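def connection_down(parsed_args):
    """Stop the IPsec connection selected by *parsed_args* and drop its iptables rules.

    Args:
        parsed_args: argparse namespace accepted by ``load_ipsec_connection``.

    Raises:
        DockerIPSecError: when ``ipsec down`` exits with a non-zero status.
    """
    ipsec_connection = load_ipsec_connection(parsed_args)
    connection_name = ipsec_connection['name']
    # The netlink socket is only needed for the state check; close it
    # deterministically instead of leaving it open for the process lifetime.
    with IPRoute() as ip_route:
        currently_up = is_connection_up(ip_route, ipsec_connection)
    if currently_up:
        ipsec_result = ipsec('down', connection_name)
        if ipsec_result.status != 0:
            raise DockerIPSecError('Failed to disconnect VPN: {0}\n{1}'.format(
                connection_name, ipsec_result.output))
    # Remove only the rules whose comment names this connection, so rules
    # belonging to other tunnels are untouched. Rules are cleaned up even
    # when the tunnel was already down, so a half-finished earlier teardown
    # does not leave stale NAT rules behind.
    filter_func = functools.partial(comment_matches_ipsec_connection, connection_name)
    remove_iptables_rules(filter_func)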
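def connection_down(parsed_args):
    """Stop the IPsec connection selected by *parsed_args* and drop its iptables rules.

    Args:
        parsed_args: argparse namespace accepted by ``load_ipsec_connection``.

    Raises:
        DockerIPSecError: when ``ipsec down`` exits with a non-zero status.
    """
    ipsec_connection = load_ipsec_connection(parsed_args)
    connection_name = ipsec_connection['name']
    # Scope the netlink socket to the state check so it is closed on every
    # path, including the exception path below.
    with IPRoute() as ip_route:
        tunnel_is_up = is_connection_up(ip_route, ipsec_connection)
    if tunnel_is_up:
        ipsec_result = ipsec('down', connection_name)
        if ipsec_result.status != 0:
            raise DockerIPSecError('Failed to disconnect VPN: {0}\n{1}'.format(
                connection_name, ipsec_result.output))
    # Only rules tagged with this connection's comment are removed; cleanup
    # runs even if the tunnel was already down so stale rules do not linger.
    filter_func = functools.partial(comment_matches_ipsec_connection, connection_name)
    remove_iptables_rules(filter_func)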
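def connection_up(parsed_args):
    """Start the IPsec connection and route the requested docker networks through it.

    Args:
        parsed_args: argparse namespace accepted by ``load_ipsec_connection``;
            ``parsed_args.dockerNetworks`` lists docker network names whose
            subnets should be routed through the tunnel (may be empty or None).

    Raises:
        DockerIPSecError: when ``ipsec up`` exits with a non-zero status.
    """
    ipsec_connection = load_ipsec_connection(parsed_args)
    connection_name = ipsec_connection['name']
    docker_networks = parsed_args.dockerNetworks
    # Truthiness rather than len(): an absent option may be None as well as
    # an empty list, and neither needs a docker client.
    if docker_networks:
        docker_client = docker.Client()
        docker_network_to_ip_network = functools.partial(
            ip_network_for_docker_network, docker_client)
        docker_ip_networks = tuple(map(docker_network_to_ip_network, docker_networks))
    else:
        docker_ip_networks = tuple()
    # Keep the netlink socket open only for the duration of the routing work.
    with IPRoute() as ip_route:
        if not is_connection_up(ip_route, ipsec_connection):
            ipsec_result = ipsec('up', connection_name)
            if ipsec_result.status != 0:
                raise DockerIPSecError('Failed to connect VPN: {0}\n{1}'.format(
                    connection_name, ipsec_result.output))
        # Routes are (re)added even when the tunnel was already up, so a
        # second invocation with additional networks takes effect.
        add_ip_networks(ip_route, docker_ip_networks, connection_name)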
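def connection_up(parsed_args):
    """Start the IPsec connection and route the requested docker networks through it.

    Args:
        parsed_args: argparse namespace accepted by ``load_ipsec_connection``;
            ``parsed_args.dockerNetworks`` lists docker network names whose
            subnets should be routed through the tunnel (may be empty or None).

    Raises:
        DockerIPSecError: when ``ipsec up`` exits with a non-zero status.
    """
    ipsec_connection = load_ipsec_connection(parsed_args)
    connection_name = ipsec_connection['name']
    docker_networks = parsed_args.dockerNetworks
    # Truthiness instead of len() so a None (option not given) is handled
    # the same way as an empty list and no docker client is created.
    if docker_networks:
        docker_client = docker.DockerClient()
        docker_network_to_ip_network = functools.partial(
            ip_network_for_docker_network, docker_client)
        docker_ip_networks = tuple(
            map(docker_network_to_ip_network, docker_networks))
    else:
        docker_ip_networks = tuple()
    # The netlink socket is closed when the block exits, on success or error.
    with IPRoute() as ip_route:
        if not is_connection_up(ip_route, ipsec_connection):
            ipsec_result = ipsec('up', connection_name)
            if ipsec_result.status != 0:
                raise DockerIPSecError('Failed to connect VPN: {0}\n{1}'.format(
                    connection_name, ipsec_result.output))
        # Routes are added regardless of whether the tunnel was already up,
        # so repeated invocations can extend the set of routed networks.
        add_ip_networks(ip_route, docker_ip_networks, connection_name)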
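def main():
    """Command-line entry point for managing an IPsec tunnel and docker NAT rules.

    Picks the IPsec connection to act on (the ``connection`` argument, or the
    single ``conn`` section of the ipsec.conf file when it is omitted), then
    dispatches on ``command``:

    * ``down``          remove the tool's iptables rules and stop the tunnel;
    * ``removebridge``  remove only the rules recorded for ``--docker-bridge``;
    * ``up``            start the tunnel, then install NAT rules for the bridge;
    * ``addbridge``     install NAT rules for the bridge on a running tunnel.

    Returns:
        Process exit status: 0 on success, 1 on failure.
    """
    desc = 'Start and stop IPSec tunnels while allowing docker containers to route traffic down the tunnels'
    parser = argparse.ArgumentParser(
        description=desc, formatter_class=argparse.ArgumentDefaultsHelpFormatter)
    # A tuple instead of a set keeps the choices in a stable order in --help.
    parser.add_argument('command', type=str,
                        choices=('up', 'down', 'addbridge', 'removebridge'),
                        help='Start or stop an IPSec tunnel')
    # nargs='?' makes the positional genuinely optional; without it argparse
    # rejects a command line that omits the connection and the default of ''
    # (which triggers auto-detection below) is never used.
    parser.add_argument('connection', type=str, nargs='?', default='',
                        help='IPSec connection name (auto-detected when the config has exactly one)')
    parser.add_argument('--docker-bridge', dest='dockerBridge', type=str,
                        default='docker0', help='Name of the docker bridge')
    parser.add_argument('--ipsec-route-table', dest='ipsecRouteTable', type=int,
                        default=220, help='Route table containing IPSec routes')
    parser.add_argument('--ipsec-conf', dest='ipsecConf', type=str,
                        default='/etc/ipsec.conf', help='IPSec configuration file')
    parsedArgs = parser.parse_args()

    with open(parsedArgs.ipsecConf, 'rt') as ipsecConfFile:
        ipsecConfStr = ipsecConfFile.read()

    ipsecConnectionName = parsedArgs.connection
    if ipsecConnectionName == '':
        ipsecConf = ipsecparse.loads(ipsecConfStr)
        # Each entry is ((section type, section name), body). Keep the real
        # 'conn' sections (skipping 'conn %default') keyed by their *name*:
        # keying by e[0][0] would collapse every section onto the key 'conn'
        # and hand the literal string 'conn' to `ipsec up`.
        ipsecConnections = dict(
            (e[0][1], e[1])
            for e in ipsecConf.entries()
            if e[0][0] == 'conn' and e[0][1] != '%default')
        if not ipsecConnections:
            print('IPSec configuration in {0} contains no connections'.format(
                parsedArgs.ipsecConf))
            return 1
        if len(ipsecConnections) != 1:
            # The message was previously printed with a literal '{0}'.
            print('IPSec configuration in {0} contains more than one connection, specify which one:'.format(
                parsedArgs.ipsecConf))
            for c in ipsecConnections.keys():
                print(c + '\n')
            return 1
        ipsecConnectionName = tuple(ipsecConnections.keys())[0]

    if parsedArgs.command == 'down':
        # Rules go first so containers are never left with NAT rules that
        # point at a tunnel which is already gone.
        docker_ipsec.removeIPTablesRules()
        if not docker_ipsec.ipsec('down', ipsecConnectionName, verbose=True):
            return 1
        return 0

    if parsedArgs.command == 'removebridge':
        def _removalFunc(j):
            # Only rules whose recorded metadata names this bridge are
            # removed; entries without that key (or not a mapping at all)
            # are kept. NOTE(review): j is assumed to be the decoded rule
            # comment -- confirm against removeIPTablesRules.
            try:
                return j['dockerBridgeName'] == parsedArgs.dockerBridge
            except (KeyError, TypeError):
                return False
        docker_ipsec.removeIPTablesRules(filterFunc=_removalFunc)
        return 0

    # argparse's choices guarantee this; keep it an explicit error rather
    # than an assert, which disappears under python -O.
    if parsedArgs.command not in ('up', 'addbridge'):
        parser.error('unsupported command: {0}'.format(parsedArgs.command))

    # Close the netlink socket once the route/interface lookups are done.
    with pyroute2.IPRoute() as ipRoute:
        dockerInfo = docker_ipsec.DockerInfo(
            ipRoute=ipRoute, dockerBridgeName=parsedArgs.dockerBridge)
        if parsedArgs.command == 'up' and not docker_ipsec.ipsec(
                'up', ipsecConnectionName, verbose=True):
            return 1
        ipsecInfo = docker_ipsec.IPSecInfo(
            ipRoute=ipRoute, ipsecTableIndex=parsedArgs.ipsecRouteTable)

        def ipsecEntryToIPTablesRule(e):
            # (source IP, outgoing interface, destination CIDR, bridge CIDR)
            # is the positional tail that installIPTablesRule expects.
            outputInterfaceIndex = e.outputInterfaceIndex()
            outputInterface = docker_ipsec.getInterfaceNameForIndex(
                outputInterfaceIndex, ipRoute=ipRoute)
            return (e.sourceIP(), outputInterface, e.destCIDR(), dockerInfo.cidr())

        rules = tuple(map(ipsecEntryToIPTablesRule, ipsecInfo.entries()))

    # autocommit is off so the rules land as one batch: if installing any
    # rule raises, nothing is committed and the NAT table is left unchanged.
    table = iptc.Table(iptc.Table.NAT)
    table.autocommit = False
    for rule in rules:
        docker_ipsec.installIPTablesRule(table, parsedArgs.dockerBridge, *rule)
    table.commit()
    return 0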
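def main():
    """Command-line entry point for managing an IPsec tunnel and docker NAT rules.

    Selects the IPsec connection (the ``connection`` argument, or the single
    ``conn`` section in the ipsec.conf file when omitted) and then handles
    ``command``:

    * ``down``          remove the tool's iptables rules and stop the tunnel;
    * ``removebridge``  remove only the rules recorded for ``--docker-bridge``;
    * ``up``            start the tunnel, then install NAT rules for the bridge;
    * ``addbridge``     install NAT rules for the bridge on a running tunnel.

    Returns:
        Process exit status: 0 on success, 1 on failure.
    """
    desc = 'Start and stop IPSec tunnels while allowing docker containers to route traffic down the tunnels'
    parser = argparse.ArgumentParser(description=desc,
                                     formatter_class=argparse.ArgumentDefaultsHelpFormatter)
    # Tuple rather than set: stable ordering of the choices in --help output.
    parser.add_argument('command', type=str,
                        choices=('up', 'down', 'addbridge', 'removebridge'),
                        help='Start or stop an IPSec tunnel')
    # Without nargs='?' a positional is always required, so the '' default
    # and the auto-detection branch below could never be reached.
    parser.add_argument('connection', type=str, nargs='?', default='',
                        help='IPSec connection name (auto-detected when the config has exactly one)')
    parser.add_argument('--docker-bridge', dest='dockerBridge', type=str, default='docker0',
                        help='Name of the docker bridge')
    parser.add_argument('--ipsec-route-table', dest='ipsecRouteTable', type=int, default=220,
                        help='Route table containing IPSec routes')
    parser.add_argument('--ipsec-conf', dest='ipsecConf', type=str, default='/etc/ipsec.conf',
                        help='IPSec configuration file')
    parsedArgs = parser.parse_args()

    with open(parsedArgs.ipsecConf, 'rt') as ipsecConfFile:
        ipsecConfStr = ipsecConfFile.read()

    ipsecConnectionName = parsedArgs.connection
    if ipsecConnectionName == '':
        ipsecConf = ipsecparse.loads(ipsecConfStr)
        # Entries look like ((section type, section name), body). Key the
        # 'conn' sections (minus 'conn %default') by their name; keying by
        # e[0][0] would map everything onto 'conn' and pass that literal
        # string to the ipsec command.
        ipsecConnections = dict(
            (e[0][1], e[1])
            for e in ipsecConf.entries()
            if e[0][0] == 'conn' and e[0][1] != '%default')
        if not ipsecConnections:
            print('IPSec configuration in {0} contains no connections'.format(parsedArgs.ipsecConf))
            return 1
        if len(ipsecConnections) != 1:
            # Previously printed with the '{0}' placeholder unexpanded.
            print('IPSec configuration in {0} contains more than one connection, specify which one:'.format(
                parsedArgs.ipsecConf))
            for c in ipsecConnections.keys():
                print(c + '\n')
            return 1
        ipsecConnectionName = tuple(ipsecConnections.keys())[0]

    if parsedArgs.command == 'down':
        # Remove the NAT rules before stopping the tunnel so container
        # traffic is never matched by rules pointing at a dead tunnel.
        docker_ipsec.removeIPTablesRules()
        if not docker_ipsec.ipsec('down', ipsecConnectionName, verbose=True):
            return 1
        return 0

    if parsedArgs.command == 'removebridge':
        def _removalFunc(j):
            # Keep anything that does not record this bridge, including
            # entries missing the key or that are not mappings at all.
            # NOTE(review): j appears to be the decoded rule comment --
            # confirm against removeIPTablesRules.
            try:
                return j['dockerBridgeName'] == parsedArgs.dockerBridge
            except (KeyError, TypeError):
                return False
        docker_ipsec.removeIPTablesRules(filterFunc=_removalFunc)
        return 0

    # Guaranteed by argparse choices; an explicit error rather than an
    # assert, which is stripped under python -O.
    if parsedArgs.command not in ('up', 'addbridge'):
        parser.error('unsupported command: {0}'.format(parsedArgs.command))

    # Scope the netlink socket to the lookups that need it.
    with pyroute2.IPRoute() as ipRoute:
        dockerInfo = docker_ipsec.DockerInfo(ipRoute=ipRoute, dockerBridgeName=parsedArgs.dockerBridge)
        if parsedArgs.command == 'up' and not docker_ipsec.ipsec('up', ipsecConnectionName, verbose=True):
            return 1
        ipsecInfo = docker_ipsec.IPSecInfo(ipRoute=ipRoute, ipsecTableIndex=parsedArgs.ipsecRouteTable)

        def ipsecEntryToIPTablesRule(e):
            # Positional tail for installIPTablesRule:
            # (source IP, outgoing interface, destination CIDR, bridge CIDR).
            outputInterfaceIndex = e.outputInterfaceIndex()
            outputInterface = docker_ipsec.getInterfaceNameForIndex(outputInterfaceIndex, ipRoute=ipRoute)
            return (e.sourceIP(), outputInterface, e.destCIDR(), dockerInfo.cidr())

        rules = tuple(map(ipsecEntryToIPTablesRule, ipsecInfo.entries()))

    # Batch the rule installation: with autocommit off, a failure while
    # installing any rule leaves the NAT table uncommitted and unchanged.
    table = iptc.Table(iptc.Table.NAT)
    table.autocommit = False
    for rule in rules:
        docker_ipsec.installIPTablesRule(table, parsedArgs.dockerBridge, *rule)
    table.commit()
    return 0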
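def main():
    """Command-line entry point: start or stop an IPsec tunnel for docker containers.

    Selects the IPsec connection (the ``connection`` argument, or the single
    ``conn`` section of the ipsec.conf file when omitted), then either tears
    down the tunnel and its iptables rules (``down``) or starts the tunnel and
    installs NAT rules for the docker bridge (``up``).

    Returns:
        Process exit status: 0 on success, 1 on failure.
    """
    desc = "Start and stop IPSec tunnels while allowing docker containers to route traffic down the tunnels"
    parser = argparse.ArgumentParser(description=desc, formatter_class=argparse.ArgumentDefaultsHelpFormatter)
    # A tuple keeps the choices in a stable order in --help; a set does not.
    parser.add_argument("command", type=str, choices=("up", "down"), help="Start or stop an IPSec tunnel")
    # nargs="?" makes the positional optional so the "" default -- and the
    # auto-detection it triggers below -- can actually occur.
    parser.add_argument(
        "connection", type=str, nargs="?", default="",
        help="IPSec connection name (auto-detected when the config has exactly one)"
    )
    parser.add_argument(
        "--docker-bridge", dest="dockerBridge", type=str, default="docker0", help="Name of the docker bridge"
    )
    parser.add_argument(
        "--ipsec-route-table", dest="ipsecRouteTable", type=int, default=220, help="Route table containing IPSec routes"
    )
    parser.add_argument(
        "--ipsec-conf", dest="ipsecConf", type=str, default="/etc/ipsec.conf", help="IPSec configuration file"
    )
    parsedArgs = parser.parse_args()

    with open(parsedArgs.ipsecConf, "rt") as ipsecConfFile:
        ipsecConfStr = ipsecConfFile.read()

    ipsecConnectionName = parsedArgs.connection
    if ipsecConnectionName == "":
        ipsecConf = ipsecparse.loads(ipsecConfStr)
        # Entries are ((section type, section name), body). Key the real
        # "conn" sections (not "conn %default") by their name: keying by
        # e[0][0] would fold every section onto "conn" and pass that literal
        # string to the ipsec command.
        ipsecConnections = dict(
            (e[0][1], e[1])
            for e in ipsecConf.entries()
            if e[0][0] == "conn" and e[0][1] != "%default"
        )
        if not ipsecConnections:
            print("IPSec configuration in {0} contains no connections".format(parsedArgs.ipsecConf))
            return 1
        if len(ipsecConnections) != 1:
            # The "{0}" placeholder was previously printed unexpanded.
            print(
                "IPSec configuration in {0} contains more than one connection, specify which one:".format(
                    parsedArgs.ipsecConf
                )
            )
            for c in ipsecConnections.keys():
                print(c + "\n")
            return 1
        ipsecConnectionName = tuple(ipsecConnections.keys())[0]

    if parsedArgs.command == "down":
        # Rules are removed before the tunnel goes down so container traffic
        # is never matched by NAT rules aimed at a tunnel that no longer exists.
        docker_ipsec.removeIPTablesRules()
        if not docker_ipsec.ipsec("down", ipsecConnectionName, verbose=True):
            return 1
        return 0

    # Close the netlink socket once the route/interface lookups are finished.
    with pyroute2.IPRoute() as ipRoute:
        dockerInfo = docker_ipsec.DockerInfo(ipRoute=ipRoute, dockerBridgeName=parsedArgs.dockerBridge)
        if not docker_ipsec.ipsec("up", ipsecConnectionName, verbose=True):
            return 1
        ipsecInfo = docker_ipsec.IPSecInfo(ipRoute=ipRoute, ipsecTableIndex=parsedArgs.ipsecRouteTable)

        def ipsecEntryToIPTablesRule(e):
            # Positional arguments for installIPTablesRule:
            # (source IP, outgoing interface, destination CIDR, bridge CIDR).
            outputInterfaceIndex = e.outputInterfaceIndex()
            outputInterface = docker_ipsec.getInterfaceNameForIndex(outputInterfaceIndex, ipRoute=ipRoute)
            return (e.sourceIP(), outputInterface, e.destCIDR(), dockerInfo.cidr())

        rules = tuple(map(ipsecEntryToIPTablesRule, ipsecInfo.entries()))

    # With autocommit off the rules are installed as a batch: a failure on
    # any rule leaves the NAT table uncommitted and therefore unchanged.
    table = iptc.Table(iptc.Table.NAT)
    table.autocommit = False
    for rule in rules:
        docker_ipsec.installIPTablesRule(table, *rule)
    table.commit()
    return 0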