path: root/src/etc
Commit log. Each entry: commit message (Author, Age; Files, Lines -removed/+added), followed by the commit body.
* Fix #6153 (Renato Botelho, 2017-01-12; 1 file, -0/+4)
  Initialize cached IP and Time on loop for RFC2136 items; without this, the items used on the last loop iteration will be used again and the second item on the same interface will not be updated.
* Ticket #6340: (Renato Botelho, 2017-01-12; 1 file, -5/+11)
  - Stop misusing the fsck -F parameter; it's supposed to be used when you plan to run background fsck after filesystems are mounted, which is not the case on pfSense
  - Increase attempts to mount all filesystems as read-write to 10
  - If we cannot mount filesystems as read-write, start a recovery shell and, after it finishes, reboot the system
* Simplify logic (Renato Botelho, 2017-01-11; 1 file, -5/+3)
* Fix #6712 (Renato Botelho, 2017-01-11; 1 file, -1/+1)
  Use system_hosts_entries to generate unbound host_entries.conf
* Ticket #6712: Create system_hosts_entries() (Renato Botelho, 2017-01-11; 1 file, -24/+21)
  This function will return an array with all items to be added to /etc/hosts.
* Ticket #6712: Create system_hosts_dhcpd_entries() (Renato Botelho, 2017-01-11; 1 file, -78/+104)
  This function will return an array with dhcpd and dhcpdv6 items to be added to /etc/hosts.
* Ticket #6712: Create system_hosts_override_entries() (Renato Botelho, 2017-01-11; 1 file, -23/+51)
  This function will return an array with dnsmasq or unbound items to be added to /etc/hosts.
* Ticket #6712: Deprecate read_hosts() (Renato Botelho, 2017-01-11; 1 file, -30/+1)
  Read local items from system_hosts_local_entries()
* Ticket #6712: Create system_hosts_local_entries() (Renato Botelho, 2017-01-11; 1 file, -36/+62)
  This function will return an array with 127.0.0.1, ::1 and LAN (or first interface with no gateway when LAN is not there) items to be added to /etc/hosts.
* Kill dhcpleases after we are sure we can write /etc/hosts (Renato Botelho, 2017-01-11; 1 file, -7/+8)
* Fix style (Renato Botelho, 2017-01-11; 1 file, -58/+111)
* Make sure IP address is v4 before creating /etc/hosts entry (Renato Botelho, 2017-01-11; 1 file, -2/+2)
* Exclude non-qualified hostnames from hosts file. Ticket #6064 (Chris Buechler, 2017-01-11; 1 file, -12/+12)
* Do not write a 'restrict' line to the NTP config if it will be empty. Fixes #7110 (jim-p, 2017-01-11; 1 file, -10/+12)
* Only include files that end with .inc (Renato Botelho, 2017-01-11; 1 file, -2/+3)
* Add requirestatefilter. Implements #7069. (derelict-pf, 2017-01-11; 1 file, -0/+20)
  (cherry picked from commit 0a3150896bc412868cfb79473293ed81c87a50a7)
* Captive portal: make captiveportal_disconnect_all() faster (plumbeo, 2017-01-11; 1 file, -15/+11)
  captiveportal_disconnect_all() removes the users one at a time and in some cases, when many hundreds of users are connected, can take up to several dozen seconds to complete. Instead of looping through all users, send all the accounting information, reset the user database and delete all the active rules and reinit them. Use locking to prevent new users from logging in until the function ends.
  (cherry picked from commit 47f967856ef25557d87430026e8b208a8852381f)
* openvpn, check for valid pid using isvalidpid() (PiBa-NL, 2017-01-11; 1 file, -4/+2)
  (cherry picked from commit a1b39e949ab3a0e53ac4c1837f5d2c02b28142f3)
* openvpn, make sure config is written and not overwritten while starting openvpn, and wait for pid of child process to be written before exiting function (PiBa-NL, 2017-01-11; 1 file, -3/+20)
  (cherry picked from commit 8845e137b630497d47a8ce93fb072e47419f8af5)
* Revert "get_pkg_info() fallback using pkg info if no local copy of repo catalog" (Renato Botelho, 2017-01-10; 1 file, -27/+6)
  This reverts commit 46237e23f35db70a917939609061dce7b7f955f9.
* Correctly report unmonitored gateway status (Phil Davis, 2017-01-05; 1 file, -0/+2)
  If an alternate monitor IP has been entered and saved, then the user checks "Disable Gateway Monitoring" and saves, the alternate monitor IP is retained in the config - that is handy for when unchecking "Disable Gateway Monitoring" later on.
