Merge pull request #1152 from BastilleBSD/rdr-table-source

2025-12-23 18:50:46 +01:00 · 2025-06-20 13:57:31 -06:00
parent c8477839fc fe12a24525
commit 0ede2a51e6
4 changed files with 41 additions and 20 deletions
--- a/docs/chapters/subcommands/list.rst
+++ b/docs/chapters/subcommands/list.rst
@@ -2,9 +2,9 @@ list
 ====

 List jails, ports, releases, templates, logs, limits, exports and imports and much more
-managed by bastille.
+managed by bastille. See the ``help`` output below.

-Using `bastille list` without args will print with all the info we feel is most important.
+Using `bastille list` without args will print all jails with the info we feel is most important.

 Most options can be printed in JSON format by including the ``-j|--json`` flag. Use ``-p|--pretty``
 to print in columns instead of rows.
@@ -13,7 +13,7 @@ to print in columns instead of rows.

  ishmael ~ # bastille list help
  Usage: bastille list [option(s)] [RELEASE (-p)] [all] [backup(s)] [export(s)] [import(s)] [ip(s)] [jail(s)] [limit(s)] [log(s)]
-                                                  [path(s)] [port(s)] [prio|priority] [state(s)] [template(s)]
+                                                  [path(s)] [port(s)] [prio|priority] [release(s)] [state(s)] [template(s)]
      Options:
    
      -d | --down            List stopped jails only.
--- a/docs/chapters/subcommands/rdr.rst
+++ b/docs/chapters/subcommands/rdr.rst
@@ -34,10 +34,10 @@ The ``rdr`` command includes 4 additional options:

 .. code-block:: shell

-    -i | --interface   [interface]               Set the interface to create the rdr rule on. Useful if you have multiple interfaces.
-    -s | --source      [source ip]               Limit rdr to a source IP. Useful to only allow access from a certian IP or subnet.
-    -d | --destination [destination ip]          Limit rdr to a destination IP. Useful if you have multiple IPs on one interface.
-    -t | --type        [ipv4|ipv6]               Specify IP type. Must be used if -s or -d are used. Defaults to both.
+    -d | --destination [destination]          Limit rdr to a destination IP. Useful if you have multiple IPs on one interface.
+    -i | --interface   [interface]            Set the interface to create the rdr rule on. Useful if you have multiple interfaces.
+    -s | --source      [source]               Limit rdr to a source IP or table. Useful to only allow access from certain sources.
+    -t | --type        [ipv4|ipv6]            Specify IP type. Must be used if -s or -d are used. Defaults to both.

 .. code-block:: shell

@@ -68,6 +68,9 @@ The options can be used together, as seen above.
 If you have multiple interfaces assigned to your jail, ``bastille rdr`` will
 only redirect using the default one.

+It is also possible to specify a pf table as the source, providing it exists. Simply use the table
+name instead of an IP address or subnet.
+
 .. code-block:: shell

  # bastille rdr --help
@@ -75,8 +78,8 @@ only redirect using the default one.
 
      Options:

+      -d | --destination [destination]             Limit rdr to a destination IP. Useful if you have multiple IPs on one interface.
      -i | --interface   [interface]               Set the interface to create the rdr rule on. Useful if you have multiple interfaces.
-      -s | --source      [source ip]               Limit rdr to a source IP. Useful to only allow access from a certian IP or subnet.
-      -d | --destination [destination ip]          Limit rdr to a destination IP. Useful if you have multiple IPs on one interface.
+      -s | --source      [source]                  Limit rdr to a source IP or table. Useful to only allow access from certain sources.
      -t | --type        [ipv4|ipv6]               Specify IP type. Must be used if -s or -d are used. Defaults to both.
-      -x | --debug                                 Enable debug mode.
+      -x | --debug                                 Enable debug mode.
--- a/usr/local/share/bastille/list.sh
+++ b/usr/local/share/bastille/list.sh
@@ -34,7 +34,7 @@

 usage() {
    error_notify "Usage: bastille list [option(s)] [RELEASE (-p)] [all] [backup(s)] [export(s)] [import(s)] [ip(s)] [jail(s)] [limit(s)] [log(s)]"
-    error_notify "                                                [path(s)] [port(s)] [prio|priority] [state(s)] [template(s)]"
+    error_notify "                                                [path(s)] [port(s)] [prio|priority] [release(s)] [state(s)] [template(s)]"
    cat << EOF
    Options:

--- a/usr/local/share/bastille/rdr.sh
+++ b/usr/local/share/bastille/rdr.sh
@@ -38,11 +38,11 @@ usage() {
 	
    Options:

-    -d | --destination [destination ip]          Limit rdr to a destination IP. Useful if you have multiple IPs on one interface.
-    -i | --interface   [interface]               Set the interface to create the rdr rule on. Useful if you have multiple interfaces.
-    -s | --source      [source ip]               Limit rdr to a source IP. Useful to only allow access from a certian IP or subnet.
-    -t | --type        [ipv4|ipv6]               Specify IP type. Must be used if -s or -d are used. Defaults to both.
-    -x | --debug                                 Enable debug mode.
+    -d | --destination [destination]          Limit rdr to a destination IP. Useful if you have multiple IPs on one interface.
+    -i | --interface   [interface]            Set the interface to create the rdr rule on. Useful if you have multiple interfaces.
+    -s | --source      [source]               Limit rdr to a source IP or table. Useful to only allow access from certain sources.
+    -t | --type        [ipv4|ipv6]            Specify IP type. Must be used if -s or -d are used. Defaults to both.
+    -x | --debug                              Enable debug mode.

 EOF
    exit 1
@@ -108,6 +108,17 @@ check_rdr_ip_validity() {
    fi
 }

+check_rdr_table_validity() {
+
+    local table="${1}"
+
+    if ! pfctl -t "${table}" -T show > /dev/null 2>&1; then
+        error_exit "\nInvalid: (${table})."
+    else
+        info "\nValid: (${table})."
+    fi
+}
+
 validate_rdr_rule() {

    local if="${1}"
@@ -237,6 +248,7 @@ OPTION_IF=0
 OPTION_SRC=0
 OPTION_DST=0
 OPTION_INET_TYPE=0
+OPT_SRC_TABLE=0
 while [ "$#" -gt 0 ]; do
    case "${1}" in
        -h|--help|help)
@@ -261,9 +273,15 @@ while [ "$#" -gt 0 ]; do
            fi
            ;;
        -s|--source)
-            check_rdr_ip_validity "${2}"
+	    if echo "${2}" | grep -Eoq "([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|.*:.*)"; then
+                check_rdr_ip_validity "${2}"
+		RDR_SRC="${2}"
+	    else
+                check_rdr_table_validity "${2}"
+		OPT_SRC_TABLE=1
+		RDR_SRC="$(echo "${2}" | sed -e 's/^/</' -e 's/$/>/')"
+	    fi
            OPTION_SRC=1
-            RDR_SRC="${2}"
            shift 2
            ;;
        -t|--type)
@@ -341,8 +359,8 @@ while [ "$#" -gt 0 ]; do
        tcp|udp)
            if [ "$#" -lt 3 ]; then
                usage
-            elif [ "${OPTION_SRC}" -eq 1 ] || [ "${OPTION_DST}" -eq 1 ] && [ "${OPTION_INET_TYPE}" -ne 1 ];then
-                error_exit "[ERROR]: [-t|--type] must be set when using [-s|--source] or [-d|--destination]"
+            elif [ "${OPTION_SRC}" -eq 1 ] || [ "${OPTION_DST}" -eq 1 ] && [ "${OPTION_INET_TYPE}" -ne 1 ] && [ "${OPT_SRC_TABLE}" -eq 0 ];then
+                error_exit "[ERROR]: [-t|--type] must be set when NOT using a table as [-s|--source] or [-d|--destination]."
            elif [ "$#" -eq 3 ]; then
                check_jail_validity
                validate_rdr_rule $RDR_IF $RDR_SRC $RDR_DST $1 $2 $3