diff options
| author | Vinicius Coque <vinicius.coque@bluepex.com> | 2011-01-28 17:32:17 -0200 |
|---|---|---|
| committer | Vinicius Coque <vinicius.coque@bluepex.com> | 2011-01-28 17:32:17 -0200 |
| commit | 9d3d8d005ec74d6108aa423c7ad09e0b58951127 (patch) | |
| tree | f765cfb57d7d75ac2af8fa6b975ea953b557bdfc /etc/inc | |
| parent | b638ef519a8e1ad3e843c55e091fc2649e834797 (diff) | |
| parent | 1596d9c17349f47ef06defa5c44333db0158a110 (diff) | |
| download | pfsense-9d3d8d005ec74d6108aa423c7ad09e0b58951127.zip pfsense-9d3d8d005ec74d6108aa423c7ad09e0b58951127.tar.gz | |
Merge branch 'master' into inc
Conflicts:
etc/inc/captiveportal.inc
etc/inc/config.console.inc
etc/inc/config.lib.inc
etc/inc/easyrule.inc
etc/inc/filter.inc
etc/inc/ipsec.inc
etc/inc/pkg-utils.inc
etc/inc/shaper.inc
etc/inc/system.inc
etc/inc/voucher.inc
Diffstat (limited to 'etc/inc')
38 files changed, 2523 insertions, 877 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc index 2a0e7d9..6942223 100644 --- a/etc/inc/auth.inc +++ b/etc/inc/auth.inc @@ -130,6 +130,10 @@ if(function_exists("display_error_form") && !isset($config['system']['webgui'][' break; } } + if($referrer_host == "127.0.0.1" || $referrer_host == "localhost") { + // allow SSH port forwarded connections and links from localhost + $found_host = true; + } } } if($found_host == false) { @@ -406,7 +410,7 @@ function local_user_set(& $user) { /* create user directory if required */ if (!is_dir($user_home)) { mkdir($user_home, 0700); - mwexec("cp /root/.* {$home_base}/"); + mwexec("/bin/cp /root/.* {$home_base}/", true); } chown($user_home, $user_name); chgrp($user_home, $user_group); diff --git a/etc/inc/basic_sasl_client.inc b/etc/inc/basic_sasl_client.inc new file mode 100644 index 0000000..b2972b5 --- /dev/null +++ b/etc/inc/basic_sasl_client.inc @@ -0,0 +1,61 @@ +<?php +/* + * basic_sasl_client.php + * + * @(#) $Id: basic_sasl_client.php,v 1.1 2004/11/17 08:01:23 mlemos Exp $ + * + */ + +define("SASL_BASIC_STATE_START", 0); +define("SASL_BASIC_STATE_DONE", 1); + +class basic_sasl_client_class +{ + var $credentials=array(); + var $state=SASL_BASIC_STATE_START; + + Function Initialize(&$client) + { + return(1); + } + + Function Start(&$client, &$message, &$interactions) + { + if($this->state!=SASL_BASIC_STATE_START) + { + $client->error="Basic authentication state is not at the start"; + return(SASL_FAIL); + } + $this->credentials=array( + "user"=>"", + "password"=>"" + ); + $defaults=array( + ); + $status=$client->GetCredentials($this->credentials,$defaults,$interactions); + if($status==SASL_CONTINUE) + { + $message=$this->credentials["user"].":".$this->credentials["password"]; + $this->state=SASL_BASIC_STATE_DONE; + } + else + Unset($message); + return($status); + } + + Function Step(&$client, $response, &$message, &$interactions) + { + switch($this->state) + { + case SASL_BASIC_STATE_DONE: + $client->error="Basic authentication was finished without success"; + return(SASL_FAIL); + default: + $client->error="invalid Basic authentication step state"; + return(SASL_FAIL); + } + return(SASL_CONTINUE); + } +}; + +?>
\ No newline at end of file diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc index 5bf7579..4a3b80d 100644 --- a/etc/inc/captiveportal.inc +++ b/etc/inc/captiveportal.inc @@ -2,12 +2,11 @@ /* captiveportal.inc part of pfSense (http://www.pfSense.org) - - originally part of m0n0wall (http://m0n0.ch/wall) - - Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com> + Copyright (C) 2004-2011 Scott Ullrich <sullrich@gmail.com> Copyright (C) 2009 Ermal Luçi <ermal.luci@gmail.com> Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + + originally part of m0n0wall (http://m0n0.ch/wall) All rights reserved. Redistribution and use in source and binary forms, with or without @@ -38,9 +37,9 @@ These changes are (c) 2004 Keycom PLC. pfSense_BUILDER_BINARIES: /sbin/ipfw /sbin/sysctl /sbin/kldunload - pfSense_BUILDER_BINARIES: /usr/local/sbin/lighttpd /usr/local/bin/minicron /sbin/pfctl - pfSense_BUILDER_BINARIES: /bin/hostname /bin/cp - pfSense_MODULE: captiveportal + pfSense_BUILDER_BINARIES: /usr/local/sbin/lighttpd /usr/local/bin/minicron /sbin/pfctl + pfSense_BUILDER_BINARIES: /bin/hostname /bin/cp + pfSense_MODULE: captiveportal */ /* include all configuration functions */ @@ -74,8 +73,8 @@ function get_default_captive_portal_html() { <div id="mainlevel"> <center> <table width="100%" border="0" cellpadding="5" cellspacing="0"> - <tr> - <td> + <tr> + <td> <center> <div id="mainarea"> <center> @@ -100,7 +99,7 @@ function get_default_captive_portal_html() { </div> </center> </div> - </td> + </td> </tr> </table> </center> @@ -145,14 +144,14 @@ EOD; <div id="mainlevel"> <center> <table width="100%" border="0" cellpadding="5" cellspacing="0"> - <tr> - <td> + <tr> + <td> <center> <div id="mainarea"> <center> <table width="100%" border="0" cellpadding="5" cellspacing="5"> <tr> - <td> + <td> <div id="maindivarea"> <center> <div id='statusbox'> @@ -171,15 +170,15 @@ EOD; <tr><td align="right">Password:</td><td><input name="auth_pass" type="password" style="border: 1px dashed;"></td></tr> <tr><td> </td></tr> <tr> - <td colspan="2"> + <td colspan="2"> <center><input name="accept" type="submit" value="Continue"></center> - </td> + </td> </tr> </table> </div> </center> </div> - </td> + </td> </tr> </table> </center> @@ -206,7 +205,7 @@ EOD; function captiveportal_configure() { global $config, $g; - $captiveportallck = lock('captiveportal'); + $captiveportallck = lock('captiveportal', LOCK_EX); if (isset($config['captiveportal']['enable'])) { @@ -233,13 +232,14 @@ function captiveportal_configure() { captiveportal_init_rules(true); /* stop accounting on all clients */ - captiveportal_radius_stop_all(true); + captiveportal_radius_stop_all(); /* initialize minicron interval value */ $croninterval = $config['captiveportal']['croninterval'] ? $config['captiveportal']['croninterval'] : 60; /* double check if the $croninterval is numeric and at least 10 seconds. If not we set it to 60 to avoid problems */ - if ((!is_numeric($croninterval)) || ($croninterval < 10)) { $croninterval = 60; } + if ((!is_numeric($croninterval)) || ($croninterval < 10)) + $croninterval = 60; /* write portal page */ if ($config['captiveportal']['page']['htmltext']) @@ -259,6 +259,10 @@ function captiveportal_configure() { $htmltext = str_replace("\$CLIENT_IP\$", "#CLIENT_IP#", $htmltext); $htmltext = str_replace("\$ORIGINAL_PORTAL_IP\$", "#ORIGINAL_PORTAL_IP#", $htmltext); $htmltext = str_replace("\$PORTAL_ACTION\$", "#PORTAL_ACTION#", $htmltext); + if($config['captiveportal']['preauthurl']) { + $htmltext = str_replace("\$PORTAL_REDIRURL\$", "{$config['captiveportal']['preauthurl']}", $htmltext); + $htmltext = str_replace("#PORTAL_REDIRURL#", "{$config['captiveportal']['preauthurl']}", $htmltext); + } fwrite($fd, $htmltext); fclose($fd); } @@ -289,14 +293,14 @@ function captiveportal_configure() { <div id="mainlevel"> <center> <table width="100%" border="0" cellpadding="5" cellspacing="0"> - <tr> - <td> + <tr> + <td> <center> <div id="mainarea"> <center> <table width="100%" border="0" cellpadding="5" cellspacing="5"> <tr> - <td> + <td> <div id="maindivarea"> <center> <div id='statusbox'> @@ -315,15 +319,15 @@ function captiveportal_configure() { <tr><td align="right">Password:</td><td><input name="auth_pass" type="password" style="border: 1px dashed;"></td></tr> <tr><td> </td></tr> <tr> - <td colspan="2"> + <td colspan="2"> <center><input name="accept" type="submit" value="Continue"></center> - </td> + </td> </tr> </table> </div> </center> </div> - </td> + </td> </tr> </table> </center> @@ -355,6 +359,10 @@ EOD; $errtext = str_replace("\$CLIENT_IP\$", "#CLIENT_IP#", $errtext); $errtext = str_replace("\$ORIGINAL_PORTAL_IP\$", "#ORIGINAL_PORTAL_IP#", $errtext); $errtext = str_replace("\$PORTAL_ACTION\$", "#PORTAL_ACTION#", $errtext); + if($config['captiveportal']['preauthurl']) { + $errtext = str_replace("\$PORTAL_REDIRURL\$", "{$config['captiveportal']['preauthurl']}", $errtext); + $errtext = str_replace("#PORTAL_REDIRURL#", "{$config['captiveportal']['preauthurl']}", $errtext); + } fwrite($fd, $errtext); fclose($fd); } @@ -375,18 +383,18 @@ EOD; <!-- LogoutWin = window.open('', 'Logout', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=256,height=64'); if (LogoutWin) { - LogoutWin.document.write('<HTML>'); - LogoutWin.document.write('<HEAD><TITLE>Logout</TITLE></HEAD>') ; - LogoutWin.document.write('<BODY BGCOLOR="#435370">'); - LogoutWin.document.write('<DIV ALIGN="center" STYLE="color: #ffffff; font-family: Tahoma, Verdana, Arial, Helvetica, sans-serif; font-size: 11px;">') ; - LogoutWin.document.write('<B>Click the button below to disconnect</B><P>'); - LogoutWin.document.write('<FORM METHOD="POST" ACTION="<?=\$logouturl;?>">'); - LogoutWin.document.write('<INPUT NAME="logout_id" TYPE="hidden" VALUE="<?=\$sessionid;?>">'); - LogoutWin.document.write('<INPUT NAME="logout" TYPE="submit" VALUE="Logout">'); - LogoutWin.document.write('</FORM>'); - LogoutWin.document.write('</DIV></BODY>'); - LogoutWin.document.write('</HTML>'); - LogoutWin.document.close(); + LogoutWin.document.write('<HTML>'); + LogoutWin.document.write('<HEAD><TITLE>Logout</TITLE></HEAD>') ; + LogoutWin.document.write('<BODY BGCOLOR="#435370">'); + LogoutWin.document.write('<DIV ALIGN="center" STYLE="color: #ffffff; font-family: Tahoma, Verdana, Arial, Helvetica, sans-serif; font-size: 11px;">') ; + LogoutWin.document.write('<B>Click the button below to disconnect</B><P>'); + LogoutWin.document.write('<FORM METHOD="POST" ACTION="<?=\$logouturl;?>">'); + LogoutWin.document.write('<INPUT NAME="logout_id" TYPE="hidden" VALUE="<?=\$sessionid;?>">'); + LogoutWin.document.write('<INPUT NAME="logout" TYPE="submit" VALUE="Logout">'); + LogoutWin.document.write('</FORM>'); + LogoutWin.document.write('</DIV></BODY>'); + LogoutWin.document.write('</HTML>'); + LogoutWin.document.close(); } document.location.href="<?=\$my_redirurl;?>"; @@ -414,41 +422,7 @@ EOD; "/etc/rc.prunecaptiveportal"); /* generate radius server database */ - if ($config['captiveportal']['radiusip'] && (!isset($config['captiveportal']['auth_method']) || - ($config['captiveportal']['auth_method'] == "radius"))) { - $radiusip = $config['captiveportal']['radiusip']; - $radiusip2 = ($config['captiveportal']['radiusip2']) ? $config['captiveportal']['radiusip2'] : null; - - if ($config['captiveportal']['radiusport']) - $radiusport = $config['captiveportal']['radiusport']; - else - $radiusport = 1812; - - if ($config['captiveportal']['radiusacctport']) - $radiusacctport = $config['captiveportal']['radiusacctport']; - else - $radiusacctport = 1813; - - if ($config['captiveportal']['radiusport2']) - $radiusport2 = $config['captiveportal']['radiusport2']; - else - $radiusport2 = 1812; - - $radiuskey = $config['captiveportal']['radiuskey']; - $radiuskey2 = ($config['captiveportal']['radiuskey2']) ? $config['captiveportal']['radiuskey2'] : null; - - $fd = @fopen("{$g['vardb_path']}/captiveportal_radius.db", "w"); - if (!$fd) { - printf(gettext("Error: cannot open radius DB file in captiveportal_configure().%s"), "\n"); - return 1; - } else if (isset($radiusip2, $radiuskey2)) { - fwrite($fd,$radiusip . "," . $radiusport . "," . $radiusacctport . "," . $radiuskey . "\n" - . $radiusip2 . "," . $radiusport2 . "," . $radiusacctport . "," . $radiuskey2); - } else { - fwrite($fd,$radiusip . "," . $radiusport . "," . $radiusacctport . "," . $radiuskey); - } - fclose($fd); - } + captiveportal_init_radius_servers(); if ($g['booting']) printf(gettext("done%s"), "\n"); @@ -457,7 +431,7 @@ EOD; killbypid("{$g['varrun_path']}/lighty-CaptivePortal.pid"); killbypid("{$g['varrun_path']}/minicron.pid"); - captiveportal_radius_stop_all(true); + captiveportal_radius_stop_all(); mwexec("/sbin/sysctl net.link.ether.ipfw=0"); @@ -470,7 +444,7 @@ EOD; if (does_interface_exist($listrealif)) { pfSense_interface_flags($listrealif, -IFF_IPFW_FILTER); $carpif = link_ip_to_carp_interface(find_interface_ip($listrealif)); - if (!empty($carpif)) { + if (!empty($carpif)) { $carpsif = explode(" ", $carpif); foreach ($carpsif as $cpcarp) pfSense_interface_flags($cpcarp, -IFF_IPFW_FILTER); @@ -489,7 +463,7 @@ function captiveportal_init_webgui() { global $g, $config; if (!isset($config['captiveportal']['enable'])) - return; + return; if ($config['captiveportal']['maxproc']) $maxproc = $config['captiveportal']['maxproc']; @@ -567,7 +541,7 @@ function captiveportal_init_rules($reinit = false) { if (count($cpips) > 0) { $cpactive = true; $cpinterface = "{ {$cpinterface} } "; - } else + } else return false; if ($reinit == false) @@ -583,7 +557,7 @@ function captiveportal_init_rules($reinit = false) { if (!is_module_loaded("dummynet.ko")) mwexec("/sbin/kldload dummynet"); - $cprules = "add 65291 set 1 allow pfsync from any to any\n"; + $cprules = "add 65291 set 1 allow pfsync from any to any\n"; $cprules .= "add 65292 set 1 allow carp from any to any\n"; $cprules .= <<<EOD @@ -652,12 +626,12 @@ EOD; $rulenum++; } else { $cprules .= "add {$rulenum} set 1 allow ip from table(1) to any in\n"; - $rulenum++; - $cprules .= "add {$rulenum} set 1 allow ip from any to table(2) out\n"; - $rulenum++; + $rulenum++; + $cprules .= "add {$rulenum} set 1 allow ip from any to table(2) out\n"; + $rulenum++; } - $cprules .= <<<EOD + $cprules .= <<<EOD # redirect non-authenticated clients to captive portal add 65531 set 1 fwd 127.0.0.1,8000 tcp from any to any in @@ -673,9 +647,13 @@ EOD; /* generate passthru mac database */ $cprules .= captiveportal_passthrumac_configure(true); $cprules .= "\n"; + /* allowed ipfw rules to make allowed ip work */ $cprules .= captiveportal_allowedip_configure(); + /* allowed ipfw rules to make allowed hostnames work */ + $cprules .= captiveportal_allowedhostname_configure(); + /* load rules */ if ($reinit == true) $cprules = "table all flush\nflush\n{$cprules}"; @@ -694,179 +672,173 @@ EOD; file_put_contents("{$g['tmp_path']}/ipfw.cp.rules", $cprules); mwexec("/sbin/ipfw -q {$g['tmp_path']}/ipfw.cp.rules", true); - @unlink("{$g['tmp_path']}/ipfw.cp.rules"); + //@unlink("{$g['tmp_path']}/ipfw.cp.rules"); if ($reinit == false) unlock($captiveportallck); - /* filter on layer2 as well so we can check MAC addresses */ mwexec("/sbin/sysctl net.link.ether.ipfw=1"); return $cprules; } -/* remove clients that have been around for longer than the specified amount of time */ -/* db file structure: -timestamp,ipfw_rule_no,clientip,clientmac,username,sessionid,password,session_timeout,idle_timeout,session_terminate_time */ - -/* (password is in Base64 and only saved when reauthentication is enabled) */ +/* remove clients that have been around for longer than the specified amount of time + * db file structure: + * timestamp,ipfw_rule_no,clientip,clientmac,username,sessionid,password,session_timeout,idle_timeout,session_terminate_time + * (password is in Base64 and only saved when reauthentication is enabled) + */ function captiveportal_prune_old() { + global $g, $config; + + /* check for expired entries */ + if (empty($config['captiveportal']['timeout']) || + !is_numeric($config['captiveportal']['timeout'])) + $timeout = 0; + else + $timeout = $config['captiveportal']['timeout'] * 60; + + if (empty($config['captiveportal']['idletimeout']) || + !is_numeric($config['captiveportal']['idletimeout'])) + $idletimeout = 0; + else + $idletimeout = $config['captiveportal']['idletimeout'] * 60; + + if (!$timeout && !$idletimeout && !isset($config['captiveportal']['reauthenticate']) && + !isset($config['captiveportal']['radiussession_timeout']) && !isset($config['voucher']['enable'])) + return; + + /* read database */ + $cpdb = captiveportal_read_db(); - global $g, $config; - - /* check for expired entries */ - if ($config['captiveportal']['timeout']) - $timeout = $config['captiveportal']['timeout'] * 60; - else - $timeout = 0; - - if ($config['captiveportal']['idletimeout']) - $idletimeout = $config['captiveportal']['idletimeout'] * 60; - else - $idletimeout = 0; - - if (!$timeout && !$idletimeout && !isset($config['captiveportal']['reauthenticate']) && - !isset($config['captiveportal']['radiussession_timeout']) && !isset($config['voucher']['enable'])) - return; - - $captiveportallck = lock('captiveportal'); - - /* read database */ - $cpdb = captiveportal_read_db(); - - $radiusservers = captiveportal_get_radius_servers(); - - /* To make sure we iterate over ALL accounts on every run the count($cpdb) is moved - * outside of the loop. Otherwise the loop would evaluate count() on every iteration - * and since $i would increase and count() would decrement they would meet before we - * had a chance to iterate over all accounts. - */ - $unsetindexes = array(); - $no_users = count($cpdb); - for ($i = 0; $i < $no_users; $i++) { - - $timedout = false; - $term_cause = 1; - - /* hard timeout? */ - if ($timeout) { - if ((time() - $cpdb[$i][0]) >= $timeout) { - $timedout = true; - $term_cause = 5; // Session-Timeout - } - } - - /* Session-Terminate-Time */ - if (!$timedout && !empty($cpdb[$i][9])) { - if (time() >= $cpdb[$i][9]) { - $timedout = true; - $term_cause = 5; // Session-Timeout - } - } - - /* check if the radius idle_timeout attribute has been set and if its set change the idletimeout to this value */ - $idletimeout = (is_numeric($cpdb[$i][8])) ? $cpdb[$i][8] : $idletimeout; - /* if an idle timeout is specified, get last activity timestamp from ipfw */ - if (!$timedout && $idletimeout) { - $lastact = captiveportal_get_last_activity($cpdb[$i][2]); - /* If the user has logged on but not sent any traffic they will never be logged out. - * We "fix" this by setting lastact to the login timestamp. + $radiusservers = captiveportal_get_radius_servers(); + + /* To make sure we iterate over ALL accounts on every run the count($cpdb) is moved + * outside of the loop. Otherwise the loop would evaluate count() on every iteration + * and since $i would increase and count() would decrement they would meet before we + * had a chance to iterate over all accounts. + */ + $unsetindexes = array(); + $no_users = count($cpdb); + for ($i = 0; $i < $no_users; $i++) { + + $timedout = false; + $term_cause = 1; + + /* hard timeout? */ + if ($timeout) { + if ((time() - $cpdb[$i][0]) >= $timeout) { + $timedout = true; + $term_cause = 5; // Session-Timeout + } + } + + /* Session-Terminate-Time */ + if (!$timedout && !empty($cpdb[$i][9])) { + if (time() >= $cpdb[$i][9]) { + $timedout = true; + $term_cause = 5; // Session-Timeout + } + } + + /* check if the radius idle_timeout attribute has been set and if its set change the idletimeout to this value */ + $uidletimeout = (is_numeric($cpdb[$i][8])) ? $cpdb[$i][8] : $idletimeout; + /* if an idle timeout is specified, get last activity timestamp from ipfw */ + if (!$timedout && $uidletimeout) { + $lastact = captiveportal_get_last_activity($cpdb[$i][2]); + /* If the user has logged on but not sent any traffic they will never be logged out. + * We "fix" this by setting lastact to the login timestamp. */ $lastact = $lastact ? $lastact : $cpdb[$i][0]; - if ($lastact && ((time() - $lastact) >= $idletimeout)) { - $timedout = true; - $term_cause = 4; // Idle-Timeout - $stop_time = $lastact; // Entry added to comply with WISPr - } - } - - /* if vouchers are configured, activate session timeouts */ - if (!$timedout && isset($config['voucher']['enable']) && !empty($cpdb[$i][7])) { - if (time() >= ($cpdb[$i][0] + $cpdb[$i][7])) { - $timedout = true; - $term_cause = 5; // Session-Timeout + if ($lastact && ((time() - $lastact) >= $uidletimeout)) { + $timedout = true; + $term_cause = 4; // Idle-Timeout + $stop_time = $lastact; // Entry added to comply with WISPr + } } - } - /* if radius session_timeout is enabled and the session_timeout is not null, then check if the user should be logged out */ - if (!$timedout && isset($config['captiveportal']['radiussession_timeout']) && !empty($cpdb[$i][7])) { - if (time() >= ($cpdb[$i][0] + $cpdb[$i][7])) { - $timedout = true; - $term_cause = 5; // Session-Timeout - } - } - - if ($timedout) { - captiveportal_disconnect($cpdb[$i], $radiusservers,$term_cause,$stop_time); - captiveportal_logportalauth($cpdb[$i][4], $cpdb[$i][3], $cpdb[$i][2], "TIMEOUT"); - $unsetindexes[$i] = $i; - } - - /* do periodic RADIUS reauthentication? */ - if (!$timedout && isset($config['captiveportal']['reauthenticate']) && - !empty($radiusservers)) { - - if (isset($config['captiveportal']['radacct_enable'])) { - if ($config['captiveportal']['reauthenticateacct'] == "stopstart") { - /* stop and restart accounting */ - RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno - $cpdb[$i][4], // username - $cpdb[$i][5], // sessionid - $cpdb[$i][0], // start time - $radiusservers, - $cpdb[$i][2], // clientip - $cpdb[$i][3], // clientmac - 10); // NAS Request - exec("/sbin/ipfw table 1 entryzerostats {$cpdb[$i][2]}"); - exec("/sbin/ipfw table 2 entryzerostats {$cpdb[$i][2]}"); - RADIUS_ACCOUNTING_START($cpdb[$i][1], // ruleno - $cpdb[$i][4], // username - $cpdb[$i][5], // sessionid - $radiusservers, - $cpdb[$i][2], // clientip - $cpdb[$i][3]); // clientmac - } else if ($config['captiveportal']['reauthenticateacct'] == "interimupdate") { - RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno - $cpdb[$i][4], // username - $cpdb[$i][5], // sessionid - $cpdb[$i][0], // start time - $radiusservers, - $cpdb[$i][2], // clientip - $cpdb[$i][3], // clientmac - 10, // NAS Request - true); // Interim Updates - } - } - - /* check this user against RADIUS again */ - $auth_list = RADIUS_AUTHENTICATION($cpdb[$i][4], // username - base64_decode($cpdb[$i][6]), // password - $radiusservers, - $cpdb[$i][2], // clientip - $cpdb[$i][3], // clientmac - $cpdb[$i][1]); // ruleno - - if ($auth_list['auth_val'] == 3) { - captiveportal_disconnect($cpdb[$i], $radiusservers, 17); - captiveportal_logportalauth($cpdb[$i][4], $cpdb[$i][3], $cpdb[$i][2], "RADIUS_DISCONNECT", $auth_list['reply_message']); - $unsetindexes[$i] = $i; - } - } - } - /* This is a kludge to overcome some php weirdness */ - foreach($unsetindexes as $unsetindex) - unset($cpdb[$unsetindex]); + /* if vouchers are configured, activate session timeouts */ + if (!$timedout && isset($config['voucher']['enable']) && !empty($cpdb[$i][7])) { + if (time() >= ($cpdb[$i][0] + $cpdb[$i][7])) { + $timedout = true; + $term_cause = 5; // Session-Timeout + } + } + + /* if radius session_timeout is enabled and the session_timeout is not null, then check if the user should be logged out */ + if (!$timedout && isset($config['captiveportal']['radiussession_timeout']) && !empty($cpdb[$i][7])) { + if (time() >= ($cpdb[$i][0] + $cpdb[$i][7])) { + $timedout = true; + $term_cause = 5; // Session-Timeout + } + } + + if ($timedout) { + captiveportal_disconnect($cpdb[$i], $radiusservers,$term_cause,$stop_time); + captiveportal_logportalauth($cpdb[$i][4], $cpdb[$i][3], $cpdb[$i][2], "TIMEOUT"); + $unsetindexes[$i] = $i; + } + + /* do periodic RADIUS reauthentication? */ + if (!