def connection_down(parsed_args):
ipsec_connection = load_ipsec_connection(parsed_args)
connection_name = ipsec_connection['name']
ip_route = IPRoute()
if is_connection_up(ip_route, ipsec_connection):
ipsec_result = ipsec('down', connection_name)
if ipsec_result.status != 0:
raise DockerIPSecError('Failed to disconnect VPN: {0}\n{1}'.format(connection_name, ipsec_result.output))
filter_func = functools.partial(comment_matches_ipsec_connection, connection_name)
remove_iptables_rules(filter_func)
def connection_down(parsed_args):
ipsec_connection = load_ipsec_connection(parsed_args)
connection_name = ipsec_connection['name']
ip_route = IPRoute()
if is_connection_up(ip_route, ipsec_connection):
ipsec_result = ipsec('down', connection_name)
if ipsec_result.status != 0:
raise DockerIPSecError('Failed to disconnect VPN: {0}\n{1}'.format(
connection_name, ipsec_result.output))
filter_func = functools.partial(comment_matches_ipsec_connection,
connection_name)
remove_iptables_rules(filter_func)
def connection_up(parsed_args):
ipsec_connection = load_ipsec_connection(parsed_args)
connection_name = ipsec_connection['name']
docker_networks = parsed_args.dockerNetworks
if len(docker_networks) > 0:
docker_client = docker.Client()
docker_network_to_ip_network = functools.partial(ip_network_for_docker_network, docker_client)
docker_ip_networks = tuple(map(docker_network_to_ip_network, docker_networks))
else:
docker_ip_networks = tuple()
ip_route = IPRoute()
if not is_connection_up(ip_route, ipsec_connection):
ipsec_result = ipsec('up', connection_name)
if ipsec_result.status != 0:
raise DockerIPSecError('Failed to connect VPN: {0}\n{1}'.format(connection_name, ipsec_result.output))
add_ip_networks(ip_route, docker_ip_networks, connection_name)
def connection_up(parsed_args):
ipsec_connection = load_ipsec_connection(parsed_args)
connection_name = ipsec_connection['name']
docker_networks = parsed_args.dockerNetworks
if len(docker_networks) > 0:
docker_client = docker.DockerClient()
docker_network_to_ip_network = functools.partial(
ip_network_for_docker_network, docker_client)
docker_ip_networks = tuple(
map(docker_network_to_ip_network, docker_networks))
else:
docker_ip_networks = tuple()
ip_route = IPRoute()
if not is_connection_up(ip_route, ipsec_connection):
ipsec_result = ipsec('up', connection_name)
if ipsec_result.status != 0:
raise DockerIPSecError('Failed to connect VPN: {0}\n{1}'.format(
connection_name, ipsec_result.output))
add_ip_networks(ip_route, docker_ip_networks, connection_name)
def main():
desc = 'Start and stop IPSec tunnels while allowing docker containers to route traffic down the tunnels'
parser = argparse.ArgumentParser(
description=desc,
formatter_class=argparse.ArgumentDefaultsHelpFormatter)
parser.add_argument('command',
type=str,
choices=set(
('up', 'down', 'addbridge', 'removebridge')),
help='Start or stop an IPSec tunnel')
parser.add_argument('connection', type=str, default='')
parser.add_argument('--docker-bridge',
dest='dockerBridge',
type=str,
default='docker0',
help='Name of the docker bridge')
parser.add_argument('--ipsec-route-table',
dest='ipsecRouteTable',
type=int,
default=220,
help='Route table containing IPSec routes')
parser.add_argument('--ipsec-conf',
dest='ipsecConf',
type=str,
default='/etc/ipsec.conf',
help='IPSec configuration file')
parsedArgs = parser.parse_args()
with open(parsedArgs.ipsecConf, 'rt') as ipsecConfFile:
