Xigmanas/xigmanas-bastille-extension
1
0
Fork 0
Code Pull Requests Actions Packages Releases Activity

Merge branch 'Mirrors-master'

Browse Source
This commit is contained in:
Matthias Berner
2026-02-22 09:17:41 +01:00
parent 56da8cfdf4 0125f86531
commit ae70375f08
45 changed files with 13545 additions and 720 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
.idea

57
CHANGELOG
View File

@@ -1,8 +1,61 @@
======================
======================
= Extension Bastille =
======================
Version Description
1.4.04......Dashboard cosmetic changes and fixes, thanks to rucko24.
1.4.03......Cosmetic changes, adjust options row position.
1.4.02......Add resizable columns and auto-refresh option, thanks to rucko24.
1.4.01......Code fixes and improvements, thanks to rucko24.
1.4.00......Performance and code improvements, thanks to rucko24.
1.3.01......Check/update bastille config parameters on runtime.
1.3.00......Code improvements/fixes and dashboard cosmetic changes.
1.2.31......Minor cosmetic/wording changes.
1.2.30......Add auto and live export modes, add ZST compression support.
1.2.29......Fix jail backup.
1.2.28......Minor cosmetic/wording changes.
1.2.27......Minor cosmetic/wording changes.
1.2.26......Minor cosmetic/wording changes.
1.2.25......Add 'etcupdate' missing command, update bundled files.
1.2.24......Minor code changes/improvements.
1.2.23......Check/update bastille config parameters on runtime.
1.2.22......Make sure minor changes are always applied.
1.2.21......Check/update bastille config parameters on runtime.
1.2.20......Allow install in zroot platform with optional zfs dataset.
1.2.19......Fix typo in tarballs page and cleanup, thanks to Lux.
1.2.18......Fix typo in tarballs download page, thanks to Lux.
1.2.17......Check if bastille_zfs_enable is actually set to NO before zfs disable.
1.2.16......Disable zfs activation warnings if bastille_zfs_enable is set to NO.
1.2.15......Minor code changes/improvements.
1.2.14......Make sure bastille-prefix ends with bastille.
1.2.13... ..Fallback for custom bastille prefix name.
1.2.12......Minor code improvements, clean stale pkg files on error.
1.2.11......Add all bastille Linux flavors bootstrap options.
1.2.10......Minor code improvements and cleanup.
1.2.09......Add Debian keyring and minor code changes.
1.2.08......Code cleanup, remove unnecessary statement.
1.2.07......Minor cosmetic/wording changes.
1.2.06......Code changes, symlink bundled files in embedded platforms.
1.2.05......Mount unionfs for pkg while fetching debootstrap packages.
1.2.04......Fix for missing variable affecting embedded platforms, thanks to tga.
1.2.03......Added post upgrade function for convenience, cleanup obsolete code.
1.2.02......Always execute extension script after upgrade from WebGUI, code changes.
1.2.01......Fix extension script missing statement preventing for new installs.
1.2.00......Re-add Linux jail feature, WebGUI fixes and overall improvements.
1.1.53......Code changes, handle osrelease parameter update in bastille-init.
1.1.52......Re-add Thin jail release change and code improvements.
1.1.51......Code update/improvements, update jail config/util pages and bastille-init.
1.1.50......Disable linux_compat due incompatibility with later releases.
1.1.49......Disable basic interface to comply with bastille new syntax.
1.1.48......Add action to set priority value from utilities.
1.1.47......Cosmetic changes and improvements.
1.1.46......Display jail IP using bastille list buil-in command.
1.1.45......Code update for recent bastille boot settings changes.
1.1.44......Fix bastille version display under maintenance tab.
1.1.43......Update: Finish adding support for 14.3 release.
1.1.42......Update: Add support for 14.3 release + add -a option for destroy.
1.1.41......Update: Add support for 14.2 release.
1.1.40......Code fixes/improvements thanks to tschettervictor.
1.1.39......Update release list on bastille_manager_add.php.
1.1.38......Update release list, added new Debian/Ubuntu distros.
1.1.37......Workaround to copy host resolv.conf to jail path.
@@ -115,7 +168,7 @@ Version Description
1.0.30......Ability to convert thin jail to thick jail.
1.0.29......Added Chinese (Simplified) translation, thanks to lijinbiao.
1.0.28......Improve fstab utility error handling.
1.0.27......Improved fstab utility, don't allow blank fields.
1.0.27......Improved fstab utility, don't allow blank fields.
1.0.26......Improved jail IP search during import.
1.0.25......Add foreign jail import support, improved fstab utility.
1.0.24......Improved Thick container upgrade process.

2
LICENSE
View File

@@ -1,5 +1,5 @@
---------------------------------------------------------
Copyright (c) 2019, José Rivera
Copyright (c) 2019-2026, Jose Rivera
All rights reserved.
Redistribution and use in source and binary forms, with or without

12
README.md
View File

@@ -1,9 +1,17 @@
**Description:**
This is the XigmaNAS Bastille Extension for quickly create and manage FreeBSD Jails/Containers.
This is the XigmaNAS Bastille Extension to create and manage FreeBSD Jails/Containers.
**Install**
```
mkdir -p /mnt/tank/extensions/bastille
cd /mnt/tank/extensions/bastille
fetch --no-verify-peer https://raw.githubusercontent.com/JRGTH/xigmanas-bastille-extension/master/bastille-init && chmod +x bastille-init && ./bastille-init && echo "=> Done!"
```
**Credits:**
Christer Edwards (cedwards) Bastille, J.M. Rivera (JRGTH) XigmaNAS Add-on.
Christer Edwards (cedwards) Bastille, J.M. Rivera (JRGTH) Bastille and XigmaNAS Add-on.
Additional information on Bastille: <a href="http://bastillebsd.org/">http://bastillebsd.org/</a>

873
bastille-init Normal file → Executable file
View File

File diff suppressed because it is too large Load Diff

13
conf/bastille.conf.ext
View File

@@ -1,5 +1,6 @@
bastille_prefix="/usr/local/bastille"
bastille_backupsdir="${bastille_prefix}/backups"
bastille_migratedir="${bastille_prefix}/migrate"
bastille_cachedir="${bastille_prefix}/cache"
bastille_jailsdir="${bastille_prefix}/jails"
bastille_releasesdir="${bastille_prefix}/releases"
@@ -8,12 +9,12 @@ bastille_logsdir="${bastille_prefix}/logs"
bastille_pf_conf="${bastille_prefix}/pf.conf"
bastille_sharedir="/usr/local/share/bastille"
bastille_bootstrap_archives="base"
bastille_pkgbase_packages="base-jail"
bastille_tzdata="etc/UTC"
bastille_resolv_conf="/etc/resolv.conf"
bastille_url_freebsd="http://ftp.freebsd.org/pub/FreeBSD/releases/"
bastille_url_hardenedbsd="https://installers.hardenedbsd.org/pub/"
bastille_url_midnightbsd="https://www.midnightbsd.org/ftp/MidnightBSD/releases/"
bastille_url_midnightbsd="https://www.midnightbsd.org/ftp/MidnightBSD/releases/"
bastille_zfs_enable=""
bastille_zfs_zpool=""
bastille_zfs_prefix="bastille"
@@ -22,15 +23,23 @@ bastille_compress_xz_options="-0 -v"
bastille_decompress_xz_options="-c -d -v"
bastille_compress_gz_options="-1 -v"
bastille_decompress_gz_options="-k -d -c -v"
bastille_compress_zst_options="-3 -v"
bastille_decompress_zst_options="-k -d -c -v"
bastille_network_vnet_type="if_bridge"
bastille_network_loopback=""
bastille_network_pf_ext_if="ext_if"
bastille_network_pf_table="jails"
bastille_network_shared=""
bastille_network_gateway=""
bastille_network_gateway6=""
bastille_network_gateway6=""
bastille_template_base="default/base"
bastille_template_empty=""
bastille_template_thick="default/thick"
bastille_template_clone="default/clone"
bastille_template_thin="default/thin"
bastille_template_vnet="default/vnet"
bastille_template_vlan="default/vlan"
bastille_monitor_cron_path="/usr/local/etc/cron.d/bastille-monitor"
bastille_monitor_cron="*/5 * * * * root /usr/local/bin/bastille monitor ALL >/dev/null 2>&1"
bastille_monitor_logfile="${bastille_logsdir}/monitor.log"
bastille_monitor_healthchecks=""

3547
conf/system/freebsd-update/14.2/freebsd-update Executable file
View File

File diff suppressed because it is too large Load Diff

78
conf/system/freebsd-update/14.2/freebsd-update.conf Normal file
View File

@@ -0,0 +1,78 @@
# Trusted keyprint. Changing this is a Bad Idea unless you've received
# a PGP-signed email from <security-officer@FreeBSD.org> telling you to
# change it and explaining why.
KeyPrint 800651ef4b4c71c27e60786d7b487188970f4b4169cc055784e21eb71d410cc5
# Server or server pool from which to fetch updates. You can change
# this to point at a specific server if you want, but in most cases
# using a "nearby" server won't provide a measurable improvement in
# performance.
ServerName update.FreeBSD.org
# Components of the base system which should be kept updated.
Components src world kernel
# Example for updating the userland and the kernel source code only:
# Components src/base src/sys world
# Paths which start with anything matching an entry in an IgnorePaths
# statement will be ignored.
IgnorePaths
# Paths which start with anything matching an entry in an IDSIgnorePaths
# statement will be ignored by "freebsd-update IDS".
IDSIgnorePaths /usr/share/man/cat
IDSIgnorePaths /usr/share/man/whatis
IDSIgnorePaths /var/db/locate.database
IDSIgnorePaths /var/log
# Paths which start with anything matching an entry in an UpdateIfUnmodified
# statement will only be updated if the contents of the file have not been
# modified by the user (unless changes are merged; see below).
UpdateIfUnmodified /etc/ /var/ /root/ /.cshrc /.profile
# When upgrading to a new FreeBSD release, files which match MergeChanges
# will have any local changes merged into the version from the new release.
MergeChanges /etc/ /boot/device.hints
### Default configuration options:
# Directory in which to store downloaded updates and temporary
# files used by FreeBSD Update.
# WorkDir /var/db/freebsd-update
# Destination to send output of "freebsd-update cron" if an error
# occurs or updates have been downloaded.
# MailTo root
# Is FreeBSD Update allowed to create new files?
# AllowAdd yes
# Is FreeBSD Update allowed to delete files?
# AllowDelete yes
# If the user has modified file ownership, permissions, or flags, should
# FreeBSD Update retain this modified metadata when installing a new version
# of that file?
# KeepModifiedMetadata yes
# When upgrading between releases, should the list of Components be
# read strictly (StrictComponents yes) or merely as a list of components
# which *might* be installed of which FreeBSD Update should figure out
# which actually are installed and upgrade those (StrictComponents no)?
# StrictComponents no
# When installing a new kernel perform a backup of the old one first
# so it is possible to boot the old kernel in case of problems.
# BackupKernel yes
# If BackupKernel is enabled, the backup kernel is saved to this
# directory.
# BackupKernelDir /boot/kernel.old
# When backing up a kernel also back up debug symbol files?
# BackupKernelSymbolFiles no
# Create a new boot environment when installing patches
# CreateBootEnv yes

3588
conf/system/freebsd-update/14.3/freebsd-update Executable file
View File

File diff suppressed because it is too large Load Diff

78
conf/system/freebsd-update/14.3/freebsd-update.conf Normal file
View File

@@ -0,0 +1,78 @@
# Trusted keyprint. Changing this is a Bad Idea unless you've received
# a PGP-signed email from <security-officer@FreeBSD.org> telling you to
# change it and explaining why.
KeyPrint 800651ef4b4c71c27e60786d7b487188970f4b4169cc055784e21eb71d410cc5
# Server or server pool from which to fetch updates. You can change
# this to point at a specific server if you want, but in most cases
# using a "nearby" server won't provide a measurable improvement in
# performance.
ServerName update.FreeBSD.org
# Components of the base system which should be kept updated.
Components src world kernel
# Example for updating the userland and the kernel source code only:
# Components src/base src/sys world
# Paths which start with anything matching an entry in an IgnorePaths
# statement will be ignored.
IgnorePaths
# Paths which start with anything matching an entry in an IDSIgnorePaths
# statement will be ignored by "freebsd-update IDS".
IDSIgnorePaths /usr/share/man/cat
IDSIgnorePaths /usr/share/man/whatis
IDSIgnorePaths /var/db/locate.database
IDSIgnorePaths /var/log
# Paths which start with anything matching an entry in an UpdateIfUnmodified
# statement will only be updated if the contents of the file have not been
# modified by the user (unless changes are merged; see below).
UpdateIfUnmodified /etc/ /var/ /root/ /.cshrc /.profile
# When upgrading to a new FreeBSD release, files which match MergeChanges
# will have any local changes merged into the version from the new release.
MergeChanges /etc/ /boot/device.hints
### Default configuration options:
# Directory in which to store downloaded updates and temporary
# files used by FreeBSD Update.
# WorkDir /var/db/freebsd-update
# Destination to send output of "freebsd-update cron" if an error
# occurs or updates have been downloaded.
# MailTo root
# Is FreeBSD Update allowed to create new files?
# AllowAdd yes
# Is FreeBSD Update allowed to delete files?
# AllowDelete yes
# If the user has modified file ownership, permissions, or flags, should
# FreeBSD Update retain this modified metadata when installing a new version
# of that file?
# KeepModifiedMetadata yes
# When upgrading between releases, should the list of Components be
# read strictly (StrictComponents yes) or merely as a list of components
# which *might* be installed of which FreeBSD Update should figure out
# which actually are installed and upgrade those (StrictComponents no)?
# StrictComponents no
# When installing a new kernel perform a backup of the old one first
# so it is possible to boot the old kernel in case of problems.
# BackupKernel yes
# If BackupKernel is enabled, the backup kernel is saved to this
# directory.
# BackupKernelDir /boot/kernel.old
# When backing up a kernel also back up debug symbol files?
# BackupKernelSymbolFiles no
# Create a new boot environment when installing patches
# CreateBootEnv yes

BIN
conf/system/include/14.2/ar Executable file
View File

Binary file not shown.

BIN
conf/system/include/14.2/diff3 Executable file
View File

Binary file not shown.

417
conf/system/include/14.2/jib Executable file
View File

@@ -0,0 +1,417 @@
#!/bin/sh
#-
# Copyright (c) 2016 Devin Teske
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
#
############################################################ IDENT(1)
#
# $Title: if_bridge(4) management script for vnet jails $
#
############################################################ INFORMATION
#
# Use this tool with jail.conf(5) (or rc.conf(5) ``legacy'' configuration) to
# manage `vnet' interfaces for jails. Designed to automate the creation of vnet
# interface(s) during jail `prestart' and destroy said interface(s) during jail
# `poststop'.
#
# In jail.conf(5) format:
#
# ### BEGIN EXCERPT ###
#
# xxx {
# host.hostname = "xxx.yyy";
# path = "/vm/xxx";
#
# #
# # NB: Below 2-lines required
# # NB: The number of eNb_xxx interfaces should match the number of
# # arguments given to `jib addm xxx' in exec.prestart value.
# #
# vnet;
# vnet.interface = e0b_xxx, e1b_xxx, ...;
#
# exec.clean;
# exec.system_user = "root";
# exec.jail_user = "root";
#
# #
# # NB: Below 2-lines required
# # NB: The number of arguments after `jib addm xxx' should match
# # the number of eNb_xxx arguments in vnet.interface value.
# #
# exec.prestart += "jib addm xxx em0 em1 ...";
# exec.poststop += "jib destroy xxx";
#
# # Standard recipe
# exec.start += "/bin/sh /etc/rc";
# exec.stop = "/bin/sh /etc/rc.shutdown jail";
# exec.consolelog = "/var/log/jail_xxx_console.log";
# mount.devfs;
#
# # Optional (default off)
# #allow.mount;
# #allow.set_hostname = 1;
# #allow.sysvipc = 1;
# #devfs_ruleset = "11"; # rule to unhide bpf for DHCP
# }
#
# ### END EXCERPT ###
#
# In rc.conf(5) ``legacy'' format (used when /etc/jail.conf does not exist):
#
# ### BEGIN EXCERPT ###
#
# jail_enable="YES"
# jail_list="xxx"
#
# #
# # Global presets for all jails
# #
# jail_devfs_enable="YES" # mount devfs
#
# #
# # Global options (default off)
# #
# #jail_mount_enable="YES" # mount /etc/fstab.{name}
# #jail_set_hostname_allow="YES" # Allow hostname to change
# #jail_sysvipc_allow="YES" # Allow SysV Interprocess Comm.
#
# # xxx
# jail_xxx_hostname="xxx.shxd.cx" # hostname
# jail_xxx_rootdir="/vm/xxx" # root directory
# jail_xxx_vnet_interfaces="e0b_xxx e1bxxx ..." # vnet interface(s)
# jail_xxx_exec_prestart0="jib addm xxx em0 em1 ..." # bridge interface(s)
# jail_xxx_exec_poststop0="jib destroy xxx" # destroy interface(s)
# #jail_xxx_mount_enable="YES" # mount /etc/fstab.xxx
# #jail_xxx_devfs_ruleset="11" # rule to unhide bpf for DHCP
#
# ### END EXCERPT ###
#
# Note that the legacy rc.conf(5) format is converted to
# /var/run/jail.{name}.conf by /etc/rc.d/jail if jail.conf(5) is missing.
#
# ASIDE: dhclient(8) inside a vnet jail...
#
# To allow dhclient(8) to work inside a vnet jail, make sure the following
# appears in /etc/devfs.rules (which should be created if it doesn't exist):
#
# [devfsrules_jail=11]
# add include $devfsrules_hide_all
# add include $devfsrules_unhide_basic
# add include $devfsrules_unhide_login
# add path 'bpf*' unhide
#
# And set ether devfs.ruleset="11" (jail.conf(5)) or
# jail_{name}_devfs_ruleset="11" (rc.conf(5)).
#
# NB: While this tool can't create every type of desirable topology, it should
# handle most setups, minus some which considered exotic or purpose-built.
#
############################################################ GLOBALS
pgm="${0##*/}" # Program basename
#
# Global exit status
#
SUCCESS=0
FAILURE=1
############################################################ FUNCTIONS
usage()
{
local action usage descr
exec >&2
echo "Usage: $pgm action [arguments]"
echo "Actions:"
for action in \
addm \
show \
show1 \
destroy \
; do
eval usage=\"\$jib_${action}_usage\"
[ "$usage" ] || continue
eval descr=\"\$jib_${action}_descr\"
printf "\t%s\n\t\t%s\n" "$usage" "$descr"
done
exit $FAILURE
}
action_usage()
{
local usage descr action="$1"
eval usage=\"\$jib_${action}_usage\"
echo "Usage: $pgm $usage" >&2
eval descr=\"\$jib_${action}_descr\"
printf "\t%s\n" "$descr"
exit $FAILURE
}
derive_mac()
{
local OPTIND=1 OPTARG __flag
local __mac_num= __make_pair=
while getopts 2n: __flag; do
case "$__flag" in
2) __make_pair=1 ;;
n) __mac_num=${OPTARG%%[^0-9]*} ;;
esac
done
shift $(( $OPTIND - 1 ))
if [ ! "$__mac_num" ]; then
eval __mac_num=\${_${iface}_num:--1}
__mac_num=$(( $__mac_num + 1 ))
eval _${iface}_num=\$__mac_num
fi
local __iface="$1" __name="$2" __var_to_set="$3" __var_to_set_b="$4"
local __iface_devid __new_devid __num __new_devid_b
#
# Calculate MAC address derived from given iface.
#
# The formula I'm using is ``NP:SS:SS:II:II:II'' where:
# + N denotes 4 bits used as a counter to support branching
# each parent interface up to 15 times under the same jail
# name (see S below).
# + P denotes the special nibble whose value, if one of
# 2, 6, A, or E (but usually 2) denotes a privately
# administered MAC address (while remaining routable).
# + S denotes 16 bits, the sum(1) value of the jail name.
# + I denotes bits that are inherited from parent interface.
#
# The S bits are a CRC-16 checksum of NAME, allowing the jail
# to change link numbers in ng_bridge(4) without affecting the
# MAC address. Meanwhile, if...
# + the jail NAME changes (e.g., it was duplicated and given
# a new name with no other changes)
# + the underlying network interface changes
# + the jail is moved to another host
# the MAC address will be recalculated to a new, similarly
# unique value preventing conflict.
#
__iface_devid=$( ifconfig $__iface ether | awk '/ether/,$0=$2' )
# ??:??:??:II:II:II
__new_devid=${__iface_devid#??:??:??} # => :II:II:II
# => :SS:SS:II:II:II
__num=$( set -- `echo -n "$__name" | sum` && echo $1 )
__new_devid=$( printf :%02x:%02x \
$(( $__num >> 8 & 255 )) $(( $__num & 255 )) )$__new_devid
# => P:SS:SS:II:II:II
case "$__iface_devid" in
?2:*) __new_devid=a$__new_devid __new_devid_b=e$__new_devid ;;
?[Ee]:*) __new_devid=2$__new_devid __new_devid_b=6$__new_devid ;;
*) __new_devid=2$__new_devid __new_devid_b=e$__new_devid
esac
# => NP:SS:SS:II:II:II
__new_devid=$( printf %x $(( $__mac_num & 15 )) )$__new_devid
__new_devid_b=$( printf %x $(( $__mac_num & 15 )) )$__new_devid_b
#
# Return derivative MAC address(es)
#
if [ "$__make_pair" ]; then
if [ "$__var_to_set" -a "$__var_to_set_b" ]; then
eval $__var_to_set=\$__new_devid
eval $__var_to_set_b=\$__new_devid_b
else
echo $__new_devid $__new_devid_b
fi
else
if [ "$__var_to_set" ]; then
eval $__var_to_set=\$__new_devid
else
echo $__new_devid
fi
fi
}
mustberoot_to_continue()
{
if [ "$( id -u )" -ne 0 ]; then
echo "Must run as root!" >&2
exit $FAILURE
fi
}
jib_addm_usage="addm [-b BRIDGE_NAME] NAME [!]iface0 [[!]iface1 ...]"
jib_addm_descr="Creates e0b_NAME [e1b_NAME ...]"
jib_addm()
{
local OPTIND=1 OPTARG flag bridge=bridge
while getopts b: flag; do
case "$flag" in
b) bridge="${OPTARG:-bridge}" ;;
*) action_usage addm # NOTREACHED
esac
done
shift $(( $OPTIND - 1 ))
local name="$1"
[ "${name:-x}" = "${name#*[!0-9a-zA-Z_]}" -a $# -gt 1 ] ||
action_usage addm # NOTREACHED
shift 1 # name
mustberoot_to_continue
local iface eiface_devid_a eiface_devid_b
local new no_derive num quad i=0
for iface in $*; do
no_derive=
case "$iface" in
!*) iface=${iface#!} no_derive=1 ;;
esac
# Make sure the interface doesn't exist already
if ifconfig "e${i}a_$name" > /dev/null 2>&1; then
i=$(( $i + 1 ))
continue
fi
# Bring the interface up
ifconfig $iface up || return
# Make sure the interface has been bridged
if ! ifconfig "$iface$bridge" > /dev/null 2>&1; then
new=$( ifconfig bridge create ) || return
ifconfig $new addm $iface || return
ifconfig $new name "$iface$bridge" || return
ifconfig "$iface$bridge" up || return
fi
# Create a new interface to the bridge
new=$( ifconfig epair create ) || return
ifconfig "$iface$bridge" addm $new || return
# Rename the new interface
ifconfig $new name "e${i}a_$name" || return
ifconfig ${new%a}b name "e${i}b_$name" || return
ifconfig "e${i}a_$name" up || return
ifconfig "e${i}b_$name" up || return
#
# Set the MAC address of the new interface using a sensible
# algorithm to prevent conflicts on the network.
#
eiface_devid_a= eiface_devid_b=
[ "$no_derive" ] || derive_mac -2 $iface "$name" \
eiface_devid_a eiface_devid_b
if [ "$eiface_devid_a" -a "$eiface_devid_b" ]; then
ifconfig "e${i}a_$name" ether $eiface_devid_a
ifconfig "e${i}b_$name" ether $eiface_devid_b
fi > /dev/null 2>&1
i=$(( $i + 1 ))
done # for iface
}
jib_show_usage="show"
jib_show_descr="List possible NAME values for \`show NAME'"
jib_show1_usage="show NAME"
jib_show1_descr="Lists e0b_NAME [e1b_NAME ...]"
jib_show2_usage="show [NAME]"
jib_show()
{
local OPTIND=1 OPTARG flag
while getopts "" flag; do
case "$flag" in
*) action_usage show2 # NOTREACHED
esac
done
shift $(( $OPTIND - 1 ))
if [ $# -eq 0 ]; then
ifconfig | awk '
/^[^:[:space:]]+:/ {
iface = $1
sub(/:.*/, "", iface)
next
}
$1 == "groups:" {
for (n = split($0, group); n > 1; n--) {
if (group[n] != "bridge") continue
print iface
next
}
}' |
xargs -rn1 ifconfig |
awk '$1 == "member:" &&
sub(/^e[[:digit:]]+a_/, "", $2), $0 = $2' |
sort -u
return
fi
ifconfig | awk -v name="$1" '
match($0, /^e[[:digit:]]+a_/) && sub(/:.*/, "") &&
substr($1, RSTART + RLENGTH) == name
' | sort
}
jib_destroy_usage="destroy NAME"
jib_destroy_descr="Destroy e0b_NAME [e1b_NAME ...]"
jib_destroy()
{
local OPTIND=1 OPTARG flag
while getopts "" flag; do
case "$flag" in
*) action_usage destroy # NOTREACHED
esac
done
shift $(( $OPTIND -1 ))
local name="$1"
[ "${name:-x}" = "${name#*[!0-9a-zA-Z_]}" -a $# -eq 1 ] ||
action_usage destroy # NOTREACHED
mustberoot_to_continue
jib_show "$name" | xargs -rn1 -I eiface ifconfig eiface destroy
}
############################################################ MAIN
#
# Command-line arguments
#
action="$1"
[ "$action" ] || usage # NOTREACHED
#
# Validate action argument
#
if [ "$BASH_VERSION" ]; then
type="$( type -t "jib_$action" )" || usage # NOTREACHED
else
type="$( type "jib_$action" 2> /dev/null )" || usage # NOTREACHED
fi
case "$type" in
*function)
shift 1 # action
eval "jib_$action" \"\$@\"
;;
*) usage # NOTREACHED
esac
################################################################################
# END
################################################################################

BIN
conf/system/include/14.2/makewhatis Executable file
View File

Binary file not shown.

