diff options
57 files changed, 1116 insertions, 639 deletions
diff --git a/conf.default/config.xml b/conf.default/config.xml index b291c38..3a0bb64 100644 --- a/conf.default/config.xml +++ b/conf.default/config.xml @@ -1,7 +1,7 @@ <?xml version="1.0"?> <!-- pfSense default system configuration --> <pfsense> - <version>7.8</version> + <version>7.9</version> <lastchange></lastchange> <theme>pfsense_ng</theme> <sysctl> diff --git a/etc/devd.conf b/etc/devd.conf index 244af48..d6731d8 100644 --- a/etc/devd.conf +++ b/etc/devd.conf @@ -30,12 +30,12 @@ notify 100 { # When a USB keyboard arrives, attach it as the console keyboard. attach 100 { device-name "ukbd0"; - action "kbdcontrol -k /dev/ukbd0 < /dev/console"; + action "kbdcontrol -k /dev/ukbd0 < /dev/console 2>/dev/null"; }; detach 100 { device-name "ukbd0"; - action "kbdcontrol -k /dev/kbd0 < /dev/console"; + action "kbdcontrol -k /dev/kbd0 < /dev/console 2>/dev/null"; }; # diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc index 4ebb010..5d6074e 100644 --- a/etc/inc/captiveportal.inc +++ b/etc/inc/captiveportal.inc @@ -809,12 +809,11 @@ function captiveportal_disconnect($dbent, $radiusservers,$term_cause = 1,$stop_t captiveportal_free_ipfw_ruleno($dbent[1]); // XMLRPC Call over to the master Voucher node - $a_voucher = &$config['voucher']; - if(!empty($a_voucher['vouchersyncdbip'])) { - $syncip = $a_voucher['vouchersyncdbip']; - $syncport = $a_voucher['vouchersyncport']; - $syncpass = $a_voucher['vouchersyncpass']; - $vouchersyncusername = $a_voucher['vouchersyncusername']; + if(!empty($config['voucher']['vouchersyncdbip'])) { + $syncip = $config['voucher']['vouchersyncdbip']; + $syncport = $config['voucher']['vouchersyncport']; + $syncpass = $config['voucher']['vouchersyncpass']; + $vouchersyncusername = $config['voucher']['vouchersyncusername']; $remote_status = xmlrpc_sync_voucher_disconnect($dben, $syncip, $syncport, $syncpass, $vouchersyncusername, $term_cause, $stop_time); } @@ -827,18 +826,15 @@ function captiveportal_disconnect_client($sessionid, $term_cause = 1, $logoutRea $radiusservers = captiveportal_get_radius_servers(); $unsetindex = array(); - $cpdblck = lock('captiveportaldb', LOCK_EX); - /* read database */ - $cpdb = captiveportal_read_db(true); + $cpdb = captiveportal_read_db(); /* find entry */ if (isset($cpdb[$sessionid])) { $cpentry = $cpdb[$sessionid]; /* write database */ $unsetindex[] = $sessionid; - captiveportal_write_db($cpdb, true, $unsetindex); - unlock($cpdblck); + captiveportal_write_db($cpdb, false, $unsetindex); captiveportal_disconnect($cpentry, $radiusservers, $term_cause); captiveportal_logportalauth($cpentry[4], $cpentry[3], $cpentry[2], "DISCONNECT"); @@ -1115,29 +1111,29 @@ function captiveportal_init_radius_servers() { /* read RADIUS servers into array */ function captiveportal_get_radius_servers() { - global $g; - - $cprdsrvlck = lock('captiveportalradius'); - if (file_exists("{$g['vardb_path']}/captiveportal_radius.db")) { - $radiusservers = array(); - $cpradiusdb = file("{$g['vardb_path']}/captiveportal_radius.db", - FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); - if ($cpradiusdb) { - foreach($cpradiusdb as $cpradiusentry) { - $line = trim($cpradiusentry); - if ($line) { - $radsrv = array(); - list($radsrv['ipaddr'],$radsrv['port'],$radsrv['acctport'],$radsrv['key']) = explode(",",$line); - $radiusservers[] = $radsrv; - } + global $g; + + $cprdsrvlck = lock('captiveportalradius'); + if (file_exists("{$g['vardb_path']}/captiveportal_radius.db")) { + $radiusservers = array(); + $cpradiusdb = file("{$g['vardb_path']}/captiveportal_radius.db", + FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); + if ($cpradiusdb) { + foreach($cpradiusdb as $cpradiusentry) { + $line = trim($cpradiusentry); + if ($line) { + $radsrv = array(); + list($radsrv['ipaddr'],$radsrv['port'],$radsrv['acctport'],$radsrv['key']) = explode(",",$line); + $radiusservers[] = $radsrv; } } - unlock($cprdsrvlck); - return $radiusservers; } - unlock($cprdsrvlck); - return false; + return $radiusservers; + } + + unlock($cprdsrvlck); + return false; } /* log successful captive portal authentication to syslog */ diff --git a/etc/inc/dyndns.class b/etc/inc/dyndns.class index 01209b9..07fdf95 100644 --- a/etc/inc/dyndns.class +++ b/etc/inc/dyndns.class @@ -98,7 +98,9 @@ $this->_debugFile = "{$g['varetc_path']}/dyndns_{$dnsIf}{$dnsService}" . escapeshellarg($dnsHost) . ".debug"; log_error("DynDns: updatedns() starting"); - + + $dyndnslck = lock($dnsHost, LOCK_EX); + if (!$dnsService) $this->_error(2); switch ($dnsService) { case 'freedns': @@ -128,6 +130,7 @@ // Ensure that we where able to lookup the IP if(!is_ipaddr($this->_ifIP)) { log_error("There was an error trying to determine the IP for interface - {$dnsIf}({$this->_if}). Probably interface has no ip or is down. Dyndns update not possible for {$dnsService}."); + unlock($dyndnslck); return; } @@ -162,6 +165,8 @@ break; } } + + unlock($dyndnslck); } /* @@ -178,7 +183,7 @@ curl_setopt($ch, CURLOPT_USERAGENT, $this->_UserAgent); curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); curl_setopt($ch, CURLOPT_INTERFACE, $this->_ifIP); - curl_setopt($ch, CURLOPT_TIMEOUT, 60); // Completely empirical + curl_setopt($ch, CURLOPT_TIMEOUT, 120); // Completely empirical } switch ($this->_dnsService) { @@ -197,10 +202,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server .$port . '?system=dyndns&hostname=' . $this->_dnsHost . '&myip=' . $this->_dnsIP . '&wildcard='.$this->_dnsWildcard . '&mx=' . $this->_dnsMX . '&backmx=NO'); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'dhs': $needsIP = TRUE; @@ -228,10 +229,6 @@ curl_setopt($ch, CURLOPT_URL, '{$server}{$port}'); curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser.':'.$this->_dnsPass); curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'noip': $needsIP = TRUE; @@ -243,10 +240,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server . $port . '?username=' . urlencode($this->_dnsUser) . '&pass=' . urlencode($this->_dnsPass) . '&hostname=' . $this->_dnsHost.'&ip=' . $this->_dnsIP); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'easydns': $needsIP = TRUE; @@ -259,10 +252,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server . $port . '?hostname=' . $this->_dnsHost . '&myip=' . $this->_dnsIP . '&wildcard=' . $this->_dnsWildcard . '&mx=' . $this->_dnsMX . '&backmx=' . $this->_dnsBackMX); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'hn': $needsIP = TRUE; @@ -275,10 +264,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server . $port . '?ver=1&IP=' . $this->_dnsIP); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'zoneedit': $needsIP = FALSE; @@ -293,11 +278,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, "{$server}{$port}?host=" .$this->_dnsHost); - - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'dyns': $needsIP = FALSE; @@ -308,10 +288,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server . $port . '?username=' . urlencode($this->_dnsUser) . '&password=' . $this->_dnsPass . '&host=' . $this->_dnsHost); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'ods': $needsIP = FALSE; @@ -349,33 +325,21 @@ break; } } - $this->_checkStatus($code); + $this->_checkStatus(0, $code); break; case 'freedns': $needIP = FALSE; curl_setopt($ch, CURLOPT_URL, 'http://freedns.afraid.org/dynamic/update.php?' . $this->_dnsPass); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'dnsexit': $needsIP = TRUE; curl_setopt($ch, CURLOPT_URL, 'http://www.dnsexit.com/RemoteUpdate.sv?login='.$this->_dnsUser. '&password='.$this->_dnsPass.'&host='.$this->_dnsHost.'&myip='.$this->_dnsIP); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred:" . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'loopia': $needsIP = TRUE; curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser.':'.$this->_dnsPass); curl_setopt($ch, CURLOPT_URL, 'https://dns.loopia.se/XDynDNSServer/XDynDNS.php?hostname='.$this->_dnsHost.'&myip='.$this->_dnsIP); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'opendns': $needsIP = FALSE; @@ -389,19 +353,11 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server .$port); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'staticcling': $needsIP = FALSE; curl_setopt($ch, CURLOPT_URL, 'http://www.staticcling.org/update.html?login='.$this->_dnsUser.'&pass='.$this->_dnsPass); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occured: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'dnsomatic': /* Example syntax @@ -418,10 +374,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server . $this->_dnsHost . '&myip=' . $this->_dnsIP . '&wildcard='.$this->_dnsWildcard . '&mx=' . $this->_dnsMX . '&backmx=NOCHG'); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Request completed. DNS-O-Matic reported: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'namecheap': /* Example: @@ -433,10 +385,6 @@ list($hostname, $domain) = explode(".", $this->_dnsHost, 2); $server = "https://dynamicdns.park-your-domain.com/update?host={$hostname}&domain={$domain}&password={$this->_dnsPass}&ip={$this->_dnsIP}"; curl_setopt($ch, CURLOPT_URL, $server); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'he-net': $needsIP = FALSE; @@ -445,14 +393,15 @@ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsHost . ':' . $this->_dnsPass); curl_setopt($ch, CURLOPT_URL, $server . 'hostname=' . $this->_dnsHost); - $data = curl_exec($ch); - if(@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; default: break; } + if ($this->_dnsService != 'ods') { + $data = curl_exec($ch); + $this->_checkStatus($ch, $data); + @curl_close($ch); + } } /* @@ -463,6 +412,12 @@ log_error("DynDns: DynDns _checkStatus() starting."); log_error("DynDns: Current Service: {$this->_dnsService}"); $successful_update = false; + if ($this->_dnsService != 'ods' && @curl_error($ch)) { + $status = "Curl error occurred: " . curl_error($ch); + log_error($status); + $this->status = $status; + return; + } switch ($this->_dnsService) { case 'dnsomatic': if (preg_match('/badauth/i', $data)) { @@ -961,7 +916,7 @@ curl_setopt($ip_ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ip_ch, CURLOPT_INTERFACE, $ip_address); curl_setopt($ip_ch, CURLOPT_CONNECTTIMEOUT, '30'); - curl_setopt($ip_ch, CURLOPT_TIMEOUT, 60); + curl_setopt($ip_ch, CURLOPT_TIMEOUT, 120); $ip_result_page = curl_exec($ip_ch); curl_close($ip_ch); $ip_result_decoded = urldecode($ip_result_page); diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 78ad19f..e5bc59a 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -430,7 +430,7 @@ function filter_generate_scrubing() { } /* disable scrub option */ foreach ($FilterIflist as $scrubif => $scrubcfg) { - if(isset($scrubcfg['virtual'])) + if(isset($scrubcfg['virtual']) || empty($scrubcfg['descr'])) continue; /* set up MSS clamping */ if($scrubcfg['mss'] <> "" && is_numeric($scrubcfg['mss']) && $scrubcfg['if'] != "pppoe" && $scrubcfg['if'] != "pptp" && @@ -519,7 +519,7 @@ function filter_generate_aliases() { $aliases .= "{$ifcfg[0]['descr']} = \"{ {$ifcfg[0]['if']}"; $aliases .= " }\"\n"; } - } else { + } elseif (!empty($ifcfg['descr']) && !empty($ifcfg['if'])) { $aliases .= "{$ifcfg['descr']} = \"{ {$ifcfg['if']}"; $aliases .= " }\"\n"; } @@ -802,8 +802,8 @@ function filter_generate_optcfg_array() { $oic['virtual'] = true; $FilterIflist['l2tp'] = $oic; } - if (is_array($config['pppoes']['pppoe'])) { - $FilterIflist['pppoe'] = array(); + if (is_array($config['pppoes']['pppoe']) && (count($config['pppoes']['pppoe']) > 0)) { + $pppoeifs = array(); foreach($config['pppoes']['pppoe'] as $pppoe) { if ($pppoe['mode'] == "server") { $oic = array(); @@ -817,9 +817,11 @@ function filter_generate_optcfg_array() { $oic['sn'] = $pppoe['pppoe_subnet']; else $oic['sn'] = "32"; - $FilterIflist['pppoe'][] = $oic; + $pppoeifs[] = $oic; } } + if (count($pppoeifs)) + $FilterIflist['pppoe'] = $pppoeifs; } /* add ipsec interfaces */ if(isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])) { @@ -1383,6 +1385,12 @@ function filter_nat_rules_generate() { } } } + /* IPsec mode_cfg subnet */ + if (isset($config['ipsec']['client']['enable']) && + !empty($config['ipsec']['client']['pool_address']) && + !empty($config['ipsec']['client']['pool_netbits'])) { + $tonathosts .= "{$config['ipsec']['client']['pool_address']}/{$config['ipsec']['client']['pool_netbits']} "; + } $natrules .= "\n# Subnets to NAT \n"; $tonathosts .= "127.0.0.0/8 "; if($numberofnathosts > 4) { @@ -1744,6 +1752,11 @@ function filter_generate_user_rule($rule) { } else if(!array_key_exists($rule['interface'], $FilterIflist)) { foreach($FilterIflist as $oc) $item .