Commit message (Author, Age, Files changed, Lines removed/added)

* fix up text (Chris Buechler, 2015-01-07, 6 files, -8/+8)

* fix strongswan conf file generation with ipcomp. Ticket #4182 (Chris Buechler, 2015-01-07, 1 file, -1/+1)

* Fixes #4188 use the same reqid over same phase1 but different phase2 connections. (Ermal LUÇI, 2015-01-08, 1 file, -1/+1)
  The dashboard will be fixed with the ticket already open. This should fix a lot of instabilities reported on the forums for people having a dozen or more tunnels.

* Correct the sense of the check; by default unity is enabled (Ermal LUÇI, 2015-01-07, 1 file, -2/+2)

* Provide an advanced setting to be able to disable Unity Plugin (Cisco extensions) (Ermal LUÇI, 2015-01-07, 2 files, -1/+21)

* Move to specifically specifying the ID type apart when an IP address to have strongswan do proper behaviour. (Ermal LUÇI, 2015-01-07, 2 files, -31/+35)
  Also for DynDNS names use the dns type id so strongswan does the resolving by its own.

* Don't hard code the target IP in auto-generated outbound NAT rules, use previous behavior of setting it to the interface IP. (Chris Buechler, 2015-01-07, 1 file, -2/+2)

* split is deprecated, move to explode (Ermal LUÇI, 2015-01-07, 1 file, -2/+2)

* split is deprecated, move to explode (Ermal LUÇI, 2015-01-07, 1 file, -2/+2)

* split is deprecated, move to explode (Ermal LUÇI, 2015-01-07, 1 file, -4/+4)

* split is deprecated, move to explode (Ermal LUÇI, 2015-01-07, 1 file, -1/+1)

* fix text (Chris Buechler, 2015-01-07, 1 file, -1/+1)

* fix spelling of compression (Chris Buechler, 2015-01-07, 2 files, -7/+7)

* Fixes #4182 by properly managing IPcomp on ipsec tunnels. (Ermal LUÇI, 2015-01-07, 3 files, -15/+19)
  Also retires IPsec force reloading advanced sysctl since it's useless nowadays with strongswan and remove its call on rc.newipsecdns.

* Fix #4146: (Renato Botelho, 2015-01-07, 1 file, -2/+2)
  OpenVPN creates the tun/tap interface and, when an IP address is set on it, marks it as UP. In some scenarios, when TAP is set as bridge and doesn't have an IP address set on it, it never goes up and the tunnel doesn't work. If rc.newwanip is called for this TAP interface, the UP flag is set, but rc.newwanip is not executed when the system is booting. Since it always renames the interface and adds it to the group, make sure it's up here.

* Log PHP errors. Ticket #4143 (Chris Buechler, 2015-01-07, 1 file, -0/+10)

* Enforce subnet check here to avoid any issues resulting from function call. (Ermal LUÇI, 2015-01-06, 2 files, -2/+2)

* Remove useless check, CARP does not depend on interface having another IP set before (Renato Botelho, 2015-01-06, 1 file, -16/+0)

* Remove some extra spaces (Renato Botelho, 2015-01-06, 1 file, -2/+2)

* Fix typo on variable name (Renato Botelho, 2015-01-06, 1 file, -1/+1)

* Tighten and IPv6-ify gen_subnet() etc (stilez, 2015-01-06, 1 file, -27/+39)
  Tightens, canonicalises and improves for IPv6 the functions gen_subnet(), gen_subnetv6(), gen_subnet_max(), gen_subnetv6_max(). Changes are transparent to calling code.

  Issues:
  1) gen_subnet() and gen_subnet_max() will validate both IPv4 and IPv6 as valid args, but will then try to process an IPv6 subnet bitwise as x32 LONG without further checking, causing erroneous but apparently valid responses.
  2) None of the functions properly sanitise their input: if $bits is >32 or >128, or even a non-integer, erroneous results will be passed back to the calling code as valid data without checking, again causing erroneous but apparently valid responses.
  3) 3 of the 4 functions return an empty string for invalid but gen_subnetv6_max() returns a numeric value for invalid. Both responses loosely evaluate as False, but consistency is better.

  Fixes and improvements:
  1) The unspecified functions gen_subnet() and gen_subnet_max() now handle all args correctly, and don't mishandle if unexpectedly passed IPv6 or bad data.
  2) Names are now canonical: gen_subnet(), gen_subnet_max() are now IPv4/v6 agnostic, and IPv4-only versions gen_subnetv4() and gen_subnetv4_max() are added as expected to exist, to match existing functions gen_subnetv6() and gen_subnetv6_max().
  3) The return value for bad args is made consistent (empty string = False).
  4) gen_subnetv6_max() now uses Net_IPv6's Ip2Bin() and Bin2Ip() functions and simple string manipulation rather than bitwise operations, so it's guaranteed 32-bit safe (compared to 128-bit bitwise operations in current code which seem less certain?)
  5) Changes are transparent - the canonical functions still work exactly as before on IPv4 (only with proper bad arg validation) but also now work on IPv6 transparently, and on arbitrary IPv4/IPv6 data, similar to other functions like is_ipaddr().

