET + export JAILS fi } 
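Review bot: In set_target's loop the JID test reads `[ ! -d "${bastille_jailsdir}/${_TARGET}" ]`, using the whole target list instead of the current `_jail`; with more than one target that directory never exists, so any all-digit jail name is treated as a JID, and with a single target the check is just `_jail` under another name. It should be `if [ ! -d "${bastille_jailsdir}/${_jail}" ] && echo "${_jail}" | grep -Eq '^[0-9]+$'; then`. Separately, jail_autocomplete reports an ambiguous prefix through error_continue, whose `continue` is only meaningful inside a loop; set_target_single calls it outside one in the next hunk, so the SC2104 justification on error_continue no longer holds there and error_notify followed by the existing `return 1` expresses the intent without the stray `continue`.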
@@ -202,13 +179,27 @@ set_target_single() {
 local _TARGET="${1}"
 if [ "${_TARGET}" = ALL ] || [ "${_TARGET}" = all ]; then
 error_exit "[all|ALL] not supported with this command."
- else
- check_target_exists "${_TARGET}" || error_exit "Jail not found \"${_TARGET}\""
- JAILS="${_TARGET}"
- TARGET="${_TARGET}"
- export JAILS
- export TARGET
+ elif [ "$(echo ${_TARGET} | wc -w)" -gt 1 ]; then
+ error_exit "Error: Command only supports a single TARGET."
+ elif [ ! -d "${bastille_jailsdir}/${_TARGET}" ] && echo "${_TARGET}" | grep -Eq '^[0-9]+$'; then
+ if get_jail_name "${_TARGET}" > /dev/null; then
+ _TARGET="$(get_jail_name ${_TARGET})"
+ else
+ error_exit "Error: JID \"${_TARGET}\" not found. Is jail running?"
+ fi
+ elif ! check_target_exists "${_TARGET}"; then
+ if jail_autocomplete "${_TARGET}" > /dev/null; then
+ _TARGET="$(jail_autocomplete ${_TARGET})"
+ elif [ $? -eq 2 ]; then
+ error_exit "Jail not found \"${_TARGET}\""
+ else
+ exit 1
+ fi
 fi
+ TARGET="${_TARGET}"
+ JAILS="${_TARGET}"
+ export TARGET
+ export JAILS
 }
 target_all_jails() {
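Review bot: When jail_autocomplete resolves a prefix, the jail actually selected is never shown, so a user typing `web` can end up operating on `webserver` with no feedback; this matters for the single-target commands that now validate their own target in this series (clone and rename among them). Printing the resolution after the assignment, e.g. `info "Resolved \"${1}\" to \"${_TARGET}\""` if the existing info helper is available here, or limiting completion to non-destructive commands, makes it visible. The word-count test `echo ${_TARGET} | wc -w` leaves `_TARGET` unquoted and therefore subject to pathname expansion; `echo "${_TARGET}" | wc -w` gives the same count without that.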
@@ -222,6 +213,139 @@ target_all_jails() { export JAILS } +update_fstab() { + local _oldname="${1}" + local _newname="${2}" + local _fstab="${bastille_jailsdir}/${_newname}/fstab" + if [ -f "${_fstab}" ]; then + sed -i '' "s|${bastille_jailsdir}/${_oldname}/root/|${bastille_jailsdir}/${_newname}/root/|" "${_fstab}" + else + error_notify "Error: Failed to update fstab: ${_newmane}" + fi +} + +generate_static_mac() { + local jail_name="${1}" + local external_interface="${2}" + local external_interface_mac="$(ifconfig ${external_interface} | grep ether | awk '{print $2}')" + # Use FreeBSD vendor MAC prefix (58:9c:fc) for jail MAC prefix + local macaddr_prefix="58:9c:fc" + # Use hash of interface+jailname for jail MAC suffix + local macaddr_suffix="$(echo -n "${external_interface_mac}${jail_name}" | sed 's#:##g' | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" + if [ -z "${macaddr_prefix}" ] || [ -z "${macaddr_suffix}" ]; then + error_notify "Failed to generate MAC address." + fi + macaddr="${macaddr_prefix}:${macaddr_suffix}" + export macaddr +} + +generate_vnet_jail_netblock() { + local jail_name="${1}" + local use_unique_bridge="${2}" + local external_interface="${3}" + local static_mac="${4}" + ## determine number of interfaces + 1 + ## iterate num and grep all jail configs + ## define uniq_epair + local _epair_if_count="$( (grep -Eos 'epair[0-9]+' ${bastille_jailsdir}/*/jail.conf; ifconfig | grep -Eo '(e[0-9]+a|epair[0-9]+a)' ) | sort -u | wc -l | awk '{print $1}')" + local _bastille_if_count="$(grep -Eos 'bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local epair_num_range=$((_epair_if_count + 1)) + local bastille_num_range=$((_bastille_if_count + 1)) + if [ -n "${use_unique_bridge}" ]; then + if [ "${_epair_if_count}" -gt 0 ]; then + for _num in $(seq 0 "${epair_num_range}"); do + if ! grep -Eosq "epair${_num}" ${bastille_jailsdir}/*/jail.conf && ! 
ifconfig | grep -Eosq "(e${_num}a|epair${_num}a)"; then + if [ "$(echo -n "e${_num}a_${jail_name}" | awk '{print length}')" -lt 16 ]; then + local host_epair=e${_num}a_${jail_name} + local jail_epair=e${_num}b_${jail_name} + else + local host_epair=epair${_num}a + local jail_epair=epair${_num}b + fi + break + fi + done + else + if [ "$(echo -n "e0a_${jail_name}" | awk '{print length}')" -lt 16 ]; then + local _num=0 + local host_epair=e${_num}a_${jail_name} + local jail_epair=e${_num}b_${jail_name} + else + local _num=0 + local host_epair=epair${_num}a + local jail_epair=epair${_num}b + fi + fi + else + if [ "${_bastille_if_count}" -gt 0 ]; then + for _num in $(seq 0 "${bastille_num_range}"); do + if ! grep -Eosq "bastille${_num}" ${bastille_jailsdir}/*/jail.conf; then + local uniq_epair="bastille${_num}" + break + fi + done + else + local uniq_epair="bastille0" + fi + fi + ## If BRIDGE is enabled, generate bridge config, else generate VNET config + if [ -n "${use_unique_bridge}" ]; then + if [ -n "${static_mac}" ]; then + ## Generate bridged VNET config with static MAC address + generate_static_mac "${jail_name}" "${external_interface}" + cat <<-EOF + vnet; + vnet.interface = ${jail_epair}; + exec.prestart += "ifconfig epair${_num} create"; + exec.prestart += "ifconfig ${external_interface} addm epair${_num}a"; + exec.prestart += "ifconfig epair${_num}a up name ${host_epair}"; + exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}"; + exec.prestart += "ifconfig ${host_epair} ether ${macaddr}a"; + exec.prestart += "ifconfig ${jail_epair} ether ${macaddr}b"; + exec.prestart += "ifconfig ${host_epair} description \"vnet host interface for Bastille jail ${jail_name}\""; + exec.poststop += "ifconfig ${external_interface} deletem ${host_epair}"; + exec.poststop += "ifconfig ${host_epair} destroy"; +EOF + else + ## Generate bridged VNET config without static MAC address + cat <<-EOF + vnet; + vnet.interface = ${jail_epair}; + exec.prestart += "ifconfig 
epair${_num} create"; + exec.prestart += "ifconfig ${external_interface} addm epair${_num}a"; + exec.prestart += "ifconfig epair${_num}a up name ${host_epair}"; + exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}"; + exec.prestart += "ifconfig ${host_epair} description \"vnet host interface for Bastille jail ${jail_name}\""; + exec.poststop += "ifconfig ${external_interface} deletem ${host_epair}"; + exec.poststop += "ifconfig ${host_epair} destroy"; +EOF + fi + else + if [ -n "${static_mac}" ]; then + ## Generate VNET config with static MAC address + generate_static_mac "${jail_name}" "${external_interface}" + cat <<-EOF + vnet; + vnet.interface = e0b_${uniq_epair}; + exec.prestart += "jib addm ${uniq_epair} ${external_interface}"; + exec.prestart += "ifconfig e0a_${uniq_epair} ether ${macaddr}a"; + exec.prestart += "ifconfig e0b_${uniq_epair} ether ${macaddr}b"; + exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\""; + exec.poststop += "jib destroy ${uniq_epair}"; +EOF + else + ## Generate VNET config without static MAC address + cat <<-EOF + vnet; + vnet.interface = e0b_${uniq_epair}; + exec.prestart += "jib addm ${uniq_epair} ${external_interface}"; + exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\""; + exec.poststop += "jib destroy ${uniq_epair}"; +EOF + fi + fi +} + checkyesno() { ## copied from /etc/rc.subr -- cedwards (20231125) ## issue #368 (lowercase values should be parsed) @@ -241,5 +365,4 @@ checkyesno() { return 1 ;; esac -} - +} \ No newline at end of file From 2743316c007a059d96329e13d14dea4aba431714 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 5 Feb 2025 08:15:53 -0800 Subject: [PATCH 24/96] Update bastille: Rebar --- usr/local/bin/bastille | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) 
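Review bot: update_fstab's error message references `${_newmane}`, a misspelling of `_newname`, so it always prints an empty name, and because error_notify ends in echo the function returns 0 on that path; clone_jail's `$?` check after `update_fstab` therefore never fires. Suggested fix: `error_notify "Error: Failed to update fstab: ${_newname}"` followed by `return 1`. In generate_static_mac the `[ -z "${macaddr_prefix}" ] || [ -z "${macaddr_suffix}" ]` check is now dead: the prefix is a constant and the suffix is a hash of `${external_interface_mac}${jail_name}`, which is non-empty even when `ifconfig ${external_interface}` fails, so a bad interface name silently yields a MAC derived from the jail name alone; testing `[ -z "${external_interface_mac}" ]` and returning non-zero would catch it. Both functions are complete within this hunk.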
diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille
index 3c6fef07..ad8dcd44 100755
--- a/usr/local/bin/bastille
+++ b/usr/local/bin/bastille
@@ -78,7 +78,7 @@ bastille_perms_check() {
 bastille_perms_check
 ## version
-BASTILLE_VERSION="0.12.20250111"
+BASTILLE_VERSION="0.13.20250126"
 usage() {
 cat << EOF
@@ -95,19 +95,21 @@ Available Commands:
 config Get or set a config value for the targeted container(s).
 console Console into a running container.
 convert Convert a Thin container into a Thick container.
- cp cp(1) files from host to targeted container(s).
+ cp cp(1) files from host to jail(s).
 create Create a new thin container or a thick container if -T|--thick option specified.
 destroy Destroy a stopped container or a FreeBSD release.
 edit Edit container configuration files (advanced).
+ etcupdate Update /etc directory to specified release.
 export Exports a specified container.
 help Help about any command.
 htop Interactive process viewer (requires htop).
+ jcp cp(1) files from a jail to jail(s).
 import Import a specified container.
 limits Apply resources limits to targeted container(s). See rctl(8).
 list List containers (running).
 mount Mount a volume inside the targeted container(s).
 pkg Manipulate binary packages within targeted container(s). See pkg(8).
- rcp reverse cp(1) files from a single container to the host.
+ rcp cp(1) files from a jail to host.
 rdr Redirect host port to container port.
 rename Rename a container.
 restart Restart a running container.
@@ -137,7 +139,7 @@ EOF
 CMD=$1
 shift
-target_all_jails() {
+target_all_jails_old() {
 _JAILS=$(/usr/sbin/jls name)
 JAILS=""
 for _jail in ${_JAILS}; do
@@ -148,7 +150,7 @@ target_all_jails() {
 done
 }
-check_target_is_running() {
+check_target_is_running_old() {
 if [ ! "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
 error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'."
 fi
@@ -163,10 +165,10 @@ version|-v|--version) help|-h|--help) usage ;; -bootstrap|create|destroy|export|htop|import|list|mount|network|rdr|restart|setup|start|top|umount|update|upgrade|verify) +bootstrap|clone|console|create|cp|destroy|etcupdate|export|htop|import|jcp|list|mount|network|pkg|rcp|rdr|rename|restart|setup|start|top|umount|update|upgrade|verify) # Nothing "extra" to do for these commands. -- cwells ;; -clone|config|cmd|console|convert|cp|edit|limits|pkg|rcp|rename|service|stop|sysrc|tags|template|zfs) +config|cmd|convert|edit|limits|service|stop|sysrc|tags|template|zfs) # Parse the target and ensure it exists. -- cwells if [ $# -eq 0 ]; then # No target was given, so show the command's help. -- cwells PARAMS='help' @@ -187,15 +189,15 @@ clone|config|cmd|console|convert|cp|edit|limits|pkg|rcp|rename|service|stop|sysr fi if [ "${TARGET}" = 'ALL' ]; then - target_all_jails + target_all_jails_old elif [ "${CMD}" = "pkg" ] && [ "${TARGET}" = '-H' ] || [ "${TARGET}" = '--host' ]; then TARGET="${1}" USE_HOST_PKG=1 if [ "${TARGET}" = 'ALL' ]; then - target_all_jails + target_all_jails_old else JAILS="${TARGET}" - check_target_is_running + check_target_is_running_old fi shift elif [ "${CMD}" = 'template' ] && [ "${TARGET}" = '--convert' ]; then @@ -211,8 +213,8 @@ clone|config|cmd|console|convert|cp|edit|limits|pkg|rcp|rename|service|stop|sysr fi case "${CMD}" in - cmd|console|pkg|service|stop|sysrc|template) - check_target_is_running + cmd|pkg|service|stop|sysrc|template) + check_target_is_running_old ;; convert|rename) # Require the target to be stopped. -- cwells @@ -247,4 +249,4 @@ if [ -f "${SCRIPTPATH}" ]; then fi else error_exit "${SCRIPTPATH} not found." -fi +fi \ No newline at end of file From 6301d637fb8e398bc5221db072da835de9aaf4bf Mon Sep 17 00:00:00 2001 
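Review bot: `pkg` moves to the no-extra-processing arm, but the second arm still contains the `-H|--host` handling keyed on `[ "${CMD}" = "pkg" ]` and its inner `case` still lists `pkg` under check_target_is_running_old (hunks `@@ -187` and `@@ -211` on this line); from this dispatcher both are now unreachable for pkg. If pkg.sh handles `--host` and the running-jail check itself, the dead `pkg` references here should be removed so the two code paths do not diverge; if it does not, `bastille pkg -H` lost its host-package behaviour with this change. The same applies, less visibly, to `cp`, `rcp`, `console`, `clone` and `rename`, which also leave the validating arm here.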
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Wed, 5 Feb 2025 10:57:44 -0800
Subject: [PATCH 25/96] clone: Fix missing command
---
 usr/local/share/bastille/clone.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh
index f3f1d8d2..85f7a48d 100644
--- a/usr/local/share/bastille/clone.sh
+++ b/usr/local/share/bastille/clone.sh
@@ -340,4 +340,6 @@ if [ -n "${IP}" ]; then
 validate_ip
 else
 usage
-fi
\ No newline at end of file
+fi
+
+clone_jail
\ No newline at end of file
From 055e05254e5084904ee19ec74c2c32362dd347fa Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Wed, 5 Feb 2025 12:51:27 -0700
Subject: [PATCH 26/96] Update network.sh
---
 usr/local/share/bastille/network.sh | 36 ++++++++++++++---------------
 1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh
index 6d02acc4..1c213737 100644
--- a/usr/local/share/bastille/network.sh
+++ b/usr/local/share/bastille/network.sh
@@ -36,21 +36,21 @@ usage() {
 cat << EOF
 Options:
+ -a | --auto Start/stop the jail(s) if required.
 -b | --bridge Add a bridged VNET interface to an existing jail.
- -c | --classic Add an interface to a classic (non_VNET) jail.
- -f | --force Stop the jail if it is running.
+ -c | --classic Add an interface to a classic (non-VNET) jail.
 -m | --static-mac Generate a static MAC address for the interface.
- -s | --start Start jail on completion.
 -v | --vnet Add a VNET interface to an existing jail.
-
+ -x | --debug Enable debug mode.
+
 EOF
 exit 1
 }
 # Handle options.
+AUTO=0
 BRIDGE_VNET_JAIL=0
 CLASSIC_JAIL=0
-FORCE=0
 STATIC_MAC=0
 START=0
 VNET_JAIL=0
@@ -67,7 +67,7 @@ while [ "$#" -gt 0 ]; do
 CLASSIC_JAIL=1
 shift
 ;;
- -f|--force)
+ -a|--auto)
 FORCE=1
 shift
 ;;
@@ -75,23 +75,23 @@ while [ "$#" -gt 0 ]; do
 STATIC_MAC=1
 shift
 ;;
- -s|--start)
- START=1
- shift
- ;;
 -v|-V|--vnet)
 VNET_JAIL=1
 shift
 ;;
+ -x|--debug)
+ enable_debug
+ shift
+ ;;
 -*)
 for _o in $(echo ${1} 2>/dev/null | sed 's/-//g' | fold -w1); do
 case ${_o} in
+ a) AUTO=1 ;;
 b|B) BRIDGE_VNET_JAIL=1 ;;
 c) CLASSIC_JAIL=1 ;;
- f) FORCE=1 ;;
 m|M) STATIC_MAC=1 ;;
- s) START=1 ;;
 v|V) VNET_JAIL=1 ;;
+ x) enable_debug ;;
 *) error_exit "Unknown Option: \"${1}\"" ;;
 esac
 done
@@ -126,11 +126,11 @@ fi
 bastille_root_check
 set_target_single "${TARGET}"
-check_target_is_stopped "${TARGET}" || if [ "${FORCE}" -eq 1 ]; then
+check_target_is_stopped "${TARGET}" || if [ "${AUTO}" -eq 1 ]; then
 bastille stop "${TARGET}"
 else
 error_notify "Jail is running."
- error_exit "Use [-f|--force] to force stop the jail."
+ error_exit "Use [-a|--auto] to force stop the jail."
 fi
 validate_ip() {
@@ -374,7 +374,7 @@ case "${ACTION}" in
 error_exit "\"${INTERFACE}\" is a bridge interface."
 else
 add_interface "${TARGET}" "${INTERFACE}" "${IP}"
- if [ "${START}" -eq 1 ]; then
+ if [ "${AUTO}" -eq 1 ]; then
 bastille start "${TARGET}"
 fi
 fi
@@ -383,7 +383,7 @@ case "${ACTION}" in
 error_exit "\"${INTERFACE}\" is not a bridge interface."
 else
 add_interface "${TARGET}" "${INTERFACE}" "${IP}"
- if [ "${START}" -eq 1 ]; then
+ if [ "${AUTO}" -eq 1 ]; then
 bastille start "${TARGET}"
 fi
 fi
@@ -392,7 +392,7 @@ case "${ACTION}" in
 error_exit "Error: ${TARGET} is a VNET jail."
 else
 add_interface "${TARGET}" "${INTERFACE}" "${IP}"
- if [ "${START}" -eq 1 ]; then
+ if [ "${AUTO}" -eq 1 ]; then
 bastille start "${TARGET}"
 fi
 fi
@@ -405,7 +405,7 @@ case "${ACTION}" in
 error_exit "Interface not found in jail.conf: \"${INTERFACE}\""
 else
 remove_interface "${TARGET}" "${INTERFACE}"
- if [ "${START}" -eq 1 ]; then
+ if [ "${AUTO}" -eq 1 ]; then
 bastille start "${TARGET}"
 fi
 fi
From 276448a3c21cecf613db301636ab56efe7f357ae Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Wed, 5 Feb 2025 11:57:44 -0800
Subject: [PATCH 27/96] Update network.sh
---
 usr/local/share/bastille/network.sh | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh
index 1c213737..3cc39957 100644
--- a/usr/local/share/bastille/network.sh
+++ b/usr/local/share/bastille/network.sh
@@ -52,7 +52,6 @@ AUTO=0
 BRIDGE_VNET_JAIL=0
 CLASSIC_JAIL=0
 STATIC_MAC=0
-START=0
 VNET_JAIL=0
 while [ "$#" -gt 0 ]; do
 case "${1}" in
@@ -68,7 +67,7 @@ while [ "$#" -gt 0 ]; do
 shift
 ;;
 -a|--auto)
- FORCE=1
+ AUTO=1
 shift
 ;;
 -m|-M|--static-mac)
From 0338d897801296d443fa97b33c7c95e7b0a34e16 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Wed, 5 Feb 2025 13:39:07 -0800
Subject: [PATCH 28/96] network: Final copy
---
 usr/local/share/bastille/network.sh | 100 ++++++++++++++++++++--------
 1 file changed, 71 insertions(+), 29 deletions(-)
diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh
index 3cc39957..cedfabaf 100644
--- a/usr/local/share/bastille/network.sh
+++ b/usr/local/share/bastille/network.sh
@@ -189,51 +189,73 @@ add_interface() { local _ip="${3}" local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" - local _epair_if_count="$(grep -Eo 'epair[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" - local _bastille_if_count="$(grep -Eo 'bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local _epair_if_count="$( (grep -Eos 'epair[0-9]+' ${bastille_jailsdir}/*/jail.conf; ifconfig | grep -Eo '(e[0-9]+a|epair[0-9]+a)' ) | sort -u | wc -l | awk '{print $1}')" + local _bastille_if_count="$(grep -Eos 'bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" local _vnet_if_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l | awk '{print $1}')" local _if_vnet="vnet$((_vnet_if_count + 1))" local epair_num_range=$((_epair_if_count + 1)) local bastille_num_range=$((_bastille_if_count + 1)) if [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; then - for _num in $(seq 0 "${epair_num_range}"); do - if ! grep -Eq "epair${_num}" "${bastille_jailsdir}"/*/jail.conf; then - local bridge_epair="epair${_num}" + if [ "${_epair_if_count}" -gt 0 ]; then + for _num in $(seq 0 "${epair_num_range}"); do + if ! grep -Eosq "epair${_num}" ${bastille_jailsdir}/*/jail.conf && ! 
ifconfig | grep -Eosq "(e${_num}a|epair${_num}a)"; then + if [ "$(echo -n "e${_num}a_${jail_name}" | awk '{print length}')" -lt 16 ]; then + local host_epair=e${_num}a_${_jailname} + local jail_epair=e${_num}b_${_jailname} + else + local host_epair=epair${_num}a + local jail_epair=epair${_num}b + fi break + fi + done + else + if [ "$(echo -n "e0a_${_jailname}" | awk '{print length}')" -lt 16 ]; then + local _num=0 + local host_epair=e${_num}a_${_jailname} + local jail_epair=e${_num}b_${_jailname} + else + local _num=0 + local host_epair=epair${_num}a + local jail_epair=epair${_num}b fi - done + fi # Remove ending brace (it is added again with the netblock) sed -i '' '/}/d' "${_jail_config}" if [ "${STATIC_MAC}" -eq 1 ]; then # Generate NETBLOCK with static MAC generate_static_mac "${_jailname}" "${_if}" cat << EOF >> "${_jail_config}" - ## ${bridge_epair} interface - vnet.interface += ${bridge_epair}b; - exec.prestart += "ifconfig ${bridge_epair} create"; - exec.prestart += "ifconfig ${_if} addm ${bridge_epair}a"; - exec.prestart += "ifconfig ${bridge_epair}a ether ${macaddr}a"; - exec.prestart += "ifconfig ${bridge_epair}b ether ${macaddr}b"; - exec.prestart += "ifconfig ${bridge_epair}a description \"vnet host interface for Bastille jail ${_jailname}\""; - exec.poststop += "ifconfig ${_if} deletem ${bridge_epair}a"; - exec.poststop += "ifconfig ${bridge_epair}a destroy"; + ## ${host_epair} interface + vnet.interface += ${jail_epair}; + exec.prestart += "ifconfig epair${_num} create"; + exec.prestart += "ifconfig ${_if} addm epair${_num}a"; + exec.prestart += "ifconfig epair${_num}a up name ${host_epair}"; + exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}"; + exec.prestart += "ifconfig ${host_epair} ether ${macaddr}a"; + exec.prestart += "ifconfig ${jail_epair} ether ${macaddr}b"; + exec.prestart += "ifconfig ${host_epair} description \"vnet host interface for Bastille jail ${_jailname}\""; + exec.poststop += "ifconfig ${_if} deletem ${host_epair}"; 
+ exec.poststop += "ifconfig ${host_epair} destroy"; } EOF else # Generate NETBLOCK without static MAC cat << EOF >> "${_jail_config}" - ## ${bridge_epair} interface - vnet.interface += ${bridge_epair}b; - exec.prestart += "ifconfig ${bridge_epair} create"; - exec.prestart += "ifconfig ${_if} addm ${bridge_epair}a"; - exec.prestart += "ifconfig ${bridge_epair}a description \"vnet host interface for Bastille jail ${_jailname}\""; - exec.poststop += "ifconfig ${_if} deletem ${bridge_epair}a"; - exec.poststop += "ifconfig ${bridge_epair}a destroy"; + ## ${host_epair} interface + vnet.interface += ${jail_epair}; + exec.prestart += "ifconfig epair${_num} create"; + exec.prestart += "ifconfig ${_if} addm epair${_num}a"; + exec.prestart += "ifconfig epair${_num}a up name ${host_epair}"; + exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}"; + exec.prestart += "ifconfig ${host_epair} description \"vnet host interface for Bastille jail ${_jailname}\""; + exec.poststop += "ifconfig ${_if} deletem ${host_epair}"; + exec.poststop += "ifconfig ${host_epair} destroy"; } EOF fi # Add config to /etc/rc.conf - sysrc -f "${_jail_rc_config}" ifconfig_${bridge_epair}b_name="${_if_vnet}" + sysrc -f "${_jail_rc_config}" ifconfig_${jail_epair}_name="${_if_vnet}" # If 0.0.0.0 set DHCP, else set static IP address if [ "${_ip}" = "0.0.0.0" ]; then sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" 
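Review bot: The length test in the bridge branch reads `echo -n "e${_num}a_${jail_name}"`, but add_interface's parameter is `_jailname` (used correctly on the next line and in the count-zero branch); `jail_name` is not set in this function, so the measured length is always 4 and the `e${_num}a_${_jailname}` form is chosen even when it exceeds the interface-name length limit this check exists to respect, leaving `ifconfig ... up name` to fail at jail start. Change it to `if [ "$(echo -n "e${_num}a_${_jailname}" | awk '{print length}')" -lt 16 ]; then`. The equivalent logic in common.sh's generate_vnet_jail_netblock uses its own `jail_name` local and is not affected. add_interface begins before this hunk.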
@@ -308,9 +330,23 @@ remove_interface() { # Skip next block in case of classic jail if [ "$(bastille config ${TARGET} get vnet)" != "not set" ]; then local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" - local _if_jail="$(grep ${_if} ${_jail_config} | grep -Eo -m 1 'epair[0-9]+|bastille[0-9]+')" + if grep ${_if} ${_jail_config} | grep -Eo -m 1 'bastille[0-9]+'; then + local _if_bastille_num="$(grep ${_if} ${_jail_config} | grep -Eo -m 1 "bastille[0-9]+" | grep -Eo "[0-9]+")" + local _if_jail="e0b_bastille${_if_bastille_num}" + _if_type="bastille" + elif grep ${_if} ${_jail_config} | grep -Eo -m 1 "epair[0-9]+"; then + local _if_epair_num="$(grep ${_if} ${_jail_config} | grep -Eo -m 1 "epair[0-9]+" | grep -Eo "[0-9]+")" + if grep epair${_if_epair_num}b ${_jail_config} | grep -Eo -m 1 "e${_if_epair_num}b_${_jailname}"; then + local _if_jail="$(grep epair${_if_epair_num}b ${_jail_config} | grep -Eo -m 1 "e${_if_epair_num}b_${_jailname}")" + else + local _if_jail="epair${_if_epair_num}b" + fi + _if_type="epair" + else + error_exit "Could not find interface inside jail: \"${_if_jail}\"" + fi - if grep -o "${_if_jail}" ${_jail_rc_config}; then + if grep -o "${_if_jail}" ${_jail_config}; then local _if_vnet="$(grep ${_if_jail} ${_jail_rc_config} | grep -Eo 'vnet[0-9]+')" else error_exit "Interface not found: ${_if_jail}" 
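Review bot: The final `else` branch reports `${_if_jail}`, but no branch has assigned that variable by then, so the user sees an empty name; the message should carry the interface that was asked for: `error_exit "Could not find interface inside jail: \"${_if}\""`. The `if grep ${_if} ${_jail_config} | grep -Eo -m 1 ...` conditions also lack `-q`, so every match is echoed to stdout as a side effect of the test, and `${_if}` is handed to grep unquoted as a regular expression rather than a literal name (`grep -F -- "${_if}"` would match it as typed). remove_interface() starts before this hunk and continues past it.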
@@ -330,12 +366,19 @@ remove_interface() { if [ -n "${_if_vnet}" ] && echo ${_if_vnet} 2>/dev/null | grep -Eo 'vnet[0-9]+'; then sed -i '' "/.*${_if_vnet}.*/d" "${_jail_rc_config}" else - error_exit "Failed to remove interface from /etc/rc.conf" + error_continue "Failed to remove interface from /etc/rc.conf" fi # Remove VNET interface from jail.conf (VNET) if [ -n "${_if_jail}" ]; then - sed -i '' "/.*${_if_jail}.*/d" "${_jail_config}" + if [ "${_if_type}" = "epair" ]; then + sed -i '' "/.*epair${_if_epair_num}.*/d" "${_jail_config}" + sed -i '' "/.*e${_if_epair_num}a_${_jailname}.*/d" "${_jail_config}" + sed -i '' "/.*e${_if_epair_num}b_${_jailname}.*/d" "${_jail_config}" + elif [ "${_if_type}" = "bastille" ]; then + sed -i '' "/.*${_if_jail}.*/d" "${_jail_config}" + sed -i '' "/.*bastille${_if_bastille_num}.*/d" "${_jail_config}" + fi else error_exit "Failed to remove interface from jail.conf" fi @@ -369,7 +412,7 @@ case "${ACTION}" in validate_ip "${IP}" fi if [ "${VNET_JAIL}" -eq 1 ]; then - if ifconfig | grep "${INTERFACE}" | grep -q bridge; then + if ifconfig -g bridge | grep -owq "${INTERFACE}"; then error_exit "\"${INTERFACE}\" is a bridge interface." else add_interface "${TARGET}" "${INTERFACE}" "${IP}" @@ -413,4 +456,3 @@ case "${ACTION}" in error_exit "Only [add|remove] are supported." ;; esac - From de79af7bb40f70c9626b6c6e892368597770e7b9 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 5 Feb 2025 13:51:50 -0800 Subject: [PATCH 29/96] clone: Fix for same jail description --- usr/local/share/bastille/clone.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index 85f7a48d..617a3994 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh 
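Review bot: The deletion patterns `/.*epair${_if_epair_num}.*/d` and `/.*bastille${_if_bastille_num}.*/d` are unanchored on the right, so removing epair1 from a jail that also carries epair10..19 deletes those interfaces' lines as well (same for bastille1 versus bastille10). In the lines this tool generates, as far as the earlier hunks of this series show, the number is always followed by a non-digit (`a`, `b`, a space or a quote), so `sed -i '' "/epair${_if_epair_num}[^0-9]/d"` and `sed -i '' "/bastille${_if_bastille_num}[^0-9]/d"` would only hit the intended interface; the `e${n}a_`/`e${n}b_` patterns already carry that boundary. remove_interface() continues outside this hunk.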
@@ -227,7 +227,7 @@ update_jailconf_vnet() { sed -i '' "s|${_new_jail_epair} ether.*:.*:.*:.*:.*:.*b\";|${_new_jail_epair} ether ${macaddr}b\";|" "${_jail_conf}" fi # Replace epair description - sed -i '' "s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" + sed -i '' "/${_new_host_epair}/ s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" # Update /etc/rc.conf local _jail_vnet="$(grep ${_target_jail_epair} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")" sed -i '' "s|${_target_jail_epair}_name|${_new_jail_epair}_name|" "${_rc_conf}" @@ -258,7 +258,7 @@ update_jailconf_vnet() { sed -i '' "s|${uniq_epair} ether.*:.*:.*:.*:.*:.*a\";|${uniq_epair} ether ${macaddr}a\";|" "${_jail_conf}" sed -i '' "s|${uniq_epair} ether.*:.*:.*:.*:.*:.*b\";|${uniq_epair} ether ${macaddr}b\";|" "${_jail_conf}" fi - sed -i '' "s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" + sed -i '' "/${uniq_epair}/ s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" # Update /etc/rc.conf sed -i '' "s|ifconfig_e0b_${_if}_name|ifconfig_e0b_${uniq_epair}_name|" "${_rc_conf}" if grep "vnet0" "${_rc_conf}" | grep -q ${uniq_epair}; then @@ -342,4 +342,4 @@ else usage fi -clone_jail \ No newline at end of file +clone_jail From 513e7777ffb09f833f3401bfdadbd2dc2f654942 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 26 Feb 2025 14:59:44 -0700 Subject: [PATCH 30/96] network: Fix bridge interface not properly detected --- usr/local/share/bastille/network.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index cedfabaf..bcf5a971 100644 --- a/usr/local/share/bastille/network.sh 
+++ b/usr/local/share/bastille/network.sh
@@ -421,7 +421,7 @@ case "${ACTION}" in
 fi
 fi
 elif [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; then
-if ! ifconfig | grep "${INTERFACE}" | grep -q bridge; then
+if ! ifconfig -g bridge | grep -owq "${INTERFACE}"; then
 error_exit "\"${INTERFACE}\" is not a bridge interface."
 else
 add_interface "${TARGET}" "${INTERFACE}" "${IP}"
From 6ba11dc762c7d882f84144adbd3e173befdd3906 Mon Sep 17 00:00:00 2001
From: tschettervictor Date: Sat, 1 Mar 2025 18:48:14 -0700 Subject: [PATCH 31/96] bastille: Support user based config This PR will allow bastille to be configured based on the user you run as. To load the config for a specific user, you must be logged in as that user, and there must be a file called "bastille_USERNAME.conf" (USERNAME being the login name) inside /usr/local/etc/bastille; otherwise bastille will just load the default config file. --- usr/local/share/bastille/bootstrap.sh | 2 +- usr/local/share/bastille/clone.sh | 2 +- usr/local/share/bastille/cmd.sh | 2 +- usr/local/share/bastille/common.sh | 17 ++++++++++++----- usr/local/share/bastille/config.sh | 2 +- usr/local/share/bastille/console.sh | 2 +- usr/local/share/bastille/convert.sh | 2 +- usr/local/share/bastille/cp.sh | 2 +- usr/local/share/bastille/create.sh | 2 +- usr/local/share/bastille/destroy.sh | 2 +- usr/local/share/bastille/edit.sh | 2 +- usr/local/share/bastille/etcupdate.sh | 2 +- usr/local/share/bastille/export.sh | 2 +- usr/local/share/bastille/htop.sh | 2 +- usr/local/share/bastille/import.sh | 2 +- usr/local/share/bastille/jcp.sh | 2 +- usr/local/share/bastille/limits.sh | 2 +- usr/local/share/bastille/list.sh | 2 +- usr/local/share/bastille/mount.sh | 2 +- usr/local/share/bastille/pkg.sh | 2 +- usr/local/share/bastille/rcp.sh | 2 +- usr/local/share/bastille/rdr.sh | 2 +- usr/local/share/bastille/rename.sh | 2 +- usr/local/share/bastille/service.sh | 1 + usr/local/share/bastille/setup.sh | 4 +--- usr/local/share/bastille/start.sh | 2 +- usr/local/share/bastille/stop.sh | 2 +- usr/local/share/bastille/sysrc.sh | 2 +- usr/local/share/bastille/tags.sh | 2 +- usr/local/share/bastille/template.sh | 2 +- usr/local/share/bastille/top.sh | 2 +- usr/local/share/bastille/umount.sh | 2 +- usr/local/share/bastille/update.sh | 2 +- usr/local/share/bastille/upgrade.sh | 2 +- usr/local/share/bastille/verify.sh | 2 +- usr/local/share/bastille/zfs.sh | 2 +- 36 files changed, 47 insertions(+), 41 deletions(-)
diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 74219638..c7d97dbc 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille bootstrap [option(s)] [RELEASE|TEMPLATE] [update|arch]" diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index 0db63835..74a88b78 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille clone [option(s)] TARGET NEW_NAME IP_ADDRESS" diff --git a/usr/local/share/bastille/cmd.sh b/usr/local/share/bastille/cmd.sh index 0d958973..cca0082e 100644 --- a/usr/local/share/bastille/cmd.sh +++ b/usr/local/share/bastille/cmd.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille cmd [option(s)] TARGET command" diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index fd62d6e2..763b0d17 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -30,11 +30,6 @@ # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# Source config file -if [ -f /usr/local/etc/bastille/bastille.conf ]; then - . /usr/local/etc/bastille/bastille.conf -fi - COLOR_RED= COLOR_GREEN= COLOR_YELLOW= 
@@ -48,6 +43,18 @@ bastille_root_check() { fi } +load_config() { + _user="$(id -un)" + if [ "${_user}" != "root" ] && [ -r "/usr/local/etc/bastille/bastille_${_user}.conf" ]; then + . /usr/local/etc/bastille/bastille_${_user}.conf + else + . /usr/local/etc/bastille/bastille.conf + fi +} + +# Load configuration file +load_config + enable_color() { . /usr/local/share/bastille/colors.pre.sh } diff --git a/usr/local/share/bastille/config.sh b/usr/local/share/bastille/config.sh index a6ff11c5..0323d470 100644 --- a/usr/local/share/bastille/config.sh +++ b/usr/local/share/bastille/config.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille config TARGET [get|set] PROPERTY_NAME NEW_VALUE" diff --git a/usr/local/share/bastille/console.sh b/usr/local/share/bastille/console.sh index 33851a05..7b133287 100644 --- a/usr/local/share/bastille/console.sh +++ b/usr/local/share/bastille/console.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille console [option(s)] TARGET [user]" diff --git a/usr/local/share/bastille/convert.sh b/usr/local/share/bastille/convert.sh index d5d5b582..8b6d66fe 100644 --- a/usr/local/share/bastille/convert.sh +++ b/usr/local/share/bastille/convert.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille convert [option(s)] TARGET" diff --git a/usr/local/share/bastille/cp.sh b/usr/local/share/bastille/cp.sh index 0d1b53a1..c23a17e7 100644 --- a/usr/local/share/bastille/cp.sh +++ b/usr/local/share/bastille/cp.sh 
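Review bot: `_user` is assigned without `local`, so every script that sources common.sh inherits a stray global, and the `.` line leaves the path unquoted although the `-r` test right above quotes it; `local _user` and `. "/usr/local/etc/bastille/bastille_${_user}.conf"` make the two consistent. The function deserves a header comment because the selected file is executed as shell in the caller's context: `# Sources the config as shell code: the per-user bastille_<user>.conf when it exists and is readable, else the default bastille.conf.` Nothing in this hunk checks who owns or can write the per-user file; if nothing elsewhere does either, anyone able to write it runs code as that user on every bastille invocation.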
@@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille cp [option(s)] TARGET HOST_PATH JAIL_PATH" diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 8ddcd11a..2f3783a5 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { # Build an independent usage for the create command diff --git a/usr/local/share/bastille/destroy.sh b/usr/local/share/bastille/destroy.sh index b18a670a..d590adf1 100644 --- a/usr/local/share/bastille/destroy.sh +++ b/usr/local/share/bastille/destroy.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille destroy [option(s)] [JAIL|RELEASE]" diff --git a/usr/local/share/bastille/edit.sh b/usr/local/share/bastille/edit.sh index 50c0ed88..0298da89 100644 --- a/usr/local/share/bastille/edit.sh +++ b/usr/local/share/bastille/edit.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille edit [option(s)] TARGET [filename]" diff --git a/usr/local/share/bastille/etcupdate.sh b/usr/local/share/bastille/etcupdate.sh index 2f625d41..4db33e7b 100644 --- a/usr/local/share/bastille/etcupdate.sh +++ b/usr/local/share/bastille/etcupdate.sh 
@@ -28,7 +28,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille etcupdate [option(s)] [bootstrap|TARGET] [diff|resolve|update RELEASE]" diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index f4d07fd4..584f1e36 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { # Build an independent usage for the export command diff --git a/usr/local/share/bastille/htop.sh b/usr/local/share/bastille/htop.sh index d6b108d8..1e0f796e 100644 --- a/usr/local/share/bastille/htop.sh +++ b/usr/local/share/bastille/htop.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille htop [option(s)] TARGET" diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index d76c8858..ec55fbd4 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { # Build an independent usage for the import command diff --git a/usr/local/share/bastille/jcp.sh b/usr/local/share/bastille/jcp.sh index fc8cf05e..ac2aa490 100644 --- a/usr/local/share/bastille/jcp.sh +++ b/usr/local/share/bastille/jcp.sh 
@@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille jcp [option(s)] SOURCE_JAIL JAIL_PATH DEST_JAIL JAIL_PATH" diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index 0418ffd7..b20b2a12 100644 --- a/usr/local/share/bastille/limits.sh +++ b/usr/local/share/bastille/limits.sh @@ -32,7 +32,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille limits [option(s)] TARGET OPTION VALUE" diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index c01875ab..3fd0dec5 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille list [option(s)] [-j|-a] [RELEASE (-p)] [template] [JAIL|CONTAINER] [log] [limit] [import] [export] [backup]" diff --git a/usr/local/share/bastille/mount.sh b/usr/local/share/bastille/mount.sh index f13c98ed..dd0e7bc0 100644 --- a/usr/local/share/bastille/mount.sh +++ b/usr/local/share/bastille/mount.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille mount [option(s)] TARGET HOST_PATH JAIL_PATH [filesystem_type options dump pass_number]" diff --git a/usr/local/share/bastille/pkg.sh b/usr/local/share/bastille/pkg.sh index c69f6763..fe4a000e 100644 --- a/usr/local/share/bastille/pkg.sh +++ b/usr/local/share/bastille/pkg.sh 
@@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille pkg [option(s)] TARGET COMMAND args" diff --git a/usr/local/share/bastille/rcp.sh b/usr/local/share/bastille/rcp.sh index f3880a0f..0c82b299 100644 --- a/usr/local/share/bastille/rcp.sh +++ b/usr/local/share/bastille/rcp.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille rcp [option(s)] TARGET JAIL_PATH HOST_PATH" diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh index ef1e60a8..bc9c26b7 100644 --- a/usr/local/share/bastille/rdr.sh +++ b/usr/local/share/bastille/rdr.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille rdr [option(s)] TARGET [clear|reset|list|(tcp|udp)] HOST_PORT JAIL_PORT [log ['(' logopts ')'] ]" diff --git a/usr/local/share/bastille/rename.sh b/usr/local/share/bastille/rename.sh index 7aa887b8..41600f75 100644 --- a/usr/local/share/bastille/rename.sh +++ b/usr/local/share/bastille/rename.sh @@ -29,7 +29,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille rename [option(s)] TARGET NEW_NAME" diff --git a/usr/local/share/bastille/service.sh b/usr/local/share/bastille/service.sh index 40551def..1bb7fc27 100644 --- a/usr/local/share/bastille/service.sh +++ b/usr/local/share/bastille/service.sh 
@@ -31,6 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh +load_config usage() { error_notify "Usage: bastille service [options(s)] TARGET SERVICE_NAME ACTION" diff --git a/usr/local/share/bastille/setup.sh b/usr/local/share/bastille/setup.sh index 020d2cf4..726c08f8 100644 --- a/usr/local/share/bastille/setup.sh +++ b/usr/local/share/bastille/setup.sh @@ -30,10 +30,8 @@ # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -bastille_config="/usr/local/etc/bastille/bastille.conf" . /usr/local/share/bastille/common.sh -# shellcheck source=/usr/local/etc/bastille/bastille.conf -. ${bastille_config} +load_config usage() { error_exit "Usage: bastille setup [pf|network|zfs|vnet]" diff --git a/usr/local/share/bastille/start.sh b/usr/local/share/bastille/start.sh index 8a0960d1..923b338b 100644 --- a/usr/local/share/bastille/start.sh +++ b/usr/local/share/bastille/start.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille start [option(s)] TARGET" diff --git a/usr/local/share/bastille/stop.sh b/usr/local/share/bastille/stop.sh index faafe4cc..0a921baf 100644 --- a/usr/local/share/bastille/stop.sh +++ b/usr/local/share/bastille/stop.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille stop [option(s)] TARGET" diff --git a/usr/local/share/bastille/sysrc.sh b/usr/local/share/bastille/sysrc.sh index f2361ab1..3b5bbb19 100644 --- a/usr/local/share/bastille/sysrc.sh +++ b/usr/local/share/bastille/sysrc.sh 
@@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille sysrc [option(s)] TARGET args" diff --git a/usr/local/share/bastille/tags.sh b/usr/local/share/bastille/tags.sh index 0285570f..3bba6941 100644 --- a/usr/local/share/bastille/tags.sh +++ b/usr/local/share/bastille/tags.sh @@ -32,7 +32,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille tags TARGET [add|delete|list] [tag1,tag2]" diff --git a/usr/local/share/bastille/template.sh b/usr/local/share/bastille/template.sh index eec08752..5c4de5ee 100644 --- a/usr/local/share/bastille/template.sh +++ b/usr/local/share/bastille/template.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille template [option(s)] TARGET [--convert|project/template]" diff --git a/usr/local/share/bastille/top.sh b/usr/local/share/bastille/top.sh index ef2a8bcb..3883b126 100644 --- a/usr/local/share/bastille/top.sh +++ b/usr/local/share/bastille/top.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille top [options(s)] TARGET" diff --git a/usr/local/share/bastille/umount.sh b/usr/local/share/bastille/umount.sh index 89017dfd..36a147cc 100644 --- a/usr/local/share/bastille/umount.sh +++ b/usr/local/share/bastille/umount.sh 
@@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille umount [option(s)] TARGET JAIL_PATH" diff --git a/usr/local/share/bastille/update.sh b/usr/local/share/bastille/update.sh index 1a387b36..a5665b78 100644 --- a/usr/local/share/bastille/update.sh +++ b/usr/local/share/bastille/update.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille update [option(s)] TARGET" diff --git a/usr/local/share/bastille/upgrade.sh b/usr/local/share/bastille/upgrade.sh index 5d92d181..eb2b7e0a 100644 --- a/usr/local/share/bastille/upgrade.sh +++ b/usr/local/share/bastille/upgrade.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille upgrade [option(s)] TARGET [NEWRELEASE|install]" diff --git a/usr/local/share/bastille/verify.sh b/usr/local/share/bastille/verify.sh index b82b5d93..7309883d 100644 --- a/usr/local/share/bastille/verify.sh +++ b/usr/local/share/bastille/verify.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille verify [RELEASE|TEMPLATE]" diff --git a/usr/local/share/bastille/zfs.sh b/usr/local/share/bastille/zfs.sh index 8ffef062..8d1e6cc2 100644 --- a/usr/local/share/bastille/zfs.sh +++ b/usr/local/share/bastille/zfs.sh 
@@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf +load_config usage() { error_notify "Usage: bastille zfs TARGET [set|get|snap|destroy_snap|df|usage] [key=value|date]" From b09ee860372143c888c132827ef0bca28681b9c4 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 18:51:17 -0700 Subject: [PATCH 32/96] Fix shellcheck --- usr/local/share/bastille/common.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 763b0d17..ddc00a91 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -46,6 +46,7 @@ bastille_root_check() { load_config() { _user="$(id -un)" if [ "${_user}" != "root" ] && [ -r "/usr/local/etc/bastille/bastille_${_user}.conf" ]; then + # shellcheck disable=SC1090 . /usr/local/etc/bastille/bastille_${_user}.conf else . /usr/local/etc/bastille/bastille.conf From b5611e9196eba458c7736210110aee4af77b15e3 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 20:03:03 -0700 Subject: [PATCH 33/96] common: Load config as variable --- usr/local/share/bastille/common.sh | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index ddc00a91..262e6ecf 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh 
@@ -44,13 +44,8 @@ bastille_root_check() { } load_config() { - _user="$(id -un)" - if [ "${_user}" != "root" ] && [ -r "/usr/local/etc/bastille/bastille_${_user}.conf" ]; then - # shellcheck disable=SC1090 - . /usr/local/etc/bastille/bastille_${_user}.conf - else - . /usr/local/etc/bastille/bastille.conf - fi + # shellcheck disable=SC1090 + . ${BASTILLE_CONFIG} } # Load configuration file From fab14ffe7c72dae03544ed7e53dacce33e66a857 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 21:14:56 -0700 Subject: [PATCH 34/96] bastille: Allow setting config file --- usr/local/bin/bastille | 61 +++++++++++++++++++++++++++++------------- 1 file changed, 43 insertions(+), 18 deletions(-) diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index d347952c..9be4f78f 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -31,6 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. PATH=${PATH}:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin +. /usr/local/share/bastille/common.sh ## check for config existence bastille_conf_check() { @@ -54,12 +55,6 @@ bastille_conf_check() { fi } -bastille_conf_check - -## we only load this if conf_check passes -. /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf - ## bastille_prefix should be 0750 ## this restricts file system access to privileged users bastille_perms_check() { @@ -72,11 +67,6 @@ bastille_perms_check() { fi } -bastille_perms_check - -## version -BASTILLE_VERSION="0.13.20250126" - usage() { cat << EOF Bastille is an open-source system for automating deployment and management of 
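Review bot: `. ${BASTILLE_CONFIG}` is unquoted and has no fallback, so when common.sh is sourced by anything other than the `bastille` wrapper that exports the variable (a subcommand script run directly, a test harness), the shell executes a bare `.` and fails with an unhelpful message; `. "${BASTILLE_CONFIG:?BASTILLE_CONFIG is not set}"` states the cause and also survives a path containing spaces. A one-line comment above the function saying that the wrapper is expected to export BASTILLE_CONFIG before this file is sourced would help the next reader understand the dependency.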
@@ -131,6 +121,48 @@ EOF exit 1 } +bastille_conf_check +bastille_perms_check + +BASTILLE_VERSION="0.13.20250126" + +# Handle options +while [ "$#" -gt 0 ]; do + case "${1}" in + -h|--help|help) + usage + ;; + version|-v|--version) + info "${BASTILLE_VERSION}" + exit 0 + ;; + -c|--config) + BASTILLE_CONFIG="${2}" + if [ -r "${BASTILLE_CONFIG}" ]; then + info "Using custom config: ${BASTILLE_CONFIG}" + elif [ -r "/usr/local/etc/bastille/${BASTILLE_CONFIG}" ]; then + BASTILLE_CONFIG="/usr/local/etc/bastille/${BASTILLE_CONFIG}" + info "Using custom config: ${BASTILLE_CONFIG}" + else + error_exit "Not a valid config file: ${BASTILLE_CONFIG}" + fi + shift 2 + ;; + -*) + for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do + case ${_opt} in + x) enable_debug ;; + a) AUTO=1 ;; + *) error_exit "Unknown Option: \"${1}\"" ;; + esac + done + shift + ;; + *) + break + ;; + esac +done if [ "$#" -lt 1 ]; then usage else @@ -140,13 +172,6 @@ fi # Handle special-case commands first. case "${CMD}" in - version|-v|--version) - info "${BASTILLE_VERSION}" - exit 0 - ;; - help|-h|--help) - usage - ;; bootstrap| \ clone| \ cmd| \ From efcfe7c2b09a718dcd29b637c6d946cd013b1f6d Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 21:21:18 -0700 Subject: [PATCH 35/96] bastille: export BASTILLE_CONFIG --- usr/local/bin/bastille | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index 9be4f78f..7024050f 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -116,6 +116,7 @@ Available Commands: Use "bastille -v|--version" for version information. Use "bastille command -h|--help" for more information about a command. +Use "bastille -c|--config command" to slecify a non-defaukt config file. EOF exit 1 
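Review bot: `-c|--config` given as the last argument sets `BASTILLE_CONFIG` to an empty string; `[ -r "" ]` fails but `[ -r "/usr/local/etc/bastille/" ]` succeeds because `-r` is true for a readable directory, so the directory is accepted as the config and the following `shift 2` runs with only one argument left, which is a fatal error in POSIX sh. Guard the argument and require a regular file: `[ -n "${2}" ] || error_exit "-c|--config requires a file"` and `if [ -f "${BASTILLE_CONFIG}" ] && [ -r "${BASTILLE_CONFIG}" ]; then`, with the same test on the `/usr/local/etc/bastille/` form. Since the chosen file is later sourced as shell by load_config in common.sh (outside this hunk), `-c` is effectively "execute this file"; that is fine for root, but any sudo/doas rule that grants `bastille` to operators should be reviewed with that in mind.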
@@ -125,6 +126,8 @@ bastille_conf_check bastille_perms_check BASTILLE_VERSION="0.13.20250126" +BASTILLE_CONFIG=/usr/local/etc/bastille/bastille.conf +export BASTILLE_CONFIG # Handle options while [ "$#" -gt 0 ]; do @@ -140,9 +143,11 @@ while [ "$#" -gt 0 ]; do BASTILLE_CONFIG="${2}" if [ -r "${BASTILLE_CONFIG}" ]; then info "Using custom config: ${BASTILLE_CONFIG}" + export BASTILLE_CONFIG elif [ -r "/usr/local/etc/bastille/${BASTILLE_CONFIG}" ]; then BASTILLE_CONFIG="/usr/local/etc/bastille/${BASTILLE_CONFIG}" info "Using custom config: ${BASTILLE_CONFIG}" + export BASTILLE_CONFIG else error_exit "Not a valid config file: ${BASTILLE_CONFIG}" fi From 3dd3956a88857317e5d0e258a4e29bf38eaff62c Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 21:33:54 -0700 Subject: [PATCH 36/96] bastille: Export only if env not set --- usr/local/bin/bastille | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index 7024050f..ce42753a 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -116,7 +116,7 @@ Available Commands: Use "bastille -v|--version" for version information. Use "bastille command -h|--help" for more information about a command. -Use "bastille -c|--config command" to slecify a non-defaukt config file. +Use "bastille -c|--config command" to specify a non-defaukt config file. EOF exit 1 @@ -126,8 +126,10 @@ bastille_conf_check bastille_perms_check BASTILLE_VERSION="0.13.20250126" -BASTILLE_CONFIG=/usr/local/etc/bastille/bastille.conf -export BASTILLE_CONFIG +if [ -z "${BASTILLE_CONFIG}" ]; then + BASTILLE_CONFIG=/usr/local/etc/bastille/bastille.conf + export BASTILLE_CONFIG +fi # Handle options while [ "$#" -gt 0 ]; do From 58cb2ccdf769ec72eb4151f9ec8e5dbcdfc584d8 Mon Sep 17 00:00:00 2001 
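Review bot: The corrected usage line still misspells `defaukt` and omits the argument that `-c` consumes, so a reader cannot tell that a file name must follow the flag; suggest `Use "bastille -c|--config FILE command" to specify a non-default config file.` The option loop that actually parses `-c` lies outside this hunk.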
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 21:38:13 -0700 Subject: [PATCH 37/96] Load config after setting BASTILLE_CONFIG --- usr/local/bin/bastille | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index ce42753a..ae0da199 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. PATH=${PATH}:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin -. /usr/local/share/bastille/common.sh ## check for config existence bastille_conf_check() { @@ -131,6 +130,9 @@ if [ -z "${BASTILLE_CONFIG}" ]; then export BASTILLE_CONFIG fi +# Load common.sh after setting BASTILLE_CONFIG +. /usr/local/share/bastille/common.sh + # Handle options while [ "$#" -gt 0 ]; do case "${1}" in From 9c1fa6eb91c8ebb16ae659ab890164dfaa5abc35 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 22:00:06 -0700 Subject: [PATCH 38/96] bastille: Load config if set in ENV --- usr/local/bin/bastille | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index ae0da199..228b9eaf 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille 
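Review bot: common.sh is now sourced after `bastille_conf_check` and `bastille_perms_check` have already run (they are called a few lines above this hunk; their bodies are outside it), so if either of them uses `error_exit`, `info` or `enable_color` from common.sh, that call now hits an undefined function and the check aborts with a shell error instead of its intended message. If that is the case, either keep those two checks self-contained with `echo "..." >&2; exit 1`, or source common.sh first and defer only `load_config` until BASTILLE_CONFIG is known. A comment on the new `.` line explaining the ordering — `# common.sh runs load_config on source, so BASTILLE_CONFIG must be set first` — would stop a later cleanup from moving it back up.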
@@ -128,7 +128,16 @@ BASTILLE_VERSION="0.13.20250126"
 if [ -z "${BASTILLE_CONFIG}" ]; then
 BASTILLE_CONFIG=/usr/local/etc/bastille/bastille.conf
 export BASTILLE_CONFIG
-fi
+elif [ -r "${BASTILLE_CONFIG}" ]; then
+ info "Using custom config: ${BASTILLE_CONFIG}"
+ export BASTILLE_CONFIG
+elif [ -r "/usr/local/etc/bastille/${BASTILLE_CONFIG}" ]; then
+ BASTILLE_CONFIG="/usr/local/etc/bastille/${BASTILLE_CONFIG}"
+ info "Using custom config: ${BASTILLE_CONFIG}"
+ export BASTILLE_CONFIG
+else
+ error_exit "Not a valid config file: ${BASTILLE_CONFIG}"
+fi
 # Load common.sh after setting BASTILLE_CONFIG
 . /usr/local/share/bastille/common.sh
From 4a1fb4bf89f9f6f895f28e490949f41e1e5ab06f Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Sat, 1 Mar 2025 22:02:01 -0700
Subject: [PATCH 39/96] bastille: Exit instead of info
---
 usr/local/bin/bastille | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille
index 228b9eaf..f5afeda9 100755
--- a/usr/local/bin/bastille
+++ b/usr/local/bin/bastille
@@ -129,14 +129,13 @@ if [ -z "${BASTILLE_CONFIG}" ]; then
 BASTILLE_CONFIG=/usr/local/etc/bastille/bastille.conf
 export BASTILLE_CONFIG
 elif [ -r "${BASTILLE_CONFIG}" ]; then
- info "Using custom config: ${BASTILLE_CONFIG}"
 export BASTILLE_CONFIG
 elif [ -r "/usr/local/etc/bastille/${BASTILLE_CONFIG}" ]; then
 BASTILLE_CONFIG="/usr/local/etc/bastille/${BASTILLE_CONFIG}"
- info "Using custom config: ${BASTILLE_CONFIG}"
 export BASTILLE_CONFIG
 else
- error_exit "Not a valid config file: ${BASTILLE_CONFIG}"
+ echo "Not a valid config file: ${BASTILLE_CONFIG}"
+ exit 1
 fi
 # Load common.sh after setting BASTILLE_CONFIG
From 454288b2b13d7746cec8d006029b54562503ef2d Mon Sep 17 00:00:00 2001
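Review bot: The replacement failure message `echo "Not a valid config file: ${BASTILLE_CONFIG}"` is written to stdout; since it stands in for `error_exit` (not yet available because common.sh is sourced afterwards), send it to stderr: `echo "Not a valid config file: ${BASTILLE_CONFIG}" >&2`. Dropping both `info` lines also removes the only visible trace that a non-default config was taken from the environment; an `info` emitted after common.sh is loaded, guarded by the path differing from the default, would keep that visibility for operators. The `-r` tests on both `elif` arms still accept directories and device nodes; `[ -f ... ]` is the stronger check before the path is sourced.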
From: tschettervictor Date: Sun, 2 Mar 2025 11:23:35 -0700 Subject: [PATCH 40/96] bastille: Load config only from commons.sh Since all files source common.sh anyway, we don't want to source the config twice. --- usr/local/bin/bastille | 11 ++++++----- usr/local/share/bastille/bootstrap.sh | 1 - usr/local/share/bastille/clone.sh | 1 - usr/local/share/bastille/cmd.sh | 1 - usr/local/share/bastille/common.sh | 13 +++++-------- usr/local/share/bastille/config.sh | 2 +- usr/local/share/bastille/console.sh | 1 - usr/local/share/bastille/convert.sh | 1 - usr/local/share/bastille/cp.sh | 1 - usr/local/share/bastille/create.sh | 1 - usr/local/share/bastille/destroy.sh | 1 - usr/local/share/bastille/edit.sh | 1 - usr/local/share/bastille/etcupdate.sh | 1 - usr/local/share/bastille/export.sh | 1 - usr/local/share/bastille/htop.sh | 1 - usr/local/share/bastille/import.sh | 1 - usr/local/share/bastille/jcp.sh | 1 - usr/local/share/bastille/limits.sh | 1 - usr/local/share/bastille/list.sh | 1 - usr/local/share/bastille/mount.sh | 1 - usr/local/share/bastille/pkg.sh | 1 - usr/local/share/bastille/rcp.sh | 1 - usr/local/share/bastille/rdr.sh | 1 - usr/local/share/bastille/rename.sh | 1 - usr/local/share/bastille/service.sh | 1 - usr/local/share/bastille/setup.sh | 1 - usr/local/share/bastille/start.sh | 1 - usr/local/share/bastille/stop.sh | 1 - usr/local/share/bastille/sysrc.sh | 1 - usr/local/share/bastille/tags.sh | 1 - usr/local/share/bastille/template.sh | 1 - usr/local/share/bastille/top.sh | 1 - usr/local/share/bastille/umount.sh | 1 - usr/local/share/bastille/update.sh | 1 - usr/local/share/bastille/upgrade.sh | 1 - usr/local/share/bastille/verify.sh | 1 - usr/local/share/bastille/zfs.sh | 1 - 37 files changed, 12 insertions(+), 48 deletions(-) diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index f5afeda9..5f6fab92 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille 
@@ -32,6 +32,8 @@ PATH=${PATH}:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin +BASTILLE_VERSION="0.13.20250126" + ## check for config existence bastille_conf_check() { if [ ! -r "/usr/local/etc/bastille/bastille.conf" ]; then @@ -72,7 +74,7 @@ Bastille is an open-source system for automating deployment and management of containerized applications on FreeBSD. Usage: - bastille command TARGET [args] + bastille command [option(s)] TARGET [args] Available Commands: bootstrap Bootstrap a FreeBSD release for container base. @@ -113,9 +115,9 @@ Available Commands: verify Compare release against a "known good" index. zfs Manage (get|set) ZFS attributes on targeted container(s). -Use "bastille -v|--version" for version information. -Use "bastille command -h|--help" for more information about a command. -Use "bastille -c|--config command" to specify a non-defaukt config file. +Use "bastille [-v|--version]" for version information. +Use "bastille command [-h|--help]" for more information about a command. +Use "bastille [-c|--config config.conf] command" to specify a non-default config file. EOF exit 1 @@ -124,7 +126,6 @@ EOF bastille_conf_check bastille_perms_check -BASTILLE_VERSION="0.13.20250126" if [ -z "${BASTILLE_CONFIG}" ]; then BASTILLE_CONFIG=/usr/local/etc/bastille/bastille.conf export BASTILLE_CONFIG diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index c7d97dbc..d4336da8 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille bootstrap [option(s)] [RELEASE|TEMPLATE] [update|arch]" diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index 74a88b78..64eb0d23 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh 
@@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille clone [option(s)] TARGET NEW_NAME IP_ADDRESS" diff --git a/usr/local/share/bastille/cmd.sh b/usr/local/share/bastille/cmd.sh index cca0082e..21fe6722 100644 --- a/usr/local/share/bastille/cmd.sh +++ b/usr/local/share/bastille/cmd.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille cmd [option(s)] TARGET command" diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 262e6ecf..9cec63f9 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -30,6 +30,11 @@ # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# Load config. This only has to be done here +# becasue all commands load this file +# shellcheck disable=SC1090 +. ${BASTILLE_CONFIG} + COLOR_RED= COLOR_GREEN= COLOR_YELLOW= @@ -43,14 +48,6 @@ bastille_root_check() { fi } -load_config() { - # shellcheck disable=SC1090 - . ${BASTILLE_CONFIG} -} - -# Load configuration file -load_config - enable_color() { . /usr/local/share/bastille/colors.pre.sh } diff --git a/usr/local/share/bastille/config.sh b/usr/local/share/bastille/config.sh index 0323d470..b15a03fb 100644 --- a/usr/local/share/bastille/config.sh +++ b/usr/local/share/bastille/config.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config + usage() { error_notify "Usage: bastille config TARGET [get|set] PROPERTY_NAME NEW_VALUE" diff --git a/usr/local/share/bastille/console.sh b/usr/local/share/bastille/console.sh index 7b133287..cc66da6d 100644 --- a/usr/local/share/bastille/console.sh 
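Review bot: The new top-level `. ${BASTILLE_CONFIG}` in common.sh is unquoted and unguarded, so a script that sources common.sh without going through `bastille` (or with `BASTILLE_CONFIG` empty) runs `.` with no operand, and a path containing whitespace is word-split before sourcing. Fail early with a clear message and quote the path: `: "${BASTILLE_CONFIG:?BASTILLE_CONFIG must be set}"` followed by `. "${BASTILLE_CONFIG}"`. The `# shellcheck disable=SC1090` line remains appropriate for the quoted form. A short comment noting that the sourced file is executed as shell code, so it must be a root-controlled regular file, would document the trust placed in that path.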
+++ b/usr/local/share/bastille/console.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille console [option(s)] TARGET [user]" diff --git a/usr/local/share/bastille/convert.sh b/usr/local/share/bastille/convert.sh index 8b6d66fe..b7659638 100644 --- a/usr/local/share/bastille/convert.sh +++ b/usr/local/share/bastille/convert.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille convert [option(s)] TARGET" diff --git a/usr/local/share/bastille/cp.sh b/usr/local/share/bastille/cp.sh index c23a17e7..314cb239 100644 --- a/usr/local/share/bastille/cp.sh +++ b/usr/local/share/bastille/cp.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille cp [option(s)] TARGET HOST_PATH JAIL_PATH" diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 2f3783a5..cbea793b 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { # Build an independent usage for the create command diff --git a/usr/local/share/bastille/destroy.sh b/usr/local/share/bastille/destroy.sh index d590adf1..6c7902d7 100644 --- a/usr/local/share/bastille/destroy.sh +++ b/usr/local/share/bastille/destroy.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille destroy [option(s)] [JAIL|RELEASE]" 
diff --git a/usr/local/share/bastille/edit.sh b/usr/local/share/bastille/edit.sh index 0298da89..03ab215e 100644 --- a/usr/local/share/bastille/edit.sh +++ b/usr/local/share/bastille/edit.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille edit [option(s)] TARGET [filename]" diff --git a/usr/local/share/bastille/etcupdate.sh b/usr/local/share/bastille/etcupdate.sh index 4db33e7b..b3f08cbe 100644 --- a/usr/local/share/bastille/etcupdate.sh +++ b/usr/local/share/bastille/etcupdate.sh @@ -28,7 +28,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille etcupdate [option(s)] [bootstrap|TARGET] [diff|resolve|update RELEASE]" diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index 584f1e36..d1274798 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { # Build an independent usage for the export command diff --git a/usr/local/share/bastille/htop.sh b/usr/local/share/bastille/htop.sh index 1e0f796e..fe2607d0 100644 --- a/usr/local/share/bastille/htop.sh +++ b/usr/local/share/bastille/htop.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille htop [option(s)] TARGET" diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index ec55fbd4..15e4677a 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh 
@@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { # Build an independent usage for the import command diff --git a/usr/local/share/bastille/jcp.sh b/usr/local/share/bastille/jcp.sh index ac2aa490..391511cf 100644 --- a/usr/local/share/bastille/jcp.sh +++ b/usr/local/share/bastille/jcp.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille jcp [option(s)] SOURCE_JAIL JAIL_PATH DEST_JAIL JAIL_PATH" diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index b20b2a12..2d511987 100644 --- a/usr/local/share/bastille/limits.sh +++ b/usr/local/share/bastille/limits.sh @@ -32,7 +32,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille limits [option(s)] TARGET OPTION VALUE" diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index 3fd0dec5..01baf641 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille list [option(s)] [-j|-a] [RELEASE (-p)] [template] [JAIL|CONTAINER] [log] [limit] [import] [export] [backup]" diff --git a/usr/local/share/bastille/mount.sh b/usr/local/share/bastille/mount.sh index dd0e7bc0..d58664fe 100644 --- a/usr/local/share/bastille/mount.sh +++ b/usr/local/share/bastille/mount.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille mount [option(s)] TARGET HOST_PATH JAIL_PATH [filesystem_type options dump pass_number]" 
diff --git a/usr/local/share/bastille/pkg.sh b/usr/local/share/bastille/pkg.sh index fe4a000e..c51b9ea4 100644 --- a/usr/local/share/bastille/pkg.sh +++ b/usr/local/share/bastille/pkg.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille pkg [option(s)] TARGET COMMAND args" diff --git a/usr/local/share/bastille/rcp.sh b/usr/local/share/bastille/rcp.sh index 0c82b299..b6273ae7 100644 --- a/usr/local/share/bastille/rcp.sh +++ b/usr/local/share/bastille/rcp.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille rcp [option(s)] TARGET JAIL_PATH HOST_PATH" diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh index bc9c26b7..8edfe474 100644 --- a/usr/local/share/bastille/rdr.sh +++ b/usr/local/share/bastille/rdr.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille rdr [option(s)] TARGET [clear|reset|list|(tcp|udp)] HOST_PORT JAIL_PORT [log ['(' logopts ')'] ]" diff --git a/usr/local/share/bastille/rename.sh b/usr/local/share/bastille/rename.sh index 41600f75..00a2e541 100644 --- a/usr/local/share/bastille/rename.sh +++ b/usr/local/share/bastille/rename.sh @@ -29,7 +29,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille rename [option(s)] TARGET NEW_NAME" diff --git a/usr/local/share/bastille/service.sh b/usr/local/share/bastille/service.sh index 1bb7fc27..40551def 100644 --- a/usr/local/share/bastille/service.sh +++ b/usr/local/share/bastille/service.sh 
@@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille service [options(s)] TARGET SERVICE_NAME ACTION" diff --git a/usr/local/share/bastille/setup.sh b/usr/local/share/bastille/setup.sh index 726c08f8..71b9d1c0 100644 --- a/usr/local/share/bastille/setup.sh +++ b/usr/local/share/bastille/setup.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_exit "Usage: bastille setup [pf|network|zfs|vnet]" diff --git a/usr/local/share/bastille/start.sh b/usr/local/share/bastille/start.sh index 923b338b..bdb2cc91 100644 --- a/usr/local/share/bastille/start.sh +++ b/usr/local/share/bastille/start.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille start [option(s)] TARGET" diff --git a/usr/local/share/bastille/stop.sh b/usr/local/share/bastille/stop.sh index 0a921baf..8e8a1f2a 100644 --- a/usr/local/share/bastille/stop.sh +++ b/usr/local/share/bastille/stop.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille stop [option(s)] TARGET" diff --git a/usr/local/share/bastille/sysrc.sh b/usr/local/share/bastille/sysrc.sh index 3b5bbb19..de715e13 100644 --- a/usr/local/share/bastille/sysrc.sh +++ b/usr/local/share/bastille/sysrc.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille sysrc [option(s)] TARGET args" diff --git a/usr/local/share/bastille/tags.sh b/usr/local/share/bastille/tags.sh index 3bba6941..be0fc13a 100644 --- a/usr/local/share/bastille/tags.sh 
+++ b/usr/local/share/bastille/tags.sh @@ -32,7 +32,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille tags TARGET [add|delete|list] [tag1,tag2]" diff --git a/usr/local/share/bastille/template.sh b/usr/local/share/bastille/template.sh index 5c4de5ee..f8cad31e 100644 --- a/usr/local/share/bastille/template.sh +++ b/usr/local/share/bastille/template.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille template [option(s)] TARGET [--convert|project/template]" diff --git a/usr/local/share/bastille/top.sh b/usr/local/share/bastille/top.sh index 3883b126..9c767079 100644 --- a/usr/local/share/bastille/top.sh +++ b/usr/local/share/bastille/top.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille top [options(s)] TARGET" diff --git a/usr/local/share/bastille/umount.sh b/usr/local/share/bastille/umount.sh index 36a147cc..57c3081c 100644 --- a/usr/local/share/bastille/umount.sh +++ b/usr/local/share/bastille/umount.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille umount [option(s)] TARGET JAIL_PATH" diff --git a/usr/local/share/bastille/update.sh b/usr/local/share/bastille/update.sh index a5665b78..ba3ea52f 100644 --- a/usr/local/share/bastille/update.sh +++ b/usr/local/share/bastille/update.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille update [option(s)] TARGET" 
diff --git a/usr/local/share/bastille/upgrade.sh b/usr/local/share/bastille/upgrade.sh index eb2b7e0a..45088490 100644 --- a/usr/local/share/bastille/upgrade.sh +++ b/usr/local/share/bastille/upgrade.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille upgrade [option(s)] TARGET [NEWRELEASE|install]" diff --git a/usr/local/share/bastille/verify.sh b/usr/local/share/bastille/verify.sh index 7309883d..f1983902 100644 --- a/usr/local/share/bastille/verify.sh +++ b/usr/local/share/bastille/verify.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille verify [RELEASE|TEMPLATE]" diff --git a/usr/local/share/bastille/zfs.sh b/usr/local/share/bastille/zfs.sh index 8d1e6cc2..675cb0e1 100644 --- a/usr/local/share/bastille/zfs.sh +++ b/usr/local/share/bastille/zfs.sh @@ -31,7 +31,6 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh -load_config usage() { error_notify "Usage: bastille zfs TARGET [set|get|snap|destroy_snap|df|usage] [key=value|date]" From af2bf4b235c3ecdc9682be36dd498d691f2b8489 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 2 Mar 2025 12:53:13 -0700 Subject: [PATCH 41/96] bastille: version and help not optional --- usr/local/bin/bastille | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index 5f6fab92..c70721f8 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille 
@@ -115,8 +115,8 @@ Available Commands: verify Compare release against a "known good" index. zfs Manage (get|set) ZFS attributes on targeted container(s). -Use "bastille [-v|--version]" for version information. -Use "bastille command [-h|--help]" for more information about a command. +Use "bastille -v|--version" for version information. +Use "bastille command -h|--help" for more information about a command. Use "bastille [-c|--config config.conf] command" to specify a non-default config file. EOF From d1156cbb05b37ab6ca055e4e3f0319373be07f87 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 2 Mar 2025 13:19:26 -0700 Subject: [PATCH 42/96] common: typo and trailing whitespace --- usr/local/share/bastille/common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 9cec63f9..b0d5cf58 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -31,7 +31,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # Load config. This only has to be done here -# becasue all commands load this file +# because all commands load this file # shellcheck disable=SC1090 . ${BASTILLE_CONFIG} From e834b84dd62f4ce59d47ca76f32188efa5a47a4b Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 2 Mar 2025 13:20:14 -0700 Subject: [PATCH 43/96] Update bastille --- usr/local/bin/bastille | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index c70721f8..93691788 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille 
@@ -117,7 +117,7 @@ Available Commands: Use "bastille -v|--version" for version information. Use "bastille command -h|--help" for more information about a command. -Use "bastille [-c|--config config.conf] command" to specify a non-default config file. +Use "bastille [-c|--config FILE] command" to specify a non-default config file. EOF exit 1 From 1c184840eaebe32fcf8183bb37078eacefebcf12 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 2 Mar 2025 16:10:46 -0700 Subject: [PATCH 44/96] docs: Spacing fix --- docs/chapters/gettingstarted.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/gettingstarted.rst b/docs/chapters/gettingstarted.rst index 6a5d053c..2d776fac 100644 --- a/docs/chapters/gettingstarted.rst +++ b/docs/chapters/gettingstarted.rst @@ -1,4 +1,3 @@ -=============== Getting Started =============== From d489ffad67e15292b2d12a702b4a5a7778ba2565 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 2 Mar 2025 16:28:11 -0700 Subject: [PATCH 45/96] docs: Add configuration and document custom config --- docs/chapters/configuration.rst | 106 ++++++++++++++++++++++++++++++++ 1 file changed, 106 insertions(+) create mode 100644 docs/chapters/configuration.rst diff --git a/docs/chapters/configuration.rst b/docs/chapters/configuration.rst new file mode 100644 index 00000000..d9bcd0f9 --- /dev/null +++ b/docs/chapters/configuration.rst 
@@ -0,0 +1,106 @@ +Configuration +============= + +Bastille is configured using a default config file located at `/usr/local/etc/bastille/bastille.conf`. When first installing +bastille, you will be asked if you want to copy the sample config file to this location. The default are sensible for UFS, but +if you want to use ZFS, you will have to change a few options. See the chapter on ZFS Support. + +This is the default `bastille.conf` file. + +.. code-block:: shell + + ##################### + ## [ BastilleBSD ] ## + ##################### + + ## default paths + bastille_prefix="/usr/local/bastille" ## default: "/usr/local/bastille" + bastille_backupsdir="${bastille_prefix}/backups" ## default: "${bastille_prefix}/backups" + bastille_cachedir="${bastille_prefix}/cache" ## default: "${bastille_prefix}/cache" + bastille_jailsdir="${bastille_prefix}/jails" ## default: "${bastille_prefix}/jails" + bastille_releasesdir="${bastille_prefix}/releases" ## default: "${bastille_prefix}/releases" + bastille_templatesdir="${bastille_prefix}/templates" ## default: "${bastille_prefix}/templates" + bastille_logsdir="/var/log/bastille" ## default: "/var/log/bastille" + + ## pf configuration path + bastille_pf_conf="/etc/pf.conf" ## default: "/etc/pf.conf" + + ## bastille scripts directory (assumed by bastille pkg) + bastille_sharedir="/usr/local/share/bastille" ## default: "/usr/local/share/bastille" + + ## bootstrap archives, which components of the OS to install. 
+ ## base - The base OS, kernel + userland + ## lib32 - Libraries for compatibility with 32 bit binaries + ## ports - The FreeBSD ports (3rd party applications) tree + ## src - The source code to the kernel + userland + ## test - The FreeBSD test suite + ## this is a whitespace separated list: + ## bastille_bootstrap_archives="base lib32 ports src test" + bastille_bootstrap_archives="base" ## default: "base" + + ## default timezone + bastille_tzdata="" ## default: empty to use host's time zone + + ## default jail resolv.conf + bastille_resolv_conf="/etc/resolv.conf" ## default: "/etc/resolv.conf" + + ## bootstrap urls + bastille_url_freebsd="http://ftp.freebsd.org/pub/FreeBSD/releases/" ## default: "http://ftp.freebsd.org/pub/FreeBSD/releases/" + bastille_url_hardenedbsd="https://installers.hardenedbsd.org/pub/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/" + bastille_url_midnightbsd="https://www.midnightbsd.org/ftp/MidnightBSD/releases/" ## default: "https://www.midnightbsd.org/pub/MidnightBSD/releases/" + + ## ZFS options + bastille_zfs_enable="NO" ## default: "NO" + bastille_zfs_zpool="" ## default: "" + bastille_zfs_prefix="bastille" ## default: "bastille" + bastille_zfs_options="-o compress=lz4 -o atime=off" ## default: "-o compress=lz4 -o atime=off" + + ## Export/Import options + bastille_compress_xz_options="-0 -v" ## default "-0 -v" + bastille_decompress_xz_options="-c -d -v" ## default "-c -d -v" + bastille_compress_gz_options="-1 -v" ## default "-1 -v" + bastille_decompress_gz_options="-k -d -c -v" ## default "-k -d -c -v" + bastille_export_options="" ## default "" predefined export options, e.g. 
"--safe --gz" + + ## Networking + bastille_network_loopback="bastille0" ## default: "bastille0" + bastille_network_pf_ext_if="ext_if" ## default: "ext_if" + bastille_network_pf_table="jails" ## default: "jails" + bastille_network_shared="" ## default: "" + bastille_network_gateway="" ## default: "" + bastille_network_gateway6="" ## default: "" + + ## Default Templates + bastille_template_base="default/base" ## default: "default/base" + bastille_template_empty="" ## default: "default/empty" + bastille_template_thick="default/thick" ## default: "default/thick" + bastille_template_clone="default/clone" ## default: "default/clone" + bastille_template_thin="default/thin" ## default: "default/thin" + bastille_template_vnet="default/vnet" ## default: "default/vnet" + +Notes +----- + +The options here are fairly self explanitory, but there are some things to note. + +* If you use ZFS, DO NOT create the bastille dataset. Bastille expects to do this, and you will have issues if you try. All you need to do is create the parent. So if you want bastille to live at `zroot/data/bastille` you should set `bastille_zfs_zpool` to `zroot` and `bastille_zfs_prefix` to `data/bastille` but you should only create `zroot/data` before running bastille for the first time. + +* Bastille will mount the dataset it creates at `bastille_prefix` which defaults to `/usr/local/bastille`. So if you want to navigate to your jails, you will use the `bastille_prefix` as the location because this is where the will be mounted. + +Custom Configuration +-------------------- + +Bastille now supports using a custom config in addition to the default one. This is nice if you have multiple users, or want to store different +jails at different locations based on your needs. + +Simply copy the default config file and edit it according to your new environment or user. Then, it can be used in a couple of ways. + +1. 
Run Bastille using `bastille --config /path/to/config.conf bootstrap 14.2-RELEASE` to bootstrap the release using the new config. + +2. As a specific user, export the `BASTILLE_CONFIG` variable using `export BASTILLE_CONFIG=/path/to/config.conf`. This config will then always be used when running Bastille with that user. See notes below... + +- Exporting the `BASTILLE_CONFIG` variable will only export it for the current session. If you want to persist the export, see documentation for the shell that you use. + +- If you use sudo, you will need to run it with `sudo -E bastille bootstrap...` to preserve your users environment. This can also be persisted by editing the sudoers file. + +- If you do set the `BASTILLE_CONFIG` variable, you do not need to specify the config file when running Bastille as that specified user. From b273540e05458c3b0dc68d3246eb21d131e0155c Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 2 Mar 2025 16:28:57 -0700 Subject: [PATCH 46/96] docs: Add configuration to index tree --- docs/index.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/index.rst b/docs/index.rst index ff3d0103..b0aaff65 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -13,6 +13,7 @@ https://docs.bastillebsd.org. chapters/installation chapters/gettingstarted + chapters/configuration chapters/upgrading chapters/networking chapters/usage From fa187baf8c811ca89d0ba776040255851638e68c Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 3 Mar 2025 08:19:01 -0700 Subject: [PATCH 47/96] docs: Fix wording on configuration --- docs/chapters/configuration.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/chapters/configuration.rst b/docs/chapters/configuration.rst index d9bcd0f9..1ae65cf5 100644 --- a/docs/chapters/configuration.rst +++ b/docs/chapters/configuration.rst 
@@ -83,7 +83,7 @@ Notes The options here are fairly self explanitory, but there are some things to note. -* If you use ZFS, DO NOT create the bastille dataset. Bastille expects to do this, and you will have issues if you try. All you need to do is create the parent. So if you want bastille to live at `zroot/data/bastille` you should set `bastille_zfs_zpool` to `zroot` and `bastille_zfs_prefix` to `data/bastille` but you should only create `zroot/data` before running bastille for the first time. +* If you use ZFS, DO NOT create the bastille dataset. You must only create the parent. Bastille must be allowed to create the `bastille` child dataset, or you will have issues. So, if you want bastille to live at `zroot/data/bastille` you should set `bastille_zfs_zpool` to `zroot` and `bastille_zfs_prefix` to `data/bastille` but you should only create `zroot/data` before running bastille for the first time. * Bastille will mount the dataset it creates at `bastille_prefix` which defaults to `/usr/local/bastille`. So if you want to navigate to your jails, you will use the `bastille_prefix` as the location because this is where the will be mounted. From 2ef9f9547729770373f5243308839df985b2d06e Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 3 Mar 2025 14:58:51 -0700 Subject: [PATCH 48/96] clone: Allow to clone with VLANs --- usr/local/share/bastille/clone.sh | 44 ++++++++++++++++++++++++------- 1 file changed, 35 insertions(+), 9 deletions(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index 617a3994..7466a786 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh 
@@ -230,15 +230,28 @@ update_jailconf_vnet() { sed -i '' "/${_new_host_epair}/ s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}" # Update /etc/rc.conf local _jail_vnet="$(grep ${_target_jail_epair} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")" + local _jail_vnet_vlan="$(grep "vlans_${_jail_vnet}" "${_rc_conf}" | sed 's/.*=//g')" sed -i '' "s|${_target_jail_epair}_name|${_new_jail_epair}_name|" "${_rc_conf}" if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then - if [ "${IP}" = "0.0.0.0" ]; then - sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP" + if [ -n "${_jail_vnet_vlan}" ]; then + if [ "${IP}" = "0.0.0.0" ] || [ "${IP}" = "DHCP" ]; then + sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="SYNCDHCP" + else + sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="inet ${IP}" + fi else - sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP}" + if [ "${IP}" = "0.0.0.0" ] || [ "${IP}" = "DHCP" ]; then + sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP" + else + sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP}" + fi fi else - sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP" + if [ -n "${_jail_vnet_vlan}" ]; then + sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_${_jail_vnet_vlan}="SYNCDHCP" + else + sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP" + fi fi break fi @@ -249,7 +262,8 @@ update_jailconf_vnet() { if ! grep -oq "bastille${_num}" ${bastille_jailsdir}/*/jail.conf; then # Update jail.conf epair name local uniq_epair="bastille${_num}" - local _if_vnet="$(grep ${_if} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")" + local _jail_vnet="$(grep ${_if} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")" + local _jail_vnet_vlan="$(grep "vlans_${_jail_vnet}" "${_rc_conf}" | sed 's/.*=//g')" sed -i '' "s|${_if}|${uniq_epair}|g" "${_jail_conf}" # If jail had a static MAC, generate one for clone if grep ether ${_jail_conf} | grep -qoc ${uniq_epair}; then 
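Review bot: `_jail_vnet_vlan` is derived with `grep "vlans_${_jail_vnet}" | sed 's/.*=//g'`, which keeps whatever quoting rc.conf uses around the value (sysrc writes `vlans_vnet0="100"`), so the later `ifconfig_vnet0_${_jail_vnet_vlan}=` expansion carries literal quote characters into the variable name, and once `vlans_*` holds several IDs the unquoted expansion also splits into separate arguments. Reading the value through sysrc avoids both: `local _jail_vnet_vlan="$(sysrc -f "${_rc_conf}" -n "vlans_${_jail_vnet}" 2>/dev/null)"`, followed by a `for _vlan in ${_jail_vnet_vlan}` loop that writes one `ifconfig_<vnet>_<vlan>` entry per ID. The same extraction is repeated in the `@@ -249,7 +262,8 @@` hunk and in the `@@ -262,13 +276,25 @@` hunk of this patch. `update_jailconf_vnet()` begins and ends outside these hunks.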
@@ -262,13 +276,25 @@ update_jailconf_vnet() { # Update /etc/rc.conf sed -i '' "s|ifconfig_e0b_${_if}_name|ifconfig_e0b_${uniq_epair}_name|" "${_rc_conf}" if grep "vnet0" "${_rc_conf}" | grep -q ${uniq_epair}; then - if [ "${IP}" = "0.0.0.0" ]; then - sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP" + if [ -n "${_jail_vnet_vlan}" ]; then + if [ "${IP}" = "0.0.0.0" ] || [ "${IP}" = "DHCP" ]; then + sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="SYNCDHCP" + else + sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="inet ${IP}" + fi else - sysrc -f "${_rc_conf}" ifconfig_vnet0=" inet ${IP} " + if [ "${IP}" = "0.0.0.0" ] || [ "${IP}" = "DHCP" ]; then + sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP" + else + sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP}" + fi fi else - sysrc -f "${_rc_conf}" ifconfig_${_if_vnet}="SYNCDHCP" + if [ -n "${_jail_vnet_vlan}" ]; then + sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_${_jail_vnet_vlan}="SYNCDHCP" + else + sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP" + fi fi break fi From 6520be4834c982a7899aeef2987973e80ecfca76 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 3 Mar 2025 15:09:08 -0700 Subject: [PATCH 49/96] network: Allow VLANs when adding VNET interfaces --- usr/local/share/bastille/network.sh | 63 +++++++++++++++++++---------- 1 file changed, 42 insertions(+), 21 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index bcf5a971..6e4d2686 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh 
@@ -36,12 +36,13 @@ usage() { cat << EOF Options: - -a | --auto Start/stop the jail(s) if required. - -b | --bridge Add a bridged VNET interface to an existing jail. - -c | --classic Add an interface to a classic (non-VNET) jail. - -m | --static-mac Generate a static MAC address for the interface. - -v | --vnet Add a VNET interface to an existing jail. - -x | --debug Enable debug mode. + -a | --auto Start/stop the jail(s) if required. + -B | --bridge Add a bridged VNET interface to an existing jail. + -C | --classic Add an interface to a classic (non-VNET) jail. + -M | --static-mac Generate a static MAC address for the interface. + -V | --vnet Add a VNET interface to an existing jail. + -v | --vlan VLANID Add interface with specified VLAN ID (VNET only). + -x | --debug Enable debug mode. EOF exit 1 @@ -53,31 +54,40 @@ BRIDGE_VNET_JAIL=0 CLASSIC_JAIL=0 STATIC_MAC=0 VNET_JAIL=0 +VLAN_ID="" while [ "$#" -gt 0 ]; do case "${1}" in -h|--help|help) usage ;; - -b|-B|--bridge) - BRIDGE_VNET_JAIL=1 - shift - ;; - -c|--classic) - CLASSIC_JAIL=1 - shift - ;; - -a|--auto) + -a|--auto) AUTO=1 shift ;; - -m|-M|--static-mac) + -B|--bridge) + BRIDGE_VNET_JAIL=1 + shift + ;; + -C|--classic) + CLASSIC_JAIL=1 + shift + ;; + -M|--static-mac) STATIC_MAC=1 shift ;; - -v|-V|--vnet) + -V|--vnet) VNET_JAIL=1 shift ;; + -v|--vlan) + if echo "${2}" | grep -Eq '^[0-9]+$'; then + VLAN_ID="${2}" + else + error_exit "Not a valid VLAN ID: ${2}" + fi + shift 2 + ;; -x|--debug) enable_debug shift @@ -86,10 +96,10 @@ while [ "$#" -gt 0 ]; do for _o in $(echo ${1} 2>/dev/null | sed 's/-//g' | fold -w1); do case ${_o} in a) AUTO=1 ;; - b|B) BRIDGE_VNET_JAIL=1 ;; - c) CLASSIC_JAIL=1 ;; - m|M) STATIC_MAC=1 ;; - v|V) VNET_JAIL=1 ;; + B) BRIDGE_VNET_JAIL=1 ;; + C) CLASSIC_JAIL=1 ;; + M) STATIC_MAC=1 ;; + V) VNET_JAIL=1 ;; x) enable_debug ;; *) error_exit "Unknown Option: \"${1}\"" ;; esac 
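Review bot: The `-v|--vlan` branch in the `@@ -53,31 +54,40 @@` hunk accepts any run of digits as a VLAN ID, so `0`, `4095` or `99999` pass the check and only fail later when rc.conf is applied inside the jail. Tightening the test keeps the failure at parse time: `if echo "${2}" | grep -Eq '^[0-9]+$' && [ "${2}" -ge 1 ] && [ "${2}" -le 4094 ]; then`. Note also that this patch repurposes `-v` from `--vnet` to `--vlan` (and drops `-b`/`-c`/`-m`), so an existing `bastille network -v` invocation now fails with "Not a valid VLAN ID"; that deserves a line in the commit message or usage text.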
@@ -116,6 +126,9 @@ if [ "${ACTION}" = "add" ]; then elif [ "${VNET_JAIL}" -eq 0 ] && [ "${BRIDGE_VNET_JAIL}" -eq 0 ] && [ "${CLASSIC_JAIL}" -eq 0 ]; then error_notify "Error: [-c|--classic], [-b|-B|--bridge] or [-v|-V|--vnet] must be set." usage + elif [ "${VNET_JAIL}" -eq 0 ] && [ "${BRIDGE_VNET_JAIL}" -eq 0 ] && [ "${VLAN_ID}" -eq 1 ]; then + error_notify "VLANs can only be used with VNET interfaces." + usage fi fi @@ -263,6 +276,10 @@ EOF sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}=" inet ${_ip} " fi + if [ -n "${VLAN_ID}" ]; then + bastille template "${_jailname}" ${bastille_template_vlan} --arg VLANID="${VLAN_ID}" --arg IFCONFIG="inet ${_ip}" + fi + info "[${_jailname}]:" echo "Added interface: \"${_if}\"" @@ -308,6 +325,10 @@ EOF sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}=" inet ${_ip} " fi + if [ -n "${VLAN_ID}" ]; then + bastille template "${_jailname}" ${bastille_template_vlan} --arg VLANID="${VLAN_ID}" --arg IFCONFIG="inet ${_ip}" + fi + info "[${_jailname}]:" echo "Added VNET interface: \"${_if}\"" From 7d5955fd8c19a718bfb15cad9b8c4d3349208544 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 3 Mar 2025 16:24:02 -0700 Subject: [PATCH 50/96] docs: Add config option to readme --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index ca2d2d38..5c44667e 100644 --- a/README.md +++ b/README.md @@ -95,6 +95,7 @@ Available Commands: Use "bastille -v|--version" for version information. Use "bastille command -h|--help" for more information about a command. +Use "bastille [-c|--config FILE] command" to specify a non-default config file. ``` From 3fd1b01831bca0584664069250f9d4672b15fa07 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 3 Mar 2025 16:24:41 -0700 Subject: [PATCH 51/96] docs: Add config to usage page --- docs/chapters/usage.rst | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
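Review bot: The new `elif` tests `[ "${VLAN_ID}" -eq 1 ]`, but `VLAN_ID` is the empty string by default and a VLAN number otherwise, so the test either prints an "integer expression expected" error and evaluates false, or fires only for VLAN 1; the intended guard never runs for the common case. It should be a non-empty check: `elif [ "${VNET_JAIL}" -eq 0 ] && [ "${BRIDGE_VNET_JAIL}" -eq 0 ] && [ -n "${VLAN_ID}" ]; then`. The same line is still present unchanged as context in later patches of this series (PATCH 60 and PATCH 70).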
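Review bot: Both new template calls (hunks `@@ -263,6 +276,10 @@` and `@@ -308,6 +325,10 @@`) pass `--arg IFCONFIG="inet ${_ip}"` unconditionally, while the dispatcher appears to normalise DHCP requests to the `SYNCDHCP` sentinel before calling (visible as context in later hunks of this file), which would yield `ifconfig_vnet0_<id>="inet SYNCDHCP"`. The template's own default is `SYNCDHCP`, so compute the argument first: `_vlan_ifconfig="inet ${_ip}"` / `[ "${_ip}" = "SYNCDHCP" ] && _vlan_ifconfig="SYNCDHCP"` and pass `--arg IFCONFIG="${_vlan_ifconfig}"`; `${bastille_template_vlan}` should also be quoted. The same `inet ${_ip}` form is carried into `add_vlan()` in PATCH 57 and PATCH 59. The enclosing functions begin and end outside these hunks.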
diff --git a/docs/chapters/usage.rst b/docs/chapters/usage.rst index e21d659d..c9c5c6f0 100644 --- a/docs/chapters/usage.rst +++ b/docs/chapters/usage.rst @@ -1,4 +1,3 @@ -===== Usage ===== @@ -51,4 +50,4 @@ Usage Use "bastille -v|--version" for version information. Use "bastille command -h|--help" for more information about a command. - + Use "bastille [-c|--config FILE] command" to specify a non-default config file. From 4793f1cf886dd5a23c62d72164d654efe35ba422 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 4 Mar 2025 11:32:51 -0700 Subject: [PATCH 52/96] network: Add check for VLAN already added --- usr/local/share/bastille/network.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 6e4d2686..c2deef6a 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -432,7 +432,7 @@ case "${ACTION}" in else validate_ip "${IP}" fi - if [ "${VNET_JAIL}" -eq 1 ]; then + if [ "${VNET_JAIL}" -eq 1 ] && [ -n "${VLAN_ID}" ]; then if ifconfig -g bridge | grep -owq "${INTERFACE}"; then error_exit "\"${INTERFACE}\" is a bridge interface." else @@ -441,7 +441,7 @@ case "${ACTION}" in bastille start "${TARGET}" fi fi - elif [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; then + elif [ "${BRIDGE_VNET_JAIL}" -eq 1 ] && [ -n "${VLAN_ID}" ]; then if ! ifconfig -g bridge | grep -owq "${INTERFACE}"; then error_exit "\"${INTERFACE}\" is not a bridge interface." else @@ -459,6 +459,11 @@ case "${ACTION}" in bastille start "${TARGET}" fi fi + elif { [ "${VNET_JAIL}" -eq 1 ] && [ -n "${VLAN_ID}" ]; } || \ + { [ "${BRIDGE_VNET_JAIL}" -eq 1 ] && [ -n "${VLAN_ID}" ]; } then + if grep -Eq "ifconfig_vnet[0-9]+_${VLAN_ID}" "${bastille_jailsdir}/${TARGET}/root/etc/rc.conf"; then + error_exit "VLAN has already been added: VLAN ${VLAN_ID}" + fi fi ;; remove|delete) 
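Review bot: The duplicate-VLAN check in the `@@ -459,6 +459,11 @@` hunk of network.sh uses an unanchored pattern, `grep -Eq "ifconfig_vnet[0-9]+_${VLAN_ID}"`, so VLAN 10 is reported as already added whenever rc.conf contains `ifconfig_vnet0_100=...`. Anchor both ends of the variable name: `grep -Eq "^ifconfig_vnet[0-9]+_${VLAN_ID}=" "${bastille_jailsdir}/${TARGET}/root/etc/rc.conf"`. The same unanchored form is carried into `add_vlan()` in PATCH 57 (`ifconfig_${_jail_vnet}_${_vlan_id}`) and PATCH 59.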
From 3fc16e51188de140c5c3c5c5ae385d93a7406d19 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 4 Mar 2025 11:44:41 -0700 Subject: [PATCH 53/96] network: -z for VLAN + VNET --- usr/local/share/bastille/network.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index c2deef6a..992f3d72 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -432,7 +432,7 @@ case "${ACTION}" in else validate_ip "${IP}" fi - if [ "${VNET_JAIL}" -eq 1 ] && [ -n "${VLAN_ID}" ]; then + if [ "${VNET_JAIL}" -eq 1 ] && [ -z "${VLAN_ID}" ]; then if ifconfig -g bridge | grep -owq "${INTERFACE}"; then error_exit "\"${INTERFACE}\" is a bridge interface." else @@ -441,7 +441,7 @@ case "${ACTION}" in bastille start "${TARGET}" fi fi - elif [ "${BRIDGE_VNET_JAIL}" -eq 1 ] && [ -n "${VLAN_ID}" ]; then + elif [ "${BRIDGE_VNET_JAIL}" -eq 1 ] && [ -z "${VLAN_ID}" ]; then if ! ifconfig -g bridge | grep -owq "${INTERFACE}"; then error_exit "\"${INTERFACE}\" is not a bridge interface." else From c7b845f29b989f5438db6ad8c67e3494c46c682c Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 6 Mar 2025 12:37:46 -0700 Subject: [PATCH 54/96] network: Allow adding VLAN when IF already added --- usr/local/share/bastille/network.sh | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 992f3d72..321cd197 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh 
@@ -420,6 +420,21 @@ remove_interface() { echo "Removed interface: \"${_if}\"" } +add_vlan() { + local _jailname="${1}" + local _ip="${2}" + local _vlan_id="${3}" + local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" + local _vnet_if_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l | awk '{print $1}')" + local _if_vnet="vnet$((_vnet_if_count + 1))" + + # Run VLAN template on jail + bastille template "${_jailname}" ${bastille_template_vlan} --arg JAIL_VNET"${_if_vnet}" --arg VLANID="${_vlan_id}" --arg IFCONFIG="inet ${_ip}" + + info "[${_jailname}]:" + echo "Added VLAN ${VLAN_ID} to interface: \"${_if}\"" +} + case "${ACTION}" in add) validate_netconf @@ -463,7 +478,9 @@ case "${ACTION}" in { [ "${BRIDGE_VNET_JAIL}" -eq 1 ] && [ -n "${VLAN_ID}" ]; } then if grep -Eq "ifconfig_vnet[0-9]+_${VLAN_ID}" "${bastille_jailsdir}/${TARGET}/root/etc/rc.conf"; then error_exit "VLAN has already been added: VLAN ${VLAN_ID}" - fi + else + add_vlan "${TARGET}" "${IP}" "${VLAN_ID}" + fi fi ;; remove|delete) From dede7f4b4aecb430a07806a0380b025bfce3d110 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 6 Mar 2025 12:39:35 -0700 Subject: [PATCH 55/96] Use default value for VLAN template --- .../share/bastille/templates/default/vlan/Bastillefile | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/usr/local/share/bastille/templates/default/vlan/Bastillefile b/usr/local/share/bastille/templates/default/vlan/Bastillefile index 6d594446..c6a3c5b2 100644 --- a/usr/local/share/bastille/templates/default/vlan/Bastillefile +++ b/usr/local/share/bastille/templates/default/vlan/Bastillefile 
@@ -1,6 +1,7 @@ +ARG JAIL_VNET="vnet0" ARG VLANID ARG IFCONFIG="SYNCDHCP" -SYSRC ifconfig_vnet0="up" -SYSRC vlans_vnet0="${VLANID}" -SYSRC ifconfig_vnet0_${VLANID}="${IFCONFIG}" +SYSRC ifconfig_${JAIL_VNET}="up" +SYSRC vlans_${JAIL_VNET}="${VLANID}" +SYSRC ifconfig_${JAIL_VNET}_${VLANID}="${IFCONFIG}" From d92c61ee6f3f24e99636a4604a503b8ce044182a Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 6 Mar 2025 12:40:16 -0700 Subject: [PATCH 56/96] Allow multiple VLANS on single jail vnet --- usr/local/share/bastille/templates/default/vlan/Bastillefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/templates/default/vlan/Bastillefile b/usr/local/share/bastille/templates/default/vlan/Bastillefile index c6a3c5b2..7bde367b 100644 --- a/usr/local/share/bastille/templates/default/vlan/Bastillefile +++ b/usr/local/share/bastille/templates/default/vlan/Bastillefile @@ -3,5 +3,5 @@ ARG VLANID ARG IFCONFIG="SYNCDHCP" SYSRC ifconfig_${JAIL_VNET}="up" -SYSRC vlans_${JAIL_VNET}="${VLANID}" +SYSRC vlans_${JAIL_VNET}+="${VLANID}" SYSRC ifconfig_${JAIL_VNET}_${VLANID}="${IFCONFIG}" From bc03a2c147b22f1738377b7a0f2369d3a8dbedd1 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 6 Mar 2025 12:54:09 -0700 Subject: [PATCH 57/96] network: Add vlan in separate block --- usr/local/share/bastille/network.sh | 34 ++++++++++++----------------- 1 file changed, 14 insertions(+), 20 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 321cd197..15a0bf93 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh 
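Review bot: `SYSRC ifconfig_${JAIL_VNET}="up"` replaces whatever `ifconfig_<vnet>` already holds, so when this template is applied to an interface that already carries an address (the case PATCH 54 onward enables), the untagged `inet ...` setting would presumably be overwritten with `up` and the jail would lose that address on its next start. If SYSRC maps to a plain `sysrc` assignment, set the parent only when it is not already configured, or make the reset explicit in the template's documentation so the caller can decide. In the follow-up hunk (`@@ -3,5 +3,5 @@`), `vlans_${JAIL_VNET}+="${VLANID}"` appends on every application, so the template depends on its caller to prevent duplicate IDs; that contract is worth stating next to the `ARG VLANID` line.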
@@ -326,7 +326,7 @@ EOF fi if [ -n "${VLAN_ID}" ]; then - bastille template "${_jailname}" ${bastille_template_vlan} --arg VLANID="${VLAN_ID}" --arg IFCONFIG="inet ${_ip}" + add_vlan "${_jailname}" "${_if_vnet}" "${_ip}" "${VLAN_ID}" fi info "[${_jailname}]:" @@ -422,24 +422,25 @@ remove_interface() { add_vlan() { local _jailname="${1}" - local _ip="${2}" - local _vlan_id="${3}" - local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" - local _vnet_if_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l | awk '{print $1}')" - local _if_vnet="vnet$((_vnet_if_count + 1))" - - # Run VLAN template on jail - bastille template "${_jailname}" ${bastille_template_vlan} --arg JAIL_VNET"${_if_vnet}" --arg VLANID="${_vlan_id}" --arg IFCONFIG="inet ${_ip}" + local _jail_vnet="${2}" + local _ip="${3}" + local _vlan_id="${4}" + + if grep -Eq "ifconfig_${_jail_vnet}_${_vlan_id}" "${bastille_jailsdir}/${_jailname}/root/etc/rc.conf"; then + error_exit "VLAN has already been added: VLAN ${_vlan_id}" + else + bastille template "${_jailname}" ${bastille_template_vlan} --arg VLANID="${_vlan_id}" --arg IFCONFIG="inet ${_ip}" --arg JAIL_VNET="${_jail_vnet}" + fi info "[${_jailname}]:" - echo "Added VLAN ${VLAN_ID} to interface: \"${_if}\"" + echo "Added VLAN ${_vlan_id} to interface: \"${_jail_vnet}\"" } case "${ACTION}" in add) validate_netconf validate_netif "${INTERFACE}" - if check_interface_added "${TARGET}" "${INTERFACE}"; then + if check_interface_added "${TARGET}" "${INTERFACE}" && [ -z "${VLAN_ID}" ]; then error_exit "Interface is already added: \"${INTERFACE}\"" fi if [ -z "${IP}" ] || [ "${IP}" = "0.0.0.0" ]; then @@ -447,7 +448,7 @@ case "${ACTION}" in else validate_ip "${IP}" fi - if [ "${VNET_JAIL}" -eq 1 ] && [ -z "${VLAN_ID}" ]; then + if [ "${VNET_JAIL}" -eq 1 ]; then if ifconfig -g bridge | grep -owq "${INTERFACE}"; then error_exit "\"${INTERFACE}\" is a bridge interface." else 
@@ -456,7 +457,7 @@ case "${ACTION}" in bastille start "${TARGET}" fi fi - elif [ "${BRIDGE_VNET_JAIL}" -eq 1 ] && [ -z "${VLAN_ID}" ]; then + elif [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; then if ! ifconfig -g bridge | grep -owq "${INTERFACE}"; then error_exit "\"${INTERFACE}\" is not a bridge interface." else @@ -474,13 +475,6 @@ case "${ACTION}" in bastille start "${TARGET}" fi fi - elif { [ "${VNET_JAIL}" -eq 1 ] && [ -n "${VLAN_ID}" ]; } || \ - { [ "${BRIDGE_VNET_JAIL}" -eq 1 ] && [ -n "${VLAN_ID}" ]; } then - if grep -Eq "ifconfig_vnet[0-9]+_${VLAN_ID}" "${bastille_jailsdir}/${TARGET}/root/etc/rc.conf"; then - error_exit "VLAN has already been added: VLAN ${VLAN_ID}" - else - add_vlan "${TARGET}" "${IP}" "${VLAN_ID}" - fi fi ;; remove|delete) From 8301fac183fe21944bf05eae3ef2b4e4dcffa5e5 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 6 Mar 2025 12:56:19 -0700 Subject: [PATCH 58/96] Update network.sh --- usr/local/share/bastille/network.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 15a0bf93..9c64875d 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -277,7 +277,7 @@ EOF fi if [ -n "${VLAN_ID}" ]; then - bastille template "${_jailname}" ${bastille_template_vlan} --arg VLANID="${VLAN_ID}" --arg IFCONFIG="inet ${_ip}" + add_vlan "${_jailname}" "${_if_vnet}" "${_ip}" "${VLAN_ID}" fi info "[${_jailname}]:" From 88133464b9c5e287ac8f150b941dd68078b0e262 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 6 Mar 2025 16:12:55 -0700 Subject: [PATCH 59/96] network: Fix VLAN adding --- usr/local/share/bastille/network.sh | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) 
diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 9c64875d..a0a7980f 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -276,10 +276,6 @@ EOF sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}=" inet ${_ip} " fi - if [ -n "${VLAN_ID}" ]; then - add_vlan "${_jailname}" "${_if_vnet}" "${_ip}" "${VLAN_ID}" - fi - info "[${_jailname}]:" echo "Added interface: \"${_if}\"" @@ -325,10 +321,6 @@ EOF sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}=" inet ${_ip} " fi - if [ -n "${VLAN_ID}" ]; then - add_vlan "${_jailname}" "${_if_vnet}" "${_ip}" "${VLAN_ID}" - fi - info "[${_jailname}]:" echo "Added VNET interface: \"${_if}\"" @@ -422,10 +414,18 @@ remove_interface() { add_vlan() { local _jailname="${1}" - local _jail_vnet="${2}" + local _interface="${2}" local _ip="${3}" local _vlan_id="${4}" - + local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" + local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" + if [ "${VNET_JAIL}" -eq 1 ]; then + local _jail_epair_num="$(grep ${_interface} ${_jail_config} | grep -Eo "bastille[0-9]+" | grep -Eo "[0-9]+")" + local _jail_vnet="$(grep "e0b_bastille${_jail_epair_num}_name" ${_jail_rc_config} | grep -Eo "vnet[0-9]+" | grep -Eo "[0-9]+")" + elif [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; then + local _jail_epair_num="$(grep ${_interface} ${_jail_config} | grep -Eo "epair[0-9]+" | grep -Eo "[0-9]+")" + local _jail_vnet="$(grep "e.*${_jail_epair_num}b.*_name" ${_jail_rc_config} | grep -Eo "vnet[0-9]+" | grep -Eo "[0-9]+")" + fi if grep -Eq "ifconfig_${_jail_vnet}_${_vlan_id}" "${bastille_jailsdir}/${_jailname}/root/etc/rc.conf"; then error_exit "VLAN has already been added: VLAN ${_vlan_id}" else 
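Review bot: In the rewritten `add_vlan()` (`@@ -422,10 +414,18 @@`), `_jail_vnet` stays empty when neither `VNET_JAIL` nor `BRIDGE_VNET_JAIL` is set or when the grep pipelines find no match, yet the function carries on: the duplicate check then looks for `ifconfig__<id>` and the template is run with `--arg JAIL_VNET=""`, writing rc.conf entries under a malformed name. Guard it right after the `fi`: `[ -n "${_jail_vnet}" ] || error_exit "Could not determine VNET interface for: \"${_interface}\""`. The lookup `grep ${_interface} ${_jail_config}` is also unquoted and unanchored, so `em0` matches a line mentioning `em01`; `grep -w -- "${_interface}" "${_jail_config}"` is safer. The later patches in this series (65, 66) adjust these pipelines but add no such guard.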
@@ -442,6 +442,8 @@ case "${ACTION}" in validate_netif "${INTERFACE}" if check_interface_added "${TARGET}" "${INTERFACE}" && [ -z "${VLAN_ID}" ]; then error_exit "Interface is already added: \"${INTERFACE}\"" + elif { [ "${VNET_JAIL}" -eq 1 ] || [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; } && [ -n "${VLAN_ID}" ]; then + add_vlan "{TARGET}" "${INTERFACE}" "${IP}" "${VLAN_ID}" fi if [ -z "${IP}" ] || [ "${IP}" = "0.0.0.0" ]; then IP="SYNCDHCP" @@ -453,6 +455,9 @@ case "${ACTION}" in error_exit "\"${INTERFACE}\" is a bridge interface." else add_interface "${TARGET}" "${INTERFACE}" "${IP}" + if [ -n "${VLAN_ID}" ]; then + add_vlan "{TARGET}" "${INTERFACE}" "${IP}" "${VLAN_ID}" + fi if [ "${AUTO}" -eq 1 ]; then bastille start "${TARGET}" fi @@ -462,6 +467,9 @@ case "${ACTION}" in error_exit "\"${INTERFACE}\" is not a bridge interface." else add_interface "${TARGET}" "${INTERFACE}" "${IP}" + if [ -n "${VLAN_ID}" ]; then + add_vlan "{TARGET}" "${INTERFACE}" "${IP}" "${VLAN_ID}" + fi if [ "${AUTO}" -eq 1 ]; then bastille start "${TARGET}" fi From c0307f09c5978029f72298a093d4381765b5c643 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 6 Mar 2025 16:18:13 -0700 Subject: [PATCH 60/96] network: Cosmetic fixes --- usr/local/share/bastille/network.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index a0a7980f..0ec38356 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh 
@@ -121,10 +121,10 @@ if [ "${ACTION}" = "add" ]; then if { [ "${VNET_JAIL}" -eq 1 ] && [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; } || \ { [ "${VNET_JAIL}" -eq 1 ] && [ "${CLASSIC_JAIL}" -eq 1 ]; } || \ { [ "${CLASSIC_JAIL}" -eq 1 ] && [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; } then - error_notify "Error: Only one of [-b|-B|--bridge], [-c|--classic] or [-v|-V|--vnet] should be set." + error_notify "Error: Only one of [-B|--bridge], [-C|--classic] or [-V|--vnet] should be set." usage elif [ "${VNET_JAIL}" -eq 0 ] && [ "${BRIDGE_VNET_JAIL}" -eq 0 ] && [ "${CLASSIC_JAIL}" -eq 0 ]; then - error_notify "Error: [-c|--classic], [-b|-B|--bridge] or [-v|-V|--vnet] must be set." + error_notify "Error: [-C|--classic], [-B|--bridge] or [-V|--vnet] must be set." usage elif [ "${VNET_JAIL}" -eq 0 ] && [ "${BRIDGE_VNET_JAIL}" -eq 0 ] && [ "${VLAN_ID}" -eq 1 ]; then error_notify "VLANs can only be used with VNET interfaces." From e578ec1b2206edebdd22e298e6af499c66f2884e Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 6 Mar 2025 16:24:07 -0700 Subject: [PATCH 61/96] network: Fix spacing --- usr/local/share/bastille/network.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 0ec38356..5b41ece0 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -81,11 +81,11 @@ while [ "$#" -gt 0 ]; do shift ;; -v|--vlan) - if echo "${2}" | grep -Eq '^[0-9]+$'; then + if echo "${2}" | grep -Eq '^[0-9]+$'; then VLAN_ID="${2}" - else + else error_exit "Not a valid VLAN ID: ${2}" - fi + fi shift 2 ;; -x|--debug) From 50ebdd5118bef9fa59f715fdf73b72b256ba1d69 Mon Sep 17 00:00:00 2001 
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 6 Mar 2025 16:27:37 -0700 Subject: [PATCH 62/96] network: Quick bugfix --- usr/local/share/bastille/network.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 5b41ece0..7ed8912a 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -468,7 +468,7 @@ case "${ACTION}" in else add_interface "${TARGET}" "${INTERFACE}" "${IP}" if [ -n "${VLAN_ID}" ]; then - add_vlan "{TARGET}" "${INTERFACE}" "${IP}" "${VLAN_ID}" + add_vlan "${TARGET}" "${INTERFACE}" "${IP}" "${VLAN_ID}" fi if [ "${AUTO}" -eq 1 ]; then bastille start "${TARGET}" From b8d9eae21f995d6d7398f4e05eccd6dd133d2641 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 6 Mar 2025 16:28:45 -0700 Subject: [PATCH 63/96] Update network.sh --- usr/local/share/bastille/network.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 7ed8912a..16447db4 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -456,7 +456,7 @@ case "${ACTION}" in else add_interface "${TARGET}" "${INTERFACE}" "${IP}" if [ -n "${VLAN_ID}" ]; then - add_vlan "{TARGET}" "${INTERFACE}" "${IP}" "${VLAN_ID}" + add_vlan "${TARGET}" "${INTERFACE}" "${IP}" "${VLAN_ID}" fi if [ "${AUTO}" -eq 1 ]; then bastille start "${TARGET}" From 0ec64bc2384af86e2f094585628e489018fa3415 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 6 Mar 2025 16:30:28 -0700 Subject: [PATCH 64/96] Update network.sh --- usr/local/share/bastille/network.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 16447db4..e94d45a1 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -443,7 +443,7 @@ case "${ACTION}" in if check_interface_added "${TARGET}" "${INTERFACE}" && [ -z "${VLAN_ID}" ]; then error_exit "Interface is already added: \"${INTERFACE}\"" elif { [ "${VNET_JAIL}" -eq 1 ] || [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; } && [ -n "${VLAN_ID}" ]; then - add_vlan "{TARGET}" "${INTERFACE}" "${IP}" "${VLAN_ID}" + add_vlan "${TARGET}" "${INTERFACE}" "${IP}" "${VLAN_ID}" fi if [ -z "${IP}" ] || [ "${IP}" = "0.0.0.0" ]; then IP="SYNCDHCP" From 0341789c447d77a32dd72ce5041f91d1a62794fa Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 6 Mar 2025 16:37:41 -0700 Subject: [PATCH 65/96] Update network.sh --- usr/local/share/bastille/network.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index e94d45a1..15d719ec 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh 
@@ -420,16 +420,18 @@ add_vlan() { local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" if [ "${VNET_JAIL}" -eq 1 ]; then - local _jail_epair_num="$(grep ${_interface} ${_jail_config} | grep -Eo "bastille[0-9]+" | grep -Eo "[0-9]+")" + local _jail_epair_num="$(grep ${_interface} ${_jail_config} | grep -Eo -m 1 "bastille[0-9]+" | grep -Eo "[0-9]+")" local _jail_vnet="$(grep "e0b_bastille${_jail_epair_num}_name" ${_jail_rc_config} | grep -Eo "vnet[0-9]+" | grep -Eo "[0-9]+")" elif [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; then - local _jail_epair_num="$(grep ${_interface} ${_jail_config} | grep -Eo "epair[0-9]+" | grep -Eo "[0-9]+")" + local _jail_epair_num="$(grep ${_interface} ${_jail_config} | grep -Eo -m 1 "epair[0-9]+" | grep -Eo "[0-9]+")" local _jail_vnet="$(grep "e.*${_jail_epair_num}b.*_name" ${_jail_rc_config} | grep -Eo "vnet[0-9]+" | grep -Eo "[0-9]+")" fi if grep -Eq "ifconfig_${_jail_vnet}_${_vlan_id}" "${bastille_jailsdir}/${_jailname}/root/etc/rc.conf"; then error_exit "VLAN has already been added: VLAN ${_vlan_id}" else + bastille start "${_jailname}" bastille template "${_jailname}" ${bastille_template_vlan} --arg VLANID="${_vlan_id}" --arg IFCONFIG="inet ${_ip}" --arg JAIL_VNET="${_jail_vnet}" + bastille restart "${_jailname}" fi info "[${_jailname}]:" From 2e38c6d940be727b8e31b66b5c78d3d36e5dc79b Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 6 Mar 2025 16:39:15 -0700 Subject: [PATCH 66/96] Update network.sh --- usr/local/share/bastille/network.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 15d719ec..f3431f2f 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh 
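Review bot: `add_vlan()` now runs `bastille start` before the template and `bastille restart` after it unconditionally, which bypasses the `-a|--auto` contract the command advertises ("Start/stop the jail(s) if required") and bounces a jail the user may only have wanted reconfigured on disk. If `bastille template` needs a running jail (which the added `start` suggests), check its result and gate the restart: `bastille template ... || error_exit "Failed to apply VLAN template"` followed by `if [ "${AUTO}" -eq 1 ]; then bastille restart "${_jailname}"; fi`. Whether `bastille start` on an already running jail is a harmless no-op or aborts the script is not visible here and is worth confirming.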
@@ -421,10 +421,10 @@ add_vlan() { local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" if [ "${VNET_JAIL}" -eq 1 ]; then local _jail_epair_num="$(grep ${_interface} ${_jail_config} | grep -Eo -m 1 "bastille[0-9]+" | grep -Eo "[0-9]+")" - local _jail_vnet="$(grep "e0b_bastille${_jail_epair_num}_name" ${_jail_rc_config} | grep -Eo "vnet[0-9]+" | grep -Eo "[0-9]+")" + local _jail_vnet="$(grep "e0b_bastille${_jail_epair_num}_name" ${_jail_rc_config} | grep -Eo "vnet[0-9]+")" elif [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; then local _jail_epair_num="$(grep ${_interface} ${_jail_config} | grep -Eo -m 1 "epair[0-9]+" | grep -Eo "[0-9]+")" - local _jail_vnet="$(grep "e.*${_jail_epair_num}b.*_name" ${_jail_rc_config} | grep -Eo "vnet[0-9]+" | grep -Eo "[0-9]+")" + local _jail_vnet="$(grep "e.*${_jail_epair_num}b.*_name" ${_jail_rc_config} | grep -Eo "vnet[0-9]+")" fi if grep -Eq "ifconfig_${_jail_vnet}_${_vlan_id}" "${bastille_jailsdir}/${_jailname}/root/etc/rc.conf"; then error_exit "VLAN has already been added: VLAN ${_vlan_id}" From 21edede663181aa50fd74661a6c387bc253dbce9 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 6 Mar 2025 16:42:21 -0700 Subject: [PATCH 67/96] network: Exit on VLAN added --- usr/local/share/bastille/network.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index f3431f2f..f406e4b7 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -446,6 +446,7 @@ case "${ACTION}" in error_exit "Interface is already added: \"${INTERFACE}\"" elif { [ "${VNET_JAIL}" -eq 1 ] || [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; } && [ -n "${VLAN_ID}" ]; then add_vlan "${TARGET}" "${INTERFACE}" "${IP}" "${VLAN_ID}" + exit 0 fi if [ -z "${IP}" ] || [ "${IP}" = "0.0.0.0" ]; then IP="SYNCDHCP" From 75f02d5f8d00232c919b0de756a4a898515fb5c2 Mon Sep 17 00:00:00 2001 
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 6 Mar 2025 16:54:58 -0700 Subject: [PATCH 68/96] Update network.sh --- usr/local/share/bastille/network.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index f406e4b7..2b9efa00 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -435,7 +435,7 @@ add_vlan() { fi info "[${_jailname}]:" - echo "Added VLAN ${_vlan_id} to interface: \"${_jail_vnet}\"" + info "Added VLAN ${_vlan_id} to interface: \"${_jail_vnet}\"" } case "${ACTION}" in From 79304cd75e755e505dd4bdd2959186558e320d47 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 7 Mar 2025 06:04:49 -0700 Subject: [PATCH 69/96] docs: Configuration - hyphen --- docs/chapters/configuration.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/chapters/configuration.rst b/docs/chapters/configuration.rst index 1ae65cf5..1249c822 100644 --- a/docs/chapters/configuration.rst +++ b/docs/chapters/configuration.rst @@ -81,7 +81,7 @@ This is the default `bastille.conf` file. Notes ----- -The options here are fairly self explanitory, but there are some things to note. +The options here are fairly self-explanitory, but there are some things to note. * If you use ZFS, DO NOT create the bastille dataset. You must only create the parent. Bastille must be allowed to create the `bastille` child dataset, or you will have issues. So, if you want bastille to live at `zroot/data/bastille` you should set `bastille_zfs_zpool` to `zroot` and `bastille_zfs_prefix` to `data/bastille` but you should only create `zroot/data` before running bastille for the first time. From bd88d7fcc6ef0f26f46dfa346545271a6089276b Mon Sep 17 00:00:00 2001 
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 10 Mar 2025 16:59:48 -0600 Subject: [PATCH 70/96] network: Add --no-ip swithc for vnet --- usr/local/share/bastille/network.sh | 58 ++++++++++++++++++++--------- 1 file changed, 41 insertions(+), 17 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 2b9efa00..f2fde9e0 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -40,6 +40,7 @@ usage() { -B | --bridge Add a bridged VNET interface to an existing jail. -C | --classic Add an interface to a classic (non-VNET) jail. -M | --static-mac Generate a static MAC address for the interface. + -n | --no-ip Create interface without an IP (VNET only). -V | --vnet Add a VNET interface to an existing jail. -v | --vlan VLANID Add interface with specified VLAN ID (VNET only). -x | --debug Enable debug mode. @@ -55,6 +56,7 @@ CLASSIC_JAIL=0 STATIC_MAC=0 VNET_JAIL=0 VLAN_ID="" +NO_IP=0 while [ "$#" -gt 0 ]; do case "${1}" in -h|--help|help) @@ -76,6 +78,10 @@ while [ "$#" -gt 0 ]; do STATIC_MAC=1 shift ;; + -n|--no-ip) + NO_IP=1 + shift + ;; -V|--vnet) VNET_JAIL=1 shift @@ -99,6 +105,7 @@ while [ "$#" -gt 0 ]; do B) BRIDGE_VNET_JAIL=1 ;; C) CLASSIC_JAIL=1 ;; M) STATIC_MAC=1 ;; + n) NO_IP=1 ;; V) VNET_JAIL=1 ;; x) enable_debug ;; *) error_exit "Unknown Option: \"${1}\"" ;; @@ -115,7 +122,11 @@ done TARGET="${1}" ACTION="${2}" INTERFACE="${3}" -IP="${4}" +if [ "${NO_IP}" -eq 0 ]; then + IP="${4}" +else + IP="" +fi if [ "${ACTION}" = "add" ]; then if { [ "${VNET_JAIL}" -eq 1 ] && [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; } || \ 
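Review bot: The usage line for `-n | --no-ip` in the `@@ -40,6 +40,7 @@` hunk says "(VNET only)", but the validation added further down in this same patch (`@@ -129,6 +140,12 @@`) also rejects the flag unless `--vlan` is given, so the help text under-states the restriction. Make them agree: `-n | --no-ip Create interface without an IP (VNET + VLAN only).`.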
@@ -129,6 +140,12 @@ if [ "${ACTION}" = "add" ]; then elif [ "${VNET_JAIL}" -eq 0 ] && [ "${BRIDGE_VNET_JAIL}" -eq 0 ] && [ "${VLAN_ID}" -eq 1 ]; then error_notify "VLANs can only be used with VNET interfaces." usage + elif [ "${VNET_JAIL}" -eq 0 ] && [ "${BRIDGE_VNET_JAIL}" -eq 0 ] && [ "${NO_IP}" -eq 1 ]; then + error_notify "[-n|--no-ip] can only be used with VNET jails." + usage + elif [ "${NO_IP}" -eq 1 ] && [ -z "${VLAN_ID}" ]; then + error_notify "[-n|--no-ip] can only be used when adding a VLAN." + usage fi fi @@ -267,13 +284,16 @@ EOF } EOF fi + # Add config to /etc/rc.conf sysrc -f "${_jail_rc_config}" ifconfig_${jail_epair}_name="${_if_vnet}" - # If 0.0.0.0 set DHCP, else set static IP address - if [ "${_ip}" = "0.0.0.0" ]; then - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" - else - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}=" inet ${_ip} " + if [ -n "${_ip}" ]; then + # If 0.0.0.0 set DHCP, else set static IP address + if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ]; then + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" + else + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}=" inet ${_ip} " + fi fi info "[${_jailname}]:" @@ -314,12 +334,14 @@ EOF fi # Add config to /etc/rc.conf sysrc -f "${_jail_rc_config}" ifconfig_e0b_${bastille_epair}_name="${_if_vnet}" - # If 0.0.0.0 set DHCP, else set static IP address - if [ "${_ip}" = "0.0.0.0" ]; then - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" - else - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}=" inet ${_ip} " - fi + if [ -n "${_ip}" ]; then + # If 0.0.0.0 set DHCP, else set static IP address + if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ]; then + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" + else + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}=" inet ${_ip} " + fi + fi info "[${_jailname}]:" echo "Added VNET interface: \"${_if}\"" 
@@ -448,11 +470,13 @@ case "${ACTION}" in add_vlan "${TARGET}" "${INTERFACE}" "${IP}" "${VLAN_ID}" exit 0 fi - if [ -z "${IP}" ] || [ "${IP}" = "0.0.0.0" ]; then - IP="SYNCDHCP" - else - validate_ip "${IP}" - fi + if [ -n "${IP}" ]; then + if [ "${IP}" = "DHCP" ] || [ "${IP}" = "0.0.0.0" ]; then + IP="SYNCDHCP" + else + validate_ip "${IP}" + fi + fi if [ "${VNET_JAIL}" -eq 1 ]; then if ifconfig -g bridge | grep -owq "${INTERFACE}"; then error_exit "\"${INTERFACE}\" is a bridge interface." From ebb290e4fb476818505a5f79d83c9959fc990ed7 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 10 Mar 2025 17:22:04 -0600 Subject: [PATCH 71/96] network: Do not allow a 4th arg on --no-ip --- usr/local/share/bastille/network.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index f2fde9e0..2a84f7cb 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -124,8 +124,10 @@ ACTION="${2}" INTERFACE="${3}" if [ "${NO_IP}" -eq 0 ]; then IP="${4}" -else +elif [ "${NO_IP}" -eq 1] && [ -z "${4}" ]; then IP="" +else + usage fi if [ "${ACTION}" = "add" ]; then From f3fae040db4d9e03590497dae958ffddbedb2760 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 10 Mar 2025 17:26:35 -0600 Subject: [PATCH 72/96] network: Force > auto typo --- usr/local/share/bastille/network.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 2a84f7cb..0e682458 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh 
@@ -161,7 +161,7 @@ check_target_is_stopped "${TARGET}" || if [ "${AUTO}" -eq 1 ]; then bastille stop "${TARGET}" else error_notify "Jail is running." - error_exit "Use [-a|--auto] to force stop the jail." + error_exit "Use [-a|--auto] to auto-stop the jail." fi validate_ip() { From 2db0801e62b3376baae5b1d40bad49d8aaccec4d Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 10 Mar 2025 17:28:24 -0600 Subject: [PATCH 73/96] network: Copyright year 2024 > 2025 --- usr/local/share/bastille/network.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 0e682458..e4ec53ce 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2024, Christer Edwards +# Copyright (c) 2018-2025, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without @@ -40,7 +40,7 @@ usage() { -B | --bridge Add a bridged VNET interface to an existing jail. -C | --classic Add an interface to a classic (non-VNET) jail. -M | --static-mac Generate a static MAC address for the interface. - -n | --no-ip Create interface without an IP (VNET only). + -n | --no-ip Create interface without an IP (VLAN+VNET only). -V | --vnet Add a VNET interface to an existing jail. -v | --vlan VLANID Add interface with specified VLAN ID (VNET only). -x | --debug Enable debug mode. From ffcc2371dac1fc543f22753105bc6e0314b284e5 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 10 Mar 2025 17:42:15 -0600 Subject: [PATCH 74/96] docs: Add network.sh --- docs/chapters/subcommands/network.rst | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 docs/chapters/subcommands/network.rst 
diff --git a/docs/chapters/subcommands/network.rst b/docs/chapters/subcommands/network.rst new file mode 100644 index 00000000..e8e5f884 --- /dev/null +++ b/docs/chapters/subcommands/network.rst @@ -0,0 +1,27 @@ +network +======= + +Add or remove interfaces to existing jails. + +You can only add an interface once to a jail, with two exceptions. + +1. For classic jails, you can add an interface as many times as you want, but each time with a different IP. All this does is add the IP as another alias on that interface. + +2. For VNET jails, if the `-v|--vlan` switch is given along with a numerical VLAN ID, Bastille will add the VLAN ID to the jail as a vnetX.X interface, depending on which interface is specified. + +Bridges and VNET interfaces can be added to VNET jails, no matter if they were created with `-V` or `-B`. + +.. code-block:: shell + + ishmael ~ # bastille network help + Usage: bastille network [option(s)] TARGET [remove|add] INTERFACE [IP_ADDRESS] + Options: + + -a | --auto Start/stop the jail(s) if required. + -B | --bridge Add a bridged VNET interface to an existing jail. + -C | --classic Add an interface to a classic (non-VNET) jail. + -M | --static-mac Generate a static MAC address for the interface. + -n | --no-ip Create interface without an IP (VLAN+VNET only). + -V | --vnet Add a VNET interface to an existing jail. + -v | --vlan VLANID Add interface with specified VLAN ID (VNET only). + -x | --debug Enable debug mode. From e90059ff7a84ff9f139267f772d80bc215535589 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 10 Mar 2025 17:44:07 -0600 Subject: [PATCH 75/96] network: Fix shellcheck --- usr/local/share/bastille/network.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index e4ec53ce..59a72717 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh 
@@ -124,7 +124,7 @@ ACTION="${2}" INTERFACE="${3}" if [ "${NO_IP}" -eq 0 ]; then IP="${4}" -elif [ "${NO_IP}" -eq 1] && [ -z "${4}" ]; then +elif [ "${NO_IP}" -eq 1 ] && [ -z "${4}" ]; then IP="" else usage From 70b106dda50e291637eb9edbdf4113fe291681cf Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 11 Mar 2025 08:05:14 -0600 Subject: [PATCH 76/96] network: Allow no ip without vlan --- usr/local/share/bastille/network.sh | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 59a72717..554d3b3e 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -40,7 +40,7 @@ usage() { -B | --bridge Add a bridged VNET interface to an existing jail. -C | --classic Add an interface to a classic (non-VNET) jail. -M | --static-mac Generate a static MAC address for the interface. - -n | --no-ip Create interface without an IP (VLAN+VNET only). + -n | --no-ip Create interface without an IP (VNET only). -V | --vnet Add a VNET interface to an existing jail. -v | --vlan VLANID Add interface with specified VLAN ID (VNET only). -x | --debug Enable debug mode. @@ -145,9 +145,6 @@ if [ "${ACTION}" = "add" ]; then elif [ "${VNET_JAIL}" -eq 0 ] && [ "${BRIDGE_VNET_JAIL}" -eq 0 ] && [ "${NO_IP}" -eq 1 ]; then error_notify "[-n|--no-ip] can only be used with VNET jails." usage - elif [ "${NO_IP}" -eq 1 ] && [ -z "${VLAN_ID}" ]; then - error_notify "[-n|--no-ip] can only be used when adding a VLAN." - usage fi fi From 296c7c1f32db23da416f04c2782e1064923df765 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 11 Mar 2025 10:08:34 -0600 Subject: [PATCH 77/96] network: Better validation of DHCP --- usr/local/share/bastille/network.sh | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) 
diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 554d3b3e..5b1faf74 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -168,6 +168,8 @@ validate_ip() { if [ -n "${ip6}" ]; then info "Valid: (${ip6})." IP6_ENABLE=1 + elif [ "${ip}" = "0.0.0.0" ] || [ "${ip}" = "DHCP" ]; then + info "Valid: (${ip})." else local IFS if echo "${ip}" 2>/dev/null | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then @@ -291,7 +293,7 @@ EOF if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ]; then sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" else - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}=" inet ${_ip} " + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="inet ${_ip}" fi fi @@ -338,7 +340,7 @@ EOF if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ]; then sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP" else - sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}=" inet ${_ip} " + sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="inet ${_ip}" fi fi @@ -469,13 +471,10 @@ case "${ACTION}" in add_vlan "${TARGET}" "${INTERFACE}" "${IP}" "${VLAN_ID}" exit 0 fi + ## validate IP if not empty if [ -n "${IP}" ]; then - if [ "${IP}" = "DHCP" ] || [ "${IP}" = "0.0.0.0" ]; then - IP="SYNCDHCP" - else validate_ip "${IP}" - fi - fi + fi if [ "${VNET_JAIL}" -eq 1 ]; then if ifconfig -g bridge | grep -owq "${INTERFACE}"; then error_exit "\"${INTERFACE}\" is a bridge interface." From 9aae6972766c9081d6f4def3a91d84ac31d5a33d Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 11 Mar 2025 14:16:32 -0600 Subject: [PATCH 78/96] network: Description now shows the jail vnet also --- usr/local/share/bastille/network.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
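Review bot: The rc.conf entry written by `sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="inet ${_ip}"` in the second and third hunks always uses the `inet` keyword, yet the first hunk's validate_ip accepts an IPv6 address (its `ip6` branch sets `IP6_ENABLE=1` and the new `elif` only adds the DHCP literals), so a v6 address passes validation and is stored as `ifconfig_vnetN="inet <v6addr>"`, which rc(8) will not bring up as IPv6. The classic branch elsewhere in this file already branches on `IP6_ENABLE`; the two VNET branches could do the same, e.g. `if [ "${IP6_ENABLE}" -eq 1 ]; then sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}_ipv6="inet6 ${_ip}"; else` followed by the existing `inet` line, assuming `IP6_ENABLE` is initialised to 0 before validate_ip runs as its use in the classic branch suggests. The three hunks lie inside validate_ip and add_interface, whose boundaries are outside the hunks.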
diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 5b1faf74..8b924ef5 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -265,7 +265,7 @@ add_interface() { exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}"; exec.prestart += "ifconfig ${host_epair} ether ${macaddr}a"; exec.prestart += "ifconfig ${jail_epair} ether ${macaddr}b"; - exec.prestart += "ifconfig ${host_epair} description \"vnet host interface for Bastille jail ${_jailname}\""; + exec.prestart += "ifconfig ${host_epair} description \"${_if_vnet} host interface for Bastille jail ${_jailname}\""; exec.poststop += "ifconfig ${_if} deletem ${host_epair}"; exec.poststop += "ifconfig ${host_epair} destroy"; } @@ -279,7 +279,7 @@ EOF exec.prestart += "ifconfig ${_if} addm epair${_num}a"; exec.prestart += "ifconfig epair${_num}a up name ${host_epair}"; exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}"; - exec.prestart += "ifconfig ${host_epair} description \"vnet host interface for Bastille jail ${_jailname}\""; + exec.prestart += "ifconfig ${host_epair} description \"${_if_vnet} host interface for Bastille jail ${_jailname}\""; exec.poststop += "ifconfig ${_if} deletem ${host_epair}"; exec.poststop += "ifconfig ${host_epair} destroy"; } @@ -318,7 +318,7 @@ EOF exec.prestart += "jib addm ${bastille_epair} ${_if}"; exec.prestart += "ifconfig e0a_${bastille_epair} ether ${macaddr}a"; exec.prestart += "ifconfig e0b_${bastille_epair} ether ${macaddr}b"; - exec.prestart += "ifconfig e0a_${bastille_epair} description \"vnet host interface for Bastille jail ${_jailname}\""; + exec.prestart += "ifconfig e0a_${bastille_epair} description \"${_if_vnet} host interface for Bastille jail ${_jailname}\""; exec.poststop += "jib destroy ${bastille_epair}"; } EOF 
@@ -328,7 +328,7 @@ EOF ## ${bastille_epair} interface vnet.interface += e0b_${bastille_epair}; exec.prestart += "jib addm ${bastille_epair} ${_if}"; - exec.prestart += "ifconfig e0a_${bastille_epair} description \"vnet host interface for Bastille jail ${_jailname}\""; + exec.prestart += "ifconfig e0a_${bastille_epair} description \"${_if_vnet} host interface for Bastille jail ${_jailname}\""; exec.poststop += "jib destroy ${bastille_epair}"; } EOF From f449cd4fd9c0c9035189218f3b2ff6fe5aa27134 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 11 Mar 2025 14:18:28 -0600 Subject: [PATCH 79/96] common: Show vnetX interface for multiple interfaces --- usr/local/share/bastille/common.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 6fbeada0..b6005b2d 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -302,7 +302,7 @@ generate_vnet_jail_netblock() { exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}"; exec.prestart += "ifconfig ${host_epair} ether ${macaddr}a"; exec.prestart += "ifconfig ${jail_epair} ether ${macaddr}b"; - exec.prestart += "ifconfig ${host_epair} description \"vnet host interface for Bastille jail ${jail_name}\""; + exec.prestart += "ifconfig ${host_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\""; exec.poststop += "ifconfig ${external_interface} deletem ${host_epair}"; exec.poststop += "ifconfig ${host_epair} destroy"; EOF 
@@ -315,7 +315,7 @@ EOF exec.prestart += "ifconfig ${external_interface} addm epair${_num}a"; exec.prestart += "ifconfig epair${_num}a up name ${host_epair}"; exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}"; - exec.prestart += "ifconfig ${host_epair} description \"vnet host interface for Bastille jail ${jail_name}\""; + exec.prestart += "ifconfig ${host_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\""; exec.poststop += "ifconfig ${external_interface} deletem ${host_epair}"; exec.poststop += "ifconfig ${host_epair} destroy"; EOF @@ -330,7 +330,7 @@ EOF exec.prestart += "jib addm ${uniq_epair} ${external_interface}"; exec.prestart += "ifconfig e0a_${uniq_epair} ether ${macaddr}a"; exec.prestart += "ifconfig e0b_${uniq_epair} ether ${macaddr}b"; - exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\""; + exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\""; exec.poststop += "jib destroy ${uniq_epair}"; EOF else @@ -339,7 +339,7 @@ EOF vnet; vnet.interface = e0b_${uniq_epair}; exec.prestart += "jib addm ${uniq_epair} ${external_interface}"; - exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\""; + exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\""; exec.poststop += "jib destroy ${uniq_epair}"; EOF fi @@ -365,4 +365,4 @@ checkyesno() { return 1 ;; esac -} \ No newline at end of file +} From a42eb7a05104489afc419d368d9dc6c8535433be Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 11 Mar 2025 20:16:37 -0600 Subject: [PATCH 80/96] network: Quiet grep on remove --- usr/local/share/bastille/network.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 8b924ef5..0ee645c7 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -399,7 +399,7 @@ remove_interface() { fi # Remove interface from /etc/rc.conf - if [ -n "${_if_vnet}" ] && echo ${_if_vnet} 2>/dev/null | grep -Eo 'vnet[0-9]+'; then + if [ -n "${_if_vnet}" ] && echo ${_if_vnet} 2>/dev/null | grep -Eoq 'vnet[0-9]+'; then sed -i '' "/.*${_if_vnet}.*/d" "${_jail_rc_config}" else error_continue "Failed to remove interface from /etc/rc.conf" From 0af6f236d312ac61e65f949b3b3319a6cb86f250 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 13 Mar 2025 15:20:55 -0600 Subject: [PATCH 81/96] docs: Add network to index.rst --- docs/chapters/subcommands/index.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/chapters/subcommands/index.rst b/docs/chapters/subcommands/index.rst index d241ca5a..7ea0739b 100644 --- a/docs/chapters/subcommands/index.rst +++ b/docs/chapters/subcommands/index.rst @@ -23,6 +23,7 @@ Bastille sub-commands limits list mount + network pkg rcp rdr From 57b8760eb313c15808b5c25752295a32ea7d8a79 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 13 Mar 2025 22:11:24 -0600 Subject: [PATCH 82/96] network: Allow passthrough of entire interface --- usr/local/share/bastille/network.sh | 152 ++++++++++++++++++++-------- 1 file changed, 107 insertions(+), 45 deletions(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 0ee645c7..474c59d7 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh 
@@ -41,6 +41,7 @@ usage() { -C | --classic Add an interface to a classic (non-VNET) jail. -M | --static-mac Generate a static MAC address for the interface. -n | --no-ip Create interface without an IP (VNET only). + -P | --passthrough Pass the entire interface through to jail. -V | --vnet Add a VNET interface to an existing jail. -v | --vlan VLANID Add interface with specified VLAN ID (VNET only). -x | --debug Enable debug mode. @@ -51,10 +52,11 @@ EOF # Handle options. AUTO=0 -BRIDGE_VNET_JAIL=0 -CLASSIC_JAIL=0 +BRIDGE=0 +CLASSIC=0 STATIC_MAC=0 -VNET_JAIL=0 +PASSTHROUGH=0 +VNET=0 VLAN_ID="" NO_IP=0 while [ "$#" -gt 0 ]; do @@ -67,11 +69,11 @@ while [ "$#" -gt 0 ]; do shift ;; -B|--bridge) - BRIDGE_VNET_JAIL=1 + BRIDGE=1 shift ;; -C|--classic) - CLASSIC_JAIL=1 + CLASSIC=1 shift ;; -M|--static-mac) @@ -82,8 +84,12 @@ while [ "$#" -gt 0 ]; do NO_IP=1 shift ;; + -P|--passthrough) + PASSTHROUGH=1 + shift + ;; -V|--vnet) - VNET_JAIL=1 + VNET=1 shift ;; -v|--vlan) @@ -102,11 +108,12 @@ while [ "$#" -gt 0 ]; do for _o in $(echo ${1} 2>/dev/null | sed 's/-//g' | fold -w1); do case ${_o} in a) AUTO=1 ;; - B) BRIDGE_VNET_JAIL=1 ;; - C) CLASSIC_JAIL=1 ;; + B) BRIDGE=1 ;; + C) CLASSIC=1 ;; M) STATIC_MAC=1 ;; n) NO_IP=1 ;; - V) VNET_JAIL=1 ;; + P) PASSTHROUGH=1 ;; + V) VNET=1 ;; x) enable_debug ;; *) error_exit "Unknown Option: \"${1}\"" ;; esac 
@@ -122,27 +129,31 @@ done TARGET="${1}" ACTION="${2}" INTERFACE="${3}" -if [ "${NO_IP}" -eq 0 ]; then +if [ "${ACTION}" = "add" ] && [ "${NO_IP}" -eq 0 ] && [ -n "${4}" ]; then IP="${4}" -elif [ "${NO_IP}" -eq 1 ] && [ -z "${4}" ]; then - IP="" -else +elif [ "${NO_IP}" -eq 1 ] && [ -n "${4}" ]; then + error_notify "IP should not be present when using -n|--no-ip." usage +else + IP="" fi if [ "${ACTION}" = "add" ]; then - if { [ "${VNET_JAIL}" -eq 1 ] && [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; } || \ - { [ "${VNET_JAIL}" -eq 1 ] && [ "${CLASSIC_JAIL}" -eq 1 ]; } || \ - { [ "${CLASSIC_JAIL}" -eq 1 ] && [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; } then - error_notify "Error: Only one of [-B|--bridge], [-C|--classic] or [-V|--vnet] should be set." + if { [ "${VNET}" -eq 1 ] && [ "${BRIDGE}" -eq 1 ]; } || \ + { [ "${VNET}" -eq 1 ] && [ "${CLASSIC}" -eq 1 ]; } || \ + { [ "${VNET}" -eq 1 ] && [ "${PASSTHROUGH}" -eq 1 ]; } || \ + { [ "${BRIDGE}" -eq 1 ] && [ "${CLASSIC}" -eq 1 ]; } || \ + { [ "${BRIDGE}" -eq 1 ] && [ "${PASSTHROUGH}" -eq 1 ]; } || \ + { [ "${CLASSIC}" -eq 1 ] && [ "${PASSTHROUGH}" -eq 1 ]; } then + error_notify "Error: Only one of [-B|--bridge], [-C|--classic], [-P|--passthrough] or [-V|--vnet] should be set." usage - elif [ "${VNET_JAIL}" -eq 0 ] && [ "${BRIDGE_VNET_JAIL}" -eq 0 ] && [ "${CLASSIC_JAIL}" -eq 0 ]; then - error_notify "Error: [-C|--classic], [-B|--bridge] or [-V|--vnet] must be set." + elif [ "${VNET}" -eq 0 ] && [ "${BRIDGE}" -eq 0 ] && [ "${CLASSIC}" -eq 0 ] && [ "${PASSTHROUGH}" -eq 0 ]; then + error_notify "Error: [-B|--bridge], [-C|--classic], [-P|--passthrough] or [-V|--vnet] must be set." usage - elif [ "${VNET_JAIL}" -eq 0 ] && [ "${BRIDGE_VNET_JAIL}" -eq 0 ] && [ "${VLAN_ID}" -eq 1 ]; then + elif [ "${VNET}" -eq 0 ] && [ "${BRIDGE}" -eq 0 ] && [ -n "${VLAN_ID}" ]; then error_notify "VLANs can only be used with VNET interfaces." 
usage - elif [ "${VNET_JAIL}" -eq 0 ] && [ "${BRIDGE_VNET_JAIL}" -eq 0 ] && [ "${NO_IP}" -eq 1 ]; then + elif [ "${VNET}" -eq 0 ] && [ "${BRIDGE}" -eq 0 ] && [ "${NO_IP}" -eq 1 ]; then error_notify "[-n|--no-ip] can only be used with VNET jails." usage fi @@ -226,7 +237,7 @@ add_interface() { local _if_vnet="vnet$((_vnet_if_count + 1))" local epair_num_range=$((_epair_if_count + 1)) local bastille_num_range=$((_bastille_if_count + 1)) - if [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; then + if [ "${BRIDGE}" -eq 1 ]; then if [ "${_epair_if_count}" -gt 0 ]; then for _num in $(seq 0 "${epair_num_range}"); do if ! grep -Eosq "epair${_num}" ${bastille_jailsdir}/*/jail.conf && ! ifconfig | grep -Eosq "(e${_num}a|epair${_num}a)"; then @@ -300,7 +311,7 @@ EOF info "[${_jailname}]:" echo "Added interface: \"${_if}\"" - elif [ "${VNET_JAIL}" -eq 1 ]; then + elif [ "${VNET}" -eq 1 ]; then for _num in $(seq 0 "${bastille_num_range}"); do if ! grep -Eq "bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then local bastille_epair="bastille${_num}" 
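Review bot: The reworked guard `elif [ "${VNET}" -eq 0 ] && [ "${BRIDGE}" -eq 0 ] && [ -n "${VLAN_ID}" ]; then` still fires for `-P|--passthrough`, so `-P -v VLANID` is rejected with "VLANs can only be used with VNET interfaces." and, assuming `usage` exits as its other call sites suggest, the passthrough dispatch in the `@@ -499,7 +553,15 @@` hunk that calls `add_vlan` when `VLAN_ID` is set (and the passthrough branch added to add_vlan in the following commit) can never run. The next guard, `elif [ "${VNET}" -eq 0 ] && [ "${BRIDGE}" -eq 0 ] && [ "${NO_IP}" -eq 1 ]; then`, likewise rejects `-P -n` even though the passthrough branch of add_interface handles an empty `_ip`. If passthrough is meant to support both, add `&& [ "${PASSTHROUGH}" -eq 0 ]` to each condition, e.g. `elif [ "${VNET}" -eq 0 ] && [ "${BRIDGE}" -eq 0 ] && [ "${PASSTHROUGH}" -eq 0 ] && [ -n "${VLAN_ID}" ]; then`. The enclosing `if [ "${ACTION}" = "add" ]` block closes after the end of this hunk.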
@@ -346,8 +357,30 @@ EOF info "[${_jailname}]:" echo "Added VNET interface: \"${_if}\"" - - elif [ "${CLASSIC_JAIL}" -eq 1 ]; then + + elif [ "${PASSTHROUGH}" -eq 1 ]; then + # Remove ending brace (it is added again with the netblock) + sed -i '' '/}/d' "${_jail_config}" + # Generate NETBLOCK (static MAC not used on passthrough) + cat << EOF >> "${_jail_config}" + ## ${_if} interface + vnet.interface += ${_if}; +} +EOF + # Add config to /etc/rc.conf + if [ -n "${_ip}" ]; then + # If 0.0.0.0 set DHCP, else set static IP address + if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ]; then + sysrc -f "${_jail_rc_config}" ifconfig_${_if}="SYNCDHCP" + else + sysrc -f "${_jail_rc_config}" ifconfig_${_if}="inet ${_ip}" + fi + fi + + info "[${_jailname}]:" + echo "Added Passthrough interface: \"${_if}\"" + + elif [ "${CLASSIC}" -eq 1 ]; then if [ "${IP6_ENABLE}" -eq 1 ]; then sed -i '' "s/interface = .*/&\n ip6.addr += ${_if}|${_ip};/" ${_jail_config} else 
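Review bot: `sed -i '' '/}/d' "${_jail_config}"` in the new passthrough branch deletes every jail.conf line containing a `}` anywhere, not just the closing brace the comment refers to, so any `exec.*` directive whose command text includes a brace is silently removed from the jail definition. Restricting the pattern to a brace-only line, `sed -i '' '/^[[:space:]]*}[[:space:]]*$/d' "${_jail_config}"`, matches what the comment describes and leaves other lines intact. The branch also writes `sysrc -f "${_jail_rc_config}" ifconfig_${_if}="inet ${_ip}"` with no IPv6 case, so a v6 address accepted by validate_ip ends up with the wrong keyword here as in the bridge and VNET branches. add_interface begins before this hunk.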
@@ -366,26 +399,37 @@ remove_interface() { # Skip next block in case of classic jail if [ "$(bastille config ${TARGET} get vnet)" != "not set" ]; then local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" - if grep ${_if} ${_jail_config} | grep -Eo -m 1 'bastille[0-9]+'; then + if grep -q ${_if} ${_jail_config} | grep -Eoq -m 1 'bastille[0-9]+'; then local _if_bastille_num="$(grep ${_if} ${_jail_config} | grep -Eo -m 1 "bastille[0-9]+" | grep -Eo "[0-9]+")" local _if_jail="e0b_bastille${_if_bastille_num}" _if_type="bastille" - elif grep ${_if} ${_jail_config} | grep -Eo -m 1 "epair[0-9]+"; then + elif grep -q ${_if} ${_jail_config} | grep -Eoq -m 1 "epair[0-9]+"; then local _if_epair_num="$(grep ${_if} ${_jail_config} | grep -Eo -m 1 "epair[0-9]+" | grep -Eo "[0-9]+")" - if grep epair${_if_epair_num}b ${_jail_config} | grep -Eo -m 1 "e${_if_epair_num}b_${_jailname}"; then + if grep -q epair${_if_epair_num}b ${_jail_config} | grep -Eoq -m 1 "e${_if_epair_num}b_${_jailname}"; then local _if_jail="$(grep epair${_if_epair_num}b ${_jail_config} | grep -Eo -m 1 "e${_if_epair_num}b_${_jailname}")" else local _if_jail="epair${_if_epair_num}b" fi _if_type="epair" + elif grep -q "vnet.interface.*${_if};" ${_jail_config}; then + local _if_jail="${_if}" + _if_type="passthrough" else error_exit "Could not find interface inside jail: \"${_if_jail}\"" fi - - if grep -o "${_if_jail}" ${_jail_config}; then - local _if_vnet="$(grep ${_if_jail} ${_jail_rc_config} | grep -Eo 'vnet[0-9]+')" - else - error_exit "Interface not found: ${_if_jail}" + + if [ "${_if_type}" = "bastille" ] || [ "${_if_type}" = "epair" ]; then + if grep -oq "${_if_jail}" ${_jail_config}; then + local _if_vnet="$(grep ${_if_jail} ${_jail_rc_config} | grep -Eo 'vnet[0-9]+')" + else + error_exit "Interface not found: ${_if_jail}" + fi + elif [ "${_if_type}" = "passthrough" ]; then + if grep -oq "${_if_jail}" ${_jail_config}; then + local _if_vnet="${_if_jail}" + else + error_exit "Interface 
not found: ${_if_jail}" + fi fi # Do not allow removing default vnet0 interface @@ -398,13 +442,21 @@ remove_interface() { error_exit "Error: Could not find specifed interface." fi - # Remove interface from /etc/rc.conf - if [ -n "${_if_vnet}" ] && echo ${_if_vnet} 2>/dev/null | grep -Eoq 'vnet[0-9]+'; then - sed -i '' "/.*${_if_vnet}.*/d" "${_jail_rc_config}" - else - error_continue "Failed to remove interface from /etc/rc.conf" + # Remove interface from /etc/rc.conf + if [ "${_if_type}" = "bastille" ] || [ "${_if_type}" = "epair" ]; then + if [ -n "${_if_vnet}" ] && echo ${_if_vnet} 2>/dev/null | grep -Eoq 'vnet[0-9]+'; then + sed -i '' "/.*${_if_vnet}.*/d" "${_jail_rc_config}" + else + error_continue "Failed to remove interface from /etc/rc.conf" + fi + elif [ "${_if_type}" = "passthrough" ]; then + if [ -n "${_if_vnet}" ]; then + sed -i '' "/.*${_if_vnet}.*/d" "${_jail_rc_config}" + else + error_continue "Failed to remove interface from /etc/rc.conf" + fi fi - + # Remove VNET interface from jail.conf (VNET) if [ -n "${_if_jail}" ]; then if [ "${_if_type}" = "epair" ]; then @@ -414,6 +466,8 @@ remove_interface() { elif [ "${_if_type}" = "bastille" ]; then sed -i '' "/.*${_if_jail}.*/d" "${_jail_config}" sed -i '' "/.*bastille${_if_bastille_num}.*/d" "${_jail_config}" + elif [ "${_if_type}" = "passthrough" ]; then + sed -i '' "/.*${_if_jail}.*/d" "${_jail_config}" fi else error_exit "Failed to remove interface from jail.conf" 
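Review bot: `if grep -q ${_if} ${_jail_config} | grep -Eoq -m 1 'bastille[0-9]+'; then` can never be true: `grep -q` writes nothing to stdout, so the second grep reads an empty stream and returns 1, and the pipeline's status is that of its last command. The same construction is used for the `epair[0-9]+` test and for the `e${_if_epair_num}b_${_jailname}` test in this hunk, so every bastille/epair interface now falls through to the new passthrough test or to the `Could not find interface inside jail` exit. Keep `-q` only on the final grep of each pipeline, e.g. `if grep ${_if} ${_jail_config} | grep -Eq -m 1 'bastille[0-9]+'; then`, and likewise for the other two. remove_interface begins before this hunk and continues past it.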
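Review bot: `sed -i '' "/.*${_if_vnet}.*/d" "${_jail_rc_config}"` in both new branches of the `@@ -398,13 +442,21 @@` hunk is an unanchored substring match, so removing `vnet1` also deletes the rc.conf lines of `vnet10` through `vnet19`, and in the passthrough branch, where `_if_vnet` is the raw interface name, removing `bridge1` would take `bridge10` with it. The jail.conf deletions in the `@@ -414,6 +466,8 @@` hunk (`sed -i '' "/.*${_if_jail}.*/d" "${_jail_config}"`) have the same shape. Terminate the name with a non-digit or end of line so it only matches itself and its own `_name`/`_VLAN` suffixes, e.g. `sed -i '' -E "/${_if_vnet}([^0-9]|$)/d" "${_jail_rc_config}"`. Both hunks are inside remove_interface, whose boundaries are outside them.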
@@ -442,10 +496,10 @@ add_vlan() { local _vlan_id="${4}" local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf" local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf" - if [ "${VNET_JAIL}" -eq 1 ]; then + if [ "${VNET}" -eq 1 ]; then local _jail_epair_num="$(grep ${_interface} ${_jail_config} | grep -Eo -m 1 "bastille[0-9]+" | grep -Eo "[0-9]+")" local _jail_vnet="$(grep "e0b_bastille${_jail_epair_num}_name" ${_jail_rc_config} | grep -Eo "vnet[0-9]+")" - elif [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; then + elif [ "${BRIDGE}" -eq 1 ]; then local _jail_epair_num="$(grep ${_interface} ${_jail_config} | grep -Eo -m 1 "epair[0-9]+" | grep -Eo "[0-9]+")" local _jail_vnet="$(grep "e.*${_jail_epair_num}b.*_name" ${_jail_rc_config} | grep -Eo "vnet[0-9]+")" fi @@ -467,7 +521,7 @@ case "${ACTION}" in validate_netif "${INTERFACE}" if check_interface_added "${TARGET}" "${INTERFACE}" && [ -z "${VLAN_ID}" ]; then error_exit "Interface is already added: \"${INTERFACE}\"" - elif { [ "${VNET_JAIL}" -eq 1 ] || [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; } && [ -n "${VLAN_ID}" ]; then + elif { [ "${VNET}" -eq 1 ] || [ "${BRIDGE}" -eq 1 ]; } && [ -n "${VLAN_ID}" ]; then add_vlan "${TARGET}" "${INTERFACE}" "${IP}" "${VLAN_ID}" exit 0 fi @@ -475,7 +529,7 @@ case "${ACTION}" in if [ -n "${IP}" ]; then validate_ip "${IP}" fi - if [ "${VNET_JAIL}" -eq 1 ]; then + if [ "${VNET}" -eq 1 ]; then if ifconfig -g bridge | grep -owq "${INTERFACE}"; then error_exit "\"${INTERFACE}\" is a bridge interface." else @@ -487,7 +541,7 @@ case "${ACTION}" in bastille start "${TARGET}" fi fi - elif [ "${BRIDGE_VNET_JAIL}" -eq 1 ]; then + elif [ "${BRIDGE}" -eq 1 ]; then if ! ifconfig -g bridge | grep -owq "${INTERFACE}"; then error_exit "\"${INTERFACE}\" is not a bridge interface." else 
@@ -499,7 +553,15 @@ case "${ACTION}" in bastille start "${TARGET}" fi fi - elif [ "${CLASSIC_JAIL}" -eq 1 ]; then + elif [ "${PASSTHROUGH}" -eq 1 ]; then + add_interface "${TARGET}" "${INTERFACE}" "${IP}" + if [ -n "${VLAN_ID}" ]; then + add_vlan "${TARGET}" "${INTERFACE}" "${IP}" "${VLAN_ID}" + fi + if [ "${AUTO}" -eq 1 ]; then + bastille start "${TARGET}" + fi + elif [ "${CLASSIC}" -eq 1 ]; then if [ "$(bastille config ${TARGET} get vnet)" != "not set" ]; then error_exit "Error: ${TARGET} is a VNET jail." else From 1e188d09feee92cf4da53a1102cecb148d64d63a Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 13 Mar 2025 22:16:39 -0600 Subject: [PATCH 83/96] network: One more VLAN change for passthrough --- usr/local/share/bastille/network.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh index 474c59d7..7b6bcbe1 100644 --- a/usr/local/share/bastille/network.sh +++ b/usr/local/share/bastille/network.sh @@ -41,7 +41,7 @@ usage() { -C | --classic Add an interface to a classic (non-VNET) jail. -M | --static-mac Generate a static MAC address for the interface. -n | --no-ip Create interface without an IP (VNET only). - -P | --passthrough Pass the entire interface through to jail. + -P | --passthrough Pass the entire interface througg to the jail. -V | --vnet Add a VNET interface to an existing jail. -v | --vlan VLANID Add interface with specified VLAN ID (VNET only). -x | --debug Enable debug mode. 
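Review bot: The new help line `-P | --passthrough Pass the entire interface througg to the jail.` misspells "through"; since this text is printed to users by usage() it should read `-P | --passthrough Pass the entire interface through to the jail.`. The same misspelling is copied into docs/chapters/subcommands/network.rst in the following commit, so both should be corrected together.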
@@ -502,6 +502,8 @@ add_vlan() { elif [ "${BRIDGE}" -eq 1 ]; then local _jail_epair_num="$(grep ${_interface} ${_jail_config} | grep -Eo -m 1 "epair[0-9]+" | grep -Eo "[0-9]+")" local _jail_vnet="$(grep "e.*${_jail_epair_num}b.*_name" ${_jail_rc_config} | grep -Eo "vnet[0-9]+")" + elif [ "${PASSTHROUGH}" -eq 1 ]; then + local _jail_vnet="${_interface}" fi if grep -Eq "ifconfig_${_jail_vnet}_${_vlan_id}" "${bastille_jailsdir}/${_jailname}/root/etc/rc.conf"; then error_exit "VLAN has already been added: VLAN ${_vlan_id}" From d28f416809c6d446201a7cf77ed98915072fce9d Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 13 Mar 2025 22:21:56 -0600 Subject: [PATCH 84/96] docs: Document -P --- docs/chapters/subcommands/network.rst | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/chapters/subcommands/network.rst b/docs/chapters/subcommands/network.rst index e8e5f884..989ce15a 100644 --- a/docs/chapters/subcommands/network.rst +++ b/docs/chapters/subcommands/network.rst @@ -11,6 +11,10 @@ You can only add an interface once to a jail, with two exceptions. Bridges and VNET interfaces can be added to VNET jails, no matter if they were created with `-V` or `-B`. +It is possible to passthrough an entire interface from the host to the jail. This will make the interface fully available without the need for additional configuration. It will be available inside the jail just like it would be on the host. Adding an interface using this method will render it only available inside the jail. It will not be present on the host until the jail is stopped. + +When cloning a jail that has a `-P|--passthrough` interface, you will have warnings when running both jails at the same time. The first jail to start will be assigned the interface, and since it will no longer be available to the host, it will not be possible to add it to the second jail. + .. code-block:: shell ishmael ~ # bastille network help 
@@ -21,7 +25,8 @@ Bridges and VNET interfaces can be added to VNET jails, no matter if they were c
 -B | --bridge Add a bridged VNET interface to an existing jail.
 -C | --classic Add an interface to a classic (non-VNET) jail.
 -M | --static-mac Generate a static MAC address for the interface.
- -n | --no-ip Create interface without an IP (VLAN+VNET only).
+ -n | --no-ip Create interface without an IP (VNET only).
+ -P | --passthrough Pass the entire interface througg to the jail.
 -V | --vnet Add a VNET interface to an existing jail.
 -v | --vlan VLANID Add interface with specified VLAN ID (VNET only).
 -x | --debug Enable debug mode.
From 694a43bed006725cc5869688590e5fe899429e27 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Thu, 13 Mar 2025 22:27:05 -0600
Subject: [PATCH 85/96] docs: Document removal of passthrough interface
---
 docs/chapters/subcommands/network.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/chapters/subcommands/network.rst b/docs/chapters/subcommands/network.rst
index 989ce15a..0bce3556 100644
--- a/docs/chapters/subcommands/network.rst
+++ b/docs/chapters/subcommands/network.rst
@@ -11,9 +11,9 @@ You can only add an interface once to a jail, with two exceptions.
 Bridges and VNET interfaces can be added to VNET jails, no matter if they were created with `-V` or `-B`.
-It is possible to passthrough an entire interface from the host to the jail. This will make the interface fully available without the need for additional configuration. It will be available inside the jail just like it would be on the host. Adding an interface using this method will render it only available inside the jail. It will not be present on the host until the jail is stopped.
+It is possible to passthrough an entire interface from the host to the jail using the `-P|--passthrough` option. This will make the interface fully available without the need for additional configuration. It will be available inside the jail just like it would be on the host. Adding an interface using this method will render it only available inside the jail. It will not be present on the host until the jail is stopped.
-When cloning a jail that has a `-P|--passthrough` interface, you will have warnings when running both jails at the same time. The first jail to start will be assigned the interface, and since it will no longer be available to the host, it will not be possible to add it to the second jail.
+When cloning a jail that has a `-P|--passthrough` interface, you will have warnings when running both jails at the same time. The first jail to start will be assigned the interface, and since it will no longer be available to the host, it will not be possible to add it to the second jail. To solve this, you must manually remove the interface from the jail.conf file, or running `bastille network TARGET remove INTERFACE` while both jails are stopped.
 .. code-block:: shell
From ae4b1182f4198698c782cc43bcdebc63e5da1c44 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Thu, 13 Mar 2025 22:27:27 -0600
Subject: [PATCH 86/96] docs: network - typo
---
 docs/chapters/subcommands/network.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/chapters/subcommands/network.rst b/docs/chapters/subcommands/network.rst
index 0bce3556..13c4bb55 100644
--- a/docs/chapters/subcommands/network.rst
+++ b/docs/chapters/subcommands/network.rst
@@ -26,7 +26,7 @@ When cloning a jail that has a `-P|--passthrough` interface, you will have warni
 -C | --classic Add an interface to a classic (non-VNET) jail.
 -M | --static-mac Generate a static MAC address for the interface.
 -n | --no-ip Create interface without an IP (VNET only).
- -P | --passthrough Pass the entire interface througg to the jail.
+ -P | --passthrough Pass the entire interface through to the jail.
 -V | --vnet Add a VNET interface to an existing jail.
 -v | --vlan VLANID Add interface with specified VLAN ID (VNET only).
 -x | --debug Enable debug mode.
From daa19bd152fa0bf71498723858294e4ca528fe5d Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Thu, 13 Mar 2025 22:27:54 -0600
Subject: [PATCH 87/96] network: Typo
---
 usr/local/share/bastille/network.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh
index 7b6bcbe1..b51b0444 100644
--- a/usr/local/share/bastille/network.sh
+++ b/usr/local/share/bastille/network.sh
@@ -41,7 +41,7 @@ usage() {
 -C | --classic Add an interface to a classic (non-VNET) jail.
 -M | --static-mac Generate a static MAC address for the interface.
 -n | --no-ip Create interface without an IP (VNET only).
- -P | --passthrough Pass the entire interface througg to the jail.
+ -P | --passthrough Pass the entire interface through to the jail.
 -V | --vnet Add a VNET interface to an existing jail.
 -v | --vlan VLANID Add interface with specified VLAN ID (VNET only).
 -x | --debug Enable debug mode.
From 4cb14ebbdb9f0ffce9e3fa5b8f69fcfe6c823004 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Fri, 14 Mar 2025 15:53:24 -0600
Subject: [PATCH 88/96] network: Allow VLANs with passthrough and don't allow VNET with classic jails
---
 usr/local/share/bastille/network.sh | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh
index b51b0444..8b27e8c5 100644
--- a/usr/local/share/bastille/network.sh
+++ b/usr/local/share/bastille/network.sh
@@ -150,7 +150,7 @@ if [ "${ACTION}" = "add" ]; then
 elif [ "${VNET}" -eq 0 ] && [ "${BRIDGE}" -eq 0 ] && [ "${CLASSIC}" -eq 0 ] && [ "${PASSTHROUGH}" -eq 0 ]; then
 error_notify "Error: [-B|--bridge], [-C|--classic], [-P|--passthrough] or [-V|--vnet] must be set."
 usage
- elif [ "${VNET}" -eq 0 ] && [ "${BRIDGE}" -eq 0 ] && [ -n "${VLAN_ID}" ]; then
+ elif [ "${VNET}" -eq 0 ] && [ "${BRIDGE}" -eq 0 ] && [ "${PASSTHROUGH}" -eq 0 ] && [ -n "${VLAN_ID}" ]; then
 error_notify "VLANs can only be used with VNET interfaces."
 usage
 elif [ "${VNET}" -eq 0 ] && [ "${BRIDGE}" -eq 0 ] && [ "${NO_IP}" -eq 1 ]; then
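Review bot: The relaxed condition now lets `-v` through together with `-P`, but the message on the next line still reads `VLANs can only be used with VNET interfaces.`, and the `-v | --vlan` usage line in this same file (hunk at -41 earlier in the series) still says `(VNET only)`, so a user combining `-C` with `-v` is told a rule that no longer matches the code. Update the two strings together, e.g. `error_notify "VLANs can only be used with VNET, bridge or passthrough interfaces."` and `-v | --vlan VLANID Add interface with specified VLAN ID (VNET jails only).`; the copy of the usage block in docs/chapters/subcommands/network.rst carries the same text. The `if [ "${ACTION}" = "add" ]` chain starts and ends outside this hunk.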
@@ -529,10 +529,12 @@ case "${ACTION}" in
 fi
 ## validate IP if not empty
 if [ -n "${IP}" ]; then
- validate_ip "${IP}"
+ validate_ip "${IP}"
 fi
 if [ "${VNET}" -eq 1 ]; then
- if ifconfig -g bridge | grep -owq "${INTERFACE}"; then
+ if [ "$(bastille config ${TARGET} get vnet)" = "not set" ]; then
+ error_exit "Error: ${TARGET} is not a VNET jail."
+ elif ifconfig -g bridge | grep -owq "${INTERFACE}"; then
 error_exit "\"${INTERFACE}\" is a bridge interface."
 else
 add_interface "${TARGET}" "${INTERFACE}" "${IP}"
@@ -544,7 +546,9 @@ case "${ACTION}" in
 fi
 fi
 elif [ "${BRIDGE}" -eq 1 ]; then
- if ! ifconfig -g bridge | grep -owq "${INTERFACE}"; then
+ if [ "$(bastille config ${TARGET} get vnet)" = "not set" ]; then
+ error_exit "Error: ${TARGET} is not a VNET jail."
+ elif ! ifconfig -g bridge | grep -owq "${INTERFACE}"; then
 error_exit "\"${INTERFACE}\" is not a bridge interface."
 else
 add_interface "${TARGET}" "${INTERFACE}" "${IP}"
@@ -556,8 +560,12 @@ case "${ACTION}" in
 fi
 fi
 elif [ "${PASSTHROUGH}" -eq 1 ]; then
- add_interface "${TARGET}" "${INTERFACE}" "${IP}"
- if [ -n "${VLAN_ID}" ]; then
+ if [ "$(bastille config ${TARGET} get vnet)" = "not set" ]; then
+ error_exit "Error: ${TARGET} is not a VNET jail."
+ else
+ add_interface "${TARGET}" "${INTERFACE}" "${IP}"
+ fi
+ if [ -n "${VLAN_ID}" ]; then
 add_vlan "${TARGET}" "${INTERFACE}" "${IP}" "${VLAN_ID}"
 fi
 if [ "${AUTO}" -eq 1 ]; then
From fc48b3300725dc36ee5fdd36dc3e9beb363426e5 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Sun, 16 Mar 2025 09:18:34 -0600
Subject: [PATCH 89/96] network: Fix VLAN on passthrough
---
 usr/local/share/bastille/network.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/local/share/bastille/network.sh b/usr/local/share/bastille/network.sh
index 8b27e8c5..54d52738 100644
--- a/usr/local/share/bastille/network.sh
+++ b/usr/local/share/bastille/network.sh
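Review bot: The same `bastille config ${TARGET} get vnet` test and `is not a VNET jail` message are now copied into the VNET, bridge and passthrough branches (the hunks at -529, -544 and -556), and each copy forks a subprocess and leaves `${TARGET}` unquoted (SC2086). Hoisting the check once above the branch chain leaves a single string to maintain and a single place to fix the quoting; the classic branch, which tests the opposite condition, is untouched. In the -556 hunk the `else` around `add_interface` is also redundant once `error_exit` terminates, as its name suggests. The case arm starts and ends outside these hunks.
```shell
# … unchanged: validate_ip block …
if [ "${VNET}" -eq 1 ] || [ "${BRIDGE}" -eq 1 ] || [ "${PASSTHROUGH}" -eq 1 ]; then
    if [ "$(bastille config "${TARGET}" get vnet)" = "not set" ]; then
        error_exit "Error: ${TARGET} is not a VNET jail."
    fi
fi
if [ "${VNET}" -eq 1 ]; then
    if ifconfig -g bridge | grep -owq "${INTERFACE}"; then
# … unchanged: VNET, bridge and passthrough branches without their per-branch vnet test …
```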
@@ -523,7 +523,7 @@ case "${ACTION}" in
 validate_netif "${INTERFACE}"
 if check_interface_added "${TARGET}" "${INTERFACE}" && [ -z "${VLAN_ID}" ]; then
 error_exit "Interface is already added: \"${INTERFACE}\""
- elif { [ "${VNET}" -eq 1 ] || [ "${BRIDGE}" -eq 1 ]; } && [ -n "${VLAN_ID}" ]; then
+ elif { [ "${VNET}" -eq 1 ] || [ "${BRIDGE}" -eq 1 ] || [ "${PASSTHROUGH}" -eq 1 ]; } && [ -n "${VLAN_ID}" ]; then
 add_vlan "${TARGET}" "${INTERFACE}" "${IP}" "${VLAN_ID}"
 exit 0
 fi
From 47faf79f3af909dcbd2ba680da2afc235824869d Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Thu, 20 Mar 2025 17:31:26 -0600
Subject: [PATCH 90/96] clone: Fix old style interface to new style
---
 usr/local/share/bastille/clone.sh | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh
index 0db63835..f278dd15 100644
--- a/usr/local/share/bastille/clone.sh
+++ b/usr/local/share/bastille/clone.sh
@@ -153,13 +153,22 @@ update_jailconf() {
 else
 _ip4="$(bastille config ${TARGET} get ip4.addr | sed 's/,/ /g')"
 _ip6="$(bastille config ${TARGET} get ip6.addr | sed 's/,/ /g')"
+ _interface="$(bastille config ${TARGET} get interface)"
+ # Remove old style interface naming in place of new if|ip style
+ if [ "${_interface}" != "not set" ]; then
+ sed -i '' "/.*interface = .*/d" "${JAIL_CONFIG}"
+ fi
 # IP4
 if [ "${_ip4}" != "not set" ]; then
 for _ip in ${_ip4}; do
 if echo ${_ip} | grep -q "|"; then
 _ip="$(echo ${_ip} | awk -F"|" '{print $2}')"
 fi
- sed -i '' "/ip4.addr = .*/ s/${_ip}/${IP}/" "${JAIL_CONFIG}"
+ if [ "${_interface}" != "not set" ]; then
+ sed -i '' "s/.*${_interface} = .*/ ip4.addr = ${_interface}|${IP};/" "${JAIL_CONFIG}"
+ else
+ sed -i '' "/ip4.addr = .*/ s/${_ip}/${IP}/" "${JAIL_CONFIG}"
+ fi
 sed -i '' "/ip4.addr += .*/ s/${_ip}/127.0.0.1/" "${JAIL_CONFIG}"
 done
 fi
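Review bot: After this change every `-P ... -v VLANID` request takes this `elif` and exits, so the `if [ -n "${VLAN_ID}" ]; then add_vlan` block inside the passthrough branch further down (the -556 hunk of the previous commit) can no longer run, and a passthrough interface that has not been added yet goes straight to add_vlan without add_interface ever being called — unless add_vlan adds the interface itself, which its visible part does not show. Either gate this branch on the interface already being present, by prefixing its condition with `check_interface_added "${TARGET}" "${INTERFACE}" &&`, or drop the unreachable VLAN block from the passthrough branch. The `exit 0` also skips the `AUTO` start that the add path below honours, which may or may not be intended. The case arm starts and ends outside this hunk.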
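Review bot: `${_interface}` and `${IP}` are spliced unescaped into the new `sed` expression `s/.*${_interface} = .*/ ip4.addr = ${_interface}|${IP};/` (and its ip6 twin in the next hunk): if `${IP}` can carry a CIDR suffix such as `10.0.0.2/24`, the `/` terminates the `s` command and sed fails, and a `.` in an interface name matches any character (the pre-existing `s/${_ip}/${IP}/` lines share both weaknesses). A delimiter that cannot appear in either value avoids the first problem, e.g. `sed -i '' "s#.*${_interface} = .*# ip4.addr = ${_interface}|${IP};#" "${JAIL_CONFIG}"` (the pattern half is revised by a later commit in this series; the delimiter point survives it). The `/.*interface = .*/d` deletion above it is likewise unanchored and removes any jail.conf line containing `interface = `, which is fine only if no other key can end that way. update_jailconf starts and ends outside this hunk.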
@@ -169,7 +178,11 @@ update_jailconf() {
 if echo ${_ip} | grep -q "|"; then
 _ip="$(echo ${_ip} | awk -F"|" '{print $2}')"
 fi
- sed -i '' "/ip6.addr = .*/ s/${_ip}/${IP}/" "${JAIL_CONFIG}"
+ if [ "${_interface}" != "not set" ]; then
+ sed -i '' "s/.*${_interface} = .*/ ip6.addr = ${_interface}|${IP};/" "${JAIL_CONFIG}"
+ else
+ sed -i '' "/ip6.addr = .*/ s/${_ip}/${IP}/" "${JAIL_CONFIG}"
+ fi
 sed -i '' "/ip6.addr += .*/ s/${_ip}/127.0.0.1/" "${JAIL_CONFIG}"
 sed -i '' "s/ip6 = .*/ip6 = ${IP6_MODE};/" "${JAIL_CONFIG}"
 done
From 0f3b5baf83215a6097fba610b33c056cd676c9b0 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Fri, 21 Mar 2025 05:43:04 -0600
Subject: [PATCH 91/96] clone: Fix old to new interface style
---
 usr/local/share/bastille/clone.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh
index f278dd15..1ac64bca 100644
--- a/usr/local/share/bastille/clone.sh
+++ b/usr/local/share/bastille/clone.sh
@@ -165,7 +165,7 @@ update_jailconf() {
 _ip="$(echo ${_ip} | awk -F"|" '{print $2}')"
 fi
 if [ "${_interface}" != "not set" ]; then
- sed -i '' "s/.*${_interface} = .*/ ip4.addr = ${_interface}|${IP};/" "${JAIL_CONFIG}"
+ sed -i '' "s/.*ip4.addr = .*/ ip4.addr = ${_interface}|${IP};/" "${JAIL_CONFIG}"
 else
 sed -i '' "/ip4.addr = .*/ s/${_ip}/${IP}/" "${JAIL_CONFIG}"
 fi
From b319cd714242c861af6e46208182398aec155510 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Fri, 21 Mar 2025 09:35:37 -0600
Subject: [PATCH 92/96] limits: Fix log not updating on editing a rule
---
 usr/local/share/bastille/limits.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh
index 0418ffd7..2c794772 100644
--- a/usr/local/share/bastille/limits.sh
+++ b/usr/local/share/bastille/limits.sh
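Review bot: Only the ip4 substitution is corrected in this commit; the ip6 twin added by the previous commit, `sed -i '' "s/.*${_interface} = .*/ ip6.addr = ${_interface}|${IP};/"`, still keys on `${_interface} = `, and because the `interface = ...;` line was already deleted a few lines earlier in update_jailconf that pattern matches nothing, so the clone's `ip6.addr` line keeps the source jail's address. Apply the same change there: `sed -i '' "s/.*ip6.addr = .*/ ip6.addr = ${_interface}|${IP};/" "${JAIL_CONFIG}"`. update_jailconf starts and ends outside this hunk.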
@@ -111,7 +111,9 @@ for _jail in ${JAILS}; do
 if grep -qs "jail:${_jail}:${OPTION}:deny" "${bastille_jailsdir}/${_jail}/rctl.conf"; then
 _escaped_option=$(echo "${OPTION}" | sed 's/\//\\\//g')
 _escaped_rctl_rule=$(echo "${_rctl_rule}" | sed 's/\//\\\//g')
- sed -i '' -E "s/jail:${_jail}:${_escaped_option}:deny.+/${_escaped_rctl_rule}/" "${bastille_jailsdir}/${_jail}/rctl.conf"
+ _escaped_rctl_rule_log=$(echo "${_rctl_rule_log}" | sed 's/\//\\\//g')
+ sed -i '' -E "s/jail:${_jail}:${_escaped_option}:deny.+/${_escaped_rctl_rule}/" "${bastille_jailsdir}/${_jail}/rctl.conf"
+ sed -i '' -E "s/jail:${_jail}:${_escaped_option}:log.+/${_escaped_rctl_rule_log}/" "${bastille_jailsdir}/${_jail}/rctl.conf"
 else # Just append the entry. -- cwells
 echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
 echo "${_rctl_rule_log}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
From d0421eaddd317c559b7fcd7c317b4e532d9364e8 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Fri, 21 Mar 2025 17:43:20 -0600
Subject: [PATCH 93/96] list: Properly list vlan IPs
---
 usr/local/share/bastille/list.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh
index c01875ab..12d1fc7e 100644
--- a/usr/local/share/bastille/list.sh
+++ b/usr/local/share/bastille/list.sh
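Review bot: The new `:log.+` substitution is a silent no-op when rctl.conf holds a `deny` entry for the option but no matching `log` entry (rules written before log lines were appended, or a hand-edited file), so such a jail never receives its log rule, and the append branch below only runs when the deny rule is absent. After the two `sed` calls, fall back to appending: `if ! grep -qs "jail:${_jail}:${OPTION}:log" "${bastille_jailsdir}/${_jail}/rctl.conf"; then echo "${_rctl_rule_log}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"; fi`. The escaping helper only handles `/`; an `&` in a rule value would be expanded by sed's replacement, which is unlikely for rctl syntax but worth a comment. The enclosing `for _jail` loop starts and ends outside this hunk.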
@@ -98,8 +98,8 @@ list_all(){
 if [ "$(/usr/sbin/jls name | awk "/^${JAIL_NAME}$/")" ]; then
 JAIL_STATE="Up"
 if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then
- JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -n vnet0 inet 2> /dev/null | sed -n "/.inet /{s///;s/ .*//;p;}")
- if [ ! "${JAIL_IP}" ]; then JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -n vnet0 inet6 2> /dev/null | awk '/inet6 / && (!/fe80::/ || !/%vnet0/)' | sed -n "/.inet6 /{s///;s/ .*//;p;}"); fi
+ JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -an | grep -v "127.0.0.1" | grep "inet " | awk '{print $2}')
+ if [ ! "${JAIL_IP}" ]; then JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -an | grep -v "lo0" | awk '{print $2}'); fi
 else
 JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip4.addr 2> /dev/null)
 if [ "${JAIL_IP}" = "-" ]; then JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip6.addr 2> /dev/null); fi
@@ -116,7 +116,7 @@ list_all(){
 else
 JAIL_STATE=$(if [ "$(sed -n "/^${JAIL_NAME} {$/,/^}$/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | awk '$0 ~ /^'${JAIL_NAME}' \{|\}/ { printf "%s",$0 }')" = "${JAIL_NAME} {}" ]; then echo "Down"; else echo "n/a"; fi)
 if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then
- JAIL_IP=$(sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' "${bastille_jailsdir}/${JAIL_NAME}/root/etc/rc.conf" 2> /dev/null | sed "s/\// /g" | awk '{ if ($1 ~ /^[inet|inet6]/) print $2; else print $1 }')
+ JAIL_IP=$(grep -E "^ifconfig_vnet.*inet.*" "${bastille_jailsdir}/${JAIL_NAME}/root/etc/rc.conf" 2> /dev/null | grep -o inet.* | awk '{print $2}')
 else
 JAIL_IP=$(sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | sed "s/\// /g" | awk '{ print $1 }')
 fi
From 57296e8da2c00e783e18decd74e920122aaebbc3 Mon Sep 17 00:00:00 2001
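Review bot: The new IPv6 fallback `ifconfig -an | grep -v "lo0" | awk '{print $2}'` no longer filters on `inet6 `, so when the jail has no IPv4 address it emits the second word of every ifconfig line that does not mention lo0 — flag words, `ether` MACs, `media` values — and that text ends up in the IP column; the removed line also excluded link-local addresses, which the new one does not. Keep the address filter: `if [ ! "${JAIL_IP}" ]; then JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -an | grep "inet6 " | grep -v "fe80::" | awk '{print $2}'); fi`. The primary line's `grep -v "127.0.0.1"` is a substring test; anchoring it as `grep -v "inet 127\."` drops the whole loopback range without relying on the exact address. list_all starts and ends outside this hunk.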
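Review bot: The rewritten rc.conf lookup in the -116 hunk only returns lines containing `inet`, so a stopped VNET jail configured with `ifconfig_vnet0="DHCP"` or `SYNCDHCP` now shows an empty IP column, where the replaced `sed`/`awk` pipeline printed the first word of the value. If that is intended, a one-line comment would save the next reader a diff archaeology, e.g. `# Stopped VNET jails: show static inet/inet6 addresses only; DHCP entries have no address to list.`; otherwise keep the old `else print $1` fallback for values without `inet`. list_all starts and ends outside this hunk.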
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Fri, 21 Mar 2025 17:46:25 -0600
Subject: [PATCH 94/96] list: Fix shellcheck
---
 usr/local/share/bastille/list.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh
index 12d1fc7e..28233fe6 100644
--- a/usr/local/share/bastille/list.sh
+++ b/usr/local/share/bastille/list.sh
@@ -116,7 +116,7 @@ list_all(){
 else
 JAIL_STATE=$(if [ "$(sed -n "/^${JAIL_NAME} {$/,/^}$/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | awk '$0 ~ /^'${JAIL_NAME}' \{|\}/ { printf "%s",$0 }')" = "${JAIL_NAME} {}" ]; then echo "Down"; else echo "n/a"; fi)
 if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then
- JAIL_IP=$(grep -E "^ifconfig_vnet.*inet.*" "${bastille_jailsdir}/${JAIL_NAME}/root/etc/rc.conf" 2> /dev/null | grep -o inet.* | awk '{print $2}')
+ JAIL_IP=$(grep -E "^ifconfig_vnet.*inet.*" "${bastille_jailsdir}/${JAIL_NAME}/root/etc/rc.conf" 2> /dev/null | grep -o "inet.*" | awk '{print $2}')
 else
 JAIL_IP=$(sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | sed "s/\// /g" | awk '{ print $1 }')
 fi
From 660b545f9da962250dc577c4e8d47c8c24177cf8 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Sat, 22 Mar 2025 09:09:37 -0600
Subject: [PATCH 95/96] list: Fix listing of JID on multiple IPs
---
 usr/local/share/bastille/list.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh
index 28233fe6..2e26f5ea 100644
--- a/usr/local/share/bastille/list.sh
+++ b/usr/local/share/bastille/list.sh
@@ -157,7 +157,7 @@ list_all(){
 # 10.10.10.11
 # 10.10.10.12
 FIRST_IP="$(echo "${JAIL_IP}" | head -n 1)"
- printf " ${JAIL_NAME}%*s${JAIL_STATE}%*s${FIRST_IP}%*s${JAIL_PORTS}%*s${JAIL_HOSTNAME}%*s${JAIL_RELEASE}%*s${JAIL_PATH}\n" "$((${MAX_LENGTH_JAIL_NAME} - ${#JAIL_NAME} + ${SPACER}))" "" "$((5 - ${#JAIL_STATE} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} - ${#FIRST_IP} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_PORTS} - ${#JAIL_PORTS} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} - ${#JAIL_HOSTNAME} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_RELEASE} - ${#JAIL_RELEASE} + ${SPACER}))" ""
+ printf " ${JID}%*s${JAIL_STATE}%*s${FIRST_IP}%*s${JAIL_PORTS}%*s${JAIL_HOSTNAME}%*s${JAIL_RELEASE}%*s${JAIL_PATH}\n" "$((${MAX_LENGTH_JID} - ${#JID} + ${SPACER}))" "" "$((5 - ${#JAIL_STATE} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} - ${#FIRST_IP} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_PORTS} - ${#JAIL_PORTS} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} - ${#JAIL_HOSTNAME} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_RELEASE} - ${#JAIL_RELEASE} + ${SPACER}))" ""
 for IP in $(echo "${JAIL_IP}" | tail -n +2); do
 printf "%*s %*s${IP}\n" "$((${MAX_LENGTH_JAIL_NAME} + ${SPACER}))" "" "$((5 + ${SPACER}))" ""
 done
From 690121ce96597ff30e75a1fbc98fb44ada89b473 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Sat, 22 Mar 2025 09:22:53 -0600
Subject: [PATCH 96/96] Update list.sh
---
 usr/local/share/bastille/list.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh
index 2e26f5ea..5f8ada26 100644
--- a/usr/local/share/bastille/list.sh
+++ b/usr/local/share/bastille/list.sh
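Review bot: The rewritten `printf` still carries `${JID}`, `${JAIL_HOSTNAME}`, `${JAIL_PATH}` and the other fields inside the format string, so a `%` in a hostname, path or release name is parsed as a conversion and shifts or corrupts the row (SC2059); since the line is being touched anyway, moving the values into `%s` arguments costs little. Replace each `${VAR}` in the format with `%s` and pass the variable as the matching argument, keeping the existing width/`""` pairs in place, i.e. `printf " %s%*s%s%*s%s%*s%s%*s%s%*s%s%*s%s\n" "${JID}" "$((${MAX_LENGTH_JID} - ${#JID} + ${SPACER}))" "" "${JAIL_STATE}" ...` and so on through `"${JAIL_PATH}"`. The continuation `printf` in the `for IP` loop and the `else` branch's `printf` have the same shape and deserve the same treatment. list_all starts and ends outside this hunk.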
@@ -159,7 +159,7 @@ list_all(){
 FIRST_IP="$(echo "${JAIL_IP}" | head -n 1)"
 printf " ${JID}%*s${JAIL_STATE}%*s${FIRST_IP}%*s${JAIL_PORTS}%*s${JAIL_HOSTNAME}%*s${JAIL_RELEASE}%*s${JAIL_PATH}\n" "$((${MAX_LENGTH_JID} - ${#JID} + ${SPACER}))" "" "$((5 - ${#JAIL_STATE} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} - ${#FIRST_IP} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_PORTS} - ${#JAIL_PORTS} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} - ${#JAIL_HOSTNAME} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_RELEASE} - ${#JAIL_RELEASE} + ${SPACER}))" ""
 for IP in $(echo "${JAIL_IP}" | tail -n +2); do
- printf "%*s %*s${IP}\n" "$((${MAX_LENGTH_JAIL_NAME} + ${SPACER}))" "" "$((5 + ${SPACER}))" ""
+ printf " %*s%*s${IP}\n" "$((${MAX_LENGTH_JID} + ${SPACER}))" "" "$((5 + ${SPACER}))" ""
 done
 else
 printf " ${JID}%*s${JAIL_STATE}%*s${JAIL_IP}%*s${JAIL_PORTS}%*s${JAIL_HOSTNAME}%*s${JAIL_RELEASE}%*s${JAIL_PATH}\n" "$((${MAX_LENGTH_JID} - ${#JID} + ${SPACER}))" "" "$((5 - ${#JAIL_STATE} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} - ${#JAIL_IP} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_PORTS} - ${#JAIL_PORTS} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} - ${#JAIL_HOSTNAME} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_RELEASE} - ${#JAIL_RELEASE} + ${SPACER}))" ""