= $oc['descr']; return "# {$item} {$rule['interface']} array key does not exist for " . $rule['descr']; + } else if((array_key_exists($rule['interface'], $FilterIflist)) + && (is_array($FilterIflist[$rule['interface']])) + && (is_array($FilterIflist[$rule['interface']][0]))) { + /* Currently this only case for this is the pppoe server. There should be an existing macro with this name. */ + $aline['interface'] = " on \$" . $rule['interface'] . " "; } else $aline['interface'] = " on \$" . $FilterIflist[$rule['interface']]['descr'] . " "; $ifcfg = $FilterIflist[$rule['interface']]; diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc index 7037933..6993148 100644 --- a/etc/inc/globals.inc +++ b/etc/inc/globals.inc @@ -91,7 +91,7 @@ $g = array( "disablecrashreporter" => false, "crashreporterurl" => "http://crashreporter.pfsense.org/crash_reporter.php", "debug" => false, - "latest_config" => "7.8", + "latest_config" => "7.9", "nopkg_platforms" => array("cdrom"), "minimum_ram_warning" => "101", "minimum_ram_warning_text" => "128 MB", diff --git a/etc/inc/gwlb.inc b/etc/inc/gwlb.inc index f5c35ca..097b1ff 100644 --- a/etc/inc/gwlb.inc +++ b/etc/inc/gwlb.inc @@ -367,7 +367,7 @@ function return_gateway_groups_array() { $gateways_arr = return_gateways_array(); $gateway_groups_array = array(); - if (0) { + if (isset($config['system']['gw_switch_default'])) { /* * NOTE: The code below is meant to replace the default gateway when it goes down. * This facilitates services running on pfSense itself and are not handled by a PBR to continue working. diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc index 6040de6..6f8e0d0 100644 --- a/etc/inc/ipsec.inc +++ b/etc/inc/ipsec.inc @@ -449,6 +449,10 @@ function ipsec_dump_sad() case 3: $cursa['aalgo'] = $linea[1]; break; + case 8: + $sadata = explode("(", $linea[1]); + $cursa['data'] = $sadata[0] . " B"; + break; } } $i++; diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc index 4ba2f3f..cb35d99 100644 --- a/etc/inc/openvpn.inc +++ b/etc/inc/openvpn.inc @@ -367,8 +367,8 @@ function openvpn_reconfigure($mode, $settings) { // server specific settings if ($mode == 'server') { - list($ip, $mask) = explode('/', $settings['tunnel_network']); - $mask = gen_subnet_mask($mask); + list($ip, $cidr) = explode('/', $settings['tunnel_network']); + $mask = gen_subnet_mask($cidr); // configure tls modes switch($settings['mode']) { @@ -383,8 +383,13 @@ function openvpn_reconfigure($mode, $settings) { // configure p2p/server modes switch($settings['mode']) { case 'p2p_tls': - $conf .= "server {$ip} {$mask}\n"; - $conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n"; + // If the CIDR is less than a /30, OpenVPN will complain if you try to + // use the server directive. It works for a single client without it. + // See ticket #1417 + if ($cidr < 30) { + $conf .= "server {$ip} {$mask}\n"; + $conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n"; + } case 'p2p_shared_key': $baselong = ip2long32($ip) & ip2long($mask); $ip1 = long2ip32($baselong + 1); diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index b2897dd..bbdf7c8 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc @@ -2207,4 +2207,42 @@ function load_mac_manufacturer_table() { } +/****f* pfsense-utils/is_ipaddr_configured + * NAME + * is_ipaddr_configured + * INPUTS + * IP Address to check. + * RESULT + * returns true if the IP Address is + * configured and present on this device. +*/ +function is_ipaddr_configured($ipaddr) { + $interface_list_ips = get_configured_ip_addresses(); + foreach($interface_list_ips as $ilips) { + if(strcasecmp($ipaddr, $ilips) == 0) + return true; + } +} + +/****f* pfsense-utils/pfSense_handle_custom_code + * NAME + * pfSense_handle_custom_code + * INPUTS + * directory name to process + * RESULT + * globs the directory and includes the files + */ +function pfSense_handle_custom_code($src_dir) { + // Allow extending of the nat edit page and include custom input validation + if(is_dir("$src_dir")) { + $cf = glob($src_dir . "/*.inc"); + foreach($cf as $nf) { + if($nf == "." || $nf == "..") + continue; + // Include the extra handler + include("$nf"); + } + } +} + ?> diff --git a/etc/inc/pkg-utils.inc b/etc/inc/pkg-utils.inc index 1798f85..b735375 100644 --- a/etc/inc/pkg-utils.inc +++ b/etc/inc/pkg-utils.inc @@ -141,10 +141,10 @@ function get_pkg_id($pkg_name) { /****f* pkg-utils/get_pkg_info * NAME - * get_pkg_info - Retrive package information from pfsense.com. + * get_pkg_info - Retrieve package information from pfsense.com. * INPUTS - * $pkgs - 'all' to retrive all packages, an array containing package names otherwise - * $info - 'all' to retrive all information, an array containing keys otherwise + * $pkgs - 'all' to retrieve all packages, an array containing package names otherwise + * $info - 'all' to retrieve all information, an array containing keys otherwise * RESULT * $raw_versions - Array containing retrieved information, indexed by package name. ******/ diff --git a/etc/inc/priv.defs.inc b/etc/inc/priv.defs.inc index 335c681..c3db0cb 100644 --- a/etc/inc/priv.defs.inc +++ b/etc/inc/priv.defs.inc @@ -955,6 +955,12 @@ $priv_list['page-system-usermanager']['descr'] = gettext("Allow access to the 'S $priv_list['page-system-usermanager']['match'] = array(); $priv_list['page-system-usermanager']['match'][] = "system_usermanager.php*"; +$priv_list['page-system-usermanager-passwordmg'] = array(); +$priv_list['page-system-usermanager-passwordmg']['name'] = "WebCfg - System: User Password Manager page"; +$priv_list['page-system-usermanager-passwordmg']['descr'] = "Allow access to the 'System: User Password Manager' page."; +$priv_list['page-system-usermanager-passwordmg']['match'] = array(); +$priv_list['page-system-usermanager-passwordmg']['match'][] = "system_usermanager_passwordmg.php*"; + $priv_list['page-system-usermanager_addcert'] = array(); $priv_list['page-system-usermanager_addcert']['name'] = gettext("WebCfg - System: User Manager: Add Certificate"); $priv_list['page-system-usermanager_addcert']['descr'] = gettext("Allow access to the 'User Manager: Add Certificate' page."); diff --git a/etc/inc/system.inc b/etc/inc/system.inc index ea0be9b..bf69eda 100644 --- a/etc/inc/system.inc +++ b/etc/inc/system.inc @@ -116,9 +116,12 @@ function system_resolvconf_generate($dynupdate = false) { } } + $dnslock = lock('resolvconf', LOCK_EX); + $fd = fopen("{$g['varetc_path']}/resolv.conf", "w"); if (!$fd) { printf("Error: cannot open resolv.conf in system_resolvconf_generate().\n"); + unlock($dnslock); return 1; } @@ -148,7 +151,9 @@ function system_resolvconf_generate($dynupdate = false) { } } } - + + unlock($dnslock); + return 0; } @@ -1251,6 +1256,7 @@ function system_reboot_cleanup() { captiveportal_radius_stop_all(); require_once("voucher.inc"); voucher_save_db_to_config(); + // mwexec("/etc/rc.stop_packages"); } function system_do_shell_commands($early = 0) { diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc index 60490aa..714e11d 100644 --- a/etc/inc/upgrade_config.inc +++ b/etc/inc/upgrade_config.inc @@ -2490,4 +2490,11 @@ function upgrade_077_to_078() { $config['pptpd']['radius'] = $radarr; } } + +function upgrade_078_to_079() { + global $g; + /* Delete old and unused RRD file */ + unlink_if_exists("{$g['vardb_path']}/rrd/captiveportal-totalusers.rrd"); +} + ?> diff --git a/etc/inc/voucher.inc b/etc/inc/voucher.inc index f7f5b01..dda49d2 100644 --- a/etc/inc/voucher.inc +++ b/etc/inc/voucher.inc @@ -37,6 +37,53 @@ if(!function_exists('captiveportal_syslog')) require_once("captiveportal.inc"); +function xmlrpc_sync_voucher_expire($vouchers, $syncip, $port, $password, $username) { + global $g, $config; + require_once("xmlrpc.inc"); + if($port == "443") + $url = "https://{$syncip}"; + else + $url = "http://{$syncip}"; + + /* Construct code that is run on remote machine */ + $method = 'pfsense.exec_php'; + $execcmd = <<<EOF + require_once('/etc/inc/captiveportal.inc'); + require_once('/etc/inc/voucher.inc'); + voucher_expire(\$vouchers); + +EOF; + + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + + log_error("Captive Portal Voucher XMLRPC sync data {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, "250"); + if(!is_object($resp)) { + $error = "A communications error occurred while attempting CaptivePortalVoucherSync XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + log_error($error); + file_notice("CaptivePortalVoucherSync", $error, "Communications error occurred", ""); + return false; + } elseif($resp->faultCode()) { + $error = "An error code was received while attempting CaptivePortalVoucherSync XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("CaptivePortalVoucherSync", $error, "Error code received", ""); + return false; + } else { + log_error("CaptivePortalVoucherSync XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); + } + + $toreturn = XML_RPC_Decode($resp->value()); + + return $toreturn; +} + function xmlrpc_sync_voucher_disconnect($dbent, $syncip, $port, $password, $username, $term_cause = "1", $stop_time = null) { global $g, $config; require_once("xmlrpc.inc"); @@ -138,6 +185,93 @@ EOF; return $toreturn['timeleft']; } +function voucher_expire($voucher_received) { + global $g, $config; + + $voucherlck = lock('voucher', LOCK_EX); + + // XMLRPC Call over to the master Voucher node + if(!empty($config['voucher']['vouchersyncdbip'])) { + $syncip = $config['voucher']['vouchersyncdbip']; + $syncport = $config['voucher']['vouchersyncport']; + $syncpass = $config['voucher']['vouchersyncpass']; + $vouchersyncusername = $config['voucher']['vouchersyncusername']; + xmlrpc_sync_voucher_expire($voucher_received, $syncip, $syncport, $syncpass, $vouchersyncusername); + } + + // read rolls into assoc array with rollid as key and minutes as value + $tickets_per_roll = array(); + $minutes_per_roll = array(); + if (is_array($config['voucher']['roll'])) { + foreach ($config['voucher']['roll'] as $rollent) { + $tickets_per_roll[$rollent['number']] = $rollent['count']; + $minutes_per_roll[$rollent['number']] = $rollent['minutes']; + } + } + + // split into an array. Useful for multiple vouchers given + $a_vouchers_received = split("[\t\n\r ]+",$voucher_received); + $active_dirty = false; + + // go through all received vouchers, check their valid and extract + // Roll# and Ticket# using the external readvoucher binary + foreach ($a_vouchers_received as $voucher) { + $v = escapeshellarg($voucher); + if (strlen($voucher) < 3) + continue; // seems too short to be a voucher! + + $result = exec("/usr/local/bin/voucher -c {$g['varetc_path']}/voucher.cfg -k {$g['varetc_path']}/voucher.public -- $v"); + list($status, $roll, $nr) = explode(" ", $result); + if ($status == "OK") { + // check if we have this ticket on a registered roll for this ticket + if ($tickets_per_roll[$roll] && ($nr <= $tickets_per_roll[$roll])) { + // voucher is from a registered roll. + if (!isset($active_vouchers[$roll])) + $active_vouchers[$roll] = voucher_read_active_db($roll); + // valid voucher. Store roll# and ticket# + if (!empty($active_vouchers[$roll][$voucher])) { + $active_dirty = true; + unset($active_vouchers[$roll][$voucher]); + } + // check if voucher already marked as used + if (!isset($bitstring[$roll])) + $bitstring[$roll] = voucher_read_used_db($roll); + $pos = $nr >> 3; // divide by 8 -> octet + $mask = 1 << ($nr % 8); + // mark bit for this voucher as used + if (!(ord($bitstring[$roll][$pos]) & $mask)) + $bitstring[$roll][$pos] = chr(ord($bitstring[$roll][$pos]) | $mask); + captiveportal_syslog("{$voucher} ({$roll}/{$nr}) forced to expire"); + } else + captiveportal_syslog("$voucher ($roll/$nr): not found on any registererd Roll"); + } else + // hmm, thats weird ... not what I expected + captiveportal_syslog("$voucher invalid: $result !!"); + } + + // Refresh active DBs + if ($active_dirty == true) { + foreach ($active_vouchers as $roll => $active) + voucher_write_active_db($roll, $active); + } + + // Write back the used DB's + if (is_array($bitstring)) { + foreach ($bitstring as $roll => $used) { + if(is_array($used)) { + foreach($used as $u) + voucher_write_used_db($roll, base64_encode($u)); + } else { + voucher_write_used_db($roll, base64_encode($used)); + } + } + } + + unlock($voucherlck); + + return true; +} + /* * Authenticate a voucher and return the remaining time credit in minutes * if $test is set, don't mark the voucher as used nor add it to the list @@ -146,17 +280,16 @@ EOF; * but return a more verbose error and result message back */ function voucher_auth($voucher_received, $test = 0) { - global $g, $config; + global $g, $config; - $voucherlck = lock('voucher', LOCK_EX); + $voucherlck = lock('voucher', LOCK_EX); // XMLRPC Call over to the master Voucher node - $a_voucher = &$config['voucher']; - if(!empty($a_voucher['vouchersyncdbip'])) { - $syncip = $a_voucher['vouchersyncdbip']; - $syncport = $a_voucher['vouchersyncport']; - $syncpass = $a_voucher['vouchersyncpass']; - $vouchersyncusername = $a_voucher['vouchersyncusername']; + if(!empty($config['voucher']['vouchersyncdbip'])) { + $syncip = $config['voucher']['vouchersyncdbip']; + $syncport = $config['voucher']['vouchersyncport']; + $syncpass = $config['voucher']['vouchersyncpass']; + $vouchersyncusername = $config['voucher']['vouchersyncusername']; $remote_time_used = xmlrpc_sync_used_voucher($voucher_received, $syncip, $syncport, $syncpass, $vouchersyncusername); } @@ -170,105 +303,102 @@ function voucher_auth($voucher_received, $test = 0) { } } - // split into an array. Useful for multiple vouchers given - $a_vouchers_received = split("[\t\n\r ]+",$voucher_received); - $error = 0; - $test_result = array(); // used to display for voucher test option in GUI - $total_minutes = 0; - $first_voucher = ""; - $first_voucher_roll = 0; - - // go through all received vouchers, check their valid and extract - // Roll# and Ticket# using the external readvoucher binary - - foreach ($a_vouchers_received as $voucher) { - - $v = escapeshellarg($voucher); - if (strlen($voucher) < 3) - continue; // seems too short to be a voucher! - - $result = exec("/usr/local/bin/voucher -c {$g['varetc_path']}/voucher.cfg -k {$g['varetc_path']}/voucher.public -- $v"); - list($status, $roll, $nr) = explode(" ", $result); - if ($status == "OK") { - if (!