Merge pull request #71 from cedwards/improvements

Improvements to firewalling for loopback containers
2026-01-04 11:43:48 +01:00 · 2019-11-25 17:13:32 -07:00
parent f6653a6a48 0a708c3dc7
commit f2a968a065
4 changed files with 18 additions and 20 deletions
--- a/usr/local/share/bastille/start.sh
+++ b/usr/local/share/bastille/start.sh
@@ -51,10 +51,10 @@ TARGET="${1}"
 shift

 if [ "${TARGET}" = 'ALL' ]; then
-    JAILS=$(/usr/local/bin/bastille list jails)
+    JAILS=$(bastille list jails)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(/usr/local/bin/bastille list jails | grep -w "${TARGET}")
+    JAILS=$(bastille list jails | grep -w "${TARGET}")
 fi

 for _jail in ${JAILS}; do
@@ -67,9 +67,9 @@ for _jail in ${JAILS}; do
        echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
        jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail}

-        ## update ${bastille_jail_loopback}:network with added/removed addresses
+        ## add ip4.addr to firewall table:jails
        if [ ! -z ${bastille_jail_loopback} ]; then
-            pfctl -f /etc/pf.conf
+            pfctl -t jails -T add $(jls -j ${_jail} ip4.addr)
        fi
    fi
    echo
--- a/usr/local/share/bastille/stop.sh
+++ b/usr/local/share/bastille/stop.sh
@@ -64,13 +64,14 @@ for _jail in ${JAILS}; do

    ## test if running
    elif [ $(jls name | grep -w "${_jail}") ]; then
+        ## remove ip4.addr from firewall table:jails
+        if [ ! -z ${bastille_jail_loopback} ]; then
+            pfctl -t jails -T delete $(jls -j ${_jail} ip4.addr)
+        fi
+
+        ## stop container
        echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
        jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail}
-
-        ## update ${bastille_jail_loopback}:network with added/removed addresses
-        if [ ! -z ${bastille_jail_loopback} ]; then
-            pfctl -f /etc/pf.conf
-        fi
    fi
    echo
 done