scip/jaildk
1
0
Fork 0
mirror of https://codeberg.org/scip/jaildk.git synced 2025-12-17 12:41:10 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #10 from Culsu/dev

Browse Source 
IPFW support
This commit is contained in:
T.v.Dein
2020-12-01 18:04:31 +01:00
committed by GitHub
parent f0690c74eb 6c544268ed
commit cc30589b1f
2 changed files with 59 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
README.md
View File

@@ -372,6 +372,18 @@ The last step is to remove the current running jail, change the version in `etc/
If there's anything wrong you can always go back to the previous version using the above steps. If there's anything wrong you can always go back to the previous version using the above steps.
## Advanced Features
Jaildk also offers some advanced features like automatically setting up and deleting ipfw rules or freezing and thawing a jail (to make it easily portable).
### Using the IPFW
To use the IPFW on your host you first have to enable ipfw in your hosts rc.conf `firewall_enable="YES"`.
You probably want to set the default firewalling-type there aswell, check out the [FreeBSD handbook](https://www.freebsd.org/doc/handbook/firewalls-ipfw.html) for further information.
Once enabled you also need to start ipfw by executing the rc script: `/etc/rc.d/ipfw start`.
Be aware that inter-jail communication is transfered via the loopback interface (normally lo0) for which there is a high priority allow any to any rule by default: `allow ip from any to any via lo`
In order to control the inter-jail communication you have to delete this rule first.
If an ipfw.conf exists for a jail (e.g. /jail/etc/myjail/ipfw.conf) the rules inside that config file are added when starting, and deleted when stopping the jail.
E.g. allowing HTTP/HTTPS traffic for that jail (webserver): `allow tcp from any to $ip setup keep-state`
As demonstrated in the previous rule `$ip` is reserved and automatically replaced with the jails own ip (as reported by `jls`).
## Getting help ## Getting help
@@ -389,6 +401,7 @@ This software is licensed under the BSD license.
## Authors ## Authors
T.v.Dein <tom AT vondein DOT org> T.v.Dein <tom AT vondein DOT org>
F.Sass (Culsu) F.Sass (Culsu)
## Project homepage ## Project homepage

50
jaildk
View File

@@ -715,7 +715,7 @@ jaildk_clone() {
clone $j/data/$src/www $j/data/$new/www clone $j/data/$src/www $j/data/$new/www
clone $j/data/$src/spool $j/data/$new/spool clone $j/data/$src/spool $j/data/$new/spool
ex cp -pRp $j/etc/$src/mount.conf $j/etc/$src/ports.conf $j/etc/$src/mtree.conf $j/etc/$new/ ex cp -pRp $j/etc/$src/mount.conf $j/etc/$src/ports.conf $j/etc/$src/mtree.conf $j/etc/$src/ipfw.conf $j/etc/$new/
echo "Creating $j/etc/$src/jail.conf" echo "Creating $j/etc/$src/jail.conf"
cat $j/etc/$src/jail.conf | egrep -v "^(name|version)=" > $j/etc/$new/jail.conf cat $j/etc/$src/jail.conf | egrep -v "^(name|version)=" > $j/etc/$new/jail.conf
@@ -782,9 +782,11 @@ jaildk_create() {
jaildk_clone -s $src -d $jail -o $srcversion -n $newversion jaildk_clone -s $src -d $jail -o $srcversion -n $newversion
# some perl magic to extract the hostname (if any) from /etc/jail.conf - and write it into the jails rc.conf # some perl magic to extract the hostname (if any) from /etc/jail.conf - and write it into the jails rc.conf
jailhostname=$(cat /etc/jail.conf | tr -d '\t\r\n ' | perl -ne '$_ =~ /.*'"$newjail"'(\{(?:\{.*\}|[^{])*\})|\w+/; print $1;' | grep -oE 'hostname=[^;]+' | cut -d= -f2) jailhostname=$(cat /etc/jail.conf | tr -d '\t\r\n ' | perl -ne '$_ =~ /.*'"$newjail"'(\{(?:\{.*\}|[^{])*\})|\w+/; print $1;' | grep -oE 'hostname=[^;]+' | cut -d= -f2)
[ -n "$jailhostname" ] && sed -iE 's/^hostname.*$/hostname="'"$jailhostname"'"/' $j/etc/$newjail/local-etc-$newversion/rc.conf if [ -n "$jailhostname" ]; then
echo "new name: $jailhostname"
echo "in path $j/etc/$jail/local-etc-$newversion/rc.conf"
sed -iE 's/^hostname.*$/hostname="'"$jailhostname"'"/' $j/etc/$newjail/local-etc-$newversion/rc.conf
fi
} }
remove() { remove() {
@@ -903,6 +905,7 @@ jaildk_jail() {
;; ;;
*) *)
service jail $mode $jail service jail $mode $jail
jaildk_ipfw $jail $mode
;; ;;
esac esac
fi fi
@@ -1162,6 +1165,9 @@ home/$name/root-$version $name/root nullfs rw' >
bold "creating template config $j/etc/.template/ports.conf" bold "creating template config $j/etc/.template/ports.conf"
(echo bash; echo ca_root_nss) > $j/etc/.template/ports.conf (echo bash; echo ca_root_nss) > $j/etc/.template/ports.conf
bold "creating template config $j/etc/.template/ipfw.conf"
touch $j/etc/.template/ipfw.conf
bold "creating template config $j/etc/.template/mtree.conf" bold "creating template config $j/etc/.template/mtree.conf"
# touch $j/etc/.template/mtree.conf # touch $j/etc/.template/mtree.conf
echo '/set type=dir uid=0 gid=0 mode=01777 echo '/set type=dir uid=0 gid=0 mode=01777
@@ -1460,6 +1466,42 @@ jaildk_thaw() {
bold "Done. Thawed jail $jail $version from $image." bold "Done. Thawed jail $jail $version from $image."
} }
jaildk_ipfw() {
jail=$1
mode=$2
if [ -f "$j/etc/$jail/ipfw.conf" ]; then
echo
bold "Managing IPFW Rules..."
case $mode in
start)
jaildk_ipfw_delete $jail "y"
jaildk_ipfw_add $jail
;;
stop)
jaildk_ipfw_delete $jail
;;
esac
bold "... done"
echo
fi
}
jaildk_ipfw_add() {
jail=$1
# Getting current jails IP..
jailip=$(jls | grep -E "$jail\$" | awk '{print $2}')
# Adding rules
cat $j/etc/$jail/ipfw.conf | awk -v jailname="$jail" '{print "ipfw add "$0" // " jailname}' | sed -E "s/\\\$ip/$jailip/g" | while read rule; do $rule; done
}
jaildk_ipfw_delete() {
jail=$1
noout=$2
# Deleting rules
ipfw show | grep -E "// $jail\$" | while read rule; do [ -z "$2" ] && bold "Deleting rule $rule"; sh -c "ipfw delete $(echo $rule| awk '{print $1}')"; done
}
########################## ##########################
# #