construqt 0.0.1

data/lib/construqt/flavour/ubuntu/flavour_ubuntu_firewall.rb

@@ -0,0 +1,300 @@
+module Construqt
+  module Flavour
+    module Ubuntu
+
+      module Firewall
+        class ToFrom
+          include Util::Chainable
+          chainable_attr_value :begin, nil
+          chainable_attr_value :begin_to, nil
+          chainable_attr_value :begin_from, nil
+          chainable_attr_value :middle, nil
+          chainable_attr_value :middle_to, nil
+          chainable_attr_value :middle_from, nil
+          chainable_attr_value :end, nil
+          chainable_attr_value :end_to, nil
+          chainable_attr_value :end_from, nil
+          chainable_attr_value :factory, nil
+          chainable_attr_value :ifname, nil
+          chainable_attr_value :interface, nil
+          chainable_attr :output_only, true, false
+          chainable_attr :input_only, true, false
+          chainable_attr_value :output_ifname_direction, "-i"
+          chainable_attr_value :input_ifname_direction, "-o"
+
+          def only_in_out(rule)
+            output_only rule.output_only?
+            input_only rule.input_only?
+            self
+          end
+
+          def space_before(str)
+            if str.nil? or str.empty?
+              ""
+            else
+              " "+str.strip
+            end
+          end
+
+          def push_begin_to(str)
+            begin_to(get_begin_to + space_before(str))
+          end
+
+          def push_begin_from(str)
+            begin_from(get_begin_from + space_before(str))
+          end
+
+          def push_middle_to(str)
+            middle_to(get_middle_to + space_before(str))
+          end
+
+          def push_middle_from(str)
+            middle_from(get_middle_from + space_before(str))
+          end
+
+          def push_end_to(str)
+            end_to(get_end_to + space_before(str))
+          end
+
+          def push_end_from(str)
+            end_from(get_end_from + space_before(str))
+          end
+
+          def get_begin_to
+            return space_before(@begin_to) if @begin_to
+            return space_before(@begin)
+          end
+
+          def get_begin_from
+            return space_before(@begin_from) if @begin_from
+            return space_before(@begin)
+          end
+
+          def get_middle_to
+            return space_before(@middle_to) if @middle_to
+            return space_before(@middle)
+          end
+
+          def get_middle_from
+            return space_before(@middle_from) if @middle_from
+            return space_before(@middle)
+          end
+
+          def get_end_to
+            return space_before(@end_to) if @end_to
+            return space_before(@end)
+          end
+
+          def get_end_from
+            return space_before(@end_from) if @end_from
+            return space_before(@end)
+          end
+
+          def bind_interface(ifname, iface, rule)
+            self.interface(iface)
+            self.ifname(ifname)
+            if rule.from_is_inbound?
+              output_ifname_direction("-i")
+              input_ifname_direction("-o")
+            else
+              output_ifname_direction("-o")
+              input_ifname_direction("-i")
+            end
+          end
+
+          def output_ifname
+            return space_before("#{@output_ifname_direction} #{@ifname}") if @ifname
+            return ""
+          end
+
+          def input_ifname
+            return space_before("#{@input_ifname_direction} #{@ifname}") if @ifname
+            return ""
+          end
+
+          def has_to?
+            @begin || @begin_to || @middle || @middle_to || @end || @end_to
+          end
+
+          def has_from?
+            @begin || @begin_from || @middle || @middle_from || @end || @end_from
+          end
+
+          def factory!
+            get_factory.create
+          end
+        end
+
+        def self.write_table(iptables, rule, to_from)
+          family = iptables=="ip6tables" ? Construqt::Addresses::IPV6 : Construqt::Addresses::IPV4
+          if rule.from_interface?
+            #binding.pry
+            from_list = IPAddress::IPv4::summarize(
+              *(iptables=="ip6tables" ? to_from.get_interface.address.v6s : to_from.get_interface.address.v4s).map do |adr|
+                adr.to_string
+              end)
+          else
+            from_list = Construqt::Tags.ips_net(rule.get_from_net, family)
+          end
+
+          to_list = Construqt::Tags.ips_net(rule.get_to_net, family)
+          #puts ">>>>>#{from_list.inspect}"
+          #puts ">>>>>#{state.inspect} end_to:#{state.end_to}:#{state.end_from}:#{state.middle_to}#{state.middle_from}"
+          action_i = action_o = rule.get_action
+          if to_list.empty? && from_list.empty?
