diff options
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/inc/authgui.inc | 3 | ||||
| -rw-r--r-- | etc/inc/certs.inc | 18 | ||||
| -rw-r--r-- | etc/inc/filter.inc | 35 | ||||
| -rw-r--r-- | etc/inc/interfaces.inc | 28 | ||||
| -rw-r--r-- | etc/inc/openvpn.inc | 1 | ||||
| -rw-r--r-- | etc/inc/vpn.inc | 4 | ||||
| -rw-r--r-- | etc/inc/vslb.inc | 108 | ||||
| -rw-r--r-- | etc/version | 2 |
8 files changed, 119 insertions, 80 deletions
diff --git a/etc/inc/authgui.inc b/etc/inc/authgui.inc index 650c7b9..070c0c2 100644 --- a/etc/inc/authgui.inc +++ b/etc/inc/authgui.inc @@ -232,8 +232,9 @@ if($config['virtualip']) { $nifty_background = "#999"; print_info_box(gettext("You are accessing this router by an IP address not configured locally, which may be forwarded by NAT or other means. <br/><br/>If you did not setup this forwarding, you may be the target of a man-in-the-middle attack.")); } + $noautocomplete = isset($config['system']['webgui']['noautocomplete']) ? 'autocomplete="off"' : ''; ?> - <form id="iform" name="login_iform" method="post" action="<?=$_SERVER['SCRIPT_NAME'];?>"> + <form id="iform" name="login_iform" method="post" <?= $noautocomplete ?> action="<?=$_SERVER['SCRIPT_NAME'];?>"> <h1></h1> <div id="inputerrors"><?=$_SESSION['Login_Error'];?></div> <p> diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc index 2b192c1..357ac05 100644 --- a/etc/inc/certs.inc +++ b/etc/inc/certs.inc @@ -479,14 +479,16 @@ function crl_update(& $crl) { if (!$ca) return false; // If we have text but no certs, it was imported and cannot be updated. - if (!empty($crl['text']) && empty($crl['cert'])) + if (($crl["method"] != "internal") && (!empty($crl['text']) && empty($crl['cert']))) return false; $crl['serial']++; $ca_str_crt = base64_decode($ca['crt']); $ca_str_key = base64_decode($ca['prv']); $crl_res = openssl_crl_new($ca_str_crt, $crl['serial'], $crl['lifetime']); - foreach ($crl['cert'] as $cert) { - openssl_crl_revoke_cert($crl_res, base64_decode($cert["crt"]), $cert["revoke_time"], $cert["reason"]); + if (is_array($crl['cert']) && (count($crl['cert']) > 0)) { + foreach ($crl['cert'] as $cert) { + openssl_crl_revoke_cert($crl_res, base64_decode($cert["crt"]), $cert["revoke_time"], $cert["reason"]); + } } openssl_crl_export($crl_res, $crl_text, $ca_str_key); $crl['text'] = base64_encode($crl_text); @@ -514,7 +516,13 @@ function cert_unrevoke($cert, & $crl) { foreach ($crl['cert'] as $id => $rcert) { if (($rcert['refid'] == $cert['refid']) || ($rcert['descr'] == $cert['descr'])) { unset($crl['cert'][$id]); - crl_update($crl); + if (count($crl['cert']) == 0) { + // Protect against accidentally switching the type to imported, for older CRLs + if (!isset($crl['method'])) + $crl['method'] = "internal"; + crl_update($crl); + } else + crl_update($crl); return true; } } @@ -564,7 +572,7 @@ function crl_in_use($crlref) { } function is_crl_internal($crl) { - return !(!empty($crl['text']) && empty($crl['cert'])); + return (!(!empty($crl['text']) && empty($crl['cert'])) || ($crl["method"] == "internal")); } ?> diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 2c8b19c..2404a23 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -1568,14 +1568,6 @@ function filter_nat_rules_generate() { } } fclose($inetd_fd); // Close file handle - // Check if inetd is running, if not start it. If so, restart it gracefully. - $helpers = isvalidproc("inetd"); - if(file_exists("/var/etc/inetd.conf")) { - if(!