$first_voucher) { - // store first voucher. Thats the one we give the timecredit - $first_voucher = $voucher; - $first_voucher_roll = $roll; - } - // check if we have this ticket on a registered roll for this ticket - if ($tickets_per_roll[$roll] && ($nr <= $tickets_per_roll[$roll])) { - // voucher is from a registered roll. - if (!isset($active_vouchers[$roll])) - $active_vouchers[$roll] = voucher_read_active_db($roll); - // valid voucher. Store roll# and ticket# - if (!empty($active_vouchers[$roll][$voucher])) { - list($timestamp,$minutes) = explode(",", $active_vouchers[$roll][$voucher]); - // we have an already active voucher here. - $remaining = intval((($timestamp + (60*$minutes)) - time())/60); - $test_result[] = sprintf(gettext('%1$s (%2$s/%3$s) active and good for %4$d Minutes'), $voucher, $roll, $nr, $remaining); - $total_minutes += $remaining; - } else { - // voucher not used. Check if ticket Id is on the roll (not too high) - // and if the ticket is marked used. - // check if voucher already marked as used - if (!isset($bitstring[$roll])) - $bitstring[$roll] = voucher_read_used_db($roll); - $pos = $nr >> 3; // divide by 8 -> octet - $mask = 1 << ($nr % 8); - if (ord($bitstring[$roll][$pos]) & $mask) { - $test_result[] = sprintf(gettext('%1$s (%2$s/%3$s) already used and expired'), $voucher, $roll, $nr); - captiveportal_syslog(sprintf(gettext('%1$s (%2$s/%3$s) already used and expired'), $voucher, $roll, $nr)); - $total_minutes = -1; // voucher expired - $error++; - } else { - // mark bit for this voucher as used - $bitstring[$roll][$pos] = chr(ord($bitstring[$roll][$pos]) | $mask); - $test_result[] = sprintf(gettext('%1$s (%2$s/%3$s) good for %4$d Minutes'), $voucher, $roll, $nr, $minutes_per_roll[$roll]); - $total_minutes += $minutes_per_roll[$roll]; - } - } - } else { - $test_result[] = sprintf(gettext('%1$s (%2$s/%3$s): not found on any registererd Roll'), $voucher, $roll, $nr); - captiveportal_syslog("$voucher ($roll/$nr): not found on any registererd Roll"); - } - } else { - // hmm, thats weird ... not what I expected - $test_result[] = sprintf(gettext('%1$s invalid: %2$s !!'),$voucher,$result); - captiveportal_syslog("$voucher invalid: $result !!"); - $error++; - } - } + // split into an array. Useful for multiple vouchers given + $a_vouchers_received = split("[\t\n\r ]+",$voucher_received); + $error = 0; + $test_result = array(); // used to display for voucher test option in GUI + $total_minutes = 0; + $first_voucher = ""; + $first_voucher_roll = 0; + + // go through all received vouchers, check their valid and extract + // Roll# and Ticket# using the external readvoucher binary + foreach ($a_vouchers_received as $voucher) { + $v = escapeshellarg($voucher); + if (strlen($voucher) < 3) + continue; // seems too short to be a voucher! + + $result = exec("/usr/local/bin/voucher -c {$g['varetc_path']}/voucher.cfg -k {$g['varetc_path']}/voucher.public -- $v"); + list($status, $roll, $nr) = explode(" ", $result); + if ($status == "OK") { + if (!$first_voucher) { + // store first voucher. Thats the one we give the timecredit + $first_voucher = $voucher; + $first_voucher_roll = $roll; + } + // check if we have this ticket on a registered roll for this ticket + if ($tickets_per_roll[$roll] && ($nr <= $tickets_per_roll[$roll])) { + // voucher is from a registered roll. + if (!isset($active_vouchers[$roll])) + $active_vouchers[$roll] = voucher_read_active_db($roll); + // valid voucher. Store roll# and ticket# + if (!empty($active_vouchers[$roll][$voucher])) { + list($timestamp,$minutes) = explode(",", $active_vouchers[$roll][$voucher]); + // we have an already active voucher here. + $remaining = intval((($timestamp + (60*$minutes)) - time())/60); + $test_result[] = sprintf(gettext('%1$s (%2$s/%3$s) active and good for %4$d Minutes'), $voucher, $roll, $nr, $remaining); + $total_minutes += $remaining; + } else { + // voucher not used. Check if ticket Id is on the roll (not too high) + // and if the ticket is marked used. + // check if voucher already marked as used + if (!isset($bitstring[$roll])) + $bitstring[$roll] = voucher_read_used_db($roll); + $pos = $nr >> 3; // divide by 8 -> octet + $mask = 1 << ($nr % 8); + if (ord($bitstring[$roll][$pos]) & $mask) { + $test_result[] = "$voucher ($roll/$nr) already used and expired"; + captiveportal_syslog("$voucher ($roll/$nr) already used and expired"); + $total_minutes = -1; // voucher expired + $error++; + } else { + // mark bit for this voucher as used + $bitstring[$roll][$pos] = chr(ord($bitstring[$roll][$pos]) | $mask); + $test_result[] = "$voucher ($roll/$nr) good for {$minutes_per_roll[$roll]} Minutes"; + $total_minutes += $minutes_per_roll[$roll]; + } + } + } else { + $test_result[] = "$voucher ($roll/$nr): not found on any registererd Roll"; + captiveportal_syslog("$voucher ($roll/$nr): not found on any registererd Roll"); + } + } else { + // hmm, thats weird ... not what I expected + $test_result[] = "$voucher invalid: $result !!"; + captiveportal_syslog("$voucher invalid: $result !!"); + $error++; + } + } - // if this was a test call, we're done. Return the result. - if ($test) { - if ($error) { - $test_result[] = gettext("Access denied!"); - } else { - $test_result[] = sprintf(gettext("Access granted for %d Minutes in total."), $total_minutes); - } - unlock($voucherlck); - return $test_result; - } + // if this was a test call, we're done. Return the result. + if ($test) { + if ($error) { + $test_result[] = gettext("Access denied!"); + } else { + $test_result[] = sprintf(gettext("Access granted for %d Minutes in total."),$total_minutes); + } + unlock($voucherlck); - // if we had an error (one of the vouchers is invalid), return 0. - // Discussion: we could return the time remaining for good vouchers, but then - // the user wouldn't know that he used at least one invalid voucher. + return $test_result; + } - if ($error) { + // if we had an error (one of the vouchers is invalid), return 0. + // Discussion: we could return the time remaining for good vouchers, but then + // the user wouldn't know that he used at least one invalid voucher. + if ($error) { unlock($voucherlck); - if ($total_minutes > 0) // probably not needed, but want to make sure - $total_minutes = 0; // we only report -1 (expired) or 0 (no access) - return $total_minutes; // well, at least one voucher had errors. Say NO ACCESS - } + if ($total_minutes > 0) // probably not needed, but want to make sure + $total_minutes = 0; // we only report -1 (expired) or 0 (no access) + return $total_minutes; // well, at least one voucher had errors. Say NO ACCESS + } // If we did a XMLRPC sync earlier check the timeleft - if(!empty($a_voucher['vouchersyncdbip'])) + if (!empty($config['voucher']['vouchersyncdbip'])) if($remote_time_used < $total_minutes) $total_minutes = $remote_time_used; - // All given vouchers were valid and this isn't simply a test. - // Write back the used DB's - + // All given vouchers were valid and this isn't simply a test. + // Write back the used DB's if (is_array($bitstring)) { foreach ($bitstring as $roll => $used) { if(is_array($used)) { @@ -280,24 +410,23 @@ function voucher_auth($voucher_received, $test = 0) { } } - // Active DB: we only add the first voucher if multiple given - // and give that one all the time credit. This allows the user to logout and - // log in later using just the first voucher. It also keeps username limited - // to one voucher and that voucher shows the correct time credit in 'active vouchers' - - if (!empty($active_vouchers[$first_voucher_roll][$first_voucher])) { - list($timestamp, $minutes) = explode(",", $active_vouchers[$first_voucher_roll][$first_voucher]); - } else { - $timestamp = time(); // new voucher - $minutes = $total_minutes; - } + // Active DB: we only add the first voucher if multiple given + // and give that one all the time credit. This allows the user to logout and + // log in later using just the first voucher. It also keeps username limited + // to one voucher and that voucher shows the correct time credit in 'active vouchers' + if (!empty($active_vouchers[$first_voucher_roll][$first_voucher])) { + list($timestamp, $minutes) = explode(",", $active_vouchers[$first_voucher_roll][$first_voucher]); + } else { + $timestamp = time(); // new voucher + $minutes = $total_minutes; + } - $active_vouchers[$first_voucher_roll][$first_voucher] = "$timestamp,$minutes"; - voucher_write_active_db($roll, $active_vouchers[$first_voucher_roll]); + $active_vouchers[$first_voucher_roll][$first_voucher] = "$timestamp,$minutes"; + voucher_write_active_db($roll, $active_vouchers[$first_voucher_roll]); - unlock($voucherlck); + unlock($voucherlck); - return $total_minutes; + return $total_minutes; } function voucher_configure($sync = false) { @@ -430,6 +559,8 @@ function voucher_read_active_db($roll) { function voucher_write_active_db($roll, $active) { global $g; + if (!is_array($active)) + return; $fd = fopen("{$g['vardb_path']}/voucher_active_$roll.db", "w"); if ($fd) { foreach($active as $voucher => $value) diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index 455c07d..bd985b2 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -481,7 +481,7 @@ function vpn_ipsec_configure($ipchg = false) $natt = $ph1ent['nat_traversal']; $init = "on"; - $genp = "off"; + $genp = !empty($ph1ent['generate_policy']) ? $ph1ent['generate_policy'] : "off"; $pcheck = !empty($ph1ent['proposal_check']) ? $ph1ent['proposal_check'] : $pcheck = "claim"; $passive = ""; if (isset($ph1ent['mobile'])) { @@ -490,10 +490,10 @@ function vpn_ipsec_configure($ipchg = false) /* Mimic 1.2.3's behavior for pure-psk mobile tunnels */ if ($ph1ent['authentication_method'] == "pre_shared_key") { $pcheck = !empty($ph1ent['proposal_check']) ? $ph1ent['proposal_check'] : $pcheck = "obey"; - $genp = "on"; + $genp = !empty($ph1ent['generate_policy']) ? $ph1ent['generate_policy'] : "on"; } else { $init = "off"; - $genp = "unique"; + $genp = !empty($ph1ent['generate_policy']) ? $ph1ent['generate_policy'] : "unique"; } } @@ -864,8 +864,7 @@ EOD; /* FIXME: does adding route-to and reply-to on the in/outbound * rules fix this? smos@ 13-01-2009 */ // log_error("IPSEC interface is not WAN but {$parentinterface}, adding static route for VPN endpoint {$rgip} via {$gatewayip}"); - mwexec("/sbin/route delete -host {$rgip}"); - mwexec("/sbin/route add -host {$rgip} {$gatewayip}"); + mwexec("/sbin/route delete -host {$rgip}; /sbin/route add -host {$rgip} {$gatewayip}", true); } } } @@ -913,7 +912,7 @@ EOD; $hostnames = ""; array_unique($filterdns_list); foreach ($filterdns_list as $hostname) - $hostnames .= "cmd {$hostname} '/etc/rc.newipsecdns'\n"; + $hostnames .= "cmd {$hostname} '/usr/local/sbin/pfSctl -c \"service reload ipsecdns\"'\n"; file_put_contents("{$g['varetc_path']}/filterdns-ipsec.hosts", $hostnames); killbypid("{$g['varrun_path']}/filterdns-ipsec.pid"); diff --git a/etc/rc.bootup b/etc/rc.bootup index e71c430..2f0c2cd 100755 --- a/etc/rc.bootup +++ b/etc/rc.bootup @@ -322,7 +322,7 @@ system_do_shell_commands(); /* start IPsec tunnels */ vpn_ipsec_configure(); /* Reload dynamic hostname tunnels after bootup finishes */ -mwexec_bg("/etc/rc.newipsecdns"); +send_event("service reload ipsecdns"); /* start SNMP service */ services_snmpd_configure(); diff --git a/etc/rc.filter_synchronize b/etc/rc.filter_synchronize index 6acadc0..af0e5cc 100755 --- a/etc/rc.filter_synchronize +++ b/etc/rc.filter_synchronize @@ -390,7 +390,7 @@ if (is_array($config['installedpackages']['carpsettings']['config'])) { update_filter_reload_status("Signaling CARP reload signal..."); carp_sync_xml($synchronizetoip, $carp['password'], $sections, $port); if (is_array($mergesections)) - carp_sync_xml($synchronizetoip, $carp['password'], $mergesections, $port, 'pfsense.merge_config_section'); + carp_sync_xml($synchronizetoip, $carp['password'], $mergesections, $port, 'pfsense.restore_config_section'); $cli = new XML_RPC_Client('/xmlrpc.php', $synchronizetoip, $port); $params = array( XML_RPC_encode($carp['password']) diff --git a/etc/rc.newwanip b/etc/rc.newwanip index 0395099..93eb089 100755 --- a/etc/rc.newwanip +++ b/etc/rc.newwanip @@ -51,7 +51,7 @@ function restart_packages() { /* restart packages */ system_ntp_configure(); log_error("{$g['product_name']} package system has detected an ip change $oldip -> $curwanip ... Restarting packages."); - mwexec_bg("/etc/rc.start_packages"); + send_event("reload packages"); } /* Interface IP address has changed */ diff --git a/etc/rc.php_ini_setup b/etc/rc.php_ini_setup index 67aceaf..5a138ed 100755 --- a/etc/rc.php_ini_setup +++ b/etc/rc.php_ini_setup @@ -112,6 +112,8 @@ PHPMODULES="$PHPMODULES pdo" PHPMODULES="$PHPMODULES sqlite" # ZeroMQ PHPMODULES="$PHPMODULES zmq" +# SSH2 +PHPMODULES="$PHPMODULES ssh2" # pfSense extensions PHPMODULES="$PHPMODULES pfSense" diff --git a/etc/rc.restart_webgui b/etc/rc.restart_webgui index 463f934..e74f201 100755 --- a/etc/rc.restart_webgui +++ b/etc/rc.restart_webgui @@ -8,10 +8,15 @@ require("shaper.inc"); require("captiveportal.inc"); require("rrd.inc"); -mwexec("killall -9 lighttpd"); - echo "Restarting webConfigurator..."; +sigkillbyname("lighttpd", "INT"); + +while (is_process_running("lighttpd")) { + echo '.'; + sleep(1); +} + system_webgui_start(); captiveportal_init_webgui(); diff --git a/etc/rc.shutdown b/etc/rc.shutdown index 14faf80..c7e8b25 100755 --- a/etc/rc.shutdown +++ b/etc/rc.shutdown @@ -5,10 +5,6 @@ if ! /usr/bin/lockf -s -t 30 /tmp/config.lock /usr/bin/true; then exit -1 fi -if [ -e /dev/ukbd0 ]; then - /usr/sbin/vidcontrol -s 2 -fi - product=`cat /etc/inc/globals.inc | grep product_name | cut -d'"' -f4` echo diff --git a/etc/rc.stop_packages b/etc/rc.stop_packages index 95e77fd..f20fa04 100755..100644 --- a/etc/rc.stop_packages +++ b/etc/rc.stop_packages @@ -51,7 +51,7 @@ else { if (is_array($config['installedpackages']['package'])) { foreach($config['installedpackages']['package'] as $package) { - echo " Stoping package {$package['name']}..."; + echo " Stopping package {$package['name']}..."; stop_service($package['name']); unset($rcfiles["{$rcfileprefix}{$package['name']}.sh"]); echo "done.