708
conf/system/include/14.2/pf.os Normal file
View File

@@ -0,0 +1,708 @@
# $OpenBSD: pf.os,v 1.27 2016/09/03 17:08:57 sthen Exp $
# passive OS fingerprinting
# -------------------------
#
# SYN signatures. Those signatures work for SYN packets only (duh!).
#
# (C) Copyright 2000-2003 by Michal Zalewski <lcamtuf@coredump.cx>
# (C) Copyright 2003 by Mike Frantzen <frantzen@w4g.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
#
# This fingerprint database is adapted from Michal Zalewski's p0f passive
# operating system package. The last database sync was from a Nov 3 2003
# p0f.fp.
#
#
# Each line in this file specifies a single fingerprint. Please read the
# information below carefully before attempting to append any signatures
# reported as UNKNOWN to this file to avoid mistakes.
#
# We use the following set metrics for fingerprinting:
#
# - Window size (WSS) - a highly OS dependent setting used for TCP/IP
# performance control (max. amount of data to be sent without ACK).
# Some systems use a fixed value for initial packets. On other
# systems, it is a multiple of MSS or MTU (MSS+40). In some rare
# cases, the value is just arbitrary.
#
# NEW SIGNATURE: if p0f reported a special value of 'Snn', the number
# appears to be a multiple of MSS (MSS*nn); a special value of 'Tnn'
# means it is a multiple of MTU ((MSS+40)*nn). Unless you notice the
# value of nn is not fixed (unlikely), just copy the Snn or Tnn token
# literally. If you know this device has a simple stack and a fixed
# MTU, you can however multiply S value by MSS, or T value by MSS+40,
# and put it instead of Snn or Tnn.
#
# If WSS otherwise looks like a fixed value (for example a multiple
# of two), or if you can confirm the value is fixed, please quote
# it literally. If there's no apparent pattern in WSS chosen, you
# should consider wildcarding this value.
#
# - Overall packet size - a function of all IP and TCP options and bugs.
#
# NEW SIGNATURE: Copy this value literally.
#
# - Initial TTL - We check the actual TTL of a received packet. It can't
# be higher than the initial TTL, and also shouldn't be dramatically
# lower (maximum distance is defined as 40 hops).
#
# NEW SIGNATURE: *Never* copy TTL from a p0f-reported signature literally.
# You need to determine the initial TTL. The best way to do it is to
# check the documentation for a remote system, or check its settings.
# A fairly good method is to simply round the observed TTL up to
# 32, 64, 128, or 255, but it should be noted that some obscure devices
# might not use round TTLs (in particular, some shoddy appliances use
# "original" initial TTL settings). If not sure, you can see how many
# hops you're away from the remote party with traceroute or mtr.
#
# - Don't fragment flag (DF) - some modern OSes set this to implement PMTU
# discovery. Others do not bother.
#
# NEW SIGNATURE: Copy this value literally.
#
# - Maximum segment size (MSS) - this setting is usually link-dependent. P0f
# uses it to determine link type of the remote host.
#
# NEW SIGNATURE: Always wildcard this value, except for rare cases when
# you have an appliance with a fixed value, know the system supports only
# a very limited number of network interface types, or know the system
# is using a value it pulled out of nowhere. Specific unique MSS
# can be used to tell Google crawlbots from the rest of the population.
#
# - Window scaling (WSCALE) - this feature is used to scale WSS.
# It extends the size of a TCP/IP window to 32 bits. Some modern
# systems implement this feature.
#
# NEW SIGNATURE: Observe several signatures. Initial WSCALE is often set
# to zero or other low value. There's usually no need to wildcard this
# parameter.
#
# - Timestamp - some systems that implement timestamps set them to
# zero in the initial SYN. This case is detected and handled appropriately.
#
# - Selective ACK permitted - a flag set by systems that implement
# selective ACK functionality.
#
# - The sequence of TCP all options (MSS, window scaling, selective ACK
# permitted, timestamp, NOP). Other than the options previously
# discussed, p0f also checks for timestamp option (a silly
# extension to broadcast your uptime ;-), NOP options (used for
# header padding) and sackOK option (selective ACK feature).
#
# NEW SIGNATURE: Copy the sequence literally.
#
# To wildcard any value (except for initial TTL or TCP options), replace
# it with '*'. You can also use a modulo operator to match any values
# that divide by nnn - '%nnn'.
#
# Fingerprint entry format:
#
# wwww:ttt:D:ss:OOO...:OS:Version:Subtype:Details
#
# wwww - window size (can be *, %nnn, Snn or Tnn). The special values
# "S" and "T" which are a multiple of MSS or a multiple of MTU
# respectively.
# ttt - initial TTL
# D - don't fragment bit (0 - not set, 1 - set)
# ss - overall SYN packet size
# OOO - option value and order specification (see below)
# OS - OS genre (Linux, Solaris, Windows)
# Version - OS Version (2.0.27 on x86, etc)
# Subtype - OS subtype or patchlevel (SP3, lo0)
# details - Generic OS details
#
# If OS genre starts with '*', p0f will not show distance, link type
# and timestamp data. It is useful for userland TCP/IP stacks of
# network scanners and so on, where many settings are randomized or
# bogus.
#
# If OS genre starts with @, it denotes an approximate hit for a group
# of operating systems (signature reporting still enabled in this case).
# Use this feature at the end of this file to catch cases for which
# you don't have a precise match, but can tell it's Windows or FreeBSD
# or whatnot by looking at, say, flag layout alone.
#
# Option block description is a list of comma or space separated
# options in the order they appear in the packet:
#
# N - NOP option
# Wnnn - window scaling option, value nnn (or * or %nnn)
# Mnnn - maximum segment size option, value nnn (or * or %nnn)
# S - selective ACK OK
# T - timestamp
# T0 - timestamp with a zero value
#
# To denote no TCP options, use a single '.'.
#
# Please report any additions to this file, or any inaccuracies or
# problems spotted, to the maintainers: lcamtuf@coredump.cx,
# frantzen@openbsd.org and bugs@openbsd.org with a tcpdump packet
# capture of the relevant SYN packet(s)
#
# A test and submission page is available at
# http://lcamtuf.coredump.cx/p0f-help/
#
#
# WARNING WARNING WARNING
# -----------------------
#
# Do not add a system X as OS Y just because NMAP says so. It is often
# the case that X is a NAT firewall. While nmap is talking to the
# device itself, p0f is fingerprinting the guy behind the firewall
# instead.
#
# When in doubt, use common sense, don't add something that looks like
# a completely different system as Linux or FreeBSD or LinkSys router.
# Check DNS name, establish a connection to the remote host and look
# at SYN+ACK - does it look similar?
#
# Some users tweak their TCP/IP settings - enable or disable RFC1323
# functionality, enable or disable timestamps or selective ACK,
# disable PMTU discovery, change MTU and so on. Always compare a new rule
# to other fingerprints for this system, and verify the system isn't
# "customized" before adding it. It is OK to add signature variants
# caused by a commonly used software (personal firewalls, security
# packages, etc), but it makes no sense to try to add every single
# possible /proc/sys/net/ipv4 tweak on Linux or so.
#
# KEEP IN MIND: Some packet firewalls configured to normalize outgoing
# traffic (OpenBSD pf with "scrub" enabled, for example) will, well,
# normalize packets. Signatures will not correspond to the originating
# system (and probably not quite to the firewall either).
#
# NOTE: Try to keep this file in some reasonable order, from most to
# least likely systems. This will speed up operation. Also keep most
# generic and broad rules near the end.
#
##########################
# Standard OS signatures #
##########################
# ----------------- AIX ---------------------
# AIX is first because its signatures are close to NetBSD, MacOS X and
# Linux 2.0, but it uses a fairly rare MSSes, at least sometimes...
# This is a shoddy hack, though.
45046:64:0:44:M*: AIX:4.3::AIX 4.3
16384:64:0:44:M512: AIX:4.3:2-3:AIX 4.3.2 and earlier
16384:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2
16384:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2
32768:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2
32768:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2
65535:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2
65535:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2
65535:64:0:64:M*,N,W1,N,N,T,N,N,S: AIX:5.3:ML1:AIX 5.3 ML1
# ----------------- Linux -------------------
# S1:64:0:44:M*:A: Linux:1.2::Linux 1.2.x (XXX quirks support)
512:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x
16384:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x
# Endian snafu! Nelson says "ha-ha":
2:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac
64:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac
S4:64:1:60:M1360,S,T,N,W0: Linux:google::Linux (Google crawlbot)
S2:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4 (big boy)
S3:64:1:60:M*,S,T,N,W0: Linux:2.4:.18-21:Linux 2.4.18 and newer
S4:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4/2.6 <= 2.6.7
S4:64:1:60:M*,S,T,N,W0: Linux:2.6:.1-7:Linux 2.4/2.6 <= 2.6.7
S4:64:1:60:M*,S,T,N,W5: Linux:2.6::Linux 2.6 (newer, 1)
S4:64:1:60:M*,S,T,N,W6: Linux:2.6::Linux 2.6 (newer, 2)
S4:64:1:60:M*,S,T,N,W7: Linux:2.6::Linux 2.6 (newer, 3)
T4:64:1:60:M*,S,T,N,W7: Linux:2.6::Linux 2.6 (newer, 4)
S10:64:1:60:M*,S,T,N,W4: Linux:3.0::Linux 3.0
S3:64:1:60:M*,S,T,N,W1: Linux:2.5::Linux 2.5 (sometimes 2.4)
S4:64:1:60:M*,S,T,N,W1: Linux:2.5-2.6::Linux 2.5/2.6
S3:64:1:60:M*,S,T,N,W2: Linux:2.5::Linux 2.5 (sometimes 2.4)
S4:64:1:60:M*,S,T,N,W2: Linux:2.5::Linux 2.5 (sometimes 2.4)
S20:64:1:60:M*,S,T,N,W0: Linux:2.2:20-25:Linux 2.2.20 and newer
S22:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2
S11:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2
# Popular cluster config scripts disable timestamps and
# selective ACK:
S4:64:1:48:M1460,N,W0: Linux:2.4:cluster:Linux 2.4 in cluster
# This needs to be investigated. On some systems, WSS
# is selected as a multiple of MTU instead of MSS. I got
# many submissions for this for many late versions of 2.4:
T4:64:1:60:M1412,S,T,N,W0: Linux:2.4::Linux 2.4 (late, uncommon)
# This happens only over loopback, but let's make folks happy:
32767:64:1:60:M16396,S,T,N,W0: Linux:2.4:lo0:Linux 2.4 (local)
S8:64:1:60:M3884,S,T,N,W0: Linux:2.2:lo0:Linux 2.2 (local)
# Opera visitors:
16384:64:1:60:M*,S,T,N,W0: Linux:2.2:Opera:Linux 2.2 (Opera?)
32767:64:1:60:M*,S,T,N,W0: Linux:2.4:Opera:Linux 2.4 (Opera?)
# Some fairly common mods:
S4:64:1:52:M*,N,N,S,N,W0: Linux:2.4:ts:Linux 2.4 w/o timestamps
S22:64:1:52:M*,N,N,S,N,W0: Linux:2.2:ts:Linux 2.2 w/o timestamps
# ----------------- FreeBSD -----------------
16384:64:1:44:M*: FreeBSD:2.0-2.2::FreeBSD 2.0-4.2
16384:64:1:44:M*: FreeBSD:3.0-3.5::FreeBSD 2.0-4.2
16384:64:1:44:M*: FreeBSD:4.0-4.2::FreeBSD 2.0-4.2
16384:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4
1024:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4
57344:64:1:44:M*: FreeBSD:4.6-4.8:noRFC1323:FreeBSD 4.6-4.8 (no RFC1323)
57344:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.6-4.9::FreeBSD 4.6-4.9
32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.11::FreeBSD 4.8-5.1 (or MacOS X)
32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0-5.1::FreeBSD 4.8-5.1 (or MacOS X)
65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.11::FreeBSD 4.8-5.2 (or MacOS X)
65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0-5.2::FreeBSD 4.8-5.2 (or MacOS X)
65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:4.7-4.11::FreeBSD 4.7-5.2
65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:5.0-5.2::FreeBSD 4.7-5.2
# XXX need quirks support
# 65535:64:1:60:M*,N,W0,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (1)
# 65535:64:1:60:M*,N,W1,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (2)
# 65535:64:1:60:M*,N,W2,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (3)
# 65535:64:1:44:M*:Z:FreeBSD:5.2::FreeBSD 5.2 (no RFC1323)
# 16384:64:1:60:M*,N,N,N,N,N,N,T:FreeBSD:4.4:noTS:FreeBSD 4.4 (w/o timestamps)
# ----------------- NetBSD ------------------
16384:64:0:60:M*,N,W0,N,N,T: NetBSD:1.3::NetBSD 1.3
65535:64:0:60:M*,N,W0,N,N,T0: NetBSD:1.6:opera:NetBSD 1.6 (Opera)
16384:64:0:60:M*,N,W0,N,N,T0: NetBSD:1.6::NetBSD 1.6
16384:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6:df:NetBSD 1.6 (DF)
65535:64:1:60:M*,N,W1,N,N,T0: NetBSD:1.6::NetBSD 1.6W-current (DF)
65535:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6::NetBSD 1.6X (DF)
32768:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6:randomization:NetBSD 1.6ZH-current (w/ ip_id randomization)
# ----------------- OpenBSD -----------------
16384:64:0:60:M*,N,W0,N,N,T: OpenBSD:2.6::NetBSD 1.3 (or OpenBSD 2.6)
16384:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.8::OpenBSD 3.0-4.8
16384:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.8:no-df:OpenBSD 3.0-4.8 (scrub no-df)
57344:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-4.0::OpenBSD 3.3-4.0
57344:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-4.0:no-df:OpenBSD 3.3-4.0 (scrub no-df)
65535:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.0:opera:OpenBSD 3.0-4.0 (Opera)
16384:64:1:64:M*,N,N,S,N,W3,N,N,T: OpenBSD:4.9::OpenBSD 4.9
16384:64:0:64:M*,N,N,S,N,W3,N,N,T: OpenBSD:4.9:no-df:OpenBSD 4.9 (scrub no-df)
16384:64:1:64:M*,N,N,S,N,W6,N,N,T: OpenBSD:6.1::OpenBSD 6.1
16384:64:0:64:M*,N,N,S,N,W6,N,N,T: OpenBSD:6.1:no-df:OpenBSD 6.1 (scrub no-df)
# ----------------- DragonFly BSD -----------------
57344:64:1:60:M*,N,W0,N,N,T: DragonFly:1.0:A:DragonFly 1.0A
57344:64:0:64:M*,N,W0,N,N,S,N,N,T: DragonFly:1.2-1.12::DragonFly 1.2-1.12
5840:64:1:60:M*,S,T,N,W4: DragonFly:2.0-2.1::DragonFly 2.0-2.1
57344:64:0:64:M*,N,W0,N,N,S,N,N,T: DragonFly:2.2-2.3::DragonFly 2.2-2.3
57344:64:0:64:M*,N,W5,N,N,S,N,N,T: DragonFly:2.4-2.7::DragonFly 2.4-2.7
# ----------------- Solaris -----------------
S17:64:1:64:N,W3,N,N,T0,N,N,S,M*: Solaris:8:RFC1323:Solaris 8 RFC1323
S17:64:1:48:N,N,S,M*: Solaris:8::Solaris 8
S17:255:1:44:M*: Solaris:2.5-2.7::Solaris 2.5 to 7
S6:255:1:44:M*: Solaris:2.6-2.7::Solaris 2.6 to 7
S23:255:1:44:M*: Solaris:2.5:1:Solaris 2.5.1
S34:64:1:48:M*,N,N,S: Solaris:2.9::Solaris 9
S44:255:1:44:M*: Solaris:2.7::Solaris 7
4096:64:0:44:M1460: SunOS:4.1::SunOS 4.1.x
S34:64:1:52:M*,N,W0,N,N,S: Solaris:10:beta:Solaris 10 (beta)
32850:64:1:64:M*,N,N,T,N,W1,N,N,S: Solaris:10::Solaris 10 1203
# ----------------- IRIX --------------------
49152:64:0:44:M*: IRIX:6.4::IRIX 6.4
61440:64:0:44:M*: IRIX:6.2-6.5::IRIX 6.2-6.5
49152:64:0:52:M*,N,W2,N,N,S: IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323)
49152:64:0:52:M*,N,W3,N,N,S: IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323)
61440:64:0:48:M*,N,N,S: IRIX:6.5:12-21:IRIX 6.5.12 - 6.5.21
49152:64:0:48:M*,N,N,S: IRIX:6.5:15-21:IRIX 6.5.15 - 6.5.21
49152:60:0:64:M*,N,W2,N,N,T,N,N,S: IRIX:6.5:IP27:IRIX 6.5 IP27
# ----------------- Tru64 -------------------
32768:64:1:48:M*,N,W0: Tru64:4.0::Tru64 4.0 (or OS/2 Warp 4)
32768:64:0:48:M*,N,W0: Tru64:5.0::Tru64 5.0
8192:64:0:44:M1460: Tru64:5.1:noRFC1323:Tru64 6.1 (no RFC1323) (or QNX 6)
61440:64:0:48:M*,N,W0: Tru64:5.1a:JP4:Tru64 v5.1a JP4 (or OpenVMS 7.x on Compaq 5.x stack)
# ----------------- OpenVMS -----------------
6144:64:1:60:M*,N,W0,N,N,T: OpenVMS:7.2::OpenVMS 7.2 (Multinet 4.4 stack)
# ----------------- MacOS -------------------
# XXX Need EOL tcp opt support
# S2:255:1:48:M*,W0,E:.:MacOS:8.6 classic
# XXX some of these use EOL too
16616:255:1:48:M*,W0: MacOS:7.3-7.6:OTTCP:MacOS 7.3-8.6 (OTTCP)
16616:255:1:48:M*,W0: MacOS:8.0-8.6:OTTCP:MacOS 7.3-8.6 (OTTCP)
16616:255:1:48:M*,N,N,N: MacOS:8.1-8.6:OTTCP:MacOS 8.1-8.6 (OTTCP)
32768:255:1:48:M*,W0,N: MacOS:9.0-9.2::MacOS 9.0-9.2
65535:255:1:48:M*,N,N,N,N: MacOS:9.1::MacOS 9.1 (OT 2.7.4)
# ----------------- Windows -----------------
# Windows TCP/IP stack is a mess. For most recent XP, 2000 and
# even 98, the patchlevel, not the actual OS version, is more
# relevant to the signature. They share the same code, so it would
# seem. Luckily for us, almost all Windows 9x boxes have an
# awkward MSS of 536, which I use to tell one from another
# in most difficult cases.
8192:32:1:44:M*: Windows:3.11::Windows 3.11 (Tucows)
S44:64:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:95::Windows 95
8192:128:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:95:b:Windows 95b
# There were so many tweaking tools and so many stack versions for
# Windows 98 it is no longer possible to tell them from each other
# without some very serious research. Until then, there's an insane
# number of signatures, for your amusement:
S44:32:1:48:M*,N,N,S: Windows:98:lowTTL:Windows 98 (low TTL)
8192:32:1:48:M*,N,N,S: Windows:98:lowTTL:Windows 98 (low TTL)
%8192:64:1:48:M536,N,N,S: Windows:98::Windows 98
%8192:128:1:48:M536,N,N,S: Windows:98::Windows 98
S4:64:1:48:M*,N,N,S: Windows:98::Windows 98
S6:64:1:48:M*,N,N,S: Windows:98::Windows 98
S12:64:1:48:M*,N,N,S: Windows:98::Windows 98
T30:64:1:64:M1460,N,W0,N,N,T0,N,N,S: Windows:98::Windows 98
32767:64:1:48:M*,N,N,S: Windows:98::Windows 98
37300:64:1:48:M*,N,N,S: Windows:98::Windows 98
46080:64:1:52:M*,N,W3,N,N,S: Windows:98:RFC1323:Windows 98 (RFC1323)
65535:64:1:44:M*: Windows:98:noSack:Windows 98 (no sack)
S16:128:1:48:M*,N,N,S: Windows:98::Windows 98
S16:128:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:98::Windows 98
S26:128:1:48:M*,N,N,S: Windows:98::Windows 98
T30:128:1:48:M*,N,N,S: Windows:98::Windows 98
32767:128:1:52:M*,N,W0,N,N,S: Windows:98::Windows 98
60352:128:1:48:M*,N,N,S: Windows:98::Windows 98
60352:128:1:64:M*,N,W2,N,N,T0,N,N,S: Windows:98::Windows 98
# What's with 1414 on NT?
T31:128:1:44:M1414: Windows:NT:4.0:Windows NT 4.0 SP6a
64512:128:1:44:M1414: Windows:NT:4.0:Windows NT 4.0 SP6a
8192:128:1:44:M*: Windows:NT:4.0:Windows NT 4.0 (older)
# Windows XP and 2000. Most of the signatures that were
# either dubious or non-specific (no service pack data)
# were deleted and replaced with generics at the end.
65535:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4, XP SP1
65535:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP4, XP SP1
%8192:128:1:48:M*,N,N,S: Windows:2000:SP2+:Windows 2000 SP2, XP SP1 (seldom 98 4.10.2222)
%8192:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP2, XP SP1 (seldom 98 4.10.2222)
S20:128:1:48:M*,N,N,S: Windows:2000::Windows 2000/XP SP3
S20:128:1:48:M*,N,N,S: Windows:XP:SP3:Windows 2000/XP SP3
S45:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4, XP SP 1
S45:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP4, XP SP 1
40320:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4
S6:128:1:48:M*,N,N,S: Windows:2000:SP2:Windows XP, 2000 SP2+
S6:128:1:48:M*,N,N,S: Windows:XP::Windows XP, 2000 SP2+
S12:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows XP SP1
S44:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows Pro SP1, 2000 SP3
S44:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows Pro SP1, 2000 SP3
64512:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows SP1, 2000 SP3
64512:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows SP1, 2000 SP3
32767:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows SP1, 2000 SP4
32767:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows SP1, 2000 SP4
8192:128:1:52:M*,N,W2,N,N,S: Windows:Vista::Windows Vista/7
# Odds, ends, mods:
S52:128:1:48:M1260,N,N,S: Windows:2000:cisco:Windows XP/2000 via Cisco
S52:128:1:48:M1260,N,N,S: Windows:XP:cisco:Windows XP/2000 via Cisco
65520:128:1:48:M*,N,N,S: Windows:XP::Windows XP bare-bone
16384:128:1:52:M536,N,W0,N,N,S: Windows:2000:ZoneAlarm:Windows 2000 w/ZoneAlarm?
2048:255:0:40:.: Windows:.NET::Windows .NET Enterprise Server
44620:64:0:48:M*,N,N,S: Windows:ME::Windows ME no SP (?)
S6:255:1:48:M536,N,N,S: Windows:95:winsock2:Windows 95 winsock 2
32768:32:1:52:M1460,N,W0,N,N,S: Windows:2003:AS:Windows 2003 AS
# No need to be more specific, it passes:
# *:128:1:48:M*,N,N,S:U:-Windows:XP/2000 while downloading (leak!) XXX quirk
# there is an equiv similar generic sig w/o the quirk
# ----------------- HP/UX -------------------
32768:64:1:44:M*: HP-UX:B.10.20::HP-UX B.10.20
32768:64:0:48:M*,W0,N: HP-UX:11.0::HP-UX 11.0
32768:64:1:48:M*,W0,N: HP-UX:11.10::HP-UX 11.0 or 11.11
32768:64:1:48:M*,W0,N: HP-UX:11.11::HP-UX 11.0 or 11.11
# Whoa. Hardcore WSS.
0:64:0:48:M*,W0,N: HP-UX:B.11.00:A:HP-UX B.11.00 A (RFC1323)
# ----------------- RiscOS ------------------
# We don't yet support the ?12 TCP option
#16384:64:1:68:M1460,N,W0,N,N,T,N,N,?12: RISCOS:3.70-4.36::RISC OS 3.70-4.36
12288:32:0:44:M536: RISC OS:3.70:4.10:RISC OS 3.70 inet 4.10
# XXX quirk
# 4096:64:1:56:M1460,N,N,T:T: RISC OS:3.70:freenet:RISC OS 3.70 freenet 2.00
# ----------------- BSD/OS ------------------
# Once again, power of two WSS is also shared by MacOS X with DF set
8192:64:1:60:M1460,N,W0,N,N,T: BSD/OS:3.1::BSD/OS 3.1-4.3 (or MacOS X 10.2 w/DF)
8192:64:1:60:M1460,N,W0,N,N,T: BSD/OS:4.0-4.3::BSD/OS 3.1-4.3 (or MacOS X 10.2)
# ---------------- NewtonOS -----------------
4096:64:0:44:M1420: NewtonOS:2.1::NewtonOS 2.1
# ---------------- NeXTSTEP -----------------
S4:64:0:44:M1024: NeXTSTEP:3.3::NeXTSTEP 3.3
S8:64:0:44:M512: NeXTSTEP:3.3::NeXTSTEP 3.3
# ------------------ BeOS -------------------
1024:255:0:48:M*,N,W0: BeOS:5.0-5.1::BeOS 5.0-5.1
12288:255:0:44:M1402: BeOS:5.0::BeOS 5.0.x
# ------------------ OS/400 -----------------
8192:64:1:60:M1440,N,W0,N,N,T: OS/400:VR4::OS/400 VR4/R5
8192:64:1:60:M1440,N,W0,N,N,T: OS/400:VR5::OS/400 VR4/R5
4096:64:1:60:M1440,N,W0,N,N,T: OS/400:V4R5:CF67032:OS/400 V4R5 + CF67032
# XXX quirk
# 28672:64:0:44:M1460:A:OS/390:?
# ------------------ ULTRIX -----------------
16384:64:0:40:.: ULTRIX:4.5::ULTRIX 4.5
# ------------------- QNX -------------------
S16:64:0:44:M512: QNX:::QNX demodisk
# ------------------ Novell -----------------
16384:128:1:44:M1460: Novell:NetWare:5.0:Novel Netware 5.0
6144:128:1:44:M1460: Novell:IntranetWare:4.11:Novell IntranetWare 4.11
6144:128:1:44:M1368: Novell:BorderManager::Novell BorderManager ?
6144:128:1:52:M*,W0,N,S,N,N: Novell:Netware:6:Novell Netware 6 SP3
# ----------------- SCO ------------------
S3:64:1:60:M1460,N,W0,N,N,T: SCO:UnixWare:7.1:SCO UnixWare 7.1
S17:64:1:60:M1380,N,W0,N,N,T: SCO:UnixWare:7.1:SCO UnixWare 7.1.3 MP3
S23:64:1:44:M1380: SCO:OpenServer:5.0:SCO OpenServer 5.0
# ------------------- DOS -------------------
2048:255:0:44:M536: DOS:WATTCP:1.05:DOS Arachne via WATTCP/1.05
T2:255:0:44:M984: DOS:WATTCP:1.05Arachne:Arachne via WATTCP/1.05 (eepro)
# ------------------ OS/2 -------------------
S56:64:0:44:M512: OS/2:4::OS/2 4
28672:64:0:44:M1460: OS/2:4::OS/2 Warp 4.0
# ----------------- TOPS-20 -----------------
# Another hardcore MSS, one of the ACK leakers hunted down.
# XXX QUIRK 0:64:0:44:M1460:A:TOPS-20:version 7
0:64:0:44:M1460: TOPS-20:7::TOPS-20 version 7
# ----------------- FreeMiNT ----------------
S44:255:0:44:M536: FreeMiNT:1:16A:FreeMiNT 1 patch 16A (Atari)
# ------------------ AMIGA ------------------
# XXX TCP option 12
# S32:64:1:56:M*,N,N,S,N,N,?12:.:AMIGA:3.9 BB2 with Miami stack
# ------------------ Plan9 ------------------
65535:255:0:48:M1460,W0,N: Plan9:4::Plan9 edition 4
# ----------------- AMIGAOS -----------------
16384:64:1:48:M1560,N,N,S: AMIGAOS:3.9::AMIGAOS 3.9 BB2 MiamiDX
###########################################
# Appliance / embedded / other signatures #
###########################################
# ---------- Firewalls / routers ------------
S12:64:1:44:M1460: @Checkpoint:::Checkpoint (unknown 1)
S12:64:1:48:N,N,S,M1460: @Checkpoint:::Checkpoint (unknown 2)
4096:32:0:44:M1460: ExtremeWare:4.x::ExtremeWare 4.x
# XXX TCP option 12
# S32:64:0:68:M512,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO w/Checkpoint NG FP3
# S16:64:0:68:M1024,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO 3.7 build 026
S4:64:1:60:W0,N,S,T,M1460: FortiNet:FortiGate:50:FortiNet FortiGate 50
8192:64:1:44:M1460: Eagle:::Eagle Secure Gateway
S52:128:1:48:M1260,N,N,N,N: LinkSys:WRV54G::LinkSys WRV54G VPN router
# ------- Switches and other stuff ----------
4128:255:0:44:M*: Cisco:::Cisco Catalyst 3500, 7500 etc
S8:255:0:44:M*: Cisco:12008::Cisco 12008
60352:128:1:64:M1460,N,W2,N,N,T,N,N,S: Alteon:ACEswitch::Alteon ACEswitch
64512:128:1:44:M1370: Nortel:Contivity Client::Nortel Conectivity Client
# ---------- Caches and whatnots ------------
S4:64:1:52:M1460,N,N,S,N,W0: AOL:web cache::AOL web cache
32850:64:1:64:N,W1,N,N,T,N,N,S,M*: NetApp:5.x::NetApp Data OnTap 5.x
16384:64:1:64:M1460,N,N,S,N,W0,N: NetApp:5.3:1:NetApp 5.3.1
65535:64:0:64:M1460,N,N,S,N,W*,N,N,T: NetApp:5.3-5.5::NetApp 5.3-5.5
65535:64:0:60:M1460,N,W0,N,N,T: NetApp:CacheFlow::NetApp CacheFlow
8192:64:1:64:M1460,N,N,S,N,W0,N,N,T: NetApp:5.2:1:NetApp NetCache 5.2.1
20480:64:1:64:M1460,N,N,S,N,W0,N,N,T: NetApp:4.1::NetApp NetCache4.1
65535:64:0:60:M1460,N,W0,N,N,T: CacheFlow:4.1::CacheFlow CacheOS 4.1
8192:64:0:60:M1380,N,N,N,N,N,N,T: CacheFlow:1.1::CacheFlow CacheOS 1.1
S4:64:0:48:M1460,N,N,S: Cisco:Content Engine::Cisco Content Engine
27085:128:0:40:.: Dell:PowerApp cache::Dell PowerApp (Linux-based)
65535:255:1:48:N,W1,M1460: Inktomi:crawler::Inktomi crawler
S1:255:1:60:M1460,S,T,N,W0: LookSmart:ZyBorg::LookSmart ZyBorg
16384:255:0:40:.: Proxyblocker:::Proxyblocker (what's this?)
65535:255:0:48:M*,N,N,S: Redline:::Redline T|X 2200
32696:128:0:40:M1460: Spirent:Avalanche::Spirent Web Avalanche HTTP benchmarking engine
# ----------- Embedded systems --------------
S9:255:0:44:M536: PalmOS:Tungsten:C:PalmOS Tungsten C
S5:255:0:44:M536: PalmOS:3::PalmOS 3/4
S5:255:0:44:M536: PalmOS:4::PalmOS 3/4
S4:255:0:44:M536: PalmOS:3:5:PalmOS 3.5
2948:255:0:44:M536: PalmOS:3:5:PalmOS 3.5.3 (Handera)
S29:255:0:44:M536: PalmOS:5::PalmOS 5.0
16384:255:0:44:M1398: PalmOS:5.2:Clie:PalmOS 5.2 (Clie)
S14:255:0:44:M1350: PalmOS:5.2:Treo:PalmOS 5.2.1 (Treo)
S23:64:1:64:N,W1,N,N,T,N,N,S,M1460: SymbianOS:7::SymbianOS 7
8192:255:0:44:M1460: SymbianOS:6048::Symbian OS 6048 (Nokia 7650?)
8192:255:0:44:M536: SymbianOS:9210::Symbian OS (Nokia 9210?)
S22:64:1:56:M1460,T,S: SymbianOS:P800::Symbian OS ? (SE P800?)
S36:64:1:56:M1360,T,S: SymbianOS:6600::Symbian OS 60xx (Nokia 6600?)
# Perhaps S4?
5840:64:1:60:M1452,S,T,N,W1: Zaurus:3.10::Zaurus 3.10
32768:128:1:64:M1460,N,W0,N,N,T0,N,N,S: PocketPC:2002::PocketPC 2002
S1:255:0:44:M346: Contiki:1.1:rc0:Contiki 1.1-rc0
4096:128:0:44:M1460: Sega:Dreamcast:3.0:Sega Dreamcast Dreamkey 3.0
T5:64:0:44:M536: Sega:Dreamcast:HKT-3020:Sega Dreamcast HKT-3020 (browser disc 51027)
S22:64:1:44:M1460: Sony:PS2::Sony Playstation 2 (SOCOM?)
S12:64:0:44:M1452: AXIS:5600:v5.64:AXIS Printer Server 5600 v5.64
3100:32:1:44:M1460: Windows:CE:2.0:Windows CE 2.0
####################
# Fancy signatures #
####################
1024:64:0:40:.: *NMAP:syn scan:1:NMAP syn scan (1)
2048:64:0:40:.: *NMAP:syn scan:2:NMAP syn scan (2)
3072:64:0:40:.: *NMAP:syn scan:3:NMAP syn scan (3)
4096:64:0:40:.: *NMAP:syn scan:4:NMAP syn scan (4)
# Requires quirks support
# 1024:64:0:40:.:A:*NMAP:TCP sweep probe (1)
# 2048:64:0:40:.:A:*NMAP:TCP sweep probe (2)
# 3072:64:0:40:.:A:*NMAP:TCP sweep probe (3)
# 4096:64:0:40:.:A:*NMAP:TCP sweep probe (4)
1024:64:0:60:W10,N,M265,T: *NMAP:OS:1:NMAP OS detection probe (1)
2048:64:0:60:W10,N,M265,T: *NMAP:OS:2:NMAP OS detection probe (2)
3072:64:0:60:W10,N,M265,T: *NMAP:OS:3:NMAP OS detection probe (3)
4096:64:0:60:W10,N,M265,T: *NMAP:OS:4:NMAP OS detection probe (4)
32767:64:0:40:.: *NAST:::NASTsyn scan
# Requires quirks support
# 12345:255:0:40:.:A:-p0f:sendsyn utility
#####################################
# Generic signatures - just in case #
#####################################
#*:64:1:60:M*,N,W*,N,N,T: @FreeBSD:4.0-4.9::FreeBSD 4.x/5.x
#*:64:1:60:M*,N,W*,N,N,T: @FreeBSD:5.0-5.1::FreeBSD 4.x/5.x
*:128:1:52:M*,N,W0,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
*:128:1:52:M*,N,W0,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
*:128:1:52:M*,N,W*,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
*:128:1:52:M*,N,W*,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
*:128:1:64:M*,N,W0,N,N,T0,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323)
*:128:1:64:M*,N,W0,N,N,T0,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323)
*:128:1:64:M*,N,W*,N,N,T0,N,N,S: @Windows:XP:RFC1323:Windows XP (RFC1323, w+)
*:128:1:48:M536,N,N,S: @Windows:98::Windows 98
*:128:1:48:M*,N,N,S: @Windows:XP::Windows XP/2000
*:128:1:48:M*,N,N,S: @Windows:2000::Windows XP/2000

