diff options
| author | Erik Fonnesbeck <efonnes@gmail.com> | 2010-02-17 12:28:02 -0700 |
|---|---|---|
| committer | Erik Fonnesbeck <efonnes@gmail.com> | 2010-02-17 12:28:02 -0700 |
| commit | 38a37c33947a2165f8d63a2ef1b805fe42b58cff (patch) | |
| tree | 14fe21a8dac149aeea69e267fda1b0bd635b7411 | |
| parent | 79637b03ffd5fff43c5a15435c752f811b40cd29 (diff) | |
| parent | bd96e1fef91e4545402fa5863bb6b3f898e52139 (diff) | |
| download | pfsense-38a37c33947a2165f8d63a2ef1b805fe42b58cff.zip pfsense-38a37c33947a2165f8d63a2ef1b805fe42b58cff.tar.gz | |
Merge commit 'mainline/master' into alt_method
26 files changed, 463 insertions, 245 deletions
@@ -1,18 +1,13 @@ 0.0.0.0/8 -1.0.0.0/8 -2.0.0.0/8 5.0.0.0/8 14.0.0.0/8 23.0.0.0/8 -27.0.0.0/8 31.0.0.0/8 36.0.0.0/8 37.0.0.0/8 39.0.0.0/8 42.0.0.0/8 -46.0.0.0/8 49.0.0.0/8 -50.0.0.0/8 100.0.0.0/8 101.0.0.0/8 102.0.0.0/8 @@ -20,7 +15,6 @@ 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 -107.0.0.0/8 127.0.0.0/8 169.254.0.0/16 176.0.0.0/8 diff --git a/etc/inc/config.lib.inc b/etc/inc/config.lib.inc index 2c2c126..240a3a3 100644 --- a/etc/inc/config.lib.inc +++ b/etc/inc/config.lib.inc @@ -68,9 +68,10 @@ function encrypted_configxml() { if(!strstr($data, "<pfsense>")) $data = ""; if($data) { - $fd = fopen($g['conf_path'] . "/config.xml", "w"); + $fd = fopen($g['conf_path'] . "/config.xml.tmp", "w"); fwrite($fd, $data); fclose($fd); + exec("/bin/mv {$g['conf_path']}/config.xml.tmp {$g['conf_path']}/config.xml"); echo "\nConfig.xml unlocked.\n"; fclose($fp); } else { @@ -457,22 +458,12 @@ function write_config($desc="Unknown", $backup = true) { conf_mount_rw(); /* write new configuration */ - $fd = fopen("{$g['conf_path']}/config.xml", "w"); - if (!$fd) { - // Unable to open temporary file for writing + if (!safe_write_file("{$g['cf_conf_path']}/config.xml", $xmlconfig, false)) { log_error("WARNING: Config contents could not be save. Could not open file!"); unlock($lockkey); - return false; - } - if (!fwrite($fd, $xmlconfig)) { - // Unable to write to temporary file - log_error("WARNING: Config contents could not be written on file."); - fclose($fd); - unlock($lockkey); - return false; - } - fclose($fd); - + die("Unable to open {$g['cf_conf_path']}/config.xml for writing in write_config()\n"); + } + if($g['platform'] == "embedded" or $g['platform'] == "nanobsd") { cleanup_backupcache(5, true); } else { @@ -496,8 +487,9 @@ function write_config($desc="Unknown", $backup = true) { unlock($lockkey); unlink_if_exists("/usr/local/pkg/pf/carp_sync_client.php"); + /* sync carp entries to other firewalls */ - carp_sync_client(); + carp_sync_client(); if(is_dir("/usr/local/pkg/write_config")) { /* process packager manager custom rules */ diff --git a/etc/inc/easyrule.inc b/etc/inc/easyrule.inc index 1747654..f07b67c 100644 --- a/etc/inc/easyrule.inc +++ b/etc/inc/easyrule.inc @@ -28,7 +28,7 @@ POSSIBILITY OF SUCH DAMAGE. */ /* - pfSense_BUILDER_BINARIES: + pfSense_BUILDER_BINARIES: pfSense_MODULE: filter */ @@ -38,21 +38,21 @@ function easyrule_find_rule_interface($int) { global $config; /* Borrowed from firewall_rules.php */ $iflist = get_configured_interface_with_descr(false, true); - + if ($config['pptpd']['mode'] == "server") $iflist['pptp'] = "PPTP VPN"; - + if ($config['pppoe']['mode'] == "server") $iflist['pppoe'] = "PPPoE VPN"; - + if ($config['l2tp']['mode'] == "server") $iflist['l2tp'] = "L2TP VPN"; /* add ipsec interfaces */ - if (isset($config['ipsec']['enable']) || isset($config['ipsec']['mobileclients']['enable'])){ + if (isset($config['ipsec']['enable']) || isset($config['ipsec']['mobileclients']['enable'])){ $iflist["enc0"] = "IPSEC"; } - + if (isset($iflist[$int])) return $int; @@ -60,7 +60,10 @@ function easyrule_find_rule_interface($int) { if (strtolower($int) == strtolower($ifd)) return $if; } - + + if (substr($int, 0, 4) == "ovpn") + return "openvpn"; + return false; } @@ -100,7 +103,7 @@ function easyrule_block_rule_create($int = 'wan') { /* Make up a new rule */ $filterent = array(); $filterent['type'] = 'block'; - $filterent['interface'] = $int; + $filterent['interface'] = $int; $filterent['source']['address'] = $blockaliasname . strtoupper($int); $filterent['destination']['any'] = ''; $filterent['descr'] = "Easy Rule: Blocked from Firewall Log View"; diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 7b8d11d..6bf0674 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -529,6 +529,7 @@ function filter_get_vpns_list() { if(is_array($config['ipsec']['phase2'])) { foreach ($config['ipsec']['phase2'] as $ph2ent) { if((!