author | Seth Mos <seth.mos@dds.nl> | 2011-04-12 10:39:20 +0200 |
---|---|---|
committer | Seth Mos <seth.mos@dds.nl> | 2011-04-12 10:39:20 +0200 |
commit | 86966fba757f554967773f518ef707f461b84636 (patch) | |
tree | 90318ca3a7fe4151b851ec768055d095b8bc01be /etc/inc | |
parent | d68647a11a553ad6bec1993385196b4ecdba5a46 (diff) | |
parent | d7f4030ad861859312c20510bbe788be67c2454b (diff) | |
Merge remote branch 'upstream/master'
Conflicts:
etc/inc/filter.inc
usr/local/www/themes/the_wall/rrdcolors.inc.php
Diffstat (limited to 'etc/inc')
-rw-r--r-- | etc/inc/certs.inc | 6 | ||||
-rw-r--r-- | etc/inc/config.lib.inc | 3 | ||||
-rw-r--r-- | etc/inc/easyrule.inc | 2 | ||||
-rw-r--r-- | etc/inc/filter.inc | 26 | ||||
-rw-r--r-- | etc/inc/openvpn.inc | 10 | ||||
-rw-r--r-- | etc/inc/rrd.inc | 6 | ||||
-rw-r--r-- | etc/inc/shaper.inc | 52 | ||||
-rw-r--r-- | etc/inc/upgrade_config.inc | 138 | ||||
-rw-r--r-- | etc/inc/xmlrpc.inc | 36 |
9 files changed, 221 insertions, 58 deletions
diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc index 8d5604f..2b192c1 100644 --- a/etc/inc/certs.inc +++ b/etc/inc/certs.inc @@ -121,13 +121,14 @@ function ca_chain(& $cert) { return ""; } -function ca_import(& $ca, $str, $key="") { +function ca_import(& $ca, $str, $key="", $serial=0) { global $config; $ca['crt'] = base64_encode($str); if (!empty($key)) $ca['prv'] = base64_encode($key); - + if (!empty($serial)) + $ca['serial'] = $serial; $subject = cert_get_subject($str, false); $issuer = cert_get_issuer($str, false); @@ -355,6 +356,7 @@ function cert_get_issuer($str_crt, $decode = true) { $inf_crt = openssl_x509_parse($str_crt); $components = $inf_crt['issuer']; + ksort($components); if (!is_array($components)) return "unknown"; foreach ($components as $a => $v) { diff --git a/etc/inc/config.lib.inc b/etc/inc/config.lib.inc index 11e1ec3..1b7766a 100644 --- a/etc/inc/config.lib.inc +++ b/etc/inc/config.lib.inc @@ -404,7 +404,8 @@ function convert_config() { $cur = $config['version'] * 10; $next = $cur + 1; $migration_function = sprintf('upgrade_%03d_to_%03d', $cur, $next); - $migration_function(); + if (function_exists($migration_function)) + $migration_function(); $migration_function = "{$migration_function}_custom"; if (function_exists($migration_function)) $migration_function(); diff --git a/etc/inc/easyrule.inc b/etc/inc/easyrule.inc index 63be652..094bc83 100644 --- a/etc/inc/easyrule.inc +++ b/etc/inc/easyrule.inc @@ -53,7 +53,7 @@ function easyrule_find_rule_interface($int) { $iflist['l2tp'] = "L2TP VPN"; /* add ipsec interfaces */ - if (isset($config['ipsec']['enable']) || isset($config['ipsec']['mobileclients']['enable'])){ + if (isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])){ $iflist["enc0"] = "IPSEC"; } diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index fae42a6..0424748 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc 
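Review bot: In cert_get_issuer the new `ksort($components)` runs before the `is_array($components)` guard, so a certificate that openssl_x509_parse() cannot parse reaches ksort() with a non-array and raises a PHP warning before the function returns "unknown". Move the sort under the guard: `if (!is_array($components)) return "unknown"; ksort($components);`. Sorting also changes the issuer string this function produces, so if cert_get_subject() (outside this hunk) does not sort its components the same way, issuer/subject string comparisons used to build CA chains will stop matching — worth confirming before merging. The function continues past the hunk.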
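Review bot: The new `function_exists()` guard in convert_config silently skips a missing `upgrade_NNN_to_MMM` step, so a renamed or dropped migration leaves data in the old layout while the version counter (presumably advanced just outside this hunk) moves on; stale keys such as the old `mobileclients` block would then feed the filter generator unnoticed. Log the gap rather than swallowing it: `else log_error("Missing migration function {$migration_function}; config not converted for this step");`. The enclosing function continues outside the hunk.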
@@ -796,7 +796,7 @@ function filter_generate_optcfg_array() { $FilterIflist['pppoe'] = $oic; } /* add ipsec interfaces */ - if(isset($config['ipsec']['enable']) || isset($config['ipsec']['mobileclients']['enable'])) { + if(isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])) { $oic = array(); $oic['if'] = 'enc0'; $oic['descr'] = 'IPsec'; @@ -1074,7 +1074,7 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_ $socktype = "stream"; $dash_u = ""; } - $target = explode(" ", $target); + $target = explode(" ", trim($target)); foreach ($target as $targip) { if (empty($targip)) continue; @@ -1673,8 +1673,17 @@ function filter_generate_address(& $rule, $target = "source", $isnat = false) { $lansn = $FilterIflist['lan']['snv6']; $src = "{$lansa}/{$lansn}"; break; - } - if(isset($rule[$target]['not'])) $src = "!{$src}"; + case 'pptp': + $pptpsa = gen_subnetv6($FilterIflist['pptp']['sav6'], $FilterIflist['pptp']['snv6']); + $pptpsn = $FilterIflist['pptp']['snv6']; + $src = "{$pptpsav6}/{$pptpsnv6}"; + break; + case 'pppoe': + $pppoesa = gen_subnetv6($FilterIflist['pppoe']['ipv6'], $FilterIflist['pppoe']['snv6']); + $pppoesn = $FilterIflist['pppoe']['snv6']; + $src = "{$pppoesav6}/{$pppoesnv6}"; + break; + } } else { switch ($rule[$target]['network']) { case 'wan': @@ -1704,7 +1713,6 @@ function filter_generate_address(& $rule, $target = "source", $isnat = false) { $src = "{$pppoesa}/{$pppoesn}"; break; } - if(isset($rule[$target]['not'])) $src = "!{$src}"; } } } else if($rule[$target]['address']) { @@ -2280,6 +2288,7 @@ EOD; $ipfrules .= <<<EOD # allow PPTP client pass in on \${$oc['descr']} proto tcp from any to any port = 1723 flags S/SA modulate state label "allow PPTP client on {$oc['descr']}" +pass in on \${$oc['descr']} proto gre from any to any keep state label "allow PPTP client on {$oc['descr']}" EOD; break; 
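Review bot: The new `pptp` and `pppoe` IPv6 cases in filter_generate_address assign `$pptpsa`/`$pptpsn` and `$pppoesa`/`$pppoesn` but then interpolate the never-assigned `$pptpsav6`/`$pptpsnv6` and `$pppoesav6`/`$pppoesnv6`, so `$src` becomes the literal `/` and the generated pf rule is invalid. Use the variables that were actually set: `$src = "{$pptpsa}/{$pptpsn}";` and `$src = "{$pppoesa}/{$pppoesn}";`. This hunk and the following one both remove the `if(isset($rule[$target]['not'])) $src = "!{$src}";` line with no replacement visible here; unless it is re-applied after the if/else outside the hunk, negated network rules such as `! LAN net` silently lose their negation and match the opposite of what was configured. The enclosing function begins before and ends after the hunk.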
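Review bot: The added PPTP client rule `pass in on \${$oc['descr']} proto gre from any to any keep state` admits GRE from any source to any destination on that interface, which is far wider than the TCP/1723 rule next to it and opens GRE (plain GRE tunnels as well as PPTP's transport) through the interface to every host. If the PPTP server address is available on this code path it should be the only permitted source, e.g. `from <pptp server address> to any`; if it is not, a comment should record why any-to-any is accepted here. The surrounding switch continues outside the hunk.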
@@ -2312,8 +2321,8 @@ EOD; if($config['dhcpd'][$on]['failover_peerip'] <> "") { $ipfrules .= <<<EOD # allow access to DHCP failover on {$oc['descr']} from {$config['dhcpd'][$on]['failover_peerip']} -pass in on \${$oc['descr']} proto udp from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 519 label "allow access to DHCP failover" -pass in on \${$oc['descr']} proto udp from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 520 label "allow access to DHCP failover" +pass in on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 519 label "allow access to DHCP failover" +pass in on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 520 label "allow access to DHCP failover" EOD; } @@ -2371,7 +2380,7 @@ EOD; /* add ipsec interfaces */ - if(isset($config['ipsec']['enable']) || isset($config['ipsec']['mobileclients']['enable'])) + if(isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])) $ipfrules .= <<<EOD pass out on \$IPsec all keep state label "IPsec internal host to host" @@ -2419,6 +2428,7 @@ EOD; $ipfrules .= <<<EOD # PPTPd rules pass in on \${$FilterIflist['wan']['descr']} proto tcp from any to $pptpdtarget port = 1723 modulate state label "allow pptpd {$pptpdtarget}" +pass in on \${$FilterIflist['wan']['descr']} proto gre from any to any keep state label "allow gre pptpd" EOD; diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc index 8d71fd2..df531c7 100644 --- a/etc/inc/openvpn.inc +++ b/etc/inc/openvpn.inc 
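Review bot: The PPTPd GRE rule `pass in on \$WAN proto gre from any to any keep state` is broader than the TCP rule directly above it, which is scoped `to $pptpdtarget`; as written it passes GRE to any address reachable via WAN rather than only to the PPTP server. Scope it the same way: `pass in on \${$FilterIflist['wan']['descr']} proto gre from any to $pptpdtarget keep state label "allow gre pptpd"`. `$pptpdtarget` is interpolated straight into the heredoc, so it presumably relies on validation at the point the GUI writes it — worth a comment confirming that.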
@@ -295,11 +295,11 @@ function openvpn_reconfigure($mode, $settings) { $vpnid = $settings['vpnid']; $mode_id = $mode.$vpnid; - if (isset($settings['device_mode'])) - $tunname = "{$settings['device_mode']}{$vpnid}"; + if (isset($settings['dev_mode'])) + $tunname = "{$settings['dev_mode']}{$vpnid}"; else { /* defaults to tun */ $tunname = "tun{$vpnid}"; - $settings['device_mode'] = "tun"; + $settings['dev_mode'] = "tun"; } if ($mode == "server") @@ -323,7 +323,7 @@ function openvpn_reconfigure($mode, $settings) { $pfile = $g['varrun_path'] . "/openvpn_{$mode_id}.pid"; $proto = ($settings['protocol'] == 'UDP' ? 'udp' : "tcp-{$mode}"); - $device_mode = $settings['device_mode']; + $dev_mode = $settings['dev_mode']; $cipher = $settings['crypto']; $interface = $settings['interface']; @@ -341,7 +341,7 @@ function openvpn_reconfigure($mode, $settings) { } $conf = "dev {$devname}\n"; - $conf .= "dev-type {$settings['device_mode']}\n"; + $conf .= "dev-type {$settings['dev_mode']}\n"; $conf .= "dev-node /dev/{$tunname}\n"; $conf .= "writepid {$pfile}\n"; $conf .= "#user nobody\n"; diff --git a/etc/inc/rrd.inc b/etc/inc/rrd.inc index 433f659..2951450 100644 --- a/etc/inc/rrd.inc +++ b/etc/inc/rrd.inc @@ -459,14 +459,14 @@ function enable_rrd_graphing() { if($g['booting']) { $rrdqcommand = "-t "; $rrducommand = "N"; - $q = 0; + $qi = 0; foreach ($qlist as $qname => $q) { - if($q == 0) { + if($qi == 0) { $rrdqcommand .= "{$qname}"; } else { $rrdqcommand .= ":{$qname}"; } - $q++; + $qi++; $rrducommand .= ":U"; } mwexec("$rrdtool update $rrddbpath$ifname$queues $rrdqcommand $rrducommand"); diff --git a/etc/inc/shaper.inc b/etc/inc/shaper.inc index 9c8618a..a0fb0e4 100644 --- a/etc/inc/shaper.inc +++ b/etc/inc/shaper.inc @@ -742,7 +742,7 @@ class priq_queue { var $available_bw; /* in b/s */ /* This is here to help with form building and building rules/lists */ - var $subqueues = array(); + var $subqueues = array(); /* Accesor functions */ function GetAvailableBandwidth() { 
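Review bot: openvpn_reconfigure now reads and writes `$settings['dev_mode']` where it previously used `device_mode`, but nothing in this commit's upgrade_config changes renames the stored key; a saved instance that still carries `device_mode` would fall into the `else` branch and come up as `tun` regardless of what was configured, changing the VPN's layer-2/layer-3 behaviour silently. If the web form has always saved `dev_mode` this is a straight bug fix and a one-line comment saying so would help; otherwise bridge the transition with `if (!isset($settings['dev_mode']) && isset($settings['device_mode'])) $settings['dev_mode'] = $settings['device_mode'];` ahead of the `isset` check. The new local `$dev_mode` is assigned but not used within the hunk. The function continues outside the hunk.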
@@ -953,9 +953,17 @@ class priq_queue { $reqdfieldsn[] = "Name"; shaper_do_input_validation($data, $reqdfields, $reqdfieldsn, $input_errors); + if ($data['bandwidth'] && (!is_numeric($data['bandwidth']))) + $input_errors[] = "Bandwidth must be an integer."; + if ($data['bandwidth'] < 0) + $input_errors[] = "Bandwidth cannot be negative."; + if ($data['qlimit'] && (!is_numeric($data['qlimit']))) + $input_errors[] = "Qlimit must be an integer."; + if ($data['qlimit'] < 0) + $input_errors[] = "Qlimit must be an positive."; if ($data['priority'] && (!is_numeric($data['priority']) - || ($data['priority'] < 1) || ($data['priority'] > 15))) { - $input_errors[] = "The priority must be an integer between 1 and 15."; + || ($data['priority'] < 1) || ($data['priority'] > 15))) { + $input_errors[] = "The priority must be an integer between 1 and 15."; } if ($data['qlimit'] && (!is_numeric($data['qlimit']))) $input_errors[] = "Queue limit must be an integer"; @@ -1131,13 +1139,15 @@ class priq_queue { $form .= "<tr>"; $form .= "<td width=\"22%\" valign=\"center\" class=\"vncell\">Scheduler options</td>"; $form .= "<td width=\"78%\" class=\"vtable\">"; - $tmpvalue = $this->GetDefault(); - if (!empty($tmpvalue)) { - $form .= "<input type=\"checkbox\" id=\"default\" CHECKED name=\"default\" value=\"default\""; - $form .= "> Default queue<br>"; - } else { - $form .= "<input type=\"checkbox\" id=\"default\" name=\"default\" value=\"default\""; - $form .= "> Default queue<br>"; + if (empty($this->subqueues)) { + $tmpvalue = $this->GetDefault(); + if (!empty($tmpvalue)) { + $form .= "<input type=\"checkbox\" id=\"default\" CHECKED name=\"default\" value=\"default\""; + $form .= "> Default queue<br>"; + } else { + $form .= "<input type=\"checkbox\" id=\"default\" name=\"default\" value=\"default\""; + $form .= "> Default queue<br>"; + } } $form .= "<input type=\"checkbox\" id=\"red\" name=\"red\" value=\"red\" "; $tmpvalue = $this->GetRed(); 
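Review bot: The new bandwidth/qlimit checks in the priq_queue validation method say "must be an integer" but test with `is_numeric()`, which accepts `1.5`, `1e3` and leading whitespace, and those values presumably flow into the generated ALTQ ruleset. The qlimit pair also duplicates the existing `Queue limit must be an integer` check just below it, so one bad field yields two messages, and the `< 0` comparisons are meaningless once the value is non-numeric. Fold each pair into one integer test, e.g. `if ($data['bandwidth'] && !preg_match('/^\d+$/', $data['bandwidth'])) $input_errors[] = "Bandwidth must be a non-negative integer.";`, do the same for qlimit, and drop the misspelled `Qlimit must be an positive.` line. The method continues outside the hunk.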
@@ -4038,20 +4048,20 @@ function build_iface_without_this_queue($iface, $qname) { global $g, $altq_list_queues; $altq =& $altq_list_queues[$iface]; - if ($altq) - $scheduler = ": " . $altq->GetScheduler(); + if ($altq) + $scheduler = ": " . $altq->GetScheduler(); $form = "<tr><td width=\"20%\" >"; $form .= "<a href=\"firewall_shaper.php?interface=" . $iface . "&queue=" . $iface."&action=show\">".$iface.": ".$scheduler."</a>"; - $form .= "</td></tr>"; - $form .= "<tr><td width=\"100%\" class=\"vncellreq\">"; - $form .= "<a href=\"firewall_shaper_queues.php?interface="; - $form .= $iface . "&queue=". $qname . "&action=add\">"; - $form .= "<img src=\""; - $form .= "./themes/".$g['theme']."/images/icons/icon_plus.gif\""; - $form .= " width=\"17\" height=\"17\" border=\"0\" title=\"Clone shaper/queue on this interface\">"; - $form .= " Clone shaper/queue on this interface</a></td></tr>"; + $form .= "</td></tr>"; + $form .= "<tr><td width=\"100%\" class=\"vncellreq\">"; + $form .= "<a href=\"firewall_shaper_queues.php?interface="; + $form .= $iface . "&queue=". $qname . "&action=add\">"; + $form .= "<img src=\""; + $form .= "./themes/".$g['theme']."/images/icons/icon_plus.gif\""; + $form .= " width=\"17\" height=\"17\" border=\"0\" title=\"Clone shaper/queue on this interface\">"; + $form .= " Clone shaper/queue on this interface</a></td></tr>"; - return $form; + return $form; } diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc index 1e1fe13..2ffa7ed 100644 --- a/etc/inc/upgrade_config.inc +++ b/etc/inc/upgrade_config.inc @@ -982,6 +982,7 @@ function upgrade_046_to_047() { $ph1alg = array( 'name' => 'aes', 'keylen' => '128' ); break; case "rijndael 256": + case "aes 256": $ph1alg = array( 'name' => 'aes', 'keylen' => '256' ); break; } @@ -1066,6 +1067,7 @@ function upgrade_046_to_047() { break; case "rijndael": case "rijndael 256": + case "aes 256": $ph2alg = array( 'name' => 'aes', 'keylen' => 'auto' ); $aes_found = true; $aes_count++; 
@@ -1090,6 +1092,142 @@ function upgrade_046_to_047() { $config['ipsec']['phase1'] = $a_phase1; $config['ipsec']['phase2'] = $a_phase2; } + + /* Upgrade Mobile IPsec */ + if (isset($config['ipsec']['mobileclients']) + && is_array($config['ipsec']['mobileclients']) + && is_array($config['ipsec']['mobileclients']['p1']) + && is_array($config['ipsec']['mobileclients']['p2'])) { + + if (isset($config['ipsec']['mobileclients']['enable'])) { + $config['ipsec']['client']['enable'] = true; + $config['ipsec']['client']['user_source'] = 'system'; + $config['ipsec']['client']['group_source'] = 'system'; + } + + $mobilecfg = $config['ipsec']['mobileclients']; + + $ph1ent = array(); + $ph1ent['ikeid'] = ++$ikeid; + + if (!isset($mobilecfg['enable'])) + $ph1ent['disabled'] = true; + + /* Assume WAN since mobile tunnels couldn't be on a separate interface on 1.2.x */ + $ph1ent['interface'] = 'wan'; + $ph1ent['descr'] = "Mobile Clients (upgraded)"; + $ph1ent['mode'] = $mobilecfg['p1']['mode']; + + if (isset($mobilecfg['p1']['myident']['myaddress'])) + $ph1ent['myid_type'] = "myaddress"; + if (isset($mobilecfg['p1']['myident']['address'])) { + $ph1ent['myid_type'] = "address"; + $ph1ent['myid_data'] = $mobilecfg['p1']['myident']['address']; + } + if (isset($mobilecfg['p1']['myident']['fqdn'])) { + $ph1ent['myid_type'] = "fqdn"; + $ph1ent['myid_data'] = $mobilecfg['p1']['myident']['fqdn']; + } + if (isset($mobilecfg['p1']['myident']['ufqdn'])) { + $ph1ent['myid_type'] = "user_fqdn"; + $ph1ent['myid_data'] = $mobilecfg['p1']['myident']['ufqdn']; + } + if (isset($mobilecfg['p1']['myident']['asn1dn'])) { + $ph1ent['myid_type'] = "asn1dn"; + $ph1ent['myid_data'] = $mobilecfg['p1']['myident']['asn1dn']; + } + if (isset($mobilecfg['p1']['myident']['dyn_dns'])) { + $ph1ent['myid_type'] = "dyn_dns"; + $ph1ent['myid_data'] = $mobilecfg['p1']['myident']['dyn_dns']; + } + $ph1ent['peerid_type'] = "fqdn"; + $ph1ent['peerid_data'] = ""; + + switch ($mobilecfg['p1']['encryption-algorithm']) { + 
case "des": + $ph1alg = array( 'name' => 'des' ); + break; + case "3des": + $ph1alg = array( 'name' => '3des' ); + break; + case "blowfish": + $ph1alg = array( 'name' => 'blowfish', 'keylen' => '128' ); + break; + case "cast128": + $ph1alg = array( 'name' => 'cast128' ); + break; + case "rijndael": + $ph1alg = array( 'name' => 'aes', 'keylen' => '128' ); + break; + case "rijndael 256": + case "aes 256": + $ph1alg = array( 'name' => 'aes', 'keylen' => '256' ); + break; + } + + $ph1ent['encryption-algorithm'] = $ph1alg; + $ph1ent['hash-algorithm'] = $mobilecfg['p1']['hash-algorithm']; + $ph1ent['dhgroup'] = $mobilecfg['p1']['dhgroup']; + $ph1ent['lifetime'] = $mobilecfg['p1']['lifetime']; + $ph1ent['authentication_method'] = $mobilecfg['p1']['authentication_method']; + + if (isset($mobilecfg['p1']['cert'])) + $ph1ent['cert'] = $mobilecfg['p1']['cert']; + if (isset($mobilecfg['p1']['peercert'])) + $ph1ent['peercert'] = $mobilecfg['p1']['peercert']; + if (isset($mobilecfg['p1']['private-key'])) + $ph1ent['private-key'] = $mobilecfg['p1']['private-key']; + + $ph1ent['nat_traversal'] = "on"; + $ph1ent['dpd_enable'] = 1; + $ph1ent['dpd_delay'] = 10; + $ph1ent['dpd_maxfail'] = 5; + $ph1ent['mobile'] = true; + + $ph2ent = array(); + $ph2ent['ikeid'] = $ph1ent['ikeid']; + $ph2ent['descr'] = "phase2 for ".$mobilecfg['descr']; + $ph2ent['localid'] = array('type' => 'none'); + $ph2ent['remoteid'] = array('type' => 'mobile'); + $ph2ent['protocol'] = $mobilecfg['p2']['protocol']; + + $aes_count = 0; + foreach( $mobilecfg['p2']['encryption-algorithm-option'] as $tunalg ) { + $aes_found = false; + switch ($tunalg) { + case "des": + $ph2alg = array( 'name' => 'des' ); + break; + case "3des": + $ph2alg = array( 'name' => '3des' ); + break; + case "blowfish": + $ph2alg = array( 'name' => 'blowfish', 'keylen' => 'auto' ); + break; + case "cast128": + $ph2alg = array( 'name' => 'cast128' ); + break; + case "rijndael": + case "rijndael 256": + case "aes 256": + $ph2alg = array( 'name' => 
'aes', 'keylen' => 'auto' ); + $aes_found = true; + $aes_count++; + break; + } + + if( !$aes_found || ($aes_count < 2)) + $ph2ent['encryption-algorithm-option'][] = $ph2alg; + } + $ph2ent['hash-algorithm-option'] = $mobilecfg['p2']['hash-algorithm-option']; + $ph2ent['pfsgroup'] = $mobilecfg['p2']['pfsgroup']; + $ph2ent['lifetime'] = $mobilecfg['p2']['lifetime']; + $ph2ent['mobile'] = true; + + $config['ipsec']['phase1'][] = $ph1ent; + $config['ipsec']['phase2'][] = $ph2ent; + unset($config['ipsec']['mobileclients']); + } } diff --git a/etc/inc/xmlrpc.inc b/etc/inc/xmlrpc.inc index ae725e5..ca07cee 100644 --- a/etc/inc/xmlrpc.inc +++ b/etc/inc/xmlrpc.inc @@ -33,6 +33,7 @@ pfSense_MODULE: utils */ +require_once("auth.inc"); require_once("xmlrpc_client.inc"); /* 
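Review bot: In the mobile IPsec migration the phase-2 loop leaves `$ph2alg` untouched when `$tunalg` matches none of the listed names, so an unrecognised algorithm re-adds the previous iteration's entry (or pushes an undefined value on the first pass) instead of being dropped; the phase-1 `switch` has the same shape, so `$ph1alg` may retain whatever the earlier site-to-site loop in this function left behind. Reset the variable per iteration and skip unknown values with a log line rather than silently migrating a different cipher than the administrator configured. `$ikeid` is incremented here but defined earlier in upgrade_046_to_047, outside the hunk.
```php
foreach( $mobilecfg['p2']['encryption-algorithm-option'] as $tunalg ) {
	$aes_found = false;
	$ph2alg = null;
	switch ($tunalg) {
	/* … unchanged: des / 3des / blowfish / cast128 / rijndael / aes 256 cases … */
	}
	if ($ph2alg === null) {
		log_error("Mobile IPsec upgrade: unknown phase2 encryption algorithm '{$tunalg}' skipped.");
		continue;
	}
	if( !$aes_found || ($aes_count < 2))
		$ph2ent['encryption-algorithm-option'][] = $ph2alg;
}
```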
@@ -109,25 +110,26 @@ function php_value_to_xmlrpc($value, $force_array = false) { function xmlrpc_auth(&$params) { global $config, $_SERVER; - if (!is_array($config['system']['user'])) { - array_shift($params); - unset($params['xmlrpcauth']); - log_error("webConfigurator authentication error for 'admin' from {$_SERVER['REMOTE_ADDR']} during sync settings."); - return false; - } - if (!isset($config['system']['user'][0]['password'])) { - array_shift($params); - unset($params['xmlrpcauth']); - log_error("webConfigurator authentication error for 'admin' from {$_SERVER['REMOTE_ADDR']} during sync settings."); - return false; - } - - $localpass = $config['system']['user'][0]['password']; - if(crypt($params[0], $localpass) == $localpass) { + /* XXX: Should teach caller to pass username and use it here. */ + /* XXX: Should clarify from old behaviour what is in params[0] that differs from params['xmlrpcauth'] */ + if (isset($config['system']['webgui']['authmode'])) { + $authcfg = auth_get_authserver($config['system']['webgui']['authmode']); + if (authenticate_user("admin", $params[0], $authcfg) || + authenticate_user("admin", $params[0])) { + array_shift($params); + unset($params['xmlrpcauth']); + return true; + } else if (!empty($params['xmlrpcauth']) && (authenticate_user("admin", $params['xmlrpcauth'], $authcfg) || + authenticate_user("admin", $params['xmlrpcauth']))) { + array_shift($params); + unset($params['xmlrpcauth']); + return true; + } + } else if (authenticate_user("admin", $params[0])) { array_shift($params); unset($params['xmlrpcauth']); return true; - } else if(crypt($params['xmlrpcauth'], $localpass) == $localpass) { + } else if (!empty($params['xmlrpcauth']) && authenticate_user("admin", $params['xmlrpcauth'])) { array_shift($params); unset($params['xmlrpcauth']); return true; @@ -139,4 +141,4 @@ function xmlrpc_auth(&$params) { return false; } -?>
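Review bot: In xmlrpc_auth, `authenticate_user("admin", $params[0], $authcfg) || authenticate_user("admin", $params[0])` always falls back to the local password database after the configured backend has rejected the secret, so a RADIUS/LDAP lockout or a disabled remote account never applies to the sync endpoint; if that fallback is deliberate (out-of-band recovery when the backend is down) it needs a comment saying so, otherwise only the configured server should decide. `$params[0]` is also handed to authenticate_user() without the `!empty()` check the `xmlrpcauth` branch gets and without confirming it is a string, so an empty or array-valued first parameter reaches the password comparison. The username remains hard-coded to `admin`, as the XXX comments acknowledge. The function's failure path lies outside this hunk.
```php
/* XXX: still authenticates the hard-coded "admin" user; callers should supply a username. */
$secret = (isset($params[0]) && is_string($params[0])) ? $params[0] : "";
if ($secret === "" && !empty($params['xmlrpcauth']) && is_string($params['xmlrpcauth']))
	$secret = $params['xmlrpcauth'];
$authcfg = null;
if (isset($config['system']['webgui']['authmode']))
	$authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
/* The configured backend decides; the local database is consulted only when no backend is configured. */
$authenticated = ($secret !== "") &&
	($authcfg ? authenticate_user("admin", $secret, $authcfg) : authenticate_user("admin", $secret));
if ($authenticated) {
	array_shift($params);
	unset($params['xmlrpcauth']);
	return true;
}
// … unchanged: failure handling / return false …
```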
\ No newline at end of file +?> |