construqt 0.0.5 → 0.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (38)
  1. checksums.yaml +4 -4
  2. data/lib/construqt/addresses.rb +121 -10
  3. data/lib/construqt/bgps.rb +10 -12
  4. data/lib/construqt/firewalls.rb +115 -16
  5. data/lib/construqt/flavour/ciscian/ciscian.rb +73 -93
  6. data/lib/construqt/flavour/ciscian/deploy_template.rb +36 -0
  7. data/lib/construqt/flavour/ciscian/dialect_dlink-dgs15xx.rb +62 -114
  8. data/lib/construqt/flavour/ciscian/dialect_hp-2510g.rb +74 -14
  9. data/lib/construqt/flavour/delegates.rb +9 -0
  10. data/lib/construqt/flavour/mikrotik/flavour_mikrotik.rb +0 -3
  11. data/lib/construqt/flavour/mikrotik/flavour_mikrotik_bgp.rb +12 -1
  12. data/lib/construqt/flavour/mikrotik/flavour_mikrotik_interface.rb +32 -1
  13. data/lib/construqt/flavour/mikrotik/flavour_mikrotik_result.rb +2 -0
  14. data/lib/construqt/flavour/mikrotik/flavour_mikrotik_schema.rb +3 -3
  15. data/lib/construqt/flavour/plantuml/plantuml.rb +2 -2
  16. data/lib/construqt/flavour/ubuntu/flavour_ubuntu.rb +24 -13
  17. data/lib/construqt/flavour/ubuntu/flavour_ubuntu_bgp.rb +16 -7
  18. data/lib/construqt/flavour/ubuntu/flavour_ubuntu_dns.rb +5 -5
  19. data/lib/construqt/flavour/ubuntu/flavour_ubuntu_firewall.rb +218 -67
  20. data/lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb +33 -17
  21. data/lib/construqt/flavour/ubuntu/flavour_ubuntu_opvn.rb +5 -5
  22. data/lib/construqt/flavour/ubuntu/flavour_ubuntu_result.rb +77 -14
  23. data/lib/construqt/flavour/ubuntu/flavour_ubuntu_services.rb +77 -29
  24. data/lib/construqt/flavour/ubuntu/flavour_ubuntu_vrrp.rb +18 -3
  25. data/lib/construqt/interfaces.rb +25 -6
  26. data/lib/construqt/ipsecs.rb +5 -3
  27. data/lib/construqt/rack.rb +51 -0
  28. data/lib/construqt/resource.rb +25 -3
  29. data/lib/construqt/reverse.rb +1 -0
  30. data/lib/construqt/services.rb +15 -29
  31. data/lib/construqt/tags.rb +21 -15
  32. data/lib/construqt/templates.rb +17 -0
  33. data/lib/construqt/users.rb +4 -0
  34. data/lib/construqt/util.rb +1 -1
  35. data/lib/construqt/version.rb +1 -1
  36. data/lib/construqt/vlans.rb +13 -2
  37. data/lib/construqt.rb +2 -1
  38. metadata +4 -2
@@ -22,9 +22,9 @@ module Construqt
22
22
  chainable_attr_value :output_ifname_direction, "-i"
23
23
  chainable_attr_value :input_ifname_direction, "-o"
24
24
 
25
- def only_in_out(rule)
26
- output_only rule.output_only?
27
- input_only rule.input_only?
25
+ def assign_in_out(rule)
26
+ output_only if rule.output_only?
27
+ input_only if rule.input_only?
28
28
  self
29
29
  end
30
30
 
@@ -125,19 +125,67 @@ module Construqt
125
125
  end
126
126
  end
127
127
 
128
+
129
+ def self.filter_routes(routes, family)
130
+ routes.map{|i| i.dst }.select{|i| family == Construqt::Addresses::IPV6 ? i.ipv6? : i.ipv4? }
131
+ end
132
+
133
+ # def self.try_tags_as_ipaddress(list, family, *possible_addrs)
134
+ # return list unless list.empty?
135
+ # ret = possible_addrs.map do |addr|
136
+ # next nil unless addr
137
+ # begin
138
+ # addr = IPAddress.parse(addr)
139
+ # next addr if (addr.ipv4? && family == Construqt::Addresses::IPV4) || (addr.ipv6? && family == Construqt::Addresses::IPV6)
140
+ # nil
141
+ # rescue Exception => e
142
+ # nil
143
+ # end
144
+ # end.compact
145
+ # binding.pry unless ret.empty?
146
+ # ret
147
+ # end
148
+
128
149
  def self.write_table(iptables, rule, to_from)
129
150
  family = iptables=="ip6tables" ? Construqt::Addresses::IPV6 : Construqt::Addresses::IPV4
130
- if rule.from_interface?
131
- #binding.pry
132
- from_list = IPAddress::IPv4::summarize(
133
- *(iptables=="ip6tables" ? to_from.get_interface.address.v6s : to_from.get_interface.address.v4s).map do |adr|
134
- adr.to_string
135
- end)
151
+ if rule.from_my_net?
152
+ networks = iptables=="ip6tables" ? to_from.get_interface.address.v6s : to_from.get_interface.address.v4s
153
+ if rule.from_route?
154
+ networks += self.filter_routes(to_from.get_interface.address.routes, family)
155
+ end
156
+ from_list = IPAddress.summarize(networks)
136
157
  else
137
158
  from_list = Construqt::Tags.ips_net(rule.get_from_net, family)
159
+ # from_list = try_tags_as_ipaddress(from_list, family, rule.get_from_net)
138
160
  end
139
161
 
140
- to_list = Construqt::Tags.ips_net(rule.get_to_net, family)
162
+ if rule.to_my_net?
163
+ networks = iptables=="ip6tables" ? to_from.get_interface.address.v6s : to_from.get_interface.address.v4s
164
+ if rule.from_route?
165
+ networks += self.filter_routes(to_from.get_interface.address.routes, family)
166
+ end
167
+ to_list = IPAddress.summarize(networks)
168
+ else
169
+ if rule.get_to_host
170
+ to_list = Construqt::Tags.ips_hosts(rule.get_to_host, family)
171
+ else
172
+ to_list = Construqt::Tags.ips_net(rule.get_to_net, family)
173
+ end
174
+ # to_list = try_tags_as_ipaddress(to_list, family, rule.get_to_net, rule.get_to_host)
175
+ end
176
+ unless rule.get_to_net_addr.empty?
177
+ #binding.pry
178
+ addrs = rule.get_to_net_addr.map { |i| IPAddress.parse(i) }.select { |i|
179
+ (i.ipv6? && family == Construqt::Addresses::IPV6) || (i.ipv4? && family == Construqt::Addresses::IPV4)
180
+ }
181
+ to_list = IPAddress.summarize(to_list + addrs)
182
+ end
183
+ unless rule.get_from_net_addr.empty?
184
+ addrs = rule.get_from_net_addr.map { |i| IPAddress.parse(i) }.select { |i|
185
+ (i.ipv6? && family == Construqt::Addresses::IPV6) || (i.ipv4? && family == Construqt::Addresses::IPV4)
186
+ }
187
+ from_list = IPAddress.summarize(from_list + addrs)
188
+ end
141
189
  #puts ">>>>>#{from_list.inspect}"
142
190
  #puts ">>>>>#{state.inspect} end_to:#{state.end_to}:#{state.end_from}:#{state.middle_to}#{state.middle_from}"
143
191
  action_i = action_o = rule.get_action
@@ -153,6 +201,7 @@ module Construqt
153
201
  end
154
202
 
155
203
  if to_list.length > 1
204
+ # work on these do a better hashing
156
205
  action_o = "I.#{to_from.get_ifname}.#{rule.object_id.to_s(32)}"
157
206
  action_i = "O.#{to_from.get_ifname}.#{rule.object_id.to_s(32)}"
158
207
  to_list.each do |ip|
@@ -183,116 +232,218 @@ module Construqt
183
232
  end
184
233
  end
185
234
 
186
- def self.write_raw(raw, ifname, iface, writer)
235
+ def self.write_raw(fw, raw, ifname, iface, writer)
187
236
  # puts ">>>RAW #{iface.name} #{raw.firewall.name}"
188
237
  raw.rules.each do |rule|
189
238
  throw "ACTION must set #{ifname}" unless rule.get_action
190
239
  if rule.prerouting?
191
- to_from = ToFrom.new.bind_interface(ifname, iface, rule).only_in_out(rule)
240
+ to_from = ToFrom.new.bind_interface(ifname, iface, rule).assign_in_out(rule)
192
241
  #puts "PREROUTING #{to_from.inspect}"
193
- write_table("iptables", rule, to_from.factory(writer.ipv4.prerouting))
194
- write_table("ip6tables", rule, to_from.factory(writer.ipv6.prerouting))
242
+ fw.ipv4? && write_table("iptables", rule, to_from.factory(writer.ipv4.prerouting))
243
+ fw.ipv6? && write_table("ip6tables", rule, to_from.factory(writer.ipv6.prerouting))
195
244
  end
196
245
 
197
246
  if rule.output?
198
- to_from = ToFrom.new.bind_interface(ifname, iface, rule).only_in_out(rule)
199
- write_table("iptables", rule, to_from.factory(writer.ipv4.output))
200
- write_table("ip6tables", rule, to_from.factory(writer.ipv6.output))
247
+ to_from = ToFrom.new.bind_interface(ifname, iface, rule).assign_in_out(rule)
248
+ fw.ipv4? && write_table("iptables", rule, to_from.factory(writer.ipv4.output))
249
+ fw.ipv6? && write_table("ip6tables", rule, to_from.factory(writer.ipv6.output))
201
250
  end
202
251
  end
203
252
  end
204
253
 
205
- def self.write_nat(nat, ifname, iface, writer)
254
+ def self.write_nat(fw, nat, ifname, iface, writer)
206
255
  nat.rules.each do |rule|
207
256
  throw "ACTION must set #{ifname}" unless rule.get_action
208
257
  throw "TO_SOURCE must set #{ifname}" unless rule.to_source?
209
258
  if rule.to_source? && rule.postrouting?
210
259
  src = iface.address.ips.select{|ip| ip.ipv4?}.first
211
260
  throw "missing ipv4 address and postrouting and to_source is used #{ifname}" unless src
212
- to_from = ToFrom.new.only_in_out(rule).end_to("--to-source #{src}")
261
+ to_from = ToFrom.new.bind_interface(ifname, iface, rule).assign_in_out(rule).end_to("--to-source #{src}")
213
262
  .ifname(ifname).factory(writer.ipv4.postrouting)
214
- write_table("iptables", rule, to_from)
263
+ fw.ipv4? && write_table("iptables", rule, to_from)
215
264
  end
216
265
  end
217
266
  end
218
267
 
219
268
  def self.protocol_loop(rule)
220
269
  protocol_loop = []
221
- if !rule.tcp? && !rule.udp?
222
- protocol_loop << ''
223
- else
224
- protocol_loop << '-p tcp' if rule.tcp?
225
- protocol_loop << '-p udp' if rule.udp?
270
+ {
271
+ 'tcp' => rule.tcp?,
272
+ 'udp' => rule.udp?,
273
+ 'esp' => rule.esp?,
274
+ 'ah' => rule.ah?,
275
+ 'icmp' => rule.icmp?
276
+ }.each do |proto, enabled|
277
+ protocol_loop << "-p #{proto}" if enabled
226
278
  end
227
-
279
+ protocol_loop = [''] if protocol_loop.empty?
228
280
  protocol_loop
229
281
  end
230
282
 
231
- def self.write_forward(forward, ifname, iface, writer)
283
+ def self.icmp_type(family, type)
284
+ {
285
+ Construqt::Firewalls::ICMP::PingRequest => {
286
+ :v4 => "-m icmp --icmp-type 8/0",
287
+ :v6 => "--icmpv6-type 128"
288
+ }
289
+ }[type][family]
290
+ end
291
+
292
+ def self.write_forward(fw, forward, ifname, iface, writer)
232
293
  forward.rules.each do |rule|
233
294
  throw "ACTION must set #{ifname}" unless rule.get_action
234
295
  #puts "write_forward #{rule.inspect} #{rule.input_only?} #{rule.output_only?}"
235
296
  if rule.get_log
236
- to_from = ToFrom.new.bind_interface(ifname, iface, rule).only_in_out(rule)
297
+ to_from = ToFrom.new.bind_interface(ifname, iface, rule).assign_in_out(rule)
237
298
  .end_to("--nflog-prefix o:#{rule.get_log}:#{ifname}")
238
299
  .end_from("--nflog-prefix i:#{rule.get_log}:#{ifname}")
239
- write_table("iptables", rule.clone.action("NFLOG"), to_from.factory(writer.ipv4.forward))
240
- write_table("ip6tables", rule.clone.action("NFLOG"), to_from.factory(writer.ipv6.forward))
300
+ fw.ipv4? && write_table("iptables", rule.clone.action("NFLOG"), to_from.factory(writer.ipv4.forward))
301
+ fw.ipv6? && write_table("ip6tables", rule.clone.action("NFLOG"), to_from.factory(writer.ipv6.forward))
241
302
  end
242
303
 
243
304
  protocol_loop(rule).each do |protocol|
244
- #binding.pry
245
- to_from = ToFrom.new.bind_interface(ifname, iface, rule).only_in_out(rule)
246
- to_from.push_begin_to(protocol)
247
- to_from.push_begin_from(protocol)
248
- if rule.get_ports && !rule.get_ports.empty?
249
- to_from.push_middle_from("-dports #{rule.get_ports.join(",")}")
250
- to_from.push_middle_to("-dports #{rule.get_ports.join(",")}")
251
- end
252
-
253
- if rule.connection?
254
- to_from.push_middle_from("-m state --state NEW,ESTABLISHED")
255
- to_from.push_middle_to("-m state --state RELATED,ESTABLISHED")
305
+ {:v4 => { :enabled => fw.ipv4?, :table => "iptables", :writer => writer.ipv4.forward },
306
+ :v6 => { :enabled => fw.ipv6?, :table => "ip6tables", :writer => writer.ipv6.forward }}.each do |family, cfg|
307
+ next unless cfg[:enabled]
308
+ to_from = ToFrom.new.bind_interface(ifname, iface, rule).assign_in_out(rule)
309
+ if protocol == "-p icmp" && family == :v6
310
+ my_protocol = "-p icmpv6"
311
+ else
312
+ my_protocol = protocol
313
+ end
314
+ to_from.push_begin_to(my_protocol)
315
+ to_from.push_begin_from(my_protocol)
316
+
317
+ if rule.get_ports && !rule.get_ports.empty?
318
+ to_from.push_middle_from("-m multiport --dports #{rule.get_ports.join(",")}")
319
+ to_from.push_middle_to("-m multiport --sports #{rule.get_ports.join(",")}")
320
+ end
321
+ if rule.icmp? && rule.get_type
322
+ to_from.push_middle_from(icmp_type(family, rule.get_type))
323
+ end
324
+
325
+ if rule.connection?
326
+ to_from.push_middle_from("-m state --state NEW,ESTABLISHED")
327
+ to_from.push_middle_to("-m state --state RELATED,ESTABLISHED")
328
+ end
329
+ write_table(cfg[:table], rule, to_from.factory(cfg[:writer]))
256
330
  end
257
-
258
- write_table("iptables", rule, to_from.factory(writer.ipv4.forward))
259
- write_table("ip6tables", rule, to_from.factory(writer.ipv6.forward))
260
331
  end
261
332
  end
262
333
  end
263
334
 
264
- def self.write_host(host, ifname, iface, writer)
335
+ def self.create_link_local(fw, ifname, iface, rule, writer)
336
+ return unless fw.ipv6?
337
+ # fe80::/64
338
+ # ff02::/16 dest
339
+ i_to_from = ToFrom.new.bind_interface(ifname, iface, rule).input_only
340
+ i_rule = rule.clone.from_my_net.to_my_net
341
+ i_to_from.push_begin_to("-p icmpv6")
342
+ i_rule.to_net_addr("fe80::/64")
343
+ i_rule.from_net_addr("ff02::/16", "fe80::/64")
344
+ write_table("ip6tables", i_rule, i_to_from.factory(writer.ipv6.input))
345
+
346
+ #i_to_from = ToFrom.new.bind_interface(ifname, iface, rule).input_only
347
+ #i_rule = rule.clone.from_my_net.to_my_net
348
+ #i_to_from.push_begin_to("-p icmpv6")
349
+ #i_rule.to_net_addr("fe80::/64")
350
+ #i_rule.from_net_addr("fe80::/64")
351
+ #i_to_from.push_middle_to("--icmpv6-type 136")
352
+ #write_table("ip6tables", i_rule, i_to_from.factory(writer.ipv6.input))
353
+
354
+ o_to_from = ToFrom.new.bind_interface(ifname, iface, rule).output_only
355
+ o_to_from.push_begin_from("-p icmpv6")
356
+ o_rule = rule.clone.from_my_net.to_my_net
357
+ #o_rule.from_net_addr("fe80::/64")
358
+ o_rule.from_net_addr("fe80::/64")
359
+ o_rule.to_net_addr("ff02::/16", "fe80::/64")
360
+ #o_to_from.push_middle_from("--icmpv6-type 135")
361
+ write_table("ip6tables", o_rule, o_to_from.factory(writer.ipv6.output))
362
+
363
+ #binding.pry
364
+ #o_to_from = ToFrom.new.bind_interface(ifname, iface, rule).output_only
365
+ #o_to_from.push_begin_from("-p icmpv6")
366
+ #o_rule = rule.clone.from_my_net.to_my_net
367
+ #o_rule.from_net_addr("fe80::/64")
368
+ #o_rule.to_net_addr("fe80::/64")
369
+ #o_to_from.push_middle_from("--icmpv6-type 136")
370
+ #write_table("ip6tables", o_rule, o_to_from.factory(writer.ipv6.output))
371
+ end
372
+
373
+ def self.write_host(fw, host, ifname, iface, writer)
265
374
  host.rules.each do |rule|
266
- in_to_from = ToFrom.new.bind_interface(ifname, iface, rule).input_only
267
- out_to_from = ToFrom.new.bind_interface(ifname, iface, rule).output_only
268
375
  if rule.get_log
269
- #binding.pry
270
- l_in_to_from = ToFrom.new.bind_interface(ifname, iface, rule).input_only
271
- .end_to("--nflog-prefix o:#{rule.get_log}:#{ifname}")
272
- l_out_to_from = ToFrom.new.bind_interface(ifname, iface, rule).output_only
273
- .end_from("--nflog-prefix i:#{rule.get_log}:#{ifname}")
274
- write_table("iptables", rule.clone.action("NFLOG"), l_in_to_from.factory(writer.ipv4.input))
275
- write_table("iptables", rule.clone.action("NFLOG"), l_out_to_from.factory(writer.ipv4.output))
276
- write_table("ip6tables", rule.clone.action("NFLOG"), l_in_to_from.factory(writer.ipv6.input))
277
- write_table("ip6tables", rule.clone.action("NFLOG"), l_out_to_from.factory(writer.ipv6.output))
376
+ nflog_rule = rule.clone.action("NFLOG")
377
+ l_in_to_from = ToFrom.new.bind_interface(ifname, iface, nflog_rule).input_only
378
+ .end_from("--nflog-prefix o:#{rule.get_log}:#{ifname}")
379
+ l_out_to_from = ToFrom.new.bind_interface(ifname, iface, nflog_rule).output_only
380
+ .end_to("--nflog-prefix i:#{rule.get_log}:#{ifname}")
381
+ fw.ipv4? && write_table("iptables", nflog_rule, l_in_to_from.factory(writer.ipv4.input))
382
+ fw.ipv4? && write_table("iptables", nflog_rule, l_out_to_from.factory(writer.ipv4.output))
383
+ fw.ipv6? && write_table("ip6tables", nflog_rule, l_in_to_from.factory(writer.ipv6.input))
384
+ fw.ipv6? && write_table("ip6tables", nflog_rule, l_out_to_from.factory(writer.ipv6.output))
278
385
  end
386
+ next create_link_local(fw, ifname, iface, rule, writer) if rule.link_local?
279
387
 
280
- write_table("iptables", rule, in_to_from.factory(writer.ipv4.input))
281
- write_table("iptables", rule, out_to_from.factory(writer.ipv4.output))
282
- write_table("ip6tables", rule, in_to_from.factory(writer.ipv6.input))
283
- write_table("ip6tables", rule, out_to_from.factory(writer.ipv6.output))
388
+ protocol_loop(rule).each do |protocol|
389
+ [{
390
+ :doit => rule.input_only?,
391
+ :from_to => lambda { ToFrom.new.bind_interface(ifname, iface, rule).input_only },
392
+ :writer4 => !rule.from_is_inbound? ? writer.ipv4.input : writer.ipv4.output,
393
+ :writer6 => !rule.from_is_inbound? ? writer.ipv6.input : writer.ipv6.output
394
+ },{
395
+ :doit => rule.output_only?,
396
+ :from_to => lambda { ToFrom.new.bind_interface(ifname, iface, rule).output_only },
397
+ :writer4 => rule.from_is_inbound? ? writer.ipv4.input : writer.ipv4.output,
398
+ :writer6 => rule.from_is_inbound? ? writer.ipv6.input : writer.ipv6.output
399
+ }].each do |to_from_writer|
400
+ next unless to_from_writer[:doit]
401
+ {:v4 => { :enabled => fw.ipv4?, :table => "iptables", :writer => to_from_writer[:writer4]},
402
+ :v6 => { :enabled => fw.ipv6?, :table => "ip6tables", :writer => to_from_writer[:writer6] }}.each do |family, cfg|
403
+ to_from = to_from_writer[:from_to].call
404
+ next unless cfg[:enabled]
405
+ if protocol == "-p icmp" && family == :v6
406
+ my_protocol = "-p icmpv6"
407
+ else
408
+ my_protocol = protocol
409
+ end
410
+ to_from.push_begin_to(my_protocol)
411
+ to_from.push_begin_from(my_protocol)
412
+ if rule.get_ports && !rule.get_ports.empty?
413
+ to_from.push_middle_from("-m multiport --dports #{rule.get_ports.join(",")}")
414
+ to_from.push_middle_to("-m multiport --sports #{rule.get_ports.join(",")}")
415
+ end
416
+ if rule.icmp? && rule.get_type
417
+ to_from.push_middle_from(icmp_type(family, rule.get_type))
418
+ end
419
+ if rule.connection?
420
+ to_from.push_middle_from("-m state --state NEW,ESTABLISHED")
421
+ to_from.push_middle_to("-m state --state RELATED,ESTABLISHED")
422
+ end
423
+ write_table(cfg[:table], rule, to_from.factory(cfg[:writer]))
424
+ end
425
+ end
426
+ end
427
+ end
428
+ end
429
+
430
+ def self.create_from_iface(ifname, iface, writer)
431
+ iface.firewalls && iface.firewalls.each do |firewall|
432
+ firewall.get_raw && Firewall.write_raw(firewall, firewall.get_raw, ifname, iface, writer.raw)
433
+ firewall.get_nat && Firewall.write_nat(firewall, firewall.get_nat, ifname, iface, writer.nat)
434
+ firewall.get_forward && Firewall.write_forward(firewall, firewall.get_forward, ifname, iface, writer.filter)
435
+ firewall.get_host && Firewall.write_host(firewall, firewall.get_host, ifname, iface, writer.filter)
284
436
  end
285
437
  end
286
438
 
287
439
  def self.create(host, ifname, iface)
288
440
  throw 'interface must set' unless ifname
289
441
  writer = iface.host.result.etc_network_iptables
290
- iface.firewalls && iface.firewalls.each do |firewall|
291
- firewall.get_raw && Firewall.write_raw(firewall.get_raw, ifname, iface, writer.raw)
292
- firewall.get_nat && Firewall.write_nat(firewall.get_nat, ifname, iface, writer.nat)
293
- firewall.get_forward && Firewall.write_forward(firewall.get_forward, ifname, iface, writer.filter)
294
- firewall.get_host && Firewall.write_host(firewall.get_host, ifname, iface, writer.filter)
295
- end
442
+ create_from_iface(ifname, iface, writer)
443
+ create_from_iface(ifname, iface.delegate.vrrp.delegate, writer) if iface.delegate.vrrp
444
+ writer_local = host.result.etc_network_interfaces.get(iface)
445
+ writer_local.lines.up("iptables-restore < /etc/network/iptables.cfg")
446
+ writer_local.lines.up("ip6tables-restore < /etc/network/ip6tables.cfg")
296
447
  end
297
448
  end
298
449
  end
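Review bot: `icmp_type` (new lines 283–290) looks up `{ PingRequest => {...} }[type][family]`, so a rule whose `get_type` is anything other than `PingRequest` fails with a `NoMethodError` on `nil` from inside `write_forward`/`write_host` rather than with a message naming the offending type; guard the lookup in the file's existing style: `entry = { ...same hash... }[type]` / `throw "unknown icmp type #{type.inspect}" unless entry` / `entry[family]`. In `write_table`, the new `to_my_net?` branch (new line 164) tests `rule.from_route?` exactly as the from-side branch does; if the rule class has a `to_route?` predicate this reads as a copy-paste slip, otherwise a one-line comment that the from-side route flag deliberately governs both directions would stop the next reader from "fixing" it. The commented-out `try_tags_as_ipaddress` (new lines 133–147) still carries `binding.pry` and `rescue Exception`, and `create_link_local` carries two more commented-out blocks; dead code of that kind belongs in version history, not in a released file. The `fw.ipv4? && write_table(...)` pattern used throughout the section is a boolean expression standing in for control flow; `write_table(...) if fw.ipv4?` says the same thing more plainly.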
@@ -10,9 +10,11 @@ module Construqt
10
10
  def self.header(host)
11
11
  #binding.pry
12
12
  addrs = {}
13
+ ifaces = {}
13
14
  host.ipsecs.each do |ipsec|
14
15
  [ipsec.left, ipsec.right].each do |iface|
15
16
  next if iface.host != host
17
+ ifaces[iface.remote.interface.name] = iface.remote.interface
16
18
  if iface.remote.first_ipv4
17
19
  addrs[iface.remote.first_ipv4.to_s] = "isakmp #{iface.remote.first_ipv4.to_s} [500];"
18
20
  end
@@ -22,7 +24,18 @@ module Construqt
22
24
  end
23
25
  end
24
26
  return if addrs.empty?
25
- host.result.add(self, <<HEADER, Construqt::Resources::Rights::ROOT_0644, "etc", "racoon", "racoon.conf")
27
+ host.result.add(self, <<HEADER, Construqt::Resources::Rights::root_0644(Construqt::Resources::Component::IPSEC), "etc", "default", "racoon")
28
+ # do not edit generated file
29
+ #
30
+ # this a a evil hack to avoid a raise condition on starting the
31
+ # OS racoon in the same moment like our
32
+ if [ "$STARTED_BY_CONSTRUQT" = "" ]
33
+ then
34
+ exit 0
35
+ fi
36
+ HEADER
37
+
38
+ host.result.add(self, <<HEADER, Construqt::Resources::Rights::root_0644(Construqt::Resources::Component::IPSEC), "etc", "racoon", "racoon.conf")
26
39
  # do not edit generated file
27
40
  path pre_shared_key "/etc/racoon/psk.txt";
28
41
  path certificate "/etc/racoon/certs";
@@ -49,7 +62,7 @@ HEADER
49
62
 
50
63
  def build_racoon_config(remote_ip)
51
64
  #binding.pry
52
- self.host.result.add(self, <<RACOON, Construqt::Resources::Rights::ROOT_0644, "etc", "racoon", "racoon.conf")
65
+ self.host.result.add(self, <<RACOON, Construqt::Resources::Rights::root_0644(Construqt::Resources::Component::IPSEC), "etc", "racoon", "racoon.conf")
53
66
  # #{self.cfg.name}
54
67
  remote #{remote_ip} {
55
68
  exchange_mode main;
@@ -77,7 +90,7 @@ RACOON
77
90
  other_ip_str = other_ip.to_string
78
91
  end
79
92
 
80
- self.host.result.add(self, <<RACOON, Construqt::Resources::Rights::ROOT_0644, "etc", "racoon", "racoon.conf")
93
+ self.host.result.add(self, <<RACOON, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::IPSEC), "etc", "racoon", "racoon.conf")
81
94
  sainfo address #{my_ip_str} any address #{other_ip_str} any {
82
95
  pfs_group 5;
83
96
  encryption_algorithm aes256;
@@ -89,21 +102,22 @@ RACOON
89
102
  end
90
103
 
91
104
  def from_to_ipsec_conf(dir, remote_my, remote_other, my, other)
92
- host.result.add(self, "# #{self.cfg.name} #{dir}", Construqt::Resources::Rights::ROOT_0644, "etc", "ipsec-tools.d", "ipsec.conf")
105
+ host.result.add(self, "# #{self.cfg.name} #{dir}", Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::IPSEC), "etc", "ipsec-tools.d", "ipsec.conf")
93
106
  if my.network.to_s == other.network.to_s
94
107
  spdadd = "spdadd #{my.to_s} #{other.to_s} any -P #{dir} ipsec esp/tunnel/#{remote_my}-#{remote_other}/unique;"
95
108
  else
96
109
  spdadd = "spdadd #{my.to_string} #{other.to_string} any -P #{dir} ipsec esp/tunnel/#{remote_my}-#{remote_other}/unique;"
97
110
  end
98
111
 
99
- host.result.add(self, spdadd, Construqt::Resources::Rights::ROOT_0644, "etc", "ipsec-tools.d", "ipsec.conf")
112
+ host.result.add(self, spdadd, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::IPSEC), "etc", "ipsec-tools.d", "ipsec.conf")
100
113
  end
101
114
 
102
- def build_policy(remote_my, remote_other, my, other)
115
+ def build_policy(family, remote_my, remote_other, my, other)
103
116
  #binding.pry
104
117
  my.ips.each do |my_ip|
105
118
  other.ips.each do |other_ip|
106
- next unless (my_ip.ipv6? && my_ip.ipv6? == other_ip.ipv6?) || (my_ip.ipv4? && my_ip.ipv4? == other_ip.ipv4?)
119
+ next unless (family == Construqt::Addresses::IPV6 && (my_ip.ipv6? && my_ip.ipv6? == other_ip.ipv6?)) ||
120
+ (family == Construqt::Addresses::IPV4 && (my_ip.ipv4? && my_ip.ipv4? == other_ip.ipv4?))
107
121
  from_to_ipsec_conf("out", remote_my, remote_other, my_ip, other_ip)
108
122
  from_to_sainfo(my_ip, other_ip)
109
123
  end
@@ -111,7 +125,8 @@ RACOON
111
125
 
112
126
  other.ips.each do |other_ip|
113
127
  my.ips.each do |my_ip|
114
- next unless (my_ip.ipv6? && my_ip.ipv6? == other_ip.ipv6?) || (my_ip.ipv4? && my_ip.ipv4? == other_ip.ipv4?)
128
+ next unless (family == Construqt::Addresses::IPV6 && (my_ip.ipv6? && my_ip.ipv6? == other_ip.ipv6?)) ||
129
+ (family == Construqt::Addresses::IPV4 && (my_ip.ipv4? && my_ip.ipv4? == other_ip.ipv4?))
115
130
  from_to_ipsec_conf("in", remote_other, remote_my, other_ip, my_ip)
116
131
  from_to_sainfo(other_ip, my_ip)
117
132
  end
@@ -127,19 +142,20 @@ RACOON
127
142
 
128
143
  def build_config(unused, unused2)
129
144
  # build_gre_config()
130
- #binding.pry
131
- if self.other.remote.first_ipv6
145
+ if self.cfg.transport_family == Construqt::Addresses::IPV6
146
+ throw "we need a remote ipv6 address #{self.cfg.name}" unless self.other.remote.first_ipv6
147
+ throw "we need a local ipv6 address #{self.cfg.name}" unless self.remote.first_ipv6
132
148
  build_racoon_config(self.other.remote.first_ipv6.to_s)
133
149
  host.result.add(self, psk(self.other.remote.first_ipv6.to_s, cfg),
134
- Construqt::Resources::Rights::ROOT_0600, "etc", "racoon", "psk.txt")
135
- build_policy(self.remote.first_ipv6.to_s, self.other.remote.first_ipv6.to_s, self.my, self.other.my)
136
- elsif self.other.remote.first_ipv4
150
+ Construqt::Resources::Rights.root_0600(Construqt::Resources::Component::IPSEC), "etc", "racoon", "psk.txt")
151
+ build_policy(self.cfg.transport_family, self.remote.first_ipv6.to_s, self.other.remote.first_ipv6.to_s, self.my, self.other.my)
152
+ else
153
+ throw "we need a remote ipv4 address #{self.cfg.name}" unless self.other.remote.first_ipv4
154
+ throw "we need a local ipv4 address #{self.cfg.name}" unless self.remote.first_ipv4
137
155
  build_racoon_config(self.other.remote.first_ipv4.to_s)
138
156
  host.result.add(self, psk(self.other.remote.first_ipv4.to_s, cfg),
139
- Construqt::Resources::Rights::ROOT_0600, "etc", "racoon", "psk.txt")
140
- build_policy(self.remote.first_ipv4.to_s, self.other.remote.first_ipv4.to_s, self.my, self.other.my)
141
- else
142
- throw "ipsec need a remote address"
157
+ Construqt::Resources::Rights.root_0600(Construqt::Resources::Component::IPSEC), "etc", "racoon", "psk.txt")
158
+ build_policy(self.cfg.transport_family, self.remote.first_ipv4.to_s, self.other.remote.first_ipv4.to_s, self.my, self.other.my)
143
159
  end
144
160
  end
145
161
  end
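Review bot: The generated `/etc/default/racoon` (new lines 27–36 in `header`) makes the distribution's racoon start exit early whenever `STARTED_BY_CONSTRUQT` is unset, but its header comment ("this a a evil hack to avoid a raise condition …") names neither the race it works around nor who exports that variable, so an operator reading the file on the host cannot tell why the stock service never comes up; a comment such as `# generated by construqt: the distribution's racoon start is skipped unless STARTED_BY_CONSTRUQT is set,` / `# because construqt starts racoon itself and the two must not race at boot` would carry that (and "race", not "raise"). Shell-wise, `[ -z "$STARTED_BY_CONSTRUQT" ]` is the conventional spelling of the same test. `ifaces` is filled in `header` (new lines 13 and 17) but not read anywhere in the visible hunks; if the rest of the method does not use it, it is dead. The new code mixes `Construqt::Resources::Rights::root_0644(...)` (in `header` and the first `build_racoon_config` hunk) with `Construqt::Resources::Rights.root_0644(...)` elsewhere; both resolve to the same method call, but one spelling should be used throughout.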
@@ -16,11 +16,11 @@ module Construqt
16
16
  push_routes = iface.push_routes.routes.map{|route| "push \"route #{route.dst.to_string}\"" }.join("\n")
17
17
  end
18
18
 
19
- host.result.add(self, iface.cacert, Construqt::Resources::Rights::ROOT_0644, "etc", "openvpn", "ssl", "#{iface.name}-cacert.pem")
20
- host.result.add(self, iface.hostcert, Construqt::Resources::Rights::ROOT_0644, "etc", "openvpn", "ssl", "#{iface.name}-hostcert.pem")
21
- host.result.add(self, iface.hostkey, Construqt::Resources::Rights::ROOT_0600, "etc", "openvpn", "ssl", "#{iface.name}-hostkey.pem")
22
- host.result.add(self, iface.dh1024, Construqt::Resources::Rights::ROOT_0644, "etc", "openvpn", "ssl", "#{iface.name}-dh1024")
23
- host.result.add(self, <<OPVN, Construqt::Resources::Rights::ROOT_0644, "etc", "openvpn", "#{iface.name}.conf")
19
+ host.result.add(self, iface.cacert, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::OPENVPN), "etc", "openvpn", "ssl", "#{iface.name}-cacert.pem")
20
+ host.result.add(self, iface.hostcert, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::OPENVPN), "etc", "openvpn", "ssl", "#{iface.name}-hostcert.pem")
21
+ host.result.add(self, iface.hostkey, Construqt::Resources::Rights.root_0600(Construqt::Resources::Component::OPENVPN), "etc", "openvpn", "ssl", "#{iface.name}-hostkey.pem")
22
+ host.result.add(self, iface.dh1024, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::OPENVPN), "etc", "openvpn", "ssl", "#{iface.name}-dh1024")
23
+ host.result.add(self, <<OPVN, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::OPENVPN), "etc", "openvpn", "#{iface.name}.conf")
24
24
  daemon
25
25
  local #{local}
26
26
  proto udp#{local.ipv6? ? '6' : ''}