authorErmal Luçi <eri@pfsense.org>2009-10-01 15:18:17 +0000
committerErmal Luçi <eri@pfsense.org>2009-10-01 15:19:42 +0000
commitabcb2bed927c18f29b12972f023b253c703132d1 (patch)
treee06b5f0da200a6694b2d3a5ba79907fb6de06b46
parent6b0c587976d5941bce0b7e569a519f7e7fcbc62a (diff)
downloadpfsense-abcb2bed927c18f29b12972f023b253c703132d1.zip
pfsense-abcb2bed927c18f29b12972f023b253c703132d1.tar.gz
* Convert carp/vips code to behave the same as other interfaces.
* Make optimizations around it. * Make sure when we reload the underlying interface we reload carp too. * Some fixes around the code. Reviewed-by: scott@ and billm@
-rw-r--r--etc/inc/interfaces.inc599
-rw-r--r--etc/inc/pfsense-utils.inc192
-rw-r--r--etc/inc/priv.defs.inc14
-rw-r--r--etc/inc/services.inc54
-rw-r--r--etc/inc/util.inc22
-rwxr-xr-xetc/rc.bootup3
-rwxr-xr-xusr/local/www/firewall_virtual_ip.php34
-rwxr-xr-xusr/local/www/firewall_virtual_ip_edit.php25
-rwxr-xr-xusr/local/www/interfaces.php2
-rwxr-xr-xusr/local/www/services_proxyarp.php147
-rwxr-xr-xusr/local/www/services_proxyarp_edit.php283
-rwxr-xr-xusr/local/www/status_services.php7
-rwxr-xr-xusr/local/www/vpn_ipsec.php8
-rw-r--r--usr/local/www/vpn_ipsec_phase1.php8
-rw-r--r--usr/local/www/widgets/widgets/services_status.widget.php7
15 files changed, 463 insertions, 942 deletions
diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc
index 858b5a2..9dcf6e3 100644
--- a/etc/inc/interfaces.inc
+++ b/etc/inc/interfaces.inc
@@ -35,7 +35,7 @@
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
- pfSense_BUILDER_BINARIES: /usr/sbin/pppd /sbin/dhclient /bin/sh /usr/bin/grep /usr/bin/xargs /usr/bin/awk
+ pfSense_BUILDER_BINARIES: /usr/sbin/pppd /sbin/dhclient /bin/sh /usr/bin/grep /usr/bin/xargs /usr/bin/awk /usr/local/sbin/choparp
pfSense_BUILDER_BINARIES: /sbin/ifconfig /sbin/route /usr/sbin/ngctl /usr/sbin/arp /bin/kill /usr/local/sbin/mpd4
pfSense_MODULE: interfaces
@@ -102,7 +102,7 @@ function interfaces_vlan_configure() {
}
}
-function interface_vlan_configure($vlan) {
+function interface_vlan_configure(&$vlan) {
global $config, $g;
if (!is_array($vlan)) {
@@ -124,28 +124,17 @@ function interface_vlan_configure($vlan) {
mwexec("/sbin/ifconfig {$if} vlanhwtag");
mwexec("/sbin/ifconfig {$if} vlanmtu");
- if ($g['booting'] || !(empty($vlanif))) {
- /* before destroying, see if CARP is in use
- If an interface containing an active CARP IP is destroyed,
- the CARP interface will hang in INIT and must be destroyed
- itself before it will function again (which causes a panic).
- Trying to configure a CARP interface stuck in INIT will
- cause a panic as well. -cmb
- */
- $carpcount = find_number_of_needed_carp_interfaces();
- /* will continue to destroy VLANs where CARP is not in use
- to retain previous behavior and avoid regressions */
- if($carpcount < 1)
- mwexec("/sbin/ifconfig {$vlanif} destroy");
- //mwexec("/sbin/ifconfig {$vlanif} create");
- }
- $tmpvlanif = exec("/sbin/ifconfig vlan create");
+ if (!empty($vlanif) && does_interface_exist($vlanif))
+ mwexec("/sbin/ifconfig {$vlanif} delete");
+ else {
+ $tmpvlanif = exec("/sbin/ifconfig vlan create");
+ mwexec("/sbin/ifconfig {$tmpvlanif} name {$vlanif}");
+ }
- mwexec("/sbin/ifconfig {$tmpvlanif} vlan " .
+ mwexec("/sbin/ifconfig {$vlanif} vlan " .
escapeshellarg($tag) . " vlandev " .
escapeshellarg($if));
- mwexec("/sbin/ifconfig {$tmpvlanif} name {$vlanif}");
interfaces_bring_up($vlanif);
/* invalidate interface cache */
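Review bot: When `$vlanif` is empty the new `else` branch still runs, so `ifconfig {$tmpvlanif} name {$vlanif}` and the following `ifconfig {$vlanif} vlan …` are issued with an empty interface name. `$vlanif` and `$tmpvlanif` are also interpolated into the shell strings raw, while `$tag` and `$if` two lines further down go through `escapeshellarg()`. I would return early on an empty name and quote consistently, e.g. `mwexec("/sbin/ifconfig " . escapeshellarg($tmpvlanif) . " name " . escapeshellarg($vlanif));`. The function starts and ends outside this hunk, so where `$vlanif` is assigned is not visible here.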
@@ -167,7 +156,7 @@ function interface_vlan_configure($vlan) {
return $vlanif;
}
-function interface_qinq_configure($vlan, $fd = NULL) {
+function interface_qinq_configure(&$vlan, $fd = NULL) {
global $config, $g;
if (!is_array($vlan)) {
@@ -194,19 +183,8 @@ function interface_qinq_configure($vlan, $fd = NULL) {
mwexec("/sbin/ifconfig {$if} vlanhwtag\n");
mwexec("/sbin/ifconfig {$if} vlanmtu\n");
- if ($g['booting'] || !(empty($vlanif))) {
- /* before destroying, see if CARP is in use
- If an interface containing an active CARP IP is destroyed,
- the CARP interface will hang in INIT and must be destroyed
- itself before it will function again (which causes a panic).
- Trying to configure a CARP interface stuck in INIT will
- cause a panic as well. -cmb
- */
- $carpcount = find_number_of_needed_carp_interfaces();
- /* will continue to destroy VLANs where CARP is not in use
- to retain previous behavior and avoid regressions */
- if($carpcount < 1)
- fwrite($fd, "shutdown {$if}qinq:\n");
+ if (!empty($vlanif) && does_interface_exist($vlanif)) {
+ fwrite($fd, "shutdown {$if}qinq:\n");
exec("/usr/sbin/ngctl msg {$if}qinq: gettable", $result);
if (empty($result)) {
fwrite($fd, "mkpeer {$if}: vlan lower downstream\n");
@@ -280,7 +258,7 @@ function interfaces_qinq_configure() {
}
}
-function interface_qinq2_configure($qinq, $fd, $macaddr) {
+function interface_qinq2_configure(&$qinq, $fd, $macaddr) {
global $config, $g;
if (!is_array($qinq)) {
@@ -747,11 +725,8 @@ function interfaces_configure() {
echo "done.\n";
}
- /* bring up carp interfaces */
- interfaces_carp_configure();
-
- /* bring ip IP aliases */
- interfaces_ipalias_configure();
+ /* bring up vip interfaces */
+ interfaces_vips_configure();
/* configure interface groups */
interfaces_group_setup();
@@ -785,6 +760,26 @@ function interface_reconfigure($interface = "wan") {
interface_configure($interface);
}
+function interface_vip_bring_down(&$vip) {
+
+ switch ($vip['mode']) {
+ case "proxyarp":
+ interfaces_proxyarp_configure();
+ break;
+ case "ipalias":
+ mwexec("/sbin/ifconfig " . get_real_interface($vip['interface']) . " delete {$vip['subnet']}");
+ break;
+ case "carp":
+ case "carpdev-dhcp":
+ $vipif = "vip" . x{$vip['vhid'];
+ mwexec("/sbin/ifconfig {$vipif} delete");
+ mwexec("/sbin/ifconfig {$vipif} down");
+ mwexec("/sbin/ifconfig {$vipif} destroy");
+ break;
+ }
+
+}
+
function interface_bring_down($interface = "wan", $destroy = false) {
global $config, $g;
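Review bot: The line `$vipif = "vip" . x{$vip['vhid'];` in the `carp`/`carpdev-dhcp` case does not parse (stray `x{` and an unbalanced brace), so the whole include would fail to load; it should read `$vipif = "vip" . $vip['vhid'];`, as interface_carp_configure() has it. In the `ipalias` case the interface name and `$vip['subnet']` go into the ifconfig command unquoted, whereas interface_ipalias_configure() wraps the interface in `escapeshellarg()`; doing the same here keeps a malformed config value from altering the command. The switch has no `default`, so an unknown mode is silently ignored, and a one-line comment saying that is intentional would help.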
@@ -859,7 +854,7 @@ function interfaces_ppp_configure() {
}
}
-function interface_ppp_configure($ifcfg) {
+function interface_ppp_configure(&$ifcfg) {
global $config, $g;
/* Remove the /dev/ from the device name. */
@@ -962,228 +957,354 @@ function interface_ppp_configure($ifcfg) {
return $realif;
}
-function interfaces_carp_configure() {
+function interfaces_carp_setup() {
global $g, $config;
+
$balanacing = "";
$pfsyncinterface = "";
$pfsyncenabled = "";
if(isset($config['system']['developerspew'])) {
$mt = microtime();
- echo "interfaces_carp_configure() being called $mt\n";
+ echo "interfaces_carp_setup() being called $mt\n";
}
+
// Prepare CmdCHAIN that will be used to execute commands.
$cmdchain = new CmdCHAIN();
- $carp_instances_counter = 0;
- $total_carp_interfaces_defined = find_number_of_created_carp_interfaces();
- /* destroy previous interfaces */
- for($x=0; $x<$total_carp_interfaces_defined; $x++)
- $cmdchain->add("Delete CARP interface", "/sbin/ifconfig carp{$x} delete", false);
+
if ($g['booting']) {
- echo "Configuring CARP interfaces...";
+ echo "Configuring CARP settings...";
mute_kernel_msgs();
}
+
/* suck in configuration items */
- if($config['installedpackages']['carpsettings'])
+ if($config['installedpackages']['carpsettings']) {
if($config['installedpackages']['carpsettings']['config']) {
- foreach($config['installedpackages']['carpsettings']['config'] as $carp) {
- $pfsyncenabled = $carp['pfsyncenabled'];
- $balanacing = $carp['balancing'];
- $pfsyncinterface = $carp['pfsyncinterface'];
- $pfsyncpeerip = $carp['pfsyncpeerip'];
+ foreach($config['installedpackages']['carpsettings']['config'] as $carp) {
+ $pfsyncenabled = $carp['pfsyncenabled'];
+ $balanacing = $carp['balancing'];
+ $pfsyncinterface = $carp['pfsyncinterface'];
+ $pfsyncpeerip = $carp['pfsyncpeerip'];
+ }
}
} else {
unset($pfsyncinterface);
unset($balanacing);
unset($pfsyncenabled);
}
+
$cmdchain->add("Allow CARP", "/sbin/sysctl net.inet.carp.allow=1", true);
if($balanacing) {
$cmdchain->add("Enable CARP ARP-balancing", "/sbin/sysctl net.inet.carp.arpbalance=1", true);
$cmdchain->add("Disallow CARP preemption", "/sbin/sysctl net.inet.carp.preempt=0", true);
- } else {
+ } else
$cmdchain->add("Enable CARP preemption", "/sbin/sysctl net.inet.carp.preempt=1", true);
- }
+
$cmdchain->add("Enable CARP logging", "/sbin/sysctl net.inet.carp.log=2", true);
- $carp_sync_int = get_real_interface($pfsyncinterface);
+ if (!empty($pfsyncinterface))
+ $carp_sync_int = get_real_interface($pfsyncinterface);
+
if($g['booting']) {
/* install rules to alllow pfsync to sync up during boot
* carp interfaces will remain down until the bootup sequence finishes
*/
- exec("echo pass quick proto carp all keep state > /tmp/rules.boot");
- exec("echo pass quick proto pfsync all >> /tmp/rules.boot");
- exec("echo pass out quick from any to any keep state >> /tmp/rules.boot");
- exec("/sbin/pfctl -f /tmp/rules.boot");
+ exec("echo pass quick proto carp all keep state > {$g['tmp_path']}/rules.boot");
+ exec("echo pass quick proto pfsync all >> {$g['tmp_path']}/rules.boot");
+ exec("echo pass out quick from any to any keep state >> {$g['tmp_path']}/rules.boot");
+ exec("/sbin/pfctl -f {$g['tmp_path']}/rules.boot");
}
+
/* setup pfsync interface */
if($carp_sync_int and $pfsyncenabled) {
- if($pfsyncpeerip) {
+ if (is_ipaddr($pfsyncpeerip))
$cmdchain->add("Bring up pfsync0 syncpeer", "/sbin/ifconfig pfsync0 syncdev {$carp_sync_int} syncpeer {$pfsyncpeerip} up", false);
- } else {
+ else
$cmdchain->add("Bring up pfsync0 syncdev", "/sbin/ifconfig pfsync0 syncdev {$carp_sync_int} up", false);
- }
- } else {
+ } else
$cmdchain->add("Bring up pfsync0", "/sbin/ifconfig pfsync0 syncdev lo0 up", false);
- }
- //$fd = fopen("/tmp/carp.sh", "w");
- $viparr = &$config['virtualip']['vip'];
- if($config['virtualip']['vip']) {
+
+ if($config['virtualip']['vip'])
$cmdchain->add("Allow CARP.", "/sbin/sysctl net.inet.carp.allow=1", true);
- } else {
- $viparr = array();
+ else
$cmdchain->add("Disallow CARP.", "/sbin/sysctl net.inet.carp.allow=0", true);
- }
- if(!$viparr and $config['interfaces']['wan']['ipaddr'] == "carpdev-dhcp") {
- /* no vips exist but we need to bring up carpdev... */
- $viparr_temp = array();
- $viparr_temp['advskew'] = "200";
- $viparr_temp['vhid'] = "1";
- $viparr_temp['mode'] = "carpdev-dhcp";
- $viparr_temp['password'] = $config['system']['hostname'] . "pfS";
- $viparr = $viparr_temp;
- }
if($g['debug'])
$cmdchain->setdebug(); // optional for verbose logging
+
$cmdchain->execute();
-
- // Reset CmdCHAIN
$cmdchain->clear();
- if(is_array($viparr))
- foreach ($viparr as $vip) {
- $vip_password = $vip['password'];
- $vip_password = str_replace(" ", "", $vip_password);
- if($vip['password'] != "")
- $password = " pass \"" . $vip_password . "\"";
- $interface = interface_translate_type_to_real($vip['interface']);
- $carpint = "carp" . $carp_instances_counter;
-
- switch ($vip['mode']) {
- case "carp":
- /* ensure CARP IP really exists prior to loading up */
- $found = false;
- $iflist = get_configured_interface_list();
- foreach($iflist as $if) {
- $ww_subnet_ip = $config['interfaces'][$if]['ipaddr'];
- $ww_subnet_bits = $config['interfaces'][$if]['subnet'];
- if (ip_in_subnet($vip['subnet'], gen_subnet($ww_subnet_ip, $ww_subnet_bits) . "/" . $ww_subnet_bits))
- $found = true;
- }
- if($found == false) {
- file_notice("CARP", "Sorry but we could not find a matching real interface subnet for the virtual IP address {$vip['subnet']}.", "Firewall: Virtual IP", "");
- continue;
- }
- /* ensure the interface containing the VIP really exists
- prevents a panic if the interface is missing or invalid
- */
- $realif = get_real_interface($vip['interface']);
- $intcount = exec("/sbin/ifconfig | grep $realif | wc -l | awk '{print $1}'");
- if($intcount < 1) {
- file_notice("CARP", "Interface specified for the virtual IP address {$vip['subnet']} does not exist. Skipping this VIP.", "Firewall: Virtual IP", "");
- continue;
- }
- /* create the carp interface and setup */
- $cmdchain->add("create CARP interface", "/sbin/ifconfig {$carpint} create", false);
-
- /* invalidate interface cache */
- get_interface_arr(true);
- $broadcast_address = gen_subnet_max($vip['subnet'], $vip['subnet_bits']);
- $cmdchain->add("config CARP interface", "/sbin/ifconfig {$carpint} " . $vip['subnet'] . "/" . $vip['subnet_bits'] . " vhid " . $vip['vhid'] . " advskew " . $vip['advskew'] . $password, false);
- $cmdchain->add("bring CARP interface UP", "/sbin/ifconfig {$carpint} up", false);
- $carp_instances_counter++;
- break;
- case "carpdev-dhcp":
- log_error("Found carpdev interface {$vip['interface']} on top of interface {$interface}");
- if(!empty($interface)) {
-
- $cmdchain->add("bring CARP parent interface UP", "/sbin/ifconfig {$interface} up", false);
- $cmdchain->add("create CARP interface", "/sbin/ifconfig {$carpint} create", false);
- $cmdchain->add("bring CARP interface UP", "/sbin/ifconfig {$carpint} up", false);
- $cmdchain->add("assign CARP CarpDEV directive", "/sbin/ifconfig {$carpint} carpdev ". $interface . " vhid " . $vip['vhid'] . " advskew " . $vip['advskew'] . $password, false);
- $cmdchain->add("bring CARP interface UP", "/sbin/ifconfig {$carpint} up", false);
-
- /*
- * XXX: BIG HACK but carpdev needs ip services active
- * before even starting something as dhclient.
- * I do not know if this is a feature or a bug
- * but better than track it make it work ;) .
- */
- //$fakeiptouse = "10.254.254." . ($carp_instances_counter+1);
- //$cmdchain->add("CarpDEV hack", "/sbin/ifconfig {$carpint} inet {$fakeiptouse}", false);
-
- /* generate dhclient_wan.conf */
- $fd = fopen("{$g['varetc_path']}/dhclient_{$carpint}.conf", "w");
- if ($fd) {
-
- $dhclientconf = "";
-
- $dhclientconf .= <<<EOD
-interface "{$carpint}" {
-timeout 60;
-retry 1;
-select-timeout 0;
-initial-interval 1;
-script "/sbin/dhclient-script";
+ if ($g['booting']) {
+ unmute_kernel_msgs();
+ echo "done.\n";
+ }
}
-EOD;
+function interfaces_proxyarp_configure() {
+ global $config, $g;
+ if(isset($config['system']['developerspew'])) {
+ $mt = microtime();
+ echo "interfaces_proxyarp_configure() being called $mt\n";
+ }
- fwrite($fd, $dhclientconf);
- fclose($fd);
+ /* kill any running choparp */
+ killbyname("choparp");
- /* fire up dhclient */
- $cmdchain->add("bring CARP dhclient UP", "/sbin/dhclient -c {$g['varetc_path']}/dhclient_{$carpint}.conf {$carpint} >/tmp/{$carpint}_output >/tmp/{$carpint}_error_output", false);
- } else {
- log_error("Error: cannot open dhclient_{$carpint}.conf in interfaces_carp_configure() for writing.\n");
- $cmdchain->add("bring CARP dhclient UP in background", "/sbin/dhclient -b {$carpint}", false);
- }
+ if (isset($config['virtualip']) && is_array($config['virtualip']['vip'])) {
+ $paa = array();
- $fout = fopen("/tmp/ifconfig_{$carpint}","w");
- fwrite($fout, "/sbin/dhclient -c {$g['varetc_path']}/dhclient_{$carpint}.conf {$carpint}");
- fclose($fout);
+ /* group by interface */
+ foreach ($config['virtualip']['vip'] as $vipent) {
+ if ($vipent['mode'] === "proxyarp") {
+ if ($vipent['interface'])
+ $proxyif = $vipent['interface'];
+ else
+ $proxyif = "wan";
- } else {
- log_error("Could not determine CarpDEV parent interface for {$vip['descr']}.");
- }
- $carp_instances_counter++;
- break;
- }
- }
+ if (!is_array($paa[$if]))
+ $paa[$proxyif] = array();
- if($g['debug'])
- $cmdchain->setdebug(); // optional for verbose logging
- // Execute built up command chain.
- $cmdchain->execute();
+ $paa[$proxyif][] = $vipent;
+ }
+ }
- if ($g['booting']) {
- unmute_kernel_msgs();
- echo "done.\n";
- }
+ if (count($paa))
+ foreach ($paa as $paif => $paents) {
+ $paaifip = get_interface_ip($paif);
+ if (!(is_ipaddr($paaifip)))
+ continue;
+
+ $args = get_real_interface($paif) . " auto";
- /* update cache */
- if ($carp_instances_counter != find_number_of_created_carp_interfaces())
- find_number_of_created_carp_interfaces(true);
+ foreach ($paents as $paent) {
+ if (isset($paent['subnet']))
+ $args .= " " . escapeshellarg("{$paent['subnet']}/{$paent['subnet_bits']}");
+ else if (isset($paent['range']))
+ $args .= " " . escapeshellarg($paent['range']['from'] . "-" .
+ $paent['range']['to']);
+ }
+
+ mwexec_bg("/usr/local/sbin/choparp " . $args);
+ }
+ }
}
-function interfaces_ipalias_configure() {
+function interfaces_vips_configure() {
global $g, $config;
if(isset($config['system']['developerspew'])) {
$mt = microtime();
echo "interfaces_ipalias_configure() being called $mt\n";
}
- $viparr = &$config['virtualip']['vip'];
- if(is_array($viparr)) {
- foreach ($viparr as $vip) {
- if ($vip['mode'] == "ipalias") {
- $if = get_real_interface($vip['interface']);
- mwexec("/sbin/ifconfig " . escapeshellarg($if) . " " . $vip['subnet'] . "/" . escapeshellarg($vip['subnet_bits']) . " alias");
+ $paa = array();
+ if(is_array($config['virtualip']['vip'])) {
+ $carp_setuped = false;
+ foreach ($config['virtualip']['vip'] as $vip) {
+ switch ($vip['mode']) {
+ case "proxyarp":
+ /* nothing it is handled on interfaces_proxyarp_configure() */
+ break;
+ case "ipalias":
+ interface_ipalias_configure(&$vip);
+ break;
+ case "carp":
+ if ($carp_setuped == false) {
+ interfaces_carp_setup();
+ $carp_setuped = true;
+ }
+ interface_carp_configure($vip);
+ break;
+ case "carpdev-dhcp":
+ interface_carpdev_configure($vip);
+ break;
}
}
+
+ interfaces_proxyarp_configure();
+ }
+}
+
+function interface_ipalias_configure(&$vip) {
+
+ if ($vip['mode'] == "ipalias") {
+ $if = get_real_interface($vip['interface']);
+ mwexec("/sbin/ifconfig " . escapeshellarg($if) . " " . $vip['subnet'] . "/" . escapeshellarg($vip['subnet_bits']) . " alias");
+ }
+}
+
+function interface_reload_carps($cif) {
+ global $config;
+
+ $carpifs = link_ip_to_carp_interface(find_interface_ip($cif));
+ if (empty($carpifs))
+ return;
+
+ $carps = explode(" ", $carpifs);
+ if(is_array($config['virtualip']['vip'])) {
+ $viparr = &$config['virtualip']['vip'];
+ foreach ($viparr as $vip) {
+ if (in_array($vip['carpif'], $carps)) {
+ switch ($vip['mode']) {
+ case "carp":
+ interface_vip_bring_down($vip);
+ sleep(1);
+ interface_carp_configure($vip);
+ break;
+ case "carpdev-dhcp":
+ interface_vip_bring_down($vip);
+ sleep(1);
+ interface_carpdev_configure($vip);
+ break;
+ }
+ }
+ }
+ }
+}
+
+function interface_carp_configure(&$vip) {
+ global $config, $g;
+ if(isset($config['system']['developerspew'])) {
+ $mt = microtime();
+ echo "interfaces_carp_configure() being called $mt\n";
+ }
+
+ if ($vip['mode'] != "carp")
+ return;
+
+ $vip_password = $vip['password'];
+ $vip_password = str_replace(" ", "", $vip_password);
+ if ($vip['password'] != "")
+ $password = " pass \"" . $vip_password . "\"";
+ $vipif = "vip" . $vip['vhid'];
+ $interface = interface_translate_type_to_real($vip['interface']);
+ /*
+ * ensure the interface containing the VIP really exists
+ * prevents a panic if the interface is missing or invalid
+ */
+ $realif = get_real_interface($vip['interface']);
+ if (!does_interface_exist($realif)) {
+ file_notice("CARP", "Interface specified for the virtual IP address {$vip['subnet']} does not exist. Skipping this VIP.", "Firewall: Virtual IP", "");
+ return;
+ }
+
+ /* ensure CARP IP really exists prior to loading up */
+ /* XXX: this can be bound to only the interface choosen in the carp creation. Not yet since upgrade is needed! */
+ $found = false;
+ $iflist = get_configured_interface_list();
+ foreach($iflist as $if) {
+ $ww_subnet_ip = get_interface_ip($if);
+ $ww_subnet_bits = get_interface_subnet($if);
+ if (ip_in_subnet($vip['subnet'], gen_subnet($ww_subnet_ip, $ww_subnet_bits) . "/" . $ww_subnet_bits)) {
+ $found = true;
+ break;
+ }
+ }
+ if($found == false) {
+ file_notice("CARP", "Sorry but we could not find a matching real interface subnet for the virtual IP address {$vip['subnet']}.", "Firewall: Virtual IP", "");
+ return;
+ }
+
+ /* invalidate interface cache */
+ get_interface_arr(true);
+
+ /* create the carp interface and setup */
+ if (does_interface_exist($vipif))
+ mwexec("/sbin/ifconfig {$vipif} delete");
+ else {
+ $carpif = exec("/sbin/ifconfig carp create");
+ mwexec("/sbin/ifconfig {$carpif} name {$vipif}");
+ }
+
+ /* invalidate interface cache */
+ get_interface_arr(true);
+
+ $broadcast_address = gen_subnet_max($vip['subnet'], $vip['subnet_bits']);
+ mwexec("/sbin/ifconfig {$carpif} {$vip['subnet']}/{$vip['subnet_bits']} vhid {$vip['vhid']} advskew {$vip['advskew']} {$password}");
+
+ interfaces_bring_up($vipif);
+
+ return $vipif;
+}
+
+function interface_carpdev_configure(&$vip) {
+ global $g;
+
+ if ($vip['mode'] != "carpdev-dhcp")
+ return;
+
+ $vip_password = $vip['password'];
+ $vip_password = str_replace(" ", "", $vip_password);
+ if($vip['password'] != "")
+ $password = " pass \"" . $vip_password . "\"";
+
+ log_error("Found carpdev interface {$vip['interface']} on top of interface {$interface}");
+ if (empty($vip['interface']))
+ return;
+
+ $vipif = "vip" . $vip['vhid'];
+ $realif = interface_translate_type_to_real($vip['interface']);
+ interface_bring_up($realif);
+ /*
+ * ensure the interface containing the VIP really exists
+ * prevents a panic if the interface is missing or invalid
+ */
+ if (!does_interface_exist($realif)) {
+ file_notice("CARP", "Interface specified for the virtual IP address {$vip['subnet']} does not exist. Skipping this VIP.", "Firewall: Virtual IP", "");
+ return;
+ }
+
+ if (does_interface_exist($vipif))
+ mwexec("/sbin/ifconfig {$vipif} delete");
+ else {
+ $carpdevif = exec("/sbin/ifconfig carp create");
+ mwexec("/sbin/ifconfig {$carpdevif} name {$vipif}");
}
+
+ mwexec("/sbin/ifconfig {$vipif} carpdev {$realif} vhid {$vip['vhid']} advskew {$vip['advskew']} {$password}");
+ interface_bring_up($vipif);
+
+ /*
+ * XXX: BIG HACK but carpdev needs ip services active
+ * before even starting something as dhclient.
+ * I do not know if this is a feature or a bug
+ * but better than track it make it work ;) .
+ */
+ //$fakeiptouse = "10.254.254." . ($carp_instances_counter+1);
+ //$cmdchain->add("CarpDEV hack", "/sbin/ifconfig {$carpint} inet {$fakeiptouse}", false);
+
+ /* generate dhclient_wan.conf */
+ $fd = fopen("{$g['varetc_path']}/dhclient_{$vipif}.conf", "w");
+ if ($fd) {
+ $dhclientconf = "";
+
+ $dhclientconf .= <<<EOD
+interface "{$vipif}" {
+timeout 60;
+retry 1;
+select-timeout 0;
+initial-interval 1;
+script "/sbin/dhclient-script";
}
-function interface_wireless_configure($if, $wlcfg) {
+EOD;
+
+ fwrite($fd, $dhclientconf);
+ fclose($fd);
+
+ /* fire up dhclient */
+ mwexec("/sbin/dhclient -c {$g['varetc_path']}/dhclient_{$vipif}.conf {$vipif} >/tmp/{$vipif}_output >/tmp/{$vipif}_error_output", false);
+ } else {
+ log_error("Error: cannot open dhclient_{$vipif}.conf in interfaces_carpdev_configure() for writing.\n");
+ mwexec("/sbin/dhclient -b {$vipif}");
+ }
+
+ $fout = fopen("/tmp/ifconfig_{$vipif}","w");
+ fwrite($fout, "/sbin/dhclient -c {$g['varetc_path']}/dhclient_{$vipif}.conf {$vipif}");
+ fclose($fout);
+
+ return $vipif;
+}
+
+function interface_wireless_configure($if, &$wlcfg) {
global $config, $g;
/* open up a shell script that will be used to output the commands.
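Review bot: In interface_carp_configure() the address is applied with `/sbin/ifconfig {$carpif} …`, but `$carpif` is only set in the `else` branch and that interface has just been renamed to `$vipif`, so when the vip interface already exists the command runs with an empty name; it should target `{$vipif}`. The same command, and the one in interface_carpdev_configure(), splices `$password` in as `pass "…"` with only spaces stripped, so quotes or shell metacharacters in a configured CARP password reach the shell; `$password = " pass " . escapeshellarg($vip_password);` closes that. Separately, interfaces_proxyarp_configure() tests `$paa[$if]` where `$if` is never set (presumably `$paa[$proxyif]`), and interface_carpdev_configure() logs `{$interface}` before anything assigns it.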
@@ -1536,6 +1657,8 @@ function interface_configure($interface = "wan", $reloadall = false) {
else
log_error("Could not bring wancfg['if'] up -- variable not defined in interface_configure()");
+ interface_reload_carps($realif);
+
if (!$g['booting']) {
if (link_interface_to_gre($interface)) {
foreach ($config['gres']['gre'] as $gre)
@@ -1969,7 +2092,7 @@ function interfaces_group_setup() {
return;
}
-function interface_group_setup($groupname /* The parameter is an array */) {
+function interface_group_setup(&$groupname /* The parameter is an array */) {
global $config;
if (!is_array($groupname))
@@ -2205,14 +2328,86 @@ function find_ip_interface($ip)
$ifdescrs = get_configured_interface_list();
foreach ($ifdescrs as $ifdescr => $ifname) {
- $int = get_real_interface($ifname);
- $ifconfig = `/sbin/ifconfig {$int}`;
- if(stristr($ifconfig,$ip) <> false)
- return $int;
+ if ($ip == get_interface_ip($ifname)) {
+ $int = get_real_interface($ifname);
+ return $int;
+ }
}
return false;
}
+/*
+ * find_carp_interface($ip): return the carp interface where an ip is defined
+ */
+function find_carp_interface($ip) {
+ global $config;
+
+ if (is_array($config['virtualip']['vip'])) {
+ foreach ($config['virtualip']['vip'] as $vip) {
+ if ($vip['mode'] == "carp" || $vip['mode'] == "carpdev") {
+ $carp_ip = find_interface_ip($vip['carpif']);
+ if ($ip == $carp_ip)
+ return $vip['carpif'];
+ }
+ }
+ }
+}
+
+function link_carp_interface_to_parent($interface) {
+ global $config;
+
+ if ($interface == "")
+ return;
+
+ $carp_ip = find_interface_ip($interface);
+ if (!is_ipaddr($carp_ip))
+ return;
+
+ /* if list */
+ $ifdescrs = get_configured_interface_list();
+ foreach ($ifdescrs as $ifdescr => $ifname) {
+ $interfaceip = get_interface_ip($ifname);
+ $subnet_bits = get_interface_subnet($ifname);
+ $subnet_ip = gen_subnet("{$interfaceip}", "{$subnet_bits}");
+ if(ip_in_subnet($carp_ip, "{$subnet_ip}/{$subnet_bits}"))
+ return $ifname;
+ }
+
+ return "";
+}
+
+/****f* interfaces/link_ip_to_carp_interface
+ * NAME
+ * link_ip_to_carp_interface - Find where a CARP interface links to.
+ * INPUTS
+ * $ip
+ * RESULT
+ * $carp_ints
+ ******/
+function link_ip_to_carp_interface($ip) {
+ global $config;
+
+ if (!is_ipaddr($ip))
+ return;
+
+ $carp_ints = "";
+ if (is_array($config['virtualip']['vip'])) {
+ foreach ($config['virtualip']['vip'] as $vip) {
+ if ($vip['mode'] == "carp" || $vip['mode'] == "carpdev") {
+ $carp_ip = $vip['subnet']);
+ $carp_sn = $vip['subnet_bits'];
+ $carp_nw = gen_subnet($carp_ip, $carp_sn);
+ if (ip_in_subnet($ip, "{$carp_nw}/{$carp_sn}")) {
+ if (!stristr($carp_ints, $carp_int))
+ $carp_ints .= " {$carp_int}";
+ }
+ }
+ }
+ }
+
+ return $carp_ints;
+}
+
/****f* interfaces/link_interface_to_bridge
* NAME
* link_interface_to_bridge - Finds out a bridge group for an interface
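Review bot: link_ip_to_carp_interface() has a stray `)` in `$carp_ip = $vip['subnet']);`, which is a parse error, and `$carp_int` is never assigned, so even with that fixed the function can only return whitespace. Presumably the intent is `$carp_int = "vip{$vip['vhid']}";` (or `$vip['carpif']`, if that key is populated elsewhere) before the `stristr` check. Both this function and find_carp_interface() compare the mode with `"carpdev"`, while the rest of the commit uses `"carpdev-dhcp"`, so those VIPs look to be skipped. find_carp_interface() also falls off the end without a return when nothing matches; an explicit `return false;` would match find_ip_interface() above.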
diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc
index 80a2601c..0a0f941 100644
--- a/etc/inc/pfsense-utils.inc
+++ b/etc/inc/pfsense-utils.inc
@@ -139,56 +139,6 @@ function get_tmp_file() {
return "{$g['tmp_path']}/tmp-" . time();
}
-/****f* pfsense-utils/find_number_of_needed_carp_interfaces
- * NAME
- * find_number_of_needed_carp_interfaces
- * INPUTS
- * null
- * RESULT
- * the number of needed carp interfacs
- ******/
-function find_number_of_needed_carp_interfaces() {
- global $config, $g;
- $carp_counter=0;
- if(!$config['virtualip'])
- return 0;
- if(!$config['virtualip']['vip'])
- return 0;
- foreach($config['virtualip']['vip'] as $vip) {
- if($vip['mode'] == "carp")
- $carp_counter++;
- }
- return $carp_counter;
-}
-
-/****f* pfsense-utils/reset_carp
- * NAME
- * reset_carp - resets carp after primary interface changes
- * INPUTS
- * null
- * RESULT
- * null
- ******/
-function reset_carp() {
- $carp_counter=find_number_of_created_carp_interfaces();
- $needed_carp_interfaces = find_number_of_needed_carp_interfaces();
- mwexec("/sbin/sysctl net.inet.carp.allow=0");
- for($x=0; $x<$carp_counter; $x++) {
- mwexec("/sbin/ifconfig carp{$x} down");
- usleep(1000);
- mwexec("/sbin/ifconfig carp{$x} delete");
- if($needed_carp_interfaces < $carp_counter) {
- $needed_carp_interfaces--;
- //log_error("Destroying carp interface.");
- //mwexec("/sbin/ifconfig carp{$x} destroy");
- }
- }
- find_number_of_created_carp_interfaces(true);
- sleep(1);
- mwexec("/sbin/sysctl net.inet.carp.allow=1");
- interfaces_carp_configure();
-}
-
/****f* pfsense-utils/get_dns_servers
* NAME
* get_dns_servres - get system dns servers
@@ -457,126 +407,6 @@ function get_carp_status() {
return true;
}
-/****f* pfsense-utils/is_carp_defined
- * NAME
- * is_carp_defined - Return whether CARP is detected in the kernel.
- * RESULT
- * boolean - true if CARP is detected, false otherwise.
- ******/
-function is_carp_defined() {
- /* is carp compiled into the kernel and userland? */
- $command = "/sbin/sysctl -a | grep carp";
- $fd = popen($command . " 2>&1 ", "r");
- if(!$fd) {
- log_error("Warning, could not execute command {$command}");
- return 0;
- }
- while(!feof($fd)) {
- $tmp .= fread($fd,49);
- }
- fclose($fd);
-
- if($tmp == "")
- return false;
- else
- return true;
-}
-
-/****f* pfsense-utils/find_number_of_created_carp_interfaces
- * NAME
- * find_number_of_created_carp_interfaces - Return the number of CARP interfaces.
- * RESULT
- * $tmp - Number of currently created CARP interfaces.
- ******/
-function find_number_of_created_carp_interfaces($flush = false) {
- global $carp_interface_count_cache;
-
- if (!isset($carp_interface_count_cache) or $flush) {
- $command = "/sbin/ifconfig | /usr/bin/grep \"carp*:\" | /usr/bin/wc -l";
- $fd = popen($command . " 2>&1 ", "r");
- if(!$fd) {
- log_error("Warning, could not execute command {$command}");
- return 0;
- }
- while(!feof($fd)) {
- $tmp .= fread($fd,49);
- }
- fclose($fd);
- $carp_interface_count_cache = intval($tmp);
- }
- return $carp_interface_count_cache;
-}
-
-function link_carp_interface_to_parent($interface) {
- global $config;
-
- if ($interface == "")
- return;
-
- $carp_ip = find_interface_ip($interface);
- if (!is_ipaddr($carp_ip))
- return;
-
- /* if list */
- $ifdescrs = get_configured_interface_list();
- foreach ($ifdescrs as $ifdescr => $ifname) {
- $interfaceip = get_interface_ip($ifname);
- $subnet_bits = get_interface_subnet($ifname);
- $subnet_ip = gen_subnet("{$interfaceip}", "{$subnet_bits}");
- if(ip_in_subnet($carp_ip, "{$subnet_ip}/{$subnet_bits}"))
- return $ifname;
- }
-
- return "";
-}
-
-/****f* pfsense-utils/link_ip_to_carp_interface
- * NAME
- * link_ip_to_carp_interface - Find where a CARP interface links to.
- * INPUTS
- * $ip
- * RESULT
- * $carp_ints
- ******/
-function link_ip_to_carp_interface($ip) {
- global $config;
-
- if (!is_ipaddr($ip))
- return;
-
- $carp_ints = "";
- $num_carp_ints = find_number_of_created_carp_interfaces();
- for ($x=0; $x<$num_carp_ints; $x++) {
- $carp_int = "carp{$x}";
- $carp_ip = find_interface_ip($carp_int);
- $carp_subnet = find_virtual_ip_netmask($carp_ip);
- $starting_ip = gen_subnet("{$carp_ip}", "{$carp_subnet}");
- if (ip_in_subnet($ip, "{$starting_ip}/{$carp_subnet}"))
- if(!stristr($carp_ints, $carp_int))
- $carp_ints .= " " . $carp_int;
- }
-
- return $carp_ints;
-}
-
-/****f* pfsense-utils/find_virtual_ip_netmask
- * NAME
- * find_virtual_ip_netmask - Finds a virtual ip's subnet mask'
- * INPUTS
- * $ip - ip address to locate subnet mask of
- * RESULT
- * String containing the command's result.
- * NOTES
- * This function returns the command's stdout and stderr.
- ******/
-function find_virtual_ip_netmask($ip) {
- global $config;
- foreach($config['virtualip']['vip'] as $vip) {
- if($ip == $vip['subnet'])
- return $vip['subnet_bits'];
- }
-}
-
/*
* convert_ip_to_network_format($ip, $subnet): converts an ip address to network form
@@ -621,26 +451,6 @@ function get_pfsync_interface_status($pfsyncinterface) {
}
/*
- * find_carp_interface($ip): return the carp interface where an ip is defined
- */
-function find_carp_interface($ip) {
- global $find_carp_ifconfig;
- if($find_carp_ifconfig == "") {
- $find_carp_ifconfig = array();
- $num_carp_ints = find_number_of_created_carp_interfaces();
- for($x=0; $x<$num_carp_ints; $x++) {
- $find_carp_ifconfig[$x] = exec_command("/sbin/ifconfig carp{$x}");
- }
- }
- $carps = 0;
- foreach($find_carp_ifconfig as $fci) {
- if(stristr($fci, $ip . " ") == true)
- return "carp{$carps}";
- $carps++;
- }
-}
-
-/*
* add_rule_to_anchor($anchor, $rule): adds the specified rule to an anchor
*/
function add_rule_to_anchor($anchor, $rule, $label) {
@@ -1830,4 +1640,4 @@ function update_alias_names_upon_change($section, $subsection, $fielda, $fieldb,
}
-?> \ No newline at end of file
+?>
diff --git a/etc/inc/priv.defs.inc b/etc/inc/priv.defs.inc
index fadf09b..0a2e8d6 100644
--- a/etc/inc/priv.defs.inc
+++ b/etc/inc/priv.defs.inc
@@ -617,24 +617,12 @@ $priv_list['page-services-dynamicdnsclient']['descr'] = "Allow access to the 'Se
$priv_list['page-services-dynamicdnsclient']['match'] = array();
$priv_list['page-services-dynamicdnsclient']['match'][] = "services_dyndns_edit.php*";
-$priv_list['page-services-proxyarp'] = array();
-$priv_list['page-services-proxyarp']['name'] = "WebCfg - Services: Proxy ARP page";
-$priv_list['page-services-proxyarp']['descr'] = "Allow access to the 'Services: Proxy ARP' page.";
-$priv_list['page-services-proxyarp']['match'] = array();
-$priv_list['page-services-proxyarp']['match'][] = "services_proxyarp.php*";
-
$priv_list['page-services-snmp'] = array();
$priv_list['page-services-snmp']['name'] = "WebCfg - Services: SNMP page";
$priv_list['page-services-snmp']['descr'] = "Allow access to the 'Services: SNMP' page.";
$priv_list['page-services-snmp']['match'] = array();
$priv_list['page-services-snmp']['match'][] = "services_snmp.php*";
-$priv_list['page-services-proxyarp-edit'] = array();
-$priv_list['page-services-proxyarp-edit']['name'] = "WebCfg - Services: Proxy ARP: Edit page";
-$priv_list['page-services-proxyarp-edit']['descr'] = "Allow access to the 'Services: Proxy ARP: Edit' page.";
-$priv_list['page-services-proxyarp-edit']['match'] = array();
-$priv_list['page-services-proxyarp-edit']['match'][] = "services_proxyarp_edit.php*";
-
$priv_list['page-services-rfc2136clients'] = array();
$priv_list['page-services-rfc2136clients']['name'] = "WebCfg - Services: RFC 2136 clients page";
$priv_list['page-services-rfc2136clients']['descr'] = "Allow access to the 'Services: RFC 2136 clients' page.";
@@ -1010,4 +998,4 @@ $priv_list['page-openvpn-csc']['match'][] = "vpn_openvpn_csc.php*";
$priv_rmvd = array();
-?> \ No newline at end of file
+?>
diff --git a/etc/inc/services.inc b/etc/inc/services.inc
index 8034411..2fadd68 100644
--- a/etc/inc/services.inc
+++ b/etc/inc/services.inc
@@ -33,7 +33,7 @@
/*
pfSense_BUILDER_BINARIES: /usr/bin/killall /bin/sh /usr/local/sbin/dhcpd /usr/local/sbin/igmpproxy
pfSense_BUILDER_BINARIES: /sbin/ifconfig /usr/sbin/arp /sbin/ifconfig /usr/local/sbin/dnsmasq
- pfSense_BUILDER_BINARIES: /usr/sbin/bsnmpd /usr/local/sbin/choparp /sbin/route /usr/local/sbin/olsrd
+ pfSense_BUILDER_BINARIES: /usr/sbin/bsnmpd /sbin/route /usr/local/sbin/olsrd
pfSense_BUILDER_BINARIES: /usr/local/sbin/miniupnpd
pfSense_MODULE: utils
*/
@@ -829,56 +829,6 @@ EOD;
return 0;
}
-function services_proxyarp_configure() {
- global $config, $g;
- if(isset($config['system']['developerspew'])) {
- $mt = microtime();
- echo "services_proxyarp_configure() being called $mt\n";
- }
-
- /* kill any running choparp */
- killbyname("choparp");
-
- if (isset($config['virtualip']) && is_array($config['virtualip']['vip'])) {
- $paa = array();
-
- /* group by interface */
- foreach ($config['virtualip']['vip'] as $vipent) {
- if ($vipent['mode'] === "proxyarp") {
- if ($vipent['interface'])
- $if = $vipent['interface'];
- else
- $if = "wan";
-
- if (!is_array($paa[$if]))
- $paa[$if] = array();
-
- $paa[$if][] = $vipent;
- }
- }
-
- if (count($paa))
- foreach ($paa as $paif => $paents) {
- $paaifip = get_interface_ip($paif);
- if (!(is_ipaddr($paaifip)))
- continue;
-
- $args = get_real_interface($paif) . " auto";
-
- foreach ($paents as $paent) {
-
- if (isset($paent['subnet']))
- $args .= " " . escapeshellarg("{$paent['subnet']}/{$paent['subnet_bits']}");
- else if (isset($paent['range']))
- $args .= " " . escapeshellarg($paent['range']['from'] . "-" .
- $paent['range']['to']);
- }
-
- mwexec_bg("/usr/local/sbin/choparp " . $args);
- }
- }
-}
-
function services_dnsupdate_process() {
global $config, $g;
if(isset($config['system']['developerspew'])) {
@@ -1330,4 +1280,4 @@ function upnp_start() {
}
}
-?> \ No newline at end of file
+?>
diff --git a/etc/inc/util.inc b/etc/inc/util.inc
index 77ad536..7db736e 100644
--- a/etc/inc/util.inc
+++ b/etc/inc/util.inc
@@ -339,6 +339,28 @@ function is_valid_shaperbw($val) {
return (preg_match("/^(\d+(?:\.\d+)?)([MKG]?b|%)$/", $val));
}
+/* return the configured carp interface list */
+function get_configured_carp_interface_list() {
+ global $config;
+
+ $iflist = array();
+
+ if(is_array($config['virtualip']['vip'])) {
+ $viparr = &$config['virtualip']['vip'];
+ foreach ($viparr as $vip) {
+ switch ($vip['mode']) {
+ case "carp":
+ case "carpdev-dhcp":
+ $iflist[$vip['carpif']] = $vip['subnet'];
+ interface_carpdev_configure($vip);
+ break;
+ }
+ }
+ }
+
+ return $iflist;
+}
+
/* return the configured interfaces list. */
function get_configured_interface_list($only_opt = false, $withdisabled = false) {
global $config;
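Review bot: `get_configured_carp_interface_list()` is named and commented as a getter, but its `carp`/`carpdev-dhcp` case calls `interface_carpdev_configure($vip)` for every matching VIP. The vpn_ipsec.php and vpn_ipsec_phase1.php hunks of this commit call it while rendering a page, so merely viewing those pages would appear to reconfigure CARP, and plain `carp` entries are sent through the carpdev routine as well. I would drop the call so the case body is only `$iflist[$vip['carpif']] = $vip['subnet'];` and leave configuration to the apply path. Entries without a `carpif` value all collapse onto the empty key, so an `if (!empty($vip['carpif']))` guard is worth adding; the `&` reference on `$viparr` is not needed for a read-only loop.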
diff --git a/etc/rc.bootup b/etc/rc.bootup
index 0ea8a92..ed8af91 100755
--- a/etc/rc.bootup
+++ b/etc/rc.bootup
@@ -267,9 +267,6 @@ services_dnsmasq_configure();
/* start DHCP relay */
services_dhcrelay_configure();
-/* start proxy ARP service */
-services_proxyarp_configure();
-
/* setup pppoe and pptp */
vpn_setup();
diff --git a/usr/local/www/firewall_virtual_ip.php b/usr/local/www/firewall_virtual_ip.php
index e69ab4a..dd4dd2c 100755
--- a/usr/local/www/firewall_virtual_ip.php
+++ b/usr/local/www/firewall_virtual_ip.php
@@ -59,17 +59,29 @@ if ($_POST) {
$pconfig = $_POST;
if ($_POST['apply']) {
+
+ if ($a_vip[$_POST['id']]) {
+ switch ($a_vip[$_POST['id']]['mode']) {
+ case "ipalias":
+ interface_ipalias_configure($a_vip[$_POST['id']]);
+ break;
+ case "proxyarp":
+ services_proxyarp_configure();
+ break;
+ case "carp":
+ interface_carp_configure($a_vip[$_POST['id']]);
+ break;
+ case "carpdev-dhcp":
+ interface_carpdev_configure($a_vip[$_POST['id']]);
+ break;
+ default:
+ break;
+ }
+ }
$retval = 0;
- $retval = services_proxyarp_configure();
- /* Bring up any configured CARP interfaces */
- reset_carp();
$retval |= filter_configure();
- interfaces_ipalias_configure();
- /* reset carp states */
- reset_carp();
- interfaces_carp_configure();
-
$savemsg = get_std_save_message($retval);
+
clear_subsystem_dirty('vip');
}
}
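Review bot: The apply branch now reconfigures only the one entry selected by the client-supplied `$_POST['id']`, yet `clear_subsystem_dirty('vip')` still runs unconditionally. If the id is empty or stale (for example after a delete, or when several VIPs were edited before applying; those paths are outside this hunk, so this is inferred), nothing is applied but the pending-changes flag is cleared. The results of the configure calls are also no longer folded into `$retval`, so `get_std_save_message($retval)` reflects only `filter_configure()`. Consider checking `is_numeric($_POST['id'])` before indexing `$a_vip`, and falling back to reconfiguring every VIP when no valid entry is found.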
@@ -98,7 +110,8 @@ if ($_GET['act'] == "del") {
exit;
}
}
-}
+} else if ($_GET['changes'] == "mods")
+ $id = $_GET['id'];
$pgtitle = array("Firewall","Virtual IP Addresses");
include("head.inc");
@@ -129,6 +142,9 @@ include("head.inc");
?>
</td></tr>
<tr>
+ <td><input type="hidden" id="id" name="id" value="<? echo $id; ?>"></td>
+ </tr>
+ <tr>
<td>
<div id="mainarea">
<table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
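Review bot: The new hidden field prints `$id` unescaped, `value="<? echo $id; ?>"`, and the previous hunk assigns `$id` directly from `$_GET['id']`, so a request parameter reaches an HTML attribute on an admin page without encoding. Escape at the point of output with `value="<?=htmlspecialchars($id);?>"` and accept the parameter only when `is_numeric($_GET['id'])`. `$id` is also undefined when the `changes=mods` branch is not taken, so initialise it before the `act` test. The bare `<?` open tag depends on `short_open_tag`, whereas other pages in this commit use `<?php` and `<?=`.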
diff --git a/usr/local/www/firewall_virtual_ip_edit.php b/usr/local/www/firewall_virtual_ip_edit.php
index f04f297..efe82fb 100755
--- a/usr/local/www/firewall_virtual_ip_edit.php
+++ b/usr/local/www/firewall_virtual_ip_edit.php
@@ -119,7 +119,7 @@ if ($_POST) {
}
}
}
-
+
/* make sure new ip is within the subnet of a valid ip
* on one of our interfaces (wan, lan optX)
*/
@@ -135,22 +135,13 @@ if ($_POST) {
}
if($_POST['password'] == "")
$input_errors[] = "You must specify a CARP password that is shared between the two VHID members.";
- $can_post = true;
- $found = false;
- $subnet_ip = return_first_two_octets($_POST['subnet']);
- $iflist = get_configured_interface_list_by_realif(false, true);
- foreach($iflist as $realif => $if) {
- $ww_subnet_ip = get_interface_ip($if);
- $ww_subnet_bits = get_interface_subnet($if);
- if (ip_in_subnet($_POST['subnet'], gen_subnet($ww_subnet_ip, $ww_subnet_bits) . "/" . $ww_subnet_bits))
- $found = true;
- }
- if($found == false) {
+
+ $parent_ip = get_interface_ip($_POST['interface']);
+ $parent_sn = get_interface_subnet($_POST['interface']);
+ if (!ip_in_subnet($_POST['subnet'], gen_subnet($parent_ip, $parent_sn) . "/" . $parent_sn)) {
$cannot_find = $_POST['subnet'] . "/" . $_POST['subnet_bits'] ;
- $can_post = false;
- }
- if($can_post == false)
$input_errors[] = "Sorry, we could not locate an interface with a matching subnet for {$cannot_find}. Please add an IP alias in this subnet on this interface.";
+ }
}
if (!$input_errors) {
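Review bot: The rewritten subnet check passes `$_POST['interface']` to `get_interface_ip()` and `get_interface_subnet()` and feeds the results to `gen_subnet()` without verifying them. If the posted name is not a configured interface, or the interface has no address yet (what the helpers return in that case is not visible here), the comparison runs against an empty network. A guard such as `if (!is_ipaddr($parent_ip) || !ip_in_subnet($_POST['subnet'], gen_subnet($parent_ip, $parent_sn) . "/" . $parent_sn)) {` keeps the failure explicit. The error text still says no interface could be located, although only the selected interface is now checked. The enclosing `if` block starts outside this hunk.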
@@ -198,7 +189,7 @@ if ($_POST) {
if (isset($id) && $a_vip[$id]) {
if ($_POST['mode'] == "ipalias")
- mwexec("/sbin/ifconfig " . get_real_interface($a_vip[$id]['interface']) . " delete {$a_vip[$id]['subnet']}");
+ interface_vip_bring_down($a_vip[$id]);
/* modify all virtual IP rules with this address */
for ($i = 0; isset($config['nat']['rule'][$i]); $i++) {
if ($config['nat']['rule'][$i]['external-address'] == $a_vip[$id]['subnet'])
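Review bot: The teardown is still guarded by `$_POST['mode'] == "ipalias"`, which is the mode being saved, while `interface_vip_bring_down($a_vip[$id])` acts on the stored entry. An existing IP alias that is changed to another mode would therefore keep its old address, and an entry changed to ipalias is torn down under its previous mode. If `interface_vip_bring_down()` handles every mode (its definition is not in this view), calling it whenever `$a_vip[$id]` exists would be simpler; otherwise test `$a_vip[$id]['mode']` rather than the posted value. The surrounding block continues outside the hunk.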
@@ -212,7 +203,7 @@ if ($_POST) {
write_config();
- header("Location: firewall_virtual_ip.php");
+ header("Location: firewall_virtual_ip.php?changes=mods&id={$id}");
exit;
}
}
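Review bot: `$id` is interpolated into the `Location` header as-is, and for a newly added VIP it is apparently not set (the `isset($id) && $a_vip[$id]` test earlier in this file implies that case; the append itself is outside the hunk). The redirect then carries an empty `id`, leaving the list page's apply step with no entry to act on. Resolve the index of the saved entry before redirecting and encode it, for example `header("Location: firewall_virtual_ip.php?changes=mods&id=" . urlencode($id));`.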
diff --git a/usr/local/www/interfaces.php b/usr/local/www/interfaces.php
index 9e5cef0..930e775 100755
--- a/usr/local/www/interfaces.php
+++ b/usr/local/www/interfaces.php
@@ -239,7 +239,7 @@ if ($_POST['apply']) {
unlink_if_exists("{$g['tmp_path']}/config.cache");
clear_subsystem_dirty('interfaces');
interface_configure($if);
- reset_carp();
+
/* restart snmp so that it binds to correct address */
services_snmpd_configure();
if ($if == "lan")
diff --git a/usr/local/www/services_proxyarp.php b/usr/local/www/services_proxyarp.php
deleted file mode 100755
index 600aa4d..0000000
--- a/usr/local/www/services_proxyarp.php
+++ /dev/null
@@ -1,147 +0,0 @@
-<?php
-/* $Id$ */
-/*
- services_proxyarp.php
- part of pfSense
- Copyright (C) 2004 Scott Ullrich
-
- originally part of m0n0wall (http://m0n0.ch/wall)
- Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-/*
- pfSense_MODULE: proxyarp
-*/
-
-##|+PRIV
-##|*IDENT=page-services-proxyarp
-##|*NAME=Services: Proxy ARP page
-##|*DESCR=Allow access to the 'Services: Proxy ARP' page.
-##|*MATCH=services_proxyarp.php*
-##|-PRIV
-
-require("guiconfig.inc");
-
-if (!is_array($config['proxyarp']['proxyarpnet'])) {
- $config['proxyarp']['proxyarpnet'] = array();
-}
-$a_proxyarp = &$config['proxyarp']['proxyarpnet'];
-
-if ($_POST) {
- $pconfig = $_POST;
-
- $retval = 0;
- $retval = services_proxyarp_configure();
- $savemsg = get_std_save_message($retval);
-
- if ($retval == 0)
- clear_subsystem_dirty('proxyarp');
-}
-
-if ($_GET['act'] == "del") {
- if ($a_proxyarp[$_GET['id']]) {
- unset($a_proxyarp[$_GET['id']]);
- write_config();
- mark_subsystem_dirty('proxyarp');
- header("Location: services_proxyarp.php");
- exit;
- }
-}
-
-$pgtitle = array("Services","Proxy ARP");
-include("head.inc");
-
-?>
-
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php include("fbegin.inc"); ?>
-<form action="services_proxyarp.php" method="post">
-<?php if ($savemsg) print_info_box($savemsg); ?>
-<?php if (is_subsystem_dirty('proxyarp')): ?><p>
-<?php print_info_box_np("The proxy ARP configuration has been changed.<br>You must apply the changes in order for them to take effect.");?><br>
-<?php endif; ?>
- <table width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
- <td width="20%" class="listhdrr">Interface</td>
- <td width="30%" class="listhdrr">Network</td>
- <td width="40%" class="listhdr">Description</td>
- <td width="10%" class="list"></td>
- </tr>
- <?php $i = 0; foreach ($a_proxyarp as $arpent): ?>
- <tr>
- <td class="listlr" ondblclick="document.location='services_proxyarp_edit.php?id=<?=$i;?>';">
- <?php
- if ($arpent['interface']) {
- $iflabels = get_configured_interface_with_descr();
-
- echo htmlspecialchars($iflabels[$arpent['interface']]);
- } else {
- echo "WAN";
- }
- ?>
- </td>
- <td class="listr" ondblclick="document.location='services_proxyarp_edit.php?id=<?=$i;?>';">
- <?php if (isset($arpent['network'])) {
- list($sa,$sn) = explode("/", $arpent['network']);
- if ($sn == 32)
- echo $sa;
- else
- echo $arpent['network'];
- } else if (isset($arpent['range']))
- echo $arpent['range']['from'] . "-" . $arpent['range']['to'];
- ?>&nbsp;
- </td>
- <td class="listbg" ondblclick="document.location='services_proxyarp_edit.php?id=<?=$i;?>';">
- <?=htmlspecialchars($arpent['descr']);?>&nbsp;
- </td>
- <td valign="middle" nowrap class="list">
- <table border="0" cellspacing="0" cellpadding="1">
- <tr>
- <td valign="middle"><a href="services_proxyarp_edit.php?id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0"></a></td>
- <td valign="middle"><a href="services_proxyarp.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this network?')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0"></a></td>
- </tr>
- </table>
- </td>
- </tr>
- <?php $i++; endforeach; ?>
- <tr>
- <td class="list" colspan="3"></td>
- <td class="list">
- <table border="0" cellspacing="0" cellpadding="1">
- <tr>
- <td valign="middle"><a href="services_proxyarp_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td>
- </tr>
- </table>
- </td>
- </tr>
- </table>
- </form>
- <p class="vexpl"><span class="red"><strong>Notes:<br>
- </strong></span>
- *Proxy ARP can be used if you need {$g['product_name']} to send ARP replies on an interface for other IP addresses than its own (e.g. for 1:1, advanced outbound or server NAT). It is not necessary on the WAN interface if you have a subnet routed to you or if you use PPPoE/PPTP, and it only works on the WAN interface if it's configured with a static IP address or DHCP.</p>
- <br>
- *CARP can be a great replacement for proxyarp.
- <?php include("fend.inc"); ?>
-</body>
-</html>
diff --git a/usr/local/www/services_proxyarp_edit.php b/usr/local/www/services_proxyarp_edit.php
deleted file mode 100755
index 55bc239..0000000
--- a/usr/local/www/services_proxyarp_edit.php
+++ /dev/null
@@ -1,283 +0,0 @@
-<?php
-/* $Id$ */
-/*
- services_proxyarp_edit.php
- part of m0n0wall (http://m0n0.ch/wall)
-
- Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-/*
- pfSense_MODULE: proxyarp
-*/
-
-##|+PRIV
-##|*IDENT=page-services-proxyarp-edit
-##|*NAME=Services: Proxy ARP: Edit page
-##|*DESCR=Allow access to the 'Services: Proxy ARP: Edit' page.
-##|*MATCH=services_proxyarp_edit.php*
-##|-PRIV
-
-function proxyarpcmp($a, $b) {
- if (isset($a['network']))
- list($ast,$asn) = explode("/", $a['network']);
- else if (isset($a['range'])) {
- $ast = $a['range']['from'];
- $asn = 32;
- }
- if (isset($b['network']))
- list($bst,$bsn) = explode("/", $b['network']);
- else if (isset($b['range'])) {
- $bst = $b['range']['from'];
- $bsn = 32;
- }
- if (ipcmp($ast, $bst) == 0)
- return ($asn - $bsn);
- else
- return ipcmp($ast, $bst);
-}
-
-function proxyarp_sort() {
- global $config;
-
- usort($config['proxyarp']['proxyarpnet'], "proxyarpcmp");
-}
-
-require("guiconfig.inc");
-
-if (!is_array($config['proxyarp']['proxyarpnet'])) {
- $config['proxyarp']['proxyarpnet'] = array();
-}
-proxyarp_sort();
-$a_proxyarp = &$config['proxyarp']['proxyarpnet'];
-
-$id = $_GET['id'];
-if (isset($_POST['id']))
- $id = $_POST['id'];
-
-if (isset($id) && $a_proxyarp[$id]) {
- if ($a_proxyarp[$id]['interface'])
- $pconfig['interface'] = $a_proxyarp[$id]['interface'];
- else
- $pconfig['interface'] = "wan";
- if (isset($a_proxyarp[$id]['network']))
- list($pconfig['subnet'], $pconfig['subnet_bits']) = explode("/", $a_proxyarp[$id]['network']);
- else if (isset($a_proxyarp[$id]['range'])) {
- $pconfig['range_from'] = $a_proxyarp[$id]['range']['from'];
- $pconfig['range_to'] = $a_proxyarp[$id]['range']['to'];
- }
- $pconfig['descr'] = $a_proxyarp[$id]['descr'];
-} else {
- $pconfig['interface'] = "wan";
- $pconfig['subnet_bits'] = 32;
-}
-
-if ($_POST) {
-
- unset($input_errors);
- $pconfig = $_POST;
-
- /* input validation */
- if ($_POST['type'] == "single") {
- $reqdfields = explode(" ", "subnet");
- $reqdfieldsn = explode(",", "Address");
- $_POST['subnet_bits'] = 32;
- } else if ($_POST['type'] == "network") {
- $reqdfields = explode(" ", "subnet subnet_bits");
- $reqdfieldsn = explode(",", "Network,Network mask");
- } else if ($_POST['type'] == "range") {
- $reqdfields = explode(" ", "range_from range_to");
- $reqdfieldsn = explode(",", "Range start,Range end");
- }
-
- do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
-
- if ((($_POST['type'] != "range") && $_POST['subnet'] && !is_ipaddr($_POST['subnet']))) {
- $input_errors[] = "A valid address must be specified.";
- }
- if ((($_POST['type'] == "range") && $_POST['range_from'] && !is_ipaddr($_POST['range_from']))) {
- $input_errors[] = "A valid range start must be specified.";
- }
- if ((($_POST['type'] == "range") && $_POST['range_to'] && !is_ipaddr($_POST['range_to']))) {
- $input_errors[] = "A valid range end must be specified.";
- }
-
- /* check for overlaps */
- foreach ($a_proxyarp as $arpent) {
- if (isset($id) && ($a_proxyarp[$id]) && ($a_proxyarp[$id] === $arpent))
- continue;
-
- if (($_POST['type'] == "range") && isset($arpent['range'])) {
- if (($_POST['range_from'] == $arpent['range']['from']) &&
- ($_POST['range_to'] == $arpent['range']['to'])) {
- $input_errors[] = "This range already exists.";
- break;
- }
- } else if (isset($arpent['network'])) {
- if (($arpent['network'] == "{$_POST['subnet']}/{$_POST['subnet_bits']}")) {
- $input_errors[] = "This network already exists.";
- break;
- }
- }
- }
-
- if (!$input_errors) {
- $arpent = array();
- $arpent['interface'] = $_POST['interface'];
- if ($_POST['type'] == "range") {
- $arpent['range']['from'] = $_POST['range_from'];
- $arpent['range']['to'] = $_POST['range_to'];
- } else
- $arpent['network'] = $_POST['subnet'] . "/" . $_POST['subnet_bits'];
- $arpent['descr'] = $_POST['descr'];
-
- proxyarp_sort();
- if (isset($id) && $a_proxyarp[$id])
- $a_proxyarp[$id] = $arpent;
- else
- $a_proxyarp[] = $arpent;
-
- mark_subsystem_dirty('proxyarp');
-
- write_config();
-
- header("Location: services_proxyarp.php");
- exit;
- }
-}
-
-$pgtitle = array("Services","Proxy ARP","Edit");
-include("head.inc");
-
-?>
-
-<script language="JavaScript">
-<!--
-function typesel_change() {
- switch (document.iform.type.selectedIndex) {
- case 0: // single
- document.iform.subnet.disabled = 0;
- document.iform.subnet_bits.disabled = 1;
- document.iform.range_from.disabled = 1;
- document.iform.range_to.disabled = 1;
- break;
- case 1: // network
- document.iform.subnet.disabled = 0;
- document.iform.subnet_bits.disabled = 0;
- document.iform.range_from.disabled = 1;
- document.iform.range_to.disabled = 1;
- break;
- case 2: // range
- document.iform.subnet.disabled = 1;
- document.iform.subnet_bits.disabled = 1;
- document.iform.range_from.disabled = 0;
- document.iform.range_to.disabled = 0;
- break;
- }
-}
-//-->
-</script>
-
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php include("fbegin.inc"); ?>
-<?php if ($input_errors) print_input_errors($input_errors); ?>
- <form action="services_proxyarp_edit.php" method="post" name="iform" id="iform">
- <table width="100%" border="0" cellpadding="6" cellspacing="0">
- <tr>
- <td width="22%" valign="top" class="vncellreq">Interface</td>
- <td width="78%" class="vtable">
- <select name="interface" class="formselect">
- <?php
- $interfaces = get_configured_interface_with_descr();
- foreach ($interfaces as $iface => $ifacename): ?>
- <option value="<?=$iface;?>" <?php if ($iface == $pconfig['interface']) echo "selected"; ?>>
- <?=htmlspecialchars($ifacename);?>
- </option>
- <?php endforeach; ?>
- </select> </td>
- </tr>
- <tr>
- <td valign="top" class="vncellreq">Network</td>
- <td class="vtable">
- <table border="0" cellspacing="0" cellpadding="0">
- <tr>
- <td>Type:&nbsp;&nbsp;</td>
- <td><select name="type" class="formselect" onChange="typesel_change()">
- <option value="single" <?php if (!$pconfig['range_from'] && $pconfig['subnet_bits'] == 32) echo "selected"; ?>>
- Single address</option>
- <option value="network" <?php if (!$pconfig['range_from'] && $pconfig['subnet_bits'] != 32) echo "selected"; ?>>
- Network</option>
- <option value="range" <?php if ($pconfig['range_from']) echo "selected"; ?>>
- Range</option>
- </select></td>
- </tr>
- <tr>
- <td>Address:&nbsp;&nbsp;</td>
- <td><input name="subnet" type="text" class="formfld unknown" id="subnet" size="20" value="<?=htmlspecialchars($pconfig['subnet']);?>">
- /
- <select name="subnet_bits" class="formselect" id="select">
- <?php for ($i = 31; $i >= 0; $i--): ?>
- <option value="<?=$i;?>" <?php if ($i == $pconfig['subnet_bits']) echo "selected"; ?>>
- <?=$i;?>
- </option>
- <?php endfor; ?>
- </select>
- </td>
- </tr>
- <tr>
- <td>Range:&nbsp;&nbsp;</td>
- <td><input name="range_from" type="text" class="formfld unknown" id="range_from" size="20" value="<?=htmlspecialchars($pconfig['range_from']);?>">
--
- <input name="range_to" type="text" class="formfld unknown" id="range_to" size="20" value="<?=htmlspecialchars($pconfig['range_to']);?>">
- </td>
- </tr>
- </table>
- </td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncell">Description</td>
- <td width="78%" class="vtable">
- <input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>">
- <br> <span class="vexpl">You may enter a description here
- for your reference (not parsed).</span></td>
- </tr>
- <tr>
- <td width="22%" valign="top">&nbsp;</td>
- <td width="78%">
- <input name="Submit" type="submit" class="formbtn" value="Save"> <input class="formbtn" type="button" value="Cancel" onclick="history.back()">
- <?php if (isset($id) && $a_proxyarp[$id]): ?>
- <input name="id" type="hidden" value="<?=$id;?>">
- <?php endif; ?>
- </td>
- </tr>
- </table>
-</form>
-<script language="JavaScript">
-<!--
-typesel_change();
-//-->
-</script>
-<?php include("fend.inc"); ?>
-</body>
-</html>
diff --git a/usr/local/www/status_services.php b/usr/local/www/status_services.php
index 108a191..77b5994 100755
--- a/usr/local/www/status_services.php
+++ b/usr/local/www/status_services.php
@@ -292,13 +292,6 @@ if(isset($config['snmpd']['enable'])) {
unset($pconfig);
}
-if(isset($config['proxyarp']['proxyarpnet'])) {
- $pconfig['name'] = "choparp";
- $pconfig['description'] = "Proxy ARP";
- $services[] = $pconfig;
- unset($pconfig);
-}
-
if (count($config['igmpproxy']['igmpentry']) > 0) {
$pconfig['name'] = "igmpproxy";
$pconfig['descritption'] = "IGMP proxy";
diff --git a/usr/local/www/vpn_ipsec.php b/usr/local/www/vpn_ipsec.php
index 8e7ab85..9eb6ac1 100755
--- a/usr/local/www/vpn_ipsec.php
+++ b/usr/local/www/vpn_ipsec.php
@@ -182,11 +182,9 @@ include("head.inc");
<?php
if ($ph1ent['interface']) {
$iflabels = get_configured_interface_with_descr();
- $carpips = find_number_of_needed_carp_interfaces();
- for( $j=0; $j<$carpips; $j++ ) {
- $carpip = find_interface_ip("carp" . $j);
- $iflabels['carp' . $j] = "CARP{$j} ({$carpip})";
- }
+ $carplist = get_configured_carp_interface_list();
+ foreach ($carplist as $cif => $carpip)
+ $iflabels[$cif] = strtoupper($cif) . " ({$carpip})";
$if = htmlspecialchars($iflabels[$ph1ent['interface']]);
}
else
diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php
index b1f7a1a..e45948f 100644
--- a/usr/local/www/vpn_ipsec_phase1.php
+++ b/usr/local/www/vpn_ipsec_phase1.php
@@ -471,11 +471,9 @@ function dpdchkbox_change() {
<select name="interface" class="formselect">
<?php
$interfaces = get_configured_interface_with_descr();
- $carpips = find_number_of_needed_carp_interfaces();
- for ($i=0; $i<$carpips; $i++) {
- $carpip = find_interface_ip("carp" . $i);
- $interfaces['carp' . $i] = "CARP{$i} ({$carpip})";
- }
+ $carplist = get_configured_carp_interface_list();
+ foreach ($carplist as $cif => $carpip)
+ $interfaces[$cif] = strtoupper($cif) . " ({$carpip})";
foreach ($interfaces as $iface => $ifacename):
?>
<option value="<?=$iface;?>" <?php if ($iface == $pconfig['interface']) echo "selected"; ?>>
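Review bot: The keys merged into `$interfaces` now come from the `carpif` field of the saved configuration rather than from a generated `'carp' . $i` string, and the unchanged `<option value="<?=$iface;?>"` line prints that key without encoding. Configuration data is normally trusted, but escaping here is cheap: `<option value="<?=htmlspecialchars($iface);?>"`. Whether the label is escaped cannot be seen, because the `foreach` body continues outside the hunk. As in vpn_ipsec.php, the getter used here also triggers interface configuration during page rendering.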
diff --git a/usr/local/www/widgets/widgets/services_status.widget.php b/usr/local/www/widgets/widgets/services_status.widget.php
index 714d912..ed47fb7 100644
--- a/usr/local/www/widgets/widgets/services_status.widget.php
+++ b/usr/local/www/widgets/widgets/services_status.widget.php
@@ -102,13 +102,6 @@ if(isset($config['snmpd']['enable'])) {
unset($pconfig2);
}
-if(isset($config['proxyarp']['proxyarpnet'])) {
- $pconfig2['name'] = "choparp";
- $pconfig2['description'] = "Proxy Arp";
- $services[] = $pconfig2;
- unset($pconfig2);
-}
-
if($config['installedpackages']['miniupnpd']['config'][0]['enable']) {
$pconfig2['name'] = "miniupnpd";
$pconfig2['description'] = gettext("UPnP Service");