author | Seth Mos <seth.mos@dds.nl> | 2010-12-20 21:06:33 +0100 |
---|---|---|
committer | Seth Mos <seth.mos@dds.nl> | 2010-12-20 21:06:33 +0100 |
commit | 81afb50916235853a9b3046796199a443d27c224 (patch) | |
tree | f25e1acd56748f178699a1edc33c123bd2182f20 /etc | |
parent | 172007f50c215acf458340773a32052c28556aaa (diff) | |
parent | 49659e1cc6f78af1287590fca7b64791fd6da6f1 (diff) | |
Merge remote branch 'upstream/master'
Conflicts:
etc/inc/interfaces.inc
etc/inc/vslb.inc
usr/local/www/interfaces.php
Diffstat (limited to 'etc')
42 files changed, 1605 insertions, 975 deletions
diff --git a/etc/devd.conf b/etc/devd.conf
index 647de43..7c63591 100644
--- a/etc/devd.conf
+++ b/etc/devd.conf
@@ -27,12 +27,6 @@ notify 100 {
 action "/etc/rc.carpbackup $subsystem";
 };
 
-#notify 0 {
-# match "type" "LINK_DOWN";
-# media-type "ethernet";
-# action "/usr/local/sbin/pfSctl -c 'interface linkup stop $subsystem'";
-#};
-
 # When a USB keyboard arrives, attach it as the console keyboard.
 attach 100 {
 device-name "ukbd0";
@@ -57,6 +51,13 @@ notify 0 {
 action "/usr/local/sbin/pfSctl -c 'interface linkup start $subsystem'";
 };
 
+notify 0 {
+ match "system" "IFNET";
+ match "type" "LINK_DOWN";
+ media-type "ethernet";
+ action "/usr/local/sbin/pfSctl -c 'interface linkup stop $subsystem'";
+};
+
 # Notify all users before beginning emergency shutdown when we get
 # a _CRT or _HOT thermal event and we're going to power down the system
 # very soon.
diff --git a/etc/ecl.php b/etc/ecl.php
new file mode 100755
index 0000000..9f68919
--- /dev/null
+++ b/etc/ecl.php
@@ -0,0 +1,164 @@ +<?php +/* + external config loader + Copyright (C) 2010 Scott Ullrich + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ + Currently supported file system types: MS-Dos, FreeBSD UFS + +*/ + +require("globals.inc"); +require("functions.inc"); +require("config.lib.inc"); +require("config.inc"); + +$debug = false; + +function get_boot_disk() { + global $g, $debug; + $disk = exec("/sbin/mount | /usr/bin/grep \"on / \" | /usr/bin/cut -d'/' -f3 | /usr/bin/cut -d' ' -f1"); + return $disk; +} + +function get_disk_slices($disk) { + global $g, $debug; + $slices_array = array(); + $slices = trim(exec("/bin/ls /dev/{$disk}s* 2>/dev/null")); + $slices = str_replace("/dev/", "", $slices); + if($slices == "ls: No match.") + return; + $slices_array = split(" ", $slices); + return $slices_array; +} + +function get_disks() { + global $g, $debug; + $disks_array = array(); + $disks = exec("/sbin/sysctl kern.disks | cut -d':' -f2"); + $disks_s = explode(" ", $disks); + foreach($disks_s as $disk) + if(trim($disk)) + $disks_array[] = $disk; + return $disks_array; +} + +function discover_config($mountpoint) { + global $g, $debug; + $locations_to_check = array("/", "/config"); + foreach($locations_to_check as $ltc) { + $tocheck = "/tmp/mnt/cf{$ltc}config.xml"; + if($debug) { + echo "\nChecking for $tocheck"; + if(file_exists($tocheck)) + echo " -> found!"; + } + if(file_exists($tocheck)) + return $tocheck; + } + return ""; +} + +function test_config($file_location) { + global $g, $debug; + if(!$file_location) + return; + // config.xml was found. ensure it is sound. + $root_obj = trim("<{$g['xml_rootobj']}>"); + $xml_file_head = exec("/usr/bin/head -2 {$file_location} | /usr/bin/tail -n1"); + if($debug) { + echo "\nroot obj = $root_obj"; + echo "\nfile head = $xml_file_head"; + } + if($xml_file_head == $root_obj) { + // Now parse config to make sure + $config_status = config_validate($file_location); + if($config_status) + return true; + } + return false; +} + +// Probes all disks looking for config.xml +function find_config_xml() { + global $g, $debug; + $disks = get_disks(); + // Safety check. 
+ if(!is_array($disks)) + return; + $boot_disk = get_boot_disk(); + exec("/bin/mkdir -p /tmp/mnt/cf"); + foreach($disks as $disk) { + $slices = get_disk_slices($disk); + if(is_array($slices)) { + foreach($slices as $slice) { + if($slice == "") + continue; + if(stristr($slice, $boot_disk)) { + if($debug) + echo "\nSkipping boot device slice $slice"; + continue; + } + echo " $slice"; + // First try msdos fs + if($debug) + echo "\n/sbin/mount -t msdosfs /dev/{$slice} /tmp/mnt/cf 2>/dev/null \n"; + $result = exec("/sbin/mount -t msdosfs /dev/{$slice} /tmp/mnt/cf 2>/dev/null"); + // Next try regular fs (ufs) + if(!$result) { + if($debug) + echo "\n/sbin/mount /dev/{$slice} /tmp/mnt/cf 2>/dev/null \n"; + $result = exec("/sbin/mount /dev/{$slice} /tmp/mnt/cf 2>/dev/null"); + } + $mounted = trim(exec("/sbin/mount | /usr/bin/grep -v grep | /usr/bin/grep '/tmp/mnt/cf' | /usr/bin/wc -l")); + if($debug) + echo "\nmounted: $mounted "; + if(intval($mounted) > 0) { + // Item was mounted - look for config.xml file + $config_location = discover_config($slice); + if($config_location) { + if(test_config($config_location)) { + // We have a valid configuration. Install it. + echo " -> found config.xml\n"; + echo "Backing up old configuration...\n"; + backup_config(); + echo "Restoring [{$slice}] {$config_location}...\n"; + restore_backup($config_location); + echo "Cleaning up...\n"; + exec("/sbin/umount /tmp/mnt/cf"); + exit; + } + exec("/sbin/umount /tmp/mnt/cf"); + } + } + } + } + } +} + +echo "External config loader 1.0 is now starting..."; +find_config_xml(); +echo "\n"; + +?>
\ No newline at end of file diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc index dbd8a3e..60912f7 100644 --- a/etc/inc/auth.inc +++ b/etc/inc/auth.inc @@ -49,6 +49,9 @@ if(!$do_not_include_config_gui_inc) require_once("config.gui.inc"); +// Will be changed to false if security checks fail +$security_passed = true; + /* If this function doesn't exist, we're being called from Captive Portal or another internal subsystem which does not include authgui.inc */ if (function_exists("display_error_form") && !isset($config['system']['webgui']['nodnsrebindcheck'])) { 
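Review bot: The `exec("/sbin/umount /tmp/mnt/cf");` in find_config_xml() sits inside `if($config_location)`, so a slice that mounts cleanly but carries no config.xml is never unmounted, and the `mount | grep '/tmp/mnt/cf' | wc -l` probe for every later slice then counts that stale mount; move the umount out so it runs whenever `intval($mounted) > 0` and no valid config was installed. The `if(!$result)` fallback to the plain ufs mount is also always taken: with stderr sent to /dev/null, exec() returns an empty last output line on success and on failure alike, so capture the exit status instead, `exec("/sbin/mount -t msdosfs /dev/{$slice} /tmp/mnt/cf 2>/dev/null", $out, $rc);` and test `$rc !== 0`. discover_config() ignores its `$mountpoint` parameter and hard-codes /tmp/mnt/cf, which is misleading for the next reader; either use the parameter or drop it. The file header should also state the trust model plainly: any attached disk whose config.xml passes config_validate() replaces the running configuration with no further check, which is the intended physical-access model but is nowhere written down.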
@@ -61,57 +64,90 @@ if (function_exists("display_error_form") && !isset($config['system']['webgui'][ $http_host = $_SERVER['HTTP_HOST']; } if(is_ipaddr($http_host) or $_SERVER['SERVER_ADDR'] == "127.0.0.1" or - $http_host == "localhost" or $_SERVER['SERVER_ADDR'] == "localhost") + strcasecmp($http_host, "localhost") == 0) + $found_host = true; + if(strcasecmp($http_host, $config['system']['hostname'] . "." . $config['system']['domain']) == 0 or + strcasecmp($http_host, $config['system']['hostname']) == 0) $found_host = true; - if($config['dyndnses']['dyndns']) + + if(is_array($config['dyndnses']['dyndns']) && !$found_host) foreach($config['dyndnses']['dyndns'] as $dyndns) - if($dyndns['host'] == $http_host or $dyndns['host'] == $_SERVER['SERVER_ADDR']) + if(strcasecmp($dyndns['host'], $http_host) == 0) { $found_host = true; + break; + } - if(!empty($config['system']['webgui']['althostnames'])) { + if(!empty($config['system']['webgui']['althostnames']) && !$found_host) { $althosts = explode(" ", $config['system']['webgui']['althostnames']); foreach ($althosts as $ah) - if($ah == $http_host or $ah == $_SERVER['SERVER_ADDR']) + if(strcasecmp($ah, $http_host) == 0 or strcasecmp($ah, $_SERVER['SERVER_ADDR']) == 0) { $found_host = true; + break; + } } - if($http_host == $config['system']['hostname'] . "." . 
$config['system']['domain'] or - $http_host == $_SERVER['SERVER_ADDR'] or - $http_host == $config['system']['hostname']) - $found_host = true; - if($found_host == false) { - display_error_form("501", "Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding<br/>Try accessing the router by IP address instead of by hostname."); - exit; + if(!security_checks_disabled()) { + display_error_form("501", "Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding<br/>Try accessing the router by IP address instead of by hostname."); + exit; + } + $security_passed = false; } } // If the HTTP_REFERER is something other than ourselves then disallow. -if(function_exists("display_error_form") && !$config['system']['nohttpreferercheck']) { +if(function_exists("display_error_form") && !isset($config['system']['webgui']['nohttpreferercheck'])) { if($_SERVER['HTTP_REFERER']) { - $found_host = false; - $hostname_me = $config['system']['hostname'] . "." . $config['system']['domain']; - if(stristr($_SERVER['HTTP_REFERER'], $hostname_me)) - $found_host = true; - if(!empty($config['system']['webgui']['althostnames'])) { - $althosts = explode(" ", $config['system']['webgui']['althostnames']); - foreach ($althosts as $ah) - if(stristr($ah, $hostname_me)) - $found_host = true; + if(file_exists("{$g['tmp_path']}/setupwizard_lastreferrer")) { + if($_SERVER['HTTP_REFERER'] == file_get_contents("{$g['tmp_path']}/setupwizard_lastreferrer")) { + unlink("{$g['tmp_path']}/setupwizard_lastreferrer"); + header("Refresh: 1; url=index.php"); + echo "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">"; + echo "<html><head><title>" . gettext("Redirecting...") . "</title></head><body>" . gettext("Redirecting to the dashboard...") . 
"</body></html>"; + exit; + } } - $interface_list_ips = get_configured_ip_addresses(); - foreach($interface_list_ips as $ilips) { - $hostname_me_ip = $config['webgui']['protocol'] . "://" . $ilips; - if(stristr($_SERVER['HTTP_REFERER'],$hostname_me_ip)) + $found_host = false; + $referrer_host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST); + if($referrer_host) { + if(strcasecmp($referrer_host, $config['system']['hostname'] . "." . $config['system']['domain']) == 0 + || strcasecmp($referrer_host, $config['system']['hostname']) == 0) $found_host = true; + if(!empty($config['system']['webgui']['althostnames']) && !$found_host) { + $althosts = explode(" ", $config['system']['webgui']['althostnames']); + foreach ($althosts as $ah) { + if(strcasecmp($referrer_host, $ah) == 0) { + $found_host = true; + break; + } + } + } + if(!$found_host) { + $interface_list_ips = get_configured_ip_addresses(); + foreach($interface_list_ips as $ilips) { + if(strcasecmp($referrer_host, $ilips) == 0) { + $found_host = true; + break; + } + } + } } if($found_host == false) { - display_error_form("501", "An HTTP_REFERER was detected other than what is defined in System -> Advanced (" . htmlspecialchars($_SERVER['HTTP_REFERER']) . "). You can disable this check if needed in System -> Advanced -> Admin."); - exit; + if(!security_checks_disabled()) { + display_error_form("501", "An HTTP_REFERER was detected other than what is defined in System -> Advanced (" . htmlspecialchars($_SERVER['HTTP_REFERER']) . "). You can disable this check if needed in System -> Advanced -> Admin."); + exit; + } + $security_passed = false; } - } + } else + $security_passed = false; } +if (function_exists("display_error_form") && $security_passed) + /* Security checks passed, so it should be OK to turn them back on */ + restore_security_checks(); +unset($security_passed); + $groupindex = index_groups(); $userindex = index_users(); 
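Review bot: When security_checks_disabled() is true, both the DNS-rebind branch and the referrer branch in this hunk serve the request and only set `$security_passed = false;`, so a Host or Referer header that would otherwise have been rejected leaves no trace in the logs while the bypass flag exists; add `log_error("DNS rebind check bypassed for host {$http_host} while security checks are temporarily disabled");` before the first `$security_passed = false;` and a matching line in the referrer branch so the bypass window is visible. The flag is cleared only by a request that passes both checks, so an admin who keeps using a Host name matching none of hostname, althostnames or dyndns entries keeps the checks off until reboot; that appears intended but deserves a comment next to the `restore_security_checks();` call. The `if (function_exists("display_error_form") && !isset($config['system']['webgui']['nodnsrebindcheck']))` block that encloses the first half of this hunk starts before it.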
@@ -384,10 +420,11 @@ function local_user_set(& $user) { $keys = base64_decode($user['authorizedkeys']); file_put_contents("{$user_home}/.ssh/authorized_keys", $keys); chown("{$user_home}/.ssh/authorized_keys", $user_name); - } + } else + unlink_if_exists("{$user_home}/.ssh/authorized_keys"); $un = $lock_account ? "" : "un"; - exec("/usr/sbin/pw {$un}lock -q {$user_name}"); + exec("/usr/sbin/pw {$un}lock {$user_name} -q"); conf_mount_ro(); } @@ -1175,7 +1212,7 @@ function session_auth() { $_SESSION['Logged_In'] = "True"; $_SESSION['Username'] = $_POST['usernamefld']; $_SESSION['last_access'] = time(); - log_error("Successful login for user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}"); + log_auth("Successful webConfigurator login for user '{$_POST['usernamefld']}' from {$_SERVER['REMOTE_ADDR']}"); $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username']; if (isset($_POST['postafterlogin'])) return true; @@ -1188,7 +1225,7 @@ function session_auth() { } else { /* give the user an error message */ $_SESSION['Login_Error'] = "Username or Password incorrect"; - log_error("Login attempt with user: '{$_POST['usernamefld']}' from: '{$_SERVER['REMOTE_ADDR']}' failed."); + log_auth("webConfigurator authentication error for '{$_POST['usernamefld']}' from {$_SERVER['REMOTE_ADDR']}"); if(isAjax()) { echo "showajaxmessage('{$_SESSION['Login_Error']}');"; return; diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc index 007bd44..e36a626 100644 --- a/etc/inc/captiveportal.inc +++ b/etc/inc/captiveportal.inc @@ -608,6 +608,7 @@ EOD; $rulenum = 65310; $ipcount = 0; + $ips = ""; foreach ($cpips as $cpip) { if($ipcount == 0) { $ips = "{$cpip} "; @@ -616,7 +617,7 @@ EOD; } $ipcount++; } - $ips = "{ {$ips} }"; + $ips = "{ 255.255.255.255 or {$ips} }"; $cprules .= "add {$rulenum} set 1 pass ip from any to {$ips} in\n"; $rulenum++; $cprules .= "add {$rulenum} set 1 pass ip from {$ips} to any out\n"; 
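Review bot: `$user_name` is interpolated unquoted into the reordered `exec("/usr/sbin/pw {$un}lock {$user_name} -q");` line; the value comes from the user entry in the configuration rather than from the request, but a name containing shell metacharacters still breaks the command, so quote it, `exec("/usr/sbin/pw {$un}lock " . escapeshellarg($user_name) . " -q");`. The new `unlink_if_exists("{$user_home}/.ssh/authorized_keys");` on the else branch correctly removes stale keys when the user no longer has any configured. local_user_set() starts before this hunk.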
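Review bot: The new `log_auth(...)` messages in the @@ -1175 and @@ -1188 hunks of session_auth() embed `$_POST['usernamefld']` verbatim; if log_auth() does not strip control characters (its body is not on this page), a submitted username containing newlines can forge additional log records, which matters most on the failed-login path that feeds lockout tooling. Pass a sanitised copy, e.g. `$logname = preg_replace('/[^\x20-\x7e]/', '?', $_POST['usernamefld']);` and use `{$logname}` in both messages. session_auth() starts before these hunks.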
@@ -1471,4 +1472,4 @@ function portal_ip_from_client_ip($cliip) { return false; } -?>
\ No newline at end of file +?> diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc index 33aac66..e82baba 100644 --- a/etc/inc/certs.inc +++ b/etc/inc/certs.inc @@ -308,10 +308,15 @@ function cert_get_subject($str_crt, $decode = true) { return "unknown"; foreach ($components as $a => $v) { - if (!strlen($subject)) - $subject = "{$a}={$v}"; - else - $subject = "{$a}={$v}, {$subject}"; + if (is_array($v)) + foreach ($v as $w) { + $asubject = "{$a}={$w}"; + $subject = (strlen($subject)) ? "{$asubject}, {$subject}" : $asubject; + } + else { + $asubject = "{$a}={$v}"; + $subject = (strlen($subject)) ? "{$asubject}, {$subject}" : $asubject; + } } return $subject; diff --git a/etc/inc/config.console.inc b/etc/inc/config.console.inc index 5c5590c..1514926 100644 --- a/etc/inc/config.console.inc +++ b/etc/inc/config.console.inc @@ -38,7 +38,7 @@ POSSIBILITY OF SUCH DAMAGE. - pfSense_BUILDER_BINARIES: /sbin/mount /sbin/sysctl /sbin/umount /sbin/halt /sbin/fsck /bin/sync + pfSense_BUILDER_BINARIES: /sbin/mount /sbin/sysctl /sbin/umount /sbin/halt /sbin/fsck pfSense_MODULE: config */ diff --git a/etc/inc/config.gui.inc b/etc/inc/config.gui.inc index b41073f..dda13cc 100644 --- a/etc/inc/config.gui.inc +++ b/etc/inc/config.gui.inc @@ -38,7 +38,7 @@ POSSIBILITY OF SUCH DAMAGE. - pfSense_BUILDER_BINARIES: /sbin/mount /sbin/sysctl /sbin/umount /sbin/halt /sbin/fsck /bin/sync + pfSense_BUILDER_BINARIES: /sbin/mount /sbin/sysctl /sbin/umount /sbin/halt /sbin/fsck pfSense_MODULE: config */ /* @@ -49,10 +49,10 @@ require_once("globals.inc"); /* do not load this file twice. */ -if($config_inc_loaded == true) +if($config_parsed == true) return; else - $config_inc_loaded = true; + $config_parsed = true; // Set the memory limit to 128M. When someone has something like 500+ tunnels // the parser needs quite a bit of ram. Do not remove this line unless you diff --git a/etc/inc/config.inc b/etc/inc/config.inc index a00f910..1485669 100644 --- a/etc/inc/config.inc +++ b/etc/inc/config.inc 
@@ -38,7 +38,7 @@ POSSIBILITY OF SUCH DAMAGE. - pfSense_BUILDER_BINARIES: /sbin/mount /sbin/sysctl /sbin/umount /sbin/halt /sbin/fsck /bin/sync + pfSense_BUILDER_BINARIES: /sbin/mount /sbin/sysctl /sbin/umount /sbin/halt /sbin/fsck pfSense_MODULE: config */ @@ -48,10 +48,17 @@ if($g['booting']) echo "."; //if (in_array("/etc/inc/config.inc", get_included_files())) // return; -// Set the memory limit to 128M. When someone has something like 500+ tunnels +// Set the memory limit to 128M on i386. When someone has something like 500+ tunnels // the parser needs quite a bit of ram. Do not remove this line unless you // know what you are doing. If in doubt, check with dev@ _/FIRST/_! -ini_set("memory_limit","128M"); +if(!$ARCH) + $ARCH = php_uname("m"); + +// Set memory limit to 256M on amd64. +if($ARCH == "amd64") + ini_set("memory_limit","256M"); +else + ini_set("memory_limit","128M"); /* include globals from notices.inc /utility/XML parser files */ require_once("notices.inc"); diff --git a/etc/inc/config.lib.inc b/etc/inc/config.lib.inc index 4feef0f..ae7e445 100644 --- a/etc/inc/config.lib.inc +++ b/etc/inc/config.lib.inc @@ -39,7 +39,7 @@ POSSIBILITY OF SUCH DAMAGE. - pfSense_BUILDER_BINARIES: /sbin/mount /sbin/sysctl /sbin/umount /sbin/halt /sbin/fsck /bin/sync + pfSense_BUILDER_BINARIES: /sbin/mount /sbin/sysctl /sbin/umount /sbin/halt /sbin/fsck pfSense_MODULE: config */ @@ -148,7 +148,7 @@ function parse_config($parse = false) { die("Config.xml is corrupted and is 0 bytes. Could not restore a previous backup."); } } - $config = parse_xml_config($g['conf_path'] . '/config.xml', $g['xml_rootobj']); + $config = parse_xml_config($g['conf_path'] . '/config.xml', array($g['xml_rootobj'], 'pfsense')); if($config == "-1") { $last_backup = discover_last_backup(); if ($last_backup) 
@@ -210,8 +210,9 @@ function restore_backup($file) { conf_mount_rw(); unlink_if_exists("{$g['tmp_path']}/config.cache"); copy("$file","/cf/conf/config.xml"); + disable_security_checks(); log_error("{$g['product_name']} is restoring the configuration $file"); - file_notice("config.xml", "{$g['product_name']} is restoring the configuration $file", "pfSenseConfigurator", ""); + file_notice("config.xml", "{$g['product_name']} is restoring the configuration $file", "{$g['product_name']}Configurator", ""); conf_mount_ro(); } } @@ -352,7 +353,7 @@ function conf_mount_ro() { clear_subsystem_dirty('mount'); /* sync data, then force a remount of /cf */ - mwexec("/bin/sync; /bin/sync"); + pfSense_sync(); mwexec("/sbin/mount -u -r -f {$g['cf_path']}"); mwexec("/sbin/mount -u -r -f /"); } @@ -411,9 +412,6 @@ function convert_config() { if ($prev_version != $config['version']) write_config("Upgraded config version level from {$prev_version} to {$config['version']}"); - - if($g['booting']) - echo "Loading new configuration..."; } /****f* config/safe_write_file 
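Review bot: `disable_security_checks();` in restore_backup() runs even when the preceding `copy("$file","/cf/conf/config.xml");` failed, so a restore that never happened still lifts the DNS-rebind and HTTP-referrer protections for the following webGUI requests; gate it on the copy result, `if (copy($file, "/cf/conf/config.xml")) disable_security_checks(); else log_error("Failed to restore configuration from $file");`. The same unchecked `copy(...)` followed by `disable_security_checks();` is repeated in the reset_factory_defaults, config_restore and config_install hunks below. restore_backup() starts before this hunk.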
@@ -432,27 +430,32 @@ function convert_config() { * boolean - true if successful, false if not ******/ function safe_write_file($file, $content, $force_binary) { - $tmp_file = $file . "." . getmypid(); - $write_mode = $force_binary ? "wb" : "w"; + $tmp_file = $file . "." . getmypid(); + $write_mode = $force_binary ? "wb" : "w"; - $fd = fopen($tmp_file, $write_mode); - if (!$fd) { - // Unable to open temporary file for writing - return false; - } - if (!fwrite($fd, $content)) { - // Unable to write to temporary file - fclose($fd); - return false; + $fd = fopen($tmp_file, $write_mode); + if (!$fd) { + // Unable to open temporary file for writing + return false; } - fclose($fd); + if (!fwrite($fd, $content)) { + // Unable to write to temporary file + fclose($fd); + return false; + } + fflush($fd); + fclose($fd); - if (!rename($tmp_file, $file)) { - // Unable to move temporary file to original - unlink($tmp_file); - return false; - } - return true; + if (!rename($tmp_file, $file)) { + // Unable to move temporary file to original + @unlink($tmp_file); + return false; + } + + // Sync file before returning + pfSense_sync(); + + return true; } /****f* config/write_config @@ -569,6 +572,8 @@ function reset_factory_defaults($lock = false) { /* copy default configuration */ copy("{$g['conf_default_path']}/config.xml", "{$g['conf_path']}/config.xml"); + disable_security_checks(); + /* call the wizard */ touch("/conf/trigger_initial_wizard"); if (!$lock) @@ -593,6 +598,8 @@ function config_restore($conffile) { unlink_if_exists("{$g['tmp_path']}/config.cache"); copy($conffile, "{$g['cf_conf_path']}/config.xml"); + disable_security_checks(); + unlock($lockkey); $config = parse_config(true); @@ -623,6 +630,8 @@ function config_install($conffile) { copy($conffile, "{$g['conf_path']}/config.xml"); + disable_security_checks(); + /* unlink cache file if it exists */ if(file_exists("{$g['tmp_path']}/config.cache")) unlink("{$g['tmp_path']}/config.cache"); 
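Review bot: `if (!fwrite($fd, $content))` in the rewritten safe_write_file() treats a zero-length write as failure and a short write as success: fwrite returns the byte count, so an empty `$content` returns 0 and aborts, while a partial write returns a positive count and the truncated temp file is then renamed over the original; compare against the expected length, `if (fwrite($fd, $content) !== strlen($content)) {`. The `@unlink($tmp_file);` on the rename-failure path suppresses the reason the temp file could not be removed; `unlink_if_exists($tmp_file);`, which this file already uses, avoids the `@`. The docblock for safe_write_file starts before this hunk and should mention that the file is flushed and synced via pfSense_sync() before returning.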
@@ -633,6 +642,31 @@ function config_install($conffile) { return 0; } +/* + * Disable security checks for DNS rebind and HTTP referrer until next time + * they pass (or reboot), to aid in preventing accidental lockout when + * restoring settings like hostname, domain, IP addresses, and settings + * related to the DNS rebind and HTTP referrer checks. + * Intended for use when restoring a configuration or directly + * modifying config.xml without an unconditional reboot. + */ +function disable_security_checks() { + global $g; + touch("{$g['tmp_path']}/disable_security_checks"); +} + +/* Restores security checks. Should be called after all succeed. */ +function restore_security_checks() { + global $g; + unlink_if_exists("{$g['tmp_path']}/disable_security_checks"); +} + +/* Returns status of security check temporary disable. */ +function security_checks_disabled() { + global $g; + return file_exists("{$g['tmp_path']}/disable_security_checks"); +} + function config_validate($conffile) { global $g, $xmlerr; @@ -690,7 +724,7 @@ function cleanup_backupcache($revisions = 30, $lock = false) { $i = true; if($g['booting']) echo "."; - $newxml = parse_xml_config($backup, $g['xml_rootobj']); + $newxml = parse_xml_config($backup, array($g['xml_rootobj'], 'pfsense')); if($newxml == "-1") { log_error("The backup cache file $backup is corrupted. Unlinking."); unlink($backup); @@ -803,4 +837,4 @@ function set_device_perms() { } } -?>
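Review bot: `security_checks_disabled()` is a bare `file_exists()` on a flag under `$g['tmp_path']`, and `disable_security_checks()` ignores the return of `touch()`, so a failed touch silently leaves the lockout protection armed while any stray file at that path silently switches the DNS-rebind and referrer checks off; log both transitions, `if (!touch("{$g['tmp_path']}/disable_security_checks")) log_error("Could not create security check disable flag");` in disable_security_checks() and a one-line `log_error(...)` in restore_security_checks(). The header comment should also say that the flag is not time-bounded: it is removed only when a later webGUI request passes both checks (auth.inc calls restore_security_checks() only when `$security_passed` holds) or when tmp_path is cleared at boot.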
\ No newline at end of file +?> diff --git a/etc/inc/dyndns.class b/etc/inc/dyndns.class index 247fa68..785c902 100644 --- a/etc/inc/dyndns.class +++ b/etc/inc/dyndns.class @@ -92,8 +92,8 @@ global $config, $g; - $this->_cacheFile = "{$g['conf_path']}/dyndns_{$dnsIf}{$dnsService}.cache"; - $this->_debugFile = "{$g['varetc_path']}/dyndns_{$dnsIf}{$dnsService}.debug"; + $this->_cacheFile = "{$g['conf_path']}/dyndns_{$dnsIf}{$dnsService}" . escapeshellarg($dnsHost) . ".cache"; + $this->_debugFile = "{$g['varetc_path']}/dyndns_{$dnsIf}{$dnsService}" . escapeshellarg($dnsHost) . ".debug"; log_error("DynDns: updatedns() starting"); @@ -175,7 +175,7 @@ curl_setopt($ch, CURLOPT_USERAGENT, $this->_UserAgent); curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); curl_setopt($ch, CURLOPT_INTERFACE, $this->_ifIP); - curl_setopt($ch, CURLOPT_TIMEOUT, 30); // Completely empirical + curl_setopt($ch, CURLOPT_TIMEOUT, 60); // Completely empirical } switch ($this->_dnsService) { @@ -902,11 +902,23 @@ $this->_ifIP = $ip_address; if (is_private_ip($ip_address)) { $hosttocheck = "checkip.dyndns.org"; - $checkip = gethostbyname($hosttocheck); + $try = 0; + while ($try < 3) { + $checkip = gethostbyname($hosttocheck); + if (is_ipaddr($checkip)) + break; + $try++; + } + if ($try >= 3) { + log_error("Dyndns debug information: Could not resolve {$hosttocheck} to ip using interface ip {$ip_address}."); + return $ip_address; /* XXX: Might return private ip address! */ + } $ip_ch = curl_init("http://{$checkip}"); curl_setopt($ip_ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ip_ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ip_ch, CURLOPT_INTERFACE, $ip_address); + curl_setopt($ip_ch, CURLOPT_CONNECTTIMEOUT, '30'); + curl_setopt($ip_ch, CURLOPT_TIMEOUT, 60); $ip_result_page = curl_exec($ip_ch); curl_close($ip_ch); $ip_result_decoded = urldecode($ip_result_page); diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 063d0ec..6aaaeeb 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc 
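Review bot: `escapeshellarg($dnsHost)` is the wrong tool for a filesystem path in the new `_cacheFile` and `_debugFile` lines: it wraps the host in single quotes, giving a name like `dyndns_wandyndns'host.example.com'.cache` (constructed example), and it does not remove `/` or `..`, so a host value containing slashes still changes the directory the cache lands in. Build the component from a whitelist instead, `$safeHost = preg_replace('/[^A-Za-z0-9._-]/', '_', $dnsHost);` and use `{$safeHost}` in both paths. The host is admin-configured, so this is robustness rather than exposure, but the quoting surprise alone justifies the change. The enclosing method starts before this hunk.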
@@ -39,6 +39,7 @@ */ /* DISABLE_PHP_LINT_CHECKING */ +// vim: ts=4 sw=4 noexpandtab /* include all configuration functions */ @@ -62,31 +63,27 @@ $aliases = ""; function flowtable_configure() { global $config, $g; - return; + + if (empty($config['system']['flowtable'])) { + mwexec("/sbin/sysctl net.inet.flowtable.enable=0", true); + return; + } + // Figure out how many flows we should reserve // sized 2x larger than the number of unique connection destinations. if($config['system']['maximumstates'] <> "" && is_numeric($config['system']['maximumstates'])) $maxstates = $config['system']['maximumstates']; else - $maxstates = "150000"; + $maxstates = 150000; // nmbflows cpu count * ($maxstates * 2) - $cpus = trim(`/sbin/sysctl kern.smp.cpus | /usr/bin/cut -d' ' -f2`); + $cpus = trim(`/sbin/sysctl -n kern.smp.cpus`, " \n"); $nmbflows = ($cpus*($maxstates*2)); - // flowtable is not enabled - /* - if($config['system']['flowtable']) - $flowtable_enable = 1; - else - $flowtable_enable = 0; // Flowtable currently only works on 8.0 if(get_freebsd_version() == "8") { - if($flowtable_enable == 1) { - mwexec("/sbin/sysctl net.inet.flowtable.nmbflows={$config['system']['maximumstates']}"); - mwexec("/sbin/sysctl net.inet.ip.output_flowtable_size={$nmbflows}"); - } - mwexec("/sbin/sysctl net.inet.flowtable.enable={$flowtable_enable}"); + mwexec("/sbin/sysctl net.inet.flowtable.nmbflows={$nmbflows}"); + mwexec("/sbin/sysctl net.inet.ip.output_flowtable_size={$maxstates}"); + mwexec("/sbin/sysctl net.inet.flowtable.enable=1"); } - */ } function filter_load_ipfw() { 
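Review bot: `$cpus = trim(`/sbin/sysctl -n kern.smp.cpus`, " \n");` feeds straight into `$nmbflows = ($cpus*($maxstates*2));`, so if the sysctl fails or prints nothing `$cpus` is `""`, `$nmbflows` becomes 0, and that 0 is written to net.inet.flowtable.nmbflows on the FreeBSD 8 path. Clamp it before the multiplication, `$cpus = max(1, intval($cpus));`. The early `sysctl net.inet.flowtable.enable=0` return when `$config['system']['flowtable']` is empty reads correctly.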
@@ -135,16 +132,27 @@ function filter_pflog_start() { /* reload filter async */ function filter_configure() { + global $g; + if(isset($config['system']['developerspew'])) { $mt = microtime(); echo "filter_configure() being called $mt\n"; } - send_event("filter reload"); + + /* + * NOTE: Check here for bootup status since this should not be triggered during bootup. + * The reason is that rc.bootup calls filter_configure_sync directly which does this too. + */ + if (!$g['booting']) + send_event("filter reload"); } function filter_delete_states_for_down_gateways() { global $config, $GatewaysList; + if (isset($config['system']['kill_states'])) + return; + $a_gateways = return_gateways_status(); if (is_array($GatewaysList)) { foreach ($GatewaysList as $gwname => $gateway) { @@ -177,8 +185,8 @@ function filter_configure_sync() { global $config, $g, $after_filter_configure_run, $FilterIflist; global $time_based_rules, $filterdns, $aliases; - /* Use config lock to not allow recursion and config changes during this run. */ - $filterlck = lock('config'); + /* Use filter lock to not allow concurrent filter reloads during this run. */ + $filterlck = lock('filter', LOCK_EX); filter_pflog_start(); @@ -355,7 +363,7 @@ function filter_configure_sync() { * FilterDNS has three debugging levels. The default choosen is 1. * Availabe are level 2 and greater then 2. */ - mwexec("/usr/local/sbin/filterdns {$g['tmp_path']}/filterdns.pid 300 {$g['varetc_path']}/filterdns.conf 1"); + mwexec("/usr/local/sbin/filterdns -p {$g['tmp_path']}/filterdns.pid -i 300 -c {$g['varetc_path']}/filterdns.conf -d 1"); } /* run items scheduled for after filter configure run */ @@ -375,8 +383,6 @@ function filter_configure_sync() { fclose($fda); } - unlock($filterlck); - if(file_exists("{$g['tmp_path']}/commands.txt")) { mwexec("sh {$g['tmp_path']}/commands.txt &"); unlink("{$g['tmp_path']}/commands.txt"); 
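Review bot: filter_configure() now declares `global $g;` but still reads `$config['system']['developerspew']` without declaring `$config` global, so inside the function `$config` is an undefined local and the developerspew branch can never fire; change the new line to `global $config, $g;`. In the @@ -177 and @@ -375 hunks of filter_configure_sync() the unlock was moved to the end of the function, which is what `lock('filter', LOCK_EX)` needs, but any early `return` between the lock and the final `unlock($filterlck);` would now hold the filter lock; most of that function body is outside this chunk, so the returns there need checking.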
@@ -406,6 +412,7 @@ function filter_configure_sync() { if($g['booting'] == true) echo "done.\n"; + unlock($filterlck); return 0; } @@ -512,6 +519,7 @@ function filter_generate_aliases() { $aliases .= "\n#SSH Lockout Table\n"; $aliases .= "table <sshlockout> persist\n"; + $aliases .= "table <webConfiguratorlockout> persist\n"; $aliases .= "#Snort2C table\n"; $aliases .= "table <snort2c>\n"; @@ -847,7 +855,12 @@ function filter_get_reflection_interfaces($natif = "") { return $nat_if_list; } -function filter_generate_reflection_nat($rule, $nat_ifs, $protocol, $target, $target_ip, $target_subnet = "") { +function filter_generate_reflection_nat($rule, &$route_table, $nat_ifs, $protocol, $target, $target_ip, $target_subnet = "") { + global $config; + + if(!isset($config['system']['enablenatreflectionhelper'])) + return ""; + // Initialize natrules holder string $natrules = ""; 
@@ -866,21 +879,26 @@ function filter_generate_reflection_nat($rule, $nat_ifs, $protocol, $target, $ta $protocol_text = ""; } - $target_if_list = array(); - if(empty($target_subnet) || !is_numeric($target_subnet) || $target_subnet == 32) { - $target_if_list[] = guess_interface_from_ip($target_ip); - } else { - $target_if_list[] = guess_interface_from_ip(gen_subnet_max($target_ip, $target_subnet)); - } + if(empty($target_subnet) || !is_numeric($target_subnet)) + $target_subnet = 32; - foreach ($target_if_list as $target_if) { - /* Only install additional NAT rules if the - * target is in the list of source networks */ - if(in_array($target_if, $nat_ifs)) { - $target_networks = "{$target_if}:network"; + if(!is_array($route_table)) { + $route_table = array(); + /* create a route table we can search */ + exec("netstat -rnWf inet", $route_table); + } - $natrules .= "no nat on {$target_if}{$protocol_text} from {$target_if} to {$target}\n"; - $natrules .= "nat on {$target_if}{$protocol_text} from {$target_networks} to {$target} -> {$target_if}{$static_port}\n"; + /* Search for matching subnets in the routing table */ + foreach($route_table as $line) { + if(preg_match("/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+[ ]+([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|link[#])/", $line)) { + $fields = preg_split("/[ ]+/", $line); + $subnet = $fields[0]; + $subnet_split = explode("/", $subnet); + $subnet_if = $fields[6]; + if(in_array($subnet_if, $nat_ifs) && check_subnets_overlap($target_ip, $target_subnet, $subnet_split[0], $subnet_split[1])) { + $natrules .= "no nat on {$subnet_if}{$protocol_text} from {$subnet_if} to {$target}\n"; + $natrules .= "nat on {$subnet_if}{$protocol_text} from {$subnet} to {$target} -> {$subnet_if}{$static_port}\n"; + } } } @@ -1145,6 +1163,7 @@ function filter_nat_rules_generate() { update_filter_reload_status("Creating 1:1 rules..."); $reflection_txt = ""; + $route_table = ""; /* any 1:1 mappings? */ if(is_array($config['nat']['onetoone'])) { 
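Review bot: `exec("netstat -rnWf inet", $route_table);` is the only command in these hunks run without an absolute path (compare `/sbin/sysctl` and `/usr/local/sbin/filterdns` in the same file), so it depends on the caller's PATH; use `/usr/bin/netstat`. The parser then takes the interface from `$fields[6]` of the whitespace-split line, a positional assumption about `netstat -W` output that presumably holds for the Destination/Gateway/Flags/Refs/Use/Mtu/Netif layout but deserves a comment stating it, plus a guard `if (!isset($fields[6])) continue;` before the `in_array($subnet_if, $nat_ifs)` test. filter_generate_reflection_nat()'s signature is in the previous hunk and its body starts before this one.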
@@ -1202,7 +1221,7 @@ function filter_nat_rules_generate() { } $nat_if_list = array_merge(array($natif), $nat_if_list); - $reflection_txt .= filter_generate_reflection_nat($rule, $nat_if_list, "", $srcaddr, $srcip, $sn); + $reflection_txt .= filter_generate_reflection_nat($rule, $route_table, $nat_if_list, "", $srcaddr, $srcip, $sn); } } $natrules .= "\n# Outbound NAT rules\n"; @@ -1495,25 +1514,12 @@ function filter_nat_rules_generate() { fclose($inetd_fd); // Close file handle // Check if inetd is running, if not start it. If so, restart it gracefully. $helpers = isvalidproc("inetd"); - if(!$helpers) - mwexec("/usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.conf"); - else - sigkillbypid("/var/run/inetd.pid", "HUP"); - - $pptpdcfg = $config['pptpd']; - if($pptpdcfg['mode'] && $pptpdcfg['mode'] == "redir") { - $pptpdtarget = $pptpdcfg['redir']; - if(is_ipaddr($pptpdtarget) && is_array($FilterIflist['wan'])) { - $natrules .= <<<EOD - -# PPTP -rdr on \${$FilterIflist['wan']['descr']} proto gre from any to any -> $pptpdtarget -rdr on \${$FilterIflist['wan']['descr']} proto tcp from any to any port 1723 -> $pptpdtarget - -EOD; - } + if(file_exists("/var/etc/inetd.conf")) { + if(!$helpers) + mwexec("/usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.conf"); + else + sigkillbypid("/var/run/inetd.pid", "HUP"); } - $natrules .= discover_pkg_rules("nat"); $natrules .= filter_process_carp_nat_rules(); 
@@ -2027,46 +2033,9 @@ function filter_rules_generate() { $ipfrules = ""; //$ipfrules .= discover_pkg_rules("filter"); - /* if captive portal is enabled, ensure that access to this port - * is allowed on a locked down interface - */ - if(isset($config['captiveportal']['enable'])) { - $cpinterfaces = explode(",", $config['captiveportal']['interface']); - $cpiflist = array(); - $cpiplist = array(); - foreach ($cpinterfaces as $cpifgrp) { - if(!isset($FilterIflist[$cpifgrp])) - continue; - $tmpif = get_real_interface($cpifgrp); - if(!empty($tmpif)) { - $cpiflist[] = "{$tmpif}"; - $cpipm = get_interface_ip($cpifgrp); - if(is_ipaddr($cpipm)) { - $carpif = link_ip_to_carp_interface($cpipm); - if (!empty($carpif)) { - $cpiflist[] = $carpif; - $carpsif = explode(" ", $carpif); - foreach ($carpsif as $cpcarp) { - $carpip = find_interface_ip($cpcarp); - if (is_ipaddr($carpip)) - $cpiplist[] = $carpip; - } - } - $cpiplist[] = $cpipm; - } - } - } - if (count($cpiplist) > 0 && count($cpiflist) > 0) { - $cpinterface = implode(" ", $cpiflist); - $cpaddresses = implode(" ", $cpiplist); - $ipfrules .= "pass in quick on { {$cpinterface} } proto tcp from any to { {$cpaddresses} } port { 8000 8001 } keep state(sloppy)\n"; - $ipfrules .= "pass out quick on { {$cpinterface} } proto tcp from { {$cpaddresses} } port { 8000 8001 } to any keep state(sloppy)\n"; - } - } /* relayd */ $ipfrules .= "anchor \"relayd/*\"\n"; # BEGIN OF firewall rules - $ipfrules .= "anchor \"firewallrules\"\n"; /* default block logging? */ if(!isset($config['syslog']['nologdefaultblock'])) $log = "log"; @@ -2100,16 +2069,6 @@ EOD; block quick from <snort2c> to any label "Block snort2c hosts" block quick from any to <snort2c> label "Block snort2c hosts" -# package manager early specific hook -anchor "packageearly" - -EOD; - - $ipfrules .= <<<EOD - -# carp -anchor "carp" - EOD; $ipfrules .= filter_process_carp_rules(); 
@@ -2124,15 +2083,65 @@ EOD; $sshport = $config['system']['ssh']['port']; else $sshport = 22; - $ipfrules .= "block in log quick proto tcp from <sshlockout> to any port {$sshport} label \"sshlockout\"\n"; + if($sshport) + $ipfrules .= "block in log quick proto tcp from <sshlockout> to any port {$sshport} label \"sshlockout\"\n"; } + $ipfrules .= "\n# webConfigurator lockout\n"; + if(!$config['system']['webgui']['port']) { + if($config['system']['webgui']['protocol'] == "http") + $webConfiguratorlockoutport = "80"; + else + $webConfiguratorlockoutport = "443"; + } else { + $webConfiguratorlockoutport = $config['system']['webgui']['port']; + } + if($webConfiguratorlockoutport) + $ipfrules .= "block in log quick proto tcp from <webConfiguratorlockout> to any port {$webConfiguratorlockoutport} label \"webConfiguratorlockout\"\n"; + /* * Support for allow limiting of TCP connections by establishment rate * Useful for protecting against sudden outburts, etc. */ $ipfrules .= "block in quick from <virusprot> to any label \"virusprot overload table\"\n"; + /* if captive portal is enabled, ensure that access to this port + * is allowed on a locked down interface + */ + if(isset($config['captiveportal']['enable'])) { + $cpinterfaces = explode(",", $config['captiveportal']['interface']); + $cpiflist = array(); + $cpiplist = array(); + foreach ($cpinterfaces as $cpifgrp) { + if(!isset($FilterIflist[$cpifgrp])) + continue; + $tmpif = get_real_interface($cpifgrp); + if(!empty($tmpif)) { + $cpiflist[] = "{$tmpif}"; + $cpipm = get_interface_ip($cpifgrp); + if(is_ipaddr($cpipm)) { + $carpif = link_ip_to_carp_interface($cpipm); + if (!empty($carpif)) { + $cpiflist[] = $carpif; + $carpsif = explode(" ", $carpif); + foreach ($carpsif as $cpcarp) { + $carpip = find_interface_ip($cpcarp); + if (is_ipaddr($carpip)) + $cpiplist[] = $carpip; + } + } + $cpiplist[] = $cpipm; + } + } + } + if (count($cpiplist) > 0 && count($cpiflist) > 0) { + $cpinterface = implode(" ", $cpiflist); + 
$cpaddresses = implode(" ", $cpiplist); + $ipfrules .= "pass in {$log} quick on { {$cpinterface} } proto tcp from any to { {$cpaddresses} } port { 8000 8001 } keep state(sloppy)\n"; + $ipfrules .= "pass out {$log} quick on { {$cpinterface} } proto tcp from any port { 8000 8001 80 } to any flags any keep state(sloppy)\n"; + } + } + $bogontableinstalled = 0; foreach ($FilterIflist as $on => $oc) { /* block bogon networks */ @@ -2144,7 +2153,6 @@ EOD; $ipfrules .= <<<EOD # block bogon networks # http://www.cymru.com/Documents/bogon-bn-nonagg.txt -anchor "{$on}bogons" block in $log quick on \${$oc['descr']} from <bogons> to any label "block bogon networks from {$oc['descr']}" EOD; @@ -2177,11 +2185,8 @@ EOD; } switch ($oc['type']) { case "pptp": - /* XXX: The proto gre rules should really be removed when the pptp patch is guaranted to work */ $ipfrules .= <<<EOD # allow PPTP client -anchor "pptpclient" -pass in on \${$oc['descr']} proto gre from any to any modulate state label "allow PPTP client" pass in on \${$oc['descr']} proto tcp from any to any port = 1723 flags S/SA modulate state label "allow PPTP client on {$oc['descr']}" EOD; @@ -2190,7 +2195,6 @@ EOD; case "carpdev-dhcp": $ipfrules .= <<<EOD # allow our DHCP client out to the {$oc['descr']} -anchor "{$on}dhcp" pass in on \${$oc['descr']} proto udp from any port = 67 to any port = 68 label "allow dhcp client out {$oc['descr']}" pass out on \${$oc['descr']} proto udp from any port = 68 to any port = 67 label "allow dhcp client out {$oc['descr']}" # Not installing DHCP server firewall rules for {$oc['descr']} which is configured for DHCP. 
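Review bot: The relocated captive-portal outbound rule is broader than the one it replaces: `pass out {$log} quick on { {$cpinterface} } proto tcp from any port { 8000 8001 80 } to any flags any keep state(sloppy)` drops the `from { {$cpaddresses} }` restriction and adds port 80, so any TCP packet leaving the portal interfaces with source port 80/8000/8001 is passed `quick` regardless of origin rather than only the portal's own replies. If the intent is just to let the portal answer, restoring the source restriction keeps the rule tight: `from { {$cpaddresses} } port { 8000 8001 80 }`. The new lockout rule references a `<webConfiguratorlockout>` table that must be declared (`table <webConfiguratorlockout> persist`) somewhere in the generated ruleset or pfctl rejects the whole load; the declaration is not in this diff, so please confirm it exists. Both new `pass in/out {$log}` lines also log every portal-port packet whenever default-block logging is enabled, which can be noisy on a busy portal interface.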
@@ -2208,7 +2212,6 @@ EOD; $ipfrules .= <<<EOD # allow access to DHCP server on {$oc['descr']} -anchor "dhcpserver{$oc['descr']}" pass in on \${$oc['descr']} proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server" pass in on \${$oc['descr']} proto udp from any port = 68 to {$oc['ip']} port = 67 label "allow access to DHCP server" pass out on \${$oc['descr']} proto udp from {$oc['ip']} port = 67 to any port = 68 label "allow access to DHCP server" @@ -2238,17 +2241,13 @@ EOD; * rules before them. */ $ipfrules .= <<<EOD -anchor "spoofing" # loopback -anchor "loopback" pass in on \$loopback all label "pass loopback" pass out on \$loopback all label "pass loopback" pass in on \$loopback inet6 all label "pass loopback" pass out on \$loopback inet6 all label "pass loopback" -anchor "firewallout" - EOD; $ipfrules .= <<<EOD @@ -2302,7 +2301,6 @@ EOD; $lanif = $FilterIflist['lan']['if']; $ipfrules .= <<<EOD # make sure the user cannot lock himself out of the webConfigurator or SSH -anchor "anti-lockout" pass in quick on {$lanif} proto tcp from any to ({$lanif}) port { $portarg $sshport } keep state label "anti-lockout rule" EOD; @@ -2311,7 +2309,6 @@ EOD; $wanif = $FilterIflist["wan"]['if']; $ipfrules .= <<<EOD # make sure the user cannot lock himself out of the webConfigurator or SSH -anchor "anti-lockout" pass in quick on {$wanif} proto tcp from any to ({$wanif}) port { $portarg $sshport } keep state label "anti-lockout rule" EOD; @@ -2326,8 +2323,6 @@ EOD; if(is_ipaddr($pptpdtarget) and is_array($FilterIflist['wan'])) { $ipfrules .= <<<EOD # PPTPd rules -anchor "pptp" -pass in on \${$FilterIflist['wan']['descr']} proto gre from any to $pptpdtarget keep state label "allow gre pptpd" pass in on \${$FilterIflist['wan']['descr']} proto tcp from any to $pptpdtarget port = 1723 modulate state label "allow pptpd {$pptpdtarget}" EOD; 
@@ -2391,7 +2386,6 @@ EOD; * topologies */ if(isset($config['filter']['bypassstaticroutes']) && is_array($config['staticroutes']['route']) && count($config['staticroutes']['route'])) { - $ipfrules .= "anchor \"staticrouted\" \n"; foreach ($config['staticroutes']['route'] as $route) { $friendly = $GatewaysList[$route['gateway']]['friendlyiface']; if(is_array($FilterIflist[$friendly])) { @@ -2436,13 +2430,8 @@ EOD; $ipfrules .= filter_generate_ipsec_rules(); $ipfrules .= <<<EOD -# package manager late specific hook -anchor "packagelate" - anchor "tftp-proxy/*" -anchor "limitingesr" - # uPnPd anchor "miniupnpd" @@ -2886,6 +2875,4 @@ function discover_pkg_rules($ruletype) { return $rules; } -// vim: ts=4 sw=4 noexpandtab - ?> diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc index b8593dc..ba97ba0 100644 --- a/etc/inc/globals.inc +++ b/etc/inc/globals.inc @@ -41,7 +41,7 @@ function remove_numbers($string) { } function get_nics_with_capabilities($CAPABILITIES) { - $ifs = `ifconfig -l`; + $ifs = `/sbin/ifconfig -l`; $if_list = split(" ", $ifs); $vlan_native_supp = array(); foreach($if_list as $if => $iface) { @@ -113,7 +113,7 @@ $vlan_native_supp = get_nics_with_capabilities("vlanmtu"); if(count($vlan_native_supp) > 0) $g['vlan_long_frame'] = $vlan_native_supp; else - $g['vlan_long_frame'] = array("vge", "bfe", "bge", "dc", "em", "fxp", "gem", "hme", "ixgb", "le", "nge", "re", "rl", "sis", "sk", "ste", "ti", "tl", "tx", "txp", "vr", "xl", "lagg"); + $g['vlan_long_frame'] = array("vge", "bfe", "bge", "dc", "em", "fxp", "gem", "hme", "ixgb", "le", "lem", "nge", "re", "rl", "sis", "sk", "ste", "ti", "tl", "tx", "txp", "vr", "xl", "lagg"); /* IP TOS flags */ $iptos = array("lowdelay", "throughput", "reliability"); 
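Review bot: The output of `` `/sbin/ifconfig -l` `` ends in a newline, so after `split(" ", $ifs)` the last element carries a trailing "\n" and, if the loop body (outside the hunk) compares driver names exactly, the last NIC is never recognised. `$if_list = preg_split('/\s+/', trim($ifs));` avoids that and also drops `split()`, which PHP deprecates from 5.3 onward.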
@@ -122,7 +122,7 @@ $iptos = array("lowdelay", "throughput", "reliability"); $tcpflags = array("syn", "ack", "fin", "rst", "psh", "urg"); if(file_exists("/etc/platform")) { - $arch = trim(`uname -m`); + $arch = php_uname("m"); $g['platform'] = trim(file_get_contents("/etc/platform")); if($g['platform'] == "nanobsd") { $g['update_url']="http://snapshots.pfsense.org/FreeBSD_RELENG_8_1/{$arch}/pfSense_HEAD/.updaters/"; @@ -138,32 +138,33 @@ if(file_exists("/etc/platform")) { /* Default sysctls */ $sysctls = array("net.inet.ip.portrange.first" => "1024", - "net.inet.tcp.blackhole" => "2", - "net.inet.udp.blackhole" => "1", - "net.inet.ip.random_id" => "1", - "net.inet.tcp.drop_synfin" => "1", - "net.inet.ip.redirect" => "1", - "net.inet6.ip6.redirect" => "1", - "net.inet.tcp.syncookies" => "1", - "net.inet.tcp.recvspace" => "65228", - "net.inet.tcp.sendspace" => "65228", - "net.inet.ip.fastforwarding" => "1", - "net.inet.tcp.delayed_ack" => "0", - "net.inet.udp.maxdgram" => "57344", - "net.link.bridge.pfil_onlyip" => "0", - "net.link.bridge.pfil_member" => "1", - "net.link.bridge.pfil_bridge" => "0", - "net.link.tap.user_open" => "1", - "kern.rndtest.verbose" => "0", - "kern.randompid" => "347", - "net.inet.ip.intr_queue_maxlen" => "1000", - "hw.syscons.kbd_reboot" => "0", - "net.inet.tcp.inflight.enable" => "1", - "net.inet.tcp.log_debug" => "0", - "net.inet.tcp.tso" => "1", - "net.inet.icmp.icmplim" => "0" - ); - -$config_inc_loaded = false; - -?>
\ No newline at end of file + "net.inet.tcp.blackhole" => "2", + "net.inet.udp.blackhole" => "1", + "net.inet.ip.random_id" => "1", + "net.inet.tcp.drop_synfin" => "1", + "net.inet.ip.redirect" => "1", + "net.inet6.ip6.redirect" => "1", + "net.inet.tcp.syncookies" => "1", + "net.inet.tcp.recvspace" => "65228", + "net.inet.tcp.sendspace" => "65228", + "net.inet.ip.fastforwarding" => "0", + "net.inet.tcp.delayed_ack" => "0", + "net.inet.udp.maxdgram" => "57344", + "net.link.bridge.pfil_onlyip" => "0", + "net.link.bridge.pfil_member" => "1", + "net.link.bridge.pfil_bridge" => "0", + "net.link.tap.user_open" => "1", + "kern.rndtest.verbose" => "0", + "kern.randompid" => "347", + "net.inet.ip.intr_queue_maxlen" => "1000", + "hw.syscons.kbd_reboot" => "0", + "net.inet.tcp.inflight.enable" => "1", + "net.inet.tcp.log_debug" => "0", + "net.inet.tcp.tso" => "1", + "net.inet.icmp.icmplim" => "0", + "vfs.read_max" => "32" +); + +$config_parsed = false; + +?> diff --git a/etc/inc/gwlb.inc b/etc/inc/gwlb.inc index 3d1ec93..cc9aa74 100644 --- a/etc/inc/gwlb.inc +++ b/etc/inc/gwlb.inc @@ -41,8 +41,6 @@ function setup_gateways_monitor() { if (!is_array($gateways_arr)) { log_error("No gateways to monitor. Apinger will not be run."); killbypid("{$g['varrun_path']}/apinger.pid"); - // TEMPORARY XXX - exec("/usr/bin/killall -9 apinger"); @unlink("{$g['tmp_path']}/apinger.status"); return; } @@ -220,7 +218,7 @@ EOD; log_error("Removing static route for monitor {$gateway['monitor']} and adding a new route through {$gateway['gateway']}"); mwexec("/sbin/route delete -host " . escapeshellarg($gateway['monitor']), true); mwexec("/sbin/route add -host " . escapeshellarg($gateway['monitor']) . - " " . escapeshellarg($gateway['gateway'])); + " " . escapeshellarg($gateway['gateway']), true); } $apingerconfig .= $alarmscfg; 
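Review bot: `$config_inc_loaded` is renamed to `$config_parsed` at the bottom of globals.inc; any file that still tests `$config_inc_loaded` now reads an undefined (null, falsy) variable and silently takes the not-loaded path, so the rename needs a search across the tree before it lands. The `net.inet.ip.fastforwarding` flip from `"1"` to `"0"` is a behavioural change buried in what is otherwise a re-indent of the array and deserves a one-line comment in the array stating why it is now disabled, as does the new `"vfs.read_max" => "32"` entry.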
@@ -230,8 +228,6 @@ EOD; fclose($fd); killbypid("{$g['varrun_path']}/apinger.pid"); - // TEMPORARY XXX - exec("/usr/bin/killall -9 apinger"); if (is_dir("{$g['tmp_path']}")) chmod("{$g['tmp_path']}", 01777); if (!is_dir("{$g['vardb_path']}/rrd")) @@ -241,6 +237,7 @@ EOD; /* start a new apinger process */ @unlink("{$g['tmp_path']}/apinger.status"); + sleep(1); mwexec_bg("/usr/local/sbin/apinger -c {$g['varetc_path']}/apinger.conf"); return 0; @@ -296,13 +293,14 @@ function return_gateways_array($disabled = false) { $gateway['friendlyiface'] = $gateway['interface']; $gateway['interface'] = get_real_interface($gateway['interface']); - /* Some interface like wan might be default but have no info recorded + /* FIXME: Should this be enabled. + * Some interface like wan might be default but have no info recorded * the config. - */ if ($gateway['friendlyiface'] == "wan" && !isset($gateway['defaultgw'])) { if (file_exists("{$g['tmp_path']}/{$gateway['interface']}_defaultgw")) $gateway['defaultgw'] = true; } + */ /* include the gateway index as the attribute */ $gateway['attribute'] = $i; @@ -414,9 +412,11 @@ function return_gateway_groups_array() { $tiers_count = count($tiers); if($tiers_count == 0) { /* Oh dear, we have no members! Engage Plan B */ - $msg = "Gateways status could not be determined, considering all as up/active."; - log_error($msg); - notify_via_growl($msg); + if (!$g['booting']) { + $msg = "Gateways status could not be determined, considering all as up/active."; + log_error($msg); + notify_via_growl($msg); + } $tiers = $backupplan; } /* sort the tiers array by the tier key */ diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc index 2bbc05b..4d47495 100644 --- a/etc/inc/interfaces.inc +++ b/etc/inc/interfaces.inc 
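Review bot: The new `sleep(1);` between the earlier `killbypid("{$g['varrun_path']}/apinger.pid")` and `mwexec_bg("/usr/local/sbin/apinger ...")` is a timing guess: on a loaded box the old apinger may not have exited after one second and two instances then race for the pid and status files, while on an idle box a second is wasted on every gateway reconfiguration. Waiting for the process to actually go away is deterministic and usually faster, e.g. `for ($i = 0; $i < 10 && isvalidproc("apinger"); $i++) usleep(100000);` in place of the sleep. setup_gateways_monitor's body continues outside the hunk.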
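Review bot: The `if (!$g['booting'])` guard in return_gateway_groups_array() relies on `$g` being imported with `global $g`; the function header is outside the hunk, and if the global is missing the test is against an undefined variable, which is always true, so the log/growl notice keeps firing during boot exactly as before. Please confirm the `global` line, and if `$g` is not already imported add it next to `global $config` at the top of the function.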
@@ -35,7 +35,7 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - pfSense_BUILDER_BINARIES: /usr/sbin/pppd /sbin/dhclient /bin/sh /usr/bin/grep /usr/bin/xargs /usr/bin/awk /usr/local/sbin/choparp + pfSense_BUILDER_BINARIES: /sbin/dhclient /bin/sh /usr/bin/grep /usr/bin/xargs /usr/bin/awk /usr/local/sbin/choparp pfSense_BUILDER_BINARIES: /sbin/ifconfig /sbin/route /usr/sbin/ngctl /usr/sbin/arp /bin/kill /usr/local/sbin/mpd5 pfSense_MODULE: interfaces @@ -84,6 +84,49 @@ function does_interface_exist($interface) { return false; } +function interface_netgraph_needed($interface = "wan") { + global $config; + + $found = false; + if (!empty($config['pptpd']) && + $config['pptpd']['mode'] == "server") + $found = true; + if ($found == false && !empty($config['l2tp']) && + $config['l2tp']['mode'] == "server") + $found = true; + if ($found == false && is_array($config['pppoes']['pppoe'])) { + foreach ($config['pppoes']['pppoe'] as $pppoe) { + if ($pppoe['mode'] != "server") + continue; + if ($pppoe['interface'] == $interface) + $found = true; + break; + } + } + if ($found == false && !empty($config['interfaces'][$interface])) { + switch ($config['interfaces'][$interface]['ipaddr']) { + case "ppp": + case "pppoe": + case "l2tp": + case "pptp": + $found = true; + break; + default: + $found = false; + break; + } + } + + $realif = get_real_interface($interface); + if ($found == false) + pfSense_ngctl_detach("{$realif}:", $realif); + /* NOTE: We make sure for this on interface_ppps_configure() + * no need to do it here agan. + * else + * pfSense_ngctl_attach(".", $realif); + */ +} + function interfaces_loopback_configure() { if($g['booting']) echo "Configuring loopback interface..."; 
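Review bot: In the new interface_netgraph_needed(), the `break;` in the PPPoE loop is unconditional: `if ($pppoe['interface'] == $interface) $found = true; break;` leaves the loop after the first server-mode entry whatever its interface, so a PPPoE server defined later for `$interface` is never seen and, unless another check sets `$found`, its netgraph node is detached. Brace the body: `if ($pppoe['interface'] == $interface) { $found = true; break; }`. The name reads like a predicate but the function returns nothing and acts by calling `pfSense_ngctl_detach`; a header such as `/* Detach the netgraph node of $interface's real device when no PPP/PPTP/L2TP/PPPoE service needs it. */` would make the side effect explicit.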
@@ -336,6 +379,12 @@ function interface_bridge_configure(&$bridge) { $commontx = false; if (!isset($opts['encaps']['rxcsum'])) $commonrx = false; + if (!isset($opts['encaps']['tso4'])) + $commontso4 = false; + if (!isset($opts['encaps']['tso6'])) + $commontso6 = false; + if (!isset($opts['encaps']['lro'])) + $commonlro = false; if ($smallermtu == 0 && !empty($mtu)) $smallermtu = $mtu; else if (!empty($mtu) && $mtu < $smallermtu) @@ -347,10 +396,16 @@ function interface_bridge_configure(&$bridge) { $smallermtu = 1500; $flags = 0; - if ($commonrx == false) + if ($commonrx === false) $flags |= IFCAP_RXCSUM; - if ($commontx == false) + if ($commontx === false) $flags |= IFCAP_TXCSUM; + if ($commontso4 === false) + $flags |= IFCAP_TSO4; + if ($commontso6 === false) + $flags |= IFCAP_TSO6; + if ($commonlro === false) + $flags |= IFCAP_LRO; /* Add interfaces to bridge */ foreach ($members as $member) { @@ -543,7 +598,18 @@ function interface_lagg_configure(&$lagg) { /* Calculate smaller mtu and enforce it */ $smallermtu = 0; foreach ($members as $member) { - $mtu = get_interface_mtu($member); + $opts = pfSense_get_interface_addresses($member); + $mtu = $opts['mtu']; + if (!isset($opts['encaps']['txcsum'])) + $commontx = false; + if (!isset($opts['encaps']['rxcsum'])) + $commonrx = false; + if (!isset($opts['encaps']['tso4'])) + $commontso4 = false; + if (!isset($opts['encaps']['tso6'])) + $commontso6 = false; + if (!isset($opts['encaps']['lro'])) + $commonlro = false; if ($smallermtu == 0 && !empty($mtu)) $smallermtu = $mtu; else if (!empty($mtu) && $mtu < $smallermtu) 
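Review bot: The `$commontx`, `$commonrx`, `$commontso4`, `$commontso6` and `$commonlro` flags are only ever assigned `false` inside the member loop of interface_lagg_configure(); their initialisation is outside the hunk, and if they are not set to `true` beforehand the `=== false` tests that follow (next chunk) work only by accident on undefined variables and emit notices. Initialise all five before the loop, `$commontx = $commonrx = $commontso4 = $commontso6 = $commonlro = true;`. The same applies to the three new flags added to interface_bridge_configure() in the first hunk of this chunk, whose loop start is likewise outside the hunk.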
@@ -554,11 +620,24 @@ function interface_lagg_configure(&$lagg) { if ($smallermtu == 0) $smallermtu = 1500; + $flags = 0; + if ($commonrx === false) + $flags |= IFCAP_RXCSUM; + if ($commontx === false) + $flags |= IFCAP_TXCSUM; + if ($commontso4 === false) + $flags |= IFCAP_TSO4; + if ($commontso6 === false) + $flags |= IFCAP_TSO6; + if ($commonlro === false) + $flags |= IFCAP_LRO; + foreach ($members as $member) { if (!array_key_exists($member, $checklist)) continue; /* make sure the parent interface is up */ pfSense_interface_mtu($member, $smallermtu); + pfSense_interface_capabilities($member, -$flags); interfaces_bring_up($member); mwexec("/sbin/ifconfig {$laggif} laggport {$member}"); } @@ -573,19 +652,18 @@ function interface_lagg_configure(&$lagg) { function interfaces_gre_configure() { global $config; - $i = 0; if (is_array($config['gres']['gre']) && count($config['gres']['gre'])) { - foreach ($config['gres']['gre'] as $gre) { + foreach ($config['gres']['gre'] as $i => $gre) { if(empty($gre['greif'])) $gre['greif'] = "gre{$i}"; /* XXX: Maybe we should report any errors?! */ interface_gre_configure($gre); - $i++; } } } -function interface_gre_configure(&$gre) { +/* NOTE: $grekey is not used but useful for passing this function to array_walk. */ +function interface_gre_configure(&$gre, $grekey = "") { global $config, $g; if (!is_array($gre)) 
@@ -628,19 +706,19 @@ function interface_gre_configure(&$gre) { function interfaces_gif_configure() { global $config; - $i = 0; + if (is_array($config['gifs']['gif']) && count($config['gifs']['gif'])) { - foreach ($config['gifs']['gif'] as $gif) { + foreach ($config['gifs']['gif'] as $i => $gif) { if(empty($gif['gifif'])) $gre['gifif'] = "gif{$i}"; /* XXX: Maybe we should report any errors?! */ interface_gif_configure($gif); - $i++; } } } -function interface_gif_configure(&$gif) { +/* NOTE: $gifkey is not used but useful for passing this function to array_walk. */ +function interface_gif_configure(&$gif, $gifkey = "") { global $config, $g; if (!is_array($gif)) @@ -787,9 +865,6 @@ function interfaces_configure() { /* reload captive portal */ captiveportal_init_rules(); - - /* set the reload filter dity flag */ - filter_configure(); } return 0; @@ -1089,6 +1164,7 @@ function interface_ppps_configure($interface) { case "pppoe": /* Bring the parent interface up */ interfaces_bring_up($port); + pfSense_ngctl_attach(".", $port); break; case "pptp": case "l2tp": @@ -1119,6 +1195,7 @@ function interface_ppps_configure($interface) { log_error("Could not get a PPTP/L2TP Remote IP address from {$dhcp_gateway} for {$gway} in interfaces_ppps_configure."); return 0; } + pfSense_ngctl_attach(".", $port); break; case "ppp": if (!file_exists("{$port}")) { @@ -1414,7 +1491,7 @@ EOD; conf_mount_ro(); } } - + /* fire up mpd */ mwexec("/usr/local/sbin/mpd5 -b -k -d {$g['varetc_path']} -f mpd_{$interface}.conf -p {$g['varrun_path']}/{$ppp['type']}_{$interface}.pid -s ppp {$ppp['type']}client"); 
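Review bot: `$gre['gifif'] = "gif{$i}";` in interfaces_gif_configure() writes the default name into the wrong array — it should be `$gif['gifif'] = "gif{$i}";` — so a gif entry without an explicit `gifif` is passed to interface_gif_configure() with the key still empty. The line is context here, but the hunk rewrote the surrounding loop, so it is the right moment to fix it.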
@@ -1471,7 +1548,7 @@ function interfaces_carp_setup() { } else $cmdchain->add("Enable CARP preemption", "/sbin/sysctl net.inet.carp.preempt=1", true); - $cmdchain->add("Enable CARP logging", "/sbin/sysctl net.inet.carp.log=2", true); + $cmdchain->add("Enable CARP logging", "/sbin/sysctl net.inet.carp.log=1", true); if (!empty($pfsyncinterface)) $carp_sync_int = get_real_interface($pfsyncinterface); @@ -1690,7 +1767,6 @@ function interface_carp_configure(&$vip) { // set the vip interface to the vhid $vipif = "vip{$vip['vhid']}"; - $interface = interface_translate_type_to_real($vip['interface']); /* * ensure the interface containing the VIP really exists * prevents a panic if the interface is missing or invalid @@ -1734,11 +1810,11 @@ function interface_carp_configure(&$vip) { if(is_ipaddrv4($vip['subnet'])) { $broadcast_address = gen_subnet_max($vip['subnet'], $vip['subnet_bits']); - mwexec("/sbin/ifconfig {$vipif} {$vip['subnet']}/{$vip['subnet_bits']} vhid {$vip['vhid']} advskew {$vip['advskew']} {$password}"); + mwexec("/sbin/ifconfig {$vipif} {$vip['subnet']}/{$vip['subnet_bits']} vhid {$vip['vhid']} advskew {$vip['advskew']} advbase {$vip['advbase']} {$password}"); } if(is_ipaddrv6($vip['subnet'])) { $broadcast_address = gen_subnet_max($vip['subnet'], $vip['subnet_bits']); - mwexec("/sbin/ifconfig {$vipif} inet6 {$vip['subnet']} prefixlen {$vip['subnet_bits']} vhid {$vip['vhid']} advskew {$vip['advskew']} {$password}"); + mwexec("/sbin/ifconfig {$vipif} inet6 {$vip['subnet']} prefixlen {$vip['subnet_bits']} vhid {$vip['vhid']} advskew {$vip['advskew']} advbase {$vip['advbase']} {$password}"); } interfaces_bring_up($vipif); 
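Review bot: `advbase {$vip['advbase']}` is interpolated unconditionally into both ifconfig commands in interface_carp_configure(); a VIP saved before `advbase` existed in config.xml has no such key, so the command becomes `... advbase  pass ...`, ifconfig rejects it and the CARP address is left unconfigured. Emit the option only when set, `$advbase = !empty($vip['advbase']) ? " advbase " . escapeshellarg($vip['advbase']) : "";` and then `... advskew {$vip['advskew']}{$advbase} {$password}`; the escaping matches how `$if` and the MAC values are passed to ifconfig elsewhere in this file. The carpdev command in the next chunk (`@@ -1781,7 +1856,7 @@`) has the same problem.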
@@ -1757,12 +1833,11 @@ function interface_carpdev_configure(&$vip) { if($vip['password'] != "") $password = " pass \"" . $vip_password . "\""; - log_error("Found carpdev interface {$vip['interface']} on top of interface {$interface}"); if (empty($vip['interface'])) return; $vipif = "vip" . $vip['vhid']; - $realif = interface_translate_type_to_real($vip['interface']); + $realif = get_real_interface($vip['interface']); interfaces_bring_up($realif); /* * ensure the interface containing the VIP really exists @@ -1781,7 +1856,7 @@ function interface_carpdev_configure(&$vip) { pfSense_ngctl_name("{$carpdevif}:", $vipif); } - mwexec("/sbin/ifconfig {$vipif} carpdev {$realif} vhid {$vip['vhid']} advskew {$vip['advskew']} {$password}"); + mwexec("/sbin/ifconfig {$vipif} carpdev {$realif} vhid {$vip['vhid']} advskew {$vip['advskew']} advbase {$vip['advbase']} {$password}"); interfaces_bring_up($vipif); /* @@ -1813,7 +1888,7 @@ EOD; fclose($fd); /* fire up dhclient */ - mwexec("/sbin/dhclient -c {$g['varetc_path']}/dhclient_{$vipif}.conf {$vipif} > {$g['tmp_path']}/{$vipif}_output > {$g['tmp_path']}/{$vipif}_error_output", false); + mwexec("/sbin/dhclient -c {$g['varetc_path']}/dhclient_{$vipif}.conf {$vipif} >{$g['tmp_path']}/{$vipif}_output 2>{$g['tmp_path']}/{$vipif}_error_output", false); } else { log_error("Error: cannot open dhclient_{$vipif}.conf in interfaces_carpdev_configure() for writing.\n"); mwexec("/sbin/dhclient -b {$vipif}"); @@ -1881,6 +1956,7 @@ function interface_wireless_clone($realif, $wlcfg) { pfSense_interface_rename($newif, $realif); // FIXME: not sure what ngctl is for. Doesn't work. // mwexec("/usr/sbin/ngctl name {$newif}: {$realif}", false); + file_put_contents("{$g['tmp_path']}/{$realif}_oldmac", get_interface_mac($realif)); } return true; } 
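Review bot: `file_put_contents("{$g['tmp_path']}/{$realif}_oldmac", get_interface_mac($realif));` needs `$g` in scope; interface_wireless_clone()'s header is outside the hunk, and if the function does not declare `global $g` the path collapses to `/{$realif}_oldmac` in the filesystem root. Please confirm the global, and check the return value so a failed write is logged rather than silently leaving hostapd without the original MAC. Since `$g['tmp_path']` is made world-writable (`chmod 01777` in gwlb.inc in this same diff), a predictable file name there is only safe on boxes without untrusted local accounts; `$g['varrun_path']` is the more conventional home for root-owned runtime state and is already used by this file.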
@@ -2241,7 +2317,26 @@ EOD; fwrite($fd_set, "{$wpa_supplicant} -B -i {$if} -c {$g['varetc_path']}/wpa_supplicant_{$if}.conf\n"); } if ($wlcfg['mode'] == "hostap") { + /* add line to script to restore old mac to make hostapd happy */ + if (file_exists("{$g['tmp_path']}/{$if}_oldmac")) { + $if_oldmac = file_get_contents("{$g['tmp_path']}/{$if}_oldmac"); + if (is_macaddr($if_oldmac)) + fwrite($fd_set, "{$ifconfig} " . escapeshellarg($if) . + " link " . escapeshellarg($if_oldmac) . "\n"); + } + fwrite($fd_set, "{$hostapd} -B {$g['varetc_path']}/hostapd_{$if}.conf\n"); + + /* add line to script to restore spoofed mac after running hostapd */ + if (file_exists("{$g['tmp_path']}/{$if}_oldmac")) { + if ($wl['spoofmac']) + $if_curmac = $wl['spoofmac']; + else + $if_curmac = get_interface_mac($if); + if (is_macaddr($if_curmac)) + fwrite($fd_set, "{$ifconfig} " . escapeshellarg($if) . + " link " . escapeshellarg($if_curmac) . "\n"); + } } } @@ -2369,6 +2464,7 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven $wancfg = $config['interfaces'][$interface]; $realif = get_real_interface($interface); + $realhwif = interface_translate_type_to_real($interface); if (!$g['booting']) { /* remove all IPv4 addresses */ @@ -2393,7 +2489,7 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven interface_wireless_configure($realif, $wancfg, $wancfg['wireless']); if ($wancfg['spoofmac']) { - mwexec("/sbin/ifconfig " . escapeshellarg($realif) . + mwexec("/sbin/ifconfig " . escapeshellarg($realhwif) . " link " . escapeshellarg($wancfg['spoofmac'])); /* 
@@ -2402,20 +2498,20 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven */ if (is_array($config['vlans']['vlan'])) { foreach ($config['vlans']['vlan'] as $vlan) { - if ($vlan['if'] == $realif) + if ($vlan['if'] == $realhwif) mwexec("/sbin/ifconfig " . escapeshellarg($vlan['vlanif']) . " link " . escapeshellarg($wancfg['spoofmac'])); } } } else { - $mac = get_interface_mac(get_real_interface($wancfg['if'])); - if($mac == "ff:ff:ff:ff:ff:ff") { + $mac = get_interface_mac($realhwif); + if ($mac == "ff:ff:ff:ff:ff:ff") { /* this is not a valid mac address. generate a * temporary mac address so the machine can get online. */ echo "Generating new MAC address."; $random_mac = generate_random_mac_address(); - mwexec("/sbin/ifconfig " . escapeshellarg(get_real_interface($wancfg['if'])) . + mwexec("/sbin/ifconfig " . escapeshellarg($realhwif) . " link " . escapeshellarg($random_mac)); $wancfg['spoofmac'] = $random_mac; write_config(); @@ -2425,7 +2521,7 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven /* media */ if ($wancfg['media'] || $wancfg['mediaopt']) { - $cmd = "/sbin/ifconfig " . escapeshellarg(get_real_interface($wancfg['if'])); + $cmd = "/sbin/ifconfig " . escapeshellarg($realhwif); if ($wancfg['media']) $cmd .= " media " . escapeshellarg($wancfg['media']); if ($wancfg['mediaopt']) @@ -2433,9 +2529,9 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven mwexec($cmd); } if (!empty($wancfg['mtu'])) - pfSense_interface_mtu($realif, $wancfg['mtu']); + pfSense_interface_mtu($realhwif, $wancfg['mtu']); - $options = pfSense_get_interface_addresses($realif); + $options = pfSense_get_interface_addresses($realhwif); if (is_array($options) && isset($options['caps']['polling'])) { if (isset($config['system']['polling'])) pfSense_interface_capabilities($realif, IFCAP_POLLING); 
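Review bot: The hunk switches `pfSense_interface_mtu` and `pfSense_get_interface_addresses` to `$realhwif`, but the following context line `pfSense_interface_capabilities($realif, IFCAP_POLLING);` still targets `$realif`, while the matching `-$flags` call in the next chunk was changed to `$realhwif`; for PPP-style interfaces the two names differ, so polling support is read from the hardware device and then enabled on the PPP pseudo-interface. Use `pfSense_interface_capabilities($realhwif, IFCAP_POLLING);` there too so the read and the write refer to the same device.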
@@ -2444,7 +2540,7 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven } /* skip vlans for checksumming and polling */ - if (!stristr($realif, "vlan") && is_array($options)) { + if (!stristr($realhwif, "vlan") && is_array($options)) { $flags = 0; if(isset($config['system']['disablechecksumoffloading'])) { if (isset($options['encaps']['txcsum'])) @@ -2482,7 +2578,7 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven if (!isset($config['system']['polling']) || !isset($options['caps']['polling'])) { $flags |= IFCAP_POLLING; } - pfSense_interface_capabilities($realif, -$flags); + pfSense_interface_capabilities($realhwif, -$flags); } /* invalidate interface/ip/sn cache */ @@ -2540,19 +2636,21 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven if(does_interface_exist($wancfg['if'])) interfaces_bring_up($wancfg['if']); + + interface_netgraph_needed($interface); if (!$g['booting']) { - interface_reload_carps($realif); + link_interface_to_vips($interface, "update"); unset($gre); $gre = link_interface_to_gre($interface); if (!empty($gre)) - interface_gre_configure($gre); + array_walk($gre, 'interface_gre_configure'); unset($gif); $gif = link_interface_to_gif($interface); if (!empty($gif)) - interface_gif_configure($gif); + array_walk($gif, 'interface_gif_configure'); if ($linkupevent == false) { unset($bridgetmp); @@ -2561,11 +2659,9 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven interface_bridge_add_member($bridgetmp, $realif); } - link_interface_to_vips($interface, "update"); - $grouptmp = link_interface_to_group($interface); if (!empty($grouptmp)) - interface_group_add_member($realif, $grouptmp); + array_walk($grouptmp, 'interface_group_add_member'); if ($interface == "lan") /* make new hosts file */ 
@@ -2583,16 +2679,10 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven services_dnsmasq_configure(); /* update dyndns */ - services_dyndns_configure($interface); - - /* force DNS update */ - services_dnsupdate_process($interface); + send_event("service reload dyndns {$interface}"); /* reload captive portal */ captiveportal_init_rules(); - - /* set the reload filter dity flag */ - filter_configure(); } } @@ -2707,6 +2797,7 @@ function interface_group_setup(&$groupname /* The parameter is an array */) { } function interface_group_add_member($interface, $groupname) { + $interface = get_real_interface($interface); mwexec("/sbin/ifconfig {$interface} group {$groupname}", true); } @@ -2735,7 +2826,7 @@ function convert_real_interface_to_friendly_interface_name($interface = "wan") { $index = intval(substr($interface, 3)); foreach ($config['virtualip']['vip'] as $counter => $vip) { if ($vip['mode'] == "carpdev-dhcp" || $vip['mode'] == "carp") { - if ($index == $counter) + if ($index == $vip['vhid']) return $vip['interface']; } } @@ -2764,22 +2855,22 @@ function convert_friendly_interface_to_friendly_descr($interface) { global $config; switch ($interface) { - case "l2tp": - $ifdesc = "L2TP"; - break; - case "pptp": - $ifdesc = "PPTP"; - break; - case "pppoe": - $ifdesc = "PPPoE"; - break; - case "openvpn": - $ifdesc = "OpenVPN"; - break; - case "enc0": - case "ipsec": - $ifdesc = "IPsec"; - break; + case "l2tp": + $ifdesc = "L2TP"; + break; + case "pptp": + $ifdesc = "PPTP"; + break; + case "pppoe": + $ifdesc = "PPPoE"; + break; + case "openvpn": + $ifdesc = "OpenVPN"; + break; + case "enc0": + case "ipsec": + $ifdesc = "IPsec"; + break; default: if (isset($config['interfaces'][$interface])) { if (empty($config['interfaces'][$interface]['descr'])) 
@@ -2787,13 +2878,23 @@ function convert_friendly_interface_to_friendly_descr($interface) { else $ifdesc = strtoupper($config['interfaces'][$interface]['descr']); break; + } else if (substr($interface, 0, 3) == "vip") { + if (is_array($config['virtualip']['vip'])) { + foreach ($config['virtualip']['vip'] as $counter => $vip) { + if ($vip['mode'] == "carpdev-dhcp" || $vip['mode'] == "carp") { + if ($interface == "vip{$vip['vhid']}") + return "{$vip['subnet']} - {$vip['descr']}"; + } + } + } + } else { + /* if list */ + $ifdescrs = get_configured_interface_with_descr(false, true); + foreach ($ifdescrs as $if => $ifname) { + if ($if == $interface || $ifname == $interface) + return $ifname; + } } - /* if list */ - $ifdescrs = get_configured_interface_with_descr(false, true); - foreach ($ifdescrs as $if => $ifname) { - if ($if == $interface || $ifname == $interface) - return $ifname; - } break; } @@ -2820,10 +2921,31 @@ function convert_real_interface_to_friendly_descr($interface) { function interface_translate_type_to_real($interface) { global $config; - if ($config['interfaces'][$interface]['if'] <> "") - return $config['interfaces'][$interface]['if']; - else + if (empty($config['interfaces'][$interface])) return $interface; + $tmpif = $config['interfaces'][$interface]; + switch ($tmpif['type']) { + case "ppp": + case "pppoe": + case "pptp": + case "l2tp": + if (is_array($config['ppps']['ppp'])) { + foreach ($config['ppps']['ppp'] as $pppidx => $ppp) { + if ($tmpif['if'] == $ppp['if']) { + $interface = $ppp['ports']; + break; + } + } + } + break; + case "dhcp": + case "static": + default: + $interface = $tmpif['if']; + break; + } + + return $interface; } function interface_is_wireless_clone($wlif) { 
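Review bot: interface_translate_type_to_real() now switches on `$tmpif['type']`, whereas interface_netgraph_needed() added in this same diff classifies the same interfaces by `$config['interfaces'][$interface]['ipaddr']` with the same case labels (ppp/pppoe/l2tp/pptp). Unless interface entries also carry a `type` key, the PPP cases here are never hit, the `default` branch returns `$tmpif['if']` (the PPP device rather than its physical port), and every `$realhwif` consumer in interface_configure() — MAC spoofing, MTU, capability flags — then operates on the wrong device. Either key on `['ipaddr']` as the other function does, or document where `type` is populated, e.g. `/* 'type' is the link type of PPP-style interfaces; for plain links fall through to 'if' */`.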
@@ -3108,14 +3230,17 @@ function link_interface_to_vlans($int, $action = "") { function link_interface_to_vips($int, $action = "") { global $config; - if (is_array($config['virtualip']['vip'])) - foreach ($config['virtualip']['vip'] as $vip) - if ($int == $vip['interface']) { - if ($action == "update") + if (is_array($config['virtualip']['vip'])) { + foreach ($config['virtualip']['vip'] as $vip) { + if ($int == $vip['interface']) { + if ($action == "update") { + interface_vip_bring_down($vip); interfaces_vips_configure($int); - else - return $vip; + } else + return $vip; } + } + } } /****f* interfaces/link_interface_to_bridge @@ -3140,30 +3265,44 @@ function link_interface_to_bridge($int) { function link_interface_to_group($int) { global $config; + $result = array(); + if (is_array($config['ifgroups']['ifgroupentry'])) { foreach ($config['ifgroups']['ifgroupentry'] as $group) { - if (in_array($int, explode(" ", $groupname['members']))) - return "{$group['ifname']}"; + if (in_array($int, explode(" ", $group['members']))) + $result[$group['ifname']] = $int; } } + + return $result; } function link_interface_to_gre($interface) { global $config; - if (is_array($config['gres']['gre'])) + $result = array(); + + if (is_array($config['gres']['gre'])) { foreach ($config['gres']['gre'] as $gre) if($gre['if'] == $interface) - return $gre; + $result[] = $gre; + } + + return $result; } function link_interface_to_gif($interface) { global $config; - if (is_array($config['gifs']['gif'])) + $result = array(); + + if (is_array($config['gifs']['gif'])) { foreach ($config['gifs']['gif'] as $gif) if($gif['if'] == $interface) - return $gif; + $result[] = $gif; + } + + return $result; } /* 
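Review bot: link_interface_to_group, link_interface_to_gre and link_interface_to_gif change their return type from a single string/entry (or nothing) to an array, so every caller that tested the result with `if ($x)` or compared it to a string must be updated; those callers are outside this diff. The corrected `$group['members']` lookup still uses a loose `in_array`; `in_array($int, explode(" ", $group['members']), true)` avoids type juggling on member names. A docblock on each of the three functions giving the new return shape (`array<string,string>` keyed by group name for link_interface_to_group, a list of entries for the other two) would make the change visible to maintainers.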
@@ -3427,7 +3566,7 @@ function is_altq_capable($int) { */ $capable = array("age", "ale", "an", "ath", "aue", "awi", "bce", "bfe", "bge", "dc", "de", "ed", "em", "ep", "fxp", "gem", - "hme", "igb", "ipw", "iwi", "jme", "le", "msk", "mxge", "my", "nfe", + "hme", "igb", "ipw", "iwi", "jme", "le", "lem", "msk", "mxge", "my", "nfe", "npe", "nve", "ral", "re", "rl", "rum", "run", "bwn", "sf", "sis", "sk", "ste", "stge", "txp", "udav", "ural", "vge", "vr", "wi", "xl", "ndis", "tun", "ovpns", "ovpnc", "vlan", "pppoe", "pptp", "ng", @@ -3606,4 +3745,15 @@ EOD; unlink_if_exists($cron_file); } +function get_vip_descr($ipaddress) { + global $config; + + foreach ($config['virtualip']['vip'] as $vip) { + if ($vip['subnet'] == $ipaddress) { + return ($vip['descr']); + } + } + return ""; +} + ?> diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc index a46e596..332f300 100644 --- a/etc/inc/ipsec.inc +++ b/etc/inc/ipsec.inc @@ -123,12 +123,18 @@ function ipsec_ikeid_next() { */ function ipsec_get_phase1_src(& $ph1ent) { - if ($ph1ent['interface']) - $if = $ph1ent['interface']; - else + if ($ph1ent['interface']) { + if (!is_ipaddr($ph1ent['interface'])) { + $if = $ph1ent['interface']; + $interfaceip = get_interface_ip($if); + } else { + $interfaceip=$ph1ent['interface']; + } + } + else { $if = "wan"; - - $interfaceip = get_interface_ip($if); + $interfaceip = get_interface_ip($if); + } return $interfaceip; } diff --git a/etc/inc/openvpn.auth-user.php b/etc/inc/openvpn.auth-user.php index 460d681..9ca76cf 100755 --- a/etc/inc/openvpn.auth-user.php +++ b/etc/inc/openvpn.auth-user.php @@ -41,6 +41,7 @@ * in our config.xml file and check the credentials. */ +require_once("globals.inc"); require_once("config.inc"); require_once("radius.inc"); require_once("auth.inc"); 
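Review bot: get_vip_descr iterates `$config['virtualip']['vip']` with no `is_array` guard, unlike every other VIP lookup in this diff (convert_friendly_interface_to_friendly_descr, link_interface_to_vips), so on a configuration without virtual IPs the foreach runs on null and emits a warning. Add `if (!is_array($config['virtualip']['vip'])) return "";` before the loop. A `/****f* interfaces/get_vip_descr` header in the file's existing style, stating that the match is on the exact `subnet` value and that an empty string means no match, would also be consistent with the surrounding functions.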
@@ -95,6 +96,11 @@ if (!$username || !$password) { /* Replaced by a sed with propper variables used below(ldap parameters). */ //<template> +if (file_exists("{$g['varetc_path']}/openvpn/{$modeid}.ca")) { + putenv("LDAPTLS_CACERT={$g['varetc_path']}/openvpn/{$modeid}.ca"); + putenv("LDAPTLS_REQCERT=never"); +} + $authenticated = false; if (($strictusercn === true) && ($common_name != $username)) { @@ -121,4 +127,4 @@ syslog(LOG_WARNING, "user {$username} authenticated\n"); exit(0); -?>
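Review bot: `putenv("LDAPTLS_REQCERT=never")` tells the LDAP client to accept any server certificate, so the CA file exported on the previous line via `LDAPTLS_CACERT` is never actually used to validate the server and an on-path party presenting its own certificate would receive the user's credentials. If the intent is to trust only the configured CA, the setting should be `putenv("LDAPTLS_REQCERT=demand");` (or `hard`), leaving `never` only as an explicit, documented opt-out. `$modeid` is not assigned anywhere in this file as shown; it appears to be injected by the sed template substitution in openvpn.inc, which deserves a comment above the `file_exists` check so readers do not take it for an undefined variable.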
\ No newline at end of file +?> diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc index 2750d01..234f756 100644 --- a/etc/inc/openvpn.inc +++ b/etc/inc/openvpn.inc @@ -393,8 +393,9 @@ function openvpn_reconfigure($mode,& $settings) { $sed .= "\"{$authcfg}\""; } $sed .= ");\\\n"; - if (isset($settings['strictusercn'])) + if ($settings['strictusercn']) $sed .= "\$strictusercn = true;"; + $sed .= " \$modeid = \"{$mode_id}\";"; mwexec("/bin/cat /etc/inc/openvpn.auth-user.php | /usr/bin/sed 's/\/\/<template>/{$sed}/g' > {$g['varetc_path']}/openvpn/{$mode_id}.php"); mwexec("/bin/chmod a+x {$g['varetc_path']}/openvpn/{$mode_id}.php"); $conf .= "auth-user-pass-verify {$g['varetc_path']}/openvpn/{$mode_id}.php via-env\n"; @@ -445,19 +446,19 @@ function openvpn_reconfigure($mode,& $settings) { break; } - // The port we'll listen at - // If local_port is used, bind the management port - if ($settings['local_port']) { + // If there is no bind option at all (ip and/or port), add "nobind" directive + // Otherwise, use the local port if defined, failing that, use lport 0 to + // ensure a random source port. + if ((empty($iface_ip)) && (!$settings['local_port'])) + $conf .= "nobind\n"; + elseif ($settings['local_port']) $conf .= "lport {$settings['local_port']}\n"; - } + else + $conf .= "lport 0\n"; + // Use unix socket to overcome the problem on any type of server $conf .= "management {$g['varetc_path']}/openvpn/{$mode_id}.sock unix\n"; - // If there is no bind option at all (ip and/or port), add "nobind" directive - if ((empty($iface_ip)) && (!$settings['local_port'])) { - $conf .= "nobind\n"; - } - // The remote server $conf .= "remote {$settings['server_addr']} {$settings['server_port']}\n"; 
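Review bot: The new ` \$modeid = \"{$mode_id}\";` fragment is appended to `$sed`, which is then spliced unescaped into a single-quoted `sed 's/...//g'` expression on the shell and lands in generated PHP source; any `/`, `'`, `"` or `&` in `$mode_id` or in the `$authcfg` values assembled above the hunk would break the substitution or alter the generated script. If `$mode_id` is derived from the numeric server id this is safe in practice, but that constraint is undocumented; add `// NOTE: $sed is inserted into a sed s/// expression inside single shell quotes — values must not contain /, ', " or &` above the mwexec line. Switching `isset($settings['strictusercn'])` to a truthiness test also means a stored "0" now disables the check, which is fine if that is how the form stores it, but the old and new semantics differ for an empty-string value.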
@@ -576,7 +577,9 @@ function openvpn_restart($mode, & $settings) { /* start the new process */ $fpath = $g['varetc_path']."/openvpn/{$mode_id}.conf"; mwexec_bg("nohup openvpn --config {$fpath}"); - send_event("filter reload"); + + if (!$g['booting']) + send_event("filter reload"); } function openvpn_delete($mode, & $settings) { @@ -935,4 +938,4 @@ function openvpn_refresh_crls() { } } -?>
\ No newline at end of file +?> diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index ccc9745..c68c3f7 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc @@ -320,9 +320,8 @@ function setup_microcode() { ******/ function get_carp_status() { /* grab the current status of carp */ - $status = `/sbin/sysctl net.inet.carp.allow | cut -d" " -f2`; - if(intval($status) == "0") return false; - return true; + $status = `/sbin/sysctl -n net.inet.carp.allow`; + return (intval($status) > 0); } /* @@ -339,11 +338,8 @@ function convert_ip_to_network_format($ip, $subnet) { * get_carp_interface_status($carpinterface): returns the status of a carp ip */ function get_carp_interface_status($carpinterface) { - /* basically cache the contents of ifconfig statement - to speed up this routine */ - global $carp_query; - if($carp_query == "") - $carp_query = split("\n", `/sbin/ifconfig $carpinterface | grep carp`); + $carp_query = ""; + exec("/sbin/ifconfig $carpinterface | /usr/bin/grep -v grep | /usr/bin/grep carp:", $carp_query); foreach($carp_query as $int) { if(stristr($int, "MASTER")) return "MASTER"; @@ -377,17 +373,11 @@ function add_rule_to_anchor($anchor, $rule, $label) { * remove $text from file $file */ function remove_text_from_file($file, $text) { - global $fd_log; - if($fd_log) - fwrite($fd_log, "Adding needed text items:\n"); + if(!file_exists($file) && !is_writable($file)) + return; $filecontents = file_get_contents($file); - $textTMP = str_replace($text, "", $filecontents); - $text = $textTMP; - if($fd_log) - fwrite($fd_log, $text); - $fd = fopen($file, "w"); - fwrite($fd, $text); - fclose($fd); + $text = str_replace($text, "", $filecontents); + @file_put_contents($file, $text); } /* 
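Review bot: In get_carp_interface_status `$carpinterface` is interpolated unquoted into the exec pipeline, and the `/usr/bin/grep -v grep` stage filters nothing useful because the input is ifconfig output, not a process list. Quote the argument and drop the dead stage: `exec("/sbin/ifconfig " . escapeshellarg($carpinterface) . " | /usr/bin/grep carp:", $carp_query);`. Removing the `$carp_query` cache is a behaviour change worth a one-line comment, since the old code deliberately reused the first result.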
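Review bot: The guard `if(!file_exists($file) && !is_writable($file)) return;` in remove_text_from_file only returns when the file is missing (is_writable is already false for a missing path), so an existing read-only file passes the guard and the `@file_put_contents` on the last line fails silently. The condition should be an OR, mirroring add_text_to_file's `file_exists($file) and is_writable($file)`: `if (!file_exists($file) || !is_writable($file)) return;`. Since the `@` suppresses the write error, returning the `file_put_contents` result rather than nothing would give callers a way to notice the failure.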
@@ -397,8 +387,6 @@ function remove_text_from_file($file, $text) { function add_text_to_file($file, $text, $replace = false) { if(file_exists($file) and is_writable($file)) { $filecontents = file($file); - $fout = fopen($file, "w"); - $filecontents = array_map('rtrim', $filecontents); array_push($filecontents, $text); if ($replace) @@ -406,12 +394,10 @@ function add_text_to_file($file, $text, $replace = false) { $file_text = implode("\n", $filecontents); - fwrite($fout, $file_text); - fclose($fout); + @file_put_contents($file, $file_text); return true; - } else { - return false; } + return false; } /* @@ -560,6 +546,7 @@ function restore_config_section($section, $new_contents) { if(file_exists("{$g['tmp_path']}/config.cache")) unlink("{$g['tmp_path']}/config.cache"); write_config("Restored {$section} of config file (maybe from CARP partner)"); + disable_security_checks(); conf_mount_ro(); return; } @@ -581,6 +568,7 @@ function merge_config_section($section, $new_contents) { $config[$section] = $section_xml; unlink($fname); write_config("Restored {$section} of config file (maybe from CARP partner)"); + disable_security_checks(); conf_mount_ro(); return; } @@ -724,7 +712,7 @@ function call_pfsense_method($method, $params, $timeout = 0) { $cli->setCredentials($username, $password); } $resp = $cli->send($msg, $timeout); - if(!$resp) { + if(!is_object($resp)) { log_error("XMLRPC communication error: " . $cli->errstr); return false; } elseif($resp->faultCode()) { 
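Review bot: add_text_to_file now returns true unconditionally after `@file_put_contents($file, $file_text);`, so a write that fails (disk full, the file losing write permission between the check and the write) is reported as success with the error suppressed. Make the return reflect the write: `return @file_put_contents($file, $file_text) !== false;`. The function's docblock should state that the boolean means "written", not merely "file was writable".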
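Review bot: `disable_security_checks();` is added after a config section is restored from a CARP partner in restore_config_section and again in merge_config_section, with no comment on what is being disabled or why a peer-supplied section should turn it off; from the name alone a reader cannot tell whether this relaxes a runtime protection or clears a one-time setup flag. Add a comment at the first call site such as `/* XXX: disable_security_checks(): <what it disables and why a synced section requires it — TODO confirm> */` so the intent is recorded next to the call. The implementation of disable_security_checks is not in this diff, so the note should be confirmed against it.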
@@ -740,13 +728,16 @@ function call_pfsense_method($method, $params, $timeout = 0) { */ function check_firmware_version($tocheck = "all", $return_php = true) { global $g, $config; + $ip = gethostbyname($g['product_website']); if($ip == $g['product_website']) return false; + $rawparams = array("firmware" => array("version" => trim(file_get_contents('/etc/version'))), "kernel" => array("version" => trim(file_get_contents('/etc/version_kernel'))), "base" => array("version" => trim(file_get_contents('/etc/version_base'))), - "platform" => trim(file_get_contents('/etc/platform')) + "platform" => trim(file_get_contents('/etc/platform')), + "config_version" => $config['version'] ); if($tocheck == "all") { $params = $rawparams; 
@@ -756,22 +747,38 @@ function check_firmware_version($tocheck = "all", $return_php = true) { $params['platform'] = $rawparams['platform']; } } - if($config['system']['firmware']['branch']) { + if($config['system']['firmware']['branch']) $params['branch'] = $config['system']['firmware']['branch']; - } - if(!$versions = call_pfsense_method('pfsense.get_firmware_version', $params)) { + + /* XXX: What is this method? */ + if(!($versions = call_pfsense_method('pfsense.get_firmware_version', $params))) { return false; } else { $versions["current"] = $params; } + return $versions; } +/* + * host_firmware_version(): Return the versions used in this install + */ +function host_firmware_version($tocheck = "") { + global $g, $config; + + return array( + "firmware" => array("version" => trim(file_get_contents('/etc/version', " \n"))), + "kernel" => array("version" => trim(file_get_contents('/etc/version_kernel', " \n"))), + "base" => array("version" => trim(file_get_contents('/etc/version_base', " \n"))), + "platform" => trim(file_get_contents('/etc/platform', " \n")), + "config_version" => $config['version'] + ); +} + function get_disk_info() { $diskout = ""; exec("/bin/df -h | /usr/bin/grep -w '/' | /usr/bin/awk '{ print $2, $3, $4, $5 }'", $diskout); return explode(' ', $diskout[0]); - // $size, $used, $avail, $cap } /****f* pfsense-utils/strncpy @@ -801,13 +808,6 @@ function strncpy(&$dst, $src, $length) { function reload_interfaces_sync() { global $config, $g; - /* XXX: Use locks?! */ - if (file_exists("{$g['tmp_path']}/reloading_all")) { - log_error("WARNING: Recursive call to interfaces sync!"); - return; - } - touch("{$g['tmp_path']}/reloading_all"); - if($g['debug']) log_error("reload_interfaces_sync() is starting."); 
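Review bot: In host_firmware_version the `" \n"` argument is passed to `file_get_contents` (whose second parameter is `$use_include_path`, where the string is coerced to true) instead of to `trim`, on all four lines. Move it into the trim call, e.g. `"firmware" => array("version" => trim(file_get_contents('/etc/version'), " \n")),` and likewise for the kernel, base and platform lines. The `$tocheck` parameter is accepted but never read, and the function also duplicates the `$rawparams` construction in check_firmware_version above it, which could call host_firmware_version() instead of repeating the reads.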
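Review bot: Removing the `reloading_all` marker from reload_interfaces_sync drops the only re-entrancy guard the function had, and the same marker is removed from reload_all_sync in the next hunk (the `@@ -872` hunk). If the intent is that these entry points are now only reached through `send_event` and are serialised by the event handler, a comment stating that assumption at the top of each function would record it; if they can still be called directly from PHP, a file lock should replace the marker rather than leaving nothing. The old code carried an `XXX: Use locks?!` note, so the lock question was already open.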
@@ -824,13 +824,6 @@ function reload_interfaces_sync() { /* set up interfaces */ interfaces_configure(); - - /* remove reloading_all trigger */ - if($g['debug']) - log_error("Removing {$g['tmp_path']}/reloading_all"); - - /* start devd back up */ - mwexec("/bin/rm {$g['tmp_path']}/reload*"); } /****f* pfsense-utils/reload_all @@ -842,7 +835,6 @@ function reload_interfaces_sync() { * none ******/ function reload_all() { - global $g; send_event("service reload all"); } @@ -855,8 +847,7 @@ function reload_all() { * none ******/ function reload_interfaces() { - global $g; - touch("{$g['tmp_path']}/reload_interfaces"); + send_event("interface all reload"); } /****f* pfsense-utils/reload_all_sync @@ -872,13 +863,6 @@ function reload_all_sync() { $g['booting'] = false; - /* XXX: Use locks?! */ - if (file_exists("{$g['tmp_path']}/reloading_all")) { - log_error("WARNING: Recursive call to reload all sync!"); - return; - } - touch("{$g['tmp_path']}/reloading_all"); - /* parse config.xml again */ $config = parse_config(true); @@ -920,8 +904,6 @@ function reload_all_sync() { /* restart webConfigurator if needed */ send_event("service restart webgui"); - - mwexec("/bin/rm {$g['tmp_path']}/reload*"); } function auto_login() { 
@@ -990,21 +972,18 @@ function setup_serial_port() { } /* serial console - write out /boot/loader.conf */ $boot_config = file_get_contents("/boot/loader.conf"); - $boot_config_split = split("\n", $boot_config); - $fd = fopen("/boot/loader.conf","w"); - if($fd) { - foreach($boot_config_split as $bcs) { - if(stristr($bcs, "console")) { - /* DONT WRITE OUT, WE'LL DO IT LATER */ - } else { - if($bcs <> "") - fwrite($fd, "{$bcs}\n"); - } - } - if(isset($config['system']['enableserial'])) { - fwrite($fd, "console=\"comconsole\"\n"); - } - fclose($fd); + $boot_config_split = explode("\n", $boot_config); + if(count($boot_config_split) > 0) { + $new_boot_config = array(); + // Loop through and only add lines that are not empty, and which + // do not contain a console directive. + foreach($boot_config_split as $bcs) + if(!empty($bcs) && (stripos($bcs, "console") === false)) + $new_boot_config[] = $bcs; + + if(isset($config['system']['enableserial'])) + $new_boot_config[] = 'console="comconsole"'; + file_put_contents("/boot/loader.conf", implode("\n", $new_boot_config)); } } $ttys = file_get_contents("/etc/ttys"); @@ -1445,8 +1424,8 @@ function isvm() { } function get_freebsd_version() { - $version = trim(`/usr/bin/uname -r | /usr/bin/cut -d'.' -f1`); - return $version; + $version = php_uname("r"); + return $version[0]; } function download_file_with_progress_bar($url_file, $destination_file, $readbody = 'read_body') { @@ -1469,7 +1448,7 @@ function download_file_with_progress_bar($url_file, $destination_file, $readbody curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_WRITEFUNCTION, $readbody); curl_setopt($ch, CURLOPT_NOPROGRESS, '1'); - curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, '5'); + curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, '60'); curl_setopt($ch, CURLOPT_TIMEOUT, 0); curl_exec($ch); 
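Review bot: `file_put_contents("/boot/loader.conf", implode("\n", $new_boot_config))` writes no trailing newline, whereas the removed loop emitted `"\n"` after every kept line; append it so the file keeps its previous shape: `file_put_contents("/boot/loader.conf", implode("\n", $new_boot_config) . "\n");`. The surrounding `if(count($boot_config_split) > 0)` is always true because explode returns at least one element, so the block could be unconditional. A comment noting that `stripos($bcs, "console")` also drops any unrelated line containing that substring (e.g. a commented-out directive) would document the filter's breadth.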
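Review bot: get_freebsd_version returns `$version[0]`, the first character of `php_uname("r")`, so a two-digit major release would be truncated to a single digit, while the removed `cut -d'.' -f1` returned the whole major component. Return the text before the first dot instead: `return substr($version, 0, strpos($version, "."));`. The same single-character indexing appears in get_pkg_info in pkg-utils.inc (`"freebsd_version" => $freebsd_version[0]`) and should be fixed the same way.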
@@ -1496,8 +1475,11 @@ function read_body($ch, $string) { global $fout, $file_size, $downloaded, $sendto, $static_status, $static_output, $lastseen; $length = strlen($string); $downloaded += intval($length); - $downloadProgress = round(100 * (1 - $downloaded / $file_size), 0); - $downloadProgress = 100 - $downloadProgress; + if($file_size > 0) { + $downloadProgress = round(100 * (1 - $downloaded / $file_size), 0); + $downloadProgress = 100 - $downloadProgress; + } else + $downloadProgress = 0; if($lastseen <> $downloadProgress and $downloadProgress < 101) { if($sendto == "status") { $tostatus = $static_status . $downloadProgress . "%"; @@ -1521,9 +1503,7 @@ function read_body($ch, $string) { function update_output_window($text) { global $pkg_interface; $log = ereg_replace("\n", "\\n", $text); - if($pkg_interface == "console") { - /* too chatty */ - } else { + if($pkg_interface != "console") { echo "\n<script language=\"JavaScript\">this.document.forms[0].output.value = \"" . $log . "\";</script>"; } /* ensure that contents are written out */ diff --git a/etc/inc/pkg-utils.inc b/etc/inc/pkg-utils.inc index 49fd2c5..2371939 100644 --- a/etc/inc/pkg-utils.inc +++ b/etc/inc/pkg-utils.inc @@ -8,6 +8,7 @@ * $Id$ ****** * + * Copyright (C) 2010 Ermal Luçi * Copyright (C) 2005-2006 Colin Smith (ethethlay@gmail.com) * All rights reserved. * Redistribution and use in source and binary forms, with or without 
@@ -34,12 +35,12 @@ */ /* - pfSense_BUILDER_BINARIES: /usr/bin/cd /usr/bin/tar /bin/cat /usr/sbin/fifolog_create /bin/chmod - pfSense_BUILDER_BINARIES: /usr/bin/killall /usr/sbin/pkg_info /usr/sbin/pkg_delete /bin/rm /bin/ls - pfSense_BUILDER_BINARIES: /sbin/pfctl + pfSense_BUILDER_BINARIES: /usr/bin/cd /usr/bin/tar /usr/sbin/fifolog_create /bin/chmod + pfSense_BUILDER_BINARIES: /usr/sbin/pkg_add /usr/sbin/pkg_info /usr/sbin/pkg_delete /bin/rm pfSense_MODULE: pkg */ +require_once("globals.inc"); require_once("xmlrpc.inc"); if(file_exists("/cf/conf/use_xmlreader")) require_once("xmlreader.inc"); @@ -47,7 +48,6 @@ else require_once("xmlparse.inc"); require_once("service-utils.inc"); require_once("pfsense-utils.inc"); -require_once("globals.inc"); if(!function_exists("update_status")) { function update_status($status) { @@ -60,20 +60,33 @@ if(!function_exists("update_output_window")) { } } -safe_mkdir("/var/db/pkg"); +if (!function_exists("pkg_debug")) { + /* set up logging if needed */ + function pkg_debug($msg) { + global $g, $debug, $fd_log; -conf_mount_rw(); + if (!$debug) + return; + + if (!$fd_log) { + if (!$fd_log = fopen("{$g['tmp_path']}/pkg_mgr_{$package}.log", "w")) + update_output_window("Warning, could not open log for writing."); + } + @fwrite($fd_log, $msg); + } +} + +$vardb = "/var/db/pkg"; +safe_mkdir($vardb); $g['platform'] = trim(file_get_contents("/etc/platform")); + +conf_mount_rw(); if(!is_dir("/usr/local/pkg") or !is_dir("/usr/local/pkg/pf")) { safe_mkdir("/usr/local/pkg"); safe_mkdir("/usr/local/pkg/pf"); } conf_mount_ro(); -$version = split("-", trim(file_get_contents("/etc/version"))); -$ver = split("\.", $version[0]); -$g['version'] = intval($ver[1]); - /****f* pkg-utils/remove_package * NAME * remove_package - Removes package from FreeBSD if it exists 
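Review bot: In pkg_debug the `$package` used in `fopen("{$g['tmp_path']}/pkg_mgr_{$package}.log", "w")` is neither a parameter nor in the `global` list, so it is always undefined and every caller logs to the same `pkg_mgr_.log`; the removed code in install_package had `$package` in scope as its parameter. Either take the name as an optional argument, `function pkg_debug($msg, $package = "")`, or use a fixed file name and say so in the comment. The handle opened here is kept in `$fd_log` and never closed in the visible code, so the log may lose buffered output if the process exits abnormally; an explicit close at the end of install_package would be worth adding.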
@@ -85,8 +98,7 @@ $g['version'] = intval($ver[1]); * ******/ function remove_freebsd_package($packagestring) { - $todel = substr(reverse_strrchr($packagestring, "."), 0, -1); - exec("echo y | /usr/sbin/pkg_delete -x {$todel}"); + exec("/usr/sbin/pkg_delete -x {$packagestring}"); } /****f* pkg-utils/is_package_installed @@ -117,12 +129,10 @@ function is_package_installed($packagename) { function get_pkg_id($pkg_name) { global $config; - if(is_array($config['installedpackages']['package'])) { - $i = 0; - foreach($config['installedpackages']['package'] as $pkg) { + if (is_array($config['installedpackages']['package'])) { + foreach($config['installedpackages']['package'] as $idx => $pkg) { if($pkg['name'] == $pkg_name) - return $i; - $i++; + return $idx; } } return -1; @@ -140,12 +150,12 @@ function get_pkg_id($pkg_name) { function get_pkg_info($pkgs = 'all', $info = 'all') { global $g; - $freebsd_version = str_replace("\n", "", `uname -r | cut -d'-' -f1 | cut -d'.' -f1`); - $freebsd_machine = str_replace("\n", "", `uname -m`); + $freebsd_version = php_uname("r"); + $freebsd_machine = php_uname("m"); $params = array( "pkg" => $pkgs, "info" => $info, - "freebsd_version" => $freebsd_version, + "freebsd_version" => $freebsd_version[0], "freebsd_machine" => $freebsd_machine ); $resp = call_pfsense_method('pfsense.get_pkgs', $params, 10); 
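Review bot: `exec("/usr/sbin/pkg_delete -x {$packagestring}")` in remove_freebsd_package interpolates the package name unescaped into the shell command, and `-x` additionally treats it as a regular expression, so a name containing shell or regex metacharacters is interpreted rather than matched literally. Quote the argument: `exec("/usr/sbin/pkg_delete -x " . escapeshellarg($packagestring));`. Dropping the `echo y |` pipe means any interactive prompt from pkg_delete would now block; if pkg_delete never prompts for this invocation a one-line comment saying so would stop the next reader from re-adding it.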
@@ -153,14 +163,22 @@ function get_pkg_info($pkgs = 'all', $info = 'all') { } function get_pkg_sizes($pkgs = 'all') { - global $g; + global $config, $g; - $params = array("pkg" => $pkgs); + $freebsd_version = php_uname("r"); + $freebsd_machine = php_uname("m"); + $params = array( + "pkg" => $pkgs, + "freebsd_version" => $freebsd_version, + "freebsd_machine" => $freebsd_machine + ); $msg = new XML_RPC_Message('pfsense.get_pkg_sizes', array(php_value_to_xmlrpc($params))); $xmlrpc_base_url = isset($config['system']['altpkgrepo']['enable']) ? $config['system']['altpkgrepo']['xmlrpcbaseurl'] : $g['xmlrpcbaseurl']; $cli = new XML_RPC_Client($g['xmlrpcpath'], $xmlrpc_base_url); $resp = $cli->send($msg, 10); - if($resp and !$resp->faultCode()) { + if(!is_object($resp)) + log_error("Could not get response from XMLRPC server!"); + else if (!$resp->faultCode()) { $raw_versions = $resp->value(); return xmlrpc_value_to_php($raw_versions); } 
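Review bot: get_pkg_sizes sends the whole `php_uname("r")` string as `freebsd_version`, while get_pkg_info in the previous hunk sends `$freebsd_version[0]`, so the two RPC calls report the platform in different formats to the same server; pick one representation (the major version) and use it in both. On both failure branches the function now falls off the end and returns null rather than an explicit value, so `return false;` after the `else if` block would make the failure visible to callers. The log message on the `!is_object($resp)` branch would be more useful if it included `$cli->errstr`, as call_pfsense_method does in pfsense-utils.inc.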
@@ -173,35 +191,30 @@ function get_pkg_sizes($pkgs = 'all') { * This function may also print output to the terminal indicating progress. */ function resync_all_package_configs($show_message = false) { - global $config, $restart_sync, $pkg_interface; + global $config, $pkg_interface; - $i = 0; log_error("Resyncing configuration for all packages."); - if(!$config['installedpackages']['package']) + if (!is_array($config['installedpackages']['package'])) return; if($show_message == true) echo "Syncing packages:"; - if (is_array($config['installedpackages']['package'])) { - foreach($config['installedpackages']['package'] as $package) { - if (empty($package['name'])) - continue; - if($show_message == true) - echo " " . $package['name']; - get_pkg_depends($package['name'], "all"); - stop_service($package['name']); - sync_package($i, true, true); - if($restart_sync == true) { - $restart_sync = false; - if($pkg_interface == "console") - echo "\nSyncing packages:"; - } - $i++; - } + conf_mount_rw(); + foreach($config['installedpackages']['package'] as $idx => $package) { + if (empty($package['name'])) + continue; + if($show_message == true) + echo " " . $package['name']; + get_pkg_depends($package['name'], "all"); + stop_service($package['name']); + sync_package($idx, true, true); + if($pkg_interface == "console") + echo "\nSyncing packages:"; } if($show_message == true) echo " done.\n"; @unlink("/conf/needs_package_sync"); + conf_mount_ro(); } /* @@ -209,11 +222,10 @@ function resync_all_package_configs($show_message = false) { * package is installed. */ function is_freebsd_pkg_installed($pkg) { - global $g; + $output = ""; + exec("/usr/sbin/pkg_info -E \"{$pkg}*\"", $output, $retval); - if(in_array($pkg, return_dir_as_array("{$g['vardb_path']}/pkg"))) - return true; - return false; + return (intval($retval) == 0); } /* 
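Review bot: In is_freebsd_pkg_installed `$pkg` is placed inside a double-quoted shell argument, so `$`, backticks or `"` in a dependency name (these names come from package metadata, see get_pkg_depends and install_package_xml) are interpreted by the shell. Quote the name and keep only the glob outside the quotes: `exec("/usr/sbin/pkg_info -E " . escapeshellarg($pkg) . "*", $output, $retval);`. Because `-E` with a trailing `*` is a prefix match, a name that is a prefix of another installed package would report as installed; if that is acceptable, a comment stating it would help.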
@@ -226,7 +238,6 @@ function is_freebsd_pkg_installed($pkg) { */ function get_pkg_depends($pkg_name, $filetype = ".xml", $format = "files", $return_nosync = 1) { global $config; - require_once("notices.inc"); $pkg_id = get_pkg_id($pkg_name); if($pkg_id == -1) @@ -238,8 +249,10 @@ function get_pkg_depends($pkg_name, $filetype = ".xml", $format = "files", $retu if(!file_exists("/usr/local/pkg/" . $package['configurationfile'])) { log_error("The {$package['name']} package is missing required dependencies and is being reinstalled." . $package['configurationfile']); uninstall_package($package['name']); - if (install_package($package['name']) < 0) + if (install_package($package['name']) < 0) { + log_error("Failed reinstalling package {$package['name']}."); return false; + } } $pkg_xml = parse_xml_config_pkg("/usr/local/pkg/" . $package['configurationfile'], "packagegui"); if (!empty($pkg_xml['additional_files_needed'])) { @@ -289,21 +302,22 @@ function get_pkg_depends($pkg_name, $filetype = ".xml", $format = "files", $retu } function uninstall_package($pkg_name) { - global $config; + global $config, $static_output; $id = get_pkg_id($pkg_name); if ($id >= 0) { $pkg_depends =& $config['installedpackages']['package'][$id]['depends_on_package']; + $static_output .= "Removing package...\n"; + update_output_window($static_output); if (is_array($pkg_depends)) { foreach ($pkg_depends as $pkg_depend) - delete_package($pkg_depend, $id); + delete_package($pkg_depend); } } delete_package_xml($pkg_name); } function force_remove_package($pkg_name) { - global $config; delete_package_xml($pkg_name); } 
@@ -311,8 +325,7 @@ function force_remove_package($pkg_name) { * sync_package($pkg_name, $sync_depends = true, $show_message = false) Force a package to setup its configuration and rc.d files. */ function sync_package($pkg_name, $sync_depends = true, $show_message = false) { - global $config; - require_once("notices.inc"); + global $config, $config_parsed; if(empty($config['installedpackages']['package'])) return; @@ -335,7 +348,8 @@ function sync_package($pkg_name, $sync_depends = true, $show_message = false) { return -1; } $pkg_config = parse_xml_config_pkg("/usr/local/pkg/" . $package['configurationfile'], "packagegui"); - + if(isset($pkg_config['nosync'])) + return; /* Bring in package include files */ if (!empty($pkg_config['include_file'])) { $include_file = $pkg_config['include_file']; @@ -352,11 +366,6 @@ function sync_package($pkg_name, $sync_depends = true, $show_message = false) { } } - /* XXX: Zend complains about the next line "Wrong break depth" - * The code is obviously wrong, but I'm not sure what it's supposed to do? - */ - if(isset($pkg_config['nosync'])) - continue; if(!empty($pkg_config['custom_php_global_functions'])) eval($pkg_config['custom_php_global_functions']); if(!empty($pkg_config['custom_php_resync_config_command'])) 
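Review bot: The new `if(isset($pkg_config['nosync'])) return;` in sync_package returns null while the other early exits in the same function return -1, so callers cannot distinguish "skipped because nosync" from "failed"; either return a distinct value or document in the function's docblock that null means skipped. `$config_parsed` is added to the `global` list but is not referenced in the visible lines of sync_package; if it exists for code pulled in by the `eval` and `require_once` calls below, a comment saying so would prevent it being removed as unused.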
@@ -366,18 +375,30 @@ function sync_package($pkg_name, $sync_depends = true, $show_message = false) { if(is_array($depends)) { foreach($depends as $item) { if(!file_exists($item)) { + require_once("notices.inc"); file_notice($package['name'], "The {$package['name']} package is missing required dependencies and must be reinstalled.", "Packages", "/pkg_mgr_install.php?mode=reinstallpkg&pkg={$package['name']}", 1); log_error("Could not find {$item}. Reinstalling package."); uninstall_package($pkg_name); - install_package($pkg_name); + if (install_package($pkg_name) < 0) { + log_error("Reinstalling package {$package['name']} failed. Take appropriate measures!!!"); + return -1; + } } else { $item_config = parse_xml_config_pkg($item, "packagegui"); if (empty($item_config)) continue; if(isset($item_config['nosync'])) continue; - if($item_config['custom_php_command_before_form'] <> "") - eval($item_config['custom_php_command_before_form']); + if (!empty($item_config['include_file'])) { + if (file_exists($item_config['include_file'])) + require_once($item_config['include_file']); + else { + log_error("Not calling package sync code for dependency {$item_config['name']} of {$package['name']} because some include files are missing."); + continue; + } + } + if($item_config['custom_php_global_functions'] <> "") + eval($item_config['custom_php_global_functions']); if($item_config['custom_php_resync_config_command'] <> "") eval($item_config['custom_php_resync_config_command']); if($show_message == true) 
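Review bot: `require_once($item_config['include_file'])` loads a path taken verbatim from the dependency's package XML, and the following `eval` calls execute `custom_php_global_functions` and `custom_php_resync_config_command` from the same XML; the `file_exists` check only confirms the path exists, it does not confine it. The package XML itself is fetched by download_file_with_progress_bar, which in this same diff sets `CURLOPT_SSL_VERIFYPEER` to false (context in the pfsense-utils.inc hunk), so the integrity of the code executed here rests entirely on the download channel. Record the trust assumption with a comment such as `/* package XML is trusted code: include_file and the custom_php_* hooks run with full privileges */`, and consider restricting `include_file` to the `/usr/local/pkg/` tree used elsewhere in this file. The `<> ""` comparisons should be `!empty(...)` for consistency with the `custom_php_global_functions` check earlier in the function.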
@@ -391,87 +412,105 @@ function sync_package($pkg_name, $sync_depends = true, $show_message = false) { /* * pkg_fetch_recursive: Download and install a FreeBSD package and its dependencies. This function provides output to * a progress bar and output window. - * - * XXX: This function needs to return where a pkg_add fails. Our current error messages aren't very descriptive. */ -function pkg_fetch_recursive($pkgname, $filename, $dependlevel = 0, $base_url = 'http://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-8.1-release/Latest') { - global $pkgent, $static_output, $g, $fd_log; - - $pkg_extension = strrchr($filename, '.'); +function pkg_fetch_recursive($pkgname, $filename, $dependlevel = 0, $base_url = "") { + global $static_output, $g; + + $osname = php_uname("s"); + $arch = php_uname("m"); + $rel = php_uname("r"); + $rel = strtolower(substr($rel, 0, strrpos($rel, "-"))); + $priv_url = "http://ftp2.{$osname}.org/pub/{$osname}/ports/{$arch}/packages-{$rel}/All"; + if (empty($base_url)) + $base_url = $priv_url; + if (substr($base_url, -1) == "/") + $base_url = substr($base_url, 0, -1); $static_output .= "\n" . str_repeat(" ", $dependlevel * 2) . $pkgname . " "; - $fetchto = "{$g['tmp_path']}/apkg_{$pkgname}{$pkg_extension}"; - download_file_with_progress_bar("{$base_url}/{$filename}", $fetchto); + $fetchto = "{$g['tmp_path']}/apkg_{$filename}"; + $static_output .= "\n" . str_repeat(" ", $dependlevel * 2 + 1) . "Trying to download {$base_url}/{$filename} ... 
"; + if (download_file_with_progress_bar("{$base_url}/{$filename}", $fetchto) !== true) { + if ($base_url != $priv_url && download_file_with_progress_bar("{$priv_url}/{$filename}", $fetchto) !== true) { + $static_output .= " could not download from there or {$priv_url}/{$filename}.\n"; + update_output_window($static_output); + return false; + } else if ($base_url == $priv_url) { + $static_output .= " failed to download.\n"; + update_output_window($static_output); + return false; + } else { + $static_output .= " downloaded from {$osname} repository instead of provided one.\n"; + update_output_window($static_output); + } + } $static_output .= " (extracting)"; update_output_window($static_output); $slaveout = ""; exec("/usr/bin/tar --fast-read -O -f {$fetchto} -x +CONTENTS 2>&1", $slaveout); - $workingdir = preg_grep("/instmp/", $slaveout); - $workingdir = $workingdir[0]; $raw_depends_list = array_values(preg_grep("/\@pkgdep/", $slaveout)); - if($raw_depends_list != "") { - if($pkgent['exclude_dependency'] != "") - $raw_depends_list = array_values(preg_grep($pkgent['exclude_dependency'], PREG_GREP_INVERT)); + if ($raw_depends_list != "") { + $pkg_extension = ".tbz"; foreach($raw_depends_list as $adepend) { - $working_depend = explode(" ", $adepend); - //$working_depend = explode("-", $working_depend[1]); - $depend_filename = $working_depend[1] . $pkg_extension; - if(is_freebsd_pkg_installed($working_depend[1]) === false) { - pkg_fetch_recursive($working_depend[1], $depend_filename, $dependlevel + 1, $base_url); + $working_depend = explode(" ", trim($adepend, "\n")); + if (substr($working_depend[1], -4) != ".tbz") + $depend_filename = $working_depend[1] . $pkg_extension; + else + $depend_filename = $working_depend[1]; + if (!is_freebsd_pkg_installed($working_depend[1])) { + if (pkg_fetch_recursive($working_depend[1], $depend_filename, $dependlevel + 1, $base_url) == false) + return false; } else { //$dependlevel++; - $static_output .= "\n" . 
str_repeat(" ", $dependlevel * 2) . $working_depend[1] . " "; - @fwrite($fd_log, $working_depend[1] . "\n"); + $static_output .= "\n" . str_repeat(" ", $dependlevel * 2) . $working_depend[1] . " already installed."; + pkg_debug($working_depend[1] . "\n"); } } } $pkgaddout = ""; - exec("/bin/cat {$g['tmp_path']}/y | /usr/sbin/pkg_add -fv {$fetchto} 2>&1", $pkgaddout); - @fwrite($fd_log, $pkgname . " " . print_r($pkgaddout, true) . "\n"); + exec("/usr/sbin/pkg_add -fv {$fetchto} 2>&1", $pkgaddout); + pkg_debug($pkgname . " " . print_r($pkgaddout, true) . "\npkg_add successfully completed.\n"); return true; } function install_package($package, $pkg_info = "") { - global $g, $config, $pkg_interface, $fd_log, $static_output, $pkg_interface, $restart_sync; + global $g, $config, $static_output, $pkg_interface; /* safe side. Write config below will send to ro again. */ conf_mount_rw(); if($pkg_interface == "console") echo "\n"; - /* open logfiles and begin installation */ - if (!$fd_log) { - if (!$fd_log = fopen("{$g['tmp_path']}/pkg_mgr_{$package}.log", "w")) - update_output_window("Warning, could not open log for writing."); - } /* fetch package information if needed */ if(empty($pkg_info) or !is_array($pkg_info[$package])) { $pkg_info = get_pkg_info(array($package)); $pkg_info = $pkg_info[$package]; // We're only dealing with one package, so we can strip away the extra array. + if (empty($pkg_info)) { + conf_mount_ro(); + return -1; + } } - @fwrite($fd_log, "Beginning package installation.\n"); + pkg_debug("Beginning package installation.\n"); log_error('Beginning package installation for ' . $pkg_info['name'] . '.'); - update_status("Beginning package installation for " . $pkg_info['name'] . "..."); + $static_output .= "Beginning package installation for " . $pkg_info['name'] . "..."; + update_status($static_output); /* fetch the package's configuration file */ if($pkg_info['config_file'] != "") { - $static_output .= "Downloading package configuration file... 
"; + $static_output .= "\nDownloading package configuration file... "; update_output_window($static_output); - @fwrite($fd_log, "Downloading package configuration file...\n"); + pkg_debug("Downloading package configuration file...\n"); $fetchto = substr(strrchr($pkg_info['config_file'], '/'), 1); download_file_with_progress_bar($pkg_info['config_file'], '/usr/local/pkg/' . $fetchto); if(!file_exists('/usr/local/pkg/' . $fetchto)) { - @fwrite($fd_log, "ERROR! Unable to fetch package configuration file. Aborting installation.\n"); - if($pkg_interface == "console") { - conf_mount_ro(); + pkg_debug("ERROR! Unable to fetch package configuration file. Aborting installation.\n"); + if($pkg_interface == "console") print "\nERROR! Unable to fetch package configuration file. Aborting package installation.\n"; - return; - } else { + else { $static_output .= "failed!\n\nInstallation aborted."; update_output_window($static_output); echo "<br>Show <a href=\"pkg_mgr_install.php?showlog=true\">install log</a></center>"; - conf_mount_ro(); - return -1; } + conf_mount_ro(); + return -1; } $static_output .= "done.\n"; update_output_window($static_output); @@ -511,8 +550,6 @@ function install_package($package, $pkg_info = "") { update_output_window($static_output); if($pkg_info['after_install_info']) update_output_window($pkg_info['after_install_info']); - start_service($pkg_info['name']); - $restart_sync = true; } } @@ -539,7 +576,7 @@ function eval_once($toeval) { } function install_package_xml($pkg) { - global $g, $config, $fd_log, $static_output, $pkg_interface; + global $g, $config, $static_output, $pkg_interface, $config_parsed; if(($pkgid = get_pkg_id($pkg)) == -1) { $static_output .= "The {$pkg} package is not installed.\n\nInstallation aborted."; 
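Review bot: In pkg_fetch_recursive `$filename` — taken from the `@pkgdep` lines of a downloaded package's +CONTENTS (`$working_depend[1]`) and from the package XML in install_package_xml — is used unescaped to build `$fetchto` and then interpolated into both `exec("/usr/bin/tar ... -f {$fetchto} ...")` and `exec("/usr/sbin/pkg_add -fv {$fetchto} 2>&1")`, so shell metacharacters or path components in a dependency name are interpreted. Strip the path and quote the argument: `$fetchto = "{$g['tmp_path']}/apkg_" . basename($filename);`, `exec("/usr/bin/tar --fast-read -O -f " . escapeshellarg($fetchto) . " -x +CONTENTS 2>&1", $slaveout);` and `exec("/usr/sbin/pkg_add -fv " . escapeshellarg($fetchto) . " 2>&1", $pkgaddout);`. The packages are fetched over plain HTTP from `$priv_url` and installed with `pkg_add -f` without any checksum or signature check, which deserves a comment in the function header so operators know the mirror is trusted. The recursion has no cycle guard: a dependency loop in the `@pkgdep` lists would recurse until pkg_add has installed one side, and `strrpos($rel, "-")` returns false when the release string has no dash, producing an empty `$rel` in the URL.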
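Review bot: Removing `start_service($pkg_info['name']);` and `$restart_sync = true;` means a freshly installed package's service is no longer started at the end of install_package, at least on the path visible here. If the rc.d handling in sync_package now covers this, a comment at the removal point saying so would keep the next maintainer from re-adding the call; if not, the service start has been lost.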
@@ -553,20 +590,6 @@ function install_package_xml($pkg) { } else $pkg_info = $config['installedpackages']['package'][$pkgid]; - /* set up logging if needed */ - if(!$fd_log) { - if(!$fd_log = fopen("{$g['tmp_path']}/pkg_mgr_{$pkg}.log", "w")) { - update_output_window("Warning, could not open log for writing."); - } - } - - /* make 'y' file */ - $fd = fopen("{$g['tmp_path']}/y", "w"); - for($line = 0; $line < 10; $line++) { - fwrite($fd, "y\n"); - } - fclose($fd); - /* pkg_add the package and its dependencies */ if($pkg_info['depends_on_package_base_url'] != "") { if($pkg_interface == "console") 
@@ -578,49 +601,36 @@ function install_package_xml($pkg) { update_output_window($static_output); foreach((array) $pkg_info['depends_on_package'] as $pkgdep) { $pkg_name = substr(reverse_strrchr($pkgdep, "."), 0, -1); - if(isset($pkg_info['skip_install_checks'])) - $pkg_installed = true; - else - $pkg_installed = is_freebsd_pkg_installed($pkg_name); - - if($pkg_installed == false) - pkg_fetch_recursive($pkg_name, $pkgdep, 0, $pkg_info['depends_on_package_base_url']); - $static_output = $static_orig . "done.\nChecking for successful package installation... "; + $static_output = $static_orig . "\nChecking for package installation... "; update_output_window($static_output); - /* make sure our package was successfully installed */ - if($pkg_installed == false) - $pkg_installed = is_freebsd_pkg_installed($pkg_name); - if($pkg_installed == true) { - $static_output .= "done.\n"; - update_output_window($static_output); - fwrite($fd_log, "pkg_add successfully completed.\n"); - } else { - $static_output .= "of {$pkg_name} failed!\n\nInstallation aborted."; - update_output_window($static_output); - fwrite($fd_log, "Package WAS NOT installed properly.\n"); - fclose($fd_log); - if($pkg_interface <> "console") { - echo "\n<script language=\"JavaScript\">document.progressbar.style.visibility='hidden';</script>"; - echo "\n<script language=\"JavaScript\">document.progholder.style.visibility='hidden';</script>"; + if (!is_freebsd_pkg_installed($pkg_name)) { + if (!pkg_fetch_recursive($pkg_name, $pkgdep, 0, $pkg_info['depends_on_package_base_url'])) { + $static_output .= "of {$pkg_name} failed!\n\nInstallation aborted."; + update_output_window($static_output); + pkg_debug("Package WAS NOT installed properly.\n"); + if($pkg_interface <> "console") { + echo "\n<script language=\"JavaScript\">document.progressbar.style.visibility='hidden';</script>"; + echo "\n<script language=\"JavaScript\">document.progholder.style.visibility='hidden';</script>"; + } + sleep(1); + return false; } - 
sleep(1); - return false; } } } $configfile = substr(strrchr($pkg_info['config_file'], '/'), 1); if(file_exists("/usr/local/pkg/" . $configfile)) { - $static_output .= "Loading package configuration... "; + $static_output .= "\nLoading package configuration... "; update_output_window($static_output); $pkg_config = parse_xml_config_pkg("/usr/local/pkg/" . $configfile, "packagegui"); $static_output .= "done.\n"; update_output_window($static_output); - $static_output .= "Configuring package components...\n"; + $static_output .= "\tConfiguring package components...\n"; if (!empty($pkg_config['filter_rules_needed'])) $config['installedpackages']['package'][$pkgid]['filter_rule_function'] = $pkg_config['filter_rules_needed']; update_output_window($static_output); /* modify system files */ - if(is_array($pkg_config['modify_system']['item'])) { + if(is_array($pkg_config['modify_system']) && is_array($pkg_config['modify_system']['item'])) { $static_output .= "\tSystem files... "; update_output_window($static_output); foreach($pkg_config['modify_system']['item'] as $ms) { 
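Review bot: The rewritten dependency loop no longer honours `$pkg_info['skip_install_checks']`: the removed code set `$pkg_installed = true` for such packages, while the new code unconditionally calls `is_freebsd_pkg_installed($pkg_name)` and then `pkg_fetch_recursive()`. If dropping the flag is intended, a comment such as `/* skip_install_checks is no longer honoured; dependencies are always verified */` above the `foreach` would record that; otherwise the check belongs in front of the `is_freebsd_pkg_installed()` call. `$pkg_name` is derived from the package XML's `depends_on_package` entry and is handed to `pkg_fetch_recursive()`, which earlier in this diff appears to interpolate the fetched name into `exec("/usr/sbin/pkg_add -fv {$fetchto} 2>&1", ...)` without `escapeshellarg()`; wrapping it there keeps an unusual package name from being parsed as shell syntax. install_package_xml continues outside the hunk.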
@@ -652,15 +662,19 @@ function install_package_xml($pkg) { safe_mkdir($prefix); $static_output .= $filename . " "; update_output_window($static_output); - download_file_with_progress_bar($afn['item'][0], $prefix . $filename); + if (download_file_with_progress_bar($afn['item'][0], $prefix . $filename) !== true) { + $static_output .= "failed.\n"; + update_output_window($static_output); + return false; + } if(stristr($filename, ".tgz") <> "") { - fwrite($fd_log, "Extracting tarball to -C for " . $filename . "...\n"); + pkg_debug("Extracting tarball to -C for " . $filename . "...\n"); $tarout = ""; exec("/usr/bin/tar xvzf " . $prefix . $filename . " -C / 2>&1", $tarout); - fwrite($fd_log, print_r($tarout, true) . "\n"); + pkg_debug(print_r($tarout, true) . "\n"); } if($pkg_chmod <> "") { - fwrite($fd_log, "Changing file mode to {$pkg_chmod} for {$prefix}{$filename}\n"); + pkg_debug("Changing file mode to {$pkg_chmod} for {$prefix}{$filename}\n"); @chmod($prefix . $filename, $pkg_chmod); system("/bin/chmod {$pkg_chmod} {$prefix}{$filename}"); } @@ -674,12 +688,20 @@ function install_package_xml($pkg) { * show us where an error exists in a package * instead of making us blindly guess */ + $missing_include = false; if($pkg_config['include_file'] <> "") { - $static_output = "Loading package instructions..."; + $static_output .= "Loading package instructions...\n"; update_output_window($static_output); - fwrite($fd_log, "require_once('{$pkg_config['include_file']}')\n"); + pkg_debug("require_once('{$pkg_config['include_file']}')\n"); if (file_exists($pkg_config['include_file'])) require_once($pkg_config['include_file']); + else { + $missing_include = true; + $static_output .= "\tInclude " . basename($pkg_config['include_file']) . " is missing!\n"; + update_output_window($static_output); + /* XXX: Should undo the steps before this?! */ + return false; + } } /* sidebar items */ if(is_array($pkg_config['menu'])) { 
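Review bot: The new early return after `download_file_with_progress_bar(...) !== true` leaves whatever partial file the fetch may have written at `$prefix . $filename` in place; add `@unlink($prefix . $filename);` before `return false;` so a retry does not see a truncated artifact. The kept `exec("/usr/bin/tar xvzf " . $prefix . $filename . " -C / 2>&1", $tarout)` and `system("/bin/chmod {$pkg_chmod} {$prefix}{$filename}")` still interpolate `$prefix`, `$filename` and `$pkg_chmod`, which appear to come from the downloaded package definition, without `escapeshellarg()`; since this hunk already touches both lines, wrapping each argument would be cheap. install_package_xml continues outside the hunk.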
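Review bot: `$missing_include = true;` in the new `else` branch is dead code: the branch executes `return false;` two lines later, so nothing ever reads the flag, and the `if ($missing_include == false)` guard added around the `eval_once()` calls in the next hunk (`@@ -724,30 +746,35 @@`) can never be false. Either keep the flag and drop the `return false;` so the remaining install steps run without the custom hooks (which is what the guard implies), or keep the early return and remove both the flag and the guard. The `/* XXX: Should undo the steps before this?! */` comment is a real concern — tarballs have already been extracted and `filter_rule_function` written into `$config` by this point — so at minimum a comment stating that the caller is expected to clean up after a `false` return would make the contract explicit. install_package_xml continues outside the hunk.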
@@ -724,30 +746,35 @@ function install_package_xml($pkg) { update_output_window($static_output); } /* custom commands */ - $static_output .= "\tCustom commands... "; + $static_output .= "Custom commands...\n"; update_output_window($static_output); - if($pkg_config['custom_php_global_functions'] <> "") { - $static_output = "Executing custom_php_global_functions()..."; - update_output_window($static_output); - eval_once($pkg_config['custom_php_global_functions']); - } - if($pkg_config['custom_php_install_command']) { - $static_output = "Executing custom_php_install_command()..."; - update_output_window($static_output); - eval_once($pkg_config['custom_php_install_command']); - } - if($pkg_config['custom_php_resync_config_command'] <> "") { - $static_output = "Executing custom_php_resync_config_command()..."; - update_output_window($static_output); - eval_once($pkg_config['custom_php_resync_config_command']); + if ($missing_include == false) { + if($pkg_config['custom_php_global_functions'] <> "") { + $static_output .= "\tExecuting custom_php_global_functions()..."; + update_output_window($static_output); + eval_once($pkg_config['custom_php_global_functions']); + $static_output .= "done.\n"; + update_output_window($static_output); + } + if($pkg_config['custom_php_install_command']) { + $static_output .= "\tExecuting custom_php_install_command()..."; + update_output_window($static_output); + eval_once($pkg_config['custom_php_install_command']); + $static_output .= "done.\n"; + update_output_window($static_output); + } + if($pkg_config['custom_php_resync_config_command'] <> "") { + $static_output .= "\tExecuting custom_php_resync_config_command()..."; + update_output_window($static_output); + eval_once($pkg_config['custom_php_resync_config_command']); + $static_output .= "done.\n"; + update_output_window($static_output); + } } - $static_output .= "done.\n"; - update_output_window($static_output); } else { $static_output .= "Loading package configuration... 
failed!\n\nInstallation aborted."; update_output_window($static_output); - fwrite($fd_log, "Unable to load package configuration. Installation aborted.\n"); - fclose($fd_log); + pkg_debug("Unable to load package configuration. Installation aborted.\n"); if($pkg_interface <> "console") { echo "\n<script language=\"JavaScript\">document.progressbar.style.visibility='hidden';</script>"; echo "\n<script language=\"JavaScript\">document.progholder.style.visibility='hidden';</script>"; 
@@ -760,64 +787,44 @@ function install_package_xml($pkg) { if($pkg_info['logging']) { mwexec("/usr/sbin/fifolog_create -s 32768 {$g['varlog_path']}/{$pkg_info['logging']['logfilename']}"); @chmod($g['varlog_path'] . '/' . $pkg_info['logging']['logfilename'], 0600); - @fwrite($fd_log, "Adding text to file /etc/syslog.conf\n"); - if(is_process_running("syslogd")) - mwexec("killall syslogd"); + add_text_to_file("/etc/syslog.conf", $pkg_info['logging']['facilityname'] . "\t\t\t\t" . $pkg_info['logging']['logfilename']); + pkg_debug("Adding text to file /etc/syslog.conf\n"); system_syslogd_start(); } return true; } -function delete_package($pkg, $pkgid) { - global $g, $config, $fd_log, $static_output; +function delete_package($pkg) { + global $config, $g, $static_output, $vardb; - update_status("Removing package..."); - $static_output .= "Removing package... "; - update_output_window($static_output); - if (!is_array($config['installedpackages']['package'])) - return; - - $pkg_info =& $config['installedpackages']['package'][$pkgid]; - if (empty($pkg_info)) - return; - if (empty($pkg_info['configurationfile'])) - return; - - $static_output .= "\nStarting package deletion for {$pkg_info['name']}...\n"; - update_output_window($static_output); - if (!empty($pkg)) - delete_package_recursive($pkg); - $static_output .= "done.\n"; - update_output_window($static_output); - - return; -} + $pkg = substr(reverse_strrchr($pkg, "."), 0, -1); -function delete_package_recursive($pkg) { - global $config, $g; - $fd = fopen("{$g['tmp_path']}/y", "w"); - for($line = 0; $line < 10; $line++) { - fwrite($fd, "y\n"); + if (file_exists("{$vardb}/{$pkg}/+REQUIRED_BY") && count(file("{$vardb}/{$pkg}/+REQUIRED_BY")) > 0) { + $static_output .= "\tSkipping package deletion for {$pkg} because it is required by other packages.\n"; + update_output_window($static_output); + return; + } else { + if($pkg) + $static_output .= "\tStarting package deletion for {$pkg}..."; + 
update_output_window($static_output); } - fclose($fd); - $pkg = substr(reverse_strrchr($pkg, "."), 0, -1); $info = ""; - exec("/usr/sbin/pkg_info -r {$pkg} 2>&1", $info); + exec("/usr/sbin/pkg_info -qrx {$pkg}", $info); remove_freebsd_package($pkg); - $pkgdb = ""; - exec("/bin/ls {$g['vardb_path']}/pkg", $pkgdb); + $static_output .= "done.\n"; + update_output_window($static_output); foreach($info as $line) { - $depend = trim(array_pop(explode(":", $line))); - if(in_array($depend, $pkgdb)) - delete_package_recursive($depend); + $depend = trim(str_replace("@pkgdep", "", $line), " \n"); + delete_package($depend); } + return; } function delete_package_xml($pkg) { - global $g, $config, $fd_log, $static_output, $pkg_interface; + global $g, $config, $static_output, $pkg_interface; conf_mount_rw(); @@ -834,14 +841,7 @@ function delete_package_xml($pkg) { conf_mount_ro(); return; } - /* set up logging if needed */ - if(!$fd_log) { - if(!$fd_log = fopen("{$g['tmp_path']}/pkg_mgr_{$pkg}.log", "w")) { - update_output_window("Warning, could not open log for writing."); - } - } - update_status("Removing {$pkg} components..."); - fwrite($fd_log, "Removing {$pkg} package... "); + pkg_debug("Removing {$pkg} package... "); $static_output .= "Removing {$pkg} components...\n"; update_output_window($static_output); /* parse package configuration */ @@ -849,7 +849,8 @@ function delete_package_xml($pkg) { $tabs =& $config['installedpackages']['tab']; $menus =& $config['installedpackages']['menu']; $services = &$config['installedpackages']['service']; - if(file_exists("/usr/local/pkg/" . $packages[$pkgid]['configurationfile'])) { + $pkg_info =& $packages[$pkgid]; + if(file_exists("/usr/local/pkg/" . $pkg_info['configurationfile'])) { $pkg_config = parse_xml_config_pkg("/usr/local/pkg/" . $packages[$pkgid]['configurationfile'], "packagegui"); /* remove tab items */ if(is_array($pkg_config['tabs'])) { 
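Review bot: `delete_package()` handles an empty `$pkg` only by skipping the status message (`if($pkg)`), then still runs `exec("/usr/sbin/pkg_info -qrx {$pkg}", $info)` and `remove_freebsd_package($pkg)` with the empty name; because `$depend` values are parsed out of `pkg_info` output and fed straight back into this function, a guard `if (empty($pkg)) return;` directly after the `substr(reverse_strrchr($pkg, "."), 0, -1)` line is needed. `$pkg` should also go through `escapeshellarg()` in the `exec()` call, and `-x` makes the name a regular expression, so `pkg_info -qrx foo` can also match `foo-bar`; anchoring the pattern (something like `'^' . preg_quote($pkg) . '-'`) would narrow it, though that is worth checking against pkg_info's matching rules. `$vardb` is declared `global` but nothing in the diff assigns it; if it is unset, the `+REQUIRED_BY` test looks at `/{$pkg}/+REQUIRED_BY` and the "required by other packages" guard silently never fires — inferred, since its definition is outside the hunk. The recursion through `delete_package($depend)` has no cycle guard; it probably terminates because `remove_freebsd_package()` runs first, but a visited-set would make that explicit.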
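Review bot: The new alias `$pkg_info =& $packages[$pkgid];` is introduced, but the very next line still reads `$packages[$pkgid]['configurationfile']` inside the `parse_xml_config_pkg()` call; use `$pkg_info['configurationfile']` there as well so the two references cannot drift apart. Style only. delete_package_xml continues outside the hunk.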
@@ -913,21 +914,32 @@ function delete_package_xml($pkg) { * show us where an error exists in a package * instead of making us blindly guess */ + $missing_include = false; if($pkg_config['include_file'] <> "") { - $static_output = "Loading package instructions..."; + $static_output .= "Loading package instructions...\n"; update_output_window($static_output); - fwrite($fd_log, "require_once(\"{$pkg_config['include_file']}\")\n"); - if(file_exists($pkg_config['include_file'])) + pkg_debug("require_once(\"{$pkg_config['include_file']}\")\n"); + if (file_exists($pkg_config['include_file'])) require_once($pkg_config['include_file']); - fwrite($fd_log, "require_once(\"{$pkg_config['include_file']}\") included\n"); + else { + $missing_include = true; + update_output_window($static_output); + $static_output .= "\tInclude file " . basename($pkg_config['include_file']) . " could not be found for inclusion.\n"; + } + } + /* ermal + * NOTE: It is not possible to handle parse errors on eval. + * So we prevent it from being run at all to not interrupt all the other code. + */ + if ($missing_include == false) { + /* evalate this package's global functions and pre deinstall commands */ + if($pkg_config['custom_php_global_functions'] <> "") + eval_once($pkg_config['custom_php_global_functions']); + if($pkg_config['custom_php_pre_deinstall_command'] <> "") + eval_once($pkg_config['custom_php_pre_deinstall_command']); } - /* evalate this package's global functions and pre deinstall commands */ - if($pkg_config['custom_php_global_functions'] <> "") - eval_once($pkg_config['custom_php_global_functions']); - if($pkg_config['custom_php_pre_deinstall_command'] <> "") - eval_once($pkg_config['custom_php_pre_deinstall_command']); /* system files */ - if(is_array($pkg_config['modify_system']['item'])) { + if(is_array($pkg_config['modify_system']) && is_array($pkg_config['modify_system']['item'])) { $static_output .= "\tSystem files... 
"; update_output_window($static_output); foreach($pkg_config['modify_system']['item'] as $ms) @@ -936,26 +948,21 @@ function delete_package_xml($pkg) { $static_output .= "done.\n"; update_output_window($static_output); } - /* syslog */ - if($pkg_config['logging']['logfile_name'] <> "") { - $static_output .= "\tSyslog entries... "; - update_output_window($static_output); - remove_text_from_file("/etc/syslog.conf", $pkg_config['logging']['facilityname'] . "\t\t\t\t" . $pkg_config['logging']['logfilename']); - $static_output .= "done.\n"; - update_output_window($static_output); - } /* deinstall commands */ if($pkg_config['custom_php_deinstall_command'] <> "") { $static_output .= "\tDeinstall commands... "; update_output_window($static_output); - eval_once($pkg_config['custom_php_deinstall_command']); - $static_output .= "done.\n"; + if ($missing_include == false) { + eval_once($pkg_config['custom_php_deinstall_command']); + $static_output .= "done.\n"; + } else + $static_output .= "\n\tNot executing custom deinstall hook because an include is missing.\n"; update_output_window($static_output); } if($pkg_config['include_file'] <> "") { - $static_output = "\tRemoving package instructions..."; + $static_output .= "\tRemoving package instructions..."; update_output_window($static_output); - fwrite($fd_log, "Remove '{$pkg_config['include_file']}'\n"); + pkg_debug("Remove '{$pkg_config['include_file']}'\n"); unlink_if_exists("/usr/local/pkg/" . $pkg_config['include_file']); $static_output .= "done.\n"; update_output_window($static_output); 
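Review bot: In the new missing-include `else` branch, `update_output_window($static_output);` runs before the `"\tInclude file ... could not be found for inclusion.\n"` text is appended, so the message is not displayed until some later update (the install-side hunk `@@ -674,12 +688,20 @@` has the two statements in the other order). Swap them: `$static_output .= "\tInclude file " . basename($pkg_config['include_file']) . " could not be found for inclusion.\n"; update_output_window($static_output);`. Separately, `file_exists($pkg_config['include_file'])` tests the path as given, while the later `unlink_if_exists("/usr/local/pkg/" . $pkg_config['include_file'])` in hunk `@@ -936,26 +948,21 @@` prefixes `/usr/local/pkg/`; if `include_file` is stored relative, this branch will report every include as missing and skip the deinstall hooks — worth confirming which form the package XML uses. delete_package_xml continues outside the hunk.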
@@ -984,29 +991,24 @@ function delete_package_xml($pkg) { $static_output .= "done.\n"; update_output_window($static_output); } - /* remove config.xml entries */ + /* syslog */ + if(is_array($pkg_info['logging']) && $pkg_info['logging']['logfile_name'] <> "") { + $static_output .= "\tSyslog entries... "; + update_output_window($static_output); + remove_text_from_file("/etc/syslog.conf", $pkg_info['logging']['facilityname'] . "\t\t\t\t" . $pkg_info['logging']['logfilename']); + system_syslogd_start(); + @unlink("{$g['varlog_path']}/{$pkg_info['logging']['logfilename']}"); + $static_output .= "done.\n"; + update_output_window($static_output); + } conf_mount_ro(); + /* remove config.xml entries */ $static_output .= "\tConfiguration... "; update_output_window($static_output); unset($config['installedpackages']['package'][$pkgid]); $static_output .= "done.\n"; update_output_window($static_output); - write_config("Removed {$pkg} package."); - /* file cleanup */ - $ctag = file("/etc/crontab"); - foreach($ctag as $line) - if(trim($line) != "") - $towrite[] = $line; - - $tmptab = fopen("{$g['tmp_path']}/crontab", "w"); - foreach($towrite as $line) - fwrite($tmptab, $line); - fclose($tmptab); - - // Go RW again since the write_config above will put it back to RO - conf_mount_rw(); - rename("{$g['tmp_path']}/crontab", "/etc/crontab"); - conf_mount_ro(); + write_config("Removed {$pkg} package.\n"); } function expand_to_bytes($size) { @@ -1058,7 +1060,8 @@ function get_package_install_size($pkg = 'all', $pkg_info = "") { if(!$pkg_info) $pkg_info = get_pkg_sizes($pkg); foreach($pkg as $apkg) { - if(!$pkg_info[$apkg]) continue; + if(!$pkg_info[$apkg]) + continue; $toreturn[$apkg] = expand_to_bytes(walk_depend(array($pkg_info[$apkg]), $pkgdb)); } return $toreturn; @@ -1078,4 +1081,4 @@ function squash_from_bytes($size, $round = "") { return; } -?>
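Review bot: The relocated syslog block tests `$pkg_info['logging']['logfile_name'] <> ""` but then reads `$pkg_info['logging']['logfilename']` for both `remove_text_from_file()` and `@unlink()`, and the install side (`@@ -760,64 +787,44 @@`) only ever uses `logfilename`; unless the package XML also carries a `logfile_name` key, this condition is always false and the syslog.conf entry and the log file are never removed on uninstall. Change the test to `if(is_array($pkg_info['logging']) && $pkg_info['logging']['logfilename'] <> "") {`. `write_config("Removed {$pkg} package.\n")` now passes a trailing newline into the config-history description, which the install path does not do. delete_package_xml starts outside the hunk.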
\ No newline at end of file +?> diff --git a/etc/inc/services.inc b/etc/inc/services.inc index f4f05e1..79668f5 100644 --- a/etc/inc/services.inc +++ b/etc/inc/services.inc @@ -144,7 +144,7 @@ function services_dhcpd_configure() { fwrite($fd, "mkdir -p {$g['dhcpd_chroot_path']}/etc\n"); fwrite($fd, "mkdir -p {$g['dhcpd_chroot_path']}/usr/local/sbin\n"); fwrite($fd, "mkdir -p {$g['dhcpd_chroot_path']}/var/db\n"); - fwrite($fd, "mkdir -p {$g['dhcpd_chroot_path']}/var/run\n"); + fwrite($fd, "mkdir -p {$g['dhcpd_chroot_path']}/var/run\n"); fwrite($fd, "mkdir -p {$g['dhcpd_chroot_path']}/usr\n"); fwrite($fd, "mkdir -p {$g['dhcpd_chroot_path']}/lib\n"); fwrite($fd, "mkdir -p {$g['dhcpd_chroot_path']}/run\n"); diff --git a/etc/inc/shaper.inc b/etc/inc/shaper.inc index 02a1cd7..7c61546 100644 --- a/etc/inc/shaper.inc +++ b/etc/inc/shaper.inc @@ -4004,6 +4004,4 @@ $dn_default_shaper_msg .= "buttons at the bottom represent queue actions and are $dn_default_shaper_msg .= " </p></strong></span>"; $dn_default_shaper_msg .= "</td></tr>"; - - ?>
\ No newline at end of file diff --git a/etc/inc/system.inc b/etc/inc/system.inc index 9776966..5219c32 100644 --- a/etc/inc/system.inc +++ b/etc/inc/system.inc @@ -33,7 +33,7 @@ pfSense_BUILDER_BINARIES: /usr/sbin/powerd /usr/bin/killall /sbin/sysctl /sbin/route pfSense_BUILDER_BINARIES: /bin/hostname /bin/ls /usr/bin/netstat /usr/sbin/syslogd pfSense_BUILDER_BINARIES: /usr/sbin/pccardd /usr/local/sbin/lighttpd /bin/chmod /bin/mkdir - pfSense_BUILDER_BINARIES: /usr/bin/tar /bin/sync /usr/local/sbin/ntpd /usr/sbin/ntpdate + pfSense_BUILDER_BINARIES: /usr/bin/tar /usr/local/sbin/ntpd /usr/sbin/ntpdate pfSense_BUILDER_BINARIES: /usr/bin/nohup /sbin/dmesg /usr/local/sbin/atareinit /sbin/kldload pfSense_MODULE: utils */ @@ -52,10 +52,9 @@ function activate_powerd() { function get_default_sysctl_value($id) { global $sysctls; - foreach($sysctls as $sysctl => $value) { - if($sysctl == $id) - return $value; - } + + if (isset($sysctls[$id])) + return $sysctls[$id]; } function activate_sysctls() { @@ -307,11 +306,6 @@ function system_routing_configure($interface = "") { echo "system_routing_configure() being called $mt\n"; } - /* Enable fast routing, if enabled */ - /* XXX: More checks need to be done for subsystems that are not compatibel with fast routing. */ - if(isset($config['staticroutes']['enablefastrouting']) && !isset($config['ipsec']['enable'])) - mwexec("/sbin/sysctl net.inet.ip.fastforwarding=1"); - $gatewayip = ""; $interfacegw = ""; $foundgw = false; 
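Review bot: `get_default_sysctl_value()` now falls off the end of the function when `$id` is not a key of `$sysctls`, returning null implicitly; add an explicit `return null;` after the `if` so the contract is visible to callers. The behaviour also shifted slightly: the removed loop compared keys with `==` and returned a value even when it was null, whereas `isset()` treats a null entry as absent — probably acceptable, but a one-line comment would help if any defaults are intentionally null. The hunk header names `activate_powerd()`, but the changed body is `get_default_sysctl_value()`.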
@@ -511,11 +505,9 @@ function system_syslogd_start() { if($config['installedpackages']['package']) { foreach($config['installedpackages']['package'] as $package) { if($package['logging']) { - $pkgfacilities[] = $package['logging']['facilityname']; - $separatelogfacilities = $separatelogfacilities + $pkgfacilities; - $facilitylist = implode(',', $pkgfacilities); + array_push($separatelogfacilities, $package['logging']['facilityname']); mwexec("{$log_create_directive} 10240 {$g['varlog_path']}/{$package['logging']['logfilename']}"); - $syslogconf .= "!{$facilitylist}\n*.*\t\t\t\t\t\t {$log_directive}{$g['varlog_path']}/{$package['logging']['logfilename']}\n"; + $syslogconf .= "!{$package['logging']['facilityname']}\n*.*\t\t\t\t\t\t {$log_directive}{$g['varlog_path']}/{$package['logging']['logfilename']}\n"; } } } @@ -580,7 +572,7 @@ news.err;local0.none;local3.none;local4.none; {$log_directive}{$g['varlog_path local7.none {$log_directive}{$g['varlog_path']}/system.log security.* {$log_directive}{$g['varlog_path']}/system.log auth.info;authpriv.info;daemon.info {$log_directive}{$g['varlog_path']}/system.log -auth.info;authpriv.info |exec /usr/local/sbin/sshlockout_pf +auth.info;authpriv.info |exec /usr/local/sbin/sshlockout_pf 15 *.emerg * EOD; 
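Review bot: The new `$syslogconf .= "!{$package['logging']['facilityname']}\n*.*..."` line writes a value taken from the installed-package configuration straight into a syslog.conf program/facility header; a facility name containing whitespace or a newline would alter the structure of the generated file. A check before the `array_push()` such as `if (!preg_match('/^[A-Za-z0-9_.-]+$/', $package['logging']['facilityname'])) continue;` (ideally with a `log_error()` naming the package) keeps the configuration well-formed. `array_push($separatelogfacilities, ...)` assumes the variable is already an array; its initialisation is outside the hunk, so that is inferred. system_syslogd_start continues outside the hunk.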
@@ -677,14 +669,19 @@ EOD; } fwrite($fd, $syslogconf); fclose($fd); + + // Ensure that the log directory exists + if(!is_dir("{$g['dhcpd_chroot_path']}/var/run")) + exec("/bin/mkdir -p {$g['dhcpd_chroot_path']}/var/run"); + // Are we logging to a least one remote server ? if(strpos($syslogconf, "@") != false) - $retval = system("/usr/sbin/syslogd -c -f {$g['varetc_path']}/syslog.conf"); + $retval = system("/usr/sbin/syslogd -c -c -l /var/dhcpd/var/run/log -f {$g['varetc_path']}/syslog.conf"); else - $retval = system("/usr/sbin/syslogd -c -f {$g['varetc_path']}/syslog.conf"); + $retval = system("/usr/sbin/syslogd -c -c -l /var/dhcpd/var/run/log -f {$g['varetc_path']}/syslog.conf"); } else { - $retval = mwexec("/usr/sbin/syslogd -c"); + $retval = mwexec("/usr/sbin/syslogd -c -c -l /var/dhcpd/var/run/log"); } if ($g['booting']) @@ -753,7 +750,7 @@ function system_webgui_start() { if (!is_array($config['cert'])) $config['cert'] = array(); $a_cert =& $config['cert']; - echo "Creating SSL Certificate... "; + log_error("Creating SSL Certificate for this host"); $cert = array(); $cert['refid'] = uniqid(); $cert['descr'] = "webConfigurator default"; @@ -1426,7 +1423,7 @@ function system_set_harddisk_standby() { // Check for a numeric value if (is_numeric($standby)) { // Sync the disk(s) - mwexec('/bin/sync'); + pfSense_sync(); if (!mwexec('/sbin/sysctl hw.ata.standby=' . ((int)$standby))) { // Reinitialize ATA-drives mwexec('/usr/local/sbin/atareinit'); diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc index 7bf8f2e..9f7be86 100644 --- a/etc/inc/upgrade_config.inc +++ b/etc/inc/upgrade_config.inc 
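Review bot: The directory is created from `{$g['dhcpd_chroot_path']}/var/run`, but all three `syslogd` invocations pass the literal `-l /var/dhcpd/var/run/log`; if `dhcpd_chroot_path` is ever anything other than `/var/dhcpd`, the mkdir succeeds while syslogd cannot bind its extra socket. Use the same variable in the command, `-l {$g['dhcpd_chroot_path']}/var/run/log`, and prefer `mkdir("{$g['dhcpd_chroot_path']}/var/run", 0755, true)` over `exec("/bin/mkdir -p ...")`. Both branches of `if(strpos($syslogconf, "@") != false)` now run the identical command, so the conditional can be collapsed; if it is kept, `!== false` is the intended comparison. system_syslogd_start continues outside the hunk.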
@@ -704,18 +704,14 @@ function upgrade_040_to_041() { $config['sysctl']['item'][18]['tunable'] = "net.inet.tcp.tso"; $config['sysctl']['item'][18]['descr'] = "TCP Offload engine"; $config['sysctl']['item'][18]['value'] = "default"; - - $config['sysctl']['item'][19]['tunable'] = "hw.bce.tso_enable"; - $config['sysctl']['item'][19]['descr'] = "TCP Offload engine - BCE"; - $config['sysctl']['item'][19]['value'] = "default"; - $config['sysctl']['item'][20]['tunable'] = "net.inet.ip.portrange.first"; - $config['sysctl']['item'][20]['descr'] = "Set the ephemeral port range starting port"; - $config['sysctl']['item'][20]['value'] = "default"; + $config['sysctl']['item'][19]['tunable'] = "net.inet.ip.portrange.first"; + $config['sysctl']['item'][19]['descr'] = "Set the ephemeral port range starting port"; + $config['sysctl']['item'][19]['value'] = "default"; - $config['sysctl']['item'][21]['tunable'] = "hw.syscons.kbd_reboot "; - $config['sysctl']['item'][21]['descr'] = "Enables ctrl+alt+delete"; - $config['sysctl']['item'][21]['value'] = "default"; + $config['sysctl']['item'][20]['tunable'] = "hw.syscons.kbd_reboot "; + $config['sysctl']['item'][20]['descr'] = "Enables ctrl+alt+delete"; + $config['sysctl']['item'][20]['value'] = "default"; } } @@ -1082,7 +1078,7 @@ function upgrade_047_to_048() { if (!empty($config['dyndns'])) { $config['dyndnses'] = array(); $config['dyndnses']['dyndns'] = array(); - if(isset($config['dyndns'][0]['enable'])) { + if(isset($config['dyndns'][0]['host'])) { $tempdyn = array(); $tempdyn['enable'] = isset($config['dyndns'][0]['enable']); $tempdyn['type'] = $config['dyndns'][0]['type']; 
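Review bot: The renumbered entry `$config['sysctl']['item'][20]['tunable'] = "hw.syscons.kbd_reboot ";` carries a trailing space inside the tunable name (inherited from the removed item 21); if this string is later handed to `sysctl` or compared against `$sysctls` keys, the space makes it a different name. Drop it: `"hw.syscons.kbd_reboot"`. A short comment noting that items 19 and 20 were renumbered because `hw.bce.tso_enable` was removed would help anyone reading later upgrade steps that index by position. upgrade_040_to_041 starts outside the hunk.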
@@ -1671,10 +1667,11 @@ function upgrade_053_to_054() { $monitor = $split[1]; /* on static upgraded configuration we automatically prepend GW_ */ $static_name = "GW_" . strtoupper($interface); - if(is_ipaddr($monitor)) { - $interface = $static_name; - $config['interfaces'][$interface]['monitorip'] = $monitor; - } + if(is_ipaddr($monitor)) + foreach ($a_gateways as & $gw) + if ($gw['name'] == $static_name) + $gw['monitor'] = $monitor; + /* on failover increment tier. Else always assign 1 */ if($lbpool['behaviour'] == "failover") { $i++; @@ -1738,6 +1735,8 @@ function upgrade_054_to_055() { } /* the roundtrip times need to be divided by 1000 to get seconds, really */ $databases = array(); + if (!file_exists($rrddbpath)) + @mkdir($rrddbpath); chdir($rrddbpath); $databases = glob("*-quality.rrd"); rsort($databases); @@ -1885,11 +1884,20 @@ function upgrade_055_to_056() { function upgrade_056_to_057() { global $config; + if (!is_array($config['system']['user'])) + $config['system']['user'] = array(); /* migrate captivate portal to user manager */ if (is_array($config['captiveportal']['user'])) { foreach($config['captiveportal']['user'] as $user) { // avoid user conflicts - if ($config['system']['user'][$user['name']]) + $found = false; + foreach ($config['system']['user'] as $userent) { + if ($userent['name'] == $user['name']) { + $found = true; + break; + } + } + if ($found) continue; $user['scope'] = "user"; if (isset($user['expirationdate'])) { @@ -1900,6 +1908,7 @@ function upgrade_056_to_057() { $user['md5-hash'] = $user['password']; unset($user['password']); } + $user['uid'] = $config['system']['nextuid']++; $config['system']['user'][] = $user; } unset($config['captiveportal']['user']); 
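Review bot: `foreach ($a_gateways as & $gw)` iterates by reference and is not followed by `unset($gw);`, so `$gw` stays aliased to the last gateway after the loop; any later assignment to `$gw` in this function, or a following by-value `foreach` over `$a_gateways`, would silently overwrite that element. Add `unset($gw);` after the inner loop, and give the three-level `if`/`foreach`/`if` without braces at least braces on the outer `if` so the extent of the new block is unambiguous. upgrade_053_to_054 continues outside the hunk.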
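Review bot: `$user['uid'] = $config['system']['nextuid']++;` assumes `$config['system']['nextuid']` already exists; the preceding hunk (`@@ -1885,11 +1884,20 @@`) initialises `$config['system']['user']` when missing but adds no equivalent for `nextuid`, and post-incrementing an unset key yields a `null` uid for the first migrated user. Guard it the same way, e.g. `if (!isset($config['system']['nextuid'])) $config['system']['nextuid'] = FIRST_USER_UID;` — `FIRST_USER_UID` is a placeholder for whatever the user manager treats as the first non-system uid. upgrade_056_to_057 continues outside the hunk.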
@@ -2228,10 +2237,10 @@ function upgrade_070_to_071() { function rename_field(& $section, $oldname, $newname) { if (is_array($section)) { foreach($section as & $item) { - if (!empty($item[$oldname])) { + if (!empty($item[$oldname])) $item[$newname] = $item[$oldname]; + if (isset($item[$oldname])) unset($item[$oldname]); - } } } } @@ -2273,4 +2282,4 @@ function upgrade_074_to_075() { rename_field($config['crl'], 'name', 'descr'); } -?>
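Review bot: Splitting the copy behind `if (!empty($item[$oldname]))` and the unset behind `if (isset($item[$oldname]))` means a field holding `''` or `'0'` is deleted without being renamed, because `empty()` is true for those values; if the intent is a pure rename, use `isset` (or `array_key_exists`) for both tests so the value is carried over unchanged. The by-reference `foreach($section as & $item)` also lacks a trailing `unset($item);`, leaving `$item` aliased to the last element after the loop. A one-line docblock stating that `$section` is modified in place would help callers.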
\ No newline at end of file +?> diff --git a/etc/inc/util.inc b/etc/inc/util.inc index 718a22b..494f81b 100644 --- a/etc/inc/util.inc +++ b/etc/inc/util.inc @@ -38,7 +38,7 @@ /* kill a process by pid file */ function killbypid($pidfile) { - sigkillbypid($pidfile, "TERM"); + return sigkillbypid($pidfile, "TERM"); } function isvalidpid($pid) { @@ -716,10 +716,16 @@ function get_configured_ip_addresses() { require_once("interfaces.inc"); $ip_array = array(); $interfaces = get_configured_interface_list(); - foreach($interfaces as $int) { - $ipaddr = get_interface_ip($int); - $ip_array[$int] = $ipaddr; + if(is_array($interfaces)) { + foreach($interfaces as $int) { + $ipaddr = get_interface_ip($int); + $ip_array[$int] = $ipaddr; + } } + $interfaces = get_configured_carp_interface_list(); + if(is_array($interfaces)) + foreach($interfaces as $int => $ipaddr) + $ip_array[$int] = $ipaddr; return $ip_array; } @@ -851,6 +857,23 @@ function log_error($error) { return; } +/****f* util/log_auth +* NAME +* log_error - Sends a string to syslog as LOG_AUTH facility +* INPUTS +* $error - string containing the syslog message. +* RESULT +* null +******/ +function log_auth($error) { + global $g; + $page = $_SERVER['SCRIPT_NAME']; + syslog(LOG_AUTH, "$page: $error"); + if ($g['debug']) + syslog(LOG_WARNING, var_dump(debug_backtrace())); + return; +} + /****f* util/exec_command * NAME * exec_command - Execute a command and return a string of the result. @@ -869,17 +892,16 @@ function exec_command($command) { /* wrapper for exec() */ function mwexec($command, $mute = false) { - global $g; - $oarr = array(); - $retval = 0; + if ($g['debug']) { if (!$_SERVER['REMOTE_ADDR']) echo "mwexec(): $command\n"; - exec("$command 2>&1", $oarr, $retval); - } else { - exec("$command 2>&1", $oarr, $retval); } + $oarr = array(); + $retval = 0; + $garbage = exec("$command 2>&1", $oarr, $retval); + if(isset($config['system']['developerspew'])) $mute = false; if(($retval <> 0) && ($mute === false)) { 
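Review bot: The new `log_auth()` docblock names the function `log_error` in its NAME section; it should read `log_auth - Sends a string to syslog as LOG_AUTH facility`. In the debug branch, `syslog(LOG_WARNING, var_dump(debug_backtrace()))` passes `var_dump()`'s return value, which is `null` — the backtrace is printed to stdout (into the HTTP response when called from a page) and syslog receives an empty message; use `syslog(LOG_WARNING, print_r(debug_backtrace(), true));`. `$_SERVER['SCRIPT_NAME']` is unset under the CLI, so `$page` should fall back, e.g. `$page = isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : 'cli';`. Since LOG_AUTH entries are what an operator reads after an incident, a comment stating that the `"$page: $error"` format is intended to stay stable would be worthwhile.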
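Review bot: `global $g;` was removed from `mwexec()`, so `if ($g['debug'])` now reads an undefined local and the debug echo can never fire; `$config` in the kept `isset($config['system']['developerspew'])` line was already undeclared. Restore `global $g, $config;` as the first statement of the function. `$garbage = exec(...)` assigns a value that is never used — `exec("$command 2>&1", $oarr, $retval);` is sufficient. mwexec continues outside the hunk.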
diff --git a/etc/inc/voucher.inc b/etc/inc/voucher.inc index 3b8e1ac..5c1d132 100644 --- a/etc/inc/voucher.inc +++ b/etc/inc/voucher.inc @@ -63,14 +63,12 @@ EOF; $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); $cli->setCredentials($username, $password); $resp = $cli->send($msg, "250"); - if(!$resp) { + if(!is_object($resp)) { $error = "A communications error occurred while attempting CaptivePortalVoucherSync XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; log_error($error); file_notice("CaptivePortalVoucherSync", $error, "Communications error occurred", ""); return array("timeleft" => "0"); } elseif($resp->faultCode()) { - $cli->setDebug(1); - $resp = $cli->send($msg, "250"); $error = "An error code was received while attempting CaptivePortalVoucherSync XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("CaptivePortalVoucherSync", $error, "Error code received", ""); 
@@ -84,25 +82,24 @@ EOF; write_config("Captive Portal Voucher database synchronized with {$url}"); voucher_configure(); } - return $toreturn['timeleft']; + + return $toreturn['timeleft']; } /* - *Authenticate a voucher and return the remaining time credit in minutes + * Authenticate a voucher and return the remaining time credit in minutes * if $test is set, don't mark the voucher as used nor add it to the list * of active vouchers + * If $test is set, simply test the voucher. Don't change anything + * but return a more verbose error and result message back */ function voucher_auth($voucher_received, $test = 0) { - global $g, $config; - // if $test is set, simply test the voucher. Don't change anything - // but return a more verbose error and result message back - $voucherlck = lock('voucher'); // XMLRPC Call over to the master Voucher node - $a_voucher = &$config['voucher']; + $a_voucher = &$config['voucher']; if($a_voucher['vouchersyncdbip']) { $syncip = $a_voucher['vouchersyncdbip']; $syncport = $a_voucher['vouchersyncport']; 
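Review bot: `global $g, $config;` is deleted from `voucher_auth()`, yet `$config` is read two lines later (`$a_voucher = &$config['voucher'];`) and `$g` is used further down (`{$g['varetc_path']}/voucher.cfg` in hunk `@@ -138,9 +139,9 @@`); without the declaration both are undefined inside the function, so the sync-to-master branch never runs and the later `exec()` is built with an empty path. Restore `global $g, $config;` at the top of the function unless a declaration survives in lines not shown here. The updated docblock now states the `$test` behaviour twice (`if $test is set, don't mark the voucher as used...` and `If $test is set, simply test the voucher...`); merge them into one sentence. voucher_auth continues outside the hunk.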
@@ -111,12 +108,16 @@ function voucher_auth($voucher_received, $test = 0) { $remote_time_used = xmlrpc_sync_used_voucher($voucher_received, $syncip, $syncport, $syncpass, $vouchersyncusername); } - // read rolls into assoc array with rollid as key and minutes as value - $a_roll = &$config['voucher']['roll']; - foreach ($a_roll as $rollent) { - $tickets_per_roll[$rollent['number']] = $rollent['count']; - $minutes_per_roll[$rollent['number']] = $rollent['minutes']; - } + // read rolls into assoc array with rollid as key and minutes as value + $tickets_per_roll = array(); + $minutes_per_roll = array(); + if (is_array($config['voucher']['roll'])) { + $a_roll = &$config['voucher']['roll']; + foreach ($a_roll as $rollent) { + $tickets_per_roll[$rollent['number']] = $rollent['count']; + $minutes_per_roll[$rollent['number']] = $rollent['minutes']; + } + } // split into an array. Useful for multiple vouchers given $a_vouchers_received = split("[\t\n\r ]+",$voucher_received); @@ -138,9 +139,9 @@ function voucher_auth($voucher_received, $test = 0) { $result = exec("/usr/local/bin/voucher -c {$g['varetc_path']}/voucher.cfg -k {$g['varetc_path']}/voucher.public -- $v"); list($status, $roll, $nr) = explode(" ", $result); if ($status == "OK") { - if (!$first_voucher) - { - $first_voucher = $voucher; // store first voucher. Thats the one we give the timecredit + if (!$first_voucher) { + // store first voucher. Thats the one we give the timecredit + $first_voucher = $voucher; $first_voucher_roll = $roll; } // check if we have this ticket on a registered roll for this ticket @@ -191,7 +192,7 @@ function voucher_auth($voucher_received, $test = 0) { } else { $test_result[] = "Access granted for $total_minutes Minutes in total."; } - unlock($voucherlck); + unlock($voucherlck); return $test_result; } 
@@ -200,7 +201,7 @@ function voucher_auth($voucher_received, $test = 0) { // the user wouldn't know that he used at least one invalid voucher. if ($error) { - unlock($voucherlck); + unlock($voucherlck); if ($total_minutes > 0) // probably not needed, but want to make sure $total_minutes = 0; // we only report -1 (expired) or 0 (no access) return $total_minutes; // well, at least one voucher had errors. Say NO ACCESS @@ -240,9 +241,6 @@ function voucher_auth($voucher_received, $test = 0) { $active_vouchers[$first_voucher_roll][$first_voucher] = "$timestamp,$minutes"; voucher_write_active_db($roll, $active_vouchers[$first_voucher_roll]); - // mark the DB's as dirty. - mark_subsystem_dirty('voucher'); - unlock($voucherlck); return $total_minutes; @@ -250,15 +248,15 @@ function voucher_auth($voucher_received, $test = 0) { function voucher_configure() { global $config, $g; - - /* kill any running minicron */ - killbypid("{$g['varrun_path']}/vouchercron.pid"); - if (isset($config['voucher']['enable'])) { + /* kill any running minicron */ + killbypid("{$g['varrun_path']}/vouchercron.pid"); + + if (!isset($config['voucher']['enable'])) + return 0; - if ($g['booting']) { + if ($g['booting']) echo "Enabling voucher support... "; - } // start cron if we're asked to save runtime DB periodically // to XML config if it changed 
@@ -269,18 +267,19 @@ function voucher_configure() { "/etc/rc.savevoucher"); } - $voucherlck = lock('voucher'); + $voucherlck = lock('voucher', LOCK_EX); + /* write public key used to verify vouchers */ $pubkey = base64_decode($config['voucher']['publickey']); $fd = fopen("{$g['varetc_path']}/voucher.public", "w"); if (!$fd) { - printf("Error: cannot write voucher.public\n"); + log_error("Voucher error: cannot write voucher.public\n"); unlock($voucherlck); return 1; } - chmod("{$g['varetc_path']}/voucher.public", 0600); fwrite($fd, $pubkey); fclose($fd); + @chmod("{$g['varetc_path']}/voucher.public", 0600); /* write config file used by voucher binary to decode vouchers */ $fd = fopen("{$g['varetc_path']}/voucher.cfg", "w"); @@ -289,12 +288,12 @@ function voucher_configure() { unlock($voucherlck); return 1; } - chmod("{$g['varetc_path']}/voucher.cfg", 0600); fwrite($fd, "{$config['voucher']['rollbits']},{$config['voucher']['ticketbits']},{$config['voucher']['checksumbits']},{$config['voucher']['magic']},{$config['voucher']['charset']}\n"); fclose($fd); + @chmod("{$g['varetc_path']}/voucher.cfg", 0600); unlock($voucherlck); - if ($g['booting']) { + if ($g['booting'] && is_array($config['voucher']['roll'])) { // create active and used DB per roll on ramdisk from config $a_roll = &$config['voucher']['roll']; 
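Review bot: Moving `chmod(..., 0600)` after `fclose()` and prefixing it with `@` means voucher.public is created by `fopen(..., "w")` with the process umask's default mode, written, and only then tightened, and a chmod failure is now silent; the voucher.cfg block in the -289 hunk has the same shape. Narrow the window and keep the failure visible: call `$oldmask = umask(077);` before the `fopen` and `umask($oldmask);` after the `fclose`, and replace `@chmod(...)` with `if (!chmod("{$g['varetc_path']}/voucher.public", 0600)) log_error("Voucher error: cannot chmod voucher.public");`. The new `log_error("Voucher error: cannot write voucher.public\n")` keeps the trailing `\n` inherited from the printf it replaces, which is probably unneeded in a log message — confirm against log_error(). voucher_configure starts before this hunk and continues past the -289 hunk.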
@@ -323,61 +322,56 @@ function voucher_configure() { unlock($voucherlck); echo "done\n"; } - } - return 0; + + return 0; } /* write bitstring of used vouchers to ramdisk. * Bitstring must already be base64_encoded! */ function voucher_write_used_db($roll, $vdb) { - - global $g; - - $fd = fopen("{$g['vardb_path']}/voucher_used_$roll.db", "w"); - if ($fd) { - fwrite($fd, $vdb . "\n"); - fclose($fd); - } else { - voucher_log(LOG_ERR, "cant write {$g['vardb_path']}/voucher_used_$roll.db"); - } + global $g; + + $fd = fopen("{$g['vardb_path']}/voucher_used_$roll.db", "w"); + if ($fd) { + fwrite($fd, $vdb . "\n"); + fclose($fd); + } else + voucher_log(LOG_ERR, "cant write {$g['vardb_path']}/voucher_used_$roll.db"); } /* return assoc array of active vouchers with activation timestamp * voucher is index. */ function voucher_read_active_db($roll) { - - global $g; - - $active = array(); - $dirty = 0; - $file = "{$g['vardb_path']}/voucher_active_$roll.db"; - if (file_exists($file)) { - $fd = fopen($file, "r"); - if ($fd) { - while (!feof($fd)) { - $line = trim(fgets($fd)); - if ($line) { - list($voucher,$timestamp,$minutes) = explode(",", $line); // voucher,timestamp - if ((($timestamp + 60*$minutes) - time()) > 0) { - $active[$voucher] = "$timestamp,$minutes"; - } else { - $dirty=1; - } - } - } - fclose($fd); - if ($dirty) // if we found expired entries, lets save our snapshot - voucher_write_active_db($roll, $active); - } - } - return $active; + global $g; + + $active = array(); + $dirty = 0; + $file = "{$g['vardb_path']}/voucher_active_$roll.db"; + if (file_exists($file)) { + $fd = fopen($file, "r"); + if ($fd) { + while (!feof($fd)) { + $line = trim(fgets($fd)); + if ($line) { + list($voucher,$timestamp,$minutes) = explode(",", $line); // voucher,timestamp + if ((($timestamp + 60*$minutes) - time()) > 0) + $active[$voucher] = "$timestamp,$minutes"; + else + $dirty=1; + } + } + fclose($fd); + if ($dirty) // if we found expired entries, lets save our snapshot + 
voucher_write_active_db($roll, $active); + } + } + return $active; } /* store array of active vouchers back to DB */ function voucher_write_active_db($roll, $active) { - global $g; $fd = fopen("{$g['vardb_path']}/voucher_active_$roll.db", "w"); @@ -390,7 +384,6 @@ function voucher_write_active_db($roll, $active) { /* return how many vouchers are marked used on a roll */ function voucher_used_count($roll) { - global $g; $bitstring = voucher_read_used_db($roll); @@ -407,7 +400,6 @@ function voucher_used_count($roll) { } function voucher_read_used_db($roll) { - global $g; $vdb = ""; @@ -425,10 +417,9 @@ function voucher_read_used_db($roll) { } function voucher_unlink_db($roll) { - global $g; - unlink("{$g['vardb_path']}/voucher_used_$roll.db"); - unlink("{$g['vardb_path']}/voucher_active_$roll.db"); + @unlink("{$g['vardb_path']}/voucher_used_$roll.db"); + @unlink("{$g['vardb_path']}/voucher_active_$roll.db"); } /* we share the log with captiveportal for now */ @@ -445,20 +436,15 @@ function voucher_log($priority, $message) { * Called during reboot -> system_reboot_cleanup() and minicron */ function voucher_save_db_to_config() { - global $config, $g; if (!isset($config['voucher']['enable']) || $config['voucher']['saveinterval'] == 0) return; // no vouchers or don't want to save DB's - if (!is_subsystem_dirty('voucher')) - return; // nothing changed. - - $voucherlck = lock('voucher'); + $voucherlck = lock('voucher', LOCK_EX); // walk all active rolls and save runtime DB's to flash $a_roll = &$config['voucher']['roll']; -// foreach ($a_roll as $rollent) { while (list($key, $value) = each($a_roll)) { $rollent = &$a_roll[$key]; $roll = $rollent['number']; @@ -477,10 +463,11 @@ function voucher_save_db_to_config() { } $rollent['active'] = $db; } - clear_subsystem_dirty('voucher'); + unlock($voucherlck); + write_config(); return; } -?>
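Review bot: In the -445 hunk, `$a_roll = &$config['voucher']['roll'];` followed by `while (list($key, $value) = each($a_roll))` has no `is_array()` guard, while the -111 and -289 hunks of this same file add `if (is_array($config['voucher']['roll']))` before their roll loops; with vouchers enabled but no rolls configured, `each()` is handed a non-array here. Add the same guard right after the lock: `if (!is_array($config['voucher']['roll'])) { unlock($voucherlck); return; }`. Since this hunk also drops the `is_subsystem_dirty('voucher')` early return, the body now runs on every minicron tick whether or not anything changed, and the header comment (`* Called during reboot -> system_reboot_cleanup() and minicron`) should say so. voucher_save_db_to_config continues past this hunk.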
\ No newline at end of file +?> diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index 7c045d2..ef06f61 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -118,6 +118,7 @@ function vpn_ipsec_configure($ipchg = false) return true; } else { mwexec("/sbin/ifconfig enc0 up"); + mwexec("/sbin/sysctl net.inet.ip.ipsec_in_use=1"); if ($g['booting']) echo "Configuring IPsec VPN... "; @@ -635,15 +636,18 @@ EOD; $localid_type = $ph2ent['localid']['type']; $localid_data = ipsec_idinfo_to_cidr($ph2ent['localid']); - /* Do not print localid in some cases, such as a pure-psk mobile tunnel */ - if (($localid_type == "none") || ($ph1ent['authentication_method'] == "pre_shared_key") && isset($ph1ent['mobile'])) + /* Do not print localid in some cases, such as a pure-psk or psk/xauth mobile tunnel */ + if (($localid_type == "none") || + (($ph1ent['authentication_method'] == "xauth_psk_server") || + ($ph1ent['authentication_method'] == "pre_shared_key")) + && isset($ph1ent['mobile'])) $localid_spec = " "; else { - if ($localid_type != "address") { - $localid_type = "subnet"; - } - $localid_spec = $localid_type." ".$localid_data." any"; - } + if ($localid_type != "address") { + $localid_type = "subnet"; + } + $localid_spec = $localid_type." ".$localid_data." any"; + } if (!isset($ph2ent['mobile'])) { $remoteid_type = $ph2ent['remoteid']['type']; 
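Review bot: The predicate `(($ph1ent['authentication_method'] == "xauth_psk_server") || ($ph1ent['authentication_method'] == "pre_shared_key")) && isset($ph1ent['mobile'])` in the -635 hunk of etc/inc/vpn.inc is written out in full again in the -656 hunk, and the mixed `||`/`&&` without an outer parenthesis around the mobile test makes the intended grouping ("none, or a psk-style mobile tunnel") hard to read. Compute it once before both uses, `$psk_mobile = isset($ph1ent['mobile']) && in_array($ph1ent['authentication_method'], array('pre_shared_key', 'xauth_psk_server'), true);`, and test `$psk_mobile` in both places so the two branches cannot drift when a further authentication method is added. The enclosing function starts before this hunk and continues past it.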
@@ -656,16 +660,23 @@ EOD; $remoteid_spec = "anonymous"; } else { - $rgip = $rgmap[$ph1ent['remote-gateway']]; - $localid_data = ipsec_get_phase1_src($ph1ent); - if($ph2ent['mode'] == 'transport') { $localid_data="$localid_data any"; } - $localid_spec = "address {$localid_data}"; - - $remoteid_data = $rgmap[$ph1ent['remote-gateway']]; - if($ph2ent['mode'] == 'transport') { $remoteid_data="$remoteid_data any"; } - $remoteid_spec = "address {$remoteid_data}"; + if ((($ph1ent['authentication_method'] == "xauth_psk_server") || + ($ph1ent['authentication_method'] == "pre_shared_key")) + && isset($ph1ent['mobile'])) + $localid_spec = " "; + else { + $localid_data = ipsec_get_phase1_src($ph1ent); + if($ph2ent['mode'] == 'transport') { $localid_data="$localid_data any"; } + $localid_spec = "address {$localid_data}"; + } + if (!isset($ph2ent['mobile'])) { + $remoteid_data = $rgmap[$ph1ent['remote-gateway']]; + if($ph2ent['mode'] == 'transport') { $remoteid_data="$remoteid_data any"; } + $remoteid_spec = "address {$remoteid_data}"; + } else + $remoteid_spec = "anonymous"; } if($ph2ent['protocol'] == 'esp') { @@ -877,7 +888,6 @@ EOD; sleep("0.1"); mwexec("/usr/local/sbin/setkey -F", false); sleep("0.1"); - exec("/sbin/sysctl net.inet.ip.ipsec_in_use=1"); /* start racoon */ mwexec("/usr/local/sbin/racoon -f {$g['varetc_path']}/racoon.conf", false); sleep("0.1"); @@ -953,6 +963,15 @@ function vpn_setup() { vpn_l2tp_configure(); } +function vpn_netgraph_support() { + $iflist = get_configured_interface_list(); + foreach ($iflist as $iface) { + $realif = get_real_interface($iface); + /* Get support for netgraph(4) from the nic */ + pfSense_ngctl_attach(".", $realif); + } +} + function vpn_pptpd_configure() { global $config, $g; 
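Review bot: `vpn_netgraph_support()` in the -953 hunk calls `pfSense_ngctl_attach(".", $realif)` for every configured interface without checking that `get_real_interface($iface)` returned a name, and has no header comment; the call sites added in the -1143 and -1527 hunks give no hint of why it is needed either. Skip empty results with `if (empty($realif)) continue;` before the attach call, and add a docblock such as `/* Attach netgraph(4) to every configured interface; called before mpd is started by the PPTP and L2TP configure functions. */`. The PPPoE server path in the -1346 hunk instead attaches only `$pppoe_interface` inline; if that difference is deliberate, a one-line comment there would stop someone "fixing" it to use the helper.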
@@ -1143,6 +1162,8 @@ EOD; fclose($fd); chmod("{$g['varetc_path']}/pptp-vpn/mpd.secret", 0600); + vpn_netgraph_support(); + /* fire up mpd */ mwexec("/usr/local/sbin/mpd4 -b -d {$g['varetc_path']}/pptp-vpn -p {$g['varrun_path']}/pptp-vpn.pid -s pptps pptps"); @@ -1346,6 +1367,8 @@ EOD; chmod("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.secret", 0600); } + /* Get support for netgraph(4) from the nic */ + pfSense_ngctl_attach(".", $pppoe_interface); /* fire up mpd */ mwexec("/usr/local/sbin/mpd4 -b -d {$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn -p {$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid -s poes poes"); @@ -1527,6 +1550,8 @@ EOD; fclose($fd); chmod("{$g['varetc_path']}/l2tp-vpn/mpd.secret", 0600); + vpn_netgraph_support(); + /* fire up mpd */ mwexec("/usr/local/sbin/mpd4 -b -d {$g['varetc_path']}/l2tp-vpn -p {$g['varrun_path']}/l2tp-vpn.pid -s l2tps l2tps"); @@ -1721,4 +1746,4 @@ function vpn_ipsec_configure_preferoldsa() { mwexec("/sbin/sysctl net.key.preferred_oldsa=0"); } -?>
\ No newline at end of file +?> diff --git a/etc/inc/vslb.inc b/etc/inc/vslb.inc index 73d434e..5eb784a 100644 --- a/etc/inc/vslb.inc +++ b/etc/inc/vslb.inc @@ -206,7 +206,12 @@ function relayd_configure() { if(is_array($pool_a)) { for ($i = 0; isset($pool_a[$i]); $i++) { if(is_array($pool_a[$i]['servers'])) { - $srvtxt = implode(", ", $pool_a[$i]['servers']); + if (!empty($pool_a[$i]['retry'])) { + $retrytext = " retry {$pool_a[$i]['retry']}"; + $srvtxt = implode("{$retrytext}, ", $pool_a[$i]['servers']) . "{$retrytext}"; + } else { + $srvtxt = implode(", ", $pool_a[$i]['servers']); + } $conf .= "table <{$pool_a[$i]['name']}> { $srvtxt }\n"; /* Index by name for easier fetching when we loop through the virtual servers */ $pools[$pool_a[$i]['name']] = $pool_a[$i]; 
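Review bot: `$retrytext = " retry {$pool_a[$i]['retry']}";` in the -206 hunk of etc/inc/vslb.inc interpolates the pool's retry value straight into the relayd table definition, so a non-numeric value in the config produces an unparsable relayd.conf. Coerce it before use: `$retrytext = " retry " . intval($pool_a[$i]['retry']);` (the `!empty()` guard already excludes an empty or `0` value). relayd_configure starts before this hunk and continues past it.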
@@ -283,4 +288,73 @@ function relayd_configure() { } +<<<<<<< HEAD +?> +======= +function get_lb_redirects() { +/* +# relayctl show summary +Id Type Name Avlblty Status +1 redirect testvs2 active +5 table test2:80 active (3 hosts up) +11 host 192.168.1.2 91.55% up +10 host 192.168.1.3 100.00% up +9 host 192.168.1.4 88.73% up +3 table test:80 active (1 hosts up) +7 host 192.168.1.2 66.20% down +6 host 192.168.1.3 97.18% up +0 redirect testvs active +3 table test:80 active (1 hosts up) +7 host 192.168.1.2 66.20% down +6 host 192.168.1.3 97.18% up +4 table testvs-sitedown:80 active (1 hosts up) +8 host 192.168.1.4 84.51% up +# relayctl show redirects +Id Type Name Avlblty Status +1 redirect testvs2 active +0 redirect testvs active +# relayctl show redirects +Id Type Name Avlblty Status +1 redirect testvs2 active + total: 2 sessions + last: 2/60s 2/h 2/d sessions + average: 1/60s 0/h 0/d sessions +0 redirect testvs active +*/ + $rdr_a = array(); + exec('/usr/local/sbin/relayctl show redirects 2>&1', $rdr_a); + $vs = array(); + for ($i = 0; isset($rdr_a[$i]); $i++) { + $line = $rdr_a[$i]; + if (preg_match("/^[0-9]+/", $line)) { + $regs = array(); + if($x = preg_match("/^[0-9]+\s+redirect\s+([^\s]+)\s+([^\s]+)/", $line, $regs)) { + $vs[trim($regs[1])] = array(); + $vs[trim($regs[1])]['status'] = trim($regs[2]); + } + } + } + return $vs; +} + +function get_lb_summary() { + $relayctl = array(); + exec('/usr/local/sbin/relayctl show summary 2>&1', $relayctl); + $relay_hosts=Array(); + foreach( (array) $relayctl as $line) { + $t=split("\t", $line); + switch (trim($t[1])) { + case "table": + $curpool=trim($t[2]); + break; + case "host": + $curhost=trim($t[2]); + $relay_hosts[$curpool][$curhost]['avail']=trim($t[3]); + $relay_hosts[$curpool][$curhost]['state']=trim($t[4]); + break; + } + } + return $relay_hosts; +} + ?> diff --git a/etc/inc/xmlparse.inc b/etc/inc/xmlparse.inc index 582f9b4..75871a9 100644 --- a/etc/inc/xmlparse.inc +++ b/etc/inc/xmlparse.inc 
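Review bot: The new side of the -283 hunk commits unresolved merge-conflict markers — `+<<<<<<< HEAD`, `+?>` and `+=======` at its top — so etc/inc/vslb.inc as committed is not valid PHP, and the `?>` placed before `get_lb_redirects()` would end PHP mode ahead of the two new functions; the hunk should keep only one side (presumably the function definitions) with the markers removed. In `get_lb_summary()`, `$curpool` is only assigned on a `table` line, so a `host` line encountered first writes under an undefined key; initialise `$curpool = "";` beside `$relay_hosts=Array();` and skip host lines while it is empty. `split("\t", $line)` is the deprecated ereg family; `explode("\t", $line)` does the same for a literal tab. The block comment with sample relayctl output is useful — keep it, but mark it as sample output so nobody treats the addresses as configuration.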
@@ -179,20 +179,27 @@ function parse_xml_config_raw($cffile, $rootobj, $isstring = "false") { while ($data = fread($fp, 4096)) { if (!xml_parse($xml_parser, $data, feof($fp))) { - log_error(sprintf("XML error: %s at line %d\n", + log_error(sprintf("XML error: %s at line %d in %s\n", xml_error_string(xml_get_error_code($xml_parser)), - xml_get_current_line_number($xml_parser))); + xml_get_current_line_number($xml_parser), + $cffile)); return -1; } } xml_parser_free($xml_parser); - if (!$parsedcfg[$rootobj]) { - log_error("XML error: no $rootobj object found!\n"); + if (!is_array($rootobj)) + $rootobj = array($rootobj); + foreach ($rootobj as $rootobj_name) + if ($parsedcfg[$rootobj_name]) + break; + + if (!$parsedcfg[$rootobj_name]) { + log_error("XML error: no $rootobj_name object found!\n"); return -1; } - return $parsedcfg[$rootobj]; + return $parsedcfg[$rootobj_name]; } function dump_xml_config_sub($arr, $indent) { diff --git a/etc/inc/xmlreader.inc b/etc/inc/xmlreader.inc index a228cd0..0beeb74 100644 --- a/etc/inc/xmlreader.inc +++ b/etc/inc/xmlreader.inc @@ -128,7 +128,13 @@ function parse_xml_config_raw($cffile, $rootobj, $isstring = "false") { } else log_error("Error returned while trying to parse {$cffile}"); - return $parsedcfg[$rootobj]; + if (!is_array($rootobj)) + $rootobj = array($rootobj); + foreach ($rootobj as $rootobj_name) + if ($parsedcfg[$rootobj_name]) + break; + + return $parsedcfg[$rootobj_name]; } function dump_xml_config_sub(& $writer, $arr) { diff --git a/etc/inc/xmlrpc.inc b/etc/inc/xmlrpc.inc index 61167bf..ef4fc19 100644 --- a/etc/inc/xmlrpc.inc +++ b/etc/inc/xmlrpc.inc 
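Review bot: The lookup loop `foreach ($rootobj as $rootobj_name) if ($parsedcfg[$rootobj_name]) break;` signals success only through the loop variable's value after the loop, which is the last candidate when nothing matched and undefined when `$rootobj` is an empty array, so the `if (!$parsedcfg[$rootobj_name])` that follows logs a misleading name. The same loop in etc/inc/xmlreader.inc (the -128 hunk on this line) has no not-found check at all and silently returns null, so the two parsers now fail differently. Use an explicit result variable in both and log the full candidate list on failure, as below; parse_xml_config_raw starts before the hunk.
```php
    xml_parser_free($xml_parser);

    if (!is_array($rootobj))
        $rootobj = array($rootobj);
    $found = null;
    foreach ($rootobj as $candidate) {
        if (!empty($parsedcfg[$candidate])) {
            $found = $candidate;
            break;
        }
    }
    if ($found === null) {
        log_error("XML error: no " . implode("/", $rootobj) . " object found in {$cffile}!\n");
        return -1;
    }
    return $parsedcfg[$found];
```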
@@ -107,17 +107,36 @@ function php_value_to_xmlrpc($value, $force_array = false) { * the array before returning it. */ function xmlrpc_auth(&$params) { - global $config; + global $config, $_SERVER; + + if (!is_array($config['system']['user'])) { + array_shift($params); + unset($params['xmlrpcauth']); + log_error("webConfigurator authentication error for 'admin' from {$_SERVER['REMOTE_ADDR']} during sync settings."); + return false; + } + if (!isset($config['system']['user'][0]['password'])) { + array_shift($params); + unset($params['xmlrpcauth']); + log_error("webConfigurator authentication error for 'admin' from {$_SERVER['REMOTE_ADDR']} during sync settings."); + return false; + } + $localpass = $config['system']['user'][0]['password']; if(crypt($params[0], $localpass) == $localpass) { array_shift($params); + unset($params['xmlrpcauth']); return true; - } else if(crypt($params['xmlrpcauth'], $localpass) != $localpass) { + } else if(crypt($params['xmlrpcauth'], $localpass) == $localpass) { + array_shift($params); unset($params['xmlrpcauth']); - return false; + return true; } + + array_shift($params); unset($params['xmlrpcauth']); + log_error("webConfigurator authentication error for 'admin' from {$_SERVER['REMOTE_ADDR']} during sync settings."); return false; } -?>
\ No newline at end of file +?> diff --git a/etc/inc/xmlrpc_client.inc b/etc/inc/xmlrpc_client.inc index 462917b..39d6d70 100644 --- a/etc/inc/xmlrpc_client.inc +++ b/etc/inc/xmlrpc_client.inc @@ -190,7 +190,7 @@ $GLOBALS['XML_RPC_backslash'] = chr(92) . chr(92); * which can cause PHP's SAX-based XML parser to break? * @global boolean $GLOBALS['XML_RPC_auto_base64'] */ -$GLOBALS['XML_RPC_auto_base64'] = false; +$GLOBALS['XML_RPC_auto_base64'] = true; /** diff --git a/etc/phpshellsessions/externalconfiglocator b/etc/phpshellsessions/externalconfiglocator new file mode 100644 index 0000000..84534b3 --- /dev/null +++ b/etc/phpshellsessions/externalconfiglocator @@ -0,0 +1,3 @@ + +include("/etc/ecl.php"); + @@ -115,6 +115,7 @@ else fi if [ "$PLATFORM" = "cdrom" ] ; then + echo -n "Mounting unionfs directories..." /bin/mkdir /tmp/unionfs /bin/mkdir /tmp/unionfs/usr /bin/mkdir /tmp/unionfs/root @@ -122,21 +123,13 @@ if [ "$PLATFORM" = "cdrom" ] ; then /bin/mkdir /tmp/unionfs/bin /bin/mkdir /tmp/unionfs/boot /bin/mkdir /tmp/unionfs/confdefault - echo -n "Mounting unionfs directories:" - echo -n " usr" /sbin/mount_unionfs /tmp/unionfs/usr /usr/ - echo -n " root" /sbin/mount_unionfs /tmp/unionfs/root /root/ - echo -n " bin" /sbin/mount_unionfs /tmp/unionfs/bin /bin/ - echo -n " sbin" /sbin/mount_unionfs /tmp/unionfs/sbin /sbin/ - echo -n " boot" /sbin/mount_unionfs /tmp/unionfs/boot /boot/ - echo -n " conf.default" /sbin/mount_unionfs /tmp/unionfs/confdefault /conf.default/ - echo -n " installer" - echo "... done." + echo "done." fi echo -n "Creating symlinks..." 
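Review bot: `crypt($params[0], $localpass) == $localpass` (and the new `xmlrpcauth` branch) in the -107 hunk of etc/inc/xmlrpc.inc compares the password hash with `==`, a loose, early-exit string comparison; use a constant-time equality such as `hash_equals($localpass, crypt($params[0], $localpass))` where the PHP version provides it, and `===` at minimum. The three failure paths repeat `array_shift($params); unset($params['xmlrpcauth']); log_error(...)` verbatim — move them into a small local helper so the cleanup and the message cannot drift. `global $config, $_SERVER;` lists a superglobal, which needs no `global` declaration. The success branches log nothing, so the only trace of a sync request is its failures; a `log_error()` naming `{$_SERVER['REMOTE_ADDR']}` on success would give an audit trail of which peer authenticated.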
@@ -332,16 +325,31 @@ echo "done." if [ `/bin/ls -la /etc/gettytab | /usr/bin/awk '{ print $5'}` -lt 512 ]; then echo ">>> Restoring /etc/gettytab due to unusal size" echo ">>> Restoring /etc/gettytab due to unusal size" | /usr/bin/logger - cp /etc/gettytab.bak /etc/gettytab + /bin/cp /etc/gettytab.bak /etc/gettytab fi # Recreate capabilities DB -cap_mkdb /etc/login.conf +/usr/bin/cap_mkdb /etc/login.conf # Run the php.ini setup file and populate # /usr/local/etc/php.ini and /usr/local/lib/php.ini /etc/rc.php_ini_setup +# Launch external configuration loader for supported platforms +if [ "$PLATFORM" = "embedded" ]; then + /usr/local/bin/php -q /etc/ecl.php +fi + +# Launch external configuration loader for supported platforms +if [ "$PLATFORM" = "nanobsd" ]; then + /usr/local/bin/php -q /etc/ecl.php +fi + +# Launch external configuration loader for supported platforms +if [ "$PLATFORM" = "pfSense" ]; then + /usr/local/bin/php -q /etc/ecl.php +fi + nohup /usr/bin/nice -n20 /usr/local/sbin/check_reload_status # let the PHP-based configuration subsystem set up the system now @@ -379,12 +387,12 @@ echo "done." /bin/chmod a+rw /tmp/. echo "Bootup complete" -rm $varrunpath/booting +/bin/rm $varrunpath/booting /usr/local/bin/beep.sh start 2>&1 >/dev/null # Reset the cache. read-only requires this. -rm /tmp/config.cache +/bin/rm /tmp/config.cache /etc/rc.conf_mount_ro diff --git a/etc/rc.banner b/etc/rc.banner index 9b32334..6f81cb9 100755 --- a/etc/rc.banner +++ b/etc/rc.banner @@ -45,7 +45,7 @@ if(!$hideplatform) $platformbanner = "-{$platform}"; - print "\n*** Welcome to {$product} {$version}{$platformbanner} ({$machine}) on {$hostname} ***\n"; + print "*** Welcome to {$product} {$version}{$platformbanner} ({$machine}) on {$hostname} ***\n"; $iflist = get_configured_interface_with_descr(false, true); foreach($iflist as $ifname => $friendly) { diff --git a/etc/rc.bootup b/etc/rc.bootup index 2d39df6..fe1faa3 100755 --- a/etc/rc.bootup +++ b/etc/rc.bootup 
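Review bot: The three consecutive `if [ "$PLATFORM" = "..." ]; then /usr/local/bin/php -q /etc/ecl.php fi` blocks in the -332 hunk differ only in the platform name and repeat the same comment three times; a single `case "$PLATFORM" in embedded|nanobsd|pfSense) /usr/local/bin/php -q /etc/ecl.php ;; esac` states the list once and is the obvious place to add a fourth platform. The loader's exit status is ignored; if that is intended, say so beside the call, e.g. `# ecl.php exit status is intentionally ignored; boot continues regardless`. The file header for this hunk is not visible here, so I cannot name the rc script it belongs to.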
@@ -249,9 +249,6 @@ echo "Starting PFLOG..."; filter_pflog_start(); echo "done.\n"; -/* start load balancer daemon */ -relayd_configure(); - /* reconfigure our gateway monitor */ echo "Setting up gateway monitors..."; setup_gateways_monitor(); @@ -282,6 +279,9 @@ system_routing_configure(); /* enable routing */ system_routing_enable(); +/* start load balancer daemon */ +relayd_configure(); + /* configure console menu */ system_console_configure(); @@ -293,10 +293,6 @@ echo "done.\n"; /* Launch on bootup and keep trying to sync. Exit once time/date has been sync'd. */ mwexec_bg("/usr/local/sbin/ntpdate_sync_once.sh"); -/* static IP address? -> attempt DNS update */ -if (is_ipaddr($config['interfaces']['wan']['ipaddr'])) - services_dnsupdate_process(); - /* start DHCP service */ services_dhcpd_configure(); @@ -306,12 +302,15 @@ services_dnsmasq_configure(); /* start dhcpleases dhpcp hosts leases program */ system_dhcpleases_configure(); -/* start dyndns service */ -send_event("service reload dyndnsall"); - /* start DHCP relay */ services_dhcrelay_configure(); +/* dyndns service updates */ +send_event("service reload dyndnsall"); + +/* Run a filter configure now that most all services have started */ +filter_configure_sync(); + /* setup pppoe and pptp */ vpn_setup(); @@ -336,9 +335,6 @@ system_set_harddisk_standby(); /* lock down console if necessary */ auto_login(); -/* Run a filter configure now that most all services have started */ -filter_configure_sync(); - /* load graphing functions */ enable_rrd_graphing(); 
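Review bot: In the -306 hunk `filter_configure_sync()` is moved ahead of `vpn_setup()` (and, per the -336 hunk, removed from its place after `auto_login()`), but the comment carried with it still reads `/* Run a filter configure now that most all services have started */`, which no longer holds since vpn_setup, system_set_harddisk_standby and everything after them now start later. Reword it to what is actually true here, e.g. `/* Filter configure before vpn_setup(); rc.newwanip reloads the filter again on address changes */`, or, if the early placement has a reason I cannot see in this diff, document that reason. `relayd_configure()` is likewise moved after `system_routing_enable()` in the -282 hunk without a comment saying why it must follow routing.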
@@ -361,16 +357,16 @@ if($config['system']['afterbootupshellcmd'] <> "") { if($avail < $g['minimum_ram_warning']) { require_once("/etc/inc/notices.inc"); file_notice("{$g['product_name']}MemoryRequirements", "{$g['product_name']} requires at least {$g['minimum_ram_warning_text']} of RAM. Expect unusual performance. This platform is not supported.", "Memory", "", 1); - mwexec("sysctl net.inet.tcp.recvspace=4096"); - mwexec("sysctl net.inet.tcp.sendspace=4096"); + mwexec("/sbin/sysctl net.inet.tcp.recvspace=4096"); + mwexec("/sbin/sysctl net.inet.tcp.sendspace=4096"); } /* if we are operating at 1000 then increase timeouts. this was never accounted for after moving to 1000 hz */ -$kern_hz = `sysctl kern.clockrate | awk '{ print $5 }' | cut -d"," -f1`; +$kern_hz = `/sbin/sysctl kern.clockrate | /usr/bin/awk '{ print $5 }' | /usr/bin/cut -d"," -f1`; $kern_hz = trim($kern_hz, "\r\n"); if($kern_hz == "1000") - mwexec("sysctl net.inet.tcp.rexmit_min=30"); + mwexec("/sbin/sysctl net.inet.tcp.rexmit_min=30"); /* start the igmpproxy daemon */ services_igmpproxy_configure(); @@ -383,7 +379,7 @@ activate_powerd(); /* Remove the old shutdown binary if we kept it. */ if (file_exists("/sbin/shutdown.old")) - unlink("/sbin/shutdown.old"); + @unlink("/sbin/shutdown.old"); /* done */ unset($g['booting']); diff --git a/etc/rc.dyndns.update b/etc/rc.dyndns.update index a84cadd..557113c 100755 --- a/etc/rc.dyndns.update +++ b/etc/rc.dyndns.update @@ -38,9 +38,12 @@ require_once("shaper.inc"); $argument = trim($argv[1], " \n"); -if(empty($argument)) +if(empty($argument)) { services_dyndns_configure(); -else + services_dnsupdate_process(); +} else { services_dyndns_configure($argument); + services_dnsupdate_process($argument); +} ?> diff --git a/etc/rc.filter_configure_xmlrpc b/etc/rc.filter_configure_xmlrpc index 4a42df7..bd1f785 100755 --- a/etc/rc.filter_configure_xmlrpc +++ b/etc/rc.filter_configure_xmlrpc 
@@ -43,7 +43,6 @@ require_once("shaper.inc"); require_once("xmlrpc.inc"); require_once("interfaces.inc"); -filter_configure(); system_routing_configure(); setup_gateways_monitor(); relayd_configure(); @@ -51,4 +50,4 @@ require_once("openvpn.inc"); openvpn_resync_all(); services_dhcpd_configure(); -?>
\ No newline at end of file +?> diff --git a/etc/rc.filter_synchronize b/etc/rc.filter_synchronize index 15131b0..31843af 100755 --- a/etc/rc.filter_synchronize +++ b/etc/rc.filter_synchronize @@ -64,6 +64,13 @@ function backup_vip_config_section() { $section_val = 255; $section['advskew'] = $section_val; } + if($section['advbase'] <> "") { + $section_val = intval($section['advbase']); + $section_val=$section_val+1; + if($section_val > 255) + $section_val = 255; + $section['advbase'] = $section_val; + } $temp['vip'][] = $section; } return $temp; 
@@ -81,10 +88,59 @@ function remove_special_characters($string) { return $string; } +function carp_check_version($url, $password, $port = 80, $method = 'pfsense.host_firmware_version') { + global $config, $g; + + if(file_exists("{$g['varrun_path']}/booting") || $g['booting']) + return; + + $params = array( + XML_RPC_encode($password) + ); + + $numberofruns = 0; + while ($numberofruns < 2) { + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $username = $config['system']['user'][0]['name']; + $cli->setCredentials($username, $password); + if($numberofruns > 1) + $cli->setDebug(1); + /* send our XMLRPC message and timeout after 240 seconds */ + $resp = $cli->send($msg, "240"); + if(!is_object($resp)) { + $error = "A communications error occured while attempting XMLRPC sync with username {$username} {$url}:{$port}."; + } elseif($resp->faultCode()) { + $error = "An error code was received while attempting XMLRPC sync with username {$username} {$url}:{$port} - Code " . $resp->faultCode() . ": " . 
$resp->faultString(); + } else { + $parsed_response = XML_RPC_decode($resp->value()); + if(!is_array($parsed_response)) { + if (trim($parsed_response) == "Authentication failed") { + $error = "A authentication failure occurred while trying to access {$url}:{$port} ({$method})."; + log_error($error); + file_notice("sync_settings", $error, "Settings Sync", ""); + exit; + } + } else { + if (!isset($parsed_response['config_version']) || + $parsed_response['config_version'] < $config['version']) + return false; + else + return true; + } + } + log_error($error); + file_notice("sync_settings", $error, "Settings Sync", ""); + $numberofruns++; + } + + return false; +} + function carp_sync_xml($url, $password, $sections, $port = 80, $method = 'pfsense.restore_config_section') { global $config, $g; - if(file_exists("{$g['varrun_path']}/booting")) + if(file_exists("{$g['varrun_path']}/booting") || $g['booting']) return; update_filter_reload_status("Syncing CARP data to {$url}"); @@ -185,12 +241,7 @@ function carp_sync_xml($url, $password, $sections, $port = 80, $method = 'pfsens $cli->setDebug(1); /* send our XMLRPC message and timeout after 240 seconds */ $resp = $cli->send($msg, "240"); - if($resp->faultCode()) { - $error = "A communications error occurred while attempting communication with {$url}:{$port} (pfsense.exec_php)."; - log_error($error); - return; - } - if(!$resp) { + if(!is_object($resp)) { $error = "A communications error occured while attempting XMLRPC sync with username {$username} {$url}:{$port}."; log_error($error); file_notice("sync_settings", $error, "Settings Sync", ""); 
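Review bot: `$parsed_response['config_version'] < $config['version']` in the new `carp_check_version()` compares version strings with the numeric `<`, so a two-digit minor number sorts below a single-digit one; use `version_compare($parsed_response['config_version'], $config['version'], '<')`. `if($numberofruns > 1) $cli->setDebug(1);` can never be true inside `while ($numberofruns < 2)` and is dead code. `exit;` on `Authentication failed` terminates the whole calling script from inside a library-style function rather than returning `false` like every other failure path, and the booting early `return;` yields null while the other results are `true`/`false`. The function also has no header comment; add one such as `/* Ask the peer at $url for its config version; returns true when it is at least ours, false on an older peer or any communication error. */`.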
@@ -199,39 +250,43 @@ function carp_sync_xml($url, $password, $sections, $port = 80, $method = 'pfsens log_error($error); file_notice("sync_settings", $error, "Settings Sync", ""); } else { - log_error("XMLRPC sync successfully completed with {$url}:{$port}."); + $parsed_response = XML_RPC_decode($resp->value()); + if(!is_array($parsed_response) && trim($parsed_repsonse) == "Authentication failed") { + $error = "A authentication failure occurred while trying to access {$url}:{$port} ($method)."; + log_error($error); + file_notice("sync_settings", $error, "Settings Sync", ""); + exit; + } else + log_error("XMLRPC sync successfully completed with {$url}:{$port}."); $numberofruns = 3; } - $parsed_response = XML_RPC_Decode($resp->value()); - if(!is_array($firewall_info) && trim($firewall_info) == "Authentication failed") { - $error = "A authentication failure occurred while trying to access {$url}:{$port} (pfsense.exec_php)."; - log_error($error); - $numberofruns = 5; - } $numberofruns++; } } global $g; -if (file_exists("{$g['varrun_path']}/booting")) +if (file_exists("{$g['varrun_path']}/booting") || $g['booting']) return; if (is_array($config['installedpackages']['carpsettings']['config'])) { update_filter_reload_status("Building CARP sync information"); foreach($config['installedpackages']['carpsettings']['config'] as $carp) { - if ($carp['synchronizetoip'] != "" ) { - /* - * XXX: The way we're finding the port right now is really suboptimal - - * we can't assume that the other machine is setup identically. - */ - if ($config['system']['webgui']['protocol'] != "") { + if (empty($carp['synchronizetoip'])) { + log_error("CARP sync not being done because of missing sync ip!"); + break; + } + /* + * XXX: The way we're finding the port right now is really suboptimal - + * we can't assume that the other machine is setup identically. 
+ */ + if (!empty($config['system']['webgui']['protocol'])) { $synchronizetoip = $config['system']['webgui']['protocol']; $synchronizetoip .= "://"; } /* if port is empty lets rely on the protocol selection */ $port = $config['system']['webgui']['port']; - if ($port == "") { + if (empty($port)) { if ($config['system']['webgui']['protocol'] == "http") $port = "80"; else @@ -328,6 +383,12 @@ if (is_array($config['installedpackages']['carpsettings']['config'])) { if ($carp['synchronizecaptiveportal'] != "" and is_array($config['vouchers'])) $sections[] = 'vouchers'; if (count($sections) > 0) { + if (!carp_check_version($synchronizetoip, $carp['password'], $port)) { + update_filter_reload_status("The other member is on older version of {$g['product']}. Sync will not be done to prevent problems!"); + log_error("The other member is on older version of {$g['product']}. Sync will not be done to prevent problems!"); + break; + } + update_filter_reload_status("Signaling CARP reload signal..."); carp_sync_xml($synchronizetoip, $carp['password'], $sections, $port); if (is_array($mergesections)) @@ -356,7 +417,6 @@ if (is_array($config['installedpackages']['carpsettings']['config'])) { } } break; - } } } diff --git a/etc/rc.initial b/etc/rc.initial index 13fcbba..3d600f1 100755 --- a/etc/rc.initial +++ b/etc/rc.initial @@ -3,7 +3,7 @@ # $Id$ # /etc/rc.initial # part of pfSense by Scott Ullrich -# Copyright (C) 2004 Scott Ullrich, All rights reserved. +# Copyright (C) 2004-2010 Scott Ullrich, All rights reserved. # originally based on m0n0wall (http://neon1.net/m0n0wall) # Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. # All rights reserved. 
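Review bot: `trim($parsed_repsonse) == "Authentication failed"` in the -199 hunk reads a misspelled variable (`$parsed_repsonse` versus the `$parsed_response` assigned on the line above), so the authentication-failure branch can never fire and a rejected sync is logged as `XMLRPC sync successfully completed`; fix the spelling: `if(!is_array($parsed_response) && trim($parsed_response) == "Authentication failed") {`. The `exit;` in that branch terminates rc.filter_synchronize from inside carp_sync_xml rather than returning to the caller, which is the only place that knows whether other work remains. carp_sync_xml starts before this hunk.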
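Review bot: The two new messages in the -328 hunk interpolate `{$g['product']}`, but the globals key used elsewhere in this diff (rc.bootup's file_notice and rc.newwanip's log_error) is `$g['product_name']`, so the text will most likely render with an empty product name. Build the message once with the right key, `$msg = "The other member is on an older version of {$g['product_name']}. Sync will not be done to prevent problems!";`, and pass `$msg` to both `update_filter_reload_status()` and `log_error()` so the two cannot drift. The `break;` after the message also stops processing of any further carpsettings entries, which matches the `break;` at the loop's end, but a one-line comment saying the loop intentionally handles only the first entry would help.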
@@ -43,42 +43,39 @@ fi product=`grep product_name /etc/inc/globals.inc | cut -d'"' -f4` hidebanner=`grep hidebanner /etc/inc/globals.inc | cut -d'"' -f4` -# display a cheap menu -echo -echo -echo " ${product} console setup " -echo "***************************" -echo " 0) Logout (SSH only)" -echo " 1) Assign Interfaces" -echo " 2) Set interface(s) IP address" -echo " 3) Reset webConfigurator password" -echo " 4) Reset to factory defaults" -echo " 5) Reboot system" -echo " 6) Halt system" -echo " 7) Ping host" -echo " 8) Shell" -echo " 9) PFtop" -echo "10) Filter Logs" -echo "11) Restart webConfigurator" -echo "12) ${product} Developer Shell" -echo "13) Upgrade from console" +# Check to see if SSH is listening. SSHD=`/usr/bin/sockstat -4l | grep "*.22" | wc -l` if [ "$SSHD" -gt 0 ]; then - echo "14) Disable Secure Shell (sshd)"; + sshd_option="14) Disable Secure Shell (sshd)"; else - echo "14) Enable Secure Shell (sshd)"; + sshd_option="14) Enable Secure Shell (sshd)"; fi for i in /var/db/pfi/capable_*; do if [ -f $i -a ! -L /cf/conf ]; then - echo "98) Move configuration file to removable device" + option98="98) Move configuration file to removable device" break fi done if [ "$PLATFORM" = "cdrom" ]; then - echo "99) Install ${product} to a hard drive/memory drive, etc." - echo + option99="99) Install ${product} to a hard drive, etc." +fi + +# display a cheap menu +echo "" +echo "" +echo " 0) Logout (SSH only) 8) Shell" +echo " 1) Assign Interfaces 9) pfTop" +echo " 2) Set interface(s) IP address 10) Filter Logs" +echo " 3) Reset webConfigurator password 11) Restart webConfigurator" +echo " 4) Reset to factory defaults 12) ${product} Developer Shell" +echo " 5) Reboot system 13) Upgrade from console" +echo " 6) Halt system ${sshd_option}" +echo " 7) Ping host ${option98}" + +if [ "${option99}" != "" ]; then + /bin/echo "${option99}" fi echo diff --git a/etc/rc.newwanip b/etc/rc.newwanip index 347ccd0..a31cddc 100755 --- a/etc/rc.newwanip +++ b/etc/rc.newwanip 
@@ -41,6 +41,10 @@ require_once("ipsec.inc"); require_once("vpn.inc"); require_once("openvpn.inc"); +// Do not process while booting +if($g['booting']) + exit; + /* Interface IP address has changed */ $argument = str_replace("\n", "", $argv[1]); @@ -71,6 +75,10 @@ $oldip = "0.0.0.0"; if (file_exists("{$g['vardb_path']}/{$interface}_cacheip")) $oldip = file_get_contents("{$g['vardb_path']}/{$interface}_cacheip"); +$grouptmp = link_interface_to_group($interface); +if (!empty($grouptmp)) + array_walk($grouptmp, 'interface_group_add_member'); + /* regenerate resolv.conf if DNS overrides are allowed */ system_resolvconf_generate(true); @@ -84,8 +92,20 @@ system_routing_configure($interface); /* reconfigure our gateway monitor */ setup_gateways_monitor(); -if (is_ipaddr($oldip) && $curwanip == $oldip) +/* signal filter reload */ +filter_configure(); + +if (is_ipaddr($oldip) && $curwanip == $oldip) { + // Still need to sync VPNs on PPPoE and such, as even with the same IP the VPN software is unhappy with the IP disappearing. + if (in_array($config['interfaces'][$interface]['ipaddr'], array('pppoe', 'pptp', 'ppp'))) { + /* reconfigure IPsec tunnels */ + vpn_ipsec_force_reload(); + + /* start OpenVPN server & clients */ + openvpn_resync_all($interface); + } exit; +} /* perform RFC 2136 DNS update */ services_dnsupdate_process($interface); @@ -99,10 +119,6 @@ vpn_ipsec_force_reload(); /* start OpenVPN server & clients */ openvpn_resync_all($interface); -/* signal filter reload */ -unlink_if_exists("/tmp/config.cache"); -filter_configure(); - /* reload graphing functions */ enable_rrd_graphing(); @@ -111,5 +127,4 @@ mwexec_bg("/usr/local/sbin/ntpdate_sync_once.sh"); mwexec_bg("/etc/rc.start_packages"); log_error("{$g['product_name']} package system has detected an ip change $oldip -> $curwanip ... Restarting packages."); -return 0; ?> diff --git a/etc/rc.php_ini_setup b/etc/rc.php_ini_setup index b2b6320..6fc7589 100755 --- a/etc/rc.php_ini_setup +++ b/etc/rc.php_ini_setup 
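Review bot: The `in_array($config['interfaces'][$interface]['ipaddr'], array('pppoe', 'pptp', 'ppp'))` test in the unchanged-IP branch uses loose comparison and reads `ipaddr` without checking that it is set, which emits a notice on interfaces configured without that key; an `isset()` guard plus `in_array(..., true)` is safer, and if other PPP-family link types exist (l2tp, for instance) they would need listing too — confirm against interfaces.inc. `filter_configure()` now runs before the early `exit`, so an unchanged IP still triggers a full filter reload, while the later hunk drops the `unlink_if_exists("/tmp/config.cache")` that used to precede it; if that cache invalidation mattered, it is now gone. The `vpn_ipsec_force_reload(); openvpn_resync_all($interface);` pair is now duplicated between this branch and the lines after the hunk and could become one small local helper.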
@@ -26,7 +26,7 @@ # POSSIBILITY OF SUCH DAMAGE. # Set our operating platform -PLATFORM=`cat /etc/platform` +PLATFORM=`/bin/cat /etc/platform` EXTENSIONSDIR="/usr/local/lib/php/20060613/" # Grab amount of memory that is detected @@ -37,8 +37,8 @@ else fi if [ -z "$AVAILMEM" ]; then - MEM=`sysctl hw.physmem | cut -d':' -f2` - AVAILMEM=`expr $MEM / 1048576` + MEM=`/sbin/sysctl hw.physmem | cut -d':' -f2` + AVAILMEM=`/bin/expr $MEM / 1048576` fi # Calculate APC SHM size according @@ -132,18 +132,18 @@ PHPMODULES="$PHPMODULES pfSense" # Clear the .ini file to make sure we are clean if [ -f /usr/local/etc/php.ini ]; then - rm /usr/local/etc/php.ini + /bin/rm /usr/local/etc/php.ini fi if [ -f /usr/local/lib/php.ini ]; then - rm /usr/local/lib/php.ini + /bin/rm /usr/local/lib/php.ini fi -LOADED_MODULES=`/usr/local/bin/php -m | grep -v "\["` +LOADED_MODULES=`/usr/local/bin/php -m | /usr/bin/grep -v "\["` # Get a loaded module list in the stock php # Populate a dummy php.ini to avoid # the file being clobbered and the firewall # not being able to boot back up. -cat >/usr/local/lib/php.ini <<EOF +/bin/cat >/usr/local/lib/php.ini <<EOF ; File generated from /etc/rc.php_ini_setup output_buffering = "0" expose_php = Off @@ -168,16 +168,16 @@ extension_dir=${EXTENSIONSDIR} EOF # Copy php.ini file to etc/ too (cli) -cp /usr/local/lib/php.ini /usr/local/etc/php.ini +/bin/cp /usr/local/lib/php.ini /usr/local/etc/php.ini # Ensure directory exists if [ ! -d /etc/php_dynamodules ]; then - mkdir /etc/php_dynamodules + /bin/mkdir /etc/php_dynamodules fi # Read in dynamodules if [ -d /etc/php_dynamodules ]; then - DYNA_MODULES=`ls /etc/php_dynamodules/` + DYNA_MODULES=`/bin/ls /etc/php_dynamodules/` PHPMODULES="$PHPMODULES $DYNA_MODULES" fi 
@@ -200,12 +200,12 @@ for EXT in $PHPMODULES; do done # Get amount of ram installed on this system -RAM=`sysctl hw.realmem | awk '{print $2/1000000}' | awk -F '.' '{print $1}'` +RAM=`/sbin/sysctl hw.realmem | /usr/bin/awk '{print $2/1000000}' | /usr/bin/awk -F '.' '{print $1}'` export RAM export LOWMEM if [ "$RAM" -gt 96 ]; then - cat >>/usr/local/lib/php.ini <<EOF + /bin/cat >>/usr/local/lib/php.ini <<EOF ; APC Settings apc.enabled="1" @@ -217,10 +217,10 @@ EOF else LOWMEM="TRUE" echo ">>> WARNING! under 128 megabytes of ram detected. Not enabling APC." - echo ">>> WARNING! under 128 megabytes of ram detected. Not enabling APC." | logger -p daemon.info -i -t rc.php_ini_setup + echo ">>> WARNING! under 128 megabytes of ram detected. Not enabling APC." | /usr/bin/logger -p daemon.info -i -t rc.php_ini_setup fi - cat >>/usr/local/lib/php.ini <<EOF + /bin/cat >>/usr/local/lib/php.ini <<EOF [suhosin] suhosin.get.max_array_depth = 5000 
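Review bot: The changed warning line still says "under 128 megabytes of ram detected" while the test in the preceding hunk is `if [ "$RAM" -gt 96 ]`, so the message and the threshold disagree; either change the text to 96 or the test to 128 so that operators reading the daemon log see the real cut-off. The `if`/`else` this hunk sits in begins outside it.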
@@ -235,24 +235,25 @@ suhosin.request.max_array_depth = 5000 suhosin.request.max_array_index_length = 256 suhosin.request.max_vars = 5000 suhosin.request.max_value_length = 500000 +suhosin.memory_limit = 512435456 EOF # Copy php.ini file to etc/ too (cli) -cp /usr/local/lib/php.ini /usr/local/etc/php.ini +/bin/cp /usr/local/lib/php.ini /usr/local/etc/php.ini # Remove old log file if it exists. if [ -f /var/run/php_modules_load_errors.txt ]; then - rm /var/run/php_modules_load_errors.txt + /bin/rm /var/run/php_modules_load_errors.txt fi for EXT in $PHPMODULES; do - PHPMODULESLC="$PHPMODULESLC `echo "$EXT" | tr '[:upper:]' '[:lower:]'`" + PHPMODULESLC="$PHPMODULESLC `echo "$EXT" | /usr/bin/tr '[:upper:]' '[:lower:]'`" done # Check loaded modules and remove anything that did not load correctly -LOADED_MODULES=`/usr/local/bin/php -m | tr '[:upper:]' '[:lower:]' 2>/dev/null | grep -v "\["` +LOADED_MODULES=`/usr/local/bin/php -m | /usr/bin/tr '[:upper:]' '[:lower:]' 2>/dev/null | /usr/bin/grep -v "\["` for EXT in $PHPMODULESLC; do SHOULDREMOVE="true" for LM in $LOADED_MODULES; do @@ -272,12 +273,12 @@ for EXT in $PHPMODULESLC; do if [ "$SHOULDREMOVE" = "true" ]; then if [ -f "${EXTENSIONSDIR}${EXT}.so" ]; then echo ">>> ${EXT} did not load correctly. Removing from php.ini..." >> /var/run/php_modules_load_errors.txt - cat /usr/local/lib/php.ini | grep -v $EXT > /tmp/php.ini - rm -f /usr/local/lib/php.ini - mv /tmp/php.ini /usr/local/lib/php.ini + /bin/cat /usr/local/lib/php.ini | /usr/bin/grep -v $EXT > /tmp/php.ini + /bin/rm -f /usr/local/lib/php.ini + /bin/mv /tmp/php.ini /usr/local/lib/php.ini fi fi done # Copy php.ini file to etc/ too (cli) -cp /usr/local/lib/php.ini /usr/local/etc/php.ini +/bin/cp /usr/local/lib/php.ini /usr/local/etc/php.ini 
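Review bot: The added `suhosin.memory_limit = 512435456` is neither 512 MiB (536870912) nor 512 MB (512000000), which reads like a mistyped value; confirm the intended number and record it in a comment on the line above, e.g. `; 512 MiB ceiling a script may raise memory_limit to`. If this directive is meant to cap what scripts can raise `memory_limit` to, it should be no lower than the `memory_limit` written earlier in this file, which is outside the hunk — worth checking.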
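Review bot: `/usr/bin/grep -v $EXT` on the changed line removes every php.ini line that merely contains the module name as a substring, so a failed `xml` or `pdo` module would also strip `xmlrpc`/`simplexml` or `pdo_sqlite` entries; anchor the pattern to the extension entry (for instance `grep -v "^extension=${EXT}\.so"`, matched to however the loop earlier in the script writes those lines) and quote the variable. The rewrite also goes through a fixed `/tmp/php.ini` before being moved over the live file; `T=$(/usr/bin/mktemp /tmp/php.ini.XXXXXX)` gives a private, unpredictable path. `/bin/cat file | grep` can simply be `grep ... file`.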
@@ -53,7 +53,14 @@ if($g['platform'] == "nanobsd" and file_exists("/conf/sshd/ssh_host_key")) { if(!file_exists("/etc/ssh/ssh_host_key.pub")) { echo "Restoring SSH from /conf/sshd/"; - exec("cp /conf/sshd/* /etc/ssh/"); + exec("/bin/cp -p /conf/sshd/* /etc/ssh/"); + + /* make sure host private key permissions aren't too open so sshd won't complain */ + $files_to_check = array('ssh_host_dsa_key','ssh_host_key','ssh_host_rsa_key'); + foreach($files_to_check as $f2c) { + if(file_exists("/etc/ssh/{$f2c}")) + chmod("/etc/ssh/{$f2c}", 0600); + } } } @@ -176,7 +183,7 @@ if($g['platform'] == "nanobsd") { if(!is_dir("/conf/sshd")) exec("mkdir /conf/sshd"); - exec("cp /etc/ssh/ssh_host* /conf/sshd"); + exec("/bin/cp -p /etc/ssh/ssh_host* /conf/sshd"); } conf_mount_ro(); |
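Review bot: The return status of `exec("/bin/cp -p /conf/sshd/* /etc/ssh/")` is not checked, so if the restore fails the new chmod loop silently finds no files and sshd starts without the saved keys; capture it with `exec("/bin/cp -p /conf/sshd/* /etc/ssh/", $out, $rc);` and `log_error()` when `$rc` is non-zero, and likewise check `chmod()`'s return. The restore is keyed on the absence of `ssh_host_key.pub` only, so a private key missing while its `.pub` survives would skip the restore — confirm that is intended. The enclosing `if` begins outside the hunk.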
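Review bot: `exec("mkdir /conf/sshd")` on the line above the change keeps a relative command name while the `cp` was made absolute, which is inconsistent with the rest of this diff; `exec("/bin/mkdir -m 0700 /conf/sshd")` also keeps the directory holding the private host keys from being listable by other accounts, beyond what `cp -p` preserves on the files themselves. As in the earlier hunk, the `exec()` return code is unchecked, so a failed save goes unlogged.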