authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2018-09-05 16:43:10 +0300
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2018-09-05 17:33:42 +0300
commit866b4ac69bca08d8b1fd0f1970933ce6e240d29b (patch)
treed340d2f10cfd4e228ba9a91b90a0010c469cefc0
parent265aaf936458d4732e0fc10ba558a36129239a9a (diff)
setup-dmvpn: configure spoke firewall if active
-rw-r--r--dmvpn-hub.awall25
-rw-r--r--dmvpn.awall24
-rwxr-xr-xsetup-dmvpn53
3 files changed, 57 insertions, 45 deletions
diff --git a/dmvpn-hub.awall b/dmvpn-hub.awall
index 067230e..7d9f8ef 100644
--- a/dmvpn-hub.awall
+++ b/dmvpn-hub.awall
@@ -1,12 +1,6 @@
{
- "zone": {
- "dmvpn-ipsec": { "addr": "0.0.0.0/0" },
- "dmvpn-gre": { "addr": "0.0.0.0/0", "ipsec": true },
- "dmvpn-bgp": {
- "iface": "$dmvpn_gre_iface", "addr": "0.0.0.0/0"
- },
- "dmvpn": { "iface": "$dmvpn_gre_iface", "route-back": true }
- },
+ "description": "DMVPN hub",
+ "import": "dmvpn",
"log": {
"dmvpn": {
"mode": "nflog",
@@ -19,18 +13,5 @@
}
}
},
- "packet-log": [ { "in": "dmvpn", "out": "dmvpn", "log": "dmvpn" } ],
- "filter": [
- {
- "in": "_fw",
- "service": [ "dns", "http", "https", "ldap", "ldaps" ]
- },
- { "in": "dmvpn-ipsec", "out": "_fw", "service": "ipsec" },
- { "in": "_fw", "out": "dmvpn-ipsec", "service": "ipsec" },
- { "in": "dmvpn-gre", "out": "_fw", "service": "gre" },
- { "in": "_fw", "out": "dmvpn-gre", "service": "gre" },
- { "in": "dmvpn-bgp", "out": "_fw", "service": "bgp" },
- { "in": "_fw", "out": "dmvpn-bgp", "service": "bgp" },
- { "in": "dmvpn", "out": "dmvpn" }
- ]
+ "packet-log": [ { "in": "dmvpn", "out": "dmvpn", "log": "dmvpn" } ]
}
diff --git a/dmvpn.awall b/dmvpn.awall
new file mode 100644
index 0000000..339e571
--- /dev/null
+++ b/dmvpn.awall
@@ -0,0 +1,24 @@
+{
+ "description": "DMVPN router",
+ "zone": {
+ "dmvpn-ipsec": { "addr": "0.0.0.0/0" },
+ "dmvpn-gre": { "addr": "0.0.0.0/0", "ipsec": true },
+ "dmvpn-bgp": {
+ "iface": "$dmvpn_gre_iface", "addr": "0.0.0.0/0"
+ },
+ "dmvpn": { "iface": "$dmvpn_gre_iface", "route-back": true }
+ },
+ "filter": [
+ {
+ "in": "_fw",
+ "service": [ "dns", "http", "https", "ldap", "ldaps" ]
+ },
+ { "in": "dmvpn-ipsec", "out": "_fw", "service": "ipsec" },
+ { "in": "_fw", "out": "dmvpn-ipsec", "service": "ipsec" },
+ { "in": "dmvpn-gre", "out": "_fw", "service": "gre" },
+ { "in": "_fw", "out": "dmvpn-gre", "service": "gre" },
+ { "in": "dmvpn-bgp", "out": "_fw", "service": "bgp" },
+ { "in": "_fw", "out": "dmvpn-bgp", "service": "bgp" },
+ { "in": "dmvpn", "out": "dmvpn" }
+ ]
+}
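Review bot: The `dmvpn-ipsec`, `dmvpn-gre` and `dmvpn-bgp` zones carry `"addr": "0.0.0.0/0"` only, which in awall binds them to IPv4, so once setup-dmvpn also enables ip6tables (the `enable_firewall ip6tables` branch later in this commit) no IKE/ESP, GRE or BGP would be admitted over IPv6 transport; if that is ever intended, widen them to `"addr": [ "0.0.0.0/0", "::/0" ]`, and if IPv4-only transport is deliberate, record it in `description` since awall policy JSON has nowhere else for a comment. Only the interface-only `dmvpn` zone is family-agnostic, so the last `{ "in": "dmvpn", "out": "dmvpn" }` rule already covers IPv6 inside the tunnel. That same rule now applies to every router importing this policy, including spokes, allowing a spoke to forward between its tunnel peers; that is presumably the intent of "DMVPN router", but worth confirming rather than inheriting it from the hub policy by accident.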
diff --git a/setup-dmvpn b/setup-dmvpn
index bcc5021..022c703 100755
--- a/setup-dmvpn
+++ b/setup-dmvpn
@@ -245,35 +245,42 @@ enable_service nhrpd
vtysh -c "$(get_quagga_config)"
-if [ "$NFLOG_GROUP" ]; then
+if [ -f /etc/iptables/awall-save -o "$NFLOG_GROUP" ]; then
apk add awall
- cat > /etc/awall/dmvpn.json <<EOF
-{
- "variable": {
- "dmvpn_gre_iface": "$GRE_IFACE",
- "dmvpn_nflog_group": $NFLOG_GROUP,
- "dmvpn_site_mask": { "inet": $SITE_PREFIX_LEN_IPV4 }
- }
-}
-EOF
- [ "$SITE_PREFIX_LEN_IPV6" ] && augtool -s <<EOF
-set /files/etc/awall/dmvpn.json/dict/entry/dict/entry['dmvpn_site_mask']/dict/entry[2] inet6
-set /files/etc/awall/dmvpn.json/dict/entry/dict/entry['dmvpn_site_mask']/dict/entry[2]/number $SITE_PREFIX_LEN_IPV6
-EOF
-
- awall enable dmvpn-hub
- awall translate
- enable_firewall iptables
+ echo "{ \"variable\": { \"dmvpn_gre_iface\": \"$GRE_IFACE\" } }" > \
+ /etc/awall/dmvpn-config.json
- cat > /etc/nhrp-events.conf <<EOF
+ if [ "$NFLOG_GROUP" ]; then
+ cat > /etc/nhrp-events.conf <<EOF
max-prefix-length:
ip: $SITE_PREFIX_LEN_IPV4
EOF
-
- if [ "$SITE_PREFIX_LEN_IPV6" ]; then
- enable_firewall ip6tables
- cat >> /etc/nhrp-events.conf <<EOF
+ [ "$SITE_PREFIX_LEN_IPV6" ] && \
+ cat >> /etc/nhrp-events.conf <<EOF
ipv6: $SITE_PREFIX_LEN_IPV6
EOF
+
+ (
+ PREFIX="set /files/etc/awall/dmvpn-config.json/dict/entry/dict/entry"
+ cat <<EOF
+$PREFIX[2] dmvpn_nflog_group
+$PREFIX[2]/number $NFLOG_GROUP
+$PREFIX[3] dmvpn_site_mask
+$PREFIX[3]/dict/entry inet
+$PREFIX[3]/dict/entry/number $SITE_PREFIX_LEN_IPV4
+EOF
+ [ "$SITE_PREFIX_LEN_IPV6" ] && cat <<EOF
+$PREFIX[3]/dict/entry[2] inet6
+$PREFIX[3]/dict/entry[2]/number $SITE_PREFIX_LEN_IPV6
+EOF
+ ) | augtool -s
+ awall enable dmvpn-hub
+ else
+ awall enable dmvpn
fi
+
+ awall translate
+ enable_firewall iptables
+ [ -f /etc/iptables/rules6-save -o "$SITE_PREFIX_LEN_IPV6" ] && \
+ enable_firewall ip6tables
fi
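Review bot: The role switch enables `dmvpn-hub` or `dmvpn` but never disables the other, so re-running the script on a host whose role changed (or whose `NFLOG_GROUP` was removed) leaves the previously enabled policy active beside the new one and both sets of rules get translated; disable the other policy before the enable, e.g. `awall disable dmvpn` before `awall enable dmvpn-hub` and `awall disable dmvpn-hub` before `awall enable dmvpn`, tolerating the not-yet-enabled case. The closing `[ -f /etc/iptables/rules6-save -o "$SITE_PREFIX_LEN_IPV6" ] && enable_firewall ip6tables` returns 1 on an IPv4-only spoke without saved IPv6 rules; if this `if` block is the script's last statement (its tail is outside the hunk), that becomes the script's exit status, so write it as `if [ -f /etc/iptables/rules6-save ] || [ -n "$SITE_PREFIX_LEN_IPV6" ]; then enable_firewall ip6tables; fi`. The `-o` form of `test` used here and in the new outer condition is marked obsolescent by POSIX and ambiguous with four operands; `[ -f /etc/iptables/awall-save ] || [ -n "$NFLOG_GROUP" ]` is unambiguous. Neither the `augtool -s` pipeline nor `awall translate` has its exit status checked before `enable_firewall iptables`; unless the script runs under `set -e` (not visible here), a failed augtool edit leaves `dmvpn-config.json` without the variables `dmvpn-hub` needs and the firewall is still enabled.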