+            #puts "write_table=>o:#{to_from.output_only?}:#{to_from.output_ifname} i:#{to_from.input_only?}:#{to_from.input_ifname}"
+            if to_from.output_only?
+              to_from.factory!.row("#{to_from.output_ifname}#{to_from.get_begin_from}#{to_from.get_middle_to} -j #{rule.get_action}#{to_from.get_end_to}")
+            end
+
+            if to_from.input_only?
+              to_from.factory!.row("#{to_from.input_ifname}#{to_from.get_begin_to}#{to_from.get_middle_from} -j #{rule.get_action}#{to_from.get_end_from}")
+            end
+          end
+
+          if to_list.length > 1
+            action_o = "I.#{to_from.get_ifname}.#{rule.object_id.to_s(32)}"
+            action_i = "O.#{to_from.get_ifname}.#{rule.object_id.to_s(32)}"
+            to_list.each do |ip|
+              if to_from.output_only?
+                to_from.factory!.table(action_o).row("#{to_from.output_ifname} -d #{ip.to_string} -j #{rule.get_action}")
+              end
+
+              if to_from.input_only?
+                to_from.factory!.table(action_i).row("#{to_from.input_ifname} -s #{ip.to_string} -j #{rule.get_action}")
+              end
+            end
+
+          elsif to_list.length == 1
+            from_dst = " -d #{to_list.first.to_string}"
+            to_src = " -s #{to_list.first.to_string}"
+          else
+            from_dst = to_src =""
+          end
+
+          from_list.each do |ip|
+            if to_from.output_only?
+              to_from.factory!.row("#{to_from.output_ifname}#{to_from.get_begin_from} -s #{ip.to_string}#{from_dst}#{to_from.get_middle_from} -j #{action_o}#{to_from.get_end_to}")
+            end
+
+            if to_from.input_only?
+              to_from.factory!.row("#{to_from.input_ifname}#{to_from.get_begin_to}#{to_src} -d #{ip.to_string}#{to_from.get_middle_to} -j #{action_i}#{to_from.get_end_from}")
+            end
+          end
+        end
+
+        def self.write_raw(raw, ifname, iface, writer)
+          #        puts ">>>RAW #{iface.name} #{raw.firewall.name}"
+          raw.rules.each do |rule|
+            throw "ACTION must set #{ifname}" unless rule.get_action
+            if rule.prerouting?
+              to_from = ToFrom.new.bind_interface(ifname, iface, rule).only_in_out(rule)
+              #puts "PREROUTING #{to_from.inspect}"
+              write_table("iptables", rule, to_from.factory(writer.ipv4.prerouting))
+              write_table("ip6tables", rule, to_from.factory(writer.ipv6.prerouting))
+            end
+
+            if rule.output?
+              to_from = ToFrom.new.bind_interface(ifname, iface, rule).only_in_out(rule)
+              write_table("iptables", rule, to_from.factory(writer.ipv4.output))
+              write_table("ip6tables", rule, to_from.factory(writer.ipv6.output))
+            end
+          end
+        end
+
+        def self.write_nat(nat, ifname, iface, writer)
+          nat.rules.each do |rule|
+            throw "ACTION must set #{ifname}" unless rule.get_action
+            throw "TO_SOURCE must set #{ifname}" unless rule.to_source?
+            if rule.to_source? && rule.postrouting?
+              src = iface.address.ips.select{|ip| ip.ipv4?}.first
+              throw "missing ipv4 address and postrouting and to_source is used #{ifname}" unless src
+              to_from = ToFrom.new.only_in_out(rule).end_to("--to-source #{src}")
+                .ifname(ifname).factory(writer.ipv4.postrouting)
+              write_table("iptables", rule, to_from)
+            end
+          end
+        end
+
+        def self.protocol_loop(rule)
+          protocol_loop = []
+          if !rule.tcp? && !rule.udp?
+            protocol_loop << ''
+          else
+            protocol_loop << '-p tcp' if rule.tcp?
+            protocol_loop << '-p udp' if rule.udp?
