Diffstat (limited to 'etc')
-rw-r--r--etc/inc/auth.inc2
-rw-r--r--etc/inc/config.lib.inc11
-rw-r--r--etc/inc/filter.inc7
-rw-r--r--etc/inc/gwlb.inc36
-rw-r--r--etc/inc/openvpn.inc2
-rw-r--r--etc/inc/priv/user.priv.inc6
-rw-r--r--etc/inc/rrd.inc3
-rw-r--r--etc/inc/services.inc4
-rw-r--r--etc/inc/system.inc4
-rw-r--r--etc/inc/upgrade_config.inc4
-rw-r--r--etc/inc/vpn.inc3
-rwxr-xr-xetc/rc.newwanip3
12 files changed, 70 insertions, 15 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index ec794d0..8dc0fe7 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -367,6 +367,8 @@ function local_user_set(& $user) {
$user_shell = "/usr/local/bin/scponly";
} elseif (userHasPrivilege($user, "user-ssh-tunnel")) {
$user_shell = "/usr/local/sbin/ssh_tunnel_shell";
+ } elseif (userHasPrivilege($user, "user-ipsec-xauth-dialin")) {
+ $user_shell = "/sbin/nologin";
} else {
$user_shell = "/sbin/nologin";
$lock_account = true;
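Review bot: The new `user-ipsec-xauth-dialin` branch assigns the same `/sbin/nologin` shell as the `else` branch and differs only by leaving `$lock_account` unset, which is the real intent but is stated nowhere in the code. A one-line comment above the branch would capture it: `/* xauth dial-in needs a valid, unlocked account to authenticate, but must not get a shell */`. Because this is an `elseif` chain, a user who also holds one of the earlier shell privileges keeps that shell; the privilege description added in user.priv.inc already warns that ssh tunnels may still be possible, so a pointer to that caveat here helps the next reader. local_user_set() starts and ends outside this hunk.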
diff --git a/etc/inc/config.lib.inc b/etc/inc/config.lib.inc
index 1b7766a..859eb8e 100644
--- a/etc/inc/config.lib.inc
+++ b/etc/inc/config.lib.inc
@@ -534,10 +534,17 @@ function write_config($desc="Unknown", $backup = true) {
/* NOTE: We assume that the file can be parsed since we wrote it. */
$config = parse_xml_config("{$g['conf_path']}/config.xml", $g['xml_rootobj']);
if ($config == -1) {
+ copy("{$g['conf_path']}/config.xml", "{$g['conf_path']}/config.xml.bad");
$last_backup = discover_last_backup();
- if ($last_backup)
+ if ($last_backup) {
restore_backup("/cf/conf/backup/{$last_backup}");
- else
+ $config = parse_xml_config("{$g['conf_path']}/config.xml", $g['xml_rootobj']);
+ if ($g['booting']) {
+ echo "\n\n ************** WARNING **************";
+ echo "\n\n Configuration could not be validated. A previous configuration was restored. \n";
+ echo "\n The failed configuration file has been saved as {$g['conf_path']}/config.xml.bad} \n\n";
+ }
+ } else
log_error(gettext("Could not restore config.xml."));
} else
generate_config_cache($config);
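Review bot: The third added `echo` has a stray `}` after `config.xml.bad`, so the printed path is wrong; it should read `echo "\n The failed configuration file has been saved as {$g['conf_path']}/config.xml.bad \n\n";`. The re-parse after `restore_backup()` is never checked: if the restored backup fails to parse as well, `$config` stays `-1` and execution continues past the block as if the restore had succeeded, so a second `if ($config == -1) log_error(gettext("Restored config.xml could not be parsed."));` (or a fall-through into the existing error path) is needed. The return value of `copy()` is ignored too, so the warning may announce a `.bad` file that was never written. Presumably `generate_config_cache()` should also run on the restored config, since the outer `else` only covers the first parse — confirm. write_config() continues outside this hunk.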
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 0424748..6ba15e7 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1063,6 +1063,7 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_
$toadd_array = array_merge($toadd_array, range($loc_pt[0], $loc_pt[0] + $delta));
if(!empty($toadd_array)) {
+ $target = explode(" ", trim($target));
foreach($toadd_array as $tda) {
if (empty($tda))
continue;
@@ -1074,7 +1075,6 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_
$socktype = "stream";
$dash_u = "";
}
- $target = explode(" ", trim($target));
foreach ($target as $targip) {
if (empty($targip))
continue;
@@ -2419,7 +2419,7 @@ EOD;
}
}
/* PPTPd enabled? */
- if($pptpdcfg['mode'] && ($pptpdcfg['mode'] != "off")) {
+ if($pptpdcfg['mode'] && ($pptpdcfg['mode'] != "off") && !isset($config['system']['disablevpnrules'])) {
if($pptpdcfg['mode'] == "server")
$pptpdtarget = get_interface_ip();
else
@@ -2870,6 +2870,9 @@ function filter_generate_ipsec_rules() {
echo "filter_generate_ipsec_rules() being called $mt\n";
}
+ if (isset($config['system']['disablevpnrules']))
+ return "\n# VPN Rules not added disabled in System->Advanced.\n";
+
$ipfrules = "\n# VPN Rules\n";
/* Is IP Compression enabled? */
if(isset($config['ipsec']['ipcomp']))
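Review bot: The early-return comment reads as a run-on in the generated ruleset; `return "\n# VPN Rules not added, disabled in System->Advanced.\n";` is clearer. The same `disablevpnrules` setting is checked inline in the PPTP hunk (`@@ -2419`), so the two sites now have to be kept in sync; a small helper such as `vpn_rules_disabled()` returning `isset($config['system']['disablevpnrules'])` would keep the setting name in one place. Both checks rely on `$config` being declared global inside their functions — the declaration is outside the hunk, so confirm it. filter_generate_ipsec_rules() continues outside this hunk.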
diff --git a/etc/inc/gwlb.inc b/etc/inc/gwlb.inc
index cc9aa74..f7cd6ab 100644
--- a/etc/inc/gwlb.inc
+++ b/etc/inc/gwlb.inc
@@ -372,6 +372,40 @@ function return_gateway_groups_array() {
$gateways_arr = return_gateways_array();
$gateway_groups_array = array();
+ /*
+ * NOTE: The code below is meant to replace the default gateway when it goes down.
+ * This facilitates services running on pfSense itself and are not handled by a PBR to continue working.
+ */
+ $upgw = "";
+ $dfltgwdown = false;
+ $dfltgwfound = false;
+ foreach ($gateways_arr as $gwname => $gwsttng) {
+ if (isset($gwsttng['defaultgw'])) {
+ $dfltgwfound = true;
+ if (stristr($gateways_status[$gwname]['status'], "down"))
+ $dfltgwdown = true;
+ }
+ /* Keep a record of the last up gateway */
+ if (empty($upgw) && !stristr($gateways_status[$gwname]['status'], "down"))
+ $upgw = $gwname;
+ if ($dfltgwdown == true && !empty($upgw))
+ break;
+ }
+ if ($dfltgwfound == false) {
+ $gwname = convert_friendly_interface_to_friendly_descr("wan");
+ if (stristr($gateways_status[$gwname]['status'], "down"))
+ $dfltgwdown = true;
+ }
+ if ($dfltgwdown == true && !empty($upgw)) {
+ if ($gateways_arr[$upgw]['gateway'] == "dynamic")
+ $gateways_arr[$upgw]['gateway'] = get_interface_gateway($gateways_arr[$upgw]['friendlyiface']);
+ if (is_ipaddr($gateways_arr[$upgw]['gateway'])) {
+ log_error("Default gateway down setting {$upgw} as default!");
+ mwexec("/sbin/route delete -inet default; /sbin/route add -inet default {$gateways_arr[$upgw]['gateway']}");
+ }
+ }
+ unset($upgw, $dfltgwfound, $dfltgwdown, $gwname, $gwsttng);
+
if (is_array($config['gateways']['gateway_group'])) {
foreach($config['gateways']['gateway_group'] as $group) {
/* create array with group gateways members seperated by tier */
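Review bot: The new block puts a system side effect — rewriting the default route via `mwexec()` — inside `return_gateway_groups_array()`, a function whose name promises a read-only result and which is reached from many code paths, so the route can be re-pointed by any caller with no single place to reason about or log it; extracting the block into its own function (for example `gateways_fallback_default_route()`) and calling it from here would keep the getter pure and make the behaviour testable on its own. Nothing in the hunk restores the configured default gateway once it is back up, so presumably a later reload does that — confirm. When no gateway carries `defaultgw`, `$gwname` comes from `convert_friendly_interface_to_friendly_descr("wan")`, which by its name yields a description rather than a gateway key, so the `$gateways_status[$gwname]` lookup may never match — verify against that helper. The interpolation of the chosen gateway into the `route` command is guarded by `is_ipaddr()` on the preceding line, which is the right check and should stay; `$dfltgwdown == true` can simply be `$dfltgwdown`. The enclosing function continues outside this hunk.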
@@ -390,7 +424,7 @@ function return_gateway_groups_array() {
$status = $gateways_status[$gwname];
$gwdown = false;
if (stristr($status['status'], "down")) {
- $msg = "MONITOR: {$gwname} has high latency, removing from routing group";
+ $msg = "MONITOR: {$gwname} is down, removing from routing group";
$gwdown = true;
} else if (stristr($status['status'], "loss") && strstr($group['trigger'], "loss")) {
/* packet loss */
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index df531c7..56f6cf5 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -382,13 +382,13 @@ function openvpn_reconfigure($mode, $settings) {
// configure p2p/server modes
switch($settings['mode']) {
- case 'p2p_tls':
case 'p2p_shared_key':
$baselong = ip2long32($ip) & ip2long($mask);
$ip1 = long2ip32($baselong + 1);
$ip2 = long2ip32($baselong + 2);
$conf .= "ifconfig $ip1 $ip2\n";
break;
+ case 'p2p_tls':
case 'server_tls':
case 'server_user':
case 'server_tls_user':
diff --git a/etc/inc/priv/user.priv.inc b/etc/inc/priv/user.priv.inc
index 779f2bb..bfc7f59 100644
--- a/etc/inc/priv/user.priv.inc
+++ b/etc/inc/priv/user.priv.inc
@@ -21,6 +21,12 @@ $priv_list['user-ssh-tunnel']['descr'] = "Indicates whether the user is able to
"Note: User - System - Copy files conflicts with ".
"this privilege.";
+$priv_list['user-ipsec-xauth-dialin'] = array();
+$priv_list['user-ipsec-xauth-dialin']['name'] = "User - VPN - IPsec xauth Dialin";
+$priv_list['user-ipsec-xauth-dialin']['descr'] = "Indicates whether the user is allowed to dial in via IPsec xauth ".
+ "(Note: Does not allow shell access, but may allow ".
+ "the user to create ssh tunnels)";
+
$priv_list['user-l2tp-dialin'] = array();
$priv_list['user-l2tp-dialin']['name'] = "User - VPN - L2TP Dialin";
$priv_list['user-l2tp-dialin']['descr'] = "Indicates whether the user is allowed to dial in via L2TP";
diff --git a/etc/inc/rrd.inc b/etc/inc/rrd.inc
index 2951450..529080c 100644
--- a/etc/inc/rrd.inc
+++ b/etc/inc/rrd.inc
@@ -813,9 +813,8 @@ function enable_rrd_graphing() {
}
function kill_traffic_collector() {
- mwexec("killall top", true);
mwexec("killall rrdtool", true);
- mwexec("/bin/pkill -f updaterrd.sh", true);
+ mwexec("/bin/pkill -a -f updaterrd.sh", true);
}
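Review bot: On FreeBSD, `pkill -a` includes pkill's own ancestors in the match set, and `mwexec()` runs the command through a shell whose command line also contains `updaterrd.sh`, so that wrapper shell matches itself and is signalled along with the collector — presumably harmless since pkill is its last command, but it is non-obvious enough to deserve a comment such as `/* -a: also match ancestor processes; confirm the invoking process never has updaterrd.sh on its command line */`. If the flag is meant to catch the script only when it was started under a wrapper shell, say so in the comment so the next maintainer does not drop it as a typo.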
?>
diff --git a/etc/inc/services.inc b/etc/inc/services.inc
index a76496a..c7421d4 100644
--- a/etc/inc/services.inc
+++ b/etc/inc/services.inc
@@ -770,14 +770,14 @@ EOD;
function services_igmpproxy_configure() {
global $config, $g;
- $iflist = get_configured_interface_list();
-
/* kill any running igmpproxy */
killbyname("igmpproxy");
if (!is_array($config['igmpproxy']['igmpentry']))
return 1;
+ $iflist = get_configured_interface_list();
+
$igmpconf = <<<EOD
##------------------------------------------------------
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index f478189..e522ec1 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -1261,11 +1261,11 @@ function system_ntp_configure() {
$ips = array_map('find_interface_ip', $ifaces);
foreach ($ips as $ip) {
if (is_ipaddr($ip))
- $ntpdcfg .= "listen on $ip\n";
+ $ntpcfg .= "listen on $ip\n";
}
}
}
- $ntpdcfg .= "\n";
+ $ntpcfg .= "\n";
/* open configuration for wrting or bail */
$fd = fopen("{$g['varetc_path']}/ntpd.conf","w");
diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc
index 2ffa7ed..5104940 100644
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
@@ -1470,12 +1470,12 @@ function upgrade_051_to_052() {
$server['caref'] = $ca['refid'];
/* create a crl entry if needed */
- if (!empty($server['crl'])) {
+ if (!empty($server['crl'][0])) {
$crl = array();
$crl['refid'] = uniqid();
$crl['descr'] = "Imported OpenVPN CRL #{$index}";
$crl['caref'] = $ca['refid'];
- $crl['text'] = $server['crl'];
+ $crl['text'] = $server['crl'][0];
if(!is_array($config['crl']))
$config['crl'] = array();
$config['crl'][] = $crl;
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 6a179c6..37f791a 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -926,7 +926,8 @@ EOD;
mwexec("/usr/local/sbin/setkey -F", false);
sleep("0.1");
/* start racoon */
- mwexec("/usr/local/sbin/racoon -f {$g['varetc_path']}/racoon.conf", false);
+ $ipsecdebug = isset($config['ipsec']['racoondebug']) ? "-d -v" : "";
+ mwexec("/usr/local/sbin/racoon {$ipsecdebug} -f {$g['varetc_path']}/racoon.conf", false);
sleep("0.1");
/* load SPD */
mwexec("/usr/local/sbin/setkey -f {$g['varetc_path']}/spd.conf", false);
diff --git a/etc/rc.newwanip b/etc/rc.newwanip
index f4e59c7..654d0dd 100755
--- a/etc/rc.newwanip
+++ b/etc/rc.newwanip
@@ -138,6 +138,9 @@ if (substr($interface_real, 0, 4) != "ovpn")
/* reload graphing functions */
enable_rrd_graphing();
+/* reload igmpproxy */
+services_igmpproxy_configure();
+
restart_packages();
?>
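Review bot: `services_igmpproxy_configure()` now runs on every new WAN IP, and per the services.inc hunk it kills the running igmpproxy before checking whether any `igmpentry` is configured, so the daemon is restarted on any address change even when the changed interface is not one igmpproxy uses — presumably acceptable, but a brief multicast outage per event is the cost. A guard such as `if (is_array($config['igmpproxy']['igmpentry']))` around the call, or a comment stating that the restart is deliberate, would make the trade-off explicit. The surrounding `if (substr($interface_real, 0, 4) != "ovpn")` block starts outside this hunk.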