hackacad/usr/local/share/bastille/rdr.sh

#!/bin/sh
#
# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
#   list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
#   this list of conditions and the following disclaimer in the documentation
#   and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
#   contributors may be used to endorse or promote products derived from
#   this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf

usage() {
    error_exit "Usage: bastille rdr TARGET [clear|list|(tcp|udp host_port jail_port [log ['(' logopts ')'] ] )]"
}

# Handle special-case commands first.
case "$1" in
help|-h|--help)
    usage
    ;;
esac

if [ $# -lt 2 ]; then
    usage
fi

bastille_root_check

TARGET="${1}"
JAIL_NAME=""
JAIL_IP=""
JAIL_IP6=""
EXT_IF=""
shift

check_jail_validity() {
    # Can only redirect to single jail
    if [ "${TARGET}" = 'ALL' ]; then
        error_exit "Can only redirect to a single jail."
    fi

    # Check if jail name is valid
    JAIL_NAME=$(/usr/sbin/jls -j "${TARGET}" name 2>/dev/null)
    if [ -z "${JAIL_NAME}" ]; then
        error_exit "Jail not found: ${TARGET}"
    fi

    # Check if jail ip4 address (ip4.addr) is valid (non-VNET only)
    if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then
        JAIL_IP=$(/usr/sbin/jls -j "${TARGET}" ip4.addr 2>/dev/null)
        if [ -z "${JAIL_IP}" -o "${JAIL_IP}" = "-" ]; then
            error_exit "Jail IP not found: ${TARGET}"
        fi
    fi
    # Check if jail ip6 address (ip6.addr) is valid (non-VNET only)
    if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then
        if [ "$(bastille config $TARGET get ip6)" != 'disabled' ] && [ "$(bastille config $TARGET get ip6)" != 'not set' ]; then
            JAIL_IP6=$(/usr/sbin/jls -j "${TARGET}" ip6.addr 2>/dev/null)
        fi
    fi


    # Check if rdr-anchor is defined in pf.conf
    if ! (pfctl -sn | grep rdr-anchor | grep 'rdr/\*' >/dev/null); then
        error_exit "rdr-anchor not found in pf.conf"
    fi

    # Check if ext_if is defined in pf.conf
    EXT_IF=$(grep "^[[:space:]]*${bastille_network_pf_ext_if}[[:space:]]*=" /etc/pf.conf)
    if [ -z "${EXT_IF}" ]; then
        error_exit "bastille_network_pf_ext_if (${bastille_network_pf_ext_if}) not defined in pf.conf"
    fi
}

# function: write rule to rdr.conf
persist_rdr_rule() {
if ! grep -qs "$1 $2 $3" "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"; then
    echo "$1 $2 $3" >> "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"
fi
}

persist_rdr_log_rule() {
proto=$1;host_port=$2;jail_port=$3;
shift 3;
log=$@;
if ! grep -qs "$proto $host_port $jail_port $log" "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"; then
    echo "$proto $host_port $jail_port $log" >> "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"
fi
}


# function: load rdr rule via pfctl
load_rdr_rule() {
( pfctl -a "rdr/${JAIL_NAME}" -Psn;
  printf '%s\nrdr pass on $%s inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "${bastille_network_pf_ext_if}" "$1" "$2" "$JAIL_IP" "$3" ) \
      | pfctl -a "rdr/${JAIL_NAME}" -f-
if [ -n "$JAIL_IP6" ]; then
  ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
  printf '%s\nrdr pass on $%s inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "${bastille_network_pf_ext_if}" "$1" "$2" "$JAIL_IP6" "$3" ) \
    | pfctl -a "rdr/${JAIL_NAME}" -f-
fi
}

# function: load rdr rule with log via pfctl
load_rdr_log_rule() {
proto=$1;host_port=$2;jail_port=$3;
shift 3;
log=$@
( pfctl -a "rdr/${JAIL_NAME}" -Psn;
  printf '%s\nrdr pass %s on $%s inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "$log" "${bastille_network_pf_ext_if}" "$proto" "$host_port" "$JAIL_IP" "$jail_port" ) \
      | pfctl -a "rdr/${JAIL_NAME}" -f-
if [ -n "$JAIL_IP6" ]; then
  ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
  printf '%s\nrdr pass %s on $%s inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "$log" "${bastille_network_pf_ext_if}" "$proto" "$host_port" "$JAIL_IP6" "$jail_port" ) \
    | pfctl -a "rdr/${JAIL_NAME}" -f-
fi

