Merge pull request #765 from tschettervictor/rdr-multiple-interfaces

RDR Improvements: Allow TO/FROM+INTERACE+IP STACK
2025-12-11 17:39:52 +01:00 · 2025-02-22 20:56:28 -08:00
parent e0e9dc95be 4aa9ca555f
commit 94a785af90
3 changed files with 373 additions and 115 deletions
--- a/docs/chapters/subcommands/rdr.rst
+++ b/docs/chapters/subcommands/rdr.rst
@@ -14,13 +14,67 @@ specify the interface they run on in rc.conf (or other config files)
 .. code-block:: shell

    # bastille rdr --help
-    Usage: bastille rdr TARGET [clear] | [list] | [tcp <host_port> <jail_port>] | [udp <host_port> <jail_port>]
+    Usage: bastille rdr TARGET [option(s)] [clear|reset|list|(tcp|udp host_port jail_port [log ['(' logopts ')'] ] )]
+    Options:
+
+    -i | --interface   [interface]               Set the interface to create the rdr rule on. Useful if you have multiple interfaces.
+    -s | --source      [source ip]               Limit rdr to a source IP. Useful to only allow access from a certian IP or subnet.
+    -d | --destination [destination ip]          Limit rdr to a destination IP. Useful if you have multiple IPs on one interface.
+    -t | --type        [ipv4|ipv6]               Specify IP type. Must be used if -s or -d are used. Defaults to both.
+    -x | --debug                                 Enable debug mode.
+    
    # bastille rdr dev1 tcp 2001 22
+    [jail1]:
+    IPv4 tcp/2001:22  on em0
+   
    # bastille rdr dev1 list
    rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
+    
    # bastille rdr dev1 udp 2053 53
+    [jail1]:
+    IPv4 udp/2053:53 on em0
+    
    # bastille rdr dev1 list
-    rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
-    rdr on em0 inet proto udp from any to any port = 2053 -> 10.17.89.1 port 53
+    rdr pass on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
+    rdr pass on em0 inet proto udp from any to any port = 2053 -> 10.17.89.1 port 53
+    
    # bastille rdr dev1 clear
    nat cleared
+
+The `rdr` command includes 4 additional options:
+
+.. code-block:: shell
+
+    -i | --interface   [interface]               Set the interface to create the rdr rule on. Useful if you have multiple interfaces.
+    -s | --source      [source ip]               Limit rdr to a source IP. Useful to only allow access from a certian IP or subnet.
+    -d | --destination [destination ip]          Limit rdr to a destination IP. Useful if you have multiple IPs on one interface.
+    -t | --type        [ipv4|ipv6]               Specify IP type. Must be used if -s or -d are used. Defaults to both.
+
+.. code-block:: shell
+
+    # bastille rdr dev1 -i vtnet0 udp 8000 80
+    [jail1]:
+    IPv4 tcp/8000:80 on vtnet0
+    
+    # bastille rdr dev1 -s 192.168.0.1 tcp 8080 81
+    [jail1]:
+    IPv4 tcp/8080:81 on em0
+
+    # bastille rdr dev1 -d 192.168.0.84 tcp 8082 82
+    [jail1]:
+    IPv4 tcp/8082:82 on em0
+
+    # bastille rdr dev1 -i vtnet0 -d 192.168.0.45 tcp 9000 9000
+    [jail1]:
+    IPv4 tcp/9000:9000 on vtnet0
+
+    # bastille rdr dev1 list
+    rdr pass on vtnet0 inet proto udp from any to any port = 2001 -> 10.17.89.1 port 22
+    rdr pass on em0 inet proto tcp from 192.168.0.1 to any port = 8080 -> 10.17.89.1 port 81
+    rdr pass on em0 inet proto tcp from any to 192.168.0.84 port = 8082 -> 10.17.89.1 port 82
+    rdr pass on vtnet0 inet proto tcp from any to 192.168.0.45 port = 9000 -> 10.17.89.1 port 9000
+
+The options can be used together, as seen above.
+
+If you have multiple interfaces assigned to your jail, `bastille rdr` will
+only redirect using the default one.