BastilleBSD / bastille

Bastille is an open-source system for automating deployment and management of containerized applications on FreeBSD.
https://bastillebsd.org
BSD 3-Clause "New" or "Revised" License

[BUG] PF syntax issues with rdr #673

Open jake-g00dwin opened 9 months ago

jake-g00dwin commented 9 months ago

[MANDATORY] Describe the bug

Starting/Stopping a thinjail causes pfctl to output an error DIOCGETRULES: Invalid argument. When trying to use RDR with ports it will also give errors about a macro not being defined, along with a syntax error.

Sockstat doesn't show the ports being in use before or after trying to start the jails that use RDR.

[MANDATORY] Bastille and FreeBSD version (paste bastille -v && freebsd-version -kru output)

```
~>$ bastille -v && freebsd-version -kru
0.10.20231125
14.0-RELEASE-p3
14.0-RELEASE-p3
14.0-RELEASE-p4
```

[optional] Steps to reproduce?

```
~>$ sudo bastille rdr <jailname> tcp 8448 8448
pfctrl: DIOCGETRULES: Invalid argument
stdin:2: macro '' not defined
stdin:2: syntax error
```

[optional] Expected behavior

Jail up and running using the correct ports.

[optional] Screenshots

(screenshot: Bastille List All output)

(screenshot: PF rules)

[optional] Additional context

Had a VPS lose power and restart, noticed this issue after that. I'm assuming it's because I had updated Bastille before hand.

jake-g00dwin commented 9 months ago

#644 seems like it could be related, but I haven't changed any system tunables on this system yet, and I don't have IPv6 set up or in use on any interfaces.

adriel-tech commented 9 months ago

There were changes to bastille.conf that caused a lot of issues for people on the last Bastille update. Is it possible that you updated Bastille, everything was fine but your VPS rebooting after power loss and reloading the new Bastille settings broke things?

You could try comparing your usr/local/etc/Bastille/bastille.conf with the current one. https://github.com/BastilleBSD/bastille/blob/master/usr/local/etc/bastille/bastille.conf.sample

jake-g00dwin commented 9 months ago

Thanks for the info/fast update. And I think that you're right, that's probably the case.

I've played around with my pf.conf file a bit, and manually setting:

```
rdr pass on $ext_if inet proto tcp from any to any port = 80 -> 10.10.10.1 port 80
```

works fine. I think it might have to do with the `pfctl -a "rdr/${JAIL_NAME}" -Psn` calls in the rdr.sh functions.

Ran vimdiff on both the conf files, and lines 14-16, 52 and 55-57 are missing. I can see why those would be important.

I'll try yanking them into the current conf file and post results if it solves it.

jake-g00dwin commented 9 months ago

Success! (screenshot)

Functions without needing to manually change the pf config now. Still outputs the DIOCGETRULES: Invalid argument however, so it might be worth leaving the issue open.

frenata commented 9 months ago

I hit the same issue today! A little bash debugging suggests that the syntax issues (but not the DIOCGETRULES issue) are related to the IP6 path in load_rdr_rule: the value of $JAIL_IP6 there for me is `-`.

ktk commented 8 months ago

Same issue for me, I diffed my bastille.conf with the sample & aligned. Resolved most issues but

```
pfctl: DIOCGETRULES: Invalid argument
```

still remains for one jail. Any ideas on this one?

ntn888 commented 6 months ago

Has anyone an update on this? I get the same error pfctl: DIOCGETRULES: Invalid argument, and the NAT translation I set up is not working.

EDIT: NO issues; for some reason the ssh wasn't NAT'n through. but other services are accessible :)

sinclairday commented 5 months ago

> I hit the same issue today! A little bash debugging suggests that the syntax issues (but not the DIOCGETRULES issue) are related to the IP6 path in load_rdr_rule: the value of $JAIL_IP6 there for me is `-`.

Check that the value for the config parameter ip6 is set:

```
bastille config TARGET get ip6
```

I am unsure what the acceptable values are, but `new` works. Example:

```
  interface = vtnet1;
  ip4.addr = 10.10.1.2;
  ip6 = new;
  ip6.addr = 1234:abcd:abab:0:1234:aa:bbbb:cccc/64;
```

I had commented it out while troubleshooting a bug in Bastille's rdr.sh, and restoring it restored IP6 provisioning for the jail.

sinclairday commented 5 months ago

I believe some of the problems with RDR are related to IP6, and that two functions in /usr/local/share/bastille/rdr.sh need slight tweaking to make them work properly in all cases, esp. when running dual ip4 and ip6 stacks.

Below are snippets from my locally modified rdr.sh that change the inet directive to inet6 in the $JAIL_IP6 blocks of the two functions. pf will not forward ports across IP families (i.e., ip4 -> ip6), and RDR would fail to load when bringing up the jail.

1. load_rdr_rule()

```sh
# IPv6 branch: the rule must carry the inet6 family keyword, since pf
# cannot redirect an inet (IPv4) packet to an IPv6 jail address.
if [ -n "$JAIL_IP6" ]; then
  ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
  printf '%s\nrdr pass on $%s inet6 proto %s to port %s -> %s port %s\n' "$EXT_IF" "${bastille_network_pf_ext_if}" "$1" "$2" "$JAIL_IP6" "$3" ) \
    | tee -a /root/rdr.log | pfctl -a "rdr/${JAIL_NAME}" -f-
fi
```

2. load_rdr_log_rule()

```sh
# Same change for the logging variant of the rule.
if [ -n "$JAIL_IP6" ]; then
  ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
  printf '%s\nrdr pass %s on $%s inet6 proto %s to port %s -> %s port %s\n' "$EXT_IF" "$log" "${bastille_network_pf_ext_if}" "$proto" "$host_port" "$JAIL_IP6" "$jail_port" ) \
    | tee -a /root/rdr.log | pfctl -a "rdr/${JAIL_NAME}" -f-
fi
```

KiriakosGeorgiou commented 5 months ago

Same issue here with the pfctl: DIOCGETRULES: Invalid argument error, on both FreeBSD 14.0 and 14.1 with jails on 13.2-RELEASE. I tried everything, could not get rid of the error, so I took drastic measures and installed FreeBSD 13.3 (which is supported for another year from now) on my cloud VM. I imported all my jails and all is good, no pfctl error. Hopefully this will be fixed, eventually. Bastille is awesome :)

t0maz commented 3 months ago

Same issue here as well on FreeBSD-14.1-p2:

```
# bastille rdr haproxy tcp 443 443
pfctl: DIOCGETRULES: Invalid argument
stdin:2: syntax error
pfctl: Syntax error in config file: pf rules not loaded
```

Perhaps this is the cause of the empty pf jails table; this command gives empty output: `pfctl -t jails -T show`

This line seems to trigger the DIOCGETRULES: Invalid argument:

```
# pfctl -a "rdr/haproxy" -Psn
pfctl: DIOCGETRULES: Invalid argument
```

Perhaps the pfctl -s option is expecting a missing modifier?

sumo commented 3 months ago

I missed the following line when upgrading old bastille.conf to new:

```
bastille_pf_conf="/etc/pf.conf"
```

With it, I am not seeing the errors on 14.1.
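Several commenters resolved the syntax error by diffing their bastille.conf against the shipped sample and copying over lines that the upgrade had not carried across (here, bastille_pf_conf). The script below is an added example, not part of Bastille: it extracts the variable names assigned in each file and prints the ones the sample defines but the local file lacks. The two config files it writes are constructed stand-ins; the key names come from this thread plus a few Bastille option names used only as illustration, and the paths are a temporary directory rather than /usr/local/etc/bastille.

```sh
#!/bin/sh
# Added example (not Bastille's own code): report bastille.conf keys that the
# sample file defines but the local configuration does not.

# Print the variable names assigned in an sh-style config, one per line, sorted.
# Matches lines of the form  name="value"  or  name=value  (comments ignored).
conf_keys() {
    sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" | sort -u
}

# Keys present in the sample ($1) but absent from the local conf ($2).
# comm -23 needs sorted input, which conf_keys guarantees.
missing_keys() {
    tmp_sample=$(mktemp)
    tmp_local=$(mktemp)
    conf_keys "$1" > "$tmp_sample"
    conf_keys "$2" > "$tmp_local"
    comm -23 "$tmp_sample" "$tmp_local"
    rm -f "$tmp_sample" "$tmp_local"
}

# Write a constructed sample and a constructed (stale) local conf into a temp
# directory and print that directory's path. The local file deliberately lacks
# bastille_pf_conf, the line sumo reported missing, and one more key.
make_demo_files() {
    dir=$(mktemp -d)
    cat > "$dir/bastille.conf.sample" <<'EOF'
## constructed sample: default paths
bastille_prefix="/usr/local/bastille"
bastille_jailsdir="${bastille_prefix}/jails"
## constructed sample: pf settings
bastille_pf_conf="/etc/pf.conf"
bastille_network_pf_ext_if="ext_if"
bastille_network_pf_table="jails"
EOF
    cat > "$dir/bastille.conf" <<'EOF'
## constructed local conf carried over from an older release
bastille_prefix="/usr/local/bastille"
bastille_jailsdir="${bastille_prefix}/jails"
bastille_network_pf_ext_if="ext_if"
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: show the keys an operator would need to copy across.
demo_dir=$(make_demo_files)
echo "Keys in sample but missing from local bastille.conf:"
missing_keys "$demo_dir/bastille.conf.sample" "$demo_dir/bastille.conf"
rm -rf "$demo_dir"
```

On a real host the two arguments would be /usr/local/etc/bastille/bastille.conf.sample and /usr/local/etc/bastille/bastille.conf; the check only reports names, so a key that exists locally with an outdated value still has to be compared by hand.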

janondrusek commented 1 week ago

IPv6 handling in Bastille is now very broken. Here is an example jail.conf that will trigger the syntax error described above:

```
# comma separated list of IPv6 addresses, Bastille assumes this is a single address
ip6.addr = 2001:db8::1,2001:db8::2,2001:db8::3
```

Addresses 2001:db8::1 .. 3 get correctly assigned to the vnet interface, but the pfctl command fails. This is a regression, my setup used to work prior to 14.1 upgrade.

I see the rdr.sh assumes I want NAT for all assigned addresses, ip4 and ip6. I am assigning a list of public ip6 to my jail and I do not want any NAT for it.
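Three separate failure modes for the generated rdr rule come up in this thread: a $JAIL_IP6 value of `-` (frenata's post) that ends up in the rule text as an empty macro, an IPv6 address emitted with the inet family keyword (sinclairday's post), and a comma-separated ip6.addr list (the post above) treated as one address. The script below is an added example, not Bastille's rdr.sh, showing how a rule generator can normalise the raw address fields before printing anything for pfctl: it drops `-` and empty values, splits comma lists, strips a /prefix length, and picks inet or inet6 per address. The rule format mirrors the printf in the snippets earlier in this thread; the assumption that any address containing a colon is IPv6 is this example's own heuristic, and the sample inputs are constructed.

```sh
#!/bin/sh
# Added example (not Bastille's own code): build pf rdr rules from the raw
# ip4.addr / ip6.addr values a jail carries, handling the cases this thread
# reports as breaking the generated rule.

# Normalise one raw address field to one address per line:
#   "-" or ""            -> nothing (Bastille's placeholder for "unset")
#   "a,b,c"              -> three lines (comma-separated list)
#   "2001:db8::1/64"     -> "2001:db8::1" (prefix length is not valid in rdr)
normalize_addrs() {
    raw="$1"
    case "$raw" in
        ""|-) return 0 ;;
    esac
    printf '%s\n' "$raw" | tr ',' '\n' | while IFS= read -r a; do
        a="${a%%/*}"
        [ -n "$a" ] && printf '%s\n' "$a"
    done
    return 0
}

# Address family keyword for the rule. pf will not redirect across families,
# so an IPv6 target needs inet6. Heuristic (assumed): a colon marks IPv6.
family_of() {
    case "$1" in
        *:*) echo inet6 ;;
        *)   echo inet ;;
    esac
}

# Emit one rdr rule per address.
# Args: ext_if_macro proto host_port jail_port addr...
rdr_rules() {
    ext_if="$1"; proto="$2"; host_port="$3"; jail_port="$4"; shift 4
    for addr in "$@"; do
        printf 'rdr pass on $%s %s proto %s to port %s -> %s port %s\n' \
            "$ext_if" "$(family_of "$addr")" "$proto" "$host_port" "$addr" "$jail_port"
    done
}

# Whole pipeline: raw ip4 and ip6 fields in, finished rule lines out.
# Prints nothing (rather than a broken rule) when neither field is set.
# Args: ext_if_macro proto host_port jail_port raw_ip4 raw_ip6
jail_rdr_rules() {
    ext_if="$1"; proto="$2"; host_port="$3"; jail_port="$4"; ip4="$5"; ip6="$6"
    addrs=$( { normalize_addrs "$ip4"; normalize_addrs "$ip6"; } )
    [ -n "$addrs" ] || return 0
    # shellcheck disable=SC2086  # word-split on newlines; addresses hold no spaces
    set -- $addrs
    rdr_rules "$ext_if" "$proto" "$host_port" "$jail_port" "$@"
}

# Stand-alone run over constructed inputs matching the cases in the thread.
echo "# ip4 only, ip6 placeholder '-':"
jail_rdr_rules ext_if tcp 8448 8448 "10.10.1.2" "-"
echo "# ip6 list with a prefix length on the last entry:"
jail_rdr_rules ext_if tcp 443 443 "-" "2001:db8::1,2001:db8::2,2001:db8::3/64"
echo "# nothing set at all (no output expected):"
jail_rdr_rules ext_if tcp 80 80 "-" ""
```

The output of jail_rdr_rules is text for `pfctl -a "rdr/<jail>" -f-`, exactly as the snippets above feed it; checking it with `pfctl -nf -` first would catch any remaining syntax problem before the anchor is touched. Whether every listed address should get a redirect at all is a policy question the post above raises and this generator does not decide.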