+          end
+
+          protocol_loop
+        end
+
+        def self.write_forward(forward, ifname, iface, writer)
+          forward.rules.each do |rule|
+            throw "ACTION must set #{ifname}" unless rule.get_action
+            #puts "write_forward #{rule.inspect} #{rule.input_only?} #{rule.output_only?}"
+            if rule.get_log
+              to_from = ToFrom.new.bind_interface(ifname, iface, rule).only_in_out(rule)
+                .end_to("--nflog-prefix o:#{rule.get_log}:#{ifname}")
+                .end_from("--nflog-prefix i:#{rule.get_log}:#{ifname}")
+              write_table("iptables", rule.clone.action("NFLOG"), to_from.factory(writer.ipv4.forward))
+              write_table("ip6tables", rule.clone.action("NFLOG"), to_from.factory(writer.ipv6.forward))
+            end
+
+            protocol_loop(rule).each do |protocol|
+              #binding.pry
+              to_from = ToFrom.new.bind_interface(ifname, iface, rule).only_in_out(rule)
+              to_from.push_begin_to(protocol)
+              to_from.push_begin_from(protocol)
+              if rule.get_ports && !rule.get_ports.empty?
+                to_from.push_middle_from("-dports #{rule.get_ports.join(",")}")
+                to_from.push_middle_to("-dports #{rule.get_ports.join(",")}")
+              end
+
+              if rule.connection?
+                to_from.push_middle_from("-m state --state NEW,ESTABLISHED")
+                to_from.push_middle_to("-m state --state RELATED,ESTABLISHED")
+              end
+
+              write_table("iptables", rule, to_from.factory(writer.ipv4.forward))
+              write_table("ip6tables", rule, to_from.factory(writer.ipv6.forward))
+            end
+          end
+        end
+
+        def self.write_host(host, ifname, iface, writer)
+          host.rules.each do |rule|
+            in_to_from = ToFrom.new.bind_interface(ifname, iface, rule).input_only
+            out_to_from = ToFrom.new.bind_interface(ifname, iface, rule).output_only
+            if rule.get_log
+              #binding.pry
+              l_in_to_from = ToFrom.new.bind_interface(ifname, iface, rule).input_only
+                .end_to("--nflog-prefix o:#{rule.get_log}:#{ifname}")
+              l_out_to_from = ToFrom.new.bind_interface(ifname, iface, rule).output_only
+                .end_from("--nflog-prefix i:#{rule.get_log}:#{ifname}")
+              write_table("iptables", rule.clone.action("NFLOG"), l_in_to_from.factory(writer.ipv4.input))
+              write_table("iptables", rule.clone.action("NFLOG"), l_out_to_from.factory(writer.ipv4.output))
+              write_table("ip6tables", rule.clone.action("NFLOG"), l_in_to_from.factory(writer.ipv6.input))
+              write_table("ip6tables", rule.clone.action("NFLOG"), l_out_to_from.factory(writer.ipv6.output))
+            end
+
+            write_table("iptables", rule, in_to_from.factory(writer.ipv4.input))
+            write_table("iptables", rule, out_to_from.factory(writer.ipv4.output))
+            write_table("ip6tables", rule, in_to_from.factory(writer.ipv6.input))
+            write_table("ip6tables", rule, out_to_from.factory(writer.ipv6.output))
+          end
+        end
+
+        def self.create(host, ifname, iface)
+          throw 'interface must set' unless ifname
+          writer = iface.host.result.etc_network_iptables
+          iface.firewalls && iface.firewalls.each do |firewall|
+            firewall.get_raw && Firewall.write_raw(firewall.get_raw, ifname, iface, writer.raw)
+            firewall.get_nat && Firewall.write_nat(firewall.get_nat, ifname, iface, writer.nat)
+            firewall.get_forward && Firewall.write_forward(firewall.get_forward, ifname, iface, writer.filter)
+            firewall.get_host && Firewall.write_host(firewall.get_host, ifname, iface, writer.filter)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb

@@ -0,0 +1,144 @@
+
+module Construqt
+  module Flavour
+    module Ubuntu
+      class Ipsec < OpenStruct
+        def initialize(cfg)
+          super(cfg)
+        end
+
+        def self.header(host)
+          addrs = {}
+          host.interfaces.values.each do |iface|
+            iface = iface.delegate
+            next unless iface.cfg
+            next unless iface.cfg.kind_of? Construqt::Ipsec
+            if iface.remote.first_ipv4
+              addrs[iface.remote.first_ipv4.to_s] = "isakmp #{self.remote.first_ipv4.to_s} [500];"
+            end
+            if iface.remote.first_ipv6
+              addrs[iface.remote.first_ipv6.to_s] = "isakmp #{self.remote.first_ipv6.to_s} [500];"
+            end
+          end
+          return if addrs.empty?
