construqt 0.0.5 → 0.0.6

data/lib/construqt/flavour/ubuntu/flavour_ubuntu_firewall.rb

@@ -22,9 +22,9 @@ module Construqt
           chainable_attr_value :output_ifname_direction, "-i"
           chainable_attr_value :input_ifname_direction, "-o"
 
-          def only_in_out(rule)
-            output_only rule.output_only?
-            input_only rule.input_only?
+          def assign_in_out(rule)
+            output_only if rule.output_only?
+            input_only if rule.input_only?
             self
           end
 
@@ -125,19 +125,67 @@ module Construqt
           end
         end
 
+
+        def self.filter_routes(routes, family)
+          routes.map{|i| i.dst }.select{|i| family == Construqt::Addresses::IPV6 ? i.ipv6? : i.ipv4? }
+        end
+
+#        def self.try_tags_as_ipaddress(list, family, *possible_addrs)
+#          return list unless list.empty?
+#          ret = possible_addrs.map do |addr|
+#            next nil unless addr
+#            begin
+#              addr = IPAddress.parse(addr)
+#              next addr if (addr.ipv4? && family == Construqt::Addresses::IPV4) || (addr.ipv6? && family == Construqt::Addresses::IPV6)
+#              nil
+#            rescue Exception => e
+#              nil
+#            end
+#          end.compact
+#          binding.pry unless ret.empty?
+#          ret
+#        end
+
         def self.write_table(iptables, rule, to_from)
           family = iptables=="ip6tables" ? Construqt::Addresses::IPV6 : Construqt::Addresses::IPV4
-          if rule.from_interface?
-            #binding.pry
-            from_list = IPAddress::IPv4::summarize(
-              *(iptables=="ip6tables" ? to_from.get_interface.address.v6s : to_from.get_interface.address.v4s).map do |adr|
-                adr.to_string
-              end)
+          if rule.from_my_net?
+            networks = iptables=="ip6tables" ? to_from.get_interface.address.v6s : to_from.get_interface.address.v4s
+            if rule.from_route?
+              networks += self.filter_routes(to_from.get_interface.address.routes, family)
+            end
+            from_list = IPAddress.summarize(networks)
           else
             from_list = Construqt::Tags.ips_net(rule.get_from_net, family)
+#            from_list = try_tags_as_ipaddress(from_list, family, rule.get_from_net)
           end
 
-          to_list = Construqt::Tags.ips_net(rule.get_to_net, family)
+          if rule.to_my_net?
+            networks = iptables=="ip6tables" ? to_from.get_interface.address.v6s : to_from.get_interface.address.v4s
+            if rule.from_route?
+              networks += self.filter_routes(to_from.get_interface.address.routes, family)
+            end
+            to_list = IPAddress.summarize(networks)
+          else
+            if rule.get_to_host
+              to_list = Construqt::Tags.ips_hosts(rule.get_to_host, family)
+            else
+              to_list = Construqt::Tags.ips_net(rule.get_to_net, family)
+            end
+#           to_list = try_tags_as_ipaddress(to_list, family, rule.get_to_net, rule.get_to_host)
+          end
+          unless rule.get_to_net_addr.empty?
+            #binding.pry
+            addrs = rule.get_to_net_addr.map { |i| IPAddress.parse(i) }.select { |i|
+              (i.ipv6? && family == Construqt::Addresses::IPV6) || (i.ipv4? && family == Construqt::Addresses::IPV4)
+            }
+            to_list = IPAddress.summarize(to_list + addrs)
+          end
+          unless rule.get_from_net_addr.empty?
+            addrs = rule.get_from_net_addr.map { |i| IPAddress.parse(i) }.select { |i|
+              (i.ipv6? && family == Construqt::Addresses::IPV6) || (i.ipv4? && family == Construqt::Addresses::IPV4)
+            }
+            from_list = IPAddress.summarize(from_list + addrs)
+          end
           #puts ">>>>>#{from_list.inspect}"
           #puts ">>>>>#{state.inspect} end_to:#{state.end_to}:#{state.end_from}:#{state.middle_to}#{state.middle_from}"
           action_i = action_o = rule.get_action
@@ -153,6 +201,7 @@ module Construqt
           end
 
           if to_list.length > 1
+            # work on these do a better hashing
             action_o = "I.#{to_from.get_ifname}.#{rule.object_id.to_s(32)}"
             action_i = "O.#{to_from.get_ifname}.#{rule.object_id.to_s(32)}"
             to_list.each do |ip|
@@ -183,116 +232,218 @@ module Construqt
           end
         end
 