$helpers) - mwexec("/usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.conf"); - else - sigkillbypid("/var/run/inetd.pid", "HUP"); - } if (isset($config['pptpd']['mode']) && ($config['pptpd']['mode'] != "off")) { if ($config['pptpd']['mode'] == "redir") { @@ -1595,6 +1587,15 @@ function filter_nat_rules_generate() { if(!empty($reflection_txt)) $natrules .= "\n# Reflection redirects and NAT for 1:1 mappings\n" . $reflection_txt; + // Check if inetd is running, if not start it. If so, restart it gracefully. + $helpers = isvalidproc("inetd"); + if(file_exists("/var/etc/inetd.conf")) { + if(!$helpers) + mwexec("/usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.conf"); + else + sigkillbypid("/var/run/inetd.pid", "HUP"); + } + return $natrules; } @@ -2945,32 +2946,32 @@ function filter_generate_ipsec_rules() { } /* Add rules to allow IKE to pass */ - $shorttunneldescr = substr($descr, 0, 36); + $shorttunneldescr = substr($descr, 0, 35); $ipfrules .= <<<EOD -pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 500 keep state label \"IPsec: {$shorttunneldescr} - outbound isakmp\" -pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 500 keep state label \"IPsec: {$shorttunneldescr} - inbound isakmp\" +pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 500 keep state label "IPsec: {$shorttunneldescr} - outbound isakmp" +pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 500 keep state label "IPsec: {$shorttunneldescr} - inbound isakmp" EOD; /* If NAT-T is enabled, add additional rules */ if($ph1ent['nat_traversal'] != "off" ) { $ipfrules .= <<<EOD -pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 4500 keep state label \"IPsec: {$shorttunneldescr} - outbound nat-t\" -pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 4500 keep state label \"IPsec: {$shorttunneldescr} - inbound nat-t\" +pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 4500 keep state label "IPsec: {$shorttunneldescr} - outbound nat-t" +pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 4500 keep state label "IPsec: {$shorttunneldescr} - inbound nat-t" EOD; } /* Add rules to allow the protocols in use */ if($prot_used_esp == true) { $ipfrules .= <<<EOD -pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto esp from any to {$rgip} keep state label \"IPsec: {$shorttunneldescr} - outbound esp proto\" -pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto esp from {$rgip} to any keep state label \"IPsec: {$shorttunneldescr} - inbound esp proto\" +pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto esp from any to {$rgip} keep state label "IPsec: {$shorttunneldescr} - outbound esp proto" +pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto esp from {$rgip} to any keep state label "IPsec: {$shorttunneldescr} - inbound esp proto" EOD; } if($prot_used_ah == true) { $ipfrules .= <<<EOD -pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto ah from any to {$rgip} keep state label \"IPsec: {$shorttunneldescr} - outbound ah proto\" -pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto ah from {$rgip} to any keep state label \"IPsec: {$shorttunneldescr} - inbound ah proto\" +pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto ah from any to {$rgip} keep state label "IPsec: {$shorttunneldescr} - outbound ah proto" +pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto ah from {$rgip} to any keep state label "IPsec: {$shorttunneldescr} - inbound ah proto" EOD; } diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc index b3fd6db..015f0eb 100644 --- a/etc/inc/interfaces.inc +++ b/etc/inc/interfaces.inc @@ -417,6 +417,8 @@ function interface_bridge_configure(&$bridge) { $realif = get_real_interface($member); $opts = pfSense_get_interface_addresses($realif); $mtu = $opts['mtu']; + if (substr($realif, 0, 3) == "gif" && $mtu < 1500) + continue; if (!isset($opts['encaps']['txcsum'])) $commontx = false; if (!isset($opts['encaps']['rxcsum'])) @@ -2627,6 +2629,11 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven } if (!empty($wancfg['mtu'])) pfSense_interface_mtu($realhwif, $wancfg['mtu']); + else { + $mtu = get_interface_default_mtu(remove_numbers($realhwif)); + if ($mtu != get_interface_mtu($realhwif)) + pfSense_interface_mtu($realhwif, $mtu); + } $options = pfSense_get_interface_addresses($realhwif); if (is_array($options) && isset($options['caps']['polling'])) { @@ -3962,6 +3969,27 @@ EOD; unlink_if_exists($cron_file); } +function get_interface_default_mtu($type = "ethernet") { + switch ($type) { + case "gre": + return 1476; + break; + case "gif": + return 1280; + break; + case "tun": + case "vlan": + case "tap": + case "ethernet": + default: + return 1500; + break; + } + + /* Never reached */ + return 1500; +} + function get_vip_descr($ipaddress) { global $config; diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc index acb3d58..87d64ce 100644 --- a/etc/inc/openvpn.inc +++ b/etc/inc/openvpn.inc @@ -974,6 +974,7 @@ function openvpn_refresh_crls() { case 'server_user': if (!empty($settings['crlref'])) { $crl = lookup_crl($settings['crlref']); + crl_update($crl); $fpath = $g['varetc_path']."/openvpn/server{$settings['vpnid']}.crl-verify"; file_put_contents($fpath, base64_decode($crl['text'])); @chmod($fpath, 0644); diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index f34cf0f..24e5956 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -502,9 +502,9 @@ function vpn_ipsec_configure($ipchg = false) $passive = ""; if (isset($ph1ent['mobile'])) { $rgip = "anonymous"; + $passive = "passive on;"; /* Mimic 1.2.3's behavior for pure-psk mobile tunnels */ if ($ph1ent['authentication_method'] == "pre_shared_key") { - $passive = "passive on;"; $pcheck = !empty($ph1ent['proposal_check']) ? $ph1ent['proposal_check'] : $pcheck = "obey"; $genp = "on"; } else { @@ -892,7 +892,7 @@ EOD; if(is_ipaddr($gatewayip)) { /* FIXME: does adding route-to and reply-to on the in/outbound * rules fix this? smos@ 13-01-2009 */ - log_error("IPSEC interface is not WAN but {$parentinterface}, adding static route for VPN endpoint {$rgip} via {$gatewayip}"); + // log_error("IPSEC interface is not WAN but {$parentinterface}, adding static route for VPN endpoint {$rgip} via {$gatewayip}"); mwexec("/sbin/route delete -host {$rgip}"); mwexec("/sbin/route add -host {$rgip} {$gatewayip}"); } diff --git a/etc/inc/vslb.inc b/etc/inc/vslb.inc index 79978c0..980bcd0 100644 --- a/etc/inc/vslb.inc +++ b/etc/inc/vslb.inc @@ -202,6 +202,7 @@ function relayd_configure() { /* reindex pools by name as we loop through the pools array */ $pools = array(); $conf .= "log updates \n"; + $conf .= "timeout 1000 \n"; /* Virtual server pools */ if(is_array($pool_a)) { for ($i = 0; isset($pool_a[$i]); $i++) { @@ -233,62 +234,61 @@ function relayd_configure() { $conf .= $proto; } } - if(is_array($vs_a)) { - for ($i = 0; isset($vs_a[$i]); $i++) { - switch($vs_a[$i]['mode']) { - case 'redirect_mode': { - $conf .= "redirect \"{$vs_a[$i]['name']}\" {\n"; - $conf .= " listen on {$vs_a[$i]['ipaddr']} port {$vs_a[$i]['port']}\n"; - $conf .= " forward to <{$vs_a[$i]['pool']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} timeout 1000\n"; - - if (isset($conf['system']['lb_use_sticky'])) - $conf .