construqt 0.0.5 → 0.0.6
- checksums.yaml +4 -4
- data/lib/construqt/addresses.rb +121 -10
- data/lib/construqt/bgps.rb +10 -12
- data/lib/construqt/firewalls.rb +115 -16
- data/lib/construqt/flavour/ciscian/ciscian.rb +73 -93
- data/lib/construqt/flavour/ciscian/deploy_template.rb +36 -0
- data/lib/construqt/flavour/ciscian/dialect_dlink-dgs15xx.rb +62 -114
- data/lib/construqt/flavour/ciscian/dialect_hp-2510g.rb +74 -14
- data/lib/construqt/flavour/delegates.rb +9 -0
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik.rb +0 -3
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik_bgp.rb +12 -1
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik_interface.rb +32 -1
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik_result.rb +2 -0
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik_schema.rb +3 -3
- data/lib/construqt/flavour/plantuml/plantuml.rb +2 -2
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu.rb +24 -13
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_bgp.rb +16 -7
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_dns.rb +5 -5
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_firewall.rb +218 -67
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb +33 -17
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_opvn.rb +5 -5
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_result.rb +77 -14
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_services.rb +77 -29
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_vrrp.rb +18 -3
- data/lib/construqt/interfaces.rb +25 -6
- data/lib/construqt/ipsecs.rb +5 -3
- data/lib/construqt/rack.rb +51 -0
- data/lib/construqt/resource.rb +25 -3
- data/lib/construqt/reverse.rb +1 -0
- data/lib/construqt/services.rb +15 -29
- data/lib/construqt/tags.rb +21 -15
- data/lib/construqt/templates.rb +17 -0
- data/lib/construqt/users.rb +4 -0
- data/lib/construqt/util.rb +1 -1
- data/lib/construqt/version.rb +1 -1
- data/lib/construqt/vlans.rb +13 -2
- data/lib/construqt.rb +2 -1
- metadata +4 -2
@@ -22,9 +22,9 @@ module Construqt
|
|
22
22
|
chainable_attr_value :output_ifname_direction, "-i"
|
23
23
|
chainable_attr_value :input_ifname_direction, "-o"
|
24
24
|
|
25
|
-
def
|
26
|
-
output_only rule.output_only?
|
27
|
-
input_only rule.input_only?
|
25
|
+
def assign_in_out(rule)
|
26
|
+
output_only if rule.output_only?
|
27
|
+
input_only if rule.input_only?
|
28
28
|
self
|
29
29
|
end
|
30
30
|
|
@@ -125,19 +125,67 @@ module Construqt
|
|
125
125
|
end
|
126
126
|
end
|
127
127
|
|
128
|
+
|
129
|
+
def self.filter_routes(routes, family)
|
130
|
+
routes.map{|i| i.dst }.select{|i| family == Construqt::Addresses::IPV6 ? i.ipv6? : i.ipv4? }
|
131
|
+
end
|
132
|
+
|
133
|
+
# def self.try_tags_as_ipaddress(list, family, *possible_addrs)
|
134
|
+
# return list unless list.empty?
|
135
|
+
# ret = possible_addrs.map do |addr|
|
136
|
+
# next nil unless addr
|
137
|
+
# begin
|
138
|
+
# addr = IPAddress.parse(addr)
|
139
|
+
# next addr if (addr.ipv4? && family == Construqt::Addresses::IPV4) || (addr.ipv6? && family == Construqt::Addresses::IPV6)
|
140
|
+
# nil
|
141
|
+
# rescue Exception => e
|
142
|
+
# nil
|
143
|
+
# end
|
144
|
+
# end.compact
|
145
|
+
# binding.pry unless ret.empty?
|
146
|
+
# ret
|
147
|
+
# end
|
148
|
+
|
128
149
|
def self.write_table(iptables, rule, to_from)
|
129
150
|
family = iptables=="ip6tables" ? Construqt::Addresses::IPV6 : Construqt::Addresses::IPV4
|
130
|
-
if rule.
|
131
|
-
|
132
|
-
|
133
|
-
|
134
|
-
|
135
|
-
|
151
|
+
if rule.from_my_net?
|
152
|
+
networks = iptables=="ip6tables" ? to_from.get_interface.address.v6s : to_from.get_interface.address.v4s
|
153
|
+
if rule.from_route?