  But the Gateways widget and Status Gateways do not correctly understand this combination. The gateway status shows as "Online" when it is intended to show "Online (unmonitored)". This PR corrects this.
  (cherry picked from commit 0c5d4e8d3e4dc81a9c7eb883a40296493e9faa2b)
* get_pkg_info() fallback using pkg info if no local copy of repo catalog (stilez, 2017-01-05; 1 file, -6/+27)
  *Current behaviour*
  At the moment, get_pkg_info() is used to get all information on packages. The parameter _$local_only_ is set to request info directly from the local copy of the repo catalog (using -U) without requesting the remote repo catalog or updating the local copy from the remote repo catalog. If the calling code wants only installed pkgs, it filters the returned list of pkgs looking for _$pkg['installed'] == true_.
  There are a couple of problems with this method as it stands, due to the behaviour of pkg search -U.
  1. When the remote catalog is requested and the request failed, the local copy is also deleted. If this happens, then pkg search returns an error even with -U, so even if all we wanted to know from get_pkg_info() was the names of locally installed packages, it can't be used for this (even though this info doesn't need access to a remote repo catalog).
  2. This behaviour, and the use of get_pkg_info() as the main method to get a list of installed pfSense packages and their data, means that any time we don't have a network connection or for any reason get_pkg_info() fails to access the repo catalog remotely, we become blocked from *any* inquiry, lookup, listing, or action on *all* optional packages, even if our desired action wouldn't need remote access to complete. We remain unable to do these things until remote repo access is obtained again and a catalog copy can be re-acquired.
  3. This also means that nothing to do with getting installed package information or removal can occur offline either.
  *Change made*
  It's likely that when code explicitly requests $local_only, it isn't expecting or requiring the local copy to be up to date. So I've modified the code as follows:
  1. New optional parameter $installed_only to explicitly request installed pkg info only (faster if we know that no remote request will be needed)
  2. If $local_only is set and pkg search failed, retry falling back to pkg info to at least provide info on matching installed packages. This is probably more helpful than returning an error, as the assumption with $local_only is not "latest data in repo" so no harm done, and it allows pkg code to at least operate on local pkgs at all times, if not other pkgs in the repo.
  (cherry picked from commit e47af756de79d4e8b0356cf22f72f62f09e9ad7d)
* Remove unnecessary reference (Renato Botelho, 2017-01-04; 1 file, -1/+1)
* Captive portal: rework logging and RADIUS accounting when disabling a zone or rebooting (plumbeo, 2017-01-04; 2 files, -28/+31)
  Make captiveportal_radius_stop_all() log the disconnections in the system log and fix it so that it works with the zone id parameter and sends complete RADIUS accounting packets. Since several zones can share the same RADIUS server, send an Accounting-Off packet only when rebooting, not when disabling a zone.
  (cherry picked from commit 3ece6d5404e0d4a53243d12e6b58793fad66dd5a)
* Captive portal: use locking to avoid race conditions between rc.prunecaptiveportal and captiveportal_disconnect_all() (plumbeo, 2017-01-04; 2 files, -10/+20)
  Convert rc.prunecaptiveportal to lock()/unlock()/try_lock() and use the lock to ensure that there aren't race conditions between it and captiveportal_disconnect_all().
  (cherry picked from commit d793617ee9b4c3f66575737df3e8f6cf04e7c782)
* Captive portal: work around race condition between captiveportal_disconnect_all() and captiveportal_prune_old() (plumbeo, 2017-01-04; 1 file, -6/+5)
  captiveportal_disconnect_all() loops through the active users and disconnects them immediately but doesn't remove them from the user database, only adding them to a list that is processed after the end of the loop. Since the loop can take several seconds if there are many users connected, captiveportal_prune_old() can be called after some users have been disconnected but before they're removed from the database.
  When this happens and the user has an idle timeout set, captiveportal_prune_old() tries to find the last activity time and gets an invalid value because the user has already been removed from the fw table, so it uses the login time as last activity time. Finally, if the login time is more than one idle timeout in the past, it tries to disconnect the user again and sends a RADIUS Accounting-Stop packet with termination-cause Idle-Timeout and zero Acct-Input-Octets/Acct-Output-Octets that overwrites the correct packet sent by captiveportal_disconnect_all().
  To work around it, remove the users from the database before disconnecting them (this fixes only the case where captiveportal_disconnect_all() runs before captiveportal_prune_old()).