$ph2ent['mobile']) && ($ph2ent['mode'] != 'transport')) { + require_once("ipsec.inc"); $vpns_arr[] = ipsec_idinfo_to_cidr($ph2ent['remoteid']); } } @@ -681,34 +682,6 @@ function filter_generate_optcfg_array() { $FilterIflist[$ifgen['ifname']] = $oc; } } - /* this just duplicates the PPP interface, as it's handled above - if($config['ppps']) { - $ppp=0; - foreach($config['ppps']['ppp'] as $ifgen) { - // get the device name for this PPP connection minus /dev/ (e.g. cuaU0) - $dev = substr($ifgen['port'], 5); - // $ps is the PID of the ppp process matching this device - $ps = trim(`ps awux | grep -v grep | grep "$dev" | awk '{ print \$2 }'`); - if($ps) { - // $interface is the device in use by the PID of the ppp process found above (e.g. tun0) - $interface = trim(`ifconfig | grep -B2 "$ps" | head -n1 | cut -d: -f1`); - if($interface) { - foreach ($config['interfaces'] as $ifdescr => $ifname) { - if($ifname['serialport'] == $dev) { - $oc = array(); - $oc['if'] = $interface; - $oc['descr'] = $ifname['descr']; - $oc['virtual'] = true; - unset($FilterIflist[$ifname['descr']]); - $FilterIflist[$ifname['descr']] = $oc; - $ppp++; - } - } - } - } - } - } - */ } function filter_flush_nat_table() { @@ -740,103 +713,111 @@ function filter_generate_reflection($rule, $extport, &$starting_localhost_port, update_filter_reload_status("Setting up NAT Reflection"); $natrules .= "\n# Reflection redirects\n"; + $rdr_if_list = ""; foreach ($FilterIflist as $ifent => $ifname) { /* do not process interfaces with gateways*/ if(interface_has_gateway($ifent)) continue; - update_filter_reload_status("Creating reflection rule for {$rule['descr']}..."); + $rdr_if_list .= " " . $ifname['if']; + } + if (!empty($rdr_if_list)) + $rdr_if_list = "{ {$rdr_if_list} }"; - if($extport[1]) - $range_end = ($extport[1]); - else - $range_end = ($extport[0]); - $range_end++; - /* TODO: support multiple ip's in an alias. */ - if (is_alias($rule['external-address'])) - $extaddr = filter_expand_alias($rule['external-address']); - else if(is_ipaddr($rule['external-address'])) - $extaddr = $rule['external-address']; - else if (is_ipaddr($FilterIflist[$rule['interface']]['ip'])) - $extaddr = $FilterIflist[$rule['interface']]['ip']; - - if (is_alias($rule['target'])) - $target = filter_expand_alias($rule['target']); - else if(is_ipaddr($rule['target'])) - $target = $rule['target']; - else if (is_ipaddr($FilterIflist[$rule['target']]['ip'])) - $target = $FilterIflist[$rule['target']]['ip']; - - if($rule['local-port']) - $lrange_start = $rule['local-port']; - if($range_end - $extport[0] > 500) { - $range_end = $extport[0]+1; - log_error("Not installing nat reflection rules for a port range > 500"); - /* only install reflection rules for < 19991 items */ - } else if($starting_localhost_port < 19991) { - $loc_pt = $lrange_start; - $rflctnorange = true; - if(is_alias($loc_pt)) { - $loc_pt_translated = filter_expand_alias($loc_pt); - if(!$loc_pt_translated) { - log_error("Reflection processing: {$loc_pt} is not a vaild port alias."); - continue; - } - $toadd_array = split(" ", $loc_pt_translated); - $rflctnorange = false; - } - - $inetdport = $starting_localhost_port; - if(($range_end - 1) > $extport[0]) { - $rflctrange = "{$starting_localhost_port}"; - $delta = $range_end - $extport[0] - 1; - if(($starting_localhost_port + $delta) > 19990) { - log_error("Installing partial nat reflection rules. Maximum 1,000 reached."); - $delta = 19990 - $starting_localhost_port; - } - $starting_localhost_port = $starting_localhost_port + $delta; - $rflctrange .= ":{$starting_localhost_port}"; - $rflctintrange = "{$extport[0]}:{$range_end}"; - if($rflctnorange) - $toadd_array = range($loc_pt, $loc_pt + $delta); - } else { - $rflctrange = $starting_localhost_port; - $rflctintrange = $extport[0]; - if($rflctnorange) - $toadd_array = array($loc_pt); - $starting_localhost_port++; + update_filter_reload_status("Creating reflection rule for {$rule['descr']}..."); + + if($extport[1]) + $range_end = ($extport[1]); + else + $range_end = ($extport[0]); + $range_end++; + /* TODO: support multiple ip's in an alias. */ + if (is_alias($rule['external-address'])) + $extaddr = filter_expand_alias($rule['external-address']); + else if(is_ipaddr($rule['external-address'])) + $extaddr = $rule['external-address']; + else if (is_ipaddr($FilterIflist[$rule['interface']]['ip'])) + $extaddr = $FilterIflist[$rule['interface']]['ip']; + else + return "\n"; + + if (is_alias($rule['target'])) + $target = filter_expand_alias($rule['target']); + else if(is_ipaddr($rule['target'])) + $target = $rule['target']; + else if (is_ipaddr($FilterIflist[$rule['target']]['ip'])) + $target = $FilterIflist[$rule['target']]['ip']; + else + return "\n"; + + if($rule['local-port']) + $lrange_start = $rule['local-port']; + if($range_end - $extport[0] > 500) { + $range_end = $extport[0]+1; + log_error("Not installing nat reflection rules for a port range > 500"); + /* only install reflection rules for < 19991 items */ + } else if($starting_localhost_port < 19991) { + $loc_pt = $lrange_start; + $rflctnorange = true; + if(is_alias($loc_pt)) { + $loc_pt_translated = filter_expand_alias($loc_pt); + if(!$loc_pt_translated) { + log_error("Reflection processing: {$loc_pt} is not a vaild port alias."); + continue; } - - switch($rule['protocol']) { - case "tcp/udp": - $protocol = "{ tcp udp }"; - foreach($toadd_array as $tda) { - $reflection_txt[] = "{$inetdport}\tstream\ttcp\tnowait/0\tnobody\t/usr/bin/nc\tnc -w {$reflectiontimeout} {$target} {$tda}\n"; - $reflection_txt[] = "{$inetdport}\tdgram\tudp\tnowait/0\tnobody\t/usr/bin/nc\tnc -u -w {$reflectiontimeout} {$target} {$tda}\n"; - $inetdport++; - } - $natrules .