##
## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
##
# ferm rules for IPsec peers: IKE (udp/isakmp) and ESP are accepted only from
# the addresses of the other hosts listed in the Puppet-provided ipsec config.
<%
  # @ipsec_config is a YAML string handed in by the manifest; the template
  # reads it as hostname => { 'address' => ... }.
  # NOTE(review): YAML.load accepts arbitrary tags on older Psych releases.
  # The data is manifest-controlled here, but YAML.safe_load would be the
  # conservative choice should the source of @ipsec_config ever change.
  config = YAML.load(@ipsec_config)

  # A host that is not in the ipsec config must not get these rules at all;
  # failing the catalog compile is preferable to rendering an empty rule set.
  fail("Host #{@fqdn} not found in ipsec config.") unless config.keys.include?(@fqdn)

  # Peer addresses: every configured host except this one.
  # NOTE(review): a host without an 'address' renders as an empty entry, and a
  # config with no other hosts renders `saddr ()`; confirm how ferm treats both
  # rather than assuming the rule becomes a no-op.
  peers = config.reject { |host, _| host == @fqdn }
                .map { |_, entry| entry['address'] }
%>
domain ip table filter {
  # Shared allow-list of IPsec peer source addresses.
  chain ipsec-peers {
    saddr (<%= peers.join(" ") %>) ACCEPT;
  }
  chain INPUT {
    # IKE negotiation and ESP payloads jump to the peer allow-list; anything
    # from other sources falls through to the rest of INPUT.
    proto udp dport (isakmp) jump ipsec-peers;
    proto esp jump ipsec-peers;
  }
}