path: root/src/etc/inc/util.inc
Commit message [Author, Age, Files, Lines]
* Move to Apache License 2.0 [Renato Botelho, 2016-07-15, 1 file, -41/+9]
|
* Review license / copyright on all files (final round) [Renato Botelho, 2016-07-15, 1 file, -1/+1]
|
* Review license / copyright on all files (1st round) [Renato Botelho, 2016-07-14, 1 file, -43/+42]
|
* Merge pull request #3007 from stilez/patch-34 [Chris Buechler, 2016-07-12, 1 file, -6/+3]
|\
| * simplify subnet_size() [stilez, 2016-06-17, 1 file, -6/+3]
| |     is_ipaddr() returns the type of IP if valid. Use this to simplify the function
* | Leave an empty file for URL Table aliases that return an empty file, and ↵ [Chris Buechler, 2016-07-06, 1 file, -1/+5]
| |     include it in the ruleset regardless so it doesn't generate any filter errors. Ticket #6181
* | Merge pull request #2764 from NewEraCracker/redmine-6011 [Chris Buechler, 2016-06-30, 1 file, -2/+2]
|\ \
| * | Fix Redmine #6011 [NewEraCracker, 2016-06-15, 1 file, -2/+2]
| |/
| |     This will add linklocal fallback where no IPv6 is otherwise configured to allow login using these IPs
* | bring back subnetv4_expand function used by pfblockerng [Chris Buechler, 2016-06-25, 1 file, -0/+14]
| |
* | Remove subnet_expand() [stilez, 2016-06-17, 1 file, -24/+0]
|/
|     Function isn't used in main or packages repo, and in any case would need a complete rewrite to handle IPv6.
* Rename /etc/devd.conf -> /etc/pfSense-devd.conf and change start_devd() [Renato Botelho, 2016-05-30, 1 file, -1/+3]
|
* This was correct already. Revert "Allow uppercase letters in ↵ [Chris Buechler, 2016-05-05, 1 file, -1/+1]
|     is_unqualified_hostname as well."
|     This reverts commit 94ccdcb8a4d6f7789fd39c4b6e9876bb689de9a4.
* Allow uppercase letters in is_unqualified_hostname as well. [Chris Buechler, 2016-05-05, 1 file, -1/+1]
|
* Provide better messages for invalid alias name errors [Phil Davis, 2016-04-28, 1 file, -13/+49]
|
* Includes - Remove Personalizations [NOYB, 2016-04-04, 1 file, -2/+2]
|     Remove "you" personalizations.
* Move NTP access restrictions to their own tab and add the ability to craft ↵ [jim-p, 2016-03-03, 1 file, -0/+10]
|     custom restrictions for arbitrary networks. Fixes #4463
* Diagnostics / Tables - URL Table Aliases [NOYB, 2016-02-29, 1 file, -3/+6]
|     Handle URL table aliases similar to bogons tables.
|     Suppress record remove buttons.
|     Update (download) only the selected URL table alias instead of all of them.
|     Retain full line comments in downloaded URL table files so we can view and use them.
|     When URL table file full line comments are present, provide view option in info box.
|     Increase ability to extract last update date from wider variety of URL table file comments.
