
[BUG] PF syntax issues with rdr #673

Open
jake-g00dwin opened this issue Jan 30, 2024 · 9 comments

Comments

@jake-g00dwin

[MANDATORY] Describe the bug [MANDATORY]
Starting/Stopping a thinjail causes pfctl to output an error DIOCGETRULES: Invalid argument. When trying to use RDR with ports it will also give errors about a macro not being defined, along with a syntax error.

Sockstat doesn't show the ports being in use before or after trying to start the jails that use RDR.

[MANDATORY] Bastille and FreeBSD version (paste bastille -v && freebsd-version -kru output)

~>$ bastille -v && freebsd-version -kru
0.10.20231125
14.0-RELEASE-p3
14.0-RELEASE-p3
14.0-RELEASE-p4

[optional] Steps to reproduce?

~>$ sudo bastille rdr <jailname> tcp 8448 8448
pfctl: DIOCGETRULES: Invalid argument
stdin:2: macro '' not defined
stdin:2: syntax error

[optional] Expected behavior
Jail up and running using the correct ports.

[optional] Screenshots
[screenshot not included]

Bastille List All output
[screenshot not included]

PF rules
[screenshot not included]

[optional] Additional context

Had a VPS lose power and restart, noticed this issue after that. I'm assuming it's because I had updated Bastille beforehand.

@jake-g00dwin
Author

#644 seems like it could be related, but I haven't changed any system tunables on this system yet, and I don't have IPv6 set up or in use on any interfaces.

@adriel-tech
Contributor

There were changes to bastille.conf that caused a lot of issues for people on the last Bastille update. Is it possible that you updated Bastille, everything was fine but your VPS rebooting after power loss and reloading the new Bastille settings broke things?

You could try comparing your usr/local/etc/Bastille/bastille.conf with the current one.
https://github.com/BastilleBSD/bastille/blob/master/usr/local/etc/bastille/bastille.conf.sample

@jake-g00dwin
Author

Thanks for the info/fast update. And I think that you're right, that's probably the case.

I've played around with my pf.conf file a bit and manually setting:

rdr pass on $ext_if inet proto tcp from any to any port = 80 -> 10.10.10.1 port 80

works fine. I think it might have to do with the pfctl -a "rdr/${JAIL_NAME}" -Psn calls in the rdr.sh functions.

Ran vimdiff on both the conf files, and lines 14-16, 52 and 55-57 are missing. I can see why those would be important.

I'll try yanking them into the current conf file and post results if it solves it.

@jake-g00dwin
Author

jake-g00dwin commented Jan 31, 2024

Success!
[screenshot not included]

Functions without needing to manually change the pf config now. Still outputs the DIOCGETRULES: Invalid argument, however, so it might be worth leaving the issue open.

@frenata

frenata commented Feb 9, 2024

I hit the same issue today! A little bash debugging suggests that the syntax issues (but not the DIOCGETRULES issue) are related to the IP6 path in load_rdr_rule: the value of $JAIL_IP6 there for me is -.

@ktk

ktk commented Mar 16, 2024

Same issue for me; I diffed my bastille.conf with the sample & aligned them. That resolved most issues, but

pfctl: DIOCGETRULES: Invalid argument

Still remains for one jail. Any ideas on this one?

@ntn888

ntn888 commented May 11, 2024

Has anyone an update on this? I get the same error pfctl: DIOCGETRULES: Invalid argument, and the NAT translation I set up is not working.

EDIT: No issues; for some reason the ssh wasn't NAT'ing through, but other services are accessible :)

@sinclairday

> I hit the same issue today! A little bash debugging suggests that the syntax issues (but not the DIOCGETRULES issue) are related to the IP6 path in load_rdr_rule: the value of $JAIL_IP6 there for me is -.

Check that the value for the config parameter ip6 is set:

    bastille config TARGET get ip6

I am unsure what the acceptable values are, but new works. Example:

    interface = vtnet1;
    ip4.addr = 10.10.1.2;
    ip6 = new;
    ip6.addr = 1234:abcd:abab:0:1234:aa:bbbb:cccc/64;

I had commented it out while troubleshooting a bug in Bastille's rdr.sh, and restoring it restored IP6 provisioning for the jail.

@sinclairday

I believe some of the problems with RDR are related to IP6, and that two functions in /usr/local/share/bastille/rdr.sh need slight tweaking to make them work properly in all cases, esp. when running dual ip4 and ip6 stacks.

Below are snippets from my locally modified rdr.sh that change the inet directive to inet6 in the $JAIL_IP6 blocks of the two functions. pf will not forward ports across IP families (i.e., ip4 -> ip6), and RDR would fail to load when bringing up the jail.

1. load_rdr_rule()

        if [ -n "$JAIL_IP6" ]; then
          ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
          printf '%s\nrdr pass on $%s inet6 proto %s to port %s -> %s port %s\n' "$EXT_IF" "${bastille_network_pf_ext_if}" "$1" "$2" "$JAIL_IP6" "$3" ) \
            | tee -a /root/rdr.log | pfctl -a "rdr/${JAIL_NAME}" -f-
        fi

2. load_rdr_log_rule()

        if [ -n "$JAIL_IP6" ]; then
          ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
          printf '%s\nrdr pass %s on $%s inet6 proto %s to port %s -> %s port %s\n' "$EXT_IF" "$log" "${bastille_network_pf_ext_if}" "$proto" "$host_port" "$JAIL_IP6" "$jail_port" ) \
            | tee -a /root/rdr.log | pfctl -a "rdr/${JAIL_NAME}" -f-
        fi
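Two failure modes come up in this thread: an unset jail IPv6 that reaches `load_rdr_rule` as the placeholder `-` (frenata's observation) and turns into the `macro '' not defined` / `syntax error` output, and an IPv6 redirect emitted with the `inet` keyword, which pf will not load because it does not translate across address families. The script below is an added example that is not part of Bastille's rdr.sh; it builds the same style of rdr rule as the snippets above but derives the `inet`/`inet6` keyword from the address itself and refuses placeholder values instead of passing them to pfctl. The function names `addr_family`, `build_rdr_rule` and `rdr_rules_for_jail`, and the macro name `ext_if` (taken from the manual rule quoted earlier in the thread), are this example's assumptions. It only prints rule text; feeding that text to `pfctl -a "rdr/<jail>" -f-` is left to the caller so the output can be inspected first.

```shell
#!/bin/sh
# Added example (not Bastille's rdr.sh). Builds pf rdr rules for a jail,
# choosing the address-family keyword from the address and skipping the
# "-" placeholder Bastille reports when ip6 is unset.

# addr_family ADDRESS -> prints "inet", "inet6" or "none".
# Assumption: Bastille's non-address ip6 values ("-", "new", "inherit",
# "disable") and the empty string are treated as "no address".
addr_family() {
    case "$1" in
        ''|'-'|'new'|'inherit'|'disable') echo none ;;
        *:*) echo inet6 ;;        # any colon: IPv6 literal
        *.*.*.*) echo inet ;;     # dotted quad: IPv4 (no strict validation)
        *) echo none ;;
    esac
}

# build_rdr_rule EXT_IF PROTO HOST_PORT JAIL_IP JAIL_PORT [LOG]
# Prints the ext_if macro line and one rdr rule on stdout.
# Returns 1 and prints nothing when JAIL_IP is not a usable address,
# so an unset ip6 never reaches pfctl as an empty macro.
build_rdr_rule() {
    ext_if=$1; proto=$2; host_port=$3; jail_ip=$4; jail_port=$5; log=${6:-}
    fam=$(addr_family "$jail_ip")
    [ "$fam" = none ] && return 1
    # ip6.addr in jail.conf may carry a /prefix; pf wants a host address after "->".
    jail_ip=${jail_ip%%/*}
    printf 'ext_if="%s"\n' "$ext_if"
    # "%son" renders as "log on" when LOG is given, plain "on" otherwise.
    printf 'rdr pass %son $ext_if %s proto %s to port %s -> %s port %s\n' \
        "${log:+$log }" "$fam" "$proto" "$host_port" "$jail_ip" "$jail_port"
}

# rdr_rules_for_jail EXT_IF PROTO HOST_PORT JAIL_PORT JAIL_IP4 JAIL_IP6
# Emits one rule per configured family (dual-stack jails get both),
# silently skipping whichever family is unset. Fails if neither is usable.
rdr_rules_for_jail() {
    ext_if=$1; proto=$2; host_port=$3; jail_port=$4; ip4=$5; ip6=$6
    emitted=0
    for ip in "$ip4" "$ip6"; do
        if build_rdr_rule "$ext_if" "$proto" "$host_port" "$ip" "$jail_port"; then
            emitted=$((emitted + 1))
        fi
    done
    [ "$emitted" -gt 0 ]
}

# Stand-alone demo with constructed values: a dual-stack jail and one whose
# ip6 is the "-" placeholder from the thread.
if [ "${1:-}" = demo ]; then
    rdr_rules_for_jail vtnet0 tcp 8448 8448 10.10.10.1 1234:abcd:abab:0:1234:aa:bbbb:cccc/64
    echo '--- jail with ip6 unset ("-"):'
    rdr_rules_for_jail vtnet0 tcp 8448 8448 10.10.10.1 -
fi
```

Run it as `sh rdr_rules.sh demo` to see both cases; in the second, only the `inet` rule is printed and nothing is generated for the `-` placeholder, which is exactly the line that produced the `stdin:2` errors in the original report.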