ipsecConfStr = ipsecConfFile.read()
ipsecConnectionName = parsedArgs.connection
if (ipsecConnectionName == ''):
ipsecConf = ipsecparse.loads(ipsecConfStr)
ipsecConnectionEntries = map(
lambda e: (e[0][0], e[1]),
filter(lambda e: e[0][0] == 'conn' and e[0][1] != '%default',
ipsecConf.entries()))
ipsecConnections = dict(ipsecConnectionEntries)
if (len(ipsecConnections) != 1):
print(
'IPSec configuration in {0} contains more than one connection, specify which one:'
)
for c in ipsecConnections.keys():
print(c + '\n')
return 1
ipsecConnectionName = tuple(ipsecConnections.keys())[0]
if (parsedArgs.command == 'down'):
docker_ipsec.removeIPTablesRules()
if (not docker_ipsec.ipsec('down', ipsecConnectionName, verbose=True)):
return 1
return 0
if (parsedArgs.command == 'removebridge'):
def _removalFunc(j):
try:
return j['dockerBridgeName'] == parsedArgs.dockerBridge
except:
return Fale
docker_ipsec.removeIPTablesRules(filterFunc=_removalFunc)
return 0
ipRoute = pyroute2.IPRoute()
dockerInfo = docker_ipsec.DockerInfo(
ipRoute=ipRoute, dockerBridgeName=parsedArgs.dockerBridge)
if parsedArgs.command == 'up' and not docker_ipsec.ipsec(
'up', ipsecConnectionName, verbose=True):
return 1
assert parsedArgs.command in ['up', 'addbridge']
ipsecInfo = docker_ipsec.IPSecInfo(
ipRoute=ipRoute, ipsecTableIndex=parsedArgs.ipsecRouteTable)
def ipsecEntryToIPTablesRule(e):
outputInterfaceIndex = e.outputInterfaceIndex()
outputInterface = docker_ipsec.getInterfaceNameForIndex(
outputInterfaceIndex, ipRoute=ipRoute)
return (e.sourceIP(), outputInterface, e.destCIDR(), dockerInfo.cidr())
rules = tuple(map(ipsecEntryToIPTablesRule, ipsecInfo.entries()))
table = iptc.Table(iptc.Table.NAT)
table.autocommit = False
for rule in rules:
docker_ipsec.installIPTablesRule(table, parsedArgs.dockerBridge, *rule)
table.commit()
def main():
desc = 'Start and stop IPSec tunnels while allowing docker containers to route traffic down the tunnels'
parser = argparse.ArgumentParser(description=desc, formatter_class=argparse.ArgumentDefaultsHelpFormatter)
parser.add_argument('command', type=str, choices=set(('up', 'down', 'addbridge', 'removebridge')),
help='Start or stop an IPSec tunnel')
parser.add_argument('connection', type=str, default='')
parser.add_argument('--docker-bridge', dest='dockerBridge', type=str, default='docker0',
help='Name of the docker bridge')
parser.add_argument('--ipsec-route-table', dest='ipsecRouteTable', type=int, default=220,
help='Route table containing IPSec routes')
parser.add_argument('--ipsec-conf', dest='ipsecConf', type=str, default='/etc/ipsec.conf',
help='IPSec configuration file')
parsedArgs = parser.parse_args()
with open(parsedArgs.ipsecConf, 'rt') as ipsecConfFile:
ipsecConfStr = ipsecConfFile.read()
ipsecConnectionName = parsedArgs.connection
if (ipsecConnectionName == ''):
ipsecConf = ipsecparse.loads(ipsecConfStr)
ipsecConnectionEntries = map(lambda e: (e[0][0], e[1]),
filter(lambda e: e[0][0] == 'conn' and e[0][1] != '%default',
ipsecConf.entries()))
ipsecConnections = dict(ipsecConnectionEntries)
if (len(ipsecConnections) != 1):
print('IPSec configuration in {0} contains more than one connection, specify which one:')
for c in ipsecConnections.keys():
print(c + '\n')
return 1
ipsecConnectionName = tuple(ipsecConnections.keys())[0]
if (parsedArgs.command == 'down'):
docker_ipsec.removeIPTablesRules()
if (not docker_ipsec.ipsec('down', ipsecConnectionName, verbose=True)):
return 1
return 0