= "rdr on { {$ifname['if']} } proto {$protocol} from any to {$extaddr} port {$rflctintrange} tag PFREFLECT -> 127.0.0.1 port {$rflctrange}\n"; - break; - case "tcp": - case "udp": - $protocol = $rule['protocol']; - if($protocol == "udp") { - $socktype = "dgram"; - $dash_u = "-u "; - } else { - $socktype = "stream"; - $dash_u = ""; - } - foreach($toadd_array as $tda){ - $reflection_txt[] = "{$inetdport}\t{$socktype}\t{$protocol}\tnowait/0\tnobody\t/usr/bin/nc\tnc {$dash_u}-w {$reflectiontimeout} {$target} {$tda}\n"; + $toadd_array = split(" ", $loc_pt_translated); + $rflctnorange = false; + } + + $inetdport = $starting_localhost_port; + if(($range_end - 1) > $extport[0]) { + $rflctrange = "{$starting_localhost_port}"; + $delta = $range_end - $extport[0] - 1; + if(($starting_localhost_port + $delta) > 19990) { + log_error("Installing partial nat reflection rules. Maximum 1,000 reached."); + $delta = 19990 - $starting_localhost_port; + } + $starting_localhost_port = $starting_localhost_port + $delta; + $rflctrange .= ":{$starting_localhost_port}"; + $rflctintrange = "{$extport[0]}:{$range_end}"; + if($rflctnorange) + $toadd_array = range($loc_pt, $loc_pt + $delta); + } else { + $rflctrange = $starting_localhost_port; + $rflctintrange = $extport[0]; + if($rflctnorange) + $toadd_array = array($loc_pt); + $starting_localhost_port++; + } + + switch($rule['protocol']) { + case "tcp/udp": + $protocol = "{ tcp udp }"; + foreach($toadd_array as $tda) { + $reflection_txt[] = "{$inetdport}\tstream\ttcp\tnowait/0\tnobody\t/usr/bin/nc\tnc -w {$reflectiontimeout} {$target} {$tda}\n"; + $reflection_txt[] = "{$inetdport}\tdgram\tudp\tnowait/0\tnobody\t/usr/bin/nc\tnc -u -w {$reflectiontimeout} {$target} {$tda}\n"; $inetdport++; } - $natrules .= "rdr on { {$ifname['if']} } proto {$protocol} from any to {$extaddr} port {$rflctintrange} tag PFREFLECT -> 127.0.0.1 port {$rflctrange}\n"; - break; + $natrules .= "rdr on {$rdr_if_list} proto {$protocol} from any to {$extaddr} port {$rflctintrange} tag PFREFLECT -> 127.0.0.1 port {$rflctrange}\n"; + break; + case "tcp": + case "udp": + $protocol = $rule['protocol']; + if($protocol == "udp") { + $socktype = "dgram"; + $dash_u = "-u "; + } else { + $socktype = "stream"; + $dash_u = ""; } + foreach($toadd_array as $tda){ + $reflection_txt[] = "{$inetdport}\t{$socktype}\t{$protocol}\tnowait/0\tnobody\t/usr/bin/nc\tnc {$dash_u}-w {$reflectiontimeout} {$target} {$tda}\n"; + $inetdport++; + } + $natrules .= "rdr on {$rdr_if_list} proto {$protocol} from any to {$extaddr} port {$rflctintrange} tag PFREFLECT -> 127.0.0.1 port {$rflctrange}\n"; + break; } } - $reflection_txt = array_unique($reflection_txt); } @@ -1165,25 +1146,21 @@ function filter_nat_rules_generate() { $natrules .= "{$nordr} rdr {$rdrpass} on $natif proto {$rule['protocol']} from any to {$extaddr} -> {$target}"; } } - } - /* does this rule redirect back to a internal host? - * if so, add some extra goo to help this work. - */ - $rule_interface_ip = find_interface_ip($natif); - $rule_interface_subnet = find_interface_subnet($natif); - $rule_subnet = gen_subnet($rule_interface_ip, $rule_interface_subnet); - if($config['interfaces']['lan']) { - if($rule['external-address'] == "any" and $rule['interface'] == "lan") { + /* Does this rule redirect back to a internal host? */ + if($extaddr == "any" && !interface_has_gateway($rule['interface'])) { + $rule_interface_ip = find_interface_ip($natif); + $rule_interface_subnet = find_interface_subnet($natif); + $rule_subnet = gen_subnet($rule_interface_ip, $rule_interface_subnet); $natrules .= "\n"; $natrules .= "no nat on {$natif} proto tcp from ({$natif}) to {$rule_subnet}/{$rule_interface_subnet}\n"; $natrules .= "nat on {$natif} proto tcp from {$rule_subnet}/{$rule_interface_subnet} to {$target} port {$extport[0]} -> ({$natif})\n"; } + $natrules .= filter_generate_reflection($rule, $extport, $starting_localhost_port, $reflection_rules); + $natrules .= "\n"; + + foreach ($reflection_rules as $txtline) + fwrite($inetd_fd, $txtline); } - $natrules .= filter_generate_reflection($rule, $extport, $starting_localhost_port, $reflection_rules); - $natrules .= "\n"; - - foreach ($reflection_rules as $txtline) - fwrite($inetd_fd, $txtline); } } fclose($inetd_fd); // Close file handle @@ -2457,4 +2434,4 @@ function discover_pkg_rules($ruletype) { } } -?> +?>
\ No newline at end of file diff --git a/etc/inc/filter_log.inc b/etc/inc/filter_log.inc index fc40539..3005d8c 100644 --- a/etc/inc/filter_log.inc +++ b/etc/inc/filter_log.inc @@ -88,6 +88,8 @@ function match_filter_line($flent, $filtertext = "") { function collapse_filter_lines($logarr) { $lastline = ""; $collapsed = array(); + /* Stick a blank entry at the end to be sure we always fully parse the last entry */ + $logarr[] = ""; foreach ($logarr as $logent) { $line_split = ""; preg_match("/.*\spf:\s(.