\n"; @@ -61,7 +61,7 @@ if (is_array($config['installedpackages']['package'])) { $shell = @popen("/bin/sh", "w"); if ($shell) { foreach ($rcfiles as $rcfile => $number) { - echo " Stoping {$rcfile}..."; + echo " Stopping {$rcfile}..."; fwrite($shell, "{$rcfile} stop >>/tmp/bootup_messages 2>&1"); echo "done.\n"; } diff --git a/usr/local/pkg/routed.inc b/usr/local/pkg/routed.inc index 4d1b1d8..ec730d5 100644 --- a/usr/local/pkg/routed.inc +++ b/usr/local/pkg/routed.inc @@ -39,10 +39,15 @@ function setup_routed() { if (isset($config['installedpackages']['routed']['config'][0]['enable']) && $config['installedpackages']['routed']['config'][0]['enable'] == "on") { /* if user selected individual interfaces */ - $ifarr = explode(",", $config['installedpackages']['routed']['config'][0]['iface_array']); + $ifarr = array_flip(explode(",", $config['installedpackages']['routed']['config'][0]['iface_array'])); + $allifs = get_interface_arr(); if (!empty($ifarr)) { - foreach($ifarr as $ifname) { - $gw .= setup_etc_gateways($ifname, 'enable'); + foreach($allifs as $ifname) { + $friendly_ifname = convert_real_interface_to_friendly_interface_name($ifname); + if (array_key_exists($friendly_ifname, $ifarr)) + $gw .= setup_etc_gateways($ifname, 'enable'); + else + $gw .= setup_etc_gateways($ifname, 'disable'); } } else /* setup for all interfaces */ @@ -76,7 +81,7 @@ function setup_etc_gateways($iface="", $mode="") { } break; case "disable": - $ret .= "no_rip "; + $ret .= "no_rip_out no_solicit no_rdisc no_rdisc_adv"; break; default: diff --git a/usr/local/www/diag_backup.php b/usr/local/www/diag_backup.php index 598f4d6..9d28375 100755 --- a/usr/local/www/diag_backup.php +++ b/usr/local/www/diag_backup.php @@ -158,6 +158,8 @@ if ($_POST) { $mode = "restore"; else if (stristr($_POST['Submit'], gettext("Reinstall"))) $mode = "reinstallpackages"; + else if (stristr($_POST['Submit'], gettext("Clear Package Lock"))) + $mode = "clearpackagelock"; else if (stristr($_POST['Submit'], gettext("Download"))) $mode = "download"; else if (stristr($_POST['Submit'], gettext("Restore version"))) @@ -470,6 +472,9 @@ if ($_POST) { header("Location: pkg_mgr_install.php?mode=reinstallall"); exit; + } else if ($mode == "clearpackagelock") { + clear_subsystem_dirty('packagelock'); + $savemsg = "Package Lock Cleared"; } else if ($mode == "restore_ver") { $input_errors[] = gettext("XXX - this feature may hose your config (do NOT backrev configs!) - billm"); if ($ver2restore <> "") { @@ -655,13 +660,17 @@ function backuparea_change(obj) { <td colspan="2" class="list" height="12"> </td> </tr> <tr> - <td colspan="2" class="listtopic"><?=gettext("Reinstall packages"); ?></td> + <td colspan="2" class="listtopic"><?=gettext("Package Functions"); ?></td> </tr> <tr> <td width="22%" valign="baseline" class="vncell"> </td> <td width="78%" class="vtable"> <p><?=gettext("Click this button to reinstall all system packages. This may take a while."); ?> <br /><br /> <input name="Submit" type="submit" class="formbtn" id="reinstallpackages" value="<?=gettext("Reinstall packages"); ?>"> + <br/> + <br/> + <p><?=gettext("Click this button to clear the package lock if a package fails to reinstall properly after an upgrade."); ?> <br /><br /> + <input name="Submit" type="submit" class="formbtn" id="clearpackagelock" value="<?=gettext("Clear Package Lock"); ?>"> </td> </tr> <?php } ?> diff --git a/usr/local/www/diag_ipsec_sad.php b/usr/local/www/diag_ipsec_sad.php index 7ee8b72..e08feba 100755 --- a/usr/local/www/diag_ipsec_sad.php +++ b/usr/local/www/diag_ipsec_sad.php @@ -90,6 +90,7 @@ if ($_GET['act'] == "del") { <td nowrap class="listhdrr"><?=gettext("SPI");?></td> <td nowrap class="listhdrr"><?=gettext("Enc. alg.");?></td> <td nowrap class="listhdr"><?=gettext("Auth. alg.");?></td> + <td nowrap class="listhdr"><?=gettext("Data");?></td> <td nowrap class="list"></td> </tr> <?php foreach ($sad as $sa): ?> @@ -100,6 +101,7 @@ if ($_GET['act'] == "del") { <td class="listr"><?=htmlspecialchars($sa['spi']);?></td> <td class="listr"><?=htmlspecialchars($sa['ealgo']);?></td> <td class="listr"><?=htmlspecialchars($sa['aalgo']);?></td> + <td class="listr"><?=htmlspecialchars($sa['data']);?></td> <td class="list" nowrap> <?php $args = "src=" . rawurlencode($sa['src']); diff --git a/usr/local/www/fbegin.inc b/usr/local/www/fbegin.inc index 89d1555..e86035f 100755 --- a/usr/local/www/fbegin.inc +++ b/usr/local/www/fbegin.inc @@ -89,7 +89,10 @@ if ($g['platform'] == "pfSense" or $g['platform'] == "nanobsd") $system_menu[] = array(gettext("Setup Wizard"), "/wizard.php?xml=setup_wizard.xml"); $system_menu[] = array(gettext("Routing"), "/system_gateways.php"); $system_menu[] = array(gettext("Cert Manager"), "/system_camanager.php"); -$system_menu[] = array(gettext("User Manager"), "/system_usermanager.php"); +if (!isAllowedPage("system_usermanager.php*")) + $system_menu[] = array(gettext("User Manager"), "/system_usermanager_passwordmg.php"); +else + $system_menu[] = array(gettext("User Manager"), "/system_usermanager.php"); $system_menu = msort(array_merge($system_menu, return_ext_menu("System")),0); // Interfaces diff --git a/usr/local/www/firewall_aliases.php b/usr/local/www/firewall_aliases.php index 4a16bac..575240c 100755 --- a/usr/local/www/firewall_aliases.php +++ b/usr/local/www/firewall_aliases.php @@ -160,7 +160,7 @@ include("head.inc"); <?php print_info_box_np(gettext("The alias list has been changed.") . "<br>" . gettext("You must apply the changes in order for them to take effect."));?> <?php endif; ?> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<table width="100%" border="0" cellpadding="0" cellspacing="0" class="tabcont"> <tr> <td width="25%" class="listhdrr"><?=gettext("Name"); ?></td> <td width="25%" class="listhdrr"><?=gettext("Values"); ?></td> diff --git a/usr/local/www/firewall_nat_1to1_edit.php b/usr/local/www/firewall_nat_1to1_edit.php index e9f4577..135d0e9 100755 --- a/usr/local/www/firewall_nat_1to1_edit.php +++ b/usr/local/www/firewall_nat_1to1_edit.php @@ -99,6 +99,15 @@ if ($_POST) { unset($input_errors); $pconfig = $_POST; + /* run through $_POST items encoding HTML entties so that the user + * cannot think he is slick and perform a XSS attack on the unwilling + */ + foreach ($_POST as $key => $value) { + $temp = str_replace(">", "", $value); + $newpost = htmlentities($temp); + if($newpost <> $temp) + $input_errors[] = sprintf(gettext("Invalid characters detected (%s). Please remove invalid characters and save again."),$temp); + } /* input validation */ $reqdfields = explode(" ", "interface external"); diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php index 3dc1d83..5aa069c 100755 --- a/usr/local/www/firewall_nat_edit.php +++ b/usr/local/www/firewall_nat_edit.php @@ -101,6 +101,7 @@ if (isset($_GET['dup'])) /* run through $_POST items encoding HTML entties so that the user * cannot think he is slick and perform a XSS attack on the unwilling */ +unset($input_errors); foreach ($_POST as $key => $value) { $temp = $value; $newpost = htmlentities($temp); @@ -173,7 +174,6 @@ if ($_POST) { $_POST['dsttype'] = "single"; } - unset($input_errors); $pconfig = $_POST; /* input validation */ @@ -290,6 +290,9 @@ if ($_POST) { } } + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/input_validation"); + if (!$input_errors) { $natent = array(); @@ -410,6 +413,9 @@ if ($_POST) { mark_subsystem_dirty('filter'); } + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/pre_write_config"); + // Update the NAT entry now if (isset($id) && $a_nat[$id]) $a_nat[$id] = $natent; @@ -443,6 +449,10 @@ include("fbegin.inc"); ?> <tr> <td colspan="2" valign="top" class="listtopic"><?=gettext("Edit Redirect entry"); ?></td> </tr> +<?php + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/htmlphpearly"); +?> <tr> <td width="22%" valign="top" class="vncellreq"><?=gettext("Disabled"); ?></td> <td width="78%" class="vtable"> @@ -817,6 +827,10 @@ include("fbegin.inc"); ?> </select> </td> </tr><?php endif; ?> +<?php + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/htmlphplate"); +?> <tr> <td width="22%" valign="top"> </td> <td width="78%"> </td> diff --git a/usr/local/www/firewall_nat_out.php b/usr/local/www/firewall_nat_out.php index e6b5900..b8506d8 100755 --- a/usr/local/www/firewall_nat_out.php +++ b/usr/local/www/firewall_nat_out.php @@ -125,6 +125,17 @@ if (isset($_POST['save']) && $_POST['save'] == "Save") { $natent['natport'] = ""; $a_out[] = $natent; + $natent = array(); + $natent['source']['network'] = "127.0.0.0/8"; + $natent['dstport'] = ""; + $natent['descr'] = sprintf(gettext('Auto created rule for localhost to %1$s'),$ifdesc2); + $natent['target'] = ""; + $natent['interface'] = $if2; + $natent['destination']['any'] = true; + $natent['staticnatport'] = false; + $natent['natport'] = "1024:65535"; + $a_out[] = $natent; + /* PPTP subnet */ if (($config['pptpd']['mode'] == "server") && is_private_ip($config['pptpd']['remoteip'])) { $pptp_subnets = ip_range_to_subnet_array($config['pptpd']['remoteip'], long2ip32(ip2long($config['pptpd']['remoteip'])+$config['pptpd']['n_pptp_units'])); diff --git a/usr/local/www/firewall_nat_out_edit.php b/usr/local/www/firewall_nat_out_edit.php index 4d960f2..72bc556 100755 --- a/usr/local/www/firewall_nat_out_edit.php +++ b/usr/local/www/firewall_nat_out_edit.php @@ -46,7 +46,7 @@ require("filter.inc"); require("shaper.inc"); if (!is_array($config['nat']['advancedoutbound'])) - $config['nat']['advancedoutbound'] = array(); + $config['nat']['advancedoutbound'] = array(); if (!is_array($config['nat']['advancedoutbound']['rule'])) { $config['nat']['advancedoutbound']['rule'] = array(); @@ -115,6 +115,15 @@ if ($_POST) { unset($input_errors); $pconfig = $_POST; + /* run through $_POST items encoding HTML entties so that the user + * cannot think he is slick and perform a XSS attack on the unwilling + */ + foreach ($_POST as $key => $value) { + $temp = str_replace(">", "", $value); + $newpost = htmlentities($temp); + if($newpost <> $temp) + $input_errors[] = sprintf(gettext("Invalid characters detected (%s). Please remove invalid characters and save again."),$temp); + } /* input validation */ $reqdfields = explode(" ", "interface protocol source source_subnet destination destination_subnet"); @@ -209,6 +218,9 @@ if ($_POST) { } } + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_aon/input_validation"); + if (!$input_errors) { $natent = array(); $natent['source']['network'] = $osn; @@ -265,6 +277,9 @@ if ($_POST) { $natent['destination']['not'] = true; } + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_aon/pre_write_config"); + if (isset($id) && $a_out[$id]) { $a_out[$id] = $natent; } else { @@ -387,6 +402,10 @@ function poolopts_change() { <tr> <td colspan="2" valign="top" class="listtopic"><?=gettext("Edit Advanced Outbound NAT entry");?></td> </tr> +<?php + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_rules/htmlphpearly"); +?> <tr> <td width="22%" valign="top" class="vncell"><?=gettext("Do not NAT");?></td> <td width="78%" class="vtable"> @@ -620,6 +639,10 @@ any)");?></td> <br> <span class="vexpl"><?=gettext("You may enter a description here " . "for your reference (not parsed).");?></span></td> </tr> +<?php + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_aon/htmlphplate"); +?> <tr> <td width="22%" valign="top"> </td> <td width="78%"> diff --git a/usr/local/www/firewall_rules.php b/usr/local/www/firewall_rules.php index daf577a..82d0323 100755 --- a/usr/local/www/firewall_rules.php +++ b/usr/local/www/firewall_rules.php @@ -126,12 +126,12 @@ if($_REQUEST['dragdroporder']) { $icmptypes = array( "" => gettext("any"), + "echoreq" => gettext("Echo request"), "echorep" => gettext("Echo reply"), "unreach" => gettext("Destination unreachable"), "squench" => gettext("Source quench"), "redir" => gettext("Redirect"), "althost" => gettext("Alternate Host"), - "echoreq" => gettext("Echo"), "routeradv" => gettext("Router advertisement"), "routersol" => gettext("Router solicitation"), "timex" => gettext("Time exceeded"), diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php index c051518..acebe3c 100755 --- a/usr/local/www/firewall_rules_edit.php +++ b/usr/local/www/firewall_rules_edit.php @@ -253,19 +253,6 @@ if ($_POST) { unset($input_errors); $pconfig = $_POST; - /* run through $_POST items encoding HTML entties so that the user - * cannot think he is slick and perform a XSS attack on the unwilling - */ - foreach ($_POST as $key => $value) { - $temp = str_replace(">", "", $value); - - if (isset($_POST['floating']) && $key == "interface") - continue; - $newpost = htmlentities($temp); - if($newpost <> $temp) - $input_errors[] = sprintf(gettext("Invalid characters detected (%s). Please remove invalid characters and save again."),$temp); - } - /* input validation */ $reqdfields = explode(" ", "type proto"); if ( isset($a_filter[$id]['associated-rule-id'])===false ) { @@ -401,6 +388,9 @@ if ($_POST) { $input_errors[] = gettext("If you specify TCP flags that should be set you should specify out of which flags as well."); } + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_rules/input_validation"); + if (!