author | Renato Botelho <renato.botelho@bluepex.com> | 2010-08-16 09:13:15 -0300 |
---|---|---|
committer | Renato Botelho <renato.botelho@bluepex.com> | 2010-08-16 09:13:15 -0300 |
commit | 0f8ae70920f0247dfcff94bcb658e45074afccc4 (patch) | |
tree | 9cb8584fac1c721e68847305960ad26c0173ef33 /etc | |
parent | e96d2182cddab944ecc6de439d81ad95ca09ac62 (diff) | |
parent | 67299a3fe75dbe7802d7d3f81f3da59f2608b686 (diff) | |
Merge remote branch 'mainline/master' into inc
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/auth.inc | 4 | ||||
-rw-r--r-- | etc/inc/interfaces.inc | 9 | ||||
-rw-r--r-- | etc/inc/pfsense-utils.inc | 16 | ||||
-rw-r--r-- | etc/inc/util.inc | 4 | ||||
-rw-r--r-- | etc/inc/vpn.inc | 21 | ||||
-rw-r--r-- | etc/inc/zeromq.inc | 268 | ||||
-rwxr-xr-x | etc/rc | 12 |
7 files changed, 312 insertions, 22 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 77e4aa5..0e6c2ef 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -46,8 +46,8 @@
 * NOTE : Portions of the mschapv2 support was based on the BSD licensed CHAP.php
 * file courtesy of Michael Retterklieber.
 */
-
-require_once("config.gui.inc");
+if(!$do_not_include_config_gui_inc)
+ require_once("config.gui.inc");
 /* If this function doesn't exist, we're being called from Captive Portal or
 another internal subsystem which does not include authgui.inc */
diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc
index 97503b8..021d76d 100644
--- a/etc/inc/interfaces.inc
+++ b/etc/inc/interfaces.inc
@@ -3126,16 +3126,19 @@ function is_altq_capable($int) {
 */
 $capable = array("age", "ale", "an", "ath", "aue", "awi", "bce", "bfe", "bge", "dc", "de", "ed", "em", "ep", "fxp", "gem",
- "hme", "ipw", "iwi", "jme", "le", "msk", "mxge", "my", "nfe",
+ "hme", "igb", "ipw", "iwi", "jme", "le", "msk", "mxge", "my", "nfe",
 "npe", "nve", "ral", "re", "rl", "rum", "sf", "sis", "sk", "ste", "stge", "txp", "udav", "ural", "vge", "vr", "wi", "xl",
- "ndis", "tun", "ovpns", "ovpnc", "vlan", "pppoe", "pptp", "ng", "ppp");
+ "ndis", "tun", "ovpns", "ovpnc", "vlan", "pppoe", "pptp", "ng",
+ "l2tp", "ppp");
 $int_family = preg_split("/[0-9]+/", $int);
 if (in_array($int_family[0], $capable)) return true;
- else if (stristr($int_family, "vlan")) /* VLANs are name $parent.$vlan now */
+ else if (stristr($int_family, "vlan")) /* VLANs are name $parent_$vlan now */
+ return true;
+ else if (stristr($int_family, "_wlan")) /* WLANs are name $parent_$wlan now */
 return true;
 else return false;
diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc
index b951d0d..fa7da13 100644
--- a/etc/inc/pfsense-utils.inc
+++ b/etc/inc/pfsense-utils.inc
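Review bot: `if(!$do_not_include_config_gui_inc)` reads a global that only opt-in callers define, so every other includer of auth.inc now raises an undefined-variable notice at this line and the guard's purpose is invisible here. `if (empty($do_not_include_config_gui_inc))` keeps the same truthiness semantics without the notice. A one-line comment above it naming the contract would help the next reader, e.g. `/* set by callers that run outside the web GUI (see zeromq.inc) to skip config.gui.inc */`.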
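Review bot: The new `_wlan` branch copies the existing mistake of handing the array `$int_family` (the result of preg_split()) to stristr(), which takes a string; on PHP 5 that emits a warning and returns null, so neither the `vlan` nor the `_wlan` branch can ever match, and such interfaces pass today only when the parent driver name in `$int_family[0]` already satisfies the in_array() test. Test the full interface name instead: `else if (stristr($int, "_wlan")) /* WLANs are named $parent_$wlan now */`, and the same `stristr($int, "vlan")` on the line above. is_altq_capable() begins and ends outside this hunk, so check no other use of `$int_family` relies on the array form.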
@@ -1255,23 +1255,17 @@ function get_interface_info($ifdescr) {
 $ifinfo['dhcplink'] = "down";
 break;
- /* PPPoE interface? -> get status from virtual interface */
+ /* PPPoE/PPTP/L2TP interface? -> get status from virtual interface */
 case "pppoe":
+ case "pptp":
+ case "l2tp":
 if ($ifinfo['status'] == "up" && !isset($link0))
 /* get PPPoE link status for dial on demand */
- $ifinfo['pppoelink'] = "up";
+ $ifinfo["{$link_type}link"] = "up";
 else
- $ifinfo['pppoelink'] = "down";
+ $ifinfo["{$link_type}link"] = "down";
 break;
- /* PPTP interface? -> get status from virtual interface */
- case "pptp":
- if ($ifinfo['status'] == "up" && !isset($link0))
- /* get PPTP link status for dial on demand */
- $ifinfo['pptplink'] = "up";
- else
- $ifinfo['pptplink'] = "down";
- break;
 /* PPP interface? -> get uptime for this session and cumulative uptime from the persistant log file in conf */
 case "ppp":
 if ($ifinfo['status'] == "up")
diff --git a/etc/inc/util.inc b/etc/inc/util.inc
index 922eb5e..8632540 100644
--- a/etc/inc/util.inc
+++ b/etc/inc/util.inc
@@ -1192,7 +1192,7 @@ function is_interface_mismatch() {
 $do_assign = false;
 $i = 0;
 foreach ($config['interfaces'] as $ifname => $ifcfg) {
- if (preg_match("/^enc|^cua|^tun|^pptp|^ppp|^ovpn|^gif|^gre|^lagg|^bridge|vlan|_wlan/i", $ifcfg['if'])) {
+ if (preg_match("/^enc|^cua|^tun|^l2tp|^pptp|^ppp|^ovpn|^gif|^gre|^lagg|^bridge|vlan|_wlan/i", $ifcfg['if'])) {
 $i++;
 } else if (does_interface_exist($ifcfg['if']) == false) {
@@ -1431,4 +1431,4 @@ function array_merge_recursive_unique($array0, $array1)
 return $result;
 }
-?>
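Review bot: The merged `case "pptp":` / `case "l2tp":` branch builds its array key from `$link_type`, which is not assigned anywhere in the hunk; it is correct only if the enclosing switch, which starts above the hunk inside get_interface_info(), is on a variable of exactly that name, otherwise both assignments write the key `link` and the `pppoelink`/`pptplink` values callers read stay unset. Please confirm the switch subject and use that variable here if it is named differently. The surviving comment `/* get PPPoE link status for dial on demand */` now covers all three types and could read `/* get PPPoE/PPTP/L2TP link status for dial on demand */`.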
\ No newline at end of file
+?>
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 6efec52..1c204f0 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -474,14 +474,14 @@ function vpn_ipsec_configure($ipchg = false)
 $init = "on";
 $genp = "off";
- $pcheck = "claim";
+ $pcheck = !empty($ph1ent['proposal_check']) ? $ph1ent['proposal_check'] : $pcheck = "claim";
 $passive = "";
 if (isset($ph1ent['mobile'])) {
 $rgip = "anonymous";
 /* Mimic 1.2.3's behavior for pure-psk mobile tunnels */
 if ($ph1ent['authentication_method'] == "pre_shared_key") {
 $passive = "passive on;";
- $pcheck = "obey";
+ $pcheck = !empty($ph1ent['proposal_check']) ? $ph1ent['proposal_check'] : $pcheck = "obey";
 $genp = "on";
 } else {
 $init = "off";
@@ -535,7 +535,23 @@ function vpn_ipsec_configure($ipchg = false)
 chmod($keypath, 0600);
+ $ca = lookup_ca($ph1ent['caref']);
+ if ($ca) {
+ $cafile = "ca-".$ikeid.".crt";
+ $capath = $g['varetc_path']."/".$cafile;
+
+ if (!file_put_contents($capath, base64_decode($ca['crt'])))
+ {
+ log_error("Error: Cannot write phase1 CA certificate file for {$ph1ent['name']}");
+ continue;
+ }
+
+ chmod($capath, 0600);
+ $caline = "ca_type x509 \"".basename($capath)."\";";
+ }
+ $certline = "certificate_type x509 \"".basename($certpath)."\" \"".basename($keypath)."\";";
+ }
 $ealgos = '';
@@ -570,6 +586,7 @@ remote {$rgip}
 initial_contact = {$init};
 nat_traversal = {$natt};
 {$certline}
+ {$caline}
 {$dpdline1}
 {$dpdline2}
 support_proxy on;
diff --git a/etc/inc/zeromq.inc b/etc/inc/zeromq.inc
new file mode 100644
index 0000000..5b2d70c
--- /dev/null
+++ b/etc/inc/zeromq.inc
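Review bot: `$pcheck = !empty($ph1ent['proposal_check']) ? $ph1ent['proposal_check'] : $pcheck = "claim";` nests a second assignment inside the else branch of the ternary; it evaluates correctly but reads like a typo, and `$pcheck = !empty($ph1ent['proposal_check']) ? $ph1ent['proposal_check'] : "claim";` (likewise for the `"obey"` line) says the same thing plainly. Because `proposal_check` comes from the stored config and is written verbatim into the generated racoon configuration, it is also worth restricting the accepted value here (or at the input side) to the keywords racoon understands, so a stray value cannot corrupt the generated file. vpn_ipsec_configure() begins and ends outside this hunk.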
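Review bot: `$caline` is only assigned inside `if ($ca) {`, and this block runs per phase 1 entry inside a loop (the `continue` on the error path shows that), so a phase 1 entry without a matching CA inherits the `ca_type` line of the previous iteration when `{$caline}` is expanded in the `remote` template at @@ -570 — unless the variable is reset somewhere in the loop body outside the hunk. Add `$caline = "";` next to the other per-entry initialisers before the `$ca = lookup_ca($ph1ent['caref']);` line. The `if` that the added `+ }` closes starts above the hunk; note also that `!file_put_contents(...)` treats a zero-length `crt` as a write failure, which presumably mirrors the key handling above but deserves a comment.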
@@ -0,0 +1,268 @@
+<?php
+/*
+ zeromq.inc
+ part of the pfSense project (http://www.pfsense.com)
+ Copyright 2010 Scott Ullrich <sullrich@gmail.com>
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+define('ZEROMQ_AUTH_FAIL', 'authfail');
+define('ZEROMQ_TRUE', 'true');
+define('ZEROMQ_FASLE', 'false');
+
+$do_not_include_config_gui_inc = true;
+require("auth.inc"):
+
+/* zeromq_send: Send a message to a member node */
+function zeromq_send($protocol = "tcp", $ipaddress, $port, $method, $params, $username, $password) {
+ if(!$ipaddress || !$port || !$message || !$username || !$password)
+ return;
+
+ /* Set calling function and auth information */
+ $params['username'] = $username;
+ $params['password'] = $password;
+ $params['function'] = $method;
+
+ /* Serialize the data we are going to send over */
+ $serialized = serialize($params);
+
+ /* Create new queue object */
+ $queue = new ZMQSocket(new ZMQContext(), ZMQ::SOCKET_REQ, "MySock1");
+ $queue->connect("{$protocol}://{$ipaddress}:{$port}");
+
+ /* Assign socket 1 to the queue, send and receive */
+ $result = $queue->send($serialized)->recv();
+
+ /* Unserialize the return and return */
+ $unserializedresult = unserialize($result);
+
+ /* Return the result to the caller */
+ return $unserializedresult;
+}
+
+function zeromq_server($protocol = "tcp", $ipaddress, $port) {
+ if(!$ipaddress || !$port)
+ return;
+ $server = new ZMQSocket(new ZMQContext(), ZMQ::SOCKET_REP);
+ $server->bind("{$protocol}://{$ipaddress}:{$port}");
+ /* Loop receiving and echoing back */
+ while ($msg = $server->recv()) {
+ $message = unserialize($msg);
+ switch ($message['function']) {
+ case "pfsense.exec_shell":
+ $function_to_call = "exec_shell_zeromq";
+ break;
+ case "pfsense.exec_php":
+ $function_to_call = "exec_php_zeromq";
+ break;
+ case "pfsense.filter_configure":
+ $function_to_call = "filter_configure_zeromq";
+ break;
+ case "pfsense.interfaces_carp_configure":
+ $function_to_call = "interfaces_carp_configure_zeromq";
+ break;
+ case "pfsense.backup_config_section":
+ $function_to_call = "backup_config_section_zeromq";
+ break;
+ case "pfsense.restore_config_section":
+ $function_to_call = "restore_config_section_zeromq";
+ break;
+ case "pfsense.merge_config_section":
+ $function_to_call = "merge_config_section_zeromq";
+ break;
+ case "pfsense.merge_installedpackages_section_zeromq":
+ $function_to_call = "merge_installedpackages_section_zeromq";
+ break;
+ case "pfsense.check_firmware_version":
+ $function_to_call = "check_firmware_version_zeromq";
+ break;
+ case "pfsense.reboot":
+ $function_to_call = "reboot_zeromq";
+ break;
+ case "pfsense.get_notices":
+ $function_to_call = "get_notices_zeromq";
+ break;
+ }
+ if(!$function_to_call)
+ return;
+ // Call function that is being invoked
+ $result = $function_to_call($message);
+ /* echo back the result */
+ $server->send($result);
+ }
+}
+
+function zeromq_auth($params) {
+ global $config, $g;
+
+ $username = $params['username'];
+ $password = $params['password'];
+
+ $user = getUserEntry($username);
+ if (!$user)
+ return false;
+
+ if (is_account_disabled($username) || is_account_expired($username))
+ return false;
+
+ if ($user['password']) {
+ $passwd = crypt($passwd, $user['password']);
+ if ($passwd == $user['password'])
+ return true;
+ }
+
+ if ($user['md5-hash']) {
+ $passwd = md5($passwd);
+ if ($passwd == $user['md5-hash'])
+ return true;
+ }
+
+ return false;
+}
+
+function exec_php_zeromq($raw_params) {
+ global $config, $g;
+ $params = xmlrpc_params_to_php($raw_params);
+ if(!zeromq_auth($params))
+ return ZEROMQ_AUTH_FAIL;
+ $exec_php = $params[0];
+ eval($exec_php);
+ if($toreturn) {
+ $response = XML_RPC_encode($toreturn);
+ return new XML_RPC_Response($response);
+ } else
+ return ZEROMQ_FASLE;
+}
+
+function exec_shell_zeromq($raw_params) {
+ global $config, $g;
+ $params = xmlrpc_params_to_php($raw_params);
+ if(!zeromq_auth($params))
+ return ZEROMQ_AUTH_FAIL;
+ $shell_cmd = $params[0];
+ mwexec($shell_cmd);
+ return ZEROMQ_FASLE;
+}
+
+function backup_config_section_zeromq($raw_params) {
+ global $config, $g;
+ $params = xmlrpc_params_to_php($raw_params);
+ if(!zeromq_auth($params))
+ return ZEROMQ_AUTH_FAIL;
+ $val = array_intersect_key($config, array_flip($params[0]));
+ return new XML_RPC_Response(XML_RPC_encode($val));
+}
+
+function restore_config_section_zeromq($raw_params) {
+ global $config, $g;
+ $params = xmlrpc_params_to_php($raw_params);
+ if(!zeromq_auth($params))
+ return ZEROMQ_AUTH_FAIL;
+ $config = array_merge($config, $params[0]);
+ $mergedkeys = implode(",", array_keys($params[0]));
+ write_config(sprintf(gettext("Merged in config (%s sections) from XMLRPC client."),$mergedkeys));
+ return ZEROMQ_FASLE;
+}
+
+function merge_installedpackages_section_zeromq($raw_params) {
+ global $config, $g;
+ $params = xmlrpc_params_to_php($raw_params);
+ if(!zeromq_auth($params))
+ return ZEROMQ_AUTH_FAIL;
+ $config['installedpackages'] = array_merge($config['installedpackages'], $params[0]);
+ $mergedkeys = implode(",", array_keys($params[0]));
+ write_config(sprintf(gettext("Merged in config (%s sections) from XMLRPC client."),$mergedkeys));
+ return ZEROMQ_FASLE;
+}
+
+function merge_config_section_zeromq($raw_params) {
+ global $config, $g;
+ $params = xmlrpc_params_to_php($raw_params);
+ if(!zeromq_auth($params))
+ return ZEROMQ_AUTH_FAIL;
+ $config = array_merge_recursive_unique($config, $params[0]);
+ $mergedkeys = implode(",", array_keys($params[0]));
+ write_config("Merged in config ({$mergedkeys} sections) from XMLRPC client.");
+ return ZEROMQ_FASLE;
+}
+
+function filter_configure_zeromq($raw_params) {
+ global $config, $g;
+ $params = xmlrpc_params_to_php($raw_params);
+ if(!zeromq_auth($params))
+ return ZEROMQ_AUTH_FAIL;
+ filter_configure();
+ system_routing_configure();
+ setup_gateways_monitor();
+ relayd_configure();
+ require_once("openvpn.inc");
+ openvpn_resync_all();
+ services_dhcpd_configure();
+ services_dnsmasq_configure();
+ local_sync_accounts();
+ return ZEROMQ_FASLE;
+}
+
+function interfaces_carp_configure_zeromq($raw_params) {
+ global $config, $g;
+ $params = xmlrpc_params_to_php($raw_params);
+ if(!zeromq_auth($params))
+ return ZEROMQ_AUTH_FAIL;
+ interfaces_carp_setup();
+ interfaces_vips_configure();
+ return ZEROMQ_FASLE;
+}
+
+function check_firmware_version_zeromq($raw_params) {
+ global $XML_RPC_String;
+ $params = xmlrpc_params_to_php($raw_params);
+ if(!zeromq_auth($params)) return ZEROMQ_AUTH_FAIL;
+ return new XML_RPC_Response(new XML_RPC_Value(check_firmware_version(false), $XML_RPC_String));
+}
+
+function reboot_zeromq($raw_params) {
+ global $config, $g;
+ $params = xmlrpc_params_to_php($raw_params);
+ if(!zeromq_auth($params))
+ return ZEROMQ_AUTH_FAIL;
+ mwexec_bg("/etc/rc.reboot");
+ return ZEROMQ_FASLE;
+}
+
+function get_notices_zeromq($raw_params) {
+ global $g;
+ $params = xmlrpc_params_to_php($raw_params);
+ if(!zeromq_auth($params))
+ return ZEROMQ_AUTH_FAIL;
+ require("notices.inc");
+ if(!$params) {
+ $toreturn = get_notices();
+ } else {
+ $toreturn = get_notices($params);
+ }
+ $response = new XML_RPC_Response(XML_RPC_encode($toreturn));
+ return $response;
+}
+
+?>
\ No newline at end of file
@@ -28,6 +28,16 @@ version=`cat /etc/version`
 # Mount memory file system if it exists
 echo "Mounting filesystems..."
+# Handle ZFS read-only case
+if [ "$PLATFORM" = "pfSense" ]; then
+ if [ -f /usr/bin/grep ]; then
+ WHEREISROOT=`/sbin/mount | /usr/bin/grep " / " | /usr/bin/grep "tank" | /usr/bin/cut -d' ' -f1`
+ if [ "$WHEREISROOT" != "" ]; then
+ /sbin/zfs set readonly=off $WHEREISROOT
+ fi
+ fi
+fi
+
 if [ "$PLATFORM" = "cdrom" ]; then
 /etc/rc.cdrom
 fi
@@ -112,7 +122,6 @@ if [ "$PLATFORM" = "cdrom" ] ; then
 mkdir /tmp/unionfs/bin
 mkdir /tmp/unionfs/boot
 mkdir /tmp/unionfs/confdefault
- mkdir /tmp/unionfs/PCBSD
 echo -n "Mounting unionfs directories:"
 echo -n " usr"
 mount_unionfs /tmp/unionfs/usr /usr/
@@ -127,7 +136,6 @@ if [ "$PLATFORM" = "cdrom" ] ; then
 echo -n " conf.default"
 mount_unionfs /tmp/unionfs/confdefault /conf.default/
 echo -n " installer"
- mount_unionfs /tmp/unionfs/PCBSD /PCBSD/
 echo "... done."
 fi
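Review bot: `require("auth.inc"):` ends with a colon instead of a semicolon, so the new file fails to parse and nothing in it loads; it should read `require("auth.inc");`. Two undefined-variable reads then make the core paths inert once that is fixed: zeromq_send() tests `!$message`, which is never assigned, so every call returns before sending (presumably `$params` or `$method` was meant), and zeromq_auth() hashes `$passwd` instead of the `$password` it just extracted, so `crypt($passwd, $user['password'])` and `md5($passwd)` compare an empty string and every login fails. Once those are corrected the daemon accepts serialized PHP from the bound socket and unserialize()s it before any credential check, and exec_php_zeromq()/exec_shell_zeromq() hand `$params[0]` to eval() and mwexec() on the strength of a plaintext password carried in the same message, so bind only to a trusted address and compare the digests with a constant-time comparison rather than `==`. In zeromq_server() reset `$function_to_call = "";` at the top of the loop so a previous iteration's value is not reused, and let an unknown `function` `continue` instead of `return`, which silently ends the server. The misspelled constant `ZEROMQ_FASLE` is used consistently and works, but renaming it to `ZEROMQ_FALSE` now avoids confusing future callers.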
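Review bot: `/sbin/zfs set readonly=off $WHEREISROOT` expands the dataset name unquoted, and the dataset is located by filtering the mount list for the literal pool name `tank`, so a root dataset on any other pool is left read-only and a name containing whitespace would be split into several arguments. Quote the expansion, `/sbin/zfs set readonly=off "$WHEREISROOT"`, and consider selecting the root dataset by mount point and filesystem type (the ` / ` line of `/sbin/mount -t zfs`) rather than by pool name. `grep " / "` alone matches any mount line containing that substring, so the `tank` filter is currently doing the disambiguation; if the pool name is intentionally fixed, a comment above `WHEREISROOT=` saying so would help.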