-        def self.write_raw(raw, ifname, iface, writer)
+        def self.write_raw(fw, raw, ifname, iface, writer)
           #        puts ">>>RAW #{iface.name} #{raw.firewall.name}"
           raw.rules.each do |rule|
             throw "ACTION must set #{ifname}" unless rule.get_action
             if rule.prerouting?
-              to_from = ToFrom.new.bind_interface(ifname, iface, rule).only_in_out(rule)
+              to_from = ToFrom.new.bind_interface(ifname, iface, rule).assign_in_out(rule)
               #puts "PREROUTING #{to_from.inspect}"
-              write_table("iptables", rule, to_from.factory(writer.ipv4.prerouting))
-              write_table("ip6tables", rule, to_from.factory(writer.ipv6.prerouting))
+              fw.ipv4? && write_table("iptables", rule, to_from.factory(writer.ipv4.prerouting))
+              fw.ipv6? && write_table("ip6tables", rule, to_from.factory(writer.ipv6.prerouting))
             end
 
             if rule.output?
-              to_from = ToFrom.new.bind_interface(ifname, iface, rule).only_in_out(rule)
-              write_table("iptables", rule, to_from.factory(writer.ipv4.output))
-              write_table("ip6tables", rule, to_from.factory(writer.ipv6.output))
+              to_from = ToFrom.new.bind_interface(ifname, iface, rule).assign_in_out(rule)
+              fw.ipv4? && write_table("iptables", rule, to_from.factory(writer.ipv4.output))
+              fw.ipv6? && write_table("ip6tables", rule, to_from.factory(writer.ipv6.output))
             end
           end
         end
 
-        def self.write_nat(nat, ifname, iface, writer)
+        def self.write_nat(fw, nat, ifname, iface, writer)
           nat.rules.each do |rule|
             throw "ACTION must set #{ifname}" unless rule.get_action
             throw "TO_SOURCE must set #{ifname}" unless rule.to_source?
             if rule.to_source? && rule.postrouting?
               src = iface.address.ips.select{|ip| ip.ipv4?}.first
               throw "missing ipv4 address and postrouting and to_source is used #{ifname}" unless src
-              to_from = ToFrom.new.only_in_out(rule).end_to("--to-source #{src}")
+              to_from = ToFrom.new.bind_interface(ifname, iface, rule).assign_in_out(rule).end_to("--to-source #{src}")
                 .ifname(ifname).factory(writer.ipv4.postrouting)
-              write_table("iptables", rule, to_from)
+              fw.ipv4? && write_table("iptables", rule, to_from)
             end
           end
         end
 
         def self.protocol_loop(rule)
           protocol_loop = []
-          if !rule.tcp? && !rule.udp?
-            protocol_loop << ''
-          else
-            protocol_loop << '-p tcp' if rule.tcp?
-            protocol_loop << '-p udp' if rule.udp?
+          {
+            'tcp' => rule.tcp?,
+            'udp' => rule.udp?,
+            'esp' => rule.esp?,
+            'ah' => rule.ah?,
+            'icmp' => rule.icmp?
+          }.each do |proto, enabled|
+            protocol_loop << "-p #{proto}" if enabled
           end
-
+          protocol_loop = [''] if protocol_loop.empty?
           protocol_loop
         end
 