$input_errors) { $filterent = array(); $filterent['id'] = $_POST['ruleid']>0?$_POST['ruleid']:''; @@ -544,6 +534,9 @@ if ($_POST) { $filterent['associated-rule-id'] = $a_filter[$id]['associated-rule-id']; } + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_rules/pre_write_config"); + if (isset($id) && $a_filter[$id]) $a_filter[$id] = $filterent; else { @@ -554,6 +547,7 @@ if ($_POST) { } filter_rules_sort(); + write_config(); mark_subsystem_dirty('filter'); @@ -596,6 +590,10 @@ include("head.inc"); <tr> <td colspan="2" valign="top" class="listtopic"><?=gettext("Edit Firewall rule");?></td> </tr> +<?php + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_rules/htmlphpearly"); +?> <tr> <td width="22%" valign="top" class="vncellreq"><?=gettext("Action");?></td> <td width="78%" class="vtable"> @@ -748,12 +746,12 @@ include("head.inc"); <?php $icmptypes = array( "" => gettext("any"), + "echoreq" => gettext("Echo request"), "echorep" => gettext("Echo reply"), "unreach" => gettext("Destination unreachable"), "squench" => gettext("Source quench"), "redir" => gettext("Redirect"), "althost" => gettext("Alternate Host"), - "echoreq" => gettext("Echo"), "routeradv" => gettext("Router advertisement"), "routersol" => gettext("Router solicitation"), "timex" => gettext("Time exceeded"), @@ -1381,6 +1379,10 @@ include("head.inc"); </div> </td> </tr> +<?php + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_rules/htmlphplate"); +?> <tr> <td width="22%" valign="top"> </td> <td width="78%"> diff --git a/usr/local/www/guiconfig.inc b/usr/local/www/guiconfig.inc index 6b3aefd..63fadab 100755 --- a/usr/local/www/guiconfig.inc +++ b/usr/local/www/guiconfig.inc @@ -249,6 +249,7 @@ function print_input_errors($input_errors) { global $g; print <<<EOF + <div id='inputerrorsdiv' name='inputerrorsdiv'> <p> <table border="0" cellspacing="0" cellpadding="4" width="100%"> <tr> @@ -269,6 +270,7 @@ EOF; </span> </td></tr> </table> + </div> </p> <br> EOF2; diff --git a/usr/local/www/interfaces.php b/usr/local/www/interfaces.php index 899e209..b37b6cb 100755 --- a/usr/local/www/interfaces.php +++ b/usr/local/www/interfaces.php @@ -711,6 +711,15 @@ if ($_POST['apply']) { } else { $wancfg['mss'] = $_POST['mss']; } + if (empty($_POST['mediaopt'])) { + unset($wancfg['media']); + unset($wancfg['mediaopt']); + } else { + $mediaopts = explode(' ', $_POST['mediaopt']); + if ($mediaopts[0] != ''){ $wancfg['media'] = $mediaopts[0]; } + if ($mediaopts[1] != ''){ $wancfg['mediaopt'] = $mediaopts[1]; } + else { unset($wancfg['mediaopt']); } + } if (isset($wancfg['wireless'])) { handle_wireless_post(); } @@ -897,6 +906,21 @@ function check_wireless_mode() { } } +// Find all possible media options for the interface +$mediaopts_list = array(); +$intrealname = $config['interfaces'][$if]['if']; +exec("/sbin/ifconfig -m $intrealname | grep \"media \"", $mediaopts); +foreach ($mediaopts as $mediaopt){ + preg_match("/media (.*)/", $mediaopt, $matches); + if (preg_match("/(.*) mediaopt (.*)/", $matches[1], $matches1)){ + // there is media + mediaopt like "media 1000baseT mediaopt full-duplex" + array_push($mediaopts_list, $matches1[1] . " " . $matches1[2]); + }else{ + // there is only media like "media 1000baseT" + array_push($mediaopts_list, $matches[1]); + } +} + $pgtitle = array(gettext("Interfaces"), $pconfig['descr']); $statusurl = "status_interfaces.php"; @@ -1128,7 +1152,7 @@ $types = array("none" => gettext("None"), "static" => gettext("Static"), "dhcp" <?php endif; ?> <br> <?=gettext("This field can be used to modify (\"spoof\") the MAC " . - "address of the WAN interface"); ?><br> + "address of this interface"); ?><br> <?=gettext("(may be required with some cable connections)"); ?><br> <?=gettext("Enter a MAC address in the following format: xx:xx:xx:xx:xx:xx " . "or leave blank"); ?> @@ -1153,6 +1177,36 @@ $types = array("none" => gettext("None"), "static" => gettext("Static"), "dhcp" "header size) will be in effect."); ?> </td> </tr> + <?php + if (count($mediaopts_list) > 0){ + $mediaopt_from_config = $config['interfaces'][$if]['media'] . ' ' . $config['interfaces'][$if]['mediaopt']; + echo "<tr>"; + echo '<td valign="top" class="vncell">' . gettext("Speed and duplex") . '</td>'; + echo '<td class="vtable">'; + echo '<div id="showadvmediabox"'; + if ($mediaopt_from_config != 'autoselect ' && $mediaopt_from_config != ' ') echo " style='display:none'>"; + else echo '>'; + echo '<input type="button" onClick="show_advanced_media()" value="' . gettext("Advanced") . '"></input> - ' . gettext("Show advanced option"); + echo "</div>"; + echo '<div id="showmediaadv" '; + if ($mediaopt_from_config == 'autoselect ' || $mediaopt_from_config == ' ') echo "style='display:none'>"; + else echo '>'; + echo '<select name="mediaopt" class="formselect" id="mediaopt">'; + print "<option value=\"\">Default</option>"; + foreach($mediaopts_list as $mediaopt){ + if ($mediaopt != rtrim($mediaopt_from_config)){ + print "<option value=\"$mediaopt\">" . gettext("$mediaopt") . "</option>"; + } else { + print "<option value=\"$mediaopt\" selected>" . gettext("$mediaopt") . "</option>"; + } + } + echo '</select><br>'; + echo gettext("Here you can explicitly set speed and duplex mode for this interface. WARNING: You MUST leave this set to autonegotiate unless the port this interface connects to has its speed and duplex forced."); + echo '</div>'; + echo '</td>'; + echo '</tr>'; + } + ?> <tr> <td colspan="2" valign="top" height="16"></td> </tr> @@ -2157,6 +2211,11 @@ $types = array("none" => gettext("None"), "static" => gettext("Static"), "dhcp" report_failure(); } } + function show_advanced_media() { + document.getElementById("showadvmediabox").innerHTML=''; + aodiv = document.getElementById('showmediaadv'); + aodiv.style.display = "block"; + } <?php echo "show_allcfg(document.iform.enable);"; echo "updateType('{$pconfig['type']}');\n"; diff --git a/usr/local/www/interfaces_vlan_edit.php b/usr/local/www/interfaces_vlan_edit.php index 145fe0a..08f1a53 100755 --- a/usr/local/www/interfaces_vlan_edit.php +++ b/usr/local/www/interfaces_vlan_edit.php @@ -97,9 +97,13 @@ if ($_POST) { if (!$input_errors) { if (isset($id) && $a_vlans[$id]) { - if ($a_vlans[$id]['if'] != $_POST['if']) - // Destroy previous vlan - pfSense_interface_destroy($a_vlans[$id]['if']); + if (($a_vlans[$id]['if'] != $_POST['if']) || ($a_vlans[$id]['tag'] != $_POST['tag'])) { + if (!empty($a_vlans[$id]['vlanif'])) + // Destroy previous vlan + pfSense_interface_destroy($a_vlans[$id]['vlanif']); + else + pfSense_interface_destroy("{$a_vlans[$id]['if']}_vlan{$a_vlans[$id]['tag']}"); + } } $vlan = array(); $vlan['if'] = $_POST['if']; diff --git a/usr/local/www/services_captiveportal.php b/usr/local/www/services_captiveportal.php index 23e6cd9..4526028 100755 --- a/usr/local/www/services_captiveportal.php +++ b/usr/local/www/services_captiveportal.php @@ -474,7 +474,7 @@ value="<?=htmlspecialchars($pconfig['maxprocperip']);?>"> <?=gettext("per client </tr> <tr> <td colspan="2"><input name="auth_method" type="radio" id="auth_method" value="local" onClick="enable_change(false)" <?php if($pconfig['auth_method']=="local") echo "checked"; ?>> - <?=gettext("Local"); ?> <a href="system_usermanager.php"><?=gettext("User Manager"); ?></a></td> + <?=gettext("Local"); ?> <a href="system_usermanager.php"><?=gettext("User Manager"); ?></a> / <?=gettext("Vouchers"); ?></td> </tr> <tr> <td colspan="2"><input name="auth_method" type="radio" id="auth_method" value="radius" onClick="enable_change(false)" <?php if($pconfig['auth_method']=="radius") echo "checked"; ?>> @@ -520,8 +520,7 @@ value="<?=htmlspecialchars($pconfig['maxprocperip']);?>"> <?=gettext("per client </tr> <tr> <td class="vncell" valign="top"><?=gettext("Shared secret"); ?> </td> - <td class="vtable"><input name="radiuskey2" type="text" class="formfld unknown" id="radiuskey2" size="16" -value="<?=htmlspecialchars($pconfig['radiuskey2']);?>"></td> + <td class="vtable"><input name="radiuskey2" type="text" class="formfld unknown" id="radiuskey2" size="16" value="<?=htmlspecialchars($pconfig['radiuskey2']);?>"></td> </tr> <tr> <td colspan="2" class="list" height="12"></td> diff --git a/usr/local/www/services_captiveportal_ip_edit.php b/usr/local/www/services_captiveportal_ip_edit.php index fd87c5b..01d52a2 100755 --- a/usr/local/www/services_captiveportal_ip_edit.php +++ b/usr/local/www/services_captiveportal_ip_edit.php @@ -159,6 +159,9 @@ include("head.inc"); <form action="services_captiveportal_ip_edit.php" method="post" name="iform" id="iform"> <table width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> + <td colspan="2" valign="top" class="listtopic"><?=gettext("Edit allowed ip rule");?></td> + </tr> + <tr> <td width="22%" valign="top" class="vncellreq"><?=gettext("Direction"); ?></td> <td width="78%" class="vtable"> <select name="dir" class="formfld"> diff --git a/usr/local/www/services_captiveportal_mac.php b/usr/local/www/services_captiveportal_mac.php index 25c250c..f42ac80 100755 --- a/usr/local/www/services_captiveportal_mac.php +++ b/usr/local/www/services_captiveportal_mac.php @@ -108,6 +108,7 @@ if ($_GET['act'] == "del") { if ($a_passthrumacs[$_GET['id']]) { $ruleno = captiveportal_get_ipfw_passthru_ruleno($a_passthrumacs[$_GET['id']]['mac']); if ($ruleno) { + captiveportal_free_ipfw_ruleno($ruleno); mwexec("/sbin/ipfw delete {$ruleno}; /sbin/ipfw delete " . ++$ruleno); } unset($a_passthrumacs[$_GET['id']]); diff --git a/usr/local/www/services_captiveportal_mac_edit.php b/usr/local/www/services_captiveportal_mac_edit.php index aabf4b3..07f6d8c 100755 --- a/usr/local/www/services_captiveportal_mac_edit.php +++ b/usr/local/www/services_captiveportal_mac_edit.php @@ -153,6 +153,9 @@ include("head.inc"); <?php if ($input_errors) print_input_errors($input_errors); ?> <form action="services_captiveportal_mac_edit.php" method="post" name="iform" id="iform"> <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="top" class="listtopic"><?=gettext("Edit Pass-through MAC address");?></td> + </tr> <tr> <td width="22%" valign="top" class="vncellreq"><?=gettext("MAC address"); ?></td> <td width="78%" class="vtable"> diff --git a/usr/local/www/services_captiveportal_vouchers.php b/usr/local/www/services_captiveportal_vouchers.php index 19171f4..f5af953 100644 --- a/usr/local/www/services_captiveportal_vouchers.php +++ b/usr/local/www/services_captiveportal_vouchers.php @@ -39,6 +39,8 @@ $statusurl = "status_captiveportal_vouchers.php"; $logurl = "diag_logs_auth.php"; +if ($_POST['postafterlogin']) + $nocsrf= true; require("guiconfig.inc"); require("functions.inc"); require("filter.inc"); @@ -163,6 +165,12 @@ $pconfig['vouchersyncusername'] = $config['voucher']['vouchersyncusername']; if ($_POST) { unset($input_errors); + + if ($_POST['postafterlogin']) { + voucher_expire($_POST['voucher_expire']); + exit; + } + $pconfig = $_POST; /* input validation */ @@ -198,6 +206,8 @@ if ($_POST) { $input_errors[] = gettext("This doesn't look like an RSA Public key."); if ($_POST['privatekey'] && (!strstr($_POST['privatekey'],"BEGIN RSA PRIVATE KEY"))) $input_errors[] = gettext("This doesn't look like an RSA Private key."); + if ($_POST['vouchersyncdbip'] && (is_ipaddr_configured($_POST['vouchersyncdbip']))) + $input_errors[] = gettext("You cannot sync the voucher database to this host (itself)."); } if (!$input_errors) { @@ -558,7 +568,8 @@ function enable_change(enable_change) { <td width="22%" valign="top" class="vncellreq"><?=gettext("Synchronize Voucher Database IP"); ?></td> <td width="78%" class="vtable"> <input name="vouchersyncdbip" type="text" class="formfld" id="vouchersyncdbip" size="17" value="<?=htmlspecialchars($pconfig['vouchersyncdbip']);?>"> - <br><?=gettext("IP address of master nodes webConfigurator to synchronize voucher database and used vouchers from."); ?> + <br/><?=gettext("IP address of master nodes webConfigurator to synchronize voucher database and used vouchers from."); ?> + <br/><?=gettext("NOTE: this should be setup on the slave nodes and not the primary node!"); ?> </td> </tr> <tr> diff --git a/usr/local/www/services_wol.php b/usr/local/www/services_wol.php index cdc3e6a..37d4155 100755 --- a/usr/local/www/services_wol.php +++ b/usr/local/www/services_wol.php @@ -156,7 +156,7 @@ include("head.inc"); <br> <?=gettext("Wake all clients at once: ");?><a href="services_wol.php?wakeall=true"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_wol_all.gif" width="17" height="17" border="0"></a><p/> <?=gettext("Or Click the MAC address to wake up an individual device:");?