Enhancement: optional ext_if6 macro in pf.conf to enable rdr for non-VNET dual-stack jails #627
base: master
Conversation
… to default ext_if (IPv4) interface in bastille.conf, and adjusted rdr.sh so that rdr rules are also added for the ext_if6 interface
@@ -45,6 +45,7 @@ bastille_conf_check | |||
. /usr/local/etc/bastille/bastille.conf | |||
# Set default values for config properties added during the current major version: | |||
: "${bastille_network_pf_ext_if:=ext_if}" | |||
: "${bastille_network_pf_ext_if:=ext_if6}" |
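Review bot: the added default on the last line of this hunk reuses the variable name of the line above it, so `: "${bastille_network_pf_ext_if:=ext_if6}"` is a no-op (`bastille_network_pf_ext_if` is already set to `ext_if` one line earlier) and the new IPv6 macro never receives a default. It should read `: "${bastille_network_pf_ext_if6:=ext_if6}"` so that rdr.sh can rely on a defined IPv6 variable; the new `bastille_network_pf_ext_if6` setting should also be documented in bastille.conf next to the existing `bastille_network_pf_ext_if`.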
I assume this variable is meant to be ${bastille_network_pf_ext_if6:=ext_if6}?
Yes, you are correct... I fixed it locally but forgot to push.
@waseigo can you push the change so we can review it again?
@@ -62,7 +63,7 @@ bastille_perms_check() { | |||
bastille_perms_check | |||
|
|||
## version | |||
BASTILLE_VERSION="0.10.20231013" | |||
BASTILLE_VERSION=b7d741b5cd3b0c758f0983fd9546e88fba0354d7 |
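Review bot: the `BASTILLE_VERSION` change in this hunk is unrelated to the ext_if6 feature and swaps the quoted release string `"0.10.20231013"` for a bare commit hash, which changes the format of the version value (no quotes, no date) for anyone installing from this branch. Drop this hunk from the PR and leave the version line untouched; version bumps belong in a separate release commit.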
This doesn't need to be included in the patch.
OK, will keep it in mind for next time!
@waseigo please then remove the change from your PR
@cedwards I am not terribly proficient at this (to put it mildly), so haven't run it through the gauntlet, so to say, to see if other things break.
Update on this? I've redone much of the code on rdr.sh to allow setting an interface as well as setting a source and destination IP. Check out PR #765 and test it to see if it will work for you. With it you can specify an interface to use with rdr, so no need to add additional rules to pf.conf. I've tested it pretty thoroughly, and it appears to be pretty stable at this point. It allows dual, IPv4 only, or IPv6 only rule types.
`ext_if6` for an IPv6 interface in `pf.conf` interface next to the default `ext_if` (for IPv4) in `bastille.conf`. `rdr.sh` so that rdr rules are also added and persisted for the `ext_if6` interface. This makes it possible to have a non-VNET jail that can deal with packets coming from a WireGuard interface (IPv4) and from a Yggdrasil (IPv6) interface.

For example, I am running caddy in a non-VNET dual-stack jail, and this way I can have it reverse-proxy to other jails.

Prior to this change, if I didn't want to deal with VNET, I would have to have a separate non-VNET IPv6-only jail running caddy to deal with requests coming from the Yggdrasil interface.

This doesn't affect the creation of an IPv4-only jail. I have not changed anything in `create.sh`. After creating an IPv4-only jail, I edit its `jail.conf` and add `ip6.addr = fd80:...` (in this case, a link-local address) and delete the line `ip6 = new;`.

For an IPv6-only jail, an improvement to this would be to make `create.sh` set `ip4 = disabled;` (for which other scripts might need to be adjusted).

The changes to the "standard" `pf.conf` look like this:
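The PR's own pf.conf diff is not reproduced on this page. As an added illustration (not the PR's code and not Bastille's shipped template), here is what a host pf.conf carrying both macros can look like, together with the two per-jail rdr rules an `ext_if6`-aware rdr.sh would have to emit; the interface names, the `caddy` anchor name and the jail addresses are constructed placeholders, and the base ruleset is modelled loosely on the standard Bastille layout rather than copied from it.

```pf
# Added example, not the PR's diff. vtnet0 / ygg0 and the jail
# addresses 10.17.89.10 / fd80::10 are constructed placeholders.
ext_if="vtnet0"        # default Bastille macro: IPv4 path (e.g. WireGuard side)
ext_if6="ygg0"         # optional macro this PR adds: IPv6 path (Yggdrasil side)

set block-policy drop
scrub in on $ext_if  all fragment reassemble
scrub in on $ext_if6 all fragment reassemble
set skip on lo

table <jails> persist
# NAT is only needed for the private IPv4 jail range; the jail's IPv6
# address is routable on $ext_if6, so there is deliberately no nat there.
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"

block in all
pass out quick keep state
# Anti-spoofing has to be declared per address family and per interface,
# otherwise the IPv6 side is left unprotected.
antispoof for $ext_if  inet
antispoof for $ext_if6 inet6
pass in inet proto tcp from any to any port ssh flags S/SA keep state

# Contents of the per-jail anchor (rdr/caddy) once rdr.sh also emits a
# rule for $ext_if6. The address-family keyword must match the
# interface and the redirect target: an inet rule with an IPv6 target,
# or an inet6 rule on the IPv4-only interface, is rejected at load time.
rdr pass on $ext_if  inet  proto tcp from any to any port 443 -> 10.17.89.10 port 443
rdr pass on $ext_if6 inet6 proto tcp from any to any port 443 -> fd80::10 port 443
```

Validate the ruleset without loading it with `pfctl -nf /etc/pf.conf`, and confirm both rules landed in the anchor with `pfctl -a "rdr/caddy" -sn`; if the IPv6 rule is missing there, the jail is only reachable over the IPv4 interface.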