-
Notifications
You must be signed in to change notification settings - Fork 1
/
qjail.vnet.be
executable file
·197 lines (165 loc) · 7.44 KB
/
qjail.vnet.be
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
#!/bin/sh
function=$1
jailname=$2
nicname=$3
firewall=$4
start () {
jid=`jls -j ${jailname} jid`
if [ "${jid}" -gt "100" ]; then
echo " "
echo "WARNING: The JID value is greater then 100."
echo "This may indicate many cycles of starting/stopping vnet jails"
echo "which results in lost memory pages. To recover the lost memory,"
echo "shutdown the host and reboot. This will zero out the JID counter"
echo "and make all the memory available again."
echo " "
fi
if [ "${jid}" -gt "250" ]; then
echo " "
echo "ERROR: No more vnet jail epair ip addresses can be created."
echo "You MUST shutdown the host and reboot before vnet jails are"
echo "startable again."
echo " "
exit 2
fi
# Check the hosts network for existing bridge.
# If no bridge yet then create the bridge.
# Add real interface device name to one side of bridge.
#
bridge=`ifconfig | grep -m 1 bridge | cut -f 1 -d :`
if [ -z ${bridge} ]; then
ifconfig bridge0 create > /dev/null 2> /dev/null
ifconfig bridge0 addm ${nicname}
ifconfig bridge0 up
# vnet jails will not work unless ip forwarding is enabled.
sysctl net.inet.ip.forwarding=1 > /dev/null 2> /dev/null
fi
# Do this logic for all vnet jails.
# Assign alias IP number to bridge using jid to make it unique per vnet jail.
# The alias IP number is the vnet jails default route ip address.
# Create epair assigning "a" to bridge and "b" to the vnet jail
#
ifconfig bridge0 alias 10.${jid}.0.1
ifconfig epair${jid} create > /dev/null 2> /dev/null
ifconfig bridge0 addm epair${jid}a
ifconfig epair${jid}a up
ifconfig epair${jid}b vnet ${jid}
# Assign ip address to epair "b" inside of the vnet jail.
#
jexec ${jailname} ifconfig epair${jid}b 10.${jid}.0.2
jexec ${jailname} route add default 10.${jid}.0.1 > /dev/null 2> /dev/null
jexec ${jailname} ifconfig lo0 127.0.0.1
if [ ${firewall} = "none" ]; then
# If no firewall was selected in config -v
# Start services inside of jail needed for network.
# Note: using service command because it's not nojail keyword aware.
#
jexec ${jailname} service netif start > /dev/null 2> /dev/null
jexec ${jailname} service routing start > /dev/null 2> /dev/null
exit 0
fi
if [ ${firewall} = "ipfw" ]; then
# Chech to see if selected firewall kernel modules have been loaded.
if ! kldstat -v | grep -qw ${firewall}; then
echo "Error: ${firewall} was not compiled into the kernel."
exit 2
fi
# If ipfw firewall was selected in config -v
# Get the epairXb interface name of the vnet jail and
# write the vaule to a file so the epairXb interface name can be
# passed to the ipfw.rules file, then start ipfw.
# Start services inside of jail needed by ipfw firewall.
# Note: using service command because it's not nojail keyword aware.
#
jexec ${jailname} service netif start > /dev/null 2> /dev/null
jexec ${jailname} service routing start > /dev/null 2> /dev/null
ipfw_epair="/usr/jails/${jailname}/etc/epair"
jexec ${jailname} ifconfig | grep -m 1 epair | cut -f 1 -d : > ${ipfw_epair}
jexec ${jailname} service ipfw start > /dev/null 2> /dev/null
exit 0
fi
if [ ${firewall} = "pf" ]; then
# Chech to see if selected firewall kernel modules have been loaded.
if ! kldstat -v | grep -qw ${firewall}; then
echo "Error: ${firewall} was not compiled into the kernel."
exit 2
fi
# If pf firewall was selected in config -v
# Get the epairXb interface name of the vnet jail and
# write the vaule to a file so the epairXb interface name can be
# passed to the pf.rules file, then start pf.
# Start services inside of jail needed by pf firewall.
# Note: using service command because it's not nojail keyword aware.
#
jexec ${jailname} service netif start > /dev/null 2> /dev/null
jexec ${jailname} service routing start > /dev/null 2> /dev/null
pf_epair="/usr/jails/${jailname}/etc/epair"
jexec ${jailname} ifconfig | grep -m 1 epair | cut -f 1 -d : > ${pf_epair}
jexec ${jailname} service pf start > /dev/null 2> /dev/null
# jexec ${jailname} pfctl -F all; pfctl -f /etc/pf.rules
fi
if [ ${firewall} = "ipfilter" ]; then
####### This stub is not used. Coded for when ipfilter becomes vnet aware.
# If ipfilter firewall was selected in config -v
# Get the epairXb interface name of the vnet jail and
# write the vaule to a file so the epairXb interface name can be
# passed to the pf.rules file, then start pf.
# Start services inside of jail needed by ipfilter firewall.
# Note: using service command because it's not nojail keyword aware.
#
jexec ${jailname} service netif start > /dev/null 2> /dev/null
jexec ${jailname} service routing start > /dev/null 2> /dev/null
ipf_epair="/usr/jails/${jailname}/etc/epair"
jexec ${jailname} ifconfig | grep -m 1 epair | cut -f 1 -d : > ${ipf_epair}
jexec ${jailname} service ipfilter start > /dev/null 2> /dev/null
fi
}
stop () {
# Disable vnet jails network configuration.
#
jid=`jls -j ${jailname} jid`
ifconfig epair${jid}b -vnet ${jid}
ifconfig bridge0 -alias 10.${jid}.0.1
ifconfig epair${jid}a destroy
# If host has no more vnet jails then disable bridge.
#
epair=`ifconfig | grep -m 1 epair | cut -f 1 -d :`
if [ -z ${epair} ]; then
ifconfig bridge0 destroy
sysctl net.inet.ip.forwarding=0 > /dev/null 2> /dev/null
fi
if [ ${firewall} = "ipfw" ]; then
# If ipfw was started, now disable it.
#
jexec ${jailname} service ipfw stop > /dev/null 2> /dev/null
jexec ${jailname} service routing stop > /dev/null 2> /dev/null
jexec ${jailname} service netif stop > /dev/null 2> /dev/null
sleep 2
fi
if [ ${firewall} = "pf" ]; then
# If pf was started, now disable it.
#
jexec ${jailname} service pf stop > /dev/null 2> /dev/null
jexec ${jailname} service routing stop > /dev/null 2> /dev/null
jexec ${jailname} service netif stop > /dev/null 2> /dev/null
sleep 2
fi
if [ ${firewall} = "ipfilter" ]; then
######### This stub is not used right now.
# If ipfilter was started, now disable it.
#
jexec ${jailname} service ipfilter stop > /dev/null 2> /dev/null
jexec ${jailname} service routing stop > /dev/null 2> /dev/null
jexec ${jailname} service netif stop > /dev/null 2> /dev/null
sleep 2
fi
if [ ${firewall} = "none" ]; then
# If no firewall was started, disable network.
#
jexec ${jailname} service routing stop > /dev/null 2> /dev/null
jexec ${jailname} service netif stop > /dev/null 2> /dev/null
sleep 2
fi
}
[ "${function}" = "start" ] && start $* && exit 0
[ "${function}" = "stop" ] && stop $* && exit 0