Mirrors/hackacad
2
0
Fork 0
mirror of https://github.com/hackacad/bastille.git synced 2026-01-06 04:34:19 +01:00
Code Issues Packages Projects Releases Wiki Activity

rdr: Add debug option, code cleanup

Browse Source
This commit is contained in:
tschettervictor
2025-01-06 18:43:22 -07:00
committed by GitHub
parent 0501dc59a0
commit 6f0d318fd3
1 changed files with 122 additions and 139 deletions
Download Patch File Download Diff File Expand all files Collapse all files

261
usr/local/share/bastille/rdr.sh
View File

@@ -32,82 +32,52 @@
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille rdr TARGET [option(s)] [clear|reset|list|(tcp|udp)] host_port jail_port [log ['(' logopts ')'] ] )]"
error_notify "Usage: bastille rdr [option(s)] TARGET [clear|reset|list|(tcp|udp)] HOST_PORT JAIL_PORT [log ['(' logopts ')'] ] )]"
cat << EOF
Options:
-i | --interface [interface] | -- Set the interface to create the rdr rule on. Useful if you have multiple interfaces.
-s | --source [source ip] | -- Limit rdr to a source IP. Useful to only allow access from a certian IP or subnet.
-d | --destination [destination ip] | -- Limit rdr to a destination IP. Useful if you have multiple IPs on one interface.
-t | --type [ipv4|ipv6] | -- Specify IP type. Must be used if -s or -d are used. Defaults to both.
-d | --destination [destination ip] Limit rdr to a destination IP. Useful if you have multiple IPs on one interface.
-i | --interface [interface] Set the interface to create the rdr rule on. Useful if you have multiple interfaces.
-s | --source [source ip] Limit rdr to a source IP. Useful to only allow access from a certian IP or subnet.
-t | --type [ipv4|ipv6] Specify IP type. Must be used if -s or -d are used. Defaults to both.
-x | --debug Enable debug mode.
EOF
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -lt 2 ]; then
usage
fi
bastille_root_check
TARGET="${1}"
JAIL_NAME=""
JAIL_IP=""
JAIL_IP6=""
shift
check_jail_validity() {
# Can only redirect to single jail
if [ "${TARGET}" = 'ALL' ]; then
error_exit "Can only redirect to a single jail."
fi
# Check if jail name is valid
JAIL_NAME=$(/usr/sbin/jls -j "${TARGET}" name 2>/dev/null)
if [ -z "${JAIL_NAME}" ]; then
error_exit "Jail not found: ${TARGET}"
fi
# Check if jail ip4 address (ip4.addr) is valid (non-VNET only)
if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then
JAIL_IP=$(/usr/sbin/jls -j "${TARGET}" ip4.addr 2>/dev/null)
if [ -z "${JAIL_IP}" ] || [ "${JAIL_IP}" = "-" ]; then
error_exit "Jail IP not found: ${TARGET}"
if [ "$( bastille config ${TARGET} get vnet )" != 'enabled' ]; then
_ip4_interfaces="$(bastille config ${TARGET} get ip4.addr | sed 's/,/ /g')"
_ip6_interfaces="$(bastille config ${TARGET} get ip6.addr | sed 's/,/ /g')"
# Check if jail ip4.addr is valid (non-VNET only)
if [ "${_ip4_interfaces}" != "not set" ] && [ "${_ip4_interfaces}" != "disable" ]; then
JAIL_IP="$(bastille config ${TARGET} get ip4.addr | awk '{print $1}' | awk -F"|" '{print $2}')"
fi
# Check if jail ip6.addr is valid (non-VNET only)
if [ "${_ip6_interfaces}" != "not set" ] && [ "${_ip6_interfaces}" != "disable" ]; then
JAIL_IP6="$(bastille config ${TARGET} get ip6.addr | awk '{print $1}' | awk -F"|" '{print $2}')"
fi
else
error_exit "VNET jails do not support rdr."
fi
# Check if jail ip6 address (ip6.addr) is valid (non-VNET only)
if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then
if [ "$(bastille config $TARGET get ip6)" != 'disable' ] && [ "$(bastille config $TARGET get ip6)" != 'not set' ]; then
JAIL_IP6=$(/usr/sbin/jls -j "${TARGET}" ip6.addr 2>/dev/null)
fi
fi
# Check if rdr-anchor is defined in pf.conf
if ! (pfctl -sn | grep rdr-anchor | grep 'rdr/\*' >/dev/null); then
error_exit "rdr-anchor not found in pf.conf"
fi
}
# function: check if IP is valid
check_rdr_ip_validity() {
local ip4="$1"
local ip6="$(echo "${ip4}" | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$)|SLAAC)')"
local ip="${1}"
local ip6="$( echo "${ip}" | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$)|SLAAC)' )"
if [ -n "${ip6}" ]; then
info "Valid: (${ip6})."
