RDR Improvements: Allow TO/FROM+INTERACE+IP STACK #765

Open: wants to merge 63 commits into base: master

Conversation

tschettervictor
Collaborator

@tschettervictor tschettervictor commented Dec 10, 2024

I've reconstructed much of the rdr.sh to allow users to set TO/FROM and also the interface.
Old command of bastille rdr jail tcp 8000 80 still functions as it should and will use the default interface and any to any when creating the rules. Major differences are

  • you can now set which interface the rule is created on with -i em0 or any specified interface
  • if you want to limit the rdr rule to a certain source, use -s 134.234.67.34
  • if you have multiple IPs on an interface, you can choose to redirect to only one using -d 192.168.1.45
  • -t is also available if you want to specifically load a rule for ip4/6: -t ipv4 or -t ipv6. The default will use both, or 'dual'

Error checking is also in place, and testers are welcome.
I will continue to update this PR with the docs and usage commands if users find this helpful.

@tschettervictor tschettervictor changed the title RDR allow setting interface when publishing ports RDR Improvements: Allow TO/FROM+INTERACE Dec 11, 2024
@tschettervictor
Collaborator Author

#707
#673
#664
#654
#644
#402

@tschettervictor
Collaborator Author

RDR will now show errors for any rule that failed to create.
It also will now print better info when redirecting IPv4/6 rules.

@tschettervictor
Collaborator Author

Currently, rules are only persisted if both IP4 and 6 rules can be loaded. This means that if for some reason the IP6 rules can't be loaded, then they won't be entered into rdr.conf. This is because the "load_rule" functions try to load both, and only if they both pass will it persist the rule.

@yaazkal Would it be better to split the function, or just revert back to persisting the rule and then loading it?

@tschettervictor
Collaborator Author

I just ran into this trying to create a jail with both IP4 and 6. The jail works, but any rdr rules fail to persist because the interface that they were created on doesn't support IP6, so the IP4 rules load, but not the IP6 ones.

Current implementation has great error handling and will not accept false inputs when doing "bastille rdr" so perhaps persisting the rule first is best.

@tschettervictor
Collaborator Author

@yaazkal Looks like there was a bug in the rule that called "inet" instead of "inet6" when creating IPv6 rules. IPv6 is now working as expected also.

@tschettervictor
Collaborator Author

Here is my output.

root@webmin:~ # bastille create jail9 14.0-RELEASE '10.0.0.56 2001:db8:ee00:ff00::117/64'
Valid: (10.0.0.56).
Valid: (2001:db8:ee00:ff00::117/64).

Creating a thinjail...

[jail9]:
jail9: created

[jail9]:
Applying template: default/thin...
[jail9]:
Applying template: default/base...
[jail9]:
[jail9]: 0

[jail9]:
syslogd_flags: -s -> -ss

[jail9]:
sendmail_enable: NONE -> NO

[jail9]:
sendmail_submit_enable: YES -> NO

[jail9]:
sendmail_outbound_enable: YES -> NO

[jail9]:
sendmail_msp_queue_enable: YES -> NO

[jail9]:
cron_flags:  -> -J 60

[jail9]:
/etc/resolv.conf -> /usr/local/bastille/jails/jail9/root/etc/resolv.conf

Template applied: default/base

Template applied: default/thin

[jail9]:
jail9: removed

[jail9]:
jail9: created

root@webmin:~ # bastille rdr jail9 tcp 8000 80
[jail9]:
IPv4 tcp/any:8000 -> any:80 on vtnet0
[jail9]:
IPv6 tcp/any:8000 -> any:80 on vtnet0
root@webmin:~ # bastille restart jail9
nat cleared
[jail9]:
jail9: removed

[jail9]:
jail9: created
[jail9]:
IPv4 tcp/any:8000 -> any:80 on vtnet0
[jail9]:
IPv6 tcp/any:8000 -> any:80 on vtnet0

root@webmin:~ #

@tschettervictor
Collaborator Author

Dual stack can still be a problem when doing -d or -s though.
Ideas are welcome there.

@tschettervictor
Collaborator Author

New! -t|--type

  • support for setting IP type. Can be ipv6 or ipv4. Defaults to dual
  • must be used when -s or -d is used
  • rules will now be loaded only on specified stack if it is set, otherwise they will be loaded on both stacks
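The rule-building logic described in this thread (interface, source, destination and the -t stack selector, with the inet/inet6 family keyword per stack), as an added illustration written for this page and not taken from Bastille's rdr.sh. It assumes the jail's IPv4 and IPv6 addresses are passed in and that the printed lines would be fed to pfctl by the caller; the validation messages are constructed here.

```shell
#!/bin/sh
# Added example, not Bastille's own code: build the pf "rdr pass" rule(s)
# implied by the options discussed in this PR.
#
# build_rdr_rules IFACE PROTO HOST_PORT JAIL_PORT STACK SRC DST JAIL_IP4 JAIL_IP6
#   STACK is ipv4, ipv6 or dual (default dual); SRC/DST default to "any".
# Prints one rule per address family; returns 1 on invalid input.
build_rdr_rules() {
    iface="$1"; proto="$2"; host_port="$3"; jail_port="$4"
    ipstack="${5:-dual}"; src="${6:-any}"; dst="${7:-any}"
    ip4="${8%/*}"; ip6="${9%/*}"   # strip any /prefix; rdr targets are hosts

    # Basic input checks mirroring the PR's error handling (constructed here).
    case "$proto" in tcp|udp) ;; *) echo "invalid proto: $proto" >&2; return 1 ;; esac
    if [ -z "$host_port" ] || [ -z "$jail_port" ]; then
        echo "host and jail ports are required" >&2; return 1
    fi
    case "$host_port$jail_port" in *[!0-9]*) echo "ports must be numeric" >&2; return 1 ;; esac
    case "$ipstack" in ipv4|ipv6|dual) ;; *) echo "invalid type: $ipstack" >&2; return 1 ;; esac

    # A source or destination address belongs to one address family, so it
    # cannot be applied to both stacks: -s/-d require an explicit -t.
    if [ "$ipstack" = dual ] && { [ "$src" != any ] || [ "$dst" != any ]; }; then
        echo "-t ipv4|ipv6 is required when -s or -d is used" >&2
        return 1
    fi

    # "inet" is pf's IPv4 family keyword; emitting it for the IPv6 rule was
    # the bug noted earlier in this thread, so each stack selects its own.
    if [ "$ipstack" != ipv6 ] && [ -n "$ip4" ]; then
        echo "rdr pass on $iface inet proto $proto from $src to $dst port $host_port -> $ip4 port $jail_port"
    fi
    if [ "$ipstack" != ipv4 ] && [ -n "$ip6" ]; then
        echo "rdr pass on $iface inet6 proto $proto from $src to $dst port $host_port -> $ip6 port $jail_port"
    fi
}
```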

@tschettervictor tschettervictor changed the title RDR Improvements: Allow TO/FROM+INTERACE RDR Improvements: Allow TO/FROM+INTERACE+IP STACK Dec 14, 2024
@tschettervictor
Collaborator Author

@yaazkal @bmac2 I think this should do it. Can I request a review?

This PR allows very high functionality and would allow us to close many issues and PRs.

And I've tested most if not all combinations of options and made sure error catching is good as well as IPv4 and IPv6 handling.

Thanks

@bmac2
Collaborator

bmac2 commented Dec 17, 2024

@tschettervictor this one has conflicts. I was going to start testing but need it cleaned up, then I will start testing.

@tschettervictor
Collaborator Author

Done.
