Diffstat (limited to 'src/usr')
93 files changed, 1120 insertions, 618 deletions
diff --git a/src/usr/local/www/crash_reporter.php b/src/usr/local/www/crash_reporter.php index 9a74c3e..4bb2ad7 100644 --- a/src/usr/local/www/crash_reporter.php +++ b/src/usr/local/www/crash_reporter.php @@ -103,8 +103,10 @@ exec("/bin/cat /tmp/PHP_errors.log", $php_errors); if (count($php_errors) > 0) { $crash_reports .= "\nPHP Errors:\n"; $crash_reports .= implode("\n", $php_errors) . "\n\n"; + } else { + $crash_reports .= "\nNo PHP errors found.\n"; } - if (is_array($crash_files)) { + if (count($crash_files) > 0) { foreach ($crash_files as $cf) { if (filesize($cf) < FILE_SIZE) { $crash_reports .= "\nFilename: {$cf}\n"; @@ -112,7 +114,7 @@ exec("/bin/cat /tmp/PHP_errors.log", $php_errors); } } } else { - echo gettext("Could not locate any crash data."); + $crash_reports .= "\nNo FreeBSD crash data found.\n"; } ?> <div class="panel panel-default"> diff --git a/src/usr/local/www/css/pfSense-BETA.css b/src/usr/local/www/css/pfSense-BETA.css index 4550601..dbf35a4 100644 --- a/src/usr/local/www/css/pfSense-BETA.css +++ b/src/usr/local/www/css/pfSense-BETA.css @@ -86,3 +86,10 @@ a.fa, i.fa { .ui-widget { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif; } + +/** This style adds a gray outline around unchecked checkboxes to +make them more visible. Unfortunately the exact alignment of those +outlines varies considerably with browser/OS **/ +input[type="checkbox"]:not(:checked) { + outline: 1px solid #888888; +} diff --git a/src/usr/local/www/css/pfSense.css b/src/usr/local/www/css/pfSense.css index 6cf0945..6c43c24 100644 --- a/src/usr/local/www/css/pfSense.css +++ b/src/usr/local/www/css/pfSense.css 
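Review bot: In crash_reporter.php (hunk at -103,8), replacing `is_array($crash_files)` with `count($crash_files) > 0` drops the type guard, so a non-array value now reaches `count()` and then `foreach`. Where `$crash_files` is assigned is outside the hunk; if it can be `false` or unset, `count()` warns on PHP 7.2+ and throws a TypeError on PHP 8. Keeping both checks avoids that: `if (is_array($crash_files) && count($crash_files) > 0) {`.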
@@ -70,7 +70,7 @@ h1 a:hover, h1 a:active { } /* Zero-width optional linebreaks can help the browser to linebreak at 'good' places. - Unfortunately the two most compatible options aren't consistently supported. + Unfortunately the two most compatible options aren't consistently supported. "\00200B" or #8203; is part of unicode and widely implemented; and <wbr> is widely supported even on old browsers but not IE<5.5 and IE>7. http://stackoverflow.com/a/23759279/2238378 suggests a neat "80%" solution for broad diff --git a/src/usr/local/www/diag_reboot.php b/src/usr/local/www/diag_reboot.php index 8b6229e..8052e40 100644 --- a/src/usr/local/www/diag_reboot.php +++ b/src/usr/local/www/diag_reboot.php @@ -43,8 +43,8 @@ $guiretry = 20; // Seconds to try again if $guitimeout was not long enough $pgtitle = array(gettext("Diagnostics"), gettext("Reboot")); include("head.inc"); - -if (($_SERVER['REQUEST_METHOD'] == 'POST') && ($_POST['override'] != "yes")) { +if (($_SERVER['REQUEST_METHOD'] == 'POST') && (empty($_POST['override']) || + ($_POST['override'] != "yes"))): if (DEBUG) { print_info_box(gettext("Not actually rebooting (DEBUG is set true)."), 'success'); } else { @@ -98,7 +98,7 @@ events.push(function() { //]]> </script> <?php -} else { +else: ?> @@ -135,6 +135,6 @@ events.push(function() { </script> <?php -} +endif; include("foot.inc"); diff --git a/src/usr/local/www/firewall_aliases.php b/src/usr/local/www/firewall_aliases.php index 55069d8..ec98e15 100644 --- a/src/usr/local/www/firewall_aliases.php +++ b/src/usr/local/www/firewall_aliases.php @@ -48,15 +48,8 @@ if ($_POST) { $retval = 0; /* reload all components that use aliases */ - $retval = filter_configure(); + $retval |= filter_configure(); - if (stristr($retval, "error") <> true) { - $savemsg = get_std_save_message($retval); - $class = "success"; - } else { - $savemsg = $retval; - $class = "danger"; - } if ($retval == 0) { clear_subsystem_dirty('aliases'); } 
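Review bot: In firewall_aliases.php (hunk at -48,15), `$retval |= filter_configure();` only works as a status accumulator if filter_configure() returns an integer. The removed branch tested the return value with `stristr($retval, "error")`, which suggests it may have been a string at some point; its definition is not in this diff, so that is worth confirming. A non-numeric string ORed into an int evaluates as 0 with a warning on PHP 7 and throws a TypeError on PHP 8, so a textual error would either be reported as success or abort the page. The same accumulation is introduced in the firewall_shaper*.php, interfaces.php and interfaces_assign.php hunks; a comment next to the call would make the assumption explicit, e.g. `// filter_configure() must return an int; 0 means success`.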
@@ -99,8 +92,7 @@ if ($_GET['act'] == "del") { // Static routes find_alias_reference(array('staticroutes', 'route'), array('network'), $alias_name, $is_alias_referenced, $referenced_by); if ($is_alias_referenced == true) { - $savemsg = sprintf(gettext("Cannot delete alias. Currently in use by %s."), htmlspecialchars($referenced_by)); - $class = "danger"; + $delete_error = sprintf(gettext("Cannot delete alias. Currently in use by %s."), htmlspecialchars($referenced_by)); } else { if (preg_match("/urltable/i", $a_aliases[$_GET['id']]['type'])) { // this is a URL table type alias, delete its file as well @@ -173,8 +165,11 @@ $shortcut_section = "aliases"; include("head.inc"); -if ($savemsg) { - print_info_box($savemsg, $class); +if ($delete_error) { + print_info_box($delete_error, 'danger'); +} +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('aliases')) { diff --git a/src/usr/local/www/firewall_nat.php b/src/usr/local/www/firewall_nat.php index 3fd7c36..681c981 100644 --- a/src/usr/local/www/firewall_nat.php +++ b/src/usr/local/www/firewall_nat.php @@ -86,7 +86,6 @@ if ($_POST) { $retval = 0; $retval |= filter_configure(); - $savemsg = get_std_save_message($retval); pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/apply"); @@ -186,8 +185,8 @@ if (isset($_POST['del_x'])) { $pgtitle = array(gettext("Firewall"), gettext("NAT"), gettext("Port Forward")); include("head.inc"); -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('natconf')) { diff --git a/src/usr/local/www/firewall_nat_1to1.php b/src/usr/local/www/firewall_nat_1to1.php index 5ae075b..87f9169 100644 --- a/src/usr/local/www/firewall_nat_1to1.php +++ b/src/usr/local/www/firewall_nat_1to1.php 
@@ -68,7 +68,6 @@ if ($_POST) { if ($_POST['apply']) { $retval = 0; $retval |= filter_configure(); - $savemsg = get_std_save_message($retval); if ($retval == 0) { clear_subsystem_dirty('natconf'); @@ -122,8 +121,8 @@ if (isset($_POST['del_x'])) { $pgtitle = array(gettext("Firewall"), gettext("NAT"), gettext("1:1")); include("head.inc"); -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('natconf')) { diff --git a/src/usr/local/www/firewall_nat_npt.php b/src/usr/local/www/firewall_nat_npt.php index b585d99..e2d7856 100644 --- a/src/usr/local/www/firewall_nat_npt.php +++ b/src/usr/local/www/firewall_nat_npt.php @@ -69,7 +69,6 @@ if ($_POST) { if ($_POST['apply']) { $retval = 0; $retval |= filter_configure(); - $savemsg = get_std_save_message($retval); if ($retval == 0) { clear_subsystem_dirty('natconf'); @@ -122,8 +121,8 @@ if (isset($_POST['del_x'])) { $pgtitle = array(gettext("Firewall"), gettext("NAT"), gettext("NPt")); include("head.inc"); -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('natconf')) { diff --git a/src/usr/local/www/firewall_nat_out.php b/src/usr/local/www/firewall_nat_out.php index 6915780..a09988c 100644 --- a/src/usr/local/www/firewall_nat_out.php +++ b/src/usr/local/www/firewall_nat_out.php @@ -82,12 +82,6 @@ if ($_POST['apply']) { $retval = 0; $retval |= filter_configure(); - if (stristr($retval, "error") <> true) { - $savemsg = get_std_save_message($retval); - } else { - $savemsg = $retval; - } - if ($retval == 0) { clear_subsystem_dirty('natconf'); clear_subsystem_dirty('filter'); @@ -139,7 +133,7 @@ if ($_POST['save']) { } } } - $savemsg = gettext("Default rules for each interface have been created."); + $default_rules_msg = gettext("Default rules for each interface have been created."); unset($FilterIflist, $GatewaysList); } 
@@ -206,8 +200,12 @@ if (isset($_POST['del_x'])) { $pgtitle = array(gettext("Firewall"), gettext("NAT"), gettext("Outbound")); include("head.inc"); -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($default_rules_msg) { + print_info_box($default_rules_msg, 'success'); +} + +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('natconf')) { diff --git a/src/usr/local/www/firewall_rules_edit.php b/src/usr/local/www/firewall_rules_edit.php index 9e72d9c..f280691 100644 --- a/src/usr/local/www/firewall_rules_edit.php +++ b/src/usr/local/www/firewall_rules_edit.php @@ -1245,7 +1245,7 @@ if ($if == "FloatingRules" || isset($pconfig['floating'])) { ) )); - $section->addInput(new Form_Input( + $form->addGlobal(new Form_Input( 'floating', 'Floating', 'hidden', diff --git a/src/usr/local/www/firewall_shaper.php b/src/usr/local/www/firewall_shaper.php index 82410cc..ef50e8b 100644 --- a/src/usr/local/www/firewall_shaper.php +++ b/src/usr/local/www/firewall_shaper.php @@ -121,19 +121,11 @@ if ($_GET) { } if (write_config()) { + $changes_applied = true; $retval = 0; $retval |= filter_configure(); - - if (stristr($retval, "error") <> true) { - $savemsg = get_std_save_message($retval); - $class = 'success'; - } else { - $savemsg = $retval; - $class = 'warning'; - } } else { - $savemsg = gettext("Unable to write config.xml (Access Denied?)."); - $class = 'warning'; + $no_write_config_msg = gettext("Unable to write config.xml (Access Denied?)."); } $dfltmsg = true; @@ -280,17 +272,9 @@ if ($_POST) { } } else if ($_POST['apply']) { write_config(); - + $changes_applied = true; $retval = 0; - $retval = filter_configure(); - - if (stristr($retval, "error") <> true) { - $savemsg = get_std_save_message($retval); - $class = 'success'; - } else { - $savemsg = $retval; - $class = 'warning'; - } + $retval |= filter_configure(); /* reset rrd queues */ system("rm -f /var/db/rrd/*queuedrops.rrd"); 
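Review bot: In firewall_shaper.php (hunk at -280,17), the `$_POST['apply']` branch sets `$changes_applied = true` right after `write_config();` without looking at its result, so the apply result box is shown even when the configuration could not be written. The `$_GET` branch of the same file (hunk at -121,19) already tests `if (write_config()) {` and sets `$no_write_config_msg` otherwise. Mirroring that here keeps the two paths consistent: wrap the apply steps in `if (write_config()) { $changes_applied = true; … } else { $no_write_config_msg = gettext("Unable to write config.xml (Access Denied?)."); }`. The same unchecked call appears in firewall_shaper_vinterface.php (hunk at -271,16) and interfaces_assign.php (hunk at -255,15).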
@@ -369,8 +353,12 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, $class); +if ($no_write_config_msg) { + print_info_box($no_write_config_msg, 'danger'); +} + +if ($changes_applied) { + print_apply_result_box($retval); } if (is_subsystem_dirty('shaper')) { @@ -452,7 +440,7 @@ if (!$dfltmsg && $sform) { </table> </div> -<?php if (empty(get_interface_list_to_show())): ?> +<?php if (empty(get_interface_list_to_show()) && (!is_array($altq_list_queues) || (count($altq_list_queues) == 0))): ?> <div> <div class="infoblock blockopen"> <?php print_info_box(gettext("This firewall does not have any interfaces assigned that are capable of using ALTQ traffic shaping."), 'danger', false); ?> diff --git a/src/usr/local/www/firewall_shaper_queues.php b/src/usr/local/www/firewall_shaper_queues.php index 0bdb99e..a25c470 100644 --- a/src/usr/local/www/firewall_shaper_queues.php +++ b/src/usr/local/www/firewall_shaper_queues.php @@ -167,15 +167,7 @@ if ($_POST['apply']) { $retval = 0; /* Setup pf rules since the user may have changed the optimization value */ - $retval = filter_configure(); - $savemsg = get_std_save_message($retval); - if (stristr($retval, "error") <> true) { - $savemsg = get_std_save_message($retval); - $class = 'alert-success'; - } else { - $savemsg = $retval; - $class = 'alert-danger'; - } + $retval |= filter_configure(); /* reset rrd queues */ system("rm -f /var/db/rrd/*queuedrops.rrd"); @@ -198,8 +190,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, $class); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('shaper')) { 
@@ -231,7 +223,7 @@ display_top_tabs($tab_array); </div> </form> -<?php if (empty(get_interface_list_to_show())): ?> +<?php if (empty(get_interface_list_to_show()) && (!is_array($altq_list_queues) || (count($altq_list_queues) == 0))): ?> <div> <div class="infoblock blockopen"> <?php print_info_box(gettext("This firewall does not have any interfaces assigned that are capable of using ALTQ traffic shaping."), 'danger', false); ?> diff --git a/src/usr/local/www/firewall_shaper_vinterface.php b/src/usr/local/www/firewall_shaper_vinterface.php index 74526e9..5de573f 100644 --- a/src/usr/local/www/firewall_shaper_vinterface.php +++ b/src/usr/local/www/firewall_shaper_vinterface.php @@ -134,20 +134,11 @@ if ($_GET) { } } if (write_config()) { + $changes_applied = true; $retval = 0; - $retval = filter_configure(); - - if (stristr($retval, "error") != true) { - $savemsg = get_std_save_message($retval); - $class = 'success'; - } else { - $savemsg = $retval; - $class = 'danger'; - } - + $retval |= filter_configure(); } else { - $savemsg = gettext("Unable to write config.xml (Access Denied?)."); - $class = 'danger'; + $no_write_config_msg = gettext("Unable to write config.xml (Access Denied?)."); } $dfltmsg = true; @@ -271,16 +262,9 @@ if ($_POST) { } else if ($_POST['apply']) { write_config(); + $changes_applied = true; $retval = 0; - $retval = filter_configure(); - - if (stristr($retval, "error") != true) { - $savemsg = get_std_save_message($retval); - $class = 'success'; - } else { - $savemsg = $retval; - $class = 'danger'; - } + $retval |= filter_configure(); /* XXX: TODO Make dummynet pretty graphs */ // enable_rrd_graphing(); @@ -369,8 +353,12 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, $class); +if ($no_write_config_msg) { + print_info_box($no_write_config_msg, 'danger'); +} + +if ($changes_applied) { + print_apply_result_box($retval); } if (is_subsystem_dirty('shaper')) { 
diff --git a/src/usr/local/www/firewall_shaper_wizards.php b/src/usr/local/www/firewall_shaper_wizards.php index 594ed63..b9d647e 100644 --- a/src/usr/local/www/firewall_shaper_wizards.php +++ b/src/usr/local/www/firewall_shaper_wizards.php @@ -42,14 +42,7 @@ if ($_POST['apply']) { $retval = 0; /* Setup pf rules since the user may have changed the optimization value */ - $retval = filter_configure(); - if (stristr($retval, "error") <> true) { - $savemsg = get_std_save_message($retval); - $class = 'success'; - } else { - $savemsg = $retval; - $class = 'warning'; - } + $retval |= filter_configure(); /* reset rrd queues */ unlink_if_exists("/var/db/rrd/*queuedrops.rrd"); @@ -82,8 +75,8 @@ $tab_array[] = array(gettext("Limiters"), false, "firewall_shaper_vinterface.php $tab_array[] = array(gettext("Wizards"), true, "firewall_shaper_wizards.php"); display_top_tabs($tab_array); -if ($savemsg) { - print_info_box($savemsg, $class); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('shaper')) { diff --git a/src/usr/local/www/firewall_virtual_ip.php b/src/usr/local/www/firewall_virtual_ip.php index 33a1f4f..a15a60b 100644 --- a/src/usr/local/www/firewall_virtual_ip.php +++ b/src/usr/local/www/firewall_virtual_ip.php @@ -79,7 +79,6 @@ if ($_POST) { $retval = 0; $retval |= filter_configure(); - $savemsg = get_std_save_message($retval); clear_subsystem_dirty('vip'); } @@ -240,8 +239,8 @@ include("head.inc"); if ($input_errors) { print_input_errors($input_errors); -} else if ($savemsg) { - print_info_box($savemsg, 'success'); +} else if ($_POST['apply']) { + print_apply_result_box($retval); } else if (is_subsystem_dirty('vip')) { print_apply_box(gettext("The VIP configuration has been changed.") . "<br />" . gettext("The changes must be applied for them to take effect.")); } diff --git a/src/usr/local/www/guiconfig.inc b/src/usr/local/www/guiconfig.inc index d4fc383..c9e78dc 100644 --- a/src/usr/local/www/guiconfig.inc 
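Review bot: In firewall_virtual_ip.php (hunk at -79,7), `clear_subsystem_dirty('vip');` still runs unconditionally, so when `filter_configure()` fails the page now reports a problem but also drops the pending-changes state, and with it the apply box shown by the `is_subsystem_dirty('vip')` branch in the next hunk. Other pages in this diff guard the call, e.g. firewall_nat_1to1.php with `if ($retval == 0) {`. Suggested: `if ($retval == 0) { clear_subsystem_dirty('vip'); }`. The load_balancer_monitor.php, load_balancer_pool.php, load_balancer_setting.php and load_balancer_virtual_server.php hunks clear 'loadbalancer' the same way.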
+++ b/src/usr/local/www/guiconfig.inc @@ -323,6 +323,27 @@ function print_apply_box($msg) { print_info_box($msg, "warning", "apply", gettext("Apply Changes"), 'fa-check', 'success'); } +// Format and print a box reporting that changes have been applied +// $retval = status value from the functions called to apply the changes +// 0 is good +// non-zero is a problem +// $extra_text = optional extra text to display after the standard message +function print_apply_result_box($retval, $extra_text="") { + $result_msg = get_std_save_message($retval); + if ($retval === 0) { + // 0 is success + $severity = "success"; + } else { + // non-zero means there was some problem + $severity = "warning"; + } + + if (strlen($extra_text) > 0) { + $result_msg .= " " . $extra_text; + } + print_info_box($result_msg, $severity); +} + /* * Print Bootstrap callout * @@ -350,10 +371,16 @@ function print_callout($msg, $class = 'info', $heading = '') { echo $callout; } -function get_std_save_message($ok) { +function get_std_save_message($retval) { $filter_related = false; $filter_pages = array("nat", "filter"); - $to_return = gettext("The changes have been applied successfully."); + if ($retval === 0) { + // 0 is success + $to_return = gettext("The changes have been applied successfully."); + } else { + // non-zero means there was some problem + $to_return = gettext("There was a problem applying the changes. See the <a href=\"status_logs.php\">System Logs</a>."); + } foreach ($filter_pages as $fp) { if (stristr($_SERVER['SCRIPT_FILENAME'], $fp)) { $filter_related = true; @@ -508,7 +535,7 @@ function genhtmltitle($title) { $bc = ""; } - return $heading . $bc; + return $bc; } /* update the changedesc and changecount(er) variables */ diff --git a/src/usr/local/www/head.inc b/src/usr/local/www/head.inc index 24bf835..6205772 100644 --- a/src/usr/local/www/head.inc +++ b/src/usr/local/www/head.inc 
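Review bot: In guiconfig.inc (hunk at -323,6), print_apply_result_box() appends `$extra_text` to the message unescaped, and the failure text returned by get_std_save_message() in the next hunk contains an `<a href>` link, so print_info_box() evidently emits the message as HTML. Any caller that passes request- or config-derived text as `$extra_text` would need to encode it first. I would state that in the header comment, e.g. `// $extra_text is output as HTML; callers must htmlspecialchars() any untrusted content`. No caller in the visible part of this diff passes the argument yet.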
@@ -425,7 +425,7 @@ $allow_clear_notices = false; if (are_notices_pending()) { // Evaluate user privs to determine if notices should be displayed, and if the user can clear them. $user_entry = getUserEntry($_SESSION['Username']); - if (userHasPrivilege($user_entry, "user-view-clear-notices") || userHasPrivilege($user_entry, "page-all")) { + if (isAdminUID($_SESSION['Username']) || userHasPrivilege($user_entry, "user-view-clear-notices") || userHasPrivilege($user_entry, "page-all")) { $display_notices = true; $allow_clear_notices = true; } elseif (userHasPrivilege($user_entry, "user-view-notices")) { diff --git a/src/usr/local/www/interfaces.php b/src/usr/local/www/interfaces.php index a63144d..8391461 100755 --- a/src/usr/local/www/interfaces.php +++ b/src/usr/local/www/interfaces.php @@ -407,11 +407,14 @@ if (isset($wancfg['wireless'])) { } +$changes_applied = false; + if ($_POST['apply']) { unset($input_errors); if (!is_subsystem_dirty('interfaces')) { $input_errors[] = gettext("The settings have already been applied!"); } else { + $retval = 0; unlink_if_exists("{$g['tmp_path']}/config.cache"); clear_subsystem_dirty('interfaces'); @@ -440,24 +443,24 @@ if ($_POST['apply']) { } } /* restart snmp so that it binds to correct address */ - services_snmpd_configure(); + $retval |= services_snmpd_configure(); /* sync filter configuration */ setup_gateways_monitor(); clear_subsystem_dirty('interfaces'); - filter_configure(); + $retval |= filter_configure(); enable_rrd_graphing(); + $changes_applied = true; + if (is_subsystem_dirty('staticroutes') && (system_routing_configure() == 0)) { clear_subsystem_dirty('staticroutes'); } } @unlink("{$g['tmp_path']}/.interfaces.apply"); - header("Location: interfaces.php?if={$if}"); - exit; } else if ($_POST) { unset($input_errors); 
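Review bot: In head.inc (hunk at -425,7), the added `isAdminUID($_SESSION['Username'])` term sets both `$display_notices` and `$allow_clear_notices` without consulting the privileges on `$user_entry`. That is an authorization shortcut and deserves a comment saying why the admin account is exempt, e.g. `// The built-in admin always sees and can clear notices, regardless of assigned privileges`. isAdminUID() is not defined in this diff, so it is worth confirming that it expects a username rather than a numeric UID.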
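Review bot: In interfaces.php (hunk at -440,24), `$retval` collects services_snmpd_configure() and filter_configure(), but a non-zero result from `system_routing_configure()` only skips `clear_subsystem_dirty('staticroutes')` and is never folded into `$retval`. The result box printed later would then report success after a routing failure. One way to cover it is to capture the status, e.g. `$rc = system_routing_configure(); $retval |= $rc;`, and clear the dirty flag only when `$rc == 0`. The enclosing `if ($_POST['apply'])` block starts in the previous hunk.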
@@ -1611,7 +1614,7 @@ function check_wireless_mode() { if (!interface_wireless_clone("{$wlanif}_", $wancfg)) { $input_errors[] = sprintf(gettext("Unable to change mode to %s. The maximum number of wireless clones supported in this mode may have been reached."), $wlan_modes[$wancfg['wireless']['mode']]); } else { - mwexec("/sbin/ifconfig " . escapeshellarg($wlanif) . "_ destroy"); + pfSense_interface_destroy("{$wlanif}_"); } $wancfg['wireless']['mode'] = $old_wireless_mode; } @@ -1695,11 +1698,10 @@ if (is_subsystem_dirty('interfaces')) { gettext("Don't forget to adjust the DHCP Server range if needed after applying.")); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval); } - $form = new Form(); $section = new Form_Section('General Configuration'); diff --git a/src/usr/local/www/interfaces_assign.php b/src/usr/local/www/interfaces_assign.php index b647fea..26b7a88 100644 --- a/src/usr/local/www/interfaces_assign.php +++ b/src/usr/local/www/interfaces_assign.php @@ -244,7 +244,7 @@ if (isset($_POST['add']) && isset($_POST['if_add'])) { write_config(); - $savemsg = gettext("Interface has been added."); + $action_msg = gettext("Interface has been added."); $class = "success"; } @@ -255,15 +255,9 @@ if (isset($_POST['add']) && isset($_POST['if_add'])) { } else { write_config(); - $retval = filter_configure(); - - if (stristr($retval, "error") <> true) { - $savemsg = get_std_save_message($retval); - $class = "success"; - } else { - $savemsg = $retval; - $class = "danger"; - } + $changes_applied = true; + $retval = 0; + $retval |= filter_configure(); } } else if (isset($_POST['Submit'])) { @@ -438,7 +432,7 @@ if (isset($_POST['add']) && isset($_POST['if_add'])) { link_interface_to_vlans($realid, "update"); - $savemsg = gettext("Interface has been deleted."); + $action_msg = gettext("Interface has been deleted."); $class = "success"; } } 
@@ -464,14 +458,14 @@ include("head.inc"); if (file_exists("/var/run/interface_mismatch_reboot_needed")) { if ($_POST) { if ($rebootingnow) { - $savemsg = gettext("The system is now rebooting. Please wait."); + $action_msg = gettext("The system is now rebooting. Please wait."); $class = "success"; } else { $applymsg = gettext("Reboot is needed. Please apply the settings in order to reboot."); $class = "warning"; } } else { - $savemsg = gettext("Interface mismatch detected. Please resolve the mismatch, save and then click 'Apply Changes'. The firewall will reboot afterwards."); + $action_msg = gettext("Interface mismatch detected. Please resolve the mismatch, save and then click 'Apply Changes'. The firewall will reboot afterwards."); $class = "warning"; } } @@ -482,8 +476,10 @@ if (file_exists("/tmp/reload_interfaces")) { echo "<br /></p>\n"; } elseif ($applymsg) { print_apply_box($applymsg); -} elseif ($savemsg) { - print_info_box($savemsg, $class); +} elseif ($action_msg) { + print_info_box($action_msg, $class); +} elseif ($changes_applied) { + print_apply_result_box($retval); } pfSense_handle_custom_code("/usr/local/pkg/interfaces_assign/pre_input_errors"); diff --git a/src/usr/local/www/interfaces_bridge.php b/src/usr/local/www/interfaces_bridge.php index c9631d7..359af1c 100644 --- a/src/usr/local/www/interfaces_bridge.php +++ b/src/usr/local/www/interfaces_bridge.php @@ -60,7 +60,7 @@ if ($_GET['act'] == "del") { if (!does_interface_exist($a_bridges[$_GET['id']]['bridgeif'])) { log_error("Bridge interface does not exist, skipping ifconfig destroy."); } else { - mwexec("/sbin/ifconfig " . $a_bridges[$_GET['id']]['bridgeif'] . " destroy"); + pfSense_interface_destroy($a_bridges[$_GET['id']]['bridgeif']); } unset($a_bridges[$_GET['id']]); diff --git a/src/usr/local/www/interfaces_gif.php b/src/usr/local/www/interfaces_gif.php index 1797092..b0581ec 100644 --- a/src/usr/local/www/interfaces_gif.php +++ b/src/usr/local/www/interfaces_gif.php 
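Review bot: In interfaces_bridge.php (hunk at -60,7), the result of `pfSense_interface_destroy()` is discarded and the entry is removed with `unset($a_bridges[$_GET['id']])` either way. If the destroy call fails, the stored configuration and the running system disagree and nothing is logged. pfSense_interface_destroy() is not defined in this diff, so how it signals failure needs confirming; if it does return a status, checking it and calling `log_error()` on failure, as the branch above already does for a missing interface, would make that visible. The same applies to the interfaces_gif.php, interfaces_gre.php, interfaces_lagg.php, interfaces_qinq.php, interfaces_wireless.php and interfaces_wireless_edit.php hunks.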
@@ -56,7 +56,7 @@ if ($_GET['act'] == "del") { } else if (gif_inuse($_GET['id'])) { $input_errors[] = gettext("This gif TUNNEL cannot be deleted because it is still being used as an interface."); } else { - mwexec("/sbin/ifconfig " . $a_gifs[$_GET['id']]['gifif'] . " destroy"); + pfSense_interface_destroy($a_gifs[$_GET['id']]['gifif']); unset($a_gifs[$_GET['id']]); write_config(); diff --git a/src/usr/local/www/interfaces_gre.php b/src/usr/local/www/interfaces_gre.php index a69edd6..9f2d8c0 100644 --- a/src/usr/local/www/interfaces_gre.php +++ b/src/usr/local/www/interfaces_gre.php @@ -57,7 +57,7 @@ if ($_GET['act'] == "del") { } else if (gre_inuse($_GET['id'])) { $input_errors[] = gettext("This GRE tunnel cannot be deleted because it is still being used as an interface."); } else { - mwexec("/sbin/ifconfig " . $a_gres[$_GET['id']]['greif'] . " destroy"); + pfSense_interface_destroy($a_gres[$_GET['id']]['greif']); unset($a_gres[$_GET['id']]); write_config(); diff --git a/src/usr/local/www/interfaces_lagg.php b/src/usr/local/www/interfaces_lagg.php index c521558..23deb7d 100644 --- a/src/usr/local/www/interfaces_lagg.php +++ b/src/usr/local/www/interfaces_lagg.php @@ -63,7 +63,7 @@ if ($_GET['act'] == "del") { } else if (lagg_inuse($_GET['id'])) { $input_errors[] = gettext("This LAGG interface cannot be deleted because it is still being used."); } else { - mwexec_bg("/sbin/ifconfig " . $a_laggs[$_GET['id']]['laggif'] . " destroy"); + pfSense_interface_destroy($a_laggs[$_GET['id']]['laggif']); unset($a_laggs[$_GET['id']]); write_config(); diff --git a/src/usr/local/www/interfaces_qinq.php b/src/usr/local/www/interfaces_qinq.php index 63fa1b4..1997c19 100644 --- a/src/usr/local/www/interfaces_qinq.php +++ b/src/usr/local/www/interfaces_qinq.php 
@@ -67,7 +67,7 @@ if ($_GET['act'] == "del") { } mwexec("/usr/sbin/ngctl shutdown {$qinq['vlanif']}qinq:"); mwexec("/usr/sbin/ngctl shutdown {$qinq['vlanif']}:"); - mwexec("/sbin/ifconfig {$qinq['vlanif']} destroy"); + pfSense_interface_destroy($qinq['vlanif']); unset($a_qinqs[$id]); write_config(); diff --git a/src/usr/local/www/interfaces_wireless.php b/src/usr/local/www/interfaces_wireless.php index dafe49d..304eca2 100644 --- a/src/usr/local/www/interfaces_wireless.php +++ b/src/usr/local/www/interfaces_wireless.php @@ -57,7 +57,7 @@ if ($_GET['act'] == "del") { if (clone_inuse($_GET['id'])) { $input_errors[] = gettext("This wireless clone cannot be deleted because it is assigned as an interface."); } else { - mwexec("/sbin/ifconfig " . $a_clones[$_GET['id']]['cloneif'] . " destroy"); + pfSense_interface_destroy($a_clones[$_GET['id']]['cloneif']); unset($a_clones[$_GET['id']]); write_config(); diff --git a/src/usr/local/www/interfaces_wireless_edit.php b/src/usr/local/www/interfaces_wireless_edit.php index 419f9c6..d30b5c4 100644 --- a/src/usr/local/www/interfaces_wireless_edit.php +++ b/src/usr/local/www/interfaces_wireless_edit.php @@ -125,7 +125,7 @@ if ($_POST) { } else { if (isset($id) && $a_clones[$id]) { if ($clone['if'] != $a_clones[$id]['if']) { - mwexec("/sbin/ifconfig " . $a_clones[$id]['cloneif'] . " destroy"); + pfSense_interface_destroy($a_clones[$id]['cloneif']); } $input_errors[] = sprintf(gettext("Created with id %s"), $id); $a_clones[$id] = $clone; diff --git a/src/usr/local/www/js/pfSense.js b/src/usr/local/www/js/pfSense.js index da33129..2a6bc16 100644 --- a/src/usr/local/www/js/pfSense.js +++ b/src/usr/local/www/js/pfSense.js 
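Review bot: In interfaces_qinq.php (hunk at -67,7), the two `ngctl shutdown` calls directly above the changed line still interpolate `$qinq['vlanif']` into a shell command string, while this commit moves the `ifconfig … destroy` call off the shell. The value appears to come from stored configuration rather than the request, but quoting it keeps all three calls on the same footing: `mwexec("/usr/sbin/ngctl shutdown " . escapeshellarg("{$qinq['vlanif']}qinq:"));` and likewise for the `{$qinq['vlanif']}:` call.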
@@ -143,7 +143,7 @@ $(function() { // Use element title in the confirmation message, or if not available // the element value $('.btn-danger, .fa-trash').on('click', function(e){ - if (!($(this).hasClass('no-confirm'))) { + if (!($(this).hasClass('no-confirm')) && !($(this).hasClass('icon-embed-btn'))) { var msg = $.trim(this.textContent).toLowerCase(); if (!msg) @@ -230,7 +230,7 @@ $(function() { $('.table-rowdblclickedit>tbody>tr').dblclick(function () { $(this).find(".fa-pencil")[0].click(); }); - + // Focus first input $(':input:enabled:visible:first').focus(); @@ -238,7 +238,7 @@ $(function() { $(this).css('height', 80).resizable({minHeight: 80, minWidth: 200}).parent().css('padding-bottom', 0); $(this).css('height', 78); }); - + // Run in-page defined events while (func = window.events.shift()) func(); diff --git a/src/usr/local/www/js/pfSenseHelpers.js b/src/usr/local/www/js/pfSenseHelpers.js index b77ec1f..2eac30a 100644 --- a/src/usr/local/www/js/pfSenseHelpers.js +++ b/src/usr/local/www/js/pfSenseHelpers.js @@ -353,9 +353,9 @@ function add_row() { $('[id^=delete]').click(function(event) { if ($('.repeatable').length > 1) { if ((typeof retainhelp) == "undefined") - moveHelpText(event.target.id); + moveHelpText($(this).attr("id")); - delete_row(event.target.id); + delete_row($(this).attr("id")); } else { alert('The last row may not be deleted.'); } @@ -375,9 +375,9 @@ $('[id^=addrow]').click(function() { $('[id^=delete]').click(function(event) { if ($('.repeatable').length > 1) { if ((typeof retainhelp) == "undefined") - moveHelpText(event.target.id); + moveHelpText($(this).attr("id")); - delete_row(event.target.id); + delete_row($(this).attr("id")); } else { alert('The last row may not be deleted.'); } diff --git a/src/usr/local/www/load_balancer_monitor.php b/src/usr/local/www/load_balancer_monitor.php index a6875ca..f85f972 100644 --- a/src/usr/local/www/load_balancer_monitor.php +++ b/src/usr/local/www/load_balancer_monitor.php 
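Review bot: In pfSense.js (hunk at -143,7), any clicked element carrying `icon-embed-btn` now skips the delete confirmation, including a `.fa-trash` icon. That is safe only if the surrounding button is itself matched by this handler, so the click still reaches an element that confirms; the markup is not in this diff. A comment would record the assumption, e.g. `// icons embedded in a button defer to the button's own confirmation`. The handler body continues past the end of the hunk.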
@@ -43,7 +43,6 @@ if ($_POST) { $retval |= filter_configure(); $retval |= relayd_configure(); - $savemsg = get_std_save_message($retval); clear_subsystem_dirty('loadbalancer'); } } @@ -79,8 +78,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('loadbalancer')) { diff --git a/src/usr/local/www/load_balancer_pool.php b/src/usr/local/www/load_balancer_pool.php index d9788cd..48b33ee 100644 --- a/src/usr/local/www/load_balancer_pool.php +++ b/src/usr/local/www/load_balancer_pool.php @@ -47,7 +47,6 @@ if ($_POST) { $retval |= filter_configure(); $retval |= relayd_configure(); - $savemsg = get_std_save_message($retval); clear_subsystem_dirty('loadbalancer'); } } @@ -93,8 +92,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('loadbalancer')) { diff --git a/src/usr/local/www/load_balancer_setting.php b/src/usr/local/www/load_balancer_setting.php index 9ae4a95..a8470c3 100644 --- a/src/usr/local/www/load_balancer_setting.php +++ b/src/usr/local/www/load_balancer_setting.php @@ -46,7 +46,6 @@ if ($_POST) { $retval |= filter_configure(); $retval |= relayd_configure(); - $savemsg = get_std_save_message($retval); clear_subsystem_dirty('loadbalancer'); } else { unset($input_errors); @@ -92,8 +91,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('loadbalancer')) { diff --git a/src/usr/local/www/load_balancer_virtual_server.php b/src/usr/local/www/load_balancer_virtual_server.php index f07c7ac..8082203 100644 --- a/src/usr/local/www/load_balancer_virtual_server.php +++ b/src/usr/local/www/load_balancer_virtual_server.php 
@@ -45,7 +45,6 @@ if ($_POST) { $retval = 0; $retval |= filter_configure(); $retval |= relayd_configure(); - $savemsg = get_std_save_message($retval); /* Wipe out old relayd anchors no longer in use. */ cleanup_lb_marked(); clear_subsystem_dirty('loadbalancer'); @@ -113,8 +112,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('loadbalancer')) { diff --git a/src/usr/local/www/pkg_edit.php b/src/usr/local/www/pkg_edit.php index bfb4514..ba8815d 100644 --- a/src/usr/local/www/pkg_edit.php +++ b/src/usr/local/www/pkg_edit.php @@ -1500,6 +1500,10 @@ if ($pkg['custom_php_after_form_command']) { eval($pkg['custom_php_after_form_command']); } + +$hidemsg = gettext("Show Advanced Options"); +$showmsg = gettext("Hide Advanced Options"); + if ($pkg['fields']['field'] != "") { ?> <script type="text/javascript"> //<![CDATA[ @@ -1520,10 +1524,10 @@ if ($pkg['fields']['field'] != "") { ?> if (advanced_visible) { $('.advancedoptions').show(); - $("#showadv").prop('value', 'Hide advanced Options'); + $("#showadv").html('<i class="fa fa-cog icon-embed-btn"></i>' + "<?=$showmsg?>"); } else { $('.advancedoptions').hide(); - $("#showadv").prop('value', 'Show advanced Options'); + $("#showadv").html('<i class="fa fa-cog icon-embed-btn"></i>' + "<?=$hidemsg?>"); } }); diff --git a/src/usr/local/www/services_captiveportal.php b/src/usr/local/www/services_captiveportal.php index 4922a07..14a9293 100644 --- a/src/usr/local/www/services_captiveportal.php +++ b/src/usr/local/www/services_captiveportal.php 
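Review bot: In pkg_edit.php (hunk at -1520,10), `"<?=$showmsg?>"` and `"<?=$hidemsg?>"` place gettext output inside a JavaScript string literal and then hand it to `.html()` with no encoding. A translation containing a double quote or markup would break the script or be rendered as HTML. Encoding for both contexts fixes that: `$("#showadv").html('<i class="fa fa-cog icon-embed-btn"></i>' + <?=json_encode(htmlspecialchars($showmsg))?>);` and the same for `$hidemsg`. Separately, in the hunk at -1500,6 the names are inverted (`$hidemsg` holds "Show Advanced Options" and `$showmsg` holds "Hide Advanced Options"); the usage matches, but swapping the names would make it readable.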
@@ -512,10 +512,6 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); -} - $tab_array = array(); $tab_array[] = array(gettext("Configuration"), true, "services_captiveportal.php?zone={$cpzone}"); $tab_array[] = array(gettext("MACs"), false, "services_captiveportal_mac.php?zone={$cpzone}"); diff --git a/src/usr/local/www/services_captiveportal_hostname.php b/src/usr/local/www/services_captiveportal_hostname.php index d93dd79..433f5b9 100644 --- a/src/usr/local/www/services_captiveportal_hostname.php +++ b/src/usr/local/www/services_captiveportal_hostname.php @@ -98,10 +98,6 @@ if ($_GET['act'] == "del" && !empty($cpzone) && isset($cpzoneid)) { include("head.inc"); -if ($savemsg) { - print_info_box($savemsg, 'success'); -} - $tab_array = array(); $tab_array[] = array(gettext("Configuration"), false, "services_captiveportal.php?zone={$cpzone}"); $tab_array[] = array(gettext("MACs"), false, "services_captiveportal_mac.php?zone={$cpzone}"); diff --git a/src/usr/local/www/services_captiveportal_ip.php b/src/usr/local/www/services_captiveportal_ip.php index b2da179..0a729eb 100644 --- a/src/usr/local/www/services_captiveportal_ip.php +++ b/src/usr/local/www/services_captiveportal_ip.php @@ -92,10 +92,6 @@ if ($_GET['act'] == "del" && !empty($cpzone) && isset($cpzoneid)) { include("head.inc"); -if ($savemsg) { - print_info_box($savemsg, 'success'); -} - $tab_array = array(); $tab_array[] = array(gettext("Configuration"), false, "services_captiveportal.php?zone={$cpzone}"); $tab_array[] = array(gettext("MACs"), false, "services_captiveportal_mac.php?zone={$cpzone}"); diff --git a/src/usr/local/www/services_captiveportal_mac.php b/src/usr/local/www/services_captiveportal_mac.php index 8e37a1e..79cfee3 100644 --- a/src/usr/local/www/services_captiveportal_mac.php +++ b/src/usr/local/www/services_captiveportal_mac.php 
@@ -76,7 +76,6 @@ if ($_POST) { mwexec("/sbin/ipfw {$g['tmp_path']}/passthrumac_gui"); @unlink("{$g['tmp_path']}/passthrumac_gui"); } - $savemsg = get_std_save_message($retval); if ($retval == 0) { clear_subsystem_dirty('passthrumac'); } @@ -152,8 +151,8 @@ if ($_GET['act'] == "del") { include("head.inc"); -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('passthrumac')) { diff --git a/src/usr/local/www/services_captiveportal_vouchers_edit.php b/src/usr/local/www/services_captiveportal_vouchers_edit.php index bad9d32..8f3e1e0 100644 --- a/src/usr/local/www/services_captiveportal_vouchers_edit.php +++ b/src/usr/local/www/services_captiveportal_vouchers_edit.php @@ -175,10 +175,6 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); -} - $form = new Form(); $section = new Form_Section('Voucher Rolls'); diff --git a/src/usr/local/www/services_captiveportal_zones.php b/src/usr/local/www/services_captiveportal_zones.php index 12f301c..6454a2a 100644 --- a/src/usr/local/www/services_captiveportal_zones.php +++ b/src/usr/local/www/services_captiveportal_zones.php @@ -60,10 +60,6 @@ $pgtitle = array(gettext("Services"), gettext("Captive Portal")); $shortcut_section = "captiveportal"; include("head.inc"); -if ($savemsg) { - print_info_box($savemsg, 'success'); -} - if (is_subsystem_dirty('captiveportal')) { print_apply_box(gettext("The Captive Portal entry list has been changed.") . "<br />" . gettext("The changes must be applied for them to take effect.")); } diff --git a/src/usr/local/www/services_checkip_edit.php b/src/usr/local/www/services_checkip_edit.php index 932366e..2774c27 100644 --- a/src/usr/local/www/services_checkip_edit.php +++ b/src/usr/local/www/services_checkip_edit.php 
@@ -110,10 +110,6 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); -} - $form = new Form; $section = new Form_Section('Check IP Service'); diff --git a/src/usr/local/www/services_dhcp.php b/src/usr/local/www/services_dhcp.php index 426f1c3..db5ce1c 100644 --- a/src/usr/local/www/services_dhcp.php +++ b/src/usr/local/www/services_dhcp.php @@ -610,39 +610,38 @@ if (isset($_POST['save'])) { } if ((isset($_POST['save']) || isset($_POST['apply'])) && (!$input_errors)) { + $changes_applied = true; $retval = 0; $retvaldhcp = 0; $retvaldns = 0; /* dnsmasq_configure calls dhcpd_configure */ /* no need to restart dhcpd twice */ if (isset($config['dnsmasq']['enable']) && isset($config['dnsmasq']['regdhcpstatic'])) { - $retvaldns = services_dnsmasq_configure(); + $retvaldns |= services_dnsmasq_configure(); if ($retvaldns == 0) { clear_subsystem_dirty('hosts'); clear_subsystem_dirty('staticmaps'); } } else if (isset($config['unbound']['enable']) && isset($config['unbound']['regdhcpstatic'])) { - $retvaldns = services_unbound_configure(); + $retvaldns |= services_unbound_configure(); if ($retvaldns == 0) { clear_subsystem_dirty('unbound'); clear_subsystem_dirty('hosts'); clear_subsystem_dirty('staticmaps'); } } else { - $retvaldhcp = services_dhcpd_configure(); + $retvaldhcp |= services_dhcpd_configure(); if ($retvaldhcp == 0) { clear_subsystem_dirty('staticmaps'); } } if ($dhcpd_enable_changed) { - $retvalfc = filter_configure(); + $retvalfc |= filter_configure(); } if ($retvaldhcp == 1 || $retvaldns == 1 || $retvalfc == 1) { $retval = 1; } - - $savemsg = get_std_save_message($retval); } if ($act == "delpool") { @@ -733,8 +732,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval); } if (is_subsystem_dirty('staticmaps')) { 
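Review bot: In services_dhcp.php, `$retvalfc |= filter_configure();` reads `$retvalfc` before anything in this block assigns it, because only `$retval`, `$retvaldhcp` and `$retvaldns` are set to 0. The compound assignment therefore raises an undefined-variable notice that the plain `=` did not; add `$retvalfc = 0;` beside the other initialisers. The summary test `$retvaldhcp == 1 || $retvaldns == 1 || $retvalfc == 1` also treats any other non-zero result as success, which the new result box would then report as applied. `!= 0` is the safer comparison if these configure functions can return other codes. The same `|=` pattern is added in dhcpv6_apply_changes() in services_dhcpv6.php, whose initialisers, if any, lie above its hunk.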
diff --git a/src/usr/local/www/services_dhcp_relay.php b/src/usr/local/www/services_dhcp_relay.php index e824b44..fc8e367 100644 --- a/src/usr/local/www/services_dhcp_relay.php +++ b/src/usr/local/www/services_dhcp_relay.php @@ -114,10 +114,10 @@ if ($_POST) { write_config(); + $changes_applied = true; $retval = 0; - $retval = services_dhcrelay_configure(); - $savemsg = get_std_save_message($retval); - filter_configure(); + $retval |= services_dhcrelay_configure(); + $retval |= filter_configure(); } } @@ -135,8 +135,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval); } $form = new Form; diff --git a/src/usr/local/www/services_dhcpv6.php b/src/usr/local/www/services_dhcpv6.php index 44afcc4..820f89b 100644 --- a/src/usr/local/www/services_dhcpv6.php +++ b/src/usr/local/www/services_dhcpv6.php 
@@ -44,30 +44,30 @@ function dhcpv6_apply_changes($dhcpdv6_enable_changed) { /* dnsmasq_configure calls dhcpd_configure */ /* no need to restart dhcpd twice */ if (isset($config['dnsmasq']['enable']) && isset($config['dnsmasq']['regdhcpstatic'])) { - $retvaldns = services_dnsmasq_configure(); + $retvaldns |= services_dnsmasq_configure(); if ($retvaldns == 0) { clear_subsystem_dirty('hosts'); clear_subsystem_dirty('staticmaps'); } } else if (isset($config['unbound']['enable']) && isset($config['unbound']['regdhcpstatic'])) { - $retvaldns = services_unbound_configure(); + $retvaldns |= services_unbound_configure(); if ($retvaldns == 0) { clear_subsystem_dirty('unbound'); clear_subsystem_dirty('staticmaps'); } } else { - $retvaldhcp = services_dhcpd_configure(); + $retvaldhcp |= services_dhcpd_configure(); if ($retvaldhcp == 0) { clear_subsystem_dirty('staticmaps'); } } if ($dhcpdv6_enable_changed) { - $retvalfc = filter_configure(); + $retvalfc |= filter_configure(); } if ($retvaldhcp == 1 || $retvaldns == 1 || $retvalfc == 1) { $retval = 1; } - return get_std_save_message($retval); + return $retval; } if (!$g['services_dhcp_server_enable']) { @@ -184,7 +184,8 @@ if (is_array($dhcrelaycfg) && isset($dhcrelaycfg['enable']) && isset($dhcrelaycf } if (isset($_POST['apply'])) { - $savemsg = dhcpv6_apply_changes(false); + $changes_applied = true; + $retval = dhcpv6_apply_changes(false); } elseif (isset($_POST['save'])) { unset($input_errors); @@ -459,7 +460,8 @@ if (isset($_POST['apply'])) { write_config(); - $savemsg = dhcpv6_apply_changes($dhcpdv6_enable_changed); + $changes_applied = true; + $retval = dhcpv6_apply_changes($dhcpdv6_enable_changed); } } @@ -492,8 +494,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval); } if (is_subsystem_dirty('staticmaps')) { 
diff --git a/src/usr/local/www/services_dhcpv6_relay.php b/src/usr/local/www/services_dhcpv6_relay.php index b6f1964..8f4135b 100644 --- a/src/usr/local/www/services_dhcpv6_relay.php +++ b/src/usr/local/www/services_dhcpv6_relay.php @@ -115,9 +115,9 @@ if ($_POST) { write_config(); + $changes_applied = true; $retval = 0; - $retval = services_dhcrelay6_configure(); - $savemsg = get_std_save_message($retval); + $retval |= services_dhcrelay6_configure(); } } @@ -135,8 +135,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval); } $form = new Form; diff --git a/src/usr/local/www/services_dnsmasq.php b/src/usr/local/www/services_dnsmasq.php index fb74e7b..2885edd 100644 --- a/src/usr/local/www/services_dnsmasq.php +++ b/src/usr/local/www/services_dnsmasq.php @@ -113,8 +113,7 @@ domains_sort(); if ($_POST) { if ($_POST['apply']) { $retval = 0; - $retval = services_dnsmasq_configure(); - $savemsg = get_std_save_message($retval); + $retval |= services_dnsmasq_configure(); // Reload filter (we might need to sync to CARP hosts) filter_configure(); @@ -232,8 +231,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('hosts')) { diff --git a/src/usr/local/www/services_dyndns_edit.php b/src/usr/local/www/services_dyndns_edit.php index 55860f0..f270f75 100644 --- a/src/usr/local/www/services_dyndns_edit.php +++ b/src/usr/local/www/services_dyndns_edit.php 
@@ -64,6 +64,7 @@ if (isset($id) && isset($a_dyndns[$id])) { $pconfig['enable'] = !isset($a_dyndns[$id]['enable']); $pconfig['interface'] = $a_dyndns[$id]['interface']; $pconfig['wildcard'] = isset($a_dyndns[$id]['wildcard']); + $pconfig['proxied'] = isset($a_dyndns[$id]['proxied']); $pconfig['verboselog'] = isset($a_dyndns[$id]['verboselog']); $pconfig['curl_ipresolve_v4'] = isset($a_dyndns[$id]['curl_ipresolve_v4']); $pconfig['curl_ssl_verifypeer'] = isset($a_dyndns[$id]['curl_ssl_verifypeer']); @@ -158,6 +159,7 @@ if ($_POST) { $dyndns['domainname'] = $_POST['domainname']; $dyndns['mx'] = $_POST['mx']; $dyndns['wildcard'] = $_POST['wildcard'] ? true : false; + $dyndns['proxied'] = $_POST['proxied'] ? true : false; $dyndns['verboselog'] = $_POST['verboselog'] ? true : false; $dyndns['curl_ipresolve_v4'] = $_POST['curl_ipresolve_v4'] ? true : false; $dyndns['curl_ssl_verifypeer'] = $_POST['curl_ssl_verifypeer'] ? true : false; @@ -244,10 +246,6 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); -} - $form = new Form; $section = new Form_Section('Dynamic DNS Client'); @@ -323,6 +321,15 @@ $section->addInput(new Form_Checkbox( )); $section->addInput(new Form_Checkbox( + 'proxied', + 'CloudFlare Proxy', + 'Enable Proxy', + $pconfig['proxied'] +))->setHelp('Note: This enables CloudFlares Virtual DNS proxy. When Enabled it will route all traffic '. + 'through their servers. By Default this is disabled and your Real IP is exposed.'. + 'More info: <a href="https://blog.cloudflare.com/announcing-virtual-dns-ddos-mitigation-and-global-distribution-for-dns-traffic/" target="_blank">CloudFlare Blog</a>'); + +$section->addInput(new Form_Checkbox( 'verboselog', 'Verbose logging', 'Enable verbose logging', 
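Review bot: In services_dyndns_edit.php the new help text opens an external site with `target="_blank"` but no `rel` attribute, which lets the opened page reach back through `window.opener`. Write the anchor with `target="_blank" rel="noopener noreferrer"`. The string concatenation also drops a space, so the rendered text reads "exposed.More info"; end that fragment with `exposed. '`. In the POST hunk, `$_POST['proxied'] ? true : false` follows the neighbouring lines but indexes a key that an unchecked checkbox never sends. `!empty($_POST['proxied'])` gives the same boolean without the notice.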
@@ -441,6 +448,7 @@ events.push(function() { hideInput('host', true); hideInput('mx', true); hideCheckbox('wildcard', true); + hideCheckbox('proxied', true); hideInput('zoneid', true); hideInput('ttl', true); break; @@ -456,6 +464,7 @@ events.push(function() { hideInput('host', false); hideInput('mx', false); hideCheckbox('wildcard', false); + hideCheckbox('proxied', true); hideInput('zoneid', false); hideInput('ttl', false); break; @@ -472,9 +481,24 @@ events.push(function() { hideInput('host', false); hideInput('mx', false); hideCheckbox('wildcard', false); + hideCheckbox('proxied', true); hideInput('zoneid', true); hideInput('ttl', true); break; + case "cloudflare-v6": + case "cloudflare": + hideGroupInput('domainname', true); + hideInput('resultmatch', true); + hideInput('updateurl', true); + hideInput('requestif', true); + hideCheckbox('curl_ipresolve_v4', true); + hideCheckbox('curl_ssl_verifypeer', true); + hideInput('host', false); + hideInput('mx', false); + hideCheckbox('wildcard', false); + hideCheckbox('proxied', false); + hideInput('zoneid', true); + hideInput('ttl', true); default: hideGroupInput('domainname', true); hideInput('resultmatch', true); @@ -485,6 +509,7 @@ events.push(function() { hideInput('host', false); hideInput('mx', false); hideCheckbox('wildcard', false); + hideCheckbox('proxied', true); hideInput('zoneid', true); hideInput('ttl', true); } diff --git a/src/usr/local/www/services_igmpproxy.php b/src/usr/local/www/services_igmpproxy.php index f3b8775..5de6aa1 100644 --- a/src/usr/local/www/services_igmpproxy.php +++ b/src/usr/local/www/services_igmpproxy.php 
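Review bot: The new `case "cloudflare-v6": case "cloudflare":` block in services_dyndns_edit.php has no `break;` after `hideInput('ttl', true);`, so control falls through into `default:`. That branch calls `hideCheckbox('proxied', true)` and hides the very checkbox this commit adds for CloudFlare. Add `break;` as the last statement of the CloudFlare case. Without it the option cannot be switched on from this page, and the new help text states that the real IP is exposed while the proxy is disabled.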
@@ -42,15 +42,10 @@ $a_igmpproxy = &$config['igmpproxy']['igmpentry']; if ($_POST) { $pconfig = $_POST; + $changes_applied = true; $retval = 0; /* reload all components that use igmpproxy */ - $retval = services_igmpproxy_configure(); - - if (stristr($retval, "error") <> true) { - $savemsg = get_std_save_message($retval); - } else { - $savemsg = $retval; - } + $retval |= services_igmpproxy_configure(); clear_subsystem_dirty('igmpproxy'); } @@ -68,8 +63,8 @@ if ($_GET['act'] == "del") { $pgtitle = array(gettext("Services"), gettext("IGMP Proxy")); include("head.inc"); -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval); } if (is_subsystem_dirty('igmpproxy')) { diff --git a/src/usr/local/www/services_ntpd.php b/src/usr/local/www/services_ntpd.php index 2adcfe0..47804c5 100644 --- a/src/usr/local/www/services_ntpd.php +++ b/src/usr/local/www/services_ntpd.php @@ -53,6 +53,10 @@ if ($_POST) { unset($input_errors); $pconfig = $_POST; + if ((strlen($pconfig['ntporphan']) > 0) && (!is_numericint($pconfig['ntporphan']) || ($pconfig['ntporphan'] < 1) || ($pconfig['ntporphan'] > 15))) { + $input_errors[] = gettext("The supplied value for NTP Orphan Mode is invalid."); + } + if (!$input_errors) { if (is_array($_POST['interface'])) { $config['ntpd']['interface'] = implode(",", $_POST['interface']); @@ -91,11 +95,7 @@ if ($_POST) { } $config['system']['timeservers'] = trim($timeservers); - if (!empty($_POST['ntporphan']) && ($_POST['ntporphan'] < 17) && ($_POST['ntporphan'] != '12')) { - $config['ntpd']['orphan'] = $_POST['ntporphan']; - } elseif (isset($config['ntpd']['orphan'])) { - unset($config['ntpd']['orphan']); - } + $config['ntpd']['orphan'] = trim($pconfig['ntporphan']); if (!empty($_POST['logpeer'])) { $config['ntpd']['logpeer'] = $_POST['logpeer']; 
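Review bot: In services_igmpproxy.php, `clear_subsystem_dirty('igmpproxy');` still runs unconditionally after `$retval |= services_igmpproxy_configure();`, so when the new result box reports a failure the pending-changes prompt is already gone. Other pages in this commit guard the call, and the same fits here: `if ($retval == 0) { clear_subsystem_dirty('igmpproxy'); }`. The removed code also checked the return value for the substring "error". If services_igmpproxy_configure() can return a message string rather than an integer, OR-ing it into `$retval` loses that message, so its return type is worth confirming.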
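Review bot: In services_ntpd.php, `$config['ntpd']['orphan'] = trim($pconfig['ntporphan']);` now writes the key on every save, including an empty string when the field is left blank, whereas the removed code unset it. If the code that generates the NTP configuration tests `isset($config['ntpd']['orphan'])` (it is not visible here), a blank field would produce an empty orphan setting. The range check added above is also applied to the untrimmed value while the trimmed one is stored, so trimming once before validating keeps the two consistent. Keeping the unset branch would look like this:

```php
// … unchanged: timeservers handling …
$ntporphan = trim($pconfig['ntporphan']);
if (strlen($ntporphan) > 0) {
	$config['ntpd']['orphan'] = $ntporphan;
} elseif (isset($config['ntpd']['orphan'])) {
	unset($config['ntpd']['orphan']);
}
```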
@@ -151,9 +151,9 @@ if ($_POST) { write_config("Updated NTP Server Settings"); + $changes_applied = true; $retval = 0; - $retval = system_ntp_configure(); - $savemsg = get_std_save_message($retval); + $retval |= system_ntp_configure(); } } @@ -192,8 +192,9 @@ include("head.inc"); if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); + +if ($changes_applied) { + print_apply_result_box($retval); } $tab_array = array(); diff --git a/src/usr/local/www/services_ntpd_acls.php b/src/usr/local/www/services_ntpd_acls.php index 19c057d..ea80ea4 100644 --- a/src/usr/local/www/services_ntpd_acls.php +++ b/src/usr/local/www/services_ntpd_acls.php @@ -150,9 +150,9 @@ if ($_POST) { write_config("Updated NTP ACL Settings"); + $changes_applied = true; $retval = 0; - $retval = system_ntp_configure(); - $savemsg = get_std_save_message($retval); + $retval |= system_ntp_configure(); } } @@ -165,8 +165,9 @@ include("head.inc"); if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); + +if ($changes_applied) { + print_apply_result_box($retval); } $tab_array = array(); diff --git a/src/usr/local/www/services_ntpd_gps.php b/src/usr/local/www/services_ntpd_gps.php index 971d57e..f06e03e 100644 --- a/src/usr/local/www/services_ntpd_gps.php +++ b/src/usr/local/www/services_ntpd_gps.php @@ -154,8 +154,9 @@ if ($_POST) { write_config(gettext("Updated NTP GPS Settings")); - $retval = system_ntp_configure(); - $savemsg = get_std_save_message($retval); + $changes_applied = true; + $retval = 0; + $retval |= system_ntp_configure(); } else { /* set defaults if they do not already exist */ if (!is_array($config['ntpd']) || !is_array($config['ntpd']['gps']) || empty($config['ntpd']['gps']['type'])) { 
@@ -192,6 +193,10 @@ $pgtitle = array(gettext("Services"), gettext("NTP"), gettext("Serial GPS")); $shortcut_section = "ntp"; include("head.inc"); +if ($changes_applied) { + print_apply_result_box($retval); +} + $tab_array = array(); $tab_array[] = array(gettext("Settings"), false, "services_ntpd.php"); $tab_array[] = array(gettext("ACLs"), false, "services_ntpd_acls.php"); diff --git a/src/usr/local/www/services_ntpd_pps.php b/src/usr/local/www/services_ntpd_pps.php index da987f7..c3d70df 100644 --- a/src/usr/local/www/services_ntpd_pps.php +++ b/src/usr/local/www/services_ntpd_pps.php @@ -91,9 +91,9 @@ if ($_POST) { write_config("Updated NTP PPS Settings"); + $changes_applied = true; $retval = 0; - $retval = system_ntp_configure(); - $savemsg = get_std_save_message($retval); + $retval |= system_ntp_configure(); } } @@ -107,8 +107,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval); } $tab_array = array(); diff --git a/src/usr/local/www/services_pppoe.php b/src/usr/local/www/services_pppoe.php index a8b0f03..85b3531 100644 --- a/src/usr/local/www/services_pppoe.php +++ b/src/usr/local/www/services_pppoe.php @@ -59,7 +59,6 @@ if ($_POST) { } $retval = 0; $retval |= filter_configure(); - $savemsg = get_std_save_message($retval); clear_subsystem_dirty('vpnpppoe'); } } @@ -83,8 +82,8 @@ $pgtitle = array(gettext("Services"), gettext("PPPoE Server")); $shortcut_section = "pppoes"; include("head.inc"); -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('vpnpppoe')) { diff --git a/src/usr/local/www/services_pppoe_edit.php b/src/usr/local/www/services_pppoe_edit.php index 633af97..014f21d 100644 --- a/src/usr/local/www/services_pppoe_edit.php +++ b/src/usr/local/www/services_pppoe_edit.php 
@@ -285,10 +285,6 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); -} - $form = new Form(); $section = new Form_Section('PPPoE Server Configuration'); diff --git a/src/usr/local/www/services_rfc2136_edit.php b/src/usr/local/www/services_rfc2136_edit.php index 41a7c5b..4ca7cb8 100644 --- a/src/usr/local/www/services_rfc2136_edit.php +++ b/src/usr/local/www/services_rfc2136_edit.php @@ -152,10 +152,6 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); -} - $form = new Form; $section = new Form_Section('RFC 2136 Client'); diff --git a/src/usr/local/www/services_router_advertisements.php b/src/usr/local/www/services_router_advertisements.php index e369d37..367aedb 100644 --- a/src/usr/local/www/services_router_advertisements.php +++ b/src/usr/local/www/services_router_advertisements.php @@ -54,7 +54,7 @@ if ($config['installedpackages']['olsrd']) { } if (!$_GET['if']) { - $savemsg = gettext("The DHCPv6 Server can only be enabled on interfaces configured with static, non unique local IP addresses.") . "<br />" . + $info_msg = gettext("The DHCPv6 Server can only be enabled on interfaces configured with static, non unique local IP addresses.") . "<br />" . gettext("Only interfaces configured with a static IP will be shown."); } @@ -243,8 +243,9 @@ if ($_POST) { } write_config(); - $retval = services_radvd_configure(); - $savemsg = get_std_save_message($retval); + $changes_applied = true; + $retval = 0; + $retval |= services_radvd_configure(); } } @@ -261,8 +262,12 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval); +} + +if ($info_msg) { + print_info_box($info_msg, 'success'); } /* active tabs */ diff --git a/src/usr/local/www/services_snmp.php b/src/usr/local/www/services_snmp.php index 66caf4f..0811cc9 100644 
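Review bot: In services_router_advertisements.php, `print_info_box($info_msg, 'success')` renders an interface restriction notice in the success style directly below the new apply result box, so it reads like the outcome of a save. The `'info'` class that appears in services_unbound.php fits this message better: `print_info_box($info_msg, 'info');`.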
--- a/src/usr/local/www/services_snmp.php +++ b/src/usr/local/www/services_snmp.php @@ -33,6 +33,8 @@ require_once("guiconfig.inc"); require_once("functions.inc"); +$specplatform = system_identify_specific_platform(); + if (!is_array($config['snmpd'])) { $config['snmpd'] = array(); $config['snmpd']['rocommunity'] = "public"; @@ -161,9 +163,9 @@ if ($_POST) { write_config(); + $changes_applied = true; $retval = 0; - $retval = services_snmpd_configure(); - $savemsg = get_std_save_message($retval); + $retval |= services_snmpd_configure(); } } @@ -200,8 +202,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval); } $form = new Form(); @@ -316,12 +318,14 @@ $group->add(new Form_MultiCheckbox( $pconfig['pf'] )); -$group->add(new Form_MultiCheckbox( - 'hostres', - null, - 'Host Resources', - $pconfig['hostres'] -)); +if (!(($specplatform['name'] == 'VMware') && (file_exists('/dev/cd0')))) { + $group->add(new Form_MultiCheckbox( + 'hostres', + null, + 'Host Resources', + $pconfig['hostres'] + )); +} $group->add(new Form_MultiCheckbox( 'ucd', @@ -338,6 +342,14 @@ $group->add(new Form_MultiCheckbox( )); $section->add($group); +if ((($specplatform['name'] == 'VMware') && (file_exists('/dev/cd0')))) { + $section->addInput(new Form_StaticText( + NULL, + NULL + ))->setHelp(sprint_info_box('The hostres module is not compatible with VMware virtual ' . + 'machines configured with a virtual CD/DVD Drive.', 'warning', false)); +} + $form->add($section); $section = new Form_Section('Interface Binding'); diff --git a/src/usr/local/www/services_unbound.php b/src/usr/local/www/services_unbound.php index b79548c..c2ba2b7 100644 --- a/src/usr/local/www/services_unbound.php +++ b/src/usr/local/www/services_unbound.php 
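Review bot: The VMware/CD-drive test in services_snmp.php is written out twice, once to hide the `hostres` checkbox and once to show the warning, so the two copies can drift apart. Compute it once, e.g. `$hostres_unsupported = ($specplatform['name'] == 'VMware') && file_exists('/dev/cd0');`, and branch on that in both places. Hiding the checkbox only affects the form, and the POST handler is outside these hunks. It is worth confirming that a previously saved or hand-posted `hostres` value is also dropped on such machines. `NULL` should be lowercase `null` to match the checkbox constructor above.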
@@ -88,8 +88,8 @@ if (empty($a_unboundcfg['system_domain_local_zone_type'])) { if ($_POST) { if ($_POST['apply']) { - $retval = services_unbound_configure(); - $savemsg = get_std_save_message($retval); + $retval = 0; + $retval |= services_unbound_configure(); if ($retval == 0) { clear_subsystem_dirty('unbound'); } @@ -128,7 +128,7 @@ if ($_POST) { } } if ($founddns == false) { - $input_errors[] = gettext("At least one DNS server must be specified under System>General Setup to enable Forwarding mode."); + $input_errors[] = gettext("At least one DNS server must be specified under System > General Setup to enable Forwarding mode."); } } @@ -244,8 +244,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('unbound')) { @@ -317,7 +317,9 @@ $section->addInput(new Form_Checkbox( 'DNS Query Forwarding', 'Enable Forwarding Mode', $pconfig['forwarding'] -)); +))->setHelp(sprintf('If this option is set, DNS queries will be forwarded to the upstream DNS servers defined under'. + ' %sSystem > General Setup%s or those obtained via DHCP/PPP on WAN'. + ' (if DNS Server Override is enabled there).','<a href="system.php">','</a>')); $section->addInput(new Form_Checkbox( 'regdhcp', @@ -326,7 +328,7 @@ $section->addInput(new Form_Checkbox( $pconfig['regdhcp'] ))->setHelp(sprintf('If this option is set, then machines that specify their hostname when requesting a DHCP lease will be registered'. ' in the DNS Resolver, so that their name can be resolved.'. - ' The domain in %sSystem: General Setup%s should also be set to the proper value.','<a href="system.php">','</a>')); + ' The domain in %sSystem > General Setup%s should also be set to the proper value.','<a href="system.php">','</a>')); $section->addInput(new Form_Checkbox( 'regdhcpstatic', 
@@ -334,7 +336,7 @@ $section->addInput(new Form_Checkbox( 'Register DHCP static mappings in the DNS Resolver', $pconfig['regdhcpstatic'] ))->setHelp(sprintf('If this option is set, then DHCP static mappings will be registered in the DNS Resolver, so that their name can be resolved. '. - 'The domain in %sSystem: General Setup%s should also be set to the proper value.','<a href="system.php">','</a>')); + 'The domain in %sSystem > General Setup%s should also be set to the proper value.','<a href="system.php">','</a>')); $btnadv = new Form_Button( 'btnadvcustom', @@ -555,7 +557,7 @@ endforeach; " service (if enabled) will automatically serve the LAN IP". " address as a DNS server to DHCP clients so they will use". " the DNS Resolver. If Forwarding is enabled, the DNS Resolver will use the DNS servers". - " entered in %sSystem: General Setup%s". + " entered in %sSystem > General Setup%s". " or those obtained via DHCP or PPP on WAN if "Allow". " DNS server list to be overridden by DHCP/PPP on WAN"". " is checked."), '<a href="system.php">', '</a>'), 'info', false); ?> diff --git a/src/usr/local/www/services_unbound_acls.php b/src/usr/local/www/services_unbound_acls.php index 1174202..31e2180 100644 --- a/src/usr/local/www/services_unbound_acls.php +++ b/src/usr/local/www/services_unbound_acls.php @@ -99,8 +99,8 @@ if ($_POST) { } if ($_POST['apply']) { - $retval = services_unbound_configure(); - $savemsg = get_std_save_message($retval); + $retval = 0; + $retval |= services_unbound_configure(); if ($retval == 0) { clear_subsystem_dirty('unbound'); } @@ -185,8 +185,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('unbound')) { diff --git a/src/usr/local/www/services_unbound_advanced.php b/src/usr/local/www/services_unbound_advanced.php index 14bb376..1f869de 100644 --- a/src/usr/local/www/services_unbound_advanced.php 
+++ b/src/usr/local/www/services_unbound_advanced.php @@ -77,8 +77,8 @@ if (isset($config['unbound']['use_caps'])) { if ($_POST) { if ($_POST['apply']) { - $retval = services_unbound_configure(); - $savemsg = get_std_save_message($retval); + $retval = 0; + $retval |= services_unbound_configure(); if ($retval == 0) { clear_subsystem_dirty('unbound'); } @@ -192,8 +192,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('unbound')) { diff --git a/src/usr/local/www/status_gateways.php b/src/usr/local/www/status_gateways.php index d633fab..5b5125c 100644 --- a/src/usr/local/www/status_gateways.php +++ b/src/usr/local/www/status_gateways.php @@ -140,11 +140,17 @@ display_top_tabs($tab_array); $online = gettext("Warning, Latency") . ': ' . $status['delay']; $bgcolor = "bg-warning"; } elseif ($status['status'] == "none") { - $online = gettext("Online"); + if ($status['monitor_disable'] || ($status['monitorip'] == "none")) { + $online = gettext("Online (unmonitored)"); + } else { + $online = gettext("Online"); + } $bgcolor = "bg-success"; } } else if (isset($gateway['monitor_disable'])) { - $online = gettext("Online"); + // Note: return_gateways_status() always returns an array entry for all gateways, + // so this "else if" never happens. + $online = gettext("Online (unmonitored)"); $bgcolor = "bg-success"; } else { $online = gettext("Pending"); diff --git a/src/usr/local/www/status_lb_pool.php b/src/usr/local/www/status_lb_pool.php index 911e891..7d22242 100644 --- a/src/usr/local/www/status_lb_pool.php +++ b/src/usr/local/www/status_lb_pool.php @@ -68,7 +68,6 @@ if ($_POST) { $retval = 0; $retval |= filter_configure(); $retval |= relayd_configure(); - $savemsg = get_std_save_message($retval); clear_subsystem_dirty('loadbalancer'); } else { /* Keep a list of servers we find in POST variables */ 
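Review bot: In status_gateways.php, `$status['monitor_disable']` is read as a plain index while the `else if` below tests the same flag with `isset($gateway['monitor_disable'])`. If the status array omits the key for monitored gateways this logs an undefined-index notice per row, so `!empty($status['monitor_disable'])` is safer. The added comment says the `else if` branch can never run, and removing that branch would be clearer than relabelling a string inside dead code. The `if` chain starts outside the hunk.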
@@ -110,6 +109,10 @@ if (is_subsystem_dirty('loadbalancer')) { print_apply_box(gettext("The load balancer configuration has been changed.") . "<br />" . gettext("The changes must be applied for them to take effect.")); } +if ($_POST['apply']) { + print_apply_result_box($retval); +} + /* active tabs */ $tab_array = array(); $tab_array[] = array(gettext("Pools"), true, "status_lb_pool.php"); diff --git a/src/usr/local/www/status_logs.php b/src/usr/local/www/status_logs.php index 7435974..74f94a9 100644 --- a/src/usr/local/www/status_logs.php +++ b/src/usr/local/www/status_logs.php @@ -99,8 +99,8 @@ if (in_array($logfile, array('system', 'gateways', 'routing', 'resolver', 'wirel } include("head.inc"); -if (!$input_errors && $savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval, $extra_save_msg); $manage_log_active = false; } diff --git a/src/usr/local/www/status_logs_common.inc b/src/usr/local/www/status_logs_common.inc index f35b9a2..be05902 100644 --- a/src/usr/local/www/status_logs_common.inc +++ b/src/usr/local/www/status_logs_common.inc @@ -584,8 +584,10 @@ function manage_log_code() { return; } - global $logfile, $specific_log, $config, $pconfig, $save_settings, $input_errors, $savemsg; + global $logfile, $specific_log, $config, $pconfig, $save_settings, $input_errors, $extra_save_msg, $retval, $changes_applied; + $changes_applied = false; + $extra_save_msg = ""; $specific_log = basename($logfile) . '_settings'; // Common to All Logs 
@@ -711,28 +713,27 @@ function manage_log_code() { } } + $retval = 0; + $changes_applied = true; // If any of the logging settings were changed then backup and sync (standard write_config). Otherwise only write config (don't backup, don't sync). - if ($logging_changed) { - write_config($desc = gettext("Log Display Settings Saved: ") . gettext($allowed_logs[$logfile]["name"]), $backup = true, $write_config_only = false); - $retval = 0; - $retval = system_syslogd_start(); - $savemsg = gettext("The changes have been applied successfully."); - } else { - write_config($desc = gettext("Log Display Settings Saved (no backup, no sync): ") . gettext($allowed_logs[$logfile]["name"]), $backup = false, $write_config_only = true); - $savemsg = ''; - } + if ($logging_changed) { + write_config($desc = gettext("Log Display Settings Saved: ") . gettext($allowed_logs[$logfile]["name"]), $backup = true, $write_config_only = false); + system_syslogd_start(); + } else { + write_config($desc = gettext("Log Display Settings Saved (no backup, no sync): ") . gettext($allowed_logs[$logfile]["name"]), $backup = false, $write_config_only = true); + } // Specific to System General (main) Log - if ($logfile == 'system') { - if ($nginx_logging_changed) { - ob_flush(); - flush(); - log_error(gettext("webConfigurator configuration has changed. Restarting webConfigurator.")); - send_event("service restart webgui"); - $savemsg .= "<br />" . gettext("WebGUI process is restarting."); + if ($logfile == 'system') { + if ($nginx_logging_changed) { + ob_flush(); + flush(); + log_error(gettext("webConfigurator configuration has changed. Restarting webConfigurator.")); + send_event("service restart webgui"); + $extra_save_msg = gettext("WebGUI process is restarting."); + } } - } // Specific to Firewall Log if ($logfile == 'filter') { 
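Review bot: In manage_log_code() the result of `system_syslogd_start()` is now discarded, so `$retval` stays 0 and the result box reports success even if the syslog daemon failed to restart. The system would then be left without logging and nobody would notice. Fold the result into the status like the other configure calls with `$retval |= system_syslogd_start();`, assuming it returns an integer status as the removed assignment suggests. status_logs_settings.php makes the same change from `$retval = system_syslogd_start();` to a bare call. The function body starts and ends outside this hunk.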
@@ -740,8 +741,6 @@ function manage_log_code() { require_once("filter.inc"); $retval |= filter_configure(); filter_pflog_start(true); - - $savemsg = get_std_save_message($retval); } } } diff --git a/src/usr/local/www/status_logs_filter.php b/src/usr/local/www/status_logs_filter.php index 4c37c91..2f1b86e 100644 --- a/src/usr/local/www/status_logs_filter.php +++ b/src/usr/local/www/status_logs_filter.php @@ -102,12 +102,11 @@ status_logs_common_code(); $pgtitle = array(gettext("Status"), gettext("System Logs"), gettext($allowed_logs[$logfile]["name"]), $view_title); include("head.inc"); -if (!$input_errors && $savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval, $extra_save_msg); $manage_log_active = false; } - // Tab Array tab_array_logs_common(); diff --git a/src/usr/local/www/status_logs_filter_dynamic.php b/src/usr/local/www/status_logs_filter_dynamic.php index 4ea4d4a..04d70c2 100644 --- a/src/usr/local/www/status_logs_filter_dynamic.php +++ b/src/usr/local/www/status_logs_filter_dynamic.php @@ -82,12 +82,11 @@ status_logs_common_code(); $pgtitle = array(gettext("Status"), gettext("System Logs"), gettext($allowed_logs[$logfile]["name"]), $view_title); include("head.inc"); -if (!$input_errors && $savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval, $extra_save_msg); $manage_log_active = false; } - // Tab Array tab_array_logs_common(); diff --git a/src/usr/local/www/status_logs_filter_summary.php b/src/usr/local/www/status_logs_filter_summary.php index 124d190..333c97e 100644 --- a/src/usr/local/www/status_logs_filter_summary.php +++ b/src/usr/local/www/status_logs_filter_summary.php 
@@ -67,12 +67,11 @@ status_logs_common_code(); $pgtitle = array(gettext("Status"), gettext("System Logs"), gettext($allowed_logs[$logfile]["name"]), $view_title); include("head.inc"); -if (!$input_errors && $savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval, $extra_save_msg); $manage_log_active = false; } - // Tab Array tab_array_logs_common(); diff --git a/src/usr/local/www/status_logs_settings.php b/src/usr/local/www/status_logs_settings.php index 33881ed..add7a80 100644 --- a/src/usr/local/www/status_logs_settings.php +++ b/src/usr/local/www/status_logs_settings.php @@ -80,7 +80,7 @@ function is_valid_syslog_server($target) { if ($_POST['resetlogs'] == gettext("Reset Log Files")) { clear_all_log_files(true); - $savemsg .= gettext("The log files have been reset."); + $reset_msg = gettext("The log files have been reset."); } elseif ($_POST) { unset($input_errors); $pconfig = $_POST; @@ -162,8 +162,9 @@ if ($_POST['resetlogs'] == gettext("Reset Log Files")) { write_config(); + $changes_applied = true; $retval = 0; - $retval = system_syslogd_start(); + system_syslogd_start(); if (($oldnologdefaultblock !== isset($config['syslog']['nologdefaultblock'])) || ($oldnologdefaultpass !== isset($config['syslog']['nologdefaultpass'])) || ($oldnologbogons !== isset($config['syslog']['nologbogons'])) || @@ -171,14 +172,12 @@ if ($_POST['resetlogs'] == gettext("Reset Log Files")) { $retval |= filter_configure(); } - $savemsg = get_std_save_message($retval); - if ($oldnolognginx !== isset($config['syslog']['nolognginx'])) { ob_flush(); flush(); log_error(gettext("webConfigurator configuration has changed. Restarting webConfigurator.")); send_event("service restart webgui"); - $savemsg .= "<br />" . gettext("WebGUI process is restarting."); + $extra_save_msg = gettext("WebGUI process is restarting."); } filter_pflog_start(true); 
@@ -204,8 +203,12 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($reset_msg) { + print_info_box($reset_msg, 'success'); +} + +if ($changes_applied) { + print_apply_result_box($retval, $extra_save_msg); } $tab_array = array(); diff --git a/src/usr/local/www/status_ntpd.php b/src/usr/local/www/status_ntpd.php index 56725ab..c37052d 100644 --- a/src/usr/local/www/status_ntpd.php +++ b/src/usr/local/www/status_ntpd.php @@ -110,6 +110,8 @@ if (!isset($config['ntpd']['noquery'])) { $gps_lat = $gps_lat * (($gps_vars[4] == "N") ? 1 : -1); $gps_lon = $gps_lon_deg + $gps_lon_min; $gps_lon = $gps_lon * (($gps_vars[6] == "E") ? 1 : -1); + $gps_la = $gps_vars[4]; + $gps_lo = $gps_vars[6]; } elseif (substr($tmp, 0, 6) == '$GPGGA') { $gps_vars = explode(",", $tmp); $gps_ok = $gps_vars[6]; @@ -123,9 +125,11 @@ if (!isset($config['ntpd']['noquery'])) { $gps_lon = $gps_lon * (($gps_vars[5] == "E") ? 1 : -1); $gps_alt = $gps_vars[9]; $gps_alt_unit = $gps_vars[10]; - $gps_sat = $gps_vars[7]; + $gps_sat = (int)$gps_vars[7]; + $gps_la = $gps_vars[3]; + $gps_lo = $gps_vars[5]; } elseif (substr($tmp, 0, 6) == '$GPGLL') { - $gps_vars = explode(",", $tmp); + $gps_vars = preg_split('/[,\*]+/', $tmp); $gps_ok = ($gps_vars[6] == "A"); $gps_lat_deg = substr($gps_vars[1], 0, 2); $gps_lat_min = substr($gps_vars[1], 2) / 60.0; @@ -135,6 +139,8 @@ if (!isset($config['ntpd']['noquery'])) { $gps_lat = $gps_lat * (($gps_vars[2] == "N") ? 1 : -1); $gps_lon = $gps_lon_deg + $gps_lon_min; $gps_lon = $gps_lon * (($gps_vars[4] == "E") ? 1 : -1); + $gps_la = $gps_vars[2]; + $gps_lo = $gps_vars[4]; } } } 
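Review bot: In the `$GPGLL` branch (`@@ -123,9 +125,11 @@` of status_ntpd.php) the `+` quantifier in `preg_split('/[,\*]+/', $tmp)` treats a run of delimiters as one, so a sentence containing empty fields shifts every later index. `$gps_vars[6]`, `$gps_vars[2]` and `$gps_vars[4]` then no longer point at the status and hemisphere fields, and the latitude/longitude arithmetic runs on the wrong columns. Splitting on single delimiters keeps the positions stable: `$gps_vars = preg_split('/[,*]/', $tmp);`. The enclosing `if`/`elseif` chain starts outside the hunk.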
@@ -205,7 +211,7 @@ function print_status() { } function print_gps() { - global $gps_lat, $gps_lon, $gps_lat_deg, $gps_lon_deg, $gps_lat_min, $gps_lon_min, $gps_vars, + global $gps_lat, $gps_lon, $gps_lat_deg, $gps_lon_deg, $gps_lat_min, $gps_lon_min, $gps_la, $gps_lo, $gps_alt, $gps_alt_unit, $gps_sat, $gps_satview, $gps_goo_lnk; print("<tr>\n"); @@ -214,7 +220,7 @@ function print_gps() { print(" ("); printf("%d%s", $gps_lat_deg, "°"); printf("%.5f", $gps_lat_min*60); - print($gps_vars[4]); + print($gps_la); print(")"); print("</td>\n"); print("<td>\n"); @@ -222,7 +228,7 @@ function print_gps() { print(" ("); printf("%d%s", $gps_lon_deg, "°"); printf("%.5f", $gps_lon_min*60); - print($gps_vars[6]); + print($gps_lo); print(")"); print("</td>\n"); @@ -233,7 +239,7 @@ function print_gps() { } if (isset($gps_sat) || isset($gps_satview)) { - print('<td class="text-center">'); + print('<td>'); if (isset($gps_satview)) { print(gettext('in view ') . intval($gps_satview)); diff --git a/src/usr/local/www/status_openvpn.php b/src/usr/local/www/status_openvpn.php index 9997703..0a71ac2 100644 --- a/src/usr/local/www/status_openvpn.php +++ b/src/usr/local/www/status_openvpn.php @@ -312,7 +312,13 @@ include("head.inc"); ?> <td><?=htmlspecialchars($client['name']);?></td> <td><?=$client['status'];?></td> <td><?=$client['connect_time'];?></td> - <td><?=$client['local_host'];?>:<?=$client['local_port'];?></td> + <td> + <?php if (empty($client['local_host']) && empty($client['local_port'])): ?> + (pending) + <?php else: ?> + <?=$client['local_host'];?>:<?=$client['local_port'];?> + <?php endif; ?> + </td> <td> <?=$client['virtual_addr'];?> <?php if (!empty($client['virtual_addr']) && !empty($client['virtual_addr6'])): ?> 
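Review bot: `print($gps_la);` and `print($gps_lo);` in `print_gps()` (`@@ -214,7 +220,7 @@` and `@@ -222,7 +228,7 @@`) write the hemisphere field into the table cell exactly as received; the assignments added in the parsing hunks copy `$gps_vars[...]` without restricting it to a single letter. The value originates from the parsed receiver sentence rather than from the firewall's own configuration, so I would encode it on output: `print(htmlspecialchars($gps_la));` and `print(htmlspecialchars($gps_lo));`. The body of `print_gps()` continues outside these hunks.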
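Review bot: The new `else` branch in `@@ -312,7 +312,13 @@` of status_openvpn.php echoes `$client['local_host']` and `$client['local_port']` without encoding, while the `name` column a few lines above goes through `htmlspecialchars()`; the `remote_host`/`remote_port` cell in the `@@ -320,7 +326,13 @@` hunk has the same shape. Where `$client` is populated is not visible here, so I would treat these fields like `name` and write `<?=htmlspecialchars($client['local_host']);?>:<?=htmlspecialchars($client['local_port']);?>`. The literal `(pending)` is also not wrapped in `gettext()`, unlike the other user-facing strings this commit touches.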
@@ -320,7 +326,13 @@ include("head.inc"); ?> <?php endif; ?> <?=$client['virtual_addr6'];?> </td> - <td><?=$client['remote_host'];?>:<?=$client['remote_port'];?></td> + <td> + <?php if (empty($client['remote_host']) && empty($client['remote_port'])): ?> + (pending) + <?php else: ?> + <?=$client['remote_host'];?>:<?=$client['remote_port'];?> + <?php endif; ?> + </td> <td><?=format_bytes($client['bytes_sent']);?> / <?=format_bytes($client['bytes_recv']);?></td> <td> <table> diff --git a/src/usr/local/www/system.php b/src/usr/local/www/system.php index 83ab5e7..86b9d76 100644 --- a/src/usr/local/www/system.php +++ b/src/usr/local/www/system.php @@ -93,6 +93,38 @@ if ($pconfig['timezone'] <> $_POST['timezone']) { } $timezonelist = system_get_timezone_list(); +$timezonedesc = $timezonelist; + +/* + * Etc/GMT entries work the opposite way to what people expect. + * Ref: https://github.com/eggert/tz/blob/master/etcetera and Redmine issue 7089 + * Add explanatory text to entries like: + * Etc/GMT+1 and Etc/GMT-1 + * but not: + * Etc/GMT or Etc/GMT+0 + */ +foreach ($timezonedesc as $idx => $desc) { + if (substr($desc, 0, 7) != "Etc/GMT" || substr($desc, 8, 1) == "0") { + continue; + } + + $direction = substr($desc, 7, 1); + + switch ($direction) { + case '-': + $direction_str = gettext('AHEAD of'); + break; + case '+': + $direction_str = gettext('BEHIND'); + break; + default: + continue; + } + + $hr_offset = substr($desc, 8); + $timezonedesc[$idx] = $desc . " " . + sprintf(ngettext('(%1$s hour %2$s GMT)', '(%1$s hours %2$s GMT)', $hr_offset), $hr_offset, $direction_str); +} $multiwan = false; $interfaces = get_configured_interface_list(); @@ -314,8 +346,9 @@ if ($_POST) { write_config($changedesc); } + $changes_applied = true; $retval = 0; - $retval = system_hostname_configure(); + $retval |= system_hostname_configure(); $retval |= system_hosts_generate(); $retval |= system_resolvconf_generate(); if (isset($config['dnsmasq']['enable'])) { 
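Review bot: `default: continue;` inside the `switch` of the new timezone loop (`@@ -93,6 +93,38 @@` of system.php) does not skip to the next `foreach` iteration, because PHP treats `continue` inside a `switch` like `break`. An entry whose character after `Etc/GMT` is neither `+` nor `-` therefore falls through to the `sprintf()` with `$direction_str` left over from an earlier iteration, or unset. `continue 2;` gives the behaviour the comment block describes. `ngettext()` expects an integer count, so `(int)$hr_offset` is the safer third argument.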
@@ -332,8 +365,6 @@ if ($_POST) { // Reload the filter - plugins might need to be run. $retval |= filter_configure(); - - $savemsg = get_std_save_message($retval); } unset($ignore_posted_dnsgw); @@ -346,8 +377,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval); } ?> <div id="container"> @@ -391,7 +422,8 @@ for ($i=1; $i<5; $i++) { ))->setHelp(($i == 4) ? 'Address':null); $help = "Enter IP addresses to be used by the system for DNS resolution. " . - "These are also used for the DHCP service, DNS forwarder and for PPTP VPN clients."; + "These are also used for the DHCP service, DNS Forwarder and DNS Resolver " . + "when it has DNS Query Forwarding enabled."; if ($multiwan) { $options = array('none' => 'none'); 
@@ -433,18 +465,18 @@ $section->addInput(new Form_Checkbox( $pconfig['dnsallowoverride'] ))->setHelp(sprintf(gettext('If this option is set, %s will use DNS servers '. 'assigned by a DHCP/PPP server on WAN for its own purposes (including '. - 'the DNS forwarder). However, they will not be assigned to DHCP and PPTP '. - 'VPN clients.'), $g['product_name'])); + 'the DNS Forwarder/DNS Resolver). However, they will not be assigned to DHCP '. + 'clients.'), $g['product_name'])); $section->addInput(new Form_Checkbox( 'dnslocalhost', 'Disable DNS Forwarder', - 'Do not use the DNS Forwarder as a DNS server for the firewall', + 'Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall', $pconfig['dnslocalhost'] ))->setHelp('By default localhost (127.0.0.1) will be used as the first DNS '. 'server where the DNS Forwarder or DNS Resolver is enabled and set to '. - 'listen on Localhost, so system can use the local DNS service to perform '. - 'lookups. Checking this box omits localhost from the list of DNS servers.'); + 'listen on localhost, so system can use the local DNS service to perform '. + 'lookups. Checking this box omits localhost from the list of DNS servers in resolv.conf.'); $form->add($section); @@ -454,8 +486,9 @@ $section->addInput(new Form_Select( 'timezone', 'Timezone', $pconfig['timezone'], - array_combine($timezonelist, $timezonelist) -))->setHelp('Select the timezone or location within the timezone to be used by this system.'); + array_combine($timezonelist, $timezonedesc) +))->setHelp('Select a geographic region name (Continent/Location) to determine the timezone for the firewall. ' . + '<br/>Choose a special or "Etc" zone only in cases where the geographic zones do not properly handle the clock offset required for this firewall.'); $section->addInput(new Form_Input( 'timeservers', diff --git a/src/usr/local/www/system_advanced_admin.php b/src/usr/local/www/system_advanced_admin.php index b7207c4..d0da2a3 100644 
--- a/src/usr/local/www/system_advanced_admin.php +++ b/src/usr/local/www/system_advanced_admin.php @@ -263,11 +263,12 @@ if ($_POST) { write_config(); - $retval = filter_configure(); - $savemsg = get_std_save_message($retval); + $changes_applied = true; + $retval = 0; + $retval |= filter_configure(); if ($restart_webgui) { - $savemsg .= sprintf("<br />" . gettext("One moment...redirecting to %s in 20 seconds."), $url); + $extra_save_msg = sprintf("<br />" . gettext("One moment...redirecting to %s in 20 seconds."), $url); } setup_serial_port(); @@ -287,8 +288,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval, $extra_save_msg); } $tab_array = array(); diff --git a/src/usr/local/www/system_advanced_firewall.php b/src/usr/local/www/system_advanced_firewall.php index 1d0e811..e74d8f5 100644 --- a/src/usr/local/www/system_advanced_firewall.php +++ b/src/usr/local/www/system_advanced_firewall.php @@ -356,15 +356,9 @@ if ($_POST) { killbypid("{$g['varrun_path']}/filterdns.pid"); } + $changes_applied = true; $retval = 0; - $retval = filter_configure(); - if (stristr($retval, "error") <> true) { - $savemsg = get_std_save_message($retval); - $class = 'success'; - } else { - $savemsg = $retval; - $class = 'warning'; - } + $retval |= filter_configure(); } } @@ -374,8 +368,9 @@ include("head.inc"); if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, $class); + +if ($changes_applied) { + print_apply_result_box($retval); } $tab_array = array(); diff --git a/src/usr/local/www/system_advanced_misc.php b/src/usr/local/www/system_advanced_misc.php index 817b745..3d1268b 100644 --- a/src/usr/local/www/system_advanced_misc.php +++ b/src/usr/local/www/system_advanced_misc.php 
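Review bot: `$extra_save_msg` in `@@ -263,11 +263,12 @@` still begins with `"<br />"`, a leftover from when the text was appended to `$savemsg`, and it interpolates `$url` unencoded. `$url` is built outside the hunk; if any part of it is taken from the request, I would pass `htmlspecialchars($url)` to `sprintf()`. The variable is also only set when `$restart_webgui` is true, yet `@@ -287,8 +288,8 @@` always passes it to `print_apply_result_box()`, so `$extra_save_msg = '';` before the `if` avoids reading an undefined variable.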
@@ -251,6 +251,13 @@ if ($_POST) { unset($config['system']['dhcpbackup']); } } + if (isset($_POST['logsbackup'])) { + if (($_POST['logsbackup'] > 0) && ($_POST['logsbackup'] <= 24)) { + $config['system']['logsbackup'] = intval($_POST['logsbackup']); + } else { + unset($config['system']['logsbackup']); + } + } // Add/Remove RAM disk periodic backup cron jobs according to settings and installation type. // Remove the cron jobs on full install if not using RAM disk. @@ -258,21 +265,19 @@ if ($_POST) { if (!isset($config['system']['use_mfs_tmpvar'])) { install_cron_job("/etc/rc.backup_rrd.sh", false); install_cron_job("/etc/rc.backup_dhcpleases.sh", false); + install_cron_job("/etc/rc.backup_logs.sh", false); } else { install_cron_job("/etc/rc.backup_rrd.sh", ($config['system']['rrdbackup'] > 0), $minute="0", "*/{$config['system']['rrdbackup']}"); install_cron_job("/etc/rc.backup_dhcpleases.sh", ($config['system']['dhcpbackup'] > 0), $minute="0", "*/{$config['system']['dhcpbackup']}"); + install_cron_job("/etc/rc.backup_logs.sh", ($config['system']['logsbackup'] > 0), $minute="0", "*/{$config['system']['logsbackup']}"); } write_config(); + $changes_applied = true; $retval = 0; system_resolvconf_generate(true); - $retval = filter_configure(); - if (stristr($retval, "error") <> true) { - $savemsg = get_std_save_message(gettext($retval)); - } else { - $savemsg = gettext($retval); - } + $retval |= filter_configure(); activate_powerd(); load_crypto(); @@ -291,8 +296,8 @@ if ($input_errors) { unset($pconfig['doreboot']); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval); } $tab_array = array(); 
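Review bot: The range check in `@@ -251,6 +251,13 @@` compares the raw `$_POST['logsbackup']` string and only afterwards stores `intval()` of it, so the value tested and the value saved can differ (a fractional input below 1 passes the check and is stored as 0), and an out-of-range value is dropped without an entry in `$input_errors`. Casting once and testing the result keeps the two in step: `$logsbackup = intval($_POST['logsbackup']);` followed by `if (($logsbackup > 0) && ($logsbackup <= 24))`. This matters because the `@@ -258,21 +265,19 @@` hunk interpolates the stored value into the cron schedule string `"*/{$config['system']['logsbackup']}"`.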
@@ -541,6 +546,16 @@ $section->addInput(new Form_Input( 'it can be restored automatically on the next boot. Keep in mind that the more '. 'frequent the backup, the more writes will happen to the media.'); +$section->addInput(new Form_Input( + 'logsbackup', + 'Periodic Logs Backup', + 'number', + $config['system']['logsbackup'], + ['min' => 0, 'max' => 24, 'placeholder' => 'Period between 1 and 24 hours'] +))->setHelp('This will periodically backup the log directory so '. + 'it can be restored automatically on the next boot. Keep in mind that the more '. + 'frequent the backup, the more writes will happen to the media.'); + $form->add($section); $section = new Form_Section('Hardware Settings'); @@ -590,7 +605,7 @@ events.push(function() { } }); - drb = "<?=$pconfig['doreboot']?>"; + drb = "<?=$pconfig['doreboot']?>"; if (drb == "yes") { $('form').append("<input type=\"hidden\" name=\"override\" value=\"yes\" />"); diff --git a/src/usr/local/www/system_advanced_network.php b/src/usr/local/www/system_advanced_network.php index 06a4e2d..f90240f 100644 --- a/src/usr/local/www/system_advanced_network.php +++ b/src/usr/local/www/system_advanced_network.php @@ -40,6 +40,7 @@ require_once("shaper.inc"); $pconfig['ipv6nat_enable'] = isset($config['diag']['ipv6nat']['enable']); $pconfig['ipv6nat_ipaddr'] = $config['diag']['ipv6nat']['ipaddr']; $pconfig['ipv6allow'] = isset($config['system']['ipv6allow']); +$pconfig['global-v6duid'] = $config['system']['global-v6duid']; $pconfig['prefer_ipv4'] = isset($config['system']['prefer_ipv4']); $pconfig['sharednet'] = $config['system']['sharednet']; $pconfig['disablechecksumoffloading'] = isset($config['system']['disablechecksumoffloading']); 
@@ -55,6 +56,14 @@ if ($_POST) { $input_errors[] = gettext("An IP address to NAT IPv6 packets must be specified."); } + if (!empty($_POST['global-v6duid'])) { + $_POST['global-v6duid'] = format_duid($_POST['global-v6duid']); + $pconfig['global-v6duid'] = $_POST['global-v6duid']; + if (!is_duid($_POST['global-v6duid'])) { + $input_errors[] = gettext("A valid DUID must be specified"); + } + } + ob_flush(); flush(); if (!$input_errors) { @@ -83,6 +92,12 @@ if ($_POST) { unset($config['system']['prefer_ipv4']); } + if (!empty($_POST['global-v6duid'])) { + $config['system']['global-v6duid'] = $_POST['global-v6duid']; + } else { + unset($config['system']['global-v6duid']); + } + if ($_POST['sharednet'] == "yes") { $config['system']['sharednet'] = true; system_disable_arp_wrong_if(); @@ -117,14 +132,9 @@ if ($_POST) { // Set preferred protocol prefer_ipv4_or_ipv6(); - $retval = filter_configure(); - if (stristr($retval, "error") <> true) { - $savemsg = get_std_save_message(gettext($retval)); - $class = 'success'; - } else { - $savemsg = gettext($retval); - $class = 'warning'; - } + $changes_applied = true; + $retval = 0; + $retval |= filter_configure(); } } @@ -134,8 +144,9 @@ include("head.inc"); if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, $class); + +if ($changes_applied) { + print_apply_result_box($retval); } $tab_array = array(); @@ -145,6 +156,7 @@ $tab_array[] = array(gettext("Networking"), true, "system_advanced_network.php") $tab_array[] = array(gettext("Miscellaneous"), false, "system_advanced_misc.php"); $tab_array[] = array(gettext("System Tunables"), false, "system_advanced_sysctl.php"); $tab_array[] = array(gettext("Notifications"), false, "system_advanced_notifications.php"); +$duid = get_duid_from_file(); display_top_tabs($tab_array); $form = new Form; 
@@ -158,23 +170,27 @@ $section->addInput(new Form_Checkbox( ))->setHelp('NOTE: This does not disable any IPv6 features on the firewall, it only '. 'blocks traffic.'); -$group = new Form_Group('IPv6 over IPv4 Tunneling'); + +$group = new Form_Group('IPv6 over IPv4'); + $group->add(new Form_Checkbox( 'ipv6nat_enable', 'IPv6 over IPv4 Tunneling', - 'Enable IPv4 NAT encapsulation of IPv6 packets', + 'Enable IPv6 over IPv4 tunneling', $pconfig['ipv6nat_enable'] )); $group->add(new Form_Input( 'ipv6nat_ipaddr', - 'IP address', + 'IPv4 address of Tunnel Peer', 'text', $pconfig['ipv6nat_ipaddr'] -))->setHelp('Enable IPv4 NAT encapsulation of IPv6 packets. <br/>This provides an '. - 'RFC 2893 compatibility mechanism that can be used to tunneling IPv6 packets over '. - 'IPv4 routing infrastructures. If enabled, don\'t forget to add a firewall rule to '. - 'permit IPv6 packets.'); +)); + +$group->setHelp('These options create an RFC 2893 compatible mechanism for IPv4 NAT encapsulation of IPv6 packets, ' . + 'that can be used to tunnel IPv6 packets over IPv4 routing infrastructures. ' . + 'IPv6 firewall rules are <a href="firewall_rules.php">also required</a>, to control and pass encapsulated traffic.'); + $section->add($group); 
@@ -186,6 +202,20 @@ $section->addInput(new Form_Checkbox( ))->setHelp('By default, if IPv6 is configured and a hostname resolves IPv6 and IPv4 addresses, '. 'IPv6 will be used. If this option is selected, IPv4 will be preferred over IPv6.'); +$section->addInput(new Form_Input( + 'global-v6duid', + 'DHCP6 DUID', + 'text', + $pconfig['global-v6duid'], + ['placeholder' => $duid] + ))->setWidth(9)->sethelp('This is the DHCPv6 Unique Identifier (DUID) used by the firewall when requesting an IPv6 address. ' . + '<br />' . + 'By default, the firewall automatically creates a dynamic DUID which is not saved in the firewall configuration. '. + 'To ensure the same DUID is retained by the firewall at all times, enter a DUID in this field. ' . + 'The new DUID will take effect after a reboot or when the WAN interface(s) are reconfigured by the firewall.' . + '<br />' . + 'If the firewall is configured to use a RAM disk for /var, the best practice is to store a DUID here otherwise the DUID will change on each reboot. '); + $form->add($section); $section = new Form_Section('Network Interfaces'); diff --git a/src/usr/local/www/system_advanced_sysctl.php b/src/usr/local/www/system_advanced_sysctl.php index 3ab51fd..a8556b9 100644 --- a/src/usr/local/www/system_advanced_sysctl.php +++ b/src/usr/local/www/system_advanced_sysctl.php @@ -87,7 +87,6 @@ if ($_POST) { if ($_POST['apply']) { $retval = 0; system_setup_sysctl(); - $savemsg = get_std_save_message($retval); clear_subsystem_dirty('sysctl'); } @@ -129,8 +128,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('sysctl') && ($act != "edit" )) { diff --git a/src/usr/local/www/system_crlmanager.php b/src/usr/local/www/system_crlmanager.php index 58ea4cd..f5d3b3d 100644 --- a/src/usr/local/www/system_crlmanager.php +++ b/src/usr/local/www/system_crlmanager.php 
@@ -82,12 +82,14 @@ if (!$thiscrl && (($act != "") && ($act != "new"))) { pfSenseHeader("system_crlmanager.php"); $act=""; $savemsg = gettext("Invalid CRL reference."); + $class = "danger"; } if ($act == "del") { $name = htmlspecialchars($thiscrl['descr']); if (crl_in_use($id)) { $savemsg = sprintf(gettext("Certificate Revocation List %s is in use and cannot be deleted."), $name); + $class = "danger"; } else { foreach ($a_crl as $cid => $acrl) { if ($acrl['refid'] == $thiscrl['refid']) { @@ -96,6 +98,7 @@ if ($act == "del") { } write_config("Deleted CRL {$name}."); $savemsg = sprintf(gettext("Certificate Revocation List %s successfully deleted."), $name); + $class = "success"; } } @@ -177,12 +180,14 @@ if ($act == "delcert") { $crlname = htmlspecialchars($thiscrl['descr']); if (cert_unrevoke($thiscert, $thiscrl)) { $savemsg = sprintf(gettext("Deleted Certificate %s from CRL %s."), $certname, $crlname); + $class = "success"; // refresh IPsec and OpenVPN CRLs openvpn_refresh_crls(); vpn_ipsec_configure(); write_config($savemsg); } else { $savemsg = sprintf(gettext("Failed to delete Certificate %s from CRL %s."), $certname, $crlname); + $class = "danger"; } $act="edit"; } @@ -327,7 +332,7 @@ if ($input_errors) { } if ($savemsg) { - print_info_box($savemsg, 'success'); + print_info_box($savemsg, $class); } $tab_array = array(); diff --git a/src/usr/local/www/system_gateway_groups.php b/src/usr/local/www/system_gateway_groups.php index c8f956d..436faec 100644 --- a/src/usr/local/www/system_gateway_groups.php +++ b/src/usr/local/www/system_gateway_groups.php @@ -49,13 +49,12 @@ if ($_POST) { $retval = 0; - $retval = system_routing_configure(); + $retval |= system_routing_configure(); send_multiple_events(array("service reload dyndnsall", "service reload ipsecdns", "filter reload")); /* reconfigure our gateway monitor */ setup_gateways_monitor(); - $savemsg = get_std_save_message($retval); if ($retval == 0) { clear_subsystem_dirty('staticroutes'); } 
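Review bot: `print_info_box($savemsg, $class)` in `@@ -327,7 +332,7 @@` of system_crlmanager.php relies on every `$savemsg` assignment also setting `$class`. The hunks shown pair them up, but any assignment in the parts of the file outside these hunks would now reach the call with `$class` unset where it previously got `'success'`. A default before the first `if ($act ...)` block, `$class = "success";`, keeps the old behaviour for those paths.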
@@ -106,8 +105,8 @@ $shortcut_section = "gateway-groups"; include("head.inc"); -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('staticroutes')) { diff --git a/src/usr/local/www/system_gateways.php b/src/usr/local/www/system_gateways.php index 9eb95de..2927f0f 100644 --- a/src/usr/local/www/system_gateways.php +++ b/src/usr/local/www/system_gateways.php @@ -53,7 +53,7 @@ if ($_POST) { $retval = 0; - $retval = system_routing_configure(); + $retval |= system_routing_configure(); $retval |= system_resolvconf_generate(); $retval |= filter_configure(); /* reconfigure our gateway monitor */ @@ -61,7 +61,6 @@ if ($_POST) { /* Dynamic DNS on gw groups may have changed */ send_event("service reload dyndnsall"); - $savemsg = get_std_save_message($retval); if ($retval == 0) { clear_subsystem_dirty('staticroutes'); } @@ -230,8 +229,9 @@ include("head.inc"); if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); + +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('staticroutes')) { diff --git a/src/usr/local/www/system_groupmanager_addprivs.php b/src/usr/local/www/system_groupmanager_addprivs.php index 69ffadc..c165078 100644 --- a/src/usr/local/www/system_groupmanager_addprivs.php +++ b/src/usr/local/www/system_groupmanager_addprivs.php @@ -89,19 +89,13 @@ if ($_POST) { } } - $retval = write_config(); - $savemsg = get_std_save_message($retval); + write_config(); pfSenseHeader("system_groupmanager.php?act=edit&groupid={$groupid}"); exit; } } -/* if ajax is calling, give them an update message */ -if (isAjax()) { - print_info_box($savemsg, 'success'); -} - function build_priv_list() { global $spriv_list, $a_group; 
@@ -138,10 +132,6 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); -} - $tab_array = array(); $tab_array[] = array(gettext("Users"), false, "system_usermanager.php"); $tab_array[] = array(gettext("Groups"), true, "system_groupmanager.php"); diff --git a/src/usr/local/www/system_routes.php b/src/usr/local/www/system_routes.php index cac6cce..48925c1 100644 --- a/src/usr/local/www/system_routes.php +++ b/src/usr/local/www/system_routes.php @@ -61,12 +61,11 @@ if ($_POST) { @unlink("{$g['tmp_path']}/.system_routes.apply"); } - $retval = system_routing_configure(); + $retval |= system_routing_configure(); $retval |= filter_configure(); /* reconfigure our gateway monitor */ setup_gateways_monitor(); - $savemsg = get_std_save_message($retval); if ($retval == 0) { clear_subsystem_dirty('staticroutes'); } @@ -218,8 +217,8 @@ include("head.inc"); if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('staticroutes')) { print_apply_box(gettext("The static route configuration has been changed.") . "<br />" . gettext("The changes must be applied for them to take effect.")); diff --git a/src/usr/local/www/system_usermanager_addprivs.php b/src/usr/local/www/system_usermanager_addprivs.php index d649cff..8babcd5 100644 --- a/src/usr/local/www/system_usermanager_addprivs.php +++ b/src/usr/local/www/system_usermanager_addprivs.php @@ -85,8 +85,7 @@ if ($_POST) { $a_user['priv'] = sort_user_privs($a_user['priv']); local_user_set($a_user); - $retval = write_config(); - $savemsg = get_std_save_message($retval); + write_config(); post_redirect("system_usermanager.php", array('act' => 'edit', 'userid' => $userid)); 
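Review bot: `$retval |= system_routing_configure();` in `@@ -61,12 +61,11 @@` of system_routes.php is the first write to `$retval` that the hunk shows, whereas the other pages in this commit place `$retval = 0;` directly before the first `|=`. If that initialisation is not in the lines above the hunk, the OR reads an undefined variable. Adding `$retval = 0;` before this line would make it match system_gateways.php.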
@@ -125,21 +124,12 @@ function get_root_priv_item_text() { return($priv_text); } -/* if ajax is calling, give them an update message */ -if (isAjax()) { - print_info_box($savemsg, 'success'); -} - include("head.inc"); if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); -} - $tab_array = array(); $tab_array[] = array(gettext("Users"), true, "system_usermanager.php"); $tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php"); diff --git a/src/usr/local/www/system_usermanager_settings.php b/src/usr/local/www/system_usermanager_settings.php index a6df556..501070d 100644 --- a/src/usr/local/www/system_usermanager_settings.php +++ b/src/usr/local/www/system_usermanager_settings.php @@ -93,15 +93,17 @@ if ($_REQUEST['ajax']) { } } -$pconfig['session_timeout'] = &$config['system']['webgui']['session_timeout']; +$pconfig['session_timeout'] = $config['system']['webgui']['session_timeout']; if (isset($config['system']['webgui']['authmode'])) { - $pconfig['authmode'] = &$config['system']['webgui']['authmode']; + $pconfig['authmode'] = $config['system']['webgui']['authmode']; } else { $pconfig['authmode'] = "Local Database"; } -$pconfig['backend'] = &$config['system']['webgui']['backend']; +$pconfig['backend'] = $config['system']['webgui']['backend']; + +$pconfig['auth_refresh_time'] = $config['system']['webgui']['auth_refresh_time']; // Page title for main admin $pgtitle = array(gettext("System"), gettext("User Manager"), gettext("Settings")); 
@@ -119,6 +121,13 @@ if ($_POST) { } } + if (isset($_POST['auth_refresh_time'])) { + $timeout = intval($_POST['auth_refresh_time']); + if (!is_numeric($timeout) || $timeout < 0 || $timeout > 3600 ) { + $input_errors[] = gettext("Authentication refresh time must be an integer between 0 and 3600 (inclusive)."); + } + } + if (($_POST['authmode'] == "Local Database") && $_POST['savetest']) { $savemsg = gettext("Settings have been saved, but the test was not performed because it is not supported for local databases."); } @@ -146,6 +155,12 @@ if ($_POST) { } else { unset($config['system']['webgui']['authmode']); } + + if (isset($_POST['auth_refresh_time']) && $_POST['auth_refresh_time'] != "") { + $config['system']['webgui']['auth_refresh_time'] = intval($_POST['auth_refresh_time']); + } else { + unset($config['system']['webgui']['auth_refresh_time']); + } write_config(); @@ -200,6 +215,15 @@ $section->addInput(new Form_Select( $auth_servers )); +$section->addInput(new Form_Input( + 'auth_refresh_time', + 'Auth Refresh Time', + 'number', + $pconfig['auth_refresh_time'], + ['min' => 0, 'max' => 3600] +))->setHelp('Time in seconds to cache authentication results. The default is 30 seconds, maximum 3600 (one hour). '. + 'Shorter times result in more frequent queries to authentication servers.'); + $form->addGlobal(new Form_Button( 'savetest', 'Save & Test', diff --git a/src/usr/local/www/vpn_ipsec.php b/src/usr/local/www/vpn_ipsec.php index 64b628d..4a69ad4 100644 --- a/src/usr/local/www/vpn_ipsec.php +++ b/src/usr/local/www/vpn_ipsec.php 
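Review bot: `is_numeric($timeout)` in `@@ -119,6 +121,13 @@` is applied after `intval()`, so it is always true and non-numeric input is accepted as 0 instead of producing the input error. The check should look at the posted string, e.g. `if (!is_numeric($_POST['auth_refresh_time']) || $timeout < 0 || $timeout > 3600)`, and the outer condition should skip the empty string, which the save path in `@@ -146,6 +155,12 @@` treats as "unset". The help text gives 30 seconds as the default but does not say what 0 means; since this setting controls how long an authentication result is reused, that deserves one sentence.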
@@ -50,11 +50,11 @@ $a_phase2 = &$config['ipsec']['phase2']; if ($_POST) { if ($_POST['apply']) { - $retval = vpn_ipsec_configure(); + $ipsec_dynamic_hosts = vpn_ipsec_configure(); /* reload the filter in the background */ - filter_configure(); - $savemsg = get_std_save_message($retval); - if ($retval >= 0) { + $retval = 0; + $retval |= filter_configure(); + if ($ipsec_dynamic_hosts >= 0) { if (is_subsystem_dirty('ipsec')) { clear_subsystem_dirty('ipsec'); } @@ -228,13 +228,13 @@ $tab_array[] = array(gettext("Pre-Shared Keys"), false, "vpn_ipsec_keys.php"); $tab_array[] = array(gettext("Advanced Settings"), false, "vpn_ipsec_settings.php"); display_top_tabs($tab_array); - if ($savemsg) { - print_info_box($savemsg, 'success'); - } +if ($_POST['apply']) { + print_apply_result_box($retval); +} - if (is_subsystem_dirty('ipsec')) { - print_apply_box(gettext("The IPsec tunnel configuration has been changed.") . "<br />" . gettext("The changes must be applied for them to take effect.")); - } +if (is_subsystem_dirty('ipsec')) { + print_apply_box(gettext("The IPsec tunnel configuration has been changed.") . "<br />" . gettext("The changes must be applied for them to take effect.")); +} ?> <form name="mainform" method="post"> diff --git a/src/usr/local/www/vpn_ipsec_keys.php b/src/usr/local/www/vpn_ipsec_keys.php index 46b2e7a..25acd38 100644 --- a/src/usr/local/www/vpn_ipsec_keys.php +++ b/src/usr/local/www/vpn_ipsec_keys.php @@ -50,10 +50,10 @@ foreach ($config['system']['user'] as $id => $user) { } if (isset($_POST['apply'])) { - $retval = vpn_ipsec_configure(); + vpn_ipsec_configure(); /* reload the filter in the background */ - filter_configure(); - $savemsg = get_std_save_message($retval); + $retval = 0; + $retval |= filter_configure(); if (is_subsystem_dirty('ipsec')) { clear_subsystem_dirty('ipsec'); } 
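Review bot: The result box in vpn_ipsec.php now reflects only `filter_configure()`: in `@@ -50,11 +50,11 @@` a negative `$ipsec_dynamic_hosts` leaves the subsystem dirty, but `$retval` stays 0 and `print_apply_result_box($retval)` still reports success. vpn_ipsec_keys.php drops the return value of `vpn_ipsec_configure()` altogether and clears the dirty flag regardless, and in vpn_ipsec_mobile.php `$retval` is never changed after `$retval = 0;`. Assuming any non-zero value is rendered as a failure, I would fold the IPsec result in, e.g. `if ($ipsec_dynamic_hosts < 0) { $retval |= 1; }`.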
@@ -74,8 +74,8 @@ $shortcut_section = "ipsec"; include("head.inc"); -if ($savemsg) { - print_info_box($savemsg); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('ipsec')) { diff --git a/src/usr/local/www/vpn_ipsec_mobile.php b/src/usr/local/www/vpn_ipsec_mobile.php index 05df61d..f9c0dde 100644 --- a/src/usr/local/www/vpn_ipsec_mobile.php +++ b/src/usr/local/www/vpn_ipsec_mobile.php @@ -129,9 +129,8 @@ if ($_POST['create']) { if ($_POST['apply']) { $retval = 0; /* NOTE: #4353 Always restart ipsec when mobile clients settings change */ - $retval = vpn_ipsec_configure(true); - $savemsg = get_std_save_message($retval); - if ($retval >= 0) { + $ipsec_dynamic_hosts = vpn_ipsec_configure(true); + if ($ipsec_dynamic_hosts >= 0) { if (is_subsystem_dirty('ipsec')) { clear_subsystem_dirty('ipsec'); } @@ -400,8 +399,8 @@ include("head.inc"); </script> <?php -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('ipsec')) { print_apply_box(gettext("The IPsec tunnel configuration has been changed.") . "<br />" . gettext("The changes must be applied for them to take effect.")); diff --git a/src/usr/local/www/vpn_ipsec_settings.php b/src/usr/local/www/vpn_ipsec_settings.php index 4360837..9e21937 100644 --- a/src/usr/local/www/vpn_ipsec_settings.php +++ b/src/usr/local/www/vpn_ipsec_settings.php 
@@ -33,16 +33,7 @@ require_once("shaper.inc"); require_once("ipsec.inc"); require_once("vpn.inc"); -$def_loglevel = '1'; - -foreach (array_keys($ipsec_log_cats) as $cat) { - if (isset($config['ipsec']['logging'][$cat])) { - $pconfig[$cat] = $config['ipsec']['logging'][$cat]; - } else { - $pconfig[$cat] = $def_loglevel; - } -} - +$pconfig['logging'] = ipsec_get_loglevels(); $pconfig['unityplugin'] = isset($config['ipsec']['unityplugin']); $pconfig['strictcrlpolicy'] = isset($config['ipsec']['strictcrlpolicy']); $pconfig['makebeforebreak'] = isset($config['ipsec']['makebeforebreak']); @@ -59,8 +50,10 @@ if ($_POST) { $pconfig = $_POST; foreach ($ipsec_log_cats as $cat => $desc) { - if (!in_array(intval($pconfig[$cat]), array_keys($ipsec_log_sevs), true)) { + if (!in_array(intval($pconfig['logging_' . $cat]), array_keys($ipsec_log_sevs), true)) { $input_errors[] = sprintf(gettext("A valid value must be specified for %s debug."), $desc); + } else { + $pconfig['logging'][$cat] = $pconfig['logging_' . $cat]; } } @@ -79,12 +72,12 @@ if ($_POST) { * get set when we save, even if it's to the default level. */ foreach (array_keys($ipsec_log_cats) as $cat) { - if (!isset($pconfig[$cat])) { + if (!isset($pconfig['logging'][$cat])) { continue; } - if ($pconfig[$cat] != $config['ipsec']['logging'][$cat]) { - $config['ipsec']['logging'][$cat] = $pconfig[$cat]; - vpn_update_daemon_loglevel($cat, $pconfig[$cat]); + if ($pconfig['logging'][$cat] != $config['ipsec']['logging'][$cat]) { + $config['ipsec']['logging'][$cat] = $pconfig['logging'][$cat]; + vpn_update_daemon_loglevel($cat, $pconfig['logging'][$cat]); } } 
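Review bot: In the validation loop of the second hunk, the test is made on `intval($pconfig['logging_' . $cat])` but the new `else` branch keeps the raw POST string, so the value that was checked is not the value that is stored. Any string whose integer prefix is a valid severity passes, and the third hunk then writes it to `$config['ipsec']['logging'][$cat]` and hands it to `vpn_update_daemon_loglevel()`; how that helper uses the level is not visible here. Storing the checked value closes the gap: `$pconfig['logging'][$cat] = intval($pconfig['logging_' . $cat]);`. Since `$pconfig = $_POST` precedes the loop, resetting `$pconfig['logging'] = array();` before it would also avoid relying on a `logging` key supplied by the request.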
@@ -172,20 +165,11 @@ if ($_POST) { write_config(); + $changes_applied = true; $retval = 0; - $retval = filter_configure(); - if (stristr($retval, "error") <> true) { - $savemsg = get_std_save_message(gettext($retval)); - $class = 'success'; - } else { - $savemsg = gettext($retval); - $class = 'warning'; - } + $retval |= filter_configure(); vpn_ipsec_configure($needsrestart); - - header("Location: vpn_ipsec_settings.php"); - return; } // The logic value sent by $POST for autoexcludelanaddress is opposite to @@ -220,8 +204,8 @@ function maxmss_checked(obj) { </script> <?php -if ($savemsg) { - print_info_box($savemsg, $class); +if ($changes_applied) { + print_apply_result_box($retval); } if ($input_errors) { @@ -241,9 +225,9 @@ $section = new Form_Section('IPsec Logging Controls'); foreach ($ipsec_log_cats as $cat => $desc) { $section->addInput(new Form_Select( - $cat, + 'logging_' . $cat, $desc, - $pconfig[$cat], + $pconfig['logging'][$cat], $ipsec_log_sevs ))->setWidth(2); } diff --git a/src/usr/local/www/vpn_l2tp.php b/src/usr/local/www/vpn_l2tp.php index 1adf21b..29cddc1 100644 --- a/src/usr/local/www/vpn_l2tp.php +++ b/src/usr/local/www/vpn_l2tp.php @@ -159,14 +159,9 @@ if ($_POST) { write_config(); + $changes_applied = true; $retval = 0; - $retval = vpn_l2tp_configure(); - $savemsg = get_std_save_message($retval); - - /* if ajax is calling, give them an update message */ - if (isAjax()) { - print_info_box($savemsg, 'success'); - } + $retval |= vpn_l2tp_configure(); } } @@ -178,8 +173,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval); } $tab_array = array(); diff --git a/src/usr/local/www/vpn_l2tp_users.php b/src/usr/local/www/vpn_l2tp_users.php index 3bfaec1..4c31eb8 100644 --- a/src/usr/local/www/vpn_l2tp_users.php +++ b/src/usr/local/www/vpn_l2tp_users.php 
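Review bot: `$changes_applied` is assigned only inside the successful-save branch of the first hunk, yet the second hunk tests `if ($changes_applied)` on every request, so a GET or a rejected POST reads an undefined variable. Initialise it with the other page state, e.g. `$changes_applied = false;` before `if ($_POST)`; the two vpn_l2tp.php hunks on this line introduce the same pattern. Separately, with `header("Location: vpn_ipsec_settings.php")` removed, a browser reload after saving re-submits the POST and re-runs `write_config()`, `filter_configure()` and `vpn_ipsec_configure()`; a comment stating that this is intended would help the next reader.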
@@ -44,9 +44,8 @@ if ($_POST) { if ($_POST['apply']) { $retval = 0; if (!is_subsystem_dirty('rebootreq')) { - $retval = vpn_l2tp_configure(); + $retval |= vpn_l2tp_configure(); } - $savemsg = get_std_save_message($retval); if ($retval == 0) { if (is_subsystem_dirty('l2tpusers')) { clear_subsystem_dirty('l2tpusers'); @@ -67,8 +66,8 @@ if ($_GET['act'] == "del") { include("head.inc"); -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (isset($config['l2tp']['radius']['enable'])) { diff --git a/src/usr/local/www/vpn_openvpn_client.php b/src/usr/local/www/vpn_openvpn_client.php index 399d099..e3bc9f1 100644 --- a/src/usr/local/www/vpn_openvpn_client.php +++ b/src/usr/local/www/vpn_openvpn_client.php @@ -31,7 +31,7 @@ require_once("guiconfig.inc"); require_once("openvpn.inc"); require_once("pkg-utils.inc"); -global $openvpn_topologies; +global $openvpn_topologies, $openvpn_tls_modes; if (!is_array($config['openvpn']['openvpn-client'])) { $config['openvpn']['openvpn-client'] = array(); @@ -90,6 +90,8 @@ if ($_GET['act'] == "del") { } if ($_GET['act'] == "new") { + $pconfig['ncp_enable'] = "enabled"; + $pconfig['ncp-ciphers'] = "AES-256-GCM,AES-128-GCM"; $pconfig['autokey_enable'] = "yes"; $pconfig['tlsauth_enable'] = "yes"; $pconfig['autotls_enable'] = "yes"; @@ -129,6 +131,16 @@ if ($_GET['act'] == "edit") { $pconfig['description'] = $a_client[$id]['description']; $pconfig['custom_options'] = $a_client[$id]['custom_options']; $pconfig['ns_cert_type'] = $a_client[$id]['ns_cert_type']; + if (isset($a_client[$id]['ncp-ciphers'])) { + $pconfig['ncp-ciphers'] = $a_client[$id]['ncp-ciphers']; + } else { + $pconfig['ncp-ciphers'] = "AES-256-GCM,AES-128-GCM"; + } + if (isset($a_client[$id]['ncp_enable'])) { + $pconfig['ncp_enable'] = $a_client[$id]['ncp_enable']; + } else { + $pconfig['ncp_enable'] = "enabled"; + } $pconfig['dev_mode'] = $a_client[$id]['dev_mode']; if ($pconfig['mode'] != "p2p_shared_key") { 
@@ -137,6 +149,7 @@ if ($_GET['act'] == "edit") { if ($a_client[$id]['tls']) { $pconfig['tlsauth_enable'] = "yes"; $pconfig['tls'] = base64_decode($a_client[$id]['tls']); + $pconfig['tls_type'] = $a_client[$id]['tls_type']; } } else { $pconfig['shared_key'] = base64_decode($a_client[$id]['shared_key']); @@ -180,6 +193,11 @@ if ($_POST) { $vpnid = 0; } + $cipher_validation_list = array_keys(openvpn_get_cipherlist()); + if (!in_array($pconfig['crypto'], $cipher_validation_list)) { + $input_errors[] = gettext("The selected Encryption Algorithm is not valid."); + } + list($iv_iface, $iv_ip) = explode ("|", $pconfig['interface']); if (is_ipaddrv4($iv_ip) && (stristr($pconfig['protocol'], "6") !== false)) { $input_errors[] = gettext("Protocol and IP address families do not match. An IPv6 protocol and an IPv4 IP address cannot be selected."); 
@@ -289,12 +307,26 @@ if ($_POST) { if ($tls_mode && $pconfig['tlsauth_enable'] && !$pconfig['autotls_enable']) { if (!strstr($pconfig['tls'], "-----BEGIN OpenVPN Static key V1-----") || !strstr($pconfig['tls'], "-----END OpenVPN Static key V1-----")) { - $input_errors[] = gettext("The field 'TLS Authentication Key' does not appear to be valid"); + $input_errors[] = gettext("The field 'TLS Key' does not appear to be valid"); + } + if (!in_array($pconfig['tls_type'], array_keys($openvpn_tls_modes))) { + $input_errors[] = gettext("The field 'TLS Key Usage Mode' is not valid"); } } + if (($pconfig['mode'] == "p2p_shared_key") && strstr($pconfig['crypto'], "GCM")) { + $input_errors[] = gettext("GCM Encryption Algorithms cannot be used with Shared Key mode."); + } + /* If we are not in shared key mode, then we need the CA/Cert. */ if ($pconfig['mode'] != "p2p_shared_key") { + if (($pconfig['ncp_enable'] != "disabled") && !empty($pconfig['ncp-ciphers']) && is_array($pconfig['ncp-ciphers'])) { + foreach ($pconfig['ncp-ciphers'] as $ncpc) { + if (!in_array(trim($ncpc), $cipher_validation_list)) { + $input_errors[] = gettext("One or more of the selected NCP Algorithms is not valid."); + } + } + } $reqdfields = explode(" ", "caref"); $reqdfieldsn = array(gettext("Certificate Authority")); } elseif (!$pconfig['autokey_enable']) { @@ -317,6 +349,15 @@ if ($_POST) { $client = array(); + if (isset($id) && $a_client[$id] && + $pconfig['dev_mode'] <> $a_client[$id]['dev_mode']) { + /* + * delete old interface so a new TUN or TAP interface + * can be created. + */ + openvpn_delete('client', $a_client[$id]); + } + foreach ($simplefields as $stat) { if (($stat == 'auth_pass') && ($_POST[$stat] == DMYPWD)) { $client[$stat] = $a_client[$id]['auth_pass']; 
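Review bot: The NCP cipher check added in the first hunk on this line can be switched off by the request, because it only runs when `$pconfig['ncp_enable'] != "disabled"` and `ncp-ciphers` is an array, while the save code in the `@@ -381,6 +423,12 @@` hunk stores `implode(",", $pconfig['ncp-ciphers'])` whenever the field is non-empty. That save hunk also computes `$pconfig['ncp_enable'] ? "enabled":"disabled"`, and the non-empty string "disabled" is truthy, so such a request is saved with NCP enabled and an unchecked cipher list. The check should run whenever the field is submitted, treat a non-array value or non-string member as invalid, and compare strictly without `trim()` so that the value checked is the value stored, as sketched below; the flag is better derived from one explicit comparison against the checkbox value. vpn_openvpn_server.php has the same pair in its `@@ -406,6 +428,14 @@` and `@@ -559,6 +601,12 @@` hunks. The enclosing `if ($_POST)` block starts and ends outside the hunk.

```php
	if ($pconfig['mode'] != "p2p_shared_key") {
		// Validate whenever the field is submitted, independent of ncp_enable.
		if (!empty($pconfig['ncp-ciphers'])) {
			$ncp_ok = is_array($pconfig['ncp-ciphers']);
			foreach (($ncp_ok ? $pconfig['ncp-ciphers'] : array()) as $ncpc) {
				if (!is_string($ncpc) || !in_array($ncpc, $cipher_validation_list, true)) {
					$ncp_ok = false;
					break;
				}
			}
			if (!$ncp_ok) {
				$input_errors[] = gettext("One or more of the selected NCP Algorithms is not valid.");
			}
		}
		// … unchanged: $reqdfields / $reqdfieldsn for the Certificate Authority …
```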
@@ -361,6 +402,7 @@ if ($_POST) { $pconfig['tls'] = openvpn_create_key(); } $client['tls'] = base64_encode($pconfig['tls']); + $client['tls_type'] = $pconfig['tls_type']; } } else { $client['shared_key'] = base64_encode($pconfig['shared_key']); @@ -381,6 +423,12 @@ if ($_POST) { $client['route_no_exec'] = $pconfig['route_no_exec']; $client['verbosity_level'] = $pconfig['verbosity_level']; + if (!empty($pconfig['ncp-ciphers'])) { + $client['ncp-ciphers'] = implode(",", $pconfig['ncp-ciphers']); + } + + $client['ncp_enable'] = $pconfig['ncp_enable'] ? "enabled":"disabled"; + if (isset($id) && $a_client[$id]) { $a_client[$id] = $client; } else { @@ -393,6 +441,10 @@ if ($_POST) { header("Location: vpn_openvpn_client.php"); exit; } + + if (!empty($pconfig['ncp-ciphers'])) { + $pconfig['ncp-ciphers'] = implode(",", $pconfig['ncp-ciphers']); + } } $pgtitle = array(gettext("VPN"), gettext("OpenVPN"), gettext("Clients")); @@ -447,22 +499,23 @@ if ($act=="new" || $act=="edit"): 'protocol', 'Protocol', $pconfig['protocol'], - array_combine($openvpn_prots, $openvpn_prots) + $openvpn_prots )); $section->addInput(new Form_Select( 'dev_mode', 'Device mode', empty($pconfig['dev_mode']) ? 'tun':$pconfig['dev_mode'], - array_combine($openvpn_dev_mode, $openvpn_dev_mode) - )); + $openvpn_dev_mode + ))->setHelp("\"tun\" mode carries IPv4 and IPv6 (OSI layer 3) and is the most common and compatible mode across all platforms." . + "<br/>\"tap\" mode is capable of carrying 802.3 (OSI Layer 2.)"); $section->addInput(new Form_Select( 'interface', 'Interface', $pconfig['interface'], openvpn_build_if_list() - )); + ))->setHelp("The interface used by the firewall to originate this OpenVPN client connection"); $section->addInput(new Form_Input( 'local_port', 
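Review bot: `$client['tls_type'] = $pconfig['tls_type'];` in the first hunk on this line saves the posted mode on every TLS-key path, but the `in_array($pconfig['tls_type'], array_keys($openvpn_tls_modes))` check added in the validation hunk only runs when `autotls_enable` is off. When the key is auto-generated the field is hidden by `autotls_change()` but presumably still submitted, so its content is written to the config unchecked; how `tls_type` is consumed when the OpenVPN configuration is generated is not visible in this diff. Move the `tls_type` check out of the `!$pconfig['autotls_enable']` condition so it applies whenever `tlsauth_enable` is set, and pass `true` as the third argument to `in_array()`. The server page pairs the same conditional check with `$server['tls_type'] = $pconfig['tls_type'];`.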
@@ -477,21 +530,30 @@ if ($act=="new" || $act=="edit"): 'Server host or address', 'text', $pconfig['server_addr'] - )); + ))->setHelp("The IP address or hostname of the OpenVPN server."); + + $section->addInput(new Form_Checkbox( + 'resolve_retry', + 'Server hostname resolution', + 'Infinitely resolve server ', + $pconfig['resolve_retry'] + ))->setHelp('Continuously attempt to resolve the server host name. ' . + 'Useful when communicating with a server that is not permanently connected to the Internet.'); $section->addInput(new Form_Input( 'server_port', 'Server port', 'number', $pconfig['server_port'] - )); + ))->setHelp("The port used by the server to receive client connections."); $section->addInput(new Form_Input( 'proxy_addr', 'Proxy host or address', 'text', $pconfig['proxy_addr'] - )); + ))->setHelp("The address for an HTTP Proxy this client can use to connect to a remote server." . + "<br/>TCP must be used for the client and server protocol."); $section->addInput(new Form_Input( 'proxy_port', @@ -502,10 +564,10 @@ if ($act=="new" || $act=="edit"): $section->addInput(new Form_Select( 'proxy_authtype', - 'Proxy Auth. - Extra options', + 'Proxy Authentication', $pconfig['proxy_authtype'], array('none' => gettext('none'), 'basic' => gettext('basic'), 'ntlm' => gettext('ntlm')) - )); + ))->setHelp("The type of authentication used by the proxy server."); $section->addInput(new Form_Input( 'proxy_user', @@ -521,14 +583,6 @@ if ($act=="new" || $act=="edit"): $pconfig['proxy_passwd'] )); - $section->addInput(new Form_Checkbox( - 'resolve_retry', - 'Server hostname resolution', - 'Infinitely resolve server ', - $pconfig['resolve_retry'] - ))->setHelp('Continuously attempt to resolve the server host name. ' . - 'Useful when communicating with a server that is not permanently connected to the Internet.'); - $section->addInput(new Form_Input( 'description', 'Description', 
@@ -560,25 +614,38 @@ if ($act=="new" || $act=="edit"): $section->addInput(new Form_Checkbox( 'tlsauth_enable', - 'TLS authentication', - 'Enable authentication of TLS packets.', + 'TLS Configuration', + 'Use a TLS Key', $pconfig['tlsauth_enable'] - )); + ))->setHelp("A TLS key enhances security of an OpenVPN connection by requiring both parties to have a common key before a peer can perform a TLS handshake. " . + "This layer of HMAC authentication allows control channel packets without the proper key to be dropped, protecting the peers from attack or unauthorized connections." . + "The TLS Key does not have any effect on tunnel data."); if (!$pconfig['tls']) { $section->addInput(new Form_Checkbox( 'autotls_enable', null, - 'Automatically generate a shared TLS authentication key.', + 'Automatically generate a TLS Key.', $pconfig['autotls_enable'] )); } $section->addInput(new Form_Textarea( 'tls', - 'Key', + 'TLS Key', $pconfig['tls'] - ))->setHelp('Paste the shared key here'); + ))->setHelp("Paste the TLS key here." . + "<br/>" . + "This key is used to sign control channel packets with an HMAC signature for authentication when establishing the tunnel. "); + + $section->addInput(new Form_Select( + 'tls_type', + 'TLS Key Usage Mode', + empty($pconfig['tls_type']) ? 'auth':$pconfig['tls_type'], + $openvpn_tls_modes + ))->setHelp("In Authentication mode the TLS key is used only as HMAC authentication for the control channel, protecting the peers from unauthorized connections. " . + "<br/>" . + "Encryption and Authentication mode also encrypts control channel communication, providing more privacy and traffic control channel obfuscation."); if (count($a_ca)) { $list = array(); 
@@ -640,14 +707,60 @@ if ($act=="new" || $act=="edit"): 'Encryption Algorithm', $pconfig['crypto'], openvpn_get_cipherlist() - )); + ))->setHelp('The Encryption Algorithm used for data channel packets when Negotiable Cryptographic Parameter (NCP) support is not available.'); + + $section->addInput(new Form_Checkbox( + 'ncp_enable', + 'Enable NCP', + 'Enable Negotiable Cryptographic Parameters', + ($pconfig['ncp_enable'] == "enabled") + ))->setHelp( 'Check this option to allow OpenVPN clients and servers to negotiate a compatible set of acceptable cryptographic ' . + 'Encryption Algorithms from those selected in the NCP Algorithms list below.' . + '<div class="infoblock">' . sprint_info_box('When both peers support NCP and have it enabled, NCP overrides the Encryption Algorithm above.' . '<br />' . + 'When disabled, only the selected Encryption Algorithm is allowed.', 'info', false) . '</div>'); + + foreach (explode(",", $pconfig['ncp-ciphers']) as $cipher) { + $ncp_ciphers_list[$cipher] = $cipher; + } + $group = new Form_Group('NCP Algorithms'); + + $group->add(new Form_Select( + 'availciphers', + null, + array(), + openvpn_get_cipherlist(), + true + ))->setAttribute('size', '10') + ->setHelp('Available NCP Encryption Algorithms<br />Click to add or remove an algorithm from the list'); + + $group->add(new Form_Select( + 'ncp-ciphers', + null, + array(), + $ncp_ciphers_list, + true + ))->setReadonly() + ->setAttribute('size', '10') + ->setHelp('Allowed NCP Encryption Algorithms. Click an algorithm name to remove it from the list'); + + $group->setHelp( 'The order of the selected NCP Encryption Algorithms is respected by OpenVPN.' . + '<div class="infoblock">' . sprint_info_box( + 'For backward compatibility, when an older peer connects that does not support NCP, OpenVPN will use the Encryption Algorithm ' . + 'requested by the peer so long as it is selected in this list or chosen as the Encryption Algorithm.', 'info', false) . 
+ '</div>'); + + $section->add($group); $section->addInput(new Form_Select( 'digest', 'Auth digest algorithm', $pconfig['digest'], openvpn_get_digestlist() - ))->setHelp('Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN. '); + ))->setHelp('The algorithm used to authenticate data channel packets, and control channel packets if a TLS Key is present.' . + '<br />' . + 'When an AEAD Encryption Algorithm mode is used, such as AES-GCM, this digest is used for the control channel only, not the data channel.' . + '<br />' . + 'Leave this set to SHA1 unless the server uses a different value. SHA1 is the default for OpenVPN. '); $section->addInput(new Form_Select( 'engine', @@ -768,7 +881,7 @@ if ($act=="new" || $act=="edit"): $act )); - if (isset($id) && $a_server[$id]) { + if (isset($id) && $a_client[$id]) { $section->addInput(new Form_Input( 'id', null, @@ -896,6 +1009,7 @@ events.push(function() { // Process "Automatically generate a shared TLS authentication key" checkbox function autotls_change() { hideInput('tls', $('#autotls_enable').prop('checked') || !$('#tlsauth_enable').prop('checked')); + hideInput('tls_type', $('#autotls_enable').prop('checked') || !$('#tlsauth_enable').prop('checked')); } // ---------- Monitor elements for change and call the appropriate display functions ------------------------------ 
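Review bot: The `foreach (explode(",", $pconfig['ncp-ciphers']) as $cipher)` loop in the hunk that ends at the top of this line fills `$ncp_ciphers_list` straight from `$pconfig`, which after a rejected POST is the re-joined request value, so entries that have just failed validation are rendered back as options of the `ncp-ciphers` select. Whether `Form_Select` escapes option keys and labels is not visible here, so the list should only ever carry known names: start with `$ncp_ciphers_list = array();` and add an entry only when `array_key_exists($cipher, $cipherlist)` holds for `$cipherlist = openvpn_get_cipherlist();`. That also drops the empty entry `explode()` yields when no cipher is set, which the submit handler would otherwise select and post. vpn_openvpn_server.php builds the list the same way in its `@@ -629,9 +682,14 @@` hunk.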
@@ -930,6 +1044,45 @@ events.push(function() { autotls_change(); }); + function updateCiphers(mem) { + var found = false; + + // If the cipher exists, remove it + $('[id="ncp-ciphers[]"] option').each(function() { + if($(this).val() == mem) { + $(this).remove(); + found = true; + } + }); + + // If not, add it + if (!found) { + $('[id="ncp-ciphers[]"]').append(new Option(mem , mem)); + } + + // Unselect all options + $('[id="availciphers[]"] option:selected').removeAttr("selected"); + } + + // On click, update the ciphers list + $('[id="availciphers[]"]').click(function () { + updateCiphers($(this).val()); + }); + + // On click, remove the cipher from the list + $('[id="ncp-ciphers[]"]').click(function () { + if ($(this).val() != null) { + updateCiphers($(this).val()); + } + }); + + // Make sure the "Available ciphers" selector is not submitted with the form, + // and select all of the chosen ciphers so that they are submitted + $('form').submit(function() { + $("#availciphers" ).prop( "disabled", true); + $('[id="ncp-ciphers[]"] option').attr("selected", "selected"); + }); + // ---------- Set initial page display state ---------------------------------------------------------------------- mode_change(); autokey_change(); diff --git a/src/usr/local/www/vpn_openvpn_csc.php b/src/usr/local/www/vpn_openvpn_csc.php index 16ba076..65932c2 100644 --- a/src/usr/local/www/vpn_openvpn_csc.php +++ b/src/usr/local/www/vpn_openvpn_csc.php @@ -74,6 +74,7 @@ if ($_GET['act'] == "edit") { $pconfig['description'] = $a_csc[$id]['description']; $pconfig['tunnel_network'] = $a_csc[$id]['tunnel_network']; + $pconfig['tunnel_networkv6'] = $a_csc[$id]['tunnel_networkv6']; $pconfig['local_network'] = $a_csc[$id]['local_network']; $pconfig['local_networkv6'] = $a_csc[$id]['local_networkv6']; $pconfig['remote_network'] = $a_csc[$id]['remote_network']; 
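Review bot: In the `$('form').submit(...)` handler at the end of the first hunk on this line, `$("#availciphers")` does not match the way every other selector in the hunk addresses that control, `[id="availciphers[]"]`, so the `disabled` property is probably set on nothing and the comment's promise that the picker is not submitted does not hold. Use the same attribute selector: `$('[id="availciphers[]"]').prop("disabled", true);`. The PHP side should not depend on this either way, since the values posted as `ncp-ciphers[]` are not limited to what the script selects.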
@@ -132,7 +133,10 @@ if ($_POST) { $pconfig = $_POST; /* input validation */ - if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], 'Tunnel network')) { + if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], 'IPv4 Tunnel Network')) { + $input_errors[] = $result; + } + if ($result = openvpn_validate_cidr($pconfig['tunnel_networkv6'], 'IPv6 Tunnel Network', false, "ipv6")) { $input_errors[] = $result; } @@ -219,6 +223,7 @@ if ($_POST) { $csc['block'] = $pconfig['block']; $csc['description'] = $pconfig['description']; $csc['tunnel_network'] = $pconfig['tunnel_network']; + $csc['tunnel_networkv6'] = $pconfig['tunnel_networkv6']; $csc['local_network'] = $pconfig['local_network']; $csc['local_networkv6'] = $pconfig['local_networkv6']; $csc['remote_network'] = $pconfig['remote_network']; @@ -320,7 +325,7 @@ if ($act == "new" || $act == "edit"): $pconfig['server_list'], $serveroptionlist, true - ))->setHelp('Select the servers for which the override will apply. Selecting no servers will also apply the override to all servers.'); + ))->setHelp('Select the servers that will utilize this override. When no servers are selected, the override will apply to all servers.'); $section->addInput(new Form_Checkbox( 
@@ -332,24 +337,24 @@ if ($act == "new" || $act == "edit"): $section->addInput(new Form_Input( 'common_name', - 'Common name', + 'Common Name', 'text', $pconfig['common_name'] - ))->setHelp('Enter the client\'s X.509 common name.'); + ))->setHelp('Enter the X.509 common name for the client certificate, or the username for VPNs utilizing password authentication. This match is case sensitive.'); $section->addInput(new Form_Input( 'description', 'Description', 'text', $pconfig['description'] - ))->setHelp('A description may be entered here for administrative reference (not parsed). '); + ))->setHelp('A description for administrative reference (not parsed).'); $section->addInput(new Form_Checkbox( 'block', 'Connection blocking', - 'Block this client connection based on its common name. ', + 'Block this client connection based on its common name.', $pconfig['block'] - ))->setHelp('Don\'t use this option to permanently disable a client due to a compromised key or password. Use a CRL (certificate revocation list) instead. '); + ))->setHelp('Prevents the client from connecting to this server. Do not use this option to permanently disable a client due to a compromised key or password. Use a CRL (certificate revocation list) instead.'); $form->add($section); 
@@ -357,45 +362,57 @@ if ($act == "new" || $act == "edit"): $section->addInput(new Form_Input( 'tunnel_network', - 'Tunnel Network', + 'IPv4 Tunnel Network', 'text', $pconfig['tunnel_network'] - ))->setHelp('This is the virtual network used for private communications between this client and the server expressed using CIDR (e.g. 10.0.8.0/24). ' . - 'The first network address is assumed to be the server address and the second network address will be assigned to the client virtual interface. '); + ))->setHelp('The virtual IPv4 network used for private communications between this client and the server expressed using CIDR (e.g. 10.0.8.5/24). ' . + '<br />' . + 'With subnet topology, enter the client IP address and the subnet mask must match the IPv4 Tunnel Network on the server. ' . + '<br />' . + 'With net30 topology, the first network address of the /30 is assumed to be the server address and the second network address will be assigned to the client.'); + + $section->addInput(new Form_Input( + 'tunnel_networkv6', + 'IPv6 Tunnel Network', + 'text', + $pconfig['tunnel_networkv6'] + ))->setHelp('The virtual IPv6 network used for private communications between this client and the server expressed using prefix (e.g. 2001:db9:1:1::100/64). ' . + '<br />' . + 'Enter the client IPv6 address and prefix. The prefix must match the IPv6 Tunnel Network prefix on the server. '); $section->addInput(new Form_Input( 'local_network', 'IPv4 Local Network/s', 'text', $pconfig['local_network'] - ))->setHelp('These are the IPv4 networks that will be accessible from this particular client. Expressed as a comma-separated list of one or more CIDR ranges. ' . '<br />' . - 'NOTE: Networks do not need to be specified here if they have already been defined on the main server configuration.'); + ))->setHelp('These are the IPv4 server-side networks that will be accessible from this particular client. Expressed as a comma-separated list of one or more CIDR networks. ' . '<br />' . 
+ 'NOTE: Networks do not need to be specified here if they have already been defined on the main server configuration.'); $section->addInput(new Form_Input( 'local_networkv6', 'IPv6 Local Network/s', 'text', $pconfig['local_networkv6'] - ))->setHelp('These are the IPv4 networks that will be accessible from this particular client. Expressed as a comma-separated list of one or more IP/PREFIX networks.' . '<br />' . - 'NOTE: Networks do not need to be specified here if they have already been defined on the main server configuration.'); + ))->setHelp('These are the IPv6 server-side networks that will be accessible from this particular client. Expressed as a comma-separated list of one or more IP/PREFIX networks.' . '<br />' . + 'NOTE: Networks do not need to be specified here if they have already been defined on the main server configuration.'); $section->addInput(new Form_Input( 'remote_network', 'IPv4 Remote Network/s', 'text', $pconfig['remote_network'] - ))->setHelp('These are the IPv4 networks that will be routed to this client specifically using iroute, so that a site-to-site VPN can be established. ' . - 'Expressed as a comma-separated list of one or more CIDR ranges. May be left blank if there are no client-side networks to be routed.' . '<br />' . - 'NOTE: Remember to add these subnets to the IPv4 Remote Networks list on the corresponding OpenVPN server settings.'); + ))->setHelp('These are the IPv4 client-side networks that will be routed to this client specifically using iroute, so that a site-to-site VPN can be established. ' . + 'Expressed as a comma-separated list of one or more CIDR ranges. May be left blank if there are no client-side networks to be routed.' . '<br />' . 
+ 'NOTE: Remember to add these subnets to the IPv4 Remote Networks list on the corresponding OpenVPN server settings.'); $section->addInput(new Form_Input( 'remote_networkv6', 'IPv6 Remote Network/s', 'text', $pconfig['remote_networkv6'] - ))->setHelp('These are the IPv6 networks that will be routed to this client specifically using iroute, so that a site-to-site VPN can be established. ' . - 'Expressed as a comma-separated list of one or more IP/PREFIX networks. May be left blank if there are no client-side networks to be routed.' . '<br />' . - 'NOTE: Remember to add these subnets to the IPv6 Remote Networks list on the corresponding OpenVPN server settings.'); + ))->setHelp('These are the IPv6 client-side networks that will be routed to this client specifically using iroute, so that a site-to-site VPN can be established. ' . + 'Expressed as a comma-separated list of one or more IP/PREFIX networks. May be left blank if there are no client-side networks to be routed.' . '<br />' . + 'NOTE: Remember to add these subnets to the IPv6 Remote Networks list on the corresponding OpenVPN server settings.'); $section->addInput(new Form_Checkbox( 'gwredir', diff --git a/src/usr/local/www/vpn_openvpn_server.php b/src/usr/local/www/vpn_openvpn_server.php index 433b689..efd3b26 100644 --- a/src/usr/local/www/vpn_openvpn_server.php +++ b/src/usr/local/www/vpn_openvpn_server.php @@ -31,7 +31,7 @@ require_once("guiconfig.inc"); require_once("openvpn.inc"); require_once("pkg-utils.inc"); -global $openvpn_topologies; +global $openvpn_topologies, $openvpn_tls_modes; if (!is_array($config['openvpn']['openvpn-server'])) { $config['openvpn']['openvpn-server'] = array(); @@ -96,6 +96,8 @@ if ($_GET['act'] == "del") { } if ($_GET['act'] == "new") { + $pconfig['ncp_enable'] = "enabled"; + $pconfig['ncp-ciphers'] = "AES-256-GCM,AES-128-GCM"; $pconfig['autokey_enable'] = "yes"; $pconfig['tlsauth_enable'] = "yes"; $pconfig['autotls_enable'] = "yes"; 
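Review bot: The example address in the new 'IPv6 Tunnel Network' help text of the hunk that ends on this line, `2001:db9:1:1::100/64`, lies outside the IPv6 documentation prefix `2001:db8::/32` (RFC 3849) and looks like a typo for it. Help-text examples tend to be copied into real configurations, so the example should read `2001:db8:1:1::100/64`.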
@@ -117,6 +119,16 @@ if ($_GET['act'] == "edit") { $pconfig['mode'] = $a_server[$id]['mode']; $pconfig['protocol'] = $a_server[$id]['protocol']; $pconfig['authmode'] = $a_server[$id]['authmode']; + if (isset($a_server[$id]['ncp-ciphers'])) { + $pconfig['ncp-ciphers'] = $a_server[$id]['ncp-ciphers']; + } else { + $pconfig['ncp-ciphers'] = "AES-256-GCM,AES-128-GCM"; + } + if (isset($a_server[$id]['ncp_enable'])) { + $pconfig['ncp_enable'] = $a_server[$id]['ncp_enable']; + } else { + $pconfig['ncp_enable'] = "enabled"; + } $pconfig['dev_mode'] = $a_server[$id]['dev_mode']; $pconfig['interface'] = $a_server[$id]['interface']; @@ -132,6 +144,7 @@ if ($_GET['act'] == "edit") { if ($a_server[$id]['tls']) { $pconfig['tlsauth_enable'] = "yes"; $pconfig['tls'] = base64_decode($a_server[$id]['tls']); + $pconfig['tls_type'] = $a_server[$id]['tls_type']; } $pconfig['caref'] = $a_server[$id]['caref']; @@ -165,6 +178,7 @@ if ($_GET['act'] == "edit") { $pconfig['local_networkv6'] = $a_server[$id]['local_networkv6']; $pconfig['maxclients'] = $a_server[$id]['maxclients']; $pconfig['compression'] = $a_server[$id]['compression']; + $pconfig['compression_push'] = $a_server[$id]['compression_push']; $pconfig['passtos'] = $a_server[$id]['passtos']; $pconfig['client2client'] = $a_server[$id]['client2client']; @@ -240,8 +254,8 @@ if ($_GET['act'] == "edit") { $pconfig['push_register_dns'] = $a_server[$id]['push_register_dns']; } } -if ($_POST) { +if ($_POST) { unset($input_errors); $pconfig = $_POST; 
@@ -251,6 +265,11 @@ if ($_POST) { $vpnid = 0; } + $cipher_validation_list = array_keys(openvpn_get_cipherlist()); + if (!in_array($pconfig['crypto'], $cipher_validation_list)) { + $input_errors[] = gettext("The selected Encryption Algorithm is not valid."); + } + list($iv_iface, $iv_ip) = explode ("|", $pconfig['interface']); if (is_ipaddrv4($iv_ip) && (stristr($pconfig['protocol'], "6") !== false)) { $input_errors[] = gettext("Protocol and IP address families do not match. An IPv6 protocol and an IPv4 IP address cannot be selected."); @@ -328,7 +347,10 @@ if ($_POST) { if ($tls_mode && $pconfig['tlsauth_enable'] && !$pconfig['autotls_enable']) { if (!strstr($pconfig['tls'], "-----BEGIN OpenVPN Static key V1-----") || !strstr($pconfig['tls'], "-----END OpenVPN Static key V1-----")) { - $input_errors[] = gettext("The field 'TLS Authentication Key' does not appear to be valid"); + $input_errors[] = gettext("The field 'TLS Key' does not appear to be valid"); + } + if (!in_array($pconfig['tls_type'], array_keys($openvpn_tls_modes))) { + $input_errors[] = gettext("The field 'TLS Key Usage Mode' is not valid"); } } @@ -406,6 +428,14 @@ if ($_POST) { $input_errors[] = gettext("The specified ECDH Curve is invalid."); } + if (($pconfig['ncp_enable'] != "disabled") && !empty($pconfig['ncp-ciphers']) && is_array($pconfig['ncp-ciphers'])) { + foreach ($pconfig['ncp-ciphers'] as $ncpc) { + if (!in_array(trim($ncpc), $cipher_validation_list)) { + $input_errors[] = gettext("One or more of the selected NCP Algorithms is not valid."); + } + } + } + $reqdfields = explode(" ", "caref certref"); $reqdfieldsn = array(gettext("Certificate Authority"), gettext("Certificate")); } elseif (!$pconfig['autokey_enable']) { 
@@ -414,6 +444,10 @@ if ($_POST) { $reqdfieldsn = array(gettext('Shared key')); } + if (($pconfig['mode'] == "p2p_shared_key") && strstr($pconfig['crypto'], "GCM")) { + $input_errors[] = gettext("GCM Encryption Algorithms cannot be used with Shared Key mode."); + } + if ($pconfig['dev_mode'] != "tap") { $reqdfields[] = 'tunnel_network'; $reqdfieldsn[] = gettext('Tunnel network'); @@ -435,14 +469,20 @@ if ($_POST) { $input_errors[] = gettext("The Server Bridge DHCP range is invalid (start higher than end)."); } } + do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); if (!$input_errors) { $server = array(); - if ($id && $pconfig['dev_mode'] <> $a_server[$id]['dev_mode']) { - openvpn_delete('server', $a_server[$id]);// delete(rename) old interface so a new TUN or TAP interface can be created. + if (isset($id) && $a_server[$id] && + $pconfig['dev_mode'] <> $a_server[$id]['dev_mode']) { + /* + * delete old interface so a new TUN or TAP interface + * can be created. + */ + openvpn_delete('server', $a_server[$id]); } if ($vpnid) { @@ -471,6 +511,7 @@ if ($_POST) { $pconfig['tls'] = openvpn_create_key(); } $server['tls'] = base64_encode($pconfig['tls']); + $server['tls_type'] = $pconfig['tls_type']; } $server['caref'] = $pconfig['caref']; $server['crlref'] = $pconfig['crlref']; @@ -498,6 +539,7 @@ if ($_POST) { $server['local_networkv6'] = $pconfig['local_networkv6']; $server['maxclients'] = $pconfig['maxclients']; $server['compression'] = $pconfig['compression']; + $server['compression_push'] = $pconfig['compression_push']; $server['passtos'] = $pconfig['passtos']; $server['client2client'] = $pconfig['client2client']; @@ -559,6 +601,12 @@ if ($_POST) { $server['duplicate_cn'] = true; } + if (!empty($pconfig['ncp-ciphers'])) { + $server['ncp-ciphers'] = implode(",", $pconfig['ncp-ciphers']); + } + + $server['ncp_enable'] = $pconfig['ncp_enable'] ? "enabled":"disabled"; + if (isset($id) && $a_server[$id]) { $a_server[$id] = $server; } else { 
@@ -572,6 +620,11 @@ if ($_POST) { header("Location: vpn_openvpn_server.php"); exit; } + + if (!empty($pconfig['ncp-ciphers'])) { + $pconfig['ncp-ciphers'] = implode(",", $pconfig['ncp-ciphers']); + } + if (!empty($pconfig['authmode'])) { $pconfig['authmode'] = implode(",", $pconfig['authmode']); } @@ -629,9 +682,14 @@ if ($act=="new" || $act=="edit"): $options = array(); $authmodes = array(); - $authmodes = explode(",", $pconfig['authmode']); + $auth_servers = auth_get_authserver_list(); + + foreach (explode(",", $pconfig['ncp-ciphers']) as $cipher) { + $ncp_ciphers_list[$cipher] = $cipher; + } + // If no authmodes set then default to selecting the first entry in auth_servers if (empty($authmodes[0]) && !empty(key($auth_servers))) { $authmodes[0] = key($auth_servers); @@ -660,15 +718,16 @@ if ($act=="new" || $act=="edit"): 'dev_mode', 'Device mode', empty($pconfig['dev_mode']) ? 'tun':$pconfig['dev_mode'], - array_combine($openvpn_dev_mode, $openvpn_dev_mode) - )); + $openvpn_dev_mode + ))->setHelp("\"tun\" mode carries IPv4 and IPv6 (OSI layer 3) and is the most common and compatible mode across all platforms." . + "<br/>\"tap\" mode is capable of carrying 802.3 (OSI Layer 2.)"); $section->addInput(new Form_Select( 'interface', 'Interface', $pconfig['interface'], openvpn_build_if_list() - )); + ))->setHelp("The interface or Virtual IP address where OpenVPN will receive client connections."); $section->addInput(new Form_Input( 'local_port', @@ -676,7 +735,7 @@ if ($act=="new" || $act=="edit"): 'number', $pconfig['local_port'], ['min' => '0'] - )); + ))->setHelp("The port used by OpenVPN to receive client connections."); $section->addInput(new Form_Input( 'description', 
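Review bot: `$ncp_ciphers_list` is never initialised before the `foreach` in the @@ -629 hunk, and `explode(",", ...)` on an empty setting returns a single empty string, so the select built from it gets a blank entry. The submit handler added later in this file selects every option in that list, so the blank entry would be posted and would fail the new NCP validation; I have not confirmed how Form_Select treats an empty key. Start with `$ncp_ciphers_list = array();` and skip empty items, e.g. `foreach (array_filter(explode(",", $pconfig['ncp-ciphers'])) as $cipher) {`. The `if ($act=="new" || $act=="edit"):` block continues outside the hunk.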
@@ -691,25 +750,38 @@ if ($act=="new" || $act=="edit"): $section->addInput(new Form_Checkbox( 'tlsauth_enable', - 'TLS authentication', - 'Enable authentication of TLS packets.', + 'TLS Configuration', + 'Use a TLS Key', $pconfig['tlsauth_enable'] - )); + ))->setHelp("A TLS key enhances security of an OpenVPN connection by requiring both parties to have a common key before a peer can perform a TLS handshake. " . + "This layer of HMAC authentication allows control channel packets without the proper key to be dropped, protecting the peers from attack or unauthorized connections." . + "The TLS Key does not have any effect on tunnel data."); if (!$pconfig['tls']) { $section->addInput(new Form_Checkbox( 'autotls_enable', null, - 'Automatically generate a shared TLS authentication key.', + 'Automatically generate a TLS Key.', $pconfig['autotls_enable'] )); } $section->addInput(new Form_Textarea( 'tls', - 'Key', + 'TLS Key', $pconfig['tls'] - ))->setHelp('Paste the shared key here'); + ))->setHelp("Paste the TLS key here." . + "<br/>" . + "This key is used to sign control channel packets with an HMAC signature for authentication when establishing the tunnel. "); + + $section->addInput(new Form_Select( + 'tls_type', + 'TLS Key Usage Mode', + empty($pconfig['tls_type']) ? 'auth':$pconfig['tls_type'], + $openvpn_tls_modes + ))->setHelp("In Authentication mode the TLS key is used only as HMAC authentication for the control channel, protecting the peers from unauthorized connections. " . + "<br/>" . + "Encryption and Authentication mode also encrypts control channel communication, providing more privacy and traffic control channel obfuscation."); if (count($a_ca)) { 
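Review bot: In the help text for `tlsauth_enable` the second fragment ends with `unauthorized connections.` and the third starts with `The TLS Key`, so the rendered text runs the two sentences together. End the second fragment with a space, as the first fragment does: `"... protecting the peers from attack or unauthorized connections. " .`. The `tls_type` help also reads awkwardly at "traffic control channel obfuscation"; "control channel obfuscation" says the same thing.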
@@ -775,14 +847,24 @@ if ($act=="new" || $act=="edit"): 'DH Parameter Length', $pconfig['dh_length'], $openvpn_dh_lengths - ))->setHelp(count($a_cert) ? '':sprintf('No Certificates defined. One may be created here: %s', '<a href="system_camanager.php">System > Cert. Manager</a>')); + ))->setHelp('Diffie-Hellman (DH) parameter set used for key exchange.' . + '<div class="infoblock">' . + sprint_info_box('Only DH parameter sets which exist in /etc/ are shown. ' . + '<br/>' . + 'Generating new or stronger DH parameters is CPU-intensive and must be performed manually. ' . + 'Consult <a href="https://doc.pfsense.org/index.php/DH_Parameters">the doc wiki article on DH Parameters</a> ' . + 'for information on generating new or stronger paramater sets.', 'info', false) . + '</div>'); $section->addInput(new Form_Select( 'ecdh_curve', 'ECDH Curve', $pconfig['ecdh_curve'], openvpn_get_curvelist() - )); + ))->setHelp('The Elliptic Curve to use for key exchange. ' . + '<br/>' . + 'The curve from the server certificate is used by default when the server uses an ECDSA certificate. ' . + 'Otherwise, secp384r1 is used as a fallback.'); if (!$pconfig['shared_key']) { $section->addInput(new Form_Checkbox( 
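Review bot: The new DH help string spells `paramater sets`; it should read `parameter sets`. The `Form_Select(` call for `dh_length` that this help is attached to begins above the hunk.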
@@ -804,14 +886,57 @@ if ($act=="new" || $act=="edit"): 'Encryption Algorithm', $pconfig['crypto'], openvpn_get_cipherlist() - )); + ))->setHelp('The Encryption Algorithm used for data channel packets when Negotiable Cryptographic Parameter (NCP) support is not available.'); + + $section->addInput(new Form_Checkbox( + 'ncp_enable', + 'Enable NCP', + 'Enable Negotiable Cryptographic Parameters', + ($pconfig['ncp_enable'] == "enabled") + ))->setHelp( 'Check this option to allow OpenVPN clients and servers to negotiate a compatible set of acceptable cryptographic ' . + 'Encryption Algorithms from those selected in the NCP Algorithms list below.' . + '<div class="infoblock">' . sprint_info_box('When both peers support NCP and have it enabled, NCP overrides the Encryption Algorithm above.' . '<br />' . + 'When disabled, only the selected Encryption Algorithm is allowed.', 'info', false) . '</div>'); + + $group = new Form_Group('NCP Algorithms'); + + $group->add(new Form_Select( + 'availciphers', + null, + array(), + openvpn_get_cipherlist(), + true + ))->setAttribute('size', '10') + ->setHelp('Available NCP Encryption Algorithms<br />Click to add or remove an algorithm from the list'); + + $group->add(new Form_Select( + 'ncp-ciphers', + null, + array(), + $ncp_ciphers_list, + true + ))->setReadonly() + ->setAttribute('size', '10') + ->setHelp('Allowed NCP Encryption Algorithms. Click an algorithm name to remove it from the list'); + + $group->setHelp( 'The order of the selected NCP Encryption Algorithms is respected by OpenVPN.' . + '<div class="infoblock">' . sprint_info_box( + 'For backward compatibility, when an older peer connects that does not support NCP, OpenVPN will use the Encryption Algorithm ' . + 'requested by the peer so long as it is selected in this list or chosen as the Encryption Algorithm.', 'info', false) . 
+ '</div>'); + + $section->add($group); $section->addInput(new Form_Select( 'digest', 'Auth digest algorithm', $pconfig['digest'], openvpn_get_digestlist() - ))->setHelp('Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN. '); + ))->setHelp('The algorithm used to authenticate data channel packets, and control channel packets if a TLS Key is present.' . + '<br />' . + 'When an AEAD Encryption Algorithm mode is used, such as AES-GCM, this digest is used for the control channel only, not the data channel.' . + '<br />' . + 'Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN. '); $section->addInput(new Form_Select( 'engine', @@ -952,6 +1077,13 @@ if ($act=="new" || $act=="edit"): 'packets is not being compressed efficiently.'); $section->addInput(new Form_Checkbox( + 'compression_push', + 'Push Compression', + 'Push the selected Compression setting to connecting clients.', + $pconfig['compression_push'] + )); + + $section->addInput(new Form_Checkbox( 'passtos', 'Type-of-Service', 'Set the TOS IP header value of tunnel packets to match the encapsulated packet value.', @@ -1290,6 +1422,7 @@ events.push(function() { case "server_tls": case "server_user": hideInput('tls', false); + hideInput('tls_type', false); hideInput('certref', false); hideInput('dh_length', false); hideInput('ecdh_curve', false); @@ -1298,9 +1431,11 @@ events.push(function() { hideCheckbox('autokey_enable', true); hideInput('shared_key', false); hideInput('topology', false); + hideCheckbox('compression_push', false); break; case "server_tls_user": hideInput('tls', false); + hideInput('tls_type', false); hideInput('certref', false); hideInput('dh_length', false); hideInput('ecdh_curve', false); 
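Review bot: The `ncp_enable` checkbox in the @@ -804 hunk is checked only when `$pconfig['ncp_enable'] == "enabled"`, which matches the stored value but probably not the raw checkbox value that `$pconfig` holds when the form is redisplayed after a validation error. If so, the box comes back unchecked and the next save writes `"disabled"`, turning negotiation off without the operator asking for it. Normalising `$pconfig['ncp_enable']` on the POST error path, next to the `ncp-ciphers` `implode` added in the @@ -572 hunk, would keep the state. How `$pconfig` is filled from `$_POST` is outside the visible hunks.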
@@ -1309,9 +1444,11 @@ events.push(function() { hideCheckbox('autokey_enable', true); hideInput('shared_key', true); hideInput('topology', false); + hideCheckbox('compression_push', false); break; case "p2p_shared_key": hideInput('tls', true); + hideInput('tls_type', true); hideInput('caref', true); hideInput('crlref', true); hideLabel('Peer Certificate Revocation list', true); @@ -1325,6 +1462,7 @@ events.push(function() { hideCheckbox('autokey_enable', true); hideInput('shared_key', false); hideInput('topology', true); + hideCheckbox('compression_push', true); break; } @@ -1394,10 +1532,12 @@ events.push(function() { function autotls_change() { if (($('#mode').val() == 'p2p_shared_key') || (!$('#tlsauth_enable').prop('checked'))) { hideInput('tls', true); + hideInput('tls_type', true); hideInput('autotls_enable', true); } else { hideInput('autotls_enable', false); hideInput('tls', $('#autotls_enable').prop('checked') || !$('#tlsauth_enable').prop('checked')); + hideInput('tls_type', $('#autotls_enable').prop('checked') || !$('#tlsauth_enable').prop('checked')); } } 
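Review bot: In `autotls_change()` the added `hideInput('tls_type', $('#autotls_enable').prop('checked') || !$('#tlsauth_enable').prop('checked'));` hides the usage-mode selector whenever a key is auto-generated, although the save path in this commit stores `tls_type` for generated keys as well. The operator then cannot choose the mode for a generated key and gets whatever the hidden select holds. Tie its visibility to the TLS key checkbox only: `hideInput('tls_type', !$('#tlsauth_enable').prop('checked'));`.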
@@ -1617,6 +1757,45 @@ events.push(function() { $('#certtype').html(errmsg); }); + function updateCiphers(mem) { + var found = false; + + // If the cipher exists, remove it + $('[id="ncp-ciphers[]"] option').each(function() { + if($(this).val() == mem) { + $(this).remove(); + found = true; + } + }); + + // If not, add it + if (!found) { + $('[id="ncp-ciphers[]"]').append(new Option(mem , mem)); + } + + // Unselect all options + $('[id="availciphers[]"] option:selected').removeAttr("selected"); + } + + // On click, update the ciphers list + $('[id="availciphers[]"]').click(function () { + updateCiphers($(this).val()); + }); + + // On click, remove the cipher from the list + $('[id="ncp-ciphers[]"]').click(function () { + if ($(this).val() != null) { + updateCiphers($(this).val()); + } + }); + + // Make sure the "Available ciphers" selector is not submitted with the form, + // and select all of the chosen ciphers so that they are submitted + $('form').submit(function() { + $("#availciphers" ).prop( "disabled", true); + $('[id="ncp-ciphers[]"] option').attr("selected", "selected"); + }); + // ---------- Set initial page display state ---------------------------------------------------------------------- mode_change(); autokey_change(); diff --git a/src/usr/local/www/widgets/widgets/gateways.widget.php b/src/usr/local/www/widgets/widgets/gateways.widget.php index 34f4d2e..c854df5 100644 --- a/src/usr/local/www/widgets/widgets/gateways.widget.php +++ b/src/usr/local/www/widgets/widgets/gateways.widget.php 
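Review bot: The submit handler disables `$("#availciphers")`, but every other selector in this hunk addresses the element as `[id="availciphers[]"]`, so the disable most likely matches nothing and the "Available" list is still part of the submission. Use the same attribute selector: `$('[id="availciphers[]"]').prop("disabled", true);`. Separately, `.val()` on a multiple select returns an array, so `updateCiphers($(this).val())` relies on string coercion and would add a combined entry if two items are selected at once. Clearing the selection with `.prop("selected", false)` is also more reliable than `removeAttr("selected")`. The server-side allow-list remains the real check; these points only affect what the form sends.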
@@ -38,12 +38,29 @@ if ($_REQUEST && $_REQUEST['ajax']) { } if ($_POST) { + + if (!is_array($user_settings["widgets"]["gateways_widget"])) { $user_settings["widgets"]["gateways_widget"] = array(); } + if (isset($_POST["display_type"])) { $user_settings["widgets"]["gateways_widget"]["display_type"] = $_POST["display_type"]; } + + if (is_array($_POST['show'])) { + $validNames = array(); + $a_gateways = return_gateways_array(); + + foreach ($a_gateways as $gname => $gateway) { + array_push($validNames, $gname); + } + + $user_settings["widgets"]["gateways_widget"]["gatewaysfilter"] = implode(',', array_diff($validNames, $_POST['show'])); + } else { + $user_settings["widgets"]["gateways_widget"]["gatewaysfilter"] = ""; + } + save_widget_settings($_SESSION['Username'], $user_settings["widgets"], gettext("Updated gateways widget settings via dashboard.")); header("Location: /"); exit(0); 
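Review bot: The `else` branch sets `gatewaysfilter` to an empty string when `$_POST['show']` is not an array, which is also what a browser sends when every "Show" box is unchecked. Unticking all gateways therefore shows all of them, and the "All gateways are hidden." case added to `compose_table_body_contents()` cannot be reached from this form. Treat a missing field as an empty selection with `$shown = (isset($_POST['show']) && is_array($_POST['show'])) ? $_POST['show'] : array();` and always store `implode(',', array_diff(array_keys(return_gateways_array()), $shown))`. Diffing against the known gateway names is the right call, since only valid names can end up in the stored filter.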
@@ -71,55 +88,86 @@ $widgetperiod = isset($config['widgets']['period']) ? $config['widgets']['period </table> </div> <!-- close the body we're wrapped in and add a configuration-panel --> -</div> - -<div id="widget-<?=$widgetname?>_panel-footer" class="panel-footer collapse"> -<input type="hidden" id="gateways-config" name="gateways-config" value="" /> - -<div id="gateways-settings" class="widgetconfigdiv" > - <form action="/widgets/widgets/gateways.widget.php" method="post" name="gateways_widget_iform" id="gateways_widget_iform"> - Display: - <?php - $display_type_gw_ip = "checked"; - $display_type_monitor_ip = ""; - $display_type_both_ip = ""; - if (isset($user_settings["widgets"]["gateways_widget"]["display_type"])) { - $selected_radio = $user_settings["widgets"]["gateways_widget"]["display_type"]; - if ($selected_radio == "gw_ip") { - $display_type_gw_ip = "checked"; - $display_type_monitor_ip = ""; - $display_type_both_ip = ""; - } else if ($selected_radio == "monitor_ip") { - $display_type_gw_ip = ""; - $display_type_monitor_ip = "checked"; - $display_type_both_ip = ""; - } else if ($selected_radio == "both_ip") { - $display_type_gw_ip = ""; - $display_type_monitor_ip = ""; - $display_type_both_ip = "checked"; - } +</div><div id="widget-<?=$widgetname?>_panel-footer" class="panel-footer collapse"> +<form action="/widgets/widgets/gateways.widget.php" method="post" class="form-horizontal"> + <div class="form-group"> + <label class="col-sm-3 control-label"><?=gettext('Display')?></label> + <?php + $display_type_gw_ip = "checked"; + $display_type_monitor_ip = ""; + $display_type_both_ip = ""; + if (isset($user_settings["widgets"]["gateways_widget"]["display_type"])) { + $selected_radio = $user_settings["widgets"]["gateways_widget"]["display_type"]; + if ($selected_radio == "gw_ip") { + $display_type_gw_ip = "checked"; + $display_type_monitor_ip = ""; + $display_type_both_ip = ""; + } else if ($selected_radio == "monitor_ip") { + $display_type_gw_ip = ""; + 
$display_type_monitor_ip = "checked"; + $display_type_both_ip = ""; + } else if ($selected_radio == "both_ip") { + $display_type_gw_ip = ""; + $display_type_monitor_ip = ""; + $display_type_both_ip = "checked"; } - ?> - - <div class="radio"> - <label><input name="display_type" type="radio" id="display_type_gw_ip" value="gw_ip" <?=$display_type_gw_ip;?> onchange="updateGatewayDisplays();" /> <?=gettext('Gateway IP')?></label> - </div> - <div class="radio"> - <label><input name="display_type" type="radio" id="display_type_monitor_ip" value="monitor_ip" <?=$display_type_monitor_ip;?> onchange="updateGatewayDisplays();" /><?=gettext('Monitor IP')?></label> + } +?> + <div class="col-sm-6"> + <div class="radio"> + <label><input name="display_type" type="radio" id="display_type_gw_ip" value="gw_ip" <?=$display_type_gw_ip;?> onchange="updateGatewayDisplays();" /> <?=gettext('Gateway IP')?></label> + </div> + <div class="radio"> + <label><input name="display_type" type="radio" id="display_type_monitor_ip" value="monitor_ip" <?=$display_type_monitor_ip;?> onchange="updateGatewayDisplays();" /><?=gettext('Monitor IP')?></label> + </div> + <div class="radio"> + <label><input name="display_type" type="radio" id="display_type_both_ip" value="both_ip" <?=$display_type_both_ip;?> onchange="updateGatewayDisplays();" /><?=gettext('Both')?></label> + </div> </div> - <div class="radio"> - <label><input name="display_type" type="radio" id="display_type_both_ip" value="both_ip" <?=$display_type_both_ip;?> onchange="updateGatewayDisplays();" /><?=gettext('Both')?></label> + </div> + + <br /> + + <div class="panel panel-default col-sm-10"> + <div class="panel-body"> + <div class="table responsive"> + <table class="table table-striped table-hover table-condensed"> + <thead> + <tr> + <th><?=gettext("Gateway")?></th> + <th><?=gettext("Show")?></th> + </tr> + </thead> + <tbody> +<?php + $a_gateways = return_gateways_array(); + $hiddengateways = explode(",", 
$user_settings["widgets"]["gateways_widget"]["gatewaysfilter"]); + $idx = 0; + + foreach ($a_gateways as $gname => $gateway): +?> + <tr> + <td><?=$gname?></td> + <td class="col-sm-2"><input id="show[]" name ="show[]" value="<?=$gname?>" type="checkbox" <?=(!in_array($gname, $hiddengateways) ? 'checked':'')?>></td> + </tr> +<?php + endforeach; +?> + </tbody> + </table> + </div> </div> - <br /> - <button id="submit_settings" name="submit_settings" type="submit" onclick="return updatePref();" class="btn btn-primary btn-sm" value="<?=gettext('Save Settings')?>"> - <i class="fa fa-save icon-embed-btn"></i> - <?=gettext('Save Settings')?> - </button> + </div> - </form> -</div> + <div class="form-group"> + <div class="col-sm-offset-3 col-sm-6"> + <button type="submit" class="btn btn-primary"><i class="fa fa-save icon-embed-btn"></i><?=gettext('Save')?></button> + <button id="showallgateways" type="button" class="btn btn-info"><i class="fa fa-undo icon-embed-btn"></i><?=gettext('All')?></button> + </div> + </div> +</form> -<script type="text/javascript"> +<script> //<![CDATA[ function get_gw_stats() { @@ -140,6 +188,12 @@ $widgetperiod = isset($config['widgets']['period']) ? $config['widgets']['period } events.push(function(){ + $("#showallgateways").click(function() { + $("[id^=show]").each(function() { + $(this).prop("checked", true); + }); + }); + // Start polling for updates some small random number of seconds from now (so that all the widgets don't // hit the server at exactly the same time) setTimeout(get_gw_stats, Math.floor((Math.random() * 10000) + 1000)); 
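Review bot: The new table rows print the gateway name raw in `<td><?=$gname?></td>` and in `value="<?=$gname?>"`, whereas `compose_table_body_contents()` in the same file wraps the name in `htmlspecialchars()`. Gateway names are presumably restricted when they are created, but that validation is not visible here and escaping at output costs nothing: `<td><?=htmlspecialchars($gname)?></td>` and `value="<?=htmlspecialchars($gname)?>"`. Every checkbox also carries the same `id="show[]"`, which is invalid HTML, and the `[id^=show]` selector in the following hunk matches the `showallgateways` button as well.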
@@ -163,7 +217,15 @@ function compose_table_body_contents() { $display_type = "gw_ip"; } + $hiddengateways = explode(",", $user_settings["widgets"]["gateways_widget"]["gatewaysfilter"]); + $gw_displayed = false; + foreach ($a_gateways as $gname => $gateway) { + if (in_array($gname, $hiddengateways)) { + continue; + } + + $gw_displayed = true; $rtnstr .= "<tr>\n"; $rtnstr .= "<td>\n"; $rtnstr .= htmlspecialchars($gateway['name']) . "<br />"; @@ -233,7 +295,7 @@ function compose_table_body_contents() { $online = gettext("Latency"); $bgcolor = "warning"; // khaki } elseif ($gateways_status[$gname]['status'] == "none") { - if ($gateways_status[$gname]['monitorip'] == "none") { + if ($gateways_status[$gname]['monitor_disable'] || ($gateways_status[$gname]['monitorip'] == "none")) { $online = gettext("Online <br/>(unmonitored)"); } else { $online = gettext("Online"); @@ -254,6 +316,18 @@ function compose_table_body_contents() { $rtnstr .= '<td class="bg-' . $bgcolor . '">' . $online . "</td>\n"; $rtnstr .= "</tr>\n"; } + + if (!$gw_displayed) { + $rtnstr .= '<tr>'; + $rtnstr .= '<td colspan="5">'; + if (count($a_gateways)) { + $rtnstr .= gettext('All gateways are hidden.'); + } else { + $rtnstr .= gettext('No gateways found.'); + } + $rtnstr .= '</td>'; + $rtnstr .= '</tr>'; + } return($rtnstr); } ?> diff --git a/src/usr/local/www/widgets/widgets/ntp_status.widget.php b/src/usr/local/www/widgets/widgets/ntp_status.widget.php index b47a6fd..e29f381 100644 --- a/src/usr/local/www/widgets/widgets/ntp_status.widget.php +++ b/src/usr/local/www/widgets/widgets/ntp_status.widget.php 
@@ -105,11 +105,11 @@ if ($_REQUEST['updateme']) { $gps_lon = $gps_lon * (($gps_vars[5] == "E") ? 1 : -1); $gps_alt = $gps_vars[9]; $gps_alt_unit = $gps_vars[10]; - $gps_sat = $gps_vars[7]; + $gps_sat = (int)$gps_vars[7]; $gps_la = $gps_vars[3]; $gps_lo = $gps_vars[5]; } elseif (substr($tmp, 0, 6) == '$GPGLL') { - $gps_vars = explode(",", $tmp); + $gps_vars = preg_split('/[,\*]+/', $tmp); $gps_ok = ($gps_vars[6] == "A"); $gps_lat_deg = substr($gps_vars[1], 0, 2); $gps_lat_min = substr($gps_vars[1], 2) / 60.0; |
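Review bot: `preg_split('/[,\*]+/', $tmp)` collapses runs of delimiters, so a `$GPGLL` sentence with empty fields (a receiver without a fix usually leaves latitude and longitude blank) yields fewer elements and `$gps_vars[6]` no longer points at the status field. Drop the quantifier so field positions stay fixed: `$gps_vars = preg_split('/[,*]/', $tmp);`. The `(int)` cast constrains `$gps_sat`, but `$gps_alt` and `$gps_alt_unit` come from the same receiver input and stay raw strings. They should be escaped wherever they are printed, which is outside this hunk.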