|
154
|
+
networks += self.filter_routes(to_from.get_interface.address.routes, family)
|
155
|
+
end
|
156
|
+
from_list = IPAddress.summarize(networks)
|
136
157
|
else
|
137
158
|
from_list = Construqt::Tags.ips_net(rule.get_from_net, family)
|
159
|
+
# from_list = try_tags_as_ipaddress(from_list, family, rule.get_from_net)
|
138
160
|
end
|
139
161
|
|
140
|
-
|
162
|
+
if rule.to_my_net?
|
163
|
+
networks = iptables=="ip6tables" ? to_from.get_interface.address.v6s : to_from.get_interface.address.v4s
|
164
|
+
if rule.from_route?
|
165
|
+
networks += self.filter_routes(to_from.get_interface.address.routes, family)
|
166
|
+
end
|
167
|
+
to_list = IPAddress.summarize(networks)
|
168
|
+
else
|
169
|
+
if rule.get_to_host
|
170
|
+
to_list = Construqt::Tags.ips_hosts(rule.get_to_host, family)
|
171
|
+
else
|
172
|
+
to_list = Construqt::Tags.ips_net(rule.get_to_net, family)
|
173
|
+
end
|
174
|
+
# to_list = try_tags_as_ipaddress(to_list, family, rule.get_to_net, rule.get_to_host)
|
175
|
+
end
|
176
|
+
unless rule.get_to_net_addr.empty?
|
177
|
+
#binding.pry
|
178
|
+
addrs = rule.get_to_net_addr.map { |i| IPAddress.parse(i) }.select { |i|
|
179
|
+
(i.ipv6? && family == Construqt::Addresses::IPV6) || (i.ipv4? && family == Construqt::Addresses::IPV4)
|
180
|
+
}
|
181
|
+
to_list = IPAddress.summarize(to_list + addrs)
|
182
|
+
end
|
183
|
+
unless rule.get_from_net_addr.empty?
|
184
|
+
addrs = rule.get_from_net_addr.map { |i| IPAddress.parse(i) }.select { |i|
|
185
|
+
(i.ipv6? && family == Construqt::Addresses::IPV6) || (i.ipv4? && family == Construqt::Addresses::IPV4)
|
186
|
+
}
|
187
|
+
from_list = IPAddress.summarize(from_list + addrs)
|
188
|
+
end
|
141
189
|
#puts ">>>>>#{from_list.inspect}"
|
142
190
|
#puts ">>>>>#{state.inspect} end_to:#{state.end_to}:#{state.end_from}:#{state.middle_to}#{state.middle_from}"
|
143
191
|
action_i = action_o = rule.get_action
|
@@ -153,6 +201,7 @@ module Construqt
|
|
153
201
|
end
|
154
202
|
|
155
203
|
if to_list.length > 1
|
204
|
+
# work on these do a better hashing
|
156
205
|
action_o = "I.#{to_from.get_ifname}.#{rule.object_id.to_s(32)}"
|
157
206
|
action_i = "O.#{to_from.get_ifname}.#{rule.object_id.to_s(32)}"
|
158
207
|
to_list.each do |ip|
|
@@ -183,116 +232,218 @@ module Construqt
|
|
183
232
|
end
|
184
233
|
end
|
185
234
|
|
186
|
-
def self.write_raw(raw, ifname, iface, writer)
|
235
|
+
def self.write_raw(fw, raw, ifname, iface, writer)
|
187
236
|
# puts ">>>RAW #{iface.name} #{raw.firewall.name}"
|
188
237
|
raw.rules.each do |rule|
|
189
238
|
throw "ACTION must set #{ifname}" unless rule.get_action
|
190
239
|
if rule.prerouting?
|
191
|
-
to_from = ToFrom.new.bind_interface(ifname, iface, rule).
|
240
|
+
to_from = ToFrom.new.bind_interface(ifname, iface, rule).assign_in_out(rule)
|
192
241
|
#puts "PREROUTING #{to_from.inspect}"
|
193
|
-
write_table("iptables", rule, to_from.factory(writer.ipv4.prerouting))
|
194
|
-
write_table("ip6tables", rule, to_from.factory(writer.ipv6.prerouting))
|
242
|
+
fw.ipv4? && write_table("iptables", rule, to_from.factory(writer.ipv4.prerouting))
|
243
|
+
fw.ipv6? && write_table("ip6tables", rule, to_from.factory(writer.ipv6.prerouting))
|
195
244
|
end
|
196
245
|
|
197
246
|
if rule.output?
