Variables substitution in jail.conf
James Gritton
jamie at freebsd.org
Wed Mar 30 13:47:25 UTC 2016
Niklaas Baudet von Gersdorff <stdin at niklaas.eu> wrote:
> I am experimenting with jail.conf, trying to automate everything as much as
> I can. I would like to execute pfctl commands automatically once a jail is
> started or stopped; that is, adding the IP of the jail to a table that passes
> connection and deleting it again once it's no longer needed. This is my
> jail.conf:
>
> host.hostname = "$name.box-fra-01.klaas";
> path = "/usr/local/jails/$name";
> ip4.addr = "lo1|10.15.$network.$id";
> ip6.addr = "vtnet0|2a00:XXX:XXXX:XXXX:X::$network:$id";
> mount = "/usr/local/jails/templates/base-10.2-RELEASE /usr/local/jails/$name/ nullfs ro 0 0";
> mount += "/usr/local/jails/thinjails/$name /usr/local/jails/$name/jail nullfs rw 0 0";
> mount.devfs;
>
> exec.start = "/bin/sh /etc/rc";
> exec.stop = "/bin/sh /etc/rc.shutdown";
>
> exec.clean;
>
> www {
> $id = 1;
> $network = 1;
> exec.poststart = "pfctl -t www -T add ${ip4.addr} {$ip6.addr}";
> exec.poststop = "pfctl -t www -T delete {$ip4.addr} {$ip6.addr}";
> }
>
> However, I get an error that ip6 is not defined. I have already realised that
> pfctl will give an error (because ip{4,6}.addr includes {lo1,vtnet0}) but what
> I do not understand is why the parameter is not recognised.
>
> I also tried setting things up with additional variables my_ip4 and my_ip6 but
> that didn't work either. After reading jail.conf(5) I thought about putting
> everything in hierarchical jails but I am not sure whether that will help to
> make substitution work the way I want it to.
>
> I am happy for any advice.

The problem is pretty simple - just a case of moving some brackets. In
the definition of exec.poststart, you did ip4.addr right - ${ip4.addr}.
But for ip6.addr, you moved the dollar sign inside the braces -
{$ip6.addr}. That makes it look like the braces and the ".addr" are
just part of the string, and only $ip6 is the variable to be
substituted.

So all you need is:

exec.poststart = "pfctl -t www -T add ${ip4.addr} ${ip6.addr}";
exec.poststop = "pfctl -t www -T delete ${ip4.addr} ${ip6.addr}";

- Jamie
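
A lint for the mistake discussed in this thread, as an added example that is not part of the original messages: it flags {$name} where ${name} was probably meant and rewrites it, leaving single-quoted strings alone because jail.conf(5) does not expand them. The variable-name regex, the $note variable and the sample text are assumptions constructed for illustration.

```python
import re

# Assumption (matches the behaviour described in the reply): an unbraced
# "$name" ends at the first character that is not a letter, digit or
# underscore, so "{$ip6.addr}" expands only "$ip6".
MISPLACED = re.compile(r"\{\$([A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z0-9_]+)*)\}")
# jail.conf(5): single-quoted strings are not subject to substitution.
SINGLE_QUOTED = re.compile(r"('[^']*')")

# Constructed sample based on the www block quoted above; $note is hypothetical.
SAMPLE = '''www {
    $id = 1;
    $network = 1;
    $note = 'literal {$id} stays as typed';
    host.hostname = "$name.box-fra-01.klaas";
    exec.poststart = "pfctl -t www -T add ${ip4.addr} {$ip6.addr}";
    exec.poststop = "pfctl -t www -T delete {$ip4.addr} {$ip6.addr}";
}
'''

def find_misplaced_braces(conf_text):
    """Return (line_no, found, suggested) for each {$name} likely meant as ${name}."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        scanned = SINGLE_QUOTED.sub("", line)  # drop text that is never expanded
        for match in MISPLACED.finditer(scanned):
            findings.append((line_no, match.group(0), "${" + match.group(1) + "}"))
    return findings

def fix_misplaced_braces(conf_text):
    """Rewrite {$name} to ${name} everywhere except inside single quotes."""
    fixed_lines = []
    for line in conf_text.splitlines(keepends=True):
        parts = SINGLE_QUOTED.split(line)  # odd indexes are the quoted pieces
        parts[::2] = [MISPLACED.sub(lambda m: "${" + m.group(1) + "}", part)
                      for part in parts[::2]]
        fixed_lines.append("".join(parts))
    return "".join(fixed_lines)

if __name__ == "__main__":
    for line_no, found, suggested in find_misplaced_braces(SAMPLE):
        print(f"line {line_no}: {found} -> {suggested}")
```

The check is a heuristic: a command that really needs a literal brace directly before a variable would also be flagged, so review the findings before applying the rewrite.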