Merge branch 'BastilleBSD:master' into destroy-new-functions

BastilleBSD · Feb 23, 2025 · 44d6e90 · 44d6e90
2 parents 90a6445 + 94a785a
commit 44d6e90
Show file tree

Hide file tree

Showing 3 changed files with 369 additions and 111 deletions.
diff --git a/docs/chapters/subcommands/rdr.rst b/docs/chapters/subcommands/rdr.rst
@@ -14,13 +14,67 @@ specify the interface they run on in rc.conf (or other config files)
 .. code-block:: shell
 
     # bastille rdr --help
-    Usage: bastille rdr TARGET [clear] | [list] | [tcp <host_port> <jail_port>] | [udp <host_port> <jail_port>]
+    Usage: bastille rdr TARGET [option(s)] [clear|reset|list|(tcp|udp host_port jail_port [log ['(' logopts ')'] ] )]
+    Options:
+
+    -i | --interface   [interface]               Set the interface to create the rdr rule on. Useful if you have multiple interfaces.
+    -s | --source      [source ip]               Limit rdr to a source IP. Useful to only allow access from a certian IP or subnet.
+    -d | --destination [destination ip]          Limit rdr to a destination IP. Useful if you have multiple IPs on one interface.
+    -t | --type        [ipv4|ipv6]               Specify IP type. Must be used if -s or -d are used. Defaults to both.
+    -x | --debug                                 Enable debug mode.
+    
     # bastille rdr dev1 tcp 2001 22
+    [jail1]:
+    IPv4 tcp/2001:22  on em0
+   
     # bastille rdr dev1 list
     rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
+    
     # bastille rdr dev1 udp 2053 53
+    [jail1]:
+    IPv4 udp/2053:53 on em0
+    
     # bastille rdr dev1 list
-    rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
-    rdr on em0 inet proto udp from any to any port = 2053 -> 10.17.89.1 port 53
+    rdr pass on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
+    rdr pass on em0 inet proto udp from any to any port = 2053 -> 10.17.89.1 port 53
+    
     # bastille rdr dev1 clear
     nat cleared
+
+The `rdr` command includes 4 additional options:
+
+.. code-block:: shell
+
+    -i | --interface   [interface]               Set the interface to create the rdr rule on. Useful if you have multiple interfaces.
+    -s | --source      [source ip]               Limit rdr to a source IP. Useful to only allow access from a certian IP or subnet.
+    -d | --destination [destination ip]          Limit rdr to a destination IP. Useful if you have multiple IPs on one interface.
+    -t | --type        [ipv4|ipv6]               Specify IP type. Must be used if -s or -d are used. Defaults to both.
+
+.. code-block:: shell
+
+    # bastille rdr dev1 -i vtnet0 udp 8000 80
+    [jail1]:
+    IPv4 tcp/8000:80 on vtnet0
+    
+    # bastille rdr dev1 -s 192.168.0.1 tcp 8080 81
+    [jail1]:
+    IPv4 tcp/8080:81 on em0
+
+    # bastille rdr dev1 -d 192.168.0.84 tcp 8082 82
+    [jail1]:
+    IPv4 tcp/8082:82 on em0
+
+    # bastille rdr dev1 -i vtnet0 -d 192.168.0.45 tcp 9000 9000
+    [jail1]:
+    IPv4 tcp/9000:9000 on vtnet0
+
+    # bastille rdr dev1 list
+    rdr pass on vtnet0 inet proto udp from any to any port = 2001 -> 10.17.89.1 port 22
+    rdr pass on em0 inet proto tcp from 192.168.0.1 to any port = 8080 -> 10.17.89.1 port 81
+    rdr pass on em0 inet proto tcp from any to 192.168.0.84 port = 8082 -> 10.17.89.1 port 82
+    rdr pass on vtnet0 inet proto tcp from any to 192.168.0.45 port = 9000 -> 10.17.89.1 port 9000
+
+The options can be used together, as seen above.
+
+If you have multiple interfaces assigned to your jail, `bastille rdr` will
+only redirect using the default one.
diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh
@@ -34,7 +34,7 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    error_exit "Usage: bastille list [-j|-a] [release [-p]|template|(jail|container)|log|limit|(import|export|backup)]"
+    error_exit "Usage: bastille list [-j|-a] [release [-p]|template|(jail|container)|log|limit|ports|(import|export|backup)]"
 }
 
 if [ "${1}" = help ] || [ "${1}" = "-h" ] || [ "${1}" = "--help" ]; then
@@ -230,12 +230,28 @@ list_import(){
     ls "${bastille_backupsdir}" | grep -v ".sha256$"
 }
 
+list_ports(){
+    if [ -d "${bastille_jailsdir}" ]; then
+        JAIL_LIST="$(bastille list jails)"
+        for _jail in ${JAIL_LIST}; do
+            if [ -f "${bastille_jailsdir}/${_jail}/rdr.conf" ]; then
+                _PORTS="$(cat ${bastille_jailsdir}/${_jail}/rdr.conf)"
+                info "[${_jail}]:"
+		echo "${_PORTS}"
+	    fi
+        done
+    fi
+}
+
 if [ $# -gt 0 ]; then
     # Handle special-case commands first.
     case "${1}" in
     all|-a|--all)
         list_all
         ;;
+    port|ports)
+        list_ports
+	;;
     release|releases)
         list_release "${2}"
         ;;