BIN
conf/system/include/14.2/pfctl Executable file
View File

Binary file not shown.

BIN
conf/system/include/14.2/pfilctl Executable file
View File

Binary file not shown.

BIN
conf/system/include/14.2/pflogd Executable file
View File

Binary file not shown.

BIN
conf/system/include/14.2/setfib Executable file
View File

Binary file not shown.

BIN
conf/system/include/14.2/sum Executable file
View File

Binary file not shown.

BIN
conf/system/include/14.3/ar Normal file
View File

Binary file not shown.

BIN
conf/system/include/14.3/diff3 Normal file
View File

Binary file not shown.

1963
conf/system/include/14.3/etcupdate Normal file
View File

File diff suppressed because it is too large Load Diff

417
conf/system/include/14.3/jib Executable file
View File

@@ -0,0 +1,417 @@
#!/bin/sh
#-
# Copyright (c) 2016 Devin Teske
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
#
############################################################ IDENT(1)
#
# $Title: if_bridge(4) management script for vnet jails $
#
############################################################ INFORMATION
#
# Use this tool with jail.conf(5) (or rc.conf(5) ``legacy'' configuration) to
# manage `vnet' interfaces for jails. Designed to automate the creation of vnet
# interface(s) during jail `prestart' and destroy said interface(s) during jail
# `poststop'.
#
# In jail.conf(5) format:
#
# ### BEGIN EXCERPT ###
#
# xxx {
# host.hostname = "xxx.yyy";
# path = "/vm/xxx";
#
# #
# # NB: Below 2-lines required
# # NB: The number of eNb_xxx interfaces should match the number of
# # arguments given to `jib addm xxx' in exec.prestart value.
# #
# vnet;
# vnet.interface = e0b_xxx, e1b_xxx, ...;
#
# exec.clean;
# exec.system_user = "root";
# exec.jail_user = "root";
#
# #
# # NB: Below 2-lines required
# # NB: The number of arguments after `jib addm xxx' should match
# # the number of eNb_xxx arguments in vnet.interface value.
# #
# exec.prestart += "jib addm xxx em0 em1 ...";
# exec.poststop += "jib destroy xxx";
#
# # Standard recipe
# exec.start += "/bin/sh /etc/rc";
# exec.stop = "/bin/sh /etc/rc.shutdown jail";
# exec.consolelog = "/var/log/jail_xxx_console.log";
# mount.devfs;
#
# # Optional (default off)
# #allow.mount;
# #allow.set_hostname = 1;
# #allow.sysvipc = 1;
# #devfs_ruleset = "11"; # rule to unhide bpf for DHCP
# }
#
# ### END EXCERPT ###
#
# In rc.conf(5) ``legacy'' format (used when /etc/jail.conf does not exist):
#
# ### BEGIN EXCERPT ###
#
# jail_enable="YES"
# jail_list="xxx"
#
# #
# # Global presets for all jails
# #
# jail_devfs_enable="YES" # mount devfs
#
# #
# # Global options (default off)
# #
# #jail_mount_enable="YES" # mount /etc/fstab.{name}
# #jail_set_hostname_allow="YES" # Allow hostname to change
# #jail_sysvipc_allow="YES" # Allow SysV Interprocess Comm.
#
# # xxx
# jail_xxx_hostname="xxx.shxd.cx" # hostname
# jail_xxx_rootdir="/vm/xxx" # root directory
# jail_xxx_vnet_interfaces="e0b_xxx e1bxxx ..." # vnet interface(s)
# jail_xxx_exec_prestart0="jib addm xxx em0 em1 ..." # bridge interface(s)
# jail_xxx_exec_poststop0="jib destroy xxx" # destroy interface(s)
# #jail_xxx_mount_enable="YES" # mount /etc/fstab.xxx
# #jail_xxx_devfs_ruleset="11" # rule to unhide bpf for DHCP
#
# ### END EXCERPT ###
#
# Note that the legacy rc.conf(5) format is converted to
# /var/run/jail.{name}.conf by /etc/rc.d/jail if jail.conf(5) is missing.
#
# ASIDE: dhclient(8) inside a vnet jail...
#
# To allow dhclient(8) to work inside a vnet jail, make sure the following
# appears in /etc/devfs.rules (which should be created if it doesn't exist):
#
# [devfsrules_jail=11]
# add include $devfsrules_hide_all
# add include $devfsrules_unhide_basic
# add include $devfsrules_unhide_login
# add path 'bpf*' unhide
#
# And set ether devfs.ruleset="11" (jail.conf(5)) or
# jail_{name}_devfs_ruleset="11" (rc.conf(5)).
#
# NB: While this tool can't create every type of desirable topology, it should
# handle most setups, minus some which considered exotic or purpose-built.
#
############################################################ GLOBALS
pgm="${0##*/}" # Program basename
#
# Global exit status
#
SUCCESS=0
FAILURE=1
############################################################ FUNCTIONS
usage()
{
local action usage descr
exec >&2
echo "Usage: $pgm action [arguments]"
echo "Actions:"
for action in \
addm \
show \
show1 \
destroy \
; do
eval usage=\"\$jib_${action}_usage\"
[ "$usage" ] || continue
eval descr=\"\$jib_${action}_descr\"
printf "\t%s\n\t\t%s\n" "$usage" "$descr"
done
exit $FAILURE
}
action_usage()
{
local usage descr action="$1"
eval usage=\"\$jib_${action}_usage\"
echo "Usage: $pgm $usage" >&2
eval descr=\"\$jib_${action}_descr\"
printf "\t%s\n" "$descr"
exit $FAILURE
}
derive_mac()
{
local OPTIND=1 OPTARG __flag
local __mac_num= __make_pair=
while getopts 2n: __flag; do
case "$__flag" in
2) __make_pair=1 ;;
n) __mac_num=${OPTARG%%[^0-9]*} ;;
esac
done
shift $(( $OPTIND - 1 ))
if [ ! "$__mac_num" ]; then
eval __mac_num=\${_${iface}_num:--1}
__mac_num=$(( $__mac_num + 1 ))
eval _${iface}_num=\$__mac_num
fi
local __iface="$1" __name="$2" __var_to_set="$3" __var_to_set_b="$4"
local __iface_devid __new_devid __num __new_devid_b
#
# Calculate MAC address derived from given iface.
#
# The formula I'm using is ``NP:SS:SS:II:II:II'' where:
# + N denotes 4 bits used as a counter to support branching
# each parent interface up to 15 times under the same jail
# name (see S below).
# + P denotes the special nibble whose value, if one of
# 2, 6, A, or E (but usually 2) denotes a privately
# administered MAC address (while remaining routable).
# + S denotes 16 bits, the sum(1) value of the jail name.
# + I denotes bits that are inherited from parent interface.
#
# The S bits are a CRC-16 checksum of NAME, allowing the jail
# to change link numbers in ng_bridge(4) without affecting the
# MAC address. Meanwhile, if...
# + the jail NAME changes (e.g., it was duplicated and given
# a new name with no other changes)
# + the underlying network interface changes
# + the jail is moved to another host
# the MAC address will be recalculated to a new, similarly
# unique value preventing conflict.
#
__iface_devid=$( ifconfig $__iface ether | awk '/ether/,$0=$2' )
# ??:??:??:II:II:II
__new_devid=${__iface_devid#??:??:??} # => :II:II:II
# => :SS:SS:II:II:II
__num=$( set -- `echo -n "$__name" | sum` && echo $1 )
__new_devid=$( printf :%02x:%02x \
$(( $__num >> 8 & 255 )) $(( $__num & 255 )) )$__new_devid
# => P:SS:SS:II:II:II
case "$__iface_devid" in
?2:*) __new_devid=a$__new_devid __new_devid_b=e$__new_devid ;;
?[Ee]:*) __new_devid=2$__new_devid __new_devid_b=6$__new_devid ;;
*) __new_devid=2$__new_devid __new_devid_b=e$__new_devid
esac
# => NP:SS:SS:II:II:II
__new_devid=$( printf %x $(( $__mac_num & 15 )) )$__new_devid
__new_devid_b=$( printf %x $(( $__mac_num & 15 )) )$__new_devid_b
#
# Return derivative MAC address(es)
#
if [ "$__make_pair" ]; then
if [ "$__var_to_set" -a "$__var_to_set_b" ]; then
eval $__var_to_set=\$__new_devid
eval $__var_to_set_b=\$__new_devid_b
else
echo $__new_devid $__new_devid_b
fi
else
if [ "$__var_to_set" ]; then
eval $__var_to_set=\$__new_devid
else
echo $__new_devid
fi
fi
}
mustberoot_to_continue()
{
if [ "$( id -u )" -ne 0 ]; then
echo "Must run as root!" >&2
exit $FAILURE
fi
}
jib_addm_usage="addm [-b BRIDGE_NAME] NAME [!]iface0 [[!]iface1 ...]"
jib_addm_descr="Creates e0b_NAME [e1b_NAME ...]"
jib_addm()
{
local OPTIND=1 OPTARG flag bridge=bridge
while getopts b: flag; do
case "$flag" in
b) bridge="${OPTARG:-bridge}" ;;
*) action_usage addm # NOTREACHED
esac
done
shift $(( $OPTIND - 1 ))
local name="$1"
[ "${name:-x}" = "${name#*[!0-9a-zA-Z_]}" -a $# -gt 1 ] ||
action_usage addm # NOTREACHED
shift 1 # name
mustberoot_to_continue
local iface eiface_devid_a eiface_devid_b
local new no_derive num quad i=0
for iface in $*; do
no_derive=
case "$iface" in
!*) iface=${iface#!} no_derive=1 ;;
esac
# Make sure the interface doesn't exist already
if ifconfig "e${i}a_$name" > /dev/null 2>&1; then
i=$(( $i + 1 ))
continue
fi
# Bring the interface up
ifconfig $iface up || return
# Make sure the interface has been bridged
if ! ifconfig "$iface$bridge" > /dev/null 2>&1; then
new=$( ifconfig bridge create ) || return
ifconfig $new addm $iface || return
ifconfig $new name "$iface$bridge" || return
ifconfig "$iface$bridge" up || return
fi
# Create a new interface to the bridge
new=$( ifconfig epair create ) || return
ifconfig "$iface$bridge" addm $new || return
# Rename the new interface
ifconfig $new name "e${i}a_$name" || return
ifconfig ${new%a}b name "e${i}b_$name" || return
ifconfig "e${i}a_$name" up || return
ifconfig "e${i}b_$name" up || return
#
# Set the MAC address of the new interface using a sensible
# algorithm to prevent conflicts on the network.
#
eiface_devid_a= eiface_devid_b=
[ "$no_derive" ] || derive_mac -2 $iface "$name" \
eiface_devid_a eiface_devid_b
if [ "$eiface_devid_a" -a "$eiface_devid_b" ]; then
ifconfig "e${i}a_$name" ether $eiface_devid_a
ifconfig "e${i}b_$name" ether $eiface_devid_b
fi > /dev/null 2>&1
i=$(( $i + 1 ))
done # for iface
}
jib_show_usage="show"
jib_show_descr="List possible NAME values for \`show NAME'"
jib_show1_usage="show NAME"
jib_show1_descr="Lists e0b_NAME [e1b_NAME ...]"
jib_show2_usage="show [NAME]"
jib_show()
{
local OPTIND=1 OPTARG flag
while getopts "" flag; do
case "$flag" in
*) action_usage show2 # NOTREACHED
esac
done
shift $(( $OPTIND - 1 ))
if [ $# -eq 0 ]; then
ifconfig | awk '
/^[^:[:space:]]+:/ {
iface = $1
sub(/:.*/, "", iface)
next
}
$1 == "groups:" {
for (n = split($0, group); n > 1; n--) {
if (group[n] != "bridge") continue
print iface
next
}
}' |
xargs -rn1 ifconfig |
awk '$1 == "member:" &&
sub(/^e[[:digit:]]+a_/, "", $2), $0 = $2' |
sort -u
return
fi
ifconfig | awk -v name="$1" '
match($0, /^e[[:digit:]]+a_/) && sub(/:.*/, "") &&
substr($1, RSTART + RLENGTH) == name
' | sort
}
jib_destroy_usage="destroy NAME"
jib_destroy_descr="Destroy e0b_NAME [e1b_NAME ...]"
jib_destroy()
{
local OPTIND=1 OPTARG flag
while getopts "" flag; do
case "$flag" in
*) action_usage destroy # NOTREACHED
esac
done
shift $(( $OPTIND -1 ))
local name="$1"
[ "${name:-x}" = "${name#*[!0-9a-zA-Z_]}" -a $# -eq 1 ] ||
action_usage destroy # NOTREACHED
mustberoot_to_continue
jib_show "$name" | xargs -rn1 -I eiface ifconfig eiface destroy
}
############################################################ MAIN
#
# Command-line arguments
#
action="$1"
[ "$action" ] || usage # NOTREACHED
#
# Validate action argument
#
if [ "$BASH_VERSION" ]; then
type="$( type -t "jib_$action" )" || usage # NOTREACHED
else
type="$( type "jib_$action" 2> /dev/null )" || usage # NOTREACHED
fi
case "$type" in
*function)
shift 1 # action
eval "jib_$action" \"\$@\"
;;
*) usage # NOTREACHED
esac
################################################################################
# END
################################################################################

BIN
conf/system/include/14.3/makewhatis Normal file
View File

Binary file not shown.