else
local IFS
if echo "${ip4}" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then
TEST_IP=$(echo "${ip4}" | cut -d / -f1)
if echo "${ip}" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then
TEST_IP=$(echo "${ip}" | cut -d / -f1)
IFS=.
set ${TEST_IP}
for quad in 1 2 3 4; do
@@ -115,14 +85,13 @@ check_rdr_ip_validity() {
error_exit "Invalid: (${TEST_IP})"
fi
done
info "Valid: (${ip4})."
info "Valid: (${ip})."
else
error_exit "Invalid: (${ip4})."
error_exit "Invalid: (${ip})."
fi
fi
}
# function: write rule to rdr.conf
persist_rdr_rule() {
local inet="${1}"
local if="${2}"
@@ -131,8 +100,8 @@ persist_rdr_rule() {
local proto="${5}"
local host_port="${6}"
local jail_port="${7}"
if ! grep -qs "$inet $if $src $dst $proto $host_port $jail_port" "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"; then
echo "$inet $if $src $dst $proto $host_port $jail_port" >> "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"
if ! grep -qs "$inet $if $src $dst $proto $host_port $jail_port" "${bastille_jailsdir}/${TARGET}/rdr.conf"; then
echo "$inet $if $src $dst $proto $host_port $jail_port" >> "${bastille_jailsdir}/${TARGET}/rdr.conf"
fi
}
@@ -146,12 +115,11 @@ persist_rdr_log_rule() {
local jail_port="${7}"
shift 7;
log=$@;
if ! grep -qs "$inet $if $src $dst $proto $host_port $jail_port $log" "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"; then
echo "$inet $if $src $dst $proto $host_port $jail_port $log" >> "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"
if ! grep -qs "$inet $if $src $dst $proto $host_port $jail_port $log" "${bastille_jailsdir}/${TARGET}/rdr.conf"; then
echo "$inet $if $src $dst $proto $host_port $jail_port $log" >> "${bastille_jailsdir}/${TARGET}/rdr.conf"
fi
}
# function: load rdr rule via pfctl
load_rdr_rule() {
local inet="${1}"
local if_name="${2}"
@@ -162,30 +130,31 @@ load_rdr_rule() {
local host_port="${6}"
local jail_port="${7}"
# Create IPv4 rdr rule
if [ "${inet}" = "ipv4" ] || [ "${inet}" = "dual" ]; then
if ! ( pfctl -a "rdr/${JAIL_NAME}" -Psn 2>/dev/null;
# shellcheck disable=SC2193
if { [ "${inet}" = "ipv4" ] || [ "${inet}" = "dual" ]; } then
if ! ( pfctl -a "rdr/${TARGET}" -Psn 2>/dev/null;
printf '%s\nrdr pass on $%s inet proto %s from %s to %s port %s -> %s port %s\n' "$if" "${bastille_network_pf_ext_if}" "$proto" "$src" "$dst" "$host_port" "$JAIL_IP" "$jail_port" ) \
| pfctl -a "rdr/${JAIL_NAME}" -f-; then
| pfctl -a "rdr/${TARGET}" -f-; then
error_exit "Failed to create IPv4 rdr rule \"${if_name} ${src} ${dst} ${proto} ${host_port} ${jail_port}\""
else
info "[${JAIL_NAME}]:"
info "[${TARGET}]:"
echo "IPv4 ${proto}/${host_port}:${jail_port} on ${if_name}"
fi
fi
# Create IPv6 rdr rule (if ip6.addr is enabled)
if [ -n "$JAIL_IP6" ] && [ "${inet}" = "ipv6" ] || [ "${inet}" = "dual" ]; then
if ! ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
# shellcheck disable=SC2193
if [ -n "${JAIL_IP6}" ] && { [ "${inet}" = "ipv6" ] || [ "${inet}" = "dual" ]; } then
if ! ( pfctl -a "rdr/${TARGET}" -Psn;
printf '%s\nrdr pass on $%s inet6 proto %s from %s to %s port %s -> %s port %s\n' "$if" "${bastille_network_pf_ext_if}" "$proto" "$src" "$dst" "$host_port" "$JAIL_IP6" "$jail_port" ) \
| pfctl -a "rdr/${JAIL_NAME}" -f-; then
| pfctl -a "rdr/${TARGET}" -f-; then
error_exit "Failed to create IPv6 rdr rule \"${if_name} ${src} ${dst} ${proto} ${host_port} ${jail_port}\""
else
info "[${JAIL_NAME}]:"
echo "IPv6 ${proto}/${host_port}:${jail_port} on ${if_name}"
info "[${TARGET}]:"
echo "IPv6 ${proto}/${src}:${host_port} -> ${dst}:${jail_port} on ${if_name}"
fi
fi
}
# function: load rdr rule with log via pfctl
load_rdr_log_rule() {
local inet="${1}"
local if_name="${2}"
@@ -198,30 +167,32 @@ load_rdr_log_rule() {
shift 7;
log=$@
# Create IPv4 rule with log
if { [ "${inet}" = "ipv4" ] || [ "${inet}" = "dual" ]; }; then
if ! ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
# shellcheck disable=SC2193
if { [ "${inet}" = "ipv4" ] || [ "${inet}" = "dual" ]; } then
if ! ( pfctl -a "rdr/${TARGET}" -Psn;
printf '%s\nrdr pass %s on $%s inet proto %s from %s to %s port %s -> %s port %s\n' "$if" "$log" "${bastille_network_pf_ext_if}" "$proto" "$src" "$dst" "$host_port" "$JAIL_IP" "$jail_port" ) \
| pfctl -a "rdr/${JAIL_NAME}" -f-; then
| pfctl -a "rdr/${TARGET}" -f-; then
error_exit "Failed to create logged IPv4 rdr rule \"${if_name} ${src} ${dst} ${proto} ${host_port} ${jail_port}\""
else
info "[${JAIL_NAME}]:"
echo "IPv4 ${proto}/${host_port}:${jail_port} on ${if_name}"
info "[${TARGET}]:"
echo "IPv4 ${proto}/${src}:${host_port} -> ${dst}:${jail_port} on ${if_name}"
fi
fi
# Create IPv6 rdr rule with log (if ip6.addr is enabled)
if [ -n "$JAIL_IP6" ] && { [ "${inet}" = "ipv6" ] || [ "${inet}" = "dual" ]; };then
if ! ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
# shellcheck disable=SC2193
if [ -n "${JAIL_IP6}" ] && { [ "${inet}" = "ipv6" ] || [ "${inet}" = "dual" ]; } then
if ! ( pfctl -a "rdr/${TARGET}" -Psn;
printf '%s\nrdr pass %s on $%s inet6 proto %s from %s to %s port %s -> %s port %s\n' "$if" "$log" "${bastille_network_pf_ext_if}" "$proto" "$src" "$dst" "$host_port" "$JAIL_IP6" "$jail_port" ) \
| pfctl -a "rdr/${JAIL_NAME}" -f-; then
| pfctl -a "rdr/${TARGET}" -f-; then
error_exit "Failed to create logged IPv6 rdr rule \"${if_name} ${src} ${dst} ${proto} ${host_port} ${jail_port}\""
else
info "[${JAIL_NAME}]:"
echo "IPv6 ${proto}/${host_port}:${jail_port} on ${if_name}"
info "[${TARGET}]:"
echo "IPv6 ${proto}/${src}:${host_port} -> ${dst}:${jail_port} on ${if_name}"
