From 39fab861f0e5a890d09020e661c29c765fbad343 Mon Sep 17 00:00:00 2001 From: foudil Date: Sun, 3 Nov 2024 10:36:50 +0100 Subject: [PATCH 1/3] fix bastille0 ip6 support --- usr/local/share/bastille/rdr.sh | 4 ++-- usr/local/share/bastille/start.sh | 18 +++++++++++------- usr/local/share/bastille/stop.sh | 13 ++++++++----- 3 files changed, 21 insertions(+), 14 deletions(-) diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh index 63df7839..9c030999 100644 --- a/usr/local/share/bastille/rdr.sh +++ b/usr/local/share/bastille/rdr.sh @@ -120,7 +120,7 @@ load_rdr_rule() { | pfctl -a "rdr/${JAIL_NAME}" -f- if [ -n "$JAIL_IP6" ]; then ( pfctl -a "rdr/${JAIL_NAME}" -Psn 2>/dev/null; - printf '%s\nrdr pass on $%s inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "${bastille_network_pf_ext_if}" "$1" "$2" "$JAIL_IP6" "$3" ) \ + printf '%s\nrdr pass on $%s inet6 proto %s to port %s -> %s port %s\n' "$EXT_IF" "${bastille_network_pf_ext_if}" "$1" "$2" "$JAIL_IP6" "$3" ) \ | pfctl -a "rdr/${JAIL_NAME}" -f- fi } @@ -135,7 +135,7 @@ log=$@ | pfctl -a "rdr/${JAIL_NAME}" -f- if [ -n "$JAIL_IP6" ]; then ( pfctl -a "rdr/${JAIL_NAME}" -Psn 2>/dev/null; - printf '%s\nrdr pass %s on $%s inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "$log" "${bastille_network_pf_ext_if}" "$proto" "$host_port" "$JAIL_IP6" "$jail_port" ) \ + printf '%s\nrdr pass %s on $%s inet6 proto %s to port %s -> %s port %s\n' "$EXT_IF" "$log" "${bastille_network_pf_ext_if}" "$proto" "$host_port" "$JAIL_IP6" "$jail_port" ) \ | pfctl -a "rdr/${JAIL_NAME}" -f- fi diff --git a/usr/local/share/bastille/start.sh b/usr/local/share/bastille/start.sh index f9e5a180..2ef42642 100644 --- a/usr/local/share/bastille/start.sh +++ b/usr/local/share/bastille/start.sh @@ -78,16 +78,20 @@ for _jail in ${JAILS}; do fi fi - ## warn if matching configured (but not online) ip4.addr, ignore if there's no ip4.addr entry - ip=$(bastille config "${_jail}" get ip4.addr) - if [ -n "${ip}" ]; then + ## warn if matching configured (but not online) ipX.addr, ignore if there's no ipX.addr entry + ips=$(bastille config "${_jail}" get ip4.addr) + ips="${ips} $(bastille config "${_jail}" get ip6.addr)" + for ip in ${ips}; do + ip=$(printf "$ip" | sed -E 's,/[0-9]+,,') + if [ -n "${ip}" ]; then if ifconfig | grep -wF "${ip}" >/dev/null; then - error_notify "Error: IP address (${ip}) already in use." - continue + error_notify "Error: IP address (${ip}) already in use." + continue fi - ## add ip4.addr to firewall table + ## add ipX.addr to firewall table pfctl -q -t "${bastille_network_pf_table}" -T add "${ip}" - fi + fi + done ## start the container info "[${_jail}]:" diff --git a/usr/local/share/bastille/stop.sh b/usr/local/share/bastille/stop.sh index 49cec54d..7c3d8f75 100644 --- a/usr/local/share/bastille/stop.sh +++ b/usr/local/share/bastille/stop.sh @@ -51,8 +51,9 @@ bastille_root_check for _jail in ${JAILS}; do ## test if running if [ "$(/usr/sbin/jls name | awk "/^${_jail}$/")" ]; then - ## Capture ip4.addr address while still running - _ip="$(/usr/sbin/jls -j ${_jail} ip4.addr)" + ## Capture ipX.addr address while still running + ips="$(/usr/sbin/jls -j ${_jail} ip4.addr)" + ips="${ips} $(/usr/sbin/jls -j ${_jail} ip6.addr)" # Check if pfctl is present if which -s pfctl; then @@ -72,10 +73,12 @@ for _jail in ${JAILS}; do info "[${_jail}]:" jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r "${_jail}" - ## remove (captured above) ip4.addr from firewall table - if [ -n "${bastille_network_loopback}" ] && [ ! -z "${_ip}" ]; then + ## remove (captured above) ipX.addr from firewall table + if [ -n "${bastille_network_loopback}" && ! -z "${ips}" ]; then if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then - pfctl -q -t "${bastille_network_pf_table}" -T delete "${_ip}" + for _ip in ${ips}; do + pfctl -q -t "${bastille_network_pf_table}" -T delete "${_ip}" + done fi fi fi From 537a7d16b493b1d1a0699514881cabc0487fa213 Mon Sep 17 00:00:00 2001 From: foudil Date: Sun, 3 Nov 2024 11:18:50 +0100 Subject: [PATCH 2/3] Add documentation --- docs/chapters/networking.rst | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/docs/chapters/networking.rst b/docs/chapters/networking.rst index d94bf27d..23d61a06 100644 --- a/docs/chapters/networking.rst +++ b/docs/chapters/networking.rst @@ -2,8 +2,8 @@ Network Requirements ==================== Here's the scenario. You've installed Bastille at home or in the cloud and want to get started putting applications in secure little containers, but how do you -get these containers on the network? Bastille tries to be flexible about how to -network