}

while [ $# -gt 0 ]; do
    case "$1" in
        list)
            if [ "${TARGET}" = 'ALL' ]; then
                for JAIL_NAME in $(ls "${bastille_jailsdir}" | sed "s/\n//g"); do
                    echo "${JAIL_NAME} redirects:"
                    pfctl -a "rdr/${JAIL_NAME}" -Psn 2>/dev/null
                done
            else
                check_jail_validity
                pfctl -a "rdr/${JAIL_NAME}" -Psn 2>/dev/null
            fi
            shift
            ;;
        clear)
            if [ "${TARGET}" = 'ALL' ]; then
                for JAIL_NAME in $(ls "${bastille_jailsdir}" | sed "s/\n//g"); do
                    echo "${JAIL_NAME} redirects:"
                    pfctl -a "rdr/${JAIL_NAME}" -Fn
                done
            else
                check_jail_validity
                pfctl -a "rdr/${JAIL_NAME}" -Fn
            fi
            shift
            ;;
        tcp|udp)
            if [ $# -lt 3 ]; then
                usage
            elif [ $# -eq 3 ]; then
                check_jail_validity
                persist_rdr_rule $1 $2 $3
                load_rdr_rule $1 $2 $3
                shift 3
            else
                case "$4" in
                    log)
                        proto=$1
                        host_port=$2
                        jail_port=$3
                        shift 3
                        if [ $# -gt 3 ]; then
                            for last in $@; do
                                true
                            done
                            if [ $2 == "(" ] && [ $last == ")" ] ; then
                                check_jail_validity
                                persist_rdr_log_rule $proto $host_port $jail_port $@
                                load_rdr_log_rule $proto $host_port $jail_port $@
                                shift $#
                            else
                                usage
                            fi
                        elif [ $# -eq 1 ]; then
                            check_jail_validity
                            persist_rdr_log_rule $proto $host_port $jail_port $@
                            load_rdr_log_rule $proto $host_port $jail_port $@
                            shift 1
                        else
                            usage
                        fi
                        ;;
                    *)
                        usage
                        ;;
                esac
            fi
            ;;
        *)
            usage
            ;;
    esac
done
Add dynamic rdr 2020-02-01 15:58:02 +00:00			`#!/bin/sh`
Cleanup whitespace 2020-04-14 11:52:29 +02:00			`#`
0.9.20220216 release 2022-02-16 23:28:09 -07:00			`# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>`
rdr now persists rules by default; rdr.sh cleanup 2021-01-09 15:42:24 -07:00			`# All rights reserved.`
			`#`
Add dynamic rdr 2020-02-01 15:58:02 +00:00			`# Redistribution and use in source and binary forms, with or without`
			`# modification, are permitted provided that the following conditions are met:`
Cleanup whitespace 2020-04-14 11:52:29 +02:00			`#`
Add dynamic rdr 2020-02-01 15:58:02 +00:00			`# * Redistributions of source code must retain the above copyright notice, this`
			`# list of conditions and the following disclaimer.`
Cleanup whitespace 2020-04-14 11:52:29 +02:00			`#`
Add dynamic rdr 2020-02-01 15:58:02 +00:00			`# * Redistributions in binary form must reproduce the above copyright notice,`
			`# this list of conditions and the following disclaimer in the documentation`
			`# and/or other materials provided with the distribution.`
Cleanup whitespace 2020-04-14 11:52:29 +02:00			`#`
Add dynamic rdr 2020-02-01 15:58:02 +00:00			`# * Neither the name of the copyright holder nor the names of its`
			`# contributors may be used to endorse or promote products derived from`
			`# this software without specific prior written permission.`
Cleanup whitespace 2020-04-14 11:52:29 +02:00			`#`
Add dynamic rdr 2020-02-01 15:58:02 +00:00			`# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"`
			`# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE`
			`# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE`
			`# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE`
			`# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL`
			`# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR`
			`# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER`
			`# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,`
			`# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE`
			`# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.`