-        def self.write_forward(forward, ifname, iface, writer)
+        def self.icmp_type(family, type)
+          {
+            Construqt::Firewalls::ICMP::PingRequest => {
+                :v4 => "-m icmp --icmp-type 8/0",
+                :v6 => "--icmpv6-type 128"
+            }
+          }[type][family]
+        end
+
+        def self.write_forward(fw, forward, ifname, iface, writer)
           forward.rules.each do |rule|
             throw "ACTION must set #{ifname}" unless rule.get_action
             #puts "write_forward #{rule.inspect} #{rule.input_only?} #{rule.output_only?}"
             if rule.get_log
-              to_from = ToFrom.new.bind_interface(ifname, iface, rule).only_in_out(rule)
+              to_from = ToFrom.new.bind_interface(ifname, iface, rule).assign_in_out(rule)
                 .end_to("--nflog-prefix o:#{rule.get_log}:#{ifname}")
                 .end_from("--nflog-prefix i:#{rule.get_log}:#{ifname}")
-              write_table("iptables", rule.clone.action("NFLOG"), to_from.factory(writer.ipv4.forward))
-              write_table("ip6tables", rule.clone.action("NFLOG"), to_from.factory(writer.ipv6.forward))
+              fw.ipv4? && write_table("iptables", rule.clone.action("NFLOG"), to_from.factory(writer.ipv4.forward))
+              fw.ipv6? && write_table("ip6tables", rule.clone.action("NFLOG"), to_from.factory(writer.ipv6.forward))
             end
 
             protocol_loop(rule).each do |protocol|
-              #binding.pry
-              to_from = ToFrom.new.bind_interface(ifname, iface, rule).only_in_out(rule)
-              to_from.push_begin_to(protocol)
-              to_from.push_begin_from(protocol)
-              if rule.get_ports && !rule.get_ports.empty?
-                to_from.push_middle_from("-dports #{rule.get_ports.join(",")}")
-                to_from.push_middle_to("-dports #{rule.get_ports.join(",")}")
-              end
-
-              if rule.connection?
-                to_from.push_middle_from("-m state --state NEW,ESTABLISHED")
-                to_from.push_middle_to("-m state --state RELATED,ESTABLISHED")
+              {:v4 => { :enabled => fw.ipv4?, :table => "iptables", :writer => writer.ipv4.forward },
+               :v6 => { :enabled => fw.ipv6?, :table => "ip6tables", :writer => writer.ipv6.forward }}.each do |family, cfg|
+                next unless cfg[:enabled]
+                to_from = ToFrom.new.bind_interface(ifname, iface, rule).assign_in_out(rule)
+                if protocol == "-p icmp" && family == :v6
+                  my_protocol = "-p icmpv6"
+                else
+                  my_protocol = protocol
+                end
+                to_from.push_begin_to(my_protocol)
+                to_from.push_begin_from(my_protocol)
+
+                if rule.get_ports && !rule.get_ports.empty?
+                  to_from.push_middle_from("-m multiport --dports #{rule.get_ports.join(",")}")
+                  to_from.push_middle_to("-m multiport --sports #{rule.get_ports.join(",")}")
+                end
+                if rule.icmp? && rule.get_type
+                  to_from.push_middle_from(icmp_type(family, rule.get_type))
+                end
+
+                if rule.connection?
+                  to_from.push_middle_from("-m state --state NEW,ESTABLISHED")
+                  to_from.push_middle_to("-m state --state RELATED,ESTABLISHED")
+                end
+                write_table(cfg[:table], rule, to_from.factory(cfg[:writer]))
               end
-
-              write_table("iptables", rule, to_from.factory(writer.ipv4.forward))
-              write_table("ip6tables", rule, to_from.factory(writer.ipv6.forward))
             end
           end
         end
 