> - <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <table width="100%" border="0" cellpadding="0" cellspacing="0" class="tabcont"> <tr> <td width="15%" class="listhdrr"><?=gettext("Interface");?></td> <td width="25%" class="listhdrr"><?=gettext("MAC address");?></td> diff --git a/usr/local/www/status_interfaces.php b/usr/local/www/status_interfaces.php index 6c98a34..db88536 100755 --- a/usr/local/www/status_interfaces.php +++ b/usr/local/www/status_interfaces.php @@ -180,7 +180,7 @@ include("head.inc"); <?php $mac=$ifinfo['macaddr']; $mac_hi = strtoupper($mac[0] . $mac[1] . $mac[3] . $mac[4] . $mac[6] . $mac[7]); - if(isset($mac_man[$mac_hi])){ print "<span title=\"$mac\">" . htmlspecialchars($mac_man[$mac_hi]); print "</span>"; } + if(isset($mac_man[$mac_hi])){ print "<span>" . $mac . " - " . htmlspecialchars($mac_man[$mac_hi]); print "</span>"; } else {print htmlspecialchars($mac);} ?> </td> diff --git a/usr/local/www/status_rrd_graph_img.php b/usr/local/www/status_rrd_graph_img.php index a2aa6d2..15a096b 100644 --- a/usr/local/www/status_rrd_graph_img.php +++ b/usr/local/www/status_rrd_graph_img.php @@ -940,8 +940,9 @@ elseif((strstr($curdatabase, "-loggedin.rrd")) && (file_exists("$rrddbpath$curda $graphcmd .= "--height 200 --width 620 "; $graphcmd .= "DEF:\"$curif-loggedinusers=$rrddbpath$curdatabase:loggedinusers:AVERAGE\" "; $graphcmd .= "CDEF:\"$curif-totalusers_t=PREV,UN,0,PREV,IF,$curif-loggedinusers,+\" "; - $graphcmd .= "AREA:\"$curif-totalusers_t#{$colorcaptiveportalusers[0]}:Total logged in users\" "; - $graphcmd .= "GPRINT:\"$curif-totalusers_t:MAX:%8.0lf \\n\" "; + $graphcmd .= "CDEF:\"$curif-totalusers_d=$curif-totalusers_t,FLOOR\" "; + $graphcmd .= "AREA:\"$curif-totalusers_d#{$colorcaptiveportalusers[0]}:Total logged in users\" "; + $graphcmd .= "GPRINT:\"$curif-totalusers_d:MAX:%8.0lf \\n\" "; $graphcmd .= "COMMENT:\"\\n\" "; $graphcmd .= "COMMENT:\"\t\t\t\t\t\t\t\t\t\t\t\t\t`date +\"%b %d %H\:%M\:%S %Y\"`\" "; } diff --git a/usr/local/www/system_advanced_misc.php b/usr/local/www/system_advanced_misc.php index 51857ab..2264365 100644 --- a/usr/local/www/system_advanced_misc.php +++ b/usr/local/www/system_advanced_misc.php @@ -56,6 +56,7 @@ $pconfig['proxyuser'] = $config['system']['proxyuser']; $pconfig['proxypass'] = $config['system']['proxypass']; $pconfig['harddiskstandby'] = $config['system']['harddiskstandby']; $pconfig['lb_use_sticky'] = isset($config['system']['lb_use_sticky']); +$pconfig['gw_switch_default'] = isset($config['system']['gw_switch_default']); $pconfig['preferoldsa_enable'] = isset($config['ipsec']['preferoldsa']); $pconfig['racoondebug_enable'] = isset($config['ipsec']['racoondebug']); $pconfig['maxmss_enable'] = isset($config['system']['maxmss_enable']); @@ -106,6 +107,11 @@ if ($_POST) { else unset($config['system']['lb_use_sticky']); + if($_POST['gw_switch_default'] == "yes") + $config['system']['gw_switch_default'] = true; + else + unset($config['system']['gw_switch_default']); + if($_POST['preferoldsa_enable'] == "yes") $config['ipsec']['preferoldsa'] = true; else @@ -272,6 +278,15 @@ function maxmss_checked(obj) { </td> </tr> <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("Load Balancing"); ?></td> + <td width="78%" class="vtable"> + <input name="gw_switch_default" type="checkbox" id="gw_switch_default" value="yes" <?php if ($pconfig['gw_switch_default']) echo "checked=\"checked\""; ?> /> + <strong><?=gettext("Allow default gateway switching"); ?></strong><br/> + <?=gettext("If the link where the default gateway resides fails " . + "switch the default gateway to another available one."); ?> + </td> + </tr> + <tr> <td colspan="2" class="list" height="12"> </td> </tr> <tr> diff --git a/usr/local/www/system_camanager.php b/usr/local/www/system_camanager.php index e1b83f2..5541f83 100644 --- a/usr/local/www/system_camanager.php +++ b/usr/local/www/system_camanager.php @@ -92,6 +92,8 @@ if ($act == "del") { unset($a_ca[$id]); write_config(); $savemsg = sprintf(gettext("Certificate Authority %s and its CRLs (if any) successfully deleted"), $name) . "<br/>"; + pfSenseHeader("system_camanager.php"); + exit; } if ($act == "edit") { diff --git a/usr/local/www/system_certmanager.php b/usr/local/www/system_certmanager.php index cc1c65a..470f0cd 100644 --- a/usr/local/www/system_certmanager.php +++ b/usr/local/www/system_certmanager.php @@ -94,6 +94,8 @@ if ($act == "del") { unset($a_cert[$id]); write_config(); $savemsg = sprintf(gettext("Certificate %s successfully deleted"), $name) . "<br/>"; + pfSenseHeader("system_certmanager.php"); + exit; } if ($act == "new") { diff --git a/usr/local/www/system_usermanager.php b/usr/local/www/system_usermanager.php index d810cb9..783eb0f 100644 --- a/usr/local/www/system_usermanager.php +++ b/usr/local/www/system_usermanager.php @@ -49,311 +49,304 @@ require("certs.inc"); require("guiconfig.inc"); -if (isAllowedPage("system_usermanager")) { - // start admin user code - $pgtitle = array(gettext("System"),gettext("User Manager")); +// start admin user code +$pgtitle = array(gettext("System"),gettext("User Manager")); - $id = $_GET['id']; - if (isset($_POST['id'])) - $id = $_POST['id']; +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; - if (!is_array($config['system']['user'])) - $config['system']['user'] = array(); +if (!is_array($config['system']['user'])) + $config['system']['user'] = array(); - $a_user = &$config['system']['user']; +$a_user = &$config['system']['user']; - if ($_GET['act'] == "deluser") { +if ($_GET['act'] == "deluser") { - if (!$a_user[$id]) { - pfSenseHeader("system_usermanager.php"); - exit; - } - - local_user_del($a_user[$id]); - $userdeleted = $a_user[$id]['name']; - unset($a_user[$id]); - write_config(); - $savemsg = gettext("User")." {$userdeleted} ". - gettext("successfully deleted")."<br/>"; + if (!$a_user[$id]) { + pfSenseHeader("system_usermanager.php"); + exit; } - if ($_GET['act'] == "delpriv") { - - if (!$a_user[$id]) { - pfSenseHeader("system_usermanager.php"); - exit; - } + local_user_del($a_user[$id]); + $userdeleted = $a_user[$id]['name']; + unset($a_user[$id]); + write_config(); + $savemsg = gettext("User")." {$userdeleted} ". + gettext("successfully deleted")."<br/>"; +} +else if ($_GET['act'] == "delpriv") { - $privdeleted = $priv_list[$a_user[$id]['priv'][$_GET['privid']]]['name']; - unset($a_user[$id]['priv'][$_GET['privid']]); - local_user_set($a_user[$id]); - write_config(); - $_GET['act'] = "edit"; - $savemsg = gettext("Privilege")." {$privdeleted} ". - gettext("successfully deleted")."<br/>"; + if (!$a_user[$id]) { + pfSenseHeader("system_usermanager.php"); + exit; } - if ($_GET['act'] == "expcert") { - - if (!$a_user[$id]) { - pfSenseHeader("system_usermanager.php"); - exit; - } - - $cert =& lookup_cert($a_user[$id]['cert'][$_GET['certid']]); - - $exp_name = urlencode("{$a_user[$id]['name']}-{$cert['descr']}.crt"); - $exp_data = base64_decode($cert['crt']); - $exp_size = strlen($exp_data); + $privdeleted = $priv_list[$a_user[$id]['priv'][$_GET['privid']]]['name']; + unset($a_user[$id]['priv'][$_GET['privid']]); + local_user_set($a_user[$id]); + write_config(); + $_GET['act'] = "edit"; + $savemsg = gettext("Privilege")." {$privdeleted} ". + gettext("successfully deleted")."<br/>"; +} +else if ($_GET['act'] == "expcert") { - header("Content-Type: application/octet-stream"); - header("Content-Disposition: attachment; filename={$exp_name}"); - header("Content-Length: $exp_size"); - echo $exp_data; + if (!$a_user[$id]) { + pfSenseHeader("system_usermanager.php"); exit; } - if ($_GET['act'] == "expckey") { - - if (!$a_user[$id]) { - pfSenseHeader("system_usermanager.php"); - exit; - } + $cert =& lookup_cert($a_user[$id]['cert'][$_GET['certid']]); - $cert =& lookup_cert($a_user[$id]['cert'][$_GET['certid']]); + $exp_name = urlencode("{$a_user[$id]['name']}-{$cert['descr']}.crt"); + $exp_data = base64_decode($cert['crt']); + $exp_size = strlen($exp_data); - $exp_name = urlencode("{$a_user[$id]['name']}-{$cert['descr']}.key"); - $exp_data = base64_decode($cert['prv']); - $exp_size = strlen($exp_data); + header("Content-Type: application/octet-stream"); + header("Content-Disposition: attachment; filename={$exp_name}"); + header("Content-Length: $exp_size"); + echo $exp_data; + exit; +} +else if ($_GET['act'] == "expckey") { - header("Content-Type: application/octet-stream"); - header("Content-Disposition: attachment; filename={$exp_name}"); - header("Content-Length: $exp_size"); - echo $exp_data; + if (!$a_user[$id]) { + pfSenseHeader("system_usermanager.php"); exit; } - if ($_GET['act'] == "delcert") { + $cert =& lookup_cert($a_user[$id]['cert'][$_GET['certid']]); - if (!$a_user[$id]) { - pfSenseHeader("system_usermanager.php"); - exit; - } + $exp_name = urlencode("{$a_user[$id]['name']}-{$cert['descr']}.key"); + $exp_data = base64_decode($cert['prv']); + $exp_size = strlen($exp_data); - $certdeleted = lookup_cert($a_user[$id]['cert'][$_GET['certid']]); - $certdeleted = $certdeleted['descr']; - unset($a_user[$id]['cert'][$_GET['certid']]); - write_config(); - $_GET['act'] = "edit"; - $savemsg = gettext("Certificate")." {$certdeleted} ". - gettext("association removed.")."<br/>"; - } + header("Content-Type: application/octet-stream"); + header("Content-Disposition: attachment; filename={$exp_name}"); + header("Content-Length: $exp_size"); + echo $exp_data; + exit; +} +else if ($_GET['act'] == "delcert") { - if ($_GET['act'] == "edit") { - if (isset($id) && $a_user[$id]) { - $pconfig['usernamefld'] = $a_user[$id]['name']; - $pconfig['descr'] = $a_user[$id]['descr']; - $pconfig['expires'] = $a_user[$id]['expires']; - $pconfig['groups'] = local_user_get_groups($a_user[$id]); - $pconfig['utype'] = $a_user[$id]['scope']; - $pconfig['uid'] = $a_user[$id]['uid']; - $pconfig['authorizedkeys'] = base64_decode($a_user[$id]['authorizedkeys']); - $pconfig['priv'] = $a_user[$id]['priv']; - $pconfig['ipsecpsk'] = $a_user[$id]['ipsecpsk']; - $pconfig['disabled'] = isset($a_user[$id]['disabled']); - } + if (!$a_user[$id]) { + pfSenseHeader("system_usermanager.php"); + exit; } - if ($_GET['act'] == "new") { - /* - * set this value cause the text field is read only - * and the user should not be able to mess with this - * setting. - */ - $pconfig['utype'] = "user"; - $pconfig['lifetime'] = 3650; + $certdeleted = lookup_cert($a_user[$id]['cert'][$_GET['certid']]); + $certdeleted = $certdeleted['descr']; + unset($a_user[$id]['cert'][$_GET['certid']]); + write_config(); + $_GET['act'] = "edit"; + $savemsg = gettext("Certificate")." {$certdeleted} ". + gettext("association removed.")."<br/>"; +} +else if ($_GET['act'] == "edit") { + if (isset($id) && $a_user[$id]) { + $pconfig['usernamefld'] = $a_user[$id]['name']; + $pconfig['descr'] = $a_user[$id]['descr']; + $pconfig['expires'] = $a_user[$id]['expires']; + $pconfig['groups'] = local_user_get_groups($a_user[$id]); + $pconfig['utype'] = $a_user[$id]['scope']; + $pconfig['uid'] = $a_user[$id]['uid']; + $pconfig['authorizedkeys'] = base64_decode($a_user[$id]['authorizedkeys']); + $pconfig['priv'] = $a_user[$id]['priv']; + $pconfig['ipsecpsk'] = $a_user[$id]['ipsecpsk']; + $pconfig['disabled'] = isset($a_user[$id]['disabled']); } +} +else if ($_GET['act'] == "new") { + /* + * set this value cause the text field is read only + * and the user should not be able to mess with this + * setting. + */ + $pconfig['utype'] = "user"; + $pconfig['lifetime'] = 3650; +} - if ($_POST) { - unset($input_errors); - $pconfig = $_POST; +if ($_POST) { + unset($input_errors); + $pconfig = $_POST; - /* input validation */ - if (isset($id) && ($a_user[$id])) { - $reqdfields = explode(" ", "usernamefld"); - $reqdfieldsn = array(gettext("Username")); + /* input validation */ + if (isset($id) && ($a_user[$id])) { + $reqdfields = explode(" ", "usernamefld"); + $reqdfieldsn = array(gettext("Username")); + } else { + if (empty($_POST['name'])) { + $reqdfields = explode(" ", "usernamefld passwordfld1"); + $reqdfieldsn = array( + gettext("Username"), + gettext("Password")); } else { - if (empty($_POST['name'])) { - $reqdfields = explode(" ", "usernamefld passwordfld1"); - $reqdfieldsn = array( - gettext("Username"), - gettext("Password")); - } else { - $reqdfields = explode(" ", "usernamefld passwordfld1 name caref keylen lifetime"); - $reqdfieldsn = array( - gettext("Username"), - gettext("Password"), - gettext("Descriptive name"), - gettext("Certificate authority"), - gettext("Key length"), - gettext("Lifetime")); - } + $reqdfields = explode(" ", "usernamefld passwordfld1 name caref keylen lifetime"); + $reqdfieldsn = array( + gettext("Username"), + gettext("Password"), + gettext("Descriptive name"), + gettext("Certificate authority"), + gettext("Key length"), + gettext("Lifetime")); } + } - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); - if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['usernamefld'])) - $input_errors[] = gettext("The username contains invalid characters."); + if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['usernamefld'])) + $input_errors[] = gettext("The username contains invalid characters."); - if (strlen($_POST['usernamefld']) > 16) - $input_errors[] = gettext("The username is longer than 16 characters."); + if (strlen($_POST['usernamefld']) > 16) + $input_errors[] = gettext("The username is longer than 16 characters."); - if (($_POST['passwordfld1']) && ($_POST['passwordfld1'] != $_POST['passwordfld2'])) - $input_errors[] = gettext("The passwords do not match."); + if (($_POST['passwordfld1']) && ($_POST['passwordfld1'] != $_POST['passwordfld2'])) + $input_errors[] = gettext("The passwords do not match."); - if (isset($id) && $a_user[$id]) - $oldusername = $a_user[$id]['name']; - else - $oldusername = ""; - /* make sure this user name is unique */ - if (!