30 files changed, 448 insertions, 289 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 711dae4..083e77c 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -1366,6 +1366,24 @@ function filter_nat_rules_automatic_tonathosts($with_descr = false) { if($oc['sa']) { $tonathosts[] = "{$oc['sa']}/{$oc['sn']}"; $descriptions[] = $oc['descr']; + if (isset($oc['vips']) && is_array($oc['vips'])) { + $if_subnets = array("{$oc['sa']}/{$oc['sn']}"); + foreach ($oc['vips'] as $vip) { + if (!is_ipaddrv4($vip['ip'])) + continue; + + foreach ($if_subnets as $subnet) + if (ip_in_subnet($vip['ip'], $subnet)) + continue 2; + + $network = gen_subnet($vip['ip'], $vip['sn']); + $tonathosts[] = $network . '/' . $vip['sn']; + $descriptions[] = "Virtual IP ({$oc['descr']})"; + $if_subnets[] = $network . '/' . $vip['sn']; + unset($network); + } + unset($if_subnets); + } } } diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc index 6c1b52c..dd2f033 100644 --- a/etc/inc/ipsec.inc +++ b/etc/inc/ipsec.inc @@ -29,7 +29,7 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - pfSense_BUILDER_BINARIES: /usr/local/sbin/setkey + pfSense_BUILDER_BINARIES: /sbin/setkey pfSense_MODULE: ipsec */ @@ -324,11 +324,11 @@ function ipsec_lookup_phase1(& $ph2ent,& $ph1ent) { global $config; if (!is_array($config['ipsec'])) - return; + return false; if (!is_array($config['ipsec']['phase1'])) - return; + return false; if (empty($config['ipsec']['phase1'])) - return; + return false; foreach ($config['ipsec']['phase1'] as $ph1tmp) { if ($ph1tmp['ikeid'] == $ph2ent['ikeid']) { 
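Review bot: The added VIP loop nests a brace-less `foreach ($if_subnets as $subnet)` around a brace-less `if (...) continue 2;`, and the two-level jump is easy to misread once either body grows. Braces make the target of the `continue 2` visible: `foreach ($if_subnets as $subnet) { if (ip_in_subnet($vip['ip'], $subnet)) { continue 2; } }`. The `unset($network)`/`unset($if_subnets)` lines are harmless but unnecessary since both are reassigned on the next pass. filter_nat_rules_automatic_tonathosts() starts and ends outside the hunk.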
@@ -343,13 +343,15 @@ function ipsec_lookup_phase1(& $ph2ent,& $ph1ent) { /* * Check phase1 communications status */ -function ipsec_phase1_status(& $ph1ent) { - - $loc_ip = get_ipsec_tunnel_src($ph1ent); - $rmt_ip = $ph1ent['remote-gateway']; +function ipsec_phase1_status($ipsec_status, $ikeid) { - if (ipsec_lookup_ipsakmp_sa($loc_ip,$rmt_ip)) - return true; + foreach ($ipsec_status as $ike) { + if ($ike['id'] != $ikeid) + continue; + if ($ike['status'] == 'established') + return true; + break; + } return false; } @@ -357,23 +359,10 @@ function ipsec_phase1_status(& $ph1ent) { /* * Check phase2 communications status */ -function ipsec_phase2_status(& $spd,& $sad,& $ph1ent,& $ph2ent) { - - $loc_ip = ipsec_get_phase1_src($ph1ent); - $rmt_ip = ipsec_get_phase1_dst($ph1ent); +function ipsec_phase2_status($ipsec_status, &$phase2) { - $loc_id = ipsec_idinfo_to_cidr($ph2ent['localid'],true,$ph2ent['mode']); - if (!empty($ph2ent['natlocalid'])) - $natloc_id = ipsec_idinfo_to_cidr($ph2ent['natlocalid'],true,$ph2ent['mode']); - $rmt_id = ipsec_idinfo_to_cidr($ph2ent['remoteid'],true,$ph2ent['mode']); - - /* check for established SA in both directions */ - if( ipsec_lookup_ipsec_sa($spd,$sad,"out",$loc_ip,$rmt_ip,$loc_id,$rmt_id)) { - if (empty($ph2ent['natlocalid']) && ipsec_lookup_ipsec_sa($spd,$sad,"in",$rmt_ip,$loc_ip,$rmt_id,$loc_id)) - return true; - else if (!empty($ph2ent['natlocalid']) && ipsec_lookup_ipsec_sa($spd,$sad,"out",$loc_ip,$rmt_ip,$loc_id,$rmt_id)) - return true; - } + if (ipsec_lookup_phase1($ph2ent,$ph1ent)) + return ipsec_phase1_status($ipsec_status, $ph1ent['ikeid']); return false; } @@ -509,7 +498,7 @@ function ipsec_smp_dump_status() { */ function ipsec_dump_spd() { - $fd = @popen("/usr/local/sbin/setkey -DP", "r"); + $fd = @popen("/sbin/setkey -DP", "r"); $spd = array(); if ($fd) { while (!feof($fd)) { 
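Review bot: The rewritten `ipsec_phase2_status($ipsec_status, &$phase2)` names its parameter `$phase2` but the body calls `ipsec_lookup_phase1($ph2ent,$ph1ent)` with `$ph2ent`, which is never assigned, so the lookup runs against null and matches nothing unless a phase1 happens to have an empty ikeid; the function therefore reports every phase2 as down. The call should be `if (ipsec_lookup_phase1($phase2, $ph1ent))`. `$ph1ent` is only brought into existence through the by-reference call, which PHP allows, but an explicit `$ph1ent = array();` before it makes the intent clear and avoids relying on that. The callers that still pass the old four-argument form (if any remain elsewhere) would also silently get the wrong answer, since PHP ignores extra arguments.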
@@ -559,7 +548,7 @@ function ipsec_dump_spd() */ function ipsec_dump_sad() { - $fd = @popen("/usr/local/sbin/setkey -D", "r"); + $fd = @popen("/sbin/setkey -D", "r"); $sad = array(); if ($fd) { while (!feof($fd)) { @@ -687,10 +676,6 @@ function ipsec_get_descr($ikeid) { return $descr; } -function ipsec_get_descr_by_peerconfig($peerconfig) { - return ipsec_get_descr(substr($peerconfig, strrpos($peerconfig, '-') + 1)); -} - function ipsec_disconnect_mobile($username) { if (empty($username)) return false; diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc index 5b1d5ac..6ac92fa 100644 --- a/etc/inc/openvpn.inc +++ b/etc/inc/openvpn.inc @@ -903,7 +903,7 @@ function openvpn_delete($mode, & $settings) { mwexec("/sbin/ifconfig " . escapeshellarg($devname) . " name " . escapeshellarg($tunname)); /* remove the configuration files */ - array_map('unlink', glob("{$g['varetc_path']}/openvpn/{$mode_id}.*")); + @array_map('unlink', glob("{$g['varetc_path']}/openvpn/{$mode_id}.*")); } function openvpn_cleanup_csc($common_name) { diff --git a/etc/inc/pkg-utils.inc b/etc/inc/pkg-utils.inc index 4a19c7b..417d6b3 100644 --- a/etc/inc/pkg-utils.inc +++ b/etc/inc/pkg-utils.inc @@ -598,6 +598,7 @@ function get_pbi_binaries($pbi) { return $result; } + function install_package($package, $pkg_info = "", $force_install = false) { global $g, $config, $static_output, $pkg_interface; 
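Review bot: Prefixing `@` to `array_map('unlink', glob(...))` in openvpn_delete() only hides the warning raised when glob() returns false; the condition itself (an error, or no matches on platforms that return false for that) is still unhandled, and the `@` now also hides genuine unlink failures on files that do exist. Testing the glob result is clearer and keeps real errors visible: `$files = glob("{$g['varetc_path']}/openvpn/{$mode_id}.*"); if (is_array($files)) array_map('unlink', $files);`. openvpn_delete() starts outside the hunk.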
@@ -637,28 +638,10 @@ function install_package($package, $pkg_info = "", $force_install = false) { log_error(sprintf(gettext('Beginning package installation for %s .'), $pkg_info['name'])); $static_output .= sprintf(gettext("Beginning package installation for %s ."), $pkg_info['name']); update_status($static_output); + /* fetch the package's configuration file */ - if($pkg_info['config_file'] != "") { - $static_output .= "\n" . gettext("Downloading package configuration file... "); - update_output_window($static_output); - pkg_debug(gettext("Downloading package configuration file...") . "\n"); - $fetchto = substr(strrchr($pkg_info['config_file'], '/'), 1); - download_file_with_progress_bar($pkg_info['config_file'], '/usr/local/pkg/' . $fetchto); - if(!file_exists('/usr/local/pkg/' . $fetchto)) { - pkg_debug(gettext("ERROR! Unable to fetch package configuration file. Aborting installation.") . "\n"); - if($pkg_interface == "console") - print "\n" . gettext("ERROR! Unable to fetch package configuration file. Aborting package installation.") . "\n"; - else { - $static_output .= gettext("failed!\n\nInstallation aborted.\n"); - update_output_window($static_output); - echo "<br />Show <a href=\"pkg_mgr_install.php?showlog=true\">install log</a></center>"; - } - conf_mount_ro(); - return -1; - } - $static_output .= gettext("done.") . "\n"; - update_output_window($static_output); - } + pkg_fetch_config_file($package, $pkg_info); + /* add package information to config.xml */ $pkgid = get_pkg_id($pkg_info['name']); $static_output .= gettext("Saving updated package information...") . " "; @@ -761,6 +744,7 @@ function install_package_xml($pkg) { } } } + $configfile = substr(strrchr($pkg_info['config_file'], '/'), 1); if(file_exists("/usr/local/pkg/" . $configfile)) { $static_output .= gettext("Loading package configuration... "); 
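Review bot: The removed inline code aborted with `return -1` when the package configuration file could not be fetched, but the replacement `pkg_fetch_config_file($package, $pkg_info);` discards the helper's return value (the helper returns -1 on failure, true on success), so a failed fetch now falls straight through to "Saving updated package information" and the rest of the install. The same pattern appears in the next hunk, where `pkg_fetch_additional_files($pkg, $pkg_info);` drops the `return false` the old code had on a failed download. Keep the abort at both call sites: `if (pkg_fetch_config_file($package, $pkg_info) !== true) return -1;` here and `if (pkg_fetch_additional_files($pkg, $pkg_info) !== true) return false;` there. Whether the caller still needs its own conf_mount_ro() on that path depends on how the helper's conf_mount_rw()/conf_mount_ro() pair nests with the caller's, which is not visible in this hunk. install_package() starts and ends outside the hunk.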
@@ -784,50 +768,9 @@ function install_package_xml($pkg) { $static_output .= gettext("done.") . "\n"; update_output_window($static_output); } - /* download additional files */ - if(is_array($pkg_config['additional_files_needed'])) { - $static_output .= gettext("Additional files... "); - $static_orig = $static_output; - update_output_window($static_output); - foreach($pkg_config['additional_files_needed'] as $afn) { - $filename = get_filename_from_url($afn['item'][0]); - if($afn['chmod'] <> "") - $pkg_chmod = $afn['chmod']; - else - $pkg_chmod = ""; - if($afn['prefix'] <> "") - $prefix = $afn['prefix']; - else - $prefix = "/usr/local/pkg/"; + pkg_fetch_additional_files($pkg, $pkg_info); - if(!is_dir($prefix)) - safe_mkdir($prefix); - $static_output .= $filename . " "; - update_output_window($static_output); - if (download_file_with_progress_bar($afn['item'][0], $prefix . $filename) !== true) { - $static_output .= "failed.\n"; - @unlink($prefix . $filename); - update_output_window($static_output); - return false; - } - if(stristr($filename, ".tgz") <> "") { - pkg_debug(gettext("Extracting tarball to -C for ") . $filename . "...\n"); - $tarout = ""; - exec("/usr/bin/tar xvzf " . escapeshellarg($prefix . $filename) . " -C / 2>&1", $tarout); - pkg_debug(print_r($tarout, true) . "\n"); - } - if($pkg_chmod <> "") { - pkg_debug(sprintf(gettext('Changing file mode to %1$s for %2$s%3$s%4$s'), $pkg_chmod, $prefix, $filename, "\n")); - @chmod($prefix . $filename, $pkg_chmod); - system("/bin/chmod {$pkg_chmod} {$prefix}{$filename}"); - } - $static_output = $static_orig; - update_output_window($static_output); - } - $static_output .= gettext("done.") . "\n"; - update_output_window($static_output); - } /* if a require exists, include it. this will * show us where an error exists in a package * instead of making us blindly guess 
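Review bot: `pkg_fetch_additional_files($pkg, $pkg_info)` hands the helper a `$pkg_info` that, judging by the `$pkg_info['config_file']` use in the preceding hunk of install_package_xml(), is already the flat per-package array; the helper tests `!is_array($pkg_info[$package])` and, when that key is absent, re-fetches with get_pkg_info(), so every install would presumably make an extra network round trip and then parse the config file a second time (the "Loading package configuration" step above already did). Worth confirming the shape of `$pkg_info` here and, if it is flat, passing `array($pkg => $pkg_info)` or teaching the helper to accept both forms. The ignored return value is covered in the note on the install_package() hunk. install_package_xml() starts and ends outside the hunk.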
@@ -1488,4 +1431,114 @@ function package_server_mismatch_message() { . '<a href="/pkg_mgr_settings.php">' . gettext("Package Manager Settings") . '</a>'; } + +function pkg_fetch_config_file($package, $pkg_info = "") { + global $g, $config, $static_output, $pkg_interface; + conf_mount_rw(); + + if(empty($pkg_info) or !is_array($pkg_info[$package])) { + $pkg_info = get_pkg_info(array($package)); + $pkg_info = $pkg_info[$package]; // We're only dealing with one package, so we can strip away the extra array. + if (empty($pkg_info)) { + conf_mount_ro(); + return -1; + } + } + + /* fetch the package's configuration file */ + if($pkg_info['config_file'] != "") { + $static_output .= "\n" . gettext("Downloading package configuration file... "); + update_output_window($static_output); + pkg_debug(gettext("Downloading package configuration file...") . "\n"); + $fetchto = substr(strrchr($pkg_info['config_file'], '/'), 1); + download_file_with_progress_bar($pkg_info['config_file'], '/usr/local/pkg/' . $fetchto); + if(!file_exists('/usr/local/pkg/' . $fetchto)) { + pkg_debug(gettext("ERROR! Unable to fetch package configuration file. Aborting installation.") . "\n"); + if($pkg_interface == "console") + print "\n" . gettext("ERROR! Unable to fetch package configuration file. Aborting package installation.") . "\n"; + else { + $static_output .= gettext("failed!\n\nInstallation aborted.\n"); + update_output_window($static_output); + echo "<br />Show <a href=\"pkg_mgr_install.php?showlog=true\">install log</a></center>"; + } + conf_mount_ro(); + return -1; + } + $static_output .= gettext("done.") . 
"\n"; + update_output_window($static_output); + } + conf_mount_ro(); + return true; +} + + +function pkg_fetch_additional_files($package, $pkg_info = "") { + global $g, $config, $static_output, $pkg_interface; + conf_mount_rw(); + + if(empty($pkg_info) or !is_array($pkg_info[$package])) { + $pkg_info = get_pkg_info(array($package)); + $pkg_info = $pkg_info[$package]; // We're only dealing with one package, so we can strip away the extra array. + if (empty($pkg_info)) { + conf_mount_ro(); + return -1; + } + } + + $configfile = substr(strrchr($pkg_info['config_file'], '/'), 1); + if(file_exists("/usr/local/pkg/" . $configfile)) { + $static_output .= gettext("Loading package configuration... "); + update_output_window($static_output); + $pkg_config = parse_xml_config_pkg("/usr/local/pkg/" . $configfile, "packagegui"); + $static_output .= gettext("done.") . "\n"; + update_output_window($static_output); + /* download additional files */ + if(is_array($pkg_config['additional_files_needed'])) { + $static_output .= gettext("Additional files... "); + $static_orig = $static_output; + update_output_window($static_output); + foreach($pkg_config['additional_files_needed'] as $afn) { + $filename = get_filename_from_url($afn['item'][0]); + if($afn['chmod'] <> "") + $pkg_chmod = $afn['chmod']; + else + $pkg_chmod = ""; + + if($afn['prefix'] <> "") + $prefix = $afn['prefix']; + else + $prefix = "/usr/local/pkg/"; + + if(!is_dir($prefix)) + safe_mkdir($prefix); + $static_output .= $filename . " "; + update_output_window($static_output); + if (download_file_with_progress_bar($afn['item'][0], $prefix . $filename) !== true) { + $static_output .= "failed.\n"; + @unlink($prefix . $filename); + update_output_window($static_output); + return false; + } + if(stristr($filename, ".tgz") <> "") { + pkg_debug(gettext("Extracting tarball to -C for ") . $filename . "...\n"); + $tarout = ""; + exec("/usr/bin/tar xvzf " . escapeshellarg($prefix . $filename) . 
" -C / 2>&1", $tarout); + pkg_debug(print_r($tarout, true) . "\n"); + } + if($pkg_chmod <> "") { + pkg_debug(sprintf(gettext('Changing file mode to %1$s for %2$s%3$s%4$s'), $pkg_chmod, $prefix, $filename, "\n")); + @chmod($prefix . $filename, $pkg_chmod); + system("/bin/chmod {$pkg_chmod} {$prefix}{$filename}"); + } + $static_output = $static_orig; + update_output_window($static_output); + } + $static_output .= gettext("done.") . "\n"; + update_output_window($static_output); + } + conf_mount_ro(); + return true; + } +} + ?> diff --git a/etc/inc/services.inc b/etc/inc/services.inc index b3c6d33..3099b62 100644 --- a/etc/inc/services.inc +++ b/etc/inc/services.inc @@ -893,6 +893,10 @@ EOD; if (!file_exists("{$g['dhcpd_chroot_path']}/var/db/dhcpd.leases")) @touch("{$g['dhcpd_chroot_path']}/var/db/dhcpd.leases"); + /* make sure there isn't a stale dhcpd.pid file, which can make dhcpd fail to start. */ + /* if we get here, dhcpd has been killed and is not started yet */ + unlink_if_exists("{$g['dhcpd_chroot_path']}{$g['varrun_path']}/dhcpd.pid"); + /* fire up dhcpd in a chroot */ if (count($dhcpdifs) > 0) { mwexec("/usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot {$g['dhcpd_chroot_path']} -cf /etc/dhcpd.conf -pf {$g['varrun_path']}/dhcpd.pid " . @@ -1300,6 +1304,10 @@ EOD; if (!file_exists("{$g['dhcpd_chroot_path']}/var/db/dhcpd6.leases")) @touch("{$g['dhcpd_chroot_path']}/var/db/dhcpd6.leases"); + /* make sure there isn't a stale dhcpdv6.pid file, which may make dhcpdv6 fail to start. */ + /* if we get here, dhcpdv6 has been killed and is not started yet */ + unlink_if_exists("{$g['dhcpd_chroot_path']}{$g['varrun_path']}/dhcpdv6.pid"); + /* fire up dhcpd in a chroot */ if (count($dhcpdv6ifs) > 0) { mwexec("/usr/local/sbin/dhcpd -6 -user dhcpd -group _dhcp -chroot {$g['dhcpd_chroot_path']} -cf /etc/dhcpdv6.conf -pf {$g['varrun_path']}/dhcpdv6.pid " . diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index 2d8dcfd..0a9ce06 100644 --- a/etc/inc/vpn.inc 
+++ b/etc/inc/vpn.inc @@ -173,6 +173,7 @@ function vpn_ipsec_configure($ipchg = false) if (isset($ph1ent['disabled'])) continue; + $ikeid = $ph1ent['ikeid']; $listeniflist = get_real_interface($a_phase1['interface']); $ep = ipsec_get_phase1_src($ph1ent); @@ -207,12 +208,10 @@ function vpn_ipsec_configure($ipchg = false) if (is_array($a_phase2)) { /* step through each phase2 entry */ foreach ($a_phase2 as $ph2ent) { - $ikeid = $ph2ent['ikeid']; - if (isset($ph2ent['disabled'])) continue; - if ($ikeid != $ph1ent['ikeid']) + if ($ikeid != $ph2ent['ikeid']) continue; /* add an ipsec pinghosts entry */ @@ -281,9 +280,6 @@ charon { # number of worker threads in charon threads = 16 - # NOTE: Allows to send multiple subnets for IKEv1 - cisco_unity = yes - # XXX: There is not much choice here really users win their security! i_dont_care_about_security_and_use_aggressive_mode_psk=yes @@ -439,6 +435,7 @@ EOD; if (strstr($authmethod,'rsa')) { + $ikeid = $ph1ent['ikeid']; $cert = lookup_cert($ph1ent['certref']); if (!$cert) { @@ -535,10 +532,12 @@ EOD; if (!$ep) continue; + $ikeid = $ph1ent['ikeid']; $keyexchange = "ikev1"; + $passive = "route"; if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1") { $keyexchange = "ikev2"; - $passive = "start"; + //$passive = "start"; } else $passive = "route"; @@ -569,8 +568,7 @@ EOD; if (!empty($modp)) $ealgosp1 .= "-{$modp}"; - if ($keyexchange == "ikev1") - $ealgosp1 .= "!"; + $ealgosp1 .= "!"; } if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) { @@ -589,6 +587,7 @@ EOD; $ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s"; $authentication = ""; + $rightsourceip = NULL; switch ($ph1ent['authentication_method']) { case 'xauth_rsa_server': $authentication = "leftauth = pubkey\n\trightauth = pubkey"; 
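Review bot: In the `@@ -535` hunk `$passive = "route";` is now assigned unconditionally, yet the `else $passive = "route";` branch is kept and the ikev2 branch carries the commented-out `//$passive = "start";`, leaving dead code that suggests the behaviour is still in flux. Collapse it to `if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1") $keyexchange = "ikev2";` and drop the comment and the else branch. The `$ikeid = $ph1ent['ikeid'];` hoisting in the `@@ -173`, `@@ -439` and `@@ -535` hunks is repeated three times in the same function; one assignment at the top of each loop body would suffice. vpn_ipsec_configure() starts and ends outside these hunks.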
@@ -597,6 +596,8 @@ EOD; case 'xauth_psk_server': $authentication = "leftauth = psk\n\trightauth = psk"; $authentication .= "\n\trightauth2 = xauth-generic"; + if (!empty($a_client['pool_address'])) + $rightsourceip = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n"; break; case 'pre_shared_key': $authentication = "leftauth = psk\n\trightauth = psk"; @@ -613,15 +614,13 @@ EOD; $left_spec = $ep; $ipseclifetime = 0; - $rightsourceip = NULL; $rightsubnet_spec = array(); $leftsubnet_spec = array(); $ealgoAHsp2arr = array(); $ealgoESPsp2arr = array(); if (is_array($a_phase2) && count($a_phase2)) { foreach ($a_phase2 as $ph2ent) { - $ikeid = $ph2ent['ikeid']; - if ($ikeid != $ph1ent['ikeid']) + if ($ikeid != $ph2ent['ikeid']) continue; if (isset($ph2ent['disabled'])) @@ -661,13 +660,16 @@ EOD; } } - $leftsubnet_spec[] = $leftsubnet_data; + if (empty($leftsubnet_spec[$leftsubnet_data])) + $leftsubnet_spec[$leftsubnet_data] = $leftsubnet_data; if (!isset($ph2ent['mobile'])) { - $rightsubnet_spec[] = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']); + $tmpsubnet = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']); + if (empty($rightsubnet_spec[$tmpsubnet])) + $rightsubnet_spec[$tmpsubnet] = $tmpsubnet; } else if (!empty($a_client['pool_address'])) { - $rightsubnet_spec[] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}"; - $rightsourceip = "\trightsourceip={$a_client['pool_address']}/{$a_client['pool_netbits']}\n"; + if (empty($rightsubnet_spec["{$a_client['pool_address']}/{$a_client['pool_netbits']}"])) + $rightsubnet_spec["{$a_client['pool_address']}/{$a_client['pool_netbits']}"] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}"; } } else { $tunneltype = "type = transport"; 
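Review bot: `$rightsourceip` is now populated only in the `xauth_psk_server` case, whereas the lines removed in the `@@ -661` hunk set it for every mobile phase2 that has a pool address regardless of authentication method; unless that narrowing is intended, `xauth_rsa_server` (and any other mobile method) will no longer hand out pool addresses and the same two lines belong in those cases as well. The keyed-array dedup of `$leftsubnet_spec`/`$rightsubnet_spec` relies on `empty()`, which is fine for CIDR strings but would treat a key of `"0"` as absent; `isset()` expresses the intent more precisely. vpn_ipsec_configure() starts and ends outside these hunks.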
@@ -676,18 +678,22 @@ EOD; ($ph1ent['authentication_method'] == "pre_shared_key")) && isset($ph1ent['mobile'])) { $left_spec = "%any"; } else { - $leftsubnet_spec[] = ipsec_get_phase1_src($ph1ent); + $tmpsubnet = ipsec_get_phase1_src($ph1ent); + if ($leftsubnet_spec[$tmpsubnet]) + $leftsubnet_spec[$tmpsubnet] = $tmpsubnet; } - if (!isset($ph2ent['mobile'])) - $rightsubnet_spec[] = $right_spec; + if (!isset($ph2ent['mobile'])) { + if (empty($rightsubnet_spec[$right_spec])) + $rightsubnet_spec[$right_spec] = $right_spec; + } } if (isset($a_client['pfs_group'])) $ph2ent['pfsgroup'] = $a_client['pfs_group']; if ($ph2ent['protocol'] == 'esp') { - if (is_array($ph2ent['encryption-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) { + if (is_array($ph2ent['encryption-algorithm-option'])) { foreach ($ph2ent['encryption-algorithm-option'] as $ealg) { $ealg_id = $ealg['name']; $ealg_kl = $ealg['keylen']; @@ -703,9 +709,17 @@ EOD; * seconds wrecking bootup */ if ($key_hi != 0 and $key_lo !=0 and $key_step !=0) { for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) { - foreach ($ph2ent['hash-algorithm-option'] as $halgo) { - $halgo = str_replace('hmac_', '', $halgo); - $tmpealgo = "{$ealg_id}{$keylen}-{$halgo}"; + if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) { + foreach ($ph2ent['hash-algorithm-option'] as $halgo) { + $halgo = str_replace('hmac_', '', $halgo); + $tmpealgo = "{$ealg_id}{$keylen}-{$halgo}"; + $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); + if (!empty($modp)) + $tmpealgo .= "-{$modp}"; + $ealgoESPsp2arr[] = $tmpealgo; + } + } else { + $tmpealgo = "{$ealg_id}{$keylen}"; $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); if (!empty($modp)) $tmpealgo .= "-{$modp}"; 
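Review bot: In the transport-mode branch `if ($leftsubnet_spec[$tmpsubnet]) $leftsubnet_spec[$tmpsubnet] = $tmpsubnet;` has the test inverted relative to the parallel `if (empty($rightsubnet_spec[$right_spec]))` two lines below: the key is only written when it already exists, so the phase1 source address is never added to `$leftsubnet_spec` (and reading the absent index raises a notice). It should be `if (empty($leftsubnet_spec[$tmpsubnet]))`. In the `@@ -703` hunk, removing `is_array($ph2ent['hash-algorithm-option'])` from the ESP guard and adding an else branch that emits `{$ealg_id}{$keylen}` with no integrity algorithm is presumably meant for AEAD ciphers such as aes-gcm; for a non-AEAD cipher whose hash list is empty it now produces an integrity-less proposal that charon is unlikely to accept, where the old code skipped the entry, so it is worth confirming the GUI cannot produce that combination. That hunk's two branches also repeat the modp lookup and the `$ealgoESPsp2arr[] = $tmpealgo;` append; building the base string in the if/else and sharing the suffix code would remove the duplication. vpn_ipsec_configure() starts and ends outside these hunks.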
@@ -714,9 +728,17 @@ EOD; } } } else { - foreach ($ph2ent['hash-algorithm-option'] as $halgo) { - $halgo = str_replace('hmac_', '', $halgo); - $tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}"; + if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) { + foreach ($ph2ent['hash-algorithm-option'] as $halgo) { + $halgo = str_replace('hmac_', '', $halgo); + $tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}"; + $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); + if (!empty($modp)) + $tmpealgo .= "-{$modp}"; + $ealgoESPsp2arr[] = $tmpealgo; + } + } else { + $tmpealgo = "{$ealg_id}{$ealg_kl}"; $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); if (!empty($modp)) $tmpealgo .= "-{$modp}"; @@ -726,7 +748,7 @@ EOD; } } } else if ($ph2ent['protocol'] == 'ah') { - if (is_array($ph2ent['hash-algorithm-option'])) { + if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) { $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) { $tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo); @@ -778,8 +800,10 @@ EOD; $ipsecconf .= "\t{$ealgosp1}\n"; if (!empty($ealgoAHsp2arr)) $ipsecconf .= "\tah = " . join(',', $ealgoAHsp2arr) . "!\n"; - if (!empty($ealgoESPsp2arr)) + if (!empty($ealgoESPsp2arr)) { + file_put_contents("/var/etc/ipsec/dump_test", print_r($ealgoESPsp2arr, true)); $ipsecconf .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n"; + } if (!empty($authentication)) $ipsecconf .= "\t{$authentication}\n"; if (!empty($peerid_spec)) diff --git a/etc/rc.initial b/etc/rc.initial index 03d9131..2277280 100755 --- a/etc/rc.initial +++ b/etc/rc.initial 
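Review bot: `file_put_contents("/var/etc/ipsec/dump_test", print_r($ealgoESPsp2arr, true));` in the `@@ -778` hunk looks like leftover debugging: it runs on every phase1 iteration, so only the last connection's proposal list survives, and it drops a scratch file into the directory where the live IPsec configuration is generated. Remove the line before merge, or, if the dump is wanted, put it behind an explicit debug switch and name the file per ikeid. The `@@ -714` hunk repeats the duplicated modp/append code already noted for `@@ -703`. vpn_ipsec_configure() starts and ends outside these hunks.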
@@ -61,9 +61,8 @@ fi product=`grep product_name /etc/inc/globals.inc | cut -d'"' -f4` hidebanner=`grep hidebanner /etc/inc/globals.inc | cut -d'"' -f4` -# Check to see if SSH is listening. -SSHD=`/usr/bin/sockstat -4l | grep "*.22" | wc -l` -if [ "$SSHD" -gt 0 ]; then +# Check to see if SSH is running. +if pgrep -q -a -F /var/run/sshd.pid sshd >/dev/null 2>&1; then sshd_option="14) Disable Secure Shell (sshd)"; else sshd_option="14) Enable Secure Shell (sshd)"; diff --git a/etc/rc.php_ini_setup b/etc/rc.php_ini_setup index e069ad4..94de766 100755 --- a/etc/rc.php_ini_setup +++ b/etc/rc.php_ini_setup @@ -137,6 +137,8 @@ PHPMODULES="$PHPMODULES pfSense" PHPMODULES="$PHPMODULES json" # bcmath PHPMODULES="$PHPMODULES bcmath" +# filter +PHPMODULES="$PHPMODULES filter" PHP_ZEND_MODULES="ioncube_loader" PHP_ZEND_MODULES_TS="ioncube_loader_ts" diff --git a/etc/rc.shutdown b/etc/rc.shutdown index c63e5e5..2102ff4 100755 --- a/etc/rc.shutdown +++ b/etc/rc.shutdown @@ -24,7 +24,7 @@ export PATH # temporary files on shutdown from /tmp/ PLATFORM=`cat /etc/platform` if [ "$PLATFORM" = "pfSense" ]; then - find -x /tmp/* -type f -exec rm -f {} \; + find -x /tmp/* -type f -exec rm -f {} \; >/dev/null 2>&1 fi USE_MFS_TMPVAR=`/usr/bin/grep -c use_mfs_tmpvar /cf/conf/config.xml` diff --git a/usr/local/sbin/ppp-linkup b/usr/local/sbin/ppp-linkup index 9e4aafd..2d1eb33 100755 --- a/usr/local/sbin/ppp-linkup +++ b/usr/local/sbin/ppp-linkup 
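Review bot: Redirecting the whole `find -x /tmp/* -type f -exec rm -f {} \;` to /dev/null in rc.shutdown hides every failure, not only the "No such file or directory" the unexpanded `/tmp/*` glob produces when /tmp is empty; the glob is also expanded by the shell, so a very full /tmp can exceed the argument limit. Letting find walk the directory itself avoids both without silencing errors, since `-type f` already excludes the directory: `find -x /tmp -type f -exec rm -f {} \;`.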
@@ -1,61 +1,62 @@ #!/bin/sh +export PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin + if [ "${2}" == "inet" ]; then - OLD_ROUTER=`/bin/cat /tmp/${1}_router` - if [ "${OLD_ROUTER}" != "" ]; then + OLD_ROUTER=`cat /tmp/${1}_router` + if [ -n "${OLD_ROUTER}" ]; then echo "Removing states to old router ${OLD_ROUTER}" | logger -t ppp-linkup - /sbin/pfctl -i ${1} -k 0.0.0.0/0 -k ${OLD_ROUTER}/32 - /sbin/pfctl -i ${1} -k ${OLD_ROUTER}/32 -k 0.0.0.0/0 + pfctl -i ${1} -k 0.0.0.0/0 -k ${OLD_ROUTER}/32 + pfctl -i ${1} -k ${OLD_ROUTER}/32 -k 0.0.0.0/0 fi # let the configuration system know that the ipv4 has changed. - /bin/echo ${4} > /tmp/${1}_router - /bin/echo ${3} > /tmp/${1}_ip - /usr/bin/touch /tmp/${1}up + echo ${4} > /tmp/${1}_router + echo ${3} > /tmp/${1}_ip + touch /tmp/${1}up - ALLOWOVERRIDE=`/usr/bin/grep -c dnsallowoverride /conf/config.xml` - if [ ${ALLOWOVERRIDE} -gt 0 ]; then + if grep -q dnsallowoverride /conf/config.xml; then # write nameservers to file - if [ "`echo ${6}|grep -c dns1`" -gt 0 ]; then - DNS1=`echo ${6} |awk '{print ${2}}'` - echo "${DNS1}"> /var/etc/nameserver_${1} - /sbin/route change "${DNS1}" ${4} + echo -n "" > /var/etc/nameserver_${1} + if echo "${6}" | grep -q dns1; then + DNS1=`echo "${6}" | awk '{print $2}'` + echo "${DNS1}" >> /var/etc/nameserver_${1} + route change "${DNS1}" ${4} fi - if [ "`echo ${7}|grep -c dns2`" -gt 0 ]; then - DNS2=`echo ${7} |awk '{print ${2}}'` + if echo "${7}" | grep -q dns2; then + DNS2=`echo "${7}" | awk '{print $2}'` echo "${DNS2}" >> /var/etc/nameserver_${1} - /sbin/route change "${DNS2}" ${4} + route change "${DNS2}" ${4} fi - /usr/local/sbin/pfSctl -c 'service reload dns' - /bin/sleep 1 + pfSctl -c 'service reload dns' + sleep 1 fi - /usr/local/sbin/pfSctl -c "interface newip ${1}" -fi + pfSctl -c "interface newip ${1}" -if [ "${2}" == "inet6" ]; then +elif [ "${2}" == "inet6" ]; then # let the configuration system know that the ipv6 has changed. 
- /bin/echo ${4} |cut -d% -f1 > /tmp/${1}_routerv6 - /bin/echo ${3} |cut -d% -f1 > /tmp/${1}_ipv6 - /usr/bin/touch /tmp/${1}upv6 + echo ${4} |cut -d% -f1 > /tmp/${1}_routerv6 + echo ${3} |cut -d% -f1 > /tmp/${1}_ipv6 + touch /tmp/${1}upv6 - ALLOWOVERRIDE=`/usr/bin/grep -c dnsallowoverride /conf/config.xml` - if [ ${ALLOWOVERRIDE} -gt 0 ]; then + if grep -q dnsallowoverride /conf/config.xml; then # write nameservers to file - if [ "`echo ${6}|grep -c dns1`" -gt 0 ]; then - DNS1=`echo ${6} |awk '{print ${2}}'` - echo "${DNS1}"> /var/etc/nameserver_v6${1} - /sbin/route change -inet6 "${DNS1}" ${4} + echo -n "" > /var/etc/nameserver_v6${1} + if echo "${6}" | grep -q dns1; then + DNS1=`echo "${6}" | awk '{print $2}'` + echo "${DNS1}" >> /var/etc/nameserver_v6${1} + route change -inet6 "${DNS1}" ${4} fi - if [ "`echo ${7}|grep -c dns2`" -gt 0 ]; then - DNS2=`echo ${7} |awk '{print ${2}}'` + if echo "${7}" | grep -q dns2; then + DNS2=`echo "${7}" | awk '{print $2}'` echo "${DNS2}" >> /var/etc/nameserver_v6${1} - /sbin/route change -inet6 "${DNS2}" ${4} + route change -inet6 "${DNS2}" ${4} fi - /usr/local/sbin/pfSctl -c 'service reload dns' - /bin/sleep 1 + pfSctl -c 'service reload dns' + sleep 1 fi - /usr/local/sbin/pfSctl -c "interface newipv6 ${1}" + pfSctl -c "interface newipv6 ${1}" fi exit 0 diff --git a/usr/local/www/diag_confbak.php b/usr/local/www/diag_confbak.php index 5fd6796..4d631a3 100644 --- a/usr/local/www/diag_confbak.php +++ b/usr/local/www/diag_confbak.php 
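Review bot: The DNS addresses parsed from `${6}`/`${7}` (values supplied by the PPP peer) are passed to `route change` and written to `/var/etc/nameserver_${1}` without any check that they are IP addresses, and the script then triggers `service reload dns`, so a malformed value from the peer lands in the resolver configuration; a `case` pattern check (or an equivalent address test) on `${DNS1}`/`${DNS2}` before the `route change` and the write would keep such values out. The awk fix (`'{print $2}'` instead of `'{print ${2}}'`) is what makes these values usable at all, so validation matters more now than before. Separately, `echo -n "" > /var/etc/nameserver_${1}` now creates an empty nameserver file even when the peer sent no DNS options; if any consumer treats the file's presence as "has nameservers", confirm that an empty file is handled. The same applies to the inet6 branch. The script has no functions; the hunk covers the whole body.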
@@ -210,7 +210,7 @@ include("head.inc"); <?php if (is_array($confvers)): ?> <tr> <td colspan="7" class="list"> - <?= gettext("To view the differences between an older configuration and a newer configuration, select the older configuration using the left column of radio options and select the newer configuration in the right colomn, then press the Diff button."); ?> + <?= gettext("To view the differences between an older configuration and a newer configuration, select the older configuration using the left column of radio options and select the newer configuration in the right column, then press the Diff button."); ?> <br /><br /> </td> </tr> diff --git a/usr/local/www/diag_dns.php b/usr/local/www/diag_dns.php index 69a93a3..415b714 100644 --- a/usr/local/www/diag_dns.php +++ b/usr/local/www/diag_dns.php @@ -37,7 +37,11 @@ require("guiconfig.inc"); $host = trim($_REQUEST['host'], " \t\n\r\0\x0B[];\"'"); $host_esc = escapeshellarg($host); -$a_aliases = &$config['aliases']['alias']; +if (is_array($config['aliases']['alias'])) { + $a_aliases = &$config['aliases']['alias']; +} else { + $a_aliases = array(); +} $aliasname = str_replace(array(".","-"), "_", $host); $alias_exists = false; $counter=0; diff --git a/usr/local/www/diag_ipsec.php b/usr/local/www/diag_ipsec.php index ad6c463..33b0c85 100644 --- a/usr/local/www/diag_ipsec.php +++ b/usr/local/www/diag_ipsec.php 
@@ -52,16 +52,16 @@ require("guiconfig.inc"); include("head.inc"); require("ipsec.inc"); -if ($_GET['act'] == "connect") { - if (is_ipaddrv4($_GET['remoteid']) && is_ipaddrv4($_GET['source'])) { - exec("/sbin/ping -S " . escapeshellarg($_GET['source']) . " -c 1 " . escapeshellarg($_GET['remoteid'])); +if ($_GET['act'] == 'connect') { + if (ctype_digit($_GET['ikeid'])) { + mwexec("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid'])); + mwexec("/usr/local/sbin/ipsec up con" . escapeshellarg($_GET['ikeid'])); } - else if (is_ipaddrv6($_GET['remoteid']) && is_ipaddrv6($_GET['source'])) { - exec("/sbin/ping6 -S " . escapeshellarg($_GET['source']) . " -c 1 " . escapeshellarg($_GET['remoteid'])); +} else if ($_GET['act'] == 'ikedisconnect') { + if (ctype_digit($_GET['ikeid'])) { + mwexec("/usr/local/sbin/ipsec down con" . escapeshellarg($_GET['ikeid'])); } -} - -if ($_GET['act'] == "disconnect") { +} else if ($_GET['act'] == 'disconnect') { if (!empty($_GET['user'])) { ipsec_disconnect_mobile($_GET['user']); sleep(1); 
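Review bot: `act=connect` and `act=ikedisconnect` now bring a tunnel down or up from a plain GET request (`diag_ipsec.php?act=connect&ikeid=N`) with no CSRF token, so any page an authenticated administrator visits can trigger them through an image tag or link; routing these actions through a POST form covered by the CSRF protection applied to form submissions keeps them from being fired cross-site. The `ctype_digit()` check is the right restriction on `ikeid` (it also returns false when the parameter is absent), but `"con" . escapeshellarg($_GET['ikeid'])` yields `con'5'`, which only works because sh joins the quoted fragment to the prefix; `escapeshellarg("con" . $_GET['ikeid'])` states what is meant. This hunk is top-level page code, not inside a function.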
@@ -107,23 +107,31 @@ $status = ipsec_smp_dump_status(); <th class="listhdrr nowrap"><?php echo gettext("Remote IP");?></th> <th class="listhdrr nowrap"><?php echo gettext("Role");?></th> <th class="listhdrr nowrap"><?php echo gettext("Status");?></th> + <td class="list nowrap"></td> </tr> </thead> <tbody> <?php if (is_array($status['query']) && is_array($status['query']['ikesalist']) && is_array($status['query']['ikesalist']['ikesa'])) { foreach ($status['query']['ikesalist']['ikesa'] as $ikeid => $ikesa) { + if (ipsec_phase1_status($status['query']['ikesalist']['ikesa'], $ikesa['id'])) { + $icon = "pass"; + } elseif(!isset($config['ipsec']['enable'])) { + $icon = "block"; + } else { + $icon = "reject"; + } ?> <tr> <td class="listlr"> - <?php echo htmlspecialchars(ipsec_get_descr_by_peerconfig($ikesa['peerconfig']));?> + <?php echo "({$ikesa['id']}) " . htmlspecialchars(ipsec_get_descr($ikesa['id']));?> </td> <td class="listr"> <?php if (!is_array($ikesa['local'])) echo "Unknown"; else { if (!empty($ikesa['local']['identification'])) - echo htmlspecialchars($ikesa['local']['identification']) . '<br />' . htmlspecialchars($ikesa['local']['spi']); + echo htmlspecialchars($ikesa['local']['identification']); else echo 'Unknown'; } @@ -137,7 +145,7 @@ $status = ipsec_smp_dump_status(); echo htmlspecialchars($ikesa['local']['address']) . ':' . htmlspecialchars($ikesa['local']['port']); else echo 'Unknown'; - if ($ikesa['local']['nat']) + if ($ikesa['local']['nat'] != 'false') echo " NAT-T"; } ?> @@ -147,7 +155,7 @@ $status = ipsec_smp_dump_status(); echo "Unknown"; else { if (!empty($ikesa['remote']['identification'])) - echo htmlspecialchars($ikesa['remote']['identification']) . '<br />' . htmlspecialchars($ikesa['remote']['spi']); + echo htmlspecialchars($ikesa['remote']['identification']); else echo 'Unknown'; } 
@@ -161,7 +169,7 @@ $status = ipsec_smp_dump_status(); echo htmlspecialchars($ikesa['remote']['address']) . ':' . htmlspecialchars($ikesa['remote']['port']); else echo 'Unknown'; - if ($ikesa['remote']['nat']) + if ($ikesa['remote']['nat'] != 'false') echo " NAT-T"; } ?> @@ -170,10 +178,25 @@ $status = ipsec_smp_dump_status(); <?php echo htmlspecialchars($ikesa['role']);?> </td> <td class="listr"> - <?php echo htmlspecialchars($ikesa['status']);?> + <center> + <img src ="/themes/<?php echo $g['theme']; ?>/images/icons/icon_<?php echo $icon; ?>.gif" title="<?php echo $ikesa['status']; ?>" alt=""/> + <br/><?php echo htmlspecialchars($ikesa['status']);?> + </center> </td> - <td class="listbg"> - <?php ?> + <td > + <?php if ($icon != "pass"): ?> + <center> + <a href="diag_ipsec.php?act=connect&ikeid=<?php echo $ikesa['id']; ?>"> + <img src ="/themes/<?php echo $g['theme']; ?>/images/icons/icon_service_start.gif" alt="Connect VPN" title="Connect VPN" border="0"/> + </a> + </center> + <?php else: ?> + <center> + <a href="diag_ipsec.php?act=ikedisconnect&ikeid=<?php echo $ikesa['id']; ?>"> + <img src ="/themes/<?php echo $g['theme']; ?>/images/icons/icon_service_stop.gif" alt="Disconnect VPN" title="Disconnect VPN" border="0"/> + </a> + </center> + <?php endif; ?> </td> <td valign="middle" class="list nowrap"> <table border="0" cellspacing="0" cellpadding="1" summary=""> diff --git a/usr/local/www/diag_ipsec_spd.php b/usr/local/www/diag_ipsec_spd.php index d156105..3c854af 100644 --- a/usr/local/www/diag_ipsec_spd.php +++ b/usr/local/www/diag_ipsec_spd.php @@ -32,7 +32,7 @@ */ /* - pfSense_BUILDER_BINARIES: /usr/local/sbin/setkey + pfSense_BUILDER_BINARIES: /sbin/setkey pfSense_MODULE: ipsec */ 
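Review bot: `if ($ikesa['local']['nat'] != 'false')` in the `@@ -107` hunk (and the remote counterpart in the next hunk) displays " NAT-T" whenever the `nat` element is missing, because `null != 'false'` is true; presumably the status XML always carries the element, but `if (!empty($ikesa['local']['nat']) && $ikesa['local']['nat'] != 'false')` is safe either way. The new `echo "({$ikesa['id']}) " . htmlspecialchars(...)` escapes the description but not the id; since the rest of the cell escapes everything, `htmlspecialchars($ikesa['id'])` keeps the column consistent. The `$icon` selection uses `ipsec_phase1_status()` over the whole list for every row, which is quadratic in the number of SAs, though with the usual handful of tunnels that is negligible. This hunk is top-level page code.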
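Review bot: In the new status cell `title="<?php echo $ikesa['status']; ?>"` inserts the value into an HTML attribute unescaped while the very next line prints the same value through htmlspecialchars(); the title should be `htmlspecialchars($ikesa['status'])` as well. The connect/disconnect links likewise embed `$ikesa['id']` raw in `href` and use a bare `&` between query parameters; `htmlspecialchars(urlencode($ikesa['id']))` and `&amp;` give well-formed, escaped markup. These links are also the GET-triggered state changes raised in the note on the `@@ -52` hunk. This hunk is top-level page code.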
@@ -50,16 +50,6 @@ $pgtitle = array(gettext("Status"),gettext("IPsec"),gettext("SPD")); $shortcut_section = "ipsec"; include("head.inc"); -/* delete any SP? */ -if ($_GET['act'] == "del") { - $fd = @popen("/usr/local/sbin/setkey -c > /dev/null 2>&1", "w"); - if ($fd) { - fwrite($fd, "spddelete {$_GET['srcid']} {$_GET['dstid']} any -P {$_GET['dir']} ;\n"); - pclose($fd); - sleep(1); - } -} - $spd = ipsec_dump_spd(); ?> @@ -106,9 +96,6 @@ $spd = ipsec_dump_spd(); $args .= "&dstid=".rawurlencode($sp['dstid']); $args .= "&dir=".rawurlencode($sp['dir']); ?> - <a href="diag_ipsec_spd.php?act=del&<?=$args;?>" onclick="return confirm('<?= gettext("Do you really want to delete this security policy?"); ?>')"> - <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" alt="delete" /> - </a> </td> </tr> <?php endforeach; ?> diff --git a/usr/local/www/diag_ipsec_xml.php b/usr/local/www/diag_ipsec_xml.php index b2c2ad6..2d74c1b 100644 --- a/usr/local/www/diag_ipsec_xml.php +++ b/usr/local/www/diag_ipsec_xml.php @@ -50,15 +50,14 @@ $ipsec_status = array(); $a_phase2 = &$config['ipsec']['phase2']; -$spd = ipsec_dump_spd(); -$sad = ipsec_dump_sad(); +$status = ipsec_smp_dump_status(); -if(is_array($a_phase2)) { +if (is_array($status['query']) && $status['query']['ikesalist'] && $status['query']['ikesalist']['ikesa'])) { foreach ($a_phase2 as $ph2ent) { ipsec_lookup_phase1($ph2ent,$ph1ent); $tunnel = array(); if (!isset($ph2ent['disabled']) && !isset($ph1ent['disabled'])) { - if(ipsec_phase2_status($spd,$sad,$ph1ent,$ph2ent)) + if(ipsec_phase1_status($status['query']['ikesalist']['ikesa'], $ph1ent['ikeid'])) $tunnel['state'] = "up"; elseif(!isset($config['ipsec']['enable'])) $tunnel['state'] = "disabled"; diff --git a/usr/local/www/diag_logs_filter.php b/usr/local/www/diag_logs_filter.php index d12ad43..5595fc6 100644 --- a/usr/local/www/diag_logs_filter.php +++ b/usr/local/www/diag_logs_filter.php 
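Review bot: The new `if (is_array($status['query']) && $status['query']['ikesalist'] && $status['query']['ikesalist']['ikesa'])) {` has one closing parenthesis too many and, as shown, is a parse error; the condition also drops the `is_array($a_phase2)` guard that the foreach on the next line still needs. `if (is_array($a_phase2) && is_array($status['query']['ikesalist']['ikesa'])) {` keeps both checks, since `is_array` on the nested key already implies its parents are arrays. The return value of `ipsec_lookup_phase1()` is still ignored, so when no phase1 matches, `$ph1ent` keeps the previous iteration's value and `$ph1ent['ikeid']` reports another tunnel's state; `if (!ipsec_lookup_phase1($ph2ent, $ph1ent)) continue;` would make the lookup failure explicit. The foreach body continues past the hunk.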
@@ -91,9 +91,8 @@ if ($filterlogentries_submit) { $actpass = getGETPOSTsettingvalue('actpass', null); $actblock = getGETPOSTsettingvalue('actblock', null); - $actreject = getGETPOSTsettingvalue('actreject', null); - $filterfieldsarray['act'] = str_replace(" ", " ", trim($actpass . " " . $actblock . " " . $actreject)); + $filterfieldsarray['act'] = str_replace(" ", " ", trim($actpass . " " . $actblock)); $filterfieldsarray['act'] = $filterfieldsarray['act'] != "" ? $filterfieldsarray['act'] : 'All'; $filterfieldsarray['time'] = getGETPOSTsettingvalue('filterlogentries_time', null); $filterfieldsarray['interface'] = getGETPOSTsettingvalue('filterlogentries_interfaces', null); @@ -175,7 +174,6 @@ include("head.inc"); <div align="left"> <input id="actpass" name="actpass" type="checkbox" value="Pass" <?php if (in_arrayi('Pass', $Include_Act)) echo "checked=\"checked\""; ?> /> Pass<br /> <input id="actblock" name="actblock" type="checkbox" value="Block" <?php if (in_arrayi('Block', $Include_Act)) echo "checked=\"checked\""; ?> /> Block<br /> - <input id="actreject" name="actreject" type="checkbox" value="Reject" <?php if (in_arrayi('Reject', $Include_Act)) echo "checked=\"checked\""; ?> /> Reject<br /> </div> </td> <td> diff --git a/usr/local/www/fbegin.inc b/usr/local/www/fbegin.inc index 4710c29..1775d49 100755 --- a/usr/local/www/fbegin.inc +++ b/usr/local/www/fbegin.inc @@ -242,7 +242,7 @@ if (isset($config['system']['developer'])) { $diagnostics_menu = msort(array_merge($diagnostics_menu, return_ext_menu("Diagnostics")),0); $gold_menu = array(); -$gold_menu[] = array(gettext("pfSense Gold"), "https://portal.pfsense.org/gold-subscription.php"); +$gold_menu[] = array(gettext("pfSense Gold"), "https://www.pfsense.org/gold"); $gold_menu = msort(array_merge($gold_menu, return_ext_menu("Gold")),0); if(! $g['disablehelpmenu']) { diff --git a/usr/local/www/filebrowser/browser.php b/usr/local/www/filebrowser/browser.php index 4a456be..d8cbea3 100644 
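Review bot: With only two terms left, `trim($actpass . " " . $actblock)` can no longer produce an interior run of spaces, so the surrounding `str_replace` (which collapsed a doubled space when the middle term was empty) is now dead; `$filterfieldsarray['act'] = trim($actpass . " " . $actblock);` says the same thing. If this rendering folded a two-space needle into one, that only strengthens the point. The filter-building block continues outside the hunk.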
--- a/usr/local/www/filebrowser/browser.php +++ b/usr/local/www/filebrowser/browser.php @@ -91,25 +91,44 @@ endforeach; foreach($files as $file): $ext = strrchr($file, "."); - if($ext == ".css" ) $type = "code"; - elseif($ext == ".html") $type = "code"; - elseif($ext == ".xml" ) $type = "code"; - elseif($ext == ".rrd" ) $type = "database"; - elseif($ext == ".gif" ) $type = "image"; - elseif($ext == ".jpg" ) $type = "image"; - elseif($ext == ".png" ) $type = "image"; - elseif($ext == ".js" ) $type = "js"; - elseif($ext == ".pdf" ) $type = "pdf"; - elseif($ext == ".inc" ) $type = "php"; - elseif($ext == ".php" ) $type = "php"; - elseif($ext == ".conf") $type = "system"; - elseif($ext == ".pid" ) $type = "system"; - elseif($ext == ".sh" ) $type = "system"; - elseif($ext == ".bz2" ) $type = "zip"; - elseif($ext == ".gz" ) $type = "zip"; - elseif($ext == ".tgz" ) $type = "zip"; - elseif($ext == ".zip" ) $type = "zip"; - else $type = "generic"; + switch ($ext) { + case ".css": + case ".html": + case ".xml": + $type = "code"; + break; + case ".rrd": + $type = "database"; + break; + case ".gif": + case ".jpg": + case ".png": + $type = "image"; + break; + case ".js": + $type = "js"; + break; + case ".pdf": + $type = "pdf"; + break; + case ".inc": + case ".php": + $type = "php"; + break; + case ".conf": + case ".pid": + case ".sh": + $type = "system"; + break; + case ".bz2": + case ".gz": + case ".tgz": + case ".zip": + $type = "zip"; + break; + default: + $type = "generic"; + } $fqpn = "{$path}/{$file}"; diff --git a/usr/local/www/firewall_aliases_edit.php b/usr/local/www/firewall_aliases_edit.php index e3c0471..3479e8d 100755 --- a/usr/local/www/firewall_aliases_edit.php +++ b/usr/local/www/firewall_aliases_edit.php 
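Review bot: The switch compares `$ext` case-sensitively, so `.JPG`, `.PNG` or `.Conf` fall through to `generic` exactly as they did in the elseif chain; switching on `strtolower((string) $ext)` classifies them correctly at no cost. `strrchr()` returns false for a name without a dot, which the cast turns into '' and the `default` arm still catches. A short comment above the switch noting that it relies on loose `==` matching would help, since switch is not strict and a future `match` conversion would change that.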
@@ -643,7 +643,7 @@ if (empty($tab)) { <td valign="top" class="vncellreq"><?=gettext("Name"); ?></td> <td class="vtable"> <input name="origname" type="hidden" id="origname" class="formfld unknown" size="40" value="<?=htmlspecialchars($pconfig['name']);?>" /> - <input name="name" type="text" id="name" class="formfld unknown" size="40" value="<?=htmlspecialchars($pconfig['name']);?>" /> + <input name="name" type="text" id="name" class="formfld unknown" size="40" maxlength="31" value="<?=htmlspecialchars($pconfig['name']);?>" /> <?php if (isset($id) && $a_aliases[$id]): ?> <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" /> <?php endif; ?> diff --git a/usr/local/www/firewall_aliases_import.php b/usr/local/www/firewall_aliases_import.php index 4151521..c028b3e 100755 --- a/usr/local/www/firewall_aliases_import.php +++ b/usr/local/www/firewall_aliases_import.php @@ -57,7 +57,7 @@ $reserved_ifs = get_configured_interface_list(false, true); $reserved_keywords = array_merge($reserved_keywords, $reserved_ifs, $reserved_table_names); if (!is_array($config['aliases']['alias'])) - $config['aliases']['alias'] = array(); + $config['aliases']['alias'] = array(); $a_aliases = &$config['aliases']['alias']; if($_POST['aliasimport'] <> "") { @@ -65,7 +65,7 @@ if($_POST['aliasimport'] <> "") { $reqdfieldsn = array(gettext("Name"),gettext("Aliases")); do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); - + if (is_validaliasname($_POST['name']) == false) $input_errors[] = gettext("The alias name may only consist of the characters") . " a-z, A-Z, 0-9, _."; 
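Review bot: `maxlength="31"` on the name input is a browser-side limit only; a request built outside the form still reaches the POST handler with a longer name. If `is_validaliasname()` or the handler (both outside this hunk) do not already bound the length, add a server-side check with the same limit, e.g. `if (strlen($_POST['name']) > 31) $input_errors[] = gettext("The alias name must be 31 characters or less.");`. The same attribute is added to the import form in firewall_aliases_import.php and needs the same backing check.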
@@ -75,17 +75,17 @@ if($_POST['aliasimport'] <> "") { /* Check for reserved keyword names */ - foreach($reserved_keywords as $rk) - if ($rk == $_POST['name']) - $input_errors[] = sprintf(gettext("Cannot use a reserved keyword as alias name %s"), $rk); - - /* check for name interface description conflicts */ - foreach($config['interfaces'] as $interface) { - if($interface['descr'] == $_POST['name']) { - $input_errors[] = gettext("An interface description with this name already exists."); - break; - } - } + foreach($reserved_keywords as $rk) + if ($rk == $_POST['name']) + $input_errors[] = sprintf(gettext("Cannot use a reserved keyword as alias name %s"), $rk); + + /* check for name interface description conflicts */ + foreach($config['interfaces'] as $interface) { + if($interface['descr'] == $_POST['name']) { + $input_errors[] = gettext("An interface description with this name already exists."); + break; + } + } if ($_POST['aliasimport']) { $tocheck = explode("\n", $_POST['aliasimport']); @@ -147,7 +147,7 @@ if($_POST['aliasimport'] <> "") { if (write_config()) mark_subsystem_dirty('aliases'); pfSenseHeader("firewall_aliases.php"); - + exit; } } 
@@ -163,38 +163,53 @@ include("head.inc"); <div id="inputerrors"></div> <table width="100%" border="0" cellpadding="6" cellspacing="0" summary="firewall alias import"> <tr> - <td colspan="2" valign="top" class="listtopic"><?=gettext("Alias Import"); ?></td> + <td colspan="2" valign="top" class="listtopic"><?=gettext("Alias Import"); ?></td> </tr> <tr> - <td valign="top" class="vncellreq"><?=gettext("Alias Name"); ?></td> - <td class="vtable"> <input name="name" type="text" class="formfld unknown" id="name" size="40" value="<?=htmlspecialchars($_POST['name']);?>" /> - <br /> <span class="vexpl"> - <?=gettext("The name of the alias may only consist of the characters \"a-z, A-Z and 0-9\"."); ?></span></td> + <td valign="top" class="vncellreq"><?=gettext("Alias Name"); ?></td> + <td class="vtable"> + <input name="name" type="text" class="formfld unknown" id="name" size="40" maxlength="31" value="<?=htmlspecialchars($_POST['name']);?>" /> + <br /> + <span class="vexpl"> + <?=gettext("The name of the alias may only consist of the characters \"a-z, A-Z and 0-9\"."); ?> + </span> + </td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("Description"); ?></td> - <td width="78%" class="vtable"> <input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($_POST['descr']);?>" /> - <br /> <span class="vexpl"><?=gettext("You may enter a description here " . - "for your reference (not parsed)"); ?>.</span></td> + <td width="22%" valign="top" class="vncell"><?=gettext("Description"); ?></td> + <td width="78%" class="vtable"> + <input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($_POST['descr']);?>" /> + <br /> + <span class="vexpl"> + <?=gettext("You may enter a description here for your reference (not parsed)"); ?>. 
+ </span> + </td> </tr> <tr> - <td valign="top" class="vncellreq"><?=gettext("Aliases to import"); ?></td> - <td class="vtable"><textarea name="aliasimport" rows="15" cols="40"><?php echo $_POST['aliasimport']; ?></textarea> - <br /> <span class="vexpl"><?=gettext("Paste in the aliases to import separated by a carriage return. Common examples are lists of IPs, networks, blacklists, etc."); ?> - <br /> <?=gettext("The list may contain IP addresses, with or without CIDR prefix, IP ranges, blank lines (ignored) and an optional description after each IP. e.g.:"); ?> - <br />172.16.1.2 - <br />172.16.0.0/24 - <br />10.11.12.100-10.11.12.200 - <br />192.168.1.254 Home router - <br />10.20.0.0/16 Office network - <br />10.40.1.10-10.40.1.19 Managed switches</span></td> + <td valign="top" class="vncellreq"><?=gettext("Aliases to import"); ?></td> + <td class="vtable"> + <textarea name="aliasimport" rows="15" cols="40"><?php echo $_POST['aliasimport']; ?></textarea> + <br /> + <span class="vexpl"> + <?=gettext("Paste in the aliases to import separated by a carriage return. Common examples are lists of IPs, networks, blacklists, etc."); ?> + <br /> + <?=gettext("The list may contain IP addresses, with or without CIDR prefix, IP ranges, blank lines (ignored) and an optional description after each IP. 
e.g.:"); ?> + <br />172.16.1.2 + <br />172.16.0.0/24 + <br />10.11.12.100-10.11.12.200 + <br />192.168.1.254 Home router + <br />10.20.0.0/16 Office network + <br />10.40.1.10-10.40.1.19 Managed switches + </span> + </td> </tr> <tr> - <td width="22%" valign="top"> </td> - <td width="78%"> - <input id="submit" name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" /> - <input class="formbtn" type="button" value="<?=gettext("Cancel"); ?>" onclick="history.back()" /> - </td></tr> + <td width="22%" valign="top"> </td> + <td width="78%"> + <input id="submit" name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>" /> + <input class="formbtn" type="button" value="<?=gettext("Cancel"); ?>" onclick="history.back()" /> + </td> + </tr> </table> @@ -202,7 +217,7 @@ include("head.inc"); </div> <?php include("fend.inc"); ?> - + <script type="text/javascript"> //<![CDATA[ NiftyCheck(); diff --git a/usr/local/www/firewall_virtual_ip_edit.php b/usr/local/www/firewall_virtual_ip_edit.php index bf48e12..c33166b 100644 --- a/usr/local/www/firewall_virtual_ip_edit.php +++ b/usr/local/www/firewall_virtual_ip_edit.php 
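Review bot: The re-indented textarea still emits `<?php echo $_POST['aliasimport']; ?>` unescaped, so a submitted value containing `</textarea>` leaves the control and the remainder is rendered as markup in the page returned to the submitter; `htmlspecialchars($_POST['aliasimport'])` fixes it, and the name and descr inputs in the same table already escape their values. The `maxlength="31"` added to the name input is advisory only; the POST validation (outside this hunk) should enforce the same bound. A whitespace-only reflow is exactly where an unescaped echo is easiest to miss, which is the reason to fix it in this change.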
@@ -113,8 +113,23 @@ if ($_POST) { if ($_POST['subnet']) { if (!is_ipaddr($_POST['subnet'])) $input_errors[] = gettext("A valid IP address must be specified."); - else if (is_ipaddr_configured($_POST['subnet'], "{$_POST['interface']}_vip{$id}")) - $input_errors[] = gettext("This IP address is being used by another interface or VIP."); + else { + if (isset($id) && isset($a_vip[$id])) { + $ignore_if = $a_vip[$id]['interface']; + $ignore_mode = $a_vip[$id]['mode']; + } else { + $ignore_if = $_POST['interface']; + $ignore_mode = $_POST['mode']; + } + + if ($ignore_mode == 'carp') + $ignore_if .= "_vip{$id}"; + + if (is_ipaddr_configured($_POST['subnet'], $ignore_if)) + $input_errors[] = gettext("This IP address is being used by another interface or VIP."); + + unset($ignore_if, $ignore_mode); + } } $natiflist = get_configured_interface_with_descr(); diff --git a/usr/local/www/interfaces_assign.php b/usr/local/www/interfaces_assign.php index 42ba60e..515ea92 100644 --- a/usr/local/www/interfaces_assign.php +++ b/usr/local/www/interfaces_assign.php @@ -384,7 +384,7 @@ if(file_exists("/var/run/interface_mismatch_reboot_needed")) else $savemsg = gettext("Reboot is needed. Please apply the settings in order to reboot."); } else { - $savemsg = gettext("Interface mismatch detected. Please resolve the mismatch and click Save. The firewall will reboot afterwards."); + $savemsg = gettext("Interface mismatch detected. Please resolve the mismatch and click 'Apply changes'. The firewall will reboot afterwards."); } ?> diff --git a/usr/local/www/pkg_mgr_install.php b/usr/local/www/pkg_mgr_install.php index 2f5d04c..945aa2d 100644 --- a/usr/local/www/pkg_mgr_install.php +++ b/usr/local/www/pkg_mgr_install.php @@ -226,6 +226,8 @@ if ($_GET) { filter_configure(); break; case 'reinstallxml': + pkg_fetch_config_file($pkgid); + pkg_fetch_additional_files($pkgid); case 'reinstallpkg': delete_package_xml($pkgid); if (install_package($pkgid) < 0) { 
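Review bot: For a VIP whose mode is not `carp`, `$ignore_if` is now the bare interface name, so `is_ipaddr_configured()` is asked to ignore the parent interface itself; if that helper (outside this hunk) skips the interface's own address when told to ignore it, an IP alias or proxy ARP VIP equal to the interface's primary address would now pass validation where the old `{$interface}_vip{$id}` name did not. Worth confirming against the helper before merging, and a comment above `if ($ignore_mode == 'carp')` explaining why only CARP gets the suffix would record the intent. For a new CARP VIP `$id` is unset and the suffix is just `_vip`, presumably harmless because nothing with that name exists yet. The enclosing `if ($_POST)` block continues past the hunk.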
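Review bot: The two fetch calls added under `case 'reinstallxml':` deliberately fall through into `case 'reinstallpkg':`, but nothing marks that; a `/* FALLTHROUGH: reinstallxml continues with the full package reinstall */` comment before the next case makes it visible to readers and to analysers that flag unmarked fallthrough. The return values of `pkg_fetch_config_file()` and `pkg_fetch_additional_files()` are discarded, so a failed fetch proceeds to `delete_package_xml()` and can leave the package without its configuration; if those helpers report failure, check it before deleting. The switch continues outside the hunk.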
diff --git a/usr/local/www/status.php b/usr/local/www/status.php index 5b1624a..93fe21e 100755 --- a/usr/local/www/status.php +++ b/usr/local/www/status.php @@ -29,7 +29,7 @@ POSSIBILITY OF SUCH DAMAGE. */ /* - pfSense_BUILDER_BINARIES: /usr/bin/vmstat /usr/bin/netstat /sbin/dmesg /sbin/mount /usr/local/sbin/setkey /usr/local/sbin/pftop + pfSense_BUILDER_BINARIES: /usr/bin/vmstat /usr/bin/netstat /sbin/dmesg /sbin/mount /sbin/setkey /usr/local/sbin/pftop pfSense_BUILDER_BINARIES: /sbin/pfctl /sbin/sysctl /usr/bin/top /usr/bin/netstat /sbin/pfctl /sbin/ifconfig pfSense_MODULE: support */ @@ -180,8 +180,8 @@ defCmdT("dhcpd.conf","cat /var/dhcpd/etc/dhcpd.conf"); defCmdT("df","/bin/df"); defCmdT("racoon.conf","cat /var/etc/racoon.conf"); -defCmdT("SPD","/usr/local/sbin/setkey -DP"); -defCmdT("SAD","/usr/local/sbin/setkey -D"); +defCmdT("SPD","/sbin/setkey -DP"); +defCmdT("SAD","/sbin/setkey -D"); if(isset($config['system']['usefifolog'])) { defCmdT("last 200 system log entries","/usr/sbin/fifolog_reader /var/log/system.log 2>&1 | tail -n 200"); diff --git a/usr/local/www/themes/pfsense_ng/all.css b/usr/local/www/themes/pfsense_ng/all.css index 80dd171..46f74fa 100644 --- a/usr/local/www/themes/pfsense_ng/all.css +++ b/usr/local/www/themes/pfsense_ng/all.css @@ -428,7 +428,7 @@ table#marquee div#container div#scroller { #navigation ul li { float: left; position: relative; - width: 6.2em; + padding-right: 27px; top: 0px; } diff --git a/usr/local/www/themes/pfsense_ng_fs/all.css b/usr/local/www/themes/pfsense_ng_fs/all.css index c0898e9..7ccc4c7 100644 --- a/usr/local/www/themes/pfsense_ng_fs/all.css +++ b/usr/local/www/themes/pfsense_ng_fs/all.css @@ -389,7 +389,7 @@ table#marquee div#container div#scroller { #navigation ul li { float: left; position: relative; - width: 6.2em; + padding-right: 27px; top: 0px; } diff --git a/usr/local/www/vpn_ipsec.php b/usr/local/www/vpn_ipsec.php index 587c048..75118b5 100644 --- a/usr/local/www/vpn_ipsec.php 
+++ b/usr/local/www/vpn_ipsec.php @@ -102,7 +102,7 @@ if ($_GET['act'] == "delph1") if ($_GET['act'] == "delph2") { - if ($a_phase1[$_GET['p1index']] && $a_phase2[$_GET['p2index']]) { + if ($a_phase1[$_GET['p1index']]) { /* remove the phase2 entry */ foreach ($a_phase2 as $ph2idx => $ph2) { if ($ph2['uniqid'] == $_GET['p2index']) { @@ -374,10 +374,12 @@ include("head.inc"); <td class="listr nowrap"> <?=$spans;?> <?php - foreach ($ph2ent['hash-algorithm-option'] as $k => $ph2ha) { - if ($k) - echo ", "; - echo $p2_halgos[$ph2ha]; + if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) { + foreach ($ph2ent['hash-algorithm-option'] as $k => $ph2ha) { + if ($k) + echo ", "; + echo $p2_halgos[$ph2ha]; + } } ?> <?=$spane;?> diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php index 8a78065..461a708 100644 --- a/usr/local/www/vpn_ipsec_phase2.php +++ b/usr/local/www/vpn_ipsec_phase2.php @@ -127,8 +127,8 @@ if ($_POST) { $input_errors[] = gettext("A valid ikeid must be specified."); /* input validation */ - $reqdfields = explode(" ", "localid_type halgos uniqid"); - $reqdfieldsn = array(gettext("Local network type"),gettext("P2 Hash Algorithms"), gettext("Unique Identifier")); + $reqdfields = explode(" ", "localid_type uniqid"); + $reqdfieldsn = array(gettext("Local network type"), gettext("Unique Identifier")); if (!isset($pconfig['mobile'])){ $reqdfields[] = "remoteid_type"; $reqdfieldsn[] = gettext("Remote network type"); 
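Review bot: Dropping `$a_phase2[$_GET['p2index']]` from the condition is consistent with the loop now matching on `uniqid`, but the `foreach ($a_phase2 ...)` runs whenever the phase1 entry exists, including when `$a_phase2` is not an array; `if ($a_phase1[$_GET['p1index']] && is_array($a_phase2)) {` keeps the warning away. The delete remains driven by `$_GET`, which is the existing shape of this page rather than something this change introduced, but a comment saying the index is a uniqid rather than an array offset would explain why the second check was removed. The loop body continues past the hunk.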
@@ -254,7 +254,17 @@ if ($_POST) { if (!count($ealgos)) { $input_errors[] = gettext("At least one encryption algorithm must be selected."); + } else { + if (empty($pconfig['halgos'])) { + foreach ($ealgos as $ealgo) { + if (!strpos($ealgo['name'], "gcm")) { + $input_errors[] = gettext("At least one hashing algorithm needs to be selected."); + break; + } + } + } } + } if (($_POST['lifetime'] && !is_numeric($_POST['lifetime']))) { $input_errors[] = gettext("The P2 lifetime must be an integer."); @@ -277,7 +287,10 @@ if ($_POST) { $ph2ent['protocol'] = $pconfig['proto']; $ph2ent['encryption-algorithm-option'] = $ealgos; - $ph2ent['hash-algorithm-option'] = $pconfig['halgos']; + if (!empty($pconfig['halgos'])) + $ph2ent['hash-algorithm-option'] = $pconfig['halgos']; + else + unset($ph2ent['hash-algorithm-option']); $ph2ent['pfsgroup'] = $pconfig['pfsgroup']; $ph2ent['lifetime'] = $pconfig['lifetime']; $ph2ent['pinghost'] = $pconfig['pinghost']; diff --git a/usr/local/www/widgets/widgets/traffic_graphs.widget.php b/usr/local/www/widgets/widgets/traffic_graphs.widget.php index 2dedc2d..3523bc1 100644 --- a/usr/local/www/widgets/widgets/traffic_graphs.widget.php +++ b/usr/local/www/widgets/widgets/traffic_graphs.widget.php @@ -98,12 +98,6 @@ if (isset($a_config["scale_type"])) { ?> <input type="hidden" id="traffic_graphs-config" name="traffic_graphs-config" value="" /> -<?php - //set variables for traffic graph - $width = "100%"; - $height = "150"; -?> - <div id="traffic_graphs-settings" class="widgetconfigdiv" style="display:none;"> <form action="/widgets/widgets/traffic_graphs.widget.php" method="post" name="iform" id="iform"> <?php foreach ($ifdescrs as $ifname => $ifdescr) { ?> 
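Review bot: `!strpos($ealgo['name'], "gcm")` treats both 'not found' (false) and 'found at offset 0' (0) as not-GCM; `strpos($ealgo['name'], "gcm") === false` states the intent and does not depend on where the algorithm table places the substring. As collapsed on this page, the new side also shows four added `}` after `break;` plus the kept one, which is one closing brace more than the block opens; that may be a rendering artefact, but the brace balance of the `if (!count($ealgos)) { ... } else { ... }` block should be checked. This validation pairs with the -127 hunk that drops `halgos` from the required fields and the -277 hunk that unsets `hash-algorithm-option` when empty; a one-line comment on the `else` branch, `/* GCM ciphers are authenticated, so a hash is only required when a non-GCM cipher is selected */`, would explain the rule to the next reader. The enclosing `if ($_POST)` block continues outside the hunk.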
@@ -173,11 +167,9 @@ foreach ($ifdescrs as $ifname => $ifdescr) { <div style="clear:both;"></div> </div> <div id="<?=$ifname;?>graphdiv" style="display:<?php echo $graphdisplay;?>"> - <object data="graph.php?ifnum=<?=$ifname;?>&ifname=<?=rawurlencode($ifdescr);?>&timeint=<?=$refreshinterval;?>&initdelay=<?=($graphcounter+1) * 2;?>"> + <object data="graph.php?ifnum=<?=$ifname;?>&ifname=<?=rawurlencode($ifdescr);?>&timeint=<?=$refreshinterval;?>&initdelay=<?=($graphcounter+1) * 2;?>" height="100%" width="100%"> <param name="id" value="graph" /> <param name="type" value="image/svg+xml" /> - <param name="width" value="<? echo $width; ?>" /> - <param name="height" value="<? echo $height; ?>" /> <param name="pluginspage" value="http://www.adobe.com/svg/viewer/install/auto" /> </object> </div> diff --git a/usr/local/www/wizards/setup_wizard.xml b/usr/local/www/wizards/setup_wizard.xml index 2556a05..0558250 100644 --- a/usr/local/www/wizards/setup_wizard.xml +++ b/usr/local/www/wizards/setup_wizard.xml 
@@ -53,7 +53,7 @@ <id>2</id> <title>Bling your pfSense with pfSense Gold</title> <disableheader>true</disableheader> - <description>Feel the power of a pfSense Gold subscription. Receive special benefits while supporting ongoing development of the Open Source pfSense project.<br/> <br/> Benefits include access to our AutoConfigBackup secure cloud based backup service for up to 10 hosts, pre-publication access to the updated pfSense: The Definitive Guide book in PDF, fully updated for the pfSense 2.1 release, and a monthly online MeetUp! Video conference to discuss and demonstrate advanced features and architectures using pfSense. <br/> <br/> Go to <a href="https://portal.pfsense.org/gold-subscription.php" target="_blank"> pfSense Gold Subscriptions</a> to sign up now <br/> <br/> </description> + <description>Feel the power of a pfSense Gold subscription. Receive special benefits while supporting ongoing development of the Open Source pfSense project.<br/> <br/> Benefits include access to our AutoConfigBackup secure cloud based backup service for up to 10 hosts, pre-publication access to the updated pfSense: The Definitive Guide book in PDF, fully updated for the pfSense 2.1 release, and a monthly online MeetUp! Video conference to discuss and demonstrate advanced features and architectures using pfSense. <br/> <br/> Go to <a href="https://www.pfsense.org/gold" target="_blank"> pfSense Gold Subscriptions</a> to sign up now <br/> <br/> </description> <fields> <field> <name>Next</name> |