$timedout && !empty($radiusservers)) { + if (isset($config['captiveportal']['radacct_enable'])) { + if ($config['captiveportal']['reauthenticateacct'] == "stopstart") { + /* stop and restart accounting */ + RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno + $cpdb[$i][4], // username + $cpdb[$i][5], // sessionid + $cpdb[$i][0], // start time + $radiusservers, + $cpdb[$i][2], // clientip + $cpdb[$i][3], // clientmac + 10); // NAS Request + exec("/sbin/ipfw table 1 entryzerostats {$cpdb[$i][2]}"); + exec("/sbin/ipfw table 2 entryzerostats {$cpdb[$i][2]}"); + RADIUS_ACCOUNTING_START($cpdb[$i][1], // ruleno + $cpdb[$i][4], // username + $cpdb[$i][5], // sessionid + $radiusservers, + $cpdb[$i][2], // clientip + $cpdb[$i][3]); // clientmac + } else if ($config['captiveportal']['reauthenticateacct'] == "interimupdate") { + RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno + $cpdb[$i][4], // username + $cpdb[$i][5], // sessionid + $cpdb[$i][0], // start time + $radiusservers, + $cpdb[$i][2], // clientip + $cpdb[$i][3], // clientmac + 10, // NAS Request + true); // Interim Updates + } + } - /* write database */ - captiveportal_write_db($cpdb); + /* check this user against RADIUS again */ + if (isset($config['captiveportal']['reauthenticate'])) { + $auth_list = RADIUS_AUTHENTICATION($cpdb[$i][4], // username + base64_decode($cpdb[$i][6]), // password + $radiusservers, + $cpdb[$i][2], // clientip + $cpdb[$i][3], // clientmac + $cpdb[$i][1]); // ruleno + if ($auth_list['auth_val'] == 3) { + captiveportal_disconnect($cpdb[$i], $radiusservers, 17); + captiveportal_logportalauth($cpdb[$i][4], $cpdb[$i][3], $cpdb[$i][2], "RADIUS_DISCONNECT", $auth_list['reply_message']); + $unsetindexes[$i] = $i; + } + } + } + } + /* This is a kludge to overcome some php weirdness */ + foreach($unsetindexes as $unsetindex) + unset($cpdb[$unsetindex]); - unlock($captiveportallck); + /* write database */ + captiveportal_write_db($cpdb); } /* remove a single client according to the DB entry */ function captiveportal_disconnect($dbent, $radiusservers,$term_cause = 1,$stop_time = null) { - global $g, $config; $stop_time = (empty($stop_time)) ? time() : $stop_time; @@ -874,15 +846,15 @@ function captiveportal_disconnect($dbent, $radiusservers,$term_cause = 1,$stop_t /* this client needs to be deleted - remove ipfw rules */ if (isset($config['captiveportal']['radacct_enable']) && !empty($radiusservers)) { RADIUS_ACCOUNTING_STOP($dbent[1], // ruleno - $dbent[4], // username - $dbent[5], // sessionid - $dbent[0], // start time - $radiusservers, - $dbent[2], // clientip - $dbent[3], // clientmac - $term_cause, // Acct-Terminate-Cause - false, - $stop_time); + $dbent[4], // username + $dbent[5], // sessionid + $dbent[0], // start time + $radiusservers, + $dbent[2], // clientip + $dbent[3], // clientmac + $term_cause, // Acct-Terminate-Cause + false, + $stop_time); } /* Delete client's ip entry from tables 3 and 4. */ mwexec("/sbin/ipfw table 1 delete {$dbent[2]}"); @@ -908,22 +880,17 @@ function captiveportal_disconnect($dbent, $radiusservers,$term_cause = 1,$stop_t /* remove a single client by ipfw rule number */ function captiveportal_disconnect_client($id,$term_cause = 1) { - global $g, $config; - $captiveportallck = lock('captiveportal'); - /* read database */ $cpdb = captiveportal_read_db(); $radiusservers = captiveportal_get_radius_servers(); /* find entry */ - $tmpindex = 0; - $cpdbcount = count($cpdb); - for ($i = 0; $i < $cpdbcount; $i++) { - if ($cpdb[$i][1] == $id) { - captiveportal_disconnect($cpdb[$i], $radiusservers, $term_cause); - captiveportal_logportalauth($cpdb[$i][4], $cpdb[$i][3], $cpdb[$i][2], "DISCONNECT"); + foreach ($cpdb as $i => $cpentry) { + if ($cpentry[1] == $id) { + captiveportal_disconnect($cpentry, $radiusservers, $term_cause); + captiveportal_logportalauth($cpentry[4], $cpentry[3], $cpentry[2], "DISCONNECT"); unset($cpdb[$i]); break; } @@ -931,61 +898,53 @@ function captiveportal_disconnect_client($id,$term_cause = 1) { /* write database */ captiveportal_write_db($cpdb); - - unlock($captiveportallck); } /* send RADIUS acct stop for all current clients */ -function captiveportal_radius_stop_all($lock = false) { - global $g, $config; +function captiveportal_radius_stop_all() { + global $config; if (!isset($config['captiveportal']['radacct_enable'])) return; - if (!$lock) - $captiveportallck = lock('captiveportal'); - - $cpdb = captiveportal_read_db(); - $radiusservers = captiveportal_get_radius_servers(); if (!empty($radiusservers)) { - for ($i = 0; $i < count($cpdb); $i++) { - RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno - $cpdb[$i][4], // username - $cpdb[$i][5], // sessionid - $cpdb[$i][0], // start time - $radiusservers, - $cpdb[$i][2], // clientip - $cpdb[$i][3], // clientmac - 7); // Admin Reboot + $cpdb = captiveportal_read_db(); + foreach ($cpdb as $cpentry) { + RADIUS_ACCOUNTING_STOP($cpentry[1], // ruleno + $cpentry[4], // username + $cpentry[5], // sessionid + $cpentry[0], // start time + $radiusservers, + $cpentry[2], // clientip + $cpentry[3], // clientmac + 7); // Admin Reboot } } - if (!$lock) - unlock($captiveportallck); } function captiveportal_passthrumac_configure_entry($macent) { $rules = ""; - $enBwup = isset($macent['bw_up']); - $enBwdown = isset($macent['bw_down']); + $enBwup = isset($macent['bw_up']); + $enBwdown = isset($macent['bw_down']); $actionup = "allow"; $actiondown = "allow"; - if ($enBwup && $enBwdown) - $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, true); - else - $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, false); + if ($enBwup && $enBwdown) + $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, true); + else + $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, false); if ($enBwup) { - $bw_up = $ruleno + 20000; - $rules .= "pipe {$bw_up} config bw {$macent['bw_up']}Kbit/s queue 100\n"; + $bw_up = $ruleno + 20000; + $rules .= "pipe {$bw_up} config bw {$macent['bw_up']}Kbit/s queue 100\n"; $actionup = "pipe {$bw_up}"; - } - if ($enBwdown) { + } + if ($enBwdown) { $bw_down = $ruleno + 20001; $rules .= "pipe {$bw_down} config bw {$macent['bw_down']}Kbit/s queue 100\n"; $actiondown = "pipe {$bw_down}"; - } + } $rules .= "add {$ruleno} {$actiondown} ip from any to any MAC {$macent['mac']} any\n"; $ruleno++; $rules .= "add {$ruleno} {$actionup} ip from any to any MAC any {$macent['mac']}\n"; @@ -1028,80 +987,126 @@ function captiveportal_passthrumac_findbyname($username) { */ function captiveportal_allowedip_configure_entry($ipent) { + /* This function can deal with hostname or ipaddress */ + if($ipent['ip']) + $ipaddress = $ipent['ip']; + + /* Instead of copying this entire function for something + * easy such as hostname vs ip address add this check + */ + if($ipent['hostname']) { + $ipaddress = gethostbyname($ipent['hostname']); + if(!is_ipaddr($ipaddress)) + return; + } + $rules = ""; - $enBwup = isset($ipent['bw_up']); - $enBwdown = isset($ipent['bw_down']); + $enBwup = intval($ipent['bw_up']); + $enBwdown = intval($ipent['bw_down']); $bw_up = ""; - $bw_down = ""; - $tablein = array(); - $tableout = array(); + $bw_down = ""; + $tablein = array(); + $tableout = array(); - if ($enBwup && $enBwdown) + if (intval($enBwup) > 0 or intval($enBwdown) > 0) $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, true); else $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, false); - if ($ipent['dir'] == "from") { - if ($enBwup) - $tablein[] = 5; - else - $tablein[] = 3; - if ($enBwdown) - $tableout[] = 6; - else - $tableout[] = 4; - } else if ($ipent['dir'] == "to") { - if ($enBwup) - $tablein[] = 9; - else - $tablein[] = 7; - if ($enBwdown) - $tableout[] = 10; - else - $tableout[] = 8; - } else if ($ipent['dir'] == "both") { - if ($enBwup) { - $tablein[] = 5; - $tablein[] = 9; - } else { - $tablein[] = 3; - $tablein[] = 7; - } - if ($enBwdown) { - $tableout[] = 6; - $tableout[] = 10; - } else { - $tableout[] = 4; - $tableout[] = 8; - } - } - if ($enBwup) { - $bw_up = $ruleno + 20000; - $rules .= "pipe {$bw_up} config bw {$ipent['bw_up']}Kbit/s queue 100\n"; - } + if ($ipent['dir'] == "from") { + if ($enBwup) + $tablein[] = 5; + else + $tablein[] = 3; + if ($enBwdown) + $tableout[] = 6; + else + $tableout[] = 4; + } else if ($ipent['dir'] == "to") { + if ($enBwup) + $tablein[] = 9; + else + $tablein[] = 7; + if ($enBwdown) + $tableout[] = 10; + else + $tableout[] = 8; + } else if ($ipent['dir'] == "both") { + if ($enBwup) { + $tablein[] = 5; + $tablein[] = 9; + } else { + $tablein[] = 3; + $tablein[] = 7; + } + if ($enBwdown) { + $tableout[] = 6; + $tableout[] = 10; + } else { + $tableout[] = 4; + $tableout[] = 8; + } + } + if ($enBwup) { + $bw_up = $ruleno + 20000; + $rules .= "pipe {$bw_up} config bw {$ipent['bw_up']}Kbit/s queue 100\n"; + } $subnet = ""; if (!empty($ipent['sn'])) $subnet = "/{$ipent['sn']}"; foreach ($tablein as $table) - $rules .= "table {$table} add {$ipent['ip']}{$subnet} {$bw_up}\n"; - if ($enBwdown) { - $bw_down = $ruleno + 20001; - $rules .= "pipe {$bw_down} config bw {$ipent['bw_down']}Kbit/s queue 100\n"; - } - foreach ($tableout as $table) - $rules .= "table {$table} add {$ipent['ip']}{$subnet} {$bw_down}\n"; + $rules .= "table {$table} add {$ipaddress}{$subnet} {$bw_up}\n"; + if ($enBwdown) { + $bw_down = $ruleno + 20001; + $rules .= "pipe {$bw_down} config bw {$ipent['bw_down']}Kbit/s queue 100\n"; + } + foreach ($tableout as $table) + $rules .= "table {$table} add {$ipaddress}{$subnet} {$bw_down}\n"; return $rules; } +/* + Adds a dnsfilter entry and watches for hostname changes. + A change results in reloading the ruleset. +*/ +function setup_dnsfilter_entries() { + global $g, $config; + + $cp_filterdns_filename = "{$g['varetc_path']}/filterdns-captiveportal.conf"; + $cp_filterdns_conf = ""; + if (is_array($config['captiveportal']['allowedhostname'])) { + foreach ($config['captiveportal']['allowedhostname'] as $hostnameent) { + $cp_filterdns_conf .= "ipfw $hostnameent 3 '/etc/rc.captiveportal_configure'\n"; + $cp_filterdns_conf .= "ipfw $hostnameent 4 '/etc/rc.captiveportal_configure'\n"; + $cp_filterdns_conf .= "ipfw $hostnameent 7 '/etc/rc.captiveportal_configure'\n"; + $cp_filterdns_conf .= "ipfw $hostnameent 8 '/etc/rc.captiveportal_configure'\n"; + } + } + file_put_contents($cp_filterdns_filename, $cp_filterdns_conf); + killbypid("{$g['tmp_path']}/filterdns-cpah.pid"); + mwexec("/usr/local/sbin/filterdns -p {$g['tmp_path']}/filterdns-cpah.pid -i 300 -c {$cp_filterdns_filename} -d 1"); +} + +function captiveportal_allowedhostname_configure() { + global $config, $g; + + $rules = "\n# captiveportal_allowedhostname_configure()\n"; + setup_dnsfilter_entries(); + if (is_array($config['captiveportal']['allowedhostname'])) { + foreach ($config['captiveportal']['allowedhostname'] as $hostnameent) + $rules .= captiveportal_allowedip_configure_entry($hostnameent); + } + return $rules; +} + function captiveportal_allowedip_configure() { global $config, $g; $rules = ""; if (is_array($config['captiveportal']['allowedip'])) { - foreach ($config['captiveportal']['allowedip'] as $ipent) { + foreach ($config['captiveportal']['allowedip'] as $ipent) $rules .= captiveportal_allowedip_configure_entry($ipent); - } } return $rules; @@ -1123,42 +1128,84 @@ function captiveportal_get_last_activity($ip) { return 0; } +function captiveportal_init_radius_servers() { + global $config, $g; + + /* generate radius server database */ + if ($config['captiveportal']['radiusip'] && (!isset($config['captiveportal']['auth_method']) || + ($config['captiveportal']['auth_method'] == "radius"))) { + $radiusip = $config['captiveportal']['radiusip']; + $radiusip2 = ($config['captiveportal']['radiusip2']) ? $config['captiveportal']['radiusip2'] : null; + + if ($config['captiveportal']['radiusport']) + $radiusport = $config['captiveportal']['radiusport']; + else + $radiusport = 1812; + if ($config['captiveportal']['radiusacctport']) + $radiusacctport = $config['captiveportal']['radiusacctport']; + else + $radiusacctport = 1813; + if ($config['captiveportal']['radiusport2']) + $radiusport2 = $config['captiveportal']['radiusport2']; + else + $radiusport2 = 1812; + $radiuskey = $config['captiveportal']['radiuskey']; + $radiuskey2 = ($config['captiveportal']['radiuskey2']) ? $config['captiveportal']['radiuskey2'] : null; + + $cprdsrvlck = lock('captiveportalradius', LOCK_EX); + $fd = @fopen("{$g['vardb_path']}/captiveportal_radius.db", "w"); + if (!$fd) { + captiveportal_syslog("Error: cannot open radius DB file in captiveportal_configure().\n"); + unlock($cprdsrvlck); + return 1; + } else if (isset($radiusip2, $radiuskey2)) + fwrite($fd,$radiusip . "," . $radiusport . "," . $radiusacctport . "," . $radiuskey . "\n" + . $radiusip2 . "," . $radiusport2 . "," . $radiusacctport . "," . $radiuskey2); + else + fwrite($fd,$radiusip . "," . $radiusport . "," . $radiusacctport . "," . $radiuskey); + fclose($fd); + unlock($cprdsrvlck); + } +} + /* read RADIUS servers into array */ function captiveportal_get_radius_servers() { + global $g; - global $g; - - if (file_exists("{$g['vardb_path']}/captiveportal_radius.db")) { - $radiusservers = array(); - $cpradiusdb = file("{$g['vardb_path']}/captiveportal_radius.db", + $cprdsrvlck = lock('captiveportalradius'); + if (file_exists("{$g['vardb_path']}/captiveportal_radius.db")) { + $radiusservers = array(); + $cpradiusdb = file("{$g['vardb_path']}/captiveportal_radius.db", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); - if ($cpradiusdb) - foreach($cpradiusdb as $cpradiusentry) { - $line = trim($cpradiusentry); - if ($line) { - $radsrv = array(); - list($radsrv['ipaddr'],$radsrv['port'],$radsrv['acctport'],$radsrv['key']) = explode(",",$line); - $radiusservers[] = $radsrv; - } + if ($cpradiusdb) { + foreach($cpradiusdb as $cpradiusentry) { + $line = trim($cpradiusentry); + if ($line) { + $radsrv = array(); + list($radsrv['ipaddr'],$radsrv['port'],$radsrv['acctport'],$radsrv['key']) = explode(",",$line); + $radiusservers[] = $radsrv; + } + } + } + unlock($cprdsrvlck); + return $radiusservers; } - return $radiusservers; - } - - return false; + unlock($cprdsrvlck); + return false; } /* log successful captive portal authentication to syslog */ /* part of this code from php.net */ function captiveportal_logportalauth($user,$mac,$ip,$status, $message = null) { - $message = trim($message); // Log it if (!$message) $message = "$status: $user, $mac, $ip"; - else + else { + $message = trim($message); $message = "$status: $user, $mac, $ip, $message"; + } captiveportal_syslog($message); - closelog(); } /* log simple messages to syslog */ @@ -1172,91 +1219,78 @@ function captiveportal_syslog($message) { } function radius($username,$password,$clientip,$clientmac,$type) { - global $g, $config; - - /* Start locking from the beginning of an authentication session */ - $captiveportallck = lock('captiveportal'); - - $ruleno = captiveportal_get_next_ipfw_ruleno(); - - /* If the pool is empty, return appropriate message and fail authentication */ - if (is_null($ruleno)) { - $auth_list = array(); - $auth_list['auth_val'] = 1; - $auth_list['error'] = gettext("System reached maximum login capacity"); - unlock($captiveportallck); - return $auth_list; - } - - /* - * Drop the lock since radius takes some time to finish. - * The implementation is reentrant so we gain speed with this. - */ - unlock($captiveportallck); - - $radiusservers = captiveportal_get_radius_servers(); - - $auth_list = RADIUS_AUTHENTICATION($username, - $password, - $radiusservers, - $clientip, - $clientmac, - $ruleno); + global $g, $config; - $captiveportallck = lock('captiveportal'); + $ruleno = captiveportal_get_next_ipfw_ruleno(); - if ($auth_list['auth_val'] == 2) { - captiveportal_logportalauth($username,$clientmac,$clientip,$type); - $sessionid = portal_allow($clientip, - $clientmac, - $username, - $password, - $auth_list, - $ruleno); - } + /* If the pool is empty, return appropriate message and fail authentication */ + if (is_null($ruleno)) { + $auth_list = array(); + $auth_list['auth_val'] = 1; + $auth_list['error'] = "System reached maximum login capacity"; + return $auth_list; + } - unlock($captiveportallck); + $radiusservers = captiveportal_get_radius_servers(); - return $auth_list; + $auth_list = RADIUS_AUTHENTICATION($username, + $password, + $radiusservers, + $clientip, + $clientmac, + $ruleno); + + if ($auth_list['auth_val'] == 2) { + captiveportal_logportalauth($username,$clientmac,$clientip,$type); + $sessionid = portal_allow($clientip, + $clientmac, + $username, + $password, + $auth_list, + $ruleno); + } + return $auth_list; } /* read captive portal DB into array */ function captiveportal_read_db() { + global $g; + + $cpdb = array(); - global $g; - - $cpdb = array(); - $fd = @fopen("{$g['vardb_path']}/captiveportal.db", "r"); - if ($fd) { - while (!feof($fd)) { - $line = trim(fgets($fd)); - if ($line) { - $cpdb[] = explode(",", $line); - } - } - fclose($fd); - } - return $cpdb; + $cpdblck = lock('captiveportaldb'); + $fd = @fopen("{$g['vardb_path']}/captiveportal.db", "r"); + if ($fd) { + while (!feof($fd)) { + $line = trim(fgets($fd)); + if ($line) + $cpdb[] = explode(",", $line); + } + fclose($fd); + } + unlock($cpdblck); + return $cpdb; } /* write captive portal DB */ function captiveportal_write_db($cpdb) { - - global $g; - - $fd = @fopen("{$g['vardb_path']}/captiveportal.db", "w"); - if ($fd) { - foreach ($cpdb as $cpent) { - fwrite($fd, join(",", $cpent) . "\n"); - } - fclose($fd); - } + global $g; + + $cpdblck = lock('captiveportaldb', LOCK_EX); + $fd = @fopen("{$g['vardb_path']}/captiveportal.db", "w"); + if ($fd) { + foreach ($cpdb as $cpent) { + fwrite($fd, join(",", $cpent) . "\n"); + } + fclose($fd); + } + unlock($cpdblck); } function captiveportal_write_elements() { global $g, $config; - + /* delete any existing elements */ if (is_dir($g['captiveportal_element_path'])) { $dh = opendir($g['captiveportal_element_path']); @@ -1265,8 +1299,9 @@ function captiveportal_write_elements() { unlink($g['captiveportal_element_path'] . "/" . $file); } closedir($dh); - } else + } else { @mkdir($g['captiveportal_element_path']); + } if (is_array($config['captiveportal']['element'])) { conf_mount_rw(); @@ -1285,7 +1320,7 @@ function captiveportal_write_elements() { } conf_mount_ro(); } - + return 0; } @@ -1308,16 +1343,17 @@ function captiveportal_get_next_ipfw_ruleno($rulenos_start = 2000, $rulenos_rang if(!isset($config['captiveportal']['enable'])) return NULL; + $cpruleslck = lock('captiveportalrules', LOCK_EX); $ruleno = 0; if (file_exists("{$g['vardb_path']}/captiveportal.rules")) { $rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportal.rules")); for ($ridx = 2; $ridx < ($rulenos_range_max - $rulenos_start); $ridx++) { if ($rules[$ridx]) { /* - * This allows our traffic shaping pipes to be the in pipe the same as ruleno - * and the out pipe ruleno + 1. This removes limitation that where present in - * previous version of the peruserbw. - */ + * This allows our traffic shaping pipes to be the in pipe the same as ruleno + * and the out pipe ruleno + 1. This removes limitation that where present in + * previous version of the peruserbw. + */ if (isset($config['captiveportal']['peruserbw'])) $ridx++; continue; @@ -1334,6 +1370,7 @@ function captiveportal_get_next_ipfw_ruleno($rulenos_start = 2000, $rulenos_rang $ruleno = 2; } file_put_contents("{$g['vardb_path']}/captiveportal.rules", serialize($rules)); + unlock($cpruleslck); return $ruleno; } @@ -1343,6 +1380,7 @@ function captiveportal_free_ipfw_ruleno($ruleno, $usedbw = false) { if(!isset($config['captiveportal']['enable'])) return NULL; + $cpruleslck = lock('captiveportalrules', LOCK_EX); if (file_exists("{$g['vardb_path']}/captiveportal.rules")) { $rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportal.rules")); $rules[$ruleno] = false; @@ -1350,21 +1388,26 @@ function captiveportal_free_ipfw_ruleno($ruleno, $usedbw = false) { $rules[++$ruleno] = false; file_put_contents("{$g['vardb_path']}/captiveportal.rules", serialize($rules)); } + unlock($cpruleslck); } function captiveportal_get_ipfw_passthru_ruleno($value) { global $config, $g; if(!isset($config['captiveportal']['enable'])) - return NULL; + return NULL; - if (file_exists("{$g['vardb_path']}/captiveportal.rules")) { - $rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportal.rules")); + $cpruleslck = lock('captiveportalrules', LOCK_EX); + if (file_exists("{$g['vardb_path']}/captiveportal.rules")) { + $rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportal.rules")); $ruleno = intval(`/sbin/ipfw show | /usr/bin/grep {$value} | /usr/bin/grep -v grep | /usr/bin/cut -d " " -f 1 | /usr/bin/head -n 1`); - if ($rules[$ruleno]) + if ($rules[$ruleno]) { + unlock($cpruleslck); return $ruleno; - } + } + } + unlock($cpruleslck); return NULL; } @@ -1381,31 +1424,31 @@ function captiveportal_get_ipfw_passthru_ruleno($value) { function getVolume($ip) { - $volume = array(); + $volume = array(); - // Initialize vars properly, since we don't want NULL vars - $volume['input_pkts'] = $volume['input_bytes'] = $volume['output_pkts'] = $volume['output_bytes'] = 0 ; + // Initialize vars properly, since we don't want NULL vars + $volume['input_pkts'] = $volume['input_bytes'] = $volume['output_pkts'] = $volume['output_bytes'] = 0 ; - // Ingress - $ipfwin = ""; - $ipfwout = ""; - $matchesin = ""; - $matchesout = ""; - exec("/sbin/ipfw table 1 entrystats {$ip}", $ipfwin); - if ($ipfwin[0]) { + // Ingress + $ipfwin = ""; + $ipfwout = ""; + $matchesin = ""; + $matchesout = ""; + exec("/sbin/ipfw table 1 entrystats {$ip}", $ipfwin); + if ($ipfwin[0]) { $ipfwin = split(" ", $ipfwin[0]); $volume['input_pkts'] = $ipfwin[2]; $volume['input_bytes'] = $ipfwin[3]; - } + } - exec("/sbin/ipfw table 2 entrystats {$ip}", $ipfwout); - if ($ipfwout[0]) { - $ipfwout = split(" ", $ipfwout[0]); - $volume['output_pkts'] = $ipfwout[2]; - $volume['output_bytes'] = $ipfwout[3]; - } + exec("/sbin/ipfw table 2 entrystats {$ip}", $ipfwout); + if ($ipfwout[0]) { + $ipfwout = split(" ", $ipfwout[0]); + $volume['output_pkts'] = $ipfwout[2]; + $volume['output_bytes'] = $ipfwout[3]; + } - return $volume; + return $volume; } /** @@ -1415,11 +1458,11 @@ function getVolume($ip) { */ function getNasID() { - $nasId = ""; - exec("/bin/hostname", $nasId); - if(!$nasId[0]) - $nasId[0] = "{$g['product_name']}"; - return $nasId[0]; + $nasId = ""; + exec("/bin/hostname", $nasId); + if(!$nasId[0]) + $nasId[0] = "{$g['product_name']}"; + return $nasId[0]; } /** @@ -1433,17 +1476,17 @@ function getNasIP() { global $config; - if (empty($config['captiveportal']['radiussrcip_attribute'])) - $nasIp = get_interface_ip(); - else { + if (empty($config['captiveportal']['radiussrcip_attribute'])) { + $nasIp = get_interface_ip(); + } else { if (is_ipaddr($config['captiveportal']['radiussrcip_attribute'])) - $nasIp = $config['captiveportal']['radiussrcip_attribute']; - else - $nasIp = get_interface_ip($config['captiveportal']['radiussrcip_attribute']); + $nasIp = $config['captiveportal']['radiussrcip_attribute']; + else + $nasIp = get_interface_ip($config['captiveportal']['radiussrcip_attribute']); } - if(!is_ipaddr($nasIp)) - $nasIp = "0.0.0.0"; + if(!is_ipaddr($nasIp)) + $nasIp = "0.0.0.0"; return $nasIp; } diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc index e82baba..7d19045 100644 --- a/etc/inc/certs.inc +++ b/etc/inc/certs.inc @@ -286,6 +286,7 @@ function csr_get_subject($str_crt, $decode = true) { if (!is_array($components)) return "unknown"; + ksort($components); foreach ($components as $a => $v) { if (!strlen($subject)) $subject = "{$a}={$v}"; @@ -307,13 +308,15 @@ function cert_get_subject($str_crt, $decode = true) { if (!is_array($components)) return "unknown"; + ksort($components); foreach ($components as $a => $v) { - if (is_array($v)) + if (is_array($v)) { + ksort($v); foreach ($v as $w) { $asubject = "{$a}={$w}"; $subject = (strlen($subject)) ? "{$asubject}, {$subject}" : $asubject; } - else { + } else { $asubject = "{$a}={$v}"; $subject = (strlen($subject)) ? "{$asubject}, {$subject}" : $asubject; } @@ -561,4 +564,4 @@ function is_crl_internal($crl) { return !(!empty($crl['text']) && empty($crl['cert'])); } -?>