Create and leverage global error functions 2020-08-30 10:57:14 -04:00			`. /usr/local/share/bastille/common.sh`
Add dynamic rdr 2020-02-01 15:58:02 +00:00			`. /usr/local/etc/bastille/bastille.conf`

			`usage() {`
Extend RDR to support logging PF allows us to log rdr rules. The syntax to enable this is found in pf.conf under the syntax grammar section for rdr-rule. This commit extends Bastille's command line interface to allow users to choose to log their rdr rules using the pf.conf syntax - `````````````````````````````````````````````````````` tcp\|udp host_port jail_port [log ['(' logopts ')'] ] `````````````````````````````````````````````````````` Here, the syntax after jail_port is optional. This is sufficient to provide backwards compatibility. The keyword 'log' enables logging with the default options. The user can also provide custom options - logopts - whose the syntax and allowed keywords are defined in pf.conf. It's left to the user to supply correct logopts as the code does not verify those values or their syntax. 2022-03-01 21:54:03 -05:00			`error_exit "Usage: bastille rdr TARGET [clear\|list\|(tcp\|udp host_port jail_port [log ['(' logopts ')'] ] )]"`
Add dynamic rdr 2020-02-01 15:58:02 +00:00			`}`

			`# Handle special-case commands first.`
			`case "$1" in`
			`help\|-h\|--help)`
			`usage`
			`;;`
			`esac`

			`if [ $# -lt 2 ]; then`
			`usage`
			`fi`

Allow running bastille and subcomands with help flags as regular user 2023-03-16 20:58:11 +01:00			`bastille_root_check`

Add dynamic rdr 2020-02-01 15:58:02 +00:00			`TARGET="${1}"`
Fix for issue #403 2021-09-02 22:44:49 +02:00			`JAIL_NAME=""`
			`JAIL_IP=""`
add ipv6 rdr support 2023-03-28 15:03:53 +02:00			`JAIL_IP6=""`
Fix for issue #403 2021-09-02 22:44:49 +02:00			`EXT_IF=""`
Add dynamic rdr 2020-02-01 15:58:02 +00:00			`shift`