$input_errors) { - foreach ($a_user as $userent) { - if ($userent['name'] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) { - $input_errors[] = gettext("Another entry with the same username already exists."); - break; - } + if (isset($id) && $a_user[$id]) + $oldusername = $a_user[$id]['name']; + else + $oldusername = ""; + /* make sure this user name is unique */ + if (!$input_errors) { + foreach ($a_user as $userent) { + if ($userent['name'] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) { + $input_errors[] = gettext("Another entry with the same username already exists."); + break; } } - /* also make sure it is not reserved */ - if (!$input_errors) { - $system_users = explode("\n", file_get_contents("/etc/passwd")); - foreach ($system_users as $s_user) { - $ent = explode(":", $s_user); - if ($ent[0] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) { - $input_errors[] = gettext("That username is reserved by the system."); - break; - } + } + /* also make sure it is not reserved */ + if (!$input_errors) { + $system_users = explode("\n", file_get_contents("/etc/passwd")); + foreach ($system_users as $s_user) { + $ent = explode(":", $s_user); + if ($ent[0] == $_POST['usernamefld'] && $oldusername != $_POST['usernamefld']) { + $input_errors[] = gettext("That username is reserved by the system."); + break; } } + } - /* - * Check for a valid expirationdate if one is set at all (valid means, - * strtotime() puts out a time stamp so any strtotime compatible time - * format may be used. to keep it simple for the enduser, we only - * claim to accept MM/DD/YYYY as inputs. Advanced users may use inputs - * like "+1 day", which will be converted to MM/DD/YYYY based on "now". - * Otherwhise such an entry would lead to an invalid expiration data. - */ - if ($_POST['expires']){ - if(strtotime($_POST['expires']) > 0){ - if (strtotime("-1 day") > strtotime(date("m/d/Y",strtotime($_POST['expires'])))) { - // Allow items to lie in the past which ends up disabling. - } else { - //convert from any strtotime compatible date to MM/DD/YYYY - $expdate = strtotime($_POST['expires']); - $_POST['expires'] = date("m/d/Y",$expdate); - } + /* + * Check for a valid expirationdate if one is set at all (valid means, + * strtotime() puts out a time stamp so any strtotime compatible time + * format may be used. to keep it simple for the enduser, we only + * claim to accept MM/DD/YYYY as inputs. Advanced users may use inputs + * like "+1 day", which will be converted to MM/DD/YYYY based on "now". + * Otherwhise such an entry would lead to an invalid expiration data. + */ + if ($_POST['expires']){ + if(strtotime($_POST['expires']) > 0){ + if (strtotime("-1 day") > strtotime(date("m/d/Y",strtotime($_POST['expires'])))) { + // Allow items to lie in the past which ends up disabling. } else { - $input_errors[] = gettext("Invalid expiration date format; use MM/DD/YYYY instead."); + //convert from any strtotime compatible date to MM/DD/YYYY + $expdate = strtotime($_POST['expires']); + $_POST['expires'] = date("m/d/Y",$expdate); } + } else { + $input_errors[] = gettext("Invalid expiration date format; use MM/DD/YYYY instead."); } + } - if (!empty($_POST['name'])) { - $ca = lookup_ca($_POST['caref']); - if (!$ca) - $input_errors[] = gettext("Invalid internal Certificate Authority") . "\n"; - } + if (!empty($_POST['name'])) { + $ca = lookup_ca($_POST['caref']); + if (!$ca) + $input_errors[] = gettext("Invalid internal Certificate Authority") . "\n"; + } - /* if this is an AJAX caller then handle via JSON */ - if (isAjax() && is_array($input_errors)) { - input_errors2Ajax($input_errors); - exit; - } + /* if this is an AJAX caller then handle via JSON */ + if (isAjax() && is_array($input_errors)) { + input_errors2Ajax($input_errors); + exit; + } - if (!$input_errors) { - conf_mount_rw(); - $userent = array(); - if (isset($id) && $a_user[$id]) - $userent = $a_user[$id]; - - isset($_POST['utype']) ? $userent['scope'] = $_POST['utype'] : $userent['scope'] = "system"; - - /* the user name was modified */ - if ($_POST['usernamefld'] <> $_POST['oldusername']) - $_SERVER['REMOTE_USER'] = $_POST['usernamefld']; - - /* the user password was mofified */ - if ($_POST['passwordfld1']) - local_user_set_password($userent, $_POST['passwordfld1']); - - $userent['name'] = $_POST['usernamefld']; - $userent['descr'] = $_POST['descr']; - $userent['expires'] = $_POST['expires']; - $userent['authorizedkeys'] = base64_encode($_POST['authorizedkeys']); - $userent['ipsecpsk'] = $_POST['ipsecpsk']; - - if($_POST['disabled']) - $userent['disabled'] = true; - else - unset($userent['disabled']); - - if (isset($id) && $a_user[$id]) - $a_user[$id] = $userent; - else { - if (!empty($_POST['name'])) { - $cert = array(); - $cert['refid'] = uniqid(); - $userent['cert'] = array(); - - $cert['descr'] = $_POST['name']; - - $subject = cert_get_subject_array($ca['crt']); - - $dn = array( - 'countryName' => $subject[0]['v'], - 'stateOrProvinceName' => $subject[1]['v'], - 'localityName' => $subject[2]['v'], - 'organizationName' => $subject[3]['v'], - 'emailAddress' => $subject[4]['v'], - 'commonName' => $userent['name']); - - cert_create($cert, $_POST['caref'], $_POST['keylen'], - (int)$_POST['lifetime'], $dn); - - if (!is_array($config['cert'])) - $config['cert'] = array(); - $config['cert'][] = $cert; - $userent['cert'][] = $cert['refid']; - } - $userent['uid'] = $config['system']['nextuid']++; - /* Add the user to All Users group. */ - foreach ($config['system']['group'] as $gidx => $group) { - if ($group['name'] == "all") { - if (!is_array($config['system']['group'][$gidx]['member'])) - $config['system']['group'][$gidx]['member'] = array(); - $config['system']['group'][$gidx]['member'][] = $userent['uid']; - break; - } - } + if (!$input_errors) { + conf_mount_rw(); + $userent = array(); + if (isset($id) && $a_user[$id]) + $userent = $a_user[$id]; - $a_user[] = $userent; - } + isset($_POST['utype']) ? $userent['scope'] = $_POST['utype'] : $userent['scope'] = "system"; + + /* the user name was modified */ + if ($_POST['usernamefld'] <> $_POST['oldusername']) + $_SERVER['REMOTE_USER'] = $_POST['usernamefld']; - local_user_set_groups($userent,$_POST['groups']); - local_user_set($userent); - write_config(); + /* the user password was mofified */ + if ($_POST['passwordfld1']) + local_user_set_password($userent, $_POST['passwordfld1']); - if(is_dir("/etc/inc/privhooks")) - run_plugins("/etc/inc/privhooks"); + $userent['name'] = $_POST['usernamefld']; + $userent['descr'] = $_POST['descr']; + $userent['expires'] = $_POST['expires']; + $userent['authorizedkeys'] = base64_encode($_POST['authorizedkeys']); + $userent['ipsecpsk'] = $_POST['ipsecpsk']; + + if($_POST['disabled']) + $userent['disabled'] = true; + else + unset($userent['disabled']); + + if (isset($id) && $a_user[$id]) + $a_user[$id] = $userent; + else { + if (!empty($_POST['name'])) { + $cert = array(); + $cert['refid'] = uniqid(); + $userent['cert'] = array(); + + $cert['descr'] = $_POST['name']; + + $subject = cert_get_subject_array($ca['crt']); + + $dn = array( + 'countryName' => $subject[0]['v'], + 'stateOrProvinceName' => $subject[1]['v'], + 'localityName' => $subject[2]['v'], + 'organizationName' => $subject[3]['v'], + 'emailAddress' => $subject[4]['v'], + 'commonName' => $userent['name']); + + cert_create($cert, $_POST['caref'], $_POST['keylen'], + (int)$_POST['lifetime'], $dn); + + if (!is_array($config['cert'])) + $config['cert'] = array(); + $config['cert'][] = $cert; + $userent['cert'][] = $cert['refid']; + } + $userent['uid'] = $config['system']['nextuid']++; + /* Add the user to All Users group. */ + foreach ($config['system']['group'] as $gidx => $group) { + if ($group['name'] == "all") { + if (!is_array($config['system']['group'][$gidx]['member'])) + $config['system']['group'][$gidx]['member'] = array(); + $config['system']['group'][$gidx]['member'][] = $userent['uid']; + break; + } + } - conf_mount_ro(); - - pfSenseHeader("system_usermanager.php"); + $a_user[] = $userent; } + + local_user_set_groups($userent,$_POST['groups']); + local_user_set($userent); + write_config(); + + if(is_dir("/etc/inc/privhooks")) + run_plugins("/etc/inc/privhooks"); + + conf_mount_ro(); + + pfSenseHeader("system_usermanager.php"); } +} - include("head.inc"); +include("head.inc"); ?> <body link="#000000" vlink="#000000" alink="#000000" onload="<?= $jsevents["body"]["onload"] ?>"> @@ -871,98 +864,4 @@ function sshkeyClicked(obj) { </table> <?php include("fend.inc");?> </body> - -<?php - - // end admin user code - -} else { - - // start normal user code - - $pgtitle = array(gettext("System"),gettext("User Password")); - - if (isset($_POST['save'])) { - unset($input_errors); - - /* input validation */ - $reqdfields = explode(" ", "passwordfld1"); - $reqdfieldsn = array(gettext("Password")); - - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); - - if ($_POST['passwordfld1'] != $_POST['passwordfld2']) - $input_errors[] = gettext("The passwords do not match."); - - if (!$input_errors) { - // all values are okay --> saving changes - $config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]['password'] = crypt(trim($_POST['passwordfld1'])); - local_user_set($config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]); - write_config(); - $savemsg = gettext("Password successfully changed") . "<br />"; - } - } - - /* determine if user is not local to system */ - $islocal = false; - foreach($config['system']['user'] as $user) - if($user['name'] == $_SESSION['Username']) - $islocal = true; -?> - -<body link="#000000" vlink="#000000" alink="#000000" onload="<?= $jsevents["body"]["onload"] ?>"> -<?php - include("head.inc"); - include("fbegin.inc"); - if ($input_errors) - print_input_errors($input_errors); - if ($savemsg) - print_info_box($savemsg); - - if($islocal == false) { - echo gettext("Sorry, you cannot change the password for a LDAP user."); - include("fend.inc"); - exit; - } -?> -<div id="mainarea"> - <div class="tabcont"> - <form action="system_usermanager.php" method="post" name="iform" id="iform"> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td colspan="2" valign="top" class="listtopic"><?=$HTTP_SERVER_VARS['AUTH_USER']?>'s <?=gettext("Password"); ?></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell" rowspan="2"><?=gettext("Password"); ?></td> - <td width="78%" class="vtable"> - <input name="passwordfld1" type="password" class="formfld pwd" id="passwordfld1" size="20" /> - </td> - </tr> - <tr> - <td width="78%" class="vtable"> - <input name="passwordfld2" type="password" class="formfld pwd" id="passwordfld2" size="20" /> - <?=gettext("(confirmation)");?> - <br/> - <span class="vexpl"> - <?=gettext("Select a new password");?> - </span> - </td> - </tr> - <tr> - <td width="22%" valign="top"> </td> - <td width="78%"> - <input name="save" type="submit" class="formbtn" value="<?=gettext("Save");?>" /> - </td> - </tr> - </table> - </form> - </div> -</div> -<?php include("fend.inc");?> -</body> - -<?php - -} // end of normal user code - -?> +</html> diff --git a/usr/local/www/system_usermanager_passwordmg.php b/usr/local/www/system_usermanager_passwordmg.php new file mode 100644 index 0000000..b8b3f76 --- /dev/null +++ b/usr/local/www/system_usermanager_passwordmg.php @@ -0,0 +1,128 @@ +<?php +/* $Id$ */ +/* + Copyright (C) 2011 Ermal Luçi + system_usermanager.php + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +/* + pfSense_BUILDER_BINARIES: + pfSense_MODULE: auth +*/ + +##|+PRIV +##|*IDENT=page-system-usermanager-passwordmg +##|*NAME=System: User Password Manager page +##|*DESCR=Allow access to the 'System: User Password Manager' page. +##|*MATCH=system_usermanager_passwordmg.php* +##|-PRIV + +require_once("certs.inc"); +require_once("guiconfig.inc"); + +$pgtitle = array(gettext("System"),gettext("User Password")); + +if (isset($_POST['save'])) { + unset($input_errors); + /* input validation */ + + $reqdfields = explode(" ", "passwordfld1"); + $reqdfieldsn = array(gettext("Password")); + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if ($_POST['passwordfld1'] != $_POST['passwordfld2']) + $input_errors[] = gettext("The passwords do not match."); + + if (!$input_errors) { + // all values are okay --> saving changes + $config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]['password'] = crypt(trim($_POST['passwordfld1'])); + local_user_set($config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]); + + write_config(); + + $savemsg = gettext("Password successfully changed") . "<br />"; + } +} + +/* determine if user is not local to system */ +$islocal = false; +foreach($config['system']['user'] as $user) + if($user['name'] == $_SESSION['Username']) + $islocal = true; + +?> + +<body link="#000000" vlink="#000000" alink="#000000" onload="<?= $jsevents["body"]["onload"] ?