Diffstat (limited to 'Generate')
-rwxr-xr-x | Generate | 55 |
1 files changed, 37 insertions, 18 deletions
@@ -1,6 +1,7 @@
 #!/usr/bin/ruby
 require 'yaml'
+require 'ipaddr'
 THISHOST = `hostname`.chomp
@@ -408,12 +409,10 @@ hostlist.each{ |host|
 ip6tables.puts "# Automatically created on #{THISHOST} at #{RIGHTNOW} by #{THISPROGRAM}."
 ip6tables.puts "PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin"
 ip6tables.puts "echo 'Doing #{$NAMESPACE} VPN rules.'"
- if host['ipv6']
- ip6tables.puts "ip6tables --new-chain vpn-#{$NAMESPACE}"
- ip6tables.puts "ip6tables --flush vpn-#{$NAMESPACE}"
- ip6ferm.puts "# Automatically created on #{THISHOST} at #{RIGHTNOW} by #{THISPROGRAM}."
- ip6ferm.puts "def &vpn_#{$NAMESPACE}6() = {"
- end
+ ip6tables.puts "ip6tables --new-chain vpn-#{$NAMESPACE}"
+ ip6tables.puts "ip6tables --flush vpn-#{$NAMESPACE}"
+ ip6ferm.puts "# Automatically created on #{THISHOST} at #{RIGHTNOW} by #{THISPROGRAM}."
+ ip6ferm.puts "def &vpn_#{$NAMESPACE}6() = {"
 ipferm.puts "# Automatically created on #{THISHOST} at #{RIGHTNOW} by #{THISPROGRAM}."
 ipferm.puts "def &vpn_#{$NAMESPACE}() = {"
@@ -723,11 +722,37 @@ hostlist.each{ |host|
 ##########
 # do not filter on remote port as NAT gateways may change ports
- iptables.puts "#"
- iptables.puts "# to/from #{peer['name']}"
- iptables.puts "iptables --append vpn-#{$NAMESPACE} --source #{ peer['host_address'] || '0.0.0.0/0' } --destination #{ host['bind_address'] || host['host_address'] || '0.0.0.0/0' } \\"
- iptables.puts " --protocol udp --destination-port #{ host['inet_port'][ peer['name'] ]['local'] } \\"
- iptables.puts " --jump ACCEPT"
+ iptables.puts "#\n# to/from #{peer['name']}"
+ ip6tables.puts "#\n# to/from #{peer['name']}"
+ ipferm.puts "#\n# to/from #{peer['name']}"
+ ip6ferm.puts "#\n# to/from #{peer['name']}"
+
+ src = [] + remote_addr
+ src << '0.0.0.0/0' << '::/0' if src.size == 0
+ src = src.select {|x| IPAddr.new(x) rescue nil }
+ dst = []
+ dst << host['host_address'] if host['host_address']
+ dst += host['host_address_extra'] if host['host_address_extra']
+ dst << '0.0.0.0/0' << '::/0' if dst.size == 0
+ dst = dst.select {|x| IPAddr.new(x) rescue nil }
+ src.each do |s|
+ s6 = IPAddr.new(s).ipv6?
+ dst.each do |d|
+ d6 = IPAddr.new(d).ipv6?
+ next if s6 != d6
+
+ o = d6 ? ip6tables : iptables
+ i = d6 ? 'ip6tables' : 'iptables'
+ o.puts "#{i} --append vpn-#{$NAMESPACE} --source #{ s } --destination #{ d } \\"
+ o.puts " --protocol udp --destination-port #{ host['inet_port'][ peer['name'] ]['local'] } \\"
+ o.puts " --jump ACCEPT"
+
+ o = d6 ? ip6ferm : ipferm
+ o.puts " saddr #{ s } daddr #{ d } " +
+ " proto udp dport #{ host['inet_port'][ peer['name'] ]['local'] } " +
+ " ACCEPT;"
+ end
+ end
 iptables.puts "iptables --append vpn-#{$NAMESPACE} --source #{ peer['vpn_address'] } --destination #{ host['vpn_address'] } \\"
 iptables.puts " --protocol tcp --destination-port #{ host['bgp_port'] or '179' } \\"
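Review bot: `src = src.select {|x| IPAddr.new(x) rescue nil }` and its `dst` twin silently drop every entry IPAddr rejects, so a mistyped host or peer address yields no ACCEPT rule and no error, and because the `'0.0.0.0/0'`/`'::/0'` fallback is appended before validation, an all-invalid list produces no rule at all. A generator should fail loudly here: `bad = (src + dst).reject { |x| IPAddr.new(x) rescue nil }` followed by `raise ArgumentError, "invalid address for peer #{peer['name']}: #{bad.inspect}" unless bad.empty?`, after which the loops can parse each address once instead of re-parsing inside the nested `each`. The removed iptables line also honoured `host['bind_address']` as the destination, while the new `dst` list reads only `host_address` and `host_address_extra`; if any host config still sets `bind_address`, its rule now targets a different address — confirm that is intended. `dst += host['host_address_extra']` raises TypeError when the YAML value is a single string rather than a list; `dst += Array(host['host_address_extra'])` accepts both (and `src.size == 0` reads better as `src.empty?`). The enclosing `hostlist.each{ |host|` block, the peer loop and the definition of `remote_addr` all lie outside the hunk.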
@@ -742,12 +767,6 @@ hostlist.each{ |host|
 ip6tables.puts " --jump ACCEPT"
 end
- ipferm.puts "#"
- ipferm.puts "# to/from #{peer['name']}"
- ipferm.puts " saddr #{ peer['host_address'] || '0.0.0.0/0' } daddr #{ host['host_address'] || '0.0.0.0/0' } " +
- " proto udp dport #{ host['inet_port'][ peer['name'] ]['local'] } " +
- " ACCEPT;"
-
 ipferm.puts " saddr #{ peer['vpn_address'] } daddr #{ host['vpn_address'] } " +
 " proto tcp dport #{ host['bgp_port'] or '179' } " +
 " interface #{ peer['ifacename'] } " +
@@ -804,7 +823,7 @@ hostlist.each{ |host|
 ip6tables.close
 ipferm.puts "}"
 ipferm.close
- ip6ferm.puts "}" if host['ipv6']
+ ip6ferm.puts "}"
 ip6ferm.close
 bgpd.close |