Fix for issue #403 2021-09-02 22:44:49 +02:00			`check_jail_validity() {`
			`# Can only redirect to single jail`
			`if [ "${TARGET}" = 'ALL' ]; then`
			`error_exit "Can only redirect to a single jail."`
			`fi`
Add dynamic rdr 2020-02-01 15:58:02 +00:00
Fix for issue #403 2021-09-02 22:44:49 +02:00			`# Check if jail name is valid`
use full path when calling jls binary 2021-12-17 19:09:49 -07:00			`JAIL_NAME=$(/usr/sbin/jls -j "${TARGET}" name 2>/dev/null)`
Fix for issue #403 2021-09-02 22:44:49 +02:00			`if [ -z "${JAIL_NAME}" ]; then`
			`error_exit "Jail not found: ${TARGET}"`
			`fi`
Add dynamic rdr 2020-02-01 15:58:02 +00:00
Fix for issue #403 2021-09-02 22:44:49 +02:00			`# Check if jail ip4 address (ip4.addr) is valid (non-VNET only)`
			`if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then`
use full path when calling jls binary 2021-12-17 19:09:49 -07:00			`JAIL_IP=$(/usr/sbin/jls -j "${TARGET}" ip4.addr 2>/dev/null)`
Fix for issue #403 2021-09-02 22:44:49 +02:00			`if [ -z "${JAIL_IP}" -o "${JAIL_IP}" = "-" ]; then`
			`error_exit "Jail IP not found: ${TARGET}"`
			`fi`
adding a couple vnet exceptions for ip4.addr checks 2021-01-01 09:23:26 -07:00			`fi`
add ipv6 rdr support 2023-03-28 15:03:53 +02:00			`# Check if jail ip6 address (ip6.addr) is valid (non-VNET only)`
			`if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then`
fix rdr issue detecting IP6 when disabled or not set 2023-06-21 20:34:19 -06:00			`if [ "$(bastille config $TARGET get ip6)" != 'disabled' ] && [ "$(bastille config $TARGET get ip6)" != 'not set' ]; then`
			`JAIL_IP6=$(/usr/sbin/jls -j "${TARGET}" ip6.addr 2>/dev/null)`
			`fi`
add ipv6 rdr support 2023-03-28 15:03:53 +02:00			`fi`
Add dynamic rdr 2020-02-01 15:58:02 +00:00
fix rdr issue detecting IP6 when disabled or not set 2023-06-21 20:34:19 -06:00
Fix for issue #403 2021-09-02 22:44:49 +02:00			`# Check if rdr-anchor is defined in pf.conf`
			`if ! (pfctl -sn \| grep rdr-anchor \| grep 'rdr/\*' >/dev/null); then`
			`error_exit "rdr-anchor not found in pf.conf"`
			`fi`
Add dynamic rdr 2020-02-01 15:58:02 +00:00
Fix for issue #403 2021-09-02 22:44:49 +02:00			`# Check if ext_if is defined in pf.conf`
Make pf table name and external interface configurable. Closes #508 2022-11-26 23:24:33 -05:00			`EXT_IF=$(grep "^[[:space:]]${bastille_network_pf_ext_if}[[:space:]]=" /etc/pf.conf)`
Fix for issue #403 2021-09-02 22:44:49 +02:00			`if [ -z "${EXT_IF}" ]; then`
Make pf table name and external interface configurable. Closes #508 2022-11-26 23:24:33 -05:00			`error_exit "bastille_network_pf_ext_if (${bastille_network_pf_ext_if}) not defined in pf.conf"`
Fix for issue #403 2021-09-02 22:44:49 +02:00			`fi`
			`}`
Add dynamic rdr 2020-02-01 15:58:02 +00:00
rdr now persists rules by default; rdr.sh cleanup 2021-01-09 15:42:24 -07:00			`# function: write rule to rdr.conf`
			`persist_rdr_rule() {`
			`if ! grep -qs "$1 $2 $3" "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"; then`
			`echo "$1 $2 $3" >> "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"`
			`fi`
			`}`

Extend RDR to support logging PF allows us to log rdr rules. The syntax to enable this is found in pf.conf under the syntax grammar section for rdr-rule. This commit extends Bastille's command line interface to allow users to choose to log their rdr rules using the pf.conf syntax - `````````````````````````````````````````````````````` tcp\|udp host_port jail_port [log ['(' logopts ')'] ] `````````````````````````````````````````````````````` Here, the syntax after jail_port is optional. This is sufficient to provide backwards compatibility. The keyword 'log' enables logging with the default options. The user can also provide custom options - logopts - whose the syntax and allowed keywords are defined in pf.conf. It's left to the user to supply correct logopts as the code does not verify those values or their syntax. 2022-03-01 21:54:03 -05:00			`persist_rdr_log_rule() {`
			`proto=$1;host_port=$2;jail_port=$3;`
			`shift 3;`
			`log=$@;`
			`if ! grep -qs "$proto $host_port $jail_port $log" "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"; then`
			`echo "$proto $host_port $jail_port $log" >> "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"`
			`fi`
			`}`


rdr now persists rules by default; rdr.sh cleanup 2021-01-09 15:42:24 -07:00			`# function: load rdr rule via pfctl`
			`load_rdr_rule() {`
			`( pfctl -a "rdr/${JAIL_NAME}" -Psn;`
Make pf table name and external interface configurable. Closes #508 2022-11-26 23:24:33 -05:00			`printf '%s\nrdr pass on $%s inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "${bastille_network_pf_ext_if}" "$1" "$2" "$JAIL_IP" "$3" ) \`
rdr now persists rules by default; rdr.sh cleanup 2021-01-09 15:42:24 -07:00			`\| pfctl -a "rdr/${JAIL_NAME}" -f-`
add ipv6 rdr support 2023-03-28 15:03:53 +02:00			`if [ -n "$JAIL_IP6" ]; then`
			`( pfctl -a "rdr/${JAIL_NAME}" -Psn;`
			`printf '%s\nrdr pass on $%s inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "${bastille_network_pf_ext_if}" "$1" "$2" "$JAIL_IP6" "$3" ) \`
			`\| pfctl -a "rdr/${JAIL_NAME}" -f-`
			`fi`
rdr now persists rules by default; rdr.sh cleanup 2021-01-09 15:42:24 -07:00			`}`

