-rw-r--r--etc/inc/auth.inc2
-rw-r--r--etc/inc/config.console.inc4
-rw-r--r--etc/inc/config.lib.inc11
-rw-r--r--etc/inc/filter.inc7
-rw-r--r--etc/inc/gwlb.inc34
-rw-r--r--etc/inc/notices.inc13
-rw-r--r--etc/inc/openvpn.inc2
-rw-r--r--etc/inc/priv/user.priv.inc6
-rw-r--r--etc/inc/system.inc7
-rw-r--r--etc/inc/upgrade_config.inc4
-rw-r--r--etc/inc/vpn.inc10
-rwxr-xr-xetc/rc.bootup3
-rwxr-xr-xetc/rc.newwanip2
-rwxr-xr-xsbin/dhclient-script5
-rwxr-xr-xusr/local/sbin/ntpdate_sync_once.sh12
-rw-r--r--usr/local/www/diag_packet_capture.php12
-rwxr-xr-xusr/local/www/head.inc2
-rwxr-xr-xusr/local/www/interfaces.php4
-rw-r--r--usr/local/www/services_captiveportal_vouchers.php9
-rwxr-xr-xusr/local/www/services_snmp.php2
-rw-r--r--usr/local/www/system_advanced_firewall.php17
-rw-r--r--usr/local/www/system_advanced_misc.php28
-rw-r--r--usr/local/www/themes/_corporate/rrdcolors.inc.php3
-rw-r--r--usr/local/www/themes/nervecenter/rrdcolors.inc.php1
-rwxr-xr-xusr/local/www/vpn_ipsec.php4
-rw-r--r--usr/local/www/vpn_l2tp.php41
-rw-r--r--usr/local/www/vpn_openvpn_client.php2
-rw-r--r--usr/local/www/vpn_openvpn_server.php6
28 files changed, 194 insertions, 59 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 8f1cde8..9d27da8 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -360,6 +360,8 @@ function local_user_set(& $user) {
$user_shell = "/usr/local/bin/scponly";
} elseif (userHasPrivilege($user, "user-ssh-tunnel")) {
$user_shell = "/usr/local/sbin/ssh_tunnel_shell";
+ } elseif (userHasPrivilege($user, "user-ipsec-xauth-dialin")) {
+ $user_shell = "/sbin/nologin";
} else {
$user_shell = "/sbin/nologin";
$lock_account = true;
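Review bot: The new `user-ipsec-xauth-dialin` branch assigns `/sbin/nologin` but, unlike the `else` branch directly below it, never sets `$lock_account = true`, so an xauth-only user ends up with an unlocked system account whose only restriction is its shell; the privilege text added in user.priv.inc already concedes this "may allow the user to create ssh tunnels", since sshd can still authenticate such an account for `ssh -N` port forwarding. If leaving the account unlocked is required (presumably so racoon can authenticate xauth users against the system account database), record that in a comment at the new branch, e.g. `/* xauth users need an unlocked account for racoon; nologin stops shells but not sshd port forwarding */`, and consider restricting sshd for that group elsewhere. local_user_set() starts and ends outside this hunk, so any later handling of `$lock_account` is not visible here.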
diff --git a/etc/inc/config.console.inc b/etc/inc/config.console.inc
index 9512b95..03a9833 100644
--- a/etc/inc/config.console.inc
+++ b/etc/inc/config.console.inc
@@ -84,8 +84,8 @@ EOD;
$iflist = array();
} else {
foreach ($iflist as $iface => $ifa) {
- echo sprintf("% -6s%s%s\t%s\n", $iface, $ifa['mac'],
- $ifa['up'] ? " (up)" : " (down)", $ifa['dmesg']);
+ echo sprintf("% -6s%s %s %s\n", $iface, $ifa['mac'],
+ $ifa['up'] ? " (up)" : "(down)", $ifa['dmesg']);
}
}
diff --git a/etc/inc/config.lib.inc b/etc/inc/config.lib.inc
index 5b84cfa..7232d14 100644
--- a/etc/inc/config.lib.inc
+++ b/etc/inc/config.lib.inc
@@ -534,10 +534,17 @@ function write_config($desc="Unknown", $backup = true) {
/* NOTE: We assume that the file can be parsed since we wrote it. */
$config = parse_xml_config("{$g['conf_path']}/config.xml", $g['xml_rootobj']);
if ($config == -1) {
+ copy("{$g['conf_path']}/config.xml", "{$g['conf_path']}/config.xml.bad");
$last_backup = discover_last_backup();
- if ($last_backup)
+ if ($last_backup) {
restore_backup("/cf/conf/backup/{$last_backup}");
- else
+ $config = parse_xml_config("{$g['conf_path']}/config.xml", $g['xml_rootobj']);
+ if ($g['booting']) {
+ echo "\n\n ************** WARNING **************";
+ echo "\n\n Configuration could not be validated. A previous configuration was restored. \n";
+ echo "\n The failed configuration file has been saved as {$g['conf_path']}/config.xml.bad} \n\n";
+ }
+ } else
log_error(gettext("Could not restore config.xml."));
} else
generate_config_cache($config);
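Review bot: The result of the second `parse_xml_config()` after `restore_backup()` is never checked, so if the restored backup also fails to parse `$config` remains `-1` and the function continues with that value, and `generate_config_cache()` is skipped even when the restore succeeded because it hangs off the outer `else`. Guard it with something like `if ($config == -1) log_error(gettext("Restored backup could not be parsed either.")); else generate_config_cache($config);` inside the `if ($last_backup)` block. The boot-time message also carries a stray brace in the string (`config.xml.bad}`) which will be printed verbatim. Note too that `config.xml.bad` is a full copy of a file holding credentials and keys and `copy()` does not carry over the source's mode, so the permissions on the copy are worth confirming. write_config() begins before this hunk.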
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 08b166f..4340f1c 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1060,6 +1060,7 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_
$toadd_array = array_merge($toadd_array, range($loc_pt[0], $loc_pt[0] + $delta));
if(!empty($toadd_array)) {
+ $target = explode(" ", trim($target));
foreach($toadd_array as $tda) {
if (empty($tda))
continue;
@@ -1071,7 +1072,6 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_
$socktype = "stream";
$dash_u = "";
}
- $target = explode(" ", trim($target));
foreach ($target as $targip) {
if (empty($targip))
continue;
@@ -2268,7 +2268,7 @@ EOD;
}
}
/* PPTPd enabled? */
- if($pptpdcfg['mode'] && ($pptpdcfg['mode'] != "off")) {
+ if($pptpdcfg['mode'] && ($pptpdcfg['mode'] != "off") && !isset($config['system']['disablevpnrules'])) {
if($pptpdcfg['mode'] == "server")
$pptpdtarget = get_interface_ip();
else
@@ -2701,6 +2701,9 @@ function filter_generate_ipsec_rules() {
echo "filter_generate_ipsec_rules() being called $mt\n";
}
+ if (isset($config['system']['disablevpnrules']))
+ return "\n# VPN Rules not added disabled in System->Advanced.\n";
+
$ipfrules = "\n# VPN Rules\n";
/* Is IP Compression enabled? */
if(isset($config['ipsec']['ipcomp']))
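Review bot: The early-return string reads as a sentence fragment (`# VPN Rules not added disabled in System->Advanced.`) and will be emitted into the generated ruleset; `return "\n# VPN Rules not added: disabled in System->Advanced.\n";` reads correctly. Since this returns before any IPsec pass rules (ISAKMP, NAT-T, ESP) are generated, and nothing else in this diff adds replacements, the admin must add those rules manually or peers will be blocked; the new UI option's help text should say so. filter_generate_ipsec_rules() continues past the end of this hunk.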
diff --git a/etc/inc/gwlb.inc b/etc/inc/gwlb.inc
index 6c4cb9d..d2aaa39 100644
--- a/etc/inc/gwlb.inc
+++ b/etc/inc/gwlb.inc
@@ -373,23 +373,33 @@ function return_gateway_groups_array() {
*/
$upgw = "";
$dfltgwdown = false;
+ $dfltgwfound = false;
foreach ($gateways_arr as $gwname => $gwsttng) {
- if ($gwsttng['defaultgw'] == true && stristr($gateways_status[$gwname]['status'], "down"))
- $dfltgwdown = true;
+ if (isset($gwsttng['defaultgw'])) {
+ $dfltgwfound = true;
+ if (stristr($gateways_status[$gwname]['status'], "down"))
+ $dfltgwdown = true;
+ }
/* Keep a record of the last up gateway */
if (empty($upgw) && !stristr($gateways_status[$gwname]['status'], "down"))
$upgw = $gwname;
- if ($dfltgwdown == true && !empty($upgw)) {
- if ($gateways_arr[$upgw]['gateway'] == "dynamic")
- $gateways_arr[$upgw]['gateway'] = get_interface_gateway($gateways_arr[$upgw]['friendlyiface']);
- if (is_ipaddr($gateways_arr[$upgw]['gateway'])) {
- log_error("Default gateway down setting {$upgw} as default!");
- mwexec("/sbin/route delete -inet default; /sbin/route add -inet default {$gateways_arr[$upgw]['gateway']}");
- }
+ if ($dfltgwdown == true && !empty($upgw))
break;
+ }
+ if ($dfltgwfound == false) {
+ $gwname = convert_friendly_interface_to_friendly_descr("wan");
+ if (stristr($gateways_status[$gwname]['status'], "down"))
+ $dfltgwdown = true;
+ }
+ if ($dfltgwdown == true && !empty($upgw)) {
+ if ($gateways_arr[$upgw]['gateway'] == "dynamic")
+ $gateways_arr[$upgw]['gateway'] = get_interface_gateway($gateways_arr[$upgw]['friendlyiface']);
+ if (is_ipaddr($gateways_arr[$upgw]['gateway'])) {
+ log_error("Default gateway down setting {$upgw} as default!");
+ mwexec("/sbin/route delete -inet default; /sbin/route add -inet default {$gateways_arr[$upgw]['gateway']}");
}
}
- unset($upgw, $dfltgwdown, $gwname, $gwsttng);
+ unset($upgw, $dfltgwfound, $dfltgwdown, $gwname, $gwsttng);
if (is_array($config['gateways']['gateway_group'])) {
foreach($config['gateways']['gateway_group'] as $group) {
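Review bot: The new `$dfltgwfound == false` fallback looks up `$gateways_status[$gwname]` using the value of `convert_friendly_interface_to_friendly_descr("wan")`, whereas everywhere else in this hunk `$gateways_status` is indexed by the gateway name taken from `$gateways_arr` (the foreach key); unless the WAN gateway's name happens to equal the interface description, that lookup presumably yields null, `stristr()` on it is false, and a down default gateway is never detected in the no-`defaultgw` case. If the intent is "use the WAN gateway when none is marked default", resolve it through `$gateways_arr` (e.g. the entry whose `friendlyiface`/interface is `wan`) and then index `$gateways_status` by that entry's key. A short comment stating what the fallback is meant to cover would also help, since the break inside the loop now means `$upgw` is the first up gateway rather than the last one the old comment describes.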
@@ -409,7 +419,7 @@ function return_gateway_groups_array() {
$status = $gateways_status[$gwname];
$gwdown = false;
if (stristr($status['status'], "down")) {
- $msg = sprintf(gettext("MONITOR: %s has high latency, removing from routing group"), $gwname);
+ $msg = sprintf(gettext("MONITOR: %s is down, removing from routing group"), $gwname);
$gwdown = true;
} else if (stristr($status['status'], "loss") && strstr($group['trigger'], "loss")) {
/* packet loss */
@@ -423,6 +433,7 @@ function return_gateway_groups_array() {
if ($gwdown == true) {
log_error($msg);
notify_via_growl($msg);
+ notify_via_smtp($msg);
} else
/* Online add member */
$tiers[$tier][] = $gwname;
@@ -435,6 +446,7 @@ function return_gateway_groups_array() {
$msg = gettext("Gateways status could not be determined, considering all as up/active.");
log_error($msg);
notify_via_growl($msg);
+ notify_via_smtp($msg);
}
$tiers = $backupplan;
}
diff --git a/etc/inc/notices.inc b/etc/inc/notices.inc
index 54a8489..a35d148 100644
--- a/etc/inc/notices.inc
+++ b/etc/inc/notices.inc
@@ -345,6 +345,14 @@ function notify_via_smtp($message) {
function notify_via_growl($message) {
require_once("growl.class");
global $config,$g;
+
+ /* Do NOT send the same message twice */
+ if(file_exists("/var/db/growlnotices_lastmsg.txt")) {
+ $lastmsg = trim(file_get_contents("/var/db/growlnotices_lastmsg.txt"));
+ if($lastmsg == $message)
+ return;
+ }
+
$hostname = $config['system']['hostname'] . "." . $config['system']['domain'];
$growl_ip = $config['notifications']['growl']['ipaddress'];
$growl_password = $config['notifications']['growl']['password'];
@@ -355,6 +363,11 @@ function notify_via_growl($message) {
$growl = new Growl($growl_ip, $growl_password, $growl_name);
$growl->notify("{$growl_notification}", gettext(sprintf("%s (%s) - Notification", $g['product_name'], $hostname)), "{$message}");
}
+
+ /* Store last message sent to avoid spamming */
+ $fd = fopen("/var/db/growlnotices_lastmsg.txt", "w");
+ fwrite($fd, $message);
+ fclose($fd);
}
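Review bot: The `fopen("/var/db/growlnotices_lastmsg.txt", "w")` result is not checked, so on a read-only or missing /var/db the following `fwrite()`/`fclose()` run on `false` and emit warnings; wrap it as `if ($fd = fopen(...)) { fwrite($fd, $message); fclose($fd); }` or use `file_put_contents()`. The suppression implemented by the compare in the preceding hunk is also permanent: the last-message file is never cleared or aged, so a gateway that goes down, recovers, and goes down again with the same message is never announced a second time; consider storing a timestamp alongside the text and only suppressing within a window. As far as this hunk shows the file is written at the end of the function regardless of whether a growl notification was actually dispatched, which is worth confirming against the part of the function cut from the hunk.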
/****f* notices/register_via_growl
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index 96ea1f9..17769bf 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -382,13 +382,13 @@ function openvpn_reconfigure($mode, $settings) {
// configure p2p/server modes
switch($settings['mode']) {
- case 'p2p_tls':
case 'p2p_shared_key':
$baselong = ip2long32($ip) & ip2long($mask);
$ip1 = long2ip32($baselong + 1);
$ip2 = long2ip32($baselong + 2);
$conf .= "ifconfig $ip1 $ip2\n";
break;
+ case 'p2p_tls':
case 'server_tls':
case 'server_user':
case 'server_tls_user':
diff --git a/etc/inc/priv/user.priv.inc b/etc/inc/priv/user.priv.inc
index 779f2bb..bfc7f59 100644
--- a/etc/inc/priv/user.priv.inc
+++ b/etc/inc/priv/user.priv.inc
@@ -21,6 +21,12 @@ $priv_list['user-ssh-tunnel']['descr'] = "Indicates whether the user is able to
"Note: User - System - Copy files conflicts with ".
"this privilege.";
+$priv_list['user-ipsec-xauth-dialin'] = array();
+$priv_list['user-ipsec-xauth-dialin']['name'] = "User - VPN - IPsec xauth Dialin";
+$priv_list['user-ipsec-xauth-dialin']['descr'] = "Indicates whether the user is allowed to dial in via IPsec xauth ".
+ "(Note: Does not allow shell access, but may allow ".
+ "the user to create ssh tunnels)";
+
$priv_list['user-l2tp-dialin'] = array();
$priv_list['user-l2tp-dialin']['name'] = "User - VPN - L2TP Dialin";
$priv_list['user-l2tp-dialin']['descr'] = "Indicates whether the user is allowed to dial in via L2TP";
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index 0ccce7e..1b80378 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -1166,11 +1166,11 @@ function system_ntp_configure() {
$ips = array_map('find_interface_ip', $ifaces);
foreach ($ips as $ip) {
if (is_ipaddr($ip))
- $ntpdcfg .= "listen on $ip\n";
+ $ntpcfg .= "listen on $ip\n";
}
}
}
- $ntpdcfg .= "\n";
+ $ntpcfg .= "\n";
/* open configuration for wrting or bail */
$fd = fopen("{$g['varetc_path']}/ntpd.conf","w");
@@ -1192,9 +1192,6 @@ function system_ntp_configure() {
if(!is_dir("/var/empty"))
exec("/bin/mkdir -p /var/empty && chmod ug+rw /var/empty/.");
- if ($g['booting'])
- return;
-
/* start opentpd, set time now and use /var/etc/ntpd.conf */
exec("/usr/local/sbin/ntpd -s -f {$g['varetc_path']}/ntpd.conf");
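Review bot: With the `$g['booting']` early return removed, `system_ntp_configure()` now execs a new `ntpd -s` at boot and, via the rc.newwanip change in this same diff, on every WAN IP change, but nothing visible in this hunk stops a previously started ntpd first (the old ntpdate_sync_once.sh did `killall ntpd` before launching). Unless the part of the function outside the hunk already terminates the running daemon, repeated IP changes will leave multiple ntpd processes competing for the socket; add a `killbyname("ntpd")` (or equivalent) before the exec, or a comment stating where the old instance is stopped. system_ntp_configure() begins before this hunk.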
diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc
index 8cdc97c..02825a1 100644
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
@@ -1470,12 +1470,12 @@ function upgrade_051_to_052() {
$server['caref'] = $ca['refid'];
/* create a crl entry if needed */
- if (!empty($server['crl'])) {
+ if (!empty($server['crl'][0])) {
$crl = array();
$crl['refid'] = uniqid();
$crl['descr'] = "Imported OpenVPN CRL #{$index}";
$crl['caref'] = $ca['refid'];
- $crl['text'] = $server['crl'];
+ $crl['text'] = $server['crl'][0];
if(!is_array($config['crl']))
$config['crl'] = array();
$config['crl'][] = $crl;
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 702ad99..dbd947b 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -896,7 +896,8 @@ EOD;
mwexec("/usr/local/sbin/setkey -F", false);
sleep("0.1");
/* start racoon */
- mwexec("/usr/local/sbin/racoon -f {$g['varetc_path']}/racoon.conf", false);
+ $ipsecdebug = isset($config['ipsec']['racoondebug']) ? "-d -v" : "";
+ mwexec("/usr/local/sbin/racoon {$ipsecdebug} -f {$g['varetc_path']}/racoon.conf", false);
sleep("0.1");
/* load SPD */
mwexec("/usr/local/sbin/setkey -f {$g['varetc_path']}/spd.conf", false);
@@ -1489,9 +1490,12 @@ l2tp_standard:
EOD;
- if (!empty($l2tpcfg['dns1'])) {
+ if (is_ipaddr($l2tpcfg['wins'])) {
+ $mpdconf .= " set ipcp nbns {$l2tpcfg['wins']}\n";
+ }
+ if (is_ipaddr($l2tpcfg['dns1'])) {
$mpdconf .= " set ipcp dns " . $l2tpcfg['dns1'];
- if (!empty($l2tpcfg['dns2']))
+ if (is_ipaddr($l2tpcfg['dns2']))
$mpdconf .= " " . $l2tpcfg['dns2'];
$mpdconf .= "\n";
} elseif (isset ($config['dnsmasq']['enable'])) {
diff --git a/etc/rc.bootup b/etc/rc.bootup
index 6cff6ac..e71c430 100755
--- a/etc/rc.bootup
+++ b/etc/rc.bootup
@@ -289,9 +289,6 @@ echo "Starting OpenNTP time client...";
system_ntp_configure();
echo "done.\n";
-/* Launch on bootup and keep trying to sync. Exit once time/date has been sync'd. */
-mwexec_bg("/usr/local/sbin/ntpdate_sync_once.sh");
-
/* start DHCP service */
services_dhcpd_configure();
diff --git a/etc/rc.newwanip b/etc/rc.newwanip
index 654d0dd..0395099 100755
--- a/etc/rc.newwanip
+++ b/etc/rc.newwanip
@@ -49,7 +49,7 @@ function restart_packages() {
global $oldip, $curwanipi, $g;
/* restart packages */
- mwexec_bg("/usr/local/sbin/ntpdate_sync_once.sh");
+ system_ntp_configure();
log_error("{$g['product_name']} package system has detected an ip change $oldip -> $curwanip ... Restarting packages.");
mwexec_bg("/etc/rc.start_packages");
}
diff --git a/sbin/dhclient-script b/sbin/dhclient-script
index e7fee7a..e51132e 100755
--- a/sbin/dhclient-script
+++ b/sbin/dhclient-script
@@ -192,7 +192,10 @@ add_new_routes() {
if [ "$new_ip_address" = "$router" -o "$router" = "255.255.255.255" ]; then
$ROUTE add default -iface $interface
echo $ROUTE add default -iface $interface | $LOGGER
- echo $router > /tmp/${interface}_router
+ # NOTE: Do not activate this for all ones address since pf(4) will try to forward packets to it.
+ if [ "$new_ip_address" = "$router" ]; then
+ echo $router > /tmp/${interface}_router
+ fi
else
$ROUTE add default $router
echo $ROUTE add default $router | $LOGGER
diff --git a/usr/local/sbin/ntpdate_sync_once.sh b/usr/local/sbin/ntpdate_sync_once.sh
index 508ce3e..e328ac4 100755
--- a/usr/local/sbin/ntpdate_sync_once.sh
+++ b/usr/local/sbin/ntpdate_sync_once.sh
@@ -2,16 +2,18 @@
NOTSYNCED="true"
SERVER=`cat /cf/conf/config.xml | grep timeservers | cut -d">" -f2 | cut -d"<" -f1`
+pkill -f ntpdate_sync_once.sh
while [ "$NOTSYNCED" = "true" ]; do
- ntpdate $SERVER
+ # Ensure that ntpd and ntpdate are not running so that the socket we want will be free.
+ killall ntpd 2>/dev/null
+ killall ntpdate
+ sleep 1
+ ntpdate -s -t 5 $SERVER
if [ "$?" = "0" ]; then
NOTSYNCED="false"
fi
sleep 5
done
-# Launch -- we have net.
-killall ntpd 2>/dev/null
-sleep 1
-/usr/local/sbin/ntpd -s -f /var/etc/ntpd.conf
+/usr/local/sbin/ntpd -s -f /var/etc/ntpd.conf \ No newline at end of file
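Review bot: `pkill -f ntpdate_sync_once.sh` matches the command line of every shell running this script, including the one executing this very line — pkill only excludes its own process — so the script presumably kills itself before reaching the loop. Exclude the current shell, e.g. `pgrep -f ntpdate_sync_once.sh | grep -v "^$$\$" | xargs kill 2>/dev/null`, or record a pid file instead. Note also that this diff removes both callers of the script (rc.bootup and rc.newwanip), so it may now be dead code, the file ends without a trailing newline, and `killall ntpdate` lacks the `2>/dev/null` its sibling has.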
diff --git a/usr/local/www/diag_packet_capture.php b/usr/local/www/diag_packet_capture.php
index 8a9cb41..684011c 100644
--- a/usr/local/www/diag_packet_capture.php
+++ b/usr/local/www/diag_packet_capture.php
@@ -72,7 +72,7 @@ if ($_POST) {
} elseif ($_POST['stopbtn']!= "") {
$action = gettext("Stop");
- $processes_running = trim(shell_exec('/bin/ps axw -O pid= | /usr/bin/grep tcpdump | /usr/bin/grep '.$fn.' | /usr/bin/grep -v pflog'));
+ $processes_running = trim(shell_exec("/bin/ps axw -O pid= | /usr/bin/grep tcpdump | /usr/bin/grep {$fn} | /usr/bin/egrep -v '(pflog|grep)'"));
//explode processes into an array, (delimiter is new line)
$processes_running_array = explode("\n", $processes_running);
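Review bot: `$fn` is now interpolated directly into a `shell_exec()` command string (the same pattern is repeated in the next hunk, where the old single-quoted string had actually passed a literal `$fn` to grep); if `$fn` is a fixed filename defined above this hunk that is harmless, but if it is ever derived from request input it becomes shell injection. Pass it through `escapeshellarg($fn)` in both places so the intent is explicit regardless of where `$fn` originates. The `egrep -v '(pflog|grep)'` fix for the grep self-match is correct.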
@@ -194,13 +194,13 @@ include("fbegin.inc");
<?php
/* check to see if packet capture tcpdump is already running */
- $processcheck = (trim(shell_exec('/bin/ps axw -O pid= | /usr/bin/grep tcpdump | /usr/bin/grep $fn | /usr/bin/grep -v pflog')));
+ $processcheck = (trim(shell_exec("/bin/ps axw -O pid= | /usr/bin/grep tcpdump | /usr/bin/grep {$fn} | /usr/bin/egrep -v '(pflog|grep)'")));
- $processisrunning = false;
-
- if ($processcheck != false)
+ if ($processcheck != "")
$processisrunning = true;
-
+ else
+ $processisrunning = false;
+
if (($action == gettext("Stop") or $action == "") and $processisrunning != true)
echo "<input type=\"submit\" name=\"startbtn\" value=\"" . gettext("Start") . "\">&nbsp;";
else {
diff --git a/usr/local/www/head.inc b/usr/local/www/head.inc
index 97c7111..a24be9e 100755
--- a/usr/local/www/head.inc
+++ b/usr/local/www/head.inc
@@ -7,7 +7,7 @@
* if user has selected a custom template, use it.
* otherwise default to pfsense tempalte
*/
-if($config['theme'] <> "")
+if($config['theme'] <> "" && (is_dir($g["www_path"].'/themes/'.$config['theme'])))
$g['theme'] = $config['theme'];
else
$g['theme'] = "pfsense";
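Review bot: The new `is_dir()` check confirms the theme directory exists but does not constrain the value, so a `$config['theme']` containing `../` segments still passes and `$g['theme']` is presumably used later to build include and asset paths. Since this is a config-stored, admin-controlled value the exposure is limited, but a cheap whitelist makes it safe by construction: `if ($config['theme'] <> "" && preg_match('/^[A-Za-z0-9_-]+$/', $config['theme']) && is_dir($g["www_path"].'/themes/'.$config['theme']))`.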
diff --git a/usr/local/www/interfaces.php b/usr/local/www/interfaces.php
index 2469631..ec8d3ee 100755
--- a/usr/local/www/interfaces.php
+++ b/usr/local/www/interfaces.php
@@ -1200,10 +1200,10 @@ $types = array("none" => gettext("None"), "static" => gettext("Static"), "dhcp"
}
}
?>
- </select>
+ </select> -or- <a OnClick="show_add_gateway();" href="#"><?=gettext("add a new one."); ?></a>
<br/>
<div id='addgwbox'>
- <?=gettext("If this interface is an Internet connection, select an existing Gateway from the list or"); ?> <a OnClick="show_add_gateway();" href="#"><?=gettext("add a new one."); ?></a>
+ <?=gettext("If this interface is an Internet connection, select an existing Gateway from the list or add one using the link above"); ?>
</div>
<div id='notebox'>
</div>
diff --git a/usr/local/www/services_captiveportal_vouchers.php b/usr/local/www/services_captiveportal_vouchers.php
index d6ffc55..203906a 100644
--- a/usr/local/www/services_captiveportal_vouchers.php
+++ b/usr/local/www/services_captiveportal_vouchers.php
@@ -167,7 +167,7 @@ if ($_POST) {
$pconfig = $_POST;
/* input validation */
- if ($_POST['enable']) {
+ if ($_POST['enable'] == "yes") {
if (!$_POST['vouchersyncusername']) {
$reqdfields = explode(" ", "charset rollbits ticketbits checksumbits publickey magic saveinterval");
$reqdfieldsn = array(gettext("charset"),gettext("rollbits"),gettext("ticketbits"),gettext("checksumbits"),gettext("publickey"),gettext("magic"),gettext("saveinterval"));
@@ -202,8 +202,11 @@ if ($_POST) {
}
if (!$input_errors) {
- $config['voucher']['enable'] = $_POST['enable'] ? true : false;
- if (!$_POST['vouchersyncusername']) {
+ if ($_POST['enable'] == "yes")
+ $config['voucher']['enable'] = true;
+ else
+ unset($config['voucher']['enable']);
+ if (empty($_POST['vouchersyncusername'])) {
$config['voucher']['charset'] = $_POST['charset'];
$config['voucher']['rollbits'] = $_POST['rollbits'];
$config['voucher']['ticketbits'] = $_POST['ticketbits'];
diff --git a/usr/local/www/services_snmp.php b/usr/local/www/services_snmp.php
index 432db3d..925cb7b 100755
--- a/usr/local/www/services_snmp.php
+++ b/usr/local/www/services_snmp.php
@@ -384,7 +384,7 @@ function enable_change(whichone) {
<input name="hostres" type="checkbox" id="hostres" value="yes" onClick="check_deps()" <?php if ($pconfig['hostres']) echo "checked"; ?> ><?=gettext("Host Resources (Requires MibII)");?>
</td>
</tr>
-<?php if(!$config['interfaces']['lan']): ?>
+<?php if($config['interfaces']['lan']): ?>
<tr>
<td width="22%" valign="top" class="vtable"></td>
<td width="78%" class="vtable">
diff --git a/usr/local/www/system_advanced_firewall.php b/usr/local/www/system_advanced_firewall.php
index 8165922..0cdaad7 100644
--- a/usr/local/www/system_advanced_firewall.php
+++ b/usr/local/www/system_advanced_firewall.php
@@ -66,6 +66,7 @@ $pconfig['reflectiontimeout'] = $config['system']['reflectiontimeout'];
$pconfig['bypassstaticroutes'] = isset($config['filter']['bypassstaticroutes']);
$pconfig['disablescrub'] = isset($config['system']['disablescrub']);
$pconfig['tftpinterface'] = explode(",", $config['system']['tftpinterface']);
+$pconfig['disablevpnrules'] = isset($config['system']['disablevpnrules']);
if ($_POST) {
@@ -96,6 +97,10 @@ if ($_POST) {
else
unset($config['system']['disablefilter']);
+ if($_POST['disablevpnrules'] == "yes")
+ $config['system']['disablevpnrules'] = true;
+ else
+ unset($config['system']['disablevpnrules']);
if($_POST['rfc959workaround'] == "yes")
$config['system']['rfc959workaround'] = "enabled";
else
@@ -139,7 +144,7 @@ if ($_POST) {
if($_POST['bypassstaticroutes'] == "yes")
$config['filter']['bypassstaticroutes'] = $_POST['bypassstaticroutes'];
- else
+ elseif(isset($config['filter']['bypassstaticroutes']))
unset($config['filter']['bypassstaticroutes']);
if($_POST['disablescrub'] == "yes")
@@ -331,6 +336,16 @@ function update_description(itemnum) {
</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell">Disable Auto-added VPN rules</td>
+ <td width="78%" class="vtable">
+ <input name="disablevpnrules" type="checkbox" id="disablevpnrules" value="yes" <?php if (isset($config['system']['disablevpnrules'])) echo "checked"; ?> />
+ <strong><?=gettext("Disable all auto-added VPN rules.");?></strong>
+ <br />
+ <span class="vexpl"><?=gettext("Note: This disables automatically added rules for IPsec, PPTP.");?>
+ </span>
+ </td>
+ </tr>
+ <tr>
<td width="22%" valign="top" class="vncell">Disable reply-to</td>
<td width="78%" class="vtable">
<input name="disablereplyto" type="checkbox" id="disablereplyto" value="yes" <?php if ($pconfig['disablereplyto']) echo "checked"; ?> />
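Review bot: The help text for the new option only says which rules are disabled, not the consequence: per the filter.inc changes in this diff, enabling it removes the pass rules for IPsec (ISAKMP/NAT-T/ESP) and PPTP entirely, so remote VPN peers will be blocked until the admin adds equivalent rules by hand. Extend the note, e.g. `gettext("Note: This disables automatically added rules for IPsec, PPTP. You must add your own firewall rules for these protocols or VPN traffic will be blocked.")`. The label cell also hard-codes "Disable Auto-added VPN rules" without `gettext()`, unlike the other labels in this form that are wrapped.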
diff --git a/usr/local/www/system_advanced_misc.php b/usr/local/www/system_advanced_misc.php
index b93301d..590a955 100644
--- a/usr/local/www/system_advanced_misc.php
+++ b/usr/local/www/system_advanced_misc.php
@@ -47,11 +47,13 @@ require("guiconfig.inc");
require_once("functions.inc");
require_once("filter.inc");
require_once("shaper.inc");
+require_once("ipsec.inc");
require_once("vpn.inc");
$pconfig['harddiskstandby'] = $config['system']['harddiskstandby'];
$pconfig['lb_use_sticky'] = isset($config['system']['lb_use_sticky']);
$pconfig['preferoldsa_enable'] = isset($config['ipsec']['preferoldsa']);
+$pconfig['racoondebug_enable'] = isset($config['ipsec']['racoondebug']);
$pconfig['maxmss_enable'] = isset($config['system']['maxmss_enable']);
$pconfig['maxmss'] = $config['system']['maxmss'];
$pconfig['powerd_enable'] = isset($config['system']['powerd_enable']);
@@ -85,6 +87,19 @@ if ($_POST) {
else
unset($config['ipsec']['preferoldsa']);
+ $need_racoon_restart = false;
+ if($_POST['racoondebug_enable'] == "yes") {
+ if (!isset($config['ipsec']['racoondebug'])) {
+ $config['ipsec']['racoondebug'] = true;
+ $need_racoon_restart = true;
+ }
+ } else {
+ if (isset($config['ipsec']['racoondebug'])) {
+ unset($config['ipsec']['racoondebug']);
+ $need_racoon_restart = true;
+ }
+ }
+
if($_POST['maxmss_enable'] == "yes") {
$config['system']['maxmss_enable'] = true;
$config['system']['maxmss'] = $_POST['maxmss'];
@@ -125,6 +140,8 @@ if ($_POST) {
activate_powerd();
load_glxsb();
vpn_ipsec_configure_preferoldsa();
+ if ($need_racoon_restart)
+ vpn_ipsec_force_reload();
}
}
@@ -259,6 +276,17 @@ function maxmss_checked(obj) {
</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("IPsec Debug"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="racoondebug_enable" type="checkbox" id="racoondebug_enable" value="yes" <?php if ($pconfig['racoondebug_enable']) echo "checked"; ?> />
+ <strong><?=gettext("Start racoon in debug mode"); ?></strong>
+ <br />
+ <?=gettext("Launches racoon in debug mode so that more verbose logs " .
+ "will be generated to aid in troubleshooting."); ?><br/>
+ <?=gettext("NOTE: Changing this setting will restart racoon."); ?>
+ </td>
+ </tr>
+ <tr>
<td width="22%" valign="top" class="vncell"><?=gettext("Maximum MSS"); ?></td>
<td width="78%" class="vtable">
<input name="maxmss_enable" type="checkbox" id="maxmss_enable" value="yes" <?php if ($pconfig['maxmss_enable'] == true) echo "checked"; ?> onClick="maxmss_checked(this)" />
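Review bot: The IPsec Debug option is persisted in config.xml and therefore survives reboots, and `racoon -d -v` (as wired up in vpn.inc in this diff) produces verbose negotiation logging that may include more detail than an operator wants retained on a production box and that grows the system log quickly. Add a line to the help text recommending it be turned off once troubleshooting is done, e.g. `gettext("Disable this again once troubleshooting is complete; the setting persists across reboots and greatly increases log volume.")`.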
diff --git a/usr/local/www/themes/_corporate/rrdcolors.inc.php b/usr/local/www/themes/_corporate/rrdcolors.inc.php
index e3153fd..09956cc 100644
--- a/usr/local/www/themes/_corporate/rrdcolors.inc.php
+++ b/usr/local/www/themes/_corporate/rrdcolors.inc.php
@@ -32,6 +32,7 @@
$colortrafficup = array("666666", "CCCCCC");
$colortrafficdown = array("990000", "CC0000");
+$colortraffic95 = array("660000", "FF0000");
$colorpacketsup = array("666666", "CCCCCC");
$colorpacketsdown = array("990000", "CC0000");
$colorstates = array('990000','a83c3c','b36666','bd9090','cccccc','000000');
@@ -46,5 +47,7 @@ $colorqualityloss = "ee0000";
$colorwireless = array('333333','a83c3c','999999');
$colorspamdtime = array('DDDDFF', 'AAAAFF', 'DDDDFF', '000066');
$colorspamdconn = array('00AA00BB', 'FFFFFFFF', '00660088', 'FFFFFF88', '006600');
+$colorvpnusers = array('990000');
+$colorcaptiveportalusers = array('990000');
?>
diff --git a/usr/local/www/themes/nervecenter/rrdcolors.inc.php b/usr/local/www/themes/nervecenter/rrdcolors.inc.php
index c681f78..09956cc 100644
--- a/usr/local/www/themes/nervecenter/rrdcolors.inc.php
+++ b/usr/local/www/themes/nervecenter/rrdcolors.inc.php
@@ -48,5 +48,6 @@ $colorwireless = array('333333','a83c3c','999999');
$colorspamdtime = array('DDDDFF', 'AAAAFF', 'DDDDFF', '000066');
$colorspamdconn = array('00AA00BB', 'FFFFFFFF', '00660088', 'FFFFFF88', '006600');
$colorvpnusers = array('990000');
+$colorcaptiveportalusers = array('990000');
?>
diff --git a/usr/local/www/vpn_ipsec.php b/usr/local/www/vpn_ipsec.php
index 40879f6..465c607 100755
--- a/usr/local/www/vpn_ipsec.php
+++ b/usr/local/www/vpn_ipsec.php
@@ -418,7 +418,9 @@ include("head.inc");
<span class="red">
<strong><?=gettext("Note"); ?>:<br></strong>
</span>
- <?=gettext("You can check your IPsec status at"); ?> <a href="diag_ipsec.php"><?=gettext("Status:IPsec"); ?></a>.
+ <?=gettext("You can check your IPsec status at"); ?> <a href="diag_ipsec.php"><?=gettext("Status:IPsec"); ?></a>.<br/>
+ <?=gettext("IPsec Debug Mode can be enabled at"); ?> <a href="system_advanced_misc.php"><?=gettext("System:Advanced:Miscellaneous"); ?></a>.<br/>
+ <?=gettext("IPsec can be set to prefer older SAs at"); ?> <a href="system_advanced_misc.php"><?=gettext("System:Advanced:Miscellaneous"); ?></a>.
</span>
</p>
</td>
diff --git a/usr/local/www/vpn_l2tp.php b/usr/local/www/vpn_l2tp.php
index 3cb6e4e..37eac0f 100644
--- a/usr/local/www/vpn_l2tp.php
+++ b/usr/local/www/vpn_l2tp.php
@@ -50,6 +50,9 @@ $pconfig['localip'] = $l2tpcfg['localip'];
$pconfig['l2tp_subnet'] = $l2tpcfg['l2tp_subnet'];
$pconfig['mode'] = $l2tpcfg['mode'];
$pconfig['interface'] = $l2tpcfg['interface'];
+$pconfig['l2tp_dns1'] = $l2tpcfg['dns1'];
+$pconfig['l2tp_dns2'] = $l2tpcfg['dns2'];
+$pconfig['wins'] = $l2tpcfg['wins'];
$pconfig['radiusenable'] = isset($l2tpcfg['radius']['enable']);
$pconfig['radacct_enable'] = isset($l2tpcfg['radius']['accounting']);
$pconfig['radiusserver'] = $l2tpcfg['radius']['server'];
@@ -126,8 +129,26 @@ if ($_POST) {
$l2tpcfg['radius']['secret'] = $_POST['radiussecret'];
$l2tpcfg['secret'] = $_POST['secret'];
+ if($_POST['wins'])
+ $l2tpcfg['wins'] = $_POST['wins'];
+ else
+ unset($l2tpcfg['wins']);
+
$l2tpcfg['paporchap'] = $_POST['paporchap'];
+
+ if ($_POST['l2tp_dns1'] == "") {
+ if (isset($l2tpcfg['dns1']))
+ unset($l2tpcfg['dns1']);
+ } else
+ $l2tpcfg['dns1'] = $_POST['l2tp_dns1'];
+
+ if ($_POST['l2tp_dns2'] == "") {
+ if (isset($l2tpcfg['dns2']))
+ unset($l2tpcfg['dns2']);
+ } else
+ $l2tpcfg['dns2'] = $_POST['l2tp_dns2'];
+
if($_POST['radiusenable'] == "yes")
$l2tpcfg['radius']['enable'] = true;
else
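Review bot: The new `wins`, `l2tp_dns1` and `l2tp_dns2` values are stored straight from `$_POST` without any `is_ipaddr()` check in the validation section above this hunk, so a typo is silently accepted here and then silently dropped by the `is_ipaddr()` guards added in vpn.inc, leaving the admin with no DNS/WINS pushed and no error. Add validation alongside the other input checks, e.g. `if ($_POST['l2tp_dns1'] && !is_ipaddr($_POST['l2tp_dns1'])) $input_errors[] = gettext("A valid IP address must be specified for the primary DNS server.");` and the same for `l2tp_dns2` and `wins`. The form markup below also marks `l2tp_dns1` with `$mandfldhtml` even though it is optional in this save logic, and `wins` is not included in the `enable_change()` disable lists.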
@@ -183,6 +204,8 @@ function enable_change(enable_over) {
document.iform.interface.disabled = 0;
document.iform.n_l2tp_units.disabled = 0;
document.iform.secret.disabled = 0;
+ document.iform.l2tp_dns1.disabled = 0;
+ document.iform.l2tp_dns2.disabled = 0;
/* fix colors */
document.iform.remoteip.style.backgroundColor = '#FFFFFF';
document.iform.localip.style.backgroundColor = '#FFFFFF';
@@ -218,6 +241,8 @@ function enable_change(enable_over) {
document.iform.interface.disabled = 1;
document.iform.n_l2tp_units.disabled = 1;
document.iform.l2tp_subnet.disabled = 1;
+ document.iform.l2tp_dns1.disabled = 1;
+ document.iform.l2tp_dns2.disabled = 1;
document.iform.paporchap.disabled = 1;
document.iform.remoteip.disabled = 1;
document.iform.localip.disabled = 1;
@@ -360,6 +385,22 @@ function enable_change(enable_over) {
<?=gettext("Specifies which protocol to use for authentication.");?><br />
</td>
</tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("L2TP DNS Servers"); ?></td>
+ <td width="78%" class="vtable">
+ <?=$mandfldhtml;?><input name="l2tp_dns1" type="text" class="formfld unknown" id="l2tp_dns1" size="20" value="<?=htmlspecialchars($pconfig['l2tp_dns1']);?>">
+ <br>
+ <input name="l2tp_dns2" type="text" class="formfld unknown" id="l2tp_dns2" size="20" value="<?=htmlspecialchars($pconfig['l2tp_dns2']);?>">
+ <br>
+ <?=gettext("primary and secondary DNS servers assigned to L2TP clients"); ?><br>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("WINS Server"); ?></td>
+ <td width="78%" valign="top" class="vtable">
+ <input name="wins" class="formfld unknown" id="wins" size="20" value="<?=htmlspecialchars($pconfig['wins']);?>">
+ </td>
+ </tr>
<tr>
<td width="22%" valign="top" class="vncell"><?=gettext("RADIUS"); ?></td>
<td width="78%" class="vtable">
diff --git a/usr/local/www/vpn_openvpn_client.php b/usr/local/www/vpn_openvpn_client.php
index d28315d..4b9fc74 100644
--- a/usr/local/www/vpn_openvpn_client.php
+++ b/usr/local/www/vpn_openvpn_client.php
@@ -654,8 +654,6 @@ if ($savemsg)
$caname = "";
$inuse = "";
$revoked = "";
- if (is_user_cert($cert['refid']))
- continue;
$ca = lookup_ca($cert['caref']);
if ($ca)
$caname = " (CA: {$ca['descr']})";
diff --git a/usr/local/www/vpn_openvpn_server.php b/usr/local/www/vpn_openvpn_server.php
index cc38e65..204cb62 100644
--- a/usr/local/www/vpn_openvpn_server.php
+++ b/usr/local/www/vpn_openvpn_server.php
@@ -563,9 +563,9 @@ function netbios_change() {
if (!$savemsg)
$savemsg = "";
if (count($a_ca) == 0)
- $savemsg .= "You have no Certificate Authorities defined. You must visit the <a href=\"system_camanager.php\">Certificate Manager</a> to make one.";
+ $savemsg .= "You have no Certificate Authorities defined. You can visit the <a href=\"system_camanager.php\">Certificate Manager</a> or use the <a href=\"wizard.php?xml=openvpn_wizard.xml\">Wizard.</a> to create one. ";
if (count($a_cert) == 0)
- $savemsg .= "<br/>You have no Certificates defined. You must visit the <a href=\"system_camanager.php\">Certificate Manager</a> to make one.";
+ $savemsg .= "<br/>You have no Certificates defined. You can visit the <a href=\"system_camanager.php\">Certificate Manager</a> or use the <a href=\"wizard.php?xml=openvpn_wizard.xml\">Wizard.</a> to create one. ";
if ($input_errors)
print_input_errors($input_errors);
@@ -815,8 +815,6 @@ if ($savemsg)
$caname = "";
$inuse = "";
$revoked = "";
- if (is_user_cert($cert['refid']))
- continue;
$ca = lookup_ca($cert['caref']);
if ($ca)
$caname = " (CA: {$ca['descr']})";
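Review bot: Dropping the `is_user_cert()` skip means certificates created as user certificates are now offered in the server certificate dropdown; if `is_user_cert()` identifies certs issued with client-only key usage (I cannot see its definition here), selecting one will yield a server that clients with `ns-cert-type server` / `remote-cert-tls server` reject, and it blurs the server/user role separation the CA manager enforces. If the goal was to let certs without a resolvable CA appear, filter on that instead, or at least keep the skip and add a comment explaining why user certs are intentionally listed. The enclosing loop begins before this hunk.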