diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index 2f3235ef69cc..a591737befff 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -425,10 +425,10 @@ def deletevpn(self, ip):
 CsHelper.execute("ipsec auto --rereadall")
 
 def configure_iptables(self, dev, obj):
- self.fw.append(["", "front", "-A INPUT -i %s -p udp -m udp --dport 500 -j ACCEPT" % dev])
- self.fw.append(["", "front", "-A INPUT -i %s -p udp -m udp --dport 4500 -j ACCEPT" % dev])
- self.fw.append(["", "front", "-A INPUT -i %s -p esp -j ACCEPT" % dev])
- self.fw.append(["nat", "front", "-A POSTROUTING -t nat -o %s-m mark --set-xmark 0x525/0xffffffff -j ACCEPT" % dev])
+ self.fw.append(["", "front", "-A INPUT -i %s -p udp -m udp --dport 500 -s %s -d %s -j ACCEPT" % (dev, obj['peer_gateway_ip'], obj['local_public_ip'])])
+ self.fw.append(["", "front", "-A INPUT -i %s -p udp -m udp --dport 4500 -s %s -d %s -j ACCEPT" % (dev, obj['peer_gateway_ip'], obj['local_public_ip'])])
+ self.fw.append(["", "front", "-A INPUT -i %s -p esp -s %s -d %s -j ACCEPT" % (dev, obj['peer_gateway_ip'], obj['local_public_ip'])])
+ self.fw.append(["nat", "front", "-A POSTROUTING -t nat -o %s -m mark --mark 0x525 -j ACCEPT" % dev])
 for net in obj['peer_guest_cidr_list'].lstrip().rstrip().split(','):
 self.fw.append(["mangle", "front", "-A FORWARD -s %s -d %s -j MARK --set-xmark 0x525/0xffffffff" % (obj['local_guest_cidr'], net)])
 
@@ -453,7 +453,7 @@ def configure_ipsec(self, obj):
 file.addeq(" leftsubnet=%s" % obj['local_guest_cidr'])
 file.addeq(" leftnexthop=%s" % obj['local_public_gateway'])
 file.addeq(" right=%s" % rightpeer)
- file.addeq(" rightsubnets=%s" % peerlist)
+ file.addeq(" rightsubnets={%s}" % peerlist)
 file.addeq(" type=tunnel")
 file.addeq(" authby=secret")
 file.addeq(" keyexchange=ike")
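Review bot: The three INPUT rules now embed `obj['peer_gateway_ip']` and `obj['local_public_ip']` straight into the iptables argument string, so a value that is not a plain IP address (stray whitespace, a hostname, anything containing a space) yields a malformed or broader-than-intended rule rather than an error; validating both as IP addresses before building the rules would make the tightening reliable, and where these values originate is outside this hunk. The same triple `(dev, obj['peer_gateway_ip'], obj['local_public_ip'])` is repeated on all three added lines; hoisting it to `peer = obj['peer_gateway_ip']` and `local = obj['local_public_ip']` before the appends keeps the rules readable. The POSTROUTING rule now matches `--mark 0x525` without a mask, which is an exact match and agrees with the `--set-xmark 0x525/0xffffffff` written by the mangle rule below; a comment such as `# 0x525 marks site-to-site VPN traffic; ACCEPT in nat POSTROUTING presumably keeps it clear of later SNAT rules` would record why the rule exists.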
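Review bot: `rightsubnets={%s}` is the brace-enclosed multi-subnet form, which is documented as a whitespace-separated list, and `peerlist` is built before this hunk, so confirm its separator is a space rather than the comma used in `peer_guest_cidr_list`. A comment on the changed line, `# rightsubnets takes a brace-enclosed, whitespace-separated list of subnets`, would document the syntax requirement for the next maintainer. `configure_ipsec` starts outside the hunk.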
@@ -463,7 +463,7 @@ def configure_ipsec(self, obj):
 file.addeq(" salifetime=%s" % self.convert_sec_to_h(obj['esp_lifetime']))
 file.addeq(" pfs=%s" % CsHelper.bool_to_yn(obj['dpd']))
 file.addeq(" keyingtries=2")
- file.addeq(" auto=add")
+ file.addeq(" auto=start")
 if obj['dpd']:
 file.addeq(" dpddelay=30")
 file.addeq(" dpdtimeout=120")
@@ -678,9 +678,6 @@ def main(argv):
 red = CsRedundant(config)
 red.set()
 
- nf = CsNetfilters()
- nf.compare(config.get_fw())
-
 vpns = CsSite2SiteVpn("site2sitevpn", config)
 vpns.process()
 
@@ -693,6 +690,9 @@ def main(argv):
 mon = CsMonitor("monitorservice", config)
 mon.process()
 
+ nf = CsNetfilters()
+ nf.compare(config.get_fw())
+
 # Save iptables configuration - will be loaded on reboot by the iptables-restore that is configured on /etc/rc.local
 CsHelper.save_iptables("iptables-save", "/etc/iptables/router_rules.v4")
 CsHelper.save_iptables("ip6tables-save", "/etc/iptables/router_rules.v6")
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsFile.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsFile.py
index 28d441363baf..1cbf9713c4a4 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsFile.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsFile.py
@@ -114,7 +114,10 @@ def greplace(self, search, replace):
 
 def search(self, search, replace):
 found = False
- logging.debug("Searching for %s and replacing with %s" % (search, replace))
+ replace_filtered = replace
+ if re.search("PSK \"", replace):
+ replace_filtered = re.sub(r'".*"', '"****"', replace)
+ logging.debug("Searching for %s and replacing with %s" % (search, replace_filtered))
 for index, line in enumerate(self.new_config):
 if line.lstrip().startswith("#"):
 continue
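Review bot: The `pfs=` value on the second context line is derived from `obj['dpd']`, so turning dead-peer detection on or off silently toggles perfect forward secrecy; unless that coupling is intentional, `pfs` should come from the connection's own PFS setting, and this hunk leaves it as is. Switching `auto=add` to `auto=start` makes this side initiate the tunnel whenever ipsec loads the connection, and with `keyingtries=2` two lines above a peer that is unreachable at that moment is abandoned after two attempts, so consider whether that retry budget still fits an initiator or whether the DPD block below is expected to bring the tunnel back. A comment such as `# auto=start: initiate on load instead of waiting for the peer; keyingtries bounds the attempts` would record the intent. `configure_ipsec` continues on both sides of this hunk.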
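Review bot: Moving `nf.compare(config.get_fw())` to just before `save_iptables` means the accumulated rule set is only pushed into netfilter after `vpns.process()` and `mon.process()` have run, so as far as the visible lines show, an exception in either of those leaves no rules applied, whereas the earlier placement (removed in the hunk at line 678) applied the baseline set first; wrapping the processors so that `nf.compare` still runs, or an explicit note accepting the all-or-nothing behaviour, would make that deliberate. A comment above the added lines, `# Apply netfilter rules last so rules appended by the VPN and monitor processors are included`, would explain why the call was moved. `main` starts and ends outside the hunk.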
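Review bot: Only `replace` is masked before logging; `search` is still interpolated unfiltered on the new `logging.debug` line, so a caller that passes a previous secret line as the search string (for example when rotating a PSK) would log it in cleartext — apply the same filter, `search_filtered = re.sub(r'".*"', '"****"', search) if 'PSK "' in search else search`, and log `search_filtered`. The detection is a literal match on `PSK "`, so a secret written with different spacing or quoting escapes the mask; a plain substring test (`'PSK "' in replace`) says the same thing as `re.search("PSK \"", replace)` more directly, and keying on `PSK` alone would catch more variants. This relies on `re` being imported at the top of CsFile.py, which is not visible in the hunk. `search` continues below the hunk.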