diff --git a/conf.default/config.xml b/conf.default/config.xml index b291c384c97..b3cbaf40abb 100644 --- a/conf.default/config.xml +++ b/conf.default/config.xml @@ -1,7 +1,7 @@ - 7.8 + 8.0 pfsense_ng diff --git a/etc/ca_countries b/etc/ca_countries new file mode 100644 index 00000000000..291711c3da1 --- /dev/null +++ b/etc/ca_countries 
@@ -0,0 +1,245 @@ +US United States of America +CA Canada +AX Aland Islands +AD Andorra +AE United Arab Emirates +AF Afghanistan +AG Antigua and Barbuda +AI Anguilla +AL Albania +AM Armenia +AN Netherlands Antilles +AO Angola +AQ Antarctica +AR Argentina +AS American Samoa +AT Austria +AU Australia +AW Aruba +AZ Azerbaijan +BA Bosnia and Herzegovina +BB Barbados +BD Bangladesh +BE Belgium +BF Burkina Faso +BG Bulgaria +BH Bahrain +BI Burundi +BJ Benin +BM Bermuda +BN Brunei Darussalam +BO Bolivia +BR Brazil +BS Bahamas +BT Bhutan +BV Bouvet Island +BW Botswana +BZ Belize +CA Canada +CC Cocos (Keeling) Islands +CF Central African Republic +CH Switzerland +CI Cote D'Ivoire (Ivory Coast) +CK Cook Islands +CL Chile +CM Cameroon +CN China +CO Colombia +CR Costa Rica +CS Czechoslovakia (former) +CV Cape Verde +CX Christmas Island +CY Cyprus +CZ Czech Republic +DE Germany +DJ Djibouti +DK Denmark +DM Dominica +DO Dominican Republic +DZ Algeria +EC Ecuador +EE Estonia +EG Egypt +EH Western Sahara +ER Eritrea +ES Spain +ET Ethiopia +FI Finland +FJ Fiji +FK Falkland Islands (Malvinas) +FM Micronesia +FO Faroe Islands +FR France +FX France, Metropolitan +GA Gabon +GB Great Britain (UK) +GD Grenada +GE Georgia +GF French Guiana +GG Guernsey +GH Ghana +GI Gibraltar +GL Greenland +GM Gambia +GN Guinea +GP Guadeloupe +GQ Equatorial Guinea +GR Greece +GS S. Georgia and S. Sandwich Isls. 
+GT Guatemala +GU Guam +GW Guinea-Bissau +GY Guyana +HK Hong Kong +HM Heard and McDonald Islands +HN Honduras +HR Croatia (Hrvatska) +HT Haiti +HU Hungary +ID Indonesia +IE Ireland +IL Israel +IM Isle of Man +IN India +IO British Indian Ocean Territory +IS Iceland +IT Italy +JE Jersey +JM Jamaica +JO Jordan +JP Japan +KE Kenya +KG Kyrgyzstan +KH Cambodia +KI Kiribati +KM Comoros +KN Saint Kitts and Nevis +KR Korea (South) +KW Kuwait +KY Cayman Islands +KZ Kazakhstan +LA Laos +LC Saint Lucia +LI Liechtenstein +LK Sri Lanka +LS Lesotho +LT Lithuania +LU Luxembourg +LV Latvia +LY Libya +MA Morocco +MC Monaco +MD Moldova +ME Montenegro +MG Madagascar +MH Marshall Islands +MK Macedonia +ML Mali +MM Myanmar +MN Mongolia +MO Macau +MP Northern Mariana Islands +MQ Martinique +MR Mauritania +MS Montserrat +MT Malta +MU Mauritius +MV Maldives +MW Malawi +MX Mexico +MY Malaysia +MZ Mozambique +NA Namibia +NC New Caledonia +NE Niger +NF Norfolk Island +NG Nigeria +NI Nicaragua +NL Netherlands +NO Norway +NP Nepal +NR Nauru +NT Neutral Zone +NU Niue +NZ New Zealand (Aotearoa) +OM Oman +PA Panama +PE Peru +PF French Polynesia +PG Papua New Guinea +PH Philippines +PK Pakistan +PL Poland +PM St. Pierre and Miquelon +PN Pitcairn +PR Puerto Rico +PS Palestinian Territory +PT Portugal +PW Palau +PY Paraguay +QA Qatar +RE Reunion +RO Romania +RS Serbia +RU Russian Federation +RW Rwanda +SA Saudi Arabia +SB Solomon Islands +SC Seychelles +SE Sweden +SG Singapore +SH St. 
Helena +SI Slovenia +SJ Svalbard and Jan Mayen Islands +SK Slovak Republic +SL Sierra Leone +SM San Marino +SN Senegal +SR Suriname +ST Sao Tome and Principe +SU USSR (former) +SV El Salvador +SZ Swaziland +TC Turks and Caicos Islands +TD Chad +TF French Southern Territories +TG Togo +TH Thailand +TJ Tajikistan +TK Tokelau +TM Turkmenistan +TN Tunisia +TO Tonga +TP East Timor +TR Turkey +TT Trinidad and Tobago +TV Tuvalu +TW Taiwan +TZ Tanzania +UA Ukraine +UG Uganda +UM US Minor Outlying Islands +US United States +UY Uruguay +UZ Uzbekistan +VA Vatican City State (Holy See) +VC Saint Vincent and the Grenadines +VE Venezuela +VG Virgin Islands (British) +VI Virgin Islands (U.S.) +VN Viet Nam +VU Vanuatu +WF Wallis and Futuna Islands +WS Samoa +YE Yemen +YT Mayotte +ZA South Africa +ZM Zambia +COM US Commercial +EDU US Educational +GOV US Government +INT International +MIL US Military +NET Network +ORG Non-Profit Organization +ARPA Old style Arpanet diff --git a/etc/devd.conf b/etc/devd.conf index 244af480989..d6731d8d09e 100644 --- a/etc/devd.conf +++ b/etc/devd.conf @@ -30,12 +30,12 @@ notify 100 { # When a USB keyboard arrives, attach it as the console keyboard. attach 100 { device-name "ukbd0"; - action "kbdcontrol -k /dev/ukbd0 < /dev/console"; + action "kbdcontrol -k /dev/ukbd0 < /dev/console 2>/dev/null"; }; detach 100 { device-name "ukbd0"; - action "kbdcontrol -k /dev/kbd0 < /dev/console"; + action "kbdcontrol -k /dev/kbd0 < /dev/console 2>/dev/null"; }; # diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc index a66c6cb5791..e54413c152d 100644 --- a/etc/inc/captiveportal.inc +++ b/etc/inc/captiveportal.inc 
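Review bot: Several rows of the new etc/ca_countries list are not ISO 3166-1 alpha-2 codes, which matters if (as the file name suggests) the code column is placed verbatim into the countryName (C=) attribute of generated CA certificates and CSRs: `COM`, `EDU`, `GOV`, `INT`, `MIL`, `NET`, `ORG` and `ARPA` are DNS labels, and X.509 defines countryName as exactly two characters, so OpenSSL refuses a subject built from them. The obsolete codes (`CS`, `SU`, `NT`, `TP`, `AN`, `FX`) and the duplicated `US` and `CA` rows (listed at the top and again in sequence, with a different display name for the second `US`) should also be cleaned up so the selector does not offer two entries for one value. I would drop the non-alpha-2 rows and document the constraint wherever the file is parsed, e.g. `/* etc/ca_countries: ISO 3166-1 alpha-2 only; the code is used unmodified as the 2-character X.509 countryName */`.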
@@ -652,6 +652,13 @@ function captiveportal_prune_old() { * had a chance to iterate over all accounts. */ $unsetindexes = array(); + $voucher_needs_sync = false; + /* + * Snapshot the time here to use for calculation to speed up the process. + * If something is missed next run will catch it! + */ + $pruning_time = time(); + $stop_time = $pruning_time; foreach ($cpdb as $cpentry) { $timedout = false; @@ -659,7 +666,7 @@ function captiveportal_prune_old() { /* hard timeout? */ if ($timeout) { - if ((time() - $cpentry[0]) >= $timeout) { + if (($pruning_time - $cpentry[0]) >= $timeout) { $timedout = true; $term_cause = 5; // Session-Timeout } @@ -667,7 +674,7 @@ function captiveportal_prune_old() { /* Session-Terminate-Time */ if (!$timedout && !empty($cpentry[9])) { - if (time() >= $cpentry[9]) { + if ($pruning_time >= $cpentry[9]) { $timedout = true; $term_cause = 5; // Session-Timeout } @@ -682,7 +689,7 @@ function captiveportal_prune_old() { * We "fix" this by setting lastact to the login timestamp. */ $lastact = $lastact ? $lastact : $cpentry[0]; - if ($lastact && ((time() - $lastact) >= $uidletimeout)) { + if ($lastact && (($pruning_time - $lastact) >= $uidletimeout)) { $timedout = true; $term_cause = 4; // Idle-Timeout $stop_time = $lastact; // Entry added to comply with WISPr 
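Review bot: `$stop_time = $pruning_time;` is set once before the `foreach`, but inside the loop the idle-timeout branch overwrites it with `$lastact` for one entry, and nothing visible in this hunk resets it for the next iteration, so a later entry that times out for another reason (hard timeout, `$cpentry[9]`) would inherit the previous entry's last-activity time as its WISPr stop time. The loop body and the disconnect call are outside this view, so this is an inference; if there is no per-iteration reset, move `$stop_time = $pruning_time;` to just after `$timedout = false;` at the top of the loop. A one-line comment on the snapshot would also make the intent explicit: `/* one timestamp for the whole pass so every entry is judged against the same instant */`.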
@@ -691,15 +698,16 @@ function captiveportal_prune_old() { /* if vouchers are configured, activate session timeouts */ if (!$timedout && isset($config['voucher']['enable']) && !empty($cpentry[7])) { - if (time() >= ($cpentry[0] + $cpentry[7])) { + if ($pruning_time >= ($cpentry[0] + $cpentry[7])) { $timedout = true; $term_cause = 5; // Session-Timeout + $voucher_needs_sync = true; } } /* if radius session_timeout is enabled and the session_timeout is not null, then check if the user should be logged out */ if (!$timedout && isset($config['captiveportal']['radiussession_timeout']) && !empty($cpentry[7])) { - if (time() >= ($cpentry[0] + $cpentry[7])) { + if ($pruning_time >= ($cpentry[0] + $cpentry[7])) { $timedout = true; $term_cause = 5; // Session-Timeout } @@ -762,6 +770,10 @@ function captiveportal_prune_old() { } } + if ($voucher_needs_sync == true) + /* Triger a sync of the vouchers on config */ + send_event("service sync vouchers"); + /* write database */ if (!empty($unsetindexes)) captiveportal_write_db($cpdb, false, $unsetindexes); 
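Review bot: The brace-less `if ($voucher_needs_sync == true)` at the end of captiveportal_prune_old has a comment sitting between the condition and its statement, which is legal but is exactly the shape that breaks silently when someone adds a second line; write it `if ($voucher_needs_sync) { /* trigger a sync of the vouchers on config */ send_event("service sync vouchers"); }` (and fix the "Triger" typo). Also note that the `radiussession_timeout` check that follows the voucher check tests the very same `$cpentry[0] + $cpentry[7]` expiry, so for voucher sessions the RADIUS branch is unreachable and the `$voucher_needs_sync` flag is the only behavioural difference between the two blocks; a short comment saying so would stop a future cleanup from merging them and losing the sync.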
@@ -809,13 +821,12 @@ function captiveportal_disconnect($dbent, $radiusservers,$term_cause = 1,$stop_t captiveportal_free_ipfw_ruleno($dbent[1]); // XMLRPC Call over to the master Voucher node - $a_voucher = &$config['voucher']; - if(!empty($a_voucher['vouchersyncdbip'])) { - $syncip = $a_voucher['vouchersyncdbip']; - $syncport = $a_voucher['vouchersyncport']; - $syncpass = $a_voucher['vouchersyncpass']; - $vouchersyncusername = $a_voucher['vouchersyncusername']; - $remote_status = xmlrpc_sync_voucher_disconnect($dben, $syncip, $syncport, $syncpass, $vouchersyncusername, $term_cause, $stop_time); + if(!empty($config['voucher']['vouchersyncdbip'])) { + $syncip = $config['voucher']['vouchersyncdbip']; + $syncport = $config['voucher']['vouchersyncport']; + $syncpass = $config['voucher']['vouchersyncpass']; + $vouchersyncusername = $config['voucher']['vouchersyncusername']; + $remote_status = xmlrpc_sync_voucher_disconnect($dbent, $syncip, $syncport, $syncpass, $vouchersyncusername, $term_cause, $stop_time); } } @@ -827,18 +838,15 @@ function captiveportal_disconnect_client($sessionid, $term_cause = 1, $logoutRea $radiusservers = captiveportal_get_radius_servers(); $unsetindex = array(); - $cpdblck = lock('captiveportaldb', LOCK_EX); - /* read database */ - $cpdb = captiveportal_read_db(true); + $cpdb = captiveportal_read_db(); /* find entry */ if (isset($cpdb[$sessionid])) { $cpentry = $cpdb[$sessionid]; /* write database */ $unsetindex[] = $sessionid; - captiveportal_write_db($cpdb, true, $unsetindex); - unlock($cpdblck); + captiveportal_write_db($cpdb, false, $unsetindex); captiveportal_disconnect($cpentry, $radiusservers, $term_cause); captiveportal_logportalauth($cpentry[4], $cpentry[3], $cpentry[2], "DISCONNECT"); 
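Review bot: Removing the exclusive lock from captiveportal_disconnect_client turns its read-check-remove sequence into a race: `$cpdb = captiveportal_read_db();` now runs unlocked, so the entry handed to `captiveportal_disconnect($cpentry, ...)` may already have been pruned by a concurrent prune pass, in which case the ipfw rule number in `$cpentry[1]` is freed a second time (possibly after being re-issued to a new client) and RADIUS stop accounting is sent twice. `captiveportal_write_db()` does re-read the file under its own lock before unsetting the key, so the file stays consistent, but nothing tells this caller whether the session was still present at that moment. Either restore the lock around both operations (`$cpdblck = lock('captiveportaldb', LOCK_EX); $cpdb = captiveportal_read_db(true); ... captiveportal_write_db($cpdb, true, $unsetindex); unlock($cpdblck);`) or have write_db report whether the key was actually removed and only disconnect on success. The function continues outside the hunk.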
@@ -1115,29 +1123,29 @@ function captiveportal_init_radius_servers() { /* read RADIUS servers into array */ function captiveportal_get_radius_servers() { - global $g; - - $cprdsrvlck = lock('captiveportalradius'); - if (file_exists("{$g['vardb_path']}/captiveportal_radius.db")) { - $radiusservers = array(); - $cpradiusdb = file("{$g['vardb_path']}/captiveportal_radius.db", - FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); - if ($cpradiusdb) { - foreach($cpradiusdb as $cpradiusentry) { - $line = trim($cpradiusentry); - if ($line) { - $radsrv = array(); - list($radsrv['ipaddr'],$radsrv['port'],$radsrv['acctport'],$radsrv['key']) = explode(",",$line); - $radiusservers[] = $radsrv; - } + global $g; + + $cprdsrvlck = lock('captiveportalradius'); + if (file_exists("{$g['vardb_path']}/captiveportal_radius.db")) { + $radiusservers = array(); + $cpradiusdb = file("{$g['vardb_path']}/captiveportal_radius.db", + FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); + if ($cpradiusdb) { + foreach($cpradiusdb as $cpradiusentry) { + $line = trim($cpradiusentry); + if ($line) { + $radsrv = array(); + list($radsrv['ipaddr'],$radsrv['port'],$radsrv['acctport'],$radsrv['key']) = explode(",",$line); + $radiusservers[] = $radsrv; } } - unlock($cprdsrvlck); - return $radiusservers; } - unlock($cprdsrvlck); - return false; + return $radiusservers; + } + + unlock($cprdsrvlck); + return false; } /* log successful captive portal authentication to syslog */ @@ -1199,7 +1207,7 @@ function radius($username,$password,$clientip,$clientmac,$type) { } /* read captive portal DB into array */ -function captiveportal_read_db($locked = false) { +function captiveportal_read_db($locked = false, $index = 5 /* sessionid by default */) { global $g; $cpdb = array(); @@ -1213,7 +1221,7 @@ function captiveportal_read_db($locked = false) { if ($line) { $cpe = explode(",", $line); /* Hash by session id */ - $cpdb[$cpe[5]] = $cpe; + $cpdb[$cpe[$index]] = $cpe; } } fclose($fd); 
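Review bot: The re-indented captiveportal_get_radius_servers no longer releases the `captiveportalradius` lock on its success path: after the `foreach` the new code does `return $radiusservers;` directly, and `unlock($cprdsrvlck);` is now only reached when the DB file does not exist. Every caller that finds a server list therefore keeps the lock for the rest of the process, which in a long-lived caller (the prune job, the reload daemon) blocks the next writer of `captiveportal_radius.db`. Put `unlock($cprdsrvlck);` back immediately before `return $radiusservers;`, or restructure as `$result = false; if (file_exists(...)) { ...; $result = $radiusservers; } unlock($cprdsrvlck); return $result;` so there is a single exit. Worth a comment while here: the shared secret is the fourth `explode(",", $line)` field, so a secret containing a comma is truncated by this parser.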
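Review bot: The new `$index` parameter of captiveportal_read_db keys the result by an arbitrary column, but only the session id is unique: keying by client IP (2) or MAC (3) silently keeps just the last row per value, and an index past the row width produces an undefined-offset notice and a `null` key. Document that on the signature, e.g. `/* $index: column to key the result by; only 5 (sessionid) is guaranteed unique, duplicate values overwrite each other */`, and skip malformed rows with `if (!isset($cpe[$index])) continue;` before the assignment. The function body continues outside the hunk.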
@@ -1233,8 +1241,12 @@ function captiveportal_write_db($cpdb, $locked = false, $remove = false) { if (is_array($remove)) { if (!empty($remove)) { $cpdb = captiveportal_read_db(true); - foreach ($remove as $key) - unset($cpdb[$key]); + foreach ($remove as $key) { + if (is_array($key)) + log_error("Captive portal Array passed as unset index: " . print_r($key, true)); + else + unset($cpdb[$key]); + } } else return; //This makes sure no record removal calls } @@ -1613,6 +1625,9 @@ function portal_allow($clientip,$clientmac,$username,$password = null, $attribut } } + /* Snaphost the timestamp */ + $allow_time = time(); + foreach ($cpdb as $sid => $cpentry) { /* on the same ip */ if($cpentry[2] == $clientip) { @@ -1623,7 +1638,7 @@ function portal_allow($clientip,$clientmac,$username,$password = null, $attribut elseif (($attributes['voucher']) && ($username != 'unauthenticated') && ($cpentry[4] == $username)) { // user logged in with an active voucher. Check for how long and calculate // how much time we can give him (voucher credit - used time) - $remaining_time = $cpentry[0] + $cpentry[7] - time(); + $remaining_time = $cpentry[0] + $cpentry[7] - $allow_time; if ($remaining_time < 0) // just in case. $remaining_time = 0; @@ -1717,7 +1732,7 @@ function portal_allow($clientip,$clientmac,$username,$password = null, $attribut /* encode password in Base64 just in case it contains commas */ $bpassword = base64_encode($password); - $cpdb[] = array(time(), $ruleno, $clientip, $clientmac, $username, $sessionid, $bpassword, + $cpdb[] = array($allow_time, $ruleno, $clientip, $clientmac, $username, $sessionid, $bpassword, $attributes['session_timeout'], $attributes['idle_timeout'], $attributes['session_terminate_time']); /* rewrite information to database */ diff --git a/etc/inc/config.lib.inc b/etc/inc/config.lib.inc index 859eb8ea4e5..575a661cd4b 100644 --- a/etc/inc/config.lib.inc +++ b/etc/inc/config.lib.inc 
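Review bot: Logging an array passed as an unset index in captiveportal_write_db hides a caller bug rather than rejecting it, and `print_r($key, true)` on a whole DB row writes column 6 — the base64-encoded user password that portal_allow stores in the same array — into the system log. If the goal is to find the offending caller, log the keys and the call site, never the values: `log_error("Captive portal array passed as unset index (keys: " . implode(",", array_keys($key)) . ")");`. The removal path also discards the `$cpdb` argument and re-reads the on-disk DB under lock, which the signature does not make obvious; a comment such as `/* when $remove is set the on-disk DB is authoritative and $cpdb is ignored */` would save the next reader a surprise.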
@@ -342,8 +342,10 @@ function conf_mount_rw() { function conf_mount_ro() { global $g; + /* Do not trust $g['platform'] since this can be clobbered during factory reset. */ + $platform = trim(file_get_contents("/etc/platform")); /* do not umount on cdrom or pfSense platforms */ - if($g['platform'] == "cdrom" or $g['platform'] == "pfSense") + if($platform == "cdrom" or $platform == "pfSense") return; if($g['booting']) diff --git a/etc/inc/dyndns.class b/etc/inc/dyndns.class index 150dedc7d48..340fbc1a956 100644 --- a/etc/inc/dyndns.class +++ b/etc/inc/dyndns.class @@ -98,7 +98,9 @@ $this->_debugFile = "{$g['varetc_path']}/dyndns_{$dnsIf}{$dnsService}" . escapeshellarg($dnsHost) . ".debug"; log_error("DynDns: updatedns() starting"); - + + $dyndnslck = lock($dnsHost, LOCK_EX); + if (!$dnsService) $this->_error(2); switch ($dnsService) { case 'freedns': @@ -128,6 +130,7 @@ // Ensure that we where able to lookup the IP if(!is_ipaddr($this->_ifIP)) { log_error("There was an error trying to determine the IP for interface - {$dnsIf}({$this->_if}). Probably interface has no ip or is down. Dyndns update not possible for {$dnsService}."); + unlock($dyndnslck); return; } @@ -162,6 +165,8 @@ break; } } + + unlock($dyndnslck); } /* @@ -178,7 +183,7 @@ curl_setopt($ch, CURLOPT_USERAGENT, $this->_UserAgent); curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); curl_setopt($ch, CURLOPT_INTERFACE, $this->_ifIP); - curl_setopt($ch, CURLOPT_TIMEOUT, 60); // Completely empirical + curl_setopt($ch, CURLOPT_TIMEOUT, 120); // Completely empirical } switch ($this->_dnsService) { 
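Review bot: `trim(file_get_contents("/etc/platform"))` in conf_mount_ro has no failure path: if the file is missing or unreadable, `file_get_contents` returns `false` with a warning, `trim(false)` yields `""`, and the function goes on to remount read-only on a platform it could not identify — the opposite of the conservative behaviour the new comment is after. Fall back to the old source when the file cannot be read: `$platform = @file_get_contents("/etc/platform"); $platform = ($platform === false) ? $g['platform'] : trim($platform);`. conf_mount_rw, just above the hunk, presumably still consults `$g['platform']`; if so the two functions can disagree during the factory-reset window the comment describes, and it should read the file the same way.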
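Review bot: The new `lock($dnsHost, LOCK_EX)` in updatedns() is taken before `if (!$dnsService) $this->_error(2);` but is only released on the no-IP return and at the end of the switch, so if `_error()` does not return normally the lock is never dropped; take the lock after the service check, or release it in that branch. The lock name is the user-supplied hostname, and if `lock()` derives a file path from its argument (the `escapeshellarg($dnsHost)` used for the debug file name two lines up suggests the authors were already wary of the hostname in file names) a value containing `/` or `..` would escape the lock directory — lock on a sanitized key instead, e.g. `$dyndnslck = lock("dyndns_" . preg_replace('/[^A-Za-z0-9_.-]/', '_', $dnsHost), LOCK_EX);`. Both points depend on `lock()` and `_error()`, which are not in this diff.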
@@ -197,10 +202,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server .$port . '?system=dyndns&hostname=' . $this->_dnsHost . '&myip=' . $this->_dnsIP . '&wildcard='.$this->_dnsWildcard . '&mx=' . $this->_dnsMX . '&backmx=NO'); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'dhs': $needsIP = TRUE; @@ -228,10 +229,6 @@ curl_setopt($ch, CURLOPT_URL, '{$server}{$port}'); curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser.':'.$this->_dnsPass); curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'noip': $needsIP = TRUE; @@ -243,10 +240,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server . $port . '?username=' . urlencode($this->_dnsUser) . '&pass=' . urlencode($this->_dnsPass) . '&hostname=' . $this->_dnsHost.'&ip=' . $this->_dnsIP); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'easydns': $needsIP = TRUE; @@ -259,10 +252,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server . $port . '?hostname=' . $this->_dnsHost . '&myip=' . $this->_dnsIP . '&wildcard=' . $this->_dnsWildcard . '&mx=' . $this->_dnsMX . '&backmx=' . $this->_dnsBackMX); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'hn': $needsIP = TRUE; 
@@ -275,10 +264,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server . $port . '?ver=1&IP=' . $this->_dnsIP); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'zoneedit': $needsIP = FALSE; @@ -293,11 +278,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, "{$server}{$port}?host=" .$this->_dnsHost); - - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'dyns': $needsIP = FALSE; @@ -308,10 +288,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server . $port . '?username=' . urlencode($this->_dnsUser) . '&password=' . $this->_dnsPass . '&host=' . $this->_dnsHost); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'ods': $needsIP = FALSE; 
@@ -349,33 +325,21 @@ break; } } - $this->_checkStatus($code); + $this->_checkStatus(0, $code); break; case 'freedns': $needIP = FALSE; curl_setopt($ch, CURLOPT_URL, 'http://freedns.afraid.org/dynamic/update.php?' . $this->_dnsPass); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'dnsexit': $needsIP = TRUE; curl_setopt($ch, CURLOPT_URL, 'http://www.dnsexit.com/RemoteUpdate.sv?login='.$this->_dnsUser. '&password='.$this->_dnsPass.'&host='.$this->_dnsHost.'&myip='.$this->_dnsIP); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred:" . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'loopia': $needsIP = TRUE; curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser.':'.$this->_dnsPass); curl_setopt($ch, CURLOPT_URL, 'https://dns.loopia.se/XDynDNSServer/XDynDNS.php?hostname='.$this->_dnsHost.'&myip='.$this->_dnsIP); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'opendns': $needsIP = FALSE; @@ -389,19 +353,11 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server .$port); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'staticcling': $needsIP = FALSE; curl_setopt($ch, CURLOPT_URL, 'http://www.staticcling.org/update.html?login='.$this->_dnsUser.'&pass='.$this->_dnsPass); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occured: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'dnsomatic': /* Example syntax 
@@ -418,10 +374,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server . $this->_dnsHost . '&myip=' . $this->_dnsIP . '&wildcard='.$this->_dnsWildcard . '&mx=' . $this->_dnsMX . '&backmx=NOCHG'); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Request completed. DNS-O-Matic reported: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'namecheap': /* Example: @@ -433,10 +385,6 @@ list($hostname, $domain) = explode(".", $this->_dnsHost, 2); $server = "https://dynamicdns.park-your-domain.com/update?host={$hostname}&domain={$domain}&password={$this->_dnsPass}&ip={$this->_dnsIP}"; curl_setopt($ch, CURLOPT_URL, $server); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'he-net': $needsIP = FALSE; @@ -445,24 +393,31 @@ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsHost . ':' . $this->_dnsPass); curl_setopt($ch, CURLOPT_URL, $server . 'hostname=' . $this->_dnsHost); - $data = curl_exec($ch); - if(@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; default: break; } + if ($this->_dnsService != 'ods') { + $data = curl_exec($ch); + $this->_checkStatus($ch, $data); + @curl_close($ch); + } } /* * Private Function (added 12 July 2005) [beta] * Retrieve Update Status */ - function _checkStatus($data) { + function _checkStatus($ch, $data) { log_error("DynDns: DynDns _checkStatus() starting."); log_error("DynDns: Current Service: {$this->_dnsService}"); $successful_update = false; + if ($this->_dnsService != 'ods' && @curl_error($ch)) { + $status = "Curl error occurred: " . curl_error($ch); + log_error($status); + $this->status = $status; + return; + } switch ($this->_dnsService) { case 'dnsomatic': if (preg_match('/badauth/i', $data)) { 
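Review bot: The consolidated `curl_exec($ch)` after the switch runs for every service except `ods`, including the `default:` branch for an unrecognised service name, where the handle prepared before the switch has no URL set; the request then fails and `_checkStatus()` records a generic curl error instead of "unknown service". Either add `default: $this->_error(2); return;` inside the switch or gate the exec on a flag set by the recognised cases. `@curl_close($ch)` suppresses nothing useful — closing a valid handle never warns — and hides the one case where it would (an invalid `$ch`), so drop the `@`. Since all requests now leave through this one point, it is also the place for a `// TODO` about the service URLs that still carry the password in a plain-`http` query string (dnsexit, staticcling) or set `CURLOPT_SSL_VERIFYPEER` to `FALSE` (loopia, he-net); that is pre-existing, but the refactor makes a single fix possible.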
@@ -795,12 +750,13 @@ if($successful_update == true) { /* Write WAN IP to cache file */ $wan_ip = $this->_checkIP(); - $currentTime = time(); - log_error("phpDynDNS: updating cache file {$this->_cacheFile}: {$wan_ip}"); conf_mount_rw(); - $file = fopen($this->_cacheFile, 'w'); - fwrite($file, $wan_ip.':'.$currentTime); - fclose($file); + if ($wan_ip > 0) { + $currentTime = time(); + log_error("phpDynDNS: updating cache file {$this->_cacheFile}: {$wan_ip}"); + @file_put_contents($this->_cacheFile, "{$wan_ip}:{$currentTime}"); + } else + @unlink($this->_cacheFile); conf_mount_ro(); } $this->status = $status; @@ -853,32 +809,37 @@ * | work with other systems. pfSense base is FreeBSD. */ function _detectChange() { - - log_error("DynDns: _detectChange() starting."); + global $debug; + + if ($debug) + log_error("DynDns: _detectChange() starting."); $currentTime = time(); $wan_ip = $this->_checkIP(); + if ($wan_ip == 0) { + log_error("DynDns: Current WAN IP could not be determined, skipping update process."); + return false; + } $this->_dnsIP = $wan_ip; - log_error("DynDns: Current WAN IP: {$wan_ip}"); + $log_error = "DynDns: Current WAN IP: {$wan_ip} "; if (file_exists($this->_cacheFile)) { $contents = file_get_contents($this->_cacheFile); list($cacheIP,$cacheTime) = split(':', $contents); $this->_debug($cacheIP.'/'.$cacheTime); $initial = false; - log_error("DynDns: Cached IP: {$cacheIP}"); + $log_error .= "Cached IP: {$cacheIP} "; } else { conf_mount_rw(); - $file = fopen($this->_cacheFile, 'w'); - fwrite($file, '0.0.0.0:'.$currentTime); - fclose($file); - conf_mount_ro(); $cacheIP = '0.0.0.0'; + @file_put_contents($this->_cacheFile, "0.0.0.0:{$currentTime}"); + conf_mount_ro(); $cacheTime = $currentTime; $initial = true; - log_error("DynDns: No Cached IP found."); + $log_error .= "No Cached IP found."; } + log_error($log_error); /* use 2419200 for dyndns, dhs, easydns, noip, hn * zoneedit, dyns, ods 
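Review bot: `if ($wan_ip > 0)` relies on PHP's loose string-to-number comparison to tell an address from the `0` that `_checkIP()` now returns: on PHP 5 `"10.0.0.1" > 0` is only true because the leading `10` is parsed, `"0.x.x.x"` would be false, and on PHP 8 the comparison becomes a string comparison. Use the predicate the class already uses elsewhere: `if (is_ipaddr($wan_ip)) {`. The `@file_put_contents` also throws away its result, so a failed cache write is silent and the next run will push the update again; at least log it: `if (@file_put_contents($this->_cacheFile, "{$wan_ip}:{$currentTime}") === false) log_error("phpDynDNS: could not write cache file {$this->_cacheFile}");`.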
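Review bot: `if ($wan_ip == 0)` in _detectChange has the same loose-comparison problem as the cache write: `_checkIP()` returns the integer `0` on failure and a string otherwise, so test it as `if ($wan_ip === 0)` or, clearer, `if (!is_ipaddr($wan_ip))`. The unchanged `list($cacheIP,$cacheTime) = split(':', $contents);` line uses the POSIX-regex `split()`, which is gone in PHP 7; `explode(':', $contents)` is the drop-in replacement and worth doing while this block is being touched. The function continues outside the hunk.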
@@ -928,10 +889,14 @@ conf_mount_ro(); } function _checkIP() { + global $debug; - log_error("DynDns: _checkIP() starting."); + if ($debug) + log_error("DynDns: _checkIP() starting."); $ip_address = find_interface_ip($this->_if); + if (!is_ipaddr($ip_address)) + return 0; $this->_ifIP = $ip_address; if (is_private_ip($ip_address)) { $hosttocheck = "checkip.dyndns.org"; @@ -944,20 +909,25 @@ } if ($try >= 3) { log_error("Dyndns debug information: Could not resolve {$hosttocheck} to ip using interface ip {$ip_address}."); - return $ip_address; /* XXX: Might return private ip address! */ + return 0; } $ip_ch = curl_init("http://{$checkip}"); curl_setopt($ip_ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ip_ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ip_ch, CURLOPT_INTERFACE, $ip_address); curl_setopt($ip_ch, CURLOPT_CONNECTTIMEOUT, '30'); - curl_setopt($ip_ch, CURLOPT_TIMEOUT, 60); + curl_setopt($ip_ch, CURLOPT_TIMEOUT, 120); $ip_result_page = curl_exec($ip_ch); curl_close($ip_ch); $ip_result_decoded = urldecode($ip_result_page); preg_match('/Current IP Address: (.*)<\/body>/', $ip_result_decoded, $matches); $ip_address = trim($matches[1]); - log_error("DynDns debug information: {$ip_address} extracted from {$hosttocheck}"); + if (is_ipaddr($ip_address)) + log_error("DynDns debug information: {$ip_address} extracted from {$hosttocheck}"); + else { + log_error("DynDns debug information: IP address could not be extracted from {$hosttocheck}"); + return 0; + } } else log_error("DynDns debug information: {$ip_address} extracted from local system."); diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index bdb354170da..38ab773995e 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc 
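Review bot: In _checkIP() the return value of `preg_match('/Current IP Address: (.*)<\/body>/', ...)` is still unchecked, so on a non-matching page (or an empty one when `curl_exec` fails) `$matches[1]` raises an undefined-offset notice before the new `is_ipaddr` check rejects it; test the match first: `if (!preg_match('/Current IP Address: (.*)<\/body>/', $ip_result_decoded, $matches) || !is_ipaddr(trim($matches[1]))) { log_error("DynDns debug information: IP address could not be extracted from {$hosttocheck}"); return 0; }`. The address is fetched from `http://{$checkip}` in the clear, so an on-path attacker on the WAN side can choose the address that gets published in DNS for this host; the new validation limits that to well-formed addresses, not correct ones, and a comment stating the trust boundary (`// NOTE: unauthenticated HTTP; the result is syntax-checked only`) belongs here. Returning `0` instead of the private address is also a contract change for callers outside this hunk, which should each be checked for the `0` case.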
@@ -429,7 +429,7 @@ function filter_generate_scrubing() { } /* disable scrub option */ foreach ($FilterIflist as $scrubif => $scrubcfg) { - if(isset($scrubcfg['virtual'])) + if(isset($scrubcfg['virtual']) || empty($scrubcfg['descr'])) continue; /* set up MSS clamping */ if($scrubcfg['mss'] <> "" && is_numeric($scrubcfg['mss']) && $scrubcfg['if'] != "pppoe" && $scrubcfg['if'] != "pptp" && @@ -504,17 +504,26 @@ function filter_expand_alias($alias_name) } function filter_generate_aliases() { - global $config, $FilterIflist; + global $config, $FilterIflist, $after_filter_configure_run; + if(isset($config['system']['developerspew'])) { $mt = microtime(); echo "filter_generate_aliases() being called $mt\n"; } + $alias = "#System aliases\n "; $aliases = "loopback = \"{ lo0 }\"\n"; foreach ($FilterIflist as $if => $ifcfg) { - $aliases .= "{$ifcfg['descr']} = \"{ {$ifcfg['if']}"; - $aliases .= " }\"\n"; + if (is_array($ifcfg[0])) { + if ($ifcfg[0]['if'] == 'pppoe') { + $aliases .= "{$ifcfg[0]['descr']} = \"{ {$ifcfg[0]['if']}"; + $aliases .= " }\"\n"; + } + } elseif (!empty($ifcfg['descr']) && !empty($ifcfg['if'])) { + $aliases .= "{$ifcfg['descr']} = \"{ {$ifcfg['if']}"; + $aliases .= " }\"\n"; + } } $aliases .= "\n#SSH Lockout Table\n"; @@ -547,9 +556,10 @@ function filter_generate_aliases() { case "network": case "url": $tableaddrs = "{$addrlist}{$extralias}"; - if(empty($tableaddrs)) + if(empty($tableaddrs)) { $aliases .= "table <{$aliased['name']}> persist\n"; - else + $after_filter_configure_run[] = "/sbin/pfctl -T flush -t " . escapeshellarg($aliased['name']); + } else $aliases .= "table <{$aliased['name']}> { {$addrlist}{$extralias} } \n"; $aliases .= "{$aliased['name']} = \"<{$aliased['name']}>\"\n"; 
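Review bot: `$alias = "#System aliases\n ";` in filter_generate_aliases is assigned and never read — the next line starts `$aliases` afresh with the loopback macro, so the header comment never reaches the ruleset. Either drop the line or fold it in: `$aliases = "#System aliases\nloopback = \"{ lo0 }\"\n";`. The new list-shaped branch only emits a macro when `$ifcfg[0]['if'] == 'pppoe'`, so any future list-shaped `$FilterIflist` entry that is not pppoe is silently skipped; a comment saying that is intentional (`/* only the pppoe server list is list-shaped today */`) would help the next person who adds one.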
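Review bot: The new `pfctl -T flush -t <alias>` for an alias whose address list came back empty applies to `url`-type aliases too, where an empty `$addrlist` can presumably mean "the download failed" as well as "the list is empty" (how `$addrlist` is built is outside this hunk); if so, a transient fetch failure on reload now wipes the live table, and a `block from <table>` rule silently stops blocking until the next successful fetch. That is a fail-open worth either guarding (skip the flush for `url` aliases when the fetch failed, keeping the previous contents) or at least documenting next to the flush: `// NOTE: an empty list also results from a failed URL fetch; flushing here fails open for block rules using this table`. `escapeshellarg()` on the table name is the right call since alias names come from config; the `table <{$aliased['name']}>` line just above still relies on the name already being a valid pf identifier.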
@@ -695,9 +705,15 @@ function filter_get_vpns_list() { } } /* pppoe */ - if($config['pppoe']['remoteip']) { - if(is_subnet($tunnel['remote-subnet'])) { - $vpns_arr[] = $config['pppoe']['remoteip'] ."/". $config['pppoe']['pppoe_subnet']; + if (is_array($config['pppoes']['pppoe'])) { + foreach($config['pppoes']['pppoe'] as $pppoe) { + if ($pppoe['mode'] == "server") { + if(is_ipaddr($pppoe['remoteip'])) { + $pppoesub = gen_subnet($pppoe['remoteip'], $pppoe['pppoe_subnet']); + if (is_subnet($pppoesub)) + $vpns_arr[] = $pppoesub; + } + } } } if(!empty($vpns_arr)) { @@ -788,19 +804,26 @@ function filter_generate_optcfg_array() { $oic['virtual'] = true; $FilterIflist['l2tp'] = $oic; } - if($config['pppoe']['mode'] == "server") { - $oic = array(); - $oic['if'] = 'pppoe'; - $oic['descr'] = 'pppoe'; - $oic['ip'] = $config['pppoe']['localip']; - $oic['sa'] = $config['pppoe']['remoteip']; - $oic['mode'] = $config['pppoe']['mode']; - $oic['virtual'] = true; - if($config['pppoe']['pppoe_subnet'] <> "") - $oic['sn'] = $config['pppoe']['pppoe_subnet']; - else - $oic['sn'] = "32"; - $FilterIflist['pppoe'] = $oic; + if (is_array($config['pppoes']['pppoe']) && (count($config['pppoes']['pppoe']) > 0)) { + $pppoeifs = array(); + foreach($config['pppoes']['pppoe'] as $pppoe) { + if ($pppoe['mode'] == "server") { + $oic = array(); + $oic['if'] = 'pppoe'; + $oic['descr'] = 'pppoe'; + $oic['ip'] = $pppoe['localip']; + $oic['sa'] = $pppoe['remoteip']; + $oic['mode'] = $pppoe['mode']; + $oic['virtual'] = true; + if($pppoe['pppoe_subnet'] <> "") + $oic['sn'] = $pppoe['pppoe_subnet']; + else + $oic['sn'] = "32"; + $pppoeifs[] = $oic; + } + } + if (count($pppoeifs)) + $FilterIflist['pppoe'] = $pppoeifs; } /* add ipsec interfaces */ if(isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])) { 
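Review bot: `$FilterIflist['pppoe']` becomes a list of per-server arrays while every other entry stays a single associative array, so any consumer that indexes `$FilterIflist[...]['descr']`, `['ip']` or `['sa']` now reads `null` for the pppoe key unless it special-cases it; this diff patches scrubbing, aliases, NAT and filter_generate_address, but other readers of `$FilterIflist` (reflection, bogons, anti-lockout, package hooks) are not visible here and will hit the same shape change. State the shape at the assignment so it is not "normalised" away later: `/* NOTE: unlike every other entry this is a list of interface arrays, one per enabled pppoe server; all share if/descr 'pppoe' */`. A guard that returns the first entry, or a small accessor, would be safer than expecting each caller to remember the exception.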
@@ -1021,7 +1044,6 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_ $target = $FilterIflist[$rule['target']]['ip']; else return ""; - $starting_localhost_port_tmp = $starting_localhost_port; $toomanyports = false; /* only install reflection rules for < 19991 items */ @@ -1070,7 +1092,7 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_ $toadd_array = array_merge($toadd_array, range($loc_pt[0], $loc_pt[0] + $delta)); if(!empty($toadd_array)) { - $target = explode(" ", trim($target)); + $rtarget = explode(" ", trim($target)); foreach($toadd_array as $tda) { if (empty($tda)) continue; @@ -1082,7 +1104,7 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_ $socktype = "stream"; $dash_u = ""; } - foreach ($target as $targip) { + foreach ($rtarget as $targip) { if (empty($targip)) continue; $reflection_txt[] = "{$inetdport}\t{$socktype}\t{$reflect_proto}\tnowait/0\tnobody\t/usr/bin/nc\tnc {$dash_u}-w {$reflectiontimeout} {$targip} {$tda}\n"; 
@@ -1326,19 +1348,18 @@ function filter_nat_rules_generate() { } } /* PPTP subnet */ - if(isset($FilterIflist['pptp']) && $FilterIflist['pptp']['mode'] == "server" ) { - $pptp_subnet = $FilterIflist['pptp']['sn']; - if(is_private_ip($FilterIflist['pptp']['sa']) && !empty($pptp_subnet)) { - $numberofnathosts++; - $tonathosts .= "{$FilterIflist['pptp']['sa']}/{$pptp_subnet} "; - } + if(($config['pptpd']['mode'] == "server" ) && is_private_ip($config['pptpd']['remoteip'])) { + $pptp_subnets = ip_range_to_subnet_array($config['pptpd']['remoteip'], long2ip32(ip2long($config['pptpd']['remoteip'])+$config['pptpd']['n_pptp_units'])); + $numberofnathosts += count($pptp_subnets); + $tonathosts .= implode(" ", $pptp_subnets) . " "; } /* PPPoE subnet */ - if(isset($FilterIflist['pppoe']) && $FilterIflist['pppoe']['mode'] == "server") { - $pppoe_subnet = $FilterIflist['pppoe']['sn']; - if(is_private_ip($FilterIflist['pppoe']['sa']) && !empty($pppoe_subnet)) { - $numberofnathosts++; - $tonathosts .= "{$FilterIflist['pppoe']['sa']}/{$pppoe_subnet} "; + if (is_array($FilterIflist['pppoe'])) { + foreach ($FilterIflist['pppoe'] as $pppoe) { + if(is_private_ip($pppoe['ip'])) { + $numberofnathosts++; + $tonathosts .= "{$pppoe['sa']}/{$pppoe['sn']} "; + } } } /* L2TP subnet */ @@ -1366,6 +1387,12 @@ function filter_nat_rules_generate() { } } } + /* IPsec mode_cfg subnet */ + if (isset($config['ipsec']['client']['enable']) && + !empty($config['ipsec']['client']['pool_address']) && + !empty($config['ipsec']['client']['pool_netbits'])) { + $tonathosts .= "{$config['ipsec']['client']['pool_address']}/{$config['ipsec']['client']['pool_netbits']} "; + } $natrules .= "\n# Subnets to NAT \n"; $tonathosts .= "127.0.0.0/8 "; if($numberofnathosts > 4) { 
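Review bot: The PPPoE NAT loop tests `is_private_ip($pppoe['ip'])` (the server's local address) but emits `{$pppoe['sa']}/{$pppoe['sn']}` (the client pool), whereas the code it replaces tested `sa`; a public local address with a private pool now skips outbound NAT for the pool, and the reverse adds a public pool to the NAT list — it should read `if(is_private_ip($pppoe['sa']))`. In the PPTP branch, `ip2long($remoteip) + $config['pptpd']['n_pptp_units']` spans `n_pptp_units + 1` addresses because `ip_range_to_subnet_array` is inclusive at both ends, so subtract one, and cast the config value with `(int)` so an empty setting does not become a string-to-integer addition. Whether `n_pptp_units` is defaulted elsewhere is not visible in this hunk.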
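Review bot: The IPsec mode_cfg pool is appended to `$tonathosts` without incrementing `$numberofnathosts` and without the `is_private_ip()` check the neighbouring subnets get, so the `$numberofnathosts > 4` decision a few lines down is made on a wrong count and a public pool address would be added to outbound NAT. Mirror the other branches: `if (is_private_ip($config['ipsec']['client']['pool_address'])) { $numberofnathosts++; $tonathosts .= "{$config['ipsec']['client']['pool_address']}/{$config['ipsec']['client']['pool_netbits']} "; }`.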
@@ -1642,9 +1669,12 @@ function filter_generate_address(& $rule, $target = "source", $isnat = false) { $src = "{$pptpsa}/{$pptpsn}"; break; case 'pppoe': - $pppoesa = gen_subnet($FilterIflist['pppoe']['ip'], $FilterIflist['pppoe']['sn']); - $pppoesn = $FilterIflist['pppoe']['sn']; - $src = "{$pppoesa}/{$pppoesn}"; + /* XXX: This needs to be fixed somehow! */ + if (is_array($FilterIflist['pppoe'])) { + $pppoesa = gen_subnet($FilterIflist['pppoe'][0]['ip'], $FilterIflist['pppoe'][0]['sn']); + $pppoesn = $FilterIflist['pppoe'][0]['sn']; + $src = "{$pppoesa}/{$pppoesn}"; + } break; } if(isset($rule[$target]['not'])) @@ -1703,7 +1733,6 @@ function filter_generate_user_rule($rule) { } update_filter_reload_status("Creating filter rules {$rule['descr']} ..."); $pptpdcfg = $config['pptpd']; - $pppoecfg = $config['pppoe']; $int = ""; $aline = array(); @@ -1725,6 +1754,11 @@ function filter_generate_user_rule($rule) { } else if(!array_key_exists($rule['interface'], $FilterIflist)) { foreach($FilterIflist as $oc) $item .= $oc['descr']; return "# {$item} {$rule['interface']} array key does not exist for " . $rule['descr']; + } else if((array_key_exists($rule['interface'], $FilterIflist)) + && (is_array($FilterIflist[$rule['interface']])) + && (is_array($FilterIflist[$rule['interface']][0]))) { + /* Currently this only case for this is the pppoe server. There should be an existing macro with this name. */ + $aline['interface'] = " on \$" . $rule['interface'] . " "; } else $aline['interface'] = " on \$" . $FilterIflist[$rule['interface']]['descr'] . " "; $ifcfg = $FilterIflist[$rule['interface']]; @@ -2013,7 +2047,6 @@ function filter_rules_generate() { } $pptpdcfg = $config['pptpd']; - $pppoecfg = $config['pppoe']; $ipfrules = ""; //$ipfrules .= discover_pkg_rules("filter"); diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc index 70379336900..3bd0de295cb 100644 --- a/etc/inc/globals.inc +++ b/etc/inc/globals.inc 
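Review bot: filter_generate_address now uses only `$FilterIflist['pppoe'][0]` for a rule whose address is "pppoe", as the `XXX` comment admits, so with more than one PPPoE server enabled — which this same diff makes possible — traffic from the other servers' pools no longer matches such rules: a "pass from pppoe" becomes a deny for those clients under default-deny, and a "block from pppoe" becomes a pass. Until a proper fix lands, emit every pool as a pf address list, and check how `$rule[$target]['not']` (applied just below) is combined with a list, since pf negation of a list is not the same as negation of one network. The rest of filter_generate_address is outside the hunk.
```php
case 'pppoe':
	if (is_array($FilterIflist['pppoe'])) {
		$pppoesubs = array();
		foreach ($FilterIflist['pppoe'] as $pppoe)
			$pppoesubs[] = gen_subnet($pppoe['ip'], $pppoe['sn']) . "/" . $pppoe['sn'];
		/* pf address list covering every enabled server; verify the 'not' handling below works on a list */
		$src = "{ " . implode(", ", $pppoesubs) . " }";
	}
	break;
```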
@@ -91,7 +91,7 @@ $g = array( "disablecrashreporter" => false, "crashreporterurl" => "http://crashreporter.pfsense.org/crash_reporter.php", "debug" => false, - "latest_config" => "7.8", + "latest_config" => "8.0", "nopkg_platforms" => array("cdrom"), "minimum_ram_warning" => "101", "minimum_ram_warning_text" => "128 MB", diff --git a/etc/inc/gwlb.inc b/etc/inc/gwlb.inc index 9b4c32be777..66a0af38952 100644 --- a/etc/inc/gwlb.inc +++ b/etc/inc/gwlb.inc @@ -367,7 +367,7 @@ function return_gateway_groups_array() { $gateways_arr = return_gateways_array(); $gateway_groups_array = array(); - if (0) { + if (isset($config['system']['gw_switch_default'])) { /* * NOTE: The code below is meant to replace the default gateway when it goes down. * This facilitates services running on pfSense itself and are not handled by a PBR to continue working. diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc index 393833f6072..4a3498b7b66 100644 --- a/etc/inc/interfaces.inc +++ b/etc/inc/interfaces.inc @@ -84,6 +84,46 @@ function does_interface_exist($interface) { return false; } +/* + * does_vip_exist($vip): return true or false if a vip is + * configured. + */ +function does_vip_exist($vip) { + global $config; + + if(!$vip) + return false; + + + switch ($vip['mode']) { + case "carp": + case "carpdev": + $realif = "vip{$vip['vhid']}"; + if (!does_interface_exist($realif)) { + return false; + } + break; + case "ipalias": + $realif = get_real_interface($vip['interface']); + if (!does_interface_exist($realif)) { + return false; + } + break; + case "proxyarp": + /* XXX: Implement this */ + default: + return false; + } + + $ifacedata = pfSense_getall_interface_addresses($realif); + foreach ($ifacedata as $vipips) { + if ($vipips == "{$vip['subnet']}/{$vip['subnet_bits']}") + return true; + } + + return false; +} + function interface_netgraph_needed($interface = "wan") { global $config; 
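Review bot: The replaced `if (0)` now depends on `$config`, but return_gateway_groups_array()'s `global` declaration is outside the hunk; if `$config` is not declared global in this function, the `isset()` is always false and default-gateway switching stays disabled exactly as before, just less obviously. Please confirm the function has `global $config;` (or add it) alongside its other globals, and consider a one-line comment on the new condition naming the config knob it enables.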
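Review bot: `pfSense_getall_interface_addresses($realif)` is iterated with `foreach` without checking that it returned an array; if the call fails or the interface disappears between `does_interface_exist()` and this call, PHP warns and the function falls through to `return false` anyway — guard it with `if (!is_array($ifacedata)) return false;`. The match is an exact string comparison against `"{$vip['subnet']}/{$vip['subnet_bits']}"`, so it only works when the address list uses the same textual form as the config (no zero-padding or IPv6 compression differences); a comment stating that assumption would help. The docblock says "return true or false if a vip is configured", but the function checks that the VIP's address is actually present on the interface; suggest `* does_vip_exist($vip): return true if the VIP's address is currently present on its interface, false otherwise (proxyarp not implemented).`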
@@ -3277,8 +3317,12 @@ function link_interface_to_vips($int, $action = "") { foreach ($config['virtualip']['vip'] as $vip) { if ($int == $vip['interface']) { if ($action == "update") { - interface_vip_bring_down($vip); - interfaces_vips_configure($int); + if ($vip['mode'] == "carp" && !does_interface_exist("vip{$vip['vhid']}")) + interfaces_vips_configure($int); + else { + interface_vip_bring_down($vip); + interfaces_vips_configure($int); + } } else return $vip; } diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc index e15a14c6c94..7371702438f 100644 --- a/etc/inc/ipsec.inc +++ b/etc/inc/ipsec.inc @@ -449,6 +449,10 @@ function ipsec_dump_sad() case 3: $cursa['aalgo'] = $linea[1]; break; + case 8: + $sadata = explode("(", $linea[1]); + $cursa['data'] = $sadata[0] . " B"; + break; } } $i++; diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc index 7f82975d17c..edd22bed3ef 100644 --- a/etc/inc/openvpn.inc +++ b/etc/inc/openvpn.inc @@ -367,8 +367,8 @@ function openvpn_reconfigure($mode, $settings) { // server specific settings if ($mode == 'server') { - list($ip, $mask) = explode('/', $settings['tunnel_network']); - $mask = gen_subnet_mask($mask); + list($ip, $cidr) = explode('/', $settings['tunnel_network']); + $mask = gen_subnet_mask($cidr); // configure tls modes switch($settings['mode']) { @@ -383,8 +383,13 @@ function openvpn_reconfigure($mode, $settings) { // configure p2p/server modes switch($settings['mode']) { case 'p2p_tls': - $conf .= "server {$ip} {$mask}\n"; - $conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n"; + // If the CIDR is less than a /30, OpenVPN will complain if you try to + // use the server directive. It works for a single client without it. + // See ticket #1417 + if ($cidr < 30) { + $conf .= "server {$ip} {$mask}\n"; + $conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n"; + } case 'p2p_shared_key': $baselong = ip2long32($ip) & ip2long($mask); $ip1 = long2ip32($baselong + 1); 
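Review bot: The comment says the `server` directive is skipped for networks "less than a /30", but `if ($cidr < 30)` also skips a /30 itself, so comment and condition read differently. If excluding /30 is the intent (presumably, given the ticket reference), reword to `// A /30 or smaller tunnel network cannot use the server directive; a single client works without it. See ticket #1417`; otherwise change the test to `<= 30`. `$cidr` comes from `explode()` as a string, so `intval($cidr)` makes the comparison explicit. Wrapping only part of the `p2p_tls` body in an `if` also hides that the case still falls through into `p2p_shared_key` (there is no `break`); a `// fall through` comment on the line before `case 'p2p_shared_key':` keeps that visibly deliberate. openvpn_reconfigure continues outside the hunk.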
diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index ca166349759..c75ae2065a5 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc @@ -2207,4 +2207,42 @@ function load_mac_manufacturer_table() { } -?> +/****f* pfsense-utils/is_ipaddr_configured + * NAME + * is_ipaddr_configured + * INPUTS + * IP Address to check. + * RESULT + * returns true if the IP Address is + * configured and present on this device. +*/ +function is_ipaddr_configured($ipaddr) { + $interface_list_ips = get_configured_ip_addresses(); + foreach($interface_list_ips as $ilips) { + if(strcasecmp($ipaddr, $ilips) == 0) + return true; + } +} + +/****f* pfsense-utils/pfSense_handle_custom_code + * NAME + * pfSense_handle_custom_code + * INPUTS + * directory name to process + * RESULT + * globs the directory and includes the files + */ +function pfSense_handle_custom_code($src_dir) { + // Allow extending of the nat edit page and include custom input validation + if(is_dir("$src_dir")) { + $cf = glob($src_dir . "/*.inc"); + foreach($cf as $nf) { + if($nf == "." || $nf == "..") + continue; + // Include the extra handler + include("$nf"); + } + } +} + +?> \ No newline at end of file diff --git a/etc/inc/pkg-utils.inc b/etc/inc/pkg-utils.inc index 070dade9494..ebc2df250c1 100644 --- a/etc/inc/pkg-utils.inc +++ b/etc/inc/pkg-utils.inc 
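Review bot: `is_ipaddr_configured()` falls off the end without a `return false;` when nothing matches, so it returns null rather than the documented false; add `return false;` after the loop. `pfSense_handle_custom_code()` is an include-every-file primitive: `glob($src_dir . "/*.inc")` never yields `.` or `..`, so that check is dead code, and `glob()` can return false, which makes the `foreach` warn — use `$cf = glob($src_dir . "/*.inc"); if (!is_array($cf)) return;`. Because every matching file is executed with `include`, callers must only ever pass fixed, trusted directories; a header comment making that contract explicit (`// $src_dir must be a fixed, trusted path: every *.inc found there is executed.`) and an `is_dir()` check on the resolved path would keep a future caller from feeding it request-derived input. The "nat edit page" comment inside the function is narrower than the function's name suggests; the docblock could state the general purpose instead.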
@@ -141,10 +141,10 @@ function get_pkg_id($pkg_name) { /****f* pkg-utils/get_pkg_info * NAME - * get_pkg_info - Retrive package information from pfsense.com. + * get_pkg_info - Retrieve package information from pfsense.com. * INPUTS - * $pkgs - 'all' to retrive all packages, an array containing package names otherwise - * $info - 'all' to retrive all information, an array containing keys otherwise + * $pkgs - 'all' to retrieve all packages, an array containing package names otherwise + * $info - 'all' to retrieve all information, an array containing keys otherwise * RESULT * $raw_versions - Array containing retrieved information, indexed by package name. ******/ diff --git a/etc/inc/priv.defs.inc b/etc/inc/priv.defs.inc index 941120c3d4e..4a4855ed55a 100644 --- a/etc/inc/priv.defs.inc +++ b/etc/inc/priv.defs.inc @@ -955,6 +955,12 @@ $priv_list['page-system-usermanager']['descr'] = "Allow access to the 'System: U $priv_list['page-system-usermanager']['match'] = array(); $priv_list['page-system-usermanager']['match'][] = "system_usermanager.php*"; +$priv_list['page-system-usermanager-passwordmg'] = array(); +$priv_list['page-system-usermanager-passwordmg']['name'] = "WebCfg - System: User Password Manager page"; +$priv_list['page-system-usermanager-passwordmg']['descr'] = "Allow access to the 'System: User Password Manager' page."; +$priv_list['page-system-usermanager-passwordmg']['match'] = array(); +$priv_list['page-system-usermanager-passwordmg']['match'][] = "system_usermanager_passwordmg.php*"; + $priv_list['page-system-usermanager_addcert'] = array(); $priv_list['page-system-usermanager_addcert']['name'] = "WebCfg - System: User Manager: Add Certificate"; $priv_list['page-system-usermanager_addcert']['descr'] = "Allow access to the 'User Manager: Add Certificate' page."; diff --git a/etc/inc/rrd.inc b/etc/inc/rrd.inc index 4d1c456b46d..8ae459b34b0 100644 --- a/etc/inc/rrd.inc +++ b/etc/inc/rrd.inc 
@@ -394,7 +394,7 @@ function enable_rrd_graphing() { $rrdupdatesh .= " sleep 0.2\n"; $rrdupdatesh .= " echo \"quit\"\n"; $rrdupdatesh .= "}\n"; - $rrdupdatesh .= "OVPN=`list_current_users | nc -U {$g['varetc_path']}/openvpn/server{$vpnid}.sock | awk -F\",\" '/^CLIENT_LIST/ {print \$2}' | wc -l | awk '{print $1}'` &\n"; + $rrdupdatesh .= "OVPN=`list_current_users | nc -U {$g['varetc_path']}/openvpn/server{$vpnid}.sock | awk -F\",\" '/^CLIENT_LIST/ {print \$2}' | wc -l | awk '{print $1}'`\n"; $rrdupdatesh .= "$rrdtool update $rrddbpath$ifname$vpnusers N:\${OVPN}\n"; } diff --git a/etc/inc/services.inc b/etc/inc/services.inc index 7108bc381cf..d5c9ada226e 100644 --- a/etc/inc/services.inc +++ b/etc/inc/services.inc @@ -275,7 +275,7 @@ EOPP; $dhcpdconf .= " deny dynamic bootp clients;\n"; if (isset($dhcpifconf['denyunknown'])) - $dhcpdconf .= " deny unknown clients;\n"; + $dhcpdconf .= " deny unknown-clients;\n"; if ($dhcpifconf['gateway']) $routers = $dhcpifconf['gateway']; @@ -606,8 +606,6 @@ function services_dyndns_configure_client($conf) { /* load up the dyndns.class */ require_once("dyndns.class"); - log_error("DynDns: Running updatedns()"); - $dns = new updatedns($dnsService = $conf['type'], $dnsHost = $conf['host'], $dnsUser = $conf['username'], diff --git a/etc/inc/system.inc b/etc/inc/system.inc index e2c02aaaa3a..0d9a9fd0191 100644 --- a/etc/inc/system.inc +++ b/etc/inc/system.inc @@ -86,7 +86,9 @@ function system_resolvconf_generate($dynupdate = false) { $syscfg = $config['system']; - $resolvconf = "domain {$syscfg['domain']}\n"; + // Do not create blank domain lines, it breaks tools like dig. + if($syscfg['domain']) + $resolvconf = "domain {$syscfg['domain']}\n"; $havedns = false; 
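Review bot: With the new `if($syscfg['domain'])` guard, `$resolvconf` is never initialised when no domain is set, so the nameserver lines presumably appended later in system_resolvconf_generate operate on an undefined variable (PHP notice, relying on silent coercion to an empty string). Initialise it first: `$resolvconf = ""; if($syscfg['domain']) $resolvconf .= "domain {$syscfg['domain']}\n";`. The rest of system_resolvconf_generate is outside the hunk.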
@@ -116,9 +118,12 @@ function system_resolvconf_generate($dynupdate = false) { } } + $dnslock = lock('resolvconf', LOCK_EX); + $fd = fopen("{$g['varetc_path']}/resolv.conf", "w"); if (!$fd) { printf("Error: cannot open resolv.conf in system_resolvconf_generate().\n"); + unlock($dnslock); return 1; } @@ -148,7 +153,9 @@ function system_resolvconf_generate($dynupdate = false) { } } } - + + unlock($dnslock); + return 0; } @@ -734,8 +741,10 @@ function system_webgui_start() { } /* generate lighttpd configuration */ + $max_procs = ($config['system']['webgui']['max_procs']) ? $config['system']['webgui']['max_procs'] : 2; system_generate_lighty_config("{$g['varetc_path']}/lighty-webConfigurator.conf", - $crt, $key, $ca, "lighty-webConfigurator.pid", $portarg, "/usr/local/www/"); + $crt, $key, $ca, "lighty-webConfigurator.pid", $portarg, "/usr/local/www/", + "cert.pem", "ca.pem", $max_procs); /* attempt to start lighthttpd */ $res = mwexec("/usr/local/sbin/lighttpd -f {$g['varetc_path']}/lighty-webConfigurator.conf"); @@ -815,6 +824,7 @@ function system_generate_lighty_config($filename, } // Ramp up captive portal max procs + // Work relative to the default of 2, for values that would be >2. if($captive_portal == true) { if($avail > 65 and $avail < 98) { $max_procs = 1; 
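Review bot: `lock('resolvconf', LOCK_EX)` is taken before the fopen and released only on the fopen-failure path and at the final `return 0`; any other `return` in the stretch of system_resolvconf_generate between these two hunks (not shown here) would exit holding the lock. Please check that stretch, and consider releasing in one place (set a result code and fall through to a single `unlock($dnslock); return $rc;`) so future early exits cannot leak it.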
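Review bot: `$config['system']['webgui']['max_procs']` is passed straight through to system_generate_lighty_config() and from there into `max-procs`/`PHP_FCGI_CHILDREN` in the lighttpd config; a non-numeric or zero config value would be written verbatim. Normalise it here: `$max_procs = intval($config['system']['webgui']['max_procs']); if ($max_procs < 1) $max_procs = 2;`. The new positional arguments `"cert.pem", "ca.pem", $max_procs` are also undocumented at the call site; a short comment naming them (cert filename, CA filename, FastCGI child count) would help, since the callee's signature is outside this hunk.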
@@ -823,38 +833,38 @@ function system_generate_lighty_config($filename, $max_procs = 2; } if($avail > 127 and $avail < 256) { - $max_procs = 3; + $max_procs += 1; } if($avail > 255 and $avail < 384) { - $max_procs = 4; + $max_procs += 2; } if($avail > 383) { - $max_procs = 5; + $max_procs += 3; } } if($captive_portal == true) { $bin_environment = << ( - "PHP_FCGI_CHILDREN" => "$max_procs", - "PHP_FCGI_MAX_REQUESTS" => "500" - ), + "bin-environment" => ( + "PHP_FCGI_CHILDREN" => "$max_procs", + "PHP_FCGI_MAX_REQUESTS" => "500" + ), EOC; } else if ($avail > 0 and $avail < 128) { $bin_environment = << ( - "PHP_FCGI_CHILDREN" => "$max_procs", - "PHP_FCGI_MAX_REQUESTS" => "2", - ), + "bin-environment" => ( + "PHP_FCGI_CHILDREN" => "$max_procs", + "PHP_FCGI_MAX_REQUESTS" => "2", + ), EOC; } else $bin_environment = << ( - "PHP_FCGI_CHILDREN" => "$max_procs", - "PHP_FCGI_MAX_REQUESTS" => "500" - ), + "bin-environment" => ( + "PHP_FCGI_CHILDREN" => "$max_procs", + "PHP_FCGI_MAX_REQUESTS" => "500" + ), EOC; if($fast_cgi_enable == true) { @@ -869,7 +879,7 @@ fastcgi.server = ( ".php" => "socket" => "{$g['tmp_path']}/php-fastcgi.socket", "min-procs" => 0, "max-procs" => {$max_procs}, - {$bin_environment} +{$bin_environment} "bin-path" => "/usr/local/bin/php" ) ) @@ -1166,9 +1176,16 @@ function system_ntp_configure() { $xmlsettings = $config['installedpackages']['openntpd']['config'][0]; if ($xmlsettings['enable'] == 'on') { $ifaces = explode(',', $xmlsettings['interface']); - $ifaces = array_map('get_real_interface', $ifaces); - $ifaces = array_filter($ifaces, 'does_interface_exist'); - $ips = array_map('find_interface_ip', $ifaces); + $ips = array(); + foreach ($ifaces as $if) { + if (is_ipaddr($if)) { + $ips[] = $if; + } else { + $if = get_real_interface($if); + if (does_interface_exist($if)) + $ips[] = find_interface_ip($if); + } + } foreach ($ips as $ip) { if (is_ipaddr($ip)) $ntpcfg .= "listen on $ip\n"; 
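Review bot: An entry of `$xmlsettings['interface']` that already looks like an address is written to `listen on` without checking that the address is actually bound on this host, whereas interface names still go through `does_interface_exist()`; a stale VIP or alias address would produce a `listen on` line ntpd cannot bind. This same commit adds `is_ipaddr_configured()` in pfsense-utils.inc, which fits here: `if (is_ipaddr($if) && is_ipaddr_configured($if)) {`. The elements of `explode(',', ...)` are not trimmed either, so a stray space makes both `is_ipaddr()` and `get_real_interface()` miss; `$if = trim($if);` at the top of the loop covers that. system_ntp_configure starts before this hunk.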
@@ -1251,6 +1268,7 @@ function system_reboot_cleanup() { captiveportal_radius_stop_all(); require_once("voucher.inc"); voucher_save_db_to_config(); + // mwexec("/etc/rc.stop_packages"); } function system_do_shell_commands($early = 0) { @@ -1488,4 +1506,23 @@ function system_get_dmesg_boot() { return file_get_contents("{$g['varlog_path']}/dmesg.boot"); } +function openntpd_get_listen_ips() { + $interfaces = get_configured_interface_with_descr(); + $carplist = get_configured_carp_interface_list(); + $listenips = array(); + foreach ($carplist as $cif => $carpip) + $interfaces[$cif] = $carpip." (".get_vip_descr($carpip).")"; + $aliaslist = get_configured_ip_aliases_list(); + foreach ($aliaslist as $aliasip => $aliasif) + $interfaces[$aliasip] = $aliasip." (".get_vip_descr($aliasip).")"; + foreach ($interfaces as $iface => $ifacename) { + $tmp["name"] = $ifacename; + $tmp["value"] = $iface; + $listenips[] = $tmp; + } + $tmp["name"] = "Localhost"; + $tmp["value"] = "lo0"; + $listenips[] = $tmp; + return $listenips; +} ?> diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc index a158ded964e..29f0ac02d3d 100644 --- a/etc/inc/upgrade_config.inc +++ b/etc/inc/upgrade_config.inc @@ -2490,4 +2490,22 @@ function upgrade_077_to_078() { $config['pptpd']['radius'] = $radarr; } } + +function upgrade_078_to_079() { + global $g; + /* Delete old and unused RRD file */ + unlink_if_exists("{$g['vardb_path']}/rrd/captiveportal-totalusers.rrd"); +} + +function upgrade_079_to_080() { + global $config; + + /* Upgrade config in 1.2.3 specifying a username other than admin for synching. */ + if (!empty($config['system']['username']) && is_array($config['installedpackages']['carpsettings']) && + is_array($config['installedpackages']['carpsettings']['config'])) { + $config['installedpackages']['carpsettings']['config'][0]['username'] = $config['system']['username']; + unset($config['system']['username']); + } +} + ?> 
diff --git a/etc/inc/util.inc b/etc/inc/util.inc index 7b8fc577c96..b165fec17b2 100644 --- a/etc/inc/util.inc +++ b/etc/inc/util.inc @@ -1250,29 +1250,30 @@ function is_interface_vlan_mismatch() { } function is_interface_mismatch() { - global $config, $g; + global $config, $g; - /* XXX: Should we process only enabled interfaces?! */ - $do_assign = false; - $i = 0; + $do_assign = false; + $i = 0; if (is_array($config['interfaces'])) { - foreach ($config['interfaces'] as $ifname => $ifcfg) { - if (preg_match("/^enc|^cua|^tun|^l2tp|^pptp|^ppp|^ovpn|^gif|^gre|^lagg|^bridge|vlan|_wlan/i", $ifcfg['if'])) { - $i++; - } - else if (does_interface_exist($ifcfg['if']) == false) { + foreach ($config['interfaces'] as $ifname => $ifcfg) { + if (preg_match("/^enc|^cua|^tun|^l2tp|^pptp|^ppp|^ovpn|^gif|^gre|^lagg|^bridge|vlan|_wlan/i", $ifcfg['if'])) { + // Do not check these interfaces. + $i++; + continue; + } + else if (does_interface_exist($ifcfg['if']) == false) { $do_assign = true; - } else - $i++; - } + } else + $i++; + } } - if ($g['minimum_nic_count'] > $i) { - $do_assign = true; - } else if (file_exists("{$g['tmp_path']}/assign_complete")) - $do_assign = false; + if ($g['minimum_nic_count'] > $i) { + $do_assign = true; + } else if (file_exists("{$g['tmp_path']}/assign_complete")) + $do_assign = false; - return $do_assign; + return $do_assign; } /* sync carp entries to other firewalls */ diff --git a/etc/inc/voucher.inc b/etc/inc/voucher.inc index ec5971688c6..be3e32260bf 100644 --- a/etc/inc/voucher.inc +++ b/etc/inc/voucher.inc @@ -29,7 +29,7 @@ */ /* - pfSense_BUILDER_BINARIES: /usr/local/bin/voucher /usr/local/bin/minicron + pfSense_BUILDER_BINARIES: /usr/local/bin/voucher pfSense_MODULE: captiveportal */ 
@@ -37,6 +37,53 @@ if(!function_exists('captiveportal_syslog')) require_once("captiveportal.inc"); +function xmlrpc_sync_voucher_expire($vouchers, $syncip, $port, $password, $username) { + global $g, $config; + require_once("xmlrpc.inc"); + if($port == "443") + $url = "https://{$syncip}"; + else + $url = "http://{$syncip}"; + + /* Construct code that is run on remote machine */ + $method = 'pfsense.exec_php'; + $execcmd = <<setCredentials($username, $password); + $resp = $cli->send($msg, "250"); + if(!is_object($resp)) { + $error = "A communications error occurred while attempting CaptivePortalVoucherSync XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + log_error($error); + file_notice("CaptivePortalVoucherSync", $error, "Communications error occurred", ""); + return false; + } elseif($resp->faultCode()) { + $error = "An error code was received while attempting CaptivePortalVoucherSync XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("CaptivePortalVoucherSync", $error, "Error code received", ""); + return false; + } else { + log_error("CaptivePortalVoucherSync XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); + } + + $toreturn = XML_RPC_Decode($resp->value()); + + return $toreturn; +} + function xmlrpc_sync_voucher_disconnect($dbent, $syncip, $port, $password, $username, $term_cause = "1", $stop_time = null) { global $g, $config; require_once("xmlrpc.inc"); 
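Review bot: The PHP source sent to the peer via `pfsense.exec_php` is built in a heredoc that this rendering has garbled, so I cannot see how `$vouchers` is embedded; if it is interpolated verbatim into a quoted PHP string, a value containing a quote or `$` changes the code the peer executes, so it should be emitted as a PHP literal built with `var_export($vouchers, true)` rather than raw interpolation. The transport choice mirrors xmlrpc_sync_voucher_disconnect(): anything but port 443 uses plain `http://`, which carries the sync username and password in the clear — a comment on the `$url` assignment noting that the sync port should be the HTTPS port would be worthwhile. On failure the function returns `false` and on success the decoded response; the caller in voucher_expire() discards the result, so a failed remote expire is only logged.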
@@ -138,6 +185,112 @@ EOF; return $toreturn['timeleft']; } +function voucher_expire($voucher_received) { + global $g, $config; + + $voucherlck = lock('voucher', LOCK_EX); + + // XMLRPC Call over to the master Voucher node + if(!empty($config['voucher']['vouchersyncdbip'])) { + $syncip = $config['voucher']['vouchersyncdbip']; + $syncport = $config['voucher']['vouchersyncport']; + $syncpass = $config['voucher']['vouchersyncpass']; + $vouchersyncusername = $config['voucher']['vouchersyncusername']; + xmlrpc_sync_voucher_expire($voucher_received, $syncip, $syncport, $syncpass, $vouchersyncusername); + } + + // read rolls into assoc array with rollid as key and minutes as value + $tickets_per_roll = array(); + $minutes_per_roll = array(); + if (is_array($config['voucher']['roll'])) { + foreach ($config['voucher']['roll'] as $rollent) { + $tickets_per_roll[$rollent['number']] = $rollent['count']; + $minutes_per_roll[$rollent['number']] = $rollent['minutes']; + } + } + + // split into an array. Useful for multiple vouchers given + $a_vouchers_received = split("[\t\n\r ]+",$voucher_received); + $active_dirty = false; + + $cpdb = captiveportal_read_db(false, 4); /* Indexed by Voucher */ + $unsetindexes[] = array(); + + // go through all received vouchers, check their valid and extract + // Roll# and Ticket# using the external readvoucher binary + foreach ($a_vouchers_received as $voucher) { + $v = escapeshellarg($voucher); + if (strlen($voucher) < 3) + continue; // seems too short to be a voucher! + + $result = exec("/usr/local/bin/voucher -c {$g['varetc_path']}/voucher.cfg -k {$g['varetc_path']}/voucher.public -- $v"); + list($status, $roll, $nr) = explode(" ", $result); + if ($status == "OK") { + // check if we have this ticket on a registered roll for this ticket + if ($tickets_per_roll[$roll] && ($nr <= $tickets_per_roll[$roll])) { + // voucher is from a registered roll. 
+ if (!isset($active_vouchers[$roll])) + $active_vouchers[$roll] = voucher_read_active_db($roll); + // valid voucher. Store roll# and ticket# + if (!empty($active_vouchers[$roll][$voucher])) { + $active_dirty = true; + unset($active_vouchers[$roll][$voucher]); + } + // check if voucher already marked as used + if (!isset($bitstring[$roll])) + $bitstring[$roll] = voucher_read_used_db($roll); + $pos = $nr >> 3; // divide by 8 -> octet + $mask = 1 << ($nr % 8); + // mark bit for this voucher as used + if (!(ord($bitstring[$roll][$pos]) & $mask)) + $bitstring[$roll][$pos] = chr(ord($bitstring[$roll][$pos]) | $mask); + captiveportal_syslog("{$voucher} ({$roll}/{$nr}) forced to expire"); + + /* Check if this voucher has any active sessions */ + if (isset($cpdb[$voucher])) { + $cpentry = $cpdb[$voucher]; + captiveportal_disconnect($cpentry,null,13); + captiveportal_logportalauth($cpentry[4],$cpentry[3],$cpentry[2],"FORCLY TERMINATING VOUCHER {$voucher} SESSION"); + unset($cpdb[$voucher]); + $unsetindexes[] = $cpentry[5]; + } + } else + captiveportal_syslog("$voucher ($roll/$nr): not found on any registererd Roll"); + } else + // hmm, thats weird ... 
not what I expected + captiveportal_syslog("$voucher invalid: $result !!"); + } + + // Refresh active DBs + if ($active_dirty == true) { + foreach ($active_vouchers as $roll => $active) + voucher_write_active_db($roll, $active); + + /* Triger a sync of the vouchers on config */ + send_event("service sync vouchers"); + } + + // Write back the used DB's + if (is_array($bitstring)) { + foreach ($bitstring as $roll => $used) { + if(is_array($used)) { + foreach($used as $u) + voucher_write_used_db($roll, base64_encode($u)); + } else { + voucher_write_used_db($roll, base64_encode($used)); + } + } + } + + unlock($voucherlck); + + /* Write database */ + if (!empty($unsetindexes)) + captiveportal_write_db($cpdb, false, $unsetindexes); + + return true; +} + /* * Authenticate a voucher and return the remaining time credit in minutes * if $test is set, don't mark the voucher as used nor add it to the list @@ -146,17 +299,16 @@ EOF; * but return a more verbose error and result message back */ function voucher_auth($voucher_received, $test = 0) { - global $g, $config; + global $g, $config; - $voucherlck = lock('voucher', LOCK_EX); + $voucherlck = lock('voucher', LOCK_EX); // XMLRPC Call over to the master Voucher node - $a_voucher = &$config['voucher']; - if(!empty($a_voucher['vouchersyncdbip'])) { - $syncip = $a_voucher['vouchersyncdbip']; - $syncport = $a_voucher['vouchersyncport']; - $syncpass = $a_voucher['vouchersyncpass']; - $vouchersyncusername = $a_voucher['vouchersyncusername']; + if(!empty($config['voucher']['vouchersyncdbip'])) { + $syncip = $config['voucher']['vouchersyncdbip']; + $syncport = $config['voucher']['vouchersyncport']; + $syncpass = $config['voucher']['vouchersyncpass']; + $vouchersyncusername = $config['voucher']['vouchersyncusername']; $remote_time_used = xmlrpc_sync_used_voucher($voucher_received, $syncip, $syncport, $syncpass, $vouchersyncusername); } 
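Review bot: `$unsetindexes[] = array();` seeds the list with an empty array element instead of initialising it, so `!empty($unsetindexes)` is always true and `captiveportal_write_db()` receives a bogus index even when no session was terminated; it should be `$unsetindexes = array();`. The roll/ticket validation, used-bit update and active-DB bookkeeping duplicate the body of voucher_auth() below; a shared helper (decode voucher to status/roll/nr, load the per-roll active and used DBs) would keep the two from drifting. `split()` is deprecated since PHP 5.3; `preg_split('/[\t\n\r ]+/', $voucher_received)` is the drop-in. The captive portal DB is read and written outside the voucher lock, which is fine only if captiveportal_write_db() takes its own lock — a one-line comment at the write saying so would save the next reader the check.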
@@ -164,112 +316,108 @@ function voucher_auth($voucher_received, $test = 0) { $tickets_per_roll = array(); $minutes_per_roll = array(); if (is_array($config['voucher']['roll'])) { - $a_roll = &$config['voucher']['roll']; - foreach ($a_roll as $rollent) { + foreach ($config['voucher']['roll'] as $rollent) { $tickets_per_roll[$rollent['number']] = $rollent['count']; $minutes_per_roll[$rollent['number']] = $rollent['minutes']; } } - // split into an array. Useful for multiple vouchers given - $a_vouchers_received = split("[\t\n\r ]+",$voucher_received); - $error = 0; - $test_result = array(); // used to display for voucher test option in GUI - $total_minutes = 0; - $first_voucher = ""; - $first_voucher_roll = 0; - - // go through all received vouchers, check their valid and extract - // Roll# and Ticket# using the external readvoucher binary - - foreach ($a_vouchers_received as $voucher) { - - $v = escapeshellarg($voucher); - if (strlen($voucher) < 3) - continue; // seems too short to be a voucher! - - $result = exec("/usr/local/bin/voucher -c {$g['varetc_path']}/voucher.cfg -k {$g['varetc_path']}/voucher.public -- $v"); - list($status, $roll, $nr) = explode(" ", $result); - if ($status == "OK") { - if (!$first_voucher) { + // split into an array. Useful for multiple vouchers given + $a_vouchers_received = split("[\t\n\r ]+",$voucher_received); + $error = 0; + $test_result = array(); // used to display for voucher test option in GUI + $total_minutes = 0; + $first_voucher = ""; + $first_voucher_roll = 0; + + // go through all received vouchers, check their valid and extract + // Roll# and Ticket# using the external readvoucher binary + foreach ($a_vouchers_received as $voucher) { + $v = escapeshellarg($voucher); + if (strlen($voucher) < 3) + continue; // seems too short to be a voucher! 
+ + $result = exec("/usr/local/bin/voucher -c {$g['varetc_path']}/voucher.cfg -k {$g['varetc_path']}/voucher.public -- $v"); + list($status, $roll, $nr) = explode(" ", $result); + if ($status == "OK") { + if (!$first_voucher) { // store first voucher. Thats the one we give the timecredit - $first_voucher = $voucher; - $first_voucher_roll = $roll; - } - // check if we have this ticket on a registered roll for this ticket - if ($tickets_per_roll[$roll] && ($nr <= $tickets_per_roll[$roll])) { - // voucher is from a registered roll. - if (!isset($active_vouchers[$roll])) - $active_vouchers[$roll] = voucher_read_active_db($roll); - // valid voucher. Store roll# and ticket# - if (!empty($active_vouchers[$roll][$voucher])) { - list($timestamp,$minutes) = explode(",", $active_vouchers[$roll][$voucher]); - // we have an already active voucher here. - $remaining = intval((($timestamp + (60*$minutes)) - time())/60); - $test_result[] = "$voucher ($roll/$nr) active and good for $remaining Minutes"; - $total_minutes += $remaining; - } else { - // voucher not used. Check if ticket Id is on the roll (not too high) - // and if the ticket is marked used. - // check if voucher already marked as used - if (!isset($bitstring[$roll])) - $bitstring[$roll] = voucher_read_used_db($roll); - $pos = $nr >> 3; // divide by 8 -> octet - $mask = 1 << ($nr % 8); - if (ord($bitstring[$roll][$pos]) & $mask) { - $test_result[] = "$voucher ($roll/$nr) already used and expired"; + $first_voucher = $voucher; + $first_voucher_roll = $roll; + } + // check if we have this ticket on a registered roll for this ticket + if ($tickets_per_roll[$roll] && ($nr <= $tickets_per_roll[$roll])) { + // voucher is from a registered roll. + if (!isset($active_vouchers[$roll])) + $active_vouchers[$roll] = voucher_read_active_db($roll); + // valid voucher. 
Store roll# and ticket# + if (!empty($active_vouchers[$roll][$voucher])) { + list($timestamp,$minutes) = explode(",", $active_vouchers[$roll][$voucher]); + // we have an already active voucher here. + $remaining = intval((($timestamp + (60*$minutes)) - time())/60); + $test_result[] = "$voucher ($roll/$nr) active and good for $remaining Minutes"; + $total_minutes += $remaining; + } else { + // voucher not used. Check if ticket Id is on the roll (not too high) + // and if the ticket is marked used. + // check if voucher already marked as used + if (!isset($bitstring[$roll])) + $bitstring[$roll] = voucher_read_used_db($roll); + $pos = $nr >> 3; // divide by 8 -> octet + $mask = 1 << ($nr % 8); + if (ord($bitstring[$roll][$pos]) & $mask) { + $test_result[] = "$voucher ($roll/$nr) already used and expired"; captiveportal_syslog("$voucher ($roll/$nr) already used and expired"); - $total_minutes = -1; // voucher expired - $error++; - } else { - // mark bit for this voucher as used - $bitstring[$roll][$pos] = chr(ord($bitstring[$roll][$pos]) | $mask); - $test_result[] = "$voucher ($roll/$nr) good for {$minutes_per_roll[$roll]} Minutes"; - $total_minutes += $minutes_per_roll[$roll]; - } - } - } else { - $test_result[] = "$voucher ($roll/$nr): not found on any registererd Roll"; - captiveportal_syslog("$voucher ($roll/$nr): not found on any registererd Roll"); - } - } else { - // hmm, thats weird ... 
not what I expected - $test_result[] = "$voucher invalid: $result !!"; - captiveportal_syslog("$voucher invalid: $result !!"); - $error++; - } - } + $total_minutes = -1; // voucher expired + $error++; + } else { + // mark bit for this voucher as used + $bitstring[$roll][$pos] = chr(ord($bitstring[$roll][$pos]) | $mask); + $test_result[] = "$voucher ($roll/$nr) good for {$minutes_per_roll[$roll]} Minutes"; + $total_minutes += $minutes_per_roll[$roll]; + } + } + } else { + $test_result[] = "$voucher ($roll/$nr): not found on any registererd Roll"; + captiveportal_syslog("$voucher ($roll/$nr): not found on any registererd Roll"); + } + } else { + // hmm, thats weird ... not what I expected + $test_result[] = "$voucher invalid: $result !!"; + captiveportal_syslog("$voucher invalid: $result !!"); + $error++; + } + } - // if this was a test call, we're done. Return the result. - if ($test) { - if ($error) { - $test_result[] = "Access denied!"; - } else { - $test_result[] = "Access granted for $total_minutes Minutes in total."; - } - unlock($voucherlck); - return $test_result; - } + // if this was a test call, we're done. Return the result. + if ($test) { + if ($error) { + $test_result[] = "Access denied!"; + } else { + $test_result[] = "Access granted for $total_minutes Minutes in total."; + } + unlock($voucherlck); - // if we had an error (one of the vouchers is invalid), return 0. - // Discussion: we could return the time remaining for good vouchers, but then - // the user wouldn't know that he used at least one invalid voucher. + return $test_result; + } - if ($error) { + // if we had an error (one of the vouchers is invalid), return 0. + // Discussion: we could return the time remaining for good vouchers, but then + // the user wouldn't know that he used at least one invalid voucher. 
+ if ($error) { unlock($voucherlck); - if ($total_minutes > 0) // probably not needed, but want to make sure - $total_minutes = 0; // we only report -1 (expired) or 0 (no access) - return $total_minutes; // well, at least one voucher had errors. Say NO ACCESS - } + if ($total_minutes > 0) // probably not needed, but want to make sure + $total_minutes = 0; // we only report -1 (expired) or 0 (no access) + return $total_minutes; // well, at least one voucher had errors. Say NO ACCESS + } // If we did a XMLRPC sync earlier check the timeleft - if(!empty($a_voucher['vouchersyncdbip'])) + if (!empty($config['voucher']['vouchersyncdbip'])) if($remote_time_used < $total_minutes) $total_minutes = $remote_time_used; - // All given vouchers were valid and this isn't simply a test. - // Write back the used DB's - + // All given vouchers were valid and this isn't simply a test. + // Write back the used DB's if (is_array($bitstring)) { foreach ($bitstring as $roll => $used) { if(is_array($used)) { 
@@ -281,32 +429,31 @@ function voucher_auth($voucher_received, $test = 0) { } } - // Active DB: we only add the first voucher if multiple given - // and give that one all the time credit. This allows the user to logout and - // log in later using just the first voucher. It also keeps username limited - // to one voucher and that voucher shows the correct time credit in 'active vouchers' + // Active DB: we only add the first voucher if multiple given + // and give that one all the time credit. This allows the user to logout and + // log in later using just the first voucher. It also keeps username limited + // to one voucher and that voucher shows the correct time credit in 'active vouchers' + if (!empty($active_vouchers[$first_voucher_roll][$first_voucher])) { + list($timestamp, $minutes) = explode(",", $active_vouchers[$first_voucher_roll][$first_voucher]); + } else { + $timestamp = time(); // new voucher + $minutes = $total_minutes; + } - if (!empty($active_vouchers[$first_voucher_roll][$first_voucher])) { - list($timestamp, $minutes) = explode(",", $active_vouchers[$first_voucher_roll][$first_voucher]); - } else { - $timestamp = time(); // new voucher - $minutes = $total_minutes; - } + $active_vouchers[$first_voucher_roll][$first_voucher] = "$timestamp,$minutes"; + voucher_write_active_db($roll, $active_vouchers[$first_voucher_roll]); - $active_vouchers[$first_voucher_roll][$first_voucher] = "$timestamp,$minutes"; - voucher_write_active_db($roll, $active_vouchers[$first_voucher_roll]); + /* Triger a sync of the vouchers on config */ + send_event("service sync vouchers"); - unlock($voucherlck); + unlock($voucherlck); - return $total_minutes; + return $total_minutes; } function voucher_configure($sync = false) { global $config, $g; - /* kill any running minicron */ - killbypid("{$g['varrun_path']}/vouchercron.pid"); - if (!isset($config['voucher']['enable'])) return 0; 
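Review bot: `voucher_write_active_db($roll, $active_vouchers[$first_voucher_roll]);` writes the first voucher's active DB under `$roll`, which is whatever the last iteration of the voucher loop left there; when several vouchers from different rolls are submitted, the first roll's active entries land in the last roll's file. The line is re-indented by this commit but not fixed; it should read `voucher_write_active_db($first_voucher_roll, $active_vouchers[$first_voucher_roll]);`. voucher_auth begins before this hunk.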
@@ -315,15 +462,6 @@ function voucher_configure($sync = false) { if ($sync == true) captiveportal_syslog("Writing voucher db from sync data..."); - // start cron if we're asked to save runtime DB periodically - // to XML config if it changed - $croninterval = $config['voucher']['saveinterval'] * 60; // need seconds. Config has minutes - if ($croninterval) { - /* start pruning process (interval defaults to 60 seconds) */ - mwexec("/usr/local/bin/minicron $croninterval {$g['varrun_path']}/vouchercron.pid " . - "/etc/rc.savevoucher"); - } - $voucherlck = lock('voucher', LOCK_EX); /* write public key used to verify vouchers */ @@ -352,11 +490,10 @@ function voucher_configure($sync = false) { if (($g['booting'] || $sync == true) && is_array($config['voucher']['roll'])) { - // create active and used DB per roll on ramdisk from config - $a_roll = &$config['voucher']['roll']; $voucherlck = lock('voucher', LOCK_EX); - foreach ($a_roll as $rollent) { + // create active and used DB per roll on ramdisk from config + foreach ($config['voucher']['roll'] as $rollent) { $roll = $rollent['number']; voucher_write_used_db($roll, $rollent['used']); @@ -421,8 +558,12 @@ function voucher_read_active_db($roll) { } } fclose($fd); - if ($dirty) // if we found expired entries, lets save our snapshot + if ($dirty) { // if we found expired entries, lets save our snapshot voucher_write_active_db($roll, $active); + + /* Triger a sync of the vouchers on config */ + send_event("service sync vouchers"); + } } } return $active; @@ -432,6 +573,8 @@ function voucher_read_active_db($roll) { function voucher_write_active_db($roll, $active) { global $g; + if (!is_array($active)) + return; $fd = fopen("{$g['vardb_path']}/voucher_active_$roll.db", "w"); if ($fd) { foreach($active as $voucher => $value) 
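Review bot: `send_event("service sync vouchers")` is now fired from inside voucher_read_active_db(), which voucher_auth() and voucher_expire() call while holding `lock('voucher', LOCK_EX)`; voucher_save_db_to_config() takes the same lock, so this only works if the event is handled asynchronously by another process, which the rc.bootup change in this commit suggests but which is not visible here. A comment on the `send_event` line stating that (`// handled asynchronously; the handler takes the voucher lock itself`) would stop someone from making it synchronous. In voucher_write_active_db(), the new `if (!is_array($active)) return;` means a non-array argument no longer truncates the existing file (the old `fopen(..., "w")` did), so a stale active DB survives; if that is intended, say so in a comment, otherwise `log_error()` the bad argument.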
@@ -491,12 +634,12 @@ function voucher_log($priority, $message) { } /* Save active and used voucher DB into XML config and write it to flash - * Called during reboot -> system_reboot_cleanup() and minicron + * Called during reboot -> system_reboot_cleanup() and every active voucher change */ function voucher_save_db_to_config() { global $config, $g; - if (!isset($config['voucher']['enable']) || $config['voucher']['saveinterval'] == 0) + if (!isset($config['voucher']['enable'])) return; // no vouchers or don't want to save DB's $voucherlck = lock('voucher', LOCK_EX); @@ -524,7 +667,7 @@ function voucher_save_db_to_config() { unlock($voucherlck); - write_config(); + write_config("Synching vouchers"); return; } diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index f595c9bc9f9..7c08ccb2254 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -481,7 +481,7 @@ function vpn_ipsec_configure($ipchg = false) $natt = $ph1ent['nat_traversal']; $init = "on"; - $genp = "off"; + $genp = !empty($ph1ent['generate_policy']) ? $ph1ent['generate_policy'] : "off"; $pcheck = !empty($ph1ent['proposal_check']) ? $ph1ent['proposal_check'] : $pcheck = "claim"; $passive = ""; if (isset($ph1ent['mobile'])) { @@ -490,10 +490,10 @@ function vpn_ipsec_configure($ipchg = false) /* Mimic 1.2.3's behavior for pure-psk mobile tunnels */ if ($ph1ent['authentication_method'] == "pre_shared_key") { $pcheck = !empty($ph1ent['proposal_check']) ? $ph1ent['proposal_check'] : $pcheck = "obey"; - $genp = "on"; + $genp = !empty($ph1ent['generate_policy']) ? $ph1ent['generate_policy'] : "on"; } else { $init = "off"; - $genp = "unique"; + $genp = !empty($ph1ent['generate_policy']) ? $ph1ent['generate_policy'] : "unique"; } } 
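Review bot: The trailing comment `return; // no vouchers or don't want to save DB's` is now stale: the `saveinterval == 0` condition that the "don't want to save" half described was removed, so the early return only covers vouchers being disabled. Change it to `return; // vouchers disabled`. The header comment was updated to say the save now runs on "every active voucher change", which on flash-based installs means a `write_config()` per voucher login; that trade-off is worth stating in the same comment so the next maintainer does not reintroduce the interval.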
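Review bot: The three new `$genp` assignments copy `$ph1ent['generate_policy']` into the racoon configuration verbatim whenever it is non-empty, with no check that it is one of the values racoon accepts for generate_policy (`on`, `off`, `unique`, `require`); an unexpected value from an edited config produces a racoon parse error and the tunnel silently fails to load. A single lookup before the branches, e.g. `$genp_cfg = in_array($ph1ent['generate_policy'], array('on', 'off', 'unique', 'require'), true) ? $ph1ent['generate_policy'] : "";`, lets each branch keep its own default while rejecting anything else. The repeated ternary also mirrors the context line `$pcheck = !empty(...) ? ... : $pcheck = "claim";`, which assigns inside the false arm; `: "claim"` is what was meant there.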
@@ -864,8 +864,7 @@ EOD; /* FIXME: does adding route-to and reply-to on the in/outbound * rules fix this? smos@ 13-01-2009 */ // log_error("IPSEC interface is not WAN but {$parentinterface}, adding static route for VPN endpoint {$rgip} via {$gatewayip}"); - mwexec("/sbin/route delete -host {$rgip}"); - mwexec("/sbin/route add -host {$rgip} {$gatewayip}"); + mwexec("/sbin/route delete -host {$rgip}; /sbin/route add -host {$rgip} {$gatewayip}", true); } } } @@ -913,7 +912,7 @@ EOD; $hostnames = ""; array_unique($filterdns_list); foreach ($filterdns_list as $hostname) - $hostnames .= "cmd {$hostname} '/etc/rc.newipsecdns'\n"; + $hostnames .= "cmd {$hostname} '/usr/local/sbin/pfSctl -c \"service reload ipsecdns\"'\n"; file_put_contents("{$g['varetc_path']}/filterdns-ipsec.hosts", $hostnames); killbypid("{$g['varrun_path']}/filterdns-ipsec.pid"); diff --git a/etc/pfSense.obsoletedfiles b/etc/pfSense.obsoletedfiles index a5857ceb6d5..d2ce3c169dc 100644 --- a/etc/pfSense.obsoletedfiles +++ b/etc/pfSense.obsoletedfiles @@ -46,6 +46,7 @@ /usr/local/www/fred.png /usr/local/www/index.html /usr/local/www/system_usermanager_addcert.php +/usr/local/www/filter_log.inc /usr/local/pkg/routed/routed.inc /usr/local/pkg/routed/routed.xml -/usr/local/www/filter_log.inc \ No newline at end of file +/usr/local/pkg/carp.xml diff --git a/etc/rc.bootup b/etc/rc.bootup index e71c4301166..2f0c2cd33c0 100755 --- a/etc/rc.bootup +++ b/etc/rc.bootup @@ -322,7 +322,7 @@ system_do_shell_commands(); /* start IPsec tunnels */ vpn_ipsec_configure(); /* Reload dynamic hostname tunnels after bootup finishes */ -mwexec_bg("/etc/rc.newipsecdns"); +send_event("service reload ipsecdns"); /* start SNMP service */ services_snmpd_configure(); diff --git a/etc/rc.filter_synchronize b/etc/rc.filter_synchronize index 6acadc0f5c2..fe8a30f2e49 100755 --- a/etc/rc.filter_synchronize +++ b/etc/rc.filter_synchronize 
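Review bot: `mwexec("/sbin/route delete -host {$rgip}; /sbin/route add -host {$rgip} {$gatewayip}", true)` now joins two commands in one shell string, and both `$rgip` and `$gatewayip` are interpolated unquoted; if `$rgip` can come from a resolved remote-gateway hostname or other config text (its origin is outside the hunk), anything that is not a plain address would reach the shell. Guard both values with `is_ipaddr()` before the call, or wrap each in `escapeshellarg()`. The new second argument `true` is undocumented at the call site; if it mutes output, the comment above should say that route errors are intentionally suppressed.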
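Review bot: `array_unique($filterdns_list);` on the context line above the changed one discards its return value, so the new `cmd ... pfSctl` entry is still emitted once per duplicate hostname; it should read `$filterdns_list = array_unique($filterdns_list);`. Each `{$hostname}` is also written unquoted into the filterdns hosts file, which filterdns parses as a command line; the hostnames come from the phase-1 config, so a value containing whitespace or quotes would break or alter the line. Validating with `is_hostname()` where entries are added to `$filterdns_list` (outside this hunk) would close that.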
@@ -87,7 +87,7 @@ function remove_special_characters($string) { return $string; } -function carp_check_version($url, $password, $port = 80, $method = 'pfsense.host_firmware_version') { +function carp_check_version($url, $username, $password, $port = 80, $method = 'pfsense.host_firmware_version') { global $config, $g; if(file_exists("{$g['varrun_path']}/booting") || $g['booting']) @@ -101,10 +101,8 @@ function carp_check_version($url, $password, $port = 80, $method = 'pfsense.host while ($numberofruns < 2) { $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - /* XXX: Configurable from the GUI?! */ - $username = "admin"; $cli->setCredentials($username, $password); - if($numberofruns > 1) + if($numberofruns > 0) $cli->setDebug(1); /* send our XMLRPC message and timeout after 240 seconds */ $resp = $cli->send($msg, "240"); @@ -138,7 +136,7 @@ function carp_check_version($url, $password, $port = 80, $method = 'pfsense.host return false; } -function carp_sync_xml($url, $password, $sections, $port = 80, $method = 'pfsense.restore_config_section') { +function carp_sync_xml($url, $username, $password, $sections, $port = 80, $method = 'pfsense.restore_config_section') { global $config, $g; if(file_exists("{$g['varrun_path']}/booting") || $g['booting']) 
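Review bot: Inserting `$username` between `$url` and `$password` in `carp_check_version` (and in `carp_sync_xml` in the -138 hunk) is a positional change; any other caller that still passes `($url, $password, $port)` would silently send the password as the username and the port as the password, and nothing here updates such callers. If callers outside rc.filter_synchronize exist, a compatible shape is to append the parameter with a default, `function carp_check_version($url, $password, $port = 80, $method = 'pfsense.host_firmware_version', $username = 'admin')`. No such callers are visible in this diff, so this is a compatibility question rather than a definite defect.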
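Review bot: `if($numberofruns > 0) $cli->setDebug(1);` now enables XML-RPC debug output on the first retry, whereas with `while ($numberofruns < 2)` the old `> 1` threshold never fired (the same change appears in `carp_sync_xml` in the -236 hunk on the next line). XML_RPC_Client's debug mode prints the raw request and response, and the request carries the sync password as its first parameter (`XML_RPC_encode($carp['password'])` in the -384 hunk), so one transient failure would echo the credential into whatever captures this script's output. If the goal is to diagnose failures, log the response's fault code and string rather than the payload, or keep the old threshold.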
@@ -151,11 +149,11 @@ function carp_sync_xml($url, $password, $sections, $port = 80, $method = 'pfsens /* strip out nosync items */ if (is_array($config_copy['nat']['advancedoutbound']['rule'])) { - $rulescnt = count($config_copy['nat']['advancedoutbound']['rule']); - for ($x = 0; $x < $rulescnt; $x++) { - $config_copy['nat']['advancedoutbound']['rule'][$x]['descr'] = remove_special_characters($config_copy['nat']['advancedoutbound']['rule'][$x]['descr']); - if (isset ($config_copy['nat']['advancedoutbound']['rule'][$x]['nosync'])) - unset ($config_copy['nat']['advancedoutbound']['rule'][$x]); + $rulescnt = count($config_copy['nat']['advancedoutbound']['rule']); + for ($x = 0; $x < $rulescnt; $x++) { + $config_copy['nat']['advancedoutbound']['rule'][$x]['descr'] = remove_special_characters($config_copy['nat']['advancedoutbound']['rule'][$x]['descr']); + if (isset ($config_copy['nat']['advancedoutbound']['rule'][$x]['nosync'])) + unset ($config_copy['nat']['advancedoutbound']['rule'][$x]); } } if (is_array($config_copy['nat']['rule'])) { @@ -218,8 +216,12 @@ function carp_sync_xml($url, $password, $sections, $port = 80, $method = 'pfsens $xml[$section] = backup_vip_config_section(); break; case 'user': + $xml['system'][$section] = $config_copy['system'][$section]; + $xml['system']['nextuid'] = $config_copy['system']['nextuid']; + break; case 'group': $xml['system'][$section] = $config_copy['system'][$section]; + $xml['system']['nextgid'] = $config_copy['system']['nextgid']; break; default: $xml[$section] = $config_copy[$section]; 
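Review bot: Giving `case 'user'` its own body and, together with the `$sections[] = 'user'` change in the -369 hunk on the next line, sending it through the default `pfsense.restore_config_section` method means the peer's whole `system/user` and `system/group` lists are replaced rather than merged, if that method replaces the section as its name suggests. The peer's local accounts, including the account this sync authenticates with, then become whatever the master holds; the `username` field added in carp_settings.xml should tell the admin that the account must exist with the same password on both systems after the first sync. Copying `nextuid`/`nextgid` alongside is consistent with a full replacement, so that part looks right.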
@@ -236,10 +238,8 @@ function carp_sync_xml($url, $password, $sections, $port = 80, $method = 'pfsens log_error("Beginning XMLRPC sync to {$url}:{$port}."); $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - /* XXX: Configurable from the GUI?! */ - $username = "admin"; $cli->setCredentials($username, $password); - if($numberofruns > 1) + if($numberofruns > 0) $cli->setDebug(1); /* send our XMLRPC message and timeout after 240 seconds */ $resp = $cli->send($msg, "240"); @@ -258,8 +258,10 @@ function carp_sync_xml($url, $password, $sections, $port = 80, $method = 'pfsens log_error($error); file_notice("sync_settings", $error, "Settings Sync", ""); exit; - } else + } else { log_error("XMLRPC sync successfully completed with {$url}:{$port}."); + update_filter_reload_status("XMLRPC sync successfully completed with {$url}:{$port}."); + } $numberofruns = 3; } $numberofruns++; @@ -369,8 +371,8 @@ if (is_array($config['installedpackages']['carpsettings']['config'])) { $sections[] = 'crl'; } if ($carp['synchronizeusers'] != "") { - $mergesections[] = 'user'; - $mergesections[] = 'group'; + $sections[] = 'user'; + $sections[] = 'group'; } if ($carp['synchronizednsforwarder'] != "" and is_array($config['dnsmasq'])) $sections[] = 'dnsmasq'; 
@@ -384,21 +386,21 @@ if (is_array($config['installedpackages']['carpsettings']['config'])) { if ($carp['synchronizecaptiveportal'] != "" and is_array($config['vouchers'])) $sections[] = 'vouchers'; if (count($sections) > 0) { - if (!carp_check_version($synchronizetoip, $carp['password'], $port)) + if (empty($carp['username'])) + $username = "admin"; + else + $username = $carp['username']; + if (!carp_check_version($synchronizetoip, $username, $carp['password'], $port)) break; update_filter_reload_status("Signaling CARP reload signal..."); - carp_sync_xml($synchronizetoip, $carp['password'], $sections, $port); - if (is_array($mergesections)) - carp_sync_xml($synchronizetoip, $carp['password'], $mergesections, $port, 'pfsense.merge_config_section'); + carp_sync_xml($synchronizetoip, $username, $carp['password'], $sections, $port); $cli = new XML_RPC_Client('/xmlrpc.php', $synchronizetoip, $port); $params = array( XML_RPC_encode($carp['password']) ); $msg = new XML_RPC_Message('pfsense.filter_configure', $params); - /* XXX: Configurable from the GUI */ - $username = "admin"; $cli->setCredentials($username, $carp['password']); $resp = $cli->send($msg, "900"); diff --git a/etc/rc.initial.setlanip b/etc/rc.initial.setlanip index e95acd45605..fd60d6ae674 100755 --- a/etc/rc.initial.setlanip +++ b/etc/rc.initial.setlanip @@ -217,7 +217,7 @@ } $upperifname = strtoupper($interface); - echo "\nPlease wait, saving and activating your changes to {$upperifname}..."; + echo "\nPlease wait while the changes are saved to {$upperifname}..."; write_config(gettext("{$interface} IP configuration from console menu")); interface_reconfigure(strtolower($upperifname)); echo " Reloading filter..."; diff --git a/etc/rc.newwanip b/etc/rc.newwanip index 03950990dd9..a4fbde8f9d6 100755 --- a/etc/rc.newwanip +++ b/etc/rc.newwanip 
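Review bot: The four-line `if (empty($carp['username'])) $username = "admin"; else $username = $carp['username'];` is a plain default and reads better as `$username = empty($carp['username']) ? "admin" : $carp['username'];`; it also keeps the fallback next to the `admin` default declared for the new field in carp_settings.xml so the two cannot drift apart. The loop over carpsettings entries that the `break` leaves starts outside this hunk.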
@@ -51,7 +51,7 @@ function restart_packages() { /* restart packages */ system_ntp_configure(); log_error("{$g['product_name']} package system has detected an ip change $oldip -> $curwanip ... Restarting packages."); - mwexec_bg("/etc/rc.start_packages"); + send_event("service reload packages"); } /* Interface IP address has changed */ diff --git a/etc/rc.php_ini_setup b/etc/rc.php_ini_setup index 67aceaf7d56..99efc3979f2 100755 --- a/etc/rc.php_ini_setup +++ b/etc/rc.php_ini_setup @@ -112,8 +112,12 @@ PHPMODULES="$PHPMODULES pdo" PHPMODULES="$PHPMODULES sqlite" # ZeroMQ PHPMODULES="$PHPMODULES zmq" +# SSH2 +PHPMODULES="$PHPMODULES ssh2" # pfSense extensions PHPMODULES="$PHPMODULES pfSense" +# ion cube +PHPMODULES="$PHPMODULES ioncube_loader" # Modules previously included. # can be turned on by touching diff --git a/etc/rc.restart_webgui b/etc/rc.restart_webgui index 463f93451cf..e74f201a88c 100755 --- a/etc/rc.restart_webgui +++ b/etc/rc.restart_webgui @@ -8,10 +8,15 @@ require("shaper.inc"); require("captiveportal.inc"); require("rrd.inc"); -mwexec("killall -9 lighttpd"); - echo "Restarting webConfigurator..."; +sigkillbyname("lighttpd", "INT"); + +while (is_process_running("lighttpd")) { + echo '.'; + sleep(1); +} + system_webgui_start(); captiveportal_init_webgui(); diff --git a/etc/rc.shutdown b/etc/rc.shutdown index 14faf805c02..c7e8b25bcd8 100755 --- a/etc/rc.shutdown +++ b/etc/rc.shutdown @@ -5,10 +5,6 @@ if ! /usr/bin/lockf -s -t 30 /tmp/config.lock /usr/bin/true; then exit -1 fi -if [ -e /dev/ukbd0 ]; then - /usr/sbin/vidcontrol -s 2 -fi - product=`cat /etc/inc/globals.inc | grep product_name | cut -d'"' -f4` echo diff --git a/etc/rc.stop_packages b/etc/rc.stop_packages old mode 100755 new mode 100644 index 95e77fddb35..f20fa04287d --- a/etc/rc.stop_packages +++ b/etc/rc.stop_packages 
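Review bot: `PHPMODULES="$PHPMODULES ioncube_loader"` and the `ssh2` line are added unconditionally, while the comment two lines below says some modules are enabled only by touching a file; unless the code that consumes PHPMODULES later in this script (outside the hunk) skips modules whose shared object is missing, every PHP start will warn about a loader that is not on the base image. A third-party binary extension also runs with the webConfigurator's privileges, so gating it behind the same touch-file mechanism as the optional modules keeps the default runtime unchanged; the comment should then read `# ion cube (optional, enabled via touch file)`.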
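Review bot: The new `while (is_process_running("lighttpd")) { echo '.'; sleep(1); }` in rc.restart_webgui has no upper bound: the old code used `killall -9`, and if lighttpd does not exit on SIGINT (a stuck worker, or a process the signal never reaches) the script loops forever and the webConfigurator is never restarted, which is the one thing this script exists to do. Bound the wait and escalate to SIGKILL when it expires, as below.
```php
echo "Restarting webConfigurator...";
sigkillbyname("lighttpd", "INT");

/* Bounded wait: if lighttpd ignores SIGINT, escalate so the GUI always comes back. */
$waited = 0;
while (is_process_running("lighttpd") && $waited < 30) {
    echo '.';
    sleep(1);
    $waited++;
}
if (is_process_running("lighttpd"))
    sigkillbyname("lighttpd", "KILL");

// … unchanged: system_webgui_start(), captiveportal_init_webgui() …
```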
@@ -51,7 +51,7 @@ else { if (is_array($config['installedpackages']['package'])) { foreach($config['installedpackages']['package'] as $package) { - echo " Stoping package {$package['name']}..."; + echo " Stopping package {$package['name']}..."; stop_service($package['name']); unset($rcfiles["{$rcfileprefix}{$package['name']}.sh"]); echo "done.\n"; @@ -61,7 +61,7 @@ if (is_array($config['installedpackages']['package'])) { $shell = @popen("/bin/sh", "w"); if ($shell) { foreach ($rcfiles as $rcfile => $number) { - echo " Stoping {$rcfile}..."; + echo " Stopping {$rcfile}..."; fwrite($shell, "{$rcfile} stop >>/tmp/bootup_messages 2>&1"); echo "done.\n"; } diff --git a/etc/version b/etc/version index 3f0e26d3ae8..f1970443447 100644 --- a/etc/version +++ b/etc/version @@ -1 +1 @@ -2.0-RC2 +2.0-RC3 diff --git a/tmp/post_upgrade_command b/tmp/post_upgrade_command index 99285e40014..8603a5397c2 100755 --- a/tmp/post_upgrade_command +++ b/tmp/post_upgrade_command @@ -2,7 +2,9 @@ /etc/rc.conf_mount_rw +PFSENSETYPE=`cat /etc/platform` KERNELTYPE=`cat /boot/kernel/pfsense_kernel.txt` + if [ $KERNELTYPE = "wrap" ]; then if [ -f /kernels/kernel_wrap.gz ]; then tar xzpf /kernels/kernel_wrap.gz --exclude loader.conf -C /boot/ @@ -26,6 +28,10 @@ if [ $KERNELTYPE = "UP" ]; then fi fi +if [ $PFSENSETYPE = "pfSense" ] || [ $PFSENSETYPE = "nanobsd" ]; then + touch /conf/needs_package_sync +fi + # Detect interactive logins and display the shell echo "if [ \`env | grep SSH_TTY | wc -l\` -gt 0 ] || [ \`env | grep cons25 | wc -l\` -gt 0 ]; then" > $CVS_CO_DIR/root/.shrc echo " /etc/rc.initial" >> $CVS_CO_DIR/root/.shrc @@ -37,7 +43,7 @@ echo " exit" >> $CVS_CO_DIR/root/.profile echo "fi" >> $CVS_CO_DIR/root/.profile # Now turn on or off serial console as needed -php -f /tmp/post_upgrade_command.php +/tmp/post_upgrade_command.php # Remove any previous MD5 sum files rm -f /root/*.md5 
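Review bot: `if [ $PFSENSETYPE = "pfSense" ] || [ $PFSENSETYPE = "nanobsd" ]; then` uses the variable unquoted; if /etc/platform is missing or empty the test becomes `[ = "pfSense" ]`, the shell reports a syntax error, and the package-sync marker is never written. Quote it: `if [ "$PFSENSETYPE" = "pfSense" ] || [ "$PFSENSETYPE" = "nanobsd" ]; then`. The existing `[ $PFSENSETYPE = "embedded" ]` test in the -45 hunk on the next line and the `$KERNELTYPE` tests in the -2 hunk have the same shape.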
@@ -45,7 +51,6 @@ rm -f /root/*.md5 # File moved to pfSense php shell (pfSsh.php) rm -rf /usr/local/sbin/cvs_sync.sh -PFSENSETYPE=`cat /etc/platform` if [ $PFSENSETYPE = "embedded" ]; then cp /etc/ttys_wrap /etc/ttys fi @@ -53,4 +58,3 @@ fi if [ -f /usr/local/sbin/php ]; then rm /usr/local/sbin/php fi - diff --git a/tmp/post_upgrade_command.php b/tmp/post_upgrade_command.php index dfe9342d17b..a188710259c 100755 --- a/tmp/post_upgrade_command.php +++ b/tmp/post_upgrade_command.php @@ -20,9 +20,6 @@ setup_serial_port(); - if($g['platform'] == "pfSense" or $g['platform'] == "nanobsd") - touch("/conf/needs_package_sync"); - $files_to_process = split("\n", file_get_contents("/etc/pfSense.obsoletedfiles")); foreach($files_to_process as $filename) if(file_exists($filename)) diff --git a/usr/local/pkg/carp.xml b/usr/local/pkg/carp.xml deleted file mode 100644 index 36f9fbe1884..00000000000 --- a/usr/local/pkg/carp.xml +++ /dev/null @@ -1,234 +0,0 @@ - - - carp - 0.1.0 - $Revision$ - Services: CARP (failover) - - - CARP (failover) - CARP is a tool to help achieve system redundancy, by having multiple computers creating a single, virtual network interface between them. -
Services
- carp_status.php -
- - - - CARP Status - carp_status.php - - - CARP Settings - pkg_edit.php?xml=carp_settings.xml&id=0 - - - - /usr/local/pkg/ - a+rx - http://www.pfsense.com/packages/config/carp_settings.xml - - - /usr/local/pkg/pf/ - a+rx - http://www.pfsense.com/packages/config/carp_sync_client.php - - - /usr/local/pkg/ - a+rx - - http://www.pfsense.com/packages/config/carp_sync_server.php - - - /usr/local/www/ - a+rx - http://www.pfsense.com/packages/config/carp_status.php - - - ['installedpackages']['carp']['config'] - - - VHID Group - vhid - - - Virtual IP Address - ipaddress - - - Advertising Frequency - advskew - - - Netmask - netmask - - - - - - Virtual IP Address - ipaddress - Enter the IP Address that you would like to share on both machines - input - - - - Virtual IP Netmask - netmask - Enter the IP Address's netmask that you would like to share on both machines - select - 24 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Virtual IP Password - password - Enter the VHID group password. - password - - - VHID Group - vhid - Enter the VHID group that the machines will share - select - 1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Advertising Frequency - advskew - The frequency that this machine will advertise. 0 = master. Anything above 0 designates a backup. - select - 0 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - interfaces_carp_setup(); - - - - - interfaces_carp_setup(); - - - unlink_if_exists("/usr/local/pkg/carp*"); - unlink_if_exists("/usr/local/pkg/pf/carp*"); - unlink_if_exists("/usr/local/etc/rc.d/carp*"); - unlink_if_exists("/usr/local/pkg/pf/carp*"); - -
diff --git a/usr/local/pkg/carp_settings.xml b/usr/local/pkg/carp_settings.xml index f33523643ef..32a9b8c3122 100644 --- a/usr/local/pkg/carp_settings.xml +++ b/usr/local/pkg/carp_settings.xml @@ -85,6 +85,14 @@ input + + Remote System Username + username + admin + Enter the webConfigurator username of the system entered above for synchronizing your configuration. + <br><br>NOTE: <b>Do not use the Synchronize Config to IP and username option on backup cluster members!</b> + input + Remote System Password password diff --git a/usr/local/pkg/openntpd.xml b/usr/local/pkg/openntpd.xml index 907c6fb3005..cefb76d9975 100644 --- a/usr/local/pkg/openntpd.xml +++ b/usr/local/pkg/openntpd.xml @@ -15,8 +15,12 @@ Interface Select the interface(s) the NTP server will listen on. lan - interfaces_selection + select_source + + name + value + diff --git a/usr/local/pkg/routed.inc b/usr/local/pkg/routed.inc index 4d1b1d8a7f2..ec730d5bea7 100644 --- a/usr/local/pkg/routed.inc +++ b/usr/local/pkg/routed.inc @@ -39,10 +39,15 @@ function setup_routed() { if (isset($config['installedpackages']['routed']['config'][0]['enable']) && $config['installedpackages']['routed']['config'][0]['enable'] == "on") { /* if user selected individual interfaces */ - $ifarr = explode(",", $config['installedpackages']['routed']['config'][0]['iface_array']); + $ifarr = array_flip(explode(",", $config['installedpackages']['routed']['config'][0]['iface_array'])); + $allifs = get_interface_arr(); if (!empty($ifarr)) { - foreach($ifarr as $ifname) { - $gw .= setup_etc_gateways($ifname, 'enable'); + foreach($allifs as $ifname) { + $friendly_ifname = convert_real_interface_to_friendly_interface_name($ifname); + if (array_key_exists($friendly_ifname, $ifarr)) + $gw .= setup_etc_gateways($ifname, 'enable'); + else + $gw .= setup_etc_gateways($ifname, 'disable'); } } else /* setup for all interfaces */ 
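Review bot: `$ifarr = array_flip(explode(",", ...iface_array))` on an empty `iface_array` yields `array("" => 0)`, so `!empty($ifarr)` is true and the "setup for all interfaces" branch is never reached; any interface whose friendly name converts to an empty string would also match the `""` key and have RIP enabled. Drop the empties first: `$ifarr = array_flip(array_filter(explode(",", $config['installedpackages']['routed']['config'][0]['iface_array'])));`. The `else` branch and the rest of setup_routed continue past this hunk.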
@@ -76,7 +81,7 @@ function setup_etc_gateways($iface="", $mode="") { } break; case "disable": - $ret .= "no_rip "; + $ret .= "no_rip_out no_solicit no_rdisc no_rdisc_adv"; break; default: diff --git a/usr/local/www/carp_status.php b/usr/local/www/carp_status.php index 12b8be9912a..e893dadde4f 100755 --- a/usr/local/www/carp_status.php +++ b/usr/local/www/carp_status.php @@ -71,8 +71,6 @@ interface_vip_bring_down($vip); $savemsg = sprintf(gettext("%s IPs have been disabled. Please note that disabling does not survive a reboot."), $carp_counter); } else { $savemsg = gettext("CARP has been enabled."); - mwexec("/sbin/sysctl net.inet.carp.allow=1"); - interfaces_carp_setup(); if(is_array($config['virtualip']['vip'])) { $viparr = &$config['virtualip']['vip']; foreach ($viparr as $vip) { @@ -85,9 +83,15 @@ interface_carp_configure($vip); interface_carpdev_configure($vip); sleep(1); break; + case "ipalias": + if (substr($vip['interface'], 0, 3) == "vip") + interface_ipalias_configure($vip); + break; } } } + interfaces_carp_setup(); + mwexec("/sbin/sysctl net.inet.carp.allow=1"); } } diff --git a/usr/local/www/diag_arp.php b/usr/local/www/diag_arp.php index 4665a4432b7..9dc12a51e7d 100755 --- a/usr/local/www/diag_arp.php +++ b/usr/local/www/diag_arp.php @@ -248,10 +248,14 @@ function _getHostName($mac,$ip) { return $dhcpmac[$mac]; else if ($dhcpip[$ip]) return $dhcpip[$ip]; - else if(gethostbyaddr($ip) <> "" and gethostbyaddr($ip) <> $ip) - return gethostbyaddr($ip); - else - return ""; + else{ + exec("host -W 1 $ip", $output); + if (preg_match('/.*pointer ([A-Za-z0-9.-]+)\..*/',$output[0],$matches)) { + if ($matches[1] <> $ip) + return $matches[1]; + } + } + return ""; } $pgtitle = array(gettext("Diagnostics"),gettext("ARP Table")); 
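Review bot: `$ret .= "no_rip_out no_solicit no_rdisc no_rdisc_adv";` replaces `no_rip`, which disables both RIP input and output, with `no_rip_out`, which only stops sending; an interface the user deliberately left unselected will still accept RIP updates from whatever is on that segment. Adding `no_rip_in` (or keeping `no_rip` alongside the discovery options) restores the old behaviour for inbound traffic. The replaced string also ended with a space; if anything further is appended to `$ret` after the switch (outside this hunk) the tokens now run together.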
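Review bot: `exec("host -W 1 $ip", $output);` in _getHostName interpolates `$ip` into a shell command without validation; the values come from the parsed ARP table and the literal probes in the -277 hunk on the next line, but the function is callable with any string, and `gethostbyaddr()` had no such exposure. Guard and quote it: `if (!is_ipaddr($ip)) return ""; exec("host -W 1 " . escapeshellarg($ip), $output);`. `$output[0]` is also read when `host` produced no output at all, which raises a notice on every unresolvable entry; test `!empty($output)` before the `preg_match`.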
@@ -277,8 +281,18 @@ function _getHostName($mac,$ip) { // Resolve hostnames and replace Z_ with "". The intention // is to sort the list by hostnames, alpha and then the non // resolvable addresses will appear last in the list. +$dnsavailable=1; +$dns = trim(_getHostName("", "8.8.8.8")); +if ($dns == ""){ + $dns = trim(_getHostName("", "8.8.4.4")); + if ($dns == "") $dnsavailable =0; +} + foreach ($data as &$entry) { - $dns = trim(_getHostName($entry['mac'], $entry['ip'])); + if ($dnsavailable){ + $dns = trim(_getHostName($entry['mac'], $entry['ip'])); + }else + $dns=""; if(trim($dns)) $entry['dnsresolve'] = "$dns"; else diff --git a/usr/local/www/diag_backup.php b/usr/local/www/diag_backup.php index 598f4d6db71..9d28375e9aa 100755 --- a/usr/local/www/diag_backup.php +++ b/usr/local/www/diag_backup.php @@ -158,6 +158,8 @@ function spit_out_select_items($area, $showall) { $mode = "restore"; else if (stristr($_POST['Submit'], gettext("Reinstall"))) $mode = "reinstallpackages"; + else if (stristr($_POST['Submit'], gettext("Clear Package Lock"))) + $mode = "clearpackagelock"; else if (stristr($_POST['Submit'], gettext("Download"))) $mode = "download"; else if (stristr($_POST['Submit'], gettext("Restore version"))) @@ -470,6 +472,9 @@ function spit_out_select_items($area, $showall) { header("Location: pkg_mgr_install.php?mode=reinstallall"); exit; + } else if ($mode == "clearpackagelock") { + clear_subsystem_dirty('packagelock'); + $savemsg = "Package Lock Cleared"; } else if ($mode == "restore_ver") { $input_errors[] = gettext("XXX - this feature may hose your config (do NOT backrev configs!) - billm"); if ($ver2restore <> "") { @@ -655,13 +660,17 @@ function backuparea_change(obj) {   - +  
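Review bot: Probing `_getHostName("", "8.8.8.8")` and then `8.8.4.4` on every page load makes the ARP page depend on reverse-resolving two Google addresses: on a firewall whose resolver only serves internal zones, or with no Internet path, both PTR lookups fail and `$dnsavailable` disables resolution for every entry, including local ones that would have resolved, while each load also sends two queries outward. Since `_getHostName()` already bounds each lookup with `host -W 1`, the probe can be dropped, or aimed at an address the firewall itself resolves. Style: `$dns` is reused for the probe result and the per-entry result, and `}else` / `$dnsavailable =0` do not match the file's spacing.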



"> +
+
+



+ "> diff --git a/usr/local/www/diag_ipsec_sad.php b/usr/local/www/diag_ipsec_sad.php index 7ee8b727e27..e08feba2106 100755 --- a/usr/local/www/diag_ipsec_sad.php +++ b/usr/local/www/diag_ipsec_sad.php @@ -90,6 +90,7 @@ + @@ -100,6 +101,7 @@ + " . gettext("You must apply the changes in order for them to take effect."));?> - +
diff --git a/usr/local/www/firewall_nat_1to1_edit.php b/usr/local/www/firewall_nat_1to1_edit.php index e9f45771dac..135d0e99fc8 100755 --- a/usr/local/www/firewall_nat_1to1_edit.php +++ b/usr/local/www/firewall_nat_1to1_edit.php @@ -99,6 +99,15 @@ function nat_1to1_rules_sort() { unset($input_errors); $pconfig = $_POST; + /* run through $_POST items encoding HTML entties so that the user + * cannot think he is slick and perform a XSS attack on the unwilling + */ + foreach ($_POST as $key => $value) { + $temp = str_replace(">", "", $value); + $newpost = htmlentities($temp); + if($newpost <> $temp) + $input_errors[] = sprintf(gettext("Invalid characters detected (%s). Please remove invalid characters and save again."),$temp); + } /* input validation */ $reqdfields = explode(" ", "interface external"); diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php index 3dc1d839aaf..5aa069c40c7 100755 --- a/usr/local/www/firewall_nat_edit.php +++ b/usr/local/www/firewall_nat_edit.php @@ -101,6 +101,7 @@ /* run through $_POST items encoding HTML entties so that the user * cannot think he is slick and perform a XSS attack on the unwilling */ +unset($input_errors); foreach ($_POST as $key => $value) { $temp = $value; $newpost = htmlentities($temp); @@ -173,7 +174,6 @@ $_POST['dsttype'] = "single"; } - unset($input_errors); $pconfig = $_POST; /* input validation */ @@ -290,6 +290,9 @@ } } + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/input_validation"); + if (!$input_errors) { $natent = array(); @@ -410,6 +413,9 @@ mark_subsystem_dirty('filter'); } + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/pre_write_config"); + // Update the NAT entry now if (isset($id) && $a_nat[$id]) $a_nat[$id] = $natent; @@ -443,6 +449,10 @@ + + 
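Review bot: The added loop rejects any POST value that `htmlentities()` would alter, but it strips `>` for the comparison only, so a `>` in a field passes validation and is kept unchanged in `$pconfig` and the saved rule; and because `htmlentities()` also encodes non-ASCII characters, a description containing an accented letter is rejected as "Invalid characters detected". The same loop is added to firewall_nat_out_edit.php in the -115 hunk (and removed from firewall_rules_edit.php by this commit). Escaping with `htmlspecialchars()` where these fields are rendered is the control that actually prevents injection; if input filtering is kept, drop the `str_replace` and compare against `htmlspecialchars($value, ENT_QUOTES)` so only markup characters are refused.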
diff --git a/usr/local/www/firewall_nat_out.php b/usr/local/www/firewall_nat_out.php index 4649795b486..b8506d8a7b1 100755 --- a/usr/local/www/firewall_nat_out.php +++ b/usr/local/www/firewall_nat_out.php @@ -125,16 +125,23 @@ $natent['natport'] = ""; $a_out[] = $natent; + $natent = array(); + $natent['source']['network'] = "127.0.0.0/8"; + $natent['dstport'] = ""; + $natent['descr'] = sprintf(gettext('Auto created rule for localhost to %1$s'),$ifdesc2); + $natent['target'] = ""; + $natent['interface'] = $if2; + $natent['destination']['any'] = true; + $natent['staticnatport'] = false; + $natent['natport'] = "1024:65535"; + $a_out[] = $natent; + /* PPTP subnet */ - if($config['pptpd']['mode'] == "server") { - if (is_ipaddr($config['pptpd']['localip'])) { - if($config['pptpd']['pptp_subnet'] <> "") - $ossubnet = $config['pptpd']['pptp_subnet']; - else - $ossubnet = "32"; - $osn = gen_subnet($config['pptpd']['localip'], $ossubnet); + if (($config['pptpd']['mode'] == "server") && is_private_ip($config['pptpd']['remoteip'])) { + $pptp_subnets = ip_range_to_subnet_array($config['pptpd']['remoteip'], long2ip32(ip2long($config['pptpd']['remoteip'])+$config['pptpd']['n_pptp_units'])); + foreach ($pptp_subnets as $pptpsn) { $natent = array(); - $natent['source']['network'] = "{$osn}/{$ossubnet}"; + $natent['source']['network'] = $pptpsn; $natent['sourceport'] = ""; $natent['descr'] = gettext("Auto created rule for PPTP server"); $natent['target'] = ""; diff --git a/usr/local/www/firewall_nat_out_edit.php b/usr/local/www/firewall_nat_out_edit.php index 4d960f2fa08..72bc556bc5d 100755 --- a/usr/local/www/firewall_nat_out_edit.php +++ b/usr/local/www/firewall_nat_out_edit.php @@ -46,7 +46,7 @@ require("shaper.inc"); if (!is_array($config['nat']['advancedoutbound'])) - $config['nat']['advancedoutbound'] = array(); + $config['nat']['advancedoutbound'] = array(); if (!is_array($config['nat']['advancedoutbound']['rule'])) { $config['nat']['advancedoutbound']['rule'] = array(); 
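Review bot: The new localhost rule sets `$natent['dstport'] = "";` where the sibling auto rules in this block set `$natent['sourceport'] = "";`, which looks like a typo and leaves `sourceport` unset on that entry. The PPTP range end `long2ip32(ip2long($config['pptpd']['remoteip'])+$config['pptpd']['n_pptp_units'])` appears one address too high: if `n_pptp_units` addresses start at `remoteip`, the last one is `remoteip + n_pptp_units - 1`, so the generated subnets can cover an address outside the PPTP pool. `n_pptp_units` is also used in arithmetic straight from config; an `(int)` cast makes an unset or empty value behave predictably.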
@@ -115,6 +115,15 @@ unset($input_errors); $pconfig = $_POST; + /* run through $_POST items encoding HTML entties so that the user + * cannot think he is slick and perform a XSS attack on the unwilling + */ + foreach ($_POST as $key => $value) { + $temp = str_replace(">", "", $value); + $newpost = htmlentities($temp); + if($newpost <> $temp) + $input_errors[] = sprintf(gettext("Invalid characters detected (%s). Please remove invalid characters and save again."),$temp); + } /* input validation */ $reqdfields = explode(" ", "interface protocol source source_subnet destination destination_subnet"); @@ -209,6 +218,9 @@ } } + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_aon/input_validation"); + if (!$input_errors) { $natent = array(); $natent['source']['network'] = $osn; @@ -265,6 +277,9 @@ $natent['destination']['not'] = true; } + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_aon/pre_write_config"); + if (isset($id) && $a_out[$id]) { $a_out[$id] = $natent; } else { @@ -387,6 +402,10 @@ function poolopts_change() { + + + + + 0){ + $mediaopt_from_config = $config['interfaces'][$if]['media'] . ' ' . $config['interfaces'][$if]['mediaopt']; + echo ""; + echo ''; + echo ''; + echo ''; + } + ?> @@ -2157,6 +2211,11 @@ function save_callback(transport) { report_failure(); } } + function show_advanced_media() { + document.getElementById("showadvmediabox").innerHTML=''; + aodiv = document.getElementById('showmediaadv'); + aodiv.style.display = "block"; + } diff --git a/usr/local/www/interfaces_vlan_edit.php b/usr/local/www/interfaces_vlan_edit.php index 145fe0a2016..08f1a534ca8 100755 --- a/usr/local/www/interfaces_vlan_edit.php +++ b/usr/local/www/interfaces_vlan_edit.php 
@@ -97,9 +97,13 @@ interfaces_vlan_edit.php if (!$input_errors) { if (isset($id) && $a_vlans[$id]) { - if ($a_vlans[$id]['if'] != $_POST['if']) - // Destroy previous vlan - pfSense_interface_destroy($a_vlans[$id]['if']); + if (($a_vlans[$id]['if'] != $_POST['if']) || ($a_vlans[$id]['tag'] != $_POST['tag'])) { + if (!empty($a_vlans[$id]['vlanif'])) + // Destroy previous vlan + pfSense_interface_destroy($a_vlans[$id]['vlanif']); + else + pfSense_interface_destroy("{$a_vlans[$id]['if']}_vlan{$a_vlans[$id]['tag']}"); + } } $vlan = array(); $vlan['if'] = $_POST['if']; diff --git a/usr/local/www/pkg.php b/usr/local/www/pkg.php index b3485f0eb4c..0a119d991e4 100755 --- a/usr/local/www/pkg.php +++ b/usr/local/www/pkg.php @@ -146,6 +146,8 @@ function gentitle_pkg($pgname) { } else { $active = false; } + if(isset($tab['no_drop_down'])) + $no_drop_down = true; $urltmp = ""; if($tab['url'] <> "") $urltmp = $tab['url']; if($tab['xml'] <> "") $urltmp = "pkg_edit.php?xml=" . $tab['xml']; @@ -170,8 +172,8 @@ function gentitle_pkg($pgname) { ksort($tab_array); foreach($tab_array as $tab) { - echo ''; } } diff --git a/usr/local/www/pkg_edit.php b/usr/local/www/pkg_edit.php index 5361b51d520..9f883cde45b 100755 --- a/usr/local/www/pkg_edit.php +++ b/usr/local/www/pkg_edit.php @@ -366,6 +366,8 @@ function enablechange() { } else { $active = false; } + if(isset($tab['no_drop_down'])) + $no_drop_down = true; $urltmp = ""; if($tab['url'] <> "") $urltmp = $tab['url']; if($tab['xml'] <> "") $urltmp = "pkg_edit.php?xml=" . $tab['xml']; @@ -390,9 +392,9 @@ function enablechange() { ksort($tab_array); foreach($tab_array as $tab) { - echo ''; + echo ''; } } ?> @@ -462,7 +464,7 @@ function enablechange() { $value = $_POST[$fieldname]; if (is_array($value)) $value = implode(',', $value); } else { - if (isset($id) && $a_pkg[$id]) + if (isset($id) && $a_pkg[$id] && $a_pkg[$id][$fieldname]) $value = $a_pkg[$id][$fieldname]; else $value = $pkga['default_value']; 
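Review bot: `if (isset($id) && $a_pkg[$id] && $a_pkg[$id][$fieldname])` in pkg_edit.php tests the saved value for truthiness, so a stored `0`, `"0"` or empty string now falls back to `$pkga['default_value']` and the form shows the default instead of what the user saved. Use `isset($a_pkg[$id][$fieldname])` (or `array_key_exists`) if the intent is to fall back only when the field was never stored. The surrounding field loop starts before this hunk.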
diff --git a/usr/local/www/services_captiveportal.php b/usr/local/www/services_captiveportal.php index 23e6cd9443a..3d1bd512896 100755 --- a/usr/local/www/services_captiveportal.php +++ b/usr/local/www/services_captiveportal.php @@ -300,10 +300,10 @@ function enable_change(enable_change) { document.iform.radmac_secret.disabled = (radius_endis || !document.iform.radmac_enable.checked) && !enable_change; - var reauthenticate_dis = (radius_endis || !document.iform.reauthenticate.checked) && !enable_change; - document.iform.reauthenticateacct[0].disabled = reauthenticate_dis; - document.iform.reauthenticateacct[1].disabled = reauthenticate_dis; - document.iform.reauthenticateacct[2].disabled = reauthenticate_dis; + var radacct_dis = (radius_endis || !document.iform.radacct_enable.checked) && !enable_change; + document.iform.reauthenticateacct[0].disabled = radacct_dis; + document.iform.reauthenticateacct[1].disabled = radacct_dis; + document.iform.reauthenticateacct[2].disabled = radacct_dis; } //--> @@ -474,7 +474,7 @@ function enable_change(enable_change) { + / - + diff --git a/usr/local/www/services_captiveportal_ip_edit.php b/usr/local/www/services_captiveportal_ip_edit.php index fd87c5beae5..01d52a24b75 100755 --- a/usr/local/www/services_captiveportal_ip_edit.php +++ b/usr/local/www/services_captiveportal_ip_edit.php @@ -158,6 +158,9 @@ function allowedips_sort() {
@@ -817,6 +827,10 @@
   
@@ -620,6 +639,10 @@ function poolopts_change() {
  diff --git a/usr/local/www/firewall_rules.php b/usr/local/www/firewall_rules.php index daf577a8502..82d03236ad4 100755 --- a/usr/local/www/firewall_rules.php +++ b/usr/local/www/firewall_rules.php @@ -126,12 +126,12 @@ function delete_nat_association($id) { $icmptypes = array( "" => gettext("any"), + "echoreq" => gettext("Echo request"), "echorep" => gettext("Echo reply"), "unreach" => gettext("Destination unreachable"), "squench" => gettext("Source quench"), "redir" => gettext("Redirect"), "althost" => gettext("Alternate Host"), - "echoreq" => gettext("Echo"), "routeradv" => gettext("Router advertisement"), "routersol" => gettext("Router solicitation"), "timex" => gettext("Time exceeded"), diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php index c05151895ef..acebe3c7a41 100755 --- a/usr/local/www/firewall_rules_edit.php +++ b/usr/local/www/firewall_rules_edit.php @@ -253,19 +253,6 @@ unset($input_errors); $pconfig = $_POST; - /* run through $_POST items encoding HTML entties so that the user - * cannot think he is slick and perform a XSS attack on the unwilling - */ - foreach ($_POST as $key => $value) { - $temp = str_replace(">", "", $value); - - if (isset($_POST['floating']) && $key == "interface") - continue; - $newpost = htmlentities($temp); - if($newpost <> $temp) - $input_errors[] = sprintf(gettext("Invalid characters detected (%s). Please remove invalid characters and save again."),$temp); - } - /* input validation */ $reqdfields = explode(" ", "type proto"); if ( isset($a_filter[$id]['associated-rule-id'])===false ) { 
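Review bot: Removing the POST-wide `htmlentities()` check from firewall_rules_edit.php is defensible given how blunt it was, but nothing in this commit adds output escaping for the fields it covered; unless firewall_rules.php and the edit form already wrap `descr` and similar values in `htmlspecialchars()` when rendering (not visible here), this reopens stored script injection through a rule description. The removed loop's `floating`/`interface` exemption shows why a blanket filter was wrong, so the replacement should be per-field validation on save plus escaping on output. The save block this sits in starts before the hunk.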
@@ -401,6 +388,9 @@ $input_errors[] = gettext("If you specify TCP flags that should be set you should specify out of which flags as well."); } + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_rules/input_validation"); + if (!$input_errors) { $filterent = array(); $filterent['id'] = $_POST['ruleid']>0?$_POST['ruleid']:''; @@ -544,6 +534,9 @@ $filterent['associated-rule-id'] = $a_filter[$id]['associated-rule-id']; } + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_rules/pre_write_config"); + if (isset($id) && $a_filter[$id]) $a_filter[$id] = $filterent; else { @@ -554,6 +547,7 @@ } filter_rules_sort(); + write_config(); mark_subsystem_dirty('filter'); @@ -596,6 +590,10 @@
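Review bot: The two `pfSense_handle_custom_code()` hooks have no comment describing their contract, and they execute whatever PHP lives under `/usr/local/pkg/firewall_rules/` with the privileges of the webConfigurator process. I would replace the duplicated "Allow extending of the firewall edit page" comment with something like `// Hook: scripts in /usr/local/pkg/firewall_rules/input_validation run after built-in validation and are expected to append to $input_errors; scripts in .../pre_write_config run after $filterent is built and may adjust it before it is saved. Anything writable in those directories runs as the GUI user.` — the "expected to" parts are my inference from the placement of the calls (before `if (!$input_errors)` and before the `$a_filter[$id] = $filterent` assignment) and should be confirmed against the hook loader. The enclosing POST handler begins outside this hunk.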
@@ -748,12 +746,12 @@ gettext("any"), + "echoreq" => gettext("Echo request"), "echorep" => gettext("Echo reply"), "unreach" => gettext("Destination unreachable"), "squench" => gettext("Source quench"), "redir" => gettext("Redirect"), "althost" => gettext("Alternate Host"), - "echoreq" => gettext("Echo"), "routeradv" => gettext("Router advertisement"), "routersol" => gettext("Router solicitation"), "timex" => gettext("Time exceeded"), @@ -1381,6 +1379,10 @@
  diff --git a/usr/local/www/firewall_virtual_ip.php b/usr/local/www/firewall_virtual_ip.php index 63d0f7e289d..ae3a1f717c4 100755 --- a/usr/local/www/firewall_virtual_ip.php +++ b/usr/local/www/firewall_virtual_ip.php @@ -118,9 +118,9 @@ interface_carpdev_configure($a_vip[$vid]); $input_errors[] = gettext("This entry cannot be deleted because it is still referenced by CARP") . " {$vip['descr']}."; } } else if ($a_vip[$_GET['id']]['mode'] == "carp") { - $vipiface = $a_vip[$_GET['id']]['interface']; + $vipiface = "vip{$a_vip[$_GET['id']]['vhid']}"; foreach ($a_vip as $vip) { - if ($vipiface == "vip{$vip['vhid']}" && $vip['mode'] == "ipalias") + if ($vipiface == $vip['interface'] && $vip['mode'] == "ipalias") $input_errors[] = gettext("This entry cannot be deleted because it is still referenced by ip alias entry") . " {$vip['descr']}."; } } diff --git a/usr/local/www/guiconfig.inc b/usr/local/www/guiconfig.inc index 6b3aefdb05e..63fadab3331 100755 --- a/usr/local/www/guiconfig.inc +++ b/usr/local/www/guiconfig.inc @@ -249,6 +249,7 @@ function print_input_errors($input_errors) { global $g; print <<

@@ -269,6 +270,7 @@ EOF;
+

 
EOF2; diff --git a/usr/local/www/help.php b/usr/local/www/help.php index a89a551bd01..03915053991 100644 --- a/usr/local/www/help.php +++ b/usr/local/www/help.php @@ -222,7 +222,6 @@ /* Below here are pages that may need some cleanup or have not been fully looked at yet */ 'carp_status.php' => 'http://doc.pfsense.org/index.php/Category:CARP', - 'carp.xml' => 'http://doc.pfsense.org/index.php/Category:CARP', 'carp_settings.xml' => 'http://doc.pfsense.org/index.php/Category:CARP', 'load_balancer_monitor.php' => 'http://doc.pfsense.org/index.php/Category:Load_balancing', diff --git a/usr/local/www/interfaces.php b/usr/local/www/interfaces.php index 899e209c42b..b37b6cb4db0 100755 --- a/usr/local/www/interfaces.php +++ b/usr/local/www/interfaces.php @@ -711,6 +711,15 @@ interface_sync_wireless_clones($wancfg, false); } else { $wancfg['mss'] = $_POST['mss']; } + if (empty($_POST['mediaopt'])) { + unset($wancfg['media']); + unset($wancfg['mediaopt']); + } else { + $mediaopts = explode(' ', $_POST['mediaopt']); + if ($mediaopts[0] != ''){ $wancfg['media'] = $mediaopts[0]; } + if ($mediaopts[1] != ''){ $wancfg['mediaopt'] = $mediaopts[1]; } + else { unset($wancfg['mediaopt']); } + } if (isset($wancfg['wireless'])) { handle_wireless_post(); } 
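Review bot: `$_POST['mediaopt']` is split on a space and written straight into `$wancfg['media']` and `$wancfg['mediaopt']` without any check; the list of legitimate values (`$mediaopts_list`) is only built later, for rendering, so an arbitrary string is accepted into the config. If these values are later handed to ifconfig when the interface is configured (not visible in this hunk), an unvalidated string would reach a command line. Validate in the input-validation section of the same POST handler (which starts above this hunk), e.g. `if (!empty($_POST['mediaopt']) && !preg_match('/^[A-Za-z0-9\-]+( [A-Za-z0-9\-]+)?$/', $_POST['mediaopt'])) $input_errors[] = gettext("Invalid speed/duplex selection.");`, or compute the ifconfig -m list before the POST block and reject anything not in it with `in_array(..., true)`. Also `$mediaopts[1]` is read even when no second token exists, which emits a notice.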
@@ -897,6 +906,21 @@ function check_wireless_mode() { } } +// Find all possible media options for the interface +$mediaopts_list = array(); +$intrealname = $config['interfaces'][$if]['if']; +exec("/sbin/ifconfig -m $intrealname | grep \"media \"", $mediaopts); +foreach ($mediaopts as $mediaopt){ + preg_match("/media (.*)/", $mediaopt, $matches); + if (preg_match("/(.*) mediaopt (.*)/", $matches[1], $matches1)){ + // there is media + mediaopt like "media 1000baseT mediaopt full-duplex" + array_push($mediaopts_list, $matches1[1] . " " . $matches1[2]); + }else{ + // there is only media like "media 1000baseT" + array_push($mediaopts_list, $matches[1]); + } +} + $pgtitle = array(gettext("Interfaces"), $pconfig['descr']); $statusurl = "status_interfaces.php"; @@ -1128,7 +1152,7 @@ function prefill_provider() {
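Review bot: `exec("/sbin/ifconfig -m $intrealname | grep \"media \"", $mediaopts)` interpolates the device name into a shell string without quoting; `$intrealname` comes from `$config['interfaces'][$if]['if']`, and if `$if` is unset or unknown the name is empty and the command becomes `ifconfig -m | grep`, listing every interface. Quote it and guard the empty case: `if (!empty($intrealname)) exec("/sbin/ifconfig -m " . escapeshellarg($intrealname) . " | grep \"media \"", $mediaopts);`. The `preg_match("/media (.*)/", ...)` result is also used (`$matches[1]`) without checking that the match succeeded, so a line without "media " would produce a notice and an empty option.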

+ "address of this interface"); ?>

@@ -1153,6 +1177,36 @@ function prefill_provider() { "header size) will be in effect."); ?>
' . gettext("Speed and duplex") . ''; + echo '"; + echo '
"; + else echo '>'; + echo '
'; + echo gettext("Here you can explicitly set speed and duplex mode for this interface. WARNING: You MUST leave this set to autonegotiate unless the port this interface connects to has its speed and duplex forced."); + echo '
'; + echo '
'; - display_top_tabs($tab); + echo '
'; + display_top_tabs($tab, $no_drop_down); echo '
'; - display_top_tabs($tab); - echo '
'; + display_top_tabs($tab, $no_drop_down); + echo '
> -
> @@ -520,8 +520,7 @@ function enable_change(enable_change) {
  
+ + + diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php index 12bb235a5a2..69cb43894a6 100644 --- a/usr/local/www/vpn_ipsec_phase1.php +++ b/usr/local/www/vpn_ipsec_phase1.php @@ -89,6 +89,7 @@ $pconfig['dhgroup'] = $a_phase1[$p1index]['dhgroup']; $pconfig['lifetime'] = $a_phase1[$p1index]['lifetime']; $pconfig['authentication_method'] = $a_phase1[$p1index]['authentication_method']; + $pconfig['generate_policy'] = $a_phase1[$p1index]['generate_policy']; $pconfig['proposal_check'] = $a_phase1[$p1index]['proposal_check']; if (($pconfig['authentication_method'] == "pre_shared_key") || @@ -307,6 +308,7 @@ $ph1ent['certref'] = $pconfig['certref']; $ph1ent['caref'] = $pconfig['caref']; $ph1ent['authentication_method'] = $pconfig['authentication_method']; + $ph1ent['generate_policy'] = $pconfig['generate_policy']; $ph1ent['proposal_check'] = $pconfig['proposal_check']; $ph1ent['descr'] = $pconfig['descr']; $ph1ent['nat_traversal'] = $pconfig['nat_traversal']; @@ -644,6 +646,22 @@ function dpdchkbox_change() { + + + + diff --git a/usr/local/www/vpn_openvpn_server.php b/usr/local/www/vpn_openvpn_server.php index 4a24e2e91d2..b08c481f0d2 100644 --- a/usr/local/www/vpn_openvpn_server.php +++ b/usr/local/www/vpn_openvpn_server.php @@ -555,10 +555,6 @@ function netbios_change() { Certificate Manager or use the Wizard. to create one. "; -if (count($a_cert) == 0) - $savemsg .= "
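Review bot: `$ph1ent['generate_policy'] = $pconfig['generate_policy']` stores the submitted value without restricting it to the options the form offers; the select that defines those options is added in the later `@@ -644` hunk, which is not visible here. If this string is later emitted into the racoon configuration (I infer that from the field name, not from this hunk), any value accepted here ends up in that file, so it should be checked in the input-validation section with something like `if (!empty($pconfig['generate_policy']) && !in_array($pconfig['generate_policy'], $allowed_generate_policy, true)) $input_errors[] = gettext("Invalid value for Policy Generation.");`, where `$allowed_generate_policy` is the same array used to build the select. The surrounding save handler starts and ends outside this hunk.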
You have no Certificates defined. You can visit the Certificate Manager or use the Wizard. to create one. "; if ($input_errors) print_input_errors($input_errors); @@ -768,6 +764,7 @@ function netbios_change() { diff --git a/usr/local/www/xmlrpc.php b/usr/local/www/xmlrpc.php index 97fbc453c60..2fbf5e39e5a 100755 --- a/usr/local/www/xmlrpc.php +++ b/usr/local/www/xmlrpc.php @@ -166,7 +166,9 @@ function restore_config_section_xmlrpc($raw_params) { foreach ($config['virtualip']['vip'] as $vipindex => $vip) { if ($vip['mode'] == "carp") $oldvips[$vip['vhid']] = "{$vip['password']}{$vip['advskew']}{$vip['subnet']}{$vip['subnet_bits']}{$vip['advbase']}"; - else if ((($vip['mode'] == 'ipalias') || ($vip['mode'] == 'proxyarp')) && substr($vip['interface'], 0, 3) != "vip") + else if ($vip['mode'] == "ipalias" && substr($vip['interface'], 0, 3) == "vip") + $oldvips[$vip['subnet']] = "{$vip['interface']}{$vip['subnet']}{$vip['subnet_bits']}"; + else if (($vip['mode'] == "ipalias" || $vip['mode'] == 'proxyarp') && substr($vip['interface'], 0, 3) != "vip") $vipbackup[] = $vip; } } 
@@ -193,16 +195,26 @@ function restore_config_section_xmlrpc($raw_params) { * The real work on handling the vips specially * This is a copy of intefaces_vips_configure with addition of not reloading existing/not changed carps */ - if (is_array($config['virtualip']) && is_array($config['virtualip']['vip'])) { + if (isset($params[0]['virtualip']) && is_array($config['virtualip']) && is_array($config['virtualip']['vip'])) { $carp_setuped = false; $anyproxyarp = false; foreach ($config['virtualip']['vip'] as $vip) { - if (isset($oldvips[$vip['vhid']])) { + if ($vip['mode'] == "carp" && isset($oldvips[$vip['vhid']])) { if ($oldvips[$vip['vhid']] == "{$vip['password']}{$vip['advskew']}{$vip['subnet']}{$vip['subnet_bits']}{$vip['advbase']}") { - if (does_interface_exist("vip{$vip['vhid']}")) - continue; // Skip reconfiguring this vips since nothing has changed. - } else - unset($oldvips['vhid']); + if (does_vip_exist($vip)) { + unset($oldvips[$vip['vhid']]); + continue; // Skip reconfiguring this vips since nothing has changed. + } + } + unset($oldvips[$vip['vhid']]); + } else if ($vip['mode'] == "ipalias" && substr($vip['interface'], 0, 3) == "vip" && isset($oldvips[$vip['subnet']])) { + if ($oldvips[$vip['subnet']] = "{$vip['interface']}{$vip['subnet']}{$vip['subnet_bits']}") { + if (does_vip_exist($vip)) { + unset($oldvips[$vip['subnet']]); + continue; // Skip reconfiguring this vips since nothing has changed. + } + } + unset($oldvips[$vip['subnet']]); } switch ($vip['mode']) { @@ -224,7 +236,7 @@ interface_carpdev_configure($vip); } /* Cleanup remaining old carps */ foreach ($oldvips as $oldvipif => $oldvippar) { - if (does_interface_exist("vip{$oldvipif}")) + if (!is_ipaddr($oldvipif) && does_interface_exist("vip{$oldvipif}")) pfSense_interface_destroy("vip{$oldvipif}"); } if ($carp_setuped == true) 
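Review bot: The new ipalias branch uses assignment where it means comparison: `if ($oldvips[$vip['subnet']] = "{$vip['interface']}{$vip['subnet']}{$vip['subnet_bits']}")` is always true for a non-empty string, so a changed interface or subnet_bits on an existing alias is treated as "nothing changed" and skipped whenever `does_vip_exist($vip)` holds. The carp branch directly above it uses `==`; this one should read `if ($oldvips[$vip['subnet']] == "{$vip['interface']}{$vip['subnet']}{$vip['subnet_bits']}") {`. Separately, the cleanup loop at the end now skips every key that `is_ipaddr()` accepts, so an ipalias that disappeared from the synced config is never torn down here — presumably intended, since those have no `vipN` interface of their own, but worth a comment on that loop.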
@@ -271,8 +283,14 @@ function merge_installedpackages_section_xmlrpc($raw_params) { function merge_config_section_xmlrpc($raw_params) { global $config, $xmlrpc_g; - - return restore_config_section_xmlrpc($raw_params); + $params = xmlrpc_params_to_php($raw_params); + if(!xmlrpc_auth($params)) + return $xmlrpc_g['return']['authfail']; + $config_new = array_overlay($config, $params[0]); + $config = $config_new; + $mergedkeys = implode(",", array_keys($params[0])); + write_config(sprintf(gettext("Merged in config (%s sections) from XMLRPC client."), $mergedkeys)); + return $xmlrpc_g['return']['true']; } /*****************************/ @@ -448,4 +466,17 @@ function get_notices_xmlrpc($raw_params) { unlock($xmlrpclockkey); + function array_overlay($a1,$a2) + { + foreach($a1 as $k => $v) { + if(!array_key_exists($k,$a2)) continue; + if(is_array($v) && is_array($a2[$k])){ + $a1[$k] = array_overlay($v,$a2[$k]); + }else{ + $a1[$k] = $a2[$k]; + } + } + return $a1; + } + ?> diff --git a/usr/sbin/pc-sysinstall/backend/functions-extractimage.sh b/usr/sbin/pc-sysinstall/backend/functions-extractimage.sh index aeb585fea9f..76cb247f8df 100755 --- a/usr/sbin/pc-sysinstall/backend/functions-extractimage.sh +++ b/usr/sbin/pc-sysinstall/backend/functions-extractimage.sh 
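Review bot: `merge_config_section_xmlrpc()` overlays whatever top-level sections the authenticated peer sends, with no allowlist, so a sync peer can rewrite `system` (local users, webgui settings) as easily as `filter`; the previous implementation delegated to `restore_config_section_xmlrpc()`, which at least has the virtualip special-casing shown above. `array_overlay()` also replaces an entire subtree whenever the incoming value is not an array, so a malformed scalar in `$params[0]['system']` would wipe that section before `write_config()`. At minimum drop non-array top-level values before merging, `foreach ($params[0] as $section => $data) if (!is_array($data)) unset($params[0][$section]);`, and consider restricting `$section` to the sections this endpoint is meant to sync. I also cannot see whether this path takes the `$xmlrpclockkey` lock that is released near the end of the file.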
@@ -404,45 +404,53 @@ init_extraction() # Lets start by figuring out what medium we are using case ${INSTALLMEDIUM} in - LiveCD) - get_value_from_cfg cpdupPaths - if [ ! -z "${VAL}" ] - then - INSFILE="${VAL}" ; export INSFILE - fi - oIFS=$IFS - IFS="," - for FILE in $INSFILE; do - echo_log "pc-sysinstall: Running cpdup -vvv -I -o /${FILE} /mnt/${FILE}" - /usr/local/bin/cpdup -vvv -I -o /${FILE} /mnt/${FILE} >&1 2>&1 - if [ "$?" != "0" ] - then - echo "CPDUP failure occured:" >>${LOGOUT} - exit_err "ERROR: Error occurred during cpdup" - fi - done - oIFS=$IFS - IFS=" -" - return + LiveCD) # Copies files using cpdup. Ideal for pre-staged fs + if [ ! -f /usr/local/bin/cpdup ] + then + echo "Could not locate cpdup binary" >>${LOGOUT} + exit_err "Could not locate cpdup binary (pkg_add -r cpdup)?" + fi + get_value_from_cfg cpdupPathsPrefix + if [ ! -z "${VAL}" ] + CPDUPPATHPREFIX="" + then + CPDUPPATHPREFIX="${VAL}" ; export CPDUPPATHPREFIX + fi + get_value_from_cfg cpdupPaths + if [ ! -z "${VAL}" ] + then + CPDUPDIR="${VAL}" ; export CPDUPDIR + fi + oIFS=$IFS + IFS="," + for FILE in $CPDUPDIR; do + echo_log "pc-sysinstall: Running cpdup -o ${CPDUPPATHPREFIX}/${FILE} /mnt/${FILE}" + /usr/local/bin/cpdup -o ${CPDUPPATHPREFIX}/${FILE} /mnt/${FILE} >&1 2>&1 + if [ "$?" != "0" ] + then + echo "cpdup failure occurred:" >>${LOGOUT} + exit_err "ERROR: Error occurred during cpdup" + fi + done + IFS=$oIFS + return ;; dvd|usb) # Lets start by mounting the disk opt_mount - if [ ! -z "${INSDIR}" ] - then - INSDIR="${CDMNT}/${INSDIR}" ; export INSDIR - start_extract_split - - else - INSFILE="${CDMNT}/${INSFILE}" ; export INSFILE - start_extract_uzip_tar - fi + if [ ! -z "${INSDIR}" ] + then + INSDIR="${CDMNT}/${INSDIR}" ; export INSDIR + start_extract_split + else + INSFILE="${CDMNT}/${INSFILE}" ; export INSFILE + start_extract_uzip_tar + fi ;; ftp) fetch_install_file start_extract_uzip_tar ;; rsync) start_rsync_copy - ;; + ;; *) exit_err "ERROR: Unknown install medium" ;; esac
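Review bot: In the LiveCD branch the line `CPDUPPATHPREFIX=""` sits between `if [ ! -z "${VAL}" ]` and `then`, which makes it part of the if-list; the branch is taken on the exit status of the assignment (always 0), so the emptiness test is never consulted. The result happens to be the same today because the branch assigns `${VAL}` anyway, but the intent is clearly a default, so move it above the test: `CPDUPPATHPREFIX=""` then `get_value_from_cfg cpdupPathsPrefix` then the `if`. The cpdup invocation also leaves `${CPDUPPATHPREFIX}/${FILE}` and `/mnt/${FILE}` unquoted, and `>&1 2>&1` does not send anything to `${LOGOUT}` as the surrounding error handling assumes; `"${CPDUPPATHPREFIX}/${FILE}" "/mnt/${FILE}" >>${LOGOUT} 2>&1` would match the rest of this file.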
diff --git a/usr/local/www/services_captiveportal_mac.php b/usr/local/www/services_captiveportal_mac.php index 25c250cd404..f42ac809755 100755 --- a/usr/local/www/services_captiveportal_mac.php +++ b/usr/local/www/services_captiveportal_mac.php @@ -108,6 +108,7 @@ if ($a_passthrumacs[$_GET['id']]) { $ruleno = captiveportal_get_ipfw_passthru_ruleno($a_passthrumacs[$_GET['id']]['mac']); if ($ruleno) { + captiveportal_free_ipfw_ruleno($ruleno); mwexec("/sbin/ipfw delete {$ruleno}; /sbin/ipfw delete " . ++$ruleno); } unset($a_passthrumacs[$_GET['id']]); diff --git a/usr/local/www/services_captiveportal_mac_edit.php b/usr/local/www/services_captiveportal_mac_edit.php index aabf4b3bcbc..07f6d8c4f6b 100755 --- a/usr/local/www/services_captiveportal_mac_edit.php +++ b/usr/local/www/services_captiveportal_mac_edit.php @@ -153,6 +153,9 @@ function passthrumacs_sort() { + + + - - - - diff --git a/usr/local/www/services_rfc2136_edit.php b/usr/local/www/services_rfc2136_edit.php index 7c5f1149e29..e5b36d6793c 100644 --- a/usr/local/www/services_rfc2136_edit.php +++ b/usr/local/www/services_rfc2136_edit.php @@ -146,6 +146,7 @@ diff --git a/usr/local/www/services_wol.php b/usr/local/www/services_wol.php index cdc3e6a4079..37d41555e01 100755 --- a/usr/local/www/services_wol.php +++ b/usr/local/www/services_wol.php @@ -156,7 +156,7 @@  
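Review bot: `captiveportal_free_ipfw_ruleno($ruleno)` is called before the `mwexec("/sbin/ipfw delete ...")` that actually removes the two rules, so the number is returned to the pool while the rules still exist; if the delete fails, or another request allocates that number in between, a new pass-through MAC could be installed on top of the old rules. Swap the order so the release follows the delete: `mwexec("/sbin/ipfw delete {$ruleno}; /sbin/ipfw delete " . ($ruleno + 1)); captiveportal_free_ipfw_ruleno($ruleno);` — using `$ruleno + 1` rather than `++$ruleno` so the freed value is the original number. The delete is still driven by `$_GET['id']`, which predates this change.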

-

diff --git a/usr/local/www/services_captiveportal_vouchers.php b/usr/local/www/services_captiveportal_vouchers.php index 203906a067e..f4f4b8976f5 100644 --- a/usr/local/www/services_captiveportal_vouchers.php +++ b/usr/local/www/services_captiveportal_vouchers.php @@ -39,6 +39,8 @@ $statusurl = "status_captiveportal_vouchers.php"; $logurl = "diag_logs_auth.php"; +if ($_POST['postafterlogin']) + $nocsrf= true; require("guiconfig.inc"); require("functions.inc"); require("filter.inc"); @@ -76,8 +78,6 @@ $config['voucher']['rollbits'] = 16; if (!isset($config['voucher']['ticketbits'])) $config['voucher']['ticketbits'] = 10; -if (!isset($config['voucher']['saveinterval'])) - $config['voucher']['saveinterval'] = 5; if (!isset($config['voucher']['checksumbits'])) $config['voucher']['checksumbits'] = 5; if (!isset($config['voucher']['magic'])) @@ -116,9 +116,8 @@ exit; } } - /* print all vouchers of the selected roll */ -if ($_GET['act'] == "csv") { +else if ($_GET['act'] == "csv") { $privkey = base64_decode($config['voucher']['privatekey']); if (strstr($privkey,"BEGIN RSA PRIVATE KEY")) { $fd = fopen("{$g['varetc_path']}/voucher.private","w"); @@ -149,7 +148,6 @@ $pconfig['charset'] = $config['voucher']['charset']; $pconfig['rollbits'] = $config['voucher']['rollbits']; $pconfig['ticketbits'] = $config['voucher']['ticketbits']; -$pconfig['saveinterval'] = $config['voucher']['saveinterval']; $pconfig['checksumbits'] = $config['voucher']['checksumbits']; $pconfig['magic'] = $config['voucher']['magic']; $pconfig['publickey'] = base64_decode($config['voucher']['publickey']); 
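Review bot: Setting `$nocsrf = true` whenever `$_POST['postafterlogin']` is present lets the requester switch off the CSRF check, since that field is part of the same untrusted request: any cross-site form that includes `postafterlogin=1` and a `voucher_expire` value will be accepted by this page in a logged-in administrator's browser and, via the `voucher_expire()` branch added further down, expire vouchers. The bypass needs to be keyed on something the legitimate caller proves rather than on a form field — if that caller is another pfSense node, route it through the authenticated XMLRPC path instead; if it is a browser, have it carry the token and drop these two lines. At minimum restrict the exemption so it applies only to the expire action and is logged, not to every POST to this page.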
@@ -164,13 +162,19 @@ if ($_POST) { unset($input_errors); + + if ($_POST['postafterlogin']) { + voucher_expire($_POST['voucher_expire']); + exit; + } + $pconfig = $_POST; /* input validation */ if ($_POST['enable'] == "yes") { if (!$_POST['vouchersyncusername']) { - $reqdfields = explode(" ", "charset rollbits ticketbits checksumbits publickey magic saveinterval"); - $reqdfieldsn = array(gettext("charset"),gettext("rollbits"),gettext("ticketbits"),gettext("checksumbits"),gettext("publickey"),gettext("magic"),gettext("saveinterval")); + $reqdfields = explode(" ", "charset rollbits ticketbits checksumbits publickey magic"); + $reqdfieldsn = array(gettext("charset"),gettext("rollbits"),gettext("ticketbits"),gettext("checksumbits"),gettext("publickey"),gettext("magic")); } else { $reqdfields = explode(" ", "vouchersyncdbip vouchersyncport vouchersyncpass vouchersyncusername"); $reqdfieldsn = array(gettext("Synchronize Voucher Database IP"),gettext("Sync port"),gettext("Sync password"),gettext("Sync username")); 
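Review bot: `voucher_expire($_POST['voucher_expire'])` passes the raw request value to the voucher code and then `exit`s, before `$pconfig = $_POST` and before any of the page's input validation runs. Vouchers are generated from `$config['voucher']['charset']`, so the input can be checked against that alphabet first, e.g. `if (!preg_match('/^[' . preg_quote($config['voucher']['charset'], '/') . '\s]+$/', $_POST['voucher_expire'])) { header("HTTP/1.1 400 Bad Request"); exit; }` (keep `\s` only if `voucher_expire()` accepts a whitespace-separated list, which I cannot see from here). The bare `exit` also returns an empty 200 regardless of outcome; the caller gets no signal that the expiry failed.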
@@ -193,12 +197,12 @@ $input_errors[] = gettext("# of Bits to store Ticket Id needs to be between 1..16."); if ($_POST['checksumbits'] && (!is_numeric($_POST['checksumbits']) || ($_POST['checksumbits'] < 1) || ($_POST['checksumbits'] > 31))) $input_errors[] = gettext("# of Bits to store checksum needs to be between 1..31."); - if ($_POST['saveinterval'] && (!is_numeric($_POST['saveinterval']) || ($_POST['saveinterval'] < 1))) - $input_errors[] = gettext("Save interval in minutes cant be negative."); if ($_POST['publickey'] && (!strstr($_POST['publickey'],"BEGIN PUBLIC KEY"))) $input_errors[] = gettext("This doesn't look like an RSA Public key."); if ($_POST['privatekey'] && (!strstr($_POST['privatekey'],"BEGIN RSA PRIVATE KEY"))) $input_errors[] = gettext("This doesn't look like an RSA Private key."); + if ($_POST['vouchersyncdbip'] && (is_ipaddr_configured($_POST['vouchersyncdbip']))) + $input_errors[] = gettext("You cannot sync the voucher database to this host (itself)."); } if (!$input_errors) { @@ -212,7 +216,6 @@ $config['voucher']['ticketbits'] = $_POST['ticketbits']; $config['voucher']['checksumbits'] = $_POST['checksumbits']; $config['voucher']['magic'] = $_POST['magic']; - $config['voucher']['saveinterval'] = $_POST['saveinterval']; $config['voucher']['publickey'] = base64_encode($_POST['publickey']); $config['voucher']['privatekey'] = base64_encode($_POST['privatekey']); $config['voucher']['msgnoaccess'] = $_POST['msgnoaccess']; @@ -278,8 +281,6 @@ $config['voucher']['rollbits'] = $toreturn['voucher']['rollbits']; if($toreturn['voucher']['ticketbits']) $config['voucher']['ticketbits'] = $toreturn['voucher']['ticketbits']; - if($toreturn['voucher']['saveinterval']) - $config['voucher']['saveinterval'] = $toreturn['voucher']['saveinterval']; if($toreturn['voucher']['checksumbits']) $config['voucher']['checksumbits'] = $toreturn['voucher']['checksumbits']; if($toreturn['voucher']['magic']) 
@@ -327,7 +328,6 @@ function before_save() { document.iform.charset.disabled = false; document.iform.rollbits.disabled = false; document.iform.ticketbits.disabled = false; - document.iform.saveinterval.disabled = false; document.iform.checksumbits.disabled = false; document.iform.magic.disabled = false; document.iform.publickey.disabled = false; @@ -344,7 +344,6 @@ function enable_change(enable_change) { document.iform.charset.disabled = endis; document.iform.rollbits.disabled = endis; document.iform.ticketbits.disabled = endis; - document.iform.saveinterval.disabled = endis; document.iform.checksumbits.disabled = endis; document.iform.magic.disabled = endis; document.iform.publickey.disabled = endis; @@ -359,7 +358,6 @@ function enable_change(enable_change) { document.iform.charset.disabled = true; document.iform.rollbits.disabled = true; document.iform.ticketbits.disabled = true; - document.iform.saveinterval.disabled = true; document.iform.checksumbits.disabled = true; document.iform.magic.disabled = true; document.iform.publickey.disabled = true; @@ -524,14 +522,6 @@ function enable_change(enable_change) {
- -
- -
@@ -559,7 +549,8 @@ function enable_change(enable_change) { -
+
+
+
Fully qualified hostname of the host to be updated
+
diff --git a/usr/local/www/status_interfaces.php b/usr/local/www/status_interfaces.php index 6c98a340801..db88536b3cc 100755 --- a/usr/local/www/status_interfaces.php +++ b/usr/local/www/status_interfaces.php @@ -180,7 +180,7 @@ interface_configure($interface); " . htmlspecialchars($mac_man[$mac_hi]); print ""; } + if(isset($mac_man[$mac_hi])){ print "" . $mac . " - " . htmlspecialchars($mac_man[$mac_hi]); print ""; } else {print htmlspecialchars($mac);} ?> diff --git a/usr/local/www/status_rrd_graph_img.php b/usr/local/www/status_rrd_graph_img.php index a2aa6d2b312..15a096b5503 100644 --- a/usr/local/www/status_rrd_graph_img.php +++ b/usr/local/www/status_rrd_graph_img.php @@ -940,8 +940,9 @@ function timeDiff($time, $opt = array()) { $graphcmd .= "--height 200 --width 620 "; $graphcmd .= "DEF:\"$curif-loggedinusers=$rrddbpath$curdatabase:loggedinusers:AVERAGE\" "; $graphcmd .= "CDEF:\"$curif-totalusers_t=PREV,UN,0,PREV,IF,$curif-loggedinusers,+\" "; - $graphcmd .= "AREA:\"$curif-totalusers_t#{$colorcaptiveportalusers[0]}:Total logged in users\" "; - $graphcmd .= "GPRINT:\"$curif-totalusers_t:MAX:%8.0lf \\n\" "; + $graphcmd .= "CDEF:\"$curif-totalusers_d=$curif-totalusers_t,FLOOR\" "; + $graphcmd .= "AREA:\"$curif-totalusers_d#{$colorcaptiveportalusers[0]}:Total logged in users\" "; + $graphcmd .= "GPRINT:\"$curif-totalusers_d:MAX:%8.0lf \\n\" "; $graphcmd .= "COMMENT:\"\\n\" "; $graphcmd .= "COMMENT:\"\t\t\t\t\t\t\t\t\t\t\t\t\t`date +\"%b %d %H\:%M\:%S %Y\"`\" "; } diff --git a/usr/local/www/system_advanced_admin.php b/usr/local/www/system_advanced_admin.php index 601bb8ec50d..4965fb9c679 100644 --- a/usr/local/www/system_advanced_admin.php +++ b/usr/local/www/system_advanced_admin.php 
@@ -51,6 +51,7 @@ $pconfig['webguiproto'] = $config['system']['webgui']['protocol']; $pconfig['webguiport'] = $config['system']['webgui']['port']; +$pconfig['max_procs'] = ($config['system']['webgui']['max_procs']) ? $config['system']['webgui']['max_procs'] : 2; $pconfig['ssl-certref'] = $config['system']['webgui']['ssl-certref']; $pconfig['disablehttpredirect'] = isset($config['system']['webgui']['disablehttpredirect']); $pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']); @@ -84,6 +85,10 @@ if(!is_port($_POST['webguiport'])) $input_errors[] = gettext("You must specify a valid webConfigurator port number"); + if ($_POST['max_procs']) + if(!is_numeric($_POST['max_procs']) || ($_POST['max_procs'] < 1) || ($_POST['max_procs'] > 500)) + $input_errors[] = gettext("Max Processes must be a number 1 or greater"); + if ($_POST['althostnames']) { $althosts = explode(" ", $_POST['althostnames']); foreach ($althosts as $ah) @@ -111,6 +116,8 @@ $restart_webgui = true; if (update_if_changed("webgui certificate", $config['system']['webgui']['ssl-certref'], $_POST['ssl-certref'])) $restart_webgui = true; + if (update_if_changed("webgui max processes", $config['system']['webgui']['max_procs'], $_POST['max_procs'])) + $restart_webgui = true; if ($_POST['disablehttpredirect'] == "yes") { $config['system']['webgui']['disablehttpredirect'] = true; @@ -321,6 +328,18 @@ function prot_change() { + + + + + + + + diff --git a/usr/local/www/system_camanager.php b/usr/local/www/system_camanager.php index e1b83f24ffc..a4b60af5a2c 100644 --- a/usr/local/www/system_camanager.php +++ b/usr/local/www/system_camanager.php @@ -92,6 +92,8 @@ unset($a_ca[$id]); write_config(); $savemsg = sprintf(gettext("Certificate Authority %s and its CRLs (if any) successfully deleted"), $name) . "
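Review bot: The new `max_procs` check rejects values above 500 but its message says only "must be a number 1 or greater", and `is_numeric()` accepts `1.5`, `1e2` and leading whitespace, none of which make sense for a process count. Tighten both: `if ($_POST['max_procs'] !== '' && (!ctype_digit((string)$_POST['max_procs']) || $_POST['max_procs'] < 1 || $_POST['max_procs'] > 500)) $input_errors[] = gettext("Max Processes must be a whole number between 1 and 500.");`. Note the `if ($_POST['max_procs'])` guard also means a submitted `0` skips validation entirely and is then saved by `update_if_changed()` below.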
"; + pfSenseHeader("system_camanager.php"); + exit; } if ($act == "edit") { @@ -152,7 +154,7 @@ if ($_POST) { - unset($input_errors); + $input_errors = array(); $pconfig = $_POST; /* input validation */ @@ -183,6 +185,18 @@ } do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + if ($pconfig['method'] != "existing") + /* Make sure we do not have invalid characters in the fields for the certificate */ + for ($i = 0; $i < count($reqdfields); $i++) { + if ($reqdfields[$i] == 'dn_email'){ + if (preg_match("/[\!\#\$\%\^\(\)\~\?\>\<\&\/\\\,\"\']/", $_POST["dn_email"])) + array_push($input_errors, "The field 'Distinguished name Email Address' contains invalid characters."); + }else if ($reqdfields[$i] == 'dn_commonname'){ + if (preg_match("/[\!\@\#\$\%\^\(\)\~\?\>\<\&\/\\\,\"\']/", $_POST["dn_commonname"])) + array_push($input_errors, "The field 'Distinguished name Common Name' contains invalid characters."); + }else if (preg_match("/[\!\@\#\$\%\^\(\)\~\?\>\<\&\/\\\,\.\"\']/", $_POST["$reqdfields[$i]"])) + array_push($input_errors, "The field '" . $reqdfieldsn[$i] . "' contains invalid characters."); + } /* if this is an AJAX caller then handle via JSON */ if (isAjax() && is_array($input_errors)) { @@ -269,6 +283,15 @@ function method_change() { print_input_errors($input_errors); if ($savemsg) print_info_box($savemsg); + + // Load valid country codes + $dn_cc = array(); + if (file_exists("/etc/ca_countries")){ + $dn_cc_file=file("/etc/ca_countries"); + foreach($dn_cc_file as $line) + if (preg_match('/^(\S*)\s(.*)$/', $line, $matches)) + array_push($dn_cc, $matches[1]); + } ?>
+ +
+ + + +
diff --git a/usr/local/www/system_advanced_misc.php b/usr/local/www/system_advanced_misc.php index 51857abb65b..22643653f4e 100644 --- a/usr/local/www/system_advanced_misc.php +++ b/usr/local/www/system_advanced_misc.php @@ -56,6 +56,7 @@ $pconfig['proxypass'] = $config['system']['proxypass']; $pconfig['harddiskstandby'] = $config['system']['harddiskstandby']; $pconfig['lb_use_sticky'] = isset($config['system']['lb_use_sticky']); +$pconfig['gw_switch_default'] = isset($config['system']['gw_switch_default']); $pconfig['preferoldsa_enable'] = isset($config['ipsec']['preferoldsa']); $pconfig['racoondebug_enable'] = isset($config['ipsec']['racoondebug']); $pconfig['maxmss_enable'] = isset($config['system']['maxmss_enable']); @@ -106,6 +107,11 @@ else unset($config['system']['lb_use_sticky']); + if($_POST['gw_switch_default'] == "yes") + $config['system']['gw_switch_default'] = true; + else + unset($config['system']['gw_switch_default']); + if($_POST['preferoldsa_enable'] == "yes") $config['ipsec']['preferoldsa'] = true; else @@ -271,6 +277,15 @@ function maxmss_checked(obj) { "robin."); ?>
+ /> +
+ +
 
@@ -392,12 +415,15 @@ function method_change() { diff --git a/usr/local/www/system_certmanager.php b/usr/local/www/system_certmanager.php index cc1c65af118..87b8d9119e0 100644 --- a/usr/local/www/system_certmanager.php +++ b/usr/local/www/system_certmanager.php @@ -94,6 +94,8 @@ unset($a_cert[$id]); write_config(); $savemsg = sprintf(gettext("Certificate %s successfully deleted"), $name) . "
"; + pfSenseHeader("system_certmanager.php"); + exit; } if ($act == "new") { @@ -151,7 +153,7 @@ if ($_POST) { if ($_POST['save'] == gettext("Save")) { - unset($input_errors); + $input_errors = array(); $pconfig = $_POST; /* input validation */ @@ -204,6 +206,18 @@ } do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + if ($pconfig['method'] != "import") + /* Make sure we do not have invalid characters in the fields for the certificate */ + for ($i = 0; $i < count($reqdfields); $i++) { + if (preg_match('/email/', $reqdfields[$i])){ /* dn_email or csr_dn_name */ + if (preg_match("/[\!\#\$\%\^\(\)\~\?\>\<\&\/\\\,\"\']/", $_POST["$reqdfields[$i]"])) + array_push($input_errors, "The field 'Distinguished name Email Address' contains invalid characters."); + }else if (preg_match('/commonname/', $reqdfields[$i])){ /* dn_commonname or csr_dn_commonname */ + if (preg_match("/[\!\@\#\$\%\^\(\)\~\?\>\<\&\/\\\,\"\']/", $_POST["$reqdfields[$i]"])) + array_push($input_errors, "The field 'Distinguished name Common Name' contains invalid characters."); + }else if (preg_match("/[\!\@\#\$\%\^\(\)\~\?\>\<\&\/\\\,\.\"\']/", $_POST["$reqdfields[$i]"])) + array_push($input_errors, "The field '" . $reqdfieldsn[$i] . "' contains invalid characters."); + } /* if this is an AJAX caller then handle via JSON */ if (isAjax() && is_array($input_errors)) { @@ -411,6 +425,15 @@ function internalca_change() { print_input_errors($input_errors); if ($savemsg) print_info_box($savemsg); + + // Load valid country codes + $dn_cc = array(); + if (file_exists("/etc/ca_countries")){ + $dn_cc_file=file("/etc/ca_countries"); + foreach($dn_cc_file as $line) + if (preg_match('/^(\S*)\s(.*)$/', $line, $matches)) + array_push($dn_cc, $matches[1]); + } ?>
:   - -   - -   - - +
@@ -637,13 +660,15 @@ function internalca_change() { diff --git a/usr/local/www/system_usermanager.php b/usr/local/www/system_usermanager.php index d810cb9239a..783eb0febbd 100644 --- a/usr/local/www/system_usermanager.php +++ b/usr/local/www/system_usermanager.php @@ -49,311 +49,304 @@ require("certs.inc"); require("guiconfig.inc"); -if (isAllowedPage("system_usermanager")) { - // start admin user code - $pgtitle = array(gettext("System"),gettext("User Manager")); +// start admin user code +$pgtitle = array(gettext("System"),gettext("User Manager")); - $id = $_GET['id']; - if (isset($_POST['id'])) - $id = $_POST['id']; +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; - if (!is_array($config['system']['user'])) - $config['system']['user'] = array(); +if (!is_array($config['system']['user'])) + $config['system']['user'] = array(); - $a_user = &$config['system']['user']; +$a_user = &$config['system']['user']; - if ($_GET['act'] == "deluser") { +if ($_GET['act'] == "deluser") { - if (!$a_user[$id]) { - pfSenseHeader("system_usermanager.php"); - exit; - } - - local_user_del($a_user[$id]); - $userdeleted = $a_user[$id]['name']; - unset($a_user[$id]); - write_config(); - $savemsg = gettext("User")." {$userdeleted} ". - gettext("successfully deleted")."
"; + if (!$a_user[$id]) { + pfSenseHeader("system_usermanager.php"); + exit; } - if ($_GET['act'] == "delpriv") { - - if (!$a_user[$id]) { - pfSenseHeader("system_usermanager.php"); - exit; - } + local_user_del($a_user[$id]); + $userdeleted = $a_user[$id]['name']; + unset($a_user[$id]); + write_config(); + $savemsg = gettext("User")." {$userdeleted} ". + gettext("successfully deleted")."
"; +} +else if ($_GET['act'] == "delpriv") { - $privdeleted = $priv_list[$a_user[$id]['priv'][$_GET['privid']]]['name']; - unset($a_user[$id]['priv'][$_GET['privid']]); - local_user_set($a_user[$id]); - write_config(); - $_GET['act'] = "edit"; - $savemsg = gettext("Privilege")." {$privdeleted} ". - gettext("successfully deleted")."
"; + if (!$a_user[$id]) { + pfSenseHeader("system_usermanager.php"); + exit; } - if ($_GET['act'] == "expcert") { - - if (!$a_user[$id]) { - pfSenseHeader("system_usermanager.php"); - exit; - } - - $cert =& lookup_cert($a_user[$id]['cert'][$_GET['certid']]); - - $exp_name = urlencode("{$a_user[$id]['name']}-{$cert['descr']}.crt"); - $exp_data = base64_decode($cert['crt']); - $exp_size = strlen($exp_data); + $privdeleted = $priv_list[$a_user[$id]['priv'][$_GET['privid']]]['name']; + unset($a_user[$id]['priv'][$_GET['privid']]); + local_user_set($a_user[$id]); + write_config(); + $_GET['act'] = "edit"; + $savemsg = gettext("Privilege")." {$privdeleted} ". + gettext("successfully deleted")."
"; +} +else if ($_GET['act'] == "expcert") { - header("Content-Type: application/octet-stream"); - header("Content-Disposition: attachment; filename={$exp_name}"); - header("Content-Length: $exp_size"); - echo $exp_data; + if (!$a_user[$id]) { + pfSenseHeader("system_usermanager.php"); exit; } - if ($_GET['act'] == "expckey") { - - if (!$a_user[$id]) { - pfSenseHeader("system_usermanager.php"); - exit; - } + $cert =& lookup_cert($a_user[$id]['cert'][$_GET['certid']]); - $cert =& lookup_cert($a_user[$id]['cert'][$_GET['certid']]); + $exp_name = urlencode("{$a_user[$id]['name']}-{$cert['descr']}.crt"); + $exp_data = base64_decode($cert['crt']); + $exp_size = strlen($exp_data); - $exp_name = urlencode("{$a_user[$id]['name']}-{$cert['descr']}.key"); - $exp_data = base64_decode($cert['prv']); - $exp_size = strlen($exp_data); + header("Content-Type: application/octet-stream"); + header("Content-Disposition: attachment; filename={$exp_name}"); + header("Content-Length: $exp_size"); + echo $exp_data; + exit; +} +else if ($_GET['act'] == "expckey") { - header("Content-Type: application/octet-stream"); - header("Content-Disposition: attachment; filename={$exp_name}"); - header("Content-Length: $exp_size"); - echo $exp_data; + if (!$a_user[$id]) { + pfSenseHeader("system_usermanager.php"); exit; } - if ($_GET['act'] == "delcert") { + $cert =& lookup_cert($a_user[$id]['cert'][$_GET['certid']]); - if (!$a_user[$id]) { - pfSenseHeader("system_usermanager.php"); - exit; - } + $exp_name = urlencode("{$a_user[$id]['name']}-{$cert['descr']}.key"); + $exp_data = base64_decode($cert['prv']); + $exp_size = strlen($exp_data); - $certdeleted = lookup_cert($a_user[$id]['cert'][$_GET['certid']]); - $certdeleted = $certdeleted['descr']; - unset($a_user[$id]['cert'][$_GET['certid']]); - write_config(); - $_GET['act'] = "edit"; - $savemsg = gettext("Certificate")." {$certdeleted} ". - gettext("association removed.")."
"; - } + header("Content-Type: application/octet-stream"); + header("Content-Disposition: attachment; filename={$exp_name}"); + header("Content-Length: $exp_size"); + echo $exp_data; + exit; +} +else if ($_GET['act'] == "delcert") { - if ($_GET['act'] == "edit") { - if (isset($id) && $a_user[$id]) { - $pconfig['usernamefld'] = $a_user[$id]['name']; - $pconfig['descr'] = $a_user[$id]['descr']; - $pconfig['expires'] = $a_user[$id]['expires']; - $pconfig['groups'] = local_user_get_groups($a_user[$id]); - $pconfig['utype'] = $a_user[$id]['scope']; - $pconfig['uid'] = $a_user[$id]['uid']; - $pconfig['authorizedkeys'] = base64_decode($a_user[$id]['authorizedkeys']); - $pconfig['priv'] = $a_user[$id]['priv']; - $pconfig['ipsecpsk'] = $a_user[$id]['ipsecpsk']; - $pconfig['disabled'] = isset($a_user[$id]['disabled']); - } + if (!$a_user[$id]) { + pfSenseHeader("system_usermanager.php"); + exit; } - if ($_GET['act'] == "new") { - /* - * set this value cause the text field is read only - * and the user should not be able to mess with this - * setting. - */ - $pconfig['utype'] = "user"; - $pconfig['lifetime'] = 3650; + $certdeleted = lookup_cert($a_user[$id]['cert'][$_GET['certid']]); + $certdeleted = $certdeleted['descr']; + unset($a_user[$id]['cert'][$_GET['certid']]); + write_config(); + $_GET['act'] = "edit"; + $savemsg = gettext("Certificate")." {$certdeleted} ". + gettext("association removed.")."
"; +} +else if ($_GET['act'] == "edit") { + if (isset($id) && $a_user[$id]) { + $pconfig['usernamefld'] = $a_user[$id]['name']; + $pconfig['descr'] = $a_user[$id]['descr']; + $pconfig['expires'] = $a_user[$id]['expires']; + $pconfig['groups'] = local_user_get_groups($a_user[$id]); + $pconfig['utype'] = $a_user[$id]['scope']; + $pconfig['uid'] = $a_user[$id]['uid']; + $pconfig['authorizedkeys'] = base64_decode($a_user[$id]['authorizedkeys']); + $pconfig['priv'] = $a_user[$id]['priv']; + $pconfig['ipsecpsk'] = $a_user[$id]['ipsecpsk']; + $pconfig['disabled'] = isset($a_user[$id]['disabled']); } +} +else if ($_GET['act'] == "new") { + /* + * set this value cause the text field is read only + * and the user should not be able to mess with this + * setting. + */ + $pconfig['utype'] = "user"; + $pconfig['lifetime'] = 3650; +} - if ($_POST) { - unset($input_errors); - $pconfig = $_POST; +if ($_POST) { + unset($input_errors); + $pconfig = $_POST; - /* input validation */ - if (isset($id) && ($a_user[$id])) { - $reqdfields = explode(" ", "usernamefld"); - $reqdfieldsn = array(gettext("Username")); + /* input validation */ + if (isset($id) && ($a_user[$id])) { + $reqdfields = explode(" ", "usernamefld"); + $reqdfieldsn = array(gettext("Username")); + } else { + if (empty($_POST['name'])) { + $reqdfields = explode(" ", "usernamefld passwordfld1"); + $reqdfieldsn = array( + gettext("Username"), + gettext("Password")); } else { - if (empty($_POST['name'])) { - $reqdfields = explode(" ", "usernamefld passwordfld1"); - $reqdfieldsn = array( - gettext("Username"), - gettext("Password")); - } else { - $reqdfields = explode(" ", "usernamefld passwordfld1 name caref keylen lifetime"); - $reqdfieldsn = array( - gettext("Username"), - gettext("Password"), - gettext("Descriptive name"), - gettext("Certificate authority"), - gettext("Key length"), - gettext("Lifetime")); - } + $reqdfields = explode(" ", "usernamefld passwordfld1 name caref keylen lifetime"); + $reqdfieldsn = array( + 
gettext("Username"), + gettext("Password"), + gettext("Descriptive name"), + gettext("Certificate authority"), + gettext("Key length"), + gettext("Lifetime")); } + } - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); - if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['usernamefld'])) - $input_errors[] = gettext("The username contains invalid characters."); + if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['usernamefld'])) + $input_errors[] = gettext("The username contains invalid characters."); - if (strlen($_POST['usernamefld']) > 16) - $input_errors[] = gettext("The username is longer than 16 characters."); + if (strlen($_POST['usernamefld']) > 16) + $input_errors[] = gettext("The username is longer than 16 characters."); - if (($_POST['passwordfld1']) && ($_POST['passwordfld1'] != $_POST['passwordfld2'])) - $input_errors[] = gettext("The passwords do not match."); + if (($_POST['passwordfld1']) && ($_POST['passwordfld1'] != $_POST['passwordfld2'])) + $input_errors[] = gettext("The passwords do not match."); - if (isset($id) && $a_user[$id]) - $oldusername = $a_user[$id]['name']; - else - $oldusername = ""; - /* make sure this user name is unique */ - if (!$input_errors) { - foreach ($a_user as $userent) { - if ($userent['name'] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) { - $input_errors[] = gettext("Another entry with the same username already exists."); - break; - } + if (isset($id) && $a_user[$id]) + $oldusername = $a_user[$id]['name']; + else + $oldusername = ""; + /* make sure this user name is unique */ + if (!$input_errors) { + foreach ($a_user as $userent) { + if ($userent['name'] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) { + $input_errors[] = gettext("Another entry with the same username already exists."); + break; } } - /* also make sure it is not reserved */ - if (!$input_errors) { - $system_users = explode("\n", 
file_get_contents("/etc/passwd")); - foreach ($system_users as $s_user) { - $ent = explode(":", $s_user); - if ($ent[0] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) { - $input_errors[] = gettext("That username is reserved by the system."); - break; - } + } + /* also make sure it is not reserved */ + if (!$input_errors) { + $system_users = explode("\n", file_get_contents("/etc/passwd")); + foreach ($system_users as $s_user) { + $ent = explode(":", $s_user); + if ($ent[0] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) { + $input_errors[] = gettext("That username is reserved by the system."); + break; } } + } - /* - * Check for a valid expirationdate if one is set at all (valid means, - * strtotime() puts out a time stamp so any strtotime compatible time - * format may be used. to keep it simple for the enduser, we only - * claim to accept MM/DD/YYYY as inputs. Advanced users may use inputs - * like "+1 day", which will be converted to MM/DD/YYYY based on "now". - * Otherwhise such an entry would lead to an invalid expiration data. - */ - if ($_POST['expires']){ - if(strtotime($_POST['expires']) > 0){ - if (strtotime("-1 day") > strtotime(date("m/d/Y",strtotime($_POST['expires'])))) { - // Allow items to lie in the past which ends up disabling. - } else { - //convert from any strtotime compatible date to MM/DD/YYYY - $expdate = strtotime($_POST['expires']); - $_POST['expires'] = date("m/d/Y",$expdate); - } + /* + * Check for a valid expirationdate if one is set at all (valid means, + * strtotime() puts out a time stamp so any strtotime compatible time + * format may be used. to keep it simple for the enduser, we only + * claim to accept MM/DD/YYYY as inputs. Advanced users may use inputs + * like "+1 day", which will be converted to MM/DD/YYYY based on "now". + * Otherwhise such an entry would lead to an invalid expiration data. 
+ */ + if ($_POST['expires']){ + if(strtotime($_POST['expires']) > 0){ + if (strtotime("-1 day") > strtotime(date("m/d/Y",strtotime($_POST['expires'])))) { + // Allow items to lie in the past which ends up disabling. } else { - $input_errors[] = gettext("Invalid expiration date format; use MM/DD/YYYY instead."); + //convert from any strtotime compatible date to MM/DD/YYYY + $expdate = strtotime($_POST['expires']); + $_POST['expires'] = date("m/d/Y",$expdate); } + } else { + $input_errors[] = gettext("Invalid expiration date format; use MM/DD/YYYY instead."); } + } - if (!empty($_POST['name'])) { - $ca = lookup_ca($_POST['caref']); - if (!$ca) - $input_errors[] = gettext("Invalid internal Certificate Authority") . "\n"; - } + if (!empty($_POST['name'])) { + $ca = lookup_ca($_POST['caref']); + if (!$ca) + $input_errors[] = gettext("Invalid internal Certificate Authority") . "\n"; + } - /* if this is an AJAX caller then handle via JSON */ - if (isAjax() && is_array($input_errors)) { - input_errors2Ajax($input_errors); - exit; - } + /* if this is an AJAX caller then handle via JSON */ + if (isAjax() && is_array($input_errors)) { + input_errors2Ajax($input_errors); + exit; + } - if (!$input_errors) { - conf_mount_rw(); - $userent = array(); - if (isset($id) && $a_user[$id]) - $userent = $a_user[$id]; - - isset($_POST['utype']) ? 
$userent['scope'] = $_POST['utype'] : $userent['scope'] = "system"; - - /* the user name was modified */ - if ($_POST['usernamefld'] <> $_POST['oldusername']) - $_SERVER['REMOTE_USER'] = $_POST['usernamefld']; - - /* the user password was mofified */ - if ($_POST['passwordfld1']) - local_user_set_password($userent, $_POST['passwordfld1']); - - $userent['name'] = $_POST['usernamefld']; - $userent['descr'] = $_POST['descr']; - $userent['expires'] = $_POST['expires']; - $userent['authorizedkeys'] = base64_encode($_POST['authorizedkeys']); - $userent['ipsecpsk'] = $_POST['ipsecpsk']; - - if($_POST['disabled']) - $userent['disabled'] = true; - else - unset($userent['disabled']); - - if (isset($id) && $a_user[$id]) - $a_user[$id] = $userent; - else { - if (!empty($_POST['name'])) { - $cert = array(); - $cert['refid'] = uniqid(); - $userent['cert'] = array(); - - $cert['descr'] = $_POST['name']; - - $subject = cert_get_subject_array($ca['crt']); - - $dn = array( - 'countryName' => $subject[0]['v'], - 'stateOrProvinceName' => $subject[1]['v'], - 'localityName' => $subject[2]['v'], - 'organizationName' => $subject[3]['v'], - 'emailAddress' => $subject[4]['v'], - 'commonName' => $userent['name']); - - cert_create($cert, $_POST['caref'], $_POST['keylen'], - (int)$_POST['lifetime'], $dn); - - if (!is_array($config['cert'])) - $config['cert'] = array(); - $config['cert'][] = $cert; - $userent['cert'][] = $cert['refid']; - } - $userent['uid'] = $config['system']['nextuid']++; - /* Add the user to All Users group. 
*/ - foreach ($config['system']['group'] as $gidx => $group) { - if ($group['name'] == "all") { - if (!is_array($config['system']['group'][$gidx]['member'])) - $config['system']['group'][$gidx]['member'] = array(); - $config['system']['group'][$gidx]['member'][] = $userent['uid']; - break; - } - } + if (!$input_errors) { + conf_mount_rw(); + $userent = array(); + if (isset($id) && $a_user[$id]) + $userent = $a_user[$id]; - $a_user[] = $userent; - } + isset($_POST['utype']) ? $userent['scope'] = $_POST['utype'] : $userent['scope'] = "system"; + + /* the user name was modified */ + if ($_POST['usernamefld'] <> $_POST['oldusername']) + $_SERVER['REMOTE_USER'] = $_POST['usernamefld']; - local_user_set_groups($userent,$_POST['groups']); - local_user_set($userent); - write_config(); + /* the user password was mofified */ + if ($_POST['passwordfld1']) + local_user_set_password($userent, $_POST['passwordfld1']); - if(is_dir("/etc/inc/privhooks")) - run_plugins("/etc/inc/privhooks"); + $userent['name'] = $_POST['usernamefld']; + $userent['descr'] = $_POST['descr']; + $userent['expires'] = $_POST['expires']; + $userent['authorizedkeys'] = base64_encode($_POST['authorizedkeys']); + $userent['ipsecpsk'] = $_POST['ipsecpsk']; + + if($_POST['disabled']) + $userent['disabled'] = true; + else + unset($userent['disabled']); + + if (isset($id) && $a_user[$id]) + $a_user[$id] = $userent; + else { + if (!empty($_POST['name'])) { + $cert = array(); + $cert['refid'] = uniqid(); + $userent['cert'] = array(); + + $cert['descr'] = $_POST['name']; + + $subject = cert_get_subject_array($ca['crt']); + + $dn = array( + 'countryName' => $subject[0]['v'], + 'stateOrProvinceName' => $subject[1]['v'], + 'localityName' => $subject[2]['v'], + 'organizationName' => $subject[3]['v'], + 'emailAddress' => $subject[4]['v'], + 'commonName' => $userent['name']); + + cert_create($cert, $_POST['caref'], $_POST['keylen'], + (int)$_POST['lifetime'], $dn); + + if (!is_array($config['cert'])) + $config['cert'] = 
array(); + $config['cert'][] = $cert; + $userent['cert'][] = $cert['refid']; + } + $userent['uid'] = $config['system']['nextuid']++; + /* Add the user to All Users group. */ + foreach ($config['system']['group'] as $gidx => $group) { + if ($group['name'] == "all") { + if (!is_array($config['system']['group'][$gidx]['member'])) + $config['system']['group'][$gidx]['member'] = array(); + $config['system']['group'][$gidx]['member'][] = $userent['uid']; + break; + } + } - conf_mount_ro(); - - pfSenseHeader("system_usermanager.php"); + $a_user[] = $userent; } + + local_user_set_groups($userent,$_POST['groups']); + local_user_set($userent); + write_config(); + + if(is_dir("/etc/inc/privhooks")) + run_plugins("/etc/inc/privhooks"); + + conf_mount_ro(); + + pfSenseHeader("system_usermanager.php"); } +} - include("head.inc"); +include("head.inc"); ?> "> @@ -871,98 +864,4 @@ function sshkeyClicked(obj) {
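Review bot: Converting the independent `if ($_GET['act'] == ...)` blocks into an `else if` chain breaks the `delpriv` and `delcert` branches: both set `$_GET['act'] = "edit"` precisely so that the following edit block would repopulate `$pconfig` from `$a_user[$id]`, but that block is now skipped because an earlier branch already matched, so the form comes back empty after a privilege or certificate is removed. The smallest fix is to keep the edit block as its own statement, `if ($_GET['act'] == "edit") {` in place of `else if ($_GET['act'] == "edit") {`, leaving the `new` branch chained to it. Dropping the `isAllowedPage("system_usermanager")` wrapper means this page now relies entirely on the privilege check performed before these lines (presumably in guiconfig.inc, not visible here) to keep non-admin users out of the user-management code; worth confirming that check covers this page, since the `else` branch that used to serve them has moved to system_usermanager_passwordmg.php. `unset($input_errors)` is also kept here while system_certmanager.php in the same commit switched to `$input_errors = array()`; the two pages should agree.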
:   - -   - ex: -   - US -   - +
- - saving changes - $config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]['password'] = crypt(trim($_POST['passwordfld1'])); - local_user_set($config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]); - write_config(); - $savemsg = gettext("Password successfully changed") . "
"; - } - } - - /* determine if user is not local to system */ - $islocal = false; - foreach($config['system']['user'] as $user) - if($user['name'] == $_SESSION['Username']) - $islocal = true; -?> - -"> - -
-
- - - - - - - - - - - - - - - - -
's
- -
- -   -
- - - -
  - " /> -
- -
-
- - - - + diff --git a/usr/local/www/system_usermanager_passwordmg.php b/usr/local/www/system_usermanager_passwordmg.php new file mode 100644 index 00000000000..b8b3f76c596 --- /dev/null +++ b/usr/local/www/system_usermanager_passwordmg.php @@ -0,0 +1,128 @@ + saving changes + $config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]['password'] = crypt(trim($_POST['passwordfld1'])); + local_user_set($config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]); + + write_config(); + + $savemsg = gettext("Password successfully changed") . "
"; + } +} + +/* determine if user is not local to system */ +$islocal = false; +foreach($config['system']['user'] as $user) + if($user['name'] == $_SESSION['Username']) + $islocal = true; + +?> + +"> + + +
+
+
+ + + + + + + + + + + + + + + +
's
+ +
+ +   +
+ + + +
  + " /> +
+
+
+
+ + + diff --git a/usr/local/www/themes/pfsense_ng/all.css b/usr/local/www/themes/pfsense_ng/all.css index 650d52d5a6f..b89299dde59 100644 --- a/usr/local/www/themes/pfsense_ng/all.css +++ b/usr/local/www/themes/pfsense_ng/all.css @@ -1333,7 +1333,7 @@ div#log span.log-protocol-mini-header { /* Sortable tables */ table.sortable thead { cursor: default; - background-color: #EEEEEE; + padding-right: 12px; padding-left: 12px; padding-top: 12px; diff --git a/usr/local/www/vpn_ipsec.php b/usr/local/www/vpn_ipsec.php index 465c6072cdb..54ed50503e1 100755 --- a/usr/local/www/vpn_ipsec.php +++ b/usr/local/www/vpn_ipsec.php @@ -375,6 +375,9 @@ ')"> " width="17" height="17" border="0"> + + " width="17" height="17" border="0"> +
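Review bot: `crypt(trim($_POST['passwordfld1']))` is called without a salt, so the hash format falls back to the platform default — standard DES on most systems, which uses only the first eight characters of the password and is the weakest scheme crypt() offers — and `trim()` silently alters the password the user typed. The admin path in system_usermanager.php in this same commit stores passwords through `local_user_set_password($userent, $_POST['passwordfld1'])`; this page should call the same helper so both flows hash identically. `$HTTP_SERVER_VARS` is the long-deprecated long-array form (removed in PHP 5.4); use `$_SERVER['AUTH_USER']`, and note the lookup key differs from the `$_SESSION['Username']` used a few lines below for the `$islocal` check. The visible fragment shows no verification of the user's current password before it is replaced; if the full file does not perform one either, requiring it is the usual safeguard for a self-service password change and is worth confirming.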
+ +
+ + + +
diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php index d45b0d69dc3..395b81ee203 100644 --- a/usr/local/www/vpn_ipsec_phase2.php +++ b/usr/local/www/vpn_ipsec_phase2.php 
@@ -140,9 +140,64 @@ break; } } - - /* TODO : Validate enabled phase2's are not duplicates */ - + /* Validate enabled phase2's are not duplicates */ + if (isset($pconfig['mobile'])){ + /* User is adding phase 2 for mobile phase1 */ + foreach($a_phase2 as $key => $name){ + if (isset($name['mobile'])){ + /* check duplicate localids only for mobile clents */ + $localid_data = ipsec_idinfo_to_cidr($name['localid']); + $entered = array(); + $entered['type'] = $pconfig['localid_type']; + if (isset($pconfig['localid_address'])) $entered['address'] = $pconfig['localid_address']; + if (isset($pconfig['localid_netbits'])) $entered['netbits'] = $pconfig['localid_netbits']; + $entered_localid_data = ipsec_idinfo_to_cidr($entered); + if ($localid_data == $entered_localid_data){ + if (!isset($pconfig['p2index'])){ + /* adding new p2 entry */ + $input_errors[] = gettext("Phase2 with this Local Network is already defined for mobile clients."); + break; + }else if ($pconfig['p2index'] != $key){ + /* editing p2 and entered p2 networks match with different p2 for given p1 */ + $input_errors[] = gettext("Phase2 with this Local Network is already defined for mobile clients."); + break; + } + } + } + } + }else{ + /* User is adding phase 2 for site-to-site phase1 */ + $input_error = 0; + foreach($a_phase2 as $key => $name){ + if (!isset($name['mobile']) && $pconfig['ikeid'] == $name['ikeid']){ + /* check duplicate subnets only for given phase1 */ + $localid_data = ipsec_idinfo_to_cidr($name['localid']); + $remoteid_data = ipsec_idinfo_to_cidr($name['remoteid']); + $entered_local = array(); + $entered_local['type'] = $pconfig['localid_type']; + if (isset($pconfig['localid_address'])) $entered_local['address'] = $pconfig['localid_address']; + if (isset($pconfig['localid_netbits'])) $entered_local['netbits'] = $pconfig['localid_netbits']; + $entered_localid_data = ipsec_idinfo_to_cidr($entered_local); + $entered_remote = array(); + $entered_remote['type'] = $pconfig['remoteid_type']; + if 
(isset($pconfig['remoteid_address'])) $entered_remote['address'] = $pconfig['remoteid_address']; + if (isset($pconfig['remoteid_netbits'])) $entered_remote['netbits'] = $pconfig['remoteid_netbits']; + $entered_remoteid_data = ipsec_idinfo_to_cidr($entered_remote); + if ($localid_data == $entered_localid_data && $remoteid_data == $entered_remoteid_data) { + if (!isset($pconfig['p2index'])){ + /* adding new p2 entry */ + $input_errors[] = gettext("Phase2 with this Local/Remote networks combination is already defined for this Phase1."); + break; + }else if ($pconfig['p2index'] != $key){ + /* editing p2 and entered p2 networks match with different p2 for given p1 */ + $input_errors[] = gettext("Phase2 with this Local/Remote networks combination is already defined for this Phase1."); + break; + } + } + } + } + } + $ealgos = pconfig_to_ealgos($pconfig); if (!count($ealgos)) { diff --git a/usr/local/www/vpn_openvpn_client.php b/usr/local/www/vpn_openvpn_client.php index 4b9fc74e367..97b7769ed0a 100644 --- a/usr/local/www/vpn_openvpn_client.php +++ b/usr/local/www/vpn_openvpn_client.php @@ -350,10 +350,6 @@ function autotls_change() { Certificate Manager to make one."; -if (count($a_cert) == 0) - $savemsg .= "
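Review bot: `$input_error = 0;` in the site-to-site branch is never read — it looks like a leftover (or a typo for `$input_errors`) and should be removed. The `$entered`, `$entered_local` and `$entered_remote` arrays are rebuilt from `$pconfig` on every iteration although they do not depend on the loop variable; building them once before each `foreach`, through a small helper defined next to the page's other helpers as sketched below, shortens both loops and keeps the two branches from drifting apart. `$pconfig['p2index'] != $key` is a loose comparison between a posted string and an integer array key; `(int)$pconfig['p2index'] !== $key` states the intent. The enclosing validation block starts before this hunk.
```php
/* Build an idinfo array from the posted <prefix>_type/_address/_netbits fields. */
function pconfig_to_idinfo($pconfig, $prefix) {
	$idinfo = array('type' => $pconfig["{$prefix}_type"]);
	if (isset($pconfig["{$prefix}_address"]))
		$idinfo['address'] = $pconfig["{$prefix}_address"];
	if (isset($pconfig["{$prefix}_netbits"]))
		$idinfo['netbits'] = $pconfig["{$prefix}_netbits"];
	return $idinfo;
}

/* … unchanged: earlier validation … */
$entered_localid_data = ipsec_idinfo_to_cidr(pconfig_to_idinfo($pconfig, 'localid'));
if (isset($pconfig['mobile'])) {
	foreach ($a_phase2 as $key => $name) {
		/* … unchanged: mobile filter, compare ipsec_idinfo_to_cidr($name['localid']) with $entered_localid_data, p2index check … */
	}
} else {
	$entered_remoteid_data = ipsec_idinfo_to_cidr(pconfig_to_idinfo($pconfig, 'remoteid'));
	foreach ($a_phase2 as $key => $name) {
		/* … unchanged: ikeid filter, local/remote comparison, p2index check … */
	}
}
```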
You have no Certificates defined. You must visit the Certificate Manager to make one."; if ($input_errors) print_input_errors($input_errors); @@ -632,6 +628,7 @@ function autotls_change() {
+ + + No Certificate Authorities defined.
Create one under System > Cert Manager. +
+ + + No Certificates defined.
Create one under System > Cert Manager. +
+ + + No Certificate Authorities defined.
Create one under System > Cert Manager. +
+ + + No Certificate Revocation Lists (CRLs) defined.
Create one under System > Cert Manager. +
+ + + No Certificates defined.
Create one under System > Cert Manager. +