construqt 0.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/lib/construqt/addresses.rb +204 -0
- data/lib/construqt/bgps.rb +164 -0
- data/lib/construqt/cables.rb +47 -0
- data/lib/construqt/firewalls.rb +247 -0
- data/lib/construqt/flavour/ciscian/ciscian.rb +687 -0
- data/lib/construqt/flavour/ciscian/dialect_dlink-dgs15xx.rb +235 -0
- data/lib/construqt/flavour/ciscian/dialect_hp-2510g.rb +114 -0
- data/lib/construqt/flavour/delegates.rb +448 -0
- data/lib/construqt/flavour/flavour.rb +97 -0
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik.rb +417 -0
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik_bgp.rb +134 -0
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik_interface.rb +79 -0
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik_ipsec.rb +65 -0
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik_result.rb +182 -0
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik_schema.rb +355 -0
- data/lib/construqt/flavour/plantuml/plantuml.rb +462 -0
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu.rb +381 -0
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_bgp.rb +117 -0
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_dns.rb +97 -0
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_firewall.rb +300 -0
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb +144 -0
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_opvn.rb +60 -0
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_result.rb +537 -0
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_services.rb +115 -0
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_vrrp.rb +52 -0
- data/lib/construqt/flavour/unknown/unknown.rb +175 -0
- data/lib/construqt/hostid.rb +42 -0
- data/lib/construqt/hosts.rb +98 -0
- data/lib/construqt/interfaces.rb +166 -0
- data/lib/construqt/ipsecs.rb +64 -0
- data/lib/construqt/networks.rb +81 -0
- data/lib/construqt/regions.rb +32 -0
- data/lib/construqt/resource.rb +42 -0
- data/lib/construqt/services.rb +53 -0
- data/lib/construqt/tags.rb +61 -0
- data/lib/construqt/templates.rb +37 -0
- data/lib/construqt/tests/test_addresses.rb +50 -0
- data/lib/construqt/tests/test_bgps.rb +24 -0
- data/lib/construqt/tests/test_hostid.rb +32 -0
- data/lib/construqt/tests/test_hosts.rb +23 -0
- data/lib/construqt/tests/test_utils.rb +76 -0
- data/lib/construqt/users.rb +19 -0
- data/lib/construqt/util.rb +163 -0
- data/lib/construqt/version.rb +3 -0
- data/lib/construqt/vlans.rb +51 -0
- data/lib/construqt.rb +92 -0
- metadata +105 -0
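--- a/data/lib/construqt/flavour/ubuntu/flavour_ubuntu_firewall.rb
+++ b/data/lib/construqt/flavour/ubuntu/flavour_ubuntu_firewall.rb
@@ -0,0 +1,300 @@
+module Construqt
+module Flavour
+module Ubuntu
+
+module Firewall
+class ToFrom
+include Util::Chainable
+chainable_attr_value :begin, nil
+chainable_attr_value :begin_to, nil
+chainable_attr_value :begin_from, nil
+chainable_attr_value :middle, nil
+chainable_attr_value :middle_to, nil
+chainable_attr_value :middle_from, nil
+chainable_attr_value :end, nil
+chainable_attr_value :end_to, nil
+chainable_attr_value :end_from, nil
+chainable_attr_value :factory, nil
+chainable_attr_value :ifname, nil
+chainable_attr_value :interface, nil
+chainable_attr :output_only, true, false
+chainable_attr :input_only, true, false
+chainable_attr_value :output_ifname_direction, "-i"
+chainable_attr_value :input_ifname_direction, "-o"
+
+def only_in_out(rule)
+output_only rule.output_only?
+input_only rule.input_only?
+self
+end
+
+def space_before(str)
+if str.nil? or str.empty?
+""
+else
+" "+str.strip
+end
+end
+
+def push_begin_to(str)
+begin_to(get_begin_to + space_before(str))
+end
+
+def push_begin_from(str)
+begin_from(get_begin_from + space_before(str))
+end
+
+def push_middle_to(str)
+middle_to(get_middle_to + space_before(str))
+end
+
+def push_middle_from(str)
+middle_from(get_middle_from + space_before(str))
+end
+
+def push_end_to(str)
+end_to(get_end_to + space_before(str))
+end
+
+def push_end_from(str)
+end_from(get_end_from + space_before(str))
+end
+
+def get_begin_to
+return space_before(@begin_to) if @begin_to
+return space_before(@begin)
+end
+
+def get_begin_from
+return space_before(@begin_from) if @begin_from
+return space_before(@begin)
+end
+
+def get_middle_to
+return space_before(@middle_to) if @middle_to
+return space_before(@middle)
+end
+
+def get_middle_from
+return space_before(@middle_from) if @middle_from
+return space_before(@middle)
+end
+
+def get_end_to
+return space_before(@end_to) if @end_to
+return space_before(@end)
+end
+
+def get_end_from
+return space_before(@end_from) if @end_from
+return space_before(@end)
+end
+
+def bind_interface(ifname, iface, rule)
+self.interface(iface)
+self.ifname(ifname)
+if rule.from_is_inbound?
+output_ifname_direction("-i")
+input_ifname_direction("-o")
+else
+output_ifname_direction("-o")
+input_ifname_direction("-i")
+end
+end
+
+def output_ifname
+return space_before("#{@output_ifname_direction} #{@ifname}") if @ifname
+return ""
+end
+
+def input_ifname
+return space_before("#{@input_ifname_direction} #{@ifname}") if @ifname
+return ""
+end
+
+def has_to?
+@begin || @begin_to || @middle || @middle_to || @end || @end_to
+end
+
+def has_from?
+@begin || @begin_from || @middle || @middle_from || @end || @end_from
+end
+
+def factory!
+get_factory.create
+end
+end
+
+def self.write_table(iptables, rule, to_from)
+family = iptables=="ip6tables" ? Construqt::Addresses::IPV6 : Construqt::Addresses::IPV4
+if rule.from_interface?
+#binding.pry
+from_list = IPAddress::IPv4::summarize(
+*(iptables=="ip6tables" ? to_from.get_interface.address.v6s : to_from.get_interface.address.v4s).map do |adr|
+adr.to_string
+end)
+else
+from_list = Construqt::Tags.ips_net(rule.get_from_net, family)
+end
+
+to_list = Construqt::Tags.ips_net(rule.get_to_net, family)
+#puts ">>>>>#{from_list.inspect}"
+#puts ">>>>>#{state.inspect} end_to:#{state.end_to}:#{state.end_from}:#{state.middle_to}#{state.middle_from}"
+action_i = action_o = rule.get_action
+if to_list.empty? && from_list.empty?
+#puts "write_table=>o:#{to_from.output_only?}:#{to_from.output_ifname} i:#{to_from.input_only?}:#{to_from.input_ifname}"
+if to_from.output_only?
+to_from.factory!.row("#{to_from.output_ifname}#{to_from.get_begin_from}#{to_from.get_middle_to} -j #{rule.get_action}#{to_from.get_end_to}")
+end
+
+if to_from.input_only?
+to_from.factory!.row("#{to_from.input_ifname}#{to_from.get_begin_to}#{to_from.get_middle_from} -j #{rule.get_action}#{to_from.get_end_from}")
+end
+end
+
+if to_list.length > 1
+action_o = "I.#{to_from.get_ifname}.#{rule.object_id.to_s(32)}"
+action_i = "O.#{to_from.get_ifname}.#{rule.object_id.to_s(32)}"
+to_list.each do |ip|
+if to_from.output_only?
+to_from.factory!.table(action_o).row("#{to_from.output_ifname} -d #{ip.to_string} -j #{rule.get_action}")
+end
+
+if to_from.input_only?
+to_from.factory!.table(action_i).row("#{to_from.input_ifname} -s #{ip.to_string} -j #{rule.get_action}")
+end
+end
+
+elsif to_list.length == 1
+from_dst = " -d #{to_list.first.to_string}"
+to_src = " -s #{to_list.first.to_string}"
+else
+from_dst = to_src =""
+end
+
+from_list.each do |ip|
+if to_from.output_only?
+to_from.factory!.row("#{to_from.output_ifname}#{to_from.get_begin_from} -s #{ip.to_string}#{from_dst}#{to_from.get_middle_from} -j #{action_o}#{to_from.get_end_to}")
+end
+
+if to_from.input_only?
+to_from.factory!.row("#{to_from.input_ifname}#{to_from.get_begin_to}#{to_src} -d #{ip.to_string}#{to_from.get_middle_to} -j #{action_i}#{to_from.get_end_from}")
+end
+end
+end
+
+def self.write_raw(raw, ifname, iface, writer)
+# puts ">>>RAW #{iface.name} #{raw.firewall.name}"
+raw.rules.each do |rule|
+throw "ACTION must set #{ifname}" unless rule.get_action
+if rule.prerouting?
+to_from = ToFrom.new.bind_interface(ifname, iface, rule).only_in_out(rule)
+#puts "PREROUTING #{to_from.inspect}"
+write_table("iptables", rule, to_from.factory(writer.ipv4.prerouting))
+write_table("ip6tables", rule, to_from.factory(writer.ipv6.prerouting))
+end
+
+if rule.output?
+to_from = ToFrom.new.bind_interface(ifname, iface, rule).only_in_out(rule)
+write_table("iptables", rule, to_from.factory(writer.ipv4.output))
+write_table("ip6tables", rule, to_from.factory(writer.ipv6.output))
+end
+end
+end
+
+def self.write_nat(nat, ifname, iface, writer)
+nat.rules.each do |rule|
+throw "ACTION must set #{ifname}" unless rule.get_action
+throw "TO_SOURCE must set #{ifname}" unless rule.to_source?
+if rule.to_source? && rule.postrouting?
+src = iface.address.ips.select{|ip| ip.ipv4?}.first
+throw "missing ipv4 address and postrouting and to_source is used #{ifname}" unless src
+to_from = ToFrom.new.only_in_out(rule).end_to("--to-source #{src}")
+.ifname(ifname).factory(writer.ipv4.postrouting)
+write_table("iptables", rule, to_from)
+end
+end
+end
+
+def self.protocol_loop(rule)
+protocol_loop = []
+if !rule.tcp? && !rule.udp?
+protocol_loop << ''
+else
+protocol_loop << '-p tcp' if rule.tcp?
+protocol_loop << '-p udp' if rule.udp?
+end
+
+protocol_loop
+end
+
+def self.write_forward(forward, ifname, iface, writer)
+forward.rules.each do |rule|
+throw "ACTION must set #{ifname}" unless rule.get_action
+#puts "write_forward #{rule.inspect} #{rule.input_only?} #{rule.output_only?}"
+if rule.get_log
+to_from = ToFrom.new.bind_interface(ifname, iface, rule).only_in_out(rule)
+.end_to("--nflog-prefix o:#{rule.get_log}:#{ifname}")
+.end_from("--nflog-prefix i:#{rule.get_log}:#{ifname}")
+write_table("iptables", rule.clone.action("NFLOG"), to_from.factory(writer.ipv4.forward))
+write_table("ip6tables", rule.clone.action("NFLOG"), to_from.factory(writer.ipv6.forward))
+end
+
+protocol_loop(rule).each do |protocol|
+#binding.pry
+to_from = ToFrom.new.bind_interface(ifname, iface, rule).only_in_out(rule)
+to_from.push_begin_to(protocol)
+to_from.push_begin_from(protocol)
+if rule.get_ports && !rule.get_ports.empty?
+to_from.push_middle_from("-dports #{rule.get_ports.join(",")}")
+to_from.push_middle_to("-dports #{rule.get_ports.join(",")}")
+end
+
+if rule.connection?
+to_from.push_middle_from("-m state --state NEW,ESTABLISHED")
+to_from.push_middle_to("-m state --state RELATED,ESTABLISHED")
+end
+
+write_table("iptables", rule, to_from.factory(writer.ipv4.forward))
+write_table("ip6tables", rule, to_from.factory(writer.ipv6.forward))
+end
+end
+end
+
+def self.write_host(host, ifname, iface, writer)
+host.rules.each do |rule|
+in_to_from = ToFrom.new.bind_interface(ifname, iface, rule).input_only
+out_to_from = ToFrom.new.bind_interface(ifname, iface, rule).output_only
+if rule.get_log
+#binding.pry
+l_in_to_from = ToFrom.new.bind_interface(ifname, iface, rule).input_only
+.end_to("--nflog-prefix o:#{rule.get_log}:#{ifname}")
+l_out_to_from = ToFrom.new.bind_interface(ifname, iface, rule).output_only
+.end_from("--nflog-prefix i:#{rule.get_log}:#{ifname}")
+write_table("iptables", rule.clone.action("NFLOG"), l_in_to_from.factory(writer.ipv4.input))
+write_table("iptables", rule.clone.action("NFLOG"), l_out_to_from.factory(writer.ipv4.output))
+write_table("ip6tables", rule.clone.action("NFLOG"), l_in_to_from.factory(writer.ipv6.input))
+write_table("ip6tables", rule.clone.action("NFLOG"), l_out_to_from.factory(writer.ipv6.output))
+end
+
+write_table("iptables", rule, in_to_from.factory(writer.ipv4.input))
+write_table("iptables", rule, out_to_from.factory(writer.ipv4.output))
+write_table("ip6tables", rule, in_to_from.factory(writer.ipv6.input))
+write_table("ip6tables", rule, out_to_from.factory(writer.ipv6.output))
+end
+end
+
+def self.create(host, ifname, iface)
+throw 'interface must set' unless ifname
+writer = iface.host.result.etc_network_iptables
+iface.firewalls && iface.firewalls.each do |firewall|
+firewall.get_raw && Firewall.write_raw(firewall.get_raw, ifname, iface, writer.raw)
+firewall.get_nat && Firewall.write_nat(firewall.get_nat, ifname, iface, writer.nat)
+firewall.get_forward && Firewall.write_forward(firewall.get_forward, ifname, iface, writer.filter)
+firewall.get_host && Firewall.write_host(firewall.get_host, ifname, iface, writer.filter)
+end
+end
+end
+end
+end
+end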
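Review bot: The port matches pushed at file lines 249-250 use `-dports`, which iptables does not accept; a comma-separated port list needs the multiport extension, i.e. `to_from.push_middle_from("-m multiport --dports #{rule.get_ports.join(",")}")` and `to_from.push_middle_to("-m multiport --dports #{rule.get_ports.join(",")}")`, otherwise the generated ruleset is rejected on load and the host is left with whatever policy was in place before. The error paths at lines 189, 207, 208, 211, 233 and 288 (and line 138 of flavour_ubuntu_ipsec.rb in the next section) use `throw` with a string, which is catch/throw control flow rather than an exception and reaches the caller as UncaughtThrowError; `raise "ACTION must set #{ifname}"` is the intended call. The per-rule chain names at lines 156-157 are derived from `rule.object_id`, so the emitted firewall text changes on every run even when the model does not, which makes config diffs and change review noisy; a name built from stable rule attributes would avoid that. write_table also builds from_list with `IPAddress::IPv4::summarize` for the ip6tables family at lines 132-135, which does not look like it can take IPv6 addresses — worth confirming against the IPAddress gem.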
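--- a/data/lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb
+++ b/data/lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb
@@ -0,0 +1,144 @@
+
+module Construqt
+module Flavour
+module Ubuntu
+class Ipsec < OpenStruct
+def initialize(cfg)
+super(cfg)
+end
+
+def self.header(host)
+addrs = {}
+host.interfaces.values.each do |iface|
+iface = iface.delegate
+next unless iface.cfg
+next unless iface.cfg.kind_of? Construqt::Ipsec
+if iface.remote.first_ipv4
+addrs[iface.remote.first_ipv4.to_s] = "isakmp #{self.remote.first_ipv4.to_s} [500];"
+end
+if iface.remote.first_ipv6
+addrs[iface.remote.first_ipv6.to_s] = "isakmp #{self.remote.first_ipv6.to_s} [500];"
+end
+end
+return if addrs.empty?
+self.host.result.add(self, <<HEADER, Construqt::Resources::Rights::ROOT_0644, "etc", "racoon", "racoon.conf")
+# do not edit generated filed #{path}
+path pre_shared_key "/etc/racoon/psk.txt";
+path certificate "/etc/racoon/certs";
+log info;
+listen {
+#{Util.indent(addrs.keys.sort.map{|k| addrs[k] }.join("\n"), " ")}
+strict_address;
+}
+HEADER
+end
+
+# def build_gre_config()
+# iname = Util.clean_if("gt", self.other.host.name)
+# writer = self.host.result.delegate.etc_network_interfaces.get(self.interface)
+# writer.lines.add(<<UP)
+#up ip -6 tunnel add #{iname} mode ip6gre local #{self.my.first_ipv6} remote #{self.other.my.first_ipv6}
+#up ip -6 addr add #{self.my.first_ipv6.to_string} dev #{iname}
+#up ip -6 link set dev #{iname} up
+#UP
+# writer.lines.add(<<DOWN)
+#down ip -6 tunnel del #{iname}
+#DOWN
+# end
+
+def build_racoon_config(remote_ip)
+#binding.pry
+self.host.result.add(self, <<RACOON, Construqt::Resources::Rights::ROOT_0644, "etc", "racoon", "racoon.conf")
+# #{self.cfg.name}
+remote #{remote_ip} {
+exchange_mode main;
+lifetime time 24 hour;
+
+proposal_check strict;
+dpd_delay 30;
+ike_frag on; # use IKE fragmentation
+proposal {
+encryption_algorithm aes256;
+hash_algorithm sha1;
+authentication_method pre_shared_key;
+dh_group modp1536;
+}
+}
+RACOON
+end
+
+def from_to_sainfo(my_ip, other_ip)
+if my_ip.network.to_s == other_ip.network.to_s
+my_ip_str = my_ip.to_s
+other_ip_str = other_ip.to_s
+else
+my_ip_str = my_ip.to_string
+other_ip_str = other_ip.to_string
+end
+
+self.host.result.add(self, <<RACOON, Construqt::Resources::Rights::ROOT_0644, "etc", "racoon", "racoon.conf")
+sainfo address #{my_ip_str} any address #{other_ip_str} any {
+pfs_group 5;
+encryption_algorithm aes256;
+authentication_algorithm hmac_sha1;
+compression_algorithm deflate;
+lifetime time 1 hour;
+}
+RACOON
+end
+
+def from_to_ipsec_conf(dir, remote_my, remote_other, my, other)
+host.result.add(self, "# #{self.cfg.name} #{dir}", Construqt::Resources::Rights::ROOT_0644, "etc", "ipsec-tools.d", "ipsec.conf")
+if my.network.to_s == other.network.to_s
+spdadd = "spdadd #{my.to_s} #{other.to_s} any -P #{dir} ipsec esp/tunnel/#{remote_my}-#{remote_other}/unique;"
+else
+spdadd = "spdadd #{my.to_string} #{other.to_string} any -P #{dir} ipsec esp/tunnel/#{remote_my}-#{remote_other}/unique;"
+end
+
+host.result.add(self, spdadd, Construqt::Resources::Rights::ROOT_0644, "etc", "ipsec-tools.d", "ipsec.conf")
+end
+
+def build_policy(remote_my, remote_other, my, other)
+#binding.pry
+my.ips.each do |my_ip|
+other.ips.each do |other_ip|
+next unless (my_ip.ipv6? && my_ip.ipv6? == other_ip.ipv6?) || (my_ip.ipv4? && my_ip.ipv4? == other_ip.ipv4?)
+from_to_ipsec_conf("out", remote_my, remote_other, my_ip, other_ip)
+from_to_sainfo(my_ip, other_ip)
+end
+end
+
+other.ips.each do |other_ip|
+my.ips.each do |my_ip|
+next unless (my_ip.ipv6? && my_ip.ipv6? == other_ip.ipv6?) || (my_ip.ipv4? && my_ip.ipv4? == other_ip.ipv4?)
+from_to_ipsec_conf("in", remote_other, remote_my, other_ip, my_ip)
+from_to_sainfo(other_ip, my_ip)
+end
+end
+end
+
+def build_config(unused, unused2)
+# build_gre_config()
+#binding.pry
+if self.other.remote.first_ipv6
+build_racoon_config(self.other.remote.first_ipv6.to_s)
+host.result.add(self, <<IPV6, Construqt::Resources::Rights::ROOT_0600, "etc", "racoon", "psk.txt")
+# #{self.cfg.name}
+#{self.other.remote.first_ipv6.to_s} #{Util.password(self.cfg.password)}
+IPV6
+build_policy(self.remote.first_ipv6.to_s, self.other.remote.first_ipv6.to_s, self.my, self.other.my)
+elsif self.other.remote.first_ipv4
+build_racoon_config(self.other.remote.first_ipv4.to_s)
+host.result.add(self, <<IPV4, Construqt::Resources::Rights::ROOT_0600, "etc", "racoon", "psk.txt")
+# #{self.cfg.name}
+#{self.other.remote.first_ipv4.to_s} #{Util.password(self.cfg.password)}
+IPV4
+build_policy(self.remote.first_ipv4.to_s, self.other.remote.first_ipv4.to_s, self.my, self.other.my)
+else
+throw "ipsec need a remote address"
+end
+end
+end
+end
+end
+end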
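Review bot: `self.header(host)` at file line 10 is a class method, yet lines 17, 20 and 24 call `self.remote` and `self.host` on the Ipsec class itself, and the heredoc at line 25 interpolates an undefined `path`, so the method raises NoMethodError/NameError as soon as an interface with an Ipsec cfg is found; the loop variable and the `host` argument are what was meant, e.g. `"isakmp #{iface.remote.first_ipv4.to_s} [500];"` and `host.result.add(self, <<HEADER, ...)`. The proposals at lines 60-65 and 80-86 are literal strings fixing `hash_algorithm sha1`, `dh_group modp1536`, `authentication_algorithm hmac_sha1` and `pfs_group 5`; these sit below current guidance (SHA-2 and 2048-bit or larger groups, i.e. modp2048 / pfs_group 14), and because nothing from the cfg feeds them a deployment cannot override them without patching the flavour. `compression_algorithm deflate` at line 84 is another fixed choice that is better made opt-in than default. Writing psk.txt with ROOT_0600 at lines 125 and 132 is the right call, since that file carries the pre-shared secret.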
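--- a/data/lib/construqt/flavour/ubuntu/flavour_ubuntu_opvn.rb
+++ b/data/lib/construqt/flavour/ubuntu/flavour_ubuntu_opvn.rb
@@ -0,0 +1,60 @@
+
+module Construqt
+module Flavour
+module Ubuntu
+class Opvn < OpenStruct
+def initialize(cfg)
+super(cfg)
+end
+
+def build_config(host, opvn)
+iface = opvn.delegate
+local = iface.ipv6 ? host.id.first_ipv6.first_ipv6 : host.id.first_ipv4.first_ipv4
+return unless local
+push_routes = ""
+if iface.push_routes
+push_routes = iface.push_routes.routes.map{|route| "push \"route #{route.dst.to_string}\"" }.join("\n")
+end
+
+host.result.add(self, iface.cacert, Construqt::Resources::Rights::ROOT_0644, "etc", "openvpn", "ssl", "#{iface.name}-cacert.pem")
+host.result.add(self, iface.hostcert, Construqt::Resources::Rights::ROOT_0644, "etc", "openvpn", "ssl", "#{iface.name}-hostcert.pem")
+host.result.add(self, iface.hostkey, Construqt::Resources::Rights::ROOT_0600, "etc", "openvpn", "ssl", "#{iface.name}-hostkey.pem")
+host.result.add(self, iface.dh1024, Construqt::Resources::Rights::ROOT_0644, "etc", "openvpn", "ssl", "#{iface.name}-dh1024")
+host.result.add(self, <<OPVN, Construqt::Resources::Rights::ROOT_0644, "etc", "openvpn", "#{iface.name}.conf")
+daemon
+local #{local}
+proto udp#{local.ipv6? ? '6' : ''}
+port 1194
+mode server
+tls-server
+dev #{iface.name}
+ca /etc/openvpn/ssl/#{iface.name}-cacert.pem
+cert /etc/openvpn/ssl/#{iface.name}-hostcert.pem
+key /etc/openvpn/ssl/#{iface.name}-hostkey.pem
+dh /etc/openvpn/ssl/#{iface.name}-dh1024
+server #{iface.network.first_ipv4.to_s} #{iface.network.first_ipv4.netmask}
+server-ipv6 #{iface.network.first_ipv6.to_string}
+client-to-client
+keepalive 10 30
+cipher AES-128-CBC # AES
+cipher BF-CBC # Blowfish (default)
+comp-lzo
+max-clients 100
+user nobody
+group nogroup
+persist-key
+persist-tun
+status /etc/openvpn/status
+log-append /var/log/openvpn-#{iface.name}.log
+mute 20
+#{push_routes}
+mssfix #{iface.mtu||1348}
+plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
+client-cert-not-required
+script-security 2
+OPVN
+end
+end
+end
+end
+end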
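Review bot: The generated server config carries two `cipher` lines (file lines 39-40); OpenVPN keeps the last occurrence of a single-valued option, so the effective data-channel cipher is `BF-CBC`, a 64-bit block cipher, and the `cipher AES-128-CBC` line above it is dead. Dropping line 40, or making the cipher a field on the interface cfg instead of a literal in the heredoc, is the fix. The other fixed choices deserve a hardening pass: `client-cert-not-required` at line 53 makes the PAM username/password the only client authentication, the `dh1024` file at lines 22 and 34 is a 1024-bit DH group, and `comp-lzo` at line 41 turns on compression inside the tunnel. `status /etc/openvpn/status` at line 47 is also identical for every instance this method emits, so a host with more than one opvn interface has them overwrite each other's status file; `status /etc/openvpn/#{iface.name}.status` keeps them apart, in line with the per-interface log path on line 48.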