From ae39ededbb57d0adf3c5eac83bbcf549f0798444 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 18 Jun 2025 18:56:02 -0600 Subject: [PATCH 01/11] rdr: Allow setting table name as source --- usr/local/share/bastille/rdr.sh | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh index 1cabc9e3..631a10c6 100644 --- a/usr/local/share/bastille/rdr.sh +++ b/usr/local/share/bastille/rdr.sh @@ -108,6 +108,17 @@ check_rdr_ip_validity() { fi } +check_rdr_table_validity() { + + local table="${1}" + + if ! pfctl -t "${table}" -T show; then + info "\nValid: (${table})." + else + info "\nValid: (${table})." + fi +} + validate_rdr_rule() { local if="${1}" @@ -261,9 +272,14 @@ while [ "$#" -gt 0 ]; do fi ;; -s|--source) - check_rdr_ip_validity "${2}" + if echo "${2}" | grep -Eoq "([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|.*:.*"; then + check_rdr_ip_validity "${2}" + RDR_SRC="${2}" + else + check_rdr_table_validity "${2}" + RDR_SRC="$(echo "${2}" | sed -e 's/^//')" + fi OPTION_SRC=1 - RDR_SRC="${2}" shift 2 ;; -t|--type) From aed09d68b995c3b9b4d9221414d75c817313e657 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 18 Jun 2025 19:00:09 -0600 Subject: [PATCH 02/11] docs: rdr: add docs for table as source --- docs/chapters/subcommands/rdr.rst | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/docs/chapters/subcommands/rdr.rst b/docs/chapters/subcommands/rdr.rst index ecf37c63..f2527bf4 100644 --- a/docs/chapters/subcommands/rdr.rst +++ b/docs/chapters/subcommands/rdr.rst 
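Review bot: Both branches of the `if` in `check_rdr_table_validity` print `Valid: (${table})`, so at this commit a table name that `pfctl -T show` rejects is still reported as valid and the caller proceeds with it; patch 05 in this series turns the first branch into `error_exit` and patch 10 silences pfctl's own output, but neither documents the new function. I would add a header comment above it, `# Verify that a pf table named $1 exists (pfctl -t NAME -T show) and report it as valid or invalid.`, and write the test in positive form, `if pfctl -t "${table}" -T show; then info ...; else error_exit ...; fi`, so the success path reads first and the negation disappears. The function is complete within the hunk; `validate_rdr_rule`, whose opening lines follow it, continues outside the hunk.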
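Review bot: `RDR_SRC="$(echo "${2}" | sed -e 's/^//')"` in the new table branch is a no-op — `s/^//` replaces the empty start-of-line match with nothing — so the subshell and sed produce exactly the bare name the IP branch assigns with `RDR_SRC="${2}"`. If the intent was to emit pf's `<name>` table syntax, which pf needs to tell a table apart from a hostname in a rule, the line should be `RDR_SRC="<${2}>"`; if `validate_rdr_rule` (outside this hunk) adds the angle brackets itself, the line should simply be `RDR_SRC="${2}"`, and a one-line comment stating which of the two holds would stop the next reader from guessing. Separately, the `grep -Eoq` pattern has an unbalanced `(`, which patch 09 of this series corrects, and `-o` has no effect together with `-q`. The enclosing `while`/`case` over the arguments starts and ends outside the hunk.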
@@ -35,8 +35,8 @@ The ``rdr`` command includes 4 additional options: .. code-block:: shell -i | --interface [interface] Set the interface to create the rdr rule on. Useful if you have multiple interfaces. - -s | --source [source ip] Limit rdr to a source IP. Useful to only allow access from a certian IP or subnet. - -d | --destination [destination ip] Limit rdr to a destination IP. Useful if you have multiple IPs on one interface. + -s | --source [source] Limit rdr to a source IP or table. Useful to only allow access from certain sources. + -d | --destination [destination] Limit rdr to a destination IP. Useful if you have multiple IPs on one interface. -t | --type [ipv4|ipv6] Specify IP type. Must be used if -s or -d are used. Defaults to both. .. code-block:: shell @@ -68,6 +68,9 @@ The options can be used together, as seen above. If you have multiple interfaces assigned to your jail, ``bastille rdr`` will only redirect using the default one. +It is also possible to specify a pf table as the source, providing it exists. Simply use the table +name instead of an IP address or subnet. + .. code-block:: shell # bastille rdr --help @@ -76,7 +79,7 @@ only redirect using the default one. Options: -i | --interface [interface] Set the interface to create the rdr rule on. Useful if you have multiple interfaces. - -s | --source [source ip] Limit rdr to a source IP. Useful to only allow access from a certian IP or subnet. - -d | --destination [destination ip] Limit rdr to a destination IP. Useful if you have multiple IPs on one interface. + -s | --source [source] Limit rdr to a source IP or table. Useful to only allow access from certain sources. + -d | --destination [destination] Limit rdr to a destination IP. Useful if you have multiple IPs on one interface. -t | --type [ipv4|ipv6] Specify IP type. Must be used if -s or -d are used. Defaults to both. - -x | --debug Enable debug mode. \ No newline at end of file + -x | --debug Enable debug mode. 
From 00640f267840b188d8f9506754729107562add8f Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 18 Jun 2025 19:01:16 -0600 Subject: [PATCH 03/11] rdr: Fix help message --- usr/local/share/bastille/rdr.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh index 631a10c6..62971d30 100644 --- a/usr/local/share/bastille/rdr.sh +++ b/usr/local/share/bastille/rdr.sh @@ -38,11 +38,11 @@ usage() { Options: - -d | --destination [destination ip] Limit rdr to a destination IP. Useful if you have multiple IPs on one interface. - -i | --interface [interface] Set the interface to create the rdr rule on. Useful if you have multiple interfaces. - -s | --source [source ip] Limit rdr to a source IP. Useful to only allow access from a certian IP or subnet. - -t | --type [ipv4|ipv6] Specify IP type. Must be used if -s or -d are used. Defaults to both. - -x | --debug Enable debug mode. + -d | --destination [destination] Limit rdr to a destination IP. Useful if you have multiple IPs on one interface. + -i | --interface [interface] Set the interface to create the rdr rule on. Useful if you have multiple interfaces. + -s | --source [source] Limit rdr to a source IP or table. Useful to only allow access from certain sources. + -t | --type [ipv4|ipv6] Specify IP type. Must be used if -s or -d are used. Defaults to both. + -x | --debug Enable debug mode. EOF exit 1 From 58a74fa3f65bbcdcb4d38bce86a8b9c6fbcd599c Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 18 Jun 2025 19:02:22 -0600 Subject: [PATCH 04/11] docs: rdr: fix help message --- docs/chapters/subcommands/rdr.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/chapters/subcommands/rdr.rst b/docs/chapters/subcommands/rdr.rst index f2527bf4..ea1d15cb 100644 
--- a/docs/chapters/subcommands/rdr.rst +++ b/docs/chapters/subcommands/rdr.rst @@ -34,10 +34,10 @@ The ``rdr`` command includes 4 additional options: .. code-block:: shell - -i | --interface [interface] Set the interface to create the rdr rule on. Useful if you have multiple interfaces. - -s | --source [source] Limit rdr to a source IP or table. Useful to only allow access from certain sources. - -d | --destination [destination] Limit rdr to a destination IP. Useful if you have multiple IPs on one interface. - -t | --type [ipv4|ipv6] Specify IP type. Must be used if -s or -d are used. Defaults to both. + -d | --destination [destination] Limit rdr to a destination IP. Useful if you have multiple IPs on one interface. + -i | --interface [interface] Set the interface to create the rdr rule on. Useful if you have multiple interfaces. + -s | --source [source] Limit rdr to a source IP or table. Useful to only allow access from certain sources. + -t | --type [ipv4|ipv6] Specify IP type. Must be used if -s or -d are used. Defaults to both. .. code-block:: shell @@ -78,8 +78,8 @@ name instead of an IP address or subnet. Options: + -d | --destination [destination] Limit rdr to a destination IP. Useful if you have multiple IPs on one interface. -i | --interface [interface] Set the interface to create the rdr rule on. Useful if you have multiple interfaces. -s | --source [source] Limit rdr to a source IP or table. Useful to only allow access from certain sources. - -d | --destination [destination] Limit rdr to a destination IP. Useful if you have multiple IPs on one interface. -t | --type [ipv4|ipv6] Specify IP type. Must be used if -s or -d are used. Defaults to both. -x | --debug Enable debug mode. From f65ae95212734f7c4179cec5da95119c424427cb Mon Sep 17 00:00:00 2001 
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 18 Jun 2025 19:12:31 -0600 Subject: [PATCH 05/11] rdr: Fix exit on invalid table --- usr/local/share/bastille/rdr.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh index 62971d30..80122b5e 100644 --- a/usr/local/share/bastille/rdr.sh +++ b/usr/local/share/bastille/rdr.sh @@ -113,7 +113,7 @@ check_rdr_table_validity() { local table="${1}" if ! pfctl -t "${table}" -T show; then - info "\nValid: (${table})." + error_exit "\nInvalid: (${table})." else info "\nValid: (${table})." fi From 78b4c6c86185abb58569db51459d62b9ee1df233 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 18 Jun 2025 21:00:42 -0600 Subject: [PATCH 06/11] =?UTF-8?q?list:=20add=20missing=20=E2=80=9Creleases?= =?UTF-8?q?=E2=80=9D?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- usr/local/share/bastille/list.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index 8d5a1c59..387c420e 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -34,7 +34,7 @@ usage() { error_notify "Usage: bastille list [option(s)] [RELEASE (-p)] [all] [backup(s)] [export(s)] [import(s)] [ip(s)] [jail(s)] [limit(s)] [log(s)]" - error_notify " [path(s)] [port(s)] [prio|priority] [state(s)] [template(s)]" + error_notify " [path(s)] [port(s)] [prio|priority] [release(s)] [state(s)] [template(s)]" cat << EOF Options: From 7303db152165d5c4e25f42031b25f9687ab8afd7 Mon Sep 17 00:00:00 2001 
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 18 Jun 2025 21:01:29 -0600 Subject: [PATCH 07/11] =?UTF-8?q?docs:=20list:=20add=20missing=20=E2=80=9C?= =?UTF-8?q?releases=E2=80=9D?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/chapters/subcommands/list.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/chapters/subcommands/list.rst b/docs/chapters/subcommands/list.rst index 4757a577..5d278dfa 100644 --- a/docs/chapters/subcommands/list.rst +++ b/docs/chapters/subcommands/list.rst @@ -13,7 +13,7 @@ to print in columns instead of rows. ishmael ~ # bastille list help Usage: bastille list [option(s)] [RELEASE (-p)] [all] [backup(s)] [export(s)] [import(s)] [ip(s)] [jail(s)] [limit(s)] [log(s)] - [path(s)] [port(s)] [prio|priority] [state(s)] [template(s)] + [path(s)] [port(s)] [prio|priority] [release(s)] [state(s)] [template(s)] Options: -d | --down List stopped jails only. From a03fd2e007ca7b28612a791688c780127262819a Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 19 Jun 2025 08:36:02 -0600 Subject: [PATCH 08/11] docs: list: Update help docs --- docs/chapters/subcommands/list.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/chapters/subcommands/list.rst b/docs/chapters/subcommands/list.rst index 5d278dfa..b5f7e85b 100644 --- a/docs/chapters/subcommands/list.rst +++ b/docs/chapters/subcommands/list.rst 
@@ -2,9 +2,9 @@ list ==== List jails, ports, releases, templates, logs, limits, exports and imports and much more -managed by bastille. +managed by bastille. See the ``help`` output below. -Using `bastille list` without args will print with all the info we feel is most important. +Using `bastille list` without args will print all jails with the info we feel is most important. Most options can be printed in JSON format by including the ``-j|--json`` flag. Use ``-p|--pretty`` to print in columns instead of rows. From a90e29244dfa1ed43ddad898928a18b715e5fdbb Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 20 Jun 2025 12:23:45 -0600 Subject: [PATCH 09/11] rdr: Fix () --- usr/local/share/bastille/rdr.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh index 80122b5e..a1bcb304 100644 --- a/usr/local/share/bastille/rdr.sh +++ b/usr/local/share/bastille/rdr.sh @@ -272,7 +272,7 @@ while [ "$#" -gt 0 ]; do fi ;; -s|--source) - if echo "${2}" | grep -Eoq "([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|.*:.*"; then + if echo "${2}" | grep -Eoq "([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|.*:.*)"; then check_rdr_ip_validity "${2}" RDR_SRC="${2}" else From d3c192e347cd0f18d26c1dbc849d148448824ac9 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 20 Jun 2025 12:37:40 -0600 Subject: [PATCH 10/11] rdr: suppress table output --- usr/local/share/bastille/rdr.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh index a1bcb304..90147c9d 100644 --- a/usr/local/share/bastille/rdr.sh +++ b/usr/local/share/bastille/rdr.sh 
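Review bot: With the parenthesis balanced, the pattern still matches more loosely than its shape suggests: `[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+` is unanchored and `.*:.*` is just "contains a colon", so `grep -Eq '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|:'` is the equivalent and clearer form, and `-o` does nothing under `-q`. Since the real validation happens in `check_rdr_ip_validity` and this test only chooses the branch, a comment above it, `# dispatch only: anything shaped like an IPv4/IPv6 literal goes to the IP check, everything else is treated as a table name`, would make that role explicit. The enclosing `case` arm continues outside the hunk.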
@@ -112,7 +112,7 @@ check_rdr_table_validity() { local table="${1}" - if ! pfctl -t "${table}" -T show; then + if ! pfctl -t "${table}" -T show > /dev/null 2>&1; then error_exit "\nInvalid: (${table})." else info "\nValid: (${table})." From fe12a245259a4f27597af46b52fdd60a1fcd3cea Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 20 Jun 2025 12:54:50 -0600 Subject: [PATCH 11/11] rdr: Load tables on both stacks by default --- usr/local/share/bastille/rdr.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh index 90147c9d..19876671 100644 --- a/usr/local/share/bastille/rdr.sh +++ b/usr/local/share/bastille/rdr.sh @@ -248,6 +248,7 @@ OPTION_IF=0 OPTION_SRC=0 OPTION_DST=0 OPTION_INET_TYPE=0 +OPT_SRC_TABLE=0 while [ "$#" -gt 0 ]; do case "${1}" in -h|--help|help) @@ -277,6 +278,7 @@ while [ "$#" -gt 0 ]; do RDR_SRC="${2}" else check_rdr_table_validity "${2}" + OPT_SRC_TABLE=1 RDR_SRC="$(echo "${2}" | sed -e 's/^//')" fi OPTION_SRC=1 @@ -357,8 +359,8 @@ while [ "$#" -gt 0 ]; do tcp|udp) if [ "$#" -lt 3 ]; then usage - elif [ "${OPTION_SRC}" -eq 1 ] || [ "${OPTION_DST}" -eq 1 ] && [ "${OPTION_INET_TYPE}" -ne 1 ];then - error_exit "[ERROR]: [-t|--type] must be set when using [-s|--source] or [-d|--destination]" + elif [ "${OPTION_SRC}" -eq 1 ] || [ "${OPTION_DST}" -eq 1 ] && [ "${OPTION_INET_TYPE}" -ne 1 ] && [ "${OPT_SRC_TABLE}" -eq 0 ];then + error_exit "[ERROR]: [-t|--type] must be set when NOT using a table as [-s|--source] or [-d|--destination]." elif [ "$#" -eq 3 ]; then check_jail_validity validate_rdr_rule $RDR_IF $RDR_SRC $RDR_DST $1 $2 $3
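Review bot: Redirecting both stdout and stderr of `pfctl -T show` to /dev/null discards the reason pfctl gives when it fails, so a table that does not exist and a pfctl that cannot open /dev/pf at all (for example when the command is run without sufficient privileges) both surface as the same `Invalid: (name)` message. Discarding only stdout keeps the table listing quiet while preserving the diagnostic: `if ! pfctl -t "${table}" -T show > /dev/null; then`; or capture it into the message with `err="$(pfctl -t "${table}" -T show 2>&1 >/dev/null)" || error_exit "\nInvalid: (${table}): ${err}"`. The function's closing `fi` and `}` lie outside the hunk.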
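Review bot: The new flag is named `OPT_SRC_TABLE` while every neighbouring flag in this block (`OPTION_IF`, `OPTION_SRC`, `OPTION_DST`, `OPTION_INET_TYPE`) uses the `OPTION_` prefix; the same spelling appears in the two later hunks of this patch where it is set and tested. Renaming it `OPTION_SRC_TABLE` in all three places keeps the option flags greppable as one family. A short comment on the declaration, `# 1 when -s names a pf table rather than an IP address`, would also document what the flag means, since the hunk that sets it is some thirty lines away.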
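Review bot: The added `&& [ "${OPT_SRC_TABLE}" -eq 0 ]` switches the whole `-t` check off whenever the source is a table, so `-s <table> -d <ip>` without `-t` now passes even though the destination is still a literal address; shell `||` and `&&` have equal precedence, so the condition reads as `((SRC || DST) && !TYPE) && !TABLE`. Requiring the type only for a literal source or for any destination would be `elif { [ "${OPTION_SRC}" -eq 1 ] && [ "${OPT_SRC_TABLE}" -eq 0 ] || [ "${OPTION_DST}" -eq 1 ]; } && [ "${OPTION_INET_TYPE}" -ne 1 ]; then`, with the message reworded to `[-t|--type] must be set when [-s|--source] is an IP address or when using [-d|--destination].`, since tables are only accepted for the source. The enclosing `case` arm and `while` loop continue outside the hunk.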