-rwxr-xr-xGenerate41
1 files changed, 39 insertions, 2 deletions
diff --git a/Generate b/Generate
index dccbdfd..a942738 100755
--- a/Generate
+++ b/Generate
@@ -291,6 +291,7 @@ $config['hosts'].each_pair{ |name, host|
if host['ipv6']
host['networks6'][host['vpn_address6']+"/128"] = host['groups'].join(',')
end
+ host['inet_port'] = {}
}
throw "Duplicate iface names" unless hostlist.collect{ |host| host['ifacename'] }.uniq.size == $config['hosts'].size
@@ -316,14 +317,48 @@ hostlist.each{ |host|
}
# Setup ports for openvpn
+# =======================
+# First import ports from manual configuration
+hostlist.each{ |host|
+ next unless host['inet_port_override']
+ host['inet_port_override'].each_key{ |peername|
+ hostname = host['name']
+ peer = $config['hosts'][ peername ]
+ throw "Peer #{peername} for host #{hostname} not found" unless peer
+
+ [peername, hostname].each{ |item|
+ throw "host->#{hostname}->inet_port_override->#{peername} does not have a key #{item}" unless host['inet_port_override'][peername][item]
+ }
+
+ host['inet_port'][peername] = {}
+ host['inet_port'][peername]['local'] = host['inet_port_override'][peername][hostname]
+ host['inet_port'][peername]['remote'] = host['inet_port_override'][peername][peername]
+
+ unless peer['inet_port'][hostname]
+ peer['inet_port'][hostname] = {}
+ [peername, hostname].each{ |item|
+ if peer['inet_port_override'] and
+ peer['inet_port_override'][hostname] and
+ peer['inet_port_override'][hostname][item] and
+ peer['inet_port_override'][hostname][item] != host['inet_port_override'][peername][item]
+ throw("host->#{hostname}->inet_port_override->#{peername}->#{item} and "+
+ "host->#{peername}->inet_port_override->#{hostname}->#{item} both exist but are different")
+ end
+ }
+ peer['inet_port'][hostname]['remote'] = host['inet_port'][peername]['local']
+ peer['inet_port'][hostname]['local'] = host['inet_port'][peername]['remote']
+ end
+ }
+}
+# Then set the default values if nothing is set yet
hostlist.each{ |host|
- host['inet_port'] = {}
host['peers'].each{ |peer|
host['inet_port'][ peer['name'] ] = {
"remote" => $config['baseport']+host['host_no'],
"local" => $config['baseport']+peer['host_no']
- }
+ } unless host['inet_port'][ peer['name'] ]
}
+ throw "Duplicate local ports on host #{host['name']}" unless host['inet_port'].values.collect{ |peer| peer['local'] }.uniq.size == host['inet_port'].size
}
#####################################################################
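Review bot: The override values copied into `host['inet_port']` at lines 36–37 are only tested for presence (line 32), never for type or range, so a non-integer or out-of-range entry in `inet_port_override` flows unchecked into the duplicate-port check at line 65 and into the `--destination-port` interpolation of the generated iptables rules in the later hunk. Because the defaults at lines 60–61 are computed as integers, a string override such as `"1194"` would also compare unequal to an integer `1194` in `uniq`, silently defeating the duplicate check (whether the config loader can yield strings here is not visible in this hunk). I would tighten the `[peername, hostname].each` loop to `port = host['inet_port_override'][peername][item]` followed by `throw "host->#{hostname}->inet_port_override->#{peername}->#{item} must be an Integer in 1..65535" unless port.is_a?(Integer) && (1..65535).cover?(port)`. Separately, the `} unless host['inet_port'][ peer['name'] ]` modifier trailing the multi-line hash at line 63 is easy to overlook; `host['inet_port'][ peer['name'] ] ||= {` on line 59 expresses the same "set only if unset" intent where the reader sees the assignment.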
@@ -643,6 +678,8 @@ hostlist.each{ |host|
##########
# do not filter on remote port as NAT gateways may change ports
+ iptables.puts "#"
+ iptables.puts "# to/from #{peer['name']}"
iptables.puts "iptables --append vpn-#{$NAMESPACE} --source #{ peer['host_address'] || '0.0.0.0/0' } --destination #{ host['host_address'] || '0.0.0.0/0' } \\"
iptables.puts " --protocol udp --destination-port #{ host['inet_port'][ peer['name'] ]['local'] } \\"
iptables.puts " --jump ACCEPT"