708
conf/system/include/14.3/pf.os Normal file
View File

@@ -0,0 +1,708 @@
# $OpenBSD: pf.os,v 1.27 2016/09/03 17:08:57 sthen Exp $
# passive OS fingerprinting
# -------------------------
#
# SYN signatures. Those signatures work for SYN packets only (duh!).
#
# (C) Copyright 2000-2003 by Michal Zalewski <lcamtuf@coredump.cx>
# (C) Copyright 2003 by Mike Frantzen <frantzen@w4g.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
#
# This fingerprint database is adapted from Michal Zalewski's p0f passive
# operating system package. The last database sync was from a Nov 3 2003
# p0f.fp.
#
#
# Each line in this file specifies a single fingerprint. Please read the
# information below carefully before attempting to append any signatures
# reported as UNKNOWN to this file to avoid mistakes.
#
# We use the following set metrics for fingerprinting:
#
# - Window size (WSS) - a highly OS dependent setting used for TCP/IP
# performance control (max. amount of data to be sent without ACK).
# Some systems use a fixed value for initial packets. On other
# systems, it is a multiple of MSS or MTU (MSS+40). In some rare
# cases, the value is just arbitrary.
#
# NEW SIGNATURE: if p0f reported a special value of 'Snn', the number
# appears to be a multiple of MSS (MSS*nn); a special value of 'Tnn'
# means it is a multiple of MTU ((MSS+40)*nn). Unless you notice the
# value of nn is not fixed (unlikely), just copy the Snn or Tnn token
# literally. If you know this device has a simple stack and a fixed
# MTU, you can however multiply S value by MSS, or T value by MSS+40,
# and put it instead of Snn or Tnn.
#
# If WSS otherwise looks like a fixed value (for example a multiple
# of two), or if you can confirm the value is fixed, please quote
# it literally. If there's no apparent pattern in WSS chosen, you
# should consider wildcarding this value.
#
# - Overall packet size - a function of all IP and TCP options and bugs.
#
# NEW SIGNATURE: Copy this value literally.
#
# - Initial TTL - We check the actual TTL of a received packet. It can't
# be higher than the initial TTL, and also shouldn't be dramatically
# lower (maximum distance is defined as 40 hops).
#
# NEW SIGNATURE: *Never* copy TTL from a p0f-reported signature literally.
# You need to determine the initial TTL. The best way to do it is to
# check the documentation for a remote system, or check its settings.
# A fairly good method is to simply round the observed TTL up to
# 32, 64, 128, or 255, but it should be noted that some obscure devices
# might not use round TTLs (in particular, some shoddy appliances use
# "original" initial TTL settings). If not sure, you can see how many
# hops you're away from the remote party with traceroute or mtr.
#
# - Don't fragment flag (DF) - some modern OSes set this to implement PMTU
# discovery. Others do not bother.
#
# NEW SIGNATURE: Copy this value literally.
#
# - Maximum segment size (MSS) - this setting is usually link-dependent. P0f
# uses it to determine link type of the remote host.
#
# NEW SIGNATURE: Always wildcard this value, except for rare cases when
# you have an appliance with a fixed value, know the system supports only
# a very limited number of network interface types, or know the system
# is using a value it pulled out of nowhere. Specific unique MSS
# can be used to tell Google crawlbots from the rest of the population.
#
# - Window scaling (WSCALE) - this feature is used to scale WSS.
# It extends the size of a TCP/IP window to 32 bits. Some modern
# systems implement this feature.
#
# NEW SIGNATURE: Observe several signatures. Initial WSCALE is often set
# to zero or other low value. There's usually no need to wildcard this
# parameter.
#
# - Timestamp - some systems that implement timestamps set them to
# zero in the initial SYN. This case is detected and handled appropriately.
#
# - Selective ACK permitted - a flag set by systems that implement
# selective ACK functionality.
#
# - The sequence of TCP all options (MSS, window scaling, selective ACK
# permitted, timestamp, NOP). Other than the options previously
# discussed, p0f also checks for timestamp option (a silly
# extension to broadcast your uptime ;-), NOP options (used for
# header padding) and sackOK option (selective ACK feature).
#
# NEW SIGNATURE: Copy the sequence literally.
#
# To wildcard any value (except for initial TTL or TCP options), replace
# it with '*'. You can also use a modulo operator to match any values
# that divide by nnn - '%nnn'.
#
# Fingerprint entry format:
#
# wwww:ttt:D:ss:OOO...:OS:Version:Subtype:Details
#
# wwww - window size (can be *, %nnn, Snn or Tnn). The special values
# "S" and "T" which are a multiple of MSS or a multiple of MTU
# respectively.
# ttt - initial TTL
# D - don't fragment bit (0 - not set, 1 - set)
# ss - overall SYN packet size
# OOO - option value and order specification (see below)
# OS - OS genre (Linux, Solaris, Windows)
# Version - OS Version (2.0.27 on x86, etc)
# Subtype - OS subtype or patchlevel (SP3, lo0)
# details - Generic OS details
#
# If OS genre starts with '*', p0f will not show distance, link type
# and timestamp data. It is useful for userland TCP/IP stacks of
# network scanners and so on, where many settings are randomized or
# bogus.
#
# If OS genre starts with @, it denotes an approximate hit for a group
# of operating systems (signature reporting still enabled in this case).
# Use this feature at the end of this file to catch cases for which
# you don't have a precise match, but can tell it's Windows or FreeBSD
# or whatnot by looking at, say, flag layout alone.
#
# Option block description is a list of comma or space separated
# options in the order they appear in the packet:
#
# N - NOP option
# Wnnn - window scaling option, value nnn (or * or %nnn)
# Mnnn - maximum segment size option, value nnn (or * or %nnn)
# S - selective ACK OK
# T - timestamp
# T0 - timestamp with a zero value
#
# To denote no TCP options, use a single '.'.
#
# Please report any additions to this file, or any inaccuracies or
# problems spotted, to the maintainers: lcamtuf@coredump.cx,
# frantzen@openbsd.org and bugs@openbsd.org with a tcpdump packet
# capture of the relevant SYN packet(s)
#
# A test and submission page is available at
# http://lcamtuf.coredump.cx/p0f-help/
#
#
# WARNING WARNING WARNING
# -----------------------
#
# Do not add a system X as OS Y just because NMAP says so. It is often
# the case that X is a NAT firewall. While nmap is talking to the
# device itself, p0f is fingerprinting the guy behind the firewall
# instead.
#
# When in doubt, use common sense, don't add something that looks like
# a completely different system as Linux or FreeBSD or LinkSys router.
# Check DNS name, establish a connection to the remote host and look
# at SYN+ACK - does it look similar?
#
# Some users tweak their TCP/IP settings - enable or disable RFC1323
# functionality, enable or disable timestamps or selective ACK,
# disable PMTU discovery, change MTU and so on. Always compare a new rule
# to other fingerprints for this system, and verify the system isn't
# "customized" before adding it. It is OK to add signature variants
# caused by a commonly used software (personal firewalls, security
# packages, etc), but it makes no sense to try to add every single
# possible /proc/sys/net/ipv4 tweak on Linux or so.
#
# KEEP IN MIND: Some packet firewalls configured to normalize outgoing
# traffic (OpenBSD pf with "scrub" enabled, for example) will, well,
# normalize packets. Signatures will not correspond to the originating
# system (and probably not quite to the firewall either).
#
# NOTE: Try to keep this file in some reasonable order, from most to
# least likely systems. This will speed up operation. Also keep most
# generic and broad rules near the end.
#
##########################
# Standard OS signatures #
##########################
# ----------------- AIX ---------------------
# AIX is first because its signatures are close to NetBSD, MacOS X and
# Linux 2.0, but it uses a fairly rare MSSes, at least sometimes...
# This is a shoddy hack, though.
45046:64:0:44:M*: AIX:4.3::AIX 4.3
16384:64:0:44:M512: AIX:4.3:2-3:AIX 4.3.2 and earlier
16384:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2
16384:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2
32768:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2
32768:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2
65535:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2
65535:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2
65535:64:0:64:M*,N,W1,N,N,T,N,N,S: AIX:5.3:ML1:AIX 5.3 ML1
# ----------------- Linux -------------------
# S1:64:0:44:M*:A: Linux:1.2::Linux 1.2.x (XXX quirks support)
512:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x
16384:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x
# Endian snafu! Nelson says "ha-ha":
2:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac
64:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac
S4:64:1:60:M1360,S,T,N,W0: Linux:google::Linux (Google crawlbot)
S2:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4 (big boy)
S3:64:1:60:M*,S,T,N,W0: Linux:2.4:.18-21:Linux 2.4.18 and newer
S4:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4/2.6 <= 2.6.7
S4:64:1:60:M*,S,T,N,W0: Linux:2.6:.1-7:Linux 2.4/2.6 <= 2.6.7
S4:64:1:60:M*,S,T,N,W5: Linux:2.6::Linux 2.6 (newer, 1)
S4:64:1:60:M*,S,T,N,W6: Linux:2.6::Linux 2.6 (newer, 2)
S4:64:1:60:M*,S,T,N,W7: Linux:2.6::Linux 2.6 (newer, 3)
T4:64:1:60:M*,S,T,N,W7: Linux:2.6::Linux 2.6 (newer, 4)
S10:64:1:60:M*,S,T,N,W4: Linux:3.0::Linux 3.0
S3:64:1:60:M*,S,T,N,W1: Linux:2.5::Linux 2.5 (sometimes 2.4)
S4:64:1:60:M*,S,T,N,W1: Linux:2.5-2.6::Linux 2.5/2.6
S3:64:1:60:M*,S,T,N,W2: Linux:2.5::Linux 2.5 (sometimes 2.4)
S4:64:1:60:M*,S,T,N,W2: Linux:2.5::Linux 2.5 (sometimes 2.4)
S20:64:1:60:M*,S,T,N,W0: Linux:2.2:20-25:Linux 2.2.20 and newer
S22:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2
S11:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2
# Popular cluster config scripts disable timestamps and
# selective ACK:
S4:64:1:48:M1460,N,W0: Linux:2.4:cluster:Linux 2.4 in cluster
# This needs to be investigated. On some systems, WSS
# is selected as a multiple of MTU instead of MSS. I got
# many submissions for this for many late versions of 2.4:
T4:64:1:60:M1412,S,T,N,W0: Linux:2.4::Linux 2.4 (late, uncommon)
# This happens only over loopback, but let's make folks happy:
32767:64:1:60:M16396,S,T,N,W0: Linux:2.4:lo0:Linux 2.4 (local)
S8:64:1:60:M3884,S,T,N,W0: Linux:2.2:lo0:Linux 2.2 (local)
# Opera visitors:
16384:64:1:60:M*,S,T,N,W0: Linux:2.2:Opera:Linux 2.2 (Opera?)
32767:64:1:60:M*,S,T,N,W0: Linux:2.4:Opera:Linux 2.4 (Opera?)
# Some fairly common mods:
S4:64:1:52:M*,N,N,S,N,W0: Linux:2.4:ts:Linux 2.4 w/o timestamps
S22:64:1:52:M*,N,N,S,N,W0: Linux:2.2:ts:Linux 2.2 w/o timestamps
# ----------------- FreeBSD -----------------
16384:64:1:44:M*: FreeBSD:2.0-2.2::FreeBSD 2.0-4.2
16384:64:1:44:M*: FreeBSD:3.0-3.5::FreeBSD 2.0-4.2
16384:64:1:44:M*: FreeBSD:4.0-4.2::FreeBSD 2.0-4.2
16384:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4
1024:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4
57344:64:1:44:M*: FreeBSD:4.6-4.8:noRFC1323:FreeBSD 4.6-4.8 (no RFC1323)
57344:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.6-4.9::FreeBSD 4.6-4.9
32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.11::FreeBSD 4.8-5.1 (or MacOS X)
32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0-5.1::FreeBSD 4.8-5.1 (or MacOS X)
65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.11::FreeBSD 4.8-5.2 (or MacOS X)
65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0-5.2::FreeBSD 4.8-5.2 (or MacOS X)
65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:4.7-4.11::FreeBSD 4.7-5.2
65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:5.0-5.2::FreeBSD 4.7-5.2
# XXX need quirks support
# 65535:64:1:60:M*,N,W0,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (1)
# 65535:64:1:60:M*,N,W1,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (2)
# 65535:64:1:60:M*,N,W2,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (3)
# 65535:64:1:44:M*:Z:FreeBSD:5.2::FreeBSD 5.2 (no RFC1323)
# 16384:64:1:60:M*,N,N,N,N,N,N,T:FreeBSD:4.4:noTS:FreeBSD 4.4 (w/o timestamps)
# ----------------- NetBSD ------------------
16384:64:0:60:M*,N,W0,N,N,T: NetBSD:1.3::NetBSD 1.3
65535:64:0:60:M*,N,W0,N,N,T0: NetBSD:1.6:opera:NetBSD 1.6 (Opera)
16384:64:0:60:M*,N,W0,N,N,T0: NetBSD:1.6::NetBSD 1.6
16384:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6:df:NetBSD 1.6 (DF)
65535:64:1:60:M*,N,W1,N,N,T0: NetBSD:1.6::NetBSD 1.6W-current (DF)
65535:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6::NetBSD 1.6X (DF)
32768:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6:randomization:NetBSD 1.6ZH-current (w/ ip_id randomization)
# ----------------- OpenBSD -----------------
16384:64:0:60:M*,N,W0,N,N,T: OpenBSD:2.6::NetBSD 1.3 (or OpenBSD 2.6)
16384:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.8::OpenBSD 3.0-4.8
16384:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.8:no-df:OpenBSD 3.0-4.8 (scrub no-df)
57344:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-4.0::OpenBSD 3.3-4.0
57344:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-4.0:no-df:OpenBSD 3.3-4.0 (scrub no-df)
65535:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.0:opera:OpenBSD 3.0-4.0 (Opera)
16384:64:1:64:M*,N,N,S,N,W3,N,N,T: OpenBSD:4.9::OpenBSD 4.9
16384:64:0:64:M*,N,N,S,N,W3,N,N,T: OpenBSD:4.9:no-df:OpenBSD 4.9 (scrub no-df)
16384:64:1:64:M*,N,N,S,N,W6,N,N,T: OpenBSD:6.1::OpenBSD 6.1
16384:64:0:64:M*,N,N,S,N,W6,N,N,T: OpenBSD:6.1:no-df:OpenBSD 6.1 (scrub no-df)
# ----------------- DragonFly BSD -----------------
57344:64:1:60:M*,N,W0,N,N,T: DragonFly:1.0:A:DragonFly 1.0A
57344:64:0:64:M*,N,W0,N,N,S,N,N,T: DragonFly:1.2-1.12::DragonFly 1.2-1.12
5840:64:1:60:M*,S,T,N,W4: DragonFly:2.0-2.1::DragonFly 2.0-2.1
57344:64:0:64:M*,N,W0,N,N,S,N,N,T: DragonFly:2.2-2.3::DragonFly 2.2-2.3
57344:64:0:64:M*,N,W5,N,N,S,N,N,T: DragonFly:2.4-2.7::DragonFly 2.4-2.7
# ----------------- Solaris -----------------
S17:64:1:64:N,W3,N,N,T0,N,N,S,M*: Solaris:8:RFC1323:Solaris 8 RFC1323
S17:64:1:48:N,N,S,M*: Solaris:8::Solaris 8
S17:255:1:44:M*: Solaris:2.5-2.7::Solaris 2.5 to 7
S6:255:1:44:M*: Solaris:2.6-2.7::Solaris 2.6 to 7
S23:255:1:44:M*: Solaris:2.5:1:Solaris 2.5.1
S34:64:1:48:M*,N,N,S: Solaris:2.9::Solaris 9
S44:255:1:44:M*: Solaris:2.7::Solaris 7
4096:64:0:44:M1460: SunOS:4.1::SunOS 4.1.x
S34:64:1:52:M*,N,W0,N,N,S: Solaris:10:beta:Solaris 10 (beta)
32850:64:1:64:M*,N,N,T,N,W1,N,N,S: Solaris:10::Solaris 10 1203
# ----------------- IRIX --------------------
49152:64:0:44:M*: IRIX:6.4::IRIX 6.4
61440:64:0:44:M*: IRIX:6.2-6.5::IRIX 6.2-6.5
49152:64:0:52:M*,N,W2,N,N,S: IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323)
49152:64:0:52:M*,N,W3,N,N,S: IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323)
61440:64:0:48:M*,N,N,S: IRIX:6.5:12-21:IRIX 6.5.12 - 6.5.21
49152:64:0:48:M*,N,N,S: IRIX:6.5:15-21:IRIX 6.5.15 - 6.5.21
49152:60:0:64:M*,N,W2,N,N,T,N,N,S: IRIX:6.5:IP27:IRIX 6.5 IP27
# ----------------- Tru64 -------------------
32768:64:1:48:M*,N,W0: Tru64:4.0::Tru64 4.0 (or OS/2 Warp 4)
32768:64:0:48:M*,N,W0: Tru64:5.0::Tru64 5.0
8192:64:0:44:M1460: Tru64:5.1:noRFC1323:Tru64 6.1 (no RFC1323) (or QNX 6)
61440:64:0:48:M*,N,W0: Tru64:5.1a:JP4:Tru64 v5.1a JP4 (or OpenVMS 7.x on Compaq 5.x stack)
# ----------------- OpenVMS -----------------
6144:64:1:60:M*,N,W0,N,N,T: OpenVMS:7.2::OpenVMS 7.2 (Multinet 4.4 stack)
# ----------------- MacOS -------------------
# XXX Need EOL tcp opt support
# S2:255:1:48:M*,W0,E:.:MacOS:8.6 classic
# XXX some of these use EOL too
16616:255:1:48:M*,W0: MacOS:7.3-7.6:OTTCP:MacOS 7.3-8.6 (OTTCP)
16616:255:1:48:M*,W0: MacOS:8.0-8.6:OTTCP:MacOS 7.3-8.6 (OTTCP)
16616:255:1:48:M*,N,N,N: MacOS:8.1-8.6:OTTCP:MacOS 8.1-8.6 (OTTCP)
32768:255:1:48:M*,W0,N: MacOS:9.0-9.2::MacOS 9.0-9.2
65535:255:1:48:M*,N,N,N,N: MacOS:9.1::MacOS 9.1 (OT 2.7.4)
# ----------------- Windows -----------------
# Windows TCP/IP stack is a mess. For most recent XP, 2000 and
# even 98, the patchlevel, not the actual OS version, is more
# relevant to the signature. They share the same code, so it would
# seem. Luckily for us, almost all Windows 9x boxes have an
# awkward MSS of 536, which I use to tell one from another
# in most difficult cases.
8192:32:1:44:M*: Windows:3.11::Windows 3.11 (Tucows)
S44:64:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:95::Windows 95
8192:128:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:95:b:Windows 95b
# There were so many tweaking tools and so many stack versions for
# Windows 98 it is no longer possible to tell them from each other
# without some very serious research. Until then, there's an insane
# number of signatures, for your amusement:
S44:32:1:48:M*,N,N,S: Windows:98:lowTTL:Windows 98 (low TTL)
8192:32:1:48:M*,N,N,S: Windows:98:lowTTL:Windows 98 (low TTL)
%8192:64:1:48:M536,N,N,S: Windows:98::Windows 98
%8192:128:1:48:M536,N,N,S: Windows:98::Windows 98
S4:64:1:48:M*,N,N,S: Windows:98::Windows 98
S6:64:1:48:M*,N,N,S: Windows:98::Windows 98
S12:64:1:48:M*,N,N,S: Windows:98::Windows 98
T30:64:1:64:M1460,N,W0,N,N,T0,N,N,S: Windows:98::Windows 98
32767:64:1:48:M*,N,N,S: Windows:98::Windows 98
37300:64:1:48:M*,N,N,S: Windows:98::Windows 98
46080:64:1:52:M*,N,W3,N,N,S: Windows:98:RFC1323:Windows 98 (RFC1323)
65535:64:1:44:M*: Windows:98:noSack:Windows 98 (no sack)
S16:128:1:48:M*,N,N,S: Windows:98::Windows 98
S16:128:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:98::Windows 98
S26:128:1:48:M*,N,N,S: Windows:98::Windows 98
T30:128:1:48:M*,N,N,S: Windows:98::Windows 98
32767:128:1:52:M*,N,W0,N,N,S: Windows:98::Windows 98
60352:128:1:48:M*,N,N,S: Windows:98::Windows 98
60352:128:1:64:M*,N,W2,N,N,T0,N,N,S: Windows:98::Windows 98
# What's with 1414 on NT?
T31:128:1:44:M1414: Windows:NT:4.0:Windows NT 4.0 SP6a
64512:128:1:44:M1414: Windows:NT:4.0:Windows NT 4.0 SP6a
8192:128:1:44:M*: Windows:NT:4.0:Windows NT 4.0 (older)
# Windows XP and 2000. Most of the signatures that were
# either dubious or non-specific (no service pack data)
# were deleted and replaced with generics at the end.
65535:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4, XP SP1
65535:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP4, XP SP1
%8192:128:1:48:M*,N,N,S: Windows:2000:SP2+:Windows 2000 SP2, XP SP1 (seldom 98 4.10.2222)
%8192:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP2, XP SP1 (seldom 98 4.10.2222)
S20:128:1:48:M*,N,N,S: Windows:2000::Windows 2000/XP SP3
S20:128:1:48:M*,N,N,S: Windows:XP:SP3:Windows 2000/XP SP3
S45:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4, XP SP 1
S45:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP4, XP SP 1
40320:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4
S6:128:1:48:M*,N,N,S: Windows:2000:SP2:Windows XP, 2000 SP2+
S6:128:1:48:M*,N,N,S: Windows:XP::Windows XP, 2000 SP2+
S12:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows XP SP1
S44:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows Pro SP1, 2000 SP3
S44:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows Pro SP1, 2000 SP3
64512:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows SP1, 2000 SP3
64512:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows SP1, 2000 SP3
32767:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows SP1, 2000 SP4
32767:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows SP1, 2000 SP4
8192:128:1:52:M*,N,W2,N,N,S: Windows:Vista::Windows Vista/7
# Odds, ends, mods:
S52:128:1:48:M1260,N,N,S: Windows:2000:cisco:Windows XP/2000 via Cisco
S52:128:1:48:M1260,N,N,S: Windows:XP:cisco:Windows XP/2000 via Cisco
65520:128:1:48:M*,N,N,S: Windows:XP::Windows XP bare-bone
16384:128:1:52:M536,N,W0,N,N,S: Windows:2000:ZoneAlarm:Windows 2000 w/ZoneAlarm?
2048:255:0:40:.: Windows:.NET::Windows .NET Enterprise Server
44620:64:0:48:M*,N,N,S: Windows:ME::Windows ME no SP (?)
S6:255:1:48:M536,N,N,S: Windows:95:winsock2:Windows 95 winsock 2
32768:32:1:52:M1460,N,W0,N,N,S: Windows:2003:AS:Windows 2003 AS
# No need to be more specific, it passes:
# *:128:1:48:M*,N,N,S:U:-Windows:XP/2000 while downloading (leak!) XXX quirk
# there is an equiv similar generic sig w/o the quirk
# ----------------- HP/UX -------------------
32768:64:1:44:M*: HP-UX:B.10.20::HP-UX B.10.20
32768:64:0:48:M*,W0,N: HP-UX:11.0::HP-UX 11.0
32768:64:1:48:M*,W0,N: HP-UX:11.10::HP-UX 11.0 or 11.11
32768:64:1:48:M*,W0,N: HP-UX:11.11::HP-UX 11.0 or 11.11
# Whoa. Hardcore WSS.
0:64:0:48:M*,W0,N: HP-UX:B.11.00:A:HP-UX B.11.00 A (RFC1323)
# ----------------- RiscOS ------------------
# We don't yet support the ?12 TCP option
#16384:64:1:68:M1460,N,W0,N,N,T,N,N,?12: RISCOS:3.70-4.36::RISC OS 3.70-4.36
12288:32:0:44:M536: RISC OS:3.70:4.10:RISC OS 3.70 inet 4.10
# XXX quirk
# 4096:64:1:56:M1460,N,N,T:T: RISC OS:3.70:freenet:RISC OS 3.70 freenet 2.00
# ----------------- BSD/OS ------------------
# Once again, power of two WSS is also shared by MacOS X with DF set
8192:64:1:60:M1460,N,W0,N,N,T: BSD/OS:3.1::BSD/OS 3.1-4.3 (or MacOS X 10.2 w/DF)
8192:64:1:60:M1460,N,W0,N,N,T: BSD/OS:4.0-4.3::BSD/OS 3.1-4.3 (or MacOS X 10.2)
# ---------------- NewtonOS -----------------
4096:64:0:44:M1420: NewtonOS:2.1::NewtonOS 2.1
# ---------------- NeXTSTEP -----------------
S4:64:0:44:M1024: NeXTSTEP:3.3::NeXTSTEP 3.3
S8:64:0:44:M512: NeXTSTEP:3.3::NeXTSTEP 3.3
# ------------------ BeOS -------------------
1024:255:0:48:M*,N,W0: BeOS:5.0-5.1::BeOS 5.0-5.1
12288:255:0:44:M1402: BeOS:5.0::BeOS 5.0.x
# ------------------ OS/400 -----------------
8192:64:1:60:M1440,N,W0,N,N,T: OS/400:VR4::OS/400 VR4/R5
8192:64:1:60:M1440,N,W0,N,N,T: OS/400:VR5::OS/400 VR4/R5
4096:64:1:60:M1440,N,W0,N,N,T: OS/400:V4R5:CF67032:OS/400 V4R5 + CF67032
# XXX quirk
# 28672:64:0:44:M1460:A:OS/390:?
# ------------------ ULTRIX -----------------
16384:64:0:40:.: ULTRIX:4.5::ULTRIX 4.5
# ------------------- QNX -------------------
S16:64:0:44:M512: QNX:::QNX demodisk
# ------------------ Novell -----------------
16384:128:1:44:M1460: Novell:NetWare:5.0:Novel Netware 5.0
6144:128:1:44:M1460: Novell:IntranetWare:4.11:Novell IntranetWare 4.11
6144:128:1:44:M1368: Novell:BorderManager::Novell BorderManager ?
6144:128:1:52:M*,W0,N,S,N,N: Novell:Netware:6:Novell Netware 6 SP3
# ----------------- SCO ------------------
S3:64:1:60:M1460,N,W0,N,N,T: SCO:UnixWare:7.1:SCO UnixWare 7.1
S17:64:1:60:M1380,N,W0,N,N,T: SCO:UnixWare:7.1:SCO UnixWare 7.1.3 MP3
S23:64:1:44:M1380: SCO:OpenServer:5.0:SCO OpenServer 5.0
# ------------------- DOS -------------------
2048:255:0:44:M536: DOS:WATTCP:1.05:DOS Arachne via WATTCP/1.05
T2:255:0:44:M984: DOS:WATTCP:1.05Arachne:Arachne via WATTCP/1.05 (eepro)
# ------------------ OS/2 -------------------
S56:64:0:44:M512: OS/2:4::OS/2 4
28672:64:0:44:M1460: OS/2:4::OS/2 Warp 4.0
# ----------------- TOPS-20 -----------------
# Another hardcore MSS, one of the ACK leakers hunted down.
# XXX QUIRK 0:64:0:44:M1460:A:TOPS-20:version 7
0:64:0:44:M1460: TOPS-20:7::TOPS-20 version 7
# ----------------- FreeMiNT ----------------
S44:255:0:44:M536: FreeMiNT:1:16A:FreeMiNT 1 patch 16A (Atari)
# ------------------ AMIGA ------------------
# XXX TCP option 12
# S32:64:1:56:M*,N,N,S,N,N,?12:.:AMIGA:3.9 BB2 with Miami stack
# ------------------ Plan9 ------------------
65535:255:0:48:M1460,W0,N: Plan9:4::Plan9 edition 4
# ----------------- AMIGAOS -----------------
16384:64:1:48:M1560,N,N,S: AMIGAOS:3.9::AMIGAOS 3.9 BB2 MiamiDX
###########################################
# Appliance / embedded / other signatures #
###########################################
# ---------- Firewalls / routers ------------
S12:64:1:44:M1460: @Checkpoint:::Checkpoint (unknown 1)
S12:64:1:48:N,N,S,M1460: @Checkpoint:::Checkpoint (unknown 2)
4096:32:0:44:M1460: ExtremeWare:4.x::ExtremeWare 4.x
# XXX TCP option 12
# S32:64:0:68:M512,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO w/Checkpoint NG FP3
# S16:64:0:68:M1024,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO 3.7 build 026
S4:64:1:60:W0,N,S,T,M1460: FortiNet:FortiGate:50:FortiNet FortiGate 50
8192:64:1:44:M1460: Eagle:::Eagle Secure Gateway
S52:128:1:48:M1260,N,N,N,N: LinkSys:WRV54G::LinkSys WRV54G VPN router
# ------- Switches and other stuff ----------
4128:255:0:44:M*: Cisco:::Cisco Catalyst 3500, 7500 etc
S8:255:0:44:M*: Cisco:12008::Cisco 12008
60352:128:1:64:M1460,N,W2,N,N,T,N,N,S: Alteon:ACEswitch::Alteon ACEswitch
64512:128:1:44:M1370: Nortel:Contivity Client::Nortel Conectivity Client
# ---------- Caches and whatnots ------------
S4:64:1:52:M1460,N,N,S,N,W0: AOL:web cache::AOL web cache
32850:64:1:64:N,W1,N,N,T,N,N,S,M*: NetApp:5.x::NetApp Data OnTap 5.x
16384:64:1:64:M1460,N,N,S,N,W0,N: NetApp:5.3:1:NetApp 5.3.1
65535:64:0:64:M1460,N,N,S,N,W*,N,N,T: NetApp:5.3-5.5::NetApp 5.3-5.5
65535:64:0:60:M1460,N,W0,N,N,T: NetApp:CacheFlow::NetApp CacheFlow
8192:64:1:64:M1460,N,N,S,N,W0,N,N,T: NetApp:5.2:1:NetApp NetCache 5.2.1
20480:64:1:64:M1460,N,N,S,N,W0,N,N,T: NetApp:4.1::NetApp NetCache4.1
65535:64:0:60:M1460,N,W0,N,N,T: CacheFlow:4.1::CacheFlow CacheOS 4.1
8192:64:0:60:M1380,N,N,N,N,N,N,T: CacheFlow:1.1::CacheFlow CacheOS 1.1
S4:64:0:48:M1460,N,N,S: Cisco:Content Engine::Cisco Content Engine
27085:128:0:40:.: Dell:PowerApp cache::Dell PowerApp (Linux-based)
65535:255:1:48:N,W1,M1460: Inktomi:crawler::Inktomi crawler
S1:255:1:60:M1460,S,T,N,W0: LookSmart:ZyBorg::LookSmart ZyBorg
16384:255:0:40:.: Proxyblocker:::Proxyblocker (what's this?)
65535:255:0:48:M*,N,N,S: Redline:::Redline T|X 2200
32696:128:0:40:M1460: Spirent:Avalanche::Spirent Web Avalanche HTTP benchmarking engine
# ----------- Embedded systems --------------
S9:255:0:44:M536: PalmOS:Tungsten:C:PalmOS Tungsten C
S5:255:0:44:M536: PalmOS:3::PalmOS 3/4
S5:255:0:44:M536: PalmOS:4::PalmOS 3/4
S4:255:0:44:M536: PalmOS:3:5:PalmOS 3.5
2948:255:0:44:M536: PalmOS:3:5:PalmOS 3.5.3 (Handera)
S29:255:0:44:M536: PalmOS:5::PalmOS 5.0
16384:255:0:44:M1398: PalmOS:5.2:Clie:PalmOS 5.2 (Clie)
S14:255:0:44:M1350: PalmOS:5.2:Treo:PalmOS 5.2.1 (Treo)
S23:64:1:64:N,W1,N,N,T,N,N,S,M1460: SymbianOS:7::SymbianOS 7
8192:255:0:44:M1460: SymbianOS:6048::Symbian OS 6048 (Nokia 7650?)
8192:255:0:44:M536: SymbianOS:9210::Symbian OS (Nokia 9210?)
S22:64:1:56:M1460,T,S: SymbianOS:P800::Symbian OS ? (SE P800?)
S36:64:1:56:M1360,T,S: SymbianOS:6600::Symbian OS 60xx (Nokia 6600?)
# Perhaps S4?
5840:64:1:60:M1452,S,T,N,W1: Zaurus:3.10::Zaurus 3.10
32768:128:1:64:M1460,N,W0,N,N,T0,N,N,S: PocketPC:2002::PocketPC 2002
S1:255:0:44:M346: Contiki:1.1:rc0:Contiki 1.1-rc0
4096:128:0:44:M1460: Sega:Dreamcast:3.0:Sega Dreamcast Dreamkey 3.0
T5:64:0:44:M536: Sega:Dreamcast:HKT-3020:Sega Dreamcast HKT-3020 (browser disc 51027)
S22:64:1:44:M1460: Sony:PS2::Sony Playstation 2 (SOCOM?)
S12:64:0:44:M1452: AXIS:5600:v5.64:AXIS Printer Server 5600 v5.64
3100:32:1:44:M1460: Windows:CE:2.0:Windows CE 2.0
####################
# Fancy signatures #
####################
1024:64:0:40:.: *NMAP:syn scan:1:NMAP syn scan (1)
2048:64:0:40:.: *NMAP:syn scan:2:NMAP syn scan (2)
3072:64:0:40:.: *NMAP:syn scan:3:NMAP syn scan (3)
4096:64:0:40:.: *NMAP:syn scan:4:NMAP syn scan (4)
# Requires quirks support
# 1024:64:0:40:.:A:*NMAP:TCP sweep probe (1)
# 2048:64:0:40:.:A:*NMAP:TCP sweep probe (2)
# 3072:64:0:40:.:A:*NMAP:TCP sweep probe (3)
# 4096:64:0:40:.:A:*NMAP:TCP sweep probe (4)
1024:64:0:60:W10,N,M265,T: *NMAP:OS:1:NMAP OS detection probe (1)
2048:64:0:60:W10,N,M265,T: *NMAP:OS:2:NMAP OS detection probe (2)
3072:64:0:60:W10,N,M265,T: *NMAP:OS:3:NMAP OS detection probe (3)
4096:64:0:60:W10,N,M265,T: *NMAP:OS:4:NMAP OS detection probe (4)
32767:64:0:40:.: *NAST:::NASTsyn scan
# Requires quirks support
# 12345:255:0:40:.:A:-p0f:sendsyn utility
#####################################
# Generic signatures - just in case #
#####################################
#*:64:1:60:M*,N,W*,N,N,T: @FreeBSD:4.0-4.9::FreeBSD 4.x/5.x
#*:64:1:60:M*,N,W*,N,N,T: @FreeBSD:5.0-5.1::FreeBSD 4.x/5.x
*:128:1:52:M*,N,W0,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
*:128:1:52:M*,N,W0,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
*:128:1:52:M*,N,W*,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
*:128:1:52:M*,N,W*,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
*:128:1:64:M*,N,W0,N,N,T0,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323)
*:128:1:64:M*,N,W0,N,N,T0,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323)
*:128:1:64:M*,N,W*,N,N,T0,N,N,S: @Windows:XP:RFC1323:Windows XP (RFC1323, w+)
*:128:1:48:M536,N,N,S: @Windows:98::Windows 98
*:128:1:48:M*,N,N,S: @Windows:XP::Windows XP/2000
*:128:1:48:M*,N,N,S: @Windows:2000::Windows XP/2000

BIN
conf/system/include/14.3/pfctl Normal file
View File

Binary file not shown.

BIN
conf/system/include/14.3/pfilctl Normal file
View File

Binary file not shown.

BIN
conf/system/include/14.3/pflogd Normal file
View File

Binary file not shown.

BIN
conf/system/include/14.3/setfib Normal file
View File

Binary file not shown.

BIN
conf/system/include/14.3/sum Normal file
View File

Binary file not shown.

BIN
conf/system/include/14.3/zstd Normal file
View File

Binary file not shown.

