Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/captiveportal.inc | 28 | ||||
-rw-r--r-- | etc/inc/certs.inc | 37 | ||||
-rw-r--r-- | etc/inc/config.console.inc | 15 | ||||
-rw-r--r-- | etc/inc/filter.inc | 28 | ||||
-rw-r--r-- | etc/inc/globals.inc | 7 | ||||
-rw-r--r-- | etc/inc/gwlb.inc | 6 | ||||
-rw-r--r-- | etc/inc/interfaces.inc | 107 | ||||
-rwxr-xr-x | etc/inc/ipsec.auth-user.php | 2 | ||||
-rw-r--r-- | etc/inc/ipsec.inc | 6 | ||||
-rw-r--r-- | etc/inc/pfsense-utils.inc | 16 | ||||
-rw-r--r-- | etc/inc/services.inc | 14 | ||||
-rw-r--r-- | etc/inc/shaper.inc | 6 | ||||
-rw-r--r-- | etc/inc/system.inc | 90 | ||||
-rw-r--r-- | etc/inc/vpn.inc | 5 | ||||
-rw-r--r-- | etc/inc/zeromq.inc | 2 | ||||
-rw-r--r-- | etc/phpshellsessions/enablecarp | 2 | ||||
-rw-r--r-- | etc/phpshellsessions/generateguicert | 8 | ||||
-rwxr-xr-x | etc/rc.bootup | 1 | ||||
-rwxr-xr-x | etc/rc.initial | 22 | ||||
-rwxr-xr-x | etc/rc.initial.firmware_update | 9 | ||||
-rwxr-xr-x | etc/rc.php-fpm_restart | 11 | ||||
-rwxr-xr-x | etc/rc.update_bogons.sh | 8 | ||||
-rw-r--r-- | etc/skel/dot.tcshrc | 2 |
23 files changed, 274 insertions, 158 deletions
diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc index 000db23..a5029a5 100644 --- a/etc/inc/captiveportal.inc +++ b/etc/inc/captiveportal.inc @@ -937,7 +937,7 @@ function captiveportal_radius_stop_all() { } } -function captiveportal_passthrumac_configure_entry($macent) { +function captiveportal_passthrumac_configure_entry($macent, $pipeinrule = false) { global $config, $g, $cpzone; $bwUp = 0; @@ -954,14 +954,22 @@ function captiveportal_passthrumac_configure_entry($macent) { $ruleno = captiveportal_get_next_ipfw_ruleno(); if ($macent['action'] == 'pass') { + $rules = ""; $pipeno = captiveportal_get_next_dn_ruleno(); $pipeup = $pipeno; - $_gb = @pfSense_pipe_action("pipe {$pipeno} config bw {$bwUp}Kbit/s queue 100 buckets 16"); + if ($pipeinrule == true) + $_gb = @pfSense_pipe_action("pipe {$pipeno} config bw {$bwUp}Kbit/s queue 100 buckets 16"); + else + $rules .= "pipe {$pipeno} config bw {$bwUp}Kbit/s queue 100 buckets 16\n"; + $pipedown = $pipeno + 1; - $_gb = @pfSense_pipe_action("pipe {$pipedown} config bw {$bwDown}Kbit/s queue 100 buckets 16"); + if ($pipeinrule == true) + $_gb = @pfSense_pipe_action("pipe {$pipedown} config bw {$bwDown}Kbit/s queue 100 buckets 16"); + else + $rules .= "pipe {$pipedown} config bw {$bwDown}Kbit/s queue 100 buckets 16\n"; - $rules = "add {$ruleno} pipe {$pipeup} ip from any to any MAC any {$macent['mac']}\n"; + $rules .= "add {$ruleno} pipe {$pipeup} ip from any to any MAC any {$macent['mac']}\n"; $ruleno++; $rules .= "add {$ruleno} pipe {$pipedown} ip from any to any MAC {$macent['mac']} any\n"; } 
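Review bot: The new `$pipeinrule` parameter reads inverted in the `-954` hunk: when it is true the pipes are created immediately through `pfSense_pipe_action()`, and only when it is false are the `pipe N config` lines placed in the returned `$rules`. A name such as `$pipe_apply_now`, or a header comment like `/* $pipeinrule: true = create the dummynet pipes now via pfSense_pipe_action(); false = emit the pipe config lines into the returned rule text */`, would make the caller hunk at `-1000` readable, where `true` is passed once more than 100 entries exist and that `100` also deserves a named constant or a comment explaining the threshold. The `@` in front of `pfSense_pipe_action()` hides a failed pipe creation while the rule referencing that pipe is still emitted, so at least log the failed call. `captiveportal_passthrumac_configure_entry()` continues outside the hunk.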
@@ -1000,9 +1008,15 @@ function captiveportal_passthrumac_configure($lock = false) { $rules = ""; - if (is_array($config['captiveportal'][$cpzone]['passthrumac'])) - foreach ($config['captiveportal'][$cpzone]['passthrumac'] as $macent) - $rules .= captiveportal_passthrumac_configure_entry($macent); + if (is_array($config['captiveportal'][$cpzone]['passthrumac'])) { + $nentries = count($config['captiveportal'][$cpzone]['passthrumac']); + foreach ($config['captiveportal'][$cpzone]['passthrumac'] as $macent) { + if ($nentries > 100) + $rules .= captiveportal_passthrumac_configure_entry($macent, true); + else + $rules .= captiveportal_passthrumac_configure_entry($macent); + } + } return $rules; } diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc index 8df3e5d..bf9f899 100644 --- a/etc/inc/certs.inc +++ b/etc/inc/certs.inc @@ -270,22 +270,28 @@ function cert_import(& $cert, $crt_str, $key_str) { function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $digest_alg = "sha256") { - $ca =& lookup_ca($caref); - if (!$ca) - return false; + $cert['type'] = $type; - $ca_str_crt = base64_decode($ca['crt']); - $ca_str_key = base64_decode($ca['prv']); - $ca_res_crt = openssl_x509_read($ca_str_crt); - $ca_res_key = openssl_pkey_get_private(array(0 => $ca_str_key, 1 => "")); - if(!$ca_res_key) return false; - $ca_serial = ++$ca['serial']; + if ($type != "self-signed") { + $cert['caref'] = $caref; + $ca =& lookup_ca($caref); + if (!$ca) + return false; + + $ca_str_crt = base64_decode($ca['crt']); + $ca_str_key = base64_decode($ca['prv']); + $ca_res_crt = openssl_x509_read($ca_str_crt); + $ca_res_key = openssl_pkey_get_private(array(0 => $ca_str_key, 1 => "")); + if(!$ca_res_key) return false; + $ca_serial = ++$ca['serial']; + } switch ($type) { case "ca": $cert_type = "v3_ca"; break; case "server": + case "self-signed": $cert_type = "server"; break; default: 
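Review bot: `$cert['type']` and `$cert['caref']` are now written at the top of `cert_create()` (hunk `-270`), before the `lookup_ca()` and `openssl_pkey_get_private()` failure returns, so a failed call leaves the by-reference `$cert` partially populated where it used to stay untouched until success. Callers that inspect `$cert['type']` or `$cert['caref']` to decide whether a certificate exists may be misled; either assign these at the end as the removed lines in hunk `-327` did, or state in the function's header comment that `$cert` is modified even on failure. The function continues outside the hunk.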
@@ -312,11 +318,20 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $di $res_key = openssl_pkey_new($args); if(!$res_key) return false; + // If this is a self-signed cert, blank out the CA and sign with the cert's key + if ($type == "self-signed") { + $ca = null; + $ca_res_crt = null; + $ca_res_key = $res_key; + $ca_serial = 0; + $cert['type'] = "server"; + } + // generate a certificate signing request $res_csr = openssl_csr_new($dn, $res_key, $args); if(!$res_csr) return false; - // self sign the certificate + // sign the certificate using an internal CA $res_crt = openssl_csr_sign($res_csr, $ca_res_crt, $ca_res_key, $lifetime, $args, $ca_serial); if(!$res_crt) return false; @@ -327,10 +342,8 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $di return false; // return our certificate information - $cert['caref'] = $caref; $cert['crt'] = base64_encode($str_crt); $cert['prv'] = base64_encode($str_key); - $cert['type'] = $type; return true; } diff --git a/etc/inc/config.console.inc b/etc/inc/config.console.inc index 2d15dc2..6c956fb 100644 --- a/etc/inc/config.console.inc +++ b/etc/inc/config.console.inc @@ -191,13 +191,6 @@ EOD; echo <<<EOD -*NOTE* {$g['product_name']} requires {$g['minimum_nic_count_text']} assigned interface(s) to function. - If you do not have {$g['minimum_nic_count_text']} interfaces you CANNOT continue. - - If you do not have at least {$g['minimum_nic_count']} *REAL* network interface card(s) - or one interface with multiple VLANs then {$g['product_name']} - *WILL NOT* function correctly. - If you do not know the names of your interfaces, you may choose to use auto-detection. In that case, disconnect all interfaces now before hitting 'a' to initiate auto detection. 
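Review bot: The self-signed branch in hunk `-312` signs with `$ca_serial = 0`; RFC 5280 §4.1.2.2 requires a positive serial number, and some TLS clients and validators reject or warn on a zero serial. Use a non-zero value, e.g. `$ca_serial = mt_rand(1, 0x7fffffff);` (or derive one from `openssl_random_pseudo_bytes()`), which also gives each regenerated certificate a distinct serial. The branch additionally overwrites `$cert['type']` with `"server"`, which makes the earlier `$cert['type'] = $type` in hunk `-270` a no-op for this path; a short comment such as `// stored type is "server": a self-signed cert is used exactly like a CA-issued server cert` would explain that. `cert_create()` continues outside the hunk.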
@@ -231,12 +224,8 @@ EOD; } if($lanif == "") { - if($g['minimum_nic_count'] < 2) { - break; - } else { - fclose($fp); - return; - } + /* It is OK to have just a WAN, without a LAN so break if the user does not want LAN. */ + break; } if ($lanif === "a") diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 38680f7..79fb652 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -2091,14 +2091,14 @@ function filter_generate_port(& $rule, $target = "source", $isnat = false) { function filter_address_add_vips_subnets(&$subnets, $if, $not) { global $FilterIflist; - if (!isset($FilterIflist[$if]['vips']) || !is_array($FilterIflist[$if]['vips'])) - return; - $if_subnets = array($subnets); if ($not == true) $subnets = "!{$subnets}"; + if (!isset($FilterIflist[$if]['vips']) || !is_array($FilterIflist[$if]['vips'])) + return; + foreach ($FilterIflist[$if]['vips'] as $vip) { foreach ($if_subnets as $subnet) if (ip_in_subnet($vip['ip'], $subnet)) @@ -2141,8 +2141,7 @@ function filter_generate_address(& $rule, $target = "source", $isnat = false) { $opt_ip = $FilterIflist["opt{$optmatch[1]}"]['ipv6']; if(!is_ipaddrv6($opt_ip)) return ""; - $src = $opt_ip . "/" . - $FilterIflist["opt{$optmatch[1]}"]['snv6']; + $src = $opt_ip . "/" . $FilterIflist["opt{$optmatch[1]}"]['snv6']; /* check for opt$NUMip here */ } else if(preg_match("/opt([0-9]*)ip/", $rule[$target]['network'], $matches)) { $src = $FilterIflist["opt{$matches[1]}"]['ipv6']; @@ -2156,8 +2155,7 @@ function filter_generate_address(& $rule, $target = "source", $isnat = false) { $opt_ip = $FilterIflist["opt{$optmatch[1]}"]['ip']; if(!is_ipaddrv4($opt_ip)) return ""; - $src = $opt_ip . "/" . - $FilterIflist["opt{$optmatch[1]}"]['sn']; + $src = $opt_ip . "/" . $FilterIflist["opt{$optmatch[1]}"]['sn']; /* check for opt$NUMip here */ } else if(preg_match("/opt([0-9]*)ip/", $rule[$target]['network'], $matches)) { $src = $FilterIflist["opt{$matches[1]}"]['ip']; 
@@ -2262,10 +2260,9 @@ function filter_generate_address(& $rule, $target = "source", $isnat = false) { (strpos($src, '{') === false)) $src = " !{$src}"; } - if (is_subnet($src)) - filter_address_add_vips_subnets($src, $rule[$target]['network'], - isset($rule[$target]['not'])); } + if (is_subnet($src)) + filter_address_add_vips_subnets($src, $rule[$target]['network'], isset($rule[$target]['not'])); } else if($rule[$target]['address']) { $expsrc = alias_expand($rule[$target]['address']); if(isset($rule[$target]['not'])) @@ -2445,7 +2442,7 @@ function filter_generate_user_rule($rule) { $l7_present = true; $l7rule =& $layer7_rules_list[$rule['l7container']]; $l7_structures = $l7rule->get_unique_structures(); - $aline['divert'] = "divert " . $l7rule->GetRPort() . " "; + $aline['divert'] = "divert-to " . $l7rule->GetRPort() . " "; } if (($rule['protocol'] == "icmp") && $rule['icmptype'] && ($rule['ipprotocol'] == "inet")) $aline['icmp-type'] = "icmp-type {$rule['icmptype']} "; @@ -2684,7 +2681,7 @@ function filter_rules_generate() { $ipfrules .= "anchor \"relayd/*\"\n"; /* OpenVPN user rules from radius */ $ipfrules .= "anchor \"openvpn/*\"\n"; - /* IPSec user rules from radius */ + /* IPsec user rules from radius */ $ipfrules .= "anchor \"ipsec/*\"\n"; # BEGIN OF firewall rules /* default block logging? */ @@ -2706,6 +2703,11 @@ function filter_rules_generate() { $tracker = $saved_tracker; $ipfrules .= <<<EOD +# block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device, +# and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but +# route-to can override that, causing problems such as in redmine #2073 +block in {$log['block']} quick from 169.254.0.0/16 to any +block in {$log['block']} quick from any to 169.254.0.0/16 #--------------------------------------------------------------------------- # default deny rules #--------------------------------------------------------------------------- 
@@ -3563,7 +3565,7 @@ function filter_process_carp_rules($log) { return $lines; } -/* Generate IPSEC Filter Items */ +/* Generate IPsec Filter Items */ function filter_generate_ipsec_rules($log = array()) { global $config, $g, $FilterIflist, $tracker; diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc index 4bb1410..de37f8b 100644 --- a/etc/inc/globals.inc +++ b/etc/inc/globals.inc @@ -77,8 +77,6 @@ $g = array( "nopkg_platforms" => array("cdrom"), "minimum_ram_warning" => "101", "minimum_ram_warning_text" => "128 MB", - "minimum_nic_count" => "1", - "minimum_nic_count_text" => "*AT LEAST* 1", "wan_interface_name" => "wan", "nopccard_platforms" => array("wrap", "net48xx"), "xmlrpcbaseurl" => "https://packages.pfsense.org", @@ -104,7 +102,7 @@ if(file_exists("/etc/platform")) { //$arch = ($arch == "i386") ? "" : '/' . $arch; /* Full installs and NanoBSD use the same update directory and manifest in 2.x */ - $g['update_url']="https://snapshots.pfsense.org/FreeBSD_stable/10/{$arch}/pfSense_HEAD/.updaters/"; + $g['update_url']="https://snapshots.pfsense.org/FreeBSD_releng/10.1/{$arch}/pfSense_HEAD/.updaters/"; $g['update_manifest']="https://updates.pfSense.org/manifest"; $g['platform'] = trim(file_get_contents("/etc/platform")); @@ -154,7 +152,8 @@ $sysctls = array("net.inet.ip.portrange.first" => "1024", "net.route.netisr_maxqlen" => 1024, "net.inet.udp.checksum" => 1, "net.bpf.zerocopy_enable" => 1, - "net.inet.icmp.reply_from_interface" => 1 + "net.inet.icmp.reply_from_interface" => 1, + "vfs.forcesync" => "0" ); /* Include override values for the above if needed. If the file doesn't exist, don't try to load it. */ diff --git a/etc/inc/gwlb.inc b/etc/inc/gwlb.inc index c5121fe..e32bea0 100644 --- a/etc/inc/gwlb.inc +++ b/etc/inc/gwlb.inc 
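Review bot: `"vfs.forcesync" => "0"` in hunk `-154` of globals.inc is a string while the neighbouring entries use integers (`1`, `1024`); write it as `0` for consistency. A trailing comment on why this sysctl is pinned would also help, since unlike the networking knobs around it the intent is not obvious from the name.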
@@ -822,15 +822,15 @@ function return_gateway_groups_array() { $status = $gateways_status[$gwname]; $gwdown = false; if (stristr($status['status'], "down")) { - $msg = sprintf(gettext("MONITOR: %s is down, removing from routing group {$group['name']}"), $gwname); + $msg = sprintf(gettext("MONITOR: %s is down, omitting from routing group {$group['name']}"), $gwname); $gwdown = true; } else if (stristr($status['status'], "loss") && strstr($group['trigger'], "loss")) { /* packet loss */ - $msg = sprintf(gettext("MONITOR: %s has packet loss, removing from routing group {$group['name']}"), $gwname); + $msg = sprintf(gettext("MONITOR: %s has packet loss, omitting from routing group {$group['name']}"), $gwname); $gwdown = true; } else if (stristr($status['status'], "delay") && strstr($group['trigger'] , "latency")) { /* high latency */ - $msg = sprintf(gettext("MONITOR: %s has high latency, removing from routing group {$group['name']}"), $gwname); + $msg = sprintf(gettext("MONITOR: %s has high latency, omitting from routing group {$group['name']}"), $gwname); $gwdown = true; } if ($gwdown == true) { diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc index a51d8be..684babd 100644 --- a/etc/inc/interfaces.inc +++ b/etc/inc/interfaces.inc @@ -730,7 +730,7 @@ function interfaces_lagg_configure($realif = "") { echo gettext("done.") . "\n"; } -function interface_lagg_configure(&$lagg) { +function interface_lagg_configure($lagg) { global $config, $g; if (!is_array($lagg)) 
@@ -747,30 +747,47 @@ function interface_lagg_configure(&$lagg) { } else $laggif = pfSense_interface_create("lagg"); - /* Calculate smaller mtu and enforce it */ - $smallermtu = 0; - foreach ($members as $member) { - $opts = pfSense_get_interface_addresses($member); - $mtu = $opts['mtu']; - if (!isset($opts['caps']['txcsum'])) - $commontx = false; - if (!isset($opts['caps']['rxcsum'])) - $commonrx = false; - if (!isset($opts['caps']['tso4'])) - $commontso4 = false; - if (!isset($opts['caps']['tso6'])) - $commontso6 = false; - if (!isset($opts['caps']['lro'])) - $commonlro = false; - if ($smallermtu == 0 && !empty($mtu)) - $smallermtu = $mtu; - else if (!empty($mtu) && $mtu < $smallermtu) - $smallermtu = $mtu; + /* Check if MTU was defined for this lagg interface */ + $lagg_mtu = 0; + if (is_array($config['interfaces'])) { + foreach ($config['interfaces'] as $ifname => $ifdata) { + if ($ifdata['if'] != $laggif) + continue; + + if (isset($ifdata['mtu']) && !empty($ifdata['mtu'])) { + $lagg_mtu = $ifdata['mtu']; + break; + } + } + } + + if ($lagg_mtu == 0) { + /* Calculate smaller mtu and enforce it */ + $smallermtu = 0; + foreach ($members as $member) { + $opts = pfSense_get_interface_addresses($member); + $mtu = $opts['mtu']; + if (!isset($opts['caps']['txcsum'])) + $commontx = false; + if (!isset($opts['caps']['rxcsum'])) + $commonrx = false; + if (!isset($opts['caps']['tso4'])) + $commontso4 = false; + if (!isset($opts['caps']['tso6'])) + $commontso6 = false; + if (!isset($opts['caps']['lro'])) + $commonlro = false; + if ($smallermtu == 0 && !empty($mtu)) + $smallermtu = $mtu; + else if (!empty($mtu) && $mtu < $smallermtu) + $smallermtu = $mtu; + } + $lagg_mtu = $smallermtu; } /* Just in case anything is not working well */ - if ($smallermtu == 0) - $smallermtu = 1500; + if ($lagg_mtu == 0) + $lagg_mtu = 1500; $flags_on = 0; $flags_off = 0; 
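Review bot: Moving the member loop under `if ($lagg_mtu == 0)` in hunk `-747` also skips the `$commontx`/`$commonrx`/`$commontso4`/`$commontso6`/`$commonlro` capability detection whenever an MTU is configured for the lagg, so `$flags_on`/`$flags_off` (applied to every member with `pfSense_interface_capabilities()` in hunk `-801`) are then derived from whatever those variables were initialised to above the hunk rather than from what each member supports. Keep the capability checks in an unconditional loop and gate only the MTU minimum on `$lagg_mtu == 0`; `$ifdata['mtu']` is also taken from the config as-is, so an `is_numeric()` check before trusting it would match the `1500` fallback. `interface_lagg_configure()` continues outside the hunk.
```php
	/* Capability detection must run for every member regardless of where the MTU comes from */
	$smallermtu = 0;
	foreach ($members as $member) {
		$opts = pfSense_get_interface_addresses($member);
		if (!isset($opts['caps']['txcsum']))
			$commontx = false;
		// … unchanged: rxcsum / tso4 / tso6 / lro checks …
		$mtu = $opts['mtu'];
		if (!empty($mtu) && ($smallermtu == 0 || $mtu < $smallermtu))
			$smallermtu = $mtu;
	}
	if ($lagg_mtu == 0)
		$lagg_mtu = $smallermtu;
	// … unchanged: 1500 fallback and flag computation …
```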
@@ -801,7 +818,7 @@ function interface_lagg_configure(&$lagg) { if (!array_key_exists($member, $checklist)) continue; /* make sure the parent interface is up */ - pfSense_interface_mtu($member, $smallermtu); + pfSense_interface_mtu($member, $lagg_mtu); pfSense_interface_capabilities($member, -$flags_off); pfSense_interface_capabilities($member, $flags_on); interfaces_bring_up($member); @@ -1925,12 +1942,12 @@ EOD; return 1; } -function interfaces_carp_setup() { +function interfaces_sync_setup() { global $g, $config; if (isset($config['system']['developerspew'])) { $mt = microtime(); - echo "interfaces_carp_setup() being called $mt\n"; + echo "interfaces_sync_setup() being called $mt\n"; } if ($g['booting']) { @@ -1959,7 +1976,7 @@ function interfaces_carp_setup() { unset($carp_sync_int); /* setup pfsync interface */ - if ($carp_sync_int and $pfsyncenabled) { + if (isset($carp_sync_int) and isset($pfsyncenabled)) { if (is_ipaddr($pfsyncpeerip)) $syncpeer = "syncpeer {$pfsyncpeerip}"; else @@ -2112,7 +2129,7 @@ function interfaces_vips_configure($interface = "") { } } if ($carp_setuped == true) - interfaces_carp_setup(); + interfaces_sync_setup(); if ($anyproxyarp == true) interface_proxyarp_configure(); } 
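Review bot: Hunk `-1959` changes the pfsync guard from truthiness to `isset($carp_sync_int) and isset($pfsyncenabled)`, which is a semantic change rather than a notice fix: a `$pfsyncenabled` that is set but empty or `"0"` now passes the guard and the pfsync interface gets configured. Where these two variables are assigned is outside the hunk, so this is inferred; if the intent was only to silence undefined-variable notices, `!empty($carp_sync_int) and !empty($pfsyncenabled)` keeps the previous behaviour. `interfaces_sync_setup()` continues outside the hunk.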
@@ -2184,19 +2201,17 @@ function interface_carp_configure(&$vip) { } if (is_ipaddrv4($vip['subnet'])) { - /* Ensure CARP IP really exists prior to loading up. */ + /* Ensure a IP on this interface exists prior to configuring CARP. */ $ww_subnet_ip = find_interface_ip($realif); - $ww_subnet_bits = find_interface_subnet($realif); - if (!ip_in_subnet($vip['subnet'], gen_subnet($ww_subnet_ip, $ww_subnet_bits) . "/" . $ww_subnet_bits) && !ip_in_interface_alias_subnet($vip['interface'], $vip['subnet'])) { - file_notice("CARP", sprintf(gettext("Sorry but we could not find a matching real interface subnet for the virtual IP address %s."), $vip['subnet']), "Firewall: Virtual IP", ""); + if (!is_ipaddrv4($ww_subnet_ip)) { + file_notice("CARP", sprintf(gettext("Sorry but we could not find a required assigned ip address on the interface for the virtual IP address %s."), $vip['subnet']), "Firewall: Virtual IP", ""); return; } } else if (is_ipaddrv6($vip['subnet'])) { - /* Ensure CARP IP really exists prior to loading up. */ + /* Ensure a IP on this interface exists prior to configuring CARP. */ $ww_subnet_ip = find_interface_ipv6($realif); - $ww_subnet_bits = find_interface_subnetv6($realif); - if (!ip_in_subnet($vip['subnet'], gen_subnetv6($ww_subnet_ip, $ww_subnet_bits) . "/" . $ww_subnet_bits) && !ip_in_interface_alias_subnet($vip['interface'], $vip['subnet'])) { - file_notice("CARP", sprintf(gettext("Sorry but we could not find a matching real interface subnet for the virtual IPv6 address %s."), $vip['subnet']), "Firewall: Virtual IP", ""); + if (!is_ipaddrv6($ww_subnet_ip)) { + file_notice("CARP", sprintf(gettext("Sorry but we could not find a required assigned ip address on the interface for the virtual IPv6 address %s."), $vip['subnet']), "Firewall: Virtual IP", ""); return; } } 
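Review bot: The two new comments in hunk `-2184` should read `/* Ensure an IP on this interface exists prior to configuring CARP. */`, and the user-visible `file_notice()` texts read better as `a required IP address assigned to the interface`. The hunk also drops the check that the VIP lies within the interface's (or an alias') subnet and now only requires that the interface has some address, so a VIP outside every configured subnet is no longer reported before `ifconfig` is attempted; if that relaxation is deliberate, the comment should say so. `interface_carp_configure()` continues outside the hunk.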
@@ -2221,7 +2236,7 @@ function interface_carp_configure(&$vip) { if (is_ipaddrv4($vip['subnet'])) mwexec("/sbin/ifconfig {$realif} " . escapeshellarg($vip['subnet']) . "/" . escapeshellarg($vip['subnet_bits']) . " alias vhid " . escapeshellarg($vip['vhid'])); else if (is_ipaddrv6($vip['subnet'])) - mwexec("/sbin/ifconfig {$realif} inet6 " . escapeshellarg($vip['subnet']) . " prefixlen " . escapeshellarg($vip['subnet_bits']) . " vhid " . escapeshellarg($vip['vhid'])); + mwexec("/sbin/ifconfig {$realif} inet6 " . escapeshellarg($vip['subnet']) . " prefixlen " . escapeshellarg($vip['subnet_bits']) . " alias vhid " . escapeshellarg($vip['vhid'])); return $realif; } @@ -3125,6 +3140,18 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven interface_vlan_adapt_mtu(link_interface_to_vlans($realhwif), $wancfg['mtu']); } else pfSense_interface_mtu($realif, $wancfg['mtu']); + } else if (substr($realif, 0, 4) == 'lagg') { + /* LAGG interface must be destroyed and re-created to change MTU */ + if ($wancfg['mtu'] != get_interface_mtu($realif)) { + if (isset($config['laggs']['lagg']) && is_array($config['laggs']['lagg'])) { + foreach ($config['laggs']['lagg'] as $lagg) { + if ($lagg['laggif'] == $realif) { + interface_lagg_configure($lagg); + break; + } + } + } + } } else { if ($wancfg['mtu'] != get_interface_mtu($realif)) pfSense_interface_mtu($realif, $wancfg['mtu']); @@ -3132,7 +3159,7 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven /* This case is needed when the parent of vlans is being configured */ interface_vlan_adapt_mtu(link_interface_to_vlans($realif), $wancfg['mtu']); } - /* XXX: What about gre/gif/lagg/.. ? */ + /* XXX: What about gre/gif/.. ? */ } if (does_interface_exist($wancfg['if'])) 
@@ -4493,12 +4520,6 @@ function find_number_of_created_carp_interfaces() { return `/sbin/ifconfig | grep "carp:" | wc -l`; } -function get_all_carp_interfaces() { - $ints = str_replace("\n", " ", `ifconfig | grep "carp:" -B2 | grep ": flag" | cut -d: -f1`); - $ints = explode(" ", $ints); - return $ints; -} - /* * find_carp_interface($ip): return the carp interface where an ip is defined */ diff --git a/etc/inc/ipsec.auth-user.php b/etc/inc/ipsec.auth-user.php index 1171735..8142b99 100755 --- a/etc/inc/ipsec.auth-user.php +++ b/etc/inc/ipsec.auth-user.php @@ -132,7 +132,7 @@ foreach ($authmodes as $authmode) { $user = getUserEntry($username); if (!is_array($user) || !userHasPrivilege($user, "user-ipsec-xauth-dialin")) { $authenticated = false; - syslog(LOG_WARNING, "user '{$username}' cannot authenticate through IPSec since the required privileges are missing.\n"); + syslog(LOG_WARNING, "user '{$username}' cannot authenticate through IPsec since the required privileges are missing.\n"); continue; } } diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc index 77f948c..c8833c1 100644 --- a/etc/inc/ipsec.inc +++ b/etc/inc/ipsec.inc @@ -39,7 +39,7 @@ $ipsec_loglevels = array("dmn" => "Daemon", "mgr" => "SA Manager", "ike" => "IKE "job" => "Job Processing", "cfg" => "Configuration backend", "knl" => "Kernel Interface", "net" => "Networking", "asn" => "ASN encoding", "enc" => "Message encoding", "imc" => "Integrity checker", "imv" => "Integrity Verifier", "pts" => "Platform Trust Service", - "tls" => "TLS handler", "esp" => "IPSec traffic", "lib" => "StrongSWAN Lib"); + "tls" => "TLS handler", "esp" => "IPsec traffic", "lib" => "StrongSWAN Lib"); $my_identifier_list = array( 'myaddress' => array( 'desc' => gettext('My IP address'), 'mobile' => true ), 
@@ -463,7 +463,7 @@ function ipsec_smp_dump_status() { global $config, $g, $custom_listtags; if (!file_exists("{$g['varrun_path']}/charon.xml")) { - log_error("IPSec daemon seems to have issues or not running!"); + log_error("IPsec daemon seems to have issues or not running!"); return; } @@ -607,7 +607,7 @@ function ipsec_dump_mobile() { $_gb = exec("/usr/local/sbin/ipsec stroke leases > {$g['tmp_path']}/strongswan_leases.xml"); if (!file_exists("{$g['tmp_path']}/strongswan_leases.xml")) { - log_error(gettext("IPSec daemon seems to have issues or not running! Could not display mobile user stats!")); + log_error(gettext("IPsec daemon seems to have issues or not running! Could not display mobile user stats!")); return array(); } diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index 3892ba6..acca2df 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc @@ -2510,6 +2510,7 @@ function load_mac_manufacturer_table() { * is_ipaddr_configured * INPUTS * IP Address to check. + * If ignore_if is a VIP (not carp), vip array index is passed after string _virtualip * RESULT * returns true if the IP Address is * configured and present on this device. @@ -2517,6 +2518,15 @@ function load_mac_manufacturer_table() { function is_ipaddr_configured($ipaddr, $ignore_if = "", $check_localip = false, $check_subnets = false) { global $config; + $pos = strpos($ignore_if, '_virtualip'); + if ($pos !== false) { + $ignore_vip_id = substr($ignore_if, $pos+10); + $ignore_vip_if = substr($ignore_if, 0, $pos); + } else { + $ignore_vip_id = -1; + $ignore_vip_if = $ignore_if; + } + $isipv6 = is_ipaddrv6($ipaddr); if ($check_subnets) { 
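Review bot: In hunk `-2517` of pfsense-utils.inc the offset `10` in `substr($ignore_if, $pos+10)` is the length of the `'_virtualip'` literal; `strlen('_virtualip')` or a named constant makes that explicit. The extracted id is a string that hunk `-2553` compares loosely (`$id == $ignore_vip_id`), so an `$ignore_if` ending exactly in `_virtualip` yields `false` from `substr()` and compares equal to index `0`, silently ignoring the first VIP. Validate before use, e.g. `$suffix = substr($ignore_if, $pos + strlen('_virtualip'));` followed by `$ignore_vip_id = ctype_digit($suffix) ? (int)$suffix : -1;`. `is_ipaddr_configured()` continues outside the hunk.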
@@ -2543,8 +2553,7 @@ function is_ipaddr_configured($ipaddr, $ignore_if = "", $check_localip = false, $interface_list_ips = get_configured_ip_addresses(); foreach($interface_list_ips as $if => $ilips) { - /* Also ignore CARP interfaces, it'll be checked below */ - if ($ignore_if == $if || strstr($ignore_if, "_vip")) + if ($ignore_if == $if) continue; if (strcasecmp($ipaddr, $ilips) == 0) return true; @@ -2553,7 +2562,8 @@ function is_ipaddr_configured($ipaddr, $ignore_if = "", $check_localip = false, $interface_list_vips = get_configured_vips_list(true); foreach ($interface_list_vips as $id => $vip) { - if ($ignore_if == $vip['if']) + /* Skip CARP interfaces here since they were already checked above */ + if ($id == $ignore_vip_id || (strstr($ignore_if, '_vip') && $ignore_vip_if == $vip['if'])) continue; if (strcasecmp($ipaddr, $vip['ipaddr']) == 0) return true; diff --git a/etc/inc/services.inc b/etc/inc/services.inc index 2f2fc83..2c41ab6 100644 --- a/etc/inc/services.inc +++ b/etc/inc/services.inc @@ -358,10 +358,14 @@ function services_dhcpdv4_configure() { return 0; /* if OLSRD is enabled, allow WAN to house DHCP. */ - if($config['installedpackages']['olsrd']) + if (!function_exists('is_package_installed')) + require_once('pkg-utils.inc'); + if (is_package_installed('olsrd') && isset($config['installedpackages']['olsrd'])) foreach($config['installedpackages']['olsrd']['config'] as $olsrd) - if($olsrd['enable']) - $is_olsr_enabled = true; + if (isset($olsrd['enable']) && $olsrd['enable'] == "on") { + $is_olsr_enabled = true; + break; + } if ($g['booting']) { /* restore the leases, if we have them */ 
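Review bot: Hunk `-358` of services.inc now guards `$config['installedpackages']['olsrd']` with `isset()`, but the `foreach` still iterates `['config']` without checking that it is an array, so a package entry without a `config` list still produces a foreach warning. Tighten the condition to `if (is_package_installed('olsrd') && is_array($config['installedpackages']['olsrd']['config']))`. `services_dhcpdv4_configure()` continues outside the hunk.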
@@ -612,6 +616,10 @@ EOPP; $dhcpdconf .= " option domain-name-servers {$poolconf['dnsserver'][0]}"; if($poolconf['dnsserver'][1] <> "") $dhcpdconf .= ",{$poolconf['dnsserver'][1]}"; + if($poolconf['dnsserver'][2] <> "") + $dhcpdconf .= ",{$poolconf['dnsserver'][2]}"; + if($poolconf['dnsserver'][3] <> "") + $dhcpdconf .= ",{$poolconf['dnsserver'][3]}"; $dhcpdconf .= ";\n"; } diff --git a/etc/inc/shaper.inc b/etc/inc/shaper.inc index fddff92..cd52390 100644 --- a/etc/inc/shaper.inc +++ b/etc/inc/shaper.inc @@ -3044,7 +3044,8 @@ class dnpipe_class extends dummynet_class { $schedule = 0; $schedulenone = 0; $entries = 0; - for ($i = 0; $i < 30; $i++) { + /* XXX: Really no better way? */ + for ($i = 0; $i < 2900; $i++) { if (!empty($data["bwsched{$i}"])) { if ($data["bwsched{$i}"] != "none") $schedule++; @@ -3082,7 +3083,8 @@ class dnpipe_class extends dummynet_class { if (!empty($_POST)) { $bandwidth = array(); - for ($i = 0; $i < 30; $i++) { + /* XXX: Really no better way? */ + for ($i = 0; $i < 2900; $i++) { if (isset($q["bandwidth{$i}"]) && $q["bandwidth{$i}"] <> "") { $bw = array(); $bw['bw'] = $q["bandwidth{$i}"]; diff --git a/etc/inc/system.inc b/etc/inc/system.inc index 9bb32ee..0add04c 100644 --- a/etc/inc/system.inc +++ b/etc/inc/system.inc @@ -57,7 +57,11 @@ function activate_powerd() { if (!empty($config['system']['powerd_battery_mode'])) $battery_mode = $config['system']['powerd_battery_mode']; - mwexec("/usr/sbin/powerd -b $battery_mode -a $ac_mode"); + $normal_mode = "hadp"; + if (!empty($config['system']['powerd_normal_mode'])) + $normal_mode = $config['system']['powerd_normal_mode']; + + mwexec("/usr/sbin/powerd -b $battery_mode -a $ac_mode -n $normal_mode"); } } 
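Review bot: Hunk `-612` of services.inc extends the `[1]`, `[2]`, `[3]` index chain for `domain-name-servers`; a loop over the configured servers removes the repetition and the next `[4]` edit, e.g. `$servers = array_filter(array_slice($poolconf['dnsserver'], 0, 4), 'strlen');` and `$dhcpdconf .= " option domain-name-servers " . implode(",", $servers) . ";\n";` in place of the whole chain. The enclosing `if` that tests index `[0]` starts outside the hunk.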
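Review bot: Raising the probe loop from 30 to 2900 iterations in hunks `-3044` and `-3082` of shaper.inc answers the `XXX` with brute force: each call now tests up to 2900 keys that mostly do not exist. Iterating over the keys that are present removes the bound entirely, e.g. `foreach (array_keys($data) as $key) if (preg_match('/^bwsched(\d+)$/', $key, $m))` with `$i = (int)$m[1]` in the body, and the same pattern for `bandwidth` in `-3082`; collect and sort the indices first if the order of the resulting `$bandwidth` entries matters. Both loops sit inside methods of `dnpipe_class` that start outside the hunks.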
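Review bot: `$normal_mode` comes from `$config['system']['powerd_normal_mode']` and is interpolated unescaped into the root `mwexec()` command line in hunk `-57` of system.inc, as `$battery_mode` and `$ac_mode` already were. Elsewhere in this commit such arguments are wrapped in `escapeshellarg()` (the `ifconfig` call in interfaces.inc), so at minimum use `escapeshellarg($normal_mode)`; better, accept only the powerd mode names (`max`, `min`, `adp`, `hadp`) and fall back to the `hadp` default otherwise, since the value originates in an importable config file. `activate_powerd()` continues outside the hunk.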
@@ -105,10 +109,6 @@ function system_resolvconf_generate($dynupdate = false) { $syscfg = $config['system']; - // Do not create blank domain lines, it breaks tools like dig. - if($syscfg['domain']) - $resolvconf = "domain {$syscfg['domain']}\n"; - if (((isset($config['dnsmasq']['enable']) && (empty($config['dnsmasq']['interface']) || in_array("lo0", explode(",", $config['dnsmasq']['interface'])))) || (isset($config['unbound']['enable'])) && (empty($config['unbound']['active_interface']) || in_array("lo0", explode(",", $config['unbound']['active_interface'])))) && !isset($config['system']['dnslocalhost'])) @@ -126,6 +126,10 @@ function system_resolvconf_generate($dynupdate = false) { if($nameserver) $resolvconf .= "nameserver $nameserver\n"; } + } else { + // Do not create blank search/domain lines, it can break tools like dig. + if($syscfg['domain']) + $resolvconf = "search {$syscfg['domain']}\n"; } if (is_array($syscfg['dnsserver'])) { foreach ($syscfg['dnsserver'] as $ns) { @@ -540,7 +544,7 @@ function system_staticroutes_configure($interface = "", $update_dns = false) { } if (isset($rtent['disabled'])) { - /* XXX: This is a bit dangerous in case of routing daemons!? */ + /* XXX: This can break things by deleting routes that shouldn't be deleted - OpenVPN, dynamic routing scenarios, etc. redmine #3709 */ foreach ($ips as $ip) mwexec("/sbin/route delete " . escapeshellarg($ip), true); continue; 
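Review bot: With the `domain` line removed at the top of `system_resolvconf_generate()` (hunk `-105`), the first write to `$resolvconf` in the local-resolver branch is the `.=` on `nameserver`, while the `search` line in hunk `-126` uses `=` inside the `else`; unless `$resolvconf` is initialised above the hunk (not visible here), the first branch now appends to an undefined variable, which the old `domain` line avoided whenever a domain was set. Add `$resolvconf = "";` next to `$syscfg = $config['system'];`, after which the `search` line can use `.=` like its neighbours. The behavioural change is also worth a sentence in the comment: the `search` entry is now written only when the firewall does not use its own resolver. The function continues outside the hunk.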
@@ -826,6 +830,44 @@ EOD; return $retval; } +function system_webgui_create_certificate() { + global $config, $g; + + if (!is_array($config['ca'])) + $config['ca'] = array(); + $a_ca =& $config['ca']; + if (!is_array($config['cert'])) + $config['cert'] = array(); + $a_cert =& $config['cert']; + log_error("Creating SSL Certificate for this host"); + + $cert = array(); + $cert['refid'] = uniqid(); + $cert['descr'] = gettext("webConfigurator default ({$cert['refid']})"); + + $dn = array( + 'countryName' => "US", + 'stateOrProvinceName' => "State", + 'localityName' => "Locality", + 'organizationName' => "{$g['product_name']} webConfigurator Self-Signed Certificate", + 'emailAddress' => "admin@{$config['system']['hostname']}.{$config['system']['domain']}", + 'commonName' => "{$config['system']['hostname']}-{$cert['refid']}"); + $old_err_level = error_reporting(0); /* otherwise openssl_ functions throw warings directly to a page screwing menu tab */ + if (!cert_create($cert, null, 2048, 2000, $dn, "self-signed", "sha256")){ + while($ssl_err = openssl_error_string()){ + log_error("Error creating WebGUI Certificate: openssl library returns: " . $ssl_err); + } + error_reporting($old_err_level); + return null; + } + error_reporting($old_err_level); + + $a_cert[] = $cert; + $config['system']['webgui']['ssl-certref'] = $cert['refid']; + write_config(gettext("Generated new self-signed HTTPS certificate ({$cert['refid']})")); + return $cert; +} + function system_webgui_start() { global $config, $g; 
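Review bot: `system_webgui_create_certificate()` returns `null` when `cert_create()` fails but carries no header comment saying so, and its caller in hunk `-847` dereferences the result without checking. Add a docblock along the lines of `/* Generate a 2048-bit self-signed webConfigurator certificate, store it in $config['cert'], point ssl-certref at it and write the config. Returns the cert array, or null (with openssl errors logged) on failure. */`. `$a_ca` is bound by reference but never used in the function, and `gettext("webConfigurator default ({$cert['refid']})")` interpolates before lookup so the msgid is never a fixed translatable string; `sprintf(gettext("webConfigurator default (%s)"), $cert['refid'])` keeps it translatable, and the same applies to the `write_config()` message.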
@@ -847,37 +889,18 @@ function system_webgui_start() { if ($config['system']['webgui']['protocol'] == "https") { // Ensure that we have a webConfigurator CERT $cert =& lookup_cert($config['system']['webgui']['ssl-certref']); - if(!is_array($cert) && !$cert['crt'] && !$cert['prv']) { - if (!is_array($config['ca'])) - $config['ca'] = array(); - $a_ca =& $config['ca']; - if (!is_array($config['cert'])) - $config['cert'] = array(); - $a_cert =& $config['cert']; - log_error("Creating SSL Certificate for this host"); - $cert = array(); - $cert['refid'] = uniqid(); - $cert['descr'] = gettext("webConfigurator default"); - mwexec("/usr/bin/openssl genrsa 1024 > {$g['tmp_path']}/ssl.key"); - mwexec("/usr/bin/openssl req -new -x509 -nodes -sha256 -days 2000 -key {$g['tmp_path']}/ssl.key > {$g['tmp_path']}/ssl.crt"); - $crt = file_get_contents("{$g['tmp_path']}/ssl.crt"); - $key = file_get_contents("{$g['tmp_path']}/ssl.key"); - unlink("{$g['tmp_path']}/ssl.key"); - unlink("{$g['tmp_path']}/ssl.crt"); - cert_import($cert, $crt, $key); - $a_cert[] = $cert; - $config['system']['webgui']['ssl-certref'] = $cert['refid']; - write_config(gettext("Importing HTTPS certificate")); - if(!$config['system']['webgui']['port']) - $portarg = "443"; - $ca = ca_chain($cert); + if(!is_array($cert) || !$cert['crt'] || !$cert['prv']) { + $cert = system_webgui_create_certificate(); + $crt = base64_decode($cert['crt']); + $key = base64_decode($cert['prv']); } else { $crt = base64_decode($cert['crt']); $key = base64_decode($cert['prv']); - if(!$config['system']['webgui']['port']) - $portarg = "443"; - $ca = ca_chain($cert); } + + if(!$config['system']['webgui']['port']) + $portarg = "443"; + $ca = ca_chain($cert); } /* generate lighttpd configuration */ 
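Review bot: In hunk `-847` `$cert = system_webgui_create_certificate();` can return `null`, after which `base64_decode($cert['crt'])` yields an empty string and the rest of the function configures lighttpd with no usable certificate. Guard it: `if (!is_array($cert)) { log_error("Unable to create a webConfigurator certificate, not starting HTTPS"); return; }` or fall back to plain HTTP explicitly. Whether `ca_chain($cert)` copes with the self-signed certificate having no `caref` is not visible here and worth confirming. `system_webgui_start()` continues outside the hunk.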
@@ -1224,6 +1247,7 @@ EOD; // Harden SSL a bit for PCI conformance testing $lighty_config .= "ssl.use-sslv2 = \"disable\"\n"; + $lighty_config .= "ssl.use-sslv3 = \"disable\"\n"; /* Hifn accelerators do NOT work with the BEAST mitigation code. Do not allow it to be enabled if a Hifn card has been detected. */ $fd = @fopen("{$g['varlog_path']}/dmesg.boot", "r"); diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index e92f308..8344a20 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -290,6 +290,8 @@ charon { # XXX: There is not much choice here really users win their security! i_dont_care_about_security_and_use_aggressive_mode_psk=yes + cisco_unity = yes + # And two loggers using syslog. The subsections define the facility to log # to, currently one of: daemon, auth. syslog { @@ -308,9 +310,6 @@ charon { EOD; - if (is_array($a_client) && isset($a_client['enable']) && isset($a_client['net_list'])) - $strongswan .= "\tcisco_unity = yes\n"; - $strongswan .= "\tplugins {\n"; if (is_array($a_client) && isset($a_client['enable'])) { diff --git a/etc/inc/zeromq.inc b/etc/inc/zeromq.inc index db40ce9..65589d0 100644 --- a/etc/inc/zeromq.inc +++ b/etc/inc/zeromq.inc @@ -273,7 +273,7 @@ function interfaces_carp_configure_zeromq($raw_params) { $params = $raw_params; if(zeromq_auth($raw_params) == false) return ZEROMQ_AUTH_FAIL; - interfaces_carp_setup(); + interfaces_sync_setup(); interfaces_vips_configure(); return ZEROMQ_FASLE; } diff --git a/etc/phpshellsessions/enablecarp b/etc/phpshellsessions/enablecarp index d486c04..b1c4a43 100644 --- a/etc/phpshellsessions/enablecarp +++ b/etc/phpshellsessions/enablecarp @@ -14,5 +14,5 @@ if(is_array($config['virtualip']['vip'])) { } } } -interfaces_carp_setup(); +interfaces_sync_setup(); set_single_sysctl("net.inet.carp.allow", "1"); diff --git a/etc/phpshellsessions/generateguicert b/etc/phpshellsessions/generateguicert new file mode 100644 index 0000000..925ab60 --- /dev/null +++ b/etc/phpshellsessions/generateguicert 
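Review bot: `cisco_unity = yes` is now emitted unconditionally in hunk `-290` of vpn.inc, while the lines removed in hunk `-308` enabled it only when mobile clients (`$a_client['enable']`) with a `net_list` were configured. If that is intentional, a comment on the heredoc line such as `# Advertise Cisco Unity extensions for all configurations so mobile clients get the network list` would stop it being re-conditionalised later; if not, the previous condition should be restored. The charon heredoc begins outside the hunk.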
@@ -0,0 +1,8 @@
+require_once("system.inc");
+
+echo gettext("Generating a new self-signed SSL certificate for the GUI...");
+$cert = system_webgui_create_certificate();
+echo gettext("Done.\n");
+echo gettext("Restarting webConfigurator...");
+send_event("service restart webgui");
+echo gettext("Done.\n");
\ No newline at end of file diff --git a/etc/rc.bootup b/etc/rc.bootup index 69eb486..1b150e3 100755 --- a/etc/rc.bootup +++ b/etc/rc.bootup @@ -265,6 +265,7 @@ echo "done.\n"; if(!$debugging) mute_kernel_msgs(); interfaces_configure(); +interfaces_sync_setup(); if(!$debugging) unmute_kernel_msgs(); diff --git a/etc/rc.initial b/etc/rc.initial index 2277280..6a666fb 100755 --- a/etc/rc.initial +++ b/etc/rc.initial @@ -81,16 +81,16 @@ fi # display a cheap menu echo "" -echo "" -echo " 0) Logout (SSH only) 8) Shell" -echo " 1) Assign Interfaces 9) pfTop" -echo " 2) Set interface(s) IP address 10) Filter Logs" -echo " 3) Reset webConfigurator password 11) Restart webConfigurator" -echo " 4) Reset to factory defaults 12) ${product} Developer Shell" -echo " 5) Reboot system 13) Upgrade from console" -echo " 6) Halt system ${sshd_option}" -echo " 7) Ping host 15) Restore recent configuration" -echo " ${option98}" +echo " 0) Logout (SSH only) 9) pfTop" +echo " 1) Assign Interfaces 10) Filter Logs" +echo " 2) Set interface(s) IP address 11) Restart webConfigurator" +echo " 3) Reset webConfigurator password 12) ${product} Developer Shell" +echo " 4) Reset to factory defaults 13) Upgrade from console" +echo " 5) Reboot system ${sshd_option}" +echo " 6) Halt system 15) Restore recent configuration" +echo " 7) Ping host 16) Restart PHP-FPM" +echo " 8) Shell" +echo " ${option98} " if [ "${option99}" != "" ]; then /bin/echo "${option99}" @@ -151,7 +151,7 @@ case ${opmode} in /etc/rc.restore_config_backup ;; 16) - /etc/rc.banner + /etc/rc.php-fpm_restart ;; 98) if [ ! -f /tmp/config_moved ]; then diff --git a/etc/rc.initial.firmware_update b/etc/rc.initial.firmware_update index 1deff88..4ae9adb 100755 --- a/etc/rc.initial.firmware_update +++ b/etc/rc.initial.firmware_update 
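Review bot: The script restarts the webConfigurator right after `system_webgui_create_certificate()` without checking that a certificate was actually produced, so a failed generation still prints "Done." twice and bounces the GUI with whatever certificate is left in the config. Add `if (!is_array($cert) || empty($cert['crt'])) { echo gettext("Failed.\n"); return; }` between the two calls (return rather than exit if phpshellsessions files are included by the developer shell, which I cannot tell from here). Replacing the GUI certificate invalidates any fingerprint users have pinned, so a one-line warning before generating would be worth printing. The file also lacks its trailing newline.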
@@ -87,7 +87,14 @@ switch ($command) { } else { echo "\n\nWARNING.\n"; echo "\nCould not locate a sha256 file. We cannot verify the download once completed.\n\n"; - sleep(15); + echo "Do you still want to proceed with the upgrade [n]? "; + $answer = strtoupper(chop(fgets($fp))); + if ($answer == "Y" or $answer == "YES") { + echo "\nContinuing upgrade..."; + } else { + echo "\nUpgrade cancelled.\n\n"; + die; + } } if(file_exists("/root/firmware.tgz.sha256")) { $source_sha256 = trim(`cat /root/firmware.tgz.sha256 | awk '{ print \$4 }'`,"\r"); diff --git a/etc/rc.php-fpm_restart b/etc/rc.php-fpm_restart new file mode 100755 index 0000000..422b951 --- /dev/null +++ b/etc/rc.php-fpm_restart @@ -0,0 +1,11 @@ +#!/bin/sh + +/bin/pkill -F /var/run/php-fpm.pid +sleep 2 + +# Run the php.ini setup file and populate +# /usr/local/etc/php.ini and /usr/local/lib/php.ini +/etc/rc.php_ini_setup 2>/tmp/php_errors.txt +echo ">>> Restarting php-fpm" | /usr/bin/logger -p daemon.info -i -t rc.php-fpm_restart +/usr/local/sbin/php-fpm -c /usr/local/lib/php.ini -y /usr/local/lib/php-fpm.conf -RD 2>&1 >/dev/null + diff --git a/etc/rc.update_bogons.sh b/etc/rc.update_bogons.sh index d0aac9b..178d60e 100755 --- a/etc/rc.update_bogons.sh +++ b/etc/rc.update_bogons.sh @@ -84,6 +84,14 @@ if [ "$proc_error" != "" ]; then exit fi +HTTP_PROXY=`/usr/local/bin/xmllint --xpath 'string(//pfsense/system/proxyurl)' /conf/config.xml` +if [ "${HTTP_PROXY}" != "" ]; then + HTTP_PROXY_PORT=`/usr/local/bin/xmllint --xpath 'string(//pfsense/system/proxyport)' /conf/config.xml` + if [ "${HTTP_PROXY_PORT}" != "" ]; then + HTTP_PROXY="${HTTP_PROXY}:${HTTP_PROXY_PORT}" + fi + export HTTP_PROXY +fi BOGON_V4_CKSUM=`/usr/bin/fetch -T 30 -q -o - "${v4urlcksum}" | awk '{ print $4 }'` ON_DISK_V4_CKSUM=`md5 /tmp/bogons | awk '{ print $4 }'` BOGON_V6_CKSUM=`/usr/bin/fetch -T 30 -q -o - "${v6urlcksum}" | awk '{ print $4 }'` diff --git a/etc/skel/dot.tcshrc b/etc/skel/dot.tcshrc index cd20f2d..e03cc94 100644 
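Review bot: The prompt correctly fails closed when no sha256 file was found (EOF from `fgets($fp)` gives `""`, which falls through to `die`), but `$fp` is not opened anywhere in this hunk, so confirm it is the stdin handle the rest of `switch ($command)` uses. The digest compared afterwards is read from `/root/firmware.tgz.sha256`, presumably fetched from the same place as the image; a checksum obtained over the same channel detects corruption, not substitution, so unless the update URL is HTTPS or the image is signed an on-path attacker who replaces the tarball can replace the `.sha256` as well. A comment above the prompt would make the intent explicit: `// No checksum available: never continue silently; require an explicit yes (default is abort)`. The switch statement begins and ends outside this hunk.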
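Review bot: The redirection on the final `php-fpm` line is in the wrong order: `2>&1 >/dev/null` points stderr at the original stdout and only then discards stdout, so startup errors still reach the console while normal output is hidden; use `... -RD >/dev/null 2>&1`, or drop the redirect so failures are visible. There is also no check that `pkill -F /var/run/php-fpm.pid` found anything before the fixed `sleep 2`; a stale or missing pidfile leaves the old daemon running and the new one unable to bind, so testing pkill's exit status or polling until the pid is gone would make the restart reliable. `2>/tmp/php_errors.txt` writes a predictable path in /tmp as root, which is fine only if /tmp is not writable by other users on this system; I cannot confirm that from here.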
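Review bot: The proxy block appends `:${HTTP_PROXY_PORT}` without checking whether `<proxyurl>` already carries a port, so a value such as `http://proxy:3128` with the port also set separately becomes `http://proxy:3128:3128`; if the GUI does not normalise the two fields, a `case "${HTTP_PROXY}" in` test on the existing value is needed before appending. Sending the bogon download through a configured proxy also means the proxy can alter both the list and its checksum, since the `fetch` lines that follow pull the checksum from the same source (the scheme lives in `${v4urlcksum}`, outside this hunk); the md5 compare that follows is a cache check, not an integrity check, and the table built from this file decides what the firewall blocks. A short comment would help, since nothing else in the script mentions the proxy: `# Honour the system-wide HTTP proxy from config.xml for the bogon fetches below`.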
--- a/etc/skel/dot.tcshrc +++ b/etc/skel/dot.tcshrc @@ -1,4 +1,4 @@ -set prompt="%{\033[0;1;33m%}[%{\033[0;1;37m%}`cat /etc/version`%{\033[0;1;33m%}]%{\033[0;1;33m%}%B[%{\033[0;1;37m%}%n%{\033[0;1;31m%}@%{\033[0;1;37m%}%M%{\033[0;1;33m%}]%{\033[0;1;32m%}%b%/%{\033[0;1;33m%}(%{\033[0;1;37m%}%h%{\033[0;1;33m%})%{\033[0;1;36m%}%{\033[0;1;31m%}:%{\033[0;0;0m%} " +set prompt="%{\033[0;1;33m%}[%{\033[0;1;37m%}`cat /etc/version`%{\033[0;1;33m%}]%{\033[0;1;33m%}%B[%{\033[0;1;37m%}%n%{\033[0;1;31m%}@%{\033[0;1;37m%}%M%{\033[0;1;33m%}]%{\033[0;1;32m%}%b%/%{\033[0;1;33m%}%{\033[0;1;36m%}%{\033[0;1;31m%}:%{\033[0;0;0m%} " set autologout="0" set autolist set color set colorcat setenv CLICOLOR "true" |