containerized applications. Four methods are described here. +get these containers on the network? Bastille tries to be flexible about how to +network containerized applications. Multiple methods are described here. 1. Home or Small Office @@ -13,6 +13,8 @@ network containerized applications. Four methods are described here. 4. Cloud with a single IPV4 (external bridge) +5. Public network + Please choose the option which is most appropriate for your environment. First a few notes. Bastille tries to verify that the interface name you provide @@ -49,7 +51,7 @@ This method is the simplest. All you need to know is the name of your network interface and a free IP on your local network. Shared Interface on IPV6 network (vultr.com) -============================================ +============================================ Some ISP's, such as `Vultr `_, give you a single ipv4 address, and a large block of ipv6 addresses. You can then assign a unique ipv6 address to each Bastille Container. @@ -72,9 +74,9 @@ Your server was assigned the following six section subnet: The `vultr ipv6 subnet calculator `_ -is helpful in making sense of that ipv6 address. +is helpful in making sense of that ipv6 address. -We could have also written that IPV6 address as 2001:19f0:6c01:114c:0:0 +We could have also written that IPV6 address as 2001:19f0:6c01:114c:0:0 Where the /64 basicaly means that the first 64 bits of the address (4x4 character hexadecimal) values define the network, and the remaining characters, @@ -126,7 +128,7 @@ host system: .. code-block:: shell ## /etc/devfs.rules (NOT .conf) - + [bastille_vnet=13] add include $devfsrules_hide_all add include $devfsrules_unhide_basic @@ -159,7 +161,7 @@ Below is the definition of what these three parameters are used for and mean: net.link.bridge.pfil_bridge Set to 1 to enable filtering on the bridge interface, set to 0 to disable it. - + **Regarding Routes** Bastille will attempt to auto-detect the default route from the host system and @@ -199,9 +201,9 @@ The bridge needs to be created/enabled before creating and starting the jail. Public Network ============== In this section we describe how to network containers in a public network -such as a cloud hosting provider who only provides you with a single ip address. -(AWS, Digital Ocean, etc) (The exception is vultr.com, which does -provide you with lots of IPV6 addresses and does a great job supporting FreeBSD!) +such as a cloud hosting provider who only provides you with a single ip address. +(AWS, Digital Ocean, etc) (The exception is vultr.com, which does +provide you with lots of IPV6 addresses and does a great job supporting FreeBSD!) So if you only have a single IP address and if you want to create multiple containers and assign them all unique IP addresses, you'll need to create a new @@ -305,3 +307,9 @@ At this point you'll likely be disconnected from the host. Reconnect the ssh session and continue. This step only needs to be done once in order to prepare the host. + +You can then create a container without specifying the interface. + +.. code-block:: shell + + bastille create tatouine 13.2-RELEASE '192.168.1.50/24 fd11:ee00:ee00::50/64' From cdba7c6760cbd1a6cfb170720deb0c194d4b002b Mon Sep 17 00:00:00 2001 From: foudil Date: Tue, 17 Dec 2024 01:30:05 +0100 Subject: [PATCH 3/3] Typo --- usr/local/share/bastille/start.sh | 2 +- usr/local/share/bastille/stop.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/start.sh b/usr/local/share/bastille/start.sh index 2ef42642..fcacddb5 100644 --- a/usr/local/share/bastille/start.sh +++ b/usr/local/share/bastille/start.sh @@ -82,7 +82,7 @@ for _jail in ${JAILS}; do ips=$(bastille config "${_jail}" get ip4.addr) ips="${ips} $(bastille config "${_jail}" get ip6.addr)" for ip in ${ips}; do - ip=$(printf "$ip" | sed -E 's,/[0-9]+,,') + ip=${ip%%/*} if [ -n "${ip}" ]; then if ifconfig | grep -wF "${ip}" >/dev/null; then error_notify "Error: IP address (${ip}) already in use." diff --git a/usr/local/share/bastille/stop.sh b/usr/local/share/bastille/stop.sh index 7c3d8f75..6b99fb77 100644 --- a/usr/local/share/bastille/stop.sh +++ b/usr/local/share/bastille/stop.sh @@ -74,7 +74,7 @@ for _jail in ${JAILS}; do jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r "${_jail}" ## remove (captured above) ipX.addr from firewall table - if [ -n "${bastille_network_loopback}" && ! -z "${ips}" ]; then + if [ -n "${bastille_network_loopback}" ] && [ ! -z "${ips}" ]; then if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then for _ip in ${ips}; do pfctl -q -t "${bastille_network_pf_table}" -T delete "${_ip}"