Пример #1
    def test5_conn_filter(self):
        """Filter ``conn`` sections by key predicates across config edits.

        Exercises ``conn_filter`` with ``Key`` equality/inequality predicates
        and ``Keys(...).contains``, after adding a section and after deleting
        one.
        """
        conf = loads(self.strongswan_in)

        def section_names(matches):
            # conn_filter yields pairs whose first element is the section name.
            return [match[0] for match in matches]

        # NOTE(review): `and`/`or` between Key predicates are plain Python
        # boolean operators (not overloadable), so conn_filter receives
        # whichever operand the operator evaluates to, not a combined
        # predicate — confirm this is the intended filter.
        only_roadwarrior = conf.conn_filter(
            Key('leftsubnet') == '10.1.0.0/16' and Key('right') == '%any'
        )
        self.assertEqual(section_names(only_roadwarrior), ['roadwarrior'])

        conf['conn', 'myconn'] = {'left': '10.1.0.1', 'right': '192.168.0.2'}
        by_right_address = conf.conn_filter(
            Keys('left', 'right').contains('192.168.0.2')
        )
        self.assertEqual(section_names(by_right_address), ['myconn'])

        not_matching_left = conf.conn_filter(Key('left') != '10.10.10.10')
        self.assertEqual(
            section_names(not_matching_left),
            ['%default', 'roadwarrior', 'myconn'],
        )

        del conf['conn', 'roadwarrior']
        # Raw filter result is compared here: an empty list is expected.
        nothing_left = conf.conn_filter(
            Key('leftsubnet') == '10.1.0.0/16' or Key('right') == '%any'
        )
        self.assertEqual(nothing_left, [])
Пример #2
    def test5_conn_filter(self):
        """conn_filter honours Key/Keys predicates before and after edits."""
        conf = loads(self.strongswan_in)

        def assert_filtered_names(predicate, expected):
            # Each match is a pair whose first element is the section name.
            matched = conf.conn_filter(predicate)
            self.assertEqual([entry[0] for entry in matched], expected)

        # NOTE(review): Python's `and`/`or` cannot be overloaded, so the
        # expression below hands conn_filter whichever operand `and`
        # evaluates to rather than a combined predicate — confirm intent.
        assert_filtered_names(
            Key('leftsubnet') == '10.1.0.0/16' and Key('right') == '%any',
            ['roadwarrior'])

        conf['conn', 'myconn'] = {'left': '10.1.0.1', 'right': '192.168.0.2'}
        assert_filtered_names(
            Keys('left', 'right').contains('192.168.0.2'), ['myconn'])
        assert_filtered_names(
            Key('left') != '10.10.10.10',
            ['%default', 'roadwarrior', 'myconn'])

        del conf['conn', 'roadwarrior']
        # The final check compares the raw filter result to an empty list.
        self.assertEqual(
            conf.conn_filter(
                Key('leftsubnet') == '10.1.0.0/16' or Key('right') == '%any'),
            [])
Пример #3
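def load_ipsec_conf(parsed_args):
    """Read and parse the ipsec.conf named by ``parsed_args.ipsecConf``.

    Args:
        parsed_args: argparse namespace whose ``ipsecConf`` attribute is the
            path of the configuration file.

    Returns:
        The configuration object returned by ``ipsecparse.loads``.

    Raises:
        DockerIPSecError: if the file cannot be read or cannot be parsed; the
            underlying error is attached as ``__cause__``.
    """
    path = parsed_args.ipsecConf
    try:
        with open(path, 'rt') as ipsec_conf_file:
            ipsec_conf_str = ipsec_conf_file.read()
    # OSError covers a missing/unreadable file, ValueError an undecodable one.
    # The previous `except BaseException` also wrapped KeyboardInterrupt and
    # SystemExit into DockerIPSecError; those must propagate untouched.
    except (OSError, ValueError) as e:
        raise DockerIPSecError('Failed to read: {0}'.format(path)) from e
    try:
        return ipsecparse.loads(ipsec_conf_str)
    except Exception as e:
        raise DockerIPSecError('Failed to parse: {0}'.format(path)) from e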
Пример #4
    def test4(self):
        """A double-quoted value followed by a comment keeps only the quoted text."""
        raw = '\n'.join([
            '',
            'config setup',
            '    nat_traversal=yes',
            '    plutodebug="all crypt" # testing quoted string',
            '    ',
            'conn myconn',
            '    left=192.168.0.2',
            '    right=10.0.0.1',
        ])
        parsed = loads(raw)
        setup_section = parsed['config', 'setup']
        self.assertEqual(setup_section['plutodebug'], "all crypt")
Пример #5
    def test4(self):
        """Quoted values survive a trailing ``#`` comment on the same line."""
        text = """
config setup
    nat_traversal=yes
    plutodebug="all crypt" # testing quoted string
    
conn myconn
    left=192.168.0.2
    right=10.0.0.1"""
        parsed = loads(text)
        plutodebug = parsed['config', 'setup']['plutodebug']
        self.assertEqual(plutodebug, "all crypt")
Пример #6
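def load_ipsec_conf(parsed_args):
    """Read and parse the ipsec.conf named by ``parsed_args.ipsecConf``.

    Args:
        parsed_args: argparse namespace whose ``ipsecConf`` attribute is the
            path of the configuration file.

    Returns:
        The configuration object returned by ``ipsecparse.loads``.

    Raises:
        DockerIPSecError: if the file cannot be read or cannot be parsed; the
            underlying error is attached as ``__cause__``.
    """
    path = parsed_args.ipsecConf
    try:
        with open(path, 'rt') as ipsec_conf_file:
            ipsec_conf_str = ipsec_conf_file.read()
    # OSError covers a missing/unreadable file, ValueError an undecodable one.
    # The previous `except BaseException` also wrapped KeyboardInterrupt and
    # SystemExit into DockerIPSecError; those must propagate untouched.
    except (OSError, ValueError) as e:
        raise DockerIPSecError('Failed to read: {0}'.format(path)) from e
    try:
        return ipsecparse.loads(ipsec_conf_str)
    except Exception as e:
        raise DockerIPSecError('Failed to parse: {0}'.format(path)) from e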
Пример #7
    def test3_empty_values(self):
        """A ``key=`` line with nothing after ``=`` parses to the empty string."""
        text = """
conn myconn1
    dpddelay=
    salifetime=1h
    aggrmode=

conn myconn2
    phase2=esp
    leftsubnet=
"""
        parsed = loads(text)
        expected_empty = (
            ('myconn1', 'dpddelay'),
            ('myconn1', 'aggrmode'),
            ('myconn2', 'leftsubnet'),
        )
        for section, key in expected_empty:
            self.assertEqual(parsed['conn', section][key], '')
Пример #8
    def test3_empty_values(self):
        """Empty values (``key=``) are kept as ``''`` rather than dropped."""
        raw = '\n'.join([
            '',
            'conn myconn1',
            '    dpddelay=',
            '    salifetime=1h',
            '    aggrmode=',
            '',
            'conn myconn2',
            '    phase2=esp',
            '    leftsubnet=',
            '',
        ])
        parsed = loads(raw)
        first = parsed['conn', 'myconn1']
        second = parsed['conn', 'myconn2']
        self.assertEqual(first['dpddelay'], '')
        self.assertEqual(first['aggrmode'], '')
        self.assertEqual(second['leftsubnet'], '')
Пример #9
    def test2_empty_lines(self):
        """Blank and whitespace-only lines vanish when the config is dumped."""
        # Three leading blank lines, a blank line inside the section and two
        # whitespace-only lines are all expected to be discarded.
        raw = '\n'.join([
            '',
            '',
            '',
            'config setup',
            '',
            '    nat_traversal=yes',
            '    ',
            '    ',
            '    strictcrlpolicy=yes',
            '',
            '',
        ])
        expected = 'config setup\n    nat_traversal=yes\n    strictcrlpolicy=yes\n'
        rendered = dumps(loads(raw), indent='    ')
        self.assertEqual(rendered, expected)
Пример #10
    def test2_empty_lines(self):
        """Round-tripping drops empty and whitespace-only lines."""
        text = """


config setup

    nat_traversal=yes
    
    
    strictcrlpolicy=yes

"""
        expected = """\
config setup
    nat_traversal=yes
    strictcrlpolicy=yes
"""
        parsed = loads(text)
        self.assertEqual(dumps(parsed, indent='    '), expected)
Пример #11
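from subprocess import Popen, PIPE, STDOUT
import os

####
# Capture the `ipsec status` output. The live invocation is kept commented
# out; a saved copy (ipsec.status) is read instead. Both forms pass argv as a
# list, so no shell is involved.
#ipsec_status, err = Popen(['ipsec', 'status'], stdout=PIPE).communicate()
# Only Popen/PIPE/STDOUT are imported from subprocess, so the original
# `subprocess.Popen(...)` raised NameError; call the imported name directly.
# Only stdout is piped, so `err` is always None here.
ipsec_status, err = Popen(['cat', 'ipsec.status'], stdout=PIPE).communicate()

####
# Path of the ipsec configuration file to report on.
ipsec_conf_file = 'cliente.conf'

# Separator lines used by the report printer.
sline = '========================================================================================================================================'
ssline = '----------------------------------------------------------------------------------------------------------------------------------------'

# NOTE(review): `loads` is not imported in this excerpt — presumably
# ipsecparse.loads; confirm the import further up the file.
# The `with` closes the handle that the bare open(...).read() left open.
with open(ipsec_conf_file) as conf_fh:
    config = loads(conf_fh.read())

# Main dict
data = {}
# ipsec global dict
globaldict = {}
globaldict['total'] = []

print(sline)
print('\t\t\t\t\tLibreSwan Status v.1.1 - by. wjesus')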
for info in config:
    name = info[1]
    print(sline)
Пример #12
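def main():
    """Command-line entry point for the docker/IPSec tunnel helper.

    ``command`` selects the action: ``up`` brings the IPSec connection up and
    installs the NAT rules for the docker bridge, ``down`` removes the rules
    and takes the connection down, ``addbridge`` installs the rules only and
    ``removebridge`` removes the rules recorded for ``--docker-bridge``.

    Returns:
        0 on success, 1 when ``ipsec`` reports failure or when the
        configuration does not name exactly one connection to use.
    """
    desc = 'Start and stop IPSec tunnels while allowing docker containers to route traffic down the tunnels'
    parser = argparse.ArgumentParser(
        description=desc,
        formatter_class=argparse.ArgumentDefaultsHelpFormatter)

    # A tuple keeps the choices in a stable order in --help output.
    parser.add_argument('command',
                        type=str,
                        choices=('up', 'down', 'addbridge', 'removebridge'),
                        help='Start or stop an IPSec tunnel')

    parser.add_argument('connection', type=str, default='')

    parser.add_argument('--docker-bridge',
                        dest='dockerBridge',
                        type=str,
                        default='docker0',
                        help='Name of the docker bridge')
    parser.add_argument('--ipsec-route-table',
                        dest='ipsecRouteTable',
                        type=int,
                        default=220,
                        help='Route table containing IPSec routes')
    parser.add_argument('--ipsec-conf',
                        dest='ipsecConf',
                        type=str,
                        default='/etc/ipsec.conf',
                        help='IPSec configuration file')

    parsedArgs = parser.parse_args()

    with open(parsedArgs.ipsecConf, 'rt') as ipsecConfFile:
        ipsecConfStr = ipsecConfFile.read()

    ipsecConnectionName = parsedArgs.connection
    if ipsecConnectionName == '':
        ipsecConnectionName = _chooseConnection(ipsecConfStr, parsedArgs.ipsecConf)
        if ipsecConnectionName is None:
            return 1

    if parsedArgs.command == 'down':
        docker_ipsec.removeIPTablesRules()
        if not docker_ipsec.ipsec('down', ipsecConnectionName, verbose=True):
            return 1
        return 0

    if parsedArgs.command == 'removebridge':

        def _removalFunc(j):
            # Keep rule records that carry no dockerBridgeName (or are not
            # subscriptable); only the named bridge's rules are removed.
            # The original `return Fale` raised NameError from inside a bare
            # except, so any record without the key aborted the command.
            try:
                return j['dockerBridgeName'] == parsedArgs.dockerBridge
            except (KeyError, TypeError):
                return False

        docker_ipsec.removeIPTablesRules(filterFunc=_removalFunc)
        return 0

    if parsedArgs.command not in ('up', 'addbridge'):
        # argparse's choices already guarantee this; an explicit error
        # replaces the assert, which is stripped under -O.
        raise ValueError('unsupported command: {0}'.format(parsedArgs.command))

    ipRoute = pyroute2.IPRoute()
    try:
        dockerInfo = docker_ipsec.DockerInfo(
            ipRoute=ipRoute, dockerBridgeName=parsedArgs.dockerBridge)

        if parsedArgs.command == 'up' and not docker_ipsec.ipsec(
                'up', ipsecConnectionName, verbose=True):
            return 1

        ipsecInfo = docker_ipsec.IPSecInfo(
            ipRoute=ipRoute, ipsecTableIndex=parsedArgs.ipsecRouteTable)
        _installBridgeRules(ipRoute, dockerInfo, ipsecInfo, parsedArgs.dockerBridge)
        return 0
    finally:
        # Release the netlink socket on every exit path.
        ipRoute.close()


def _chooseConnection(ipsecConfStr, confPath):
    """Return the name of the only user-defined ``conn`` section, or None.

    ``ipsecparse`` entries expose a ``(section_type, section_name)`` pair as
    element 0 and the section body as element 1; the ``%default`` connection
    is skipped. When zero or several connections remain, the candidates are
    printed so the user can pass one explicitly, and None is returned.

    Args:
        ipsecConfStr: the ipsec.conf text.
        confPath: path of that file, used in the message only.
    """
    ipsecConf = ipsecparse.loads(ipsecConfStr)
    # Key by the section *name* (e[0][1]). The original keyed by e[0][0],
    # which is 'conn' for every entry, so the dict always collapsed to one
    # key and "the only connection" became the literal string 'conn'.
    ipsecConnections = {
        e[0][1]: e[1]
        for e in ipsecConf.entries()
        if e[0][0] == 'conn' and e[0][1] != '%default'
    }
    if len(ipsecConnections) != 1:
        # The original message was never .format()-ed and claimed "more than
        # one" even when there were none.
        print('IPSec configuration in {0} contains {1} connections, specify which one:'.format(
            confPath, len(ipsecConnections)))
        for c in ipsecConnections:
            print(c + '\n')
        return None
    return next(iter(ipsecConnections))


def _installBridgeRules(ipRoute, dockerInfo, ipsecInfo, dockerBridge):
    """Install one NAT rule per IPSec entry for ``dockerBridge`` in a single commit."""

    def ipsecEntryToIPTablesRule(e):
        # (source IP, output interface name, destination CIDR, bridge CIDR)
        outputInterface = docker_ipsec.getInterfaceNameForIndex(
            e.outputInterfaceIndex(), ipRoute=ipRoute)
        return (e.sourceIP(), outputInterface, e.destCIDR(), dockerInfo.cidr())

    # Resolve every rule before opening the table so a lookup failure leaves
    # iptables untouched.
    rules = tuple(map(ipsecEntryToIPTablesRule, ipsecInfo.entries()))
    table = iptc.Table(iptc.Table.NAT)
    table.autocommit = False  # batch all inserts into one commit
    for rule in rules:
        docker_ipsec.installIPTablesRule(table, dockerBridge, *rule)
    table.commit()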
Пример #13
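def main():
    """Command-line entry point for the docker/IPSec tunnel helper.

    ``command`` selects the action: ``up`` brings the IPSec connection up and
    installs the NAT rules for the docker bridge, ``down`` removes the rules
    and takes the connection down, ``addbridge`` installs the rules only and
    ``removebridge`` removes the rules recorded for ``--docker-bridge``.

    Returns:
        0 on success, 1 when ``ipsec`` reports failure or when the
        configuration does not name exactly one connection to use.
    """
    desc = 'Start and stop IPSec tunnels while allowing docker containers to route traffic down the tunnels'
    parser = argparse.ArgumentParser(description=desc, formatter_class=argparse.ArgumentDefaultsHelpFormatter)

    # A tuple keeps the choices in a stable order in --help output.
    parser.add_argument('command', type=str, choices=('up', 'down', 'addbridge', 'removebridge'),
                        help='Start or stop an IPSec tunnel')

    parser.add_argument('connection', type=str, default='')

    parser.add_argument('--docker-bridge', dest='dockerBridge', type=str, default='docker0',
                        help='Name of the docker bridge')
    parser.add_argument('--ipsec-route-table', dest='ipsecRouteTable', type=int, default=220,
                        help='Route table containing IPSec routes')
    parser.add_argument('--ipsec-conf', dest='ipsecConf', type=str, default='/etc/ipsec.conf',
                        help='IPSec configuration file')

    parsedArgs = parser.parse_args()

    with open(parsedArgs.ipsecConf, 'rt') as ipsecConfFile:
        ipsecConfStr = ipsecConfFile.read()

    ipsecConnectionName = parsedArgs.connection
    if ipsecConnectionName == '':
        ipsecConnectionName = _chooseConnection(ipsecConfStr, parsedArgs.ipsecConf)
        if ipsecConnectionName is None:
            return 1

    if parsedArgs.command == 'down':
        docker_ipsec.removeIPTablesRules()
        if not docker_ipsec.ipsec('down', ipsecConnectionName, verbose=True):
            return 1
        return 0

    if parsedArgs.command == 'removebridge':
        def _removalFunc(j):
            # Keep rule records that carry no dockerBridgeName (or are not
            # subscriptable); only the named bridge's rules are removed.
            # The original `return Fale` raised NameError from inside a bare
            # except, so any record without the key aborted the command.
            try:
                return j['dockerBridgeName'] == parsedArgs.dockerBridge
            except (KeyError, TypeError):
                return False
        docker_ipsec.removeIPTablesRules(filterFunc=_removalFunc)
        return 0

    if parsedArgs.command not in ('up', 'addbridge'):
        # argparse's choices already guarantee this; an explicit error
        # replaces the assert, which is stripped under -O.
        raise ValueError('unsupported command: {0}'.format(parsedArgs.command))

    ipRoute = pyroute2.IPRoute()
    try:
        dockerInfo = docker_ipsec.DockerInfo(ipRoute=ipRoute, dockerBridgeName=parsedArgs.dockerBridge)

        if parsedArgs.command == 'up' and not docker_ipsec.ipsec('up', ipsecConnectionName, verbose=True):
            return 1

        ipsecInfo = docker_ipsec.IPSecInfo(ipRoute=ipRoute, ipsecTableIndex=parsedArgs.ipsecRouteTable)
        _installBridgeRules(ipRoute, dockerInfo, ipsecInfo, parsedArgs.dockerBridge)
        return 0
    finally:
        # Release the netlink socket on every exit path.
        ipRoute.close()


def _chooseConnection(ipsecConfStr, confPath):
    """Return the name of the only user-defined ``conn`` section, or None.

    ``ipsecparse`` entries expose a ``(section_type, section_name)`` pair as
    element 0 and the section body as element 1; the ``%default`` connection
    is skipped. When zero or several connections remain, the candidates are
    printed so the user can pass one explicitly, and None is returned.

    Args:
        ipsecConfStr: the ipsec.conf text.
        confPath: path of that file, used in the message only.
    """
    ipsecConf = ipsecparse.loads(ipsecConfStr)
    # Key by the section *name* (e[0][1]). The original keyed by e[0][0],
    # which is 'conn' for every entry, so the dict always collapsed to one
    # key and "the only connection" became the literal string 'conn'.
    ipsecConnections = {e[0][1]: e[1]
                        for e in ipsecConf.entries()
                        if e[0][0] == 'conn' and e[0][1] != '%default'}
    if len(ipsecConnections) != 1:
        # The original message was never .format()-ed and claimed "more than
        # one" even when there were none.
        print('IPSec configuration in {0} contains {1} connections, specify which one:'.format(
            confPath, len(ipsecConnections)))
        for c in ipsecConnections:
            print(c + '\n')
        return None
    return next(iter(ipsecConnections))


def _installBridgeRules(ipRoute, dockerInfo, ipsecInfo, dockerBridge):
    """Install one NAT rule per IPSec entry for ``dockerBridge`` in a single commit."""
    def ipsecEntryToIPTablesRule(e):
        # (source IP, output interface name, destination CIDR, bridge CIDR)
        outputInterface = docker_ipsec.getInterfaceNameForIndex(e.outputInterfaceIndex(), ipRoute=ipRoute)
        return (e.sourceIP(), outputInterface, e.destCIDR(), dockerInfo.cidr())

    # Resolve every rule before opening the table so a lookup failure leaves
    # iptables untouched.
    rules = tuple(map(ipsecEntryToIPTablesRule, ipsecInfo.entries()))
    table = iptc.Table(iptc.Table.NAT)
    table.autocommit = False  # batch all inserts into one commit
    for rule in rules:
        docker_ipsec.installIPTablesRule(table, dockerBridge, *rule)
    table.commit()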
Пример #14
 def test1(self):
     """Dumping the parsed strongswan sample reproduces the expected text."""
     parsed = loads(self.strongswan_in)
     rendered = dumps(parsed, indent='    ')
     self.assertEqual(rendered, self.strongswan_out)
Пример #15
 def test1(self):
     """loads -> dumps round-trip of the strongswan sample is byte-exact."""
     four_spaces = '    '
     self.assertEqual(dumps(loads(self.strongswan_in), indent=four_spaces),
                      self.strongswan_out)
Пример #16
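def main():
    """Command-line entry point for the docker/IPSec tunnel helper.

    ``command`` is ``up`` (bring the connection up and install NAT rules for
    the docker bridge) or ``down`` (remove the rules and take it down).

    Returns:
        0 on success, 1 when ``ipsec`` reports failure or when the
        configuration does not name exactly one connection to use.
    """
    desc = "Start and stop IPSec tunnels while allowing docker containers to route traffic down the tunnels"
    parser = argparse.ArgumentParser(description=desc, formatter_class=argparse.ArgumentDefaultsHelpFormatter)

    # A tuple keeps the choices in a stable order in --help output.
    parser.add_argument("command", type=str, choices=("up", "down"), help="Start or stop an IPSec tunnel")

    parser.add_argument("connection", type=str, default="")

    parser.add_argument(
        "--docker-bridge", dest="dockerBridge", type=str, default="docker0", help="Name of the docker bridge"
    )
    parser.add_argument(
        "--ipsec-route-table", dest="ipsecRouteTable", type=int, default=220, help="Route table containing IPSec routes"
    )
    parser.add_argument(
        "--ipsec-conf", dest="ipsecConf", type=str, default="/etc/ipsec.conf", help="IPSec configuration file"
    )

    parsedArgs = parser.parse_args()

    with open(parsedArgs.ipsecConf, "rt") as ipsecConfFile:
        ipsecConfStr = ipsecConfFile.read()

    ipsecConnectionName = parsedArgs.connection
    if ipsecConnectionName == "":
        ipsecConnectionName = _chooseConnection(ipsecConfStr, parsedArgs.ipsecConf)
        if ipsecConnectionName is None:
            return 1

    if parsedArgs.command == "down":
        docker_ipsec.removeIPTablesRules()
        if not docker_ipsec.ipsec("down", ipsecConnectionName, verbose=True):
            return 1
        return 0

    ipRoute = pyroute2.IPRoute()
    try:
        dockerInfo = docker_ipsec.DockerInfo(ipRoute=ipRoute, dockerBridgeName=parsedArgs.dockerBridge)

        if not docker_ipsec.ipsec("up", ipsecConnectionName, verbose=True):
            return 1

        ipsecInfo = docker_ipsec.IPSecInfo(ipRoute=ipRoute, ipsecTableIndex=parsedArgs.ipsecRouteTable)
        _installNatRules(ipRoute, dockerInfo, ipsecInfo)
        return 0
    finally:
        # Release the netlink socket on every exit path.
        ipRoute.close()


def _chooseConnection(ipsecConfStr, confPath):
    """Return the name of the only user-defined ``conn`` section, or None.

    ``ipsecparse`` entries expose a ``(section_type, section_name)`` pair as
    element 0 and the section body as element 1; the ``%default`` connection
    is skipped. When zero or several connections remain, the candidates are
    printed so the user can pass one explicitly, and None is returned.

    Args:
        ipsecConfStr: the ipsec.conf text.
        confPath: path of that file, used in the message only.
    """
    ipsecConf = ipsecparse.loads(ipsecConfStr)
    # Key by the section *name* (e[0][1]). The original keyed by e[0][0],
    # which is "conn" for every entry, so the dict always collapsed to one
    # key and "the only connection" became the literal string "conn".
    ipsecConnections = {
        e[0][1]: e[1] for e in ipsecConf.entries() if e[0][0] == "conn" and e[0][1] != "%default"
    }
    if len(ipsecConnections) != 1:
        # The original message was never .format()-ed and claimed "more than
        # one" even when there were none.
        print(
            "IPSec configuration in {0} contains {1} connections, specify which one:".format(
                confPath, len(ipsecConnections)
            )
        )
        for c in ipsecConnections:
            print(c + "\n")
        return None
    return next(iter(ipsecConnections))


def _installNatRules(ipRoute, dockerInfo, ipsecInfo):
    """Install one NAT rule per IPSec entry in a single iptables commit."""

    def ipsecEntryToIPTablesRule(e):
        # (source IP, output interface name, destination CIDR, bridge CIDR)
        outputInterface = docker_ipsec.getInterfaceNameForIndex(e.outputInterfaceIndex(), ipRoute=ipRoute)
        return (e.sourceIP(), outputInterface, e.destCIDR(), dockerInfo.cidr())

    # Resolve every rule before opening the table so a lookup failure leaves
    # iptables untouched.
    rules = tuple(map(ipsecEntryToIPTablesRule, ipsecInfo.entries()))
    table = iptc.Table(iptc.Table.NAT)
    table.autocommit = False  # batch all inserts into one commit
    for rule in rules:
        docker_ipsec.installIPTablesRule(table, *rule)
    table.commit()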