*)/", $logent, $line_split); diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc index 6fb0344..127ba4c 100644 --- a/etc/inc/globals.inc +++ b/etc/inc/globals.inc @@ -102,7 +102,7 @@ $g = array( "xmlrpcpath" => "/pfSense/xmlrpc.php", "embeddedbootupslice" => "/dev/ad0a", "services_dhcp_server_enable" => true, - "wireless_regex" => "/^(ndis|wi|ath|an|ral|ural|wai|iwi|awi|wlan|rum|zyd)/", + "wireless_regex" => "/^(ndis|wi|ath|an|ral|ural|iwi|wlan|rum|zyd|mwl|bwi|ipw|iwn|malo|uath|upgt|urtw|wpi)/", "help_base_url" => "/help.php" ); diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc index 276944d..c5a324e 100644 --- a/etc/inc/interfaces.inc +++ b/etc/inc/interfaces.inc @@ -1616,11 +1616,27 @@ wpa_group_rekey={$wlcfg['wpa']['wpa_group_rekey']} wpa_gmk_rekey={$wlcfg['wpa']['wpa_gmk_rekey']} wpa_strict_rekey={$wlcfg['wpa']['wpa_strict_rekey']} wpa_passphrase={$wlcfg['wpa']['passphrase']} -ieee8021x={$wlcfg['wpa']['ieee8021x']} #Enable the next lines for preauth when roaming. Interface = wired or wireless interface talking to the AP you want to roam from/to #rsn_preauth=1 #rsn_preauth_interfaces=eth0 + +EOD; + + if($wlcfg['auth_server_addr'] && $wlcfg['auth_server_shared_secret']) { + $auth_server_port = "1812"; + if($wlcfg['auth_server_port']) + $auth_server_port = $wlcfg['auth_server_port']; + $wpa .= <<<EOD + +ieee8021x=1 +auth_server_addr={$wlcfg['auth_server_addr']} +auth_server_port={$auth_server_port} +auth_server_shared_secret={$wlcfg['auth_server_shared_secret']} + EOD; + } else { + $wpa .= "ieee8021x={$wlcfg['wpa']['ieee8021x']}\n"; + } $fd = fopen("{$g['varetc_path']}/hostapd_{$if}.conf", "w"); fwrite($fd, "{$wpa}"); @@ -2691,8 +2707,8 @@ function find_interface_ip($interface, $flush = false) /* Setup IP cache */ if (!isset($interface_ip_arr_cache[$interface]) or $flush) { - $interface_ip_arr_cache[$interface] = `/sbin/ifconfig {$interface} | /usr/bin/grep -w "inet" | /usr/bin/cut -d" " -f 2| /usr/bin/head -1`; - $interface_ip_arr_cache[$interface] = str_replace("\n", "", $interface_ip_arr_cache[$interface]); + $ifinfo = pfSense_get_interface_addresses($interface); + $interface_ip_arr_cache[$interface] = $ifinfo['ipaddr']; } return $interface_ip_arr_cache[$interface]; @@ -2707,11 +2723,8 @@ function find_interface_subnet($interface, $flush = false) return; if (!isset($interface_sn_arr_cache[$interface]) or $flush) { - if (preg_match("/^tun|^ppp|^pptp|^pppoe|^ovpn|^gif|^gre/i", $interface)) - $interface_sn_arr_cache[$interface] = `/sbin/ifconfig {$interface} | /usr/bin/grep -w "inet" | /usr/bin/cut -d" " -f 6 | /usr/bin/head -1`; - else - $interface_sn_arr_cache[$interface] = `/sbin/ifconfig {$interface} | /usr/bin/grep -w "inet" | /usr/bin/cut -d" " -f 4 | /usr/bin/head -1`; - $interface_sn_arr_cache[$interface] = strlen(str_replace("0", "", base_convert(str_replace("\n", "", $interface_sn_arr_cache[$interface]),16, 2))); + $ifinfo = pfSense_get_interface_addresses($interface); + $interface_sn_arr_cache[$interface] = $ifinfo['subnetbits']; } return $interface_sn_arr_cache[$interface]; @@ -2914,18 +2927,14 @@ function get_wireless_modes($interface) { * $tmp - Returns the mtu of an interface ******/ function get_interface_mtu($interface) { - $mtu = `/sbin/ifconfig {$interface} | /usr/bin/grep mtu | /usr/bin/cut -d" " -f6`; - return $mtu; + $mtu = pfSense_get_interface_addresses($interface); + return $mtu['mtu']; } function get_interface_mac($interface) { - $mac = array(); - exec("/sbin/ifconfig {$interface} | /usr/bin/awk '/ether/ {print $2}'", $mac); - if(is_macaddr($mac[0])) { - return trim($mac[0]); - } else { - return ""; - } + + $macinfo = pfSense_get_interface_addresses($interface); + return $macinfo["macaddr"]; } function get_interface_bssid($interface) { diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc index b41b551..a67d1bb 100644 --- a/etc/inc/openvpn.inc +++ b/etc/inc/openvpn.inc @@ -423,8 +423,11 @@ function openvpn_reconfigure($mode,& $settings) { } // The port we'll listen at - if ($settings['local_port']) + // If local_port is used, bing the management port + if ($settings['local_port']) { $conf .= "lport {$settings['local_port']}\n"; + $conf .= "management 127.0.0.1 {$settings['local_port']}\n"; + } else $conf .= "nobind\n"; diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index 989396b..521d07e 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc @@ -1713,4 +1713,43 @@ function update_alias_names_upon_change($section, $subsection, $fielda, $fieldb, } -?> +/****f* pfsense-utils/safe_write_file + * NAME + * safe_write_file - Write a file out atomically + * DESCRIPTION + * safe_write_file() Writes a file out atomically by first writing to a + * temporary file of the same name but ending with the pid of the current + * process, them renaming the temporary file over the original. + * INPUTS + * $filename - string containing the filename of the file to write + * $content - string containing the file content to write to file + * $force_binary - boolean denoting whether we should force binary + * mode writing. + * RESULT + * boolean - true if successful, false if not + ******/ +function safe_write_file($file, $content, $force_binary) { + $tmp_file = $file . "." . getmypid(); + $write_mode = $force_binary ? "wb" : "w"; + + $fd = fopen($tmp_file, $write_mode); + if (!$fd) { + // Unable to open temporary file for writing + return false; + } + if (!fwrite($fd, $content)) { + // Unable to write to temporary file + fclose($fd); + return false; + } + fclose($fd); + + if (!rename($tmp_file, $file)) { + // Unable to move temporary file to original + unlink($tmp_file); + return false; + } + return true; +} + +?>
