authorEvgeny Yurchenko <ey@tm-k.com>2011-06-05 15:17:09 -0400
committerEvgeny Yurchenko <ey@tm-k.com>2011-06-05 15:17:09 -0400
commit8527bc02a6b8b1ce89dbeeb0e333747419224b90 (patch)
tree6ad590303605aa44b7f39d95e3696479ff4a888a
parent17d5077f61d963178f47e016b8768b768800ba68 (diff)
parentcf3711855b031d5c979188b5ebcd58e08879efe2 (diff)
downloadpfsense-8527bc02a6b8b1ce89dbeeb0e333747419224b90.zip
pfsense-8527bc02a6b8b1ce89dbeeb0e333747419224b90.tar.gz
Merge remote branch 'origin/master'
-rw-r--r--etc/inc/filter.inc6
-rw-r--r--etc/inc/openvpn.inc13
-rw-r--r--etc/inc/pkg-utils.inc6
-rw-r--r--etc/inc/vpn.inc6
-rwxr-xr-xetc/rc.restart_webgui9
-rwxr-xr-xusr/local/www/diag_backup.php11
-rwxr-xr-xusr/local/www/interfaces.php4
-rwxr-xr-xusr/local/www/status_interfaces.php2
-rw-r--r--usr/local/www/system_camanager.php2
-rw-r--r--usr/local/www/system_certmanager.php2
-rwxr-xr-xusr/local/www/vpn_ipsec.php3
-rw-r--r--usr/local/www/vpn_ipsec_phase1.php18
-rw-r--r--usr/local/www/vpn_openvpn_client.php12
-rw-r--r--usr/local/www/vpn_openvpn_server.php16
14 files changed, 86 insertions, 24 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index e5e173c..0988093 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1384,6 +1384,12 @@ function filter_nat_rules_generate() {
}
}
}
+ /* IPsec mode_cfg subnet */
+ if (isset($config['ipsec']['client']['enable']) &&
+ !empty($config['ipsec']['client']['pool_address']) &&
+ !empty($config['ipsec']['client']['pool_netbits'])) {
+ $tonathosts .= "{$config['ipsec']['client']['pool_address']}/{$config['ipsec']['client']['pool_netbits']} ";
+ }
$natrules .= "\n# Subnets to NAT \n";
$tonathosts .= "127.0.0.0/8 ";
if($numberofnathosts > 4) {
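Review bot: The mode_cfg pool is appended to `$tonathosts` without touching `$numberofnathosts`, which the check on the next line uses to decide how the host list is emitted; if that counter is meant to mirror the number of entries in the list, the new subnet is missing from it (the `127.0.0.0/8` entry just above is also uncounted, so this may be deliberate, but worth confirming). The two pool values are interpolated straight into pf rule text; they come from the stored config rather than the request, so the place to enforce that `pool_address` is an address and `pool_netbits` a prefix length is the mobile clients form, and a short note here would record that assumption, e.g. `/* pool_address/pool_netbits are assumed validated by the mobile clients page */`. filter_nat_rules_generate begins and ends outside the hunk.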
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index 7f82975..edd22be 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -367,8 +367,8 @@ function openvpn_reconfigure($mode, $settings) {
// server specific settings
if ($mode == 'server') {
- list($ip, $mask) = explode('/', $settings['tunnel_network']);
- $mask = gen_subnet_mask($mask);
+ list($ip, $cidr) = explode('/', $settings['tunnel_network']);
+ $mask = gen_subnet_mask($cidr);
// configure tls modes
switch($settings['mode']) {
@@ -383,8 +383,13 @@ function openvpn_reconfigure($mode, $settings) {
// configure p2p/server modes
switch($settings['mode']) {
case 'p2p_tls':
- $conf .= "server {$ip} {$mask}\n";
- $conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n";
+ // If the CIDR is less than a /30, OpenVPN will complain if you try to
+ // use the server directive. It works for a single client without it.
+ // See ticket #1417
+ if ($cidr < 30) {
+ $conf .= "server {$ip} {$mask}\n";
+ $conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n";
+ }
case 'p2p_shared_key':
$baselong = ip2long32($ip) & ip2long($mask);
$ip1 = long2ip32($baselong + 1);
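Review bot: The comment above the new `if` reads backwards relative to the condition: `$cidr < 30` emits the `server` directive for networks larger than a /30, so it is /30 and smaller tunnels that skip it, while the comment says OpenVPN complains for "less than a /30". Suggest `// /30 and smaller tunnels carry a single client; OpenVPN rejects the "server" directive for them (ticket #1417)`. `$cidr` is the raw string from `explode`, and the comparison works only because PHP coerces numeric strings, so `(int)$cidr` would make the intent explicit; a `tunnel_network` without a `/` leaves `$cidr` unset and silently skips the directive. The case still falls through into `p2p_shared_key` as it did before, and now that the case body holds a conditional a `// fall through` comment would make that visible. openvpn_reconfigure continues outside the hunk.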
diff --git a/etc/inc/pkg-utils.inc b/etc/inc/pkg-utils.inc
index 070dade..ebc2df2 100644
--- a/etc/inc/pkg-utils.inc
+++ b/etc/inc/pkg-utils.inc
@@ -141,10 +141,10 @@ function get_pkg_id($pkg_name) {
/****f* pkg-utils/get_pkg_info
* NAME
- * get_pkg_info - Retrive package information from pfsense.com.
+ * get_pkg_info - Retrieve package information from pfsense.com.
* INPUTS
- * $pkgs - 'all' to retrive all packages, an array containing package names otherwise
- * $info - 'all' to retrive all information, an array containing keys otherwise
+ * $pkgs - 'all' to retrieve all packages, an array containing package names otherwise
+ * $info - 'all' to retrieve all information, an array containing keys otherwise
* RESULT
* $raw_versions - Array containing retrieved information, indexed by package name.
******/
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 2411caf..5e014fd 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -481,7 +481,7 @@ function vpn_ipsec_configure($ipchg = false)
$natt = $ph1ent['nat_traversal'];
$init = "on";
- $genp = "off";
+ $genp = !empty($ph1ent['generate_policy']) ? $ph1ent['generate_policy'] : "off";
$pcheck = !empty($ph1ent['proposal_check']) ? $ph1ent['proposal_check'] : $pcheck = "claim";
$passive = "";
if (isset($ph1ent['mobile'])) {
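Review bot: The same `!empty($ph1ent['generate_policy']) ? $ph1ent['generate_policy'] : ...` lookup is now written three times (here and on the two changed lines of the next hunk) with only the fallback differing, so every further mode branch will repeat it; `$genp = empty($ph1ent['generate_policy']) ? "off" : $ph1ent['generate_policy'];` reads more directly, and the override could be captured once above the mode checks with only the per-mode default assigned in each branch. The value is written into the racoon configuration as stored, which relies on the phase1 form limiting it to the values its select offers; this commit adds no such check on the form side, so a comment here recording the expectation would help, e.g. `/* generate_policy: on/off/require/unique, or empty for the per-mode default */`. vpn_ipsec_configure begins and ends outside the hunk.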
@@ -490,10 +490,10 @@ function vpn_ipsec_configure($ipchg = false)
/* Mimic 1.2.3's behavior for pure-psk mobile tunnels */
if ($ph1ent['authentication_method'] == "pre_shared_key") {
$pcheck = !empty($ph1ent['proposal_check']) ? $ph1ent['proposal_check'] : $pcheck = "obey";
- $genp = "on";
+ $genp = !empty($ph1ent['generate_policy']) ? $ph1ent['generate_policy'] : "on";
} else {
$init = "off";
- $genp = "unique";
+ $genp = !empty($ph1ent['generate_policy']) ? $ph1ent['generate_policy'] : "unique";
}
}
diff --git a/etc/rc.restart_webgui b/etc/rc.restart_webgui
index 463f934..e74f201 100755
--- a/etc/rc.restart_webgui
+++ b/etc/rc.restart_webgui
@@ -8,10 +8,15 @@ require("shaper.inc");
require("captiveportal.inc");
require("rrd.inc");
-mwexec("killall -9 lighttpd");
-
echo "Restarting webConfigurator...";
+sigkillbyname("lighttpd", "INT");
+
+while (is_process_running("lighttpd")) {
+ echo '.';
+ sleep(1);
+}
+
system_webgui_start();
captiveportal_init_webgui();
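Review bot: The new `while (is_process_running("lighttpd"))` loop has no upper bound, so if lighttpd ignores or is slow to act on the INT signal this script prints dots forever and the web GUI is never restarted, whereas the removed `killall -9` always completed. Bound the wait and fall back to the forced kill the script used before once the grace period expires; the rewritten lines are below.
```php
sigkillbyname("lighttpd", "INT");

// Give lighttpd a bounded grace period to exit cleanly, then fall back to
// the forced kill this script used before so a hung daemon cannot stall it.
$waited = 0;
while (is_process_running("lighttpd")) {
    if (++$waited > 10) {  // seconds; pick whatever the GUI can tolerate
        mwexec("killall -9 lighttpd");
        break;
    }
    echo '.';
    sleep(1);
}
// … unchanged: system_webgui_start(), captiveportal_init_webgui() …
```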
diff --git a/usr/local/www/diag_backup.php b/usr/local/www/diag_backup.php
index 598f4d6..9d28375 100755
--- a/usr/local/www/diag_backup.php
+++ b/usr/local/www/diag_backup.php
@@ -158,6 +158,8 @@ if ($_POST) {
$mode = "restore";
else if (stristr($_POST['Submit'], gettext("Reinstall")))
$mode = "reinstallpackages";
+ else if (stristr($_POST['Submit'], gettext("Clear Package Lock")))
+ $mode = "clearpackagelock";
else if (stristr($_POST['Submit'], gettext("Download")))
$mode = "download";
else if (stristr($_POST['Submit'], gettext("Restore version")))
@@ -470,6 +472,9 @@ if ($_POST) {
header("Location: pkg_mgr_install.php?mode=reinstallall");
exit;
+ } else if ($mode == "clearpackagelock") {
+ clear_subsystem_dirty('packagelock');
+ $savemsg = "Package Lock Cleared";
} else if ($mode == "restore_ver") {
$input_errors[] = gettext("XXX - this feature may hose your config (do NOT backrev configs!) - billm");
if ($ver2restore <> "") {
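Review bot: The new `$savemsg = "Package Lock Cleared";` is the only user-facing string in this handler not passed through `gettext()`, while the message two lines below is; suggest `$savemsg = gettext("Package Lock Cleared");`. The branch clears the lock unconditionally, which is fine for an explicit operator action, though a log line noting that the lock was cleared by hand would make a later stuck-install investigation easier. The enclosing `if ($_POST)` block begins and ends outside the hunk.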
@@ -655,13 +660,17 @@ function backuparea_change(obj) {
<td colspan="2" class="list" height="12">&nbsp;</td>
</tr>
<tr>
- <td colspan="2" class="listtopic"><?=gettext("Reinstall packages"); ?></td>
+ <td colspan="2" class="listtopic"><?=gettext("Package Functions"); ?></td>
</tr>
<tr>
<td width="22%" valign="baseline" class="vncell">&nbsp;</td>
<td width="78%" class="vtable">
<p><?=gettext("Click this button to reinstall all system packages. This may take a while."); ?> <br /><br />
<input name="Submit" type="submit" class="formbtn" id="reinstallpackages" value="<?=gettext("Reinstall packages"); ?>">
+ <br/>
+ <br/>
+ <p><?=gettext("Click this button to clear the package lock if a package fails to reinstall properly after an upgrade."); ?> <br /><br />
+ <input name="Submit" type="submit" class="formbtn" id="clearpackagelock" value="<?=gettext("Clear Package Lock"); ?>">
</td>
</tr>
<?php } ?>
diff --git a/usr/local/www/interfaces.php b/usr/local/www/interfaces.php
index fc905b4..b37b6cb 100755
--- a/usr/local/www/interfaces.php
+++ b/usr/local/www/interfaces.php
@@ -1152,7 +1152,7 @@ $types = array("none" => gettext("None"), "static" => gettext("Static"), "dhcp"
<?php endif; ?>
<br>
<?=gettext("This field can be used to modify (\"spoof\") the MAC " .
- "address of the WAN interface"); ?><br>
+ "address of this interface"); ?><br>
<?=gettext("(may be required with some cable connections)"); ?><br>
<?=gettext("Enter a MAC address in the following format: xx:xx:xx:xx:xx:xx " .
"or leave blank"); ?>
@@ -1201,7 +1201,7 @@ $types = array("none" => gettext("None"), "static" => gettext("Static"), "dhcp"
}
}
echo '</select><br>';
- echo gettext("Here you can explicitely set up speed and duplex mode for the interface.");
+ echo gettext("Here you can explicitly set speed and duplex mode for this interface. WARNING: You MUST leave this set to autonegotiate unless the port this interface connects to has its speed and duplex forced.");
echo '</div>';
echo '</td>';
echo '</tr>';
diff --git a/usr/local/www/status_interfaces.php b/usr/local/www/status_interfaces.php
index 6c98a34..db88536 100755
--- a/usr/local/www/status_interfaces.php
+++ b/usr/local/www/status_interfaces.php
@@ -180,7 +180,7 @@ include("head.inc");
<?php
$mac=$ifinfo['macaddr'];
$mac_hi = strtoupper($mac[0] . $mac[1] . $mac[3] . $mac[4] . $mac[6] . $mac[7]);
- if(isset($mac_man[$mac_hi])){ print "<span title=\"$mac\">" . htmlspecialchars($mac_man[$mac_hi]); print "</span>"; }
+ if(isset($mac_man[$mac_hi])){ print "<span>" . $mac . " - " . htmlspecialchars($mac_man[$mac_hi]); print "</span>"; }
else {print htmlspecialchars($mac);}
?>
</td>
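Review bot: The new line prints `$mac` into the span without `htmlspecialchars()`, while the `else` branch directly below escapes the same value; keep the two consistent with `print "<span>" . htmlspecialchars($mac) . " - " . htmlspecialchars($mac_man[$mac_hi]); print "</span>";`. `$mac` is read from `$ifinfo['macaddr']`, which presumably reflects the interface rather than a request, so the practical exposure is low, but escaping every value at output is the convention this file otherwise follows. The `title` attribute is dropped at the same time, so the vendor name now appears inline rather than on hover, which looks intended.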
diff --git a/usr/local/www/system_camanager.php b/usr/local/www/system_camanager.php
index e1b83f2..5541f83 100644
--- a/usr/local/www/system_camanager.php
+++ b/usr/local/www/system_camanager.php
@@ -92,6 +92,8 @@ if ($act == "del") {
unset($a_ca[$id]);
write_config();
$savemsg = sprintf(gettext("Certificate Authority %s and its CRLs (if any) successfully deleted"), $name) . "<br/>";
+ pfSenseHeader("system_camanager.php");
+ exit;
}
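Review bot: `$savemsg` is assigned on the line above the new `pfSenseHeader()` call and then discarded, because `exit` runs before the page renders it, so the "successfully deleted" confirmation is never shown; the same dead assignment is left in the system_certmanager.php hunk. Either drop the assignment or carry the message across the redirect the way other pfSense pages do. Redirecting after the delete is the right move, since `act=del` arrives by GET and a browser refresh would otherwise repeat the deletion, assuming `$id` is re-read from the query string (that part of the handler is outside the hunk).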
if ($act == "edit") {
diff --git a/usr/local/www/system_certmanager.php b/usr/local/www/system_certmanager.php
index cc1c65a..470f0cd 100644
--- a/usr/local/www/system_certmanager.php
+++ b/usr/local/www/system_certmanager.php
@@ -94,6 +94,8 @@ if ($act == "del") {
unset($a_cert[$id]);
write_config();
$savemsg = sprintf(gettext("Certificate %s successfully deleted"), $name) . "<br/>";
+ pfSenseHeader("system_certmanager.php");
+ exit;
}
if ($act == "new") {
diff --git a/usr/local/www/vpn_ipsec.php b/usr/local/www/vpn_ipsec.php
index 465c607..54ed505 100755
--- a/usr/local/www/vpn_ipsec.php
+++ b/usr/local/www/vpn_ipsec.php
@@ -375,6 +375,9 @@ include("head.inc");
<a href="vpn_ipsec.php?act=delph2&p2index=<?=$j;?>" onclick="return confirm('<?=gettext("Do you really want to delete this phase2 entry?"); ?>')">
<img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="<?=gettext("delete phase2 entry"); ?>" width="17" height="17" border="0">
</a>
+ <a href="vpn_ipsec_phase2.php?dup=<?=$j;?>">
+ <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="<?=gettext("add a new Phase 2 based on this one"); ?>" width="17" height="17" border="0">
+ </a>
</td>
</tr>
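Review bot: The new link sends `dup=<?=$j;?>` to vpn_ipsec_phase2.php, but that file is not part of this commit, so the icon only works if that page already handles a `dup` parameter; otherwise it opens an unrelated form, so this is worth confirming. `$j` appears to be the phase2 loop index and is emitted unescaped just as the neighbouring delete link does, which is fine if it is an integer. The enclosing loop begins and ends outside the hunk.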
diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php
index 12bb235..69cb438 100644
--- a/usr/local/www/vpn_ipsec_phase1.php
+++ b/usr/local/www/vpn_ipsec_phase1.php
@@ -89,6 +89,7 @@ if (isset($p1index) && $a_phase1[$p1index]) {
$pconfig['dhgroup'] = $a_phase1[$p1index]['dhgroup'];
$pconfig['lifetime'] = $a_phase1[$p1index]['lifetime'];
$pconfig['authentication_method'] = $a_phase1[$p1index]['authentication_method'];
+ $pconfig['generate_policy'] = $a_phase1[$p1index]['generate_policy'];
$pconfig['proposal_check'] = $a_phase1[$p1index]['proposal_check'];
if (($pconfig['authentication_method'] == "pre_shared_key") ||
@@ -307,6 +308,7 @@ if ($_POST) {
$ph1ent['certref'] = $pconfig['certref'];
$ph1ent['caref'] = $pconfig['caref'];
$ph1ent['authentication_method'] = $pconfig['authentication_method'];
+ $ph1ent['generate_policy'] = $pconfig['generate_policy'];
$ph1ent['proposal_check'] = $pconfig['proposal_check'];
$ph1ent['descr'] = $pconfig['descr'];
$ph1ent['nat_traversal'] = $pconfig['nat_traversal'];
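Review bot: `$pconfig['generate_policy']` is stored straight from the submitted form with no check that it is one of the values the select offers (on/off/require/unique, or empty), and the vpn.inc hunk then writes whatever was stored into the racoon configuration; add a whitelist check to the input validation section of this POST handler, e.g. `if (!empty($_POST['generate_policy']) && !in_array($_POST['generate_policy'], array("on", "off", "require", "unique"))) $input_errors[] = gettext("Invalid value for Policy Generation.");`. The neighbouring `proposal_check` field may have the same gap, but that is pre-existing. The validation section and the rest of the enclosing `if ($_POST)` block are outside the hunk.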
@@ -644,6 +646,22 @@ function dpdchkbox_change() {
</span>
</td>
</tr>
+ <tr id="generate_policy">
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("Policy Generation"); ?></td>
+ <td width="78%" class="vtable">
+ <select name="generate_policy" class="formselect">
+ <option value="" <?php if (empty($pconfig['generate_policy'])) echo "selected"; ?>>Default</option>
+ <option value="on" <?php if ($pconfig['generate_policy'] == "on") echo "selected"; ?>>On</option>
+ <option value="off" <?php if ($pconfig['generate_policy'] == "off") echo "selected"; ?>>Off</option>
+ <option value="require" <?php if ($pconfig['generate_policy'] == "require") echo "selected"; ?>>Require</option>
+ <option value="unique" <?php if ($pconfig['generate_policy'] == "unique") echo "selected"; ?>>Unique</option>
+ </select>
+ <br>
+ <span class="vexpl">
+ <?=gettext("When working as a responder (as with mobile clients), this controls how policies are generated based on SA proposals."); ?>
+ </span>
+ </td>
+ </tr>
<tr id="proposal_check">
<td width="22%" valign="top" class="vncellreq"><?=gettext("Proposal Checking"); ?></td>
<td width="78%" class="vtable">
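Review bot: The option labels `Default`, `On`, `Off`, `Require` and `Unique` are the only literal UI strings in the new row not wrapped in `gettext()`, unlike the row heading and the help text beneath the select; `<?=gettext("Default"); ?>` and so on keep the row translatable. The four `==` comparisons read `$pconfig['generate_policy']` even when it was never set (a new entry), which emits an undefined-index notice if notices are reported; a single `$gp = isset($pconfig['generate_policy']) ? $pconfig['generate_policy'] : "";` above the select, then comparing `$gp`, avoids that. The enclosing form runs past the hunk on both sides.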
diff --git a/usr/local/www/vpn_openvpn_client.php b/usr/local/www/vpn_openvpn_client.php
index f1171a0..eb9e078 100644
--- a/usr/local/www/vpn_openvpn_client.php
+++ b/usr/local/www/vpn_openvpn_client.php
@@ -350,10 +350,6 @@ function autotls_change() {
<?php
if (!$savemsg)
$savemsg = "";
-if (count($a_ca) == 0)
- $savemsg .= "You have no Certificate Authorities defined. You must visit the <a href=\"system_camanager.php\">Certificate Manager</a> to make one.";
-if (count($a_cert) == 0)
- $savemsg .= "<br/>You have no Certificates defined. You must visit the <a href=\"system_camanager.php\">Certificate Manager</a> to make one.";
if ($input_errors)
print_input_errors($input_errors);
@@ -632,6 +628,7 @@ if ($savemsg)
<tr id="tls_ca">
<td width="22%" valign="top" class="vncellreq"><?=gettext("Peer Certificate Authority"); ?></td>
<td width="78%" class="vtable">
+ <?php if (count($a_ca)): ?>
<select name='caref' class="formselect">
<?php
foreach ($a_ca as $ca):
@@ -642,11 +639,15 @@ if ($savemsg)
<option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['descr'];?></option>
<?php endforeach; ?>
</select>
+ <?php else: ?>
+ <b>No Certificate Authorities defined.</b> <br/>Create one under <a href="system_camanager.php">System &gt; Cert Manager</a>.
+ <?php endif; ?>
</td>
</tr>
<tr id="tls_cert">
<td width="22%" valign="top" class="vncellreq"><?=gettext("Client Certificate"); ?></td>
<td width="78%" class="vtable">
+ <?php if (count($a_cert)): ?>
<select name='certref' class="formselect">
<?php
foreach ($a_cert as $cert):
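Review bot: When `$a_ca` is empty the `caref` select is no longer rendered at all, so a submitted form carries no `caref` field; unless the POST handler (outside this hunk) already rejects a missing CA for TLS modes, the save path will read an undefined `$_POST['caref']`. The same applies to `certref` in the next hunk and to the `caref`, `crlref` and `certref` blocks added in vpn_openvpn_server.php. The replacement text `No Certificate Authorities defined.` and its link are literal strings beside gettext()-wrapped labels; wrapping them keeps the page translatable. Dropping the old `$savemsg` warning is fine only because server-side validation, not the message, is what enforces that a CA is selected, so it is worth confirming that check exists.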
@@ -667,6 +668,9 @@ if ($savemsg)
<option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['descr'] . $caname . $inuse . $revoked;?></option>
<?php endforeach; ?>
</select>
+ <?php else: ?>
+ <b>No Certificates defined.</b> <br/>Create one under <a href="system_certmanager.php">System &gt; Cert Manager</a>.
+ <?php endif; ?>
</td>
</tr>
<tr id="psk">
diff --git a/usr/local/www/vpn_openvpn_server.php b/usr/local/www/vpn_openvpn_server.php
index 49df7a1..17641ad 100644
--- a/usr/local/www/vpn_openvpn_server.php
+++ b/usr/local/www/vpn_openvpn_server.php
@@ -555,10 +555,6 @@ function netbios_change() {
<?php
if (!$savemsg)
$savemsg = "";
-if (count($a_ca) == 0)
- $savemsg .= "You have no Certificate Authorities defined. You can visit the <a href=\"system_camanager.php\">Certificate Manager</a> or use the <a href=\"wizard.php?xml=openvpn_wizard.xml\">Wizard.</a> to create one. ";
-if (count($a_cert) == 0)
- $savemsg .= "<br/>You have no Certificates defined. You can visit the <a href=\"system_camanager.php\">Certificate Manager</a> or use the <a href=\"wizard.php?xml=openvpn_wizard.xml\">Wizard.</a> to create one. ";
if ($input_errors)
print_input_errors($input_errors);
@@ -768,6 +764,7 @@ if ($savemsg)
<tr id="tls_ca">
<td width="22%" valign="top" class="vncellreq"><?=gettext("Peer Certificate Authority"); ?></td>
<td width="78%" class="vtable">
+ <?php if (count($a_ca)): ?>
<select name='caref' class="formselect">
<?php
foreach ($a_ca as $ca):
@@ -778,11 +775,15 @@ if ($savemsg)
<option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['descr'];?></option>
<?php endforeach; ?>
</select>
+ <?php else: ?>
+ <b>No Certificate Authorities defined.</b> <br/>Create one under <a href="system_camanager.php">System &gt; Cert Manager</a>.
+ <?php endif; ?>
</td>
</tr>
<tr id="tls_crl">
<td width="22%" valign="top" class="vncellreq"><?=gettext("Peer Certificate Revocation List"); ?></td>
<td width="78%" class="vtable">
+ <?php if (count($a_crl)): ?>
<select name='crlref' class="formselect">
<option value="">None</option>
<?php
@@ -799,11 +800,15 @@ if ($savemsg)
<option value="<?=$crl['refid'];?>" <?=$selected;?>><?=$crl['descr'] . $caname;?></option>
<?php endforeach; ?>
</select>
+ <?php else: ?>
+ <b>No Certificate Revocation Lists (CRLs) defined.</b> <br/>Create one under <a href="system_crlmanager.php">System &gt; Cert Manager</a>.
+ <?php endif; ?>
</td>
</tr>
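Review bot: The CRL select previously always contained `<option value="">None</option>`, so `crlref` was posted even on a system with no CRLs; behind the new `if (count($a_crl))` that option disappears together with the select, and such a system now posts no `crlref` at all, which the save path may read unconditionally (outside this hunk). Since "None" is a legitimate choice here, render the select with just the None option when `$a_crl` is empty, or guard the read with `isset()`. The fallback text says `System > Cert Manager` but links to system_crlmanager.php, so the label should name the CRL page it actually opens.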
<tr id="tls_cert">
<td width="22%" valign="top" class="vncellreq"><?=gettext("Server Certificate"); ?></td>
<td width="78%" class="vtable">
+ <?php if (count($a_cert)): ?>
<select name='certref' class="formselect">
<?php
foreach ($a_cert as $cert):
@@ -824,6 +829,9 @@ if ($savemsg)
<option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['descr'] . $caname . $inuse . $revoked;?></option>
<?php endforeach; ?>
</select>
+ <?php else: ?>
+ <b>No Certificates defined.</b> <br/>Create one under <a href="system_certmanager.php">System &gt; Cert Manager</a>.
+ <?php endif; ?>
</td>
</tr>
<tr id="tls_dh">