You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by ya...@apache.org on 2012/07/03 01:40:17 UTC
[7/13] git commit: CS-6840: Update ipsectunnel.sh
CS-6840: Update ipsectunnel.sh
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/cd985433
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/cd985433
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/cd985433
Branch: refs/heads/vpc
Commit: cd9854336a8aeee1a174f4844293811485dcdd97
Parents: df062f1
Author: Sheng Yang <sh...@citrix.com>
Authored: Wed Jun 27 19:00:56 2012 -0700
Committer: Sheng Yang <sh...@citrix.com>
Committed: Mon Jul 2 16:27:38 2012 -0700
----------------------------------------------------------------------
.../debian/config/opt/cloud/bin/ipsectunnel.sh | 182 ++++++---------
1 files changed, 75 insertions(+), 107 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/cd985433/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh b/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
index 232958c..f3c5baf 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
@@ -12,147 +12,107 @@
#!/usr/bin/env bash
source /root/func.sh
-#lock="biglock"
-#locked=$(getLockFile $lock)
-#if [ "$locked" != "1" ]
-#then
-# exit 1
-#fi
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+ exit 1
+fi
vpnconfdir="/etc/ipsec.d"
-vpninmark="10"
-vpnoutmark="15"
-inIf="eth0"
-outIf="eth2"
+vpnoutmark="0x525"
usage() {
- printf "Usage: %s: (-A|-D) -r <right-side vpn peer> -R <right-side private ip> -p <right-side private subnet> -e <esp encryption> -E <esp hash> -l <sa lifetime> -i <ike encryption> -I <ike hash> -L <ike lifetime> -s <pre-shared secret> \n" $(basename $0) >&2
+ printf "Usage: %s: (-A|-D) -l <left-side vpn peer> -n <left-side guest cidr> -g <left-side gateway> -r <right-side vpn peer> -N <right-side private subnets> -e <esp policy> -i <ike policy> -t <lifetime> -s <pre-shared secret> \n" $(basename $0) >&2
}
#set -x
-get_dev_list() {
- ip link show | grep -e eth[2-9] | awk -F ":" '{print $2}'
- ip link show | grep -e eth1[0-9] | awk -F ":" '{print $2}'
+enable_iptable() {
+ sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT
+ for net in $rightnets
+ do
+ sudo iptables -A PREROUTING -t mangle -s $leftnet -d $net -j MARK --set-mark $vpnoutmark
+ done
}
-#ip_to_dev() {
-# local ip=$1
-#
-# for dev in $DEV_LIST; do
-# ip addr show dev $dev | grep inet | grep $ip &>> /dev/null
-# [ $? -eq 0 ] && echo $dev && return 0
-# done
-# return 1
-#}
-
-get_left_info() {
- leftpeer=`ip addr show dev $outIf | grep inet | grep brd | awk '{print $2}' | cut -d'/' -f1`
- leftpriv=`ip addr show dev $inIf | grep inet | grep brd | awk '{print $2}' | cut -d'/' -f1`
- leftnet=`ip route show | grep $inIf | head -1 | awk '{print $1}'`
- leftgw=`ip route show | grep $outIf | grep default | head -1 | awk '{print $3}'`
-}
-
-nonat_chain() {
- get_left_info
- outIp=$leftpeer
- if iptables -L VPN_$outIp -t mangle > /dev/null 2>&1 ; then
- VPNCHAIN="1"
- else
- # Create VPN_outIp chain and push all traffic through it to prevent NAT in the tunnel
- sudo iptables -N VPN_$outIp -t mangle
- sudo iptables -A FORWARD -t mangle -j VPN_$outIp
- sudo iptables -A OUTPUT -t mangle -j VPN_$outIp
- # Explicitly trust all ESP / VPN traffic
- sudo iptables -A PREROUTING -t mangle -d $outIp -p esp -j MARK --set-mark $vpninmark
- sudo iptables -A FORWARD -t filter -i $outIf -m mark --mark $vpninmark -j ACCEPT
- sudo iptables -A FORWARD -t filter -i $outIf -m mark --mark $vpnoutmark -j ACCEPT
- sudo /etc/init.d/ipsec start
- fi
+disable_iptable() {
+ sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT
+ for net in $rightnets