\ No newline at end of file diff --git a/etc/inc/voucher.inc b/etc/inc/voucher.inc index b348fc1..1cd4679 100644 --- a/etc/inc/voucher.inc +++ b/etc/inc/voucher.inc @@ -390,12 +390,14 @@ function voucher_save_db_to_config() { $rollent['used'] = base64_encode($bitmask); $active_vouchers = voucher_read_active_db($roll); $db = array(); + $dbi = 1; foreach($active_vouchers as $voucher => $line) { list($timestamp,$minutes) = explode(",", $line); $activent['voucher'] = $voucher; $activent['timestamp'] = $timestamp; $activent['minutes'] = $minutes; - $db[] = $activent; + $db["v{$dbi}"] = $activent; + $dbi++; } $rollent['active'] = $db; } diff --git a/etc/phpshellsessions/gitsync b/etc/phpshellsessions/gitsync index ef92455..bd662ca 100644 --- a/etc/phpshellsessions/gitsync +++ b/etc/phpshellsessions/gitsync @@ -4,6 +4,7 @@ * Part of the pfSense project pfSsh.php subsystem */ +require_once("globals.inc"); require_once("filter.inc"); require_once("shaper.inc"); require_once("rrd.inc"); @@ -64,7 +65,7 @@ if($command_split[2]) { } if($argv[4] == "NOBACKUP") - $nobackup=true; + $nobackup = true; else $nobackup = false; diff --git a/etc/rc.create_full_backup b/etc/rc.create_full_backup new file mode 100644 index 0000000..143e652 --- /dev/null +++ b/etc/rc.create_full_backup @@ -0,0 +1,16 @@ +#!/bin/sh + +FILENAME="pfSense-full-backup-`date "+%Y%m%d-%H%M"`.tgz" +echo ">>> Creating full backup to /root/$FILENAME" +tar czPf /root/$FILENAME \ + --exclude dev/* \ + --exclude tmp/* \ + --exclude var/db \ + --exclude var/run/* \ + --exclude root/* \ + --exclude var/empty/* \ + --exclude var/empty \ + / +echo ">>> Backup completed. Note: this backup includes config.xml!" +echo ">>> To restore this backup run this command:" +echo " tar xzPUf /root/$FILENAME -C /" diff --git a/etc/rc.php_ini_setup b/etc/rc.php_ini_setup index 6c48881..696219b 100755 --- a/etc/rc.php_ini_setup +++ b/etc/rc.php_ini_setup @@ -86,6 +86,7 @@ PHPMODULES="apc \ standard \ # Extra sanity seatbelts suhosin \ + pfSense \ # Firewall rules edit ctype \ # Config read/write diff --git a/etc/rc.savevoucher b/etc/rc.savevoucher index 29b18d6..29b18d6 100644..100755 --- a/etc/rc.savevoucher +++ b/etc/rc.savevoucher diff --git a/usr/local/bin/filterparser.php b/usr/local/bin/filterparser.php index d432419..3460e3e 100755 --- a/usr/local/bin/filterparser.php +++ b/usr/local/bin/filterparser.php @@ -73,7 +73,9 @@ while(!feof($log)) { dstip - Destination IP dstport - Destination Port */ - if ($flent != "") + if ($flent != "") { echo "{$flent['time']} {$flent['act']} {$flent['realint']} {$flent['proto']} {$flent['src']} {$flent['dst']}\n"; + $flent = ""; + } } fclose($log); ?>
\ No newline at end of file diff --git a/usr/local/www/index.php b/usr/local/www/index.php index 77cfaaa..3e2cf8d 100755 --- a/usr/local/www/index.php +++ b/usr/local/www/index.php @@ -553,7 +553,7 @@ echo $jscriptstr; $inputdisplay = "hide"; $showWidget = "inline"; $mindiv = "none"; - berak; + break; case "close": $divdisplay = "none"; $display = "block"; diff --git a/usr/local/www/interfaces.php b/usr/local/www/interfaces.php index 1ff6dcc..a2a07ed 100755 --- a/usr/local/www/interfaces.php +++ b/usr/local/www/interfaces.php @@ -228,6 +228,9 @@ if (isset($wancfg['wireless'])) { $pconfig['apbridge_enable'] = isset($wancfg['wireless']['apbridge']['enable']); $pconfig['authmode'] = $wancfg['wireless']['authmode']; $pconfig['hidessid_enable'] = isset($wancfg['wireless']['hidessid']['enable']); + $pconfig['auth_server_addr'] = $wancfg['wireless']['auth_server_addr']; + $pconfig['auth_server_port'] = $wancfg['wireless']['auth_server_port']; + $pconfig['auth_server_shared_secret'] = $wancfg['wireless']['auth_server_shared_secret']; if (is_array($wancfg['wireless']['wpa'])) { $pconfig['debug_mode'] = $wancfg['wireless']['wpa']['debug_mode']; $pconfig['macaddr_acl'] = $wancfg['wireless']['wpa']['macaddr_acl']; @@ -703,6 +706,9 @@ function handle_wireless_post() { $wancfg['wireless']['wpa']['wpa_gmk_rekey'] = $_POST['wpa_gmk_rekey']; $wancfg['wireless']['wpa']['passphrase'] = $_POST['passphrase']; $wancfg['wireless']['wpa']['ext_wpa_sw'] = $_POST['ext_wpa_sw']; + $wancfg['wireless']['auth_server_addr'] = $_POST['auth_server_addr']; + $wancfg['wireless']['auth_server_port'] = $_POST['auth_server_port']; + $wancfg['wireless']['auth_server_shared_secret'] = $_POST['auth_server_shared_secret']; if ($_POST['hidessid_enable'] == "yes") $wancfg['wireless']['hidessid']['enable'] = true; else if (isset($wancfg['wireless']['hidessid']['enable'])) @@ -1490,12 +1496,33 @@ $types = array("none" => "None", "static" => "Static", "dhcp" => "DHCP", "pppoe" </td> </tr> <tr> - <td valign="top" class="vncell">Enable IEEE802.1X</td> + <td valign="top" class="vncell">Enable IEEE802.1X Authentication</td> <td class="vtable"> <input name="ieee8021x" type="checkbox" value="yes" class="formfld" id="ieee8021x" <? if ($pconfig['ieee8021x']) echo "checked";?>> <br/>Setting this option will enable 802.1x authentication. </td> </tr> + <tr> + <td valign="top" class="vncell">802.1X Authentication Server IP Address</td> + <td class="vtable"> + <input name="auth_server_addr" id="auth_server_addr" type="text" class="formfld unknown" size="66" value="<?