From 393fbbb1d5a09694e6ac3878c6f50b8a66243efb Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Mon, 10 Nov 2008 23:26:41 +0000
Subject: Insure against evil busses or trucks

git-svn-id: svn+ssh://asteria.noreply.org/svn/weaselutils/trunk@372 bc3d92e2-beff-0310-a7cd-cc87d7ac0ede
---
 Generate | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/Generate b/Generate
index 82882c1..274b965 100755
--- a/Generate
+++ b/Generate
@@ -391,6 +391,7 @@ hostlist.each{ |host|
 iptables = File.new("#{dir}/#{$NAMESPACE}.iptables.sh", "w")
 ip6tables = File.new("#{dir}/#{$NAMESPACE}.ip6tables.sh", "w")
 ipferm = File.new("#{dir}/#{$NAMESPACE}.iptables.ferm", "w")
+ ip6ferm = File.new("#{dir}/#{$NAMESPACE}.ip6tables.ferm", "w")
 iptables.puts "# Automatically created on #{THISHOST} at #{RIGHTNOW} by #{THISPROGRAM}."
 iptables.puts "PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin"
 iptables.puts "echo 'Doing #{$NAMESPACE} VPN rules.'"
@@ -403,6 +404,8 @@ hostlist.each{ |host|
 if host['ipv6']
 ip6tables.puts "ip6tables --new-chain vpn-#{$NAMESPACE}"
 ip6tables.puts "ip6tables --flush vpn-#{$NAMESPACE}"
+ ip6ferm.puts "# Automatically created on #{THISHOST} at #{RIGHTNOW} by #{THISPROGRAM}."
+ ip6ferm.puts "def &vpn_#{$NAMESPACE}6() = {"
 end
 ipferm.puts "# Automatically created on #{THISHOST} at #{RIGHTNOW} by #{THISPROGRAM}."
@@ -669,6 +672,7 @@ hostlist.each{ |host|
 conffile.puts "comp-lzo"
 conffile.puts "keepalive 10 30"
 conffile.puts "verb 0"
+ conffile.puts "script-security 2" if host['openvpn'] == '2.1'
 conffile.close
 ##########
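Review bot: `ip6ferm` is opened here for every host, but the file's header and the `def &vpn_#{$NAMESPACE}6() = {` opener are only written under `if host['ipv6']` in the next hunk (-403), while `ip6ferm.puts "}"` and `ip6ferm.close` in the last hunk (-756) run unconditionally, so a host without IPv6 ends up with a `.ip6tables.ferm` whose whole content is `}` — a syntax error for anything that includes it. Gate the open and the close the same way the header is gated, e.g. `ip6ferm = host['ipv6'] ? File.new("#{dir}/#{$NAMESPACE}.ip6tables.ferm", "w") : nil` here and `if ip6ferm` around the two lines at -756, or write the header and opener unconditionally and keep only the rules under the IPv6 check. The enclosing `hostlist.each{ |host|` block starts and ends outside this hunk.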
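Review bot: `script-security 2` relaxes OpenVPN's script policy to allow user-defined scripts, yet it is emitted only when `host['openvpn']` equals the exact string `'2.1'`, so a host recorded as `'2.1.1'` or `'2.2'` silently gets a config that will refuse the same scripts. Which directives in the generated config require it is not visible in this hunk — presumably `up`/`down` hooks written earlier in the loop; worth confirming, and the line should only be emitted when the config actually references scripts so hosts that need none keep the default policy. A comment such as `# OpenVPN 2.1+ refuses to run configured up/down scripts unless script-security is at least 2` beside the line, and a version comparison instead of string equality, would make both the intent and the applicability clear.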
@@ -713,6 +717,14 @@ hostlist.each{ |host|
 " interface #{ peer['ifacename'] } " +
 " ACCEPT;"
+ if host['ipv6'] and peer['ipv6']
+ ip6ferm.puts " saddr #{ host['link-local'][ peer['name'] ]['peer'] } \\"
+ ip6ferm.puts " daddr #{ host['link-local'][ peer['name'] ]['me'] } \\"
+ ip6ferm.puts " proto tcp dport #{ host['bgp_port'] or '179' } \\"
+ ip6ferm.puts " interface #{ peer['ifacename'] } \\"
+ ip6ferm.puts " ACCEPT;"
+ end
+
 ##########
 bgpd.puts "!"
 bgpd.puts "! ** peer #{peer['name']} **"
@@ -756,6 +768,8 @@ hostlist.each{ |host|
 ip6tables.close
 ipferm.puts "}"
 ipferm.close
+ ip6ferm.puts "}"
+ ip6ferm.close
 bgpd.close
 File.chmod(0600, bgpdfilename) == 1 or throw "Cannot chmod #{bgpdfilename}"
--
cgit v1.2.3
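Review bot: The new IPv6 rule dereferences `host['link-local'][ peer['name'] ]['peer']` and `['me']` with no check that the host's link-local table has an entry for this peer, so a missing entry raises `NoMethodError` on nil in the middle of `hostlist.each` and aborts generation for the remaining hosts (assuming the input is not validated earlier; that is outside the hunk). Using `ll = host.fetch('link-local').fetch(peer['name'])` once before the five `puts` and then `ll['peer']`/`ll['me']` fails with a `KeyError` that names the missing key and drops the duplicated lookup. Style-wise, `if host['ipv6'] and peer['ipv6']` and `#{ host['bgp_port'] or '179' }` use the low-precedence `and`/`or` where `&&`/`||` is the usual form, and the IPv4 counterpart just above builds one `ipferm.puts` expression whereas this block uses five `puts` with `\\` continuations — worth settling on one shape for both.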