Merge pull request #71 from cedwards/improvements

Improvements to firewalling for loopback containers

README.md

@@ -94,15 +94,7 @@ First, create the loopback interface:
 ```shell
 ishmael ~ # sysrc cloned_interfaces+=lo1
 ishmael ~ # sysrc ifconfig_lo1_name="bastille0"
-ishmael ~ # sysrc ifconfig_bastille0_aliases="inet 10.17.89.1/32"
 ishmael ~ # service netif cloneup
-ishmael ~ # ifconfig bastille0 inet 10.17.89.1/32
-```
-
-Second, enable the firewall:
-
-```shell
-ishmael ~ # sysrc pf_enable="YES"
 ```
 
 Create the firewall config, or merge as necessary.
@@ -116,7 +108,8 @@ set block-policy return
 scrub in on $ext_if all fragment reassemble
 
 set skip on lo
-nat on $ext_if from bastille0:network to any -> ($ext_if)
+table <jails> persist
+nat on $ext_if from <jails> to any -> ($ext_if)
 
 ## rdr example
 ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
@@ -135,7 +128,8 @@ Note: if you have an existing firewall, the key lines for in/out traffic to
 containers are:
 
 ```
-nat on $ext_if from bastille0:network to any -> ($ext_if)
+table <jails> persist
+nat on $ext_if from <jails> to any -> ($ext_if)
 
 ## rdr example
 ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
@@ -148,9 +142,10 @@ The `rdr pass ...` will redirect traffic from the host firewall on port X to
 the ip of container Y. The example shown redirects web traffic (80 & 443) to the
 container at `10.17.89.45`.
 
-Finally, start up the firewall:
+Finally, enable and (re)start the firewall:
 
 ```shell
+ishmael ~ # sysrc pf_enable="YES"
 ishmael ~ # service pf restart
 ```
 

usr/local/bin/bastille

@@ -28,6 +28,8 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+
 ## root check first.
 bastille_root_check() {
     if [ $(id -u) -ne 0 ]; then

usr/local/share/bastille/start.sh

@@ -51,10 +51,10 @@ TARGET="${1}"
 shift
 
 if [ "${TARGET}" = 'ALL' ]; then
-    JAILS=$(/usr/local/bin/bastille list jails)
+    JAILS=$(bastille list jails)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(/usr/local/bin/bastille list jails | grep -w "${TARGET}")
+    JAILS=$(bastille list jails | grep -w "${TARGET}")
 fi
 
 for _jail in ${JAILS}; do
@@ -67,9 +67,9 @@ for _jail in ${JAILS}; do
         echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
         jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail}
 
-        ## update ${bastille_jail_loopback}:network with added/removed addresses
+        ## add ip4.addr to firewall table:jails
         if [ ! -z ${bastille_jail_loopback} ]; then
-            pfctl -f /etc/pf.conf
+            pfctl -t jails -T add $(jls -j ${_jail} ip4.addr)
         fi
     fi
     echo

usr/local/share/bastille/stop.sh

@@ -64,13 +64,14 @@ for _jail in ${JAILS}; do
 
     ## test if running
     elif [ $(jls name | grep -w "${_jail}") ]; then
+        ## remove ip4.addr from firewall table:jails
+        if [ ! -z ${bastille_jail_loopback} ]; then
+            pfctl -t jails -T delete $(jls -j ${_jail} ip4.addr)
+        fi
+
+        ## stop container
         echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
         jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail}
-
-        ## update ${bastille_jail_loopback}:network with added/removed addresses
-        if [ ! -z ${bastille_jail_loopback} ]; then
-            pfctl -f /etc/pf.conf
-        fi
     fi
     echo
 done