From 6421e45c29538235724040e17c0739a0e487e1f3 Mon Sep 17 00:00:00 2001 From: Peter Palfrader Date: Sat, 7 Jan 2006 16:57:00 +0000 Subject: Implement Ganneff's wish to be able to manually set ports for certain connections git-svn-id: svn+ssh://asteria.noreply.org/svn/weaselutils/trunk@52 bc3d92e2-beff-0310-a7cd-cc87d7ac0ede --- Generate | 41 +++++++++++++++++++++++++++++++++++++++-- 1 file changed, 39 insertions(+), 2 deletions(-) (limited to 'Generate') diff --git a/Generate b/Generate index dccbdfd..a942738 100755 --- a/Generate +++ b/Generate @@ -291,6 +291,7 @@ $config['hosts'].each_pair{ |name, host| if host['ipv6'] host['networks6'][host['vpn_address6']+"/128"] = host['groups'].join(',') end + host['inet_port'] = {} } throw "Duplicate iface names" unless hostlist.collect{ |host| host['ifacename'] }.uniq.size == $config['hosts'].size 
@@ -316,14 +317,48 @@ hostlist.each{ |host| } # Setup ports for openvpn +# ======================= +# First import ports from manual configuration +hostlist.each{ |host| + next unless host['inet_port_override'] + host['inet_port_override'].each_key{ |peername| + hostname = host['name'] + peer = $config['hosts'][ peername ] + throw "Peer #{peername} for host #{hostname} not found" unless peer + + [peername, hostname].each{ |item| + throw "host->#{hostname}->inet_port_override->#{peername} does not have a key #{item}" unless host['inet_port_override'][peername][item] + } + + host['inet_port'][peername] = {} + host['inet_port'][peername]['local'] = host['inet_port_override'][peername][hostname] + host['inet_port'][peername]['remote'] = host['inet_port_override'][peername][peername] + + unless peer['inet_port'][hostname] + peer['inet_port'][hostname] = {} + [peername, hostname].each{ |item| + if peer['inet_port_override'] and + peer['inet_port_override'][hostname] and + peer['inet_port_override'][hostname][item] and + peer['inet_port_override'][hostname][item] != host['inet_port_override'][peername][item] + throw("host->#{hostname}->inet_port_override->#{peername}->#{item} and "+ + "host->#{peername}->inet_port_override->#{hostname}->#{item} both exist but are different") + end + } + peer['inet_port'][hostname]['remote'] = host['inet_port'][peername]['local'] + peer['inet_port'][hostname]['local'] = host['inet_port'][peername]['remote'] + end + } +} +# Then set the default values if nothing is set yet hostlist.each{ |host| - host['inet_port'] = {} host['peers'].each{ |peer| host['inet_port'][ peer['name'] ] = { "remote" => $config['baseport']+host['host_no'], "local" => $config['baseport']+peer['host_no'] - } + } unless host['inet_port'][ peer['name'] ] } + throw "Duplicate local ports on host #{host['name']}" unless host['inet_port'].values.collect{ |peer| peer['local'] }.uniq.size == host['inet_port'].size } 
##################################################################### @@ -643,6 +678,8 @@ hostlist.each{ |host| ########## # do not filter on remote port as NAT gateways may change ports + iptables.puts "#" + iptables.puts "# to/from #{peer['name']}" iptables.puts "iptables --append vpn-#{$NAMESPACE} --source #{ peer['host_address'] || '0.0.0.0/0' } --destination #{ host['host_address'] || '0.0.0.0/0' } \\" iptables.puts " --protocol udp --destination-port #{ host['inet_port'][ peer['name'] ]['local'] } \\" iptables.puts " --jump ACCEPT" -- cgit v1.2.3
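Review bot: The port values read from `inet_port_override` in the new `[peername, hostname].each{ |item| ... }` presence check are only tested for being truthy, never for being an integer in the UDP port range, yet they flow straight into the generated `iptables ... --destination-port #{...}` lines (and presumably the OpenVPN configs), where a stray string from the config file would change the emitted rule instead of failing the run. The default path can only ever produce `$config['baseport'] + host_no` integers, so this override path is the one place a malformed port can enter; I would extend the presence check with `value = host['inet_port_override'][peername][item]` and `throw "host->#{hostname}->inet_port_override->#{peername}->#{item} is not a UDP port (1-65535)" unless value.to_s =~ /\A\d+\z/ and (1..65535).include?(value.to_i)`. It also seems worth asserting that `peername` is one of `host['peers']` (assuming that is the list of hosts this host actually connects to), because `$config['hosts'][peername]` only proves the name exists, and an override for a non-peer silently reserves a local port in the new duplicate-port check while never being used for a connection. The `throw "..."` calls match the file's existing convention, but note that an uncaught `throw` aborts with a generic uncaught-throw error (the tag string is shown) rather than a named exception, so `raise` would read more clearly if the file is ever cleaned up as a whole.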