273
gui/bastille_manager-lib.inc Executable file → Normal file
View File

@@ -2,7 +2,7 @@
/*
bastille_manager-lib.inc
Copyright (c) 2019-2020 José Rivera (joserprg@gmail.com).
Copyright (c) 2019-2026 José Rivera (joserprg@gmail.com).
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -30,16 +30,18 @@
SUCH DAMAGE.
*/
require_once 'super_fun.inc';
require_once 'globals.inc';
require_once 'array.inc';
require_once 'system.inc';
// Initialize some variables.
// TODO: Some infos can be gathered with-
// internal PHP functions rather than external shell commands.
// ===== OPTIMIZATION: Cache Configuration =====
define('JAIL_INFO_CACHE_TIME', 5); // seconds
define('JAIL_INFO_CACHE_FILE', '/tmp/bastille_jail_info_cache.json');
// =============================================
//$rootfolder = dirname($config['rc']['postinit']['cmd'][$i]);
// Initialize some variables.
$prdname = "bastille";
$application = "Bastille Manager";
$restore_name = "restore";
@@ -67,42 +69,42 @@ $tarballversion = "/usr/local/bin/bastille";
$bastille_version_min = exec("grep 'BASTILLE_VERSION=' $tarballversion | cut -d '\"' -f2 | tr -d '.'");
$host_version = exec("/bin/cat /etc/prd.version | tr -d '.'");
$linux_compat_support = exec("/usr/bin/grep 'LINUX_COMPAT_SUPPORT=' $configfile | /usr/bin/cut -d'\"' -f2");
$jail_settings = "settings.conf";
// Ensure the root directory is configured.
if ($rootfolder == "")
if ($rootfolder == ""):
$input_errors[] = gtext("Extension installed with fault");
else {
else:
// Initialize locales.
$textdomain = "/usr/local/share/locale";
$textdomain_bastille = "/usr/local/share/locale-bastille";
if (!is_link($textdomain_bastille)) { mwexec("ln -s {$rootfolder}/locale-bastille {$textdomain_bastille}", true); }
if (!is_link($textdomain_bastille)):
mwexec("ln -s {$rootfolder}/locale-bastille {$textdomain_bastille}", true);
endif;
bindtextdomain("xigmanas", $textdomain_bastille);
}
endif;
if (is_file("{$rootfolder}/postinit")) unlink("{$rootfolder}/postinit");
// Check releases dir.
function is_dir_empty($reldir) {
if (!is_readable($reldir)) return NULL;
if (!is_readable($reldir)) return NULL;
return (count(scandir($reldir)) == 2);
}
// Get bastille version
function get_version_bastille() {
global $tarballversion, $prdname;
if (is_file("{$tarballversion}")) {
//exec("/bin/cat {$tarballversion}", $result);
exec("/usr/bin/grep 'BASTILLE_VERSION=' {$tarballversion} | cut -d'\"' -f2", $result);
if (is_file("{$tarballversion}")):
exec("/usr/bin/grep 'BASTILLE_VERSION=' {$tarballversion} | cut -d'=' -f2", $result);
return ($result[0] ?? '');
}
else {
else:
exec("/usr/local/bin/{$prdname} version | awk 'NR==1'", $result);
return ($result[0] ?? '');
}
endif;
}
// Initial install banner
function initial_install_banner() {
// Never display this if bastille is already bootstraped/activated.
global $rootfolder;
global $zfs_activated;
$is_activated = "";
@@ -122,7 +124,7 @@ function initial_install_banner() {
return $is_bootstrapped = "YES";
break;
endif;
endforeach;
endforeach;
endif;
}
@@ -144,7 +146,7 @@ function get_state_zfs() {
function get_all_release_list() {
global $rootfolder;
global $g;
exec("/bin/echo; /bin/ls {$rootfolder}/releases 2>/dev/null | /usr/bin/tr -s ' ' '\n'",$relinfo);
exec("/bin/echo; /bin/ls {$rootfolder}/releases | grep RELEASE 2>/dev/null | /usr/bin/tr -s ' ' '\n'",$relinfo);
array_shift($relinfo);
$rellist = [];
foreach($relinfo as $rel):
@@ -189,102 +191,179 @@ foreach($a_interface as $k_interface => $ifinfo):
$l_interfaces[$k_interface] = $k_interface;
endforeach;
// Get jail infos.
// ===== CACHE FUNCTIONS =====
function is_cache_valid() {
if (!file_exists(JAIL_INFO_CACHE_FILE)) {
return false;
}
$cache_age = time() - filemtime(JAIL_INFO_CACHE_FILE);
return $cache_age < JAIL_INFO_CACHE_TIME;
}
function get_cached_jail_info() {
if (!is_cache_valid()) {
return null;
}
$cache_data = @file_get_contents(JAIL_INFO_CACHE_FILE);
if ($cache_data === false) {
return null;
}
return json_decode($cache_data, true);
}
function save_jail_info_cache($data) {
@file_put_contents(JAIL_INFO_CACHE_FILE, json_encode($data));
}
function invalidate_jail_cache() {
@unlink(JAIL_INFO_CACHE_FILE);
}
// ===== OPTIMIZED: Get jail infos =====
// Get jail infos - OPTIMIZED VERSION
function get_jail_infos() {
global $img_path;
global $image_dir;
global $configfile;
global $jail_dir;
// Try cache first
$cached = get_cached_jail_info();
if ($cached !== null) {
return $cached;
}
$result = [];
if(is_dir($jail_dir)):
$cmd = '/usr/local/bin/bastille list jail 2>&1';
else:
$cmd = ":";
endif;
mwexec2($cmd,$rawdata);
foreach($rawdata as $line):
$a = preg_split('/\t/',$line);
if (!is_dir($jail_dir)) {
return $result;
}
// OPTIMIZATION: Get bastille list ONCE and parse all jails
// Format: JID Name Boot Prio State Type IP_Address Published_Ports Release Tags
$cmd = '/usr/local/bin/bastille list 2>&1';
mwexec2($cmd, $rawdata);
// Build a lookup table from bastille list output
$jail_data_map = [];
$header_skipped = false;
foreach ($rawdata as $line) {
// Skip header line
if (!$header_skipped) {
$header_skipped = true;
continue;
}
// Parse fields: JID Name Boot Prio State Type IP Ports Release Tags
$fields = preg_split('/\s+/', trim($line), 10);
if (count($fields) >= 6) {
$name = $fields[1];
$jail_data_map[$name] = [
'jid' => $fields[0],
'boot' => $fields[2],
'prio' => $fields[3],
'state' => $fields[4],
'type' => $fields[5],
'ip' => $fields[6] ?? '-',
'ports' => $fields[7] ?? '-',
'release' => $fields[8] ?? '-',
'tags' => $fields[9] ?? '-'
];
}
}
// Now process each jail from bastille list jail (for jail names)
$cmd = '/usr/local/bin/bastille list jail 2>&1';
mwexec2($cmd, $jail_names);
foreach ($jail_names as $line) {
$a = preg_split('/\t/', $line);
$r = [];
$name = $a[0];
if(preg_match('/(.*)/', $name, $m)):
$r['name'] = $m[1];
else:
$r['name'] = '-';
endif;
$r['jailname'] = $r['name'];
// Set the JID on the running jails.
$item = $r['jailname'];
$r['id'] = exec("/usr/sbin/jls | /usr/bin/awk '/{$item}\ /{print $1}'");
if (!$r['id']):
$r['id'] = "-";
endif;
// Set the IPv4 on the running jails.
//$r['ip'] = exec("/usr/sbin/jls | /usr/bin/grep {$item} | /usr/bin/awk '{print $2}'");
$r['ip'] = exec("/usr/bin/grep -w 'ip4.addr' {$jail_dir}/{$item}/jail.conf | /usr/bin/awk '{print $3}' | /usr/bin/tr -d ';'");
if (!$r['ip']):
$r['ip'] = exec("/usr/bin/grep -w 'ip6.addr' {$jail_dir}/{$item}/jail.conf | /usr/bin/awk '{print $3}' | /usr/bin/tr -d ';'");
endif;
// Try to get ip from vnet config.
if(!$r['ip']):
$r['ip'] = exec("/usr/local/bin/bastille cmd {$item} cat /etc/rc.conf | /usr/bin/grep 'ifconfig_vnet0=' | cut -d'\"' -f2 | sed 's/inet //'");
endif;
if (!$r['ip']):
$r['ip'] = "-";
endif;
// Display release.
$r['rel'] = exec("/usr/sbin/jexec {$item} freebsd-version 2>/dev/null");
if (!$r['rel']):
$r['rel'] = exec("/usr/sbin/jexec {$item} uname -o 2>/dev/null");
elseif (!$r['rel']):
$r['rel'] = "-";
endif;
// Display interfaces.
$r['nic'] = exec("/usr/bin/grep -wE 'interface.*=.*;|vnet.interface.*=.*;' {$jail_dir}/{$item}/jail.conf | /usr/bin/awk '{print $3}' | /usr/bin/tr -d ';'");
if (!$r['nic']):
$r['nic'] = "-";
endif;
// Display path.
$r['path'] = exec("/usr/bin/grep -w 'path' {$jail_dir}/{$item}/jail.conf | /usr/bin/awk '{print $3}' | /usr/bin/tr -d ';'");
if (!$r['path']):
$r['path'] = "-";
endif;
// Display auto-start settings.
$jail_autostart = exec("/usr/bin/grep -w {$item}_AUTO_START $configfile | cut -d'=' -f2 | tr -d '\"'");
if ($jail_autostart == 'YES') {
$r['boot'] = $img_path['ena'];
} elseif ($jail_autostart == 'NO') {
$r['boot'] = $img_path['dis'];
if (preg_match('/(.*)/', $name, $m)) {
$r['name'] = $m[1];
} else {
$r['boot'] = $img_path['dis'];
$r['name'] = '-';
}
// Display running status icons.
$jail_running = exec("/usr/sbin/jls name | /usr/bin/awk '/^{$item}\$/'");
if ($jail_running):
$r['jailname'] = $r['name'];
$item = $r['jailname'];
// Get data from our lookup table instead of executing bastille list again
if (isset($jail_data_map[$item])) {
$jail_data = $jail_data_map[$item];
$r['id'] = $jail_data['jid'];
$r['boot'] = $jail_data['boot'];
$r['prio'] = $jail_data['prio'];
$r['state'] = $jail_data['state'];
$r['type'] = $jail_data['type'];
$r['ip'] = $jail_data['ip'];
$r['ports'] = $jail_data['ports'];
$r['rel'] = $jail_data['release'];
$r['tags'] = $jail_data['tags'];
} else {
// Fallback if jail not in bastille list output
$r['id'] = '-';
$r['boot'] = '-';
$r['prio'] = '-';
$r['state'] = '-';
$r['type'] = '-';
$r['ip'] = '-';
$r['ports'] = '-';
$r['rel'] = '-';
$r['tags'] = '-';
}
// Get description
// $r['description'] = exec("/usr/local/bin/bastille config {$item} get description");
// if (!$r['description']) $r['description'] = "-";
// Set defaults for empty values
if (!$r['id']) $r['id'] = "-";
if (!$r['boot']) $r['boot'] = "-";
if (!$r['prio']) $r['prio'] = "-";
if (!$r['state']) $r['state'] = "-";
if (!$r['type']) $r['type'] = "-";
if (!$r['ip']) $r['ip'] = "-";
if (!$r['ports']) $r['ports'] = "-";
if (!$r['rel']) $r['rel'] = "-";
if (!$r['tags']) $r['tags'] = "-";
// Display running status icons
if ($r['state'] == "Up") {
$r['stat'] = $img_path['ena'];
else:
} else {
$r['stat'] = $img_path['dis'];
endif;
// Display custom template icons if available.
}
// Display custom template icons if available
$template_icon = "{$jail_dir}/{$item}/plugin_icon.png";
if(file_exists($template_icon)):
if(!file_exists("{$image_dir}/{$item}_icon.png")):
copy("$template_icon", "{$image_dir}/{$item}_icon.png");
endif;
if (file_exists($template_icon)) {
if (!file_exists("{$image_dir}/{$item}_icon.png")) {
@copy("$template_icon", "{$image_dir}/{$item}_icon.png");
}
$r['logo'] = "{$image_dir}/{$item}_icon.png";
else:
$template_icon = exec("/usr/bin/grep linsysfs {$jail_dir}/{$item}/fstab");
if($template_icon):
// Display standard Linux icon.
} else {
$template_icon = exec("/usr/bin/grep linsysfs {$jail_dir}/{$item}/fstab 2>/dev/null");
if ($template_icon) {
// Display standard Linux icon
$r['logo'] = "{$image_dir}/linux_icon.png";
else:
// Display standard FreeBSD icon.
} else {
// Display standard FreeBSD icon
$r['logo'] = "{$image_dir}/bsd_icon.png";
endif;
endif;
}
}
$result[] = $r;
endforeach;
}
// Save to cache
save_jail_info_cache($result);
return $result;
}
?>
?>

51
gui/bastille_manager_add.php
View File

@@ -2,7 +2,7 @@
/*
bastille_manager_add.php
Copyright (c) 2019 José Rivera (joserprg@gmail.com).
Copyright (c) 2019-2026 José Rivera (joserprg@gmail.com).
All rights reserved.
Portions of XigmaNAS® (https://www.xigmanas.com).
@@ -59,6 +59,12 @@ if(!get_all_release_list()):
$prerequisites_ok = false;
endif;
$zfs_status = get_state_zfs();
if($zfs_status == "Invalid ZFS configuration"):
// Warning if invalid ZFS configuration.
$input_errors[] = gtext("WARNING: Invalid ZFS configuration detected.");
endif;
if($_POST):
global $jail_dir;
global $configfile;
@@ -69,6 +75,12 @@ if($_POST):
exit;
endif;
if(isset($_POST['Create']) && $_POST['Create']):
$zfs_status = get_state_zfs();
if($zfs_status == "Invalid ZFS configuration"):
// Abort jail creation if invalid ZFS configuration.
$input_errors[] = gtext("Cannot create jail with an invalid ZFS configuration.");
else:
$jname = $pconfig['jailname'];
$ipaddr = $pconfig['ipaddress'];
$release = $pconfig['release'];
@@ -113,10 +125,10 @@ if($_POST):
// Just create an empty container with minimal jail.conf.
$cmd = ("/usr/local/bin/bastille create -E {$jname}");
else:
if (isset($_POST['nowstart'])):
$cmd = ("/usr/local/bin/bastille create {$options} {$jname} {$release} {$ipaddr} {$interface} && /usr/local/bin/bastille start {$jname}");
else:
if (isset($_POST['autostart'])):
$cmd = ("/usr/local/bin/bastille create {$options} {$jname} {$release} {$ipaddr} {$interface}");
else:
$cmd = ("/usr/local/bin/bastille create --no-boot {$options} {$jname} {$release} {$ipaddr} {$interface}");
endif;
endif;
@@ -124,16 +136,15 @@ if($_POST):
if(get_all_release_list()):
unset($output,$retval);mwexec2($cmd,$output,$retval);
if($retval == 0):
if (isset($_POST['autostart'])):
exec("/usr/sbin/sysrc -f {$configfile} {$jname}_AUTO_START=\"YES\"");
endif;
//if (isset($_POST['autostart'])):
// exec("/usr/sbin/sysrc -f {$configfile} {$jname}_AUTO_START=\"YES\"");
//endif;
if(is_link($resolv_conf)):
if(unlink($resolv_conf)):
//exec("/usr/local/bin/bastille cp $jname $resolv_host etc");
copy($resolv_host, $resolv_conf);
endif;
endif;
//$savemsg .= gtext("Boot Environment created and activated successfully.");
header('Location: bastille_manager_gui.php');
exit;
else:
@@ -143,6 +154,8 @@ if($_POST):
$errormsg .= gtext(" <<< Failed to create container.");
endif;
endif;
endif;
endif;
endif;
@@ -163,7 +176,7 @@ function emptyjail_change() {
showElementById('thickjail_tr', 'show');
showElementById('vnetjail_tr', 'show');
showElementById('bridgejail_tr', 'show');
showElementById('nowstart_tr', 'show');
//showElementById('nowstart_tr', 'show');
showElementById('autostart_tr', 'show');
showElementById('linuxjail_tr', 'show');
break;
@@ -174,7 +187,7 @@ function emptyjail_change() {
showElementById('thickjail_tr', 'hide');
showElementById('vnetjail_tr', 'hide');
showElementById('bridgejail_tr', 'hide');
showElementById('nowstart_tr', 'hide');
//showElementById('nowstart_tr', 'hide');
showElementById('autostart_tr', 'hide');
showElementById('linuxjail_tr', 'hide');
break;
@@ -190,7 +203,7 @@ function linuxjail_change() {
showElementById('thickjail_tr', 'show');
showElementById('vnetjail_tr', 'show');
showElementById('bridgejail_tr', 'show');
showElementById('nowstart_tr', 'show');
//showElementById('nowstart_tr', 'show');
showElementById('autostart_tr', 'show');
showElementById('linuxjail_tr', 'show');
showElementById('emptyjail_tr', 'show');
@@ -202,7 +215,7 @@ function linuxjail_change() {
showElementById('thickjail_tr', 'hide');
showElementById('vnetjail_tr', 'hide');
showElementById('bridgejail_tr', 'hide');
showElementById('nowstart_tr', 'show');
//showElementById('nowstart_tr', 'show');
showElementById('autostart_tr', 'show');
showElementById('emptyjail_tr', 'hide');
break;
@@ -218,7 +231,7 @@ function vnetjail_change() {
showElementById('thickjail_tr', 'show');
showElementById('vnetjail_tr', 'show');
showElementById('bridgejail_tr', 'show');
showElementById('nowstart_tr', 'show');
//showElementById('nowstart_tr', 'show');
showElementById('autostart_tr', 'show');
showElementById('linuxjail_tr', 'show');
break;
@@ -229,7 +242,7 @@ function vnetjail_change() {
showElementById('thickjail_tr', 'show');
showElementById('vnetjail_tr', 'show');
showElementById('bridgejail_tr', 'hide');
showElementById('nowstart_tr', 'show');
//showElementById('nowstart_tr', 'show');
showElementById('autostart_tr', 'show');
showElementById('linuxjail_tr', 'show');
break;
@@ -245,7 +258,7 @@ function bridgejail_change() {
showElementById('thickjail_tr', 'show');
showElementById('vnetjail_tr', 'show');
showElementById('bridgejail_tr', 'show');
showElementById('nowstart_tr', 'show');
//showElementById('nowstart_tr', 'show');
showElementById('autostart_tr', 'show');
showElementById('linuxjail_tr', 'show');
break;
@@ -256,7 +269,7 @@ function bridgejail_change() {
showElementById('thickjail_tr', 'show');
showElementById('vnetjail_tr', 'hide');
showElementById('bridgejail_tr', 'show');
showElementById('nowstart_tr', 'show');
//showElementById('nowstart_tr', 'show');
showElementById('autostart_tr', 'show');
showElementById('linuxjail_tr', 'show');
break;
@@ -310,17 +323,17 @@ $document->render();
html_combobox2('interface',gettext('Network interface'),!empty($pconfig['interface']),$a_action,'',true,false);
html_combobox2('release',gettext('Base release'),!empty($pconfig['release']),$b_action,'',true,false);
if($bastille_version_min > "0700000000"):
html_checkbox2('thickjail',gettext('Create a thick container'),!empty($pconfig['thickjail']) ? true : false,gettext('These containers consume more space, but are self contained.'),'',false);
html_checkbox2('thickjail',gettext('Create a thick container'),!empty($pconfig['thickjail']) ? true : false,gettext('These containers consume more space, but are self contained and fully independent.'),'',false);
if($host_version > "12100"):
html_checkbox2('vnetjail',gettext('Enable VNET(VIMAGE)'),!empty($pconfig['vnetjail']) ? true : false,gettext('VNET-enabled containers are attached to a virtual bridge interface for connectivity(Only supported on 13.x and above).'),'',false,false,'vnetjail_change()');
html_checkbox2('bridgejail',gettext('Enable Bridge VNET(VIMAGE)'),!empty($pconfig['bridgejail']) ? true : false,gettext('Bridge VNET-enabled containers are attached to a specified, already existing external bridge(Only supported on 13.x and above).'),'',false,false,'bridgejail_change()');
endif;
html_checkbox2('emptyjail',gettext('Create an empty container'),!empty($pconfig['emptyjail']) ? true : false,gettext('This are ideal for custom builds, experimenting with unsupported RELEASES or Linux jails.'),'',false,false,'emptyjail_change()');
if($linux_compat_support == "YES"):
html_checkbox2('linuxjail',gettext('Create a Linux container'),!empty($pconfig['linuxjail']) ? true : false,gettext('This will create a Linux container, this is highly experimental and for testing purposes.'),'',false,false,'linuxjail_change()');
//html_checkbox2('linuxjail',gettext('Create a Linux container'),!empty($pconfig['linuxjail']) ? true : false,gettext('This will create a Linux container, this is highly experimental and for testing purposes.'),'',false,false,'linuxjail_change()');
endif;
endif;
html_checkbox2('nowstart',gettext('Start after creation'),!empty($pconfig['nowstart']) ? true : false,gettext('Start the container after creation(May be overridden by later bastille releases).'),'',false);
//html_checkbox2('nowstart',gettext('Start after creation'),!empty($pconfig['nowstart']) ? true : false,gettext('Start the container after creation(May be overridden by later bastille releases).'),'',false);
html_checkbox2('autostart',gettext('Auto start on boot'),!empty($pconfig['autostart']) ? true : false,gettext('Automatically start the container at boot time.'),'',false);
?>
</tbody>

14
gui/bastille_manager_config.php
View File

@@ -2,7 +2,7 @@
/*
bastille_manager_config.php
Copyright (c) 2019 José Rivera (joserprg@gmail.com).
Copyright (c) 2019-2026 José Rivera (joserprg@gmail.com).
All rights reserved.
Copyright (c) 2018 Andreas Schmidhuber
@@ -64,6 +64,12 @@ if(!initial_install_banner()):
$prerequisites_ok = false;
endif;
$zfs_status = get_state_zfs();
if($zfs_status == "Invalid ZFS configuration"):
// Warning if invalid ZFS configuration.
$input_errors[] = gtext("WARNING: Invalid ZFS configuration detected.");
endif;
function htmlInput($name, $title, $value="", $size=80) {
$result = "<input name='{$name}' size='{$size}' title='{$title}' placeholder='{$title}' value='{$value}' />";
return $result;
@@ -135,7 +141,7 @@ if ($_POST) {
if (isset($_POST['saveParam']) && $_POST['saveParam']) { // saveParam s/n/v
$buttonTag = explode("#", $_POST['saveParam']); // buttonTag[0] = section, buttonTag[1] = paramName
$hashTag = str_replace(["[", "]", ".", "#"], "", $buttonTag[0]); // create destination to jump to after post
$hashTag = str_replace(["[", "]", ".", "#"], "", $buttonTag[0]); // create destination to jump to after post
$nameTag = str_replace(["[", "]", ".", "#"], "", $_POST['saveParam']); // nameTag = <input title='$nameTag + addParam' ... />
$configArray[$buttonTag[0]][$buttonTag[1]] = $_POST[$nameTag]; // save param to section
#$savemsg .= "saveParam s/n/v: ".$_POST['saveParam']." ".$nameTag." ".$_POST[$nameTag];
@@ -165,10 +171,10 @@ bindtextdomain("xigmanas", $textdomain_bastille);
echo "<tr><td colspan='2' style='padding-left:0px; padding-right:0px;'>";
if (!empty($input_errors)) print_input_errors($input_errors);
if (!empty($savemsg)) print_info_box($savemsg);
echo "</td></tr>";
echo "</td></tr>";
// loop through configuration
$firstSection = true; // prevent first html_separator in loop
if (is_array($configArray) && !empty($configArray))
if (is_array($configArray) && !empty($configArray))
foreach($configArray as $key => $line) { // traverse array, key = section
$nameTag = str_replace(["[", "]", "."], "", $key); // create tag for post jump address and config changes
if (is_array($line)) {

6
gui/bastille_manager_editor.php
View File

@@ -2,7 +2,7 @@
/*
bastille_manager_editor.php
Copyright (c) 2019 José Rivera (joserprg@gmail.com).
Copyright (c) 2019-2026 José Rivera (joserprg@gmail.com).
All rights reserved.
Portions of XigmaNAS® (https://www.xigmanas.com).
@@ -60,7 +60,7 @@ if(isset($_POST['submit'])) {
} else {
$savemsg = sprintf('%s %s', gtext('File not found'), $savetopath);
$content = '';
$savetopath = '';
$savetopath = '';
}
}
break;
@@ -128,7 +128,7 @@ $(window).on("load", function() {
<button name="submit" type="submit" class="formbtn" id="Edit" value="edit"><?=gtext('Edit');?></button>
<button name="submit" type="submit" class="formbtn" id="Save" value="save"><?=gtext('Save');?></button>
<button name="submit" type="submit" class="formbtn" id="Return" value="bastille"><?=gtext('Return to Bastille');?></button>
<hr noshade="noshade" />
<hr noshade="noshade" />
</td>
</tr>
<?php

