From 74fdcbdcb51d809c9f9923d72fedc18c5accc2c0 Mon Sep 17 00:00:00 2001 From: Christer Edwards Date: Sat, 9 Jan 2021 15:42:24 -0700 Subject: [PATCH] rdr now persists rules by default; rdr.sh cleanup --- usr/local/share/bastille/rdr.sh | 45 ++++++++++++++++------------ usr/local/share/bastille/template.sh | 3 -- 2 files changed, 26 insertions(+), 22 deletions(-) diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh index 2490eb2c..a133d4a5 100644 --- a/usr/local/share/bastille/rdr.sh +++ b/usr/local/share/bastille/rdr.sh @@ -1,5 +1,8 @@ #!/bin/sh # +# Copyright (c) 2018-2021, Christer Edwards +# All rights reserved. +# # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are met: # @@ -29,7 +32,7 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille rdr TARGET [clear] | [list] | [tcp ] | [udp ]" + error_exit "Usage: bastille rdr TARGET [clear|list|(tcp|udp host_port jail_port)]" } # Handle special-case commands first. @@ -51,13 +54,13 @@ if [ "${TARGET}" = 'ALL' ]; then error_exit "Can only redirect to a single jail." fi -# Check jail name valid +# Check if jail name is valid JAIL_NAME=$(jls -j "${TARGET}" name 2>/dev/null) if [ -z "${JAIL_NAME}" ]; then error_exit "Jail not found: ${TARGET}" fi -# Check jail ip4 address valid +# Check if jail ip4 address (ip4.addr) is valid (non-VNET only) if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then JAIL_IP=$(jls -j "${TARGET}" ip4.addr 2>/dev/null) if [ -z "${JAIL_IP}" -o "${JAIL_IP}" = "-" ]; then @@ -65,17 +68,31 @@ if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then fi fi -# Check rdr-anchor is setup in pf.conf +# Check if rdr-anchor is defined in pf.conf if ! (pfctl -sn | grep rdr-anchor | grep 'rdr/\*' >/dev/null); then error_exit "rdr-anchor not found in pf.conf" fi -# Check ext_if is setup in pf.conf +# Check if ext_if is defined in pf.conf EXT_IF=$(grep '^[[:space:]]*ext_if[[:space:]]*=' /etc/pf.conf) -if [ -z "${JAIL_NAME}" ]; then +if [ -z "${EXT_IF}" ]; then error_exit "ext_if not defined in pf.conf" fi +# function: write rule to rdr.conf +persist_rdr_rule() { +if ! grep -qs "$1 $2 $3" "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"; then + echo "$1 $2 $3" >> "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf" +fi +} + +# function: load rdr rule via pfctl +load_rdr_rule() { +( pfctl -a "rdr/${JAIL_NAME}" -Psn; + printf '%s\nrdr pass on $ext_if inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "$1" "$2" "$JAIL_IP" "$3" ) \ + | pfctl -a "rdr/${JAIL_NAME}" -f- +} + while [ $# -gt 0 ]; do case "$1" in list) @@ -86,22 +103,12 @@ while [ $# -gt 0 ]; do pfctl -a "rdr/${JAIL_NAME}" -Fn shift ;; - tcp) + tcp|udp) if [ $# -lt 3 ]; then usage fi - ( pfctl -a "rdr/${JAIL_NAME}" -Psn; - printf '%s\nrdr pass on $ext_if inet proto tcp to port %s -> %s port %s\n' "$EXT_IF" "$2" "$JAIL_IP" "$3" ) \ - | pfctl -a "rdr/${JAIL_NAME}" -f- - shift 3 - ;; - udp) - if [ $# -lt 3 ]; then - usage - fi - ( pfctl -a "rdr/${JAIL_NAME}" -Psn; - printf '%s\nrdr pass on $ext_if inet proto udp to port %s -> %s port %s\n' "$EXT_IF" "$2" "$JAIL_IP" "$3" ) \ - | pfctl -a "rdr/${JAIL_NAME}" -f- + persist_rdr_rule $1 $2 $3 + load_rdr_rule $1 $2 $3 shift 3 ;; *) diff --git a/usr/local/share/bastille/template.sh b/usr/local/share/bastille/template.sh index d43ba95c..24a3f7f9 100644 --- a/usr/local/share/bastille/template.sh +++ b/usr/local/share/bastille/template.sh @@ -42,9 +42,6 @@ post_command_hook() { case $_cmd in rdr) - if ! grep -qs "${_args}" "${bastille_jailsdir}/${_jail}/rdr.conf"; then - echo "${_args}" >> "${bastille_jailsdir}/${_jail}/rdr.conf" - fi echo -e ${_args} esac }