36 files changed, 700 insertions, 257 deletions
diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc index a66c6cb..336b8e8 100644 --- a/etc/inc/captiveportal.inc +++ b/etc/inc/captiveportal.inc @@ -809,12 +809,11 @@ function captiveportal_disconnect($dbent, $radiusservers,$term_cause = 1,$stop_t captiveportal_free_ipfw_ruleno($dbent[1]); // XMLRPC Call over to the master Voucher node - $a_voucher = &$config['voucher']; - if(!empty($a_voucher['vouchersyncdbip'])) { - $syncip = $a_voucher['vouchersyncdbip']; - $syncport = $a_voucher['vouchersyncport']; - $syncpass = $a_voucher['vouchersyncpass']; - $vouchersyncusername = $a_voucher['vouchersyncusername']; + if(!empty($config['voucher']['vouchersyncdbip'])) { + $syncip = $config['voucher']['vouchersyncdbip']; + $syncport = $config['voucher']['vouchersyncport']; + $syncpass = $config['voucher']['vouchersyncpass']; + $vouchersyncusername = $config['voucher']['vouchersyncusername']; $remote_status = xmlrpc_sync_voucher_disconnect($dben, $syncip, $syncport, $syncpass, $vouchersyncusername, $term_cause, $stop_time); } diff --git a/etc/inc/dyndns.class b/etc/inc/dyndns.class index 150dedc..65defb2 100644 --- a/etc/inc/dyndns.class +++ b/etc/inc/dyndns.class @@ -98,7 +98,9 @@ $this->_debugFile = "{$g['varetc_path']}/dyndns_{$dnsIf}{$dnsService}" . escapeshellarg($dnsHost) . ".debug"; log_error("DynDns: updatedns() starting"); - + + $dyndnslck = lock($dnsHost, LOCK_EX); + if (!$dnsService) $this->_error(2); switch ($dnsService) { case 'freedns': @@ -128,6 +130,7 @@ // Ensure that we where able to lookup the IP if(!is_ipaddr($this->_ifIP)) { log_error("There was an error trying to determine the IP for interface - {$dnsIf}({$this->_if}). Probably interface has no ip or is down. Dyndns update not possible for {$dnsService}."); + unlock($dyndnslck); return; } @@ -162,6 +165,8 @@ break; } } + + unlock($dyndnslck); } /* 
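Review bot: The call `xmlrpc_sync_voucher_disconnect($dben, ...)` on the context line right after the rewritten block passes `$dben`, which is never assigned in this function — the parameter is `$dbent` — so the master node is asked to disconnect a null entry; the line should read `$remote_status = xmlrpc_sync_voucher_disconnect($dbent, $syncip, $syncport, $syncpass, $vouchersyncusername, $term_cause, $stop_time);`. The defect is pre-existing, but this hunk rewrites the five lines directly above it and is the natural place to correct it. captiveportal_disconnect's body continues outside the hunk.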
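Review bot: The lock taken by `$dyndnslck = lock($dnsHost, LOCK_EX);` has no release on the `if (!$dnsService) $this->_error(2);` path; unless `_error()` terminates execution (not visible here), the method continues into the switch with the lock held, and only the two `unlock()` calls added further down release it. Any other early `return` in the rest of updatedns(), which lies outside this hunk, also needs `unlock($dyndnslck);` before it. A comment at the lock site, `// held until the end of updatedns(); every return path below must unlock`, would make that contract explicit to the next editor.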
@@ -178,7 +183,7 @@ curl_setopt($ch, CURLOPT_USERAGENT, $this->_UserAgent); curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); curl_setopt($ch, CURLOPT_INTERFACE, $this->_ifIP); - curl_setopt($ch, CURLOPT_TIMEOUT, 60); // Completely empirical + curl_setopt($ch, CURLOPT_TIMEOUT, 120); // Completely empirical } switch ($this->_dnsService) { @@ -795,12 +800,13 @@ if($successful_update == true) { /* Write WAN IP to cache file */ $wan_ip = $this->_checkIP(); - $currentTime = time(); - log_error("phpDynDNS: updating cache file {$this->_cacheFile}: {$wan_ip}"); conf_mount_rw(); - $file = fopen($this->_cacheFile, 'w'); - fwrite($file, $wan_ip.':'.$currentTime); - fclose($file); + if ($wan_ip > 0) { + $currentTime = time(); + log_error("phpDynDNS: updating cache file {$this->_cacheFile}: {$wan_ip}"); + @file_put_contents($this->_cacheFile, "{$wan_ip}:{$currentTime}"); + } else + @unlink($this->_cacheFile); conf_mount_ro(); } $this->status = $status; 
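Review bot: `if ($wan_ip > 0)` relies on loose comparison of an address string against an integer: `_checkIP()` returns the integer 0 on failure and an IP string otherwise, and a string such as `0.0.0.0` (or any string, depending on PHP version) does not compare the way the branch intends. Use the type-exact form, `if ($wan_ip !== 0) {`, or better `if (is_ipaddr($wan_ip)) {` since that helper is already used in this class; the same applies to `if ($wan_ip == 0)` in `_detectChange()` in the next hunk. The `@` on `@file_put_contents` also hides a failed cache write, after which the stale cached IP is silently compared on the next run; logging a `false` return keeps that visible.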
@@ -853,32 +859,37 @@ * | work with other systems. pfSense base is FreeBSD. */ function _detectChange() { - - log_error("DynDns: _detectChange() starting."); + global $debug; + + if ($debug) + log_error("DynDns: _detectChange() starting."); $currentTime = time(); $wan_ip = $this->_checkIP(); + if ($wan_ip == 0) { + log_error("DynDns: Current WAN IP could not be determined, skipping update process."); + return false; + } $this->_dnsIP = $wan_ip; - log_error("DynDns: Current WAN IP: {$wan_ip}"); + $log_error = "DynDns: Current WAN IP: {$wan_ip} "; if (file_exists($this->_cacheFile)) { $contents = file_get_contents($this->_cacheFile); list($cacheIP,$cacheTime) = split(':', $contents); $this->_debug($cacheIP.'/'.$cacheTime); $initial = false; - log_error("DynDns: Cached IP: {$cacheIP}"); + $log_error .= "Cached IP: {$cacheIP} "; } else { conf_mount_rw(); - $file = fopen($this->_cacheFile, 'w'); - fwrite($file, '0.0.0.0:'.$currentTime); - fclose($file); - conf_mount_ro(); $cacheIP = '0.0.0.0'; + @file_put_contents($this->_cacheFile, "0.0.0.0:{$currentTime}"); + conf_mount_ro(); $cacheTime = $currentTime; $initial = true; - log_error("DynDns: No Cached IP found."); + $log_error .= "No Cached IP found."; } + log_error($log_error); /* use 2419200 for dyndns, dhs, easydns, noip, hn * zoneedit, dyns, ods @@ -928,10 +939,14 @@ conf_mount_ro(); } function _checkIP() { + global $debug; - log_error("DynDns: _checkIP() starting."); + if ($debug) + log_error("DynDns: _checkIP() starting."); $ip_address = find_interface_ip($this->_if); + if (!is_ipaddr($ip_address)) + return 0; $this->_ifIP = $ip_address; if (is_private_ip($ip_address)) { $hosttocheck = "checkip.dyndns.org"; 
@@ -944,20 +959,25 @@ } if ($try >= 3) { log_error("Dyndns debug information: Could not resolve {$hosttocheck} to ip using interface ip {$ip_address}."); - return $ip_address; /* XXX: Might return private ip address! */ + return 0; } $ip_ch = curl_init("http://{$checkip}"); curl_setopt($ip_ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ip_ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ip_ch, CURLOPT_INTERFACE, $ip_address); curl_setopt($ip_ch, CURLOPT_CONNECTTIMEOUT, '30'); - curl_setopt($ip_ch, CURLOPT_TIMEOUT, 60); + curl_setopt($ip_ch, CURLOPT_TIMEOUT, 120); $ip_result_page = curl_exec($ip_ch); curl_close($ip_ch); $ip_result_decoded = urldecode($ip_result_page); preg_match('/Current IP Address: (.*)<\/body>/', $ip_result_decoded, $matches); $ip_address = trim($matches[1]); - log_error("DynDns debug information: {$ip_address} extracted from {$hosttocheck}"); + if (is_ipaddr($ip_address)) + log_error("DynDns debug information: {$ip_address} extracted from {$hosttocheck}"); + else { + log_error("DynDns debug information: IP address could not be extracted from {$hosttocheck}"); + return 0; + } } else log_error("DynDns debug information: {$ip_address} extracted from local system."); diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index f5907c1..a949128 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -429,7 +429,7 @@ function filter_generate_scrubing() { } /* disable scrub option */ foreach ($FilterIflist as $scrubif => $scrubcfg) { - if(isset($scrubcfg['virtual'])) + if(isset($scrubcfg['virtual']) || empty($scrubcfg['descr'])) continue; /* set up MSS clamping */ if($scrubcfg['mss'] <> "" && is_numeric($scrubcfg['mss']) && $scrubcfg['if'] != "pppoe" && $scrubcfg['if'] != "pptp" && 
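Review bot: `$ip_address = trim($matches[1]);` is reached even when `preg_match(...)` matched nothing, which raises an undefined-offset notice before the new `is_ipaddr()` check turns the case into `return 0`. Testing the match first, `if (!preg_match('/Current IP Address: (.*)<\/body>/', $ip_result_decoded, $matches)) { log_error("DynDns debug information: IP address could not be extracted from {$hosttocheck}"); return 0; }`, keeps the log clean and makes the failure path explicit. The `is_ipaddr()` gate is the right place to validate, since the body fetched over plain HTTP is the only untrusted input in this method; a `false` from `curl_exec()` on a transport error flows through `urldecode()` the same way and is caught by the same check. _checkIP starts before this hunk.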
@@ -513,8 +513,15 @@ function filter_generate_aliases() { $aliases = "loopback = \"{ lo0 }\"\n"; foreach ($FilterIflist as $if => $ifcfg) { - $aliases .= "{$ifcfg['descr']} = \"{ {$ifcfg['if']}"; - $aliases .= " }\"\n"; + if (is_array($ifcfg[0])) { + if ($ifcfg[0]['if'] == 'pppoe') { + $aliases .= "{$ifcfg[0]['descr']} = \"{ {$ifcfg[0]['if']}"; + $aliases .= " }\"\n"; + } + } elseif (!empty($ifcfg['descr']) && !empty($ifcfg['if'])) { + $aliases .= "{$ifcfg['descr']} = \"{ {$ifcfg['if']}"; + $aliases .= " }\"\n"; + } } $aliases .= "\n#SSH Lockout Table\n"; @@ -695,9 +702,15 @@ function filter_get_vpns_list() { } } /* pppoe */ - if($config['pppoe']['remoteip']) { - if(is_subnet($tunnel['remote-subnet'])) { - $vpns_arr[] = $config['pppoe']['remoteip'] ."/". $config['pppoe']['pppoe_subnet']; + if (is_array($config['pppoes']['pppoe'])) { + foreach($config['pppoes']['pppoe'] as $pppoe) { + if ($pppoe['mode'] == "server") { + if(is_ipaddr($pppoe['remoteip'])) { + $pppoesub = gen_subnet($pppoe['remoteip'], $pppoe['pppoe_subnet']); + if (is_subnet($pppoesub)) + $vpns_arr[] = $pppoesub; + } + } } } if(!empty($vpns_arr)) { 
@@ -792,19 +805,26 @@ function filter_generate_optcfg_array() { $oic['virtual'] = true; $FilterIflist['l2tp'] = $oic; } - if($config['pppoe']['mode'] == "server") { - $oic = array(); - $oic['if'] = 'pppoe'; - $oic['descr'] = 'pppoe'; - $oic['ip'] = $config['pppoe']['localip']; - $oic['sa'] = $config['pppoe']['remoteip']; - $oic['mode'] = $config['pppoe']['mode']; - $oic['virtual'] = true; - if($config['pppoe']['pppoe_subnet'] <> "") - $oic['sn'] = $config['pppoe']['pppoe_subnet']; - else - $oic['sn'] = "32"; - $FilterIflist['pppoe'] = $oic; + if (is_array($config['pppoes']['pppoe']) && (count($config['pppoes']['pppoe']) > 0)) { + $pppoeifs = array(); + foreach($config['pppoes']['pppoe'] as $pppoe) { + if ($pppoe['mode'] == "server") { + $oic = array(); + $oic['if'] = 'pppoe'; + $oic['descr'] = 'pppoe'; + $oic['ip'] = $pppoe['localip']; + $oic['sa'] = $pppoe['remoteip']; + $oic['mode'] = $pppoe['mode']; + $oic['virtual'] = true; + if($pppoe['pppoe_subnet'] <> "") + $oic['sn'] = $pppoe['pppoe_subnet']; + else + $oic['sn'] = "32"; + $pppoeifs[] = $oic; + } + } + if (count($pppoeifs)) + $FilterIflist['pppoe'] = $pppoeifs; } /* add ipsec interfaces */ if(isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])) { @@ -1025,7 +1045,6 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_ $target = $FilterIflist[$rule['target']]['ip']; else return ""; - $starting_localhost_port_tmp = $starting_localhost_port; $toomanyports = false; /* only install reflection rules for < 19991 items */ @@ -1074,7 +1093,7 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_ $toadd_array = array_merge($toadd_array, range($loc_pt[0], $loc_pt[0] + $delta)); if(!empty($toadd_array)) { - $target = explode(" ", trim($target)); + $rtarget = explode(" ", trim($target)); foreach($toadd_array as $tda) { if (empty($tda)) continue; 
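Review bot: `$FilterIflist['pppoe']` now holds a list of interface arrays while every other entry is a single interface array, so any generic `foreach ($FilterIflist as $if => $ifcfg)` that reads `$ifcfg['if']`, `$ifcfg['descr']` or `$ifcfg['ip']` on the pppoe entry gets undefined indexes. This commit special-cases the scrub and alias loops, but the outbound-NAT loop in the `@@ -1410` hunk still does `substr($ifcfg['if'], 0, 4)` and `interface_has_gateway($if)` on it, and `filter_generate_address()` only ever looks at `[0]`. Either store the per-server entries under distinct keys (e.g. `$FilterIflist["pppoe{$n}"]`) so the shape stays uniform, or document the exception where it is built: `/* NOTE: unlike every other entry this is a list of server interfaces; iterate it, never index it like an interface */`. filter_generate_optcfg_array continues outside the hunk.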
@@ -1086,7 +1105,7 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_ $socktype = "stream"; $dash_u = ""; } - foreach ($target as $targip) { + foreach ($rtarget as $targip) { if (empty($targip)) continue; $reflection_txt[] = "{$inetdport}\t{$socktype}\t{$reflect_proto}\tnowait/0\tnobody\t/usr/bin/nc\tnc {$dash_u}-w {$reflectiontimeout} {$targip} {$tda}\n"; @@ -1359,19 +1378,18 @@ function filter_nat_rules_generate() { } } /* PPTP subnet */ - if(isset($FilterIflist['pptp']) && $FilterIflist['pptp']['mode'] == "server" ) { - $pptp_subnet = $FilterIflist['pptp']['sn']; - if(is_private_ip($FilterIflist['pptp']['sa']) && !empty($pptp_subnet)) { - $numberofnathosts++; - $tonathosts .= "{$FilterIflist['pptp']['sa']}/{$pptp_subnet} "; - } + if(($config['pptpd']['mode'] == "server" ) && is_private_ip($config['pptpd']['remoteip'])) { + $pptp_subnets = ip_range_to_subnet_array($config['pptpd']['remoteip'], long2ip32(ip2long($config['pptpd']['remoteip'])+$config['pptpd']['n_pptp_units'])); + $numberofnathosts += count($pptp_subnets); + $tonathosts .= implode(" ", $pptp_subnets) . " "; } /* PPPoE subnet */ - if(isset($FilterIflist['pppoe']) && $FilterIflist['pppoe']['mode'] == "server") { - $pppoe_subnet = $FilterIflist['pppoe']['sn']; - if(is_private_ip($FilterIflist['pppoe']['sa']) && !empty($pppoe_subnet)) { - $numberofnathosts++; - $tonathosts .= "{$FilterIflist['pppoe']['sa']}/{$pppoe_subnet} "; + if (is_array($FilterIflist['pppoe'])) { + foreach ($FilterIflist['pppoe'] as $pppoe) { + if(is_private_ip($pppoe['ip'])) { + $numberofnathosts++; + $tonathosts .= "{$pppoe['sa']}/{$pppoe['sn']} "; + } } } /* L2TP subnet */ @@ -1410,6 +1428,8 @@ function filter_nat_rules_generate() { } if($numberofnathosts > 0): foreach ($FilterIflist as $if => $ifcfg) { + if (substr($ifcfg['if'], 0, 4) == "ovpn") + continue; update_filter_reload_status("Creating outbound rules {$if} - ({$ifcfg['descr']})"); if(interface_has_gateway($if)) { $target = $ifcfg['ip']; 
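Review bot: `long2ip32(ip2long($config['pptpd']['remoteip'])+$config['pptpd']['n_pptp_units'])` computes the range end as start plus the unit count; if `ip_range_to_subnet_array()` treats both ends as inclusive, that is one address too many and the end should be `... + $config['pptpd']['n_pptp_units'] - 1`. An empty or missing `n_pptp_units` is also added as-is, which silently becomes 0 (a warning or TypeError on newer PHP), so cast it with `(int)` or guard with `is_numeric()` before the addition. filter_nat_rules_generate continues outside the hunk.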
@@ -1686,22 +1706,23 @@ function filter_generate_address(& $rule, $target = "source", $isnat = false) { $src = "{$lansa}/{$lansn}"; break; case 'pptp': - $pptpsa = gen_subnetv6($FilterIflist['pptp']['sav6'], $FilterIflist['pptp']['snv6']); - $pptpsn = $FilterIflist['pptp']['snv6']; + $pptpsav6 = gen_subnetv6($FilterIflist['pptp']['sav6'], $FilterIflist['pptp']['snv6']); + $pptpsnv6 = $FilterIflist['pptp']['snv6']; $src = "{$pptpsav6}/{$pptpsnv6}"; break; case 'pppoe': - $pppoesa = gen_subnetv6($FilterIflist['pppoe']['ipv6'], $FilterIflist['pppoe']['snv6']); - $pppoesn = $FilterIflist['pppoe']['snv6']; - $src = "{$pppoesav6}/{$pppoesnv6}"; - break; + if (is_array($FilterIflist['pppoe'])) { + $pppoesav6 = gen_subnetv6($FilterIflist['pppoe'][0]['ipv6'], $FilterIflist['pppoe'][0]['snv6']); + $pppoesnv6 = $FilterIflist['pppoe'][0]['snv6']; + $src = "{$pppoesav6}/{$pppoesnv6}"; + } } } else { switch ($rule[$target]['network']) { case 'wan': $wansa = $FilterIflist['wan']['sa']; $wansn = $FilterIflist['wan']['sn']; - $src = "{$wansa}/{$wansn}"; + $src = "{$wansa}/{$wansn}"; break; case 'wanip': $src = $FilterIflist["wan"]['ip']; @@ -1720,10 +1741,13 @@ function filter_generate_address(& $rule, $target = "source", $isnat = false) { $src = "{$pptpsa}/{$pptpsn}"; break; case 'pppoe': - $pppoesa = gen_subnet($FilterIflist['pppoe']['ip'], $FilterIflist['pppoe']['sn']); - $pppoesn = $FilterIflist['pppoe']['sn']; + /* XXX: This needs to be fixed somehow! */ + if (is_array($FilterIflist['pppoe'])) { + $pppoesa = gen_subnet($FilterIflist['pppoe'][0]['ip'], $FilterIflist['pppoe'][0]['sn']); + $pppoesn = $FilterIflist['pppoe'][0]['sn']; $src = "{$pppoesa}/{$pppoesn}"; - break; + } + break; } } } @@ -1780,7 +1804,6 @@ function filter_generate_user_rule($rule) { } update_filter_reload_status("Creating filter rules {$rule['descr']} ..."); $pptpdcfg = $config['pptpd']; - $pppoecfg = $config['pppoe']; $int = ""; $aline = array(); 
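Review bot: In the 'pppoe' case of the IPv6 branch, `$src` is left unassigned when `$FilterIflist['pppoe']` is not an array, whereas the old code always set it; the IPv4 branch in the next hunk has the same shape and carries `/* XXX: This needs to be fixed somehow! */` without saying what is wrong. State the limitation at both sites, e.g. `/* only the first PPPoE server's subnet is addressable here; $src stays unset when no server is configured */`, and consider giving `$src` a defined fallback before the switch so callers do not see an undefined variable. filter_generate_address starts before this hunk.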
@@ -2116,7 +2139,6 @@ function filter_rules_generate() { } $pptpdcfg = $config['pptpd']; - $pppoecfg = $config['pppoe']; $ipfrules = ""; //$ipfrules .= discover_pkg_rules("filter"); diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc index 3bd0de2..735ea52 100644 --- a/etc/inc/globals.inc +++ b/etc/inc/globals.inc @@ -91,7 +91,7 @@ $g = array( "disablecrashreporter" => false, "crashreporterurl" => "http://crashreporter.pfsense.org/crash_reporter.php", "debug" => false, - "latest_config" => "8.0", + "latest_config" => "8.1", "nopkg_platforms" => array("cdrom"), "minimum_ram_warning" => "101", "minimum_ram_warning_text" => "128 MB", diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc index d50c89a..480d1b6 100644 --- a/etc/inc/interfaces.inc +++ b/etc/inc/interfaces.inc @@ -955,9 +955,9 @@ function interfaces_configure() { return 0; } -function interface_reconfigure($interface = "wan") { +function interface_reconfigure($interface = "wan", $reloadall = false) { interface_bring_down($interface); - interface_configure($interface, true); + interface_configure($interface, $reloadall); } function interface_vip_bring_down($vip) { @@ -4018,4 +4018,4 @@ function get_vip_descr($ipaddress) { return ""; } -?> +?>
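Review bot: `interface_reconfigure($interface = "wan", $reloadall = false)` changes what existing callers get: `interface_configure()` was previously always called with `true`, and every caller that passes only an interface name now silently gets `false`. Unless all call sites (outside this diff) were audited, defaulting the new parameter to the old behaviour, `$reloadall = true`, keeps the signature backward-compatible and lets the callers that want the lighter reconfigure opt in explicitly.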
\ No newline at end of file diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index 572333a..ddbecbb 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc @@ -2264,4 +2264,47 @@ function load_mac_manufacturer_table() { return -1; } +<<<<<<< HEAD ?> +======= + +/****f* pfsense-utils/is_ipaddr_configured + * NAME + * is_ipaddr_configured + * INPUTS + * IP Address to check. + * RESULT + * returns true if the IP Address is + * configured and present on this device. +*/ +function is_ipaddr_configured($ipaddr) { + $interface_list_ips = get_configured_ip_addresses(); + foreach($interface_list_ips as $ilips) { + if(strcasecmp($ipaddr, $ilips) == 0) + return true; + } +} + +/****f* pfsense-utils/pfSense_handle_custom_code + * NAME + * pfSense_handle_custom_code + * INPUTS + * directory name to process + * RESULT + * globs the directory and includes the files + */ +function pfSense_handle_custom_code($src_dir) { + // Allow extending of the nat edit page and include custom input validation + if(is_dir("$src_dir")) { + $cf = glob($src_dir . "/*.inc"); + foreach($cf as $nf) { + if($nf == "." || $nf == "..") + continue; + // Include the extra handler + include("$nf"); + } + } +} + +?> +>>>>>>> upstream/master diff --git a/etc/inc/rrd.inc b/etc/inc/rrd.inc index 72ea7b9..0475169 100644 --- a/etc/inc/rrd.inc +++ b/etc/inc/rrd.inc @@ -402,7 +402,7 @@ function enable_rrd_graphing() { $rrdupdatesh .= " sleep 0.2\n"; $rrdupdatesh .= " echo \"quit\"\n"; $rrdupdatesh .= "}\n"; - $rrdupdatesh .= "OVPN=`list_current_users | nc -U {$g['varetc_path']}/openvpn/server{$vpnid}.sock | awk -F\",\" '/^CLIENT_LIST/ {print \$2}' | wc -l | awk '{print $1}'` &\n"; + $rrdupdatesh .= "OVPN=`list_current_users | nc -U {$g['varetc_path']}/openvpn/server{$vpnid}.sock | awk -F\",\" '/^CLIENT_LIST/ {print \$2}' | wc -l | awk '{print $1}'`\n"; $rrdupdatesh .= "$rrdtool update $rrddbpath$ifname$vpnusers N:\${OVPN}\n"; } 
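Review bot: The new side of this hunk commits unresolved merge-conflict markers — `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> upstream/master` — which makes pfsense-utils.inc fail to parse and takes down every script that includes it; resolve by keeping the upstream block and dropping the three marker lines and the duplicated `?>`. Within that block, `is_ipaddr_configured()` returns nothing when no interface matches, so add `return false;` after the loop to give callers a real boolean. In `pfSense_handle_custom_code()` the `$nf == "." || $nf == ".."` test is dead because `glob()` never returns those entries; and since the function `include`s every `*.inc` it finds, a docblock line stating that `$src_dir` must be a fixed, install-owned directory rather than anything derived from request data would make the trust assumption explicit.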
diff --git a/etc/inc/services.inc b/etc/inc/services.inc index d18bfea..382e8dd 100644 --- a/etc/inc/services.inc +++ b/etc/inc/services.inc @@ -397,7 +397,7 @@ EOPP; $dhcpdconf .= " deny dynamic bootp clients;\n"; if (isset($dhcpifconf['denyunknown'])) - $dhcpdconf .= " deny unknown clients;\n"; + $dhcpdconf .= " deny unknown-clients;\n"; if ($dhcpifconf['gateway']) $routers = $dhcpifconf['gateway']; @@ -1067,8 +1067,6 @@ function services_dyndns_configure_client($conf) { /* load up the dyndns.class */ require_once("dyndns.class"); - log_error("DynDns: Running updatedns()"); - $dns = new updatedns($dnsService = $conf['type'], $dnsHost = $conf['host'], $dnsUser = $conf['username'], diff --git a/etc/inc/system.inc b/etc/inc/system.inc index d88218f..a2f0598 100644 --- a/etc/inc/system.inc +++ b/etc/inc/system.inc @@ -116,9 +116,12 @@ function system_resolvconf_generate($dynupdate = false) { } } + $dnslock = lock('resolvconf', LOCK_EX); + $fd = fopen("{$g['varetc_path']}/resolv.conf", "w"); if (!$fd) { printf("Error: cannot open resolv.conf in system_resolvconf_generate().\n"); + unlock($dnslock); return 1; } @@ -148,7 +151,9 @@ function system_resolvconf_generate($dynupdate = false) { } } } - + + unlock($dnslock); + return 0; } @@ -1346,6 +1351,7 @@ function system_reboot_cleanup() { captiveportal_radius_stop_all(); require_once("voucher.inc"); voucher_save_db_to_config(); + mwexec("/etc/rc.stop_packages"); } function system_do_shell_commands($early = 0) { diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc index 1646292..ccd5629 100644 --- a/etc/inc/upgrade_config.inc +++ b/etc/inc/upgrade_config.inc @@ -2490,8 +2490,13 @@ function upgrade_077_to_078() { $config['pptpd']['radius'] = $radarr; } } - function upgrade_078_to_079() { + global $g; + /* Delete old and unused RRD file */ + unlink_if_exists("{$g['vardb_path']}/rrd/captiveportal-totalusers.rrd"); +} + +function upgrade_079_to_080() { global $config; global $g; 
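Review bot: The renumbering means a system whose config is already at 8.0 will, on upgrade to 8.1, run only `upgrade_080_to_081()` and never the new `upgrade_078_to_079()`, so the `unlink_if_exists("{$g['vardb_path']}/rrd/captiveportal-totalusers.rrd")` cleanup is skipped for exactly the installs that already have that file; if the cleanup matters, repeat it in the new top step as well. Those systems also re-run the old `upgrade_079_to_080()` body as `upgrade_080_to_081()`; the visible line `$config['system']['ipv6allow'] = true;` is idempotent, but the rest of that body lies outside the hunk and is worth confirming.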
@@ -2577,7 +2582,7 @@ function upgrade_078_to_079() { } } -function upgrade_079_to_080() { +function upgrade_080_to_081() { global $config; /* enable the allow IPv6 toggle */ $config['system']['ipv6allow'] = true; diff --git a/etc/inc/voucher.inc b/etc/inc/voucher.inc index ec59716..e6a44c4 100644 --- a/etc/inc/voucher.inc +++ b/etc/inc/voucher.inc 
@@ -37,6 +37,53 @@ if(!function_exists('captiveportal_syslog')) require_once("captiveportal.inc"); +function xmlrpc_sync_voucher_expire($vouchers, $syncip, $port, $password, $username) { + global $g, $config; + require_once("xmlrpc.inc"); + if($port == "443") + $url = "https://{$syncip}"; + else + $url = "http://{$syncip}"; + + /* Construct code that is run on remote machine */ + $method = 'pfsense.exec_php'; + $execcmd = <<<EOF + require_once('/etc/inc/captiveportal.inc'); + require_once('/etc/inc/voucher.inc'); + voucher_expire(\$vouchers); + +EOF; + + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + + log_error("Captive Portal Voucher XMLRPC sync data {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, "250"); + if(!is_object($resp)) { + $error = "A communications error occurred while attempting CaptivePortalVoucherSync XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + log_error($error); + file_notice("CaptivePortalVoucherSync", $error, "Communications error occurred", ""); + return false; + } elseif($resp->faultCode()) { + $error = "An error code was received while attempting CaptivePortalVoucherSync XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("CaptivePortalVoucherSync", $error, "Error code received", ""); + return false; + } else { + log_error("CaptivePortalVoucherSync XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); + } + + $toreturn = XML_RPC_Decode($resp->value()); + + return $toreturn; +} + function xmlrpc_sync_voucher_disconnect($dbent, $syncip, $port, $password, $username, $term_cause = "1", $stop_time = null) { global $g, $config; require_once("xmlrpc.inc"); 
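Review bot: `xmlrpc_sync_voucher_expire()` never puts its `$vouchers` argument into the payload: the heredoc sends `voucher_expire(\$vouchers);` to the remote `pfsense.exec_php`, where `$vouchers` is undefined, so the master expires nothing. Embed the value as a PHP literal rather than splicing the raw, user-typed voucher text into code: `$vouchers_php = var_export($vouchers, true);` before the heredoc and `voucher_expire({$vouchers_php});` inside it. Note also that unless the sync port is 443 the request, including `XML_RPC_encode($password)`, goes over plain http; that mirrors the existing disconnect helper but deserves a comment on the `$url` assignment.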
@@ -138,6 +185,93 @@ EOF; return $toreturn['timeleft']; } +function voucher_expire($voucher_received) { + global $g, $config; + + $voucherlck = lock('voucher', LOCK_EX); + + // XMLRPC Call over to the master Voucher node + if(!empty($config['voucher']['vouchersyncdbip'])) { + $syncip = $config['voucher']['vouchersyncdbip']; + $syncport = $config['voucher']['vouchersyncport']; + $syncpass = $config['voucher']['vouchersyncpass']; + $vouchersyncusername = $config['voucher']['vouchersyncusername']; + xmlrpc_sync_voucher_expire($voucher_received, $syncip, $syncport, $syncpass, $vouchersyncusername); + } + + // read rolls into assoc array with rollid as key and minutes as value + $tickets_per_roll = array(); + $minutes_per_roll = array(); + if (is_array($config['voucher']['roll'])) { + foreach ($config['voucher']['roll'] as $rollent) { + $tickets_per_roll[$rollent['number']] = $rollent['count']; + $minutes_per_roll[$rollent['number']] = $rollent['minutes']; + } + } + + // split into an array. Useful for multiple vouchers given + $a_vouchers_received = split("[\t\n\r ]+",$voucher_received); + $active_dirty = false; + + // go through all received vouchers, check their valid and extract + // Roll# and Ticket# using the external readvoucher binary + foreach ($a_vouchers_received as $voucher) { + $v = escapeshellarg($voucher); + if (strlen($voucher) < 3) + continue; // seems too short to be a voucher! + + $result = exec("/usr/local/bin/voucher -c {$g['varetc_path']}/voucher.cfg -k {$g['varetc_path']}/voucher.public -- $v"); + list($status, $roll, $nr) = explode(" ", $result); + if ($status == "OK") { + // check if we have this ticket on a registered roll for this ticket + if ($tickets_per_roll[$roll] && ($nr <= $tickets_per_roll[$roll])) { + // voucher is from a registered roll. + if (!isset($active_vouchers[$roll])) + $active_vouchers[$roll] = voucher_read_active_db($roll); + // valid voucher. 
Store roll# and ticket# + if (!empty($active_vouchers[$roll][$voucher])) { + $active_dirty = true; + unset($active_vouchers[$roll][$voucher]); + } + // check if voucher already marked as used + if (!isset($bitstring[$roll])) + $bitstring[$roll] = voucher_read_used_db($roll); + $pos = $nr >> 3; // divide by 8 -> octet + $mask = 1 << ($nr % 8); + // mark bit for this voucher as used + if (!(ord($bitstring[$roll][$pos]) & $mask)) + $bitstring[$roll][$pos] = chr(ord($bitstring[$roll][$pos]) | $mask); + captiveportal_syslog("{$voucher} ({$roll}/{$nr}) forced to expire"); + } else + captiveportal_syslog("$voucher ($roll/$nr): not found on any registererd Roll"); + } else + // hmm, thats weird ... not what I expected + captiveportal_syslog("$voucher invalid: $result !!"); + } + + // Refresh active DBs + if ($active_dirty == true) { + foreach ($active_vouchers as $roll => $active) + voucher_write_active_db($roll, $active); + } + + // Write back the used DB's + if (is_array($bitstring)) { + foreach ($bitstring as $roll => $used) { + if(is_array($used)) { + foreach($used as $u) + voucher_write_used_db($roll, base64_encode($u)); + } else { + voucher_write_used_db($roll, base64_encode($used)); + } + } + } + + unlock($voucherlck); + + return true; +} + /* * Authenticate a voucher and return the remaining time credit in minutes * if $test is set, don't mark the voucher as used nor add it to the list 
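Review bot: `voucher_expire()` holds the exclusive `voucher` lock across the remote `xmlrpc_sync_voucher_expire()` call, whose `send($msg, "250")` can block for up to 250 seconds on an unreachable master, so captive-portal logins through `voucher_auth()` stall for that long; take the lock after the sync call, since the local DB work is what it protects. `split("[\t\n\r ]+", ...)` is the deprecated ereg API — `preg_split('/[\t\n\r ]+/', $voucher_received)` is the drop-in. `$active_vouchers` and `$bitstring` are never initialised, so declare `$active_vouchers = array(); $bitstring = array();` at the top and the trailing `is_array($bitstring)` guard becomes unnecessary. The roll/ticket parsing and bit-marking duplicate `voucher_auth()` line for line; a shared private helper would keep the two from drifting.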
@@ -146,17 +280,16 @@ EOF; * but return a more verbose error and result message back */ function voucher_auth($voucher_received, $test = 0) { - global $g, $config; + global $g, $config; - $voucherlck = lock('voucher', LOCK_EX); + $voucherlck = lock('voucher', LOCK_EX); // XMLRPC Call over to the master Voucher node - $a_voucher = &$config['voucher']; - if(!empty($a_voucher['vouchersyncdbip'])) { - $syncip = $a_voucher['vouchersyncdbip']; - $syncport = $a_voucher['vouchersyncport']; - $syncpass = $a_voucher['vouchersyncpass']; - $vouchersyncusername = $a_voucher['vouchersyncusername']; + if(!empty($config['voucher']['vouchersyncdbip'])) { + $syncip = $config['voucher']['vouchersyncdbip']; + $syncport = $config['voucher']['vouchersyncport']; + $syncpass = $config['voucher']['vouchersyncpass']; + $vouchersyncusername = $config['voucher']['vouchersyncusername']; $remote_time_used = xmlrpc_sync_used_voucher($voucher_received, $syncip, $syncport, $syncpass, $vouchersyncusername); } 
@@ -164,112 +297,108 @@ function voucher_auth($voucher_received, $test = 0) { $tickets_per_roll = array(); $minutes_per_roll = array(); if (is_array($config['voucher']['roll'])) { - $a_roll = &$config['voucher']['roll']; - foreach ($a_roll as $rollent) { + foreach ($config['voucher']['roll'] as $rollent) { $tickets_per_roll[$rollent['number']] = $rollent['count']; $minutes_per_roll[$rollent['number']] = $rollent['minutes']; } } - // split into an array. Useful for multiple vouchers given - $a_vouchers_received = split("[\t\n\r ]+",$voucher_received); - $error = 0; - $test_result = array(); // used to display for voucher test option in GUI - $total_minutes = 0; - $first_voucher = ""; - $first_voucher_roll = 0; - - // go through all received vouchers, check their valid and extract - // Roll# and Ticket# using the external readvoucher binary - - foreach ($a_vouchers_received as $voucher) { - - $v = escapeshellarg($voucher); - if (strlen($voucher) < 3) - continue; // seems too short to be a voucher! - - $result = exec("/usr/local/bin/voucher -c {$g['varetc_path']}/voucher.cfg -k {$g['varetc_path']}/voucher.public -- $v"); - list($status, $roll, $nr) = explode(" ", $result); - if ($status == "OK") { - if (!$first_voucher) { + // split into an array. Useful for multiple vouchers given + $a_vouchers_received = split("[\t\n\r ]+",$voucher_received); + $error = 0; + $test_result = array(); // used to display for voucher test option in GUI + $total_minutes = 0; + $first_voucher = ""; + $first_voucher_roll = 0; + + // go through all received vouchers, check their valid and extract + // Roll# and Ticket# using the external readvoucher binary + foreach ($a_vouchers_received as $voucher) { + $v = escapeshellarg($voucher); + if (strlen($voucher) < 3) + continue; // seems too short to be a voucher! 
+ + $result = exec("/usr/local/bin/voucher -c {$g['varetc_path']}/voucher.cfg -k {$g['varetc_path']}/voucher.public -- $v"); + list($status, $roll, $nr) = explode(" ", $result); + if ($status == "OK") { + if (!$first_voucher) { // store first voucher. Thats the one we give the timecredit - $first_voucher = $voucher; - $first_voucher_roll = $roll; - } - // check if we have this ticket on a registered roll for this ticket - if ($tickets_per_roll[$roll] && ($nr <= $tickets_per_roll[$roll])) { - // voucher is from a registered roll. - if (!isset($active_vouchers[$roll])) - $active_vouchers[$roll] = voucher_read_active_db($roll); - // valid voucher. Store roll# and ticket# - if (!empty($active_vouchers[$roll][$voucher])) { - list($timestamp,$minutes) = explode(",", $active_vouchers[$roll][$voucher]); - // we have an already active voucher here. - $remaining = intval((($timestamp + (60*$minutes)) - time())/60); - $test_result[] = "$voucher ($roll/$nr) active and good for $remaining Minutes"; - $total_minutes += $remaining; - } else { - // voucher not used. Check if ticket Id is on the roll (not too high) - // and if the ticket is marked used. - // check if voucher already marked as used - if (!isset($bitstring[$roll])) - $bitstring[$roll] = voucher_read_used_db($roll); - $pos = $nr >> 3; // divide by 8 -> octet - $mask = 1 << ($nr % 8); - if (ord($bitstring[$roll][$pos]) & $mask) { - $test_result[] = "$voucher ($roll/$nr) already used and expired"; + $first_voucher = $voucher; + $first_voucher_roll = $roll; + } + // check if we have this ticket on a registered roll for this ticket + if ($tickets_per_roll[$roll] && ($nr <= $tickets_per_roll[$roll])) { + // voucher is from a registered roll. + if (!isset($active_vouchers[$roll])) + $active_vouchers[$roll] = voucher_read_active_db($roll); + // valid voucher. 
Store roll# and ticket# + if (!empty($active_vouchers[$roll][$voucher])) { + list($timestamp,$minutes) = explode(",", $active_vouchers[$roll][$voucher]); + // we have an already active voucher here. + $remaining = intval((($timestamp + (60*$minutes)) - time())/60); + $test_result[] = "$voucher ($roll/$nr) active and good for $remaining Minutes"; + $total_minutes += $remaining; + } else { + // voucher not used. Check if ticket Id is on the roll (not too high) + // and if the ticket is marked used. + // check if voucher already marked as used + if (!isset($bitstring[$roll])) + $bitstring[$roll] = voucher_read_used_db($roll); + $pos = $nr >> 3; // divide by 8 -> octet + $mask = 1 << ($nr % 8); + if (ord($bitstring[$roll][$pos]) & $mask) { + $test_result[] = "$voucher ($roll/$nr) already used and expired"; captiveportal_syslog("$voucher ($roll/$nr) already used and expired"); - $total_minutes = -1; // voucher expired - $error++; - } else { - // mark bit for this voucher as used - $bitstring[$roll][$pos] = chr(ord($bitstring[$roll][$pos]) | $mask); - $test_result[] = "$voucher ($roll/$nr) good for {$minutes_per_roll[$roll]} Minutes"; - $total_minutes += $minutes_per_roll[$roll]; - } - } - } else { - $test_result[] = "$voucher ($roll/$nr): not found on any registererd Roll"; - captiveportal_syslog("$voucher ($roll/$nr): not found on any registererd Roll"); - } - } else { - // hmm, thats weird ... 
not what I expected - $test_result[] = "$voucher invalid: $result !!"; - captiveportal_syslog("$voucher invalid: $result !!"); - $error++; - } - } + $total_minutes = -1; // voucher expired + $error++; + } else { + // mark bit for this voucher as used + $bitstring[$roll][$pos] = chr(ord($bitstring[$roll][$pos]) | $mask); + $test_result[] = "$voucher ($roll/$nr) good for {$minutes_per_roll[$roll]} Minutes"; + $total_minutes += $minutes_per_roll[$roll]; + } + } + } else { + $test_result[] = "$voucher ($roll/$nr): not found on any registererd Roll"; + captiveportal_syslog("$voucher ($roll/$nr): not found on any registererd Roll"); + } + } else { + // hmm, thats weird ... not what I expected + $test_result[] = "$voucher invalid: $result !!"; + captiveportal_syslog("$voucher invalid: $result !!"); + $error++; + } + } - // if this was a test call, we're done. Return the result. - if ($test) { - if ($error) { - $test_result[] = "Access denied!"; - } else { - $test_result[] = "Access granted for $total_minutes Minutes in total."; - } - unlock($voucherlck); - return $test_result; - } + // if this was a test call, we're done. Return the result. + if ($test) { + if ($error) { + $test_result[] = "Access denied!"; + } else { + $test_result[] = "Access granted for $total_minutes Minutes in total."; + } + unlock($voucherlck); - // if we had an error (one of the vouchers is invalid), return 0. - // Discussion: we could return the time remaining for good vouchers, but then - // the user wouldn't know that he used at least one invalid voucher. + return $test_result; + } - if ($error) { + // if we had an error (one of the vouchers is invalid), return 0. + // Discussion: we could return the time remaining for good vouchers, but then + // the user wouldn't know that he used at least one invalid voucher. 
+ if ($error) { unlock($voucherlck); - if ($total_minutes > 0) // probably not needed, but want to make sure - $total_minutes = 0; // we only report -1 (expired) or 0 (no access) - return $total_minutes; // well, at least one voucher had errors. Say NO ACCESS - } + if ($total_minutes > 0) // probably not needed, but want to make sure + $total_minutes = 0; // we only report -1 (expired) or 0 (no access) + return $total_minutes; // well, at least one voucher had errors. Say NO ACCESS + } // If we did a XMLRPC sync earlier check the timeleft - if(!empty($a_voucher['vouchersyncdbip'])) + if (!empty($config['voucher']['vouchersyncdbip'])) if($remote_time_used < $total_minutes) $total_minutes = $remote_time_used; - // All given vouchers were valid and this isn't simply a test. - // Write back the used DB's - + // All given vouchers were valid and this isn't simply a test. + // Write back the used DB's if (is_array($bitstring)) { foreach ($bitstring as $roll => $used) { if(is_array($used)) { 
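Review bot: `if($remote_time_used < $total_minutes) $total_minutes = $remote_time_used;` takes whatever the sync helper returned without checking it is a number; if, like the sibling sync helpers in this file, it returns `false` on a communications error, the comparison is true and the function ends up returning `false` — access is denied, which fails closed, but nothing in the log distinguishes a sync outage from an exhausted voucher. Make it explicit: `if ($remote_time_used === false) { captiveportal_syslog("voucher sync failed, denying"); $total_minutes = 0; } elseif ($remote_time_used < $total_minutes) $total_minutes = $remote_time_used;`. Most of this hunk is a re-indent; on the re-indented lines `split("[\t\n\r ]+", ...)` is deprecated in favour of `preg_split('/[\t\n\r ]+/', ...)`. voucher_auth starts before this hunk.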
@@ -281,24 +410,23 @@ function voucher_auth($voucher_received, $test = 0) { } } - // Active DB: we only add the first voucher if multiple given - // and give that one all the time credit. This allows the user to logout and - // log in later using just the first voucher. It also keeps username limited - // to one voucher and that voucher shows the correct time credit in 'active vouchers' - - if (!empty($active_vouchers[$first_voucher_roll][$first_voucher])) { - list($timestamp, $minutes) = explode(",", $active_vouchers[$first_voucher_roll][$first_voucher]); - } else { - $timestamp = time(); // new voucher - $minutes = $total_minutes; - } + // Active DB: we only add the first voucher if multiple given + // and give that one all the time credit. This allows the user to logout and + // log in later using just the first voucher. It also keeps username limited + // to one voucher and that voucher shows the correct time credit in 'active vouchers' + if (!empty($active_vouchers[$first_voucher_roll][$first_voucher])) { + list($timestamp, $minutes) = explode(",", $active_vouchers[$first_voucher_roll][$first_voucher]); + } else { + $timestamp = time(); // new voucher + $minutes = $total_minutes; + } - $active_vouchers[$first_voucher_roll][$first_voucher] = "$timestamp,$minutes"; - voucher_write_active_db($roll, $active_vouchers[$first_voucher_roll]); + $active_vouchers[$first_voucher_roll][$first_voucher] = "$timestamp,$minutes"; + voucher_write_active_db($roll, $active_vouchers[$first_voucher_roll]); - unlock($voucherlck); + unlock($voucherlck); - return $total_minutes; + return $total_minutes; } function voucher_configure($sync = false) { 
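Review bot: `voucher_write_active_db($roll, $active_vouchers[$first_voucher_roll]);` writes the first voucher's active entries under `$roll`, which as far as visible is the leftover loop variable of the preceding `foreach ($bitstring as $roll => $used)` and not necessarily the roll the first voucher belongs to; when vouchers from several rolls are submitted together, the active DB of the last-iterated roll is overwritten with another roll's entries. The roll and the entries should agree: `voucher_write_active_db($first_voucher_roll, $active_vouchers[$first_voucher_roll]);`. The rest of this hunk is a re-indent, and voucher_auth's body starts before the hunk.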
@@ -352,11 +480,10 @@ function voucher_configure($sync = false) { if (($g['booting'] || $sync == true) && is_array($config['voucher']['roll'])) { - // create active and used DB per roll on ramdisk from config - $a_roll = &$config['voucher']['roll']; $voucherlck = lock('voucher', LOCK_EX); - foreach ($a_roll as $rollent) { + // create active and used DB per roll on ramdisk from config + foreach ($config['voucher']['roll'] as $rollent) { $roll = $rollent['number']; voucher_write_used_db($roll, $rollent['used']); @@ -432,6 +559,8 @@ function voucher_read_active_db($roll) { function voucher_write_active_db($roll, $active) { global $g; + if (!is_array($active)) + return; $fd = fopen("{$g['vardb_path']}/voucher_active_$roll.db", "w"); if ($fd) { foreach($active as $voucher => $value) diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index 80e3a85..819d396 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -894,8 +894,7 @@ EOD; /* FIXME: does adding route-to and reply-to on the in/outbound * rules fix this? smos@ 13-01-2009 */ // log_error("IPSEC interface is not WAN but {$parentinterface}, adding static route for VPN endpoint {$rgip} via {$gatewayip}"); - mwexec("/sbin/route delete -host {$rgip}"); - mwexec("/sbin/route add -host {$rgip} {$gatewayip}"); + mwexec("/sbin/route delete -host {$rgip}; /sbin/route add -host {$rgip} {$gatewayip}", true); } } } diff --git a/etc/rc.filter_synchronize b/etc/rc.filter_synchronize index 0fe4c15..2700eac 100755 --- a/etc/rc.filter_synchronize +++ b/etc/rc.filter_synchronize 
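Review bot: The new `if (!is_array($active)) return;` guard skips the `fopen(..., "w")` that previously truncated `voucher_active_$roll.db`, so when a roll has no `active` entry the ramdisk file keeps whatever was written on the last run (for example from a previous sync) instead of being emptied. If the intent of a missing entry is "no active vouchers", normalise rather than bail out: `if (!is_array($active)) $active = array();` before the fopen still avoids the foreach warning and clears the file. The function's closing lines are outside the hunk.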
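Review bot: The combined command `/sbin/route delete -host {$rgip}; /sbin/route add -host {$rgip} {$gatewayip}` interpolates `$rgip` and `$gatewayip` unquoted into a single shell line, so the shell now parses both values along with the `;`; unless both are guaranteed to have passed is_ipaddr() upstream (not visible in this hunk) they should be wrapped with escapeshellarg(). For example: `$rg = escapeshellarg($rgip); $gw = escapeshellarg($gatewayip); mwexec("/sbin/route delete -host {$rg}; /sbin/route add -host {$rg} {$gw}", true);`. Note that mwexec()'s return value now reflects only the `route add`, which is probably what is wanted. The enclosing function starts and ends outside the hunk.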
@@ -392,7 +392,7 @@ if (is_array($config['installedpackages']['carpsettings']['config'])) { update_filter_reload_status("Signaling CARP reload signal..."); carp_sync_xml($synchronizetoip, $carp['password'], $sections, $port); if (is_array($mergesections)) - carp_sync_xml($synchronizetoip, $carp['password'], $mergesections, $port, 'pfsense.merge_config_section'); + carp_sync_xml($synchronizetoip, $carp['password'], $mergesections, $port, 'pfsense.restore_config_section'); $cli = new XML_RPC_Client('/xmlrpc.php', $synchronizetoip, $port); $params = array( XML_RPC_encode($carp['password']) diff --git a/etc/rc.initial.setlanip b/etc/rc.initial.setlanip index c1f6ddc..e95acd4 100755 --- a/etc/rc.initial.setlanip +++ b/etc/rc.initial.setlanip @@ -219,7 +219,7 @@ $upperifname = strtoupper($interface); echo "\nPlease wait, saving and activating your changes to {$upperifname}..."; write_config(gettext("{$interface} IP configuration from console menu")); - interface_configure(strtolower($upperifname)); + interface_reconfigure(strtolower($upperifname)); echo " Reloading filter..."; filter_configure_sync(); echo "\n"; diff --git a/etc/rc.newwanip b/etc/rc.newwanip index d9d5317..01c6890 100755 --- a/etc/rc.newwanip +++ b/etc/rc.newwanip @@ -51,7 +51,7 @@ function restart_packages() { /* restart packages */ system_ntp_configure(); log_error("{$g['product_name']} package system has detected an ip change $oldip -> $curwanip ... Restarting packages."); - mwexec_bg("/etc/rc.start_packages"); + send_event("reload packages"); } /* Interface IP address has changed */ diff --git a/etc/rc.shutdown b/etc/rc.shutdown index 14faf80..c7e8b25 100755 --- a/etc/rc.shutdown +++ b/etc/rc.shutdown @@ -5,10 +5,6 @@ if ! /usr/bin/lockf -s -t 30 /tmp/config.lock /usr/bin/true; then exit -1 fi -if [ -e /dev/ukbd0 ]; then - /usr/sbin/vidcontrol -s 2 -fi - product=`cat /etc/inc/globals.inc | grep product_name | cut -d'"' -f4` echo 
diff --git a/etc/rc.stop_packages b/etc/rc.stop_packages index 95e77fd..f20fa04 100755..100644 --- a/etc/rc.stop_packages +++ b/etc/rc.stop_packages @@ -51,7 +51,7 @@ else { if (is_array($config['installedpackages']['package'])) { foreach($config['installedpackages']['package'] as $package) { - echo " Stoping package {$package['name']}..."; + echo " Stopping package {$package['name']}..."; stop_service($package['name']); unset($rcfiles["{$rcfileprefix}{$package['name']}.sh"]); echo "done.\n"; @@ -61,7 +61,7 @@ if (is_array($config['installedpackages']['package'])) { $shell = @popen("/bin/sh", "w"); if ($shell) { foreach ($rcfiles as $rcfile => $number) { - echo " Stoping {$rcfile}..."; + echo " Stopping {$rcfile}..."; fwrite($shell, "{$rcfile} stop >>/tmp/bootup_messages 2>&1"); echo "done.\n"; } diff --git a/tmp/post_upgrade_command b/tmp/post_upgrade_command index 99285e4..8603a53 100755 --- a/tmp/post_upgrade_command +++ b/tmp/post_upgrade_command @@ -2,7 +2,9 @@ /etc/rc.conf_mount_rw +PFSENSETYPE=`cat /etc/platform` KERNELTYPE=`cat /boot/kernel/pfsense_kernel.txt` + if [ $KERNELTYPE = "wrap" ]; then if [ -f /kernels/kernel_wrap.gz ]; then tar xzpf /kernels/kernel_wrap.gz --exclude loader.conf -C /boot/ @@ -26,6 +28,10 @@ if [ $KERNELTYPE = "UP" ]; then fi fi +if [ $PFSENSETYPE = "pfSense" ] || [ $PFSENSETYPE = "nanobsd" ]; then + touch /conf/needs_package_sync +fi + # Detect interactive logins and display the shell echo "if [ \`env | grep SSH_TTY | wc -l\` -gt 0 ] || [ \`env | grep cons25 | wc -l\` -gt 0 ]; then" > $CVS_CO_DIR/root/.shrc echo " /etc/rc.initial" >> $CVS_CO_DIR/root/.shrc @@ -37,7 +43,7 @@ echo " exit" >> $CVS_CO_DIR/root/.profile echo "fi" >> $CVS_CO_DIR/root/.profile # Now turn on or off serial console as needed -php -f /tmp/post_upgrade_command.php +/tmp/post_upgrade_command.php # Remove any previous MD5 sum files rm -f /root/*.md5 
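Review bot: `if [ $PFSENSETYPE = "pfSense" ] || [ $PFSENSETYPE = "nanobsd" ]; then` expands the variable unquoted, so if /etc/platform is missing or empty both tests become `[ = "pfSense" ]`, `test` reports a syntax error and the `needs_package_sync` flag is silently never touched (the script has no `set -e`). Quote it: `if [ "$PFSENSETYPE" = "pfSense" ] || [ "$PFSENSETYPE" = "nanobsd" ]; then`. The same applies to the pre-existing `[ $KERNELTYPE = ... ]` tests now that `PFSENSETYPE` is read alongside them at the top.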
@@ -45,7 +51,6 @@ rm -f /root/*.md5 # File moved to pfSense php shell (pfSsh.php) rm -rf /usr/local/sbin/cvs_sync.sh -PFSENSETYPE=`cat /etc/platform` if [ $PFSENSETYPE = "embedded" ]; then cp /etc/ttys_wrap /etc/ttys fi @@ -53,4 +58,3 @@ fi if [ -f /usr/local/sbin/php ]; then rm /usr/local/sbin/php fi - diff --git a/tmp/post_upgrade_command.php b/tmp/post_upgrade_command.php index dfe9342..a188710 100755 --- a/tmp/post_upgrade_command.php +++ b/tmp/post_upgrade_command.php @@ -20,9 +20,6 @@ setup_serial_port(); - if($g['platform'] == "pfSense" or $g['platform'] == "nanobsd") - touch("/conf/needs_package_sync"); - $files_to_process = split("\n", file_get_contents("/etc/pfSense.obsoletedfiles")); foreach($files_to_process as $filename) if(file_exists($filename)) diff --git a/usr/local/pkg/routed.inc b/usr/local/pkg/routed.inc index 4d1b1d8..ec730d5 100644 --- a/usr/local/pkg/routed.inc +++ b/usr/local/pkg/routed.inc @@ -39,10 +39,15 @@ function setup_routed() { if (isset($config['installedpackages']['routed']['config'][0]['enable']) && $config['installedpackages']['routed']['config'][0]['enable'] == "on") { /* if user selected individual interfaces */ - $ifarr = explode(",", $config['installedpackages']['routed']['config'][0]['iface_array']); + $ifarr = array_flip(explode(",", $config['installedpackages']['routed']['config'][0]['iface_array'])); + $allifs = get_interface_arr(); if (!empty($ifarr)) { - foreach($ifarr as $ifname) { - $gw .= setup_etc_gateways($ifname, 'enable'); + foreach($allifs as $ifname) { + $friendly_ifname = convert_real_interface_to_friendly_interface_name($ifname); + if (array_key_exists($friendly_ifname, $ifarr)) + $gw .= setup_etc_gateways($ifname, 'enable'); + else + $gw .= setup_etc_gateways($ifname, 'disable'); } } else /* setup for all interfaces */ @@ -76,7 +81,7 @@ function setup_etc_gateways($iface="", $mode="") { } break; case "disable": - $ret .= "no_rip "; + $ret .= "no_rip_out no_solicit no_rdisc no_rdisc_adv"; break; default: 
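Review bot: With `array_flip(explode(",", ...))` an empty `iface_array` becomes `array("" => 0)`, which is not `empty()`, so the `/* setup for all interfaces */` branch stays unreachable and — new with this hunk — the loop over `get_interface_arr()` emits `disable` for every interface, silently switching RIP off when nothing is selected (before, the lone `""` entry was passed to `setup_etc_gateways()` with `enable`). Dropping empty elements makes the fallback reachable: `$ifarr = array_flip(array_filter(explode(",", $config['installedpackages']['routed']['config'][0]['iface_array'])));`. Whether `iface_array` can actually be saved empty while `enable` is on is not visible here. setup_routed() begins before the hunk.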
diff --git a/usr/local/www/firewall_nat_1to1_edit.php b/usr/local/www/firewall_nat_1to1_edit.php index e9f4577..135d0e9 100755 --- a/usr/local/www/firewall_nat_1to1_edit.php +++ b/usr/local/www/firewall_nat_1to1_edit.php @@ -99,6 +99,15 @@ if ($_POST) { unset($input_errors); $pconfig = $_POST; + /* run through $_POST items encoding HTML entties so that the user + * cannot think he is slick and perform a XSS attack on the unwilling + */ + foreach ($_POST as $key => $value) { + $temp = str_replace(">", "", $value); + $newpost = htmlentities($temp); + if($newpost <> $temp) + $input_errors[] = sprintf(gettext("Invalid characters detected (%s). Please remove invalid characters and save again."),$temp); + } /* input validation */ $reqdfields = explode(" ", "interface external"); diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php index 3dc1d83..5aa069c 100755 --- a/usr/local/www/firewall_nat_edit.php +++ b/usr/local/www/firewall_nat_edit.php @@ -101,6 +101,7 @@ if (isset($_GET['dup'])) /* run through $_POST items encoding HTML entties so that the user * cannot think he is slick and perform a XSS attack on the unwilling */ +unset($input_errors); foreach ($_POST as $key => $value) { $temp = $value; $newpost = htmlentities($temp); @@ -173,7 +174,6 @@ if ($_POST) { $_POST['dsttype'] = "single"; } - unset($input_errors); $pconfig = $_POST; /* input validation */ @@ -290,6 +290,9 @@ if ($_POST) { } } + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/input_validation"); + if (!$input_errors) { $natent = array(); @@ -410,6 +413,9 @@ if ($_POST) { mark_subsystem_dirty('filter'); } + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/pre_write_config"); + // Update the NAT entry now if (isset($id) && $a_nat[$id]) $a_nat[$id] = $natent; 
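Review bot: The added `$_POST` sweep rejects far more than markup: `htmlentities($temp)` also rewrites `&`, `"`, `'` and, depending on PHP's default charset, non-ASCII bytes, so a description such as `Bob's server` can no longer be saved, and for an array-valued field it returns `null` with a warning so that field is always rejected (the identical loop this commit removes from firewall_rules_edit.php carried a special case for exactly that). `$temp` is also echoed back inside the error text; that is only safe if print_input_errors() escapes its argument, which is not visible here. If the goal is to block angle brackets, test for them directly and skip non-strings: `if (is_string($value) && preg_match('/[<>]/', $value)) $input_errors[] = ...;` — escaping at output time remains the real XSS defence either way. The surrounding `if ($_POST)` block starts before the hunk.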
@@ -443,6 +449,10 @@ include("fbegin.inc"); ?> <tr> <td colspan="2" valign="top" class="listtopic"><?=gettext("Edit Redirect entry"); ?></td> </tr> +<?php + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/htmlphpearly"); +?> <tr> <td width="22%" valign="top" class="vncellreq"><?=gettext("Disabled"); ?></td> <td width="78%" class="vtable"> @@ -817,6 +827,10 @@ include("fbegin.inc"); ?> </select> </td> </tr><?php endif; ?> +<?php + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/htmlphplate"); +?> <tr> <td width="22%" valign="top"> </td> <td width="78%"> </td> diff --git a/usr/local/www/firewall_nat_out.php b/usr/local/www/firewall_nat_out.php index 6535fe8..db20a27 100755 --- a/usr/local/www/firewall_nat_out.php +++ b/usr/local/www/firewall_nat_out.php 
@@ -125,16 +125,23 @@ if (isset($_POST['save']) && $_POST['save'] == "Save") { $natent['natport'] = ""; $a_out[] = $natent; + $natent = array(); + $natent['source']['network'] = "127.0.0.0/8"; + $natent['dstport'] = ""; + $natent['descr'] = sprintf(gettext('Auto created rule for localhost to %1$s'),$ifdesc2); + $natent['target'] = ""; + $natent['interface'] = $if2; + $natent['destination']['any'] = true; + $natent['staticnatport'] = false; + $natent['natport'] = "1024:65535"; + $a_out[] = $natent; + /* PPTP subnet */ - if($config['pptpd']['mode'] == "server") { - if (is_ipaddr($config['pptpd']['localip'])) { - if($config['pptpd']['pptp_subnet'] <> "") - $ossubnet = $config['pptpd']['pptp_subnet']; - else - $ossubnet = "32"; - $osn = gen_subnet($config['pptpd']['localip'], $ossubnet); + if (($config['pptpd']['mode'] == "server") && is_private_ip($config['pptpd']['remoteip'])) { + $pptp_subnets = ip_range_to_subnet_array($config['pptpd']['remoteip'], long2ip32(ip2long($config['pptpd']['remoteip'])+$config['pptpd']['n_pptp_units'])); + foreach ($pptp_subnets as $pptpsn) { $natent = array(); - $natent['source']['network'] = "{$osn}/{$ossubnet}"; + $natent['source']['network'] = $pptpsn; $natent['sourceport'] = ""; $natent['descr'] = gettext("Auto created rule for PPTP server"); $natent['target'] = ""; diff --git a/usr/local/www/firewall_nat_out_edit.php b/usr/local/www/firewall_nat_out_edit.php index 4d960f2..72bc556 100755 --- a/usr/local/www/firewall_nat_out_edit.php +++ b/usr/local/www/firewall_nat_out_edit.php @@ -46,7 +46,7 @@ require("filter.inc"); require("shaper.inc"); if (!is_array($config['nat']['advancedoutbound'])) - $config['nat']['advancedoutbound'] = array(); + $config['nat']['advancedoutbound'] = array(); if (!is_array($config['nat']['advancedoutbound']['rule'])) { $config['nat']['advancedoutbound']['rule'] = array(); 
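Review bot: The end of the PPTP range is computed as `remoteip + n_pptp_units`, which is one address past the last client if `n_pptp_units` is the number of addresses handed out starting at `remoteip` (N addresses span `remoteip .. remoteip+N-1`); with `n_pptp_units` unset the addition also silently degrades to a one-address range. Consider `$pptp_units = max(1, (int)$config['pptpd']['n_pptp_units']);` and passing `long2ip32(ip2long($config['pptpd']['remoteip']) + $pptp_units - 1)` as the range end — assuming that is the field's meaning, which should be confirmed against the PPTP server code. Note also that the new `is_private_ip()` gate means a public `remoteip` gets no auto outbound NAT rule at all, a change from the old `localip`-based rule worth a comment. The enclosing `if (isset($_POST['save']) ...)` block starts before the hunk.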
@@ -115,6 +115,15 @@ if ($_POST) { unset($input_errors); $pconfig = $_POST; + /* run through $_POST items encoding HTML entties so that the user + * cannot think he is slick and perform a XSS attack on the unwilling + */ + foreach ($_POST as $key => $value) { + $temp = str_replace(">", "", $value); + $newpost = htmlentities($temp); + if($newpost <> $temp) + $input_errors[] = sprintf(gettext("Invalid characters detected (%s). Please remove invalid characters and save again."),$temp); + } /* input validation */ $reqdfields = explode(" ", "interface protocol source source_subnet destination destination_subnet"); @@ -209,6 +218,9 @@ if ($_POST) { } } + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_aon/input_validation"); + if (!$input_errors) { $natent = array(); $natent['source']['network'] = $osn; @@ -265,6 +277,9 @@ if ($_POST) { $natent['destination']['not'] = true; } + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_aon/pre_write_config"); + if (isset($id) && $a_out[$id]) { $a_out[$id] = $natent; } else { @@ -387,6 +402,10 @@ function poolopts_change() { <tr> <td colspan="2" valign="top" class="listtopic"><?=gettext("Edit Advanced Outbound NAT entry");?></td> </tr> +<?php + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_rules/htmlphpearly"); +?> <tr> <td width="22%" valign="top" class="vncell"><?=gettext("Do not NAT");?></td> <td width="78%" class="vtable"> 
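Review bot: The `htmlphpearly` hook in firewall_nat_out_edit.php is wired to `/usr/local/pkg/firewall_rules/htmlphpearly` while every other hook added to this file (`input_validation`, `pre_write_config`, `htmlphplate`) lives under `firewall_aon/`, so a package extending the outbound-NAT page would have its early HTML injected into the firewall-rules page instead, and a rules-page extension would also appear here. This looks like a copy/paste slip: `pfSense_handle_custom_code("/usr/local/pkg/firewall_aon/htmlphpearly");`.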
@@ -620,6 +639,10 @@ any)");?></td> <br> <span class="vexpl"><?=gettext("You may enter a description here " . "for your reference (not parsed).");?></span></td> </tr> +<?php + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_aon/htmlphplate"); +?> <tr> <td width="22%" valign="top"> </td> <td width="78%"> diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php index 542f832..41e537e 100755 --- a/usr/local/www/firewall_rules_edit.php +++ b/usr/local/www/firewall_rules_edit.php @@ -256,19 +256,6 @@ if ($_POST) { unset($input_errors); $pconfig = $_POST; - /* run through $_POST items encoding HTML entties so that the user - * cannot think he is slick and perform a XSS attack on the unwilling - */ - foreach ($_POST as $key => $value) { - $temp = str_replace(">", "", $value); - - if (isset($_POST['floating']) && $key == "interface") - continue; - $newpost = htmlentities($temp); - if($newpost <> $temp) - $input_errors[] = sprintf(gettext("Invalid characters detected (%s). Please remove invalid characters and save again."),$temp); - } - /* input validation */ $reqdfields = explode(" ", "type proto"); if ( isset($a_filter[$id]['associated-rule-id'])===false ) { @@ -404,6 +391,9 @@ if ($_POST) { $input_errors[] = gettext("If you specify TCP flags that should be set you should specify out of which flags as well."); } + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_rules/input_validation"); + if (!$input_errors) { $filterent = array(); $filterent['id'] = $_POST['ruleid']>0?$_POST['ruleid']:''; 
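Review bot: This removes the `htmlentities()` rejection sweep from firewall_rules_edit.php while the same commit adds a copy of it to firewall_nat_1to1_edit.php and firewall_nat_out_edit.php, leaving the three edit pages with opposite input policies; if the removal is because the sweep broke array-valued fields (the deleted code special-cased `interface` on floating rules), the new copies inherit that problem. With the sweep gone, the rules page relies entirely on escaping at output time, which this hunk does not show; a one-line comment at the removal site such as `/* No input filtering here: every field is htmlspecialchars()'d when rendered */` would make that contract explicit, provided it holds. The surrounding `if ($_POST)` block starts before the hunk.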
@@ -551,6 +541,9 @@ if ($_POST) { $filterent['associated-rule-id'] = $a_filter[$id]['associated-rule-id']; } + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_rules/pre_write_config"); + if (isset($id) && $a_filter[$id]) $a_filter[$id] = $filterent; else { @@ -561,6 +554,7 @@ if ($_POST) { } filter_rules_sort(); + write_config(); mark_subsystem_dirty('filter'); @@ -603,6 +597,10 @@ include("head.inc"); <tr> <td colspan="2" valign="top" class="listtopic"><?=gettext("Edit Firewall rule");?></td> </tr> +<?php + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_rules/htmlphpearly"); +?> <tr> <td width="22%" valign="top" class="vncellreq"><?=gettext("Action");?></td> <td width="78%" class="vtable"> @@ -1405,6 +1403,10 @@ $i--): ?> </div> </td> </tr> +<?php + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_rules/htmlphplate"); +?> <tr> <td width="22%" valign="top"> </td> <td width="78%"> diff --git a/usr/local/www/interfaces.php b/usr/local/www/interfaces.php index e001903..0ecf1d3 100755 --- a/usr/local/www/interfaces.php +++ b/usr/local/www/interfaces.php @@ -346,7 +346,7 @@ if ($_POST['apply']) { log_error("removing old v6 address {$values['ipaddrv6']} on {$realif}"); mwexec("/sbin/ifconfig {$realif} inet6 {$values['ipaddrv6']} -alias"); } - interface_reconfigure($ifapply); + interface_reconfigure($ifapply, true); } else { interface_bring_down($ifapply); } 
@@ -814,6 +814,15 @@ if ($_POST['apply']) { } else { $wancfg['mss'] = $_POST['mss']; } + if (empty($_POST['mediaopt'])) { + unset($wancfg['media']); + unset($wancfg['mediaopt']); + } else { + $mediaopts = explode(' ', $_POST['mediaopt']); + if ($mediaopts[0] != ''){ $wancfg['media'] = $mediaopts[0]; } + if ($mediaopts[1] != ''){ $wancfg['mediaopt'] = $mediaopts[1]; } + else { unset($wancfg['mediaopt']); } + } if (isset($wancfg['wireless'])) { handle_wireless_post(); } @@ -1006,6 +1015,21 @@ function check_wireless_mode() { } } +// Find all possible media options for the interface +$mediaopts_list = array(); +$intrealname = $config['interfaces'][$if]['if']; +exec("/sbin/ifconfig -m $intrealname | grep \"media \"", $mediaopts); +foreach ($mediaopts as $mediaopt){ + preg_match("/media (.*)/", $mediaopt, $matches); + if (preg_match("/(.*) mediaopt (.*)/", $matches[1], $matches1)){ + // there is media + mediaopt like "media 1000baseT mediaopt full-duplex" + array_push($mediaopts_list, $matches1[1] . " " . $matches1[2]); + }else{ + // there is only media like "media 1000baseT" + array_push($mediaopts_list, $matches[1]); + } +} + $pgtitle = array(gettext("Interfaces"), $pconfig['descr']); $statusurl = "status_interfaces.php"; 
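Review bot: `$_POST['mediaopt']` is stored into `$wancfg['media']`/`$wancfg['mediaopt']` without being checked against `$mediaopts_list`, so any string submitted by the webConfigurator user lands in config.xml and, presumably, in the ifconfig command built elsewhere from these values; it should be validated as a member of the list, which means the detection block (currently computed after the save path) has to move above it. The detection block has two further problems: `exec()` appends to an existing output array and `$mediaopts` is the same variable the save path fills via `explode(' ', $_POST['mediaopt'])`, so on a save that falls through to rendering the first entries are not ifconfig lines and `$matches[1]` is undefined; and `$intrealname`, taken from config, is interpolated unquoted. The rewrite below plus `if (!empty($_POST['mediaopt']) && !in_array($_POST['mediaopt'], $mediaopts_list, true)) $input_errors[] = gettext("Invalid speed/duplex setting for this interface.");` in input validation addresses all three; `$mediaopts[1]` should also be guarded with isset() for media-only lines.
```php
// Find all possible media options for the interface; computed before the
// save path so the submitted value can be validated against the list.
$mediaopts_list = array();
$intrealname = $config['interfaces'][$if]['if'];
$ifconfig_lines = array();   // fresh array: exec() appends to an existing one
if (!empty($intrealname))
	exec("/sbin/ifconfig -m " . escapeshellarg($intrealname) . " | grep \"media \"", $ifconfig_lines);
foreach ($ifconfig_lines as $line) {
	if (!preg_match("/media (.*)/", $line, $matches))
		continue;
	// … unchanged: split "media X mediaopt Y" into "X Y", else keep "X" …
}
```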
@@ -1272,6 +1296,35 @@ $types = array("none" => gettext("None"), "staticv4" => gettext("Static IPv4"), "header size) will be in effect."); ?> </td> </tr> + <?php + if (count($mediaopts_list) > 0){ + $mediaopt_from_config = $config['interfaces'][$if]['media'] . ' ' . $config['interfaces'][$if]['mediaopt']; + echo "<tr>"; + echo '<td valign="top" class="vncell">' . gettext("Speed and duplex") . '</td>'; + echo '<td class="vtable">'; + echo '<div id="showadvmediabox"'; + if ($mediaopt_from_config != 'autoselect ' && $mediaopt_from_config != ' ') echo " style='display:none'>"; + else echo '>'; + echo '<input type="button" onClick="show_advanced_media()" value="' . gettext("Advanced") . '"></input> - ' . gettext("Show advanced option"); + echo "</div>"; + echo '<div id="showmediaadv" '; + if ($mediaopt_from_config == 'autoselect ' || $mediaopt_from_config == ' ') echo "style='display:none'>"; + else echo '>'; + echo '<select name="mediaopt" class="formselect" id="mediaopt">'; + foreach($mediaopts_list as $mediaopt){ + if ($mediaopt != rtrim($mediaopt_from_config)){ + print "<option value=\"$mediaopt\">" . gettext("$mediaopt") . "</option>"; + } else { + print "<option value=\"$mediaopt\" selected>" . gettext("$mediaopt") . "</option>"; + } + } + echo '</select><br>'; + echo gettext("Here you can explicitely set up speed and duplex mode for the interface."); + echo '</div>'; + echo '</td>'; + echo '</tr>'; + } + ?> <tr> <td colspan="2" valign="top" height="16"></td> </tr> @@ -2488,6 +2541,11 @@ $types = array("none" => gettext("None"), "staticv4" => gettext("Static IPv4"), report_failure(); } } + function show_advanced_media() { + document.getElementById("showadvmediabox").innerHTML=''; + aodiv = document.getElementById('showmediaadv'); + aodiv.style.display = "block"; + } function save_callback_v6(transport) { var response_v6 = transport.responseText; if(response_v6) { 
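Review bot: The `<option>` values are printed straight from the ifconfig output without escaping, and `gettext("$mediaopt")` on a runtime string has no translation to find; consistent with the rest of the page, the value should go through htmlspecialchars() and the gettext() call be dropped: `print "<option value=\"" . htmlspecialchars($mediaopt) . "\"" . ($mediaopt == rtrim($mediaopt_from_config) ? " selected" : "") . ">" . htmlspecialchars($mediaopt) . "</option>";`. The `'autoselect '` / `' '` comparisons also work only because of the trailing space introduced by the `. ' ' .` concatenation; building `$mediaopt_from_config` with trim() and comparing against `'autoselect'` and `''` would make the intent readable.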
diff --git a/usr/local/www/interfaces_vlan_edit.php b/usr/local/www/interfaces_vlan_edit.php index 145fe0a..08f1a53 100755 --- a/usr/local/www/interfaces_vlan_edit.php +++ b/usr/local/www/interfaces_vlan_edit.php @@ -97,9 +97,13 @@ if ($_POST) { if (!$input_errors) { if (isset($id) && $a_vlans[$id]) { - if ($a_vlans[$id]['if'] != $_POST['if']) - // Destroy previous vlan - pfSense_interface_destroy($a_vlans[$id]['if']); + if (($a_vlans[$id]['if'] != $_POST['if']) || ($a_vlans[$id]['tag'] != $_POST['tag'])) { + if (!empty($a_vlans[$id]['vlanif'])) + // Destroy previous vlan + pfSense_interface_destroy($a_vlans[$id]['vlanif']); + else + pfSense_interface_destroy("{$a_vlans[$id]['if']}_vlan{$a_vlans[$id]['tag']}"); + } } $vlan = array(); $vlan['if'] = $_POST['if']; diff --git a/usr/local/www/services_captiveportal.php b/usr/local/www/services_captiveportal.php index 23e6cd9..586e569 100755 --- a/usr/local/www/services_captiveportal.php +++ b/usr/local/www/services_captiveportal.php @@ -474,7 +474,7 @@ value="<?=htmlspecialchars($pconfig['maxprocperip']);?>"> <?=gettext("per client </tr> <tr> <td colspan="2"><input name="auth_method" type="radio" id="auth_method" value="local" onClick="enable_change(false)" <?php if($pconfig['auth_method']=="local") echo "checked"; ?>> - <?=gettext("Local"); ?> <a href="system_usermanager.php"><?=gettext("User Manager"); ?></a></td> + <?=gettext("Local"); ?> <a href="system_usermanager.php"><?=gettext("User Manager"); ?></a> / <?=gettext("Vouchers"); ?></td> </tr> <tr> <td colspan="2"><input name="auth_method" type="radio" id="auth_method" value="radius" onClick="enable_change(false)" <?php if($pconfig['auth_method']=="radius") echo "checked"; ?>> diff --git a/usr/local/www/services_captiveportal_ip_edit.php b/usr/local/www/services_captiveportal_ip_edit.php index fd87c5b..01d52a2 100755 --- a/usr/local/www/services_captiveportal_ip_edit.php +++ b/usr/local/www/services_captiveportal_ip_edit.php 
@@ -159,6 +159,9 @@ include("head.inc"); <form action="services_captiveportal_ip_edit.php" method="post" name="iform" id="iform"> <table width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> + <td colspan="2" valign="top" class="listtopic"><?=gettext("Edit allowed ip rule");?></td> + </tr> + <tr> <td width="22%" valign="top" class="vncellreq"><?=gettext("Direction"); ?></td> <td width="78%" class="vtable"> <select name="dir" class="formfld"> diff --git a/usr/local/www/services_captiveportal_mac.php b/usr/local/www/services_captiveportal_mac.php index 25c250c..f42ac80 100755 --- a/usr/local/www/services_captiveportal_mac.php +++ b/usr/local/www/services_captiveportal_mac.php @@ -108,6 +108,7 @@ if ($_GET['act'] == "del") { if ($a_passthrumacs[$_GET['id']]) { $ruleno = captiveportal_get_ipfw_passthru_ruleno($a_passthrumacs[$_GET['id']]['mac']); if ($ruleno) { + captiveportal_free_ipfw_ruleno($ruleno); mwexec("/sbin/ipfw delete {$ruleno}; /sbin/ipfw delete " . ++$ruleno); } unset($a_passthrumacs[$_GET['id']]); diff --git a/usr/local/www/services_captiveportal_mac_edit.php b/usr/local/www/services_captiveportal_mac_edit.php index aabf4b3..07f6d8c 100755 --- a/usr/local/www/services_captiveportal_mac_edit.php +++ b/usr/local/www/services_captiveportal_mac_edit.php @@ -153,6 +153,9 @@ include("head.inc"); <?php if ($input_errors) print_input_errors($input_errors); ?> <form action="services_captiveportal_mac_edit.php" method="post" name="iform" id="iform"> <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="top" class="listtopic"><?=gettext("Edit Pass-through MAC address");?></td> + </tr> <tr> <td width="22%" valign="top" class="vncellreq"><?=gettext("MAC address"); ?></td> <td width="78%" class="vtable"> diff --git a/usr/local/www/services_captiveportal_vouchers.php b/usr/local/www/services_captiveportal_vouchers.php index 203906a..f5af953 100644 --- a/usr/local/www/services_captiveportal_vouchers.php 
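Review bot: `captiveportal_free_ipfw_ruleno($ruleno)` now runs before the two `ipfw delete` calls, so the number is back in the free pool while its rules are still installed; unless the caller holds a lock that also covers allocation (not visible here), a concurrent pass-through add can be handed the same number and have its freshly installed rules removed by the very next line. Delete first, then release, and avoid mutating `$ruleno` with `++` so the freed number is the one that was allocated: `mwexec("/sbin/ipfw delete {$ruleno}; /sbin/ipfw delete " . ($ruleno + 1)); captiveportal_free_ipfw_ruleno($ruleno);`. The `$_GET['act'] == "del"` handler this sits in starts before the hunk.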
+++ b/usr/local/www/services_captiveportal_vouchers.php @@ -39,6 +39,8 @@ $statusurl = "status_captiveportal_vouchers.php"; $logurl = "diag_logs_auth.php"; +if ($_POST['postafterlogin']) + $nocsrf= true; require("guiconfig.inc"); require("functions.inc"); require("filter.inc"); @@ -116,9 +118,8 @@ if ($_GET['act'] == "del") { exit; } } - /* print all vouchers of the selected roll */ -if ($_GET['act'] == "csv") { +else if ($_GET['act'] == "csv") { $privkey = base64_decode($config['voucher']['privatekey']); if (strstr($privkey,"BEGIN RSA PRIVATE KEY")) { $fd = fopen("{$g['varetc_path']}/voucher.private","w"); @@ -164,6 +165,12 @@ $pconfig['vouchersyncusername'] = $config['voucher']['vouchersyncusername']; if ($_POST) { unset($input_errors); + + if ($_POST['postafterlogin']) { + voucher_expire($_POST['voucher_expire']); + exit; + } + $pconfig = $_POST; /* input validation */ @@ -199,6 +206,8 @@ if ($_POST) { $input_errors[] = gettext("This doesn't look like an RSA Public key."); if ($_POST['privatekey'] && (!strstr($_POST['privatekey'],"BEGIN RSA PRIVATE KEY"))) $input_errors[] = gettext("This doesn't look like an RSA Private key."); + if ($_POST['vouchersyncdbip'] && (is_ipaddr_configured($_POST['vouchersyncdbip']))) + $input_errors[] = gettext("You cannot sync the voucher database to this host (itself)."); } if (!$input_errors) { 
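Review bot: `if ($_POST['postafterlogin']) $nocsrf = true;` lets the client decide whether the CSRF check runs, and the matching branch in the save path calls `voucher_expire($_POST['voucher_expire'])` and exits, so any page a logged-in admin visits can expire arbitrary vouchers with a forged POST carrying `postafterlogin=1` — precisely what the CSRF token exists to prevent. If this is meant for an internal caller (presumably the captive portal login handler), bind it to something a browser cannot forge rather than a form field: a separate endpoint restricted to `$_SERVER['REMOTE_ADDR'] == '127.0.0.1'`, or a direct call to voucher_expire() from that code path, instead of disabling CSRF here. `$_POST['postafterlogin']` is also read without an isset() guard, which emits a notice on every ordinary request. The `if ($_POST)` block starts before the hunk.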
@@ -559,7 +568,8 @@ function enable_change(enable_change) { <td width="22%" valign="top" class="vncellreq"><?=gettext("Synchronize Voucher Database IP"); ?></td> <td width="78%" class="vtable"> <input name="vouchersyncdbip" type="text" class="formfld" id="vouchersyncdbip" size="17" value="<?=htmlspecialchars($pconfig['vouchersyncdbip']);?>"> - <br><?=gettext("IP address of master nodes webConfigurator to synchronize voucher database and used vouchers from."); ?> + <br/><?=gettext("IP address of master nodes webConfigurator to synchronize voucher database and used vouchers from."); ?> + <br/><?=gettext("NOTE: this should be setup on the slave nodes and not the primary node!"); ?> </td> </tr> <tr> diff --git a/usr/local/www/status_rrd_graph_img.php b/usr/local/www/status_rrd_graph_img.php index 48581ce..f6247e5 100644 --- a/usr/local/www/status_rrd_graph_img.php +++ b/usr/local/www/status_rrd_graph_img.php @@ -1062,8 +1062,9 @@ elseif((strstr($curdatabase, "-loggedin.rrd")) && (file_exists("$rrddbpath$curda $graphcmd .= "--height 200 --width 620 "; $graphcmd .= "DEF:\"$curif-loggedinusers=$rrddbpath$curdatabase:loggedinusers:AVERAGE\" "; $graphcmd .= "CDEF:\"$curif-totalusers_t=PREV,UN,0,PREV,IF,$curif-loggedinusers,+\" "; - $graphcmd .= "AREA:\"$curif-totalusers_t#{$colorcaptiveportalusers[0]}:Total logged in users\" "; - $graphcmd .= "GPRINT:\"$curif-totalusers_t:MAX:%8.0lf \\n\" "; + $graphcmd .= "CDEF:\"$curif-totalusers_d=$curif-totalusers_t,FLOOR\" "; + $graphcmd .= "AREA:\"$curif-totalusers_d#{$colorcaptiveportalusers[0]}:Total logged in users\" "; + $graphcmd .= "GPRINT:\"$curif-totalusers_d:MAX:%8.0lf \\n\" "; $graphcmd .= "COMMENT:\"\\n\" "; $graphcmd .= "COMMENT:\"\t\t\t\t\t\t\t\t\t\t\t\t\t`date +\"%b %d %H\:%M\:%S %Y\"`\" "; } diff --git a/usr/local/www/system_usermanager.php b/usr/local/www/system_usermanager.php index d810cb9..597aefd 100644 --- a/usr/local/www/system_usermanager.php +++ b/usr/local/www/system_usermanager.php 
@@ -49,7 +49,7 @@ require("certs.inc"); require("guiconfig.inc"); -if (isAllowedPage("system_usermanager")) { +if (isAllowedPage("system_usermanager*")) { // start admin user code $pgtitle = array(gettext("System"),gettext("User Manager")); diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php index 5957c9e..6586b42 100644 --- a/usr/local/www/vpn_ipsec_phase2.php +++ b/usr/local/www/vpn_ipsec_phase2.php 
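Review bot: `isAllowedPage("system_usermanager*")` widens the admin-branch test from one page to a glob; if isAllowedPage() matches its argument against the privilege page patterns, a user whose only privilege covers a narrower page such as `system_usermanager_settings.php` or `system_usermanager_addprivs.php` now takes the admin code path on this page instead of the self-service one. That may be intended, but since this line is the authorization boundary for the whole admin UI it deserves a comment stating which privileges are meant to qualify, e.g. `/* any system_usermanager* page privilege selects the full admin view here */`, or an explicit list of pages instead of a glob. The `if` body continues outside the hunk.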
@@ -141,8 +141,74 @@ if ($_POST) { } } - /* TODO : Validate enabled phase2's are not duplicates */ - + /* Validate enabled phase2's are not duplicates */ + if (isset($pconfig['mobile'])){ + /* User is adding phase 2 for mobile phase1 */ + foreach($a_phase2 as $name){ + if (isset($name['mobile'])){ + /* check duplicate localids only for mobile clents */ + if ($name['localid']['type'] == $pconfig['localid_type']){ + /* Types match, check further */ + switch($pconfig['localid_type']){ + case "none": + case "lan": + case "wan": + $input_errors[] = gettext("Phase2 with this Local Network is already defined for mobile clients."); + break; + case "address": + if ($name['localid']['address'] == $pconfig['localid_address']) + $input_errors[] = gettext("Phase2 with this Local Address is already defined for mobile clients."); + break; + case "network": + if ($name['localid']['address'] == $pconfig['localid_address'] && + $name['localid']['netbits'] == $pconfig['localid_netbits']) + $input_errors[] = gettext("Phase2 with this Local Network is already defined for mobile clients."); + break; + } + if (count($input_errors) > 0) + break; /* there is an error, stop checking other phase2 definitions */ + } + } + } + }else{ + /* User is adding phase 2 for site-to-site phase1 */ + $input_error = 0; + foreach($a_phase2 as $name){ + if (!isset($name['mobile']) && $pconfig['ikeid'] == $name['ikeid']){ + /* check duplicate subnets only for given phase1 */ + if ($name['localid']['type'] == $pconfig['localid_type'] && + $name['remoteid']['type'] == $pconfig['remoteid_type']){ + /* Types match, check further */ + $configured_remote_string = $name['remoteid']['address'] . $name['remoteid']['netbits']; + $eneterd_remote_string = $pconfig['remoteid_address'] . 
$pconfig['remoteid_netbits']; + switch($pconfig['localid_type']){ + case "none": + case "lan": + case "wan": + if ($configured_remote_string == $eneterd_remote_string) + $input_error = 1; + break; + case "address": + if ($name['localid']['address'] == $pconfig['localid_address'] && + $configured_remote_string == $eneterd_remote_string) + $input_error = 1; + break; + case "network": + if ($name['localid']['address'] == $pconfig['localid_address'] && + $name['localid']['netbits'] == $pconfig['localid_netbits'] && + $configured_remote_string == $eneterd_remote_string) + $input_error = 1; + break; + } + if ($input_error){ + $input_errors[] = gettext("Phase2 with this Local/Remote Networks combination is already defined for this Phase1."); + break; /* there is an error, stop checking other phase2 definitions */ + } + } + } + } + } + $ealgos = pconfig_to_ealgos($pconfig); if (!count($ealgos)) { diff --git a/usr/local/www/xmlrpc.php b/usr/local/www/xmlrpc.php index 97fbc45..500700a 100755 --- a/usr/local/www/xmlrpc.php +++ b/usr/local/www/xmlrpc.php @@ -271,8 +271,14 @@ $merge_config_section_sig = array( function merge_config_section_xmlrpc($raw_params) { global $config, $xmlrpc_g; - - return restore_config_section_xmlrpc($raw_params); + $params = xmlrpc_params_to_php($raw_params); + if(!xmlrpc_auth($params)) + return $xmlrpc_g['return']['authfail']; + $config_new = array_overlay($config, $params[0]); + $config = $config_new; + $mergedkeys = implode(",", array_keys($params[0])); + write_config(sprintf(gettext("Merged in config (%s sections) from XMLRPC client."), $mergedkeys)); + return $xmlrpc_g['return']['true']; } /*****************************/ @@ -448,4 +454,17 @@ $server = new XML_RPC_Server( unlock($xmlrpclockkey); + function array_overlay($a1,$a2) + { + foreach($a1 as $k => $v) { + if(!array_key_exists($k,$a2)) continue; + if(is_array($v) && is_array($a2[$k])){ + $a1[$k] = array_overlay($v,$a2[$k]); + }else{ + $a1[$k] = $a2[$k]; + } + } + return $a1; + } + ?> |
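Review bot: The new duplicate checks iterate over every entry in `$a_phase2` without skipping the entry currently being edited, so saving an existing phase 2 unchanged compares it with itself and — in the site-to-site branch whenever the local/remote types match, and in the mobile branch for `none`/`lan`/`wan` always — is rejected as a duplicate; if this page edits in place via `$id`, the loop needs the index and an exclusion, e.g. `foreach ($a_phase2 as $p2index => $name) { if (isset($id) && $p2index == $id) continue;`. Two smaller issues: `$name['remoteid']['address'] . $name['remoteid']['netbits']` concatenates address and prefix length with no separator, so the comparison cannot tell where one ends and the other begins — build both sides as `"{$address}/{$netbits}"` — and the mobile branch never checks `ikeid`, which is fine only if all mobile phase 2 entries hang off a single phase 1. Typos: `$eneterd_remote_string`, `clents`. The enclosing `if ($_POST)` block starts before the hunk and continues after it.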
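Review bot: `array_overlay()` walks the existing config and `continue`s on keys the client did not send, but it never adds keys that exist only in `$a2`, so a merged section whose sub-keys (or the section itself) are absent on the receiving node is silently dropped while `write_config()` still records a successful merge; if the sent section is meant to be applied in full, the client's keys should drive the walk, as below, which keeps the recursive overlay where both sides hold arrays. `merge_config_section_xmlrpc()` should also check `is_array($params[0])` before handing it to `array_overlay()` and `array_keys()`, since a malformed payload currently reaches both. The helper is declared after the `unlock()` at the bottom of the script; it works because PHP hoists unconditional top-level functions, but placing it beside the other helpers would be clearer.
```php
function array_overlay($a1, $a2)
{
	foreach ($a2 as $k => $v) {
		if (is_array($v) && isset($a1[$k]) && is_array($a1[$k])) {
			$a1[$k] = array_overlay($a1[$k], $v);
		} else {
			$a1[$k] = $v;
		}
	}
	return $a1;
}
```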