fi
fi
}
# Set defaults
# Handle options.
RDR_IF="$(grep "^[[:space:]]*${bastille_network_pf_ext_if}[[:space:]]*=" ${bastille_pf_conf} | awk -F'"' '{print $2}')"
RDR_SRC="any"
RDR_DST="any"
@@ -230,14 +201,13 @@ OPTION_IF=0
OPTION_SRC=0
OPTION_DST=0
OPTION_INET_TYPE=0
# Check for options
while [ "$#" -gt 0 ]; do
case "$1" in
case "${1}" in
-h|--help|help)
usage
;;
-i|--interface)
if [ -z "${2}" ] || [ -z "${3}" ]; then
usage
elif ifconfig | grep -owq "${2}:"; then
if ifconfig | grep -owq "${2}:"; then
OPTION_IF=1
RDR_IF="${2}"
shift 2
@@ -246,19 +216,13 @@ while [ "$#" -gt 0 ]; do
fi
;;
-s|--source)
if [ -z "${2}" ] || [ -z "${3}" ]; then
usage
else
check_rdr_ip_validity "${2}"
OPTION_SRC=1
RDR_SRC="${2}"
shift 2
fi
check_rdr_ip_validity "${2}"
OPTION_SRC=1
RDR_SRC="${2}"
shift 2
;;
-d|--destination)
if [ -z "${2}" ] || [ -z "${3}" ]; then
usage
elif ifconfig | grep -owq "inet ${2}"; then
if ifconfig | grep -owq "inet ${2}"; then
OPTION_DST=1
RDR_DST="${2}"
shift 2
@@ -267,92 +231,113 @@ while [ "$#" -gt 0 ]; do
fi
;;
-t|--type)
if [ -z "${2}" ] || [ -z "${3}" ]; then
usage
elif [ "${2}" != "ipv4" ] && [ "${2}" != "ipv6" ]; then
usage
if [ "${2}" != "ipv4" ] && [ "${2}" != "ipv6" ]; then
error_exit "[-t|--type] must be [ipv4|ipv6]"
else
OPTION_INET_TYPE=1
RDR_INET="${2}"
shift 2
fi
;;
-*)
error_exit "Unknown option: \"${1}\""
;;
*)
break
;;
esac
done
if [ "$#" -lt 2 ]; then
usage
fi
TARGET="${1}"
JAIL_IP=""
JAIL_IP6=""
shift
bastille_root_check
set_target_single "${TARGET}"
while [ "$#" -gt 0 ]; do
case "${1}" in
list)
if [ "${OPTION_IF}" -eq 1 ] || [ "${OPTION_SRC}" -eq 1 ] || [ "${OPTION_DST}" -eq 1 ] || [ "${OPTION_INET_TYPE}" -eq 1 ]; then
if [ "${OPTION_IF}" -eq 1 ] || [ "${OPTION_SRC}" -eq 1 ] || [ "${OPTION_DST}" -eq 1 ] || [ "${OPTION_INET_TYPE}" -eq 1 ];then
error_exit "Command \"${1}\" cannot be used with options."
elif [ -n "${2}" ]; then
elif [ -n "${2}" ]; then
usage
elif [ "${TARGET}" = 'ALL' ]; then
for JAIL_NAME in $(ls "${bastille_jailsdir}" | sed "s/\n//g"); do
echo "${JAIL_NAME} redirects:"
pfctl -a "rdr/${JAIL_NAME}" -Psn 2>/dev/null
for _jail in $(ls "${bastille_jailsdir}" | sed "s/\n//g"); do
echo "${_jail} redirects:"
pfctl -a "rdr/${_jail}" -Psn 2>/dev/null
done
else
check_jail_validity
pfctl -a "rdr/${JAIL_NAME}" -Psn 2>/dev/null
pfctl -a "rdr/${TARGET}" -Psn 2>/dev/null
fi
shift
;;
clear)
if [ "${OPTION_IF}" -eq 1 ] || [ "${OPTION_SRC}" -eq 1 ] || [ "${OPTION_DST}" -eq 1 ] || [ "${OPTION_INET_TYPE}" -eq 1 ]; then
if [ "${OPTION_IF}" -eq 1 ] || [ "${OPTION_SRC}" -eq 1 ] || [ "${OPTION_DST}" -eq 1 ] || [ "${OPTION_INET_TYPE}" -eq 1 ];then
error_exit "Command \"${1}\" cannot be used with options."
elif [ -n "${2}" ]; then
elif [ -n "${2}" ]; then
usage
elif [ "${TARGET}" = 'ALL' ]; then
for JAIL_NAME in $(ls "${bastille_jailsdir}" | sed "s/\n//g"); do
echo "${JAIL_NAME} redirects:"
pfctl -a "rdr/${JAIL_NAME}" -Fn
for _jail in $(ls "${bastille_jailsdir}" | sed "s/\n//g"); do
echo "${_jail} redirects:"
pfctl -a "rdr/${_jail}" -Fn
done
else
check_jail_validity
pfctl -a "rdr/${JAIL_NAME}" -Fn
pfctl -a "rdr/${TARGET}" -Fn
fi
shift
;;
reset)
if [ "${OPTION_IF}" -eq 1 ] || [ "${OPTION_SRC}" -eq 1 ] || [ "${OPTION_DST}" -eq 1 ] || [ "${OPTION_INET_TYPE}" -eq 1 ]; then
if [ "${OPTION_IF}" -eq 1 ] || [ "${OPTION_SRC}" -eq 1 ] || [ "${OPTION_DST}" -eq 1 ] || [ "${OPTION_INET_TYPE}" -eq 1 ];then
error_exit "Command \"${1}\" cannot be used with options."
