예제 #1
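class CsVrConfig(CsDataBag):
    """Apply the "vrconfig" data bag to the virtual router.

    Only two keys are acted upon: ``source_nat_list`` (comma-separated CIDRs
    that get an ACCEPT rule in the SOURCE_NAT_LIST chain) and
    ``syslog_server_list`` (comma-separated syslog servers that receive the
    iptables "denied" messages). Everything else in the bag is ignored.
    """

    def process(self):
        """Walk the data bag and apply each recognised key.

        ``source_nat_list`` is handed to :meth:`_configure_firewall` as soon as
        it is seen; ``syslog_server_list`` is remembered and applied once at
        the end via :meth:`_configure_syslog`, with an empty string when the
        key is absent so the rsyslog rule falls back to its default.
        """
        logging.debug("Processing CsVrConfig file ==> %s" % self.dbag)

        syslogserverlist = ""

        for item in self.dbag:
            if item == "id":
                continue

            if item == "source_nat_list":
                self._configure_firewall(self.dbag[item])
            elif item == "syslog_server_list":
                syslogserverlist = self.dbag[item]

        # Always rewrite the rsyslog rule: a bag without a server list must
        # reset forwarding rather than leave a previously written target.
        self._configure_syslog(syslogserverlist)

    @staticmethod
    def _split_list(value):
        """Split a comma-separated string into its stripped, non-empty entries.

        Args:
            value: the raw list string; ``""`` yields ``[]`` rather than ``[""]``.
        """
        entries = (entry.strip() for entry in value.split(','))
        return [entry for entry in entries if entry]

    def _configure_firewall(self, sourcenatlist):
        """Append an ACCEPT rule on eth1 for every CIDR in *sourcenatlist*.

        Args:
            sourcenatlist: comma-separated CIDRs; may be empty.

        Blank entries are skipped so an empty list no longer produces a rule
        with a blank ``-s`` argument.
        """
        firewall = self.config.get_fw()

        logging.debug("Processing source NAT list: %s" % sourcenatlist)
        for cidr in self._split_list(sourcenatlist):
            # NOTE(review): cidr is interpolated verbatim into the rule text;
            # it is assumed to be a validated value from the management server.
            firewall.append([
                "filter", "",
                "-A SOURCE_NAT_LIST -o eth1 -s %s -j ACCEPT" % cidr
            ])

    def _configure_syslog(self, syslogserverlist):
        """Rewrite the rsyslog rule for iptables "denied" messages.

        Args:
            syslogserverlist: comma-separated syslog server addresses. With no
                address the messages are discarded locally (``~``); otherwise
                they are forwarded to every listed server using rsyslog's
                ``@@host:514`` (TCP) syntax and then discarded.

        rsyslog is restarted only when the generated file differs from the
        one on disk.
        """
        self.syslogconf = CsFile(RSYSLOG_IPTABLES_CONF)
        self.syslogconf.repopulate()

        logging.debug("Processing syslog server list: %s" % syslogserverlist)
        # Materialise a real list: a lazy ``filter`` object is always truthy
        # on Python 3, which would make the emptiness test below meaningless.
        ips = self._split_list(syslogserverlist)
        if not ips:
            # no IP in the syslog server list; reset the config to default:
            self.syslogconf.append(
                "# no remote syslog servers so stop further processing")
            self.syslogconf.append("# this file is managed by CsVrConfig.py")
            self.syslogconf.append(
                ":msg, regex, \"^\[ *[0-9]*\.[0-9]*\] iptables denied: \" ~")
        else:
            # add IPs from the syslog server list to the config:
            self.syslogconf.append(
                "# forwarding IP tables syslog to %s and stop further processing"
                % syslogserverlist)
            self.syslogconf.append("# this file is managed by CsVrConfig.py")
            # The first target carries the message selector; the remaining
            # targets chain off it with "&", and a final "& ~" discards it.
            self.syslogconf.append(
                ":msg, regex, \"^\[ *[0-9]*\.[0-9]*\] iptables denied: \" @@%s:514"
                % ips[0])
            for ip in ips[1:]:
                self.syslogconf.append("& @@%s:514" % ip)

            self.syslogconf.append("& ~")

        changed = self.syslogconf.is_changed()
        self.syslogconf.commit()
        if changed:
            CsHelper.execute2("service rsyslog restart")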
예제 #2
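    def configure_ipsec(self, obj):
        """Write the ipsec conn/secrets files for one site-to-site VPN and start it.

        Args:
            obj: the VPN entry from the data bag. Keys read: ``local_public_ip``,
                ``peer_gateway_ip``, ``peer_guest_cidr_list``, ``local_guest_cidr``,
                ``ike_policy``, ``esp_policy``, ``ike_lifetime``, ``esp_lifetime``,
                ``ipsec_psk``, ``dpd``; optional ``split_connections``,
                ``ike_version`` (one of ike/ikev1/ikev2, else ``ike``) and
                ``encap`` (defaulted to False in *obj* when absent).

        Side effects: writes ``ipsec.vpn-<peer>.conf`` and
        ``ipsec.vpn-<peer>.secrets`` under ``self.VPNCONFDIR``, drops the peer
        from ``self.confips``, runs ``ipsec rereadsecrets`` (on change) and
        ``ipsec reload``, then waits for and kicks off the tunnel(s).
        """
        leftpeer = obj['local_public_ip']
        rightpeer = obj['peer_gateway_ip']
        peerlist = obj['peer_guest_cidr_list'].replace(' ', '')
        vpnconffile = "%s/ipsec.vpn-%s.conf" % (self.VPNCONFDIR, rightpeer)
        vpnsecretsfile = "%s/ipsec.vpn-%s.secrets" % (self.VPNCONFDIR,
                                                      rightpeer)
        # Policies arrive ';'-separated; ipsec.conf wants '-' between parts.
        ikepolicy = obj['ike_policy'].replace(';', '-')
        esppolicy = obj['esp_policy'].replace(';', '-')
        splitconnections = obj.get('split_connections', False)
        # Keep the caller's spelling of the version; only validate it.
        ikeversion = 'ike'
        if obj.get('ike_version', '').lower() in ('ike', 'ikev1', 'ikev2'):
            ikeversion = obj['ike_version']

        peerlistarr = peerlist.split(',')
        if splitconnections:
            # Only the first subnet goes in the main conn; the others become
            # "also=" sub-connections further down.
            logging.debug('Splitting rightsubnets %s' % peerlistarr)
            peerlist = peerlistarr[0]

        if rightpeer in self.confips:
            self.confips.remove(rightpeer)
        conf = CsFile(vpnconffile)
        # Start from an empty file: avoids stale lines when switching off
        # split_connections or removing subnets with split_connections == true.
        conf.repopulate()
        conf.add("#conn for vpn-%s" % rightpeer, 0)
        conf.search("conn ", "conn vpn-%s" % rightpeer)
        conf.addeq(" left=%s" % leftpeer)
        conf.addeq(" leftsubnet=%s" % obj['local_guest_cidr'])
        conf.addeq(" right=%s" % rightpeer)
        conf.addeq(" rightsubnet=%s" % peerlist)
        conf.addeq(" type=tunnel")
        conf.addeq(" authby=secret")
        conf.addeq(" keyexchange=%s" % ikeversion)
        conf.addeq(" ike=%s" % ikepolicy)
        conf.addeq(" ikelifetime=%s" %
                   self.convert_sec_to_h(obj['ike_lifetime']))
        conf.addeq(" esp=%s" % esppolicy)
        conf.addeq(" lifetime=%s" % self.convert_sec_to_h(obj['esp_lifetime']))
        conf.addeq(" keyingtries=2")
        conf.addeq(" auto=route")
        # setdefault keeps the original side effect of storing encap=False
        # back into obj for callers that read it afterwards.
        encap = obj.setdefault('encap', False)
        conf.addeq(" forceencaps=%s" % CsHelper.bool_to_yn(encap))
        if obj['dpd']:
            conf.addeq(" dpddelay=30")
            conf.addeq(" dpdtimeout=120")
            conf.addeq(" dpdaction=restart")
        # Fix: the original compared the bound method ``peerlistarr.count``
        # with 1, which never reflected the number of subnets.
        if splitconnections and len(peerlistarr) > 1:
            logging.debug('Splitting connections for rightsubnets %s' %
                          peerlistarr)
            # Sub-connections are numbered from 2: vpn-<peer>-2, vpn-<peer>-3, ...
            for connidx, subnet in enumerate(peerlistarr[1:], start=2):
                logging.debug('Adding split connection -%d for subnet %s' %
                              (connidx, subnet))
                conf.append('')
                conf.search('conn vpn-.*-%d' % connidx,
                            "conn vpn-%s-%d" % (rightpeer, connidx))
                conf.append(' also=vpn-%s' % rightpeer)
                conf.append(' rightsubnet=%s' % subnet)
        secret = CsFile(vpnsecretsfile)
        # NOTE(review): the PSK is written inside a double-quoted token; a key
        # containing '"' would corrupt the secrets file — confirm the
        # management server rejects such keys.
        secret.search(
            "%s " % leftpeer,
            "%s %s : PSK \"%s\"" % (leftpeer, rightpeer, obj['ipsec_psk']))
        if secret.is_changed() or conf.is_changed():
            secret.commit()
            conf.commit()
            logging.info("Configured vpn %s %s", leftpeer, rightpeer)
            CsHelper.execute("ipsec rereadsecrets")

        # This will load the new config
        CsHelper.execute("ipsec reload")
        # Owner-read-only (0o400 is the portable spelling of the original 0400).
        # NOTE(review): this runs after commit(), so the mode the secrets file
        # is first created with is whatever CsFile/umask gives it — verify.
        os.chmod(vpnsecretsfile, 0o400)

        self._wait_for_ipsec_peers(rightpeer, peerlistarr, splitconnections)
        self._initiate_ipsec_peers(peerlistarr)

    def _wait_for_ipsec_peers(self, rightpeer, peerlistarr, splitconnections):
        """Poll ``ipsec status`` up to three times, 1 s apart, until every
        subnet of *rightpeer* shows up in its connection's status output.

        Gives up silently after the third attempt; the caller proceeds anyway.
        """
        for _ in range(3):
            done = True
            for peeridx, subnet in enumerate(peerlistarr):
                # The first subnet lives in the main vpn-<peer> conn; with
                # split connections the others are vpn-<peer>-<n> with n >= 2.
                if splitconnections and peeridx > 0:
                    conn = '%s-%d' % (rightpeer, peeridx + 1)
                else:
                    conn = rightpeer
                # NOTE(review): subnet is interpolated into a shell pipeline
                # and used as a grep pattern; assumed to be a validated CIDR.
                result = CsHelper.execute('ipsec status vpn-%s | grep "%s"' %
                                          (conn, subnet))
                # Empty grep output means this subnet is not up yet.
                if len(result) == 0:
                    done = False
            if done:
                return
            time.sleep(1)

    def _initiate_ipsec_peers(self, peerlistarr):
        """Ping one host in each remote subnet to trigger tunnel negotiation.

        With 'auto=route', connections are established on an attempt to
        communicate over the S2S VPN; the ping (bounded by ``timeout 5``) is
        only a trigger and its result is ignored.
        """
        for peer in peerlistarr:
            # Take the network address (strip "/prefix") and use the next
            # address in it. NOTE(review): no carry handling — a last octet of
            # 255 yields an invalid address, exactly as the original did.
            octets = peer.split('/', 1)[0].split('.')
            octets[3] = str(int(octets[3]) + 1)
            ipinsubnet = '.'.join(octets)
            CsHelper.execute("timeout 5 ping -c 3 %s" % ipinsubnet)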