>"> +<?php +include("head.inc"); +include("fbegin.inc"); + +if ($input_errors) + print_input_errors($input_errors); +if ($savemsg) + print_info_box($savemsg); + +if ($islocal == false) { + echo gettext("Sorry, you cannot change the password for a non-local user."); + include("fend.inc"); + exit; +} + +?> + +<div id="mainarea"> + <div class="tabcont"> + <form action="system_usermanager_passwordmg.php" method="post" name="iform" id="iform"> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="top" class="listtopic"><?=$HTTP_SERVER_VARS['AUTH_USER']?>'s <?=gettext("Password"); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell" rowspan="2"><?=gettext("Password"); ?></td> + <td width="78%" class="vtable"> + <input name="passwordfld1" type="password" class="formfld pwd" id="passwordfld1" size="20" /> + </td> + </tr> + <tr> + <td width="78%" class="vtable"> + <input name="passwordfld2" type="password" class="formfld pwd" id="passwordfld2" size="20" /> + <?=gettext("(confirmation)");?> + <br/> + <span class="vexpl"> + <?=gettext("Select a new password");?> + </span> + </td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"> + <input name="save" type="submit" class="formbtn" value="<?=gettext("Save");?>" /> + </td> + </tr> + </table> + </form> + </div> +</div> +<?php include("fend.inc");?> +</body> +</html> diff --git a/usr/local/www/themes/pfsense_ng/all.css b/usr/local/www/themes/pfsense_ng/all.css index 650d52d..b89299d 100644 --- a/usr/local/www/themes/pfsense_ng/all.css +++ b/usr/local/www/themes/pfsense_ng/all.css @@ -1333,7 +1333,7 @@ div#log span.log-protocol-mini-header { /* Sortable tables */ table.sortable thead { cursor: default; - background-color: #EEEEEE; +<!-- background-color: #EEEEEE; this causing light gray rectangles to the right of many tables in gui --> padding-right: 12px; padding-left: 12px; padding-top: 12px; diff --git a/usr/local/www/vpn_ipsec.php b/usr/local/www/vpn_ipsec.php index 465c607..54ed505 100755 --- a/usr/local/www/vpn_ipsec.php +++ b/usr/local/www/vpn_ipsec.php @@ -375,6 +375,9 @@ include("head.inc"); <a href="vpn_ipsec.php?act=delph2&p2index=<?=$j;?>" onclick="return confirm('<?=gettext("Do you really want to delete this phase2 entry?"); ?>')"> <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="<?=gettext("delete phase2 entry"); ?>" width="17" height="17" border="0"> </a> + <a href="vpn_ipsec_phase2.php?dup=<?=$j;?>"> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="<?=gettext("add a new Phase 2 based on this one"); ?>" width="17" height="17" border="0"> + </a> </td> </tr> diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php index 7cc8ac0..b4890ad 100644 --- a/usr/local/www/vpn_ipsec_phase1.php +++ b/usr/local/www/vpn_ipsec_phase1.php @@ -89,6 +89,7 @@ if (isset($p1index) && $a_phase1[$p1index]) { $pconfig['dhgroup'] = $a_phase1[$p1index]['dhgroup']; $pconfig['lifetime'] = $a_phase1[$p1index]['lifetime']; $pconfig['authentication_method'] = $a_phase1[$p1index]['authentication_method']; + $pconfig['generate_policy'] = $a_phase1[$p1index]['generate_policy']; $pconfig['proposal_check'] = $a_phase1[$p1index]['proposal_check']; if (($pconfig['authentication_method'] == "pre_shared_key") || @@ -307,6 +308,7 @@ if ($_POST) { $ph1ent['certref'] = $pconfig['certref']; $ph1ent['caref'] = $pconfig['caref']; $ph1ent['authentication_method'] = $pconfig['authentication_method']; + $ph1ent['generate_policy'] = $pconfig['generate_policy']; $ph1ent['proposal_check'] = $pconfig['proposal_check']; $ph1ent['descr'] = $pconfig['descr']; $ph1ent['nat_traversal'] = $pconfig['nat_traversal']; @@ -644,6 +646,22 @@ function dpdchkbox_change() { </span> </td> </tr> + <tr id="generate_policy"> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Policy Generation"); ?></td> + <td width="78%" class="vtable"> + <select name="generate_policy" class="formselect"> + <option value="" <?php if (empty($pconfig['generate_policy'])) echo "selected"; ?>>Default</option> + <option value="on" <?php if ($pconfig['generate_policy'] == "on") echo "selected"; ?>>On</option> + <option value="off" <?php if ($pconfig['generate_policy'] == "off") echo "selected"; ?>>Off</option> + <option value="require" <?php if ($pconfig['generate_policy'] == "require") echo "selected"; ?>>Require</option> + <option value="unique" <?php if ($pconfig['generate_policy'] == "unique") echo "selected"; ?>>Unique</option> + </select> + <br> + <span class="vexpl"> + <?=gettext("When working as a responder (as with mobile clients), this controls how policies are generated based on SA proposals."); ?> + </span> + </td> + </tr> <tr id="proposal_check"> <td width="22%" valign="top" class="vncellreq"><?=gettext("Proposal Checking"); ?></td> <td width="78%" class="vtable"> diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php index d45b0d6..395b81e 100644 --- a/usr/local/www/vpn_ipsec_phase2.php +++ b/usr/local/www/vpn_ipsec_phase2.php @@ -140,9 +140,64 @@ if ($_POST) { break; } } - - /* TODO : Validate enabled phase2's are not duplicates */ - + /* Validate enabled phase2's are not duplicates */ + if (isset($pconfig['mobile'])){ + /* User is adding phase 2 for mobile phase1 */ + foreach($a_phase2 as $key => $name){ + if (isset($name['mobile'])){ + /* check duplicate localids only for mobile clents */ + $localid_data = ipsec_idinfo_to_cidr($name['localid']); + $entered = array(); + $entered['type'] = $pconfig['localid_type']; + if (isset($pconfig['localid_address'])) $entered['address'] = $pconfig['localid_address']; + if (isset($pconfig['localid_netbits'])) $entered['netbits'] = $pconfig['localid_netbits']; + $entered_localid_data = ipsec_idinfo_to_cidr($entered); + if ($localid_data == $entered_localid_data){ + if (!isset($pconfig['p2index'])){ + /* adding new p2 entry */ + $input_errors[] = gettext("Phase2 with this Local Network is already defined for mobile clients."); + break; + }else if ($pconfig['p2index'] != $key){ + /* editing p2 and entered p2 networks match with different p2 for given p1 */ + $input_errors[] = gettext("Phase2 with this Local Network is already defined for mobile clients."); + break; + } + } + } + } + }else{ + /* User is adding phase 2 for site-to-site phase1 */ + $input_error = 0; + foreach($a_phase2 as $key => $name){ + if (!isset($name['mobile']) && $pconfig['ikeid'] == $name['ikeid']){ + /* check duplicate subnets only for given phase1 */ + $localid_data = ipsec_idinfo_to_cidr($name['localid']); + $remoteid_data = ipsec_idinfo_to_cidr($name['remoteid']); + $entered_local = array(); + $entered_local['type'] = $pconfig['localid_type']; + if (isset($pconfig['localid_address'])) $entered_local['address'] = $pconfig['localid_address']; + if (isset($pconfig['localid_netbits'])) $entered_local['netbits'] = $pconfig['localid_netbits']; + $entered_localid_data = ipsec_idinfo_to_cidr($entered_local); + $entered_remote = array(); + $entered_remote['type'] = $pconfig['remoteid_type']; + if (isset($pconfig['remoteid_address'])) $entered_remote['address'] = $pconfig['remoteid_address']; + if (isset($pconfig['remoteid_netbits'])) $entered_remote['netbits'] = $pconfig['remoteid_netbits']; + $entered_remoteid_data = ipsec_idinfo_to_cidr($entered_remote); + if ($localid_data == $entered_localid_data && $remoteid_data == $entered_remoteid_data) { + if (!isset($pconfig['p2index'])){ + /* adding new p2 entry */ + $input_errors[] = gettext("Phase2 with this Local/Remote networks combination is already defined for this Phase1."); + break; + }else if ($pconfig['p2index'] != $key){ + /* editing p2 and entered p2 networks match with different p2 for given p1 */ + $input_errors[] = gettext("Phase2 with this Local/Remote networks combination is already defined for this Phase1."); + break; + } + } + } + } + } + $ealgos = pconfig_to_ealgos($pconfig); if (!count($ealgos)) { diff --git a/usr/local/www/vpn_openvpn_client.php b/usr/local/www/vpn_openvpn_client.php index 4b9fc74..97b7769 100644 --- a/usr/local/www/vpn_openvpn_client.php +++ b/usr/local/www/vpn_openvpn_client.php @@ -350,10 +350,6 @@ function autotls_change() { <?php if (!$savemsg) $savemsg = ""; -if (count($a_ca) == 0) - $savemsg .= "You have no Certificate Authorities defined. You must visit the <a href=\"system_camanager.php\">Certificate Manager</a> to make one."; -if (count($a_cert) == 0) - $savemsg .= "<br/>You have no Certificates defined. You must visit the <a href=\"system_camanager.php\">Certificate Manager</a> to make one."; if ($input_errors) print_input_errors($input_errors); @@ -632,6 +628,7 @@ if ($savemsg) <tr id="tls_ca"> <td width="22%" valign="top" class="vncellreq"><?=gettext("Peer Certificate Authority"); ?></td> <td width="78%" class="vtable"> + <?php if (count($a_ca)): ?> <select name='caref' class="formselect"> <?php foreach ($a_ca as $ca): @@ -642,11 +639,15 @@ if ($savemsg) <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['descr'];?></option> <?php endforeach; ?> </select> + <?php else: ?> + <b>No Certificate Authorities defined.</b> <br/>Create one under <a href="system_camanager.php">System > Cert Manager</a>. + <?php endif; ?> </td> </tr> <tr id="tls_cert"> <td width="22%" valign="top" class="vncellreq"><?=gettext("Client Certificate"); ?></td> <td width="78%" class="vtable"> + <?php if (count($a_cert)): ?> <select name='certref' class="formselect"> <?php foreach ($a_cert as $cert): @@ -667,6 +668,9 @@ if ($savemsg) <option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['descr'] . $caname . $inuse . $revoked;?></option> <?php endforeach; ?> </select> + <?php else: ?> + <b>No Certificates defined.</b> <br/>Create one under <a href="system_certmanager.php">System > Cert Manager</a>. + <?php endif; ?> </td> </tr> <tr id="psk"> diff --git a/usr/local/www/vpn_openvpn_server.php b/usr/local/www/vpn_openvpn_server.php index 4a24e2e..b08c481 100644 --- a/usr/local/www/vpn_openvpn_server.php +++ b/usr/local/www/vpn_openvpn_server.php @@ -555,10 +555,6 @@ function netbios_change() { <?php if (!$savemsg) $savemsg = ""; -if (count($a_ca) == 0) - $savemsg .= "You have no Certificate Authorities defined. You can visit the <a href=\"system_camanager.php\">Certificate Manager</a> or use the <a href=\"wizard.php?xml=openvpn_wizard.xml\">Wizard.</a> to create one. "; -if (count($a_cert) == 0) - $savemsg .= "<br/>You have no Certificates defined. You can visit the <a href=\"system_camanager.php\">Certificate Manager</a> or use the <a href=\"wizard.php?xml=openvpn_wizard.xml\">Wizard.</a> to create one. "; if ($input_errors) print_input_errors($input_errors); @@ -768,6 +764,7 @@ if ($savemsg) <tr id="tls_ca"> <td width="22%" valign="top" class="vncellreq"><?=gettext("Peer Certificate Authority"); ?></td> <td width="78%" class="vtable"> + <?php if (count($a_ca)): ?> <select name='caref' class="formselect"> <?php foreach ($a_ca as $ca): @@ -778,11 +775,15 @@ if ($savemsg) <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['descr'];?></option> <?php endforeach; ?> </select> + <?php else: ?> + <b>No Certificate Authorities defined.</b> <br/>Create one under <a href="system_camanager.php">System > Cert Manager</a>. + <?php endif; ?> </td> </tr> <tr id="tls_crl"> <td width="22%" valign="top" class="vncellreq"><?=gettext("Peer Certificate Revocation List"); ?></td> <td width="78%" class="vtable"> + <?php if (count($a_crl)): ?> <select name='crlref' class="formselect"> <option value="">None</option> <?php @@ -799,11 +800,15 @@ if ($savemsg) <option value="<?=$crl['refid'];?>" <?=$selected;?>><?=$crl['descr'] . $caname;?></option> <?php endforeach; ?> </select> + <?php else: ?> + <b>No Certificate Revocation Lists (CRLs) defined.</b> <br/>Create one under <a href="system_crlmanager.php">System > Cert Manager</a>. + <?php endif; ?> </td> </tr> <tr id="tls_cert"> <td width="22%" valign="top" class="vncellreq"><?=gettext("Server Certificate"); ?></td> <td width="78%" class="vtable"> + <?php if (count($a_cert)): ?> <select name='certref' class="formselect"> <?php foreach ($a_cert as $cert): @@ -824,6 +829,9 @@ if ($savemsg) <option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['descr'] . $caname . $inuse . $revoked;?></option> <?php endforeach; ?> </select> + <?php else: ?> + <b>No Certificates defined.</b> <br/>Create one under <a href="system_certmanager.php">System > Cert Manager</a>. + <?php endif; ?> </td> </tr> <tr id="tls_dh"> diff --git a/usr/local/www/xmlrpc.php b/usr/local/www/xmlrpc.php index 97fbc45..500700a 100755 --- a/usr/local/www/xmlrpc.php +++ b/usr/local/www/xmlrpc.php @@ -271,8 +271,14 @@ $merge_config_section_sig = array( function merge_config_section_xmlrpc($raw_params) { global $config, $xmlrpc_g; - - return restore_config_section_xmlrpc($raw_params); + $params = xmlrpc_params_to_php($raw_params); + if(!xmlrpc_auth($params)) + return $xmlrpc_g['return']['authfail']; + $config_new = array_overlay($config, $params[0]); + $config = $config_new; + $mergedkeys = implode(",", array_keys($params[0])); + write_config(sprintf(gettext("Merged in config (%s sections) from XMLRPC client."), $mergedkeys)); + return $xmlrpc_g['return']['true']; } /*****************************/ @@ -448,4 +454,17 @@ $server = new XML_RPC_Server( unlock($xmlrpclockkey); + function array_overlay($a1,$a2) + { + foreach($a1 as $k => $v) { + if(!array_key_exists($k,$a2)) continue; + if(is_array($v) && is_array($a2[$k])){ + $a1[$k] = array_overlay($v,$a2[$k]); + }else{ + $a1[$k] = $a2[$k]; + } + } + return $a1; + } + ?> |