[BUG] PF syntax issues with rdr

[jake-g00dwin]

[MANDATORY] Describe the bug [MANDATORY]
Starting/Stoping a thinjail causes pfctl to output an error DIOCGETRULES: Invalid argument. When trying to use RDR with ports it will also give errors about a macro not being defined, along with a syntax error.

Sockstat doesn't show the ports being in use before or after trying to start the jails that use RDR.

[MANDATORY] Bastille and FreeBSD version (paste bastille -v && freebsd-version -kru output)

~>$ bastille -v && freebsd-version -kru
0.10.20231125
14.0-RELEASE-p3
14.0-RELEASE-p3
14.0-RELEASE-p4

[optional] Steps to reproduce?

~>$ sudo bastille rdr <jailname> tcp 8448 8448
pfctrl: DIOCGETRULES: Invalid argument
stdin:2: macro '' not defined
stdin:2: syntax error

[optional] Expected behavior
Jail up and running using the correct ports.

[optional] Screenshots

Bastille List All output

PF rules

[optional] Additional context

Had a VPS lose power and restart, noticed this issue after that. I'm assuming it's because I had updated Bastille before hand.

[jake-g00dwin]

#644 Seems like it could be related, but I haven't changed any system tunables on this system yet, and I don't have IPV6 setup or in use on any interfaces.

[adriel-tech]

There were changes to bastille.conf that caused a lot of issues for people on the last Bastille update. Is it possible that you updated Bastille, everything was fine but your VPS rebooting after power loss and reloading the new Bastille settings broke things?

You could try comparing your usr/local/etc/Bastille/bastille.conf with the current one.
https://github.com/BastilleBSD/bastille/blob/master/usr/local/etc/bastille/bastille.conf.sample

[jake-g00dwin]

Thanks for the info/fast update. And I think that you're right, that's probably the case.

I've played around with my pf.conf file a bit and manually
setting:

rdr pass on $ext_if inet proto tcp from any to any port = 80 -> 10.10.10.1 port 80

works fine. I think it might have to do with the pfctl -a "rdr/${JAIL_NAME}" -Psn calls in the rdr.sh functions.

ran vimdiff on both the conf files and lines 14-16, 52 and 55-57 and are missing. I can see why those would be important.

I'll try yanking them into the current conf file and post results if it solves it.

[jake-g00dwin]

Success!

Functions without needing to manually change the pf config now. Still outputs the DIOCGETRULES: Invalid argument however; so might be worth leaving issue open.

[frenata]

I hit the same issue today! A little bash debugging suggests that the syntax issues (but not he DIOCGETRULES issue) is related to the IP6 path in load_rdr_rule: the value of $JAIL_IP6 there for me is -.

[ktk]

Same issue for me, I diffed my bastille.conf with the sample & aligned. Resolved most issues but

pfctl: DIOCGETRULES: Invalid argument

Still remains for one jail. Any ideas on this one?

[ntn888]

has anyone an update on this? I get the same error pfctl: DIOCGETRULES: Invalid argument. and the nat translation I setup is not working..

EDIT: NO issues; for some reason the ssh wasn't NAT'n through. but other services are accessible :)

[sinclairday]

I hit the same issue today! A little bash debugging suggests that the syntax issues (but not he DIOCGETRULES issue) is related to the IP6 path in load_rdr_rule: the value of $JAIL_IP6 there for me is -.

Check that the the value for the config parameter ip6 is set.

bastille config TARGET get ip6

I am unsure what the acceptable values are, but new works. Example:

  interface = vtnet1;
  ip4.addr = 10.10.1.2;
  ip6 = new;
  ip6.addr = 1234:abcd:abab:0:1234:aa:bbbb:cccc/64;

I had commented it out while troubleshooting a bug in Bastille's rdr.sh, and restoring it restored IP6 provisioning for the jail.

[sinclairday]

I believe some of the problems with RDR are related to IP6, and that two functions in /usr/local/share/bastille/rdr.sh need slight tweaking to make them work properly in all cases, esp. when running dual ip4 and ip6 stacks.

