

Allow starting jails with ip[46] set to inherit
Either ip4 or ip6, or both, can be set to inherit. For example, I have used the
following config:

```
  interface = vtnet0;
  ip4 = inherit;
  ip6 = new;
  ip6.addr = 2a01:xxxx:xxxx:xxx::1;
```
cqexbesd committed Jul 24, 2022
1 parent 21a0ce7 commit 9332d32
Showing 1 changed file with 35 additions and 15 deletions.
50 changes: 35 additions & 15 deletions usr/local/share/bastille/start.sh
Expand Up @@ -35,6 +35,21 @@ usage() {
error_exit "Usage: bastille start TARGET"
}

# indicate if an IP configurtaion value (e.g. a value given for ip4 or ip6)
# requires extra configuration external to the jail
#
# success if it does, failure if it does not
ip_require_config() {

case "${1}" in
disable|inherit|"not set")
return 1
;;
esac

return 0
}

# Handle special-case commands first.
case "$1" in
help|-h|--help)
Expand Down Expand Up @@ -67,24 +82,29 @@ for _jail in ${JAILS}; do

## test if not running
elif [ ! "$(/usr/sbin/jls name | awk "/^${_jail}$/")" ]; then
# Verify that the configured interface exists. -- cwells
if [ "$(bastille config $_jail get vnet)" != 'enabled' ]; then
_interface=$(bastille config $_jail get interface)
if ! ifconfig | grep "^${_interface}:" >/dev/null; then
error_notify "Error: ${_interface} interface does not exist."
continue
## if networking is entirely inherited we can skip any setup
_ip4=$(bastille config $_jail get ip4)
_ip6=$(bastille config $_jail get ip6)
if ip_require_config "${_ip4}" || ip_require_config "${_ip6}"; then
# Verify that the configured interface exists. -- cwells
if [ "$(bastille config $_jail get vnet)" != 'enabled' ]; then
_interface=$(bastille config $_jail get interface)
if ! ifconfig | grep "^${_interface}:" >/dev/null; then
error_notify "Error: ${_interface} interface does not exist."
continue
fi
fi
fi

## warn if matching configured (but not online) ip4.addr, ignore if there's no ip4.addr entry
ip=$(grep 'ip4.addr' "${bastille_jailsdir}/${_jail}/jail.conf" | awk '{print $3}' | sed 's/\;//g')
if [ -n "${ip}" ]; then
if ifconfig | grep -w "${ip}" >/dev/null; then
error_notify "Error: IP address (${ip}) already in use."
continue
## warn if matching configured (but not online) ip4.addr, ignore if there's no ip4.addr entry
ip=$(grep 'ip4.addr' "${bastille_jailsdir}/${_jail}/jail.conf" | awk '{print $3}' | sed 's/\;//g')
if [ -n "${ip}" ]; then
if ifconfig | grep -w "${ip}" >/dev/null; then
error_notify "Error: IP address (${ip}) already in use."
continue
fi
## add ip4.addr to firewall table:jails
pfctl -q -t jails -T add "${ip}"
fi
## add ip4.addr to firewall table:jails
pfctl -q -t jails -T add "${ip}"
fi

## start the container
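Review bot: Treating `not set` as "no configuration required" in ip_require_config (first hunk) lets the gate added in the second hunk skip the interface check, the address-in-use check and the `pfctl -q -t jails -T add` for jails whose jail.conf carries an ip4.addr line but no explicit `ip4 = new;` — jail(8) treats a set ip4.addr as implying `ip4 = new`, so such jails passed those checks before this commit and now start without their address being added to the `jails` pf table. This assumes `bastille config ... get` prints `not set` for an absent key, which is the string the case arm matches; please confirm. A narrower gate keeps the commit's own use case (ip4 = inherit with ip6 absent) while preserving the old behaviour for implicit-new jails, for example by upgrading `not set` to `new` when the matching addr entry exists before calling ip_require_config, as sketched below. The enclosing `for _jail in ${JAILS}` loop starts before this hunk; the header comment above ip_require_config also misspells `configuration`.
```shell
        _ip4=$(bastille config $_jail get ip4)
        _ip6=$(bastille config $_jail get ip6)
        ## jail(8): an ip4.addr/ip6.addr entry implies ip4/ip6 = new when the family is not set explicitly
        if [ "${_ip4}" = "not set" ] && grep -q 'ip4.addr' "${bastille_jailsdir}/${_jail}/jail.conf"; then
            _ip4=new
        fi
        if [ "${_ip6}" = "not set" ] && grep -q 'ip6.addr' "${bastille_jailsdir}/${_jail}/jail.conf"; then
            _ip6=new
        fi
        if ip_require_config "${_ip4}" || ip_require_config "${_ip6}"; then
            # … unchanged: interface existence, address-in-use and pf table checks …
```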
