diff options
author | Vinicius Coque <vinicius.coque@bluepex.com> | 2011-06-07 10:47:29 -0300 |
---|---|---|
committer | Vinicius Coque <vinicius.coque@bluepex.com> | 2011-06-07 10:47:29 -0300 |
commit | d8012adbce60d9a90dac54e5b7832f8fa7e82fb6 (patch) | |
tree | 1922288b0151aacb26a3091e9507f858473e3a22 /etc/inc | |
parent | 669113f9d12a43391cd480390dfbfbecf55d544e (diff) | |
parent | 3f8a13e051d17b6240f30f9a0c284baa3a0559ac (diff) | |
download | pfsense-d8012adbce60d9a90dac54e5b7832f8fa7e82fb6.zip pfsense-d8012adbce60d9a90dac54e5b7832f8fa7e82fb6.tar.gz |
Merge remote-tracking branch 'mainline/master' into inc
Conflicts:
etc/inc/voucher.inc
usr/local/www/fbegin.inc
Diffstat (limited to 'etc/inc')
-rw-r--r-- | etc/inc/captiveportal.inc | 56 | ||||
-rw-r--r-- | etc/inc/dyndns.class | 85 | ||||
-rw-r--r-- | etc/inc/filter.inc | 23 | ||||
-rw-r--r-- | etc/inc/globals.inc | 2 | ||||
-rw-r--r-- | etc/inc/gwlb.inc | 2 | ||||
-rw-r--r-- | etc/inc/ipsec.inc | 4 | ||||
-rw-r--r-- | etc/inc/openvpn.inc | 13 | ||||
-rw-r--r-- | etc/inc/pfsense-utils.inc | 38 | ||||
-rw-r--r-- | etc/inc/pkg-utils.inc | 6 | ||||
-rw-r--r-- | etc/inc/priv.defs.inc | 6 | ||||
-rw-r--r-- | etc/inc/system.inc | 8 | ||||
-rw-r--r-- | etc/inc/upgrade_config.inc | 7 | ||||
-rw-r--r-- | etc/inc/voucher.inc | 357 | ||||
-rw-r--r-- | etc/inc/vpn.inc | 11 |
14 files changed, 389 insertions, 229 deletions
diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc index 4ebb010..5d6074e 100644 --- a/etc/inc/captiveportal.inc +++ b/etc/inc/captiveportal.inc @@ -809,12 +809,11 @@ function captiveportal_disconnect($dbent, $radiusservers,$term_cause = 1,$stop_t captiveportal_free_ipfw_ruleno($dbent[1]); // XMLRPC Call over to the master Voucher node - $a_voucher = &$config['voucher']; - if(!empty($a_voucher['vouchersyncdbip'])) { - $syncip = $a_voucher['vouchersyncdbip']; - $syncport = $a_voucher['vouchersyncport']; - $syncpass = $a_voucher['vouchersyncpass']; - $vouchersyncusername = $a_voucher['vouchersyncusername']; + if(!empty($config['voucher']['vouchersyncdbip'])) { + $syncip = $config['voucher']['vouchersyncdbip']; + $syncport = $config['voucher']['vouchersyncport']; + $syncpass = $config['voucher']['vouchersyncpass']; + $vouchersyncusername = $config['voucher']['vouchersyncusername']; $remote_status = xmlrpc_sync_voucher_disconnect($dben, $syncip, $syncport, $syncpass, $vouchersyncusername, $term_cause, $stop_time); } @@ -827,18 +826,15 @@ function captiveportal_disconnect_client($sessionid, $term_cause = 1, $logoutRea $radiusservers = captiveportal_get_radius_servers(); $unsetindex = array(); - $cpdblck = lock('captiveportaldb', LOCK_EX); - /* read database */ - $cpdb = captiveportal_read_db(true); + $cpdb = captiveportal_read_db(); /* find entry */ if (isset($cpdb[$sessionid])) { $cpentry = $cpdb[$sessionid]; /* write database */ $unsetindex[] = $sessionid; - captiveportal_write_db($cpdb, true, $unsetindex); - unlock($cpdblck); + captiveportal_write_db($cpdb, false, $unsetindex); captiveportal_disconnect($cpentry, $radiusservers, $term_cause); captiveportal_logportalauth($cpentry[4], $cpentry[3], $cpentry[2], "DISCONNECT"); @@ -1115,29 +1111,29 @@ function captiveportal_init_radius_servers() { /* read RADIUS servers into array */ function captiveportal_get_radius_servers() { - global $g; - - $cprdsrvlck = lock('captiveportalradius'); - if (file_exists("{$g['vardb_path']}/captiveportal_radius.db")) { - $radiusservers = array(); - $cpradiusdb = file("{$g['vardb_path']}/captiveportal_radius.db", - FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); - if ($cpradiusdb) { - foreach($cpradiusdb as $cpradiusentry) { - $line = trim($cpradiusentry); - if ($line) { - $radsrv = array(); - list($radsrv['ipaddr'],$radsrv['port'],$radsrv['acctport'],$radsrv['key']) = explode(",",$line); - $radiusservers[] = $radsrv; - } + global $g; + + $cprdsrvlck = lock('captiveportalradius'); + if (file_exists("{$g['vardb_path']}/captiveportal_radius.db")) { + $radiusservers = array(); + $cpradiusdb = file("{$g['vardb_path']}/captiveportal_radius.db", + FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); + if ($cpradiusdb) { + foreach($cpradiusdb as $cpradiusentry) { + $line = trim($cpradiusentry); + if ($line) { + $radsrv = array(); + list($radsrv['ipaddr'],$radsrv['port'],$radsrv['acctport'],$radsrv['key']) = explode(",",$line); + $radiusservers[] = $radsrv; } } - unlock($cprdsrvlck); - return $radiusservers; } - unlock($cprdsrvlck); - return false; + return $radiusservers; + } + + unlock($cprdsrvlck); + return false; } /* log successful captive portal authentication to syslog */ diff --git a/etc/inc/dyndns.class b/etc/inc/dyndns.class index 01209b9..07fdf95 100644 --- a/etc/inc/dyndns.class +++ b/etc/inc/dyndns.class @@ -98,7 +98,9 @@ $this->_debugFile = "{$g['varetc_path']}/dyndns_{$dnsIf}{$dnsService}" . escapeshellarg($dnsHost) . ".debug"; log_error("DynDns: updatedns() starting"); - + + $dyndnslck = lock($dnsHost, LOCK_EX); + if (!