\ No newline at end of file +?> diff --git a/etc/inc/config.console.inc b/etc/inc/config.console.inc index 40b765e..536c976 100644 --- a/etc/inc/config.console.inc +++ b/etc/inc/config.console.inc @@ -319,6 +319,8 @@ EOD; if (in_array($key, array('y', 'Y'))) { if($lanif) { + if (!is_array($config['interfaces']['lan'])) + $config['interfaces']['lan'] = array(); $config['interfaces']['lan']['if'] = $lanif; $config['interfaces']['lan']['enable'] = true; } elseif (!$g['booting'] && !$auto_assign) { @@ -332,7 +334,7 @@ unload the interface now? [y|n]? EODD; if (strcasecmp(chop(fgets($fp)), "y") == 0) { - if($config['interfaces']['lan']['if']) + if(isset($config['interfaces']['lan']) && $config['interfaces']['lan']['if']) mwexec("/sbin/ifconfig " . $config['interfaces']['lan']['if'] . " delete"); } if(isset($config['interfaces']['lan'])) @@ -372,9 +374,12 @@ EODD; (!is_array($config['interfaces']['lan']['wireless']))) $config['interfaces']['lan']['wireless'] = array(); } else { - unset($config['interfaces']['lan']['wireless']); + if (isset($config['interfaces']['lan'])) + unset($config['interfaces']['lan']['wireless']); } + if (!is_array($config['interfaces']['wan'])) + $config['interfaces']['wan'] = array(); $config['interfaces']['wan']['if'] = $wanif; $config['interfaces']['wan']['enable'] = true; if (preg_match($g['wireless_regex'], $wanif)) { @@ -382,7 +387,8 @@ EODD; (!is_array($config['interfaces']['wan']['wireless']))) $config['interfaces']['wan']['wireless'] = array(); } else { - unset($config['interfaces']['wan']['wireless']); + if (isset($config['interfaces']['wan'])) + unset($config['interfaces']['wan']['wireless']); } for ($i = 0; $i < count($optif); $i++) { @@ -420,13 +426,7 @@ EODD; $g['booting'] = false; - /* XXX: ermal - disable it for now this is used during bootup at best so shouldn't be needed. - * For now just comment it out and later remove it completely. - * resync everything - reload_all_sync(); - */ - - echo " " . gettext("done!") . "\n"; + echo gettext(" done!") . "\n"; touch("{$g['tmp_path']}/assign_complete"); diff --git a/etc/inc/config.gui.inc b/etc/inc/config.gui.inc index cd38049..1a7e397 100644 --- a/etc/inc/config.gui.inc +++ b/etc/inc/config.gui.inc @@ -54,11 +54,6 @@ if($config_parsed == true) else $config_parsed = true; -// Set the memory limit to 128M. When someone has something like 500+ tunnels -// the parser needs quite a bit of ram. Do not remove this line unless you -// know what you are doing. If in doubt, check with dev@ _/FIRST/_! -ini_set("memory_limit","128M"); - /* include globals from notices.inc /utility/XML parser files */ require_once('config.lib.inc'); require_once("notices.inc"); diff --git a/etc/inc/config.lib.inc b/etc/inc/config.lib.inc index e985aa8..9f0b736 100644 --- a/etc/inc/config.lib.inc +++ b/etc/inc/config.lib.inc @@ -53,30 +53,33 @@ ******/ function encrypted_configxml() { global $g, $config; - if(file_exists($g['conf_path'] . "/config.xml")) { - if($g['booting']) { - $configtxt = file_get_contents($g['conf_path'] . "/config.xml"); - if(tagfile_deformat($configtxt, $configtxt, "config.xml")) { - $fp = fopen('php://stdin', 'r'); + + if (!file_exists($g['conf_path'] . "/config.xml")) + return; + + if (!$g['booting']) + return; + + $configtxt = file_get_contents($g['conf_path'] . "/config.xml"); + if(tagfile_deformat($configtxt, $configtxt, "config.xml")) { + $fp = fopen('php://stdin', 'r'); + $data = ""; + echo "\n\n*** Encrypted config.xml detected ***\n"; + while($data == "") { + echo "\nEnter the password to decrypt config.xml: "; + $decrypt_password = chop(fgets($fp)); + $data = decrypt_data($configtxt, $decrypt_password); + if(!strstr($data, "<pfsense>")) $data = ""; - echo "\n\n" . gettext("*** Encrypted config.xml detected ***") . "\n"; - while($data == "") { - echo "\n" . gettext("Enter the password to decrypt config.xml:") . " "; - $decrypt_password = chop(fgets($fp)); - $data = decrypt_data($configtxt, $decrypt_password); - if(!strstr($data, "<pfsense>")) - $data = ""; - if($data) { - $fd = fopen($g['conf_path'] . "/config.xml.tmp", "w"); - fwrite($fd, $data); - fclose($fd); - exec("/bin/mv {$g['conf_path']}/config.xml.tmp {$g['conf_path']}/config.xml"); - echo "\n" . gettext("Config.xml unlocked.") . "\n"; - fclose($fp); - } else { - echo "\n" . gettext("Invalid password entered. Please try again.") . "\n"; - } - } + if($data) { + $fd = fopen($g['conf_path'] . "/config.xml.tmp", "w"); + fwrite($fd, $data); + fclose($fd); + exec("/bin/mv {$g['conf_path']}/config.xml.tmp {$g['conf_path']}/config.xml"); + echo "\n" . gettext("Config.xml unlocked.") . "\n"; + fclose($fp); + } else { + echo "\n" . gettext("Invalid password entered. Please try again.") . "\n"; } } } @@ -92,9 +95,10 @@ function encrypted_configxml() { ******/ function parse_config($parse = false) { global $g, $config_parsed, $config_extra; - + $lockkey = lock('config'); $config_parsed = false; + if (!file_exists("{$g['conf_path']}/config.xml") || filesize("{$g['conf_path']}/config.xml") == 0) { $last_backup = discover_last_backup(); if($last_backup) { @@ -106,12 +110,17 @@ function parse_config($parse = false) { die(gettext("Config.xml is corrupted and is 0 bytes. Could not restore a previous backup.")); } } - if($g['booting']) echo "."; + + if($g['booting']) + echo "."; + // Check for encrypted config.xml encrypted_configxml(); + if(!$parse) { - if(file_exists($g['tmp_path'] . '/config.cache')) { + if (file_exists($g['tmp_path'] . '/config.cache')) { $config = unserialize(file_get_contents($g['tmp_path'] . '/config.cache')); +<<<<<<< HEAD if(is_null($config)) { unlock($lockkey); parse_config(true); @@ -139,6 +148,19 @@ function parse_config($parse = false) { if($g['booting']) echo "."; log_error(gettext("No config.xml found, attempting last known config restore.")); file_notice("config.xml", gettext("No config.xml found, attempting last known config restore."), "pfSenseConfigurator", ""); +======= + if (is_null($config)) + $parse = true; + } else + $parse = true; + } + if ($parse == true) { + if(!file_exists($g['conf_path'] . "/config.xml")) { + if($g['booting']) + echo "."; + log_error("No config.xml found, attempting last known config restore."); + file_notice("config.xml", "No config.xml found, attempting last known config restore.", "pfSenseConfigurator", ""); +>>>>>>> master $last_backup = discover_last_backup(); if ($last_backup) restore_backup("/cf/conf/backup/{$last_backup}"); @@ -149,7 +171,7 @@ function parse_config($parse = false) { } } $config = parse_xml_config($g['conf_path'] . '/config.xml', array($g['xml_rootobj'], 'pfsense')); - if($config == "-1") { + if($config == -1) { $last_backup = discover_last_backup(); if ($last_backup) restore_backup("/cf/conf/backup/{$last_backup}"); @@ -161,11 +183,15 @@ function parse_config($parse = false) { } generate_config_cache($config); } - if($g['booting']) echo "."; - alias_make_table($config); + + if($g['booting']) + echo "."; + $config_parsed = true; unlock($lockkey); + alias_make_table($config); + return $config; } @@ -226,7 +252,8 @@ function restore_backup($file) { function parse_config_bootup() { global $config, $g; - if($g['booting']) echo "."; + if($g['booting']) + echo "."; $lockkey = lock('config'); if (!file_exists("{$g['conf_path']}/config.xml")) { @@ -249,7 +276,12 @@ function parse_config_bootup() { restore_backup("/cf/conf/backup/{$last_backup}"); } if(!file_exists("{$g['conf_path']}/config.xml")) { +<<<<<<< HEAD echo sprintf(gettext("XML configuration file not found. %s cannot continue booting."), $g['product_name']) . "\n"; +======= + echo "XML configuration file not found. {$g['product_name']} cannot continue booting.\n"; + unlock($lockkey); +>>>>>>> master mwexec("/sbin/halt"); exit; } @@ -348,6 +380,9 @@ function conf_mount_ro() { if($g['platform'] == "cdrom" or $g['platform'] == "pfSense") return; + if($g['booting']) + return; + if (refcount_unreference(1000) > 0) return; @@ -411,10 +446,14 @@ function convert_config() { log_error(sprintf(gettext("Ended Configuration upgrade at %s"), $now)); if ($prev_version != $config['version']) +<<<<<<< HEAD write_config(sprintf(gettext('Upgraded config version level from %1$s to %2$s'), $prev_version, $config['version'])); if($g['booting']) echo gettext("Loading new configuration..."); +======= + write_config("Upgraded config version level from {$prev_version} to {$config['version']}"); +>>>>>>> master } /****f* config/safe_write_file @@ -481,12 +520,22 @@ function write_config($desc="Unknown", $backup = true) { * for now, since it was preventing config saving. */ // $config = parse_config(true, false, false); +<<<<<<< HEAD if($g['bootup']) log_error(gettext("WARNING! Configuration written on bootup. This can cause stray openvpn and load balancing items in config.xml")); +======= + if($g['booting']) + log_error("WARNING! Configuration written on bootup. This can cause stray openvpn and load balancing items in config.xml"); +>>>>>>> master + + $username = empty($_SESSION["Username"]) ? "(system)" : $_SESSION['Username']; if($backup) backup_config(); + if (!is_array($config['revision'])) + $config['revision'] = array(); + if (time() > mktime(0, 0, 0, 9, 1, 2004)) /* make sure the clock settings are plausible */ $config['revision']['time'] = time(); @@ -494,8 +543,8 @@ function write_config($desc="Unknown", $backup = true) { if ($desc == "Unknown") $desc = sprintf(gettext("%s made unknown change"), $_SERVER['SCRIPT_NAME']); - $config['revision']['description'] = "{$_SESSION['Username']}: " . $desc; - $config['revision']['username'] = $_SESSION["Username"]; + $config['revision']['description'] = "{$username}: " . $desc; + $config['revision']['username'] = $username; conf_mount_rw(); $lockkey = lock('config', LOCK_EX); @@ -755,7 +804,7 @@ function cleanup_backupcache($revisions = 30, $lock = false) { foreach($tocache as $version => $versioninfo) { if(!in_array($version, array_keys($newcache))) { unlink_if_exists($g['conf_path'] . '/backup/config-' . $version . '.xml'); - if($g['booting']) print " " . $tocheck . "d"; + //if($g['booting']) print " " . $tocheck . "d"; } } $tocache = $newcache; diff --git a/etc/inc/cram_md5_sasl_client.inc b/etc/inc/cram_md5_sasl_client.inc new file mode 100644 index 0000000..69bd625 --- /dev/null +++ b/etc/inc/cram_md5_sasl_client.inc @@ -0,0 +1,67 @@ +<?php +/* + * cram_md5_sasl_client.php + * + * @(#) $Id: cram_md5_sasl_client.php,v 1.3 2004/11/17 08:00:37 mlemos Exp $ + * + */ + +define("SASL_CRAM_MD5_STATE_START", 0); +define("SASL_CRAM_MD5_STATE_RESPOND_CHALLENGE", 1); +define("SASL_CRAM_MD5_STATE_DONE", 2); + +class cram_md5_sasl_client_class +{ + var $credentials=array(); + var $state=SASL_CRAM_MD5_STATE_START; + + Function Initialize(&$client) + { + return(1); + } + + Function HMACMD5($key,$text) + { + $key=(strlen($key)<64 ? str_pad($key,64,"\0") : substr($key,0,64)); + return(md5((str_repeat("\x5c", 64)^$key).pack("H32", md5((str_repeat("\x36", 64)^$key).$text)))); + } + + Function Start(&$client, &$message, &$interactions) + { + if($this->state!=SASL_CRAM_MD5_STATE_START) + { + $client->error="CRAM-MD5 authentication state is not at the start"; + return(SASL_FAIL); + } + $this->credentials=array( + "user"=>"", + "password"=>"" + ); + $defaults=array(); + $status=$client->GetCredentials($this->credentials,$defaults,$interactions); + if($status==SASL_CONTINUE) + $this->state=SASL_CRAM_MD5_STATE_RESPOND_CHALLENGE; + Unset($message); + return($status); + } + + Function Step(&$client, $response, &$message, &$interactions) + { + switch($this->state) + { + case SASL_CRAM_MD5_STATE_RESPOND_CHALLENGE: + $message=$this->credentials["user"]." ".$this->HMACMD5($this->credentials["password"], $response); + $this->state=SASL_CRAM_MD5_STATE_DONE; + break; + case SASL_CRAM_MD5_STATE_DONE: + $client->error="CRAM-MD5 authentication was finished without success"; + return(SASL_FAIL); + default: + $client->error="invalid CRAM-MD5 authentication step state"; + return(SASL_FAIL); + } + return(SASL_CONTINUE); + } +}; + +?>
\ No newline at end of file diff --git a/etc/inc/crypt.inc b/etc/inc/crypt.inc index dc40eb9..582a84c 100644 --- a/etc/inc/crypt.inc +++ b/etc/inc/crypt.inc @@ -85,12 +85,12 @@ $body_pos = $btag_pos + $btag_len; $body_len = strlen($in); - $body_len -= strlen($btag_len); - $body_len -= strlen($etag_len); + $body_len -= $btag_len; + $body_len -= $etag_len + 1; $out = substr($in, $body_pos, $body_len); return true; } -?>
\ No newline at end of file +?> diff --git a/etc/inc/digest_sasl_client.inc b/etc/inc/digest_sasl_client.inc new file mode 100644 index 0000000..924887d --- /dev/null +++ b/etc/inc/digest_sasl_client.inc @@ -0,0 +1,135 @@ +<?php +/* + * digest_sasl_client.php + * + * @(#) $Id: digest_sasl_client.php,v 1.1 2005/10/27 05:24:15 mlemos Exp $ + * + */ + +define('SASL_DIGEST_STATE_START', 0); +define('SASL_DIGEST_STATE_RESPOND_CHALLENGE', 1); +define('SASL_DIGEST_STATE_DONE', 2); + +class digest_sasl_client_class +{ + var $credentials=array(); + var $state=SASL_DIGEST_STATE_START; + + Function unq($string) + { + return(($string[0]=='"' && $string[strlen($string)-1]=='"') ? substr($string, 1, strlen($string)-2) : $string); + } + + Function H($data) + { + return md5($data); + } + + Function KD($secret, $data) + { + return $this->H($secret.':'.$data); + } + + Function Initialize(&$client) + { + return(1); + } + + Function Start(&$client, &$message, &$interactions) + { + if($this->state!=SASL_DIGEST_STATE_START) + { + $client->error='Digest authentication state is not at the start'; + return(SASL_FAIL); + } + $this->credentials=array( + 'user'=>'', + 'password'=>'', + 'uri'=>'', + 'method'=>'', + 'session'=>'' + ); + $defaults=array(); + $status=$client->GetCredentials($this->credentials,$defaults,$interactions); + if($status==SASL_CONTINUE) + $this->state=SASL_DIGEST_STATE_RESPOND_CHALLENGE; + Unset($message); + return($status); + } + + Function Step(&$client, $response, &$message, &$interactions) + { + switch($this->state) + { + case SASL_DIGEST_STATE_RESPOND_CHALLENGE: + $values=explode(',',$response); + $parameters=array(); + for($v=0; $v<count($values); $v++) + $parameters[strtok(trim($values[$v]), '=')]=strtok(''); + + $message='username="'.$this->credentials['user'].'"'; + if(!IsSet($parameters[$p='realm']) + && !IsSet($parameters[$p='nonce'])) + { + $client->error='Digest authentication parameter '.$p.' is missing from the server response'; + return(SASL_FAIL); + } + $message.=', realm='.$parameters['realm']; + $message.=', nonce='.$parameters['nonce']; + $message.=', uri="'.$this->credentials['uri'].'"'; + if(IsSet($parameters['algorithm'])) + { + $algorithm=$this->unq($parameters['algorithm']); + $message.=', algorithm='.$parameters['algorithm']; + } + else + $algorithm=''; + + $realm=$this->unq($parameters['realm']); + $nonce=$this->unq($parameters['nonce']); + if(IsSet($parameters['qop'])) + { + switch($qop=$this->unq($parameters['qop'])) + { + case "auth": + $cnonce=$this->credentials['session']; + break; + default: + $client->error='Digest authentication quality of protection '.$qop.' is not yet supported'; + return(SASL_FAIL); + } + } + $nc_value='00000001'; + if(IsSet($parameters['qop']) + && !strcmp($algorithm, 'MD5-sess')) + $A1=$this->H($this->credentials['user'].':'. $realm.':'. $this->credentials['password']).':'.$nonce.':'.$cnonce; + else + $A1=$this->credentials['user'].':'. $realm.':'. $this->credentials['password']; + $A2=$this->credentials['method'].':'.$this->credentials['uri']; + if(IsSet($parameters['qop'])) + $response=$this->KD($this->H($A1), $nonce.':'. $nc_value.':'. $cnonce.':'. $qop.':'. $this->H($A2)); + else + $response=$this->KD($this->H($A1), $nonce.':'. $this->H($A2)); + $message.=', response="'.$response.'"'; + if(IsSet($parameters['opaque'])) + $message.=', opaque='.$parameters['opaque']; + if(IsSet($parameters['qop'])) + $message.=', qop="'.$qop.'"'; + $message.=', nc='.$nc_value; + if(IsSet($parameters['qop'])) + $message.=', cnonce="'.$cnonce.'"'; + $client->encode_response=0; + $this->state=SASL_DIGEST_STATE_DONE; + break; + case SASL_DIGEST_STATE_DONE: + $client->error='Digest authentication was finished without success'; + return(SASL_FAIL); + default: + $client->error='invalid Digest authentication step state'; + return(SASL_FAIL); + } + return(SASL_CONTINUE); + } +}; + +?>
\ No newline at end of file diff --git a/etc/inc/dyndns.class b/etc/inc/dyndns.class index 785c902..da8844e 100644 --- a/etc/inc/dyndns.class +++ b/etc/inc/dyndns.class @@ -827,10 +827,7 @@ log_error("DynDns: Current WAN IP: {$wan_ip}"); if (file_exists($this->_cacheFile)) { - if(file_exists($this->_cacheFile)) - $contents = file_get_contents($this->_cacheFile); - else - $contents = ""; + $contents = file_get_contents($this->_cacheFile); list($cacheIP,$cacheTime) = split(':', $contents); $this->_debug($cacheIP.'/'.$cacheTime); $initial = false; @@ -933,4 +930,4 @@ } -?>
\ No newline at end of file +?> diff --git a/etc/inc/easyrule.inc b/etc/inc/easyrule.inc index da1377d..96864b1 100644 --- a/etc/inc/easyrule.inc +++ b/etc/inc/easyrule.inc @@ -164,9 +164,9 @@ function easyrule_block_alias_add($host, $int = 'wan') { $alias['detail'] = $a_aliases[$id]['detail'] . gettext('Entry added') . ' ' . date('r') . '||'; } else { /* Create a new alias with all the proper information */ - $alias['name'] = $blockaliasname . strtoupper($int); - $alias['type'] = 'network'; - $alias['descr'] = mb_convert_encoding(gettext("Hosts blocked from Firewall Log view"),"HTML-ENTITIES","auto"); + $alias['name'] = $blockaliasname . strtoupper($int); + $alias['type'] = 'network'; + $alias['descr'] = gettext("Hosts blocked from Firewall Log view"); $alias['address'] = $host . '/32'; $alias['detail'] = gettext('Entry added') . ' ' . date('r') . '||'; diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 8d0d9f2..6de6425 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -39,6 +39,7 @@ */ /* DISABLE_PHP_LINT_CHECKING */ +// vim: ts=4 sw=4 noexpandtab /* include all configuration functions */ @@ -184,9 +185,8 @@ function filter_configure_sync() { global $config, $g, $after_filter_configure_run, $FilterIflist; global $time_based_rules, $filterdns, $aliases; - /* Use filter lock to not allow recursion and config lock to prevent changes during this run. */ + /* Use filter lock to not allow concurrent filter reloads during this run. */ $filterlck = lock('filter', LOCK_EX); - $configlck = lock('config'); filter_pflog_start(); @@ -241,7 +241,6 @@ function filter_configure_sync() { update_filter_reload_status(gettext("Filter is disabled. Not loading rules.")); if($g['booting'] == true) echo gettext("done.") . "\n"; - unlock($configlck); unlock($filterlck); return; } @@ -298,8 +297,7 @@ function filter_configure_sync() { $rules .= discover_pkg_rules("filter"); if(!file_put_contents("{$g['tmp_path']}/rules.debug", $rules, LOCK_EX)) { - log_error(gettext("WARNING: Could not write new rules!")); - unlock($configlck); + log_error("WARNING: Could not write new rules!"); unlock($filterlck); return; } @@ -335,11 +333,9 @@ function filter_configure_sync() { if(is_array($line_split)) $line_error = sprintf(gettext('The line in question reads [%1$d]: %2$s'), $line_number, $line_split[$line_number-1]); if($line_error and $line_number) { - $error_msg = sprintf(gettext('There were error(s) loading the rules: %1$s - %2$s'), $rules_error, $line_error); - file_notice("filter_load", $error_msg, "Filter Reload", ""); - log_error($error_msg); - update_filter_reload_status($error_msg); - unlock($configlck); + file_notice("filter_load", sprintf(gettext('There were error(s) loading the rules: %1$s - %2$s'), $rules_error, $line_error), "Filter Reload", ""); + log_error("There were error(s) loading the rules: {$rules_error} - {$line_error}"); + update_filter_reload_status(sprintf(gettext('There were error(s) loading the rules: %1$s - %2$s'), $rules_error, $line_error)); unlock($filterlck); return; } @@ -388,8 +384,6 @@ function filter_configure_sync() { fclose($fda); } - unlock($configlck); - if(file_exists("{$g['tmp_path']}/commands.txt")) { mwexec("sh {$g['tmp_path']}/commands.txt &"); unlink("{$g['tmp_path']}/commands.txt"); @@ -479,7 +473,7 @@ function filter_generate_nested_alias($name, $alias, &$aliasnesting, &$aliasaddr $tmpline = filter_generate_nested_alias($address, $aliastable[$address], $aliasnesting, $aliasaddrnesting); } else if(!isset($aliasaddrnesting[$address])) { if(!is_ipaddr($address) && !is_subnet($address) && !is_port($address)) { - $filterdns .= "{$address} = {$name}\n"; + $filterdns .= "pf {$address} {$name}\n"; continue; } $aliasaddrnesting[$address] = $address; @@ -1094,13 +1088,18 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_ } /* Generate a 'nat on' or 'no nat on' rule for given interface */ -function filter_nat_rules_generate_if($if, $src = "any", $srcport = "", $dst = "any", $dstport = "", $natip = "", $natport = "", $nonat = false, $staticnatport = false, $proto = "") { +function filter_nat_rules_generate_if($if, $src = "any", $srcport = "", $dst = "any", $dstport = "", $natip = "", $natport = "", $nonat = false, $staticnatport = false, $proto = "", $poolopts = "") { global $config, $FilterIflist; /* XXX: billm - any idea if this code is needed? */ if($src == "/32" || $src{0} == "/") return "# src incorrectly specified\n"; if($natip != "") { - $tgt = "{$natip}/32"; + if (is_subnet($natip)) + $tgt = $natip; + elseif (is_alias($natip)) + $tgt = "\${$natip}"; + else + $tgt = "{$natip}/32"; } else { $natip = get_interface_ip($if); if(is_ipaddr($natip)) @@ -1132,18 +1131,17 @@ function filter_nat_rules_generate_if($if, $src = "any", $srcport = "", $dst = " if($dstport != "") $dst .