-        def self.write_host(host, ifname, iface, writer)
+        def self.create_link_local(fw, ifname, iface, rule, writer)
+          return unless fw.ipv6?
+          # fe80::/64
+          # ff02::/16 dest
+          i_to_from = ToFrom.new.bind_interface(ifname, iface, rule).input_only
+          i_rule = rule.clone.from_my_net.to_my_net
+          i_to_from.push_begin_to("-p icmpv6")
+          i_rule.to_net_addr("fe80::/64")
+          i_rule.from_net_addr("ff02::/16", "fe80::/64")
+          write_table("ip6tables", i_rule, i_to_from.factory(writer.ipv6.input))
+
+          #i_to_from = ToFrom.new.bind_interface(ifname, iface, rule).input_only
+          #i_rule = rule.clone.from_my_net.to_my_net
+          #i_to_from.push_begin_to("-p icmpv6")
+          #i_rule.to_net_addr("fe80::/64")
+          #i_rule.from_net_addr("fe80::/64")
+          #i_to_from.push_middle_to("--icmpv6-type 136")
+          #write_table("ip6tables", i_rule, i_to_from.factory(writer.ipv6.input))
+
+          o_to_from = ToFrom.new.bind_interface(ifname, iface, rule).output_only
+          o_to_from.push_begin_from("-p icmpv6")
+          o_rule = rule.clone.from_my_net.to_my_net
+          #o_rule.from_net_addr("fe80::/64")
+          o_rule.from_net_addr("fe80::/64")
+          o_rule.to_net_addr("ff02::/16", "fe80::/64")
+          #o_to_from.push_middle_from("--icmpv6-type 135")
+          write_table("ip6tables", o_rule, o_to_from.factory(writer.ipv6.output))
+
+          #binding.pry
+          #o_to_from = ToFrom.new.bind_interface(ifname, iface, rule).output_only
+          #o_to_from.push_begin_from("-p icmpv6")
+          #o_rule = rule.clone.from_my_net.to_my_net
+          #o_rule.from_net_addr("fe80::/64")
+          #o_rule.to_net_addr("fe80::/64")
+          #o_to_from.push_middle_from("--icmpv6-type 136")
+          #write_table("ip6tables", o_rule, o_to_from.factory(writer.ipv6.output))
+        end
+
+        def self.write_host(fw, host, ifname, iface, writer)
           host.rules.each do |rule|
-            in_to_from = ToFrom.new.bind_interface(ifname, iface, rule).input_only
-            out_to_from = ToFrom.new.bind_interface(ifname, iface, rule).output_only
             if rule.get_log
-              #binding.pry
-              l_in_to_from = ToFrom.new.bind_interface(ifname, iface, rule).input_only
-                .end_to("--nflog-prefix o:#{rule.get_log}:#{ifname}")
-              l_out_to_from = ToFrom.new.bind_interface(ifname, iface, rule).output_only
-                .end_from("--nflog-prefix i:#{rule.get_log}:#{ifname}")
-              write_table("iptables", rule.clone.action("NFLOG"), l_in_to_from.factory(writer.ipv4.input))
-              write_table("iptables", rule.clone.action("NFLOG"), l_out_to_from.factory(writer.ipv4.output))
-              write_table("ip6tables", rule.clone.action("NFLOG"), l_in_to_from.factory(writer.ipv6.input))
-              write_table("ip6tables", rule.clone.action("NFLOG"), l_out_to_from.factory(writer.ipv6.output))
+              nflog_rule = rule.clone.action("NFLOG")
+              l_in_to_from = ToFrom.new.bind_interface(ifname, iface, nflog_rule).input_only
+                .end_from("--nflog-prefix o:#{rule.get_log}:#{ifname}")
+              l_out_to_from = ToFrom.new.bind_interface(ifname, iface, nflog_rule).output_only
+                .end_to("--nflog-prefix i:#{rule.get_log}:#{ifname}")
+              fw.ipv4? && write_table("iptables", nflog_rule, l_in_to_from.factory(writer.ipv4.input))
+              fw.ipv4? && write_table("iptables", nflog_rule, l_out_to_from.factory(writer.ipv4.output))
+              fw.ipv6? && write_table("ip6tables", nflog_rule, l_in_to_from.factory(writer.ipv6.input))
+              fw.ipv6? && write_table("ip6tables", nflog_rule, l_out_to_from.factory(writer.ipv6.output))
             end
+            next create_link_local(fw, ifname, iface, rule, writer) if rule.link_local?
 