$dnsService) $this->_error(2); switch ($dnsService) { case 'freedns': @@ -128,6 +130,7 @@ // Ensure that we where able to lookup the IP if(!is_ipaddr($this->_ifIP)) { log_error("There was an error trying to determine the IP for interface - {$dnsIf}({$this->_if}). Probably interface has no ip or is down. Dyndns update not possible for {$dnsService}."); + unlock($dyndnslck); return; } @@ -162,6 +165,8 @@ break; } } + + unlock($dyndnslck); } /* @@ -178,7 +183,7 @@ curl_setopt($ch, CURLOPT_USERAGENT, $this->_UserAgent); curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); curl_setopt($ch, CURLOPT_INTERFACE, $this->_ifIP); - curl_setopt($ch, CURLOPT_TIMEOUT, 60); // Completely empirical + curl_setopt($ch, CURLOPT_TIMEOUT, 120); // Completely empirical } switch ($this->_dnsService) { @@ -197,10 +202,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server .$port . '?system=dyndns&hostname=' . $this->_dnsHost . '&myip=' . $this->_dnsIP . '&wildcard='.$this->_dnsWildcard . '&mx=' . $this->_dnsMX . '&backmx=NO'); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'dhs': $needsIP = TRUE; @@ -228,10 +229,6 @@ curl_setopt($ch, CURLOPT_URL, '{$server}{$port}'); curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser.':'.$this->_dnsPass); curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'noip': $needsIP = TRUE; @@ -243,10 +240,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server . $port . '?username=' . urlencode($this->_dnsUser) . '&pass=' . urlencode($this->_dnsPass) . '&hostname=' . $this->_dnsHost.'&ip=' . $this->_dnsIP); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'easydns': $needsIP = TRUE; @@ -259,10 +252,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server . $port . '?hostname=' . $this->_dnsHost . '&myip=' . $this->_dnsIP . '&wildcard=' . $this->_dnsWildcard . '&mx=' . $this->_dnsMX . '&backmx=' . $this->_dnsBackMX); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'hn': $needsIP = TRUE; @@ -275,10 +264,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server . $port . '?ver=1&IP=' . $this->_dnsIP); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'zoneedit': $needsIP = FALSE; @@ -293,11 +278,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, "{$server}{$port}?host=" .$this->_dnsHost); - - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'dyns': $needsIP = FALSE; @@ -308,10 +288,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server . $port . '?username=' . urlencode($this->_dnsUser) . '&password=' . $this->_dnsPass . '&host=' . $this->_dnsHost); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'ods': $needsIP = FALSE; @@ -349,33 +325,21 @@ break; } } - $this->_checkStatus($code); + $this->_checkStatus(0, $code); break; case 'freedns': $needIP = FALSE; curl_setopt($ch, CURLOPT_URL, 'http://freedns.afraid.org/dynamic/update.php?' . $this->_dnsPass); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'dnsexit': $needsIP = TRUE; curl_setopt($ch, CURLOPT_URL, 'http://www.dnsexit.com/RemoteUpdate.sv?login='.$this->_dnsUser. '&password='.$this->_dnsPass.'&host='.$this->_dnsHost.'&myip='.$this->_dnsIP); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred:" . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'loopia': $needsIP = TRUE; curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser.':'.$this->_dnsPass); curl_setopt($ch, CURLOPT_URL, 'https://dns.loopia.se/XDynDNSServer/XDynDNS.php?hostname='.$this->_dnsHost.'&myip='.$this->_dnsIP); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'opendns': $needsIP = FALSE; @@ -389,19 +353,11 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server .$port); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'staticcling': $needsIP = FALSE; curl_setopt($ch, CURLOPT_URL, 'http://www.staticcling.org/update.html?login='.$this->_dnsUser.'&pass='.$this->_dnsPass); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occured: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'dnsomatic': /* Example syntax @@ -418,10 +374,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server . $this->_dnsHost . '&myip=' . $this->_dnsIP . '&wildcard='.$this->_dnsWildcard . '&mx=' . $this->_dnsMX . '&backmx=NOCHG'); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Request completed. DNS-O-Matic reported: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'namecheap': /* Example: @@ -433,10 +385,6 @@ list($hostname, $domain) = explode(".", $this->_dnsHost, 2); $server = "https://dynamicdns.park-your-domain.com/update?host={$hostname}&domain={$domain}&password={$this->_dnsPass}&ip={$this->_dnsIP}"; curl_setopt($ch, CURLOPT_URL, $server); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'he-net': $needsIP = FALSE; @@ -445,14 +393,15 @@ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsHost . ':' . $this->_dnsPass); curl_setopt($ch, CURLOPT_URL, $server . 