= " port {$dstport}"; /* outgoing static-port option, hamachi, Grandstream, VOIP, etc */ + $staticnatport_txt = ""; if($staticnatport) - $staticnatport_txt = " static-port"; - else - if(!$natport) - $staticnatport_txt = " port 1024:65535"; // set source port range - else - $staticnatport_txt = ""; + $staticnatport_txt = "static-port"; + elseif(!$natport) + $tgt .= " port 1024:65535"; // set source port range /* Allow for negating NAT entries */ if($nonat) { $nat = "no nat"; $target = ""; $staticnatport_txt = ""; + $poolopts = ""; } else { $nat = "nat"; $target = "-> {$tgt}"; @@ -1151,7 +1149,7 @@ function filter_nat_rules_generate_if($if, $src = "any", $srcport = "", $dst = " $if_friendly = $FilterIflist[$if]['descr']; /* Put all the pieces together */ if($if_friendly) - $natrule = "{$nat} on \${$if_friendly} {$protocol} from {$src} to {$dst} {$target}{$staticnatport_txt}\n"; + $natrule = "{$nat} on \${$if_friendly} {$protocol} from {$src} to {$dst} {$target} {$poolopts} {$staticnatport_txt}\n"; else $natrule .= "# Could not convert {$if} to friendly name(alias)\n"; return $natrule; @@ -1244,6 +1242,9 @@ function filter_nat_rules_generate() { else $natif = $obent['interface']; + $obtarget = ($obent['target'] == "other-subnet") ? $obent['targetip'] . '/' . $obent['targetip_subnet']: $obent['target']; + $poolopts = (is_subnet($obtarget) || is_alias($obtarget)) ? $obent['poolopts'] : ""; + if (!isset($FilterIflist[$natif])) continue; @@ -1252,11 +1253,12 @@ function filter_nat_rules_generate() { $obent['sourceport'], $dst, $obent['dstport'], - $obent['target'], + $obtarget, $obent['natport'], isset($obent['nonat']), isset($obent['staticnatport']), - $obent['protocol'] + $obent['protocol'], + $poolopts ); } } @@ -1346,6 +1348,8 @@ function filter_nat_rules_generate() { } if($numberofnathosts > 0): foreach ($FilterIflist as $if => $ifcfg) { + if (substr($ifcfg['if'], 0, 4) == "ovpn") + continue; update_filter_reload_status(sprintf(gettext('Creating outbound rules %1$s - (%2$s)'), $if, $ifcfg['descr'])); if(interface_has_gateway($if)) { $target = $ifcfg['ip']; @@ -1543,7 +1547,7 @@ function filter_generate_user_rule_arr($rule) { $ret['rule'] = $line; $ret['interface'] = $rule['interface']; if($rule['descr'] != "" and $line != "") - $ret['descr'] = "label \"USER_RULE: " . str_replace('"', '', substr($rule['descr'], 0, 63)) . "\""; + $ret['descr'] = "label \"USER_RULE: " . str_replace('"', '', substr($rule['descr'], 0, 52)) . "\""; else $ret['descr'] = "label \"USER_RULE\""; @@ -1972,42 +1976,6 @@ function filter_rules_generate() { $ipfrules = ""; //$ipfrules .= discover_pkg_rules("filter"); - /* if captive portal is enabled, ensure that access to this port - * is allowed on a locked down interface - */ - if(isset($config['captiveportal']['enable'])) { - $cpinterfaces = explode(",", $config['captiveportal']['interface']); - $cpiflist = array(); - $cpiplist = array(); - foreach ($cpinterfaces as $cpifgrp) { - if(!isset($FilterIflist[$cpifgrp])) - continue; - $tmpif = get_real_interface($cpifgrp); - if(!empty($tmpif)) { - $cpiflist[] = "{$tmpif}"; - $cpipm = get_interface_ip($cpifgrp); - if(is_ipaddr($cpipm)) { - $carpif = link_ip_to_carp_interface($cpipm); - if (!empty($carpif)) { - $cpiflist[] = $carpif; - $carpsif = explode(" ", $carpif); - foreach ($carpsif as $cpcarp) { - $carpip = find_interface_ip($cpcarp); - if (is_ipaddr($carpip)) - $cpiplist[] = $carpip; - } - } - $cpiplist[] = $cpipm; - } - } - } - if (count($cpiplist) > 0 && count($cpiflist) > 0) { - $cpinterface = implode(" ", $cpiflist); - $cpaddresses = implode(" ", $cpiplist); - $ipfrules .= "pass in quick on { {$cpinterface} } proto tcp from any to { {$cpaddresses} } port { 8000 8001 } keep state(sloppy)\n"; - $ipfrules .= "pass out quick on { {$cpinterface} } proto tcp from { {$cpaddresses} } port { 8000 8001 } to any keep state(sloppy)\n"; - } - } /* relayd */ $ipfrules .= "anchor \"relayd/*\"\n"; # BEGIN OF firewall rules @@ -2078,6 +2046,43 @@ EOD; */ $ipfrules .= "block in quick from <virusprot> to any label \"virusprot overload table\"\n"; + /* if captive portal is enabled, ensure that access to this port + * is allowed on a locked down interface + */ + if(isset($config['captiveportal']['enable'])) { + $cpinterfaces = explode(",", $config['captiveportal']['interface']); + $cpiflist = array(); + $cpiplist = array(); + foreach ($cpinterfaces as $cpifgrp) { + if(!isset($FilterIflist[$cpifgrp])) + continue; + $tmpif = get_real_interface($cpifgrp); + if(!empty($tmpif)) { + $cpiflist[] = "{$tmpif}"; + $cpipm = get_interface_ip($cpifgrp); + if(is_ipaddr($cpipm)) { + $carpif = link_ip_to_carp_interface($cpipm); + if (!empty($carpif)) { + $cpiflist[] = $carpif; + $carpsif = explode(" ", $carpif); + foreach ($carpsif as $cpcarp) { + $carpip = find_interface_ip($cpcarp); + if (is_ipaddr($carpip)) + $cpiplist[] = $carpip; + } + } + $cpiplist[] = $cpipm; + } + } + } + if (count($cpiplist) > 0 && count($cpiflist) > 0) { + $cpinterface = implode(" ", $cpiflist); + $cpaddresses = implode(" ", $cpiplist); + $ipfrules .= "pass in {$log} quick on { {$cpinterface} } proto tcp from any to { {$cpaddresses} } port { 8000 8001 } keep state(sloppy)\n"; + $ipfrules .= "pass out {$log} quick on { {$cpinterface} } proto tcp from any to any flags any keep state(sloppy)\n"; + } + } + $bogontableinstalled = 0; foreach ($FilterIflist as $on => $oc) { /* block bogon networks */ @@ -2167,7 +2172,6 @@ EOD; pass in on \$loopback all label "pass loopback" pass out on \$loopback all label "pass loopback" - EOD; $ipfrules .= <<<EOD @@ -2766,6 +2770,4 @@ function discover_pkg_rules($ruletype) { return $rules; } -// vim: ts=4 sw=4 noexpandtab - ?> diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc index ba97ba0..6f64478 100644 --- a/etc/inc/globals.inc +++ b/etc/inc/globals.inc @@ -3,7 +3,7 @@ /* globals.inc part of pfSense (www.pfsense.com) - Copyright (C) 2004-2006 Scott Ullrich + Copyright (C) 2004-2010 Scott Ullrich Originally Part of m0n0wall Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. @@ -80,7 +80,7 @@ $g = array( "product_name" => "pfSense", "product_copyright" => "BSD Perimeter LLC", "product_copyright_url" => "http://www.bsdperimeter.com", - "product_copyright_years" => "2004 - 2010", + "product_copyright_years" => "2004 - 2011", "product_website" => "www.pfsense.org", "product_website_footer" => "http://www.pfsense.org/?gui20", "product_email" => "coreteam@pfsense.org", @@ -89,7 +89,7 @@ $g = array( "disablehelpmenu" => false, "disablehelpicon" => false, "debug" => false, - "latest_config" => "7.5", + "latest_config" => "7.6", "nopkg_platforms" => array("cdrom"), "minimum_ram_warning" => "105", "minimum_ram_warning_text" => "128 MB", @@ -110,10 +110,7 @@ $g = array( // Loop through and set vlan_long_frame VLAN_MTU $vlan_native_supp = get_nics_with_capabilities("vlanmtu"); -if(count($vlan_native_supp) > 0) - $g['vlan_long_frame'] = $vlan_native_supp; -else - $g['vlan_long_frame'] = array("vge", "bfe", "bge", "dc", "em", "fxp", "gem", "hme", "ixgb", "le", "lem", "nge", "re", "rl", "sis", "sk", "ste", "ti", "tl", "tx", "txp", "vr", "xl", "lagg"); +$g['vlan_long_frame'] = array_merge(array("vge", "bfe", "bge", "dc", "em", "fxp", "gem", "hme", "ixgb", "le", "lem", "nge", "re", "rl", "sis", "sk", "ste", "ti", "tl", "tx", "txp", "vr", "xl", "lagg"), (array)$vlan_native_supp); /* IP TOS flags */ $iptos = array("lowdelay", "throughput", "reliability"); @@ -162,7 +159,9 @@ $sysctls = array("net.inet.ip.portrange.first" => "1024", "net.inet.tcp.log_debug" => "0", "net.inet.tcp.tso" => "1", "net.inet.icmp.icmplim" => "0", - "vfs.read_max" => "32" + "vfs.read_max" => "32", + "kern.ipc.maxsockbuf" => "4262144", + "debug.pfftpproxy" => "0" ); $config_parsed = false; diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc index ba8d217..60201bd 100644 --- a/etc/inc/interfaces.inc +++ b/etc/inc/interfaces.inc @@ -84,6 +84,85 @@ function does_interface_exist($interface) { return false; } +function interface_netgraph_needed($interface = "wan") { + global $config; + + $found = false; + if (!empty($config['pptpd']) && + $config['pptpd']['mode'] == "server") + $found = true; + if ($found == false && !empty($config['l2tp']) && + $config['l2tp']['mode'] == "server") + $found = true; + if ($found == false && is_array($config['pppoes']['pppoe'])) { + foreach ($config['pppoes']['pppoe'] as $pppoe) { + if ($pppoe['mode'] != "server") + continue; + if ($pppoe['interface'] == $interface) + $found = true; + break; + } + } + if ($found == false) { + if (!empty($config['interfaces'][$interface])) { + switch ($config['interfaces'][$interface]['ipaddr']) { + case "ppp": + case "pppoe": + case "l2tp": + case "pptp": + $found = true; + break; + default: + $found = false; + break; + } + } + } + if ($found == false) { + $realif = get_real_interface($interface); + if (is_array($config['ppps']['ppp']) && count($config['ppps']['ppp'])) { + foreach ($config['ppps']['ppp'] as $pppid => $ppp) { + +/* This if block doesn't do anything. It can be deleted. +PPP interfaces are found above in the previous if ($found == false) block. +This block of code is only entered for OPTx interfaces that are configured for PPPoE modem access, so $realif != $ppp['if'] + + if ($realif == $ppp['if']) { + $found = true; + break; + } +*/ + $ports = explode(',',$ppp['ports']); + foreach($ports as $pid => $port){ + $port = get_real_interface($port); + if ($realif == $port) { + $found = true; + break; + } + /* Find the parent interfaces of the vlans in the MLPPP configs + * there should be only one element in the array here + * -- this could be better . . . */ + $parent_if = get_parent_interface($port); + if ($realif == $parent_if[0]) { + $found = true; + break; + } + } + } + } + } + + if ($found == false) { + $realif = get_real_interface($interface); + pfSense_ngctl_detach("{$realif}:", $realif); + } + /* NOTE: We make sure for this on interface_ppps_configure() + * no need to do it here agan. + * else + * pfSense_ngctl_attach(".", $realif); + */ +} + function interfaces_loopback_configure() { if($g['booting']) echo gettext("Configuring loopback interface..."); @@ -873,13 +952,15 @@ function interface_bring_down($interface = "wan", $destroy = false) { if (is_array($config['ppps']['ppp']) && count($config['ppps']['ppp'])) { foreach ($config['ppps']['ppp'] as $pppid => $ppp) { if ($realif == $ppp['if']) { - if (file_exists("{$g['varrun_path']}/{$ifcfg['ipaddr']}_{$interface}.pid")) { - killbypid("{$g['varrun_path']}/{$ifcfg['ipaddr']}_{$interface}.pid"); - sleep(5); + if (isset($ppp['ondemand']) && !$destroy){ + send_event("interface reconfigure {$interface}"); + break; + } + if (file_exists("{$g['varrun_path']}/{$ppp['type']}_{$interface}.pid")) { + killbypid("{$g['varrun_path']}/{$ppp['type']}_{$interface}.pid"); + sleep(2); } unlink_if_exists("{$g['varetc_path']}/mpd_{$interface}.conf"); - if (isset($ppp['ondemand']) && !$destroy) - send_event("interface reconfigure {$interface}"); break; } } @@ -893,7 +974,7 @@ function interface_bring_down($interface = "wan", $destroy = false) { case "dhcp": $pid = find_dhclient_process($realif); if($pid) - mwexec("kill {$pid}"); + mwexec("/bin/kill {$pid}"); sleep(1); unlink_if_exists("{$g['varetc_path']}/dhclient_{$interface}.conf"); if(does_interface_exist("$realif")) { @@ -1117,6 +1198,7 @@ function interface_ppps_configure($interface) { case "pppoe": /* Bring the parent interface up */ interfaces_bring_up($port); + pfSense_ngctl_attach(".", $port); break; case "pptp": case "l2tp": @@ -1147,6 +1229,7 @@ function interface_ppps_configure($interface) { log_error(sprintf(gettext('Could not get a PPTP/L2TP Remote IP address from %1$s for %2$s in interfaces_ppps_configure.'), $dhcp_gateway, $gway)); return 0; } + pfSense_ngctl_attach(".", $port); break; case "ppp": if (!file_exists("{$port}")) { @@ -1442,7 +1525,7 @@ EOD; conf_mount_ro(); } } - + /* fire up mpd */ mwexec("/usr/local/sbin/mpd5 -b -k -d {$g['varetc_path']} -f mpd_{$interface}.conf -p {$g['varrun_path']}/{$ppp['type']}_{$interface}.pid -s ppp {$ppp['type']}client"); @@ -1749,7 +1832,10 @@ function interface_carp_configure(&$vip) { get_interface_arr(true); $broadcast_address = gen_subnet_max($vip['subnet'], $vip['subnet_bits']); - mwexec("/sbin/ifconfig {$vipif} {$vip['subnet']}/{$vip['subnet_bits']} vhid {$vip['vhid']} advskew {$vip['advskew']} advbase {$vip['advbase']} {$password}"); + $advbase = ""; + if (!empty($vip['advbase'])) + $advbase = "advbase {$vip['advbase']}"; + mwexec("/sbin/ifconfig {$vipif} {$vip['subnet']}/{$vip['subnet_bits']} vhid {$vip['vhid']} advskew {$vip['advskew']} {$advbase} {$password}"); interfaces_bring_up($vipif); @@ -2387,7 +2473,7 @@ function find_dhclient_process($interface) { else $pid = 0; - return $pid; + return intval($pid); } function interface_configure($interface = "wan", $reloadall = false, $linkupevent = false) { @@ -2397,7 +2483,9 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven $wancfg = $config['interfaces'][$interface]; $realif = get_real_interface($interface); - $realhwif = interface_translate_type_to_real($interface); + $realhwif_array = get_parent_interface($interface); + // Need code to handle MLPPP if we ever use $realhwif for MLPPP handling + $realhwif = $realhwif_array[0]; if (!$g['booting']) { /* remove all IPv4 addresses */ @@ -2408,7 +2496,6 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven case 'l2tp': case 'pptp': case 'ppp': - interface_bring_down($interface, true); break; default: interface_bring_down($interface); @@ -2554,6 +2641,8 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven if(does_interface_exist($wancfg['if'])) interfaces_bring_up($wancfg['if']); + + interface_netgraph_needed($interface); if (!$g['booting']) { link_interface_to_vips($interface, "update"); @@ -2759,9 +2848,13 @@ function convert_real_interface_to_friendly_interface_name($interface = "wan") { if (stristr($interface, "_wlan0") && $config['interfaces'][$if]['if'] == interface_get_wireless_base($interface)) return $if; - $int = interface_translate_type_to_real($if); - if ($int == $interface) + // XXX: This case doesn't work anymore (segfaults - recursion?) - should be replaced with something else or just removed. + // Not to be replaced with get_real_interface - causes slow interface listings here because of recursion! + /* + $int = get_parent_interface($if); + if ($int[0] == $interface) return $ifname; + */ } return NULL; } @@ -2831,37 +2924,63 @@ function convert_real_interface_to_friendly_descr($interface) { } /* - * interface_translate_type_to_real($interface): - * returns the real hardware interface name for a friendly interface. ie: wan + * get_parent_interface($interface): + * --returns the (real or virtual) parent interface(s) array for a given interface friendly name (i.e. wan) + * or virtual interface (i.e. vlan) + * (We need array because MLPPP and bridge interfaces have more than one parent.) + * -- returns $interface passed in if $interface parent is not found + * -- returns empty array if an invalid interface is passed + * (Only handles ppps and vlans now.) */ -function interface_translate_type_to_real($interface) { - global $config; +function get_parent_interface($interface) { + global $config; - if (empty($config['interfaces'][$interface])) - return $interface; - $tmpif = $config['interfaces'][$interface]; - switch ($tmpif['type']) { - case "ppp": - case "pppoe": - case "pptp": - case "l2tp": - if (is_array($config['ppps']['ppp'])) { - foreach ($config['ppps']['ppp'] as $pppidx => $ppp) { - if ($tmpif['if'] == $ppp['if']) { - $interface = $ppp['ports']; - break; - } - } + $parents = array(); + //Check that we got a valid interface passed + $realif = get_real_interface($interface); + if ($realif == NULL) + return $parents; + + // If we got a real interface, find it's friendly assigned name + $interface = convert_real_interface_to_friendly_interface_name($interface); + + if (!empty($interface) && isset($config['interfaces'][$interface])) { + $ifcfg = $config['interfaces'][$interface]; + switch ($ifcfg['ipaddr']) { + case "ppp": + case "pppoe": + case "pptp": + case "l2tp": + if (empty($parents)) + if (is_array($config['ppps']['ppp'])) + foreach ($config['ppps']['ppp'] as $pppidx => $ppp) { + if ($ppp_if == $ppp['if']) { + $ports = explode(',', $ppp['ports']); + foreach ($ports as $pid => $parent_if) + $parents[$pid] = get_real_interface($parent_if); + break; + } + } + break; + case "dhcp": + case "static": + default: + // Handle _vlans + if (strstr($realif,"_vlan")) + if (is_array($config['vlans']['vlan'])) + foreach ($config['vlans']['vlan'] as $vlanidx => $vlan) + if ($ifcfg['if'] == $vlan['vlanif']){ + $parents[0] = $vlan['if']; + break; + } + break; } - break; - case "dhcp": - case "static": - default: - $interface = $tmpif['if']; - break; } - - return $interface; + + if (empty($parents)) + $parents[0] = $realif; + + return $parents; } function interface_is_wireless_clone($wlif) { @@ -3406,10 +3525,9 @@ function get_wireless_modes($interface) { /* return wireless modes and channels */ $wireless_modes = array(); - $wlif = interface_translate_type_to_real($interface); + $cloned_interface = get_real_interface($interface); - if(is_interface_wireless($wlif)) { - $cloned_interface = get_real_interface($interface); + if($cloned_interface && is_interface_wireless($cloned_interface)) { $chan_list = "/sbin/ifconfig {$cloned_interface} list chan"; $stack_list = "/usr/bin/awk -F\"Channel \" '{ gsub(/\\*/, \" \"); print \$2 \"\\\n\" \$3 }'"; $format_list = "/usr/bin/awk '{print \$5 \" \" \$6 \",\" \$1}'"; @@ -3452,10 +3570,9 @@ function get_wireless_modes($interface) { function get_wireless_channel_info($interface) { $wireless_channels = array(); - $wlif = interface_translate_type_to_real($interface); + $cloned_interface = get_real_interface($interface); - if(is_interface_wireless($wlif)) { - $cloned_interface = get_real_interface($interface); + if($cloned_interface && is_interface_wireless($cloned_interface)) { $chan_list = "/sbin/ifconfig {$cloned_interface} list txpower"; $stack_list = "/usr/bin/awk -F\"Channel \" '{ gsub(/\\*/, \" \"); print \$2 \"\\\n\" \$3 }'"; $format_list = "/usr/bin/awk '{print \$1 \",\" \$3 \" \" \$4 \",\" \$5 \",\" \$7}'"; diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc index 6637c72..109bf18 100644 --- a/etc/inc/ipsec.inc +++ b/etc/inc/ipsec.inc @@ -469,4 +469,21 @@ function ipsec_mobilekey_sort() { usort($config['ipsec']['mobilekey'], "mobilekeycmp"); } +function ipsec_get_number_of_phase2($ikeid) { + global $config; + $a_phase2 = $config['ipsec']['phase2']; + + $nbph2=0; + + if (is_array($a_phase2) && count($a_phase2)) { + foreach ($a_phase2 as $ph2tmp) { + if ($ph2tmp['ikeid'] == $ikeid) { + $nbph2++; + } + } + } + + return $nbph2; +} + ?> diff --git a/etc/inc/login_sasl_client.inc b/etc/inc/login_sasl_client.inc new file mode 100644 index 0000000..923d16e --- /dev/null +++ b/etc/inc/login_sasl_client.inc @@ -0,0 +1,69 @@ +<?php +/* + * login_sasl_client.php + * + * @(#) $Id: login_sasl_client.php,v 1.2 2004/11/17 08:00:37 mlemos Exp $ + * + */ + +define("SASL_LOGIN_STATE_START", 0); +define("SASL_LOGIN_STATE_IDENTIFY_USER", 1); +define("SASL_LOGIN_STATE_IDENTIFY_PASSWORD", 2); +define("SASL_LOGIN_STATE_DONE", 3); + +class login_sasl_client_class +{ + var $credentials=array(); + var $state=SASL_LOGIN_STATE_START; + + Function Initialize(&$client) + { + return(1); + } + + Function Start(&$client, &$message, &$interactions) + { + if($this->state!=SASL_LOGIN_STATE_START) + { + $client->error="LOGIN authentication state is not at the start"; + return(SASL_FAIL); + } + $this->credentials=array( + "user"=>"", + "password"=>"", + "realm"=>"" + ); + $defaults=array( + "realm"=>"" + ); + $status=$client->GetCredentials($this->credentials,$defaults,$interactions); + if($status==SASL_CONTINUE) + $this->state=SASL_LOGIN_STATE_IDENTIFY_USER; + Unset($message); + return($status); + } + + Function Step(&$client, $response, &$message, &$interactions) + { + switch($this->state) + { + case SASL_LOGIN_STATE_IDENTIFY_USER: + $message=$this->credentials["user"].(strlen($this->credentials["realm"]) ? "@".$this->credentials["realm"] : ""); + $this->state=SASL_LOGIN_STATE_IDENTIFY_PASSWORD; + break; + case SASL_LOGIN_STATE_IDENTIFY_PASSWORD: + $message=$this->credentials["password"]; + $this->state=SASL_LOGIN_STATE_DONE; + break; + case SASL_LOGIN_STATE_DONE: + $client->error="LOGIN authentication was finished without success"; + break; + default: + $client->error="invalid LOGIN authentication step state"; + return(SASL_FAIL); + } + return(SASL_CONTINUE); + } +}; + +?>
