authorBill Marquette <bill.marquette@gmail.com>2011-05-14 11:08:39 -0500
committerBill Marquette <bill.marquette@gmail.com>2011-05-14 11:08:39 -0500
commit23b774e0cfce78e24cd290f096972b098b7bf66b (patch)
tree57e3f8ee97ba7da4d83213c40ed40b3473db87c0 /etc
parent2594f4010b85e5f4571ba76a69e36a16f441b4e3 (diff)
parent2ad2758feff078a29de0213bdbd71a91adb1a5fe (diff)
Merge branch 'master' into yakatz-ssl
Diffstat (limited to 'etc')
-rw-r--r--etc/devd.conf5
-rwxr-xr-xetc/ecl.php2
-rw-r--r--etc/inc/authgui.inc3
-rw-r--r--etc/inc/captiveportal.inc4
-rw-r--r--etc/inc/certs.inc18
-rw-r--r--etc/inc/dyndns.class36
-rw-r--r--etc/inc/filter.inc42
-rw-r--r--etc/inc/globals.inc1
-rw-r--r--etc/inc/interfaces.inc89
-rw-r--r--etc/inc/openvpn.inc1
-rw-r--r--etc/inc/services.inc3
-rw-r--r--etc/inc/shaper.inc2
-rw-r--r--etc/inc/system.inc2
-rw-r--r--etc/inc/upgrade_config.inc4
-rw-r--r--etc/inc/voucher.inc2
-rw-r--r--etc/inc/vpn.inc5
-rw-r--r--etc/inc/vslb.inc107
-rw-r--r--etc/version2
18 files changed, 215 insertions, 113 deletions
diff --git a/etc/devd.conf b/etc/devd.conf
index 7c63591..244af48 100644
--- a/etc/devd.conf
+++ b/etc/devd.conf
@@ -39,10 +39,7 @@ detach 100 {
};
#
-# Try to start dhclient on Ethernet like interfaces when the link comes
-# up. Only devices that are configured to support DHCP will actually
-# run it. No link down rule exists because dhclient automaticly exits
-# when the link goes down.
+# Signal upper levels that an event happened on ethernet class interface
#
notify 0 {
match "system" "IFNET";
diff --git a/etc/ecl.php b/etc/ecl.php
index 9f68919..47e187a 100755
--- a/etc/ecl.php
+++ b/etc/ecl.php
@@ -149,8 +149,8 @@ function find_config_xml() {
exec("/sbin/umount /tmp/mnt/cf");
exit;
}
- exec("/sbin/umount /tmp/mnt/cf");
}
+ exec("/sbin/umount /tmp/mnt/cf");
}
}
}
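Review bot: The umount moved to line 61 is run through exec() with its exit status discarded, so a failed unmount leaves /tmp/mnt/cf mounted and any later mount attempt onto the same directory stacks on top of it without anyone noticing. Capture and log the status, `exec("/sbin/umount /tmp/mnt/cf", $out, $rc);` followed by a log_error() when `$rc != 0`. find_config_xml begins before this hunk, so I cannot see whether the enclosing loop already handles this.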
diff --git a/etc/inc/authgui.inc b/etc/inc/authgui.inc
index 9655d79..d64d1cc 100644
--- a/etc/inc/authgui.inc
+++ b/etc/inc/authgui.inc
@@ -226,8 +226,9 @@ if($config['virtualip'])
$nifty_background = "#999";
print_info_box(gettext("You are accessing this router by an IP address not configured locally, which may be forwarded by NAT or other means. <br/><br/>If you did not setup this forwarding, you may be the target of a man-in-the-middle attack."));
}
+ $noautocomplete = isset($config['system']['webgui']['noautocomplete']) ? 'autocomplete="off"' : '';
?>
- <form id="iform" name="login_iform" method="post" action="<?=$_SERVER['SCRIPT_NAME'];?>">
+ <form id="iform" name="login_iform" method="post" <?= $noautocomplete ?> action="<?=$_SERVER['SCRIPT_NAME'];?>">
<h1></h1>
<div id="inputerrors"><?=$_SESSION['Login_Error'];?></div>
<p>
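Review bot: The rewritten form tag on line 76 still writes `$_SERVER['SCRIPT_NAME']` into the action attribute unescaped; on some server configurations that value can carry request-derived path segments, so it should be emitted as `action="<?=htmlspecialchars($_SERVER['SCRIPT_NAME']);?>"`. The new `$noautocomplete` fragment comes from the stored config only, so inserting it verbatim is fine. Browsers treat autocomplete="off" on a login form as a hint rather than a guarantee, which is worth a one-line comment next to line 73. The enclosing template code starts outside the hunk.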
diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc
index 196d83c..a66c6cb 100644
--- a/etc/inc/captiveportal.inc
+++ b/etc/inc/captiveportal.inc
@@ -1659,8 +1659,8 @@ function portal_allow($clientip,$clientmac,$username,$password = null, $attribut
*/
$peruserbw = isset($config['captiveportal']['peruserbw']);
- $bw_up = isset($attributes['bw_up']) ? trim($attributes['bw_up']) : $config['captiveportal']['bwdefaultup'];
- $bw_down = isset($attributes['bw_down']) ? trim($attributes['bw_down']) : $config['captiveportal']['bwdefaultdn'];
+ $bw_up = isset($attributes['bw_up']) ? round(intval($attributes['bw_up'])/1000, 2) : $config['captiveportal']['bwdefaultup'];
+ $bw_down = isset($attributes['bw_down']) ? round(intval($attributes['bw_down'])/1000, 2) : $config['captiveportal']['bwdefaultdn'];
if ($passthrumac) {
$mac = array();
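Review bot: Lines 89-90 now divide the RADIUS `bw_up`/`bw_down` values by 1000 while the fallback `bwdefaultup`/`bwdefaultdn` config values are used unchanged, which implies the attributes arrive in bit/s and the defaults are already kbit/s, but that unit assumption is recorded nowhere. A non-numeric attribute now becomes `intval()` = 0 and so `$bw_up = 0`, where the old code passed the trimmed string through, so whatever 0 means further down (no limit versus zero bandwidth) should be checked. Suggest a comment above line 89 such as `// RADIUS bandwidth attributes are in bit/s; convert to kbit/s to match bwdefaultup/bwdefaultdn`. portal_allow continues outside the hunk.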
diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc
index 2e9718c..3595f45 100644
--- a/etc/inc/certs.inc
+++ b/etc/inc/certs.inc
@@ -498,14 +498,16 @@ function crl_update(& $crl) {
if (!$ca)
return false;
// If we have text but no certs, it was imported and cannot be updated.
- if (!empty($crl['text']) && empty($crl['cert']))
+ if (($crl["method"] != "internal") && (!empty($crl['text']) && empty($crl['cert'])))
return false;
$crl['serial']++;
$ca_str_crt = base64_decode($ca['crt']);
$ca_str_key = base64_decode($ca['prv']);
$crl_res = openssl_crl_new($ca_str_crt, $crl['serial'], $crl['lifetime']);
- foreach ($crl['cert'] as $cert) {
- openssl_crl_revoke_cert($crl_res, base64_decode($cert["crt"]), $cert["revoke_time"], $cert["reason"]);
+ if (is_array($crl['cert']) && (count($crl['cert']) > 0)) {
+ foreach ($crl['cert'] as $cert) {
+ openssl_crl_revoke_cert($crl_res, base64_decode($cert["crt"]), $cert["revoke_time"], $cert["reason"]);
+ }
}
openssl_crl_export($crl_res, $crl_text, $ca_str_key);
$crl['text'] = base64_encode($crl_text);
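Review bot: Line 102 reads `$crl["method"]` unconditionally, and the next hunk of this file (line 124) acknowledges that older CRLs have no method key, so those entries raise an undefined-index notice here (with `null != "internal"` being true, which is presumably the intended outcome). The same unguarded read appears in is_crl_internal on line 136. Spell the intent out so the notice cannot occur: `if ((!isset($crl['method']) || $crl['method'] != 'internal') && (!empty($crl['text']) && empty($crl['cert'])))` on line 102, and `(isset($crl['method']) && $crl['method'] == 'internal')` on line 136. crl_update starts outside the hunk.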
@@ -533,7 +535,13 @@ function cert_unrevoke($cert, & $crl) {
foreach ($crl['cert'] as $id => $rcert) {
if (($rcert['refid'] == $cert['refid']) || ($rcert['descr'] == $cert['descr'])) {
unset($crl['cert'][$id]);
- crl_update($crl);
+ if (count($crl['cert']) == 0) {
+ // Protect against accidentally switching the type to imported, for older CRLs
+ if (!isset($crl['method']))
+ $crl['method'] = "internal";
+ crl_update($crl);
+ } else
+ crl_update($crl);
return true;
}
}
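Review bot: Both branches on lines 122-128 end in the same `crl_update($crl)` call; the only difference is the default applied when the CRL became empty, so the whole construct collapses to `if (count($crl['cert']) == 0 && !isset($crl['method'])) $crl['method'] = "internal";` followed by a single `crl_update($crl);`. That also leaves the comment on line 123 attached to the one statement it explains. cert_unrevoke continues outside the hunk.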
@@ -583,7 +591,7 @@ function crl_in_use($crlref) {
}
function is_crl_internal($crl) {
- return !(!empty($crl['text']) && empty($crl['cert']));
+ return (!(!empty($crl['text']) && empty($crl['cert'])) || ($crl["method"] == "internal"));
}
?>
diff --git a/etc/inc/dyndns.class b/etc/inc/dyndns.class
index dcde894..150dedc 100644
--- a/etc/inc/dyndns.class
+++ b/etc/inc/dyndns.class
@@ -18,6 +18,7 @@
* - DNSexit (dnsexit.com)
* - OpenDNS (opendns.com)
* - Namecheap (namecheap.com)
+ * - HE.net (dns.he.net)
* +----------------------------------------------------+
* Requirements:
* - PHP version 4.0.2 or higher with CURL Library
@@ -49,6 +50,7 @@
* DNSexit - Last Tested: 20 July 2008
* OpenDNS - Last Tested: 4 August 2008
* Namecheap - Last Tested: 31 August 2010
+ * HE.net - Last Tested: NEVER
* +====================================================+
*
* @author E.Kristensen
@@ -152,6 +154,7 @@
case 'dnsexit':
case 'opendns':
case 'namecheap':
+ case 'he-net':
$this->_update();
break;
default:
@@ -434,6 +437,19 @@
if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch));
curl_close($ch);
$this->_checkStatus($data);
+ break;
+ case 'he-net':
+ $needsIP = FALSE;
+ log_error("HE.net: DNS update() starting.");
+ $server = "https://dyn.dns.he.net/nic/update?";
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
+ curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsHost . ':' . $this->_dnsPass);
+ curl_setopt($ch, CURLOPT_URL, $server . 'hostname=' . $this->_dnsHost);
+ $data = curl_exec($ch);
+ if(@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch));
+ curl_close($ch);
+ $this->_checkStatus($data);
+ break;
default:
break;
}
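Review bot: Line 176 turns off TLS peer verification (`CURLOPT_SSL_VERIFYPEER, FALSE`) on the same handle that line 177 loads with the account password, so the credential goes to whatever answers for dyn.dns.he.net rather than to a verified endpoint, and the https scheme provides no protection against an on-path interception. Keep verification on and add hostname checking, `curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);`, and point CURLOPT_CAINFO at the system CA bundle if the build has no default one. The `$ch` handle is created before this hunk, so check whether other providers in this switch carry the same setting.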
@@ -754,6 +770,26 @@
$this->_debug($data);
}
break;
+
+ case 'he-net':
+ if (preg_match("/badip/i", $data)) {
+ $status = "phpDynDNS: (Error) Bad Request - The IP provided was invalid.";
+ } else if (preg_match('/nohost/i', $data)) {
+ $status = "phpDynDNS: (Error) Bad Request - A hostname was not provided.";
+ } else if (preg_match('/badauth/i', $data)) {
+ $status = "phpDynDNS: (Error) Invalid username or password.";
+ } else if (preg_match('/good/i', $data)) {
+ $status = "phpDynDNS: (Success) IP Address Updated Successfully!";
+ $successful_update = true;
+ } else if (preg_match('/nochg/i', $data)) {
+ $status = "phpDynDNS: (Success) No Change In IP Address.";
+ $successful_update = true;
+ } else {
+ $status = "phpDynDNS: (Unknown Response)";
+ log_error("phpDynDNS: PAYLOAD: {$data}");
+ $this->_debug($data);
+ }
+ break;
}
if($successful_update == true) {
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 8fdf752..14e6560 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1537,14 +1537,6 @@ function filter_nat_rules_generate() {
}
}
fclose($inetd_fd); // Close file handle
- // Check if inetd is running, if not start it. If so, restart it gracefully.
- $helpers = isvalidproc("inetd");
- if(file_exists("/var/etc/inetd.conf")) {
- if(!$helpers)
- mwexec("/usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.conf");
- else
- sigkillbypid("/var/run/inetd.pid", "HUP");
- }
if (isset($config['pptpd']['mode']) && ($config['pptpd']['mode'] != "off")) {
if ($config['pptpd']['mode'] == "redir") {
@@ -1564,6 +1556,15 @@ function filter_nat_rules_generate() {
if(!empty($reflection_txt))
$natrules .= "\n# Reflection redirects and NAT for 1:1 mappings\n" . $reflection_txt;
+ // Check if inetd is running, if not start it. If so, restart it gracefully.
+ $helpers = isvalidproc("inetd");
+ if(file_exists("/var/etc/inetd.conf")) {
+ if(!$helpers)
+ mwexec("/usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.conf");
+ else
+ sigkillbypid("/var/run/inetd.pid", "HUP");
+ }
+
return $natrules;
}
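Review bot: The inetd (re)start block now sits after the reflection text is appended (lines 234-241), but nothing records why the move matters; if the reflection code adds entries to /var/etc/inetd.conf between the fclose() at the top of the function and this point (that code is outside the hunk), the dependency deserves a comment such as `// (re)start inetd only after reflection rules have added their entries to inetd.conf`. Without it a future reorder silently reintroduces the ordering problem this merge fixes. filter_nat_rules_generate begins before the hunk.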
@@ -1886,7 +1887,7 @@ function filter_generate_user_rule($rule) {
} else
$aline['flags'] .= "keep state ";
- if($noadvoptions == false)
+ if($noadvoptions == false || $l7_present)
if( (isset($rule['source-track']) and $rule['source-track'] <> "") or
(isset($rule['max']) and $rule['max'] <> "") or
(isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "") or
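Review bot: Lines 249 and 258 depend on `$l7_present`, which is neither assigned nor declared in either hunk; if filter_generate_user_rule does not initialise it earlier (the function begins outside the hunk), PHP treats it as null with a notice and the layer7 branch is silently never taken. Initialise it explicitly near the top of the function, `$l7_present = false;`, and set it where the layer7 container is detected so the condition is deterministic.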
@@ -1895,7 +1896,7 @@ function filter_generate_user_rule($rule) {
(isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "") or
(isset($rule['max-src-states']) and $rule['max-src-states'] <> "") or
(isset($rule['statetimeout']) and $rule['statetimeout'] <> "") or
- isset($rule['sloppy'])) {
+ isset($rule['sloppy']) or $l7_present) {
$aline['flags'] .= "( ";
if (isset($rule['sloppy']))
$aline['flags'] .= "sloppy ";
@@ -1919,6 +1920,9 @@ function filter_generate_user_rule($rule) {
$aline['flags'] .= "/" . $rule['max-src-conn-rates'] . ", overload <virusprot> flush global ";
}
+ if(!empty($aline['divert']))
+ $aline['flags'] .= "max-packets 8 ";
+
$aline['flags'] .= " ) ";
}
}
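Review bot: The `max-packets 8` literal on line 266 appears to pair with the `-n 5` to `-n 8` change for ipfw-classifyd in etc/inc/shaper.inc (line 563 of this merge); if the two must agree, that coupling should be visible, either as a shared constant or at least `// must match the -n packet count passed to ipfw-classifyd in shaper.inc` on both sides. As written the next edit to either file can desynchronise them without any warning.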
@@ -2769,32 +2773,32 @@ function filter_generate_ipsec_rules() {
}
/* Add rules to allow IKE to pass */
- $shorttunneldescr = substr($descr, 0, 36);
+ $shorttunneldescr = substr($descr, 0, 35);
$ipfrules .= <<<EOD
-pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 500 keep state label \"IPsec: {$shorttunneldescr} - outbound isakmp\"
-pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 500 keep state label \"IPsec: {$shorttunneldescr} - inbound isakmp\"
+pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 500 keep state label "IPsec: {$shorttunneldescr} - outbound isakmp"
+pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 500 keep state label "IPsec: {$shorttunneldescr} - inbound isakmp"
EOD;
/* If NAT-T is enabled, add additional rules */
if($ph1ent['nat_traversal'] != "off" ) {
$ipfrules .= <<<EOD
-pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 4500 keep state label \"IPsec: {$shorttunneldescr} - outbound nat-t\"
-pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 4500 keep state label \"IPsec: {$shorttunneldescr} - inbound nat-t\"
+pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 4500 keep state label "IPsec: {$shorttunneldescr} - outbound nat-t"
+pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 4500 keep state label "IPsec: {$shorttunneldescr} - inbound nat-t"
EOD;
}
/* Add rules to allow the protocols in use */
if($prot_used_esp == true) {
$ipfrules .= <<<EOD
-pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto esp from any to {$rgip} keep state label \"IPsec: {$shorttunneldescr} - outbound esp proto\"
-pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto esp from {$rgip} to any keep state label \"IPsec: {$shorttunneldescr} - inbound esp proto\"
+pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto esp from any to {$rgip} keep state label "IPsec: {$shorttunneldescr} - outbound esp proto"
+pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto esp from {$rgip} to any keep state label "IPsec: {$shorttunneldescr} - inbound esp proto"
EOD;
}
if($prot_used_ah == true) {
$ipfrules .= <<<EOD
-pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto ah from any to {$rgip} keep state label \"IPsec: {$shorttunneldescr} - outbound ah proto\"
-pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto ah from {$rgip} to any keep state label \"IPsec: {$shorttunneldescr} - inbound ah proto\"
+pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto ah from any to {$rgip} keep state label "IPsec: {$shorttunneldescr} - outbound ah proto"
+pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto ah from {$rgip} to any keep state label "IPsec: {$shorttunneldescr} - inbound ah proto"
EOD;
}
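Review bot: `$descr` is inserted into the pf rule labels on lines 279-305 after truncation only; a phase-1 description containing a double quote or backslash would terminate the quoted label and let the remainder be parsed as pf syntax, unless it is already filtered before this function (filter_generate_ipsec_rules begins outside the hunk). Strip those characters where the label text is built: `$shorttunneldescr = substr(str_replace(array('"', '\\'), '', $descr), 0, 35);`. The reduction from 36 to 35 presumably keeps `"IPsec: " + text + " - outbound esp proto"` within pf's label length limit and would read better with a comment saying so.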
diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc
index 21460c5..2168765 100644
--- a/etc/inc/globals.inc
+++ b/etc/inc/globals.inc
@@ -153,7 +153,6 @@ $sysctls = array("net.inet.ip.portrange.first" => "1024",
"net.link.bridge.pfil_member" => "1",
"net.link.bridge.pfil_bridge" => "0",
"net.link.tap.user_open" => "1",
- "kern.rndtest.verbose" => "0",
"kern.randompid" => "347",
"net.inet.ip.intr_queue_maxlen" => "1000",
"hw.syscons.kbd_reboot" => "0",
diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc
index 0e101d1..dae5495 100644
--- a/etc/inc/interfaces.inc
+++ b/etc/inc/interfaces.inc
@@ -255,6 +255,7 @@ function interface_qinq_configure(&$vlan, $fd = NULL) {
/* make sure the parent is converted to ng_vlan(4) and is up */
interfaces_bring_up($qinqif);
+ pfSense_ngctl_attach(".", $qinqif);
if (!empty($vlanif) && does_interface_exist($vlanif)) {
fwrite($fd, "shutdown {$qinqif}qinq:\n");
exec("/usr/sbin/ngctl msg {$qinqif}qinq: gettable", $result);
@@ -364,7 +365,7 @@ function interfaces_create_wireless_clones() {
echo " done.\n";
}
-function interfaces_bridge_configure() {
+function interfaces_bridge_configure($checkmember = 0) {
global $config;
$i = 0;
@@ -372,6 +373,10 @@ function interfaces_bridge_configure() {
foreach ($config['bridges']['bridged'] as $bridge) {
if(empty($bridge['bridgeif']))
$bridge['bridgeif'] = "bridge{$i}";
+ if ($checkmember == 1 && (strstr($bridge['members'], "gif") || strstr($bridge['members'], "gre")))
+ continue;
+ if ($checkmember == 2 && !strstr($bridge['members'], "gif") && !strstr($bridge['members'], "gre"))
+ continue;
/* XXX: Maybe we should report any errors?! */
interface_bridge_configure($bridge);
$i++;
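Review bot: Lines 342-345 test `$bridge['members']` with strstr() for the substrings "gif"/"gre"; if that field holds the configured (friendly) interface names, as the per-member loop in interface_bridge_configure suggests by resolving each one through get_real_interface() on line 350, the substring test sees names like wan/opt2 and never the real gif/gre device, so neither filter pass fires. Resolve the members first, e.g. iterate `explode(',', $bridge['members'])` through get_real_interface() and test `substr($realif, 0, 3)`. The meaning of 1 and 2 for `$checkmember` is only described in interfaces_configure (a later hunk); a docblock above the signature on line 335 would be the right place for it.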
@@ -411,6 +416,8 @@ function interface_bridge_configure(&$bridge) {
$realif = get_real_interface($member);
$opts = pfSense_get_interface_addresses($realif);
$mtu = $opts['mtu'];
+ if (substr($realif, 0, 3) == "gif" && $mtu < 1500)
+ continue;
if (!isset($opts['encaps']['txcsum']))
$commontx = false;
if (!isset($opts['encaps']['rxcsum']))
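Review bot: Lines 353-354 silently skip the rest of the loop body for a gif member whose MTU is below 1500; whatever the loop does after the capability probing (outside the hunk), an operator gets no indication that the member was left out. Add `log_error("Bridge member {$realif} skipped: MTU {$mtu} is below 1500");` before the `continue`, plus a one-line comment on why a small-MTU gif cannot be bridged. interface_bridge_configure continues outside the hunk.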
@@ -685,13 +692,17 @@ function interface_lagg_configure(&$lagg) {
return $laggif;
}
-function interfaces_gre_configure() {
+function interfaces_gre_configure($checkparent = 0) {
global $config;
if (is_array($config['gres']['gre']) && count($config['gres']['gre'])) {
foreach ($config['gres']['gre'] as $i => $gre) {
if(empty($gre['greif']))
$gre['greif'] = "gre{$i}";
+ if ($checkparent == 1 && strstr($gre['if'], "vip"))
+ continue;
+ if ($checkparent == 2 && !strstr($gre['if'], "vip"))
+ continue;
/* XXX: Maybe we should report any errors?! */
interface_gre_configure($gre);
}
@@ -740,13 +751,17 @@ function interface_gre_configure(&$gre, $grekey = "") {
return $greif;
}
-function interfaces_gif_configure() {
+function interfaces_gif_configure($checkparent = 0) {
global $config;
if (is_array($config['gifs']['gif']) && count($config['gifs']['gif'])) {
foreach ($config['gifs']['gif'] as $i => $gif) {
if(empty($gif['gifif']))
$gre['gifif'] = "gif{$i}";
+ if ($checkparent == 1 && strstr($gif['if'], "vip"))
+ continue;
+ if ($checkparent == 2 && !strstr($gif['if'], "vip"))
+ continue;
/* XXX: Maybe we should report any errors?! */
interface_gif_configure($gif);
}
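Review bot: Line 384 assigns the default name to `$gre['gifif']` while the loop variable is `$gif`, so a gif entry without a gifif reaches interface_gif_configure() on line 390 still lacking its name; the line is context here, but this hunk copies the `$checkparent` filter into the same loop and is the natural place to correct it: `$gif['gifif'] = "gif{$i}";`. The duplicated 1/2 filter in the gre loop (lines 368-371) and here (lines 385-388) would also benefit from named constants or a small shared helper. interfaces_gif_configure continues outside the hunk.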
@@ -843,12 +858,30 @@ function interfaces_configure() {
/* create the unconfigured wireless clones */
interfaces_create_wireless_clones();
+ /*
+ * NOTE: The following function parameter consists of
+ * 1 - Do not load gre/gif/bridge with parent/member as vip
+ * 2 - Do load gre/gif/bridge with parent/member as vip
+ */
+
/* set up GRE virtual interfaces */
- interfaces_gre_configure();
+ interfaces_gre_configure(1);
/* set up GIF virtual interfaces */
- interfaces_gif_configure();
-
+ interfaces_gif_configure(1);
+
+ /* set up BRIDGe virtual interfaces */
+ interfaces_bridge_configure(1);
+
+ /* bring up vip interfaces */
+ interfaces_vips_configure();
+
+ /* set up GRE virtual interfaces */
+ interfaces_gre_configure(2);
+
+ /* set up GIF virtual interfaces */
+ interfaces_gif_configure(2);
+
foreach ($delayed_list as $if => $ifname) {
if ($g['booting'])
echo "Configuring {$ifname} interface...";
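Review bot: The NOTE on lines 395-399 says both values mean "parent/member as vip", but `interfaces_bridge_configure(1)` on line 410 (see lines 342-345) filters on gif/gre members, not on vips, so the comment does not describe the bridge pass. "BRIDGe" on line 409 is a typo carried over from the original. Suggest rewording to `* 1 - first pass: skip gre/gif whose parent is a vip and bridges with gif/gre members` / `* 2 - second pass: only the entries skipped in pass 1`.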
@@ -862,7 +895,7 @@ function interfaces_configure() {
}
/* set up BRIDGe virtual interfaces */
- interfaces_bridge_configure();
+ interfaces_bridge_configure(2);
foreach ($bridge_list as $if => $ifname) {
if ($g['booting'])
@@ -876,9 +909,6 @@ function interfaces_configure() {
echo "done.\n";
}
- /* bring up vip interfaces */
- interfaces_vips_configure();
-
/* configure interface groups */
interfaces_group_setup();
@@ -1578,7 +1608,6 @@ function interfaces_carp_setup() {
unset($pfsyncenabled);
}
- $cmdchain->add("Allow CARP", "/sbin/sysctl net.inet.carp.allow=1", true);
if($balanacing) {
$cmdchain->add("Enable CARP ARP-balancing", "/sbin/sysctl net.inet.carp.arpbalance=1", true);
$cmdchain->add("Disallow CARP preemption", "/sbin/sysctl net.inet.carp.preempt=0", true);
@@ -1725,10 +1754,8 @@ function interfaces_vips_configure($interface = "") {
case "carp":
if ($interface <> "" && $vip['interface'] <> $interface)
continue;
- if ($carp_setuped == false) {
- interfaces_carp_setup();
+ if ($carp_setuped == false)
$carp_setuped = true;
- }
interface_carp_configure($vip);
break;
case "carpdev-dhcp":
@@ -1738,7 +1765,8 @@ function interfaces_vips_configure($interface = "") {
break;
}
}
-
+ if ($carp_setuped == true)
+ interfaces_carp_setup();
if ($anyproxyarp == true)
interface_proxyarp_configure();
}
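Review bot: With lines 452-453 and 463-464, interfaces_carp_setup() now runs after every interface_carp_configure($vip) call in the loop, whereas before it preceded the first one; if the setup (which this merge also strips of the net.inet.carp.allow sysctl, line 442) adjusts preemption or balancing, VIPs are briefly configured under the previous settings. If that ordering is deliberate, say so next to line 463, e.g. `// carp sysctls are applied once, after all carp VIPs exist`; otherwise restore the call before the loop. interfaces_vips_configure begins outside the hunk.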
@@ -2490,7 +2518,8 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven
// Need code to handle MLPPP if we ever use $realhwif for MLPPP handling
$realhwif = $realhwif_array[0];
- if (!$g['booting']) {
+
+ if (!$g['booting'] && !substr($realif, 0, 4) == "ovpn") {
/* remove all IPv4 addresses */
while (mwexec("/sbin/ifconfig " . escapeshellarg($realif) . " -alias", true) == 0);
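Review bot: The new condition on line 473 is defeated by operator precedence: `!` binds tighter than `==`, so `!substr($realif, 0, 4) == "ovpn"` first evaluates `!substr(...)` (false for any non-empty name) and then compares that boolean with "ovpn", which is also false, so the address-flush block never runs for any interface when not booting. The intended test is `if (!$g['booting'] && substr($realif, 0, 4) != "ovpn") {`. interface_configure continues outside the hunk.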
@@ -2552,6 +2581,11 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven
}
if (!empty($wancfg['mtu']))
pfSense_interface_mtu($realhwif, $wancfg['mtu']);
+ else {
+ $mtu = get_interface_default_mtu(remove_numbers($realhwif));
+ if ($mtu != get_interface_mtu($realhwif))
+ pfSense_interface_mtu($realhwif, $mtu);
+ }
$options = pfSense_get_interface_addresses($realhwif);
if (is_array($options) && isset($options['caps']['polling'])) {
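Review bot: Line 481 passes `remove_numbers($realhwif)` to get_interface_default_mtu(), whose cases (lines 501-512 of a later hunk) are gre, gif, tun, vlan, tap and ethernet; a stripped device name such as `em` or `em_vlan` matches none of them and falls to 1500, so in practice only gif and gre get a non-default value here. If that is all that is intended, a comment saying so would stop readers from expecting vlan/tun handling; otherwise the call needs the actual interface type. Resetting the MTU on every configure when none is set in the config also overrides any value set out of band, which deserves a note.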
@@ -2633,7 +2667,7 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven
} else if (substr($realif, 0, 3) == "gif") {
if (is_array($config['gifs']['gif'])) {
foreach ($config['gifs']['gif'] as $gif)
- if($gif['gifif'] == $interface)
+ if($gif['gifif'] == $realif)
interface_gif_configure($gif);
}
} else if (substr($realif, 0, 4) == "ovpn") {
@@ -3662,6 +3696,27 @@ EOD;
unlink_if_exists($cron_file);
}
+function get_interface_default_mtu($type = "ethernet") {
+ switch ($type) {
+ case "gre":
+ return 1476;
+ break;
+ case "gif":
+ return 1280;
+ break;
+ case "tun":
+ case "vlan":
+ case "tap":
+ case "ethernet":
+ default:
+ return 1500;
+ break;
+ }
+
+ /* Never reached */
+ return 1500;
+}
+
function get_vip_descr($ipaddress) {
global $config;
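Review bot: get_interface_default_mtu on lines 499-518 has a `break` after every `return` and a trailing "Never reached" return, all of which is dead code; a lookup table expresses the same mapping without it and makes adding a type a one-line change. The default parameter value "ethernet" serves only as documentation, since any unlisted string already yields 1500.
```php
function get_interface_default_mtu($type = "ethernet") {
	/* default MTU per interface type; anything unlisted is treated like ethernet */
	$defaults = array(
		"gre" => 1476,
		"gif" => 1280,
	);
	return isset($defaults[$type]) ? $defaults[$type] : 1500;
}
```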
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index 4115784..7f82975 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -953,6 +953,7 @@ function openvpn_refresh_crls() {
case 'server_user':
if (!empty($settings['crlref'])) {
$crl = lookup_crl($settings['crlref']);
+ crl_update($crl);
$fpath = $g['varetc_path']."/openvpn/server{$settings['vpnid']}.crl-verify";
file_put_contents($fpath, base64_decode($crl['text']));
@chmod($fpath, 0644);
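Review bot: Line 530 calls crl_update() on the array returned by lookup_crl(); crl_update takes its argument by reference and increments `$crl['serial']` (certs.inc line 104 in this merge), but nothing here stores the modified CRL back into the config, so unless lookup_crl returns a reference the new serial and text exist only for this file write and the same serial is reissued on every refresh. If persistence is intended, the updated entry must be written back and write_config() called; if not, a comment such as `// regenerated in memory for this export only; serial is not persisted` makes that explicit. openvpn_refresh_crls begins outside the hunk.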
diff --git a/etc/inc/services.inc b/etc/inc/services.inc
index ebb1bf9..7108bc3 100644
--- a/etc/inc/services.inc
+++ b/etc/inc/services.inc
@@ -436,6 +436,7 @@ EOD;
$realif = get_real_interface($ifn);
$igmpconf .= "phyint {$realif} disabled\n";
}
+ $igmpconf .= "\n";
$igmpfl = fopen($g['tmp_path'] . "/igmpproxy.conf", "w");
if (!$igmpfl) {
@@ -556,7 +557,7 @@ function services_dhcrelay_configure() {
foreach($route_str as $routeline) {
$items = preg_split("/[ ]+/i", $routeline);
if (ip_in_subnet($srvip, $items[0])) {
- $destif = trim($items[2]);
+ $destif = trim($items[6]);
break;
}
}
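Review bot: Line 550 moves the interface column from `$items[2]` to `$items[6]`, so the parsing now depends on one specific column layout of the route listing that produced `$route_str` (built outside the hunk), and nothing states which command and OS version that layout comes from. Add a comment naming the command and its column order next to line 547, and consider locating the column from the listing's header line instead of a fixed index. The `i` modifier on the `/[ ]+/i` pattern on line 547 has no effect and can go.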
diff --git a/etc/inc/shaper.inc b/etc/inc/shaper.inc
index a0fb0e4..c9f41f3 100644
--- a/etc/inc/shaper.inc
+++ b/etc/inc/shaper.inc
@@ -3743,7 +3743,7 @@ function layer7_start_l7daemon() {
mwexec("/bin/kill -HUP {$l7pid[0]}");
} else {
// XXX: Hardcoded number of packets to garbage collect and queue length..
- $ipfw_classifyd_init = "/usr/local/sbin/ipfw-classifyd -n 5 -q 700 -c {$path} -p " . $l7rules->GetRPort() . " -P /usr/local/share/protocols";
+ $ipfw_classifyd_init = "/usr/local/sbin/ipfw-classifyd -n 8 -q 700 -c {$path} -p " . $l7rules->GetRPort() . " -P /usr/local/share/protocols";
mwexec_bg($ipfw_classifyd_init);
}
}
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index c55a0c0..e2c02aa 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -1201,7 +1201,7 @@ function system_ntp_configure() {
exec("/usr/local/sbin/ntpd -s -f {$g['varetc_path']}/ntpd.conf");
// Note that we are starting up
- exec("echo 'OpenNTPD is starting up' >> {$g['varlog_path']}/ntpd.log");
+ log_error("OpenNTPD is starting up.");
}
diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc
index 96810ae..3e280d3 100644
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
@@ -685,10 +685,6 @@ function upgrade_040_to_041() {
$config['sysctl']['item'][13]['descr'] = "Allow unprivileged access to tap(4) device nodes";
$config['sysctl']['item'][13]['value'] = "default";
- $config['sysctl']['item'][14]['tunable'] = "kern.rndtest.verbose";
- $config['sysctl']['item'][14]['descr'] = "Verbosity of the rndtest driver (0: do not display results on console)";
- $config['sysctl']['item'][14]['value'] = "default";
-
$config['sysctl']['item'][15]['tunable'] = "kern.randompid";
$config['sysctl']['item'][15]['descr'] = "Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())";
$config['sysctl']['item'][15]['value'] = "default";
diff --git a/etc/inc/voucher.inc b/etc/inc/voucher.inc
index d5c040b..ec59716 100644
--- a/etc/inc/voucher.inc
+++ b/etc/inc/voucher.inc
@@ -129,7 +129,7 @@ EOF;
log_error("CaptivePortalVoucherSync XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
}
$toreturn = XML_RPC_Decode($resp->value());
- if(count($toreturn['voucher']['roll']) <> count($config['voucher']['roll'])) {
+ if (is_array($toreturn['voucher']) && (count($toreturn['voucher']['roll']) <> count($config['voucher']['roll']))) {
$config['voucher']['roll'] = $toreturn['voucher']['roll'];
write_config("Captive Portal Voucher database synchronized with {$url}");
voucher_configure(true);
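Review bot: The guard on line 600 checks `$toreturn['voucher']` but the count is taken of `$toreturn['voucher']['roll']`; a voucher array without a roll key still reaches count(null), which returns 0 with a warning on older PHP and throws a TypeError on PHP 8. Guard the value actually counted: `if (is_array($toreturn['voucher']['roll']) && (count($toreturn['voucher']['roll']) <> count($config['voucher']['roll']))) {`. Comparing only the counts also means a roll replaced by another of the same size is never synchronised, which predates this change but deserves a comment.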
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 8284183..b414d4a 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -485,9 +485,9 @@ function vpn_ipsec_configure($ipchg = false)
$passive = "";
if (isset($ph1ent['mobile'])) {
$rgip = "anonymous";
+ $passive = "passive on;";
/* Mimic 1.2.3's behavior for pure-psk mobile tunnels */
if ($ph1ent['authentication_method'] == "pre_shared_key") {
- $passive = "passive on;";
$pcheck = !empty($ph1ent['proposal_check']) ? $ph1ent['proposal_check'] : $pcheck = "obey";
$genp = "on";
} else {
@@ -862,7 +862,7 @@ EOD;
if(is_ipaddr($gatewayip)) {
/* FIXME: does adding route-to and reply-to on the in/outbound
* rules fix this? smos@ 13-01-2009 */
- log_error("IPSEC interface is not WAN but {$parentinterface}, adding static route for VPN endpoint {$rgip} via {$gatewayip}");
+ // log_error("IPSEC interface is not WAN but {$parentinterface}, adding static route for VPN endpoint {$rgip} via {$gatewayip}");
mwexec("/sbin/route delete -host {$rgip}");
mwexec("/sbin/route add -host {$rgip} {$gatewayip}");
}
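Review bot: Line 624 keeps the log call as commented-out code; if the message is too noisy, delete the line (the FIXME above still explains the route handling) or keep it behind a debug condition, rather than leaving code that will drift out of date. vpn_ipsec_configure continues outside the hunk.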
@@ -916,6 +916,7 @@ EOD;
file_put_contents("{$g['varetc_path']}/filterdns-ipsec.hosts", $hostnames);
killbypid("{$g['varrun_path']}/filterdns-ipsec.pid");
+ sleep(1);
mwexec("/usr/local/sbin/filterdns -p {$g['varrun_path']}/filterdns-ipsec.pid -i {$interval} -c {$g['varetc_path']}/filterdns-ipsec.hosts -d 1");
}
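Review bot: The `sleep(1)` on line 631 is a fixed delay between killing filterdns and restarting it, with no explanation; if the old process has not exited within a second the new instance presumably collides on the pid file, and if it exits quickly the delay is wasted. Prefer a bounded wait on the pid in `{$g['varrun_path']}/filterdns-ipsec.pid` (e.g. polling is_process_running() a few times), or at least add `// give the old filterdns time to exit before starting a new one`. vpn_ipsec_configure continues outside the hunk.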
diff --git a/etc/inc/vslb.inc b/etc/inc/vslb.inc
index 2c3f0ca..980bcd0 100644
--- a/etc/inc/vslb.inc
+++ b/etc/inc/vslb.inc
@@ -202,6 +202,7 @@ function relayd_configure() {
/* reindex pools by name as we loop through the pools array */
$pools = array();
$conf .= "log updates \n";
+ $conf .= "timeout 1000 \n";
/* Virtual server pools */
if(is_array($pool_a)) {
for ($i = 0; isset($pool_a[$i]); $i++) {
@@ -233,59 +234,61 @@ function relayd_configure() {
$conf .= $proto;
}
}
- if(is_array($vs_a)) {
- for ($i = 0; isset($vs_a[$i]); $i++) {
- switch($vs_a[$i]['mode']) {
- case 'redirect_mode': {
- $conf .= "redirect \"{$vs_a[$i]['name']}\" {\n";
- $conf .= " listen on {$vs_a[$i]['ipaddr']} port {$vs_a[$i]['port']}\n";
- $conf .= " forward to <{$vs_a[$i]['pool']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} timeout 1000\n";
-
- # sitedown MUST use the same port as the primary pool - sucks, but it's a relayd thing
- if (isset($vs_a[$i]['sitedown']) && strlen($vs_a[$i]['sitedown']) > 0)
- $conf .= " forward to <{$vs_a[$i]['sitedown']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} timeout 1000\n";
-
- $conf .= "}\n";
- break;
- }
- case 'relay': {
- $conf .= "relay \"{$vs_a[$i]['name']}\" {\n";
- $conf .= " listen on {$vs_a[$i]['ipaddr']} port {$vs_a[$i]['port']}\n";
- $conf .= " protocol \"{$vs_a[$i]['relay_protocol']}\"\n";
- $conf .= " forward to <{$vs_a[$i]['pool']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} timeout 1000\n";
-
- if (isset($vs_a[$i]['sitedown']) && strlen($vs_a[$i]['sitedown']) > 0)
- $conf .= " forward to <{$vs_a[$i]['sitedown']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} timeout 1000\n";
- $conf .= "}\n";
- break;
- }
- }
- }
- }
- fwrite($fd, $conf);
- fclose($fd);
-
- if (is_process_running('relayd')) {
- if (! empty($vs_a)) {
- // it's running and there is a config, just reload
- mwexec("/usr/local/sbin/relayctl reload");
+ if(is_array($vs_a)) {
+ for ($i = 0; isset($vs_a[$i]); $i++) {
+ switch($vs_a[$i]['mode']) {
+ case 'redirect_mode': {
+ $conf .= "redirect \"{$vs_a[$i]['name']}\" {\n";
+ $conf .= " listen on {$vs_a[$i]['ipaddr']} port {$vs_a[$i]['port']}\n";
+ $conf .= " forward to <{$vs_a[$i]['pool']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} \n";
+
+ if (isset($config['system']['lb_use_sticky']))
+ $conf .= " sticky-address\n";
+
+ # sitedown MUST use the same port as the primary pool - sucks, but it's a relayd thing
+ if (isset($vs_a[$i]['sitedown']) && strlen($vs_a[$i]['sitedown']) > 0)
+ $conf .= " forward to <{$vs_a[$i]['sitedown']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} \n";
+
+ $conf .= "}\n";
+ break;
+ }
+ case 'relay': {
+ $conf .= "relay \"{$vs_a[$i]['name']}\" {\n";
+ $conf .= " listen on {$vs_a[$i]['ipaddr']} port {$vs_a[$i]['port']}\n";
+ $conf .= " protocol \"{$vs_a[$i]['relay_protocol']}\"\n";
+ $conf .= " forward to <{$vs_a[$i]['pool']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} \n";
+
+ if (isset($vs_a[$i]['sitedown']) && strlen($vs_a[$i]['sitedown']) > 0)
+ $conf .= " forward to <{$vs_a[$i]['sitedown']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} \n";
+ $conf .= "}\n";
+ break;
+ }
+ }
+ }
+ }
+ fwrite($fd, $conf);
+ fclose($fd);
+
+ if (is_process_running('relayd')) {
+ if (! empty($vs_a)) {
+ // it's running and there is a config, just reload
+ mwexec("/usr/local/sbin/relayctl reload");
+ } else {
+ /*
+ * XXX: Something breaks our control connection with relayd
+ * and makes 'relayctl stop' not work
+ * rule reloads are the current suspect
+ * mwexec('/usr/local/sbin/relayctl stop');
+ * returns "command failed"
+ */
+ mwexec('pkill relayd');
+ }
} else {
- /*
- * XXX: Something breaks our control connection with relayd
- * and makes 'relayctl stop' not work
- * rule reloads are the current suspect
- * mwexec('/usr/local/sbin/relayctl stop');
- * returns "command failed"
- */
- mwexec('pkill relayd');
+ if (! empty($vs_a)) {
+ // not running and there is a config, start it
+ mwexec("/usr/local/sbin/relayd -f {$g['varetc_path']}/relayd.conf");
+ }
}
- } else {
- if (! empty($vs_a)) {
- // not running and there is a config, start it
- mwexec("/usr/local/sbin/relayd -f {$g['varetc_path']}/relayd.conf");
- }
- }
-
}
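Review bot: The re-indented block on lines 686-747 builds relayd.conf by interpolating `$vs_a[$i]['name']`, `['ipaddr']`, `['port']`, `['pool']` and `['relay_protocol']` straight into quoted config lines; a name or protocol value containing a double quote or newline would end the quoted token and be parsed as further relayd directives, unless the GUI validates those fields before they reach the config (not visible here). A small escaping helper at the interpolation points, or a character whitelist check that skips the entry with log_error(), closes that independently of the GUI. The new `sticky-address` on lines 694-695 is emitted only for redirect_mode; if that is deliberate because relays do not take it, a short comment saying so would save a reader from checking. relayd_configure begins outside the hunk.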
function get_lb_redirects() {
@@ -354,4 +357,4 @@ function get_lb_summary() {
return $relay_hosts;
}
-?> \ No newline at end of file
+?>
diff --git a/etc/version b/etc/version
index 73a14bb..3f0e26d 100644
--- a/etc/version
+++ b/etc/version
@@ -1 +1 @@
-2.0-RC1
+2.0-RC2