'hostname=' . $this->_dnsHost); - $data = curl_exec($ch); - if(@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; default: break; } + if ($this->_dnsService != 'ods') { + $data = curl_exec($ch); + $this->_checkStatus($ch, $data); + @curl_close($ch); + } } /* @@ -463,6 +412,12 @@ log_error("DynDns: DynDns _checkStatus() starting."); log_error("DynDns: Current Service: {$this->_dnsService}"); $successful_update = false; + if ($this->_dnsService != 'ods' && @curl_error($ch)) { + $status = "Curl error occurred: " . curl_error($ch); + log_error($status); + $this->status = $status; + return; + } switch ($this->_dnsService) { case 'dnsomatic': if (preg_match('/badauth/i', $data)) { @@ -961,7 +916,7 @@ curl_setopt($ip_ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ip_ch, CURLOPT_INTERFACE, $ip_address); curl_setopt($ip_ch, CURLOPT_CONNECTTIMEOUT, '30'); - curl_setopt($ip_ch, CURLOPT_TIMEOUT, 60); + curl_setopt($ip_ch, CURLOPT_TIMEOUT, 120); $ip_result_page = curl_exec($ip_ch); curl_close($ip_ch); $ip_result_decoded = urldecode($ip_result_page); diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 78ad19f..e5bc59a 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -430,7 +430,7 @@ function filter_generate_scrubing() { } /* disable scrub option */ foreach ($FilterIflist as $scrubif => $scrubcfg) { - if(isset($scrubcfg['virtual'])) + if(isset($scrubcfg['virtual']) || empty($scrubcfg['descr'])) continue; /* set up MSS clamping */ if($scrubcfg['mss'] <> "" && is_numeric($scrubcfg['mss']) && $scrubcfg['if'] != "pppoe" && $scrubcfg['if'] != "pptp" && @@ -519,7 +519,7 @@ function filter_generate_aliases() { $aliases .= "{$ifcfg[0]['descr']} = \"{ {$ifcfg[0]['if']}"; $aliases .= " }\"\n"; } - } else { + } elseif (!empty($ifcfg['descr']) && !empty($ifcfg['if'])) { $aliases .= "{$ifcfg['descr']} = \"{ {$ifcfg['if']}"; $aliases .= " }\"\n"; } @@ -802,8 +802,8 @@ function filter_generate_optcfg_array() { $oic['virtual'] = true; $FilterIflist['l2tp'] = $oic; } - if (is_array($config['pppoes']['pppoe'])) { - $FilterIflist['pppoe'] = array(); + if (is_array($config['pppoes']['pppoe']) && (count($config['pppoes']['pppoe']) > 0)) { + $pppoeifs = array(); foreach($config['pppoes']['pppoe'] as $pppoe) { if ($pppoe['mode'] == "server") { $oic = array(); @@ -817,9 +817,11 @@ function filter_generate_optcfg_array() { $oic['sn'] = $pppoe['pppoe_subnet']; else $oic['sn'] = "32"; - $FilterIflist['pppoe'][] = $oic; + $pppoeifs[] = $oic; } } + if (count($pppoeifs)) + $FilterIflist['pppoe'] = $pppoeifs; } /* add ipsec interfaces */ if(isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])) { @@ -1383,6 +1385,12 @@ function filter_nat_rules_generate() { } } } + /* IPsec mode_cfg subnet */ + if (isset($config['ipsec']['client']['enable']) && + !empty($config['ipsec']['client']['pool_address']) && + !empty($config['ipsec']['client']['pool_netbits'])) { + $tonathosts .= "{$config['ipsec']['client']['pool_address']}/{$config['ipsec']['client']['pool_netbits']} "; + } $natrules .= "\n# Subnets to NAT \n"; $tonathosts .= "127.0.0.0/8 "; if($numberofnathosts > 4) { @@ -1744,6 +1752,11 @@ function filter_generate_user_rule($rule) { } else if(!array_key_exists($rule['interface'], $FilterIflist)) { foreach($FilterIflist as $oc) $item .= $oc['descr']; return "# {$item} {$rule['interface']} array key does not exist for " . $rule['descr']; + } else if((array_key_exists($rule['interface'], $FilterIflist)) + && (is_array($FilterIflist[$rule['interface']])) + && (is_array($FilterIflist[$rule['interface']][0]))) { + /* Currently this only case for this is the pppoe server. There should be an existing macro with this name. */ + $aline['interface'] = " on \$" . $rule['interface'] . " "; } else $aline['interface'] = " on \$" . $FilterIflist[$rule['interface']]['descr'] . " "; $ifcfg = $FilterIflist[$rule['interface']]; diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc index 7037933..6993148 100644 --- a/etc/inc/globals.inc +++ b/etc/inc/globals.inc @@ -91,7 +91,7 @@ $g = array( "disablecrashreporter" => false, "crashreporterurl" => "http://crashreporter.pfsense.org/crash_reporter.php", "debug" => false, - "latest_config" => "7.8", + "latest_config" => "7.9", "nopkg_platforms" => array("cdrom"), "minimum_ram_warning" => "101", "minimum_ram_warning_text" => "128 MB", diff --git a/etc/inc/gwlb.inc b/etc/inc/gwlb.inc index f5c35ca..097b1ff 100644 --- a/etc/inc/gwlb.inc +++ b/etc/inc/gwlb.inc @@ -367,7 +367,7 @@ function return_gateway_groups_array() { $gateways_arr = return_gateways_array(); $gateway_groups_array = array(); - if (0) { + if (isset($config['system']['gw_switch_default'])) { /* * NOTE: The code below is meant to replace the default gateway when it goes down. * This facilitates services running on pfSense itself and are not handled by a PBR to continue working. diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc index 6040de6..6f8e0d0 100644 --- a/etc/inc/ipsec.inc +++ b/etc/inc/ipsec.inc @@ -449,6 +449,10 @@ function ipsec_dump_sad() case 3: $cursa['aalgo'] = $linea[1]; break; + case 8: + $sadata = explode("(", $linea[1]); + $cursa['data'] = $sadata[0] . " B"; + break; } } $i++; diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc index 4ba2f3f..cb35d99 100644 --- a/etc/inc/openvpn.inc +++ b/etc/inc/openvpn.inc @@ -367,8 +367,8 @@ function openvpn_reconfigure($mode, $settings) { // server specific settings if ($mode == 'server') { - list($ip, $mask) = explode('/', $settings['tunnel_network']); - $mask = gen_subnet_mask($mask); + list($ip, $cidr) = explode('/', $settings['tunnel_network']); + $mask = gen_subnet_mask($cidr); // configure tls modes switch($settings['mode']) { @@ -383,8 +383,13 @@ function openvpn_reconfigure($mode, $settings) { // configure p2p/server modes switch($settings['mode']) { case 'p2p_tls': - $conf .= "server {$ip} {$mask}\n"; - $conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n"; + // If the CIDR is less than a /30, OpenVPN will complain if you try to + // use the server directive. It works for a single client without it. + // See ticket #1417 + if ($cidr < 30) { + $conf .= "server {$ip} {$mask}\n"; + $conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n"; + } case 'p2p_shared_key': $baselong = ip2long32($ip) & ip2long($mask); $ip1 = long2ip32($baselong + 1); diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index b2897dd..bbdf7c8 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc @@ -2207,4 +2207,42 @@ function load_mac_manufacturer_table() { } +/****f* pfsense-utils/is_ipaddr_configured + * NAME + * is_ipaddr_configured + * INPUTS + * IP Address to check. + * RESULT + * returns true if the IP Address is + * configured and present on this device. +*/ +function is_ipaddr_configured($ipaddr) { + $interface_list_ips = get_configured_ip_addresses(); + foreach($interface_list_ips as $ilips) { + if(strcasecmp($ipaddr, $ilips) == 0) + return true; + } +} + +/****f* pfsense-utils/pfSense_handle_custom_code + * NAME + * pfSense_handle_custom_code + * INPUTS + * directory name to process + * RESULT + * globs the directory and includes the files + */ +function pfSense_handle_custom_code($src_dir) { + // Allow extending of the nat edit page and include custom input validation + if(is_dir("$src_dir")) { + $cf = glob($src_dir . "/*.inc"); + foreach($cf as $nf) { + if($nf == "." || $nf == "..") + continue; + // Include the extra handler + include("$nf"); + } + } +} + ?> diff --git a/etc/inc/pkg-utils.inc b/etc/inc/pkg-utils.inc index 1798f85..b735375 100644 --- a/etc/inc/pkg-utils.inc +++ b/etc/inc/pkg-utils.inc @@ -141,10 +141,10 @@ function get_pkg_id($pkg_name) { /****f* pkg-utils/get_pkg_info * NAME - * get_pkg_info - Retrive package information from pfsense.com. + * get_pkg_info - Retrieve package information from pfsense.com. * INPUTS - * $pkgs - 'all' to retrive all packages, an array containing package names otherwise - * $info - 'all' to retrive all information, an array containing keys otherwise + * $pkgs - 'all' to retrieve all packages, an array containing package names otherwise + * $info - 'all' to retrieve all information, an array containing keys otherwise * RESULT * $raw_versions - Array containing retrieved information, indexed by package name. ******/ diff --git a/etc/inc/priv.defs.inc b/etc/inc/priv.defs.inc index 335c681..c3db0cb 100644 --- a/etc/inc/priv.defs.inc +++ b/etc/inc/priv.defs.inc @@ -955,6 +955,12 @@ $priv_list['page-system-usermanager']['descr'] = gettext("Allow access to the 'S $priv_list['page-system-usermanager']['match'] = array(); $priv_list['page-system-usermanager']['match'][] = "system_usermanager.php*"; +$priv_list['page-system-usermanager-passwordmg'] = array(); +$priv_list['page-system-usermanager-passwordmg']['name'] = "WebCfg - System: User Password Manager page"; +$priv_list['page-system-usermanager-passwordmg']['descr'] = "Allow access to the 'System: User Password Manager' page."; +$priv_list['page-system-usermanager-passwordmg']['match'] = array(); +$priv_list['page-system-usermanager-passwordmg']['match'][] = "system_usermanager_passwordmg.php*"; + $priv_list['page-system-usermanager_addcert'] = array(); $priv_list['page-system-usermanager_addcert']['name'] = gettext("WebCfg - System: User Manager: Add Certificate"); $priv_list['page-system-usermanager_addcert']['descr'] = gettext("Allow access to the 'User Manager: Add Certificate' page."); diff --git a/etc/inc/system.inc b/etc/inc/system.inc index ea0be9b..bf69eda 100644 --- a/etc/inc/system.inc +++ b/etc/inc/system.inc @@ -116,9 +116,12 @@ function system_resolvconf_generate($dynupdate = false) { } } + $dnslock = lock('resolvconf', LOCK_EX); + $fd = fopen("{$g['varetc_path']}/resolv.conf", "w"); if (!