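def connection_down(parsed_args):
    """Bring down the IPSec connection selected by ``parsed_args`` and drop its iptables rules.

    The connection is loaded from the IPSec configuration, ``ipsec down`` is run only if
    the tunnel is currently up, and every iptables rule whose comment names this
    connection is removed afterwards regardless of the tunnel's prior state.

    Args:
        parsed_args: argparse namespace, forwarded unchanged to ``load_ipsec_connection``.

    Raises:
        DockerIPSecError: if ``ipsec down`` exits with a non-zero status; the message
            carries the connection name and the command output.
    """
    ipsec_connection = load_ipsec_connection(parsed_args)
    connection_name = ipsec_connection['name']
    # IPRoute wraps a netlink socket; the context manager closes it on exit so the
    # descriptor is not leaked when this function returns or raises.
    with IPRoute() as ip_route:
        if is_connection_up(ip_route, ipsec_connection):
            ipsec_result = ipsec('down', connection_name)
            if ipsec_result.status != 0:
                raise DockerIPSecError('Failed to disconnect VPN: {0}\n{1}'.format(
                    connection_name, ipsec_result.output))

    # Rules are matched by the connection name in their comment. Removal runs even when
    # the tunnel was already down so no stale redirect rules survive a partial teardown.
    filter_func = functools.partial(comment_matches_ipsec_connection, connection_name)
    remove_iptables_rules(filter_func)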
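def connection_down(parsed_args):
    """Stop the selected IPSec connection and remove the iptables rules tagged with it.

    Args:
        parsed_args: argparse namespace, forwarded unchanged to ``load_ipsec_connection``.

    Raises:
        DockerIPSecError: if ``ipsec down`` exits with a non-zero status.
    """
    ipsec_connection = load_ipsec_connection(parsed_args)
    connection_name = ipsec_connection['name']
    ip_route = IPRoute()
    try:
        # Only call `ipsec down` when the tunnel is actually up; the rule cleanup
        # below does not depend on this branch.
        if is_connection_up(ip_route, ipsec_connection):
            ipsec_result = ipsec('down', connection_name)
            if ipsec_result.status != 0:
                raise DockerIPSecError('Failed to disconnect VPN: {0}\n{1}'.format(
                    connection_name, ipsec_result.output))
    finally:
        # Release the netlink socket held by IPRoute; the original never closed it.
        ip_route.close()

    # Remove every rule whose comment names this connection, even if the tunnel
    # was already down, so that no stale rules are left behind.
    filter_func = functools.partial(comment_matches_ipsec_connection,
                                    connection_name)
    remove_iptables_rules(filter_func)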
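def connection_up(parsed_args):
    """Bring up the selected IPSec connection and route the given docker networks through it.

    Args:
        parsed_args: argparse namespace; ``dockerNetworks`` holds the docker network
            names whose subnets are routed down the tunnel (may be empty or ``None``),
            and the rest is forwarded to ``load_ipsec_connection``.

    Raises:
        DockerIPSecError: if ``ipsec up`` exits with a non-zero status.
    """
    ipsec_connection = load_ipsec_connection(parsed_args)
    connection_name = ipsec_connection['name']
    docker_networks = parsed_args.dockerNetworks
    # Truthiness also covers a None default from argparse, which len() would reject.
    # Networks are resolved before the tunnel is touched, so an unknown network name
    # fails before any system state is changed.
    if docker_networks:
        docker_client = docker.Client()
        to_ip_network = functools.partial(ip_network_for_docker_network, docker_client)
        docker_ip_networks = tuple(map(to_ip_network, docker_networks))
    else:
        docker_ip_networks = ()

    # IPRoute wraps a netlink socket; close it on exit instead of leaking it.
    with IPRoute() as ip_route:
        if not is_connection_up(ip_route, ipsec_connection):
            ipsec_result = ipsec('up', connection_name)
            if ipsec_result.status != 0:
                raise DockerIPSecError('Failed to connect VPN: {0}\n{1}'.format(
                    connection_name, ipsec_result.output))

        # Routes are added even when the tunnel was already up, so a re-run with
        # additional docker networks picks them up.
        add_ip_networks(ip_route, docker_ip_networks, connection_name)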
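def connection_up(parsed_args):
    """Start the selected IPSec connection (if needed) and add routes for the docker networks.

    Args:
        parsed_args: argparse namespace; ``dockerNetworks`` lists docker network names
            to route through the tunnel (empty or ``None`` means no extra routes).

    Raises:
        DockerIPSecError: if ``ipsec up`` exits with a non-zero status.
    """
    ipsec_connection = load_ipsec_connection(parsed_args)
    connection_name = ipsec_connection['name']
    docker_networks = parsed_args.dockerNetworks
    # An empty list and a None default are both "nothing to route"; len() would
    # raise on None. Resolving networks first means a bad name fails early,
    # before the tunnel is brought up.
    if docker_networks:
        docker_client = docker.DockerClient()
        to_ip_network = functools.partial(
            ip_network_for_docker_network, docker_client)
        docker_ip_networks = tuple(map(to_ip_network, docker_networks))
    else:
        docker_ip_networks = ()

    ip_route = IPRoute()
    try:
        if not is_connection_up(ip_route, ipsec_connection):
            ipsec_result = ipsec('up', connection_name)
            if ipsec_result.status != 0:
                raise DockerIPSecError('Failed to connect VPN: {0}\n{1}'.format(
                    connection_name, ipsec_result.output))

        # Always (re)add the routes so a second run with more networks extends
        # an already-established tunnel.
        add_ip_networks(ip_route, docker_ip_networks, connection_name)
    finally:
        # Release the netlink socket; the original left it open.
        ip_route.close()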
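def main():
    """Command-line entry point: manage IPSec tunnels and the docker NAT rules for them.

    Commands:
        up            start the tunnel if needed, then install the NAT rules
        down          remove all managed NAT rules, then stop the tunnel
        addbridge     install the NAT rules for ``--docker-bridge`` without touching the tunnel
        removebridge  remove only the NAT rules tagged with ``--docker-bridge``

    Returns:
        1 on failure (ambiguous configuration or a failed ``ipsec`` call), 0 after
        ``down``/``removebridge``, otherwise ``None``.
    """
    desc = 'Start and stop IPSec tunnels while allowing docker containers to route traffic down the tunnels'
    parser = argparse.ArgumentParser(
        description=desc,
        formatter_class=argparse.ArgumentDefaultsHelpFormatter)

    # A tuple keeps the order of choices stable in --help output; a set does not.
    parser.add_argument('command',
                        type=str,
                        choices=('up', 'down', 'addbridge', 'removebridge'),
                        help='Start or stop an IPSec tunnel')

    # nargs='?' is what makes the default apply to a positional argument; without it
    # argparse requires the name and the auto-detection branch below is unreachable.
    parser.add_argument('connection',
                        type=str,
                        nargs='?',
                        default='',
                        help='IPSec connection name; auto-detected when the config defines exactly one')

    parser.add_argument('--docker-bridge',
                        dest='dockerBridge',
                        type=str,
                        default='docker0',
                        help='Name of the docker bridge')
    parser.add_argument('--ipsec-route-table',
                        dest='ipsecRouteTable',
                        type=int,
                        default=220,
                        help='Route table containing IPSec routes')
    parser.add_argument('--ipsec-conf',
                        dest='ipsecConf',
                        type=str,
                        default='/etc/ipsec.conf',
                        help='IPSec configuration file')

    parsedArgs = parser.parse_args()

    with open(parsedArgs.ipsecConf, 'rt') as ipsecConfFile:
        ipsecConfStr = ipsecConfFile.read()

    ipsecConnectionName = parsedArgs.connection
    if ipsecConnectionName == '':
        ipsecConf = ipsecparse.loads(ipsecConfStr)
        # Section keys are (type, name) tuples, as the filter relies on. The dict is
        # keyed by the connection *name* (e[0][1]); keying it by e[0][0] collapsed every
        # connection under the single key 'conn' and then passed 'conn' to ipsec.
        ipsecConnections = {
            e[0][1]: e[1]
            for e in ipsecConf.entries()
            if e[0][0] == 'conn' and e[0][1] != '%default'
        }
        if len(ipsecConnections) != 1:
            # Zero connections ends up here too, hence the count in the message.
            print(
                'IPSec configuration in {0} contains {1} connections, specify which one:'.format(
                    parsedArgs.ipsecConf, len(ipsecConnections)))
            for c in ipsecConnections:
                print(c + '\n')
            return 1

        ipsecConnectionName = next(iter(ipsecConnections))

    if parsedArgs.command == 'down':
        # Rules are removed before the tunnel is stopped.
        docker_ipsec.removeIPTablesRules()
        if not docker_ipsec.ipsec('down', ipsecConnectionName, verbose=True):
            return 1
        return 0

    if parsedArgs.command == 'removebridge':

        def _removalFunc(j):
            # Keep rules that carry no bridge tag (missing key or non-mapping value).
            # The original returned the misspelled name `Fale`, a NameError at runtime,
            # and caught it with a bare except.
            try:
                return j['dockerBridgeName'] == parsedArgs.dockerBridge
            except (KeyError, TypeError):
                return False

        docker_ipsec.removeIPTablesRules(filterFunc=_removalFunc)
        return 0

    # Only 'up' and 'addbridge' reach this point (argparse choices). IPRoute holds a
    # netlink socket; the context manager closes it when the work below is done.
    with pyroute2.IPRoute() as ipRoute:
        dockerInfo = docker_ipsec.DockerInfo(
            ipRoute=ipRoute, dockerBridgeName=parsedArgs.dockerBridge)

        if parsedArgs.command == 'up' and not docker_ipsec.ipsec(
                'up', ipsecConnectionName, verbose=True):
            return 1

        ipsecInfo = docker_ipsec.IPSecInfo(
            ipRoute=ipRoute, ipsecTableIndex=parsedArgs.ipsecRouteTable)

        def ipsecEntryToIPTablesRule(e):
            # One (source IP, output interface, destination CIDR, bridge CIDR) tuple
            # per IPSec policy entry, in installIPTablesRule's positional order.
            outputInterfaceIndex = e.outputInterfaceIndex()
            outputInterface = docker_ipsec.getInterfaceNameForIndex(
                outputInterfaceIndex, ipRoute=ipRoute)
            return (e.sourceIP(), outputInterface, e.destCIDR(), dockerInfo.cidr())

        rules = tuple(map(ipsecEntryToIPTablesRule, ipsecInfo.entries()))
        # autocommit off: all rules land in a single commit; if installing one of
        # them raises, nothing is committed.
        table = iptc.Table(iptc.Table.NAT)
        table.autocommit = False
        for rule in rules:
            docker_ipsec.installIPTablesRule(table, parsedArgs.dockerBridge, *rule)
        table.commit()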
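def main():
    """Command-line entry point for starting/stopping IPSec tunnels and their docker NAT rules.

    ``up`` starts the tunnel (if needed) and installs the rules, ``down`` removes the
    rules and stops the tunnel, ``addbridge`` installs rules only, ``removebridge``
    removes only the rules tagged with ``--docker-bridge``.

    Returns:
        1 on failure (ambiguous configuration or a failed ``ipsec`` call), 0 after
        ``down``/``removebridge``, otherwise ``None``.
    """
    desc = 'Start and stop IPSec tunnels while allowing docker containers to route traffic down the tunnels'
    parser = argparse.ArgumentParser(description=desc, formatter_class=argparse.ArgumentDefaultsHelpFormatter)

    # Tuple rather than set: keeps the choice order deterministic in --help.
    parser.add_argument('command', type=str, choices=('up', 'down', 'addbridge', 'removebridge'),
                        help='Start or stop an IPSec tunnel')

    # Positional defaults only apply with nargs='?'; without it the connection name is
    # mandatory and the auto-detection branch below can never run.
    parser.add_argument('connection', type=str, nargs='?', default='',
                        help='IPSec connection name; auto-detected when the config defines exactly one')

    parser.add_argument('--docker-bridge', dest='dockerBridge', type=str, default='docker0',
                        help='Name of the docker bridge')
    parser.add_argument('--ipsec-route-table', dest='ipsecRouteTable', type=int, default=220,
                        help='Route table containing IPSec routes')
    parser.add_argument('--ipsec-conf', dest='ipsecConf', type=str, default='/etc/ipsec.conf',
                        help='IPSec configuration file')

    parsedArgs = parser.parse_args()

    with open(parsedArgs.ipsecConf, 'rt') as ipsecConfFile:
        ipsecConfStr = ipsecConfFile.read()

    ipsecConnectionName = parsedArgs.connection
    if ipsecConnectionName == '':
        ipsecConf = ipsecparse.loads(ipsecConfStr)
        # Section keys are (type, name) tuples (the filter depends on that). Key the
        # dict by the name, e[0][1]; using e[0][0] made every connection collapse onto
        # the key 'conn', so the count was always 1 and 'conn' was handed to ipsec.
        ipsecConnections = {e[0][1]: e[1]
                            for e in ipsecConf.entries()
                            if e[0][0] == 'conn' and e[0][1] != '%default'}
        if len(ipsecConnections) != 1:
            # Also reached with zero connections, so report the actual count.
            print('IPSec configuration in {0} contains {1} connections, specify which one:'.format(
                parsedArgs.ipsecConf, len(ipsecConnections)))
            for c in ipsecConnections:
                print(c + '\n')
            return 1

        ipsecConnectionName = next(iter(ipsecConnections))

    if parsedArgs.command == 'down':
        # Rules go first, then the tunnel.
        docker_ipsec.removeIPTablesRules()
        if not docker_ipsec.ipsec('down', ipsecConnectionName, verbose=True):
            return 1
        return 0

    if parsedArgs.command == 'removebridge':
        def _removalFunc(j):
            # Rules without a bridge tag (missing key / non-mapping) are kept. The
            # original returned the misspelled `Fale` (a NameError) under a bare except.
            try:
                return j['dockerBridgeName'] == parsedArgs.dockerBridge
            except (KeyError, TypeError):
                return False
        docker_ipsec.removeIPTablesRules(filterFunc=_removalFunc)
        return 0

    # Only 'up' and 'addbridge' get here (argparse choices). The context manager
    # closes IPRoute's netlink socket once the rules are built and committed.
    with pyroute2.IPRoute() as ipRoute:
        dockerInfo = docker_ipsec.DockerInfo(ipRoute=ipRoute, dockerBridgeName=parsedArgs.dockerBridge)

        if parsedArgs.command == 'up' and not docker_ipsec.ipsec('up', ipsecConnectionName, verbose=True):
            return 1

        ipsecInfo = docker_ipsec.IPSecInfo(ipRoute=ipRoute, ipsecTableIndex=parsedArgs.ipsecRouteTable)

        def ipsecEntryToIPTablesRule(e):
            # (source IP, output interface, destination CIDR, bridge CIDR), in the
            # positional order installIPTablesRule expects after the bridge name.
            outputInterfaceIndex = e.outputInterfaceIndex()
            outputInterface = docker_ipsec.getInterfaceNameForIndex(outputInterfaceIndex, ipRoute=ipRoute)
            return (e.sourceIP(), outputInterface, e.destCIDR(), dockerInfo.cidr())

        rules = tuple(map(ipsecEntryToIPTablesRule, ipsecInfo.entries()))
        # autocommit off: a single commit at the end, nothing is applied if a rule fails.
        table = iptc.Table(iptc.Table.NAT)
        table.autocommit = False
        for rule in rules:
            docker_ipsec.installIPTablesRule(table, parsedArgs.dockerBridge, *rule)
        table.commit()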
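def main():
    """Command-line entry point: bring an IPSec tunnel up or down for docker containers.

    ``up`` starts the tunnel and installs NAT rules so traffic from the docker bridge
    network is sent towards the tunnel's destination CIDRs; ``down`` removes the
    managed rules and then stops the tunnel.

    Returns:
        1 on failure (ambiguous configuration or a failed ``ipsec`` call), 0 after a
        successful ``down``, ``None`` after a successful ``up``.
    """
    desc = "Start and stop IPSec tunnels while allowing docker containers to route traffic down the tunnels"
    parser = argparse.ArgumentParser(description=desc, formatter_class=argparse.ArgumentDefaultsHelpFormatter)

    # A tuple keeps the order of choices stable in --help output; a set does not.
    parser.add_argument("command", type=str, choices=("up", "down"), help="Start or stop an IPSec tunnel")

    # nargs="?" is what lets the default apply to a positional argument; without it the
    # connection name is mandatory and the auto-detection branch below is unreachable.
    parser.add_argument(
        "connection",
        type=str,
        nargs="?",
        default="",
        help="IPSec connection name; auto-detected when the config defines exactly one",
    )

    parser.add_argument(
        "--docker-bridge", dest="dockerBridge", type=str, default="docker0", help="Name of the docker bridge"
    )
    parser.add_argument(
        "--ipsec-route-table", dest="ipsecRouteTable", type=int, default=220, help="Route table containing IPSec routes"
    )
    parser.add_argument(
        "--ipsec-conf", dest="ipsecConf", type=str, default="/etc/ipsec.conf", help="IPSec configuration file"
    )

    parsedArgs = parser.parse_args()

    with open(parsedArgs.ipsecConf, "rt") as ipsecConfFile:
        ipsecConfStr = ipsecConfFile.read()

    ipsecConnectionName = parsedArgs.connection
    if ipsecConnectionName == "":
        ipsecConf = ipsecparse.loads(ipsecConfStr)
        # Section keys are (type, name) tuples, as the filter relies on. Key the dict by
        # the connection name (e[0][1]); keying by e[0][0] collapsed every connection
        # onto the single key "conn" and then passed "conn" to ipsec.
        ipsecConnections = {
            e[0][1]: e[1] for e in ipsecConf.entries() if e[0][0] == "conn" and e[0][1] != "%default"
        }
        if len(ipsecConnections) != 1:
            # Zero connections lands here as well, so the count is printed.
            print(
                "IPSec configuration in {0} contains {1} connections, specify which one:".format(
                    parsedArgs.ipsecConf, len(ipsecConnections)
                )
            )
            for c in ipsecConnections:
                print(c + "\n")
            return 1

        ipsecConnectionName = next(iter(ipsecConnections))

    if parsedArgs.command == "down":
        # Rules are removed before the tunnel is stopped.
        docker_ipsec.removeIPTablesRules()
        if not docker_ipsec.ipsec("down", ipsecConnectionName, verbose=True):
            return 1
        return 0

    # Only "up" remains (argparse choices). IPRoute holds a netlink socket; the
    # context manager closes it once the rules have been built and committed.
    with pyroute2.IPRoute() as ipRoute:
        dockerInfo = docker_ipsec.DockerInfo(ipRoute=ipRoute, dockerBridgeName=parsedArgs.dockerBridge)

        if not docker_ipsec.ipsec("up", ipsecConnectionName, verbose=True):
            return 1

        ipsecInfo = docker_ipsec.IPSecInfo(ipRoute=ipRoute, ipsecTableIndex=parsedArgs.ipsecRouteTable)

        def ipsecEntryToIPTablesRule(e):
            # (source IP, output interface, destination CIDR, bridge CIDR), in the
            # positional order installIPTablesRule expects.
            outputInterfaceIndex = e.outputInterfaceIndex()
            outputInterface = docker_ipsec.getInterfaceNameForIndex(outputInterfaceIndex, ipRoute=ipRoute)
            return (e.sourceIP(), outputInterface, e.destCIDR(), dockerInfo.cidr())

        rules = tuple(map(ipsecEntryToIPTablesRule, ipsecInfo.entries()))
        # autocommit off: one commit for all rules; a failure while installing leaves
        # the table untouched.
        table = iptc.Table(iptc.Table.NAT)
        table.autocommit = False
        for rule in rules:
            docker_ipsec.installIPTablesRule(table, *rule)
        table.commit()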