elif [ -n "${2}" ]; then
elif [ -n "${2}" ]; then
usage
elif [ "${TARGET}" = 'ALL' ]; then
for JAIL_NAME in $(ls "${bastille_jailsdir}" | sed "s/\n//g"); do
echo "${JAIL_NAME} redirects:"
pfctl -a "rdr/${JAIL_NAME}" -Fn
if rm -f "${bastille_jailsdir}"/"${JAIL_NAME}"/rdr.conf; then
info "[${JAIL_NAME}]: rdr.conf removed"
fi
for _jail in $(ls "${bastille_jailsdir}" | sed "s/\n//g"); do
echo "${_jail} redirects:"
pfctl -a "rdr/${_jail}" -Fn
if rm -f "${bastille_jailsdir}"/"${_jail}"/rdr.conf; then
info "[${_jail}]: rdr.conf removed"
fi
done
else
check_jail_validity
pfctl -a "rdr/${JAIL_NAME}" -Fn
if rm -f "${bastille_jailsdir}"/"${JAIL_NAME}"/rdr.conf; then
info "[${JAIL_NAME}]: rdr.conf removed"
fi
pfctl -a "rdr/${TARGET}" -Fn
if rm -f "${bastille_jailsdir}"/"${_jail}"/rdr.conf; then
info "[${TARGET}]: rdr.conf removed"
fi
fi
shift
;;
tcp|udp)
if [ $# -lt 3 ]; then
if [ "$#" -lt 3 ]; then
usage
elif [ "${OPTION_SRC}" -eq 1 ] || [ "${OPTION_DST}" -eq 1 ] && [ "${OPTION_INET_TYPE}" -ne 1 ]; then
elif [ "${OPTION_SRC}" -eq 1 ] || [ "${OPTION_DST}" -eq 1 ] && [ "${OPTION_INET_TYPE}" -ne 1 ];then
error_exit "[-t|--type] must be set when using [-s|--source] or [-d|--destination]"
elif [ $# -eq 3 ]; then
elif [ "$#" -eq 3 ]; then
check_jail_validity
persist_rdr_rule $RDR_INET $RDR_IF $RDR_SRC $RDR_DST $1 $2 $3
load_rdr_rule $RDR_INET $RDR_IF $RDR_SRC $RDR_DST $1 $2 $3
shift "$#"
else
case "$4" in
case "${4}" in
log)
proto=$1
host_port=$2
jail_port=$3
shift 3
if [ $# -gt 3 ]; then
if [ "$#" -gt 3 ]; then
for last in "$@"; do
true
done
if [ "$2" = "(" ] && [ "$last" = ")" ] ; then
if [ "${2}" = "(" ] && [ "${last}" = ")" ] ; then
check_jail_validity
persist_rdr_log_rule $RDR_INET $RDR_IF $RDR_SRC $RDR_DST $proto $host_port $jail_port "$@"
load_rdr_log_rule $RDR_INET $RDR_IF $RDR_SRC $RDR_DST $proto $host_port $jail_port "$@"
@@ -376,23 +361,21 @@ while [ "$#" -gt 0 ]; do
fi
;;
*)
if [ "${OPTION_SRC}" -eq 1 ] || [ "${OPTION_DST}" -eq 1 ] || [ "${OPTION_INET_TYPE}" -eq 1 ] || [ "${OPTION_IF}" -eq 1 ]; then
usage
elif [ "${1}" = "dual" ] || [ "${1}" = "ipv4" ] || [ "${1}" = "ipv6" ]; then
if [ "${1}" = "dual" ] || [ "${1}" = "ipv4" ] || [ "${1}" = "ipv6" ]; then
RDR_INET="${1}"
else
usage
fi
if [ $# -eq 7 ] && [ "${5}" = "tcp" ] || [ "${5}" = "udp" ]; then
if [ "$#" -eq 7 ] && { [ "${5}" = "tcp" ] || [ "${5}" = "udp" ]; } then
check_jail_validity
persist_rdr_rule "$@"
load_rdr_rule "$@"
shift $#
elif [ $# -ge 8 ] && [ "${8}" = "log" ]; then
shift "$#"
elif [ "$#" -ge 8 ] && [ "${8}" = "log" ]; then
check_jail_validity
persist_rdr_log_rule "$@"
load_rdr_log_rule "$@"
shift $#
shift "$#"
else
usage
fi