\ No newline at end of file diff --git a/etc/inc/notices.inc b/etc/inc/notices.inc index 6f410da..b0e95c5 100644 --- a/etc/inc/notices.inc +++ b/etc/inc/notices.inc @@ -283,6 +283,7 @@ function notify_via_smtp($message) { return; } + require_once("sasl.inc"); require_once("smtp.inc"); $smtp = new smtp_class; @@ -306,7 +307,7 @@ function notify_via_smtp($message) { if($config['notifications']['smtp']['username'] && $config['notifications']['smtp']['password']) { $smtp->authentication_mechanism = "PLAIN"; - $smtp->username = $config['notifications']['smtp']['username']; + $smtp->user = $config['notifications']['smtp']['username']; $smtp->password = $config['notifications']['smtp']['password']; } diff --git a/etc/inc/ntlm_sasl_client.inc b/etc/inc/ntlm_sasl_client.inc new file mode 100644 index 0000000..406edf2 --- /dev/null +++ b/etc/inc/ntlm_sasl_client.inc @@ -0,0 +1,180 @@ +<?php +/* + * ntlm_sasl_client.php + * + * @(#) $Id: ntlm_sasl_client.php,v 1.3 2004/11/17 08:00:37 mlemos Exp $ + * + */ + +define("SASL_NTLM_STATE_START", 0); +define("SASL_NTLM_STATE_IDENTIFY_DOMAIN", 1); +define("SASL_NTLM_STATE_RESPOND_CHALLENGE", 2); +define("SASL_NTLM_STATE_DONE", 3); + +class ntlm_sasl_client_class +{ + var $credentials=array(); + var $state=SASL_NTLM_STATE_START; + + Function Initialize(&$client) + { + if(!function_exists($function="mcrypt_encrypt") + || !function_exists($function="mhash")) + { + $extensions=array( + "mcrypt_encrypt"=>"mcrypt", + "mhash"=>"mhash" + ); + $client->error="the extension ".$extensions[$function]." required by the NTLM SASL client class is not available in this PHP configuration"; + return(0); + } + return(1); + } + + Function ASCIIToUnicode($ascii) + { + for($unicode="",$a=0;$a<strlen($ascii);$a++) + $unicode.=substr($ascii,$a,1).chr(0); + return($unicode); + } + + Function TypeMsg1($domain,$workstation) + { + $domain_length=strlen($domain); + $workstation_length=strlen($workstation); + $workstation_offset=32; + $domain_offset=$workstation_offset+$workstation_length; + return( + "NTLMSSP\0". + "\x01\x00\x00\x00". + "\x07\x32\x00\x00". + pack("v",$domain_length). + pack("v",$domain_length). + pack("V",$domain_offset). + pack("v",$workstation_length). + pack("v",$workstation_length). + pack("V",$workstation_offset). + $workstation. + $domain + ); + } + + Function NTLMResponse($challenge,$password) + { + $unicode=$this->ASCIIToUnicode($password); + $md4=mhash(MHASH_MD4,$unicode); + $padded=$md4.str_repeat(chr(0),21-strlen($md4)); + $iv_size=mcrypt_get_iv_size(MCRYPT_DES,MCRYPT_MODE_ECB); + $iv=mcrypt_create_iv($iv_size,MCRYPT_RAND); + for($response="",$third=0;$third<21;$third+=7) + { + for($packed="",$p=$third;$p<$third+7;$p++) + $packed.=str_pad(decbin(ord(substr($padded,$p,1))),8,"0",STR_PAD_LEFT); + for($key="",$p=0;$p<strlen($packed);$p+=7) + { + $s=substr($packed,$p,7); + $b=$s.((substr_count($s,"1") % 2) ? "0" : "1"); + $key.=chr(bindec($b)); + } + $ciphertext=mcrypt_encrypt(MCRYPT_DES,$key,$challenge,MCRYPT_MODE_ECB,$iv); + $response.=$ciphertext; + } + return $response; + } + + Function TypeMsg3($ntlm_response,$user,$domain,$workstation) + { + $domain_unicode=$this->ASCIIToUnicode($domain); + $domain_length=strlen($domain_unicode); + $domain_offset=64; + $user_unicode=$this->ASCIIToUnicode($user); + $user_length=strlen($user_unicode); + $user_offset=$domain_offset+$domain_length; + $workstation_unicode=$this->ASCIIToUnicode($workstation); + $workstation_length=strlen($workstation_unicode); + $workstation_offset=$user_offset+$user_length; + $lm=""; + $lm_length=strlen($lm); + $lm_offset=$workstation_offset+$workstation_length; + $ntlm=$ntlm_response; + $ntlm_length=strlen($ntlm); + $ntlm_offset=$lm_offset+$lm_length; + $session=""; + $session_length=strlen($session); + $session_offset=$ntlm_offset+$ntlm_length; + return( + "NTLMSSP\0". + "\x03\x00\x00\x00". + pack("v",$lm_length). + pack("v",$lm_length). + pack("V",$lm_offset). + pack("v",$ntlm_length). + pack("v",$ntlm_length). + pack("V",$ntlm_offset). + pack("v",$domain_length). + pack("v",$domain_length). + pack("V",$domain_offset). + pack("v",$user_length). + pack("v",$user_length). + pack("V",$user_offset). + pack("v",$workstation_length). + pack("v",$workstation_length). + pack("V",$workstation_offset). + pack("v",$session_length). + pack("v",$session_length). + pack("V",$session_offset). + "\x01\x02\x00\x00". + $domain_unicode. + $user_unicode. + $workstation_unicode. + $lm. + $ntlm + ); + } + + Function Start(&$client, &$message, &$interactions) + { + if($this->state!=SASL_NTLM_STATE_START) + { + $client->error="NTLM authentication state is not at the start"; + return(SASL_FAIL); + } + $this->credentials=array( + "user"=>"", + "password"=>"", + "realm"=>"", + "workstation"=>"" + ); + $defaults=array(); + $status=$client->GetCredentials($this->credentials,$defaults,$interactions); + if($status==SASL_CONTINUE) + $this->state=SASL_NTLM_STATE_IDENTIFY_DOMAIN; + Unset($message); + return($status); + } + + Function Step(&$client, $response, &$message, &$interactions) + { + switch($this->state) + { + case SASL_NTLM_STATE_IDENTIFY_DOMAIN: + $message=$this->TypeMsg1($this->credentials["realm"],$this->credentials["workstation"]); + $this->state=SASL_NTLM_STATE_RESPOND_CHALLENGE; + break; + case SASL_NTLM_STATE_RESPOND_CHALLENGE: + $ntlm_response=$this->NTLMResponse(substr($response,24,8),$this->credentials["password"]); + $message=$this->TypeMsg3($ntlm_response,$this->credentials["user"],$this->credentials["realm"],$this->credentials["workstation"]); + $this->state=SASL_NTLM_STATE_DONE; + break; + case SASL_NTLM_STATE_DONE: + $client->error="NTLM authentication was finished without success"; + return(SASL_FAIL); + default: + $client->error="invalid NTLM authentication step state"; + return(SASL_FAIL); + } + return(SASL_CONTINUE); + } +}; + +?>
\ No newline at end of file diff --git a/etc/inc/openvpn.auth-user.php b/etc/inc/openvpn.auth-user.php index 9ca76cf..35d79cd 100755 --- a/etc/inc/openvpn.auth-user.php +++ b/etc/inc/openvpn.auth-user.php @@ -127,4 +127,4 @@ syslog(LOG_WARNING, "user {$username} authenticated\n"); exit(0); -?> +?>
\ No newline at end of file diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc index 5dc0233..9101c04 100644 --- a/etc/inc/openvpn.inc +++ b/etc/inc/openvpn.inc @@ -172,6 +172,23 @@ function openvpn_get_cipherlist() { return $ciphers; } +function openvpn_get_engines() { + $openssl_engines = array('none' => 'No Hardware Crypto Acceleration'); + exec("/usr/bin/openssl engine", $openssl_engine_output); + foreach ($openssl_engine_output as $oeo) { + $linematch = array(); + preg_match("/\((.*)\)\s(.*)/", $oeo, $linematch); + if ($linematch[1] != "dynamic") + $openssl_engines[$linematch[1]] = $linematch[2]; + } + return $openssl_engines; +} + +function openvpn_validate_engine($engine) { + $engines = openvpn_get_engines(); + return array_key_exists($engine, $engines); +} + function openvpn_validate_host($value, $name) { $value = trim($value); if (empty($value) || (!is_domain($value) && !is_ipaddr($value))) @@ -261,7 +278,7 @@ function openvpn_add_keyfile(& $data, & $conf, $mode_id, $directive, $opt = "") $conf .= "{$directive} {$fpath} {$opt}\n"; } -function openvpn_reconfigure($mode,& $settings) { +function openvpn_reconfigure($mode, $settings) { global $g, $config; if (empty($settings)) @@ -343,6 +360,9 @@ function openvpn_reconfigure($mode,& $settings) { $conf .= "local {$iface_ip}\n"; } + if (openvpn_validate_engine($settings['engine']) && ($settings['engine'] != "none")) + $conf .= "engine {$settings['engine']}\n"; + // server specific settings if ($mode == 'server') { @@ -431,6 +451,8 @@ function openvpn_reconfigure($mode,& $settings) { $conf .= "client-to-client\n"; break; } + if (isset($settings['duplicate_cn'])) + $conf .= "duplicate-cn\n"; } // client specific settings @@ -514,7 +536,7 @@ function openvpn_reconfigure($mode,& $settings) { openvpn_add_keyfile($crl['text'], $conf, $mode_id, "crl-verify"); } if ($settings['tls']) { - if (stristr($settings['mode'], "server")) + if ($mode == "server") $tlsopt = 0; else $tlsopt = 1; @@ -549,7 +571,7 @@ function openvpn_reconfigure($mode,& $settings) { @chmod("{$g['varetc_path']}/openvpn/{$mode_id}.conf", 0600); } -function openvpn_restart($mode, & $settings) { +function openvpn_restart($mode, $settings) { global $g, $config; $vpnid = $settings['vpnid']; @@ -661,7 +683,7 @@ function openvpn_delete_csc(& $settings) { } // Resync the configuration and restart the VPN -function openvpn_resync($mode, & $settings) { +function openvpn_resync($mode, $settings) { openvpn_reconfigure($mode, $settings); openvpn_restart($mode, $settings); } @@ -696,9 +718,9 @@ function openvpn_resync_all($interface = "") { } */ if ($interface <> "") - log_error("Resyncing openvpn instances configurations for interface " . convert_friendly_interface_to_friendly_descr($interface) . "."); + log_error("Resyncing OpenVPN instances for interface " . convert_friendly_interface_to_friendly_descr($interface) . "."); else - log_error("Resyncing openvpn instances configurations."); + log_error("Resyncing OpenVPN instances."); if (is_array($config['openvpn']['openvpn-server'])) { foreach ($config['openvpn']['openvpn-server'] as & $settings) { diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index c5890d1..b6755c8 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc @@ -1458,17 +1458,35 @@ function read_header($ch, $string) { function read_body($ch, $string) { global $fout, $file_size, $downloaded, $sendto, $static_status, $static_output, $lastseen; + global $pkg_interface; $length = strlen($string); $downloaded += intval($length); - $downloadProgress = round(100 * (1 - $downloaded / $file_size), 0); - $downloadProgress = 100 - $downloadProgress; + if($file_size > 0) { + $downloadProgress = round(100 * (1 - $downloaded / $file_size), 0); + $downloadProgress = 100 - $downloadProgress; + } else + $downloadProgress = 0; if($lastseen <> $downloadProgress and $downloadProgress < 101) { if($sendto == "status") { + if($pkg_interface == "console") { + if(substr($downloadProgress,2,1) == "0" || count($downloadProgress) < 2) { + $tostatus = $static_status . $downloadProgress . "%"; + update_status($tostatus); + } + } else { $tostatus = $static_status . $downloadProgress . "%"; - update_status($tostatus); + update_status($tostatus); + } } else { + if($pkg_interface == "console") { + if(substr($downloadProgress,2,1) == "0" || count($downloadProgress) < 2) { + $tooutput = $static_output . $downloadProgress . "%"; + update_output_window($tooutput); + } + } else { $tooutput = $static_output . $downloadProgress . "%"; update_output_window($tooutput); + } } update_progress_bar($downloadProgress); $lastseen = $downloadProgress; @@ -1486,7 +1504,9 @@ function update_output_window($text) { global $pkg_interface; $log = ereg_replace("\n", "\\n", $text); if($pkg_interface != "console") { - echo "\n<script language=\"JavaScript\">this.document.forms[0].output.value = \"" . $log . "\";</script>"; + echo "\n<script language=\"JavaScript\">\nthis.document.forms[0].output.value = \"" . $log . "\";\n"; + echo "this.document.forms[0].output.scrollTop = this.document.forms[0].output.scrollHeight;\n"; + echo "</script>"; } /* ensure that contents are written out */ ob_flush(); diff --git a/etc/inc/pkg-utils.inc b/etc/inc/pkg-utils.inc index e7bcd15..eb54b6d 100644 --- a/etc/inc/pkg-utils.inc +++ b/etc/inc/pkg-utils.inc @@ -98,7 +98,7 @@ conf_mount_ro(); * ******/ function remove_freebsd_package($packagestring) { - exec("/usr/sbin/pkg_delete -x {$packagestring}"); + exec("/usr/sbin/pkg_delete -x {$packagestring} 2>>/tmp/pkg_delete_errors.txt"); } /****f* pkg-utils/is_package_installed @@ -191,28 +191,34 @@ function get_pkg_sizes($pkgs = 'all') { * This function may also print output to the terminal indicating progress. */ function resync_all_package_configs($show_message = false) { - global $config, $pkg_interface; + global $config, $pkg_interface, $g; log_error(gettext("Resyncing configuration for all packages.")); + if (!is_array($config['installedpackages']['package'])) return; + if($show_message == true) echo "Syncing packages:"; conf_mount_rw(); + foreach($config['installedpackages']['package'] as $idx => $package) { if (empty($package['name'])) continue; if($show_message == true) echo " " . $package['name']; get_pkg_depends($package['name'], "all"); - stop_service($package['name']); + if($g['booting'] != true) + stop_service($package['name']); sync_package($idx, true, true); if($pkg_interface == "console") echo "\n" . gettext("Syncing packages:"); } + if($show_message == true) echo " done.\n"; + @unlink("/conf/needs_package_sync"); conf_mount_ro(); } @@ -222,6 +228,8 @@ function resync_all_package_configs($show_message = false) { * package is installed. */ function is_freebsd_pkg_installed($pkg) { + if(!$pkg) + return; $output = ""; exec("/usr/sbin/pkg_info -E \"{$pkg}*\"", $output, $retval); @@ -303,6 +311,18 @@ function get_pkg_depends($pkg_name, $filetype = ".xml", $format = "files", $retu function uninstall_package($pkg_name) { global $config, $static_output; + global $builder_package_install; + + // Back up /usr/local/lib libraries first if + // not running from the builder code. + if(!$builder_package_install) { + if(!file_exists("/tmp/pkg_libs.tgz")) { + $static_output .= "Backing up libraries... "; + update_output_window($static_output); + exec("/usr/bin/tar czPf /tmp/pkg_libs.tgz `/bin/cat /etc/pfSense_md5.txt | /usr/bin/grep 'local/lib' | /usr/bin/awk '{ print $2 }' | /usr/bin/cut -d'(' -f2 | /usr/bin/cut -d')' -f1`"); + $static_output .= "\n"; + } + } $id = get_pkg_id($pkg_name); if ($id >= 0) { @@ -315,6 +335,15 @@ function uninstall_package($pkg_name) { } } delete_package_xml($pkg_name); + + // Restore libraries that we backed up if not + // running from the builder code. + if(!$builder_package_install) { + $static_output .= "Cleaning up... "; + update_output_window($static_output); + exec("/usr/bin/tar xzPfU /tmp/pkg_libs.tgz -C /"); + @unlink("/tmp/pkg_libs.tgz"); + } } function force_remove_package($pkg_name) { @@ -326,6 +355,12 @@ function force_remove_package($pkg_name) { */ function sync_package($pkg_name, $sync_depends = true, $show_message = false) { global $config, $config_parsed; + global $builder_package_install; + + // If this code is being called by pfspkg_installer + // which the builder system uses then return (ignore). + if($builder_package_install) + return; if(empty($config['installedpackages']['package'])) return; @@ -418,16 +453,16 @@ function pkg_fetch_recursive($pkgname, $filename, $dependlevel = 0, $base_url = $osname = php_uname("s"); $arch = php_uname("m"); - $rel = php_uname("r"); - $rel = substr($rel, 0, strrpos($rel, "-")); - $priv_url = "http://ftp2.{$osname}.org/pub/{$osname}/ports/{$arch}/packages-{$rel}/Latest"; + $rel = strtolower(php_uname("r")); + if (substr_count($rel, '-') > 1) + $rel = substr($rel, 0, strrpos($rel, "-")); + $priv_url = "http://ftp2.{$osname}.org/pub/{$osname}/ports/{$arch}/packages-{$rel}/All"; if (empty($base_url)) $base_url = $priv_url; if (substr($base_url, -1) == "/") $base_url = substr($base_url, 0, -1); - $static_output .= "\n" . str_repeat(" ", $dependlevel * 2) . $pkgname . " "; $fetchto = "{$g['tmp_path']}/apkg_{$filename}"; - $static_output .= "\n" . str_repeat(" ", $dependlevel * 2 + 1) . "Trying to download {$base_url}/{$filename} ... "; + $static_output .= "\n" . str_repeat(" ", $dependlevel * 2 + 1) . "Downloading {$base_url}/{$filename} ... "; if (download_file_with_progress_bar("{$base_url}/{$filename}", $fetchto) !== true) { if ($base_url != $priv_url && download_file_with_progress_bar("{$priv_url}/{$filename}", $fetchto) !== true) { $static_output .= " could not download from there or {$priv_url}/{$filename}.\n"; @@ -438,7 +473,7 @@ function pkg_fetch_recursive($pkgname, $filename, $dependlevel = 0, $base_url = update_output_window($static_output); return false; } else { - $static_output .= " downloaded from {$osname} repository instead of provided one.\n"; + $static_output .= " [{$osname} repository]\n"; update_output_window($static_output); } } @@ -459,8 +494,6 @@ function pkg_fetch_recursive($pkgname, $filename, $dependlevel = 0, $base_url = if (pkg_fetch_recursive($working_depend[1], $depend_filename, $dependlevel + 1, $base_url) == false) return false; } else { - //$dependlevel++; - $static_output .= "\n" . str_repeat(" ", $dependlevel * 2) . $working_depend[1] . " already installed."; pkg_debug($working_depend[1] . "\n"); } } @@ -505,7 +538,7 @@ function install_package($package, $pkg_info = "") { if($pkg_interface == "console") print "\n" . gettext("ERROR! Unable to fetch package configuration file. Aborting package installation.") . "\n"; else { - $static_output .= gettext("failed!\n\nInstallation aborted."); + $static_output .= gettext("failed!\n\nInstallation aborted.\n"); update_output_window($static_output); echo "<br>Show <a href=\"pkg_mgr_install.php?showlog=true\">install log</a></center>"; } @@ -528,9 +561,10 @@ function install_package($package, $pkg_info = "") { $changedesc = sprintf(gettext("Overwrote previous installation of %s."), $pkg_info['name']); $to_output = gettext("overwrite!") . "\n"; } - /* XXX: Fix inclusion of config.inc that causes data loss! */ + if(file_exists('/conf/needs_package_sync')) + @unlink('/conf/needs_package_sync'); conf_mount_ro(); - write_config(); + write_config("Intermediate config write during package install for {$pkg_info['name']}."); $static_output .= $to_output; update_output_window($static_output); /* install other package components */ @@ -620,18 +654,18 @@ function install_package_xml($pkg) { } $configfile = substr(strrchr($pkg_info['config_file'], '/'), 1); if(file_exists("/usr/local/pkg/" . $configfile)) { - $static_output .= "\n" . gettext("Loading package configuration... "); + $static_output .= gettext("Loading package configuration... "); update_output_window($static_output); $pkg_config = parse_xml_config_pkg("/usr/local/pkg/" . $configfile, "packagegui"); $static_output .= gettext("done.") . "\n"; update_output_window($static_output); - $static_output .= "\t" . gettext("Configuring package components...") . "\n"; + $static_output .= gettext("Configuring package components...\n"); if (!empty($pkg_config['filter_rules_needed'])) $config['installedpackages']['package'][$pkgid]['filter_rule_function'] = $pkg_config['filter_rules_needed']; update_output_window($static_output); /* modify system files */ if(is_array($pkg_config['modify_system']) && is_array($pkg_config['modify_system']['item'])) { - $static_output .= "\t" . gettext("System files... "); + $static_output .= gettext("System files... "); update_output_window($static_output); foreach($pkg_config['modify_system']['item'] as $ms) { if($ms['textneeded']) { @@ -643,7 +677,7 @@ function install_package_xml($pkg) { } /* download additional files */ if(is_array($pkg_config['additional_files_needed'])) { - $static_output .= "\t" . gettext("Additional files... "); + $static_output .= gettext("Additional files... "); $static_orig = $static_output; update_output_window($static_output); foreach($pkg_config['additional_files_needed'] as $afn) { @@ -661,7 +695,7 @@ function install_package_xml($pkg) { if(!is_dir($prefix)) safe_mkdir($prefix); $static_output .= $filename . " "; - update_output_window($static_output); + update_output_window($static_output); if (download_file_with_progress_bar($afn['item'][0], $prefix . $filename) !== true) { $static_output .= "failed.\n"; update_output_window($static_output); @@ -697,7 +731,7 @@ function install_package_xml($pkg) { require_once($pkg_config['include_file']); else { $missing_include = true; - $static_output .= "\tInclude " . basename($pkg_config['include_file']) . " is missing!\n"; + $static_output .= "Include " . basename($pkg_config['include_file']) . " is missing!\n"; update_output_window($static_output); /* XXX: Should undo the steps before this?! */ return false; @@ -705,7 +739,7 @@ function install_package_xml($pkg) { } /* sidebar items */ if(is_array($pkg_config['menu'])) { - $static_output .= "\t" . gettext("Menu items... "); + $static_output .= gettext("Menu items... "); update_output_window($static_output); foreach($pkg_config['menu'] as $menu) { if(is_array($config['installedpackages']['menu'])) @@ -719,7 +753,7 @@ function install_package_xml($pkg) { } /* integrated tab items */ if(is_array($pkg_config['tabs']['tab'])) { - $static_output .= "\t" . gettext("Integrated Tab items... "); + $static_output .= gettext("Integrated Tab items... "); update_output_window($static_output); foreach($pkg_config['tabs']['tab'] as $tab) { if(is_array($config['installedpackages']['tab'])) @@ -733,7 +767,7 @@ function install_package_xml($pkg) { } /* services */ if(is_array($pkg_config['service'])) { - $static_output .= "\t" . gettext("Services... "); + $static_output .= gettext("Services... "); update_output_window($static_output); foreach($pkg_config['service'] as $service) { if(is_array($config['installedpackages']['service'])) @@ -750,21 +784,21 @@ function install_package_xml($pkg) { update_output_window($static_output); if ($missing_include == false) { if($pkg_config['custom_php_global_functions'] <> "") { - $static_output .= "\t" . gettext("Executing custom_php_global_functions()..."); + $static_output .= gettext("Executing custom_php_global_functions()..."); update_output_window($static_output); eval_once($pkg_config['custom_php_global_functions']); $static_output .= gettext("done.") . "\n"; update_output_window($static_output); } if($pkg_config['custom_php_install_command']) { - $static_output .= "\t" . gettext("Executing custom_php_install_command()..."); + $static_output .= gettext("Executing custom_php_install_command()..."); update_output_window($static_output); eval_once($pkg_config['custom_php_install_command']); $static_output .= gettext("done.") . "\n"; update_output_window($static_output); } if($pkg_config['custom_php_resync_config_command'] <> "") { - $static_output .= "\t" . gettext("Executing custom_php_resync_config_command()..."); + $static_output .= gettext("Executing custom_php_resync_config_command()..."); update_output_window($static_output); eval_once($pkg_config['custom_php_resync_config_command']); $static_output .= gettext("done.") . "\n"; @@ -795,31 +829,54 @@ function install_package_xml($pkg) { return true; } +function does_package_depend($pkg) { + // Should not happen, but just in case. + if(!$pkg) + return; + $pkg_var_db_dir = glob("/var/db/pkg/{$pkg}*"); + // If this package has dependency then return true + foreach($pkg_var_db_dir as $pvdd) { + if (file_exists("{$vardb}/{$pvdd}/+REQUIRED_BY") && count(file("{$vardb}/{$pvdd}/+REQUIRED_BY")) > 0) + return true; + } + // Did not find a record of dependencies, so return false. + return false; +} + function delete_package($pkg) { global $config, $g, $static_output, $vardb; - $pkg = substr(reverse_strrchr($pkg, "."), 0, -1); + if(!$pkg) + return; + $pkg = substr(reverse_strrchr($pkg, "."), 0, -1); - if (file_exists("{$vardb}/{$pkg}/+REQUIRED_BY") && count(file("{$vardb}/{$pkg}/+REQUIRED_BY")) > 0) { - $static_output .= "\t" . sprintf(gettext("Skipping package deletion for %s because it is required by other packages."), $pkg) . "\n"; + // If package has dependencies then skip it + if(does_package_depend($pkg)) { + $static_output .= sprintf(gettext("Skipping package deletion for %s because it is a dependency."),$pkg) . "\n"; update_output_window($static_output); - return; + return; } else { if($pkg) - $static_output .= "\t" . sprintf(gettext("Starting package deletion for %s..."), $pkg); - update_output_window($static_output); + $static_output .= sprintf(gettext("Starting package deletion for %s..."),$pkg); + update_output_window($static_output); } + $info = ""; exec("/usr/sbin/pkg_info -qrx {$pkg}", $info); remove_freebsd_package($pkg); $static_output .= "done.\n"; update_output_window($static_output); foreach($info as $line) { - $depend = trim(str_replace("@pkgdep", "", $line), " \n"); - delete_package($depend); + $depend = trim(str_replace("@pkgdep ", "", $line), " \n"); + // If package has dependencies then skip it + if(!does_package_depend($depend)) + delete_package($depend); } + /* Rescan directories for what has been left and avoid fooling other programs. */ + mwexec("/sbin/ldconfig"); + return; } @@ -854,7 +911,7 @@ function delete_package_xml($pkg) { $pkg_config = parse_xml_config_pkg("/usr/local/pkg/" . $packages[$pkgid]['configurationfile'], "packagegui"); /* remove tab items */ if(is_array($pkg_config['tabs'])) { - $static_output .