author | Seth Mos <seth.mos@dds.nl> | 2011-01-26 15:40:32 +0100 |
---|---|---|
committer | Seth Mos <seth.mos@dds.nl> | 2011-01-26 15:40:32 +0100 |
commit | 9740fad81dce0f9389f157ac739473d17ad67839 (patch) | |
tree | c71eeae7d425f0bc7c42ded5b9dcbb904a44cce5 /etc | |
parent | 2259901018552f8a8432e295b8d6064fa918cda0 (diff) | |
parent | ee4fc984e1169a180457b3a10e011fab04fd0f31 (diff) | |
download | pfsense-9740fad81dce0f9389f157ac739473d17ad67839.zip pfsense-9740fad81dce0f9389f157ac739473d17ad67839.tar.gz |
Merge remote branch 'upstream/master'
Conflicts:
etc/inc/system.inc
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/auth.inc | 4 | ||||
-rw-r--r-- | etc/inc/captiveportal.inc | 809 | ||||
-rw-r--r-- | etc/inc/filter.inc | 2 | ||||
-rw-r--r-- | etc/inc/globals.inc | 2 | ||||
-rw-r--r-- | etc/inc/interfaces.inc | 126 | ||||
-rw-r--r-- | etc/inc/openvpn.inc | 22 | ||||
-rw-r--r-- | etc/inc/pkg-utils.inc | 40 | ||||
-rw-r--r-- | etc/inc/rrd.inc | 2 | ||||
-rw-r--r-- | etc/inc/shaper.inc | 35 | ||||
-rw-r--r-- | etc/inc/system.inc | 5 | ||||
-rw-r--r-- | etc/inc/xmlparse.inc | 6 | ||||
-rw-r--r-- | etc/phpshellsessions/gitsync | 2 | ||||
-rwxr-xr-x | etc/rc | 5 | ||||
-rwxr-xr-x | etc/rc.bootup | 2 | ||||
-rwxr-xr-x | etc/rc.dumpon | 57 | ||||
-rwxr-xr-x | etc/rc.filter_synchronize | 4 | ||||
-rwxr-xr-x | etc/rc.newwanip | 3 |
17 files changed, 676 insertions, 450 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index c619004..805ea44 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -410,7 +410,7 @@ function local_user_set(& $user) {
 /* create user directory if required */
 if (!is_dir($user_home)) {
 mkdir($user_home, 0700);
- mwexec("cp /root/.* {$home_base}/");
+ mwexec("/bin/cp /root/.* {$home_base}/", true);
 }
 chown($user_home, $user_name);
 chgrp($user_home, $user_group);
@@ -1313,4 +1313,4 @@ function session_auth() {
 return true;
 }
-?>
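Review bot: The copy target in `mwexec("/bin/cp /root/.* {$home_base}/", true)` is still `$home_base` rather than the `$user_home` directory the hunk has just created with mode 0700, so root's profile files land in the shared parent instead of the per-user directory; if that is intended a comment should say so, otherwise the destination should be `{$user_home}/`. `/root/.*` is expanded by the shell and also matches `.` and `..`, which a non-recursive cp rejects, and with the new second argument (presumably muting output) those errors now disappear from the logs. Copying an explicit list of the profile files actually wanted would avoid the glob surprises and avoid carrying over anything sensitive root happens to keep in its dotfiles. local_user_set begins before this hunk.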
\ No newline at end of file +?> diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc index 84c98b2..12701ab 100644 --- a/etc/inc/captiveportal.inc +++ b/etc/inc/captiveportal.inc @@ -2,12 +2,11 @@ /* captiveportal.inc part of pfSense (http://www.pfSense.org) - - originally part of m0n0wall (http://m0n0.ch/wall) - - Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com> + Copyright (C) 2004-2011 Scott Ullrich <sullrich@gmail.com> Copyright (C) 2009 Ermal Luçi <ermal.luci@gmail.com> Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + + originally part of m0n0wall (http://m0n0.ch/wall) All rights reserved. Redistribution and use in source and binary forms, with or without @@ -38,9 +37,9 @@ These changes are (c) 2004 Keycom PLC. pfSense_BUILDER_BINARIES: /sbin/ipfw /sbin/sysctl /sbin/kldunload - pfSense_BUILDER_BINARIES: /usr/local/sbin/lighttpd /usr/local/bin/minicron /sbin/pfctl - pfSense_BUILDER_BINARIES: /bin/hostname /bin/cp - pfSense_MODULE: captiveportal + pfSense_BUILDER_BINARIES: /usr/local/sbin/lighttpd /usr/local/bin/minicron /sbin/pfctl + pfSense_BUILDER_BINARIES: /bin/hostname /bin/cp + pfSense_MODULE: captiveportal */ /* include all configuration functions */ @@ -74,8 +73,8 @@ function get_default_captive_portal_html() { <div id="mainlevel"> <center> <table width="100%" border="0" cellpadding="5" cellspacing="0"> - <tr> - <td> + <tr> + <td> <center> <div id="mainarea"> <center> @@ -100,7 +99,7 @@ function get_default_captive_portal_html() { </div> </center> </div> - </td> + </td> </tr> </table> </center> @@ -145,14 +144,14 @@ EOD; <div id="mainlevel"> <center> <table width="100%" border="0" cellpadding="5" cellspacing="0"> - <tr> - <td> + <tr> + <td> <center> <div id="mainarea"> <center> <table width="100%" border="0" cellpadding="5" cellspacing="5"> <tr> - <td> + <td> <div id="maindivarea"> <center> <div id='statusbox'> 
@@ -171,15 +170,15 @@ EOD; <tr><td align="right">Password:</td><td><input name="auth_pass" type="password" style="border: 1px dashed;"></td></tr> <tr><td> </td></tr> <tr> - <td colspan="2"> + <td colspan="2"> <center><input name="accept" type="submit" value="Continue"></center> - </td> + </td> </tr> </table> </div> </center> </div> - </td> + </td> </tr> </table> </center> @@ -260,6 +259,10 @@ function captiveportal_configure() { $htmltext = str_replace("\$CLIENT_IP\$", "#CLIENT_IP#", $htmltext); $htmltext = str_replace("\$ORIGINAL_PORTAL_IP\$", "#ORIGINAL_PORTAL_IP#", $htmltext); $htmltext = str_replace("\$PORTAL_ACTION\$", "#PORTAL_ACTION#", $htmltext); + if($config['captiveportal']['preauthurl']) { + $htmltext = str_replace("\$PORTAL_REDIRURL\$", "{$config['captiveportal']['preauthurl']}", $htmltext); + $htmltext = str_replace("#PORTAL_REDIRURL#", "{$config['captiveportal']['preauthurl']}", $htmltext); + } fwrite($fd, $htmltext); fclose($fd); } @@ -290,14 +293,14 @@ function captiveportal_configure() { <div id="mainlevel"> <center> <table width="100%" border="0" cellpadding="5" cellspacing="0"> - <tr> - <td> + <tr> + <td> <center> <div id="mainarea"> <center> <table width="100%" border="0" cellpadding="5" cellspacing="5"> <tr> - <td> + <td> <div id="maindivarea"> <center> <div id='statusbox'> @@ -316,15 +319,15 @@ function captiveportal_configure() { <tr><td align="right">Password:</td><td><input name="auth_pass" type="password" style="border: 1px dashed;"></td></tr> <tr><td> </td></tr> <tr> - <td colspan="2"> + <td colspan="2"> <center><input name="accept" type="submit" value="Continue"></center> - </td> + </td> </tr> </table> </div> </center> </div> - </td> + </td> </tr> </table> </center> 
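Review bot: In the `@@ -260` hunk the configured `preauthurl` is substituted into `$htmltext` verbatim, so any quote or `<` in the value breaks out of whatever HTML attribute or script context the template places `$PORTAL_REDIRURL$` in; it should be escaped for that context, e.g. `str_replace("\$PORTAL_REDIRURL\$", htmlspecialchars($config['captiveportal']['preauthurl']), $htmltext)` if it lands in an attribute. The same unescaped substitution is repeated for `$errtext` in the `@@ -356` hunk. The value is admin-supplied configuration, so exposure is limited, but unlike the other placeholders, which are rewritten to `#...#` markers for later substitution, this one is resolved when the file is written, and when `preauthurl` is unset the `$PORTAL_REDIRURL$` marker is left in the page untouched; a short comment stating that both are intended would help the next reader. captiveportal_configure begins outside this hunk.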
@@ -356,6 +359,10 @@ EOD; $errtext = str_replace("\$CLIENT_IP\$", "#CLIENT_IP#", $errtext); $errtext = str_replace("\$ORIGINAL_PORTAL_IP\$", "#ORIGINAL_PORTAL_IP#", $errtext); $errtext = str_replace("\$PORTAL_ACTION\$", "#PORTAL_ACTION#", $errtext); + if($config['captiveportal']['preauthurl']) { + $errtext = str_replace("\$PORTAL_REDIRURL\$", "{$config['captiveportal']['preauthurl']}", $errtext); + $errtext = str_replace("#PORTAL_REDIRURL#", "{$config['captiveportal']['preauthurl']}", $errtext); + } fwrite($fd, $errtext); fclose($fd); } 
@@ -376,18 +383,18 @@ EOD; <!-- LogoutWin = window.open('', 'Logout', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=256,height=64'); if (LogoutWin) { - LogoutWin.document.write('<HTML>'); - LogoutWin.document.write('<HEAD><TITLE>Logout</TITLE></HEAD>') ; - LogoutWin.document.write('<BODY BGCOLOR="#435370">'); - LogoutWin.document.write('<DIV ALIGN="center" STYLE="color: #ffffff; font-family: Tahoma, Verdana, Arial, Helvetica, sans-serif; font-size: 11px;">') ; - LogoutWin.document.write('<B>Click the button below to disconnect</B><P>'); - LogoutWin.document.write('<FORM METHOD="POST" ACTION="<?=\$logouturl;?>">'); - LogoutWin.document.write('<INPUT NAME="logout_id" TYPE="hidden" VALUE="<?=\$sessionid;?>">'); - LogoutWin.document.write('<INPUT NAME="logout" TYPE="submit" VALUE="Logout">'); - LogoutWin.document.write('</FORM>'); - LogoutWin.document.write('</DIV></BODY>'); - LogoutWin.document.write('</HTML>'); - LogoutWin.document.close(); + LogoutWin.document.write('<HTML>'); + LogoutWin.document.write('<HEAD><TITLE>Logout</TITLE></HEAD>') ; + LogoutWin.document.write('<BODY BGCOLOR="#435370">'); + LogoutWin.document.write('<DIV ALIGN="center" STYLE="color: #ffffff; font-family: Tahoma, Verdana, Arial, Helvetica, sans-serif; font-size: 11px;">') ; + LogoutWin.document.write('<B>Click the button below to disconnect</B><P>'); + LogoutWin.document.write('<FORM METHOD="POST" ACTION="<?=\$logouturl;?>">'); + LogoutWin.document.write('<INPUT NAME="logout_id" TYPE="hidden" VALUE="<?=\$sessionid;?>">'); + LogoutWin.document.write('<INPUT NAME="logout" TYPE="submit" VALUE="Logout">'); + LogoutWin.document.write('</FORM>'); + LogoutWin.document.write('</DIV></BODY>'); + LogoutWin.document.write('</HTML>'); + LogoutWin.document.close(); } document.location.href="<?=\$my_redirurl;?>"; 
@@ -437,7 +444,7 @@ EOD; if (does_interface_exist($listrealif)) { pfSense_interface_flags($listrealif, -IFF_IPFW_FILTER); $carpif = link_ip_to_carp_interface(find_interface_ip($listrealif)); - if (!empty($carpif)) { + if (!empty($carpif)) { $carpsif = explode(" ", $carpif); foreach ($carpsif as $cpcarp) pfSense_interface_flags($cpcarp, -IFF_IPFW_FILTER); @@ -456,7 +463,7 @@ function captiveportal_init_webgui() { global $g, $config; if (!isset($config['captiveportal']['enable'])) - return; + return; if ($config['captiveportal']['maxproc']) $maxproc = $config['captiveportal']['maxproc']; @@ -534,7 +541,7 @@ function captiveportal_init_rules($reinit = false) { if (count($cpips) > 0) { $cpactive = true; $cpinterface = "{ {$cpinterface} } "; - } else + } else return false; if ($reinit == false) @@ -550,7 +557,7 @@ function captiveportal_init_rules($reinit = false) { if (!is_module_loaded("dummynet.ko")) mwexec("/sbin/kldload dummynet"); - $cprules = "add 65291 set 1 allow pfsync from any to any\n"; + $cprules = "add 65291 set 1 allow pfsync from any to any\n"; $cprules .= "add 65292 set 1 allow carp from any to any\n"; $cprules .= <<<EOD @@ -619,12 +626,12 @@ EOD; $rulenum++; } else { $cprules .= "add {$rulenum} set 1 allow ip from table(1) to any in\n"; - $rulenum++; - $cprules .= "add {$rulenum} set 1 allow ip from any to table(2) out\n"; - $rulenum++; + $rulenum++; + $cprules .= "add {$rulenum} set 1 allow ip from any to table(2) out\n"; + $rulenum++; } - $cprules .= <<<EOD + $cprules .= <<<EOD # redirect non-authenticated clients to captive portal add 65531 set 1 fwd 127.0.0.1,8000 tcp from any to any in 
@@ -640,9 +647,13 @@ EOD; /* generate passthru mac database */ $cprules .= captiveportal_passthrumac_configure(true); $cprules .= "\n"; + /* allowed ipfw rules to make allowed ip work */ $cprules .= captiveportal_allowedip_configure(); + /* allowed ipfw rules to make allowed hostnames work */ + $cprules .= captiveportal_allowedhostname_configure(); + /* load rules */ if ($reinit == true) $cprules = "table all flush\nflush\n{$cprules}"; @@ -661,12 +672,11 @@ EOD; file_put_contents("{$g['tmp_path']}/ipfw.cp.rules", $cprules); mwexec("/sbin/ipfw -q {$g['tmp_path']}/ipfw.cp.rules", true); - @unlink("{$g['tmp_path']}/ipfw.cp.rules"); + //@unlink("{$g['tmp_path']}/ipfw.cp.rules"); if ($reinit == false) unlock($captiveportallck); - /* filter on layer2 as well so we can check MAC addresses */ mwexec("/sbin/sysctl net.link.ether.ipfw=1"); 
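Review bot: The `@@ -661` hunk comments out `@unlink("{$g['tmp_path']}/ipfw.cp.rules")` instead of deleting the line or explaining it, so the generated ruleset, including the passthrough-MAC and allowed-IP entries, now stays in `$g['tmp_path']` after every reload. If that is deliberate, say so where the line was, e.g. `/* ipfw.cp.rules is intentionally kept for troubleshooting; it is rewritten on every reload */`; otherwise restore the unlink after the `mwexec`. The `@@ -640` hunk adds the `captiveportal_allowedhostname_configure()` call with a comment matching the existing style, which reads fine. captiveportal_init_rules begins outside these hunks.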
@@ -679,153 +689,152 @@ EOD; * (password is in Base64 and only saved when reauthentication is enabled) */ function captiveportal_prune_old() { - global $g, $config; + global $g, $config; - /* check for expired entries */ - if (empty($config['captiveportal']['timeout']) || + /* check for expired entries */ + if (empty($config['captiveportal']['timeout']) || !is_numeric($config['captiveportal']['timeout'])) - $timeout = 0; - else - $timeout = $config['captiveportal']['timeout'] * 60; + $timeout = 0; + else + $timeout = $config['captiveportal']['timeout'] * 60; - if (empty($config['captiveportal']['idletimeout']) || + if (empty($config['captiveportal']['idletimeout']) || !is_numeric($config['captiveportal']['idletimeout'])) - $idletimeout = 0; - else - $idletimeout = $config['captiveportal']['idletimeout'] * 60; + $idletimeout = 0; + else + $idletimeout = $config['captiveportal']['idletimeout'] * 60; - if (!$timeout && !$idletimeout && !isset($config['captiveportal']['reauthenticate']) && + if (!$timeout && !$idletimeout && !isset($config['captiveportal']['reauthenticate']) && !isset($config['captiveportal']['radiussession_timeout']) && !isset($config['voucher']['enable'])) - return; - - /* read database */ - $cpdb = captiveportal_read_db(); - - $radiusservers = captiveportal_get_radius_servers(); - - /* To make sure we iterate over ALL accounts on every run the count($cpdb) is moved - * outside of the loop. Otherwise the loop would evaluate count() on every iteration - * and since $i would increase and count() would decrement they would meet before we - * had a chance to iterate over all accounts. - */ - $unsetindexes = array(); - $no_users = count($cpdb); - for ($i = 0; $i < $no_users; $i++) { - - $timedout = false; - $term_cause = 1; - - /* hard timeout? 
*/ - if ($timeout) { - if ((time() - $cpdb[$i][0]) >= $timeout) { - $timedout = true; - $term_cause = 5; // Session-Timeout - } - } - - /* Session-Terminate-Time */ - if (!$timedout && !empty($cpdb[$i][9])) { - if (time() >= $cpdb[$i][9]) { - $timedout = true; - $term_cause = 5; // Session-Timeout - } - } - - /* check if the radius idle_timeout attribute has been set and if its set change the idletimeout to this value */ - $uidletimeout = (is_numeric($cpdb[$i][8])) ? $cpdb[$i][8] : $idletimeout; - /* if an idle timeout is specified, get last activity timestamp from ipfw */ - if (!$timedout && $uidletimeout) { - $lastact = captiveportal_get_last_activity($cpdb[$i][2]); - /* If the user has logged on but not sent any traffic they will never be logged out. - * We "fix" this by setting lastact to the login timestamp. - */ - $lastact = $lastact ? $lastact : $cpdb[$i][0]; - if ($lastact && ((time() - $lastact) >= $uidletimeout)) { - $timedout = true; - $term_cause = 4; // Idle-Timeout - $stop_time = $lastact; // Entry added to comply with WISPr + return; + + /* read database */ + $cpdb = captiveportal_read_db(); + + $radiusservers = captiveportal_get_radius_servers(); + + /* To make sure we iterate over ALL accounts on every run the count($cpdb) is moved + * outside of the loop. Otherwise the loop would evaluate count() on every iteration + * and since $i would increase and count() would decrement they would meet before we + * had a chance to iterate over all accounts. + */ + $unsetindexes = array(); + $no_users = count($cpdb); + for ($i = 0; $i < $no_users; $i++) { + + $timedout = false; + $term_cause = 1; + + /* hard timeout? 
*/ + if ($timeout) { + if ((time() - $cpdb[$i][0]) >= $timeout) { + $timedout = true; + $term_cause = 5; // Session-Timeout + } } - } - /* if vouchers are configured, activate session timeouts */ - if (!$timedout && isset($config['voucher']['enable']) && !empty($cpdb[$i][7])) { - if (time() >= ($cpdb[$i][0] + $cpdb[$i][7])) { - $timedout = true; - $term_cause = 5; // Session-Timeout + /* Session-Terminate-Time */ + if (!$timedout && !empty($cpdb[$i][9])) { + if (time() >= $cpdb[$i][9]) { + $timedout = true; + $term_cause = 5; // Session-Timeout + } + } + + /* check if the radius idle_timeout attribute has been set and if its set change the idletimeout to this value */ + $uidletimeout = (is_numeric($cpdb[$i][8])) ? $cpdb[$i][8] : $idletimeout; + /* if an idle timeout is specified, get last activity timestamp from ipfw */ + if (!$timedout && $uidletimeout) { + $lastact = captiveportal_get_last_activity($cpdb[$i][2]); + /* If the user has logged on but not sent any traffic they will never be logged out. + * We "fix" this by setting lastact to the login timestamp. + */ + $lastact = $lastact ? $lastact : $cpdb[$i][0]; + if ($lastact && ((time() - $lastact) >= $uidletimeout)) { + $timedout = true; + $term_cause = 4; // Idle-Timeout + $stop_time = $lastact; // Entry added to comply with WISPr + } } - } - /* if radius session_timeout is enabled and the session_timeout is not null, then check if the user should be logged out */ - if (!$timedout && isset($config['captiveportal']['radiussession_timeout']) && !empty($cpdb[$i][7])) { - if (time() >= ($cpdb[$i][0] + $cpdb[$i][7])) { - $timedout = true; - $term_cause = 5; // Session-Timeout - } - } - - if ($timedout) { - captiveportal_disconnect($cpdb[$i], $radiusservers,$term_cause,$stop_time); - captiveportal_logportalauth($cpdb[$i][4], $cpdb[$i][3], $cpdb[$i][2], "TIMEOUT"); - $unsetindexes[$i] = $i; - } - - /* do periodic RADIUS reauthentication? 
*/ - if (!$timedout && !empty($radiusservers)) { - if (isset($config['captiveportal']['radacct_enable'])) { - if ($config['captiveportal']['reauthenticateacct'] == "stopstart") { - /* stop and restart accounting */ - RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno - $cpdb[$i][4], // username - $cpdb[$i][5], // sessionid - $cpdb[$i][0], // start time - $radiusservers, - $cpdb[$i][2], // clientip - $cpdb[$i][3], // clientmac - 10); // NAS Request - exec("/sbin/ipfw table 1 entryzerostats {$cpdb[$i][2]}"); - exec("/sbin/ipfw table 2 entryzerostats {$cpdb[$i][2]}"); - RADIUS_ACCOUNTING_START($cpdb[$i][1], // ruleno - $cpdb[$i][4], // username - $cpdb[$i][5], // sessionid - $radiusservers, - $cpdb[$i][2], // clientip - $cpdb[$i][3]); // clientmac - } else if ($config['captiveportal']['reauthenticateacct'] == "interimupdate") { - RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno - $cpdb[$i][4], // username - $cpdb[$i][5], // sessionid - $cpdb[$i][0], // start time - $radiusservers, - $cpdb[$i][2], // clientip - $cpdb[$i][3], // clientmac - 10, // NAS Request - true); // Interim Updates - } - } - - /* check this user against RADIUS again */ - if (isset($config['captiveportal']['reauthenticate'])) { - $auth_list = RADIUS_AUTHENTICATION($cpdb[$i][4], // username - base64_decode($cpdb[$i][6]), // password - $radiusservers, - $cpdb[$i][2], // clientip - $cpdb[$i][3], // clientmac - $cpdb[$i][1]); // ruleno - - if ($auth_list['auth_val'] == 3) { - captiveportal_disconnect($cpdb[$i], $radiusservers, 17); - captiveportal_logportalauth($cpdb[$i][4], $cpdb[$i][3], $cpdb[$i][2], "RADIUS_DISCONNECT", $auth_list['reply_message']); + /* if vouchers are configured, activate session timeouts */ + if (!$timedout && isset($config['voucher']['enable']) && !empty($cpdb[$i][7])) { + if (time() >= ($cpdb[$i][0] + $cpdb[$i][7])) { + $timedout = true; + $term_cause = 5; // Session-Timeout + } + } + + /* if radius session_timeout is enabled and the session_timeout is not null, then check if the user 
should be logged out */ + if (!$timedout && isset($config['captiveportal']['radiussession_timeout']) && !empty($cpdb[$i][7])) { + if (time() >= ($cpdb[$i][0] + $cpdb[$i][7])) { + $timedout = true; + $term_cause = 5; // Session-Timeout + } + } + + if ($timedout) { + captiveportal_disconnect($cpdb[$i], $radiusservers,$term_cause,$stop_time); + captiveportal_logportalauth($cpdb[$i][4], $cpdb[$i][3], $cpdb[$i][2], "TIMEOUT"); $unsetindexes[$i] = $i; - } - } - } - } - /* This is a kludge to overcome some php weirdness */ - foreach($unsetindexes as $unsetindex) + } + + /* do periodic RADIUS reauthentication? */ + if (!$timedout && !empty($radiusservers)) { + if (isset($config['captiveportal']['radacct_enable'])) { + if ($config['captiveportal']['reauthenticateacct'] == "stopstart") { + /* stop and restart accounting */ + RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno + $cpdb[$i][4], // username + $cpdb[$i][5], // sessionid + $cpdb[$i][0], // start time + $radiusservers, + $cpdb[$i][2], // clientip + $cpdb[$i][3], // clientmac + 10); // NAS Request + exec("/sbin/ipfw table 1 entryzerostats {$cpdb[$i][2]}"); + exec("/sbin/ipfw table 2 entryzerostats {$cpdb[$i][2]}"); + RADIUS_ACCOUNTING_START($cpdb[$i][1], // ruleno + $cpdb[$i][4], // username + $cpdb[$i][5], // sessionid + $radiusservers, + $cpdb[$i][2], // clientip + $cpdb[$i][3]); // clientmac + } else if ($config['captiveportal']['reauthenticateacct'] == "interimupdate") { + RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno + $cpdb[$i][4], // username + $cpdb[$i][5], // sessionid + $cpdb[$i][0], // start time + $radiusservers, + $cpdb[$i][2], // clientip + $cpdb[$i][3], // clientmac + 10, // NAS Request + true); // Interim Updates + } + } + + /* check this user against RADIUS again */ + if (isset($config['captiveportal']['reauthenticate'])) { + $auth_list = RADIUS_AUTHENTICATION($cpdb[$i][4], // username + base64_decode($cpdb[$i][6]), // password + $radiusservers, + $cpdb[$i][2], // clientip + $cpdb[$i][3], // clientmac + 
$cpdb[$i][1]); // ruleno + if ($auth_list['auth_val'] == 3) { + captiveportal_disconnect($cpdb[$i], $radiusservers, 17); + captiveportal_logportalauth($cpdb[$i][4], $cpdb[$i][3], $cpdb[$i][2], "RADIUS_DISCONNECT", $auth_list['reply_message']); + $unsetindexes[$i] = $i; + } + } + } + } + /* This is a kludge to overcome some php weirdness */ + foreach($unsetindexes as $unsetindex) unset($cpdb[$unsetindex]); - /* write database */ - captiveportal_write_db($cpdb); + /* write database */ + captiveportal_write_db($cpdb); } /* remove a single client according to the DB entry */ @@ -837,15 +846,15 @@ function captiveportal_disconnect($dbent, $radiusservers,$term_cause = 1,$stop_t /* this client needs to be deleted - remove ipfw rules */ if (isset($config['captiveportal']['radacct_enable']) && !empty($radiusservers)) { RADIUS_ACCOUNTING_STOP($dbent[1], // ruleno - $dbent[4], // username - $dbent[5], // sessionid - $dbent[0], // start time - $radiusservers, - $dbent[2], // clientip - $dbent[3], // clientmac - $term_cause, // Acct-Terminate-Cause - false, - $stop_time); + $dbent[4], // username + $dbent[5], // sessionid + $dbent[0], // start time + $radiusservers, + $dbent[2], // clientip + $dbent[3], // clientmac + $term_cause, // Acct-Terminate-Cause + false, + $stop_time); } /* Delete client's ip entry from tables 3 and 4. */ mwexec("/sbin/ipfw table 1 delete {$dbent[2]}"); 
@@ -903,39 +912,39 @@ function captiveportal_radius_stop_all() { $cpdb = captiveportal_read_db(); foreach ($cpdb as $cpentry) { RADIUS_ACCOUNTING_STOP($cpentry[1], // ruleno - $cpentry[4], // username - $cpentry[5], // sessionid - $cpentry[0], // start time - $radiusservers, - $cpentry[2], // clientip - $cpentry[3], // clientmac - 7); // Admin Reboot + $cpentry[4], // username + $cpentry[5], // sessionid + $cpentry[0], // start time + $radiusservers, + $cpentry[2], // clientip + $cpentry[3], // clientmac + 7); // Admin Reboot } } } function captiveportal_passthrumac_configure_entry($macent) { $rules = ""; - $enBwup = isset($macent['bw_up']); - $enBwdown = isset($macent['bw_down']); + $enBwup = isset($macent['bw_up']); + $enBwdown = isset($macent['bw_down']); $actionup = "allow"; $actiondown = "allow"; - if ($enBwup && $enBwdown) - $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, true); - else - $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, false); + if ($enBwup && $enBwdown) + $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, true); + else + $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, false); if ($enBwup) { - $bw_up = $ruleno + 20000; - $rules .= "pipe {$bw_up} config bw {$macent['bw_up']}Kbit/s queue 100\n"; + $bw_up = $ruleno + 20000; + $rules .= "pipe {$bw_up} config bw {$macent['bw_up']}Kbit/s queue 100\n"; $actionup = "pipe {$bw_up}"; - } - if ($enBwdown) { + } + if ($enBwdown) { $bw_down = $ruleno + 20001; $rules .= "pipe {$bw_down} config bw {$macent['bw_down']}Kbit/s queue 100\n"; $actiondown = "pipe {$bw_down}"; - } + } $rules .= "add {$ruleno} {$actiondown} ip from any to any MAC {$macent['mac']} any\n"; $ruleno++; $rules .= "add {$ruleno} {$actionup} ip from any to any MAC any {$macent['mac']}\n"; 
@@ -978,69 +987,112 @@ function captiveportal_passthrumac_findbyname($username) { */ function captiveportal_allowedip_configure_entry($ipent) { + /* This function can deal with hostname or ipaddress */ + if($ipent['ip']) + $ipaddress = $ipent['ip']; + + /* Instead of copying this entire function for something + * easy such as hostname vs ip address add this check + */ + if($ipent['hostname']) { + $ipaddress = gethostbyname($ipent['hostname']); + if(!is_ipaddr($ipaddress)) + return; + } + $rules = ""; - $enBwup = isset($ipent['bw_up']); - $enBwdown = isset($ipent['bw_down']); + $enBwup = intval($ipent['bw_up']); + $enBwdown = intval($ipent['bw_down']); $bw_up = ""; - $bw_down = ""; - $tablein = array(); - $tableout = array(); + $bw_down = ""; + $tablein = array(); + $tableout = array(); - if ($enBwup && $enBwdown) + if (intval($enBwup) > 0 or intval($enBwdown) > 0) $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, true); else $ruleno = captiveportal_get_next_ipfw_ruleno(2000, 49899, false); - if ($ipent['dir'] == "from") { - if ($enBwup) - $tablein[] = 5; - else - $tablein[] = 3; - if ($enBwdown) - $tableout[] = 6; - else - $tableout[] = 4; - } else if ($ipent['dir'] == "to") { - if ($enBwup) - $tablein[] = 9; - else - $tablein[] = 7; - if ($enBwdown) - $tableout[] = 10; - else - $tableout[] = 8; - } else if ($ipent['dir'] == "both") { - if ($enBwup) { - $tablein[] = 5; - $tablein[] = 9; - } else { - $tablein[] = 3; - $tablein[] = 7; - } - if ($enBwdown) { - $tableout[] = 6; - $tableout[] = 10; - } else { - $tableout[] = 4; - $tableout[] = 8; - } - } - if ($enBwup) { - $bw_up = $ruleno + 20000; - $rules .= "pipe {$bw_up} config bw {$ipent['bw_up']}Kbit/s queue 100\n"; - } + if ($ipent['dir'] == "from") { + if ($enBwup) + $tablein[] = 5; + else + $tablein[] = 3; + if ($enBwdown) + $tableout[] = 6; + else + $tableout[] = 4; + } else if ($ipent['dir'] == "to") { + if ($enBwup) + $tablein[] = 9; + else + $tablein[] = 7; + if ($enBwdown) + $tableout[] = 10; + 
else + $tableout[] = 8; + } else if ($ipent['dir'] == "both") { + if ($enBwup) { + $tablein[] = 5; + $tablein[] = 9; + } else { + $tablein[] = 3; + $tablein[] = 7; + } + if ($enBwdown) { + $tableout[] = 6; + $tableout[] = 10; + } else { + $tableout[] = 4; + $tableout[] = 8; + } + } + if ($enBwup) { + $bw_up = $ruleno + 20000; + $rules .= "pipe {$bw_up} config bw {$ipent['bw_up']}Kbit/s queue 100\n"; + } $subnet = ""; if (!empty($ipent['sn'])) $subnet = "/{$ipent['sn']}"; foreach ($tablein as $table) - $rules .= "table {$table} add {$ipent['ip']}{$subnet} {$bw_up}\n"; - if ($enBwdown) { - $bw_down = $ruleno + 20001; - $rules .= "pipe {$bw_down} config bw {$ipent['bw_down']}Kbit/s queue 100\n"; - } - foreach ($tableout as $table) - $rules .= "table {$table} add {$ipent['ip']}{$subnet} {$bw_down}\n"; + $rules .= "table {$table} add {$ipaddress}{$subnet} {$bw_up}\n"; + if ($enBwdown) { + $bw_down = $ruleno + 20001; + $rules .= "pipe {$bw_down} config bw {$ipent['bw_down']}Kbit/s queue 100\n"; + } + foreach ($tableout as $table) + $rules .= "table {$table} add {$ipaddress}{$subnet} {$bw_down}\n"; + + return $rules; +} + +/* + Adds a dnsfilter entry and watches for hostname changes. + A change results in reloading the ruleset. +*/ +function setup_dnsfilter_entries() { + global $g, $config; + $cp_filterdns_filename = "{$g['varetc_path']}/filterdns-captiveportal.conf"; + $fd = fopen($cp_filterdns_filename, "w"); + if (is_array($config['captiveportal']['allowedhostname'])) + foreach ($config['captiveportal']['allowedhostname'] as $hostnameent) + fwrite($fd, $hostnameent['hostname'] . "\n"); + fclose($fd); + killbypid("{$g['tmp_path']}/dnswatch-cpah.pid"); + // For some reason the killbypid() is not working. Brute force if needed. 
+ exec("/bin/ps awux | grep -v /usr/bin/grep | grep dnswatch-cpah.pid | /usr/bin/awk '{ print \$2 }' | /usr/bin/xargs kill"); + mwexec("/usr/local/sbin/dnswatch {$g['tmp_path']}/dnswatch-cpah.pid 300 /etc/rc.captiveportal_configure {$cp_filterdns_filename}"); +} + +function captiveportal_allowedhostname_configure() { + global $config, $g; + $rules = "\n# captiveportal_allowedhostname_configure()\n"; + setup_dnsfilter_entries(); + if (is_array($config['captiveportal']['allowedhostname'])) { + foreach ($config['captiveportal']['allowedhostname'] as $hostnameent) + $rules .= captiveportal_allowedip_configure_entry($hostnameent); + } return $rules; } @@ -1049,9 +1101,8 @@ function captiveportal_allowedip_configure() { $rules = ""; if (is_array($config['captiveportal']['allowedip'])) { - foreach ($config['captiveportal']['allowedip'] as $ipent) { + foreach ($config['captiveportal']['allowedip'] as $ipent) $rules .= captiveportal_allowedip_configure_entry($ipent); - } } return $rules; @@ -1078,7 +1129,7 @@ function captiveportal_init_radius_servers() { /* generate radius server database */ if ($config['captiveportal']['radiusip'] && (!isset($config['captiveportal']['auth_method']) || - ($config['captiveportal']['auth_method'] == "radius"))) { + ($config['captiveportal']['auth_method'] == "radius"))) { $radiusip = $config['captiveportal']['radiusip']; $radiusip2 = ($config['captiveportal']['radiusip2']) ? $config['captiveportal']['radiusip2'] : null; 
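Review bot: The fallback in `setup_dnsfilter_entries()`, `/bin/ps awux | grep -v /usr/bin/grep | grep dnswatch-cpah.pid | ... | /usr/bin/xargs kill`, signals every process whose command line contains `dnswatch-cpah.pid` rather than the pid recorded in the file, and `grep -v /usr/bin/grep` only excludes a grep invoked by its full path, so the pipeline's own `grep` may end up in the kill list as well. The comment above it says `killbypid()` is not working; fixing that, or reading the pid from `{$g['tmp_path']}/dnswatch-cpah.pid` and signalling only that process, would let the pattern-based kill go away. In `captiveportal_allowedip_configure_entry()` an entry with neither `ip` nor `hostname` leaves `$ipaddress` undefined and still emits `table N add {$subnet}` lines; a guard such as `if (empty($ipaddress)) return;` placed after the hostname block covers it. `intval($enBwup) > 0` re-applies `intval` to a value that is already an int from the line above; `if ($enBwup > 0 or $enBwdown > 0)` reads the same.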
@@ -1115,29 +1166,29 @@ function captiveportal_init_radius_servers() { /* read RADIUS servers into array */ function captiveportal_get_radius_servers() { - global $g; + global $g; - $cprdsrvlck = lock('captiveportalradius'); - if (file_exists("{$g['vardb_path']}/captiveportal_radius.db")) { - $radiusservers = array(); - $cpradiusdb = file("{$g['vardb_path']}/captiveportal_radius.db", + $cprdsrvlck = lock('captiveportalradius'); + if (file_exists("{$g['vardb_path']}/captiveportal_radius.db")) { + $radiusservers = array(); + $cpradiusdb = file("{$g['vardb_path']}/captiveportal_radius.db", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); - if ($cpradiusdb) - foreach($cpradiusdb as $cpradiusentry) { - $line = trim($cpradiusentry); - if ($line) { - $radsrv = array(); - list($radsrv['ipaddr'],$radsrv['port'],$radsrv['acctport'],$radsrv['key']) = explode(",",$line); - $radiusservers[] = $radsrv; - } + if ($cpradiusdb) { + foreach($cpradiusdb as $cpradiusentry) { + $line = trim($cpradiusentry); + if ($line) { + $radsrv = array(); + list($radsrv['ipaddr'],$radsrv['port'],$radsrv['acctport'],$radsrv['key']) = explode(",",$line); + $radiusservers[] = $radsrv; + } + } + } + unlock($cprdsrvlck); + return $radiusservers; } unlock($cprdsrvlck); - return $radiusservers; - } - - unlock($cprdsrvlck); - return false; + return false; } /* log successful captive portal authentication to syslog */ 
@@ -1164,79 +1215,78 @@ function captiveportal_syslog($message) { } function radius($username,$password,$clientip,$clientmac,$type) { - global $g, $config; - - $ruleno = captiveportal_get_next_ipfw_ruleno(); - - /* If the pool is empty, return appropriate message and fail authentication */ - if (is_null($ruleno)) { - $auth_list = array(); - $auth_list['auth_val'] = 1; - $auth_list['error'] = "System reached maximum login capacity"; - return $auth_list; - } - - $radiusservers = captiveportal_get_radius_servers(); - - $auth_list = RADIUS_AUTHENTICATION($username, - $password, - $radiusservers, - $clientip, - $clientmac, - $ruleno); - - if ($auth_list['auth_val'] == 2) { - captiveportal_logportalauth($username,$clientmac,$clientip,$type); - $sessionid = portal_allow($clientip, - $clientmac, - $username, - $password, - $auth_list, - $ruleno); - } - - return $auth_list; + global $g, $config; + + $ruleno = captiveportal_get_next_ipfw_ruleno(); + + /* If the pool is empty, return appropriate message and fail authentication */ + if (is_null($ruleno)) { + $auth_list = array(); + $auth_list['auth_val'] = 1; + $auth_list['error'] = "System reached maximum login capacity"; + return $auth_list; + } + + $radiusservers = captiveportal_get_radius_servers(); + + $auth_list = RADIUS_AUTHENTICATION($username, + $password, + $radiusservers, + $clientip, + $clientmac, + $ruleno); + + if ($auth_list['auth_val'] == 2) { + captiveportal_logportalauth($username,$clientmac,$clientip,$type); + $sessionid = portal_allow($clientip, + $clientmac, + $username, + $password, + $auth_list, + $ruleno); + } + + return $auth_list; } /* read captive portal DB into array */ function captiveportal_read_db() { - global $g; - - $cpdb = array(); - - $cpdblck = lock('captiveportaldb'); - $fd = @fopen("{$g['vardb_path']}/captiveportal.db", "r"); - if ($fd) { - while (!feof($fd)) { - $line = trim(fgets($fd)); - if ($line) { - $cpdb[] = explode(",", $line); - } - } - fclose($fd); - } - unlock($cpdblck); - 
return $cpdb; + global $g; + + $cpdb = array(); + + $cpdblck = lock('captiveportaldb'); + $fd = @fopen("{$g['vardb_path']}/captiveportal.db", "r"); + if ($fd) { + while (!feof($fd)) { + $line = trim(fgets($fd)); + if ($line) + $cpdb[] = explode(",", $line); + } + fclose($fd); + } + unlock($cpdblck); + return $cpdb; } /* write captive portal DB */ function captiveportal_write_db($cpdb) { - global $g; - - $cpdblck = lock('captiveportaldb', LOCK_EX); - $fd = @fopen("{$g['vardb_path']}/captiveportal.db", "w"); - if ($fd) { - foreach ($cpdb as $cpent) { - fwrite($fd, join(",", $cpent) . "\n"); - } - fclose($fd); - } + global $g; + + $cpdblck = lock('captiveportaldb', LOCK_EX); + $fd = @fopen("{$g['vardb_path']}/captiveportal.db", "w"); + if ($fd) { + foreach ($cpdb as $cpent) { + fwrite($fd, join(",", $cpent) . "\n"); + } + fclose($fd); + } unlock($cpdblck); } function captiveportal_write_elements() { global $g, $config; - + /* delete any existing elements */ if (is_dir($g['captiveportal_element_path'])) { $dh = opendir($g['captiveportal_element_path']); @@ -1245,8 +1295,9 @@ function captiveportal_write_elements() { unlink($g['captiveportal_element_path'] . "/" . $file); } closedir($dh); - } else + } else { @mkdir($g['captiveportal_element_path']); + } if (is_array($config['captiveportal']['element'])) { conf_mount_rw(); @@ -1265,7 +1316,7 @@ function captiveportal_write_elements() { } conf_mount_ro(); } - + return 0; } 
@@ -1295,10 +1346,10 @@ function captiveportal_get_next_ipfw_ruleno($rulenos_start = 2000, $rulenos_rang for ($ridx = 2; $ridx < ($rulenos_range_max - $rulenos_start); $ridx++) { if ($rules[$ridx]) { /* - * This allows our traffic shaping pipes to be the in pipe the same as ruleno - * and the out pipe ruleno + 1. This removes limitation that where present in - * previous version of the peruserbw. - */ + * This allows our traffic shaping pipes to be the in pipe the same as ruleno + * and the out pipe ruleno + 1. This removes limitation that where present in + * previous version of the peruserbw. + */ if (isset($config['captiveportal']['peruserbw'])) $ridx++; continue; @@ -1340,17 +1391,17 @@ function captiveportal_get_ipfw_passthru_ruleno($value) { global $config, $g; if(!isset($config['captiveportal']['enable'])) - return NULL; + return NULL; $cpruleslck = lock('captiveportalrules', LOCK_EX); - if (file_exists("{$g['vardb_path']}/captiveportal.rules")) { - $rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportal.rules")); + if (file_exists("{$g['vardb_path']}/captiveportal.rules")) { + $rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportal.rules")); $ruleno = intval(`/sbin/ipfw show | /usr/bin/grep {$value} | /usr/bin/grep -v grep | /usr/bin/cut -d " " -f 1 | /usr/bin/head -n 1`); if ($rules[$ruleno]) { unlock($cpruleslck); return $ruleno; } - } + } unlock($cpruleslck); return NULL; 
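Review bot: `$value` is interpolated unquoted into the backtick pipeline `/sbin/ipfw show | /usr/bin/grep {$value} | ...` that sits between the reindented lines of captiveportal_get_ipfw_passthru_ruleno, so whatever string the caller passes (its origin is outside this hunk) reaches the shell as-is. Since these lines are being touched anyway, pass it through `escapeshellarg($value)` — or drop the shell pipeline and look the rule up in the `$rules` array that the same branch already unserializes. That `unserialize(file_get_contents(...captiveportal.rules))` returns `false` on a damaged file, and `$rules[$ruleno]` then quietly evaluates to null so the function returns NULL and the corruption is masked; an `is_array($rules)` check with a `log_error` on failure would surface it.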
@@ -1369,31 +1420,31 @@ function captiveportal_get_ipfw_passthru_ruleno($value) { function getVolume($ip) { - $volume = array(); + $volume = array(); - // Initialize vars properly, since we don't want NULL vars - $volume['input_pkts'] = $volume['input_bytes'] = $volume['output_pkts'] = $volume['output_bytes'] = 0 ; + // Initialize vars properly, since we don't want NULL vars + $volume['input_pkts'] = $volume['input_bytes'] = $volume['output_pkts'] = $volume['output_bytes'] = 0 ; - // Ingress - $ipfwin = ""; - $ipfwout = ""; - $matchesin = ""; - $matchesout = ""; - exec("/sbin/ipfw table 1 entrystats {$ip}", $ipfwin); - if ($ipfwin[0]) { + // Ingress + $ipfwin = ""; + $ipfwout = ""; + $matchesin = ""; + $matchesout = ""; + exec("/sbin/ipfw table 1 entrystats {$ip}", $ipfwin); + if ($ipfwin[0]) { $ipfwin = split(" ", $ipfwin[0]); $volume['input_pkts'] = $ipfwin[2]; $volume['input_bytes'] = $ipfwin[3]; - } + } - exec("/sbin/ipfw table 2 entrystats {$ip}", $ipfwout); - if ($ipfwout[0]) { - $ipfwout = split(" ", $ipfwout[0]); - $volume['output_pkts'] = $ipfwout[2]; - $volume['output_bytes'] = $ipfwout[3]; - } + exec("/sbin/ipfw table 2 entrystats {$ip}", $ipfwout); + if ($ipfwout[0]) { + $ipfwout = split(" ", $ipfwout[0]); + $volume['output_pkts'] = $ipfwout[2]; + $volume['output_bytes'] = $ipfwout[3]; + } - return $volume; + return $volume; } /** @@ -1403,11 +1454,11 @@ function getVolume($ip) { */ function getNasID() { - $nasId = ""; - exec("/bin/hostname", $nasId); - if(!$nasId[0]) - $nasId[0] = "{$g['product_name']}"; - return $nasId[0]; + $nasId = ""; + exec("/bin/hostname", $nasId); + if(!$nasId[0]) + $nasId[0] = "{$g['product_name']}"; + return $nasId[0]; } /** 
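Review bot: getNasID reads `$g['product_name']` on its fallback line but never declares `global $g;`, so when `/bin/hostname` prints nothing the function returns an empty string (with an undefined-variable notice) instead of the product name. Add `global $g;` as the first statement of the function. `if(!$nasId[0])` also indexes an array that exec() may have left empty; `if (empty($nasId[0]))` expresses the same test without the notice.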
@@ -1421,17 +1472,17 @@ function getNasIP() { global $config; - if (empty($config['captiveportal']['radiussrcip_attribute'])) - $nasIp = get_interface_ip(); - else { + if (empty($config['captiveportal']['radiussrcip_attribute'])) { + $nasIp = get_interface_ip(); + } else { if (is_ipaddr($config['captiveportal']['radiussrcip_attribute'])) - $nasIp = $config['captiveportal']['radiussrcip_attribute']; - else - $nasIp = get_interface_ip($config['captiveportal']['radiussrcip_attribute']); + $nasIp = $config['captiveportal']['radiussrcip_attribute']; + else + $nasIp = get_interface_ip($config['captiveportal']['radiussrcip_attribute']); } - if(!is_ipaddr($nasIp)) - $nasIp = "0.0.0.0"; + if(!is_ipaddr($nasIp)) + $nasIp = "0.0.0.0"; return $nasIp; } @@ -1460,4 +1511,4 @@ function portal_ip_from_client_ip($cliip) { return false; } -?> +?>
\ No newline at end of file diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index ae54409..6fbcbca 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -1380,6 +1380,8 @@ function filter_nat_rules_generate() { } if($numberofnathosts > 0): foreach ($FilterIflist as $if => $ifcfg) { + if (substr($ifcfg['if'], 0, 4) == "ovpn") + continue; update_filter_reload_status("Creating outbound rules {$if} - ({$ifcfg['descr']})"); if(interface_has_gateway($if)) { $target = $ifcfg['ip']; diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc index c19a849..6f64478 100644 --- a/etc/inc/globals.inc +++ b/etc/inc/globals.inc @@ -80,7 +80,7 @@ $g = array( "product_name" => "pfSense", "product_copyright" => "BSD Perimeter LLC", "product_copyright_url" => "http://www.bsdperimeter.com", - "product_copyright_years" => "2004 - 2010", + "product_copyright_years" => "2004 - 2011", "product_website" => "www.pfsense.org", "product_website_footer" => "http://www.pfsense.org/?gui20", "product_email" => "coreteam@pfsense.org", diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc index b2b4118..035a6c2 100644 --- a/etc/inc/interfaces.inc +++ b/etc/inc/interfaces.inc 
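Review bot: The new `ovpn` prefix test in filter_nat_rules_generate carries no explanation of why OpenVPN interfaces are excluded from automatic outbound NAT, and nothing else in the loop hints at it; a one-line comment would save the next reader a trip through the history, e.g. `/* skip OpenVPN (ovpn*) interfaces: no automatic outbound NAT is generated for them */`. If the reason is that a later block handles them, say so there instead. The enclosing function starts outside the hunk.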
@@ -122,14 +122,36 @@ function interface_netgraph_needed($interface = "wan") { $realif = get_real_interface($interface); if (is_array($config['ppps']['ppp']) && count($config['ppps']['ppp'])) { foreach ($config['ppps']['ppp'] as $pppid => $ppp) { + +/* This if block doesn't do anything. It can be deleted. +PPP interfaces are found above in the previous if ($found == false) block. +This block of code is only entered for OPTx interfaces that are configured for PPPoE modem access, so $realif != $ppp['if'] + if ($realif == $ppp['if']) { $found = true; break; } +*/ + $ports = explode(',',$ppp['ports']); + foreach($ports as $pid => $port){ + $port = get_real_interface($port); + if ($realif == $port) { + $found = true; + break; + } + /* Find the parent interfaces of the vlans in the MLPPP configs + * there should be only one element in the array here + * -- this could be better . . . */ + $parent_if = get_parent_interface($port); + if ($realif == $parent_if[0]) { + $found = true; + break; + } + } } } } - + if ($found == false) { $realif = get_real_interface($interface); pfSense_ngctl_detach("{$realif}:", $realif); @@ -2484,7 +2506,9 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven $wancfg = $config['interfaces'][$interface]; $realif = get_real_interface($interface); - $realhwif = interface_translate_type_to_real($interface); + $realhwif_array = get_parent_interface($interface); + // Need code to handle MLPPP if we ever use $realhwif for MLPPP handling + $realhwif = $realhwif_array[0]; if (!$g['booting']) { /* remove all IPv4 addresses */ 
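Review bot: The `break` after `$found = true` in the new ports loop only leaves the inner `foreach($ports ...)`; the outer loop over `$config['ppps']['ppp']` keeps running (and keeps calling get_parent_interface) after a match, so use `break 2;` in both places to stop the search once `$found` is set. The block that the new comment itself declares dead (`if ($realif == $ppp['if'])`) should be deleted rather than left commented out — git history preserves it. interface_netgraph_needed starts before this hunk.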
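Review bot: `$realhwif = $realhwif_array[0];` assumes get_parent_interface returned at least one element, but that function (visible later in this diff) returns an empty array when get_real_interface yields NULL, so an unassigned or invalid interface now produces an undefined-index notice and a NULL `$realhwif` where interface_translate_type_to_real used to return the name unchanged. Guard it: `$realhwif = isset($realhwif_array[0]) ? $realhwif_array[0] : $realif;` — or make get_parent_interface never return empty. interface_configure continues outside the hunk.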
@@ -2862,9 +2886,13 @@ function convert_real_interface_to_friendly_interface_name($interface = "wan") { if (stristr($interface, "_wlan0") && $config['interfaces'][$if]['if'] == interface_get_wireless_base($interface)) return $if; - $int = interface_translate_type_to_real($if); - if ($int == $interface) + // XXX: This case doesn't work anymore (segfaults - recursion?) - should be replaced with something else or just removed. + // Not to be replaced with get_real_interface - causes slow interface listings here because of recursion! + /* + $int = get_parent_interface($if); + if ($int[0] == $interface) return $ifname; + */ } return NULL; } 
@@ -2934,37 +2962,63 @@ function convert_real_interface_to_friendly_descr($interface) { } /* - * interface_translate_type_to_real($interface): - * returns the real hardware interface name for a friendly interface. ie: wan + * get_parent_interface($interface): + * --returns the (real or virtual) parent interface(s) array for a given interface friendly name (i.e. wan) + * or virtual interface (i.e. vlan) + * (We need array because MLPPP and bridge interfaces have more than one parent.) + * -- returns $interface passed in if $interface parent is not found + * -- returns empty array if an invalid interface is passed + * (Only handles ppps and vlans now.) */ -function interface_translate_type_to_real($interface) { - global $config; +function get_parent_interface($interface) { + global $config; - if (empty($config['interfaces'][$interface])) - return $interface; - $tmpif = $config['interfaces'][$interface]; - switch ($tmpif['type']) { - case "ppp": - case "pppoe": - case "pptp": - case "l2tp": - if (is_array($config['ppps']['ppp'])) { - foreach ($config['ppps']['ppp'] as $pppidx => $ppp) { - if ($tmpif['if'] == $ppp['if']) { - $interface = $ppp['ports']; - break; - } - } + $parents = array(); + //Check that we got a valid interface passed + $realif = get_real_interface($interface); + if ($realif == NULL) + return $parents; + + // If we got a real interface, find it's friendly assigned name + $interface = convert_real_interface_to_friendly_interface_name($interface); + + if (!empty($interface) && isset($config['interfaces'][$interface])) { + $ifcfg = $config['interfaces'][$interface]; + switch ($ifcfg['ipaddr']) { + case "ppp": + case "pppoe": + case "pptp": + case "l2tp": + if (empty($parents)) + if (is_array($config['ppps']['ppp'])) + foreach ($config['ppps']['ppp'] as $pppidx => $ppp) { + if ($ppp_if == $ppp['if']) { + $ports = explode(',', $ppp['ports']); + foreach ($ports as $pid => $parent_if) + $parents[$pid] = get_real_interface($parent_if); + break; + } + } + 
break; + case "dhcp": + case "static": + default: + // Handle _vlans + if (strstr($realif,"_vlan")) + if (is_array($config['vlans']['vlan'])) + foreach ($config['vlans']['vlan'] as $vlanidx => $vlan) + if ($ifcfg['if'] == $vlan['vlanif']){ + $parents[0] = $vlan['if']; + break; + } + break; } - break; - case "dhcp": - case "static": - default: - $interface = $tmpif['if']; - break; } - - return $interface; + + if (empty($parents)) + $parents[0] = $realif; + + return $parents; } function interface_is_wireless_clone($wlif) { @@ -3628,10 +3682,9 @@ function get_wireless_modes($interface) { /* return wireless modes and channels */ $wireless_modes = array(); - $wlif = interface_translate_type_to_real($interface); + $cloned_interface = get_real_interface($interface); - if(is_interface_wireless($wlif)) { - $cloned_interface = get_real_interface($interface); + if($cloned_interface && is_interface_wireless($cloned_interface)) { $chan_list = "/sbin/ifconfig {$cloned_interface} list chan"; $stack_list = "/usr/bin/awk -F\"Channel \" '{ gsub(/\\*/, \" \"); print \$2 \"\\\n\" \$3 }'"; $format_list = "/usr/bin/awk '{print \$5 \" \" \$6 \",\" \$1}'"; @@ -3674,10 +3727,9 @@ function get_wireless_modes($interface) { function get_wireless_channel_info($interface) { $wireless_channels = array(); - $wlif = interface_translate_type_to_real($interface); + $cloned_interface = get_real_interface($interface); - if(is_interface_wireless($wlif)) { - $cloned_interface = get_real_interface($interface); + if($cloned_interface && is_interface_wireless($cloned_interface)) { $chan_list = "/sbin/ifconfig {$cloned_interface} list txpower"; $stack_list = "/usr/bin/awk -F\"Channel \" '{ gsub(/\\*/, \" \"); print \$2 \"\\\n\" \$3 }'"; $format_list = "/usr/bin/awk '{print \$1 \",\" \$3 \" \" \$4 \",\" \$5 \",\" \$7}'"; diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc index ca463e8..ce1e9fd 100644 --- a/etc/inc/openvpn.inc +++ b/etc/inc/openvpn.inc 
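Review bot: In get_parent_interface the PPP branch compares `$ppp_if == $ppp['if']`, but `$ppp_if` is never assigned anywhere in the function (the intended value is `$ifcfg['if']`), so the comparison is NULL against a string: PPP parents are never found and the function silently falls through to `$parents[0] = $realif`. Change the test to `if ($ifcfg['if'] == $ppp['if']) {`. Two smaller things in the same hunk: the `if (empty($parents))` guard before the ppps loop is always true at that point and can go, and the new header comment says the function `returns $interface passed in if $interface parent is not found` while the code returns `$realif` — align one with the other.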
@@ -172,6 +172,23 @@ function openvpn_get_cipherlist() { return $ciphers; } +function openvpn_get_engines() { + $openssl_engines = array('none' => 'No Hardware Crypto Acceleration'); + exec("/usr/bin/openssl engine", $openssl_engine_output); + foreach ($openssl_engine_output as $oeo) { + $linematch = array(); + preg_match("/\((.*)\)\s(.*)/", $oeo, $linematch); + if ($linematch[1] != "dynamic") + $openssl_engines[$linematch[1]] = $linematch[2]; + } + return $openssl_engines; +} + +function openvpn_validate_engine($engine) { + $engines = openvpn_get_engines(); + return array_key_exists($engine, $engines); +} + function openvpn_validate_host($value, $name) { $value = trim($value); if (empty($value) || (!is_domain($value) && !is_ipaddr($value))) @@ -343,6 +360,9 @@ function openvpn_reconfigure($mode,& $settings) { $conf .= "local {$iface_ip}\n"; } + if (openvpn_validate_engine($settings['engine']) && ($settings['engine'] != "none")) + $conf .= "engine {$settings['engine']}\n"; + // server specific settings if ($mode == 'server') { @@ -431,6 +451,8 @@ function openvpn_reconfigure($mode,& $settings) { $conf .= "client-to-client\n"; break; } + if (isset($settings['duplicate_cn'])) + $conf .= "duplicate-cn\n"; } // client specific settings diff --git a/etc/inc/pkg-utils.inc b/etc/inc/pkg-utils.inc index b34054a..3a2984a 100644 --- a/etc/inc/pkg-utils.inc +++ b/etc/inc/pkg-utils.inc 
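Review bot: openvpn_get_engines uses `$linematch[1]`/`$linematch[2]` without checking that `preg_match` matched, so any line of `openssl engine` output that does not fit `/\((.*)\)\s(.*)/` (a blank or continuation line, for instance) raises undefined-offset notices and inserts an empty-string key into the engine list, which openvpn_validate_engine would then accept as a valid engine. Make the match a condition: `if (preg_match("/\((.*)\)\s(.*)/", $oeo, $linematch) && $linematch[1] != "dynamic")`. Anchoring the pattern (`/^\((.*?)\)\s+(.*)$/`) would additionally keep a parenthesised word inside a description from being taken as the engine id.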
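Review bot: The new `duplicate-cn` emission in `@@ -431,6 +451,8 @@` has no comment explaining what it relaxes: by default OpenVPN refuses a second concurrent session for a certificate whose CN is already connected, and `duplicate-cn` turns that off for every client of the server. Since the option changes the server's security posture, document it at the point of emission, e.g. `// duplicate-cn: allow several simultaneous sessions per certificate; defeats the one-client-per-cert check, so only for deployments that genuinely share a cert`. Whether this line sits inside the `if ($mode == 'server')` block cannot be seen from the hunk; if it does not, a client-mode configuration would also receive this server-only directive.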
@@ -311,13 +311,17 @@ function get_pkg_depends($pkg_name, $filetype = ".xml", $format = "files", $retu function uninstall_package($pkg_name) { global $config, $static_output; + global $builder_package_install; - // Back up /usr/local/lib libraries first - if(!file_exists("/tmp/pkg_libs.tgz")) { - $static_output .= "Backing up libraries... "; - update_output_window($static_output); - exec("/usr/bin/tar czPf /tmp/pkg_libs.tgz `/bin/cat /etc/pfSense_md5.txt | /usr/bin/grep 'local/lib' | /usr/bin/awk '{ print $2 }' | /usr/bin/cut -d'(' -f2 | /usr/bin/cut -d')' -f1`"); - $static_output .= "\n"; + // Back up /usr/local/lib libraries first if + // not running from the builder code. + if(!$builder_package_install) { + if(!file_exists("/tmp/pkg_libs.tgz")) { + $static_output .= "Backing up libraries... "; + update_output_window($static_output); + exec("/usr/bin/tar czPf /tmp/pkg_libs.tgz `/bin/cat /etc/pfSense_md5.txt | /usr/bin/grep 'local/lib' | /usr/bin/awk '{ print $2 }' | /usr/bin/cut -d'(' -f2 | /usr/bin/cut -d')' -f1`"); + $static_output .= "\n"; + } } $id = get_pkg_id($pkg_name); @@ -332,11 +336,14 @@ function uninstall_package($pkg_name) { } delete_package_xml($pkg_name); - // Restore libraries that we backed up - $static_output .= "Cleaning up... "; - update_output_window($static_output); - exec("/usr/bin/tar xzPfU /tmp/pkg_libs.tgz -C /"); - @unlink("/tmp/pkg_libs.tgz"); + // Restore libraries that we backed up if not + // running from the builder code. + if(!$builder_package_install) { + $static_output .= "Cleaning up... "; + update_output_window($static_output); + exec("/usr/bin/tar xzPfU /tmp/pkg_libs.tgz -C /"); + @unlink("/tmp/pkg_libs.tgz"); + } } function force_remove_package($pkg_name) { 
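Review bot: Both new `if(!$builder_package_install)` blocks (this hunk and `@@ -332,11 +336,14 @@`) keep the library backup at the fixed path `/tmp/pkg_libs.tgz` and restore it with `tar xzPfU ... -C /`, i.e. absolute-path extraction over the root filesystem by the uninstall (which presumably runs as root); because the backup is skipped when that file already exists, whatever archive is sitting at the path — a stale one from an interrupted run, or one left by any other writer of /tmp — is what gets restored. Create the archive under a per-run name in a directory only root can write (`tempnam()` under `$g['vardb_path']`, for instance) and replace the `file_exists` shortcut with "always back up, always restore what this run created". If /tmp is not shared with unprivileged users on the appliance the foreign-archive case is moot, but the stale-archive case remains.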
@@ -348,6 +355,12 @@ function force_remove_package($pkg_name) { */ function sync_package($pkg_name, $sync_depends = true, $show_message = false) { global $config, $config_parsed; + global $builder_package_install; + + // If this code is being called by pfspkg_installer + // which the builder system uses then return (ignore). + if($builder_package_install) + return; if(empty($config['installedpackages']['package'])) return; @@ -440,8 +453,9 @@ function pkg_fetch_recursive($pkgname, $filename, $dependlevel = 0, $base_url = $osname = php_uname("s"); $arch = php_uname("m"); - $rel = php_uname("r"); - $rel = strtolower(substr($rel, 0, strrpos($rel, "-"))); + $rel = strtolower(php_uname("r")); + if (substr_count($rel, '-') > 1) + $rel = substr($rel, 0, strrpos($rel, "-")); $priv_url = "http://ftp2.{$osname}.org/pub/{$osname}/ports/{$arch}/packages-{$rel}/All"; if (empty($base_url)) $base_url = $priv_url; diff --git a/etc/inc/rrd.inc b/etc/inc/rrd.inc index f8f027b..21de58b 100644 --- a/etc/inc/rrd.inc +++ b/etc/inc/rrd.inc @@ -602,7 +602,7 @@ function enable_rrd_graphing() { /* SPAMD, set up the spamd rrd file */ if (isset($config['installedpackages']['spamdsettings']) && - isset ($config['installedpackages']['spamdsettings']['config'][0]['enablerrd'])) { + $config['installedpackages']['spamdsettings']['config'][0]['enablerrd']) { /* set up the spamd rrd file */ if (!file_exists("$rrddbpath$ifname$spamd")) { $rrdcreate = "$rrdtool create $rrddbpath$ifname$spamd --step $rrdspamdinterval "; diff --git a/etc/inc/shaper.inc b/etc/inc/shaper.inc index 6ae5ab6..bea2c04 100644 --- a/etc/inc/shaper.inc +++ b/etc/inc/shaper.inc @@ -31,6 +31,8 @@ /* XXX: needs some reducing on include. */ /* include all configuration functions. */ require_once("functions.inc"); +require_once("util.inc"); +require_once("notices.inc"); /* * I admit :) this is derived from xmplparse.inc StartElement() 
@@ -418,6 +420,7 @@ class altq_root_queue { $q->ReadConfig($queue); $q->validate_input($queue, $input_errors); if (count($input_errors)) { + log_error("SHAPER: could not create queue " . $q->GetQname() . " on interface {$interface} because: " . print_r($input_errors, true)); return $q; } @@ -514,8 +517,9 @@ class altq_root_queue { * foreach ($queues as $qkey => $queue) * this->queues[$qkey]->build_rule(); */ - function build_rules() { + function build_rules($default = false) { if (count($this->queues) > 0 && $this->GetEnabled() == "on") { + $default = false; $rules = " altq on " . get_real_interface($this->GetInterface()); if ($this->GetScheduler()) $rules .= " ".strtolower($this->GetScheduler()); @@ -538,9 +542,16 @@ class altq_root_queue { } $rules .= " } \n"; foreach ($this->queues as $q) { - $rules .= $q->build_rules(); + $rules .= $q->build_rules(&$default); } } + if ($default == false) { + $error = "SHAPER: no default queue specified for interface ". $this->GetInterface() . ". The interface queue will be enforced as default."; + file_notice("Shaper", $error, "Error occurred", ""); + unset($error); + return "\n"; + } + $frule .= $rules; } $rules .= " \n"; return $rules; @@ -1024,7 +1035,7 @@ class priq_queue { /* Should return something like: * queue $qname on $qinterface bandwidth .... */ - function build_rules() { + function build_rules($default = false) { $pfq_rule = " queue ". $this->qname; if ($this->GetInterface()) $pfq_rule .= " on ".get_real_interface($this->GetInterface()); @@ -1060,6 +1071,7 @@ class priq_queue { if ($comma) $pfq_rule .= " ,"; $pfq_rule .= " default "; + $default = true; } $pfq_rule .= " ) "; } @@ -1335,6 +1347,7 @@ class hfsc_queue extends priq_queue { $q->ReadConfig($qname); $q->validate_input($qname, $input_errors); if (count($input_errors)) { + log_error("SHAPER: could not create queue " . $q->GetQname() . " on interface {$interface} because: " . print_r($input_errors, true)); return $q; } 
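Review bot: `$rules .= $q->build_rules(&$default);` in `@@ -538,9 +542,16 @@` (and the same call in cbq_queue at `@@ -2272,7 +2288,7 @@`) relies on call-time pass-by-reference to get the child's `$default = true` back into the root queue, which PHP 5.3 reports as deprecated and later versions reject outright. Declare the parameter by reference in the queue classes instead — `function build_rules(&$default = false)` in priq_queue, hfsc_queue, cbq_queue and fairq_queue — and call `$q->build_rules($default)`. Two further points in the root build_rules: the `$default = false;` added at the top of the `if (count($this->queues) > 0 ...)` block overwrites whatever the caller passed, so the parameter is effectively write-only there, and `$frule .= $rules;` appends to a variable nothing else in the hunk reads, which looks like dead code or a typo for `$rules`.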
@@ -1672,7 +1685,7 @@ class hfsc_queue extends priq_queue { } /* Even this should take children into consideration */ - function build_rules() { + function build_rules($default = false) { $pfq_rule = " queue ". $this->qname; if ($this->GetInterface()) @@ -1711,6 +1724,7 @@ class hfsc_queue extends priq_queue { $pfq_rule .= " ,"; $comma = 1; $pfq_rule .= " default "; + $default = true; } if ($this->GetRealtime() <> "") { @@ -2038,6 +2052,7 @@ class cbq_queue extends priq_queue { $q->ReadConfig($qname); $q->validate_input($qname, $input_errors); if (count($input_errors)) { + log_error("SHAPER: could not create queue " . $q->GetQname() . " on interface {$interface} because: " . print_r($input_errors, true)); return $q; } switch ($q->GetBwscale()) { @@ -2212,7 +2227,7 @@ class cbq_queue extends priq_queue { } /* Even this should take children into consideration */ - function build_rules() { + function build_rules($default = false) { $pfq_rule = "queue ". $this->qname; if ($this->GetInterface()) $pfq_rule .= " on ".get_real_interface($this->GetInterface()); @@ -2251,6 +2266,7 @@ class cbq_queue extends priq_queue { $pfq_rule .= " ,"; $comma = 1; $pfq_rule .= " default "; + $default = true; } $tmpvalue = trim($this->GetBorrow()); if (!empty($tmpvalue)) { @@ -2272,7 +2288,7 @@ class cbq_queue extends priq_queue { } $pfq_rule .= " } \n"; foreach ($this->subqueues as $q) - $pfq_rule .= $q->build_rules(); + $pfq_rule .= $q->build_rules(&$default); } $pfq_rule .= " \n"; @@ -2486,7 +2502,7 @@ class fairq_queue extends priq_queue { } /* Even this should take children into consideration */ - function build_rules() { + function build_rules($default = false) { $pfq_rule = "queue ". $this->qname; if ($this->GetInterface()) $pfq_rule .= " on ".get_real_interface($this->GetInterface()); 
@@ -2526,6 +2542,7 @@ class fairq_queue extends priq_queue { $pfq_rule .= " ,"; $comma = 1; $pfq_rule .= " default "; + $default = true; } $tmpvalue = trim($this->GetBuckets()); if (!empty($tmpvalue)) { @@ -2813,8 +2830,10 @@ class dnpipe_class extends dummynet_class { $q->SetParent(&$this); $q->ReadConfig($queue); $q->validate_input($queue, $input_errors); - if (count($input_errors)) + if (count($input_errors)) { + log_error("SHAPER: could not create queue " . $q->GetQname() . " on interface {$interface} because: " . print_r($input_errors, true)); return $q; + } $this->subqueues[$q->GetQname()] = &$q; return $q; diff --git a/etc/inc/system.inc b/etc/inc/system.inc index 395aa3a..4403c6f 100644 --- a/etc/inc/system.inc +++ b/etc/inc/system.inc @@ -444,6 +444,9 @@ function system_routing_configure($interface = "") { continue; } $gateway = $gateways_arr[$rtent['gateway']]; + if (!empty($interface) && $interface != $gateway['friendlyiface']) + continue; + $gatewayip = $gateway['gateway']; $interfacegw = $gateway['interface']; $action = "add"; @@ -840,7 +843,7 @@ function system_generate_lighty_config($filename, if($captive_portal == true) { $captiveportal = ",\"mod_rewrite\""; $captive_portal_rewrite = "url.rewrite-once = ( \"(.*captiveportal.*)\" => \"$1\", \"(.*)\" => \"/index.php?redirurl=$1\" )\n"; - $captive_portal_module = "\"mod_accesslog\", "; + $captive_portal_module = ""; $maxprocperip = $config['captiveportal']['maxprocperip']; if(!$maxprocperip and $maxprocperip > 0) $captive_portal_mod_evasive = "evasive.max-conns-per-ip = {$maxprocperip}"; diff --git a/etc/inc/xmlparse.inc b/etc/inc/xmlparse.inc index 1304c4e..5fa51c3 100644 --- a/etc/inc/xmlparse.inc +++ b/etc/inc/xmlparse.inc 
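Review bot: Setting `$captive_portal_module = ""` drops `mod_accesslog` from the captive-portal lighttpd instance, which removes the portal's HTTP access log — a source that incident review of portal logins relies on — without a comment saying why (presumably to cut load or disk use on the portal). If that is intended, note it at the assignment, e.g. `// no mod_accesslog for the portal instance: <reason>`, and confirm captiveportal_logportalauth still records authentications. The context line `if(!$maxprocperip and $maxprocperip > 0)` can never be true for a numeric value (it requires the variable to be both falsy and positive), so the `evasive.max-conns-per-ip` limit is never emitted; `if ($maxprocperip > 0)` looks like the intended test. system_generate_lighty_config starts before this hunk.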
@@ -36,9 +36,9 @@ function listtags() { * I know it's a pain, but it's a pain to find stuff too if it's not */ $ret = explode(" ", - "alias aliasurl allowedip authserver bridged ca cacert cert crl clone config ". - "container columnitem build_port_path depends_on_package disk dnsserver dnsupdate ". - "domainoverrides dyndns earlyshellcmd element encryption-algorithm-option ". + "alias aliasurl allowedip allowedhostname authserver bridged ca cacert cert crl ". + "clone config container columnitem build_port_path depends_on_package disk dnsserver ". + "dnsupdate domainoverrides dyndns earlyshellcmd element encryption-algorithm-option ". "field fieldname hash-algorithm-option gateway_item gateway_group gif gre ". "group hosts member ifgroupentry igmpentry interface_array item key lagg " . "lbaction lbpool l7rules lbprotocol ". diff --git a/etc/phpshellsessions/gitsync b/etc/phpshellsessions/gitsync index 9fa7079..4b865c5 100644 --- a/etc/phpshellsessions/gitsync +++ b/etc/phpshellsessions/gitsync @@ -313,6 +313,8 @@ function post_cvssync_commands() { fwrite($fd, "sleep 5\n"); fwrite($fd, "killall php\n"); fwrite($fd, "/usr/local/sbin/pfSctl -c 'service restart webgui'\n"); + if(file_exists("/var/etc/lighty-CaptivePortal.conf")) + fwrite($fd, "/usr/local/sbin/lighttpd -f /var/etc/lighty-CaptivePortal.conf\n"); fclose($fd); mwexec_bg("sh /tmp/restart_lighty"); echo "\n"; @@ -110,8 +110,9 @@ elif [ "$PLATFORM" = "nanobsd" ] ; then /bin/rm -rf /var/db/pkg /bin/ln -s /root/var/db/pkg/ /var/db/pkg else - SWAPDEVICE=`/bin/cat /etc/fstab | /usr/bin/grep swap | /usr/bin/cut -f1` - /sbin/swapon -a 2>/dev/null >/dev/null + /etc/rc.dumpon + SWAPDEVICE=`/bin/cat /etc/fstab | /usr/bin/grep swap | /usr/bin/cut -f1` + /sbin/swapon -a 2>/dev/null >/dev/null fi if [ "$PLATFORM" = "cdrom" ] ; then diff --git a/etc/rc.bootup b/etc/rc.bootup index 6333ab8..3451c88 100755 --- a/etc/rc.bootup +++ b/etc/rc.bootup 
@@ -385,7 +385,9 @@ if(file_exists('/conf/needs_package_sync')) {
 if($config['installedpackages'] <> '' && is_array($config['installedpackages']['package'])) {
 require_once("pkg-utils.inc");
 if($g['platform'] == "pfSense" || $g['platform'] == "nanobsd") {
+ mark_subsystem_dirty('packagelock');
 pkg_reinstall_all();
+ clear_subsystem_dirty('packagelock');
 }
 }
 }
diff --git a/etc/rc.dumpon b/etc/rc.dumpon
new file mode 100755
index 0000000..7e72a73
--- /dev/null
+++ b/etc/rc.dumpon
@@ -0,0 +1,57 @@
+#!/bin/sh
+# Based on:
+# FreeBSD: src/etc/rc.d/dumpon,v 1.12.2.1.4.1 2010/06/14 02:09:06 kensmith Exp
+# FreeBSD: src/etc/rc.d/savecore,v 1.16.2.2.4.1 2010/06/14 02:09:06 kensmith Exp
+
+# dumpon
+
+dumpon_try()
+{
+ if /sbin/dumpon "${1}" ; then
+ # Make a symlink in devfs for savecore
+ echo "Using ${1} for dump device."
+ ln -fs "${1}" /dev/dumpdev
+ return 0
+ fi
+ echo "Unable to specify $1 as a dump device."
+ return 1
+}
+
+# Enable dumpdev so that savecore can see it. Enable it
+# early so a crash early in the boot process can be caught.
+#
+while read dev mp type more ; do
+ [ "${type}" = "swap" ] || continue
+ [ -c "${dev}" ] || continue
+ dumpon_try "${dev}" && works=true
+done </etc/fstab
+if [ "${works}" != "true" ]; then
+ echo "No suitable dump device was found." 1>&2
+ exit
+fi
+
+# ddb
+if [ ! -z "`sysctl -Nq debug.ddb.scripting.scripts`" ]; then
+ /sbin/ddb /etc/ddb.conf
+fi
+
+# savecore
+
+dumpdev=`/bin/realpath /dev/dumpdev`
+dumpdir='/var/crash'
+
+if [ ! -c "${dumpdev}" ]; then
+ echo "Dump device does not exist. Savecore not run."
+ exit
+fi
+
+if [ ! -d "${dumpdir}" ]; then
+ echo "Dump directory does not exist. Savecore not run."
+ exit
+fi
+
+if savecore -C "${dumpdir}" "${dumpdev}" >/dev/null; then
+ savecore ${dumpdir} ${dumpdev}
+else
+ echo 'No core dumps found.'
+fi
diff --git a/etc/rc.filter_synchronize b/etc/rc.filter_synchronize
index 15dca87..304d76c 100755
--- a/etc/rc.filter_synchronize
+++ b/etc/rc.filter_synchronize
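Review bot: In rc.dumpon the final `savecore ${dumpdir} ${dumpdev}` leaves both expansions unquoted while every other use in the file quotes them (`savecore -C "${dumpdir}" "${dumpdev}"` two lines above); quote them for consistency, since `dumpdev` is whatever `realpath` printed. The three early `exit` calls return the status of the preceding `echo` (0), so the caller in etc/rc cannot tell "no dump device" from success; if that matters use `exit 1` on the error paths, otherwise a comment stating that the script is best-effort would make it explicit. `works` is never initialised before the `while` loop, which is fine under `sh` but a `works=false` line before it would spare readers the question.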
@@ -383,8 +383,8 @@ if (is_array($config['installedpackages']['carpsettings']['config'])) { $sections[] = 'vouchers'; if (count($sections) > 0) { if (!carp_check_version($synchronizetoip, $carp['password'], $port)) { - update_filter_reload_status("The other member is on older version of {$g['product']}. Sync will not be done to prevent problems!"); - log_error("The other member is on older version of {$g['product']}. Sync will not be done to prevent problems!"); + update_filter_reload_status("The other member is on older configuration version of {$g['product_name']}. Sync will not be done to prevent problems!"); + log_error("The other member is on older configuration version of {$g['product_name']}. Sync will not be done to prevent problems!"); break; } diff --git a/etc/rc.newwanip b/etc/rc.newwanip index b63996c..b85d102 100755 --- a/etc/rc.newwanip +++ b/etc/rc.newwanip @@ -84,7 +84,6 @@ system_resolvconf_generate(true); /* write current WAN IP to file */ file_put_contents("{$g['vardb_path']}/{$interface}_ip", $curwanip); -file_put_contents("{$g['vardb_path']}/{$interface}_cacheip", $curwanip); /* reconfigure static routes (kernel may have deleted them) */ system_routing_configure($interface); @@ -107,6 +106,8 @@ if (is_ipaddr($oldip) && $curwanip == $oldip) { exit; } +file_put_contents("{$g['vardb_path']}/{$interface}_cacheip", $curwanip); + /* perform RFC 2136 DNS update */ services_dnsupdate_process($interface); |