688
gui/bastille_manager_gui.php
View File

@@ -2,7 +2,7 @@
/*
bastille_manager_gui.php
Copyright (c) 2019-2020 José Rivera (joserprg@gmail.com).
Copyright (c) 2019-2026 José Rivera (joserprg@gmail.com).
All rights reserved.
Portions of XigmaNAS® (https://www.xigmanas.com).
@@ -39,6 +39,106 @@ require_once 'auth.inc';
require_once 'guiconfig.inc';
require_once 'bastille_manager-lib.inc';
$img_path = [
'add' => 'images/add.png',
'mod' => 'images/edit.png',
'del' => 'images/delete.png',
'loc' => 'images/locked.png',
'unl' => 'images/unlocked.png',
'mai' => 'images/maintain.png',
'inf' => 'images/info.png',
'ena' => 'images/status_enabled.png',
'dis' => 'images/status_disabled.png',
'mup' => 'images/up.png',
'mdn' => 'images/down.png'
];
// --- START AUTO-REFRESH LOGIC ---
if (isset($_GET['action']) && $_GET['action'] === 'refresh_table') {
error_reporting(0);
ini_set('display_errors', 0);
ob_start();
// Fetch fresh data
$jls_list = [];
if (function_exists('get_jail_infos')) {
$jls_list = get_jail_infos();
}
// Return JSON
ob_clean();
header('Content-Type: application/json');
header('Cache-Control: no-cache');
echo json_encode(['success' => true, 'jails' => $jls_list ?: []]);
exit;
}
// --- END AUTO-REFRESH LOGIC ---
function mwexec_parallel($commands) {
$processes = [];
$results = [];
foreach ($commands as $key => $command) {
$descriptors = [
0 => ['pipe', 'r'], // stdin
1 => ['pipe', 'w'], // stdout
2 => ['pipe', 'w'] // stderr
];
$process = proc_open($command, $descriptors, $pipes);
if (is_resource($process)) {
stream_set_blocking($pipes[1], false);
stream_set_blocking($pipes[2], false);
$processes[$key] = [
'process' => $process,
'pipes' => $pipes,
'command' => $command
];
}
}
$timeout = 30;
$start_time = time();
foreach ($processes as $key => $proc) {
$elapsed = time() - $start_time;
if ($elapsed < $timeout) {
$stdout = stream_get_contents($proc['pipes'][1]);
$stderr = stream_get_contents($proc['pipes'][2]);
fclose($proc['pipes'][0]);
fclose($proc['pipes'][1]);
fclose($proc['pipes'][2]);
$return_code = proc_close($proc['process']);
$results[$key] = [
'return_code' => $return_code,
'stdout' => $stdout,
'stderr' => $stderr
];
} else {
proc_terminate($proc['process']);
proc_close($proc['process']);
$results[$key] = [
'return_code' => -1,
'stdout' => '',
'stderr' => 'Command timeout'
];
}
}
return $results;
}
function mwexec_background($command) {
$command = $command . ' > /dev/null 2>&1 &';
exec($command);
}
$sphere_scriptname = basename(__FILE__);
$sphere_scriptname_child = 'bastille_manager_util.php';
$sphere_header = 'Location: '.$sphere_scriptname;
@@ -53,24 +153,13 @@ $gt_record_mod = gtext('Utilities');
$gt_selection_start = gtext('Start Selected');
$gt_selection_stop = gtext('Stop Selected');
$gt_selection_restart = gtext('Restart Selected');
$gt_selection_autoboot = gtext('Auto-boot Selected');
$gt_record_conf = gtext('Jail Configuration');
$gt_record_inf = gtext('Information');
$gt_selection_start_confirm = gtext('Do you really want to start selected jail(s)?');
$gt_selection_stop_confirm = gtext('Do you want to stop the selected jail(s)?');
$gt_selection_restart_confirm = gtext('Do you want to restart the selected jail(s)?');
$img_path = [
'add' => 'images/add.png',
'mod' => 'images/edit.png',
'del' => 'images/delete.png',
'loc' => 'images/locked.png',
'unl' => 'images/unlocked.png',
'mai' => 'images/maintain.png',
'inf' => 'images/info.png',
'ena' => 'images/status_enabled.png',
'dis' => 'images/status_disabled.png',
'mup' => 'images/up.png',
'mdn' => 'images/down.png'
];
$gt_selection_autoboot_confirm = gtext('Do you want to set auto-boot on selected jail(s)?');
$jls_list = get_jail_infos();
$sphere_array = $jls_list;
@@ -90,6 +179,12 @@ if(!initial_install_banner()):
$prerequisites_ok = false;
endif;
$zfs_status = get_state_zfs();
if($zfs_status == "Invalid ZFS configuration"):
// Warning if invalid ZFS configuration.
$input_errors[] = gtext("WARNING: Invalid ZFS configuration detected.");
endif;
if($_POST):
if(isset($_POST['apply']) && $_POST['apply']):
$ret = array('output' => [], 'retval' => 0);
@@ -108,106 +203,511 @@ if($_POST):
if(isset($_POST['start_selected_jail']) && $_POST['start_selected_jail']):
$checkbox_member_array = isset($_POST[$checkbox_member_name]) ? $_POST[$checkbox_member_name] : [];
$commands = [];
foreach($checkbox_member_array as $checkbox_member_record):
if(false !== ($index = array_search_ex($checkbox_member_record, $sphere_array, 'jailname'))):
if(!isset($sphere_array[$index]['protected'])):
$cmd = ("/usr/local/bin/bastille start {$checkbox_member_record}");
$return_val = mwexec($cmd);
if($return_val == 0):
//$savemsg .= gtext("Jail(s) started successfully.");
header($sphere_header);
else:
$errormsg .= gtext("Failed to start jail(s).");
endif;
$commands[] = "/usr/local/bin/bastille start {$checkbox_member_record}";
endif;
endif;
endforeach;
if (!empty($commands)):
$results = mwexec_parallel($commands);
$success_count = 0;
$fail_count = 0;
foreach ($results as $result):
if ($result['return_code'] == 0):
$success_count++;
else:
$fail_count++;
endif;
endforeach;
if (function_exists('invalidate_jail_cache')) {
invalidate_jail_cache();
}
if ($fail_count > 0):
$errormsg = sprintf(gtext("Started %d jail(s), failed %d jail(s)."), $success_count, $fail_count);
else:
$savemsg = sprintf(gtext("%d jail(s) started successfully."), $success_count);
endif;
header($sphere_header);
endif;
endif;
if(isset($_POST['stop_selected_jail']) && $_POST['stop_selected_jail']):
$checkbox_member_array = isset($_POST[$checkbox_member_name]) ? $_POST[$checkbox_member_name] : [];
$commands = [];
foreach($checkbox_member_array as $checkbox_member_record):
if(false !== ($index = array_search_ex($checkbox_member_record, $sphere_array, 'jailname'))):
if(!isset($sphere_array[$index]['protected'])):
$cmd = ("/usr/local/bin/bastille stop {$checkbox_member_record}");
$return_val = mwexec($cmd);
if($return_val == 0):
//$savemsg .= gtext("Jail(s) stopped successfully.");
header($sphere_header);
else:
$errormsg .= gtext("Failed to stop jail(s).");
endif;
$commands[] = "/usr/local/bin/bastille stop {$checkbox_member_record}";
endif;
endif;
endforeach;
if (!empty($commands)):
$results = mwexec_parallel($commands);
$success_count = 0;
$fail_count = 0;
foreach ($results as $result):
if ($result['return_code'] == 0):
$success_count++;
else:
$fail_count++;
endif;
endforeach;
if (function_exists('invalidate_jail_cache')) {
invalidate_jail_cache();
}
if ($fail_count > 0):
$errormsg = sprintf(gtext("Stopped %d jail(s), failed %d jail(s)."), $success_count, $fail_count);
else:
$savemsg = sprintf(gtext("%d jail(s) stopped successfully."), $success_count);
endif;
header($sphere_header);
endif;
endif;
if(isset($_POST['restart_selected_jail']) && $_POST['restart_selected_jail']):
$checkbox_member_array = isset($_POST[$checkbox_member_name]) ? $_POST[$checkbox_member_name] : [];
$commands = [];
foreach($checkbox_member_array as $checkbox_member_record):
if(false !== ($index = array_search_ex($checkbox_member_record, $sphere_array, 'jailname'))):
if(!isset($sphere_array[$index]['protected'])):
$cmd = ("/usr/local/bin/bastille restart {$checkbox_member_record}");
$return_val = mwexec($cmd);
if($return_val == 0):
//$savemsg .= gtext("Jail(s) restarted successfully.");
header($sphere_header);
else:
$errormsg .= gtext("Failed to restart jail(s).");
endif;
$commands[] = "/usr/local/bin/bastille restart {$checkbox_member_record}";
endif;
endif;
endforeach;
if (!empty($commands)):
$results = mwexec_parallel($commands);
$success_count = 0;
$fail_count = 0;
foreach ($results as $result):
if ($result['return_code'] == 0):
$success_count++;
else:
$fail_count++;
endif;
endforeach;
if (function_exists('invalidate_jail_cache')) {
invalidate_jail_cache();
}
if ($fail_count > 0):
$errormsg = sprintf(gtext("Restarted %d jail(s), failed %d jail(s)."), $success_count, $fail_count);
else:
$savemsg = sprintf(gtext("%d jail(s) restarted successfully."), $success_count);
endif;
header($sphere_header);
endif;
endif;
if(isset($_POST['autoboot_selected_jail']) && $_POST['autoboot_selected_jail']):
$checkbox_member_array = isset($_POST[$checkbox_member_name]) ? $_POST[$checkbox_member_name] : [];
$commands = [];
foreach($checkbox_member_array as $checkbox_member_record):
if(false !== ($index = array_search_ex($checkbox_member_record, $sphere_array, 'jailname'))):
if(!isset($sphere_array[$index]['protected'])):
$commands[] = "/usr/local/bin/bastille config {$checkbox_member_record} set boot on";
endif;
endif;
endforeach;
if (!empty($commands)):
$results = mwexec_parallel($commands);
$success_count = 0;
$fail_count = 0;
foreach ($results as $result):
if ($result['return_code'] == 0):
$success_count++;
else:
$fail_count++;
endif;
endforeach;
if (function_exists('invalidate_jail_cache')) {
invalidate_jail_cache();
}
if ($fail_count > 0):
$errormsg = sprintf(gtext("Set autoboot on %d jail(s), failed %d jail(s)."), $success_count, $fail_count);
else:
$savemsg = sprintf(gtext("Autoboot set on %d jail(s) successfully."), $success_count);
endif;
header($sphere_header);
endif;
endif;
endif;
$pgtitle = [gtext("Extensions"), gtext('Bastille')];
$pgtitle = [gtext("Extensions"), gtext('Bastille'), gtext('Manager')];
include 'fbegin.inc';
?>
<style>
#refresh-spinner {
display: inline-block;
position: absolute;
width: 10px;
height: 10px;
border: 2px solid #ccc;
border-top-color: #007bff;
border-radius: 50%;
animation: spin 1s linear infinite;
margin-right: 5px;
right: 115px;
margin-top: 2px;
}
@keyframes spin {
to { transform: rotate(360deg); }
}
.area_data_selection tbody td img {
vertical-align: middle;
}
.lcelc {
text-align: center;
vertical-align: middle;
}
#refresh-now {
appearance: none;
font-family: inherit;
font-size: inherit;
font-weight: bold;
color: var(--txc-input-rw);
background-color: var(--bgc-area-data);
border: 1px solid var(--boc-button);
border-radius: var(--bor);
padding: 0.125rem 0.375rem;
cursor: pointer;
}
#refresh-now:hover {
filter: brightness(150%);
}
/* --- SIMPLE RESIZE STYLES --- */
table.area_data_selection {
table-layout: fixed;
border-collapse: collapse;
}
table.area_data_selection th {
position: relative;
padding: 5px 8px;
white-space: nowrap;
overflow: hidden;
text-overflow: ellipsis;
}
/* The visible handle */
.resizer {
position: absolute;
top: 0;
right: 0;
width: 6px;
height: 100%;
cursor: col-resize;
z-index: 100;
user-select: none;
touch-action: none;
}
.resizer:hover, .resizing {
background-color: #007bff; /* Azul */
opacity: 1;
}
</style>
<script type="text/javascript">
//<![CDATA[
$(window).on("load", function() {
// Init action buttons
$("#start_selected_jail").click(function () {
stopAutoRefresh(); // Pause for safety
return confirm('<?=$gt_selection_start_confirm;?>');
});
$("#stop_selected_jail").click(function () {
stopAutoRefresh();
return confirm('<?=$gt_selection_stop_confirm;?>');
});
$("#restart_selected_jail").click(function () {
stopAutoRefresh();
return confirm('<?=$gt_selection_restart_confirm;?>');
});
$("#autoboot_selected_jail").click(function () {
stopAutoRefresh();
return confirm('<?=$gt_selection_autoboot_confirm;?>');
});
// Disable action buttons.
disableactionbuttons(true);
// Init member checkboxes
$("input[name='<?=$checkbox_member_name;?>[]']").click(function() {
controlactionbuttons(this, '<?=$checkbox_member_name;?>[]');
});
// Init spinner onsubmit()
$("#iform").submit(function() { spinner(); });
$(".spin").click(function() { spinner(); });
// Attempt to load the previously saved interval
var savedInterval = localStorage.getItem('bastille_refresh_interval');
if (savedInterval !== null) {
$("#refresh-interval").val(savedInterval);
autoRefresh.interval = parseInt(savedInterval);
}
// --- REFRESH INIT
if (localStorage.getItem('bastille_show_refresh_button') === 'true') {
$("#refresh-controls").show();
startAutoRefresh();
}
$("#refresh-now").click(function() {
updateJailTable();
});
// save interval value in local storage
$("#refresh-interval").change(function() {
var val = parseInt($(this).val());
localStorage.setItem('bastille_refresh_interval', val);
stopAutoRefresh();
if (val > 0) {
autoRefresh.interval = val;
startAutoRefresh();
}
});
initSimpleResize();
$(document).on('click', "input[name='<?=$checkbox_member_name;?>[]']", function() {
controlactionbuttons(this, '<?=$checkbox_member_name;?>[]');
});
});
function disableactionbuttons(ab_disable) {
$("#start_selected_jail").prop("disabled", ab_disable);
$("#stop_selected_jail").prop("disabled", ab_disable);
$("#restart_selected_jail").prop("disabled", ab_disable);
$("#autoboot_selected_jail").prop("disabled", ab_disable);
}
function controlactionbuttons(ego, triggerbyname) {
var a_trigger = document.getElementsByName(triggerbyname);
var n_trigger = a_trigger.length;
var ab_disable = true;
var i = 0;
for (; i < n_trigger; i++) {
if (a_trigger[i].type == 'checkbox') {
if (a_trigger[i].checked) {
ab_disable = false;
break;
}
}
}
disableactionbuttons(ab_disable);
// Use jQuery selector to count checked checkboxes directly
var $checkedCheckboxes = $("input[name='" + triggerbyname + "']:checked");
var ab_disable = ($checkedCheckboxes.length === 0); // If no checkboxes are checked, disable buttons
disableactionbuttons(ab_disable);
}
// --- AUTO-REFRESH JS ---
var autoRefresh = {
enabled: true,
interval: 30000,
timerId: null,
lastUpdate: Date.now(),
isUpdating: false,
selectedJails: []
};
function updateJailTable() {
if (autoRefresh.isUpdating) return;
autoRefresh.isUpdating = true;
// Activar spinner
$("#refresh-spinner").show();
// Backup of checked checkboxes for persistence
autoRefresh.selectedJails = [];
$("input[name='<?=$checkbox_member_name;?>[]']:checked").each(function() {
autoRefresh.selectedJails.push($(this).val());
});
fetch('bastille_manager_gui.php?action=refresh_table')
.then(response => response.json())
.then(data => {
if (data.success) {
var tbody = $(".area_data_selection tbody");
tbody.empty();
data.jails.forEach(function(jail) {
var row = $('<tr>');
var checkCell = $('<td class="lcelc">');
var cb = $('<input type="checkbox">')
.attr('name', '<?=$checkbox_member_name;?>[]')
.attr('value', jail.jailname)
.attr('id', jail.jailname)
.prop('checked', autoRefresh.selectedJails.includes(jail.jailname));
checkCell.append(cb);
row.append(checkCell);
// 2. Data Columns
row.append($('<td class="lcell">').text(jail.id || '-'));
row.append($('<td class="lcell">').text(jail.name || '-'));
// Description Column
// row.append($('<td class="lcell">').text(jail.description || '-'));
row.append($('<td class="lcell">').text(jail.boot || '-'));
row.append($('<td class="lcell">').text(jail.prio || '-'));
row.append($('<td class="lcell">').text(jail.state || '-'));
row.append($('<td class="lcell">').text(jail.type || '-'));
row.append($('<td class="lcell">').text(jail.ip || '-'));
row.append($('<td class="lcell">').text(jail.ports || '-'));
row.append($('<td class="lcell">').text(jail.rel || '-'));
row.append($('<td class="lcell">').text(jail.tags || '-'));
var statImg = (jail.state === "Up") ? '<?=$img_path['ena'];?>' : '<?=$img_path['dis'];?>';
row.append($('<td class="lcell">').append($('<img>').attr('src', statImg)));
row.append($('<td class="lcell">').append($('<img>').attr('src', jail.logo)));
var tools = $('<td class="lcebld">').html('<table class="area_data_selection_toolbox"><tbody><tr>' +
'<td><a href="<?=$sphere_scriptname_child;?>?jailname=' + encodeURIComponent(jail.jailname) + '"><img src="<?=$img_path['mai'];?>" class="spin oneemhigh"></a></td>' +
'<td><a href="bastille_manager_jconf.php?jailname=' + encodeURIComponent(jail.jailname) + '"><img src="<?=$g_img['mod'];?>"></a></td>' +
'<td><a href="bastille_manager_info.php?uuid=' + encodeURIComponent(jail.jailname) + '"><img src="<?=$g_img['inf'];?>"></a></td>' +
'</tr></tbody></table>');
row.append(tools);
tbody.append(row);
});
autoRefresh.lastUpdate = Date.now();
// Restore button state
controlactionbuttons(null, '<?=$checkbox_member_name;?>[]');
// Reapply saved column widths after updating the table
applySavedColumnWidths();
}
})
.catch(error => {
console.error('Error fetching jail data: ', error);
})
.finally(() => {
autoRefresh.isUpdating = false;
$("#refresh-spinner").hide();
});
}
function startAutoRefresh() {
if (autoRefresh.interval > 0) {
autoRefresh.timerId = setInterval(updateJailTable, autoRefresh.interval);
}
}
function stopAutoRefresh() {
if (autoRefresh.timerId) clearInterval(autoRefresh.timerId);
}
// --- STABLE REDIMENSIONING FUNCTION (without %) ---
function initSimpleResize() {
var $table = $("table.area_data_selection");
var $cols = $table.find('colgroup col');
var $headers = $table.find('thead th');
// 1. Apply saved widths at the beginning
applySavedColumnWidths();
// 2. ADD HANDLES
$headers.each(function(i) {
if (i >= $headers.length - 1) return; // Ignore the last column
var $resizer = $('<div class="resizer"></div>');
$(this).append($resizer);
});
// 3. DRAG LOGIC
var isResizing = false;
var startX = 0;
var $currentCol = null;
var startWidth = 0;
$table.on('mousedown', '.resizer', function(e) {
e.preventDefault(); e.stopPropagation();
stopAutoRefresh();
// Convert all columns to fixed pixels when starting to drag
$cols.each(function() {
var w = $(this).width();
$(this).css('width', w + 'px');
});
var idx = $(this).parent().index();
$currentCol = $cols.eq(idx);
isResizing = true;
startX = e.pageX;
startWidth = $currentCol.width();
$(this).addClass('resizing');
$(document).on('mousemove.rsz', function(e) {
if (!isResizing) return;
var diff = e.pageX - startX;
var newW = startWidth + diff;
if (newW > 30) {
$currentCol.css('width', newW + 'px');
}
});
$(document).on('mouseup.rsz', function() {
if (!isResizing) {
return;
}
isResizing = false;
$('.resizer').removeClass('resizing');
$(document).off('mousemove.rsz mouseup.rsz');
// Save widths after resizing
saveColumnWidths();
setTimeout(function() {
// Only resume if enabled
if (localStorage.getItem('bastille_show_refresh_button') === 'true') {
startAutoRefresh();
}
}, 500);
});
});
}
function saveColumnWidths() {
var widths = {};
var $cols = $("table.area_data_selection colgroup col");
$cols.each(function(index) {
// We save the width in pixels.
widths[index] = $(this).css('width');
});
localStorage.setItem('bastille_col_widths', JSON.stringify(widths));
}
function applySavedColumnWidths() {
var saved = localStorage.getItem('bastille_col_widths');
if (saved) {
try {
var widths = JSON.parse(saved);
var $cols = $("table.area_data_selection colgroup col");
$cols.each(function(index) {
if (widths[index]) {
$(this).css('width', widths[index]);
}
});
} catch (e) {
console.error("Error parsing saved column widths", e);
}
}
}
//]]>
</script>
@@ -250,36 +750,57 @@ $document->render();
<tbody>
<?php
?>
</tbody>
</table>
<table class="area_data_selection">
</tbody>
</table>
<div id="refresh-controls" style="text-align: right; display: none; position: relative;">
<span id="refresh-spinner" style="display: none;"></span>
<button type="button" id="refresh-now" class="formbtn">Refresh</button>
<select id="refresh-interval" class="formfld">
<option value="5000">5s</option>
<option value="10000">10s</option>
<option value="30000" selected>30s</option>
<option value="60000">60s</option>
<option value="0">Manual</option>
</select>
</div>
<table class="area_data_selection" style="width: 100%; table-layout: fixed; border-collapse: collapse;">
<colgroup>
<col style="width:5%">
<col style="width:5%">
<col style="width:2%">
<col style="width:3%">
<col style="width:10%">
<!-- <col style="width:10%"> Description -->
<col style="width:4%">
<col style="width:4%">
<col style="width:4%">
<col style="width:4%">
<col style="width:12%">
<col style="width:12%">
<col style="width:7%">
<col style="width:10%">
<col style="width:4%">
<col style="width:4%">
<col style="width:10%">
<col style="width:10%">
<col style="width:25%">
<col style="width:5%">
<col style="width:5%">
<col style="width:5%">
<col style="width:5%">
</colgroup>
<thead>
<?php
html_separator2();
html_titleline2(gettext('Overview'), 11);
html_titleline2(gettext('Overview'), 14);
?>
<tr>
<th class="lhelc"><?=gtext('Select');?></th>
<th class="lhell"><?=gtext('JID');?></th>
<th class="lhell"><?=gtext('IP Address');?></th>
<th class="lhell"><?=gtext('Name');?></th>
<th class="lhell"><?=gtext('Release');?></th>
<th class="lhell"><?=gtext('Interface');?></th>
<th class="lhell"><?=gtext('Path');?></th>
<!-- <th class="lhell"><?=gtext('Description');?></th> -->
<th class="lhell"><?=gtext('Boot');?></th>
<th class="lhell"><?=gtext('Prio');?></th>
<th class="lhell"><?=gtext('State');?></th>
<th class="lhell"><?=gtext('Type');?></th>
<th class="lhell"><?=gtext('IP Address');?></th>
<th class="lhell"><?=gtext('Published Ports');?></th>
<th class="lhell"><?=gtext('Release');?></th>
<th class="lhell"><?=gtext('Tags');?></th>
<th class="lhell"><?=gtext('Active');?></th>
<th class="lhell"><?=gtext('Template');?></th>
<th class="lhebl"><?=gtext('Toolbox');?></th>
@@ -308,12 +829,16 @@ $document->render();
?>
</td>
<td class="lcell"><?=htmlspecialchars($sphere_record['id']);?>&nbsp;</td>
<td class="lcell"><?=htmlspecialchars($sphere_record['ip']);?>&nbsp;</td>
<td class="lcell"><?=htmlspecialchars($sphere_record['name']);?>&nbsp;</td>
<!-- <td class="lcell"><?=htmlspecialchars($sphere_record['description']);?>&nbsp;</td> -->
<td class="lcell"><?=htmlspecialchars($sphere_record['boot']);?>&nbsp;</td>
<td class="lcell"><?=htmlspecialchars($sphere_record['prio']);?>&nbsp;</td>
<td class="lcell"><?=htmlspecialchars($sphere_record['state']);?>&nbsp;</td>
<td class="lcell"><?=htmlspecialchars($sphere_record['type']);?>&nbsp;</td>
<td class="lcell"><?=htmlspecialchars($sphere_record['ip']);?>&nbsp;</td>
<td class="lcell"><?=htmlspecialchars($sphere_record['ports']);?>&nbsp;</td>
<td class="lcell"><?=htmlspecialchars($sphere_record['rel']);?>&nbsp;</td>
<td class="lcell"><?=htmlspecialchars($sphere_record['nic']);?>&nbsp;</td>
<td class="lcell"><?=htmlspecialchars($sphere_record['path']);?>&nbsp;</td>
<td class="lcell"><img src="<?=$sphere_record['boot'];?>"></td>
<td class="lcell"><?=htmlspecialchars($sphere_record['tags']);?>&nbsp;</td>
<td class="lcell"><img src="<?=$sphere_record['stat'];?>"></td>
<td class="lcell"><img src="<?=$sphere_record['logo'];?>"></td>
<td class="lcebld">
@@ -336,6 +861,7 @@ $document->render();
endif;
endif;
?>
</td>
<td>
<a href="bastille_manager_jconf.php?jailname=<?=urlencode($sphere_record['jailname']);?>"><img src="<?=$g_img['mod'];?>" title="<?=$gt_record_conf?>" alt="<?=$gt_record_conf?>"/></a>
</td>
@@ -351,7 +877,7 @@ $document->render();
</tbody>
<tfoot>
<tr>
<td class="lcenl" colspan="10"></td>
<td class="lcenl" colspan="13"></td>
<td class="lceadd">
<a href="bastille_manager_add.php"><img src="<?=$img_path['add'];?>" title="<?=$gt_record_add;?>" border="0" alt="<?=$gt_record_add;?>" class="spin oneemhigh"/></a>
</td>
@@ -362,10 +888,12 @@ $document->render();
<input name="start_selected_jail" id="start_selected_jail" type="submit" class="formbtn" value="<?=$gt_selection_start;?>"/>
<input name="stop_selected_jail" id="stop_selected_jail" type="submit" class="formbtn" value="<?=$gt_selection_stop;?>"/>
<input name="restart_selected_jail" id="restart_selected_jail" type="submit" class="formbtn" value="<?=$gt_selection_restart;?>"/>
<input name="autoboot_selected_jail" id="autoboot_selected_jail" type="submit" class="formbtn" value="<?=$gt_selection_autoboot;?>"/>
</div>
<?php
include 'formend.inc';
include 'formend.inc';
?>
</td></tr></tbody></table></form>
<?php
include 'fend.inc';
?>

10
gui/bastille_manager_info.php
View File

@@ -2,7 +2,7 @@
/*
bastille_manager_info.php
Copyright (c) 2019 José Rivera (joserprg@gmail.com).
Copyright (c) 2019-2026 José Rivera (joserprg@gmail.com).
All rights reserved.
Portions of XigmaNAS® (https://www.xigmanas.com).
@@ -39,6 +39,12 @@ require_once 'auth.inc';
require_once 'guiconfig.inc';
require_once("bastille_manager-lib.inc");
$zfs_status = get_state_zfs();
if($zfs_status == "Invalid ZFS configuration"):
// Warning if invalid ZFS configuration.
$input_errors[] = gtext("WARNING: Invalid ZFS configuration detected.");
endif;
function jls_get_jail_list(string $entity_name = NULL) {
if(isset($entity_name)):
$cmd = "/usr/sbin/jls -v -j $entity_name 2>&1";
@@ -141,7 +147,7 @@ $document->render();
</tr>
<tbody>
</table>
<tbody>
<tbody>
</td></tr></tbody></table>
<?php
include 'fend.inc';