  Tested and handles valid but uncommon edge cases of /0, /32 (IPv4) and /128 (IPv6) correctly.
  Also avoids inet_ntop/pton if that's a real issue (previous PR comment had asked to avoid these functions).

* OpenVPN backend authentication fix key and translation (Phil Davis, 2015-01-06, 1 file, -3/+3)
  The array returned by auth_get_authserver_list() has key as the fixed name of each available authentication mode - e.g. "Local Database". The array value ["name"] has the name string translated into the selected GUI language. Use the key to determine which items are selected, and as the value that ends up being stored in the config. Use ["name"] for display.
  Forum report: https://forum.pfsense.org/index.php?topic=86326.0
  Redmine Bug #4180

* Revert "FreeBSD fails to set advskew back to 0 after you set it to any other" (Renato Botelho, 2015-01-06, 1 file, -16/+4)
  A patch was added to allow setting advskew back to 0. This reverts commit eea2ad5d61b2cbcf2957207fb0f13769c203cb36.

* Add secure flag when necessary to cookie_test, as we do for session cookie, to avoid false positives in common vulnerabilities scanners. It fixes #4069 (Renato Botelho, 2015-01-06, 1 file, -1/+9)

* Allow IPv6 on loopback needs quick (Phil Davis, 2015-01-05, 1 file, -2/+2)
  The following block uses "quick" which causes that block to come into effect before the "pass in" here. The pass rule also needs to be "quick". Problem noted by Andy Sayler on https://redmine.pfsense.org/issues/4074
  Before this change, an attempt to manually do something local with IPv6 fails:
    [2.2-RC][root@xxx]/root: ntpq -pn
    ntpq: write to localhost failed: Operation not permitted
  After this change, it works:
    [2.2-RC][root@xxx]/root: ntpq -pn
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
    *27.114.150.12   193.190.230.65   2 u   21   64  377 1424.66 -126.52 371.131
  Note that there are other pass rules later for IPv6 necessary functions, loopback... that do not have "quick". Those are correct and help to allow various essential IPv6 stuff, but still let someone block it with user rules (which will have quick), in the case when IPv6 Allow is checked. This one here is just for the special case of IPv6 Allow not set, and in this case this special IPv6 pass-block sequence needs to be done with "quick" so we can be sure it applies regardless of whatever other IPv6 might come later.

* Limit unbound so-rcvbuf: 8m (Phil Davis, 2015-01-05, 1 file, -1/+5)
  Issue reported here: https://forum.pfsense.org/index.php?topic=78356.msg472781#msg472781
  Most unbound doc places mention setting it at up to 8m. I'm sure it would be possible to investigate more and find a way to make unbound+FreeBSD be able to go higher than 8m. But probably 8m is sufficient for everyone anyway (judging by what the unbound docs seem to assume will be a good value on a busy system). Anyway, here is my easy fix for this. Someone else feel free to investigate more if they really need to set so-rcvbuf higher.

* Fix #4090: (Renato Botelho, 2015-01-05, 5 files, -5/+12)
  - Unbound advanced options may contain double quotes and it breaks the syntax when a backup is restored because newlines are trimmed. Saving it in base64 format is a safe way to prevent it
  - Bump config version to 11.5
  - Provide upgrade code to encode current config or the one that came from unbound package on 2.1.5

* It's supposed to remove windows EOL here, not ; (Renato Botelho, 2015-01-05, 1 file, -1/+1)

* Make it possible to backup/restore 'DNS Resolver' section individually (Renato Botelho, 2015-01-05, 1 file, -0/+1)

* Do not monitor a gateway that has not got DHCP yet (Phil Davis, 2015-01-05, 1 file, -0/+3)
  When an interface is waiting to get DHCP, but the cable is physically-electrically connected to the upstream device, the interface has an IPv4 address 0.0.0.0 - that was getting past here and, if the interface gateway had a monitor IP specified, that monitor IP was being put into apinger.conf and being monitored. Because the interface has not got a gateway yet, no static route is added to force the traffic for the monitor IP out the particular interface. So the traffic to the monitor IP can follow the default route and perhaps succeed in getting out another WAN to the monitor IP.
  The downstream results of this were:
  1) Gateway status appears up and reports real RTT and Loss statistics, even though the interface is down.
  2) Generation of rules for a gateway group that has this gateway as tier1 will think it is up, and thus try to policy-route traffic to it - which then does not get anywhere.
  3) DynDNS status of a gateway group that has this gateway as tier1 shows the cached IP in red - it thinks the interface/gateway is up and tries to find the public IP by trying to get to checkip.dyndns.com through the interface/gateway. That of course fails.
  4) I'm sure there are other things that depend on checking gateway and gateway group status that would also be getting it wrong in this condition, because apinger is being told to monitor, and manages to successfully monitor, an interface/gateway that has not yet got DHCP.
  When waiting for DHCP, ifconfig shows like this on my system (WAN is on a cable to a VLAN switch):
    vr0_vlan70: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            ether 00:0d:b9:24:59:c0
            inet6 fe80::20d:b9ff:fe24:59c0%vr0_vlan70 prefixlen 64 scopeid 0xf
            inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
            vlan: 70 vlanpcp: 0 parent interface: vr0
  From what I can see, this little 2-line fix ends up correcting all the downstream effects I listed above. Should fix RedMine #4094

