From 0741d0d39fc9c0554e82b22cd32d696b25b4c790 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Thu, 27 Mar 2008 18:46:12 +0000
Subject: fermstuff
git-svn-id: svn+ssh://asteria.noreply.org/svn/weaselutils/trunk@322 bc3d92e2-beff-0310-a7cd-cc87d7ac0ede
---
 Generate | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/Generate b/Generate
index 6752a89..82882c1 100755
--- a/Generate
+++ b/Generate
@@ -390,6 +390,7 @@ hostlist.each{ |host|
 iptables = File.new("#{dir}/#{$NAMESPACE}.iptables.sh", "w")
 ip6tables = File.new("#{dir}/#{$NAMESPACE}.ip6tables.sh", "w")
+ipferm = File.new("#{dir}/#{$NAMESPACE}.iptables.ferm", "w")
 iptables.puts "# Automatically created on #{THISHOST} at #{RIGHTNOW} by #{THISPROGRAM}."
 iptables.puts "PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin"
 iptables.puts "echo 'Doing #{$NAMESPACE} VPN rules.'"
@@ -404,6 +405,9 @@ hostlist.each{ |host|
 ip6tables.puts "ip6tables --flush vpn-#{$NAMESPACE}"
 end
 
+ipferm.puts "# Automatically created on #{THISHOST} at #{RIGHTNOW} by #{THISPROGRAM}."
+ipferm.puts "def &vpn_#{$NAMESPACE}() = {"
+
 daemonsfilename = "#{dir}/#{$NAMESPACE}.quagga.daemons"
 daemons = File.new(daemonsfilename, "w")
 daemons.puts QUAGGA_DAEMONS.gsub('HOSTNAME', host['name'])
@@ -698,6 +702,17 @@ hostlist.each{ |host|
 ip6tables.puts " --jump ACCEPT"
 end
 
+ipferm.puts "#"
+ipferm.puts "# to/from #{peer['name']}"
+ipferm.puts " saddr #{ peer['host_address'] || '0.0.0.0/0' } daddr #{ host['host_address'] || '0.0.0.0/0' } " +
+" proto udp dport #{ host['inet_port'][ peer['name'] ]['local'] } " +
+" ACCEPT;"
+ipferm.puts " saddr #{ peer['vpn_address'] } daddr #{ host['vpn_address'] } " +
+" proto tcp dport #{ host['bgp_port'] or '179' } " +
+" interface #{ peer['ifacename'] } " +
+" ACCEPT;"
+
 ##########
 bgpd.puts "!"
 bgpd.puts "! ** peer #{peer['name']} **"
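Review bot: The function header emitted by the second added `ipferm.puts` in the second hunk reads `def &vpn_NS() = {`; in ferm's configuration language the keyword is `@def`, so if this file is meant to be @include'd by ferm as-is the generated rule set would not parse and the VPN rules would never be applied. Change it to `ipferm.puts "@def &vpn_#{$NAMESPACE}() = {"` (the matching `}` written in the last hunk can stay). `$NAMESPACE` also becomes part of a ferm identifier here, so a value with characters outside ferm's identifier set would break the same way; a short comment stating what values the global is expected to hold would help the next reader. The enclosing `hostlist.each` block starts and ends outside the hunk.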
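Review bot: In the third hunk, `peer['host_address'] || '0.0.0.0/0'` and `host['host_address'] || '0.0.0.0/0'` in the UDP rule silently widen the accept to any source or any destination when an address is not configured, whereas a missing `peer['vpn_address']` or `peer['ifacename']` in the TCP rule below produces an empty token that ferm would reject rather than a wider rule. If the any-address fallback is deliberate (it presumably mirrors the iptables branch above the hunk), make the policy decision visible with a comment such as `# no host_address known: accept the tunnel UDP port from/to any address`; otherwise emit a warning or skip the peer. Separately, `host['bgp_port'] or '179'` should be `host['bgp_port'] || '179'` to match the `||` used in the UDP rule; both evaluate the same inside `#{}`, but `or` is the low-precedence form and mixing the two in adjacent rules is confusing. The hunk header counts 11 added lines but only 10 are readable here, so one may have been lost in rendering; the enclosing `hostlist.each` block starts and ends outside the hunk.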
@@ -739,6 +754,8 @@ hostlist.each{ |host|
 iptables.close
 ip6tables.close
+ipferm.puts "}"
+ipferm.close
 bgpd.close
 File.chmod(0600, bgpdfilename) == 1 or throw "Cannot chmod #{bgpdfilename}"
-- cgit v1.2.3
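Review bot: `ipferm.close` is what completes the file, since the closing `}` is written immediately before it; if anything between the `File.new` in the first hunk and here raises, a truncated `.ferm` file missing its closing brace is left under the final name. That presumably fails closed (ferm should refuse to parse it), but a consumer that reloads on change would then lose the whole `&vpn_NS` function, so consider writing to `"#{dir}/#{$NAMESPACE}.iptables.ferm.tmp"` and `File.rename`-ing it onto the real name after `close`. The `File.chmod(0600, ...)` applied to the bgpd file on the last context line is not applied to the ferm file; as far as the visible hunks show the ferm rules carry only addresses, ports and interface names, so that is likely fine, but a one-line comment saying so would save the next reader the question. The enclosing `hostlist.each` block starts outside the hunk.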