author | Ermal <eri@pfsense.org> | 2014-08-01 20:39:06 +0000 |
---|---|---|
committer | Ermal <eri@pfsense.org> | 2014-08-01 20:39:06 +0000 |
commit | 9b91568608add6749256d4c85b624985e53652e4 (patch) | |
tree | b933e8044acc6da5ae9804f427ac1d0323493229 /usr | |
parent | fa0a1411026bcbf173fbe6d573dfc260ee883102 (diff) | |
Use a uniqid() to track phase2 entries to avoid confusion and various mistakes when modifying and editing them.
Diffstat (limited to 'usr')
-rw-r--r-- | usr/local/www/vpn_ipsec.php | 52 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_phase2.php | 133 |
2 files changed, 83 insertions, 102 deletions
diff --git a/usr/local/www/vpn_ipsec.php b/usr/local/www/vpn_ipsec.php
index 6161e72..587c048 100644
--- a/usr/local/www/vpn_ipsec.php
+++ b/usr/local/www/vpn_ipsec.php
@@ -93,9 +93,8 @@ if ($_GET['act'] == "delph1") /* remove the phase1 entry */ unset($a_phase1[$_GET['p1index']]); - vpn_ipsec_configure(); write_config(); - filter_configure(); + mark_subsystem_dirty('ipsec'); header("Location: vpn_ipsec.php"); exit; }
@@ -105,10 +104,14 @@ if ($_GET['act'] == "delph2") { if ($a_phase1[$_GET['p1index']] && $a_phase2[$_GET['p2index']]) { /* remove the phase2 entry */ - unset($a_phase2[$_GET['p2index']]); - vpn_ipsec_configure(); - filter_configure(); - write_config(); + foreach ($a_phase2 as $ph2idx => $ph2) { + if ($ph2['uniqid'] == $_GET['p2index']) { + unset($a_phase2[$ph2idx]); + write_config(); + mark_subsystem_dirty('ipsec'); + break; + } + } header("Location: vpn_ipsec.php"); exit; }
@@ -289,8 +292,6 @@ include("head.inc"); foreach ($a_phase2 as $ph2ent) { if ($ph2ent['ikeid'] != $ph1ent['ikeid']) continue; - if (isset( $ph2ent['disabled']) || isset($ph1ent['disabled'])) - continue; $phase2count++; } ?>
@@ -312,13 +313,10 @@ include("head.inc"); </a> </td> </tr> - <?php - $j = 0; - foreach ($a_phase2 as $ph2ent) { - if ($ph2ent['ikeid'] != $ph1ent['ikeid']) { - $j++; + <?php + foreach ($a_phase2 as $ph2ent): + if ($ph2ent['ikeid'] != $ph1ent['ikeid']) continue; - } if (isset( $ph2ent['disabled']) || isset($ph1ent['disabled'])) { $spans = "<span class=\"gray\">";
@@ -326,8 +324,8 @@ include("head.inc"); } else $spans = $spane = ""; - ?> - <tr valign="top" ondblclick="document.location='vpn_ipsec_phase2.php?p2index=<?=$j;?>'"> + ?> + <tr valign="top" ondblclick="document.location='vpn_ipsec_phase2.php?p2index=<?=$ph2ent['uniqid'];?>'"> <td class="listlr nowrap"> <?=$spans;?>
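Review bot: The delph2 branch is still gated by the unchanged context line `if ($a_phase1[$_GET['p1index']] && $a_phase2[$_GET['p2index']]) {`, which indexes $a_phase2 by a value that is now a uniqid rather than an array offset, so that lookup yields nothing and the new foreach matching on `$ph2['uniqid']` is never reached (unless a uniqid happens to coincide with an offset). The guard should check only the phase1 entry, `if ($a_phase1[$_GET['p1index']]) {`, and let the loop decide whether the phase2 exists. The match itself should be strict, `if ($ph2['uniqid'] === $_GET['p2index']) {`, since the right-hand side is request input and loose comparison has numeric-string special cases.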
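Review bot: `<?=$ph2ent['uniqid'];?>` is written into the ondblclick JavaScript string here and, in the hunk at -387, into three href attributes without escaping, whereas the integer `$j` it replaces needed none. The value is read back from the config, and the phase2 form treats the hidden `uniqid` POST field as a required input that ends up in `$ph2ent['uniqid']`, so a stored value containing a quote or ampersand would break out of the URL; wrap each use as `<?=htmlspecialchars(urlencode($ph2ent['uniqid']));?>`, matching how vpn_ipsec_phase2.php already escapes the same value with htmlspecialchars.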
@@ -359,9 +357,8 @@ include("head.inc"); <td class="listr"> <?=$spans;?> <?php - $k = 0; - foreach ($ph2ent['encryption-algorithm-option'] as $ph2ea) { - if ($k++) + foreach ($ph2ent['encryption-algorithm-option'] as $k => $ph2ea) { + if ($k) echo ", "; echo $p2_ealgos[$ph2ea['name']]['name']; if ($ph2ea['keylen']) {
@@ -377,9 +374,8 @@ include("head.inc"); <td class="listr nowrap"> <?=$spans;?> <?php - $k = 0; - foreach ($ph2ent['hash-algorithm-option'] as $ph2ha) { - if ($k++) + foreach ($ph2ent['hash-algorithm-option'] as $k => $ph2ha) { + if ($k) echo ", "; echo $p2_halgos[$ph2ha]; }
@@ -387,22 +383,20 @@ include("head.inc"); <?=$spane;?> </td> <td class="list nowrap"> - <a href="vpn_ipsec_phase2.php?p2index=<?=$j;?>"> + <a href="vpn_ipsec_phase2.php?p2index=<?=$ph2ent['uniqid'];?>"> <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="<?=gettext("edit phase2 entry"); ?>" width="17" height="17" border="0" alt="edit" /> </a> - <a href="vpn_ipsec.php?act=delph2&p1index=<?=$i;?>&p2index=<?=$j;?>" onclick="return confirm('<?=gettext("Do you really want to delete this phase2 entry?"); ?>')"> + <a href="vpn_ipsec.php?act=delph2&p1index=<?=$i;?>&p2index=<?=$ph2ent['uniqid'];?>" onclick="return confirm('<?=gettext("Do you really want to delete this phase2 entry?"); ?>')"> <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="<?=gettext("delete phase2 entry"); ?>" width="17" height="17" border="0" alt="delete" /> </a> - <a href="vpn_ipsec_phase2.php?dup=<?=$j;?>"> + <a href="vpn_ipsec_phase2.php?dup=<?=$ph2ent['uniqid'];?>"> <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="<?=gettext("add a new Phase 2 based on this one"); ?>" width="17" height="17" border="0" alt="add" /> </a> </td> </tr> - <?php - $j++; - } - ?> + <?php endforeach; ?> + </table> </td> </tr>
diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php
index 6848efd..8a78065 100644
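Review bot: `if ($k)` now keys the separator off the array index instead of a counter, so it stays correct only while `encryption-algorithm-option` (and `hash-algorithm-option` in the hunk at -377) is a zero-based list; an array whose first key is not 0, for instance after an element was removed with unset, prints a leading ", ". If the config loader guarantees list shape this is fine; otherwise a `$first` flag, or `implode(', ', ...)` over the mapped names, keeps the output independent of the keys.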
--- a/usr/local/www/vpn_ipsec_phase2.php
+++ b/usr/local/www/vpn_ipsec_phase2.php
@@ -51,35 +51,45 @@ if (!is_array($config['ipsec']['phase2'])) $a_phase2 = &$config['ipsec']['phase2']; -if (is_numericint($_GET['p2index'])) - $p2index = $_GET['p2index']; -if (isset($_POST['p2index']) && is_numericint($_POST['p2index'])) - $p2index = $_POST['p2index']; - -if (isset($_GET['dup']) && is_numericint($_GET['dup'])) - $p2index = $_GET['dup']; +if (!empty($_GET['p2index'])) + $uindex = $_GET['p2index']; +if (!empty($_POST['uniqid'])) + $uindex = $_POST['uniqid']; + +if (!empty($_GET['dup'])) + $uindex = $_GET['dup']; + +$ph2found = false; +if (isset($uindex)) { + foreach ($a_phase2 as $p2index => $ph2) { + if ($ph2['uniqid'] == $uindex) { + $ph2found = true; + break; + } + } +} -if (isset($p2index) && $a_phase2[$p2index]) +if ($ph2found === true) { - $pconfig['ikeid'] = $a_phase2[$p2index]['ikeid']; - $pconfig['disabled'] = isset($a_phase2[$p2index]['disabled']); - $pconfig['mode'] = $a_phase2[$p2index]['mode']; - $pconfig['descr'] = $a_phase2[$p2index]['descr']; - $old_ph2ent = $a_phase2[$p2index]; - - if (!empty($a_phase2[$p2index]['natlocalid'])) - idinfo_to_pconfig("natlocal",$a_phase2[$p2index]['natlocalid'],$pconfig); - idinfo_to_pconfig("local",$a_phase2[$p2index]['localid'],$pconfig); - idinfo_to_pconfig("remote",$a_phase2[$p2index]['remoteid'],$pconfig); - - $pconfig['proto'] = $a_phase2[$p2index]['protocol']; - ealgos_to_pconfig($a_phase2[$p2index]['encryption-algorithm-option'],$pconfig); - $pconfig['halgos'] = $a_phase2[$p2index]['hash-algorithm-option']; - $pconfig['pfsgroup'] = $a_phase2[$p2index]['pfsgroup']; - $pconfig['lifetime'] = $a_phase2[$p2index]['lifetime']; - $pconfig['pinghost'] = $a_phase2[$p2index]['pinghost']; - - if (isset($a_phase2[$p2index]['mobile'])) + $pconfig['ikeid'] = $ph2['ikeid']; + $pconfig['disabled'] = isset($ph2['disabled']); + $pconfig['mode'] = $ph2['mode']; + $pconfig['descr'] = $ph2['descr']; + $pconfig['uniqid'] = $ph2['uniqid']; + + if (!empty($ph2['natlocalid'])) + 
idinfo_to_pconfig("natlocal",$ph2['natlocalid'],$pconfig); + idinfo_to_pconfig("local",$ph2['localid'],$pconfig); + idinfo_to_pconfig("remote",$ph2['remoteid'],$pconfig); + + $pconfig['proto'] = $ph2['protocol']; + ealgos_to_pconfig($ph2['encryption-algorithm-option'],$pconfig); + $pconfig['halgos'] = $ph2['hash-algorithm-option']; + $pconfig['pfsgroup'] = $ph2['pfsgroup']; + $pconfig['lifetime'] = $ph2['lifetime']; + $pconfig['pinghost'] = $ph2['pinghost']; + + if (isset($ph2['mobile'])) $pconfig['mobile'] = true; } else
@@ -94,14 +104,19 @@ else $pconfig['halgos'] = explode(",", "hmac_sha1,hmac_md5"); $pconfig['pfsgroup'] = "0"; $pconfig['lifetime'] = "3600"; + $pconfig['uniqid'] = uniqid(); - /* mobile client */ - if($_GET['mobile']) - $pconfig['mobile']=true; + /* mobile client */ + if($_GET['mobile']) + $pconfig['mobile']=true; } -if (isset($_GET['dup']) && is_numericint($_GET['dup'])) +unset($ph2); +if (!empty($_GET['dup'])) { + unset($uindex); unset($p2index); + $pconfig['uniqid'] = uniqid(); +} if ($_POST) {
@@ -112,8 +127,8 @@ if ($_POST) { $input_errors[] = gettext("A valid ikeid must be specified."); /* input validation */ - $reqdfields = explode(" ", "localid_type halgos"); - $reqdfieldsn = array(gettext("Local network type"),gettext("P2 Hash Algorithms")); + $reqdfields = explode(" ", "localid_type halgos uniqid"); + $reqdfieldsn = array(gettext("Local network type"),gettext("P2 Hash Algorithms"), gettext("Unique Identifier")); if (!isset($pconfig['mobile'])){ $reqdfields[] = "remoteid_type"; $reqdfieldsn[] = gettext("Remote network type");
@@ -191,7 +206,7 @@ if ($_POST) { if (isset($pconfig['mobile'])){ /* User is adding phase 2 for mobile phase1 */ foreach($a_phase2 as $key => $name){ - if (isset($name['mobile'])){ + if (isset($name['mobile']) && $name['uniqid'] != $pconfig['uniqid']) { /* check duplicate localids only for mobile clents */ $localid_data = ipsec_idinfo_to_cidr($name['localid'], false, $name['mode']); $entered = array();
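Review bot: `if ($ph2['uniqid'] == $uindex)` compares request input loosely against the stored id, and the `is_numericint()` checks it replaces have no successor, so `$uindex` is an arbitrary string; `===` is the right operator here and wherever a uniqid is compared. Phase2 entries written before this change have no `uniqid` key, so for them `$ph2['uniqid']` is null, nothing matches, `$ph2found` stays false and the edit form opens as a blank new entry whose save appends a duplicate instead of updating; unless a config upgrade outside this diff assigns ids (the diffstat is limited to 'usr', so I cannot see one), the page should assign `uniqid()` to every element of $a_phase2 that lacks one before this lookup. uniqid() is clock-derived rather than guaranteed unique, and because a collision makes the save path overwrite the other entry, the new-entry branch could cheaply verify the generated id is not already present.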
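Review bot: Adding `uniqid` to `$reqdfields` only rejects an empty value; the id arrives in a hidden POST field, is stored in the config verbatim at `$ph2ent['uniqid'] = $pconfig['uniqid'];`, and is later echoed into links in vpn_ipsec.php, so it should be constrained to the shape uniqid() produces. A check next to the ikeid validation such as `if (!ctype_alnum($_POST['uniqid'])) $input_errors[] = gettext("A valid unique identifier must be specified.");` keeps stray characters out of the config and out of the generated markup.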
@@ -200,15 +215,9 @@ if ($_POST) { if (isset($pconfig['localid_netbits'])) $entered['netbits'] = $pconfig['localid_netbits']; $entered_localid_data = ipsec_idinfo_to_cidr($entered, false, $pconfig['mode']); if ($localid_data == $entered_localid_data){ - if (!isset($pconfig['p2index'])){ - /* adding new p2 entry */ - $input_errors[] = gettext("Phase2 with this Local Network is already defined for mobile clients."); - break; - }else if ($pconfig['p2index'] != $key){ - /* editing p2 and entered p2 networks match with different p2 for given p1 */ - $input_errors[] = gettext("Phase2 with this Local Network is already defined for mobile clients."); - break; - } + /* adding new p2 entry */ + $input_errors[] = gettext("Phase2 with this Local Network is already defined for mobile clients."); + break; } } }
@@ -216,7 +225,7 @@ if ($_POST) { /* User is adding phase 2 for site-to-site phase1 */ $input_error = 0; foreach($a_phase2 as $key => $name){ - if (!isset($name['mobile']) && $pconfig['ikeid'] == $name['ikeid']){ + if (!isset($name['mobile']) && $pconfig['ikeid'] == $name['ikeid'] && $pconfig['uniqid'] != $name['uniqid']) { /* check duplicate subnets only for given phase1 */ $localid_data = ipsec_idinfo_to_cidr($name['localid'], false, $name['mode']); $remoteid_data = ipsec_idinfo_to_cidr($name['remoteid'], false, $name['mode']);
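Review bot: The surviving comment `/* adding new p2 entry */` is now misleading: with the `$name['uniqid'] != $pconfig['uniqid']` exclusion added to the loop condition (hunk at -191, and likewise -216 for the -231 branch), this error fires for edits as well, which is exactly the case the deleted else-branch used to document. Replace it here and in the -231 hunk with `/* another entry (not the one being edited) already uses this network */`. The `!=` in both loop conditions should be `!==`, since both sides are strings and loose comparison treats numeric-looking strings specially.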
@@ -231,15 +240,9 @@ if ($_POST) { if (isset($pconfig['remoteid_netbits'])) $entered_remote['netbits'] = $pconfig['remoteid_netbits']; $entered_remoteid_data = ipsec_idinfo_to_cidr($entered_remote, false, $pconfig['mode']); if ($localid_data == $entered_localid_data && $remoteid_data == $entered_remoteid_data) { - if (!isset($pconfig['p2index'])){ - /* adding new p2 entry */ - $input_errors[] = gettext("Phase2 with this Local/Remote networks combination is already defined for this Phase1."); - break; - }else if ($pconfig['p2index'] != $key){ - /* editing p2 and entered p2 networks match with different p2 for given p1 */ - $input_errors[] = gettext("Phase2 with this Local/Remote networks combination is already defined for this Phase1."); - break; - } + /* adding new p2 entry */ + $input_errors[] = gettext("Phase2 with this Local/Remote networks combination is already defined for this Phase1."); + break; } } }
@@ -259,7 +262,9 @@ if ($_POST) { if (!$input_errors) { + $ph2ent = array(); $ph2ent['ikeid'] = $pconfig['ikeid']; + $ph2ent['uniqid'] = $pconfig['uniqid']; $ph2ent['mode'] = $pconfig['mode']; $ph2ent['disabled'] = $pconfig['disabled'] ? true : false;
@@ -281,27 +286,12 @@ if ($_POST) { if (isset($pconfig['mobile'])) $ph2ent['mobile'] = true; - ipsec_lookup_phase1($ph2ent, $ph1ent); - if (($ph1ent['protocol'] == "inet") && ($ph2ent['mode'] == "tunnel6")) - $input_errors[] = gettext("Phase 1 is using IPv4. You cannot use Tunnel IPv6 on Phase 2."); - if (($ph1ent['protocol'] == "inet6") && ($ph2ent['mode'] == "tunnel")) - $input_errors[] = gettext("Phase 1 is using IPv6. You cannot use Tunnel IPv4 on Phase 2."); - } - - if (!$input_errors) { - if (isset($p2index) && $a_phase2[$p2index]) + if ($ph2found === true && $a_phase2[$p2index]) $a_phase2[$p2index] = $ph2ent; else $a_phase2[] = $ph2ent; - /* now we need to find all phase2 entries for this host */ - if(is_array($ph2ent)) { - ipsec_lookup_phase1($ph2ent, $ph1ent); - $old_ph1ent = $ph1ent; - $old_ph1ent['remote-gateway'] = resolve_retry($old_ph1ent['remote-gateway']); - } - write_config(); mark_subsystem_dirty('ipsec');
@@ -780,15 +770,13 @@ function change_protocol() { <tr> <td width="22%" valign="top"> </td> <td width="78%"> - <?php if (isset($p2index) && $a_phase2[$p2index]): ?> - <input name="p2index" type="hidden" value="<?=htmlspecialchars($p2index);?>" /> - <?php endif; ?> <?php if ($pconfig['mobile']): ?> <input name="mobile" type="hidden" value="true" /> <input name="remoteid_type" type="hidden" value="mobile" /> <?php endif; ?> <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" /> <input name="ikeid" type="hidden" value="<?=htmlspecialchars($pconfig['ikeid']);?>" /> + <input name="uniqid" type="hidden" value="<?=htmlspecialchars($pconfig['uniqid']);?>" /> </td> </tr> </table>
@@ -817,7 +805,6 @@ typesel_change_remote(<?=htmlspecialchars($pconfig['remoteid_netbits'])?>); /* local utility functions */ function pconfig_to_ealgos(& $pconfig) { - global $p2_ealgos; $ealgos = array(); |
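Review bot: The address-family check that refused `tunnel6` on a phase1 whose protocol is `inet` and `tunnel` on `inet6` (the `ipsec_lookup_phase1()` call and the two gettext messages removed in this hunk) is not reinstated anywhere in the visible diff, so a mismatched phase2 is now written to the config and the save no longer stops on it, even though the commit message only describes the uniqid change. Unless that validation moved to code outside this diff, it should stay ahead of the save, with the write happening only when `$input_errors` is still empty; the `$old_ph1ent`/`resolve_retry()` removal is consistent with the page no longer calling `vpn_ipsec_configure()` and needs nothing. The enclosing `if (!$input_errors) {` block starts before the hunk.
```php
		if (isset($pconfig['mobile']))
			$ph2ent['mobile'] = true;

		ipsec_lookup_phase1($ph2ent, $ph1ent);
		if (($ph1ent['protocol'] == "inet") && ($ph2ent['mode'] == "tunnel6"))
			$input_errors[] = gettext("Phase 1 is using IPv4. You cannot use Tunnel IPv6 on Phase 2.");
		if (($ph1ent['protocol'] == "inet6") && ($ph2ent['mode'] == "tunnel"))
			$input_errors[] = gettext("Phase 1 is using IPv6. You cannot use Tunnel IPv4 on Phase 2.");
	}

	if (!$input_errors) {
		if ($ph2found === true && $a_phase2[$p2index])
			$a_phase2[$p2index] = $ph2ent;
		else
			$a_phase2[] = $ph2ent;
		/* … unchanged: write_config(); mark_subsystem_dirty('ipsec'); … */
```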