* It is not necessary check for CARP interfaces. [Luiz Otavio O Souza, 2016-02-25, 1 file, -1/+0]
|
* Don't trigger an interface mismatch for lagg interfaces, they may not exist ↵ [Chris Buechler, 2016-02-19, 1 file, -0/+3]
|     at time of config restore. Ticket #5892
* Validate URL table ports aliases exist before using them in a rule. Ticket #5845 [Chris Buechler, 2016-02-19, 1 file, -1/+15]
|
* Internationalize etc inc uvx [Phil Davis, 2016-02-19, 1 file, -3/+3]
|
* Quote the 1st parameter (constant name) when calling define() [NewEraCracker, 2016-02-18, 1 file, -3/+3]
|
* Simplify logic increasing value direct in hexa, PHP is smart to do it right. ↵ [Renato Botelho, 2016-02-17, 1 file, -4/+2]
|     Spotted by @loos-br
* Implement get_v6_ptr_zones() [Renato Botelho, 2016-02-17, 1 file, -0/+52]
|     This function takes an IPv6 subnet and returns an array containing all DNS PTR zones
* Fix the return value if no matching VIP was found. [Luiz Otavio O Souza, 2016-02-16, 1 file, -1/+1]
|
* Implement a switch that allows get_configured_vip_list() return only the ↵ [Luiz Otavio O Souza, 2016-02-16, 1 file, -3/+15]
|     selected type of VIP addresses: CARP, IP alias or all VIPs (default).
|     It seems that a few packages still rely on this.
|     Ticket #5885
* Fix style issues. [Chris Buechler, 2016-02-09, 1 file, -6/+11]
|
* Review of CARP uniqid changes. [Luiz Otavio O Souza, 2016-02-09, 1 file, -80/+70]
|     It turns out that current CARP implementation is not much different from an IP alias.
|
|     This commit converts the IP alias to also use the CARP uniqid scheme, this simplifies the code in all other places because now we have only two different cases to deal with:
|     - A friendly interface name (lan, wan, opt1, etc.);
|     - A Virtual IP - VIP alias (_vip{$uniqid}) - CARP or IP Alias.
|
|     The parent of a CARP is always a friendly interface.
|     The parent of an IP alias can be a friendly interface or a CARP (this is the only case of recursion of a VIP).
|
|     This commit removes a few cases where CARP were still considered an interface (the old CARP implementation), fixes all the wrong cases of strpos() being used to detect a VIP address (won't work as it returns '0' which fails when tested as 'TRUE'), review the usage of CARP and IP alias as services bind addresses, fixes general issues of adding and editing VIP addresses.
|
|     The following subsystems were affected by these changes:
|     - IPSEC;
|     - OpenVPN;
|     - dnsmasq;
|     - NTP;
|     - gateways and gateway groups;
|     - IPv6 RA;
|     - GRE interfaces;
|     - CARP status;
|     - Referrer authentication.
|
|     Fixes (and/or revisit) the following tickets:
|     - Ticket #3257
|     - Ticket #3716
|     - Ticket #4450
|     - Ticket #4858
|     - Ticket #5441
|     - Ticket #5442
|     - Ticket #5500
|     - Ticket #5783
|     - Ticket #5844
* Use IEC KiB MiB GiB TiB units [Phil Davis, 2016-02-09, 1 file, -4/+4]
|     See forum https://forum.pfsense.org/index.php?topic=106547.0 for discussion if this is wanted.
* Add support for TB when reporting bytes [Phil Davis, 2016-02-07, 1 file, -1/+3]
|     Forum: https://forum.pfsense.org/index.php?topic=106470.0
|     I believe that this should work OK on both 32 and 64 bit systems. A 32-bit system will convert big values of $bytes and big numbers like 1099511627776 to float first, then do the comparison. 64-bit systems will do (int) comparisons. Either way, in the end, the value is sprintf() into a float anyway.
|     I have tested on a 64-bit system. I don't have access to a 32-bit system right now, so somebody should check that to make sure my theory works in practice.
* Merge pull request #2435 from stilez/patch-7 [Renato Botelho, 2016-02-04, 1 file, -7/+39]
|\
| * variable [stilez, 2016-01-14, 1 file, -4/+4]
| |     Used explode to array rather than to a list, and tested array size, so as not to assume it has exactly 2 parts separated by "/".
