
Avoid a clash between uses of /etc/jail.conf.d
Closed, Public

Authored by jamie on Sep 24 2023, 12:46 AM.

Details

Summary

Since the 13.1 release, /etc/rc.d/jail has looked for a per-jail config file in /etc/jail.conf.d. Before RELENG 14, the ".include" directive was added to jail(8), with a sample line in the jail.conf(5) man page that includes "/etc/jail.conf.d/*.conf".

These two use cases don't work together. When the jail.conf.d files are included from a master jail.conf, the files in jail.conf.d are likely to hold only partial configurations, and shouldn't be directly loaded by rc.d/jail. But there are existing configurations that depend on the current rc.d behavior. While it would be simple to advise users not to include from /etc/jail.conf.d, it would be the obvious choice even if not mentioned in jail.conf.5.

The workaround is for rc.d/jail to continue to load the individual files, but only when /etc/jail.conf doesn't include from that directory (via a simple grep test). This allows the new use for this directory, while not breaking the previous use.

Test Plan

Create per-jail configuration files in /etc/rc.d/jail.conf.d that are meant to be the entire configuration for a single jail. These should load with "service jail start jailname" when /etc/jail.conf doesn't exist, or exists without including from that directory. In this case, nothing in /etc/jail.conf should be loaded for those jails.

Second, create a master /etc/jail.conf that includes "/etc/jail.conf.d/*" to pull in some jail-specific configuration, while keeping the global configuration in /etc/jail.conf. This time, the files in /etc/jail.conf.d should *not* work on their own. Again, "service jail start jailname" should properly start the jail, showing the files weren't improperly included directly, but via /etc/jail.conf instead.
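
The selection rule described in the summary, sketched as an added example; this is not the rc.d/jail code from this revision. The function names, the grep pattern, the fallback order and the optional root-directory argument are assumptions made so the logic can be exercised outside /etc.

```shell
#!/bin/sh
# Hypothetical helpers illustrating the "simple grep test"; not FreeBSD's code.

# Return 0 when the master config has an uncommented .include directive that
# pulls files from the given directory. Lines starting with '#' or '//' do not
# match; C-style /* */ comment blocks are not handled by this simple test.
conf_includes_dir() {
    _conf=$1 _dir=$2
    [ -r "$_conf" ] || return 1
    # Escape dots so "jail.conf.d" is matched literally.
    _re=$(printf '%s' "$_dir" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*\.include[[:space:]]+\"?${_re}/" "$_conf"
}

# Print the config file to hand to jail(8) for one jail.
#   $1 = jail name, $2 = directory standing in for /etc (assumed parameter)
select_jail_conf() {
    _jail=$1 _root=${2:-/etc}
    _master=$_root/jail.conf
    _perjail=$_root/jail.conf.d/$_jail.conf
    if conf_includes_dir "$_master" "/etc/jail.conf.d"; then
        # The directory holds partial configs; only the master is complete.
        echo "$_master"
    elif [ -r "$_perjail" ]; then
        # Previous behaviour: the per-jail file is the whole configuration.
        echo "$_perjail"
    elif [ -r "$_master" ]; then
        echo "$_master"
    else
        return 1
    fi
}

# Constructed demo tree in a temp directory standing in for /etc.
demo=$(mktemp -d)
mkdir "$demo/jail.conf.d"
echo 'www { path = "/jails/www"; }' > "$demo/jail.conf.d/www.conf"
select_jail_conf www "$demo"    # per-jail file: there is no master config yet
echo '.include "/etc/jail.conf.d/*.conf";' > "$demo/jail.conf"
select_jail_conf www "$demo"    # master config: it now includes the directory
rm -rf "$demo"
```
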

Diff Detail

Repository
rG FreeBSD src repository