Diffstat (limited to 'src/etc')
81 files changed, 1709 insertions, 2520 deletions
diff --git a/src/etc/ascii-art/pfsense-logo-small.txt b/src/etc/ascii-art/pfsense-logo-small.txt deleted file mode 100644 index 01d8bc5..0000000 --- a/src/etc/ascii-art/pfsense-logo-small.txt +++ /dev/null @@ -1,5 +0,0 @@ - ___ - ___/ f \ -/ p \___/ Sense -\___/ \ - \___/
\ No newline at end of file diff --git a/src/etc/crontab b/src/etc/crontab deleted file mode 100644 index 8be8494..0000000 --- a/src/etc/crontab +++ /dev/null @@ -1,5 +0,0 @@ -SHELL=/bin/sh -PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin -HOME=/var/log -#minute hour mday month wday who command -#
\ No newline at end of file diff --git a/src/etc/ddb.conf b/src/etc/ddb.conf deleted file mode 100644 index 65f49c2..0000000 --- a/src/etc/ddb.conf +++ /dev/null @@ -1,3 +0,0 @@ -script lockinfo=show locks; show alllocks; show lockedvnods -script kdb.enter.default=textdump set; capture on; run lockinfo; show pcpu; bt; ps; alltrace; capture off; call doadump; reset -script kdb.enter.witness=run lockinfo diff --git a/src/etc/disktab b/src/etc/disktab deleted file mode 100644 index 5726c4d..0000000 --- a/src/etc/disktab +++ /dev/null 
@@ -1,204 +0,0 @@ -# $FreeBSD: stable/10/etc/disktab 242462 2012-11-02 00:17:30Z eadler $ -# -# Disk geometry and partition layout tables. -# See disktab(5) for format of this file. -# - -# -# Floppy formats: -# -# To make a filesystem on a floppy: -# fdformat [-f <size>] fd<drive>[.<size>] -# disklabel -B -r -w fd<drive>[.<size>] fd<size> -# newfs <opts> fd<drive>[.<size>] -# -# with <opts>: -# -t 2 - two heads -# -u 9|15|18 - sectors per track -# (using the default value of 1/4096 is not much useful for floppies) -# -l 1 - interleave 1 (for most floppies) -# -i 65536 - bytes of data per i-node -# (the default -i value will render you with a floppy wasting way -# too much space in i-node areas) -# - -fd360:\ - :ty=floppy:se#512:nt#2:rm#300:ns#9:nc#40:\ - :pa#720:oa#0:ba#4096:fa#512:\ - :pc#720:oc#0:bc#4096:fc#512: - -fd720:\ - :ty=floppy:se#512:nt#2:rm#300:ns#9:nc#80:\ - :pa#1440:oa#0:ba#4096:fa#512:\ - :pc#1440:oc#0:bc#4096:fc#512: - -fd1200|floppy5|5in|5.25in High Density Floppy:\ - :ty=floppy:se#512:nt#2:rm#360:ns#15:nc#80:\ - :pa#2400:oa#0:ba#4096:fa#512:\ - :pc#2400:oc#0:bc#4096:fc#512: - -fd1440|floppy|floppy3|3in|3.5in High Density Floppy:\ - :ty=floppy:se#512:nt#2:rm#300:ns#18:nc#80:\ - :pa#2880:oa#0:ba#4096:fa#512:\ - :pc#2880:oc#0:bc#4096:fc#512: - -fd2880|2.88MB 3.5in Extra High Density Floppy:\ - :ty=floppy:se#512:nt#2:rm#300:ns#36:nc#80:\ - :pa#5760:oa#0:ba#4096:fa#512:\ - :pb#5760:ob#0:bb#4096:fa#512:\ - :pc#5760:oc#0:bb#4096:fa#512: - -# -# Stressed floppy-formats. No guarantees given. 
-# - -fd800:\ - :ty=floppy:se#512:nt#2:rm#300:ns#10:nc#80:\ - :pa#1600:oa#0:ba#4096:fa#512:\ - :pc#1600:oc#0:bc#4096:fc#512: - -fd820:\ - :ty=floppy:se#512:nt#2:rm#300:ns#10:nc#82:\ - :pa#1640:oa#0:ba#4096:fa#512:\ - :pc#1640:oc#0:bc#4096:fc#512: - -fd1480:\ - :ty=floppy:se#512:nt#2:rm#300:ns#18:nc#82:\ - :pa#2952:oa#0:ba#4096:fa#512:\ - :pc#2952:oc#0:bc#4096:fc#512: - -fd1720:\ - :ty=floppy:se#512:nt#2:rm#300:ns#21:nc#82:\ - :pa#3444:oa#0:ba#4096:fa#512:\ - :pc#3444:oc#0:bc#4096:fc#512: - -# -# LS-120 floppy-format. -# -fd120m|floppy120|floppy120m|3.5in LS-120 Floppy:\ - :ty=floppy:se#512:nt#8:rm#300:ns#32:nc#963:\ - :pa#246528:oa#0:ba#4096:fa#512:\ - :pc#246528:oc#0:bc#4096:fc#512: - -# -# Harddisk formats -# -qp120at|Quantum Peripherals 120MB IDE:\ - :dt=ESDI:ty=winchester:se#512:nt#9:ns#32:nc#813:sf: \ - :pa#13824:oa#0:ta=4.2BSD:ba#4096:fa#512: \ - :pb#13824:ob#13824:tb=swap: \ - :pc#234144:oc#0: \ - :ph#206496:oh#27648:th=4.2BSD:bh#4096:fh#512: - -pan60|Panasonic Laptop's 60MB IDE:\ - :dt=ST506:ty=winchester:se#512:nt#13:ns#17:nc#565:\ - :pa#13260:oa#0:ta=4.2BSD:ba#4096:fa#512:\ - :pb#13260:ob#13260:tb=swap: \ - :pc#124865:oc#0: \ - :ph#97682:oh#26520:th=4.2BSD:bh#4096:fh#512: - -mk156|toshiba156|Toshiba MK156 156Mb:\ - :dt=SCSI:ty=winchester:se#512:nt#10:ns#35:nc#825:\ - :pa#15748:oa#0:ba#4096:fa#512:ta=4.2BSD:\ - :pb#15748:ob#15748:tb=swap:\ - :pc#288750:oc#0:\ - :ph#257250:oh#31500:bh#4096:fh#512:th=4.2BSD: - -cp3100|Connor Peripherals 100MB IDE:\ - :dt=ST506:ty=winchester:se#512:nt#8:ns#33:nc#766: \ - :pa#12144:oa#0:ta=4.2BSD:ba#4096:fa#512: \ - :pb#12144:ob#12144:tb=swap: \ - :pc#202224:oc#0: \ - :ph#177936:oh#24288:th=4.2BSD:bh#4096:fh#512: - -# a == root -# b == swap -# c == d == whole disk -# e == /var -# f == scratch -# h == /usr - -cp3100new|Connor Peripherals 100MB IDE, with a different configuration:\ - :dt=ST506:ty=winchester:se#512:nt#8:ns#33:nc#766: \ - :pa#15840:oa#0:ta=4.2BSD:ba#4096:fa#512: \ - :pb#24288:ob#15840:tb=swap: \ - :pc#202224:oc#0: 
\ - :pd#202224:od#0: \ - :pe#15840:oe#40128:te=4.2BSD:be#4096:fe#512: \ - :pg#15840:og#55968:tg=4.2BSD:bg#4096:fg#512: \ - :ph#130416:oh#71808:th=4.2BSD:bh#4096:fh#512: - -maxtor4380|Maxtor XT4380E ESDI :\ - :dt=ESDI:ty=winchester:se#512:nt#15:ns#36:nc#1222:sf: \ - :pa#21600:oa#0:ta=4.2BSD:ba#4096:fa#512:\ - :pb#21600:ob#21600:tb=swap: \ - :pc#659880:oc#0: \ - :pd#216000:od#53200:td=4.2BSD:bd#4096:fd#512: \ - :ph#398520:oh#269200:th=4.2BSD:bh#4096:fh#512: - -miniscribe9380|compaq38|Miniscribe 9380 ESDI :\ - :ty=winchester:dt=ESDI:se#512:nt#15:ns#35:nc#1223:rm#3600:sf: \ - :pa#21000:oa#0:ba#8192:fa#1024:ta=4.2BSD: \ - :pb#42000:ob#21000:tb=swap: \ - :pc#642075:oc#0: \ - :pd#21000:od#63000:bd#8192:fd#1024:td=4.2BSD: \ - :ph#556500:oh#84000:bh#8192:fh#1024:th=4.2BSD: - -ida4|compaq88|Compaq IDA (4 drives) :\ - :ty=winchester:dt=IDA:se#512:nt#16:ns#63:nc#1644:rm#3600:\ - :pa#20160:oa#0:ba#8192:fa#1024:ta=4.2BSD: \ - :pb#80640:ob#20160:tb=swap: \ - :pc#1659168:oc#0: \ - :pd#201600:od#100800:bd#8192:fd#1024:td=4.2BSD: \ - :pe#20160:oe#1310400:be#8192:fe#1024:te=4.2BSD: \ - :ph#1008000:oh#302400:bh#8192:fh#1024:th=4.2BSD: \ - :pg#302400:og#1330560:bg#4096:fg#512:tg=4.2BSD: - -fuji513|Fujitsu M22XXXX: \ - :ty=winchester:dt=ESDI:se#512:nt#16:ns#63:nc#954:rm#3600:\ - :pa#20160:oa#82656:ba#4096:fa#512:ta=4.2BSD: \ - :pb#40320:ob#102816:tb=swap: \ - :pc#961632:oc#0: \ - :ph#656208:oh#143136:bh#4096:fh#512:th=4.2BSD: - -sony650|Sony 650 MB MOD|\ - :ty=removable:dt=SCSI:se#512:nt#1:ns#31:nc#18600:ts#1:rm#4800:\ - :pc#576600:oc#0:\ - :pa#576600:oa#0:ta=4.2BSD:ba#8192:fa#1024: - -mta3230|mo230|IBM MTA-3230 230 Meg 3.5inch Magneto-Optical:\ - :ty=removeable:dt=SCSI:rm#3600:\ - :se#512:nt#64:ns#32:nc#216:sc#2048:su#444384:\ - :pa#444384:oa#0:ba#4096:fa#0:ta=4.2BSD:\ - :pc#444384:oc#0: - -minimum:ty=mfs:se#512:nt#1:rm#300:\ - :ns#2880:nc#1:\ - :pa#2880:oa#0:ba#4096:fa#512:\ - :pc#2880:oc#0:bc#4096:fc#512: - -minimum2:ty=mfs:se#512:nt#1:rm#300:\ - :ns#5760:nc#1:\ - 
:pa#5760:oa#0:ba#4096:fa#512:\ - :pc#5760:oc#0:bc#4096:fc#512: - -minimum3:ty=mfs:se#512:nt#1:rm#300:\ - :ns#8640:nc#1:\ - :pa#8640:oa#0:ba#4096:fa#512:\ - :pc#8640:oc#0:bc#4096:fc#512: - -zip100|zip 100:\ - :ty=removable:se#512:nc#96:nt#64:ns#32:\ - :pa#196608:oa#0:ba#4096:fa#512:\ - :pc#196608:oc#0:bc#4096:fc#512: - -zip250|zip 250:\ - :ty=removable:se#512:nc#239:nt#64:ns#32:\ - :pa#489472:oa#0:ba#4096:fa#512:\ - :pc#489472:oc#0:bc#4096:fc#512: - -orb2200|orb22|orb:\ - :ty=removable:ns#63:nt#128:nc#4273:sc#1008:su#4307184:se#512:\ - :pa#4307184:oa#0:ba#8192:fa#1024:\ - :pc#4307184:oc#0:bc#8192:fc#1024: - diff --git a/src/etc/group b/src/etc/group deleted file mode 100644 index a0ca8ce..0000000 --- a/src/etc/group +++ /dev/null @@ -1,31 +0,0 @@ -wheel:*:0:root,admin -daemon:*:1:daemon -kmem:*:2:root -sys:*:3:root -tty:*:4:root -operator:*:5:root -mail:*:6: -bin:*:7: -news:*:8: -man:*:9: -games:*:13: -staff:*:20:root -sshd:*:22: -smmsp:*:25: -mailnull:*:26: -guest:*:31:root -bind:*:53: -unbound:*:59: -proxy:*:62: -_pflogd:*:64: -_dhcp:*:65: -authpf:*:63: -uucp:*:66: -dialer:*:68: -network:*:69: -www:*:80: -nogroup:*:65533: -nobody:*:65534: -audit:*:77: -_ntp:*:123: -_relayd:*:913: diff --git a/src/etc/hosts.allow b/src/etc/hosts.allow deleted file mode 100644 index ab11cc0..0000000 --- a/src/etc/hosts.allow +++ /dev/null @@ -1,5 +0,0 @@ -# -# hosts.allow access control file for "tcp wrapped" applications. -# -ALL : ALL : allow - diff --git a/src/etc/inc/IPv6.inc b/src/etc/inc/IPv6.inc index 7dbf45a..d297ed1 100644 --- a/src/etc/inc/IPv6.inc +++ b/src/etc/inc/IPv6.inc @@ -557,7 +557,7 @@ class Net_IPv6 if (false !== strpos($uip, '::') ) { - list($ip1, $ip2) = explode('::', $uip); + list($ip1, $ip2, $ip3) = explode('::', $uip); if ("" == $ip1) { 
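Review bot: `list($ip1, $ip2, $ip3) = explode('::', $uip);` raises an undefined-offset notice in the common single-`::` case, because explode then yields only two elements; the later `isset($ip3)` test works only by relying on the null that notice leaves behind. Padding the array keeps the same behaviour without the notice: `list($ip1, $ip2, $ip3) = array_pad(explode('::', $uip), 3, null);`. Note also that four or more `::` separators are silently truncated to three elements by list(), so the "not good" detection only ever sees the first three; whether that is acceptable depends on the validation that follows. The enclosing method starts before this hunk.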
@@ -606,21 +606,27 @@ class Net_IPv6 $uip = "0:0:0:0:0:0:0:0"; + if (isset($ip3)) { // ::::xxx - not good + if ("" == $ip3) { // :::: + $ip3 = 0; // Give back a 9th "0" + } + $uip .= ":" . $ip3; + } + } else if (-1 == $c1) { // ::xxx - $fill = str_repeat('0:', 7-$c2); + $fill = str_repeat('0:', max(1, 7-$c2)); $uip = str_replace('::', $fill, $uip); } else if (-1 == $c2) { // xxx:: - $fill = str_repeat(':0', 7-$c1); + $fill = str_repeat(':0', max(1, 7-$c1)); $uip = str_replace('::', $fill, $uip); } else { // xxx::xxx - $fill = str_repeat(':0:', max(1, 6-$c2-$c1)); + $fill = ':' . str_repeat('0:', max(1, 6-$c2-$c1)); $uip = str_replace('::', $fill, $uip); - $uip = str_replace('::', ':', $uip); } } @@ -894,7 +900,7 @@ class Net_IPv6 $ipv6 = explode(':', $ipPart[0]); foreach($ipv6 as $element) { // made a validate precheck - if(!preg_match('/[0-9a-fA-F]*/', $element)) { + if(!preg_match('/^[0-9a-fA-F]*$/', $element)) { return false; } } @@ -921,7 +927,7 @@ class Net_IPv6 } - if (8 == $count) { + if (8 == $count and empty($ipPart[1])) { return true; diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc index 1cac566..9e2cded 100644 --- a/src/etc/inc/auth.inc +++ b/src/etc/inc/auth.inc @@ -205,8 +205,9 @@ if (function_exists("display_error_form") && !isset($config['system']['webgui'][ break; } } - $interface_list_ipv6s = get_configured_ipv6_addresses(); + $interface_list_ipv6s = get_configured_ipv6_addresses(true); foreach ($interface_list_ipv6s as $ilipv6s) { + $ilipv6s = explode('%', $ilipv6s)[0]; if (strcasecmp($referrer_host, $ilipv6s) == 0) { $found_host = true; break; @@ -271,8 +272,14 @@ function index_users() { function & getUserEntry($name) { global $debug, $config, $userindex; + $authcfg = auth_get_authserver($config['system']['webgui']['authmode']); + if (isset($userindex[$name])) { return $config['system']['user'][$userindex[$name]]; + } elseif ($authcfg['type'] != "Local Database") { + $user = array(); + $user['name'] = $name; + return $user; } } 
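Review bot: The anchored pattern `'/^[0-9a-fA-F]*$/'` in the -894 hunk still accepts an element with a trailing newline, because in PCRE `$` matches before a final `\n` unless the `D` modifier is set; `'/^[0-9a-fA-F]*$/D'` (or `\z` in place of `$`) makes the check exact. The pattern also places no upper bound on the number of hex digits; if the count-based checks later in the method do not reject groups longer than four digits, `{0,4}` would be the tighter form. The enclosing method starts and ends outside this hunk.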
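Review bot: In `getUserEntry`, `$authcfg['type']` is read without checking that `auth_get_authserver()` returned an array, so an authmode naming a missing or removed server produces a notice and the comparison falls through; `} elseif (is_array($authcfg) && $authcfg['type'] != "Local Database") {` guards it. More importantly, when the webgui auth server is not "Local Database" the function now returns a non-empty array for any name at all, including names that were never authenticated, so any caller that treats a truthy return as "this account exists" should be re-checked. A comment such as `/* Remote auth: return a minimal stub (name only) so per-user settings can be looked up; it does not imply the account exists locally. */` would make that contract explicit.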
@@ -312,13 +319,25 @@ function & getGroupEntryByGID($gid) { } function get_user_privileges(& $user) { + global $config; + + $authcfg = auth_get_authserver($config['system']['webgui']['authmode']); + $names = array(); $privs = $user['priv']; if (!is_array($privs)) { $privs = array(); } - $names = local_user_get_groups($user, true); + if ($authcfg['type'] == "ldap") { + $names = @ldap_get_groups($user['name'], $authcfg); + } elseif ($authcfg['type'] == "radius") { + $names = @radius_get_groups($_SESSION['user_radius_attributes']); + } + + if (empty($names)) { + $names = local_user_get_groups($user, true); + } foreach ($names as $name) { $group = getGroupEntry($name); @@ -391,15 +410,23 @@ function local_sync_accounts() { if ($fd) { while (!feof($fd)) { $line = explode(":", fgets($fd)); - if (((!strncmp($line[0], "_", 1)) || ($line[2] < 2000) || ($line[2] > 65000)) && ($line[0] != "admin")) { - continue; + if ($line[0] != "admin") { + if (!strncmp($line[0], "_", 1)) { + continue; + } + if ($line[2] < 2000) { + continue; + } + if ($line[2] > 65000) { + continue; + } } /* * If a crontab was created to user, pw userdel will be interactive and * can cause issues. Just remove crontab before run it when necessary */ unlink_if_exists("/var/cron/tabs/{$line[0]}"); - $cmd = "/usr/sbin/pw userdel -n '{$line[0]}'"; + $cmd = "/usr/sbin/pw userdel -n " . escapeshellarg($line[0]); if ($debug) { log_error(sprintf(gettext("Running: %s"), $cmd)); } @@ -423,7 +450,7 @@ function local_sync_accounts() { if ($line[2] > 65000) { continue; } - $cmd = "/usr/sbin/pw groupdel {$line[2]}"; + $cmd = "/usr/sbin/pw groupdel -g " . escapeshellarg($line[2]); if ($debug) { log_error(sprintf(gettext("Running: %s"), $cmd)); } 
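Review bot: In `get_user_privileges`, a failed remote group lookup is indistinguishable from an empty one: `@ldap_get_groups(...)` and `@radius_get_groups(...)` have their errors suppressed, and `if (empty($names))` then silently falls back to `local_user_get_groups($user, true)`, so a user whose LDAP or RADIUS lookup timed out receives whatever privileges the local groups grant. Consider falling back only on a genuine empty result (if the helpers distinguish `false` from an empty array) and logging the failure rather than masking it with `@`. As in getUserEntry, `$authcfg['type']` assumes `auth_get_authserver()` returned an array. The function's body continues after this hunk.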
@@ -522,18 +549,25 @@ function local_user_set(& $user) { pclose($fd); $userattrs = explode(":", trim($pwread)); + $skel_dir = '/etc/skel'; + /* determine add or mod */ if (($userattrs[0] != $user['name']) || (!strncmp($pwread, "pw:", 3))) { - $user_op = "useradd -m -k /etc/skel -o"; + $user_op = "useradd -m -k " . escapeshellarg($skel_dir) . " -o"; } else { $user_op = "usermod"; } $comment = str_replace(array(":", "!", "@"), " ", $user['descr']); /* add or mod pw db */ - $cmd = "/usr/sbin/pw {$user_op} -q -u {$user_uid} -n {$user_name}". - " -g {$user_group} -s {$user_shell} -d {$user_home}". - " -c ".escapeshellarg($comment)." -H 0 2>&1"; + $cmd = "/usr/sbin/pw {$user_op} -q " . + " -u " . escapeshellarg($user_uid) . + " -n " . escapeshellarg($user_name) . + " -g " . escapeshellarg($user_group) . + " -s " . escapeshellarg($user_shell) . + " -d " . escapeshellarg($user_home) . + " -c " . escapeshellarg($comment) . + " -H 0 2>&1"; if ($debug) { log_error(sprintf(gettext("Running: %s"), $cmd)); @@ -553,6 +587,14 @@ function local_user_set(& $user) { @chown($user_home, $user_name); @chgrp($user_home, $user_group); + /* Make sure all users have last version of config files */ + foreach (glob("{$skel_dir}/dot.*") as $dot_file) { + $target = $user_home . '/' . substr(basename($dot_file), 3); + @copy($dot_file, $target); + @chown($target, $user_name); + @chgrp($target, $user_group); + } + /* write out ssh authorized key file */ if ($user['authorizedkeys']) { if (!is_dir("{$user_home}/.ssh")) { @@ -567,7 +609,7 @@ function local_user_set(& $user) { } $un = $lock_account ? "" : "un"; - exec("/usr/sbin/pw {$un}lock {$user_name} -q 2>/dev/null"); + exec("/usr/sbin/pw {$un}lock " . escapeshellarg($user_name) . " -q 2>/dev/null"); conf_mount_ro(); } 
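Review bot: The new skel loop copies `/etc/skel/dot.*` over the user's dotfiles on every `local_user_set` call, so any edits a user made to those files are silently reverted each time the account is saved; if that is intended, say so in the comment, e.g. `/* Re-copy skel dotfiles on every save; user edits to these files are intentionally overwritten. */`. Because the copy runs with the web server's privileges into a directory owned by the user, it is worth checking `is_link($target)` before `copy()` so an existing symlink in the home directory is skipped rather than written through, and the `@` suppression hides any copy/chown failure that a log line would expose. The enclosing function starts and ends outside this hunk.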
@@ -595,7 +637,7 @@ function local_user_del($user) { } /* delete from pw db */ - $cmd = "/usr/sbin/pw userdel -n {$user['name']} {$rmhome}"; + $cmd = "/usr/sbin/pw userdel -n " . escapeshellarg($user['name']) . " " . escapeshellarg($rmhome); if ($debug) { log_error(sprintf(gettext("Running: %s"), $cmd)); @@ -743,14 +785,17 @@ function local_group_set($group, $reset = false) { } /* determine add or mod */ - if (mwexec("/usr/sbin/pw groupshow -g {$group_gid} 2>&1") == 0) { + if (mwexec("/usr/sbin/pw groupshow -g " . escapeshellarg($group_gid) . " 2>&1", true) == 0) { $group_op = "groupmod -l"; } else { $group_op = "groupadd -n"; } /* add or mod group db */ - $cmd = "/usr/sbin/pw {$group_op} {$group_name} -g {$group_gid} -M '{$group_members}' 2>&1"; + $cmd = "/usr/sbin/pw {$group_op} " . + escapeshellarg($group_name) . + " -g " . escapeshellarg($group_gid) . + " -M " . escapeshellarg($group_members) . " 2>&1"; if ($debug) { log_error(sprintf(gettext("Running: %s"), $cmd)); @@ -763,7 +808,7 @@ function local_group_del($group) { global $debug; /* delete from group db */ - $cmd = "/usr/sbin/pw groupdel {$group['name']}"; + $cmd = "/usr/sbin/pw groupdel " . escapeshellarg($group['name']); if ($debug) { log_error(sprintf(gettext("Running: %s"), $cmd)); @@ -863,7 +908,7 @@ function ldap_test_bind($authcfg) { $ldapbindun = $authcfg['ldap_binddn']; $ldapbindpw = $authcfg['ldap_bindpw']; $ldapver = $authcfg['ldap_protver']; - $ldaptimeout = is_numeric($authcfg['ldap_timeout']) ? $authcfg['ldap_timeout'] : 25; + $ldaptimeout = is_numeric($authcfg['ldap_timeout']) ? $authcfg['ldap_timeout'] : 5; if (empty($ldapbndun) || empty($ldapbindpw)) { $ldapanon = true; } else { 
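Review bot: `escapeshellarg($rmhome)` yields `''` when `$rmhome` is empty, so `pw userdel` now receives an empty extra argument instead of nothing; if `$rmhome` is an optional flag (it is assigned outside this hunk), append it conditionally: `$cmd = "/usr/sbin/pw userdel -n " . escapeshellarg($user['name']) . (empty($rmhome) ? "" : " " . escapeshellarg($rmhome));`. The enclosing function starts before this hunk.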
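Review bot: The `ldap_timeout` fallback of 5 in the -863 hunk is repeated verbatim in the -947, -1080 and -1223 hunks (ldap_test_bind, ldap_get_user_ous, ldap_get_groups, ldap_backed), which is how the four copies drifted to 25 in the first place. A single named constant, e.g. `define("LDAP_DEFAULT_TIMEOUT", 5);` next to the other defines, referenced from each function, keeps them in step. Each of those functions starts and ends outside its hunk.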
@@ -947,7 +992,7 @@ function ldap_get_user_ous($show_complete_ou=true, $authcfg) { $ldapname = $authcfg['name']; $ldapfallback = false; $ldapscope = $authcfg['ldap_scope']; - $ldaptimeout = is_numeric($authcfg['ldap_timeout']) ? $authcfg['ldap_timeout'] : 25; + $ldaptimeout = is_numeric($authcfg['ldap_timeout']) ? $authcfg['ldap_timeout'] : 5; } else { return false; } @@ -1080,7 +1125,7 @@ function ldap_get_groups($username, $authcfg) { $ldapname = $authcfg['name']; $ldapfallback = false; $ldapscope = $authcfg['ldap_scope']; - $ldaptimeout = is_numeric($authcfg['ldap_timeout']) ? $authcfg['ldap_timeout'] : 25; + $ldaptimeout = is_numeric($authcfg['ldap_timeout']) ? $authcfg['ldap_timeout'] : 5; } else { return false; } @@ -1223,7 +1268,7 @@ function ldap_backed($username, $passwd, $authcfg) { $ldapver = $authcfg['ldap_protver']; $ldapname = $authcfg['name']; $ldapscope = $authcfg['ldap_scope']; - $ldaptimeout = is_numeric($authcfg['ldap_timeout']) ? $authcfg['ldap_timeout'] : 25; + $ldaptimeout = is_numeric($authcfg['ldap_timeout']) ? $authcfg['ldap_timeout'] : 5; } else { return false; } @@ -1423,8 +1468,15 @@ function radius_backed($username, $passwd, $authcfg, &$attributes = array()) { */ function radius_get_groups($attributes) { $groups = array(); - if (!empty($attributes) && is_array($attributes) && !empty($attributes['class'])) { - $groups = explode(";", $attributes['class']); + if (!empty($attributes) && is_array($attributes) && (!empty($attributes['class']) || !empty($attributes['class_int']))) { + /* Some RADIUS servers return multiple class attributes, so check them all. */ + $groups = array(); + if (!empty($attributes['class']) && is_array($attributes['class'])) { + foreach ($attributes['class'] as $class) { + $groups = array_unique(array_merge($groups, explode(";", $class))); + } + } + foreach ($groups as & $grp) { $grp = trim($grp); if (strtolower(substr($grp, 0, 3)) == "ou=") { 
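Review bot: The new condition in `radius_get_groups` accepts `$attributes['class_int']` but nothing below ever reads it, and a scalar `class` value (the case the old `explode(";", $attributes['class'])` handled) is now ignored because the loop runs only when `is_array($attributes['class'])`, so a server returning a single Class attribute as a string loses its group mapping. Normalising first, `foreach ((array) $attributes['class'] as $class) {`, keeps both shapes working; either read `class_int` in the body or drop it from the condition. The function continues after this hunk.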
@@ -1462,6 +1514,66 @@ function is_account_disabled($username) { return false; } +function get_user_settings($username) { + global $config; + $settings = array(); + $settings['widgets'] = $config['widgets']; + $settings['webgui']['dashboardcolumns'] = $config['system']['webgui']['dashboardcolumns']; + $settings['webgui']['webguihostnamemenu'] = $config['system']['webgui']['webguihostnamemenu']; + $settings['webgui']['webguicss'] = $config['system']['webgui']['webguicss']; + $settings['webgui']['dashboardavailablewidgetspanel'] = isset($config['system']['webgui']['dashboardavailablewidgetspanel']); + $settings['webgui']['webguifixedmenu'] = isset($config['system']['webgui']['webguifixedmenu']); + $settings['webgui']['webguileftcolumnhyper'] = isset($config['system']['webgui']['webguileftcolumnhyper']); + $settings['webgui']['systemlogsfilterpanel'] = isset($config['system']['webgui']['systemlogsfilterpanel']); + $settings['webgui']['systemlogsmanagelogpanel'] = isset($config['system']['webgui']['systemlogsmanagelogpanel']); + $settings['webgui']['statusmonitoringsettingspanel'] = isset($config['system']['webgui']['statusmonitoringsettingspanel']); + $settings['webgui']['pagenamefirst'] = isset($config['system']['webgui']['pagenamefirst']); + $user = getUserEntry($username); + if (isset($user['customsettings'])) { + $settings['customsettings'] = true; + if (isset($user['widgets'])) { + // This includes the 'sequence', and any widgetname-config per-widget settings. 
+ $settings['widgets'] = $user['widgets']; + } + if (isset($user['dashboardcolumns'])) { + $settings['webgui']['dashboardcolumns'] = $user['dashboardcolumns']; + } + if (isset($user['webguicss'])) { + $settings['webgui']['webguicss'] = $user['webguicss']; + } + if (isset($user['webguihostnamemenu'])) { + $settings['webgui']['webguihostnamemenu'] = $user['webguihostnamemenu']; + } + $settings['webgui']['dashboardavailablewidgetspanel'] = isset($user['dashboardavailablewidgetspanel']); + $settings['webgui']['webguifixedmenu'] = isset($user['webguifixedmenu']); + $settings['webgui']['webguileftcolumnhyper'] = isset($user['webguileftcolumnhyper']); + $settings['webgui']['systemlogsfilterpanel'] = isset($user['systemlogsfilterpanel']); + $settings['webgui']['systemlogsmanagelogpanel'] = isset($user['systemlogsmanagelogpanel']); + $settings['webgui']['statusmonitoringsettingspanel'] = isset($user['statusmonitoringsettingspanel']); + $settings['webgui']['pagenamefirst'] = isset($user['pagenamefirst']); + } else { + $settings['customsettings'] = false; + } + + if ($settings['webgui']['dashboardcolumns'] < 1) { + $settings['webgui']['dashboardcolumns'] = 2; + } + + return $settings; +} + +function save_widget_settings($username, $settings) { + global $config, $userindex; + $user = getUserEntry($username); + if (isset($user['customsettings'])) { + $config['system']['user'][$userindex[$username]]['widgets'] = $settings; + write_config(sprintf(gettext("Widget configuration has been changed for user %s."), $username)); + } else { + $config['widgets'] = $settings; + write_config(gettext("Widget configuration has been changed.")); + } +} + function auth_get_authserver($name) { global $config; diff --git a/src/etc/inc/authgui.inc b/src/etc/inc/authgui.inc index e1289ac..5396e6d 100644 --- a/src/etc/inc/authgui.inc +++ b/src/etc/inc/authgui.inc 
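Review bot: `get_user_settings` and `save_widget_settings` carry no docblock, and the precedence rule they implement is not obvious from the code: `$config['system']['webgui']` and `$config['widgets']` form the base, and only when the user entry carries `customsettings` are the per-user keys overlaid, at which point the boolean panel flags are taken exclusively from the user entry rather than from the system-level `isset` checks. A header comment on each stating this, that an empty `$username` yields the system defaults (as the login form relies on), and that `dashboardcolumns` below 1 is coerced to 2, would help callers. `save_widget_settings` should likewise say that it writes to the per-user entry only when `customsettings` is set and otherwise to the global `$config['widgets']`.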
@@ -72,6 +72,11 @@ if (!session_auth()) { $allowedpages = getAllowedPages($_SESSION['Username'], $_SESSION['user_radius_attributes']); /* + * Get user-based preference settings so they can be easily referenced. + */ +$user_settings = get_user_settings($_SESSION['Username']); + +/* * redirect to first allowed page if requesting a wrong url */ @@ -123,7 +128,7 @@ session_commit(); * determine if the user is allowed access to the requested page */ function display_error_form($http_code, $desc) { - global $config, $g; + global $config, $user_settings, $g; if (isAjax()) { printf(gettext('Error: %1$s Description: %2$s'), $http_code, $desc); @@ -132,11 +137,11 @@ function display_error_form($http_code, $desc) { $cssfile = "/css/pfSense.css"; - if (isset($config['system']['webgui']['webguicss'])) { - if (file_exists("/usr/local/www/css/" . $config['system']['webgui']['webguicss'])) { - $cssfile = "/css/" . $config['system']['webgui']['webguicss']; + if (isset($user_settings['webgui']['webguicss'])) { + if (file_exists("/usr/local/www/css/" . $user_settings['webgui']['webguicss'])) { + $cssfile = "/css/" . $user_settings['webgui']['webguicss']; + } } -} ?> <!DOCTYPE html> @@ -234,11 +239,14 @@ if ($local_ip == false) { } } +// For the login form, get the settings of no particular user. +// That ensures we will use the system default theme for the login form. +$user_settings = get_user_settings(""); $cssfile = "/css/pfSense.css"; -if (isset($config['system']['webgui']['webguicss'])) { - if (file_exists("/usr/local/www/css/" . $config['system']['webgui']['webguicss'])) { - $cssfile = "/css/" . $config['system']['webgui']['webguicss']; +if (isset($user_settings['webgui']['webguicss'])) { + if (file_exists("/usr/local/www/css/" . $user_settings['webgui']['webguicss'])) { + $cssfile = "/css/" . $user_settings['webgui']['webguicss']; } } 
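Review bot: In the -132 hunk the CSS file name now comes from the per-user entry via `$user_settings['webgui']['webguicss']` and is concatenated straight into `"/usr/local/www/css/" . ...`; `file_exists` confirms a file is there but does not constrain the value to that directory. Applying `basename()` to the value, here and in the parallel -234 hunk, keeps the generated href within `/css/`. In the -234 hunk, `$user_settings = get_user_settings("")` appears to sit inside a function that does not declare `$user_settings` global; if so it only shadows the file-level variable locally, which is fine but deserves a one-line comment so nobody "fixes" it later.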
@@ -262,7 +270,7 @@ if (isset($config['system']['webgui']['webguicss'])) { <?php if (is_ipaddr($http_host) && !$local_ip && !isset($config['system']['webgui']['nohttpreferercheck'])) { $nifty_background = "#999"; - print_info_box(gettext("You are accessing this router by an IP address not configured locally, which may be forwarded by NAT or other means. <br /><br />If you did not setup this forwarding, you may be the target of a man-in-the-middle attack.")); + print_info_box(gettext("The IP address being used to access this router is not configured locally, which may be forwarded by NAT or other means. <br /><br />If this forwarding is unexpected, it should be verified that a man-in-the-middle attack is not taking place.")); } $loginautocomplete = isset($config['system']['webgui']['loginautocomplete']) ? '' : 'autocomplete="off"'; @@ -277,7 +285,7 @@ if (isset($config['system']['webgui']['webguicss'])) { <?php if (!empty($_SESSION['Login_Error'])): ?> <div class="alert alert-danger" role="alert"><?=$_SESSION['Login_Error'];?></div> <?php endif ?> - <div class="alert alert-warning hidden" id="no_cookies"><?= gettext("Your browser must support cookies to login."); ?></div> + <div class="alert alert-warning hidden" id="no_cookies"><?= gettext("The browser must support cookies to login."); ?></div> <form method="post" <?= $loginautocomplete ?> action="<?=$_SERVER['SCRIPT_NAME'];?>" class="form-horizontal"> <div class="form-group"> @@ -323,6 +331,6 @@ if (isset($config['system']['webgui']['webguicss'])) { //]]> </script> <?php -require('foot.inc'); +require_once('foot.inc'); } // end function diff --git a/src/etc/inc/captiveportal.inc b/src/etc/inc/captiveportal.inc index 0b620b1..e2f6a51 100644 --- a/src/etc/inc/captiveportal.inc +++ b/src/etc/inc/captiveportal.inc 
@@ -1489,7 +1489,7 @@ function captiveportal_opendb() { if (!is_numericint($cpzoneid)) { if (is_array($config['captiveportal'])) { foreach ($config['captiveportal'] as $cpkey => $cp) { - if ($cpzone == $cp['zone']) { + if ($cpzone == $cpkey) { $cpzoneid = $cp['zoneid']; } } @@ -1956,8 +1956,8 @@ function portal_reply_page($redirurl, $type = null, $message = null, $clientmac /* substitute other variables */ $ourhostname = portal_hostname_from_client_ip($clientip); $protocol = (isset($cpcfg['httpslogin'])) ? 'https://' : 'http://'; - $htmltext = str_replace("\$PORTAL_ACTION\$", "{$protocol}{$ourhostname}/index.php?zone={$cpcfg['zone']}", $htmltext); - $htmltext = str_replace("#PORTAL_ACTION#", "{$protocol}{$ourhostname}/index.php?zone={$cpcfg['zone']}", $htmltext); + $htmltext = str_replace("\$PORTAL_ACTION\$", "{$protocol}{$ourhostname}/index.php?zone={$cpzone}", $htmltext); + $htmltext = str_replace("#PORTAL_ACTION#", "{$protocol}{$ourhostname}/index.php?zone={$cpzone}", $htmltext); $htmltext = str_replace("\$PORTAL_ZONE\$", htmlspecialchars($cpzone), $htmltext); $htmltext = str_replace("\$PORTAL_REDIRURL\$", htmlspecialchars($redirurl), $htmltext); @@ -2086,7 +2086,7 @@ function portal_allow($clientip, $clientmac, $username, $password = null, $attri /* read in client database */ $query = "WHERE ip = '{$clientip}'"; - $tmpusername = strtolower($username); + $tmpusername = SQLite3::escapeString(strtolower($username)); if (isset($config['captiveportal'][$cpzone]['noconcurrentlogins'])) { $query .= " OR (username != 'unauthenticated' AND lower(username) = '{$tmpusername}')"; } @@ -2289,7 +2289,7 @@ function portal_allow($clientip, $clientmac, $username, $password = null, $attri $message = 0; } - include("{$g['varetc_path']}/captiveportal-{$cpzone}-logout.html"); + include_once("{$g['varetc_path']}/captiveportal-{$cpzone}-logout.html"); } else { portal_reply_page($my_redirurl, "redir", "Just redirect the user."); 
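Review bot: In the -2086 hunk, `SQLite3::escapeString()` only doubles single quotes, so `$query .= " OR (... lower(username) = '{$tmpusername}')"` remains string-built SQL, and the neighbouring context line `$query = "WHERE ip = '{$clientip}'"` applies no escaping at all. Since the zone database is SQLite3, a prepared statement with `bindValue()` for both `$clientip` and the lowered username removes the quoting question entirely; where the fragment must stay a string, at least escape `$clientip` the same way. The function continues outside this hunk.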
diff --git a/src/etc/inc/certs.inc b/src/etc/inc/certs.inc index d49f478..6033477 100644 --- a/src/etc/inc/certs.inc +++ b/src/etc/inc/certs.inc @@ -56,7 +56,7 @@ define("OPEN_SSL_CONF_PATH", "/etc/ssl/openssl.cnf"); require_once("functions.inc"); global $openssl_digest_algs; -$openssl_digest_algs = array("sha1", "sha224", "sha256", "sha384", "sha512"); +$openssl_digest_algs = array("sha1", "sha224", "sha256", "sha384", "sha512", "whirlpool"); global $openssl_crl_status; $openssl_crl_status = array( @@ -582,6 +582,14 @@ function cert_get_modulus($str_crt, $decode = true, $type = "crt") { } return $modulus; } + +/* Same but returns modulus keysize not modulus itself */ +function cert_get_modulus_keysize($str_crt, $decode = true, $type = "crt") { + // modulus usually returned as "modulus=.....". Remove anything before an "=" and return 4 x (hex string length) + $raw_modulus = explode('=', cert_get_modulus($str_crt, $decode, $type)); + return strlen(array_pop($raw_modulus))*4; +} + function csr_get_modulus($str_crt, $decode = true) { return cert_get_modulus($str_crt, $decode, "csr"); } diff --git a/src/etc/inc/config.console.inc b/src/etc/inc/config.console.inc index 54ad6c8..a5606a6 100644 --- a/src/etc/inc/config.console.inc +++ b/src/etc/inc/config.console.inc @@ -125,7 +125,7 @@ EOD; "If VLANs will not be used, or only for optional interfaces, it is typical to\n" . "say no here and use the webConfigurator to configure VLANs later, if required.") . "\n"; - echo "\n" . gettext("Do you want to set up VLANs now [y|n]?") . " "; + echo "\n" . gettext("Should VLANs be set up now [y|n]?") . " "; if ($auto_assign) { $key = timeout(); 
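Review bot: `cert_get_modulus_keysize` computes `strlen(array_pop($raw_modulus))*4`, so any trailing newline or whitespace in the string returned by `cert_get_modulus()` inflates the result by 4 bits per character; `return strlen(trim(array_pop($raw_modulus))) * 4;` is safe regardless of how that helper trims. The header comment should state that the value is the modulus length in bits derived from its hex length and that 0 comes back when no modulus could be read. On the `$openssl_digest_algs` hunk, "whirlpool" is now offered as a certificate signature digest; I am not aware of a widely supported RSA-with-Whirlpool signature algorithm identifier, so verify that the installed OpenSSL actually signs and verifies with it and that clients accept such certificates before exposing it in the UI.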
@@ -139,15 +139,14 @@ EOD; !!! Auto Assigning Interfaces !!! -For installation purposes, you must plug in at least one NIC -for the LAN connection. If you plug in a second NIC it will be -assigned to WAN. Otherwise, WAN will be temporarily assigned to the -next available NIC found regardless of activity. You should -assign and configure the WAN interface according to your requirements +For setup purposes, there must be at least one NIC connected for +the LAN. If a second NIC is connected, it will be assigned to the +WAN. Otherwise, WAN will be temporarily assigned to the next +available NIC found regardless of activity. The WAN interface +should then be assigned and configured as required. -If you haven't plugged in any network cables yet, -now is the time to do so. -The system will keep trying until you do. +Please make the pfSense NIC connections now. +The system will continue checking until they have been made. Searching for active interfaces... @@ -213,9 +212,9 @@ EOD; echo <<<EOD -If you do not know the names of the interfaces, you may choose to use -auto-detection. In that case, disconnect all interfaces now before -hitting 'a' to initiate auto detection. +If the names of the interfaces are not known, auto-detection can +be used instead. To use auto-detection, please disconnect all +interfaces before pressing 'a' to begin the process. EOD; @@ -362,6 +361,9 @@ EOD; if (isset($config['dhcpd']['lan'])) { unset($config['dhcpd']['lan']); } + if (isset($config['dhcpdv6']['lan'])) { + unset($config['dhcpdv6']['lan']); + } if (isset($config['interfaces']['lan']['if'])) { unset($config['interfaces']['lan']['if']); } @@ -477,7 +479,7 @@ EOD; return; } - echo gettext("One moment while we reload the settings..."); + echo gettext("One moment while the settings are reloading..."); echo gettext(" done!") . "\n"; touch("{$g['tmp_path']}/assign_complete"); 
@@ -576,6 +578,14 @@ function vlan_setup() { continue; } + if (is_array($config['vlans']['vlan'])) { + foreach ($config['vlans']['vlan'] as $existingvlan) { + if ($vlan['if'] == $existingvlan['if'] && $vlan['tag'] == $existingvlan['tag']) { + printf("\n\n" . gettext("This parent interface and VLAN already created.")); + continue 2; + } + } + } $config['vlans']['vlan'][] = $vlan; $vlanif++; } diff --git a/src/etc/inc/config.inc b/src/etc/inc/config.inc index dacd6d8..070a26a 100644 --- a/src/etc/inc/config.inc +++ b/src/etc/inc/config.inc @@ -69,9 +69,9 @@ if (!$ARCH) { $ARCH = php_uname("m"); } -// Set memory limit to 256M on amd64. +// Set memory limit to 512M on amd64. if ($ARCH == "amd64") { - ini_set("memory_limit", "256M"); + ini_set("memory_limit", "512M"); } else { ini_set("memory_limit", "128M"); } diff --git a/src/etc/inc/config.lib.inc b/src/etc/inc/config.lib.inc index 117f29d..0a2c921 100644 --- a/src/etc/inc/config.lib.inc +++ b/src/etc/inc/config.lib.inc @@ -138,7 +138,7 @@ function parse_config($parse = false) { if (!$parse) { if (file_exists($g['tmp_path'] . '/config.cache')) { $config = unserialize(file_get_contents($g['tmp_path'] . '/config.cache')); - if (is_null($config)) { + if (!is_array($config)) { $parse = true; } } else { @@ -377,6 +377,9 @@ function conf_mount_rw() { function conf_mount_ro() { global $g, $config; + // do nothing here. redmine #6184 + return; + /* Do not trust $g['platform'] since this can be clobbered during factory reset. */ $platform = trim(file_get_contents("/etc/platform")); /* do not umount on cdrom or pfSense platforms */ @@ -789,7 +792,7 @@ function cleanup_backupcache($lock = false) { global $g; $i = false; - $revisions = get_config_backup_count(); + $revisions = intval(is_numericint($config['system']['backupcount']) ? $config['system']['backupcount'] : $g['default_config_backup_count']); if (!$lock) { $lockkey = lock('config'); 
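Review bot: In the -789 hunk `cleanup_backupcache` now reads `$config['system']['backupcount']`, but the visible declaration is only `global $g;`, so unless `$config` is declared global further down the function (outside this hunk) the expression always falls through to `$g['default_config_backup_count']`; change it to `global $g, $config;`. In the -377 hunk, `conf_mount_ro` returns unconditionally after `// do nothing here. redmine #6184` and leaves its whole former body unreachable; if the function is intentionally a no-op now, delete the body, otherwise place the early return under the condition it is meant to cover.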
@@ -994,17 +997,6 @@ function make_config_revision_entry($desc = null, $override_user = null) { return $revision; } -function get_config_backup_count() { - global $config, $g; - if (isset($config['system']['backupcount']) && is_numeric($config['system']['backupcount']) && ($config['system']['backupcount'] >= 0)) { - return intval($config['system']['backupcount']); - } elseif ($g['platform'] == "nanobsd") { - return 5; - } else { - return 30; - } -} - function pfSense_clear_globals() { global $config, $FilterIfList, $GatewaysList, $filterdns, $aliases, $aliastable; diff --git a/src/etc/inc/dyndns.class b/src/etc/inc/dyndns.class index 1454fa0..10887a7 100644 --- a/src/etc/inc/dyndns.class +++ b/src/etc/inc/dyndns.class @@ -12,6 +12,7 @@ * - DynS (dyns.org) * - ZoneEdit (zoneedit.com) * - FreeDNS (freedns.afraid.org) + * - FreeDNS IPv6 (freedns.afraid.org) * - Loopia (loopia.se) * - StaticCling (staticcling.org) * - DNSexit (dnsexit.com) @@ -33,8 +34,8 @@ * - DNSimple (dnsimple.com) * - Google Domains (domains.google.com) * - DNS Made Easy (www.dnsmadeeasy.com) - * - SPDNS (spdns.de) - * - SPDNS IPv6 (spdns.de) + * - SPDYN (spdyn.de) + * - SPDYN IPv6 (spdyn.de) * +----------------------------------------------------+ * Requirements: * - PHP version 4.0.2 or higher with the CURL Library and the PCRE Library @@ -60,7 +61,8 @@ * ZoneEdit - Last Tested: NEVER * Dyns - Last Tested: NEVER * ODS - Last Tested: 02 August 2005 - * FreeDNS - Last Tested: 23 Feb 2011 + * FreeDNS - Last Tested: 01 May 2016 + * FreeDNS IPv6 - Last Tested: 01 May 2016 * Loopia - Last Tested: NEVER * StaticCling - Last Tested: 27 April 2006 * DNSexit - Last Tested: 20 July 2008 
@@ -81,8 +83,8 @@ * DNSimple - Last Tested: 09 February 2015 * Google Domains - Last Tested: 27 April 2015 * DNS Made Easy - Last Tested: 27 April 2015 - * SPDNS - Last Tested: 04 December 2015 - * SPDNS IPv6 - Last Tested: 04 December 2015 + * SPDYN - Last Tested: 02 July 2016 + * SPDYN IPv6 - Last Tested: 02 July 2016 * +====================================================+ * * @author E.Kristensen @@ -169,6 +171,7 @@ if (!$dnsService) $this->_error(2); switch ($dnsService) { case 'freedns': + case 'freedns-v6': if (!$dnsHost) $this->_error(5); break; case 'namecheap': @@ -192,7 +195,8 @@ switch ($dnsService) { case 'he-net-v6': case 'custom-v6': - case 'spdns-v6': + case 'spdyn-v6': + case 'freedns-v6': $this->_useIPv6 = true; break; default: @@ -249,6 +253,7 @@ case 'dyns': case 'ods': case 'freedns': + case 'freedns-v6': case 'loopia': case 'staticcling': case 'dnsexit': @@ -269,8 +274,8 @@ case 'dnsimple': case 'googledomains': case 'dnsmadeeasy': - case 'spdns': - case 'spdns-v6': + case 'spdyn': + case 'spdyn-v6': $this->_update(); if ($this->_dnsDummyUpdateDone == true) { // If a dummy update was needed, then sleep a while and do the update again to put the proper address back. @@ -494,6 +499,7 @@ $this->_checkStatus(0, $code); break; case 'freedns': + case 'freedns-v6': $needIP = FALSE; curl_setopt($ch, CURLOPT_URL, 'https://freedns.afraid.org/dynamic/update.php?' . $this->_dnsPass); break; @@ -594,7 +600,7 @@ /* Setting Variables */ $hostname = "{$this->_dnsHost}."; - $ZoneID = $this->_dnsZoneID; + $ZoneID = trim($this->_dnsZoneID); $AccessKeyId = $this->_dnsUser; $SecretAccessKey = $this->_dnsPass; $NewIP = $this->_dnsIP; @@ -630,7 +636,7 @@ } /* Check if we need to update DNS Record */ - if ($OldIP !== $NewIP) { + if ($OldIP !== $NewIP || $OldTTL !== $NewTTL) { if (!empty($OldIP)) { /* Your Hostname already exists, deleting and creating it again */ $changes = array(); 
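Review bot: `if ($OldIP !== $NewIP || $OldTTL !== $NewTTL)` compares the TTLs strictly although the two values presumably originate from different places (the existing record and the local configuration). If one side is an int and the other a numeric string, `!==` is always true and the delete-and-recreate path runs on every cycle even when nothing changed. Normalise both before comparing, e.g. `if ($OldIP !== $NewIP || intval($OldTTL) !== intval($NewTTL)) {`, or add a comment explaining why the types are guaranteed to agree. The enclosing method continues outside the hunk.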
@@ -786,11 +792,11 @@ $server = "https://cp.dnsmadeeasy.com/servlet/updateip"; curl_setopt($ch, CURLOPT_URL, $server . '?username=' . $this->_dnsUser . '&password=' . $this->_dnsPass . '&id=' . $this->_dnsHost . '&ip=' . $this->_dnsIP); break; - case 'spdns': - case 'spdns-v6': + case 'spdyn': + case 'spdyn-v6': $needsIP = FALSE; curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser.':'.$this->_dnsPass); - $server = "https://update.spdns.de/nic/update"; + $server = "https://update.spdyn.de/nic/update"; $port = ""; if ($this->_dnsServer) { $server = $this->_dnsServer; @@ -1048,7 +1054,7 @@ } else if (preg_match('/403/i', $data)) { $status = $status_intro . $error_str . gettext("Database Error - There was a server-sided database error."); } else if (preg_match('/405/i', $data)) { - $status = $status_intro . $error_str . sprintf(gettext("Hostname Error - The hostname (%s) doesn't belong to you."), $this->_dnsHost); + $status = $status_intro . $error_str . sprintf(gettext("Hostname Error - The hostname (%s) doesn't belong to user (%s)."), $this->_dnsHost, $this->_dnsUser); } else if (preg_match('/200/i', $data)) { $status = $status_intro . $success_str . gettext("IP Address Updated Successfully!"); $successful_update = true; @@ -1069,6 +1075,7 @@ } break; case 'freedns': + case 'freedns-v6': if (preg_match("/has not changed./i", $data)) { $status = $status_intro . $success_str . gettext("No Change In IP Address"); $successful_update = true; @@ -1398,8 +1405,8 @@ break; } break; - case 'spdns': - case 'spdns-v6': + case 'spdyn': + case 'spdyn-v6': if (preg_match('/notfqdn/i', $data)) { $status = $status_intro . $error_str . gettext("Not A FQDN!"); } else if (preg_match('/nohost/i', $data)) { diff --git a/src/etc/inc/easyrule.inc b/src/etc/inc/easyrule.inc index 59e5d53..6304088 100644 --- a/src/etc/inc/easyrule.inc +++ b/src/etc/inc/easyrule.inc 
@@ -145,7 +145,18 @@ function easyrule_block_rule_create($int = 'wan', $ipproto = "inet") { /* Do not translate this, it's considered a username which cannot contain international characters */ $filterent['created'] = make_config_revision_entry(null, "Easy Rule"); - array_splice($a_filter, 0, 0, array($filterent)); + // Refer to firewall_rules_edit.php separators updating code. + // Using same code, variables, and techniques here. + $after = -1; // Place rule at top and move all separators. + array_splice($a_filter, $after+1, 0, array($filterent)); + + $tmpif = $int; + + // Update the separators + $a_separators = &$config['filter']['separator'][strtolower($tmpif)]; + $ridx = ifridx($tmpif, $after); // get rule index within interface + $mvnrows = +1; + move_separators($a_separators, $ridx, $mvnrows); return true; } diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc index 6f0bc46..fe3bd1b 100644 --- a/src/etc/inc/filter.inc +++ b/src/etc/inc/filter.inc @@ -850,7 +850,8 @@ function filter_generate_aliases() { // TODO: Change it when pf supports tables with ports $urlfn = alias_expand_urltable($aliased['name']); if ($urlfn) { - $aliases .= "{$aliased['name']} = \"{ " . preg_replace("/\n/", " ", file_get_contents($urlfn)) . " }\"\n"; + $ports_tmp = parse_aliases_file($urlfn, "urltable_ports", "-1", false); + $aliases .= "{$aliased['name']} = \"{ " . preg_replace("/\n/", " ", implode("\n", $ports_tmp)) . " }\"\n"; } break; case "port": @@ -1907,6 +1908,7 @@ function filter_nat_rules_generate() { } $natif = $FilterIflist[$natif]['if']; + $nat_if_list = array(); if (isset($rule['nobinat'])) { $natrules .= "no binat on {$natif} from {$srcaddr} to {$dstaddr}\n"; 
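Review bot: With `$after = -1`, `ifridx($tmpif, $after)` returns the sentinel `-1` unchanged (its `if ($ridx < 0) { return $ridx; }` guard is visible in the filter.inc hunk later in this diff), so `move_separators($a_separators, $ridx, $mvnrows)` is being relied on to interpret a negative index as "before the first rule". That contract is not stated here; a comment such as `// ifridx() passes -1 through; move_separators() is expected to shift every separator down by one -- keep in sync with firewall_rules_edit.php` would spare the next reader a trip through two files. `$mvnrows = +1;` and the `$tmpif = $int;` copy exist only to mirror the other file; `$mvnrows = 1;` and using `$int` directly read cleaner with identical behaviour. easyrule_block_rule_create continues outside the hunk.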
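Review bot: `implode("\n", $ports_tmp)` immediately followed by `preg_replace("/\n/", " ", ...)` joins the entries only to rewrite the separator; provided the individual entries contain no newlines, `implode(" ", $ports_tmp)` yields the same string in one step. The result of `parse_aliases_file($urlfn, "urltable_ports", "-1", false)` is also used unguarded; if it can return a non-array on a read or parse failure, `implode()` warns and the alias is emitted empty, so `if (is_array($ports_tmp)) { ... }` with an error log in the else branch is worth adding. filter_generate_aliases continues outside the hunk.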
@@ -1918,8 +1920,6 @@ function filter_nat_rules_generate() { if ((isset($config['system']['enablebinatreflection']) || $rule['natreflection'] == "enable") && ($rule['natreflection'] != "disable")) { $nat_if_list = filter_get_reflection_interfaces($natif); - } else { - $nat_if_list = array(); } $natrules .= "binat on {$natif} from {$srcaddr} to {$dstaddr} -> {$target}{$sn1}\n"; @@ -2570,6 +2570,7 @@ function filter_generate_address(& $rule, $target = "source", $isnat = false) { $src = "(self)"; break; case 'pppoe': + /* XXX: This needs to be fixed somehow! */ if (is_array($FilterIflist['pppoe'])) { $pppoesav6 = gen_subnetv6($FilterIflist['pppoe'][0]['ipv6'], $FilterIflist['pppoe'][0]['snv6']); $pppoesnv6 = $FilterIflist['pppoe'][0]['snv6']; @@ -2609,7 +2610,7 @@ function filter_generate_address(& $rule, $target = "source", $isnat = false) { case 'pppoe': /* XXX: This needs to be fixed somehow! */ if (is_array($FilterIflist['pppoe'])) { - $pppoesa = gen_subnet($FilterIflist['pppoe'][0]['ip'], $FilterIflist['pppoe'][0]['sn']); + $pppoesa = gen_subnet($FilterIflist['pppoe'][0]['sa'], $FilterIflist['pppoe'][0]['sn']); $pppoesn = $FilterIflist['pppoe'][0]['sn']; $src = "{$pppoesa}/{$pppoesn}"; } @@ -2667,7 +2668,11 @@ function filter_generate_user_rule($rule) { $ifliste = ""; foreach ($interfaces as $iface) { if (array_key_exists($iface, $FilterIflist)) { - $ifliste .= " " . $FilterIflist[$iface]['if'] . " "; + if (isset($FilterIflist[$iface]['if'])) { + $ifliste .= " " . $FilterIflist[$iface]['if'] . " "; + } else if (isset($FilterIflist[$iface][0]['if'])) { + $ifliste .= " " . $FilterIflist[$iface][0]['if'] . " "; + } } } if ($ifliste <> "") { 
@@ -2903,11 +2908,9 @@ function filter_generate_user_rule($rule) { * # keep state * works with TCP, UDP, and ICMP. * # modulate state - * works only with TCP. pfSense will generate strong Initial Sequence Numbers (ISNs) - * for packets matching this rule. + * deprecated * # synproxy state * proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. - * This option includes the functionality of keep state and modulate state combined. * # none * do not use state mechanisms to keep track. this is only useful if your doing advanced * queueing in certain situations. please check the faq. @@ -3360,7 +3363,6 @@ EOD; case "pptp": $ipfrules .= <<<EOD # allow PPTP client -pass in {$log['pass']} on \${$oc['descr']} proto tcp from any to any port = 1723 flags S/SA modulate state tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}" pass in {$log['pass']} on \${$oc['descr']} proto gre from any to any keep state tracker {$increment_tracker($tracker)} label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}" EOD; @@ -4255,7 +4257,7 @@ function ifridx($if, $ridx) { if ($ridx < 0) { return $ridx; } - + $i = $ifridx = 0; if (is_array($config['filter']['rule'])) { foreach ($config['filter']['rule'] as $rulen => $filterent) { diff --git a/src/etc/inc/globals.inc b/src/etc/inc/globals.inc index 8b2e6ae..f5c253c 100644 --- a/src/etc/inc/globals.inc +++ b/src/etc/inc/globals.inc @@ -99,7 +99,7 @@ $g = array( "disablecrashreporter" => false, "crashreporterurl" => "https://crashreporter.pfsense.org/crash_reporter.php", "debug" => false, - "latest_config" => "15.0", + "latest_config" => "15.5", "nopkg_platforms" => array("cdrom"), "minimum_ram_warning" => "101", "minimum_ram_warning_text" => "128 MB", 
@@ -121,6 +121,17 @@ $iptos = array("lowdelay", "throughput", "reliability"); /* TCP flags */ $tcpflags = array("syn", "ack", "fin", "rst", "psh", "urg", "ece", "cwr"); +if (file_exists("/etc/version.patch")) { + $g["product_version_patch"] = trim(file_get_contents("/etc/version.patch"), " \n"); +} else { + $g["product_version_patch"] = "0"; +} + +$g['product_version_string'] = $g['product_version']; +if (is_numeric($g["product_version_patch"]) && $g["product_version_patch"] != "0") { + $g['product_version_string'] .= "-p{$g['product_version_patch']}"; +} + if (file_exists("/etc/platform")) { $arch = php_uname("m"); @@ -140,11 +151,17 @@ if (file_exists("/etc/platform")) { if ($g['platform'] == "nanobsd") { $g['firmware_update_text']="pfSense-*.img.gz"; $g['hidebackupbeforeupgrade'] = true; - + $g['default_config_backup_count'] = 5; } else { $g['firmware_update_text']="pfSense-*.tgz"; + $g['default_config_backup_count'] = 30; } -} +} else { + // shouldn't happen but "just in case" no platform were detected + $g['platform'] = 'undetected'; + $g['default_config_backup_count'] = 30; +} + if (file_exists("{$g['etc_path']}/default-config-flavor")) { $flavor_array = file("{$g['etc_path']}/default-config-flavor"); 
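Review bot: The guard `is_numeric($g["product_version_patch"]) && $g["product_version_patch"] != "0"` admits values such as `1.5`, `1e2` or a leading space into `product_version_string`, because `is_numeric()` accepts floats, exponents and leading whitespace. If the patch level is always a non-negative integer, `ctype_digit()` is the precise check: `if (ctype_digit($g["product_version_patch"]) && $g["product_version_patch"] !== "0") {`. The `trim(..., " \n")` also strips only space and newline, so a file saved with `\r\n` would fail the check; the default `trim()` character set covers that case.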
@@ -194,12 +211,17 @@ $sysctls = array("net.inet.ip.portrange.first" => "1024", "net.enc.in.ipsec_filter_mask" => "0x0002", "net.key.preferred_oldsa" => "0", "net.inet.carp.senderr_demotion_factor" => 0, /* Do not demote CARP for interface send errors */ - "net.pfsync.carp_demotion_factor" => 0 /* Do not demote CARP for pfsync errors */ + "net.pfsync.carp_demotion_factor" => 0, /* Do not demote CARP for pfsync errors */ + "net.raw.recvspace" => 65536, + "net.raw.sendspace" => 65536, + "net.inet.raw.recvspace" => 131072, + "net.inet.raw.maxdgram" => 131072, + "kern.corefile" => "/root/%N.core" /* Write all core files to /root/ so they do not consume space on other slices */ ); /* Include override values for the above if needed. If the file doesn't exist, don't try to load it. */ if (file_exists("/etc/inc/globals_override.inc")) { - @include("globals_override.inc"); + @include_once("globals_override.inc"); } /* Read all XML files in following dir and load menu entries */ @@ -223,4 +245,15 @@ if (file_exists("{$g['cf_conf_path']}/enableserial_force")) { $config_parsed = false; +/* Factory default check IP service. */ +$factory_default_checkipservice = array( + "enable" => true, + "name" => 'Default', + "url" => 'http://checkip.dyndns.org', +// "username" => '', +// "password" => '', +// "verifysslpeer" => true, + "descr" => 'Default Check IP Service' +); + ?> diff --git a/src/etc/inc/gwlb.inc b/src/etc/inc/gwlb.inc index 134690d..42cde7d 100644 --- a/src/etc/inc/gwlb.inc +++ b/src/etc/inc/gwlb.inc @@ -79,7 +79,7 @@ function running_dpinger_processes() { } foreach ($pidfiles as $pidfile) { - if (preg_match('/^dpinger_(.+)_([^_]+)_([^_]+)\.pid$/', + if (preg_match('/^dpinger_(.+)~([^~]+)~([^~]+)\.pid$/', basename($pidfile), $matches)) { $socket_file = preg_replace('/\.pid$/', '.sock', $pidfile); 
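Review bot: `"kern.corefile" => "/root/%N.core"` redirects every process core dump, including those of daemons that hold key material in memory, into `/root`, and the accompanying comment covers only the disk-space motivation. Extend it to the confidentiality side, e.g. `/* Cores may contain secrets: /root must stay mode 0700 and this path must be excluded from config backups and diagnostic bundles */`, and confirm those exclusions actually hold. The `net.raw.*` and `net.inet.raw.*` increases carry no rationale at all; a one-line comment naming the consumer that needed them would match the style of the neighbouring entries.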
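Review bot: The factory default check-IP service is defined with `"url" => 'http://checkip.dyndns.org'` while the `"verifysslpeer" => true` entry is left commented out, so the address that later feeds dynamic-DNS updates is learned over cleartext HTTP and is only as trustworthy as the network path to the provider. Prefer an HTTPS endpoint with `"verifysslpeer" => true` in the shipped default, or, if the provider endpoint is HTTP-only, state the trust assumption in a comment: `// NOTE: plain HTTP; the returned address is not authenticated`. The commented-out `username`/`password` keys should either be documented as optional fields of the structure or dropped from the default array.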
@@ -128,10 +128,16 @@ function start_dpinger($gateway) { $dpinger_defaults = return_dpinger_defaults(); - $pidfile = "{$g['varrun_path']}/dpinger_{$gateway['name']}_" . - "{$gateway['gwifip']}_{$gateway['monitor']}.pid"; - $socket = "{$g['varrun_path']}/dpinger_{$gateway['name']}_" . - "{$gateway['gwifip']}_{$gateway['monitor']}.sock"; + $prefix = "{$g['varrun_path']}/dpinger_{$gateway['name']}~" . + "{$gateway['gwifip']}~{$gateway['monitor']}"; + # dpinger socket path should not be longer then uaddr.sun_path + if (strlen($pidfile) > 95) { + $prefix = "{$g['varrun_path']}/dpinger_{$gateway['name']}~" . + substr(md5($gateway['gwifip']),0,8) . "~" . + $gateway['monitor']; + } + $pidfile = $prefix . ".pid"; + $socket = $prefix . ".sock"; $alarm_cmd = "{$g['etc_path']}/rc.gateway_alarm"; $params = "-S "; /* Log warnings via syslog */ @@ -261,7 +267,7 @@ function setup_gateways_monitor() { } else if ($gateway['ipprotocol'] == "inet6") { // This is an IPv6 gateway... if (is_linklocal($gateway['gateway']) && get_ll_scope($gateway['gateway']) == '') { - $gateways_arr[$gwname]['gateway'] .= '%' . $gateway['interface']; + $gateway['gateway'] .= '%' . $gateway['interface']; } if (is_linklocal($gateway['monitor'])) { @@ -861,6 +867,9 @@ function fixup_default_gateway($ipprotocol, $gateways_status, $gateways_arr) { log_error("Default gateway down setting {$upgw} as default!"); if (is_ipaddrv6($gateways_arr[$upgw]['gateway'])) { $inetfamily = "-inet6"; + if (is_linklocal($gateways_arr[$upgw]['gateway']) && get_ll_scope($gateways_arr[$upgw]['gateway']) == '') { + $gateways_arr[$upgw]['gateway'] .= "%" . $gateways_arr[$upgw]['interface']; + } } else { $inetfamily = "-inet"; } 
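Review bot: `if (strlen($pidfile) > 95)` tests `$pidfile` before the new code assigns it (`$pidfile = $prefix . ".pid";` follows the block), and the removed lines were the only earlier assignment in view, so unless start_dpinger sets `$pidfile` above the hunk the length check runs on an undefined value and never fires. Per the comment the concern is the `sun_path` limit on the socket name, so measure the path that will actually be built: `if (strlen($prefix . ".sock") > 95) {`. The fallback only shortens the `gwifip` component; a comment noting that `name` and `monitor` are assumed short enough would make the bound explicit. start_dpinger continues outside the hunk.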
@@ -874,6 +883,14 @@ function fixup_default_gateway($ipprotocol, $gateways_status, $gateways_arr) { if ($ipprotocol == 'inet' && !is_ipaddrv4($gateways_arr[$dfltgwname]['gateway'])) { return; } + if ($ipprotocol == 'inet6') { + if (is_linklocal($gateways_arr[$upgw]['gateway']) && get_ll_scope($gateways_arr[$upgw]['gateway']) == '') { + $gateways_arr[$upgw]['gateway'] .= "%" . $gateways_arr[$upgw]['interface']; + } + if (is_linklocal($gateways_arr[$dfltgwname]['gateway']) && get_ll_scope($gateways_arr[$dfltgwname]['gateway']) == '') { + $gateways_arr[$dfltgwname]['gateway'] .= "%" . $gateways_arr[$dfltgwname]['interface']; + } + } if ($defaultgw != $gateways_arr[$dfltgwname]['gateway']) { mwexec("/sbin/route change -{$ipprotocol} default {$gateways_arr[$dfltgwname]['gateway']}"); } @@ -925,15 +942,15 @@ function return_gateway_groups_array() { $status = $gateways_status[$gwname]; $gwdown = false; if (stristr($status['status'], "down")) { - $msg = sprintf(gettext('MONITOR: %1$s is down, omitting from routing group %2$s'), $group['name'], $gwname); + $msg = sprintf(gettext('MONITOR: %1$s is down, omitting from routing group %2$s'), $gwname, $group['name']); $gwdown = true; } else if (stristr($status['status'], "loss") && strstr($group['trigger'], "loss")) { /* packet loss */ - $msg = sprintf(gettext('MONITOR: %1$s has packet loss, omitting from routing group %2$s'), $group['name'], $gwname); + $msg = sprintf(gettext('MONITOR: %1$s has packet loss, omitting from routing group %2$s'), $gwname, $group['name']); $gwdown = true; } else if (stristr($status['status'], "delay") && strstr($group['trigger'] , "latency")) { /* high latency */ - $msg = sprintf(gettext('MONITOR: %1$s has high latency, omitting from routing group %2$s'), $group['name'], $gwname); + $msg = sprintf(gettext('MONITOR: %1$s has high latency, omitting from routing group %2$s'), $gwname, $group['name']); $gwdown = true; } if ($gwdown == true) { 
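Review bot: The new `inet6` block appends `"%" . $gateways_arr[...]['interface']` to gateway values that the very next line interpolates unquoted into `mwexec("/sbin/route change -{$ipprotocol} default {$gateways_arr[$dfltgwname]['gateway']}")`. Both the address and the interface name come from configuration, so quote the argument, `mwexec("/sbin/route change -{$ipprotocol} default " . escapeshellarg($gateways_arr[$dfltgwname]['gateway']));`, in line with the `escapeshellarg()` usage elsewhere in this diff. The block also reads `$gateways_arr[$upgw]`, yet `$upgw` appears to be set only on the failover path earlier in the function, so on the normal path it may be unset; guard with `isset($upgw)` or limit the scoping to `$dfltgwname`. fixup_default_gateway continues outside the hunk.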
diff --git a/src/etc/inc/interfaces.inc b/src/etc/inc/interfaces.inc index cefa7ab..a4d0825 100644 --- a/src/etc/inc/interfaces.inc +++ b/src/etc/inc/interfaces.inc @@ -318,17 +318,17 @@ function interface_qinq_configure(&$vlan, $fd = NULL) { pfSense_ngctl_attach(".", $qinqif); if (!empty($vlanif) && does_interface_exist($vlanif)) { - fwrite($fd, "shutdown {$qinqif}qinq:\n"); - exec("/usr/sbin/ngctl msg {$qinqif}qinq: gettable", $result); + fwrite($fd, "shutdown {$vlanif}qinq:\n"); + exec("/usr/sbin/ngctl msg {$vlanif}qinq: gettable", $result); if (empty($result)) { - fwrite($fd, "mkpeer {$qinqif}: vlan lower downstream\n"); - fwrite($fd, "name {$qinqif}:lower {$vlanif}qinq\n"); - fwrite($fd, "connect {$qinqif}: {$vlanif}qinq: upper nomatch\n"); + fwrite($fd, "mkpeer {$vlanif}: vlan lower downstream\n"); + fwrite($fd, "name {$vlanif}:lower {$vlanif}qinq\n"); + fwrite($fd, "connect {$vlanif}: {$vlanif}qinq: upper nomatch\n"); } } else { - fwrite($fd, "mkpeer {$qinqif}: vlan lower downstream\n"); - fwrite($fd, "name {$qinqif}:lower {$vlanif}qinq\n"); - fwrite($fd, "connect {$qinqif}: {$vlanif}qinq: upper nomatch\n"); + fwrite($fd, "mkpeer {$vlanif}: vlan lower downstream\n"); + fwrite($fd, "name {$vlanif}:lower {$vlanif}qinq\n"); + fwrite($fd, "connect {$vlanif}: {$vlanif}qinq: upper nomatch\n"); } /* invalidate interface cache */ @@ -798,8 +798,6 @@ function interface_lagg_configure($lagg) { hardware_offloading_applyflags($member); mwexec("/sbin/ifconfig " . escapeshellarg($laggif) . " laggport " . escapeshellarg($member)); } - pfSense_interface_capabilities($laggif, -$flags_off); - pfSense_interface_capabilities($laggif, $flags_on); mwexec("/sbin/ifconfig {$laggif} laggproto " . escapeshellarg($lagg['proto'])); 
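Review bot: The corrected `exec("/usr/sbin/ngctl msg {$vlanif}qinq: gettable", $result)` still interpolates `$vlanif` into a shell command unquoted, whereas the `fwrite()` lines only place it in a script consumed by ngctl. If `$vlanif` can carry anything other than a validated interface name, pass it through `escapeshellarg("{$vlanif}qinq:")` as the `mwexec()` calls elsewhere in this diff do. A short comment on why `$vlanif` rather than `$qinqif` is the correct netgraph node name here would also keep the next reader from "fixing" it back. interface_qinq_configure continues outside the hunk.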
@@ -878,15 +876,6 @@ function interface_gre_configure(&$gre, $grekey = "") { } else { mwexec("/sbin/ifconfig {$greif} " . escapeshellarg($gre['tunnel-local-addr']) . " " . escapeshellarg($gre['tunnel-remote-addr']) . " netmask " . gen_subnet_mask($gre['tunnel-remote-net'])); } - if (isset($gre['link0'])) { - pfSense_interface_flags($greif, IFF_LINK0); - } - if (isset($gre['link1'])) { - pfSense_interface_flags($greif, IFF_LINK1); - } - if (isset($gre['link2'])) { - pfSense_interface_flags($greif, IFF_LINK2); - } if ($greif) { interfaces_bring_up($greif); @@ -998,12 +987,12 @@ function interface_gif_configure(&$gif, $gifkey = "") { } else { mwexec("/sbin/ifconfig {$gifif} " . escapeshellarg($gif['tunnel-local-addr']) . " " . escapeshellarg($gif['tunnel-remote-addr']) . " netmask " . gen_subnet_mask($gif['tunnel-remote-net'])); } - if (isset($gif['link0'])) { - pfSense_interface_flags($gifif, IFF_LINK0); - } if (isset($gif['link1'])) { pfSense_interface_flags($gifif, IFF_LINK1); } + if (isset($gif['link2'])) { + pfSense_interface_flags($gifif, IFF_LINK2); + } if ($gifif) { interfaces_bring_up($gifif); $gifmtu = ""; @@ -1181,7 +1170,7 @@ function interfaces_configure() { log_error(sprintf(gettext("Configuring %s"), $ifname)); } - // bridge interface needs reconfigure, then re-add VIPs, to ensure find_interface_ip is correct. + // bridge interface needs reconfigure, then re-add VIPs, to ensure find_interface_ip is correct. // redmine #3997 interface_reconfigure($if, $reload); interfaces_vips_configure($if); @@ -1204,10 +1193,11 @@ function interfaces_configure() { /* reload dhcpd (interface enabled/disabled status may have changed) */ services_dhcpd_configure(); - /* restart dnsmasq or unbound */ if (isset($config['dnsmasq']['enable'])) { services_dnsmasq_configure(); - } elseif (isset($config['unbound']['enable'])) { + } + + if (isset($config['unbound']['enable'])) { services_unbound_configure(); } } 
@@ -2079,8 +2069,9 @@ EOD; } /* fire up mpd */ - mwexec("/usr/local/sbin/mpd5 -b -k -d {$g['varetc_path']} -f mpd_{$interface}.conf -p {$g['varrun_path']}/" . - escapeshellarg($ppp['type']) . "_{$interface}.pid -s ppp " . escapeshellarg($ppp['type']) . "client"); + mwexec("/usr/local/sbin/mpd5 -b -k -d {$g['varetc_path']} -f mpd_{$interface}.conf -p " . + escapeshellarg("{$g['varrun_path']}/{$ppp['type']}_{$interface}.pid") . " -s ppp " . + escapeshellarg("{$ppp['type']}client")); // Check for PPPoE periodic reset request if ($type == "pppoe") { @@ -2870,7 +2861,7 @@ EOD; /* set ack timers according to users preference (if he/she has any) */ if ($distance) { fwrite($fd_set, "# Enable ATH distance settings\n"); - fwrite($fd_set, "/sbin/athctrl.sh -i {$baseif} -d {$distance}\n"); + fwrite($fd_set, "/usr/local/sbin/athctrl.sh -i {$baseif} -d {$distance}\n"); } if (isset($wlcfg['wpa']['enable'])) { @@ -3469,10 +3460,11 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven /* reload ipsec tunnels */ send_event("service reload ipsecdns"); - /* restart dnsmasq or unbound */ if (isset($config['dnsmasq']['enable'])) { services_dnsmasq_configure(); - } elseif (isset($config['unbound']['enable'])) { + } + + if (isset($config['unbound']['enable'])) { services_unbound_configure(); } @@ -3509,8 +3501,8 @@ function interface_track6_configure($interface = "lan", $wancfg, $linkupevent = /* always configure a link-local of fe80::1:1 on the track6 interfaces */ $realif = get_real_interface($interface); - $linklocal = find_interface_ipv6_ll($realif); - if (!empty($linklocal)) { + $linklocal = find_interface_ipv6_ll($realif, true); + if (!empty($linklocal) && $linklocal != "fe80::1:1%{$realif}") { mwexec("/sbin/ifconfig {$realif} inet6 {$linklocal} delete"); } /* XXX: This might break for good on a carp installation using link-local as network ips */ 
@@ -3519,7 +3511,7 @@ function interface_track6_configure($interface = "lan", $wancfg, $linkupevent = $trackcfg = $config['interfaces'][$wancfg['track6-interface']]; if (!isset($trackcfg['enable'])) { - log_error(sprintf(gettext('Interface %1$s tracking non-existant interface %2$s'), $interface, $wancfg['track6-interface'])); + log_error(sprintf(gettext('Interface %1$s tracking non-existent interface %2$s'), $interface, $wancfg['track6-interface'])); return; } @@ -3553,7 +3545,7 @@ function interface_track6_configure($interface = "lan", $wancfg, $linkupevent = break; } - if ($linkupevent == false) { + if ($linkupevent == false && !platform_booting()) { if (!function_exists('services_dhcpd_configure')) { require_once("services.inc"); } @@ -3562,6 +3554,10 @@ function interface_track6_configure($interface = "lan", $wancfg, $linkupevent = services_unbound_configure(); } + if (isset($config['dnsmasq']['enable'])) { + services_dnsmasq_configure(); + } + services_dhcpd_configure("inet6"); } @@ -3584,7 +3580,7 @@ function interface_track6_6rd_configure($interface = "lan", $lancfg) { $wancfg = $config['interfaces'][$lancfg['track6-interface']]; if (empty($wancfg)) { - log_error(sprintf(gettext('Interface %1$s tracking non-existant interface %2$s'), $interface, $lancfg['track6-interface'])); + log_error(sprintf(gettext('Interface %1$s tracking non-existent interface %2$s'), $interface, $lancfg['track6-interface'])); return; } @@ -3648,7 +3644,7 @@ function interface_track6_6to4_configure($interface = "lan", $lancfg) { $wancfg = $config['interfaces'][$lancfg['track6-interface']]; if (empty($wancfg)) { - log_error(sprintf(gettext('Interface %1$s tracking non-existant interface %2$s'), $interface, $lancfg['track6-interface'])); + log_error(sprintf(gettext('Interface %1$s tracking non-existent interface %2$s'), $interface, $lancfg['track6-interface'])); return; } 
@@ -4001,7 +3997,7 @@ function interface_dhcpv6_configure($interface = "wan", $wancfg) { $rtsoldscript .= "/usr/bin/logger -t rtsold \"Starting dhcp6 client for interface {$interface}({$wanif})\"\n"; /* Add wide-dhcp6c shell script here. Because we can not pass a argument to it. */ if (!@file_put_contents("{$g['varetc_path']}/rtsold_{$wanif}_script.sh", $rtsoldscript)) { - printf("Error: cannot open rtsold_{$interface}_script.sh in interface_dhcpv6_configure() for writing.\n"); + printf("Error: cannot open rtsold_{$wanif}_script.sh in interface_dhcpv6_configure() for writing.\n"); unset($rtsoldscript); return 1; } @@ -4234,7 +4230,7 @@ retry 15; select-timeout 0; initial-interval 1; {$dhclientconf_hostname} - script "/sbin/dhclient-script"; + script "/usr/local/sbin/pfSense-dhclient-script"; EOD; if (is_ipaddrv4($wancfg['dhcprejectfrom'])) { @@ -4350,6 +4346,9 @@ function DHCP_Config_File_Advanced($interface, $wancfg, $wanif) { $dhclientconf .= "{$required_options}"; $dhclientconf .= "{$option_modifiers}"; $dhclientconf .= "\n"; + if (is_ipaddrv4($wancfg['dhcprejectfrom'])) { + $dhclientconf .= "reject {$wancfg['dhcprejectfrom']};\n"; + } $dhclientconf .= "\tscript \"/sbin/dhclient-script\";\n"; $dhclientconf .= "}\n"; @@ -4971,6 +4970,7 @@ function interface_find_child_cfgmtu($realiface) { $interface = convert_real_interface_to_friendly_interface_name($realiface); $vlans = link_interface_to_vlans($realiface); + $qinqs = link_interface_to_qinqs($realiface); $bridge = link_interface_to_bridge($realiface); if (!empty($interface)) { $gifs = link_interface_to_gif($interface); 
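Review bot: `printf("Error: cannot open rtsold_{$wanif}_script.sh in interface_dhcpv6_configure() for writing.\n");` fixes the wrong variable but still uses an interpolated string as the printf format, so a `%` in the interface name would be treated as a conversion specifier. Use a fixed format with the name as an argument: `printf("Error: cannot open rtsold_%s_script.sh in interface_dhcpv6_configure() for writing.\n", $wanif);`. interface_dhcpv6_configure continues outside the hunk.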
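Review bot: The default dhclient configuration now emits `script "/usr/local/sbin/pfSense-dhclient-script";`, but DHCP_Config_File_Advanced() in the following hunk still writes `$dhclientconf .= "\tscript \"/sbin/dhclient-script\";\n";`, so interfaces that use the advanced form would keep running the stock script. If that split is intentional, say so in a comment; otherwise switch the advanced path as well: `$dhclientconf .= "\tscript \"/usr/local/sbin/pfSense-dhclient-script\";\n";`. The added `reject {$wancfg['dhcprejectfrom']};` line is correctly gated on `is_ipaddrv4()`; DHCP_Config_File_Advanced continues outside the hunk.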
@@ -4994,6 +4994,19 @@ function interface_find_child_cfgmtu($realiface) { } } } + if (is_array($qinqs)) { + foreach ($qinqs as $qinq) { + $ifass = convert_real_interface_to_friendly_interface_name($qinq['vlanif']); + if (empty($ifass)) { + continue; + } + if (!empty($config['interfaces'][$ifass]['mtu'])) { + if (intval($config['interfaces'][$ifass]['mtu']) > $mtu) { + $mtu = intval($config['interfaces'][$ifass]['mtu']); + } + } + } + } if (is_array($gifs)) { foreach ($gifs as $gif) { $ifass = convert_real_interface_to_friendly_interface_name($gif['gifif']); @@ -5055,20 +5068,47 @@ function link_interface_to_vlans($int, $action = "") { } } +function link_interface_to_qinqs($int, $action = "") { + global $config; + + if (empty($int)) { + return; + } + + if (is_array($config['qinqs']['qinqentry'])) { + $ifaces = array(); + foreach ($config['qinqs']['qinqentry'] as $qinq) { + if ($int == $qinq['if']) { + if ($action == "update") { + interfaces_bring_up($int); + } else { + $ifaces[$qinq['tag']] = $qinq; + } + } + } + if (!empty($ifaces)) { + return $ifaces; + } + } +} + function link_interface_to_vips($int, $action = "", $vhid = '') { global $config; + $updatevips = false; if (is_array($config['virtualip']['vip'])) { $result = array(); foreach ($config['virtualip']['vip'] as $vip) { - if (substr($vip['interface'], 0, 4) == "_vip") + if (substr($vip['interface'], 0, 4) == "_vip") { $iface = get_configured_vip_interface($vip['interface']); - else + } else { $iface = $vip['interface']; - if ($int != $iface) + } + if ($int != $iface) { continue; + } if ($action == "update") { - interfaces_vips_configure($int); + $updatevips = true; } else { if (empty($vhid) || ($vhid == $vip['vhid']) || substr($vip['interface'], 0, 4) == "_vip") { @@ -5076,6 +5116,9 @@ function link_interface_to_vips($int, $action = "", $vhid = '') { } } } + if ($updatevips === true) { + interfaces_vips_configure($int); + } return $result; } 
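Review bot: The new link_interface_to_qinqs() has no header comment, returns nothing on the `empty($int)` and no-match paths (callers such as the interface_find_child_cfgmtu() hunk above test the result with `is_array()`), and in the `update` branch calls `interfaces_bring_up($int)` once per matching QinQ entry even though `$int` is the same parent every time. Add a docblock stating the return contract (array of qinq entries keyed by tag, or null) and the side effect of `$action == "update"`, and consider a `break` after the first bring-up or moving the call out of the loop if repeated bring-ups of the parent are not intended. Since the array is keyed by `$qinq['tag']`, a comment noting that tags are assumed unique per parent would document that choice.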
@@ -5372,7 +5415,7 @@ function get_interface_ip($interface = "wan") { } } -function get_interface_ipv6($interface = "wan", $flush = false) { +function get_interface_ipv6($interface = "wan", $flush = false, $linklocal_fallback = false) { global $config; if (substr($interface, 0, 4) == '_vip') { @@ -5421,7 +5464,7 @@ function get_interface_ipv6($interface = "wan", $flush = false) { * NOTE: On the case when only the prefix is requested, * the communication on WAN will be done over link-local. */ - if (is_array($config['interfaces'][$interface]) && isset($config['interfaces'][$interface]['dhcp6prefixonly'])) { + if ($linklocal_fallback || (is_array($config['interfaces'][$interface]) && isset($config['interfaces'][$interface]['dhcp6prefixonly']))) { $curip = find_interface_ipv6_ll($realif, $flush); if ($curip && is_ipaddrv6($curip) && ($curip != "::")) { return $curip; diff --git a/src/etc/inc/notices.inc b/src/etc/inc/notices.inc index 86413ba..b5b7dcb 100644 --- a/src/etc/inc/notices.inc +++ b/src/etc/inc/notices.inc @@ -53,6 +53,7 @@ */ require_once("globals.inc"); +require_once("functions.inc"); require_once("led.inc"); $notice_path = $g['tmp_path'] . '/notices'; @@ -71,11 +72,12 @@ $smtp_authentication_mechanisms = array( * NAME * file_notice * INPUTS - * $id, $notice, $category, $url, $priority + * $id, $notice, $category, $url, $priority, $local_only * RESULT * Files a notice and kicks off the various alerts, smtp, growl, system log, LED's, etc. + * If $local_only is true then the notice is not sent to external places (smtp, growl) ******/ -function file_notice($id, $notice, $category = "General", $url = "", $priority = 1) { +function file_notice($id, $notice, $category = "General", $url = "", $priority = 1, $local_only = false) { /* * $category - Category that this notice should be displayed under. This can be arbitrary, * but a page must be set to receive this messages for it to be displayed. 
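Review bot: get_interface_ipv6() gains a third parameter `$linklocal_fallback` that changes which address is returned, but the existing NOTE block above the modified condition still describes only the `dhcp6prefixonly` case. Extend that comment, e.g. `* Callers may also pass $linklocal_fallback = true to obtain the link-local address when no global address is wanted.`, so the new behaviour is discoverable without decoding the condition. get_interface_ipv6 continues outside the hunk.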
@@ -89,11 +91,11 @@ function file_notice($id, $notice, $category = "General", $url = "", $priority = } $queuekey = time(); $toqueue = array( - 'id' => $id, - 'notice' => $notice, - 'url' => $url, - 'category' => $category, - 'priority' => $priority, + 'id' => htmlentities($id), + 'notice' => htmlentities($notice), + 'url' => htmlentities($url), + 'category' => htmlentities($category), + 'priority' => htmlentities($priority), ); while (isset($queue[$queuekey])) { $queuekey++; @@ -101,7 +103,7 @@ function file_notice($id, $notice, $category = "General", $url = "", $priority = $queue[$queuekey] = $toqueue; $queueout = fopen($notice_path, "w"); if (!$queueout) { - log_error(printf(gettext("Could not open %s for writing"), $notice_path)); + log_error(sprintf(gettext("Could not open %s for writing"), $notice_path)); return; } fwrite($queueout, serialize($queue)); @@ -114,8 +116,10 @@ function file_notice($id, $notice, $category = "General", $url = "", $priority = /* wrap & alix */ led_normalize(); led_morse(1, 'sos'); - notify_via_growl($notice); - notify_via_smtp($notice); + if (!$local_only) { + notify_via_growl($notice); + notify_via_smtp($notice); + } return $queuekey; } 
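Review bot: Applying `htmlentities()` to `$id`, `$notice`, `$url`, `$category` and `$priority` when the entry is queued encodes for one specific sink (HTML) and then persists the encoded form, so any reader of the notices file that is not an HTML page, or `$url` used as an actual link target, receives `&amp;`, `&quot;` and friends, while an HTML consumer that already escapes on output will double-encode. The usual shape is to store raw values and escape at the point of rendering; if encoding here is deliberate to protect legacy readers of the file, add a comment saying so and pass an explicit charset, e.g. `htmlentities($notice, ENT_QUOTES, 'UTF-8')`, since the default depends on the PHP version. `htmlentities($priority)` also turns a numeric priority into a string for anyone comparing it numerically. The `log_error(sprintf(...))` correction and the `$local_only` gate are fine; file_notice continues outside the hunk.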
@@ -428,9 +432,14 @@ function notify_via_growl($message, $force=false) { $growl_name = $config['notifications']['growl']['name']; $growl_notification = $config['notifications']['growl']['notification_name']; - if (!empty($growl_ip) && (is_ipaddr($growl_ip) || dns_get_record($growl_ip, DNS_A) || dns_get_record($growl_ip, DNS_AAAA))) { - $growl = new Growl($growl_ip, $growl_password, $growl_name); - $growl->notify("{$growl_notification}", gettext(sprintf("%s (%s) - Notification", $g['product_name'], $hostname)), "{$message}"); + if (!empty($growl_ip)) { + if (is_ipaddr($growl_ip) || dns_check_record($growl_ip, A) || dns_check_record($growl_ip, AAAA)) { + $growl = new Growl($growl_ip, $growl_password, $growl_name); + $growl->notify("{$growl_notification}", gettext(sprintf("%s (%s) - Notification", $g['product_name'], $hostname)), "{$message}"); + } else { + // file_notice to local only to prevent file_notice from calling back to growl in a loop + file_notice("growl", gettext("Growl IP Address is invalid. Check the setting in System Advanced Notifications."), "General", "", 1, true); + } } /* Store last message sent to avoid spamming */ 
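Review bot: `dns_check_record($growl_ip, A)` and `dns_check_record($growl_ip, AAAA)` use bare `A`/`AAAA`, which are not defined constants unless the project declares them; on PHP versions that tolerate it the undefined constant degrades to the string "A" with a notice, and on PHP 8 it raises a fatal Error, so the notification path would die instead of falling back. The type argument of dns_check_record() is a string: `dns_check_record($growl_ip, 'A') || dns_check_record($growl_ip, 'AAAA')`. The same two calls appear in the register_via_growl() hunk on the following physical line. The `file_notice(..., true)` fallback with its loop-prevention comment is a good touch; notify_via_growl continues outside the hunk.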
@@ -455,10 +464,15 @@ function register_via_growl() { $growl_name = $config['notifications']['growl']['name']; $growl_notification = $config['notifications']['growl']['notification_name']; - if ($growl_ip) { - $growl = new Growl($growl_ip, $growl_password, $growl_name); - $growl->addNotification($growl_notification); - $growl->register(); + if (!empty($growl_ip)) { + if (is_ipaddr($growl_ip) || dns_check_record($growl_ip, A) || dns_check_record($growl_ip, AAAA)) { + $growl = new Growl($growl_ip, $growl_password, $growl_name); + $growl->addNotification($growl_notification); + $growl->register(); + } else { + // file_notice to local only to prevent file_notice from calling back to growl in a loop + file_notice("growl", gettext("Growl IP Address is invalid. Check the setting in System Advanced Notifications."), "General", "", 1, true); + } } } diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc index 502d770..fb11747 100644 --- a/src/etc/inc/openvpn.inc +++ b/src/etc/inc/openvpn.inc @@ -103,7 +103,8 @@ $openvpn_verbosity_level = array( global $openvpn_dh_lengths; $openvpn_dh_lengths = array( - 1024, 2048, 4096); + 1024, 2048, 3072, 4096, 7680, 8192, 15360, 16384 +); global $openvpn_cert_depths; $openvpn_cert_depths = array( @@ -763,8 +764,8 @@ function openvpn_reconfigure($mode, $settings) { // server specific settings if ($mode == 'server') { - list($ip, $cidr) = explode('/', $settings['tunnel_network']); - list($ipv6, $prefix) = explode('/', $settings['tunnel_networkv6']); + list($ip, $cidr) = explode('/', trim($settings['tunnel_network'])); + list($ipv6, $prefix) = explode('/', trim($settings['tunnel_networkv6'])); $mask = gen_subnet_mask($cidr); // configure tls modes 
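Review bot: `trim($settings['tunnel_network'])` and `trim($settings['tunnel_networkv6'])` are now repeated at every `explode('/', ...)` site in openvpn_reconfigure() and again in the openvpn_resync_csc(), openvpn_get_active_servers() and openvpn_clear_route() hunks on the next two physical lines. Trimming at six points of use means the next consumer will forget it; normalising once where the settings are saved or validated, or in a single helper such as `openvpn_tunnel_network($settings, 'tunnel_network')` that returns the trimmed `list($ip, $cidr)`, keeps the fix in one place. If stored configurations already contain padded values, a comment at the first site explaining that this is compatibility with older configs would justify the repetition. openvpn_reconfigure continues outside the hunk.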
@@ -939,7 +940,7 @@ function openvpn_reconfigure($mode, $settings) { } if (!empty($settings['tunnel_network'])) { - list($ip, $cidr) = explode('/', $settings['tunnel_network']); + list($ip, $cidr) = explode('/', trim($settings['tunnel_network'])); $mask = gen_subnet_mask($cidr); list($ip1, $ip2) = openvpn_get_interface_ip($ip, $cidr); if ($settings['dev_mode'] == 'tun') { @@ -950,7 +951,7 @@ function openvpn_reconfigure($mode, $settings) { } if (!empty($settings['tunnel_networkv6'])) { - list($ipv6, $prefix) = explode('/', $settings['tunnel_networkv6']); + list($ipv6, $prefix) = explode('/', trim($settings['tunnel_networkv6'])); list($ipv6_1, $ipv6_2) = openvpn_get_interface_ipv6($ipv6, $prefix); if ($settings['dev_mode'] == 'tun') { $conf .= "ifconfig-ipv6 {$ipv6_2} {$ipv6_1}\n"; @@ -1007,8 +1008,16 @@ function openvpn_reconfigure($mode, $settings) { case 'server_tls': case 'server_tls_user': case 'server_user': - $ca = lookup_ca($settings['caref']); - openvpn_add_keyfile($ca['crt'], $conf, $mode_id, "ca"); + // ca_chain() expects parameter to be passed by reference. + // avoid passing the whole settings array, as param names or + // types might change in future releases. + $param = array('caref' => $settings['caref']); + $ca = ca_chain($param); + $ca = base64_encode($ca); + + openvpn_add_keyfile($ca, $conf, $mode_id, "ca"); + + unset($ca, $param); if (!empty($settings['certref'])) { $cert = lookup_cert($settings['certref']); @@ -1251,7 +1260,7 @@ function openvpn_resync_csc(& $settings) { $csc_conf = $conf; if (!empty($serversettings['tunnel_network']) && !empty($settings['tunnel_network'])) { - list($ip, $mask) = explode('/', $settings['tunnel_network']); + list($ip, $mask) = explode('/', trim($settings['tunnel_network'])); if (($serversettings['dev_mode'] == 'tap') || ($serversettings['topology'] == "subnet")) { $csc_conf .= "ifconfig-push {$ip} " . gen_subnet_mask($mask) . "\n"; } else { 
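Review bot: The new `$ca = ca_chain($param); $ca = base64_encode($ca);` path in the @@ -1007 hunk has no check that ca_chain() produced a certificate: if `$settings['caref']` does not resolve, an empty or false result is base64-encoded to an empty string and openvpn_add_keyfile() writes an empty `ca` file, so the server fails at start with a less obvious error than the previous `lookup_ca()` path gave. Add a guard before the write, e.g. `if (empty($ca)) { log_error(sprintf(gettext("OpenVPN: CA chain for caref %s is empty"), $settings['caref'])); }`, mirroring the `!empty($settings['certref'])` check that follows. A one-line comment saying why the chain is base64-encoded (presumably because openvpn_add_keyfile() expects the same encoding as `$ca['crt']` did) would help the next reader. openvpn_reconfigure starts and ends outside this hunk.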
@@ -1415,7 +1424,7 @@ function openvpn_get_active_servers($type="multipoint") { $server['vpnid'] = $settings['vpnid']; $server['mgmt'] = "server{$server['vpnid']}"; $socket = "unix://{$g['varetc_path']}/openvpn/{$server['mgmt']}.sock"; - list($tn, $sm) = explode('/', $settings['tunnel_network']); + list($tn, $sm) = explode('/', trim($settings['tunnel_network'])); if ((($server['mode'] == "p2p_shared_key") || ($sm >= 30)) && ($type == "p2p")) { $servers[] = openvpn_get_client_status($server, $socket); @@ -1736,7 +1745,7 @@ function openvpn_clear_route($mode, $settings) { if (empty($settings['tunnel_network'])) { return; } - list($ip, $cidr) = explode('/', $settings['tunnel_network']); + list($ip, $cidr) = explode('/', trim($settings['tunnel_network'])); $mask = gen_subnet_mask($cidr); $clear_route = false; diff --git a/src/etc/inc/pfsense-utils.inc b/src/etc/inc/pfsense-utils.inc index 77ca8e2..5f38101 100644 --- a/src/etc/inc/pfsense-utils.inc +++ b/src/etc/inc/pfsense-utils.inc 
@@ -162,6 +162,242 @@ function get_dns_servers() { return array_unique($dns_servers); } +/****f* pfsense-utils/get_css_files + * NAME + * get_css_files - get a list of the available CSS files (themes) + * INPUTS + * none + * RESULT + * $csslist - an array of the CSS files + ******/ +function get_css_files() { + $csslist = array(); + + // List pfSense files, then any BETA files followed by any user-contributed files + $cssfiles = glob("/usr/local/www/css/*.css"); + + if (is_array($cssfiles)) { + arsort($cssfiles); + $usrcss = $pfscss = $betacss = array(); + + foreach ($cssfiles as $css) { + if (strpos($css, "BETA") != 0) { + array_push($betacss, $css); + } else if (strpos($css, "pfSense") != 0) { + array_push($pfscss, $css); + } else { + array_push($usrcss, $css); + } + } + + $css = array_merge($pfscss, $betacss, $usrcss); + + foreach ($css as $file) { + $file = basename($file); + $csslist[$file] = pathinfo($file, PATHINFO_FILENAME); + } + } + return $csslist; +} + +/****f* pfsense-utils/gen_webguicss_field + * NAME + * gen_webguicss_field + * INPUTS + * Pointer to section object + * Initial value for the field + * RESULT + * no return value, section object is updated + ******/ +function gen_webguicss_field(&$section, $value) { + + $csslist = get_css_files(); + + if (!isset($csslist[$value])) { + $value = "pfSense.css"; + } + + $section->addInput(new Form_Select( + 'webguicss', + 'Theme', + $value, + $csslist + ))->setHelp(sprintf(gettext('Choose an alternative css file (if installed) to change the appearance of the webConfigurator. 
css files are located in /usr/local/www/css/%s'), '<span id="csstxt"></span>')); +} + +/****f* pfsense-utils/gen_webguifixedmenu_field + * NAME + * gen_webguifixedmenu_field + * INPUTS + * Pointer to section object + * Initial value for the field + * RESULT + * no return value, section object is updated + ******/ +function gen_webguifixedmenu_field(&$section, $value) { + + $section->addInput(new Form_Select( + 'webguifixedmenu', + 'Top Navigation', + $value, + ["" => gettext("Scrolls with page"), "fixed" => gettext("Fixed (Remains visible at top of page)")] + ))->setHelp("The fixed option is intended for large screens only."); +} + +/****f* pfsense-utils/gen_webguihostnamemenu_field + * NAME + * gen_webguihostnamemenu_field + * INPUTS + * Pointer to section object + * Initial value for the field + * RESULT + * no return value, section object is updated + ******/ +function gen_webguihostnamemenu_field(&$section, $value) { + + $section->addInput(new Form_Select( + 'webguihostnamemenu', + 'Hostname in Menu', + $value, + ["" => gettext("Default (No hostname)"), "hostonly" => gettext("Hostname only"), "fqdn" => gettext("Fully Qualified Domain Name")] + ))->setHelp("Replaces the Help menu title in the Navbar with the system hostname or FQDN."); +} + +/****f* pfsense-utils/gen_dashboardcolumns_field + * NAME + * gen_dashboardcolumns_field + * INPUTS + * Pointer to section object + * Initial value for the field + * RESULT + * no return value, section object is updated + ******/ +function gen_dashboardcolumns_field(&$section, $value) { + + if (($value < 1) || ($value > 4)) { + $value = 2; + } + + $section->addInput(new Form_Input( + 'dashboardcolumns', + 'Dashboard Columns', + 'number', + $value, + [min => 1, max => 4] + )); +} + +/****f* pfsense-utils/gen_associatedpanels_fields + * NAME + * gen_associatedpanels_fields + * INPUTS + * Pointer to section object + * Initial value for each of the fields + * RESULT + * no return value, section object is updated + ******/ 
+function gen_associatedpanels_fields(&$section, $value1, $value2, $value3, $value4) { + + $group = new Form_Group('Associated Panels Show/Hide'); + + $group->add(new Form_Checkbox( + 'dashboardavailablewidgetspanel', + null, + 'Available Widgets', + $value1 + ))->setHelp('Show the Available Widgets panel on the Dashboard.'); + + $group->add(new Form_Checkbox( + 'systemlogsfilterpanel', + null, + 'Log Filter', + $value2 + ))->setHelp('Show the Log Filter panel in System Logs.'); + + $group->add(new Form_Checkbox( + 'systemlogsmanagelogpanel', + null, + 'Manage Log', + $value3 + ))->setHelp('Show the Manage Log panel in System Logs.'); + + $group->add(new Form_Checkbox( + 'statusmonitoringsettingspanel', + null, + 'Monitoring Settings', + $value4 + ))->setHelp('Show the Settings panel in Status Monitoring.'); + + $group->setHelp('These options allow certain panels to be automatically hidden on page load. A control is provided in the title bar to un-hide the panel.'); + + $section->add($group); +} + +/****f* pfsense-utils/gen_webguileftcolumnhyper_field + * NAME + * gen_webguileftcolumnhyper_field + * INPUTS + * Pointer to section object + * Initial value for the field + * RESULT + * no return value, section object is updated + ******/ +function gen_webguileftcolumnhyper_field(&$section, $value) { + + $section->addInput(new Form_Checkbox( + 'webguileftcolumnhyper', + 'Left Column Labels', + 'Active', + $value + ))->setHelp('If selected, clicking a label in the left column will select/toggle the first item of the group.'); +} + +/****f* pfsense-utils/gen_pagenamefirst_field + * NAME + * gen_pagenamefirst_field + * INPUTS + * Pointer to section object + * Initial value for the field + * RESULT + * no return value, section object is updated + ******/ +function gen_pagenamefirst_field(&$section, $value) { + + $section->addInput(new Form_Checkbox( + 'pagenamefirst', + 'Browser tab text', + 'Display page name first in browser tab', + $value + ))->setHelp('When this is 
unchecked, the browser tab shows the host name followed '. + 'by the current page. Check this box to display the current page followed by the '. + 'host name.'); +} + +/****f* pfsense-utils/gen_user_settings_fields + * NAME + * gen_user_settings_fields + * INPUTS + * Pointer to section object + * Array of initial values for the fields + * RESULT + * no return value, section object is updated + ******/ +function gen_user_settings_fields(&$section, $pconfig) { + + gen_webguicss_field($section, $pconfig['webguicss']); + gen_webguifixedmenu_field($section, $pconfig['webguifixedmenu']); + gen_webguihostnamemenu_field($section, $pconfig['webguihostnamemenu']); + gen_dashboardcolumns_field($section, $pconfig['dashboardcolumns']); + gen_associatedpanels_fields( + $section, + $pconfig['dashboardavailablewidgetspanel'], + $pconfig['systemlogsfilterpanel'], + $pconfig['systemlogsmanagelogpanel'], + $pconfig['statusmonitoringsettingspanel']); + gen_webguileftcolumnhyper_field($section, $pconfig['webguileftcolumnhyper']); + gen_pagenamefirst_field($section, $pconfig['pagenamefirst']); +} + function hardware_offloading_applyflags($iface) { global $config; @@ -503,6 +739,9 @@ function get_filename_from_url($url) { function get_dir($dir) { $dir_array = array(); $d = dir($dir); + if(!is_object($d)) { + return array(); + } while (false !== ($entry = $d->read())) { array_push($dir_array, $entry); } 
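Review bot: In gen_dashboardcolumns_field the attribute array `[min => 1, max => 4]` uses bare `min`/`max`, which PHP treats as undefined constants (notice on PHP 5/7, fatal on PHP 8); it should be `['min' => 1, 'max' => 4]`. In get_css_files the test `strpos($css, "BETA") != 0` only behaves as a "contains" check because glob() paths never start with the needle — strpos() returns false when absent and `false != 0` is false under loose comparison — so the intended form is `strpos($css, "BETA") !== false` (likewise for "pfSense"). The help strings in gen_webguifixedmenu_field, gen_webguihostnamemenu_field and the checkbox helpers are not wrapped in gettext(), unlike gen_webguicss_field in the same hunk.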
@@ -971,17 +1210,17 @@ function setup_serial_port($when = "save", $path = "") { if (isset($config['system']['disableconsolemenu'])) { $console_type = 'Pc'; - $serial_type = 'std.' . $serialspeed; + $serial_type = '3wire'; } else { $console_type = 'al.Pc'; - $serial_type = 'al.' . $serialspeed; + $serial_type = 'al.3wire'; } foreach ($ttys_split as $tty) { if (stristr($tty, "ttyv0")) { - fwrite($fd, "ttyv0 \"/usr/libexec/getty {$console_type}\" cons25 on secure\n"); + fwrite($fd, "ttyv0 \"/usr/libexec/getty {$console_type}\" xterm on secure\n"); } else if (stristr($tty, "ttyu")) { $ttyn = substr($tty, 0, 5); - fwrite($fd, "{$ttyn} \"/usr/libexec/getty {$serial_type}\" cons25 {$on_off} secure\n"); + fwrite($fd, "{$ttyn} \"/usr/libexec/getty {$serial_type}\" vt100 {$on_off} secure\n"); } else { fwrite($fd, $tty . "\n"); } @@ -1144,27 +1383,18 @@ function is_pppoe_server_enabled() { return $pppoeenable; } -function convert_seconds_to_hms($sec) { - $min = $hrs = 0; - if ($sec != 0) { - $min = floor($sec/60); - $sec %= 60; - } - if ($min != 0) { - $hrs = floor($min/60); - $min %= 60; - } - if ($sec < 10) { - $sec = "0".$sec; +/* Optional arg forces hh:mm:ss without days */ +function convert_seconds_to_dhms($sec, $showhoursonly = false) { + if (!is_numericint($sec)) { + return '-'; } - if ($min < 10) { - $min = "0".$min; - } - if ($hrs < 10) { - $hrs = "0".$hrs; - } - $result = $hrs.":".$min.":".$sec; - return $result; + // FIXME: When we move to PHP 7 we can use "intdiv($sec % X, Y)" etc + list($d, $h, $m, $s) = array( (int)($showhoursonly ? 0 : $sec/86400), + (int)(($showhoursonly ? $sec : $sec % 86400)/3600), + (int)(($sec % 3600)/60), + $sec % 60 + ); + return ($d > 0 ? $d . 'd ' : '') . sprintf('%02d:%02d:%02d', $h, $m, $s); } /* Compute the total uptime from the ppp uptime log file in the conf directory */ 
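Review bot: Renaming convert_seconds_to_hms() to convert_seconds_to_dhms() removes the old name from pfsense-utils.inc, so any caller outside this diff (a package, for instance) would now hit an undefined function. A one-line shim, `function convert_seconds_to_hms($sec) { return convert_seconds_to_dhms($sec, true); }`, preserves the previous hh:mm:ss contract, since `$showhoursonly = true` yields the same un-modded hour count the old code produced. The `list($d, $h, $m, $s) = array(...)` construct would read more plainly as four assignments, which the existing FIXME about intdiv() already hints at.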
@@ -1177,7 +1407,7 @@ function get_ppp_uptime($port) { foreach ($uptime_data as $upt) { $sec += substr($upt, 1 + strpos($upt, " ")); } - return convert_seconds_to_hms($sec); + return convert_seconds_to_dhms($sec); } else { $total_time = gettext("No history data found!"); return $total_time; @@ -1351,7 +1581,7 @@ function get_interface_info($ifdescr) { if (file_exists("{$g['varrun_path']}/{$link_type}_{$ifdescr}.pid")) { $sec = trim(`/usr/local/sbin/ppp-uptime.sh {$ifinfo['if']}`); - $ifinfo['ppp_uptime'] = convert_seconds_to_hms($sec); + $ifinfo['ppp_uptime'] = convert_seconds_to_dhms($sec); } if ($ifinfo['status'] == "up") { @@ -1929,6 +2159,11 @@ function parse_aliases_file($filename, $type = "url", $max_items = -1, $kflc = f * RETURNS an array of ip subnets and ip's or ports and port-ranges, returns NULL upon a error conditions (file not found) */ + if (!file_exists($filename)) { + log_error(sprintf(gettext("Could not process non-existent file from alias: %s"), $filename)); + return null; + } + if (filesize($filename) == 0) { log_error(sprintf(gettext("Could not process empty file from alias: %s"), $filename)); return null; @@ -1957,8 +2192,8 @@ function parse_aliases_file($filename, $type = "url", $max_items = -1, $kflc = f if (!empty($tmp_str)) { $tmp = $tmp_str; } - $valid = ($type == "url" && (is_ipaddr($tmp) || is_subnet($tmp))) || - ($type == "url_ports" && (is_port($tmp) || is_portrange($tmp))); + $valid = (($type == "url" || $type == "urltable") && (is_ipaddr($tmp) || is_subnet($tmp))) || + (($type == "url_ports" || $type == "urltable_ports") && (is_port($tmp) || is_portrange($tmp))); if ($valid) { $items[] = $tmp; if (count($items) == $max_items) { 
@@ -2150,8 +2385,8 @@ function pfs_version_compare($cur_time, $cur_text, $remote) { } return $v; } -function process_alias_urltable($name, $url, $freq, $forceupdate=false, $validateonly=false) { - global $config; +function process_alias_urltable($name, $type, $url, $freq, $forceupdate=false, $validateonly=false) { + global $g, $config; $urltable_prefix = "/var/db/aliastables/"; $urltable_filename = $urltable_prefix . $name . ".txt"; 
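Review bot: Inserting `$type` as the second positional parameter of process_alias_urltable() changes the meaning of every existing positional call of the form `process_alias_urltable($name, $url, $freq, ...)`: such a caller would now bind the URL to `$type` and the frequency to `$url`. Because the body falls back to `alias_get_type($name)` when `$type` is empty (see the @@ -2177 hunk), the parameter could instead be appended as an optional trailing argument, `function process_alias_urltable($name, $url, $freq, $forceupdate=false, $validateonly=false, $type="")`, or every call site outside this diff needs to be confirmed updated.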
@@ -2177,15 +2412,25 @@ function process_alias_urltable($name, $url, $freq, $forceupdate=false, $validat if (download_file($url, $tmp_urltable_filename, $verify_ssl)) { // Convert lines that begin with '$' or ';' to comments '#' instead of deleting them. mwexec("/usr/bin/sed -i \"\" -E 's/^[[:space:]]*($|#|;)/#/g; /^#/!s/\;.*//g;' ". escapeshellarg($tmp_urltable_filename)); - if (alias_get_type($name) == "urltable_ports") { - $ports = parse_aliases_file($tmp_urltable_filename, "url_ports", "-1", true); - $ports = group_ports($ports, true); - file_put_contents($urltable_filename, implode("\n", $ports)); + + $type = ($type) ? $type : alias_get_type($name); // If empty type passed, try to get it from config. + + $parsed_contents = parse_aliases_file($tmp_urltable_filename, $type, "-1", true); + if ($type == "urltable_ports") { + $parsed_contents = group_ports($parsed_contents, true); + } + if (is_array($parsed_contents)) { + file_put_contents($urltable_filename, implode("\n", $parsed_contents)); } else { - $urltable = parse_aliases_file($tmp_urltable_filename, "url", "-1", true); - if (is_array($urltable)) { - file_put_contents($urltable_filename, implode("\n", $urltable)); - } + touch($urltable_filename); + } + + /* If this backup is still there on a full install, but we aren't going to use ram disks, remove the archive since this is a transition. */ + if (($g['platform'] == $g['product_name']) && !isset($config['system']['use_mfs_tmpvar'])) { + unlink_if_exists("{$g['cf_conf_path']}/RAM_Disk_Store{$urltable_filename}.tgz"); + } else { + /* Update the RAM disk store with the new/updated table file. */ + mwexec("cd / && /usr/bin/tar -czf \"{$g['cf_conf_path']}/RAM_Disk_Store{$urltable_filename}.tgz\" -C / \"{$urltable_filename}\""); } unlink_if_exists($tmp_urltable_filename); } else { 
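Review bot: The new RAM_Disk_Store backup command interpolates `{$urltable_filename}` — derived from the alias `$name` — directly into the mwexec() shell string, while the sed command a few lines above passes its file through escapeshellarg(); make the two consistent, e.g. `mwexec("cd / && /usr/bin/tar -czf " . escapeshellarg("{$g['cf_conf_path']}/RAM_Disk_Store{$urltable_filename}.tgz") . " -C / " . escapeshellarg($urltable_filename));`. Alias names are presumably validated at the GUI layer, but quoting at the shell boundary removes the dependence on that. Note also that when parse_aliases_file() returns null the code now `touch()`es an empty table and then archives it, so a transient parse failure is persisted into the RAM-disk store; skipping the tar step in that branch would avoid overwriting a good backup. process_alias_urltable continues outside the hunk.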
@@ -2478,7 +2723,7 @@ function get_country_name($country_code) { return ""; } - $country_names_xml = "/usr/local/share/mobile-broadband-provider-info/iso_3166-1_list_en.xml"; + $country_names_xml = "/usr/local/share/pfSense/iso_3166-1_list_en.xml"; $country_names_contents = file_get_contents($country_names_xml); $country_names = xml2array($country_names_contents); @@ -2729,7 +2974,7 @@ function pfSense_handle_custom_code($src_dir) { continue; } // Include the extra handler - include("$nf"); + include_once("$nf"); } } } @@ -3085,4 +3330,36 @@ function pkg_call_plugins($plugin_type, $plugin_params) { return $results; } +function restore_aliastables() { + global $g, $config; + + $dbpath = "{$g['vardb_path']}/aliastables/"; + + /* restore the alias tables, if we have them */ + $files = glob("{$g['cf_conf_path']}/RAM_Disk_Store{$dbpath}*.tgz"); + if (count($files)) { + echo "Restoring alias tables..."; + foreach ($files as $file) { + if (file_exists($file)) { + $aliastablesrestore = ""; + $aliastablesreturn = ""; + exec("cd /;LANG=C /usr/bin/tar -xzf {$file} 2>&1", $aliastablesrestore, $aliastablesreturn); + $aliastablesrestore = implode(" ", $aliastablesrestore); + if ($aliastablesreturn <> 0) { + log_error(sprintf(gettext('Alias table restore failed exited with %1$s, the error is: %2$s %3$s%4$s'), $aliastablesreturn, $aliastablesrestore, $file, "\n")); + } else { + log_error(sprintf(gettext('Alias table restore succeeded exited with %1$s, the result is: %2$s %3$s%4$s'), $aliastablesreturn, $aliastablesrestore, $dbpath.basename($file, ".tgz"), "\n")); + } + } + /* If this backup is still there on a full install, but we aren't going to use ram disks, remove the archive since this is a transition. */ + if (($g['platform'] == $g['product_name']) && !isset($config['system']['use_mfs_tmpvar'])) { + unlink_if_exists("{$file}"); + } + } + echo "done.\n"; + return true; + } + return false; +} + ?> 
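Review bot: restore_aliastables() passes each glob() result unquoted into `exec("cd /;LANG=C /usr/bin/tar -xzf {$file} 2>&1", ...)`; the archive names derive from alias names, so `exec("cd /;LANG=C /usr/bin/tar -xzf " . escapeshellarg($file) . " 2>&1", $aliastablesrestore, $aliastablesreturn);` is the safer form and matches the escapeshellarg() usage elsewhere in this file. The `file_exists($file)` test inside the loop is redundant after glob() and can go. Both the failure and the success branch log through log_error(), so every boot-time restore is recorded at error level; if that is the only logger available a comment saying so would stop readers from "fixing" it. `$aliastablesreturn <> 0` reads better as `!= 0`.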
diff --git a/src/etc/inc/pkg-utils.inc b/src/etc/inc/pkg-utils.inc index 48cce82..35526d1 100644 --- a/src/etc/inc/pkg-utils.inc +++ b/src/etc/inc/pkg-utils.inc @@ -83,6 +83,14 @@ if (!function_exists("pkg_debug")) { } } +/* Validate if pkg name is valid */ +function pkg_valid_name($pkgname) { + global $g; + + $pattern = "/^{$g['pkg_prefix']}[a-zA-Z0-9\.\-_]+$/"; + return preg_match($pattern, $pkgname); +} + /* Remove pkg_prefix from package name if it's present */ function pkg_remove_prefix(&$pkg_name) { global $g; @@ -106,9 +114,19 @@ function pkg_env($extra_env = array()) { $pkg_env_vars = array( "LANG" => "C", "HTTP_USER_AGENT" => $user_agent, - "ASSUME_ALWAYS_YES" => "true" + "ASSUME_ALWAYS_YES" => "true", + "FETCH_TIMEOUT" => 5, + "FETCH_RETRY" => 2 ); + if (!empty($config['system']['proxyurl'])) { + $http_proxy = $config['system']['proxyurl']; + if (!empty($config['system']['proxyport'])) { + $http_proxy .= ':' . $config['system']['proxyport']; + } + $pkg_env_vars['HTTP_PROXY'] = $http_proxy; + } + if ($g['platform'] == "nanobsd" || isset($config['system']['use_mfs_tmpvar'])) { $pkg_env_vars['PKG_DBDIR'] = '/root/var/db/pkg'; @@ -372,12 +390,30 @@ function get_pkg_info($pkgs = 'all', $info = 'all', $only_local = false) { $pkgs = $g['pkg_prefix']; } + if (!function_exists('is_subsystem_dirty')) { + require_once("util.inc"); + } + + /* Do not run remote operations if pkg has a lock */ + if (is_subsystem_dirty('pkg')) { + $only_local = true; + $lock = false; + } else { + $lock = true; + } + $extra_param = ""; if ($only_local) { $extra_param = "-U "; } - $rc = pkg_exec("search {$extra_param}--raw-format json-compact " . $pkgs, $out, $err); + if ($lock) { + mark_subsystem_dirty('pkg'); + } + $rc = pkg_exec("search {$extra_param}-R --raw-format json-compact " . $pkgs, $out, $err); + if ($lock) { + clear_subsystem_dirty('pkg'); + } if ($rc != 0) { update_status("\n" . gettext( 
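Review bot: pkg_valid_name() interpolates `$g['pkg_prefix']` straight into the regex, so any regex metacharacter in the prefix (`.`, `+`, `(`, …) changes the pattern instead of matching literally; build it as `$pattern = "/^" . preg_quote($g['pkg_prefix'], '/') . "[a-zA-Z0-9\.\-_]+$/";`. preg_match() also returns false on a malformed pattern, which a caller testing truthiness reads as "invalid name" — acceptable here, but worth one line in the comment above the function.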
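Review bot: In get_pkg_info() the `mark_subsystem_dirty('pkg')` / `clear_subsystem_dirty('pkg')` pair around pkg_exec() is not exit-safe: if pkg_exec() or anything it calls terminates the request, the dirty flag stays set and every later call silently falls back to `$only_local = true` with no message. Either wrap the call as `try { $rc = pkg_exec(...); } finally { if ($lock) { clear_subsystem_dirty('pkg'); } }` or at least document in the function header that a stale pkg flag forces local-only lookups, so an operator seeing stale package data knows where to look. The check-then-set on the dirty flag is also not atomic, so two concurrent callers can both proceed; if that matters a real lock rather than a flag file is needed. get_pkg_info starts before and ends after this hunk.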
@@ -960,34 +996,54 @@ function delete_package_xml($package_name, $when = "post-deinstall") { function package_reinstall_all() { global $g, $config, $pkg_interface; - if (!isset($config['installedpackages']['package']) || - !is_array($config['installedpackages']['package'])) { + $upgrade = (file_exists('/conf/needs_package_sync') && platform_booting()); + + if ((!isset($config['installedpackages']['package']) || + !is_array($config['installedpackages']['package'])) && !$upgrade) { return true; } - $upgrade = (file_exists('/conf/needs_package_sync') && platform_booting()); - /* During boot after upgrade, wait for internet connection */ if ($upgrade) { - update_status(gettext("Waiting for internet connection to update pkg metadata and finish package reinstallation")); - while (true) { + update_status(gettext("Waiting for Internet connection to update pkg metadata and finish package reinstallation")); + $ntries = 3; + while ($ntries > 0) { if (pkg_update(true)) { break; } update_status('.'); sleep(1); + $ntries--; } update_status("\n"); + + if ($ntries == 0) { + file_notice(gettext("Package reinstall"), + gettext("Package reinstall process was ABORTED due to lack of internet connectivity")); + return false; + } } $pkg_info = get_pkg_info(); - foreach ($config['installedpackages']['package'] as $package) { + if ($upgrade && + file_exists("{$g['cf_conf_path']}/packages_to_reinstall_after_upgrade.txt")) { + $package_list = file("{$g['cf_conf_path']}/packages_to_reinstall_after_upgrade.txt", + FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); + unlink_if_exists("{$g['cf_conf_path']}/packages_to_reinstall_after_upgrade.txt"); + } else { + $package_list = array(); + foreach ($config['installedpackages']['package'] as $package) { + $package_list[] = get_package_internal_name($package); + } + } + + foreach ($package_list as $package) { $found = false; - $internal_name = get_package_internal_name($package); foreach ($pkg_info as $pkg) { pkg_remove_prefix($pkg['name']); - if 
($pkg['name'] == $internal_name) { + if ($pkg['name'] == $package) { + pkg_install($g['pkg_prefix'] . $package, true); $found = true; break; } @@ -999,17 +1055,12 @@ function package_reinstall_all() { } file_notice(gettext("Package reinstall"), - sprintf(gettext("Package %s does not exist in current %s version and it has been removed."), $package['name'], $g['product_name'])); - uninstall_package($package['name']); + sprintf(gettext("Package %s does not exist in current %s version and it has been removed."), + $package, $g['product_name'])); + uninstall_package($package); } } - /* Obsoleted packages were removed, lets reinstall all remaining */ - foreach ($config['installedpackages']['package'] as $package) { - $internal_name = get_package_internal_name($package); - pkg_install($g['pkg_prefix'] . $internal_name, true); - } - return true; } @@ -1082,7 +1133,6 @@ function get_base_pkg_name() { /* XXX: Use pkg annotation */ if (is_pkg_installed($g['product_name'] . '-base-' . $g['platform'])) { - return $g['product_name']; return $g['product_name'] . '-base-' . $g['platform']; } else if (is_pkg_installed($g['product_name'] . '-base')) { return $g['product_name'] . '-base'; @@ -1091,7 +1141,7 @@ function get_base_pkg_name() { } /* Verify if system needs upgrade (meta package or base) */ -function get_system_pkg_version() { +function get_system_pkg_version($baseonly = false) { global $g; $base_pkg = get_base_pkg_name(); @@ -1111,8 +1161,7 @@ function get_system_pkg_version() { } } - if (empty($pkg_info) || - $pkg_info['version'] == $pkg_info['installed_version']) { + if (empty($pkg_info) || (!$baseonly && ($pkg_info['version'] == $pkg_info['installed_version']))) { $info = get_pkg_info($meta_pkg); $pkg_name = $meta_pkg; diff --git a/src/etc/inc/priv.defs.inc b/src/etc/inc/priv.defs.inc index fa3859b..8deb4d7 100644 --- a/src/etc/inc/priv.defs.inc +++ b/src/etc/inc/priv.defs.inc 
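Review bot: With `$upgrade` true the early return is now skipped even when `$config['installedpackages']['package']` is missing or not an array, but the `else` branch taken when `packages_to_reinstall_after_upgrade.txt` is absent still runs `foreach ($config['installedpackages']['package'] as $package)` unguarded, which emits a PHP warning and yields an empty list; guard it with `if (is_array($config['installedpackages']['package'])) {` around that loop. The connectivity wait was also cut from unbounded to three one-second attempts (`$ntries = 3` with `sleep(1)`), i.e. a few seconds of tolerance during boot — if that is intentional a comment explaining the budget would help, since a slow WAN link would abort the reinstall. The function's tail is in the next hunk (@@ -999).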
@@ -646,6 +646,18 @@ $priv_list['page-services-captiveportal-editzones']['descr'] = gettext("Allow ac $priv_list['page-services-captiveportal-editzones']['match'] = array(); $priv_list['page-services-captiveportal-editzones']['match'][] = "services_captiveportal_zones_edit.php*"; +$priv_list['page-services-checkipservices'] = array(); +$priv_list['page-services-checkipservices']['name'] = gettext("WebCfg - Services: Check IP Service"); +$priv_list['page-services-checkipservices']['descr'] = gettext("Allow access to the 'Services: Check IP Service' page."); +$priv_list['page-services-checkipservices']['match'] = array(); +$priv_list['page-services-checkipservices']['match'][] = "services_checkip.php*"; + +$priv_list['page-services-checkipedit'] = array(); +$priv_list['page-services-checkipedit']['name'] = gettext("WebCfg - Services: Check IP Service: Edit"); +$priv_list['page-services-checkipedit']['descr'] = gettext("Allow access to the 'Services: Check IP Service: Edit' page."); +$priv_list['page-services-checkipedit']['match'] = array(); +$priv_list['page-services-checkipedit']['match'][] = "services_checkip_edit.php*"; + $priv_list['page-services-dhcpserver'] = array(); $priv_list['page-services-dhcpserver']['name'] = gettext("WebCfg - Services: DHCP Server"); $priv_list['page-services-dhcpserver']['descr'] = gettext("Allow access to the 'Services: DHCP Server' page."); 
@@ -770,7 +782,7 @@ $priv_list['page-services-rfc2136edit'] = array(); $priv_list['page-services-rfc2136edit']['name'] = gettext("WebCfg - Services: RFC 2136 Client: Edit"); $priv_list['page-services-rfc2136edit']['descr'] = gettext("Allow access to the 'Services: RFC 2136 Client: Edit' page."); $priv_list['page-services-rfc2136edit']['match'] = array(); -$priv_list['page-services-rfc2136edit']['match'][] = "services_rfc2136.php*"; +$priv_list['page-services-rfc2136edit']['match'][] = "services_rfc2136_edit.php*"; $priv_list['page-services-router-advertisements'] = array(); $priv_list['page-services-router-advertisements']['name'] = gettext("WebCfg - Services: Router Advertisements"); @@ -1159,6 +1171,12 @@ $priv_list['page-system-update-settings']['descr'] = gettext("Allow access to th $priv_list['page-system-update-settings']['match'] = array(); $priv_list['page-system-update-settings']['match'][] = "system_update_settings.php*"; +$priv_list['page-system-user-settings'] = array(); +$priv_list['page-system-user-settings']['name'] = gettext("WebCfg - System: User Settings"); +$priv_list['page-system-user-settings']['descr'] = gettext("Allow access to the 'System: User Settings' page."); +$priv_list['page-system-user-settings']['match'] = array(); +$priv_list['page-system-user-settings']['match'][] = "system_user_settings.php*"; + $priv_list['page-system-usermanager'] = array(); $priv_list['page-system-usermanager']['name'] = gettext("WebCfg - System: User Manager"); $priv_list['page-system-usermanager']['descr'] = gettext("Allow access to the 'System: User Manager' page."); diff --git a/src/etc/inc/priv.inc b/src/etc/inc/priv.inc index 6315f72..b0fcea0 100644 --- a/src/etc/inc/priv.inc +++ b/src/etc/inc/priv.inc 
@@ -88,14 +88,14 @@ function get_priv_files($directory) { $dir_array = get_priv_files("/etc/inc/priv"); foreach ($dir_array as $file) { if (!is_dir("/etc/inc/priv/{$file}") && stristr($file, ".inc")) { - include("/etc/inc/priv/{$file}"); + include_once("/etc/inc/priv/{$file}"); } } if (is_dir("/usr/local/pkg/priv")) { $dir_array = get_priv_files("/usr/local/pkg/priv"); foreach ($dir_array as $file) { if (!is_dir("/usr/local/pkg/priv/{$file}") && stristr($file, ".inc")) { - include("/usr/local/pkg/priv/{$file}"); + include_once("/usr/local/pkg/priv/{$file}"); } } } diff --git a/src/etc/inc/radius.inc b/src/etc/inc/radius.inc index a63b831..326b359 100644 --- a/src/etc/inc/radius.inc +++ b/src/etc/inc/radius.inc @@ -480,7 +480,10 @@ class Auth_RADIUS extends PEAR { break; case RADIUS_CLASS: - $this->attributes['class'] = radius_cvt_string($data); + if (!array($this->attributes['class'])) { + $this->attributes['class'] = array(); + } + $this->attributes['class'][] = radius_cvt_string($data); break; case RADIUS_FRAMED_PROTOCOL: diff --git a/src/etc/inc/rrd.inc b/src/etc/inc/rrd.inc index 5c6bfdb..074c05f 100644 --- a/src/etc/inc/rrd.inc +++ b/src/etc/inc/rrd.inc 
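Review bot: `if (!array($this->attributes['class']))` in the radius.inc hunk (@@ -480) is always false: `array(...)` constructs a one-element array, which is truthy, so the initialisation branch never runs and the first `[]=` append relies on PHP auto-vivifying the key. The intended test is `if (!is_array($this->attributes['class'])) {`. Note too that `class` changes from a string to an array of strings, so every consumer of `$this->attributes['class']` outside this diff has to be updated in the same change.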
@@ -54,23 +54,6 @@ /* include all configuration functions */ -global $rrd_graph_list; -$rrd_graph_list = array("eighthour", "day", "week", "month", "quarter", "year", "fouryear"); -global $rrd_period_list; -$rrd_period_list = array("absolute" => gettext("Absolute Timespans"), "current" => gettext("Current Period"), "previous" => gettext("Previous Period")); -global $rrd_graph_length_list; -$rrd_graph_length_list = array( - "eighthour" => 28800, - "day" => 86400, - "week" => 604800, - "month" => 2678400, - "quarter" => 7948800, - "year" => 31622400, - "fouryear" => 126230400); -global $rrd_style_list; -$rrd_style_list = array('inverse' => gettext('Inverse'), - 'absolute' => gettext('Absolute')); - function dump_rrd_to_xml($rrddatabase, $xmldumpfile) { $rrdtool = "/usr/bin/nice -n20 /usr/local/bin/rrdtool"; unlink_if_exists($xmldumpfile); @@ -1017,13 +1000,13 @@ for sock in {$g['varrun_path']}/dpinger_*.sock; do if echo "\$delay" | grep -Eqv '^[0-9]+\$'; then delay="U" else - # Convert delay to millisecond + # Convert delay from microseconds to seconds delay=\$(echo "scale=7; \$delay / 1000 / 1000" | /usr/bin/bc) fi if echo "\$stddev" | grep -Eqv '^[0-9]+\$'; then stddev="U" else - # Convert stddev to millisecond + # Convert stddev from microseconds to seconds stddev=\$(echo "scale=7; \$stddev / 1000 / 1000" | /usr/bin/bc) fi @@ -1070,7 +1053,9 @@ EOD; $databases = glob("{$rrddbpath}/*.rrd"); foreach ($databases as $database) { - chown($database, "nobody"); + if (file_exists($database)) { + chown($database, "nobody"); + } } if (platform_booting()) { diff --git a/src/etc/inc/service-utils.inc b/src/etc/inc/service-utils.inc index 99a7285..319084c 100644 --- a/src/etc/inc/service-utils.inc +++ b/src/etc/inc/service-utils.inc 
@@ -510,6 +510,8 @@ function get_service_status_icon($service, $withtext = true, $smallicon = false) return $output; } +/* This function is no longer required since services now use the POST method via JavaScript + Commenting out for now. It should be removed in the next version // This version proved GET formatted links function get_service_control_GET_links($service, $addname = false) { @@ -562,6 +564,7 @@ function get_service_control_GET_links($service, $addname = false) { return $output; } +*/ function get_service_control_links($service, $addname = false) { global $g; diff --git a/src/etc/inc/services.inc b/src/etc/inc/services.inc index 5b08056..103aa1b 100644 --- a/src/etc/inc/services.inc +++ b/src/etc/inc/services.inc 
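Review bot: Wrapping get_service_control_GET_links() in a `/* … */` block (this hunk and @@ -562) leaves roughly fifty lines of dead code in the file and will break parsing if any line in between contains `*/`; since the added comment already states the function is no longer required, deleting it outright is simpler and version control keeps the history. If a deprecation window is wanted, a stub that forwards to get_service_control_links() with a comment makes the intent explicit. The span between the two hunks is outside this view, so I cannot confirm it is free of `*/`.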
@@ -55,8 +55,8 @@ OF THE POSSIBILITY OF SUCH DAMAGE. */ -define('DYNDNS_PROVIDER_VALUES', 'citynetwork cloudflare custom custom-v6 dnsexit dnsimple dnsmadeeasy dnsomatic dyndns dyndns-custom dyndns-static dyns easydns eurodns freedns glesys googledomains gratisdns he-net he-net-v6 he-net-tunnelbroker loopia namecheap noip noip-free ods opendns ovh-dynhost route53 selfhost spdns spdns-v6 zoneedit'); -define('DYNDNS_PROVIDER_DESCRIPTIONS', 'City Network,CloudFlare,Custom,Custom (v6),DNSexit,DNSimple,DNS Made Easy,DNS-O-Matic,DynDNS (dynamic),DynDNS (custom),DynDNS (static),DyNS,easyDNS,Euro Dns,freeDNS,GleSYS,Google Domains,GratisDNS,HE.net,HE.net (v6),HE.net Tunnelbroker,Loopia,Namecheap,No-IP,No-IP (free),ODS.org,OpenDNS,OVH DynHOST,Route 53,SelfHost,SPDNS,SPDNS (v6),ZoneEdit'); +define('DYNDNS_PROVIDER_VALUES', 'citynetwork cloudflare custom custom-v6 dnsexit dnsimple dnsmadeeasy dnsomatic dyndns dyndns-custom dyndns-static dyns easydns eurodns freedns freedns-v6 glesys googledomains gratisdns he-net he-net-v6 he-net-tunnelbroker loopia namecheap noip noip-free ods opendns ovh-dynhost route53 selfhost spdyn spdyn-v6 zoneedit'); +define('DYNDNS_PROVIDER_DESCRIPTIONS', 'City Network,CloudFlare,Custom,Custom (v6),DNSexit,DNSimple,DNS Made Easy,DNS-O-Matic,DynDNS (dynamic),DynDNS (custom),DynDNS (static),DyNS,easyDNS,Euro Dns,freeDNS,freeDNS (v6),GleSYS,Google Domains,GratisDNS,HE.net,HE.net (v6),HE.net Tunnelbroker,Loopia,Namecheap,No-IP,No-IP (free),ODS.org,OpenDNS,OVH DynHOST,Route 53,SelfHost,SPDYN,SPDYN (v6),ZoneEdit'); /* implement ipv6 route advertising daemon */ function services_radvd_configure($blacklist = array()) { 
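Review bot: The provider identifiers `spdns` and `spdns-v6` are renamed to `spdyn`/`spdyn-v6` in DYNDNS_PROVIDER_VALUES; existing config entries that still carry the old type will no longer match the value list, so unless a config-upgrade step rewrites them (not visible in this diff) those dyndns entries silently stop matching a provider. Either keep the old identifiers as accepted aliases or add the migration. A short comment above the two defines noting that they are matched by position and must be edited together would also help, since the `freedns-v6` entry had to be inserted at the same index in both.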
@@ -131,6 +131,10 @@ function services_radvd_configure($blacklist = array()) { $ifcfgsnv6 = get_interface_subnetv6($dhcpv6if); $subnetv6 = gen_subnetv6($ifcfgipv6, $ifcfgsnv6); + if (!is_subnetv6($subnetv6 . "/" . $ifcfgsnv6)) { + log_error("radvd: skipping configuration for interface $dhcpv6if because its subnet or prefix length is invalid."); + continue; + } $radvdifs[$realif] = $realif; $radvdconf .= "# Generated for DHCPv6 Server $dhcpv6if\n"; @@ -139,8 +143,22 @@ function services_radvd_configure($blacklist = array()) { $radvdconf .= "\tUnicastOnly on;\n"; } $radvdconf .= "\tAdvSendAdvert on;\n"; - $radvdconf .= "\tMinRtrAdvInterval 5;\n"; - $radvdconf .= "\tMaxRtrAdvInterval 20;\n"; + + if (is_numericint($dhcpv6ifconf['raminrtradvinterval'])) { + $radvdconf .= "\tMinRtrAdvInterval {$dhcpv6ifconf['raminrtradvinterval']};\n"; + } else { + $radvdconf .= "\tMinRtrAdvInterval 5;\n"; + } + + if (is_numericint($dhcpv6ifconf['ramaxrtradvinterval'])) { + $radvdconf .= "\tMaxRtrAdvInterval {$dhcpv6ifconf['ramaxrtradvinterval']};\n"; + } else { + $radvdconf .= "\tMaxRtrAdvInterval 20;\n"; + } + if (is_numericint($dhcpv6ifconf['raadvdefaultlifetime'])) { + $radvdconf .= "\tAdvDefaultLifetime {$dhcpv6ifconf['raadvdefaultlifetime']};\n"; + } + $mtu = get_interface_mtu($realif); if (is_numeric($mtu)) { $radvdconf .= "\tAdvLinkMTU {$mtu};\n"; 
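Review bot: The new `MinRtrAdvInterval`/`MaxRtrAdvInterval` values are taken from `$dhcpv6ifconf` after only an is_numericint() check; radvd requires MinRtrAdvInterval to be between 3 and 0.75 × MaxRtrAdvInterval, and AdvDefaultLifetime to be 0 or between MaxRtrAdvInterval and 9000, so a pair that passes is_numericint() but violates those bounds makes radvd reject the generated config for every interface. Unless the input page already enforces the relationship, validate it here (the @@ -333 hunk has the same shape) and fall back to the defaults with a log_error() naming the interface. The new `log_error("radvd: skipping configuration ...")` string is also not wrapped in gettext(), unlike the other messages in this file. services_radvd_configure continues outside the hunk.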
@@ -333,8 +351,16 @@ function services_radvd_configure($blacklist = array()) { $radvdconf .= "# Generated config for {$autotype} delegation from {$trackif} on {$if}\n"; $radvdconf .= "interface {$realif} {\n"; $radvdconf .= "\tAdvSendAdvert on;\n"; - $radvdconf .= "\tMinRtrAdvInterval 3;\n"; - $radvdconf .= "\tMaxRtrAdvInterval 10;\n"; + if (is_numericint($dhcpv6ifconf['raminrtradvinterval'])) { + $radvdconf .= "\tMinRtrAdvInterval {$dhcpv6ifconf['raminrtradvinterval']};\n"; + } else { + $radvdconf .= "\tMinRtrAdvInterval 5;\n"; + } + if (is_numericint($dhcpv6ifconf['ramaxrtradvinterval'])) { + $radvdconf .= "\tMaxRtrAdvInterval {$dhcpv6ifconf['ramaxrtradvinterval']};\n"; + } else { + $radvdconf .= "\tMaxRtrAdvInterval 10;\n"; + } $mtu = get_interface_mtu($realif); if (is_numeric($mtu)) { $radvdconf .= "\tAdvLinkMTU {$mtu};\n"; @@ -342,7 +368,7 @@ function services_radvd_configure($blacklist = array()) { $radvdconf .= "\tAdvLinkMTU 1280;\n"; } $radvdconf .= "\tAdvOtherConfigFlag on;\n"; - $radvdconf .= "\t\tprefix {$subnetv6}/{$ifcfgsnv6} {\n"; + $radvdconf .= "\tprefix {$subnetv6}/{$ifcfgsnv6} {\n"; $radvdconf .= "\t\tAdvOnLink on;\n"; $radvdconf .= "\t\tAdvAutonomous on;\n"; $radvdconf .= "\t\tAdvRouterAddr on;\n"; @@ -705,7 +731,7 @@ EOPP; if ($octet < $start_octet) { continue; } - $ptr_domain .= (empty($ptr_domain) ? '' : '.'); + $ptr_domain .= ((empty($ptr_domain) && $ptr_domain !== "0") ? '' : '.'); $ptr_domain .= $revsubnet[$octet]; } $ptr_domain .= ".in-addr.arpa"; @@ -1444,7 +1470,7 @@ EOD; $ntpservers[] = $ntpserver; } if (count($ntpservers) > 0) { - $dhcpdv6conf .= " option dhcp6.sntp-servers " . join(",", $dhcpv6ifconf['ntpserver']) . ";\n"; + $dhcpdv6conf .= " option dhcp6.sntp-servers " . join(",", $dhcpv6ifconf['ntpserver']) . ";\n"; } } // tftp-server-name 
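Review bot: The tracked-prefix branch in this hunk now reads `$dhcpv6ifconf['raminrtradvinterval']` and `['ramaxrtradvinterval']`, but this loop is not the one that assigned `$dhcpv6ifconf` in the -131 hunk; if the variable is not reassigned for the current interface before this point (the enclosing function starts outside the hunk), it still holds the last interface of the previous loop and its intervals leak into every tracked interface. A `$dhcpv6ifconf = $config['dhcpdv6'][$if];` (or equivalent) immediately before the new `if` blocks, with a comment saying which interface's settings apply, would make this explicit.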
@@ -1634,7 +1660,12 @@ EOD; fclose($igmpfl); unset($igmpconf); - mwexec_bg("/usr/local/sbin/igmpproxy -v {$g['tmp_path']}/igmpproxy.conf"); + if (isset($config['syslog']['igmpxverbose'])) { + mwexec_bg("/usr/local/sbin/igmpproxy -v {$g['tmp_path']}/igmpproxy.conf"); + } else { + mwexec_bg("/usr/local/sbin/igmpproxy {$g['tmp_path']}/igmpproxy.conf"); + } + log_error(gettext("Started IGMP proxy service.")); return 0; @@ -1963,7 +1994,7 @@ function services_dyndns_configure($int = "") { } function dyndnsCheckIP($int) { - global $config; + global $config, $factory_default_checkipservice; $ip_address = get_interface_ip($int); if (is_private_ip($ip_address)) { $gateways_status = return_gateways_status(true); 
@@ -1972,14 +2003,35 @@ function dyndnsCheckIP($int) { if (stristr($gateways_status[$config['interfaces'][$int]['gateway']]['status'], "down")) { return "down"; } - $hosttocheck = "http://checkip.dyndns.org"; + + // Append the factory default check IP service to the list (if not disabled). + if (!isset($config['checkipservices']['disable_factory_default'])) { + $config['checkipservices']['checkipservice'][] = $factory_default_checkipservice; + } + + // Use the first enabled check IP service as the default. + if (is_array($config['checkipservices']['checkipservice'])) { + foreach ($config['checkipservices']['checkipservice'] as $i => $checkipservice) { + if (isset($checkipservice['enable'])) { + $url = $checkipservice['url']; + $username = $checkipservice['username']; + $password = $checkipservice['password']; + $verifysslpeer = isset($checkipservice['verifysslpeer']); + break; + } + } + } + + $hosttocheck = $url; $ip_ch = curl_init($hosttocheck); curl_setopt($ip_ch, CURLOPT_RETURNTRANSFER, 1); - curl_setopt($ip_ch, CURLOPT_SSL_VERIFYPEER, FALSE); + curl_setopt($ip_ch, CURLOPT_SSL_VERIFYPEER, $verifysslpeer); curl_setopt($ip_ch, CURLOPT_INTERFACE, 'host!' . $ip_address); curl_setopt($ip_ch, CURLOPT_CONNECTTIMEOUT, '30'); curl_setopt($ip_ch, CURLOPT_TIMEOUT, 120); curl_setopt($ip_ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4); + curl_setopt($ip_ch, CURLOPT_HTTPAUTH, CURLAUTH_ANY); + curl_setopt($ip_ch, CURLOPT_USERPWD, "{$username}:{$password}"); $ip_result_page = curl_exec($ip_ch); curl_close($ip_ch); $ip_result_decoded = urldecode($ip_result_page); @@ -2581,7 +2633,7 @@ function configure_cron() { if (is_array($config['cron']['item'])) { $crontab_contents .= "#\n"; - $crontab_contents .= "# " . gettext("pfSense specific crontab entries") . "\n"; + $crontab_contents .= "# pfSense specific crontab entries\n"; $crontab_contents .= "# " .gettext("Created:") . " " . date("F j, Y, g:i a") . "\n"; $crontab_contents .= "#\n"; 
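Review bot: `$config['checkipservices']['checkipservice'][] = $factory_default_checkipservice;` appends to the global `$config` on every call, so the factory entry is duplicated each time dyndnsCheckIP runs and, if `write_config()` runs later in the same process, is persisted into the configuration. In the same hunk `$url`, `$username`, `$password` and `$verifysslpeer` are only assigned inside the loop, so with no enabled service `$hosttocheck` is null and `CURLOPT_SSL_VERIFYPEER` is set to null, i.e. TLS verification is silently disabled on the failure path instead of the request being refused; `CURLOPT_USERPWD` is also sent even when no credentials are configured. Build the list in a local copy, default `$verifysslpeer` to true, bail out when no URL was selected, and only attach credentials when present, as below.
```php
	// Work on a local copy so the factory default is never appended to the global $config.
	$services = array();
	if (is_array($config['checkipservices']['checkipservice'])) {
		$services = $config['checkipservices']['checkipservice'];
	}
	if (!isset($config['checkipservices']['disable_factory_default'])) {
		$services[] = $factory_default_checkipservice;
	}

	// Fail closed: verify the peer unless the selected service explicitly disables it.
	$url = "";
	$username = "";
	$password = "";
	$verifysslpeer = true;
	foreach ($services as $checkipservice) {
		if (isset($checkipservice['enable'])) {
			$url = $checkipservice['url'];
			$username = $checkipservice['username'];
			$password = $checkipservice['password'];
			$verifysslpeer = isset($checkipservice['verifysslpeer']);
			break;
		}
	}
	if (empty($url)) {
		log_error("dyndnsCheckIP: no enabled check IP service is configured.");
		return "down"; // NOTE(review): use whatever the callers treat as a failed lookup; the function's tail is outside the hunk
	}

	$hosttocheck = $url;
	// … unchanged: curl_init, RETURNTRANSFER, INTERFACE, timeouts, IPRESOLVE …
	curl_setopt($ip_ch, CURLOPT_SSL_VERIFYPEER, $verifysslpeer);
	if ($username !== "" || $password !== "") {
		curl_setopt($ip_ch, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
		curl_setopt($ip_ch, CURLOPT_USERPWD, "{$username}:{$password}");
	}
```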
diff --git a/src/etc/inc/shaper.inc b/src/etc/inc/shaper.inc index 33266fb..b0b3ab3 100644 --- a/src/etc/inc/shaper.inc +++ b/src/etc/inc/shaper.inc @@ -881,7 +881,7 @@ class altq_root_queue { $section->addInput(new Form_Input( 'tbrconfig', - 'TRB Size', + 'TBR Size', 'number', $this->GetTbrConfig() ))->setHelp('Adjusts the size, in bytes, of the token bucket regulator. If not specified, heuristics based on the interface ' . @@ -3315,7 +3315,7 @@ class dummynet_class { if ($data['plr'] && (!is_numeric($data['plr']) || ($data['plr'] < 0) || ($data['plr'] > 1))) { - $input_errors[] = gettext("Plr must be a value between 0 and 1."); + $input_errors[] = gettext("Packet Loss Rate must be a value between 0 and 1."); } if ($data['buckets'] && (!is_numeric($data['buckets']) || ($data['buckets'] < 16) || ($data['buckets'] > 65535))) { @@ -3332,12 +3332,12 @@ class dummynet_class { } if (isset($data['maskbits']) && ($data['maskbits'] <> "")) { if ((!is_numeric($data['maskbits'])) || ($data['maskbits'] <= 0) || ($data['maskbits'] > 32)) { - $input_errors[] = gettext("IPV4 bit mask must be blank or numeric value between 1 and 32."); + $input_errors[] = gettext("IPv4 bit mask must be blank or numeric value between 1 and 32."); } } if (isset($data['maskbitsv6']) && ($data['maskbitsv6'] <> "")) { if ((!is_numeric($data['maskbitsv6'])) || ($data['maskbitsv6'] <= 0) || ($data['maskbitsv6'] > 128)) { - $input_errors[] = gettext("IPV6 bit mask must be blank or numeric value between 1 and 128."); + $input_errors[] = gettext("IPv6 bit mask must be blank or numeric value between 1 and 128."); } } } 
@@ -3433,7 +3433,7 @@ class dnpipe_class extends dummynet_class { $q->ReadConfig($queue); $q->validate_input($queue, $input_errors); if (count($input_errors)) { - log_error(sprintf(gettext('SHAPER: could not create queue %1$s on interface %2$s because: %3$s'), $q->GetQname(), $interface, print_r($input_errors, true))); + log_error(sprintf(gettext('SHAPER: Could not create queue %1$s on interface %2$s because: %3$s'), $q->GetQname(), $interface, print_r($input_errors, true))); return $q; } $number = dnqueue_find_nextnumber(); @@ -3500,13 +3500,13 @@ class dnpipe_class extends dummynet_class { } } if ($schedule == 0 && $entries > 1) { - $input_errors[] = gettext("A schedule needs to be specified for every additional entry"); + $input_errors[] = gettext("A schedule needs to be specified for every additional entry."); } if ($schedulenone > 0 && $entries > 1) { - $input_errors[] = gettext("If more than one bandwidth configured all schedules need to be selected"); + $input_errors[] = gettext("If more than one bandwidth configured all schedules need to be selected."); } if ($entries == 0) { - $input_errors[] = gettext("At least one bw specification is necessary"); + $input_errors[] = gettext("At least one bw specification is necessary."); } if ($data['delay'] && (!is_numeric($data['delay']))) { $input_errors[] = gettext("Delay must be an integer."); @@ -3879,15 +3879,6 @@ EOD; $bandwidth = $this->GetBandwidth(); - // Delete a row -// if(isset($_GET['delbwrow']) && (count($bandwidth) > 0)) -// unset($bandwidth[$_GET['delbwrow']]); - - // Add a row -// if($_GET['newbwrow']) { -// array_push($bandwidth, array(count($bandwidth) => array('bw' => '', 'burst' => '', 'bwscale' => 'Kb', 'bwsched' => 'none') )); -// } - if (is_array($bandwidth)) { $section->addInput(new Form_StaticText( 'Bandwidth', 
@@ -3913,14 +3904,14 @@ EOD; null, $mask['bits'], array_combine(range(32, 1, -1), range(32, 1, -1)) - ))->setHelp('IPV4 mask bits' . '<br />' . '255.255.255.255/?'); + ))->setHelp('IPv4 mask bits' . '<br />' . '255.255.255.255/?'); $group->add(new Form_Select( 'maskbitsv6', null, $mask['bitsv6'], array_combine(range(128, 1, -1), range(128, 1, -1)) - ))->setHelp('IPV6 mask bits' . '<br />' . '<span style="font-family:consolas">ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/?</span>'); + ))->setHelp('IPv6 mask bits' . '<br />' . '<span style="font-family:consolas">ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/?</span>'); $section->add($group); @@ -3940,7 +3931,7 @@ EOD; 'Delay (ms)', 'text', $this->GetDelay() > 0 ? $this->GetDelay():null - ))->setHelp('In most cases, zero (0) should specified here (or leave the field empty)'); + ))->setHelp('In most cases, zero (0) should specified here (or leave the field empty).'); $section->addInput(new Form_Input( 'plr', @@ -3949,7 +3940,7 @@ EOD; $this->GetPlr(), ['step' => '0.001', 'min' => '0.000'] ))->setHelp('In most cases, zero (0) should be specified here (or leave the field empty). ' . - 'A value of 0.001 means one packet in 1000 gets dropped'); + 'A value of 0.001 means one packet in 1000 gets dropped.'); $section->addInput(new Form_Input( 'qlimit', @@ -3964,7 +3955,7 @@ EOD; 'Bucket size (slots)', 'number', $this->GetBuckets() - ))->setHelp('In most cases, this field should be left empty. It increases the hash size set'); + ))->setHelp('In most cases, this field should be left empty. It increases the hash size set.'); $sform->add($section); 
@@ -4217,14 +4208,14 @@ class dnqueue_class extends dummynet_class { null, $mask['bits'], array_combine(range(32, 1, -1), range(32, 1, -1)) - ))->setHelp('IPV4 mask bits' . '<br />' . '255.255.255.255/?'); + ))->setHelp('IPv4 mask bits' . '<br />' . '255.255.255.255/?'); $group->add(new Form_Select( 'maskbitsv6', null, $mask['bitsv6'], array_combine(range(128, 1, -1), range(128, 1, -1)) - ))->setHelp('IPV6 mask bits' . '<br />' . '<span style="font-family:consolas">ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/?</span>'); + ))->setHelp('IPv6 mask bits' . '<br />' . '<span style="font-family:consolas">ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/?</span>'); $section->add($group); @@ -4613,18 +4604,26 @@ function filter_generate_dummynet_rules() { read_dummynet_config(); $dn_rules = ""; + $max_qlimit = "100"; // OS default foreach ($dummynet_pipe_list as $dn) { $dn_rules .= $dn->build_rules(); + $this_qlimit = $dn->GetQlimit(); + if ($this_qlimit > $max_qlimit) { + $max_qlimit = $this_qlimit; + } + } + if (!is_numericint($max_qlimit)) { + $max_qlimit = "100"; } - if (!empty($dn_rules)) { if (!is_module_loaded("dummynet.ko")) { mwexec("/sbin/kldload dummynet"); - set_sysctl(array( - "net.inet.ip.dummynet.io_fast" => "1", - "net.inet.ip.dummynet.hash_size" => "256" - )); } + set_sysctl(array( + "net.inet.ip.dummynet.io_fast" => "1", + "net.inet.ip.dummynet.hash_size" => "256", + "net.inet.ip.dummynet.pipe_slot_limit" => $max_qlimit + )); file_put_contents("{$g['tmp_path']}/rules.limiter", $dn_rules); mwexec("/sbin/ipfw {$g['tmp_path']}/rules.limiter"); } 
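Review bot: In filter_generate_dummynet_rules (-4613 hunk) `if ($this_qlimit > $max_qlimit)` accepts a non-numeric `GetQlimit()` result: under PHP's loose comparison a non-numeric string can compare greater than `"100"`, become `$max_qlimit`, and the later `is_numericint()` check then resets the whole result to 100, discarding the legitimate maximum collected from the other pipes. Guard each candidate instead, `if (is_numericint($this_qlimit) && $this_qlimit > $max_qlimit) {`, and initialise `$max_qlimit = 100;` as an integer so the `net.inet.ip.dummynet.pipe_slot_limit` sysctl is always derived from validated values. The `// OS default` comment would also be more useful as `// net.inet.ip.dummynet.pipe_slot_limit default; raised to the largest configured qlimit`.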
@@ -4667,9 +4666,14 @@ function build_iface_without_this_queue($iface, $qname) { } $default_shaper_msg = sprintf(gettext("Welcome to the %s Traffic Shaper."), $g['product_name']) . "<br />"; -$default_shaper_msg .= gettext("The tree on the left navigates through the queues.<br />" - . "Buttons at the bottom represent queue actions and are activated accordingly."); - $dn_default_shaper_msg = $default_shaper_msg; +$shaper_msg = gettext("The tree on the left navigates through the %s."); +$default_shaper_msg .= sprintf($shaper_msg, gettext("queues")) . "<br />"; +$dn_default_shaper_msg .= sprintf($shaper_msg, gettext("limiters")) . "<br />"; + +$shaper_msg = gettext("Buttons at the bottom represent %s actions and are activated accordingly."); +$default_shaper_msg .= sprintf($shaper_msg, gettext("queue")); +$dn_default_shaper_msg .= sprintf($shaper_msg, gettext("limiter")); + ?> diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc index dc8f902..f0b53d7 100644 --- a/src/etc/inc/system.inc +++ b/src/etc/inc/system.inc @@ -352,11 +352,11 @@ function system_hosts_generate() { if ($config['interfaces']['lan']) { $cfgip = get_interface_ip("lan"); if (is_ipaddr($cfgip)) { - $hosts .= "{$cfgip} {$syscfg['hostname']}.{$syscfg['domain']} {$syscfg['hostname']}\n"; + $hosts .= "{$cfgip} {$syscfg['hostname']}.{$syscfg['domain']}\n"; } $cfgipv6 = get_interface_ipv6("lan"); if (is_ipaddrv6($cfgipv6)) { - $hosts .= "{$cfgipv6} {$syscfg['hostname']}.{$syscfg['domain']} {$syscfg['hostname']}\n"; + $hosts .= "{$cfgipv6} {$syscfg['hostname']}.{$syscfg['domain']}\n"; } } else { $sysiflist = get_configured_interface_list(); 
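Review bot: In system_hosts_generate (the system.inc hunk at -352) every `/etc/hosts` line loses its trailing bare hostname alias, so the short name no longer resolves through the hosts file and now depends on the resolver's search domain; the same change is repeated in the hunks at -365, -387, -396, -407 and -431 and mirrored in unbound_add_host_entries (-626). If this is intentional, the reason belongs in a comment at the first occurrence, e.g. `// Only the FQDN is listed; the short name is resolved via the search domain`, since the change is otherwise easy to mistake for an accidental regression during a later merge.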
@@ -365,12 +365,12 @@ function system_hosts_generate() { if (!interface_has_gateway($sysif)) { $cfgip = get_interface_ip($sysif); if (is_ipaddr($cfgip)) { - $hosts .= "{$cfgip} {$syscfg['hostname']}.{$syscfg['domain']} {$syscfg['hostname']}\n"; + $hosts .= "{$cfgip} {$syscfg['hostname']}.{$syscfg['domain']}\n"; $hosts_if_found = true; } $cfgipv6 = get_interface_ipv6($sysif); if (is_ipaddrv6($cfgipv6)) { - $hosts .= "{$cfgipv6} {$syscfg['hostname']}.{$syscfg['domain']} {$syscfg['hostname']}\n"; + $hosts .= "{$cfgipv6} {$syscfg['hostname']}.{$syscfg['domain']}\n"; $hosts_if_found = true; } if ($hosts_if_found == true) { @@ -387,7 +387,7 @@ function system_hosts_generate() { foreach ($dnsmasqcfg['hosts'] as $host) { if ($host['host'] || $host['host'] == "0") { - $lhosts .= "{$host['ip']} {$host['host']}.{$host['domain']} {$host['host']}\n"; + $lhosts .= "{$host['ip']} {$host['host']}.{$host['domain']}\n"; } else { $lhosts .= "{$host['ip']} {$host['domain']}\n"; } @@ -396,7 +396,7 @@ function system_hosts_generate() { } foreach ($host['aliases']['item'] as $alias) { if ($alias['host'] || $alias['host'] == "0") { - $lhosts .= "{$host['ip']} {$alias['host']}.{$alias['domain']} {$alias['host']}\n"; + $lhosts .= "{$host['ip']} {$alias['host']}.{$alias['domain']}\n"; } else { $lhosts .= "{$host['ip']} {$alias['domain']}\n"; } 
@@ -407,11 +407,11 @@ function system_hosts_generate() { if (is_array($dhcpifconf['staticmap']) && isset($dhcpifconf['enable'])) { foreach ($dhcpifconf['staticmap'] as $host) { if ($host['ipaddr'] && $host['hostname'] && $host['domain']) { - $dhosts .= "{$host['ipaddr']} {$host['hostname']}.{$host['domain']} {$host['hostname']}\n"; + $dhosts .= "{$host['ipaddr']} {$host['hostname']}.{$host['domain']}\n"; } else if ($host['ipaddr'] && $host['hostname'] && $dhcpifconf['domain']) { - $dhosts .= "{$host['ipaddr']} {$host['hostname']}.{$dhcpifconf['domain']} {$host['hostname']}\n"; + $dhosts .= "{$host['ipaddr']} {$host['hostname']}.{$dhcpifconf['domain']}\n"; } else if ($host['ipaddr'] && $host['hostname']) { - $dhosts .= "{$host['ipaddr']} {$host['hostname']}.{$syscfg['domain']} {$host['hostname']}\n"; + $dhosts .= "{$host['ipaddr']} {$host['hostname']}.{$syscfg['domain']}\n"; } } } @@ -431,11 +431,11 @@ function system_hosts_generate() { $ipaddrv6 = merge_ipv6_delegated_prefix(get_interface_ipv6($dhcpif), $ipaddrv6, $pdlen); } if ($host['domain']) { - $dhosts .= "{$ipaddrv6} {$host['hostname']}.{$host['domain']} {$host['hostname']}\n"; + $dhosts .= "{$ipaddrv6} {$host['hostname']}.{$host['domain']}\n"; } else if ($dhcpifconf['domain']) { - $dhosts .= "{$ipaddrv6} {$host['hostname']}.{$dhcpifconf['domain']} {$host['hostname']}\n"; + $dhosts .= "{$ipaddrv6} {$host['hostname']}.{$dhcpifconf['domain']}\n"; } else { - $dhosts .= "{$ipaddrv6} {$host['hostname']}.{$syscfg['domain']} {$host['hostname']}\n"; + $dhosts .= "{$ipaddrv6} {$host['hostname']}.{$syscfg['domain']}\n"; } } } 
@@ -745,6 +745,10 @@ function system_staticroutes_configure($interface = "", $update_dns = false) { if (is_subnet($ip)) { if (is_ipaddr($gatewayip)) { + if (is_linklocal($gatewayip) == "6" && !strpos($gatewayip, '%')) { + // add interface scope for link local v6 routes + $gatewayip .= "%$interfacegw"; + } mwexec($cmd . escapeshellarg($gatewayip)); if (isset($config['system']['route-debug'])) { $mt = microtime(); @@ -1297,7 +1301,6 @@ http { server_tokens off; sendfile on; - keepalive_timeout 65; access_log syslog:server=unix:/var/run/log,facility=local5 combined; @@ -1305,6 +1308,9 @@ EOD; if ($captive_portal !== false) { $nginx_config .= "\tlimit_conn_zone \$binary_remote_addr zone=addr:10m;\n"; + $nginx_config .= "\tkeepalive_timeout 0;\n"; + } else { + $nginx_config .= "\tkeepalive_timeout 75;\n"; } if ($cert <> "" and $key <> "") { @@ -1361,7 +1367,7 @@ EOD; $nginx_config .= <<<EOD root "{$document_root}"; location / { - index index.html index.htm index.php; + index index.php index.html index.htm; } location ~ \.php$ { @@ -1543,7 +1549,7 @@ function system_ntp_setup_gps($serialport) { /* Add /etc/remote entry in case we need to read from the GPS with tip */ if (intval(`grep -c '^gps0' /etc/remote`) == 0) { - @file_put_contents("/etc/remote", "gps0:dv={$serialport}:br#{$gpsbaud}:pa=none:", FILE_APPEND); + @file_put_contents("/etc/remote", "gps0:dv={$serialport}:br#{$gpsbaud}:pa=none:\n", FILE_APPEND); } conf_mount_ro(); @@ -1956,20 +1962,6 @@ function system_do_shell_commands($early = 0) { } } -function system_console_configure() { - global $config, $g; - if (isset($config['system']['developerspew'])) { - $mt = microtime(); - echo "system_console_configure() being called $mt\n"; - } - - if (isset($config['system']['disableconsolemenu'])) { - touch("{$g['varetc_path']}/disableconsole"); - } else { - unlink_if_exists("{$g['varetc_path']}/disableconsole"); - } -} - function system_dmesg_save() { global $g; if (isset($config['system']['developerspew'])) { 
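Review bot: `!strpos($gatewayip, '%')` in system_staticroutes_configure (-745 hunk) relies on `strpos()` never returning 0 here; that holds only because a valid IPv6 address cannot start with `%`, and the idiom reads as a bug to the next maintainer. Write it as `strpos($gatewayip, '%') === false` and, since `is_linklocal()` is compared with `== "6"`, add a comment stating what that helper returns (a boolean `true` also satisfies this loose comparison, so the intent should be spelled out); `$interfacegw` is assigned outside the hunk, so the enclosing function's start should be checked to confirm it is set for this route.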
@@ -2001,6 +1993,9 @@ function system_dmesg_save() { fclose($fd); unset($dmesg); + + // vm-bhyve expects dmesg.boot at the standard location + @symlink("{$g['varlog_path']}/dmesg.boot", "{$g['varrun_path']}/dmesg.boot"); return 0; } @@ -2170,9 +2165,11 @@ function system_identify_specific_platform() { $hw_model = get_single_sysctl('hw.model'); /* Try to guess from smbios strings */ - unset($output); - $_gb = exec('/bin/kenv smbios.system.product 2>/dev/null', $output); - switch ($output[0]) { + unset($product); + unset($maker); + $_gb = exec('/bin/kenv smbios.system.product 2>/dev/null', $product); + $_gb = exec('/bin/kenv smbios.system.maker 2>/dev/null', $maker); + switch ($product[0]) { case 'FW7541': return (array('name' => 'FW7541', 'descr' => 'Netgate FW7541')); break; @@ -2212,6 +2209,11 @@ function system_identify_specific_platform() { case 'SYS-5018D-FN4T': return (array('name' => 'XG-1540', 'descr' => 'Super Micro XG-1540')); break; + case 'Virtual Machine': + if ($maker[0] == "Microsoft Corporation") { + return (array('name' => 'Hyper-V', 'descr' => 'Hyper-V Virtual Machine')); + } + break; } /* the rest of the code only deals with 'embedded' platforms */ diff --git a/src/etc/inc/unbound.inc b/src/etc/inc/unbound.inc index 8a678a4..5d006bf 100644 --- a/src/etc/inc/unbound.inc +++ b/src/etc/inc/unbound.inc @@ -581,12 +581,11 @@ function unbound_add_domain_overrides($pvt_rev="", $cfgsubdir = "") { $domain_entries .= "local-zone: \"$domain\" typetransparent\n"; } } else { - $domain_entries .= "stub-zone:\n"; + $domain_entries .= "forward-zone:\n"; $domain_entries .= "\tname: \"$domain\"\n"; foreach ($ips as $ip) { - $domain_entries .= "\tstub-addr: $ip\n"; + $domain_entries .= "\tforward-addr: $ip\n"; } - $domain_entries .= "\tstub-prime: no\n"; } } 
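Review bot: `@symlink(...)` in system_dmesg_save (-2001 hunk) fails with EEXIST on every call after the first when `$g['varrun_path']` persists between runs, and the `@` hides that; the link is then never refreshed if the target path changes. Guard it instead of suppressing the warning: `if (!is_link("{$g['varrun_path']}/dmesg.boot")) { @symlink("{$g['varlog_path']}/dmesg.boot", "{$g['varrun_path']}/dmesg.boot"); }`, and note in the comment that the link is best-effort.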
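Review bot: Switching domain overrides from `stub-zone` to `forward-zone` in unbound_add_domain_overrides (the unbound.inc hunk at -581) changes the trust model, not just the keyword: unbound now sends recursive queries to the override server and accepts whatever it returns, whereas a stub zone treated the listed addresses as authoritative and resolved downward itself. That is the intended behaviour for overrides pointing at an internal recursive resolver, but it should be stated at the emission point, e.g. `// forward-zone: send recursive queries to the override servers (stub-zone expected authoritative servers, see Redmine)`, and anything that relied on `stub-prime` being disabled should be re-checked.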
@@ -626,9 +625,6 @@ function unbound_add_host_entries($cfgsubdir = "") { $added_ptr[$host['ipaddr']] = true; } $unbound_entries .= "local-data: \"{$host['fqdn']} {$type} {$host['ipaddr']}\"\n"; - if (isset($host['name'])) { - $unbound_entries .= "local-data: \"{$host['name']} {$type} {$host['ipaddr']}\"\n"; - } } // Write out entries diff --git a/src/etc/inc/upgrade_config.inc b/src/etc/inc/upgrade_config.inc index 2d0ab84..52aa482 100644 --- a/src/etc/inc/upgrade_config.inc +++ b/src/etc/inc/upgrade_config.inc @@ -54,10 +54,10 @@ */ if (!function_exists("dump_rrd_to_xml")) { - require("rrd.inc"); + require_once("rrd.inc"); } if (!function_exists("read_altq_config")) { - require("shaper.inc"); + require_once("shaper.inc"); } /* Upgrade functions must be named: @@ -3487,8 +3487,8 @@ function upgrade_104_to_105() { } function upgrade_105_to_106() { - - /* NOTE: This entry can be reused for something else since the upgrade code was reverted */ + /* NOTE: This upgrade code was reverted. See redmine ticket #3967 and + https://github.com/pfsense/pfsense/commit/6f55af1c25f5232ffe905a90f5f97aad4c87bdfa */ } function upgrade_106_to_107() { @@ -4134,7 +4134,7 @@ function upgrade_129_to_130() { /* Change OpenVPN topology_subnet checkbox into topology multi-select #5526 */ if (is_array($config['openvpn']) && is_array($config['openvpn']['openvpn-server'])) { foreach ($config['openvpn']['openvpn-server'] as & $serversettings) { - if (isset($serversettings['topology_subnet'])) { + if (strtolower($serversettings['topology_subnet']) == "yes") { unset($serversettings['topology_subnet']); $serversettings['topology'] = "subnet"; } else { 
@@ -4147,6 +4147,12 @@ function upgrade_129_to_130() { function upgrade_130_to_131() { global $config; + // Default dpinger parameters at time of this upgrade (2.3) + $default_interval = 500; + $default_alert_interval = 1000; + $default_loss_interval = 2000; + $default_time_period = 60000; + if (isset($config['syslog']['apinger'])) { $config['syslog']['dpinger'] = true; unset($config['syslog']['apinger']); 
@@ -4161,35 +4167,76 @@ function upgrade_130_to_131() { return; } - foreach ($config['gateways']['gateway_item'] as &$gw) { - // dpinger uses milliseconds - if (isset($gw['interval']) && - is_numeric($gw['interval'])) { - $gw['interval'] = $gw['interval'] * 1000; - } - if (isset($gw['down']) && - is_numeric($gw['down'])) { - $gw['loss_interval'] = $gw['down'] * 1000; - unset($gw['down']); - } + if (is_array($config['gateways']['gateway_item'])) { + foreach ($config['gateways']['gateway_item'] as &$gw) { + // dpinger uses milliseconds + if (isset($gw['interval']) && + is_numeric($gw['interval'])) { + $gw['interval'] = $gw['interval'] * 1000; + } - if (isset($gw['avg_delay_samples'])) { - unset($gw['avg_delay_samples']); - } - if (isset($gw['avg_delay_samples_calculated'])) { - unset($gw['avg_delay_samples_calculated']); - } - if (isset($gw['avg_loss_samples'])) { - unset($gw['avg_loss_samples']); - } - if (isset($gw['avg_loss_samples_calculated'])) { - unset($gw['avg_loss_samples_calculated']); - } - if (isset($gw['avg_loss_delay_samples'])) { - unset($gw['avg_loss_delay_samples']); - } - if (isset($gw['avg_loss_delay_samples_calculated'])) { - unset($gw['avg_loss_delay_samples_calculated']); + if (isset($gw['interval'])) { + $effective_interval = $gw['interval']; + } else { + $effective_interval = $default_interval; + } + + if (isset($gw['down']) && + is_numeric($gw['down'])) { + $gw['time_period'] = $gw['down'] * 1000; + unset($gw['down']); + } + + if (isset($gw['time_period'])) { + $effective_time_period = $gw['time_period']; + } else { + $effective_time_period = $default_time_period; + } + + if (isset($gw['latencyhigh'])) { + // Default loss_interval is 2000, but must be set + // higher if latencyhigh is higher. 
+ if ($gw['latencyhigh'] > $default_loss_interval) { + $gw['loss_interval'] = $gw['latencyhigh']; + } + } + + if (isset($gw['loss_interval'])) { + $effective_loss_interval = $gw['loss_interval']; + } else { + $effective_loss_interval = $default_loss_interval; + } + + if (isset($gw['interval'])) { + // Default alert_interval is 1000, but must be set + // higher if interval is higher. + if ($gw['interval'] > $default_alert_interval) { + $gw['alert_interval'] = $gw['interval']; + } + } + + if ((($effective_interval * 2) + $effective_loss_interval) >= $effective_time_period) { + $gw['time_period'] = ($effective_interval * 2) + $effective_loss_interval + 1; + } + + if (isset($gw['avg_delay_samples'])) { + unset($gw['avg_delay_samples']); + } + if (isset($gw['avg_delay_samples_calculated'])) { + unset($gw['avg_delay_samples_calculated']); + } + if (isset($gw['avg_loss_samples'])) { + unset($gw['avg_loss_samples']); + } + if (isset($gw['avg_loss_samples_calculated'])) { + unset($gw['avg_loss_samples_calculated']); + } + if (isset($gw['avg_loss_delay_samples'])) { + unset($gw['avg_loss_delay_samples']); + } + if (isset($gw['avg_loss_delay_samples_calculated'])) { + unset($gw['avg_loss_delay_samples_calculated']); + } } } } @@ -4273,16 +4320,20 @@ function upgrade_134_to_135() { function upgrade_135_to_136() { global $config; + $l7_active = false; if (isset($config['l7shaper'])) { - file_notice("L7shaper", gettext("Layer 7 shaping is no longer supported. Its configuration has been removed.")); unset($config['l7shaper']); if (is_array($config['filter']['rule'])) { foreach ($config['filter']['rule'] as $idx => $rule) { if (isset($rule['l7container'])) { unset($config['filter']['rule'][$idx]['l7container']); + $l7_active = true; } } } + if ($l7_active) { + file_notice("L7shaper", gettext("Layer 7 shaping is no longer supported. Its configuration has been removed.")); + } } } 
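Review bot: In the rewritten upgrade_130_to_131 loop the legacy `down` value is now stored as `$gw['time_period'] = $gw['down'] * 1000;`, where the replaced code stored it in `loss_interval`; a comment explaining the remapping (and why the old target was wrong) would stop the next reader from treating it as a typo. The `is_numeric()` checks only gate the `* 1000` conversions: a set-but-non-numeric `interval`, `time_period`, `loss_interval` or `latencyhigh` still flows straight into the `($effective_interval * 2) + $effective_loss_interval` arithmetic and can write a nonsensical `time_period` back into the config, so each `$effective_* = $gw[...]` assignment should also require `is_numeric()`. The same pattern recurs in upgrade_150_to_151 in the -4787 hunk.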
@@ -4356,6 +4407,7 @@ function upgrade_140_to_141() { global $config; // retain OpenVPN's net30 default topology for upgraded client configs so they still work + // This is for 2.3 ALPHA to a later 2.3, not 2.2.x upgrades, which had no topology setting on clients if (is_array($config['openvpn']) && is_array($config['openvpn']['openvpn-client'])) { foreach ($config['openvpn']['openvpn-client'] as $idx => $ovpnclient) { if (!isset($ovpnclient['topology'])) { @@ -4718,13 +4770,6 @@ function upgrade_147_to_148() { // Ensure there are no spaces in group names by // replacing spaces with underscores if (is_array($config['system']['group'])) { - $exgrps = array(); - - // Make a list of the existing group names so we can check for dups - foreach ($config['system']['group'] as $grp) { - $exgrps[] = $grp['name']; - } - $cleargroups = false; foreach ($config['system']['group'] as $idx => $grp) { if (strstr($grp['name'], " ")) { 
@@ -4787,4 +4832,176 @@ function upgrade_149_to_150() { } } } + +function upgrade_150_to_151() { + global $config; + + // Default dpinger parameters at time of this upgrade (2.3.1) + $default_interval = 500; + $default_alert_interval = 1000; + $default_loss_interval = 2000; + $default_time_period = 60000; + $default_latencyhigh = 500; + + // Check advanced gateway parameter relationships in case they are incorrect + if (is_array($config['gateways']['gateway_item'])) { + foreach ($config['gateways']['gateway_item'] as &$gw) { + if (isset($gw['interval'])) { + $effective_interval = $gw['interval']; + } else { + $effective_interval = $default_interval; + } + + if (isset($gw['alert_interval'])) { + $effective_alert_interval = $gw['alert_interval']; + } else { + $effective_alert_interval = $default_alert_interval; + } + + if (isset($gw['loss_interval'])) { + $effective_loss_interval = $gw['loss_interval']; + } else { + $effective_loss_interval = $default_loss_interval; + } + + if (isset($gw['time_period'])) { + $effective_time_period = $gw['time_period']; + } else { + $effective_time_period = $default_time_period; + } + + if (isset($gw['latencyhigh'])) { + $effective_latencyhigh = $gw['latencyhigh']; + } else { + $effective_latencyhigh = $default_latencyhigh; + } + + // Loss interval has to be at least as big as high latency. + if ($effective_latencyhigh > $effective_loss_interval) { + $effective_loss_interval = $gw['loss_interval'] = $effective_latencyhigh; + } + + // Alert interval has to be at least as big as probe interval. + if ($effective_interval > $effective_alert_interval) { + $gw['alert_interval'] = $effective_interval; + } + + // The time period for averaging has to be more than 2 probes plus the loss interval. 
+ if ((($effective_interval * 2) + $effective_loss_interval) >= $effective_time_period) { + $gw['time_period'] = ($effective_interval * 2) + $effective_loss_interval + 1; + } + } + } +} + +function upgrade_151_to_152() { + global $g, $config; + + require_once("/etc/inc/services.inc"); + + // Remove these cron jobs on full install if not using ramdisk. + if (($g['platform'] == $g['product_name']) && !isset($config['system']['use_mfs_tmpvar'])) { + install_cron_job("/etc/rc.backup_rrd.sh", false); + install_cron_job("/etc/rc.backup_dhcpleases.sh", false); + } +} + +function upgrade_152_to_153() { + global $config; + + if (is_array($config['virtualip']['vip'])) { + foreach ($config['virtualip']['vip'] as $idx => $vip) { + if (substr($vip['interface'], 0, 4) == "_vip") { + // using new VIP format + continue; + } else if (strstr($vip['interface'], "_vip")) { + // using old VIP format, update + $config['virtualip']['vip'][$idx]['interface'] = get_vip_from_oldcarp($vip['interface']); + } + } + } + + // upgrade GIFs using VIP to new format + if (is_array($config['gifs']['gif'])) { + foreach ($config['gifs']['gif'] as $idx => $gif) { + if (substr($gif['if'], 0, 4) == "_vip") { + // using new VIP format + continue; + } else if (strstr($gif['if'], "_vip")) { + // using old VIP format, update + $config['gifs']['gif'][$idx]['if'] = get_vip_from_oldcarp($gif['if']); + } + } + } + + // upgrade GREs using VIP to new format + if (is_array($config['gres']['gre'])) { + foreach ($config['gres']['gre'] as $idx => $gre) { + if (substr($gre['if'], 0, 4) == "_vip") { + // using new VIP format + continue; + } else if (strstr($gre['if'], "_vip")) { + // using old VIP format, update + $config['gres']['gre'][$idx]['if'] = get_vip_from_oldcarp($gre['if']); + } + } + } + + // upgrade gateway groups using VIPs + if (is_array($config['gateways']['gateway_group'])) { + foreach ($config['gateways']['gateway_group'] as $idx => $gw) { + if (is_array($gw['item'])) { + $newitems = array(); + 
$gwvipchange = false; + foreach ($gw['item'] as $item) { + if (strstr($item, "|_vip")) { + // using new VIP format + $newitems[] = $item; + continue; + } else if (strstr($item, "_vip")) { + // using old VIP format, update + $gwitemarr = explode("|", $item); + $gwitemarr[2] = get_vip_from_oldcarp($gwitemarr[2]); + $newitems[] = implode("|", $gwitemarr); + $gwvipchange = true; + } else { + $newitems[] = $item; + } + } + if ($gwvipchange) { + $config['gateways']['gateway_group'][$idx]['item'] = $newitems; + } + } + } + } +} + +function upgrade_153_to_154() { + /* NOTE: This upgrade code was reverted. See redmine ticket #6118 and + https://github.com/pfsense/pfsense/commit/538a3c04a6b6671151e913b06b2f340b6f8ee222 */ +} + +/* Clean up old GRE/GIF options. See Redmine tickets #6586 and #6587 */ +function upgrade_154_to_155() { + global $config; + + if (is_array($config['gifs']['gif'])) { + foreach ($config['gifs']['gif'] as $idx => $gif) { + if (isset($gif['link0'])) { + unset($config['gifs']['gif'][$idx]['link0']); + } + } + } + + if (is_array($config['gres']['gre'])) { + foreach ($config['gres']['gre'] as $idx => $gre) { + if (isset($gre['link0'])) { + unset($config['gres']['gre'][$idx]['link0']); + } + if (isset($gre['link2'])) { + unset($config['gres']['gre'][$idx]['link2']); + } + } + } +} ?> diff --git a/src/etc/inc/util.inc b/src/etc/inc/util.inc index 7449dc8..1682914 100644 --- a/src/etc/inc/util.inc +++ b/src/etc/inc/util.inc 
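Review bot: In upgrade_152_to_153 the gateway-group branch does `$gwitemarr[2] = get_vip_from_oldcarp($gwitemarr[2]);` after only `strstr($item, "_vip")`, which proves `_vip` occurs somewhere in the item, not that field 2 exists; a malformed item with fewer than three `|` fields reaches the helper with an undefined index and is rewritten with an empty VIP, corrupting the group. Check the shape first, `if (count($gwitemarr) >= 3 && strstr($gwitemarr[2], "_vip"))`, and otherwise keep the item unchanged. Separately, upgrade_151_to_152 uses `require_once("/etc/inc/services.inc")` while the file's other includes use bare names (`require_once("rrd.inc")` in the -54 hunk); the absolute path should match that convention.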
@@ -839,12 +839,9 @@ function is_subnetoralias($subnet) { Returns 0 for bad data or if cannot represent size as an INT when $exact is set. */ function subnet_size($subnet, $exact=false) { $parts = explode("/", $subnet); - if (count($parts) == 2) { - if (is_ipaddrv4($parts[0])) { - return subnet_size_by_netmask(4, $parts[1], $exact); - } elseif (is_ipaddrv6($parts[0])) { - return subnet_size_by_netmask(6, $parts[1], $exact); - } + $iptype = is_ipaddr($parts[0]); + if (count($parts) == 2 && $iptype) { + return subnet_size_by_netmask($iptype, $parts[1], $exact); } return 0; } @@ -877,17 +874,7 @@ function subnet_size_by_netmask($iptype, $bits, $exact=false) { } } - -function subnet_expand($subnet) { - if (is_subnetv4($subnet)) { - return subnetv4_expand($subnet); - } else if (is_subnetv6($subnet)) { - return subnetv6_expand($subnet); - } else { - return $subnet; - } -} - +/* function used by pfblockerng */ function subnetv4_expand($subnet) { $result = array(); list ($ip, $bits) = explode("/", $subnet); 
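Review bot: The new subnet_size body passes `$iptype = is_ipaddr($parts[0])` directly as the family argument of subnet_size_by_netmask, so it now depends on `is_ipaddr()` returning 4 or 6 rather than a plain boolean; if a caller or a future edit makes it return `true`, every size lookup silently breaks. State the dependency at the call site, `// is_ipaddr() returns the address family (4 or 6), which subnet_size_by_netmask() expects`, and consider evaluating it after the `count($parts) == 2` check so the helper is not invoked for inputs without a prefix length.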
@@ -1058,25 +1045,61 @@ function is_macaddr($macaddr, $partial=false) { return preg_match('/^[0-9A-F]{2}(?:[:][0-9A-F]{2}){'.$repeat.'}$/i', $macaddr) == 1 ? true : false; } -/* returns true if $name is a valid name for an alias - returns NULL if a reserved word is used - returns FALSE for bad chars in the name - this allows calling code to determine what the problem was. - aliases cannot be: - bad chars: anything except a-z 0-9 and underscore - bad names: empty string, pure numeric, pure underscore - reserved words: pre-defined service/protocol/port names which should not be ambiguous, and the words "port" and "pass" */ - -function is_validaliasname($name) { +/* + If $return_message is true then + returns a text message about the reason that the name is invalid. + the text includes the type of "thing" that is being checked, passed in $object. (e.g. "alias", "gateway group", "schedule") + else + returns true if $name is a valid name for an alias + returns false if $name is not a valid name for an alias + + Aliases cannot be: + bad chars: anything except a-z 0-9 and underscore + bad names: empty string, pure numeric, pure underscore + reserved words: pre-defined service/protocol/port names which should not be ambiguous, and the words "port" and "pass" */ + +function is_validaliasname($name, $return_message = false, $object = "alias") { /* Array of reserved words */ $reserved = array("port", "pass"); if (!is_string($name) || strlen($name) >= 32 || preg_match('/(^_*$|^\d*$|[^a-z0-9_])/i', $name)) { - return false; + if ($return_message) { + return sprintf(gettext('The %1$s name must be less than 32 characters long, may not consist of only numbers, may not consist of only underscores, and may only contain the following characters: %2$s'), $object, 'a-z, A-Z, 0-9, _'); + } else { + return false; + } } - if (in_array($name, $reserved, true) || getservbyname($name, "tcp") || getservbyname($name, "udp") || getprotobyname($name)) { - return; /* return NULL */ + if 
(in_array($name, $reserved, true)) { + if ($return_message) { + return sprintf(gettext('The %1$s name must not be either of the reserved words %2$s or %3$s.'), $object, "'port'", "'pass'"); + } else { + return false; + } } - return true; + if (getprotobyname($name)) { + if ($return_message) { + return sprintf(gettext('The %1$s name must not be a well-known IP protocol name such as TCP, UDP, ICMP etc.'), $object); + } else { + return false; + } + } + if (getservbyname($name, "tcp") || getservbyname($name, "udp")) { + if ($return_message) { + return sprintf(gettext('The %1$s name must not be a well-known TCP or UDP port name such as ssh, smtp, pop3, tftp, http, openvpn etc.'), $object); + } else { + return false; + } + } + if ($return_message) { + return sprintf(gettext("The %1$s name is valid."), $object); + } else { + return true; + } +} + +/* returns a text message indicating if the alias name is valid, or the reason it is not valid. */ +function invalidaliasnamemsg($name, $object = "alias") { + return is_validaliasname($name, true, $object); } /* returns true if $port is a valid TCP/UDP port */ @@ -1433,13 +1456,13 @@ function get_configured_ip_addresses() { * IPv6 addresses. * */ -function get_configured_ipv6_addresses() { +function get_configured_ipv6_addresses($linklocal_fallback = false) { require_once("interfaces.inc"); $ipv6_array = array(); $interfaces = get_configured_interface_list(); if (is_array($interfaces)) { foreach ($interfaces as $int) { - $ipaddrv6 = get_interface_ipv6($int); + $ipaddrv6 = get_interface_ipv6($int, false, $linklocal_fallback); $ipv6_array[$int] = $ipaddrv6; } } 
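Review bot: invalidaliasnamemsg() returns a non-empty string even when the name is fine, because the last branch of is_validaliasname() with $return_message set returns `"The %1$s name is valid."`; a caller that writes `if ($msg = invalidaliasnamemsg($name))` would therefore reject every name. The header comment on invalidaliasnamemsg() should say so: `/* Always returns a message, including a success message for a valid name; test with is_validaliasname() first and only then fetch the reason. */`. The hunk also drops the old tri-state (NULL for a reserved or well-known name, false for bad characters) that the removed comment says callers used to tell the cases apart, so any call site elsewhere comparing `=== null` now silently takes the false path; those call sites are outside this view and need checking.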
@@ -1750,7 +1773,11 @@ function alias_expand_urltable($name) { if (is_array($config['aliases']['alias'])) { foreach ($config['aliases']['alias'] as $alias) { if (preg_match("/urltable/i", $alias['type']) && ($alias['name'] == $name)) { - if (is_URL($alias["url"]) && file_exists($urltable_filename) && filesize($urltable_filename)) { + if (is_URL($alias["url"]) && file_exists($urltable_filename)) { + if (!filesize($urltable_filename)) { + // file exists, but is empty, try to sync + send_event("service sync alias {$name}"); + } return $urltable_filename; } else { send_event("service sync alias {$name}"); @@ -2067,8 +2094,10 @@ function unmute_kernel_msgs() { } function start_devd() { + global $g; + /* Use the undocumented -q options of devd to quiet its log spamming */ - $_gb = exec("/sbin/devd -q"); + $_gb = exec("/sbin/devd -q -f /etc/{$g['product_name']}-devd.conf"); sleep(1); unset($_gb); } diff --git a/src/etc/inc/vpn.inc b/src/etc/inc/vpn.inc index 4265004..0316c5e 100644 --- a/src/etc/inc/vpn.inc +++ b/src/etc/inc/vpn.inc @@ -58,6 +58,7 @@ require_once("ipsec.inc"); require_once("filter.inc"); +require_once("auth.inc"); function vpn_update_daemon_loglevel($category, $level) { global $ipsec_log_cats, $ipsec_log_sevs; @@ -152,6 +153,8 @@ function vpn_ipsec_convert_to_modp($index) { function vpn_ipsec_configure($restart = false) { global $config, $g, $sa, $sn, $p1_ealgos, $p2_ealgos, $ipsec_idhandling; + $ipsecstartlock = lock('ipsec', LOCK_EX); + /* get the automatic ping_hosts.sh ready */ unlink_if_exists("{$g['vardb_path']}/ipsecpinghosts"); touch("{$g['vardb_path']}/ipsecpinghosts"); @@ -174,6 +177,7 @@ function vpn_ipsec_configure($restart = false) { /* IPSEC is off, shutdown enc interface.*/ mwexec("/sbin/ifconfig enc0 down"); + unlock($ipsecstartlock); return 0; } 
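Review bot: The new branch in alias_expand_urltable() returns the URL-table path even when the file is empty, after firing an asynchronous `service sync alias` event, so the caller loads an empty table on this pass and only sees content after a later reload; the old code treated an empty file like a missing one. A comment should make that deliberate: `// Empty table file: return the path so the rule still references a valid table, and ask for a background resync`. If the alias backs a block rule, an empty table blocks nothing until the sync finishes, which is worth stating next to the send_event() call. The function body starts before this hunk.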
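Review bot: `$g['product_name']` is interpolated into the exec() command line unquoted in start_devd(); it comes from the globals array rather than from a request, so this is hardening rather than a bug, but the path should still pass through escapeshellarg() so a space or shell metacharacter in the name can never split the command: `$_gb = exec("/sbin/devd -q -f " . escapeshellarg("/etc/{$g['product_name']}-devd.conf"));`. The exec() result is discarded as before, so a missing config file leaves devd unstarted without a log line; if that is accepted, say so in the comment that already explains the -q flag.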
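Review bot: vpn_ipsec_configure() now takes an exclusive 'ipsec' lock at the top, and the visible hunks release it on the IPsec-disabled early return and before the final `return count($filterdns_list)`; every other return path in the long stretch between those two points, which lies outside these hunks, must also call unlock($ipsecstartlock), or the next caller blocks in lock() for as long as this process lives. A comment beside the acquisition would protect future edits: `/* Held until every return below - add unlock($ipsecstartlock) to any new early return */`. Whether the rest of the function has further returns I cannot tell from the diff.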
@@ -187,9 +191,6 @@ function vpn_ipsec_configure($restart = false) { $crlpath = "{$g['varetc_path']}/ipsec/ipsec.d/crls"; mwexec("/sbin/ifconfig enc0 up"); - if (php_uname('m') != "amd64") { - set_single_sysctl("net.inet.ipsec.directdispatch", "0"); - } /* needed for config files */ if (!is_dir("{$g['varetc_path']}/ipsec")) { @@ -806,7 +807,7 @@ EOD; if (empty($key['type'])) { $key['type'] = 'PSK'; } - $pskconf .= "{$myid} {$key['ident']} : {$key['type']} 0s" . base64_encode($key['pre-shared-key']) . "\n"; + $pskconf .= " {$key['ident']} : {$key['type']} 0s" . base64_encode($key['pre-shared-key']) . "\n"; } unset($key); } @@ -1110,6 +1111,7 @@ EOD; $authentication .= "\n\trightauth2 = xauth-generic"; if (!empty($ph1ent['certref'])) { $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; + $authentication .= "\n\tleftsendcert=always"; } if (isset($casub)) { $authentication .= "\n\trightca=\"$casub\""; @@ -1126,6 +1128,7 @@ EOD; $authentication = "leftauth = pubkey\n\trightauth = pubkey"; if (!empty($ph1ent['certref'])) { $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; + $authentication .= "\n\tleftsendcert=always"; } if (isset($casub)) { $authentication .= "\n\trightca=\"$casub\""; @@ -1135,6 +1138,7 @@ EOD; $authentication = "leftauth = pubkey\n\trightauth = xauth-generic"; if (!empty($ph1ent['certref'])) { $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; + $authentication .= "\n\tleftsendcert=always"; } break; } @@ -1265,7 +1269,7 @@ EOD; if (!empty($ealg_kl) && $ealg_kl == "auto") { if (empty($p2_ealgos) || !is_array($p2_ealgos)) { - require("ipsec.inc"); + require_once("ipsec.inc"); } $key_hi = $p2_ealgos[$ealg_id]['keysel']['hi']; $key_lo = $p2_ealgos[$ealg_id]['keysel']['lo']; 
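Review bot: Dropping `$myid` from the ipsec.secrets line changes which connections the PSK applies to: a secret listed under the remote identity alone matches regardless of the local identity, whereas the old line tied it to `$myid`. That may well be intended, for example so one entry serves any local address, but the hunk does not record why, so a comment at the build site should: `/* No local ID on purpose: this peer's PSK is valid for any local identity */` with the ticket reference if there is one. If `$myid` was computed only for this line it may now be dead, and `$key['ident']` is written into the secrets file unescaped, so it is worth confirming at the input side that it cannot contain whitespace or ':'. The enclosing loop starts before this hunk.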
@@ -1359,10 +1363,11 @@ EOD; EOD; + /* Disable ipcomp for now. redmine #6167 if (isset($config['ipsec']['compression'])) { $ipsecconnect .= "\tcompress = yes\n"; $enablecompression = true; - } + } */ if (!empty($ikelifeline)) { $ipsecconnect .= "\t{$ikelifeline}\n"; } @@ -1387,7 +1392,7 @@ EOD; if (!empty($peerid_spec)) { $ipsecconnect .= "\trightid = {$peerid_spec}\n"; } - if ($keyexchange == 'ikev1') { + if ($keyexchange != 'ikev2') { $ipsecconnect .= "\taggressive = {$aggressive}\n"; } @@ -1495,6 +1500,7 @@ EOD; echo "done\n"; } + unlock($ipsecstartlock); return count($filterdns_list); } diff --git a/src/etc/inc/xmlparse.inc b/src/etc/inc/xmlparse.inc index 8f397a2..6c438fc 100644 --- a/src/etc/inc/xmlparse.inc +++ b/src/etc/inc/xmlparse.inc @@ -66,11 +66,12 @@ function listtags() { 'acls', 'alias', 'aliasurl', 'allowedip', 'allowedhostname', 'authserver', 'bridged', 'build_port_path', 'ca', 'cacert', 'cert', 'crl', 'clone', 'config', 'container', 'columnitem', + 'checkipservice', 'depends_on_package', 'disk', 'dnsserver', 'dnsupdate', 'domainoverrides', 'dyndns', 'earlyshellcmd', 'element', 'encryption-algorithm-option', 'field', 'fieldname', 'gateway_item', 'gateway_group', 'gif', 'gre', 'group', - 'hash-algorithm-option', 'hosts', 'member', 'ifgroupentry', 'igmpentry', 'interface_array', 'item', 'key', + 'hash-algorithm-option', 'hosts', 'ifgroupentry', 'igmpentry', 'interface_array', 'item', 'key', 'lagg', 'lbaction', 'lbpool', 'l7rules', 'lbprotocol', 'member', 'menu', 'tab', 'mobilekey', 'monitor_type', 'mount', 'npt', 'ntpserver', 
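Review bot: Commenting out the compression block with `/* ... */` also removes the only assignment `$enablecompression = true` visible here; if `$enablecompression` is read further down, outside the hunk, it is now always unset, which PHP treats as false but reports as a notice. Initialise it explicitly just before the commented block, `$enablecompression = false; /* ipcomp disabled, see redmine #6167 */`, so the later read is well-defined and the disable is easy to find. I cannot see from the diff whether the variable is still read.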
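Review bot: Changing the guard to `$keyexchange != 'ikev2'` means `aggressive = ...` is now emitted for every non-IKEv2 value, not only 'ikev1'; if an 'auto' setting can reach here, aggressive mode becomes eligible whenever the peer falls back to IKEv1, and with PSK authentication aggressive mode exposes the identity and a PSK-derived hash to offline cracking. That is acceptable only if `$aggressive` is 'no' unless the administrator explicitly enabled it; it is computed outside this hunk and I cannot verify it. A comment would make the intent explicit: `/* aggressive only matters for IKEv1, but 'auto' may negotiate IKEv1 too, so emit it for everything except ikev2 */`.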
@@ -311,7 +312,8 @@ function dump_xml_config_sub($arr, $indent) { (substr($ent, 0, 9) == "ldap_bind") || (substr($ent, 0, 11) == "ldap_basedn") || (substr($ent, 0, 18) == "ldap_authcn") || - (substr($ent, 0, 19) == "ldap_extended_query")) { + (substr($ent, 0, 19) == "ldap_extended_query") || + (substr($ent, 0, 5) == "text")) { $xmlconfig .= "<$ent><![CDATA[" . htmlentities($val) . "]]></$ent>\n"; } else { $xmlconfig .= "<$ent>" . htmlentities($val) . "</$ent>\n"; diff --git a/src/etc/inc/xmlreader.inc b/src/etc/inc/xmlreader.inc index 420061b..87117ee 100644 --- a/src/etc/inc/xmlreader.inc +++ b/src/etc/inc/xmlreader.inc @@ -66,11 +66,12 @@ function listtags() { 'acls', 'alias', 'aliasurl', 'allowedip', 'allowedhostname', 'authserver', 'bridged', 'build_port_path', 'ca', 'cacert', 'cert', 'crl', 'clone', 'config', 'container', 'columnitem', + 'checkipservice', 'depends_on_package', 'disk', 'dnsserver', 'dnsupdate', 'domainoverrides', 'dyndns', 'earlyshellcmd', 'element', 'encryption-algorithm-option', 'field', 'fieldname', 'gateway_item', 'gateway_group', 'gif', 'gre', 'group', - 'hash-algorithm-option', 'hosts', 'member', 'ifgroupentry', 'igmpentry', 'interface_array', 'item', 'key', + 'hash-algorithm-option', 'hosts', 'ifgroupentry', 'igmpentry', 'interface_array', 'item', 'key', 'lagg', 'lbaction', 'lbpool', 'l7rules', 'lbprotocol', 'member', 'menu', 'tab', 'mobilekey', 'monitor_type', 'mount', 'npt', 'ntpserver', diff --git a/src/etc/login.conf b/src/etc/login.conf deleted file mode 100644 index 98324e2..0000000 --- a/src/etc/login.conf +++ /dev/null 
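Review bot: `substr($ent, 0, 5) == "text"` compares a five-character prefix with a four-character literal, so it only matches when $ent is exactly "text"; a longer tag starting with "text" yields five characters and fails. If an exact match is intended, `$ent == "text"` says so plainly; if tags beginning with "text" were meant, the length must be 4. A short comment on why plain `text` needs the CDATA path would also help, since the neighbouring ldap_* cases were evidently added for credentials and DNs. The same length mismatch already exists on the unchanged `ldap_authcn` line (18 against 11 characters).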
@@ -1,317 +0,0 @@ -# login.conf - login class capabilities database. -# -# Remember to rebuild the database after each change to this file: -# -# cap_mkdb /etc/login.conf -# -# This file controls resource limits, accounting limits and -# default user environment settings. -# -# $FreeBSD: src/etc/login.conf,v 1.34.2.6 2002/07/02 20:06:18 dillon Exp $ -# - -# Default settings effectively disable resource limits, see the -# examples below for a starting point to enable them. - -# defaults -# These settings are used by login(1) by default for classless users -# Note that entries like "cputime" set both "cputime-cur" and "cputime-max" - -default:\ - :passwd_format=md5:\ - :copyright=/etc/COPYRIGHT:\ - :welcome=/dev/null:\ - :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\ - :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\ - :nologin=/var/run/nologin:\ - :cputime=unlimited:\ - :datasize=unlimited:\ - :stacksize=unlimited:\ - :memorylocked=unlimited:\ - :memoryuse=unlimited:\ - :filesize=unlimited:\ - :coredumpsize=unlimited:\ - :openfiles=unlimited:\ - :maxproc=unlimited:\ - :sbsize=unlimited:\ - :vmemoryuse=unlimited:\ - :idletime=unlimited:\ - :priority=0:\ - :ignoretime@:\ - :umask=022: - - -# -# A collection of common class names - forward them all to 'default' -# (login would normally do this anyway, but having a class name -# here suppresses the diagnostic) -# -standard:\ - :tc=default: -xuser:\ - :tc=default: -staff:\ - :tc=default: -daemon:\ - :tc=default: -news:\ - :tc=default: -dialer:\ - :tc=default: - -# -# Root can always login -# -# N.B. login_getpwclass(3) will use this entry for the root account, -# in preference to 'default'. -root:\ - :ignorenologin:\ - :tc=default: - -# -# Russian Users Accounts. Setup proper environment variables. 
-# -russian|Russian Users Accounts:\ - :charset=KOI8-R:\ - :lang=ru_RU.KOI8-R:\ - :tc=default: - - -###################################################################### -###################################################################### -## -## Example entries -## -###################################################################### -###################################################################### - -## Example defaults -## These settings are used by login(1) by default for classless users -## Note that entries like "cputime" set both "cputime-cur" and "cputime-max" -# -#default:\ -# :cputime=infinity:\ -# :datasize-cur=22M:\ -# :stacksize-cur=8M:\ -# :memorylocked-cur=10M:\ -# :memoryuse-cur=30M:\ -# :filesize=infinity:\ -# :coredumpsize=infinity:\ -# :maxproc-cur=64:\ -# :openfiles-cur=64:\ -# :priority=0:\ -# :requirehome@:\ -# :umask=022:\ -# :tc=auth-defaults: -# -# -## -## standard - standard user defaults -## -#standard:\ -# :copyright=/etc/COPYRIGHT:\ -# :welcome=/etc/motd:\ -# :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\ -# :path=~/bin /bin /usr/bin /usr/local/bin:\ -# :manpath=/usr/share/man /usr/local/man:\ -# :nologin=/var/run/nologin:\ -# :cputime=1h30m:\ -# :datasize=8M:\ -# :vmemoryuse=100M:\ -# :stacksize=2M:\ -# :memorylocked=4M:\ -# :memoryuse=8M:\ -# :filesize=8M:\ -# :coredumpsize=8M:\ -# :openfiles=24:\ -# :maxproc=32:\ -# :priority=0:\ -# :requirehome:\ -# :passwordtime=90d:\ -# :umask=002:\ -# :ignoretime@:\ -# :tc=default: -# -# -## -## users of X (needs more resources!) 
-## -#xuser:\ -# :manpath=/usr/share/man /usr/X11R6/man /usr/local/man:\ -# :cputime=4h:\ -# :datasize=12M:\ -# :vmemoryuse=infinity:\ -# :stacksize=4M:\ -# :filesize=8M:\ -# :memoryuse=16M:\ -# :openfiles=32:\ -# :maxproc=48:\ -# :tc=standard: -# -# -## -## Staff users - few restrictions and allow login anytime -## -#staff:\ -# :ignorenologin:\ -# :ignoretime:\ -# :requirehome@:\ -# :accounted@:\ -# :path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\ -# :umask=022:\ -# :tc=standard: -# -# -## -## root - fallback for root logins -## -#root:\ -# :path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\ -# :cputime=infinity:\ -# :datasize=infinity:\ -# :stacksize=infinity:\ -# :memorylocked=infinity:\ -# :memoryuse=infinity:\ -# :filesize=infinity:\ -# :coredumpsize=infinity:\ -# :openfiles=infinity:\ -# :maxproc=infinity:\ -# :memoryuse-cur=32M:\ -# :maxproc-cur=64:\ -# :openfiles-cur=1024:\ -# :priority=0:\ -# :requirehome@:\ -# :umask=022:\ -# :tc=auth-root-defaults: -# -# -## -## Settings used by /etc/rc -## -#daemon:\ -# :coredumpsize@:\ -# :coredumpsize-cur=0:\ -# :datasize=infinity:\ -# :datasize-cur@:\ -# :maxproc=512:\ -# :maxproc-cur@:\ -# :memoryuse-cur=64M:\ -# :memorylocked-cur=64M:\ -# :openfiles=1024:\ -# :openfiles-cur@:\ -# :stacksize=16M:\ -# :stacksize-cur@:\ -# :tc=default: -# -# -## -## Settings used by news subsystem -## -#news:\ -# :path=/usr/local/news/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\ -# :cputime=infinity:\ -# :filesize=128M:\ -# :datasize-cur=64M:\ -# :stacksize-cur=32M:\ -# :coredumpsize-cur=0:\ -# :maxmemorysize-cur=128M:\ -# :memorylocked=32M:\ -# :maxproc=128:\ -# :openfiles=256:\ -# :tc=default: -# -# -## -## The dialer class should be used for a dialup PPP/SLIP accounts -## Welcome messages/news suppressed -## -#dialer:\ -# :hushlogin:\ -# :requirehome@:\ -# :cputime=unlimited:\ -# :filesize=2M:\ -# :datasize=2M:\ -# :stacksize=4M:\ -# :coredumpsize=0:\ -# 
:memoryuse=4M:\ -# :memorylocked=1M:\ -# :maxproc=16:\ -# :openfiles=32:\ -# :tc=standard: -# -# -## -## Site full-time 24/7 PPP/SLIP connections -## - no time accounting, restricted to access via dialin lines -## -#site:\ -# :ignoretime:\ -# :passwordtime@:\ -# :refreshtime@:\ -# :refreshperiod@:\ -# :sessionlimit@:\ -# :autodelete@:\ -# :expireperiod@:\ -# :graceexpire@:\ -# :gracetime@:\ -# :warnexpire@:\ -# :warnpassword@:\ -# :idletime@:\ -# :sessiontime@:\ -# :daytime@:\ -# :weektime@:\ -# :monthtime@:\ -# :warntime@:\ -# :accounted@:\ -# :tc=dialer:\ -# :tc=staff: -# -# -## -## Example standard accounting entries for subscriber levels -## -# -#subscriber|Subscribers:\ -# :accounted:\ -# :refreshtime=180d:\ -# :refreshperiod@:\ -# :sessionlimit@:\ -# :autodelete=30d:\ -# :expireperiod=180d:\ -# :graceexpire=7d:\ -# :gracetime=10m:\ -# :warnexpire=7d:\ -# :warnpassword=7d:\ -# :idletime=30m:\ -# :sessiontime=4h:\ -# :daytime=6h:\ -# :weektime=40h:\ -# :monthtime=120h:\ -# :warntime=4h:\ -# :tc=standard: -# -# -## -## Subscriber accounts. These accounts have their login times -## accounted and have access limits applied. -## -#subppp|PPP Subscriber Accounts:\ -# :tc=dialer:\ -# :tc=subscriber: -# -# -#subslip|SLIP Subscriber Accounts:\ -# :tc=dialer:\ -# :tc=subscriber: -# -# -#subshell|Shell Subscriber Accounts:\ -# :tc=subscriber: -# -## -## If you want some of the accounts to use traditional UNIX DES based -## password hashes. -## -#des_users:\ -# :passwd_format=des:\ -# :tc=default: diff --git a/src/etc/master.passwd b/src/etc/master.passwd deleted file mode 100644 index c2cc461..0000000 --- a/src/etc/master.passwd +++ /dev/null 
@@ -1,29 +0,0 @@ -# $FreeBSD: src/etc/master.passwd,v 1.39 2004/08/01 21:33:47 markm Exp $ -# -root:$2b$10$13u6qwCOwODv34GyCMgdWub6oQF3RX0rG7c3d3X4JvzuEmAXLYDd2:0:0::0:0:Charlie &:/root:/bin/sh -toor:*:0:0::0:0:Bourne-again Superuser:/root: -daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin -operator:*:2:5::0:0:System &:/:/usr/sbin/nologin -bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin -tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin -kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin -games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin -news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin -man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin -sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin -smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin -mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin -bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin -unbound:*:59:59::0:0:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin -proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin -_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin -www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin -nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin -dhcpd:*:1002:1002::0:0:DHCP Daemon:/nonexistent:/sbin/nologin -admin:$2b$10$13u6qwCOwODv34GyCMgdWub6oQF3RX0rG7c3d3X4JvzuEmAXLYDd2:0:0::0:0:Admin User:/root:/bin/sh -_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin -_isakmpd:*:68:68::0:0:isakmpd privsep:/var/empty:/sbin/nologin -uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico -pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin -_ntp:*:123:123::0:0:NTP daemon:/var/empty:/sbin/nologin -_relayd:*:913:913::0:0:Relay Daemon:/var/empty:/usr/sbin/nologin 
diff --git a/src/etc/mtree/BSD.local.dist b/src/etc/mtree/BSD.local.dist deleted file mode 100644 index e69de29..0000000 --- a/src/etc/mtree/BSD.local.dist +++ /dev/null diff --git a/src/etc/networks b/src/etc/networks deleted file mode 100644 index 92982b5..0000000 --- a/src/etc/networks +++ /dev/null @@ -1,17 +0,0 @@ -# $FreeBSD: src/etc/networks,v 1.3 1999/08/27 23:23:42 peter Exp $ -# @(#)networks 5.1 (Berkeley) 6/30/90 -# -# Your Local Networks Database -# -your-net 127 # your comment -your-netmask 255.255.255 # subnet mask for your-net - -# -# Your subnets -# -subnet1 127.0.1 alias1 # comment 1 -subnet2 127.0.2 alias2 # comment 2 - -# -# Internet networks (from nic.ddn.mil) -# diff --git a/src/etc/passwd b/src/etc/passwd deleted file mode 100644 index 040f3e5..0000000 --- a/src/etc/passwd +++ /dev/null 
@@ -1,26 +0,0 @@ -root:*:0:0:Charlie &:/root:/bin/sh -toor:*:0:0:Bourne-again Superuser:/root: -daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin -operator:*:2:5:System &:/:/usr/sbin/nologin -bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin -tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin -kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin -games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin -news:*:8:8:News Subsystem:/:/usr/sbin/nologin -man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin -sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin -smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin -mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin -bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin -unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin -proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin -_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin -uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico -pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin -www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin -nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin -distcc:*:1001:1001:Distcc:/home/distcc:/sbin/nologin -dhcpd:*:1002:1002:DHCP Daemon:/nonexistent:/sbin/nologin -admin:*:0:0:Admin User:/home/admin:/bin/sh -_ntp:*:123:123:NTP daemon:/var/empty:/sbin/nologin -_relayd:*:913:913:Relay Daemon:/var/empty:/usr/sbin/nologin diff --git a/src/etc/pf.os b/src/etc/pf.os deleted file mode 100644 index 56c7cbf..0000000 --- a/src/etc/pf.os +++ /dev/null 
@@ -1,698 +0,0 @@ -# $FreeBSD: stable/10/etc/pf.os 244096 2012-12-10 20:52:52Z delphij $ -# $OpenBSD: pf.os,v 1.26 2012/08/03 12:25:16 jsg Exp $ -# passive OS fingerprinting -# ------------------------- -# -# SYN signatures. Those signatures work for SYN packets only (duh!). -# -# (C) Copyright 2000-2003 by Michal Zalewski <lcamtuf@coredump.cx> -# (C) Copyright 2003 by Mike Frantzen <frantzen@w4g.org> -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -# -# -# This fingerprint database is adapted from Michal Zalewski's p0f passive -# operating system package. The last database sync was from a Nov 3 2003 -# p0f.fp. -# -# -# Each line in this file specifies a single fingerprint. Please read the -# information below carefully before attempting to append any signatures -# reported as UNKNOWN to this file to avoid mistakes. -# -# We use the following set metrics for fingerprinting: -# -# - Window size (WSS) - a highly OS dependent setting used for TCP/IP -# performance control (max. amount of data to be sent without ACK). -# Some systems use a fixed value for initial packets. On other -# systems, it is a multiple of MSS or MTU (MSS+40). In some rare -# cases, the value is just arbitrary. 
-# -# NEW SIGNATURE: if p0f reported a special value of 'Snn', the number -# appears to be a multiple of MSS (MSS*nn); a special value of 'Tnn' -# means it is a multiple of MTU ((MSS+40)*nn). Unless you notice the -# value of nn is not fixed (unlikely), just copy the Snn or Tnn token -# literally. If you know this device has a simple stack and a fixed -# MTU, you can however multiply S value by MSS, or T value by MSS+40, -# and put it instead of Snn or Tnn. -# -# If WSS otherwise looks like a fixed value (for example a multiple -# of two), or if you can confirm the value is fixed, please quote -# it literally. If there's no apparent pattern in WSS chosen, you -# should consider wildcarding this value. -# -# - Overall packet size - a function of all IP and TCP options and bugs. -# -# NEW SIGNATURE: Copy this value literally. -# -# - Initial TTL - We check the actual TTL of a received packet. It can't -# be higher than the initial TTL, and also shouldn't be dramatically -# lower (maximum distance is defined as 40 hops). -# -# NEW SIGNATURE: *Never* copy TTL from a p0f-reported signature literally. -# You need to determine the initial TTL. The best way to do it is to -# check the documentation for a remote system, or check its settings. -# A fairly good method is to simply round the observed TTL up to -# 32, 64, 128, or 255, but it should be noted that some obscure devices -# might not use round TTLs (in particular, some shoddy appliances use -# "original" initial TTL settings). If not sure, you can see how many -# hops you're away from the remote party with traceroute or mtr. -# -# - Don't fragment flag (DF) - some modern OSes set this to implement PMTU -# discovery. Others do not bother. -# -# NEW SIGNATURE: Copy this value literally. -# -# - Maximum segment size (MSS) - this setting is usually link-dependent. P0f -# uses it to determine link type of the remote host. 
-# -# NEW SIGNATURE: Always wildcard this value, except for rare cases when -# you have an appliance with a fixed value, know the system supports only -# a very limited number of network interface types, or know the system -# is using a value it pulled out of nowhere. Specific unique MSS -# can be used to tell Google crawlbots from the rest of the population. -# -# - Window scaling (WSCALE) - this feature is used to scale WSS. -# It extends the size of a TCP/IP window to 32 bits. Some modern -# systems implement this feature. -# -# NEW SIGNATURE: Observe several signatures. Initial WSCALE is often set -# to zero or other low value. There's usually no need to wildcard this -# parameter. -# -# - Timestamp - some systems that implement timestamps set them to -# zero in the initial SYN. This case is detected and handled appropriately. -# -# - Selective ACK permitted - a flag set by systems that implement -# selective ACK functionality. -# -# - The sequence of TCP all options (MSS, window scaling, selective ACK -# permitted, timestamp, NOP). Other than the options previously -# discussed, p0f also checks for timestamp option (a silly -# extension to broadcast your uptime ;-), NOP options (used for -# header padding) and sackOK option (selective ACK feature). -# -# NEW SIGNATURE: Copy the sequence literally. -# -# To wildcard any value (except for initial TTL or TCP options), replace -# it with '*'. You can also use a modulo operator to match any values -# that divide by nnn - '%nnn'. -# -# Fingerprint entry format: -# -# wwww:ttt:D:ss:OOO...:OS:Version:Subtype:Details -# -# wwww - window size (can be *, %nnn, Snn or Tnn). The special values -# "S" and "T" which are a multiple of MSS or a multiple of MTU -# respectively. 
-# ttt - initial TTL -# D - don't fragment bit (0 - not set, 1 - set) -# ss - overall SYN packet size -# OOO - option value and order specification (see below) -# OS - OS genre (Linux, Solaris, Windows) -# Version - OS Version (2.0.27 on x86, etc) -# Subtype - OS subtype or patchlevel (SP3, lo0) -# details - Generic OS details -# -# If OS genre starts with '*', p0f will not show distance, link type -# and timestamp data. It is useful for userland TCP/IP stacks of -# network scanners and so on, where many settings are randomized or -# bogus. -# -# If OS genre starts with @, it denotes an approximate hit for a group -# of operating systems (signature reporting still enabled in this case). -# Use this feature at the end of this file to catch cases for which -# you don't have a precise match, but can tell it's Windows or FreeBSD -# or whatnot by looking at, say, flag layout alone. -# -# Option block description is a list of comma or space separated -# options in the order they appear in the packet: -# -# N - NOP option -# Wnnn - window scaling option, value nnn (or * or %nnn) -# Mnnn - maximum segment size option, value nnn (or * or %nnn) -# S - selective ACK OK -# T - timestamp -# T0 - timestamp with a zero value -# -# To denote no TCP options, use a single '.'. -# -# Please report any additions to this file, or any inaccuracies or -# problems spotted, to the maintainers: lcamtuf@coredump.cx, -# frantzen@openbsd.org and bugs@openbsd.org with a tcpdump packet -# capture of the relevant SYN packet(s) -# -# A test and submission page is available at -# http://lcamtuf.coredump.cx/p0f-help/ -# -# -# WARNING WARNING WARNING -# ----------------------- -# -# Do not add a system X as OS Y just because NMAP says so. It is often -# the case that X is a NAT firewall. While nmap is talking to the -# device itself, p0f is fingerprinting the guy behind the firewall -# instead. 
-# -# When in doubt, use common sense, don't add something that looks like -# a completely different system as Linux or FreeBSD or LinkSys router. -# Check DNS name, establish a connection to the remote host and look -# at SYN+ACK - does it look similar? -# -# Some users tweak their TCP/IP settings - enable or disable RFC1323 -# functionality, enable or disable timestamps or selective ACK, -# disable PMTU discovery, change MTU and so on. Always compare a new rule -# to other fingerprints for this system, and verify the system isn't -# "customized" before adding it. It is OK to add signature variants -# caused by a commonly used software (personal firewalls, security -# packages, etc), but it makes no sense to try to add every single -# possible /proc/sys/net/ipv4 tweak on Linux or so. -# -# KEEP IN MIND: Some packet firewalls configured to normalize outgoing -# traffic (OpenBSD pf with "scrub" enabled, for example) will, well, -# normalize packets. Signatures will not correspond to the originating -# system (and probably not quite to the firewall either). -# -# NOTE: Try to keep this file in some reasonable order, from most to -# least likely systems. This will speed up operation. Also keep most -# generic and broad rules near the end. -# - -########################## -# Standard OS signatures # -########################## - -# ----------------- AIX --------------------- - -# AIX is first because its signatures are close to NetBSD, MacOS X and -# Linux 2.0, but it uses a fairly rare MSSes, at least sometimes... -# This is a shoddy hack, though. 
- -45046:64:0:44:M*: AIX:4.3::AIX 4.3 -16384:64:0:44:M512: AIX:4.3:2-3:AIX 4.3.2 and earlier - -16384:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2 -16384:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2 -32768:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2 -32768:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2 -65535:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2 -65535:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2 -65535:64:0:64:M*,N,W1,N,N,T,N,N,S: AIX:5.3:ML1:AIX 5.3 ML1 - -# ----------------- Linux ------------------- - -# S1:64:0:44:M*:A: Linux:1.2::Linux 1.2.x (XXX quirks support) -512:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x -16384:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x - -# Endian snafu! Nelson says "ha-ha": -2:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac -64:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac - - -S4:64:1:60:M1360,S,T,N,W0: Linux:google::Linux (Google crawlbot) - -S2:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4 (big boy) -S3:64:1:60:M*,S,T,N,W0: Linux:2.4:.18-21:Linux 2.4.18 and newer -S4:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4/2.6 <= 2.6.7 -S4:64:1:60:M*,S,T,N,W0: Linux:2.6:.1-7:Linux 2.4/2.6 <= 2.6.7 - -S4:64:1:60:M*,S,T,N,W5: Linux:2.6::Linux 2.6 (newer, 1) -S4:64:1:60:M*,S,T,N,W6: Linux:2.6::Linux 2.6 (newer, 2) -S4:64:1:60:M*,S,T,N,W7: Linux:2.6::Linux 2.6 (newer, 3) -T4:64:1:60:M*,S,T,N,W7: Linux:2.6::Linux 2.6 (newer, 4) - -S10:64:1:60:M*,S,T,N,W4: Linux:3.0::Linux 3.0 - -S3:64:1:60:M*,S,T,N,W1: Linux:2.5::Linux 2.5 (sometimes 2.4) -S4:64:1:60:M*,S,T,N,W1: Linux:2.5-2.6::Linux 2.5/2.6 -S3:64:1:60:M*,S,T,N,W2: Linux:2.5::Linux 2.5 (sometimes 2.4) -S4:64:1:60:M*,S,T,N,W2: Linux:2.5::Linux 2.5 (sometimes 2.4) - -S20:64:1:60:M*,S,T,N,W0: Linux:2.2:20-25:Linux 2.2.20 and newer -S22:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2 -S11:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2 - -# Popular cluster config scripts disable timestamps and -# selective ACK: -S4:64:1:48:M1460,N,W0: Linux:2.4:cluster:Linux 2.4 in 
cluster - -# This needs to be investigated. On some systems, WSS -# is selected as a multiple of MTU instead of MSS. I got -# many submissions for this for many late versions of 2.4: -T4:64:1:60:M1412,S,T,N,W0: Linux:2.4::Linux 2.4 (late, uncommon) - -# This happens only over loopback, but let's make folks happy: -32767:64:1:60:M16396,S,T,N,W0: Linux:2.4:lo0:Linux 2.4 (local) -S8:64:1:60:M3884,S,T,N,W0: Linux:2.2:lo0:Linux 2.2 (local) - -# Opera visitors: -16384:64:1:60:M*,S,T,N,W0: Linux:2.2:Opera:Linux 2.2 (Opera?) -32767:64:1:60:M*,S,T,N,W0: Linux:2.4:Opera:Linux 2.4 (Opera?) - -# Some fairly common mods: -S4:64:1:52:M*,N,N,S,N,W0: Linux:2.4:ts:Linux 2.4 w/o timestamps -S22:64:1:52:M*,N,N,S,N,W0: Linux:2.2:ts:Linux 2.2 w/o timestamps - - -# ----------------- FreeBSD ----------------- - -16384:64:1:44:M*: FreeBSD:2.0-2.2::FreeBSD 2.0-4.2 -16384:64:1:44:M*: FreeBSD:3.0-3.5::FreeBSD 2.0-4.2 -16384:64:1:44:M*: FreeBSD:4.0-4.2::FreeBSD 2.0-4.2 -16384:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4 - -1024:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4 - -57344:64:1:44:M*: FreeBSD:4.6-4.8:noRFC1323:FreeBSD 4.6-4.8 (no RFC1323) -57344:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.6-4.9::FreeBSD 4.6-4.9 - -32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.11::FreeBSD 4.8-5.1 (or MacOS X) -32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0-5.1::FreeBSD 4.8-5.1 (or MacOS X) -65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.11::FreeBSD 4.8-5.2 (or MacOS X) -65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0-5.2::FreeBSD 4.8-5.2 (or MacOS X) -65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:4.7-4.11::FreeBSD 4.7-5.2 -65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:5.0-5.2::FreeBSD 4.7-5.2 - -# XXX need quirks support -# 65535:64:1:60:M*,N,W0,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (1) -# 65535:64:1:60:M*,N,W1,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (2) -# 65535:64:1:60:M*,N,W2,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (3) -# 65535:64:1:44:M*:Z:FreeBSD:5.2::FreeBSD 5.2 (no RFC1323) - -# 16384:64:1:60:M*,N,N,N,N,N,N,T:FreeBSD:4.4:noTS:FreeBSD 4.4 (w/o 
timestamps) - -# ----------------- NetBSD ------------------ - -16384:64:0:60:M*,N,W0,N,N,T: NetBSD:1.3::NetBSD 1.3 -65535:64:0:60:M*,N,W0,N,N,T0: NetBSD:1.6:opera:NetBSD 1.6 (Opera) -16384:64:0:60:M*,N,W0,N,N,T0: NetBSD:1.6::NetBSD 1.6 -16384:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6:df:NetBSD 1.6 (DF) -65535:64:1:60:M*,N,W1,N,N,T0: NetBSD:1.6::NetBSD 1.6W-current (DF) -65535:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6::NetBSD 1.6X (DF) -32768:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6:randomization:NetBSD 1.6ZH-current (w/ ip_id randomization) - -# ----------------- OpenBSD ----------------- - -16384:64:0:60:M*,N,W0,N,N,T: OpenBSD:2.6::NetBSD 1.3 (or OpenBSD 2.6) -16384:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.8::OpenBSD 3.0-4.8 -16384:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.8:no-df:OpenBSD 3.0-4.8 (scrub no-df) -57344:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-4.0::OpenBSD 3.3-4.0 -57344:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-4.0:no-df:OpenBSD 3.3-4.0 (scrub no-df) - -65535:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.0:opera:OpenBSD 3.0-4.0 (Opera) - -16384:64:1:64:M*,N,N,S,N,W3,N,N,T: OpenBSD:4.9::OpenBSD 4.9 -16384:64:0:64:M*,N,N,S,N,W3,N,N,T: OpenBSD:4.9:no-df:OpenBSD 4.9 (scrub no-df) - -# ----------------- Solaris ----------------- - -S17:64:1:64:N,W3,N,N,T0,N,N,S,M*: Solaris:8:RFC1323:Solaris 8 RFC1323 -S17:64:1:48:N,N,S,M*: Solaris:8::Solaris 8 -S17:255:1:44:M*: Solaris:2.5-2.7::Solaris 2.5 to 7 - -S6:255:1:44:M*: Solaris:2.6-2.7::Solaris 2.6 to 7 -S23:255:1:44:M*: Solaris:2.5:1:Solaris 2.5.1 -S34:64:1:48:M*,N,N,S: Solaris:2.9::Solaris 9 -S44:255:1:44:M*: Solaris:2.7::Solaris 7 - -4096:64:0:44:M1460: SunOS:4.1::SunOS 4.1.x - -S34:64:1:52:M*,N,W0,N,N,S: Solaris:10:beta:Solaris 10 (beta) -32850:64:1:64:M*,N,N,T,N,W1,N,N,S: Solaris:10::Solaris 10 1203 - -# ----------------- IRIX -------------------- - -49152:64:0:44:M*: IRIX:6.4::IRIX 6.4 -61440:64:0:44:M*: IRIX:6.2-6.5::IRIX 6.2-6.5 -49152:64:0:52:M*,N,W2,N,N,S: IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323) -49152:64:0:52:M*,N,W3,N,N,S: 
IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323) - -61440:64:0:48:M*,N,N,S: IRIX:6.5:12-21:IRIX 6.5.12 - 6.5.21 -49152:64:0:48:M*,N,N,S: IRIX:6.5:15-21:IRIX 6.5.15 - 6.5.21 - -49152:60:0:64:M*,N,W2,N,N,T,N,N,S: IRIX:6.5:IP27:IRIX 6.5 IP27 - - -# ----------------- Tru64 ------------------- - -32768:64:1:48:M*,N,W0: Tru64:4.0::Tru64 4.0 (or OS/2 Warp 4) -32768:64:0:48:M*,N,W0: Tru64:5.0::Tru64 5.0 -8192:64:0:44:M1460: Tru64:5.1:noRFC1323:Tru64 6.1 (no RFC1323) (or QNX 6) -61440:64:0:48:M*,N,W0: Tru64:5.1a:JP4:Tru64 v5.1a JP4 (or OpenVMS 7.x on Compaq 5.x stack) - -# ----------------- OpenVMS ----------------- - -6144:64:1:60:M*,N,W0,N,N,T: OpenVMS:7.2::OpenVMS 7.2 (Multinet 4.4 stack) - -# ----------------- MacOS ------------------- - -# XXX Need EOL tcp opt support -# S2:255:1:48:M*,W0,E:.:MacOS:8.6 classic - -# XXX some of these use EOL too -16616:255:1:48:M*,W0: MacOS:7.3-7.6:OTTCP:MacOS 7.3-8.6 (OTTCP) -16616:255:1:48:M*,W0: MacOS:8.0-8.6:OTTCP:MacOS 7.3-8.6 (OTTCP) -16616:255:1:48:M*,N,N,N: MacOS:8.1-8.6:OTTCP:MacOS 8.1-8.6 (OTTCP) -32768:255:1:48:M*,W0,N: MacOS:9.0-9.2::MacOS 9.0-9.2 -65535:255:1:48:M*,N,N,N,N: MacOS:9.1::MacOS 9.1 (OT 2.7.4) - - -# ----------------- Windows ----------------- - -# Windows TCP/IP stack is a mess. For most recent XP, 2000 and -# even 98, the patchlevel, not the actual OS version, is more -# relevant to the signature. They share the same code, so it would -# seem. Luckily for us, almost all Windows 9x boxes have an -# awkward MSS of 536, which I use to tell one from another -# in most difficult cases. - -8192:32:1:44:M*: Windows:3.11::Windows 3.11 (Tucows) -S44:64:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:95::Windows 95 -8192:128:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:95:b:Windows 95b - -# There were so many tweaking tools and so many stack versions for -# Windows 98 it is no longer possible to tell them from each other -# without some very serious research. 
Until then, there's an insane -# number of signatures, for your amusement: - -S44:32:1:48:M*,N,N,S: Windows:98:lowTTL:Windows 98 (low TTL) -8192:32:1:48:M*,N,N,S: Windows:98:lowTTL:Windows 98 (low TTL) -%8192:64:1:48:M536,N,N,S: Windows:98::Windows 98 -%8192:128:1:48:M536,N,N,S: Windows:98::Windows 98 -S4:64:1:48:M*,N,N,S: Windows:98::Windows 98 -S6:64:1:48:M*,N,N,S: Windows:98::Windows 98 -S12:64:1:48:M*,N,N,S: Windows:98::Windows 98 -T30:64:1:64:M1460,N,W0,N,N,T0,N,N,S: Windows:98::Windows 98 -32767:64:1:48:M*,N,N,S: Windows:98::Windows 98 -37300:64:1:48:M*,N,N,S: Windows:98::Windows 98 -46080:64:1:52:M*,N,W3,N,N,S: Windows:98:RFC1323:Windows 98 (RFC1323) -65535:64:1:44:M*: Windows:98:noSack:Windows 98 (no sack) -S16:128:1:48:M*,N,N,S: Windows:98::Windows 98 -S16:128:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:98::Windows 98 -S26:128:1:48:M*,N,N,S: Windows:98::Windows 98 -T30:128:1:48:M*,N,N,S: Windows:98::Windows 98 -32767:128:1:52:M*,N,W0,N,N,S: Windows:98::Windows 98 -60352:128:1:48:M*,N,N,S: Windows:98::Windows 98 -60352:128:1:64:M*,N,W2,N,N,T0,N,N,S: Windows:98::Windows 98 - -# What's with 1414 on NT? -T31:128:1:44:M1414: Windows:NT:4.0:Windows NT 4.0 SP6a -64512:128:1:44:M1414: Windows:NT:4.0:Windows NT 4.0 SP6a -8192:128:1:44:M*: Windows:NT:4.0:Windows NT 4.0 (older) - -# Windows XP and 2000. Most of the signatures that were -# either dubious or non-specific (no service pack data) -# were deleted and replaced with generics at the end. 
- -65535:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4, XP SP1 -65535:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP4, XP SP1 -%8192:128:1:48:M*,N,N,S: Windows:2000:SP2+:Windows 2000 SP2, XP SP1 (seldom 98 4.10.2222) -%8192:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP2, XP SP1 (seldom 98 4.10.2222) -S20:128:1:48:M*,N,N,S: Windows:2000::Windows 2000/XP SP3 -S20:128:1:48:M*,N,N,S: Windows:XP:SP3:Windows 2000/XP SP3 -S45:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4, XP SP 1 -S45:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP4, XP SP 1 -40320:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4 - -S6:128:1:48:M*,N,N,S: Windows:2000:SP2:Windows XP, 2000 SP2+ -S6:128:1:48:M*,N,N,S: Windows:XP::Windows XP, 2000 SP2+ -S12:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows XP SP1 -S44:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows Pro SP1, 2000 SP3 -S44:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows Pro SP1, 2000 SP3 -64512:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows SP1, 2000 SP3 -64512:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows SP1, 2000 SP3 -32767:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows SP1, 2000 SP4 -32767:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows SP1, 2000 SP4 - -8192:128:1:52:M*,N,W2,N,N,S: Windows:Vista::Windows Vista/7 - -# Odds, ends, mods: - -S52:128:1:48:M1260,N,N,S: Windows:2000:cisco:Windows XP/2000 via Cisco -S52:128:1:48:M1260,N,N,S: Windows:XP:cisco:Windows XP/2000 via Cisco -65520:128:1:48:M*,N,N,S: Windows:XP::Windows XP bare-bone -16384:128:1:52:M536,N,W0,N,N,S: Windows:2000:ZoneAlarm:Windows 2000 w/ZoneAlarm? -2048:255:0:40:.: Windows:.NET::Windows .NET Enterprise Server - -44620:64:0:48:M*,N,N,S: Windows:ME::Windows ME no SP (?) -S6:255:1:48:M536,N,N,S: Windows:95:winsock2:Windows 95 winsock 2 -32768:32:1:52:M1460,N,W0,N,N,S: Windows:2003:AS:Windows 2003 AS - - -# No need to be more specific, it passes: -# *:128:1:48:M*,N,N,S:U:-Windows:XP/2000 while downloading (leak!) 
XXX quirk -# there is an equiv similar generic sig w/o the quirk - -# ----------------- HP/UX ------------------- - -32768:64:1:44:M*: HP-UX:B.10.20::HP-UX B.10.20 -32768:64:0:48:M*,W0,N: HP-UX:11.0::HP-UX 11.0 -32768:64:1:48:M*,W0,N: HP-UX:11.10::HP-UX 11.0 or 11.11 -32768:64:1:48:M*,W0,N: HP-UX:11.11::HP-UX 11.0 or 11.11 - -# Whoa. Hardcore WSS. -0:64:0:48:M*,W0,N: HP-UX:B.11.00:A:HP-UX B.11.00 A (RFC1323) - -# ----------------- RiscOS ------------------ - -# We don't yet support the ?12 TCP option -#16384:64:1:68:M1460,N,W0,N,N,T,N,N,?12: RISCOS:3.70-4.36::RISC OS 3.70-4.36 -12288:32:0:44:M536: RISC OS:3.70:4.10:RISC OS 3.70 inet 4.10 - -# XXX quirk -# 4096:64:1:56:M1460,N,N,T:T: RISC OS:3.70:freenet:RISC OS 3.70 freenet 2.00 - - - -# ----------------- BSD/OS ------------------ - -# Once again, power of two WSS is also shared by MacOS X with DF set -8192:64:1:60:M1460,N,W0,N,N,T: BSD/OS:3.1::BSD/OS 3.1-4.3 (or MacOS X 10.2 w/DF) -8192:64:1:60:M1460,N,W0,N,N,T: BSD/OS:4.0-4.3::BSD/OS 3.1-4.3 (or MacOS X 10.2) - - -# ---------------- NewtonOS ----------------- - -4096:64:0:44:M1420: NewtonOS:2.1::NewtonOS 2.1 - -# ---------------- NeXTSTEP ----------------- - -S4:64:0:44:M1024: NeXTSTEP:3.3::NeXTSTEP 3.3 -S8:64:0:44:M512: NeXTSTEP:3.3::NeXTSTEP 3.3 - -# ------------------ BeOS ------------------- - -1024:255:0:48:M*,N,W0: BeOS:5.0-5.1::BeOS 5.0-5.1 -12288:255:0:44:M1402: BeOS:5.0::BeOS 5.0.x - -# ------------------ OS/400 ----------------- - -8192:64:1:60:M1440,N,W0,N,N,T: OS/400:VR4::OS/400 VR4/R5 -8192:64:1:60:M1440,N,W0,N,N,T: OS/400:VR5::OS/400 VR4/R5 -4096:64:1:60:M1440,N,W0,N,N,T: OS/400:V4R5:CF67032:OS/400 V4R5 + CF67032 - -# XXX quirk -# 28672:64:0:44:M1460:A:OS/390:? 
- -# ------------------ ULTRIX ----------------- - -16384:64:0:40:.: ULTRIX:4.5::ULTRIX 4.5 - -# ------------------- QNX ------------------- - -S16:64:0:44:M512: QNX:::QNX demodisk - -# ------------------ Novell ----------------- - -16384:128:1:44:M1460: Novell:NetWare:5.0:Novel Netware 5.0 -6144:128:1:44:M1460: Novell:IntranetWare:4.11:Novell IntranetWare 4.11 -6144:128:1:44:M1368: Novell:BorderManager::Novell BorderManager ? - -6144:128:1:52:M*,W0,N,S,N,N: Novell:Netware:6:Novell Netware 6 SP3 - - -# ----------------- SCO ------------------ -S3:64:1:60:M1460,N,W0,N,N,T: SCO:UnixWare:7.1:SCO UnixWare 7.1 -S17:64:1:60:M1380,N,W0,N,N,T: SCO:UnixWare:7.1:SCO UnixWare 7.1.3 MP3 -S23:64:1:44:M1380: SCO:OpenServer:5.0:SCO OpenServer 5.0 - -# ------------------- DOS ------------------- - -2048:255:0:44:M536: DOS:WATTCP:1.05:DOS Arachne via WATTCP/1.05 -T2:255:0:44:M984: DOS:WATTCP:1.05Arachne:Arachne via WATTCP/1.05 (eepro) - -# ------------------ OS/2 ------------------- - -S56:64:0:44:M512: OS/2:4::OS/2 4 -28672:64:0:44:M1460: OS/2:4::OS/2 Warp 4.0 - -# ----------------- TOPS-20 ----------------- - -# Another hardcore MSS, one of the ACK leakers hunted down. 
-# XXX QUIRK 0:64:0:44:M1460:A:TOPS-20:version 7 -0:64:0:44:M1460: TOPS-20:7::TOPS-20 version 7 - -# ----------------- FreeMiNT ---------------- - -S44:255:0:44:M536: FreeMiNT:1:16A:FreeMiNT 1 patch 16A (Atari) - -# ------------------ AMIGA ------------------ - -# XXX TCP option 12 -# S32:64:1:56:M*,N,N,S,N,N,?12:.:AMIGA:3.9 BB2 with Miami stack - -# ------------------ Plan9 ------------------ - -65535:255:0:48:M1460,W0,N: Plan9:4::Plan9 edition 4 - -# ----------------- AMIGAOS ----------------- - -16384:64:1:48:M1560,N,N,S: AMIGAOS:3.9::AMIGAOS 3.9 BB2 MiamiDX - -########################################### -# Appliance / embedded / other signatures # -########################################### - -# ---------- Firewalls / routers ------------ - -S12:64:1:44:M1460: @Checkpoint:::Checkpoint (unknown 1) -S12:64:1:48:N,N,S,M1460: @Checkpoint:::Checkpoint (unknown 2) -4096:32:0:44:M1460: ExtremeWare:4.x::ExtremeWare 4.x - -# XXX TCP option 12 -# S32:64:0:68:M512,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO w/Checkpoint NG FP3 -# S16:64:0:68:M1024,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO 3.7 build 026 - -S4:64:1:60:W0,N,S,T,M1460: FortiNet:FortiGate:50:FortiNet FortiGate 50 - -8192:64:1:44:M1460: Eagle:::Eagle Secure Gateway - -S52:128:1:48:M1260,N,N,N,N: LinkSys:WRV54G::LinkSys WRV54G VPN router - - - -# ------- Switches and other stuff ---------- - -4128:255:0:44:M*: Cisco:::Cisco Catalyst 3500, 7500 etc -S8:255:0:44:M*: Cisco:12008::Cisco 12008 -60352:128:1:64:M1460,N,W2,N,N,T,N,N,S: Alteon:ACEswitch::Alteon ACEswitch -64512:128:1:44:M1370: Nortel:Contivity Client::Nortel Conectivity Client - - -# ---------- Caches and whatnots ------------ - -S4:64:1:52:M1460,N,N,S,N,W0: AOL:web cache::AOL web cache - -32850:64:1:64:N,W1,N,N,T,N,N,S,M*: NetApp:5.x::NetApp Data OnTap 5.x -16384:64:1:64:M1460,N,N,S,N,W0,N: NetApp:5.3:1:NetApp 5.3.1 -65535:64:0:64:M1460,N,N,S,N,W*,N,N,T: NetApp:5.3-5.5::NetApp 5.3-5.5 -65535:64:0:60:M1460,N,W0,N,N,T: NetApp:CacheFlow::NetApp CacheFlow 
-8192:64:1:64:M1460,N,N,S,N,W0,N,N,T: NetApp:5.2:1:NetApp NetCache 5.2.1 -20480:64:1:64:M1460,N,N,S,N,W0,N,N,T: NetApp:4.1::NetApp NetCache4.1 - -65535:64:0:60:M1460,N,W0,N,N,T: CacheFlow:4.1::CacheFlow CacheOS 4.1 -8192:64:0:60:M1380,N,N,N,N,N,N,T: CacheFlow:1.1::CacheFlow CacheOS 1.1 - -S4:64:0:48:M1460,N,N,S: Cisco:Content Engine::Cisco Content Engine - -27085:128:0:40:.: Dell:PowerApp cache::Dell PowerApp (Linux-based) - -65535:255:1:48:N,W1,M1460: Inktomi:crawler::Inktomi crawler -S1:255:1:60:M1460,S,T,N,W0: LookSmart:ZyBorg::LookSmart ZyBorg - -16384:255:0:40:.: Proxyblocker:::Proxyblocker (what's this?) - -65535:255:0:48:M*,N,N,S: Redline:::Redline T|X 2200 - -32696:128:0:40:M1460: Spirent:Avalanche::Spirent Web Avalanche HTTP benchmarking engine - -# ----------- Embedded systems -------------- - -S9:255:0:44:M536: PalmOS:Tungsten:C:PalmOS Tungsten C -S5:255:0:44:M536: PalmOS:3::PalmOS 3/4 -S5:255:0:44:M536: PalmOS:4::PalmOS 3/4 -S4:255:0:44:M536: PalmOS:3:5:PalmOS 3.5 -2948:255:0:44:M536: PalmOS:3:5:PalmOS 3.5.3 (Handera) -S29:255:0:44:M536: PalmOS:5::PalmOS 5.0 -16384:255:0:44:M1398: PalmOS:5.2:Clie:PalmOS 5.2 (Clie) -S14:255:0:44:M1350: PalmOS:5.2:Treo:PalmOS 5.2.1 (Treo) - -S23:64:1:64:N,W1,N,N,T,N,N,S,M1460: SymbianOS:7::SymbianOS 7 - -8192:255:0:44:M1460: SymbianOS:6048::Symbian OS 6048 (Nokia 7650?) -8192:255:0:44:M536: SymbianOS:9210::Symbian OS (Nokia 9210?) -S22:64:1:56:M1460,T,S: SymbianOS:P800::Symbian OS ? (SE P800?) -S36:64:1:56:M1360,T,S: SymbianOS:6600::Symbian OS 60xx (Nokia 6600?) - - -# Perhaps S4? -5840:64:1:60:M1452,S,T,N,W1: Zaurus:3.10::Zaurus 3.10 - -32768:128:1:64:M1460,N,W0,N,N,T0,N,N,S: PocketPC:2002::PocketPC 2002 - -S1:255:0:44:M346: Contiki:1.1:rc0:Contiki 1.1-rc0 - -4096:128:0:44:M1460: Sega:Dreamcast:3.0:Sega Dreamcast Dreamkey 3.0 -T5:64:0:44:M536: Sega:Dreamcast:HKT-3020:Sega Dreamcast HKT-3020 (browser disc 51027) -S22:64:1:44:M1460: Sony:PS2::Sony Playstation 2 (SOCOM?) 
- -S12:64:0:44:M1452: AXIS:5600:v5.64:AXIS Printer Server 5600 v5.64 - -3100:32:1:44:M1460: Windows:CE:2.0:Windows CE 2.0 - -#################### -# Fancy signatures # -#################### - -1024:64:0:40:.: *NMAP:syn scan:1:NMAP syn scan (1) -2048:64:0:40:.: *NMAP:syn scan:2:NMAP syn scan (2) -3072:64:0:40:.: *NMAP:syn scan:3:NMAP syn scan (3) -4096:64:0:40:.: *NMAP:syn scan:4:NMAP syn scan (4) - -# Requires quirks support -# 1024:64:0:40:.:A:*NMAP:TCP sweep probe (1) -# 2048:64:0:40:.:A:*NMAP:TCP sweep probe (2) -# 3072:64:0:40:.:A:*NMAP:TCP sweep probe (3) -# 4096:64:0:40:.:A:*NMAP:TCP sweep probe (4) - -1024:64:0:60:W10,N,M265,T: *NMAP:OS:1:NMAP OS detection probe (1) -2048:64:0:60:W10,N,M265,T: *NMAP:OS:2:NMAP OS detection probe (2) -3072:64:0:60:W10,N,M265,T: *NMAP:OS:3:NMAP OS detection probe (3) -4096:64:0:60:W10,N,M265,T: *NMAP:OS:4:NMAP OS detection probe (4) - -32767:64:0:40:.: *NAST:::NASTsyn scan - -# Requires quirks support -# 12345:255:0:40:.:A:-p0f:sendsyn utility - - -##################################### -# Generic signatures - just in case # -##################################### - -#*:64:1:60:M*,N,W*,N,N,T: @FreeBSD:4.0-4.9::FreeBSD 4.x/5.x -#*:64:1:60:M*,N,W*,N,N,T: @FreeBSD:5.0-5.1::FreeBSD 4.x/5.x - -*:128:1:52:M*,N,W0,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323 no tstamp) -*:128:1:52:M*,N,W0,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323 no tstamp) -*:128:1:52:M*,N,W*,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323 no tstamp) -*:128:1:52:M*,N,W*,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323 no tstamp) -*:128:1:64:M*,N,W0,N,N,T0,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323) -*:128:1:64:M*,N,W0,N,N,T0,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323) -*:128:1:64:M*,N,W*,N,N,T0,N,N,S: @Windows:XP:RFC1323:Windows XP (RFC1323, w+) -*:128:1:48:M536,N,N,S: @Windows:98::Windows 98 -*:128:1:48:M*,N,N,S: @Windows:XP::Windows XP/2000 -*:128:1:48:M*,N,N,S: @Windows:2000::Windows XP/2000 - - 
diff --git a/src/etc/devd.conf b/src/etc/pfSense-devd.conf index ea67ba6..ea67ba6 100644 --- a/src/etc/devd.conf +++ b/src/etc/pfSense-devd.conf diff --git a/src/etc/rc b/src/etc/pfSense-rc index 514bfd0..be98e1e 100755 --- a/src/etc/rc +++ b/src/etc/pfSense-rc @@ -1,8 +1,6 @@ #!/bin/sh -# $Id$ - -# /etc/rc - master bootup script, invokes php setup +# /etc/pfSense-rc - master bootup script, invokes php setup # part of pfSense by Scott Ullrich # Copyright (C) 2004-2010 Scott Ullrich, All rights reserved. # originally based on m0n0wall (http://neon1.net/m0n0wall) @@ -25,6 +23,18 @@ PLATFORM=`/bin/cat /etc/platform` # Set our current version version=`/bin/cat /etc/version` +# Version patch +version_patch="0" +if [ -f /etc/version.patch ]; then + version_patch=`/bin/cat /etc/version.patch` +fi + +if [ "${version_patch}" = "0" ]; then + version_patch="" +else + version_patch=" (Patch ${version_patch})" +fi + # Read product_name from $g, defaults to pfSense # Use php -n here because we are not ready to load extensions yet product=$(/usr/local/bin/php -n /usr/local/sbin/read_global_var product_name pfSense) @@ -127,6 +137,10 @@ if [ "${PLATFORM}" != "cdrom" ]; then fi fi +# Make sure /home exists +[ -d /home ] \ + || mkdir /home + /bin/rm -f /root/force_fsck /bin/rm -f /root/TRIM_set /bin/rm -f /root/TRIM_unset @@ -182,10 +196,10 @@ else fi echo -cat /etc/ascii-art/pfsense-logo-small.txt +cat /usr/local/share/pfSense/ascii-art/pfsense-logo-small.txt echo echo -echo "Welcome to ${product} ${version}${platformbanner}..." +echo "Welcome to ${product} ${version}${version_patch}${platformbanner}..." echo /sbin/conscontrol mute off >/dev/null 
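Review bot: An empty `/etc/version.patch` leaves `version_patch` as the empty string in the `@@ -25,6 +23,18 @@` hunk, which is not equal to `"0"`, so the welcome banner ends up with the suffix ` (Patch )`; the test should treat empty like zero: `if [ -z "${version_patch}" ] || [ "${version_patch}" = "0" ]; then`. The same `${version_patch}` is echoed into the syslog line in the `@@ -439,7 +468,7 @@` hunk, so the fix covers both.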
@@ -361,6 +375,15 @@ echo "done." # Second upgrade stage /usr/local/sbin/${product}-upgrade -y -b 2 +# Copy default openssl config file +[ -d /etc/ssl ] \ + || mkdir -p /etc/ssl +[ -f /usr/local/share/${product}/ssl/openssl.cnf ] \ + && cp -f /usr/local/share/${product}/ssl/openssl.cnf /etc/ssl +mkdir -p /usr/local/openssl >/dev/null 2>&1 +ln -sf /etc/ssl/openssl.cnf \ + /usr/local/openssl/openssl.cnf + # Run the php.ini setup file and populate # /usr/local/etc/php.ini /etc/rc.php_ini_setup 2>/tmp/php_errors.txt @@ -397,6 +420,12 @@ if [ "${PLATFORM}" = "nanobsd" ]; then /sbin/mount -u -f -r -o sync,noatime /cf fi +# Copy custom logo over if it's present +if [ -d /usr/local/share/${product}/custom_logos ]; then + cp -f /usr/local/share/${product}/custom_logos/*png \ + /usr/local/www +fi + /etc/rc.bootup # /etc/rc.bootup unset $g['booting'], and removes file @@ -439,7 +468,7 @@ fi # Log product version to syslog BUILDTIME=`cat /etc/version.buildtime` ARCH=`uname -m` -echo "$product ($PLATFORM) $version $ARCH $BUILDTIME" +echo "$product ($PLATFORM) ${version}${version_patch} $ARCH $BUILDTIME" echo "Bootup complete" diff --git a/src/etc/rc.shutdown b/src/etc/pfSense-rc.shutdown index dec0267..0c4962a 100755 --- a/src/etc/rc.shutdown +++ b/src/etc/pfSense-rc.shutdown @@ -33,6 +33,7 @@ DISK_NAME=`/bin/df /var/db/rrd | /usr/bin/tail -1 | /usr/bin/awk '{print $1;}'` DISK_TYPE=`/usr/bin/basename ${DISK_NAME} | /usr/bin/cut -c1-2` # If we are not on a full install, or if the full install wants RAM disks, or if the full install _was_ using RAM disks, but isn't for the next boot... if [ "${PLATFORM}" != "${product}" ] || [ "${USE_MFS_TMPVAR}" = "true" ] || [ "${DISK_TYPE}" = "md" ]; then + /etc/rc.backup_aliastables.sh /etc/rc.backup_rrd.sh /etc/rc.backup_dhcpleases.sh fi diff --git a/src/etc/pfSense.obsoletedfiles b/src/etc/pfSense.obsoletedfiles index 7df07d8..85de7f3 100644 --- a/src/etc/pfSense.obsoletedfiles +++ b/src/etc/pfSense.obsoletedfiles 
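Review bot: `ln -sf /etc/ssl/openssl.cnf /usr/local/openssl/openssl.cnf` runs unconditionally, so when `/usr/local/share/${product}/ssl/openssl.cnf` is absent the `&& cp -f` is skipped and the link is created dangling; move the `mkdir -p` and `ln -sf` into an `if [ -f /usr/local/share/${product}/ssl/openssl.cnf ]; then … fi` block together with the `cp`. The `cp -f` also replaces `/etc/ssl/openssl.cnf` on every boot, which silently discards any local change to the OpenSSL defaults; if that is intended, state it in the comment, e.g. `# /etc/ssl/openssl.cnf is reset from the packaged default on every boot; local edits do not persist`.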
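Review bot: In the `custom_logos` hunk (`@@ -397,6 +420,12 @@`) the glob `/usr/local/share/${product}/custom_logos/*png` is expanded by `/bin/sh` with no nullglob, so an existing but empty directory passes the `-d` test and `cp` is then run on the literal `*png`, printing an error on the console during boot. Guard on a matched file rather than on the directory: `for f in /usr/local/share/${product}/custom_logos/*png; do [ -f "$f" ] && cp -f "$f" /usr/local/www; done`.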
@@ -5,6 +5,7 @@ /boot/device.hints_wrap /boot/loader.conf_wrap /dist +/etc/ascii-art/pfsense-logo-small.txt /etc/auth.conf /etc/current-supfile /etc/defaults/pccard.conf @@ -166,6 +167,7 @@ /lib/libz.so.5 /root/latest.tgz.sha256 /sbin/atacontrol +/sbin/athctrl.sh /sbin/idmapd /sbin/ip6fw /sbin/mount_devfs @@ -741,6 +743,7 @@ /usr/local/share/locale/zh_CN.GB2312 /usr/local/share/locale/zh_TW.Big5 /usr/local/share/misc +/usr/local/share/mobile-broadband-provider-info/iso_3166-1_list_en.xml /usr/local/share/nls /usr/local/share/pbi-keys /usr/local/share/pfSense/pfSense-repo-devel.conf @@ -754,6 +757,7 @@ /usr/local/www/classes/maintable.inc /usr/local/www/code-syntax-highlighter /usr/local/www/csrf/csrf-secret.php +/usr/local/www/css/table.css /usr/local/www/datetimepicker.js /usr/local/www/dfly-pg.gif /usr/local/www/dfuife.cgi diff --git a/src/etc/phpshellsessions/disablecarpmaint b/src/etc/phpshellsessions/disablecarpmaint new file mode 100644 index 0000000..06dee48 --- /dev/null +++ b/src/etc/phpshellsessions/disablecarpmaint @@ -0,0 +1,5 @@ +! echo "Disabling CARP maintenance mode..." +require_once("interfaces.inc"); + +interfaces_carp_set_maintenancemode(false); + diff --git a/src/etc/phpshellsessions/enablecarpmaint b/src/etc/phpshellsessions/enablecarpmaint new file mode 100644 index 0000000..1a63dd2 --- /dev/null +++ b/src/etc/phpshellsessions/enablecarpmaint @@ -0,0 +1,5 @@ +! echo "Enabling CARP maintenance mode..." +require_once("interfaces.inc"); + +interfaces_carp_set_maintenancemode(true); + diff --git a/src/etc/phpshellsessions/gitsync b/src/etc/phpshellsessions/gitsync index 32722fe..a8b8cc7 100644 --- a/src/etc/phpshellsessions/gitsync +++ b/src/etc/phpshellsessions/gitsync @@ -20,7 +20,7 @@ $GITSYNC_MERGE = "/root/.gitsync_merge"; /* NOTE: Set branches here */ $branches = array( - "master" => "2.3 development branch", + "master" => "2.4 development branch", "build_commit" => "The commit originally used to build the image" ); 
@@ -38,6 +38,12 @@ $valid_args = array(
 "--minimal" => "\tPerform a minimal copy of only the updated files.\n" .
 "\tNot recommended if the system has files modified by any method other\n" .
 "\tthan gitsync.\n",
+ "--diff" => "\tPerform a copy of only the files that are different or missing.\n" .
+ "\tRecommended for SSD if system has files modified by any method other\n" .
+ "\tthan gitsync.\n",
+ "--verbose" => "\tDisplay constructed command. In combination with the --diff\n" .
+ "\toption, display the array of different and missing files.\n",
+ "--dry-run" => "\tDry-run only. No files copied.\n",
 "--help" => "\tDisplay this help list.\n"
 );
 $args = array();
@@ -68,6 +74,69 @@ while (!empty($temp_args)) { } } +if (!function_exists('post_cvssync_commands')) { +function post_cvssync_commands() { + echo "===> Removing FAST-CGI temporary files...\n"; + exec("find /tmp -name \"php-fastcgi.socket*\" -exec rm -rf {} \;"); + exec("find /tmp -name \"*.tmp\" -exec rm -rf {} \;"); + + exec("rm -rf /tmp/xcache/* 2>/dev/null"); + + echo "===> Upgrading configuration (if needed)...\n"; + convert_config(); + + echo "===> Configuring filter..."; + exec("/etc/rc.filter_configure_sync"); + exec("pfctl -f /tmp/rules.debug"); + echo "\n"; + + if (file_exists("/etc/rc.php_ini_setup")) { + echo "===> Running /etc/rc.php_ini_setup..."; + exec("/etc/rc.php_ini_setup >/dev/null 2>&1"); + echo "\n"; + } + + /* lock down console if necessary */ + echo "===> Locking down the console if needed...\n"; + reload_ttys(); + + echo "===> Signaling PHP and nginx restart..."; + $fd = fopen("/tmp/restart_nginx", "w"); + fwrite($fd, "#!/bin/sh\n"); + fwrite($fd, "sleep 5\n"); + fwrite($fd, "/usr/local/sbin/pfSctl -c 'service restart webgui'\n"); + fclose($fd); + mwexec_bg("sh /tmp/restart_nginx"); + echo "\n"; +} +} + +if (!function_exists('isUrl')) { +function isUrl($url = "") { + if ($url) { + if (strstr($url, "rcs.pfsense.org") or + strstr($url, "mainline") or + strstr($url, ".git") or + strstr($url, "git://")) { + return true; + } + } + return false; +} +} + +if (!function_exists('run_cmds')) { +function run_cmds($cmds) { + global $debug; + foreach ($cmds as $cmd) { + if ($debug) { + echo "Running $cmd"; + } + exec($cmd); + } +} +} + unlink_if_exists("/tmp/config.cache"); conf_mount_rw(); 
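Review bot: The `if (!function_exists(...))` guards around `post_cvssync_commands`, `isUrl` and `run_cmds` keep whichever definition was loaded first, so on a repeat run inside one pfSsh session the copy already in memory wins over the freshly synced code; that is acceptable for re-runnability but deserves a comment, e.g. `/* guarded so gitsync can be re-run in one pfSsh session; an already-loaded definition is kept */`. The function bodies themselves are moved from the end of the file (deleted in the `@@ -362,62 +491,4 @@` hunk), not new.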
@@ -298,8 +367,10 @@ if (isset($args["--minimal"])) { $old_revision = trim(file_get_contents("/etc/version.lastcommit")); } $files_to_copy = strtr(shell_exec("cd $CODIR/pfSenseGITREPO/pfSenseGITREPO && {$GIT_BIN} diff --name-only --relative=src " . escapeshellarg($old_revision)), "\n", " "); + $tar_options = '-C ./src'; } else { - $files_to_copy = '-C ./src .'; + $files_to_copy = '.'; + $tar_options = '-C ./src'; } // Save new commit ID for later minimal file copies 
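Review bot: `$tar_options = '-C ./src';` is assigned identically in both branches of `if (isset($args["--minimal"]))`, so it should be set once before the `if` and only `$files_to_copy` left per branch. The `--minimal` list on the context line is still joined with bare spaces from `git diff --name-only`, so a path containing whitespace is split into separate tar arguments; that line predates this change.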
@@ -324,16 +395,74 @@ exec("rm -rf {$CODIR}/pfSenseGITREPO/pfSenseGITREPO/src/conf*"); exec("rm -rf {$CODIR}/pfSenseGITREPO/pfSenseGITREPO/src/cf 2>/dev/null"); @chmod("{$CODIR}/pfSenseGITREPO/pfSenseGITREPO/src/tmp", 01777); +if(isset($args["--diff"])) { + # Find different and missing files. + $different_missing_files = shell_exec("/usr/bin/diff -qr / $CODIR/pfSenseGITREPO/pfSenseGITREPO/src/ | /usr/bin/grep -E '^(Files .*? and $CODIR/pfSenseGITREPO/pfSenseGITREPO/src/.*? differ)|(Only in $CODIR/pfSenseGITREPO/pfSenseGITREPO/src/)'"); + + # Get the path of each different or missing file. + preg_match_all('@(?:^Files .*? and '.$CODIR.'/pfSenseGITREPO/pfSenseGITREPO/src/(.*?) differ.*?$)@sim', $different_missing_files, $different_files_array, PREG_PATTERN_ORDER); + preg_match_all('@(?:^Only in '.$CODIR.'/pfSenseGITREPO/pfSenseGITREPO/src/(.*?)$)@sim', $different_missing_files, $missing_files_array, PREG_PATTERN_ORDER); + + # Deal with diff's output format of missing files (path: missing_file). + foreach ($missing_files_array[1] as $key => $file) { + + # Most of the time there will be only the one ': ' injected by diff output. So global replace with dir delimiter (/) is fine. + $tmp = str_replace(": ", "/", $file, $count); + if ($count == 1) + $file = ltrim($tmp, "/"); + + # For the very rare case a path component (dir or file) contains ': ' as well, then need to find and replace only the ': ' injected by diff output. + else { + $tmp = $file; + do { + $pos = strrpos($tmp, ": "); + if ($pos) { + $tmp = substr($tmp, 0, $pos); + $res = is_dir("$CODIR/pfSenseGITREPO/pfSenseGITREPO/src/$tmp/"); + } + } while (!$res && $pos); + + if ($res) + $file = ltrim($tmp . "/" . substr($file, $pos+2), "/"); + } + + $missing_files_array[1][$key] = $file; + } + + # Convert the list from array to space separated quoted strings. Quoted for white space file name support. + $different_files = $missing_files = ''; + if (count($different_files_array[1]) > 0) + $different_files .= '"' . 
implode('" "', $different_files_array[1]) . '"'; + if (count($missing_files_array[1]) > 0) + $missing_files .= '"' . implode('" "', $missing_files_array[1]) . '"'; + + # Files to be copied. + $files_to_copy = trim($different_files . " " . $missing_files); + $tar_options = '-C ./src'; + + if(isset($args["--verbose"])) { + echo "===> Different Files: \n"; + print_r($different_files_array[1]); + echo "===> Missing Files: \n"; + print_r($missing_files_array[1]); + } +} + echo "===> Installing new files...\n"; if ($g['platform'] == $g['product_name']) { - $command = "cd $CODIR/pfSenseGITREPO/pfSenseGITREPO ; tar -cpf - {$files_to_copy} | (cd / ; tar -Uxpf -)"; + $command = "cd $CODIR/pfSenseGITREPO/pfSenseGITREPO ; tar -cpf - {$tar_options} {$files_to_copy} | (cd / ; tar -Uxpf -)"; } else { - $command = "cd $CODIR/pfSenseGITREPO/pfSenseGITREPO ; tar -cpf - {$files_to_copy} | (cd / ; tar -xpf -) 2>/dev/null"; + $command = "cd $CODIR/pfSenseGITREPO/pfSenseGITREPO ; tar -cpf - {$tar_options} {$files_to_copy} | (cd / ; tar -xpf -) 2>/dev/null"; } if (!empty($files_to_copy)) { - exec($command); + if(isset($args["--verbose"])) { + echo "===> Command: \n$command\n"; + } + if(!isset($args["--dry-run"])) { + exec($command); + } } else { echo "Already up-to-date.\n"; $upgrading = true; 
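Review bot: The file list handed to `tar` is built with literal double quotes (`'"' . implode('" "', ...) . '"'`), so a path in the checkout containing `"`, `$` or a backtick breaks out of the quoting inside the shell command string; `escapeshellarg`, which this script already uses for `$old_revision`, handles it per element: `$different_files = implode(' ', array_map('escapeshellarg', $different_files_array[1]));` and the same for `$missing_files`. `$CODIR` is also interpolated unescaped into the two `preg_match_all` patterns and the `grep -E` expression, so it should pass through `preg_quote($CODIR, '@')` for the patterns. In the `do … while (!$res && $pos)` loop `$res` is read before it is ever assigned when the first `strrpos` returns false; initialise `$res = false;` before the loop.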
@@ -362,62 +491,4 @@ if (!$upgrading) { echo "Your system is now sync'd.\n\n"; } -function post_cvssync_commands() { - echo "===> Removing FAST-CGI temporary files...\n"; - exec("find /tmp -name \"php-fastcgi.socket*\" -exec rm -rf {} \;"); - exec("find /tmp -name \"*.tmp\" -exec rm -rf {} \;"); - - exec("rm -rf /tmp/xcache/* 2>/dev/null"); - - echo "===> Upgrading configuration (if needed)...\n"; - convert_config(); - - echo "===> Configuring filter..."; - exec("/etc/rc.filter_configure_sync"); - exec("pfctl -f /tmp/rules.debug"); - echo "\n"; - - if (file_exists("/etc/rc.php_ini_setup")) { - echo "===> Running /etc/rc.php_ini_setup..."; - exec("/etc/rc.php_ini_setup >/dev/null 2>&1"); - echo "\n"; - } - - /* lock down console if necessary */ - echo "===> Locking down the console if needed...\n"; - reload_ttys(); - - echo "===> Signaling PHP and nginx restart..."; - $fd = fopen("/tmp/restart_nginx", "w"); - fwrite($fd, "#!/bin/sh\n"); - fwrite($fd, "sleep 5\n"); - fwrite($fd, "/usr/local/sbin/pfSctl -c 'service restart webgui'\n"); - fclose($fd); - mwexec_bg("sh /tmp/restart_nginx"); - echo "\n"; - -} - -function isUrl($url = "") { - if ($url) { - if (strstr($url, "rcs.pfsense.org") or - strstr($url, "mainline") or - strstr($url, ".git") or - strstr($url, "git://")) { - return true; - } - } - return false; -} - -function run_cmds($cmds) { - global $debug; - foreach ($cmds as $cmd) { - if ($debug) { - echo "Running $cmd"; - } - exec($cmd); - } -} - conf_mount_ro(); diff --git a/src/etc/phpshellsessions/resetwebgui b/src/etc/phpshellsessions/resetwebgui new file mode 100644 index 0000000..ab7ee0d --- /dev/null +++ b/src/etc/phpshellsessions/resetwebgui 
@@ -0,0 +1,26 @@ +global $config; + +$config = parse_config(true); +$default_theme = "pfSense.css"; +$default_columns = 2; +$default_widgets = "system_information:col1:show,interfaces:col2:show"; + +echo "Resetting webGUI:\n"; +echo " Theme to " . $default_theme . "\n"; +echo " Dashboard columns to " . $default_columns . "\n"; +echo " Top navigation to scroll\n"; +echo " Widgets to System Information and Interfaces\n"; +echo "..."; + +$config['system']['webgui']['webguicss'] = $default_theme; +$config['system']['webgui']['dashboardcolumns'] = $default_columns; + +if (isset($config['system']['webgui']['webguifixedmenu'])) { + unset($config['system']['webgui']['webguifixedmenu']); +} + +$config['widgets']['sequence'] = $default_widgets; + +write_config("pfSsh.php reset webGUI"); + +echo "done.\n";
\ No newline at end of file
diff --git a/src/etc/platform b/src/etc/platform
deleted file mode 100644
index 8443722..0000000
--- a/src/etc/platform
+++ /dev/null
@@ -1 +0,0 @@
-pfSense
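Review bot: The new resetwebgui session has no header comment saying what it resets or how it is meant to be run, which the other files in this tree get from their license/purpose block; suggest opening the file with `/* Reset the webGUI theme, dashboard column count, fixed-menu flag and widget sequence to their defaults, then save the configuration. */`. `$config = parse_config(true);` replaces the already loaded global with a fresh parse; if that is deliberate (to discard any cached copy before writing), a one-line comment on it would stop the next reader from removing it. `$default_columns` is written as an integer while the neighbouring values are strings; presumably write_config() serialises both the same way, but it is worth confirming that the XML round-trip yields what the dashboard code compares against.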
\ No newline at end of file diff --git a/src/etc/rc.backup_aliastables.sh b/src/etc/rc.backup_aliastables.sh new file mode 100755 index 0000000..dfc8b72 --- /dev/null +++ b/src/etc/rc.backup_aliastables.sh @@ -0,0 +1,24 @@ +#!/bin/sh + +: ${DBPATH:=/var/db/aliastables} +: ${CF_CONF_PATH:=/cf/conf} + +: ${RAM_Disk_Store:=${CF_CONF_PATH}/RAM_Disk_Store/${DBPATH}} + +# Save the alias tables database to the RAM disk store. +if [ -d "${DBPATH}" ]; then + [ -z "$NO_REMOUNT" ] && /etc/rc.conf_mount_rw + + if [ ! -d "${RAM_Disk_Store}" ]; then + mkdir -p "${RAM_Disk_Store}" + fi + + for aliastablefile in "${DBPATH}"/* ; do + filename="$(basename ${aliastablefile})" + if [ ! -f "${RAM_Disk_Store}/$(unknown).tgz" ]; then + cd / && /usr/bin/tar -czf "${RAM_Disk_Store}/$(unknown).tgz" -C / "${DBPATH}/$(unknown)" + fi + done + + [ -z "$NO_REMOUNT" ] && /etc/rc.conf_mount_ro +fi diff --git a/src/etc/rc.banner b/src/etc/rc.banner index 6204d29..fbd4ba0 100755 --- a/src/etc/rc.banner +++ b/src/etc/rc.banner @@ -34,17 +34,21 @@ require_once("gwlb.inc"); require_once("interfaces.inc"); - $platform = trim(file_get_contents("{$g['etc_path']}/platform")); $hostname = $config['system']['hostname']; $product = $g['product_name']; $machine = trim(`uname -m`); $hideplatform = $g['hideplatform']; if (!$hideplatform) { - $platformbanner = "-{$platform}"; + if ($g['platform'] == $g['product_name']) { + $platform = "full-install"; + } else { + $platform = $g['platform']; + } + $platformbanner = " {$platform}"; } - print "*** Welcome to {$product} {$g['product_version']}{$platformbanner} ({$machine}) on {$hostname} ***\n"; + print "*** Welcome to {$product} {$g['product_version_string']} ({$machine}{$platformbanner}) on {$hostname} ***\n"; $iflist = get_configured_interface_with_descr(false, true); foreach ($iflist as $ifname => $friendly) { diff --git a/src/etc/rc.bootup b/src/etc/rc.bootup index 5c8b613..9f7f3a7 100755 --- a/src/etc/rc.bootup +++ b/src/etc/rc.bootup 
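Review bot: The `for aliastablefile in "${DBPATH}"/*` loop has no guard for an empty directory: /bin/sh leaves an unmatched glob as the literal pattern, so with no tables present the loop runs once with `filename` set to `*` and tar is invoked on a path that does not exist. A first statement of `[ -e "${aliastablefile}" ] || continue` closes that, and the basename argument should be quoted, `filename="$(basename "${aliastablefile}")"`. As rendered here the archive path reads `$(unknown).tgz` instead of `${filename}.tgz`; if the committed file really contains `$(unknown)` that is a command substitution of a nonexistent command and every table would collapse onto the same archive name, so worth checking against the file itself. The `cd / &&` before a tar that already passes `-C /` is redundant. Because an archive that already exists is skipped, a table that changed since the last backup is never re-archived; if that is intentional, a comment saying so would help.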
@@ -59,13 +59,13 @@ function rescue_detect_keypress() { } // If R or I was pressed do our logic here if (in_array($key, array("r", "R"))) { - putenv("TERM=cons25"); + putenv("TERM=xterm"); echo "\n\nRecovery mode selected...\n"; - passthru("/usr/bin/env TERM=cons25 /bin/tcsh"); + passthru("/usr/bin/env TERM=xterm /bin/tcsh"); } else { - putenv("TERM=cons25"); + putenv("TERM=xterm"); echo "\n\nInstaller mode selected...\n"; - passthru("/usr/bin/env TERM=cons25 /bin/tcsh -c /scripts/lua_installer"); + passthru("/usr/bin/env TERM=xterm /bin/tcsh -c /scripts/lua_installer"); } passthru("/etc/rc.reboot"); @@ -230,6 +230,9 @@ interfaces_loopback_configure(); /* start syslogd */ system_syslogd_start(); +/* restore alias tables */ +restore_aliastables(); + echo "Starting Secure Shell Services..."; send_event("service reload sshd"); echo "done.\n"; @@ -316,8 +319,8 @@ echo "done.\n"; /* start load balancer daemon */ relayd_configure(); -/* configure console menu */ -system_console_configure(); +/* configure console menu and serial port*/ +setup_serial_port(); /* start DHCP service */ services_dhcpd_configure(); @@ -419,7 +422,9 @@ if (file_exists('/conf/needs_package_sync') && } /* Detect installed binary pkgs that are not registered in the system */ -register_all_installed_packages(); +if ($g['platform'] != "cdrom") { + register_all_installed_packages(); +} /* Give syslogd a kick after everything else has been initialized, otherwise it can occasionally fail to route syslog messages properly on both IPv4 and IPv6 */ diff --git a/src/etc/rc.captiveportal_configure b/src/etc/rc.captiveportal_configure index 586583d..ca44f06 100755 --- a/src/etc/rc.captiveportal_configure +++ b/src/etc/rc.captiveportal_configure 
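Review bot: The replacement comment in the third hunk, `/* configure console menu and serial port*/`, is missing the space before `*/` that every other comment in this file has; `/* configure console menu and serial port */`. In the second hunk `restore_aliastables()` runs unconditionally at every boot, whereas the matching `/etc/rc.backup_aliastables.sh` call added to rc.reboot in this same commit only runs when RAM disks are in use; if the function does not itself check for the RAM disk store, a full install without RAM disks could restore a stale copy over live tables, which is worth confirming against its definition.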
@@ -28,11 +28,11 @@ POSSIBILITY OF SUCH DAMAGE. */ -require("config.inc"); -require("functions.inc"); +require_once("config.inc"); +require_once("functions.inc"); require_once("filter.inc"); -require("shaper.inc"); -require("captiveportal.inc"); +require_once("shaper.inc"); +require_once("captiveportal.inc"); captiveportal_configure(); diff --git a/src/etc/rc.captiveportal_configure_mac b/src/etc/rc.captiveportal_configure_mac index b0daf68..1cdd44e 100755 --- a/src/etc/rc.captiveportal_configure_mac +++ b/src/etc/rc.captiveportal_configure_mac @@ -28,11 +28,11 @@ POSSIBILITY OF SUCH DAMAGE. */ -require("config.inc"); -require("functions.inc"); +require_once("config.inc"); +require_once("functions.inc"); require_once("filter.inc"); -require("shaper.inc"); -require("captiveportal.inc"); +require_once("shaper.inc"); +require_once("captiveportal.inc"); global $cpzone; diff --git a/src/etc/rc.d/hostid b/src/etc/rc.d/hostid deleted file mode 100755 index 37ea173..0000000 --- a/src/etc/rc.d/hostid +++ /dev/null 
@@ -1,137 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 2007 Pawel Jakub Dawidek <pjd@FreeBSD.org> -# Copyright (c) 2015 Xin LI <delphij@FreeBSD.org> -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# PROVIDE: hostid -# REQUIRE: sysctl -# KEYWORD: nojail - -. /etc/rc.subr - -name="hostid" -start_cmd="hostid_start" -stop_cmd=":" -reset_cmd="hostid_reset" -extra_commands="reset" -rcvar="hostid_enable" - -hostid_set() -{ - uuid=$1 - # Generate hostid based on hostuuid - take first four bytes from md5(uuid). - id=`echo -n $uuid | /sbin/md5` - id="0x${id%????????????????????????}" - - # Set both kern.hostuuid and kern.hostid. - # - check_startmsgs && echo "Setting hostuuid: ${uuid}." 
- ${SYSCTL} kern.hostuuid="${uuid}" >/dev/null - check_startmsgs && echo "Setting hostid: ${id}." - ${SYSCTL} kern.hostid=${id} >/dev/null -} - -valid_hostid() -{ - uuid=$1 - - x="[0-9a-f]" - y=$x$x$x$x - - # Check against a blacklist before - # accepting the UUID. - case "${uuid}" in - 00000000-0000-0000-0000-000000000000) - ;; - 00020003-0004-0005-0006-000700080009) - ;; - 03000200-0400-0500-0006-000700080009) - ;; - 07090201-0103-0301-0807-060504030201) - ;; - 11111111-1111-1111-1111-111111111111) - ;; - 11111111-2222-3333-4444-555555555555) - ;; - 4c4c4544-0000-2010-8020-80c04f202020) - ;; - 58585858-5858-5858-5858-585858585858) - ;; - 890e2d14-cacd-45d1-ae66-bc80e8bfeb0f) - ;; - 8e275844-178f-44a8-aceb-a7d7e5178c63) - ;; - dc698397-fa54-4cf2-82c8-b1b5307a6a7f) - ;; - fefefefe-fefe-fefe-fefe-fefefefefefe) - ;; - *-ffff-ffff-ffff-ffffffffffff) - ;; - $y$y-$y-$y-$y-$y$y$y) - return 0 - ;; - esac - - return 1 -} - -hostid_generate() -{ - # First look for UUID in hardware. - # If not found, fall back to software-generated UUID. - uuid=`uuidgen` - hostid_set $uuid -} - -hostid_reset() -{ - hostid_generate - # Store newly generated UUID in ${hostid_file}. - echo $uuid > ${hostid_file} - if [ $? -ne 0 ]; then - warn "could not store hostuuid in ${hostid_file}." - fi -} - -hostid_start() -{ - # If ${hostid_file} already exists, we take UUID from there. - if [ -r ${hostid_file} ]; then - read saved_hostid < ${hostid_file} - if valid_hostid ${saved_hostid}; then - hostid_set `cat ${hostid_file}` - exit 0 - fi - fi - - # No hostid file, generate UUID. - hostid_generate -} - -load_rc_config $name -run_rc_command "$1" diff --git a/src/etc/rc.initial b/src/etc/rc.initial index 572188f..6fe3b6a 100755 --- a/src/etc/rc.initial +++ b/src/etc/rc.initial 
@@ -82,7 +82,7 @@ echo "" echo " 0) Logout (SSH only) 9) pfTop" echo " 1) Assign Interfaces 10) Filter Logs" echo " 2) Set interface(s) IP address 11) Restart webConfigurator" -echo " 3) Reset webConfigurator password 12) ${product} Developer Shell" +echo " 3) Reset webConfigurator password 12) PHP shell + ${product} tools" echo " 4) Reset to factory defaults 13) Update from console" echo " 5) Reboot system ${sshd_option}" echo " 6) Halt system 15) Restore recent configuration" @@ -158,7 +158,7 @@ case ${opmode} in ;; 99) if [ -e /dev/ukbd0 ]; then - env TERM=cons25 /scripts/lua_installer + env TERM=xterm /scripts/lua_installer else /scripts/lua_installer fi diff --git a/src/etc/rc.initial.password b/src/etc/rc.initial.password index 969745b..b8a0e9b 100755 --- a/src/etc/rc.initial.password +++ b/src/etc/rc.initial.password @@ -32,7 +32,7 @@ /* parse the configuration and include all functions used below */ require_once("config.inc"); - require("auth.inc"); + require_once("auth.inc"); require_once("functions.inc"); require_once("shaper.inc"); diff --git a/src/etc/rc.linkup b/src/etc/rc.linkup index 881f3d7..fcbd2a7 100755 --- a/src/etc/rc.linkup +++ b/src/etc/rc.linkup @@ -156,6 +156,7 @@ if (!empty($realiface)) { } } } + filter_configure(); unlock($rclinkuplock); } ?> diff --git a/src/etc/rc.newipsecdns b/src/etc/rc.newipsecdns index 7c5428a..c4581ae 100755 --- a/src/etc/rc.newipsecdns +++ b/src/etc/rc.newipsecdns @@ -46,7 +46,7 @@ if (file_exists("{$g['varrun_path']}/booting")) { return; } -if (isset($config['ipsec']['enable'])) { +if (ipsec_enabled()) { sleep(15); log_error("IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing."); } else { diff --git a/src/etc/rc.newwanip b/src/etc/rc.newwanip index 4831043..6946918 100755 --- a/src/etc/rc.newwanip +++ b/src/etc/rc.newwanip 
@@ -106,6 +106,7 @@ if (empty($interface)) { if (platform_booting()) { return; } + log_error("rc.newwanip called with empty interface."); filter_configure(); restart_packages(); return; @@ -189,6 +190,15 @@ if (!empty($gre)) { } } +if (platform_booting()) { + // avoid race conditions in many of the below functions that occur during boot + // setting up gateways monitor doesn't seem to have issues here, and fixes the + // most commonly encountered bugs from earlier versions when everything below + // was skipped during boot + setup_gateways_monitor(); + exit; +} + /* * We need to force sync VPNs on such even when the IP is the same for dynamic interfaces. * Even with the same IP the VPN software is unhappy with the IP disappearing, and we diff --git a/src/etc/rc.newwanipv6 b/src/etc/rc.newwanipv6 index bd46bdf..23867f1 100755 --- a/src/etc/rc.newwanipv6 +++ b/src/etc/rc.newwanipv6 @@ -74,6 +74,7 @@ if (empty($argument)) { $interface_descr = convert_friendly_interface_to_friendly_descr($interface); if (empty($interface)) { + log_error("rc.newwanipv6 called with empty interface"); filter_configure(); return; } @@ -144,6 +145,11 @@ system_routing_configure($interface); /* reconfigure our gateway monitor */ setup_gateways_monitor(); +if (platform_booting()) { + // avoid race conditions in many of the below functions that occur during boot + exit; +} + /* signal filter reload */ filter_configure(); diff --git a/src/etc/rc.php-fpm_restart b/src/etc/rc.php-fpm_restart index a9a9ee1..eb64e7b 100755 --- a/src/etc/rc.php-fpm_restart +++ b/src/etc/rc.php-fpm_restart 
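Review bot: The new boot-time block in rc.newwanip ends with `exit;` while the early-outs around it in the same file (the empty-interface branch just above) use `return;`; if this script is ever included rather than executed, `exit` terminates the including process, so `return;` matches both the surrounding style and the safer behaviour. The same applies to the `exit;` in the new block of rc.newwanipv6 in the next file section. The two new log messages also differ only by a trailing period (`"rc.newwanip called with empty interface."` versus `"rc.newwanipv6 called with empty interface"`); pick one form for both.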
@@ -10,6 +10,11 @@ sleep 2 /etc/rc.php_ini_setup 2>/tmp/php_errors.txt /bin/rm -f /var/run/php-fpm.pid 2>/dev/null /bin/rm -f /var/run/php-fpm.socket 2>/dev/null +if [ -f /tmp/xmlrpc.lock ]; then + echo ">>> Found XMLRPC lock. Removing." + echo ">>> Found XMLRPC lock. Removing." | /usr/bin/logger -p daemon.info -i -t rc.php-fpm_restart + rm /tmp/xmlrpc.lock +fi /etc/rc.conf_mount_ro echo ">>> Restarting php-fpm" | /usr/bin/logger -p daemon.info -i -t rc.php-fpm_restart echo ">>> Starting php-fpm" diff --git a/src/etc/rc.php_ini_setup b/src/etc/rc.php_ini_setup index a3cc7ed3..dfb8139 100755 --- a/src/etc/rc.php_ini_setup +++ b/src/etc/rc.php_ini_setup @@ -27,6 +27,7 @@ # Set our operating platform PLATFORM=`/bin/cat /etc/platform` +VERSION=`/bin/cat /etc/version` MIN_REALMEM_FOR_OPCACHE=512 EXTENSIONSDIR="/usr/local/lib/php/20131226/" @@ -173,6 +174,12 @@ if [ -z "${TIMEZONE}" ]; then TIMEZONE=$(/usr/local/sbin/read_global_var default_timezone "Etc/UTC") fi +if echo "${VERSION}" | grep -q RELEASE; then + error_reporting="error_reporting = E_ERROR | E_PARSE" +else + error_reporting="" +fi + # Get a loaded module list in the stock php # Populate a dummy php.ini to avoid # the file being clobbered and the firewall @@ -184,6 +191,7 @@ expose_php = Off implicit_flush = true magic_quotes_gpc = Off max_execution_time = 900 +request_terminate_timeout = 900 max_input_time = 1800 max_input_vars = 5000 register_argc_argv = On @@ -205,6 +213,7 @@ extension_dir=${EXTENSIONSDIR} date.timezone="${TIMEZONE}" session.hash_bits_per_character = 5 session.hash_function = 1 +${error_reporting} ; Extensions @@ -265,7 +274,7 @@ suhosin.post.max_value_length = 500000 suhosin.request.max_array_index_length = 256 suhosin.request.max_vars = 5000 suhosin.request.max_value_length = 500000 -suhosin.memory_limit = 512435456 +suhosin.memory_limit = 536870912 EOF diff --git a/src/etc/rc.reboot b/src/etc/rc.reboot index 00169bf..b5ad618 100755 --- a/src/etc/rc.reboot +++ b/src/etc/rc.reboot 
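Review bot: The lock removal uses a bare `rm /tmp/xmlrpc.lock` while the adjacent lines use `/bin/rm -f`; `/bin/rm -f /tmp/xmlrpc.lock` keeps the style consistent and avoids an error message if the file disappears between the `-f` test and the remove. The lock is deleted on every php-fpm restart regardless of whether an XMLRPC sync is still running in another process; presumably that is acceptable because php-fpm is being restarted anyway, but a comment stating that assumption would help, e.g. `# php-fpm is being restarted, so any sync holding this lock is gone`.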
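Review bot: `request_terminate_timeout = 900` is written into the php.ini heredoc, but as far as I can tell that directive is a php-fpm pool setting (the `[pool]` section of the fpm config) and is silently ignored in php.ini, so it will not have the intended effect here; `max_execution_time = 900` on the line above is the php.ini counterpart. The `${error_reporting}` placeholder expands to an empty line in the non-RELEASE case, which is harmless, but a comment on the `if echo "${VERSION}" | grep -q RELEASE` test explaining that release builds deliberately suppress warnings/notices would make the intent clear.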
@@ -24,6 +24,7 @@ DISK_NAME=`/bin/df /var/db/rrd | /usr/bin/tail -1 | /usr/bin/awk '{print $1;}'` DISK_TYPE=`/usr/bin/basename ${DISK_NAME} | /usr/bin/cut -c1-2` # If we are not on a full install, or if the full install wants RAM disks, or if the full install _was_ using RAM disks, but isn't for the next boot... if [ "${PLATFORM}" != "${product}" ] || [ "${USE_MFS_TMPVAR}" = "true" ] || [ "${DISK_TYPE}" = "md" ]; then + /etc/rc.backup_aliastables.sh /etc/rc.backup_rrd.sh /etc/rc.backup_dhcpleases.sh fi diff --git a/src/etc/rc.restart_webgui b/src/etc/rc.restart_webgui index 45034ac..a65a8aa 100755 --- a/src/etc/rc.restart_webgui +++ b/src/etc/rc.restart_webgui @@ -2,10 +2,10 @@ <?php -require("config.inc"); -require("functions.inc"); -require("shaper.inc"); -require("captiveportal.inc"); +require_once("config.inc"); +require_once("functions.inc"); +require_once("shaper.inc"); +require_once("captiveportal.inc"); require_once("rrd.inc"); echo "Restarting webConfigurator..."; diff --git a/src/etc/rc.update_bogons.sh b/src/etc/rc.update_bogons.sh index 85cb7df..493ce76 100755 --- a/src/etc/rc.update_bogons.sh +++ b/src/etc/rc.update_bogons.sh @@ -128,7 +128,7 @@ if [ "$BOGON_V4_CKSUM" = "$ON_DISK_V4_CKSUM" ] || [ "$BOGON_V6_CKSUM" = "$ON_DIS else if [ $ENTRIES_MAX -gt $((2*ENTRIES_TOT+LINES_V6)) ]; then egrep -iv "^fc00::/7" /tmp/bogonsv6 > /etc/bogonsv6 - echo "Bogons V6 file downloaded but not updating IPv6 bogons table because IPv6 Allow is off" | logger + echo "Bogons V6 file downloaded but not updating IPv6 bogons table because it is not in use." | logger else echo "Not saving IPv6 bogons table (IPv6 Allow is off and table-entries limit is potentially too low)" | logger fi diff --git a/src/etc/rc.update_urltables b/src/etc/rc.update_urltables index 887dfac..8a2c00b 100755 --- a/src/etc/rc.update_urltables +++ b/src/etc/rc.update_urltables 
@@ -49,7 +49,7 @@ if (count($todo) > 0) { continue; } - $r = process_alias_urltable($t['name'], $t['url'], $t['freq'], $forceupdate); + $r = process_alias_urltable($t['name'], $t['type'], $t['url'], $t['freq'], $forceupdate); if ($r == 1) { $result = ""; // TODO: Change it when pf supports tables with ports diff --git a/src/etc/shells b/src/etc/shells deleted file mode 100644 index 3ccb4dc..0000000 --- a/src/etc/shells +++ /dev/null @@ -1,12 +0,0 @@ -# $FreeBSD: src/etc/shells,v 1.5 2000/04/27 21:58:46 ache Exp $ -# -# List of acceptable shells for chpass(1). -# Ftpd will not allow users to connect who are not using -# one of these shells. - -/bin/sh -/bin/csh -/bin/tcsh -/etc/rc.initial -/usr/local/sbin/ssh_tunnel_shell - diff --git a/src/etc/motd b/src/etc/skel/dot.hushlogin index e69de29..e69de29 100644 --- a/src/etc/motd +++ b/src/etc/skel/dot.hushlogin diff --git a/src/etc/skel/dot.profile b/src/etc/skel/dot.profile index 700597a..6ef0bee 100644 --- a/src/etc/skel/dot.profile +++ b/src/etc/skel/dot.profile @@ -1,5 +1,18 @@ # Detect interactive logins and display the shell -if [ -n "${SSH_TTY}" -o "${TERM}" = "cons25" ]; then +unset _interactive +if [ -n "${SSH_TTY}" ]; then + _interactive=1 +else + case "${TERM}" in + cons25|xterm|vt100|vt102|vt220) + _interactive=1 + ;; + esac +fi + +if [ -n "${_interactive}" ]; then + echo "INTERACTIVE" /etc/rc.initial exit fi + echo "NON" diff --git a/src/etc/skel/dot.shrc b/src/etc/skel/dot.shrc index d3c9208..e75c845 100644 --- a/src/etc/skel/dot.shrc +++ b/src/etc/skel/dot.shrc @@ -8,7 +8,18 @@ if [ "${HTTP_PROXY}" != "" ]; then fi # Detect interactive logins and display the shell -if [ -n "${SSH_TTY}" -o "${TERM}" = "cons25" ]; then +unset _interactive +if [ -n "${SSH_TTY}" ]; then + _interactive=1 +else + case "${TERM}" in + cons25|xterm|vt100|vt102|vt220) + _interactive=1 + ;; + esac +fi + +if [ -n "${_interactive}" ]; then /etc/rc.initial exit fi 
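Review bot: The dot.profile hunk leaves what look like debugging lines in: `echo "INTERACTIVE"` before `/etc/rc.initial` and `echo "NON"` after the `fi`. The parallel change in dot.shrc in the next file section has neither, so every login shell on the console or over SSH would print one of these strings; both lines should be removed so the two files match.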
diff --git a/src/etc/ssh/sshd_config b/src/etc/ssh/sshd_config
deleted file mode 100644
index f2f288b..0000000
--- a/src/etc/ssh/sshd_config
+++ /dev/null
@@ -1,103 +0,0 @@ -# $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $ -# $FreeBSD: src/crypto/openssh/sshd_config,v 1.40 2004/04/20 09:37:29 des Exp $ - -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a -# default value. - -# Note that some of FreeBSD's defaults differ from OpenBSD's, and -# FreeBSD has a few additional options. - -#VersionAddendum FreeBSD-20040419 - -#Port 22 -#Protocol 2 -#ListenAddress 0.0.0.0 -#ListenAddress :: - -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 -#HostKey /etc/ssh/ssh_host_dsa_key - -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 768 - -# Logging -#obsoletes QuietMode and FascistLogging -#SyslogFacility AUTH -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m -PermitRootLogin yes -#StrictModes yes - -#RSAAuthentication yes -#PubkeyAuthentication yes -#AuthorizedKeysFile .ssh/authorized_keys - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - -# Change to yes to enable built-in password authentication. 
-#PasswordAuthentication no -#PermitEmptyPasswords no - -# Change to no to disable PAM authentication -#ChallengeResponseAuthentication yes - -# Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - -# Set this to 'no' to disable PAM authentication (via challenge-response) -# and session processing. -#UsePAM yes - -#AllowTcpForwarding yes -#GatewayPorts no -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PrintMotd yes -#PrintLastLog yes -#TCPKeepAlive yes -#UseLogin no -#UsePrivilegeSeparation yes -#PermitUserEnvironment no - -#PidFile /var/run/sshd.pid -#MaxStartups 10 - -# no default banner path -#Banner /some/path - -Compression yes -ClientAliveInterval 30 -ClientAliveCountMax 5 -UseDNS no -X11Forwarding no - -# override default of no subsystems -Subsystem sftp /usr/libexec/sftp-server diff --git a/src/etc/sshd b/src/etc/sshd index 044cc2b..eebd601 100755 --- a/src/etc/sshd +++ b/src/etc/sshd @@ -47,7 +47,6 @@ $keys = array( array('type' => 'rsa', 'suffix' => 'rsa_'), - array('type' => 'ecdsa', 'suffix' => 'ecdsa_'), array('type' => 'ed25519', 'suffix' => 'ed25519_') ); 
@@ -98,33 +97,40 @@ } /* Include default configuration for pfSense */ + /* Taken from https://stribika.github.io/2015/01/04/secure-secure-shell.html */ $sshconf = "# This file is automatically generated at startup\n"; - $sshconf .= "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n"; - $sshconf .= "PermitRootLogin yes\n"; + $sshconf .= "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n"; + /* Run the server on another port if we have one defined */ + $sshconf .= "Port $sshport\n"; + /* Only allow protocol 2, because we say so */ + $sshconf .= "Protocol 2\n"; + foreach ($keys as $key) { + $sshconf .= "HostKey {$sshConfigDir}/ssh_host_{$key['suffix']}key\n"; + } $sshconf .= "Compression yes\n"; $sshconf .= "ClientAliveInterval 30\n"; - $sshconf .= "UseDNS no\n"; - $sshconf .= "X11Forwarding no\n"; + $sshconf .= "PermitRootLogin yes\n"; if (isset($config['system']['ssh']['sshdkeyonly'])) { $sshconf .= "# Login via Key only\n"; - $sshconf .= "PasswordAuthentication no\n"; $sshconf .= "ChallengeResponseAuthentication no\n"; + $sshconf .= "PasswordAuthentication no\n"; $sshconf .= "PubkeyAuthentication yes\n"; } else { $sshconf .= "# Login via Key and Password\n"; - $sshconf .= "PasswordAuthentication yes\n"; $sshconf .= "ChallengeResponseAuthentication yes\n"; + $sshconf .= "PasswordAuthentication yes\n"; $sshconf .= "PubkeyAuthentication yes\n"; } - $sshconf .= "# override default of no subsystems\n"; - $sshconf .= "Subsystem sftp /usr/libexec/sftp-server\n"; - /* Only allow protocol 2, because we say so */ - $sshconf .= "Protocol 2\n"; - /* Run the server on another port if we have one defined */ - $sshconf .= "Port $sshport\n"; + $sshconf .= "UseDNS no\n"; + $sshconf .= "UsePAM no\n"; + $sshconf .= "LoginGraceTime 30s\n"; /* Hide FreeBSD version */ $sshconf .= "VersionAddendum none\n"; - $sshconf .= "LoginGraceTime 30s\n"; + $sshconf .= "X11Forwarding no\n"; + $sshconf .= "Ciphers 
chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n"; + $sshconf .= "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com\n"; + $sshconf .= "# override default of no subsystems\n"; + $sshconf .= "Subsystem\tsftp\t/usr/libexec/sftp-server\n"; /* Apply package SSHDCond settings if config file exists */ if (file_exists("/etc/sshd_extra")) { @@ -172,7 +178,7 @@ mark_subsystem_dirty('sshdkeys'); echo " Generating Keys:\n"; foreach ($generate_keys as $key) { - $_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t {$key['type']} -N '' -f {$sshConfigDir}/ssh_host_{$key['suffix']}key"); + $_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t {$key['type']} -b 4096 -N '' -f {$sshConfigDir}/ssh_host_{$key['suffix']}key"); } clear_subsystem_dirty('sshdkeys'); file_notice("SSH", "{$g['product_name']} has completed creating your SSH keys. SSH is now started.", "SSH Startup", ""); diff --git a/src/etc/ssl/openssl.cnf b/src/etc/ssl/openssl.cnf deleted file mode 100644 index 3ea2df5..0000000 --- a/src/etc/ssl/openssl.cnf +++ /dev/null 
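Review bot: The hard-coded `Ciphers` and `MACs` lines include `hmac-ripemd160-etm@openssh.com` and `hmac-ripemd160`; sshd refuses its whole configuration when any listed algorithm is unknown to the installed binary, so pinning explicit lists ties this file to the OpenSSH version on the base system and a later OpenSSH that drops an algorithm would leave sshd unable to start with no remote way in. At minimum the `/* Taken from ... */` comment should name the OpenSSH version the lists were validated against, and ideally the generator should drop names the binary does not report as supported. `diffie-hellman-group-exchange-sha256` depends on `/etc/ssh/moduli`; the referenced guide pairs it with pruning small moduli, which this change does not do, so that is worth confirming. `PermitRootLogin yes` is carried over and `UsePAM no` is new; a one-line comment on each, explaining why root login stays enabled and what `UsePAM no` means for password and challenge-response logins on this platform, would help the next reader.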
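Review bot: `-b 4096` is now passed for every entry of `$keys`, but ssh-keygen ignores `-b` for ed25519 (fixed-size keys), so the flag only affects the rsa key; either carry the size in the key table, e.g. `array('type' => 'rsa', 'suffix' => 'rsa_', 'bits' => '-b 4096')`, or add a comment that it is intentionally a no-op for ed25519. This only runs for the entries in `$generate_keys`, so hosts that already have an ssh_host_rsa_key keep their existing, possibly smaller, key; if the larger size is meant to apply to upgraded systems as well, that needs a separate regeneration step.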
@@ -1,309 +0,0 @@ -# $FreeBSD: src/crypto/openssl/apps/openssl.cnf,v 1.6 2004/03/17 17:44:38 nectar Exp $ -# -# OpenSSL example configuration file. -# This is mostly being used for generation of certificate requests. -# -# -# This definition stops the following lines choking if HOME isn't -# defined. -HOME = . -RANDFILE = $ENV::HOME/.rnd - -# default SAN value if $ENV::SAN is not defined -# -SAN = - -# Extra OBJECT IDENTIFIER info: -#oid_file = $ENV::HOME/.oid -oid_section = new_oids - -# To use this configuration file with the "-extfile" option of the -# "openssl x509" utility, name here the section containing the -# X.509v3 extensions to use: -# extensions = -# (Alternatively, use a configuration file that has only -# X.509v3 extensions in its main [= default] section.) - -[ new_oids ] - -# We can add new OIDs in here for use by 'ca' and 'req'. -# Add a simple OID like this: -# testoid1=1.2.3.4 -# Or use config file substitution like this: -# testoid2=${testoid1}.5.6 - -#################################################################### -[ ca ] -default_ca = CA_default # The default ca section - -#################################################################### -[ CA_default ] - -dir = ./demoCA # Where everything is kept -certs = $dir/certs # Where the issued certs are kept -crl_dir = $dir/crl # Where the issued crl are kept -database = $dir/index.txt # database index file. -#unique_subject = no # Set to 'no' to allow creation of - # several certificates with same subject. -new_certs_dir = $dir/newcerts # default place for new certs. 
- -certificate = $dir/cacert.pem # The CA certificate -serial = $dir/serial # The current serial number -#crlnumber = $dir/crlnumber # the current crl number - # must be commented out to leave a V1 CRL -crl = $dir/crl.pem # The current CRL -private_key = $dir/private/cakey.pem# The private key -RANDFILE = $dir/private/.rand # private random number file - -x509_extensions = usr_cert # The extensions to add to the cert - -# Comment out the following two lines for the "traditional" -# (and highly broken) format. -name_opt = ca_default # Subject Name options -cert_opt = ca_default # Certificate field options - -# Extension copying option: use with caution. -# copy_extensions = copy - -# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs -# so this is commented out by default to leave a V1 CRL. -# crlnumber must also be commented out to leave a V1 CRL. -crl_extensions = crl_ext - -default_days = 365 # how long to certify for -default_crl_days= 30 # how long before next CRL -default_md = md5 # which md to use. -preserve = no # keep passed DN ordering - -# A few difference way of specifying how similar the request should look -# For type CA, the listed attributes must be the same, and the optional -# and supplied fields are just that :-) -policy = policy_match - -# For the CA policy -[ policy_match ] -countryName = match -stateOrProvinceName = match -organizationName = match -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -# For the 'anything' policy -# At this point in time, you must list all acceptable 'object' -# types. 
-[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -#################################################################### -[ req ] -distinguished_name=req_distinguished_name -req_extensions = v3_req -prompt=no - -default_bits = 2048 -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -x509_extensions = v3_ca # The extensions to add to the self signed cert - -# Passwords for private keys if not present they will be prompted for -#input_password="" -#output_password="" - -# This sets a mask for permitted string types. There are several options. -# default: PrintableString, T61String, BMPString. -# pkix : PrintableString, BMPString. -# utf8only: only UTF8Strings. -# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). -# MASK:XXXX a literal mask value. -# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings -# so use this option with caution! 
-string_mask = nombstr - -# req_extensions = v3_req # The extensions to add to a certificate request - -[ req_distinguished_name ] -countryName = US -#countryName_default = AU -#countryName_min = 2 -#countryName_max = 2 - -stateOrProvinceName = Somewhere -#stateOrProvinceName_default = Somestate - -localityName = Somecity - -0.organizationName = CompanyName -#0.organizationName_default = SampleNameDefault - -# we can do this but it is not needed normally :-) -#1.organizationName = Second Organization Name (eg, company) -#1.organizationName_default = World Wide Web Pty Ltd - -organizationalUnitName = Organizational Unit Name (eg, section) -#organizationalUnitName_default = - -commonName = Common Name (eg, YOUR name) -#commonName_max = 64 - -emailAddress = Email Address -#emailAddress_max = 64 - -# SET-ex3 = SET extension number 3 - -[ req_attributes ] -challengePassword = A challenge password -#challengePassword_min = 4 -#challengePassword_max = 20 - -unstructuredName = An optional company name - -[ usr_cert ] - -# These extensions are added when 'ca' signs a request. - -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. -# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - -# This is typical in keyUsage for a client certificate. -keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# This will be displayed in Netscape's comment listbox. 
-nsComment = "OpenSSL Generated User Certificate" - -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always -extendedKeyUsage=clientAuth - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy -# An alternative to produce certificates that aren't -# deprecated according to PKIX. -# subjectAltName=email:move - -# Copy subject details -# issuerAltName=issuer:copy - -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - -[ usr_cert_san ] - -# copy of [ usr_cert ] plus nonempty Subject Alternative Names -basicConstraints=CA:FALSE -nsComment = "OpenSSL Generated User Certificate" -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always -extendedKeyUsage=clientAuth -subjectAltName=$ENV::SAN - -[ server ] - -# Make a cert with nsCertType=server -basicConstraints=CA:FALSE -nsCertType = server -nsComment = "OpenSSL Generated Server Certificate" -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always -extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2 -keyUsage = digitalSignature, keyEncipherment - -[ server_san ] - -# copy of [ server ] plus nonempty Subject Alternative Names -basicConstraints=CA:FALSE -nsCertType = server -nsComment = "OpenSSL Generated Server Certificate" -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always -extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2 -keyUsage = digitalSignature, keyEncipherment -subjectAltName=$ENV::SAN - -[ v3_req ] - -# Extensions to add to a certificate request - -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -[ v3_ca ] - - -# Extensions for a typical CA - - -# PKIX recommendation. 
- -subjectKeyIdentifier=hash - -authorityKeyIdentifier=keyid:always,issuer:always - -# This is what PKIX recommends but some broken software chokes on critical -# extensions. -#basicConstraints = critical,CA:true -# So we do this instead. -basicConstraints = CA:true - -# Key usage: this is typical for a CA certificate. -keyUsage = cRLSign, keyCertSign - -# Some might want this also -# nsCertType = sslCA, emailCA - -# Include email address in subject alt name: another PKIX recommendation -# subjectAltName=email:copy -# Copy issuer details -# issuerAltName=issuer:copy - -# DER hex encoding of an extension: beware experts only! -# obj=DER:02:03 -# Where 'obj' is a standard or added object -# You can even override a supported extension: -# basicConstraints= critical, DER:30:03:01:01:FF - -[ v3_ca_san ] - -# copy of [ v3_ca ] plus nonempty Subject Alternative Names -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid:always,issuer:always -basicConstraints = CA:true -subjectAltName=$ENV::SAN - -[ crl_ext ] - -# CRL extensions. -# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. - -# issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always,issuer:always diff --git a/src/etc/syslog.conf b/src/etc/syslog.conf deleted file mode 100644 index 6f29538..0000000 --- a/src/etc/syslog.conf +++ /dev/null @@ -1,12 +0,0 @@ -local0.* %/var/log/filter.log -local3.* %/var/log/vpn.log -local4.* %/var/log/portalauth.log -local7.* %/var/log/dhcpd.log -local7.none %/var/log/system.log -kern.debug;lpr.info;mail.crit; %/var/log/system.log -news.err;local3.none;local4.none; %/var/log/system.log -*.notice; %/var/log/system.log -local0.none;daemon.info %/var/log/system.log -daemon.info;security.* %/var/log/ipsec.log -auth.info;authpriv.info %/var/log/system.log -auth.info;authpriv.info |exec /usr/local/sbin/sshlockout_pf diff --git a/src/etc/ttys b/src/etc/ttys deleted file mode 100644 index 382c6a7..0000000 --- a/src/etc/ttys +++ /dev/null 
@@ -1,49 +0,0 @@
-#
-# $FreeBSD: stable/10/etc/etc.amd64/ttys 267236 2014-06-08 17:50:07Z nwhitehorn $
-# @(#)ttys 5.1 (Berkeley) 4/17/89
-#
-# This file specifies various information about terminals on the system.
-# It is used by several different programs. Common entries for the
-# various columns include:
-#
-# name The name of the terminal device.
-#
-# getty The program to start running on the terminal. Typically a
-# getty program, as the name implies. Other common entries
-# include none, when no getty is needed, and xdm, to start the
-# X Window System.
-#
-# type The initial terminal type for this port. For hardwired
-# terminal lines, this will contain the type of terminal used.
-# For virtual consoles, the correct type is typically xterm.
-# Other common values include dialup for incoming modem ports, and
-# unknown when the terminal type cannot be predetermined.
-#
-# status Must be on or off. If on, init will run the getty program on
-# the specified port. If the word "secure" appears, this tty
-# allows root login.
-#
-# name getty type status comments
-#
-# If console is marked "insecure", then init will ask for the root password
-# when going to single-user mode.
-console none unknown off secure
-#
-ttyv0 "/usr/libexec/getty al.Pc" cons25 on secure
-# Virtual terminals
-ttyv1 "/usr/libexec/getty Pc" xterm off secure
-ttyv2 "/usr/libexec/getty Pc" xterm off secure
-ttyv3 "/usr/libexec/getty Pc" xterm off secure
-ttyv4 "/usr/libexec/getty Pc" xterm off secure
-ttyv5 "/usr/libexec/getty Pc" xterm off secure
-ttyv6 "/usr/libexec/getty Pc" xterm off secure
-ttyv7 "/usr/libexec/getty Pc" xterm off secure
-ttyv8 "/usr/local/bin/xdm -nodaemon" xterm off secure
-# Serial terminals
-# The 'dialup' keyword identifies dialin lines to login, fingerd etc.
-ttyu0 "/usr/libexec/getty al.115200" cons25 onifconsole secure
-ttyu1 "/usr/libexec/getty al.115200" cons25 onifconsole secure
-ttyu2 "/usr/libexec/getty al.115200" cons25 onifconsole secure
-ttyu3 "/usr/libexec/getty al.115200" cons25 onifconsole secure
-# Dumb console
-dcons "/usr/libexec/getty std.9600" vt100 off secure
diff --git a/src/etc/version b/src/etc/version
index 008d7ae..f011c81 100644
--- a/src/etc/version
+++ b/src/etc/version
@@ -1 +1 @@
-2.4-DEVELOPMENT
+2.4.0-DEVELOPMENT |