=htmlspecialchars($pconfig['auth_server_addr']);?>"> + <br/>Enter the IP address of the 802.1X Authentication Server. This is commonly a Radius server (FreeRadius, Internet Authentication Services, etc.) + </td> + </tr> + <tr> + <td valign="top" class="vncell">802.1X Authentication Server Port</td> + <td class="vtable"> + <input name="auth_server_port" id="auth_server_port" type="text" class="formfld unknown" size="66" value="<?=htmlspecialchars($pconfig['auth_server_port']);?>"> + <br/>Leave blank for the default 1812 port. + </td> + </tr> + <tr> + <td valign="top" class="vncell">802.1X Authentication Server Shared Secret</td> + <td class="vtable"> + <input name="auth_server_shared_secret" id="auth_server_shared_secret" type="text" class="formfld unknown" size="66" value="<?=htmlspecialchars($pconfig['auth_server_shared_secret']);?>"> + <br/> + </td> + </tr> <? endif; ?> <tr> <td colspan="2" valign="top" height="16"></td> diff --git a/usr/local/www/services_dyndns_edit.php b/usr/local/www/services_dyndns_edit.php index e5e73b1..c79734a 100644 --- a/usr/local/www/services_dyndns_edit.php +++ b/usr/local/www/services_dyndns_edit.php @@ -175,7 +175,7 @@ include("head.inc"); </td> </tr> <tr> - <td width="22%" valign="top" class="vncellreq">Hostname/Interface</td> + <td width="22%" valign="top" class="vncellreq">Hostname</td> <td width="78%" class="vtable"> <input name="host" type="text" class="formfld unknown" id="host" size="30" value="<?=htmlspecialchars($pconfig['host']);?>"> <br> diff --git a/usr/local/www/status_openvpn.php b/usr/local/www/status_openvpn.php index fdd03c0..1132fd8 100644 --- a/usr/local/www/status_openvpn.php +++ b/usr/local/www/status_openvpn.php @@ -148,8 +148,8 @@ if (is_array($config['openvpn']['openvpn-server'])) { } else { $conn = array(); $conn['common_name'] = "[error]"; - $conn['remote_host'] = "No Management Daemon"; - $conn['virtual_addr'] = "See Note Below"; + $conn['remote_host'] = "Management Daemon Unreachable"; + $conn['virtual_addr'] = ""; $conn['bytes_recv'] = 0; $conn['bytes_sent'] = 0; $conn['connect_time'] = 0; @@ -159,6 +159,91 @@ if (is_array($config['openvpn']['openvpn-server'])) { $servers[] = $server; } } + + +if (is_array($config['openvpn']['openvpn-client'])) { + foreach ($config['openvpn']['openvpn-client'] as & $settings) { + + $prot = $settings['protocol']; + $port = $settings['local_port']; + + $client = array(); + $client['port'] = $settings['local_port']; + if ($settings['description']) + $client['name'] = "{$settings['description']} {$prot}:{$port}"; + else + $client['name'] = "Client {$prot}:{$port}"; + + $tcpcli = "tcp://127.0.0.1:{$port}"; + $errval; + $errstr; + + $client['status']="down"; + + /* open a tcp connection to the management port of each cli */ + $fp = @stream_socket_client($tcpcli, $errval, $errstr, 1); + if ($fp) { + + /* send our status request */ + fputs($fp, "state 1\n"); + + /* recv all response lines */ + while (!feof($fp)) { + /* read the next line */ + $line = fgets($fp, 1024); + + /* Get the client state */ + if (strstr($line,"CONNECTED")) { + $client['status']="up"; + $list = explode(",", $line); + + $client['connect_time'] = date("D M j G:i:s Y", $list[0]); + $client['virtual_addr'] = $list[3]; + $client['remote_host'] = $list[4]; + } + /* parse end of output line */ + if (strstr($line, "END")) + break; + } + + /* If up, get read/write stats */ + if (strcmp($client['status'], "up") == 0) { + fputs($fp, "status 2\n"); + /* recv all response lines */ + while (!feof($fp)) { + /* read the next line */ + $line = fgets($fp, 1024); + + if (strstr($line,"TCP/UDP read bytes")) { + $list = explode(",", $line); + $client['bytes_recv'] = $list[1]; + } + + if (strstr($line,"TCP/UDP write bytes")) { + $list = explode(",", $line); + $client['bytes_sent'] = $list[1]; + } + + /* parse end of output line */ + if (strstr($line, "END")) + break; + } + } + + fclose($fp); + + } else { + $DisplayNote=true; + $client['remote_host'] = "No Management Daemon"; + $client['virtual_addr'] = "See Note Below"; + $client['bytes_recv'] = 0; + $client['bytes_sent'] = 0; + $client['connect_time'] = 0; + } + + $clients[] = $client; + } +} include("head.inc"); ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC" onload="<?=$jsevents["body"]["onload"];?>"> @@ -254,5 +339,65 @@ include("head.inc"); ?> </table> <?php endforeach; ?> +<br> + + +<table style="padding-top:0px; padding-bottom:0px; padding-left:0px; padding-right:0px" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td colspan="6" class="listtopic"> + OpenVPN client instances statistics + </td> + </tr> + <tr> + <table style="padding-top:0px; padding-bottom:0px; padding-left:0px; padding-right:0px" class="tabcont sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td class="listhdrr">Name</td> + <td class="listhdrr">Status</td> + <td class="listhdrr">Connected Since</td> + <td class="listhdrr">Virtual Addr</td> + <td class="listhdrr">Remote Host</td> + <td class="listhdrr">Bytes Sent</td> + <td class="listhdrr">Bytes Received</td> + </tr> + +<?php foreach ($clients as $client): ?