-            write_table("iptables", rule, in_to_from.factory(writer.ipv4.input))
-            write_table("iptables", rule, out_to_from.factory(writer.ipv4.output))
-            write_table("ip6tables", rule, in_to_from.factory(writer.ipv6.input))
-            write_table("ip6tables", rule, out_to_from.factory(writer.ipv6.output))
+            protocol_loop(rule).each do |protocol|
+              [{
+                :doit    => rule.input_only?,
+                :from_to => lambda { ToFrom.new.bind_interface(ifname, iface, rule).input_only },
+                :writer4 => !rule.from_is_inbound? ? writer.ipv4.input : writer.ipv4.output,
+                :writer6 => !rule.from_is_inbound? ? writer.ipv6.input : writer.ipv6.output
+              },{
+                :doit    => rule.output_only?,
+                :from_to => lambda { ToFrom.new.bind_interface(ifname, iface, rule).output_only },
+                :writer4 => rule.from_is_inbound? ? writer.ipv4.input : writer.ipv4.output,
+                :writer6 => rule.from_is_inbound? ? writer.ipv6.input : writer.ipv6.output
+              }].each do |to_from_writer|
+                next unless to_from_writer[:doit]
+                {:v4 => { :enabled => fw.ipv4?, :table => "iptables", :writer => to_from_writer[:writer4]},
+                 :v6 => { :enabled => fw.ipv6?, :table => "ip6tables", :writer => to_from_writer[:writer6] }}.each do |family, cfg|
+                  to_from = to_from_writer[:from_to].call
+                  next unless cfg[:enabled]
+                  if protocol == "-p icmp" && family == :v6
+                    my_protocol = "-p icmpv6"
+                  else
+                    my_protocol = protocol
+                  end
+                  to_from.push_begin_to(my_protocol)
+                  to_from.push_begin_from(my_protocol)
+                  if rule.get_ports && !rule.get_ports.empty?
+                    to_from.push_middle_from("-m multiport --dports #{rule.get_ports.join(",")}")
+                    to_from.push_middle_to("-m multiport --sports #{rule.get_ports.join(",")}")
+                  end
+                  if rule.icmp? && rule.get_type
+                    to_from.push_middle_from(icmp_type(family, rule.get_type))
+                  end
+                  if rule.connection?
+                    to_from.push_middle_from("-m state --state NEW,ESTABLISHED")
+                    to_from.push_middle_to("-m state --state RELATED,ESTABLISHED")
+                  end
+                  write_table(cfg[:table], rule, to_from.factory(cfg[:writer]))
+                end
+              end
+            end
+          end
+        end
+
+        def self.create_from_iface(ifname, iface, writer)
+          iface.firewalls && iface.firewalls.each do |firewall|
+            firewall.get_raw && Firewall.write_raw(firewall, firewall.get_raw, ifname, iface, writer.raw)
+            firewall.get_nat && Firewall.write_nat(firewall, firewall.get_nat, ifname, iface, writer.nat)
+            firewall.get_forward && Firewall.write_forward(firewall, firewall.get_forward, ifname, iface, writer.filter)
+            firewall.get_host && Firewall.write_host(firewall, firewall.get_host, ifname, iface, writer.filter)
           end
         end
 
         def self.create(host, ifname, iface)
           throw 'interface must set' unless ifname
           writer = iface.host.result.etc_network_iptables
-          iface.firewalls && iface.firewalls.each do |firewall|
-            firewall.get_raw && Firewall.write_raw(firewall.get_raw, ifname, iface, writer.raw)
-            firewall.get_nat && Firewall.write_nat(firewall.get_nat, ifname, iface, writer.nat)
-            firewall.get_forward && Firewall.write_forward(firewall.get_forward, ifname, iface, writer.filter)
-            firewall.get_host && Firewall.write_host(firewall.get_host, ifname, iface, writer.filter)
-          end
+          create_from_iface(ifname, iface, writer)
+          create_from_iface(ifname, iface.delegate.vrrp.delegate, writer) if iface.delegate.vrrp
+          writer_local = host.result.etc_network_interfaces.get(iface)
+          writer_local.lines.up("iptables-restore < /etc/network/iptables.cfg")
+          writer_local.lines.up("ip6tables-restore < /etc/network/ip6tables.cfg")
         end
       end
     end

data/lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb

@@ -10,9 +10,11 @@ module Construqt
         def self.header(host)
           #binding.pry
           addrs = {}
+          ifaces = {}
           host.ipsecs.each do |ipsec|
             [ipsec.left, ipsec.right].each do |iface|
               next if iface.host != host
+              ifaces[iface.remote.interface.name] = iface.remote.interface
               if iface.remote.first_ipv4
                 addrs[iface.remote.first_ipv4.to_s] = "isakmp #{iface.remote.first_ipv4.to_s} [500];"
               end
@@ -22,7 +24,18 @@ module Construqt
             end
           end
           return if addrs.empty?
-          host.result.add(self, <<HEADER, Construqt::Resources::Rights::ROOT_0644, "etc", "racoon", "racoon.conf")
+          host.result.add(self, <<HEADER, Construqt::Resources::Rights::root_0644(Construqt::Resources::Component::IPSEC), "etc", "default", "racoon")
+# do not edit generated file
+#
+# this a a evil hack to avoid a raise condition on starting the
+# OS racoon in the same moment like our
+if [ "$STARTED_BY_CONSTRUQT" = "" ]
+then
+  exit 0
+fi
+HEADER
+
+          host.result.add(self, <<HEADER, Construqt::Resources::Rights::root_0644(Construqt::Resources::Component::IPSEC), "etc", "racoon", "racoon.conf")
 # do not edit generated file
 path pre_shared_key "/etc/racoon/psk.txt";
 path certificate "/etc/racoon/certs";
@@ -49,7 +62,7 @@ HEADER
 