  (cherry picked from commit 025ec94a3285c129d2e14b00b629e811b83a9330)
* dyndns.class, fix json curl body parsing for Cloudflare by not including headers (PiBa-NL, 2017-01-04; 1 file, -4/+3)
  (cherry picked from commit 15dcf1320c08eb9339eda3e6fdf04599c51694b7)
* Added support for CloudFlare's Proxy. (CarlGill, 2017-01-04; 2 files, -2/+6)
  Included a checkbox to enable and disable this feature when CloudFlare type is selected. Included proxied variable in the update script as well. Defaults to false, as this is the current functionality. Added help text. Updated Last tested date.
  Hope this helps other people. I use both dynDNS and the Proxy service. And by default without this feature, the proxy gets disabled. This is a huge problem, as I have all traffic blocked except for CloudFlare. And because I have certain other security features enabled, when the Proxy goes disabled, the site goes down hard to end users. With this feature, I can ensure the proxy stays enabled.
  (cherry picked from commit e10d25b4c3109347a43a729f8c098138272fe1e7)
* Rework openvpn_vpnid_next() and remove duplicated code (Renato Botelho, 2017-01-04; 1 file, -26/+18)
* Fix #6357: Validate if RFC2136 dyndns updates succeeded (Renato Botelho, 2017-01-03; 1 file, -10/+25)
* Ticket #6096: Add PKG_DBDIR and PKG_CACHEDIR to user environment (Renato Botelho, 2017-01-02; 2 files, -0/+12)
* Ticket #6096: Remove target before trying to move, also use mv -f to avoid human interaction (Renato Botelho, 2017-01-02; 1 file, -4/+6)
* Pass specific filename to tar and rm during rrd backup (Renato Botelho, 2017-01-02; 1 file, -3/+4)
* Standardize privilege name capitalization (Phil Davis, 2017-01-02; 1 file, -36/+36)
  While looking at some privilege stuff, I noticed that various capitalization looked inconsistent down the list. This makes the list look more consistent.
  (cherry picked from commit 48157a04dde7b3a56776417cdc7b5e457a660733)
* add gettext() to icmptype descriptions (stilez, 2016-12-30; 1 file, -43/+43)
  (cherry picked from commit fa16b2f9c1162ec90bed0099c0ae25e36d9fd9b0)
* typo (stilez, 2016-12-30; 1 file, -1/+1)
  (cherry picked from commit 58aa4d7ce3d0c602516e8d7691fc0137b593262c)
* Enhance ICMP rules (stilez, 2016-12-30; 1 file, -64/+50)
  See main PR details
  (cherry picked from commit 4784d8cef74bac4d1397fbfd7312c08912d8890a)
* Add privs to control display of notices (Phil Davis, 2016-12-30; 1 file, -0/+8)
  This is a suggested way to allow control of the display and clearing of notices. The use case is:
  1) A user with minimal page privs (e.g. can just change their password, or access a few status pages or...) should not be automatically able to see notices or clear them. Because notices might contain critical system information which discloses some problem with the system, and clearing them would prevent a full firewall administrator from seeing them.
  For this implementation:
  a) Users with all pages (admin, anyone in the admins group or with pages-all priv) will see notices and can clear them.
  b) Users with user-view-notices can see the notices but not clear them.
  c) Users with user-view-clear-notices can see the notices and also clear them.
  d) Other users do not see notices.
  In its current implementation, this is not totally backward-compatible. Users who have only a few page privs will see notices prior to upgrade, then after upgrade they will not be able to see notices. The firewall administrator will have to grant them user-view-notices or user-view-clear-notices if they wish these users to see and/or clear notices. It would be possible to automatically add these privs to existing users as a config upgrade step, but actually I suspect that in 99% of cases the firewall admin would not really want such users to see/clear notices. Discussion welcome...
  (cherry picked from commit 5280f021be09955252c42b6fe036424b69605dd4)
* Fix #6982: Remove wrong global definition of use_filterdns and pass it as reference (Renato Botelho, 2016-12-30; 1 file, -2/+2)
* Revert "Fix #6920: Do not include stale .inc files" (Renato Botelho, 2016-12-29; 1 file, -50/+21)
  It's 2.4 only, merged accidentally.
  This reverts commit 87913c3053c83c5d8473d6e24f39c38833d75b47.
* Fix #6920: Do not include stale .inc files (Renato Botelho, 2016-12-29; 1 file, -21/+50)
  Packages can declare a function called $pkgname_generate_rules() and it will be executed during the filter reload process, adding the ability for a package to insert necessary firewall rules. Code was listing all files /usr/local/pkg/*.inc and processing all of them without any kind of check, which led to the error reported in #6920. Change the code to read only .inc files that belong to currently installed packages.
