-rw-r--r--conf.default/config.xml2
-rw-r--r--etc/inc/captiveportal.inc31
-rw-r--r--etc/inc/filter_log.inc2
-rw-r--r--etc/inc/globals.inc2
-rw-r--r--etc/inc/interfaces.inc12
-rw-r--r--etc/inc/ipsec.inc99
-rw-r--r--etc/inc/openvpn.inc6
-rw-r--r--etc/inc/system.inc17
-rw-r--r--etc/inc/upgrade_config.inc19
-rw-r--r--etc/inc/vpn.inc1201
-rwxr-xr-xetc/rc5
-rwxr-xr-xetc/rc.linkup4
-rw-r--r--usr/local/www/diag_ipsec.php22
-rwxr-xr-xusr/local/www/diag_logs_filter_dynamic.php53
-rwxr-xr-xusr/local/www/fbegin.inc11
-rw-r--r--usr/local/www/help.php4
-rw-r--r--usr/local/www/includes/functions.inc.php5
-rw-r--r--usr/local/www/index.php9
-rw-r--r--usr/local/www/javascript/filter_log.js2
-rw-r--r--usr/local/www/javascript/index/ajax.js20
-rw-r--r--usr/local/www/services_captiveportal.php8
-rw-r--r--usr/local/www/themes/_corporate/all.css16
-rw-r--r--usr/local/www/themes/code-red/all.css17
-rw-r--r--usr/local/www/themes/metallic/all.css17
-rw-r--r--usr/local/www/themes/nervecenter/all.css17
-rw-r--r--usr/local/www/themes/pfsense-dropdown/all.css17
-rw-r--r--usr/local/www/themes/pfsense/all.css17
-rw-r--r--usr/local/www/widgets/widgets/interfaces.widget.php52
-rw-r--r--usr/local/www/widgets/widgets/ipsec.widget.php67
-rw-r--r--usr/local/www/widgets/widgets/log.widget.php56
30 files changed, 1029 insertions, 781 deletions
diff --git a/conf.default/config.xml b/conf.default/config.xml
index 9470158..738dd53 100644
--- a/conf.default/config.xml
+++ b/conf.default/config.xml
@@ -1,6 +1,6 @@
<?xml version="1.0"?>
<pfsense>
- <version>11.2</version>
+ <version>11.3</version>
<lastchange/>
<theme>pfsense_ng</theme>
<system>
diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc
index cf529f9..413b108 100644
--- a/etc/inc/captiveportal.inc
+++ b/etc/inc/captiveportal.inc
@@ -448,6 +448,23 @@ function captiveportal_init_webgui_zone($cpcfg) {
}
}
+function captiveportal_init_rules_byinterface($interface) {
+ global $cpzone, $cpzoneid, $config;
+
+ if (!is_array($config['captiveportal']))
+ return;
+
+ foreach ($config['captiveportal'] as $cpkey => $cp) {
+ $cpzone = $cpkey;
+ $cpzoneid = $cp['zoneid'];
+ $cpinterfaces = explode(",", $cp['interface']);
+ if (in_array($interface, $cpinterfaces)) {
+ captiveportal_init_rules();
+ break;
+ }
+ }
+}
+
/* reinit will disconnect all users, be careful! */
function captiveportal_init_rules($reinit = false) {
global $config, $g, $cpzone, $cpzoneid;
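Review bot: `$cpzone` and `$cpzoneid` are assigned for every zone before the membership test, so when no zone contains `$interface` the function returns with both globals pointing at the last zone iterated, and on a match they stay pointed at the matched zone; any caller that relied on the previous zone context afterwards would act on the wrong zone. Moving the two assignments inside the `if` — `$cpzone = $cpkey; $cpzoneid = $cp['zoneid']; captiveportal_init_rules();` — removes the no-match clobbering, and saving/restoring the previous values would remove the side effect entirely. `in_array($interface, $cpinterfaces)` should pass `true` as the third argument so a loosely-equal value cannot match. If a zone has no `interface` key, `explode()` on null yields `array('')`, which is harmless here but worth a guard if the key is optional.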
@@ -1783,8 +1800,11 @@ function portal_mac_radius($clientmac,$clientip) {
function captiveportal_reapply_attributes($cpentry, $attributes) {
global $config, $cpzone, $g;
- $dwfaultbw_up = isset($config['captiveportal'][$cpzone]['bwdefaultup']) ? $config['captiveportal'][$cpzone]['bwdefaultup'] : 0;
- $dwfaultbw_down = isset($config['captiveportal'][$cpzone]['bwdefaultdn']) ? $config['captiveportal'][$cpzone]['bwdefaultdn'] : 0;
+ if (isset($config['captiveportal'][$cpzone]['peruserbw'])) {
+ $dwfaultbw_up = isset($config['captiveportal'][$cpzone]['bwdefaultup']) ? $config['captiveportal'][$cpzone]['bwdefaultup'] : 0;
+ $dwfaultbw_down = isset($config['captiveportal'][$cpzone]['bwdefaultdn']) ? $config['captiveportal'][$cpzone]['bwdefaultdn'] : 0;
+ } else
+ $dwfaultbw_up = $dwfaultbw_down = 0;
$bw_up = isset($attributes['bw_up']) ? round(intval($attributes['bw_up'])/1000, 2) : $dwfaultbw_up;
$bw_down = isset($attributes['bw_down']) ? round(intval($attributes['bw_down'])/1000, 2) : $dwfaultbw_down;
$bw_up_pipeno = $cpentry[1];
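Review bot: The five-line default-bandwidth block added here is duplicated verbatim in portal_allow (the next hunk), and both mix a braced `if` with a brace-less `else`. A small helper keyed on the current `$cpzone` removes the duplication and gives the peruserbw rule a single home, so a future change to how defaults are read cannot diverge between login and re-authentication. captiveportal_reapply_attributes continues past this hunk.
```php
/* Default per-user bandwidth (up, down) for the current zone; both zero unless peruserbw is enabled. */
function captiveportal_default_bw() {
	global $config, $cpzone;

	if (!isset($config['captiveportal'][$cpzone]['peruserbw']))
		return array(0, 0);
	$cpcfg = $config['captiveportal'][$cpzone];
	return array(isset($cpcfg['bwdefaultup']) ? $cpcfg['bwdefaultup'] : 0,
	    isset($cpcfg['bwdefaultdn']) ? $cpcfg['bwdefaultdn'] : 0);
}

/* … in captiveportal_reapply_attributes() and portal_allow(), replacing the if/else block … */
list($dwfaultbw_up, $dwfaultbw_down) = captiveportal_default_bw();
```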
@@ -1961,8 +1981,11 @@ function portal_allow($clientip,$clientmac,$username,$password = null, $attribut
return;
}
- $dwfaultbw_up = isset($config['captiveportal'][$cpzone]['bwdefaultup']) ? $config['captiveportal'][$cpzone]['bwdefaultup'] : 0;
- $dwfaultbw_down = isset($config['captiveportal'][$cpzone]['bwdefaultdn']) ? $config['captiveportal'][$cpzone]['bwdefaultdn'] : 0;
+ if (isset($config['captiveportal'][$cpzone]['peruserbw'])) {
+ $dwfaultbw_up = isset($config['captiveportal'][$cpzone]['bwdefaultup']) ? $config['captiveportal'][$cpzone]['bwdefaultup'] : 0;
+ $dwfaultbw_down = isset($config['captiveportal'][$cpzone]['bwdefaultdn']) ? $config['captiveportal'][$cpzone]['bwdefaultdn'] : 0;
+ } else
+ $dwfaultbw_up = $dwfaultbw_down = 0;
$bw_up = isset($attributes['bw_up']) ? round(intval($attributes['bw_up'])/1000, 2) : $dwfaultbw_up;
$bw_down = isset($attributes['bw_down']) ? round(intval($attributes['bw_down'])/1000, 2) : $dwfaultbw_down;
diff --git a/etc/inc/filter_log.inc b/etc/inc/filter_log.inc
index b6d2eb2..073d44f 100644
--- a/etc/inc/filter_log.inc
+++ b/etc/inc/filter_log.inc
@@ -404,7 +404,7 @@ function handle_ajax($nentries, $tail = 50) {
$log_row['proto'] .= ":{$log_row['tcpflags']}";
$img = "<a href=\"#\" onClick=\"javascript:getURL('diag_logs_filter.php?getrulenum={$log_row['rulenum']},{$log_row['rulenum']}', outputrule);\">{$img}</a>";
- $new_rules .= "{$img}||{$log_row['time']}||{$log_row['interface']}||{$log_row['srcip']}||{$log_row['dst']}||{$log_row['proto']}||" . time() . "||\n";
+ $new_rules .= "{$img}||{$log_row['time']}||{$log_row['interface']}||{$log_row['srcip']}||{$log_row['srcport']}||{$log_row['dstip']}||{$log_row['dstport']}||{$log_row['proto']}||{$log_row['version']}||" . time() . "||\n";
}
}
echo $new_rules;
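Review bot: The new record is a positional `||`-joined string whose field order must agree with the splitter in javascript/filter_log.js (also touched by this commit), and nothing in the code records that order; add `/* field order must match the split in javascript/filter_log.js: img, time, interface, srcip, srcport, dstip, dstport, proto, version, timestamp */` above the assignment. None of the `$log_row` values is passed through htmlspecialchars() before being echoed into the page; they appear to come from the firewall log parser rather than from the request, so the exposure is limited, but a value containing `||` would still shift the columns client-side. handle_ajax begins before this hunk.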
diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc
index be72578..1d7e04d 100644
--- a/etc/inc/globals.inc
+++ b/etc/inc/globals.inc
@@ -73,7 +73,7 @@ $g = array(
"disablecrashreporter" => false,
"crashreporterurl" => "https://crashreporter.pfsense.org/crash_reporter.php",
"debug" => false,
- "latest_config" => "11.2",
+ "latest_config" => "11.3",
"nopkg_platforms" => array("cdrom"),
"minimum_ram_warning" => "101",
"minimum_ram_warning_text" => "128 MB",
diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc
index 672d314..7322e44 100644
--- a/etc/inc/interfaces.inc
+++ b/etc/inc/interfaces.inc
@@ -3079,7 +3079,7 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven
system_routing_configure($interface);
/* reload ipsec tunnels */
- vpn_ipsec_configure();
+ send_event("service reload ipsecdns");
/* restart dnsmasq or unbound */
if (isset($config['dnsmasq']['enable']))
@@ -3090,9 +3090,10 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven
/* update dyndns */
send_event("service reload dyndns {$interface}");
- /* XXX: which CPZONE? Needed? */
/* reload captive portal */
- captiveportal_init_rules();
+ if (!function_exists('captiveportal_init_rules_byinterface'))
+ require_once('captiveportal.inc');
+ captiveportal_init_rules_byinterface($interface);
}
}
@@ -3974,7 +3975,7 @@ function interface_group_setup(&$groupname /* The parameter is an array */) {
$members = explode(" ", $groupname['members']);
foreach($members as $ifs) {
$realif = get_real_interface($ifs);
- if ($realif)
+ if ($realif && does_interface_exist($realif))
mwexec("/sbin/ifconfig {$realif} group {$groupname['ifname']}");
}
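Review bot: The group name is interpolated into the shell command unescaped here, while interface_group_add_member (the next hunk) escapes its `$groupname` with escapeshellarg(); both hunks also interpolate the interface name raw. For consistency use `mwexec("/sbin/ifconfig " . escapeshellarg($realif) . " group " . escapeshellarg($groupname['ifname']));` here and `escapeshellarg($interface)` in interface_group_add_member. The new does_interface_exist() guards skip silently; a log_error() in the else branch would make a missing group member easier to diagnose. interface_group_setup starts before this hunk.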
@@ -3995,7 +3996,8 @@ function is_interface_group($if) {
function interface_group_add_member($interface, $groupname) {
$interface = get_real_interface($interface);
- mwexec("/sbin/ifconfig {$interface} group " . escapeshellarg($groupname), true);
+ if (does_interface_exist($interface))
+ mwexec("/sbin/ifconfig {$interface} group " . escapeshellarg($groupname), true);
}
/* COMPAT Function */
diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc
index 7a4469f..da6ebcc 100644
--- a/etc/inc/ipsec.inc
+++ b/etc/inc/ipsec.inc
@@ -363,89 +363,6 @@ function ipsec_phase2_status(&$ipsec_status, &$phase2) {
return false;
}
-/*
- * Return IPsec SA details
- */
-function ipsec_lookup_ipsec_sa(& $spd,& $sad,$dir,$in_srcip,$in_dstip,$in_srcid,$in_dstid) {
-
- /* match the phase1/2 to an SP */
- $in_srcip = ipsec_fixup_ip($in_srcip);
- $in_dstip = ipsec_fixup_ip($in_dstip);
- $in_srcid = ipsec_fixup_ip($in_srcid);
- $in_dstid = ipsec_fixup_ip($in_dstid);
-
- foreach($spd as $sp) {
-
- /* match direction */
-
- if($dir != $sp['dir'])
- continue;
-
- /* match IPs */
-
- if($in_srcip != ipsec_fixup_ip($sp['src']))
- continue;
- if($in_dstip != ipsec_fixup_ip($sp['dst']))
- continue;
-
- /* add netbits for address IDs */
-
- $sp_srcid = $sp['srcid'];
- $sp_dstid = $sp['dstid'];
-
- if (!strstr($sp_srcid,"/")) {
- if (is_ipaddrv4($sp_srcid))
- $sp_srcid .= '/32';
- elseif (is_ipaddrv6($sp_srcid))
- $sp_srcid .= '/128';
- }
- if (!strstr($sp_dstid,"/")) {
- if (is_ipaddrv4($sp_dstid))
- $sp_dstid .= '/32';
- elseif (is_ipaddrv6($sp_dstid))
- $sp_dstid .= '/128';
- }
-
- /* match IDs */
-
- if($in_srcid != ipsec_fixup_ip($sp_srcid))
- continue;
- if($in_dstid != ipsec_fixup_ip($sp_dstid))
- continue;
-
- /* match the SP to a unique SA by reqid */
-
- foreach($sad as $sa) {
-
- /* match REQIDs */
-
- if($sa[reqid] != $sp[reqid])
- continue;
-
- /* sanitize for NAT-T ports */
-
- $sa_srcip = $sa['src'];
- $sa_dstip = $sa['dst'];
-
- if (strstr($sa_srcip,"["))
- $sa_srcip = substr($sa_srcip,0,strcspn($sa_srcip,"["));
- if (strstr($sa_dstip,"["))
- $sa_dstip = substr($sa_dstip,0,strcspn($sa_dstip,"["));
-
- /* match IPs */
-
- if($in_srcip != ipsec_fixup_ip($sa_srcip))
- continue;
- if($in_dstip != ipsec_fixup_ip($sa_dstip))
- continue;
-
- return $sa;
- }
- }
-
- return NULL;
-}
-
function ipsec_smp_dump_status() {
global $config, $g, $custom_listtags;
@@ -654,6 +571,22 @@ function ipsec_get_descr($ikeid) {
return $descr;
}
+function ipsec_get_phase1($ikeid) {
+ global $config;
+
+ if (!isset($config['ipsec']['phase1']) ||
+ !is_array($config['ipsec']['phase1']))
+ return '';
+
+ $a_phase1 = $config['ipsec']['phase1'];
+ foreach ($a_phase1 as $p1) {
+ if ($p1['ikeid'] == $ikeid) {
+ return $p1;
+ }
+ }
+ unset($a_phase1);
+}
+
function ipsec_fixup_ip($ipaddr) {
if (is_ipaddrv6($ipaddr) || is_subnetv6($ipaddr))
return Net_IPv6::compress(Net_IPv6::uncompress($ipaddr));
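Review bot: ipsec_get_phase1() returns `''` when no phase1 array exists but falls off the end (returning null) when no entry matches `$ikeid`, so callers get two different "not found" values; the trailing `unset($a_phase1)` is also dead, since the local goes out of scope anyway. Returning the same sentinel on both paths — `return '';` after the loop in place of the unset — keeps `empty()`-based callers working and makes the contract explicit. The loose `==` against `$p1['ikeid']` is presumably deliberate because config values arrive from XML as strings; a one-line docblock such as `/* Return the phase1 entry whose ikeid matches, or '' if not configured/not found. */` should say so.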
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index 2c23131..c45256a 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -445,6 +445,12 @@ function openvpn_reconfigure($mode, $settings) {
/* add the device to the openvpn group */
mwexec("/sbin/ifconfig " . escapeshellarg($devname) . " group openvpn");
+
+ $ifname = convert_real_interface_to_friendly_interface_name($devname);
+ $grouptmp = link_interface_to_group($ifname);
+ if (!empty($grouptmp))
+ array_walk($grouptmp, 'interface_group_add_member');
+ unset($grouptmp, $ifname);
}
$pfile = $g['varrun_path'] . "/openvpn_{$mode_id}.pid";
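Review bot: array_walk() invokes its callback as `callback($value, $key)`, so `interface_group_add_member($interface, $groupname)` receives the array value as the interface and the key as the group name; this is only correct if link_interface_to_group() returns a map keyed by group name with the interface as value, which is not visible in this hunk. A comment pinning that shape would protect the call, e.g. `/* link_interface_to_group() returns groupname => interface; array_walk passes (value, key) */`. `$ifname` is also used without checking that convert_real_interface_to_friendly_interface_name() actually resolved `$devname`, which may be worth a guard. openvpn_reconfigure continues past this hunk.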
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index 7f6af33..ba24c88 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -182,6 +182,15 @@ function system_resolvconf_generate($dynupdate = false) {
fwrite($fd, $resolvconf);
fclose($fd);
+ // Prevent resolvconf(8) from rewriting our resolv.conf
+ $fd = fopen("{$g['varetc_path']}/resolvconf.conf", "w");
+ if (!$fd) {
+ printf("Error: cannot open resolvconf.conf in system_resolvconf_generate().\n");
+ return 1;
+ }
+ fwrite($fd, "resolv_conf=\"/dev/null\"\n");
+ fclose($fd);
+
if (!platform_booting()) {
/* restart dhcpd (nameservers may have changed) */
if (!$dynupdate)
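Review bot: If the new fopen() of resolvconf.conf fails, `return 1` leaves the function before the dhcpd/unbound restart that follows, even though resolv.conf has already been rewritten above, so the nameserver change would land in the file but not be propagated (assuming the restart block is the only propagation path; it starts in this hunk and continues past it). Since this file's only job is to stop resolvconf(8) from clobbering resolv.conf, logging and continuing seems preferable, e.g. `if (@file_put_contents("{$g['varetc_path']}/resolvconf.conf", "resolv_conf=\"/dev/null\"\n") === false) log_error("Cannot write resolvconf.conf in system_resolvconf_generate().");`. system_resolvconf_generate begins before this hunk.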
@@ -1417,7 +1426,7 @@ function system_ntp_setup_gps($serialport) {
conf_mount_rw();
// Create symlink that ntpd requires
unlink_if_exists($gps_device);
- symlink($serialport, $gps_device);
+ @symlink($serialport, $gps_device);
/* Send the following to the GPS port to initialize the GPS */
if (is_array($config['ntpd']) && is_array($config['ntpd']['gps']) && !empty($config['ntpd']['gps']['type'])) {
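Review bot: `@symlink(...)` hides the failure to create the GPS device link, so a missing link only surfaces later when ntpd cannot open the device. Check the return value instead of suppressing the warning: `if (!@symlink($serialport, $gps_device)) log_error(sprintf(gettext("Error: Cannot create symlink %s for GPS device"), $gps_device));`. system_ntp_setup_gps starts before this hunk.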
@@ -1511,7 +1520,7 @@ function system_ntp_configure($start_ntpd=true) {
$ntpcfg .= "\n";
/* Add PPS configuration */
- if (!empty($config['ntpd']['pps'])
+ if (is_array($config['ntpd']['pps']) && !empty($config['ntpd']['pps']['port'])
&& file_exists('/dev/'.$config['ntpd']['pps']['port'])
&& system_ntp_setup_pps($config['ntpd']['pps']['port'])) {
$ntpcfg .= "\n";
@@ -1550,7 +1559,7 @@ function system_ntp_configure($start_ntpd=true) {
/* End PPS configuration */
/* Add GPS configuration */
- if (!empty($config['ntpd']['gps'])
+ if (is_array($config['ntpd']['gps']) && !empty($config['ntpd']['gps']['port'])
&& file_exists('/dev/'.$config['ntpd']['gps']['port'])
&& system_ntp_setup_gps($config['ntpd']['gps']['port'])) {
$ntpcfg .= "\n";
@@ -1608,7 +1617,7 @@ function system_ntp_configure($start_ntpd=true) {
$ntpcfg .= $config['ntpd']['gps']['refid'];
}
$ntpcfg .= "\n";
- }elseif (!empty($config['ntpd']['gpsport'])
+ }elseif (is_array($config['ntpd']) && !empty($config['ntpd']['gpsport'])
&& file_exists('/dev/'.$config['ntpd']['gpsport'])
&& system_ntp_setup_gps($config['ntpd']['gpsport'])) {
/* This handles a 2.1 and earlier config */
diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc
index d0e594f..e9e77cc 100644
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
@@ -3455,6 +3455,9 @@ function upgrade_110_to_111() {
}
}
+ if (isset($new['custom_options']) && !empty($new['custom_options']))
+ $new['custom_options'] = str_replace(';', "\n", $new['custom_options']);
+
/* Following options were removed, bring them as custom_options */
if (isset($pkg['stats']) && $pkg['stats'] == "on") {
if (isset($pkg['stats_interval']))
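Review bot: `isset($x) && !empty($x)` is redundant, since empty() already returns true for an unset variable; `if (!empty($new['custom_options']))` is equivalent and shorter. upgrade_110_to_111 begins before and continues after this hunk.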
@@ -3500,4 +3503,20 @@ function upgrade_111_to_112() {
);
}
+function upgrade_112_to_113() {
+ global $config;
+
+ if (isset($config['notifications']['smtp']['ssl']) &&
+ $config['notifications']['smtp']['ssl'] == "checked")
+ $config['notifications']['smtp']['ssl'] = true;
+ else
+ unset($config['notifications']['smtp']['ssl']);
+
+ if (isset($config['notifications']['smtp']['tls']) &&
+ $config['notifications']['smtp']['tls'] == "checked")
+ $config['notifications']['smtp']['tls'] = true;
+ else
+ unset($config['notifications']['smtp']['tls']);
+}
+
?>
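Review bot: upgrade_112_to_113 repeats the same six lines for `ssl` and `tls`, differing only in the key, so a future third SMTP flag would be a third copy. Iterating over the option names keeps the behaviour identical (a value of `"checked"` becomes `true`, anything else is dropped) while giving the normalisation a single place and room for a comment explaining why the string is rewritten.
```php
function upgrade_112_to_113() {
	global $config;

	/* Checkbox values were stored as the string "checked"; normalise to a bare boolean flag */
	foreach (array('ssl', 'tls') as $opt) {
		if (isset($config['notifications']['smtp'][$opt]) &&
		    $config['notifications']['smtp'][$opt] == "checked")
			$config['notifications']['smtp'][$opt] = true;
		else
			unset($config['notifications']['smtp'][$opt]);
	}
}
```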
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index b2101f3..4e168b0 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -109,10 +109,6 @@ function vpn_ipsec_configure($ipchg = false)
$syscfg = $config['system'];
$ipseccfg = $config['ipsec'];
- $a_phase1 = $config['ipsec']['phase1'];
- $a_phase2 = $config['ipsec']['phase2'];
- $a_client = $config['ipsec']['client'];
-
if (!isset($ipseccfg['enable'])) {
/* try to stop charon */
mwexec("/usr/local/sbin/ipsec stop");
@@ -127,691 +123,689 @@ function vpn_ipsec_configure($ipchg = false)
set_single_sysctl("net.inet.ip.ipsec_in_use", "0");
return 0;
- } else {
- $certpath = "{$g['varetc_path']}/ipsec/ipsec.d/certs";
- $capath = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts";
- $keypath = "{$g['varetc_path']}/ipsec/ipsec.d/private";
-
- mwexec("/sbin/ifconfig enc0 up");
- set_single_sysctl("net.inet.ip.ipsec_in_use", "1");
- /* needed for config files */
- if (!is_dir("{$g['varetc_path']}/ipsec"))
- mkdir("{$g['varetc_path']}/ipsec");
- if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d"))
- mkdir("{$g['varetc_path']}/ipsec/ipsec.d");
- if (!is_dir($capath))
- mkdir($capath);
- if (!is_dir($keypath))
- mkdir($keypath);
- if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/crls"))
- mkdir("{$g['varetc_path']}/ipsec/ipsec.d/crls");
- if (!is_dir($certpath))
- mkdir($certpath);
- if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts"))
- mkdir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts");
- if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/acerts"))
- mkdir("{$g['varetc_path']}/ipsec/ipsec.d/acerts");
- if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts"))
- mkdir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts");
- if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/reqs"))
- mkdir("{$g['varetc_path']}/ipsec/ipsec.d/reqs");
-
-
- if (platform_booting())
- echo gettext("Configuring IPsec VPN... ");
-
- /* fastforwarding is not compatible with ipsec tunnels */
- set_single_sysctl("net.inet.ip.fastforwarding", "0");
-
- /* resolve all local, peer addresses and setup pings */
- $ipmap = array();
- $rgmap = array();
- $filterdns_list = array();
- $listeniflist = array();
- $aggressive_mode_psk = false;
- unset($iflist);
- if (is_array($a_phase1) && count($a_phase1)) {
-
- $ipsecpinghosts = "";
- /* step through each phase1 entry */
- foreach ($a_phase1 as $ph1ent) {
- if (isset($ph1ent['disabled']))
- continue;
+ }
- if ($ph1ent['mode'] == "aggressive" && ($ph1ent['authentication_method'] == "pre_shared_key" || $ph1ent['authentication_method'] == "xauth_psk_server"))
- $aggressive_mode_psk = true;
+ $a_phase1 = $config['ipsec']['phase1'];
+ $a_phase2 = $config['ipsec']['phase2'];
+ $a_client = $config['ipsec']['client'];
- $ikeid = $ph1ent['ikeid'];
- $listeniflist = get_real_interface($a_phase1['interface']);
+ $certpath = "{$g['varetc_path']}/ipsec/ipsec.d/certs";
+ $capath = "{$g['varetc_path']}/ipsec/ipsec.d/cacerts";
+ $keypath = "{$g['varetc_path']}/ipsec/ipsec.d/private";
+
+ mwexec("/sbin/ifconfig enc0 up");
+ set_single_sysctl("net.inet.ip.ipsec_in_use", "1");
+ /* needed for config files */
+ if (!is_dir("{$g['varetc_path']}/ipsec"))
+ mkdir("{$g['varetc_path']}/ipsec");
+ if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d"))
+ mkdir("{$g['varetc_path']}/ipsec/ipsec.d");
+ if (!is_dir($capath))
+ mkdir($capath);
+ if (!is_dir($keypath))
+ mkdir($keypath);
+ if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/crls"))
+ mkdir("{$g['varetc_path']}/ipsec/ipsec.d/crls");
+ if (!is_dir($certpath))
+ mkdir($certpath);
+ if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts"))
+ mkdir("{$g['varetc_path']}/ipsec/ipsec.d/aacerts");
+ if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/acerts"))
+ mkdir("{$g['varetc_path']}/ipsec/ipsec.d/acerts");
+ if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts"))
+ mkdir("{$g['varetc_path']}/ipsec/ipsec.d/ocspcerts");
+ if (!is_dir("{$g['varetc_path']}/ipsec/ipsec.d/reqs"))
+ mkdir("{$g['varetc_path']}/ipsec/ipsec.d/reqs");
+
- $ep = ipsec_get_phase1_src($ph1ent);
- if (!is_ipaddr($ep))
- continue;
+ if (platform_booting())
+ echo gettext("Configuring IPsec VPN... ");
- if(!in_array($ep,$ipmap))
- $ipmap[] = $ep;
+ /* fastforwarding is not compatible with ipsec tunnels */
+ set_single_sysctl("net.inet.ip.fastforwarding", "0");
- /* see if this tunnel has a hostname for the remote-gateway. If so,
- try to resolve it now and add it to the list for filterdns */
+ /* resolve all local, peer addresses and setup pings */
+ $ipmap = array();
+ $rgmap = array();
+ $filterdns_list = array();
+ $listeniflist = array();
+ $aggressive_mode_psk = false;
+ unset($iflist);
+ if (is_array($a_phase1) && count($a_phase1)) {
- if (isset ($ph1ent['mobile']))
- continue;
+ $ipsecpinghosts = "";
+ /* step through each phase1 entry */
+ foreach ($a_phase1 as $ph1ent) {
+ if (isset($ph1ent['disabled']))
+ continue;
- $rg = $ph1ent['remote-gateway'];
+ if ($ph1ent['mode'] == "aggressive" && ($ph1ent['authentication_method'] == "pre_shared_key" || $ph1ent['authentication_method'] == "xauth_psk_server"))
+ $aggressive_mode_psk = true;
- if (!is_ipaddr($rg)) {
- $filterdns_list[] = "{$rg}";
- add_hostname_to_watch($rg);
- if (!platform_booting())
- $rg = resolve_retry($rg);
- if (!is_ipaddr($rg))
- continue;
- }
- if(array_search($rg, $rgmap)) {
- log_error("The remote gateway {$rg} already exists on another phase 1 entry");
+ $ikeid = $ph1ent['ikeid'];
+ $listeniflist = get_real_interface($a_phase1['interface']);
+
+ $ep = ipsec_get_phase1_src($ph1ent);
+ if (!is_ipaddr($ep))
+ continue;
+
+ if(!in_array($ep,$ipmap))
+ $ipmap[] = $ep;
+
+ /* see if this tunnel has a hostname for the remote-gateway. If so,
+ try to resolve it now and add it to the list for filterdns */
+
+ if (isset ($ph1ent['mobile']))
+ continue;
+
+ $rg = $ph1ent['remote-gateway'];
+
+ if (!is_ipaddr($rg)) {
+ $filterdns_list[] = "{$rg}";
+ add_hostname_to_watch($rg);
+ if (!platform_booting())
+ $rg = resolve_retry($rg);
+ if (!is_ipaddr($rg))
continue;
- }
- $rgmap[$ph1ent['remote-gateway']] = $rg;
+ }
+ if(array_search($rg, $rgmap)) {
+ log_error("The remote gateway {$rg} already exists on another phase 1 entry");
+ continue;
+ }
+ $rgmap[$ph1ent['remote-gateway']] = $rg;
- if (is_array($a_phase2)) {
- /* step through each phase2 entry */
- foreach ($a_phase2 as $ph2ent) {
- if (isset($ph2ent['disabled']))
- continue;
+ if (is_array($a_phase2)) {
+ /* step through each phase2 entry */
+ foreach ($a_phase2 as $ph2ent) {
+ if (isset($ph2ent['disabled']))
+ continue;
- if ($ikeid != $ph2ent['ikeid'])
- continue;
+ if ($ikeid != $ph2ent['ikeid'])
+ continue;
- /* add an ipsec pinghosts entry */
- if ($ph2ent['pinghost']) {
- if (!is_array($iflist))
- $iflist = get_configured_interface_list();
- $viplist = get_configured_vips_list();
- $srcip = null;
- $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
- if(is_ipaddrv6($ph2ent['pinghost'])) {
- foreach ($iflist as $ifent => $ifname) {
- $interface_ip = get_interface_ipv6($ifent);
- if(!is_ipaddrv6($interface_ip))
- continue;
- if (ip_in_subnet($interface_ip, $local_subnet)) {
- $srcip = $interface_ip;
- break;
- }
- }
- } else {
- foreach ($iflist as $ifent => $ifname) {
- $interface_ip = get_interface_ip($ifent);
- if(!is_ipaddrv4($interface_ip))
- continue;
- if ($local_subnet == "0.0.0.0/0" || ip_in_subnet($interface_ip, $local_subnet)) {
- $srcip = $interface_ip;
- break;
- }
+ /* add an ipsec pinghosts entry */
+ if ($ph2ent['pinghost']) {
+ if (!is_array($iflist))
+ $iflist = get_configured_interface_list();
+ $viplist = get_configured_vips_list();
+ $srcip = null;
+ $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
+ if(is_ipaddrv6($ph2ent['pinghost'])) {
+ foreach ($iflist as $ifent => $ifname) {
+ $interface_ip = get_interface_ipv6($ifent);
+ if(!is_ipaddrv6($interface_ip))
+ continue;
+ if (ip_in_subnet($interface_ip, $local_subnet)) {
+ $srcip = $interface_ip;
+ break;
}
}
- /* if no valid src IP was found in configured interfaces, try the vips */
- if (is_null($srcip)) {
- foreach ($viplist as $vip) {
- if (ip_in_subnet($vip['ipaddr'], $local_subnet)) {
- $srcip = $vip['ipaddr'];
- break;
- }
+ } else {
+ foreach ($iflist as $ifent => $ifname) {
+ $interface_ip = get_interface_ip($ifent);
+ if(!is_ipaddrv4($interface_ip))
+ continue;
+ if ($local_subnet == "0.0.0.0/0" || ip_in_subnet($interface_ip, $local_subnet)) {
+ $srcip = $interface_ip;
+ break;
}
}
- $dstip = $ph2ent['pinghost'];
- if(is_ipaddrv6($dstip)) {
- $family = "inet6";
- } else {
- $family = "inet";
+ }
+ /* if no valid src IP was found in configured interfaces, try the vips */
+ if (is_null($srcip)) {
+ foreach ($viplist as $vip) {
+ if (ip_in_subnet($vip['ipaddr'], $local_subnet)) {
+ $srcip = $vip['ipaddr'];
+ break;
+ }
}
- if (is_ipaddr($srcip))
- $ipsecpinghosts[] = "{$srcip}|{$dstip}|3|||||{$family}|\n";
}
+ $dstip = $ph2ent['pinghost'];
+ if(is_ipaddrv6($dstip)) {
+ $family = "inet6";
+ } else {
+ $family = "inet";
+ }
+ if (is_ipaddr($srcip))
+ $ipsecpinghosts[] = "{$srcip}|{$dstip}|3|||||{$family}|\n";
}
}
}
- @file_put_contents("{$g['vardb_path']}/ipsecpinghosts", $ipsecpinghosts);
- unset($ipsecpinghosts);
}
- unset($iflist);
+ @file_put_contents("{$g['vardb_path']}/ipsecpinghosts", $ipsecpinghosts);
+ unset($ipsecpinghosts);
+ }
+ unset($iflist);
- $accept_unencrypted = "";
- if (isset($config['ipsec']['acceptunencryptedmainmode']))
- $accept_unencrypted = "accept_unencrypted_mainmode_messages = yes";
+ $accept_unencrypted = "";
+ if (isset($config['ipsec']['acceptunencryptedmainmode']))
+ $accept_unencrypted = "accept_unencrypted_mainmode_messages = yes";
- $i_dont_care_about_security_and_use_aggressive_mode_psk = "";
- if ($aggressive_mode_psk) {
- log_error("WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.");
- $i_dont_care_about_security_and_use_aggressive_mode_psk = "i_dont_care_about_security_and_use_aggressive_mode_psk=yes";
- }
- $strongswan = <<<EOD
+ $i_dont_care_about_security_and_use_aggressive_mode_psk = "";
+ if ($aggressive_mode_psk) {
+ log_error("WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.");
+ $i_dont_care_about_security_and_use_aggressive_mode_psk = "i_dont_care_about_security_and_use_aggressive_mode_psk=yes";
+ }
+ $strongswan = <<<EOD
# Automatically generated config file - DO NOT MODIFY. Changes will be overwritten.
starter {
- load_warning = no
+load_warning = no
}
charon {
- # number of worker threads in charon
- threads = 16
- ikesa_table_size = 32
- ikesa_table_segments = 4
- init_limit_half_open = 1000
- install_routes = no
- {$i_dont_care_about_security_and_use_aggressive_mode_psk}
- {$accept_unencrypted}
- cisco_unity = yes
-
- # And two loggers using syslog. The subsections define the facility to log
- # to, currently one of: daemon, auth.
- syslog {
- identifier = charon
- # default level to the LOG_DAEMON facility
- daemon {
- }
- # very minimalistic IKE auditing logs to LOG_AUTHPRIV
- auth {
- default = -1
- ike = 1
- ike_name = yes
- }
+# number of worker threads in charon
+threads = 16
+ikesa_table_size = 32
+ikesa_table_segments = 4
+init_limit_half_open = 1000
+install_routes = no
+{$i_dont_care_about_security_and_use_aggressive_mode_psk}
+{$accept_unencrypted}
+cisco_unity = yes
+
+# And two loggers using syslog. The subsections define the facility to log
+# to, currently one of: daemon, auth.
+syslog {
+ identifier = charon
+ # default level to the LOG_DAEMON facility
+ daemon {
}
+ # very minimalistic IKE auditing logs to LOG_AUTHPRIV
+ auth {
+ default = -1
+ ike = 1
+ ike_name = yes
+ }
+}
EOD;
- $strongswan .= "\tplugins {\n";
-
- if (is_array($a_client) && isset($a_client['enable'])) {
- $strongswan .= "\t\tattr {\n";
- if ($a_client['pool_address'] && $a_client['pool_netbits'])
- $strongswan .= "\t\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
-
- $cfgservers = array();
- if (!empty($a_client['dns_server1']))
- $cfgservers[] = $a_client['dns_server1'];
- if (!empty($a_client['dns_server2']))
- $cfgservers[] = $a_client['dns_server2'];
- if (!empty($a_client['dns_server3']))
- $cfgservers[] = $a_client['dns_server3'];
- if (!empty($a_client['dns_server4']))
- $cfgservers[] = $a_client['dns_server4'];
-
- if (!empty($cfgservers))
- $strongswan .= "\t\t\tdns = " . implode(",", $cfgservers) . "\n";
- unset($cfgservers);
- $cfgservers = array();
- if (!empty($a_client['wins_server1']))
- $cfgservers[] = $a_client['wins_server1'];
- if (!empty($a_client['wins_server2']))
- $cfgservers[] = $a_client['wins_server2'];
- if (!empty($cfgservers))
- $strongswan .= "\t\t\tnbns = " . implode(",", $cfgservers) . "\n";
- unset($cfgservers);
-
- if (isset($a_client['net_list'])) {
- $net_list = '';
- foreach ($a_phase2 as $ph2ent) {
- if (isset($ph2ent['disabled']))
- continue;
-
- if (!isset($ph2ent['mobile']))
- continue;
+ $strongswan .= "\tplugins {\n";
+
+ if (is_array($a_client) && isset($a_client['enable'])) {
+ $strongswan .= "\t\tattr {\n";
+ if ($a_client['pool_address'] && $a_client['pool_netbits'])
+ $strongswan .= "\t\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
+
+ $cfgservers = array();
+ if (!empty($a_client['dns_server1']))
+ $cfgservers[] = $a_client['dns_server1'];
+ if (!empty($a_client['dns_server2']))
+ $cfgservers[] = $a_client['dns_server2'];
+ if (!empty($a_client['dns_server3']))
+ $cfgservers[] = $a_client['dns_server3'];
+ if (!empty($a_client['dns_server4']))
+ $cfgservers[] = $a_client['dns_server4'];
+
+ if (!empty($cfgservers))
+ $strongswan .= "\t\t\tdns = " . implode(",", $cfgservers) . "\n";
+ unset($cfgservers);
+ $cfgservers = array();
+ if (!empty($a_client['wins_server1']))
+ $cfgservers[] = $a_client['wins_server1'];
+ if (!empty($a_client['wins_server2']))
+ $cfgservers[] = $a_client['wins_server2'];
+ if (!empty($cfgservers))
+ $strongswan .= "\t\t\tnbns = " . implode(",", $cfgservers) . "\n";
+ unset($cfgservers);
+
+ if (isset($a_client['net_list'])) {
+ $net_list = '';
+ foreach ($a_phase2 as $ph2ent) {
+ if (isset($ph2ent['disabled']))
+ continue;
- $localid = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
+ if (!isset($ph2ent['mobile']))
+ continue;
- if (!empty($net_list))
- $net_list .= ",";
- $net_list .= $localid;
- }
+ $localid = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
- if (!empty($net_list)) {
- $strongswan .= "\t\t\tsplit-include = {$net_list}\n";
- unset($net_list);
- }
+ if (!empty($net_list))
+ $net_list .= ",";
+ $net_list .= $localid;
}
- if (!empty($a_client['dns_domain'])) {
- $strongswan .= "\t\t\t# Search domain and default domain\n";
- $strongswan .= "\t\t\t28674 = {$a_client['dns_domain']}\n";
- if (empty($a_client['dns_split']))
- $strongswan .= "\t\t\t28675 = {$a_client['dns_domain']}";
- $strongswan .= "\n";
+ if (!empty($net_list)) {
+ $strongswan .= "\t\t\tsplit-include = {$net_list}\n";
+ unset($net_list);
}
+ }
- if (!empty($a_client['dns_split'])) {
- $strongswan .= "\t\t\t28675 = {$a_client['dns_split']}\n";
- }
-
- if (!empty($a_client['login_banner']))
- $strongswan .= "\t\t\t28672 = {$a_client['login_banner']}\n";
-
- if (isset($a_client['save_passwd']))
- $strongswan .= "\t\t\t28673 = 1\n";
+ if (!empty($a_client['dns_domain'])) {
+ $strongswan .= "\t\t\t# Search domain and default domain\n";
+ $strongswan .= "\t\t\t28674 = {$a_client['dns_domain']}\n";
+ if (empty($a_client['dns_split']))
+ $strongswan .= "\t\t\t28675 = {$a_client['dns_domain']}";
+ $strongswan .= "\n";
+ }
- if ($a_client['pfs_group'])
- $strongswan .= "\t\t\t28679 = {$a_client['pfs_group']}\n";
- $strongswan .= "\t\t}\n";
+ if (!empty($a_client['dns_split'])) {
+ $strongswan .= "\t\t\t28675 = {$a_client['dns_split']}\n";
+ }
- if ($a_client['user_source'] != "none") {
- $strongswan .= "\t\txauth-generic {\n";
- $strongswan .= "\t\t\tscript = /etc/inc/ipsec.auth-user.php\n";
- $strongswan .= "\t\t\tauthcfg = ";
- $firstsed = 0;
- $authcfgs = explode(",", $a_client['user_source']);
- foreach ($authcfgs as $authcfg) {
- if ($firstsed > 0)
- $strongswan .= ",";
- if ($authcfg == "system")
- $authcfg = "Local Database";
- $strongswan .= $authcfg;
- $firstsed = 1;
- }
- $strongswan .= "\n";
- $strongswan .= "\t\t}\n";
+ if (!empty($a_client['login_banner']))
+ $strongswan .= "\t\t\t28672 = {$a_client['login_banner']}\n";
+
+ if (isset($a_client['save_passwd']))
+ $strongswan .= "\t\t\t28673 = 1\n";
+
+ if ($a_client['pfs_group'])
+ $strongswan .= "\t\t\t28679 = {$a_client['pfs_group']}\n";
+ $strongswan .= "\t\t}\n";
+
+ if ($a_client['user_source'] != "none") {
+ $strongswan .= "\t\txauth-generic {\n";
+ $strongswan .= "\t\t\tscript = /etc/inc/ipsec.auth-user.php\n";
+ $strongswan .= "\t\t\tauthcfg = ";
+ $firstsed = 0;
+ $authcfgs = explode(",", $a_client['user_source']);
+ foreach ($authcfgs as $authcfg) {
+ if ($firstsed > 0)
+ $strongswan .= ",";
+ if ($authcfg == "system")
+ $authcfg = "Local Database";
+ $strongswan .= $authcfg;
+ $firstsed = 1;
}
+ $strongswan .= "\n";
+ $strongswan .= "\t\t}\n";
}
+ }
- $strongswan .= "\t}\n}\n";
- @file_put_contents("{$g['varetc_path']}/ipsec/strongswan.conf", $strongswan);
- unset($strongswan);
+ $strongswan .= "\t}\n}\n";
+ @file_put_contents("{$g['varetc_path']}/ipsec/strongswan.conf", $strongswan);
+ unset($strongswan);
- /* generate CA certificates files */
- if (is_array($config['ca']) && count($config['ca'])) {
- foreach ($config['ca'] as $ca) {
- if (!isset($ca['crt'])) {
- log_error(sprintf(gettext("Error: Invalid certificate info for %s"), $ca['descr']));
- continue;
- }
- $cert = base64_decode($ca['crt']);
- $x509cert = openssl_x509_parse(openssl_x509_read($cert));
- if (!is_array($x509cert) || !isset($x509cert['hash'])) {
- log_error(sprintf(gettext("Error: Invalid certificate hash info for %s"), $ca['descr']));
- continue;
- }
- $fname = "{$capath}/{$x509cert['hash']}.0.crt";
- if (!@file_put_contents($fname, $cert)) {
- log_error(sprintf(gettext("Error: Cannot write IPsec CA file for %s"), $ca['descr']));
- continue;
- }
- unset($cert);
+ /* generate CA certificates files */
+ if (is_array($config['ca']) && count($config['ca'])) {
+ foreach ($config['ca'] as $ca) {
+ if (!isset($ca['crt'])) {
+ log_error(sprintf(gettext("Error: Invalid certificate info for %s"), $ca['descr']));
+ continue;
+ }
+ $cert = base64_decode($ca['crt']);
+ $x509cert = openssl_x509_parse(openssl_x509_read($cert));
+ if (!is_array($x509cert) || !isset($x509cert['hash'])) {
+ log_error(sprintf(gettext("Error: Invalid certificate hash info for %s"), $ca['descr']));
+ continue;
+ }
+ $fname = "{$capath}/{$x509cert['hash']}.0.crt";
+ if (!@file_put_contents($fname, $cert)) {
+ log_error(sprintf(gettext("Error: Cannot write IPsec CA file for %s"), $ca['descr']));
+ continue;
}
+ unset($cert);
}
+ }
- $pskconf = "";
+ $pskconf = "";
- if (is_array($a_phase1) && count($a_phase1)) {
- foreach ($a_phase1 as $ph1ent) {
+ if (is_array($a_phase1) && count($a_phase1)) {
+ foreach ($a_phase1 as $ph1ent) {
- if (isset($ph1ent['disabled']))
- continue;
+ if (isset($ph1ent['disabled']))
+ continue;
- if (strstr($ph1ent['authentication_method'], 'rsa') || $ph1ent['authentication_method'] == 'eap-tls') {
- $certline = '';
+ if (strstr($ph1ent['authentication_method'], 'rsa') || $ph1ent['authentication_method'] == 'eap-tls') {
+ $certline = '';
- $ikeid = $ph1ent['ikeid'];
- $cert = lookup_cert($ph1ent['certref']);
+ $ikeid = $ph1ent['ikeid'];
+ $cert = lookup_cert($ph1ent['certref']);
- if (!$cert) {
- log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name']));
- continue;
- }
+ if (!$cert) {
+ log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name']));
+ continue;
+ }
- @chmod($certpath, 0600);
+ @chmod($certpath, 0600);
- $ph1keyfile = "{$keypath}/cert-{$ikeid}.key";
- if (!file_put_contents($ph1keyfile, base64_decode($cert['prv']))) {
- log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name']));
- continue;
- }
- @chmod($ph1keyfile, 0600);
+ $ph1keyfile = "{$keypath}/cert-{$ikeid}.key";
+ if (!file_put_contents($ph1keyfile, base64_decode($cert['prv']))) {
+ log_error(sprintf(gettext("Error: Cannot write phase1 key file for %s"), $ph1ent['name']));
+ continue;
+ }
+ @chmod($ph1keyfile, 0600);
- $ph1certfile = "{$certpath}/cert-{$ikeid}.crt";
- if (!file_put_contents($ph1certfile, base64_decode($cert['crt']))) {
- log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name']));
- @unlink($ph1keyfile);
- continue;
- }
- @chmod($ph1certfile, 0600);
+ $ph1certfile = "{$certpath}/cert-{$ikeid}.crt";
+ if (!file_put_contents($ph1certfile, base64_decode($cert['crt']))) {
+ log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name']));
+ @unlink($ph1keyfile);
+ continue;
+ }
+ @chmod($ph1certfile, 0600);
- /* XXX" Traffic selectors? */
- $pskconf .= " : RSA {$ph1keyfile}\n";
- } else {
- list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
- list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
+ /* XXX" Traffic selectors? */
+ $pskconf .= " : RSA {$ph1keyfile}\n";
+ } else {
+ list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
+ list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
- if (empty($peerid_data))
- continue;
+ if (empty($peerid_data))
+ continue;
- $myid = isset($ph1ent['mobile']) ? trim($myid_data) . " " : "";
- $peerid = ($peerid_data != "allusers") ? trim($peerid_data) : "";
- if (!empty($ph1ent['pre-shared-key']))
- $pskconf .= $myid . $peerid . " : PSK \"" . trim($ph1ent['pre-shared-key']) . "\"\n";
- }
+ $myid = isset($ph1ent['mobile']) ? trim($myid_data) . " " : "";
+ $peerid = ($peerid_data != "allusers") ? trim($peerid_data) : "";
+ if (!empty($ph1ent['pre-shared-key']))
+ $pskconf .= $myid . $peerid . " : PSK \"" . trim($ph1ent['pre-shared-key']) . "\"\n";
}
}
+ }
- /* Add user PSKs */
- if (is_array($config['system']) && is_array($config['system']['user'])) {
- foreach ($config['system']['user'] as $user) {
- if (!empty($user['ipsecpsk'])) {
- $pskconf .= "{$user['name']} : PSK \"{$user['ipsecpsk']}\"\n";
- }
+ /* Add user PSKs */
+ if (is_array($config['system']) && is_array($config['system']['user'])) {
+ foreach ($config['system']['user'] as $user) {
+ if (!empty($user['ipsecpsk'])) {
+ $pskconf .= "{$myid} {$user['name']} : PSK \"{$user['ipsecpsk']}\"\n";
}
- unset($user);
}
+ unset($user);
+ }
- /* add PSKs for mobile clients */
- if (is_array($ipseccfg['mobilekey'])) {
- foreach ($ipseccfg['mobilekey'] as $key) {
- if ($key['ident'] == "allusers")
- $key['ident'] = '';
- $pskconf .= "{$key['ident']} : PSK \"{$key['pre-shared-key']}\"\n";
- }
- unset($key);
+ /* add PSKs for mobile clients */
+ if (is_array($ipseccfg['mobilekey'])) {
+ foreach ($ipseccfg['mobilekey'] as $key) {
+ if ($key['ident'] == "allusers")
+ $key['ident'] = '';
+ $pskconf .= "{$myid} {$key['ident']} : PSK \"{$key['pre-shared-key']}\"\n";
}
+ unset($key);
+ }
- @file_put_contents("{$g['varetc_path']}/ipsec/ipsec.secrets", $pskconf);
- chmod("{$g['varetc_path']}/ipsec/ipsec.secrets", 0600);
- unset($pskconf);
+ @file_put_contents("{$g['varetc_path']}/ipsec/ipsec.secrets", $pskconf);
+ chmod("{$g['varetc_path']}/ipsec/ipsec.secrets", 0600);
+ unset($pskconf);
- $natfilterrules = false;
- /* begin ipsec.conf */
- $ipsecconf = "";
- if (is_array($a_phase1) && count($a_phase1)) {
+ $natfilterrules = false;
+ /* begin ipsec.conf */
+ $ipsecconf = "";
+ if (is_array($a_phase1) && count($a_phase1)) {
- $ipsecconf .= "# This file is automatically generated. Do not edit\n";
- $ipsecconf .= "config setup\n\tuniqueids = yes\n";
- $ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n";
+ $ipsecconf .= "# This file is automatically generated. Do not edit\n";
+ $ipsecconf .= "config setup\n\tuniqueids = yes\n";
+ $ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n";
- foreach ($a_phase1 as $ph1ent) {
- if (isset($ph1ent['disabled']))
- continue;
+ foreach ($a_phase1 as $ph1ent) {
+ if (isset($ph1ent['disabled']))
+ continue;
- if ($ph1ent['mode'] == "aggressive")
- $aggressive = "yes";
- else
- $aggressive = "no";
-
- $ep = ipsec_get_phase1_src($ph1ent);
- if (!$ep)
- continue;
+ if ($ph1ent['mode'] == "aggressive")
+ $aggressive = "yes";
+ else
+ $aggressive = "no";
+
+ $ep = ipsec_get_phase1_src($ph1ent);
+ if (!$ep)
+ continue;
+
+ $ikeid = $ph1ent['ikeid'];
+ $keyexchange = "ikev1";
+ $passive = "route";
+ if (!empty($ph1ent['iketype'])) {
+ if ($ph1ent['iketype'] == "ikev2") {
+ $keyexchange = "ikev2";
+ //$passive = "start";
+ } else if ($ph1ent['iketype'] == "auto")
+ $keyexchange = "ike";
+ }
- $ikeid = $ph1ent['ikeid'];
- $keyexchange = "ikev1";
- $passive = "route";
- if (!empty($ph1ent['iketype'])) {
- if ($ph1ent['iketype'] == "ikev2") {
- $keyexchange = "ikev2";
- //$passive = "start";
- } else if ($ph1ent['iketype'] == "auto")
- $keyexchange = "ike";
- }
+ if (isset($ph1ent['mobile'])) {
+ $right_spec = "%any";
+ $passive = 'add';
+ } else
+ $right_spec = $ph1ent['remote-gateway'];
+
+ list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
+ list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
+
+ /* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
+ $peerid_spec = '';
+ if (!isset($ph1ent['mobile']))
+ $peerid_spec = $peerid_data;
+
+ if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
+ $ealgosp1 = '';
+ $ealg_id = $ph1ent['encryption-algorithm']['name'];
+ $ealg_kl = $ph1ent['encryption-algorithm']['keylen'];
+ if ($ealg_kl)
+ $ealgosp1 = "ike = {$ealg_id}{$ealg_kl}-{$ph1ent['hash-algorithm']}";
+ else
+ $ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}";
- if (isset($ph1ent['mobile'])) {
- $right_spec = "%any";
- $passive = 'add';
- } else
- $right_spec = $ph1ent['remote-gateway'];
+ $modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']);
+ if (!empty($modp))
+ $ealgosp1 .= "-{$modp}";
- list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
- list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
+ $ealgosp1 .= "!";
+ }
- /* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
- $peerid_spec = '';
- if (!isset($ph1ent['mobile']))
- $peerid_spec = $peerid_data;
-
- if (is_array($ph1ent['encryption-algorithm']) && !empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
- $ealgosp1 = '';
- $ealg_id = $ph1ent['encryption-algorithm']['name'];
- $ealg_kl = $ph1ent['encryption-algorithm']['keylen'];
- if ($ealg_kl)
- $ealgosp1 = "ike = {$ealg_id}{$ealg_kl}-{$ph1ent['hash-algorithm']}";
- else
- $ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}";
-
- $modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']);
- if (!empty($modp))
- $ealgosp1 .= "-{$modp}";
-
- $ealgosp1 .= "!";
- }
+ if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) {
+ if ($passive == "route")
+ $dpdline = "dpdaction = restart";
+ else
+ $dpdline = "dpdaction = clear";
+ $dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s";
+ $dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1);
+ $dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s";
+ } else
+ $dpdline = "dpdaction = none";
+
+ $ikelifeline = '';
+ if ($ph1ent['lifetime'])
+ $ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s";
+
+ $rightsourceip = NULL;
+ if (isset($ph1ent['mobile']) && !empty($a_client['pool_address']))
+ $rightsourceip = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
+
+ $authentication = "";
+ switch ($ph1ent['authentication_method']) {
+ case 'eap-tls':
+ $authentication = "leftauth=eap-tls\n\trightauth=eap-tls";
+ if (!empty($ph1ent['certref']))
+ $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+ break;
+ case 'xauth_rsa_server':
+ $authentication = "leftauth = pubkey\n\trightauth = pubkey";
+ $authentication .= "\n\trightauth2 = xauth-generic";
+ if (!empty($ph1ent['certref']))
+ $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+ break;
+ case 'xauth_psk_server':
+ $authentication = "leftauth = psk\n\trightauth = psk";
+ $authentication .= "\n\trightauth2 = xauth-generic";
+ break;
+ case 'pre_shared_key':
+ $authentication = "leftauth = psk\n\trightauth = psk";
+ break;
+ case 'rsasig':
+ $authentication = "leftauth = pubkey\n\trightauth = pubkey";
+ if (!empty($ph1ent['certref']))
+ $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+ break;
+ case 'hybrid_rsa_server':
+ $authentication = "leftauth = xauth-generic\n\trightauth = pubkey";
+ $authentication .= "\n\trightauth2 = xauth";
+ if (!empty($ph1ent['certref']))
+ $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+ break;
+ }
- if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) {
- if ($passive == "route")
- $dpdline = "dpdaction = restart";
- else
- $dpdline = "dpdaction = clear";
- $dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s";
- $dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1);
- $dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s";
- } else
- $dpdline = "dpdaction = none";
-
- $ikelifeline = '';
- if ($ph1ent['lifetime'])
- $ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s";
-
- $rightsourceip = NULL;
- if (isset($ph1ent['mobile']) && !empty($a_client['pool_address']))
- $rightsourceip = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
-
- $authentication = "";
- switch ($ph1ent['authentication_method']) {
- case 'eap-tls':
- $authentication = "leftauth=eap-tls\n\trightauth=eap-tls";
- if (!empty($ph1ent['certref']))
- $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
- break;
- case 'xauth_rsa_server':
- $authentication = "leftauth = pubkey\n\trightauth = pubkey";
- $authentication .= "\n\trightauth2 = xauth-generic";
- if (!empty($ph1ent['certref']))
- $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
- break;
- case 'xauth_psk_server':
- $authentication = "leftauth = psk\n\trightauth = psk";
- $authentication .= "\n\trightauth2 = xauth-generic";
- break;
- case 'pre_shared_key':
- $authentication = "leftauth = psk\n\trightauth = psk";
- break;
- case 'rsasig':
- $authentication = "leftauth = pubkey\n\trightauth = pubkey";
- if (!empty($ph1ent['certref']))
- $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
- break;
- case 'hybrid_rsa_server':
- $authentication = "leftauth = xauth-generic\n\trightauth = pubkey";
- $authentication .= "\n\trightauth2 = xauth";
- if (!empty($ph1ent['certref']))
- $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
- break;
- }
+ $left_spec = $ep;
- $left_spec = $ep;
+ if (isset($ph1ent['reauth_enable']))
+ $reauth = "reauth = no";
+ else
+ $reauth = "reauth = yes";
+ if (isset($ph1ent['rekey_enable']))
+ $rekey = "rekey = no";
+ else
+ $rekey = "rekey = yes";
- if (isset($ph1ent['reauth_enable']))
- $reauth = "reauth = no";
- else
- $reauth = "reauth = yes";
- if (isset($ph1ent['rekey_enable']))
- $rekey = "rekey = no";
- else
- $rekey = "rekey = yes";
+ if ($ph1ent['nat_traversal'] == 'off')
+ $forceencaps = 'forceencaps = no';
+ else if ($ph1ent['nat_traversal'] == 'force')
+ $forceencaps = 'forceencaps = yes';
+ else
+ $forceencaps = 'forceencaps = no';
+
+ $ipseclifetime = 0;
+ $rightsubnet_spec = array();
+ $leftsubnet_spec = array();
+ $ealgoAHsp2arr = array();
+ $ealgoESPsp2arr = array();
+ if (is_array($a_phase2) && count($a_phase2)) {
+ foreach ($a_phase2 as $ph2ent) {
+ if ($ikeid != $ph2ent['ikeid'])
+ continue;
- if ($ph1ent['nat_traversal'] == 'off')
- $forceencaps = 'forceencaps = no';
- else if ($ph1ent['nat_traversal'] == 'force')
- $forceencaps = 'forceencaps = yes';
- else
- $forceencaps = 'forceencaps = no';
-
- $ipseclifetime = 0;
- $rightsubnet_spec = array();
- $leftsubnet_spec = array();
- $ealgoAHsp2arr = array();
- $ealgoESPsp2arr = array();
- if (is_array($a_phase2) && count($a_phase2)) {
- foreach ($a_phase2 as $ph2ent) {
- if ($ikeid != $ph2ent['ikeid'])
- continue;
+ if (isset($ph2ent['disabled']))
+ continue;
- if (isset($ph2ent['disabled']))
- continue;
+ if (isset($ph2ent['mobile']) && !isset($a_client['enable']))
+ continue;
- if (isset($ph2ent['mobile']) && !isset($a_client['enable']))
- continue;
+ if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
+ $tunneltype = "type = tunnel";
- if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
- $tunneltype = "type = tunnel";
+ $localid_type = $ph2ent['localid']['type'];
+ $leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
- $localid_type = $ph2ent['localid']['type'];
- $leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
- /* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
- if (($localid_type == "none" || $localid_type == "mobile")
- && isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid)==1)) {
- $left_spec = '%any';
- } else {
- if ($localid_type != "address") {
- $localid_type = "subnet";
- }
- // Don't let an empty subnet into config, it can cause parse errors. Ticket #2201.
- if (!is_ipaddr($leftsubnet_data) && !is_subnet($leftsubnet_data) && ($leftsubnet_data != "0.0.0.0/0")) {
- log_error("Invalid IPsec Phase 2 \"{$ph2ent['descr']}\" - {$ph2ent['localid']['type']} has no subnet.");
- continue;
- }
- if (!empty($ph2ent['natlocalid'])) {
- $natleftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']);
- if ($ph2ent['natlocalid']['type'] != "address") {
- if (is_subnet($natleftsubnet_data))
- $leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
- } else {
- if (is_ipaddr($natleftsubnet_data))
- $leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
- }
- $natfilterrules = true;
+ /* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
+ if (($localid_type == "none" || $localid_type == "mobile")
+ && isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ikeid)==1)) {
+ $left_spec = '%any';
+ } else {
+ if ($localid_type != "address") {
+ $localid_type = "subnet";
+ }
+ // Don't let an empty subnet into config, it can cause parse errors. Ticket #2201.
+ if (!is_ipaddr($leftsubnet_data) && !is_subnet($leftsubnet_data) && ($leftsubnet_data != "0.0.0.0/0")) {
+ log_error("Invalid IPsec Phase 2 \"{$ph2ent['descr']}\" - {$ph2ent['localid']['type']} has no subnet.");
+ continue;
+ }
+ if (!empty($ph2ent['natlocalid'])) {
+ $natleftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['natlocalid'], false, $ph2ent['mode']);
+ if ($ph2ent['natlocalid']['type'] != "address") {
+ if (is_subnet($natleftsubnet_data))
+ $leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
+ } else {
+ if (is_ipaddr($natleftsubnet_data))
+ $leftsubnet_data = "{$natleftsubnet_data}|{$leftsubnet_data}";
}
+ $natfilterrules = true;
}
+ }
- if (empty($leftsubnet_spec[$leftsubnet_data]))
- $leftsubnet_spec[$leftsubnet_data] = $leftsubnet_data;
+ $leftsubnet_spec[] = $leftsubnet_data;
- if (!isset($ph2ent['mobile'])) {
- $tmpsubnet = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
- if (empty($rightsubnet_spec[$tmpsubnet]))
- $rightsubnet_spec[$tmpsubnet] = $tmpsubnet;
- } else if (!empty($a_client['pool_address'])) {
- if (empty($rightsubnet_spec["{$a_client['pool_address']}/{$a_client['pool_netbits']}"]))
- $rightsubnet_spec["{$a_client['pool_address']}/{$a_client['pool_netbits']}"] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
- }
- } else {
- $tunneltype = "type = transport";
+ if (!isset($ph2ent['mobile'])) {
+ $tmpsubnet = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
+ $rightsubnet_spec[] = $tmpsubnet;
+ } else if (!empty($a_client['pool_address'])) {
+ $rightsubnet_spec[] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
+ }
+ } else {
+ $tunneltype = "type = transport";
- if ((($ph1ent['authentication_method'] == "xauth_psk_server") ||
- ($ph1ent['authentication_method'] == "pre_shared_key")) && isset($ph1ent['mobile'])) {
- $left_spec = "%any";
- } else {
- $tmpsubnet = ipsec_get_phase1_src($ph1ent);
- if ($leftsubnet_spec[$tmpsubnet])
- $leftsubnet_spec[$tmpsubnet] = $tmpsubnet;
- }
+ if ((($ph1ent['authentication_method'] == "xauth_psk_server") ||
+ ($ph1ent['authentication_method'] == "pre_shared_key")) && isset($ph1ent['mobile'])) {
+ $left_spec = "%any";
+ } else {
+ $tmpsubnet = ipsec_get_phase1_src($ph1ent);
+ $leftsubnet_spec[] = $tmpsubnet;
+ }
- if (!isset($ph2ent['mobile'])) {
- if (empty($rightsubnet_spec[$right_spec]))
- $rightsubnet_spec[$right_spec] = $right_spec;
- }
+ if (!isset($ph2ent['mobile'])) {
+ $rightsubnet_spec[] = $right_spec;
}
+ }
- if (isset($a_client['pfs_group']))
- $ph2ent['pfsgroup'] = $a_client['pfs_group'];
-
- if ($ph2ent['protocol'] == 'esp') {
- if (is_array($ph2ent['encryption-algorithm-option'])) {
- foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
- $ealg_id = $ealg['name'];
- $ealg_kl = $ealg['keylen'];
-
- if (!empty($ealg_kl) && $ealg_kl == "auto") {
- if (empty($p2_ealgos) || !is_array($p2_ealgos))
- require("ipsec.inc");
- $key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
- $key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
- $key_step = $p2_ealgos[$ealg_id]['keysel']['step'];
- /* XXX: in some cases where include ordering is suspect these variables
- * are somehow 0 and we enter this loop forever and timeout after 900
- * seconds wrecking bootup */
- if ($key_hi != 0 and $key_lo !=0 and $key_step !=0) {
- for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
- if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
- foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
- $halgo = str_replace('hmac_', '', $halgo);
- $tmpealgo = "{$ealg_id}{$keylen}-{$halgo}";
- $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
- if (!empty($modp))
- $tmpealgo .= "-{$modp}";
- $ealgoESPsp2arr[] = $tmpealgo;
- }
- } else {
- $tmpealgo = "{$ealg_id}{$keylen}";
+ if (isset($a_client['pfs_group']))
+ $ph2ent['pfsgroup'] = $a_client['pfs_group'];
+
+ if ($ph2ent['protocol'] == 'esp') {
+ if (is_array($ph2ent['encryption-algorithm-option'])) {
+ foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
+ $ealg_id = $ealg['name'];
+ $ealg_kl = $ealg['keylen'];
+
+ if (!empty($ealg_kl) && $ealg_kl == "auto") {
+ if (empty($p2_ealgos) || !is_array($p2_ealgos))
+ require("ipsec.inc");
+ $key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
+ $key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
+ $key_step = $p2_ealgos[$ealg_id]['keysel']['step'];
+ /* XXX: in some cases where include ordering is suspect these variables
+ * are somehow 0 and we enter this loop forever and timeout after 900
+ * seconds wrecking bootup */
+ if ($key_hi != 0 and $key_lo !=0 and $key_step !=0) {
+ for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) {
+ if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
+ foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
+ $halgo = str_replace('hmac_', '', $halgo);
+ $tmpealgo = "{$ealg_id}{$keylen}-{$halgo}";
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp))
$tmpealgo .= "-{$modp}";
$ealgoESPsp2arr[] = $tmpealgo;
}
- }
- }
- } else {
- if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
- foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
- $halgo = str_replace('hmac_', '', $halgo);
- $tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}";
+ } else {
+ $tmpealgo = "{$ealg_id}{$keylen}";
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp))
$tmpealgo .= "-{$modp}";
$ealgoESPsp2arr[] = $tmpealgo;
}
- } else {
- $tmpealgo = "{$ealg_id}{$ealg_kl}";
+ }
+ }
+ } else {
+ if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
+ foreach ($ph2ent['hash-algorithm-option'] as $halgo) {
+ $halgo = str_replace('hmac_', '', $halgo);
+ $tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}";
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp))
$tmpealgo .= "-{$modp}";
$ealgoESPsp2arr[] = $tmpealgo;
}
+ } else {
+ $tmpealgo = "{$ealg_id}{$ealg_kl}";
+ $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
+ if (!empty($modp))
+ $tmpealgo .= "-{$modp}";
+ $ealgoESPsp2arr[] = $tmpealgo;
}
}
}
- } else if ($ph2ent['protocol'] == 'ah') {
- if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
- $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
- foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) {
- $tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo);
- if (!empty($modp))
- $tmpAHalgo = "-{$modp}";
- $ealgoAHsp2arr[] = $tmpAHalgo;
- }
+ }
+ } else if ($ph2ent['protocol'] == 'ah') {
+ if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
+ $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
+ foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) {
+ $tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo);
+ if (!empty($modp))
+ $tmpAHalgo = "-{$modp}";
+ $ealgoAHsp2arr[] = $tmpAHalgo;
}
}
+ }
- if (!empty($ph2ent['lifetime'])) {
- if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime']))
- $ipseclifetime = intval($ph2ent['lifetime']);
- }
-
+ if (!empty($ph2ent['lifetime'])) {
+ if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime']))
+ $ipseclifetime = intval($ph2ent['lifetime']);
}
- }
- $ipsecconf .=<<<EOD
+ }
+ }
-conn con{$ph1ent['ikeid']}
+ $ipsecconnect =<<<EOD
fragmentation = yes
keyexchange = {$keyexchange}
{$reauth}
{$forceencaps}
{$rekey}
- reqid = {$ikeid}
installpolicy = yes
{$tunneltype}
{$dpdline}
@@ -822,31 +816,62 @@ conn con{$ph1ent['ikeid']}
EOD;
- if (!empty($ikelifeline))
- $ipsecconf .= "\t{$ikelifeline}\n";
- if ($ipseclifetime > 0)
- $ipsecconf .= "\tlifetime = {$ipseclifetime}s\n";
- if (!empty($rightsourceip))
- $ipsecconf .= "{$rightsourceip}";
- if (!empty($rightsubnet_spec))
- $ipsecconf .= "\trightsubnet = " . join(",", $rightsubnet_spec) . "\n";
- if (!empty($leftsubnet_spec))
- $ipsecconf .= "\tleftsubnet = " . join(",", $leftsubnet_spec) . "\n";
- if (!empty($ealgosp1))
- $ipsecconf .= "\t{$ealgosp1}\n";
- if (!empty($ealgoAHsp2arr))
- $ipsecconf .= "\tah = " . join(',', $ealgoAHsp2arr) . "!\n";
- if (!empty($ealgoESPsp2arr))
- $ipsecconf .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n";
- if (!empty($authentication))
- $ipsecconf .= "\t{$authentication}\n";
- if (!empty($peerid_spec))
- $ipsecconf .= "\trightid = {$peerid_spec}\n";
- if ($keyexchange == 'ikev1')
- $ipsecconf .= "\taggressive = {$aggressive}\n";
+ if (!empty($ikelifeline))
+ $ipsecconnect .= "\t{$ikelifeline}\n";
+ if ($ipseclifetime > 0)
+ $ipsecconnect .= "\tlifetime = {$ipseclifetime}s\n";
+ if (!empty($rightsourceip))
+ $ipsecconnect .= "{$rightsourceip}";
+ if (!empty($ealgosp1))
+ $ipsecconnect .= "\t{$ealgosp1}\n";
+ if (!empty($ealgoAHsp2arr))
+ $ipsecconnect .= "\tah = " . join(',', $ealgoAHsp2arr) . "!\n";
+ if (!empty($ealgoESPsp2arr))
+ $ipsecconnect .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n";
+ if (!empty($authentication))
+ $ipsecconnect .= "\t{$authentication}\n";
+ if (!empty($peerid_spec))
+ $ipsecconnect .= "\trightid = {$peerid_spec}\n";
+ if ($keyexchange == 'ikev1')
+ $ipsecconnect .= "\taggressive = {$aggressive}\n";
+
+ if (!isset($ph1ent['mobile']) && $keyexchange == 'ikev1') {
+ if (!empty($rightsubnet_spec)) {
+ $ipsecfin = '';
+ foreach ($rightsubnet_spec as $idx => $rsubnet) {
+ $ipsecfin .= "\nconn con{$ph1ent['ikeid']}00{$idx}\n";
+ $ipsecfin .= "\treqid = {$ikeid}00{$idx}\n";
+ $ipsecfin .= $ipsecconnect;
+ $ipsecfin .= "\trightsubnet = {$rsubnet}\n";
+ $ipsecfin .= "\tleftsubnet = " . $leftsubnet_spec[$idx] . "\n";
+ }
+ } else
+ log_error("No phase2 specifications for tunnel with REQID = {$ikeid}");
+ } else {
+ $ipsecfin = "\nconn con{$ph1ent['ikeid']}\n";
+ $ipsecfin .= "\treqid = {$ikeid}\n";
+ $ipsecfin .= $ipsecconnect;
+ if (!empty($rightsubnet_spec)) {
+ $tempsubnets = array();
+ foreach ($rightsubnet_spec as $rightsubnet)
+ $tempsubnets[$rightsubnet] = $rightsubnet;
+ $ipsecfin .= "\trightsubnet = " . join(",", $tempsubnets) . "\n";
+ unset($tempsubnets, $rightsubnet);
+ }
+ if (!empty($leftsubnet_spec)) {
+ $tempsubnets = array();
+ foreach ($leftsubnet_spec as $leftsubnet)
+ $tempsubnets[$leftsubnet] = $leftsubnet;
+ $ipsecfin .= "\tleftsubnet = " . join(",", $leftsubnet_spec) . "\n";
+ unset($tempsubnets, $leftsubnet);
+ }
}
+ $ipsecconf .= $ipsecfin;
+ unset($ipsecfin);
+
}
}
+
@file_put_contents("{$g['varetc_path']}/ipsec/ipsec.conf", $ipsecconf);
unset($ipsecconf);
/* end ipsec.conf */
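Review bot: The leftsubnet de-duplication in the single-conn branch is dead work: the `if (!empty($leftsubnet_spec))` block collects unique values into `$tempsubnets` but then joins `$leftsubnet_spec`, so duplicate leftsubnet entries still reach ipsec.conf while the rightsubnet block just above correctly joins `$tempsubnets`; the line should read `$ipsecfin .= "\tleftsubnet = " . join(",", $tempsubnets) . "\n";`. In the non-mobile IKEv1 branch `$ipsecfin` is assigned only inside the `foreach`, so when `$rightsubnet_spec` is empty the `$ipsecconf .= $ipsecfin;` after the branch reads a variable that was `unset()` at the end of the previous iteration; initialising `$ipsecfin = '';` before `if (!isset($ph1ent['mobile']) && $keyexchange == 'ikev1')` keeps that path clean. The per-index pairing `$leftsubnet_spec[$idx]` assumes both arrays are appended in lockstep for every accepted phase 2, which appears to hold for the tunnel and transport paths earlier in the function but deserves a comment such as `/* leftsubnet_spec and rightsubnet_spec are appended together per phase 2; keep them in step */`. The enclosing `foreach ($a_phase1 as $ph1ent)` and the function itself begin before this hunk.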
diff --git a/etc/rc b/etc/rc
index 601f3f3..52d342d 100755
--- a/etc/rc
+++ b/etc/rc
@@ -273,6 +273,11 @@ if [ ! -L /etc/resolv.conf ]; then
/bin/ln -s /var/etc/resolv.conf /etc/resolv.conf
fi
+if [ ! -L /etc/resolvconf.conf ]; then
+ /bin/rm -rf /etc/resolvconf.conf
+ /bin/ln -s /var/etc/resolvconf.conf /etc/resolvconf.conf
+fi
+
# Setup compatibility link for packages that
# have trouble overriding the PREFIX configure
# argument since we build our packages in a
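Review bot: `/bin/rm -rf /etc/resolvconf.conf` uses recursive removal on a path that is expected to be a single file; `-r` adds nothing for a regular file and would silently delete a whole tree if the path were ever a directory, so `/bin/rm -f /etc/resolvconf.conf` is the safer form. The link is created before anything visible here has written `/var/etc/resolvconf.conf`, so it may be dangling at this point in boot; if that is intentional, a comment such as `# target is generated later, dangling link is expected here` would save the next reader a check.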
diff --git a/etc/rc.linkup b/etc/rc.linkup
index 59e2089..925260c 100755
--- a/etc/rc.linkup
+++ b/etc/rc.linkup
@@ -141,7 +141,9 @@ if (!empty($realiface)) {
foreach ($ports as $pid => $parent_if) {
/* The loop here is because ppp types can have real and assigned interfaces as members */
$tmpiface = get_real_interface($parent_if);
- $tmpiface = convert_real_interface_to_friendly_interface_name($tmpiface);
+ if ($tmpiface != $realiface)
+ continue;
+ $tmpiface = convert_real_interface_to_friendly_interface_name($ppp['if']);
if (!empty($tmpiface))
interface_configure($tmpiface, true, true);
}
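Review bot: The match test `if ($tmpiface != $realiface)` uses loose comparison where `!==` is what is meant for two interface-name strings. Once a member port matches, the loop keeps iterating even though every further match would call `interface_configure` on the same `$ppp['if']` again; a `break;` after the `interface_configure($tmpiface, true, true);` call avoids the repeated reconfiguration, assuming a real interface can belong to only one PPP member. The enclosing `foreach ($ports ...)` and `if (!empty($realiface))` block start outside this hunk.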
diff --git a/usr/local/www/diag_ipsec.php b/usr/local/www/diag_ipsec.php
index 391e29b..e6347c5 100644
--- a/usr/local/www/diag_ipsec.php
+++ b/usr/local/www/diag_ipsec.php
@@ -55,8 +55,20 @@ require("ipsec.inc");
if ($_GET['act'] == 'connect') {
if (ctype_digit($_GET['ikeid'])) {
- mwexec("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']));
- mwexec("/usr/local/sbin/ipsec up con" . escapeshellarg($_GET['ikeid']));
+ $ph1ent = ipsec_get_phase1($_GET['ikeid']);
+ if (!empty($ph1ent)) {
+ if ($ph1ent['iketype'] == 'ikev1') {
+ $ph2entries = ipsec_get_number_of_phase2($_GET['ikeid']);
+ for ($i = 0; $i < $ph2entries; $i++) {
+ $connid = escapeshellarg("con{$_GET['ikeid']}00{$i}");
+ mwexec("/usr/local/sbin/ipsec down {$connid}");
+ mwexec("/usr/local/sbin/ipsec up {$connid}");
+ }
+ } else {
+ mwexec("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid']));
+ mwexec("/usr/local/sbin/ipsec up con" . escapeshellarg($_GET['ikeid']));
+ }
+ }
}
} else if ($_GET['act'] == 'ikedisconnect') {
if (ctype_digit($_GET['ikeid'])) {
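Review bot: The branch selection `if ($ph1ent['iketype'] == 'ikev1')` does not match how vpn.inc names the connections: there the per-phase-2 names `con{ikeid}00{idx}` are emitted only when `$keyexchange == 'ikev1'` and the phase 1 is not mobile, and `$keyexchange` defaults to `ikev1` when `iketype` is empty. So a phase 1 with no `iketype` set gets single-conn commands here but multi-conn names in ipsec.conf, and a mobile IKEv1 phase 1 gets the reverse; the condition should be `if ((empty($ph1ent['iketype']) || $ph1ent['iketype'] == 'ikev1') && !isset($ph1ent['mobile'])) {`. The loop bound `ipsec_get_number_of_phase2()` also counts phase 2 entries that vpn.inc skips (disabled, mobile without the client enabled, or invalid local subnet), so the index range here can exceed the conns that actually exist; deriving both from one shared helper would keep them from drifting. The `ctype_digit` check on `$_GET['ikeid']` before the lookup and `escapeshellarg` on the built name are the right controls for the shell call and should stay.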
@@ -122,7 +134,11 @@ $status = ipsec_smp_dump_status();
if (is_array($status['query']) && is_array($status['query']['ikesalist']) && is_array($status['query']['ikesalist']['ikesa'])):
foreach ($status['query']['ikesalist']['ikesa'] as $ikeid => $ikesa):
$con_id = substr($ikesa['peerconfig'], 3);
- $ipsecconnected[$con_id] = $con_id;
+ if ($ikesa['version'] == 1) {
+ $ph1idx = substr($con_id, 0, strrpos(substr($con_id, 0, -1), '00'));
+ $ipsecconnected[$ph1idx] = $ph1idx;
+ } else
+ $ipsecconnected[$con_id] = $con_id;
if (ipsec_phase1_status($status['query']['ikesalist']['ikesa'], $ikesa['id']))
$icon = "pass";
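Review bot: The `version == 1` branch assumes every IKEv1 SA belongs to a per-phase-2 connection named `con{ikeid}00{idx}`, but vpn.inc emits a plain `con{ikeid}` for mobile phase 1 entries and for `iketype = auto` (keyexchange `ike`) even when the negotiated SA ends up as version 1; for those names `strrpos()` returns false, `substr($con_id, 0, false)` yields an empty string, and the tunnel is never marked connected. Guard the slice: `$pos = strrpos(substr($con_id, 0, -1), '00');` then `$ph1idx = ($pos === false) ? $con_id : substr($con_id, 0, $pos);`. `$ikesa['version'] == 1` is also a loose comparison; `(int)$ikesa['version'] === 1` states the intent.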
diff --git a/usr/local/www/diag_logs_filter_dynamic.php b/usr/local/www/diag_logs_filter_dynamic.php
index d4722f0..2413bf2 100755
--- a/usr/local/www/diag_logs_filter_dynamic.php
+++ b/usr/local/www/diag_logs_filter_dynamic.php
@@ -1,7 +1,7 @@
<?php
/* $Id$ */
/*
- diag_logs_filter.php
+ diag_logs_filter_dynamic.php
part of pfSesne
Copyright (C) 2004-2009 Scott Ullrich
Copyright (C) 2013-2014 Electric Sheep Fencing, LP
@@ -83,11 +83,29 @@ include("head.inc");
?>
/* Called by the AJAX updater */
function format_log_line(row) {
- var i = 0;
- var line = '<td class="listMRlr nowrap" align="center">' + row[i++] + '<\/td>';
- while (i < 6) {
- line += '<td class="listMRr nowrap">' + row[i++] + '<\/td>';
+ if ( row[8] == '6' ) {
+ srcIP = '[' + row[3] + ']';
+ dstIP = '[' + row[5] + ']';
+ } else {
+ srcIP = row[3];
+ dstIP = row[5];
}
+
+ if ( row[4] == '' )
+ srcPort = '';
+ else
+ srcPort = ':' + row[4];
+ if ( row[6] == '' )
+ dstPort = '';
+ else
+ dstPort = ':' + row[6];
+
+ var line = '<td class="listMRlr" align="center">' + row[0] + '</td>' +
+ '<td class="listMRr nowrap">' + row[1] + '</td>' +
+ '<td class="listMRr nowrap">' + row[2] + '</td>' +
+ '<td class="listMRr nowrap">' + srcIP + srcPort + '</td>' +
+ '<td class="listMRr nowrap">' + dstIP + dstPort + '</td>' +
+ '<td class="listMRr nowrap">' + row[7] + '</td>';
return line;
}
//]]>
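Review bot: `srcIP`, `dstIP`, `srcPort` and `dstPort` are assigned without `var`, so they become implicit globals on the page; declare them at the top of `format_log_line` with `var srcIP, dstIP, srcPort, dstPort;`. The fields are concatenated straight into `<td>` markup as the old code did; whether that is safe depends on the AJAX endpoint having HTML-escaped the row values already, which this file does not show, so if it has not they should be escaped here before `line` is built. `row[8] == '6'` relies on loose equality; `===` against the string the endpoint actually sends is the clearer form.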
@@ -145,7 +163,25 @@ include("head.inc");
$rowIndex = 0;
foreach ($filterlog as $filterent):
$evenRowClass = $rowIndex % 2 ? " listMReven" : " listMRodd";
- $rowIndex++;?>
+ $rowIndex++;
+ if ($filterent['version'] == '6') {
+ $srcIP = "[" . htmlspecialchars($filterent['srcip']) . "]";
+ $dstIP = "[" . htmlspecialchars($filterent['dstip']) . "]";
+ } else {
+ $srcIP = htmlspecialchars($filterent['srcip']);
+ $dstIP = htmlspecialchars($filterent['dstip']);
+ }
+
+ if ($filterent['srcport'])
+ $srcPort = ":" . htmlspecialchars($filterent['srcport']);
+ else
+ $srcPort = "";
+
+ if ($filterent['dstport'])
+ $dstPort = ":" . htmlspecialchars($filterent['dstport']);
+ else
+ $dstPort = "";
+ ?>
<tr class="<?=$evenRowClass?>">
<td class="listMRlr nowrap" align="center">
<a href="#" onclick="javascript:getURL('diag_logs_filter.php?getrulenum=<?php echo "{$filterent['rulenum']},{$filterent['act']}"; ?>', outputrule);">
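Review bot: The port checks `if ($filterent['srcport'])` and `if ($filterent['dstport'])` test truthiness, so a port value of `"0"` renders as no port while the JavaScript updater in the same file tests `row[4] == ''` and would show `:0`; `if (isset($filterent['srcport']) && $filterent['srcport'] !== '')` (and the same for `dstport`) keeps the two renderings consistent. Applying `htmlspecialchars()` while building `$srcIP`/`$dstIP`/`$srcPort`/`$dstPort` is the right place for escaping, since those variables are echoed raw further down; keep it that way if the fields are reworked.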
@@ -154,8 +190,8 @@ include("head.inc");
</td>
<td class="listMRr nowrap"><?php echo htmlspecialchars($filterent['time']);?></td>
<td class="listMRr nowrap"><?php echo htmlspecialchars($filterent['interface']);?></td>
- <td class="listMRr nowrap"><?php echo htmlspecialchars($filterent['src']);?></td>
- <td class="listMRr nowrap"><?php echo htmlspecialchars($filterent['dst']);?></td>
+ <td class="listMRr nowrap"><?php echo $srcIP . $srcPort;?></td>
+ <td class="listMRr nowrap"><?php echo $dstIP . $dstPort;?></td>
<?php
if ($filterent['proto'] == "TCP")
$filterent['proto'] .= ":{$filterent['tcpflags']}";
@@ -163,7 +199,6 @@ include("head.inc");
<td class="listMRr nowrap"><?php echo htmlspecialchars($filterent['proto']);?></td>
</tr>
<?php endforeach; ?>
- <tr style="display:none;"><td></td></tr>
</tbody>
</table>
</div>
diff --git a/usr/local/www/fbegin.inc b/usr/local/www/fbegin.inc
index 531df4c..9379885 100755
--- a/usr/local/www/fbegin.inc
+++ b/usr/local/www/fbegin.inc
@@ -433,9 +433,14 @@ echo get_shortcut_log_link($shortcut_section, true);
<?php
/* if upgrade in progress, alert user */
-if(is_subsystem_dirty('packagelock')) {
- $pgtitle = array(gettext("System"),gettext("Package Manager"));
- print_info_box(gettext("Packages are currently being reinstalled in the background.<p>Do not make changes in the GUI until this is complete.") . "<p><img src='/themes/{$g['theme']}/images/icons/icon_fw-update.gif' alt='firmware update' />");
+if (is_subsystem_dirty('packagelock') || (file_exists('/conf/needs_package_sync') && platform_booting())) {
+ if (file_exists('/conf/needs_package_sync') && platform_booting()) {
+ $info_text = sprintf(gettext("%s is booting then packages will be reinstalled in the background.<p>Do not make changes in the GUI until this is complete."), $g['product_name']);
+ } else {
+ $pgtitle = array(gettext("System"),gettext("Package Manager"));
+ $info_text = gettext("Packages are currently being reinstalled in the background.<p>Do not make changes in the GUI until this is complete.");
+ }
+ print_info_box($info_text . "<p><img src='/themes/{$g['theme']}/images/icons/icon_fw-update.gif' alt='firmware update' />");
}
$pgtitle_output = true;
?>
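Review bot: The `file_exists('/conf/needs_package_sync') && platform_booting()` test is evaluated twice in the new code, once in the outer `if` and again to choose the message, so the two can drift if either is edited later. Compute it once, `$boot_pkg_sync = file_exists('/conf/needs_package_sync') && platform_booting();`, and test that variable in both places. The new message text also reads awkwardly ("%s is booting then packages will be reinstalled"); "%s is booting; packages will then be reinstalled in the background." is clearer. Setting `$pgtitle` only on the package-lock path looks intentional but deserves a one-line comment saying so.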
diff --git a/usr/local/www/help.php b/usr/local/www/help.php
index 5e53c27..a6a5e27 100644
--- a/usr/local/www/help.php
+++ b/usr/local/www/help.php
@@ -14,8 +14,8 @@ $helppages = array(
/* These pages are confirmed to work and have usable content */
'index.php' => 'https://doc.pfsense.org/index.php/Dashboard',
'license.php' => 'https://www.pfsense.org/about-pfsense/#legal',
- 'miniupnpd.xml' => 'https://doc.pfsense.org/index.php/What_is_UPnP',
- 'status_upnp.php' => 'https://doc.pfsense.org/index.php/What_is_UPnP',
+ 'miniupnpd.xml' => 'https://doc.pfsense.org/index.php/What_are_UPnP_and_NAT-PMP',
+ 'status_upnp.php' => 'https://doc.pfsense.org/index.php/What_are_UPnP_and_NAT-PMP',
'firewall_virtual_ip.php' => 'https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses',
'firewall_virtual_ip_edit.php' => 'https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses',
'firewall_aliases.php' => 'https://doc.pfsense.org/index.php/Aliases',
diff --git a/usr/local/www/includes/functions.inc.php b/usr/local/www/includes/functions.inc.php
index f2d8cf0..4a212ec 100644
--- a/usr/local/www/includes/functions.inc.php
+++ b/usr/local/www/includes/functions.inc.php
@@ -336,7 +336,10 @@ function get_interfacestatus() {
}
$data .= ",";
if ($ifinfo['ipaddr'])
- $data .= htmlspecialchars($ifinfo['ipaddr']);
+ $data .= "<strong>" . htmlspecialchars($ifinfo['ipaddr']) . "</strong>";
+ $data .= ",";
+ if ($ifinfo['ipaddrv6'])
+ $data .= "<strong>" . htmlspecialchars($ifinfo['ipaddrv6']) . "</strong>";
$data .= ",";
if ($ifinfo['status'] != "down")
$data .= htmlspecialchars($ifinfo['media']);
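Review bot: The new `ipaddrv6` field is inserted positionally into a comma-joined record, which silently shifts every later field (`media` and whatever follows) for any consumer of get_interfacestatus that is not updated in lockstep; only ajax.js is adjusted in this commit, and I cannot see whether anything else parses this output. Document the record layout where it is built, e.g. `/* positional record: name,status,ipv4(html),ipv6(html),media,... -- ajax.js updateInterfaces must match */`. Moving the `<strong>` markup server-side is fine since the address is wrapped in htmlspecialchars first. get_interfacestatus continues past the end of this hunk.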
diff --git a/usr/local/www/index.php b/usr/local/www/index.php
index 57aee4a..7041b72 100644
--- a/usr/local/www/index.php
+++ b/usr/local/www/index.php
@@ -145,8 +145,13 @@ if (!is_array($config['widgets'])) {
if(file_exists('/conf/needs_package_sync')) {
if($config['installedpackages'] <> '' && is_array($config['installedpackages']['package'])) {
if($g['platform'] == "pfSense" || $g['platform'] == "nanobsd") {
- header('Location: pkg_mgr_install.php?mode=reinstallall');
- exit;
+ ## If the user has logged into webGUI quickly while the system is booting then do not redirect them to
+ ## the package reinstall page. That is about to be done by the boot script anyway.
+ ## The code in fbegin.inc will put up a notice to the user.
+ if (!platform_booting()) {
+ header('Location: pkg_mgr_install.php?mode=reinstallall');
+ exit;
+ }
}
} else {
conf_mount_rw();
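Review bot: The new comment block uses `##` line comments, which does not match the `/* ... */` style used elsewhere in this file (see the comment at the top of the fbegin.inc hunk in the same commit); switch it to a single `/* ... */` block. The three-level nesting could also be flattened by folding the new guard into the platform test, `if (($g['platform'] == "pfSense" || $g['platform'] == "nanobsd") && !platform_booting()) {`, which keeps the redirect and the exit together with the condition that allows them. The fall-through when booting is intentional per the comment, so a short note that the dashboard then renders without a package sync would make that explicit.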
diff --git a/usr/local/www/javascript/filter_log.js b/usr/local/www/javascript/filter_log.js
index 2cee6d4..66a7309 100644
--- a/usr/local/www/javascript/filter_log.js
+++ b/usr/local/www/javascript/filter_log.js
@@ -59,7 +59,7 @@ function fetch_new_rules_callback(callback_data) {
for(var x=0; x<data_split.length-1; x++) {
/* loop through rows */
row_split = data_split[x].split("||");
- lastsawtime = row_split[6];
+ lastsawtime = row_split[9];
var tmp = format_log_line(row_split);
if ( !(tmp) ) continue;
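Review bot: `row_split[9]` is a bare magic index with no indication of what the ninth field is or why it moved from 6, so the next change to the server-side record will break this silently. Add a comment naming the field, e.g. `lastsawtime = row_split[9]; /* raw log timestamp, last field of the server record; index must track the server-side field order */`, hedged as appropriate since the producer is not in this file. `row_split` is also assigned without `var` on the context line above; worth fixing while here.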
diff --git a/usr/local/www/javascript/index/ajax.js b/usr/local/www/javascript/index/ajax.js
index 47c1ee7..d2ac90e 100644
--- a/usr/local/www/javascript/index/ajax.js
+++ b/usr/local/www/javascript/index/ajax.js
@@ -150,25 +150,31 @@ function updateInterfaces(x){
interfaces_split = x.split("~");
interfaces_split.each(function(iface){
details = iface.split(",");
+ if (details[2] == '')
+ ipv4_details = '';
+ else
+ ipv4_details = details[2] + '<br />';
switch(details[1]) {
case "up":
jQuery('#' + details[0] + '-up').css("display","inline");
jQuery('#' + details[0] + '-down').css("display","none");
jQuery('#' + details[0] + '-block').css("display","none");
- jQuery('#' + details[0] + '-ip').html(details[2]);
- jQuery('#' + details[0] + '-media').html(details[3]);
+ jQuery('#' + details[0] + '-ip').html(ipv4_details);
+ jQuery('#' + details[0] + '-ipv6').html(details[3]);
+ jQuery('#' + details[0] + '-media').html(details[4]);
break;
case "down":
jQuery('#' + details[0] + '-down').css("display","inline");
jQuery('#' + details[0] + '-up').css("display","none");
jQuery('#' + details[0] + '-block').css("display","none");
- jQuery('#' + details[0] + '-ip').html(details[2]);
- jQuery('#' + details[0] + '-media').html(details[3]);
+ jQuery('#' + details[0] + '-ip').html(ipv4_details);
+ jQuery('#' + details[0] + '-ipv6').html(details[3]);
+ jQuery('#' + details[0] + '-media').html(details[4]);
break;
case "block":
- jQuery('#' + details[0] + '-block').css("display","inline");
- jQuery('#' + details[0] + '-down').css("display","none");
- jQuery('#' + details[0] + '-up').css("display","none");
+ jQuery('#' + details[0] + '-block').css("display","inline");
+ jQuery('#' + details[0] + '-down').css("display","none");
+ jQuery('#' + details[0] + '-up').css("display","none");
break;
}
});
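Review bot: `ipv4_details` is assigned without `var` in the new lines, making it an implicit global (as `details` already is on the context line); declare it and use strict equality, `var ipv4_details = (details[2] === '') ? '' : details[2] + '<br />';`. The `block` case still does not refresh the `-ip`, `-ipv6` or `-media` cells, so a blocked interface keeps whatever was last rendered; if that is intentional a comment should say so. Inserting `details[2]`/`details[3]` via `.html()` is acceptable here only because get_interfacestatus wraps the addresses in htmlspecialchars before adding the `<strong>` markup.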
diff --git a/usr/local/www/services_captiveportal.php b/usr/local/www/services_captiveportal.php
index 2248f54..42b0a0d 100644
--- a/usr/local/www/services_captiveportal.php
+++ b/usr/local/www/services_captiveportal.php
@@ -994,10 +994,10 @@ function enable_change(enable_change) {
list($host) = explode(":", $_SERVER['HTTP_HOST']);
$zoneid = $pconfig['zoneid'] ? $pconfig['zoneid'] : 8000;
if ($pconfig['httpslogin_enable']) {
- $port = $pconfig['listenporthttps'] ? $pconfig['listenporthttps'] : ($zoneid + 1);
+ $port = $pconfig['listenporthttps'] ? $pconfig['listenporthttps'] : ($zoneid + 8001);
$href = "https://{$host}:{$port}";
} else {
- $port = $pconfig['listenporthttp'] ? $pconfig['listenporthttp'] : $zoneid;
+ $port = $pconfig['listenporthttp'] ? $pconfig['listenporthttp'] : ($zoneid + 8000);
$href = "http://{$host}:{$port}";
}
?>
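Review bot: Adding 8000 to `$zoneid` on the new lines conflicts with the context line just above, `$zoneid = $pconfig['zoneid'] ? $pconfig['zoneid'] : 8000;`, whose fallback of 8000 was evidently chosen when the port equalled the zone id; with the new formula an unset zone id now yields a link to port 16000 (16001 for HTTPS), which is presumably not intended. The fallback should become a zone id, not a port, and the two lines should derive from one shared base so they cannot disagree, e.g. `$zoneid = $pconfig['zoneid'] ? $pconfig['zoneid'] : 0;` if 0 is a valid default zone, or whatever captiveportal.inc uses. `$host` is taken from `HTTP_HOST` on the context line; escaping of `$href` happens outside this hunk and should be confirmed.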
@@ -1017,10 +1017,10 @@ function enable_change(enable_change) {
gettext('Upload an HTML/PHP file for the portal page here (leave blank to keep the current one). ' .
'Make sure to include a form (POST to %1$s) with a submit button (%2$s) and a hidden field with %3$s and %4$s. ' .
'Include the %5$s and %6$s and/or %7$s input fields if authentication is enabled, otherwise it will always fail.'),
- "&quot;{$PORTAL_ACTION}&quot;",
+ '&quot;$PORTAL_ACTION$&quot;',
"name=&quot;accept&quot;",
"name=&quot;redirurl&quot;",
- "value=&quot;{$PORTAL_REDIRURL}&quot;",
+ 'value=&quot;$PORTAL_REDIRURL$&quot;',
"&quot;auth_user&quot;",
"&quot;auth_pass&quot;",
"&quot;auth_voucher&quot;");
diff --git a/usr/local/www/themes/_corporate/all.css b/usr/local/www/themes/_corporate/all.css
index 1b75d1b..b97ba4e 100644
--- a/usr/local/www/themes/_corporate/all.css
+++ b/usr/local/www/themes/_corporate/all.css
@@ -99,6 +99,22 @@ form {
a {
text-decoration: none;
}
+a:link {
+ color: #0000CC;
+}
+
+a:visited {
+ color: #0000CC;
+}
+
+a:active {
+ color: #0000CC;
+}
+
+a:hover {
+ color: #0000CC;
+}
+
form input {
font-size: 1.1em;
}
diff --git a/usr/local/www/themes/code-red/all.css b/usr/local/www/themes/code-red/all.css
index 25548e2..fddc89a 100644
--- a/usr/local/www/themes/code-red/all.css
+++ b/usr/local/www/themes/code-red/all.css
@@ -154,6 +154,23 @@ form {
a {
text-decoration: none;
}
+
+a:link {
+ color: #0000CC;
+}
+
+a:visited {
+ color: #0000CC;
+}
+
+a:active {
+ color: #0000CC;
+}
+
+a:hover {
+ color: #0000CC;
+}
+
form input {
font-size: 1.1em;
}
diff --git a/usr/local/www/themes/metallic/all.css b/usr/local/www/themes/metallic/all.css
index a5b7c70..b1c78e7 100644
--- a/usr/local/www/themes/metallic/all.css
+++ b/usr/local/www/themes/metallic/all.css
@@ -142,6 +142,23 @@ form {
a {
text-decoration: none;
}
+
+a:link {
+ color: #0000CC;
+}
+
+a:visited {
+ color: #0000CC;
+}
+
+a:active {
+ color: #0000CC;
+}
+
+a:hover {
+ color: #0000CC;
+}
+
form input {
font-size: 1.1em;
}
diff --git a/usr/local/www/themes/nervecenter/all.css b/usr/local/www/themes/nervecenter/all.css
index a7cda13..7fb626c 100644
--- a/usr/local/www/themes/nervecenter/all.css
+++ b/usr/local/www/themes/nervecenter/all.css
@@ -154,6 +154,23 @@ form {
a {
text-decoration: none;
}
+
+a:link {
+ color: #0000CC;
+}
+
+a:visited {
+ color: #0000CC;
+}
+
+a:active {
+ color: #0000CC;
+}
+
+a:hover {
+ color: #0000CC;
+}
+
form input {
font-size: 1.1em;
}
diff --git a/usr/local/www/themes/pfsense-dropdown/all.css b/usr/local/www/themes/pfsense-dropdown/all.css
index 3bfdca4..37e0441 100644
--- a/usr/local/www/themes/pfsense-dropdown/all.css
+++ b/usr/local/www/themes/pfsense-dropdown/all.css
@@ -76,6 +76,23 @@ form {
a {
text-decoration: none;
}
+
+a:link {
+ color: #0000CC;
+}
+
+a:visited {
+ color: #0000CC;
+}
+
+a:active {
+ color: #0000CC;
+}
+
+a:hover {
+ color: #0000CC;
+}
+
form input {
font-size: 1.1em;
}
diff --git a/usr/local/www/themes/pfsense/all.css b/usr/local/www/themes/pfsense/all.css
index 07afe1e..3846854 100644
--- a/usr/local/www/themes/pfsense/all.css
+++ b/usr/local/www/themes/pfsense/all.css
@@ -75,6 +75,23 @@ form {
a {
text-decoration: none;
}
+
+a:link {
+ color: #0000CC;
+}
+
+a:visited {
+ color: #0000CC;
+}
+
+a:active {
+ color: #0000CC;
+}
+
+a:hover {
+ color: #0000CC;
+}
+
form input {
font-size: 1.1em;
}
diff --git a/usr/local/www/widgets/widgets/interfaces.widget.php b/usr/local/www/widgets/widgets/interfaces.widget.php
index 4cdee4e..8dbcad0 100644
--- a/usr/local/www/widgets/widgets/interfaces.widget.php
+++ b/usr/local/www/widgets/widgets/interfaces.widget.php
@@ -59,19 +59,22 @@ foreach ($ifdescrs as $ifdescr => $ifname):
$icon = 'cablenic';
if ($ifinfo['status'] == "up" || $ifinfo['status'] == "associated") {
- $status = '-up';
- $status_text = 'up';
- $status_icon = 'icon_interface_up.gif';
+ $known_status = true;
+ $up_display = "inline";
+ $down_display = "none";
+ $block_display = "none";
} elseif ($ifinfo['status'] == "no carrier") {
- $status = '-down';
- $status_text = 'down';
- $status_icon = 'icon_interface_down.gif';
+ $known_status = true;
+ $up_display = "none";
+ $down_display = "inline";
+ $block_display = "none";
} elseif ($ifinfo['status'] == "down") {
- $status = '-block';
- $status_text = 'disabled';
- $status_icon = 'icon_block.gif';
+ $known_status = true;
+ $up_display = "none";
+ $down_display = "none";
+ $block_display = "inline";
} else
- $status = '';
+ $known_status = false;
?>
<tr>
<td class="vncellt" rowspan="2">
@@ -85,16 +88,22 @@ foreach ($ifdescrs as $ifdescr => $ifname):
?>
</td>
<?php
- if ($status === ''):
- echo htmlspecialchars($ifinfo['status']);
- else:
+ if ($known_status):
?>
<td rowspan="2" class="listr" align="center">
- <div id="<?php echo $ifname . $status;?>" style="display:inline" >
- <img src="./themes/<?= $g['theme']; ?>/images/icons/<?=$status_icon;?>" title="<?=$ifname;?> is <?=$status_text;?>" alt="<?=$status;?>" />
+ <div id="<?php echo $ifname . "-up";?>" style="display:<?=$up_display;?>" >
+ <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_interface_up.gif" title="<?=$ifname;?> is up" alt="up" />
+ </div>
+ <div id="<?php echo $ifname . "-down";?>" style="display:<?=$down_display;?>" >
+ <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_interface_down.gif" title="<?=$ifname;?> is down" alt="down" />
+ </div>
+ <div id="<?php echo $ifname . "-block";?>" style="display:<?=$block_display;?>" >
+ <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" title="<?=$ifname;?> is disabled" alt="block" />
</div>
</td>
<?php
+ else:
+ echo htmlspecialchars($ifinfo['status']);
endif;
?>
<td class="listr">
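Review bot: The three new `<div id="...">`/`title="<?=$ifname;?> is up"` lines interpolate `$ifname` into HTML attributes without escaping; `$ifname` comes from `$ifdescrs` (see the `foreach` at the top of this file's first hunk) and, if that map carries user-editable interface descriptions, a quote or angle bracket in one breaks the attribute. Escape at least the `title` values, `title="<?=htmlspecialchars($ifname);?> is up"`. The `id` attributes must stay identical to the `details[0]` token emitted by get_interfacestatus so ajax.js can find them, so if you escape the id, escape the server-side token the same way. The enclosing `foreach` over `$ifdescrs` starts and ends outside this hunk.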
@@ -103,19 +112,8 @@ foreach ($ifdescrs as $ifdescr => $ifname):
</tr>
<tr>
<td class="listr">
-<?php
- if($ifinfo['ipaddr'] != ""):
-?>
- <div id="<?php echo $ifname;?>-ip" style="display:inline"><strong><?=htmlspecialchars($ifinfo['ipaddr']);?> </strong></div>
- <br />
-<?php
- endif;
- if ($ifinfo['ipaddrv6'] != ""):
-?>
+ <div id="<?php echo $ifname;?>-ip" style="display:inline"><strong><?=htmlspecialchars($ifinfo['ipaddr']);?> </strong><?php if ($ifinfo['ipaddr']) echo "<br />";?></div>
<div id="<?php echo $ifname;?>-ipv6" style="display:inline"><strong><?=htmlspecialchars($ifinfo['ipaddrv6']);?> </strong></div>
-<?php
- endif;
-?>
</td>
</tr>
<?php
diff --git a/usr/local/www/widgets/widgets/ipsec.widget.php b/usr/local/www/widgets/widgets/ipsec.widget.php
index e510005..8d29e6a 100644
--- a/usr/local/www/widgets/widgets/ipsec.widget.php
+++ b/usr/local/www/widgets/widgets/ipsec.widget.php
@@ -39,7 +39,7 @@ require_once("guiconfig.inc");
require_once("functions.inc");
require_once("ipsec.inc");
-if (isset($config['ipsec']['phase1'])){?>
+if (isset($config['ipsec']['phase1'])) { ?>
<div>&nbsp;</div>
<?php
$tab_array = array();
@@ -56,39 +56,58 @@ if (isset($config['ipsec']['phase1'])){?>
$activecounter = 0;
$inactivecounter = 0;
+ if (!is_array($ipsec_status['query'])) {
+ $ipsec_status['query'] = array();
+ $ipsec_status['query']['ikesalist'] = array();
+ $ipsec_status['query']['ikesalist']['ikesa'] = array();
+ } else if (is_array($ipsec_status['query']['ikesalist'])) {
+ $ipsec_status['query']['ikesalist'] = array();
+ $ipsec_status['query']['ikesalist']['ikesa'] = array();
+ } else if (is_array($ipsec_status['query']['ikesalist']['ikesa']))
+ $ipsec_status['query']['ikesalist']['ikesa'] = array();
+
$ipsec_detail_array = array();
+ $ikev1num = array();
foreach ($config['ipsec']['phase2'] as $ph2ent){
if ($ph2ent['remoteid']['type'] == "mobile")
continue;
ipsec_lookup_phase1($ph2ent,$ph1ent);
- if (!isset($ph1ent['disabled']) && !isset($ph2ent['disabled'])) {
- if (is_array($ipsec_status['query']) &&
- is_array($ipsec_status['query']['ikesalist']) &&
- is_array($ipsec_status['query']['ikesalist']['ikesa'])) {
- foreach ($ipsec_status['query']['ikesalist']['ikesa'] as $ikeid => $ikesa) {
- if ($ph1ent['ikeid'] == substr($ikesa['peerconfig'], 3)) {
- $ikeid = $ikesa['id'];
- if (ipsec_phase1_status($ipsec_status['query']['ikesalist']['ikesa'], $ikeid)) {
- /* tunnel is up */
- $iconfn = "true";
- $activecounter++;
- } else {
- /* tunnel is down */
- $iconfn = "false";
- $inactivecounter++;
- }
- }
+ if (isset($ph1ent['disabled']) && isset($ph2ent['disabled']))
+ continue;
+
+ $ph2number = ipsec_get_number_of_phase2($ph1ent['ikeid']);
+ if ($ph1ent['iketype'] == 'ikev1' && $ph2number > 1) {
+ if (!isset($ikev1num[$ph1ent['ikeid']]))
+ $ikev1num[$ph1ent['ikeid']] = 0;
+ else
+ $ikev1num[$ph1ent['ikeid']]++;
+ $ikeid = "con{$ph1ent['ikeid']}00" . $ikev1num[$ph1ent['ikeid']];
+ } else
+ $ikeid = "con{$ph1ent['ikeid']}";
+
+ foreach ($ipsec_status['query']['ikesalist']['ikesa'] as $ikeid => $ikesa) {
+ if ($ikeid == $ikesa['peerconfig']) {
+ $ph2ikeid = $ikesa['id'];
+ if (ipsec_phase1_status($ipsec_status['query']['ikesalist']['ikesa'], $ph2ikeid)) {
+ /* tunnel is up */
+ $iconfn = "true";
+ $activecounter++;
+ } else {
+ /* tunnel is down */
+ $iconfn = "false";
+ $inactivecounter++;
}
}
-
- $ipsec_detail_array[] = array('src' => convert_friendly_interface_to_friendly_descr($ph1ent['interface']),
- 'dest' => $ph1ent['remote-gateway'],
- 'remote-subnet' => ipsec_idinfo_to_text($ph2ent['remoteid']),
- 'descr' => $ph2ent['descr'],
- 'status' => $iconfn);
}
+
+ $ipsec_detail_array[] = array('src' => convert_friendly_interface_to_friendly_descr($ph1ent['interface']),
+ 'dest' => $ph1ent['remote-gateway'],
+ 'remote-subnet' => ipsec_idinfo_to_text($ph2ent['remoteid']),
+ 'descr' => $ph2ent['descr'],
+ 'status' => $iconfn);
}
+ unset($ikev1num);
}
if (isset($config['ipsec']['phase2'])){ ?>
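Review bot: Several of the new lines invert their intended condition, so the widget cannot report tunnel status correctly as written. The `else if (is_array($ipsec_status['query']['ikesalist']))` and `else if (is_array(...['ikesa']))` branches replace real status data with empty arrays (they should test `!is_array`); the `isset($ph1ent['disabled']) && isset($ph2ent['disabled'])` skip is the wrong negation of the removed `!disabled && !disabled` guard and should be `||`, otherwise a disabled phase 1 with an enabled phase 2 is still listed; and `foreach (... as $ikeid => $ikesa)` overwrites the `$ikeid` string computed just above with the array index, so `$ikeid == $ikesa['peerconfig']` never compares the intended "conNN" value. `$iconfn` is also never reset per phase-2 entry, so an entry with no matching SA inherits the previous entry's status. The rewrite below addresses those points; whether an entry with no SA at all should count toward `$inactivecounter` is a product decision I have left unchanged.
```php
    if (!is_array($ipsec_status['query']))
        $ipsec_status['query'] = array();
    if (!is_array($ipsec_status['query']['ikesalist']))
        $ipsec_status['query']['ikesalist'] = array();
    if (!is_array($ipsec_status['query']['ikesalist']['ikesa']))
        $ipsec_status['query']['ikesalist']['ikesa'] = array();

    /* … unchanged: $ipsec_detail_array / $ikev1num initialisation … */
    foreach ($config['ipsec']['phase2'] as $ph2ent) {
        /* … unchanged: mobile skip, ipsec_lookup_phase1() … */
        /* skip when EITHER side is disabled (the old guard was !p1 && !p2 => proceed) */
        if (isset($ph1ent['disabled']) || isset($ph2ent['disabled']))
            continue;

        /* … unchanged: $ph2number / $ikeid ("conNN" or "conNN00x") computation … */

        /* default to down so a stale $iconfn from the previous entry cannot leak through */
        $iconfn = "false";
        foreach ($ipsec_status['query']['ikesalist']['ikesa'] as $ikesa) {
            if ($ikeid != $ikesa['peerconfig'])
                continue;
            if (ipsec_phase1_status($ipsec_status['query']['ikesalist']['ikesa'], $ikesa['id'])) {
                /* tunnel is up */
                $iconfn = "true";
                $activecounter++;
            } else {
                /* tunnel is down */
                $iconfn = "false";
                $inactivecounter++;
            }
        }
        /* … unchanged: $ipsec_detail_array[] append … */
    }
```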
diff --git a/usr/local/www/widgets/widgets/log.widget.php b/usr/local/www/widgets/widgets/log.widget.php
index fb240fb..2677ee5 100644
--- a/usr/local/www/widgets/widgets/log.widget.php
+++ b/usr/local/www/widgets/widgets/log.widget.php
@@ -105,11 +105,30 @@ else
/* Called by the AJAX updater */
function format_log_line(row) {
- var line = '<td class="listMRlr" align="center">' + row[0] + '<\/td>' +
- '<td class="listMRr ellipsis" title="' + row[1] + '">' + row[1].slice(0,-3) + '<\/td>' +
- '<td class="listMRr ellipsis" title="' + row[2] + '">' + row[2] + '<\/td>' +
- '<td class="listMRr ellipsis" title="' + row[3] + '">' + row[3] + '<\/td>' +
- '<td class="listMRr ellipsis" title="' + row[4] + '">' + row[4] + '<\/td>';
+ var rrText = "<?php echo gettext("Reverse Resolve with DNS"); ?>";
+
+ if ( row[8] == '6' ) {
+ srcIP = '[' + row[3] + ']';
+ dstIP = '[' + row[5] + ']';
+ } else {
+ srcIP = row[3];
+ dstIP = row[5];
+ }
+
+ if ( row[4] == '' )
+ srcPort = '';
+ else
+ srcPort = ':' + row[4];
+ if ( row[6] == '' )
+ dstPort = '';
+ else
+ dstPort = ':' + row[6];
+
+ var line = '<td class="listMRlr" align="center">' + row[0] + '</td>' +
+ '<td class="listMRr ellipsis" title="' + row[1] + '">' + row[1].slice(0,-3) + '</td>' +
+ '<td class="listMRr ellipsis" title="' + row[2] + '">' + row[2] + '</td>' +
+ '<td class="listMRr ellipsis" title="' + srcIP + srcPort + '"><a href="diag_dns.php?host=' + row[3] + '" title="' + rrText + '">' + srcIP + '</a></td>' +
+ '<td class="listMRr ellipsis" title="' + dstIP + dstPort + '"><a href="diag_dns.php?host=' + row[5] + '" title="' + rrText + '">' + dstIP + '</a>' + dstPort + '</td>';
var nentriesacts = "<?php echo $nentriesacts; ?>";
var nentriesinterfaces = "<?php echo $nentriesinterfaces; ?>";
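Review bot: The new anchors build `diag_dns.php?host=` by concatenating `row[3]` and `row[5]` into a URL with no encoding, and the `title` attributes take the raw row values as well; use `encodeURIComponent(row[3])` (and `row[5]`) for the query string so a bracketed IPv6 literal or anything unexpected in the feed cannot break the link or the attribute. As in diag_logs_filter_dynamic.php, `srcIP`, `dstIP`, `srcPort` and `dstPort` are assigned without `var` and should be declared local. Whether the server-side feed HTML-escapes these fields is not visible in this diff, so the safety of the `.html()`-style concatenation rests on that assumption and deserves a comment.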
@@ -188,6 +207,24 @@ function format_log_line(row) {
foreach ($filterlog as $filterent):
$evenRowClass = $rowIndex % 2 ? " listMReven" : " listMRodd";
$rowIndex++;
+ if ($filterent['version'] == '6') {
+ $srcIP = "[" . htmlspecialchars($filterent['srcip']) . "]";
+ $dstIP = "[" . htmlspecialchars($filterent['dstip']) . "]";
+ } else {
+ $srcIP = htmlspecialchars($filterent['srcip']);
+ $dstIP = htmlspecialchars($filterent['dstip']);
+ }
+
+ if ($filterent['srcport'])
+ $srcPort = ":" . htmlspecialchars($filterent['srcport']);
+ else
+ $srcPort = "";
+
+ if ($filterent['dstport'])
+ $dstPort = ":" . htmlspecialchars($filterent['dstport']);
+ else
+ $dstPort = "";
+
?>
<tr class="<?=$evenRowClass?>">
<td class="listMRlr nowrap" align="center">
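Review bot: `if ($filterent['srcport'])` and `if ($filterent['dstport'])` rely on PHP truthiness, so a port value of `"0"` is rendered as no port, while the JavaScript path in this same file tests `row[4] == ''` and would display it. Use an explicit test, `if (isset($filterent['srcport']) && $filterent['srcport'] !== '')`, so both render paths agree; whether the parser can emit a literal 0 is not visible here, but the inconsistency is.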
@@ -197,19 +234,18 @@ function format_log_line(row) {
</td>
<td class="listMRr ellipsis nowrap" title="<?php echo htmlspecialchars($filterent['time']);?>"><?php echo substr(htmlspecialchars($filterent['time']),0,-3);?></td>
<td class="listMRr ellipsis nowrap" title="<?php echo htmlspecialchars($filterent['interface']);?>"><?php echo htmlspecialchars($filterent['interface']);?></td>
- <td class="listMRr ellipsis nowrap" title="<?php echo htmlspecialchars($filterent['src']);?>">
+ <td class="listMRr ellipsis nowrap" title="<?php echo $srcIP . $srcPort;?>">
<a href="diag_dns.php?host=<?php echo "{$filterent['srcip']}"; ?>" title="<?=gettext("Reverse Resolve with DNS");?>">
- <?php echo htmlspecialchars($filterent['srcip']);?></a></td>
- <td class="listMRr ellipsis nowrap" title="<?php echo htmlspecialchars($filterent['dst']);?>">
+ <?php echo $srcIP;?></a></td>
+ <td class="listMRr ellipsis nowrap" title="<?php echo $dstIP . $dstPort;?>">
<a href="diag_dns.php?host=<?php echo "{$filterent['dstip']}"; ?>" title="<?=gettext("Reverse Resolve with DNS");?>">
- <?php echo htmlspecialchars($filterent['dstip']);?></a><?php echo ":" . htmlspecialchars($filterent['dstport']);?></td>
+ <?php echo $dstIP;?></a><?php echo $dstPort;?></td>
<?php
if ($filterent['proto'] == "TCP")
$filterent['proto'] .= ":{$filterent['tcpflags']}";
?>
</tr>
<?php endforeach; ?>
- <tr style="display:none;"><td></td></tr>
</tbody>
</table>
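Review bot: The commit rewrites the `title` attributes on these two cells to use pre-escaped `$srcIP`/`$dstIP`, but leaves the adjacent context lines `href="diag_dns.php?host=<?php echo "{$filterent['srcip']}"; ?>"` echoing the raw parsed address into a URL and an attribute with neither urlencode nor htmlspecialchars. Since the surrounding output is being reworked anyway, change them to `href="diag_dns.php?host=<?=htmlspecialchars(urlencode($filterent['srcip']));?>"` (and likewise for `dstip`). The risk is bounded by what the log parser lets through, which is not visible here, but the escaping should not depend on that.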