> + <tr name='<?php echo "r:{$client['port']}:{$conn['remote_host']}"; ?>'> + <td class="listlr"> + <?=$client['name'];?> + </td> + <td class="listlr"> + <?=$client['status'];?> + </td> + <td class="listr"> + <?=$client['connect_time'];?> + </td> + <td class="listr"> + <?=$client['virtual_addr'];?> + </td> + <td class="listr"> + <?=$client['remote_host'];?> + </td> + <td class="listr"> + <?=$client['bytes_sent'];?> + </td> + <td class="listr"> + <?=$client['bytes_recv'];?> + </td> + </tr> +<?php endforeach; ?> + </table> + </tr> +</table> + +<?php if ($DisplayNote) { + echo "<br/><b>NOTE:</b> You need to bind each OpenVPN client to enable its management daemon: use 'Local port' setting in the OpenVPN client screen"; +} +?> + +<? if ((!isset($clients)) && (!isset($servers))) { + echo "No OpenVPN instance defined"; +} +?> + <?php include("fend.inc"); ?> diff --git a/usr/local/www/status_rrd_graph_img.php b/usr/local/www/status_rrd_graph_img.php index 905413d..63657d0 100644 --- a/usr/local/www/status_rrd_graph_img.php +++ b/usr/local/www/status_rrd_graph_img.php @@ -703,6 +703,7 @@ elseif((strstr($curdatabase, "-queuedrops.rrd")) && (file_exists("$rrddbpath$cur $graphcmd .= "--height 200 --width 620 -x \"$scale\" "; if ($altq) { $a_queues =& $altq->get_queue_list(); + $t = 0; } else { $a_queues = array(); $i = 0; diff --git a/usr/local/www/status_services.php b/usr/local/www/status_services.php index 9ccda16..25d3de5 100755 --- a/usr/local/www/status_services.php +++ b/usr/local/www/status_services.php @@ -39,6 +39,7 @@ require("guiconfig.inc"); require_once("service-utils.inc"); +require_once("ipsec.inc"); require_once("vpn.inc"); function gentitle_pkg($pgname) { diff --git a/usr/local/www/themes/code-red/rrdcolors.inc.php b/usr/local/www/themes/code-red/rrdcolors.inc.php index d04762e..cbd6a8d 100755 --- a/usr/local/www/themes/code-red/rrdcolors.inc.php +++ b/usr/local/www/themes/code-red/rrdcolors.inc.php @@ -30,10 +30,10 @@ /* This file is included by the RRD graphing page and sets the colors */
-$colortrafficup = "666666";
-$colortrafficdown = "990000";
-$colorpacketsup = "666666";
-$colorpacketsdown = "990000";
+$colortrafficup = array("666666", "CCCCCC");
+$colortrafficdown = array("990000", "CC0000");
+$colorpacketsup = array("666666", "CCCCCC");
+$colorpacketsdown = array("990000", "CC0000");
$colorstates = array('990000','a83c3c','b36666','bd9090','cccccc','000000');
$colorprocessor = array('990000','a83c3c','b36666','bd9090','cccccc','000000');
$colormemory = array('990000','a83c3c','b36666','bd9090','cccccc','000000');
diff --git a/usr/local/www/themes/the_wall/rrdcolors.inc.php b/usr/local/www/themes/the_wall/rrdcolors.inc.php index e657259..e3153fd 100644 --- a/usr/local/www/themes/the_wall/rrdcolors.inc.php +++ b/usr/local/www/themes/the_wall/rrdcolors.inc.php @@ -36,6 +36,7 @@ $colorpacketsup = array("666666", "CCCCCC"); $colorpacketsdown = array("990000", "CC0000"); $colorstates = array('990000','a83c3c','b36666','bd9090','cccccc','000000'); $colorprocessor = array('990000','a83c3c','b36666','bd9090','cccccc','000000'); +$colormemory = array('990000','a83c3c','b36666','bd9090','cccccc','000000'); $colorqueuesup = array('000000','7B0000','990000','BB0000','CC0000','D90000','EE0000','FF0000','CC0000'); $colorqueuesdown = array('000000','7B7B7B','999999','BBBBBB','CCCCCC','D9D9D9','EEEEEE','FFFFFF','CCCCCC'); $colorqueuesdropup = array('000000','7B0000','990000','BB0000','CC0000','D90000','EE0000','FF0000','CC0000'); diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php index 9c99ef1..f2899e6 100644 --- a/usr/local/www/vpn_ipsec_phase2.php +++ b/usr/local/www/vpn_ipsec_phase2.php @@ -122,8 +122,8 @@ if ($_POST) { { switch ($pconfig['localid_type']) { case "network": - if (!$pconfig['localid_netbits'] || !is_numeric($pconfig['localid_netbits'])) - $input_errors[] = "A valid local network bit count must be specified.."; + if (($pconfig['localid_netbits'] != 0 && !$pconfig['localid_netbits']) || !is_numeric($pconfig['localid_netbits'])) + $input_errors[] = "A valid local network bit count must be specified."; case "address": if (!$pconfig['localid_address'] || !is_ipaddr($pconfig['localid_address'])) $input_errors[] = "A valid local network IP address must be specified."; @@ -132,8 +132,8 @@ if ($_POST) { switch ($pconfig['remoteid_type']) { case "network": - if (!$pconfig['remoteid_netbits'] || !is_numeric($pconfig['remoteid_netbits'])) - $input_errors[] = "A valid remote network bit count must be specified.."; + if (($pconfig['remoteid_netbits'] != 0 && !$pconfig['remoteid_netbits']) || !is_numeric($pconfig['remoteid_netbits'])) + $input_errors[] = "A valid remote network bit count must be specified."; case "address": if (!$pconfig['remoteid_address'] || !is_ipaddr($pconfig['remoteid_address'])) $input_errors[] = "A valid remote network IP address must be specified."; @@ -401,11 +401,12 @@ function change_protocol() { <input name="remoteid_address" type="text" class="formfld unknown" id="remoteid_address" size="20" value="<?=$pconfig['remoteid_address'];?>"> / <select name="remoteid_netbits" class="formselect" id="remoteid_netbits"> - <?php for ($i = 32; $i >= 0; $i--): ?> - <option value="<?=$i;?