* Refactor to use notify_all_remote (Phil Davis, 2016-12-28; 1 file, -2/+1)
  While looking at notices.inc I noticed (pardon the pun) that notify_all_remote did exactly the same as these 2 lines of code. notify_all_remote() might as well be used here, to save having the same code repeated.
  (cherry picked from commit a2e35163df4b1048efac70a7d9a5c9b60de0ed64)
* Remove unused variable (Renato Botelho, 2016-12-28; 1 file, -5/+4)
* Captive portal: add button to disconnect all users (plumbeo, 2016-12-27; 1 file, -0/+26)
  Add a function to disconnect all logged in users and a button to call it in the captive portal status page.
  (cherry picked from commit feab4e54a446050555f4708d173977968f58918d)
* Add new "Ignore client identifiers" DHCP feature (Brett Keller, 2016-12-27; 1 file, -0/+5)
  Exposes the underlying dhcpd configuration option "ignore-client-uids" in the pfSense "Services / DHCP Server" GUI by adding an "Ignore client identifiers" checkbox.
  As of ISC dhcpd version 4.3.0+, there is a new configuration statement available, "ignore-client-uids". According to the ISC's documentation, "If the 'ignore-client-uids' statement is present and has a value of 'true' or 'on', the UID for clients will not be recorded." While this behavior does not strictly adhere to the DHCP specification, it can be very useful in environments where devices on the network dual boot or PXE boot.
  Normally, if the network stacks in a single device's different operating systems (including PXE firmware) make DHCP requests with differing client identifiers, the server will treat each request with a unique identifier as having come from a unique client, even when they come from the same device. Thus, different operating systems on the same device and NIC might hold different leases with different IP addresses.
  Once activated, the "ignore-client-uids" option tells the DHCP server not to record client identifiers in new DHCP leases, which forces the server to fall back on hardware (MAC) addresses to uniquely identify clients. Now different operating systems on the same device and NIC will hold the same lease (based on MAC address), which should keep a device's IP address consistent regardless of its currently running operating system.
  Same as with most other general and pool-specific DHCP server options in pfSense, note that turning on this option only affects new leases. Any leases that existed prior to enabling this option will still contain their respective client identifiers. Manually deleting older leases or flushing the entire lease table can expedite a full migration to the new server behavior, if desired.
  (cherry picked from commit 11ee0c6d6f311215411cc0d15298ad075864ad2e)
* Add case for 59 to prefix functions (Phil Davis, 2016-12-27; 1 file, -0/+2)
  Maybe these functions should have a case added for prefix length 59?
  (cherry picked from commit 231fe9543c696bb2dcdc7f090a561fe74ff8e9a7)
* Fix #3560 correctly handle disabled static routes (Phil Davis, 2016-12-27; 5 files, -7/+18)
  1) util.inc - add parameter to get_staticroutes() so the caller can choose to see all static routes or only the ones that are currently enabled.
  2) filter.inc - just process enabled static routes when making direct networks list, tonathosts etc.
  3) services.inc - only include enabled static routes when making configs for DHCP(6) Relay.
  4) unbound.inc - only include enabled static routes in unbound_acls_config
  5) rc.newroutedns - only trigger if there is an enabled static route.
  Note: GUI validation has been left as-is. e.g. in system_gateways we do not allow deleting a gateway if there is a disabled static route using it... If people want to delete "higher level" stuff, then they need to first delete the disabled static route(s). Otherwise it will get rather "risky" having disabled static routes in the config that refer to gateways that no longer exist, or have a subnet range that now matches a local interface or...
  (cherry picked from commit cf08b49e20810a0aa953561892b1d5bee353957e)
* Fix nested aliases with FQDN (Fixes #6982) (Renato Botelho, 2016-12-27; 1 file, -4/+3)
  Make $use_filterdns a parameter. It needs to be persistent across recursive calls, otherwise it ends up not adding necessary items to filterdns depending on how items are sorted.
* Refactor interface_has_dhcp (Phil Davis, 2016-12-22; 1 file, -19/+21)
  to reduce nesting
  (cherry picked from commit 5e22050335c939572a43fd7b3e161d7ede5ff5a0)
* Fix #7031 Allow interfaces that use DHCP for OpenVPN (Phil Davis, 2016-12-22; 1 file, -0/+46)
  even though the interface (or gateway group) has not yet actually received an IP address. This is useful when setting up a new system that is currently offline.
  (cherry picked from commit 0f2cf2a1c47192e8394cbcec6ee291b7e753ac4b)