if (parsedArgs.command == 'removebridge'):
def _removalFunc(j):
try:
return j['dockerBridgeName'] == parsedArgs.dockerBridge
except:
return Fale
docker_ipsec.removeIPTablesRules(filterFunc=_removalFunc)
return 0
ipRoute = pyroute2.IPRoute()
dockerInfo = docker_ipsec.DockerInfo(ipRoute=ipRoute, dockerBridgeName=parsedArgs.dockerBridge)
if parsedArgs.command == 'up' and not docker_ipsec.ipsec('up', ipsecConnectionName, verbose=True):
return 1
assert parsedArgs.command in ['up', 'addbridge']
ipsecInfo = docker_ipsec.IPSecInfo(ipRoute=ipRoute, ipsecTableIndex=parsedArgs.ipsecRouteTable)
def ipsecEntryToIPTablesRule(e):
outputInterfaceIndex = e.outputInterfaceIndex()
outputInterface = docker_ipsec.getInterfaceNameForIndex(outputInterfaceIndex, ipRoute=ipRoute)
return (e.sourceIP(), outputInterface, e.destCIDR(), dockerInfo.cidr())
rules = tuple(map(ipsecEntryToIPTablesRule, ipsecInfo.entries()))
table = iptc.Table(iptc.Table.NAT)
table.autocommit = False
for rule in rules:
docker_ipsec.installIPTablesRule(table, parsedArgs.dockerBridge, *rule)
table.commit()
def main():
desc = "Start and stop IPSec tunnels while allowing docker containers to route traffic down the tunnels"
parser = argparse.ArgumentParser(description=desc, formatter_class=argparse.ArgumentDefaultsHelpFormatter)
parser.add_argument("command", type=str, choices=set(("up", "down")), help="Start or stop an IPSec tunnel")
parser.add_argument("connection", type=str, default="")
parser.add_argument(
"--docker-bridge", dest="dockerBridge", type=str, default="docker0", help="Name of the docker bridge"
)
parser.add_argument(
"--ipsec-route-table", dest="ipsecRouteTable", type=int, default=220, help="Route table containing IPSec routes"
)
parser.add_argument(
"--ipsec-conf", dest="ipsecConf", type=str, default="/etc/ipsec.conf", help="IPSec configuration file"
)
parsedArgs = parser.parse_args()
with open(parsedArgs.ipsecConf, "rt") as ipsecConfFile:
ipsecConfStr = ipsecConfFile.read()
ipsecConnectionName = parsedArgs.connection
if ipsecConnectionName == "":
ipsecConf = ipsecparse.loads(ipsecConfStr)
ipsecConnectionEntries = map(
lambda e: (e[0][0], e[1]),
filter(lambda e: e[0][0] == "conn" and e[0][1] != "%default", ipsecConf.entries()),
)
ipsecConnections = dict(ipsecConnectionEntries)
if len(ipsecConnections) != 1:
print("IPSec configuration in {0} contains more than one connection, specify which one:")
for c in ipsecConnections.keys():
print(c + "\n")
return 1
ipsecConnectionName = tuple(ipsecConnections.keys())[0]
if parsedArgs.command == "down":
docker_ipsec.removeIPTablesRules()
if not docker_ipsec.ipsec("down", ipsecConnectionName, verbose=True):
return 1
return 0
ipRoute = pyroute2.IPRoute()
dockerInfo = docker_ipsec.DockerInfo(ipRoute=ipRoute, dockerBridgeName=parsedArgs.dockerBridge)
if not docker_ipsec.ipsec("up", ipsecConnectionName, verbose=True):
return 1
ipsecInfo = docker_ipsec.IPSecInfo(ipRoute=ipRoute, ipsecTableIndex=parsedArgs.ipsecRouteTable)
def ipsecEntryToIPTablesRule(e):
outputInterfaceIndex = e.outputInterfaceIndex()
outputInterface = docker_ipsec.getInterfaceNameForIndex(outputInterfaceIndex, ipRoute=ipRoute)
return (e.sourceIP(), outputInterface, e.destCIDR(), dockerInfo.cidr())
rules = tuple(map(ipsecEntryToIPTablesRule, ipsecInfo.entries()))
table = iptc.Table(iptc.Table.NAT)
table.autocommit = False
for rule in rules:
docker_ipsec.installIPTablesRule(table, *rule)
table.commit()