$fd) { printf("Error: cannot open resolv.conf in system_resolvconf_generate().\n"); + unlock($dnslock); return 1; } @@ -148,7 +151,9 @@ function system_resolvconf_generate($dynupdate = false) { } } } - + + unlock($dnslock); + return 0; } @@ -1251,6 +1256,7 @@ function system_reboot_cleanup() { captiveportal_radius_stop_all(); require_once("voucher.inc"); voucher_save_db_to_config(); + // mwexec("/etc/rc.stop_packages"); } function system_do_shell_commands($early = 0) { diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc index 60490aa..714e11d 100644 --- a/etc/inc/upgrade_config.inc +++ b/etc/inc/upgrade_config.inc @@ -2490,4 +2490,11 @@ function upgrade_077_to_078() { $config['pptpd']['radius'] = $radarr; } } + +function upgrade_078_to_079() { + global $g; + /* Delete old and unused RRD file */ + unlink_if_exists("{$g['vardb_path']}/rrd/captiveportal-totalusers.rrd"); +} + ?> diff --git a/etc/inc/voucher.inc b/etc/inc/voucher.inc index f7f5b01..dda49d2 100644 --- a/etc/inc/voucher.inc +++ b/etc/inc/voucher.inc @@ -37,6 +37,53 @@ if(!function_exists('captiveportal_syslog')) require_once("captiveportal.inc"); +function xmlrpc_sync_voucher_expire($vouchers, $syncip, $port, $password, $username) { + global $g, $config; + require_once("xmlrpc.inc"); + if($port == "443") + $url = "https://{$syncip}"; + else + $url = "http://{$syncip}"; + + /* Construct code that is run on remote machine */ + $method = 'pfsense.exec_php'; + $execcmd = <<<EOF + require_once('/etc/inc/captiveportal.inc'); + require_once('/etc/inc/voucher.inc'); + voucher_expire(\$vouchers); + +EOF; + + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + + log_error("Captive Portal Voucher XMLRPC sync data {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, "250"); + if(!is_object($resp)) { + $error = "A communications error occurred while attempting CaptivePortalVoucherSync XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + log_error($error); + file_notice("CaptivePortalVoucherSync", $error, "Communications error occurred", ""); + return false; + } elseif($resp->faultCode()) { + $error = "An error code was received while attempting CaptivePortalVoucherSync XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("CaptivePortalVoucherSync", $error, "Error code received", ""); + return false; + } else { + log_error("CaptivePortalVoucherSync XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); + } + + $toreturn = XML_RPC_Decode($resp->value()); + + return $toreturn; +} + function xmlrpc_sync_voucher_disconnect($dbent, $syncip, $port, $password, $username, $term_cause = "1", $stop_time = null) { global $g, $config; require_once("xmlrpc.inc"); @@ -138,6 +185,93 @@ EOF; return $toreturn['timeleft']; } +function voucher_expire($voucher_received) { + global $g, $config; + + $voucherlck = lock('voucher', LOCK_EX); + + // XMLRPC Call over to the master Voucher node + if(!empty($config['voucher']['vouchersyncdbip'])) { + $syncip = $config['voucher']['vouchersyncdbip']; + $syncport = $config['voucher']['vouchersyncport']; + $syncpass = $config['voucher']['vouchersyncpass']; + $vouchersyncusername = $config['voucher']['vouchersyncusername']; + xmlrpc_sync_voucher_expire($voucher_received, $syncip, $syncport, $syncpass, $vouchersyncusername); + } + + // read rolls into assoc array with rollid as key and minutes as value + $tickets_per_roll = array(); + $minutes_per_roll = array(); + if (is_array($config['voucher']['roll'])) { + foreach ($config['voucher']['roll'] as $rollent) { + $tickets_per_roll[$rollent['number']] = $rollent['count']; + $minutes_per_roll[$rollent['number']] = $rollent['minutes']; + } + } + + // split into an array. Useful for multiple vouchers given + $a_vouchers_received = split("[\t\n\r ]+",$voucher_received); + $active_dirty = false; + + // go through all received vouchers, check their valid and extract + // Roll# and Ticket# using the external readvoucher binary + foreach ($a_vouchers_received as $voucher) { + $v = escapeshellarg($voucher); + if (strlen($voucher) < 3) + continue; // seems too short to be a voucher! + + $result = exec("/usr/local/bin/voucher -c {$g['varetc_path']}/voucher.cfg -k {$g['varetc_path']}/voucher.public -- $v"); + list($status, $roll, $nr) = explode(" ", $result); + if ($status == "OK") { + // check if we have this ticket on a registered roll for this ticket + if ($tickets_per_roll[$roll] && ($nr <= $tickets_per_roll[$roll])) { + // voucher is from a registered roll. + if (!isset($active_vouchers[$roll])) + $active_vouchers[$roll] = voucher_read_active_db($roll); + // valid voucher. Store roll# and ticket# + if (!empty($active_vouchers[$roll][$voucher])) { + $active_dirty = true; + unset($active_vouchers[$roll][$voucher]); + } + // check if voucher already marked as used + if (!isset($bitstring[$roll])) + $bitstring[$roll] = voucher_read_used_db($roll); + $pos = $nr >> 3; // divide by 8 -> octet + $mask = 1 << ($nr % 8); + // mark bit for this voucher as used + if (!