         def build_racoon_config(remote_ip)
           #binding.pry
-          self.host.result.add(self, <<RACOON, Construqt::Resources::Rights::ROOT_0644, "etc", "racoon", "racoon.conf")
+          self.host.result.add(self, <<RACOON, Construqt::Resources::Rights::root_0644(Construqt::Resources::Component::IPSEC), "etc", "racoon", "racoon.conf")
 # #{self.cfg.name}
 remote #{remote_ip} {
   exchange_mode main;
@@ -77,7 +90,7 @@ RACOON
             other_ip_str = other_ip.to_string
           end
 
-          self.host.result.add(self, <<RACOON, Construqt::Resources::Rights::ROOT_0644, "etc", "racoon", "racoon.conf")
+          self.host.result.add(self, <<RACOON, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::IPSEC), "etc", "racoon", "racoon.conf")
 sainfo address #{my_ip_str} any address #{other_ip_str} any {
 pfs_group 5;
 encryption_algorithm aes256;
@@ -89,21 +102,22 @@ RACOON
         end
 
         def from_to_ipsec_conf(dir, remote_my, remote_other, my, other)
-          host.result.add(self, "# #{self.cfg.name} #{dir}", Construqt::Resources::Rights::ROOT_0644, "etc", "ipsec-tools.d", "ipsec.conf")
+          host.result.add(self, "# #{self.cfg.name} #{dir}", Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::IPSEC), "etc", "ipsec-tools.d", "ipsec.conf")
           if my.network.to_s == other.network.to_s
             spdadd = "spdadd #{my.to_s} #{other.to_s}  any -P #{dir}  ipsec esp/tunnel/#{remote_my}-#{remote_other}/unique;"
           else
             spdadd = "spdadd #{my.to_string} #{other.to_string}  any -P #{dir}  ipsec esp/tunnel/#{remote_my}-#{remote_other}/unique;"
           end
 
-          host.result.add(self, spdadd, Construqt::Resources::Rights::ROOT_0644, "etc", "ipsec-tools.d", "ipsec.conf")
+          host.result.add(self, spdadd, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::IPSEC), "etc", "ipsec-tools.d", "ipsec.conf")
         end
 
-        def build_policy(remote_my, remote_other, my, other)
+        def build_policy(family, remote_my, remote_other, my, other)
           #binding.pry
           my.ips.each do |my_ip|
             other.ips.each do |other_ip|
-              next unless (my_ip.ipv6? && my_ip.ipv6? == other_ip.ipv6?) || (my_ip.ipv4? && my_ip.ipv4? == other_ip.ipv4?)
+              next unless (family == Construqt::Addresses::IPV6 && (my_ip.ipv6? && my_ip.ipv6? == other_ip.ipv6?)) ||
+                          (family == Construqt::Addresses::IPV4 && (my_ip.ipv4? && my_ip.ipv4? == other_ip.ipv4?))
               from_to_ipsec_conf("out", remote_my, remote_other, my_ip, other_ip)
               from_to_sainfo(my_ip, other_ip)
             end
@@ -111,7 +125,8 @@ RACOON
 
           other.ips.each do |other_ip|
             my.ips.each do |my_ip|
-              next unless (my_ip.ipv6? && my_ip.ipv6? == other_ip.ipv6?) || (my_ip.ipv4? && my_ip.ipv4? == other_ip.ipv4?)
+              next unless (family == Construqt::Addresses::IPV6 && (my_ip.ipv6? && my_ip.ipv6? == other_ip.ipv6?)) ||
+                          (family == Construqt::Addresses::IPV4 && (my_ip.ipv4? && my_ip.ipv4? == other_ip.ipv4?))
               from_to_ipsec_conf("in", remote_other, remote_my, other_ip, my_ip)
               from_to_sainfo(other_ip, my_ip)
             end
@@ -127,19 +142,20 @@ RACOON
 