|
198
|
-
to_from = ToFrom.new.bind_interface(ifname, iface, rule).
|
199
|
-
write_table("iptables", rule, to_from.factory(writer.ipv4.output))
|
200
|
-
write_table("ip6tables", rule, to_from.factory(writer.ipv6.output))
|
247
|
+
to_from = ToFrom.new.bind_interface(ifname, iface, rule).assign_in_out(rule)
|
248
|
+
fw.ipv4? && write_table("iptables", rule, to_from.factory(writer.ipv4.output))
|
249
|
+
fw.ipv6? && write_table("ip6tables", rule, to_from.factory(writer.ipv6.output))
|
201
250
|
end
|
202
251
|
end
|
203
252
|
end
|
204
253
|
|
205
|
-
def self.write_nat(nat, ifname, iface, writer)
|
254
|
+
def self.write_nat(fw, nat, ifname, iface, writer)
|
206
255
|
nat.rules.each do |rule|
|
207
256
|
throw "ACTION must set #{ifname}" unless rule.get_action
|
208
257
|
throw "TO_SOURCE must set #{ifname}" unless rule.to_source?
|
209
258
|
if rule.to_source? && rule.postrouting?
|
210
259
|
src = iface.address.ips.select{|ip| ip.ipv4?}.first
|
211
260
|
throw "missing ipv4 address and postrouting and to_source is used #{ifname}" unless src
|
212
|
-
to_from = ToFrom.new.
|
261
|
+
to_from = ToFrom.new.bind_interface(ifname, iface, rule).assign_in_out(rule).end_to("--to-source #{src}")
|
213
262
|
.ifname(ifname).factory(writer.ipv4.postrouting)
|
214
|
-
write_table("iptables", rule, to_from)
|
263
|
+
fw.ipv4? && write_table("iptables", rule, to_from)
|
215
264
|
end
|
216
265
|
end
|
217
266
|
end
|
218
267
|
|
219
268
|
def self.protocol_loop(rule)
|
220
269
|
protocol_loop = []
|
221
|
-
|
222
|
-
|
223
|
-
|
224
|
-
|
225
|
-
|
270
|
+
{
|
271
|
+
'tcp' => rule.tcp?,
|
272
|
+
'udp' => rule.udp?,
|
273
|
+
'esp' => rule.esp?,
|
274
|
+
'ah' => rule.ah?,
|
275
|
+
'icmp' => rule.icmp?
|
276
|
+
}.each do |proto, enabled|
|
277
|
+
protocol_loop << "-p #{proto}" if enabled
|
226
278
|
end
|
227
|
-
|
279
|
+
protocol_loop = [''] if protocol_loop.empty?
|
228
280
|
protocol_loop
|
229
281
|
end
|
230
282
|
|
231
|
-
def self.
|
283
|
+
def self.icmp_type(family, type)
|
284
|
+
{
|
285
|
+
Construqt::Firewalls::ICMP::PingRequest => {
|
286
|
+
:v4 => "-m icmp --icmp-type 8/0",
|
287
|
+
:v6 => "--icmpv6-type 128"
|
288
|
+
}
|
289
|
+
}[type][family]
|
290
|
+
end
|
291
|
+
|
292
|
+
def self.write_forward(fw, forward, ifname, iface, writer)
|
232
293
|
forward.rules.each do |rule|
|
233
294
|
throw "ACTION must set #{ifname}" unless rule.get_action
|
234
295
|
#puts "write_forward #{rule.inspect} #{rule.input_only?} #{rule.output_only?}"
|
235
296
|
if rule.get_log
|
236
|
-
to_from = ToFrom.new.bind_interface(ifname, iface, rule).
|
297
|
+
to_from = ToFrom.new.bind_interface(ifname, iface, rule).assign_in_out(rule)
|
237
298
|
.end_to("--nflog-prefix o:#{rule.get_log}:#{ifname}")
|
238
299
|
.end_from("--nflog-prefix i:#{rule.get_log}:#{ifname}")
|
239
|
-
write_table("iptables", rule.clone.action("NFLOG"), to_from.factory(writer.ipv4.forward))
|
240
|
-
write_table("ip6tables", rule.clone.action("NFLOG"), to_from.factory(writer.ipv6.forward))
|
300
|
+
fw.ipv4? && write_table("iptables", rule.clone.action("NFLOG"), to_from.factory(writer.ipv4.forward))
|
301
|
+
fw.ipv6? && write_table("ip6tables", rule.clone.action("NFLOG"), to_from.factory(writer.ipv6.forward))
|
241
302
|
end
|
242
303
|
|
243
304
|
protocol_loop(rule).each do |protocol|
|
244
|
-
|
245
|
-
|
246
|
-
|
247
|
-
|
248
|
-
|
249
|
-
|
250
|
-
|
251
|
-
|
252
|
-
|
253
|
-
|
254
|
-
to_from.