(ord($bitstring[$roll][$pos]) & $mask)) + $bitstring[$roll][$pos] = chr(ord($bitstring[$roll][$pos]) | $mask); + captiveportal_syslog("{$voucher} ({$roll}/{$nr}) forced to expire"); + } else + captiveportal_syslog("$voucher ($roll/$nr): not found on any registererd Roll"); + } else + // hmm, thats weird ... not what I expected + captiveportal_syslog("$voucher invalid: $result !!"); + } + + // Refresh active DBs + if ($active_dirty == true) { + foreach ($active_vouchers as $roll => $active) + voucher_write_active_db($roll, $active); + } + + // Write back the used DB's + if (is_array($bitstring)) { + foreach ($bitstring as $roll => $used) { + if(is_array($used)) { + foreach($used as $u) + voucher_write_used_db($roll, base64_encode($u)); + } else { + voucher_write_used_db($roll, base64_encode($used)); + } + } + } + + unlock($voucherlck); + + return true; +} + /* * Authenticate a voucher and return the remaining time credit in minutes * if $test is set, don't mark the voucher as used nor add it to the list @@ -146,17 +280,16 @@ EOF; * but return a more verbose error and result message back */ function voucher_auth($voucher_received, $test = 0) { - global $g, $config; + global $g, $config; - $voucherlck = lock('voucher', LOCK_EX); + $voucherlck = lock('voucher', LOCK_EX); // XMLRPC Call over to the master Voucher node - $a_voucher = &$config['voucher']; - if(!empty($a_voucher['vouchersyncdbip'])) { - $syncip = $a_voucher['vouchersyncdbip']; - $syncport = $a_voucher['vouchersyncport']; - $syncpass = $a_voucher['vouchersyncpass']; - $vouchersyncusername = $a_voucher['vouchersyncusername']; + if(!empty($config['voucher']['vouchersyncdbip'])) { + $syncip = $config['voucher']['vouchersyncdbip']; + $syncport = $config['voucher']['vouchersyncport']; + $syncpass = $config['voucher']['vouchersyncpass']; + $vouchersyncusername = $config['voucher']['vouchersyncusername']; $remote_time_used = xmlrpc_sync_used_voucher($voucher_received, $syncip, $syncport, $syncpass, $vouchersyncusername); } @@ -170,105 +303,102 @@ function voucher_auth($voucher_received, $test = 0) { } } - // split into an array. Useful for multiple vouchers given - $a_vouchers_received = split("[\t\n\r ]+",$voucher_received); - $error = 0; - $test_result = array(); // used to display for voucher test option in GUI - $total_minutes = 0; - $first_voucher = ""; - $first_voucher_roll = 0; - - // go through all received vouchers, check their valid and extract - // Roll# and Ticket# using the external readvoucher binary - - foreach ($a_vouchers_received as $voucher) { - - $v = escapeshellarg($voucher); - if (strlen($voucher) < 3) - continue; // seems too short to be a voucher! - - $result = exec("/usr/local/bin/voucher -c {$g['varetc_path']}/voucher.cfg -k {$g['varetc_path']}/voucher.public -- $v"); - list($status, $roll, $nr) = explode(" ", $result); - if ($status == "OK") { - if (!$first_voucher) { - // store first voucher. Thats the one we give the timecredit - $first_voucher = $voucher; - $first_voucher_roll = $roll; - } - // check if we have this ticket on a registered roll for this ticket - if ($tickets_per_roll[$roll] && ($nr <= $tickets_per_roll[$roll])) { - // voucher is from a registered roll. - if (!isset($active_vouchers[$roll])) - $active_vouchers[$roll] = voucher_read_active_db($roll); - // valid voucher. Store roll# and ticket# - if (!empty($active_vouchers[$roll][$voucher])) { - list($timestamp,$minutes) = explode(",", $active_vouchers[$roll][$voucher]); - // we have an already active voucher here. - $remaining = intval((($timestamp + (60*$minutes)) - time())/60); - $test_result[] = sprintf(gettext('%1$s (%2$s/%3$s) active and good for %4$d Minutes'), $voucher, $roll, $nr, $remaining); - $total_minutes += $remaining; - } else { - // voucher not used. Check if ticket Id is on the roll (not too high) - // and if the ticket is marked used. - // check if voucher already marked as used - if (!isset($bitstring[$roll])) - $bitstring[$roll] = voucher_read_used_db($roll); - $pos = $nr >> 3; // divide by 8 -> octet - $mask = 1 << ($nr % 8); - if (ord($bitstring[$roll][$pos]) & $mask) { - $test_result[] = sprintf(gettext('%1$s (%2$s/%3$s) already used and