         def build_config(unused, unused2)
           #      build_gre_config()
-          #binding.pry
-          if self.other.remote.first_ipv6
+          if self.cfg.transport_family == Construqt::Addresses::IPV6
+            throw "we need a remote ipv6 address #{self.cfg.name}" unless self.other.remote.first_ipv6
+            throw "we need a local ipv6 address #{self.cfg.name}" unless self.remote.first_ipv6
             build_racoon_config(self.other.remote.first_ipv6.to_s)
             host.result.add(self, psk(self.other.remote.first_ipv6.to_s, cfg),
-                            Construqt::Resources::Rights::ROOT_0600, "etc", "racoon", "psk.txt")
-            build_policy(self.remote.first_ipv6.to_s, self.other.remote.first_ipv6.to_s, self.my, self.other.my)
-          elsif self.other.remote.first_ipv4
+                            Construqt::Resources::Rights.root_0600(Construqt::Resources::Component::IPSEC), "etc", "racoon", "psk.txt")
+            build_policy(self.cfg.transport_family, self.remote.first_ipv6.to_s, self.other.remote.first_ipv6.to_s, self.my, self.other.my)
+          else
+            throw "we need a remote ipv4 address #{self.cfg.name}" unless self.other.remote.first_ipv4
+            throw "we need a local ipv4 address #{self.cfg.name}" unless self.remote.first_ipv4
             build_racoon_config(self.other.remote.first_ipv4.to_s)
             host.result.add(self, psk(self.other.remote.first_ipv4.to_s, cfg),
-                            Construqt::Resources::Rights::ROOT_0600, "etc", "racoon", "psk.txt")
-            build_policy(self.remote.first_ipv4.to_s, self.other.remote.first_ipv4.to_s, self.my, self.other.my)
-          else
-            throw "ipsec need a remote address"
+                            Construqt::Resources::Rights.root_0600(Construqt::Resources::Component::IPSEC), "etc", "racoon", "psk.txt")
+            build_policy(self.cfg.transport_family, self.remote.first_ipv4.to_s, self.other.remote.first_ipv4.to_s, self.my, self.other.my)
           end
         end
       end

data/lib/construqt/flavour/ubuntu/flavour_ubuntu_opvn.rb

@@ -16,11 +16,11 @@ module Construqt
             push_routes = iface.push_routes.routes.map{|route| "push \"route #{route.dst.to_string}\"" }.join("\n")
           end
 
-          host.result.add(self, iface.cacert, Construqt::Resources::Rights::ROOT_0644, "etc", "openvpn", "ssl", "#{iface.name}-cacert.pem")
-          host.result.add(self, iface.hostcert, Construqt::Resources::Rights::ROOT_0644, "etc", "openvpn", "ssl", "#{iface.name}-hostcert.pem")
-          host.result.add(self, iface.hostkey, Construqt::Resources::Rights::ROOT_0600, "etc", "openvpn", "ssl", "#{iface.name}-hostkey.pem")
-          host.result.add(self, iface.dh1024, Construqt::Resources::Rights::ROOT_0644, "etc", "openvpn", "ssl", "#{iface.name}-dh1024")
-          host.result.add(self, <<OPVN, Construqt::Resources::Rights::ROOT_0644, "etc", "openvpn", "#{iface.name}.conf")
+          host.result.add(self, iface.cacert, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::OPENVPN), "etc", "openvpn", "ssl", "#{iface.name}-cacert.pem")
+          host.result.add(self, iface.hostcert, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::OPENVPN), "etc", "openvpn", "ssl", "#{iface.name}-hostcert.pem")
+          host.result.add(self, iface.hostkey, Construqt::Resources::Rights.root_0600(Construqt::Resources::Component::OPENVPN), "etc", "openvpn", "ssl", "#{iface.name}-hostkey.pem")
+          host.result.add(self, iface.dh1024, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::OPENVPN), "etc", "openvpn", "ssl", "#{iface.name}-dh1024")
+          host.result.add(self, <<OPVN, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::OPENVPN), "etc", "openvpn", "#{iface.name}.conf")
 daemon
 local #{local}
 proto udp#{local.ipv6? ? '6' : ''}