Extend RDR to support logging PF allows us to log rdr rules. The syntax to enable this is found in pf.conf under the syntax grammar section for rdr-rule. This commit extends Bastille's command line interface to allow users to choose to log their rdr rules using the pf.conf syntax - `````````````````````````````````````````````````````` tcp\|udp host_port jail_port [log ['(' logopts ')'] ] `````````````````````````````````````````````````````` Here, the syntax after jail_port is optional. This is sufficient to provide backwards compatibility. The keyword 'log' enables logging with the default options. The user can also provide custom options - logopts - whose the syntax and allowed keywords are defined in pf.conf. It's left to the user to supply correct logopts as the code does not verify those values or their syntax. 2022-03-01 21:54:03 -05:00			`# function: load rdr rule with log via pfctl`
			`load_rdr_log_rule() {`
			`proto=$1;host_port=$2;jail_port=$3;`
			`shift 3;`
			`log=$@`
			`( pfctl -a "rdr/${JAIL_NAME}" -Psn;`
Make pf table name and external interface configurable. Closes #508 2022-11-26 23:24:33 -05:00			`printf '%s\nrdr pass %s on $%s inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "$log" "${bastille_network_pf_ext_if}" "$proto" "$host_port" "$JAIL_IP" "$jail_port" ) \`
Extend RDR to support logging PF allows us to log rdr rules. The syntax to enable this is found in pf.conf under the syntax grammar section for rdr-rule. This commit extends Bastille's command line interface to allow users to choose to log their rdr rules using the pf.conf syntax - `````````````````````````````````````````````````````` tcp\|udp host_port jail_port [log ['(' logopts ')'] ] `````````````````````````````````````````````````````` Here, the syntax after jail_port is optional. This is sufficient to provide backwards compatibility. The keyword 'log' enables logging with the default options. The user can also provide custom options - logopts - whose the syntax and allowed keywords are defined in pf.conf. It's left to the user to supply correct logopts as the code does not verify those values or their syntax. 2022-03-01 21:54:03 -05:00			`\| pfctl -a "rdr/${JAIL_NAME}" -f-`
add ipv6 rdr support 2023-03-28 15:03:53 +02:00			`if [ -n "$JAIL_IP6" ]; then`
			`( pfctl -a "rdr/${JAIL_NAME}" -Psn;`
			`printf '%s\nrdr pass %s on $%s inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "$log" "${bastille_network_pf_ext_if}" "$proto" "$host_port" "$JAIL_IP6" "$jail_port" ) \`
			`\| pfctl -a "rdr/${JAIL_NAME}" -f-`
			`fi`

Extend RDR to support logging PF allows us to log rdr rules. The syntax to enable this is found in pf.conf under the syntax grammar section for rdr-rule. This commit extends Bastille's command line interface to allow users to choose to log their rdr rules using the pf.conf syntax - `````````````````````````````````````````````````````` tcp\|udp host_port jail_port [log ['(' logopts ')'] ] `````````````````````````````````````````````````````` Here, the syntax after jail_port is optional. This is sufficient to provide backwards compatibility. The keyword 'log' enables logging with the default options. The user can also provide custom options - logopts - whose the syntax and allowed keywords are defined in pf.conf. It's left to the user to supply correct logopts as the code does not verify those values or their syntax. 2022-03-01 21:54:03 -05:00			`}`