+ do
+ sudo iptables -D PREROUTING -t mangle -s $leftnet -d $net -j MARK --set-mark $vpnoutmark
+ done
}
ipsec_tunnel_del() {
- get_left_info
+ disable_iptable
outIp=$leftpeer
- local rightpeer=$1
- local rightnet=$2
- local op=$3
local vpnconffile=$vpnconfdir/ipsec.vpn-$rightpeer.conf
local vpnsecretsfile=$vpnconfdir/ipsec.vpn-$rightpeer.secrets
logger -t cloud "$(basename $0): removing configuration for ipsec tunnel to $rightpeer"
sudo rm -f $vpnconffile
sudo rm -f $vpnsecretsfile
- sudo iptables $op VPN_$outIp -t mangle -o $outIf -d $rightnet -j MARK --set-mark $vpnoutmark
}
ipsec_tunnel_add() {
- get_left_info
outIp=$leftpeer
- nonat_chain
sudo mkdir -p $vpnconfdir
- local rightpeer=$1
- local rightpriv=$2
- local rightnet=$3
- local espcrypt=$4
- local esphash=$5
- local salife=$6
- local ikecrypt=$7
- local ikehash=$8
- local ikelife=$9
- local secret=${10}
local vpnconffile=$vpnconfdir/ipsec.vpn-$rightpeer.conf
local vpnsecretsfile=$vpnconfdir/ipsec.vpn-$rightpeer.secrets
logger -t cloud "$(basename $0): creating configuration for ipsec tunnel: left peer=$leftpeer \
- right peer=$rightpeer right network=$rightnet phase1 encryption=$espcrypt phase1 hash=$esphash \
- phase2 encryption=$ikecrypt phase2 hash=$ikehash secret=$secret"
+ left net=$leftnet left gateway=$leftgw right peer=$rightpeer right network=$rightnets phase1 policy=$ikepolicy \
+ phase2 policy=$esppolicy lifetime=$time secret=$secret"
- [ "$op" == "-A" ] && ipsec_tunnel_del $rightpeer $rightnet "-D"
+ [ "$op" == "-A" ] && ipsec_tunnel_del $rightpeer $rightnets "-D"
sudo echo "conn vpn-$rightpeer" > $vpnconffile &&
sudo echo " left=$leftpeer" >> $vpnconffile &&
sudo echo " leftsubnet=$leftnet" >> $vpnconffile &&
sudo echo " leftnexthop=$leftgw" >> $vpnconffile &&
- sudo echo " leftsourceip=$leftpriv" >> $vpnconffile &&
sudo echo " right=$rightpeer" >> $vpnconffile &&
- sudo echo " rightsubnets={$rightnet}" >> $vpnconffile &&
- sudo echo " rightsourceip=$rightpriv" >> $vpnconffile &&
+ sudo echo " rightsubnets={$rightnets}" >> $vpnconffile &&
sudo echo " type=tunnel" >> $vpnconffile &&
sudo echo " authby=secret" >> $vpnconffile &&
sudo echo " keyexchange=ike" >> $vpnconffile &&
sudo echo " pfs=no" >> $vpnconffile &&
- sudo echo " esp=$espcrypt;$esphash" >> $vpnconffile &&
- sudo echo " salifetime=${salife}s" >> $vpnconffile &&
- sudo echo " ike=$ikecrypt;$ikehash" >> $vpnconffile &&
- sudo echo " ikelifetime=${ikelife}s" >> $vpnconffile &&
+ sudo echo " esp=$esppolicy" >> $vpnconffile &&
+ sudo echo " salifetime=${time}s" >> $vpnconffile &&
+ sudo echo " ike=$ikepolicy" >> $vpnconffile &&
+ sudo echo " ikelifetime=${time}s" >> $vpnconffile &&
+ sudo echo " keyingtries=3" >> $vpnconffile &&
+ sudo echo " dpddelay=30" >> $vpnconffile &&
+ sudo echo " dpdtimeout=120" >> $vpnconffile &&
+ sudo echo " dpdaction=restart" >> $vpnconffile &&
sudo echo " auto=start" >> $vpnconffile &&
- sudo echo "$leftpeer $rightpeer: PSK $secret" > $vpnsecretsfile &&
- sudo chmod 0400 $vpnsecretsfile &&
- sudo iptables -A VPN_$outIp -t mangle -o $outIf -d $rightnet -j MARK --set-mark $vpnoutmark &&
- sudo /etc/init.d/ipsec reload
+ sudo echo "$leftpeer $rightpeer: PSK \"$secret\"" > $vpnsecretsfile &&
+
+ sudo chmod 0400 $vpnsecretsfile
+
+ enable_iptable
+
+ sudo service ipsec restart
# Prevent NAT on "marked" VPN traffic
sudo iptables -D POSTROUTING -t nat -o $outIf -j SNAT --to-source $outIp
sudo iptables -D POSTROUTING -t nat -o $outIf -m mark ! --mark $vpnoutmark -j SNAT --to-source $outIp
sudo iptables -A POSTROUTING -t nat -o $outIf -m mark ! --mark $vpnoutmark -j SNAT --to-source $outIp
result=$?