209
gui/bastille_manager_jconf.php
View File

@@ -2,7 +2,7 @@
/*
bastille_manager_jconf.inc
Copyright (c) 2020 José Rivera (joserprg@gmail.com).
Copyright (c) 2019-2026 José Rivera (joserprg@gmail.com).
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -34,6 +34,12 @@ require_once 'auth.inc';
require_once 'guiconfig.inc';
require_once("bastille_manager-lib.inc");
$zfs_status = get_state_zfs();
if($zfs_status == "Invalid ZFS configuration"):
// Warning if invalid ZFS configuration.
$input_errors[] = gtext("WARNING: Invalid ZFS configuration detected.");
endif;
if (isset($_GET['uuid']))
$uuid = $_GET['uuid'];
if (isset($_POST['uuid']))
@@ -62,10 +68,11 @@ endif;
$pgtitle = [gtext('Extensions'),gtext('Bastille'),gtext('Configuration'), $container];
$jail_config = "$jail_dir/$container/jail.conf";
$item = $pconfig['jailname'];
// Get some jail system settings.
$is_vnet = exec("/usr/bin/grep '.*vnet;' $jail_config");
$pconfig['autostart'] = exec("/usr/bin/grep -w '{$container}_AUTO_START=\"YES\"' $bastille_config");
$pconfig['autostart'] = exec("/usr/bin/grep -w 'boot=\"on\"' {$jail_dir}/{$item}/{$jail_settings}");
// Get some jail config parameters.
// This could be done with a nice php preg loop in the future.
@@ -73,22 +80,28 @@ $pconfig['jname'] = "$container";
$pconfig['hostname'] = exec("/usr/bin/grep '.*host.hostname.*=' $jail_config | cut -d '=' -f2 | tr -d ' ;'");
$pconfig['ipv4'] = exec("/usr/bin/grep '.*ip4.addr.*=' $jail_config | cut -d '=' -f2 | tr -d ' ;'");
$pconfig['ipv6'] = exec("/usr/bin/grep '.*ip6.addr.*=' $jail_config | cut -d '=' -f2 | tr -d ' ;'");
$pconfig['interface'] = exec("/usr/bin/grep '.*interface.*=' $jail_config | cut -d '=' -f2 | tr -d ' ;'");
//$pconfig['interface'] = exec("/usr/bin/grep '.*interface.*=' $jail_config | cut -d '=' -f2 | tr -d ' ;'");
$pconfig['securelevel'] = exec("/usr/bin/grep '.*securelevel.*=' $jail_config | cut -d '=' -f2 | tr -d ' ;'");
$pconfig['devfs_ruleset'] = exec("/usr/bin/grep '.*devfs_ruleset.*=' $jail_config | cut -d '=' -f2 | tr -d ' ;'");
$pconfig['enforce_statfs'] = exec("/usr/bin/grep '.*enforce_statfs.*=' $jail_config | cut -d '=' -f2 | tr -d ' ;'");
$pconfig['osrelease'] = exec("/usr/local/bin/bastille config {$item} get osrelease | cut -d '=' -f2 | tr -d ' ;'");
$pconfig['vnet_interface'] = exec("/usr/bin/grep '.*vnet.interface.*=' $jail_config | cut -d '=' -f2 | tr -d ' ;'");
$pconfig['boot_prio'] = exec("/usr/local/bin/bastille config {$item} get priority");
// $pconfig['description'] = exec("/usr/local/bin/bastille config {$item} get description");
// Set the jail config default parameters.
$jail_name_def = $pconfig['jname'];
$jail_hostname_def = $pconfig['hostname'];
$jail_ipv4_def = $pconfig['ipv4'];
$jail_ipv6_def = $pconfig['ipv6'];
$jail_interface_def = $pconfig['interface'];
//$jail_interface_def = $pconfig['interface'];
$jail_securelevel_def = $pconfig['securelevel'];
$jail_devfs_ruleset_def = $pconfig['devfs_ruleset'];
$jail_enforce_statfs_def = $pconfig['enforce_statfs'];
$jail_osrelease_def = $pconfig['osrelease'];
$jail_vnet_interface_def = $pconfig['vnet_interface'];
$jail_boot_prio_def = $pconfig['boot_prio'];
// $jail_description_def = $pconfig['description'];
// Check if is a Linux jail.
$is_linux_jail = exec("/usr/bin/grep linsysfs {$jail_dir}/{$jail_name_def}/fstab");
@@ -124,33 +137,59 @@ if ($_POST):
$input_errors[] = gtext("A valid hostname must be specified, it can't be left blank.");
endif;
if(isset($_POST['ipv4'])):
if(!preg_match('/^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$/', $pconfig['ipv4'])):
$input_errors[] = gtext("A valid IPv4 address must be specified.");
endif;
endif;
// Disable this IP validation check since bastille jail.conf syntax has changed recently.
//if(isset($_POST['ipv4'])):
// if(!preg_match('/^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$/', $pconfig['ipv4'])):
// $input_errors[] = gtext("A valid IPv4 address must be specified.");
// endif;
//endif;
if(isset($_POST['ipv6'])):
if(!preg_match('/^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))/', $pconfig['ipv6'])):
$input_errors[] = gtext("A valid IPv6 address must be specified.");
endif;
endif;
// Disable this IP validation check since bastille jail.conf syntax has changed recently.
//if(isset($_POST['ipv6'])):
// if(!preg_match('/^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))/', $pconfig['ipv6'])):
// $input_errors[] = gtext("A valid IPv6 address must be specified.");
// endif;
//endif;
if(isset($_POST['securelevel'])):
if(!preg_match('/^[0-3]$/', $pconfig['securelevel'])):
$input_errors[] = gtext("A valid number must be specified for securelevel, between 0-3.");
if(!is_numeric($pconfig['securelevel'])):
$input_errors[] = gtext("This parameter must be a number.");
else:
if(!preg_match('/^[0-3]$/', $pconfig['securelevel'])):
$input_errors[] = gtext("A valid number must be specified for securelevel, between 0-3.");
endif;
endif;
endif;
if(isset($_POST['devfs_ruleset'])):
if(!preg_match('/^([0-9]{1,3})$/', $pconfig['devfs_ruleset'])):
$input_errors[] = gtext("A valid number must be specified for devfs_ruleset.");
if(!is_numeric($pconfig['devfs_ruleset'])):
$input_errors[] = gtext("This parameter must be a number.");
else:
if(!preg_match('/^([0-9]{1,3})$/', $pconfig['devfs_ruleset'])):
$input_errors[] = gtext("A valid number must be specified for devfs_ruleset.");
endif;
endif;
endif;
if(isset($_POST['enforce_statfs'])):
if(!preg_match('/^[0-2]$/', $pconfig['enforce_statfs'])):
$input_errors[] = gtext("A valid number must be specified for enforce_statfs, between 0-2.");
if(!is_numeric($pconfig['enforce_statfs'])):
$input_errors[] = gtext("This parameter must be a number.");
else:
if(!preg_match('/^[0-2]$/', $pconfig['enforce_statfs'])):
$input_errors[] = gtext("A valid number must be specified for enforce_statfs, between 0-2.");
endif;
endif;
endif;
if(isset($_POST['osrelease'])):
if(!is_string($pconfig['osrelease'])):
$input_errors[] = gtext("This parameter must be a string.");
endif;
endif;
if(isset($_POST['boot_prio'])):
if(!is_numeric($pconfig['boot_prio'])):
$input_errors[] = gtext("This parameter must be a number.");
endif;
endif;
@@ -175,9 +214,9 @@ if ($_POST):
if(isset($pconfig['ipv6'])):
$jail_ipv6 = $pconfig['ipv6'];
endif;
if(isset($pconfig['interface'])):
$jail_interface = $pconfig['interface'];
endif;
//if(isset($pconfig['interface'])):
// $jail_interface = $pconfig['interface'];
//endif;
if(isset($pconfig['securelevel'])):
$jail_securelevel = $pconfig['securelevel'];
endif;
@@ -187,11 +226,21 @@ if ($_POST):
if(isset($pconfig['enforce_statfs'])):
$jail_enforce_statfs = $pconfig['enforce_statfs'];
endif;
if(isset($pconfig['osrelease'])):
$jail_osrelease = $pconfig['osrelease'];
endif;
if(isset($pconfig['vnet_interface'])):
$jail_vnet_interface = $pconfig['vnet_interface'];
endif;
if(isset($pconfig['boot_prio'])):
$jail_boot_prio = $pconfig['boot_prio'];
endif;
if(isset($pconfig['description'])):
$jail_description = $pconfig['description'];
endif;
// Check if the config has changed for each parameter.
// Check if the config has changed for each parameters.
// This jails wide changes requires the jail to be already stopped.
// This could be done with a nice foreach loop in the future.
if($jail_name_def !== $jail_name):
$is_changed = "1";
@@ -205,9 +254,9 @@ if ($_POST):
if(isset($_POST['ipv6']) && ($jail_ipv6_def !== $jail_ipv6)):
$is_changed = "1";
endif;
if(isset($_POST['interface']) && ($jail_interface_def !== $jail_interface)):
$is_changed = "1";
endif;
//if(isset($_POST['interface']) && ($jail_interface_def !== $jail_interface)):
// $is_changed = "1";
//endif;
// Don't check "securelevel" if Linux jail.
if(!$is_linux_jail):
if($jail_securelevel_def !== $jail_securelevel):
@@ -232,8 +281,9 @@ if ($_POST):
// Skip jail running check.
$retval = "1";
endif;
if($retval == 0):
$input_errors[] = gtext("This jail is running, please stop it before making jail.conf changes.");
$input_errors[] = gtext("This jail is running, please stop it before making jail.conf wide changes.");
else:
if (isset($_POST['hostname']) && $_POST['hostname']):
if($jail_hostname_def !== $jail_hostname):
@@ -249,7 +299,7 @@ if ($_POST):
if (isset($_POST['ipv4']) && $_POST['ipv4']):
if($jail_ipv4_def !== $jail_ipv4):
$cmd = "/usr/bin/sed -i '' 's|.*ip4.addr.*=.*;| ip4.addr = $jail_ipv4;|' $jail_config";
$cmd = "/usr/bin/sed -i '' 's/.*ip4.addr.*=.*;/ ip4.addr = $jail_ipv4;/' $jail_config";
unset($output,$retval);mwexec2($cmd,$output,$retval);
if($retval == 0):
//$savemsg .= gtext("IPv4 changed successfully.");
@@ -261,7 +311,7 @@ if ($_POST):
if (isset($_POST['ipv6']) && $_POST['ipv6']):
if($jail_ipv6_def !== $jail_ipv6):
$cmd = "/usr/bin/sed -i '' 's|.*ip6.addr.*=.*;| ip6.addr = $jail_ipv6;|' $jail_config";
$cmd = "/usr/bin/sed -i '' 's/.*ip6.addr.*=.*;/ ip6.addr = $jail_ipv6;/' $jail_config";
unset($output,$retval);mwexec2($cmd,$output,$retval);
if($retval == 0):
//$savemsg .= gtext("IPv6 changed successfully.");
@@ -271,19 +321,19 @@ if ($_POST):
endif;
endif;
if (isset($_POST['interface']) && $_POST['interface']):
if($jail_interface_def !== $jail_interface):
if ($_POST['interface'] !== 'Config'):
$cmd = "/usr/bin/sed -i '' 's|.*interface.*=.*;| interface = $jail_interface;|' $jail_config";
unset($output,$retval);mwexec2($cmd,$output,$retval);
if($retval == 0):
//$savemsg .= gtext("Interface changed successfully.");
else:
$input_errors[] = gtext("Failed to save interface.");
endif;
endif;
endif;
endif;
//if (isset($_POST['interface']) && $_POST['interface']):
// if($jail_interface_def !== $jail_interface):
// if ($_POST['interface'] !== 'Config'):
// $cmd = "/usr/bin/sed -i '' 's|.*interface.*=.*;| interface = $jail_interface;|' $jail_config";
// unset($output,$retval);mwexec2($cmd,$output,$retval);
// if($retval == 0):
// //$savemsg .= gtext("Interface changed successfully.");
// else:
// $input_errors[] = gtext("Failed to save interface.");
// endif;
// endif;
// endif;
//endif;
if (isset($_POST['vnet_interface']) && $_POST['vnet_interface']):
if($jail_vnet_interface_def !== $jail_vnet_interface):
@@ -335,12 +385,25 @@ if ($_POST):
endif;
endif;
if (isset($_POST['autostart']) && $_POST['autostart']):
if($jail_name_def !== $jail_name):
// Remove obsolete variable.
exec("/usr/sbin/sysrc -f $configfile -x {$jail_name_def}_AUTO_START");
if (isset($_POST['osrelease']) || $_POST['osrelease']):
if($jail_osrelease_def !== $jail_osrelease):
$cmd = "/usr/local/bin/bastille config {$item} set osrelease $jail_osrelease";
unset($output,$retval);mwexec2($cmd,$output,$retval);
if($retval == 0):
//$savemsg .= gtext("Osrelease changed successfully.");
else:
$input_errors[] = gtext("Failed to save osrelease.");
endif;
endif;
$cmd = ("/usr/sbin/sysrc -f $configfile {$jail_name}_AUTO_START=\"YES\"");
endif;
if (isset($_POST['autostart']) && $_POST['autostart']):
//if($jail_name_def !== $jail_name):
// // Remove obsolete variable.
// exec("/usr/sbin/sysrc -f $configfile -x {$jail_name_def}_AUTO_START");
//endif;
//$cmd = ("/usr/sbin/sysrc -f $configfile {$jail_name}_AUTO_START=\"YES\"");
$cmd = ("/usr/sbin/sysrc -f {$jail_dir}/{$item}/{$jail_settings} boot=\"on\"");
unset($output,$retval);mwexec2($cmd,$output,$retval);
if($retval == 0):
//$savemsg .= gtext("Autostart changed successfully.");
@@ -348,12 +411,13 @@ if ($_POST):
$input_errors[] = gtext("Failed to enable autostart.");
endif;
else:
if($jail_name_def !== $jail_name):
// Remove obsolete variable.
exec("/usr/sbin/sysrc -f $configfile -x {$jail_name_def}_AUTO_START");
endif;
if(exec("/usr/sbin/sysrc -f $configfile -qn {$jail_name}_AUTO_START")):
$cmd = ("/usr/sbin/sysrc -f $configfile -x {$jail_name}_AUTO_START");
//if($jail_name_def !== $jail_name):
// // Remove obsolete variable.
// exec("/usr/sbin/sysrc -f $configfile -x {$jail_name_def}_AUTO_START");
//endif;
if(exec("/usr/sbin/sysrc -f {$jail_dir}/{$item}/{$jail_settings} -qn boot")):
//$cmd = ("/usr/sbin/sysrc -f $configfile -x {$jail_name}_AUTO_START");
$cmd = ("/usr/sbin/sysrc -f {$jail_dir}/{$item}/{$jail_settings} boot=\"off\"");
unset($output,$retval);mwexec2($cmd,$output,$retval);
if($retval == 0):
//$savemsg .= gtext("Autostart changed successfully.");
@@ -363,6 +427,30 @@ if ($_POST):
endif;
endif;
if (isset($_POST['boot_prio']) || $_POST['boot_prio']):
if($jail_boot_prio_def !== $jail_boot_prio):
$cmd = "/usr/local/bin/bastille config {$item} set priority $jail_boot_prio";
unset($output,$retval);mwexec2($cmd,$output,$retval);
if($retval == 0):
//$savemsg .= gtext("Priority changed successfully.");
else:
$input_errors[] = gtext("Failed to save priority .");
endif;
endif;
endif;
if (isset($_POST['description']) || $_POST['description']):
if($jail_description_def !== $jail_description):
$cmd = "/usr/local/bin/bastille config {$item} set description \"$jail_description\"";
unset($output,$retval);mwexec2($cmd,$output,$retval);
if($retval == 0):
//$savemsg .= gtext("Description changed successfully.");
else:
$input_errors[] = gtext("Failed to save description.");
endif;
endif;
endif;
if (isset($_POST['jname']) && $_POST['jname']):
if($jail_name_def !== $jail_name):
$cmd = "/usr/local/bin/bastille rename $jail_name_def $jail_name";
@@ -400,7 +488,6 @@ endif;
$a_action = $l_interfaces;
html_titleline2(gtext("Jail Configuration"));
html_inputbox("jname", gtext("Name"), $pconfig['jname'], gtext("Set the desired jail name, for example: jail_1. Warning: renaming a jail will also rename the directory/dataset."), true, 40);
html_inputbox("hostname", gtext("Hostname"), $pconfig['hostname'], gtext("Set the desired jail hostname, for example: jail.com, not to be confused with the jail name."), true, 40);
if ($jail_ipv4_def):
html_inputbox("ipv4", gtext("IPv4"), $pconfig['ipv4'], gtext("Set the desired jail IPv4 address, for example: 192.168.1.100, or 192.168.1.100/24."), true, 40);
@@ -408,24 +495,27 @@ endif;
if ($jail_ipv6_def):
html_inputbox("ipv6", gtext("IPv6"), $pconfig['ipv6'], gtext("Set the desired jail IPv4 address, for example: 2001:cdba::3257:9652, or 2001:cdba::3257:9652/64."), true, 40);
endif;
if (!$is_vnet):
html_combobox('interface', gtext('Interface'),$pconfig['interface'], $a_action, gtext("Set the network interface available from the dropdown menu, usually should not be changed unless replacing/renaming interface or moving jail from host."), true, false, 'action_change()');
endif;
//if (!$is_vnet):
// html_combobox('interface', gtext('Interface'),$pconfig['interface'], $a_action, gtext("Set the network interface available from the dropdown menu, usually should not be changed unless replacing/renaming interface or moving jail from host."), true, false, 'action_change()');
//endif;
if(!$is_linux_jail):
html_inputbox("securelevel", gtext("securelevel"), $pconfig['securelevel'], gtext("The value of the jail's kern.securelevel. A jail never has a lower securelevel than its parent system, but by setting this parameter it may have a higher one, default is 2."), false, 20);
endif;
html_inputbox("devfs_ruleset", gtext("devfs_ruleset"), $pconfig['devfs_ruleset'], gtext("The number of the devfs ruleset that is enforced for mounting devfs in this jail. A value of zero means no ruleset is enforced. default is 4, on VNET jails default is 13."), false, 20);
//if(!$is_linux_jail):
html_inputbox("enforce_statfs", gtext("enforce_statfs"), $pconfig['enforce_statfs'], gtext("This determines what information processes in a jail are able to get about mount points. Affects the behaviour of the following syscalls: statfs, fstatfs, getfsstat and fhstatfs, default is 2."), false, 20);
html_inputbox("osrelease", gtext("osrelease"), $pconfig['osrelease'], gtext("This sets the jail OS release, this parameter must be a string."), false, 20);
//endif;
if ($is_vnet):
html_inputbox("vnet_interface", gtext("VNET Interface"), $pconfig['vnet_interface'], gtext("Set the VNET interface manually, usually should not be changed unless renaming the interface or moving jail from host."), false, 20);
html_inputbox("vnet_interface", gtext("VNET Interface"), $pconfig['vnet_interface'], gtext("Set the VNET interface manually, usually should not be changed unless renaming the interface or moving jail from host, Note: manual edit of the jail rc.conf file may be required."), false, 20);
endif;
?>
<?php
html_separator2();
html_titleline2(gtext("Misc Configuration"));
html_checkbox2('autostart',gtext('Autoboot'),!empty($pconfig['autostart']) ? true : false,gtext('Autoboot this jail after system reboot.'),'',false);
html_inputbox("boot_prio", gtext("Priority"), $pconfig['boot_prio'], gtext("Set the priority value of the jail. Affects the boot order behaviour."), false, 20);
// html_inputbox("description", gtext("Description"), $pconfig['description'], gtext("Set a description for the jail."), false, 40);
//html_checkbox2('force_edit',gtext('Force edit'),!empty($pconfig['force_edit']) ? true : false,gtext('Automatically stop and start this jail if is already running.'),'',false);
?>
</table>
@@ -442,6 +532,7 @@ endif;
. gtext('For additional information about the jail configuration file, check the FreeBSD documentation')
. '</a>.';
html_remark("note", gtext('Note'), $helpinghand);
html_remark("note", gtext("Warning"), sprintf(gtext("Please be careful here as no input validation will be performed.")));
?>
</div>
<?php include 'formend.inc';?>

72
gui/bastille_manager_maintenance.php
View File

@@ -2,7 +2,7 @@
/*
bastille_manager_maintenance.php
Copyright (c) 2019-2020 José Rivera (joserprg@gmail.com).
Copyright (c) 2019-2026 José Rivera (joserprg@gmail.com).
All rights reserved.
Copyright (c) 2016 Andreas Schmidhuber
@@ -54,6 +54,12 @@ if(!initial_install_banner()):
$prerequisites_ok = false;
endif;
$zfs_status = get_state_zfs();
if($zfs_status == "Invalid ZFS configuration"):
// Warning if invalid ZFS configuration.
$input_errors[] = gtext("WARNING: Invalid ZFS configuration detected.");
endif;
// For legacy product versions.
$legacy_check = mwexec("/bin/cat /etc/prd.version | cut -d'.' -f1 | /usr/bin/grep '10'", true);
if ($legacy_check == 0) {
@@ -82,8 +88,11 @@ if ($_POST) {
ob_start();
include("{$logevent}");
$ausgabe = ob_get_contents();
ob_end_clean();
ob_end_clean();
$savemsg .= str_replace("\n", "<br />", $ausgabe)."<br />";
// Silently execute bastille-init post upgrade for pending changes.
// This is to make sure that minor changes are always applied.
exec('bastille-init');
else:
$input_errors[] = gtext('An error has occurred during upgrade process.');
$cmd = sprintf('echo %s: %s An error has occurred during upgrade process. >> %s',$date,$application,$logfile);
@@ -100,7 +109,7 @@ if ($_POST) {
ob_start();
include("{$logevent}");
$ausgabe = ob_get_contents();
ob_end_clean();
ob_end_clean();
$savemsg .= str_replace("\n", "<br />", $ausgabe)."<br />";
else:
$input_errors[] = gtext('An error has occurred during core update process.');
@@ -116,12 +125,12 @@ if ($_POST) {
if (is_link($textdomain_bastille)) mwexec("rm -f {$textdomain_bastille}", true);
if (is_dir($confdir)) mwexec("rm -Rf {$confdir}", true);
mwexec("rm /usr/local/www/bastille_manager_gui.php && rm -R /usr/local/www/ext/bastille", true);
mwexec("{$rootfolder}/usr/local/sbin/bastille-init -t", true);
mwexec("{$rootfolder}/usr/local/sbin/bastille-init -t", true);
$uninstall_cmd = "echo 'y' | /usr/local/sbin/bastille-init -U";
mwexec($uninstall_cmd, true);
if (is_link("/usr/local/share/{$prdname}")) mwexec("rm /usr/local/share/{$prdname}", true);
if (is_link("/var/cache/pkg")) mwexec("rm /var/cache/pkg", true);
if (is_link("/var/db/pkg")) mwexec("rm /var/db/pkg && mkdir /var/db/pkg", true);
//if (is_link("/var/cache/pkg")) mwexec("rm /var/cache/pkg", true);
//if (is_link("/var/db/pkg")) mwexec("rm /var/db/pkg && mkdir /var/db/pkg", true);
// Remove start postinit cmd in later product versions.
if (is_array($config['rc']) && is_array($config['rc']['param'])) {
@@ -211,7 +220,7 @@ if ($_POST) {
ob_start();
include("{$logevent}");
$ausgabe = ob_get_contents();
ob_end_clean();
ob_end_clean();
$savemsg .= str_replace("\n", "<br />", $ausgabe)."<br />";
exec("/usr/sbin/sysrc -f {$configfile} ZFS_ACTIVATED=\"YES\"");
else:
@@ -237,8 +246,6 @@ if ($_POST) {
$savemsg .= gtext("ZFS activation option has been skipped.");
endif;
endif;
# Run bastille-init to update config.
exec("bastille-init");
}
if (isset($_POST['restore']) && $_POST['restore']) {
@@ -299,6 +306,23 @@ $(document).ready(function(){
$('#getinfo_bastille').html(data.bastille);
$('#getinfo_ext').html(data.ext);
});
// --- LOGICA DEL CHECKBOX REFRESH (LocalStorage) ---
var $chk = $("#show_refresh_button");
// 1. Leer estado inicial desde LocalStorage
var savedState = localStorage.getItem('bastille_show_refresh_button');
if (savedState === 'true') {
$chk.prop('checked', true);
} else {
$chk.prop('checked', false); // Por defecto deshabilitado
}
// 2. Guardar cambios al hacer click
$chk.change(function() {
var isChecked = $(this).is(':checked');
localStorage.setItem('bastille_show_refresh_button', isChecked);
});
});
//]]>
</script>
@@ -306,19 +330,16 @@ $(document).ready(function(){
<script src="js/spin.min.js"></script>
<!-- use: onsubmit="spinner()" within the form tag -->
<script type="text/javascript">
<!--
}
//-->
</script>
<form action="bastille_manager_maintenance.php" method="post" name="iform" id="iform" onsubmit="spinner()">
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr><td class="tabnavtbl">
<ul id="tabnav">
<li class="tabinact"><a href="bastille_manager_gui.php"><span><?=gettext("Containers");?></span></a></li>
<ul id="tabnav">
<li class="tabinact"><a href="bastille_manager_gui.php"><span><?=gettext("Containers");?></span></a></li>
<li class="tabact"><a href="bastille_manager_info.php"><span><?=gettext("Information");?></span></a></li>
<li class="tabact"><a href="bastille_manager_maintenance.php"><span><?=gettext("Maintenance");?></span></a></li>
</ul>
</td></tr>
<li class="tabact"><a href="bastille_manager_maintenance.php"><span><?=gettext("Maintenance");?></span></a></li>
</ul>
</td></tr>
<tr><td class="tabnavtbl">
<ul id="tabnav2">
<li class="tabact"><a href="bastille_manager_config.php"><span><?=gettext("Bastille Configuration");?></span></a></li>
@@ -352,14 +373,20 @@ $(document).ready(function(){
html_checkbox2('zfs_activate',gtext('ZFS support activation'),'' ? true : false,gtext('Check this to activate ZFS support or leave unchecked to dismiss (requires ZFS support to be available/enabled), this is a one time option and this row will disappear after clicking Save button or page refresh.'),'',false);
endif;
?>
<?php html_filechooser("backup_path", gtext("Backup directory"), $backup_path, gtext("Directory to store containers backup archives, use as file chooser for restoring from file, importable formats: .GZ/TGZ/TXZ/XZ or RAW(no extension on the file name)."), $backup_path, true, 60);?>
<?php html_filechooser("backup_path", gtext("Backup directory"), $backup_path, gtext("Directory to store containers backup archives, use as file chooser for restoring from file, importable formats: .GZ/TGZ/TXZ/XZ/ZST/TZST or RAW(no extension on the file name)."), $backup_path, true, 60);?>
</table>
<div id="submit">
<input id="save" name="save" type="submit" class="formbtn" title="<?=gtext("Save settings");?>" value="<?=gtext("Save");?>"/>
<input name="upgrade" type="submit" class="formbtn" title="<?=gtext("Upgrade Extension and Bastille Core Packages");?>" value="<?=gtext("Upgrade");?>" />
<input name="update" type="submit" class="formbtn" title="<?=gtext("Update Bastille Core Package Only");?>" value="<?=gtext("Update");?>" />
<input name="update" type="submit" class="formbtn" title="<?=gtext("Apply Bastille Core latest Patches and Fixes");?>" value="<?=gtext("Update");?>" />
<input name="restore" type="submit" class="formbtn" title="<?=gtext("Restore a container");?>" value="<?=gtext("Restore");?>" />
</div>
<table width="100%" border="0" cellpadding="6" cellspacing="0">
<?php html_separator();?>
<?php html_titleline(gtext("Refresh"));?>
<?php html_checkbox2('show_refresh_button',gtext('Show refresh button'),'' ? true : false,gtext('This will display a refresh button in the containers tab.'),'',false);?>
<?php html_separator();?>
</table>
<div id="remarks">
<?php html_remark("note", gtext("Info"), sprintf(gtext("For general information visit the following link(s):")));?>
<div id="enumeration"><ul><li><a href="http://bastillebsd.org/" target="_blank" ><?=gtext("Bastille helps you quickly create and manage FreeBSD Jails.")?></a></li></ul></div>
@@ -369,6 +396,7 @@ $(document).ready(function(){
<?php html_titleline(gtext("Uninstall"));?>
<?php html_checkbox2('delete_confirm',gtext('Uninstall confirm'),'' ? true : false,gtext('Check to confirm extension uninstall. Note: Jail related content will be preserved by default.'),'',false);?>
<?php html_separator();?>
<?php html_separator();?>
</table>
<div id="submit1">
<input name="uninstall" type="submit" class="formbtn" title="<?=gtext("Uninstall Extension");?>" value="<?=gtext("Uninstall");?>" onclick="return confirm('<?=gtext("Bastille Extension and packages will be completely removed, Bastille containers and child directories will not be touched, really to proceed?");?>')" />
@@ -378,8 +406,6 @@ $(document).ready(function(){
<?php include("formend.inc");?>
</form>
<script type="text/javascript">
<!--
enable_change(false);
//-->
<!--enable_change(false);-->
</script>
<?php include("fend.inc");?>
<?php include("fend.inc");?>

81
gui/bastille_manager_tarballs.php
View File

@@ -2,7 +2,7 @@
/*
bastille_manager_tarballs.php
Copyright (c) 2019 José Rivera (joserprg@gmail.com).
Copyright (c) 2019-2026 José Rivera (joserprg@gmail.com).
All rights reserved.
Portions of XigmaNAS® (https://www.xigmanas.com).
@@ -53,7 +53,7 @@ function get_rel_list() {
if (is_dir("{$rootfolder}/releases")):
$entries = preg_grep('/^[0-9]+\.[0-9]+\-RELEASE|(Debian[0-9]{1,2}$)|(Ubuntu_[0-9]{4}$)/', scandir("{$rootfolder}/releases"));
foreach($entries as $entry):
$a = preg_split('/\t/',$entry);
$a = preg_split('/\t/',$entry);
$r = [];
$name = $a[0];
if(preg_match('/^[0-9]+\.[0-9]+\-RELEASE|(Debian[0-9]{1,2}$)|(Ubuntu_[0-9]{4}$)/', $name, $m)):
@@ -67,53 +67,42 @@ function get_rel_list() {
endif;
return $result;
}
$zfs_status = get_state_zfs();
if($zfs_status == "Invalid ZFS configuration"):
// Warning if invalid ZFS configuration.
$input_errors[] = gtext("WARNING: Invalid ZFS configuration detected.");
endif;
$rel_list = get_rel_list();
$sphere_array = $rel_list;
if ($linux_compat_support == "YES"):
$a_action = [
//'14.2-RELEASE' => gettext('14.2-RELEASE'),
'14.3-RELEASE' => gettext('14.3-RELEASE'),
'14.2-RELEASE' => gettext('14.2-RELEASE'),
'14.1-RELEASE' => gettext('14.1-RELEASE'),
'14.0-RELEASE' => gettext('14.0-RELEASE'),
'13.5-RELEASE' => gettext('13.5-RELEASE'),
'13.4-RELEASE' => gettext('13.4-RELEASE'),
'13.3-RELEASE' => gettext('13.3-RELEASE'),
'13.2-RELEASE' => gettext('13.2-RELEASE'),
'13.1-RELEASE' => gettext('13.1-RELEASE'),
'13.0-RELEASE' => gettext('13.0-RELEASE'),
'12.4-RELEASE' => gettext('12.4-RELEASE'),
'12.3-RELEASE' => gettext('12.3-RELEASE'),
'12.2-RELEASE' => gettext('12.2-RELEASE'),
'12.1-RELEASE' => gettext('12.1-RELEASE'),
'12.0-RELEASE' => gettext('12.0-RELEASE'),
'11.4-RELEASE' => gettext('11.4-RELEASE'),
'11.3-RELEASE' => gettext('11.3-RELEASE'),
'11.2-RELEASE' => gettext('11.2-RELEASE'),
'ubuntu-jammy' => gettext('Ubuntu-Jammy'),
'ubuntu-focal' => gettext('Ubuntu-Focal'),
'ubuntu-bionic' => gettext('Ubuntu-Bionic'),
'debian-bookworm' => gettext('Debian-Bookworm'),
'debian-bullseye' => gettext('Debian-Bullseye'),
'debian-buster' => gettext('Debian-Buster'),
//'debian-stretch' => gettext('Debian-Stretch'), -> Obsolete, removed from bastille boostrap.
// Linux base release bootstrap is allowed from command-line.
//'ubuntu-noble' => gettext('Ubuntu-noble'),
//'ubuntu-jammy' => gettext('Ubuntu-Jammy'),
//'ubuntu-focal' => gettext('Ubuntu-Focal'),
//'ubuntu-bionic' => gettext('Ubuntu-Bionic'),
//'debian-bookworm' => gettext('Debian-Bookworm'),
//'debian-bullseye' => gettext('Debian-Bullseye'),
//'debian-buster' => gettext('Debian-Buster'),
//'debian-stretch' => gettext('Debian-Stretch'),
];
else:
$a_action = [
//'14.2-RELEASE' => gettext('14.2-RELEASE'),
'14.3-RELEASE' => gettext('14.3-RELEASE'),
'14.2-RELEASE' => gettext('14.2-RELEASE'),
'14.1-RELEASE' => gettext('14.1-RELEASE'),
'14.0-RELEASE' => gettext('14.0-RELEASE'),
'13.5-RELEASE' => gettext('13.5-RELEASE'),
'13.4-RELEASE' => gettext('13.4-RELEASE'),
'13.3-RELEASE' => gettext('13.3-RELEASE'),
'13.2-RELEASE' => gettext('13.2-RELEASE'),
'13.1-RELEASE' => gettext('13.1-RELEASE'),
'13.0-RELEASE' => gettext('13.0-RELEASE'),
'12.4-RELEASE' => gettext('12.4-RELEASE'),
'12.3-RELEASE' => gettext('12.3-RELEASE'),
'12.2-RELEASE' => gettext('12.2-RELEASE'),
'12.1-RELEASE' => gettext('12.1-RELEASE'),
'12.0-RELEASE' => gettext('12.0-RELEASE'),
'11.4-RELEASE' => gettext('11.4-RELEASE'),
'11.3-RELEASE' => gettext('11.3-RELEASE'),
'11.2-RELEASE' => gettext('11.2-RELEASE'),
];
endif;
@@ -135,6 +124,7 @@ if($_POST):
$check_release = ("{$rootfolder}/releases/{$get_release}");
$cmd = sprintf('/bin/echo "Y" | /usr/local/bin/bastille bootstrap %1$s > %2$s',$get_release,$logevent);
$base_mandatory = "base";
$zfs_status = get_state_zfs();
//unset($lib32,$ports,$src);
if (isset($_POST['lib32'])):
@@ -148,12 +138,12 @@ if($_POST):
endif;
$opt_tarballs = "$lib32 $ports $src";
// FreeBSD base release check.
//if(file_exists($check_release)):
// $savemsg .= sprintf(gtext('%s base appears to be already extracted.'),$get_release);
//else:
// Download a FreeBSD base release.
if ($_POST['Download']):
// Download a FreeBSD base release.
if ($_POST['Download']):
if($zfs_status == "Invalid ZFS configuration"):
// Abort bootstrap if invalid ZFS configuration.
$input_errors[] = gtext("Cannot bootstrap with an invalid ZFS configuration.");
else:
$savemsg = "";
$errormsg = "";
if ($opt_tarballs):
@@ -177,8 +167,9 @@ if($_POST):
else:
$errormsg .= sprintf(gtext('%s Failed to download and/or extract release base.'),$get_release);
endif;
endif;
//endif;
endif;
endif;
if (isset($_POST['Destroy']) && $_POST['Destroy']):
@@ -212,7 +203,7 @@ if($_POST):
// Do not delete base releases with containers child.
if ($check_used):
$errormsg .= sprintf(gtext('%s base appears to have containers child.'),$get_release);
else:
else:
// Delete the FreeBSD base release/directory.
if ($_POST['Destroy']):
unset($output,$retval);mwexec2($cmd,$output,$retval);
@@ -222,7 +213,7 @@ if($_POST):
else:
$errormsg .= sprintf(gtext('%s failed to delete.'),$get_release);
endif;
endif;
endif;
endif;
endif;
endif;
@@ -284,7 +275,7 @@ $document->render();
<?php
if (is_dir($reldir)):
if (!is_dir_empty($reldir)):
html_titleline2(gettext('FreeBSD/Linux Base Release Installed'));
html_titleline2(gettext('FreeBSD/Linux Base Release Installed'));
endif;
foreach ($sphere_array as $sphere_record):
if (file_exists("{$reldir}/{$sphere_record['relname']}/root/.profile")):

