-rw-r--r-- | etc/inc/easyrule.inc | 2 | ||||
-rw-r--r-- | etc/inc/interfaces.inc | 2 | ||||
-rwxr-xr-x | etc/inc/openvpn.auth-user.php | 7 | ||||
-rw-r--r-- | etc/inc/openvpn.inc | 4 | ||||
-rw-r--r-- | etc/inc/services.inc | 10 | ||||
-rwxr-xr-x | usr/local/www/graph.php | 9 | ||||
-rwxr-xr-x | usr/local/www/interfaces.php | 4 | ||||
-rw-r--r-- | usr/local/www/interfaces_lagg_edit.php | 2 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_phase1.php | 24 | ||||
-rw-r--r-- | usr/local/www/widgets/widgets/traffic_graphs.widget.php | 77 |
10 files changed, 86 insertions, 55 deletions
diff --git a/etc/inc/easyrule.inc b/etc/inc/easyrule.inc
index 2e3af4b..d834702 100644
--- a/etc/inc/easyrule.inc
+++ b/etc/inc/easyrule.inc
@@ -80,6 +80,8 @@ function easyrule_block_rule_exists($int = 'wan') {
 /* Search through the rules for one referencing our alias */
 foreach ($config['filter']['rule'] as $rule)
+ if (!is_array($rule) || !is_array($rule['source']))
+ continue;
 if ($rule['source']['address'] == $blockaliasname . strtoupper($int) && ($rule['interface'] == $int)) return true;
 return false;
diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc
index 1be6068..8e749e5 100644
--- a/etc/inc/interfaces.inc
+++ b/etc/inc/interfaces.inc
@@ -133,7 +133,7 @@ function interface_vlan_configure(&$vlan) {
 pfSense_interface_capabilities($if, IFCAP_VLAN_HWTAGGING|IFCAP_VLAN_MTU|IFCAP_VLAN_HWFILTER);
 if (!empty($vlanif) && does_interface_exist($vlanif)) {
- interface_bring_down($vlanif);
+ interface_bring_down($vlanif, true);
 } else {
 $tmpvlanif = pfSense_interface_create("vlan");
 pfSense_interface_rename($tmpvlanif, $vlanif);
diff --git a/etc/inc/openvpn.auth-user.php b/etc/inc/openvpn.auth-user.php
index a611f8c..544e21f 100755
--- a/etc/inc/openvpn.auth-user.php
+++ b/etc/inc/openvpn.auth-user.php
@@ -85,6 +85,7 @@ openlog("openvpn", LOG_ODELAY, LOG_AUTH);
 /* read data from environment */
 $username = getenv("username");
 $password = getenv("password");
+$common_name = getenv("common_name");
 if (!$username || !$password) {
 syslog(LOG_ERR, "invalid user authentication environment");
@@ -95,6 +96,12 @@ if (!$username || !$password) {
 //<template>
 $authenticated = false;
+
+if (($strictusercn === true) && ($common_name != $username)) {
+ syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.\n");
+ exit(1);
+}
+
 foreach ($authmodes as $authmode) {
 $authcfg = auth_get_authserver($authmode);
 if (!$authcfg && $authmode != "local") 
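Review bot: The `foreach` in easyrule_block_rule_exists has no braces, so after this change its body is only the new `if (...) continue;` statement, and the address/interface comparison that follows runs once, after the loop, against whatever the last element of `$config['filter']['rule']` happened to be. The function can then report a block rule as present when it is not (or absent when it exists), so callers deciding whether to add a rule act on a wrong answer. Wrap the loop body: `foreach ($config['filter']['rule'] as $rule) {` before the added check and a closing `}` after the `return true;` line. The hunk's line counts leave no room for a brace line that the collapsed text might hide, though the multi-line `if` may be laid out differently than shown here.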
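Review bot: The new strict-CN check in openvpn.auth-user.php compares with loose `!=`, so numeric-looking strings are compared as numbers (a CN of `1e3` equals a username of `1000`, `01` equals `1`), which is the wrong kind of equality for an identity match. Use strict comparison: `if (($strictusercn === true) && ($common_name !== $username)) {`. getenv() returns false when `common_name` is absent from the environment, so the check then denies access, which is the right failure mode, but the log line is emitted with an empty CN and the trailing `\n` in the syslog message is unusual. `$strictusercn` is only defined when openvpn.inc injects it into the template, so in the default case the `=== true` test reads an undefined variable; it evaluates to false, but relies on that notice being harmless.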
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index 1e7e9b8..c528f67 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -392,7 +392,9 @@ function openvpn_reconfigure($mode,& $settings) {
 $firstsed = 1;
 $sed .= "\"{$authcfg}\"";
 }
- $sed .= ");";
+ $sed .= ");\\\n";
+ if (isset($settings['strictusercn']))
+ $sed .= "\$strictusercn = true;";
 mwexec("/bin/cat /etc/inc/openvpn.auth-user.php | /usr/bin/sed 's/\/\/<template>/{$sed}/g' > {$g['varetc_path']}/openvpn/{$mode_id}.php");
 mwexec("/bin/chmod a+x {$g['varetc_path']}/openvpn/{$mode_id}.php");
 $conf .= "auth-user-pass-verify {$g['varetc_path']}/openvpn/{$mode_id}.php via-env\n";
diff --git a/etc/inc/services.inc b/etc/inc/services.inc
index c91071c..82166d6 100644
--- a/etc/inc/services.inc
+++ b/etc/inc/services.inc
@@ -565,12 +565,18 @@ function services_dhcrelay_configure() {
 $destif = get_real_interface("wan");
 }
- $dhcrelayifs[] = $destif;
+ if (!empty($destif))
+ $dhcrelayifs[] = $destif;
 }
 $dhcrelayifs = array_unique($dhcrelayifs);
 /* fire up dhcrelay */
- $cmd = "/usr/local/sbin/dhcrelay -i " . join(" -i ", $dhcrelayifs);
+ if (empty($dhcrelayifs)) {
+ log_error("No suitable interface found for running dhcrelay!");
+ return; /* XXX */
+ }
+
+ $cmd = "/usr/local/sbin/dhcrelay -i " . implode(" -i ", $dhcrelayifs);
 if (isset($dhcrelaycfg['agentoption'])) $cmd .= " -a -m replace";
diff --git a/usr/local/www/graph.php b/usr/local/www/graph.php
index 964c2c7..14af862 100755
--- a/usr/local/www/graph.php
+++ b/usr/local/www/graph.php
@@ -61,6 +61,11 @@ if ($_GET["timeint"])
 else
 $time_interval = 3;
+if ($_GET["initdelay"])
+ $init_delay = $_GET["initdelay"]; //Initial Delay
+else
+ $init_delay = 3;
+
 //SVG attributes
 $attribs['axis']='fill="black" stroke="black"';
 $attribs['in']='fill="#FF0000" font-family="Tahoma, Verdana, Arial, Helvetica, sans-serif" font-size="7"'; 
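Review bot: The `$strictusercn = true;` assignment is only appended when `$settings['strictusercn']` is set, so in the default case the generated auth script contains no definition of `$strictusercn` at all and its `=== true` test depends on reading an undefined global. Emitting the value unconditionally keeps the generated script self-contained: `$sed .= "\$strictusercn = " . (isset($settings['strictusercn']) ? "true" : "false") . ";";` in place of the two added lines. The `");\\\n"` before it relies on a backslash-newline inside the sed replacement to separate the two statements; a short comment such as `// backslash-newline: line break inside the sed replacement` would save the next reader a trip through sed's escaping rules. openvpn_reconfigure starts and continues outside the hunk.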
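Review bot: In graph.php `$init_delay` is taken straight from `$_GET["initdelay"]` with no normalisation; its only use is arithmetic in the plot_data hunk (`1000*($time_interval + $init_delay)`), so what reaches the emitted script is numeric, but a non-numeric query value is either silently treated as 0 or, on newer PHP, raises a warning into the SVG output instead of falling back to the default. Cast and validate at the boundary by replacing the four added `if`/`else` lines with `$init_delay = (isset($_GET["initdelay"]) && is_numeric($_GET["initdelay"])) ? (int)$_GET["initdelay"] : 3; //Initial Delay`. The pre-existing `$time_interval` handling just above has the same shape and deserves the same treatment. The `var graphTimerId = 0;` added in plot_data is not read anywhere in that hunk; if nothing else in the file uses it, it is dead.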
@@ -229,13 +234,13 @@ function plot_data(obj) {
 last_ugmt = ugmt;
 last_ifin = ifin;
 last_ifout = ifout;
-
+ var graphTimerId = 0;
 switch (plot_in.length) {
 case 0:
 SVGDoc.getElementById("collect_initial").setAttributeNS(null, 'visibility', 'visible');
 plot_in[0] = diff_ifin / diff_ugmt;
 plot_out[0] = diff_ifout / diff_ugmt;
- setTimeout('fetch_data()',<?=1000*$time_interval?>);
+ setTimeout('fetch_data()',<?=1000*($time_interval + $init_delay)?>);
 return;
 case 1:
 SVGDoc.getElementById("collect_initial").setAttributeNS(null, 'visibility', 'hidden');
diff --git a/usr/local/www/interfaces.php b/usr/local/www/interfaces.php
index 27b38e0..f08ca3c 100755
--- a/usr/local/www/interfaces.php
+++ b/usr/local/www/interfaces.php
@@ -1099,8 +1099,8 @@ $types = array("none" => gettext("None"), "static" => gettext("Static"), "dhcp"
 <td class="vtable">
 <input name="mtu" type="text" class="formfld unknown" id="mtu" size="8" value="<?=htmlspecialchars($pconfig['mtu']);?>">
 <br>
- <?=gettext("If you leave this field blank, " .
- "an MTU of 1500 bytes will be assumed."); ?>
+ <?=gettext("If you leave this field blank, the adapter's default MTU will " .
+ "be used. This is typically 1500 bytes but can vary on some hardware."); ?>
 </td>
 </tr>
 <tr>
diff --git a/usr/local/www/interfaces_lagg_edit.php b/usr/local/www/interfaces_lagg_edit.php
index 124c6ea..c7d1ef9 100644
--- a/usr/local/www/interfaces_lagg_edit.php
+++ b/usr/local/www/interfaces_lagg_edit.php
@@ -50,7 +50,7 @@ $portlist = get_interface_list();
 /* add LAGG interfaces */
 if (is_array($config['laggs']['lagg']) && count($config['laggs']['lagg'])) {
 foreach ($config['laggs']['lagg'] as $lagg)
- $portlist[$lagg['laggif']] = $lagg;
+ unset($portlist[$lagg['laggif']]);
 }
 $checklist = get_configured_interface_list(false, true);
diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php
index 7ac7383..25c6f4f 100644
--- a/usr/local/www/vpn_ipsec_phase1.php
+++ b/usr/local/www/vpn_ipsec_phase1.php 
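Review bot: In interfaces_lagg_edit.php the comment `/* add LAGG interfaces */` above the loop now contradicts the code, which removes each `laggif` from `$portlist` rather than adding it, and a stale comment here will mislead the next reader. Suggest `/* exclude existing LAGG interfaces from the candidate port list */`; the reason for excluding them (presumably a lagg cannot be a member port of another lagg) is not stated in the hunk and would be worth a clause if that is the intent. The `foreach` is brace-less with a single-statement body, which works but is fragile if a second statement is added later, as the easyrule.inc hunk in this same commit shows.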
@@ -138,13 +138,25 @@ if ($_POST) {
 /* input validation */
 $method = $pconfig['authentication_method'];
+ // Only require PSK here for normal PSK tunnels (not mobile) or xauth.
- if ((($method == "pre_shared_key") && (!$pconfig['mobile']))||($method == "xauth_psk_server")) {
- $reqdfields = explode(" ", "pskey");
- $reqdfieldsn = array(gettext("Pre-Shared Key"));
- } else {
- $reqdfields = explode(" ", "caref certref");
- $reqdfieldsn = array(gettext("Certificate Authority"),gettext("Certificate"));
+ // For RSA methods, require the CA/Cert.
+ switch ($method) {
+ case "pre_shared_key":
+ // If this is a mobile PSK tunnel the user PSKs go on
+ // the PSK tab, not here, so skip the check.
+ if ($pconfig['mobile'])
+ break;
+ case "xauth_psk_server":
+ $reqdfields = explode(" ", "pskey");
+ $reqdfieldsn = array(gettext("Pre-Shared Key"));
+ break;
+ case "hybrid_rsa_server":
+ case "xauth_rsa_server":
+ case "rsasig":
+ $reqdfields = explode(" ", "caref certref");
+ $reqdfieldsn = array(gettext("Certificate Authority"),gettext("Certificate"));
+ break;
 }
 if (!$pconfig['mobile']) {
 $reqdfields[] = "remotegw";
diff --git a/usr/local/www/widgets/widgets/traffic_graphs.widget.php b/usr/local/www/widgets/widgets/traffic_graphs.widget.php
index dcc8b77..bcc2298 100644
--- a/usr/local/www/widgets/widgets/traffic_graphs.widget.php
+++ b/usr/local/www/widgets/widgets/traffic_graphs.widget.php 
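Review bot: The switch has no `default:` arm, so an `authentication_method` value that matches none of the five listed cases (and `$pconfig` is presumably populated from `$_POST` here, so the value is client-controlled) sets neither `$reqdfields` nor `$reqdfieldsn`, and neither the pre-shared key nor the CA/certificate is required; the replaced `else` branch required the certificate fields for every non-PSK method. Add `default:` as a label on the RSA group (after `case "rsasig":`) to restore that behaviour, or reject unknown methods with an explicit input error. The fall-through from `case "pre_shared_key":` into `case "xauth_psk_server":` when `$pconfig['mobile']` is not set is intentional but unmarked; a `// fall through` comment after the `break;` keeps it from being "fixed" later. For mobile PSK the switch leaves both variables unset, so whatever consumes them later sees undefined variables; initialising both to `array()` before the switch makes that explicit.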
@@ -1,34 +1,34 @@ <?php /* - $Id$ - Copyright 2007 Scott Dale - Part of pfSense widgets (www.pfsense.com) - originally based on m0n0wall (http://m0n0.ch/wall) + $Id$ + Copyright 2007 Scott Dale + Part of pfSense widgets (www.pfsense.com) + originally based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2004-2005 T. Lechat <dev@lechat.org>, Manuel Kasper <mk@neon1.net> - and Jonathan Watt <jwatt@jwatt.org>. - All rights reserved. + Copyright (C) 2004-2005 T. Lechat <dev@lechat.org>, Manuel Kasper <mk@neon1.net> + and Jonathan Watt <jwatt@jwatt.org>. + All rights reserved. - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. */ require_once("guiconfig.inc"); @@ -39,7 +39,7 @@ $ifdescrs = get_configured_interface_with_descr(); ?> <input type="hidden" id="traffic_graphs-config" name="traffic_graphs-config" value=""> -<?php +<?php //set variables for traffic graph $width = "100%"; $height = "150"; 
@@ -50,13 +50,13 @@ $ifdescrs = get_configured_interface_with_descr(); $refreshintervalstring = $showngraphlist[$graphlistcount-1]; $eqposition = strpos($refreshintervalstring,"="); $refreshInterval = substr($refreshintervalstring, $eqposition +1 ); - } else { + } else { $refreshInterval = "10"; } ?> <div id="traffic_graphs-settings" name="traffic_graphs-settings" class="widgetconfigdiv" style="display:none;"> -Refresh Interval: +Refresh Interval: <select name="refreshInterval" class="formfld" id="refreshInterval" onchange="updateGraphDisplays();"> <option value="1" <?php if ($refreshInterval == "1") echo "SELECTED";?>>1</option> <option value="2" <?php if ($refreshInterval == "2") echo "SELECTED";?>>2</option> @@ -80,9 +80,8 @@ Refresh Interval: </script> <?php - foreach ($ifdescrs as $ifdescr => $ifname) { - $ifinfo = get_interface_info($ifdescr); + $ifinfo = get_interface_info($ifdescr); $currentgraph = $showngraphlist[$graphcounter]; $colposition = strpos($currentgraph,":"); $currentgraph = substr($currentgraph, $colposition+1); @@ -111,9 +110,8 @@ Refresh Interval: $interfacevalue = "hide"; } } - - - if ($ifinfo['status'] != "down") { + + if ($ifinfo['status'] != "down") { ?> <div id="<?=$ifname;?>trafficdiv" style="padding: 5px"> <input type="hidden" id="<?php echo $ifname;?>_graph-config" name="<?php echo $ifname;?>_graph-config" class="graphsettings" value="<?=$interfacevalue;?>"> 
@@ -122,17 +120,16 @@ Refresh Interval: <span onClick="location.href='/status_graph.php?if=<?=$ifdescr;?>'" style="cursor:pointer">Current <?=$ifname;?> Traffic</span> </div> <div align="right" style="float:right;width:49%"> - <div id="<?=$ifname;?>graphdiv-min" onclick='return trafficminimizeDiv("<?php echo $ifname;?>",true)' style="display:<?php echo $mingraphbutton;?>; cursor:pointer" ><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_minus.gif" alt="Minimize <?=$ifname;?> traffic graph" /></div> - <div id="<?=$ifname;?>graphdiv-open" onclick='return trafficshowDiv("<?php echo $ifname;?>",true)' style="display:<?php echo $showgraphbutton;?>; cursor:pointer" ><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_open.gif" alt="Show <?=$ifname;?> traffic graph" /></div> + <div id="<?=$ifname;?>graphdiv-min" onclick='return trafficminimizeDiv("<?php echo $ifname;?>",true)' style="display:<?php echo $mingraphbutton;?>; cursor:pointer" ><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_minus.gif" alt="Minimize <?=$ifname;?> traffic graph" /></div> + <div id="<?=$ifname;?>graphdiv-open" onclick='return trafficshowDiv("<?php echo $ifname;?>",true)' style="display:<?php echo $showgraphbutton;?>; cursor:pointer" ><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_open.gif" alt="Show <?=$ifname;?> traffic graph" /></div> </div> <div style="clear:both;"></div> - </div> + </div> <div id="<?=$ifname;?>graphdiv" style="display:<?php echo $graphdisplay;?>"> - <?php $refreshInterval = $refreshInterval + 3 ?> - <embed id="graph" src="graph.php?ifnum=<?=$ifdescr;?>&ifname=<?=rawurlencode($ifname);?>&timeint=<?=$refreshInterval;?>" type="image/svg+xml" width="<? echo $width; ?>" height="<? echo $height; ?>" pluginspage="http://www.adobe.com/svg/viewer/install/auto" /> + <embed id="graph" src="graph.php?ifnum=<?=$ifdescr;?>&ifname=<?=rawurlencode($ifname);?>&timeint=<?=$refreshInterval;?>&initdelay=<?=($graphcounter+1) * 2;?>" type="image/svg+xml" width="<? 
echo $width; ?>" height="<? echo $height; ?>" pluginspage="http://www.adobe.com/svg/viewer/install/auto" /> </div> <? $firstgraphshown = true; $graphcounter++; ?> - </div> - <? } - } + </div> + <? } + } ?> |