Mirrors/hackacad
2
0
Fork 0
mirror of https://github.com/hackacad/bastille.git synced 2025-12-26 07:21:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

stop: Allow multiple IPs in jails

Browse Source
This commit is contained in:
tschettervictor
2025-01-28 17:53:13 -07:00
committed by GitHub
parent 7958718140
commit eb1ebff5d2
1 changed files with 87 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

122
usr/local/share/bastille/stop.sh
View File

@@ -2,7 +2,7 @@
#
# SPDX-License-Identifier: BSD-3-Clause
#
# Copyright (c) 2018-2025, Christer Edwards <christer.edwards@gmail.com>
# Copyright (c) 2018-2024, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
@@ -34,52 +34,104 @@
. /usr/local/etc/bastille/bastille.conf
usage() {
error_exit "Usage: bastille stop TARGET"
error_notify "Usage: bastille stop [option(s)] TARGET"
cat << EOF
Options:
-v | --verbose Print every action on jail stop.
-x | --debug Enable debug mode.
EOF
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
# Handle options.
OPTION=""
while [ "$#" -gt 0 ]; do
case "${1}" in
-h|--help|help)
usage
;;
-v|--verbose)
OPTION="-v"
shift
;;
-x|--debug)
enable_debug
shift
;;
-*)
for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do
case ${_opt} in
v) OPTION="-v" ;;
x) enable_debug ;;
*) error_exit "Unknown Option: \"${1}\"" ;;
esac
done
shift
;;
*)
break
;;
esac
done
if [ $# -ne 0 ]; then
if [ "$#" -ne 1 ]; then
usage
fi
TARGET="${1}"
bastille_root_check
set_target "${TARGET}"
for _jail in ${JAILS}; do
## test if running
if [ "$(/usr/sbin/jls name | awk "/^${_jail}$/")" ]; then
## Capture ip4.addr address while still running
_ip4="$(bastille config ${_jail} get ip4.addr)"
# Check if pfctl is present
if [ "${_ip4}" != "not set" ]; then
if [ "$(bastille rdr ${_jail} list)" ]; then
bastille rdr ${_jail} clear
fi
fi
info "[${_jail}]:"
check_target_is_running "${_jail}" || error_continue "Jail is already stopped."
## remove rctl limits
if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then
while read _limits; do
rctl -r "${_limits}"
done < "${bastille_jailsdir}/${_jail}/rctl.conf"
fi
## stop container
info "[${_jail}]:"
jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r "${_jail}"
## remove (captured above) ip4.addr from firewall table
if [ -n "${bastille_network_loopback}" ] && [ "${_ip4}" != "not set" ]; then
if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then
pfctl -q -t "${bastille_network_pf_table}" -T delete "${_ip4}"
# Remove RDR rules
if [ "$(bastille config ${_jail} get vnet)" != "enabled" ]; then
_ip4="$(bastille config ${_jail} get ip4.addr | sed 's/,/ /g')"
_ip6="$(bastille config ${_jail} get ip6.addr | sed 's/,/ /g')"
if [ "${_ip4}" != "not set" ] || [ "${_ip6}" != "not set" ]; then
if which -s pfctl; then
if [ "$(bastille rdr ${_jail} list)" ]; then
bastille rdr "${_jail}" clear
fi
fi
fi
fi
echo
# Remove rctl limits
if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then
while read _limits; do
rctl -r "${_limits}"
done < "${bastille_jailsdir}/${_jail}/rctl.conf"
fi
# Stop jail
jail ${OPTION} -f "${bastille_jailsdir}/${_jail}/jail.conf" -r "${_jail}"
# Remove (captured above) IPs from firewall table
if [ "${_ip4}" != "not set" ]; then
for _ip in ${_ip4}; do
if echo "${_ip}" | grep -q "|"; then
_ip="$(echo ${_ip} | awk -F"|" '{print $2}' | sed -E 's#/[0-9]+$##g')"
else
_ip="$(echo ${_ip} | sed -E 's#/[0-9]+$##g')"
fi
pfctl -q -t "${bastille_network_pf_table}" -T delete "${_ip}"
done
fi
if [ "${_ip6}" != "not set" ]; then
for _ip in ${_ip6}; do
if echo "${_ip}" | grep -q "|"; then
_ip="$(echo ${_ip} | awk -F"|" '{print $2}' | sed -E 's#/[0-9]+$##g')"
else
_ip="$(echo ${_ip} | sed -E 's#/[0-9]+$##g')"
fi
pfctl -q -t "${bastille_network_pf_table}" -T delete "${_ip}"
done
fi
done