Add dynamic rdr

docs/chapters/networking.rst

@@ -103,14 +103,21 @@ Create the firewall rules:
   table <jails> persist
   nat on $ext_if from <jails> to any -> ($ext_if)
   
-  ## rdr example
+  ## static rdr example
   ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
+
+  ## dynamic rdr anchor (see below)
+  rdr-anchor "rdr/*"
   
   block in all
   pass out quick modulate state
   antispoof for $ext_if inet
   pass in inet proto tcp from any to any port ssh flags S/SA modulate state
 
+  # If you are using dynamic rdr also need to ensure that the external port
+  # range you are using is open
+  # pass in inet proto tcp any to any port <rdr-start>:<rdr-end>
+
 - Make sure to change the `ext_if` variable to match your host system interface.
 - Make sure to include the last line (`port ssh`) or you'll end up locked out.
 
@@ -121,7 +128,7 @@ to containers are:
 
   nat on $ext_if from <jails> to any -> ($ext_if)
   
-  ## rdr example
+  ## static rdr example
   ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
 
 The `nat` routes traffic from the loopback interface to the external
@@ -131,6 +138,23 @@ The `rdr pass ...` will redirect traffic from the host firewall on port X to
 the ip of Container Y. The example shown redirects web traffic (80 & 443) to the
 containers at `10.17.89.45`.
 
+  ## dynamic rdr anchor (see below)
+  rdr-anchor "rdr/*"
+
+The `rdr-anchor "rdr/*"` anables dynamic rdr rules to be setup using the 
+`bastille rdr` command at runtime - eg.
+
+  bastille rdr <jail> --tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail
+  bastille rdr <jail> --udp 2053 53 # Same for udp
+  bastille rdr <jail> --list        # List dynamic rdr rules
+  bastille rdr <jail> --clear       # Clear dynamic rdr rules
+
+  Note that if you are rediirecting ports where the host is also listening
+  (eg. ssh) you should make sure that the host service is not listening on 
+  the cloned interface - eg. for ssh set sshd_flags in rc.conf
+
+  sshd_flags="-o ListenAddress=<hostname>"
+
 Finally, start up the firewall:
 
 .. code-block:: shell

docs/chapters/subcommands/rdr.rst

@@ -0,0 +1,27 @@
+===
+rdr
+===
+
+`bastille rdr` allows yiou to configure dynamic rdr rules for your containers
+without modifying pf.conf (assuming you are using the `bastille0` interface 
+for a private network and have enabled `rdr-anchor 'rdr/*'` in /etc/pf.conf 
+as described in the Networking section).
+
+Note: you need to be careful if host services are configured to run 
+on all interfaces as by default thsi will 
+
+.. code-block:: shell
+
+    # bastille rdr --help
+    Usage: bastille rdr TARGET [--clear] | [--list] | [--tcp <host_port> <jail_port>] | [--udp <host_port> <jail_port>]
+    # bastille rdr dev1 --tcp 2001 22
+    # bastille rdr dev1 --list
+    rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
+    # bastille rdr dev1 --udp 2053 53
+    # bastille rdr dev1 --list
+    rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
+    rdr on em0 inet proto udp from any to any port = 2053 -> 10.17.89.1 port 53
+    # bastille rdr dev1 --clear
+    nat cleared
+
+