expired'), $voucher, $roll, $nr); - captiveportal_syslog(sprintf(gettext('%1$s (%2$s/%3$s) already used and expired'), $voucher, $roll, $nr)); - $total_minutes = -1; // voucher expired - $error++; - } else { - // mark bit for this voucher as used - $bitstring[$roll][$pos] = chr(ord($bitstring[$roll][$pos]) | $mask); - $test_result[] = sprintf(gettext('%1$s (%2$s/%3$s) good for %4$d Minutes'), $voucher, $roll, $nr, $minutes_per_roll[$roll]); - $total_minutes += $minutes_per_roll[$roll]; - } - } - } else { - $test_result[] = sprintf(gettext('%1$s (%2$s/%3$s): not found on any registererd Roll'), $voucher, $roll, $nr); - captiveportal_syslog("$voucher ($roll/$nr): not found on any registererd Roll"); - } - } else { - // hmm, thats weird ... not what I expected - $test_result[] = sprintf(gettext('%1$s invalid: %2$s !!'),$voucher,$result); - captiveportal_syslog("$voucher invalid: $result !!"); - $error++; - } - } + // split into an array. Useful for multiple vouchers given + $a_vouchers_received = split("[\t\n\r ]+",$voucher_received); + $error = 0; + $test_result = array(); // used to display for voucher test option in GUI + $total_minutes = 0; + $first_voucher = ""; + $first_voucher_roll = 0; + + // go through all received vouchers, check their valid and extract + // Roll# and Ticket# using the external readvoucher binary + foreach ($a_vouchers_received as $voucher) { + $v = escapeshellarg($voucher); + if (strlen($voucher) < 3) + continue; // seems too short to be a voucher! + + $result = exec("/usr/local/bin/voucher -c {$g['varetc_path']}/voucher.cfg -k {$g['varetc_path']}/voucher.public -- $v"); + list($status, $roll, $nr) = explode(" ", $result); + if ($status == "OK") { + if (!$first_voucher) { + // store first voucher. Thats the one we give the timecredit + $first_voucher = $voucher; + $first_voucher_roll = $roll; + } + // check if we have this ticket on a registered roll for this ticket + if ($tickets_per_roll[$roll] && ($nr <= $tickets_per_roll[$roll])) { + // voucher is from a registered roll. + if (!isset($active_vouchers[$roll])) + $active_vouchers[$roll] = voucher_read_active_db($roll); + // valid voucher. Store roll# and ticket# + if (!empty($active_vouchers[$roll][$voucher])) { + list($timestamp,$minutes) = explode(",", $active_vouchers[$roll][$voucher]); + // we have an already active voucher here. + $remaining = intval((($timestamp + (60*$minutes)) - time())/60); + $test_result[] = sprintf(gettext('%1$s (%2$s/%3$s) active and good for %4$d Minutes'), $voucher, $roll, $nr, $remaining); + $total_minutes += $remaining; + } else { + // voucher not used. Check if ticket Id is on the roll (not too high) + // and if the ticket is marked used. + // check if voucher already marked as used + if (!isset($bitstring[$roll])) + $bitstring[$roll] = voucher_read_used_db($roll); + $pos = $nr >> 3; // divide by 8 -> octet + $mask = 1 << ($nr % 8); + if (ord($bitstring[$roll][$pos]) & $mask) { + $test_result[] = "$voucher ($roll/$nr) already used and expired"; + captiveportal_syslog("$voucher ($roll/$nr) already used and expired"); + $total_minutes = -1; // voucher expired + $error++; + } else { + // mark bit for this voucher as used + $bitstring[$roll][$pos] = chr(ord($bitstring[$roll][$pos]) | $mask); + $test_result[] = "$voucher ($roll/$nr) good for {$minutes_per_roll[$roll]} Minutes"; + $total_minutes += $minutes_per_roll[$roll]; + } + } + } else { + $test_result[] = "$voucher ($roll/$nr): not found on any registererd Roll"; + captiveportal_syslog("$voucher ($roll/$nr): not found on any registererd Roll"); + } + } else { + // hmm, thats weird ... not what I expected + $test_result[] = "$voucher invalid: $result !!"; + captiveportal_syslog("$voucher invalid: $result !!"); + $error++; + } + } - // if this was a test call, we're done. Return the result. - if ($test) { - if ($error) { - $test_result[] = gettext("Access denied!"); - } else { - $test_result[] = sprintf(gettext("Access granted for %d Minutes in total."), $total_minutes); - } - unlock($voucherlck); - return $test_result; - } + // if this was a test call, we're done. Return the result. + if ($test) { + if ($error) { + $test_result[] = gettext("Access denied!"); + } else { + $test_result[] = sprintf(gettext("Access granted for %d Minutes in total."),$total_minutes); + } + unlock($voucherlck); - // if we had an error (one of the vouchers is invalid), return 0. - // Discussion: we could return the time remaining for good vouchers, but then - // the user wouldn't know that he used at least one invalid voucher. + return $test_result; + } - if ($error) { + // if we had an error (one of the vouchers is invalid), return 0. + // Discussion: we could return the time remaining for good vouchers, but then + // the user wouldn't know that he used at least one invalid