
RDR Improvements: Allow TO/FROM+INTERFACE+IP STACK #765

Open
wants to merge 81 commits into base: master

Conversation

tschettervictor
Collaborator

@tschettervictor tschettervictor commented Dec 10, 2024

EDIT: If you have used the previous version of RDR, please run bastille rdr jail reset to clear the old rules, otherwise you might have warnings and errors on jail start.

I've reconstructed much of the rdr.sh to allow users to set TO/FROM and also the interface.
Old command of bastille rdr jail tcp 8000 80 still functions as it should and will use the default interface and any to any when creating the rules. Major differences are:

  • you can now set which interface the rule is created on with -i em0 or any specified interface
  • if you want to limit the rdr rule to a certain source, use -s 134.234.67.34
  • if you have multiple IPs on an interface, you can choose to redirect to only one using -d 192.168.1.45
  • -t is also available if you want to specifically load a rule for IPv4 or IPv6: -t ipv4 or -t ipv6. The default will use both, or 'dual'

Error checking is also in place, and testers are welcome.
I will continue to update this PR with the docs and usage commands if users find this helpful.

@tschettervictor tschettervictor changed the title RDR allow setting interface when publishing ports RDR Improvements: Allow TO/FROM+INTERFACE Dec 11, 2024
@tschettervictor
Collaborator Author


#707
#673
#664
#654
#644
#402

@tschettervictor
Collaborator Author

RDR will now show errors for any rule that failed to create.
It also will now print better info when redirecting IPv4/6 rules.

@bmac2
Collaborator

bmac2 commented Dec 17, 2024

@tschettervictor this one has conflicts. I was going to start testing but need it cleaned up, then I will start testing.

@tschettervictor
Collaborator Author

Done.

@tschettervictor
Collaborator Author

Any testers for this one?

@sinclairday

I installed your changes to rdr.sh and list.sh in /usr/local/share/bastille on top of the latest release, on FreeBSD 14.2-RELEASE:

$ pkg info bastille
bastille-0.13.20250126
Name           : bastille
Version        : 0.13.20250126
Installed on   : Tue Jan 28 17:43:07 2025 PST
Origin         : sysutils/bastille
Architecture   : FreeBSD:14:*

I was testing against dual-stack jails (i.e., assigned ipv4 and ipv6 addresses) that under unmodified versions of bastille would not start cleanly because of incorrect PF rdr directives. With your changes, the problem is resolved.

However, I did stumble over a problem with a jail's rdr.conf subsequent to a restart using the new code. The pre-existing rdr.conf for the jail was:

tcp 110 110
tcp 143 143
tcp 465 465
tcp 587 587
tcp 993 993
tcp 995 995
tcp 3587 3587

After starting the jail using the new code, rdr.conf was changed into:

tcp 110 110
tcp 143 143
tcp 465 465
tcp 587 587
tcp 993 993
tcp 995 995
tcp 3587 3587
dual vtnet0 any any tcp 110 110
dual vtnet0 any any tcp 143 143
dual vtnet0 any any tcp 465 465
dual vtnet0 any any tcp 587 587
dual vtnet0 any any tcp 993 993
dual vtnet0 any any tcp 995 995
dual vtnet0 any any tcp 3587 3587

Although the initial restart cleanly started, subsequent ones all complain:

Error: Ports already in use on this interface.
See 'bastille list ports' or 'bastille rdr TARGET reset'.
Error: Ports already in use on this interface.
See 'bastille list ports' or 'bastille rdr TARGET reset'.
Error: Ports already in use on this interface.
See 'bastille list ports' or 'bastille rdr TARGET reset'.
Error: Ports already in use on this interface.
See 'bastille list ports' or 'bastille rdr TARGET reset'.
Error: Ports already in use on this interface.
See 'bastille list ports' or 'bastille rdr TARGET reset'.
Error: Ports already in use on this interface.
See 'bastille list ports' or 'bastille rdr TARGET reset'.
Error: Ports already in use on this interface.
See 'bastille list ports' or 'bastille rdr TARGET reset'.
IPv4 tcp/110:110 on vtnet0
IPv6 tcp/110:110 on vtnet0
IPv4 tcp/143:143 on vtnet0
IPv6 tcp/143:143 on vtnet0
IPv4 tcp/465:465 on vtnet0
IPv6 tcp/465:465 on vtnet0
IPv4 tcp/587:587 on vtnet0
IPv6 tcp/587:587 on vtnet0
IPv4 tcp/993:993 on vtnet0
IPv6 tcp/993:993 on vtnet0
IPv4 tcp/995:995 on vtnet0
IPv6 tcp/995:995 on vtnet0
IPv4 tcp/3587:3587 on vtnet0
IPv6 tcp/3587:3587 on vtnet0
done

After using bastille rdr reset on the jail and allowing bastille to rebuild the file, the problem was cleared up. But the initial success might mislead one into thinking that the upgrade was clean. (I did not install or read the modified documentation.)
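A check for the migration problem described in this report, added here as an example and not part of bastille's own code: it normalizes an rdr.conf that mixes legacy 3-field lines with new 7-field lines and reports rules that would be loaded twice. The field order stack/interface/source/destination is assumed from the -t/-i/-s/-d options, and vtnet0 is assumed as the default interface.

```shell
#!/bin/sh
# Added example, not bastille's own code: normalize rdr.conf lines written
# in both the legacy and the new format, then report rules that would be
# loaded twice (the "Ports already in use" symptom above).
#
# Legacy line (3 fields):  proto host_port jail_port
# New line (7 fields):     stack iface src dst proto host_port jail_port
# Field order stack/iface/src/dst is assumed from the -t/-i/-s/-d options.

# Assumed default interface; the report above used vtnet0.
DEFAULT_IF="vtnet0"

# Read rdr.conf on stdin and print every rule in the 7-field form.
# Returns 1 on a line that has neither 3 nor 7 fields.
normalize_rdr_conf() {
    while read -r f1 f2 f3 f4 f5 f6 f7 rest; do
        case "$f1" in ""|"#"*) continue ;; esac   # skip blanks and comments
        if [ -n "$f3" ] && [ -z "$f4" ]; then
            # legacy line: default interface, any source, any destination
            echo "dual $DEFAULT_IF any any $f1 $f2 $f3"
        elif [ -n "$f7" ] && [ -z "$rest" ]; then
            echo "$f1 $f2 $f3 $f4 $f5 $f6 $f7"
        else
            echo "malformed rdr.conf line: $f1 $f2 $f3 $f4 $f5 $f6 $f7 $rest" >&2
            return 1
        fi
    done
}

# Print each rule that appears more than once after normalization.
# Argument: the rdr.conf contents as a string.
duplicate_rdr_rules() {
    printf '%s\n' "$1" | normalize_rdr_conf | sort | uniq -d
}

# Constructed sample: a shortened copy of the post-upgrade rdr.conf above,
# where legacy lines were kept next to their rewritten equivalents.
SAMPLE_CONF='tcp 110 110
tcp 143 143
dual vtnet0 any any tcp 110 110
dual vtnet0 any any tcp 143 143
dual vtnet0 any any tcp 465 465'

# Prints the two rules (tcp 110 and tcp 143) that pf would be asked to load twice.
duplicate_rdr_rules "$SAMPLE_CONF"
```

Running this against a jail's rdr.conf before a restart shows whether a `bastille rdr TARGET reset` is needed to avoid the duplicate-rule errors.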

@tschettervictor
Collaborator Author

Will make a note of that.