>" <?php if ($i == $pconfig['remoteid_netbits']) echo "selected"; ?>> - <?=$i;?> - </option> - <?php endfor; ?> + <?php for ($i = 32; $i >= 0; $i--) { + + echo "<option value=\"{$i}\""; + if ($i == $pconfig['remoteid_netbits']) echo " selected"; + echo ">{$i}</option>\n"; + } ?> </select> </td> </tr> diff --git a/usr/local/www/vpn_openvpn_server.php b/usr/local/www/vpn_openvpn_server.php index c0ecede..4617e5c 100644 --- a/usr/local/www/vpn_openvpn_server.php +++ b/usr/local/www/vpn_openvpn_server.php @@ -79,7 +79,7 @@ if($_GET['act']=="edit"){ if (isset($id) && $a_server[$id]) { - $pconfig['disable'] = $a_server[$id]['disable']; + $pconfig['disable'] = isset($a_server[$id]['disable']); $pconfig['mode'] = $a_server[$id]['mode']; $pconfig['protocol'] = $a_server[$id]['protocol']; $pconfig['interface'] = $a_server[$id]['interface']; @@ -257,7 +257,8 @@ if ($_POST) { else $server['vpnid'] = openvpn_vpnid_next(); - $server['disable'] = $pconfig['disable']; + if ($_POST['disable'] == "yes") + $server['disable'] = true; $server['mode'] = $pconfig['mode']; $server['protocol'] = $pconfig['protocol']; list($server['interface'], $server['ipaddr']) = explode ("|",$pconfig['interface']); @@ -1147,7 +1148,7 @@ function netbios_change() { $i = 0; foreach($a_server as $server): $disabled = "NO"; - if ($server['disable']) + if (isset($server['disable'])) $disabled = "YES"; ?> <tr> diff --git a/usr/local/www/widgets/widgets/services_status.widget.php b/usr/local/www/widgets/widgets/services_status.widget.php index a7a88f8..11d448e 100644 --- a/usr/local/www/widgets/widgets/services_status.widget.php +++ b/usr/local/www/widgets/widgets/services_status.widget.php @@ -54,23 +54,23 @@ $services = $config['installedpackages']['service']; * */ if(isset($config['dnsmasq']['enable'])) { - $pconfig['name'] = "dnsmasq"; - $pconfig['description'] = "DNS Forwarder"; - $services[] = $pconfig; - unset($pconfig); + $sconfig['name'] = "dnsmasq"; + $sconfig['description'] = "DNS Forwarder"; + $services[] = $sconfig; + unset($sconfig); } -$pconfig['name'] = "ntpd"; -$pconfig['description'] = "NTP clock sync"; -$services[] = $pconfig; -unset($pconfig); +$sconfig['name'] = "ntpd"; +$sconfig['description'] = "NTP clock sync"; +$services[] = $sconfig; +unset($sconfig); if(isset($config['captiveportal']['enable'])) { - $pconfig['name'] = "lighttpd"; - $pconfig['description'] = "Captive Portal"; - $services[] = $pconfig; - $pconfig = ""; - unset($pconfig); + $sconfig['name'] = "lighttpd"; + $sconfig['description'] = "Captive Portal"; + $services[] = $sconfig; + $sconfig = ""; + unset($sconfig); } $iflist = array(); @@ -87,45 +87,45 @@ foreach($iflist as $if) { } if($show_dhcprelay == true) { - $pconfig['name'] = "dhcrelay"; - $pconfig['description'] = "DHCP Relay"; - $services[] = $pconfig; - unset($pconfig); + $sconfig['name'] = "dhcrelay"; + $sconfig['description'] = "DHCP Relay"; + $services[] = $sconfig; + unset($sconfig); } if(is_dhcp_server_enabled()) { - $pconfig['name'] = "dhcpd"; - $pconfig['description'] = "DHCP Service"; - $services[] = $pconfig; - unset($pconfig); + $sconfig['name'] = "dhcpd"; + $sconfig['description'] = "DHCP Service"; + $services[] = $sconfig; + unset($sconfig); } if(isset($config['snmpd']['enable'])) { - $pconfig['name'] = "bsnmpd"; - $pconfig['description'] = "SNMP Service"; - $services[] = $pconfig; - unset($pconfig); + $sconfig['name'] = "bsnmpd"; + $sconfig['description'] = "SNMP Service"; + $services[] = $sconfig; + unset($sconfig); } if (count($config['igmpproxy']['igmpentry']) > 0) { - $pconfig['name'] = "igmpproxy"; - $pconfig['descritption'] = "IGMP proxy"; - $services[] = $pconfig; - unset($pconfig); + $sconfig['name'] = "igmpproxy"; + $sconfig['description'] = "IGMP proxy"; + $services[] = $sconfig; + unset($sconfig); } if($config['installedpackages']['miniupnpd']['config'][0]['enable']) { - $pconfig['name'] = "miniupnpd"; - $pconfig['description'] = gettext("UPnP Service"); - $services[] = $pconfig; - unset($pconfig); + $sconfig['name'] = "miniupnpd"; + $sconfig['description'] = gettext("UPnP Service"); + $services[] = $sconfig; + unset($sconfig); } if (isset($config['ipsec']['enable'])) { - $pconfig['name'] = "racoon"; - $pconfig['description'] = gettext("IPsec VPN"); - $services[] = $pconfig; - unset($pconfig); + $sconfig['name'] = "racoon"; + $sconfig['description'] = gettext("IPsec VPN"); + $services[] = $sconfig; + unset($sconfig); } foreach (array('server', 'client') as $mode) { @@ -133,12 +133,12 @@ foreach (array('server', 'client') as $mode) { foreach ($config['installedpackages']["openvpn$mode"]['config'] as $id => $settings) { $setting = $config['installedpackages']["openvpn$mode"]['config'][$id]; if (!$setting['disable']) { - $pconfig['name'] = "openvpn"; - $pconfig['mode'] = $mode; - $pconfig['id'] = $id; - $pconfig['description'] = "OpenVPN ".$mode.": ".htmlspecialchars($setting['description']); - $services[] = $pconfig; - unset($pconfig); + $sconfig['name'] = "openvpn"; + $sconfig['mode'] = $mode; + $sconfig['id'] = $id; + $sconfig['description'] = "OpenVPN ".$mode.": ".htmlspecialchars($setting['description']); + $services[] = $sconfig; + unset($sconfig); } } } |