Add dynamic rdr 2020-02-01 15:58:02 +00:00			`while [ $# -gt 0 ]; do`
			`case "$1" in`
Switch from `--option` to `option` and fix typos 2020-02-02 00:28:02 +00:00			`list)`
Fix for issue #403 2021-09-02 22:44:49 +02:00			`if [ "${TARGET}" = 'ALL' ]; then`
			`for JAIL_NAME in $(ls "${bastille_jailsdir}" \| sed "s/\n//g"); do`
			`echo "${JAIL_NAME} redirects:"`
			`pfctl -a "rdr/${JAIL_NAME}" -Psn 2>/dev/null`
			`done`
			`else`
			`check_jail_validity`
			`pfctl -a "rdr/${JAIL_NAME}" -Psn 2>/dev/null`
			`fi`
Add dynamic rdr 2020-02-01 15:58:02 +00:00			`shift`
			`;;`
Switch from `--option` to `option` and fix typos 2020-02-02 00:28:02 +00:00			`clear)`
Fix for issue #403 2021-09-02 22:44:49 +02:00			`if [ "${TARGET}" = 'ALL' ]; then`
			`for JAIL_NAME in $(ls "${bastille_jailsdir}" \| sed "s/\n//g"); do`
			`echo "${JAIL_NAME} redirects:"`
			`pfctl -a "rdr/${JAIL_NAME}" -Fn`
			`done`
			`else`
			`check_jail_validity`
			`pfctl -a "rdr/${JAIL_NAME}" -Fn`
			`fi`
Add dynamic rdr 2020-02-01 15:58:02 +00:00			`shift`
			`;;`
rdr now persists rules by default; rdr.sh cleanup 2021-01-09 15:42:24 -07:00			`tcp\|udp)`
Add dynamic rdr 2020-02-01 15:58:02 +00:00			`if [ $# -lt 3 ]; then`
			`usage`
Extend RDR to support logging PF allows us to log rdr rules. The syntax to enable this is found in pf.conf under the syntax grammar section for rdr-rule. This commit extends Bastille's command line interface to allow users to choose to log their rdr rules using the pf.conf syntax - `````````````````````````````````````````````````````` tcp\|udp host_port jail_port [log ['(' logopts ')'] ] `````````````````````````````````````````````````````` Here, the syntax after jail_port is optional. This is sufficient to provide backwards compatibility. The keyword 'log' enables logging with the default options. The user can also provide custom options - logopts - whose the syntax and allowed keywords are defined in pf.conf. It's left to the user to supply correct logopts as the code does not verify those values or their syntax. 2022-03-01 21:54:03 -05:00			`elif [ $# -eq 3 ]; then`
			`check_jail_validity`
			`persist_rdr_rule $1 $2 $3`
			`load_rdr_rule $1 $2 $3`
			`shift 3`
			`else`
			`case "$4" in`
			`log)`
			`proto=$1`
			`host_port=$2`
			`jail_port=$3`
			`shift 3`
			`if [ $# -gt 3 ]; then`
			`for last in $@; do`
Convert tab to spaces Spaces seem to be the convention for these files, for better or worse, so make things consistent. 2022-07-24 22:16:38 +00:00			`true`
Extend RDR to support logging PF allows us to log rdr rules. The syntax to enable this is found in pf.conf under the syntax grammar section for rdr-rule. This commit extends Bastille's command line interface to allow users to choose to log their rdr rules using the pf.conf syntax - `````````````````````````````````````````````````````` tcp\|udp host_port jail_port [log ['(' logopts ')'] ] `````````````````````````````````````````````````````` Here, the syntax after jail_port is optional. This is sufficient to provide backwards compatibility. The keyword 'log' enables logging with the default options. The user can also provide custom options - logopts - whose the syntax and allowed keywords are defined in pf.conf. It's left to the user to supply correct logopts as the code does not verify those values or their syntax. 2022-03-01 21:54:03 -05:00			`done`
			`if [ $2 == "(" ] && [ $last == ")" ] ; then`
			`check_jail_validity`
			`persist_rdr_log_rule $proto $host_port $jail_port $@`
			`load_rdr_log_rule $proto $host_port $jail_port $@`
			`shift $#`
			`else`
			`usage`
			`fi`
			`elif [ $# -eq 1 ]; then`
			`check_jail_validity`
			`persist_rdr_log_rule $proto $host_port $jail_port $@`
			`load_rdr_log_rule $proto $host_port $jail_port $@`
			`shift 1`
			`else`
			`usage`
			`fi`
			`;;`
			`*)`
			`usage`
			`;;`
			`esac`
Add dynamic rdr 2020-02-01 15:58:02 +00:00			`fi`
			`;;`
			`*)`
			`usage`
			`;;`
			`esac`
			`done`