From 75d95ac53ce764081c26d17524920f274f7dec81 Mon Sep 17 00:00:00 2001
From: foudil
Date: Sun, 3 Nov 2024 10:36:50 +0100
Subject: [PATCH] fix bastille0 ip6 support
---
 usr/local/share/bastille/rdr.sh | 4 ++--
 usr/local/share/bastille/start.sh | 18 +++++++++++-------
 usr/local/share/bastille/stop.sh | 13 ++++++++-----
 3 files changed, 21 insertions(+), 14 deletions(-)
diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh
index 74279304..3324a10c 100644
--- a/usr/local/share/bastille/rdr.sh
+++ b/usr/local/share/bastille/rdr.sh
@@ -120,7 +120,7 @@ load_rdr_rule() {
 | pfctl -a "rdr/${JAIL_NAME}" -f-
 if [ -n "$JAIL_IP6" ]; then
 ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
-          printf '%s\nrdr pass on $%s inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "${bastille_network_pf_ext_if}" "$1" "$2" "$JAIL_IP6" "$3" ) \
+          printf '%s\nrdr pass on $%s inet6 proto %s to port %s -> %s port %s\n' "$EXT_IF" "${bastille_network_pf_ext_if}" "$1" "$2" "$JAIL_IP6" "$3" ) \
 | pfctl -a "rdr/${JAIL_NAME}" -f-
 fi
 }
@@ -135,7 +135,7 @@ log=$@
 | pfctl -a "rdr/${JAIL_NAME}" -f-
 if [ -n "$JAIL_IP6" ]; then
 ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
-          printf '%s\nrdr pass %s on $%s inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "$log" "${bastille_network_pf_ext_if}" "$proto" "$host_port" "$JAIL_IP6" "$jail_port" ) \
+          printf '%s\nrdr pass %s on $%s inet6 proto %s to port %s -> %s port %s\n' "$EXT_IF" "$log" "${bastille_network_pf_ext_if}" "$proto" "$host_port" "$JAIL_IP6" "$jail_port" ) \
 | pfctl -a "rdr/${JAIL_NAME}" -f-
 fi
diff --git a/usr/local/share/bastille/start.sh b/usr/local/share/bastille/start.sh
index f9e5a180..2ef42642 100644
--- a/usr/local/share/bastille/start.sh
+++ b/usr/local/share/bastille/start.sh
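Review bot: The IPv6 rule on the new `+ printf` line of the second hunk still pastes `$log`, `$proto`, `$host_port` and `$jail_port` verbatim into the text piped to `pfctl -a "rdr/${JAIL_NAME}" -f-`, and the hunk header shows `log=$@`, so whatever the caller passes after the ports becomes rule tokens in that anchor; a stray value with whitespace or a newline is parsed as additional rule text rather than rejected. If these values are validated before this point (not visible in this hunk), a one-line comment such as `## $log/$proto/$host_port/$jail_port are validated by the caller; the rule text is built verbatim` would document that; otherwise restricting `log` to the literal `log` keyword, `proto` to tcp/udp and the ports to integers before the printf would keep a typo from rewriting the anchor. The same applies to `$1`/`$2`/`$3` in the `load_rdr_rule` hunk above. The enclosing function of the second hunk starts outside the hunk.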
@@ -78,16 +78,20 @@ for _jail in ${JAILS}; do
 fi
 fi
- ## warn if matching configured (but not online) ip4.addr, ignore if there's no ip4.addr entry
- ip=$(bastille config "${_jail}" get ip4.addr)
- if [ -n "${ip}" ]; then
+ ## warn if matching configured (but not online) ipX.addr, ignore if there's no ipX.addr entry
+ ips=$(bastille config "${_jail}" get ip4.addr)
+ ips="${ips} $(bastille config "${_jail}" get ip6.addr)"
+ for ip in ${ips}; do
+ ip=$(printf "$ip" | sed -E 's,/[0-9]+,,')
+ if [ -n "${ip}" ]; then
 if ifconfig | grep -wF "${ip}" >/dev/null; then
- error_notify "Error: IP address (${ip}) already in use."
- continue
+ error_notify "Error: IP address (${ip}) already in use."
+ continue
 fi
- ## add ip4.addr to firewall table
+ ## add ipX.addr to firewall table
 pfctl -q -t "${bastille_network_pf_table}" -T add "${ip}"
- fi
+ fi
+ done
 ## start the container
 info "[${_jail}]:"
diff --git a/usr/local/share/bastille/stop.sh b/usr/local/share/bastille/stop.sh
index 49cec54d..7c3d8f75 100644
--- a/usr/local/share/bastille/stop.sh
+++ b/usr/local/share/bastille/stop.sh
@@ -51,8 +51,9 @@ bastille_root_check
 for _jail in ${JAILS}; do
 ## test if running
 if [ "$(/usr/sbin/jls name | awk "/^${_jail}$/")" ]; then
- ## Capture ip4.addr address while still running
- _ip="$(/usr/sbin/jls -j ${_jail} ip4.addr)"
+ ## Capture ipX.addr address while still running
+ ips="$(/usr/sbin/jls -j ${_jail} ip4.addr)"
+ ips="${ips} $(/usr/sbin/jls -j ${_jail} ip6.addr)"
 # Check if pfctl is present
 if which -s pfctl; then
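Review bot: Wrapping the address check in `for ip in ${ips}; do … done` changes what the existing `continue` after `error_notify "Error: IP address (${ip}) already in use."` does: it used to skip the whole jail in the outer `for _jail` loop, but it now only advances to the next address, so the "already in use" error is printed and the jail is started anyway at `## start the container`, with any earlier addresses already added to the pf table. The conflict needs to be remembered across the inner loop and turned into an outer `continue` after `done`. Separately, `ip=$(printf "$ip" | …)` uses the config value as the printf format string; `printf '%s' "${ip}"` avoids `%` and backslash interpretation, and the sed only strips a prefix length, so anything else in the configured value (an interface qualifier, for instance, if this config field allows one — worth confirming) reaches `pfctl -T add` verbatim. The enclosing `for _jail` loop starts and ends outside the hunk.
```shell
    ips=$(bastille config "${_jail}" get ip4.addr)
    ips="${ips} $(bastille config "${_jail}" get ip6.addr)"
    _ip_conflict=0
    for ip in ${ips}; do
        ## strip an optional /prefix; use '%s' so the value is never a format string
        ip=$(printf '%s' "${ip}" | sed -E 's,/[0-9]+,,')
        if [ -n "${ip}" ]; then
            if ifconfig | grep -wF "${ip}" >/dev/null; then
                error_notify "Error: IP address (${ip}) already in use."
                _ip_conflict=1
                break
            fi
            ## add ipX.addr to firewall table
            pfctl -q -t "${bastille_network_pf_table}" -T add "${ip}"
        fi
    done
    ## 'continue' inside the for-ip loop only skips one address; skip the jail here
    if [ "${_ip_conflict}" -ne 0 ]; then
        continue
    fi
    # … unchanged: start the container …
```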
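Review bot: The new `ips` variable in the stop.sh hunk drops the `_` prefix this file uses for its loop state (`_jail`, and the `_ip` it replaces), and it is assigned at script scope; renaming it `_ips` keeps the convention, e.g. `_ips="$(/usr/sbin/jls -j ${_jail} ip4.addr)"` and `_ips="${_ips} $(/usr/sbin/jls -j ${_jail} ip6.addr)"`. The value of the second `jls` call for a jail that has no ip6.addr is not visible here; if jls prints a placeholder rather than nothing for an unset parameter, it is appended to the list and later handed to `pfctl -T delete` — worth confirming. The enclosing `for _jail` loop ends outside the hunk.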
@@ -72,10 +73,12 @@ for _jail in ${JAILS}; do
 info "[${_jail}]:"
 jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r "${_jail}"
- ## remove (captured above) ip4.addr from firewall table
- if [ -n "${bastille_network_loopback}" ] && [ ! -z "${_ip}" ]; then
+ ## remove (captured above) ipX.addr from firewall table
+ if [ -n "${bastille_network_loopback}" && ! -z "${ips}" ]; then
 if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then
- pfctl -q -t "${bastille_network_pf_table}" -T delete "${_ip}"
+ for _ip in ${ips}; do
+ pfctl -q -t "${bastille_network_pf_table}" -T delete "${_ip}"
+ done
 fi
 fi
 fi
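Review bot: `if [ -n "${bastille_network_loopback}" && ! -z "${ips}" ]; then` is not valid test(1) syntax: `&&` is a shell operator, so the shell runs `[ -n "${bastille_network_loopback}"` (which fails with a missing `]`) and short-circuits, making the condition always false, so the new `for _ip in ${ips}` delete loop never runs and a stopped jail's addresses remain in the `${bastille_network_pf_table}` table, where any pf rule keyed on that table keeps matching them. The removed line had the correct form; restore it as `if [ -n "${bastille_network_loopback}" ] && [ -n "${ips}" ]; then`. Also, `for _ip in ${ips}` only splits on whitespace, so if jls reports several addresses as one comma-separated field (not visible here) the whole field would be passed to `pfctl -T delete` as a single argument — worth confirming. The enclosing `for _jail` loop starts outside the hunk.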