Fix for issue #403

This commit is contained in:
Daniel Ziltener
2021-09-02 22:44:49 +02:00
parent 27ea04712f
commit cd054f2a32


@@ -47,37 +47,42 @@ if [ $# -lt 2 ]; then
fi fi
TARGET="${1}" TARGET="${1}"
JAIL_NAME=""
JAIL_IP=""
EXT_IF=""
shift shift
# Can only redirect to single jail check_jail_validity() {
if [ "${TARGET}" = 'ALL' ]; then # Can only redirect to single jail
error_exit "Can only redirect to a single jail." if [ "${TARGET}" = 'ALL' ]; then
fi error_exit "Can only redirect to a single jail."
# Check if jail name is valid
JAIL_NAME=$(jls -j "${TARGET}" name 2>/dev/null)
if [ -z "${JAIL_NAME}" ]; then
error_exit "Jail not found: ${TARGET}"
fi
# Check if jail ip4 address (ip4.addr) is valid (non-VNET only)
if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then
JAIL_IP=$(jls -j "${TARGET}" ip4.addr 2>/dev/null)
if [ -z "${JAIL_IP}" -o "${JAIL_IP}" = "-" ]; then
error_exit "Jail IP not found: ${TARGET}"
fi fi
fi
# Check if rdr-anchor is defined in pf.conf # Check if jail name is valid
if ! (pfctl -sn | grep rdr-anchor | grep 'rdr/\*' >/dev/null); then JAIL_NAME=$(jls -j "${TARGET}" name 2>/dev/null)
error_exit "rdr-anchor not found in pf.conf" if [ -z "${JAIL_NAME}" ]; then
fi error_exit "Jail not found: ${TARGET}"
fi
# Check if ext_if is defined in pf.conf # Check if jail ip4 address (ip4.addr) is valid (non-VNET only)
EXT_IF=$(grep '^[[:space:]]*ext_if[[:space:]]*=' /etc/pf.conf) if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then
if [ -z "${EXT_IF}" ]; then JAIL_IP=$(jls -j "${TARGET}" ip4.addr 2>/dev/null)
error_exit "ext_if not defined in pf.conf" if [ -z "${JAIL_IP}" -o "${JAIL_IP}" = "-" ]; then
fi error_exit "Jail IP not found: ${TARGET}"
fi
fi
# Check if rdr-anchor is defined in pf.conf
if ! (pfctl -sn | grep rdr-anchor | grep 'rdr/\*' >/dev/null); then
error_exit "rdr-anchor not found in pf.conf"
fi
# Check if ext_if is defined in pf.conf
EXT_IF=$(grep '^[[:space:]]*ext_if[[:space:]]*=' /etc/pf.conf)
if [ -z "${EXT_IF}" ]; then
error_exit "ext_if not defined in pf.conf"
fi
}
# function: write rule to rdr.conf # function: write rule to rdr.conf
persist_rdr_rule() { persist_rdr_rule() {
@@ -96,17 +101,34 @@ load_rdr_rule() {
while [ $# -gt 0 ]; do while [ $# -gt 0 ]; do
case "$1" in case "$1" in
list) list)
pfctl -a "rdr/${JAIL_NAME}" -Psn 2>/dev/null if [ "${TARGET}" = 'ALL' ]; then
for JAIL_NAME in $(ls "${bastille_jailsdir}" | sed "s/\n//g"); do
echo "${JAIL_NAME} redirects:"
pfctl -a "rdr/${JAIL_NAME}" -Psn 2>/dev/null
done
else
check_jail_validity
pfctl -a "rdr/${JAIL_NAME}" -Psn 2>/dev/null
fi
shift shift
;; ;;
clear) clear)
pfctl -a "rdr/${JAIL_NAME}" -Fn if [ "${TARGET}" = 'ALL' ]; then
for JAIL_NAME in $(ls "${bastille_jailsdir}" | sed "s/\n//g"); do
echo "${JAIL_NAME} redirects:"
pfctl -a "rdr/${JAIL_NAME}" -Fn
done
else
check_jail_validity
pfctl -a "rdr/${JAIL_NAME}" -Fn
fi
shift shift
;; ;;
tcp|udp) tcp|udp)
if [ $# -lt 3 ]; then if [ $# -lt 3 ]; then
usage usage
fi fi
check_jail_validity
persist_rdr_rule $1 $2 $3 persist_rdr_rule $1 $2 $3
load_rdr_rule $1 $2 $3 load_rdr_rule $1 $2 $3
shift 3 shift 3
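Review bot: The new `ALL` branches of `list` and `clear` (both hunks in this section) build the jail list with `$(ls "${bastille_jailsdir}" | sed "s/\n//g")`, which word-splits and glob-expands the listing, and the `sed` expression is a no-op since `ls` already prints one entry per line; a directory name containing whitespace or glob characters would be split into several `pfctl -a "rdr/${JAIL_NAME}"` calls with wrong anchor names. Iterating the directory with a glob avoids parsing `ls`: `for JAIL_DIR in "${bastille_jailsdir}"/*/; do` followed by `JAIL_NAME=$(basename "${JAIL_DIR}")`. These `ALL` paths also bypass `check_jail_validity`, so the rdr-anchor presence check in the first hunk only runs for single-jail targets; if that is intended, a comment such as `# ALL: anchor check skipped, pfctl errors surface per jail` would make it explicit. Finally, the `clear` loop prints `"${JAIL_NAME} redirects:"` before flushing, which reads as a listing header; `echo "Clearing ${JAIL_NAME} redirects:"` would match what the branch does.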