|
255
|
-
|
305
|
+
{:v4 => { :enabled => fw.ipv4?, :table => "iptables", :writer => writer.ipv4.forward },
|
306
|
+
:v6 => { :enabled => fw.ipv6?, :table => "ip6tables", :writer => writer.ipv6.forward }}.each do |family, cfg|
|
307
|
+
next unless cfg[:enabled]
|
308
|
+
to_from = ToFrom.new.bind_interface(ifname, iface, rule).assign_in_out(rule)
|
309
|
+
if protocol == "-p icmp" && family == :v6
|
310
|
+
my_protocol = "-p icmpv6"
|
311
|
+
else
|
312
|
+
my_protocol = protocol
|
313
|
+
end
|
314
|
+
to_from.push_begin_to(my_protocol)
|
315
|
+
to_from.push_begin_from(my_protocol)
|
316
|
+
|
317
|
+
if rule.get_ports && !rule.get_ports.empty?
|
318
|
+
to_from.push_middle_from("-m multiport --dports #{rule.get_ports.join(",")}")
|
319
|
+
to_from.push_middle_to("-m multiport --sports #{rule.get_ports.join(",")}")
|
320
|
+
end
|
321
|
+
if rule.icmp? && rule.get_type
|
322
|
+
to_from.push_middle_from(icmp_type(family, rule.get_type))
|
323
|
+
end
|
324
|
+
|
325
|
+
if rule.connection?
|
326
|
+
to_from.push_middle_from("-m state --state NEW,ESTABLISHED")
|
327
|
+
to_from.push_middle_to("-m state --state RELATED,ESTABLISHED")
|
328
|
+
end
|
329
|
+
write_table(cfg[:table], rule, to_from.factory(cfg[:writer]))
|
256
330
|
end
|
257
|
-
|
258
|
-
write_table("iptables", rule, to_from.factory(writer.ipv4.forward))
|
259
|
-
write_table("ip6tables", rule, to_from.factory(writer.ipv6.forward))
|
260
331
|
end
|
261
332
|
end
|
262
333
|
end
|
263
334
|
|
264
|
-
def self.
|
335
|
+
def self.create_link_local(fw, ifname, iface, rule, writer)
|
336
|
+
return unless fw.ipv6?
|
337
|
+
# fe80::/64
|
338
|
+
# ff02::/16 dest
|
339
|
+
i_to_from = ToFrom.new.bind_interface(ifname, iface, rule).input_only
|
340
|
+
i_rule = rule.clone.from_my_net.to_my_net
|
341
|
+
i_to_from.push_begin_to("-p icmpv6")
|
342
|
+
i_rule.to_net_addr("fe80::/64")
|
343
|
+
i_rule.from_net_addr("ff02::/16", "fe80::/64")
|
344
|
+
write_table("ip6tables", i_rule, i_to_from.factory(writer.ipv6.input))
|
345
|
+
|
346
|
+
#i_to_from = ToFrom.new.bind_interface(ifname, iface, rule).input_only
|
347
|
+
#i_rule = rule.clone.from_my_net.to_my_net
|
348
|
+
#i_to_from.push_begin_to("-p icmpv6")
|
349
|
+
#i_rule.to_net_addr("fe80::/64")
|
350
|
+
#i_rule.from_net_addr("fe80::/64")
|
351
|
+
#i_to_from.push_middle_to("--icmpv6-type 136")
|
352
|
+
#write_table("ip6tables", i_rule, i_to_from.factory(writer.ipv6.input))
|
353
|
+
|
354
|
+
o_to_from = ToFrom.new.bind_interface(ifname, iface, rule).output_only
|
355
|
+
o_to_from.push_begin_from("-p icmpv6")
|
356
|
+
o_rule = rule.clone.from_my_net.to_my_net
|
357
|
+
#o_rule.from_net_addr("fe80::/64")
|
358
|
+
o_rule.from_net_addr("fe80::/64")
|
359
|
+
o_rule.to_net_addr("ff02::/16", "fe80::/64")
|
360
|
+
#o_to_from.push_middle_from("--icmpv6-type 135")
|
361
|
+
write_table("ip6tables", o_rule, o_to_from.factory(writer.ipv6.output))
|
362
|
+
|
363
|
+
#binding.pry
|
364
|
+
#o_to_from = ToFrom.new.bind_interface(ifname, iface, rule).output_only
|
365
|
+
#o_to_from.push_begin_from("-p icmpv6")
|
366
|
+
#o_rule = rule.clone.from_my_net.to_my_net
|
367
