authorMatt Smith <mgsmith@netgate.com>2015-11-11 15:10:41 -0600
committerMatt Smith <mgsmith@netgate.com>2015-11-11 15:17:59 -0600
commitc53e411fc458a59d39662e955b0677cdb37211c7 (patch)
tree0ebe9213d214bab3df275a582cc1154f307987f4 /src
parent824329d2c3f096aba45a91675a1a6d46ce62f90d (diff)
downloadpfsense-c53e411fc458a59d39662e955b0677cdb37211c7.zip
pfsense-c53e411fc458a59d39662e955b0677cdb37211c7.tar.gz
Fix #5350. Correct issues with strongswan logging (setting changes did not persist across reboots, setting silent did not work).
Diffstat (limited to 'src')
-rw-r--r--src/etc/inc/globals.inc2
-rw-r--r--src/etc/inc/ipsec.inc30
-rw-r--r--src/etc/inc/upgrade_config.inc56
-rw-r--r--src/etc/inc/vpn.inc37
-rw-r--r--src/usr/local/www/vpn_ipsec_settings.php90
5 files changed, 134 insertions, 81 deletions
diff --git a/src/etc/inc/globals.inc b/src/etc/inc/globals.inc
index a09d7a3..ccaf61c 100644
--- a/src/etc/inc/globals.inc
+++ b/src/etc/inc/globals.inc
@@ -72,7 +72,7 @@ $g = array(
"disablecrashreporter" => false,
"crashreporterurl" => "https://crashreporter.pfsense.org/crash_reporter.php",
"debug" => false,
- "latest_config" => "12.4",
+ "latest_config" => "12.6",
"nopkg_platforms" => array("cdrom"),
"minimum_ram_warning" => "101",
"minimum_ram_warning_text" => "128 MB",
diff --git a/src/etc/inc/ipsec.inc b/src/etc/inc/ipsec.inc
index 37a6b09..5d45ef1 100644
--- a/src/etc/inc/ipsec.inc
+++ b/src/etc/inc/ipsec.inc
@@ -42,6 +42,36 @@ $ipsec_loglevels = array("dmn" => "Daemon", "mgr" => "SA Manager", "ike" => "IKE
"imc" => "Integrity checker", "imv" => "Integrity Verifier", "pts" => "Platform Trust Service",
"tls" => "TLS handler", "esp" => "IPsec traffic", "lib" => "StrongSwan Lib");
+global $ipsec_log_sevs;
+$ipsec_log_sevs = array(
+ '-1' => 'Silent',
+ '0' => 'Audit',
+ '1' => 'Control',
+ '2' => 'Diag',
+ '3' => 'Raw',
+ '4' => 'Highest'
+);
+
+global $ipsec_log_cats;
+$ipsec_log_cats = array(
+ "dmn" => "Daemon",
+ "mgr" => "SA Manager",
+ "ike" => "IKE SA",
+ "chd" => "IKE Child SA",
+ "job" => "Job Processing",
+ "cfg" => "Configuration backend",
+ "knl" => "Kernel Interface",
+ "net" => "Networking",
+ "asn" => "ASN encoding",
+ "enc" => "Message encoding",
+ "imc" => "Integrity checker",
+ "imv" => "Integrity Verifier",
+ "pts" => "Platform Trust Service",
+ "tls" => "TLS handler",
+ "esp" => "IPsec traffic",
+ "lib" => "StrongSwan Lib"
+);
+
global $my_identifier_list;
$my_identifier_list = array(
'myaddress' => array('desc' => gettext('My IP address'), 'mobile' => true),
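Review bot: `$ipsec_log_cats` at the top of this hunk is a verbatim copy of `$ipsec_loglevels`, which the hunk leaves in place just above it, so the file now carries two lists of strongswan log categories that must be kept in step by hand. Either make the old name an alias (`$ipsec_loglevels = $ipsec_log_cats;`) until its remaining callers are migrated, or drop it once none are left; this page does not show whether files other than vpn.inc and vpn_ipsec_settings.php still read it. The quoted numeric keys of `$ipsec_log_sevs` are stored by PHP as integer keys, so `array_keys($ipsec_log_sevs)` yields ints, which is what the strict `in_array(intval(...), ..., true)` checks in vpn.inc and vpn_ipsec_settings.php depend on; a one-line comment above the array, `/* keys are strongswan log levels; PHP stores these numeric-string keys as ints */`, would make that coupling visible.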
diff --git a/src/etc/inc/upgrade_config.inc b/src/etc/inc/upgrade_config.inc
index 428375f..7934426 100644
--- a/src/etc/inc/upgrade_config.inc
+++ b/src/etc/inc/upgrade_config.inc
@@ -3845,6 +3845,23 @@ function upgrade_118_to_119() {
}
function upgrade_119_to_120() {
+ global $config, $ipsec_log_cats;
+
+ if (!is_array($config['ipsec'])) {
+ return;
+ }
+
+ // add 1 to configured log levels as part of redmine #5340
+ foreach ($ipsec_log_cats as $lkey => $ldescr) {
+ if (isset($config['ipsec']["ipsec_{$lkey}"])) {
+ $config['ipsec']["ipsec_{$lkey}"] = $config['ipsec']["ipsec_{$lkey}"] + 1;
+ }
+ }
+
+}
+
+
+function upgrade_120_to_121() {
global $config;
if (!isset($config['installedpackages']['miniupnpd']['config'][0])) {
@@ -3863,7 +3880,7 @@ function upgrade_119_to_120() {
}
}
-function upgrade_120_to_121() {
+function upgrade_121_to_122() {
global $config;
foreach ($config['system']['user'] as &$user) {
if (isset($user['nt-hash'])) {
@@ -3872,7 +3889,7 @@ function upgrade_120_to_121() {
}
}
-function upgrade_121_to_122() {
+function upgrade_122_to_123() {
global $config;
// PPTP server was removed
@@ -3970,7 +3987,7 @@ function upgrade_121_to_122() {
}
}
-function upgrade_122_to_123() {
+function upgrade_123_to_124() {
if (isset($config['system']['altpkgrepo'])) {
unset($config['system']['altpkgrepo']);
}
@@ -3980,7 +3997,7 @@ function upgrade_122_to_123() {
}
}
-function upgrade_123_to_124() {
+function upgrade_124_to_125() {
global $config;
/* Find interfaces with WEP configured. */
@@ -4003,5 +4020,36 @@ function upgrade_123_to_124() {
}
}
+function upgrade_125_to_126() {
+ global $config, $ipsec_log_cats, $ipsec_log_sevs;
+
+ $def_loglevel = 1;
+ if (!is_array($config['ipsec'])) {
+ return;
+ }
+
+ if (!isset($config['ipsec']['logging']) || !is_array($config['ipsec']['logging'])) {
+ $config['ipsec']['logging'] = array();
+ }
+
+ /* subtract 2 from ipsec log levels. the value stored in the config.xml
+ * will now match the strongswan level exactly.
+ */
+ foreach(array_keys($ipsec_log_cats) as $cat) {
+ if (!isset($config['ipsec']["ipsec_{$cat}"])) {
+ $new_level = $def_loglevel;
+ } else {
+ $new_level = intval($config['ipsec']["ipsec_{$cat}"]) - 2;
+ }
+
+ if (in_array($new_level, array_keys($ipsec_log_sevs))) {
+ $config['ipsec']['logging'][$cat] = $new_level;
+ } else {
+ $config['ipsec']['logging'][$cat] = $def_loglevel;
+ }
+ unset($config['ipsec']["ipsec_{$cat}"]);
+ }
+}
+
?>
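Review bot: Inserting the new `upgrade_119_to_120` in the middle of the chain and renaming every later step shifts each existing upgrade by one version, so a config already at 12.0–12.4 (12.4 was `latest_config` before this commit, per the globals.inc hunk) re-runs the step it last applied and never receives the `+ 1` adjustment, while `upgrade_125_to_126` still subtracts 2 from it. If those stored values were already one above the strongswan level, as the `intval(...) - 1` the vpn.inc hunk removes suggests, such configs come out one level lower than the user set; doing the whole adjustment in a single new step at the end of the chain and leaving the earlier functions untouched would avoid both the skipped step and the re-run ones. Separately, `in_array($new_level, array_keys($ipsec_log_sevs))` in `upgrade_125_to_126` should pass `true` like its counterparts in vpn.inc, and both new functions depend on `$ipsec_log_cats`/`$ipsec_log_sevs` from ipsec.inc being loaded when upgrades run, which this page does not show.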
diff --git a/src/etc/inc/vpn.inc b/src/etc/inc/vpn.inc
index 0edc6f5..7421942 100644
--- a/src/etc/inc/vpn.inc
+++ b/src/etc/inc/vpn.inc
@@ -42,22 +42,33 @@
require_once("ipsec.inc");
require_once("filter.inc");
-function vpn_ipsec_configure_loglevels($forconfig = false) {
- global $config, $ipsec_loglevels;
+function vpn_update_daemon_loglevel($category, $level) {
+ global $ipsec_log_cats, $ipsec_log_sevs;
- $cfgtext = array();
- foreach ($ipsec_loglevels as $lkey => $ldescr) {
- if (!isset($config['ipsec']["ipsec_{$lkey}"]) && !$forconfig) {
- mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} -- -1", false);
- } else if (is_numeric($config['ipsec']["ipsec_{$lkey}"]) &&
- intval($config['ipsec']["ipsec_{$lkey}"]) >= 0 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5) {
- $forconfig ? $cfgtext[] = "${lkey} = " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) :
- mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) , false);
+ if (in_array($category, array_keys($ipsec_log_cats), true) && in_array(intval($level), array_keys($ipsec_log_sevs), true)) {
+
+ /* if you're setting to -1, need to add "--" to args */
+ $argterm = "";
+ if ($level == "-1") {
+ $argterm = "--";
}
+
+ mwexec("/usr/local/sbin/ipsec stroke loglevel {$category} {$argterm} {$level}");
}
- if ($forconfig) {
- return $cfgtext;
+}
+
+function vpn_logging_cfgtxt() {
+ global $config, $ipsec_log_cats, $ipsec_log_sevs;
+
+ $cfgtext = array();
+ foreach (array_keys($ipsec_log_cats) as $cat) {
+ if (is_numeric($config['ipsec']['logging'][$cat]) &&
+ in_array(intval($config['ipsec']['logging'][$cat]), array_keys($ipsec_log_sevs), true)) {
+ $cfgtext[] = "${cat} = {$config['ipsec']['logging'][$cat]}";
+ }
}
+
+ return $cfgtext;
}
/* include all configuration functions */
@@ -436,7 +447,7 @@ function vpn_ipsec_configure($restart = false) {
unset($stronconf);
$strongswanlog = "";
- $ipsecloglevels = vpn_ipsec_configure_loglevels(true);
+ $ipsecloglevels = vpn_logging_cfgtxt();
if (is_array($ipsecloglevels)) {
foreach ($ipsecloglevels as $loglevel) {
$strongswanlog .= "\t\t" . $loglevel . "\n";
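Review bot: In `vpn_update_daemon_loglevel` (first hunk of this file) the guard validates `intval($level)`, but `mwexec("/usr/local/sbin/ipsec stroke loglevel {$category} {$argterm} {$level}")` interpolates the original `$level` string, which vpn_ipsec_settings.php passes straight from `$_POST`, so any string whose `intval` is a valid level reaches the shell unchanged. Normalise before use: `$level = intval($level);` right after the guard, and compare with `if ($level === -1)` instead of `$level == "-1"`. The call also dropped the second argument the replaced code passed to `mwexec` as `false`; if that controlled output muting, confirm the change is intended. `vpn_ipsec_configure` in the second hunk starts and ends outside this view.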
diff --git a/src/usr/local/www/vpn_ipsec_settings.php b/src/usr/local/www/vpn_ipsec_settings.php
index 4603232..df50e5b 100644
--- a/src/usr/local/www/vpn_ipsec_settings.php
+++ b/src/usr/local/www/vpn_ipsec_settings.php
@@ -67,9 +67,13 @@ require_once("shaper.inc");
require_once("ipsec.inc");
require_once("vpn.inc");
-foreach ($ipsec_loglevels as $lkey => $ldescr) {
- if (!empty($config['ipsec']["ipsec_{$lkey}"])) {
- $pconfig["ipsec_{$lkey}"] = $config['ipsec']["ipsec_{$lkey}"];
+$def_loglevel = '1';
+
+foreach (array_keys($ipsec_log_cats) as $cat) {
+ if (isset($config['ipsec']['logging'][$cat])) {
+ $pconfig[$cat] = $config['ipsec']['logging'][$cat];
+ } else {
+ $pconfig[$cat] = $def_loglevel;
}
}
@@ -88,54 +92,12 @@ if ($_POST) {
unset($input_errors);
$pconfig = $_POST;
- if (!in_array($pconfig['ipsec_dmn'], array('0', '1', '2', '3', '4', '5'), true)) {
- $input_errors[] = "A valid value must be specified for Daemon debug.";
- }
- if (!in_array($pconfig['ipsec_mgr'], array('0', '1', '2', '3', '4', '5'), true)) {
- $input_errors[] = "A valid value must be specified for SA Manager debug.";
- }
- if (!in_array($pconfig['ipsec_ike'], array('0', '1', '2', '3', '4', '5'), true)) {
- $input_errors[] = "A valid value must be specified for IKE SA debug.";
- }
- if (!in_array($pconfig['ipsec_chd'], array('0', '1', '2', '3', '4', '5'), true)) {
- $input_errors[] = "A valid value must be specified for IKE Child SA debug.";
- }
- if (!in_array($pconfig['ipsec_job'], array('0', '1', '2', '3', '4', '5'), true)) {
- $input_errors[] = "A valid value must be specified for Job Processing debug.";
- }
- if (!in_array($pconfig['ipsec_cfg'], array('0', '1', '2', '3', '4', '5'), true)) {
- $input_errors[] = "A valid value must be specified for Configuration backend debug.";
- }
- if (!in_array($pconfig['ipsec_knl'], array('0', '1', '2', '3', '4', '5'), true)) {
- $input_errors[] = "A valid value must be specified for Kernel Interface debug.";
- }
- if (!in_array($pconfig['ipsec_net'], array('0', '1', '2', '3', '4', '5'), true)) {
- $input_errors[] = "A valid value must be specified for Networking debug.";
- }
- if (!in_array($pconfig['ipsec_asn'], array('0', '1', '2', '3', '4', '5'), true)) {
- $input_errors[] = "A valid value must be specified for ASN Encoding debug.";
- }
- if (!in_array($pconfig['ipsec_enc'], array('0', '1', '2', '3', '4', '5'), true)) {
- $input_errors[] = "A valid value must be specified for Message encoding debug.";
- }
- if (!in_array($pconfig['ipsec_imc'], array('0', '1', '2', '3', '4', '5'), true)) {
- $input_errors[] = "A valid value must be specified for Integrity checker debug.";
- }
- if (!in_array($pconfig['ipsec_imv'], array('0', '1', '2', '3', '4', '5'), true)) {
- $input_errors[] = "A valid value must be specified for Integrity Verifier debug.";
- }
- if (!in_array($pconfig['ipsec_pts'], array('0', '1', '2', '3', '4', '5'), true)) {
- $input_errors[] = "A valid value must be specified for Platform Trust Service debug.";
- }
- if (!in_array($pconfig['ipsec_tls'], array('0', '1', '2', '3', '4', '5'), true)) {
- $input_errors[] = "A valid value must be specified for TLS Handler debug.";
- }
- if (!in_array($pconfig['ipsec_esp'], array('0', '1', '2', '3', '4', '5'), true)) {
- $input_errors[] = "A valid value must be specified for IPsec Traffic debug.";
- }
- if (!in_array($pconfig['ipsec_lib'], array('0', '1', '2', '3', '4', '5'), true)) {
- $input_errors[] = "A valid value must be specified for StrongSwan Lib debug.";
+ foreach ($ipsec_log_cats as $cat => $desc) {
+ if (!in_array(intval($pconfig[$cat]), array_keys($ipsec_log_sevs), true)) {
+ $input_errors[] = "A valid value must be specified for {$desc} debug.";
+ }
}
+
if (isset($pconfig['maxmss'])) {
if (!is_numericint($pconfig['maxmss']) && $pconfig['maxmss'] != '') {
$input_errors[] = "An integer must be specified for Maximum MSS.";
@@ -147,13 +109,16 @@ if ($_POST) {
if (!$input_errors) {
- foreach ($ipsec_loglevels as $lkey => $ldescr) {
- if (empty($_POST["ipsec_{$lkey}"])) {
- if (isset($config['ipsec']["ipsec_{$lkey}"])) {
- unset($config['ipsec']["ipsec_{$lkey}"]);
- }
- } else {
- $config['ipsec']["ipsec_{$lkey}"] = $_POST["ipsec_{$lkey}"];
+ /* log levels aren't set initially and use default. They all
+ * get set when we save, even if it's to the default level.
+ */
+ foreach (array_keys($ipsec_log_cats) as $cat) {
+ if (!isset($pconfig[$cat])) {
+ continue;
+ }
+ if ($pconfig[$cat] != $config['ipsec']['logging'][$cat]) {
+ $config['ipsec']['logging'][$cat] = $pconfig[$cat];
+ vpn_update_daemon_loglevel($cat, $pconfig[$cat]);
}
}
@@ -250,7 +215,6 @@ if ($_POST) {
}
vpn_ipsec_configure($needsrestart);
- vpn_ipsec_configure_loglevels();
header("Location: vpn_ipsec_settings.php");
return;
@@ -306,13 +270,13 @@ $form = new Form;
$section = new Form_Section('Start IPsec in debug mode based on sections selected');
-foreach ($ipsec_loglevels as $lkey => $ldescr)
+foreach ($ipsec_log_cats as $cat => $desc)
{
$section->addInput(new Form_Select(
- 'ipsec_' . $lkey,
- $ldescr,
- $pconfig['ipsec_' . $lkey],
- array('Silent', 'Audit', 'Control', 'Diag', 'Raw', 'Highest')
+ $cat,
+ $desc,
+ $pconfig[$cat],
+ $ipsec_log_sevs
))->setWidth(2);
}
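Review bot: The validation loop at `foreach ($ipsec_log_cats as $cat => $desc)` accepts any `$pconfig[$cat]` whose `intval` is a known level, yet the save loop later stores the raw submitted string with `$config['ipsec']['logging'][$cat] = $pconfig[$cat];`, so config.xml and the daemon receive a value that is not necessarily the integer that was validated. Persist the canonical form instead: `$config['ipsec']['logging'][$cat] = intval($pconfig[$cat]);` and `vpn_update_daemon_loglevel($cat, intval($pconfig[$cat]));`. The `!=` comparison on the line before reads `$config['ipsec']['logging'][$cat]` without checking it exists, which raises a notice on a config that has never saved logging settings; prefixing the condition with `!isset($config['ipsec']['logging'][$cat]) ||` avoids that and still forces the first save through. `$def_loglevel` here is the string `'1'` while upgrade_config.inc uses the int `1`; picking one keeps the loose comparison predictable.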