* Fix track6 prefix id range check, reported by jimp (Renato Botelho, 2015-01-02, 1 file, -1/+1)

* Allow blank source port in diag_testport (Phil Davis, 2015-01-02, 1 file, -15/+10)
  Reported by forum https://forum.pfsense.org/index.php?topic=86146.0
  Also, if there are input validation errors, save the user-entered data and re-display it, making it easier for the user to just correct the data in error and press Test again. It was blanking out all the entered data.

* Fix lineup of copyright lines (Phil Davis, 2015-01-01, 296 files, -1503/+1578)
  and module names and other bits of formatting and typos in header comment sections.

* Remove duplicate copyright (Phil Davis, 2015-01-01, 3 files, -4/+1)
  Noticed these had the copyright twice

* Use binat, not nat, where IPsec NAT is configured with an address for local and NAT. Ticket #4169 (Chris Buechler, 2014-12-31, 1 file, -10/+6)

* Welcome 2015 (Renato Botelho, 2014-12-31, 299 files, -305/+305)

* Add config upgrade code to make sure iketype is set, bump config version to 11.4. It fixes #4163 (Renato Botelho, 2014-12-31, 3 files, -2/+14)

* libreadline.so.6 is not supposed to be obsoleted, fixes #4159 (Renato Botelho, 2014-12-31, 1 file, -1/+0)

* Allow IPv6 on loopback even where IPv6 is otherwise disabled. (Chris Buechler, 2014-12-31, 1 file, -0/+3)
  The intent of that feature is to prevent IPv6 from communicating on the network. Blocking it on localhost can result in issues and is unnecessary. Ticket #4074

* Reload Unbound after IP changes, to fix issues noted in Ticket #4095. (Chris Buechler, 2014-12-30, 2 files, -0/+7)
  Do so before Dynamic DNS updates occur to ensure the host has functioning DNS.

* IPsec Widget allow for old settings that have no iketype (Phil Davis, 2014-12-30, 1 file, -1/+1)
  as mentioned in https://forum.pfsense.org/index.php?topic=84527.msg471919#msg471919
  This change makes it work like similar if tests in /usr/local/wwwvpn_ipsec.php, and code in /etc/inc/vpn.inc that effectively defaults to ikev1 when iketype is not specified. This should make the code here be executed and make $ikeid get the correct value to be used in later code.

* Allow for old settings that have no iketype (Phil Davis, 2014-12-30, 1 file, -1/+1)
  This bit of code looks like it could do with the same test as https://github.com/pfsense/pfsense/pull/1412
  This is executed when the "Connect" button is pressed from Status->IPsec
  Somebody with these problematic old IPsec entries could test this - with current code I suspect that disconnect followed by connect - it will not connect. With this change it will (might?) connect again.

* Only set route-to and reply-to on ESP and ISAKMP rules if the remote endpoint is not within the parent interface's subnet. Ticket #4157 (Chris Buechler, 2014-12-30, 1 file, -12/+18)

* Check for fqdn peerid/myids and prepend @ so strongswan does not try to be smart. (Ermal, 2014-12-30, 1 file, -3/+3)
  Also use %any for myid instead of risking putting the wrong value in the secrets file for traffic selector

* Check for fqdn peerid/myids and prepend @ so strongswan does not try to be smart. (Ermal LUÇI, 2014-12-30, 1 file, -5/+13)
  Also use %any for myid instead of risking putting the wrong value in the secrets file for traffic selector

* Oops this should be 0s rather than 00. Linked with Ticket #4158 (Ermal, 2014-12-30, 1 file, -3/+3)

* ipsec_smp_dump_status get out of loop if error (Phil Davis, 2014-12-30, 1 file, -0/+7)
  when reading response from socket. Otherwise it would be in a loop and end up like: https://forum.pfsense.org/index.php?topic=86039.msg471848#msg471848
    PHP Fatal error: Maximum execution time of 900 seconds exceeded in /etc/inc/ipsec.inc on line 383
  This code runs on my system, but I do not know how to induce the possible loop condition to actually test if it would really break out and return nicely.

* Unbreak IPsec rules generation for IPsec over CARP. Should help even Ticket #4157 (Ermal LUÇI, 2014-12-30, 1 file, -1/+1)

* Use base64 encoded secrets which Fixes #4158 (Ermal LUÇI, 2014-12-30, 1 file, -4/+4)

* Captive portal spelling (Phil Davis, 2014-12-30, 1 file, -2/+2)