|
+
#o_rule.from_net_addr("fe80::/64")
|
368
|
+
#o_rule.to_net_addr("fe80::/64")
|
369
|
+
#o_to_from.push_middle_from("--icmpv6-type 136")
|
370
|
+
#write_table("ip6tables", o_rule, o_to_from.factory(writer.ipv6.output))
|
371
|
+
end
|
372
|
+
|
373
|
+
def self.write_host(fw, host, ifname, iface, writer)
|
265
374
|
host.rules.each do |rule|
|
266
|
-
in_to_from = ToFrom.new.bind_interface(ifname, iface, rule).input_only
|
267
|
-
out_to_from = ToFrom.new.bind_interface(ifname, iface, rule).output_only
|
268
375
|
if rule.get_log
|
269
|
-
|
270
|
-
l_in_to_from = ToFrom.new.bind_interface(ifname, iface,
|
271
|
-
.
|
272
|
-
l_out_to_from = ToFrom.new.bind_interface(ifname, iface,
|
273
|
-
.
|
274
|
-
write_table("iptables",
|
275
|
-
write_table("iptables",
|
276
|
-
write_table("ip6tables",
|
277
|
-
write_table("ip6tables",
|
376
|
+
nflog_rule = rule.clone.action("NFLOG")
|
377
|
+
l_in_to_from = ToFrom.new.bind_interface(ifname, iface, nflog_rule).input_only
|
378
|
+
.end_from("--nflog-prefix o:#{rule.get_log}:#{ifname}")
|
379
|
+
l_out_to_from = ToFrom.new.bind_interface(ifname, iface, nflog_rule).output_only
|
380
|
+
.end_to("--nflog-prefix i:#{rule.get_log}:#{ifname}")
|
381
|
+
fw.ipv4? && write_table("iptables", nflog_rule, l_in_to_from.factory(writer.ipv4.input))
|
382
|
+
fw.ipv4? && write_table("iptables", nflog_rule, l_out_to_from.factory(writer.ipv4.output))
|
383
|
+
fw.ipv6? && write_table("ip6tables", nflog_rule, l_in_to_from.factory(writer.ipv6.input))
|
384
|
+
fw.ipv6? && write_table("ip6tables", nflog_rule, l_out_to_from.factory(writer.ipv6.output))
|
278
385
|
end
|
386
|
+
next create_link_local(fw, ifname, iface, rule, writer) if rule.link_local?
|
279
387
|
|
280
|
-
|
281
|
-
|
282
|
-
|
283
|
-
|
388
|
+
protocol_loop(rule).each do |protocol|
|
389
|
+
[{
|
390
|
+
:doit => rule.input_only?,
|
391
|
+
:from_to => lambda { ToFrom.new.bind_interface(ifname, iface, rule).input_only },
|
392
|
+
:writer4 => !rule.from_is_inbound? ? writer.ipv4.input : writer.ipv4.output,
|
393
|
+
:writer6 => !rule.from_is_inbound? ? writer.ipv6.input : writer.ipv6.output
|
394
|
+
},{
|
395
|
+
:doit => rule.output_only?,
|
396
|
+
:from_to => lambda { ToFrom.new.bind_interface(ifname, iface, rule).output_only },
|
397
|
+
:writer4 => rule.from_is_inbound? ? writer.ipv4.input : writer.ipv4.output,
|
398
|
+
:writer6 => rule.from_is_inbound? ? writer.ipv6.input : writer.ipv6.output
|
399
|
+
}].each do |to_from_writer|
|
400
|
+
next unless to_from_writer[:doit]
|
401
|
+
{:v4 => { :enabled => fw.ipv4?, :table => "iptables", :writer => to_from_writer[:writer4]},
|
402
|
+
:v6 => { :enabled => fw.ipv6?, :table => "ip6tables", :writer => to_from_writer[:writer6] }}.each do |family, cfg|
|
403
|
+
to_from = to_from_writer[:from_to].call
|
404
|
+
next unless cfg[:enabled]
|
405
|
+
if protocol == "-p icmp" && family == :v6
|
406
|
+
my_protocol = "-p icmpv6"
|
407
|
+
else
|
408
|
+
my_protocol = protocol
|
409
|
+
end
|
410
|
+
to_from.push_begin_to(my_protocol)
|
411
|
+
to_from.push_begin_from(my_protocol)
|
412
|
+
if rule.get_ports && !rule.get_ports.empty?
