author | Vinicius Coque <vinicius.coque@bluepex.com> | 2010-12-14 09:56:34 -0200 |
---|---|---|
committer | Vinicius Coque <vinicius.coque@bluepex.com> | 2010-12-14 09:56:34 -0200 |
commit | c92ccac76ff2938c5718440efdd846317f6a2d55 (patch) | |
tree | 1dd190505af25191f0289552a155732d7432da58 /etc/inc | |
parent | 386447eaa7cfe727678455955285b1ecd4e6e9f9 (diff) | |
parent | c9b08a50f0ba328ac0569247eb2063d34f7e6279 (diff) | |
download | pfsense-c92ccac76ff2938c5718440efdd846317f6a2d55.zip pfsense-c92ccac76ff2938c5718440efdd846317f6a2d55.tar.gz |
Merge remote branch 'mainline/master' into inc
Conflicts:
etc/inc/auth.inc
etc/inc/config.lib.inc
etc/inc/filter.inc
etc/inc/gwlb.inc
etc/inc/interfaces.inc
etc/inc/pfsense-utils.inc
etc/inc/pkg-utils.inc
etc/inc/shaper.inc
etc/inc/upgrade_config.inc
etc/inc/xmlparse.inc
usr/local/www/fbegin.inc
Diffstat (limited to 'etc/inc')
-rw-r--r-- | etc/inc/auth.inc | 108 | ||||
-rw-r--r-- | etc/inc/captiveportal.inc | 3 | ||||
-rw-r--r-- | etc/inc/certs.inc | 13 | ||||
-rw-r--r-- | etc/inc/config.console.inc | 2 | ||||
-rw-r--r-- | etc/inc/config.gui.inc | 6 | ||||
-rw-r--r-- | etc/inc/config.inc | 13 | ||||
-rw-r--r-- | etc/inc/config.lib.inc | 81 | ||||
-rw-r--r-- | etc/inc/dyndns.class | 20 | ||||
-rw-r--r-- | etc/inc/filter.inc | 120 | ||||
-rw-r--r-- | etc/inc/globals.inc | 65 | ||||
-rw-r--r-- | etc/inc/gwlb.inc | 20 | ||||
-rw-r--r-- | etc/inc/interfaces.inc | 269 | ||||
-rw-r--r-- | etc/inc/ipsec.inc | 16 | ||||
-rwxr-xr-x | etc/inc/openvpn.auth-user.php | 8 | ||||
-rw-r--r-- | etc/inc/openvpn.inc | 25 | ||||
-rw-r--r-- | etc/inc/pfsense-utils.inc | 131 | ||||
-rw-r--r-- | etc/inc/pkg-utils.inc | 315 | ||||
-rw-r--r-- | etc/inc/shaper.inc | 2 | ||||
-rw-r--r-- | etc/inc/system.inc | 30 | ||||
-rw-r--r-- | etc/inc/upgrade_config.inc | 45 | ||||
-rw-r--r-- | etc/inc/util.inc | 42 | ||||
-rw-r--r-- | etc/inc/vpn.inc | 42 | ||||
-rw-r--r-- | etc/inc/xmlparse.inc | 15 | ||||
-rw-r--r-- | etc/inc/xmlreader.inc | 8 | ||||
-rw-r--r-- | etc/inc/xmlrpc.inc | 27 |
25 files changed, 842 insertions, 584 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc index 61a816e..2a0e7d9 100644 --- a/etc/inc/auth.inc +++ b/etc/inc/auth.inc @@ -49,6 +49,9 @@ if(!$do_not_include_config_gui_inc) require_once("config.gui.inc"); +// Will be changed to false if security checks fail +$security_passed = true; + /* If this function doesn't exist, we're being called from Captive Portal or another internal subsystem which does not include authgui.inc */ if (function_exists("display_error_form") && !isset($config['system']['webgui']['nodnsrebindcheck'])) { 
@@ -61,66 +64,90 @@ if (function_exists("display_error_form") && !isset($config['system']['webgui'][ $http_host = $_SERVER['HTTP_HOST']; } if(is_ipaddr($http_host) or $_SERVER['SERVER_ADDR'] == "127.0.0.1" or - $http_host == "localhost" or $_SERVER['SERVER_ADDR'] == "localhost") + strcasecmp($http_host, "localhost") == 0) + $found_host = true; + if(strcasecmp($http_host, $config['system']['hostname'] . "." . $config['system']['domain']) == 0 or + strcasecmp($http_host, $config['system']['hostname']) == 0) $found_host = true; - if($config['dyndnses']['dyndns']) + + if(is_array($config['dyndnses']['dyndns']) && !$found_host) foreach($config['dyndnses']['dyndns'] as $dyndns) - if($dyndns['host'] == $http_host or $dyndns['host'] == $_SERVER['SERVER_ADDR']) + if(strcasecmp($dyndns['host'], $http_host) == 0) { $found_host = true; + break; + } - if(!empty($config['system']['webgui']['althostnames'])) { + if(!empty($config['system']['webgui']['althostnames']) && !$found_host) { $althosts = explode(" ", $config['system']['webgui']['althostnames']); foreach ($althosts as $ah) - if($ah == $http_host or $ah == $_SERVER['SERVER_ADDR']) + if(strcasecmp($ah, $http_host) == 0 or strcasecmp($ah, $_SERVER['SERVER_ADDR']) == 0) { $found_host = true; + break; + } } - if($http_host == $config['system']['hostname'] . "." . 
$config['system']['domain'] or - $http_host == $_SERVER['SERVER_ADDR'] or - $http_host == $config['system']['hostname']) - $found_host = true; - if($found_host == false) { - display_error_form("501", gettext("Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding<br/>Try accessing the router by IP address instead of by hostname.")); - exit; + if(!security_checks_disabled()) { + display_error_form("501", gettext("Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding<br/>Try accessing the router by IP address instead of by hostname.")); + exit; + } + $security_passed = false; } } // If the HTTP_REFERER is something other than ourselves then disallow. if(function_exists("display_error_form") && !isset($config['system']['webgui']['nohttpreferercheck'])) { if($_SERVER['HTTP_REFERER']) { - $found_host = false; - $hostname_me = $config['system']['hostname'] . "." . $config['system']['domain']; - if(stristr($_SERVER['HTTP_REFERER'], $hostname_me)) - $found_host = true; - if(!empty($config['system']['webgui']['althostnames'])) { - $althosts = explode(" ", $config['system']['webgui']['althostnames']); - foreach ($althosts as $ah) { - if(empty($ah)) - continue; - if(stristr($ah, $hostname_me)) { - $found_host = true; - break; - } + if(file_exists("{$g['tmp_path']}/setupwizard_lastreferrer")) { + if($_SERVER['HTTP_REFERER'] == file_get_contents("{$g['tmp_path']}/setupwizard_lastreferrer")) { + unlink("{$g['tmp_path']}/setupwizard_lastreferrer"); + header("Refresh: 1; url=index.php"); + echo "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">"; + echo "<html><head><title>" . gettext("Redirecting...") . "</title></head><body>" . gettext("Redirecting to the dashboard...") . 
"</body></html>"; + exit; } } - $interface_list_ips = get_configured_ip_addresses(); - foreach($interface_list_ips as $ilips) { - if(empty($ilips)) - continue; - $hostname_me_ip = $config['webgui']['protocol'] . "://" . $ilips; - if(stristr($_SERVER['HTTP_REFERER'],$hostname_me_ip)) { + $found_host = false; + $referrer_host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST); + if($referrer_host) { + if(strcasecmp($referrer_host, $config['system']['hostname'] . "." . $config['system']['domain']) == 0 + || strcasecmp($referrer_host, $config['system']['hostname']) == 0) $found_host = true; - break; + if(!empty($config['system']['webgui']['althostnames']) && !$found_host) { + $althosts = explode(" ", $config['system']['webgui']['althostnames']); + foreach ($althosts as $ah) { + if(strcasecmp($referrer_host, $ah) == 0) { + $found_host = true; + break; + } + } + } + if(!$found_host) { + $interface_list_ips = get_configured_ip_addresses(); + foreach($interface_list_ips as $ilips) { + if(strcasecmp($referrer_host, $ilips) == 0) { + $found_host = true; + break; + } + } } } if($found_host == false) { - display_error_form("501", "An HTTP_REFERER was detected other than what is defined in System -> Advanced (" . htmlspecialchars($_SERVER['HTTP_REFERER']) . "). You can disable this check if needed in System -> Advanced -> Admin."); - exit; + if(!security_checks_disabled()) { + display_error_form("501", "An HTTP_REFERER was detected other than what is defined in System -> Advanced (" . htmlspecialchars($_SERVER['HTTP_REFERER']) . "). You can disable this check if needed in System -> Advanced -> Admin."); + exit; + } + $security_passed = false; } - } + } else + $security_passed = false; } +if (function_exists("display_error_form") && $security_passed) + /* Security checks passed, so it should be OK to turn them back on */ + restore_security_checks(); +unset($security_passed); + $groupindex = index_groups(); $userindex = index_users(); 
@@ -393,10 +420,11 @@ function local_user_set(& $user) { $keys = base64_decode($user['authorizedkeys']); file_put_contents("{$user_home}/.ssh/authorized_keys", $keys); chown("{$user_home}/.ssh/authorized_keys", $user_name); - } + } else + unlink_if_exists("{$user_home}/.ssh/authorized_keys"); $un = $lock_account ? "" : "un"; - exec("/usr/sbin/pw {$un}lock -q {$user_name}"); + exec("/usr/sbin/pw {$un}lock {$user_name} -q"); conf_mount_ro(); } @@ -1184,7 +1212,7 @@ function session_auth() { $_SESSION['Logged_In'] = "True"; $_SESSION['Username'] = $_POST['usernamefld']; $_SESSION['last_access'] = time(); - log_error(sprintf(gettext("Successful login for user '%1\$s' from: %2\$s"), $_POST['usernamefld'], $_SERVER['REMOTE_ADDR'])); + log_auth(sprintf(gettext("Successful login for user '%1\$s' from: %2\$s"), $_POST['usernamefld'], $_SERVER['REMOTE_ADDR'])); $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username']; if (isset($_POST['postafterlogin'])) return true; @@ -1196,8 +1224,8 @@ function session_auth() { exit; } else { /* give the user an error message */ - $_SESSION['Login_Error'] = gettext("Username or Password incorrect"); - log_error(sprintf(gettext("Login attempt with user: '%1\$s' from: '%2\$s' failed."), $_POST['usernamefld'], $_SERVER['REMOTE_ADDR'])); + $_SESSION['Login_Error'] = "Username or Password incorrect"; + log_auth("webConfigurator authentication error for '{$_POST['usernamefld']}' from {$_SERVER['REMOTE_ADDR']}"); if(isAjax()) { echo "showajaxmessage('{$_SESSION['Login_Error']}');"; return; diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc index 874c99c..5bf7579 100644 --- a/etc/inc/captiveportal.inc +++ b/etc/inc/captiveportal.inc @@ -608,6 +608,7 @@ EOD; $rulenum = 65310; $ipcount = 0; + $ips = ""; foreach ($cpips as $cpip) { if($ipcount == 0) { $ips = "{$cpip} "; 
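Review bot: `$user_name` is still interpolated unquoted into the shell command on the rewritten `exec("/usr/sbin/pw {$un}lock {$user_name} -q");` line; the value comes from the user record rather than from a request, but the rest of this codebase already wraps such arguments (see the `escapeshellarg()` calls in the gwlb.inc hunks of this commit). Use `exec("/usr/sbin/pw {$un}lock " . escapeshellarg($user_name) . " -q");`. The new `unlink_if_exists()` on the `else` path is a good fix for stale keys surviving a key removal; local_user_set() begins and ends outside this hunk.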
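Review bot: The new failure line `log_auth("webConfigurator authentication error for '{$_POST['usernamefld']}' from {$_SERVER['REMOTE_ADDR']}");` writes the submitted username verbatim, so a request can embed newlines or a fake `from <ip>` fragment and forge entries in the auth log; since this commit also adds a `<webConfiguratorlockout>` table in filter.inc, presumably something parses exactly these lines, which makes forged entries worth preventing. Strip control characters first, e.g. `$authuser = preg_replace('/[[:cntrl:]]+/', '', $_POST['usernamefld']);` and log `$authuser` instead. The message also drops the `gettext()` wrapper that the success branch in the -1184 hunk keeps; if the literal text is intentional so a log watcher can match it, a one-line comment saying so would stop the next translator from "fixing" it. session_auth() begins and ends outside this hunk.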
@@ -616,7 +617,7 @@ EOD; } $ipcount++; } - $ips = "{ {$ips} }"; + $ips = "{ 255.255.255.255 or {$ips} }"; $cprules .= "add {$rulenum} set 1 pass ip from any to {$ips} in\n"; $rulenum++; $cprules .= "add {$rulenum} set 1 pass ip from {$ips} to any out\n"; diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc index 33aac66..e82baba 100644 --- a/etc/inc/certs.inc +++ b/etc/inc/certs.inc @@ -308,10 +308,15 @@ function cert_get_subject($str_crt, $decode = true) { return "unknown"; foreach ($components as $a => $v) { - if (!strlen($subject)) - $subject = "{$a}={$v}"; - else - $subject = "{$a}={$v}, {$subject}"; + if (is_array($v)) + foreach ($v as $w) { + $asubject = "{$a}={$w}"; + $subject = (strlen($subject)) ? "{$asubject}, {$subject}" : $asubject; + } + else { + $asubject = "{$a}={$v}"; + $subject = (strlen($subject)) ? "{$asubject}, {$subject}" : $asubject; + } } return $subject; diff --git a/etc/inc/config.console.inc b/etc/inc/config.console.inc index 934f0d1..40b765e 100644 --- a/etc/inc/config.console.inc +++ b/etc/inc/config.console.inc @@ -38,7 +38,7 @@ POSSIBILITY OF SUCH DAMAGE. - pfSense_BUILDER_BINARIES: /sbin/mount /sbin/sysctl /sbin/umount /sbin/halt /sbin/fsck /bin/sync + pfSense_BUILDER_BINARIES: /sbin/mount /sbin/sysctl /sbin/umount /sbin/halt /sbin/fsck pfSense_MODULE: config */ diff --git a/etc/inc/config.gui.inc b/etc/inc/config.gui.inc index eea6f33..cd38049 100644 --- a/etc/inc/config.gui.inc +++ b/etc/inc/config.gui.inc @@ -38,7 +38,7 @@ POSSIBILITY OF SUCH DAMAGE. - pfSense_BUILDER_BINARIES: /sbin/mount /sbin/sysctl /sbin/umount /sbin/halt /sbin/fsck /bin/sync + pfSense_BUILDER_BINARIES: /sbin/mount /sbin/sysctl /sbin/umount /sbin/halt /sbin/fsck pfSense_MODULE: config */ /* 
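Review bot: When `$cpips` is empty the rewritten line `$ips = "{ 255.255.255.255 or {$ips} }";` produces `{ 255.255.255.255 or  }`, an or-block with a dangling operator that ipfw will presumably reject along with the rest of the rule load; the new `$ips = "";` only silences the undefined-variable notice, it does not handle the empty list. Guard the concatenation: `$ips = ($ips == "") ? "{ 255.255.255.255 }" : "{ 255.255.255.255 or {$ips} }";` (the loop body that joins the addresses sits between the two hunks, so the separator format is inferred from the first-element assignment). The pass rules also now admit any IP protocol to the limited-broadcast address before authentication; if the intent is to let DHCP through, restricting to `udp` with `dst-port 67` would be the narrower rule, and either way a comment stating why 255.255.255.255 is allowed would help.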
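Review bot: The two branches of the rewritten loop in cert_get_subject() repeat the same two statements, differing only in whether `$v` is iterated; an array cast folds both cases into one path: `foreach ((array)$v as $w) { $asubject = "{$a}={$w}"; $subject = strlen($subject) ? "{$asubject}, {$subject}" : $asubject; }`. `$subject` is read before any assignment visible here, so it is presumably initialized above the hunk, where the function begins.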
@@ -49,10 +49,10 @@ require_once("globals.inc"); /* do not load this file twice. */ -if($config_inc_loaded == true) +if($config_parsed == true) return; else - $config_inc_loaded = true; + $config_parsed = true; // Set the memory limit to 128M. When someone has something like 500+ tunnels // the parser needs quite a bit of ram. Do not remove this line unless you diff --git a/etc/inc/config.inc b/etc/inc/config.inc index 98592c9..b01fa13 100644 --- a/etc/inc/config.inc +++ b/etc/inc/config.inc @@ -38,7 +38,7 @@ POSSIBILITY OF SUCH DAMAGE. - pfSense_BUILDER_BINARIES: /sbin/mount /sbin/sysctl /sbin/umount /sbin/halt /sbin/fsck /bin/sync + pfSense_BUILDER_BINARIES: /sbin/mount /sbin/sysctl /sbin/umount /sbin/halt /sbin/fsck pfSense_MODULE: config */ @@ -48,10 +48,17 @@ if($g['booting']) echo "."; //if (in_array("/etc/inc/config.inc", get_included_files())) // return; -// Set the memory limit to 128M. When someone has something like 500+ tunnels +// Set the memory limit to 128M on i386. When someone has something like 500+ tunnels // the parser needs quite a bit of ram. Do not remove this line unless you // know what you are doing. If in doubt, check with dev@ _/FIRST/_! -ini_set("memory_limit","128M"); +if(!$ARCH) + $ARCH = php_uname("m"); + +// Set memory limit to 256M on amd64. +if($ARCH == "amd64") + ini_set("memory_limit","256M"); +else + ini_set("memory_limit","128M"); /* include globals from notices.inc /utility/XML parser files */ require_once("notices.inc"); diff --git a/etc/inc/config.lib.inc b/etc/inc/config.lib.inc index 36417cd..e985aa8 100644 --- a/etc/inc/config.lib.inc +++ b/etc/inc/config.lib.inc @@ -39,7 +39,7 @@ POSSIBILITY OF SUCH DAMAGE. - pfSense_BUILDER_BINARIES: /sbin/mount /sbin/sysctl /sbin/umount /sbin/halt /sbin/fsck /bin/sync + pfSense_BUILDER_BINARIES: /sbin/mount /sbin/sysctl /sbin/umount /sbin/halt /sbin/fsck pfSense_MODULE: config */ 
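Review bot: `if(!$ARCH)` tests a variable that nothing in this hunk defines, so on the common path PHP raises an undefined-variable notice before falling back to `php_uname("m")`; `if (empty($ARCH))` takes the same branch without the notice. The existing comment only explains the i386 value, so a short note on why amd64 gets 256M would help the next reader. Because this block is at file scope, `$ARCH` becomes a global that later includes may read; if that is intended, say so in the comment.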
@@ -148,7 +148,7 @@ function parse_config($parse = false) {
 die(gettext("Config.xml is corrupted and is 0 bytes. Could not restore a previous backup."));
 }
 }
-$config = parse_xml_config($g['conf_path'] . '/config.xml', $g['xml_rootobj']);
+$config = parse_xml_config($g['conf_path'] . '/config.xml', array($g['xml_rootobj'], 'pfsense'));
 if($config == "-1") {
 $last_backup = discover_last_backup();
 if ($last_backup)
@@ -210,6 +210,7 @@ function restore_backup($file) {
 conf_mount_rw();
 unlink_if_exists("{$g['tmp_path']}/config.cache");
 copy("$file","/cf/conf/config.xml");
+disable_security_checks();
 log_error(sprintf(gettext('%1$s is restoring the configuration %2$s'), $g['product_name'], $file));
 file_notice("config.xml", sprintf(gettext('%1$s is restoring the configuration %2$s'), $g['product_name'], $file), "pfSenseConfigurator", "");
 conf_mount_ro();
@@ -352,7 +353,7 @@ function conf_mount_ro() {
 clear_subsystem_dirty('mount');
 /* sync data, then force a remount of /cf */
-mwexec("/bin/sync; /bin/sync");
+pfSense_sync();
 mwexec("/sbin/mount -u -r -f {$g['cf_path']}");
 mwexec("/sbin/mount -u -r -f /");
 }
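Review bot: In restore_backup() the added `disable_security_checks();` runs unconditionally after a `copy()` whose return value is never examined, so a restore that failed to write config.xml still relaxes the DNS-rebind and referer checks for the next request, and the existing `log_error()` line only says a restore is happening. Guard it on the copy and say so in the log: `if (copy("$file","/cf/conf/config.xml")) disable_security_checks();` and extend the message with `gettext('(DNS rebind and HTTP referer checks are suspended until the next successful request)')`. The remainder of restore_backup() is outside the hunk.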
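Review bot: `pfSense_sync()` replaces the shell `sync` in conf_mount_ro(), but nothing in this diff defines it; if it comes from the pfSense PHP extension, a build without that module turns this into a fatal undefined-function error right before `/cf` is remounted read-only. A guard keeps the old behavior as the fallback: `if (function_exists('pfSense_sync')) pfSense_sync(); else mwexec("/bin/sync; /bin/sync");`. The same call is added to safe_write_file() in the next hunk and would want the same guard.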
@@ -432,27 +433,32 @@ function convert_config() { * boolean - true if successful, false if not ******/ function safe_write_file($file, $content, $force_binary) { - $tmp_file = $file . "." . getmypid(); - $write_mode = $force_binary ? "wb" : "w"; + $tmp_file = $file . "." . getmypid(); + $write_mode = $force_binary ? "wb" : "w"; - $fd = fopen($tmp_file, $write_mode); - if (!$fd) { - // Unable to open temporary file for writing - return false; - } - if (!fwrite($fd, $content)) { - // Unable to write to temporary file - fclose($fd); - return false; + $fd = fopen($tmp_file, $write_mode); + if (!$fd) { + // Unable to open temporary file for writing + return false; } - fclose($fd); + if (!fwrite($fd, $content)) { + // Unable to write to temporary file + fclose($fd); + return false; + } + fflush($fd); + fclose($fd); - if (!rename($tmp_file, $file)) { - // Unable to move temporary file to original - unlink($tmp_file); - return false; - } - return true; + if (!rename($tmp_file, $file)) { + // Unable to move temporary file to original + @unlink($tmp_file); + return false; + } + + // Sync file before returning + pfSense_sync(); + + return true; } /****f* config/write_config @@ -569,6 +575,8 @@ function reset_factory_defaults($lock = false) { /* copy default configuration */ copy("{$g['conf_default_path']}/config.xml", "{$g['conf_path']}/config.xml"); + disable_security_checks(); + /* call the wizard */ touch("/conf/trigger_initial_wizard"); if (!$lock) @@ -593,6 +601,8 @@ function config_restore($conffile) { unlink_if_exists("{$g['tmp_path']}/config.cache"); copy($conffile, "{$g['cf_conf_path']}/config.xml"); + disable_security_checks(); + unlock($lockkey); $config = parse_config(true); @@ -623,6 +633,8 @@ function config_install($conffile) { copy($conffile, "{$g['conf_path']}/config.xml"); + disable_security_checks(); + /* unlink cache file if it exists */ if(file_exists("{$g['tmp_path']}/config.cache")) unlink("{$g['tmp_path']}/config.cache"); 
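Review bot: In the re-indented safe_write_file() the failure test `if (!fwrite($fd, $content))` treats a zero-byte write as an error, so an empty `$content` always fails, while a short write (fewer bytes than `strlen($content)`) is reported as success; on that failure path the temp file is also left behind, unlike the rename failure path which now unlinks it. Replace the check with `if (fwrite($fd, $content) !== strlen($content)) { fclose($fd); @unlink($tmp_file); return false; }`. Separately, `rename()` keeps the temp file's mode, so after the call the permissions of `$file` come from the process umask rather than from the previous file; if callers expect config.xml to stay non-world-readable, copy the old mode onto `$tmp_file` (`@chmod($tmp_file, fileperms($file) & 0777)`) before the rename, but I cannot tell from this hunk what the callers rely on.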
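Review bot: In config_install() the added `disable_security_checks();` follows `copy($conffile, ...)` without looking at copy()'s result, so a failed install still relaxes the web GUI checks. `if (!copy($conffile, "{$g['conf_path']}/config.xml")) return 1;` before it would prevent that, assuming non-zero is this function's error convention (the visible `return 0;` in the next hunk suggests so). The same unconditional call is added to reset_factory_defaults() and config_restore() in the preceding hunks.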
@@ -633,6 +645,31 @@ function config_install($conffile) {
 return 0;
 }
+/*
+ * Disable security checks for DNS rebind and HTTP referrer until next time
+ * they pass (or reboot), to aid in preventing accidental lockout when
+ * restoring settings like hostname, domain, IP addresses, and settings
+ * related to the DNS rebind and HTTP referrer checks.
+ * Intended for use when restoring a configuration or directly
+ * modifying config.xml without an unconditional reboot.
+ */
+function disable_security_checks() {
+global $g;
+touch("{$g['tmp_path']}/disable_security_checks");
+}
+
+/* Restores security checks. Should be called after all succeed. */
+function restore_security_checks() {
+global $g;
+unlink_if_exists("{$g['tmp_path']}/disable_security_checks");
+}
+
+/* Returns status of security check temporary disable. */
+function security_checks_disabled() {
+global $g;
+return file_exists("{$g['tmp_path']}/disable_security_checks");
+}
+
 function config_validate($conffile) {
 global $g, $xmlerr;
@@ -690,7 +727,7 @@ function cleanup_backupcache($revisions = 30, $lock = false) {
 $i = true;
 if($g['booting'])
 echo ".";
-$newxml = parse_xml_config($backup, $g['xml_rootobj']);
+$newxml = parse_xml_config($backup, array($g['xml_rootobj'], 'pfsense'));
 if($newxml == "-1") {
 log_error(sprintf(gettext("The backup cache file %s is corrupted. Unlinking."), $backup));
 unlink($backup);
diff --git a/etc/inc/dyndns.class b/etc/inc/dyndns.class
index 247fa68..785c902 100644
--- a/etc/inc/dyndns.class
+++ b/etc/inc/dyndns.class
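Review bot: `disable_security_checks()` ignores the return value of `touch()` and writes nothing to the log, so neither a failed marker creation nor a successful one leaves any trace in syslog, even though it switches off two web GUI protections. Suggest `if (@touch("{$g['tmp_path']}/disable_security_checks")) log_error(gettext("DNS rebind and HTTP referer checks temporarily disabled until they next pass.")); else log_error(gettext("Could not create security check marker file."));`. The docblock promises the marker clears "or reboot", which holds only if `$g['tmp_path']` is wiped at boot; that assumption belongs in the comment. Since `security_checks_disabled()` trusts a plain file, the comment should also state that anything able to write to that directory can suspend the checks.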
@@ -92,8 +92,8 @@ global $config, $g; - $this->_cacheFile = "{$g['conf_path']}/dyndns_{$dnsIf}{$dnsService}.cache"; - $this->_debugFile = "{$g['varetc_path']}/dyndns_{$dnsIf}{$dnsService}.debug"; + $this->_cacheFile = "{$g['conf_path']}/dyndns_{$dnsIf}{$dnsService}" . escapeshellarg($dnsHost) . ".cache"; + $this->_debugFile = "{$g['varetc_path']}/dyndns_{$dnsIf}{$dnsService}" . escapeshellarg($dnsHost) . ".debug"; log_error("DynDns: updatedns() starting"); @@ -175,7 +175,7 @@ curl_setopt($ch, CURLOPT_USERAGENT, $this->_UserAgent); curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); curl_setopt($ch, CURLOPT_INTERFACE, $this->_ifIP); - curl_setopt($ch, CURLOPT_TIMEOUT, 30); // Completely empirical + curl_setopt($ch, CURLOPT_TIMEOUT, 60); // Completely empirical } switch ($this->_dnsService) { @@ -902,11 +902,23 @@ $this->_ifIP = $ip_address; if (is_private_ip($ip_address)) { $hosttocheck = "checkip.dyndns.org"; - $checkip = gethostbyname($hosttocheck); + $try = 0; + while ($try < 3) { + $checkip = gethostbyname($hosttocheck); + if (is_ipaddr($checkip)) + break; + $try++; + } + if ($try >= 3) { + log_error("Dyndns debug information: Could not resolve {$hosttocheck} to ip using interface ip {$ip_address}."); + return $ip_address; /* XXX: Might return private ip address! */ + } $ip_ch = curl_init("http://{$checkip}"); curl_setopt($ip_ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ip_ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ip_ch, CURLOPT_INTERFACE, $ip_address); + curl_setopt($ip_ch, CURLOPT_CONNECTTIMEOUT, '30'); + curl_setopt($ip_ch, CURLOPT_TIMEOUT, 60); $ip_result_page = curl_exec($ip_ch); curl_close($ip_ch); $ip_result_decoded = urldecode($ip_result_page); diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index c9ed6f8..8d0d9f2 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc 
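Review bot: `escapeshellarg($dnsHost)` is the wrong sanitizer for a file name: it wraps the value in single quotes, so the cache and debug files are literally named `dyndns_...'host'.cache`, and it leaves `/` and `..` untouched, so a host value containing them still escapes `$g['conf_path']`. Use a filename whitelist instead, e.g. `$safeHost = preg_replace('/[^A-Za-z0-9._-]/', '_', $dnsHost);` and build both paths from `$safeHost`. `$dnsHost` is presumably administrator configuration, so this is about robustness against odd input rather than a remote exploit, but the quoting alone makes the files hard to find on disk. The enclosing method begins and ends outside this hunk.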
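Review bot: The three-attempt `gethostbyname()` loop retries back-to-back with no pause, so a transient resolver outage is effectively tried once, and on failure the function returns the private `$ip_address` that the caller may then publish to the provider (the `XXX` comment acknowledges this). A short `usleep(250000);` between attempts, and returning `false` so the caller skips the update, would be the safer shape, though the return contract is outside this hunk. The check-IP fetch is plain `http://{$checkip}`, so the detected public address arrives unauthenticated and anyone on the path can make the firewall register an arbitrary address; that is pre-existing, but the new timeout lines are a good place for a comment recording that trust assumption.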
@@ -62,31 +62,27 @@ $aliases = ""; function flowtable_configure() { global $config, $g; - return; + + if (empty($config['system']['flowtable'])) { + mwexec("/sbin/sysctl net.inet.flowtable.enable=0", true); + return; + } + // Figure out how many flows we should reserve // sized 2x larger than the number of unique connection destinations. if($config['system']['maximumstates'] <> "" && is_numeric($config['system']['maximumstates'])) $maxstates = $config['system']['maximumstates']; else - $maxstates = "150000"; + $maxstates = 150000; // nmbflows cpu count * ($maxstates * 2) - $cpus = trim(`/sbin/sysctl kern.smp.cpus | /usr/bin/cut -d' ' -f2`); + $cpus = trim(`/sbin/sysctl -n kern.smp.cpus`, " \n"); $nmbflows = ($cpus*($maxstates*2)); - // flowtable is not enabled - /* - if($config['system']['flowtable']) - $flowtable_enable = 1; - else - $flowtable_enable = 0; // Flowtable currently only works on 8.0 if(get_freebsd_version() == "8") { - if($flowtable_enable == 1) { - mwexec("/sbin/sysctl net.inet.flowtable.nmbflows={$config['system']['maximumstates']}"); - mwexec("/sbin/sysctl net.inet.ip.output_flowtable_size={$nmbflows}"); - } - mwexec("/sbin/sysctl net.inet.flowtable.enable={$flowtable_enable}"); + mwexec("/sbin/sysctl net.inet.flowtable.nmbflows={$nmbflows}"); + mwexec("/sbin/sysctl net.inet.ip.output_flowtable_size={$maxstates}"); + mwexec("/sbin/sysctl net.inet.flowtable.enable=1"); } - */ } function filter_load_ipfw() { 
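Review bot: `is_numeric()` accepts values such as `1e5`, ` 12` and hex-like strings, and `$maxstates` and `$cpus` are then interpolated into sysctl command lines, so a malformed `maximumstates` yields a malformed sysctl instead of the 150000 default. Cast after the check, `$maxstates = (int)$config['system']['maximumstates'];`, cast `$cpus = (int)trim(...)`, and fall back to the defaults when either is below 1. The disable call at the top runs on every FreeBSD version while the enable calls run only on version 8; that asymmetry looks intended but deserves a one-line comment.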
@@ -135,16 +131,27 @@ function filter_pflog_start() { /* reload filter async */ function filter_configure() { + global $g; + if(isset($config['system']['developerspew'])) { $mt = microtime(); echo "filter_configure() being called $mt\n"; } - send_event("filter reload"); + + /* + * NOTE: Check here for bootup status since this should not be triggered during bootup. + * The reason is that rc.bootup calls filter_configure_sync directly which does this too. + */ + if (!$g['booting']) + send_event("filter reload"); } function filter_delete_states_for_down_gateways() { global $config, $GatewaysList; + if (isset($config['system']['kill_states'])) + return; + $a_gateways = return_gateways_status(); if (is_array($GatewaysList)) { foreach ($GatewaysList as $gwname => $gateway) { @@ -177,8 +184,9 @@ function filter_configure_sync() { global $config, $g, $after_filter_configure_run, $FilterIflist; global $time_based_rules, $filterdns, $aliases; - /* Use config lock to not allow recursion and config changes during this run. */ - $filterlck = lock('config'); + /* Use filter lock to not allow recursion and config lock to prevent changes during this run. */ + $filterlck = lock('filter', LOCK_EX); + $configlck = lock('config'); filter_pflog_start(); @@ -233,6 +241,7 @@ function filter_configure_sync() { update_filter_reload_status(gettext("Filter is disabled. Not loading rules.")); if($g['booting'] == true) echo gettext("done.") . "\n"; + unlock($configlck); unlock($filterlck); return; } @@ -290,6 +299,7 @@ function filter_configure_sync() { if(!file_put_contents("{$g['tmp_path']}/rules.debug", $rules, LOCK_EX)) { log_error(gettext("WARNING: Could not write new rules!")); + unlock($configlck); unlock($filterlck); return; } @@ -329,6 +339,7 @@ function filter_configure_sync() { file_notice("filter_load", $error_msg, "Filter Reload", ""); log_error($error_msg); update_filter_reload_status($error_msg); + unlock($configlck); unlock($filterlck); return; } 
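Review bot: filter_configure() now declares `global $g;` but still reads `$config['system']['developerspew']` from a `$config` that is never brought into function scope, so the debug branch can never fire; the line should read `global $g, $config;`. The bootup guard on `send_event()` is a reasonable fix for the double reload and the NOTE comment explains it adequately.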
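Review bot: With `lock('filter', LOCK_EX)` now taken before `lock('config')`, any caller that already holds the config lock and then calls filter_configure_sync() will block on (or, depending on lock()'s semantics, which are outside this diff, recurse into) the config lock. The three early-return paths touched here release both locks in the right order, but most of the function body is outside these hunks and any other `return` there would now leak the config lock. A comment above the acquisition, `/* Lock order: filter then config; every return path below must release both */`, plus a grep for remaining returns would make the new invariant visible.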
@@ -357,7 +368,7 @@ function filter_configure_sync() { * FilterDNS has three debugging levels. The default choosen is 1. * Availabe are level 2 and greater then 2. */ - mwexec("/usr/local/sbin/filterdns {$g['tmp_path']}/filterdns.pid 300 {$g['varetc_path']}/filterdns.conf 1"); + mwexec("/usr/local/sbin/filterdns -p {$g['tmp_path']}/filterdns.pid -i 300 -c {$g['varetc_path']}/filterdns.conf -d 1"); } /* run items scheduled for after filter configure run */ @@ -377,7 +388,7 @@ function filter_configure_sync() { fclose($fda); } - unlock($filterlck); + unlock($configlck); if(file_exists("{$g['tmp_path']}/commands.txt")) { mwexec("sh {$g['tmp_path']}/commands.txt &"); @@ -408,6 +419,7 @@ function filter_configure_sync() { if($g['booting'] == true) echo gettext("done.") . "\n"; + unlock($filterlck); return 0; } @@ -514,6 +526,7 @@ function filter_generate_aliases() { $aliases .= "\n#SSH Lockout Table\n"; $aliases .= "table <sshlockout> persist\n"; + $aliases .= "table <webConfiguratorlockout> persist\n"; $aliases .= "#Snort2C table\n"; $aliases .= "table <snort2c>\n"; @@ -845,7 +858,12 @@ function filter_get_reflection_interfaces($natif = "") { return $nat_if_list; } -function filter_generate_reflection_nat($rule, $nat_ifs, $protocol, $target, $target_ip, $target_subnet = "") { +function filter_generate_reflection_nat($rule, &$route_table, $nat_ifs, $protocol, $target, $target_ip, $target_subnet = "") { + global $config; + + if(!isset($config['system']['enablenatreflectionhelper'])) + return ""; + // Initialize natrules holder string $natrules = ""; 
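Review bot: The new by-reference `&$route_table` parameter is inserted in the middle of filter_generate_reflection_nat()'s list rather than appended, so any caller not updated in this commit would silently bind its `$nat_ifs` argument to `$route_table`; only the call in the -1200 hunk is updated here. Appending it with a default, `..., $target_subnet = "", &$route_table = null`, keeps older call sites working. The early `return ""` when `enablenatreflectionhelper` is unset happens before the route table is populated, which is correct but deserves a one-line comment since the cache parameter looks unused on that path. The function body continues past this hunk.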
@@ -864,21 +882,26 @@ function filter_generate_reflection_nat($rule, $nat_ifs, $protocol, $target, $ta $protocol_text = ""; } - $target_if_list = array(); - if(empty($target_subnet) || !is_numeric($target_subnet) || $target_subnet == 32) { - $target_if_list[] = guess_interface_from_ip($target_ip); - } else { - $target_if_list[] = guess_interface_from_ip(gen_subnet_max($target_ip, $target_subnet)); - } + if(empty($target_subnet) || !is_numeric($target_subnet)) + $target_subnet = 32; - foreach ($target_if_list as $target_if) { - /* Only install additional NAT rules if the - * target is in the list of source networks */ - if(in_array($target_if, $nat_ifs)) { - $target_networks = "{$target_if}:network"; + if(!is_array($route_table)) { + $route_table = array(); + /* create a route table we can search */ + exec("netstat -rnWf inet", $route_table); + } - $natrules .= "no nat on {$target_if}{$protocol_text} from {$target_if} to {$target}\n"; - $natrules .= "nat on {$target_if}{$protocol_text} from {$target_networks} to {$target} -> {$target_if}{$static_port}\n"; + /* Search for matching subnets in the routing table */ + foreach($route_table as $line) { + if(preg_match("/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+[ ]+([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|link[#])/", $line)) { + $fields = preg_split("/[ ]+/", $line); + $subnet = $fields[0]; + $subnet_split = explode("/", $subnet); + $subnet_if = $fields[6]; + if(in_array($subnet_if, $nat_ifs) && check_subnets_overlap($target_ip, $target_subnet, $subnet_split[0], $subnet_split[1])) { + $natrules .= "no nat on {$subnet_if}{$protocol_text} from {$subnet_if} to {$target}\n"; + $natrules .= "nat on {$subnet_if}{$protocol_text} from {$subnet} to {$target} -> {$subnet_if}{$static_port}\n"; + } } } @@ -1143,6 +1166,7 @@ function filter_nat_rules_generate() { update_filter_reload_status(gettext("Creating 1:1 rules...")); $reflection_txt = ""; + $route_table = ""; /* any 1:1 mappings? */ if(is_array($config['nat']['onetoone'])) { 
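Review bot: `exec("netstat -rnWf inet", $route_table)` relies on a PATH lookup while this same commit absolutizes `/sbin/ifconfig` in globals.inc and the rest of filter.inc calls `/sbin/sysctl` by full path; use `/usr/bin/netstat -rnWf inet` so the result does not depend on the environment of whatever triggered the filter reload. The parser also trusts `$fields[6]` to be the Netif column; a comment naming the expected `netstat -rnW` header layout would make that index less fragile for the next reader. `check_subnets_overlap()` is not in this diff, so I assume it exists elsewhere in the include set.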
@@ -1200,7 +1224,7 @@ function filter_nat_rules_generate() { } $nat_if_list = array_merge(array($natif), $nat_if_list); - $reflection_txt .= filter_generate_reflection_nat($rule, $nat_if_list, "", $srcaddr, $srcip, $sn); + $reflection_txt .= filter_generate_reflection_nat($rule, $route_table, $nat_if_list, "", $srcaddr, $srcip, $sn); } } $natrules .= "\n# Outbound NAT rules\n"; @@ -1493,11 +1517,12 @@ function filter_nat_rules_generate() { fclose($inetd_fd); // Close file handle // Check if inetd is running, if not start it. If so, restart it gracefully. $helpers = isvalidproc("inetd"); - if(!$helpers) - mwexec("/usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.conf"); - else - sigkillbypid("/var/run/inetd.pid", "HUP"); - + if(file_exists("/var/etc/inetd.conf")) { + if(!$helpers) + mwexec("/usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.conf"); + else + sigkillbypid("/var/run/inetd.pid", "HUP"); + } $natrules .= discover_pkg_rules("nat"); $natrules .= filter_process_carp_nat_rules(); @@ -2031,8 +2056,21 @@ EOD; $sshport = $config['system']['ssh']['port']; else $sshport = 22; - $ipfrules .= "block in log quick proto tcp from <sshlockout> to any port {$sshport} label \"sshlockout\"\n"; + if($sshport) + $ipfrules .= "block in log quick proto tcp from <sshlockout> to any port {$sshport} label \"sshlockout\"\n"; + } + + $ipfrules .= "\n# webConfigurator lockout\n"; + if(!$config['system']['webgui']['port']) { + if($config['system']['webgui']['protocol'] == "http") + $webConfiguratorlockoutport = "80"; + else + $webConfiguratorlockoutport = "443"; + } else { + $webConfiguratorlockoutport = $config['system']['webgui']['port']; } + if($webConfiguratorlockoutport) + $ipfrules .= "block in log quick proto tcp from <webConfiguratorlockout> to any port {$webConfiguratorlockoutport} label \"webConfiguratorlockout\"\n"; /* * Support for allow limiting of TCP connections by establishment rate 
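Review bot: `$config['system']['webgui']['port']` goes straight into the pf rule text on the new `block in log quick ... port {$webConfiguratorlockoutport}` line, so a non-numeric or out-of-range value would make pfctl reject the whole rule set at load time, and the `if($webConfiguratorlockoutport)` guard only catches an empty value. Validate it first, `if (!is_numeric($webConfiguratorlockoutport) || $webConfiguratorlockoutport < 1 || $webConfiguratorlockoutport > 65535) $webConfiguratorlockoutport = "";` (or a project validator such as is_port() if one is available), so a bad port degrades to no lockout rule. Nothing in this diff adds addresses to `<webConfiguratorlockout>`, so presumably a separate log watcher populates it; a comment pointing at it would help.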
diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc index b8593dc..ba97ba0 100644 --- a/etc/inc/globals.inc +++ b/etc/inc/globals.inc @@ -41,7 +41,7 @@ function remove_numbers($string) { } function get_nics_with_capabilities($CAPABILITIES) { - $ifs = `ifconfig -l`; + $ifs = `/sbin/ifconfig -l`; $if_list = split(" ", $ifs); $vlan_native_supp = array(); foreach($if_list as $if => $iface) { @@ -113,7 +113,7 @@ $vlan_native_supp = get_nics_with_capabilities("vlanmtu"); if(count($vlan_native_supp) > 0) $g['vlan_long_frame'] = $vlan_native_supp; else - $g['vlan_long_frame'] = array("vge", "bfe", "bge", "dc", "em", "fxp", "gem", "hme", "ixgb", "le", "nge", "re", "rl", "sis", "sk", "ste", "ti", "tl", "tx", "txp", "vr", "xl", "lagg"); + $g['vlan_long_frame'] = array("vge", "bfe", "bge", "dc", "em", "fxp", "gem", "hme", "ixgb", "le", "lem", "nge", "re", "rl", "sis", "sk", "ste", "ti", "tl", "tx", "txp", "vr", "xl", "lagg"); /* IP TOS flags */ $iptos = array("lowdelay", "throughput", "reliability"); @@ -122,7 +122,7 @@ $iptos = array("lowdelay", "throughput", "reliability"); $tcpflags = array("syn", "ack", "fin", "rst", "psh", "urg"); if(file_exists("/etc/platform")) { - $arch = trim(`uname -m`); + $arch = php_uname("m"); $g['platform'] = trim(file_get_contents("/etc/platform")); if($g['platform'] == "nanobsd") { $g['update_url']="http://snapshots.pfsense.org/FreeBSD_RELENG_8_1/{$arch}/pfSense_HEAD/.updaters/"; 
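Review bot: The hunk only absolutizes the ifconfig path; the next context line still uses `split(" ", $ifs)`, the deprecated ereg-based function, and because the backtick output ends in a newline the last interface name in `$if_list` carries a trailing `\n`. Since the line is being touched, prefer `$ifs = trim(shell_exec("/sbin/ifconfig -l"));` and `$if_list = explode(" ", $ifs);`. get_nics_with_capabilities() continues past the hunk.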
@@ -138,32 +138,33 @@ if(file_exists("/etc/platform")) { /* Default sysctls */ $sysctls = array("net.inet.ip.portrange.first" => "1024", - "net.inet.tcp.blackhole" => "2", - "net.inet.udp.blackhole" => "1", - "net.inet.ip.random_id" => "1", - "net.inet.tcp.drop_synfin" => "1", - "net.inet.ip.redirect" => "1", - "net.inet6.ip6.redirect" => "1", - "net.inet.tcp.syncookies" => "1", - "net.inet.tcp.recvspace" => "65228", - "net.inet.tcp.sendspace" => "65228", - "net.inet.ip.fastforwarding" => "1", - "net.inet.tcp.delayed_ack" => "0", - "net.inet.udp.maxdgram" => "57344", - "net.link.bridge.pfil_onlyip" => "0", - "net.link.bridge.pfil_member" => "1", - "net.link.bridge.pfil_bridge" => "0", - "net.link.tap.user_open" => "1", - "kern.rndtest.verbose" => "0", - "kern.randompid" => "347", - "net.inet.ip.intr_queue_maxlen" => "1000", - "hw.syscons.kbd_reboot" => "0", - "net.inet.tcp.inflight.enable" => "1", - "net.inet.tcp.log_debug" => "0", - "net.inet.tcp.tso" => "1", - "net.inet.icmp.icmplim" => "0" - ); - -$config_inc_loaded = false; - -?>
\ No newline at end of file + "net.inet.tcp.blackhole" => "2", + "net.inet.udp.blackhole" => "1", + "net.inet.ip.random_id" => "1", + "net.inet.tcp.drop_synfin" => "1", + "net.inet.ip.redirect" => "1", + "net.inet6.ip6.redirect" => "1", + "net.inet.tcp.syncookies" => "1", + "net.inet.tcp.recvspace" => "65228", + "net.inet.tcp.sendspace" => "65228", + "net.inet.ip.fastforwarding" => "0", + "net.inet.tcp.delayed_ack" => "0", + "net.inet.udp.maxdgram" => "57344", + "net.link.bridge.pfil_onlyip" => "0", + "net.link.bridge.pfil_member" => "1", + "net.link.bridge.pfil_bridge" => "0", + "net.link.tap.user_open" => "1", + "kern.rndtest.verbose" => "0", + "kern.randompid" => "347", + "net.inet.ip.intr_queue_maxlen" => "1000", + "hw.syscons.kbd_reboot" => "0", + "net.inet.tcp.inflight.enable" => "1", + "net.inet.tcp.log_debug" => "0", + "net.inet.tcp.tso" => "1", + "net.inet.icmp.icmplim" => "0", + "vfs.read_max" => "32" +); + +$config_parsed = false; + +?> diff --git a/etc/inc/gwlb.inc b/etc/inc/gwlb.inc index 8ff94d9..1dcd6c1 100644 --- a/etc/inc/gwlb.inc +++ b/etc/inc/gwlb.inc @@ -41,8 +41,6 @@ function setup_gateways_monitor() { if (!is_array($gateways_arr)) { log_error("No gateways to monitor. Apinger will not be run."); killbypid("{$g['varrun_path']}/apinger.pid"); - // TEMPORARY XXX - exec("/usr/bin/killall -9 apinger"); @unlink("{$g['tmp_path']}/apinger.status"); return; } @@ -215,7 +213,7 @@ EOD; log_error(sprintf(gettext('Removing static route for monitor %1$s and adding a new route through %2$s'), $gateway['monitor']. $gateway['gateway'])); mwexec("/sbin/route delete -host " . escapeshellarg($gateway['monitor']), true); mwexec("/sbin/route add -host " . escapeshellarg($gateway['monitor']) . - " " . escapeshellarg($gateway['gateway'])); + " " . escapeshellarg($gateway['gateway']), true); } $apingerconfig .= $alarmscfg; 
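Review bot: Apart from the re-indentation and the new `vfs.read_max` entry, the only semantic change in this hunk is `net.inet.ip.fastforwarding` going from 1 to 0, which is easy to miss in the whitespace churn and has no comment explaining why; add one beside the entry, e.g. `// fastforwarding off: <reason>`, so the next reader does not flip it back. The file also keeps a closing `?>`; any trailing whitespace after it in an include is sent as output and can break later header() calls, so dropping the `?>` is the usual cure now that the line is being edited anyway. `net.inet.ip.redirect` and `net.inet6.ip6.redirect` stay at 1, which on a firewall is presumably deliberate and worth a comment as well.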
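Review bot: The context line `log_error(sprintf(gettext('Removing static route for monitor %1$s and adding a new route through %2$s'), $gateway['monitor']. $gateway['gateway']));` concatenates the two values with `.` instead of separating them with `,`, so sprintf() receives one argument for two placeholders, PHP emits a "Too few arguments" warning and the log line is lost. Change `$gateway['monitor']. $gateway['gateway']` to `$gateway['monitor'], $gateway['gateway']`. The added `true` on the `route add` mwexec() mutes failures, so a wrong gateway now fails silently; checking its return value and logging would keep that visible. setup_gateways_monitor() begins and ends outside this hunk.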
@@ -225,8 +223,6 @@ EOD; fclose($fd); killbypid("{$g['varrun_path']}/apinger.pid"); - // TEMPORARY XXX - exec("/usr/bin/killall -9 apinger"); if (is_dir("{$g['tmp_path']}")) chmod("{$g['tmp_path']}", 01777); if (!is_dir("{$g['vardb_path']}/rrd")) @@ -236,6 +232,7 @@ EOD; /* start a new apinger process */ @unlink("{$g['tmp_path']}/apinger.status"); + sleep(1); mwexec_bg("/usr/local/sbin/apinger -c {$g['varetc_path']}/apinger.conf"); return 0; @@ -291,13 +288,14 @@ function return_gateways_array($disabled = false) { $gateway['friendlyiface'] = $gateway['interface']; $gateway['interface'] = get_real_interface($gateway['interface']); - /* Some interface like wan might be default but have no info recorded + /* FIXME: Should this be enabled. + * Some interface like wan might be default but have no info recorded * the config. - */ if ($gateway['friendlyiface'] == "wan" && !isset($gateway['defaultgw'])) { if (file_exists("{$g['tmp_path']}/{$gateway['interface']}_defaultgw")) $gateway['defaultgw'] = true; } + */ /* include the gateway index as the attribute */ $gateway['attribute'] = $i; @@ -409,9 +407,11 @@ function return_gateway_groups_array() { $tiers_count = count($tiers); if($tiers_count == 0) { /* Oh dear, we have no members! Engage Plan B */ - $msg = gettext("Gateways status could not be determined, considering all as up/active."); - log_error($msg); - notify_via_growl($msg); + if (!$g['booting']) { + $msg = gettext("Gateways status could not be determined, considering all as up/active."); + log_error($msg); + notify_via_growl($msg); + } $tiers = $backupplan; } /* sort the tiers array by the tier key */ diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc index 254932b..ba8d217 100644 --- a/etc/inc/interfaces.inc +++ b/etc/inc/interfaces.inc 
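Review bot: The `sleep(1);` added before `mwexec_bg("/usr/local/sbin/apinger -c ...")` is a fixed delay standing in for a wait on the process that `killbypid()` just signalled, so on a loaded system the new apinger can still start while the old one holds the pid file or status file, and on an idle one every gateway reload pays a second for nothing. A bounded poll on the pid recorded in `{$g['varrun_path']}/apinger.pid` (return once it is gone, give up after a few iterations) keeps the intent and is deterministic; at minimum the line deserves `/* give the previous apinger time to exit before respawning */` so the sleep is not removed as dead code later. The enclosing function continues outside this hunk.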
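Review bot: `if (!$g['booting'])` in `return_gateway_groups_array()` depends on `$g` being declared `global` in that function, and its header is outside this hunk; if it is not, `$g['booting']` is an undefined index, the condition is always true, and the "could not be determined" notification fires during boot exactly as before. Please confirm the `global $config, $g;` line exists, and consider a comment on the guard, `/* during boot the gateway status is expectedly unknown; do not alarm the admin */`, so the intent of suppressing the log and growl notice is preserved.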
@@ -35,7 +35,7 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - pfSense_BUILDER_BINARIES: /usr/sbin/pppd /sbin/dhclient /bin/sh /usr/bin/grep /usr/bin/xargs /usr/bin/awk /usr/local/sbin/choparp + pfSense_BUILDER_BINARIES: /sbin/dhclient /bin/sh /usr/bin/grep /usr/bin/xargs /usr/bin/awk /usr/local/sbin/choparp pfSense_BUILDER_BINARIES: /sbin/ifconfig /sbin/route /usr/sbin/ngctl /usr/sbin/arp /bin/kill /usr/local/sbin/mpd5 pfSense_MODULE: interfaces @@ -336,6 +336,12 @@ function interface_bridge_configure(&$bridge) { $commontx = false; if (!isset($opts['encaps']['rxcsum'])) $commonrx = false; + if (!isset($opts['encaps']['tso4'])) + $commontso4 = false; + if (!isset($opts['encaps']['tso6'])) + $commontso6 = false; + if (!isset($opts['encaps']['lro'])) + $commonlro = false; if ($smallermtu == 0 && !empty($mtu)) $smallermtu = $mtu; else if (!empty($mtu) && $mtu < $smallermtu) @@ -347,10 +353,16 @@ function interface_bridge_configure(&$bridge) { $smallermtu = 1500; $flags = 0; - if ($commonrx == false) + if ($commonrx === false) $flags |= IFCAP_RXCSUM; - if ($commontx == false) + if ($commontx === false) $flags |= IFCAP_TXCSUM; + if ($commontso4 === false) + $flags |= IFCAP_TSO4; + if ($commontso6 === false) + $flags |= IFCAP_TSO6; + if ($commonlro === false) + $flags |= IFCAP_LRO; /* Add interfaces to bridge */ foreach ($members as $member) { 
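Review bot: `$commontso4`, `$commontso6` and `$commonlro` are only ever assigned `false` inside the member loop; their initial value is not in this hunk, and because the later tests use `=== false`, an uninitialised (null) variable behaves like "all members support it", so the code works by relying on PHP's null semantics rather than on an explicit default. Initialise them next to `$commonrx`/`$commontx` before the loop, `$commontso4 = $commontso6 = $commonlro = true;`, so a static analyser does not flag them and the switch to `===` reads as intentional. The same pattern is introduced in `interface_lagg_configure` in the next hunk, where `$commonrx` and `$commontx` are likewise never initialised in the visible lines. Both functions extend beyond the hunk.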
@@ -543,7 +555,18 @@ function interface_lagg_configure(&$lagg) { /* Calculate smaller mtu and enforce it */ $smallermtu = 0; foreach ($members as $member) { - $mtu = get_interface_mtu($member); + $opts = pfSense_get_interface_addresses($member); + $mtu = $opts['mtu']; + if (!isset($opts['encaps']['txcsum'])) + $commontx = false; + if (!isset($opts['encaps']['rxcsum'])) + $commonrx = false; + if (!isset($opts['encaps']['tso4'])) + $commontso4 = false; + if (!isset($opts['encaps']['tso6'])) + $commontso6 = false; + if (!isset($opts['encaps']['lro'])) + $commonlro = false; if ($smallermtu == 0 && !empty($mtu)) $smallermtu = $mtu; else if (!empty($mtu) && $mtu < $smallermtu) @@ -554,11 +577,24 @@ function interface_lagg_configure(&$lagg) { if ($smallermtu == 0) $smallermtu = 1500; + $flags = 0; + if ($commonrx === false) + $flags |= IFCAP_RXCSUM; + if ($commontx === false) + $flags |= IFCAP_TXCSUM; + if ($commontso4 === false) + $flags |= IFCAP_TSO4; + if ($commontso6 === false) + $flags |= IFCAP_TSO6; + if ($commonlro === false) + $flags |= IFCAP_LRO; + foreach ($members as $member) { if (!array_key_exists($member, $checklist)) continue; /* make sure the parent interface is up */ pfSense_interface_mtu($member, $smallermtu); + pfSense_interface_capabilities($member, -$flags); interfaces_bring_up($member); mwexec("/sbin/ifconfig {$laggif} laggport {$member}"); } 
@@ -573,19 +609,18 @@ function interface_lagg_configure(&$lagg) { function interfaces_gre_configure() { global $config; - $i = 0; if (is_array($config['gres']['gre']) && count($config['gres']['gre'])) { - foreach ($config['gres']['gre'] as $gre) { + foreach ($config['gres']['gre'] as $i => $gre) { if(empty($gre['greif'])) $gre['greif'] = "gre{$i}"; /* XXX: Maybe we should report any errors?! */ interface_gre_configure($gre); - $i++; } } } -function interface_gre_configure(&$gre) { +/* NOTE: $grekey is not used but useful for passing this function to array_walk. */ +function interface_gre_configure(&$gre, $grekey = "") { global $config, $g; if (!is_array($gre)) @@ -628,19 +663,19 @@ function interface_gre_configure(&$gre) { function interfaces_gif_configure() { global $config; - $i = 0; + if (is_array($config['gifs']['gif']) && count($config['gifs']['gif'])) { - foreach ($config['gifs']['gif'] as $gif) { + foreach ($config['gifs']['gif'] as $i => $gif) { if(empty($gif['gifif'])) $gre['gifif'] = "gif{$i}"; /* XXX: Maybe we should report any errors?! */ interface_gif_configure($gif); - $i++; } } } -function interface_gif_configure(&$gif) { +/* NOTE: $gifkey is not used but useful for passing this function to array_walk. */ +function interface_gif_configure(&$gif, $gifkey = "") { global $config, $g; if (!is_array($gif)) @@ -783,9 +818,6 @@ function interfaces_configure() { /* reload captive portal */ captiveportal_init_rules(); - - /* set the reload filter dity flag */ - filter_configure(); } return 0; @@ -1467,7 +1499,7 @@ function interfaces_carp_setup() { } else $cmdchain->add(gettext("Enable CARP preemption"), "/sbin/sysctl net.inet.carp.preempt=1", true); - $cmdchain->add(gettext("Enable CARP logging"), "/sbin/sysctl net.inet.carp.log=2", true); + $cmdchain->add(gettext("Enable CARP logging"), "/sbin/sysctl net.inet.carp.log=1", true); if (!empty($pfsyncinterface)) $carp_sync_int = get_real_interface($pfsyncinterface); 
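Review bot: In `interfaces_gif_configure` the default device name is written to the wrong variable: `if(empty($gif['gifif'])) $gre['gifif'] = "gif{$i}";` leaves `$gif['gifif']` empty, so an entry without an explicit name is passed to `interface_gif_configure()` unnamed; the commit rewrites the surrounding loop but keeps the line as context. Change it to `$gif['gifif'] = "gif{$i}";`. Since `$i` is now the array key rather than a counter, a list with holes (after deletions) would yield non-contiguous `gre`/`gif` unit numbers, which is presumably fine but worth a one-line comment on the `foreach`.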
@@ -1686,7 +1718,6 @@ function interface_carp_configure(&$vip) { // set the vip interface to the vhid $vipif = "vip{$vip['vhid']}"; - $interface = interface_translate_type_to_real($vip['interface']); /* * ensure the interface containing the VIP really exists * prevents a panic if the interface is missing or invalid @@ -1718,7 +1749,7 @@ function interface_carp_configure(&$vip) { get_interface_arr(true); $broadcast_address = gen_subnet_max($vip['subnet'], $vip['subnet_bits']); - mwexec("/sbin/ifconfig {$vipif} {$vip['subnet']}/{$vip['subnet_bits']} vhid {$vip['vhid']} advskew {$vip['advskew']} {$password}"); + mwexec("/sbin/ifconfig {$vipif} {$vip['subnet']}/{$vip['subnet_bits']} vhid {$vip['vhid']} advskew {$vip['advskew']} advbase {$vip['advbase']} {$password}"); interfaces_bring_up($vipif); @@ -1736,12 +1767,11 @@ function interface_carpdev_configure(&$vip) { if($vip['password'] != "") $password = " pass \"" . $vip_password . "\""; - log_error(sprintf(gettext('Found carpdev interface %1$s on top of interface %2$s'), $vip['interface'], $interface)); if (empty($vip['interface'])) return; $vipif = "vip" . $vip['vhid']; - $realif = interface_translate_type_to_real($vip['interface']); + $realif = get_real_interface($vip['interface']); interfaces_bring_up($realif); /* * ensure the interface containing the VIP really exists @@ -1760,7 +1790,7 @@ function interface_carpdev_configure(&$vip) { pfSense_ngctl_name("{$carpdevif}:", $vipif); } - mwexec("/sbin/ifconfig {$vipif} carpdev {$realif} vhid {$vip['vhid']} advskew {$vip['advskew']} {$password}"); + mwexec("/sbin/ifconfig {$vipif} carpdev {$realif} vhid {$vip['vhid']} advskew {$vip['advskew']} advbase {$vip['advbase']} {$password}"); interfaces_bring_up($vipif); /* 
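Review bot: Both `ifconfig` commands now interpolate `advbase {$vip['advbase']}` unconditionally; a VIP entry written before this field existed has no `advbase`, which produces `advbase ` immediately followed by the password token and makes ifconfig reject the whole command, leaving the CARP address unconfigured after an upgrade. Guard it, for example `$advbase = !empty($vip['advbase']) ? " advbase " . escapeshellarg($vip['advbase']) : "";` and interpolate `{$advbase}`; the same applies to the `interface_carpdev_configure` hunk below. The values come from config.xml rather than a request, but `escapeshellarg()` on `vhid`/`advskew`/`advbase` matches the style this file already uses for `ifconfig` arguments. Both functions extend outside the hunks.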
@@ -1860,6 +1890,7 @@ function interface_wireless_clone($realif, $wlcfg) { pfSense_interface_rename($newif, $realif); // FIXME: not sure what ngctl is for. Doesn't work. // mwexec("/usr/sbin/ngctl name {$newif}: {$realif}", false); + file_put_contents("{$g['tmp_path']}/{$realif}_oldmac", get_interface_mac($realif)); } return true; } @@ -2220,7 +2251,26 @@ EOD; fwrite($fd_set, "{$wpa_supplicant} -B -i {$if} -c {$g['varetc_path']}/wpa_supplicant_{$if}.conf\n"); } if ($wlcfg['mode'] == "hostap") { + /* add line to script to restore old mac to make hostapd happy */ + if (file_exists("{$g['tmp_path']}/{$if}_oldmac")) { + $if_oldmac = file_get_contents("{$g['tmp_path']}/{$if}_oldmac"); + if (is_macaddr($if_oldmac)) + fwrite($fd_set, "{$ifconfig} " . escapeshellarg($if) . + " link " . escapeshellarg($if_oldmac) . "\n"); + } + fwrite($fd_set, "{$hostapd} -B {$g['varetc_path']}/hostapd_{$if}.conf\n"); + + /* add line to script to restore spoofed mac after running hostapd */ + if (file_exists("{$g['tmp_path']}/{$if}_oldmac")) { + if ($wl['spoofmac']) + $if_curmac = $wl['spoofmac']; + else + $if_curmac = get_interface_mac($if); + if (is_macaddr($if_curmac)) + fwrite($fd_set, "{$ifconfig} " . escapeshellarg($if) . + " link " . escapeshellarg($if_curmac) . "\n"); + } } } @@ -2347,6 +2397,7 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven $wancfg = $config['interfaces'][$interface]; $realif = get_real_interface($interface); + $realhwif = interface_translate_type_to_real($interface); if (!$g['booting']) { /* remove all IPv4 addresses */ @@ -2370,7 +2421,7 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven interface_wireless_configure($realif, $wancfg, $wancfg['wireless']); if ($wancfg['spoofmac']) { - mwexec("/sbin/ifconfig " . escapeshellarg($realif) . + mwexec("/sbin/ifconfig " . escapeshellarg($realhwif) . " link " . escapeshellarg($wancfg['spoofmac'])); /* 
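Review bot: The hostap branch reads `$wl['spoofmac']`, while the wireless configuration argument is named `$wlcfg` in `interface_wireless_clone($realif, $wlcfg)` just above; unless `$wl` is assigned from it somewhere outside the hunk, `$wl['spoofmac']` is always empty and the restored address silently comes from `get_interface_mac($if)` instead, undoing the admin's spoofed MAC after hostapd starts. Please confirm which variable holds the wireless config in this function. Passing both values through `is_macaddr()` before `escapeshellarg()` is the right order; a comment that the `{$if}_oldmac` file is written once by `interface_wireless_clone()` and never removed would help the next reader. The function continues outside the hunk.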
@@ -2379,20 +2430,20 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven */ if (is_array($config['vlans']['vlan'])) { foreach ($config['vlans']['vlan'] as $vlan) { - if ($vlan['if'] == $realif) + if ($vlan['if'] == $realhwif) mwexec("/sbin/ifconfig " . escapeshellarg($vlan['vlanif']) . " link " . escapeshellarg($wancfg['spoofmac'])); } } } else { - $mac = get_interface_mac(get_real_interface($wancfg['if'])); - if($mac == "ff:ff:ff:ff:ff:ff") { + $mac = get_interface_mac($realhwif); + if ($mac == "ff:ff:ff:ff:ff:ff") { /* this is not a valid mac address. generate a * temporary mac address so the machine can get online. */ echo gettext("Generating new MAC address."); $random_mac = generate_random_mac_address(); - mwexec("/sbin/ifconfig " . escapeshellarg(get_real_interface($wancfg['if'])) . + mwexec("/sbin/ifconfig " . escapeshellarg($realhwif) . " link " . escapeshellarg($random_mac)); $wancfg['spoofmac'] = $random_mac; write_config(); @@ -2402,7 +2453,7 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven /* media */ if ($wancfg['media'] || $wancfg['mediaopt']) { - $cmd = "/sbin/ifconfig " . escapeshellarg(get_real_interface($wancfg['if'])); + $cmd = "/sbin/ifconfig " . escapeshellarg($realhwif); if ($wancfg['media']) $cmd .= " media " . escapeshellarg($wancfg['media']); if ($wancfg['mediaopt']) @@ -2410,9 +2461,9 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven mwexec($cmd); } if (!empty($wancfg['mtu'])) - pfSense_interface_mtu($realif, $wancfg['mtu']); + pfSense_interface_mtu($realhwif, $wancfg['mtu']); - $options = pfSense_get_interface_addresses($realif); + $options = pfSense_get_interface_addresses($realhwif); if (is_array($options) && isset($options['caps']['polling'])) { if (isset($config['system']['polling'])) pfSense_interface_capabilities($realif, IFCAP_POLLING); 
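Review bot: In the `@@ -2410` hunk the capability bitmap is now read from the hardware interface (`$options = pfSense_get_interface_addresses($realhwif);`), but the polling branch directly below still calls `pfSense_interface_capabilities($realif, IFCAP_POLLING);`, whereas the `-$flags` call in the next hunk was switched to `$realhwif`; for a PPP-type interface the two names differ, so polling is toggled on a different device than the one whose capabilities were inspected. Change it to `pfSense_interface_capabilities($realhwif, IFCAP_POLLING);`. Separately, the random-MAC path in `@@ -2379` calls `write_config()` from inside `interface_configure()`; a short comment stating that persisting the generated address here is intentional would stop someone "fixing" it. The function extends past the hunk.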
@@ -2421,7 +2472,7 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven } /* skip vlans for checksumming and polling */ - if (!stristr($realif, "vlan") && is_array($options)) { + if (!stristr($realhwif, "vlan") && is_array($options)) { $flags = 0; if(isset($config['system']['disablechecksumoffloading'])) { if (isset($options['encaps']['txcsum'])) @@ -2459,7 +2510,7 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven if (!isset($config['system']['polling']) || !isset($options['caps']['polling'])) { $flags |= IFCAP_POLLING; } - pfSense_interface_capabilities($realif, -$flags); + pfSense_interface_capabilities($realhwif, -$flags); } /* invalidate interface/ip/sn cache */ @@ -2505,17 +2556,17 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven interfaces_bring_up($wancfg['if']); if (!$g['booting']) { - interface_reload_carps($realif); + link_interface_to_vips($interface, "update"); unset($gre); $gre = link_interface_to_gre($interface); if (!empty($gre)) - interface_gre_configure($gre); + array_walk($gre, 'interface_gre_configure'); unset($gif); $gif = link_interface_to_gif($interface); if (!empty($gif)) - interface_gif_configure($gif); + array_walk($gif, 'interface_gif_configure'); if ($linkupevent == false) { unset($bridgetmp); @@ -2524,11 +2575,9 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven interface_bridge_add_member($bridgetmp, $realif); } - link_interface_to_vips($interface, "update"); - $grouptmp = link_interface_to_group($interface); if (!empty($grouptmp)) - interface_group_add_member($realif, $grouptmp); + array_walk($grouptmp, 'interface_group_add_member'); if ($interface == "lan") /* make new hosts file */ 
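Review bot: `array_walk($grouptmp, 'interface_group_add_member');` only works because `link_interface_to_group()` now returns `group name => interface` and `array_walk` passes `(value, key)`, which lands on `interface_group_add_member($interface, $groupname)` in the right order; nothing at the call site says so. A comment such as `/* $grouptmp is groupname => interface; array_walk passes (interface, groupname) */` would make the coupling visible, and the same remark applies to the `array_walk($gre, ...)`/`array_walk($gif, ...)` calls in the previous hunk, whose callbacks accept the key as an unused second parameter for exactly this reason. The function continues outside the hunk.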
@@ -2546,16 +2595,10 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven services_dnsmasq_configure(); /* update dyndns */ - services_dyndns_configure($interface); - - /* force DNS update */ - services_dnsupdate_process($interface); + send_event("service reload dyndns {$interface}"); /* reload captive portal */ captiveportal_init_rules(); - - /* set the reload filter dity flag */ - filter_configure(); } } @@ -2670,6 +2713,7 @@ function interface_group_setup(&$groupname /* The parameter is an array */) { } function interface_group_add_member($interface, $groupname) { + $interface = get_real_interface($interface); mwexec("/sbin/ifconfig {$interface} group {$groupname}", true); } @@ -2698,7 +2742,7 @@ function convert_real_interface_to_friendly_interface_name($interface = "wan") { $index = intval(substr($interface, 3)); foreach ($config['virtualip']['vip'] as $counter => $vip) { if ($vip['mode'] == "carpdev-dhcp" || $vip['mode'] == "carp") { - if ($index == $counter) + if ($index == $vip['vhid']) return $vip['interface']; } } @@ -2727,22 +2771,22 @@ function convert_friendly_interface_to_friendly_descr($interface) { global $config; switch ($interface) { - case "l2tp": - $ifdesc = "L2TP"; - break; - case "pptp": - $ifdesc = "PPTP"; - break; - case "pppoe": - $ifdesc = "PPPoE"; - break; - case "openvpn": - $ifdesc = "OpenVPN"; - break; - case "enc0": - case "ipsec": - $ifdesc = "IPsec"; - break; + case "l2tp": + $ifdesc = "L2TP"; + break; + case "pptp": + $ifdesc = "PPTP"; + break; + case "pppoe": + $ifdesc = "PPPoE"; + break; + case "openvpn": + $ifdesc = "OpenVPN"; + break; + case "enc0": + case "ipsec": + $ifdesc = "IPsec"; + break; default: if (isset($config['interfaces'][$interface])) { if (empty($config['interfaces'][$interface]['descr'])) 
@@ -2750,13 +2794,23 @@ function convert_friendly_interface_to_friendly_descr($interface) { else $ifdesc = strtoupper($config['interfaces'][$interface]['descr']); break; + } else if (substr($interface, 0, 3) == "vip") { + if (is_array($config['virtualip']['vip'])) { + foreach ($config['virtualip']['vip'] as $counter => $vip) { + if ($vip['mode'] == "carpdev-dhcp" || $vip['mode'] == "carp") { + if ($interface == "vip{$vip['vhid']}") + return "{$vip['subnet']} - {$vip['descr']}"; + } + } + } + } else { + /* if list */ + $ifdescrs = get_configured_interface_with_descr(false, true); + foreach ($ifdescrs as $if => $ifname) { + if ($if == $interface || $ifname == $interface) + return $ifname; + } } - /* if list */ - $ifdescrs = get_configured_interface_with_descr(false, true); - foreach ($ifdescrs as $if => $ifname) { - if ($if == $interface || $ifname == $interface) - return $ifname; - } break; } @@ -2783,10 +2837,31 @@ function convert_real_interface_to_friendly_descr($interface) { function interface_translate_type_to_real($interface) { global $config; - if ($config['interfaces'][$interface]['if'] <> "") - return $config['interfaces'][$interface]['if']; - else + if (empty($config['interfaces'][$interface])) return $interface; + $tmpif = $config['interfaces'][$interface]; + switch ($tmpif['type']) { + case "ppp": + case "pppoe": + case "pptp": + case "l2tp": + if (is_array($config['ppps']['ppp'])) { + foreach ($config['ppps']['ppp'] as $pppidx => $ppp) { + if ($tmpif['if'] == $ppp['if']) { + $interface = $ppp['ports']; + break; + } + } + } + break; + case "dhcp": + case "static": + default: + $interface = $tmpif['if']; + break; + } + + return $interface; } function interface_is_wireless_clone($wlif) { 
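Review bot: When `$tmpif['type']` is `ppp`/`pppoe`/`pptp`/`l2tp` and no entry in `$config['ppps']['ppp']` matches `$tmpif['if']`, `interface_translate_type_to_real()` now returns the friendly name it was given (`$interface` is never reassigned on that path), whereas the old code returned `$tmpif['if']` whenever it was non-empty; callers such as the new `$realhwif` in `interface_configure()` would then run `ifconfig` against a name like `wan`. Set `$interface = $tmpif['if'];` before the `switch` so the ppp branch only overrides it on a match, and drop the unused `$pppidx`. `$ppp['ports']` may carry several ports for a multilink setup (inferred from the plural name); if so, the first one should be selected rather than the whole string.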
@@ -3042,14 +3117,17 @@ function link_interface_to_vlans($int, $action = "") { function link_interface_to_vips($int, $action = "") { global $config; - if (is_array($config['virtualip']['vip'])) - foreach ($config['virtualip']['vip'] as $vip) - if ($int == $vip['interface']) { - if ($action == "update") + if (is_array($config['virtualip']['vip'])) { + foreach ($config['virtualip']['vip'] as $vip) { + if ($int == $vip['interface']) { + if ($action == "update") { + interface_vip_bring_down($vip); interfaces_vips_configure($int); - else - return $vip; + } else + return $vip; } + } + } } /****f* interfaces/link_interface_to_bridge @@ -3074,30 +3152,44 @@ function link_interface_to_bridge($int) { function link_interface_to_group($int) { global $config; + $result = array(); + if (is_array($config['ifgroups']['ifgroupentry'])) { foreach ($config['ifgroups']['ifgroupentry'] as $group) { - if (in_array($int, explode(" ", $groupname['members']))) - return "{$group['ifname']}"; + if (in_array($int, explode(" ", $group['members']))) + $result[$group['ifname']] = $int; } } + + return $result; } function link_interface_to_gre($interface) { global $config; - if (is_array($config['gres']['gre'])) + $result = array(); + + if (is_array($config['gres']['gre'])) { foreach ($config['gres']['gre'] as $gre) if($gre['if'] == $interface) - return $gre; + $result[] = $gre; + } + + return $result; } function link_interface_to_gif($interface) { global $config; - if (is_array($config['gifs']['gif'])) + $result = array(); + + if (is_array($config['gifs']['gif'])) { foreach ($config['gifs']['gif'] as $gif) if($gif['if'] == $interface) - return $gif; + $result[] = $gif; + } + + return $result; } /* 
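Review bot: In `link_interface_to_vips()` the `"update"` action now calls `interface_vip_bring_down($vip);` and then `interfaces_vips_configure($int);` inside the per-VIP loop, so with N VIPs on an interface every VIP is torn down and all of them are reconfigured N times. Move `interfaces_vips_configure($int)` after the loop, guarded by a flag set when a match was found, to keep the down-then-up order while doing the work once. In `link_interface_to_group()` the fixed `in_array($int, explode(" ", $group['members']))` should pass `true` as the third argument to avoid loose comparison. The vips function continues outside the hunk.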
@@ -3271,7 +3363,7 @@ function is_altq_capable($int) { */ $capable = array("age", "ale", "an", "ath", "aue", "awi", "bce", "bfe", "bge", "dc", "de", "ed", "em", "ep", "fxp", "gem", - "hme", "igb", "ipw", "iwi", "jme", "le", "msk", "mxge", "my", "nfe", + "hme", "igb", "ipw", "iwi", "jme", "le", "lem", "msk", "mxge", "my", "nfe", "npe", "nve", "ral", "re", "rl", "rum", "run", "bwn", "sf", "sis", "sk", "ste", "stge", "txp", "udav", "ural", "vge", "vr", "wi", "xl", "ndis", "tun", "ovpns", "ovpnc", "vlan", "pppoe", "pptp", "ng", @@ -3450,4 +3542,15 @@ EOD; unlink_if_exists($cron_file); } +function get_vip_descr($ipaddress) { + global $config; + + foreach ($config['virtualip']['vip'] as $vip) { + if ($vip['subnet'] == $ipaddress) { + return ($vip['descr']); + } + } + return ""; +} + ?> diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc index 12f106a..6637c72 100644 --- a/etc/inc/ipsec.inc +++ b/etc/inc/ipsec.inc @@ -123,12 +123,18 @@ function ipsec_ikeid_next() { */ function ipsec_get_phase1_src(& $ph1ent) { - if ($ph1ent['interface']) - $if = $ph1ent['interface']; - else + if ($ph1ent['interface']) { + if (!is_ipaddr($ph1ent['interface'])) { + $if = $ph1ent['interface']; + $interfaceip = get_interface_ip($if); + } else { + $interfaceip=$ph1ent['interface']; + } + } + else { $if = "wan"; - - $interfaceip = get_interface_ip($if); + $interfaceip = get_interface_ip($if); + } return $interfaceip; } diff --git a/etc/inc/openvpn.auth-user.php b/etc/inc/openvpn.auth-user.php index 460d681..9ca76cf 100755 --- a/etc/inc/openvpn.auth-user.php +++ b/etc/inc/openvpn.auth-user.php @@ -41,6 +41,7 @@ * in our config.xml file and check the credentials. */ +require_once("globals.inc"); require_once("config.inc"); require_once("radius.inc"); require_once("auth.inc"); 
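Review bot: `get_vip_descr()` iterates `$config['virtualip']['vip']` without the `is_array()` guard every other VIP walker in this file uses, so a system with no VIPs raises a PHP warning on each call; add `if (!is_array($config['virtualip']['vip'])) return "";` before the loop. `return ($vip['descr']);` works but the parentheses are noise. A one-line docblock would help too: `/* Return the description of the VIP whose subnet equals $ipaddress, or "" when none matches */`.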
@@ -95,6 +96,11 @@ if (!$username || !$password) { /* Replaced by a sed with propper variables used below(ldap parameters). */ //<template> +if (file_exists("{$g['varetc_path']}/openvpn/{$modeid}.ca")) { + putenv("LDAPTLS_CACERT={$g['varetc_path']}/openvpn/{$modeid}.ca"); + putenv("LDAPTLS_REQCERT=never"); +} + $authenticated = false; if (($strictusercn === true) && ($common_name != $username)) { @@ -121,4 +127,4 @@ syslog(LOG_WARNING, "user {$username} authenticated\n"); exit(0); -?>
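Review bot: `putenv("LDAPTLS_REQCERT=never")` disables server-certificate verification for the LDAP client, so the CA just configured through `LDAPTLS_CACERT` is never consulted and the username and password this script forwards can be read by anyone able to answer on the LDAP server's address. When a CA file is present the setting should be `putenv("LDAPTLS_REQCERT=demand");` (the OpenLDAP default), with `never` reserved for an explicit, admin-chosen opt-out. `$modeid` and `$g` come from the sed template substitution and the new `require_once("globals.inc")`, which is worth a comment because the script looks undefined when read on its own.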
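Review bot: The template substitution builds PHP source by pushing `$sed` through a shell `sed 's/\/\/<template>/{$sed}/g'`; the hunk appends `$modeid = "{$mode_id}";` to it, and the preceding lines embed `$authcfg` names, so a `/`, `'` or `&` in an authentication-server name breaks the sed expression or escapes the single-quoted shell argument and corrupts the generated auth script. Generating the file in PHP, `file_put_contents($path, str_replace('//<template>', $sed, file_get_contents('/etc/inc/openvpn.auth-user.php')));` with the embedded values produced by `var_export()`, removes the shell from the path entirely. The change from `isset($settings['strictusercn'])` to a truthiness test is fine if the config stores the flag as a non-empty string; worth confirming. The function extends outside the hunk.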
\ No newline at end of file +?> diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc index 5e607a8..5dc0233 100644 --- a/etc/inc/openvpn.inc +++ b/etc/inc/openvpn.inc @@ -393,8 +393,9 @@ function openvpn_reconfigure($mode,& $settings) { $sed .= "\"{$authcfg}\""; } $sed .= ");\\\n"; - if (isset($settings['strictusercn'])) + if ($settings['strictusercn']) $sed .= "\$strictusercn = true;"; + $sed .= " \$modeid = \"{$mode_id}\";"; mwexec("/bin/cat /etc/inc/openvpn.auth-user.php | /usr/bin/sed 's/\/\/<template>/{$sed}/g' > {$g['varetc_path']}/openvpn/{$mode_id}.php"); mwexec("/bin/chmod a+x {$g['varetc_path']}/openvpn/{$mode_id}.php"); $conf .= "auth-user-pass-verify {$g['varetc_path']}/openvpn/{$mode_id}.php via-env\n"; @@ -445,19 +446,19 @@ function openvpn_reconfigure($mode,& $settings) { break; } - // The port we'll listen at - // If local_port is used, bind the management port - if ($settings['local_port']) { + // If there is no bind option at all (ip and/or port), add "nobind" directive + // Otherwise, use the local port if defined, failing that, use lport 0 to + // ensure a random source port. + if ((empty($iface_ip)) && (!$settings['local_port'])) + $conf .= "nobind\n"; + elseif ($settings['local_port']) $conf .= "lport {$settings['local_port']}\n"; - } + else + $conf .= "lport 0\n"; + // Use unix socket to overcome the problem on any type of server $conf .= "management {$g['varetc_path']}/openvpn/{$mode_id}.sock unix\n"; - // If there is no bind option at all (ip and/or port), add "nobind" directive - if ((empty($iface_ip)) && (!$settings['local_port'])) { - $conf .= "nobind\n"; - } - // The remote server $conf .= "remote {$settings['server_addr']} {$settings['server_port']}\n"; 
@@ -576,7 +577,9 @@ function openvpn_restart($mode, & $settings) { /* start the new process */ $fpath = $g['varetc_path']."/openvpn/{$mode_id}.conf"; mwexec_bg("nohup openvpn --config {$fpath}"); - send_event("filter reload"); + + if (!$g['booting']) + send_event("filter reload"); } function openvpn_delete($mode, & $settings) { diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index 96a9d25..c5890d1 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc @@ -320,9 +320,8 @@ function setup_microcode() { ******/ function get_carp_status() { /* grab the current status of carp */ - $status = `/sbin/sysctl net.inet.carp.allow | cut -d" " -f2`; - if(intval($status) == "0") return false; - return true; + $status = `/sbin/sysctl -n net.inet.carp.allow`; + return (intval($status) > 0); } /* @@ -339,11 +338,8 @@ function convert_ip_to_network_format($ip, $subnet) { * get_carp_interface_status($carpinterface): returns the status of a carp ip */ function get_carp_interface_status($carpinterface) { - /* basically cache the contents of ifconfig statement - to speed up this routine */ - global $carp_query; - if($carp_query == "") - $carp_query = split("\n", `/sbin/ifconfig $carpinterface | grep carp`); + $carp_query = ""; + exec("/sbin/ifconfig $carpinterface | /usr/bin/grep -v grep | /usr/bin/grep carp:", $carp_query); foreach($carp_query as $int) { if(stristr($int, "MASTER")) return gettext("MASTER"); 
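Review bot: The rewritten `exec("/sbin/ifconfig $carpinterface | /usr/bin/grep -v grep | /usr/bin/grep carp:", $carp_query);` still interpolates `$carpinterface` into a shell pipeline unescaped; callers pass `vipN` names today, but the function is reachable from status pages and `escapeshellarg($carpinterface)` costs nothing. `/usr/bin/grep -v grep` filters nothing from ifconfig output and can be dropped. Note also that the per-request cache (`global $carp_query`) is gone, so a page that calls this for every VIP now forks ifconfig once per VIP; if that was deliberate, a comment saying the cache was stale across reconfigurations would explain it.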
@@ -377,17 +373,11 @@ function add_rule_to_anchor($anchor, $rule, $label) { * remove $text from file $file */ function remove_text_from_file($file, $text) { - global $fd_log; - if($fd_log) - fwrite($fd_log, sprintf(gettext("Adding needed text items:%s"), "\n")); + if(!file_exists($file) && !is_writable($file)) + return; $filecontents = file_get_contents($file); - $textTMP = str_replace($text, "", $filecontents); - $text = $textTMP; - if($fd_log) - fwrite($fd_log, $text); - $fd = fopen($file, "w"); - fwrite($fd, $text); - fclose($fd); + $text = str_replace($text, "", $filecontents); + @file_put_contents($file, $text); } /* @@ -397,8 +387,6 @@ function remove_text_from_file($file, $text) { function add_text_to_file($file, $text, $replace = false) { if(file_exists($file) and is_writable($file)) { $filecontents = file($file); - $fout = fopen($file, "w"); - $filecontents = array_map('rtrim', $filecontents); array_push($filecontents, $text); if ($replace) @@ -406,12 +394,10 @@ function add_text_to_file($file, $text, $replace = false) { $file_text = implode("\n", $filecontents); - fwrite($fout, $file_text); - fclose($fout); + @file_put_contents($file, $file_text); return true; - } else { - return false; } + return false; } /* @@ -560,6 +546,7 @@ function restore_config_section($section, $new_contents) { if(file_exists("{$g['tmp_path']}/config.cache")) unlink("{$g['tmp_path']}/config.cache"); write_config(sprintf(gettext("Restored %s of config file (maybe from CARP partner)"), $section)); + disable_security_checks(); conf_mount_ro(); return; } @@ -581,6 +568,7 @@ function merge_config_section($section, $new_contents) { $config[$section] = $section_xml; unlink($fname); write_config(sprintf(gettext("Restored %s of config file (maybe from CARP partner)"), $section)); + disable_security_checks(); conf_mount_ro(); return; } 
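Review bot: The new guard `if(!file_exists($file) && !is_writable($file)) return;` only returns when both tests fail; an existing read-only file passes it and then reaches `@file_put_contents($file, $text);`, whose failure is suppressed, so the caller never learns the text was not removed. Use `if(!file_exists($file) || !is_writable($file)) return;` to mirror `add_text_to_file`, and drop the `@` so the failure is at least logged. `disable_security_checks()` is now invoked after a config section is restored from a CARP partner in both `restore_config_section` and `merge_config_section`; a comment on which check is disabled and why a synced config warrants it would help whoever audits the sync path later.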
@@ -724,7 +712,7 @@ function call_pfsense_method($method, $params, $timeout = 0) { $cli->setCredentials($username, $password); } $resp = $cli->send($msg, $timeout); - if(!$resp) { + if(!is_object($resp)) { log_error(sprintf(gettext("XMLRPC communication error: %s"), $cli->errstr)); return false; } elseif($resp->faultCode()) { @@ -740,13 +728,16 @@ function call_pfsense_method($method, $params, $timeout = 0) { */ function check_firmware_version($tocheck = "all", $return_php = true) { global $g, $config; + $ip = gethostbyname($g['product_website']); if($ip == $g['product_website']) return false; + $rawparams = array("firmware" => array("version" => trim(file_get_contents('/etc/version'))), "kernel" => array("version" => trim(file_get_contents('/etc/version_kernel'))), "base" => array("version" => trim(file_get_contents('/etc/version_base'))), - "platform" => trim(file_get_contents('/etc/platform')) + "platform" => trim(file_get_contents('/etc/platform')), + "config_version" => $config['version'] ); if($tocheck == "all") { $params = $rawparams; 
@@ -756,22 +747,38 @@ function check_firmware_version($tocheck = "all", $return_php = true) { $params['platform'] = $rawparams['platform']; } } - if($config['system']['firmware']['branch']) { + if($config['system']['firmware']['branch']) $params['branch'] = $config['system']['firmware']['branch']; - } - if(!$versions = call_pfsense_method('pfsense.get_firmware_version', $params)) { + + /* XXX: What is this method? */ + if(!($versions = call_pfsense_method('pfsense.get_firmware_version', $params))) { return false; } else { $versions["current"] = $params; } + return $versions; } +/* + * host_firmware_version(): Return the versions used in this install + */ +function host_firmware_version($tocheck = "") { + global $g, $config; + + return array( + "firmware" => array("version" => trim(file_get_contents('/etc/version', " \n"))), + "kernel" => array("version" => trim(file_get_contents('/etc/version_kernel', " \n"))), + "base" => array("version" => trim(file_get_contents('/etc/version_base', " \n"))), + "platform" => trim(file_get_contents('/etc/platform', " \n")), + "config_version" => $config['version'] + ); +} + function get_disk_info() { $diskout = ""; exec("/bin/df -h | /usr/bin/grep -w '/' | /usr/bin/awk '{ print $2, $3, $4, $5 }'", $diskout); return explode(' ', $diskout[0]); - // $size, $used, $avail, $cap } /****f* pfsense-utils/strncpy @@ -801,13 +808,6 @@ function strncpy(&$dst, $src, $length) { function reload_interfaces_sync() { global $config, $g; - /* XXX: Use locks?! */ - if (file_exists("{$g['tmp_path']}/reloading_all")) { - log_error(gettext("WARNING: Recursive call to interfaces sync!")); - return; - } - touch("{$g['tmp_path']}/reloading_all"); - if($g['debug']) log_error(gettext("reload_interfaces_sync() is starting.")); 
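Review bot: `trim(file_get_contents('/etc/version', " \n"))` passes the intended trim character list as `file_get_contents()`'s second argument, which is the boolean `$use_include_path` flag, so the list does nothing and `trim()` runs with its defaults; write `trim(file_get_contents('/etc/version'), " \n")` on all four lines, or simply `trim(file_get_contents('/etc/version'))` since the default set already covers space and newline. The `$tocheck` parameter of `host_firmware_version()` is unused. In the `reload_interfaces_sync` hunk the `reloading_all` re-entrancy guard is removed with no visible replacement; if serialisation now happens in the event dispatcher, a one-line comment at the top of the function saying so would stop someone re-adding the file check.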
@@ -824,13 +824,6 @@ function reload_interfaces_sync() { /* set up interfaces */ interfaces_configure(); - - /* remove reloading_all trigger */ - if($g['debug']) - log_error(sprintf(gettext("Removing %s/reloading_all"), $g['tmp_path'])); - - /* start devd back up */ - mwexec("/bin/rm {$g['tmp_path']}/reload*"); } /****f* pfsense-utils/reload_all @@ -842,7 +835,6 @@ function reload_interfaces_sync() { * none ******/ function reload_all() { - global $g; send_event("service reload all"); } @@ -855,8 +847,7 @@ function reload_all() { * none ******/ function reload_interfaces() { - global $g; - touch("{$g['tmp_path']}/reload_interfaces"); + send_event("interface all reload"); } /****f* pfsense-utils/reload_all_sync @@ -872,13 +863,6 @@ function reload_all_sync() { $g['booting'] = false; - /* XXX: Use locks?! */ - if (file_exists("{$g['tmp_path']}/reloading_all")) { - log_error(gettext("WARNING: Recursive call to reload all sync!")); - return; - } - touch("{$g['tmp_path']}/reloading_all"); - /* parse config.xml again */ $config = parse_config(true); @@ -920,8 +904,6 @@ function reload_all_sync() { /* restart webConfigurator if needed */ send_event("service restart webgui"); - - mwexec("/bin/rm {$g['tmp_path']}/reload*"); } function auto_login() { 
@@ -990,21 +972,18 @@ function setup_serial_port() { } /* serial console - write out /boot/loader.conf */ $boot_config = file_get_contents("/boot/loader.conf"); - $boot_config_split = split("\n", $boot_config); - $fd = fopen("/boot/loader.conf","w"); - if($fd) { - foreach($boot_config_split as $bcs) { - if(stristr($bcs, "console")) { - /* DONT WRITE OUT, WE'LL DO IT LATER */ - } else { - if($bcs <> "") - fwrite($fd, "{$bcs}\n"); - } - } - if(isset($config['system']['enableserial'])) { - fwrite($fd, "console=\"comconsole\"\n"); - } - fclose($fd); + $boot_config_split = explode("\n", $boot_config); + if(count($boot_config_split) > 0) { + $new_boot_config = array(); + // Loop through and only add lines that are not empty, and which + // do not contain a console directive. + foreach($boot_config_split as $bcs) + if(!empty($bcs) && (stripos($bcs, "console") === false)) + $new_boot_config[] = $bcs; + + if(isset($config['system']['enableserial'])) + $new_boot_config[] = 'console="comconsole"'; + file_put_contents("/boot/loader.conf", implode("\n", $new_boot_config)); } } $ttys = file_get_contents("/etc/ttys"); @@ -1430,8 +1409,8 @@ function isvm() { } function get_freebsd_version() { - $version = trim(`/usr/bin/uname -r | /usr/bin/cut -d'.' -f1`); - return $version; + $version = php_uname("r"); + return $version[0]; } function download_file_with_progress_bar($url_file, $destination_file, $readbody = 'read_body') { @@ -1454,7 +1433,7 @@ function download_file_with_progress_bar($url_file, $destination_file, $readbody curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_WRITEFUNCTION, $readbody); curl_setopt($ch, CURLOPT_NOPROGRESS, '1'); - curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, '5'); + curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, '60'); curl_setopt($ch, CURLOPT_TIMEOUT, 0); curl_exec($ch); 
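Review bot: `return $version[0];` returns the first character of `php_uname("r")`, which gives `"8"` for `8.1-RELEASE` but `"1"` for any two-digit major such as `10.0-RELEASE`; the previous `uname -r | cut -d'.' -f1` returned the whole major component. Use `return strtok($version, '.');` to keep a string like before, or `return (int) $version;` if callers compare numerically; either way a short comment stating the return type would help, since the rest of the file compares version strings loosely.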
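Review bot: The connect timeout is raised to 60 s on a handle that still sets `curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);` two lines above, so anything fetched over HTTPS with `download_file_with_progress_bar()` is accepted from whoever can present any certificate; since the commit is already tuning this transfer, it is the natural place to either enable peer verification (with `CURLOPT_CAINFO` pointing at the system bundle) or verify the written file against a signature or hash afterwards. If verification must stay off for a reason, a comment above the setopt should record it. The function continues outside the hunk.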
@@ -1506,9 +1485,7 @@ function read_body($ch, $string) { function update_output_window($text) { global $pkg_interface; $log = ereg_replace("\n", "\\n", $text); - if($pkg_interface == "console") { - /* too chatty */ - } else { + if($pkg_interface != "console") { echo "\n<script language=\"JavaScript\">this.document.forms[0].output.value = \"" . $log . "\";</script>"; } /* ensure that contents are written out */ diff --git a/etc/inc/pkg-utils.inc b/etc/inc/pkg-utils.inc index 7dcd28d..e7bcd15 100644 --- a/etc/inc/pkg-utils.inc +++ b/etc/inc/pkg-utils.inc @@ -8,6 +8,7 @@ * $Id$ ****** * + * Copyright (C) 2010 Ermal Luçi * Copyright (C) 2005-2006 Colin Smith (ethethlay@gmail.com) * All rights reserved. * Redistribution and use in source and binary forms, with or without @@ -34,12 +35,12 @@ */ /* - pfSense_BUILDER_BINARIES: /usr/bin/cd /usr/bin/tar /bin/cat /usr/sbin/fifolog_create /bin/chmod - pfSense_BUILDER_BINARIES: /usr/bin/killall /usr/sbin/pkg_info /usr/sbin/pkg_delete /bin/rm /bin/ls - pfSense_BUILDER_BINARIES: /sbin/pfctl + pfSense_BUILDER_BINARIES: /usr/bin/cd /usr/bin/tar /usr/sbin/fifolog_create /bin/chmod + pfSense_BUILDER_BINARIES: /usr/sbin/pkg_add /usr/sbin/pkg_info /usr/sbin/pkg_delete /bin/rm pfSense_MODULE: pkg */ +require_once("globals.inc"); require_once("xmlrpc.inc"); if(file_exists("/cf/conf/use_xmlreader")) require_once("xmlreader.inc"); @@ -47,7 +48,6 @@ else require_once("xmlparse.inc"); require_once("service-utils.inc"); require_once("pfsense-utils.inc"); -require_once("globals.inc"); if(!function_exists("update_status")) { function update_status($status) { 
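Review bot: In update_output_window(), `$log` is still embedded in a JavaScript string literal with only newlines escaped (`ereg_replace("\n", "\\n", $text)`), so a `"`, a backslash or a `</script>` in `$text` breaks out of the literal; the text is `$static_output`, which elsewhere in this diff accumulates pkg_add output, package names from the repository and `after_install_info`. Let the encoder do the escaping: `echo "\n<script language=\"JavaScript\">this.document.forms[0].output.value = " . json_encode($text) . ";</script>";` (json_encode also escapes `/`, which neutralises `</script>`). ereg_replace() is deprecated as of PHP 5.3 and can go with it; the function continues past the hunk.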
@@ -60,21 +60,33 @@ if(!function_exists("update_output_window")) { } } +if (!function_exists("pkg_debug")) { + /* set up logging if needed */ + function pkg_debug($msg) { + global $g, $debug, $fd_log; + + if (!$debug) + return; + + if (!$fd_log) { + if (!$fd_log = fopen("{$g['tmp_path']}/pkg_mgr_{$package}.log", "w")) + update_output_window("Warning, could not open log for writing."); + } + @fwrite($fd_log, $msg); + } +} + $vardb = "/var/db/pkg"; safe_mkdir($vardb); +$g['platform'] = trim(file_get_contents("/etc/platform")); conf_mount_rw(); -$g['platform'] = trim(file_get_contents("/etc/platform")); if(!is_dir("/usr/local/pkg") or !is_dir("/usr/local/pkg/pf")) { safe_mkdir("/usr/local/pkg"); safe_mkdir("/usr/local/pkg/pf"); } conf_mount_ro(); -$version = split("-", trim(file_get_contents("/etc/version"))); -$ver = split("\.", $version[0]); -$g['version'] = intval($ver[1]); - /****f* pkg-utils/remove_package * NAME * remove_package - Removes package from FreeBSD if it exists @@ -86,8 +98,7 @@ $g['version'] = intval($ver[1]); * ******/ function remove_freebsd_package($packagestring) { - $todel = substr(reverse_strrchr($packagestring, "."), 0, -1); - exec("/usr/sbin/pkg_delete -x {$todel}"); + exec("/usr/sbin/pkg_delete -x {$packagestring}"); } /****f* pkg-utils/is_package_installed @@ -118,12 +129,10 @@ function is_package_installed($packagename) { function get_pkg_id($pkg_name) { global $config; - if(is_array($config['installedpackages']['package'])) { - $i = 0; - foreach($config['installedpackages']['package'] as $pkg) { + if (is_array($config['installedpackages']['package'])) { + foreach($config['installedpackages']['package'] as $idx => $pkg) { if($pkg['name'] == $pkg_name) - return $i; - $i++; + return $idx; } } return -1; 
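Review bot: In the new pkg_debug(), `$package` is neither a parameter nor in the `global` list, so the log is always opened as `{$g['tmp_path']}/pkg_mgr_.log` regardless of which package is being processed; the fopen() calls this replaces used install_package()'s own `$package` argument. Either give the helper an optional second argument, `function pkg_debug($msg, $package = "")`, or use a fixed file name and say so. When fopen() fails, `$fd_log` stays false, so every later call retries fopen() and repeats the warning while `@fwrite` silently does nothing. Whether `$debug` is ever set in this file is not visible here — if it is not, the helper never logs at all.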
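Review bot: remove_freebsd_package() now interpolates `$packagestring` straight into `exec("/usr/sbin/pkg_delete -x {$packagestring}")` with no quoting. delete_package() later in this diff feeds it names parsed from `pkg_info -qrx` output and, via its callers, names that originate in package metadata, so treat the value as untrusted: `exec("/usr/sbin/pkg_delete -x " . escapeshellarg($packagestring));`. Since `-x` makes pkg_delete treat the argument as a regular expression, an unanchored name may also match more packages than intended; anchoring it (`^name$`) would be safer if callers always pass a full name.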
@@ -141,12 +150,12 @@ function get_pkg_id($pkg_name) { function get_pkg_info($pkgs = 'all', $info = 'all') { global $g; - $freebsd_version = str_replace("\n", "", `uname -r | cut -d'-' -f1 | cut -d'.' -f1`); - $freebsd_machine = str_replace("\n", "", `uname -m`); + $freebsd_version = php_uname("r"); + $freebsd_machine = php_uname("m"); $params = array( "pkg" => $pkgs, "info" => $info, - "freebsd_version" => $freebsd_version, + "freebsd_version" => $freebsd_version[0], "freebsd_machine" => $freebsd_machine ); $resp = call_pfsense_method('pfsense.get_pkgs', $params, 10); @@ -154,14 +163,22 @@ function get_pkg_info($pkgs = 'all', $info = 'all') { } function get_pkg_sizes($pkgs = 'all') { - global $g; + global $config, $g; - $params = array("pkg" => $pkgs); + $freebsd_version = php_uname("r"); + $freebsd_machine = php_uname("m"); + $params = array( + "pkg" => $pkgs, + "freebsd_version" => $freebsd_version, + "freebsd_machine" => $freebsd_machine + ); $msg = new XML_RPC_Message('pfsense.get_pkg_sizes', array(php_value_to_xmlrpc($params))); $xmlrpc_base_url = isset($config['system']['altpkgrepo']['enable']) ? $config['system']['altpkgrepo']['xmlrpcbaseurl'] : $g['xmlrpcbaseurl']; $cli = new XML_RPC_Client($g['xmlrpcpath'], $xmlrpc_base_url); $resp = $cli->send($msg, 10); - if($resp and !$resp->faultCode()) { + if(!is_object($resp)) + log_error("Could not get response from XMLRPC server!"); + else if (!$resp->faultCode()) { $raw_versions = $resp->value(); return xmlrpc_value_to_php($raw_versions); } 
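Review bot: get_pkg_sizes() sends the full php_uname("r") string (e.g. "8.1-RELEASE") as `freebsd_version`, while get_pkg_info() directly above sends only `$freebsd_version[0]`; the server method presumably expects one format, so one of the two callers is handing it something it will not match. Pick one representation — the major version via `strtok(php_uname("r"), ".")` avoids both the mismatch and the single-digit limit of `[0]` — and use it in both. Adding `$config` to the globals is what makes the `altpkgrepo` isset() here capable of being true at all, so the alternate repository URL (plain XML-RPC, no authentication visible) is now actually used for size lookups.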
@@ -174,35 +191,30 @@ function get_pkg_sizes($pkgs = 'all') { * This function may also print output to the terminal indicating progress. */ function resync_all_package_configs($show_message = false) { - global $config, $restart_sync, $pkg_interface; + global $config, $pkg_interface; - $i = 0; log_error(gettext("Resyncing configuration for all packages.")); - if(!$config['installedpackages']['package']) + if (!is_array($config['installedpackages']['package'])) return; if($show_message == true) echo "Syncing packages:"; - if (is_array($config['installedpackages']['package'])) { - foreach($config['installedpackages']['package'] as $package) { - if (empty($package['name'])) - continue; - if($show_message == true) - echo " " . $package['name']; - get_pkg_depends($package['name'], "all"); - stop_service($package['name']); - sync_package($i, true, true); - if($restart_sync == true) { - $restart_sync = false; - if($pkg_interface == "console") - echo "\n" . gettext("Syncing packages:"); - } - $i++; - } + conf_mount_rw(); + foreach($config['installedpackages']['package'] as $idx => $package) { + if (empty($package['name'])) + continue; + if($show_message == true) + echo " " . $package['name']; + get_pkg_depends($package['name'], "all"); + stop_service($package['name']); + sync_package($idx, true, true); + if($pkg_interface == "console") + echo "\n" . gettext("Syncing packages:"); } if($show_message == true) echo " done.\n"; @unlink("/conf/needs_package_sync"); + conf_mount_ro(); } /* @@ -226,7 +238,6 @@ function is_freebsd_pkg_installed($pkg) { */ function get_pkg_depends($pkg_name, $filetype = ".xml", $format = "files", $return_nosync = 1) { global $config; - require_once("notices.inc"); $pkg_id = get_pkg_id($pkg_name); if($pkg_id == -1) 
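Review bot: In resync_all_package_configs(), the `echo "\n" . gettext("Syncing packages:")` is gated only by `$pkg_interface == "console"`, so the header is printed after every package even when the caller passed `$show_message = false`; the removed `$restart_sync` check was what limited it to a restart. Gate it like the other output: `if ($show_message && $pkg_interface == "console")`. Separately, get_pkg_depends() can uninstall and reinstall a package while this loop iterates a copy of the package list; if the reinstall stores the entry under a new key, the `$idx` passed to sync_package() is stale, and re-resolving it with `get_pkg_id($package['name'])` after get_pkg_depends() would avoid that.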
@@ -238,8 +249,10 @@ function get_pkg_depends($pkg_name, $filetype = ".xml", $format = "files", $retu if(!file_exists("/usr/local/pkg/" . $package['configurationfile'])) { log_error(sprintf(gettext('The %1$s package is missing required dependencies and must be reinstalled. %2$s'), $package['name'], $package['configurationfile'])); uninstall_package($package['name']); - if (install_package($package['name']) < 0) + if (install_package($package['name']) < 0) { + log_error("Failed reinstalling package {$package['name']}."); return false; + } } $pkg_xml = parse_xml_config_pkg("/usr/local/pkg/" . $package['configurationfile'], "packagegui"); if (!empty($pkg_xml['additional_files_needed'])) { @@ -305,7 +318,6 @@ function uninstall_package($pkg_name) { } function force_remove_package($pkg_name) { - global $config; delete_package_xml($pkg_name); } @@ -313,8 +325,7 @@ function force_remove_package($pkg_name) { * sync_package($pkg_name, $sync_depends = true, $show_message = false) Force a package to setup its configuration and rc.d files. */ function sync_package($pkg_name, $sync_depends = true, $show_message = false) { - global $config; - require_once("notices.inc"); + global $config, $config_parsed; if(empty($config['installedpackages']['package'])) return; @@ -337,7 +348,8 @@ function sync_package($pkg_name, $sync_depends = true, $show_message = false) { return -1; } $pkg_config = parse_xml_config_pkg("/usr/local/pkg/" . $package['configurationfile'], "packagegui"); - + if(isset($pkg_config['nosync'])) + return; /* Bring in package include files */ if (!empty($pkg_config['include_file'])) { $include_file = $pkg_config['include_file']; 
@@ -354,11 +366,6 @@ function sync_package($pkg_name, $sync_depends = true, $show_message = false) { } } - /* XXX: Zend complains about the next line "Wrong break depth" - * The code is obviously wrong, but I'm not sure what it's supposed to do? - */ - if(isset($pkg_config['nosync'])) - continue; if(!empty($pkg_config['custom_php_global_functions'])) eval($pkg_config['custom_php_global_functions']); if(!empty($pkg_config['custom_php_resync_config_command'])) @@ -368,18 +375,30 @@ function sync_package($pkg_name, $sync_depends = true, $show_message = false) { if(is_array($depends)) { foreach($depends as $item) { if(!file_exists($item)) { + require_once("notices.inc"); file_notice($package['name'], sprintf(gettext("The %s package is missing required dependencies and must be reinstalled."), $package['name']), "Packages", "/pkg_mgr_install.php?mode=reinstallpkg&pkg={$package['name']}", 1); log_error("Could not find {$item}. Reinstalling package."); uninstall_package($pkg_name); - install_package($pkg_name); + if (install_package($pkg_name) < 0) { + log_error("Reinstalling package {$package['name']} failed. Take appropriate measures!!!"); + return -1; + } } else { $item_config = parse_xml_config_pkg($item, "packagegui"); if (empty($item_config)) continue; if(isset($item_config['nosync'])) continue; - if($item_config['custom_php_command_before_form'] <> "") - eval($item_config['custom_php_command_before_form']); + if (!empty($item_config['include_file'])) { + if (file_exists($item_config['include_file'])) + require_once($item_config['include_file']); + else { + log_error("Not calling package sync code for dependency {$item_config['name']} of {$package['name']} because some include files are missing."); + continue; + } + } + if($item_config['custom_php_global_functions'] <> "") + eval($item_config['custom_php_global_functions']); if($item_config['custom_php_resync_config_command'] <> "") eval($item_config['custom_php_resync_config_command']); if($show_message == true) 
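Review bot: The dependency branch now does `require_once($item_config['include_file'])` and `eval()`s both `custom_php_global_functions` and `custom_php_resync_config_command` from each dependency's XML, extending the existing pattern of executing PHP supplied by package metadata. Those XML files are fetched by download_file_with_progress_bar(), which in this diff runs with CURLOPT_SSL_VERIFYPEER disabled and, as far as the diff shows, no hash or signature check, so whoever controls the repository host or the network path controls what this eval() runs. That trust assumption deserves at least a comment here, e.g. `/* package XML is trusted: its PHP is executed verbatim */`, and ideally verification of the downloaded XML against the catalogue before execution. Note also that `include_file` is required as given (an absolute path from the XML) while delete_package_xml() later in this diff unlinks it under /usr/local/pkg/, so one of the two conventions is wrong; sync_package() begins before this hunk.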
@@ -393,11 +412,9 @@ function sync_package($pkg_name, $sync_depends = true, $show_message = false) { /* * pkg_fetch_recursive: Download and install a FreeBSD package and its dependencies. This function provides output to * a progress bar and output window. - * - * XXX: This function needs to return where a pkg_add fails. Our current error messages aren't very descriptive. */ -function pkg_fetch_recursive($pkgname, $filename, $dependlevel = 0, $base_url = '') { - global $pkgent, $static_output, $g, $fd_log; +function pkg_fetch_recursive($pkgname, $filename, $dependlevel = 0, $base_url = "") { + global $static_output, $g; $osname = php_uname("s"); $arch = php_uname("m"); @@ -406,14 +423,14 @@ function pkg_fetch_recursive($pkgname, $filename, $dependlevel = 0, $base_url = $priv_url = "http://ftp2.{$osname}.org/pub/{$osname}/ports/{$arch}/packages-{$rel}/Latest"; if (empty($base_url)) $base_url = $priv_url; - $pkg_extension = ".tgz"; - if (substr($filename, -4) != ".tbz") - $filename .= $pkg_extension; + if (substr($base_url, -1) == "/") + $base_url = substr($base_url, 0, -1); $static_output .= "\n" . str_repeat(" ", $dependlevel * 2) . $pkgname . " "; $fetchto = "{$g['tmp_path']}/apkg_{$filename}"; + $static_output .= "\n" . str_repeat(" ", $dependlevel * 2 + 1) . "Trying to download {$base_url}/{$filename} ... "; if (download_file_with_progress_bar("{$base_url}/{$filename}", $fetchto) !== true) { if ($base_url != $priv_url && download_file_with_progress_bar("{$priv_url}/{$filename}", $fetchto) !== true) { - $static_output .= " could not download.\n"; + $static_output .= " could not download from there or {$priv_url}/{$filename}.\n"; update_output_window($static_output); return false; } else if ($base_url == $priv_url) { 
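Review bot: `$fetchto = "{$g['tmp_path']}/apkg_{$filename}"` takes `$filename` as received — for dependencies it is built from `@pkgdep` lines read out of the just-downloaded tarball, and for the top-level call from `depends_on_package` in the package XML — and that path is later interpolated unquoted into the `tar` and `pkg_add` exec() calls. A name containing `/`, `..` or shell metacharacters therefore escapes the temp directory or the command line. Normalise on entry, `$filename = basename($filename);`, and quote `$fetchto` with escapeshellarg() at the exec sites. The fallback to `$priv_url` also means a failure against a configured repository silently retries against the public FreeBSD mirror over plain http, which changes the trust source and is worth logging explicitly.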
@@ -429,47 +446,40 @@ function pkg_fetch_recursive($pkgname, $filename, $dependlevel = 0, $base_url = update_output_window($static_output); $slaveout = ""; exec("/usr/bin/tar --fast-read -O -f {$fetchto} -x +CONTENTS 2>&1", $slaveout); - $workingdir = preg_grep("/instmp/", $slaveout); - $workingdir = $workingdir[0]; $raw_depends_list = array_values(preg_grep("/\@pkgdep/", $slaveout)); - if($raw_depends_list != "") { - if($pkgent['exclude_dependency'] != "") - $raw_depends_list = array_values(preg_grep($pkgent['exclude_dependency'], PREG_GREP_INVERT)); + if ($raw_depends_list != "") { + $pkg_extension = ".tbz"; foreach($raw_depends_list as $adepend) { - $working_depend = explode(" ", $adepend); + $working_depend = explode(" ", trim($adepend, "\n")); if (substr($working_depend[1], -4) != ".tbz") $depend_filename = $working_depend[1] . $pkg_extension; else $depend_filename = $working_depend[1]; - if(is_freebsd_pkg_installed($working_depend[1]) === false) { - pkg_fetch_recursive($working_depend[1], $depend_filename, $dependlevel + 1, $base_url); + if (!is_freebsd_pkg_installed($working_depend[1])) { + if (pkg_fetch_recursive($working_depend[1], $depend_filename, $dependlevel + 1, $base_url) == false) + return false; } else { //$dependlevel++; - $static_output .= "\n" . str_repeat(" ", $dependlevel * 2) . $working_depend[1] . " "; - @fwrite($fd_log, $working_depend[1] . "\n"); + $static_output .= "\n" . str_repeat(" ", $dependlevel * 2) . $working_depend[1] . " already installed."; + pkg_debug($working_depend[1] . "\n"); } } } $pkgaddout = ""; exec("/usr/sbin/pkg_add -fv {$fetchto} 2>&1", $pkgaddout); - @fwrite($fd_log, $pkgname . " " . print_r($pkgaddout, true) . "\n"); + pkg_debug($pkgname . " " . print_r($pkgaddout, true) . 
"\npkg_add successfully completed.\n"); return true; } function install_package($package, $pkg_info = "") { - global $g, $config, $pkg_interface, $fd_log, $static_output, $pkg_interface, $restart_sync; + global $g, $config, $static_output, $pkg_interface; /* safe side. Write config below will send to ro again. */ conf_mount_rw(); if($pkg_interface == "console") echo "\n"; - /* open logfiles and begin installation */ - if (!$fd_log) { - if (!$fd_log = fopen("{$g['tmp_path']}/pkg_mgr_{$package}.log", "w")) - update_output_window(gettext("Warning, could not open log for writing.")); - } /* fetch package information if needed */ if(empty($pkg_info) or !is_array($pkg_info[$package])) { $pkg_info = get_pkg_info(array($package)); 
@@ -479,19 +489,19 @@ function install_package($package, $pkg_info = "") { return -1; } } - @fwrite($fd_log, gettext("Beginning package installation.\n")); - log_error(gettext('Beginning package installation for') . ' ' . $pkg_info['name'] . '.'); - update_status(gettext("Beginning package installation for") . " " . $pkg_info['name'] . "..."); + pkg_debug(gettext("Beginning package installation.") . "\n"); + log_error(sprintf(gettext('Beginning package installation for %s .'), $pkg_info['name'])); + $static_output .= sprintf(gettext("Beginning package installation for %s ."), $pkg_info['name']); update_status($static_output); /* fetch the package's configuration file */ if($pkg_info['config_file'] != "") { - $static_output .= gettext("Downloading package configuration file...") . " "; + $static_output .= "\n" . gettext(Downloading package configuration file... "); update_output_window($static_output); - @fwrite($fd_log, gettext("Downloading package configuration file...\n")); + pkg_debug(gettext("Downloading package configuration file...") . "\n"); $fetchto = substr(strrchr($pkg_info['config_file'], '/'), 1); download_file_with_progress_bar($pkg_info['config_file'], '/usr/local/pkg/' . $fetchto); if(!file_exists('/usr/local/pkg/' . $fetchto)) { - @fwrite($fd_log, gettext("ERROR! Unable to fetch package configuration file. Aborting installation.") . "\n"); + pkg_debug(gettext("ERROR! Unable to fetch package configuration file. Aborting installation.") . \n"); if($pkg_interface == "console") print "\n" . gettext("ERROR! Unable to fetch package configuration file. Aborting package installation.") . "\n"; else { @@ -540,8 +550,6 @@ function install_package($package, $pkg_info = "") { update_output_window($static_output); if($pkg_info['after_install_info']) update_output_window($pkg_info['after_install_info']); - start_service($pkg_info['name']); - $restart_sync = true; } } 
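Review bot: As rendered, two of the new lines in install_package() are missing an opening double quote and would not parse: `gettext(Downloading package configuration file... ")` and `pkg_debug(gettext("ERROR! ...") . \n");`. If that is only an artefact of how this page was extracted, ignore this; otherwise they need to read `gettext("Downloading package configuration file... ")` and `. "\n");`. While here, `sprintf(gettext('Beginning package installation for %s .'), ...)` carries a stray space before the period in both the log and the status string. install_package() begins before the hunk.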
@@ -568,7 +576,7 @@ function eval_once($toeval) { } function install_package_xml($pkg) { - global $g, $config, $fd_log, $static_output, $pkg_interface; + global $g, $config, $static_output, $pkg_interface, $config_parsed; if(($pkgid = get_pkg_id($pkg)) == -1) { $static_output .= sprintf(gettext("The %s package is not installed.%sInstallation aborted."), $pkg, "\n\n"); @@ -582,13 +590,6 @@ function install_package_xml($pkg) { } else $pkg_info = $config['installedpackages']['package'][$pkgid]; - /* set up logging if needed */ - if(!$fd_log) { - if(!$fd_log = fopen("{$g['tmp_path']}/pkg_mgr_{$pkg}.log", "w")) { - update_output_window(gettext("Warning, could not open log for writing.")); - } - } - /* pkg_add the package and its dependencies */ if($pkg_info['depends_on_package_base_url'] != "") { if($pkg_interface == "console") 
@@ -600,38 +601,26 @@ function install_package_xml($pkg) { update_output_window($static_output); foreach((array) $pkg_info['depends_on_package'] as $pkgdep) { $pkg_name = substr(reverse_strrchr($pkgdep, "."), 0, -1); - $static_output = $static_orig . "done.\nChecking for successful package installation... "; + $static_output = $static_orig . "\nChecking for package installation... "; update_output_window($static_output); - $pkg_installed = true; - if (!isset($pkg_info['skip_install_checks'])) - $pkg_installed = is_freebsd_pkg_installed($pkg_name); - - if($pkg_installed == false) - pkg_fetch_recursive($pkg_name, $pkgdep, 0, $pkg_info['depends_on_package_base_url']); - /* make sure our package was successfully installed */ - if($pkg_installed == false) - $pkg_installed = is_freebsd_pkg_installed($pkg_name); - if($pkg_installed == true) { - $static_output .= gettext("done.") . "\n"; - update_output_window($static_output); - fwrite($fd_log, gettext("pkg_add successfully completed.\n")); - } else { - $static_output .= "of {$pkg_name} failed!\n\nInstallation aborted."; - update_output_window($static_output); - fwrite($fd_log, gettext("Package WAS NOT installed properly.\n")); - fclose($fd_log); - if($pkg_interface <> "console") { - echo "\n<script language=\"JavaScript\">document.progressbar.style.visibility='hidden';</script>"; - echo "\n<script language=\"JavaScript\">document.progholder.style.visibility='hidden';</script>"; + if (!is_freebsd_pkg_installed($pkg_name)) { + if (!pkg_fetch_recursive($pkg_name, $pkgdep, 0, $pkg_info['depends_on_package_base_url'])) { + $static_output .= "of {$pkg_name} failed!\n\nInstallation aborted."; + update_output_window($static_output); + pkg_debug(gettext("Package WAS NOT installed properly.") . 
"\n"); + if($pkg_interface <> "console") { + echo "\n<script language=\"JavaScript\">document.progressbar.style.visibility='hidden';</script>"; + echo "\n<script language=\"JavaScript\">document.progholder.style.visibility='hidden';</script>"; + } + sleep(1); + return false; } - sleep(1); - return false; } } } $configfile = substr(strrchr($pkg_info['config_file'], '/'), 1); if(file_exists("/usr/local/pkg/" . $configfile)) { - $static_output .= gettext("Loading package configuration... "); + $static_output .= "\n" . gettext("Loading package configuration... "); update_output_window($static_output); $pkg_config = parse_xml_config_pkg("/usr/local/pkg/" . $configfile, "packagegui"); $static_output .= gettext("done.") . "\n"; @@ -679,13 +668,13 @@ function install_package_xml($pkg) { return false; } if(stristr($filename, ".tgz") <> "") { - fwrite($fd_log, gettext("Extracting tarball to -C for") . " " . $filename . "...\n"); + pkg_debug(gettext("Extracting tarball to -C for ") . $filename . "...\n"); $tarout = ""; exec("/usr/bin/tar xvzf " . $prefix . $filename . " -C / 2>&1", $tarout); - fwrite($fd_log, print_r($tarout, true) . "\n"); + pkg_debug(print_r($tarout, true) . "\n"); } if($pkg_chmod <> "") { - fwrite($fd_log, sprintf(gettext('Changing file mode to %1$s for %2$s%3$s%4$s'), $pkg_chmod, $prefix, $filename, "\n")); + pkg_debug(sprintf(gettext('Changing file mode to %1$s for %2$s%3$s%4$s'), $pkg_chmod, $prefix, $filename, "\n")); @chmod($prefix . $filename, $pkg_chmod); system("/bin/chmod {$pkg_chmod} {$prefix}{$filename}"); } @@ -703,7 +692,7 @@ function install_package_xml($pkg) { if($pkg_config['include_file'] <> "") { $static_output = gettext("Loading package instructions...") . "\n"; update_output_window($static_output); - fwrite($fd_log, "require_once('{$pkg_config['include_file']}')\n"); + pkg_debug("require_once('{$pkg_config['include_file']}')\n"); if (file_exists($pkg_config['include_file'])) require_once($pkg_config['include_file']); else { 
@@ -785,8 +774,7 @@ function install_package_xml($pkg) { } else { $static_output .= gettext("Loading package configuration... failed!") . "\n\n" . gettext("Installation aborted."); update_output_window($static_output); - fwrite($fd_log, gettext("Unable to load package configuration. Installation aborted.\n")); - fclose($fd_log); + pkg_debug(gettext("Unable to load package configuration. Installation aborted.") ."\n"); if($pkg_interface <> "console") { echo "\n<script language=\"JavaScript\">document.progressbar.style.visibility='hidden';</script>"; echo "\n<script language=\"JavaScript\">document.progholder.style.visibility='hidden';</script>"; @@ -799,9 +787,8 @@ function install_package_xml($pkg) { if($pkg_info['logging']) { mwexec("/usr/sbin/fifolog_create -s 32768 {$g['varlog_path']}/{$pkg_info['logging']['logfilename']}"); @chmod($g['varlog_path'] . '/' . $pkg_info['logging']['logfilename'], 0600); - @fwrite($fd_log, "Adding text to file /etc/syslog.conf\n"); - if(is_process_running("syslogd")) - mwexec("killall syslogd"); + add_text_to_file("/etc/syslog.conf", $pkg_info['logging']['facilityname'] . "\t\t\t\t" . $pkg_info['logging']['logfilename']); + pkg_debug("Adding text to file /etc/syslog.conf\n"); system_syslogd_start(); } 
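Review bot: In install_package_xml(), the new `add_text_to_file("/etc/syslog.conf", ...)` writes the package facility line into /etc/syslog.conf, but system_syslogd_start() — called on the next line and modified in this same diff — generates the package facility entries itself from `$config['installedpackages']['package'][*]['logging']` into `{$g['varetc_path']}/syslog.conf` and starts syslogd with `-f` pointing there. Unless `$g['varetc_path']` is /etc (not visible here), the line appended here is never read and only accumulates across reinstalls; the matching remove_text_from_file() in delete_package_xml() has the same target. If system_syslogd_start() already covers this, the add_text_to_file() call can go; if not, the two paths should agree on one file.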
@@ -819,24 +806,25 @@ function delete_package($pkg) { update_output_window($static_output); return; } else { - $static_output .= "\t" . sprintf(gettext("Starting package deletion for %s..."), $pkg); + if($pkg) + $static_output .= "\t" . sprintf(gettext("Starting package deletion for %s..."), $pkg); update_output_window($static_output); } $info = ""; exec("/usr/sbin/pkg_info -qrx {$pkg}", $info); remove_freebsd_package($pkg); + $static_output .= "done.\n"; + update_output_window($static_output); foreach($info as $line) { - $depend = trim(str_replace("@pkgdep", "", $line)); + $depend = trim(str_replace("@pkgdep", "", $line), " \n"); delete_package($depend); } - $static_output .= "done.\n"; - update_output_window($static_output); return; } function delete_package_xml($pkg) { - global $g, $config, $fd_log, $static_output, $pkg_interface; + global $g, $config, $static_output, $pkg_interface; conf_mount_rw(); 
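Review bot: In delete_package(), the new `if($pkg)` only suppresses the status message when `$pkg` is empty; the `pkg_info -qrx {$pkg}` and pkg_delete calls that follow still run with no argument, and the function then recurses on whatever `pkg_info` printed. Make it an early exit instead: `if (empty($pkg)) return;` before the exec(). Because `-x` is a regular-expression match, an unanchored name can also match more installed packages than the one intended, and the recursion over `@pkgdep` lines removes every dependency without checking whether another installed package still needs it — both pre-existing, but worth a comment now that the loop was reordered. delete_package() begins before the hunk.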
@@ -853,21 +841,16 @@ function delete_package_xml($pkg) { conf_mount_ro(); return; } - /* set up logging if needed */ - if(!$fd_log) { - if(!$fd_log = fopen("{$g['tmp_path']}/pkg_mgr_{$pkg}.log", "w")) { - update_output_window(gettext("Warning, could not open log for writing.")); - } - } - fwrite($fd_log, sprintf(gettext("Removing %s package... "), $pkg)); - $static_output .= sprintf(gettext("Removing %s components..."), $pkg) . "\n"; + pkg_debug(sprintf(gettext("Removing %s package... "),$pkg)); + $static_output .= sprintf(gettext("Removing %s components..."),$pkg) . "\n"; update_output_window($static_output); /* parse package configuration */ $packages = &$config['installedpackages']['package']; $tabs =& $config['installedpackages']['tab']; $menus =& $config['installedpackages']['menu']; $services = &$config['installedpackages']['service']; - if(file_exists("/usr/local/pkg/" . $packages[$pkgid]['configurationfile'])) { + $pkg_info =& $packages[$pkgid]; + if(file_exists("/usr/local/pkg/" . $pkg_info['configurationfile'])) { $pkg_config = parse_xml_config_pkg("/usr/local/pkg/" . $packages[$pkgid]['configurationfile'], "packagegui"); /* remove tab items */ if(is_array($pkg_config['tabs'])) { @@ -935,7 +918,7 @@ function delete_package_xml($pkg) { if($pkg_config['include_file'] <> "") { $static_output .= gettext("Loading package instructions...") . "\n"; update_output_window($static_output); - fwrite($fd_log, "require_once(\"{$pkg_config['include_file']}\")\n"); + pkg_debug("require_once(\"{$pkg_config['include_file']}\")\n"); if (file_exists($pkg_config['include_file'])) require_once($pkg_config['include_file']); else { 
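Review bot: The new `$pkg_info =& $packages[$pkgid];` alias in delete_package_xml() is used in the file_exists() test, but the very next line still reads `$packages[$pkgid]['configurationfile']`; use `$pkg_info['configurationfile']` in both so the alias earns its keep. `configurationfile` is concatenated onto /usr/local/pkg/ without basename() here and in sync_package(); it comes from config.xml rather than the network, but a basename() would make the path handling consistent with how `config_file` is treated in install_package(). delete_package_xml() begins before the hunk.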
@@ -965,14 +948,6 @@ function delete_package_xml($pkg) { $static_output .= gettext("done.") . "\n"; update_output_window($static_output); } - /* syslog */ - if(is_array($pkg_config['logging']) && $pkg_config['logging']['logfile_name'] <> "") { - $static_output .= "\t" . gettext("Syslog entries... "); - update_output_window($static_output); - remove_text_from_file("/etc/syslog.conf", $pkg_config['logging']['facilityname'] . "\t\t\t\t" . $pkg_config['logging']['logfilename']); - $static_output .= gettext("done.") . "\n"; - update_output_window($static_output); - } /* deinstall commands */ if($pkg_config['custom_php_deinstall_command'] <> "") { $static_output .= "\t" . gettext("Deinstall commands... "); @@ -987,7 +962,7 @@ function delete_package_xml($pkg) { if($pkg_config['include_file'] <> "") { $static_output .= "\t" . gettext("Removing package instructions..."); update_output_window($static_output); - fwrite($fd_log, sprintf(gettext("Remove '%s'"), $pkg_config['include_file']) . "\n"); + pkg_debug(sprintf(gettext("Remove '%s'"), $pkg_config['include_file']) . "\n"); unlink_if_exists("/usr/local/pkg/" . $pkg_config['include_file']); $static_output .= "done.\n"; update_output_window($static_output); 
@@ -1016,29 +991,24 @@ function delete_package_xml($pkg) { $static_output .= gettext("done.") . "\n"; update_output_window($static_output); } - /* remove config.xml entries */ + /* syslog */ + if(is_array($pkg_info['logging']) && $pkg_info['logging']['logfile_name'] <> "") { + $static_output .= "\tSyslog entries... "; + update_output_window($static_output); + remove_text_from_file("/etc/syslog.conf", $pkg_info['logging']['facilityname'] . "\t\t\t\t" . $pkg_info['logging']['logfilename']); + system_syslogd_start(); + @unlink("{$g['varlog_path']}/{$pkg_info['logging']['logfilename']}"); + $static_output .= "done.\n"; + update_output_window($static_output); + } conf_mount_ro(); + /* remove config.xml entries */ $static_output .= "\t" . gettext("Configuration... "); update_output_window($static_output); unset($config['installedpackages']['package'][$pkgid]); $static_output .= gettext("done.") . "\n"; update_output_window($static_output); - write_config(sprintf(gettext("Removed %s package.") . "\n", $pkg)); - /* file cleanup */ - $ctag = file("/etc/crontab"); - foreach($ctag as $line) - if(trim($line) != "") - $towrite[] = $line; - - $tmptab = fopen("{$g['tmp_path']}/crontab", "w"); - foreach($towrite as $line) - fwrite($tmptab, $line); - fclose($tmptab); - - // Go RW again since the write_config above will put it back to RO - conf_mount_rw(); - rename("{$g['tmp_path']}/crontab", "/etc/crontab"); - conf_mount_ro(); + write_config("Removed {$pkg} package.\n"); } function expand_to_bytes($size) { @@ -1090,7 +1060,8 @@ function get_package_install_size($pkg = 'all', $pkg_info = "") { if(!$pkg_info) $pkg_info = get_pkg_sizes($pkg); foreach($pkg as $apkg) { - if(!$pkg_info[$apkg]) continue; + if(!$pkg_info[$apkg]) + continue; $toreturn[$apkg] = expand_to_bytes(walk_depend(array($pkg_info[$apkg]), $pkgdb)); } return $toreturn; diff --git a/etc/inc/shaper.inc b/etc/inc/shaper.inc index 11f89c9..d63367d 100644 --- a/etc/inc/shaper.inc +++ b/etc/inc/shaper.inc 
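Review bot: The relocated syslog cleanup in delete_package_xml() tests `$pkg_info['logging']['logfile_name']`, but every other use in this diff — the removal line right below it, install_package_xml() and system_syslogd_start() — reads `logfilename`, so unless a package sets both keys the block is dead and the facility line and log file survive deletion. Use the same key: `if (is_array($pkg_info['logging']) && $pkg_info['logging']['logfilename'] <> "") {`. The removed block carried the same mismatch, so this is the moment to fix it rather than move it. Separately, `write_config("Removed {$pkg} package.\n")` lost its gettext() and embeds a trailing newline in the config-history message; `write_config(sprintf(gettext("Removed %s package."), $pkg))` matches the surrounding calls.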
@@ -4001,6 +4001,4 @@ $dn_default_shaper_msg .= gettext("The tree on the left helps you navigate throu $dn_default_shaper_msg .= " </p></strong></span>"; $dn_default_shaper_msg .= "</td></tr>"; - - ?> diff --git a/etc/inc/system.inc b/etc/inc/system.inc index 604d481..e560a19 100644 --- a/etc/inc/system.inc +++ b/etc/inc/system.inc @@ -33,7 +33,7 @@ pfSense_BUILDER_BINARIES: /usr/sbin/powerd /usr/bin/killall /sbin/sysctl /sbin/route pfSense_BUILDER_BINARIES: /bin/hostname /bin/ls /usr/bin/netstat /usr/sbin/syslogd pfSense_BUILDER_BINARIES: /usr/sbin/pccardd /usr/local/sbin/lighttpd /bin/chmod /bin/mkdir - pfSense_BUILDER_BINARIES: /usr/bin/tar /bin/sync /usr/local/sbin/ntpd /usr/sbin/ntpdate + pfSense_BUILDER_BINARIES: /usr/bin/tar /usr/local/sbin/ntpd /usr/sbin/ntpdate pfSense_BUILDER_BINARIES: /usr/bin/nohup /sbin/dmesg /usr/local/sbin/atareinit /sbin/kldload pfSense_MODULE: utils */ @@ -52,10 +52,9 @@ function activate_powerd() { function get_default_sysctl_value($id) { global $sysctls; - foreach($sysctls as $sysctl => $value) { - if($sysctl == $id) - return $value; - } + + if (isset($sysctls[$id])) + return $sysctls[$id]; } function activate_sysctls() { @@ -307,11 +306,6 @@ function system_routing_configure($interface = "") { echo "system_routing_configure() being called $mt\n"; } - /* Enable fast routing, if enabled */ - /* XXX: More checks need to be done for subsystems that are not compatibel with fast routing. */ - if(isset($config['staticroutes']['enablefastrouting']) && !isset($config['ipsec']['enable'])) - mwexec("/sbin/sysctl net.inet.ip.fastforwarding=1"); - $gatewayip = ""; $interfacegw = ""; $foundgw = false; 
@@ -455,11 +449,9 @@ function system_syslogd_start() { if($config['installedpackages']['package']) { foreach($config['installedpackages']['package'] as $package) { if($package['logging']) { - $pkgfacilities[] = $package['logging']['facilityname']; - $separatelogfacilities = $separatelogfacilities + $pkgfacilities; - $facilitylist = implode(',', $pkgfacilities); + array_push($separatelogfacilities, $package['logging']['facilityname']); mwexec("{$log_create_directive} 10240 {$g['varlog_path']}/{$package['logging']['logfilename']}"); - $syslogconf .= "!{$facilitylist}\n*.*\t\t\t\t\t\t {$log_directive}{$g['varlog_path']}/{$package['logging']['logfilename']}\n"; + $syslogconf .= "!{$package['logging']['facilityname']}\n*.*\t\t\t\t\t\t {$log_directive}{$g['varlog_path']}/{$package['logging']['logfilename']}\n"; } } } @@ -524,7 +516,7 @@ news.err;local0.none;local3.none;local4.none; {$log_directive}{$g['varlog_path local7.none {$log_directive}{$g['varlog_path']}/system.log security.* {$log_directive}{$g['varlog_path']}/system.log auth.info;authpriv.info;daemon.info {$log_directive}{$g['varlog_path']}/system.log -auth.info;authpriv.info |exec /usr/local/sbin/sshlockout_pf +auth.info;authpriv.info |exec /usr/local/sbin/sshlockout_pf 15 *.emerg * EOD; @@ -623,12 +615,12 @@ EOD; fclose($fd); // Are we logging to a least one remote server ? if(strpos($syslogconf, "@") != false) - $retval = system("/usr/sbin/syslogd -c -f {$g['varetc_path']}/syslog.conf"); + $retval = system("/usr/sbin/syslogd -c c -l /var/dhcpd/var/run/log -f {$g['varetc_path']}/syslog.conf"); else - $retval = system("/usr/sbin/syslogd -c -f {$g['varetc_path']}/syslog.conf"); + $retval = system("/usr/sbin/syslogd -c -c -l /var/dhcpd/var/run/log -f {$g['varetc_path']}/syslog.conf"); } else { - $retval = mwexec("/usr/sbin/syslogd -c"); + $retval = mwexec("/usr/sbin/syslogd -c -c -l /var/dhcpd/var/run/log"); } if ($g['booting']) 
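Review bot: The `15` appended to the `sshlockout_pf` pipe line is a bare number inside a heredoc with nothing saying what it controls; a reader cannot tell whether it is a failed-attempt threshold, a time window or something else without opening sshlockout_pf. Either document it in the PHP code just above the heredoc (outside this hunk), e.g. `// sshlockout_pf argument: <meaning here>`, or hold it in a named variable so the value is explained once. system_syslogd_start() begins before the hunk.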
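Review bot: The remote-logging branch of system_syslogd_start() now runs `syslogd -c c -l ...` while the other two branches use `-c -c`; syslogd(8) takes no positional arguments, so the stray `c` should make it exit with a usage error and leave the box without a syslog daemon exactly when remote logging is configured. Correct it to `-c -c`, and since the two `strpos($syslogconf, "@")` branches are then identical, collapse them to one line. `-l /var/dhcpd/var/run/log` is hard-coded in all three invocations; a `$g` path entry or a comment on why the dhcpd chroot socket is always created would help the next reader.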
@@ -1334,7 +1326,7 @@ function system_set_harddisk_standby() { // Check for a numeric value if (is_numeric($standby)) { // Sync the disk(s) - mwexec('/bin/sync'); + pfSense_sync(); if (!mwexec('/sbin/sysctl hw.ata.standby=' . ((int)$standby))) { // Reinitialize ATA-drives mwexec('/usr/local/sbin/atareinit'); diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc index 65bcbaa..bca0ec7 100644 --- a/etc/inc/upgrade_config.inc +++ b/etc/inc/upgrade_config.inc @@ -704,18 +704,14 @@ function upgrade_040_to_041() { $config['sysctl']['item'][18]['tunable'] = "net.inet.tcp.tso"; $config['sysctl']['item'][18]['descr'] = gettext("TCP Offload engine"); $config['sysctl']['item'][18]['value'] = "default"; - - $config['sysctl']['item'][19]['tunable'] = "hw.bce.tso_enable"; - $config['sysctl']['item'][19]['descr'] = gettext("TCP Offload engine - BCE"); - $config['sysctl']['item'][19]['value'] = "default"; - $config['sysctl']['item'][20]['tunable'] = "net.inet.ip.portrange.first"; - $config['sysctl']['item'][20]['descr'] = gettext("Set the ephemeral port range starting port"); - $config['sysctl']['item'][20]['value'] = "default"; + $config['sysctl']['item'][19]['tunable'] = "net.inet.ip.portrange.first"; + $config['sysctl']['item'][19]['descr'] = "Set the ephemeral port range starting port"; + $config['sysctl']['item'][19]['value'] = "default"; - $config['sysctl']['item'][21]['tunable'] = "hw.syscons.kbd_reboot "; - $config['sysctl']['item'][21]['descr'] = gettext("Enables ctrl+alt+delete"); - $config['sysctl']['item'][21]['value'] = "default"; + $config['sysctl']['item'][20]['tunable'] = "hw.syscons.kbd_reboot "; + $config['sysctl']['item'][20]['descr'] = "Enables ctrl+alt+delete"; + $config['sysctl']['item'][20]['value'] = "default"; } } 
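Review bot: The renumbered items in upgrade_040_to_041() re-emit the tunable as `"hw.syscons.kbd_reboot "` with a trailing space (present on both sides of the diff), which lands in config.xml and, depending on how activate_sysctls() builds the sysctl command, may produce a name sysctl does not recognise; trim it while the line is being rewritten: `"hw.syscons.kbd_reboot"`. The two rewritten `descr` strings also dropped the gettext() that item 18 just above still uses, so those descriptions are no longer translatable. The function begins before the hunk.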
@@ -1082,7 +1078,7 @@ function upgrade_047_to_048() {
 if (!empty($config['dyndns'])) {
 $config['dyndnses'] = array();
 $config['dyndnses']['dyndns'] = array();
- if(isset($config['dyndns'][0]['enable'])) {
+ if(isset($config['dyndns'][0]['host'])) {
 $tempdyn = array();
 $tempdyn['enable'] = isset($config['dyndns'][0]['enable']);
 $tempdyn['type'] = $config['dyndns'][0]['type'];
@@ -1671,10 +1667,11 @@ function upgrade_053_to_054() {
 $monitor = $split[1];
 /* on static upgraded configuration we automatically prepend GW_ */
 $static_name = "GW_" . strtoupper($interface);
- if(is_ipaddr($monitor)) {
- $interface = $static_name;
- $config['interfaces'][$interface]['monitorip'] = $monitor;
- }
+ if(is_ipaddr($monitor))
+ foreach ($a_gateways as & $gw)
+ if ($gw['name'] == $static_name)
+ $gw['monitor'] = $monitor;
+
 /* on failover increment tier. Else always assign 1 */
 if($lbpool['behaviour'] == "failover") {
 $i++;
@@ -1738,6 +1735,8 @@ function upgrade_054_to_055() {
 }
 /* the roundtrip times need to be divided by 1000 to get seconds, really */
 $databases = array();
+ if (!file_exists($rrddbpath))
+ @mkdir($rrddbpath);
 chdir($rrddbpath);
 $databases = glob("*-quality.rrd");
 rsort($databases);
@@ -1885,11 +1884,20 @@ function upgrade_055_to_056() {
 function upgrade_056_to_057() {
 global $config;
+ if (!is_array($config['system']['user']))
+ $config['system']['user'] = array();
 /* migrate captivate portal to user manager */
 if (is_array($config['captiveportal']['user'])) {
 foreach($config['captiveportal']['user'] as $user) {
 // avoid user conflicts
- if ($config['system']['user'][$user['name']])
+ $found = false;
+ foreach ($config['system']['user'] as $userent) {
+ if ($userent['name'] == $user['name']) {
+ $found = true;
+ break;
+ }
+ }
+ if ($found)
 continue;
 $user['scope'] = "user";
 if (isset($user['expirationdate'])) {
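Review bot: `foreach ($a_gateways as & $gw)` in upgrade_053_to_054() leaves `$gw` bound by reference to the last gateway after the loop, and this sits inside an enclosing loop that starts outside the hunk; any later by-value `foreach (... as $gw)` in the function would then overwrite the last gateway entry on each iteration. Add `unset($gw);` immediately after the foreach. The three brace-less nested statements (`if` / `foreach` / `if`) are also fragile to edit; braces on at least the `if(is_ipaddr($monitor))` body would make the scope of the loop explicit.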
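Review bot: In upgrade_054_to_055() the new `@mkdir($rrddbpath)` hides the failure, and the `chdir($rrddbpath)` on the next line is unchecked, so if the directory cannot be created the `glob("*-quality.rrd")` and the renames that follow run in whatever the current working directory happens to be. Check both results and skip the RRD migration when they fail, e.g. `if (!is_dir($rrddbpath) && !mkdir($rrddbpath)) log_error("unable to create {$rrddbpath}");` followed by `if (chdir($rrddbpath)) {` around the glob/rename block. Note that `mkdir` without a mode argument creates the directory with the process umask applied to 0777; if the RRD directory should be tighter, pass the mode explicitly.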
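Review bot: The duplicate-user test in upgrade_056_to_057() uses `$userent['name'] == $user['name']`, and PHP's loose comparison treats numeric-looking strings numerically (`"1e1" == "10"`, `"01" == "1"`), so two distinct user names could be reported as a conflict and the captive portal account silently dropped. `if ($userent['name'] === $user['name']) {` compares the names as strings. The loop itself is a fine replacement for the old keyed lookup, since `$config['system']['user']` is a list rather than a map keyed by name.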
@@ -1900,6 +1908,7 @@ function upgrade_056_to_057() {
 $user['md5-hash'] = $user['password'];
 unset($user['password']);
 }
+ $user['uid'] = $config['system']['nextuid']++;
 $config['system']['user'][] = $user;
 }
 unset($config['captiveportal']['user']);
@@ -2228,10 +2237,10 @@ function upgrade_070_to_071() {
 function rename_field(& $section, $oldname, $newname) {
 if (is_array($section)) {
 foreach($section as & $item) {
- if (!empty($item[$oldname])) {
+ if (!empty($item[$oldname]))
 $item[$newname] = $item[$oldname];
+ if (isset($item[$oldname]))
 unset($item[$oldname]);
- }
 }
 }
 }
diff --git a/etc/inc/util.inc b/etc/inc/util.inc
index 90875a0..a39670b 100644
--- a/etc/inc/util.inc
+++ b/etc/inc/util.inc
@@ -38,7 +38,7 @@
 /* kill a process by pid file */
 function killbypid($pidfile) {
- sigkillbypid($pidfile, "TERM");
+ return sigkillbypid($pidfile, "TERM");
 }
 function isvalidpid($pid) {
@@ -649,10 +649,16 @@ function get_configured_ip_addresses() {
 require_once("interfaces.inc");
 $ip_array = array();
 $interfaces = get_configured_interface_list();
- foreach($interfaces as $int) {
- $ipaddr = get_interface_ip($int);
- $ip_array[$int] = $ipaddr;
+ if(is_array($interfaces)) {
+ foreach($interfaces as $int) {
+ $ipaddr = get_interface_ip($int);
+ $ip_array[$int] = $ipaddr;
+ }
 }
+ $interfaces = get_configured_carp_interface_list();
+ if(is_array($interfaces))
+ foreach($interfaces as $int => $ipaddr)
+ $ip_array[$int] = $ipaddr;
 return $ip_array;
 }
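Review bot: `$user['uid'] = $config['system']['nextuid']++;` assigns a null uid to the first migrated captive portal user and leaves `nextuid` at 1 if `$config['system']['nextuid']` is not set on an old configuration, since post-increment on an unset value yields null; nothing in this hunk initialises it and the function's opening is outside the hunk. Guard it once before the loop, `if (!isset($config['system']['nextuid'])) $config['system']['nextuid'] = <project default first uid>;`, with the same starting value the user manager uses elsewhere. A null or 1 uid for a user record is the kind of value that later authorisation code may not expect, so this is worth pinning down before the upgrade runs on real configs.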
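Review bot: rename_field() now unsets the old key whenever it is set, but only copies it when `!empty()`, so a field whose value is `"0"`, `0` or `""` is deleted rather than renamed; the removed version at least left such values in place under the old name. Using the same test for both steps keeps the rename lossless: `if (isset($item[$oldname])) {` / `$item[$newname] = $item[$oldname];` / `unset($item[$oldname]);` inside one block. If dropping empty values is intended, a short comment saying so would stop the next reader from "fixing" it.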
@@ -784,6 +790,23 @@ function log_error($error) {
 return;
 }
+/****f* util/log_auth
+* NAME
+* log_error - Sends a string to syslog as LOG_AUTH facility
+* INPUTS
+* $error - string containing the syslog message.
+* RESULT
+* null
+******/
+function log_auth($error) {
+ global $g;
+ $page = $_SERVER['SCRIPT_NAME'];
+ syslog(LOG_AUTH, "$page: $error");
+ if ($g['debug'])
+ syslog(LOG_WARNING, var_dump(debug_backtrace()));
+ return;
+}
+
 /****f* util/exec_command
 * NAME
 * exec_command - Execute a command and return a string of the result.
@@ -802,17 +825,16 @@ function exec_command($command) {
 /* wrapper for exec() */
 function mwexec($command, $mute = false) {
- global $g;
- $oarr = array();
- $retval = 0;
+
 if ($g['debug']) {
 if (!$_SERVER['REMOTE_ADDR'])
 echo "mwexec(): $command\n";
- exec("$command 2>&1", $oarr, $retval);
- } else {
- exec("$command 2>&1", $oarr, $retval);
 }
+ $oarr = array();
+ $retval = 0;
+ $garbage = exec("$command 2>&1", $oarr, $retval);
+
 if(isset($config['system']['developerspew']))
 $mute = false;
 if(($retval <> 0) && ($mute === false)) {
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index b76f959..e720853 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -118,6 +118,7 @@ function vpn_ipsec_configure($ipchg = false)
 return true;
 } else {
 mwexec("/sbin/ifconfig enc0 up");
+ mwexec("/sbin/sysctl net.inet.ip.ipsec_in_use=1");
 if ($g['booting'])
 echo gettext("Configuring IPsec VPN... ");
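Review bot: In the new log_auth() the debug branch calls `syslog(LOG_WARNING, var_dump(debug_backtrace()))`; `var_dump()` prints to the output stream and returns null, so the syslog entry is empty and the full backtrace (including any arguments on the stack) is written into the HTTP response or console instead. Use `syslog(LOG_WARNING, print_r(debug_backtrace(), true));` to capture it as a string. The header comment is also a copy-paste leftover: the NAME line should read `log_auth - Sends a string to syslog as LOG_AUTH facility`. Since this is the helper that auth failures will be routed through, getting the facility and the message right matters for anyone building detection on these logs.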
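Review bot: mwexec() removes `global $g;` but the retained `if ($g['debug'])` still reads `$g`, which is now an undefined local inside the function, so the debug echo path can never fire; the context line `isset($config['system']['developerspew'])` has the same problem with `$config`, which was never declared global here either. Restore `global $g, $config;` as the first statement of the function. `$garbage = exec(...)` assigns a value that is never used; plain `exec("$command 2>&1", $oarr, $retval);` is clearer. The rest of mwexec() continues past the end of this hunk.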
@@ -635,15 +636,18 @@ EOD;
 $localid_type = $ph2ent['localid']['type'];
 $localid_data = ipsec_idinfo_to_cidr($ph2ent['localid']);
- /* Do not print localid in some cases, such as a pure-psk mobile tunnel */
- if (($localid_type == "none") || ($ph1ent['authentication_method'] == "pre_shared_key") && isset($ph1ent['mobile']))
+ /* Do not print localid in some cases, such as a pure-psk or psk/xauth mobile tunnel */
+ if (($localid_type == "none") ||
+ (($ph1ent['authentication_method'] == "xauth_psk_server") ||
+ ($ph1ent['authentication_method'] == "pre_shared_key"))
+ && isset($ph1ent['mobile']))
 $localid_spec = " ";
 else {
- if ($localid_type != "address") {
- $localid_type = "subnet";
- }
- $localid_spec = $localid_type." ".$localid_data." any";
- }
+ if ($localid_type != "address") {
+ $localid_type = "subnet";
+ }
+ $localid_spec = $localid_type." ".$localid_data." any";
+ }
 if (!isset($ph2ent['mobile'])) {
 $remoteid_type = $ph2ent['remoteid']['type'];
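Review bot: The rewritten condition relies on `&&` binding tighter than `||` to mean "localid is none, or (psk/xauth and mobile)"; that is what PHP does, but the layout with `&& isset(...)` on its own line reads as if it applied to the whole expression, and the same shape is repeated in the next hunk. Wrapping the right-hand group, `((... == "xauth_psk_server" || ... == "pre_shared_key") && isset($ph1ent['mobile']))`, makes the intent explicit without changing behaviour. The comment above it already describes the case well, so no further documentation is needed.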
@@ -656,16 +660,23 @@ EOD;
 $remoteid_spec = "anonymous";
 }
 else {
- $rgip = $rgmap[$ph1ent['remote-gateway']];
- $localid_data = ipsec_get_phase1_src($ph1ent);
- if($ph2ent['mode'] == 'transport') { $localid_data="$localid_data any"; }
- $localid_spec = "address {$localid_data}";
-
- $remoteid_data = $rgmap[$ph1ent['remote-gateway']];
- if($ph2ent['mode'] == 'transport') { $remoteid_data="$remoteid_data any"; }
- $remoteid_spec = "address {$remoteid_data}";
+ if ((($ph1ent['authentication_method'] == "xauth_psk_server") ||
+ ($ph1ent['authentication_method'] == "pre_shared_key"))
+ && isset($ph1ent['mobile']))
+ $localid_spec = " ";
+ else {
+ $localid_data = ipsec_get_phase1_src($ph1ent);
+ if($ph2ent['mode'] == 'transport') { $localid_data="$localid_data any"; }
+ $localid_spec = "address {$localid_data}";
+ }
+ if (!isset($ph2ent['mobile'])) {
+ $remoteid_data = $rgmap[$ph1ent['remote-gateway']];
+ if($ph2ent['mode'] == 'transport') { $remoteid_data="$remoteid_data any"; }
+ $remoteid_spec = "address {$remoteid_data}";
+ } else
+ $remoteid_spec = "anonymous";
 }
 if($ph2ent['protocol'] == 'esp') {
@@ -877,7 +888,6 @@ EOD;
 sleep("0.1");
 mwexec("/usr/local/sbin/setkey -F", false);
 sleep("0.1");
- exec("/sbin/sysctl net.inet.ip.ipsec_in_use=1");
 /* start racoon */
 mwexec("/usr/local/sbin/racoon -f {$g['varetc_path']}/racoon.conf", false);
 sleep("0.1");
diff --git a/etc/inc/xmlparse.inc b/etc/inc/xmlparse.inc
index 1738370..c1ab5cd 100644
--- a/etc/inc/xmlparse.inc
+++ b/etc/inc/xmlparse.inc
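Review bot: The "psk or xauth-psk, and mobile" test added here is a verbatim copy of the one in the previous hunk, so the two places that decide whether a localid is emitted into racoon.conf can now drift apart. A small predicate such as `function ipsec_ph1_is_mobile_psk($ph1ent) { return (in_array($ph1ent['authentication_method'], array("xauth_psk_server", "pre_shared_key"), true) && isset($ph1ent['mobile'])); }` used at both sites would keep the policy in one place. The `} else` without braces followed by a single statement mixes styles with the braced `if` above it; braces on both arms would match the surrounding code. The enclosing block continues outside this hunk.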
@@ -179,20 +179,27 @@ function parse_xml_config_raw($cffile, $rootobj, $isstring = "false") {
 while ($data = fread($fp, 4096)) {
 if (!xml_parse($xml_parser, $data, feof($fp))) {
- log_error(sprintf(gettext('XML error: %1$s at line %2$d') . "\n",
+ log_error(sprintf(gettext('XML error: %1$s at line %2$d in %3$s') . "\n",
 xml_error_string(xml_get_error_code($xml_parser)),
- xml_get_current_line_number($xml_parser)));
+ xml_get_current_line_number($xml_parser),
+ $cffile));
 return -1;
 }
 }
 xml_parser_free($xml_parser);
- if (!$parsedcfg[$rootobj]) {
+ if (!is_array($rootobj))
+ $rootobj = array($rootobj);
+ foreach ($rootobj as $rootobj_name)
+ if ($parsedcfg[$rootobj_name])
+ break;
+
+ if (!$parsedcfg[$rootobj_name]) {
 log_error(sprintf(gettext("XML error: no %s object found!") . "\n", $rootobj));
 return -1;
 }
- return $parsedcfg[$rootobj];
+ return $parsedcfg[$rootobj_name];
 }
 function dump_xml_config_sub($arr, $indent) {
diff --git a/etc/inc/xmlreader.inc b/etc/inc/xmlreader.inc
index f1450b8..173a59f 100644
--- a/etc/inc/xmlreader.inc
+++ b/etc/inc/xmlreader.inc
@@ -128,7 +128,13 @@ function parse_xml_config_raw($cffile, $rootobj, $isstring = "false") {
 } else
 log_error(sprintf(gettext("Error returned while trying to parse %s"), $cffile));
- return $parsedcfg[$rootobj];
+ if (!is_array($rootobj))
+ $rootobj = array($rootobj);
+ foreach ($rootobj as $rootobj_name)
+ if ($parsedcfg[$rootobj_name])
+ break;
+
+ return $parsedcfg[$rootobj_name];
 }
 function dump_xml_config_sub(& $writer, $arr) {
diff --git a/etc/inc/xmlrpc.inc b/etc/inc/xmlrpc.inc
index 61167bf..ef4fc19 100644
--- a/etc/inc/xmlrpc.inc
+++ b/etc/inc/xmlrpc.inc
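Review bot: After `$rootobj` is normalised to an array, the "no %s object found" message on the unchanged context line still passes `$rootobj` to `%s`, so the log now reads "no Array object found" (with an array-to-string notice) exactly in the case where the name would help. Use `log_error(sprintf(gettext("XML error: no %s object found!") . "\n", implode(", ", $rootobj)));`. If `$rootobj` is passed as an empty array, the `foreach` never runs and `$rootobj_name` is undefined at the `if`, so an explicit empty check, or a `$rootobj_name = null;` before the loop with an `isset()` test after it, would close that corner. The same `foreach`/`break` search in xmlreader.inc below has no failure branch at all: when none of the names match it silently returns `$parsedcfg[last name]`, so callers that switch between the two parsers get different behaviour for the same missing-root input; mirroring the log_error/`return -1` path there would keep them consistent.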
@@ -107,17 +107,36 @@ function php_value_to_xmlrpc($value, $force_array = false) {
 * the array before returning it.
 */
 function xmlrpc_auth(&$params) {
- global $config;
+ global $config, $_SERVER;
+
+ if (!is_array($config['system']['user'])) {
+ array_shift($params);
+ unset($params['xmlrpcauth']);
+ log_error("webConfigurator authentication error for 'admin' from {$_SERVER['REMOTE_ADDR']} during sync settings.");
+ return false;
+ }
+ if (!isset($config['system']['user'][0]['password'])) {
+ array_shift($params);
+ unset($params['xmlrpcauth']);
+ log_error("webConfigurator authentication error for 'admin' from {$_SERVER['REMOTE_ADDR']} during sync settings.");
+ return false;
+ }
+
 $localpass = $config['system']['user'][0]['password'];
 if(crypt($params[0], $localpass) == $localpass) {
 array_shift($params);
+ unset($params['xmlrpcauth']);
 return true;
- } else if(crypt($params['xmlrpcauth'], $localpass) != $localpass) {
+ } else if(crypt($params['xmlrpcauth'], $localpass) == $localpass) {
+ array_shift($params);
 unset($params['xmlrpcauth']);
- return false;
+ return true;
 }
+
+ array_shift($params);
 unset($params['xmlrpcauth']);
+ log_error("webConfigurator authentication error for 'admin' from {$_SERVER['REMOTE_ADDR']} during sync settings.");
 return false;
 }
-?>
\ No newline at end of file
+?> |
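Review bot: The two credential checks in xmlrpc_auth() compare the crypt() result with `==`, which is both a loose comparison and an early-exit byte comparison; for a password hash check use `===` at minimum, and a constant-time comparison (`hash_equals($localpass, crypt(...))` where the runtime provides it) so that the comparison time does not depend on how much of the hash matched. The failure message hard-codes `'admin'` while the check is against `$config['system']['user'][0]`, which is presumably but not necessarily the admin account; logging `$config['system']['user'][0]['name']` keeps the audit trail truthful. The four-line reject sequence (`array_shift`, `unset`, `log_error`, `return false`) now appears three times and the `global $_SERVER` is unnecessary for a superglobal; a small helper removes the duplication, as sketched below.

```php
/* Strip the credential slots from $params, log the failure and return false. */
function xmlrpc_auth_fail(&$params) {
	array_shift($params);
	unset($params['xmlrpcauth']);
	log_error("webConfigurator authentication error for '{$GLOBALS['config']['system']['user'][0]['name']}' from {$_SERVER['REMOTE_ADDR']} during sync settings.");
	return false;
}

function xmlrpc_auth(&$params) {
	global $config;

	if (!is_array($config['system']['user']) ||
	    !isset($config['system']['user'][0]['password']))
		return xmlrpc_auth_fail($params);

	$localpass = $config['system']['user'][0]['password'];
	// … unchanged: crypt() checks of $params[0] / $params['xmlrpcauth'], now with === …
	return xmlrpc_auth_fail($params);
}
```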