| * fixing comment [stilez, 2016-01-14, 1 file, -10/+7]
| |
| * Subnet size logic [stilez, 2016-01-14, 1 file, -7/+42]
| |
* | Simplify is_linklocal() [Renato Botelho, 2016-02-04, 1 file, -20/+9]
| |
* | Merge pull request #2320 from stilez/patch-3 [Renato Botelho, 2016-02-04, 1 file, -14/+33]
|\ \
| * | REBASE of #1786 and #1788, tightening three IP functions [stilez, 2015-12-23, 1 file, -14/+33]
| | |     Resubmit of two PRs that couldn't be merged due to basecode conflicts
| | |
| | |     is_linklocal() - tightened and made correctly IPv4/v6 agnostic per RFCs
| | |     is_literalipaddrv6() - simplified
| | |     is_hostnamewithport() - simplified
| | |
| | |     IS_LINKLOCAL()
| | |
| | |     is_linklocal has a few issues, including validating as linklocal, addresses that aren't linklocal according to RFC 4291, validating as a linklocal address input that could contain arbitrary text/no validation of reasonableness on any %(scope/interface) present, and appearing from its function name to be suitable for all linklocal addresses but actually not IPv4/v6 agnostic.
| | |
| | |     1) IPv4/6 agnostic: while IPv4 linklocal testing isn't much needed, not it should probably be recognised because some code handling linklocal may reasonably expect is_linklocal() to be IPv4/IPv6 agnostic.
| | |     2) For IPv6, it tests at least, that the purported scope/interface is [0-9a-z]+ otherwise user input or other text such as "fe80::%\n;ARBIRARYTEXT;" would be validated as a linklocal address and inserted into pf and perhaps other places without further detection, leading to possible vulnerabilities. Also tests scope/interface for a reasonable length of <= 64 chars "just in case". But it doesn't test more than this (and probably should test for valid scope/interface if present).
| | |     3) Follows RFC 4291 exactly: IPv6 linklocal isn't just "fe80::", it requires the rest of the first 64 bits to be zero too. The RFC defines it as '1111111010' + 54 zeros (Ref: https://tools.ietf.org/html/rfc4291#section-2.5.6 )
| | |     4) Returns 4 or 6 to give a more exact response to the calling function as to whether the match was an IPv4 linklocal or IPv6 linklocal address (both evaluate to True for Boolean test purposes such as "if (is_linklocal(...))")
| | |
| | |     Note: Net_IPv6::_Ip2Bin() can return shorter binary strings for IPv4 or "junk" input. So this code tests that it returned a 128 bit length, which ensures it was meaningful IPv6.
| | |
| | |     IS_HOSTNAMEWITHPORT()
| | |     simplified - we don't need to pop() or assign a new variable just to test 2nd member of the array
| | |
| | |     IS_LITERALIPADDRV6()
| | |     simplified - we don't need an expensive preg_match() to test if it's a valid IPv6 wrapped in "[" ... "]"
* | | Cosmetic changes - part deux [Stephen Beaver, 2016-01-28, 1 file, -1/+1]
| | |     Calculate colspans in case number of columns change again
| | |     "bytes" => "B" to reduce column width
* | | Show rule state details in firewall rules. [Luiz Otavio O Souza, 2016-01-28, 1 file, -0/+13]
| | |     Inspired by pull request #1901 from marcelloc/hitcount_23_02.
| | |     State visualization and kill will be committed in a subsequent commit.
* | | should be min($bits1, $bits2) for 'largest subnet' [stilez, 2016-01-18, 1 file, -2/+2]
| | |
* | | 5 or 6 [stilez, 2016-01-13, 1 file, -1/+1]
| | |
* | | fix $subnet1 should be $subnet2, thanks rbgarba [stilez, 2016-01-13, 1 file, -2/+2]
| | |
* | | fix 4 should be 6 (thanks, good catch) [stilez, 2016-01-13, 1 file, -3/+3]
| | |
* | | Fix logic for subnet overlap check + canonical for IPv6 [stilez, 2016-01-13, 1 file, -24/+32]
| |/
|/|
| |     The subnet overlap functions came up as a concern while fixing redmine 5702. Specifically -
| |
| |     The "canonical" function check_subnets_overlap() doesn't handle IPv6 (util.inc has standardised on v4/v6/agnostic versions, but this doesn't fit). Fixed by adding transparent detection of v4/v6 and a specific IPv4-only version
| |
| |     The IPv6 version is wrong (if sub1 *contains* sub2 then neither of sub1's endpoints will be detected as "inrange" of sub2 and result will be incorrect: this logic error has been fixed recently in other code too)
| |
| |     Bad data isn't detected - this still isn't detected for compatibility and is tagged "FIXME" instead to look at in future. Reason - not to break anything, at present always returns "overlap = true/false", not "true/false/invalid input".
