authorCarlos Eduardo Ramos <carlos.ramos@bluepex.com>2010-05-04 08:12:13 -0300
committerCarlos Eduardo Ramos <carlos.ramos@bluepex.com>2010-05-04 08:12:13 -0300
commit1cfa0465f4a0d9f6c2c207fbb2d94a95349631ca (patch)
tree7759cc6ac1d98290301184b874a966176ff4d440
parent8a0b4f1476502fd173f91254a8cdfaab22d83d53 (diff)
parent156a7868ba2acafc803318e575b1a1b9ca222fba (diff)
downloadpfsense-1cfa0465f4a0d9f6c2c207fbb2d94a95349631ca.zip
pfsense-1cfa0465f4a0d9f6c2c207fbb2d94a95349631ca.tar.gz
Merge commit 'mainline/master'
-rw-r--r--etc/inc/captiveportal.inc209
-rw-r--r--etc/inc/filter.inc135
-rw-r--r--etc/inc/shaper.inc2
-rw-r--r--etc/inc/system.inc16
-rw-r--r--etc/inc/upgrade_config.inc42
-rw-r--r--etc/phpshellsessions/gitsync23
-rwxr-xr-xusr/local/captiveportal/index.php16
-rwxr-xr-xusr/local/www/services_captiveportal_ip.php12
-rwxr-xr-xusr/local/www/services_captiveportal_ip_edit.php39
-rwxr-xr-xusr/local/www/services_captiveportal_mac.php14
-rwxr-xr-xusr/local/www/services_captiveportal_mac_edit.php2
-rw-r--r--usr/local/www/vpn_openvpn_client.php1
-rw-r--r--usr/local/www/vpn_openvpn_csc.php1
-rw-r--r--usr/local/www/vpn_openvpn_server.php1
-rw-r--r--usr/local/www/wizards/openvpn_wizard.xml20
15 files changed, 333 insertions, 200 deletions
diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc
index be89ba5..94ca06e 100644
--- a/etc/inc/captiveportal.inc
+++ b/etc/inc/captiveportal.inc
@@ -107,7 +107,7 @@ function captiveportal_configure() {
unlink_if_exists("{$g['vardb_path']}/captiveportal_mac.db");
unlink_if_exists("{$g['vardb_path']}/captiveportal_ip.db");
unlink_if_exists("{$g['vardb_path']}/captiveportal_radius.db");
- mwexec("/sbin/ipfw table all flush");
+ mwexec("/sbin/ipfw -q table all flush");
/* setup new database in case someone tries to access the status -> captive portal page */
touch("{$g['vardb_path']}/captiveportal.db");
@@ -118,7 +118,8 @@ function captiveportal_configure() {
/* make sure ipfw is loaded */
if (!is_module_loaded("ipfw.ko"))
filter_load_ipfw();
- if (isset($config['captiveportal']['peruserbw']) && !is_module_loaded("dummynet.ko"))
+ /* Always load dummynet now that even allowed ip and mac passthrough use it. */
+ if (!is_module_loaded("dummynet.ko"))
mwexec("/sbin/kldload dummynet");
/* generate ipfw rules */
@@ -126,7 +127,8 @@ function captiveportal_configure() {
$cprules = captiveportal_rules_generate($cpinterface, $cpips);
$cprules .= "\n";
/* generate passthru mac database */
- captiveportal_passthrumac_configure(true);
+ $cprules .= captiveportal_passthrumac_configure(true);
+ $cprules .= "\n";
/* allowed ipfw rules to make allowed ip work */
$cprules .= captiveportal_allowedip_configure();
@@ -228,7 +230,7 @@ EOD;
fwrite($fd, $cprules);
fclose($fd);
- mwexec("/sbin/ipfw {$g['tmp_path']}/ipfw.cp.rules");
+ mwexec("/sbin/ipfw -q {$g['tmp_path']}/ipfw.cp.rules");
@unlink("{$g['tmp_path']}/ipfw.cp.rules");
@@ -346,30 +348,30 @@ EOD;
function captiveportal_rules_generate($cpif, &$cpiparray) {
global $config, $g;
- $cprules = "add 65301 set 1 allow pfsync from any to any\n";
- $cprules .= "add 65302 set 1 allow carp from any to any\n";
+ $cprules = "add 65291 set 1 allow pfsync from any to any\n";
+ $cprules .= "add 65292 set 1 allow carp from any to any\n";
$cprules .= <<<EOD
-# add 65305 set 1 skipto 65534 all from any to any not layer2
+# add 65300 set 1 skipto 65534 all from any to any not layer2
# layer 2: pass ARP
-add 65310 set 1 pass layer2 mac-type arp
+add 65301 set 1 pass layer2 mac-type arp
# pfsense requires for WPA
-add 65311 set 1 pass layer2 mac-type 0x888e
-add 65312 set 1 pass layer2 mac-type 0x88c7
+add 65302 set 1 pass layer2 mac-type 0x888e
+add 65303 set 1 pass layer2 mac-type 0x88c7
# PPP Over Ethernet Discovery Stage
-add 65313 set 1 pass layer2 mac-type 0x8863
+add 65304 set 1 pass layer2 mac-type 0x8863
# PPP Over Ethernet Session Stage
-add 65314 set 1 pass layer2 mac-type 0x8864
+add 65305 set 1 pass layer2 mac-type 0x8864
# Allow WPA
-add 65315 set 1 pass layer2 mac-type 0x888e
+add 65306 set 1 pass layer2 mac-type 0x888e
# layer 2: block anything else non-IP
-add 65316 set 1 deny layer2 not mac-type ip
+add 65307 set 1 deny layer2 not mac-type ip
EOD;
- $rulenum = 65320;
+ $rulenum = 65310;
$ips = "255.255.255.255 ";
foreach ($cpiparray as $cpip)
$ips .= "or {$cpip} ";
@@ -413,6 +415,25 @@ EOD;
$cprules .= "add {$rulenum} set 1 pass tcp from {$ips} {$port} to any out \n";
$rulenum++;
+ /* Allowed ips */
+ $cprules .= "add {$rulenum} allow ip from table(3) to any in\n";
+ $rulenum++;
+ $cprules .= "add {$rulenum} allow ip from any to table(4) out\n";
+ $rulenum++;
+ $cprules .= "add {$rulenum} pipe tablearg ip from table(5) to any in\n";
+ $rulenum++;
+ $cprules .= "add {$rulenum} pipe tablearg ip from any to table(6) out\n";
+ $rulenum++;
+ $cprules .= "add {$rulenum} allow ip from any to table(7) in\n";
+ $rulenum++;
+ $cprules .= "add {$rulenum} allow ip from table(8) to any out\n";
+ $rulenum++;
+ $cprules .= "add {$rulenum} pipe tablearg ip from any to table(9) in\n";
+ $rulenum++;
+ $cprules .= "add {$rulenum} pipe tablearg ip from table(10) to any out\n";
+ $rulenum++;
+
+ /* Authenticated users rules. */
if (isset($config['captiveportal']['peruserbw'])) {
$cprules .= "add {$rulenum} set 1 pipe tablearg ip from table(1) to any in\n";
$rulenum++;
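Review bot: The eight new table rules are added without `set 1`, while the rules around them in this function (the `set 1 pass tcp` rule just above and the `table(1)` pipe rule just below) all carry it. If the portal's teardown or reload removes its rules by set, which is not visible in this hunk, these allow and pipe rules would stay behind in the default set and keep passing traffic for the listed addresses. Suggest writing them as `add {$rulenum} set 1 allow ip from table(3) to any in` and likewise for the other seven. captiveportal_rules_generate() starts and ends outside the hunk.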
@@ -699,31 +720,119 @@ function captiveportal_radius_stop_all($lock = false) {
unlock($captiveportallck);
}
+function captiveportal_passthrumac_configure_entry($macent) {
+ $rules = "";
+ $enBwup = isset($macent['bw_up']);
+ $enBwdown = isset($macent['bw_down']);
+ $actionup = "allow";
+ $actiondown = "allow";
+
+ if ($enBwup && $enBwdown)
+ $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, true);
+ else
+ $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, false);
+
+ if ($enBwup) {
+ $bw_up = $ruleno + 20000;
+ $rules .= "pipe {$bw_up} config bw {$macent['bw_up']}Kbit/s queue 100\n";
+ $actionup = "pipe {$bw_up}";
+ }
+ if ($enBwdown) {
+ $bw_down = $ruleno + 20001;
+ $rules .= "pipe {$bw_down} config bw {$macent['bw_down']}Kbit/s queue 100\n";
+ $actiondown = "pipe {$bw_down}";
+ }
+ $rules .= "add {$ruleno} {$actionup} ip from any to any MAC {$macent['mac']} any\n";
+ $ruleno++;
+ $rules .= "add {$ruleno} {$actiondown} ip from any to any MAC any {$macent['mac']}\n";
+
+ return $rules;
+}
+
function captiveportal_passthrumac_configure($lock = false) {
global $config, $g;
- if (!$lock)
- $captiveportallck = lock('captiveportal');
-
- /* clear out passthru macs, if necessary */
- unlink_if_exists("{$g['vardb_path']}/captiveportal_mac.db");
+ $rules = "";
if (is_array($config['captiveportal']['passthrumac'])) {
$macdb = array();
foreach ($config['captiveportal']['passthrumac'] as $macent) {
+ $rules .= captiveportal_passthrumac_configure_entry($macent);
$macdb[$macent['mac']]['active'] = true;
- if (isset($macent['bw_up']))
- $macdb[$macent['mac']]['bw_up'] = $macent['bw_up'];
- if (isset($macent['bw_down']))
- $macdb[$macent['mac']]['bw_down'] = $macent['bw_down'];
}
- /* record passthru MACs so can be recognized and let thru */
- file_put_contents("{$g['vardb_path']}/captiveportal_mac.db", serialize($macdb));
}
- if (!$lock)
- unlock($captiveportallck);
+ return $rules;
+}
+
+/*
+ * table (3=IN)/(4=OUT) hold allowed ip's without bw limits
+ * table (5=IN)/(6=OUT) hold allowed ip's with bw limit.
+ */
+function captiveportal_allowedip_configure_entry($ipent) {
+
+ $rules = "";
+ $enBwup = isset($ipent['bw_up']);
+ $enBwdown = isset($ipent['bw_down']);
+ $bw_up = "";
+ $bw_down = "";
+ $tablein = array();
+ $tableout = array();
+
+ if ($enBwup && $enBwdown)
+ $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, true);
+ else
+ $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, false);
+
+ if ($ipent['dir'] == "from") {
+ if ($enBwup)
+ $tablein[] = 5;
+ else
+ $tablein[] = 3;
+ if ($enBwdown)
+ $tableout[] = 6;
+ else
+ $tableout[] = 4;
+ } else if ($ipent['dir'] == "to") {
+ if ($enBwup)
+ $tablein[] = 9;
+ else
+ $tablein[] = 7;
+ if ($enBwdown)
+ $tableout[] = 10;
+ else
+ $tableout[] = 8;
+ } else if ($ipent['dir'] == "both") {
+ if ($enBwup) {
+ $tablein[] = 5;
+ $tablein[] = 9;
+ } else {
+ $tablein[] = 3;
+ $tablein[] = 7;
+ }
+ if ($enBwdown) {
+ $tableout[] = 6;
+ $tableout[] = 10;
+ } else {
+ $tableout[] = 4;
+ $tableout[] = 8;
+ }
+ }
+ if ($enBwup) {
+ $bw_up = $ruleno + 20000;
+ $rules .= "pipe {$bw_up} config bw {$ipent['bw_up']}Kbit/s queue 100\n";
+ }
+ foreach ($tablein as $table)
+ $rules .= "table {$table} add {$ipent['ip']} {$bw_up}\n";
+ if ($enBwdown) {
+ $bw_down = $ruleno + 20001;
+ $rules .= "pipe {$bw_down} config bw {$ipent['bw_down']}Kbit/s queue 100\n";
+ }
+ foreach ($tableout as $table)
+ $rules .= "table {$table} add {$ipent['ip']} {$bw_down}\n";
+
+ return $rules;
}
function captiveportal_allowedip_configure() {
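Review bot: Both new entry helpers use two consecutive numbers but reserve the second one only when `bw_up` and `bw_down` are both set. captiveportal_passthrumac_configure_entry() always adds rules at `$ruleno` and `$ruleno + 1`, and either helper can configure pipe `$ruleno + 20001` with only `bw_down` set; with `$usebw` false and `peruserbw` off the allocator marks a single slot, so the next caller can be handed `$ruleno + 1` and end up sharing a rule or pipe number with this entry. Deleting one of them by number would then remove the other's rule as well. Reserving the pair unconditionally, `$ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, true);`, avoids the overlap.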
@@ -731,26 +840,8 @@ function captiveportal_allowedip_configure() {
$rules = "";
if (is_array($config['captiveportal']['allowedip'])) {
- $peruserbw = isset($config['captiveportal']['peruserbw']);
foreach ($config['captiveportal']['allowedip'] as $ipent) {
- $ruleno = captiveportal_get_next_ipfw_ruleno();
- $bw_up = "";
- $bw_down = "";
- if ($peruserbw) {
- $bwup = isset($ipent['bw_up']) ? trim($ipent['bw_up']) : $config['captiveportal']['bwdefaultup'];
- $bwdown = isset($ipent['bw_down']) ? trim($ipent['bw_down']) : $config['captiveportal']['bwdefaultdn'];
- if (!empty($bwup) && is_numeric($bwup)) {
- $bw_up = $ruleno + 20000;
- $rules .= "pipe {$bw_up} config bw {$bw_up}Kbit/s queue 100\n";
- }
- if (!empty($bwdown) && is_numeric($bwdown)) {
- $bw_down = $ruleno + 20001;
- $rules .= "pipe {$bw_down} config bw {$bw_down}Kbit/s queue 100\n";
- }
- }
- /* insert address in ipfw table */
- $rules .= "table 1 add {$ipent['ip']} ${bw_up}\n";
- $rules .= "table 2 add {$ipent['ip']} ${bw_down}\n";
+ $rules .= captiveportal_allowedip_configure_entry($ipent);
}
}
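Review bot: The inline code removed here only emitted a `pipe ... config bw` line when the value passed `is_numeric()`, and the helper that replaces it has no equivalent check. captiveportal_allowedip_configure_entry() writes `$ipent['bw_up']`, `$ipent['bw_down']` and `$ipent['ip']` straight into the ipfw rules text, so a stored value containing whitespace or a newline changes the meaning of the line or adds another one. Unless every writer of `allowedip` validates these fields (not visible here), keep the guard in the helper, e.g. `$enBwup = isset($ipent['bw_up']) && is_numeric($ipent['bw_up']);`, and validate the address before it is interpolated.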
@@ -953,7 +1044,7 @@ function captiveportal_init_ipfw_ruleno($rulenos_start = 2000, $rulenos_range_ma
* within the range specified based on the actual logged on users
*
*/
-function captiveportal_get_next_ipfw_ruleno($rulenos_start = 2000, $rulenos_range_max = 49899) {
+function captiveportal_get_next_ipfw_ruleno($rulenos_start = 2000, $rulenos_range_max = 49899, $usebw = false) {
global $config, $g;
if(!isset($config['captiveportal']['enable']))
@@ -975,7 +1066,7 @@ function captiveportal_get_next_ipfw_ruleno($rulenos_start = 2000, $rulenos_rang
}
$ruleno = $ridx;
$rules[$ridx] = "used";
- if (isset($config['captiveportal']['peruserbw']))
+ if (isset($config['captiveportal']['peruserbw']) || $usebw == true)
$rules[++$ridx] = "used";
break;
}
@@ -988,7 +1079,7 @@ function captiveportal_get_next_ipfw_ruleno($rulenos_start = 2000, $rulenos_rang
return $ruleno;
}
-function captiveportal_free_ipfw_ruleno($ruleno) {
+function captiveportal_free_ipfw_ruleno($ruleno, $usedbw = false) {
global $config, $g;
if(!isset($config['captiveportal']['enable']))
@@ -997,13 +1088,13 @@ function captiveportal_free_ipfw_ruleno($ruleno) {
if (file_exists("{$g['vardb_path']}/captiveportal.rules")) {
$rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportal.rules"));
$rules[$ruleno] = false;
- if (isset($config['captiveportal']['peruserbw']))
+ if (isset($config['captiveportal']['peruserbw']) || $usedbw == true)
$rules[++$ruleno] = false;
file_put_contents("{$g['vardb_path']}/captiveportal.rules", serialize($rules));
}
}
-function captiveportal_get_ipfw_ruleno_byvalue($value) {
+function captiveportal_get_ipfw_passthru_ruleno($value) {
global $config, $g;
if(!isset($config['captiveportal']['enable']))
@@ -1011,7 +1102,7 @@ function captiveportal_get_ipfw_ruleno_byvalue($value) {
if (file_exists("{$g['vardb_path']}/captiveportal.rules")) {
$rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportal.rules"));
- $ruleno = intval(`/sbin/ipfw table 1 list | /usr/bin/grep {$value} | /usr/bin/grep -v grep | /usr/bin/cut -d " " -f 1 | /usr/bin/head -n 1`);
+ $ruleno = intval(`/sbin/ipfw show | /usr/bin/grep {$value} | /usr/bin/grep -v grep | /usr/bin/cut -d " " -f 1 | /usr/bin/head -n 1`);
if ($rules[$ruleno])
return $ruleno;
}
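Review bot: `$value` is interpolated unquoted into the backtick command, and the caller changed in this commit passes `$_POST['delmac']` to it. Even if that value has already been matched against the configured MACs, it should be quoted for the shell and matched as a fixed string: `$mac = escapeshellarg($value);` and then `/usr/bin/grep -F -- {$mac}` in the pipeline. Grepping all of `ipfw show` also returns the first rule that contains the string anywhere on its line, which may not be the pass-through rule for that MAC, so the match should be narrowed to the `MAC` part of the rule. The function's opening checks and its final return are outside the hunk.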
@@ -1088,18 +1179,6 @@ function getNasIP()
return $nasIp;
}
-function portal_mac_fixed($clientmac) {
- global $g ;
-
- /* open captive portal mac db */
- if (file_exists("{$g['vardb_path']}/captiveportal_mac.db")) {
- $macdb = unserialize(file_get_contents("{$g['vardb_path']}/captiveportal_mac.db"));
- if (isset($macdb[$clientmac]))
- return $macdb[$clientmac];
- }
- return FALSE ;
-}
-
function portal_ip_from_client_ip($cliip) {
global $config;
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index ed16434..94e247b 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -791,14 +791,14 @@ function filter_get_reflection_interfaces($natif = "") {
return $nat_if_list;
}
-function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstport, &$starting_localhost_port, &$reflection_txt) {
+function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_port, $dstport, &$starting_localhost_port, &$reflection_txt) {
global $FilterIflist, $config;
// Initialize natrules holder string
$natrules = "";
$reflection_txt = array();
- if(!isset($config['system']['disablenatreflection'])) {
+ if(!empty($rdr_ifs)) {
if($config['system']['reflectiontimeout'])
$reflectiontimeout = $config['system']['reflectiontimeout'];
else
@@ -806,9 +806,6 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstport,
update_filter_reload_status("Creating reflection rule for {$rule['descr']}...");
- if(empty($rdr_ifs))
- return "";
-
$rdr_if_list = implode(" ", $rdr_ifs);
if(count($rdr_ifs) > 1)
$rdr_if_list = "{ {$rdr_if_list} }";
@@ -819,17 +816,50 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstport,
$range_end = ($dstport[1]);
else
$range_end = ($dstport[0]);
- $range_end++;
-
- /* TODO: support multiple ip's in an alias. */
- if (is_alias($rule['destination']['address']))
- $dstaddr = filter_expand_alias($rule['destination']['address']);
- else if(is_ipaddr($rule['destination']['address']))
- $dstaddr = $rule['destination']['address'];
- else if (is_ipaddr($FilterIflist[$rule['interface']]['ip']))
- $dstaddr = $FilterIflist[$rule['interface']]['ip'];
+
+ $dstaddr = explode(" ", $dstaddr_port);
+ if($dstaddr[2])
+ $rflctintrange = $dstaddr[2];
else
- return "\n";
+ $rflctintrange = "";
+ $dstaddr = $dstaddr[0];
+
+ if(isset($rule['destination']['any'])) {
+ if(!$rule['interface'])
+ $natif = "wan";
+ else
+ $natif = $rule['interface'];
+
+ if(!isset($FilterIflist[$natif]))
+ return "";
+ if(is_ipaddr($FilterIflist[$natif]['ip']))
+ $dstaddr = $FilterIflist[$natif]['ip'];
+ else
+ return "";
+
+ if(!empty($FilterIflist[$natif]['sn']))
+ $dstaddr = gen_subnet($dstaddr, $FilterIflist[$natif]['sn']) . '/' . $FilterIflist[$natif]['sn'];
+ }
+
+ switch($rule['protocol']) {
+ case "tcp/udp":
+ $protocol = "{ tcp udp }";
+ $reflect_protos = array('tcp', 'udp');
+ break;
+ case "tcp":
+ case "udp":
+ $protocol = $rule['protocol'];
+ $reflect_protos = array($rule['protocol']);
+ break;
+ default:
+ return "";
+ break;
+ }
+
+ if(!empty($nordr)) {
+ $natrules .= "no rdr on {$rdr_if_list} proto {$protocol} from {$srcaddr} to {$dstaddr} port {$rflctintrange}\n";
+ return $natrules;
+ }
if (is_alias($rule['target']))
$target = filter_expand_alias($rule['target']);
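Review bot: The new `no rdr` branch always appends `port {$rflctintrange}`, but `$rflctintrange` is set to an empty string a few lines earlier when `$dstaddr_port` has no third field. In that case the generated line ends in a bare `port`, which pf will presumably reject when the ruleset is loaded. Build the clause only when there is a value, e.g. `$portclause = ($rflctintrange != "") ? " port {$rflctintrange}" : "";`. `$dstaddr[2]` is also read without checking that the index exists. The function body continues outside the hunk.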
@@ -838,12 +868,11 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstport,
else if (is_ipaddr($FilterIflist[$rule['target']]['ip']))
$target = $FilterIflist[$rule['target']]['ip'];
else
- return "\n";
+ return "";
if($rule['local-port'])
$lrange_start = $rule['local-port'];
- if($range_end - $dstport[0] > 500) {
- $range_end = $dstport[0]+1;
+ if(($range_end + 1) - $dstport[0] > 500) {
log_error("Not installing nat reflection rules for a port range > 500");
/* only install reflection rules for < 19991 items */
} else if($starting_localhost_port < 19991) {
@@ -860,55 +889,45 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstport,
}
$inetdport = $starting_localhost_port;
- if(($range_end - 1) > $dstport[0]) {
+ if($range_end > $dstport[0]) {
$rflctrange = "{$starting_localhost_port}";
- $delta = $range_end - $dstport[0] - 1;
+ $delta = $range_end - $dstport[0];
if(($starting_localhost_port + $delta) > 19990) {
log_error("Installing partial nat reflection rules. Maximum 1,000 reached.");
$delta = 19990 - $starting_localhost_port;
+ $range_end = $dstport[0] + $delta;
+ $rflctintrange = "";
}
$starting_localhost_port = $starting_localhost_port + $delta;
$rflctrange .= ":{$starting_localhost_port}";
- $rflctintrange = "{$dstport[0]}:{$range_end}";
+ if(empty($rflctintrange))
+ $rflctintrange = "{$dstport[0]}:{$range_end}";
if($rflctnorange)
$toadd_array = range($loc_pt, $loc_pt + $delta);
+ $starting_localhost_port++;
} else {
$rflctrange = $starting_localhost_port;
- $rflctintrange = $dstport[0];
+ if(empty($rflctintrange))
+ $rflctintrange = $dstport[0];
if($rflctnorange)
$toadd_array = array($loc_pt);
$starting_localhost_port++;
}
- switch($rule['protocol']) {
- case "tcp/udp":
- $protocol = "{ tcp udp }";
- foreach($toadd_array as $tda) {
- $reflection_txt[] = "{$inetdport}\tstream\ttcp\tnowait/0\tnobody\t/usr/bin/nc\tnc -w {$reflectiontimeout} {$target} {$tda}\n";
- $reflection_txt[] = "{$inetdport}\tdgram\tudp\tnowait/0\tnobody\t/usr/bin/nc\tnc -u -w {$reflectiontimeout} {$target} {$tda}\n";
- $inetdport++;
+ foreach($toadd_array as $tda){
+ foreach($reflect_protos as $reflect_proto) {
+ if($reflect_proto == "udp") {
+ $socktype = "dgram";
+ $dash_u = "-u ";
+ } else {
+ $socktype = "stream";
+ $dash_u = "";
}
- $natrules .= "{$nordr}rdr on {$rdr_if_list} proto {$protocol} from {$srcaddr} to {$dstaddr} port {$rflctintrange} tag PFREFLECT" .
- ($nordr == "" ? " -> 127.0.0.1 port {$rflctrange}" : "") . "\n";
- break;
- case "tcp":
- case "udp":
- $protocol = $rule['protocol'];
- if($protocol == "udp") {
- $socktype = "dgram";
- $dash_u = "-u ";
- } else {
- $socktype = "stream";
- $dash_u = "";
- }
- foreach($toadd_array as $tda){
- $reflection_txt[] = "{$inetdport}\t{$socktype}\t{$protocol}\tnowait/0\tnobody\t/usr/bin/nc\tnc {$dash_u}-w {$reflectiontimeout} {$target} {$tda}\n";
- $inetdport++;
+ $reflection_txt[] = "{$inetdport}\t{$socktype}\t{$reflect_proto}\tnowait/0\tnobody\t/usr/bin/nc\tnc {$dash_u}-w {$reflectiontimeout} {$target} {$tda}\n";
}
- $natrules .= "{$nordr}rdr on {$rdr_if_list} proto {$protocol} from {$srcaddr} to {$dstaddr} port {$rflctintrange} tag PFREFLECT" .
- ($nordr == "" ? " -> 127.0.0.1 port {$rflctrange}" : "") . "\n";
- break;
+ $inetdport++;
}
+ $natrules .= "rdr on {$rdr_if_list} proto {$protocol} from {$srcaddr} to {$dstaddr} port {$rflctintrange} tag PFREFLECT -> 127.0.0.1 port {$rflctrange}\n";
}
$reflection_txt = array_unique($reflection_txt);
}
@@ -1227,7 +1246,7 @@ function filter_nat_rules_generate() {
}
$target = alias_expand($rule['target']);
- if(!$target) {
+ if(!$target && !isset($rule['nordr'])) {
$natrules .= "# Unresolvable alias {$rule['target']}\n";
continue; /* unresolvable alias */
}
@@ -1252,18 +1271,28 @@ function filter_nat_rules_generate() {
$natif = $FilterIflist[$natif]['if'];
- if (isset($rule['nordr']))
+ if (isset($rule['nordr'])) {
$nordr = "no ";
- else
+ $rdrpass = "";
+ } else
$nordr = "";
+ if(!isset($config['system']['disablenatreflection'])) {
+ $nat_if_list = filter_get_reflection_interfaces($natif);
+ } else {
+ $nat_if_list = array();
+ }
+
if($srcaddr <> "" && $dstaddr <> "") {
+ $srcaddr = trim($srcaddr);
+ $dstaddr = trim($dstaddr);
+
/* is rule a port range? */
if($natif)
$natrules .= "{$nordr}rdr {$rdrpass}on {$natif} proto {$protocol} from {$srcaddr} to {$dstaddr}" . ($nordr == "" ? " -> {$target}{$localport}" : "");
/* Does this rule redirect back to a internal host? */
- if(isset($rule['destination']['any']) && !interface_has_gateway($rule['interface'])) {
+ if(isset($rule['destination']['any']) && !interface_has_gateway($rule['interface']) && !isset($rule['nordr'])) {
$rule_interface_ip = find_interface_ip($natif);
$rule_interface_subnet = find_interface_subnet($natif);
$rule_subnet = gen_subnet($rule_interface_ip, $rule_interface_subnet);
@@ -1271,7 +1300,7 @@ function filter_nat_rules_generate() {
$natrules .= "no nat on {$natif} proto tcp from ({$natif}) to {$rule_subnet}/{$rule_interface_subnet}\n";
$natrules .= "nat on {$natif} proto tcp from {$rule_subnet}/{$rule_interface_subnet} to {$target} port {$dstport[0]} -> ({$natif})\n";
}
- $natrules .= filter_generate_reflection($rule, $nordr, filter_get_reflection_interfaces($natif), $srcaddr, $dstport, $starting_localhost_port, $reflection_rules);
+ $natrules .= filter_generate_reflection($rule, $nordr, $nat_if_list, $srcaddr, $dstaddr, $dstport, $starting_localhost_port, $reflection_rules);
$natrules .= "\n";
foreach ($reflection_rules as $txtline)
diff --git a/etc/inc/shaper.inc b/etc/inc/shaper.inc
index 9a023eb..80303a3 100644
--- a/etc/inc/shaper.inc
+++ b/etc/inc/shaper.inc
@@ -3443,7 +3443,7 @@ class layer7 {
}
function delete_l7c() {
- mwexec("/bin/pkill -f 'ipfw-classifyd .* -p ". $l7rules->GetRPort() . "'", true);
+ mwexec("/bin/pkill -f 'ipfw-classifyd .* -p ". $this->GetRPort() . "'", true);
unset_l7_object_by_reference($this->GetRName());
cleanup_l7_from_rules($this->GetRName());
}
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index d26b1bb..530497b 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -192,11 +192,21 @@ function system_hosts_generate() {
$hosts .= "127.0.0.1 localhost localhost.{$syscfg['domain']}\n";
- $sysiflist = get_configured_interface_list();
- foreach ($sysiflist as $sysif) {
- $cfgip = get_interface_ip($sysif);
+ if ($config['interfaces']['lan']) {
+ $cfgip = get_interface_ip("lan");
if (is_ipaddr($cfgip))
$hosts .= "{$cfgip} {$syscfg['hostname']}.{$syscfg['domain']} {$syscfg['hostname']}\n";
+ } else {
+ $sysiflist = get_configured_interface_list();
+ foreach ($sysiflist as $sysif) {
+ if (!interface_has_gateway($sysif)) {
+ $cfgip = get_interface_ip($sysif);
+ if (is_ipaddr($cfgip)) {
+ $hosts .= "{$cfgip} {$syscfg['hostname']}.{$syscfg['domain']} {$syscfg['hostname']}\n";
+ break;
+ }
+ }
+ }
}
foreach ($hostscfg as $host) {
diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc
index f4d64e8..d2b33f7 100644
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
@@ -1066,34 +1066,38 @@ function upgrade_046_to_047() {
function upgrade_047_to_048() {
global $config;
- $config['dyndnses']['dyndns'] = array();
- if (isset($config['dyndns']['enable'])) {
+ if (!empty($config['dyndns'])) {
+ $config['dyndnses'] = array();
+ $config['dyndnses']['dyndns'] = array();
$tempdyn = array();
- $tempdyn['enable'] = isset($config['dyndns']['enable']);
- $tempdyn['type'] = $config['dyndns']['type'];
- $tempdyn['wildcard'] = isset($config['dyndns']['wildcard']);
- $tempdyn['usernamefld'] = $config['dyndns']['username'];
- $tempdyn['passwordfld'] = $config['dyndns']['password'];
- $tempdyn['host'] = $config['dyndns']['host'];
- $tempdyn['mx'] = $config['dyndns']['mx'];
+ $tempdyn['enable'] = isset($config['dyndns'][0]['enable']);
+ $tempdyn['type'] = $config['dyndns'][0]['type'];
+ $tempdyn['wildcard'] = isset($config['dyndns'][0]['wildcard']);
+ $tempdyn['usernamefld'] = $config['dyndns'][0]['username'];
+ $tempdyn['passwordfld'] = $config['dyndns'][0]['password'];
+ $tempdyn['host'] = $config['dyndns'][0]['host'];
+ $tempdyn['mx'] = $config['dyndns'][0]['mx'];
+ $tempdyn['interface'] = "wan";
+ $tempdyn['descr'] = "Upgraded Dyndns {$tempdyn['type']}";
$config['dyndnses']['dyndns'][] = $tempdyn;
unset($config['dyndns']);
}
- $config['dnsupdates']['dnsupdate'] = array();
- if (isset($config['dnsupdate']['enable'])) {
+ if (!empty($config['dnsupdate'])) {
+ $config['dnsupdates'][0]['dnsupdate'] = array();
$pconfig = array();
- $pconfig['dnsupdate_enable'] = isset($config['dnsupdate']['enable']);
- $pconfig['dnsupdate_host'] = $config['dnsupdate']['host'];
- $pconfig['dnsupdate_ttl'] = $config['dnsupdate']['ttl'];
+ $pconfig['dnsupdate_enable'] = isset($config['dnsupdate'][0]['enable']);
+ $pconfig['dnsupdate_host'] = $config['dnsupdate'][0]['host'];
+ $pconfig['dnsupdate_ttl'] = $config['dnsupdate'][0]['ttl'];
if (!$pconfig['dnsupdate_ttl'])
$pconfig['dnsupdate_ttl'] = 60;
- $pconfig['dnsupdate_keydata'] = $config['dnsupdate']['keydata'];
- $pconfig['dnsupdate_keyname'] = $config['dnsupdate']['keyname'];
- $pconfig['dnsupdate_keytype'] = $config['dnsupdate']['keytype'];
+ $pconfig['dnsupdate_keydata'] = $config['dnsupdate'][0]['keydata'];
+ $pconfig['dnsupdate_keyname'] = $config['dnsupdate'][0]['keyname'];
+ $pconfig['dnsupdate_keytype'] = $config['dnsupdate'][0]['keytype'];
if (!$pconfig['dnsupdate_keytype'])
$pconfig['dnsupdate_keytype'] = "zone";
- $pconfig['dnsupdate_server'] = $config['dnsupdate']['server'];
- $pconfig['dnsupdate_usetcp'] = isset($config['dnsupdate']['usetcp']);
+ $pconfig['dnsupdate_server'] = $config['dnsupdate'][0]['server'];
+ $pconfig['dnsupdate_usetcp'] = isset($config['dnsupdate'][0]['usetcp']);
+ $pconfig['interface'] = "wan";
$config['dnsupdates']['dnsupdate'][] = $pconfig;
unset($config['dnsupdate']);
}
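Review bot: The dnsupdate branch initialises `$config['dnsupdates'][0]['dnsupdate']` but then appends to `$config['dnsupdates']['dnsupdate'][]`, so the upgraded config is left with a stray empty `[0]` element next to the real list. The dyndns branch above is consistent; the same form here would be `$config['dnsupdates'] = array();` followed by `$config['dnsupdates']['dnsupdate'] = array();`. Both branches also read index `[0]` of the old section without checking that it exists, so it is worth confirming that the parsed config always presents `dyndns` and `dnsupdate` as lists.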
diff --git a/etc/phpshellsessions/gitsync b/etc/phpshellsessions/gitsync
index 4176dfe..ec7031f 100644
--- a/etc/phpshellsessions/gitsync
+++ b/etc/phpshellsessions/gitsync
@@ -39,7 +39,8 @@ if(is_dir("/root/pfsense/HEAD"))
/* NOTE: Set branches here */
$branches = array(
"master" => "2.0 development branch",
- "RELENG_1_2" => "1.2* release branch"
+ "RELENG_1_2" => "1.2* release branch",
+ "build_commit" => "The commit originally used to build the image"
);
if(file_exists("/root/cvssync_backup.tgz")) {
@@ -151,11 +152,19 @@ if(is_dir("$CODIR/pfSenseGITREPO/pfSenseGITREPO")) {
exec("cd $CODIR/pfSenseGITREPO/pfSenseGITREPO && git config remote.origin.url $GIT_REPO");
exec("cd $CODIR/pfSenseGITREPO/pfSenseGITREPO && git fetch");
exec("cd $CODIR/pfSenseGITREPO/pfSenseGITREPO && git clean -f -f -x -d");
- $git_cmd = array(
- "cd $CODIR/pfSenseGITREPO/pfSenseGITREPO && git branch $branch origin/$branch 2>/dev/null",
- "cd $CODIR/pfSenseGITREPO/pfSenseGITREPO && git checkout -f $branch 2>/dev/null",
- "cd $CODIR/pfSenseGITREPO/pfSenseGITREPO && git reset --hard origin/$branch"
- );
+ if($branch == "build_commit") {
+ $git_cmd = array(
+ "cd $CODIR/pfSenseGITREPO/pfSenseGITREPO && git branch $branch 2>/dev/null",
+ "cd $CODIR/pfSenseGITREPO/pfSenseGITREPO && git checkout -f $branch 2>/dev/null",
+ "cd $CODIR/pfSenseGITREPO/pfSenseGITREPO && git reset --hard `cat /etc/version.lastcommit`"
+ );
+ } else {
+ $git_cmd = array(
+ "cd $CODIR/pfSenseGITREPO/pfSenseGITREPO && git branch $branch origin/$branch 2>/dev/null",
+ "cd $CODIR/pfSenseGITREPO/pfSenseGITREPO && git checkout -f $branch 2>/dev/null",
+ "cd $CODIR/pfSenseGITREPO/pfSenseGITREPO && git reset --hard origin/$branch"
+ );
+ }
run_cmds($git_cmd);
} else {
exec("mkdir -p $CODIR/pfSenseGITREPO");
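Review bot: The `build_commit` path passes the output of `cat /etc/version.lastcommit` to `git reset --hard` without checking that the file exists and holds a commit id. If it is missing or empty the command becomes a plain `git reset --hard`, and the tree silently stays at whatever was checked out while being labelled as the build commit. Read and validate the value in PHP first, e.g. `$lastcommit = trim(file_get_contents("/etc/version.lastcommit"));` guarded by `file_exists()` and `preg_match('/^[0-9a-f]{7,40}$/i', $lastcommit)`, and stop with a message otherwise. The same applies to the `git checkout -b build_commit` line in the next hunk.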
@@ -167,6 +176,8 @@ if(is_dir("$CODIR/pfSenseGITREPO/pfSenseGITREPO")) {
exec("mv $CODIR/pfSenseGITREPO/mainline $CODIR/pfSenseGITREPO/pfSenseGITREPO");
if($branch == "master") {
exec("cd $CODIR/pfSenseGITREPO/pfSenseGITREPO && git checkout master");
+ } else if($branch == "build_commit") {
+ exec("cd $CODIR/pfSenseGITREPO/pfSenseGITREPO && git checkout -b build_commit `cat /etc/version.lastcommit`");
} else {
exec("cd $CODIR/pfSenseGITREPO/pfSenseGITREPO && git checkout -b $branch origin/$branch");
}
diff --git a/usr/local/captiveportal/index.php b/usr/local/captiveportal/index.php
index 7d51fc3..4f68026 100755
--- a/usr/local/captiveportal/index.php
+++ b/usr/local/captiveportal/index.php
@@ -119,12 +119,6 @@ setTimeout('window.close();',5000) ;
EOD;
exit;
-/* The $macfilter can be removed safely since we first check if the $clientmac is present, if not we fail */
-} else if ($clientmac && portal_mac_fixed($clientmac)) {
- /* punch hole in ipfw for pass thru mac addresses */
- portal_allow($clientip, $clientmac, "unauthenticated");
- exit;
-
} else if ($clientmac && $radmac_enable && portal_mac_radius($clientmac,$clientip)) {
/* radius functions handle everything so we exit here since we're done */
exit;
@@ -322,19 +316,11 @@ function portal_allow($clientip,$clientmac,$username,$password = null, $attribut
*/
$peruserbw = isset($config['captiveportal']['peruserbw']);
$passthrumacadd = isset($config['captiveportal']['passthrumacadd']);
- $portalmac = NULL;
- if (!empty($clientmac)) {
- $portalmac = portal_mac_fixed($clientmac);
- if ($portalmac) {
- $attributes['bw_up'] = $portalmac['bw_up'];
- $attributes['bw_down'] = $portalmac['bw_down'];
- }
- }
$bw_up = isset($attributes['bw_up']) ? trim($attributes['bw_up']) : $config['captiveportal']['bwdefaultup'];
$bw_down = isset($attributes['bw_down']) ? trim($attributes['bw_down']) : $config['captiveportal']['bwdefaultdn'];
- if ($passthrumacadd && $portalmac == NULL) {
+ if ($passthrumacadd) {
$mac = array();
$mac['mac'] = $clientmac;
$mac['descr'] = "Auto added pass-through MAC for user {$username}";
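Review bot: With the `portal_mac_fixed()` block gone, nothing in this hunk checks that `$clientmac` is non-empty before `$mac['mac'] = $clientmac` is stored. The removed code tested `!empty($clientmac)`, which suggests the MAC can be missing; an empty entry would then reach captiveportal_passthrumac_configure_entry() and produce a rule with no address after `MAC`. Consider `if ($passthrumacadd && !empty($clientmac)) {`. The rest of this branch is outside the hunk, so a later check may already cover it.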
diff --git a/usr/local/www/services_captiveportal_ip.php b/usr/local/www/services_captiveportal_ip.php
index fb8711b..4bf2cf9 100755
--- a/usr/local/www/services_captiveportal_ip.php
+++ b/usr/local/www/services_captiveportal_ip.php
@@ -56,8 +56,10 @@ if ($_GET['act'] == "del") {
$ipent = $a_allowedips[$_GET['id']];
if (isset($config['captiveportal']['enable'])) {
- mwexec("/sbin/ipfw table 1 delete " . $ipent['ip']);
- mwexec("/sbin/ipfw table 2 delete " . $ipent['ip']);
+ mwexec("/sbin/ipfw table 3 delete " . $ipent['ip']);
+ mwexec("/sbin/ipfw table 4 delete " . $ipent['ip']);
+ mwexec("/sbin/ipfw table 5 delete " . $ipent['ip']);
+ mwexec("/sbin/ipfw table 6 delete " . $ipent['ip']);
}
unset($a_allowedips[$_GET['id']]);
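Review bot: Deleting an entry clears tables 3 to 6 only, but captiveportal_allowedip_configure_entry() in this commit also places `to` and `both` entries in tables 7 to 10. An allowed destination removed in the GUI therefore stays in the firewall tables, and stays reachable without authentication, until the portal is fully reconfigured. Cover every table the helper can write, e.g. `foreach (array(3, 4, 5, 6, 7, 8, 9, 10) as $table)` around `mwexec("/sbin/ipfw table {$table} delete " . $ipent['ip']);`. Any pipe configured for the entry is not removed here either.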
@@ -104,7 +106,13 @@ include("head.inc");
<?php $i = 0; foreach ($a_allowedips as $ip): ?>
<tr ondblclick="document.location='services_captiveportal_ip_edit.php?id=<?=$i;?>'">
<td class="listlr">
+ <?php if($ip['dir'] == "to")
+ echo "any <img src=\"in.gif\" width=\"11\" height=\"11\" align=\"absmiddle\">";
+ ?>
<?=strtolower($ip['ip']);?>
+ <?php if($ip['dir'] == "from")
+ echo "<img src=\"in.gif\" width=\"11\" height=\"11\" align=\"absmiddle\"> any";
+ ?>
</td>
<td class="listbg">
<?=htmlspecialchars($ip['descr']);?>&nbsp;
diff --git a/usr/local/www/services_captiveportal_ip_edit.php b/usr/local/www/services_captiveportal_ip_edit.php
index 45c4e2f..09d8075 100755
--- a/usr/local/www/services_captiveportal_ip_edit.php
+++ b/usr/local/www/services_captiveportal_ip_edit.php
@@ -67,6 +67,7 @@ if (isset($_POST['id']))
if (isset($id) && $a_allowedips[$id]) {
$pconfig['ip'] = $a_allowedips[$id]['ip'];
+ $pconfig['dir'] = $a_allowedips[$id]['dir'];
$pconfig['bw_up'] = $a_allowedips[$id]['bw_up'];
$pconfig['bw_down'] = $a_allowedips[$id]['bw_down'];
$pconfig['descr'] = $a_allowedips[$id]['descr'];
@@ -104,6 +105,7 @@ if ($_POST) {
if (!$input_errors) {
$ip = array();
$ip['ip'] = $_POST['ip'];
+ $ip['dir'] = $_POST['dir'];
$ip['descr'] = $_POST['descr'];
if ($_POST['bw_up'])
$ip['bw_up'] = $_POST['bw_up'];
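Review bot: `$ip['dir']` is taken from `$_POST['dir']` with no check that it is one of `both`, `from` or `to`. captiveportal_allowedip_configure_entry() emits no table entries for any other value, so a bad or missing value saves an entry that looks configured but never takes effect; entries saved before this commit have no `dir` at all and take the same path on the next reconfigure. Add a check next to the other input validation (outside this hunk), e.g. `if (!in_array($_POST['dir'], array("both", "from", "to"))) $input_errors[] = "A valid direction must be specified.";`, and have the helper treat a missing `dir` as a default.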
@@ -117,22 +119,11 @@ if ($_POST) {
write_config();
- if (isset($config['captiveportal']['enable'])) {
- $bwup = "";
- $bwdown = "";
- $ruleno = captiveportal_get_next_ipfw_ruleno();
- if (!empty($ip['bw_up'])) {
- $pipeno = $ruleno + 20000;
- mwexec("/sbin/ipfw pipe {$pipeno} config bw {$ip['bw_up']}Kbit/s queue 100");
- $bwup = "pipe {$pipeno}";
- }
- if (!empty($ip['bw_down'])) {
- $pipeno = $ruleno + 20001;
- mwexec("/sbin/ipfw pipe {$pipeno} config bw {$ip['bw_down']}Kbit/s queue 100");
- $bwdown = "pipe {$pipeno}";
- }
- mwexec("/sbin/ipfw table 1 add {$ip['ip']} {$bwup}");
- mwexec("/sbin/ipfw table 2 add {$ip['ip']} {$bwdown}");
+ if (isset($config['captiveportal']['enable']) && is_module_loaded("ipfw.ko")) {
+ $rules = captiveportal_allowedip_configure_entry($ip);
+ file_put_contents("{$g['tmp_path']}/allowedip_tmp", $rules);
+ mwexec("/sbin/ipfw {$g['tmp_path']}/allowedip_tmp");
+ @unlink("{$g['tmp_path']}/allowedip_tmp");
}
header("Location: services_captiveportal_ip.php");
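Review bot: The rules are written to the fixed path `{$g['tmp_path']}/allowedip_tmp` and then loaded by ipfw. With a fixed name in a temporary directory, two saves at the same time overwrite each other's rules, and `file_put_contents()` follows a file or symlink that already exists at that path. Use a unique name, `$tmpfile = tempnam($g['tmp_path'], "allowedip_");`, and pass `-q` as the other ipfw loads in this commit do. When an existing entry is edited, the old address also appears to stay in the tables, since nothing here removes it before the new entry is added.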
@@ -149,6 +140,22 @@ include("head.inc");
<form action="services_captiveportal_ip_edit.php" method="post" name="iform" id="iform">
<table width="100%" border="0" cellpadding="6" cellspacing="0">
<tr>
+ <td width="22%" valign="top" class="vncellreq">Direction</td>
+ <td width="78%" class="vtable">
+ <select name="dir" class="formfld">
+ <?php
+ $dirs = explode(" ", "Both From To") ;
+ foreach ($dirs as $dir): ?>
+ <option value="<?=strtolower($dir);?>" <?php if (strtolower($dir) == strtolower($pconfig['dir'])) echo "selected";?> >
+ <?=htmlspecialchars($dir);?>
+ </option>
+ <?php endforeach; ?>
+ </select>
+ <br>
+ <span class="vexpl">Use <em>From</em> to always allow an IP address through the captive portal (without authentication).
+ Use <em>To</em> to allow access from all clients (even non-authenticated ones) behind the portal to this IP address.</span></td>
+ </tr>
+ <tr>
<td width="22%" valign="top" class="vncellreq">IP address</td>
<td width="78%" class="vtable">
<?=$mandfldhtml;?><input name="ip" type="text" class="formfld unknown" id="ip" size="17" value="<?=htmlspecialchars($pconfig['ip']);?>">
diff --git a/usr/local/www/services_captiveportal_mac.php b/usr/local/www/services_captiveportal_mac.php
index dd5fdfe..7c40b85 100755
--- a/usr/local/www/services_captiveportal_mac.php
+++ b/usr/local/www/services_captiveportal_mac.php
@@ -74,13 +74,12 @@ if ($_POST) {
}
}
if ($found == true) {
- $ip = captiveportal_get_ipfw_ruleno_byvalue($_POST['delmac']);
- if ($ip) {
- captiveportal_disconnect_client($ip);
+ $ruleno = captiveportal_get_ipfw_passthru_ruleno($_POST['delmac']);
+ if ($ruleno) {
+ mwexec("/sbin/ipfw delete {$ruleno}; /sbin/ipfw delete " . ++$ruleno);
}
unset($a_passthrumacs[$idx]);
write_config();
- captiveportal_passthrumac_configure(true);
}
}
exit;
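Review bot: `mwexec("/sbin/ipfw delete {$ruleno}; /sbin/ipfw delete " . ++$ruleno);` places the return value of `captiveportal_get_ipfw_passthru_ruleno()` directly into a shell command line, and the same line is added in the `act=del` hunk that follows. That function is not shown here; unless it is guaranteed to return an integer, cast first with `$ruleno = intval($ruleno);` and skip the delete when the result is not positive. The `++$ruleno` appears to rely on each pass-through MAC owning two consecutive rule numbers, which deserves a comment such as `/* each passthru MAC owns rules N and N+1 */`. The enclosing `if ($_POST)` block starts above the hunk.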
@@ -89,14 +88,13 @@ if ($_POST) {
if ($_GET['act'] == "del") {
if ($a_passthrumacs[$_GET['id']]) {
- $ip = captiveportal_get_ipfw_ruleno_byvalue($a_passthrumacs[$_GET['id']]['mac']);
- if ($ip) {
- captiveportal_disconnect_client($ip);
+ $ruleno = captiveportal_get_ipfw_passthru_ruleno($a_passthrumacs[$_GET['id']]['mac']);
+ if ($ruleno) {
+ mwexec("/sbin/ipfw delete {$ruleno}; /sbin/ipfw delete " . ++$ruleno);
}
unset($a_passthrumacs[$_GET['id']]);
write_config();
header("Location: services_captiveportal_mac.php");
- mark_subsystem_dirty('passthrumac');
exit;
}
}
diff --git a/usr/local/www/services_captiveportal_mac_edit.php b/usr/local/www/services_captiveportal_mac_edit.php
index 89e2757..ac7b341 100755
--- a/usr/local/www/services_captiveportal_mac_edit.php
+++ b/usr/local/www/services_captiveportal_mac_edit.php
@@ -120,8 +120,6 @@ if ($_POST) {
write_config();
- mark_subsystem_dirty('passthrumac');
-
header("Location: services_captiveportal_mac.php");
exit;
}
diff --git a/usr/local/www/vpn_openvpn_client.php b/usr/local/www/vpn_openvpn_client.php
index 14a4af6..831be25 100644
--- a/usr/local/www/vpn_openvpn_client.php
+++ b/usr/local/www/vpn_openvpn_client.php
@@ -341,6 +341,7 @@ function autotls_change() {
$tab_array[] = array(gettext("Client"), true, "vpn_openvpn_client.php");
$tab_array[] = array(gettext("Client Specific Overrides"), false, "vpn_openvpn_csc.php");
$tab_array[] = array(gettext("Wizards"), false, "wizard.php?xml=openvpn_wizard.xml");
+ $tab_array[] = array(gettext("Logs"), false, "diag_logs_openvpn.php");
add_package_tabs("OpenVPN", $tab_array);
display_top_tabs($tab_array);
?>
diff --git a/usr/local/www/vpn_openvpn_csc.php b/usr/local/www/vpn_openvpn_csc.php
index 2408af0..b70404f 100644
--- a/usr/local/www/vpn_openvpn_csc.php
+++ b/usr/local/www/vpn_openvpn_csc.php
@@ -291,6 +291,7 @@ function netbios_change() {
$tab_array[] = array(gettext("Client"), false, "vpn_openvpn_client.php");
$tab_array[] = array(gettext("Client Specific Overrides"), true, "vpn_openvpn_csc.php");
$tab_array[] = array(gettext("Wizards"), false, "wizard.php?xml=openvpn_wizard.xml");
+ $tab_array[] = array(gettext("Logs"), false, "diag_logs_openvpn.php");
add_package_tabs("OpenVPN", $tab_array);
display_top_tabs($tab_array);
?>
diff --git a/usr/local/www/vpn_openvpn_server.php b/usr/local/www/vpn_openvpn_server.php
index 4f0d59d..f19a216 100644
--- a/usr/local/www/vpn_openvpn_server.php
+++ b/usr/local/www/vpn_openvpn_server.php
@@ -504,6 +504,7 @@ function netbios_change() {
$tab_array[] = array(gettext("Client"), false, "vpn_openvpn_client.php");
$tab_array[] = array(gettext("Client Specific Overrides"), false, "vpn_openvpn_csc.php");
$tab_array[] = array(gettext("Wizards"), false, "wizard.php?xml=openvpn_wizard.xml");
+ $tab_array[] = array(gettext("Logs"), false, "diag_logs_openvpn.php");
add_package_tabs("OpenVPN", $tab_array);
display_top_tabs($tab_array);
?>
diff --git a/usr/local/www/wizards/openvpn_wizard.xml b/usr/local/www/wizards/openvpn_wizard.xml
index bba38c8..01d5d57 100644
--- a/usr/local/www/wizards/openvpn_wizard.xml
+++ b/usr/local/www/wizards/openvpn_wizard.xml
@@ -204,21 +204,21 @@
</field>
<field>
<name>nameattr</name>
- <displayname>User naming attribute</displayname>
+ <displayname>User Naming Attribute</displayname>
<type>input</type>
<bindstofield>ovpnserver->step2->nameattr</bindstofield>
- <description>Typically "cn" (OpenLDAP, Novell eDirectory), "samAccountName" (Microsoft AD), </description>
+ <description>Typically "cn" (OpenLDAP, Novell eDirectory), "samAccountName" (Microsoft AD)</description>
</field>
<field>
<name>groupattr</name>
- <displayname>Group naming attribute</displayname>
+ <displayname>Group Naming Attribute</displayname>
<type>input</type>
<bindstofield>ovpnserver->step2->groupattr</bindstofield>
<description>Typically "cn" (OpenLDAP, Microsoft AD, and Novell eDirectory)</description>
</field>
<field>
<name>memberattr</name>
- <displayname>Member naming attribute</displayname>
+ <displayname>Member Naming Attribute</displayname>
<type>input</type>
<bindstofield>ovpnserver->step2->memberattr</bindstofield>
<description>Typically "member" (OpenLDAP), "memberOf" (Microsoft AD), "uniqueMember" (Novell eDirectory)</description>
@@ -611,7 +611,7 @@
</field>
<field>
<name>localport</name>
- <displayname>Local port</displayname>
+ <displayname>Local Port</displayname>
<description>Local port upon which OpenVPN will listen for connections. The default port is 1194. Leave this blank unless you need to use a different port.</description>
<type>input</type>
<size>10</size>
@@ -678,7 +678,7 @@
<field>
<name>crypto</name>
<type>select</type>
- <displayname>Encryption algorithm</displayname>
+ <displayname>Encryption Algorithm</displayname>
<bindstofield>ovpnserver->step10->crypto</bindstofield>
<options>
<option>
@@ -693,7 +693,7 @@
<name>Tunnel Settings</name>
</field>
<field>
- <displayname>Tunnel network</displayname>
+ <displayname>Tunnel Network</displayname>
<name>tunnelnet</name>
<type>input</type>
<size>20</size>
@@ -708,7 +708,7 @@
<bindstofield>ovpnserver->step10->rdrgw</bindstofield>
</field>
<field>
- <displayname>Local network</displayname>
+ <displayname>Local Network</displayname>
<name>localnet</name>
<type>input</type>
<size>20</size>
@@ -716,7 +716,7 @@
<description>This is the network that will be accessible from the remote endpoint, expressed as a CIDR range. You may leave this blank if you don't want to add a route to the local network through this tunnel on the remote machine. This is generally set to your LAN network.</description>
</field>
<field>
- <displayname>Remote network</displayname>
+ <displayname>Remote Network</displayname>
<name>remotenet</name>
<type>input</type>
<size>20</size>
@@ -746,7 +746,7 @@
<bindstofield>ovpnserver->step10->tos</bindstofield>
</field>
<field>
- <displayname>Inter-client communication</displayname>
+ <displayname>Inter-Client Communication</displayname>
<name>interclient</name>
<type>checkbox</type>
<description>Allow communication between clients connected to this server.</description>