voucher. + if ($error) { unlock($voucherlck); - if ($total_minutes > 0) // probably not needed, but want to make sure - $total_minutes = 0; // we only report -1 (expired) or 0 (no access) - return $total_minutes; // well, at least one voucher had errors. Say NO ACCESS - } + if ($total_minutes > 0) // probably not needed, but want to make sure + $total_minutes = 0; // we only report -1 (expired) or 0 (no access) + return $total_minutes; // well, at least one voucher had errors. Say NO ACCESS + } // If we did a XMLRPC sync earlier check the timeleft - if(!empty($a_voucher['vouchersyncdbip'])) + if (!empty($config['voucher']['vouchersyncdbip'])) if($remote_time_used < $total_minutes) $total_minutes = $remote_time_used; - // All given vouchers were valid and this isn't simply a test. - // Write back the used DB's - + // All given vouchers were valid and this isn't simply a test. + // Write back the used DB's if (is_array($bitstring)) { foreach ($bitstring as $roll => $used) { if(is_array($used)) { @@ -280,24 +410,23 @@ function voucher_auth($voucher_received, $test = 0) { } } - // Active DB: we only add the first voucher if multiple given - // and give that one all the time credit. This allows the user to logout and - // log in later using just the first voucher. It also keeps username limited - // to one voucher and that voucher shows the correct time credit in 'active vouchers' - - if (!empty($active_vouchers[$first_voucher_roll][$first_voucher])) { - list($timestamp, $minutes) = explode(",", $active_vouchers[$first_voucher_roll][$first_voucher]); - } else { - $timestamp = time(); // new voucher - $minutes = $total_minutes; - } + // Active DB: we only add the first voucher if multiple given + // and give that one all the time credit. This allows the user to logout and + // log in later using just the first voucher. It also keeps username limited + // to one voucher and that voucher shows the correct time credit in 'active vouchers' + if (!empty($active_vouchers[$first_voucher_roll][$first_voucher])) { + list($timestamp, $minutes) = explode(",", $active_vouchers[$first_voucher_roll][$first_voucher]); + } else { + $timestamp = time(); // new voucher + $minutes = $total_minutes; + } - $active_vouchers[$first_voucher_roll][$first_voucher] = "$timestamp,$minutes"; - voucher_write_active_db($roll, $active_vouchers[$first_voucher_roll]); + $active_vouchers[$first_voucher_roll][$first_voucher] = "$timestamp,$minutes"; + voucher_write_active_db($roll, $active_vouchers[$first_voucher_roll]); - unlock($voucherlck); + unlock($voucherlck); - return $total_minutes; + return $total_minutes; } function voucher_configure($sync = false) { @@ -430,6 +559,8 @@ function voucher_read_active_db($roll) { function voucher_write_active_db($roll, $active) { global $g; + if (!is_array($active)) + return; $fd = fopen("{$g['vardb_path']}/voucher_active_$roll.db", "w"); if ($fd) { foreach($active as $voucher => $value) diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index 455c07d..bd985b2 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -481,7 +481,7 @@ function vpn_ipsec_configure($ipchg = false) $natt = $ph1ent['nat_traversal']; $init = "on"; - $genp = "off"; + $genp = !empty($ph1ent['generate_policy']) ? $ph1ent['generate_policy'] : "off"; $pcheck = !empty($ph1ent['proposal_check']) ? $ph1ent['proposal_check'] : $pcheck = "claim"; $passive = ""; if (isset($ph1ent['mobile'])) { @@ -490,10 +490,10 @@ function vpn_ipsec_configure($ipchg = false) /* Mimic 1.2.3's behavior for pure-psk mobile tunnels */ if ($ph1ent['authentication_method'] == "pre_shared_key") { $pcheck = !empty($ph1ent['proposal_check']) ? $ph1ent['proposal_check'] : $pcheck = "obey"; - $genp = "on"; + $genp = !empty($ph1ent['generate_policy']) ? $ph1ent['generate_policy'] : "on"; } else { $init = "off"; - $genp = "unique"; + $genp = !empty($ph1ent['generate_policy']) ? $ph1ent['generate_policy'] : "unique"; } } @@ -864,8 +864,7 @@ EOD; /* FIXME: does adding route-to and reply-to on the in/outbound * rules fix this? smos@ 13-01-2009 */ // log_error("IPSEC interface is not WAN but {$parentinterface}, adding static route for VPN endpoint {$rgip} via {$gatewayip}"); - mwexec("/sbin/route delete -host {$rgip}"); - mwexec("/sbin/route add -host {$rgip} {$gatewayip}"); + mwexec("/sbin/route delete -host {$rgip}; /sbin/route add -host {$rgip} {$gatewayip}", true); } } } @@ -913,7 +912,7 @@ EOD; $hostnames = ""; array_unique($filterdns_list); foreach ($filterdns_list as $hostname) - $hostnames .= "cmd {$hostname} '/etc/rc.newipsecdns'\n"; + $hostnames .= "cmd {$hostname} '/usr/local/sbin/pfSctl -c \"service reload ipsecdns\"'\n"; file_put_contents("{$g['varetc_path']}/filterdns-ipsec.hosts", $hostnames); killbypid("{$g['varrun_path']}/filterdns-ipsec.pid"); |