From aaba815dbccbb0d623def17d1e030383d905daa0 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 29 Jun 2016 20:14:25 +0200
Subject: =?UTF-8?q?IPSec=20=E2=86=92=20IPsec?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../common/files/usr/local/sbin/update-firewall.sh | 13 +++++-----
 roles/common/handlers/main.yml                     |  2 +-
 roles/common/tasks/ipsec.yml                       | 28 +++++++++++-----------
 roles/common/templates/etc/iptables/services.j2    |  2 +-
 .../common/templates/etc/network/if-up.d/ipsec.j2  |  6 ++---
 5 files changed, 25 insertions(+), 26 deletions(-)

(limited to 'roles')

diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 7ca9bab..b27e5ce 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -48,7 +48,7 @@ else
 fi
 
 fail2ban_re='^(\[[0-9]+:[0-9]+\]\s+)?-A fail2ban-\S'
-IPSec_re=" -m policy --dir (in|out) --pol ipsec --reqid [0-9]+ --proto $secproto -j ACCEPT$"
+IPsec_re=" -m policy --dir (in|out) --pol ipsec --reqid [0-9]+ --proto $secproto -j ACCEPT$"
 declare -A rss=() tables=()
 
 usage() {
@@ -104,7 +104,7 @@ ipt-trim() {
     # automatically included by third-party servers (such as strongSwan
     # or fail2ban).  The output is ready to be made persistent.
     grep -Ev -e '^:fail2ban-\S' \
-             -e "$IPSec_re" \
+             -e "$IPsec_re" \
              -e '-j fail2ban-\S+$' \
              -e "$fail2ban_re"
 }
@@ -197,9 +197,8 @@ run() {
     fi >> "$new"
 
     if [ "$f" = 4 -a "$ipsec" = y ]; then
-        # Our IPSec tunnels are IPv4 only.
-        # (Host-to-host) IPSec tunnels come first.
-        grep -E -- "$IPSec_re" "$old" >> "$new" || true
+        # IPsec tunnels come first (IPv4 only).
+        grep -E -- "$IPsec_re" "$old" >> "$new" || true
 
         # Allow any IPsec $secproto protocol packets to be sent and received.
         iptables -A INPUT  -i $if -p $secproto -j ACCEPT
@@ -215,11 +214,11 @@ run() {
     local ip
     if [ "$f" = 4 -a "$ipsec" = y ]; then
         # Private-use networks (RFC 1918) and link local (RFC 3927)
-        local MyIPSec="$( /bin/ip -4 -o route show table 220 dev $if | sed 's/\s.*//' )"
+        local MyIPsec="$( /bin/ip -4 -o route show table 220 dev $if | sed 's/\s.*//' )"
         local MyNetwork="$( /bin/ip -4 -o address show dev $if scope global \
                           | sed -nr "s/^[0-9]+:\s+$if\s+inet\s(\S+).*/\1/p" \
                           | while read ip; do
-                              for ips in $MyIPSec; do
+                              for ips in $MyIPsec; do
                                 [ "$ips" = "$(/usr/bin/netmask -nc "$ip" "$ips" | sed 's/^ *//')" ] || echo "$ip"
                               done
                             done
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 250c77b..73877f8 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -23,7 +23,7 @@
 - name: Restart fail2ban
   service: name=fail2ban state=restarted
 
-- name: Restart IPSec
+- name: Restart IPsec
   service: name=ipsec state=restarted
 
 - name: Reload networking
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
index ca03c98..ce158fe 100644
--- a/roles/common/tasks/ipsec.yml
+++ b/roles/common/tasks/ipsec.yml
@@ -6,9 +6,9 @@
     - libstrongswan-standard-plugins
   notify:
     - Update firewall
-    - Restart IPSec
+    - Restart IPsec
 
-- name: Auto-create a dedicated virtual subnet for IPSec
+- name: Auto-create a dedicated virtual subnet for IPsec
   template: src=etc/network/if-up.d/ipsec.j2
             dest=/etc/network/if-up.d/ipsec
             owner=root group=root
@@ -16,7 +16,7 @@
   notify:
     - Reload networking
 