158
gui/bastille_manager_util.php
View File

@@ -2,7 +2,7 @@
/*
bastille_manager_util.php
Copyright (c) 2019 José Rivera (joserprg@gmail.com).
Copyright (c) 2019-2026 José Rivera (joserprg@gmail.com).
All rights reserved.
Portions of XigmaNAS® (https://www.xigmanas.com).
@@ -39,6 +39,12 @@ require_once 'auth.inc';
require_once 'guiconfig.inc';
require_once("bastille_manager-lib.inc");
$zfs_status = get_state_zfs();
if($zfs_status == "Invalid ZFS configuration"):
// Warning if invalid ZFS configuration.
$input_errors[] = gtext("WARNING: Invalid ZFS configuration detected.");
endif;
if(isset($_GET['uuid'])):
$uuid = $_GET['uuid'];
endif;
@@ -115,9 +121,9 @@ if($_POST):
$bastille_version = get_version_bastille();
$bastille_version_min = "0920210714";
$bastille_version_format = str_replace(".", "", $bastille_version);
$bastille_bin_path = "/usr/local/bin";
$export_option = "";
$skip_safemode = "";
#$skip_safemode = "";
$skip_livemode = "";
if(isset($_POST['format'])):
$export_format = $_POST['format'];
@@ -133,44 +139,54 @@ if($_POST):
break;
case 'tgz':
$user_export_format = "--tgz";
$skip_safemode = "yes";
#$skip_safemode = "yes";
$skip_livemode = "yes";
break;
case 'txz':
$user_export_format = "--txz";
$skip_safemode = "yes";
#$skip_safemode = "yes";
$skip_livemode = "yes";
break;
case 'tzst':
$user_export_format = "--tzst";
#$skip_safemode = "yes";
$skip_livemode = "yes";
break;
case 'xz':
$user_export_format = "--xz";
break;
case 'zst':
$user_export_format = "--zst";
break;
endswitch;
if($pconfig['safemode']):
$export_option = "--auto";
endif;
if ($zfs_activated == "YES"):
if($pconfig['safemode']):
if(!$skip_safemode):
$export_option = "--safe";
if($pconfig['livemode']):
if(!$export_option):
$export_option = "--live";
endif;
endif;
endif;
if($bastille_version_format >= $bastille_version_min):
if ($zfs_activated == "YES"):
if ($pconfig['format'] == "default"):
$export_format = "--xz";
$cmd = ("$bastille_bin_path/bastille export $export_option $export_format '{$item}'");
$cmd = ("/usr/local/bin/bastille export $export_option $export_format '{$item}'");
else:
$cmd = ("$bastille_bin_path/bastille export $export_option $user_export_format '{$item}'");
$cmd = ("/usr/local/bin/bastille export $export_option $user_export_format '{$item}'");
endif;
else:
if ($pconfig['format'] == "default"):
$export_format = "--txz";
$cmd = ("$bastille_bin_path/bastille export $export_format '{$item}'");
$cmd = ("/usr/local/bin/bastille export $export_option $export_format '{$item}'");
else:
$cmd = ("$bastille_bin_path/bastille export $user_export_format '{$item}'");
$cmd = ("/usr/local/bin/bastille export $export_option $user_export_format '{$item}'");
endif;
endif;
else:
$cmd = ("$bastille_bin_path/bastille export '{$item}'");
endif;
unset($output,$retval);mwexec2($cmd,$output,$retval);
if($retval == 0):
@@ -225,9 +241,17 @@ if($_POST):
$current_release = exec("/usr/bin/grep '\-RELEASE' {$jail_dir}/{$item}/fstab | awk '{print $1}' | grep -o '[^/]*$'");
if ($_POST['update_base']):
$cmd = ("/usr/local/sbin/bastille-init update '{$current_release}'");
if ($_POST['update_base_force']):
$cmd = ("/usr/local/sbin/bastille-init update_force '{$current_release}'");
else:
$cmd = ("/usr/local/sbin/bastille-init update '{$current_release}'");
endif;
elseif ($_POST['update_jail']):
$cmd = ("/usr/local/sbin/bastille-init update '{$item}'");
if ($_POST['update_jail_force']):
$cmd = ("/usr/local/sbin/bastille-init update_force '{$item}'");
else:
$cmd = ("/usr/local/sbin/bastille-init update '{$item}'");
endif;
else:
$input_errors[] = sprintf(gtext("Failed to update container %s."),$item);
break;
@@ -236,7 +260,14 @@ if($_POST):
unset($output,$retval);mwexec2($cmd,$output,$retval);
if($retval == 0):
$update_release = exec("/usr/sbin/jexec -l {$item} freebsd-version");
$savemsg .= sprintf(gtext("Container release updated to %s successfully."),$update_release);
if (($_POST['update_jail_force']) || ($_POST['update_base_force'])):
$savemsg .= sprintf(gtext("Container release forcefully updated to %s successfully, a restart is required to apply pending changes."),$update_release);
else:
$savemsg .= sprintf(gtext("Container release updated to %s successfully, a restart is required to apply pending changes."),$update_release);
endif;
if ($_POST['update_base']):
exec("/usr/local/bin/bastille config {$item} set osrelease $update_release");
endif;
exec("echo '{$date}: {$application}: Container release updated to {$update_release} successfully for {$item}' >> {$logfile}");
//header('Location: bastille_manager_gui.php');
//exit;
@@ -284,7 +315,8 @@ if($_POST):
$container['jailname'] = $_POST['jailname'];
$confirm_name = $pconfig['confirmname'];
$item = $container['jailname'];
$cmd = ("/usr/sbin/sysrc -f {$configfile} {$item}_AUTO_START=\"YES\"");
//$cmd = ("/usr/sbin/sysrc -f {$configfile} {$item}_AUTO_START=\"YES\"");
$cmd = ("/usr/sbin/sysrc -f {$jail_dir}/{$item}/{$jail_settings} boot=\"on\"");
unset($output,$retval);mwexec2($cmd,$output,$retval);
if($retval == 0):
header('Location: bastille_manager_gui.php');
@@ -303,8 +335,9 @@ if($_POST):
$container['jailname'] = $_POST['jailname'];
$confirm_name = $pconfig['confirmname'];
$item = $container['jailname'];
if(exec("/usr/sbin/sysrc -f $configfile -qn {$item}_AUTO_START")):
$cmd = ("/usr/sbin/sysrc -f $configfile -x {$item}_AUTO_START");
if(exec("/usr/sbin/sysrc -f {$jail_dir}/{$item}/{$jail_settings} -qn boot")):
//$cmd = ("/usr/sbin/sysrc -f $configfile -x {$item}_AUTO_START");
$cmd = ("/usr/sbin/sysrc -f {$jail_dir}/{$item}/{$jail_settings} boot=\"off\"");
unset($output,$retval);mwexec2($cmd,$output,$retval);
if($retval == 0):
header('Location: bastille_manager_gui.php');
@@ -316,6 +349,31 @@ if($_POST):
endif;
break;
case 'priority':
// Input validation required
if(empty($input_errors)):
$container = [];
$container['uuid'] = $_POST['uuid'];
$container['jailname'] = $_POST['jailname'];
$set_priority = $pconfig['prioritynumber'];
$item = $container['jailname'];
if(exec("/usr/sbin/sysrc -f {$jail_dir}/{$item}/{$jail_settings} -qn priority")):
if (is_numeric($set_priority)):
$cmd = ("/usr/local/bin/bastille config {$item} set priority {$set_priority}");
unset($output,$retval);mwexec2($cmd,$output,$retval);
if($retval == 0):
header('Location: bastille_manager_gui.php');
exit;
else:
$input_errors[] = gtext("Failed to set priority.");
endif;
else:
$input_errors[] = gtext("Priority value must be a number.");
endif;
endif;
endif;
break;
case 'fstab':
// Input validation not required
if(empty($input_errors)):
@@ -376,7 +434,7 @@ if($_POST):
break;
case 'delete':
// Delete a contained
// Delete a container
if(empty($input_errors)):
$container = [];
$container['uuid'] = $_POST['uuid'];
@@ -390,9 +448,9 @@ if($_POST):
break;
else:
if (isset($_POST['nowstop'])):
$cmd = ("/usr/local/bin/bastille destroy -f {$item}");
$cmd = ("/usr/local/bin/bastille destroy -afy {$item}");
else:
$cmd = ("/usr/local/bin/bastille destroy {$item}");
$cmd = ("/usr/local/bin/bastille destroy -fy {$item}");
endif;
unset($output,$retval);mwexec2($cmd,$output,$retval);
if($retval == 0):
@@ -439,6 +497,8 @@ function action_change() {
showElementById('release_tr','hide');
showElementById('update_base_tr','hide');
showElementById('update_jail_tr','hide');
showElementById('update_base_force_tr', 'hide');
showElementById('update_jail_force_tr', 'hide');
showElementById('newname_tr', 'hide');
showElementById('newipaddr_tr', 'hide');
showElementById('clonestop_tr', 'hide');
@@ -447,15 +507,15 @@ function action_change() {
showElementById('backup_tr', 'hide');
showElementById('format_tr', 'hide');
showElementById('safemode_tr', 'hide');
//showElementById('dateadd_tr','hide');
showElementById('livemode_tr', 'hide');
showElementById('prioritynumber_tr','hide');
var action = document.iform.action.value;
switch (action) {
case "backup":
showElementById('confirmname_tr','hide');
showElementById('nowstop_tr','hide');
showElementById('backup_tr', 'show');
showElementById('format_tr', 'show');
showElementById('safemode_tr', 'show');
showElementById('livemode_tr', 'show');
break;
case "clone":
showElementById('newname_tr','show');
@@ -463,30 +523,25 @@ function action_change() {
showElementById('clonestop_tr','show');
break;
case "update":
showElementById('confirmname_tr','hide');
showElementById('nowstop_tr','hide');
showElementById('update_base_tr','show');
showElementById('update_jail_tr','show');
showElementById('update_base_force_tr', 'show');
showElementById('update_jail_force_tr', 'show');
break;
case "base":
showElementById('confirmname_tr','hide');
showElementById('nowstop_tr','hide');
showElementById('jail_release_tr', 'show');
showElementById('release_tr','show');
break;
case "autoboot":
showElementById('confirmname_tr','hide');
showElementById('nowstop_tr','hide');
showElementById('auto_boot_tr', 'show');
break;
case "noauto":
showElementById('confirmname_tr','hide');
showElementById('nowstop_tr','hide');
showElementById('no_autoboot_tr', 'show');
break;
case "priority":
showElementById('prioritynumber_tr','show');
break;
case "fstab":
showElementById('confirmname_tr','hide');
showElementById('nowstop_tr','hide');
showElementById('source_path_tr','show');
showElementById('target_path_tr','show');
showElementById('path_check_tr','show');
@@ -499,8 +554,6 @@ function action_change() {
showElementById('nowstop_tr','show');
break;
case "advanced":
showElementById('confirmname_tr','hide');
showElementById('nowstop_tr','hide');
showElementById('advanced_tr','show');
break;
default:
@@ -548,6 +601,7 @@ $document->render();
</thead>
<tbody>
<?php
$b_action = $l_release;
#$current_release = exec("/usr/sbin/jexec {$pconfig['jailname']} freebsd-version 2>/dev/null");
$current_release = "";
@@ -575,6 +629,7 @@ $document->render();
'base' => gettext('Release'),
'autoboot' => gettext('Autoboot'),
'noauto' => gettext('Noauto'),
'priority' => gettext('Priority'),
'fstab' => gettext('Fstab'),
'delete' => gettext('Destroy'),
'advanced' => gettext('Advanced'),
@@ -587,47 +642,56 @@ $document->render();
'raw' => gettext('RAW'),
'tgz' => gettext('TGZ'),
'txz' => gettext('TXZ'),
'tzst' => gettext('TZST'),
'xz' => gettext('XZ'),
'zst' => gettext('ZST'),
];
else:
$c_action = [
'default' => gettext('Default'),
'tgz' => gettext('TGZ'),
'txz' => gettext('TXZ'),
'tzst' => gettext('TZST'),
];
endif;
html_combobox2('action',gettext('Action'),!empty($pconfig['action']),$a_action,'',true,false,'action_change()');
html_combobox2('format',gettext('Archive format'),!empty($pconfig['format']),$c_action,'',true,false);
if ($zfs_activated == "YES"):
html_checkbox2('safemode',gettext('Safe ZFS export'),!empty($pconfig['safemode']) ? true : false,gettext('Safely stop and start a ZFS jail before the exporting process, this has no effect on .TGZ/TXZ since the jail should be stopped regardless.'),'',false);
html_checkbox2('safemode',gettext('Safe Jail export'),!empty($pconfig['safemode']) ? true : false,gettext('Safely stop and start the jail before the exporting process.'),'',false);
html_checkbox2('livemode',gettext('Live ZFS export'),!empty($pconfig['livemode']) ? true : false,gettext('Export a running ZFS jail, safe export overrides this option, this has no effect on .TGZ/TXZ/TZST since the jail should be stopped regardless.'),'',false);
else:
html_checkbox2('safemode',gettext('Safe Jail export'),!empty($pconfig['safemode']) ? true : false,gettext('Safely stop and start the jail before the exporting process.'),'',false);
endif;
html_inputbox2('confirmname',gettext('Enter name for confirmation'),!empty($pconfig['confirmname']),'',true,30);
html_inputbox2('prioritynumber',gettext('Enter priority value'),!empty($pconfig['prioritynumber']),'',true,30);
html_checkbox2('nowstop',gettext('Stop container'),!empty($pconfig['nowstop']) ? true : false,gettext('Stop the container if running before deletion.'),'',false);
html_inputbox2('newname',gettext('Enter a name for the new container'),!empty($pconfig['newname']),'',true,30);
html_inputbox2('newipaddr',gettext('Enter a IP address for the new container'),!empty($pconfig['newipaddr']),'',true,30);
html_checkbox2('clonestop',gettext('Stop container'),!empty($pconfig['clonestop']) ? true : false,gettext('Stop the container if running before cloning, mandatory on UFS filesystem.'),'',false);
html_filechooser("source_path",gtext("Source Data Directory"),!empty($pconfig['source_path']), gtext("Source data directory to be shared, full path here, if the path contain spaces they will be automatically escaped with the ASCII \"\\040\" octal code."), !empty($source_path), false, 60);
html_filechooser("target_path",gtext("Target Data Directory"),!empty($pconfig['target_path']), gtext("Target data directory to be mapped, full path to jail here, if the path contain spaces they will be automatically escaped with the ASCII \"\\040\" octal code."), !empty($target_path), false, 60);
html_checkbox2("path_check", gettext("Source/Target path check"),!empty($pconfig['path_check']) ? true : false, gettext("If this option is selected no examination of the source/target directory paths will be performed."), "<b><font color='red'>".gettext("Please use this option only if you know what you are doing here!")."</font></b>", false);
html_checkbox2('advanced',gettext('Advanced jail configuration Files'),!empty($pconfig['advanced']) ? true : false,gettext('I want to edit the jail files manually, Warning: It is recommended to stop the jail before config edit to prevent issues.'),'',true);
html_filechooser("target_path",gtext("Target Data Directory"),!empty($pconfig['target_path']), gtext("Target data directory to be mapped, full path to jail here, if the path contain spaces they will be automatically escaped with the ASCII \"\\040\" octal code."), !empty($target_path), false, 60);
html_checkbox2("path_check", gettext("Source/Target path check"),!empty($pconfig['path_check']) ? true : false, gettext("If this option is selected no examination of the source/target directory paths will be performed."), "<b><font color='red'>".gettext("Please use this option only if you know what you are doing here!")."</font></b>", false);
html_checkbox2('advanced',gettext('Advanced jail configuration Files'),!empty($pconfig['advanced']) ? true : false,gettext('I want to edit the jail files manually, Warning: It is recommended to stop the jail before editing the config to prevent issues.'),'',true);
html_checkbox2('readonly',gettext('Read-Only Mode'),!empty($pconfig['readonly']) ? true : false,gettext('Set target directory in Read-Only mode.'),'',true);
html_checkbox2('automount',gettext('Auto-mount Nullfs'),!empty($pconfig['automount']) ? true : false,gettext('Auto-mount the nullfs mountpoint if the container is already running.'),'',true);
html_checkbox2('createdir',gettext('Create Target Directory'),!empty($pconfig['createdir']) ? true : true,gettext('Create target directory if missing (recommended).'),'',true);
if ($is_thinjail):
html_checkbox2('update_base',gettext('Base update confirm'),!empty($pconfig['update_base']) ? true : false,gettext('This is a thin container, therefore the base release will be updated, this affects child containers.'),'',true);
//html_checkbox2('update_base',gettext('Base update confirm'),!empty($pconfig['update_base']) ? true : false,gettext('This is a thin container, therefore the base release will be updated, this affects child containers.'),'',true);
//html_checkbox2('update_base_force',gettext('Base update force confirm:'),!empty($pconfig['update_base']) ? true : false,gettext('This will perform a forced base update, this affects child containers.'),'',true);
html_text2('update_base',gettext('Container Update'),htmlspecialchars("This is a thin container, the host is missing some core components to manage updates on this containers, therefore this containers has to be manually upgraded from the command-line."));
else:
html_checkbox2('update_jail',gettext('Container update confirm:'),!empty($pconfig['update_jail']) ? true : false,gettext('This is a thick container, therefore the update will be performed within its root, current containers are not affected.'),'',true);
html_checkbox2('update_jail_force',gettext('Container update force confirm:'),!empty($pconfig['update_jail']) ? true : false,gettext('This will perform a forced jail update, current containers are not affected.'),'',true);
endif;
html_text2('jail_release',gettext('Current base release:'),htmlspecialchars($current_release));
html_text2('auto_boot',gettext('Enable container auto-startup'),htmlspecialchars("This will cause the container to automatically start each time the system restart."));
html_text2('no_autoboot',gettext('Disable container auto-startup'),htmlspecialchars("This will disable the container automatic startup."));
html_text2('backup',gettext('Export container'),htmlspecialchars("This will export a container to a compressed file/image, please execute `bastille export` for more info in regards exporting formats, Default is .XZ on ZFS setups or .TXZ otherwise, For faster compressed backups consider .GZ/.TGZ."));
html_text2('backup',gettext('Export container'),htmlspecialchars("This will export a container to a compressed file/image, please execute `bastille export` for more info in regards exporting formats, Default is .XZ on ZFS setups or .TXZ otherwise, For faster compressed backups consider .ZST/.TZST or .GZ/.TGZ"));
if ($disable_base_change == "no"):
html_combobox2('release',gettext('New base release'),!empty($pconfig['release']),$b_action,gettext("Warning: This will change current shared base to the selected base on the thin container only, the user is responsible for package updates and/or general incompatibilities issues, or use the command line for native upgrade."),true,false,);
endif;
//html_checkbox2('dateadd',gettext('Date'),!empty($pconfig['dateadd']) ? true : false,gettext('Append the date in the following format: ITEM-XXXX-XX-XX-XXXXXX.'),'',false);
?>
</tbody>
</table>

58
gui/css/bastille-header-refresh.css Normal file
View File

@@ -0,0 +1,58 @@
/* bastille_manager.css
Estilo NATIVO (Minimalista)
*/
#refresh-controls {
/* Fondo transparente y sin bordes para integrarse con el tema */
background: transparent;
border: none;
padding: 10px 0;
margin-bottom: 5px;
/* Alineación a la derecha */
display: flex;
justify-content: flex-end;
align-items: center;
gap: 15px;
/* Fuente estándar del sistema */
font-size: 13px;
color: inherit;
}
#refresh-status {
/* Color de texto por defecto del tema (negro/gris) */
color: inherit;
margin-right: 5px;
/* Coloca el texto a la izquierda de los botones */
order: -1;
}
/* Pequeño spinner azul discreto solo cuando actualiza */
#refresh-status.updating .refresh-spinner {
display: inline-block;
width: 10px;
height: 10px;
border: 2px solid #ccc;
border-top-color: #007bff;
border-radius: 50%;
animation: spin 1s linear infinite;
margin-right: 5px;
}
/* Animación del spinner */
@keyframes spin {
to { transform: rotate(360deg); }
}
/* Asegurar que los iconos de la tabla estén centrados verticalmente */
.area_data_selection tbody td img {
vertical-align: middle;
}
/* Centrado perfecto para los checkboxes */
.lcelc {
text-align: center;
vertical-align: middle;
}

181
unionfs.sh Executable file → Normal file
View File

@@ -10,7 +10,7 @@
# Debug script
#set -x
# Copyright (c) 2019-2024, José Rivera (joserprg@gmail.com).
# Copyright (c) 2019-2026, José Rivera (joserprg@gmail.com).
# All rights reserved.
# Redistribution and use in source and binary forms, with or without
@@ -51,20 +51,9 @@ error_notify() {
# Log/notify message on error and exit.
MSG="${*}"
logger -t "${SCRIPTNAME}" "${MSG}"
echo -e "${MSG}" >&2; exit 1
}
platform_check()
{
# Check for working platform.
if [ "${PRDPLATFORM}" = "x64-embedded" ]; then
pkg_symlink
else
if [ -d "/var/cache/pkg" ]; then
echo "Cleaning the pkg cache."
pkg clean -y -a
fi
fi
echo -e "${MSG}" >&2
posterror_exec
exit 1
}
load_kmods() {
@@ -79,7 +68,7 @@ load_kmods() {
# Skip already loaded known modules.
for _req_kmod in ${required_mods}; do
if ! sysrc -f /boot/loader.conf -qn ${_req_kmod}_load=YES | grep -q "YES"; then
if ! sysrc -f /boot/loader.conf -qc ${_req_kmod}_load=YES; then
sysrc -f /boot/loader.conf ${_req_kmod}_load=YES
fi
if ! kldstat -m ${_req_kmod} >/dev/null 2>&1; then
@@ -95,66 +84,95 @@ load_kmods() {
kldload -v ${_lin_kmod}
fi
done
if ! sysrc -qn linux_enable=YES | grep -q "YES"; then
if ! sysrc -qc linux_enable=YES; then
sysrc linux_enable=YES
fi
}
pkg_symlink() {
if ! sysrc -f ${CWDIR}${EXTCONF} -qn LINUX_COMPAT_SUPPORT | grep -q "YES"; then
echo "Creating pkg environment for embedded platforms."
unload_kmods() {
required_mods="fdescfs linprocfs linsysfs tmpfs"
linuxarc_mods="linux linux64"
if [ -d "/var/cache/pkg" ]; then
if [ ! -L "/var/cache/pkg" ]; then
rm -R /var/cache/pkg
mkdir -p ${CWDIR}/system/cache/pkg
ln -vFs ${CWDIR}/system/cache/pkg /var/cache/pkg
fi
else
mkdir -m 0755 -p /var/cache
mkdir -p ${CWDIR}/system/cache/pkg
ln -vFs ${CWDIR}/system/cache/pkg /var/cache/pkg
for _req_kmod in ${required_mods}; do
if sysrc -f /boot/loader.conf -qc ${_req_kmod}_load=YES; then
echo "Unset kernel module: ${_req_kmod}"
sysrc -f /boot/loader.conf -x ${_req_kmod}_load
fi
done
if [ -d "/var/db/pkg" ]; then
if [ ! -L "/var/db/pkg" ]; then
rm -R /var/db/pkg
mkdir -p ${CWDIR}/system/pkg/db
ln -vFs ${CWDIR}/system/pkg/db /var/db/pkg
fi
else
mkdir -p ${CWDIR}/system/pkg/db
ln -vFs ${CWDIR}/system/pkg/db /var/db/pkg
fi
if sysrc -qc linux_enable=YES; then
echo "Unset linux_enable"
sysrc -x linux_enable
fi
}
posterror_exec() {
# Commands to be executed post errors.
unionfs_disable
# Clean for stale pkg.
if [ -d "${CWDIR}/system/All" ]; then
rm -r ${CWDIR}/system/All
fi
}
unionfs_disable() {
# Check and disable uniofs mounts on error.
unionfs_pkgoff
unionfs_off
}
unionfs_pkgon() {
if ! df | grep -q "${CWDIR}/system/var/db/pkg"; then
echo "Enabling UnionFS for ${CWDIR}/system/var/db/pkg."
mount_unionfs -o avobe ${CWDIR}/system/var/db/pkg /var/db/pkg
fi
}
unionfs_pkgoff() {
if df | grep -q "${CWDIR}/system/var/db/pkg"; then
echo "Disabling UnionFS for ${CWDIR}/system/var/db/pkg."
umount -f /var/db/pkg
fi
}
fetch_cmd() {
PKG_LIST="debootstrap debian-keyring"
pkg fetch -y -d -o ${CWDIR}/system/ ${PKG_LIST}
}
fetch_pkg() {
if ! sysrc -f ${CWDIR}${EXTCONF} -qn LINUX_COMPAT_SUPPORT | grep -q "YES"; then
echo "Fetching required packages."
if [ ! -d "/var/db/pkg" ]; then
mkdir -p "/var/db/pkg"
fi
if [ ! -d "${CWDIR}/system/var/db/pkg" ]; then
mkdir -p ${CWDIR}/system/var/db/pkg
fi
# Skip existing packages/ports bundled with XigmaNAS.
#PKGLIST="#bash #ca_root_nss debootstrap #gettext-runtime glib gmp gnugrep gnugpg gnutls #indexinfo libassuan #libedit #libffi libgcrypt libgpg-error #libiconv libidn2 libksba libtasn1 libunistring libxml2 mpdecimal nettle npth p11-kit #pcre perl5 pinentry pinentry-curses #python38 #readline #sqlite3 tpm-emulator #trousers ubuntu-keyring wget"
PKGLIST="debootstrap glib gmp gnugrep gnupg gnutls libassuan libgcrypt libgpg-error libidn2 libksba libtasn1 libunistring libxml2 mpdecimal nettle npth p11-kit perl5 pinentry pinentry-curses tpm-emulator ubuntu-keyring wget"
trap "unionfs_pkgoff" 0 1 2 5 15
unionfs_pkgon
for pkg in ${PKGLIST}; do
pkg fetch -y "${pkg}" || error_notify "Error while fetching required [${pkg}] package, exiting."
done
echo "Fetching required packages."
# Fetch deboostrap and dependency packages.
fetch_cmd || echo "Cleaning addon stale pkg db and retry..."
rm -rf ${CWDIR}/system/var/db/pkg/*
fetch_cmd || error_notify "Error while fetching packages, exiting."
echo "Done."
extract_pkg
unionfs_pkgoff
extract_pkg
}
fetch_debootstrap() {
if ! sysrc -f ${CWDIR}${EXTCONF} -qc LINUX_COMPAT_SUPPORT=YES; then
fetch_pkg
fi
}
extract_pkg() {
echo "Extracting required packages."
if [ "${PRDPLATFORM}" = "x64-embedded" ]; then
FILELIST=$(find "${CWDIR}/system/cache/pkg" -type f)
LINKLIST=$(find "${CWDIR}/system/cache/pkg" -type l)
else
FILELIST=$(find "/var/cache/pkg" -type f)
LINKLIST=$(find "/var/cache/pkg" -type l)
fi
FILELIST=$(find "${CWDIR}/system/All" -type f)
for item in ${FILELIST}; do
if [ -f "${item}" ]; then
@@ -163,59 +181,68 @@ extract_pkg() {
fi
done
# Clean leftovers pkg symlinks
if [ "${PRDPLATFORM}" = "x64-embedded" ]; then
for item in ${LINKLIST}; do
if [ -L "${item}" ]; then
rm -rf ${item}
fi
done
else
echo "Cleaning the pkg cache."
pkg clean -y -a
if [ -d "${CWDIR}/system/All" ]; then
rm -r ${CWDIR}/system/All
fi
if [ ! -d "${CWDIR}/templates" ]; then
mkdir -p ${CWDIR}/templates
fi
if [ ! -d "${CWDIR}/system/var/run" ]; then
mkdir -p ${CWDIR}/system/var/run
fi
echo "Done."
}
unionfs_on() {
if ! df | grep -q "${CWDIR}/system/usr/local"; then
echo "Enabling UnionFS mount for ${CWDIR}/system/usr/local."
mount_unionfs -o below ${CWDIR}/system/usr/local /usr/local
echo "Enabling UnionFS for ${CWDIR}/system/usr/local."
mount_unionfs -o above ${CWDIR}/system/usr/local /usr/local
fi
if ! df | grep -q "${CWDIR}/system/var/run"; then
echo "Enabling UnionFS mount for ${CWDIR}/system/var/run."
mount_unionfs -o below ${CWDIR}/system/var/run /var/run
echo "Enabling UnionFS for ${CWDIR}/system/var/run."
mount_unionfs -o avobe ${CWDIR}/system/var/run /var/run
fi
}
unionfs_off() {
if df | grep -q "${CWDIR}/system/usr/local"; then
echo "Disabling UnionFS mounts for ${CWDIR}/system/usr/local."
echo "Disabling UnionFS for ${CWDIR}/system/usr/local."
umount -f /usr/local
fi
if df | grep -q "${CWDIR}/system/var/run"; then
echo "Disabling UnionFS mounts for ${CWDIR}/system/var/run."
echo "Disabling UnionFS for ${CWDIR}/system/var/run."
umount -f /var/run
fi
}
update_debootstrap() {
echo "Updating debootstrap..."
unionfs_off
fetch_pkg
}
case "${1}" in
fetch_pkg)
platform_check
fetch_pkg
fetch_debootstrap)
fetch_debootstrap
;;
load_kmods)
load_kmods
;;
unload_kmods)
unload_kmods
;;
unionfs_on)
unionfs_on
;;
unionfs_off)
unionfs_off
;;
update_debootstrap)
update_debootstrap
;;
esac

2
version
View File

@@ -1 +1 @@
1.1.39
1.4.04