diff --git a/docs/chapters/subcommands/list.rst b/docs/chapters/subcommands/list.rst index 4757a577..b5f7e85b 100644 --- a/docs/chapters/subcommands/list.rst +++ b/docs/chapters/subcommands/list.rst @@ -2,9 +2,9 @@ list ==== List jails, ports, releases, templates, logs, limits, exports and imports and much more -managed by bastille. +managed by bastille. See the ``help`` output below. -Using `bastille list` without args will print with all the info we feel is most important. +Using `bastille list` without args will print all jails with the info we feel is most important. Most options can be printed in JSON format by including the ``-j|--json`` flag. Use ``-p|--pretty`` to print in columns instead of rows. @@ -13,7 +13,7 @@ to print in columns instead of rows. ishmael ~ # bastille list help Usage: bastille list [option(s)] [RELEASE (-p)] [all] [backup(s)] [export(s)] [import(s)] [ip(s)] [jail(s)] [limit(s)] [log(s)] - [path(s)] [port(s)] [prio|priority] [state(s)] [template(s)] + [path(s)] [port(s)] [prio|priority] [release(s)] [state(s)] [template(s)] Options: -d | --down List stopped jails only. diff --git a/docs/chapters/subcommands/rdr.rst b/docs/chapters/subcommands/rdr.rst index ecf37c63..ea1d15cb 100644 --- a/docs/chapters/subcommands/rdr.rst +++ b/docs/chapters/subcommands/rdr.rst 
@@ -34,10 +34,10 @@ The ``rdr`` command includes 4 additional options: .. code-block:: shell - -i | --interface [interface] Set the interface to create the rdr rule on. Useful if you have multiple interfaces. - -s | --source [source ip] Limit rdr to a source IP. Useful to only allow access from a certian IP or subnet. - -d | --destination [destination ip] Limit rdr to a destination IP. Useful if you have multiple IPs on one interface. - -t | --type [ipv4|ipv6] Specify IP type. Must be used if -s or -d are used. Defaults to both. + -d | --destination [destination] Limit rdr to a destination IP. Useful if you have multiple IPs on one interface. + -i | --interface [interface] Set the interface to create the rdr rule on. Useful if you have multiple interfaces. + -s | --source [source] Limit rdr to a source IP or table. Useful to only allow access from certain sources. + -t | --type [ipv4|ipv6] Specify IP type. Must be used if -s or -d are used. Defaults to both. .. code-block:: shell @@ -68,6 +68,9 @@ The options can be used together, as seen above. If you have multiple interfaces assigned to your jail, ``bastille rdr`` will only redirect using the default one. +It is also possible to specify a pf table as the source, providing it exists. Simply use the table +name instead of an IP address or subnet. + .. code-block:: shell # bastille rdr --help 
@@ -75,8 +78,8 @@ only redirect using the default one. Options: + -d | --destination [destination] Limit rdr to a destination IP. Useful if you have multiple IPs on one interface. -i | --interface [interface] Set the interface to create the rdr rule on. Useful if you have multiple interfaces. - -s | --source [source ip] Limit rdr to a source IP. Useful to only allow access from a certian IP or subnet. - -d | --destination [destination ip] Limit rdr to a destination IP. Useful if you have multiple IPs on one interface. + -s | --source [source] Limit rdr to a source IP or table. Useful to only allow access from certain sources. -t | --type [ipv4|ipv6] Specify IP type. Must be used if -s or -d are used. Defaults to both. - -x | --debug Enable debug mode. \ No newline at end of file + -x | --debug Enable debug mode. diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index ebbfdb24..44bcd0b9 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh @@ -93,36 +93,43 @@ if [ -n "${bastille_export_options}" ]; then info "Default export option(s): '${DEFAULT_EXPORT_OPTS}'" + # Don't shift here when default export options are explicitly denoted in the config file, hence TARGET will always be $1. for opt in ${DEFAULT_EXPORT_OPTS}; do case "${opt}" in + -a|--auto) + AUTO="1" + ;; --gz) GZIP_EXPORT="1" opt_count - shift;; + ;; --xz) XZ_EXPORT="1" opt_count - shift;; + ;; --tgz) TGZ_EXPORT="1" opt_count zfs_enable_check - shift;; + ;; --txz) TXZ_EXPORT="1" opt_count zfs_enable_check - shift;; + ;; -s|--safe) SAFE_EXPORT="1" - shift;; + ;; -r|--raw) RAW_EXPORT="1" opt_count - shift ;; + ;; -v|--verbose) OPT_ZSEND="-Rv" - shift;; + ;; + -x) + enable_debug + ;; -*) error_notify "[ERROR]: Unknown Option: \"${1}\"" usage;; esac @@ -179,7 +186,7 @@ else enable_debug shift ;; - -*) + -*) for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do case ${_opt} in a) AUTO=1 ;; 
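Review bot: In the `-*)` arm of the default-export-options loop the message still prints `${1}` although the loop iterates `${opt}`; with the commit's own new comment stating that `$1` stays the TARGET here, an unrecognised value in the config's export options would be reported as the jail/target name instead of the option. Change it to `error_notify "[ERROR]: Unknown Option: \"${opt}\""`. Separately, this loop now accepts `-x` but not `--debug`, whereas the argument loop in the second hunk (context above its `-*)` arm) calls `enable_debug`; if parity with the CLI is intended, `-x|--debug)` would keep the two in step. The `if [ -n "${bastille_export_options}" ]` block enclosing the loop starts before the hunk.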
diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index 8d5a1c59..387c420e 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -34,7 +34,7 @@ usage() { error_notify "Usage: bastille list [option(s)] [RELEASE (-p)] [all] [backup(s)] [export(s)] [import(s)] [ip(s)] [jail(s)] [limit(s)] [log(s)]" - error_notify " [path(s)] [port(s)] [prio|priority] [state(s)] [template(s)]" + error_notify " [path(s)] [port(s)] [prio|priority] [release(s)] [state(s)] [template(s)]" cat << EOF Options: diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh index 1cabc9e3..19876671 100644 --- a/usr/local/share/bastille/rdr.sh +++ b/usr/local/share/bastille/rdr.sh @@ -38,11 +38,11 @@ usage() { Options: - -d | --destination [destination ip] Limit rdr to a destination IP. Useful if you have multiple IPs on one interface. - -i | --interface [interface] Set the interface to create the rdr rule on. Useful if you have multiple interfaces. - -s | --source [source ip] Limit rdr to a source IP. Useful to only allow access from a certian IP or subnet. - -t | --type [ipv4|ipv6] Specify IP type. Must be used if -s or -d are used. Defaults to both. - -x | --debug Enable debug mode. + -d | --destination [destination] Limit rdr to a destination IP. Useful if you have multiple IPs on one interface. + -i | --interface [interface] Set the interface to create the rdr rule on. Useful if you have multiple interfaces. + -s | --source [source] Limit rdr to a source IP or table. Useful to only allow access from certain sources. + -t | --type [ipv4|ipv6] Specify IP type. Must be used if -s or -d are used. Defaults to both. + -x | --debug Enable debug mode. EOF exit 1 
@@ -108,6 +108,17 @@ check_rdr_ip_validity() {
 fi
 }
 
+check_rdr_table_validity() {
+
+ local table="${1}"
+
+ if ! pfctl -t "${table}" -T show > /dev/null 2>&1; then
+ error_exit "\nInvalid: (${table})."
+ else
+ info "\nValid: (${table})."
+ fi
+}
+
 validate_rdr_rule() {
 
 local if="${1}"
@@ -237,6 +248,7 @@ OPTION_IF=0
 OPTION_SRC=0
 OPTION_DST=0
 OPTION_INET_TYPE=0
+OPT_SRC_TABLE=0
 while [ "$#" -gt 0 ]; do
 case "${1}" in
 -h|--help|help)
@@ -261,9 +273,15 @@ while [ "$#" -gt 0 ]; do
 fi
 ;;
 -s|--source)
- check_rdr_ip_validity "${2}"
+ if echo "${2}" | grep -Eoq "([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|.*:.*)"; then
+ check_rdr_ip_validity "${2}"
+ RDR_SRC="${2}"
+ else
+ check_rdr_table_validity "${2}"
+ OPT_SRC_TABLE=1
+ RDR_SRC="$(echo "${2}" | sed -e 's/^//')"
+ fi
 OPTION_SRC=1
- RDR_SRC="${2}"
 shift 2
 ;;
 -t|--type)
@@ -341,8 +359,8 @@ while [ "$#" -gt 0 ]; do
 tcp|udp)
 if [ "$#" -lt 3 ]; then
 usage
- elif [ "${OPTION_SRC}" -eq 1 ] || [ "${OPTION_DST}" -eq 1 ] && [ "${OPTION_INET_TYPE}" -ne 1 ];then
- error_exit "[ERROR]: [-t|--type] must be set when using [-s|--source] or [-d|--destination]"
+ elif [ "${OPTION_SRC}" -eq 1 ] || [ "${OPTION_DST}" -eq 1 ] && [ "${OPTION_INET_TYPE}" -ne 1 ] && [ "${OPT_SRC_TABLE}" -eq 0 ];then
+ error_exit "[ERROR]: [-t|--type] must be set when NOT using a table as [-s|--source] or [-d|--destination]."
 elif [ "$#" -eq 3 ]; then
 check_jail_validity
 validate_rdr_rule $RDR_IF $RDR_SRC $RDR_DST $1 $2 $3
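Review bot: `RDR_SRC="$(echo "${2}" | sed -e 's/^//')"` in the new table branch of `-s|--source` is a no-op substitution, so it only spawns a subshell, `echo` and `sed` to produce `${2}` unchanged; write `RDR_SRC="${2}"` as the IP branch already does. If the intent was to produce pf's angle-bracket table reference, that should be spelled out explicitly (e.g. `RDR_SRC="<${2}>"`) and the rule builder, which is outside this hunk, must then not wrap it a second time — I cannot see from here which side is expected to do it. The branch test sends anything without a dotted quad or a colon straight to `check_rdr_table_validity`, where the value is passed to `pfctl` as a single quoted argument, which is fine; note however that the later `validate_rdr_rule $RDR_IF $RDR_SRC $RDR_DST ...` call (context in the last hunk) expands it unquoted, so a table name that survives `pfctl` but contains whitespace would be split there. The enclosing `case`/`while` starts before the hunk.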
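Review bot: The new `elif` condition is evaluated left to right with `||` and `&&` at equal precedence, i.e. `((SRC || DST) && TYPE-unset) && !TABLE`, so as soon as the source is a table the `-t` requirement is dropped even when `-d` was also given with an address — contradicting the new message, which still says `-t` is required for `[-d|--destination]`. Group the source/table pair so the destination check stands on its own: `elif { { [ "${OPTION_SRC}" -eq 1 ] && [ "${OPT_SRC_TABLE}" -eq 0 ]; } || [ "${OPTION_DST}" -eq 1 ]; } && [ "${OPTION_INET_TYPE}" -ne 1 ]; then`. While touching the line, `];then` would read better as `]; then`. The `tcp|udp)` arm continues past the end of the hunk.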