|
413
|
+
to_from.push_middle_from("-m multiport --dports #{rule.get_ports.join(",")}")
|
414
|
+
to_from.push_middle_to("-m multiport --sports #{rule.get_ports.join(",")}")
|
415
|
+
end
|
416
|
+
if rule.icmp? && rule.get_type
|
417
|
+
to_from.push_middle_from(icmp_type(family, rule.get_type))
|
418
|
+
end
|
419
|
+
if rule.connection?
|
420
|
+
to_from.push_middle_from("-m state --state NEW,ESTABLISHED")
|
421
|
+
to_from.push_middle_to("-m state --state RELATED,ESTABLISHED")
|
422
|
+
end
|
423
|
+
write_table(cfg[:table], rule, to_from.factory(cfg[:writer]))
|
424
|
+
end
|
425
|
+
end
|
426
|
+
end
|
427
|
+
end
|
428
|
+
end
|
429
|
+
|
430
|
+
def self.create_from_iface(ifname, iface, writer)
|
431
|
+
iface.firewalls && iface.firewalls.each do |firewall|
|
432
|
+
firewall.get_raw && Firewall.write_raw(firewall, firewall.get_raw, ifname, iface, writer.raw)
|
433
|
+
firewall.get_nat && Firewall.write_nat(firewall, firewall.get_nat, ifname, iface, writer.nat)
|
434
|
+
firewall.get_forward && Firewall.write_forward(firewall, firewall.get_forward, ifname, iface, writer.filter)
|
435
|
+
firewall.get_host && Firewall.write_host(firewall, firewall.get_host, ifname, iface, writer.filter)
|
284
436
|
end
|
285
437
|
end
|
286
438
|
|
287
439
|
def self.create(host, ifname, iface)
|
288
440
|
throw 'interface must set' unless ifname
|
289
441
|
writer = iface.host.result.etc_network_iptables
|
290
|
-
|
291
|
-
|
292
|
-
|
293
|
-
|
294
|
-
|
295
|
-
end
|
442
|
+
create_from_iface(ifname, iface, writer)
|
443
|
+
create_from_iface(ifname, iface.delegate.vrrp.delegate, writer) if iface.delegate.vrrp
|
444
|
+
writer_local = host.result.etc_network_interfaces.get(iface)
|
445
|
+
writer_local.lines.up("iptables-restore < /etc/network/iptables.cfg")
|
446
|
+
writer_local.lines.up("ip6tables-restore < /etc/network/ip6tables.cfg")
|
296
447
|
end
|
297
448
|
end
|
298
449
|
end
|
@@ -10,9 +10,11 @@ module Construqt
|
|
10
10
|
def self.header(host)
|
11
11
|
#binding.pry
|
12
12
|
addrs = {}
|
13
|
+
ifaces = {}
|
13
14
|
host.ipsecs.each do |ipsec|
|
14
15
|
[ipsec.left, ipsec.right].each do |iface|
|
15
16
|
next if iface.host != host
|
17
|
+
ifaces[iface.remote.interface.name] = iface.remote.interface
|
16
18
|
if iface.remote.first_ipv4
|
17
19
|
addrs[iface.remote.first_ipv4.to_s] = "isakmp #{iface.remote.first_ipv4.to_s} [500];"
|
18
20
|
end
|
@@ -22,7 +24,18 @@ module Construqt
|
|
22
24
|
end
|
23
25
|
end
|
24
26
|
return if addrs.empty?