= "\t" . gettext("Tabs items... "); + $static_output .= gettext("Tabs items... "); update_output_window($static_output); if(is_array($pkg_config['tabs']['tab']) && is_array($tabs)) { foreach($pkg_config['tabs']['tab'] as $tab) { @@ -871,7 +928,7 @@ function delete_package_xml($pkg) { } /* remove menu items */ if(is_array($pkg_config['menu'])) { - $static_output .= "\t" . gettext("Menu items... "); + $static_output .= gettext("Menu items... "); update_output_window($static_output); if (is_array($pkg_config['menu']) && is_array($menus)) { foreach($pkg_config['menu'] as $menu) { @@ -888,13 +945,14 @@ function delete_package_xml($pkg) { } /* remove services */ if(is_array($pkg_config['service'])) { - $static_output .= "\t" . gettext("Services... "); + $static_output .= gettext("Services... "); update_output_window($static_output); if (is_array($pkg_config['service']) && is_array($services)) { foreach($pkg_config['service'] as $service) { foreach($services as $key => $instservice) { if($instservice['name'] == $service['name']) { - stop_service($service['name']); + if($g['booting'] != true) + stop_service($service['name']); unset($services[$key]); } } @@ -907,7 +965,7 @@ function delete_package_xml($pkg) { * XXX: Otherwise inclusion of config.inc again invalidates actions taken. * Same is done during installation. */ - write_config(); + write_config("Intermediate config write during package removal for {$pkg}."); /* * If a require exists, include it. this will @@ -924,7 +982,7 @@ function delete_package_xml($pkg) { else { $missing_include = true; update_output_window($static_output); - $static_output .= "\tInclude file " . basename($pkg_config['include_file']) . " could not be found for inclusion.\n"; + $static_output .= "Include file " . basename($pkg_config['include_file']) . " could not be found for inclusion.\n"; } } /* ermal @@ -940,7 +998,7 @@ function delete_package_xml($pkg) { } /* system files */ if(is_array($pkg_config['modify_system']) && is_array($pkg_config['modify_system']['item'])) { - $static_output .= "\t" . gettext("System files... "); + $static_output .= gettext("System files... "); update_output_window($static_output); foreach($pkg_config['modify_system']['item'] as $ms) if($ms['textneeded']) remove_text_from_file($ms['modifyfilename'], $ms['textneeded']); @@ -950,27 +1008,26 @@ function delete_package_xml($pkg) { } /* deinstall commands */ if($pkg_config['custom_php_deinstall_command'] <> "") { - $static_output .= "\t" . gettext("Deinstall commands... "); + $static_output .= gettext("Deinstall commands... "); update_output_window($static_output); if ($missing_include == false) { eval_once($pkg_config['custom_php_deinstall_command']); $static_output .= gettext("done.") . "\n"; } else - $static_output .= "\n\t" . gettext("Not executing custom deinstall hook because an include is missing.") . "\n"; + $static_output .= "\nNot executing custom deinstall hook because an include is missing.\n"; update_output_window($static_output); } if($pkg_config['include_file'] <> "") { - $static_output .= "\t" . gettext("Removing package instructions..."); - update_output_window($static_output); + $static_output .= gettext("Removing package instructions..."); + update_output_window($static_output); pkg_debug(sprintf(gettext("Remove '%s'"), $pkg_config['include_file']) . "\n"); - unlink_if_exists("/usr/local/pkg/" . $pkg_config['include_file']); - $static_output .= "done.\n"; - update_output_window($static_output); - - } + unlink_if_exists("/usr/local/pkg/" . $pkg_config['include_file']); + $static_output .= gettext("done.") . "\n"; + update_output_window($static_output); + } /* remove all additional files */ if(is_array($pkg_config['additional_files_needed'])) { - $static_output .= "\t" . gettext("Auxiliary files... "); + $static_output .= gettext("Auxiliary files... "); update_output_window($static_output); foreach($pkg_config['additional_files_needed'] as $afn) { $filename = get_filename_from_url($afn['item'][0]); @@ -978,14 +1035,13 @@ function delete_package_xml($pkg) { $prefix = $afn['prefix']; else $prefix = "/usr/local/pkg/"; - unlink_if_exists($prefix . $filename); } $static_output .= gettext("done.") . "\n"; update_output_window($static_output); } /* package XML file */ - $static_output .= "\t" . gettext("Package XML... "); + $static_output .= gettext("Package XML... "); update_output_window($static_output); unlink_if_exists("/usr/local/pkg/" . $packages[$pkgid]['configurationfile']); $static_output .= gettext("done.") . "\n"; @@ -993,7 +1049,7 @@ function delete_package_xml($pkg) { } /* syslog */ if(is_array($pkg_info['logging']) && $pkg_info['logging']['logfile_name'] <> "") { - $static_output .= "\tSyslog entries... "; + $static_output .= "Syslog entries... "; update_output_window($static_output); remove_text_from_file("/etc/syslog.conf", $pkg_info['logging']['facilityname'] . "\t\t\t\t" . $pkg_info['logging']['logfilename']); system_syslogd_start(); @@ -1001,9 +1057,10 @@ function delete_package_xml($pkg) { $static_output .= "done.\n"; update_output_window($static_output); } + conf_mount_ro(); /* remove config.xml entries */ - $static_output .= "\t" . gettext("Configuration... "); + $static_output .= gettext("Configuration... "); update_output_window($static_output); unset($config['installedpackages']['package'][$pkgid]); $static_output .= gettext("done.") . "\n"; @@ -1081,4 +1138,33 @@ function squash_from_bytes($size, $round = "") { return; } +function pkg_reinstall_all() { + global $g, $config; + $pkg_id = 0; + $todo = array(); + if (is_array($config['installedpackages']['package'])) + foreach($config['installedpackages']['package'] as $package) + $todo[] = array('name' => $package['name'], 'version' => $package['version']); + echo "One moment please, reinstalling packages...\n"; + echo " >>> Trying to fetch package info..."; + $pkg_info = get_pkg_info(); + if ($pkg_info) { + echo " Done.\n"; + } else { + $xmlrpc_base_url = isset($config['system']['altpkgrepo']['enable']) ? $config['system']['altpkgrepo']['xmlrpcbaseurl'] : $g['xmlrpcbaseurl']; + echo "\n" . sprintf(gettext(' >>> Unable to communicate with %1$s. Please verify DNS and interface configuration, and that %2$s has functional Internet connectivity.'), $xmlrpc_base_url, $g['product_name']) . "\n"; + return; + } + if(is_array($todo)) { + foreach($todo as $pkgtodo) { + $static_output = ""; + if($pkgtodo['name']) { + uninstall_package($pkgtodo['name']); + install_package($pkgtodo['name']); + $pkg_id++; + } + } + } +} + ?> diff --git a/etc/inc/plain_sasl_client.inc b/etc/inc/plain_sasl_client.inc new file mode 100644 index 0000000..c7feed0 --- /dev/null +++ b/etc/inc/plain_sasl_client.inc @@ -0,0 +1,99 @@ +<?php +/* + * plain_sasl_client.php + * + * @(#) $Id: plain_sasl_client.php,v 1.2 2004/11/17 08:00:37 mlemos Exp $ + * + */ + +define("SASL_PLAIN_STATE_START", 0); +define("SASL_PLAIN_STATE_IDENTIFY", 1); +define("SASL_PLAIN_STATE_DONE", 2); + +define("SASL_PLAIN_DEFAULT_MODE", 0); +define("SASL_PLAIN_EXIM_MODE", 1); +define("SASL_PLAIN_EXIM_DOCUMENTATION_MODE", 2); + +class plain_sasl_client_class +{ + var $credentials=array(); + var $state=SASL_PLAIN_STATE_START; + + Function Initialize(&$client) + { + return(1); + } + + Function Start(&$client, &$message, &$interactions) + { + if($this->state!=SASL_PLAIN_STATE_START) + { + $client->error="PLAIN authentication state is not at the start"; + return(SASL_FAIL); + } + $this->credentials=array( + "user"=>"", + "password"=>"", + "realm"=>"", + "mode"=>"" + ); + $defaults=array( + "realm"=>"", + "mode"=>"" + ); + $status=$client->GetCredentials($this->credentials,$defaults,$interactions); + if($status==SASL_CONTINUE) + { + switch($this->credentials["mode"]) + { + case SASL_PLAIN_EXIM_MODE: + $message=$this->credentials["user"]."\0".$this->credentials["password"]."\0"; + break; + case SASL_PLAIN_EXIM_DOCUMENTATION_MODE: + $message="\0".$this->credentials["user"]."\0".$this->credentials["password"]; + break; + default: + $message=$this->credentials["user"]."\0".$this->credentials["user"].(strlen($this->credentials["realm"]) ? "@".$this->credentials["realm"] : "")."\0".$this->credentials["password"]; + break; + } + $this->state=SASL_PLAIN_STATE_DONE; + } + else + Unset($message); + return($status); + } + + Function Step(&$client, $response, &$message, &$interactions) + { + switch($this->state) + { +/* + case SASL_PLAIN_STATE_IDENTIFY: + switch($this->credentials["mode"]) + { + case SASL_PLAIN_EXIM_MODE: + $message=$this->credentials["user"]."\0".$this->credentials["password"]."\0"; + break; + case SASL_PLAIN_EXIM_DOCUMENTATION_MODE: + $message="\0".$this->credentials["user"]."\0".$this->credentials["password"]; + break; + default: + $message=$this->credentials["user"]."\0".$this->credentials["user"].(strlen($this->credentials["realm"]) ? "@".$this->credentials["realm"] : "")."\0".$this->credentials["password"]; + break; + } + var_dump($message); + $this->state=SASL_PLAIN_STATE_DONE; + break; +*/ + case SASL_PLAIN_STATE_DONE: + $client->error="PLAIN authentication was finished without success"; + return(SASL_FAIL); + default: + $client->error="invalid PLAIN authentication step state"; + return(SASL_FAIL); + } + return(SASL_CONTINUE); + } +}; + +?>
\ No newline at end of file diff --git a/etc/inc/rrd.inc b/etc/inc/rrd.inc index 365ba9f..e928fc8 100644 --- a/etc/inc/rrd.inc +++ b/etc/inc/rrd.inc @@ -175,6 +175,8 @@ function enable_rrd_graphing() { $mem = "-memory.rrd"; $cellular = "-cellular.rrd"; $vpnusers = "-vpnusers.rrd"; + $captiveportalconcurrent = "-concurrent.rrd"; + $captiveportalloggedin = "-loggedin.rrd"; $rrdtool = "/usr/bin/nice -n20 /usr/local/bin/rrdtool"; $netstat = "/usr/bin/netstat"; @@ -186,6 +188,7 @@ function enable_rrd_graphing() { $top = "/usr/bin/top"; $spamd_gather = "/usr/local/bin/spamd_gather_stats.php"; $ifconfig = "/sbin/ifconfig"; + $captiveportal_gather = "/usr/local/bin/captiveportal_gather_stats.php"; $rrdtrafficinterval = 60; $rrdwirelessinterval = 60; @@ -199,6 +202,7 @@ function enable_rrd_graphing() { $rrdmeminterval = 60; $rrdcellularinterval = 60; $rrdvpninterval = 60; + $rrdcaptiveportalinterval = 60; $trafficvalid = $rrdtrafficinterval * 2; $wirelessvalid = $rrdwirelessinterval * 2; @@ -212,6 +216,7 @@ function enable_rrd_graphing() { $memvalid = $rrdmeminterval * 2; $cellularvalid = $rrdcellularinterval * 2; $vpnvalid = $rrdvpninterval * 2; + $captiveportalvalid = $rrdcaptiveportalinterval * 2; /* Asume GigE for now */ $downstream = 125000000; @@ -602,7 +607,7 @@ function enable_rrd_graphing() { /* SPAMD, set up the spamd rrd file */ if (isset($config['installedpackages']['spamdsettings']) && - isset ($config['installedpackages']['spamdsettings']['config'][0]['enablerrd'])) { + $config['installedpackages']['spamdsettings']['config'][0]['enablerrd']) { /* set up the spamd rrd file */ if (!file_exists("$rrddbpath$ifname$spamd")) { $rrdcreate = "$rrdtool create $rrddbpath$ifname$spamd --step $rrdspamdinterval "; @@ -660,6 +665,78 @@ function enable_rrd_graphing() { $rrdupdatesh .= "else $rrdtool update $rrddbpath$ifname$cellular N:U:U; fi\n"; } + /* Captive Portal statistics, set up the rrd file */ + if(isset($config['captiveportal']['enable'])) { + $ifname= "captiveportal"; + if (!file_exists("$rrddbpath$ifname$captiveportal")) { + $rrdcreate = "$rrdtool create $rrddbpath$ifname$captiveportalconcurrent --step $rrdcaptiveportalinterval "; + $rrdcreate .= "DS:concurrentusers:GAUGE:$captiveportalvalid:0:10000 "; + $rrdcreate .= "RRA:AVERAGE:0.5:1:1000 "; + $rrdcreate .= "RRA:AVERAGE:0.5:5:1000 "; + $rrdcreate .= "RRA:AVERAGE:0.5:60:1000 "; + $rrdcreate .= "RRA:AVERAGE:0.5:720:3000 "; + $rrdcreate .= "RRA:MIN:0.5:1:1000 "; + $rrdcreate .= "RRA:MIN:0.5:5:1000 "; + $rrdcreate .= "RRA:MIN:0.5:60:1000 "; + $rrdcreate .= "RRA:MIN:0.5:720:3000 "; + $rrdcreate .= "RRA:MAX:0.5:1:1000 "; + $rrdcreate .= "RRA:MAX:0.5:5:1000 "; + $rrdcreate .= "RRA:MAX:0.5:60:1000 "; + $rrdcreate .= "RRA:MAX:0.5:720:3000 "; + $rrdcreate .= "RRA:LAST:0.5:1:1000 "; + $rrdcreate .= "RRA:LAST:0.5:5:1000 "; + $rrdcreate .= "RRA:LAST:0.5:60:1000 "; + $rrdcreate .= "RRA:LAST:0.5:720:3000 "; + + create_new_rrd($rrdcreate); + } + + /* enter UNKNOWN values in the RRD so it knows we rebooted. */ + if($g['booting']) { + mwexec("$rrdtool update $rrddbpath$ifname$captiveportalconcurrent N:U"); + } + + /* the Captive Portal stats gathering function. */ + $rrdupdatesh .= "\n"; + $rrdupdatesh .= "# polling Captive Portal for number of concurrent users\n"; + $rrdupdatesh .= "$rrdtool update $rrddbpath$ifname$captiveportalconcurrent \\\n"; + $rrdupdatesh .= "`$php -q $captiveportal_gather concurrent`\n"; + + $ifname= "captiveportal"; + if (!file_exists("$rrddbpath$ifname$captiveportal")) { + $rrdcreate = "$rrdtool create $rrddbpath$ifname$captiveportalloggedin --step $rrdcaptiveportalinterval "; + $rrdcreate .= "DS:loggedinusers:GAUGE:$captiveportalvalid:0:10000 "; + $rrdcreate .= "RRA:AVERAGE:0.5:1:1000 "; + $rrdcreate .= "RRA:AVERAGE:0.5:5:1000 "; + $rrdcreate .= "RRA:AVERAGE:0.5:60:1000 "; + $rrdcreate .= "RRA:AVERAGE:0.5:720:3000 "; + $rrdcreate .= "RRA:MIN:0.5:1:1000 "; + $rrdcreate .= "RRA:MIN:0.5:5:1000 "; + $rrdcreate .= "RRA:MIN:0.5:60:1000 "; + $rrdcreate .= "RRA:MIN:0.5:720:3000 "; + $rrdcreate .= "RRA:MAX:0.5:1:1000 "; + $rrdcreate .= "RRA:MAX:0.5:5:1000 "; + $rrdcreate .= "RRA:MAX:0.5:60:1000 "; + $rrdcreate .= "RRA:MAX:0.5:720:3000 "; + $rrdcreate .= "RRA:LAST:0.5:1:1000 "; + $rrdcreate .= "RRA:LAST:0.5:5:1000 "; + $rrdcreate .= "RRA:LAST:0.5:60:1000 "; + $rrdcreate .= "RRA:LAST:0.5:720:3000 "; + + create_new_rrd($rrdcreate); + } + + /* enter UNKNOWN values in the RRD so it knows we rebooted. */ + if($g['booting']) { + mwexec("$rrdtool update $rrddbpath$ifname$captiveportalloggedin N:U"); + } + + /* the Captive Portal stats gathering function. */ + $rrdupdatesh .= "\n"; + $rrdupdatesh .= "# polling Captive Portal for number of logged in users and concurrent users\n"; + $rrdupdatesh .= "$rrdtool update $rrddbpath$ifname$captiveportalloggedin \\\n"; + $rrdupdatesh .= "`$php -q $captiveportal_gather loggedin`\n"; + } $rrdupdatesh .= "sleep 60\n"; $rrdupdatesh .= "done\n"; diff --git a/etc/inc/sasl.inc b/etc/inc/sasl.inc new file mode 100644 index 0000000..d64442e --- /dev/null +++ b/etc/inc/sasl.inc @@ -0,0 +1,422 @@ +<?php +/* + * sasl.php + * + * @(#) $Id: sasl.php,v 1.11 2005/10/31 18:43:27 mlemos Exp $ + * + */ + +define("SASL_INTERACT", 2); +define("SASL_CONTINUE", 1); +define("SASL_OK", 0); +define("SASL_FAIL", -1); +define("SASL_NOMECH", -4); + +class sasl_interact_class +{ + var $id; + var $challenge; + var $prompt; + var $default_result; + var $result; +}; + +/* +{metadocument}<?xml version="1.0" encoding="ISO-8859-1" ?> +<class> + + <package>net.manuellemos.sasl</package> + + <version>@(#) $Id: sasl.php,v 1.11 2005/10/31 18:43:27 mlemos Exp $</version> + <copyright>Copyright © (C) Manuel Lemos 2004</copyright> + <title>Simple Authentication and Security Layer client</title> + <author>Manuel Lemos</author> + <authoraddress>mlemos-at-acm.org</authoraddress> + + <documentation> + <idiom>en</idiom> + <purpose>Provide a common interface to plug-in driver classes that + implement different mechanisms for authentication used by clients of + standard protocols like SMTP, POP3, IMAP, HTTP, etc.. Currently the + supported authentication mechanisms are: <tt>PLAIN</tt>, + <tt>LOGIN</tt>, <tt>CRAM-MD5</tt>, <tt>Digest</tt> and <tt>NTML</tt> + (Windows or Samba).</purpose> + <usage>.</usage> + </documentation> + +{/metadocument} +*/ + +class sasl_client_class +{ + /* Public variables */ + +/* +{metadocument} + <variable> + <name>error</name> + <type>STRING</type> + <value></value> + <documentation> + <purpose>Store the message that is returned when an error + occurs.</purpose> + <usage>Check this variable to understand what happened when a call to + any of the class functions has failed.<paragraphbreak /> + This class uses cumulative error handling. This means that if one + class functions that may fail is called and this variable was + already set to an error message due to a failure in a previous call + to the same or other function, the function will also fail and does + not do anything.<paragraphbreak /> + This allows programs using this class to safely call several + functions that may fail and only check the failure condition after + the last function call.<paragraphbreak /> + Just set this variable to an empty string to clear the error + condition.</usage> + </documentation> + </variable> +{/metadocument} +*/ + var $error=''; + +/* +{metadocument} + <variable> + <name>mechanism</name> + <type>STRING</type> + <value></value> + <documentation> + <purpose>Store the name of the mechanism that was selected during the + call to the <functionlink>Start</functionlink> function.</purpose> + <usage>You can access this variable but do not change it.</usage> + </documentation> + </variable> +{/metadocument} +*/ + var $mechanism=''; + +/* +{metadocument} + <variable> + <name>encode_response</name> + <type>BOOLEAN</type> + <value>1</value> + <documentation> + <purpose>Let the drivers inform the applications whether responses + need to be encoded.</purpose> + <usage>Applications should check this variable before sending + authentication responses to the server to determine if the + responses need to be encoded, eventually with base64 algorithm.</usage> + </documentation> + </variable> +{/metadocument} +*/ + var $encode_response=1; + + /* Private variables */ + + var $driver; + var $drivers=array( + "Digest" => array("digest_sasl_client_class", "digest_sasl_client.inc" ), + "CRAM-MD5" => array("cram_md5_sasl_client_class", "cram_md5_sasl_client.inc" ), + "LOGIN" => array("login_sasl_client_class", "login_sasl_client.inc" ), + "NTLM" => array("ntlm_sasl_client_class", "ntlm_sasl_client.inc" ), + "PLAIN" => array("plain_sasl_client_class", "plain_sasl_client.inc" ), + "Basic" => array("basic_sasl_client_class", "basic_sasl_client.inc" ) + ); + var $credentials=array(); + + /* Public functions */ + +/* +{metadocument} + <function> + <name>SetCredential</name> + <type>VOID</type> + <documentation> + <purpose>Store the value of a credential that may be used by any of + the supported mechanisms to process the authentication messages and + responses.</purpose> + <usage>Call this function before starting the authentication dialog + to pass all the credential values that be needed to use the type + of authentication that the applications may need.</usage> + <returnvalue>.</returnvalue> + </documentation> + <argument> + <name>key</name> + <type>STRING</type> + <documentation> + <purpose>Specify the name of the credential key.</purpose> + </documentation> + </argument> + <argument> + <name>value</name> + <type>STRING</type> + <documentation> + <purpose>Specify the value for the credential.</purpose> + </documentation> + </argument> + <do> +{/metadocument} +*/ + Function SetCredential($key,$value) + { + $this->credentials[$key]=$value; + } +/* +{metadocument} + </do> + </function> +{/metadocument} +*/ + +/* +{metadocument} + <function> + <name>GetCredentials</name> + <type>INTEGER</type> + <documentation> + <purpose>Retrieve the values of one or more credentials to be used by + the authentication mechanism classes.</purpose> + <usage>This is meant to be used by authentication mechanism driver + classes to retrieve the credentials that may be neede.</usage> + <returnvalue>The function may return <tt>SASL_CONTINUE</tt> if it + succeeded, or <tt>SASL_NOMECH</tt> if it was not possible to + retrieve one of the requested credentials.</returnvalue> + </documentation> + <argument> + <name>credentials</name> + <type>HASH</type> + <documentation> + <purpose>Reference to an associative array variable with all the + credentials that are being requested. The function initializes + this associative array values.</purpose> + </documentation> + </argument> + <argument> + <name>defaults</name> + <type>HASH</type> + <documentation> + <purpose>Associative arrays with default values for credentials + that may have not been defined.</purpose> + </documentation> + </argument> + <argument> + <name>interactions</name> + <type>ARRAY</type> + <documentation> + <purpose>Not yet in use. It is meant to provide context + information to retrieve credentials that may be obtained + interacting with the user.</purpose> + </documentation> + </argument> + <do> +{/metadocument} +*/ + Function GetCredentials(&$credentials,$defaults,&$interactions) + { + Reset($credentials); + $end=(GetType($key=Key($credentials))!="string"); + for(;!$end;) + { + if(!IsSet($this->credentials[$key])) + { + if(IsSet($defaults[$key])) + $credentials[$key]=$defaults[$key]; + else + { + $this->error="the requested credential ".$key." is not defined"; + return(SASL_NOMECH); + } + } + else + $credentials[$key]=$this->credentials[$key]; + Next($credentials); + $end=(GetType($key=Key($credentials))!="string"); + } + return(SASL_CONTINUE); + } +/* +{metadocument} + </do> + </function> +{/metadocument} +*/ + +/* +{metadocument} + <function> + <name>Start</name> + <type>INTEGER</type> + <documentation> + <purpose>Process the initial authentication step initializing the + driver class that implements the first of the list of requested + mechanisms that is supported by this SASL client library + implementation.</purpose> + <usage>Call this function specifying a list of mechanisms that the + server supports. If the <argumentlink> + <argument>message</argument> + <function>Start</function> + </argumentlink> argument returns a string, it should be sent to + the server as initial message. Check the + <variablelink>encode_response</variablelink> variable to determine + whether the initial message needs to be encoded, eventually with + base64 algorithm, before it is sent to the server.</usage> + <returnvalue>The function may return <tt>SASL_CONTINUE</tt> if it + could start one of the requested authentication mechanisms. It + may return <tt>SASL_NOMECH</tt> if it was not possible to start + any of the requested mechanisms. It returns <tt>SASL_FAIL</tt> or + other value in case of error.</returnvalue> + </documentation> + <argument> + <name>mechanisms</name> + <type>ARRAY</type> + <inout /> + <documentation> + <purpose>Define the list of names of authentication mechanisms + supported by the that should be tried.</purpose> + </documentation> + </argument> + <argument> + <name>message</name> + <type>STRING</type> + <out /> + <documentation> + <purpose>Return the initial message that should be sent to the + server to start the authentication dialog. If this value is + undefined, no message should be sent to the server.</purpose> + </documentation> + </argument> + <argument> + <name>interactions</name> + <type>ARRAY</type> + <documentation> + <purpose>Not yet in use. It is meant to provide context + information to interact with the end user.