authorRenato Botelho <renato.botelho@bluepex.com>2010-10-13 08:39:39 -0300
committerRenato Botelho <renato.botelho@bluepex.com>2010-10-13 08:39:39 -0300
commit8eec6fc0d1264ab87a9938b25a3f93682d6c8b0f (patch)
tree2177999c3c13c05c00735008c7345bf7dec6e5d3 /etc/inc
parent10f0a57ab4f47e73a3d248087ee54f805b4d7367 (diff)
parent5a171fb7cce71f4e2a737847c3ede56298e0b0cf (diff)
Merge remote branch 'mainline/master' into inc
Diffstat (limited to 'etc/inc')
-rw-r--r--etc/inc/easyrule.inc2
-rw-r--r--etc/inc/interfaces.inc2
-rwxr-xr-xetc/inc/openvpn.auth-user.php7
-rw-r--r--etc/inc/openvpn.inc4
-rw-r--r--etc/inc/services.inc10
5 files changed, 21 insertions, 4 deletions
diff --git a/etc/inc/easyrule.inc b/etc/inc/easyrule.inc
index 2e3af4b..d834702 100644
--- a/etc/inc/easyrule.inc
+++ b/etc/inc/easyrule.inc
@@ -80,6 +80,8 @@ function easyrule_block_rule_exists($int = 'wan') {
/* Search through the rules for one referencing our alias */
foreach ($config['filter']['rule'] as $rule)
+ if (!is_array($rule) || !is_array($rule['source']))
+ continue;
if ($rule['source']['address'] == $blockaliasname . strtoupper($int) && ($rule['interface'] == $int))
return true;
return false;
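Review bot: The added guard `if (!is_array($rule) || !is_array($rule['source'])) continue;` becomes the entire body of the brace-less `foreach`, so the address/interface comparison below it is no longer inside the loop. As written it runs once after the loop ends, against the last `$rule` only, and a matching block rule earlier in the list is missed. Wrap both statements in braces, `foreach ($config['filter']['rule'] as $rule) {` … `}`, so the guard and the comparison run for every rule. The body of easyrule_block_rule_exists() starts outside the hunk.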
diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc
index 1be6068..8e749e5 100644
--- a/etc/inc/interfaces.inc
+++ b/etc/inc/interfaces.inc
@@ -133,7 +133,7 @@ function interface_vlan_configure(&$vlan) {
pfSense_interface_capabilities($if, IFCAP_VLAN_HWTAGGING|IFCAP_VLAN_MTU|IFCAP_VLAN_HWFILTER);
if (!empty($vlanif) && does_interface_exist($vlanif)) {
- interface_bring_down($vlanif);
+ interface_bring_down($vlanif, true);
} else {
$tmpvlanif = pfSense_interface_create("vlan");
pfSense_interface_rename($tmpvlanif, $vlanif);
diff --git a/etc/inc/openvpn.auth-user.php b/etc/inc/openvpn.auth-user.php
index a611f8c..544e21f 100755
--- a/etc/inc/openvpn.auth-user.php
+++ b/etc/inc/openvpn.auth-user.php
@@ -85,6 +85,7 @@ openlog("openvpn", LOG_ODELAY, LOG_AUTH);
/* read data from environment */
$username = getenv("username");
$password = getenv("password");
+$common_name = getenv("common_name");
if (!$username || !$password) {
syslog(LOG_ERR, "invalid user authentication environment");
@@ -95,6 +96,12 @@ if (!$username || !$password) {
//<template>
$authenticated = false;
+
+if (($strictusercn === true) && ($common_name != $username)) {
+ syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.\n");
+ exit(1);
+}
+
foreach ($authmodes as $authmode) {
$authcfg = auth_get_authserver($authmode);
if (!$authcfg && $authmode != "local")
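Review bot: The strict-CN check uses loose `!=`, and PHP compares two numeric-looking strings by value, so a username and a certificate common name that differ as text can still pass as equal. Use the identity operator on this authentication decision: `if (($strictusercn === true) && ($common_name !== $username)) {`. With `!==`, a missing `common_name` (getenv() returns false) is still rejected. Both values are supplied by the connecting client and are interpolated into the syslog line unmodified, so consider stripping control characters before logging. `$strictusercn` exists only when the template substitution emits it, so the check is silently skipped if that line is ever lost; an explicit `$strictusercn = false;` default above the `//<template>` marker would make that state visible.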
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index 1e7e9b8..c528f67 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -392,7 +392,9 @@ function openvpn_reconfigure($mode,& $settings) {
$firstsed = 1;
$sed .= "\"{$authcfg}\"";
}
- $sed .= ");";
+ $sed .= ");\\\n";
+ if (isset($settings['strictusercn']))
+ $sed .= "\$strictusercn = true;";
mwexec("/bin/cat /etc/inc/openvpn.auth-user.php | /usr/bin/sed 's/\/\/<template>/{$sed}/g' > {$g['varetc_path']}/openvpn/{$mode_id}.php");
mwexec("/bin/chmod a+x {$g['varetc_path']}/openvpn/{$mode_id}.php");
$conf .= "auth-user-pass-verify {$g['varetc_path']}/openvpn/{$mode_id}.php via-env\n";
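Review bot: The generated verify script is still assembled by interpolating `{$sed}` into a single-quoted sed expression passed to a shell via mwexec(), and `$sed` carries the `$authcfg` names plus the new `$strictusercn` line. A name containing `'`, `"`, `/` or `&` would corrupt the sed expression or the generated PHP; where those names come from is outside the hunk, so this is worth confirming against the caller. Since this commit makes the generated file enforce an authentication policy, a safer approach is to build it in PHP: read the template, `str_replace()` the `//<template>` marker with values rendered by `var_export()`, and write the result with `file_put_contents()`. The `\\\n` continuation also depends on sed's handling of escaped newlines in the replacement, which deserves a short comment if the sed pipeline stays.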
diff --git a/etc/inc/services.inc b/etc/inc/services.inc
index c91071c..82166d6 100644
--- a/etc/inc/services.inc
+++ b/etc/inc/services.inc
@@ -565,12 +565,18 @@ function services_dhcrelay_configure() {
$destif = get_real_interface("wan");
}
- $dhcrelayifs[] = $destif;
+ if (!empty($destif))
+ $dhcrelayifs[] = $destif;
}
$dhcrelayifs = array_unique($dhcrelayifs);
/* fire up dhcrelay */
- $cmd = "/usr/local/sbin/dhcrelay -i " . join(" -i ", $dhcrelayifs);
+ if (empty($dhcrelayifs)) {
+ log_error("No suitable interface found for running dhcrelay!");
+ return; /* XXX */
+ }
+
+ $cmd = "/usr/local/sbin/dhcrelay -i " . implode(" -i ", $dhcrelayifs);
if (isset($dhcrelaycfg['agentoption']))
$cmd .= " -a -m replace";
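Review bot: The bare `return; /* XXX */` does not say what is unresolved, and the caller gets no signal that dhcrelay was not started. Replace the marker with a comment that states the open question, for example `/* XXX: relay is enabled but no usable interface resolved; caller is not told */`, or return a status if callers check one. Whether any setup earlier in services_dhcrelay_configure() needs undoing before this early exit cannot be seen from the hunk, as the function body starts and ends outside it.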