|
25
|
-
host.result.add(self, <<HEADER, Construqt::Resources::Rights::
|
27
|
+
host.result.add(self, <<HEADER, Construqt::Resources::Rights::root_0644(Construqt::Resources::Component::IPSEC), "etc", "default", "racoon")
|
28
|
+
# do not edit generated file
|
29
|
+
#
|
30
|
+
# this a a evil hack to avoid a raise condition on starting the
|
31
|
+
# OS racoon in the same moment like our
|
32
|
+
if [ "$STARTED_BY_CONSTRUQT" = "" ]
|
33
|
+
then
|
34
|
+
exit 0
|
35
|
+
fi
|
36
|
+
HEADER
|
37
|
+
|
38
|
+
host.result.add(self, <<HEADER, Construqt::Resources::Rights::root_0644(Construqt::Resources::Component::IPSEC), "etc", "racoon", "racoon.conf")
|
26
39
|
# do not edit generated file
|
27
40
|
path pre_shared_key "/etc/racoon/psk.txt";
|
28
41
|
path certificate "/etc/racoon/certs";
|
@@ -49,7 +62,7 @@ HEADER
|
|
49
62
|
|
50
63
|
def build_racoon_config(remote_ip)
|
51
64
|
#binding.pry
|
52
|
-
self.host.result.add(self, <<RACOON, Construqt::Resources::Rights::
|
65
|
+
self.host.result.add(self, <<RACOON, Construqt::Resources::Rights::root_0644(Construqt::Resources::Component::IPSEC), "etc", "racoon", "racoon.conf")
|
53
66
|
# #{self.cfg.name}
|
54
67
|
remote #{remote_ip} {
|
55
68
|
exchange_mode main;
|
@@ -77,7 +90,7 @@ RACOON
|
|
77
90
|
other_ip_str = other_ip.to_string
|
78
91
|
end
|
79
92
|
|
80
|
-
self.host.result.add(self, <<RACOON, Construqt::Resources::Rights::
|
93
|
+
self.host.result.add(self, <<RACOON, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::IPSEC), "etc", "racoon", "racoon.conf")
|
81
94
|
sainfo address #{my_ip_str} any address #{other_ip_str} any {
|
82
95
|
pfs_group 5;
|
83
96
|
encryption_algorithm aes256;
|
@@ -89,21 +102,22 @@ RACOON
|
|
89
102
|
end
|
90
103
|
|
91
104
|
def from_to_ipsec_conf(dir, remote_my, remote_other, my, other)
|
92
|
-
host.result.add(self, "# #{self.cfg.name} #{dir}", Construqt::Resources::Rights::
|
105
|
+
host.result.add(self, "# #{self.cfg.name} #{dir}", Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::IPSEC), "etc", "ipsec-tools.d", "ipsec.conf")
|
93
106
|
if my.network.to_s == other.network.to_s
|
94
107
|
spdadd = "spdadd #{my.to_s} #{other.to_s} any -P #{dir} ipsec esp/tunnel/#{remote_my}-#{remote_other}/unique;"
|
95
108
|
else
|
96
109
|
spdadd = "spdadd #{my.to_string} #{other.to_string} any -P #{dir} ipsec esp/tunnel/#{remote_my}-#{remote_other}/unique;"
|
97
110
|
end
|
98
111
|
|
99
|
-
host.result.add(self, spdadd, Construqt::Resources::Rights::
|
112
|
+
host.result.add(self, spdadd, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::IPSEC), "etc", "ipsec-tools.d", "ipsec.conf")
|
100
113
|
end
|
101
114
|
|
102
|
-
def build_policy(remote_my, remote_other, my, other)
|
115
|
+
def build_policy(family, remote_my, remote_other, my, other)
|
103
116
|
#binding.pry
|
104
117
|
my.ips.each do |my_ip|
|
105
118
|
other.ips.each do |other_ip|
|
106
|
-
next unless (
|
119
|
+
next unless (family == Construqt::Addresses::IPV6 && (my_ip.ipv6? && my_ip.ipv6? == other_ip.ipv6?)) ||
|
120
|
+
(family == Construqt::Addresses::IPV4 && (my_ip.ipv4? && my_ip.ipv4? == other_ip.ipv4?))
|
107
121
|
from_to_ipsec_conf("out", remote_my, remote_other, my_ip, other_ip)
|
108
122
|
from_to_sainfo(my_ip, other_ip)
|
109
123
|
end
|
@@ -111,7 +125,8 @@ RACOON
|
|
111
125
|
|
112
126
|
other.ips.each do |other_ip|
|
113
127
|
my.ips.each do |my_ip|
|
114
|
-
next unless (
|
128
|
+
next unless (family == Construqt::Addresses::IPV6 && (my_ip.ipv6? && my_ip.ipv6? == other_ip.ipv6?)) ||
|
129
|
+
(family == Construqt::Addresses::IPV4 && (my_ip.ipv4? && my_ip.ipv4? == other_ip.ipv4?))
