construqt 0.0.5 → 0.0.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/construqt/addresses.rb +121 -10
- data/lib/construqt/bgps.rb +10 -12
- data/lib/construqt/firewalls.rb +115 -16
- data/lib/construqt/flavour/ciscian/ciscian.rb +73 -93
- data/lib/construqt/flavour/ciscian/deploy_template.rb +36 -0
- data/lib/construqt/flavour/ciscian/dialect_dlink-dgs15xx.rb +62 -114
- data/lib/construqt/flavour/ciscian/dialect_hp-2510g.rb +74 -14
- data/lib/construqt/flavour/delegates.rb +9 -0
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik.rb +0 -3
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik_bgp.rb +12 -1
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik_interface.rb +32 -1
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik_result.rb +2 -0
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik_schema.rb +3 -3
- data/lib/construqt/flavour/plantuml/plantuml.rb +2 -2
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu.rb +24 -13
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_bgp.rb +16 -7
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_dns.rb +5 -5
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_firewall.rb +218 -67
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb +33 -17
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_opvn.rb +5 -5
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_result.rb +77 -14
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_services.rb +77 -29
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_vrrp.rb +18 -3
- data/lib/construqt/interfaces.rb +25 -6
- data/lib/construqt/ipsecs.rb +5 -3
- data/lib/construqt/rack.rb +51 -0
- data/lib/construqt/resource.rb +25 -3
- data/lib/construqt/reverse.rb +1 -0
- data/lib/construqt/services.rb +15 -29
- data/lib/construqt/tags.rb +21 -15
- data/lib/construqt/templates.rb +17 -0
- data/lib/construqt/users.rb +4 -0
- data/lib/construqt/util.rb +1 -1
- data/lib/construqt/version.rb +1 -1
- data/lib/construqt/vlans.rb +13 -2
- data/lib/construqt.rb +2 -1
- metadata +4 -2
@@ -22,9 +22,9 @@ module Construqt
|
|
22
22
|
chainable_attr_value :output_ifname_direction, "-i"
|
23
23
|
chainable_attr_value :input_ifname_direction, "-o"
|
24
24
|
|
25
|
-
def
|
26
|
-
output_only rule.output_only?
|
27
|
-
input_only rule.input_only?
|
25
|
+
def assign_in_out(rule)
|
26
|
+
output_only if rule.output_only?
|
27
|
+
input_only if rule.input_only?
|
28
28
|
self
|
29
29
|
end
|
30
30
|
|
@@ -125,19 +125,67 @@ module Construqt
|
|
125
125
|
end
|
126
126
|
end
|
127
127
|
|
128
|
+
|
129
|
+
def self.filter_routes(routes, family)
|
130
|
+
routes.map{|i| i.dst }.select{|i| family == Construqt::Addresses::IPV6 ? i.ipv6? : i.ipv4? }
|
131
|
+
end
|
132
|
+
|
133
|
+
# def self.try_tags_as_ipaddress(list, family, *possible_addrs)
|
134
|
+
# return list unless list.empty?
|
135
|
+
# ret = possible_addrs.map do |addr|
|
136
|
+
# next nil unless addr
|
137
|
+
# begin
|
138
|
+
# addr = IPAddress.parse(addr)
|
139
|
+
# next addr if (addr.ipv4? && family == Construqt::Addresses::IPV4) || (addr.ipv6? && family == Construqt::Addresses::IPV6)
|
140
|
+
# nil
|
141
|
+
# rescue Exception => e
|
142
|
+
# nil
|
143
|
+
# end
|
144
|
+
# end.compact
|
145
|
+
# binding.pry unless ret.empty?
|
146
|
+
# ret
|
147
|
+
# end
|
148
|
+
|
128
149
|
def self.write_table(iptables, rule, to_from)
|
129
150
|
family = iptables=="ip6tables" ? Construqt::Addresses::IPV6 : Construqt::Addresses::IPV4
|
130
|
-
if rule.
|
131
|
-
|
132
|
-
|
133
|
-
|
134
|
-
|
135
|
-
|
151
|
+
if rule.from_my_net?
|
152
|
+
networks = iptables=="ip6tables" ? to_from.get_interface.address.v6s : to_from.get_interface.address.v4s
|
153
|
+
if rule.from_route?
|
154
|
+
networks += self.filter_routes(to_from.get_interface.address.routes, family)
|
155
|
+
end
|
156
|
+
from_list = IPAddress.summarize(networks)
|
136
157
|
else
|
137
158
|
from_list = Construqt::Tags.ips_net(rule.get_from_net, family)
|
159
|
+
# from_list = try_tags_as_ipaddress(from_list, family, rule.get_from_net)
|
138
160
|
end
|
139
161
|
|
140
|
-
|
162
|
+
if rule.to_my_net?
|
163
|
+
networks = iptables=="ip6tables" ? to_from.get_interface.address.v6s : to_from.get_interface.address.v4s
|
164
|
+
if rule.from_route?
|
165
|
+
networks += self.filter_routes(to_from.get_interface.address.routes, family)
|
166
|
+
end
|
167
|
+
to_list = IPAddress.summarize(networks)
|
168
|
+
else
|
169
|
+
if rule.get_to_host
|
170
|
+
to_list = Construqt::Tags.ips_hosts(rule.get_to_host, family)
|
171
|
+
else
|
172
|
+
to_list = Construqt::Tags.ips_net(rule.get_to_net, family)
|
173
|
+
end
|
174
|
+
# to_list = try_tags_as_ipaddress(to_list, family, rule.get_to_net, rule.get_to_host)
|
175
|
+
end
|
176
|
+
unless rule.get_to_net_addr.empty?
|
177
|
+
#binding.pry
|
178
|
+
addrs = rule.get_to_net_addr.map { |i| IPAddress.parse(i) }.select { |i|
|
179
|
+
(i.ipv6? && family == Construqt::Addresses::IPV6) || (i.ipv4? && family == Construqt::Addresses::IPV4)
|
180
|
+
}
|
181
|
+
to_list = IPAddress.summarize(to_list + addrs)
|
182
|
+
end
|
183
|
+
unless rule.get_from_net_addr.empty?
|
184
|
+
addrs = rule.get_from_net_addr.map { |i| IPAddress.parse(i) }.select { |i|
|
185
|
+
(i.ipv6? && family == Construqt::Addresses::IPV6) || (i.ipv4? && family == Construqt::Addresses::IPV4)
|
186
|
+
}
|
187
|
+
from_list = IPAddress.summarize(from_list + addrs)
|
188
|
+
end
|
141
189
|
#puts ">>>>>#{from_list.inspect}"
|
142
190
|
#puts ">>>>>#{state.inspect} end_to:#{state.end_to}:#{state.end_from}:#{state.middle_to}#{state.middle_from}"
|
143
191
|
action_i = action_o = rule.get_action
|
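Review bot: In the `to_my_net?` branch (new line 164) the route expansion is gated on `rule.from_route?`, the same flag the `from_my_net?` branch tests on line 153; unless "route" is meant to be direction-agnostic, a rule that opts into routes on the from side also gets the interface's routes added to its destination list, which widens the destination match of the generated iptables rule. If a to-side flag exists, gate on it (`if rule.to_route?`); otherwise a one-line comment stating that `from_route?` intentionally covers both directions would stop the next reader from treating it as a copy-paste slip. The address-family filter at lines 178-180 is repeated at lines 184-186 and could share a small `addrs_for_family(list, family)` helper. The commented-out `try_tags_as_ipaddress` block (lines 133-147), which contains a `rescue Exception` and a `binding.pry`, and the `#binding.pry` at line 177 are debugging residue that should not ship in a release.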
@@ -153,6 +201,7 @@ module Construqt
|
|
153
201
|
end
|
154
202
|
|
155
203
|
if to_list.length > 1
|
204
|
+
# work on these do a better hashing
|
156
205
|
action_o = "I.#{to_from.get_ifname}.#{rule.object_id.to_s(32)}"
|
157
206
|
action_i = "O.#{to_from.get_ifname}.#{rule.object_id.to_s(32)}"
|
158
207
|
to_list.each do |ip|
|
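Review bot: The added comment at new line 204 (`# work on these do a better hashing`) does not say what is wrong with the current scheme: `rule.object_id.to_s(32)` on lines 205-206 is a per-process object identifier, so the generated chain names change on every run and the emitted iptables files are not reproducible or diffable between generations. Make the comment actionable, e.g. `# TODO: object_id differs per run; derive the chain name from a stable digest of the rule contents so generated rules are reproducible`.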
@@ -183,116 +232,218 @@ module Construqt
|
|
183
232
|
end
|
184
233
|
end
|
185
234
|
|
186
|
-
def self.write_raw(raw, ifname, iface, writer)
|
235
|
+
def self.write_raw(fw, raw, ifname, iface, writer)
|
187
236
|
# puts ">>>RAW #{iface.name} #{raw.firewall.name}"
|
188
237
|
raw.rules.each do |rule|
|
189
238
|
throw "ACTION must set #{ifname}" unless rule.get_action
|
190
239
|
if rule.prerouting?
|
191
|
-
to_from = ToFrom.new.bind_interface(ifname, iface, rule).
|
240
|
+
to_from = ToFrom.new.bind_interface(ifname, iface, rule).assign_in_out(rule)
|
192
241
|
#puts "PREROUTING #{to_from.inspect}"
|
193
|
-
write_table("iptables", rule, to_from.factory(writer.ipv4.prerouting))
|
194
|
-
write_table("ip6tables", rule, to_from.factory(writer.ipv6.prerouting))
|
242
|
+
fw.ipv4? && write_table("iptables", rule, to_from.factory(writer.ipv4.prerouting))
|
243
|
+
fw.ipv6? && write_table("ip6tables", rule, to_from.factory(writer.ipv6.prerouting))
|
195
244
|
end
|
196
245
|
|
197
246
|
if rule.output?
|
198
|
-
to_from = ToFrom.new.bind_interface(ifname, iface, rule).
|
199
|
-
write_table("iptables", rule, to_from.factory(writer.ipv4.output))
|
200
|
-
write_table("ip6tables", rule, to_from.factory(writer.ipv6.output))
|
247
|
+
to_from = ToFrom.new.bind_interface(ifname, iface, rule).assign_in_out(rule)
|
248
|
+
fw.ipv4? && write_table("iptables", rule, to_from.factory(writer.ipv4.output))
|
249
|
+
fw.ipv6? && write_table("ip6tables", rule, to_from.factory(writer.ipv6.output))
|
201
250
|
end
|
202
251
|
end
|
203
252
|
end
|
204
253
|
|
205
|
-
def self.write_nat(nat, ifname, iface, writer)
|
254
|
+
def self.write_nat(fw, nat, ifname, iface, writer)
|
206
255
|
nat.rules.each do |rule|
|
207
256
|
throw "ACTION must set #{ifname}" unless rule.get_action
|
208
257
|
throw "TO_SOURCE must set #{ifname}" unless rule.to_source?
|
209
258
|
if rule.to_source? && rule.postrouting?
|
210
259
|
src = iface.address.ips.select{|ip| ip.ipv4?}.first
|
211
260
|
throw "missing ipv4 address and postrouting and to_source is used #{ifname}" unless src
|
212
|
-
to_from = ToFrom.new.
|
261
|
+
to_from = ToFrom.new.bind_interface(ifname, iface, rule).assign_in_out(rule).end_to("--to-source #{src}")
|
213
262
|
.ifname(ifname).factory(writer.ipv4.postrouting)
|
214
|
-
write_table("iptables", rule, to_from)
|
263
|
+
fw.ipv4? && write_table("iptables", rule, to_from)
|
215
264
|
end
|
216
265
|
end
|
217
266
|
end
|
218
267
|
|
219
268
|
def self.protocol_loop(rule)
|
220
269
|
protocol_loop = []
|
221
|
-
|
222
|
-
|
223
|
-
|
224
|
-
|
225
|
-
|
270
|
+
{
|
271
|
+
'tcp' => rule.tcp?,
|
272
|
+
'udp' => rule.udp?,
|
273
|
+
'esp' => rule.esp?,
|
274
|
+
'ah' => rule.ah?,
|
275
|
+
'icmp' => rule.icmp?
|
276
|
+
}.each do |proto, enabled|
|
277
|
+
protocol_loop << "-p #{proto}" if enabled
|
226
278
|
end
|
227
|
-
|
279
|
+
protocol_loop = [''] if protocol_loop.empty?
|
228
280
|
protocol_loop
|
229
281
|
end
|
230
282
|
|
231
|
-
def self.
|
283
|
+
def self.icmp_type(family, type)
|
284
|
+
{
|
285
|
+
Construqt::Firewalls::ICMP::PingRequest => {
|
286
|
+
:v4 => "-m icmp --icmp-type 8/0",
|
287
|
+
:v6 => "--icmpv6-type 128"
|
288
|
+
}
|
289
|
+
}[type][family]
|
290
|
+
end
|
291
|
+
|
292
|
+
def self.write_forward(fw, forward, ifname, iface, writer)
|
232
293
|
forward.rules.each do |rule|
|
233
294
|
throw "ACTION must set #{ifname}" unless rule.get_action
|
234
295
|
#puts "write_forward #{rule.inspect} #{rule.input_only?} #{rule.output_only?}"
|
235
296
|
if rule.get_log
|
236
|
-
to_from = ToFrom.new.bind_interface(ifname, iface, rule).
|
297
|
+
to_from = ToFrom.new.bind_interface(ifname, iface, rule).assign_in_out(rule)
|
237
298
|
.end_to("--nflog-prefix o:#{rule.get_log}:#{ifname}")
|
238
299
|
.end_from("--nflog-prefix i:#{rule.get_log}:#{ifname}")
|
239
|
-
write_table("iptables", rule.clone.action("NFLOG"), to_from.factory(writer.ipv4.forward))
|
240
|
-
write_table("ip6tables", rule.clone.action("NFLOG"), to_from.factory(writer.ipv6.forward))
|
300
|
+
fw.ipv4? && write_table("iptables", rule.clone.action("NFLOG"), to_from.factory(writer.ipv4.forward))
|
301
|
+
fw.ipv6? && write_table("ip6tables", rule.clone.action("NFLOG"), to_from.factory(writer.ipv6.forward))
|
241
302
|
end
|
242
303
|
|
243
304
|
protocol_loop(rule).each do |protocol|
|
244
|
-
|
245
|
-
|
246
|
-
|
247
|
-
|
248
|
-
|
249
|
-
|
250
|
-
|
251
|
-
|
252
|
-
|
253
|
-
|
254
|
-
to_from.
|
255
|
-
|
305
|
+
{:v4 => { :enabled => fw.ipv4?, :table => "iptables", :writer => writer.ipv4.forward },
|
306
|
+
:v6 => { :enabled => fw.ipv6?, :table => "ip6tables", :writer => writer.ipv6.forward }}.each do |family, cfg|
|
307
|
+
next unless cfg[:enabled]
|
308
|
+
to_from = ToFrom.new.bind_interface(ifname, iface, rule).assign_in_out(rule)
|
309
|
+
if protocol == "-p icmp" && family == :v6
|
310
|
+
my_protocol = "-p icmpv6"
|
311
|
+
else
|
312
|
+
my_protocol = protocol
|
313
|
+
end
|
314
|
+
to_from.push_begin_to(my_protocol)
|
315
|
+
to_from.push_begin_from(my_protocol)
|
316
|
+
|
317
|
+
if rule.get_ports && !rule.get_ports.empty?
|
318
|
+
to_from.push_middle_from("-m multiport --dports #{rule.get_ports.join(",")}")
|
319
|
+
to_from.push_middle_to("-m multiport --sports #{rule.get_ports.join(",")}")
|
320
|
+
end
|
321
|
+
if rule.icmp? && rule.get_type
|
322
|
+
to_from.push_middle_from(icmp_type(family, rule.get_type))
|
323
|
+
end
|
324
|
+
|
325
|
+
if rule.connection?
|
326
|
+
to_from.push_middle_from("-m state --state NEW,ESTABLISHED")
|
327
|
+
to_from.push_middle_to("-m state --state RELATED,ESTABLISHED")
|
328
|
+
end
|
329
|
+
write_table(cfg[:table], rule, to_from.factory(cfg[:writer]))
|
256
330
|
end
|
257
|
-
|
258
|
-
write_table("iptables", rule, to_from.factory(writer.ipv4.forward))
|
259
|
-
write_table("ip6tables", rule, to_from.factory(writer.ipv6.forward))
|
260
331
|
end
|
261
332
|
end
|
262
333
|
end
|
263
334
|
|
264
|
-
def self.
|
335
|
+
def self.create_link_local(fw, ifname, iface, rule, writer)
|
336
|
+
return unless fw.ipv6?
|
337
|
+
# fe80::/64
|
338
|
+
# ff02::/16 dest
|
339
|
+
i_to_from = ToFrom.new.bind_interface(ifname, iface, rule).input_only
|
340
|
+
i_rule = rule.clone.from_my_net.to_my_net
|
341
|
+
i_to_from.push_begin_to("-p icmpv6")
|
342
|
+
i_rule.to_net_addr("fe80::/64")
|
343
|
+
i_rule.from_net_addr("ff02::/16", "fe80::/64")
|
344
|
+
write_table("ip6tables", i_rule, i_to_from.factory(writer.ipv6.input))
|
345
|
+
|
346
|
+
#i_to_from = ToFrom.new.bind_interface(ifname, iface, rule).input_only
|
347
|
+
#i_rule = rule.clone.from_my_net.to_my_net
|
348
|
+
#i_to_from.push_begin_to("-p icmpv6")
|
349
|
+
#i_rule.to_net_addr("fe80::/64")
|
350
|
+
#i_rule.from_net_addr("fe80::/64")
|
351
|
+
#i_to_from.push_middle_to("--icmpv6-type 136")
|
352
|
+
#write_table("ip6tables", i_rule, i_to_from.factory(writer.ipv6.input))
|
353
|
+
|
354
|
+
o_to_from = ToFrom.new.bind_interface(ifname, iface, rule).output_only
|
355
|
+
o_to_from.push_begin_from("-p icmpv6")
|
356
|
+
o_rule = rule.clone.from_my_net.to_my_net
|
357
|
+
#o_rule.from_net_addr("fe80::/64")
|
358
|
+
o_rule.from_net_addr("fe80::/64")
|
359
|
+
o_rule.to_net_addr("ff02::/16", "fe80::/64")
|
360
|
+
#o_to_from.push_middle_from("--icmpv6-type 135")
|
361
|
+
write_table("ip6tables", o_rule, o_to_from.factory(writer.ipv6.output))
|
362
|
+
|
363
|
+
#binding.pry
|
364
|
+
#o_to_from = ToFrom.new.bind_interface(ifname, iface, rule).output_only
|
365
|
+
#o_to_from.push_begin_from("-p icmpv6")
|
366
|
+
#o_rule = rule.clone.from_my_net.to_my_net
|
367
|
+
#o_rule.from_net_addr("fe80::/64")
|
368
|
+
#o_rule.to_net_addr("fe80::/64")
|
369
|
+
#o_to_from.push_middle_from("--icmpv6-type 136")
|
370
|
+
#write_table("ip6tables", o_rule, o_to_from.factory(writer.ipv6.output))
|
371
|
+
end
|
372
|
+
|
373
|
+
def self.write_host(fw, host, ifname, iface, writer)
|
265
374
|
host.rules.each do |rule|
|
266
|
-
in_to_from = ToFrom.new.bind_interface(ifname, iface, rule).input_only
|
267
|
-
out_to_from = ToFrom.new.bind_interface(ifname, iface, rule).output_only
|
268
375
|
if rule.get_log
|
269
|
-
|
270
|
-
l_in_to_from = ToFrom.new.bind_interface(ifname, iface,
|
271
|
-
.
|
272
|
-
l_out_to_from = ToFrom.new.bind_interface(ifname, iface,
|
273
|
-
.
|
274
|
-
write_table("iptables",
|
275
|
-
write_table("iptables",
|
276
|
-
write_table("ip6tables",
|
277
|
-
write_table("ip6tables",
|
376
|
+
nflog_rule = rule.clone.action("NFLOG")
|
377
|
+
l_in_to_from = ToFrom.new.bind_interface(ifname, iface, nflog_rule).input_only
|
378
|
+
.end_from("--nflog-prefix o:#{rule.get_log}:#{ifname}")
|
379
|
+
l_out_to_from = ToFrom.new.bind_interface(ifname, iface, nflog_rule).output_only
|
380
|
+
.end_to("--nflog-prefix i:#{rule.get_log}:#{ifname}")
|
381
|
+
fw.ipv4? && write_table("iptables", nflog_rule, l_in_to_from.factory(writer.ipv4.input))
|
382
|
+
fw.ipv4? && write_table("iptables", nflog_rule, l_out_to_from.factory(writer.ipv4.output))
|
383
|
+
fw.ipv6? && write_table("ip6tables", nflog_rule, l_in_to_from.factory(writer.ipv6.input))
|
384
|
+
fw.ipv6? && write_table("ip6tables", nflog_rule, l_out_to_from.factory(writer.ipv6.output))
|
278
385
|
end
|
386
|
+
next create_link_local(fw, ifname, iface, rule, writer) if rule.link_local?
|
279
387
|
|
280
|
-
|
281
|
-
|
282
|
-
|
283
|
-
|
388
|
+
protocol_loop(rule).each do |protocol|
|
389
|
+
[{
|
390
|
+
:doit => rule.input_only?,
|
391
|
+
:from_to => lambda { ToFrom.new.bind_interface(ifname, iface, rule).input_only },
|
392
|
+
:writer4 => !rule.from_is_inbound? ? writer.ipv4.input : writer.ipv4.output,
|
393
|
+
:writer6 => !rule.from_is_inbound? ? writer.ipv6.input : writer.ipv6.output
|
394
|
+
},{
|
395
|
+
:doit => rule.output_only?,
|
396
|
+
:from_to => lambda { ToFrom.new.bind_interface(ifname, iface, rule).output_only },
|
397
|
+
:writer4 => rule.from_is_inbound? ? writer.ipv4.input : writer.ipv4.output,
|
398
|
+
:writer6 => rule.from_is_inbound? ? writer.ipv6.input : writer.ipv6.output
|
399
|
+
}].each do |to_from_writer|
|
400
|
+
next unless to_from_writer[:doit]
|
401
|
+
{:v4 => { :enabled => fw.ipv4?, :table => "iptables", :writer => to_from_writer[:writer4]},
|
402
|
+
:v6 => { :enabled => fw.ipv6?, :table => "ip6tables", :writer => to_from_writer[:writer6] }}.each do |family, cfg|
|
403
|
+
to_from = to_from_writer[:from_to].call
|
404
|
+
next unless cfg[:enabled]
|
405
|
+
if protocol == "-p icmp" && family == :v6
|
406
|
+
my_protocol = "-p icmpv6"
|
407
|
+
else
|
408
|
+
my_protocol = protocol
|
409
|
+
end
|
410
|
+
to_from.push_begin_to(my_protocol)
|
411
|
+
to_from.push_begin_from(my_protocol)
|
412
|
+
if rule.get_ports && !rule.get_ports.empty?
|
413
|
+
to_from.push_middle_from("-m multiport --dports #{rule.get_ports.join(",")}")
|
414
|
+
to_from.push_middle_to("-m multiport --sports #{rule.get_ports.join(",")}")
|
415
|
+
end
|
416
|
+
if rule.icmp? && rule.get_type
|
417
|
+
to_from.push_middle_from(icmp_type(family, rule.get_type))
|
418
|
+
end
|
419
|
+
if rule.connection?
|
420
|
+
to_from.push_middle_from("-m state --state NEW,ESTABLISHED")
|
421
|
+
to_from.push_middle_to("-m state --state RELATED,ESTABLISHED")
|
422
|
+
end
|
423
|
+
write_table(cfg[:table], rule, to_from.factory(cfg[:writer]))
|
424
|
+
end
|
425
|
+
end
|
426
|
+
end
|
427
|
+
end
|
428
|
+
end
|
429
|
+
|
430
|
+
def self.create_from_iface(ifname, iface, writer)
|
431
|
+
iface.firewalls && iface.firewalls.each do |firewall|
|
432
|
+
firewall.get_raw && Firewall.write_raw(firewall, firewall.get_raw, ifname, iface, writer.raw)
|
433
|
+
firewall.get_nat && Firewall.write_nat(firewall, firewall.get_nat, ifname, iface, writer.nat)
|
434
|
+
firewall.get_forward && Firewall.write_forward(firewall, firewall.get_forward, ifname, iface, writer.filter)
|
435
|
+
firewall.get_host && Firewall.write_host(firewall, firewall.get_host, ifname, iface, writer.filter)
|
284
436
|
end
|
285
437
|
end
|
286
438
|
|
287
439
|
def self.create(host, ifname, iface)
|
288
440
|
throw 'interface must set' unless ifname
|
289
441
|
writer = iface.host.result.etc_network_iptables
|
290
|
-
|
291
|
-
|
292
|
-
|
293
|
-
|
294
|
-
|
295
|
-
end
|
442
|
+
create_from_iface(ifname, iface, writer)
|
443
|
+
create_from_iface(ifname, iface.delegate.vrrp.delegate, writer) if iface.delegate.vrrp
|
444
|
+
writer_local = host.result.etc_network_interfaces.get(iface)
|
445
|
+
writer_local.lines.up("iptables-restore < /etc/network/iptables.cfg")
|
446
|
+
writer_local.lines.up("ip6tables-restore < /etc/network/ip6tables.cfg")
|
296
447
|
end
|
297
448
|
end
|
298
449
|
end
|
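Review bot: `icmp_type` (new lines 283-290) indexes the lookup hash with `[type][family]`; for any type other than `ICMP::PingRequest` the first lookup returns nil and the callers in `write_forward` and `write_host` fail with a NoMethodError that does not name the offending rule, so use `}.fetch(type) { |t| raise ArgumentError, "unsupported icmp type #{t.inspect}" }[family]` instead. The protocol/port/icmp-type/state block at lines 309-328 is repeated verbatim at lines 405-422 in `write_host`; extracting it as sketched below keeps the icmpv6 substitution and the state matches in one place. `create_link_local` (lines 335-371) permits every ICMPv6 type between the link-local ranges, while the commented-out `--icmpv6-type 135/136` lines suggest the intent was to allow only neighbour discovery; if that intent stands, restricting the rule to the NDP types keeps the exception narrow. Note also that neighbour solicitations sent for duplicate address detection use the unspecified source address `::`, which a `fe80::/64` source match would not cover — worth confirming against the intended behaviour.
```ruby
# Shared by write_forward and write_host: adds the protocol, port,
# icmp-type and state matches for one protocol/family pair.
def self.push_protocol_matches(to_from, rule, protocol, family)
  my_protocol = (protocol == "-p icmp" && family == :v6) ? "-p icmpv6" : protocol
  to_from.push_begin_to(my_protocol)
  to_from.push_begin_from(my_protocol)
  if rule.get_ports && !rule.get_ports.empty?
    to_from.push_middle_from("-m multiport --dports #{rule.get_ports.join(",")}")
    to_from.push_middle_to("-m multiport --sports #{rule.get_ports.join(",")}")
  end
  to_from.push_middle_from(icmp_type(family, rule.get_type)) if rule.icmp? && rule.get_type
  if rule.connection?
    to_from.push_middle_from("-m state --state NEW,ESTABLISHED")
    to_from.push_middle_to("-m state --state RELATED,ESTABLISHED")
  end
  to_from
end

def self.write_forward(fw, forward, ifname, iface, writer)
  # … unchanged: rule loop, NFLOG handling, family/table dispatch …
        to_from = ToFrom.new.bind_interface(ifname, iface, rule).assign_in_out(rule)
        write_table(cfg[:table], rule, push_protocol_matches(to_from, rule, protocol, family).factory(cfg[:writer]))
  # … unchanged: loop ends; write_host lines 405-423 collapse the same way …
```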
@@ -10,9 +10,11 @@ module Construqt
|
|
10
10
|
def self.header(host)
|
11
11
|
#binding.pry
|
12
12
|
addrs = {}
|
13
|
+
ifaces = {}
|
13
14
|
host.ipsecs.each do |ipsec|
|
14
15
|
[ipsec.left, ipsec.right].each do |iface|
|
15
16
|
next if iface.host != host
|
17
|
+
ifaces[iface.remote.interface.name] = iface.remote.interface
|
16
18
|
if iface.remote.first_ipv4
|
17
19
|
addrs[iface.remote.first_ipv4.to_s] = "isakmp #{iface.remote.first_ipv4.to_s} [500];"
|
18
20
|
end
|
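Review bot: `ifaces` is created at new line 13 and filled at line 17, but nothing in this hunk reads it; `header` continues past the hunk, so if the rest of the method does not use it either, the hash is dead state and should be dropped. If it is kept, a one-line comment such as `# remote interfaces keyed by name, consumed below when …` would tell the reader what it feeds.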
@@ -22,7 +24,18 @@ module Construqt
|
|
22
24
|
end
|
23
25
|
end
|
24
26
|
return if addrs.empty?
|
25
|
-
host.result.add(self, <<HEADER, Construqt::Resources::Rights::
|
27
|
+
host.result.add(self, <<HEADER, Construqt::Resources::Rights::root_0644(Construqt::Resources::Component::IPSEC), "etc", "default", "racoon")
|
28
|
+
# do not edit generated file
|
29
|
+
#
|
30
|
+
# this a a evil hack to avoid a raise condition on starting the
|
31
|
+
# OS racoon in the same moment like our
|
32
|
+
if [ "$STARTED_BY_CONSTRUQT" = "" ]
|
33
|
+
then
|
34
|
+
exit 0
|
35
|
+
fi
|
36
|
+
HEADER
|
37
|
+
|
38
|
+
host.result.add(self, <<HEADER, Construqt::Resources::Rights::root_0644(Construqt::Resources::Component::IPSEC), "etc", "racoon", "racoon.conf")
|
26
39
|
# do not edit generated file
|
27
40
|
path pre_shared_key "/etc/racoon/psk.txt";
|
28
41
|
path certificate "/etc/racoon/certs";
|
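Review bot: The comment inside the generated /etc/default/racoon heredoc (new lines 30-31) has typos and stops mid-sentence (`this a a evil hack to avoid a raise condition on starting the OS racoon in the same moment like our`); since it lands in a file an operator will read, finish it, e.g. `# guard: the distribution init script sources this file, so exiting here keeps the OS-started racoon from racing the instance started by construqt (which sets STARTED_BY_CONSTRUQT)`. That wording assumes the init script sources this file rather than merely reading variables from it — confirm, because `exit 0` would otherwise have no effect. Lines 27 and 38 call `Construqt::Resources::Rights::root_0644(...)` with `::`, while the other hunks in this diff use `Rights.root_0644(...)`; pick the dot form for consistency.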
@@ -49,7 +62,7 @@ HEADER
|
|
49
62
|
|
50
63
|
def build_racoon_config(remote_ip)
|
51
64
|
#binding.pry
|
52
|
-
self.host.result.add(self, <<RACOON, Construqt::Resources::Rights::
|
65
|
+
self.host.result.add(self, <<RACOON, Construqt::Resources::Rights::root_0644(Construqt::Resources::Component::IPSEC), "etc", "racoon", "racoon.conf")
|
53
66
|
# #{self.cfg.name}
|
54
67
|
remote #{remote_ip} {
|
55
68
|
exchange_mode main;
|
@@ -77,7 +90,7 @@ RACOON
|
|
77
90
|
other_ip_str = other_ip.to_string
|
78
91
|
end
|
79
92
|
|
80
|
-
self.host.result.add(self, <<RACOON, Construqt::Resources::Rights::
|
93
|
+
self.host.result.add(self, <<RACOON, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::IPSEC), "etc", "racoon", "racoon.conf")
|
81
94
|
sainfo address #{my_ip_str} any address #{other_ip_str} any {
|
82
95
|
pfs_group 5;
|
83
96
|
encryption_algorithm aes256;
|
@@ -89,21 +102,22 @@ RACOON
|
|
89
102
|
end
|
90
103
|
|
91
104
|
def from_to_ipsec_conf(dir, remote_my, remote_other, my, other)
|
92
|
-
host.result.add(self, "# #{self.cfg.name} #{dir}", Construqt::Resources::Rights::
|
105
|
+
host.result.add(self, "# #{self.cfg.name} #{dir}", Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::IPSEC), "etc", "ipsec-tools.d", "ipsec.conf")
|
93
106
|
if my.network.to_s == other.network.to_s
|
94
107
|
spdadd = "spdadd #{my.to_s} #{other.to_s} any -P #{dir} ipsec esp/tunnel/#{remote_my}-#{remote_other}/unique;"
|
95
108
|
else
|
96
109
|
spdadd = "spdadd #{my.to_string} #{other.to_string} any -P #{dir} ipsec esp/tunnel/#{remote_my}-#{remote_other}/unique;"
|
97
110
|
end
|
98
111
|
|
99
|
-
host.result.add(self, spdadd, Construqt::Resources::Rights::
|
112
|
+
host.result.add(self, spdadd, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::IPSEC), "etc", "ipsec-tools.d", "ipsec.conf")
|
100
113
|
end
|
101
114
|
|
102
|
-
def build_policy(remote_my, remote_other, my, other)
|
115
|
+
def build_policy(family, remote_my, remote_other, my, other)
|
103
116
|
#binding.pry
|
104
117
|
my.ips.each do |my_ip|
|
105
118
|
other.ips.each do |other_ip|
|
106
|
-
next unless (
|
119
|
+
next unless (family == Construqt::Addresses::IPV6 && (my_ip.ipv6? && my_ip.ipv6? == other_ip.ipv6?)) ||
|
120
|
+
(family == Construqt::Addresses::IPV4 && (my_ip.ipv4? && my_ip.ipv4? == other_ip.ipv4?))
|
107
121
|
from_to_ipsec_conf("out", remote_my, remote_other, my_ip, other_ip)
|
108
122
|
from_to_sainfo(my_ip, other_ip)
|
109
123
|
end
|
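Review bot: The new family guard at lines 119-120 is hard to read: `my_ip.ipv6? && my_ip.ipv6? == other_ip.ipv6?` reduces to `my_ip.ipv6? && other_ip.ipv6?`, and the same two-line expression is repeated at lines 128-129 in the following hunk. Replace both with `next unless same_family?(family, my_ip, other_ip)` backed by the small predicate below, which keeps the current behaviour that an unrecognised family skips every pair.
```ruby
# true when both addresses belong to the requested transport family
def same_family?(family, a, b)
  (family == Construqt::Addresses::IPV6 && a.ipv6? && b.ipv6?) ||
    (family == Construqt::Addresses::IPV4 && a.ipv4? && b.ipv4?)
end
```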
@@ -111,7 +125,8 @@ RACOON
|
|
111
125
|
|
112
126
|
other.ips.each do |other_ip|
|
113
127
|
my.ips.each do |my_ip|
|
114
|
-
next unless (
|
128
|
+
next unless (family == Construqt::Addresses::IPV6 && (my_ip.ipv6? && my_ip.ipv6? == other_ip.ipv6?)) ||
|
129
|
+
(family == Construqt::Addresses::IPV4 && (my_ip.ipv4? && my_ip.ipv4? == other_ip.ipv4?))
|
115
130
|
from_to_ipsec_conf("in", remote_other, remote_my, other_ip, my_ip)
|
116
131
|
from_to_sainfo(other_ip, my_ip)
|
117
132
|
end
|
@@ -127,19 +142,20 @@ RACOON
|
|
127
142
|
|
128
143
|
def build_config(unused, unused2)
|
129
144
|
# build_gre_config()
|
130
|
-
|
131
|
-
|
145
|
+
if self.cfg.transport_family == Construqt::Addresses::IPV6
|
146
|
+
throw "we need a remote ipv6 address #{self.cfg.name}" unless self.other.remote.first_ipv6
|
147
|
+
throw "we need a local ipv6 address #{self.cfg.name}" unless self.remote.first_ipv6
|
132
148
|
build_racoon_config(self.other.remote.first_ipv6.to_s)
|
133
149
|
host.result.add(self, psk(self.other.remote.first_ipv6.to_s, cfg),
|
134
|
-
Construqt::Resources::Rights::
|
135
|
-
build_policy(self.remote.first_ipv6.to_s, self.other.remote.first_ipv6.to_s, self.my, self.other.my)
|
136
|
-
|
150
|
+
Construqt::Resources::Rights.root_0600(Construqt::Resources::Component::IPSEC), "etc", "racoon", "psk.txt")
|
151
|
+
build_policy(self.cfg.transport_family, self.remote.first_ipv6.to_s, self.other.remote.first_ipv6.to_s, self.my, self.other.my)
|
152
|
+
else
|
153
|
+
throw "we need a remote ipv4 address #{self.cfg.name}" unless self.other.remote.first_ipv4
|
154
|
+
throw "we need a local ipv4 address #{self.cfg.name}" unless self.remote.first_ipv4
|
137
155
|
build_racoon_config(self.other.remote.first_ipv4.to_s)
|
138
156
|
host.result.add(self, psk(self.other.remote.first_ipv4.to_s, cfg),
|
139
|
-
Construqt::Resources::Rights::
|
140
|
-
build_policy(self.remote.first_ipv4.to_s, self.other.remote.first_ipv4.to_s, self.my, self.other.my)
|
141
|
-
else
|
142
|
-
throw "ipsec need a remote address"
|
157
|
+
Construqt::Resources::Rights.root_0600(Construqt::Resources::Component::IPSEC), "etc", "racoon", "psk.txt")
|
158
|
+
build_policy(self.cfg.transport_family, self.remote.first_ipv4.to_s, self.other.remote.first_ipv4.to_s, self.my, self.other.my)
|
143
159
|
end
|
144
160
|
end
|
145
161
|
end
|
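Review bot: The four new guards at lines 146-147 and 153-154 use `throw` with a String; `throw` pairs with `catch`, and with no matching catch Ruby raises an UncaughtThrowError (ArgumentError on older Rubies) rather than a plain exception carrying the message. The surrounding code uses `throw` the same way, so this may be a project convention, but new guards read more clearly as `raise "we need a remote ipv6 address #{self.cfg.name}" unless self.other.remote.first_ipv6`. Dropping the former `else throw "ipsec need a remote address"` also means any `transport_family` other than IPV6 is now treated as IPv4; if only the two constants are valid, an explicit IPV4 check would surface a bad configuration instead. The v6 and v4 branches are otherwise identical apart from `first_ipv6`/`first_ipv4` and could be collapsed by selecting the accessor by family.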
@@ -16,11 +16,11 @@ module Construqt
|
|
16
16
|
push_routes = iface.push_routes.routes.map{|route| "push \"route #{route.dst.to_string}\"" }.join("\n")
|
17
17
|
end
|
18
18
|
|
19
|
-
host.result.add(self, iface.cacert, Construqt::Resources::Rights::
|
20
|
-
host.result.add(self, iface.hostcert, Construqt::Resources::Rights::
|
21
|
-
host.result.add(self, iface.hostkey, Construqt::Resources::Rights::
|
22
|
-
host.result.add(self, iface.dh1024, Construqt::Resources::Rights::
|
23
|
-
host.result.add(self, <<OPVN, Construqt::Resources::Rights::
|
19
|
+
host.result.add(self, iface.cacert, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::OPENVPN), "etc", "openvpn", "ssl", "#{iface.name}-cacert.pem")
|
20
|
+
host.result.add(self, iface.hostcert, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::OPENVPN), "etc", "openvpn", "ssl", "#{iface.name}-hostcert.pem")
|
21
|
+
host.result.add(self, iface.hostkey, Construqt::Resources::Rights.root_0600(Construqt::Resources::Component::OPENVPN), "etc", "openvpn", "ssl", "#{iface.name}-hostkey.pem")
|
22
|
+
host.result.add(self, iface.dh1024, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::OPENVPN), "etc", "openvpn", "ssl", "#{iface.name}-dh1024")
|
23
|
+
host.result.add(self, <<OPVN, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::OPENVPN), "etc", "openvpn", "#{iface.name}.conf")
|
24
24
|
daemon
|
25
25
|
local #{local}
|
26
26
|
proto udp#{local.ipv6? ? '6' : ''}
|
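Review bot: The permission split on lines 19-22 is right — the host key is written `root_0600` while the public material is `root_0644` — but `iface.dh1024` on line 22 suggests 1024-bit Diffie-Hellman parameters, which are no longer considered adequate for new deployments. Only the attribute name is visible here, so if it really carries 1024-bit parameters a note such as `# TODO: dh1024 implies 1024-bit DH params; support >= 2048-bit parameters` would flag it for follow-up.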