Jails often have repetitive boilerplate that can't be factored out of jail.conf using .include "<glob>"; or requires external lookups that require wrappers around jail(8) e.g. network interface creation or IP allocation, database lookups.
This patch checks if a jail.conf(5) is executable by trying to reopen its file descriptor for execution in which case it runs it as child process of the jail command and parses the child's standard output.