Merge pull request #502 from nmurali94/master
Extend RDR to support logging
@@ -32,7 +32,7 @@
. /usr/local/etc/bastille/bastille.conf
. /usr/local/etc/bastille/bastille.conf
usage() {
usage() {
error_exit "Usage: bastille rdr TARGET [clear|list|(tcp|udp host_port jail_port)]"
error_exit "Usage: bastille rdr TARGET [clear|list|(tcp|udp host_port jail_port [log ['(' logopts ')'] ] )]"
}
}
# Handle special-case commands first.
# Handle special-case commands first.
@@ -91,6 +91,16 @@ if ! grep -qs "$1 $2 $3" "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"; then
fi
fi
}
}
persist_rdr_log_rule() {
proto=$1;host_port=$2;jail_port=$3;
shift 3;
log=$@;
if ! grep -qs "$proto $host_port $jail_port $log" "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"; then
echo "$proto $host_port $jail_port $log" >> "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"
fi
}
# function: load rdr rule via pfctl
# function: load rdr rule via pfctl
load_rdr_rule() {
load_rdr_rule() {
( pfctl -a "rdr/${JAIL_NAME}" -Psn;
( pfctl -a "rdr/${JAIL_NAME}" -Psn;
@@ -98,6 +108,16 @@ load_rdr_rule() {
| pfctl -a "rdr/${JAIL_NAME}" -f-
| pfctl -a "rdr/${JAIL_NAME}" -f-
}
}
# function: load rdr rule with log via pfctl
load_rdr_log_rule() {
proto=$1;host_port=$2;jail_port=$3;
shift 3;
log=$@
( pfctl -a "rdr/${JAIL_NAME}" -Psn;
printf '%s\nrdr pass %s on $ext_if inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "$log" "$proto" "$host_port" "$JAIL_IP" "$jail_port" ) \
| pfctl -a "rdr/${JAIL_NAME}" -f-
}
while [ $# -gt 0 ]; do
while [ $# -gt 0 ]; do
case "$1" in
case "$1" in
list)
list)
@@ -127,11 +147,44 @@ while [ $# -gt 0 ]; do
tcp|udp)
tcp|udp)
if [ $# -lt 3 ]; then
if [ $# -lt 3 ]; then
usage
usage
elif [ $# -eq 3 ]; then
check_jail_validity
persist_rdr_rule $1 $2 $3
load_rdr_rule $1 $2 $3
shift 3
else
case "$4" in
log)
proto=$1
host_port=$2
jail_port=$3
shift 3
if [ $# -gt 3 ]; then
for last in $@; do
true
done
if [ $2 == "(" ] && [ $last == ")" ] ; then
check_jail_validity
persist_rdr_log_rule $proto $host_port $jail_port $@
load_rdr_log_rule $proto $host_port $jail_port $@
shift $#
else
usage
fi
elif [ $# -eq 1 ]; then
check_jail_validity
persist_rdr_log_rule $proto $host_port $jail_port $@
load_rdr_log_rule $proto $host_port $jail_port $@
shift 1
else
usage
fi
;;
*)
usage
;;
esac
fi
fi
check_jail_validity
persist_rdr_rule $1 $2 $3
load_rdr_rule $1 $2 $3
shift 3
;;
;;
*)
*)
usage
usage
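Review bot: The log options travel unquoted on every hop — `log=$@` inside load_rdr_log_rule and `persist_rdr_log_rule $proto $host_port $jail_port $@` / `load_rdr_log_rule $proto $host_port $jail_port $@` in both branches of the `log)` case — so a token such as `*` between the parentheses is subject to pathname expansion before it reaches rdr.conf or `pfctl -f-`; pass them as `"$proto" "$host_port" "$jail_port" "$@"` here, and the same quoting applies to the new functions in the `@@ -91,6 +91,16` and `@@ -98,6 +108,16` hunks. The delimiter test `if [ $2 == "(" ] && [ $last == ")" ] ; then` relies on the non-POSIX `==` and leaves both operands unquoted, so an empty or multi-word operand is a test syntax error rather than a failed match; `if [ "$2" = "(" ] && [ "$last" = ")" ]; then` is the portable form. The `for last in $@; do true; done` scan exists only to fetch the last positional parameter and reads more directly as `for last; do :; done`. Only the delimiters are checked: whatever sits between them is appended verbatim to rdr.conf and interpolated into the ruleset fed to `pfctl -f-`, so a stray word there surfaces as a pfctl parse error or an unintended option instead of a usage message, and validating each logopt against pf's documented set (`all`, `user`, `to <interface>`) before calling check_jail_validity would keep the persisted file loadable. The enclosing while/case loop closes outside the hunk.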