Below are snippets from my locally modified rdr.sh that changes the inet directive to inet6 in the $JAIL_IP6 blocks of the two functions. pf will not forward ports across IP families (i.e., ip4 -> ip6), and RDR would fail to load when bringing up the jail.

1. load_rdr_rule()

if [ -n "$JAIL_IP6" ]; then
  ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
  printf '%s\nrdr pass on $%s inet6 proto %s to port %s -> %s port %s\n' "$EXT_IF" "${bastille_network_pf_ext_if}" "$1" "$2" "$JAIL_IP6" "$3" ) \
    | tee -a /root/rdr.log | pfctl -a "rdr/${JAIL_NAME}" -f-
fi

2. load_rdr_log_rule()

if [ -n "$JAIL_IP6" ]; then
  ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
  printf '%s\nrdr pass %s on $%s inet6 proto %s to port %s -> %s port %s\n' "$EXT_IF" "$log" "${bastille_network_pf_ext_if}" "$proto" "$host_port" "$JAIL_IP6" "$jail_port" ) \
    | tee -a /root/rdr.log | pfctl -a "rdr/${JAIL_NAME}" -f-
fi

[KiriakosGeorgiou]

Same issue here with the pfctl: DIOCGETRULES: Invalid argument error, on both FreeBSD 14.0 and 14.1 with jails on 13.2-RELEASE . I tried everything, could not get rid of the error, so I took drastic measures and installed FreeBSD 13.3 (which is supported for another year from now) on my cloud vm. I imported all my jails and all is good, no pfctl error. Hopefully this will be fixed, eventually. Bastille is awesome :)

[t0maz]

Same issue here as well on FreeBSD-14.1-p2 :

# bastille rdr haproxy tcp 443 443
pfctl: DIOCGETRULES: Invalid argument
stdin:2: syntax error
pfctl: Syntax error in config file: pf rules not loaded

Perhaps this is the cause of the empty pf jails table, this commands gives empty output:
pfctl -t jails -T show

This line seems to trigger the DIOCGETRULES: Invalid argument :

# pfctl -a "rdr/haproxy" -Psn
pfctl: DIOCGETRULES: Invalid argument

Perhaps pfctl -s option is expecting a missing modifier?

[sumo]

I missed the following line when upgrading old bastille.conf to new

bastille_pf_conf="/etc/pf.conf"

With it, I am not seeing the errors on 14.1

[janondrusek]

IPv6 handling in Bastille is now very broken. Here is an example jail.conf that will trigger the syntax error described above:

# comma separated list of IPv6 addresses, Bastille assumes this is a single address
ip6.addr = 2001:db8::1,2001:db8::2,2001:db8::3

Addresses 2001:db8::1 .. 3 get correctly assigned to the vnet interface, but the pfctl command fails. This is a regression, my setup used to work prior to 14.1 upgrade.

I see the rdr.sh assumes I want NAT for all assigned addresses, ip4 and ip6. I am assigning a list of public ip6 to my jail and I do not want any NAT for it.

[bmac2]

seems we need some testing on ipv6 in bastille to determine the current state of ipv6 support. There are many various issues above. Are these an issue with the current repo version of Bastille, or is it because of the past updates and is no longer an issue???
@cedwards @yaazkal

[tschettervictor]

Just ran into this also.

root@webmin:~ # bastille rdr jail tcp 8080 80
jail1
pfctl: DIOCGETRULES: Invalid argument
pfctl: pfctl_rules
pfctl: DIOCXROLLBACK: Invalid argument

[tschettervictor]

EDIT: looks like the function still works though. The ports are published and I can get inside the jail. This is with IPv4 only though.

[tschettervictor]

#768 should take care of this error. It only happens when pfctl is not able to find any rules in the table, meaning they have not yet been created. But once they are created, the error never shows up. The PR I linked to simply ignores the error.