- logger -t cloud "$(basename $0): done ipsec tunnel entry for right peer=$rightpeer right network=$rightnet"
+ logger -t cloud "$(basename $0): done ipsec tunnel entry for right peer=$rightpeer right networks=$rightnets"
return $result
}
rflag=
-Rflag=
pflag=
eflag=
Eflag=
lflag=
iflag=
Iflag=
-Lflag=
sflag=
op=""
-while getopts 'ADr:R:p:e:E:l:i:I:L:s:' OPTION
+while getopts 'ADl:n:g:r:N:e:i:t:s:' OPTION
do
case $OPTION in
A) opflag=1
@@ -161,55 +121,63 @@ do
D) opflag=2
op="-D"
;;
- r) rflag=1
- rightpeer="$OPTARG"
+ l) lflag=1
+ leftpeer="$OPTARG"
;;
- R) Rflag=1
- rightpriv="$OPTARG"
+ n) nflag=1
+ leftnet="$OPTARG"
;;
- p) pflag=1
- rightnet="$OPTARG"
+ g) gflag=1
+ leftgw="$OPTARG"
;;
- e) eflag=1
- espcrypt="$OPTARG"
+ r) rflag=1
+ rightpeer="$OPTARG"
;;
- E) Eflag=1
- esphash="$OPTARG"
+ N) Nflag=1
+ rightnets="$OPTARG"
;;
- l) lflag=1
- salife="$OPTARG"
+ e) eflag=1
+ esppolicy="$OPTARG"
;;
i) iflag=1
- ikecrypt="$OPTARG"
- ;;
- I) Iflag=1
- ikehash="$OPTARG"
+ ikepolicy="$OPTARG"
;;
- L) Lflag=1
- ikelife="$OPTARG"
+ t) tflag=1
+ time="$OPTARG"
;;
s) sflag=1
secret="$OPTARG"
;;
?) usage
-# unlock_exit 2 $lock $locked
+ unlock_exit 2 $lock $locked
;;
esac
done
-DEV_LIST=$(get_dev_list)
-OUTFILE=$(mktemp)
+# get interface for public ip
+ip link|grep BROADCAST|grep -v eth0|cut -d ":" -f 2 > /tmp/iflist
+while read i
+do
+ ip addr show $i|grep "$leftpeer"
+ if [ $? -eq 0 ]
+ then
+ outIf=$i
+ break
+ fi
+done < /tmp/iflist
+
+rightnets=${rightnets//,/ }
#Firewall ports for one-to-one/static NAT
if [ "$opflag" == "1" ]
then
- ipsec_tunnel_add $rightpeer $rightpriv $rightnet $espcrypt $esphash $salife $ikecrypt $ikehash $ikelife $secret
+ ipsec_tunnel_add
elif [ "$opflag" == "2" ]
then
- ipsec_tunnel_del $rightpeer $rightnet $op
+ ipsec_tunnel_del
else
printf "Invalid action specified, must choose -A or -D to add/del tunnels\n" >&2
-# unlock_exit 5 $lock $locked
+ unlock_exit 5 $lock $locked
fi
-#unlock_exit 0 $lock $locked
+unlock_exit 0 $lock $locked