</purpose> + </documentation> + </argument> + <do> +{/metadocument} +*/ + Function Start($mechanisms, &$message, &$interactions) + { + if(strlen($this->error)) + return(SASL_FAIL); + if(IsSet($this->driver)) + return($this->driver->Start($this,$message,$interactions)); + $no_mechanism_error=""; + for($m=0;$m<count($mechanisms);$m++) + { + $mechanism=$mechanisms[$m]; + if(IsSet($this->drivers[$mechanism])) + { + if(!class_exists($this->drivers[$mechanism][0])) + require(dirname(__FILE__)."/".$this->drivers[$mechanism][1]); + $this->driver=new $this->drivers[$mechanism][0]; + if($this->driver->Initialize($this)) + { + $this->encode_response=1; + $status=$this->driver->Start($this,$message,$interactions); + switch($status) + { + case SASL_NOMECH: + Unset($this->driver); + if(strlen($no_mechanism_error)==0) + $no_mechanism_error=$this->error; + $this->error=""; + break; + case SASL_CONTINUE: + $this->mechanism=$mechanism; + return($status); + default: + Unset($this->driver); + $this->error=""; + return($status); + } + } + else + { + Unset($this->driver); + if(strlen($no_mechanism_error)==0) + $no_mechanism_error=$this->error; + $this->error=""; + } + } + } + $this->error=(strlen($no_mechanism_error) ? $no_mechanism_error : "it was not requested any of the authentication mechanisms that are supported"); + return(SASL_NOMECH); + } +/* +{metadocument} + </do> + </function> +{/metadocument} +*/ + +/* +{metadocument} + <function> + <name>Step</name> + <type>INTEGER</type> + <documentation> + <purpose>Process the authentication steps after the initial step, + until the authetication iteration dialog is complete.</purpose> + <usage>Call this function iteratively after a successful initial + step calling the <functionlink>Start</functionlink> function.</usage> + <returnvalue>The function returns <tt>SASL_CONTINUE</tt> if step was + processed successfully, or returns <tt>SASL_FAIL</tt> in case of + error.</returnvalue> + </documentation> + <argument> + <name>response</name> + <type>STRING</type> + <in /> + <documentation> + <purpose>Pass the response returned by the server to the previous + step.</purpose> + </documentation> + </argument> + <argument> + <name>message</name> + <type>STRING</type> + <out /> + <documentation> + <purpose>Return the message that should be sent to the server to + continue the authentication dialog. If this value is undefined, + no message should be sent to the server.</purpose> + </documentation> + </argument> + <argument> + <name>interactions</name> + <type>ARRAY</type> + <documentation> + <purpose>Not yet in use. It is meant to provide context + information to interact with the end user.</purpose> + </documentation> + </argument> + <do> +{/metadocument} +*/ + Function Step($response, &$message, &$interactions) + { + if(strlen($this->error)) + return(SASL_FAIL); + return($this->driver->Step($this,$response,$message,$interactions)); + } +/* +{metadocument} + </do> + </function> +{/metadocument} +*/ + +}; + +/* + +{metadocument} +</class> +{/metadocument} + +*/ + +?> diff --git a/etc/inc/services.inc b/etc/inc/services.inc index 11d49ed..3c23ece 100644 --- a/etc/inc/services.inc +++ b/etc/inc/services.inc @@ -72,7 +72,7 @@ function services_dhcpd_configure() { fwrite($fd, "mkdir -p {$g['dhcpd_chroot_path']}/etc\n"); fwrite($fd, "mkdir -p {$g['dhcpd_chroot_path']}/usr/local/sbin\n"); fwrite($fd, "mkdir -p {$g['dhcpd_chroot_path']}/var/db\n"); - fwrite($fd, "mkdir -p {$g['dhcpd_chroot_path']}/var/run\n"); + fwrite($fd, "mkdir -p {$g['dhcpd_chroot_path']}/var/run\n"); fwrite($fd, "mkdir -p {$g['dhcpd_chroot_path']}/usr\n"); fwrite($fd, "mkdir -p {$g['dhcpd_chroot_path']}/lib\n"); fwrite($fd, "mkdir -p {$g['dhcpd_chroot_path']}/run\n"); @@ -228,6 +228,9 @@ EOPP; $subnet = gen_subnet($ifcfgip, $ifcfgsn); $subnetmask = gen_subnet_mask($ifcfgsn); + if (!is_ipaddr($subnet)) + continue; + if($is_olsr_enabled == true) if($dhcpifconf['netmask']) $subnetmask = gen_subnet_mask($dhcpifconf['netmask']); @@ -257,7 +260,7 @@ EOPP; $dnscfg .= " option domain-name-servers " . join(",", $syscfg['dnsserver']) . ";"; } - $dhcpdconf .= "subnet $subnet netmask $subnetmask {\n"; + $dhcpdconf .= "subnet {$subnet} netmask {$subnetmask} {\n"; $dhcpdconf .= " pool {\n"; /* is failover dns setup? */ diff --git a/etc/inc/shaper.inc b/etc/inc/shaper.inc index d63367d..bc4a0c2 100644 --- a/etc/inc/shaper.inc +++ b/etc/inc/shaper.inc @@ -31,6 +31,8 @@ /* XXX: needs some reducing on include. */ /* include all configuration functions. */ require_once("functions.inc"); +require_once("util.inc"); +require_once("notices.inc"); /* * I admit :) this is derived from xmplparse.inc StartElement() @@ -122,20 +124,20 @@ function get_bandwidthtype_scale($type) { switch ($type) { case "Gb": - $factor = 1000 * 1000 * 1000; + $factor = 1024 * 1024 * 1024; break; case "Mb": - $factor = 1000 * 1000; + $factor = 1024 * 1024; break; case "Kb": - $factor = 1000; + $factor = 1024; break; case "b": default: $factor = 1; break; } - return floatval($factor); + return intval($factor); } function get_hfsc_bandwidth($object, $bw) @@ -418,6 +420,7 @@ class altq_root_queue { $q->ReadConfig($queue); $q->validate_input($queue, $input_errors); if (count($input_errors)) { + log_error("SHAPER: could not create queue " . $q->GetQname() . " on interface {$interface} because: " . print_r($input_errors, true)); return $q; } @@ -514,8 +517,9 @@ class altq_root_queue { * foreach ($queues as $qkey => $queue) * this->queues[$qkey]->build_rule(); */ - function build_rules() { + function build_rules(&$default = false) { if (count($this->queues) > 0 && $this->GetEnabled() == "on") { + $default = false; $rules = " altq on " . get_real_interface($this->GetInterface()); if ($this->GetScheduler()) $rules .= " ".strtolower($this->GetScheduler()); @@ -538,9 +542,16 @@ class altq_root_queue { } $rules .= " } \n"; foreach ($this->queues as $q) { - $rules .= $q->build_rules(); + $rules .= $q->build_rules($default); } } + if ($default == false) { + $error = "SHAPER: no default queue specified for interface ". $this->GetInterface() . ". The interface queue will be enforced as default."; + file_notice("Shaper", $error, "Error occurred", ""); + unset($error); + return "\n"; + } + $frule .= $rules; } $rules .= " \n"; return $rules; @@ -1024,7 +1035,7 @@ class priq_queue { /* Should return something like: * queue $qname on $qinterface bandwidth .... */ - function build_rules() { + function build_rules(&$default = false) { $pfq_rule = " queue ". $this->qname; if ($this->GetInterface()) $pfq_rule .= " on ".get_real_interface($this->GetInterface()); @@ -1060,6 +1071,7 @@ class priq_queue { if ($comma) $pfq_rule .= " ,"; $pfq_rule .= " default "; + $default = true; } $pfq_rule .= " ) "; } @@ -1335,6 +1347,7 @@ class hfsc_queue extends priq_queue { $q->ReadConfig($qname); $q->validate_input($qname, $input_errors); if (count($input_errors)) { + log_error("SHAPER: could not create queue " . $q->GetQname() . " on interface {$interface} because: " . print_r($input_errors, true)); return $q; } @@ -1672,7 +1685,7 @@ class hfsc_queue extends priq_queue { } /* Even this should take children into consideration */ - function build_rules() { + function build_rules(&$default = false) { $pfq_rule = " queue ". $this->qname; if ($this->GetInterface()) @@ -1711,6 +1724,7 @@ class hfsc_queue extends priq_queue { $pfq_rule .= " ,"; $comma = 1; $pfq_rule .= " default "; + $default = true; } if ($this->GetRealtime() <> "") { @@ -1753,7 +1767,7 @@ class hfsc_queue extends priq_queue { } $pfq_rule .= " } \n"; foreach ($this->subqueues as $q) - $pfq_rule .= $q->build_rules(); + $pfq_rule .= $q->build_rules(&$default); } $pfq_rule .= " \n"; @@ -2038,6 +2052,7 @@ class cbq_queue extends priq_queue { $q->ReadConfig($qname); $q->validate_input($qname, $input_errors); if (count($input_errors)) { + log_error("SHAPER: could not create queue " . $q->GetQname() . " on interface {$interface} because: " . print_r($input_errors, true)); return $q; } switch ($q->GetBwscale()) { @@ -2212,7 +2227,7 @@ class cbq_queue extends priq_queue { } /* Even this should take children into consideration */ - function build_rules() { + function build_rules(&$default = false) { $pfq_rule = "queue ". $this->qname; if ($this->GetInterface()) $pfq_rule .= " on ".get_real_interface($this->GetInterface()); @@ -2251,6 +2266,7 @@ class cbq_queue extends priq_queue { $pfq_rule .= " ,"; $comma = 1; $pfq_rule .= " default "; + $default = true; } $tmpvalue = trim($this->GetBorrow()); if (!empty($tmpvalue)) { @@ -2272,7 +2288,7 @@ class cbq_queue extends priq_queue { } $pfq_rule .= " } \n"; foreach ($this->subqueues as $q) - $pfq_rule .= $q->build_rules(); + $pfq_rule .= $q->build_rules($default); } $pfq_rule .= " \n"; @@ -2486,7 +2502,7 @@ class fairq_queue extends priq_queue { } /* Even this should take children into consideration */ - function build_rules() { + function build_rules(&$default = false) { $pfq_rule = "queue ". $this->qname; if ($this->GetInterface()) $pfq_rule .= " on ".get_real_interface($this->GetInterface()); @@ -2526,6 +2542,7 @@ class fairq_queue extends priq_queue { $pfq_rule .= " ,"; $comma = 1; $pfq_rule .= " default "; + $default = true; } $tmpvalue = trim($this->GetBuckets()); if (!empty($tmpvalue)) { @@ -2813,8 +2830,10 @@ class dnpipe_class extends dummynet_class { $q->SetParent(&$this); $q->ReadConfig($queue); $q->validate_input($queue, $input_errors); - if (count($input_errors)) + if (count($input_errors)) { + log_error("SHAPER: could not create queue " . $q->GetQname() . " on interface {$interface} because: " . print_r($input_errors, true)); return $q; + } $this->subqueues[$q->GetQname()] = &$q; return $q; @@ -2867,16 +2886,28 @@ class dnpipe_class extends dummynet_class { } if (isset($q['qlimit']) && $q['qlimit'] <> "") $this->SetQlimit($q['qlimit']); + else + $this->SetQlimit(""); if (isset($q['mask']) && $q['mask'] <> "") $this->SetMask($q['mask']); + else + $this->SetMask(""); if (isset($q['buckets']) && $q['buckets'] <> "") $this->SetBuckets($q['buckets']); + else + $this->SetBuckets(""); if (isset($q['plr']) && $q['plr'] <> "") $this->SetPlr($q['plr']); + else + $this->SetPlr(""); if (isset($q['delay']) && $q['delay'] <> "") $this->SetDelay($q['delay']); + else + $this->SetDelay(0); if (isset($q['description']) && $q['description'] <> "") $this->SetDescription($q['description']); + else + $this->SetDescription(""); $this->SetEnabled($q['enabled']); } @@ -2943,12 +2974,12 @@ class dnpipe_class extends dummynet_class { function build_form() { $form = "<tr><td valign=\"center\" class=\"vncellreq\"><br>"; - $form .= gettext("Enable/Disable"); + $form .= gettext("Enable"); $form .= "</td><td class=\"vncellreq\">"; $form .= " <input type=\"checkbox\" id=\"enabled\" name=\"enabled\" value=\"on\""; if ($this->GetEnabled() == "on") $form .= " CHECKED"; - $form .= " ><span class=\"vexpl\"> " . gettext("Enable/Disable limiter and its children") . "</span>"; + $form .= " ><span class=\"vexpl\"> " . gettext("Enable limiter and its children") . "</span>"; $form .= "</td></tr>"; $form .= "<tr><td valign=\"center\" class=\"vncellreq\"><br><span class=\"vexpl\">" . gettext("Name") . "</span></td>"; $form .= "<td class=\"vncellreq\">"; @@ -3136,12 +3167,20 @@ class dnqueue_class extends dummynet_class { $this->SetNumber($q['number']); if (isset($q['qlimit']) && $q['qlimit'] <> "") $this->SetQlimit($q['qlimit']); + else + $this->SetQlimit(""); if (isset($q['mask']) && $q['mask'] <> "") $this->SetMask($q['mask']); + else + $this->SetMask(""); if (isset($q['weight']) && $q['weight'] <> "") $this->SetWeight($q['weight']); + else + $this->SetWeight(""); if (isset($q['description']) && $q['description'] <> "") $this->SetDescription($q['description']); + else + $this->SetDescription(""); $this->SetEnabled($q['enabled']); } diff --git a/etc/inc/system.inc b/etc/inc/system.inc index e560a19..107a777 100644 --- a/etc/inc/system.inc +++ b/etc/inc/system.inc @@ -86,12 +86,6 @@ function system_resolvconf_generate($dynupdate = false) { $syscfg = $config['system']; - $fd = fopen("{$g['varetc_path']}/resolv.conf", "w"); - if (!$fd) { - printf(gettext("Error: cannot open resolv.conf in system_resolvconf_generate().%s"), "\n"); - return 1; - } - $resolvconf = "domain {$syscfg['domain']}\n"; $havedns = false; @@ -122,6 +116,12 @@ function system_resolvconf_generate($dynupdate = false) { } } + $fd = fopen("{$g['varetc_path']}/resolv.conf", "w"); + if (!$fd) { + printf("Error: cannot open resolv.conf in system_resolvconf_generate().\n"); + return 1; + } + fwrite($fd, $resolvconf); fclose($fd); @@ -158,11 +158,16 @@ function get_searchdomains() { $master_list = array(); // Read in dhclient nameservers - $search_list = split("\n", `/bin/cat /var/etc/searchdomain_* 2>/dev/null`); + $search_list = glob("/var/etc/searchdomain_*"); if (is_array($search_lists)) { - foreach($search_lists as $dns) { - if(is_hostname($dns)) - $master_list[] = $dns; + foreach($search_lists as $fdns) { + $contents = file($fdns, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); + if (!is_array($contents)) + continue; + foreach ($contents as $dns) { + if(is_hostname($dns)) + $master_list[] = $dns; + } } } @@ -174,21 +179,27 @@ function get_nameservers() { $master_list = array(); // Read in dhclient nameservers - $dns_lists = split("\n", `/bin/cat /var/etc/nameserver_* 2>/dev/null`); + $dns_lists = glob("/var/etc/nameserver_*"); if (is_array($dns_lists)) { - foreach($dns_lists as $dns) { - if(is_ipaddr($dns)) - $master_list[] = $dns; + foreach($dns_lists as $fdns) { + $contents = file($fdns, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); + if (!is_array($contents)) + continue; + foreach ($contents as $dns) { + if(is_ipaddr($dns)) + $master_list[] = $dns; + } } } // Read in any extra nameservers if(file_exists("/var/etc/nameservers.conf")) { - $dns_lists = split("\n", `/bin/cat /var/etc/nameservers.conf`); - if(is_array($dns_s)) + $dns_s = file("/var/etc/nameservers.conf", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); + if(is_array($dns_s)) { foreach($dns_s as $dns) if (is_ipaddr($dns)) $master_list[] = $dns; + } } return $master_list; @@ -314,6 +325,8 @@ function system_routing_configure($interface = "") { mwexec("/bin/rm {$g['tmp_path']}/*_defaultgw", true); foreach ($config['gateways']['gateway_item'] as $gateway) { if (isset($gateway['defaultgw'])) { + if(strstr($gateway['gateway'], ":")) + break; if ($gateway['gateway'] == "dynamic") $gateway['gateway'] = get_interface_gateway($gateway['interface']); $gatewayip = $gateway['gateway']; @@ -364,8 +377,8 @@ function system_routing_configure($interface = "") { if(isset($route_arr['default'])) { $action = "change"; } - log_error(sprintf(gettext('ROUTING: %1$s default route to %2$s'), $action, $gatewayip)); - mwexec("/sbin/route {$action} default " . escapeshellarg($gatewayip)); + log_error("ROUTING: $action default route to $gatewayip"); + mwexec("/sbin/route {$action} -inet default " . escapeshellarg($gatewayip)); } } @@ -379,7 +392,7 @@ function system_routing_configure($interface = "") { continue; } $gateway = $gateways_arr[$rtent['gateway']]; - if ($interface == $gateway['friendlyiface']) + if (!empty($interface) && $interface != $gateway['friendlyiface']) continue; $gatewayip = $gateway['gateway']; $interfacegw = $gateway['interface']; @@ -388,10 +401,10 @@ function system_routing_configure($interface = "") { $action = "change"; if (is_ipaddr($gatewayip)) { - mwexec("/sbin/route {$action} " . escapeshellarg($rtent['network']) . + mwexec("/sbin/route {$action} -inet " . escapeshellarg($rtent['network']) . " " . escapeshellarg($gatewayip)); } else if (!empty($interfacegw)) { - mwexec("/sbin/route {$action} " . escapeshellarg($rtent['network']) . + mwexec("/sbin/route {$action} -inet " . escapeshellarg($rtent['network']) . " -iface " . escapeshellarg($interfacegw)); } } @@ -613,9 +626,14 @@ EOD; } fwrite($fd, $syslogconf); fclose($fd); + + // Ensure that the log directory exists + if(!is_dir("{$g['dhcpd_chroot_path']}/var/run")) + exec("/bin/mkdir -p {$g['dhcpd_chroot_path']}/var/run"); + // Are we logging to a least one remote server ? if(strpos($syslogconf, "@") != false) - $retval = system("/usr/sbin/syslogd -c c -l /var/dhcpd/var/run/log -f {$g['varetc_path']}/syslog.conf"); + $retval = system("/usr/sbin/syslogd -c -c -l /var/dhcpd/var/run/log -f {$g['varetc_path']}/syslog.conf"); else $retval = system("/usr/sbin/syslogd -c -c -l /var/dhcpd/var/run/log -f {$g['varetc_path']}/syslog.conf"); @@ -689,7 +707,7 @@ function system_webgui_start() { if (!is_array($config['cert'])) $config['cert'] = array(); $a_cert =& $config['cert']; - echo gettext("Creating SSL Certificate... "); + log_error("Creating SSL Certificate for this host"); $cert = array(); $cert['refid'] = uniqid(); $cert['descr'] = gettext("webConfigurator default"); @@ -765,7 +783,7 @@ function system_generate_lighty_config($filename, if($captive_portal == true) { $captiveportal = ",\"mod_rewrite\""; $captive_portal_rewrite = "url.rewrite-once = ( \"(.*captiveportal.*)\" => \"$1\", \"(.*)\" => \"/index.php?redirurl=$1\" )\n"; - $captive_portal_module = "\"mod_accesslog\", "; + $captive_portal_module = ""; $maxprocperip = $config['captiveportal']['maxprocperip']; if(!$maxprocperip and $maxprocperip > 0) $captive_portal_mod_evasive = "evasive.max-conns-per-ip = {$maxprocperip}"; @@ -1054,7 +1072,7 @@ EOD; fwrite($fd, "\n"); fwrite($fd, $key); fclose($fd); - if($ca <> "") { + if(!(empty($ca) || (strlen(trim($ca)) == 0))) { $fd = fopen("{$g['varetc_path']}/{$ca_location}", "w"); if (!$fd) { printf(gettext("Error: cannot open ca.pem in system_webgui_start().%s"), "\n"); @@ -1068,7 +1086,7 @@ EOD; $lighty_config .= "## " . gettext("ssl configuration") . "\n"; $lighty_config .= "ssl.engine = \"enable\"\n"; $lighty_config .= "ssl.pemfile = \"{$g['varetc_path']}/{$cert_location}\"\n\n"; - if($ca <> "") + if(!(empty($ca) || (strlen(trim($ca)) == 0))) $lighty_config .= "ssl.ca-file = \"{$g['varetc_path']}/{$ca_location}\"\n\n"; } diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc index bca0ec7..c7c29c8 100644 --- a/etc/inc/upgrade_config.inc +++ b/etc/inc/upgrade_config.inc @@ -709,10 +709,14 @@ function upgrade_040_to_041() { $config['sysctl']['item'][19]['descr'] = "Set the ephemeral port range starting port"; $config['sysctl']['item'][19]['value'] = "default"; - $config['sysctl']['item'][20]['tunable'] = "hw.syscons.kbd_reboot "; + $config['sysctl']['item'][20]['tunable'] = "hw.syscons.kbd_reboot"; $config['sysctl']['item'][20]['descr'] = "Enables ctrl+alt+delete"; $config['sysctl']['item'][20]['value'] = "default"; + $config['sysctl']['item'][21]['tunable'] = "kern.ipc.maxsockbuf"; + $config['sysctl']['item'][21]['descr'] = "Maximum socket buffer size"; + $config['sysctl']['item'][21]['value'] = "default"; + } } @@ -817,8 +821,7 @@ function upgrade_044_to_045() { $iflist = get_configured_interface_list(false, true); if (is_array($config['vlans']['vlan']) && count($config['vlans']['vlan'])) { foreach ($config['vlans']['vlan'] as $id => $vlan) { - $vlan['vlanif'] = "{$vlan['if']}_vlan{$vlan['tag']}"; - $config['vlans']['vlan'][$id] = $vlan; + $config['vlans']['vlan'][$id]['vlanif'] = "{$vlan['if']}_vlan{$vlan['tag']}"; /* Make sure to update the interfaces section with the right name */ foreach($iflist as $ifname) { if($config['interfaces'][$ifname]['if'] == "vlan{$id}") { @@ -1083,8 +1086,8 @@ function upgrade_047_to_048() { $tempdyn['enable'] = isset($config['dyndns'][0]['enable']); $tempdyn['type'] = $config['dyndns'][0]['type']; $tempdyn['wildcard'] = isset($config['dyndns'][0]['wildcard']); - $tempdyn['usernamefld'] = $config['dyndns'][0]['username']; - $tempdyn['passwordfld'] = $config['dyndns'][0]['password']; + $tempdyn['username'] = $config['dyndns'][0]['username']; + $tempdyn['password'] = $config['dyndns'][0]['password']; $tempdyn['host'] = $config['dyndns'][0]['host']; $tempdyn['mx'] = $config['dyndns'][0]['mx']; $tempdyn['interface'] = "wan"; @@ -2282,4 +2285,17 @@ function upgrade_074_to_075() { rename_field($config['crl'], 'name', 'descr'); } +function upgrade_075_to_076() { + global $config; + $cron_item = array(); + $cron_item['minute'] = "30"; + $cron_item['hour'] = "12"; + $cron_item['mday'] = "*"; + $cron_item['month'] = "*"; + $cron_item['wday'] = "*"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /etc/rc.update_urltables"; + $config['cron']['item'][] = $cron_item; +} + ?> diff --git a/etc/inc/util.inc b/etc/inc/util.inc index a39670b..507e32c 100644 --- a/etc/inc/util.inc +++ b/etc/inc/util.inc @@ -1237,6 +1237,19 @@ function start_devd() { sleep(1); } +function is_interface_vlan_mismatch() { + global $config, $g; + + if (is_array($config['vlans']['vlan'])) { + foreach ($config['vlans']['vlan'] as $vlan) { + if (does_interface_exist($vlan['if']) == false) + return true; + } + } + + return false; +} + function is_interface_mismatch() { global $config, $g; diff --git a/etc/inc/voucher.inc b/etc/inc/voucher.inc index 1aaf91e..74d83d9 100644 --- a/etc/inc/voucher.inc +++ b/etc/inc/voucher.inc @@ -1,6 +1,8 @@ <?php /* - Copyright (C) 2007 Marcel Wiget <mwiget@mac.com>. + Copyright (C) 2010 Ermal Luci <ermal.luci@gmail.com> + Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com> + Copyright (C) 2007 Marcel Wiget <mwiget@mac.com> All rights reserved. Redistribution and use in source and binary forms, with or without @@ -32,6 +34,8 @@ */ /* include all configuration functions */ +if(!function_exists('captiveportal_syslog')) + require_once("captiveportal.inc"); function xmlrpc_sync_used_voucher($voucher_received, $syncip, $port, $password, $username) { global $g, $config; @@ -63,14 +67,12 @@ EOF; $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); $cli->setCredentials($username, $password); $resp = $cli->send($msg, "250"); - if(!