authorjim-p <jimp@pfsense.org>2016-03-03 17:16:38 -0500
committerjim-p <jimp@pfsense.org>2016-03-03 17:16:38 -0500
commit31b151809d04c40fd915c129d28cc9b440a0eabe (patch)
treedd77c564fa3ff1ea8710dc438df0a51d6f47f892 /src/etc
parent12d7d9e71e85308daeebf9533700d37f14fcc41b (diff)
Move NTP access restrictions to their own tab and add the ability to craft custom restrictions for arbitrary networks. Fixes #4463
Diffstat (limited to 'src/etc')
-rw-r--r--src/etc/inc/system.inc37
-rw-r--r--src/etc/inc/util.inc10
2 files changed, 45 insertions, 2 deletions
diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
index 4bda7c1..d8b1efb 100644
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -1718,7 +1718,6 @@ function system_ntp_configure($start_ntpd=true) {
unset($ts);
$ntpcfg .= "\n\n";
- $ntpcfg .= "disable monitor\n"; //prevent NTP reflection attack, see https://forum.pfsense.org/index.php/topic,67189.msg389132.html#msg389132
if (!empty($config['ntpd']['clockstats']) || !empty($config['ntpd']['loopstats']) || !empty($config['ntpd']['peerstats'])) {
$ntpcfg .= "enable stats\n";
$ntpcfg .= 'statistics';
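Review bot: The removed `disable monitor` line was the explicit mitigation for NTP reflection (its own comment says so), and neither this hunk nor the commit message records what replaces it or why it is no longer needed. If the intent is that the `restrict default` flags emitted later now cover it, or that the bundled ntpd already ships with monitor off, that reasoning should sit where the line used to be, e.g. `/* 'disable monitor' is no longer emitted: reflection exposure is governed by the default and custom 'restrict' lines below */`; otherwise keep the line. I cannot see from this page whether the default restriction block includes `noquery`, and a custom restriction row (third hunk) that omits it grants that network what the default line denies, so the comment should say where the protection now lives. system_ntp_configure continues outside the hunk.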
@@ -1743,7 +1742,8 @@ function system_ntp_configure($start_ntpd=true) {
}
$ntpcfg .= "\n";
$ntpcfg .= "driftfile {$driftfile}\n";
- /* Access restrictions */
+
+ /* Default Access restrictions */
$ntpcfg .= 'restrict default';
if (empty($config['ntpd']['kod'])) { /*note: this one works backwards */
$ntpcfg .= ' kod limited';
@@ -1782,7 +1782,40 @@ function system_ntp_configure($start_ntpd=true) {
if (empty($config['ntpd']['notrap'])) { /*note: this one works backwards */
$ntpcfg .= ' notrap';
}
+ /* Custom Access Restrictions */
+ if (is_array($config['ntpd']['restrictions']) && is_array($config['ntpd']['restrictions']['row'])) {
+ $networkacl = $config['ntpd']['restrictions']['row'];
+ foreach ($networkacl as $acl) {
+ $ntpcfg .= "\nrestrict ";
+ if (is_ipaddrv6($acl['acl_network'])) {
+ $ntpcfg .= "-6 {$acl['acl_network']} mask " . gen_subnet_mask_v6($acl['mask']) . " ";
+ } elseif (is_ipaddrv4($acl['acl_network'])) {
+ $ntpcfg .= "{$acl['acl_network']} mask " . gen_subnet_mask($acl['mask']) . " ";
+ } else {
+ continue;
+ }
+ if (!empty($acl['kod'])) {
+ $ntpcfg .= ' kod limited';
+ }
+ if (!empty($acl['nomodify'])) {
+ $ntpcfg .= ' nomodify';
+ }
+ if (!empty($acl['noquery'])) {
+ $ntpcfg .= ' noquery';
+ }
+ if (!empty($acl['nopeer'])) {
+ $ntpcfg .= ' nopeer';
+ }
+ if (!empty($acl['noserve'])) {
+ $ntpcfg .= ' noserve';
+ }
+ if (!empty($acl['notrap'])) {
+ $ntpcfg .= ' notrap';
+ }
+ }
+ }
$ntpcfg .= "\n";
+ /* End Custom Access Restrictions */
/* A leapseconds file is really only useful if this clock is stratum 1 */
$ntpcfg .= "\n";
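Review bot: `$acl['mask']` reaches the generated ntp.conf unvalidated at the `gen_subnet_mask_v6($acl['mask'])` and `gen_subnet_mask($acl['mask'])` calls; only `acl_network` is checked, and the new gen_subnet_mask_v6 in util.inc does not bound `$bits` either, so a non-numeric or out-of-range value from the config yields a malformed `mask` token (an over-long bit string for v6, or a negative length that str_repeat rejects) and a restrict line ntpd will refuse. Guard the prefix before the family branch, e.g. `$bits = (int) $acl['mask']; if ($bits < 0 || $bits > (is_ipaddrv6($acl['acl_network']) ? 128 : 32)) { continue; }` and pass `$bits` in place of `$acl['mask']`. Rows dropped by the `continue` branches vanish silently; a `log_error(...)` there would make a mis-entered network visible to the admin instead of quietly changing the effective restriction set. The sense is also inverted relative to the default block — ` kod limited` is emitted when `$config['ntpd']['kod']` is empty but when `$acl['kod']` is non-empty — which deserves a one-line comment such as `/* custom rows are opt-in, unlike the default flags above which work backwards */` so nobody "fixes" one to match the other. system_ntp_configure continues outside the hunk.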
diff --git a/src/etc/inc/util.inc b/src/etc/inc/util.inc
index e1f5c80..e74dc64 100644
--- a/src/etc/inc/util.inc
+++ b/src/etc/inc/util.inc
@@ -425,6 +425,16 @@ function gen_subnet_mask($bits) {
return long2ip(gen_subnet_mask_long($bits));
}
+/* Convert a prefix length to an IPv6 address-like mask notation. Very rare but at least ntp needs it. See #4463 */
+function gen_subnet_mask_v6($bits) {
+ /* Binary representation of the prefix length */
+ $bin = str_repeat('1', $bits);
+ /* Pad right with zeroes to reach the full address length */
+ $bin = str_pad($bin, 128, '0', STR_PAD_RIGHT);
+ /* Convert back to an IPv6 address style notation */
+ return Net_IPv6::_bin2Ip($bin);
+}
+
/* Convert long int to IPv4 address
Returns '' if not valid IPv4 (including if any bits >32 are non-zero) */
function long2ip32($ip) {