A couple of RDR enhancements #684
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit adds a persistent keyword for rdr list and rdr clean. "rdr list persistent" shows rules in the rdr.conf file for the TARGET. "rdr clear persistent" removes also the rdr.conf file for the TARGET.
This is enhancement for the rdr command to allow to specify the target host ip and network device. The "ip" modifier sets the target ip replacing the "to any" to "to <IP>". The "dev" modifier replaces the default device to the specified one. Both are stored to the persistent rdr.conf. The format of old rdr.conf entries does not change. All of these rule combinations are now supported (any has a valid usecase): tcp 22 22 ip 192.168.1.1 tcp 22 22 dev wg0 tcp 22 22 ip 192.168.1.1 dev wg0 tcp 22 22 ip 192.168.1.1 dev wg0 tcp 23 22 log
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds two enhancements:
RDR list and RDR clear for persistent rules file
rdr.conf.The major rationale behind this was, that the
rdr cleardoes not clear therdr.confand only clears the applied pf rules. I didn't want to change the current default behavior (it may be useful in some cases).RDR ip and dev commands. It allows changing the globally configured ext_if device and defining specific host target ip address. Even this change extends the rdr.conf format it is consistent with the current format and no migration is needed.
Now a following format of
rdr.confis allowed:It allows bigger flexibility of redirection and fix some issues.
For example when the system is a gateway and the ext_if is the device being a gateway, the former redirection (from any to any) cause a redirect of all the packets heading to that port on this device even if the destination ip was different.
Another possible example of use case is having a two outgoing interfaces (in all my cases an ethernet port and a wireguard tunnel) with a possibility to selectively redirect from.
Then there are two extra commits. One is for the overall rdr.sh cleanup (deduplication, consistent formating, and generalization). And the last commit is update to the rdr documentation, which was not updated for a while.