author | Matt Smith <mgsmith@netgate.com> | 2015-11-11 15:10:41 -0600 |
---|---|---|
committer | Matt Smith <mgsmith@netgate.com> | 2015-11-11 15:17:59 -0600 |
commit | c53e411fc458a59d39662e955b0677cdb37211c7 (patch) | |
tree | 0ebe9213d214bab3df275a582cc1154f307987f4 /src | |
parent | 824329d2c3f096aba45a91675a1a6d46ce62f90d (diff) | |
Fix #5350. Correct issues with strongswan logging (setting changes did not persist across reboots, setting silent did not work).
Diffstat (limited to 'src')
-rw-r--r-- | src/etc/inc/globals.inc | 2 | ||||
-rw-r--r-- | src/etc/inc/ipsec.inc | 30 | ||||
-rw-r--r-- | src/etc/inc/upgrade_config.inc | 56 | ||||
-rw-r--r-- | src/etc/inc/vpn.inc | 37 | ||||
-rw-r--r-- | src/usr/local/www/vpn_ipsec_settings.php | 90 |
5 files changed, 134 insertions, 81 deletions
diff --git a/src/etc/inc/globals.inc b/src/etc/inc/globals.inc index a09d7a3..ccaf61c 100644 --- a/src/etc/inc/globals.inc +++ b/src/etc/inc/globals.inc @@ -72,7 +72,7 @@ $g = array( "disablecrashreporter" => false, "crashreporterurl" => "https://crashreporter.pfsense.org/crash_reporter.php", "debug" => false, - "latest_config" => "12.4", + "latest_config" => "12.6", "nopkg_platforms" => array("cdrom"), "minimum_ram_warning" => "101", "minimum_ram_warning_text" => "128 MB", diff --git a/src/etc/inc/ipsec.inc b/src/etc/inc/ipsec.inc index 37a6b09..5d45ef1 100644 --- a/src/etc/inc/ipsec.inc +++ b/src/etc/inc/ipsec.inc @@ -42,6 +42,36 @@ $ipsec_loglevels = array("dmn" => "Daemon", "mgr" => "SA Manager", "ike" => "IKE "imc" => "Integrity checker", "imv" => "Integrity Verifier", "pts" => "Platform Trust Service", "tls" => "TLS handler", "esp" => "IPsec traffic", "lib" => "StrongSwan Lib"); +global $ipsec_log_sevs; +$ipsec_log_sevs = array( + '-1' => 'Silent', + '0' => 'Audit', + '1' => 'Control', + '2' => 'Diag', + '3' => 'Raw', + '4' => 'Highest' +); + +global $ipsec_log_cats; +$ipsec_log_cats = array( + "dmn" => "Daemon", + "mgr" => "SA Manager", + "ike" => "IKE SA", + "chd" => "IKE Child SA", + "job" => "Job Processing", + "cfg" => "Configuration backend", + "knl" => "Kernel Interface", + "net" => "Networking", + "asn" => "ASN encoding", + "enc" => "Message encoding", + "imc" => "Integrity checker", + "imv" => "Integrity Verifier", + "pts" => "Platform Trust Service", + "tls" => "TLS handler", + "esp" => "IPsec traffic", + "lib" => "StrongSwan Lib" +); + global $my_identifier_list; $my_identifier_list = array( 'myaddress' => array('desc' => gettext('My IP address'), 'mobile' => true), diff --git a/src/etc/inc/upgrade_config.inc b/src/etc/inc/upgrade_config.inc index 428375f..7934426 100644 --- a/src/etc/inc/upgrade_config.inc +++ b/src/etc/inc/upgrade_config.inc 
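Review bot: The new `$ipsec_log_cats` table in ipsec.inc is a verbatim copy of the `$ipsec_loglevels` array that the hunk's context lines show is still defined just above it, so the two will drift apart the next time a strongswan category is added or renamed. Keep one table, e.g. replace the copy with `$ipsec_log_cats = $ipsec_loglevels;`, or drop `$ipsec_loglevels` once its remaining callers are gone. Separately, the `'-1'`…`'4'` keys of `$ipsec_log_sevs` are canonical integer strings, which PHP stores as int keys, so `array_keys($ipsec_log_sevs)` yields ints; that is the reason the validators in vpn.inc and vpn_ipsec_settings.php compare against `intval()`, and it deserves a comment on the array: `/* numeric-string keys become int keys: array_keys() returns ints, compare with intval() */`.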
@@ -3845,6 +3845,23 @@ function upgrade_118_to_119() { } function upgrade_119_to_120() { + global $config, $ipsec_log_cats; + + if (!is_array($config['ipsec'])) { + return; + } + + // add 1 to configured log levels as part of redmine #5340 + foreach ($ipsec_log_cats as $lkey => $ldescr) { + if (isset($config['ipsec']["ipsec_{$lkey}"])) { + $config['ipsec']["ipsec_{$lkey}"] = $config['ipsec']["ipsec_{$lkey}"] + 1; + } + } + +} + + +function upgrade_120_to_121() { global $config; if (!isset($config['installedpackages']['miniupnpd']['config'][0])) { @@ -3863,7 +3880,7 @@ function upgrade_119_to_120() { } } -function upgrade_120_to_121() { +function upgrade_121_to_122() { global $config; foreach ($config['system']['user'] as &$user) { if (isset($user['nt-hash'])) { @@ -3872,7 +3889,7 @@ function upgrade_120_to_121() { } } -function upgrade_121_to_122() { +function upgrade_122_to_123() { global $config; // PPTP server was removed @@ -3970,7 +3987,7 @@ function upgrade_121_to_122() { } } -function upgrade_122_to_123() { +function upgrade_123_to_124() { if (isset($config['system']['altpkgrepo'])) { unset($config['system']['altpkgrepo']); } @@ -3980,7 +3997,7 @@ function upgrade_122_to_123() { } } -function upgrade_123_to_124() { +function upgrade_124_to_125() { global $config; /* Find interfaces with WEP configured. */ 
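Review bot: `upgrade_119_to_120()` computes `$config['ipsec']["ipsec_{$lkey}"] + 1` on a value the old settings page stored straight from `$_POST`, without `intval()`; a non-numeric or padded value produces a warning (a TypeError on PHP 8) instead of a clean level, so write `intval($config['ipsec']["ipsec_{$lkey}"]) + 1`. The comment says the +1 is "part of redmine #5340" while the commit message cites #5350; confirm which ticket applies so the next reader does not chase the wrong one. The renumbered functions that follow are unchanged bodies, and `upgrade_124_to_125()` continues past the end of the hunk.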
@@ -4003,5 +4020,36 @@ function upgrade_123_to_124() { } } +function upgrade_125_to_126() { + global $config, $ipsec_log_cats, $ipsec_log_sevs; + + $def_loglevel = 1; + if (!is_array($config['ipsec'])) { + return; + } + + if (!isset($config['ipsec']['logging']) || !is_array($config['ipsec']['logging'])) { + $config['ipsec']['logging'] = array(); + } + + /* subtract 2 from ipsec log levels. the value stored in the config.xml + * will now match the strongswan level exactly. + */ + foreach(array_keys($ipsec_log_cats) as $cat) { + if (!isset($config['ipsec']["ipsec_{$cat}"])) { + $new_level = $def_loglevel; + } else { + $new_level = intval($config['ipsec']["ipsec_{$cat}"]) - 2; + } + + if (in_array($new_level, array_keys($ipsec_log_sevs))) { + $config['ipsec']['logging'][$cat] = $new_level; + } else { + $config['ipsec']['logging'][$cat] = $def_loglevel; + } + unset($config['ipsec']["ipsec_{$cat}"]); + } +} + ?> diff --git a/src/etc/inc/vpn.inc b/src/etc/inc/vpn.inc index 0edc6f5..7421942 100644 --- a/src/etc/inc/vpn.inc +++ b/src/etc/inc/vpn.inc 
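Review bot: `upgrade_125_to_126()` subtracts 2 from every stored level, but a config already at 12.0–12.4 never runs the new `upgrade_119_to_120()` +1 step, so it receives a net −2 while a pre-12.0 config receives −1. If those 12.x configs were written by the removed `vpn_ipsec_configure_loglevels()` (which, per the vpn.inc hunk, sent `value − 1` to strongswan), each category ends up one level lower than the user chose and a configured Audit (1) becomes Silent (−1); please confirm against the #5340 history before this ships, and if so apply `intval(...) - 1` here unconditionally rather than relying on the earlier step. Also, `$def_loglevel = 1` here duplicates the `'1'` default in vpn_ipsec_settings.php; a single `$ipsec_log_default = 1;` next to the tables in ipsec.inc would keep the two in step. The `in_array($new_level, array_keys($ipsec_log_sevs))` check works only because both sides are ints, which is worth a comment: `/* $ipsec_log_sevs keys are ints, as is $new_level */`.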
@@ -42,22 +42,33 @@ require_once("ipsec.inc"); require_once("filter.inc"); -function vpn_ipsec_configure_loglevels($forconfig = false) { - global $config, $ipsec_loglevels; +function vpn_update_daemon_loglevel($category, $level) { + global $ipsec_log_cats, $ipsec_log_sevs; - $cfgtext = array(); - foreach ($ipsec_loglevels as $lkey => $ldescr) { - if (!isset($config['ipsec']["ipsec_{$lkey}"]) && !$forconfig) { - mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} -- -1", false); - } else if (is_numeric($config['ipsec']["ipsec_{$lkey}"]) && - intval($config['ipsec']["ipsec_{$lkey}"]) >= 0 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5) { - $forconfig ? $cfgtext[] = "${lkey} = " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) : - mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) , false); + if (in_array($category, array_keys($ipsec_log_cats), true) && in_array(intval($level), array_keys($ipsec_log_sevs), true)) { + + /* if you're setting to -1, need to add "--" to args */ + $argterm = ""; + if ($level == "-1") { + $argterm = "--"; } + + mwexec("/usr/local/sbin/ipsec stroke loglevel {$category} {$argterm} {$level}"); } - if ($forconfig) { - return $cfgtext; +} + +function vpn_logging_cfgtxt() { + global $config, $ipsec_log_cats, $ipsec_log_sevs; + + $cfgtext = array(); + foreach (array_keys($ipsec_log_cats) as $cat) { + if (is_numeric($config['ipsec']['logging'][$cat]) && + in_array(intval($config['ipsec']['logging'][$cat]), array_keys($ipsec_log_sevs), true)) { + $cfgtext[] = "${cat} = {$config['ipsec']['logging'][$cat]}"; + } } + + return $cfgtext; } /* include all configuration functions */ 
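Review bot: `vpn_update_daemon_loglevel()` validates `intval($level)` but interpolates the raw `$level` into the `mwexec()` command line, so any string with a valid leading digit (`"1abc"`, `"1 ; id"`) passes the check and reaches the shell unchanged; the settings page is admin-only, but this is a general helper and should not rely on its callers for that. Normalise to the integer once and use it for both the check and the command, and escape the category as well, as below; this also lets the `"-1"` test become a strict comparison. In `vpn_logging_cfgtxt()`, `$config['ipsec']['logging'][$cat]` is read without `isset()`, so an unset category raises a notice for every call; add `isset($config['ipsec']['logging'][$cat]) &&` in front of the `is_numeric()` test.
```php
function vpn_update_daemon_loglevel($category, $level) {
	global $ipsec_log_cats, $ipsec_log_sevs;

	/* $ipsec_log_sevs has int keys; validate the integer that is actually sent */
	$level = intval($level);
	if (in_array($category, array_keys($ipsec_log_cats), true) &&
	    in_array($level, array_keys($ipsec_log_sevs), true)) {
		/* a negative level needs "--" so stroke does not read -1 as an option */
		$argterm = ($level === -1) ? "-- " : "";
		mwexec("/usr/local/sbin/ipsec stroke loglevel " . escapeshellarg($category) . " {$argterm}{$level}");
	}
}
```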
@@ -436,7 +447,7 @@ function vpn_ipsec_configure($restart = false) { unset($stronconf); $strongswanlog = ""; - $ipsecloglevels = vpn_ipsec_configure_loglevels(true); + $ipsecloglevels = vpn_logging_cfgtxt(); if (is_array($ipsecloglevels)) { foreach ($ipsecloglevels as $loglevel) { $strongswanlog .= "\t\t" . $loglevel . "\n"; diff --git a/src/usr/local/www/vpn_ipsec_settings.php b/src/usr/local/www/vpn_ipsec_settings.php index 4603232..df50e5b 100644 --- a/src/usr/local/www/vpn_ipsec_settings.php +++ b/src/usr/local/www/vpn_ipsec_settings.php @@ -67,9 +67,13 @@ require_once("shaper.inc"); require_once("ipsec.inc"); require_once("vpn.inc"); -foreach ($ipsec_loglevels as $lkey => $ldescr) { - if (!empty($config['ipsec']["ipsec_{$lkey}"])) { - $pconfig["ipsec_{$lkey}"] = $config['ipsec']["ipsec_{$lkey}"]; +$def_loglevel = '1'; + +foreach (array_keys($ipsec_log_cats) as $cat) { + if (isset($config['ipsec']['logging'][$cat])) { + $pconfig[$cat] = $config['ipsec']['logging'][$cat]; + } else { + $pconfig[$cat] = $def_loglevel; } } 
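Review bot: The pconfig loop in vpn_ipsec_settings.php hard-codes `$def_loglevel = '1'` as a string, while `upgrade_125_to_126()` uses the integer `1` and `$ipsec_log_sevs` has int keys, so the same default lives in two files in two types; define it once in ipsec.inc beside the tables (`$ipsec_log_default = 1;`) and use it from both. A short comment on the loop would also help, since the default is otherwise a magic number: `/* categories never saved show the default level (1, Control) until the user saves the form */`.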
@@ -88,54 +92,12 @@ if ($_POST) { unset($input_errors); $pconfig = $_POST; - if (!in_array($pconfig['ipsec_dmn'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for Daemon debug."; - } - if (!in_array($pconfig['ipsec_mgr'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for SA Manager debug."; - } - if (!in_array($pconfig['ipsec_ike'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for IKE SA debug."; - } - if (!in_array($pconfig['ipsec_chd'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for IKE Child SA debug."; - } - if (!in_array($pconfig['ipsec_job'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for Job Processing debug."; - } - if (!in_array($pconfig['ipsec_cfg'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for Configuration backend debug."; - } - if (!in_array($pconfig['ipsec_knl'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for Kernel Interface debug."; - } - if (!in_array($pconfig['ipsec_net'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for Networking debug."; - } - if (!in_array($pconfig['ipsec_asn'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for ASN Encoding debug."; - } - if (!in_array($pconfig['ipsec_enc'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for Message encoding debug."; - } - if (!in_array($pconfig['ipsec_imc'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for Integrity checker debug."; - } - if (!in_array($pconfig['ipsec_imv'], array('0', '1', '2', '3', 
'4', '5'), true)) { - $input_errors[] = "A valid value must be specified for Integrity Verifier debug."; - } - if (!in_array($pconfig['ipsec_pts'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for Platform Trust Service debug."; - } - if (!in_array($pconfig['ipsec_tls'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for TLS Handler debug."; - } - if (!in_array($pconfig['ipsec_esp'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for IPsec Traffic debug."; - } - if (!in_array($pconfig['ipsec_lib'], array('0', '1', '2', '3', '4', '5'), true)) { - $input_errors[] = "A valid value must be specified for StrongSwan Lib debug."; + foreach ($ipsec_log_cats as $cat => $desc) { + if (!in_array(intval($pconfig[$cat]), array_keys($ipsec_log_sevs), true)) { + $input_errors[] = "A valid value must be specified for {$desc} debug."; + } } + if (isset($pconfig['maxmss'])) { if (!is_numericint($pconfig['maxmss']) && $pconfig['maxmss'] != '') { $input_errors[] = "An integer must be specified for Maximum MSS."; @@ -147,13 +109,16 @@ if ($_POST) { if (!$input_errors) { - foreach ($ipsec_loglevels as $lkey => $ldescr) { - if (empty($_POST["ipsec_{$lkey}"])) { - if (isset($config['ipsec']["ipsec_{$lkey}"])) { - unset($config['ipsec']["ipsec_{$lkey}"]); - } - } else { - $config['ipsec']["ipsec_{$lkey}"] = $_POST["ipsec_{$lkey}"]; + /* log levels aren't set initially and use default. They all + * get set when we save, even if it's to the default level. + */ + foreach (array_keys($ipsec_log_cats) as $cat) { + if (!isset($pconfig[$cat])) { + continue; + } + if ($pconfig[$cat] != $config['ipsec']['logging'][$cat]) { + $config['ipsec']['logging'][$cat] = $pconfig[$cat]; + vpn_update_daemon_loglevel($cat, $pconfig[$cat]); } } 
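Review bot: The new validation `in_array(intval($pconfig[$cat]), array_keys($ipsec_log_sevs), true)` is weaker than the per-field checks it replaces: the old code required the posted string to be exactly one of `'0'`..`'5'`, whereas `intval()` accepts `"1abc"`, `"1.9"` or `"1 ; id"`, and that raw string is what the save loop later stores in config.xml and hands to `vpn_update_daemon_loglevel()`. Validate the raw value instead, e.g. `if (!isset($pconfig[$cat]) || !in_array((string)$pconfig[$cat], array_map('strval', array_keys($ipsec_log_sevs)), true)) {`, which also avoids a notice when a category select is missing from the POST. The `strval` mapping is needed because PHP converts the canonical numeric-string keys of `$ipsec_log_sevs` to ints.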
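Review bot: The save loop stores `$pconfig[$cat]`, the raw POST string, into `$config['ipsec']['logging'][$cat]`; storing the canonical integer, `$config['ipsec']['logging'][$cat] = intval($pconfig[$cat]);`, keeps config.xml uniform with what `upgrade_125_to_126()` writes and lets `vpn_logging_cfgtxt()` rely on an int instead of `is_numeric()`. The comment above the loop says every category gets set on save, but the `!=` guard skips categories whose posted value already matches the stored one; that is fine, but the comment should say so: `/* a category is written only when the posted level differs from the stored one; a never-saved category compares unequal to null and so is written */`. The enclosing `if (!$input_errors)` block continues past the hunk.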
@@ -250,7 +215,6 @@ if ($_POST) { } vpn_ipsec_configure($needsrestart); - vpn_ipsec_configure_loglevels(); header("Location: vpn_ipsec_settings.php"); return; @@ -306,13 +270,13 @@ $form = new Form; $section = new Form_Section('Start IPsec in debug mode based on sections selected'); -foreach ($ipsec_loglevels as $lkey => $ldescr) +foreach ($ipsec_log_cats as $cat => $desc) { $section->addInput(new Form_Select( - 'ipsec_' . $lkey, - $ldescr, - $pconfig['ipsec_' . $lkey], - array('Silent', 'Audit', 'Control', 'Diag', 'Raw', 'Highest') + $cat, + $desc, + $pconfig[$cat], + $ipsec_log_sevs ))->setWidth(2); } |