$resp) { + if(!is_object($resp)) { $error = "A communications error occurred while attempting CaptivePortalVoucherSync XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; log_error($error); file_notice("CaptivePortalVoucherSync", $error, "Communications error occurred", ""); return array("timeleft" => "0"); } elseif($resp->faultCode()) { - $cli->setDebug(1); - $resp = $cli->send($msg, "250"); $error = "An error code was received while attempting CaptivePortalVoucherSync XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("CaptivePortalVoucherSync", $error, "Error code received", ""); @@ -84,25 +86,24 @@ EOF; write_config("Captive Portal Voucher database synchronized with {$url}"); voucher_configure(); } - return $toreturn['timeleft']; + + return $toreturn['timeleft']; } /* - *Authenticate a voucher and return the remaining time credit in minutes + * Authenticate a voucher and return the remaining time credit in minutes * if $test is set, don't mark the voucher as used nor add it to the list * of active vouchers + * If $test is set, simply test the voucher. Don't change anything + * but return a more verbose error and result message back */ function voucher_auth($voucher_received, $test = 0) { - global $g, $config; - // if $test is set, simply test the voucher. Don't change anything - // but return a more verbose error and result message back - $voucherlck = lock('voucher'); // XMLRPC Call over to the master Voucher node - $a_voucher = &$config['voucher']; + $a_voucher = &$config['voucher']; if($a_voucher['vouchersyncdbip']) { $syncip = $a_voucher['vouchersyncdbip']; $syncport = $a_voucher['vouchersyncport']; @@ -111,12 +112,16 @@ function voucher_auth($voucher_received, $test = 0) { $remote_time_used = xmlrpc_sync_used_voucher($voucher_received, $syncip, $syncport, $syncpass, $vouchersyncusername); } - // read rolls into assoc array with rollid as key and minutes as value - $a_roll = &$config['voucher']['roll']; - foreach ($a_roll as $rollent) { - $tickets_per_roll[$rollent['number']] = $rollent['count']; - $minutes_per_roll[$rollent['number']] = $rollent['minutes']; - } + // read rolls into assoc array with rollid as key and minutes as value + $tickets_per_roll = array(); + $minutes_per_roll = array(); + if (is_array($config['voucher']['roll'])) { + $a_roll = &$config['voucher']['roll']; + foreach ($a_roll as $rollent) { + $tickets_per_roll[$rollent['number']] = $rollent['count']; + $minutes_per_roll[$rollent['number']] = $rollent['minutes']; + } + } // split into an array. Useful for multiple vouchers given $a_vouchers_received = split("[\t\n\r ]+",$voucher_received); @@ -138,9 +143,9 @@ function voucher_auth($voucher_received, $test = 0) { $result = exec("/usr/local/bin/voucher -c {$g['varetc_path']}/voucher.cfg -k {$g['varetc_path']}/voucher.public -- $v"); list($status, $roll, $nr) = explode(" ", $result); if ($status == "OK") { - if (!$first_voucher) - { - $first_voucher = $voucher; // store first voucher. Thats the one we give the timecredit + if (!$first_voucher) { + // store first voucher. Thats the one we give the timecredit + $first_voucher = $voucher; $first_voucher_roll = $roll; } // check if we have this ticket on a registered roll for this ticket @@ -165,6 +170,7 @@ function voucher_auth($voucher_received, $test = 0) { $mask = 1 << ($nr % 8); if (ord($bitstring[$roll][$pos]) & $mask) { $test_result[] = sprintf(gettext('%1$s (%2$s/%3$s) already used and expired'), $voucher, $roll, $nr); + captiveportal_syslog(sprintf(gettext('%1$s (%2$s/%3$s) already used and expired'), $voucher, $roll, $nr)); $total_minutes = -1; // voucher expired $error++; } else { @@ -176,10 +182,12 @@ function voucher_auth($voucher_received, $test = 0) { } } else { $test_result[] = sprintf(gettext('%1$s (%2$s/%3$s): not found on any registererd Roll'), $voucher, $roll, $nr); + captiveportal_syslog("$voucher ($roll/$nr): not found on any registererd Roll"); } } else { // hmm, thats weird ... not what I expected $test_result[] = "$voucher " . gettext("invalid:") . " $result !!"; + captiveportal_syslog("$voucher " . gettext("invalid:") . " $result !!"); $error++; } } @@ -240,9 +248,6 @@ function voucher_auth($voucher_received, $test = 0) { $active_vouchers[$first_voucher_roll][$first_voucher] = "$timestamp,$minutes"; voucher_write_active_db($roll, $active_vouchers[$first_voucher_roll]); - // mark the DB's as dirty. - mark_subsystem_dirty('voucher'); - unlock($voucherlck); return $total_minutes; @@ -250,15 +255,15 @@ function voucher_auth($voucher_received, $test = 0) { function voucher_configure() { global $config, $g; - - /* kill any running minicron */ - killbypid("{$g['varrun_path']}/vouchercron.pid"); - if (isset($config['voucher']['enable'])) { + /* kill any running minicron */ + killbypid("{$g['varrun_path']}/vouchercron.pid"); + + if (!isset($config['voucher']['enable'])) + return 0; - if ($g['booting']) { + if ($g['booting']) echo gettext("Enabling voucher support... "); - } // start cron if we're asked to save runtime DB periodically // to XML config if it changed @@ -269,18 +274,19 @@ function voucher_configure() { "/etc/rc.savevoucher"); } - $voucherlck = lock('voucher'); + $voucherlck = lock('voucher', LOCK_EX); + /* write public key used to verify vouchers */ $pubkey = base64_decode($config['voucher']['publickey']); $fd = fopen("{$g['varetc_path']}/voucher.public", "w"); if (!$fd) { - printf(gettext("Error: cannot write voucher.public") . "\n"); - unlock($voucherlck); + captiveportal_syslog(gettext("Voucher error: cannot write voucher.public") . "\n"); + unlock($voucherlck); return 1; } - chmod("{$g['varetc_path']}/voucher.public", 0600); fwrite($fd, $pubkey); fclose($fd); + @chmod("{$g['varetc_path']}/voucher.public", 0600); /* write config file used by voucher binary to decode vouchers */ $fd = fopen("{$g['varetc_path']}/voucher.cfg", "w"); @@ -289,16 +295,16 @@ function voucher_configure() { unlock($voucherlck); return 1; } - chmod("{$g['varetc_path']}/voucher.cfg", 0600); fwrite($fd, "{$config['voucher']['rollbits']},{$config['voucher']['ticketbits']},{$config['voucher']['checksumbits']},{$config['voucher']['magic']},{$config['voucher']['charset']}\n"); fclose($fd); - unlock($voucherlck); + @chmod("{$g['varetc_path']}/voucher.cfg", 0600); + unlock($voucherlck); - if ($g['booting']) { + if ($g['booting'] && is_array($config['voucher']['roll'])) { // create active and used DB per roll on ramdisk from config $a_roll = &$config['voucher']['roll']; - $voucherlck = lock('voucher'); + $voucherlck = lock('voucher'); foreach ($a_roll as $rollent) { @@ -320,64 +326,59 @@ function voucher_configure() { voucher_write_active_db($roll, $active_vouchers); } - unlock($voucherlck); + unlock($voucherlck); echo gettext("done") . "\n"; } - } - return 0; + + return 0; } /* write bitstring of used vouchers to ramdisk. * Bitstring must already be base64_encoded! */ function voucher_write_used_db($roll, $vdb) { - - global $g; - - $fd = fopen("{$g['vardb_path']}/voucher_used_$roll.db", "w"); - if ($fd) { - fwrite($fd, $vdb . "\n"); - fclose($fd); - } else { - voucher_log(LOG_ERR, sprintf(gettext('cant write %1$s/voucher_used_%2$s.db'), $g['vardb_path'], $roll)); - } + global $g; + + $fd = fopen("{$g['vardb_path']}/voucher_used_$roll.db", "w"); + if ($fd) { + fwrite($fd, $vdb . "\n"); + fclose($fd); + } else + voucher_log(LOG_ERR, sprintf(gettext('cant write %1$s/voucher_used_%2$s.db'), $g['vardb_path'], $roll)); } /* return assoc array of active vouchers with activation timestamp * voucher is index. */ function voucher_read_active_db($roll) { - - global $g; - - $active = array(); - $dirty = 0; - $file = "{$g['vardb_path']}/voucher_active_$roll.db"; - if (file_exists($file)) { - $fd = fopen($file, "r"); - if ($fd) { - while (!feof($fd)) { - $line = trim(fgets($fd)); - if ($line) { - list($voucher,$timestamp,$minutes) = explode(",", $line); // voucher,timestamp - if ((($timestamp + 60*$minutes) - time()) > 0) { - $active[$voucher] = "$timestamp,$minutes"; - } else { - $dirty=1; - } - } - } - fclose($fd); - if ($dirty) // if we found expired entries, lets save our snapshot - voucher_write_active_db($roll, $active); - } - } - return $active; + global $g; + + $active = array(); + $dirty = 0; + $file = "{$g['vardb_path']}/voucher_active_$roll.db"; + if (file_exists($file)) { + $fd = fopen($file, "r"); + if ($fd) { + while (!feof($fd)) { + $line = trim(fgets($fd)); + if ($line) { + list($voucher,$timestamp,$minutes) = explode(",", $line); // voucher,timestamp + if ((($timestamp + 60*$minutes) - time()) > 0) + $active[$voucher] = "$timestamp,$minutes"; + else + $dirty=1; + } + } + fclose($fd); + if ($dirty) // if we found expired entries, lets save our snapshot + voucher_write_active_db($roll, $active); + } + } + return $active; } /* store array of active vouchers back to DB */ function voucher_write_active_db($roll, $active) { - global $g; $fd = fopen("{$g['vardb_path']}/voucher_active_$roll.db", "w"); @@ -390,7 +391,6 @@ function voucher_write_active_db($roll, $active) { /* return how many vouchers are marked used on a roll */ function voucher_used_count($roll) { - global $g; $bitstring = voucher_read_used_db($roll); @@ -407,7 +407,6 @@ function voucher_used_count($roll) { } function voucher_read_used_db($roll) { - global $g; $vdb = ""; @@ -425,10 +424,9 @@ function voucher_read_used_db($roll) { } function voucher_unlink_db($roll) { - global $g; - unlink("{$g['vardb_path']}/voucher_used_$roll.db"); - unlink("{$g['vardb_path']}/voucher_active_$roll.db"); + @unlink("{$g['vardb_path']}/voucher_used_$roll.db"); + @unlink("{$g['vardb_path']}/voucher_active_$roll.db"); } /* we share the log with captiveportal for now */ @@ -445,20 +443,15 @@ function voucher_log($priority, $message) { * Called during reboot -> system_reboot_cleanup() and minicron */ function voucher_save_db_to_config() { - global $config, $g; if (!isset($config['voucher']['enable']) || $config['voucher']['saveinterval'] == 0) return; // no vouchers or don't want to save DB's - if (!is_subsystem_dirty('voucher')) - return; // nothing changed. - - $voucherlck = lock('voucher'); + $voucherlck = lock('voucher', LOCK_EX); // walk all active rolls and save runtime DB's to flash $a_roll = &$config['voucher']['roll']; -// foreach ($a_roll as $rollent) { while (list($key, $value) = each($a_roll)) { $rollent = &$a_roll[$key]; $roll = $rollent['number']; @@ -466,7 +459,7 @@ function voucher_save_db_to_config() { $rollent['used'] = base64_encode($bitmask); $active_vouchers = voucher_read_active_db($roll); $db = array(); - $dbi = 1; + $dbi = 1; foreach($active_vouchers as $voucher => $line) { list($timestamp,$minutes) = explode(",", $line); $activent['voucher'] = $voucher; @@ -477,8 +470,9 @@ function voucher_save_db_to_config() { } $rollent['active'] = $db; } - clear_subsystem_dirty('voucher'); + unlock($voucherlck); + write_config(); return; } diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index e720853..906fcdd 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -37,7 +37,7 @@ pfSense_BUILDER_BINARIES: /usr/bin/killall /usr/local/sbin/sasyncd /sbin/ifconfig /sbin/sysctl pfSense_BUILDER_BINARIES: /usr/local/sbin/setkey /usr/bin/netstat /sbin/route /bin/mkdir pfSense_BUILDER_BINARIES: /usr/local/sbin/racoonctl /usr/local/sbin/racoon - pfSense_BUILDER_BINARIES: /usr/local/sbin/dnswatch /usr/local/sbin/mpd4 + pfSense_BUILDER_BINARIES: /usr/local/sbin/filterdns /usr/local/sbin/mpd4 pfSense_MODULE: vpn */ @@ -103,7 +103,7 @@ function vpn_ipsec_configure($ipchg = false) /* kill racoon */ if(is_process_running("racoon")) mwexec("/usr/bin/killall racoon", true); - killbypid("{$g['varrun_path']}/dnswatch-ipsec.pid"); + killbypid("{$g['varrun_path']}/filterdns-ipsec.pid"); /* wait for racoon process to die */ sleep(2); @@ -133,7 +133,7 @@ function vpn_ipsec_configure($ipchg = false) /* resolve all local, peer addresses and setup pings */ $ipmap = array(); $rgmap = array(); - $dnswatch_list = array(); + $filterdns_list = array(); if (is_array($a_phase1) && count($a_phase1)) { /* step through each phase1 entry */ @@ -149,7 +149,7 @@ function vpn_ipsec_configure($ipchg = false) $ipmap[] = $ep; /* see if this tunnel has a hostname for the remote-gateway. If so, - try to resolve it now and add it to the list for dnswatch */ + try to resolve it now and add it to the list for filterdns */ if (isset ($ph1ent['mobile'])) continue; @@ -157,7 +157,7 @@ function vpn_ipsec_configure($ipchg = false) $rg = $ph1ent['remote-gateway']; if (!is_ipaddr($rg)) { - $dnswatch_list[] = "{$rg}=value"; + $filterdns_list[] = "{$rg}"; add_hostname_to_watch($rg); $rg = resolve_retry($rg); if (!$rg) @@ -636,11 +636,12 @@ EOD; $localid_type = $ph2ent['localid']['type']; $localid_data = ipsec_idinfo_to_cidr($ph2ent['localid']); - /* Do not print localid in some cases, such as a pure-psk or psk/xauth mobile tunnel */ + /* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */ if (($localid_type == "none") || (($ph1ent['authentication_method'] == "xauth_psk_server") || ($ph1ent['authentication_method'] == "pre_shared_key")) - && isset($ph1ent['mobile'])) + && isset($ph1ent['mobile']) + && (ipsec_get_number_of_phase2($ikeid)==1)) $localid_spec = " "; else { if ($localid_type != "address") { @@ -879,7 +880,9 @@ EOD; /* mange racoon process */ if (is_process_running("racoon")) { sleep("0.1"); - mwexec("/usr/local/sbin/racoonctl -s /var/db/racoon/racoon.sock reload-config", false); + /* XXX: This seems to not work in ipsec-tools 0.7.3 but a HUP signal is equivalent. */ + //mwexec("/usr/local/sbin/racoonctl -s /var/db/racoon/racoon.sock reload-config", false); + sigkillbypid("{$g['varrun_path']}/racoon.pid", "HUP"); /* load SPD without flushing to be safe on config additions or changes. */ mwexec("/usr/local/sbin/setkey -f {$g['varetc_path']}/spd.conf", false); } else { @@ -894,19 +897,20 @@ EOD; /* load SPD */ mwexec("/usr/local/sbin/setkey -f {$g['varetc_path']}/spd.conf", false); - /* start dnswatch, if necessary */ - if (count($dnswatch_list) > 0) { + /* start filterdns, if necessary */ + if (count($filterdns_list) > 0) { $interval = 60; if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval'])) $interval = $ipseccfg['dns-interval']; $hostnames = ""; - array_unique($dnswatch_list); - $hostnames = implode("\n", $dnswatch_list); - file_put_contents("{$g['varetc_path']}/dnswatch-ipsec.hosts", $hostnames); + array_unique($filterdns_list); + foreach ($hostname as $filterdns_list) + $hostnames .= "cmd {$hostname} '/etc/rc.newipsecdns'\n"; + file_put_contents("{$g['varetc_path']}/filternds-ipsec.hosts", $hostnames); - killbypid("{$g['varrun_path']}/dnswatch-ipsec.pid"); - mwexec("/usr/local/sbin/dnswatch {$g['varrun_path']}/dnswatch-ipsec.pid $interval /etc/rc.newipsecdns {$g['varetc_path']}/dnswatch-ipsec.hosts"); + killbypid("{$g['varrun_path']}/filterdns-ipsec.pid"); + mwexec("/usr/local/sbin/filterdns -p {$g['varrun_path']}/filterdns-ipsec.pid -i {$interval} -c {$g['varetc_path']}/filterdns_ipsec.hosts -d 1"); } } @@ -963,6 +967,17 @@ function vpn_setup() { vpn_l2tp_configure(); } +function vpn_netgraph_support() { + $iflist = get_configured_interface_list(); + foreach ($iflist as $iface) { + $realif = get_real_interface($iface); + /* Get support for netgraph(4) from the nic */ + $ifinfo = pfSense_get_interface_addresses($realif); + if (!empty($ifinfo) && in_array($ifinfo['iftype'], array("ether", "vlan", "bridge"))) + pfSense_ngctl_attach(".", $realif); + } +} + function vpn_pptpd_configure() { global $config, $g; @@ -1153,6 +1168,8 @@ EOD; fclose($fd); chmod("{$g['varetc_path']}/pptp-vpn/mpd.secret", 0600); + vpn_netgraph_support(); + /* fire up mpd */ mwexec("/usr/local/sbin/mpd4 -b -d {$g['varetc_path']}/pptp-vpn -p {$g['varrun_path']}/pptp-vpn.pid -s pptps pptps"); @@ -1289,8 +1306,14 @@ EOD; } if (isset ($pppoecfg['radius']['server']['enable'])) { + $radiusport = ""; + $radiusacctport = ""; + if (isset($pppoecfg['radius']['server']['port'])) + $radiusport = $pppoecfg['radius']['server']['port']; + if (isset($pppoecfg['radius']['server']['acctport'])) + $radiusacctport = $pppoecfg['radius']['server']['acctport']; $mpdconf .=<<<EOD - set radius server {$pppoecfg['radius']['server']['ip']} "{$pppoecfg['radius']['server']['secret']}" + set radius server {$pppoecfg['radius']['server']['ip']} "{$pppoecfg['radius']['server']['secret']} {$radiusport} {$radiusacctport}" set radius retries 3 set radius timeout 10 set auth enable radius-auth @@ -1356,6 +1379,8 @@ EOD; chmod("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.secret", 0600); } + /* Get support for netgraph(4) from the nic */ + pfSense_ngctl_attach(".", $pppoe_interface); /* fire up mpd */ mwexec("/usr/local/sbin/mpd4 -b -d {$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn -p {$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid -s poes poes"); @@ -1537,6 +1562,8 @@ EOD; fclose($fd); chmod("{$g['varetc_path']}/l2tp-vpn/mpd.secret", 0600); + vpn_netgraph_support(); + /* fire up mpd */ mwexec("/usr/local/sbin/mpd4 -b -d {$g['varetc_path']}/l2tp-vpn -p {$g['varrun_path']}/l2tp-vpn.pid -s l2tps l2tps"); @@ -1648,7 +1675,7 @@ function reload_tunnel_spd_policy($phase1, $phase2, $old_phase1, $old_phase2) { $old_remote_subnet = ipsec_idinfo_to_cidr($old_phase2['remoteid']); /* see if this tunnel has a hostname for the remote-gateway, and if so, - * try to resolve it now and add it to the list for dnswatch */ + * try to resolve it now and add it to the list for filterdns */ if (!is_ipaddr($phase1['remote-gateway'])) { $rgip = resolve_retry($phase1['remote-gateway']); add_hostname_to_watch($phase1['remote-gateway']); diff --git a/etc/inc/vslb.inc b/etc/inc/vslb.inc index 3985337..2c3f0ca 100644 --- a/etc/inc/vslb.inc +++ b/etc/inc/vslb.inc @@ -206,7 +206,12 @@ function relayd_configure() { if(is_array($pool_a)) { for ($i = 0; isset($pool_a[$i]); $i++) { if(is_array($pool_a[$i]['servers'])) { - $srvtxt = implode(", ", $pool_a[$i]['servers']); + if (!empty($pool_a[$i]['retry'])) { + $retrytext = " retry {$pool_a[$i]['retry']}"; + $srvtxt = implode("{$retrytext}, ", $pool_a[$i]['servers']) . "{$retrytext}"; + } else { + $srvtxt = implode(", ", $pool_a[$i]['servers']); + } $conf .= "table <{$pool_a[$i]['name']}> { $srvtxt }\n"; /* Index by name for easier fetching when we loop through the virtual servers */ $pools[$pool_a[$i]['name']] = $pool_a[$i]; @@ -283,4 +288,70 @@ function relayd_configure() { } +function get_lb_redirects() { +/* +# relayctl show summary +Id Type Name Avlblty Status +1 redirect testvs2 active +5 table test2:80 active (3 hosts up) +11 host 192.168.1.2 91.55% up +10 host 192.168.1.3 100.00% up +9 host 192.168.1.4 88.73% up +3 table test:80 active (1 hosts up) +7 host 192.168.1.2 66.20% down +6 host 192.168.1.3 97.18% up +0 redirect testvs active +3 table test:80 active (1 hosts up) +7 host 192.168.1.2 66.20% down +6 host 192.168.1.3 97.18% up +4 table testvs-sitedown:80 active (1 hosts up) +8 host 192.168.1.4 84.51% up +# relayctl show redirects +Id Type Name Avlblty Status +1 redirect testvs2 active +0 redirect testvs active +# relayctl show redirects +Id Type Name Avlblty Status +1 redirect testvs2 active + total: 2 sessions + last: 2/60s 2/h 2/d sessions + average: 1/60s 0/h 0/d sessions +0 redirect testvs active +*/ + $rdr_a = array(); + exec('/usr/local/sbin/relayctl show redirects 2>&1', $rdr_a); + $vs = array(); + for ($i = 0; isset($rdr_a[$i]); $i++) { + $line = $rdr_a[$i]; + if (preg_match("/^[0-9]+/", $line)) { + $regs = array(); + if($x = preg_match("/^[0-9]+\s+redirect\s+([^\s]+)\s+([^\s]+)/", $line, $regs)) { + $vs[trim($regs[1])] = array(); + $vs[trim($regs[1])]['status'] = trim($regs[2]); + } + } + } + return $vs; +} + +function get_lb_summary() { + $relayctl = array(); + exec('/usr/local/sbin/relayctl show summary 2>&1', $relayctl); + $relay_hosts=Array(); + foreach( (array) $relayctl as $line) { + $t=split("\t", $line); + switch (trim($t[1])) { + case "table": + $curpool=trim($t[2]); + break; + case "host": + $curhost=trim($t[2]); + $relay_hosts[$curpool][$curhost]['avail']=trim($t[3]); + $relay_hosts[$curpool][$curhost]['state']=trim($t[4]); + break; + } + } + return $relay_hosts; +} + ?>
\ No newline at end of file diff --git a/etc/inc/xmlparse.inc b/etc/inc/xmlparse.inc index c1ab5cd..49ebb0e 100644 --- a/etc/inc/xmlparse.inc +++ b/etc/inc/xmlparse.inc @@ -36,9 +36,9 @@ function listtags() { * I know it's a pain, but it's a pain to find stuff too if it's not */ $ret = explode(" ", - "alias aliasurl allowedip authserver bridged ca cacert cert crl clone config ". - "container columnitem build_port_path depends_on_package disk dnsserver dnsupdate ". - "domainoverrides dyndns earlyshellcmd element encryption-algorithm-option ". + "alias aliasurl allowedip allowedhostname authserver bridged ca cacert cert crl ". + "clone config container columnitem build_port_path depends_on_package disk dnsserver ". + "dnsupdate domainoverrides dyndns earlyshellcmd element encryption-algorithm-option ". "field fieldname hash-algorithm-option gateway_item gateway_group gif gre ". "group hosts member ifgroupentry igmpentry interface_array item key lagg " . "lbaction lbpool l7rules lbprotocol ". @@ -47,7 +47,7 @@ function listtags() { "option package passthrumac phase1 phase2 ppp pppoe priv proxyarpnet qinqentry queue ". "pages pipe roll route row rrddatafile rule schedule service servernat servers ". "serversdisabled earlyshellcmd shellcmd staticmap subqueue timerange ". - "tunnel user vip virtual_server vlan winsserver wolentry widget" + "tunnel user vip virtual_server vlan winsserver wolentry widget npt" ); return $ret; } @@ -229,7 +229,7 @@ function dump_xml_config_sub($arr, $indent) { $xmlconfig .= str_repeat("\t", $indent); if((is_bool($cval) && $cval == true) || ($cval === "")) { $xmlconfig .= "<$ent/>\n"; - } else if (substr($ent, 0, 5) == "descr") { + } else if ((substr($ent, 0, 5) == "descr") || (substr($ent, 0, 6) == "detail")) { $xmlconfig .= "<$ent><![CDATA[" . htmlentities($cval) . "]]></$ent>\n"; } else { $xmlconfig .= "<$ent>" . htmlentities($cval) . "</$ent>\n"; @@ -253,7 +253,7 @@ function dump_xml_config_sub($arr, $indent) { $xmlconfig .= "<$ent/>\n"; } else if (!is_bool($val)) { $xmlconfig .= str_repeat("\t", $indent); - if (substr($ent, 0, 5) == "descr") + if ((substr($ent, 0, 5) == "descr") || (substr($ent, 0, 6) == "detail")) $xmlconfig .= "<$ent><![CDATA[" . htmlentities($val) . "]]></$ent>\n"; else $xmlconfig .= "<$ent>" . htmlentities($val) . "</$ent>\n"; diff --git a/etc/inc/xmlreader.inc b/etc/inc/xmlreader.inc index 173a59f..1caa6ea 100644 --- a/etc/inc/xmlreader.inc +++ b/etc/inc/xmlreader.inc @@ -51,7 +51,7 @@ function listtags() { "option package passthrumac phase1 phase2 ppp pppoe priv proxyarpnet qinqentry queue ". "pages pipe roll route row rrddatafile rule schedule service servernat servers ". "serversdisabled earlyshellcmd shellcmd staticmap subqueue timerange ". - "tunnel user vip virtual_server vlan winsserver wolentry widget" + "tunnel user vip virtual_server vlan winsserver wolentry widget npt" ); return array_flip($ret); } diff --git a/etc/inc/xmlrpc.inc b/etc/inc/xmlrpc.inc index ef4fc19..ae725e5 100644 --- a/etc/inc/xmlrpc.inc +++ b/etc/inc/xmlrpc.inc @@ -139,4 +139,4 @@ function xmlrpc_auth(&$params) { return false; } -?> +?>
\ No newline at end of file diff --git a/etc/inc/xmlrpc_client.inc b/etc/inc/xmlrpc_client.inc index 5a9f559..80bf7c8 100644 --- a/etc/inc/xmlrpc_client.inc +++ b/etc/inc/xmlrpc_client.inc @@ -228,7 +228,7 @@ if (function_exists('mb_ereg')) { * which can cause PHP's SAX-based XML parser to break? * @global boolean $GLOBALS['XML_RPC_auto_base64'] */ -$GLOBALS['XML_RPC_auto_base64'] = false; +$GLOBALS['XML_RPC_auto_base64'] = true; /** |