| |
| |     because CIDR overlap implies containment, the IPv4 version uses a very efficient logic, namely calculates largest size subnet and checks this is same for both. Adopting this for both, and simplifying, makes these functions far "neater"
| |
| |     The old v4 version allowed for non-numeric $bits which doesn't make sense and I've omitted. Cannot think of a single situation where we would provide empty or bad data when we actually mean a /32 single IP.
| |
| |     Solution in this commit - a canonical "overlap" test (IPv4/IPv6 agnostic), IPv4/v6 "overlap" versions that actually do the work, in each case using the same logic as the old v4 (identify largest bit size and test if subnets created are valid and identical), and tag lack of "bad data" detection as fixme for now, returning FALSE instead to avoid breaking anything until fixed.
| |
| |     Should be transparent from outside.
* | This broke things again. Revert "data sanitising: ip2long32, ip2ulong, ↵ [Chris Buechler, 2015-12-23, 1 file, -12/+5]
| |     long2ip32 (FIXED RESUBMIT of #2152)"
| |     This reverts commit 4557e3fba627c91c37afba04681cdabf71eccf57.
* | data sanitising: ip2long32, ip2ulong, long2ip32 (FIXED RESUBMIT of #2152) [stilez, 2015-12-23, 1 file, -5/+12]
|/
|     Self explanatory. If these functions find themselves trying to convert non-int data (or an x64 int with non-zeros in any bits >32) to dotted IPv4, or non-dotted IPv4 to integer IPv4 values, something's wrong and they shouldn't return a value that looks like they succeeded.
|
|     The original PR caused issues with VPN. This was because, to check the presence of any bits beyond #32 were zero (if INT was 64 bits or larger), the operator >>32 was used. Unfortunately this was undefined on x32 platforms. (See https://forum.pfsense.org/index.php?topic=104175 ). The fix below was tested on x32, on the same thread.
|
|     TEST PR'ed IN #2152 (FAILS ON x32):
|         return ((is_int($ip) && ($ip >> 32) == 0) ? long2ip($ip & 0xFFFFFFFF) : '');
|
|     TEST NOW USED (SEEMS RELIABLE ON ALL SYSTEM INT SIZES):
|         return ((is_int($ip) && ($ip & ~0xFFFFFFFF) == 0) ? long2ip($ip & 0xFFFFFFFF) : '');
|
|     Other than this line and a comment, this code is identical to PR #2152
* Silence array_map() call to avoid getting unlink errors for directories [Renato Botelho, 2015-12-21, 1 file, -1/+1]
|
* Reverts PR2152 reported as causing OpenVPN issues here: ↵ [Stephen Beaver, 2015-12-18, 1 file, -5/+3]
|     https://forum.pfsense.org/index.php?topic=104175.0
* Fix gen_subnetv4_max [Phil Davis, 2015-12-18, 1 file, -1/+1]
|     and use it in services_dhcp rather than trying to do the similar calculation in-line.
|     Should fix redmine #5654 and probably a bunch of other things that use gen_subnet_max
* util.inc syntax error and code style [Phil Davis, 2015-12-16, 1 file, -29/+32]
|     Line 578 of the previous commit had a bonus ")".
|     Code style also fixed up.