authorJohn Southworth <john.southworth@vyatta.com>2011-02-03 19:21:44 -0600
committerJohn Southworth <john.southworth@vyatta.com>2011-02-03 19:21:44 -0600
commit5db06eea839ef18cc090570af0227059c3bd51b7 (patch)
tree6151a6f5a5a53965ba66364a752a5918c19c6f0f
parent8886c248e9bbbd4fb102870a628ab187a9f45d79 (diff)
downloadvyatta-cfg-vpn-5db06eea839ef18cc090570af0227059c3bd51b7.tar.gz
vyatta-cfg-vpn-5db06eea839ef18cc090570af0227059c3bd51b7.zip
Initial additions to support local and remote protoport in general instead of just for GRE
-rwxr-xr-xlib/Vyatta/VPN/Util.pm45
-rwxr-xr-xscripts/vpn-config.pl60
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/local/node.def1
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/local/port/node.def6
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/local/protocol/node.def11
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/local/subnet/node.def (renamed from templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/local-subnet/node.def)0
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/protocol/node.def3
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/remote/node.def1
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/remote/port/node.def6
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/remote/protocol/node.def11
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/remote/subnet/node.def (renamed from templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/remote-subnet/node.def)0
11 files changed, 127 insertions, 17 deletions
diff --git a/lib/Vyatta/VPN/Util.pm b/lib/Vyatta/VPN/Util.pm
index e57d5f9..23ba63d 100755
--- a/lib/Vyatta/VPN/Util.pm
+++ b/lib/Vyatta/VPN/Util.pm
@@ -27,7 +27,7 @@ use strict;
use warnings;
our @EXPORT = qw(rsa_get_local_key_file LOCAL_KEY_FILE_DEFAULT rsa_get_local_pubkey
- is_vpn_running vpn_debug enableICMP);
+ is_vpn_running vpn_debug enableICMP is_tcp_udp get_protocols conv_protocol);
use base qw(Exporter);
use Vyatta::Config;
@@ -40,6 +40,49 @@ sub is_vpn_running {
return ( -e '/var/run/pluto.ctl');
}
+sub get_protocols {
+ my $cmd = "sudo cat /etc/protocols |";
+ open(PROTOCOLS, $cmd);
+ my @protocols = [];
+ while(<PROTOCOLS>){
+ push (@protocols, $_);
+ }
+ my %protohash = ();
+ foreach my $line (@protocols) {
+ next if ($line =~ /^\#/);
+ if ($line =~ /(\S+)\s+(\d+)\s+(\S+)\s+\#(.*)/){
+ my ($name, $number, $desc) = ($1,$2,$4);
+ if (not exists $protohash{$number}){
+ $protohash{$number} = {
+ _name => $name,
+ _number => $number,
+ _desc => $desc
+ };
+ }
+ }
+ }
+ return %protohash;
+}
+
+sub conv_protocol {
+ my $proto = pop(@_);
+ my %protohash = get_protocols();
+ foreach my $key (keys %protohash){
+ if ("$key" == "$proto") {
+ return $protohash{$key}->{_name};
+ }
+ }
+ return $proto;
+}
+
+
+sub is_tcp_udp {
+ my $protocol = pop @_;
+ return 1 if (($protocol eq '6') || ($protocol eq 'tcp') ||
+ ($protocol eq '17') || ($protocol eq 'udp'));
+ return 0;
+}
+
sub rsa_get_local_key_file {
my $file = LOCAL_KEY_FILE_DEFAULT;
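Review bot: `conv_protocol` compares every key with `==`, so a protocol given by name ("gre", "tcp") numifies to 0 and matches the entry numbered 0 if /etc/protocols has one (the standard file lists `ip 0`), returning that entry's name instead of the caller's value; the lookup should only be attempted for all-digit input and done by hash key rather than a loop. `get_protocols` also reads the world-readable file through a two-argument pipe `open` on a bareword handle (`sudo cat … |`) without checking the result or closing it, and `my @protocols = [];` makes the first element an array reference rather than an empty list. A plain three-argument read needs no privilege and no shell. The rewritten parts follow; the regex and hash population inside the loop are unchanged.
```perl
sub get_protocols {
    # /etc/protocols is world-readable: 3-arg open, no shell, no sudo.
    open my $fh, '<', '/etc/protocols' or return ();
    my %protohash;
    while (my $line = <$fh>) {
        next if $line =~ /^\#/;
        # … unchanged: regex match and %protohash population …
    }
    close $fh;
    return %protohash;
}

sub conv_protocol {
    my $proto = pop(@_);
    # Only a numeric value can be mapped; a name is returned as-is so that
    # it is never numified to 0 and matched against protocol number 0.
    return $proto unless defined $proto && $proto =~ /\A\d+\z/;
    my %protohash = get_protocols();
    return exists $protohash{$proto} ? $protohash{$proto}{_name} : $proto;
}
```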
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index f7627c4..28c965b 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -516,7 +516,7 @@ if ( $vcVPN->exists('ipsec') ) {
# Write tunnel configuration
#
my $leftsubnet = $vcVPN->returnValue(
- "ipsec site-to-site peer $peer tunnel $tunnel local-subnet");
+ "ipsec site-to-site peer $peer tunnel $tunnel local subnet");
if ( defined($leftsubnet) && $leftsubnet eq 'any' ) {
$leftsubnet = '0.0.0.0/0';
}
@@ -544,7 +544,7 @@ if ( $vcVPN->exists('ipsec') ) {
}
my $remotesubnet = $vcVPN->returnValue(
- "ipsec site-to-site peer $peer tunnel $tunnel remote-subnet");
+ "ipsec site-to-site peer $peer tunnel $tunnel remote subnet");
my $rightsubnet;
my $allow_nat_networks = $vcVPN->returnValue(
@@ -605,18 +605,52 @@ if ( $vcVPN->exists('ipsec') ) {
$genout .= $leftsourceip if defined $leftsourceip;
#
- # Protocol
+ # Protocol/port
#
- my $protocol = $vcVPN->returnValue(
- "ipsec site-to-site peer $peer tunnel $tunnel protocol");
- if (defined($protocol)){
- if ($protocol eq "GRE"){
- $genout .= "\tleftprotoport=gre\n\trightprotoport=gre\n"
- } else {
- vpn_die(["vpn", "ipsec", "site-to-site", "peer", $peer, "tunnel", $tunnel, "protocol"],
- "$vpn_cfg_err protocol, $protocol, is unsupported.");
- }
+ my $lprotocol = $vcVPN->returnValue(
+ "ipsec site-to-site peer $peer tunnel $tunnel local protocol");
+ my $lprotoport = '';
+ if (defined($lprotocol)){
+ $lprotoport .= $lprotocol;
}
+ my $lport = $vcVPN->returnValue(
+ "ipsec site-to-site peer $peer tunnel $tunnel local port");
+ if (defined($lport)){
+ if (!defined($lprotocol)){
+ $lprotoport .= "0/$lport";
+ } elsif (is_tcp_udp($lprotocol)){
+ $lprotoport .= "/$lport";
+ } else {
+ vpn_die(["vpn","ipsec","site-to-site","peer",$peer, "tunnel", $tunnel, "local", "port"],
+ "$vpn_cfg_err local port can only be defined when local protocol is tcp, udp, or undefined.\n");
+ }
+ }
+ if (not ($lprotoport eq '')){
+ $genout .= "\tleftprotoport=$lprotoport\n";
+ }
+
+ my $rprotocol = $vcVPN->returnValue(
+ "ipsec site-to-site peer $peer tunnel $tunnel remote protocol");
+ my $rprotoport = '';
+ if (defined($rprotocol)){
+ $rprotoport .= $rprotocol;
+ }
+ my $rport = $vcVPN->returnValue(
+ "ipsec site-to-site peer $peer tunnel $tunnel remote port");
+ if (defined($rport)){
+ if (!defined($rprotocol)){
+ $rprotoport .= "0/$rport";
+ } elsif (is_tcp_udp($rprotocol)){
+ $rprotoport .= "/$rport";
+ } else {
+ vpn_die(["vpn","ipsec","site-to-site","peer",$peer, "tunnel", $tunnel, "remote", "port"],
+ "$vpn_cfg_err remote port can only be defined when remote protocol is tcp, udp, or undefined.\n");
+ }
+ }
+ if (not ($rprotoport eq '')){
+ $genout .= "\trightprotoport=$rprotoport\n";
+ }
+
#
# check if passthrough connection is needed
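Review bot: The local and remote blocks from `my $lprotocol` to `$genout .= "\trightprotoport=…"` are the same fifteen lines with the side name swapped, including the `vpn_die` path and message; a small helper taking the side ('local'/'remote') keeps the two in step when the rule changes. Whether Pluto accepts the `0/<port>` form emitted when a port is set without a protocol is not established by anything in this diff, and the templates do not cross-check protocol against port, so if it is rejected the error will surface only when the generated ipsec.conf is loaded; worth confirming and, if so, refusing it here with `vpn_die` as the other combinations are. The enclosing `if ( $vcVPN->exists('ipsec') )` block starts before this hunk; the helper belongs at file scope next to the script's other subs, with the context passed explicitly so it does not close over loop variables.
```perl
    #
    # Protocol/port
    #
    my $lprotoport = protoport_for($vcVPN, $peer, $tunnel, 'local', $vpn_cfg_err);
    $genout .= "\tleftprotoport=$lprotoport\n" if $lprotoport ne '';
    my $rprotoport = protoport_for($vcVPN, $peer, $tunnel, 'remote', $vpn_cfg_err);
    $genout .= "\trightprotoport=$rprotoport\n" if $rprotoport ne '';

# Builds the "<protocol>/<port>" value for one side ('local' or 'remote') of a
# tunnel from the config tree. Returns '' when neither is configured and calls
# vpn_die when a port is set for a protocol other than tcp/udp.
sub protoport_for {
    my ($cfg, $peer, $tunnel, $side, $err_prefix) = @_;
    my $base      = "ipsec site-to-site peer $peer tunnel $tunnel $side";
    my $protocol  = $cfg->returnValue("$base protocol");
    my $port      = $cfg->returnValue("$base port");
    my $protoport = defined $protocol ? $protocol : '';
    if (defined $port) {
        if (!defined $protocol) {
            $protoport .= "0/$port";
        } elsif (is_tcp_udp($protocol)) {
            $protoport .= "/$port";
        } else {
            vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"tunnel",$tunnel,$side,"port"],
                "$err_prefix $side port can only be defined when $side protocol is tcp, udp, or undefined.\n");
        }
    }
    return $protoport;
}
```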
@@ -636,7 +670,7 @@ if ( $vcVPN->exists('ipsec') ) {
my $remotesubnet_object = new NetAddr::IP($rightsubnet);
if ($remotesubnet_object == $localsubnet_object) {
vpn_die(["vpn","ipsec","site-to-site","peer",$peer],
- "$vpn_cfg_err local-subnet and remote-subnet cannot be the same.\n");
+ "$vpn_cfg_err local subnet and remote subnet cannot be the same.\n");
}
if ($remotesubnet_object->contains($localsubnet_object)) {
$needs_passthrough = 'true';
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/local/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/local/node.def
new file mode 100644
index 0000000..4f761cf
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/local/node.def
@@ -0,0 +1 @@
+help: Local parameters for interesting traffic
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/local/port/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/local/port/node.def
new file mode 100644
index 0000000..721e59f
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/local/port/node.def
@@ -0,0 +1,6 @@
+type: txt
+
+help: Destination port
+
+val_help: <port name> ; Named port (any name in /etc/services, e.g., http)
+val_help: u32:1-65535 ; Numbered port
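Review bot: The node has no `syntax:expression`, so nothing enforces the `1-65535` range or the /etc/services name that `val_help` advertises; `type: txt` accepts any string, and vpn-config.pl writes the value verbatim into `leftprotoport`, where a bad value is only caught when the generated ipsec.conf is loaded. The same applies to the identical remote/port/node.def in this commit. At minimum constrain the character set, e.g. `syntax:expression: pattern $VAR(@) "^[a-zA-Z0-9_.-]+$" ; "invalid port $VAR(@)"`, and preferably validate against the numeric range or a service-name lookup the way the protocol node does.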
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/local/protocol/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/local/protocol/node.def
new file mode 100644
index 0000000..040a391
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/local/protocol/node.def
@@ -0,0 +1,11 @@
+type: txt
+
+help: Protocol to Encrypt
+
+val_help: txt ; IP protocol name from /etc/protocols (e.g. "gre" or "tcp")
+val_help: u32:0-255 ; IP protocol number
+
+syntax:expression: exec "if [ -n \"`/opt/vyatta/sbin/vyatta-validate-type.pl protocol '$VAR(@)'`\" ]; then \
+ echo invalid protocol \"$VAR(@)\" ; \
+ exit 1 ; \
+ fi ; "
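Review bot: `$VAR(@)` is spliced into a shell command inside single quotes (`'$VAR(@)'`) and again inside escaped double quotes on the `echo` line; if the config system substitutes the value verbatim, a value containing a quote character ends the quoting and the rest of it is interpreted by the shell before the validator ever sees it. The value comes from a configuration-mode user, so the exposure is limited, but the validator should not depend on the value being well-formed. Put a character-set check ahead of the exec, e.g. `syntax:expression: pattern $VAR(@) "^[a-zA-Z0-9_.-]+$" ; "invalid protocol $VAR(@)"`, so only names and numbers reach the shell. The identical remote/protocol/node.def in this commit has the same construction.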
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/local-subnet/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/local/subnet/node.def
index fbae2e8..fbae2e8 100644
--- a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/local-subnet/node.def
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/local/subnet/node.def
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/protocol/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/protocol/node.def
deleted file mode 100644
index 033f7fa..0000000
--- a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/protocol/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-help: Protocol that will be sent over tunnel.
-type: txt
-syntax:expression: $VAR(@) in "GRE"; "Only GRE is allowed"
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/remote/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/remote/node.def
new file mode 100644
index 0000000..28e0592
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/remote/node.def
@@ -0,0 +1 @@
+help: Remote parameters for interesting traffic
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/remote/port/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/remote/port/node.def
new file mode 100644
index 0000000..721e59f
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/remote/port/node.def
@@ -0,0 +1,6 @@
+type: txt
+
+help: Destination port
+
+val_help: <port name> ; Named port (any name in /etc/services, e.g., http)
+val_help: u32:1-65535 ; Numbered port
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/remote/protocol/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/remote/protocol/node.def
new file mode 100644
index 0000000..040a391
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/remote/protocol/node.def
@@ -0,0 +1,11 @@
+type: txt
+
+help: Protocol to Encrypt
+
+val_help: txt ; IP protocol name from /etc/protocols (e.g. "gre" or "tcp")
+val_help: u32:0-255 ; IP protocol number
+
+syntax:expression: exec "if [ -n \"`/opt/vyatta/sbin/vyatta-validate-type.pl protocol '$VAR(@)'`\" ]; then \
+ echo invalid protocol \"$VAR(@)\" ; \
+ exit 1 ; \
+ fi ; "
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/remote-subnet/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/remote/subnet/node.def
index e5383bf..e5383bf 100644
--- a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/remote-subnet/node.def
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/remote/subnet/node.def