= " sticky-address\n"; - - # sitedown MUST use the same port as the primary pool - sucks, but it's a relayd thing - if (isset($vs_a[$i]['sitedown']) && strlen($vs_a[$i]['sitedown']) > 0) - $conf .= " forward to <{$vs_a[$i]['sitedown']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} timeout 1000\n"; - - $conf .= "}\n"; - break; - } - case 'relay': { - $conf .= "relay \"{$vs_a[$i]['name']}\" {\n"; - $conf .= " listen on {$vs_a[$i]['ipaddr']} port {$vs_a[$i]['port']}\n"; - $conf .= " protocol \"{$vs_a[$i]['relay_protocol']}\"\n"; - $conf .= " forward to <{$vs_a[$i]['pool']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} timeout 1000\n"; - - if (isset($vs_a[$i]['sitedown']) && strlen($vs_a[$i]['sitedown']) > 0) - $conf .= " forward to <{$vs_a[$i]['sitedown']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} timeout 1000\n"; - $conf .= "}\n"; - break; - } - } - } - } - fwrite($fd, $conf); - fclose($fd); - - if (is_process_running('relayd')) { - if (! empty($vs_a)) { - // it's running and there is a config, just reload - mwexec("/usr/local/sbin/relayctl reload"); + if(is_array($vs_a)) { + for ($i = 0; isset($vs_a[$i]); $i++) { + switch($vs_a[$i]['mode']) { + case 'redirect_mode': { + $conf .= "redirect \"{$vs_a[$i]['name']}\" {\n"; + $conf .= " listen on {$vs_a[$i]['ipaddr']} port {$vs_a[$i]['port']}\n"; + $conf .= " forward to <{$vs_a[$i]['pool']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} \n"; + + if (isset($config['system']['lb_use_sticky'])) + $conf .= " sticky-address\n"; + + # sitedown MUST use the same port as the primary pool - sucks, but it's a relayd thing + if (isset($vs_a[$i]['sitedown']) && strlen($vs_a[$i]['sitedown']) > 0) + $conf .= " forward to <{$vs_a[$i]['sitedown']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} \n"; + + $conf .= "}\n"; + break; + } + case 'relay': { + $conf .= "relay \"{$vs_a[$i]['name']}\" {\n"; + $conf .= " listen on {$vs_a[$i]['ipaddr']} port {$vs_a[$i]['port']}\n"; + $conf .= " protocol \"{$vs_a[$i]['relay_protocol']}\"\n"; + $conf .= " forward to <{$vs_a[$i]['pool']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} \n"; + + if (isset($vs_a[$i]['sitedown']) && strlen($vs_a[$i]['sitedown']) > 0) + $conf .= " forward to <{$vs_a[$i]['sitedown']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} \n"; + $conf .= "}\n"; + break; + } + } + } + } + fwrite($fd, $conf); + fclose($fd); + + if (is_process_running('relayd')) { + if (! empty($vs_a)) { + // it's running and there is a config, just reload + mwexec("/usr/local/sbin/relayctl reload"); + } else { + /* + * XXX: Something breaks our control connection with relayd + * and makes 'relayctl stop' not work + * rule reloads are the current suspect + * mwexec('/usr/local/sbin/relayctl stop'); + * returns "command failed" + */ + mwexec('pkill relayd'); + } } else { - /* - * XXX: Something breaks our control connection with relayd - * and makes 'relayctl stop' not work - * rule reloads are the current suspect - * mwexec('/usr/local/sbin/relayctl stop'); - * returns "command failed" - */ - mwexec('pkill relayd'); + if (! empty($vs_a)) { + // not running and there is a config, start it + mwexec("/usr/local/sbin/relayd -f {$g['varetc_path']}/relayd.conf"); + } } - } else { - if (count($vs_a) > 0) { - // not running and there is a config, start it - mwexec("/usr/local/sbin/relayd -f {$g['varetc_path']}/relayd.conf"); - } - } - } function get_lb_redirects() { diff --git a/etc/version b/etc/version index e252e34..5134f7e 100644 --- a/etc/version +++ b/etc/version @@ -1 +1 @@ -2.0-RC1-IPv6 +2.0-RC2-IPv6 |
