author | gnhb <gnoahb@gmail.com> | 2010-05-12 19:27:12 +0700 |
---|---|---|
committer | gnhb <gnoahb@gmail.com> | 2010-05-12 19:27:12 +0700 |
commit | 37df6d7b15905be3dd198d9c17f19a1697beea9f (patch) | |
tree | ef071adda82633630b88de0041b20f757c82bb89 /etc/inc | |
parent | 04d36b1f1fdff85cd902b9aa15103b98475b4777 (diff) | |
parent | e256e9d4d1dedb1418204d2879c7dcf7edcf2137 (diff) | |
Merge branch 'master' of http://gitweb.pfsense.org/pfsense/mainline into mlppp
Conflicts:
etc/inc/upgrade_config.inc
Diffstat (limited to 'etc/inc')
-rw-r--r-- | etc/inc/auth.inc | 30 | ||||
-rw-r--r-- | etc/inc/captiveportal.inc | 229 | ||||
-rw-r--r-- | etc/inc/config.lib.inc | 2 | ||||
-rw-r--r-- | etc/inc/dyndns.class | 2 | ||||
-rw-r--r-- | etc/inc/filter.inc | 423 | ||||
-rw-r--r-- | etc/inc/gwlb.inc | 113 | ||||
-rw-r--r-- | etc/inc/interfaces.inc | 12 | ||||
-rw-r--r-- | etc/inc/ipsec.inc | 10 | ||||
-rw-r--r-- | etc/inc/openvpn.inc | 7 | ||||
-rw-r--r-- | etc/inc/rrd.inc | 16 | ||||
-rw-r--r-- | etc/inc/shaper.inc | 46 | ||||
-rw-r--r-- | etc/inc/system.inc | 20 | ||||
-rw-r--r-- | etc/inc/upgrade_config.inc | 104 | ||||
-rw-r--r-- | etc/inc/vpn.inc | 33 | ||||
-rw-r--r-- | etc/inc/xmlparse.inc | 2 | ||||
-rw-r--r-- | etc/inc/xmlreader.inc | 158 |
16 files changed, 787 insertions, 420 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc index 83fd02c..d1be73e 100644 --- a/etc/inc/auth.inc +++ b/etc/inc/auth.inc @@ -269,19 +269,8 @@ function local_user_set(& $user) { fwrite($fd, $user['password']); pclose($fd); $user_group = "wheel"; - $user_home = "/root"; } - /* admin user special handling */ - if ($user_uid == 0) { - $cmd = "/usr/sbin/pw usermod -q -n admin -s /bin/sh -H 0"; - if($debug) - log_error("Running: {$cmd}"); - $fd = popen($cmd, "w"); - fwrite($fd, $user['password']); - pclose($fd); - $user_group = "wheel"; - } /* read from pw db */ $fd = popen("/usr/sbin/pw usershow {$user_name} 2>&1", "r"); @@ -289,10 +278,11 @@ function local_user_set(& $user) { pclose($fd); /* determine add or mod */ - if (!strncmp($pwread, "pw:", 3)) - $user_op = "useradd"; - else + if (!strncmp($pwread, "pw:", 3)) { + $user_op = "useradd -o"; + } else { $user_op = "usermod"; + } /* add or mod pw db */ $cmd = "/usr/sbin/pw {$user_op} -q -u {$user_uid} -n {$user_name}". @@ -305,6 +295,18 @@ function local_user_set(& $user) { fwrite($fd, $user['password']); pclose($fd); + + /* admin user special handling */ + if ($user_uid == 0) { + $cmd = "/usr/sbin/pw usermod -q -n {$user_name} -s /bin/sh -H 0"; + if($debug) + log_error("Running: {$cmd}"); + $fd = popen($cmd, "w"); + fwrite($fd, $user['password']); + pclose($fd); + $user_group = "wheel"; + } + /* create user directory if required */ if (!is_dir($user_home)) { mkdir($user_home, 0700); diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc index be89ba5..31cc680 100644 --- a/etc/inc/captiveportal.inc +++ b/etc/inc/captiveportal.inc 
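Review bot: The relocated admin block in the third hunk still keys on `$user_uid == 0`, a loose comparison that in PHP 5 is also true for an empty or null `$user_uid`, so a user entry with no uid at all (whether the config can contain one is not visible — `$user_uid` is assigned before the first hunk) would be handed `-s /bin/sh` and a UID-0 password by the new `pw usermod -n {$user_name}` line; compare strictly after validating, e.g. `if (is_numeric($user_uid) && intval($user_uid) === 0) {`. That command also interpolates `$user_name` unquoted into a `popen()` shell string, as the useradd/usermod line above it already does; pass it as `escapeshellarg($user_name)` (and the uid likewise) or reject names that do not match `[A-Za-z0-9_.-]+` before this point. The second hunk's `useradd -o` deliberately lifts pw's duplicate-UID check, which is what lets a renamed admin account share UID 0 with root — worth a one-line comment such as `/* -o: the admin account shares UID 0 with root */`, since without it the flag reads like a mistake. local_user_set() starts before the first hunk and ends after the last.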
@@ -107,7 +107,7 @@ function captiveportal_configure() { unlink_if_exists("{$g['vardb_path']}/captiveportal_mac.db"); unlink_if_exists("{$g['vardb_path']}/captiveportal_ip.db"); unlink_if_exists("{$g['vardb_path']}/captiveportal_radius.db"); - mwexec("/sbin/ipfw table all flush"); + mwexec("/sbin/ipfw -q table all flush"); /* setup new database in case someone tries to access the status -> captive portal page */ touch("{$g['vardb_path']}/captiveportal.db"); @@ -118,7 +118,8 @@ function captiveportal_configure() { /* make sure ipfw is loaded */ if (!is_module_loaded("ipfw.ko")) filter_load_ipfw(); - if (isset($config['captiveportal']['peruserbw']) && !is_module_loaded("dummynet.ko")) + /* Always load dummynet now that even allowed ip and mac passthrough use it. */ + if (!is_module_loaded("dummynet.ko")) mwexec("/sbin/kldload dummynet"); /* generate ipfw rules */ @@ -126,7 +127,8 @@ function captiveportal_configure() { $cprules = captiveportal_rules_generate($cpinterface, $cpips); $cprules .= "\n"; /* generate passthru mac database */ - captiveportal_passthrumac_configure(true); + $cprules .= captiveportal_passthrumac_configure(true); + $cprules .= "\n"; /* allowed ipfw rules to make allowed ip work */ $cprules .= captiveportal_allowedip_configure(); @@ -228,7 +230,7 @@ EOD; fwrite($fd, $cprules); fclose($fd); - mwexec("/sbin/ipfw {$g['tmp_path']}/ipfw.cp.rules"); + mwexec("/sbin/ipfw -q {$g['tmp_path']}/ipfw.cp.rules"); @unlink("{$g['tmp_path']}/ipfw.cp.rules"); 
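Review bot: In the last hunk the return value of `mwexec("/sbin/ipfw -q {$g['tmp_path']}/ipfw.cp.rules")` is discarded and `-q` now silences ipfw's own diagnostics (and, if I read ipfw(8) right, makes it continue past a bad line instead of stopping), so a rule rejected by the kernel — say one built from a malformed bandwidth or MAC value — leaves a partial portal ruleset with nothing in the log. Check the exit status and say so: `if (mwexec("/sbin/ipfw -q {$g['tmp_path']}/ipfw.cp.rules") != 0) log_error("Captive portal: ipfw rejected part of {$g['tmp_path']}/ipfw.cp.rules");` — or, if ipfw still exits 0 under `-q`, drop `-q` for this one load and capture the output. captiveportal_configure() continues outside the hunk.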
@@ -327,12 +329,14 @@ EOD; $listifs = get_configured_interface_list_by_realif(); foreach ($listifs as $listrealif => $listif) { if (!empty($listrealif)) { - mwexec("/sbin/ifconfig {$listrealif} -ipfwfilter"); - $carpif = link_ip_to_carp_interface(find_interface_ip($listrealif)); - if (!empty($carpif)) { - $carpsif = explode(" ", $carpif); - foreach ($carpsif as $cpcarp) - mwexec("/sbin/ifconfig {$cpcarp} -ipfwfilter"); + if (does_interface_exist($listrealif)) { + mwexec("/sbin/ifconfig {$listrealif} -ipfwfilter"); + $carpif = link_ip_to_carp_interface(find_interface_ip($listrealif)); + if (!empty($carpif)) { + $carpsif = explode(" ", $carpif); + foreach ($carpsif as $cpcarp) + mwexec("/sbin/ifconfig {$cpcarp} -ipfwfilter"); + } } } } 
@@ -346,30 +350,30 @@ EOD; function captiveportal_rules_generate($cpif, &$cpiparray) { global $config, $g; - $cprules = "add 65301 set 1 allow pfsync from any to any\n"; - $cprules .= "add 65302 set 1 allow carp from any to any\n"; + $cprules = "add 65291 set 1 allow pfsync from any to any\n"; + $cprules .= "add 65292 set 1 allow carp from any to any\n"; $cprules .= <<<EOD -# add 65305 set 1 skipto 65534 all from any to any not layer2 +# add 65300 set 1 skipto 65534 all from any to any not layer2 # layer 2: pass ARP -add 65310 set 1 pass layer2 mac-type arp +add 65301 set 1 pass layer2 mac-type arp # pfsense requires for WPA -add 65311 set 1 pass layer2 mac-type 0x888e -add 65312 set 1 pass layer2 mac-type 0x88c7 +add 65302 set 1 pass layer2 mac-type 0x888e +add 65303 set 1 pass layer2 mac-type 0x88c7 # PPP Over Ethernet Discovery Stage -add 65313 set 1 pass layer2 mac-type 0x8863 +add 65304 set 1 pass layer2 mac-type 0x8863 # PPP Over Ethernet Session Stage -add 65314 set 1 pass layer2 mac-type 0x8864 +add 65305 set 1 pass layer2 mac-type 0x8864 # Allow WPA -add 65315 set 1 pass layer2 mac-type 0x888e +add 65306 set 1 pass layer2 mac-type 0x888e # layer 2: block anything else non-IP -add 65316 set 1 deny layer2 not mac-type ip +add 65307 set 1 deny layer2 not mac-type ip EOD; - $rulenum = 65320; + $rulenum = 65310; $ips = "255.255.255.255 "; foreach ($cpiparray as $cpip) $ips .= "or {$cpip} "; 
@@ -403,16 +407,35 @@ EOD; } if (!empty($config['system']['webgui']['port'])) $port = $config['system']['webgui']['port']; - else if ($config['system']['webgui']['proto'] == "https") - $port = 443; - else + else if ($config['system']['webgui']['proto'] == "http") $port = 80; + else + $port = 443; $rulenum++; $cprules .= "add {$rulenum} set 1 pass tcp from any to {$ips} {$port} in \n"; $rulenum++; $cprules .= "add {$rulenum} set 1 pass tcp from {$ips} {$port} to any out \n"; $rulenum++; + /* Allowed ips */ + $cprules .= "add {$rulenum} allow ip from table(3) to any in\n"; + $rulenum++; + $cprules .= "add {$rulenum} allow ip from any to table(4) out\n"; + $rulenum++; + $cprules .= "add {$rulenum} pipe tablearg ip from table(5) to any in\n"; + $rulenum++; + $cprules .= "add {$rulenum} pipe tablearg ip from any to table(6) out\n"; + $rulenum++; + $cprules .= "add {$rulenum} allow ip from any to table(7) in\n"; + $rulenum++; + $cprules .= "add {$rulenum} allow ip from table(8) to any out\n"; + $rulenum++; + $cprules .= "add {$rulenum} pipe tablearg ip from any to table(9) in\n"; + $rulenum++; + $cprules .= "add {$rulenum} pipe tablearg ip from table(10) to any out\n"; + $rulenum++; + + /* Authenticated users rules. */ if (isset($config['captiveportal']['peruserbw'])) { $cprules .= "add {$rulenum} set 1 pipe tablearg ip from table(1) to any in\n"; $rulenum++; 
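Review bot: The eight new `allow`/`pipe tablearg` rules for tables 3–10 are the only rules this function emits without `set 1` — the `pass tcp` lines just above and the peruserbw `pipe tablearg` lines just below all carry it — so they land in set 0. If the portal relies on `ipfw set disable 1` / `ipfw delete set 1` anywhere to switch itself off (not visible here), these rules would survive that and keep admitting the allowed-IP traffic. Unless set 0 is intended, write them as `$cprules .= "add {$rulenum} set 1 allow ip from table(3) to any in\n";` and so on. Flipping the webGUI port default so that anything but an explicit `http` maps to 443 is a sensible fail-safe; a short comment above the `else if` saying that is deliberate would stop someone "fixing" it back. captiveportal_rules_generate() continues outside the hunk.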
@@ -699,31 +722,119 @@ function captiveportal_radius_stop_all($lock = false) { unlock($captiveportallck); } +function captiveportal_passthrumac_configure_entry($macent) { + $rules = ""; + $enBwup = isset($macent['bw_up']); + $enBwdown = isset($macent['bw_down']); + $actionup = "allow"; + $actiondown = "allow"; + + if ($enBwup && $enBwdown) + $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, true); + else + $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, false); + + if ($enBwup) { + $bw_up = $ruleno + 20000; + $rules .= "pipe {$bw_up} config bw {$macent['bw_up']}Kbit/s queue 100\n"; + $actionup = "pipe {$bw_up}"; + } + if ($enBwdown) { + $bw_down = $ruleno + 20001; + $rules .= "pipe {$bw_down} config bw {$macent['bw_down']}Kbit/s queue 100\n"; + $actiondown = "pipe {$bw_down}"; + } + $rules .= "add {$ruleno} {$actionup} ip from any to any MAC {$macent['mac']} any\n"; + $ruleno++; + $rules .= "add {$ruleno} {$actiondown} ip from any to any MAC any {$macent['mac']}\n"; + + return $rules; +} + function captiveportal_passthrumac_configure($lock = false) { global $config, $g; - if (!$lock) - $captiveportallck = lock('captiveportal'); - - /* clear out passthru macs, if necessary */ - unlink_if_exists("{$g['vardb_path']}/captiveportal_mac.db"); + $rules = ""; if (is_array($config['captiveportal']['passthrumac'])) { $macdb = array(); foreach ($config['captiveportal']['passthrumac'] as $macent) { + $rules .= captiveportal_passthrumac_configure_entry($macent); $macdb[$macent['mac']]['active'] = true; - if (isset($macent['bw_up'])) - $macdb[$macent['mac']]['bw_up'] = $macent['bw_up']; - if (isset($macent['bw_down'])) - $macdb[$macent['mac']]['bw_down'] = $macent['bw_down']; } - /* record passthru MACs so can be recognized and let thru */ - file_put_contents("{$g['vardb_path']}/captiveportal_mac.db", serialize($macdb)); } - if (!$lock) - unlock($captiveportallck); + return $rules; +} + +/* + * table (3=IN)/(4=OUT) hold allowed ip's without bw limits + * table 
(5=IN)/(6=OUT) hold allowed ip's with bw limit. + */ +function captiveportal_allowedip_configure_entry($ipent) { + + $rules = ""; + $enBwup = isset($ipent['bw_up']); + $enBwdown = isset($ipent['bw_down']); + $bw_up = ""; + $bw_down = ""; + $tablein = array(); + $tableout = array(); + + if ($enBwup && $enBwdown) + $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, true); + else + $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, false); + + if ($ipent['dir'] == "from") { + if ($enBwup) + $tablein[] = 5; + else + $tablein[] = 3; + if ($enBwdown) + $tableout[] = 6; + else + $tableout[] = 4; + } else if ($ipent['dir'] == "to") { + if ($enBwup) + $tablein[] = 9; + else + $tablein[] = 7; + if ($enBwdown) + $tableout[] = 10; + else + $tableout[] = 8; + } else if ($ipent['dir'] == "both") { + if ($enBwup) { + $tablein[] = 5; + $tablein[] = 9; + } else { + $tablein[] = 3; + $tablein[] = 7; + } + if ($enBwdown) { + $tableout[] = 6; + $tableout[] = 10; + } else { + $tableout[] = 4; + $tableout[] = 8; + } + } + if ($enBwup) { + $bw_up = $ruleno + 20000; + $rules .= "pipe {$bw_up} config bw {$ipent['bw_up']}Kbit/s queue 100\n"; + } + foreach ($tablein as $table) + $rules .= "table {$table} add {$ipent['ip']} {$bw_up}\n"; + if ($enBwdown) { + $bw_down = $ruleno + 20001; + $rules .= "pipe {$bw_down} config bw {$ipent['bw_down']}Kbit/s queue 100\n"; + } + foreach ($tableout as $table) + $rules .= "table {$table} add {$ipent['ip']} {$bw_down}\n"; + + return $rules; } function captiveportal_allowedip_configure() { 
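Review bot: `captiveportal_passthrumac_configure_entry()` always emits two numbered rules (`add {$ruleno}` and, after `$ruleno++`, the next number) but only asks `captiveportal_get_next_ipfw_ruleno()` to reserve the second slot when both bw_up and bw_down are set, so unless `peruserbw` is on globally an entry with one or no limit leaves `$ruleno+1` free to be handed to the next entry or to a logged-in user — and because `ipfw delete N` removes every rule carrying N, freeing that user's rule would also drop the passthrough-MAC rule. The pipe numbers in `captiveportal_allowedip_configure_entry()` have the same problem: a neighbour's `$ruleno + 20000` collides with this entry's `$ruleno + 20001`. Reserve a pair unconditionally in both functions: `$ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, true);`. Separately, the `isset()` tests replace the `!empty() && is_numeric()` guard the old allowedip code had (visible in the next hunk), so an empty or non-numeric value now produces `pipe N config bw Kbit/s` in the rules file; use `$enBwup = isset($ipent['bw_up']) && is_numeric($ipent['bw_up']);` (and likewise for bw_down and the MAC entry) and validate `$macent['mac']` before interpolating it. `captiveportal_passthrumac_configure()` also keeps its `$lock` parameter but no longer takes the captiveportal lock, so any caller that passed `false` expecting to be serialised against the rule-number DB now runs unlocked — worth checking at the call sites.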
@@ -731,26 +842,8 @@ function captiveportal_allowedip_configure() { $rules = ""; if (is_array($config['captiveportal']['allowedip'])) { - $peruserbw = isset($config['captiveportal']['peruserbw']); foreach ($config['captiveportal']['allowedip'] as $ipent) { - $ruleno = captiveportal_get_next_ipfw_ruleno(); - $bw_up = ""; - $bw_down = ""; - if ($peruserbw) { - $bwup = isset($ipent['bw_up']) ? trim($ipent['bw_up']) : $config['captiveportal']['bwdefaultup']; - $bwdown = isset($ipent['bw_down']) ? trim($ipent['bw_down']) : $config['captiveportal']['bwdefaultdn']; - if (!empty($bwup) && is_numeric($bwup)) { - $bw_up = $ruleno + 20000; - $rules .= "pipe {$bw_up} config bw {$bw_up}Kbit/s queue 100\n"; - } - if (!empty($bwdown) && is_numeric($bwdown)) { - $bw_down = $ruleno + 20001; - $rules .= "pipe {$bw_down} config bw {$bw_down}Kbit/s queue 100\n"; - } - } - /* insert address in ipfw table */ - $rules .= "table 1 add {$ipent['ip']} ${bw_up}\n"; - $rules .= "table 2 add {$ipent['ip']} ${bw_down}\n"; + $rules .= captiveportal_allowedip_configure_entry($ipent); } } @@ -953,7 +1046,7 @@ function captiveportal_init_ipfw_ruleno($rulenos_start = 2000, $rulenos_range_ma * within the range specified based on the actual logged on users * */ -function captiveportal_get_next_ipfw_ruleno($rulenos_start = 2000, $rulenos_range_max = 49899) { +function captiveportal_get_next_ipfw_ruleno($rulenos_start = 2000, $rulenos_range_max = 49899, $usebw = false) { global $config, $g; if(!isset($config['captiveportal']['enable'])) @@ -975,7 +1068,7 @@ function captiveportal_get_next_ipfw_ruleno($rulenos_start = 2000, $rulenos_rang } $ruleno = $ridx; $rules[$ridx] = "used"; - if (isset($config['captiveportal']['peruserbw'])) + if (isset($config['captiveportal']['peruserbw']) || $usebw == true) $rules[++$ridx] = "used"; break; } 
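Review bot: In the last hunk `$usebw` makes the allocator mark a second slot (`$rules[++$ridx] = "used"`) but nothing records that the number is a pair, so `captiveportal_free_ipfw_ruleno()` (next hunk) depends on every caller remembering to pass the same flag back or the second slot is never returned to the pool. Either persist the width in the DB, e.g. `$rules[$ridx] = $usebw ? "used2" : "used";` and have the free side read it, or always allocate pairs and drop the flag. `$usebw == true` is also a loose comparison; `if (isset($config['captiveportal']['peruserbw']) || $usebw)` reads the same without the type juggling. captiveportal_get_next_ipfw_ruleno() continues outside the hunk.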
@@ -988,7 +1081,7 @@ function captiveportal_get_next_ipfw_ruleno($rulenos_start = 2000, $rulenos_rang return $ruleno; } -function captiveportal_free_ipfw_ruleno($ruleno) { +function captiveportal_free_ipfw_ruleno($ruleno, $usedbw = false) { global $config, $g; if(!isset($config['captiveportal']['enable'])) @@ -997,13 +1090,13 @@ function captiveportal_free_ipfw_ruleno($ruleno) { if (file_exists("{$g['vardb_path']}/captiveportal.rules")) { $rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportal.rules")); $rules[$ruleno] = false; - if (isset($config['captiveportal']['peruserbw'])) + if (isset($config['captiveportal']['peruserbw']) || $usedbw == true) $rules[++$ruleno] = false; file_put_contents("{$g['vardb_path']}/captiveportal.rules", serialize($rules)); } } -function captiveportal_get_ipfw_ruleno_byvalue($value) { +function captiveportal_get_ipfw_passthru_ruleno($value) { global $config, $g; if(!isset($config['captiveportal']['enable'])) @@ -1011,7 +1104,7 @@ function captiveportal_get_ipfw_ruleno_byvalue($value) { if (file_exists("{$g['vardb_path']}/captiveportal.rules")) { $rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportal.rules")); - $ruleno = intval(`/sbin/ipfw table 1 list | /usr/bin/grep {$value} | /usr/bin/grep -v grep | /usr/bin/cut -d " " -f 1 | /usr/bin/head -n 1`); + $ruleno = intval(`/sbin/ipfw show | /usr/bin/grep {$value} | /usr/bin/grep -v grep | /usr/bin/cut -d " " -f 1 | /usr/bin/head -n 1`); if ($rules[$ruleno]) return $ruleno; } @@ -1088,18 +1181,6 @@ function getNasIP() return $nasIp; } -function portal_mac_fixed($clientmac) { - global $g ; - - /* open captive portal mac db */ - if (file_exists("{$g['vardb_path']}/captiveportal_mac.db")) { - $macdb = unserialize(file_get_contents("{$g['vardb_path']}/captiveportal_mac.db")); - if (isset($macdb[$clientmac])) - return $macdb[$clientmac]; - } - return FALSE ; -} - function portal_ip_from_client_ip($cliip) { global $config; 
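Review bot: `captiveportal_get_ipfw_passthru_ruleno()` (third hunk) still builds a shell pipeline with `$value` interpolated unquoted into `grep {$value}`; if `$value` is ever a client-derived IP or MAC (its callers are outside this diff) that is a command-injection point, and even with trusted input a bare IP is a regex in which `.` matches anything, so `10.0.0.1` also matches `10.0.0.10` and `head -n 1` can return another rule's number — which the caller presumably goes on to delete. Quote and anchor it: `/usr/bin/grep -F -w ` . escapeshellarg($value), and drop `grep -v grep`, which is a leftover from the `ps` idiom and filters nothing here. Switching from `table 1 list` to `ipfw show` also widens the search to every rule, so a value that appears as a substring of an unrelated rule can be picked up; matching on the exact `MAC {$value}` / table-row form would narrow it.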
diff --git a/etc/inc/config.lib.inc b/etc/inc/config.lib.inc index 4d6ca8d..e0f63f6 100644 --- a/etc/inc/config.lib.inc +++ b/etc/inc/config.lib.inc @@ -484,7 +484,7 @@ function write_config($desc="Unknown", $backup = true) { if (!safe_write_file("{$g['cf_conf_path']}/config.xml", $xmlconfig, false)) { log_error("WARNING: Config contents could not be save. Could not open file!"); unlock($lockkey); - file_notice("Unable to open {$g['cf_conf_path']}/config.xml for writing in write_config()\n"); + file_notice("config.xml", "Unable to open {$g['cf_conf_path']}/config.xml for writing in write_config()\n"); return -1; } diff --git a/etc/inc/dyndns.class b/etc/inc/dyndns.class index 29011fb..bf442fb 100644 --- a/etc/inc/dyndns.class +++ b/etc/inc/dyndns.class @@ -375,7 +375,7 @@ if (isset($this->_dnsWildcard) && $this->_dnsWildcard != "OFF") $this->_dnsWildcard = "ON"; curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser.':'.$this->_dnsPass); - $server = "https://updates.opendns.com/nic/update?hostname="; + $server = "https://updates.opendns.com/nic/update?hostname=". $this->_dnsHost; $port = ""; if($this->_dnsServer) $server = $this->_dnsServer; diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 5dc5cd5..d485de8 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -51,6 +51,9 @@ $time_based_rules = false; /* Used to hold the interface list that will be used on ruleset creation. */ $FilterIflist = array(); +/* Create a global array to avoid errors on rulesets. */ +$GatewaysList = array(); + /* Used for the hostname dns resolver */ $filterdns = ""; 
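Review bot: The changed dyndns.class line sends the OpenDNS username/password (`CURLOPT_USERPWD` on the line before it) to an `https://` URL while the context line just above keeps `CURLOPT_SSL_VERIFYPEER` at `FALSE`, so the credentials go to whatever answers for updates.opendns.com. Unless there is a known CA-bundle problem on the target image, this should be `curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);` with `curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);`. `$this->_dnsHost` is also concatenated into the query string raw; `urlencode($this->_dnsHost)` keeps an unusual hostname from breaking the request. The method containing this hunk starts and ends outside it.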
@@ -482,8 +485,12 @@ function filter_generate_aliases() { if(isset($config['aliases']['alias'])) { foreach ($config['aliases']['alias'] as $aliased) { $extraalias = ""; - $ip = find_interface_ip($aliased['address']); - $extraalias = " " . link_ip_to_carp_interface($ip); + /* + * XXX: i am not sure what this does so i am commenting it out for now, because as it is + * its quite dangerous! + * $ip = find_interface_ip($aliased['address']); + * $extraalias = " " . link_ip_to_carp_interface($ip); + */ $aliasnesting = array(); $aliasaddrnesting = array(); $addrlist = filter_generate_nested_alias($aliased['name'], $aliased['address'], $aliasnesting, $aliasaddrnesting); @@ -531,7 +538,7 @@ function filter_generate_aliases() { } function filter_generate_gateways() { - global $config, $g; + global $config, $g, $GatewaysList; $rules = "# Gateways\n"; @@ -588,6 +595,9 @@ function filter_generate_gateways() { } } + /* Create a global array to avoid errors on rulesets. */ + $GatewaysList = array_merge($GatewaysList, $GatewayGroupsList); + $rules .= "\n"; return $rules; 
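Review bot: In the last hunk `$GatewaysList = array_merge($GatewaysList, $GatewayGroupsList)` renumbers any key PHP treats as an integer, so a gateway or group named with bare digits would end up under 0, 1, … and the later `isset($GatewaysList[$rule['gateway']])` check would miss it and drop the rule's `route-to`; `$GatewaysList = $GatewayGroupsList + $GatewaysList;` keeps string and numeric keys alike. Whether `$GatewayGroupsList` is keyed by name is not visible — it is built before this hunk — so this may be moot if the GUI forbids numeric names. In the first hunk, the block commented out under `XXX: i am not sure what this does` would be better deleted than parked; git keeps the history, and an `XXX` nobody owns tends to stay forever. filter_generate_gateways() starts before its hunk.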
@@ -772,50 +782,136 @@ function filter_flush_state_table() { return mwexec("/sbin/pfctl -F state"); } -function filter_generate_reflection($rule, $nordr, $srcaddr, $dstport, &$starting_localhost_port, &$reflection_txt) { +function filter_get_reflection_interfaces($natif = "") { + global $FilterIflist; + + $nat_if_list = array(); + + foreach ($FilterIflist as $ifent => $ifname) { + if($ifname['if'] == $natif) + continue; + + /* Do not add reflection redirects for interfaces with gateways */ + if(interface_has_gateway($ifent)) + continue; + + $nat_if_list[] = $ifname['if']; + } + + return $nat_if_list; +} + +function filter_generate_reflection_nat($rule, $nat_ifs, $protocol, $target, $target_ip, $target_subnet = "") { + // Initialize natrules holder string + $natrules = ""; + + update_filter_reload_status("Creating reflection NAT rule for {$rule['descr']}..."); + + /* TODO: Add this option to port forwards page. */ + if(isset($rule['staticnatport'])) { + $static_port = " static-port"; + } else { + $static_port = " port 1024:65535"; + } + + if(!empty($protocol)) { + $protocol_text = " proto {$protocol}"; + } else { + $protocol_text = ""; + } + + $target_if_list = array(); + if(empty($target_subnet) || !is_numeric($target_subnet) || $target_subnet == 32) { + $target_if_list[] = guess_interface_from_ip($target_ip); + } else { + $target_if_list[] = guess_interface_from_ip(gen_subnet_max($target_ip, $target_subnet)); + } + + foreach ($target_if_list as $target_if) { + /* Only install additional NAT rules if the + * target is in the list of source networks */ + if(in_array($target_if, $nat_ifs)) { + $target_networks = "{$target_if}:network"; + + $natrules .= "no nat on {$target_if}{$protocol_text} from {$target_if} to {$target}\n"; + $natrules .= "nat on {$target_if}{$protocol_text} from {$target_networks} to {$target} -> {$target_if}{$static_port}\n"; + } + } + + return $natrules; +} + +function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_port, 
$dstport, &$starting_localhost_port, &$reflection_txt) { global $FilterIflist, $config; // Initialize natrules holder string $natrules = ""; $reflection_txt = array(); - if(!isset($config['system']['disablenatreflection'])) { + if(!empty($rdr_ifs)) { if($config['system']['reflectiontimeout']) $reflectiontimeout = $config['system']['reflectiontimeout']; else $reflectiontimeout = "2000"; - update_filter_reload_status("Setting up NAT Reflection"); - - $natrules .= "\n# Reflection redirects\n"; - $rdr_if_list = ""; - foreach ($FilterIflist as $ifent => $ifname) { - /* do not process interfaces with gateways*/ - if(interface_has_gateway($ifent)) - continue; + update_filter_reload_status("Creating reflection rule for {$rule['descr']}..."); - $rdr_if_list .= " " . $ifname['if']; - } - if (!empty($rdr_if_list)) + $rdr_if_list = implode(" ", $rdr_ifs); + if(count($rdr_ifs) > 1) $rdr_if_list = "{ {$rdr_if_list} }"; - update_filter_reload_status("Creating reflection rule for {$rule['descr']}..."); + $natrules .= "\n# Reflection redirects\n"; if($dstport[1]) $range_end = ($dstport[1]); else $range_end = ($dstport[0]); - $range_end++; - - /* TODO: support multiple ip's in an alias. 
*/ - if (is_alias($rule['destination']['address'])) - $dstaddr = filter_expand_alias($rule['destination']['address']); - else if(is_ipaddr($rule['destination']['address'])) - $dstaddr = $rule['destination']['address']; - else if (is_ipaddr($FilterIflist[$rule['interface']]['ip'])) - $dstaddr = $FilterIflist[$rule['interface']]['ip']; + + $dstaddr = explode(" ", $dstaddr_port); + if($dstaddr[2]) + $rflctintrange = $dstaddr[2]; else - return "\n"; + $rflctintrange = ""; + $dstaddr = $dstaddr[0]; + if(empty($dstaddr) || strtolower(trim($dstaddr)) == "port") + return ""; + + if(isset($rule['destination']['any'])) { + if(!$rule['interface']) + $natif = "wan"; + else + $natif = $rule['interface']; + + if(!isset($FilterIflist[$natif])) + return ""; + if(is_ipaddr($FilterIflist[$natif]['ip'])) + $dstaddr = $FilterIflist[$natif]['ip']; + else + return ""; + + if(!empty($FilterIflist[$natif]['sn'])) + $dstaddr = gen_subnet($dstaddr, $FilterIflist[$natif]['sn']) . '/' . $FilterIflist[$natif]['sn']; + } + + switch($rule['protocol']) { + case "tcp/udp": + $protocol = "{ tcp udp }"; + $reflect_protos = array('tcp', 'udp'); + break; + case "tcp": + case "udp": + $protocol = $rule['protocol']; + $reflect_protos = array($rule['protocol']); + break; + default: + return ""; + break; + } + + if(!empty($nordr)) { + $natrules .= "no rdr on {$rdr_if_list} proto {$protocol} from {$srcaddr} to {$dstaddr} port {$rflctintrange}\n"; + return $natrules; + } if (is_alias($rule['target'])) $target = filter_expand_alias($rule['target']); 
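Review bot: In `filter_generate_reflection()` the new `no rdr` early return interpolates `$rflctintrange` before it has been derived from `$dstport` — that only happens further down (`if(empty($rflctintrange)) $rflctintrange = "{$dstport[0]}:{$range_end}"`, two hunks later) — so when `$dstaddr_port` carries no third token the rule comes out as `... to {$dstaddr} port \n`, which pfctl rejects and which presumably takes the rest of the NAT rules down with it. `$range_end` is already computed at that point, so fill the default in before the return: `if(empty($rflctintrange)) $rflctintrange = ($range_end > $dstport[0]) ? "{$dstport[0]}:{$range_end}" : $dstport[0];`. `$dstaddr[2]` on an `explode()` result with fewer than three parts also raises an undefined-offset notice; `isset($dstaddr[2])` is the cheap fix. The function continues past the hunk.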
@@ -824,12 +920,11 @@ function filter_generate_reflection($rule, $nordr, $srcaddr, $dstport, &$startin else if (is_ipaddr($FilterIflist[$rule['target']]['ip'])) $target = $FilterIflist[$rule['target']]['ip']; else - return "\n"; + return ""; if($rule['local-port']) $lrange_start = $rule['local-port']; - if($range_end - $dstport[0] > 500) { - $range_end = $dstport[0]+1; + if(($range_end + 1) - $dstport[0] > 500) { log_error("Not installing nat reflection rules for a port range > 500"); /* only install reflection rules for < 19991 items */ } else if($starting_localhost_port < 19991) { 
@@ -846,55 +941,45 @@ function filter_generate_reflection($rule, $nordr, $srcaddr, $dstport, &$startin } $inetdport = $starting_localhost_port; - if(($range_end - 1) > $dstport[0]) { + if($range_end > $dstport[0]) { $rflctrange = "{$starting_localhost_port}"; - $delta = $range_end - $dstport[0] - 1; + $delta = $range_end - $dstport[0]; if(($starting_localhost_port + $delta) > 19990) { log_error("Installing partial nat reflection rules. Maximum 1,000 reached."); $delta = 19990 - $starting_localhost_port; + $range_end = $dstport[0] + $delta; + $rflctintrange = ""; } $starting_localhost_port = $starting_localhost_port + $delta; $rflctrange .= ":{$starting_localhost_port}"; - $rflctintrange = "{$dstport[0]}:{$range_end}"; + if(empty($rflctintrange)) + $rflctintrange = "{$dstport[0]}:{$range_end}"; if($rflctnorange) $toadd_array = range($loc_pt, $loc_pt + $delta); + $starting_localhost_port++; } else { $rflctrange = $starting_localhost_port; - $rflctintrange = $dstport[0]; + if(empty($rflctintrange)) + $rflctintrange = $dstport[0]; if($rflctnorange) $toadd_array = array($loc_pt); $starting_localhost_port++; } - switch($rule['protocol']) { - case "tcp/udp": - $protocol = "{ tcp udp }"; - foreach($toadd_array as $tda) { - $reflection_txt[] = "{$inetdport}\tstream\ttcp\tnowait/0\tnobody\t/usr/bin/nc\tnc -w {$reflectiontimeout} {$target} {$tda}\n"; - $reflection_txt[] = "{$inetdport}\tdgram\tudp\tnowait/0\tnobody\t/usr/bin/nc\tnc -u -w {$reflectiontimeout} {$target} {$tda}\n"; - $inetdport++; + foreach($toadd_array as $tda){ + foreach($reflect_protos as $reflect_proto) { + if($reflect_proto == "udp") { + $socktype = "dgram"; + $dash_u = "-u "; + } else { + $socktype = "stream"; + $dash_u = ""; } - $natrules .= "{$nordr}rdr on {$rdr_if_list} proto {$protocol} from {$srcaddr} to {$dstaddr} port {$rflctintrange} tag PFREFLECT" . - ($nordr == "" ? " -> 127.0.0.1 port {$rflctrange}" : "") . 
"\n"; - break; - case "tcp": - case "udp": - $protocol = $rule['protocol']; - if($protocol == "udp") { - $socktype = "dgram"; - $dash_u = "-u "; - } else { - $socktype = "stream"; - $dash_u = ""; - } - foreach($toadd_array as $tda){ - $reflection_txt[] = "{$inetdport}\t{$socktype}\t{$protocol}\tnowait/0\tnobody\t/usr/bin/nc\tnc {$dash_u}-w {$reflectiontimeout} {$target} {$tda}\n"; - $inetdport++; + $reflection_txt[] = "{$inetdport}\t{$socktype}\t{$reflect_proto}\tnowait/0\tnobody\t/usr/bin/nc\tnc {$dash_u}-w {$reflectiontimeout} {$target} {$tda}\n"; } - $natrules .= "{$nordr}rdr on {$rdr_if_list} proto {$protocol} from {$srcaddr} to {$dstaddr} port {$rflctintrange} tag PFREFLECT" . - ($nordr == "" ? " -> 127.0.0.1 port {$rflctrange}" : "") . "\n"; - break; + $inetdport++; } + $natrules .= "rdr on {$rdr_if_list} proto {$protocol} from {$srcaddr} to {$dstaddr} port {$rflctintrange} tag PFREFLECT -> 127.0.0.1 port {$rflctrange}\n"; } $reflection_txt = array_unique($reflection_txt); } 
@@ -983,8 +1068,27 @@ function filter_nat_rules_generate() { else $natif = $natent['interface']; $natif = $FilterIflist[$natif]['if']; - if($natif) - $natrules .= "binat on $natif from {$natent['internal']}/{$sn} to any -> {$natent['external']}/{$sn}\n"; + + if($natif) { + /* If reflection is enabled, turn on extra redirections + * for this rule by adding other interfaces to binat rule. */ + if(isset($config['system']['enablebinatreflection'])) { + $nat_if_list = filter_get_reflection_interfaces($natif); + } else { + $nat_if_list = array(); + } + + $nat_if_list = array_merge(array($natif), $nat_if_list); + //$binat_if_list = implode(" ", $nat_if_list); + //if(count($nat_if_list) > 1) + // $binat_if_list = "{ {$binat_if_list} }"; + + /* binat seems to currently only work with the first interface specified on the line */ + // $natrules .= "binat on {$binat_if_list} from {$natent['internal']}/{$sn} to any -> {$natent['external']}/{$sn}\n"; + foreach ($nat_if_list as $natifname) + $natrules .= "binat on {$natifname} from {$natent['internal']}/{$sn} to any -> {$natent['external']}/{$sn}\n"; + $natrules .= filter_generate_reflection_nat($rule, $nat_if_list, "", "{$natent['internal']}/{$sn}", $natent['internal'], $sn); + } } } $natrules .= "\n# Outbound NAT rules\n"; @@ -1176,17 +1280,6 @@ function filter_nat_rules_generate() { if(isset($rule['disabled'])) continue; - if (strtolower($rule['protocol']) == "tcp/udp") - $protocol = "{ tcp udp }"; - else - $protocol = strtolower($rule['protocol']); - - /* if item is an alias, expand */ - $srcport = ""; - $srcport[0] = alias_expand($rule['source']['port']); - if(!$srcport[0]) - $srcport = explode("-", $rule['source']['port']); - /* if item is an alias, expand */ $dstport = ""; $dstport[0] = alias_expand($rule['destination']['port']); 
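Review bot: The new `filter_generate_reflection_nat($rule, ...)` call in the 1:1/binat loop passes `$rule`, but this loop iterates `$natent` (see `$natent['interface']` and `$natent['internal']` on the surrounding lines) — unless `$rule` is assigned earlier in filter_nat_rules_generate(), which is outside the hunk, it is undefined or a stale value from another loop, so the `descr` in the reload status and the `staticnatport` check are read from the wrong entry. Pass the loop variable: `$natrules .= filter_generate_reflection_nat($natent, $nat_if_list, "", "{$natent['internal']}/{$sn}", $natent['internal'], $sn);`. The commented-out `$binat_if_list` lines would read better as the single sentence comment that already sits beside them than as dead code.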
@@ -1195,8 +1288,10 @@ function filter_nat_rules_generate() { /* if item is an alias, expand */ $localport = alias_expand($rule['local-port']); - if(!$localport || $rule['destination']['port'] == $rule['local-port']) { + if(!$localport || $dstport[0] == $localport) { $localport = ""; + } else if(is_alias($rule['destination']['port']) || is_alias($rule['local-port'])) { + $localport = " port {$localport}"; } else { if(($dstport[1]) && ($dstport[0] != $dstport[1])) { $localendport = $localport + ($dstport[1] - $dstport[0]); @@ -1207,8 +1302,22 @@ function filter_nat_rules_generate() { $localport = " port {$localport}"; } + switch(strtolower($rule['protocol'])) { + case "tcp/udp": + $protocol = "{ tcp udp }"; + break; + case "tcp": + case "udp": + $protocol = strtolower($rule['protocol']); + break; + default: + $protocol = strtolower($rule['protocol']); + $localport = ""; + break; + } + $target = alias_expand($rule['target']); - if(!$target) { + if(!$target && !isset($rule['nordr'])) { $natrules .= "# Unresolvable alias {$rule['target']}\n"; continue; /* unresolvable alias */ } 
@@ -1233,18 +1342,26 @@ function filter_nat_rules_generate() { $natif = $FilterIflist[$natif]['if']; - if (isset($rule['nordr'])) + if (isset($rule['nordr'])) { $nordr = "no "; - else + $rdrpass = ""; + } else $nordr = ""; - if($srcaddr <> "" && $dstaddr <> "") { - /* is rule a port range? */ - if($natif) - $natrules .= "{$nordr}rdr {$rdrpass}on {$natif} proto {$protocol} from {$srcaddr} to {$dstaddr}" . ($nordr == "" ? " -> {$target}{$localport}" : ""); + if(!isset($config['system']['disablenatreflection'])) { + $nat_if_list = filter_get_reflection_interfaces($natif); + } else { + $nat_if_list = array(); + } + + if($srcaddr <> "" && $dstaddr <> "" && $natif) { + $srcaddr = trim($srcaddr); + $dstaddr = trim($dstaddr); + + $natrules .= "{$nordr}rdr {$rdrpass}on {$natif} proto {$protocol} from {$srcaddr} to {$dstaddr}" . ($nordr == "" ? " -> {$target}{$localport}" : ""); /* Does this rule redirect back to a internal host? */ - if($dstaddr == "any" && !interface_has_gateway($rule['interface'])) { + if(isset($rule['destination']['any']) && !interface_has_gateway($rule['interface']) && !isset($rule['nordr'])) { $rule_interface_ip = find_interface_ip($natif); $rule_interface_subnet = find_interface_subnet($natif); $rule_subnet = gen_subnet($rule_interface_ip, $rule_interface_subnet); @@ -1252,7 +1369,7 @@ function filter_nat_rules_generate() { $natrules .= "no nat on {$natif} proto tcp from ({$natif}) to {$rule_subnet}/{$rule_interface_subnet}\n"; $natrules .= "nat on {$natif} proto tcp from {$rule_subnet}/{$rule_interface_subnet} to {$target} port {$dstport[0]} -> ({$natif})\n"; } - $natrules .= filter_generate_reflection($rule, $nordr, $srcaddr, $dstport, $starting_localhost_port, $reflection_rules); + $natrules .= filter_generate_reflection($rule, $nordr, $nat_if_list, $srcaddr, $dstaddr, $dstport, $starting_localhost_port, $reflection_rules); $natrules .= "\n"; foreach ($reflection_rules as $txtline) 
@@ -1324,7 +1441,7 @@ function filter_generate_address(& $rule, $target = "source", $isnat = false) { if(strstr($rule[$target]['network'], "opt")) { $optmatch = ""; $matches = ""; - if(preg_match("/opt([0-9]*)/", $rule[$target]['network'], $optmatch)) { + if(preg_match("/opt([0-9]*)$/", $rule[$target]['network'], $optmatch)) { $opt_ip = $FilterIflist["opt{$optmatch[1]}"]['ip']; if(!is_ipaddr($opt_ip)) return ""; @@ -1408,7 +1525,7 @@ function filter_generate_address(& $rule, $target = "source", $isnat = false) { } function filter_generate_user_rule($rule) { - global $config, $g, $FilterIflist; + global $config, $g, $FilterIflist, $GatewaysList; global $layer7_rules_list; if(isset($config['system']['developerspew'])) { @@ -1498,8 +1615,11 @@ function filter_generate_user_rule($rule) { } /* if user has selected a custom gateway, lets work with it */ else if($rule['gateway'] <> "") { - /* Add the load balanced gateways */ - $aline['route'] = " \$GW{$rule['gateway']} "; + if (isset($GatewaysList[$rule['gateway']])) + /* Add the load balanced gateways */ + $aline['route'] = " \$GW{$rule['gateway']} "; + else + log_error("The gateway: {$rule['gateway']} is invalid/unkown not using it."); } if(isset($rule['protocol'])) { 
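Review bot: In the last hunk, when `$rule['gateway']` is not in `$GatewaysList` the new branch logs and then lets the rule through without `route-to`, so a pass rule the operator wrote to force traffic through a specific gateway (a VPN, say) silently becomes an ordinary pass out the default route — a fail-open change in policy. Prefer to skip the rule instead (if this function returns the rule text, `return "";` after the `log_error`) or at least state the consequence and fix the typo: `log_error("Gateway {$rule['gateway']} is invalid/unknown; rule loaded without policy routing.");`. This also hard-wires an ordering dependency — `$GatewaysList` is only filled by filter_generate_gateways() — that deserves a comment on the `global` line. filter_generate_user_rule() continues past the hunk.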
@@ -1553,9 +1673,29 @@ function filter_generate_user_rule($rule) { if($type == "pass") { if(isset($rule['allowopts'])) $aline['allowopts'] = " allow-opts "; - if( isset($rule['source-track']) or isset($rule['max']) or isset($rule['max-src-nodes']) or isset($rule['max-src-conn']) or isset($rule['max-src-states']) ) - if($rule['protocol'] == "tcp") + + $aline['flags'] = ""; + if($rule['protocol'] == "tcp") { + if (isset($rule['tcpflags_any'])) + $aline['flags'] = "flags any "; + else if (!empty($rule['tcpflags2'])) { + $aline['flags'] = "flags "; + if (!empty($rule['tcpflags1'])) { + $flags1 = explode(",", $rule['tcpflags1']); + foreach ($flags1 as $flag1) + $aline['flags'] .= strtoupper($flag1[0]); + } + $aline['flags'] .= "/"; + if (!empty($rule['tcpflags2'])) { + $flags2 = explode(",", $rule['tcpflags2']); + foreach ($flags2 as $flag2) + $aline['flags'] .= strtoupper($flag2[0]); + } + $aline['flags'] .= " "; + } else $aline['flags'] = "flags S/SA "; + } + /* * # keep state * works with TCP, UDP, and ICMP. 
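Review bot: `$flag1[0]` and `$flag2[0]` take the first byte of each token straight from `explode(",", ...)`, so a value such as `syn, ack` or a trailing comma puts a space or an empty string into the `flags` clause and pfctl rejects the rule. Trim and skip empty tokens: `$flag1 = trim($flag1); if ($flag1 !== "") $aline['flags'] .= strtoupper($flag1[0]);` (same for `$flag2`). The inner `if (!empty($rule['tcpflags2']))` repeats the `else if` test just above it and can be dropped. filter_generate_user_rule continues outside the hunk.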
@@ -1574,30 +1714,37 @@ function filter_generate_user_rule($rule) { switch($rule['statetype']) { case "none": $noadvoptions = true; - $aline['flags'] = " no state "; + $aline['flags'] .= " no state "; break; case "modulate state": case "synproxy state": if($rule['protocol'] == "tcp") - $aline['flags'] = "{$rule['statetype']} "; + $aline['flags'] .= "{$rule['statetype']} "; + break; + case "sloppy state": + $aline['flags'] .= "keep state "; + $rule['sloppy'] = true; break; default: - $aline['flags'] = "{$rule['statetype']} "; + $aline['flags'] .= "{$rule['statetype']} "; + break; } } else - $aline['flags'] = "keep state "; + $aline['flags'] .= "keep state "; if($noadvoptions == false || $l7_present) - if( isset($rule['source-track']) and $rule['source-track'] <> "" or - isset($rule['max']) and $rule['max'] <> "" or - isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "" or - isset($rule['max-src-conn']) and $rule['max-src-conn'] <> "" or - isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> "" or - isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "" or - isset($rule['max-src-states']) and $rule['max-src-states'] <> "" or - isset($rule['statetimeout']) and $rule['statetimeout'] <> "" or - $l7_present) { + if( (isset($rule['source-track']) and $rule['source-track'] <> "") or + (isset($rule['max']) and $rule['max'] <> "") or + (isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "") or + (isset($rule['max-src-conn']) and $rule['max-src-conn'] <> "") or + (isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> "") or + (isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "") or + (isset($rule['max-src-states']) and $rule['max-src-states'] <> "") or + (isset($rule['statetimeout']) and $rule['statetimeout'] <> "") or + isset($rule['sloppy']) or $l7_present) { $aline['flags'] .= "( "; + if (isset($rule['sloppy'])) + $aline['flags'] .= "sloppy "; if(isset($rule['source-track']) and 
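Review bot: The new `sloppy state` case appends `keep state` and stashes `$rule['sloppy']` for use further down, where it is written inside the state-options parentheses, but nothing in the hunk says why the keyword is deferred; a short comment at `case "sloppy state":` would help: `/* "sloppy" is a state option, so flag it here and emit it inside the "( ... )" block below */`. Note that `isset($rule['sloppy'])` also fires if the rule array already carries a `sloppy` key from the config, which may or may not be intended. filter_generate_user_rule continues outside the hunk.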
$rule['source-track'] <> "") $aline['flags'] .= "source-track rule "; if(isset($rule['max']) and $rule['max'] <> "") @@ -1918,34 +2065,6 @@ pass out on \$IPsec all keep state label "IPsec internal host to host" EOD; - /* pass traffic between statically routed subnets and the subnet on the - * interface in question to avoid problems with complicated routing - * topologies - */ - if(isset($config['filter']['bypassstaticroutes']) && is_array($config['staticroutes']['route']) && count($config['staticroutes']['route'])) { - $ipfrules .= "anchor \"staticrouted\" \n"; - foreach ($config['staticroutes']['route'] as $route) { - $realif = guess_interface_from_ip(lookup_gateway_ip_by_name($route['gateway'])); - $friendly = convert_real_interface_to_friendly_interface_name($realif); - if(is_array($FilterIflist[$friendly])) { - $oc = $FilterIflist[$friendly]; - if($oc['ip']) { - $sa = $oc['sa']; - $sn = $oc['sn']; - $if = $oc['if']; - } - if($sa) { - $ipfrules .= <<<EOD -pass in quick on \${$oc['descr']} from {$sa}/{$sn} to {$route['network']} no state label "pass traffic between statically routed subnets" -pass in quick on \${$oc['descr']} from {$route['network']} to {$sa}/{$sn} no state label "pass traffic between statically routed subnets" -pass out quick on \${$oc['descr']} from {$sa}/{$sn} to {$route['network']} no state label "pass traffic between statically routed subnets" -pass out quick on \${$oc['descr']} from {$route['network']} to {$sa}/{$sn} no state label "pass traffic between statically routed subnets" - -EOD; - } - } - } - } if(!isset($config['system']['webgui']['noantilockout'])) { if(count($config['interfaces']) > 1 && !empty($FilterIflist['lan']['if'])) { /* if antilockout is enabled, LAN exists and has 
@@ -2033,6 +2152,35 @@ EOD; } } + /* pass traffic between statically routed subnets and the subnet on the + * interface in question to avoid problems with complicated routing + * topologies + */ + if(isset($config['filter']['bypassstaticroutes']) && is_array($config['staticroutes']['route']) && count($config['staticroutes']['route'])) { + $ipfrules .= "anchor \"staticrouted\" \n"; + foreach ($config['staticroutes']['route'] as $route) { + $realif = guess_interface_from_ip(lookup_gateway_ip_by_name($route['gateway'])); + $friendly = convert_real_interface_to_friendly_interface_name($realif); + if(is_array($FilterIflist[$friendly])) { + $oc = $FilterIflist[$friendly]; + if($oc['ip']) { + $sa = $oc['sa']; + $sn = $oc['sn']; + $if = $oc['if']; + } + if($sa) { + $ipfrules .= <<<EOD +pass quick on \${$oc['descr']} proto tcp from {$sa}/{$sn} to {$route['network']} flags any keep state(sloppy) label "pass traffic between statically routed subnets" +pass quick on \${$oc['descr']} from {$sa}/{$sn} to {$route['network']} keep state(sloppy) label "pass traffic between statically routed subnets" +pass quick on \${$oc['descr']} proto tcp from {$route['network']} to {$sa}/{$sn} flags any keep state(sloppy) label "pass traffic between statically routed subnets" +pass quick on \${$oc['descr']} from {$route['network']} to {$sa}/{$sn} keep state(sloppy) label "pass traffic between statically routed subnets" + +EOD; + } + } + } + } + update_filter_reload_status("Creating IPsec rules..."); $ipfrules .= filter_generate_ipsec_rules(); @@ -2457,8 +2605,12 @@ EOD; function discover_pkg_rules($ruletype) { global $config, $g; - if(!is_dir("/usr/local/pkg")) + + /* Bail if there is no pkg directory, or if the package files might be out of sync. */ + if(!is_dir("/usr/local/pkg") || file_exists('/conf/needs_package_sync')) return ""; + + $rules = ""; $files = split("\n", trim(`ls /usr/local/pkg/*.inc`)); foreach($files as $pkg_inc) { if($pkg_inc == "ls: No match.") 
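Review bot: In the relocated static-route block, `$sa`, `$sn` and `$if` are assigned only when `$oc['ip']` is set and are never reset between iterations, so a route whose interface has no address inherits the previous iteration's subnet and gets `pass quick` rules pairing the wrong interface with the wrong subnet. Reset them at the top of each iteration (`$sa = $sn = $if = "";`) or move the `if($sa)` block inside the `if($oc['ip'])` branch. Because these rules are `quick` and match both directions, a wrong subnet here bypasses the user rules for that traffic. The enclosing function starts and ends outside the hunk.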
@@ -2469,15 +2621,16 @@ function discover_pkg_rules($ruletype) { $pkg_generate_rules = "{$pkg}_generate_rules"; if(function_exists($pkg_generate_rules)) { update_filter_reload_status("Processing early {$ruletype} rules for package {$pkg_inc}"); - $rules .= $pkg_generate_rules("$ruletype"); - file_put_contents("{$g['tmp_path']}/rules.packages", $rules); - $status = mwexec("/sbin/pfctl -nf {$g['tmp_path']}/rules.packages"); + $tmprules = $pkg_generate_rules("$ruletype"); + file_put_contents("{$g['tmp_path']}/rules.test.packages", $tmprules); + $status = mwexec("/sbin/pfctl -nf {$g['tmp_path']}/rules.test.packages"); if ($status <> 0) { $errorrules = "There was an error while parsing the package filter rules for {$pkg_inc}.\n"; log_error($errorrules); file_put_contents("{$g['tmp_path']}/rules.packages.{$pkg_inc}", "#{$errorrules}\n"); - return ""; + continue; } + $rules .= $tmprules; } } return $rules; diff --git a/etc/inc/gwlb.inc b/etc/inc/gwlb.inc index 3506869..0dbf329 100644 --- a/etc/inc/gwlb.inc +++ b/etc/inc/gwlb.inc @@ -42,14 +42,11 @@ function setup_gateways_monitor() { $a_gateway_item = &$config['gateways']['gateway_item']; - if (is_array($config['gateways']['settings'])) { - $a_settings = &$config['gateways']['settings']; - } else { - $a_settings['latencylow'] = "200"; - $a_settings['latencyhigh'] = "500"; - $a_settings['losslow'] = "10"; - $a_settings['losshigh'] = "20"; - } + $a_settings = array(); + $a_settings['latencylow'] = "200"; + $a_settings['latencyhigh'] = "500"; + $a_settings['losslow'] = "10"; + $a_settings['losshigh'] = "20"; /* kill apinger process */ if(is_process_running("apinger")) 
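Review bot: Each package's rules are now validated with `pfctl -nf` on `$tmprules` alone, so a package is only proven parseable in isolation; rules that are fine by themselves but clash with what `$rules` already holds may not be caught until the full ruleset load. Writing `$rules . $tmprules` to the test file instead of `$tmprules` keeps the per-package attribution while testing the combination. The `continue` on failure is the right call over the old `return ""`, since one broken package no longer discards every other package's rules. discover_pkg_rules starts outside the hunk.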
@@ -149,9 +146,10 @@ EOD; if(is_array($gateways_arr)) { $i = 2; foreach($gateways_arr as $name => $gateway) { + $gwref = $a_gateway_item[$gateway['attribute']]; /* for dynamic gateways without an IP address we subtitute a local one */ - if((is_numeric($gateway['attribute'])) && is_ipaddr($a_gateway_item[$gateway['attribute']]['monitor'])) { - $gateway['monitor'] = $a_gateway_item[$gateway['attribute']]['monitor']; + if((is_numeric($gateway['attribute'])) && is_ipaddr($gwref['monitor'])) { + $gateway['monitor'] = $gwref['monitor']; } else { if(($gateway['gateway'] == "dynamic") && ($gateway['monitor'])) { $gateway['monitor'] = "127.0.0.{$i}"; 
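Review bot: `$gwref = $a_gateway_item[$gateway['attribute']];` is evaluated before the `is_numeric($gateway['attribute'])` test that used to guard the lookup, so a non-numeric attribute indexes `$a_gateway_item` with an arbitrary key and `$gwref` ends up null with a notice. Guarding it keeps the later `!empty($gwref[...])` checks meaningful: `$gwref = is_numeric($gateway['attribute']) ? $a_gateway_item[$gateway['attribute']] : array();`. setup_gateways_monitor continues outside the hunk.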
@@ -161,11 +159,59 @@ EOD; $gateway['monitor'] = $gateway['gateway']; } } - $apingerconfig .= "target \"{$gateway['monitor']}\" {\n"; - $apingerconfig .= " description \"{$gateway['name']}\"\n"; - $apingerconfig .= " rrd file \"{$g['vardb_path']}/rrd/{$gateway['name']}-quality.rrd\"\n"; - $apingerconfig .= "}\n"; - $apingerconfig .= "\n"; + + $apingercfg .= "target \"{$gateway['monitor']}\" {\n"; + $apingercfg .= " description \"{$gateway['name']}\"\n"; + $alarms = ""; + $override = false; + if (!empty($gwref['lowloss'])) { + $alarmscfg .= "alarm loss \"{$gateway['name']}loss\" {\n"; + $alarmscfg .= "\tpercent_low {$gwref['losslow']}\n"; + $alarmscfg .= "\tpercent_high {$gwref['losshigh']}\n"; + $alarmscfg .= "}\n"; + $alarms .= "\"{$gateway['name']}loss\""; + $override = true; + } else { + if ($override == true) + $alarms .= ","; + $alarms .= "\"loss\""; + $override = true; + } + if (!empty($gwref['latencylow'])) { + $alarmscfg .= "alarm delay \"{$gateway['name']}delay\" {\n"; + $alarmscfg .= "\tdelay_low {$gwref['latencylow']}ms\n"; + $alarmscfg .= "\tdelay_high {$gwref['latencyhigh']}ms\n"; + $alarmscfg .= "}\n"; + if ($override == true) + $alarms .= ","; + $alarms .= "\"{$gateway['name']}delay\""; + $override = true; + } else { + if ($override == true) + $alarms .= ","; + $alarms .= "\"delay\""; + $override = true; + } + if (!empty($gwref['down'])) { + $alarmscfg .= "alarm down \"{$gateway['name']}down\" {\n"; + $alarmscfg .= "\ttime {$gwref['down']}s\n"; + $alarmscfg .= "}\n"; + if ($override == true) + $alarms .= ","; + $alarms .= "\"{$gateway['name']}down\""; + $override = true; + } else { + if ($override == true) + $alarms .= ","; + $alarms .= "\"down\""; + $override = true; + } + if ($override == true) + $apingercfg .= "\talarms override {$alarms};\n"; + + $apingercfg .= " rrd file \"{$g['vardb_path']}/rrd/{$gateway['name']}-quality.rrd\"\n"; + $apingercfg .= "}\n"; + $apingercfg .= "\n"; if($gateway['monitor'] == $gateway['gateway']) { /* if the gateway 
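Review bot: The loss branch tests `!empty($gwref['lowloss'])` but then reads `$gwref['losslow']` and `$gwref['losshigh']`; the latency and down branches test and read the same key, so unless the config really stores a `lowloss` field the per-gateway loss alarm is never generated and the default `loss` alarm is always used. Suggest `if (!empty($gwref['losslow'])) {`. Separately, every branch sets `$override = true`, so the `if ($override == true)` guard before `alarms override` is always true and the comma bookkeeping could be replaced by collecting the names in an array and `implode(",", ...)`. The loop body starts and ends outside the hunk, and `$apingercfg`/`$alarmscfg` are not initialised within it.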
is the same as the monitor we do not add a * route as this will break the routing table */ @@ -179,6 +225,8 @@ EOD; } } } + $apingerconfig .= $alarmscfg; + $apingerconfig .= $apingercfg; } fwrite($fd, $apingerconfig); fclose($fd); @@ -222,32 +270,13 @@ function return_gateways_status() { } foreach($apingerstatus as $line) { - $fields = explode(":", $line); - switch($fields[0]) { - case "Target": - $target = trim($fields[1]); - break; - case "Description": - if($target) - $status[$target]['name'] = trim($fields[1]); - break; - case "Last reply received": - if($target) - $status[$target]['lastcheck'] = trim($fields[1]) .":". trim($fields[2]) .":". trim($fields[3]); - break; - case "Average delay": - if($target) - $status[$target]['delay'] = trim($fields[1]); - break; - case "Average packet loss": - if($target) - $status[$target]['loss'] = trim($fields[1]); - break; - case "Active alarms": - if($target) - $status[$target]['status'] = trim($fields[1]); - break; - } + $info = explode("|", $line); + $target = $info[0]; + $status[$target]['name'] = $info[1]; + $status[$target]['lastcheck'] = $info[4] ? date('r', $info[4]) : date('r'); + $status[$target]['delay'] = $info[5]; + $status[$target]['loss'] = $info[6]; + $status[$target]['status'] = trim($info[7]); } return($status); } @@ -370,7 +399,7 @@ function return_gateway_groups_array() { } else { $tiers[$tier][] = $gwname; } - } elseif (stristr($status['status'], $delay)) { + } elseif (stristr($status['status'], "delay")) { if (strstr($group['trigger'] , "latency")) { /* high latency */ $msg = "MONITOR: $gwname has high latency, removing from routing group"; diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc index 6b42811..ca0af88 100644 --- a/etc/inc/interfaces.inc +++ b/etc/inc/interfaces.inc 
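Review bot: The new parser in return_gateways_status indexes `$info[0]`..`$info[7]` without checking how many fields `explode("|", $line)` produced, so a blank or truncated line (a trailing newline in the apinger output is enough) creates a `$status[""]` entry and emits notices for the missing fields. Add `if (count($info) < 8) continue;` right after the `explode`. `date('r', $info[4])` is also handed a string; `(int)$info[4]` makes the intent explicit. The function starts outside the hunk.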
@@ -692,7 +692,7 @@ function interfaces_configure() { foreach($iflist as $if => $ifname) { $realif = $config['interfaces'][$if]['if']; - if(is_array($realif['pppoe']) && isset($realif['pppoe']['pppoe-reset-type'])) + if(is_array($config['interfaces'][$if]['pppoe']) && isset($config['interfaces'][$if]['pppoe']['pppoe-reset-type'])) setup_pppoe_reset_file($if, true); else setup_pppoe_reset_file($if, false); @@ -3121,17 +3121,19 @@ function link_ip_to_carp_interface($ip) { $carp_ints = ""; if (is_array($config['virtualip']['vip'])) { + $first = 0; + $carp_int = array(); foreach ($config['virtualip']['vip'] as $vip) { if ($vip['mode'] == "carp" || $vip['mode'] == "carpdev") { $carp_ip = $vip['subnet']; $carp_sn = $vip['subnet_bits']; $carp_nw = gen_subnet($carp_ip, $carp_sn); - if (ip_in_subnet($ip, "{$carp_nw}/{$carp_sn}")) { - if (!stristr($carp_ints, $carp_int)) - $carp_ints .= " {$carp_int}"; - } + if (ip_in_subnet($ip, "{$carp_nw}/{$carp_sn}")) + $carp_int[] = "vip{$vip['vhid']}"; } } + if (!empty($carp_int)) + $carp_ints = implode(" ", array_unique($carp_int)); } return $carp_ints; diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc index d80f1c2..0dd0fe0 100644 --- a/etc/inc/ipsec.inc +++ b/etc/inc/ipsec.inc @@ -453,4 +453,14 @@ function ipsec_dump_sad() return $sad; } +function ipsec_mobilekey_sort() { + global $config; + + function mobilekeycmp($a, $b) { + return strcmp($a['ident'][0], $b['ident'][0]); + } + + usort($config['ipsec']['mobilekey'], "mobilekeycmp"); +} + ?> diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc index 66a81fc..72630e7 100644 --- a/etc/inc/openvpn.inc +++ b/etc/inc/openvpn.inc 
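Review bot: `$first = 0;` added at the top of the rewritten block in link_ip_to_carp_interface is never read and should be dropped. The `array_unique` on `$carp_int` is still useful, since two VIPs with the same vhid would otherwise produce a duplicate `vipN`. The function starts outside the hunk.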
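Review bot: `mobilekeycmp` is declared inside `ipsec_mobilekey_sort`, so the second call to the outer function in the same request fails with a fatal "Cannot redeclare mobilekeycmp()". Move the comparator to file scope, or guard it: `if (!function_exists('mobilekeycmp')) { function mobilekeycmp($a, $b) { return strcmp($a['ident'][0], $b['ident'][0]); } }`. `usort` on a missing `$config['ipsec']['mobilekey']` also warns, so wrap the call in `if (is_array($config['ipsec']['mobilekey']))`; and if `ident` is a plain string, as the `{$key['ident']}` interpolation in vpn.inc suggests, `$a['ident'][0]` compares only its first character rather than the whole identifier.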
@@ -336,8 +336,8 @@ function openvpn_reconfigure($mode,& $settings) { $conf .= "persist-key\n"; $conf .= "proto {$proto}\n"; $conf .= "cipher {$cipher}\n"; - $conf .= "up /etc/rc.filter_configure\n"; - $conf .= "down /etc/rc.filter_configure\n"; + $conf .= "up /usr/local/sbin/ovpn-linkup\n"; + $conf .= "down /usr/local/sbin/ovpn-linkdown\n"; if (!empty($iface_ip)) { $conf .= "local {$iface_ip}\n"; @@ -424,6 +424,9 @@ function openvpn_reconfigure($mode,& $settings) { openvpn_add_dhcpopts($settings, $conf); break; } + + if ($settings['client2client']) + $conf .= "client-to-client\n"; } // client specific settings diff --git a/etc/inc/rrd.inc b/etc/inc/rrd.inc index b20fe55..fa2920e 100644 --- a/etc/inc/rrd.inc +++ b/etc/inc/rrd.inc @@ -37,7 +37,7 @@ function dump_rrd_to_xml($rrddatabase, $xmldumpfile) { $rrdtool = "/usr/bin/nice -n20 /usr/local/bin/rrdtool"; if(file_exists($xmldumpfile)) - exec("rm {$xmldumpfile}"); + mwexec("rm {$xmldumpfile}"); exec("$rrdtool dump {$rrddatabase} {$xmldumpfile} 2>&1", $dumpout, $dumpret); if ($dumpret <> 0) { @@ -275,7 +275,7 @@ function enable_rrd_graphing() { /* enter UNKNOWN values in the RRD so it knows we rebooted. */ if($g['booting']) { - exec("$rrdtool update $rrddbpath$ifname$traffic N:U:U:U:U"); + mwexec("$rrdtool update $rrddbpath$ifname$traffic N:U:U:U:U"); } $rrdupdatesh .= "\n"; @@ -301,7 +301,7 @@ function enable_rrd_graphing() { /* enter UNKNOWN values in the RRD so it knows we rebooted. */ if($g['booting']) { - exec("$rrdtool update $rrddbpath$ifname$packets N:U:U:U:U"); + mwexec("$rrdtool update $rrddbpath$ifname$packets N:U:U:U:U"); } $rrdupdatesh .= "\n"; @@ -327,7 +327,7 @@ function enable_rrd_graphing() { /* enter UNKNOWN values in the RRD so it knows we rebooted. */ if($g['booting']) { - exec("$rrdtool update $rrddbpath$ifname$wireless N:U:U:U"); + mwexec("$rrdtool update $rrddbpath$ifname$wireless N:U:U:U"); } $rrdupdatesh .= "\n"; 
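Review bot: Switching `exec` to `mwexec` on `rm {$xmldumpfile}` still sends the path through a shell unquoted; `unlink($xmldumpfile)` does the same job with no shell and no quoting concerns, and the `file_exists` test already guards it: `if(file_exists($xmldumpfile)) unlink($xmldumpfile);`. The unchanged `exec("$rrdtool dump ...")` line below has the same shape and would benefit from `escapeshellarg` on both paths. dump_rrd_to_xml continues outside the hunk.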
@@ -466,7 +466,7 @@ function enable_rrd_graphing() { /* enter UNKNOWN values in the RRD so it knows we rebooted. */ if($g['booting']) { - exec("$rrdtool update $rrddbpath$ifname$states N:U:U:U:U:U"); + mwexec("$rrdtool update $rrddbpath$ifname$states N:U:U:U:U:U"); } /* the pf states gathering function. */ @@ -500,7 +500,7 @@ function enable_rrd_graphing() { /* enter UNKNOWN values in the RRD so it knows we rebooted. */ if($g['booting']) { - exec("$rrdtool update $rrddbpath$ifname$proc N:U:U:U:U:U"); + mwexec("$rrdtool update $rrddbpath$ifname$proc N:U:U:U:U:U"); } /* the CPU stats gathering function. */ @@ -538,7 +538,7 @@ function enable_rrd_graphing() { /* enter UNKNOWN values in the RRD so it knows we rebooted. */ if($g['booting']) { - exec("$rrdtool update $rrddbpath$ifname$mem N:U:U:U:U:U"); + mwexec("$rrdtool update $rrddbpath$ifname$mem N:U:U:U:U:U"); } /* the Memory stats gathering function. */ @@ -597,7 +597,7 @@ function enable_rrd_graphing() { /* enter UNKNOWN values in the RRD so it knows we rebooted. */ if($g['booting']) { - exec("$rrdtool update $rrddbpath$ifname$cellular N:U:U"); + mwexec("$rrdtool update $rrddbpath$ifname$cellular N:U:U"); } $rrdupdatesh .= "\n"; diff --git a/etc/inc/shaper.inc b/etc/inc/shaper.inc index 9a023eb..96712bf 100644 --- a/etc/inc/shaper.inc +++ b/etc/inc/shaper.inc @@ -513,7 +513,7 @@ class altq_root_queue { * this->queues[$qkey]->build_rule(); */ function build_rules() { - if (count($this->queues) > 0 && $this->GetEnabled()) { + if (count($this->queues) > 0 && $this->GetEnabled() == "on") { $rules = " altq on " . get_real_interface($this->GetInterface()); if ($this->GetScheduler()) $rules .= " ".strtolower($this->GetScheduler()); 
@@ -593,7 +593,15 @@ class altq_root_queue { * to the user like the traffic wizard does. */ function build_form() { - $form = "<tr><td valign=\"top\" class=\"vncellreq\"><br><span class=\"vexpl\">Name</span></td>"; + $form = "<tr><td valign=\"top\" class=\"vncellreq\"><br>"; + $form .= "Enable/Disable"; + $form .= "</td><td class=\"vncellreq\">"; + $form .= " <input type=\"checkbox\" id=\"enabled\" name=\"enabled\" value=\"on\""; + if ($this->GetEnabled() == "on") + $form .= " CHECKED"; + $form .= " ><span class=\"vexpl\"> Enable/Disable discipline and its childs</span>"; + $form .= "</td></tr>"; + $form .= "<tr><td valign=\"top\" class=\"vncellreq\"><br><span class=\"vexpl\">Name</span></td>"; $form .= "<td class=\"vncellreq\">"; $form .= "<strong>".$this->GetQname()."</strong>"; $form .= "</td></tr>"; @@ -1067,6 +1075,14 @@ class priq_queue { * need to update it. */ function build_form() { + $form = "<tr><td valign=\"top\" class=\"vncellreq\"><br>"; + $form .= "Enable/Disable"; + $form .= "</td><td class=\"vncellreq\">"; + $form .= " <input type=\"checkbox\" id=\"enabled\" name=\"enabled\" value=\"on\""; + if ($this->GetEnabled() == "on") + $form .= " CHECKED"; + $form .= " ><span class=\"vexpl\"> Enable/Disable queue and its childs</span>"; + $form .= "</td></tr>"; $form .= "<tr>"; $form .= "<td width=\"22%\" valign=\"top\" class=\"vncellreq\">"; $form .= "Queue Name</td><td width=\"78%\" class=\"vtable\">"; 
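Review bot: The eight-line Enable/Disable checkbox block added to `altq_root_queue::build_form` is copied verbatim into `priq_queue::build_form` in the next hunk and again into `dnpipe_class::build_form` and `dnqueue_class::build_form` on the following line, differing only in the label text; a small shared helper that takes the label and the enabled state and returns the `<tr>` markup would keep the four forms (and the `value="on"` / `CHECKED` convention) in sync. The `$form = ...` that now opens `priq_queue::build_form` also fixes the previous first statement `$form .= "<tr>"` appending to an undefined variable, which is worth a mention in the commit. Each build_form body continues outside its hunk.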
@@ -2907,7 +2923,15 @@ class dnpipe_class extends dummynet_class { } function build_form() { - $form = "<tr><td valign=\"top\" class=\"vncellreq\"><br><span class=\"vexpl\">Name</span></td>"; + $form = "<tr><td valign=\"top\" class=\"vncellreq\"><br>"; + $form .= "Enable/Disable"; + $form .= "</td><td class=\"vncellreq\">"; + $form .= " <input type=\"checkbox\" id=\"enabled\" name=\"enabled\" value=\"on\""; + if ($this->GetEnabled() == "on") + $form .= " CHECKED"; + $form .= " ><span class=\"vexpl\"> Enable/Disable limiter and its childs</span>"; + $form .= "</td></tr>"; + $form .= "<tr><td valign=\"top\" class=\"vncellreq\"><br><span class=\"vexpl\">Name</span></td>"; $form .= "<td class=\"vncellreq\">"; $form .= "<input type=\"text\" id=\"name\" name=\"name\" value=\""; $form .= $this->GetQname()."\">"; @@ -3142,7 +3166,15 @@ class dnqueue_class extends dummynet_class { } function build_form() { - $form = "<tr><td valign=\"top\" class=\"vncellreq\"><br><span class=\"vexpl\">Name</span></td>"; + $form = "<tr><td valign=\"top\" class=\"vncellreq\"><br>"; + $form .= "Enable/Disable"; + $form .= "</td><td class=\"vncellreq\">"; + $form .= " <input type=\"checkbox\" id=\"enabled\" name=\"enabled\" value=\"on\""; + if ($this->GetEnabled() == "on") + $form .= " CHECKED"; + $form .= " ><span class=\"vexpl\"> Enable/Disable queue and its childs</span>"; + $form .= "</td></tr>"; + $form .= "<tr><td valign=\"top\" class=\"vncellreq\"><br><span class=\"vexpl\">Name</span></td>"; $form .= "<td class=\"vncellreq\">"; $form .= "<input type=\"text\" id=\"name\" name=\"name\" value=\""; $form .= $this->GetQname()."\">"; 
@@ -3355,8 +3387,8 @@ class layer7 { $form = "<tr><td valign=\"top\" class=\"vncellreq\"><br>"; $form .= "Enable/Disable"; $form .= "</td><td class=\"vncellreq\">"; - $form .= " <input type=\"checkbox\" id=\"enabled\" name=\"enabled\""; - if ($this->GetREnabled()) { + $form .= " <input type=\"checkbox\" id=\"enabled\" name=\"enabled\" value=\"on\" "; + if ($this->GetREnabled() == "on") { $form .= "checked = \"CHECKED\""; } $form .= " ><span class=\"vexpl\"> Enable/Disable layer7 Container</span>"; @@ -3443,7 +3475,7 @@ class layer7 { } function delete_l7c() { - mwexec("/bin/pkill -f 'ipfw-classifyd .* -p ". $l7rules->GetRPort() . "'", true); + mwexec("/bin/pkill -f 'ipfw-classifyd .* -p ". $this->GetRPort() . "'", true); unset_l7_object_by_reference($this->GetRName()); cleanup_l7_from_rules($this->GetRName()); } diff --git a/etc/inc/system.inc b/etc/inc/system.inc index d26b1bb..369d181 100644 --- a/etc/inc/system.inc +++ b/etc/inc/system.inc @@ -192,11 +192,21 @@ function system_hosts_generate() { $hosts .= "127.0.0.1 localhost localhost.{$syscfg['domain']}\n"; - $sysiflist = get_configured_interface_list(); - foreach ($sysiflist as $sysif) { - $cfgip = get_interface_ip($sysif); + if ($config['interfaces']['lan']) { + $cfgip = get_interface_ip("lan"); if (is_ipaddr($cfgip)) $hosts .= "{$cfgip} {$syscfg['hostname']}.{$syscfg['domain']} {$syscfg['hostname']}\n"; + } else { + $sysiflist = get_configured_interface_list(); + foreach ($sysiflist as $sysif) { + if (!interface_has_gateway($sysif)) { + $cfgip = get_interface_ip($sysif); + if (is_ipaddr($cfgip)) { + $hosts .= "{$cfgip} {$syscfg['hostname']}.{$syscfg['domain']} {$syscfg['hostname']}\n"; + break; + } + } + } } foreach ($hostscfg as $host) { 
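Review bot: The fix to `$this->GetRPort()` in delete_l7c removes the undefined `$l7rules`, but the port is still interpolated into the `pkill -f` pattern and the shell command without quoting; if the value is not validated as numeric where it is set, a stray quote character terminates the single-quoted string. Quoting the whole pattern removes the concern: `mwexec("/bin/pkill -f " . escapeshellarg("ipfw-classifyd .* -p " . $this->GetRPort()), true);`. The layer7 class continues outside the hunk.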
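Review bot: The new branch in system_hosts_generate prefers the LAN address and otherwise takes the first configured interface without a gateway, stopping at the first match, but nothing explains the choice; a comment at the `if ($config['interfaces']['lan'])` line would help: `/* Prefer LAN for the hostname entry; otherwise use the first interface without a gateway (i.e. not a WAN) that has an address */`. If no interface qualifies, no hostname line is written at all, which is worth stating in the same comment. system_hosts_generate starts and ends outside the hunk.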
@@ -281,7 +291,7 @@ function system_routing_configure() { * gateway setup configured. * Force WAN to be default gateway because that is the 1.2 behavior. */ - log_error("SYSTEM: We do not have a default gateway in our config. Is this configuration damaged?"); + log_error("WARNING: There is no default gateway in the configuration."); if (is_ipaddr($config['interfaces']['wan']['gateway'])) { $gatewayip = $config['interfaces']['wan']['gateway']; mwexec("/sbin/route add default " . escapeshellarg($gatewayip), true); @@ -303,7 +313,7 @@ function system_routing_configure() { } else if (is_ipaddr($rtent['gateway'])) { $gatewayip = $rtent['gateway']; } else { - log_error("Static Routes: Gateway ip could not be found for {$rtent['network']}"); + log_error("Static Routes: Gateway IP could not be found for {$rtent['network']}"); continue; } diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc index 3e53abe..d72e5a6 100644 --- a/etc/inc/upgrade_config.inc +++ b/etc/inc/upgrade_config.inc 
@@ -800,6 +800,34 @@ function upgrade_042_to_043() { function upgrade_043_to_044() { global $config; + + /* migrate static routes to the new gateways config */ + $gateways = return_gateways_array(true); + $i = 0; + if (is_array($config['staticroutes']['route'])) { + foreach ($config['staticroutes']['route'] as $idx => $sroute) { + $found = false; + foreach ($gateways as $gwname => $gw) { + if ($gw['gateway'] == $sroute['gateway']) { + $config['staticroutes']['route'][$idx]['gateway'] = $gwname; + $found = true; + break; + } + } + if ($found == false) { + $gateway = array(); + $gateway['name'] = "SROUTE{$i}"; + $gateway['gateway'] = $sroute['gateway']; + $gateway['interface'] = $sroute['interface']; + $gateway['descr'] = "Upgraded static route for {$sroute['network']}"; + if (!is_array($config['gateways']['gateway_item'])) + $config['gateways']['gateway_item'] = array(); + $config['gateways']['gateway_item'][] = $gateway; + $config['staticroutes']['route'][$idx]['gateway'] = $gateway['name']; + $i++; + } + } + } } 
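Review bot: In upgrade_043_to_044, `$gateways` is captured once before the loop and never updated when a new `SROUTE{$i}` gateway is appended, so two static routes sharing an unknown gateway IP each get their own `SROUTEn` entry instead of the second reusing the first. Add the created entry to the lookup as well: `$gateways[$gateway['name']] = $gateway;` right after it is appended to `$config['gateways']['gateway_item']`. The function body continues outside the hunk.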
@@ -1066,34 +1094,40 @@ function upgrade_046_to_047() { function upgrade_047_to_048() { global $config; - $config['dyndnses']['dyndns'] = array(); - if (isset($config['dyndns']['enable'])) { - $tempdyn = array(); - $tempdyn['enable'] = isset($config['dyndns']['enable']); - $tempdyn['type'] = $config['dyndns']['type']; - $tempdyn['wildcard'] = isset($config['dyndns']['wildcard']); - $tempdyn['usernamefld'] = $config['dyndns']['username']; - $tempdyn['passwordfld'] = $config['dyndns']['password']; - $tempdyn['host'] = $config['dyndns']['host']; - $tempdyn['mx'] = $config['dyndns']['mx']; - $config['dyndnses']['dyndns'][] = $tempdyn; + if (!empty($config['dyndns'])) { + $config['dyndnses'] = array(); + $config['dyndnses']['dyndns'] = array(); + if(isset($config['dyndns'][0]['enable'])) { + $tempdyn = array(); + $tempdyn['enable'] = isset($config['dyndns'][0]['enable']); + $tempdyn['type'] = $config['dyndns'][0]['type']; + $tempdyn['wildcard'] = isset($config['dyndns'][0]['wildcard']); + $tempdyn['usernamefld'] = $config['dyndns'][0]['username']; + $tempdyn['passwordfld'] = $config['dyndns'][0]['password']; + $tempdyn['host'] = $config['dyndns'][0]['host']; + $tempdyn['mx'] = $config['dyndns'][0]['mx']; + $tempdyn['interface'] = "wan"; + $tempdyn['descr'] = "Upgraded Dyndns {$tempdyn['type']}"; + $config['dyndnses']['dyndns'][] = $tempdyn; + } unset($config['dyndns']); } - $config['dnsupdates']['dnsupdate'] = array(); - if (isset($config['dnsupdate']['enable'])) { + if (!empty($config['dnsupdate'])) { + $config['dnsupdates'][0]['dnsupdate'] = array(); $pconfig = array(); - $pconfig['dnsupdate_enable'] = isset($config['dnsupdate']['enable']); - $pconfig['dnsupdate_host'] = $config['dnsupdate']['host']; - $pconfig['dnsupdate_ttl'] = $config['dnsupdate']['ttl']; + $pconfig['dnsupdate_enable'] = isset($config['dnsupdate'][0]['enable']); + $pconfig['dnsupdate_host'] = $config['dnsupdate'][0]['host']; + $pconfig['dnsupdate_ttl'] = $config['dnsupdate'][0]['ttl']; if 
(!$pconfig['dnsupdate_ttl']) $pconfig['dnsupdate_ttl'] = 60; - $pconfig['dnsupdate_keydata'] = $config['dnsupdate']['keydata']; - $pconfig['dnsupdate_keyname'] = $config['dnsupdate']['keyname']; - $pconfig['dnsupdate_keytype'] = $config['dnsupdate']['keytype']; + $pconfig['dnsupdate_keydata'] = $config['dnsupdate'][0]['keydata']; + $pconfig['dnsupdate_keyname'] = $config['dnsupdate'][0]['keyname']; + $pconfig['dnsupdate_keytype'] = $config['dnsupdate'][0]['keytype']; if (!$pconfig['dnsupdate_keytype']) $pconfig['dnsupdate_keytype'] = "zone"; - $pconfig['dnsupdate_server'] = $config['dnsupdate']['server']; - $pconfig['dnsupdate_usetcp'] = isset($config['dnsupdate']['usetcp']); + $pconfig['dnsupdate_server'] = $config['dnsupdate'][0]['server']; + $pconfig['dnsupdate_usetcp'] = isset($config['dnsupdate'][0]['usetcp']); + $pconfig['interface'] = "wan"; $config['dnsupdates']['dnsupdate'][] = $pconfig; unset($config['dnsupdate']); } @@ -1598,9 +1632,10 @@ function upgrade_053_to_054() { } // Unset lbpool if we no longer have any server pools if (count($lbpool_srv_arr) == 0) { - unset($config['load_balancer']['lbpool']); - if(count($config['load_balancer']) == 0) { + if(empty($config['load_balancer'])) { unset($config['load_balancer']); + } else { + unset($config['load_balancer']['lbpool']); } } else { $config['load_balancer']['lbpool'] = $lbpool_srv_arr; @@ -1887,7 +1922,8 @@ function upgrade_061_to_062() { ); if (empty($natent['destination']['address'])) { - $natent['destination']['address'] = $natent['interface'] . 'ip'; + unset($natent['destination']['address']); + $natent['destination']['network'] = $natent['interface'] . 'ip'; } else if ($natent['destination']['address'] == 'any') { unset($natent['destination']['address']); $natent['destination']['any'] = true; 
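Review bot: The dnsupdate branch of upgrade_047_to_048 initialises `$config['dnsupdates'][0]['dnsupdate'] = array();` but the record is appended to `$config['dnsupdates']['dnsupdate'][]`, and the dyndns branch above uses `$config['dyndnses']['dyndns']` with no `[0]`; the `[0]` looks like a typo that leaves a stray empty entry beside the real one. Suggest `$config['dnsupdates']['dnsupdate'] = array();`. The migrated records carry `passwordfld` and `dnsupdate_keydata` over unchanged, which is expected for an upgrade but deserves a one-line comment. The function starts on the previous physical line.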
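Review bot: The reordered cleanup in upgrade_053_to_054 no longer removes an emptied `load_balancer` container: when `lbpool` was its only child, `empty($config['load_balancer'])` is false, `lbpool` is unset, and an empty `load_balancer` array remains, which the old code removed. Keep the old order: `unset($config['load_balancer']['lbpool']); if (empty($config['load_balancer'])) unset($config['load_balancer']);`. The function starts outside the hunk.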
@@ -1902,20 +1938,14 @@ function upgrade_061_to_062() { } function upgrade_062_to_063() { + /* Upgrade legacy Themes to the new pfsense_ng */ global $config; - if (is_array($config['ppps']['ppp']) && count($config['ppps']['ppp'])) { - foreach ($config['ppps']['ppp'] as $pppid => $ppp) { - if (isset($ppp['port'])){ - $config['ppps']['ppp'][$pppid]['ports'] = $ppp['port']; - unset($config['ppps']['ppp'][$pppid]['port']); - } - if (!isset($ppp['type'])){ - $config['ppps']['ppp'][$pppid]['type'] = "ppp"; - } - if (!isset($ppp['ptpid'])){ - $config['ppps']['ppp'][$pppid]['ptpid'] = uniqid('', true); - } - } + + switch($config['theme']) { + case "nervecenter": + $config['theme'] = "pfsense_ng"; + break; } + } ?> diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index 3aba988..f2343e1 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -291,6 +291,13 @@ function vpn_ipsec_configure($ipchg = false) } } + /* add PSKs for mobile clients */ + if (is_array($ipseccfg['mobilekey'])) { + foreach ($ipseccfg['mobilekey'] as $key) { + $pskconf .= "{$key['ident']} {$key['pre-shared-key']}\n"; + } + } + fwrite($fd, $pskconf); fclose($fd); chmod("{$g['varetc_path']}/psk.txt", 0600); @@ -484,10 +491,19 @@ function vpn_ipsec_configure($ipchg = false) $init = "on"; $genp = "off"; + $pcheck = "claim"; + $passive = ""; if (isset($ph1ent['mobile'])) { $rgip = "anonymous"; - $init = "off"; - $genp = "unique"; + /* Mimic 1.2.3's behavior for pure-psk mobile tunnels */ + if ($ph1ent['authentication_method'] == "pre_shared_key") { + $passive = "passive on;"; + $pcheck = "obey"; + $genp = "on"; + } else { + $init = "off"; + $genp = "unique"; + } } $dpdline1 = ''; 
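Review bot: The merge replaces the body of upgrade_062_to_063 (the ppps `port`→`ports`, `type` and `ptpid` migration on the removed side) with the theme rename; if that ppp migration was not re-homed in a later upgrade step on this branch, configs at version 62 will skip it, and the conflict noted in the commit message is in exactly this file, so it is worth confirming. The `switch` with a single `case` reads more simply as `if ($config['theme'] == "nervecenter") $config['theme'] = "pfsense_ng";`.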
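Review bot: For pure-PSK mobile tunnels the new branch in vpn_ipsec_configure sets `proposal_check obey`, which makes racoon accept the initiator's proposal (lifetime included) rather than enforce the configured values, and `generate_policy on`; the comment only says this mimics 1.2.3. Spell the trade-off out at the `$pcheck = "obey";` line, e.g. `/* obey: accept the initiator's lifetime/proposal instead of ours; needed for PSK mobile clients, deliberately looser than "claim" */`. vpn_ipsec_configure starts and ends outside the hunk.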
@@ -551,6 +567,11 @@ function vpn_ipsec_configure($ipchg = false) if ($ph1ent['lifetime']) $lifeline = "lifetime time {$ph1ent['lifetime']} secs;"; + /* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */ + if (!(($ph1ent['authentication_method'] == "pre_shared_key") && isset($ph1ent['mobile']))) { + $peerid_spec = "peers_identifier {$peerid_type} {$peerid_data};"; + } + /* add remote section to configuration */ $racoonconf .=<<<EOD @@ -560,7 +581,7 @@ remote {$rgip} ph1id {$ikeid}; exchange_mode {$ph1ent['mode']}; my_identifier {$myid_type} {$myid_data}; - peers_identifier {$peerid_type} {$peerid_data}; + {$peerid_spec} ike_frag on; generate_policy = {$genp}; initial_contact = {$init}; @@ -569,7 +590,8 @@ remote {$rgip} {$dpdline1} {$dpdline2} support_proxy on; - proposal_check claim; + proposal_check {$pcheck}; + {$passive} proposal { @@ -611,7 +633,8 @@ EOD; $localid_type = $ph2ent['localid']['type']; $localid_data = ipsec_idinfo_to_cidr($ph2ent['localid']); - if ($localid_type == "none") + /* Do not print localid in some cases, such as a pure-psk mobile tunnel */ + if (($localid_type == "none") || ($ph1ent['authentication_method'] == "pre_shared_key") && isset($ph1ent['mobile'])) $localid_spec = " "; else if ($localid_type != "address") { $localid_type = "subnet"; diff --git a/etc/inc/xmlparse.inc b/etc/inc/xmlparse.inc index 3dac5a7..22cb5d6 100644 --- a/etc/inc/xmlparse.inc +++ b/etc/inc/xmlparse.inc @@ -47,7 +47,7 @@ function listtags() { "option ppp package passthrumac phase1 phase2 priv proxyarpnet qinqentry queue ". "pages pipe roll route row rrddatafile rule schedule service servernat servers ". "serversdisabled earlyshellcmd shellcmd staticmap subqueue timerange ". - "tunnel user vip virtual_server vlan winsserver wolentry widget " + "tunnel user vip virtual_server vlan winsserver wolentry widget" ); return $ret; } diff --git a/etc/inc/xmlreader.inc b/etc/inc/xmlreader.inc index dd6eb9a..41f2938 100644 --- a/etc/inc/xmlreader.inc 
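Review bot: `$peerid_spec` is assigned only when the tunnel is not a mobile PSK one and nothing resets it beforehand, so for a mobile PSK entry the `{$peerid_spec}` placeholder in the remote block of the following hunk (`@@ -560`) expands either to an undefined variable or, if `$ph1ent` is produced by a loop over the phase 1 entries (the hunk does not show this), to the `peers_identifier` line left over from the previous entry, attaching the wrong peer ID to the mobile remote block. `$pcheck` and `$passive` are initialized earlier in this function before being conditionally overridden, and `$peerid_spec` should follow that pattern: `$peerid_spec = '';` immediately before the `if`. The enclosing function extends beyond the hunk.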
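Review bot: The new localid condition depends on `&&` binding tighter than `||`: `($localid_type == "none") || ($ph1ent['authentication_method'] == "pre_shared_key") && isset($ph1ent['mobile'])` is evaluated as intended (`none`, or mobile-and-PSK), but parenthesizing only the middle comparison suggests a different grouping and invites a misread. Writing the grouping explicitly, `if (($localid_type == "none") || (($ph1ent['authentication_method'] == "pre_shared_key") && isset($ph1ent['mobile'])))`, makes the intent stated in the comment above it visible in the code. The phase 2 loop this sits in starts and ends outside the hunk.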
+++ b/etc/inc/xmlreader.inc @@ -40,19 +40,19 @@ function listtags() { * I know it's a pain, but it's a pain to find stuff too if it's not */ $ret = explode(" ", - "alias aliasurl allowedip authserver bridged ca cacert cert clone config ". - "container columnitem depends_on_package disk dnsserver dnsupdate ". - "domainoverrides dyndns earlyshellcmd element encryption-algorithm-option ". - "field fieldname hash-algorithm-option gateway_item gateway_group gif gre ". - "group hosts member ifgroupentry igmpentry interface_array item key lagg " . - "lbaction lbpool l7rules lbprotocol ". - "member menu tab mobilekey monitor_type mount ntpserver onetoone ". - "openvpn-server openvpn-client openvpn-csc " . - "option ppp package passthrumac phase1 phase2 priv proxyarpnet qinqentry queue ". - "pages pipe roll route row rrddatafile rule schedule service servernat servers ". - "serversdisabled earlyshellcmd shellcmd staticmap subqueue timerange ". - "tunnel user vip virtual_server vlan winsserver wolentry widget " - ); + "alias aliasurl allowedip authserver bridged ca cacert cert clone config ". + "container columnitem depends_on_package disk dnsserver dnsupdate ". + "domainoverrides dyndns earlyshellcmd element encryption-algorithm-option ". + "field fieldname hash-algorithm-option gateway_item gateway_group gif gre ". + "group hosts member ifgroupentry igmpentry interface_array item key lagg " . + "lbaction lbpool l7rules lbprotocol ". + "member menu tab mobilekey monitor_type mount ntpserver onetoone ". + "openvpn-server openvpn-client openvpn-csc " . + "option ppp package passthrumac phase1 phase2 priv proxyarpnet qinqentry queue ". + "pages pipe roll route row rrddatafile rule schedule service servernat servers ". + "serversdisabled earlyshellcmd shellcmd staticmap subqueue timerange ". + "tunnel user vip virtual_server vlan winsserver wolentry widget" + ); return array_flip($ret); } 
@@ -68,36 +68,30 @@ function add_elements(&$cfgarray, &$parser) { while ($parser->read()) { switch ($parser->nodeType) { case XMLReader::WHITESPACE: - //$type = "WHITESPACE"; - break; case XMLReader::SIGNIFICANT_WHITESPACE: - //$type = "SIGNIFICANT_WHITESPACE"; break; case XMLReader::ELEMENT: - if ($parser->isEmptyElement) { - $cfgarray[$parser->name] = ""; - } else { - if (isset($listtags[$parser->name])) + if (isset($listtags[strtolower($parser->name)])) { + if (!$parser->isEmptyElement) add_elements($cfgarray[$parser->name][], $parser); - else { - add_elements($cfgarray[$parser->name], $parser); - if (!isset($cfgarray[$parser->name])) - $cfgarray[$parser->name] = array(); - } - } + } else { + if ($parser->isEmptyElement) + $cfgarray[$parser->name] = ""; + else + add_elements($cfgarray[$parser->name], $parser); + } break; case XMLReader::TEXT: case XMLReader::CDATA: $cfgarray = $parser->value; break; case XMLReader::END_ELEMENT: - return; - break; + return; + break; default: break; } - - } + } } function parse_xml_config($cffile, $rootobj, $isstring = "false") { @@ -108,6 +102,7 @@ function parse_xml_config($cffile, $rootobj, $isstring = "false") { $listtags[$tag] = $tag; } } + return parse_xml_config_raw($cffile, $rootobj); } @@ -127,7 +122,7 @@ function parse_xml_config_raw($cffile, $rootobj, $isstring = "false") { $parsedcfg = array(); $par = new XMLReader(); - if ($par->open($cffile)) { + if ($par->open($cffile, "UTF-8", LIBXML_NOERROR | LIBXML_NOWARNING)) { add_elements($parsedcfg, $par); $par->close(); } else 
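Review bot: The list-tag lookup in add_elements now lowercases the element name, `isset($listtags[strtolower($parser->name)])`, but the key it then writes is the unlowered `$parser->name`, so `<Alias>` and `<alias>` would both be treated as list tags yet land under different keys in `$cfgarray`. This mirrors the writer side (`$listtags[strtolower($ent)]` with `$ent` written as-is) and is presumably deliberate; a one-line comment, `/* list-tag check is case-insensitive; the array key keeps the document's case */`, would spare the next reader the same question. The `break` after `return;` under `END_ELEMENT` is unreachable and can go.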
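Review bot: Opening the reader with `LIBXML_NOERROR | LIBXML_NOWARNING` silences every parse diagnostic, while the only failure the code checks is `$par->open()` returning false; a truncated or malformed config.xml now makes `read()` stop early inside add_elements and `parse_xml_config_raw` returns whatever subset was parsed as if it were the whole configuration, with nothing logged. Since this array becomes the running firewall configuration, a silent partial parse is worse than a visible error: dropping the two flags in favour of `libxml_use_internal_errors(true);` before `open()` keeps the output quiet while leaving the errors retrievable, and checking `libxml_get_errors()` after `add_elements()` (logging, or refusing the partial result) restores the signal. The `else` branch and the rest of the function are outside the hunk.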
@@ -136,53 +131,45 @@ function parse_xml_config_raw($cffile, $rootobj, $isstring = "false") { return $parsedcfg[$rootobj]; } -function dump_xml_config_sub($arr, $indent) { - - global $listtags; - - $xmlconfig = ""; - - foreach ($arr as $ent => $val) { - if (is_array($val)) { - /* is it just a list of multiple values? */ - if (isset($listtags[strtolower($ent)])) { - foreach ($val as $cval) { - if (is_array($cval)) { - $xmlconfig .= str_repeat("\t", $indent); - $xmlconfig .= "<$ent>\n"; - $xmlconfig .= dump_xml_config_sub($cval, $indent + 1); - $xmlconfig .= str_repeat("\t", $indent); - $xmlconfig .= "</$ent>\n"; - } else { - $xmlconfig .= str_repeat("\t", $indent); - if($cval === false) continue; - if(($cval === true) || ($cval === "")) { - $xmlconfig .= "<$ent/>\n"; - } else { - $xmlconfig .= "<$ent>" . htmlspecialchars($cval) . "</$ent>\n"; - } - } - } - } else { - /* it's an array */ - $xmlconfig .= str_repeat("\t", $indent); - $xmlconfig .= "<$ent>\n"; - $xmlconfig .= dump_xml_config_sub($val, $indent + 1); - $xmlconfig .= str_repeat("\t", $indent); - $xmlconfig .= "</$ent>\n"; - } - } else { - if ((is_bool($val) && ($val == true)) || ($val === "")) { - $xmlconfig .= str_repeat("\t", $indent); - $xmlconfig .= "<$ent/>\n"; - } else if (!is_bool($val)) { - $xmlconfig .= str_repeat("\t", $indent); - $xmlconfig .= "<$ent>" . htmlspecialchars($val) . "</$ent>\n"; - } - } - } +function dump_xml_config_sub(& $writer, $arr) { + global $listtags; - return $xmlconfig; + foreach ($arr as $ent => $val) { + if (is_array($val)) { + /* is it just a list of multiple values? 
*/ + if (isset($listtags[strtolower($ent)])) { + foreach ($val as $cval) { + if (is_array($cval)) { + if (empty($cval)) + $writer->writeElement($ent); + else { + $writer->startElement($ent); + dump_xml_config_sub($writer, $cval); + $writer->endElement(); + } + } else { + if($cval === false) continue; + if ((is_bool($val) && ($val == true)) || ($val === "")) + $writer->writeElement($ent); + else if (!is_bool($val)) + $writer->writeElement($ent, $cval); + } + } + } else if (empty($val)) { + $writer->writeElement($ent); + } else { + /* it's an array */ + $writer->startElement($ent); + dump_xml_config_sub($writer, $val); + $writer->endElement(); + } + } else { + if ((is_bool($val) && ($val == true)) || ($val === "")) + $writer->writeElement($ent); + else if (!is_bool($val)) + $writer->writeElement($ent, $val); + } + } } function dump_xml_config($arr, $rootobj) { @@ -209,14 +196,19 @@ function dump_xml_config_pkg($arr, $rootobj) { function dump_xml_config_raw($arr, $rootobj) { - $xmlconfig = "<?xml version=\"1.0\"?" . ">\n"; - $xmlconfig .= "<$rootobj>\n"; - - $xmlconfig .= dump_xml_config_sub($arr, 1); + $writer = new XMLWriter(); + $writer->openMemory(); + $writer->setIndent(true); + $writer->setIndentString("\t"); + $writer->startDocument("1.0", "UTF-8"); + $writer->startElement($rootobj); - $xmlconfig .= "</$rootobj>\n"; + dump_xml_config_sub($writer, $arr); - return $xmlconfig; + $writer->endElement(); + $writer->endDocument(); + $xmlconfig = $writer->outputMemory(true); + return $xmlconfig; } ?> |
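Review bot: In the rewritten dump_xml_config_sub the scalar branch of the list loop tests the wrong variable: `if ((is_bool($val) && ($val == true)) || ($val === ""))` and `else if (!is_bool($val))` examine `$val`, which is the whole list array at that point, so the first test is always false and the second always true, and a boolean `true` list member is serialized as `<ent>1</ent>` through `writeElement($ent, true)` instead of the empty element the removed code produced (it tested `$cval` here). Both lines should read `$cval`: `if ((is_bool($cval) && ($cval == true)) || ($cval === ""))` and `else if (!is_bool($cval))`. The hunk opens inside parse_xml_config_raw, whose start is outside it.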
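Review bot: dump_xml_config_raw now emits an `encoding="UTF-8"` declaration through `startDocument("1.0", "UTF-8")` where the removed code wrote none, and the matching reader change passes "UTF-8" to `XMLReader::open()`; configurations that already contain non-UTF-8 bytes in free-text fields (descriptions entered under an older release, for instance) previously round-tripped as raw bytes and may now be rejected or rewritten by libxml, which is an inference from the declaration alone and worth confirming against such a config before this ships. Minor style: `$xmlconfig = $writer->outputMemory(true); return $xmlconfig;` can simply be `return $writer->outputMemory(true);`.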