+          self.host.result.add(self, <<HEADER, Construqt::Resources::Rights::ROOT_0644, "etc", "racoon", "racoon.conf")
+# do not edit generated filed #{path}
+path pre_shared_key "/etc/racoon/psk.txt";
+path certificate "/etc/racoon/certs";
+log info;
+listen {
+#{Util.indent(addrs.keys.sort.map{|k| addrs[k] }.join("\n"), " ")}
+  strict_address;
+}
+HEADER
+        end
+
+        #    def build_gre_config()
+        #      iname = Util.clean_if("gt", self.other.host.name)
+        #      writer = self.host.result.delegate.etc_network_interfaces.get(self.interface)
+        #      writer.lines.add(<<UP)
+        #up ip -6 tunnel add #{iname} mode ip6gre local #{self.my.first_ipv6} remote #{self.other.my.first_ipv6}
+        #up ip -6 addr add #{self.my.first_ipv6.to_string} dev #{iname}
+        #up ip -6 link set dev #{iname} up
+        #UP
+        #      writer.lines.add(<<DOWN)
+        #down ip -6 tunnel del #{iname}
+        #DOWN
+        #    end
+
+        def build_racoon_config(remote_ip)
+          #binding.pry
+          self.host.result.add(self, <<RACOON, Construqt::Resources::Rights::ROOT_0644, "etc", "racoon", "racoon.conf")
+# #{self.cfg.name}
+remote #{remote_ip} {
+  exchange_mode main;
+  lifetime time 24 hour;
+
+  proposal_check strict;
+  dpd_delay 30;
+  ike_frag on;                    # use IKE fragmentation
+  proposal {
+    encryption_algorithm aes256;
+    hash_algorithm sha1;
+    authentication_method pre_shared_key;
+    dh_group modp1536;
+  }
+}
+RACOON
+        end
+
+        def from_to_sainfo(my_ip, other_ip)
+          if my_ip.network.to_s == other_ip.network.to_s
+            my_ip_str = my_ip.to_s
+            other_ip_str = other_ip.to_s
+          else
+            my_ip_str = my_ip.to_string
+            other_ip_str = other_ip.to_string
+          end
+
+          self.host.result.add(self, <<RACOON, Construqt::Resources::Rights::ROOT_0644, "etc", "racoon", "racoon.conf")
+sainfo address #{my_ip_str} any address #{other_ip_str} any {
+pfs_group 5;
+encryption_algorithm aes256;
+authentication_algorithm hmac_sha1;
+compression_algorithm deflate;
+lifetime time 1 hour;
+}
+RACOON
+        end
+
+        def from_to_ipsec_conf(dir, remote_my, remote_other, my, other)
+          host.result.add(self, "# #{self.cfg.name} #{dir}", Construqt::Resources::Rights::ROOT_0644, "etc", "ipsec-tools.d", "ipsec.conf")
+          if my.network.to_s == other.network.to_s
+            spdadd = "spdadd #{my.to_s} #{other.to_s}  any -P #{dir}  ipsec esp/tunnel/#{remote_my}-#{remote_other}/unique;"
+          else
+            spdadd = "spdadd #{my.to_string} #{other.to_string}  any -P #{dir}  ipsec esp/tunnel/#{remote_my}-#{remote_other}/unique;"
+          end
+
+          host.result.add(self, spdadd, Construqt::Resources::Rights::ROOT_0644, "etc", "ipsec-tools.d", "ipsec.conf")
+        end
+
+        def build_policy(remote_my, remote_other, my, other)
+          #binding.pry
+          my.ips.each do |my_ip|
+            other.ips.each do |other_ip|
+              next unless (my_ip.ipv6? && my_ip.ipv6? == other_ip.ipv6?) || (my_ip.ipv4? && my_ip.ipv4? == other_ip.ipv4?)
+              from_to_ipsec_conf("out", remote_my, remote_other, my_ip, other_ip)
+              from_to_sainfo(my_ip, other_ip)
+            end
+          end
+
+          other.ips.each do |other_ip|
+            my.ips.each do |my_ip|
+              next unless (my_ip.ipv6? && my_ip.ipv6? == other_ip.ipv6?) || (my_ip.ipv4? && my_ip.ipv4? == other_ip.ipv4?)
