Extend RDR to support logging

PF allows us to log rdr rules. The syntax to enable this is found in
pf.conf under the syntax grammar section for rdr-rule.

This commit extends Bastille's command line interface to allow users
to choose to log their rdr rules using the pf.conf syntax -

``````````````````````````````````````````````````````
tcp|udp host_port jail_port [log ['(' logopts ')'] ]
``````````````````````````````````````````````````````
Here, the syntax after jail_port is optional. This is sufficient to
provide backwards compatibility. The keyword 'log' enables logging with
the default options. The user can also provide custom options -
logopts - whose the syntax and allowed keywords are defined in pf.conf.
It's left to the user to supply correct logopts as the code does not
verify those values or their syntax.

usr/local/share/bastille/rdr.sh

@@ -32,7 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    error_exit "Usage: bastille rdr TARGET [clear|list|(tcp|udp host_port jail_port)]"
+    error_exit "Usage: bastille rdr TARGET [clear|list|(tcp|udp host_port jail_port [log ['(' logopts ')'] ] )]"
 }
 
 # Handle special-case commands first.
@@ -91,6 +91,16 @@ if ! grep -qs "$1 $2 $3" "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"; then
 fi
 }
 
+persist_rdr_log_rule() {
+proto=$1;host_port=$2;jail_port=$3;
+shift 3;
+log=$@;
+if ! grep -qs "$proto $host_port $jail_port $log" "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"; then
+    echo "$proto $host_port $jail_port $log" >> "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"
+fi
+}
+
+
 # function: load rdr rule via pfctl
 load_rdr_rule() {
 ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
@@ -98,6 +108,16 @@ load_rdr_rule() {
       | pfctl -a "rdr/${JAIL_NAME}" -f-
 }
 
+# function: load rdr rule with log via pfctl
+load_rdr_log_rule() {
+proto=$1;host_port=$2;jail_port=$3;
+shift 3;
+log=$@
+( pfctl -a "rdr/${JAIL_NAME}" -Psn;
+  printf '%s\nrdr pass %s on $ext_if inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "$log" "$proto" "$host_port" "$JAIL_IP" "$jail_port" ) \
+      | pfctl -a "rdr/${JAIL_NAME}" -f-
+}
+
 while [ $# -gt 0 ]; do
     case "$1" in
         list)
@@ -127,11 +147,44 @@ while [ $# -gt 0 ]; do
         tcp|udp)
             if [ $# -lt 3 ]; then
                 usage
+            elif [ $# -eq 3 ]; then
+                check_jail_validity
+                persist_rdr_rule $1 $2 $3
+                load_rdr_rule $1 $2 $3
+                shift 3
+            else
+                case "$4" in
+                    log)
+                        proto=$1
+                        host_port=$2
+                        jail_port=$3
+                        shift 3
+                        if [ $# -gt 3 ]; then
+                            for last in $@; do
+				true
+                            done
+                            if [ $2 == "(" ] && [ $last == ")" ] ; then
+                                check_jail_validity
+                                persist_rdr_log_rule $proto $host_port $jail_port $@
+                                load_rdr_log_rule $proto $host_port $jail_port $@
+                                shift $#
+                            else
+                                usage
+                            fi
+                        elif [ $# -eq 1 ]; then
+                            check_jail_validity
+                            persist_rdr_log_rule $proto $host_port $jail_port $@
+                            load_rdr_log_rule $proto $host_port $jail_port $@
+                            shift 1
+                        else
+                            usage
+                        fi
+                        ;;
+                    *)
+                        usage
+                        ;;
+                esac
             fi
-            check_jail_validity
-            persist_rdr_rule $1 $2 $3
-            load_rdr_rule $1 $2 $3
-            shift 3
             ;;
         *)
             usage