diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille
index 032d17e8..0542bed8 100755
--- a/usr/local/bin/bastille
+++ b/usr/local/bin/bastille
@@ -54,6 +54,9 @@ bastille_conf_check
 ## we only load the config if conf_check passes
 . /usr/local/etc/bastille/bastille.conf
+# Set default values for config properties added during the current major version:
+: "${bastille_network_pf_ext_if:=ext_if}"
+: "${bastille_network_pf_table:=jails}"
 ## bastille_prefix should be 0750
 ## this restricts file system access to privileged users
diff --git a/usr/local/etc/bastille/bastille.conf.sample b/usr/local/etc/bastille/bastille.conf.sample
index 2c4688a8..4e812e7f 100644
--- a/usr/local/etc/bastille/bastille.conf.sample
+++ b/usr/local/etc/bastille/bastille.conf.sample
@@ -49,6 +49,8 @@ bastille_decompress_gz_options="-k -d -c -v" ## default
 ## Networking
 bastille_network_loopback="bastille0" ## default: "bastille0"
+bastille_network_pf_ext_if="ext_if" ## default: "ext_if"
+bastille_network_pf_table="jails" ## default: "jails"
 bastille_network_shared="" ## default: ""
 bastille_network_gateway="" ## default: ""
 bastille_network_gateway6="" ## default: ""
diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh
index ee0514d5..a7e59c2e 100644
--- a/usr/local/share/bastille/rdr.sh
+++ b/usr/local/share/bastille/rdr.sh
@@ -78,9 +78,9 @@ check_jail_validity() {
 fi
 # Check if ext_if is defined in pf.conf
- EXT_IF=$(grep '^[[:space:]]*ext_if[[:space:]]*=' /etc/pf.conf)
+ EXT_IF=$(grep "^[[:space:]]*${bastille_network_pf_ext_if}[[:space:]]*=" /etc/pf.conf)
 if [ -z "${EXT_IF}" ]; then
- error_exit "ext_if not defined in pf.conf"
+ error_exit "bastille_network_pf_ext_if (${bastille_network_pf_ext_if}) not defined in pf.conf"
 fi
 }
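Review bot: The `:=` expansions on the two new lines replace an explicitly empty value as well as an unset one, so `bastille_network_pf_table=""` in bastille.conf silently becomes `jails`, whereas the neighbouring network settings in the sample (`bastille_network_shared=""`) use the empty string as a meaningful value; the comment above the two lines should say so, so nobody tries to "disable" the table that way. Suggested comment: `# ':=' also replaces an explicitly empty value; neither setting has a meaningful empty form`. That the empty form is not meaningful is my reading of how rdr.sh and start.sh use the values; confirm before wording it that strongly.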
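Review bot: The two new sample lines give only the default, not the constraint that `bastille_network_pf_ext_if` must be the name of a macro defined in /etc/pf.conf (rdr.sh greps for exactly that definition and exits when it is absent) and that `bastille_network_pf_table` must be a table declared there (start.sh and stop.sh pass it straight to `pfctl -t`). Suggested trailing comments: `## name of the pf.conf macro holding the external interface` and `## name of the pf.conf table that jail addresses are added to`.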
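Review bot: The configured macro name is spliced into the grep pattern on the new `EXT_IF=` line without any check that it is a plain identifier, so a value containing `.`, `*` or `[` is read as BRE syntax and can match a different definition line than intended; the same unvalidated value is later embedded as a macro reference in the `printf` of `load_rdr_rule` and its logging variant. A guard before the grep keeps the value to what a pf macro name can be, e.g. `case "${bastille_network_pf_ext_if}" in ''|*[!A-Za-z0-9_]*) error_exit "invalid bastille_network_pf_ext_if (${bastille_network_pf_ext_if})";; esac` (confirm the allowed character set against pf.conf(5)). check_jail_validity() begins before this hunk.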
@@ -104,7 +104,7 @@ fi
 # function: load rdr rule via pfctl
 load_rdr_rule() {
 ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
- printf '%s\nrdr pass on $ext_if inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "$1" "$2" "$JAIL_IP" "$3" ) \
+ printf '%s\nrdr pass on $%s inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "${bastille_network_pf_ext_if}" "$1" "$2" "$JAIL_IP" "$3" ) \
 | pfctl -a "rdr/${JAIL_NAME}" -f-
 }
@@ -114,7 +114,7 @@ proto=$1;host_port=$2;jail_port=$3; shift 3; log=$@
 ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
- printf '%s\nrdr pass %s on $ext_if inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "$log" "$proto" "$host_port" "$JAIL_IP" "$jail_port" ) \
+ printf '%s\nrdr pass %s on $%s inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "$log" "${bastille_network_pf_ext_if}" "$proto" "$host_port" "$JAIL_IP" "$jail_port" ) \
 | pfctl -a "rdr/${JAIL_NAME}" -f-
 }
diff --git a/usr/local/share/bastille/start.sh b/usr/local/share/bastille/start.sh
index e08af945..45110be4 100644
--- a/usr/local/share/bastille/start.sh
+++ b/usr/local/share/bastille/start.sh
@@ -83,8 +83,8 @@ for _jail in ${JAILS}; do
 error_notify "Error: IP address (${ip}) already in use."
 continue
 fi
- ## add ip4.addr to firewall table:jails
- pfctl -q -t jails -T add "${ip}"
+ ## add ip4.addr to firewall table
+ pfctl -q -t "${bastille_network_pf_table}" -T add "${ip}"
 fi
 ## start the container
diff --git a/usr/local/share/bastille/stop.sh b/usr/local/share/bastille/stop.sh
index 5d4911b8..5343d77d 100644
--- a/usr/local/share/bastille/stop.sh
+++ b/usr/local/share/bastille/stop.sh
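Review bot: The `# function: load rdr rule via pfctl` comment no longer describes what the rule is assembled from: the first `%s` is `$EXT_IF`, the macro definition line grepped from /etc/pf.conf, and the `$%s` after `on` now expands to a reference to `${bastille_network_pf_ext_if}`, so the two must presumably name the same macro for the rule set fed to `pfctl -f-` to load. The `printf` in the following hunk (the logging variant, whose function begins before its hunk) has the same shape and needs the same note. Suggested comment: `# function: load rdr rule via pfctl; the macro definition (EXT_IF, grepped from /etc/pf.conf) is emitted first so the rule can reference $<bastille_network_pf_ext_if>`.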
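Review bot: The exit status of the new `pfctl -q -t "${bastille_network_pf_table}" -T add "${ip}"` line is not checked, so when the configured table is not declared in pf.conf the add fails and the jail is started anyway, outside the table the firewall rules presumably rely on; the `-T delete` line in the stop.sh hunk has the same gap. A check such as `pfctl -q -t "${bastille_network_pf_table}" -T add "${ip}" || error_notify "Error: failed to add ${ip} to pf table ${bastille_network_pf_table}."` at least makes the mismatch visible in the output; whether to `continue` instead of starting the jail is a policy choice for the maintainers. The for loop enclosing this hunk begins before it.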
@@ -70,10 +70,10 @@ for _jail in ${JAILS}; do
 info "[${_jail}]:"
 jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r "${_jail}"
- ## remove (captured above) ip4.addr from firewall table:jails
+ ## remove (captured above) ip4.addr from firewall table
 if [ -n "${bastille_network_loopback}" -a ! -z "${_ip}" ]; then
 if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then
- pfctl -q -t jails -T delete "${_ip}"
+ pfctl -q -t "${bastille_network_pf_table}" -T delete "${_ip}"
 fi
 fi
 fi