+              from_to_ipsec_conf("in", remote_other, remote_my, other_ip, my_ip)
+              from_to_sainfo(other_ip, my_ip)
+            end
+          end
+        end
+
+        def build_config(unused, unused2)
+          #      build_gre_config()
+          #binding.pry
+          if self.other.remote.first_ipv6
+            build_racoon_config(self.other.remote.first_ipv6.to_s)
+            host.result.add(self, <<IPV6, Construqt::Resources::Rights::ROOT_0600, "etc", "racoon", "psk.txt")
+# #{self.cfg.name}
+            #{self.other.remote.first_ipv6.to_s} #{Util.password(self.cfg.password)}
+IPV6
+            build_policy(self.remote.first_ipv6.to_s, self.other.remote.first_ipv6.to_s, self.my, self.other.my)
+          elsif self.other.remote.first_ipv4
+            build_racoon_config(self.other.remote.first_ipv4.to_s)
+            host.result.add(self, <<IPV4, Construqt::Resources::Rights::ROOT_0600, "etc", "racoon", "psk.txt")
+# #{self.cfg.name}
+            #{self.other.remote.first_ipv4.to_s} #{Util.password(self.cfg.password)}
+IPV4
+            build_policy(self.remote.first_ipv4.to_s, self.other.remote.first_ipv4.to_s, self.my, self.other.my)
+          else
+            throw "ipsec need a remote address"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/construqt/flavour/ubuntu/flavour_ubuntu_opvn.rb

@@ -0,0 +1,60 @@
+
+module Construqt
+  module Flavour
+    module Ubuntu
+      class Opvn < OpenStruct
+        def initialize(cfg)
+          super(cfg)
+        end
+
+        def build_config(host, opvn)
+          iface = opvn.delegate
+          local = iface.ipv6 ? host.id.first_ipv6.first_ipv6 : host.id.first_ipv4.first_ipv4
+          return unless local
+          push_routes = ""
+          if iface.push_routes
+            push_routes = iface.push_routes.routes.map{|route| "push \"route #{route.dst.to_string}\"" }.join("\n")
+          end
+
+          host.result.add(self, iface.cacert, Construqt::Resources::Rights::ROOT_0644, "etc", "openvpn", "ssl", "#{iface.name}-cacert.pem")
+          host.result.add(self, iface.hostcert, Construqt::Resources::Rights::ROOT_0644, "etc", "openvpn", "ssl", "#{iface.name}-hostcert.pem")
+          host.result.add(self, iface.hostkey, Construqt::Resources::Rights::ROOT_0600, "etc", "openvpn", "ssl", "#{iface.name}-hostkey.pem")
+          host.result.add(self, iface.dh1024, Construqt::Resources::Rights::ROOT_0644, "etc", "openvpn", "ssl", "#{iface.name}-dh1024")
+          host.result.add(self, <<OPVN, Construqt::Resources::Rights::ROOT_0644, "etc", "openvpn", "#{iface.name}.conf")
+daemon
+local #{local}
+proto udp#{local.ipv6? ? '6' : ''}
+port 1194
+mode server
+tls-server
+dev #{iface.name}
+ca   /etc/openvpn/ssl/#{iface.name}-cacert.pem
+cert /etc/openvpn/ssl/#{iface.name}-hostcert.pem
+key  /etc/openvpn/ssl/#{iface.name}-hostkey.pem
+dh   /etc/openvpn/ssl/#{iface.name}-dh1024
+server #{iface.network.first_ipv4.to_s} #{iface.network.first_ipv4.netmask}
+server-ipv6 #{iface.network.first_ipv6.to_string}
+client-to-client
+keepalive 10 30
+cipher AES-128-CBC   # AES
+cipher BF-CBC        # Blowfish (default)
+comp-lzo
+max-clients 100
+user nobody
+group nogroup
+persist-key
+persist-tun
+status /etc/openvpn/status
+log-append  /var/log/openvpn-#{iface.name}.log
+mute 20
+          #{push_routes}
+mssfix #{iface.mtu||1348}
+plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
+client-cert-not-required
+script-security 2
+OPVN
+        end
+      end
+    end
+  end
+end