|
115
130
|
from_to_ipsec_conf("in", remote_other, remote_my, other_ip, my_ip)
|
116
131
|
from_to_sainfo(other_ip, my_ip)
|
117
132
|
end
|
@@ -127,19 +142,20 @@ RACOON
|
|
127
142
|
|
128
143
|
def build_config(unused, unused2)
|
129
144
|
# build_gre_config()
|
130
|
-
|
131
|
-
|
145
|
+
if self.cfg.transport_family == Construqt::Addresses::IPV6
|
146
|
+
throw "we need a remote ipv6 address #{self.cfg.name}" unless self.other.remote.first_ipv6
|
147
|
+
throw "we need a local ipv6 address #{self.cfg.name}" unless self.remote.first_ipv6
|
132
148
|
build_racoon_config(self.other.remote.first_ipv6.to_s)
|
133
149
|
host.result.add(self, psk(self.other.remote.first_ipv6.to_s, cfg),
|
134
|
-
Construqt::Resources::Rights::
|
135
|
-
build_policy(self.remote.first_ipv6.to_s, self.other.remote.first_ipv6.to_s, self.my, self.other.my)
|
136
|
-
|
150
|
+
Construqt::Resources::Rights.root_0600(Construqt::Resources::Component::IPSEC), "etc", "racoon", "psk.txt")
|
151
|
+
build_policy(self.cfg.transport_family, self.remote.first_ipv6.to_s, self.other.remote.first_ipv6.to_s, self.my, self.other.my)
|
152
|
+
else
|
153
|
+
throw "we need a remote ipv4 address #{self.cfg.name}" unless self.other.remote.first_ipv4
|
154
|
+
throw "we need a local ipv4 address #{self.cfg.name}" unless self.remote.first_ipv4
|
137
155
|
build_racoon_config(self.other.remote.first_ipv4.to_s)
|
138
156
|
host.result.add(self, psk(self.other.remote.first_ipv4.to_s, cfg),
|
139
|
-
Construqt::Resources::Rights::
|
140
|
-
build_policy(self.remote.first_ipv4.to_s, self.other.remote.first_ipv4.to_s, self.my, self.other.my)
|
141
|
-
else
|
142
|
-
throw "ipsec need a remote address"
|
157
|
+
Construqt::Resources::Rights.root_0600(Construqt::Resources::Component::IPSEC), "etc", "racoon", "psk.txt")
|
158
|
+
build_policy(self.cfg.transport_family, self.remote.first_ipv4.to_s, self.other.remote.first_ipv4.to_s, self.my, self.other.my)
|
143
159
|
end
|
144
160
|
end
|
145
161
|
end
|
@@ -16,11 +16,11 @@ module Construqt
|
|
16
16
|
push_routes = iface.push_routes.routes.map{|route| "push \"route #{route.dst.to_string}\"" }.join("\n")
|
17
17
|
end
|
18
18
|
|
19
|
-
host.result.add(self, iface.cacert, Construqt::Resources::Rights::
|
20
|
-
host.result.add(self, iface.hostcert, Construqt::Resources::Rights::
|
21
|
-
host.result.add(self, iface.hostkey, Construqt::Resources::Rights::
|
22
|
-
host.result.add(self, iface.dh1024, Construqt::Resources::Rights::
|
23
|
-
host.result.add(self, <<OPVN, Construqt::Resources::Rights::
|
19
|
+
host.result.add(self, iface.cacert, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::OPENVPN), "etc", "openvpn", "ssl", "#{iface.name}-cacert.pem")
|
20
|
+
host.result.add(self, iface.hostcert, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::OPENVPN), "etc", "openvpn", "ssl", "#{iface.name}-hostcert.pem")
|
21
|
+
host.result.add(self, iface.hostkey, Construqt::Resources::Rights.root_0600(Construqt::Resources::Component::OPENVPN), "etc", "openvpn", "ssl", "#{iface.name}-hostkey.pem")
|
22
|
+
host.result.add(self, iface.dh1024, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::OPENVPN), "etc", "openvpn", "ssl", "#{iface.name}-dh1024")
|
23
|
+
host.result.add(self, <<OPVN, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::OPENVPN), "etc", "openvpn", "#{iface.name}.conf")
|
24
24
|
daemon
|
25
25
|
local #{local}
|
26
26
|
proto udp#{local.ipv6? ? '6' : ''}
|