70 files changed, 1102 insertions, 742 deletions
diff --git a/conf.default/config.xml b/conf.default/config.xml index 46afa50..6a6da59 100644 --- a/conf.default/config.xml +++ b/conf.default/config.xml @@ -1,6 +1,6 @@ <?xml version="1.0"?> <pfsense> - <version>11.7</version> + <version>11.8</version> <lastchange/> <theme>pfsense_ng</theme> <system> diff --git a/etc/inc/config.lib.inc b/etc/inc/config.lib.inc index aede42d..c983161 100644 --- a/etc/inc/config.lib.inc +++ b/etc/inc/config.lib.inc @@ -78,6 +78,7 @@ function encrypted_configxml() { exec("/bin/mv {$g['conf_path']}/config.xml.tmp {$g['conf_path']}/config.xml"); echo "\n" . gettext("Config.xml unlocked.") . "\n"; fclose($fp); + pfSense_fsync("{$g['conf_path']}/config.xml"); } else { echo "\n" . gettext("Invalid password entered. Please try again.") . "\n"; } @@ -179,12 +180,15 @@ function generate_config_cache($config) { $configcache = fopen($g['tmp_path'] . '/config.cache', "w"); fwrite($configcache, serialize($config)); fclose($configcache); + pfSense_fsync("{$g['tmp_path']}/config.cache"); + unset($configcache); /* Used for config.extra.xml */ if(file_exists($g['tmp_path'] . '/config.extra.cache') && $config_extra) { $configcacheextra = fopen($g['tmp_path'] . '/config.extra.cache', "w"); fwrite($configcacheextra, serialize($config_extra)); - fclose($configcacheextra); + fclose($configcacheextra); + pfSense_fsync("{$g['tmp_path']}/config.extra.cache"); unset($configcacheextra); } } @@ -210,6 +214,8 @@ function restore_backup($file) { conf_mount_rw(); unlink_if_exists("{$g['tmp_path']}/config.cache"); copy("$file","/cf/conf/config.xml"); + pfSense_fsync("/cf/conf/config.xml"); + pfSense_fsync($g['conf_path']); disable_security_checks(); log_error(sprintf(gettext('%1$s is restoring the configuration %2$s'), $g['product_name'], $file)); file_notice("config.xml", sprintf(gettext('%1$s is restoring the configuration %2$s'), $g['product_name'], $file), "pfSenseConfigurator", ""); 
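Review bot: The return value of pfSense_fsync() is discarded on the line added after fclose($fp) in encrypted_configxml, and the same happens in generate_config_cache below it and in cleanup_backupcache and backup_config on the following lines, even though safe_write_file in this same commit treats a false return as a failed write. With vfs.forcesync removed from the sysctl list, these explicit calls become the only durability guarantee for config.xml and its caches, so a failed sync should at least be logged: `if (!pfSense_fsync("{$g['conf_path']}/config.xml")) { log_error(gettext("Unable to fsync config.xml")); }`. The fopen() results that precede the new calls are likewise unchecked, so a full or read-only /cf fails silently at every step of the write.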
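Review bot: The two fsync calls added to restore_backup address the same location through different bases: the file is synced as the literal `/cf/conf/config.xml` while the directory is synced as `$g['conf_path']`, and copy() on the line above also uses the literal. If conf_path ever differs from /cf/conf, the file sync targets a path that was not just written. Use one base for all three: `copy($file, "{$g['conf_path']}/config.xml"); pfSense_fsync("{$g['conf_path']}/config.xml"); pfSense_fsync($g['conf_path']);`. The copy() result is still unchecked, so a failed restore proceeds to disable_security_checks() and logs success regardless.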
@@ -365,7 +371,7 @@ function conf_mount_ro() { clear_subsystem_dirty('mount'); /* sync data, then force a remount of /cf */ - pfSense_sync(); + pfSense_fsync($g['cf_path']); mwexec("/sbin/mount -u -r -f -o sync,noatime {$g['cf_path']}"); mwexec("/sbin/mount -u -r -f -o sync,noatime /"); } @@ -466,16 +472,14 @@ function safe_write_file($file, $content, $force_binary) { fflush($fd); fclose($fd); - if (!rename($tmp_file, $file)) { + if (!pfSense_fsync($tmp_file) || !rename($tmp_file, $file)) { // Unable to move temporary file to original @unlink($tmp_file); return false; } // Sync file before returning - pfSense_sync(); - - return true; + return pfSense_fsync($file); } /****f* config/write_config @@ -522,7 +526,7 @@ function write_config($desc="Unknown", $backup = true) { /* write new configuration */ if (!safe_write_file("{$g['cf_conf_path']}/config.xml", $xmlconfig, false)) { - log_error(gettext("WARNING: Config contents could not be save. Could not open file!")); + log_error(gettext("WARNING: Config contents could not be saved. Could not open file!")); unlock($lockkey); file_notice("config.xml", sprintf(gettext("Unable to open %s/config.xml for writing in write_config()%s"), $g['cf_conf_path'], "\n")); return -1; @@ -791,6 +795,7 @@ function cleanup_backupcache($lock = false) { $bakout = fopen($g['cf_conf_path'] . '/backup/backup.cache', "w"); fwrite($bakout, serialize($tocache)); fclose($bakout); + pfSense_fsync("{$g['cf_conf_path']}/backup/backup.cache"); conf_mount_ro(); if (!$lock) 
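Review bot: Replacing pfSense_sync() with pfSense_fsync($g['cf_path']) in conf_mount_ro narrows what is flushed before the read-only remount: an fsync on a directory writes out that directory's own metadata, not the contents of files beneath it, unless pfSense_fsync does something broader (its body is not in this diff). The remount on the next line is exactly where unsynced file data would be lost, so either keep a full sync here or state the new contract in a comment: `/* every writer under /cf fsyncs its own file; this only flushes the directory entry */`.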
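Review bot: After rename() has succeeded, the new `return pfSense_fsync($file);` in safe_write_file can still report failure, and write_config (next hunk) then logs "Could not open file!" and returns -1 even though config.xml is already in place — a misleading message for a file that was written. The rename also lacks the parent-directory fsync that restore_backup in this same commit does add, so the new name may not be durable across a crash even when the data is. Consider `$ok = pfSense_fsync($file); pfSense_fsync(dirname($file)); return $ok;` and a distinct log line in write_config for the sync-failed case.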
@@ -824,30 +829,31 @@ function backup_config() { /* Create backup directory if needed */ safe_mkdir("{$g['cf_conf_path']}/backup"); - - if($config['revision']['time'] == "") { - $baktime = 0; - } else { - $baktime = $config['revision']['time']; - } - if($config['revision']['description'] == "") { - $bakdesc = "Unknown"; - } else { - $bakdesc = $config['revision']['description']; - } + + if($config['revision']['time'] == "") { + $baktime = 0; + } else { + $baktime = $config['revision']['time']; + } + if($config['revision']['description'] == "") { + $bakdesc = "Unknown"; + } else { + $bakdesc = $config['revision']['description']; + } $bakver = ($config['version'] == "") ? "?" : $config['version']; $bakfilename = $g['cf_conf_path'] . '/backup/config-' . $baktime . '.xml'; copy($g['cf_conf_path'] . '/config.xml', $bakfilename); - if(file_exists($g['cf_conf_path'] . '/backup/backup.cache')) { - $backupcache = unserialize(file_get_contents($g['cf_conf_path'] . '/backup/backup.cache')); - } else { - $backupcache = array(); - } + if(file_exists($g['cf_conf_path'] . '/backup/backup.cache')) { + $backupcache = unserialize(file_get_contents($g['cf_conf_path'] . '/backup/backup.cache')); + } else { + $backupcache = array(); + } $backupcache[$baktime] = array('description' => $bakdesc, 'version' => $bakver, 'filesize' => filesize($bakfilename)); - $bakout = fopen($g['cf_conf_path'] . '/backup/backup.cache', "w"); - fwrite($bakout, serialize($backupcache)); - fclose($bakout); + $bakout = fopen($g['cf_conf_path'] . '/backup/backup.cache', "w"); + fwrite($bakout, serialize($backupcache)); + fclose($bakout); + pfSense_fsync("{$g['cf_conf_path']}/backup/backup.cache"); conf_mount_ro(); diff --git a/etc/inc/dyndns.class b/etc/inc/dyndns.class index 73c6765..a28d332 100644 --- a/etc/inc/dyndns.class +++ b/etc/inc/dyndns.class 
@@ -622,12 +622,12 @@ curl_setopt($ch, CURLOPT_URL, $server .$port . '?hostname=' . $this->_dnsHost . '&myip=' . $this->_dnsIP); break; case 'gratisdns': - $needsIP = FALSE; + $needsIP = TRUE; if ($this->_dnsVerboseLog) log_error("GratisDNS.dk ({$this->_dnsHost}): DNS update() starting."); $server = "https://ssl.gratisdns.dk/ddns.phtml"; list($hostname, $domain) = explode(".", $this->_dnsHost, 2); - curl_setopt($ch, CURLOPT_URL, $server . '?u=' . $this->_dnsUser . '&p=' . $this->_dnsPass . '&h=' . $this->_dnsHost . '&d=' . $domain); + curl_setopt($ch, CURLOPT_URL, $server . '?u=' . $this->_dnsUser . '&p=' . $this->_dnsPass . '&h=' . $this->_dnsHost . '&d=' . $domain . '&i=' . $this->_dnsIP); break; case 'ovh-dynhost': $needsIP = FALSE; diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index f58cdd9..6a8e4c1 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -575,6 +575,7 @@ function filter_generate_nested_alias($name, $alias, &$aliasnesting, &$aliasaddr $builtlist = ""; $urltable_nesting = ""; $aliasnesting[$name] = $name; + $alias_type = alias_get_type($name); foreach ($addresses as $address) { if (empty($address)) continue; @@ -600,7 +601,7 @@ function filter_generate_nested_alias($name, $alias, &$aliasnesting, &$aliasaddr else if(!isset($aliasnesting[$address])) $tmpline = filter_generate_nested_alias($name, $aliastable[$address], $aliasnesting, $aliasaddrnesting); } else if(!isset($aliasaddrnesting[$address])) { - if (!is_ipaddr($address) && !is_subnet($address) && !is_port($address) && !is_portrange($address) && is_hostname($address)) { + if (!is_ipaddr($address) && !is_subnet($address) && !(($alias_type == 'port') && (is_port($address) || is_portrange($address))) && is_hostname($address)) { if (!isset($filterdns["{$address}{$name}"])) { $use_filterdns = true; $filterdns["{$address}{$name}"] = "pf {$address} {$name}\n"; diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc index 4df1b36..7a8a09a 100644 --- a/etc/inc/globals.inc 
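Review bot: The rewritten curl_setopt line for gratisdns still concatenates `$this->_dnsUser`, `$this->_dnsPass`, `$this->_dnsHost` and now `$this->_dnsIP` into the query string without encoding, so a password containing `&`, `#`, `%` or `+` alters the request and the update fails or authenticates with a truncated password. Encode each value: `'?u=' . urlencode($this->_dnsUser) . '&p=' . urlencode($this->_dnsPass) . '&h=' . urlencode($this->_dnsHost) . '&d=' . urlencode($domain) . '&i=' . urlencode($this->_dnsIP)`. Because the provider takes credentials in the URL, they also appear in any curl verbose output and in the provider's access logs; a one-line comment noting that would discourage adding CURLOPT_VERBOSE here later.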
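Review bot: `$alias_type = alias_get_type($name);` on the added line is evaluated for the outermost alias on every recursion, because the recursive call `filter_generate_nested_alias($name, $aliastable[$address], …)` forwards the parent's `$name` rather than `$address`. The new condition therefore decides whether an entry such as "80" or "1000-2000" inside a nested alias is a hostname based on the parent's type, which is only correct if nested aliases must share the parent's type — something this code does not verify. A comment above the assignment would make the assumption explicit: `/* nested aliases are assumed to share the top-level alias type; port-looking entries are only excluded for port aliases */`.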
+++ b/etc/inc/globals.inc @@ -74,7 +74,7 @@ $g = array( "disablecrashreporter" => false, "crashreporterurl" => "https://crashreporter.pfsense.org/crash_reporter.php", "debug" => false, - "latest_config" => "11.7", + "latest_config" => "11.8", "nopkg_platforms" => array("cdrom"), "minimum_ram_warning" => "101", "minimum_ram_warning_text" => "128 MB", @@ -152,7 +152,6 @@ $sysctls = array("net.inet.ip.portrange.first" => "1024", "net.inet.icmp.icmplim" => "0", "vfs.read_max" => "32", "kern.ipc.maxsockbuf" => "4262144", - "debug.pfftpproxy" => "0", "net.inet.ip.process_options" => 0, "kern.random.sys.harvest.interrupt" => 0, "kern.random.sys.harvest.point_to_point" => 0, @@ -161,7 +160,6 @@ $sysctls = array("net.inet.ip.portrange.first" => "1024", "net.inet.udp.checksum" => 1, "net.bpf.zerocopy_enable" => 1, "net.inet.icmp.reply_from_interface" => 1, - "vfs.forcesync" => "1", "net.inet6.ip6.rfc6204w3" => 1, "net.enc.out.ipsec_bpf_mask" => "0x0001", "net.enc.out.ipsec_filter_mask" => "0x0001", diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc index 8bfed07..d3a6fe8 100644 --- a/etc/inc/ipsec.inc +++ b/etc/inc/ipsec.inc 
@@ -44,22 +44,22 @@ $ipsec_loglevels = array("dmn" => "Daemon", "mgr" => "SA Manager", "ike" => "IKE global $my_identifier_list; $my_identifier_list = array( - 'myaddress' => array( 'desc' => gettext('My IP address'), 'mobile' => true ), - 'address' => array( 'desc' => gettext('IP address'), 'mobile' => true ), - 'fqdn' => array( 'desc' => gettext('Distinguished name'), 'mobile' => true ), - 'user_fqdn' => array( 'desc' => gettext('User distinguished name'), 'mobile' => true ), - 'asn1dn' => array( 'desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true ), - 'keyid tag' => array( 'desc' => gettext('KeyID tag'), 'mobile' => true ), - 'dyn_dns' => array( 'desc' => gettext('Dynamic DNS'), 'mobile' => true )); + 'myaddress' => array('desc' => gettext('My IP address'), 'mobile' => true), + 'address' => array('desc' => gettext('IP address'), 'mobile' => true), + 'fqdn' => array('desc' => gettext('Distinguished name'), 'mobile' => true), + 'user_fqdn' => array('desc' => gettext('User distinguished name'), 'mobile' => true), + 'asn1dn' => array('desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true), + 'keyid tag' => array('desc' => gettext('KeyID tag'), 'mobile' => true), + 'dyn_dns' => array('desc' => gettext('Dynamic DNS'), 'mobile' => true)); global $peer_identifier_list; $peer_identifier_list = array( - 'peeraddress' => array( 'desc' => gettext('Peer IP address'), 'mobile' => false ), - 'address' => array( 'desc' => gettext('IP address'), 'mobile' => false ), - 'fqdn' => array( 'desc' => gettext('Distinguished name'), 'mobile' => true ), - 'user_fqdn' => array( 'desc' => gettext('User distinguished name'), 'mobile' => true ), - 'asn1dn' => array( 'desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true ), - 'keyid tag' => array( 'desc' =>gettext('KeyID tag'), 'mobile' => true )); + 'peeraddress' => array('desc' => gettext('Peer IP address'), 'mobile' => false), + 'address' => array('desc' => gettext('IP address'), 'mobile' => false), + 'fqdn' 
=> array('desc' => gettext('Distinguished name'), 'mobile' => true), + 'user_fqdn' => array('desc' => gettext('User distinguished name'), 'mobile' => true), + 'asn1dn' => array('desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true), + 'keyid tag' => array('desc' =>gettext('KeyID tag'), 'mobile' => true)); global $ipsec_idhandling; $ipsec_idhandling = array( 
@@ -68,22 +68,25 @@ $ipsec_idhandling = array( global $p1_ealgos; $p1_ealgos = array( - 'aes' => array( 'name' => 'AES', 'keysel' => array( 'lo' => 128, 'hi' => 256, 'step' => 64 ) ), - 'blowfish' => array( 'name' => 'Blowfish', 'keysel' => array( 'lo' => 128, 'hi' => 256, 'step' => 64 ) ), - '3des' => array( 'name' => '3DES' ), - 'cast128' => array( 'name' => 'CAST128' ), - 'des' => array( 'name' => 'DES' )); + 'aes' => array('name' => 'AES', 'keysel' => array('lo' => 128, 'hi' => 256, 'step' => 64)), + 'aes128gcm' => array('name' => 'AES128-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)), + 'aes192gcm' => array('name' => 'AES192-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)), + 'aes256gcm' => array('name' => 'AES256-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)), + 'blowfish' => array('name' => 'Blowfish', 'keysel' => array('lo' => 128, 'hi' => 256, 'step' => 64)), + '3des' => array('name' => '3DES'), + 'cast128' => array('name' => 'CAST128'), + 'des' => array('name' => 'DES')); global $p2_ealgos; $p2_ealgos = array( - 'aes' => array( 'name' => 'AES', 'keysel' => array( 'lo' => 128, 'hi' => 256, 'step' => 64 ) ), - 'aes128gcm' => array( 'name' => 'AES128-GCM', 'keysel' => array( 'lo' => 64, 'hi' => 128, 'step' => 32 ) ), - 'aes192gcm' => array( 'name' => 'AES192-GCM', 'keysel' => array( 'lo' => 64, 'hi' => 128, 'step' => 32 ) ), - 'aes256gcm' => array( 'name' => 'AES256-GCM', 'keysel' => array( 'lo' => 64, 'hi' => 128, 'step' => 32 ) ), - 'blowfish' => array( 'name' => 'Blowfish', 'keysel' => array( 'lo' => 128, 'hi' => 256, 'step' => 64 ) ), - '3des' => array( 'name' => '3DES' ), - 'cast128' => array( 'name' => 'CAST128' ), - 'des' => array( 'name' => 'DES' )); + 'aes' => array('name' => 'AES', 'keysel' => array('lo' => 128, 'hi' => 256, 'step' => 64)), + 'aes128gcm' => array('name' => 'AES128-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)), + 'aes192gcm' => array('name' => 'AES192-GCM', 'keysel' 
=> array('lo' => 64, 'hi' => 128, 'step' => 32)), + 'aes256gcm' => array('name' => 'AES256-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)), + 'blowfish' => array('name' => 'Blowfish', 'keysel' => array('lo' => 128, 'hi' => 256, 'step' => 64)), + '3des' => array('name' => '3DES'), + 'cast128' => array('name' => 'CAST128'), + 'des' => array('name' => 'DES')); global $p1_halgos; $p1_halgos = array( @@ -110,7 +113,10 @@ $p1_dhgroups = array( 21 => '21 (nist ecp521)', 22 => '22 (1024(sub 160) bit)', 23 => '23 (2048(sub 224) bit)', - 24 => '24 (2048(sub 256) bit)' + 24 => '24 (2048(sub 256) bit)', + 28 => '28 (brainpool ecp256)', + 29 => '29 (brainpool ecp384)', + 30 => '30 (brainpool ecp512)' ); global $p2_halgos; 
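Review bot: Adding the AES-GCM entries to $p1_ealgos makes AEAD ciphers selectable for the IKE SA itself, which strongSwan supports only for IKEv2 and only when the proposal carries a PRF instead of an integrity algorithm; an IKEv1 tunnel or a proposal builder that emits `<ealgo>-<halgo>-<dhgroup>` from these tables unchanged will produce a proposal the daemon rejects. The builder lives in vpn.inc, which is cut off in this view, so confirm it special-cases the three gcm keys for phase 1 the way phase 2 presumably already does, and that the phase 1 form refuses GCM when IKEv1 is selected. The `keysel` range 64..128 step 32 here appears to denote the GCM ICV length rather than the key size that `keysel` means for plain `aes`; a comment on the first gcm line, `/* keysel is the GCM ICV length in bits, not the key size */`, would stop the two being treated alike.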
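Review bot: Groups 28–30 are now offered in $p1_dhgroups (and 19–21 plus 28–30 in $p2_pfskeygroups in the following hunk), but the only translation to strongSwan keywords visible in this diff, vpn_ipsec_convert_to_modp in vpn.inc, lists cases only up to '21' on its old side and its new side is cut off here; if the brainpool cases were not added there, $convertion stays "" and the generated proposal silently loses its DH group. Confirm that `case '28': $convertion = "ecp256bp";`, `'29' => "ecp384bp"` and `'30' => "ecp512bp"` exist on the new side. Separately, that function's old side maps '21' to "ecp512" while this table labels 21 as nist ecp521 and strongSwan's keyword is ecp521; worth checking that the rewritten switch corrects it.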
@@ -125,14 +131,14 @@ $p2_halgos = array( global $p1_authentication_methods; $p1_authentication_methods = array( - 'hybrid_rsa_server' => array( 'name' => 'Hybrid RSA + Xauth', 'mobile' => true ), - 'xauth_rsa_server' => array( 'name' => 'Mutual RSA + Xauth', 'mobile' => true ), - 'xauth_psk_server' => array( 'name' => 'Mutual PSK + Xauth', 'mobile' => true ), - 'eap-tls' => array( 'name' => 'EAP-TLS', 'mobile' => true), - 'eap-radius' => array( 'name' => 'EAP-RADIUS', 'mobile' => true), - 'eap-mschapv2' => array( 'name' => 'EAP-MSChapv2', 'mobile' => true), - 'rsasig' => array( 'name' => 'Mutual RSA', 'mobile' => false ), - 'pre_shared_key' => array( 'name' => 'Mutual PSK', 'mobile' => false ) ); + 'hybrid_rsa_server' => array('name' => 'Hybrid RSA + Xauth', 'mobile' => true), + 'xauth_rsa_server' => array('name' => 'Mutual RSA + Xauth', 'mobile' => true), + 'xauth_psk_server' => array('name' => 'Mutual PSK + Xauth', 'mobile' => true), + 'eap-tls' => array('name' => 'EAP-TLS', 'mobile' => true), + 'eap-radius' => array('name' => 'EAP-RADIUS', 'mobile' => true), + 'eap-mschapv2' => array('name' => 'EAP-MSChapv2', 'mobile' => true), + 'rsasig' => array('name' => 'Mutual RSA', 'mobile' => false), + 'pre_shared_key' => array('name' => 'Mutual PSK', 'mobile' => false)); global $ipsec_preshared_key_type; $ipsec_preshared_key_type = array( @@ -161,7 +167,13 @@ $p2_pfskeygroups = array( 15 => '15 (3072 bit)', 16 => '16 (4096 bit)', 17 => '17 (6144 bit)', - 18 => '18 (8192 bit)' + 18 => '18 (8192 bit)', + 19 => '19 (nist ecp256)', + 20 => '20 (nist ecp384)', + 21 => '21 (nist ecp521)', + 28 => '28 (brainpool ecp256)', + 29 => '29 (brainpool ecp384)', + 30 => '30 (brainpool ecp512)' ); /* 
@@ -171,9 +183,11 @@ $p2_pfskeygroups = array( function ipsec_ikeid_used($ikeid) { global $config; - foreach ($config['ipsec']['phase1'] as $ph1ent) - if( $ikeid == $ph1ent['ikeid'] ) + foreach ($config['ipsec']['phase1'] as $ph1ent) { + if ($ikeid == $ph1ent['ikeid']) { return true; + } + } return false; } @@ -181,8 +195,9 @@ function ipsec_ikeid_used($ikeid) { function ipsec_ikeid_next() { $ikeid = 1; - while(ipsec_ikeid_used($ikeid)) + while (ipsec_ikeid_used($ikeid)) { $ikeid++; + } return $ikeid; } @@ -205,14 +220,15 @@ function ipsec_get_phase1_src(& $ph1ent) { $interfaceip = get_interface_ip($if); } } else { - $interfaceip=$ph1ent['interface']; + $interfaceip = $ph1ent['interface']; } } else { $if = "wan"; - if ($ph1ent['protocol'] == "inet6") + if ($ph1ent['protocol'] == "inet6") { $interfaceip = get_interface_ipv6($if); - else + } else { $interfaceip = get_interface_ip($if); + } } return $interfaceip; @@ -224,15 +240,18 @@ function ipsec_get_phase1_src(& $ph1ent) { function ipsec_get_phase1_dst(& $ph1ent) { global $g; - if (empty($ph1ent['remote-gateway'])) + if (empty($ph1ent['remote-gateway'])) { return false; + } $rg = $ph1ent['remote-gateway']; if (!is_ipaddr($rg)) { - if(! platform_booting()) + if (!platform_booting()) { return resolve_retry($rg); + } } - if(!is_ipaddr($rg)) + if (!is_ipaddr($rg)) { return false; + } return $rg; } @@ -246,12 +265,14 @@ function ipsec_idinfo_to_cidr(& $idinfo, $addrbits = false, $mode = "") { switch ($idinfo['type']) { case "address": if ($addrbits) { - if ($mode == "tunnel6") + if ($mode == "tunnel6") { return $idinfo['address']."/128"; - else + } else { return $idinfo['address']."/32"; - } else + } + } else { return $idinfo['address']; + } break; /* NOTREACHED */ case "network": return "{$idinfo['address']}/{$idinfo['netbits']}"; 
@@ -261,18 +282,19 @@ function ipsec_idinfo_to_cidr(& $idinfo, $addrbits = false, $mode = "") { return '0.0.0.0/0'; break; /* NOTREACHED */ default: - if (empty($mode) && !empty($idinfo['mode'])) + if (empty($mode) && !empty($idinfo['mode'])) { $mode = $idinfo['mode']; + } if ($mode == "tunnel6") { $address = get_interface_ipv6($idinfo['type']); $netbits = get_interface_subnetv6($idinfo['type']); - $address = gen_subnetv6($address,$netbits); + $address = gen_subnetv6($address, $netbits); return "{$address}/{$netbits}"; } else { $address = get_interface_ip($idinfo['type']); $netbits = get_interface_subnet($idinfo['type']); - $address = gen_subnet($address,$netbits); + $address = gen_subnet($address, $netbits); return "{$address}/{$netbits}"; } break; /* NOTREACHED */ @@ -282,18 +304,20 @@ function ipsec_idinfo_to_cidr(& $idinfo, $addrbits = false, $mode = "") { /* * Return phase2 idinfo in address/netmask format */ -function ipsec_idinfo_to_subnet(& $idinfo,$addrbits = false) { +function ipsec_idinfo_to_subnet(& $idinfo, $addrbits = false) { global $config; switch ($idinfo['type']) { case "address": if ($addrbits) { - if ($idinfo['mode'] == "tunnel6") + if ($idinfo['mode'] == "tunnel6") { return $idinfo['address']."/128"; - else + } else { return $idinfo['address']."/255.255.255.255"; - } else + } + } else { return $idinfo['address']; + } break; /* NOTREACHED */ case "none": case "network": 
@@ -306,12 +330,12 @@ function ipsec_idinfo_to_subnet(& $idinfo,$addrbits = false) { if ($idinfo['mode'] == "tunnel6") { $address = get_interface_ipv6($idinfo['type']); $netbits = get_interface_subnetv6($idinfo['type']); - $address = gen_subnetv6($address,$netbits); + $address = gen_subnetv6($address, $netbits); return $address."/".$netbits; } else { $address = get_interface_ip($idinfo['type']); $netbits = get_interface_subnet($idinfo['type']); - $address = gen_subnet($address,$netbits); + $address = gen_subnet($address, $netbits); return $address."/".$netbits; } break; /* NOTREACHED */ 
@@ -325,45 +349,49 @@ function ipsec_idinfo_to_text(& $idinfo) { global $config; switch ($idinfo['type']) { - case "address": - return $idinfo['address']; - break; /* NOTREACHED */ - case "network": - return $idinfo['address']."/".$idinfo['netbits']; - break; /* NOTREACHED */ - case "mobile": - return gettext("Mobile Client"); - break; /* NOTREACHED */ - case "none": - return gettext("None"); - break; /* NOTREACHED */ - default: - if (!empty($config['interfaces'][$idinfo['type']])) - return convert_friendly_interface_to_friendly_descr($idinfo['type']); - else - return strtoupper($idinfo['type']); - break; /* NOTREACHED */ + case "address": + return $idinfo['address']; + break; /* NOTREACHED */ + case "network": + return $idinfo['address']."/".$idinfo['netbits']; + break; /* NOTREACHED */ + case "mobile": + return gettext("Mobile Client"); + break; /* NOTREACHED */ + case "none": + return gettext("None"); + break; /* NOTREACHED */ + default: + if (!empty($config['interfaces'][$idinfo['type']])) { + return convert_friendly_interface_to_friendly_descr($idinfo['type']); + } else { + return strtoupper($idinfo['type']); + } + break; /* NOTREACHED */ } } /* * Return phase1 association for phase2 */ -function ipsec_lookup_phase1(& $ph2ent,& $ph1ent) { +function ipsec_lookup_phase1(& $ph2ent, & $ph1ent) { global $config; - if (!is_array($config['ipsec'])) + if (!is_array($config['ipsec'])) { return false; - if (!is_array($config['ipsec']['phase1'])) + } + if (!is_array($config['ipsec']['phase1'])) { return false; - if (empty($config['ipsec']['phase1'])) + } + if (empty($config['ipsec']['phase1'])) { return false; + } foreach ($config['ipsec']['phase1'] as $ph1tmp) { - if ($ph1tmp['ikeid'] == $ph2ent['ikeid']) { - $ph1ent = $ph1tmp; - return $ph1ent; - } + if ($ph1tmp['ikeid'] == $ph2ent['ikeid']) { + $ph1ent = $ph1tmp; + return $ph1ent; + } } return false; 
@@ -376,8 +404,9 @@ function ipsec_phase1_status(&$ipsec_status, $ikeid) { foreach ($ipsec_status as $ike) { if ($ike['id'] == $ikeid) { - if ($ike['status'] == 'established') + if ($ike['status'] == 'established') { return true; + } } } @@ -389,8 +418,9 @@ function ipsec_phase1_status(&$ipsec_status, $ikeid) { */ function ipsec_phase2_status(&$ipsec_status, &$phase2) { - if (ipsec_lookup_phase1($ph2ent,$ph1ent)) + if (ipsec_lookup_phase1($ph2ent, $ph1ent)) { return ipsec_phase1_status($ipsec_status, $ph1ent['ikeid']); + } return false; } @@ -419,8 +449,9 @@ function ipsec_smp_dump_status() { $response = ""; while (!strstr($sread, "</message>")) { $sread = fgets($fd); - if ($sread === false) + if ($sread === false) { break; + } $response .= $sread; } fclose($fd); @@ -444,20 +475,22 @@ function ipsec_smp_dump_status() { /* * Return dump of SPD table */ -function ipsec_dump_spd() -{ +function ipsec_dump_spd() { $fd = @popen("/sbin/setkey -DP", "r"); $spd = array(); if ($fd) { while (!feof($fd)) { $line = chop(fgets($fd)); - if (!$line) + if (!$line) { continue; - if ($line == "No SPD entries.") + } + if ($line == "No SPD entries.") { break; + } if ($line[0] != "\t") { - if (is_array($cursp)) + if (is_array($cursp)) { $spd[] = $cursp; + } $cursp = array(); $linea = explode(" ", $line); $cursp['srcid'] = substr($linea[0], 0, strpos($linea[0], "[")); 
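Review bot: `ipsec_lookup_phase1($ph2ent, $ph1ent)` in ipsec_phase2_status references `$ph2ent`, which is never assigned in that function — the parameter is `&$phase2` — so the lookup runs on null, never matches an ikeid, and the function always returns false. The brace-only rewrite kept the typo; the line should read `if (ipsec_lookup_phase1($phase2, $ph1ent)) {`. Any status display relying on this will report every phase 2 as down regardless of the IKE SA state.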
@@ -466,26 +499,27 @@ function ipsec_dump_spd() } else if (is_array($cursp)) { $line = trim($line, "\t\r\n "); $linea = explode(" ", $line); - switch($i) - { + switch ($i) { case 1: - if ($linea[1] == "none") /* don't show default anti-lockout rule */ + if ($linea[1] == "none") /* don't show default anti-lockout rule */ { unset($cursp); - else + } else { $cursp['dir'] = $linea[0]; + } break; case 2: $upperspec = explode("/", $linea[0]); $cursp['proto'] = $upperspec[0]; list($cursp['src'], $cursp['dst']) = explode("-", $upperspec[2]); - $cursp['reqid'] = substr($upperspec[3], strpos($upperspec[3], "#")+1); + $cursp['reqid'] = substr($upperspec[3], strpos($upperspec[3], "#")+1); break; } } $i++; } - if (is_array($cursp) && count($cursp)) + if (is_array($cursp) && count($cursp)) { $spd[] = $cursp; + } pclose($fd); } 
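Review bot: On the rewritten `case 1:` line the comment now sits between the condition and the opening brace, `if ($linea[1] == "none") /* don't show default anti-lockout rule */ {`, which parses but reads as though the brace belonged to the comment. Put the comment on its own line above the if and keep `if ($linea[1] == "none") {` clean. In the preceding hunk of the same function, `is_array($cursp)` runs before `$cursp` is first assigned, so the first parsed line raises an undefined-variable notice; `$cursp = null;` before the while loop avoids that.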
@@ -495,36 +529,35 @@ function ipsec_dump_spd() /* * Return dump of SAD table */ -function ipsec_dump_sad() -{ +function ipsec_dump_sad() { $fd = @popen("/sbin/setkey -D", "r"); $sad = array(); if ($fd) { while (!feof($fd)) { $line = chop(fgets($fd)); - if (!$line || $line[0] == " ") + if (!$line || $line[0] == " ") { continue; - if ($line == "No SAD entries.") + } + if ($line == "No SAD entries.") { break; - if ($line[0] != "\t") - { - if (is_array($cursa)) + } + if ($line[0] != "\t") { + if (is_array($cursa)) { $sad[] = $cursa; + } $cursa = array(); - list($cursa['src'],$cursa['dst']) = explode(" ", $line); - } - else - { + list($cursa['src'], $cursa['dst']) = explode(" ", $line); + } else { $line = trim($line, "\t\n\r "); $linea = explode(" ", $line); foreach ($linea as $idx => $linee) { - if ($linee == 'esp' || $linee == 'ah' || $linee[0] == '#') + if ($linee == 'esp' || $linee == 'ah' || $linee[0] == '#') { $cursa['proto'] = $linee; - else if (substr($linee, 0, 3) == 'spi') + } else if (substr($linee, 0, 3) == 'spi') { $cursa['spi'] = substr($linee, strpos($linee, 'x') + 1, -1); - else if (substr($linee, 0, 5) == 'reqid') + } else if (substr($linee, 0, 5) == 'reqid') { $cursa['reqid'] = substr($linee, strpos($linee, 'x') + 1, -1); - else if (substr($linee, 0, 2) == 'E:') { + } else if (substr($linee, 0, 2) == 'E:') { $cursa['ealgo'] = $linea[$idx + 1]; break; } else if (substr($linee, 0, 2) == 'A:') { @@ -534,12 +567,12 @@ function ipsec_dump_sad() $cursa['data'] = substr($linea[$idx + 1], 0, strpos($linea[$idx + 1], 'bytes') - 1) . ' B'; break; } - } } } - if (is_array($cursa) && count($cursa)) + if (is_array($cursa) && count($cursa)) { $sad[] = $cursa; + } pclose($fd); } 
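Review bot: `$linee[0] == '#'` on the rewritten foreach line indexes into each token of `explode(" ", $line)`; when the setkey output contains two consecutive spaces the token is "" and the offset access raises a notice before the comparison. `substr($linee, 0, 1) == '#'` copes with the empty token and matches the substr() prefix checks used two lines below. As in ipsec_dump_spd, `$cursa` is passed to is_array() before its first assignment; `$cursa = null;` above the while loop keeps the first line from emitting an undefined-variable notice.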
@@ -560,8 +593,9 @@ function ipsec_dump_mobile() { } /* This is needed for fixing #4130 */ - if (filesize("{$g['tmp_path']}/strongswan_leases.xml") < 200) + if (filesize("{$g['tmp_path']}/strongswan_leases.xml") < 200) { return array(); + } $custom_listtags = array('lease', 'pool'); $response = parse_xml_config("{$g['tmp_path']}/strongswan_leases.xml", "leases"); @@ -583,13 +617,13 @@ function ipsec_mobilekey_sort() { function ipsec_get_number_of_phase2($ikeid) { global $config; - $a_phase2 = $config['ipsec']['phase2']; + $a_phase2 = $config['ipsec']['phase2']; - $nbph2=0; + $nbph2 = 0; - if (is_array($a_phase2) && count($a_phase2)) { - foreach ($a_phase2 as $ph2tmp) { - if ($ph2tmp['ikeid'] == $ikeid) { + if (is_array($a_phase2) && count($a_phase2)) { + foreach ($a_phase2 as $ph2tmp) { + if ($ph2tmp['ikeid'] == $ikeid) { $nbph2++; } } @@ -602,8 +636,9 @@ function ipsec_get_descr($ikeid) { global $config; if (!isset($config['ipsec']['phase1']) || - !is_array($config['ipsec']['phase1'])) + !is_array($config['ipsec']['phase1'])) { return ''; + } foreach ($config['ipsec']['phase1'] as $p1) { if ($p1['ikeid'] == $ikeid) { 
@@ -615,26 +650,28 @@ function ipsec_get_descr($ikeid) { } function ipsec_get_phase1($ikeid) { - global $config; + global $config; - if (!isset($config['ipsec']['phase1']) || - !is_array($config['ipsec']['phase1'])) - return ''; + if (!isset($config['ipsec']['phase1']) || + !is_array($config['ipsec']['phase1'])) { + return ''; + } - $a_phase1 = $config['ipsec']['phase1']; - foreach ($a_phase1 as $p1) { - if ($p1['ikeid'] == $ikeid) { - return $p1; - } - } - unset($a_phase1); + $a_phase1 = $config['ipsec']['phase1']; + foreach ($a_phase1 as $p1) { + if ($p1['ikeid'] == $ikeid) { + return $p1; + } + } + unset($a_phase1); } function ipsec_fixup_ip($ipaddr) { - if (is_ipaddrv6($ipaddr) || is_subnetv6($ipaddr)) + if (is_ipaddrv6($ipaddr) || is_subnetv6($ipaddr)) { return Net_IPv6::compress(Net_IPv6::uncompress($ipaddr)); - else + } else { return $ipaddr; + } } function ipsec_find_id(& $ph1ent, $side = "local", $rgmap = array()) { 
@@ -643,65 +680,68 @@ function ipsec_find_id(& $ph1ent, $side = "local", $rgmap = array()) { $id_data = $ph1ent['myid_data']; $addr = ipsec_get_phase1_src($ph1ent); - if (!$addr) + if (!$addr) { return array(); + } } elseif ($side == "peer") { $id_type = $ph1ent['peerid_type']; $id_data = $ph1ent['peerid_data']; - if (isset($ph1ent['mobile'])) + if (isset($ph1ent['mobile'])) { $addr = "%any"; - else + } else { $addr = $ph1ent['remote-gateway']; - } else + } + } else { return array(); + } $thisid_type = $id_type; switch ($thisid_type) { - case 'myaddress': - $thisid_type = 'address'; - $thisid_data = $addr; - break; - case 'dyn_dns': - $thisid_type = 'dns'; - $thisid_data = $id_data; - break; - case 'peeraddress': - $thisid_type = 'address'; - $thisid_data = $rgmap[$ph1ent['remote-gateway']]; - break; - case 'address': - $thisid_data = $id_data; - break; - case 'fqdn': - $thisid_data = "{$id_data}"; - break; - case 'keyid tag': - $thisid_type = 'keyid'; - $thisid_data = "{$thisid_data}"; - break; - case 'user_fqdn': - $thisid_type = 'userfqdn'; - $thisid_data = "{$id_data}"; - break; - case 'asn1dn': - $thisid_data = $id_data; - $thisid_data = "{$id_data}"; - break; + case 'myaddress': + $thisid_type = 'address'; + $thisid_data = $addr; + break; + case 'dyn_dns': + $thisid_type = 'dns'; + $thisid_data = $id_data; + break; + case 'peeraddress': + $thisid_type = 'address'; + $thisid_data = $rgmap[$ph1ent['remote-gateway']]; + break; + case 'address': + $thisid_data = $id_data; + break; + case 'fqdn': + $thisid_data = "{$id_data}"; + break; + case 'keyid tag': + $thisid_type = 'keyid'; + $thisid_data = "{$id_data}"; + break; + case 'user_fqdn': + $thisid_type = 'userfqdn'; + $thisid_data = "{$id_data}"; + break; + case 'asn1dn': + $thisid_data = $id_data; + break; } return array($thisid_type, $thisid_data); } function ipsec_fixup_network($network) { - if (substr($network, -3) == '|/0') + if (substr($network, -3) == '|/0') { $result = substr($network, 0, -3); - else { + 
} else { $tmp = explode('|', $network); - if (isset($tmp[1])) + if (isset($tmp[1])) { $result = $tmp[1]; - else + } else { $result = $tmp[0]; + } unset($tmp); } @@ -711,14 +751,16 @@ function ipsec_fixup_network($network) { function ipsec_new_reqid() { global $config; - if (!is_array($config['ipsec']) || !is_array($config['ipsec']['phase2'])) + if (!is_array($config['ipsec']) || !is_array($config['ipsec']['phase2'])) { return; + } $ipsecreqid = lock('ipsecreqids', LOCK_EX); $keyids = array(); $keyid = 1; - foreach ($config['ipsec']['phase2'] as $ph2) + foreach ($config['ipsec']['phase2'] as $ph2) { $keyids[$ph2['reqid']] = $ph2['reqid']; + } for ($i = 1; $i < 16000; $i++) { if (!isset($keyids[$i])) { diff --git a/etc/inc/unbound.inc b/etc/inc/unbound.inc index aaaeed8..340efcc 100644 --- a/etc/inc/unbound.inc +++ b/etc/inc/unbound.inc @@ -166,10 +166,10 @@ EOF; $outgoing_interfaces = explode(",", $config['unbound']['outgoing_interface']); foreach($outgoing_interfaces as $outif) { $outip = get_interface_ip($outif); - if (!is_null($outip)) + if (is_ipaddr($outip)) $outgoingints .= "outgoing-interface: $outip\n"; $outip = get_interface_ipv6($outif); - if (!is_null($outip)) + if (is_ipaddrv6($outip)) $outgoingints .= "outgoing-interface: $outip\n"; } } diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc index 96f0325..a60b966 100644 --- a/etc/inc/upgrade_config.inc +++ b/etc/inc/upgrade_config.inc 
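Review bot: The switch in ipsec_find_id still has no default branch, so an unrecognised `$id_type` leaves `$thisid_data` unset and the function returns `array($thisid_type, null)`, which callers presumably write into the strongSwan configuration as an empty identity. The `case 'peeraddress':` line likewise reads `$rgmap[$ph1ent['remote-gateway']]` without isset(), so an unresolved gateway yields a null id without any log entry. Add `default: $thisid_data = $id_data; break;` and guard the map lookup with `isset($rgmap[$ph1ent['remote-gateway']])`. The function starts before this hunk; a short docblock stating that it returns a two-element list `[type, data]` or `array()` when no address can be determined would help callers handle the empty case.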
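Review bot: The two modified `if (is_ipaddr($outip))` / `if (is_ipaddrv6($outip))` lines in unbound.inc keep the brace-less single-statement form while the rest of this commit adds braces to every such if in ipsec.inc and vpn.inc; for consistency they should become `if (is_ipaddr($outip)) { $outgoingints .= "outgoing-interface: $outip\n"; }`. Note that is_ipaddrv6() will also accept a link-local fe80:: address if get_interface_ipv6() can return one, and unbound cannot use such an address as an outgoing interface without a scope id, so a link-local exclusion belongs next to the new check if that helper does not already filter them.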
@@ -3566,4 +3566,25 @@ function upgrade_116_to_117() { } +function upgrade_117_to_118() { + global $config; + + if (!isset($config['ipsec']['phase1'])) { + return; + } + + $a_phase1 =& $config['ipsec']['phase1']; + + foreach ($a_phase1 as &$ph1_entry) { + if (isset($ph1_entry['myid_type']) && $ph1_entry['myid_type'] == 'asn1dn') { + $ph1_entry['myid_data'] = + preg_replace('/\/\s*emailAddress\s*=\s*/', ', E=', $ph1_entry['myid_data']); + } + if (isset($ph1_entry['peerid_type']) && $ph1_entry['peerid_type'] == 'asn1dn') { + $ph1_entry['peerid_data'] = + preg_replace('/\/\s*emailAddress\s*=\s*/', ', E=', $ph1_entry['peerid_data']); + } + } +} + ?> diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index 6e4d71d..aaf7c09 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -4,7 +4,7 @@ vpn.inc Copyright (C) 2004 Scott Ullrich Copyright (C) 2008 Shrew Soft Inc - Copyright (C) 2008 Ermal Lu�i + Copyright (C) 2008 Ermal Luçi All rights reserved. originally part of m0n0wall (http://m0n0.ch/wall) 
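Review bot: The new upgrade_117_to_118 iterates `foreach ($a_phase1 as &$ph1_entry)` and never releases the reference; it is harmless today because the function ends right after the loop, but since $a_phase1 is itself a reference into $config, any later assignment to `$ph1_entry` in the same scope would overwrite the last phase 1 entry in the saved configuration. Add `unset($ph1_entry);` after the loop. The guard tests only isset() on phase1 whereas ipsec_lookup_phase1 in this same commit also requires `is_array($config['ipsec']['phase1'])`; and preg_replace() returns null on a PCRE error, which would erase the ID data, so keep the original string when the result is null.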
@@ -42,78 +42,87 @@ require_once("ipsec.inc"); -function vpn_ipsec_configure_loglevels($forconfig = false) -{ +function vpn_ipsec_configure_loglevels($forconfig = false) { global $config, $ipsec_loglevels; $cfgtext = array(); foreach ($ipsec_loglevels as $lkey => $ldescr) { - if (!isset($config['ipsec']["ipsec_{$lkey}"]) && !$forconfig) + if (!isset($config['ipsec']["ipsec_{$lkey}"]) && !$forconfig) { mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} -- -1", false); - else if (is_numeric($config['ipsec']["ipsec_{$lkey}"]) && - intval($config['ipsec']["ipsec_{$lkey}"]) >= 0 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5) + } else if (is_numeric($config['ipsec']["ipsec_{$lkey}"]) && + intval($config['ipsec']["ipsec_{$lkey}"]) >= 0 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5) { $forconfig ? $cfgtext[] = "${lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) : mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) , false); + } } - if ($forconfig) + if ($forconfig) { return implode(',', $cfgtext); + } } /* include all configuration functions */ -function vpn_ipsec_convert_to_modp($index) -{ +function vpn_ipsec_convert_to_modp($index) { $convertion = ""; switch ($index) { - case '1': - $convertion = "modp768"; - break; - case '2': - $convertion = "modp1024"; - break; - case '5': - $convertion = "modp1536"; - break; - case '14': - $convertion = "modp2048"; - break; - case '15': - $convertion = "modp3072"; - break; - case '16': - $convertion = "modp4096"; - break; - case '17': - $convertion = "modp6144"; - break; - case '18': - $convertion = "modp8192"; - break; - case '19': - $convertion = "ecp256"; - break; - case '20': - $convertion = "ecp384"; - break; - case '21': - $convertion = "ecp512"; - break; + case '1': + $convertion = "modp768"; + break; + case '2': + $convertion = "modp1024"; + break; + case '5': + $convertion = "modp1536"; + break; + case '14': + $convertion = "modp2048"; + break; + case 
'15': + $convertion = "modp3072"; + break; + case '16': + $convertion = "modp4096"; + break; + case '17': + $convertion = "modp6144"; + break; + case '18': + $convertion = "modp8192"; + break; + case '19': + $convertion = "ecp256"; + break; + case '20': + $convertion = "ecp384"; + break; + case '21': + $convertion = "ecp521"; + break; + case '28': + $convertion = "ecp256bp"; + break; + case '29': + $convertion = "ecp384bp"; + break; + case '30': + $convertion = "ecp512bp"; + break; } return $convertion; } -function vpn_ipsec_configure($restart = false) -{ +function vpn_ipsec_configure($restart = false) { global $config, $g, $sa, $sn, $p1_ealgos, $p2_ealgos, $ipsec_idhandling; - if ($g['platform'] == 'jail') + if ($g['platform'] == 'jail') { return; + } /* get the automatic ping_hosts.sh ready */ unlink_if_exists("{$g['vardb_path']}/ipsecpinghosts"); touch("{$g['vardb_path']}/ipsecpinghosts"); - + /* service may have been enabled, disabled, or otherwise changed in a way requiring rule updates */ filter_configure(); 
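Review bot: The correction of group 21 from `ecp512` to `ecp521` (NIST P-521) fixes a proposal name strongSwan would not have recognised, but the function still returns an empty string for any value it does not know, and every caller appends the group only `if (!empty($modp))`. A mistyped or unsupported `dhgroup`/`pfsgroup` in the config therefore produces an `ike =`/`esp =` line with no DH group at all — for ESP that is a silent loss of PFS rather than a visible error. I'd add `default: log_error("IPsec: unknown DH group {$index}, no group will be proposed"); break;` so the downgrade shows up in the log; groups 1 and 2 (768/1024-bit MODP) are still offered here, which deserves a comment even if they stay for interoperability.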
@@ -145,34 +154,46 @@ function vpn_ipsec_configure($restart = false) mwexec("/sbin/ifconfig enc0 up"); set_single_sysctl("net.inet.ip.ipsec_in_use", "1"); - if (php_uname('m') != "amd64") + if (php_uname('m') != "amd64") { set_single_sysctl("net.inet.ipsec.directdispatch", "0"); + } /* needed for config files */ - if (!is_dir("{$g['varetc_path']}/ipsec")) + if (!is_dir("{$g['varetc_path']}/ipsec")) { mkdir("{$g['varetc_path']}/ipsec"); - if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d")) + } + if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d")) { mkdir("{$g['varetc_path']}/ipsec/ipsec.d"); - if (!is_dir($capath)) + } + if (!is_dir($capath)) { mkdir($capath); - if (!is_dir($keypath)) + } + if (!is_dir($keypath)) { mkdir($keypath); - if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/crls")) + } + if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/crls")) { mkdir("{$g['varetc_path']}/ipsec/ipsec.d/crls"); - if (!is_dir($certpath)) + } + if (!is_dir($certpath)) { mkdir($certpath); - if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts")) + } + if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts")) { mkdir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts"); - if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/acerts")) + } + if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/acerts")) { mkdir("{$g['varetc_path']}/ipsec/ipsec.d/acerts"); - if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts")) + } + if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts")) { mkdir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts"); - if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/reqs")) + } + if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/reqs")) { mkdir("{$g['varetc_path']}/ipsec/ipsec.d/reqs"); - + } + - if (platform_booting()) + if (platform_booting()) { echo gettext("Configuring IPsec VPN... "); + } /* fastforwarding is not compatible with ipsec tunnels */ set_single_sysctl("net.inet.ip.fastforwarding", "0"); 
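Review bot: `mkdir($keypath)`, `mkdir($certpath)` and the ipsec.d subdirectories are created with PHP's default mode (0777 masked by the process umask) and none of the return values are checked. The private-key directory in particular should not depend on umask: `mkdir($keypath, 0700);`, and a failed `mkdir` should probably be logged because the key and certificate writes later in the function would then fail or land somewhere unexpected. Whether the key files themselves are written with a restrictive mode is not visible in this hunk, so this may be belt-and-braces, but a directory mode is cheap. The function continues well beyond the hunk.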
@@ -190,23 +211,26 @@ function vpn_ipsec_configure($restart = false) $ipsecpinghosts = ""; /* step through each phase1 entry */ foreach ($a_phase1 as $ph1ent) { - if (isset($ph1ent['disabled'])) + if (isset($ph1ent['disabled'])) { continue; + } if (strpos($ph1ent['interface'], '_vip')) { $vpninterface = explode('_vip', $ph1ent['interface']); $ifacesuse[] = get_real_interface($vpninterface[0]); - } else { - $vpninterface = get_failover_interface($ph1ent['interface']); + } else { + $vpninterface = get_failover_interface($ph1ent['interface']); if (strpos($vpninterface, '_vip')) { $vpninterface = explode('_vip', $vpninterface); $ifacesuse[] = get_real_interface($vpninterface[0]); - } elseif (!empty($vpninterface)) + } elseif (!empty($vpninterface)) { $ifacesuse[] = $vpninterface; + } } - - if ($ph1ent['mode'] == "aggressive" && ($ph1ent['authentication_method'] == "pre_shared_key" || $ph1ent['authentication_method'] == "xauth_psk_server")) + + if ($ph1ent['mode'] == "aggressive" && ($ph1ent['authentication_method'] == "pre_shared_key" || $ph1ent['authentication_method'] == "xauth_psk_server")) { $aggressive_mode_psk = true; + } $ikeid = $ph1ent['ikeid']; $listeniflist = get_real_interface($a_phase1['interface']); 
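Review bot: `$listeniflist = get_real_interface($a_phase1['interface']);` indexes the whole phase 1 array rather than the current entry, so `$a_phase1['interface']` is almost certainly undefined and `get_real_interface()` is called with null on every iteration; the loop variable is `$ph1ent`, so `$listeniflist = get_real_interface($ph1ent['interface']);` looks like the intended line (it is a context line here, but it is the code that ships). The new braces around the `$aggressive_mode_psk` assignment are fine; the `i_dont_care_about_security_and_use_aggressive_mode_psk` knob it feeds is handled further down, outside this hunk. The enclosing foreach continues past the end of the hunk.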
@@ -217,26 +241,30 @@ function vpn_ipsec_configure($restart = false) continue; } - if(!in_array($ep,$ipmap)) + if (!in_array($ep, $ipmap)) { $ipmap[] = $ep; + } /* see if this tunnel has a hostname for the remote-gateway. If so, try to resolve it now and add it to the list for filterdns */ - if (isset ($ph1ent['mobile'])) + if (isset ($ph1ent['mobile'])) { continue; + } $rg = $ph1ent['remote-gateway']; if (!is_ipaddr($rg)) { $filterdns_list[] = "{$rg}"; add_hostname_to_watch($rg); - if (!platform_booting()) + if (!platform_booting()) { $rg = resolve_retry($rg); - if (!is_ipaddr($rg)) + } + if (!is_ipaddr($rg)) { continue; + } } - if(array_search($rg, $rgmap)) { + if (array_search($rg, $rgmap)) { log_error("The remote gateway {$rg} already exists on another phase 1 entry"); continue; } @@ -245,24 +273,27 @@ function vpn_ipsec_configure($restart = false) if (is_array($a_phase2)) { /* step through each phase2 entry */ foreach ($a_phase2 as $ph2ent) { - if (isset($ph2ent['disabled'])) + if (isset($ph2ent['disabled'])) { continue; + } - if ($ikeid != $ph2ent['ikeid']) + if ($ikeid != $ph2ent['ikeid']) { continue; + } /* add an ipsec pinghosts entry */ if ($ph2ent['pinghost']) { - if (!is_array($iflist)) + if (!is_array($iflist)) { $iflist = get_configured_interface_list(); - $viplist = get_configured_vips_list(); + } $srcip = null; $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']); - if(is_ipaddrv6($ph2ent['pinghost'])) { + if (is_ipaddrv6($ph2ent['pinghost'])) { foreach ($iflist as $ifent => $ifname) { $interface_ip = get_interface_ipv6($ifent); - if(!is_ipaddrv6($interface_ip)) + if (!is_ipaddrv6($interface_ip)) { continue; + } if (ip_in_subnet($interface_ip, $local_subnet)) { $srcip = $interface_ip; break; 
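Review bot: `if (array_search($rg, $rgmap))` tests the returned key for truthiness, so a match stored under key `0` (or the string `"0"`) is not detected as a duplicate and the gateway is accepted twice; the correct form is `if (array_search($rg, $rgmap, true) !== false) {`. How `$rgmap` is keyed is not visible in this hunk, so this may be latent rather than live, but the `!== false` comparison is right either way. Note also that at boot (`platform_booting()`) a hostname gateway is not resolved and the entry is skipped with `continue`, so it never reaches `$rgmap` — presumably intentional, but worth a one-line comment. The enclosing loop continues outside the hunk.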
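Review bot: The IPv6 branch of the ping-host source selection has no equivalent of the IPv4 `$local_subnet == "0.0.0.0/0"` special case, so a phase 2 whose local side is `::/0` only picks an interface address if `ip_in_subnet()` happens to handle a zero-length prefix (the explicit IPv4 test suggests it does not). Mirror the v4 check: `if ($local_subnet == "::/0" || ip_in_subnet($interface_ip, $local_subnet)) {`. Deferring `get_configured_vips_list()` until it is actually needed is a reasonable change. The loop continues in the next hunk.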
@@ -271,8 +302,9 @@ function vpn_ipsec_configure($restart = false) } else { foreach ($iflist as $ifent => $ifname) { $interface_ip = get_interface_ip($ifent); - if(!is_ipaddrv4($interface_ip)) + if (!is_ipaddrv4($interface_ip)) { continue; + } if ($local_subnet == "0.0.0.0/0" || ip_in_subnet($interface_ip, $local_subnet)) { $srcip = $interface_ip; break; @@ -281,6 +313,7 @@ function vpn_ipsec_configure($restart = false) } /* if no valid src IP was found in configured interfaces, try the vips */ if (is_null($srcip)) { + $viplist = get_configured_vips_list(); foreach ($viplist as $vip) { if (ip_in_subnet($vip['ipaddr'], $local_subnet)) { $srcip = $vip['ipaddr']; @@ -289,13 +322,14 @@ function vpn_ipsec_configure($restart = false) } } $dstip = $ph2ent['pinghost']; - if(is_ipaddrv6($dstip)) { + if (is_ipaddrv6($dstip)) { $family = "inet6"; } else { $family = "inet"; } - if (is_ipaddr($srcip)) + if (is_ipaddr($srcip)) { $ipsecpinghosts[] = "{$srcip}|{$dstip}|3|||||{$family}|\n"; + } } } } 
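Review bot: `$dstip` is taken from `$ph2ent['pinghost']` and written into the ping-hosts entry without validation, while `$srcip` is checked with `is_ipaddr()` on the line that emits it; a non-address `pinghost` value (from a hand-edited or restored config) therefore lands as a field in a `|`-delimited file that a shell script consumes. Tighten the guard to `if (is_ipaddr($srcip) && is_ipaddr($dstip)) {` and, for symmetry with the family test on `$dstip`, make sure the chosen `$srcip` is of the same family — a v4 source with a v6 destination still passes the current check. Whether the GUI already validates `pinghost` is not visible here.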
@@ -306,20 +340,23 @@ function vpn_ipsec_configure($restart = false) unset($iflist); $accept_unencrypted = ""; - if (isset($config['ipsec']['acceptunencryptedmainmode'])) + if (isset($config['ipsec']['acceptunencryptedmainmode'])) { $accept_unencrypted = "accept_unencrypted_mainmode_messages = yes"; + } $stronconf = ''; - if (file_exists("{$g['varetc_path']}/ipsec/strongswan.conf")) + if (file_exists("{$g['varetc_path']}/ipsec/strongswan.conf")) { $stronconf = file_get_contents("{$g['varetc_path']}/ipsec/strongswan.conf"); + } $i_dont_care_about_security_and_use_aggressive_mode_psk = ""; if ($aggressive_mode_psk) { log_error("WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration."); - if (!empty($stronconf) && strpos($stronconf, 'i_dont_care_about_security_and_use_aggressive_mode_psk') === FALSE) + if (!empty($stronconf) && strpos($stronconf, 'i_dont_care_about_security_and_use_aggressive_mode_psk') === FALSE) { $restart = true; + } $i_dont_care_about_security_and_use_aggressive_mode_psk = "i_dont_care_about_security_and_use_aggressive_mode_psk=yes"; - } + } $unity_enabled = 'yes'; if (isset($config['ipsec']['unityplugin'])) { @@ -354,7 +391,7 @@ function vpn_ipsec_configure($restart = false) $strongswan = <<<EOD -# Automatically generated config file - DO NOT MODIFY. Changes will be overwritten. +# Automatically generated config file - DO NOT MODIFY. Changes will be overwritten. starter { load_warning = no } 
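Review bot: The `$restart = true` trigger only fires when aggressive-mode PSK is enabled and the running strongswan.conf lacks `i_dont_care_about_security_and_use_aggressive_mode_psk`; there is no symmetric case, so once the last aggressive/PSK phase 1 is removed the running daemon keeps the insecure option until something else restarts it. Add `} elseif (!empty($stronconf) && strpos($stronconf, 'i_dont_care_about_security_and_use_aggressive_mode_psk') !== FALSE) { $restart = true; }` so dropping the setting takes effect immediately. `accept_unencrypted_mainmode_messages` is assigned in this hunk with no restart logic attached at all, so the same question applies there.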
@@ -416,44 +453,56 @@ EOD; if (is_array($a_client) && isset($a_client['enable'])) { $strongswan .= "\t\tattr {\n"; - if ($a_client['pool_address'] && $a_client['pool_netbits']) + if ($a_client['pool_address'] && $a_client['pool_netbits']) { $strongswan .= "\t\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n"; + } $cfgservers = array(); - if (!empty($a_client['dns_server1'])) + if (!empty($a_client['dns_server1'])) { $cfgservers[] = $a_client['dns_server1']; - if (!empty($a_client['dns_server2'])) + } + if (!empty($a_client['dns_server2'])) { $cfgservers[] = $a_client['dns_server2']; - if (!empty($a_client['dns_server3'])) + } + if (!empty($a_client['dns_server3'])) { $cfgservers[] = $a_client['dns_server3']; - if (!empty($a_client['dns_server4'])) + } + if (!empty($a_client['dns_server4'])) { $cfgservers[] = $a_client['dns_server4']; + } - if (!empty($cfgservers)) + if (!empty($cfgservers)) { $strongswan .= "\t\t\tdns = " . implode(",", $cfgservers) . "\n"; + } unset($cfgservers); $cfgservers = array(); - if (!empty($a_client['wins_server1'])) + if (!empty($a_client['wins_server1'])) { $cfgservers[] = $a_client['wins_server1']; - if (!empty($a_client['wins_server2'])) + } + if (!empty($a_client['wins_server2'])) { $cfgservers[] = $a_client['wins_server2']; - if (!empty($cfgservers)) + } + if (!empty($cfgservers)) { $strongswan .= "\t\t\tnbns = " . implode(",", $cfgservers) . "\n"; + } unset($cfgservers); if (isset($a_client['net_list']) && is_array($a_phase2)) { $net_list = ''; foreach ($a_phase2 as $ph2ent) { - if (isset($ph2ent['disabled'])) + if (isset($ph2ent['disabled'])) { continue; + } - if (!isset($ph2ent['mobile'])) + if (!isset($ph2ent['mobile'])) { continue; + } $localid = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']); - if (!empty($net_list)) + if (!empty($net_list)) { $net_list .= ","; + } $net_list .= $localid; } 
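Review bot: The DNS and WINS addresses from `$a_client` are interpolated into strongswan.conf with only an `!empty()` check, and `pool_address`/`pool_netbits` with only a truthiness test, so anything that slipped into these fields (a hand-edited or restored config) goes straight into the daemon's configuration. A cheap defence is to filter once before the `implode`: `$cfgservers = array_filter($cfgservers, 'is_ipaddr');` for both the `dns` and `nbns` lists. Likewise `$net_list .= $localid` appends whatever `ipsec_idinfo_to_cidr()` returned, including a false/empty result, which leaves a dangling comma in the list; guard with `if (!empty($localid))`. The `attr` block continues in the next hunk.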
@@ -476,14 +525,17 @@ EOD; $strongswan .= "\t\t\t28675 = {$a_client['dns_split']}\n"; } - if (!empty($a_client['login_banner'])) + if (!empty($a_client['login_banner'])) { $strongswan .= "\t\t\t28672 = \"{$a_client['login_banner']}\"\n"; + } - if (isset($a_client['save_passwd'])) + if (isset($a_client['save_passwd'])) { $strongswan .= "\t\t\t28673 = 1\n"; + } - if ($a_client['pfs_group']) + if ($a_client['pfs_group']) { $strongswan .= "\t\t\t28679 = \"{$a_client['pfs_group']}\"\n"; + } $strongswan .= "\t\t}\n"; if ($a_client['user_source'] != "none") { @@ -493,10 +545,12 @@ EOD; $firstsed = 0; $authcfgs = explode(",", $a_client['user_source']); foreach ($authcfgs as $authcfg) { - if ($firstsed > 0) + if ($firstsed > 0) { $strongswan .= ","; - if ($authcfg == "system") + } + if ($authcfg == "system") { $authcfg = "Local Database"; + } $strongswan .= $authcfg; $firstsed = 1; } @@ -536,8 +590,9 @@ EOD; if (is_array($a_phase1) && count($a_phase1)) { foreach ($a_phase1 as $ph1ent) { - if (isset($ph1ent['disabled'])) + if (isset($ph1ent['disabled'])) { continue; + } if (strstr($ph1ent['authentication_method'], 'rsa') || in_array($ph1ent['authentication_method'], array('eap-mschapv2', 'eap-tls', 'eap-radius'))) { @@ -576,12 +631,15 @@ EOD; $myid = trim($myid_data); - if (empty($peerid_data)) + if (empty($peerid_data)) { continue; + } if ($myid_type == 'fqdn' && !empty($myid)) { $myid = "@{$myid}"; } + + $myid = isset($ph1ent['mobile']) ? trim($myid_data) : "%any"; $peerid = ($peerid_data != 'allusers') ? trim($peerid_data) : ''; @@ -609,10 +667,12 @@ EOD; /* add PSKs for mobile clients */ if (is_array($ipseccfg['mobilekey'])) { foreach ($ipseccfg['mobilekey'] as $key) { - if ($key['ident'] == "allusers") + if ($key['ident'] == "allusers") { $key['ident'] = '%any'; - if (empty($key['type'])) + } + if (empty($key['type'])) { $key['type'] = 'PSK'; + } $pskconf .= "{$myid} {$key['ident']} : {$key['type']} 0s" . base64_encode($key['pre-shared-key']) . "\n"; } unset($key); 
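Review bot: `login_banner` is placed inside a double-quoted strongswan.conf value verbatim, so a banner containing a `"` or a newline terminates the value and lets the remainder be parsed as further configuration — an admin-only field, but the generated file is fed to a privileged daemon and should not rely on GUI validation that is not visible here. Strip or escape the problem characters before interpolating, e.g. `$banner = str_replace(array("\r", "\n", '"'), ' ', $a_client['login_banner']);` and emit `28672 = "{$banner}"`. `pfs_group` is quoted the same way but not checked against the known group numbers, so the same treatment applies.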
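Review bot: The added `$myid = isset($ph1ent['mobile']) ? trim($myid_data) : "%any";` unconditionally overwrites `$myid` right after the `fqdn` branch prefixed it with `@`, so that branch is now dead code, and for every non-mobile PSK phase 1 the local identity in the generated secrets line becomes `%any` instead of the configured ID. That broadens which local identity the PSK is matched against, and for mobile entries a FQDN id loses its `@` marker, which strongSwan's secrets parser presumably needs to distinguish it from a hostname to resolve. If the intent is only to use `%any` on the later mobile-key lines, apply it there rather than clobbering `$myid` here; otherwise at least keep the prefix: `$myid = isset($ph1ent['mobile']) ? $myid : "%any";`. The foreach this sits in continues outside the hunk.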
@@ -632,7 +692,7 @@ EOD; /* begin ipsec.conf */ $ipsecconf = ""; $enablecompression = false; - if (is_array($a_phase1) && count($a_phase1)) { + if (is_array($a_phase1) && count($a_phase1)) { $ipsecconf .= "# This file is automatically generated. Do not edit\n"; $ipsecconf .= "config setup\n\tuniqueids = {$uniqueids}\n"; @@ -659,17 +719,20 @@ EOD; } foreach ($a_phase1 as $ph1ent) { - if (isset($ph1ent['disabled'])) + if (isset($ph1ent['disabled'])) { continue; + } - if ($ph1ent['mode'] == "aggressive") + if ($ph1ent['mode'] == "aggressive") { $aggressive = "yes"; - else + } else { $aggressive = "no"; + } $ep = ipsec_get_phase1_src($ph1ent); - if (!$ep) + if (!$ep) { continue; + } $ikeid = $ph1ent['ikeid']; $keyexchange = "ikev1"; @@ -678,22 +741,25 @@ EOD; if ($ph1ent['iketype'] == "ikev2") { $keyexchange = "ikev2"; //$passive = "start"; - } else if ($ph1ent['iketype'] == "auto") + } else if ($ph1ent['iketype'] == "auto") { $keyexchange = "ike"; + } } if (isset($ph1ent['mobile'])) { $right_spec = "%any"; $passive = 'add'; } else { - if (isset($ph1ent['responderonly'])) + if (isset($ph1ent['responderonly'])) { $passive = 'add'; + } $right_spec = $ph1ent['remote-gateway']; - if (is_ipaddr($right_spec)) + if (is_ipaddr($right_spec)) { $sourcehost = $right_spec; - else + } else { $sourcehost = $rgmap['remote-gateway']; + } if ($ph1ent['protocol'] == 'inet') { if (strpos($ph1ent['interface'], '_vip')) { @@ -710,7 +776,7 @@ EOD; $vpninterface = convert_real_interface_to_friendly_interface_name($ifacesuse); } } - + if (!empty($ifacesuse) && interface_has_gateway($vpninterface)) { $gatewayip = get_interface_gateway($vpninterface); $interfaceip = get_interface_ip($vpninterface); @@ -739,7 +805,7 @@ EOD; $vpninterface = convert_real_interface_to_friendly_interface_name($ifacesuse); } } - + if (!empty($ifacesuse) && interface_has_gateway($vpninterface)) { $gatewayip = get_interface_gateway_v6($vpninterface); $interfaceip = get_interface_ipv6($vpninterface); 
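Review bot: `$sourcehost = $rgmap['remote-gateway'];` indexes `$rgmap` with the literal string `'remote-gateway'`, whereas the rest of the file treats `$rgmap` as a hostname-to-address map (it is handed to `ipsec_find_id($ph1ent, 'peer', $rgmap)` later), so this looks like it should be `$sourcehost = $rgmap[$ph1ent['remote-gateway']];`. As written, a hostname-based remote gateway gets a null `$sourcehost` unless `$rgmap` really has that literal key — worth confirming against where `$rgmap` is populated, which is outside this hunk. The hunk only adds braces around the line, but the bug ships with it.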
@@ -757,136 +823,174 @@ EOD; } list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, 'local'); - if ($myid_type != 'address') + if ($myid_type != 'address' && $myid_type != 'keyid' && $myid_type != 'asn1dn') { $myid_data = "{$myid_type}:{$myid_data}"; + } elseif ($myid_type == "asn1dn" && !empty($myid_data)) { + if ($myid_data[0] == '#') { + /* asn1dn needs double quotes */ + $myid_data = "\"{$myid_type}:{$myid_data}\""; + } else { + $myid_data = "\"{$myid_data}\""; + } + } + $leftid = ''; + if (!empty($myid_data)) { + $leftid = "leftid = {$myid_data}"; + } /* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */ $peerid_spec = ''; if (!isset($ph1ent['mobile'])) { list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, 'peer', $rgmap); - if ($peerid_type != 'address') + if ($peerid_type != 'address' && $peerid_type != 'keyid' && $peerid_type != 'asn1dn') { $peerid_spec = "{$peerid_type}:{$peerid_data}"; - else + } elseif ($peerid_type == "asn1dn") { + /* asn1dn needs double quotes */ + if ($peerid_data[0] == '#') { + $peerid_spec = "\"{$peerid_type}:{$peerid_data}\""; + } elseif (!empty($peerid_data)) { + $peerid_spec = "\"{$peerid_data}\""; + } + } else { $peerid_spec = $peerid_data; + } } if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) { $ealgosp1 = ''; $ealg_id = $ph1ent['encryption-algorithm']['name']; $ealg_kl = $ph1ent['encryption-algorithm']['keylen']; - if ($ealg_kl) + if ($ealg_kl) { $ealgosp1 = "ike = {$ealg_id}{$ealg_kl}-{$ph1ent['hash-algorithm']}"; - else + } else { $ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}"; + } $modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']); - if (!empty($modp)) + if (!empty($modp)) { $ealgosp1 .= "-{$modp}"; + } $ealgosp1 .= "!"; } if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) { - if ($passive == "route") + if ($passive == "route") { $dpdline = "dpdaction = restart"; - else + } else { $dpdline 
= "dpdaction = clear"; + } $dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s"; $dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1); $dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s"; - } else + } else { $dpdline = "dpdaction = none"; + } $ikelifeline = ''; - if ($ph1ent['lifetime']) + if ($ph1ent['lifetime']) { $ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s"; + } $rightsourceip = NULL; - if (isset($ph1ent['mobile']) && !empty($a_client['pool_address'])) + if (isset($ph1ent['mobile']) && !empty($a_client['pool_address'])) { $rightsourceip = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n"; + } $authentication = ""; switch ($ph1ent['authentication_method']) { - case 'eap-mschapv2': - if (isset($ph1ent['mobile'])) { - $authentication = "eap_identity=%any\n\t"; - $authentication .= "leftauth=pubkey\n\trightauth=eap-mschapv2"; - if (!empty($ph1ent['certref'])) - $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; - } - break; - case 'eap-tls': - if (isset($ph1ent['mobile'])) { - $authentication = "eap_identity=%identity\n\t"; - $authentication .= "leftauth=pubkey\n\trightauth=eap-tls"; - if (!empty($ph1ent['certref'])) - $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; - } else { - $authentication = "leftauth=eap-tls\n\trightauth=eap-tls"; - if (!empty($ph1ent['certref'])) + case 'eap-mschapv2': + if (isset($ph1ent['mobile'])) { + $authentication = "eap_identity=%any\n\t"; + $authentication .= "leftauth=pubkey\n\trightauth=eap-mschapv2"; + if (!empty($ph1ent['certref'])) { + $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; + } + } + break; + case 'eap-tls': + if (isset($ph1ent['mobile'])) { + $authentication = "eap_identity=%identity\n\t"; + $authentication .= "leftauth=pubkey\n\trightauth=eap-tls"; + if (!empty($ph1ent['certref'])) { + $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; + } + } else { + $authentication = 
"leftauth=eap-tls\n\trightauth=eap-tls"; + if (!empty($ph1ent['certref'])) { + $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; + } + } + break; + case 'eap-radius': + if (isset($ph1ent['mobile'])) { + $authentication = "eap_identity=%identity\n\t"; + $authentication .= "leftauth=pubkey\n\trightauth=eap-radius"; + if (!empty($ph1ent['certref'])) { + $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; + } + } else { + $authentication = "leftauth=eap-radius\n\trightauth=eap-radius"; + if (!empty($ph1ent['certref'])) { + $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; + } + } + break; + case 'xauth_rsa_server': + $authentication = "leftauth = pubkey\n\trightauth = pubkey"; + $authentication .= "\n\trightauth2 = xauth-generic"; + if (!empty($ph1ent['certref'])) { $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; - } - break; - case 'eap-radius': - if (isset($ph1ent['mobile'])) { - $authentication = "eap_identity=%identity\n\t"; - $authentication .= "leftauth=pubkey\n\trightauth=eap-radius"; - if (!empty($ph1ent['certref'])) + } + break; + case 'xauth_psk_server': + $authentication = "leftauth = psk\n\trightauth = psk"; + $authentication .= "\n\trightauth2 = xauth-generic"; + break; + case 'pre_shared_key': + $authentication = "leftauth = psk\n\trightauth = psk"; + break; + case 'rsasig': + $authentication = "leftauth = pubkey\n\trightauth = pubkey"; + if (!empty($ph1ent['certref'])) { $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; - } else { - $authentication = "leftauth=eap-radius\n\trightauth=eap-radius"; - if (!empty($ph1ent['certref'])) + } + break; + case 'hybrid_rsa_server': + $authentication = "leftauth = xauth-generic\n\trightauth = pubkey"; + $authentication .= "\n\trightauth2 = xauth"; + if (!empty($ph1ent['certref'])) { $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; - } - break; - case 
'xauth_rsa_server': - $authentication = "leftauth = pubkey\n\trightauth = pubkey"; - $authentication .= "\n\trightauth2 = xauth-generic"; - if (!empty($ph1ent['certref'])) - $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; - break; - case 'xauth_psk_server': - $authentication = "leftauth = psk\n\trightauth = psk"; - $authentication .= "\n\trightauth2 = xauth-generic"; - break; - case 'pre_shared_key': - $authentication = "leftauth = psk\n\trightauth = psk"; - break; - case 'rsasig': - $authentication = "leftauth = pubkey\n\trightauth = pubkey"; - if (!empty($ph1ent['certref'])) - $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; - break; - case 'hybrid_rsa_server': - $authentication = "leftauth = xauth-generic\n\trightauth = pubkey"; - $authentication .= "\n\trightauth2 = xauth"; - if (!empty($ph1ent['certref'])) - $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; - break; + } + break; } $left_spec = $ep; - if (isset($ph1ent['reauth_enable'])) + if (isset($ph1ent['reauth_enable'])) { $reauth = "reauth = no"; - else + } else { $reauth = "reauth = yes"; - if (isset($ph1ent['rekey_enable'])) + } + if (isset($ph1ent['rekey_enable'])) { $rekey = "rekey = no"; - else + } else { $rekey = "rekey = yes"; + } - if ($ph1ent['nat_traversal'] == 'off') + if ($ph1ent['nat_traversal'] == 'off') { $forceencaps = 'forceencaps = no'; - else if ($ph1ent['nat_traversal'] == 'force') + } else if ($ph1ent['nat_traversal'] == 'force') { $forceencaps = 'forceencaps = yes'; - else + } else { $forceencaps = 'forceencaps = no'; - - if ($ph1ent['mobike'] == 'on') + } + + if ($ph1ent['mobike'] == 'on') { $mobike = 'mobike = yes'; - else + } else { $mobike = 'mobike = no'; + } $ipseclifetime = 0; $rightsubnet_spec = array(); 
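Review bot: In the new asn1dn branch for the peer, `$peerid_data[0] == '#'` is evaluated before the `!empty($peerid_data)` test, so an empty peer ID hits an undefined string offset; reorder to `} elseif ($peerid_type == "asn1dn" && !empty($peerid_data)) {` and test for `#` inside. Both the local and peer DN are wrapped in double quotes without escaping, so a DN containing `"` breaks the `leftid`/`rightid` line in ipsec.conf — `addcslashes($x, '"')`, or rejecting such DNs, keeps the generated file well-formed. Separately, the `eap-mschapv2` case only sets `$authentication` for mobile entries, leaving it empty for a site-to-site phase 1 with that method so no `leftauth`/`rightauth` is emitted and strongSwan's defaults apply; if that combination is unsupported it should be rejected or logged rather than falling through. The hunk covers only the middle of `vpn_ipsec_configure()`, which starts and ends outside it.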
@@ -896,14 +1000,17 @@ EOD; $ealgoESPsp2arr = array(); if (is_array($a_phase2) && count($a_phase2)) { foreach ($a_phase2 as $ph2ent) { - if ($ikeid != $ph2ent['ikeid']) + if ($ikeid != $ph2ent['ikeid']) { continue; + } - if (isset($ph2ent['disabled'])) + if (isset($ph2ent['disabled'])) { continue; + } - if (isset($ph2ent['mobile']) && !isset($a_client['enable'])) + if (isset($ph2ent['mobile']) && !isset($a_client['enable'])) { continue; + } if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) { $tunneltype = "type = tunnel"; @@ -912,8 +1019,8 @@ EOD; $leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']); /* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */ - if (($localid_type == "none" || $localid_type == "mobile") - && isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid)==1)) { + if (($localid_type == "none" || $localid_type == "mobile") && + isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid) == 1)) { $left_spec = '%any'; } else { if ($localid_type != "address") { @@ -925,13 +1032,15 @@ EOD; continue; } if (!empty($ph2ent['natlocalid'])) { - $natleftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']); + $natleftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']); if ($ph2ent['natlocalid']['type'] != "address") { - if (is_subnet($natleftsubnet_data)) + if (is_subnet($natleftsubnet_data)) { $leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}"; + } } else { - if (is_ipaddr($natleftsubnet_data)) + if (is_ipaddr($natleftsubnet_data)) { $leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}"; + } } $natfilterrules = true; } 
@@ -961,8 +1070,9 @@ EOD; } } - if (isset($a_client['pfs_group']) && isset($ph2ent['mobile'])) + if (isset($a_client['pfs_group']) && isset($ph2ent['mobile'])) { $ph2ent['pfsgroup'] = $a_client['pfs_group']; + } if ($ph2ent['protocol'] == 'esp') { if (is_array($ph2ent['encryption-algorithm-option'])) { @@ -971,30 +1081,33 @@ EOD; $ealg_kl = $ealg['keylen']; if (!empty($ealg_kl) && $ealg_kl == "auto") { - if (empty($p2_ealgos) || !is_array($p2_ealgos)) + if (empty($p2_ealgos) || !is_array($p2_ealgos)) { require("ipsec.inc"); + } $key_hi = $p2_ealgos[$ealg_id]['keysel']['hi']; $key_lo = $p2_ealgos[$ealg_id]['keysel']['lo']; $key_step = $p2_ealgos[$ealg_id]['keysel']['step']; /* XXX: in some cases where include ordering is suspect these variables * are somehow 0 and we enter this loop forever and timeout after 900 * seconds wrecking bootup */ - if ($key_hi != 0 and $key_lo !=0 and $key_step !=0) { + if ($key_hi != 0 and $key_lo != 0 and $key_step != 0) { for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) { if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) { foreach ($ph2ent['hash-algorithm-option'] as $halgo) { $halgo = str_replace('hmac_', '', $halgo); $tmpealgo = "{$ealg_id}{$keylen}-{$halgo}"; $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); - if (!empty($modp)) + if (!empty($modp)) { $tmpealgo .= "-{$modp}"; + } $ealgoESPsp2arr[] = $tmpealgo; } } else { $tmpealgo = "{$ealg_id}{$keylen}"; $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); - if (!empty($modp)) + if (!empty($modp)) { $tmpealgo .= "-{$modp}"; + } $ealgoESPsp2arr[] = $tmpealgo; } } 
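Review bot: When the `$key_hi`/`$key_lo`/`$key_step` guard trips (the `XXX` comment describes the include-ordering case), the phase 2 contributes nothing to `$ealgoESPsp2arr` and nothing is logged, so the `conn` may be written without an `esp =` line and strongSwan presumably falls back to its built-in default proposal — a quiet cipher downgrade. Add `else { log_error("IPsec: no key sizes known for {$ealg_id}, skipping ESP proposal for reqid {$ph2ent['reqid']}"); }` so the condition is visible. Also `require("ipsec.inc")` is a plain `require` while the file already does `require_once("ipsec.inc")` at the top, so if this branch ever runs the re-include will redeclare functions and fatal; `require_once` is the safe form. The loop continues outside the hunk.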
@@ -1005,15 +1118,17 @@ EOD; $halgo = str_replace('hmac_', '', $halgo); $tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}"; $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); - if (!empty($modp)) + if (!empty($modp)) { $tmpealgo .= "-{$modp}"; + } $ealgoESPsp2arr[] = $tmpealgo; } } else { $tmpealgo = "{$ealg_id}{$ealg_kl}"; $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); - if (!empty($modp)) + if (!empty($modp)) { $tmpealgo .= "-{$modp}"; + } $ealgoESPsp2arr[] = $tmpealgo; } } @@ -1024,8 +1139,9 @@ EOD; $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) { $tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo); - if (!empty($modp)) + if (!empty($modp)) { $tmpAHalgo = "-{$modp}"; + } $ealgoAHsp2arr[] = $tmpAHalgo; } } @@ -1034,8 +1150,9 @@ EOD; $reqids[] = $ph2ent['reqid']; if (!empty($ph2ent['lifetime'])) { - if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime'])) + if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime'])) { $ipseclifetime = intval($ph2ent['lifetime']); + } } } @@ -1054,7 +1171,7 @@ EOD; auto = {$passive} left = {$left_spec} right = {$right_spec} - leftid = {$myid_data} + {$leftid} EOD; 
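Review bot: In the AH branch, `$tmpAHalgo = "-{$modp}";` assigns instead of appends, discarding the hash algorithm computed on the previous line and producing an entry such as `-modp2048` — the ESP branch immediately above uses `.=` for the same step. It should read `$tmpAHalgo .= "-{$modp}";`. This is a context line rather than new code, but the result is an `ah =` proposal strongSwan presumably cannot parse, so it is worth fixing in the same pass.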
@@ -1062,61 +1179,74 @@ EOD; $ipsecconnect .= "\tcompress = yes\n"; $enablecompression = true; } - if (!empty($ikelifeline)) + if (!empty($ikelifeline)) { $ipsecconnect .= "\t{$ikelifeline}\n"; - if ($ipseclifetime > 0) + } + if ($ipseclifetime > 0) { $ipsecconnect .= "\tlifetime = {$ipseclifetime}s\n"; - if (!empty($rightsourceip)) + } + if (!empty($rightsourceip)) { $ipsecconnect .= "{$rightsourceip}"; - if (!empty($ealgosp1)) + } + if (!empty($ealgosp1)) { $ipsecconnect .= "\t{$ealgosp1}\n"; - if (!empty($ealgoAHsp2arr)) + } + if (!empty($ealgoAHsp2arr)) { $ipsecconnect .= "\tah = " . join(',', $ealgoAHsp2arr) . "!\n"; - if (!empty($ealgoESPsp2arr)) + } + if (!empty($ealgoESPsp2arr)) { $ipsecconnect .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n"; - if (!empty($authentication)) + } + if (!empty($authentication)) { $ipsecconnect .= "\t{$authentication}\n"; - if (!empty($peerid_spec)) + } + if (!empty($peerid_spec)) { $ipsecconnect .= "\trightid = {$peerid_spec}\n"; - if ($keyexchange == 'ikev1') + } + if ($keyexchange == 'ikev1') { $ipsecconnect .= "\taggressive = {$aggressive}\n"; + } if (!isset($ph1ent['mobile']) && $keyexchange == 'ikev1') { if (!empty($rightsubnet_spec)) { $ipsecfin = ''; foreach ($rightsubnet_spec as $idx => $rsubnet) { $ipsecfin .= "\nconn con{$ph1ent['ikeid']}00{$idx}\n"; - //if (!empty($reqids[$idx])) + //if (!empty($reqids[$idx])) { // $ipsecfin .= "\treqid = " . $reqids[$idx] . "\n"; + //} $ipsecfin .= $ipsecconnect; $ipsecfin .= "\trightsubnet = {$rsubnet}\n"; $ipsecfin .= "\tleftsubnet = " . $leftsubnet_spec[$idx] . "\n"; } - } else + } else { log_error("No phase2 specifications for tunnel with REQID = {$ikeid}"); + } } else { $ipsecfin = "\nconn con{$ph1ent['ikeid']}\n"; - //if (!empty($reqids[$idx])) + //if (!empty($reqids[$idx])) { // $ipsecfin .= "\treqid = " . $reqids[0] . 
"\n"; + //} $ipsecfin .= $ipsecconnect; if (!isset($ph1ent['mobile']) && !empty($rightsubnet_spec)) { $tempsubnets = array(); - foreach ($rightsubnet_spec as $rightsubnet) + foreach ($rightsubnet_spec as $rightsubnet) { $tempsubnets[$rightsubnet] = $rightsubnet; + } $ipsecfin .= "\trightsubnet = " . join(",", $tempsubnets) . "\n"; unset($tempsubnets, $rightsubnet); } if (!empty($leftsubnet_spec)) { $tempsubnets = array(); - foreach ($leftsubnet_spec as $leftsubnet) + foreach ($leftsubnet_spec as $leftsubnet) { $tempsubnets[$leftsubnet] = $leftsubnet; + } $ipsecfin .= "\tleftsubnet = " . join(",", $tempsubnets) . "\n"; unset($tempsubnets, $leftsubnet); } } $ipsecconf .= $ipsecfin; unset($ipsecfin); - } } @@ -1124,14 +1254,15 @@ EOD; unset($ipsecconf); /* end ipsec.conf */ - if ($enablecompression === true) + if ($enablecompression === true) { set_single_sysctl('net.inet.ipcomp.ipcomp_enable', 1); - else + } else { set_single_sysctl('net.inet.ipcomp.ipcomp_enable', 0); + } - /* mange process */ + /* manage process */ if ($restart === true) { - mwexec("/usr/local/sbin/ipsec restart", false); + mwexec("/usr/local/sbin/ipsec restart", false); } else { if (isvalidpid("{$g['varrun_path']}/starter.charon.pid")) { /* Update configuration changes */ 
@@ -1139,28 +1270,31 @@ EOD; mwexec("/usr/local/sbin/ipsec rereadall", false); mwexec("/usr/local/sbin/ipsec reload", false); } else { - mwexec("/usr/local/sbin/ipsec start", false); + mwexec("/usr/local/sbin/ipsec start", false); } } - if ($natfilterrules == true) + if ($natfilterrules == true) { filter_configure(); + } /* start filterdns, if necessary */ if (count($filterdns_list) > 0) { $interval = 60; - if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval'])) + if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval'])) { $interval = $ipseccfg['dns-interval']; + } $hostnames = ""; array_unique($filterdns_list); - foreach ($filterdns_list as $hostname) + foreach ($filterdns_list as $hostname) { $hostnames .= "cmd {$hostname} '/usr/local/sbin/pfSctl -c \"service reload ipsecdns\"'\n"; + } file_put_contents("{$g['varetc_path']}/ipsec/filterdns-ipsec.hosts", $hostnames); unset($hostnames); - if (isvalidpid("{$g['varrun_path']}/filterdns-ipsec.pid")) + if (isvalidpid("{$g['varrun_path']}/filterdns-ipsec.pid")) { sigkillbypid("{$g['varrun_path']}/filterdns-ipsec.pid", "HUP"); - else { + } else { mwexec("/usr/local/sbin/filterdns -p {$g['varrun_path']}/filterdns-ipsec.pid -i {$interval} -c {$g['varetc_path']}/ipsec/filterdns-ipsec.hosts -d 1"); } } else { @@ -1168,8 +1302,9 @@ EOD; @unlink("{$g['varrun_path']}/filterdns-ipsec.pid"); } - if (platform_booting()) + if (platform_booting()) { echo "done\n"; + } return count($filterdns_list); } @@ -1210,8 +1345,9 @@ function vpn_ipsec_force_reload($interface = "") { function vpn_setup() { global $g; - if ($g['platform'] == 'jail') + if ($g['platform'] == 'jail') { return; + } /* start pptpd */ vpn_pptpd_configure(); 
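Review bot: `array_unique($filterdns_list);` discards its return value, so the list is not actually de-duplicated and each repeated gateway hostname gets its own `cmd` line in the filterdns hosts file; write `$filterdns_list = array_unique($filterdns_list);`. The `dns-interval` value passes `is_numeric()` and is then interpolated into the `filterdns -i {$interval}` command line, and `is_numeric()` accepts forms such as `1e3` or a leading space; `$interval = intval($ipseccfg['dns-interval']);` (rejecting values below 1) keeps the argument a plain integer. The hostnames themselves come from `remote-gateway` and are written into the hosts file unvalidated, which is fine only if the input side enforces hostname syntax — not visible here.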
@@ -1229,8 +1365,9 @@ function vpn_netgraph_support() { $realif = get_real_interface($iface); /* Get support for netgraph(4) from the nic */ $ifinfo = pfSense_get_interface_addresses($realif); - if (!empty($ifinfo) && in_array($ifinfo['iftype'], array("ether", "vlan", "bridge"))) + if (!empty($ifinfo) && in_array($ifinfo['iftype'], array("ether", "vlan", "bridge"))) { pfSense_ngctl_attach(".", $realif); + } } } @@ -1241,11 +1378,13 @@ function vpn_pptpd_configure() { $pptpdcfg = $config['pptpd']; if (platform_booting()) { - if (!$pptpdcfg['mode'] || ($pptpdcfg['mode'] == "off")) + if (!$pptpdcfg['mode'] || ($pptpdcfg['mode'] == "off")) { return 0; + } - if (platform_booting(true)) + if (platform_booting(true)) { echo gettext("Configuring PPTP VPN service... "); + } } else { /* kill mpd */ killbypid("{$g['varrun_path']}/pptp-vpn.pid"); @@ -1270,11 +1409,12 @@ function vpn_pptpd_configure() { } /* make sure pptp-vpn directory exists */ - if (!file_exists("{$g['varetc_path']}/pptp-vpn")) + if (!file_exists("{$g['varetc_path']}/pptp-vpn")) { mkdir("{$g['varetc_path']}/pptp-vpn"); + } switch ($pptpdcfg['mode']) { - case 'server' : + case 'server': /* write mpd.conf */ $fd = fopen("{$g['varetc_path']}/pptp-vpn/mpd.conf", "w"); if (!$fd) { 
@@ -1337,23 +1477,27 @@ EOD; EOD; } - if (isset($pptpdcfg["wins"]) && $pptpdcfg['wins'] != "") - $mpdconf .= " set ipcp nbns {$pptpdcfg['wins']}\n"; + if (isset($pptpdcfg["wins"]) && $pptpdcfg['wins'] != "") { + $mpdconf .= " set ipcp nbns {$pptpdcfg['wins']}\n"; + } if (!empty($pptpdcfg['dns1'])) { $mpdconf .= " set ipcp dns " . $pptpdcfg['dns1']; - if (!empty($pptpdcfg['dns2'])) + if (!empty($pptpdcfg['dns2'])) { $mpdconf .= " " . $pptpdcfg['dns2']; + } $mpdconf .= "\n"; } elseif (isset ($config['dnsmasq']['enable'])) { $mpdconf .= " set ipcp dns " . get_interface_ip("lan"); - if ($syscfg['dnsserver'][0]) + if ($syscfg['dnsserver'][0]) { $mpdconf .= " " . $syscfg['dnsserver'][0]; + } $mpdconf .= "\n"; } elseif (isset($config['unbound']['enable'])) { $mpdconf .= " set ipcp dns " . get_interface_ip("lan"); - if ($syscfg['dnsserver'][0]) + if ($syscfg['dnsserver'][0]) { $mpdconf .= " " . $syscfg['dnsserver'][0]; + } $mpdconf .= "\n"; } elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) { $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n"; 
@@ -1366,15 +1510,15 @@ EOD; set radius server {$pptpdcfg['radius']['server']['ip']} "{$pptpdcfg['radius']['server']['secret']}" {$authport} {$acctport} EOD; - if (isset ($pptpdcfg['radius']['server2']['enable'])) { - $authport = (isset($pptpdcfg['radius']['server2']['port']) && strlen($pptpdcfg['radius']['server2']['port']) > 1) ? $pptpdcfg['radius']['server2']['port'] : 1812; - $acctport = $authport + 1; - $mpdconf .=<<<EOD + if (isset ($pptpdcfg['radius']['server2']['enable'])) { + $authport = (isset($pptpdcfg['radius']['server2']['port']) && strlen($pptpdcfg['radius']['server2']['port']) > 1) ? $pptpdcfg['radius']['server2']['port'] : 1812; + $acctport = $authport + 1; + $mpdconf .=<<<EOD set radius server {$pptpdcfg['radius']['server2']['ip']} "{$pptpdcfg['radius']['server2']['secret2']}" {$authport} {$acctport} EOD; - } - $mpdconf .=<<<EOD + } + $mpdconf .=<<<EOD set radius retries 3 set radius timeout 10 set auth enable radius-auth @@ -1448,12 +1592,13 @@ EOD; break; - case 'redir' : + case 'redir': break; } - if (platform_booting()) + if (platform_booting()) { echo "done\n"; + } return 0; } @@ -1462,8 +1607,9 @@ function vpn_pppoes_configure() { global $config; if (is_array($config['pppoes']['pppoe'])) { - foreach ($config['pppoes']['pppoe'] as $pppoe) + foreach ($config['pppoes']['pppoe'] as $pppoe) { vpn_pppoe_configure($pppoe); + } } } @@ -1473,12 +1619,14 @@ function vpn_pppoe_configure(&$pppoecfg) { $syscfg = $config['system']; /* create directory if it does not exist */ - if (!is_dir("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn")) + if (!is_dir("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn")) { mkdir("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn"); + } if (platform_booting()) { - if (!$pppoecfg['mode'] || ($pppoecfg['mode'] == "off")) + if (!$pppoecfg['mode'] || ($pppoecfg['mode'] == "off")) { return 0; + } echo gettext("Configuring PPPoE Server service... "); } else { 
@@ -1492,14 +1640,15 @@ function vpn_pppoe_configure(&$pppoecfg) { switch ($pppoecfg['mode']) { - case 'server' : + case 'server': $pppoe_interface = get_real_interface($pppoecfg['interface']); - if ($pppoecfg['paporchap'] == "chap") + if ($pppoecfg['paporchap'] == "chap") { $paporchap = "set link enable chap"; - else + } else { $paporchap = "set link enable pap"; + } /* write mpd.conf */ $fd = fopen("{$g['varetc_path']}/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.conf", "w"); @@ -1519,16 +1668,16 @@ function vpn_pppoe_configure(&$pppoecfg) { $clientip = long2ip32(ip2long($pppoecfg['remoteip']) + $i); if (isset($pppoecfg['radius']['radiusissueips']) && isset($pppoecfg['radius']['server']['enable'])) { - $isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 0.0.0.0/0"; + $issue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 0.0.0.0/0"; } else { - $isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 {$clientip}/32"; + $issue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 {$clientip}/32"; } $mpdconf .=<<<EOD poes{$pppoecfg['pppoeid']}{$i}: new -i poes{$pppoecfg['pppoeid']}{$i} poes{$pppoecfg['pppoeid']}{$i} poes{$pppoecfg['pppoeid']}{$i} - {$isssue_ip_type} + {$issue_ip_type} load pppoe_standard EOD; 
@@ -1566,18 +1715,21 @@ EOD; if (!empty($pppoecfg['dns1'])) { $mpdconf .= " set ipcp dns " . $pppoecfg['dns1']; - if (!empty($pppoecfg['dns2'])) + if (!empty($pppoecfg['dns2'])) { $mpdconf .= " " . $pppoecfg['dns2']; + } $mpdconf .= "\n"; } elseif (isset ($config['dnsmasq']['enable'])) { $mpdconf .= " set ipcp dns " . get_interface_ip("lan"); - if ($syscfg['dnsserver'][0]) + if ($syscfg['dnsserver'][0]) { $mpdconf .= " " . $syscfg['dnsserver'][0]; + } $mpdconf .= "\n"; } elseif (isset ($config['unbound']['enable'])) { $mpdconf .= " set ipcp dns " . get_interface_ip("lan"); - if ($syscfg['dnsserver'][0]) + if ($syscfg['dnsserver'][0]) { $mpdconf .= " " . $syscfg['dnsserver'][0]; + } $mpdconf .= "\n"; } elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) { $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n"; @@ -1586,10 +1738,12 @@ EOD; if (isset ($pppoecfg['radius']['server']['enable'])) { $radiusport = ""; $radiusacctport = ""; - if (isset($pppoecfg['radius']['server']['port'])) + if (isset($pppoecfg['radius']['server']['port'])) { $radiusport = $pppoecfg['radius']['server']['port']; - if (isset($pppoecfg['radius']['server']['acctport'])) + } + if (isset($pppoecfg['radius']['server']['acctport'])) { $radiusacctport = $pppoecfg['radius']['server']['acctport']; + } $mpdconf .=<<<EOD set radius server {$pppoecfg['radius']['server']['ip']} "{$pppoecfg['radius']['server']['secret']}" {$radiusport} {$radiusacctport} set radius retries 3 @@ -1648,7 +1802,7 @@ EOD; if (!empty($pppoecfg['username'])) { $item = explode(" ", $pppoecfg['username']); - foreach($item as $userdata) { + foreach ($item as $userdata) { $data = explode(":", $userdata); $mpdsecret .= "{$data[0]} \"" . base64_decode($data[1]) . "\" {$data[2]}\n"; } 
@@ -1661,8 +1815,9 @@ EOD; } /* Check if previous instance is still up */ - while (file_exists("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid") && isvalidpid("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid")) + while (file_exists("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid") && isvalidpid("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid")) { killbypid("{$g['varrun_path']}/pppoe{$pppoecfg['pppoeid']}-vpn.pid"); + } /* Get support for netgraph(4) from the nic */ pfSense_ngctl_attach(".", $pppoe_interface); @@ -1672,8 +1827,9 @@ EOD; break; } - if (platform_booting()) + if (platform_booting()) { echo gettext("done") . "\n"; + } return 0; } @@ -1685,12 +1841,14 @@ function vpn_l2tp_configure() { $l2tpcfg = $config['l2tp']; /* create directory if it does not exist */ - if (!is_dir("{$g['varetc_path']}/l2tp-vpn")) + if (!is_dir("{$g['varetc_path']}/l2tp-vpn")) { mkdir("{$g['varetc_path']}/l2tp-vpn"); + } if (platform_booting()) { - if (!$l2tpcfg['mode'] || ($l2tpcfg['mode'] == "off")) + if (!$l2tpcfg['mode'] || ($l2tpcfg['mode'] == "off")) { return 0; + } echo gettext("Configuring l2tp VPN service... "); } else { @@ -1703,16 +1861,18 @@ function vpn_l2tp_configure() { } /* make sure l2tp-vpn directory exists */ - if (!file_exists("{$g['varetc_path']}/l2tp-vpn")) + if (!file_exists("{$g['varetc_path']}/l2tp-vpn")) { mkdir("{$g['varetc_path']}/l2tp-vpn"); + } switch ($l2tpcfg['mode']) { - case 'server' : - if ($l2tpcfg['paporchap'] == "chap") + case 'server': + if ($l2tpcfg['paporchap'] == "chap") { $paporchap = "set link enable chap"; - else + } else { $paporchap = "set link enable pap"; + } /* write mpd.conf */ $fd = fopen("{$g['varetc_path']}/l2tp-vpn/mpd.conf", "w"); 
@@ -1735,16 +1895,16 @@ EOD; $clientip = long2ip32(ip2long($l2tpcfg['remoteip']) + $i); if (isset ($l2tpcfg['radius']['radiusissueips']) && isset ($l2tpcfg['radius']['enable'])) { - $isssue_ip_type = "set ipcp ranges {$l2tpcfg['localip']}/32 0.0.0.0/0"; + $issue_ip_type = "set ipcp ranges {$l2tpcfg['localip']}/32 0.0.0.0/0"; } else { - $isssue_ip_type = "set ipcp ranges {$l2tpcfg['localip']}/32 {$clientip}/32"; + $issue_ip_type = "set ipcp ranges {$l2tpcfg['localip']}/32 {$clientip}/32"; } $mpdconf .=<<<EOD l2tp{$i}: new -i l2tp{$i} l2tp{$i} l2tp{$i} - {$isssue_ip_type} + {$issue_ip_type} load l2tp_standard EOD; @@ -1775,21 +1935,24 @@ EOD; } if (is_ipaddr($l2tpcfg['dns1'])) { $mpdconf .= " set ipcp dns " . $l2tpcfg['dns1']; - if (is_ipaddr($l2tpcfg['dns2'])) + if (is_ipaddr($l2tpcfg['dns2'])) { $mpdconf .= " " . $l2tpcfg['dns2']; + } $mpdconf .= "\n"; } elseif (isset ($config['dnsmasq']['enable'])) { $mpdconf .= " set ipcp dns " . get_interface_ip("lan"); - if ($syscfg['dnsserver'][0]) + if ($syscfg['dnsserver'][0]) { $mpdconf .= " " . $syscfg['dnsserver'][0]; + } $mpdconf .= "\n"; } elseif (isset ($config['unbound']['enable'])) { $mpdconf .= " set ipcp dns " . get_interface_ip("lan"); - if ($syscfg['dnsserver'][0]) + if ($syscfg['dnsserver'][0]) { $mpdconf .= " " . $syscfg['dnsserver'][0]; + } $mpdconf .= "\n"; } elseif (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) { - $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n"; + $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n"; } if (isset ($l2tpcfg['radius']['enable'])) { @@ -1831,8 +1994,9 @@ l2tp{$i}: set l2tp disable originate EOD; - if (!empty($l2tpcfg['secret'])) + if (!empty($l2tpcfg['secret'])) { $mpdlinks .= "set l2tp secret {$l2tpcfg['secret']}\n"; + } } fwrite($fd, $mpdlinks); 
@@ -1849,8 +2013,9 @@ EOD; $mpdsecret = "\n\n"; if (is_array($l2tpcfg['user'])) { - foreach ($l2tpcfg['user'] as $user) + foreach ($l2tpcfg['user'] as $user) { $mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n"; + } } fwrite($fd, $mpdsecret); @@ -1865,12 +2030,13 @@ EOD; break; - case 'redir' : + case 'redir': break; } - if (platform_booting()) + if (platform_booting()) { echo "done\n"; + } return 0; } diff --git a/etc/inc/vslb.inc b/etc/inc/vslb.inc index d0c5244..683fac5 100644 --- a/etc/inc/vslb.inc +++ b/etc/inc/vslb.inc @@ -311,13 +311,17 @@ function relayd_configure($kill_first=false) { for ($k = 0; $k < count($src_port_array) && $k < count($dest_port_array); $k += 1) { $src_port = $src_port_array[$k]; $dest_port = $dest_port_array[$k]; + if (is_portrange($dest_port)) { + $dest_ports = explode(':', $dest_port); + $dest_port = $dest_ports[0]; + } $name = $vs_a[$i]['name']; if ($append_ip_to_name) { $name .= "_" . $j; } if ($append_port_to_name) { - $name .= "_" . $src_port; + $name .= "_" . str_replace(":", "_", $src_port); } if (($vs_a[$i]['mode'] == 'relay') || ($vs_a[$i]['relay_protocol'] == 'dns')) { diff --git a/etc/pfSense.obsoletedfiles b/etc/pfSense.obsoletedfiles index a5989b1..e90c4b1 100644 --- a/etc/pfSense.obsoletedfiles +++ b/etc/pfSense.obsoletedfiles @@ -923,6 +923,7 @@ /usr/local/www/javascript/jquery.js /usr/local/www/javascript/jquery/jquery-ui.custom.css /usr/local/www/javascript/jquery/jquery-ui.custom.min.js +/usr/local/www/javascript/NetUtils.js /usr/local/www/javascript/scriptaculous/CHANGELOG /usr/local/www/javascript/scriptaculous/MIT-LICENSE /usr/local/www/javascript/system_advanced diff --git a/etc/phpshellsessions/restartipsec b/etc/phpshellsessions/restartipsec index cadff25..ebbe9b3 100644 --- a/etc/phpshellsessions/restartipsec +++ b/etc/phpshellsessions/restartipsec 
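Review bot: The new `is_portrange()` branch in relayd_configure() reduces a destination port range to its first element (`$dest_ports[0]`) with no comment or log line, so a configured range is silently narrowed to one port while the source side keeps the full range in the name. A one-line comment giving the reason (presumably relayd takes a single forward port here — confirm) would stop the next reader from treating it as a bug, e.g. `/* relayd forward takes a single port; use the first port of a destination range */`. The branch also assumes `is_portrange()` guarantees a `:` separator, which nothing in the hunk shows. relayd_configure() continues outside this hunk.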
@@ -1,5 +1,7 @@ ! echo "Restarting ipsec..." require_once("config.inc"); +require_once("filter.inc"); +require_once("auth.inc"); require_once("ipsec.inc"); require_once("vpn.inc"); vpn_ipsec_configure(true); @@ -342,11 +342,6 @@ echo -n "." /sbin/ldconfig -elf /usr/lib /usr/local/lib /lib /etc/rc.d/ldconfig start 2>/dev/null -# Make sure /etc/rc.conf doesn't exist. -if [ -f /etc/rc.conf ]; then - /bin/rm -rf /etc/rc.conf -fi - if [ ! "$PLATFORM" = "jail" ]; then # Launching kbdmux(4) if [ -f "/dev/kbdmux0" ]; then diff --git a/etc/rc.carpbackup b/etc/rc.carpbackup index e518e23..2a5ce2a 100755 --- a/etc/rc.carpbackup +++ b/etc/rc.carpbackup @@ -4,6 +4,7 @@ /* rc.carpbackup part of pfSense (https://www.pfsense.org) + Copyright (C) 2004-2015 Electric Sheep Fencing LLC Copyright (C) 2004 Scott Ullrich All rights reserved. @@ -61,6 +62,15 @@ if (is_array($config['openvpn']) && is_array($config['openvpn']['openvpn-client' log_error("Stopping OpenVPN client instance on {$friendly_descr} because of transition to CARP backup."); openvpn_restart('client', $settings); } + // check for gateway groups specifying CARP IPs + $a_groups = return_gateway_groups_array(); + if (is_array($a_groups[$settings['interface']])) { + // interface of this instance is a gateway group, check for CARP VIP + if (strstr($a_groups[$settings['interface']][0]['vip'], "_vip")) { + log_error("Stopping OpenVPN client instance on {$friendly_descr} because of transition to CARP backup."); + openvpn_restart('client', $settings); + } + } } } @@ -85,4 +95,4 @@ $pluginparams['event'] = 'rc.carpbackup'; $pluginparams['interface'] = $argument; pkg_call_plugins('plugin_carp', $pluginparams); -?> +?>
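Review bot: In the rc.carpbackup hunk `return_gateway_groups_array()` is called inside the per-instance loop, so the gateway group table is rebuilt for every OpenVPN client, and `$a_groups[$settings['interface']][0]['vip']` is read without an `isset()` guard for interfaces that are not a gateway group. Hoist the call above the loop and tighten the test to `if (isset($a_groups[$settings['interface']][0]['vip']) && strstr($a_groups[$settings['interface']][0]['vip'], "_vip")) {`. The same block is duplicated in both rc.carpmaster hunks (client and server loops), so a small shared helper would keep the three copies from drifting. The enclosing foreach starts before this hunk.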
\ No newline at end of file diff --git a/etc/rc.carpmaster b/etc/rc.carpmaster index d9d9879..81f7b3b 100755 --- a/etc/rc.carpmaster +++ b/etc/rc.carpmaster @@ -4,6 +4,7 @@ /* rc.carpmaster part of pfSense (https://www.pfsense.org) + Copyright (C) 2004-2015 Electric Sheep Fencing LLC Copyright (C) 2004 Scott Ullrich All rights reserved. @@ -61,6 +62,15 @@ if (is_array($config['openvpn']) && is_array($config['openvpn']['openvpn-client' log_error("Starting OpenVPN client instance on {$friendly_descr} because of transition to CARP master."); openvpn_restart('client', $settings); } + // check for gateway groups specifying CARP IPs + $a_groups = return_gateway_groups_array(); + if (is_array($a_groups[$settings['interface']])) { + // interface of this instance is a gateway group, check for CARP VIP + if (strstr($a_groups[$settings['interface']][0]['vip'], "_vip")) { + log_error("Starting OpenVPN client instance on {$friendly_descr} because of transition to CARP master."); + openvpn_restart('client', $settings); + } + } } } if (is_array($config['openvpn']) && is_array($config['openvpn']['openvpn-server'])) { @@ -69,6 +79,15 @@ if (is_array($config['openvpn']) && is_array($config['openvpn']['openvpn-server' log_error("Starting OpenVPN instance on {$friendly_descr} because of transition to CARP master."); openvpn_restart('server', $settings); } + // check for gateway groups specifying CARP IPs + $a_groups = return_gateway_groups_array(); + if (is_array($a_groups[$settings['interface']])) { + // interface of this instance is a gateway group, check for CARP VIP + if (strstr($a_groups[$settings['interface']][0]['vip'], "_vip")) { + log_error("Starting OpenVPN instance on {$friendly_descr} because of transition to CARP master."); + openvpn_restart('server', $settings); + } + } } } @@ -93,4 +112,4 @@ $pluginparams['event'] = 'rc.carpmaster'; $pluginparams['interface'] = $argument; pkg_call_plugins('plugin_carp', $pluginparams); -?> +?>
\ No newline at end of file diff --git a/etc/rc.conf b/etc/rc.conf new file mode 100644 index 0000000..01cd50f --- /dev/null +++ b/etc/rc.conf @@ -0,0 +1 @@ +# THIS FILE DOES NOTHING, DO NOT MAKE CONFIG CHANGES HERE diff --git a/etc/rc.firmware b/etc/rc.firmware index c7a92aa..0b6f3ed 100755 --- a/etc/rc.firmware +++ b/etc/rc.firmware @@ -525,7 +525,6 @@ delta_update) remove_chflags binary_update $IMG restore_chflags - rm -rf /etc/rc.conf rm -rf /etc/motd find / -name CVS -type d -exec rm {} \; rm -rf /usr/savecore/* diff --git a/tmp/pre_upgrade_command b/tmp/pre_upgrade_command index 5bfd891..2ad365f 100644 --- a/tmp/pre_upgrade_command +++ b/tmp/pre_upgrade_command @@ -6,11 +6,11 @@ PRIOR_VERSION=`uname -r | cut -d'.' -f1` echo $PRIOR_VERSION > /tmp/pre_upgrade_version -# Activate sync on root filesystem. See ticket #4523 +# De-activate sync on root filesystem. See ticket #4523 # Back up original fstab /bin/cp /etc/fstab /etc/fstab.orig -# Activate sync on the root slice only. This will not match NanoBSD since it already has sync,noatime -/usr/bin/sed -i '' 's/^\(\/.*[[:space:]]*\/[[:space:]]*ufs[[:space:]]*\)rw\([[:space:]]*[[:digit:]][[:space:]]*[[:digit:]]\)$/\1rw,sync\2/' /etc/fstab +# De-activate sync on the root slice only. This will not match NanoBSD since it already has sync,noatime +/usr/bin/sed -i '' 's/^\(\/.*[[:space:]]*\/[[:space:]]*ufs[[:space:]]*\)rw,sync\([[:space:]]*[[:digit:]][[:space:]]*[[:digit:]]\)$/\1rw\2/' /etc/fstab # Hack to workaround ticket #3749 if [ ${PRIOR_VERSION} -le 8 ] && grep -q 'sh /etc/rc.reboot' /etc/rc.firmware; then diff --git a/usr/local/www/firewall_aliases_edit.php b/usr/local/www/firewall_aliases_edit.php index 00a0d4e..ded7a85 100755 --- a/usr/local/www/firewall_aliases_edit.php +++ b/usr/local/www/firewall_aliases_edit.php 
@@ -52,7 +52,11 @@ require_once("shaper.inc"); $pgtitle = array(gettext("Firewall"),gettext("Aliases"),gettext("Edit")); -$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/firewall_aliases.php'); +if (isset($_POST['referer'])) { + $referer = $_POST['referer']; +} else { + $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/firewall_aliases.php'); +} // Keywords not allowed in names $reserved_keywords = array("all", "pass", "block", "out", "queue", "max", "min", "pptp", "pppoe", "L2TP", "OpenVPN", "IPsec"); @@ -255,6 +259,7 @@ if ($_POST) { $wrongaliases = ""; $desc_fmt_err_found = false; $alias_address_count = 0; + $input_addresses = array(); // First trim and expand the input data. // Users can paste strings like "10.1.2.0/24 10.3.0.0/16 9.10.11.0/24" into an address box. @@ -635,8 +640,8 @@ function update_box_type() { typesel_change(); add_alias_control(this); } - document.getElementById ("addressnetworkport").firstChild.data = "{$url_str}"; - document.getElementById ("onecolumn").firstChild.data = "{$url_str}"; + document.getElementById ("addressnetworkport").firstChild.data = "{$urltable_str}"; + document.getElementById ("onecolumn").firstChild.data = "{$urltable_str}"; document.getElementById ("twocolumn").firstChild.data = "{$update_freq_str}"; document.getElementById ("threecolumn").firstChild.data = ""; document.getElementById ("threecolumn").style.display = 'none'; 
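Review bot: `$referer` is now populated from `$_POST['referer']` and later echoed unescaped into the Cancel button's `onclick="window.location.href='<?=$referer;?>'"` and into the new hidden input in the `@@ -822,6 +827,7 @@` hunk, so a crafted POST value can break out of the attribute or the JS string, and the same value can send the browser to an off-site URL. Both outputs should be written with `htmlspecialchars($referer, ENT_QUOTES)`, and the incoming value should only be accepted when it is a site-local path, e.g. `if (isset($_POST['referer']) && preg_match('#^/(?!/)#', $_POST['referer'])) {`. The HTTP_REFERER fallback was already emitted without escaping before this commit, but a form field is far more directly controllable than the Referer header. The identical pattern is repeated in the corresponding hunks of firewall_aliases_import.php, firewall_nat_1to1_edit.php, firewall_nat_edit.php, firewall_nat_npt_edit.php, firewall_nat_out_edit.php, firewall_rules_edit.php, firewall_schedule_edit.php, firewall_virtual_ip_edit.php, interfaces.php, interfaces_bridge_edit.php and interfaces_gif_edit.php.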
@@ -648,8 +653,8 @@ function update_box_type() { typesel_change(); add_alias_control(this); } - document.getElementById ("addressnetworkport").firstChild.data = "{$url_str}"; - document.getElementById ("onecolumn").firstChild.data = "{$url_str}"; + document.getElementById ("addressnetworkport").firstChild.data = "{$urltable_ports_str}"; + document.getElementById ("onecolumn").firstChild.data = "{$urltable_ports_str}"; document.getElementById ("twocolumn").firstChild.data = "{$update_freq_str}"; document.getElementById ("threecolumn").firstChild.data = ""; document.getElementById ("threecolumn").style.display = 'none'; @@ -822,6 +827,7 @@ if (empty($tab)) { <td width="78%"> <input id="submit" name="submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" /> <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" /> + <input name="referer" type="hidden" value="<?=$referer;?>" /> </td> </tr> </table> diff --git a/usr/local/www/firewall_aliases_import.php b/usr/local/www/firewall_aliases_import.php index 40bdf20..f29c9b5 100755 --- a/usr/local/www/firewall_aliases_import.php +++ b/usr/local/www/firewall_aliases_import.php @@ -49,7 +49,11 @@ require("shaper.inc"); $pgtitle = array(gettext("Firewall"),gettext("Aliases"),gettext("Bulk import")); -$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/firewall_aliases.php'); +if (isset($_POST['referer'])) { + $referer = $_POST['referer']; +} else { + $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/firewall_aliases.php'); +} // Add all Load balance names to reserved_keywords if (is_array($config['load_balancer']['lbpool'])) 
@@ -63,7 +67,7 @@ if (!is_array($config['aliases']['alias'])) $config['aliases']['alias'] = array(); $a_aliases = &$config['aliases']['alias']; -if($_POST['aliasimport'] <> "") { +if ($_POST) { $reqdfields = explode(" ", "name aliasimport"); $reqdfieldsn = array(gettext("Name"),gettext("Aliases")); @@ -214,6 +218,7 @@ include("head.inc"); <td width="78%"> <input id="submit" name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" /> <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" /> + <input name="referer" type="hidden" value="<?=$referer;?>" /> </td> </tr> </table> diff --git a/usr/local/www/firewall_nat_1to1_edit.php b/usr/local/www/firewall_nat_1to1_edit.php index 783e4bf..44bd062 100644 --- a/usr/local/www/firewall_nat_1to1_edit.php +++ b/usr/local/www/firewall_nat_1to1_edit.php @@ -46,7 +46,11 @@ require_once("interfaces.inc"); require_once("filter.inc"); require("shaper.inc"); -$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/firewall_nat_1to1.php'); +if (isset($_POST['referer'])) { + $referer = $_POST['referer']; +} else { + $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/firewall_nat_1to1.php'); +} $specialsrcdst = explode(" ", "any pptp pppoe l2tp openvpn"); $ifdisp = get_configured_interface_with_descr(); @@ -535,6 +539,7 @@ if ($input_errors) <td width="78%"> <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" /> <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" /> + <input name="referer" type="hidden" value="<?=$referer;?>" /> <?php if (isset($id) && $a_1to1[$id]): ?> <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" /> <?php endif; ?> diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php index 76c30ba..41ff619 100644 --- a/usr/local/www/firewall_nat_edit.php 
+++ b/usr/local/www/firewall_nat_edit.php @@ -46,7 +46,11 @@ require_once("itemid.inc"); require_once("filter.inc"); require("shaper.inc"); -$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/firewall_nat.php'); +if (isset($_POST['referer'])) { + $referer = $_POST['referer']; +} else { + $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/firewall_nat.php'); +} $specialsrcdst = explode(" ", "any (self) pptp pppoe l2tp openvpn"); $ifdisp = get_configured_interface_with_descr(); @@ -895,6 +899,7 @@ $has_updated_time = (isset($a_nat[$id]['updated']) && is_array($a_nat[$id]['upda <td width="78%"> <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" /> <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" /> + <input name="referer" type="hidden" value="<?=$referer;?>" /> <?php if (isset($id) && $a_nat[$id]): ?> <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" /> <?php endif; ?> diff --git a/usr/local/www/firewall_nat_npt_edit.php b/usr/local/www/firewall_nat_npt_edit.php index a5685e9..506ce13 100644 --- a/usr/local/www/firewall_nat_npt_edit.php +++ b/usr/local/www/firewall_nat_npt_edit.php @@ -59,7 +59,11 @@ require_once("interfaces.inc"); require_once("filter.inc"); require("shaper.inc"); -$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/firewall_nat_npt.php'); +if (isset($_POST['referer'])) { + $referer = $_POST['referer']; +} else { + $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/firewall_nat_npt.php'); +} $ifdisp = get_configured_interface_with_descr(); foreach ($ifdisp as $kif => $kdescr) { 
@@ -277,6 +281,7 @@ external prefix."); <td width="78%"> <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" /> <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" /> + <input name="referer" type="hidden" value="<?=$referer;?>" /> <?php if (isset($id) && $a_npt[$id]): ?> <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" /> <?php endif; ?> diff --git a/usr/local/www/firewall_nat_out_edit.php b/usr/local/www/firewall_nat_out_edit.php index 2162695..eb99406 100644 --- a/usr/local/www/firewall_nat_out_edit.php +++ b/usr/local/www/firewall_nat_out_edit.php @@ -46,7 +46,11 @@ require("guiconfig.inc"); require_once("filter.inc"); require("shaper.inc"); -$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/firewall_nat_out.php'); +if (isset($_POST['referer'])) { + $referer = $_POST['referer']; +} else { + $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/firewall_nat_out.php'); +} if (!is_array($config['nat']['outbound'])) $config['nat']['outbound'] = array(); @@ -827,6 +831,7 @@ function poolopts_change() { <td width="78%"> <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" /> <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" /> + <input name="referer" type="hidden" value="<?=$referer;?>" /> <?php if (isset($id) && $a_out[$id]): ?> diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php index 03c6912..e221f7f 100644 --- a/usr/local/www/firewall_rules_edit.php +++ b/usr/local/www/firewall_rules_edit.php 
@@ -46,7 +46,11 @@ require("guiconfig.inc"); require_once("filter.inc"); require("shaper.inc"); -$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/firewall_rules.php'); +if (isset($_POST['referer'])) { + $referer = $_POST['referer']; +} else { + $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/firewall_rules.php'); +} function is_posnumericint($arg) { // Note that to be safe we do not allow any leading zero - "01", "007" @@ -1736,6 +1740,7 @@ $has_updated_time = (isset($a_filter[$id]['updated']) && is_array($a_filter[$id] <br /> <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" /> <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" /> + <input name="referer" type="hidden" value="<?=$referer;?>" /> <?php if (isset($id) && $a_filter[$id]): ?> <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" /> <input name="tracker" type="hidden" value="<?=htmlspecialchars($pconfig['tracker']);?>"> diff --git a/usr/local/www/firewall_schedule_edit.php b/usr/local/www/firewall_schedule_edit.php index 5759863..fea0b31 100644 --- a/usr/local/www/firewall_schedule_edit.php +++ b/usr/local/www/firewall_schedule_edit.php 
@@ -61,7 +61,11 @@ require_once("shaper.inc"); $pgtitle = array(gettext("Firewall"),gettext("Schedules"),gettext("Edit")); -$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/firewall_schedule.php'); +if (isset($_POST['referer'])) { + $referer = $_POST['referer']; +} else { + $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/firewall_schedule.php'); +} $dayArray = array (gettext('Mon'),gettext('Tues'),gettext('Wed'),gettext('Thur'),gettext('Fri'),gettext('Sat'),gettext('Sun')); $monthArray = array (gettext('January'),gettext('February'),gettext('March'),gettext('April'),gettext('May'),gettext('June'),gettext('July'),gettext('August'),gettext('September'),gettext('October'),gettext('November'),gettext('December')); @@ -1167,6 +1171,7 @@ EOD; <td width="85%"> <input id="submit" name="submit" type="submit" onclick="return checkForRanges();" class="formbtn" value="<?=gettext("Save"); ?>" /> <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" /> + <input name="referer" type="hidden" value="<?=$referer;?>" /> <?php if (isset($id) && $a_schedules[$id]): ?> <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" /> <?php endif; ?> diff --git a/usr/local/www/firewall_virtual_ip_edit.php b/usr/local/www/firewall_virtual_ip_edit.php index 5e5692b..4761631 100644 --- a/usr/local/www/firewall_virtual_ip_edit.php +++ b/usr/local/www/firewall_virtual_ip_edit.php @@ -55,7 +55,11 @@ require("guiconfig.inc"); require_once("filter.inc"); require("shaper.inc"); -$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/firewall_virtual_ip.php'); +if (isset($_POST['referer'])) { + $referer = $_POST['referer']; +} else { + $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/firewall_virtual_ip.php'); +} if (!is_array($config['virtualip']['vip'])) { $config['virtualip']['vip'] = array(); 
@@ -499,6 +503,7 @@ function typesel_change() { <td width="78%"> <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" /> <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" /> + <input name="referer" type="hidden" value="<?=$referer;?>" /> <?php if (isset($id) && $a_vip[$id]): ?> <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" /> <?php endif; ?> diff --git a/usr/local/www/index.php b/usr/local/www/index.php index 33939db..e162876 100644 --- a/usr/local/www/index.php +++ b/usr/local/www/index.php @@ -215,7 +215,7 @@ EOF; or preg_match("/^ubsec.: (.*?),/", $dmesgl, $matches) or preg_match("/^padlock.: <(.*?)>,/", $dmesgl, $matches) or preg_match("/^glxsb.: (.*?),/", $dmesgl, $matches) - or preg_match("/^aesni.: (.*?),/", $dmesgl, $matches)) { + or preg_match("/^aesni.: <(.*?)>/", $dmesgl, $matches)) { $hwcrypto = $matches[1]; break; } diff --git a/usr/local/www/interfaces.php b/usr/local/www/interfaces.php index 381024f..d1b1726 100644 --- a/usr/local/www/interfaces.php +++ b/usr/local/www/interfaces.php @@ -55,7 +55,11 @@ require_once("rrd.inc"); require_once("vpn.inc"); require_once("xmlparse_attr.inc"); -$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/interfaces.php'); +if (isset($_POST['referer'])) { + $referer = $_POST['referer']; +} else { + $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/interfaces.php'); +} // Get configured interface list $ifdescrs = get_configured_interface_with_descr(false, true); 
@@ -3452,6 +3456,7 @@ $types6 = array("none" => gettext("None"), "staticv6" => gettext("Static IPv6"),
 <br />
 <input id="save" name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" />
 <input id="cancel" type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" />
+ <input name="referer" type="hidden" value="<?=$referer;?>" />
 <input name="if" type="hidden" id="if" value="<?=htmlspecialchars($if);?>" />
 <?php if ($wancfg['if'] == $a_ppps[$pppid]['if']) : ?>
 <input name="ppp_port" type="hidden" value="<?=htmlspecialchars($pconfig['port']);?>" />
diff --git a/usr/local/www/interfaces_bridge_edit.php b/usr/local/www/interfaces_bridge_edit.php
index 1a1813c..02ba1b2 100644
--- a/usr/local/www/interfaces_bridge_edit.php
+++ b/usr/local/www/interfaces_bridge_edit.php
@@ -41,7 +41,11 @@ require("guiconfig.inc");
-$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/interfaces_bridge.php');
+if (isset($_POST['referer'])) {
+ $referer = $_POST['referer'];
+} else {
+ $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/interfaces_bridge.php');
+}
 if (!is_array($config['bridges']['bridged']))
 $config['bridges']['bridged'] = array();
@@ -604,6 +608,7 @@ function show_source_port_range() {
 <input type="hidden" name="bridgeif" value="<?=htmlspecialchars($pconfig['bridgeif']); ?>" />
 <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" />
 <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" />
+ <input name="referer" type="hidden" value="<?=$referer;?>" />
 <?php if (isset($id) && $a_bridges[$id]): ?>
 <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" />
 <?php endif; ?>
diff --git a/usr/local/www/interfaces_gif_edit.php b/usr/local/www/interfaces_gif_edit.php
index a290e97..341f465 100644
--- a/usr/local/www/interfaces_gif_edit.php
+++ b/usr/local/www/interfaces_gif_edit.php
@@ -41,7 +41,11 @@ require("guiconfig.inc");
-$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/interfaces_gif.php');
+if (isset($_POST['referer'])) {
+ $referer = $_POST['referer'];
+} else {
+ $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/interfaces_gif.php');
+}
 if (!is_array($config['gifs']['gif']))
 $config['gifs']['gif'] = array();
@@ -74,8 +78,8 @@ if ($_POST) {
 $pconfig = $_POST;
 /* input validation */
- $reqdfields = explode(" ", "if tunnel-remote-addr tunnel-remote-net tunnel-local-addr");
- $reqdfieldsn = array(gettext("Parent interface,Local address, Remote tunnel address, Remote tunnel network, Local tunnel address"));
+ $reqdfields = explode(" ", "if remote-addr tunnel-local-addr tunnel-remote-addr tunnel-remote-net");
+ $reqdfieldsn = array(gettext("Parent interface"), gettext("gif remote address"), gettext("gif tunnel local address"), gettext("gif tunnel remote address"), gettext("gif tunnel remote netmask"));
 do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
@@ -232,6 +236,7 @@ include("head.inc");
 <input type="hidden" name="gifif" value="<?=htmlspecialchars($pconfig['gifif']); ?>" />
 <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" />
 <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" />
+ <input name="referer" type="hidden" value="<?=$referer;?>" />
 <?php if (isset($id) && $a_gifs[$id]): ?>
 <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" />
 <?php endif; ?>
diff --git a/usr/local/www/interfaces_gre_edit.php b/usr/local/www/interfaces_gre_edit.php
index b360f17..cd9f226 100644
--- a/usr/local/www/interfaces_gre_edit.php
+++ b/usr/local/www/interfaces_gre_edit.php
@@ -42,7 +42,11 @@ require("guiconfig.inc");
 require_once("functions.inc");
-$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/interfaces_gre.php');
+if (isset($_POST['referer'])) {
+ $referer = $_POST['referer'];
+} else {
+ $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/interfaces_gre.php');
+}
 if (!is_array($config['gres']['gre']))
 $config['gres']['gre'] = array();
@@ -73,8 +77,8 @@ if ($_POST) {
 $pconfig = $_POST;
 /* input validation */
- $reqdfields = explode(" ", "if tunnel-remote-addr tunnel-remote-net tunnel-local-addr");
- $reqdfieldsn = array(gettext("Parent interface"),gettext("Local address"),gettext("Remote tunnel address"),gettext("Remote tunnel network"), gettext("Local tunnel address"));
+ $reqdfields = explode(" ", "if remote-addr tunnel-local-addr tunnel-remote-addr tunnel-remote-net");
+ $reqdfieldsn = array(gettext("Parent interface"), gettext("Remote tunnel endpoint IP address"), gettext("Local tunnel IP address"), gettext("Remote tunnel IP address"), gettext("Remote tunnel network"));
 do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
@@ -235,6 +239,7 @@ include("head.inc");
 <input type="hidden" name="greif" value="<?=htmlspecialchars($pconfig['greif']); ?>" />
 <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>" />
 <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" />
+ <input name="referer" type="hidden" value="<?=$referer;?>" />
 <?php if (isset($id) && $a_gres[$id]): ?>
 <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" />
 <?php endif; ?>
diff --git a/usr/local/www/interfaces_lagg_edit.php b/usr/local/www/interfaces_lagg_edit.php
index fdf9b08..9cef07b 100644
--- a/usr/local/www/interfaces_lagg_edit.php
+++ b/usr/local/www/interfaces_lagg_edit.php
@@ -41,7 +41,11 @@ require("guiconfig.inc");
-$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/interfaces_lagg.php');
+if (isset($_POST['referer'])) {
+ $referer = $_POST['referer'];
+} else {
+ $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/interfaces_lagg.php');
+}
 if (!is_array($config['laggs']['lagg']))
 $config['laggs']['lagg'] = array();
@@ -234,6 +238,7 @@ include("head.inc");
 <input type="hidden" name="laggif" value="<?=htmlspecialchars($pconfig['laggif']); ?>" />
 <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" />
 <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" />
+ <input name="referer" type="hidden" value="<?=$referer;?>" />
 <?php if (isset($id) && $a_laggs[$id]): ?>
 <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" />
 <?php endif; ?>
diff --git a/usr/local/www/interfaces_ppps_edit.php b/usr/local/www/interfaces_ppps_edit.php
index a0a432f..2ab9997 100644
--- a/usr/local/www/interfaces_ppps_edit.php
+++ b/usr/local/www/interfaces_ppps_edit.php
@@ -46,7 +46,11 @@ require("guiconfig.inc");
 require("functions.inc");
-$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/interfaces_ppps.php');
+if (isset($_POST['referer'])) {
+ $referer = $_POST['referer'];
+} else {
+ $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/interfaces_ppps.php');
+}
 define("CRON_MONTHLY_PATTERN", "0 0 1 * *");
 define("CRON_WEEKLY_PATTERN", "0 0 * * 0");
@@ -244,17 +248,19 @@ if ($_POST) {
 $input_errors[] = gettext("A valid PPPoE reset year must be specified. Don't select a year in the past!");
 }
- foreach($_POST['interfaces'] as $iface){
- if ($_POST['localip'][$iface] && !is_ipaddr($_POST['localip'][$iface]))
- $input_errors[] = sprintf(gettext("A valid local IP address must be specified for %s."),$iface);
- if ($_POST['gateway'][$iface] && !is_ipaddr($_POST['gateway'][$iface]) && !is_hostname($_POST['gateway'][$iface]))
- $input_errors[] = sprintf(gettext("A valid gateway IP address OR hostname must be specified for %s."),$iface);
- if ($_POST['bandwidth'][$iface] && !is_numericint($_POST['bandwidth'][$iface]))
- $input_errors[] = sprintf(gettext("The bandwidth value for %s must be an integer."),$iface);
- if ($_POST['mtu'][$iface] && ($_POST['mtu'][$iface] < 576))
- $input_errors[] = sprintf(gettext("The MTU for %s must be greater than 576 bytes."),$iface);
- if ($_POST['mru'][$iface] && ($_POST['mru'][$iface] < 576))
- $input_errors[] = sprintf(gettext("The MRU for %s must be greater than 576 bytes."),$iface);
+ if (is_array($_POST['interfaces'])) {
+ foreach($_POST['interfaces'] as $iface){
+ if ($_POST['localip'][$iface] && !is_ipaddr($_POST['localip'][$iface]))
+ $input_errors[] = sprintf(gettext("A valid local IP address must be specified for %s."),$iface);
+ if ($_POST['gateway'][$iface] && !is_ipaddr($_POST['gateway'][$iface]) && !is_hostname($_POST['gateway'][$iface]))
+ $input_errors[] = sprintf(gettext("A valid gateway IP address OR hostname must be specified for %s."),$iface);
+ if ($_POST['bandwidth'][$iface] && !is_numericint($_POST['bandwidth'][$iface]))
+ $input_errors[] = sprintf(gettext("The bandwidth value for %s must be an integer."),$iface);
+ if ($_POST['mtu'][$iface] && ($_POST['mtu'][$iface] < 576))
+ $input_errors[] = sprintf(gettext("The MTU for %s must be greater than 576 bytes."),$iface);
+ if ($_POST['mru'][$iface] && ($_POST['mru'][$iface] < 576))
+ $input_errors[] = 
sprintf(gettext("The MRU for %s must be greater than 576 bytes."),$iface);
+ }
 }
 /*
@@ -442,7 +448,12 @@ $types = array("select" => gettext("Select"), "ppp" => "PPP", "pppoe" => "PPPoE"
 if (!is_dir("/var/spool/lock"))
 mwexec("/bin/mkdir -p /var/spool/lock");
 // $serialports = pfSense_get_modem_devices();
- $serialports = glob("/dev/cua?[0-9]{,.[0-9]}", GLOB_BRACE);
+ // Match files in /dev starting with "cua" then:
+ // [a-zA-Z] = any single alpha character e.g. like "cuau"
+ // [0-9] = a digit from 0 to 9
+ // stuff in {} = the various possible digit and dot combinations to allow an optional 2nd digit, dot, followed by 1 or 2 optional digits
+ // This supports up to 100 device numbers (0 to 99), e.g. cuau0 cuau1 ... cuau10 cuau11 ... cuau99 and also possibilities like cuau1.1 cuau1.11 cuau11.1 cuau11.11
+ $serialports = glob("/dev/cua[a-zA-Z][0-9]{,.[0-9],.[0-9][0-9],[0-9],[0-9].[0-9],[0-9].[0-9][0-9]}", GLOB_BRACE);
 $serport_count = 0;
 foreach ($serialports as $port) {
 $serport_count++;
@@ -794,6 +805,7 @@ $types = array("select" => gettext("Select"), "ppp" => "PPP", "pppoe" => "PPPoE"
 <td width="78%">
 <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" />
 <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" />
+ <input name="referer" type="hidden" value="<?=$referer;?>" />
 <input name="ptpid" type="hidden" value="<?=htmlspecialchars($pconfig['ptpid']);?>" />
 <?php if (isset($id) && $a_ppps[$id]): ?>
 <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" />
diff --git a/usr/local/www/interfaces_qinq.php b/usr/local/www/interfaces_qinq.php
index 78cd46c..2c6775d 100644
--- a/usr/local/www/interfaces_qinq.php
+++ b/usr/local/www/interfaces_qinq.php
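Review bot: The MTU and MRU checks in the re-indented validation loop still compare the raw POST string against 576 without first requiring an integer, unlike the bandwidth check two lines above, so a non-numeric value is either accepted or rejected depending on PHP's loose string/int comparison rules rather than on an explicit test. Mirror the bandwidth line: `if ($_POST['mtu'][$iface] && (!is_numericint($_POST['mtu'][$iface]) || $_POST['mtu'][$iface] < 576))` and the same for `mru`; the message text "greater than 576" also does not match the `< 576` condition, which lets 576 through. The enclosing `if ($_POST)` block starts outside the hunk.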
@@ -65,8 +65,6 @@ if ($_GET['act'] == "del") {
 /* check if still in use */
 if (qinq_inuse($id)) {
 $input_errors[] = gettext("This QinQ cannot be deleted because it is still being used as an interface.");
- } elseif (empty($a_qinqs[$id]['vlanif']) || !does_interface_exist($a_qinqs[$id]['vlanif'])) {
- $input_errors[] = gettext("QinQ interface does not exist");
 } else {
 $qinq =& $a_qinqs[$id];
diff --git a/usr/local/www/interfaces_vlan_edit.php b/usr/local/www/interfaces_vlan_edit.php
index 4395d12..5b7d544 100644
--- a/usr/local/www/interfaces_vlan_edit.php
+++ b/usr/local/www/interfaces_vlan_edit.php
@@ -42,7 +42,11 @@ require("guiconfig.inc");
-$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/interfaces_vlan.php');
+if (isset($_POST['referer'])) {
+ $referer = $_POST['referer'];
+} else {
+ $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/interfaces_vlan.php');
+}
 if (!is_array($config['vlans']['vlan']))
 $config['vlans']['vlan'] = array();
@@ -202,6 +206,7 @@ include("head.inc");
 <input type="hidden" name="vlanif" value="<?=htmlspecialchars($pconfig['vlanif']); ?>" />
 <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>" />
 <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" />
+ <input name="referer" type="hidden" value="<?=$referer;?>" />
 <?php if (isset($id) && $a_vlans[$id]): ?>
 <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" />
 <?php endif; ?>
diff --git a/usr/local/www/interfaces_wireless_edit.php b/usr/local/www/interfaces_wireless_edit.php
index 6a7f7b7..3f4490d 100644
--- a/usr/local/www/interfaces_wireless_edit.php
+++ b/usr/local/www/interfaces_wireless_edit.php
@@ -41,7 +41,11 @@ require("guiconfig.inc");
-$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/interfaces_wireless.php');
+if (isset($_POST['referer'])) {
+ $referer = $_POST['referer'];
+} else {
+ $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/interfaces_wireless.php');
+}
 if (!is_array($config['wireless']))
 $config['wireless'] = array();
@@ -200,6 +204,7 @@ include("head.inc");
 <input type="hidden" name="cloneif" value="<?=htmlspecialchars($pconfig['cloneif']); ?>" />
 <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>" />
 <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" />
+ <input name="referer" type="hidden" value="<?=$referer;?>" />
 <?php if (isset($id) && $a_clones[$id]): ?>
 <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" />
 <?php endif; ?>
diff --git a/usr/local/www/javascript/NetUtils.js b/usr/local/www/javascript/NetUtils.js
deleted file mode 100644
index b1c9ffb..0000000
--- a/usr/local/www/javascript/NetUtils.js
+++ /dev/null
@@ -1,114 +0,0 @@ -/* - NetUtils.js - part of pfSense (https://www.pfsense.org) - Various helper functions for IPv6 support. - - Copyright (C) 2007 Simon Cornelius P. Umacob <simoncpu@gmail.com> - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. 
- -*/ - -function NetUtils_changeIPVersionMask(field, version) { - switch(version){ - case 'IPv4': - NetUtils_clearOptions(document.getElementById(field)); - NetUtils_loadMaskIPv4(document.getElementById(field), 32); - - break; - case 'IPv6': - NetUtils_clearOptions(document.getElementById(field)); - NetUtils_loadMaskIPv6(document.getElementById(field), 64); - - break; - case 'IPv4_net': - NetUtils_clearOptions(document.getElementById(field)); - NetUtils_loadMaskIPv4(document.getElementById(field), 32, 1, 31); - - break; - case 'IPv6_net': - NetUtils_clearOptions(document.getElementById(field)); - NetUtils_loadMaskIPv6(document.getElementById(field), 64, 1, 63); - - break; - } -} - -function NetUtils_clearOptions(obj) { - var len = obj.length; - - for (var i = 0; i < len; i++) { - obj[0] = null; - } -} - -function NetUtils_loadMaskIPv4(obj, sel, min, max) { - var min, - max, - j = 0; - - min = min == undefined ? 1 : min; - max = max == undefined ? 32 : max; - - for (var i = max; i >= min; i--) { - obj[j] = new Option(i, i); - if (sel == i) { - obj[j].selected = true; - } - j++; - } -} - -function NetUtils_loadMaskIPv6(obj, sel, min, max) { - var min, - max, - j = 0; - - min = min == undefined ? 1 : min; - max = max == undefined ? 64 : max; - - if ((max % 4) != 0) { - obj[j++] = new Option(max, max); - - /** - * NOTE: This solution is a kludge. - * If you have a better way, don't hesitate - * to change this. Please send patches. :) - */ - for (var i = 1; i <= 3; i++) { - if (((max - i) % 4) == 0) { - max = max - i; - break; - } - } - } - - for (var i = max; i >= min; i -= 4) { - obj[j] = new Option(i, i); - if (sel == i) { - obj[j].selected = true; - } - j++; - } -} - diff --git a/usr/local/www/load_balancer_monitor_edit.php b/usr/local/www/load_balancer_monitor_edit.php index 280244b..bed35d8 100644 --- a/usr/local/www/load_balancer_monitor_edit.php +++ b/usr/local/www/load_balancer_monitor_edit.php 
@@ -42,7 +42,11 @@ require("guiconfig.inc");
-$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/load_balancer_monitor.php');
+if (isset($_POST['referer'])) {
+ $referer = $_POST['referer'];
+} else {
+ $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/load_balancer_monitor.php');
+}
 if (!is_array($config['load_balancer']['monitor_type'])) {
 $config['load_balancer']['monitor_type'] = array();
@@ -360,6 +364,7 @@ function updateType(t){
 <td width="78%">
 <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" />
 <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" />
+ <input name="referer" type="hidden" value="<?=$referer;?>" />
 <?php if (isset($id) && $a_monitor[$id]): ?>
 <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" />
 <?php endif; ?>
diff --git a/usr/local/www/load_balancer_pool_edit.php b/usr/local/www/load_balancer_pool_edit.php
index d397ad8..457087b 100644
--- a/usr/local/www/load_balancer_pool_edit.php
+++ b/usr/local/www/load_balancer_pool_edit.php
@@ -44,7 +44,11 @@ require("guiconfig.inc");
 require_once("filter.inc");
 require_once("util.inc");
-$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/load_balancer_pool.php');
+if (isset($_POST['referer'])) {
+ $referer = $_POST['referer'];
+} else {
+ $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/load_balancer_pool.php');
+}
 if (!is_array($config['load_balancer']['lbpool'])) {
 $config['load_balancer']['lbpool'] = array();
@@ -336,6 +340,7 @@ if (is_array($pconfig['servers'])) {
 <br />
 <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" onclick="AllServers('serversSelect', true); AllServers('serversDisabledSelect', true);" />
 <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" />
+ <input name="referer" type="hidden" value="<?=$referer;?>" />
 <?php if (isset($id) && $a_pool[$id] && $_GET['act'] != 'dup'): ?>
 <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" />
 <?php endif; ?>
diff --git a/usr/local/www/load_balancer_virtual_server_edit.php b/usr/local/www/load_balancer_virtual_server_edit.php
index 102b520..8e6ffe8 100644
--- a/usr/local/www/load_balancer_virtual_server_edit.php
+++ b/usr/local/www/load_balancer_virtual_server_edit.php
@@ -43,7 +43,11 @@ require("guiconfig.inc");
-$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/load_balancer_virtual_server.php');
+if (isset($_POST['referer'])) {
+ $referer = $_POST['referer'];
+} else {
+ $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/load_balancer_virtual_server.php');
+}
 if (!is_array($config['load_balancer']['virtual_server'])) {
 $config['load_balancer']['virtual_server'] = array();
@@ -59,7 +63,7 @@ if (isset($id) && $a_vs[$id]) {
 $pconfig = $a_vs[$id];
 } else {
 // Sane defaults
- $pconfig['mode'] = 'redirect';
+ $pconfig['mode'] = 'redirect_mode';
 }
 $changedesc = gettext("Load Balancer: Virtual Server:") . " ";
@@ -71,12 +75,12 @@ if ($_POST) {
 /* input validation */
 switch($pconfig['mode']) {
- case "redirect": {
+ case "redirect_mode": {
 $reqdfields = explode(" ", "ipaddr name mode");
 $reqdfieldsn = array(gettext("IP Address"),gettext("Name"),gettext("Mode"));
 break;
 }
- case "relay": {
+ case "relay_mode": {
 $reqdfields = explode(" ", "ipaddr name mode relay_protocol");
 $reqdfieldsn = array(gettext("IP Address"),gettext("Name"),gettext("Relay Protocol"));
 break;
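Review bot: Renaming the `case` labels to `"redirect_mode"` and `"relay_mode"` means a POST whose `mode` still carries the old `"redirect"`/`"relay"` value (an older browser tab, or a stored entry if nothing in this commit migrates `config.xml`) matches neither branch, so `$reqdfields`/`$reqdfieldsn` stay unset and `do_input_validation()` runs with no required fields; I cannot see from the hunk whether an upgrade step handles stored values. Accepting both spellings costs one line per branch, `case "redirect": case "redirect_mode": {` and `case "relay": case "relay_mode": {`, or add a `default:` that records an input error for an unknown mode. The `switch` and the rest of the `if ($_POST)` block continue outside the hunk.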
@@ -281,6 +285,7 @@ include("head.inc");
 <td align="left" valign="bottom" width="78%">
 <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Submit"); ?>" />
 <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" />
+ <input name="referer" type="hidden" value="<?=$referer;?>" />
 <?php if (isset($id) && $a_vs[$id] && $_GET['act'] != 'dup'): ?>
 <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" />
 <?php endif; ?>
diff --git a/usr/local/www/services_captiveportal.php b/usr/local/www/services_captiveportal.php
index 6145949..303c53e 100644
--- a/usr/local/www/services_captiveportal.php
+++ b/usr/local/www/services_captiveportal.php
@@ -984,7 +984,7 @@ function enable_change(enable_change) {
 if ($pconfig['certref'] == $cert['refid'])
 $selected = " selected=\"selected\"";
 ?>
- <option value="<?=$cert['refid'];?>"<?=$selected;?>><?=$cert['descr'];?></option>
+ <option value="<?=$cert['refid'];?>"<?=$selected;?>><?=htmlspecialchars($cert['descr']);?></option>
 <?php endforeach; ?>
 </select>
 <?php else: ?>
diff --git a/usr/local/www/services_captiveportal_vouchers.php b/usr/local/www/services_captiveportal_vouchers.php
index 2f02802..5b807d9 100644
--- a/usr/local/www/services_captiveportal_vouchers.php
+++ b/usr/local/www/services_captiveportal_vouchers.php
@@ -49,7 +49,11 @@ require("shaper.inc");
 require("captiveportal.inc");
 require_once("voucher.inc");
-$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/services_captiveportal_vouchers.php');
+if (isset($_POST['referer'])) {
+ $referer = $_POST['referer'];
+} else {
+ $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/services_captiveportal_vouchers.php');
+}
 $cpzone = $_GET['zone'];
 if (isset($_POST['zone']))
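Review bot: The `<option>` line now escapes `$cert['descr']` but still emits `$cert['refid']` raw into the `value` attribute; `refid` is presumably system-generated, so the exposure is small, but escaping both keeps the line consistent and removes the need to reason about where `refid` comes from: `<option value="<?=htmlspecialchars($cert['refid']);?>"<?=$selected;?>><?=htmlspecialchars($cert['descr']);?></option>`. The surrounding `foreach` starts outside the hunk.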
@@ -637,6 +641,7 @@ function enable_change(enable_change) {
 <input type="hidden" name="exponent" id="exponent" value="<?=$pconfig['exponent'];?>" />
 <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" onclick="enable_change(true); before_save();" />
 <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" />
+ <input name="referer" type="hidden" value="<?=$referer;?>" />
 </td>
 </tr>
 <tr>
diff --git a/usr/local/www/services_dhcp.php b/usr/local/www/services_dhcp.php
index b80cce5..294d2f4 100644
--- a/usr/local/www/services_dhcp.php
+++ b/usr/local/www/services_dhcp.php
@@ -992,10 +992,10 @@ include("head.inc");
 <tr>
 <td width="22%" valign="top" class="vncell"><?=gettext("Dynamic DNS");?></td>
 <td width="78%" class="vtable">
- <div id="showddnsbox">
+ <div id="showddnsbox" <?php if ($pconfig['ddnsupdate'] || !empty($pconfig['ddnsdomain']) || !empty($pconfig['ddnsdomainprimary']) || !empty($pconfig['ddnsdomainkeyname']) || !empty($pconfig['ddnsdomainkey'])) echo "style='display:none'"; ?>>
 <input type="button" onclick="show_ddns_config()" value="<?=gettext("Advanced");?>" /> - <?=gettext("Show Dynamic DNS");?>
 </div>
- <div id="showddns" style="display:none">
+ <div id="showddns" <?php if (!$pconfig['ddnsupdate'] && empty($pconfig['ddnsdomain']) && empty($pconfig['ddnsdomainprimary']) && empty($pconfig['ddnsdomainkeyname']) && empty($pconfig['ddnsdomainkey'])) echo "style='display:none'"; ?>>
 <input style="vertical-align:middle" type="checkbox" value="yes" name="ddnsupdate" id="ddnsupdate" <?php if($pconfig['ddnsupdate']) echo " checked=\"checked\""; ?> />
 <b><?=gettext("Enable registration of DHCP client names in DNS.");?></b><br />
 <br/>
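Review bot: Each "show/hide" pair in services_dhcp.php now repeats a long condition twice, once positive on the `*box` div and once hand-negated on the content div, which is easy to drift apart on a later edit (the pairs at -1014, -1028, -1040, -1052, -1064 and -1117 have the same shape). Compute the boolean once just before the markup, `<?php $ddns_shown = $pconfig['ddnsupdate'] || !empty($pconfig['ddnsdomain']) || !empty($pconfig['ddnsdomainprimary']) || !empty($pconfig['ddnsdomainkeyname']) || !empty($pconfig['ddnsdomainkey']); ?>`, and use `<?php if ($ddns_shown) echo "style='display:none'"; ?>` and `<?php if (!$ddns_shown) echo "style='display:none'"; ?>` on the two divs, so the negation is by construction rather than by hand.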
@@ -1014,10 +1014,10 @@ include("head.inc");
 <tr>
 <td width="22%" valign="top" class="vncell"><?=gettext("MAC Address Control");?></td>
 <td width="78%" class="vtable">
- <div id="showmaccontrolbox">
+ <div id="showmaccontrolbox" <?php if (!empty($pconfig['mac_allow']) || !empty($pconfig['mac_deny'])) echo "style='display:none'"; ?>>
 <input type="button" onclick="show_maccontrol_config()" value="<?=gettext("Advanced");?>" /> - <?=gettext("Show MAC Address Control");?>
 </div>
- <div id="showmaccontrol" style="display:none">
+ <div id="showmaccontrol" <?php if (empty($pconfig['mac_allow']) && empty($pconfig['mac_deny'])) echo "style='display:none'"; ?>>
 <input name="mac_allow" type="text" class="formfld unknown" id="mac_allow" size="20" value="<?=htmlspecialchars($pconfig['mac_allow']);?>" /><br />
 <?=gettext("Enter a list of partial MAC addresses to allow, comma separated, no spaces, such as ");?>00:00:00,01:E5:FF<br />
 <input name="mac_deny" type="text" class="formfld unknown" id="mac_deny" size="20" value="<?=htmlspecialchars($pconfig['mac_deny']);?>" /><br />
@@ -1028,10 +1028,10 @@ include("head.inc");
 <tr>
 <td width="22%" valign="top" class="vncell"><?=gettext("NTP servers");?></td>
 <td width="78%" class="vtable">
- <div id="showntpbox">
+ <div id="showntpbox" <?php if (!empty($pconfig['ntp1']) || !empty($pconfig['ntp2'])) echo "style='display:none'"; ?>>
 <input type="button" onclick="show_ntp_config()" value="<?=gettext("Advanced");?>" /> - <?=gettext("Show NTP configuration");?>
 </div>
- <div id="showntp" style="display:none">
+ <div id="showntp" <?php if (empty($pconfig['ntp1']) && empty($pconfig['ntp2'])) echo "style='display:none'"; ?>>
 <input name="ntp1" type="text" class="formfld unknown" id="ntp1" size="20" value="<?=htmlspecialchars($pconfig['ntp1']);?>" /><br />
 <input name="ntp2" type="text" class="formfld unknown" id="ntp2" size="20" value="<?=htmlspecialchars($pconfig['ntp2']);?>" />
 </div>
@@ -1040,10 +1040,10 @@ include("head.inc");
 <tr>
 <td width="22%" valign="top" class="vncell"><?=gettext("TFTP server");?></td>
 <td width="78%" class="vtable">
- <div id="showtftpbox">
+ <div id="showtftpbox" <?php if (!empty($pconfig['tftp'])) echo "style='display:none'"; ?>>
 <input type="button" onclick="show_tftp_config()" value="<?=gettext("Advanced");?>" /> - <?=gettext("Show TFTP configuration");?>
 </div>
- <div id="showtftp" style="display:none">
+ <div id="showtftp" <?php if (empty($pconfig['tftp'])) echo "style='display:none'"; ?>>
 <input name="tftp" type="text" class="formfld unknown" id="tftp" size="50" value="<?=htmlspecialchars($pconfig['tftp']);?>" /><br />
 <?=gettext("Leave blank to disable. Enter a full hostname or IP for the TFTP server.");?>
 </div>
@@ -1052,10 +1052,10 @@ include("head.inc");
 <tr>
 <td width="22%" valign="top" class="vncell"><?=gettext("LDAP URI");?></td>
 <td width="78%" class="vtable">
- <div id="showldapbox">
+ <div id="showldapbox" <?php if (!empty($pconfig['ldap'])) echo "style='display:none'"; ?>>
 <input type="button" onclick="show_ldap_config()" value="<?=gettext("Advanced");?>" /> - <?=gettext("Show LDAP configuration");?>
 </div>
- <div id="showldap" style="display:none">
+ <div id="showldap" <?php if (empty($pconfig['ldap'])) echo "style='display:none'"; ?>>
 <input name="ldap" type="text" class="formfld unknown" id="ldap" size="80" value="<?=htmlspecialchars($pconfig['ldap']);?>" /><br />
 <?=gettext("Leave blank to disable. Enter a full URI for the LDAP server in the form ldap://ldap.example.com/dc=example,dc=com");?>
 </div>
@@ -1064,10 +1064,10 @@ include("head.inc");
 <tr>
 <td width="22%" valign="top" class="vncell"><?=gettext("Enable network booting");?></td>
 <td width="78%" class="vtable">
- <div id="shownetbootbox">
+ <div id="shownetbootbox" <?php if ($pconfig['netboot'] || !empty($pconfig['nextserver']) || !empty($pconfig['filename']) || !empty($pconfig['filename32']) || !empty($pconfig['filename64']) || !empty($pconfig['rootpath'])) echo "style='display:none'"; ?>>
 <input type="button" onclick="show_netboot_config()" value="<?=gettext("Advanced");?>" /> - <?=gettext("Show Network booting");?>
 </div>
- <div id="shownetboot" style="display:none">
+ <div id="shownetboot" <?php if (!$pconfig['netboot'] && empty($pconfig['nextserver']) && empty($pconfig['filename']) && empty($pconfig['filename32']) && empty($pconfig['filename64']) && empty($pconfig['rootpath'])) echo "style='display:none'"; ?>>
 <input style="vertical-align:middle" type="checkbox" value="yes" name="netboot" id="netboot" <?php if($pconfig['netboot']) echo " checked=\"checked\""; ?> />
 <b><?=gettext("Enables network booting.");?></b>
 <br/>
@@ -1117,10 +1117,10 @@ include("head.inc");
 <tr>
 <td width="22%" valign="top" class="vncell"><?=gettext("Additional BOOTP/DHCP Options");?></td>
 <td width="78%" class="vtable">
- <div id="shownumbervaluebox">
+ <div id="shownumbervaluebox" <?php if (!empty($pconfig['numberoptions'])) echo "style='display:none'"; ?>>
 <input type="button" onclick="show_shownumbervalue()" value="<?=gettext("Advanced");?>" /> - <?=gettext("Show Additional BOOTP/DHCP Options");?>
 </div>
- <div id="shownumbervalue" style="display:none">
+ <div id="shownumbervalue" <?php if (empty($pconfig['numberoptions'])) echo "style='display:none'"; ?>>
 <table id="maintable" summary="bootp-dhcp options">
 <tbody>
 <tr>
diff --git a/usr/local/www/services_dhcp_edit.php b/usr/local/www/services_dhcp_edit.php
index 840b526..457f684 100644
--- a/usr/local/www/services_dhcp_edit.php
+++ b/usr/local/www/services_dhcp_edit.php
@@ -60,7 +60,11 @@ if(!$g['services_dhcp_server_enable']) {
 require("guiconfig.inc");
-$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/services_dhcp.php');
+if (isset($_POST['referer'])) {
+ $referer = $_POST['referer'];
+} else {
+ $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/services_dhcp.php');
+}
 $if = $_GET['if'];
 if ($_POST['if'])
@@ -548,6 +552,7 @@ include("head.inc");
 <td width="78%">
 <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>" />
 <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" />
+ <input name="referer" type="hidden" value="<?=$referer;?>" />
 <?php if (isset($id) && $a_maps[$id]): ?>
 <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" />
 <?php endif; ?>
diff --git a/usr/local/www/services_dhcpv6_edit.php b/usr/local/www/services_dhcpv6_edit.php
index 76993e6..c21d525 100644
--- a/usr/local/www/services_dhcpv6_edit.php
+++ b/usr/local/www/services_dhcpv6_edit.php
@@ -54,7 +54,11 @@ function staticmaps_sort($ifgui) {
 require_once('globals.inc');
-$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/services_dhcpv6.php');
+if (isset($_POST['referer'])) {
+ $referer = $_POST['referer'];
+} else {
+ $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/services_dhcpv6.php');
+}
 if(!$g['services_dhcp_server_enable']) {
 header("Location: /");
@@ -248,6 +252,7 @@ include("head.inc");
 <td width="78%">
 <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>" />
 <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" />
+ <input name="referer" type="hidden" value="<?=$referer;?>" />
 <?php if (isset($id) && $a_maps[$id]): ?>
 <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" />
 <?php endif; ?>
diff --git a/usr/local/www/services_dnsmasq_domainoverride_edit.php b/usr/local/www/services_dnsmasq_domainoverride_edit.php
index d2c3181..7ac137d 100644
--- a/usr/local/www/services_dnsmasq_domainoverride_edit.php
+++ b/usr/local/www/services_dnsmasq_domainoverride_edit.php
@@ -41,7 +41,11 @@ require("guiconfig.inc");
-$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/services_dnsmasq.php');
+if (isset($_POST['referer'])) {
+ $referer = $_POST['referer'];
+} else {
+ $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/services_dnsmasq.php');
+}
 if (!is_array($config['dnsmasq']['domainoverrides'])) {
 $config['dnsmasq']['domainoverrides'] = array();
@@ -163,6 +167,7 @@ include("head.inc");
 <td width="78%">
 <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>" />
 <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" />
+ <input name="referer" type="hidden" value="<?=$referer;?>" />
 <?php if (isset($id) && $a_domainOverrides[$id]): ?>
 <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" />
 <?php endif; ?>
diff --git a/usr/local/www/services_dnsmasq_edit.php b/usr/local/www/services_dnsmasq_edit.php
index d8d168a..3efc4d1 100644
--- a/usr/local/www/services_dnsmasq_edit.php
+++ b/usr/local/www/services_dnsmasq_edit.php
@@ -55,7 +55,11 @@ function hosts_sort() {
 require("guiconfig.inc");
-$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/services_dnsmasq.php');
+if (isset($_POST['referer'])) {
+ $referer = $_POST['referer'];
+} else {
+ $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/services_dnsmasq.php');
+}
 if (!is_array($config['dnsmasq']['hosts']))
 $config['dnsmasq']['hosts'] = array();
@@ -304,6 +308,7 @@ include("head.inc"); <td width="78%"> <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>" /> <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" /> + <input name="referer" type="hidden" value="<?=$referer;?>" /> <?php if (isset($id) && $a_hosts[$id]): ?> <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" /> <?php endif; ?> diff --git a/usr/local/www/services_unbound_acls.php b/usr/local/www/services_unbound_acls.php index 7a1af28..50a8dbb 100644 --- a/usr/local/www/services_unbound_acls.php +++ b/usr/local/www/services_unbound_acls.php @@ -33,7 +33,11 @@ require("guiconfig.inc"); require("unbound.inc"); -$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/services_unbound_acls.php'); +if (isset($_POST['referer'])) { + $referer = $_POST['referer']; +} else { + $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/services_unbound_acls.php'); +} if (!is_array($config['unbound']['acls'])) { $config['unbound']['acls'] = array(); @@ -315,6 +319,7 @@ include("head.inc"); <br /> <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" /> <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" /> + <input name="referer" type="hidden" value="<?=$referer;?>" /> </td> </tr> </table> diff --git a/usr/local/www/services_unbound_domainoverride_edit.php b/usr/local/www/services_unbound_domainoverride_edit.php index 821823b..82d5050 100644 --- a/usr/local/www/services_unbound_domainoverride_edit.php +++ b/usr/local/www/services_unbound_domainoverride_edit.php 
@@ -43,7 +43,11 @@ require("guiconfig.inc"); -$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/services_unbound.php'); +if (isset($_POST['referer'])) { + $referer = $_POST['referer']; +} else { + $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/services_unbound.php'); +} if (!is_array($config['unbound']['domainoverrides'])) $config['unbound']['domainoverrides'] = array(); @@ -158,6 +162,7 @@ include("head.inc"); <td width="78%"> <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>" /> <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" /> + <input name="referer" type="hidden" value="<?=$referer;?>" /> <?php if (isset($id) && $a_domainOverrides[$id]): ?> <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" /> <?php endif; ?> diff --git a/usr/local/www/services_unbound_host_edit.php b/usr/local/www/services_unbound_host_edit.php index 5c20e6c..52d7d80 100644 --- a/usr/local/www/services_unbound_host_edit.php +++ b/usr/local/www/services_unbound_host_edit.php @@ -42,7 +42,11 @@ ##|*MATCH=services_unbound_host_edit.php* ##|-PRIV -$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/services_unbound.php'); +if (isset($_POST['referer'])) { + $referer = $_POST['referer']; +} else { + $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/services_unbound.php'); +} function hostcmp($a, $b) { return strcasecmp($a['host'], $b['host']); 
@@ -309,6 +313,7 @@ include("head.inc"); <td width="78%"> <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>" /> <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" /> + <input name="referer" type="hidden" value="<?=$referer;?>" /> <?php if (isset($id) && $a_hosts[$id]): ?> <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" /> <?php endif; ?> diff --git a/usr/local/www/services_wol_edit.php b/usr/local/www/services_wol_edit.php index da43c6f..e882427 100644 --- a/usr/local/www/services_wol_edit.php +++ b/usr/local/www/services_wol_edit.php @@ -52,7 +52,11 @@ function wol_sort() { require("guiconfig.inc"); -$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/services_wol.php'); +if (isset($_POST['referer'])) { + $referer = $_POST['referer']; +} else { + $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/services_wol.php'); +} if (!is_array($config['wol']['wolentry'])) { $config['wol']['wolentry'] = array(); @@ -160,6 +164,7 @@ include("head.inc"); <td width="78%"> <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>" /> <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" /> + <input name="referer" type="hidden" value="<?=$referer;?>" /> <?php if (isset($id) && $a_wol[$id]): ?> <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" /> <?php endif; ?> diff --git a/usr/local/www/system_advanced_admin.php b/usr/local/www/system_advanced_admin.php index 3f35cc2..d898054 100644 --- a/usr/local/www/system_advanced_admin.php +++ b/usr/local/www/system_advanced_admin.php 
@@ -342,7 +342,7 @@ function prot_change() { if ($pconfig['ssl-certref'] == $cert['refid']) $selected = "selected=\"selected\""; ?> - <option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['descr'];?></option> + <option value="<?=$cert['refid'];?>" <?=$selected;?>><?=htmlspecialchars($cert['descr']);?></option> <?php endforeach; if (!count($a_cert)) diff --git a/usr/local/www/system_advanced_sysctl.php b/usr/local/www/system_advanced_sysctl.php index 3b0a7bf..a63271e 100644 --- a/usr/local/www/system_advanced_sysctl.php +++ b/usr/local/www/system_advanced_sysctl.php @@ -45,7 +45,11 @@ require("guiconfig.inc"); -$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/system_advanced_sysctl.php'); +if (isset($_POST['referer'])) { + $referer = $_POST['referer']; +} else { + $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/system_advanced_sysctl.php'); +} if (!is_array($config['sysctl'])) $config['sysctl'] = array(); @@ -272,6 +276,7 @@ include("head.inc"); <td width="78%"> <input id="submit" name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" /> <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" /> + <input name="referer" type="hidden" value="<?=$referer;?>" /> <?php if (isset($id) && $a_tunable[$id]): ?> <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" /> <?php endif; ?> diff --git a/usr/local/www/system_authservers.php b/usr/local/www/system_authservers.php index 2588dda..a58ef0e 100644 --- a/usr/local/www/system_authservers.php +++ b/usr/local/www/system_authservers.php 
@@ -540,7 +540,7 @@ function select_clicked() { if ($pconfig['ldap_caref'] == $ca['refid']) $selected = "selected=\"selected\""; ?> - <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['descr'];?></option> + <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=htmlspecialchars($ca['descr']);?></option> <?php endforeach; ?> </select> <br /><span><?=gettext("This option is used if 'SSL Encrypted' option is choosen.");?> <br /> diff --git a/usr/local/www/system_camanager.php b/usr/local/www/system_camanager.php index cc73b51..4532b27 100644 --- a/usr/local/www/system_camanager.php +++ b/usr/local/www/system_camanager.php @@ -95,7 +95,7 @@ if ($act == "del") { $name = $a_ca[$id]['descr']; unset($a_ca[$id]); write_config(); - $savemsg = sprintf(gettext("Certificate Authority %s and its CRLs (if any) successfully deleted"), $name) . "<br />"; + $savemsg = sprintf(gettext("Certificate Authority %s and its CRLs (if any) successfully deleted"), htmlspecialchars($name)) . "<br />"; pfSenseHeader("system_camanager.php"); exit; } @@ -209,6 +209,10 @@ if ($_POST) { do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); if ($pconfig['method'] != "existing") { /* Make sure we do not have invalid characters in the fields for the certificate */ + if (preg_match("/[\?\>\<\&\/\\\"\']/", $_POST['descr'])) { + array_push($input_errors, "The field 'Descriptive Name' contains invalid characters."); + } + for ($i = 0; $i < count($reqdfields); $i++) { if ($reqdfields[$i] == 'dn_email'){ if (preg_match("/[\!\#\$\%\^\(\)\~\?\>\<\&\/\\\,\"\']/", $_POST["dn_email"])) @@ -455,7 +459,7 @@ function method_change() { if ($pconfig['caref'] == $ca['refid']) $selected = " selected=\"selected\""; ?> - <option value="<?=$ca['refid'];?>"<?=$selected;?>><?=$ca['descr'];?></option> + <option value="<?=$ca['refid'];?>"<?=$selected;?>><?=htmlspecialchars($ca['descr']);?></option> <?php endforeach; ?> </select> </td> 
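Review bot: The new 'Descriptive Name' check in the system_camanager.php `@@ -209` hunk hard-codes an English error string while every neighbouring message goes through `gettext()`, and the identical regex and string are repeated in system_certmanager.php (twice), system_crlmanager.php and wizards/openvpn_wizard.inc. Write it as `array_push($input_errors, gettext("The field 'Descriptive Name' contains invalid characters."));` and move the pattern into one shared validator so the five copies cannot drift. Since this commit also escapes `descr` at every render site, the character blacklist is defence in depth rather than the primary control, and it does reject ordinary characters such as `/`, `&` and `'` in a name, which deserves a one-line comment above the check. The enclosing `if ($_POST)` block starts and ends outside the hunk.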
@@ -614,7 +618,7 @@ function method_change() { $issuer_ca = lookup_ca($ca['caref']); if ($issuer_ca) - $issuer_name = $issuer_ca['descr']; + $issuer_name = htmlspecialchars($issuer_ca['descr']); // TODO : Need gray certificate icon @@ -654,12 +658,12 @@ function method_change() { <tr> <td width="10%"> </td> <td width="20%"><?=gettext("Valid From")?>:</td> - <td width="70%"><?= $startdate ?></td> + <td width="70%"><?= htmlspecialchars($startdate) ?></td> </tr> <tr> <td> </td> <td><?=gettext("Valid Until")?>:</td> - <td><?= $enddate ?></td> + <td><?= htmlspecialchars($enddate) ?></td> </tr> </table> </td> diff --git a/usr/local/www/system_certmanager.php b/usr/local/www/system_certmanager.php index e6c7551..efd13bf 100644 --- a/usr/local/www/system_certmanager.php +++ b/usr/local/www/system_certmanager.php @@ -100,10 +100,9 @@ if ($act == "del") { exit; } - $name = $a_cert[$id]['descr']; unset($a_cert[$id]); write_config(); - $savemsg = sprintf(gettext("Certificate %s successfully deleted"), $name) . "<br />"; + $savemsg = sprintf(gettext("Certificate %s successfully deleted"), htmlspecialchars($a_cert[$id]['descr'])) . "<br />"; pfSenseHeader("system_certmanager.php"); exit; } @@ -296,6 +295,11 @@ if ($_POST) { } /* Make sure we do not have invalid characters in the fields for the certificate */ + + if (preg_match("/[\?\>\<\&\/\\\"\']/", $_POST['descr'])) { + array_push($input_errors, "The field 'Descriptive Name' contains invalid characters."); + } + for ($i = 0; $i < count($reqdfields); $i++) { if (preg_match('/email/', $reqdfields[$i])){ /* dn_email or csr_dn_name */ if (preg_match("/[\!\#\$\%\^\(\)\~\?\>\<\&\/\\\,\"\']/", $_POST[$reqdfields[$i]])) 
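Review bot: In the system_certmanager.php `@@ -100` hunk the deletion message now reads `$a_cert[$id]['descr']` after `unset($a_cert[$id])` has already removed the entry, so `sprintf` receives null (with an undefined-index notice) and the user sees "Certificate  successfully deleted" with no name. Keep the lookup ahead of the unset and escape there: `$name = htmlspecialchars($a_cert[$id]['descr']);` before `unset($a_cert[$id]);`, then `sprintf(gettext("Certificate %s successfully deleted"), $name)`. The surrounding `if ($act == "del")` block starts outside the hunk.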
@@ -422,6 +426,10 @@ if ($_POST) { do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); + if (preg_match("/[\?\>\<\&\/\\\"\']/", $_POST['descr'])) { + array_push($input_errors, "The field 'Descriptive Name' contains invalid characters."); + } + // old way /* make sure this csr and certificate subjects match */ // $subj_csr = csr_get_subject($pconfig['csr'], false); @@ -683,7 +691,7 @@ function internalca_change() { if ($pconfig['caref'] == $ca['refid']) $selected = " selected=\"selected\""; ?> - <option value="<?=$ca['refid'];?>"<?=$selected;?>><?=$ca['descr'];?></option> + <option value="<?=$ca['refid'];?>"<?=$selected;?>><?=htmlspecialchars($ca['descr']);?></option> <?php endforeach; ?> </select> </td> @@ -994,7 +1002,7 @@ function internalca_change() { continue; $ca = lookup_ca($cert['caref']); if ($ca) - $caname = " (CA: {$ca['descr']})"; + $caname = " (CA: " . htmlspecialchars($ca['descr']) . ")"; if ($pconfig['certref'] == $cert['refid']) $selected = " selected=\"selected\""; if (cert_in_use($cert['refid'])) @@ -1002,7 +1010,7 @@ function internalca_change() { if (is_cert_revoked($cert)) $revoked = " *Revoked"; ?> - <option value="<?=$cert['refid'];?>"<?=$selected;?>><?=$cert['descr'] . $caname . $inuse . $revoked;?></option> + <option value="<?=$cert['refid'];?>"<?=$selected;?>><?=htmlspecialchars($cert['descr']) . $caname . $inuse . $revoked;?></option> <?php endforeach; ?> </select> </td> @@ -1110,7 +1118,7 @@ function internalca_change() { $ca = lookup_ca($cert['caref']); if ($ca) - $caname = $ca['descr']; + $caname = htmlspecialchars($ca['descr']); if($cert['prv']) $certimg = "/themes/{$g['theme']}/images/icons/icon_frmfld_cert.png"; diff --git a/usr/local/www/system_crlmanager.php b/usr/local/www/system_crlmanager.php index 8438ede..c1ed823 100644 --- a/usr/local/www/system_crlmanager.php +++ b/usr/local/www/system_crlmanager.php 
@@ -89,7 +89,7 @@ if (!$thiscrl && (($act != "") && ($act != "new"))) { } if ($act == "del") { - $name = $thiscrl['descr']; + $name = htmlspecialchars($thiscrl['descr']); if (crl_in_use($id)) { $savemsg = sprintf(gettext("Certificate Revocation List %s is in use and cannot be deleted"), $name) . "<br />"; } else { @@ -173,19 +173,20 @@ if ($act == "delcert") { pfSenseHeader("system_crlmanager.php"); exit; } - $name = $thiscert['descr']; + $certname = htmlspecialchars($thiscert['descr']); + $crlname = htmlspecialchars($thiscrl['descr']); if (cert_unrevoke($thiscert, $thiscrl)) { - $savemsg = sprintf(gettext("Deleted Certificate %s from CRL %s"), $name, $thiscrl['descr']) . "<br />"; + $savemsg = sprintf(gettext("Deleted Certificate %s from CRL %s"), $certname, $crlname) . "<br />"; openvpn_refresh_crls(); - write_config(sprintf(gettext("Deleted Certificate %s from CRL %s"), $name, $thiscrl['descr'])); + write_config(sprintf(gettext("Deleted Certificate %s from CRL %s"), $certname, $crlname)); } else { - $savemsg = sprintf(gettext("Failed to delete Certificate %s from CRL %s"), $name, $thiscrl['descr']) . "<br />"; + $savemsg = sprintf(gettext("Failed to delete Certificate %s from CRL %s"), $certname, $crlname) . "<br />"; } $act="edit"; } if ($_POST) { - unset($input_errors); + $input_errors = array(); $pconfig = $_POST; /* input validation */ @@ -205,6 +206,10 @@ if ($_POST) { do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); + if (preg_match("/[\?\>\<\&\/\\\"\']/", $pconfig['descr'])) { + array_push($input_errors, "The field 'Descriptive Name' contains invalid characters."); + } + /* if this is an AJAX caller then handle via JSON */ if (isAjax() && is_array($input_errors)) { input_errors2Ajax($input_errors); 
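Review bot: In the `@@ -173` hunk `$certname` and `$crlname` are HTML-escaped once and then reused for both `$savemsg` (an HTML sink) and `write_config(...)` (a configuration-history description), so a description containing `&`, `<` or a quote is stored in the change log as `&amp;`/`&lt;`/`&quot;`. Escape at the HTML output only and keep the raw values for the log, e.g. `write_config(sprintf(gettext("Deleted Certificate %s from CRL %s"), $thiscert['descr'], $thiscrl['descr']));`, applying `htmlspecialchars()` only where `$savemsg` is built. The `if ($act == "delcert")` block this belongs to starts outside the hunk.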
@@ -341,7 +346,7 @@ function method_change() { $selected = "selected=\"selected\""; $rowIndex++; ?> - <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['descr'];?></option> + <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=htmlspecialchars($ca['descr']);?></option> <?php endforeach; if ($rowIndex == 0) echo "<option></option>"; @@ -444,7 +449,7 @@ function method_change() { <table width="100%" border="0" cellpadding="0" cellspacing="0" summary="revoke"> <thead> <tr> - <th width="90%" class="listhdrr" colspan="3"><b><?php echo gettext("Currently Revoked Certificates for CRL") . ': ' . $crl['descr']; ?></b></th> + <th width="90%" class="listhdrr" colspan="3"><b><?php echo gettext("Currently Revoked Certificates for CRL") . ': ' . htmlspecialchars($crl['descr']); ?></b></th> <th width="10%" class="list"></th> </tr> <tr> @@ -465,11 +470,10 @@ function method_change() { </tr> <?php else: foreach($crl['cert'] as $i => $cert): - $name = htmlspecialchars($cert['descr']); ?> <tr> <td class="listlr"> - <?php echo $name; ?> + <?php echo htmlspecialchars($cert['descr']); ?> </td> <td class="listlr"> <?php echo $openssl_crl_status[$cert["reason"]]; ?> @@ -563,8 +567,6 @@ function method_change() { $i = 0; foreach($a_ca as $ca): - $name = htmlspecialchars($ca['descr']); - if($ca['prv']) { $cainternal = "YES"; } else @@ -578,7 +580,7 @@ function method_change() { <img src="<?=$caimg;?>" alt="CA" title="CA" border="0" height="16" width="16" /> </td> <td align="left" valign="middle"> - <?=$name;?> + <?=htmlspecialchars($ca['descr']);?> </td> </tr> </table> 
@@ -586,11 +588,11 @@ function method_change() { <td class="list"> <?php if ($cainternal == "YES"): ?> <a href="system_crlmanager.php?act=new&caref=<?php echo $ca['refid']; ?>"> - <img src="/themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" title="<?php printf(gettext("Add or Import CRL for %s"),$ca['descr']);?>" alt="<?=gettext("add crl");?>" width="17" height="17" border="0" /> + <img src="/themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" title="<?php printf(gettext("Add or Import CRL for %s"),htmlspecialchars($ca['descr']));?>" alt="<?=gettext("add crl");?>" width="17" height="17" border="0" /> </a> <?php else: ?> <a href="system_crlmanager.php?act=new&caref=<?php echo $ca['refid']; ?>&importonly=yes"> - <img src="/themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" title="<?php printf(gettext("Import CRL for %s"),$ca['descr']);?>" alt="<?=gettext("add crl");?>" width="17" height="17" border="0" /> + <img src="/themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" title="<?php printf(gettext("Import CRL for %s"),htmlspecialchars($ca['descr']));?>" alt="<?=gettext("add crl");?>" width="17" height="17" border="0" /> </a> <?php endif; ?> </td> @@ -604,7 +606,7 @@ function method_change() { $inuse = crl_in_use($tmpcrl['refid']); ?> <tr> - <td class="listlr"><?php echo $tmpcrl['descr']; ?></td> + <td class="listlr"><?php echo htmlspecialchars($tmpcrl['descr']); ?></td> <td class="listr"><?php echo ($internal) ? "YES" : "NO"; ?></td> <td class="listr"><?php echo ($internal) ? count($tmpcrl['cert']) : "Unknown (imported)"; ?></td> <td class="listr"><?php echo ($inuse) ? "YES" : "NO"; ?></td> diff --git a/usr/local/www/system_gateway_groups_edit.php b/usr/local/www/system_gateway_groups_edit.php index 11b4dd5..e32992a 100644 --- a/usr/local/www/system_gateway_groups_edit.php +++ b/usr/local/www/system_gateway_groups_edit.php 
@@ -44,7 +44,11 @@ require("guiconfig.inc"); require_once("ipsec.inc"); require_once("vpn.inc"); -$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/system_gateway_groups.php'); +if (isset($_POST['referer'])) { + $referer = $_POST['referer']; +} else { + $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/system_gateway_groups.php'); +} if (!is_array($config['gateways']['gateway_group'])) $config['gateways']['gateway_group'] = array(); @@ -346,6 +350,7 @@ jQuery(function ($) { <td width="78%"> <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>" /> <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" /> + <input name="referer" type="hidden" value="<?=$referer;?>" /> <?php if (isset($id) && $a_gateway_groups[$id]): ?> <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" /> <?php endif; ?> diff --git a/usr/local/www/system_gateways_edit.php b/usr/local/www/system_gateways_edit.php index 8432e60..e4d1565 100644 --- a/usr/local/www/system_gateways_edit.php +++ b/usr/local/www/system_gateways_edit.php @@ -43,7 +43,11 @@ require("guiconfig.inc"); require("pkg-utils.inc"); -$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/system_gateways.php'); +if (isset($_POST['referer'])) { + $referer = $_POST['referer']; +} else { + $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/system_gateways.php'); +} $a_gateways = return_gateways_array(true, false, true); $a_gateways_arr = array(); 
@@ -860,6 +864,7 @@ function enable_change() { <td width="78%"> <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>" onclick="enable_change()" /> <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" /> + <input name="referer" type="hidden" value="<?=$referer;?>" /> <?php if (isset($id) && $a_gateways[$id]): ?> <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" /> <?php endif; ?> diff --git a/usr/local/www/system_hasync.php b/usr/local/www/system_hasync.php index 329b745..ea764d1 100755 --- a/usr/local/www/system_hasync.php +++ b/usr/local/www/system_hasync.php @@ -42,7 +42,11 @@ require("guiconfig.inc"); -$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/system_hasync.php'); +if (isset($_POST['referer'])) { + $referer = $_POST['referer']; +} else { + $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/system_hasync.php'); +} if (!is_array($config['hasync'])) $config['hasync'] = array(); @@ -346,6 +350,7 @@ include("head.inc"); <input name="id" type="hidden" value="0" /> <input name="Submit" type="submit" class="formbtn" value="Save" /> <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" /> + <input name="referer" type="hidden" value="<?=$referer;?>" /> </td> </tr> </table> diff --git a/usr/local/www/system_routes.php b/usr/local/www/system_routes.php index 2e037cd..c4e4fdd 100644 --- a/usr/local/www/system_routes.php +++ b/usr/local/www/system_routes.php 
@@ -138,11 +138,11 @@ if (isset($_POST['del_x'])) { if ($a_routes[$_GET['id']]) { if(isset($a_routes[$_GET['id']]['disabled'])) { unset($a_routes[$_GET['id']]['disabled']); - $changedesc = $changedesc_prefix . gettext("enabled route to") . " " . $a_routes[$id]['network']; + $changedesc = $changedesc_prefix . gettext("enabled route to") . " " . $a_routes[$_GET['id']]['network']; } else { delete_static_route($_GET['id']); $a_routes[$_GET['id']]['disabled'] = true; - $changedesc = $changedesc_prefix . gettext("disabled route to") . " " . $a_routes[$id]['network']; + $changedesc = $changedesc_prefix . gettext("disabled route to") . " " . $a_routes[$_GET['id']]['network']; } if (write_config($changedesc)) diff --git a/usr/local/www/system_routes_edit.php b/usr/local/www/system_routes_edit.php index 43de326..e69829c 100644 --- a/usr/local/www/system_routes_edit.php +++ b/usr/local/www/system_routes_edit.php @@ -45,7 +45,11 @@ require_once("filter.inc"); require_once("util.inc"); require_once("gwlb.inc"); -$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/system_routes.php'); +if (isset($_POST['referer'])) { + $referer = $_POST['referer']; +} else { + $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/system_routes.php'); +} if (!is_array($config['staticroutes']['route'])) $config['staticroutes']['route'] = array(); @@ -334,6 +338,7 @@ include("head.inc"); <?php if (isset($id) && $a_routes[$id]): ?> <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" /> <?php endif; ?> + <input name="referer" type="hidden" value="<?=$referer;?>" /> </td> </tr> </table> diff --git a/usr/local/www/system_usermanager.php b/usr/local/www/system_usermanager.php index 1bc91ad..0744dbb 100644 --- a/usr/local/www/system_usermanager.php +++ b/usr/local/www/system_usermanager.php 
@@ -808,7 +808,7 @@ function sshkeyClicked(obj) { continue; $rowIndex++; ?> - <option value="<?=$ca['refid'];?>"><?=$ca['descr'];?></option> + <option value="<?=$ca['refid'];?>"><?=htmlspecialchars($ca['descr']);?></option> <?php endforeach; if ($rowIndex == 0) diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php index 009582e..5c7aec2 100644 --- a/usr/local/www/vpn_ipsec_phase1.php +++ b/usr/local/www/vpn_ipsec_phase1.php @@ -805,7 +805,7 @@ function dpdchkbox_change() { if ($pconfig['certref'] == $cert['refid']) $selected = "selected=\"selected\""; ?> - <option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['descr'];?></option> + <option value="<?=$cert['refid'];?>" <?=$selected;?>><?=htmlspecialchars($cert['descr']);?></option> <?php endforeach; ?> </select> <br /> @@ -824,7 +824,7 @@ function dpdchkbox_change() { if ($pconfig['caref'] == $ca['refid']) $selected = "selected=\"selected\""; ?> - <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['descr'];?></option> + <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=htmlspecialchars($ca['descr']);?></option> <?php endforeach; ?> </select> <br /> diff --git a/usr/local/www/vpn_l2tp_users_edit.php b/usr/local/www/vpn_l2tp_users_edit.php index 2d905a0..1e2b9cf 100644 --- a/usr/local/www/vpn_l2tp_users_edit.php +++ b/usr/local/www/vpn_l2tp_users_edit.php @@ -55,7 +55,11 @@ function l2tp_users_sort() { require("guiconfig.inc"); require_once("vpn.inc"); -$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/vpn_l2tp_users.php'); +if (isset($_POST['referer'])) { + $referer = $_POST['referer']; +} else { + $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/vpn_l2tp_users.php'); +} if (!is_array($config['l2tp']['user'])) { $config['l2tp']['user'] = array(); 
@@ -181,6 +185,7 @@ include("head.inc"); <td width="78%"> <input id="submit" name="Submit" type="submit" class="formbtn" value="<?=gettext('Save');?>" /> <input type="button" class="formbtn" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=$referer;?>'" /> + <input name="referer" type="hidden" value="<?=$referer;?>" /> <?php if (isset($id) && $a_secret[$id]): ?> <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" /> <?php endif; ?> diff --git a/usr/local/www/vpn_openvpn_client.php b/usr/local/www/vpn_openvpn_client.php index 7ec74ce..1c2652a 100644 --- a/usr/local/www/vpn_openvpn_client.php +++ b/usr/local/www/vpn_openvpn_client.php @@ -758,7 +758,7 @@ if ($savemsg) if ($pconfig['caref'] == $ca['refid']) $selected = "selected=\"selected\""; ?> - <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['descr'];?></option> + <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=htmlspecialchars($ca['descr']);?></option> <?php endforeach; ?> </select> <?php else: ?> @@ -778,7 +778,7 @@ if ($savemsg) $revoked = ""; $ca = lookup_ca($cert['caref']); if ($ca) - $caname = " (CA: {$ca['descr']})"; + $caname = " (CA: " . htmlspecialchars($ca['descr']) . ")"; if ($pconfig['certref'] == $cert['refid']) $selected = "selected=\"selected\""; if (cert_in_use($cert['refid'])) @@ -786,7 +786,7 @@ if ($savemsg) if (is_cert_revoked($cert)) $revoked = " *Revoked"; ?> - <option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['descr'] . $caname . $inuse . $revoked;?></option> + <option value="<?=$cert['refid'];?>" <?=$selected;?>><?=htmlspecialchars($cert['descr']) . $caname . $inuse . $revoked;?></option> <?php endforeach; ?> <option value="" <?PHP if (empty($pconfig['certref'])) echo "selected=\"selected\""; ?>>None (Username and/or Password required)</option> </select> diff --git a/usr/local/www/vpn_openvpn_server.php b/usr/local/www/vpn_openvpn_server.php index b049c81..801575a 100644 --- a/usr/local/www/vpn_openvpn_server.php 
+++ b/usr/local/www/vpn_openvpn_server.php @@ -959,7 +959,7 @@ if ($savemsg) if ($pconfig['caref'] == $ca['refid']) $selected = "selected=\"selected\""; ?> - <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['descr'];?></option> + <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=htmlspecialchars($ca['descr']);?></option> <?php endforeach; ?> </select> <?php else: ?> @@ -979,12 +979,12 @@ if ($savemsg) $caname = ""; $ca = lookup_ca($crl['caref']); if ($ca) { - $caname = " (CA: {$ca['descr']})"; + $caname = " (CA: " . htmlspecialchars($ca['descr']) . ")"; if ($pconfig['crlref'] == $crl['refid']) $selected = "selected=\"selected\""; } ?> - <option value="<?=$crl['refid'];?>" <?=$selected;?>><?=$crl['descr'] . $caname;?></option> + <option value="<?=$crl['refid'];?>" <?=$selected;?>><?=htmlspecialchars($crl['descr']) . $caname;?></option> <?php endforeach; ?> </select> <?php else: ?> @@ -1005,7 +1005,7 @@ if ($savemsg) $revoked = ""; $ca = lookup_ca($cert['caref']); if ($ca) - $caname = " (CA: {$ca['descr']})"; + $caname = " (CA: " . htmlspecialchars($ca['descr']) . ")"; if ($pconfig['certref'] == $cert['refid']) $selected = "selected=\"selected\""; if (cert_in_use($cert['refid'])) @@ -1013,7 +1013,7 @@ if ($savemsg) if (is_cert_revoked($cert)) $revoked = " *Revoked"; ?> - <option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['descr'] . $caname . $inuse . $revoked;?></option> + <option value="<?=$cert['refid'];?>" <?=$selected;?>><?=htmlspecialchars($cert['descr']) . $caname . $inuse . $revoked;?></option> <?php endforeach; ?> </select> <?php else: ?> diff --git a/usr/local/www/wizards/openvpn_wizard.inc b/usr/local/www/wizards/openvpn_wizard.inc index 4603aa7..ee530a2 100644 --- a/usr/local/www/wizards/openvpn_wizard.inc +++ b/usr/local/www/wizards/openvpn_wizard.inc 
@@ -198,6 +198,10 @@ function step7_submitphpaction() { } } + if (preg_match("/[\?\>\<\&\/\\\"\']/", $_POST['descr'])) { + $input_errors[] = "The field 'Descriptive Name' contains invalid characters."; + } + if (empty($_POST['descr']) || empty($_POST['keylength']) || empty($_POST['lifetime']) || empty($_POST['country']) || empty($_POST['state']) || empty($_POST['city']) || empty($_POST['organization']) || empty($_POST['email'])) { @@ -297,6 +301,10 @@ function step9_submitphpaction() { } } + if (preg_match("/[\?\>\<\&\/\\\"\']/", $_POST['descr'])) { + $input_errors[] = "The field 'Descriptive Name' contains invalid characters."; + } + if (empty($_POST['descr']) || empty($_POST['keylength']) || empty($_POST['lifetime']) || empty($_POST['country']) || empty($_POST['state']) || empty($_POST['city']) || empty($_POST['organization']) || empty($_POST['email'])) { diff --git a/usr/local/www/wizards/traffic_shaper_wizard_multi_all.inc b/usr/local/www/wizards/traffic_shaper_wizard_multi_all.inc index b20334d..8c7a3fc 100644 --- a/usr/local/www/wizards/traffic_shaper_wizard_multi_all.inc +++ b/usr/local/www/wizards/traffic_shaper_wizard_multi_all.inc @@ -607,6 +607,12 @@ function step3_stepsubmitphpaction() { $config['ezshaper']['step3']['address'] = $_POST['upstream_sip_server']; if ($_POST['enable'] == 'on') $config['ezshaper']['step3']['enable'] = 'on'; + if (!empty($_POST['provider'])) { + $VoIPproviders = array("Generic", "VoicePulse", "Asterisk", "Panasonic"); + if (in_array($_POST['provider'], $VoIPproviders)) { + $config['ezshaper']['step3']['provider'] = $_POST['provider']; + } + } for ($i = 0; $i < $localint; $i++) { $config['ezshaper']['step3']["local{$i}download"] = $_POST["local{$i}download"]; $config['ezshaper']['step3']["local{$i}downloadspeed"] = $_POST["local{$i}downloadspeed"]; @@ -1732,4 +1738,4 @@ function wizard_get_bandwidthtype_scale($type = "b") { return intval($factor); } -?> +?>
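Review bot: The provider allow-list in the traffic_shaper_wizard_multi_all.inc `@@ -607` hunk calls `in_array()` without the strict flag, so the comparison is loose rather than an exact string match; pass `true` as the third argument, `if (in_array($_POST['provider'], $VoIPproviders, true)) {`, so only a value identical to one of the four listed names is written to `$config['ezshaper']['step3']['provider']`. A one-line comment naming why the list is fixed would help the next maintainer extend it. The enclosing step3_stepsubmitphpaction() starts and ends outside the hunk.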
\ No newline at end of file |