-- name: Auto-deactivate the dedicated virtual subnet for IPSec
+- name: Auto-deactivate the dedicated virtual subnet for IPsec
   file: src=../if-up.d/ipsec
         dest=/etc/network/if-down.d/ipsec
         owner=root group=root state=link force=yes
@@ -24,23 +24,23 @@
 - meta: flush_handlers
 
 
-- name: Configure IPSec
+- name: Configure IPsec
   template: src=etc/ipsec.conf.j2
             dest=/etc/ipsec.conf
             owner=root group=root
             mode=0644
   register: r1
   notify:
-    - Restart IPSec
+    - Restart IPsec
 
-- name: Configure IPSec's secrets
+- name: Configure IPsec's secrets
   template: src=etc/ipsec.secrets.j2
             dest=/etc/ipsec.secrets
             owner=root group=root
             mode=0600
   register: r2
   notify:
-    - Restart IPSec
+    - Restart IPsec
 
 - name: Configure Charon
   copy: src=etc/strongswan.d/{{ item }}
@@ -52,9 +52,9 @@
     - charon/socket-default.conf
   register: r3
   notify:
-    - Restart IPSec
+    - Restart IPsec
 
-- name: Generate a key pair for IPSec public key authentication
+- name: Generate a key pair for IPsec public key authentication
   command: genkeypair.sh keypair
                          --pubkey=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem
                          --privkey=/etc/ipsec.d/private/{{ inventory_hostname_short }}.key
@@ -63,11 +63,11 @@
   changed_when: r4.rc == 0
   failed_when: r4.rc > 1
   notify:
-    - Restart IPSec
+    - Restart IPsec
   tags:
     - genkey
 
-- name: Fetch the public part of IPSec host key
+- name: Fetch the public part of IPsec host key
   # Ensure we don't fetch private data
   become: False
   fetch: src=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem
@@ -78,7 +78,7 @@
 
 # Don't copy our pubkey due to a possible race condition.  Only the
 # remote machine has authority regarding its key.
-- name: Copy the public part of IPSec peers' key
+- name: Copy the public part of IPsec peers' key
   copy: src=certs/ipsec/{{ hostvars[item].inventory_hostname_short }}.pem
         dest=/etc/ipsec.d/certs/{{ hostvars[item].inventory_hostname_short }}.pem
         owner=root group=root
@@ -88,8 +88,8 @@
   tags:
     - genkey
   notify:
-    - Restart IPSec
+    - Restart IPsec
 
-- name: Start IPSec
+- name: Start IPsec
   service: name=ipsec state=started
   when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed)
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index ccbc735..247f98a 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -7,7 +7,7 @@
 {% if groups.all | length > 1 %}
 inout4  udp     500      500                            # ISAKMP
 {% if groups.NATed | length > 0 %}
-inout4  udp     4500     4500                           # IPSec NAT Traversal
+inout4  udp     4500     4500                           # IPsec NAT Traversal
 {% endif %}
 {% endif %}
 
diff --git a/roles/common/templates/etc/network/if-up.d/ipsec.j2 b/roles/common/templates/etc/network/if-up.d/ipsec.j2
index 7dd41d4..caa5129 100755
--- a/roles/common/templates/etc/network/if-up.d/ipsec.j2
+++ b/roles/common/templates/etc/network/if-up.d/ipsec.j2
@@ -1,7 +1,7 @@
 #!/bin/sh
 
 # A post-up/down hook to automatically create/delete a virtual subnet
-# for IPSec (inet4 only).
+# for IPsec (inet4 only).
 # Copyright © 2016 Guilhem Moulin <guilhem@fripost.org>
 #
 # This program is free software: you can redistribute it and/or modify
@@ -35,9 +35,9 @@ vsubnet="{{ ipsec_subnet }}"
 
 case "$MODE" in
     start) ip address add "$vip/32" dev "$IFACE" scope global || true
-           # Nullroute the subnet used for IPSec to avoid data leaks
+           # Nullroute the subnet used for IPsec to avoid data leaks
            # in the absence of xfrm lookup (i.e., when there is no
-           # matching IPSec Security Association).
+           # matching IPsec Security Association).
            ip route replace prohibit "$vsubnet" proto static || true
            ip route replace table 220 to "$vsubnet" via "$ip" dev "$IFACE" proto static src "$vip" || true
     ;;
-- 
cgit v1.2.3