author | Vinicius Coque <vinicius.coque@bluepex.com> | 2011-05-23 15:41:26 -0300 |
---|---|---|
committer | Vinicius Coque <vinicius.coque@bluepex.com> | 2011-05-23 15:41:26 -0300 |
commit | d21d6e2090c6701041b8555cdaca9ad2c949d4f1 (patch) | |
tree | af0245350bcbb585909b9740c1ac51d3cb07aa80 /etc | |
parent | a51493d1981175048bdccce51f6b4ad6720da679 (diff) | |
parent | 042578fd634f8c54a158417527d018e0f8f56b95 (diff) | |
Merge remote-tracking branch 'mainline/master' into inc
Conflicts:
etc/inc/interfaces.inc
etc/inc/upgrade_config.inc
etc/inc/vpn.inc
Diffstat (limited to 'etc')
-rw-r--r-- | etc/bogons | 9 | ||||
-rw-r--r-- | etc/devd.conf | 5 | ||||
-rwxr-xr-x | etc/ecl.php | 2 | ||||
-rw-r--r-- | etc/inc/authgui.inc | 3 | ||||
-rw-r--r-- | etc/inc/captiveportal.inc | 4 | ||||
-rw-r--r-- | etc/inc/certs.inc | 18 | ||||
-rw-r--r-- | etc/inc/filter.inc | 42 | ||||
-rw-r--r-- | etc/inc/globals.inc | 1 | ||||
-rw-r--r-- | etc/inc/interfaces.inc | 93 | ||||
-rw-r--r-- | etc/inc/openvpn.inc | 5 | ||||
-rw-r--r-- | etc/inc/pfsense-utils.inc | 27 | ||||
-rw-r--r-- | etc/inc/services.inc | 1 | ||||
-rw-r--r-- | etc/inc/shaper.inc | 2 | ||||
-rw-r--r-- | etc/inc/system.inc | 7 | ||||
-rw-r--r-- | etc/inc/upgrade_config.inc | 16 | ||||
-rw-r--r-- | etc/inc/vpn.inc | 5 | ||||
-rw-r--r-- | etc/inc/vslb.inc | 107 | ||||
-rw-r--r-- | etc/version | 2 |
18 files changed, 219 insertions, 130 deletions
@@ -1,17 +1,10 @@
 0.0.0.0/8
-39.0.0.0/8
-102.0.0.0/8
-103.0.0.0/8
-104.0.0.0/8
-106.0.0.0/8
 127.0.0.0/8
 169.254.0.0/16
-179.0.0.0/8
-185.0.0.0/8
 192.0.0.0/24
 192.0.2.0/24
 198.18.0.0/15
 198.51.100.0/24
 203.0.113.0/24
 224.0.0.0/4
-240.0.0.0/4
\ No newline at end of file +240.0.0.0/4 diff --git a/etc/devd.conf b/etc/devd.conf index 7c63591..244af48 100644 --- a/etc/devd.conf +++ b/etc/devd.conf @@ -39,10 +39,7 @@ detach 100 { }; # -# Try to start dhclient on Ethernet like interfaces when the link comes -# up. Only devices that are configured to support DHCP will actually -# run it. No link down rule exists because dhclient automaticly exits -# when the link goes down. +# Signal upper levels that an event happened on ethernet class interface # notify 0 { match "system" "IFNET"; diff --git a/etc/ecl.php b/etc/ecl.php index 9f68919..47e187a 100755 --- a/etc/ecl.php +++ b/etc/ecl.php @@ -149,8 +149,8 @@ function find_config_xml() { exec("/sbin/umount /tmp/mnt/cf"); exit; } - exec("/sbin/umount /tmp/mnt/cf"); } + exec("/sbin/umount /tmp/mnt/cf"); } } } diff --git a/etc/inc/authgui.inc b/etc/inc/authgui.inc index 110765c..f05265e 100644 --- a/etc/inc/authgui.inc +++ b/etc/inc/authgui.inc @@ -226,8 +226,9 @@ if($config['virtualip']) $nifty_background = "#999"; print_info_box(gettext("You are accessing this router by an IP address not configured locally, which may be forwarded by NAT or other means. <br/><br/>If you did not setup this forwarding, you may be the target of a man-in-the-middle attack.")); } + $noautocomplete = isset($config['system']['webgui']['noautocomplete']) ? 'autocomplete="off"' : ''; ?> - <form id="iform" name="login_iform" method="post" action="<?=$_SERVER['SCRIPT_NAME'];?>"> + <form id="iform" name="login_iform" method="post" <?= $noautocomplete ?> action="<?=$_SERVER['SCRIPT_NAME'];?>"> <h1></h1> <div id="inputerrors"><?=$_SESSION['Login_Error'];?></div> <p> diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc index fb2384c..4ebb010 100644 --- a/etc/inc/captiveportal.inc +++ b/etc/inc/captiveportal.inc 
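Review bot: The rewritten `<form>` line in authgui.inc still prints `$_SERVER['SCRIPT_NAME']` into the `action` attribute without escaping; the value is normally server-derived, but escaping it is free and keeps the login page consistent with the rest of the output: `action="<?=htmlspecialchars($_SERVER['SCRIPT_NAME']);?>"`. The new `$noautocomplete` toggle itself reads the flag with `isset`, which is fine for a presence-only option. The surrounding PHP block starts outside the hunk.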
@@ -1659,8 +1659,8 @@ function portal_allow($clientip,$clientmac,$username,$password = null, $attribut */ $peruserbw = isset($config['captiveportal']['peruserbw']); - $bw_up = isset($attributes['bw_up']) ? trim($attributes['bw_up']) : $config['captiveportal']['bwdefaultup']; - $bw_down = isset($attributes['bw_down']) ? trim($attributes['bw_down']) : $config['captiveportal']['bwdefaultdn']; + $bw_up = isset($attributes['bw_up']) ? round(intval($attributes['bw_up'])/1000, 2) : $config['captiveportal']['bwdefaultup']; + $bw_down = isset($attributes['bw_down']) ? round(intval($attributes['bw_down'])/1000, 2) : $config['captiveportal']['bwdefaultdn']; if ($passthrumac) { $mac = array(); diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc index 2b192c1..357ac05 100644 --- a/etc/inc/certs.inc +++ b/etc/inc/certs.inc @@ -479,14 +479,16 @@ function crl_update(& $crl) { if (!$ca) return false; // If we have text but no certs, it was imported and cannot be updated. - if (!empty($crl['text']) && empty($crl['cert'])) + if (($crl["method"] != "internal") && (!empty($crl['text']) && empty($crl['cert']))) return false; $crl['serial']++; $ca_str_crt = base64_decode($ca['crt']); $ca_str_key = base64_decode($ca['prv']); $crl_res = openssl_crl_new($ca_str_crt, $crl['serial'], $crl['lifetime']); - foreach ($crl['cert'] as $cert) { - openssl_crl_revoke_cert($crl_res, base64_decode($cert["crt"]), $cert["revoke_time"], $cert["reason"]); + if (is_array($crl['cert']) && (count($crl['cert']) > 0)) { + foreach ($crl['cert'] as $cert) { + openssl_crl_revoke_cert($crl_res, base64_decode($cert["crt"]), $cert["revoke_time"], $cert["reason"]); + } } openssl_crl_export($crl_res, $crl_text, $ca_str_key); $crl['text'] = base64_encode($crl_text); 
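Review bot: `isset($attributes['bw_up'])` is true for an empty or non-numeric RADIUS attribute, and `intval()` then yields 0, so such a reply now sets a zero bandwidth instead of falling back to `bwdefaultup`; the same holds for `bw_down`. Guarding the condition with `is_numeric($attributes['bw_up'])` keeps the configured default for malformed attributes: `$bw_up = (isset($attributes['bw_up']) && is_numeric($attributes['bw_up'])) ? round(intval($attributes['bw_up'])/1000, 2) : $config['captiveportal']['bwdefaultup'];`. The `/1000` also changes the unit compared with the old `trim()` path (presumably bit/s to kbit/s — confirm), so a short comment stating the expected attribute unit would help. portal_allow continues outside the hunk.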
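Review bot: `$crl["method"] != "internal"` in crl_update reads an index that older CRL entries lack — the cert_unrevoke hunk in this same diff adds `if (!isset($crl['method']))` for exactly that case — so on those entries the check raises an undefined-index notice and only happens to evaluate true. Make the fallback explicit: `if ((!isset($crl['method']) || $crl['method'] != "internal") && (!empty($crl['text']) && empty($crl['cert'])))`. The is_crl_internal hunk further down has the same unguarded read and should get the same `isset` guard. crl_update continues outside the hunk.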
@@ -514,7 +516,13 @@ function cert_unrevoke($cert, & $crl) { foreach ($crl['cert'] as $id => $rcert) { if (($rcert['refid'] == $cert['refid']) || ($rcert['descr'] == $cert['descr'])) { unset($crl['cert'][$id]); - crl_update($crl); + if (count($crl['cert']) == 0) { + // Protect against accidentally switching the type to imported, for older CRLs + if (!isset($crl['method'])) + $crl['method'] = "internal"; + crl_update($crl); + } else + crl_update($crl); return true; } } @@ -564,7 +572,7 @@ function crl_in_use($crlref) { } function is_crl_internal($crl) { - return !(!empty($crl['text']) && empty($crl['cert'])); + return (!(!empty($crl['text']) && empty($crl['cert'])) || ($crl["method"] == "internal")); } ?> diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 4340f1c..edff4d5 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -1538,14 +1538,6 @@ function filter_nat_rules_generate() { } } fclose($inetd_fd); // Close file handle - // Check if inetd is running, if not start it. If so, restart it gracefully. - $helpers = isvalidproc("inetd"); - if(file_exists("/var/etc/inetd.conf")) { - if(!$helpers) - mwexec("/usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.conf"); - else - sigkillbypid("/var/run/inetd.pid", "HUP"); - } if (isset($config['pptpd']['mode']) && ($config['pptpd']['mode'] != "off")) { if ($config['pptpd']['mode'] == "redir") { @@ -1565,6 +1557,15 @@ function filter_nat_rules_generate() { if(!empty($reflection_txt)) $natrules .= "\n# Reflection redirects and NAT for 1:1 mappings\n" . $reflection_txt; + // Check if inetd is running, if not start it. If so, restart it gracefully. + $helpers = isvalidproc("inetd"); + if(file_exists("/var/etc/inetd.conf")) { + if(!$helpers) + mwexec("/usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.conf"); + else + sigkillbypid("/var/run/inetd.pid", "HUP"); + } + return $natrules; } 
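Review bot: Both branches of the new `if (count($crl['cert']) == 0) … else` in cert_unrevoke end in `crl_update($crl)`, so the `else` only duplicates the call; folding the default into the condition reads more directly: `if (count($crl['cert']) == 0 && !isset($crl['method'])) $crl['method'] = "internal";` followed by a single `crl_update($crl);`. Note that crl_update returns false for CRLs it refuses to rebuild (see its hunk above) and that result is discarded here, so un-revoking a certificate on an imported CRL silently leaves the published CRL unchanged; propagating that result to the caller would make the failure visible. cert_unrevoke's loop continues outside the hunk.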
@@ -1887,7 +1888,7 @@ function filter_generate_user_rule($rule) { } else $aline['flags'] .= "keep state "; - if($noadvoptions == false) + if($noadvoptions == false || $l7_present) if( (isset($rule['source-track']) and $rule['source-track'] <> "") or (isset($rule['max']) and $rule['max'] <> "") or (isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "") or @@ -1896,7 +1897,7 @@ function filter_generate_user_rule($rule) { (isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "") or (isset($rule['max-src-states']) and $rule['max-src-states'] <> "") or (isset($rule['statetimeout']) and $rule['statetimeout'] <> "") or - isset($rule['sloppy'])) { + isset($rule['sloppy']) or $l7_present) { $aline['flags'] .= "( "; if (isset($rule['sloppy'])) $aline['flags'] .= "sloppy "; @@ -1920,6 +1921,9 @@ function filter_generate_user_rule($rule) { $aline['flags'] .= "/" . $rule['max-src-conn-rates'] . ", overload <virusprot> flush global "; } + if(!empty($aline['divert'])) + $aline['flags'] .= "max-packets 8 "; + $aline['flags'] .= " ) "; } } 
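Review bot: The `max-packets 8` added for diverted (layer7) rules is a bare constant that has to agree with the `-n 8` passed to ipfw-classifyd in the shaper.inc hunk of this same diff; a comment tying the two together keeps the next change consistent, e.g. `// must match the -n packet count given to ipfw-classifyd in layer7_start_l7daemon()`. `$l7_present` is set outside the hunk, so whether a rule with no advanced options can now reach the `( … )` block with only `max-packets` inside depends on that earlier code — worth a sentence in the comment as well. filter_generate_user_rule continues outside the hunk.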
@@ -2770,32 +2774,32 @@ function filter_generate_ipsec_rules() { } /* Add rules to allow IKE to pass */ - $shorttunneldescr = substr($descr, 0, 36); + $shorttunneldescr = substr($descr, 0, 35); $ipfrules .= <<<EOD -pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 500 keep state label \"IPsec: {$shorttunneldescr} - outbound isakmp\" -pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 500 keep state label \"IPsec: {$shorttunneldescr} - inbound isakmp\" +pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 500 keep state label "IPsec: {$shorttunneldescr} - outbound isakmp" +pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 500 keep state label "IPsec: {$shorttunneldescr} - inbound isakmp" EOD; /* If NAT-T is enabled, add additional rules */ if($ph1ent['nat_traversal'] != "off" ) { $ipfrules .= <<<EOD -pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 4500 keep state label \"IPsec: {$shorttunneldescr} - outbound nat-t\" -pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 4500 keep state label \"IPsec: {$shorttunneldescr} - inbound nat-t\" +pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 4500 keep state label "IPsec: {$shorttunneldescr} - outbound nat-t" +pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 4500 keep state label "IPsec: {$shorttunneldescr} - inbound nat-t" EOD; } /* Add rules to allow the protocols in use */ if($prot_used_esp == true) { $ipfrules .= <<<EOD -pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto esp from any to {$rgip} keep state label \"IPsec: {$shorttunneldescr} - outbound esp proto\" -pass in on 
\${$FilterIflist[$parentinterface]['descr']} $reply_to proto esp from {$rgip} to any keep state label \"IPsec: {$shorttunneldescr} - inbound esp proto\" +pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto esp from any to {$rgip} keep state label "IPsec: {$shorttunneldescr} - outbound esp proto" +pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto esp from {$rgip} to any keep state label "IPsec: {$shorttunneldescr} - inbound esp proto" EOD; } if($prot_used_ah == true) { $ipfrules .= <<<EOD -pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto ah from any to {$rgip} keep state label \"IPsec: {$shorttunneldescr} - outbound ah proto\" -pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto ah from {$rgip} to any keep state label \"IPsec: {$shorttunneldescr} - inbound ah proto\" +pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto ah from any to {$rgip} keep state label "IPsec: {$shorttunneldescr} - outbound ah proto" +pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto ah from {$rgip} to any keep state label "IPsec: {$shorttunneldescr} - inbound ah proto" EOD; } diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc index 21460c5..2168765 100644 --- a/etc/inc/globals.inc +++ b/etc/inc/globals.inc @@ -153,7 +153,6 @@ $sysctls = array("net.inet.ip.portrange.first" => "1024", "net.link.bridge.pfil_member" => "1", "net.link.bridge.pfil_bridge" => "0", "net.link.tap.user_open" => "1", - "kern.rndtest.verbose" => "0", "kern.randompid" => "347", "net.inet.ip.intr_queue_maxlen" => "1000", "hw.syscons.kbd_reboot" => "0", diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc index 02eadf4..3f3b02d 100644 --- a/etc/inc/interfaces.inc +++ b/etc/inc/interfaces.inc 
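Review bot: `$shorttunneldescr` is cut from `$descr` and placed inside a double-quoted pf `label`, but nothing strips `"` from it, so a phase-1 description containing a quote will likely produce a ruleset that pfctl refuses to load; `$shorttunneldescr = substr(str_replace('"', '', $descr), 0, 35);` avoids that. Dropping the `\"` escapes is correct — a heredoc keeps the backslash literally, so the old labels carried stray backslashes. The change from 36 to 35 is presumably to keep `IPsec: … - outbound esp proto` within pf's label length limit; a one-line comment saying so would stop it being bumped back. filter_generate_ipsec_rules continues outside the hunk.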
@@ -255,6 +255,7 @@ function interface_qinq_configure(&$vlan, $fd = NULL) { /* make sure the parent is converted to ng_vlan(4) and is up */ interfaces_bring_up($qinqif); + pfSense_ngctl_attach(".", $qinqif); if (!empty($vlanif) && does_interface_exist($vlanif)) { fwrite($fd, "shutdown {$qinqif}qinq:\n"); exec("/usr/sbin/ngctl msg {$qinqif}qinq: gettable", $result); @@ -364,7 +365,7 @@ function interfaces_create_wireless_clones() { echo " " . gettext("done.") . "\n"; } -function interfaces_bridge_configure() { +function interfaces_bridge_configure($checkmember = 0) { global $config; $i = 0; @@ -372,6 +373,10 @@ function interfaces_bridge_configure() { foreach ($config['bridges']['bridged'] as $bridge) { if(empty($bridge['bridgeif'])) $bridge['bridgeif'] = "bridge{$i}"; + if ($checkmember == 1 && (strstr($bridge['members'], "gif") || strstr($bridge['members'], "gre"))) + continue; + if ($checkmember == 2 && !strstr($bridge['members'], "gif") && !strstr($bridge['members'], "gre")) + continue; /* XXX: Maybe we should report any errors?! */ interface_bridge_configure($bridge); $i++; @@ -411,6 +416,8 @@ function interface_bridge_configure(&$bridge) { $realif = get_real_interface($member); $opts = pfSense_get_interface_addresses($realif); $mtu = $opts['mtu']; + if (substr($realif, 0, 3) == "gif" && $mtu < 1500) + continue; if (!isset($opts['encaps']['txcsum'])) $commontx = false; if (!isset($opts['encaps']['rxcsum'])) 
@@ -685,13 +692,17 @@ function interface_lagg_configure(&$lagg) { return $laggif; } -function interfaces_gre_configure() { +function interfaces_gre_configure($checkparent = 0) { global $config; if (is_array($config['gres']['gre']) && count($config['gres']['gre'])) { foreach ($config['gres']['gre'] as $i => $gre) { if(empty($gre['greif'])) $gre['greif'] = "gre{$i}"; + if ($checkparent == 1 && strstr($gre['if'], "vip")) + continue; + if ($checkparent == 2 && !strstr($gre['if'], "vip")) + continue; /* XXX: Maybe we should report any errors?! */ interface_gre_configure($gre); } @@ -740,13 +751,17 @@ function interface_gre_configure(&$gre, $grekey = "") { return $greif; } -function interfaces_gif_configure() { +function interfaces_gif_configure($checkparent = 0) { global $config; if (is_array($config['gifs']['gif']) && count($config['gifs']['gif'])) { foreach ($config['gifs']['gif'] as $i => $gif) { if(empty($gif['gifif'])) $gre['gifif'] = "gif{$i}"; + if ($checkparent == 1 && strstr($gif['if'], "vip")) + continue; + if ($checkparent == 2 && !strstr($gif['if'], "vip")) + continue; /* XXX: Maybe we should report any errors?! */ interface_gif_configure($gif); } 
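Review bot: In interfaces_gif_configure the context line `$gre['gifif'] = "gif{$i}";` assigns the default name to the wrong array — it should be `$gif['gifif']` — so a gif entry without a stored name reaches interface_gif_configure with an empty `gifif`; that predates this commit, but the new `$checkparent` branches sit right below it, so it is worth fixing while here. Also, `strstr($gre['if'], "vip")` used as a boolean matches "vip" anywhere in the parent name; if a prefix is intended, `substr($gre['if'], 0, 3) == "vip"` states that more precisely (same for the gif hunk). Both enclosing functions continue outside the hunk.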
@@ -843,12 +858,30 @@ function interfaces_configure() { /* create the unconfigured wireless clones */ interfaces_create_wireless_clones(); + /* + * NOTE: The following function parameter consists of + * 1 - Do not load gre/gif/bridge with parent/member as vip + * 2 - Do load gre/gif/bridge with parent/member as vip + */ + /* set up GRE virtual interfaces */ - interfaces_gre_configure(); + interfaces_gre_configure(1); /* set up GIF virtual interfaces */ - interfaces_gif_configure(); - + interfaces_gif_configure(1); + + /* set up BRIDGe virtual interfaces */ + interfaces_bridge_configure(1); + + /* bring up vip interfaces */ + interfaces_vips_configure(); + + /* set up GRE virtual interfaces */ + interfaces_gre_configure(2); + + /* set up GIF virtual interfaces */ + interfaces_gif_configure(2); + foreach ($delayed_list as $if => $ifname) { if ($g['booting']) printf(gettext("Configuring %s interface..."), $ifname); @@ -862,7 +895,7 @@ function interfaces_configure() { } /* set up BRIDGe virtual interfaces */ - interfaces_bridge_configure(); + interfaces_bridge_configure(2); foreach ($bridge_list as $if => $ifname) { if ($g['booting']) @@ -876,9 +909,6 @@ function interfaces_configure() { echo gettext("done.") . "\n"; } - /* bring up vip interfaces */ - interfaces_vips_configure(); - /* configure interface groups */ interfaces_group_setup(); @@ -1578,7 +1608,6 @@ function interfaces_carp_setup() { unset($pfsyncenabled); } - $cmdchain->add(gettext("Allow CARP"), "/sbin/sysctl net.inet.carp.allow=1", true); if($balanacing) { $cmdchain->add(gettext("Enable CARP ARP-balancing"), "/sbin/sysctl net.inet.carp.arpbalance=1", true); $cmdchain->add(gettext("Disallow CARP preemption"), "/sbin/sysctl net.inet.carp.preempt=0", true); 
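Review bot: The meaning of the `1`/`2` arguments is documented only here at the call site, while the callees `interfaces_gre_configure($checkparent = 0)`, `interfaces_gif_configure($checkparent = 0)` and `interfaces_bridge_configure($checkmember = 0)` carry no description of the protocol; each signature should get the same comment, or the three values should become named constants, so the two-pass ordering survives the next edit. `/* set up GRE virtual interfaces */` and `/* set up GIF virtual interfaces */` now each appear twice; qualify the second copies as the post-vip pass. interfaces_configure continues outside the hunk.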
@@ -1595,8 +1624,8 @@ function interfaces_carp_setup() { */ $fd = fopen("{$g['tmp_path']}/rules.boot", "w"); if ($fd) { - fwrite($fd, "pass quick proto carp all keep state\n"); - fwrite($fd, "pass quick proto pfsync all\n"); + fwrite($fd, "block quick proto carp \n"); + fwrite($fd, "block quick proto pfsync \n"); fwrite($fd, "pass out quick from any to any keep state\n"); fclose($fd); mwexec("/sbin/pfctl -f {$g['tmp_path']}/rules.boot"); @@ -1725,10 +1754,8 @@ function interfaces_vips_configure($interface = "") { case "carp": if ($interface <> "" && $vip['interface'] <> $interface) continue; - if ($carp_setuped == false) { - interfaces_carp_setup(); + if ($carp_setuped == false) $carp_setuped = true; - } interface_carp_configure($vip); break; case "carpdev-dhcp": @@ -1738,7 +1765,8 @@ function interfaces_vips_configure($interface = "") { break; } } - + if ($carp_setuped == true) + interfaces_carp_setup(); if ($anyproxyarp == true) interface_proxyarp_configure(); } @@ -2490,7 +2518,8 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven // Need code to handle MLPPP if we ever use $realhwif for MLPPP handling $realhwif = $realhwif_array[0]; - if (!$g['booting']) { + + if (!$g['booting'] && !substr($realif, 0, 4) == "ovpn") { /* remove all IPv4 addresses */ while (mwexec("/sbin/ifconfig " . escapeshellarg($realif) . " -alias", true) == 0); @@ -2552,6 +2581,11 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven } if (!empty($wancfg['mtu'])) pfSense_interface_mtu($realhwif, $wancfg['mtu']); + else { + $mtu = get_interface_default_mtu(remove_numbers($realhwif)); + if ($mtu != get_interface_mtu($realhwif)) + pfSense_interface_mtu($realhwif, $mtu); + } $options = pfSense_get_interface_addresses($realhwif); if (is_array($options) && isset($options['caps']['polling'])) { 
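Review bot: `!substr($realif, 0, 4) == "ovpn"` in interface_configure does not do what it says: `!` binds before `==`, so the expression compares `false` with `"ovpn"` and is false for every non-empty `$realif`, which means the block guarded by this `if` (starting with the IPv4 address removal) is now skipped on every non-boot reconfigure. The intended check is `if (!$g['booting'] && substr($realif, 0, 4) != "ovpn") {`. Separately, in the rules.boot hunk the new `"block quick proto carp \n"` and `"block quick proto pfsync \n"` carry a trailing space before the newline. interface_configure continues outside the hunk.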
@@ -2633,7 +2667,7 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven } else if (substr($realif, 0, 3) == "gif") { if (is_array($config['gifs']['gif'])) { foreach ($config['gifs']['gif'] as $gif) - if($gif['gifif'] == $interface) + if($gif['gifif'] == $realif) interface_gif_configure($gif); } } else if (substr($realif, 0, 4) == "ovpn") { @@ -3662,6 +3696,27 @@ EOD; unlink_if_exists($cron_file); } +function get_interface_default_mtu($type = "ethernet") { + switch ($type) { + case "gre": + return 1476; + break; + case "gif": + return 1280; + break; + case "tun": + case "vlan": + case "tap": + case "ethernet": + default: + return 1500; + break; + } + + /* Never reached */ + return 1500; +} + function get_vip_descr($ipaddress) { global $config; diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc index 17769bf..4ba2f3f 100644 --- a/etc/inc/openvpn.inc +++ b/etc/inc/openvpn.inc @@ -382,13 +382,15 @@ function openvpn_reconfigure($mode, $settings) { // configure p2p/server modes switch($settings['mode']) { + case 'p2p_tls': + $conf .= "server {$ip} {$mask}\n"; + $conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n"; case 'p2p_shared_key': $baselong = ip2long32($ip) & ip2long($mask); $ip1 = long2ip32($baselong + 1); $ip2 = long2ip32($baselong + 2); $conf .= "ifconfig $ip1 $ip2\n"; break; - case 'p2p_tls': case 'server_tls': case 'server_user': case 'server_tls_user': @@ -951,6 +953,7 @@ function openvpn_refresh_crls() { case 'server_user': if (!empty($settings['crlref'])) { $crl = lookup_crl($settings['crlref']); + crl_update($crl); $fpath = $g['varetc_path']."/openvpn/server{$settings['vpnid']}.crl-verify"; file_put_contents($fpath, base64_decode($crl['text'])); @chmod($fpath, 0644); diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index a352cf2..a6a9c58 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc 
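Review bot: In the new get_interface_default_mtu every `break` follows a `return`, and the trailing `return 1500` is even marked `/* Never reached */` — all of it is dead code that a linter will flag; drop the `break`s and the final return and let `default` be the only 1500 path. A one-line header comment stating what `$type` is (the interface name with digits stripped, judging by the `remove_numbers($realhwif)` call site in the earlier hunk — confirm) would make the function self-explanatory.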
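Review bot: `case 'p2p_tls':` in openvpn_reconfigure now deliberately falls through into `p2p_shared_key` so that the `ifconfig` line is emitted after `server`; an explicit `// fall through` comment at the end of the `p2p_tls` case prevents a future `break` from being added by mistake. In openvpn_refresh_crls, `crl_update($crl)` bumps `$crl['serial']` and regenerates the text through its by-reference parameter, but nothing in the hunk writes the updated entry back; if `lookup_crl` returns a copy, each refresh re-issues a CRL with the same serial as the previous one — confirm whether the caller persists it. Both enclosing switches continue outside the hunk.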
@@ -703,7 +703,20 @@ function call_pfsense_method($method, $params, $timeout = 0) { $xmlrpc_base_url = isset($config['system']['altpkgrepo']['enable']) ? $config['system']['altpkgrepo']['xmlrpcbaseurl'] : $g['xmlrpcbaseurl']; $xmlrpc_path = $g['xmlrpcpath']; $msg = new XML_RPC_Message($method, array(XML_RPC_Encode($params))); - $cli = new XML_RPC_Client($xmlrpc_path, $xmlrpc_base_url); + $port = 0; + $proxyurl = ""; + $proxyport = 0; + $proxyuser = ""; + $proxypass = ""; + if (!empty($config['system']['httpproxy'])) + $proxyurl = $config['system']['httpproxy']; + if (!empty($config['system']['httpproxyport']) && is_numeric($config['system']['httpproxyport'])) + $proxyport = $config['system']['httpproxyport']; + if (!empty($config['system']['httpproxyuser'])) + $proxyuser = $config['system']['httpproxyuser']; + if (!empty($config['system']['httpproxypass'])) + $proxypass = $config['system']['httpproxypass']; + $cli = new XML_RPC_Client($xmlrpc_path, $xmlrpc_base_url, $port, $proxyurl, $proxyport, $proxyuser, $proxypass); // If the ALT PKG Repo has a username/password set, use it. if($config['system']['altpkgrepo']['username'] && $config['system']['altpkgrepo']['password']) { @@ -1430,7 +1443,7 @@ function get_freebsd_version() { } function download_file_with_progress_bar($url_file, $destination_file, $readbody = 'read_body', $connect_timeout=60, $timeout=0) { - global $ch, $fout, $file_size, $downloaded; + global $ch, $fout, $file_size, $downloaded, $config; $file_size = 1; $downloaded = 1; /* open destination file */ 
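Review bot: call_pfsense_method reads the proxy settings from `$config['system']['httpproxy']`, `httpproxyport`, `httpproxyuser` and `httpproxypass`, while the download_file_with_progress_bar hunk below reads `$config['system']['proxyurl']`, `proxyport`, `proxyuser` and `proxypass`; only one of these key sets can match what the GUI stores, so one of the two code paths never applies the proxy. Pick the key set the system page writes and use it in both places, ideally via one small helper that returns the four values. The seven positional arguments to `XML_RPC_Client` are hard to read; a comment naming the parameter order would help. call_pfsense_method continues outside the hunk.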
@@ -1452,6 +1465,16 @@ function download_file_with_progress_bar($url_file, $destination_file, $readbody curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $connect_timeout); curl_setopt($ch, CURLOPT_TIMEOUT, $timeout); + if (!empty($config['system']['proxyurl'])) { + curl_setopt($ch, CURLOPT_PROXY, $config['system']['proxyurl']); + if (!empty($config['system']['proxyport'])) + curl_setopt($ch, CURLOPT_PROXYPORT, $config['system']['proxyport']); + if (!empty($config['system']['proxyuser']) && !empty($config['system']['proxypass'])) { + @curl_setopt($ch, CURLOPT_PROXYAUTH, CURLAUTH_ANY | CURLAUTH_ANYSAFE); + curl_setopt($ch, CURLOPT_PROXYUSERPASS, "{$config['system']['proxyuser']}:{$config['system']['proxypass']}"); + } + } + @curl_exec($ch); $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE); if($fout) diff --git a/etc/inc/services.inc b/etc/inc/services.inc index 3e9de7b..291b2b5 100644 --- a/etc/inc/services.inc +++ b/etc/inc/services.inc @@ -436,6 +436,7 @@ EOD; $realif = get_real_interface($ifn); $igmpconf .= "phyint {$realif} disabled\n"; } + $igmpconf .= "\n"; $igmpfl = fopen($g['tmp_path'] . "/igmpproxy.conf", "w"); if (!$igmpfl) { diff --git a/etc/inc/shaper.inc b/etc/inc/shaper.inc index ec1bf74..67a1dae 100644 --- a/etc/inc/shaper.inc +++ b/etc/inc/shaper.inc @@ -3740,7 +3740,7 @@ function layer7_start_l7daemon() { mwexec("/bin/kill -HUP {$l7pid[0]}"); } else { // XXX: Hardcoded number of packets to garbage collect and queue length.. - $ipfw_classifyd_init = "/usr/local/sbin/ipfw-classifyd -n 5 -q 700 -c {$path} -p " . $l7rules->GetRPort() . " -P /usr/local/share/protocols"; + $ipfw_classifyd_init = "/usr/local/sbin/ipfw-classifyd -n 8 -q 700 -c {$path} -p " . $l7rules->GetRPort() . " -P /usr/local/share/protocols"; mwexec_bg($ipfw_classifyd_init); } } diff --git a/etc/inc/system.inc b/etc/inc/system.inc index 1b80378..ea0be9b 100644 --- a/etc/inc/system.inc +++ b/etc/inc/system.inc 
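Review bot: `@curl_setopt($ch, CURLOPT_PROXYAUTH, …)` silences any failure to set the option, so a cURL build that rejects it would silently go on to the proxy without the intended authentication; drop the `@` and check the return value instead. `CURLAUTH_ANY | CURLAUTH_ANYSAFE` is just `CURLAUTH_ANY` (the superset), and `CURLAUTH_ANY` includes Basic, which sends the proxy credentials in clear text to the proxy — if that is not acceptable, use `CURLAUTH_ANYSAFE` alone. download_file_with_progress_bar continues outside the hunk.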
@@ -1086,6 +1086,11 @@ EOD; $lighty_config .= "## " . gettext("ssl configuration") . "\n"; $lighty_config .= "ssl.engine = \"enable\"\n"; $lighty_config .= "ssl.pemfile = \"{$g['varetc_path']}/{$cert_location}\"\n\n"; + + // Harden SSL a bit for PCI conformance testing + $lighty_config .= "ssl.use-sslv2 = \"disable\"\n"; + $lighty_config .= "ssl.cipher-list = \"TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH\"\n"; + if(!(empty($ca) || (strlen(trim($ca)) == 0))) $lighty_config .= "ssl.ca-file = \"{$g['varetc_path']}/{$ca_location}\"\n\n"; } @@ -1196,7 +1201,7 @@ function system_ntp_configure() { exec("/usr/local/sbin/ntpd -s -f {$g['varetc_path']}/ntpd.conf"); // Note that we are starting up - exec("echo 'OpenNTPD is starting up' >> {$g['varlog_path']}/ntpd.log"); + log_error("OpenNTPD is starting up."); } diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc index 02825a1..b3d7bf6 100644 --- a/etc/inc/upgrade_config.inc +++ b/etc/inc/upgrade_config.inc @@ -685,10 +685,6 @@ function upgrade_040_to_041() { $config['sysctl']['item'][13]['descr'] = gettext("Allow unprivileged access to tap(4) device nodes"); $config['sysctl']['item'][13]['value'] = "default"; - $config['sysctl']['item'][14]['tunable'] = "kern.rndtest.verbose"; - $config['sysctl']['item'][14]['descr'] = gettext("Verbosity of the rndtest driver (0: do not display results on console)"); - $config['sysctl']['item'][14]['value'] = "default"; - $config['sysctl']['item'][15]['tunable'] = "kern.randompid"; $config['sysctl']['item'][15]['descr'] = gettext("Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())"); $config['sysctl']['item'][15]['value'] = "default"; 
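Review bot: The new cipher list still admits RC4 through `RC4+MEDIUM`, and only SSLv2 is switched off; if the goal is hardening, also disable SSLv3 where this lighttpd build supports it (`ssl.use-sslv3 = "disable"`) and say in the comment why RC4 is kept (client compatibility, presumably) so the choice gets revisited. The comment `// Harden SSL a bit for PCI conformance testing` would be more useful if it named what the list must not offer — no SSLv2, no anonymous or NULL ciphers — which is what `!SSLv2 !aNULL !eNULL` encodes. The enclosing function continues outside the hunk.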
@@ -1262,13 +1258,13 @@ function upgrade_047_to_048() { unset($config['dnsupdate']); } - if (is_array($config['pppoe'])) { + if (is_array($config['pppoe']) && is_array($config['pppoe'][0])) { $pconfig = array(); - $pconfig['username'] = $config['pppoe']['username']; - $pconfig['password'] = $config['pppoe']['password']; - $pconfig['provider'] = $config['pppoe']['provider']; - $pconfig['ondemand'] = isset($config['pppoe']['ondemand']); - $pconfig['timeout'] = $config['pppoe']['timeout']; + $pconfig['username'] = $config['pppoe'][0]['username']; + $pconfig['password'] = $config['pppoe'][0]['password']; + $pconfig['provider'] = $config['pppoe'][0]['provider']; + $pconfig['ondemand'] = isset($config['pppoe'][0]['ondemand']); + $pconfig['timeout'] = $config['pppoe'][0]['timeout']; unset($config['pppoe']); $config['interfaces']['wan']['pppoe_username'] = $pconfig['username']; $config['interfaces']['wan']['pppoe_password'] = $pconfig['password']; diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index dbd947b..6311072 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -485,9 +485,9 @@ function vpn_ipsec_configure($ipchg = false) $passive = ""; if (isset($ph1ent['mobile'])) { $rgip = "anonymous"; + $passive = "passive on;"; /* Mimic 1.2.3's behavior for pure-psk mobile tunnels */ if ($ph1ent['authentication_method'] == "pre_shared_key") { - $passive = "passive on;"; $pcheck = !empty($ph1ent['proposal_check']) ? $ph1ent['proposal_check'] : $pcheck = "obey"; $genp = "on"; } else { 
@@ -862,7 +862,7 @@ EOD; if(is_ipaddr($gatewayip)) { /* FIXME: does adding route-to and reply-to on the in/outbound * rules fix this? smos@ 13-01-2009 */ - log_error(sprintf(gettext('IPSEC interface is not WAN but %1$s, adding static route for VPN endpoint %2$s via %3$s'), $parentinterface, $rgip, $gatewayip)); + // log_error("IPSEC interface is not WAN but {$parentinterface}, adding static route for VPN endpoint {$rgip} via {$gatewayip}"); mwexec("/sbin/route delete -host {$rgip}"); mwexec("/sbin/route add -host {$rgip} {$gatewayip}"); } @@ -916,6 +916,7 @@ EOD; file_put_contents("{$g['varetc_path']}/filterdns-ipsec.hosts", $hostnames); killbypid("{$g['varrun_path']}/filterdns-ipsec.pid"); + sleep(1); mwexec("/usr/local/sbin/filterdns -p {$g['varrun_path']}/filterdns-ipsec.pid -i {$interval} -c {$g['varetc_path']}/filterdns-ipsec.hosts -d 1"); } diff --git a/etc/inc/vslb.inc b/etc/inc/vslb.inc index 2c3f0ca..980bcd0 100644 --- a/etc/inc/vslb.inc +++ b/etc/inc/vslb.inc @@ -202,6 +202,7 @@ function relayd_configure() { /* reindex pools by name as we loop through the pools array */ $pools = array(); $conf .= "log updates \n"; + $conf .= "timeout 1000 \n"; /* Virtual server pools */ if(is_array($pool_a)) { for ($i = 0; isset($pool_a[$i]); $i++) { 
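Review bot: Replacing the `log_error(...)` call with a commented-out line leaves dead code in vpn_ipsec_configure; if the message was too noisy, delete the line outright (history keeps it) or emit it at a debug level rather than keeping it as a comment. In the filterdns hunk, `sleep(1)` after `killbypid` is a fixed delay standing in for "wait until the old process has exited"; it can still race on a slow box and wastes a second on a fast one — a bounded loop that polls `is_process_running` (or the pid file) before starting the new daemon is more robust. The enclosing function continues outside both hunks.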
@@ -233,59 +234,61 @@ function relayd_configure() { $conf .= $proto; } } - if(is_array($vs_a)) { - for ($i = 0; isset($vs_a[$i]); $i++) { - switch($vs_a[$i]['mode']) { - case 'redirect_mode': { - $conf .= "redirect \"{$vs_a[$i]['name']}\" {\n"; - $conf .= " listen on {$vs_a[$i]['ipaddr']} port {$vs_a[$i]['port']}\n"; - $conf .= " forward to <{$vs_a[$i]['pool']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} timeout 1000\n"; - - # sitedown MUST use the same port as the primary pool - sucks, but it's a relayd thing - if (isset($vs_a[$i]['sitedown']) && strlen($vs_a[$i]['sitedown']) > 0) - $conf .= " forward to <{$vs_a[$i]['sitedown']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} timeout 1000\n"; - - $conf .= "}\n"; - break; - } - case 'relay': { - $conf .= "relay \"{$vs_a[$i]['name']}\" {\n"; - $conf .= " listen on {$vs_a[$i]['ipaddr']} port {$vs_a[$i]['port']}\n"; - $conf .= " protocol \"{$vs_a[$i]['relay_protocol']}\"\n"; - $conf .= " forward to <{$vs_a[$i]['pool']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} timeout 1000\n"; - - if (isset($vs_a[$i]['sitedown']) && strlen($vs_a[$i]['sitedown']) > 0) - $conf .= " forward to <{$vs_a[$i]['sitedown']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} timeout 1000\n"; - $conf .= "}\n"; - break; - } - } - } - } - fwrite($fd, $conf); - fclose($fd); - - if (is_process_running('relayd')) { - if (! 
empty($vs_a)) { - // it's running and there is a config, just reload - mwexec("/usr/local/sbin/relayctl reload"); + if(is_array($vs_a)) { + for ($i = 0; isset($vs_a[$i]); $i++) { + switch($vs_a[$i]['mode']) { + case 'redirect_mode': { + $conf .= "redirect \"{$vs_a[$i]['name']}\" {\n"; + $conf .= " listen on {$vs_a[$i]['ipaddr']} port {$vs_a[$i]['port']}\n"; + $conf .= " forward to <{$vs_a[$i]['pool']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} \n"; + + if (isset($config['system']['lb_use_sticky'])) + $conf .= " sticky-address\n"; + + # sitedown MUST use the same port as the primary pool - sucks, but it's a relayd thing + if (isset($vs_a[$i]['sitedown']) && strlen($vs_a[$i]['sitedown']) > 0) + $conf .= " forward to <{$vs_a[$i]['sitedown']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} \n"; + + $conf .= "}\n"; + break; + } + case 'relay': { + $conf .= "relay \"{$vs_a[$i]['name']}\" {\n"; + $conf .= " listen on {$vs_a[$i]['ipaddr']} port {$vs_a[$i]['port']}\n"; + $conf .= " protocol \"{$vs_a[$i]['relay_protocol']}\"\n"; + $conf .= " forward to <{$vs_a[$i]['pool']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} \n"; + + if (isset($vs_a[$i]['sitedown']) && strlen($vs_a[$i]['sitedown']) > 0) + $conf .= " forward to <{$vs_a[$i]['sitedown']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} \n"; + $conf .= "}\n"; + break; + } + } + } + } + fwrite($fd, $conf); + fclose($fd); + + if (is_process_running('relayd')) { + if (! 
empty($vs_a)) { + // it's running and there is a config, just reload + mwexec("/usr/local/sbin/relayctl reload"); + } else { + /* + * XXX: Something breaks our control connection with relayd + * and makes 'relayctl stop' not work + * rule reloads are the current suspect + * mwexec('/usr/local/sbin/relayctl stop'); + * returns "command failed" + */ + mwexec('pkill relayd'); + } } else { - /* - * XXX: Something breaks our control connection with relayd - * and makes 'relayctl stop' not work - * rule reloads are the current suspect - * mwexec('/usr/local/sbin/relayctl stop'); - * returns "command failed" - */ - mwexec('pkill relayd'); + if (! empty($vs_a)) { + // not running and there is a config, start it + mwexec("/usr/local/sbin/relayd -f {$g['varetc_path']}/relayd.conf"); + } } - } else { - if (! empty($vs_a)) { - // not running and there is a config, start it - mwexec("/usr/local/sbin/relayd -f {$g['varetc_path']}/relayd.conf"); - } - } - } function get_lb_redirects() { @@ -354,4 +357,4 @@ function get_lb_summary() { return $relay_hosts; } -?>
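Review bot: Re-indenting the whole virtual-server block hides the two functional changes in this hunk — the new `sticky-address` line and the removal of the per-`forward` `timeout 1000` in favour of the global `timeout 1000` added in the previous hunk; whitespace-only reindents belong in their own commit so the behavioural diff stays reviewable. The values interpolated into relayd.conf (`{$vs_a[$i]['name']}`, `{$vs_a[$i]['relay_protocol']}`, pool names in `<…>`) are written inside quotes or angle brackets with no filtering, so a name containing `"`, `>` or a newline would break the generated file; either reject such characters at the GUI or strip them here before writing. relayd_configure begins outside the hunk.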
\ No newline at end of file +?> diff --git a/etc/version b/etc/version index 73a14bb..3f0e26d 100644 --- a/etc/version +++ b/etc/version @@ -1 +1 @@ -2.0-RC1 +2.0-RC2 |