From e10d25b4c3109347a43a729f8c098138272fe1e7 Mon Sep 17 00:00:00 2001 From: CarlGill Date: Mon, 5 Sep 2016 21:28:05 -0400 Subject: Added support for CloudFlares Proxy. Included a checkbox to enable and disable this feature when CloudeFlare type is selected. Included proxied variable in the update script as well. Defaults to false, as the is the current functionality Added help text Updated Last tested date Hope this helps other people. I use both dynDNS and the Proxy service. And by default without this feature, the proxy gets disabled. This is a huge problem, as I have all traffic blocked except for CloudFlare. And because I have certain other security features enabled, when the Proxy goes disabled, The Site goes down hard to end users. With this feature, I can ensure the proxy stays enabled. --- src/etc/inc/dyndns.class | 7 +++++-- src/etc/inc/services.inc | 1 + src/usr/local/www/services_dyndns_edit.php | 29 +++++++++++++++++++++++++++++ 3 files changed, 35 insertions(+), 2 deletions(-) diff --git a/src/etc/inc/dyndns.class b/src/etc/inc/dyndns.class index 270abd5..875a646 100644 --- a/src/etc/inc/dyndns.class +++ b/src/etc/inc/dyndns.class @@ -95,7 +95,7 @@ * SelfHost - Last Tested: 26 December 2011 * Amazon Route 53 - Last tested: 01 April 2012 * DNS-O-Matic - Last Tested: 9 September 2010 - * CloudFlare - Last Tested: 17 July 2016 + * CloudFlare - Last Tested: 05 September 2016 * CloudFlare IPv6 - Last Tested: 17 July 2016 * Eurodns - Last Tested: 27 June 2013 * GratisDNS - Last Tested: 15 August 2012 @@ -133,6 +133,7 @@ var $_FQDN; var $_dnsIP; var $_dnsWildcard; + var $_dnsProxied; var $_dnsMX; var $_dnsBackMX; var $_dnsServer; 
@@ -164,7 +165,7 @@ * - $For custom requests, $dnsUpdateURL is parsed for '%IP%', which is replaced with the new IP. */ function updatedns ($dnsService = '', $dnsHost = '', $dnsDomain = '', $dnsUser = '', $dnsPass = '', - $dnsWildcard = 'OFF', $dnsMX = '', $dnsIf = '', $dnsBackMX = '', + $dnsWildcard = 'OFF', $dnsProxied = false, $dnsMX = '', $dnsIf = '', $dnsBackMX = '', $dnsServer = '', $dnsPort = '', $dnsUpdateURL = '', $forceUpdate = false, $dnsZoneID ='', $dnsTTL='', $dnsResultMatch = '', $dnsRequestIf = '', $dnsID = '', $dnsVerboseLog = false, $curlIpresolveV4 = false, $curlSslVerifypeer = true) { @@ -233,6 +234,7 @@ $this->_dnsServer = $dnsServer; $this->_dnsPort = $dnsPort; $this->_dnsWildcard = $dnsWildcard; + $this->_dnsProxied = $dnsProxied; $this->_dnsMX = $dnsMX; $this->_dnsZoneID = $dnsZoneID; $this->_dnsTTL = $dnsTTL; @@ -727,6 +729,7 @@ $hostData = array( "content" => "{$this->_dnsIP}", "type" => "{$recordType}", + "proxied" => $this->_dnsProxied, "name" => "{$this->_dnsHost}" ); $data_json = json_encode($hostData); diff --git a/src/etc/inc/services.inc b/src/etc/inc/services.inc index 0d4ab92..259f791 100644 --- a/src/etc/inc/services.inc +++ b/src/etc/inc/services.inc @@ -1951,6 +1951,7 @@ function services_dyndns_configure_client($conf) { $dnsUser = $conf['username'], $dnsPass = $conf['password'], $dnsWildcard = $conf['wildcard'], + $dnsProxied = $conf['proxied'], $dnsMX = $conf['mx'], $dnsIf = "{$conf['interface']}", $dnsBackMX = NULL, diff --git a/src/usr/local/www/services_dyndns_edit.php b/src/usr/local/www/services_dyndns_edit.php index 060d624..fbc9807 100644 --- a/src/usr/local/www/services_dyndns_edit.php +++ b/src/usr/local/www/services_dyndns_edit.php 
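Review bot: `$dnsProxied = false` is inserted into the middle of updatedns()'s positional parameter list, between `$dnsWildcard` and `$dnsMX`; named arguments did not exist before PHP 8.0, and the `$dnsWildcard = $conf['wildcard']` forms in services.inc are plain assignment expressions passed by position, so any caller other than services_dyndns_configure_client() that this commit does not update now has every argument from `$dnsMX` onward shifted by one. Appending the parameter instead keeps the existing signature backward compatible: `..., $curlSslVerifypeer = true, $dnsProxied = false) {` with services.inc passing it last. The body of updatedns() lies outside the hunk.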
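Review bot: `$dnsProxied = $conf['proxied']` forwards the raw config value, which then goes straight into the JSON body as `"proxied" => $this->_dnsProxied` in dyndns.class; services_dyndns_edit.php reads the same flag back with `isset($a_dyndns[$id]['proxied'])`, which suggests the stored form is presence/absence rather than a PHP boolean. If so, json_encode() emits `""` or `null` instead of `true`/`false` and the API will not enable the proxy. Normalising at the call site, `$dnsProxied = isset($conf['proxied']),` matches how the edit page interprets the value and also avoids an undefined-index notice when the key is absent. services_dyndns_configure_client() starts before the hunk.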
@@ -64,6 +64,7 @@ if (isset($id) && isset($a_dyndns[$id])) { $pconfig['enable'] = !isset($a_dyndns[$id]['enable']); $pconfig['interface'] = $a_dyndns[$id]['interface']; $pconfig['wildcard'] = isset($a_dyndns[$id]['wildcard']); + $pconfig['proxied'] = isset($a_dyndns[$id]['proxied']); $pconfig['verboselog'] = isset($a_dyndns[$id]['verboselog']); $pconfig['curl_ipresolve_v4'] = isset($a_dyndns[$id]['curl_ipresolve_v4']); $pconfig['curl_ssl_verifypeer'] = isset($a_dyndns[$id]['curl_ssl_verifypeer']); @@ -157,6 +158,7 @@ if ($_POST) { $dyndns['domainname'] = $_POST['domainname']; $dyndns['mx'] = $_POST['mx']; $dyndns['wildcard'] = $_POST['wildcard'] ? true : false; + $dyndns['proxied'] = $_POST['proxied'] ? true : false; $dyndns['verboselog'] = $_POST['verboselog'] ? true : false; $dyndns['curl_ipresolve_v4'] = $_POST['curl_ipresolve_v4'] ? true : false; $dyndns['curl_ssl_verifypeer'] = $_POST['curl_ssl_verifypeer'] ? true : false; @@ -322,6 +324,15 @@ $section->addInput(new Form_Checkbox( )); $section->addInput(new Form_Checkbox( + 'proxied', + 'CloudFlare Proxy', + 'Enable Proxy', + $pconfig['proxied'] +))->setHelp('Note: This enables CloudFlares Virtual DNS proxy. When Enabled it will route all traffic '. + 'through their servers. By Default this is disabled and your Real IP is exposed.'. + 'More info: CloudFlare Blog'); + +$section->addInput(new Form_Checkbox( 'verboselog', 'Verbose logging', 'Enable verbose logging', @@ -440,6 +451,7 @@ events.push(function() { hideInput('host', true); hideInput('mx', true); hideCheckbox('wildcard', true); + hideCheckbox('proxied', true); hideInput('zoneid', true); hideInput('ttl', true); break; @@ -455,6 +467,7 @@ events.push(function() { hideInput('host', false); hideInput('mx', false); hideCheckbox('wildcard', false); + hideCheckbox('proxied', true); hideInput('zoneid', false); hideInput('ttl', false); break; 
@@ -468,9 +481,24 @@ events.push(function() { hideInput('host', false); hideInput('mx', false); hideCheckbox('wildcard', false); + hideCheckbox('proxied', true); hideInput('zoneid', true); hideInput('ttl', true); break; + case "cloudflare-v6": + case "cloudflare": + hideGroupInput('domainname', true); + hideInput('resultmatch', true); + hideInput('updateurl', true); + hideInput('requestif', true); + hideCheckbox('curl_ipresolve_v4', true); + hideCheckbox('curl_ssl_verifypeer', true); + hideInput('host', false); + hideInput('mx', false); + hideCheckbox('wildcard', false); + hideCheckbox('proxied', false); + hideInput('zoneid', true); + hideInput('ttl', true); default: hideGroupInput('domainname', true); hideInput('resultmatch', true); @@ -481,6 +509,7 @@ events.push(function() { hideInput('host', false); hideInput('mx', false); hideCheckbox('wildcard', false); + hideCheckbox('proxied', true); hideInput('zoneid', true); hideInput('ttl', true); } -- cgit v1.1 From 7be23d53705ccbcee64d3236bf74b34c513da686 Mon Sep 17 00:00:00 2001 From: marjohn56 Date: Wed, 21 Dec 2016 15:26:17 +0000 Subject: User Defined DUID User may define a DUID to use in System->Advanced->Networking. The entered DUID is validated for composition and length, if valid it is stored in the config.xml. On call of wan_dhcp6_configure() the DUID is written to file to be read by dhcp6c on launch. --- src/etc/inc/interfaces.inc | 7 ++++++ src/etc/inc/util.inc | 36 +++++++++++++++++++++++++++ src/usr/local/www/system_advanced_network.php | 22 ++++++++++++++++ 3 files changed, 65 insertions(+) diff --git a/src/etc/inc/interfaces.inc b/src/etc/inc/interfaces.inc index be68bdd..eaac41c 100644 --- a/src/etc/inc/interfaces.inc +++ b/src/etc/inc/interfaces.inc 
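Review bot: The new `case "cloudflare-v6": case "cloudflare":` block ends with `hideInput('ttl', true);` and no `break;`, so execution falls through into `default:`, where this same commit adds `hideCheckbox('proxied', true);` — the proxied checkbox is shown and then immediately hidden again, so it is never visible for the one provider it was added for. Add `break;` after the block's `hideInput('ttl', true);`. The `hideCheckbox('proxied', true)` lines added to the earlier cases (@@ -440, @@ -455, @@ -468) are fine because each of those cases already ends with `break;`.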
@@ -3868,6 +3868,13 @@ function interface_dhcpv6_configure($interface = "wan", $wancfg) { $wanif = get_real_interface($interface, "inet6"); $dhcp6cconf = ""; + if (!empty($config['system']['global-v6duid'])) { + // Write the DUID file + if(!write_dhcp6_duid($config['system']['global-v6duid'])) { + log_error(gettext("Failed to write user DUID file!")); + } + } + if ($wancfg['adv_dhcp6_config_file_override']) { // DHCP6 Config File Override $dhcp6cconf = DHCP6_Config_File_Override($wancfg, $wanif); diff --git a/src/etc/inc/util.inc b/src/etc/inc/util.inc index 528fe0e..f8fceea 100644 --- a/src/etc/inc/util.inc +++ b/src/etc/inc/util.inc @@ -2542,4 +2542,40 @@ function validateipaddr(&$addr, $type, $label, &$err_msg, $alias=false) { return false; } + + +/* returns true if $dhcp6duid is a valid duid entrry */ +function is_duid($dhcp6duid) { + $values = explode(":", $dhcp6duid); + if (count($values) != 16 || strlen($dhcp6duid) != 47) { + return false; + } + for ($i = 0; $i < 16; $i++) { + if (ctype_xdigit($values[$i]) == false) + return false; + if (hexdec($values[$i]) < 0 || hexdec($values[$i]) > 255) + return false; + } + return true; +} + +/* Write the DHCP6 DUID file */ +function write_dhcp6_duid($duidstring) { + // Create the hex array from the dhcp6duid config entry and write to file + global $g; + + if(!is_duid($duidstring)) { + log_error(gettext("Error: attempting to write DUID file - Invalid DUID detected")); + return false; + } + $temp = str_replace(":","",$duidstring); + $duid_binstring = pack("H*",$temp); + if ($fd = fopen("{$g['vardb_path']}/dhcp6c_duid", "wb")) { + fwrite($fd, $duid_binstring); + fclose($fd); + return true; + } + log_error(gettext("Error: attempting to write DUID file - File write error")); + return false; +} ?> diff --git a/src/usr/local/www/system_advanced_network.php b/src/usr/local/www/system_advanced_network.php index 06a4e2d..b453045 100644 --- a/src/usr/local/www/system_advanced_network.php 
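Review bot: The added block reads `$config['system']['global-v6duid']`, but interface_dhcpv6_configure()'s header and any `global` declaration are outside the hunk; if `$config` is not declared global in this function the condition is always false and the user DUID is silently never written. Worth confirming, and worth a why-comment on the `if`: `// a user-defined DUID (System > Advanced > Networking) overrides the one dhcp6c generates; a write failure is logged but not fatal`. The write also runs before the config-file-override branch, so it applies to overridden dhcp6c configs as well — presumably intended. Style nit: `if(!write_dhcp6_duid(` should be `if (!write_dhcp6_duid(` like the surrounding code.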
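Review bot: In is_duid() the `hexdec($values[$i]) < 0` test can never be true, and `> 255` is the only thing bounding a chunk's width, so uneven input such as `000:0:00:...` passes even though it is not the xx:xx form the UI documents; checking each chunk directly, `if (strlen($values[$i]) != 2 || !ctype_xdigit($values[$i])) { return false; }`, replaces both hexdec tests and states the intent (exactly two hex digits per octet). The function also accepts exactly 16 octets; DHCPv6 DUIDs are variable-length, so if other DUID types are meant to work the 16/47 constants need to become bounds. In write_dhcp6_duid() the fwrite() return value is ignored, so a short write still returns true; `if (fwrite($fd, $duid_binstring) !== strlen($duid_binstring))` before the `return true` would report it. The file is created with the process umask — confirm that is the mode dhcp6c expects.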
+++ b/src/usr/local/www/system_advanced_network.php @@ -40,6 +40,7 @@ require_once("shaper.inc"); $pconfig['ipv6nat_enable'] = isset($config['diag']['ipv6nat']['enable']); $pconfig['ipv6nat_ipaddr'] = $config['diag']['ipv6nat']['ipaddr']; $pconfig['ipv6allow'] = isset($config['system']['ipv6allow']); +$pconfig['global-v6duid'] = $config['system']['global-v6duid']; $pconfig['prefer_ipv4'] = isset($config['system']['prefer_ipv4']); $pconfig['sharednet'] = $config['system']['sharednet']; $pconfig['disablechecksumoffloading'] = isset($config['system']['disablechecksumoffloading']); @@ -83,6 +84,18 @@ if ($_POST) { unset($config['system']['prefer_ipv4']); } + if (!empty($_POST['global-v6duid'])) { + $_POST['global-v6duid'] = strtolower(str_replace("-", ":", $_POST['global-v6duid'])); + if (!is_duid($_POST['global-v6duid'])) { + $input_errors[] = gettext("A valid DUID must be specified"); + } else { + $config['system']['global-v6duid'] = $_POST['global-v6duid']; + } + } + else { + unset($config['system']['global-v6duid']); + } + if ($_POST['sharednet'] == "yes") { $config['system']['sharednet'] = true; system_disable_arp_wrong_if(); @@ -186,6 +199,15 @@ $section->addInput(new Form_Checkbox( ))->setHelp('By default, if IPv6 is configured and a hostname resolves IPv6 and IPv4 addresses, '. 'IPv6 will be used. If this option is selected, IPv4 will be preferred over IPv6.'); +$section->addInput(new Form_Input( + 'global-v6duid', + 'DHCP6 DUID', + 'text', + $pconfig['global-v6duid'], + ['placeholder' => 'xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx'] + ))->setWidth(9)->sethelp('Enter the DUID to use here. Use this option if using RAM Disk, as the DUID will be lost on reboot. The existing DUID may be found in var/db/dhcp6_duid.' .'
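Review bot: Normalising and validating the submitted DUID with is_duid() before it reaches the config is the right boundary check, but the hunk does it by rewriting `$_POST['global-v6duid']` in place; a local, `$duid = strtolower(str_replace("-", ":", $_POST['global-v6duid']));`, then `is_duid($duid)` and `$config['system']['global-v6duid'] = $duid;`, keeps the request array read-only and reads clearer. The earlier hunk's `$pconfig['global-v6duid'] = $config['system']['global-v6duid'];` raises an undefined-index notice on installs where no DUID has been set, which is the common case; `isset($config['system']['global-v6duid']) ? $config['system']['global-v6duid'] : ''` matches the neighbouring lines. Whether the config is written when `$input_errors` is non-empty is decided outside the hunk.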
' . + 'NOTE: Do not use this option with multiple DHCP6 interfaces.'); + $form->add($section); $section = new Form_Section('Network Interfaces'); -- cgit v1.1 From aff01dbd97c10731b98bc70c32ac19822c95d304 Mon Sep 17 00:00:00 2001 From: marjohn56 Date: Wed, 21 Dec 2016 21:39:23 +0000 Subject: Text change --- src/usr/local/www/system_advanced_network.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/usr/local/www/system_advanced_network.php b/src/usr/local/www/system_advanced_network.php index b453045..7b0f725 100644 --- a/src/usr/local/www/system_advanced_network.php +++ b/src/usr/local/www/system_advanced_network.php @@ -119,8 +119,8 @@ if ($_POST) { if ($_POST['disablelargereceiveoffloading'] == "yes") { $config['system']['disablelargereceiveoffloading'] = true; } else { - unset($config['system']['disablelargereceiveoffloading']); - } + unset($config['system']['disablelargereceiveoffloading']); hi +} setup_microcode(); @@ -206,7 +206,7 @@ $section->addInput(new Form_Input( $pconfig['global-v6duid'], ['placeholder' => 'xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx'] ))->setWidth(9)->sethelp('Enter the DUID to use here. Use this option if using RAM Disk, as the DUID will be lost on reboot. The existing DUID may be found in var/db/dhcp6_duid.' .'
' . - 'NOTE: Do not use this option with multiple DHCP6 interfaces.'); + 'NOTE: Do not use this option with multiple DHCP6 WAN interfaces.'); $form->add($section); $section = new Form_Section('Network Interfaces'); -- cgit v1.1 From 016b7b5d06a1633528726e97c9274b25067a6771 Mon Sep 17 00:00:00 2001 From: marjohn56 Date: Thu, 22 Dec 2016 13:44:41 +0000 Subject: Typo correct --- src/usr/local/www/system_advanced_network.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/usr/local/www/system_advanced_network.php b/src/usr/local/www/system_advanced_network.php index 7b0f725..be6cd0f 100644 --- a/src/usr/local/www/system_advanced_network.php +++ b/src/usr/local/www/system_advanced_network.php @@ -119,8 +119,8 @@ if ($_POST) { if ($_POST['disablelargereceiveoffloading'] == "yes") { $config['system']['disablelargereceiveoffloading'] = true; } else { - unset($config['system']['disablelargereceiveoffloading']); hi -} + unset($config['system']['disablelargereceiveoffloading']); + } setup_microcode(); -- cgit v1.1 From c0a3864eb85a2cae67b6c39321c7138fb7a9a6cb Mon Sep 17 00:00:00 2001 From: marjohn56 Date: Thu, 22 Dec 2016 19:56:47 +0000 Subject: Added real DUID placeholder, new text and call to new get_duid_from_file() function. --- src/usr/local/www/system_advanced_network.php | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/usr/local/www/system_advanced_network.php b/src/usr/local/www/system_advanced_network.php index be6cd0f..c607ee3 100644 --- a/src/usr/local/www/system_advanced_network.php +++ b/src/usr/local/www/system_advanced_network.php 
@@ -158,6 +158,7 @@ $tab_array[] = array(gettext("Networking"), true, "system_advanced_network.php") $tab_array[] = array(gettext("Miscellaneous"), false, "system_advanced_misc.php"); $tab_array[] = array(gettext("System Tunables"), false, "system_advanced_sysctl.php"); $tab_array[] = array(gettext("Notifications"), false, "system_advanced_notifications.php"); +$duid = get_duid_from_file(); display_top_tabs($tab_array); $form = new Form; @@ -204,9 +205,11 @@ $section->addInput(new Form_Input( 'DHCP6 DUID', 'text', $pconfig['global-v6duid'], - ['placeholder' => 'xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx'] - ))->setWidth(9)->sethelp('Enter the DUID to use here. Use this option if using RAM Disk, as the DUID will be lost on reboot. The existing DUID may be found in var/db/dhcp6_duid.' .'
' . - 'NOTE: Do not use this option with multiple DHCP6 WAN interfaces.'); + ['placeholder' => $duid] + ))->setWidth(9)->sethelp('The current DUID is displayed above. You may enter a new DUID whuch will be used on the next WAN interface UP event.' .'
' . + 'Unless you enter a DUID the system will default to using the DUID created by the client on start, this DUID is NOT saved to config.' . + 'It is strongly recommended if you use RAM disk to enter a DUID here and then SAVE, the DUID will then be saved to config also and' . + ' will be active on the next WAN interface UP event.'); $form->add($section); $section = new Form_Section('Network Interfaces'); -- cgit v1.1 From 9e08a2bdbe21e94fb392cc67ce39cd43bbb1b383 Mon Sep 17 00:00:00 2001 From: marjohn56 Date: Thu, 22 Dec 2016 20:00:39 +0000 Subject: Added get_duid_from_file() function Used in System->Advanced->Networking to display the current DUID in the placeholder for setting the DUID. --- src/etc/inc/util.inc | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/src/etc/inc/util.inc b/src/etc/inc/util.inc index f8fceea..63ffb9f 100644 --- a/src/etc/inc/util.inc +++ b/src/etc/inc/util.inc @@ -2578,4 +2578,35 @@ function write_dhcp6_duid($duidstring) { log_error(gettext("Error: attempting to write DUID file - File write error")); return false; } +/* returns duid string from 'vardb_path']}/dhcp6c_duid' */ +function get_duid_from_file() +{ + global $g; + + $count = 0; + + if ($fd = fopen("{$g['vardb_path']}/dhcp6c_duid", "r")) { + + if(filesize("{$g['vardb_path']}/dhcp6c_duid")==16) { + + $string = fread($fd,filesize("{$g['vardb_path']}/dhcp6c_duid")); + + while($count < 16) { + + $a = $string[$count]; + $duid_ASCII .= bin2hex($a); + $count++; + if($count < 16) { + $duid_ASCII .= ":"; + } + } + } + fclose($fd); + } + //if no file or error with read then the string returns blanked DUID string + if($count != 16) { + return "--:--:--:--:--:--:--:--:--:--:--:--:--:--:--:--"; + } + return($duid_ASCII); +} ?> -- cgit v1.1 From e8165036d22ed0b3efa15a3cd2e64f015393552f Mon Sep 17 00:00:00 2001 
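Review bot: The concatenated help text has no separator between `'...this DUID is NOT saved to config.'` and `'It is strongly recommended...'`, so it renders as "config.It is"; ending the first fragment with `'... NOT saved to config. ' .` fixes it, and the later commits in this series rewrite the following fragments but keep this one. `$duid = get_duid_from_file();` is dropped between the tab-array entries and display_top_tabs(); it belongs with the other page data next to the `$pconfig` assignments near the top of the file. The placeholder is built from bin2hex() output or a fixed dash string, so there is no escaping concern there.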
From: marjohn56 Date: Thu, 22 Dec 2016 20:03:01 +0000 Subject: format correction --- src/usr/local/www/system_advanced_network.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/usr/local/www/system_advanced_network.php b/src/usr/local/www/system_advanced_network.php index c607ee3..b36f7d0 100644 --- a/src/usr/local/www/system_advanced_network.php +++ b/src/usr/local/www/system_advanced_network.php @@ -119,7 +119,7 @@ if ($_POST) { if ($_POST['disablelargereceiveoffloading'] == "yes") { $config['system']['disablelargereceiveoffloading'] = true; } else { - unset($config['system']['disablelargereceiveoffloading']); + unset($config['system']['disablelargereceiveoffloading']); } setup_microcode(); -- cgit v1.1 From 1b17a4c9a49d648091811c6ec49eb633a9bfb9a6 Mon Sep 17 00:00:00 2001 From: marjohn56 Date: Fri, 23 Dec 2016 08:20:43 +0000 Subject: changed to text to reflect standard text in other options. --- src/usr/local/www/system_advanced_network.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/usr/local/www/system_advanced_network.php b/src/usr/local/www/system_advanced_network.php index b36f7d0..8b8c7a8 100644 --- a/src/usr/local/www/system_advanced_network.php +++ b/src/usr/local/www/system_advanced_network.php @@ -208,8 +208,8 @@ $section->addInput(new Form_Input( ['placeholder' => $duid] ))->setWidth(9)->sethelp('The current DUID is displayed above. You may enter a new DUID whuch will be used on the next WAN interface UP event.' .'
' . 'Unless you enter a DUID the system will default to using the DUID created by the client on start, this DUID is NOT saved to config.' . - 'It is strongly recommended if you use RAM disk to enter a DUID here and then SAVE, the DUID will then be saved to config also and' . - ' will be active on the next WAN interface UP event.'); + 'It is strongly recommended if you use RAM disk to enter a DUID here and then save. The saved DUID will take effect after a machine'. + ' reboot or re-configure of the WAN interface(s).'); $form->add($section); $section = new Form_Section('Network Interfaces'); -- cgit v1.1 From 8212a76549de6101984c2dd66d2b0ce8d921c649 Mon Sep 17 00:00:00 2001 From: marjohn56 Date: Fri, 23 Dec 2016 08:39:40 +0000 Subject: tidy --- src/etc/inc/util.inc | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/src/etc/inc/util.inc b/src/etc/inc/util.inc index 63ffb9f..1bf81da 100644 --- a/src/etc/inc/util.inc +++ b/src/etc/inc/util.inc @@ -2586,14 +2586,10 @@ function get_duid_from_file() $count = 0; if ($fd = fopen("{$g['vardb_path']}/dhcp6c_duid", "r")) { - if(filesize("{$g['vardb_path']}/dhcp6c_duid")==16) { - - $string = fread($fd,filesize("{$g['vardb_path']}/dhcp6c_duid")); - - while($count < 16) { - - $a = $string[$count]; + $buffer = fread($fd,filesize("{$g['vardb_path']}/dhcp6c_duid")); + while($count < 16) { + $a = $buffer[$count]; $duid_ASCII .= bin2hex($a); $count++; if($count < 16) { -- cgit v1.1 From 2acedbbf6b51b1068e336193eff1ccada4724c1f Mon Sep 17 00:00:00 2001 From: marjohn56 Date: Tue, 27 Dec 2016 19:57:04 +0000 Subject: Changes as requested --- src/etc/inc/util.inc | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/etc/inc/util.inc b/src/etc/inc/util.inc index 1bf81da..799bafe 100644 --- a/src/etc/inc/util.inc +++ b/src/etc/inc/util.inc 
@@ -2543,7 +2543,6 @@ function validateipaddr(&$addr, $type, $label, &$err_msg, $alias=false) { return false; } - /* returns true if $dhcp6duid is a valid duid entrry */ function is_duid($dhcp6duid) { $values = explode(":", $dhcp6duid); @@ -2578,19 +2577,20 @@ function write_dhcp6_duid($duidstring) { log_error(gettext("Error: attempting to write DUID file - File write error")); return false; } + /* returns duid string from 'vardb_path']}/dhcp6c_duid' */ function get_duid_from_file() { global $g; + $duid_ASCII = ""; $count = 0; if ($fd = fopen("{$g['vardb_path']}/dhcp6c_duid", "r")) { if(filesize("{$g['vardb_path']}/dhcp6c_duid")==16) { - $buffer = fread($fd,filesize("{$g['vardb_path']}/dhcp6c_duid")); - while($count < 16) { - $a = $buffer[$count]; - $duid_ASCII .= bin2hex($a); + $buffer = fread($fd,16); + while($count < 16) { + $duid_ASCII .= bin2hex($buffer[$count]); $count++; if($count < 16) { $duid_ASCII .= ":"; @@ -2600,7 +2600,7 @@ function get_duid_from_file() fclose($fd); } //if no file or error with read then the string returns blanked DUID string - if($count != 16) { + if(!is_duid($duid_ASCII)) { return "--:--:--:--:--:--:--:--:--:--:--:--:--:--:--:--"; } return($duid_ASCII); -- cgit v1.1 From 3033c93fb23ae00b06a8a8c12252ad33df526233 Mon Sep 17 00:00:00 2001 From: marjohn56 Date: Tue, 27 Dec 2016 19:59:21 +0000 Subject: Changes as requested --- src/usr/local/www/system_advanced_network.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/usr/local/www/system_advanced_network.php b/src/usr/local/www/system_advanced_network.php index 8b8c7a8..3c34e8c 100644 --- a/src/usr/local/www/system_advanced_network.php +++ b/src/usr/local/www/system_advanced_network.php @@ -91,8 +91,7 @@ if ($_POST) { } else { $config['system']['global-v6duid'] = $_POST['global-v6duid']; } - } - else { + } else { unset($config['system']['global-v6duid']); } -- cgit v1.1 From 15dcf1320c08eb9339eda3e6fdf04599c51694b7 Mon Sep 17 00:00:00 2001 
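Review bot: get_duid_from_file() calls fopen() on `{$g['vardb_path']}/dhcp6c_duid` without a readability guard, so on a box where the file is absent — the RAM-disk case this feature exists for — every load of the page logs a PHP warning; use `$path = "{$g['vardb_path']}/dhcp6c_duid"; if (is_readable($path) && ($fd = fopen($path, "r")))` and reuse `$path` in the filesize() call. The byte loop can become `$duid_ASCII = implode(":", str_split(bin2hex($buffer), 2));`, which also drops `$count`; fread() can return fewer than 16 bytes and the final is_duid() check covers that, but `$buffer[$count]` would emit an offset notice first, another reason for the one-liner. The `/* returns duid string from 'vardb_path']}/dhcp6c_duid' */` comment carries a stray fragment; `/* Returns the DUID stored in {$g['vardb_path']}/dhcp6c_duid as xx:xx:..., or a dashed placeholder when it cannot be read */` reads cleaner.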
From: PiBa-NL Date: Wed, 28 Dec 2016 12:51:23 +0100 Subject: dyndns.class, fix json curl body parsing for Cloudflare by not including headers --- src/etc/inc/dyndns.class | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/etc/inc/dyndns.class b/src/etc/inc/dyndns.class index 8f1dcd9..8eff761 100644 --- a/src/etc/inc/dyndns.class +++ b/src/etc/inc/dyndns.class @@ -359,8 +359,7 @@ curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4); } - if ($this->_dnsService != 'ods' and $this->_dnsService != 'route53 ') { - curl_setopt($ch, CURLOPT_HEADER, 1); + if ($this->_dnsService != 'ods') { curl_setopt($ch, CURLOPT_USERAGENT, $this->_UserAgent); curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); curl_setopt($ch, CURLOPT_INTERFACE, 'if!' . $realparentif); @@ -774,7 +773,6 @@ $server = 'https://api.dnsimple.com/v1/domains/'; $token = $this->_dnsUser . ':' . $this->_dnsPass; $jsondata = '{"record":{"content":"' . $this->_dnsIP . '","ttl":"' . $this->_dnsTTL . '"}}'; - curl_setopt($ch, CURLOPT_HEADER, 1); curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "PUT"); curl_setopt($ch, CURLOPT_HTTPHEADER, array('Accept: application/json', 'Content-Type: application/json', 'X-DNSimple-Token: ' . $token)); curl_setopt($ch, CURLOPT_URL, $server . $this->_dnsHost . '/records/' . $this->_dnsZoneID); @@ -821,6 +819,7 @@ break; } if ($this->_dnsService != 'ods') { + curl_setopt($ch, CURLOPT_HEADER, 1); $response = curl_exec($ch); $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE); $header = substr($response, 0, $header_size); @@ -834,7 +833,7 @@ * Private Function (added 12 July 2005) [beta] * Retrieve Update Status */ - function _checkStatus($ch, $data) { + function _checkStatus($ch, $data, $header) { if ($this->_dnsVerboseLog) { log_error(sprintf(gettext('Dynamic DNS %1$s (%2$s): _checkStatus() starting.'), $this->_dnsService, $this->_FQDN)); } -- cgit v1.1 From 416322ee7d7db1fe9d8d416017e4546162bbb766 Mon Sep 17 00:00:00 2001 
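Review bot: `_checkStatus()` gains a third `$header` parameter but its call site is not in any hunk; confirm it is updated in the same change, otherwise `$header` is undefined inside the function. `CURLOPT_HEADER` is now set once right before `curl_exec()`, yet `$response` is sliced with substr() on the following context lines without a `false` check, so a failed transfer yields empty `$header`/`$data` that `_checkStatus()` may read as a non-matching response; `if ($response === false) { log_error(sprintf(gettext('Dynamic DNS %1$s (%2$s): curl error: %3$s'), $this->_dnsService, $this->_FQDN, curl_error($ch))); }` before the header split makes the failure visible. Dropping the `'route53 '` comparison is harmless — the trailing space meant it never matched.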
From: marjohn56 Date: Thu, 29 Dec 2016 09:16:30 +0000 Subject: Changes whuch to which... fat fingers --- src/usr/local/www/system_advanced_network.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/usr/local/www/system_advanced_network.php b/src/usr/local/www/system_advanced_network.php index 3c34e8c..7361bd3 100644 --- a/src/usr/local/www/system_advanced_network.php +++ b/src/usr/local/www/system_advanced_network.php @@ -205,7 +205,7 @@ $section->addInput(new Form_Input( 'text', $pconfig['global-v6duid'], ['placeholder' => $duid] - ))->setWidth(9)->sethelp('The current DUID is displayed above. You may enter a new DUID whuch will be used on the next WAN interface UP event.' .'
' . + ))->setWidth(9)->sethelp('The current DUID is displayed above. You may enter a new DUID which will be used on the next WAN interface UP event.' .'
' . 'Unless you enter a DUID the system will default to using the DUID created by the client on start, this DUID is NOT saved to config.' . 'It is strongly recommended if you use RAM disk to enter a DUID here and then save. The saved DUID will take effect after a machine'. ' reboot or re-configure of the WAN interface(s).'); -- cgit v1.1 From 025ec94a3285c129d2e14b00b629e811b83a9330 Mon Sep 17 00:00:00 2001 From: plumbeo Date: Tue, 27 Dec 2016 21:32:43 +0100 Subject: Captive portal: work around race condition between captiveportal_disconnect_all() and captiveportal_prune_old() Captiveportal_disconnect_all() loops through the active users and disconnects them immediately but doesn't remove them from the user database, only adding them to a list that is processed after the end of the loop. Since the loop can take several seconds if there are many users connected, captiveportal_prune_old() can be called after some users have been disconnected but before they're removed from the database. When this happens and the user has an idle timeout set, captiveportal_prune_old() tries to find the last activity time and gets an invalid value because the user has already been removed from the fw table, so it uses the login time as last activity time. Finally, if the login time is more than one idle timeout in the past, it tries to disconnect again the user and sends a RADIUS Accounting-Stop packet with termination-cause Idle-Timeout and zero Acct-Input-Octets/Acct-Output-Octets that overwrites the correct packet sent by captiveportal_disconnect_all(). To work around it, remove the users from the database before disconnecting them (this fixes only the case where captiveportal_disconnect_all() runs before captiveportal_prune_old()). --- src/etc/inc/captiveportal.inc | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/src/etc/inc/captiveportal.inc b/src/etc/inc/captiveportal.inc index 31b7149..e1ee093 100644 --- a/src/etc/inc/captiveportal.inc 
+++ b/src/etc/inc/captiveportal.inc
@@ -1089,7 +1089,11 @@ function captiveportal_disconnect_all($term_cause = 6, $logoutReason = "DISCONNE
 $radiussrvs = captiveportal_get_radius_servers();
 $cpdb = captiveportal_read_db();
- $unsetindexes = array();
+ /* remove immediately the active users from the database to avoid races */
+ $unsetindexes = array_column($cpdb,5);
+ if (!empty($unsetindexes)) {
+ captiveportal_remove_entries($unsetindexes);
+ }
 foreach ($cpdb as $cpentry) {
 if (empty($cpentry[11])) {
@@ -1099,13 +1103,8 @@ function captiveportal_disconnect_all($term_cause = 6, $logoutReason = "DISCONNE
 captiveportal_disconnect($cpentry, $radiusservers, $term_cause);
 captiveportal_logportalauth($cpentry[4], $cpentry[3], $cpentry[2], $logoutReason);
- $unsetindexes[] = $cpentry[5];
 }
 unset($cpdb);
-
- if (!empty($unsetindexes)) {
- captiveportal_remove_entries($unsetindexes);
- }
 }
 /* send RADIUS acct stop for all current clients */
-- cgit v1.1
From d793617ee9b4c3f66575737df3e8f6cf04e7c782 Mon Sep 17 00:00:00 2001
From: plumbeo
Date: Wed, 28 Dec 2016 02:15:46 +0100
Subject: Captive portal: use locking to avoid race conditions between rc.prunecaptiveportal and captiveportal_disconnect_all() Convert rc.prunecaptiveportal to lock()/unlock()/try_lock() and use the lock to ensure that there aren't race conditions between it and captiveportal_disconnect_all().
---
 src/etc/inc/captiveportal.inc | 12 ++++++++++++
 src/etc/rc.prunecaptiveportal | 18 ++++++++----------
 2 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/src/etc/inc/captiveportal.inc b/src/etc/inc/captiveportal.inc
index e1ee093..7d8d71e 100644
--- a/src/etc/inc/captiveportal.inc
+++ b/src/etc/inc/captiveportal.inc
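Review bot: Removing the entries before the disconnect loop means captiveportal_disconnect() now runs on users that are no longer in the database; if captiveportal_remove_entries() also tears down the firewall/table state the disconnect path reads for Acct-Input/Output-Octets (the very counters the commit message says were being zeroed), the Accounting-Stop packets will now carry zero counters for everyone — confirm it only touches the db file. The commit message already concedes this covers only the ordering where disconnect_all runs first. `array_column($cpdb,5)` wants `array_column($cpdb, 5)` and a comment on what the column is, `/* column 5 is the session id */`, since the rest of the file addresses entries by bare index.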
@@ -1086,6 +1086,16 @@ function captiveportal_disconnect_client($sessionid, $term_cause = 1, $logoutRea
 function captiveportal_disconnect_all($term_cause = 6, $logoutReason = "DISCONNECT") {
 global $g, $config, $cpzone, $cpzoneid;
+ /* check if we're pruning old entries and eventually wait */
+ $rcprunelock = try_lock("rcprunecaptiveportal{$cpzone}", 60);
+
+ /* if we still don't have the lock, unlock forcefully and take it */
+ if (!$rcprunelock) {
+ log_error("CP zone ${cpzone}: could not obtain the lock for more than 60 seconds, lock taken forcefully to disconnect all users");
+ unlock_force("rcprunecaptiveportal{$cpzone}");
+ $rcprunelock = lock("rcprunecaptiveportal{$cpzone}", LOCK_EX);
+ }
+
 $radiussrvs = captiveportal_get_radius_servers();
 $cpdb = captiveportal_read_db();
@@ -1105,6 +1115,8 @@ function captiveportal_disconnect_all($term_cause = 6, $logoutReason = "DISCONNE
 captiveportal_logportalauth($cpentry[4], $cpentry[3], $cpentry[2], $logoutReason);
 }
 unset($cpdb);
+
+ unlock($rcprunelock);
 }
 /* send RADIUS acct stop for all current clients */
diff --git a/src/etc/rc.prunecaptiveportal b/src/etc/rc.prunecaptiveportal
index 8a5253b..89e6328 100755
--- a/src/etc/rc.prunecaptiveportal
+++ b/src/etc/rc.prunecaptiveportal
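Review bot: After the 60 s timeout the code forcibly removes the lock and takes it, on the assumption the holder is stale; if rc.prunecaptiveportal is simply still iterating a large database, both routines then run concurrently and the race this series fixes is back. Logging and proceeding is a defensible fallback for a disconnect-all, but the log line should say the holder may still be running, and `"CP zone ${cpzone}: ..."` should use `{$cpzone}` like the adjacent strings (the `${}` form is deprecated in PHP 8.2). The lock is released only at the very end of the function; any early `return` added inside the loop later would leak it, so `unlock($rcprunelock); /* must stay the last statement: every path out of this function has to release the prune lock */` is worth writing down.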
@@ -43,18 +43,16 @@ if (!is_array($config['captiveportal'][$cpzone])) {
 }
 $cpzoneid = $config['captiveportal'][$cpzone]['zoneid'];
-if (file_exists("{$g['tmp_path']}/.rc.prunecaptiveportal.{$cpzone}.running")) {
- $stat = stat("{$g['tmp_path']}/.rc.prunecaptiveportal.{$cpzone}.running");
- if (time() - $stat['mtime'] >= 120) {
- @unlink("{$g['tmp_path']}/.rc.prunecaptiveportal.{$cpzone}.running");
- } else {
- log_error("Skipping CP pruning process because previous/another instance is already running");
- return;
- }
+$rcprunelock = try_lock("rcprunecaptiveportal{$cpzone}", 3);
+
+if (!$rcprunelock) {
+ log_error("Skipping CP pruning process for zone {$cpzone} because previous/another instance is already running");
+ unlock_force("rcprunecaptiveportal{$cpzone}");
+ return;
 }
-@file_put_contents("{$g['tmp_path']}/.rc.prunecaptiveportal.{$cpzone}.running", "");
 captiveportal_prune_old();
-@unlink("{$g['tmp_path']}/.rc.prunecaptiveportal.{$cpzone}.running");
+
+unlock($rcprunelock);
 ?>
-- cgit v1.1
From 3ece6d5404e0d4a53243d12e6b58793fad66dd5a Mon Sep 17 00:00:00 2001
From: plumbeo
Date: Thu, 29 Dec 2016 18:43:13 +0100
Subject: Captive portal: rework logging and RADIUS accounting when disabling a zone or rebooting Make captiveportal_radius_stop_all() log the disconnections in the system log and fix it so that it works with the zone id parameter and sends complete RADIUS accounting packets. Since several zones can share the same RADIUS server, send an Accounting-Off packet only when rebooting, not when disabling a zone.
---
 src/etc/inc/captiveportal.inc | 52 +++++++++++++++++++++----------------------
 src/etc/inc/system.inc | 7 ++++--
 2 files changed, 31 insertions(+), 28 deletions(-)
diff --git a/src/etc/inc/captiveportal.inc b/src/etc/inc/captiveportal.inc
index 31b7149..8215057 100644
--- a/src/etc/inc/captiveportal.inc
+++ b/src/etc/inc/captiveportal.inc
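Review bot: In the skip path the script calls `unlock_force("rcprunecaptiveportal{$cpzone}")` after try_lock() gave up in 3 s, which destroys the lock currently held by a running captiveportal_disconnect_all() (or another prune) and then returns — the next prune run acquires the lock and proceeds while the first holder is still inside its loop, reintroducing the race this commit is meant to close. The old code only cleared its marker after 120 s of age; here the forced unlock should be dropped, leaving `log_error(...); return;`, or made conditional on an age check comparable to the old `time() - $stat['mtime'] >= 120` branch. try_lock()'s second argument is defined outside this file; confirm 3 is seconds of waiting rather than a retry count.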
@@ -347,15 +347,10 @@ EOD; @unlink("{$g['varetc_path']}/captiveportal-{$cpzone}-error.html"); @unlink("{$g['varetc_path']}/captiveportal-{$cpzone}-logout.html"); - captiveportal_radius_stop_all(); + captiveportal_radius_stop_all(10); // NAS-Request captiveportal_filterdns_configure(); - /* send Accounting-Off to server */ - if (!platform_booting()) { - captiveportal_send_server_accounting(true); - } - /* remove old information */ unlink_if_exists("{$g['vardb_path']}/captiveportal{$cpzone}.db"); unlink_if_exists("{$g['vardb_path']}/captiveportal_radius_{$cpzone}.db"); 
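Review bot: `captiveportal_radius_stop_all(10); // NAS-Request` here, `7); // Admin-Reboot` in system.inc and the `$term_cause = 6` default all pass RFC 2866 Acct-Terminate-Cause values as bare integers explained only by trailing comments; a small set of named constants in captiveportal.inc, for example `define('CP_TERM_CAUSE_NAS_REQUEST', 10);` (constructed name), used at every call site would make the accounting semantics readable and greppable. The hunk also stops sending Accounting-Off when a zone is disabled, which matches the commit message's reasoning about shared RADIUS servers; a one-line comment next to the `captiveportal_radius_stop_all(10)` call saying Accounting-Off is now sent only from system_reboot_cleanup() would save the next reader the archaeology. The enclosing function starts before the hunk.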
@@ -1109,32 +1104,37 @@ function captiveportal_disconnect_all($term_cause = 6, $logoutReason = "DISCONNE } /* send RADIUS acct stop for all current clients */ -function captiveportal_radius_stop_all() { - global $config, $cpzone; +function captiveportal_radius_stop_all($term_cause = 6, $logoutReason = "DISCONNECT") { + global $g, $config, $cpzone, $cpzoneid; - if (!isset($config['captiveportal'][$cpzone]['radacct_enable'])) { - return; + $cpdb = captiveportal_read_db(); + + $radacct = isset($config['captiveportal'][$cpzone]['radacct_enable']) ? true : false; + if ($radacct) { + $radiusservers = captiveportal_get_radius_servers(); } - $radiusservers = captiveportal_get_radius_servers(); - if (!empty($radiusservers)) { - $cpdb = captiveportal_read_db(); - foreach ($cpdb as $cpentry) { - if (empty($cpentry[11])) { - $cpentry[11] = 'first'; - } - if (!empty($radiusservers[$cpentry[11]])) { - RADIUS_ACCOUNTING_STOP($cpentry[1], // ruleno - $cpentry[4], // username - $cpentry[5], // sessionid - $cpentry[0], // start time - $radiusservers[$cpentry[11]], - $cpentry[2], // clientip - $cpentry[3], // clientmac - 7); // Admin Reboot + foreach ($cpdb as $cpentry) { + if ($radacct) { + if (!empty($radiusservers)) { + if (empty($cpentry[11])) { + $cpentry[11] = 'first'; + } + if (!empty($radiusservers[$cpentry[11]])) { + RADIUS_ACCOUNTING_STOP($cpentry[1], // ruleno + $cpentry[4], // username + $cpentry[5], // sessionid + $cpentry[0], // start time + $radiusservers[$cpentry[11]], + $cpentry[2], // clientip + $cpentry[3], // clientmac + $term_cause); + } } } + captiveportal_logportalauth($cpentry[4], $cpentry[3], $cpentry[2], $logoutReason); } + unset($cpdb); } function captiveportal_passthrumac_configure_entry($macent, $pipeinrule = false) { diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc index 5df1562..af8e7de 100644 --- a/src/etc/inc/system.inc +++ b/src/etc/inc/system.inc 
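Review bot: The header comment `/* send RADIUS acct stop for all current clients */` is now inaccurate, since the function also writes a portal-auth log entry via `captiveportal_logportalauth()` for every session even when RADIUS accounting is disabled, and it gained `$term_cause` and `$logoutReason` parameters. I would replace it with a short docblock saying that it logs out every entry in the zone's session database with `$logoutReason`, sends an Accounting-Stop carrying `$term_cause` only when `radacct_enable` is set and a server exists for the entry's server index (column 11, defaulting to `'first'`), and that callers must set the `$cpzone` global first. The `$radacct` and `!empty($radiusservers)` tests inside the loop are loop-invariant and can be folded into one boolean computed before the `foreach`. `$g` and `$cpzoneid` are declared `global` but not referenced in the visible body; if the callees read them as globals that works without the declaration here.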
@@ -1927,13 +1927,16 @@ function system_reboot_sync() { } function system_reboot_cleanup() { - global $config, $cpzone; + global $config, $cpzone, $cpzoneid; mwexec("/usr/local/bin/beep.sh stop"); require_once("captiveportal.inc"); if (is_array($config['captiveportal'])) { foreach ($config['captiveportal'] as $cpzone=>$cp) { - captiveportal_radius_stop_all(); + /* send Accounting-Stop packet for all clients, termination cause 'Admin-Reboot' */ + $cpzoneid = $cp[zoneid]; + captiveportal_radius_stop_all(7); // Admin-Reboot + /* Send Accounting-Off packet to the RADIUS server */ captiveportal_send_server_accounting(true); } } -- cgit v1.1 From fdb0479758339e083f7745d738c9999d86af150f Mon Sep 17 00:00:00 2001 From: jskyboo Date: Thu, 29 Dec 2016 13:52:51 -0800 Subject: Fix ntp gps status - trim sat in use - gps ok for GPGLL - lat & lon direction for GPGGA & GPGLL - sat in use text position fixed --- src/usr/local/www/status_ntpd.php | 18 ++++++++++++------ .../local/www/widgets/widgets/ntp_status.widget.php | 4 ++-- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/src/usr/local/www/status_ntpd.php b/src/usr/local/www/status_ntpd.php index 56725ab..c37052d 100644 --- a/src/usr/local/www/status_ntpd.php +++ b/src/usr/local/www/status_ntpd.php @@ -110,6 +110,8 @@ if (!isset($config['ntpd']['noquery'])) { $gps_lat = $gps_lat * (($gps_vars[4] == "N") ? 1 : -1); $gps_lon = $gps_lon_deg + $gps_lon_min; $gps_lon = $gps_lon * (($gps_vars[6] == "E") ? 1 : -1); + $gps_la = $gps_vars[4]; + $gps_lo = $gps_vars[6]; } elseif (substr($tmp, 0, 6) == '$GPGGA') { $gps_vars = explode(",", $tmp); $gps_ok = $gps_vars[6]; 
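Review bot: `$cpzoneid = $cp[zoneid];` uses the bare word `zoneid` as an array key; PHP treats it as an undefined constant, which is a notice that silently falls back to the string `"zoneid"` on PHP 7 and a fatal `Error` on PHP 8, so it should be `$cpzoneid = $cp['zoneid'];`. The term cause `7` is the right RFC 2866 Admin-Reboot value, but a named constant shared with captiveportal.inc would read better than the inline comment. Note also that after the `foreach` the globals `$cpzone` and `$cpzoneid` stay set to the last zone, which anything later in `system_reboot_cleanup()` inherits.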
@@ -123,9 +125,11 @@ if (!isset($config['ntpd']['noquery'])) { $gps_lon = $gps_lon * (($gps_vars[5] == "E") ? 1 : -1); $gps_alt = $gps_vars[9]; $gps_alt_unit = $gps_vars[10]; - $gps_sat = $gps_vars[7]; + $gps_sat = (int)$gps_vars[7]; + $gps_la = $gps_vars[3]; + $gps_lo = $gps_vars[5]; } elseif (substr($tmp, 0, 6) == '$GPGLL') { - $gps_vars = explode(",", $tmp); + $gps_vars = preg_split('/[,\*]+/', $tmp); $gps_ok = ($gps_vars[6] == "A"); $gps_lat_deg = substr($gps_vars[1], 0, 2); $gps_lat_min = substr($gps_vars[1], 2) / 60.0; @@ -135,6 +139,8 @@ if (!isset($config['ntpd']['noquery'])) { $gps_lat = $gps_lat * (($gps_vars[2] == "N") ? 1 : -1); $gps_lon = $gps_lon_deg + $gps_lon_min; $gps_lon = $gps_lon * (($gps_vars[4] == "E") ? 1 : -1); + $gps_la = $gps_vars[2]; + $gps_lo = $gps_vars[4]; } } } @@ -205,7 +211,7 @@ function print_status() { } function print_gps() { - global $gps_lat, $gps_lon, $gps_lat_deg, $gps_lon_deg, $gps_lat_min, $gps_lon_min, $gps_vars, + global $gps_lat, $gps_lon, $gps_lat_deg, $gps_lon_deg, $gps_lat_min, $gps_lon_min, $gps_la, $gps_lo, $gps_alt, $gps_alt_unit, $gps_sat, $gps_satview, $gps_goo_lnk; print("\n"); @@ -214,7 +220,7 @@ function print_gps() { print(" ("); printf("%d%s", $gps_lat_deg, "°"); printf("%.5f", $gps_lat_min*60); - print($gps_vars[4]); + print($gps_la); print(")"); print("\n"); print("\n"); @@ -222,7 +228,7 @@ function print_gps() { print(" ("); printf("%d%s", $gps_lon_deg, "°"); printf("%.5f", $gps_lon_min*60); - print($gps_vars[6]); + print($gps_lo); print(")"); print("\n"); @@ -233,7 +239,7 @@ function print_gps() { } if (isset($gps_sat) || isset($gps_satview)) { - print(''); + print(''); if (isset($gps_satview)) { print(gettext('in view ') . intval($gps_satview)); diff --git a/src/usr/local/www/widgets/widgets/ntp_status.widget.php b/src/usr/local/www/widgets/widgets/ntp_status.widget.php index b47a6fd..e29f381 100644 --- a/src/usr/local/www/widgets/widgets/ntp_status.widget.php 
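Review bot: In the `$GPGLL` branch, `preg_split('/[,\*]+/', $tmp)` uses a `+` quantifier, so two adjacent commas (an empty NMEA field, which is what a receiver emits for latitude and longitude when it has no fix) collapse into one delimiter and every later field shifts left; `$gps_vars[6]` is then no longer the A/V status and `$gps_vars[1]` can hold the status letter instead of the latitude. Splitting without the quantifier keeps the positions stable and still cuts off the `*checksum` suffix: `$gps_vars = preg_split('/[,*]/', $tmp);`. The `(int)` cast on the GPGGA satellite count is a good change; the same defensive cast could be applied to the other fields used as numbers.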
+++ b/src/usr/local/www/widgets/widgets/ntp_status.widget.php @@ -105,11 +105,11 @@ if ($_REQUEST['updateme']) { $gps_lon = $gps_lon * (($gps_vars[5] == "E") ? 1 : -1); $gps_alt = $gps_vars[9]; $gps_alt_unit = $gps_vars[10]; - $gps_sat = $gps_vars[7]; + $gps_sat = (int)$gps_vars[7]; $gps_la = $gps_vars[3]; $gps_lo = $gps_vars[5]; } elseif (substr($tmp, 0, 6) == '$GPGLL') { - $gps_vars = explode(",", $tmp); + $gps_vars = preg_split('/[,\*]+/', $tmp); $gps_ok = ($gps_vars[6] == "A"); $gps_lat_deg = substr($gps_vars[1], 0, 2); $gps_lat_min = substr($gps_vars[1], 2) / 60.0; -- cgit v1.1 From 76895c7f1d77c8e17913a3ddf87636fc4d50058d Mon Sep 17 00:00:00 2001 From: Phil Davis Date: Sat, 31 Dec 2016 17:10:23 +0545 Subject: firewall_rules_edit stop Floating field displaying Seems to fix https://redmine.pfsense.org/issues/7057 But I have not looked underneath the hood - just copied the way other hidden fields are done in that code. --- src/usr/local/www/firewall_rules_edit.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/usr/local/www/firewall_rules_edit.php b/src/usr/local/www/firewall_rules_edit.php index 6cea900..2688982 100644 --- a/src/usr/local/www/firewall_rules_edit.php +++ b/src/usr/local/www/firewall_rules_edit.php @@ -1239,7 +1239,7 @@ if ($if == "FloatingRules" || isset($pconfig['floating'])) { ) )); - $section->addInput(new Form_Input( + $form->addGlobal(new Form_Input( 'floating', 'Floating', 'hidden', -- cgit v1.1 From 5e391e58439fa189518370fa8d16ffd2e8a1002d Mon Sep 17 00:00:00 2001 
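Review bot: The widget's `$GPGLL` branch copies the same `preg_split('/[,\*]+/', $tmp)` as status_ntpd.php, and the `+` quantifier merges consecutive commas, so any empty NMEA field shifts the indices that `$gps_vars[6]` (status) and `$gps_vars[1]`/`$gps_vars[3]` (coordinates) depend on. `$gps_vars = preg_split('/[,*]/', $tmp);` preserves empty fields as empty strings and still splits the checksum off. Since this NMEA parsing is now duplicated in two files, a shared helper in an include would keep the two copies from drifting apart again.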
From: stilez Date: Sat, 31 Dec 2016 11:42:53 +0000 Subject: Improve labels + help text for IPv6 tunneling options * Move the help message to be on the group as a whole not just the IP input field * Clarify the IP field (label states "IP address and explains tunelling, but whgat address should be entered and should it be IPv4, IPv6 or either? This isn't made clear. * Group title uses the term "tunneling" and this is probably the most commonly understandable term, so keep it consistent and don;'t switch to "encapsulation" halfway through. (We use the term "encapsulation" in the help text already so it's there for purists) --- src/usr/local/www/system_advanced_network.php | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/src/usr/local/www/system_advanced_network.php b/src/usr/local/www/system_advanced_network.php index 06a4e2d..f5fdf73 100644 --- a/src/usr/local/www/system_advanced_network.php +++ b/src/usr/local/www/system_advanced_network.php @@ -158,23 +158,25 @@ $section->addInput(new Form_Checkbox( ))->setHelp('NOTE: This does not disable any IPv6 features on the firewall, it only '. 'blocks traffic.'); + $group = new Form_Group('IPv6 over IPv4 Tunneling'); $group->add(new Form_Checkbox( 'ipv6nat_enable', 'IPv6 over IPv4 Tunneling', - 'Enable IPv4 NAT encapsulation of IPv6 packets', + 'Enable IPv6 over IPv4 tunneling', $pconfig['ipv6nat_enable'] )); $group->add(new Form_Input( 'ipv6nat_ipaddr', - 'IP address', + 'IP address of tunneling peer', 'text', $pconfig['ipv6nat_ipaddr'] -))->setHelp('Enable IPv4 NAT encapsulation of IPv6 packets.
This provides an '. - 'RFC 2893 compatibility mechanism that can be used to tunneling IPv6 packets over '. - 'IPv4 routing infrastructures. If enabled, don\'t forget to add a firewall rule to '. - 'permit IPv6 packets.'); +))->setHelp('The IPv4 address of the tunneling peer'); + +$group->setHelp('These options create an RFC 2893 compatible mechanism for IPv4 NAT encapsulation of IPv6 packets, that can be used ' . + 'to tunnel IPv6 packets over IPv4 routing infrastructures. A firewall rule to allow passing of IPv6 packets ' . + 'must also be created.'); $section->add($group); -- cgit v1.1 From a56e37ca671873418e82382a8466b8014bf4bc83 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sun, 1 Jan 2017 23:42:43 +0100 Subject: Improve - System - General - DNS Server Settings descriptions - Add missing DNS Resolver references - Nuke PPTP VPN mentions - Use letter case consistently. The "Disable DNS Forwarder" option naming is rather unfortunate as well (would be much better with something like "Use local DNS server"), but changing that would require documentation changes. --- src/usr/local/www/system.php | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/src/usr/local/www/system.php b/src/usr/local/www/system.php index 83ab5e7..ff82c9a 100644 --- a/src/usr/local/www/system.php +++ b/src/usr/local/www/system.php @@ -391,7 +391,8 @@ for ($i=1; $i<5; $i++) { ))->setHelp(($i == 4) ? 'Address':null); $help = "Enter IP addresses to be used by the system for DNS resolution. " . - "These are also used for the DHCP service, DNS forwarder and for PPTP VPN clients."; + "These are also used for the DHCP service, DNS Forwarder and DNS Resolver " . + "(if it has DNS Query Forwarding enabled)."; if ($multiwan) { $options = array('none' => 'none'); 
@@ -433,18 +434,18 @@ $section->addInput(new Form_Checkbox( $pconfig['dnsallowoverride'] ))->setHelp(sprintf(gettext('If this option is set, %s will use DNS servers '. 'assigned by a DHCP/PPP server on WAN for its own purposes (including '. - 'the DNS forwarder). However, they will not be assigned to DHCP and PPTP '. - 'VPN clients.'), $g['product_name'])); + 'the DNS Forwarder/DNS Resolver). However, they will not be assigned to DHCP '. + 'clients.'), $g['product_name'])); $section->addInput(new Form_Checkbox( 'dnslocalhost', 'Disable DNS Forwarder', - 'Do not use the DNS Forwarder as a DNS server for the firewall', + 'Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall', $pconfig['dnslocalhost'] ))->setHelp('By default localhost (127.0.0.1) will be used as the first DNS '. 'server where the DNS Forwarder or DNS Resolver is enabled and set to '. - 'listen on Localhost, so system can use the local DNS service to perform '. - 'lookups. Checking this box omits localhost from the list of DNS servers.'); + 'listen on localhost, so system can use the local DNS service to perform '. + 'lookups. Checking this box omits localhost from the list of DNS servers in resolv.conf.'); $form->add($section); -- cgit v1.1 From 58523c575f9d075f0a8195e0889606955c76b227 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Mon, 2 Jan 2017 00:09:28 +0100 Subject: Improve Unbound forwarding mode description Make this consistent with System - General Setup - DNS Server Settings. --- src/usr/local/www/services_unbound.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/usr/local/www/services_unbound.php b/src/usr/local/www/services_unbound.php index b79548c..09f2be5 100644 --- a/src/usr/local/www/services_unbound.php +++ b/src/usr/local/www/services_unbound.php 
@@ -317,7 +317,9 @@ $section->addInput(new Form_Checkbox( 'DNS Query Forwarding', 'Enable Forwarding Mode', $pconfig['forwarding'] -)); +))->setHelp(sprintf('If this option is set, DNS queries will be forwarded to the upstream DNS servers defined under'. + ' %sSystem: General Setup%s or those obtained via DHCP/PPP on WAN'. + ' (if DNS Server Override is enabled there).','','')); $section->addInput(new Form_Checkbox( 'regdhcp', -- cgit v1.1 From 128b93e04dc4a01de6972f34a8e43f6428b2b5ea Mon Sep 17 00:00:00 2001 From: Phil Davis Date: Mon, 2 Jan 2017 12:53:32 +0545 Subject: OpenVPN Client 2.4 save correct protocol This needs to be fixed the same as vpn_openvpn_server.php --- src/usr/local/www/vpn_openvpn_client.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/usr/local/www/vpn_openvpn_client.php b/src/usr/local/www/vpn_openvpn_client.php index 399d099..5cfd6f9 100644 --- a/src/usr/local/www/vpn_openvpn_client.php +++ b/src/usr/local/www/vpn_openvpn_client.php @@ -447,7 +447,7 @@ if ($act=="new" || $act=="edit"): 'protocol', 'Protocol', $pconfig['protocol'], - array_combine($openvpn_prots, $openvpn_prots) + $openvpn_prots )); $section->addInput(new Form_Select( -- cgit v1.1 From 80d3effa960ab23112233d2dfb50c35161bd7e03 Mon Sep 17 00:00:00 2001 From: jim-p Date: Mon, 2 Jan 2017 08:34:51 -0500 Subject: Make sure $openvpn_dh_lengths is declared global. Ticket #7065 --- src/etc/inc/openvpn.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc index 727a4af..35be079 100644 --- a/src/etc/inc/openvpn.inc +++ b/src/etc/inc/openvpn.inc @@ -638,7 +638,7 @@ function openvpn_add_keyfile(& $data, & $conf, $mode_id, $directive, $opt = "") } function openvpn_reconfigure($mode, $settings) { - global $g, $config, $openvpn_tls_server_modes; + global $g, $config, $openvpn_tls_server_modes, $openvpn_dh_lengths; if (empty($settings)) { return; -- cgit v1.1 
From c337280901d3eedf98e195bd99d30d2ed9d4df1e Mon Sep 17 00:00:00 2001 From: jim-p Date: Mon, 2 Jan 2017 09:50:26 -0500 Subject: Fix up wording of the DUID option. --- src/usr/local/www/system_advanced_network.php | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/src/usr/local/www/system_advanced_network.php b/src/usr/local/www/system_advanced_network.php index 7361bd3..b99dad8 100644 --- a/src/usr/local/www/system_advanced_network.php +++ b/src/usr/local/www/system_advanced_network.php @@ -205,10 +205,13 @@ $section->addInput(new Form_Input( 'text', $pconfig['global-v6duid'], ['placeholder' => $duid] - ))->setWidth(9)->sethelp('The current DUID is displayed above. You may enter a new DUID which will be used on the next WAN interface UP event.' .'
' . - 'Unless you enter a DUID the system will default to using the DUID created by the client on start, this DUID is NOT saved to config.' . - 'It is strongly recommended if you use RAM disk to enter a DUID here and then save. The saved DUID will take effect after a machine'. - ' reboot or re-configure of the WAN interface(s).'); + ))->setWidth(9)->sethelp('This is the DHCPv6 Unique Identifier (DUID) used by the firewall when requesting an IPv6 address. ' . + '
' . + 'By default, the firewall automatically creates a dynamic DUID which is not saved in the firewall configuration. '. + 'To ensure the same DUID is retained by the firewall at all times, enter a DUID in this field. ' . + 'The new DUID will take effect after a reboot or when the WAN interface(s) are reconfigured by the firewall.' . + '
' . + 'If the firewall is configured to use a RAM disk for /var, the best practice is to store a DUID here otherwise the DUID will change on each reboot. '); $form->add($section); $section = new Form_Section('Network Interfaces'); -- cgit v1.1 From cee543b79910c5225cd0636cef87a95f085d406a Mon Sep 17 00:00:00 2001 From: Renato Botelho Date: Mon, 2 Jan 2017 10:41:34 -0200 Subject: Fix indent --- src/usr/local/www/system_advanced_misc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/usr/local/www/system_advanced_misc.php b/src/usr/local/www/system_advanced_misc.php index 817b745..796a32b 100644 --- a/src/usr/local/www/system_advanced_misc.php +++ b/src/usr/local/www/system_advanced_misc.php @@ -590,7 +590,7 @@ events.push(function() { } }); - drb = ""; + drb = ""; if (drb == "yes") { $('form').append(""); -- cgit v1.1 From dc6d47759f716a0ecf4065988945b02d0486742b Mon Sep 17 00:00:00 2001 From: Renato Botelho Date: Mon, 2 Jan 2017 12:51:20 -0200 Subject: Check if array key exist before read its value --- src/usr/local/www/diag_reboot.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/usr/local/www/diag_reboot.php b/src/usr/local/www/diag_reboot.php index 8b6229e..8052e40 100644 --- a/src/usr/local/www/diag_reboot.php +++ b/src/usr/local/www/diag_reboot.php @@ -43,8 +43,8 @@ $guiretry = 20; // Seconds to try again if $guitimeout was not long enough $pgtitle = array(gettext("Diagnostics"), gettext("Reboot")); include("head.inc"); - -if (($_SERVER['REQUEST_METHOD'] == 'POST') && ($_POST['override'] != "yes")) { +if (($_SERVER['REQUEST_METHOD'] == 'POST') && (empty($_POST['override']) || + ($_POST['override'] != "yes"))): if (DEBUG) { print_info_box(gettext("Not actually rebooting (DEBUG is set true)."), 'success'); } else { @@ -98,7 +98,7 @@ events.push(function() { //]]> 
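Review bot: The `if` in the `@@ -43` hunk of diag_reboot.php now opens with `:` (alternative syntax) instead of `{`, so its closer elsewhere in the file must become `endif;`; that closer is outside this hunk and the later hunks are garbled here, so please confirm the pairing is complete or the page will not parse. The added `empty($_POST['override'])` test is redundant once the comparison uses the null-coalescing operator (PHP 7+): `if (($_SERVER['REQUEST_METHOD'] == 'POST') && (($_POST['override'] ?? '') != "yes")):`. Since a bare POST to this page reboots the firewall, the check relies entirely on the site-wide CSRF filter; nothing in this hunk validates a token, which is acceptable only if that global protection is in place.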
@@ -135,6 +135,6 @@ events.push(function() { Date: Mon, 2 Jan 2017 12:53:03 -0200 Subject: Pass specific filename to tar and rm during rrd backup --- src/etc/rc.backup_rrd.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/etc/rc.backup_rrd.sh b/src/etc/rc.backup_rrd.sh index 7914bd1..873652f 100755 --- a/src/etc/rc.backup_rrd.sh +++ b/src/etc/rc.backup_rrd.sh @@ -13,12 +13,13 @@ if [ -d "${RRDDBPATH}" ]; then xmlfile="${rrdfile%.rrd}.xml" tgzfile="${rrdfile%.rrd}.tgz" /usr/bin/nice -n20 /usr/local/bin/rrdtool dump "$rrdfile" "$xmlfile" - cd / && /usr/bin/tar -czf "${tgzfile}" -C / "${RRDDBPATH#/}"/*.xml - /bin/rm -f "${RRDDBPATH}"/*.xml + /usr/bin/tar -czf "${tgzfile}" -C / ${xmlfile#/} + /bin/rm -f ${xmlfile} tgzlist="${tgzlist} @${tgzfile}" done + if [ -n "${tgzlist}" ]; then - cd / && /usr/bin/tar -czf "${CF_CONF_PATH}/rrd.tgz" ${tgzlist} + /usr/bin/tar -czf "${CF_CONF_PATH}/rrd.tgz" -C / ${tgzlist} /bin/rm -f "${RRDDBPATH}"/*.tgz fi fi -- cgit v1.1 From 9bf6cdc135ddf108bc08f048687130c09cd09f4b Mon Sep 17 00:00:00 2001 From: Renato Botelho Date: Mon, 2 Jan 2017 12:54:00 -0200 Subject: Ticket #6096: Remove target before try to move, also use mv -f to avoid human interaction --- src/etc/pfSense-rc | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/src/etc/pfSense-rc b/src/etc/pfSense-rc index 382da91..4d2c3fb 100755 --- a/src/etc/pfSense-rc +++ b/src/etc/pfSense-rc 
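Review bot: The rewritten `tar` and `rm` lines in rc.backup_rrd.sh drop the quoting the old lines had: `${xmlfile#/}` and `${xmlfile}` are unquoted, so a path containing whitespace or glob characters is word-split or expanded, while `$rrdfile` one line above is still quoted. Quote them: `/usr/bin/tar -czf "${tgzfile}" -C / "${xmlfile#/}"` and `/bin/rm -f "${xmlfile}"`. `${tgzlist}` has to stay unquoted because it is a space-separated list of `@archive` arguments, which silently assumes RRD file names never contain spaces; a one-line comment stating that assumption would help. The enclosing `for` loop starts before this hunk.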
@@ -122,14 +122,16 @@ if [ "${USE_MFS_TMPVAR}" != "true" -a -f /root/var/db/pkg/local.sqlite ]; then MOVE_PKG_DATA=1 rm -rf /var/db/pkg 2>/dev/null rm -rf /var/cache/pkg 2>/dev/null - mv /root/var/db/pkg /var/db - mv /root/var/cache/pkg /var/cache + mv -f /root/var/db/pkg /var/db + mv -f /root/var/cache/pkg /var/cache # If use MFS var is enabled, move files to a safe place elif [ "${USE_MFS_TMPVAR}" = "true" -a -f /var/db/pkg/local.sqlite ]; then MOVE_PKG_DATA=1 + rm -rf /root/var/db/pkg 2>/dev/null + rm -rf /root/var/cache/pkg 2>/dev/null /bin/mkdir -p /root/var/db /root/var/cache - mv /var/db/pkg /root/var/db - mv /var/cache/pkg /root/var/cache + mv -f /var/db/pkg /root/var/db + mv -f /var/cache/pkg /root/var/cache fi if [ "${USE_MFS_TMPVAR}" = "true" ]; then -- cgit v1.1 From f09aede6c0f692d93603ad2b3794fe0d78a4cf36 Mon Sep 17 00:00:00 2001 From: Renato Botelho Date: Mon, 2 Jan 2017 12:54:26 -0200 Subject: Ticket #6096: Add PKG_DBDIR and PKG_CACHEDIR to user environment --- src/etc/skel/dot.shrc | 6 ++++++ src/etc/skel/dot.tcshrc | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/src/etc/skel/dot.shrc b/src/etc/skel/dot.shrc index e72197b..e9f0ca6 100644 --- a/src/etc/skel/dot.shrc +++ b/src/etc/skel/dot.shrc @@ -32,6 +32,12 @@ if [ "${HTTP_PROXY_AUTH_USER}" != "" ] && [ "${HTTP_PROXY_AUTH_PASS}" != "" ]; t export HTTP_PROXY_AUTH fi +USE_MFS_TMPVAR=$(/usr/local/sbin/read_xml_tag.sh boolean system/use_mfs_tmpvar) +if [ "${USE_MFS_TMPVAR}" = "true" ]; then + export PKG_DBDIR='/root/var/db/pkg' + export PKG_CACHEDIR='/root/var/cache/pkg' +fi + # Detect interactive logins and display the shell unset _interactive if [ -n "${SSH_TTY}" ]; then diff --git a/src/etc/skel/dot.tcshrc b/src/etc/skel/dot.tcshrc index db9846f..28e3fc8 100644 --- a/src/etc/skel/dot.tcshrc +++ b/src/etc/skel/dot.tcshrc 
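Review bot: In the MFS branch, `rm -rf /root/var/db/pkg` discards the previously persisted copy before `mv -f /var/db/pkg /root/var/db` runs, and neither `mv` has its exit status checked, so if the move fails (full disk, I/O error) `MOVE_PKG_DATA=1` is still set and the only remaining pkg database lives on the memory disk that does not survive the reboot. Checking the status, e.g. `mv -f /var/db/pkg /root/var/db || echo "pkg database move to /root/var/db failed" >&2`, would at least make the failure visible, and moving into a staging name then renaming would avoid the window entirely. The same applies to the cache directory move. The enclosing `if`/`elif` starts before this hunk.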
@@ -55,3 +55,9 @@ if ( ${http_proxy_auth_user} != "" && ${http_proxy_auth_pass} != "" ) then set http_proxy_auth="basic:*:${http_proxy_auth_user}:${http_proxy_auth_pass}" setenv HTTP_PROXY_AUTH "${http_proxy_auth}" endif + +set use_mfs_tmpvar=`/usr/local/sbin/read_xml_tag.sh boolean system/use_mfs_tmpvar` +if ( $use_mfs_tmpvar == "true" ) then + setenv PKG_DBDIR '/root/var/db/pkg' + setenv PKG_CACHEDIR '/root/var/cache/pkg' +endif -- cgit v1.1 From 8ccb89f5e9d80be0dc04fd2391c84b7293e890ba Mon Sep 17 00:00:00 2001 From: Steve Beaver Date: Mon, 2 Jan 2017 10:09:36 -0500 Subject: Theoretical fix for #6972 --- src/usr/local/www/js/pfSense.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/usr/local/www/js/pfSense.js b/src/usr/local/www/js/pfSense.js index da33129..c07f857 100644 --- a/src/usr/local/www/js/pfSense.js +++ b/src/usr/local/www/js/pfSense.js @@ -143,7 +143,7 @@ $(function() { // Use element title in the confirmation message, or if not available // the element value $('.btn-danger, .fa-trash').on('click', function(e){ - if (!($(this).hasClass('no-confirm'))) { + if ( !($(this).hasClass('no-confirm')) && !($(this).hasClass('icon-embed-btn')) ) { var msg = $.trim(this.textContent).toLowerCase(); if (!msg) @@ -230,7 +230,7 @@ $(function() { $('.table-rowdblclickedit>tbody>tr').dblclick(function () { $(this).find(".fa-pencil")[0].click(); }); - + // Focus first input $(':input:enabled:visible:first').focus(); @@ -238,7 +238,7 @@ $(function() { $(this).css('height', 80).resizable({minHeight: 80, minWidth: 200}).parent().css('padding-bottom', 0); $(this).css('height', 78); }); - + // Run in-page defined events while (func = window.events.shift()) func(); -- cgit v1.1 From 243181851d026adbae843761e7ca0f967973e767 Mon Sep 17 00:00:00 2001 
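Review bot: In dot.tcshrc, `if ( $use_mfs_tmpvar == "true" ) then` leaves the variable unquoted; if `read_xml_tag.sh` prints nothing (tag absent, script missing) the expression degenerates to `( == "true" )` and tcsh aborts the rc file with an expression-syntax error, skipping the rest of the login setup. The sh version in dot.shrc quotes `"${USE_MFS_TMPVAR}"`; do the same here: `if ( "$use_mfs_tmpvar" == "true" ) then`. Running `read_xml_tag.sh` on every shell start is also a small cost per login that could be noted in a comment.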
From: Steve Beaver Date: Mon, 2 Jan 2017 10:16:40 -0500 Subject: Revert "Theoretical fix for #6972" This reverts commit 335e63d66ce8af690d1a144d4ec6b385cbe39af4. --- src/usr/local/www/js/pfSense.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/usr/local/www/js/pfSense.js b/src/usr/local/www/js/pfSense.js index c07f857..da33129 100644 --- a/src/usr/local/www/js/pfSense.js +++ b/src/usr/local/www/js/pfSense.js @@ -143,7 +143,7 @@ $(function() { // Use element title in the confirmation message, or if not available // the element value $('.btn-danger, .fa-trash').on('click', function(e){ - if ( !($(this).hasClass('no-confirm')) && !($(this).hasClass('icon-embed-btn')) ) { + if (!($(this).hasClass('no-confirm'))) { var msg = $.trim(this.textContent).toLowerCase(); if (!msg) @@ -230,7 +230,7 @@ $(function() { $('.table-rowdblclickedit>tbody>tr').dblclick(function () { $(this).find(".fa-pencil")[0].click(); }); - + // Focus first input $(':input:enabled:visible:first').focus(); @@ -238,7 +238,7 @@ $(function() { $(this).css('height', 80).resizable({minHeight: 80, minWidth: 200}).parent().css('padding-bottom', 0); $(this).css('height', 78); }); - + // Run in-page defined events while (func = window.events.shift()) func(); -- cgit v1.1 From 3d116b5c8d5c6474821d3a6607f9fa929df2f481 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Mon, 2 Jan 2017 16:27:15 +0100 Subject: Update format --- src/usr/local/www/services_unbound.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/usr/local/www/services_unbound.php b/src/usr/local/www/services_unbound.php index 09f2be5..6067941 100644 --- a/src/usr/local/www/services_unbound.php +++ b/src/usr/local/www/services_unbound.php 
@@ -128,7 +128,7 @@ if ($_POST) { } } if ($founddns == false) { - $input_errors[] = gettext("At least one DNS server must be specified under System>General Setup to enable Forwarding mode."); + $input_errors[] = gettext("At least one DNS server must be specified under System > General Setup to enable Forwarding mode."); } } @@ -318,7 +318,7 @@ $section->addInput(new Form_Checkbox( 'Enable Forwarding Mode', $pconfig['forwarding'] ))->setHelp(sprintf('If this option is set, DNS queries will be forwarded to the upstream DNS servers defined under'. - ' %sSystem: General Setup%s or those obtained via DHCP/PPP on WAN'. + ' %sSystem > General Setup%s or those obtained via DHCP/PPP on WAN'. ' (if DNS Server Override is enabled there).','','')); $section->addInput(new Form_Checkbox( @@ -328,7 +328,7 @@ $section->addInput(new Form_Checkbox( $pconfig['regdhcp'] ))->setHelp(sprintf('If this option is set, then machines that specify their hostname when requesting a DHCP lease will be registered'. ' in the DNS Resolver, so that their name can be resolved.'. - ' The domain in %sSystem: General Setup%s should also be set to the proper value.','','')); + ' The domain in %sSystem > General Setup%s should also be set to the proper value.','','')); $section->addInput(new Form_Checkbox( 'regdhcpstatic', @@ -336,7 +336,7 @@ $section->addInput(new Form_Checkbox( 'Register DHCP static mappings in the DNS Resolver', $pconfig['regdhcpstatic'] ))->setHelp(sprintf('If this option is set, then DHCP static mappings will be registered in the DNS Resolver, so that their name can be resolved. '. - 'The domain in %sSystem: General Setup%s should also be set to the proper value.','','')); + 'The domain in %sSystem > General Setup%s should also be set to the proper value.','','')); $btnadv = new Form_Button( 'btnadvcustom', 
@@ -557,7 +557,7 @@ endforeach; " service (if enabled) will automatically serve the LAN IP". " address as a DNS server to DHCP clients so they will use". " the DNS Resolver. If Forwarding is enabled, the DNS Resolver will use the DNS servers". - " entered in %sSystem: General Setup%s". + " entered in %sSystem > General Setup%s". " or those obtained via DHCP or PPP on WAN if "Allow". " DNS server list to be overridden by DHCP/PPP on WAN"". " is checked."), '', ''), 'info', false); ?> -- cgit v1.1 From 6c1e85e544814d336b47fbc782a6aff77ea7301f Mon Sep 17 00:00:00 2001 From: doktornotor Date: Mon, 2 Jan 2017 16:28:28 +0100 Subject: Change wording --- src/usr/local/www/system.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/usr/local/www/system.php b/src/usr/local/www/system.php index ff82c9a..980e773 100644 --- a/src/usr/local/www/system.php +++ b/src/usr/local/www/system.php @@ -392,7 +392,7 @@ for ($i=1; $i<5; $i++) { $help = "Enter IP addresses to be used by the system for DNS resolution. " . "These are also used for the DHCP service, DNS Forwarder and DNS Resolver " . - "(if it has DNS Query Forwarding enabled)."; + "when it has DNS Query Forwarding enabled."; if ($multiwan) { $options = array('none' => 'none'); -- cgit v1.1 From fab3c245cfb52964cebdab2ea47dddb21731352a Mon Sep 17 00:00:00 2001 From: Steve Beaver Date: Mon, 2 Jan 2017 11:34:38 -0500 Subject: Fixed #6972 I was only able to reproduce tis issue using Chrome, but it should now be resolved --- src/usr/local/www/js/pfSense.js | 6 +++--- src/usr/local/www/js/pfSenseHelpers.js | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/usr/local/www/js/pfSense.js b/src/usr/local/www/js/pfSense.js index da33129..2a6bc16 100644 --- a/src/usr/local/www/js/pfSense.js +++ b/src/usr/local/www/js/pfSense.js 
@@ -143,7 +143,7 @@ $(function() { // Use element title in the confirmation message, or if not available // the element value $('.btn-danger, .fa-trash').on('click', function(e){ - if (!($(this).hasClass('no-confirm'))) { + if (!($(this).hasClass('no-confirm')) && !($(this).hasClass('icon-embed-btn'))) { var msg = $.trim(this.textContent).toLowerCase(); if (!msg) @@ -230,7 +230,7 @@ $(function() { $('.table-rowdblclickedit>tbody>tr').dblclick(function () { $(this).find(".fa-pencil")[0].click(); }); - + // Focus first input $(':input:enabled:visible:first').focus(); @@ -238,7 +238,7 @@ $(function() { $(this).css('height', 80).resizable({minHeight: 80, minWidth: 200}).parent().css('padding-bottom', 0); $(this).css('height', 78); }); - + // Run in-page defined events while (func = window.events.shift()) func(); diff --git a/src/usr/local/www/js/pfSenseHelpers.js b/src/usr/local/www/js/pfSenseHelpers.js index b77ec1f..e879f15 100644 --- a/src/usr/local/www/js/pfSenseHelpers.js +++ b/src/usr/local/www/js/pfSenseHelpers.js @@ -375,9 +375,9 @@ $('[id^=addrow]').click(function() { $('[id^=delete]').click(function(event) { if ($('.repeatable').length > 1) { if ((typeof retainhelp) == "undefined") - moveHelpText(event.target.id); + moveHelpText($(this).attr("id")); - delete_row(event.target.id); + delete_row($(this).attr("id")); } else { alert('The last row may not be deleted.'); } -- cgit v1.1 From 2906d13941ce07e59e5977f75a5bf5a8b1987b68 Mon Sep 17 00:00:00 2001 From: jim-p Date: Mon, 2 Jan 2017 12:17:41 -0500 Subject: Fix printing of local/remote host in OpenVPN status for Client Instances. If the client was not connected it was printing a ":" and nothing else in the field which was odd/confusing. Ticket #2766 --- src/usr/local/www/status_openvpn.php | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/src/usr/local/www/status_openvpn.php b/src/usr/local/www/status_openvpn.php index 9997703..0a71ac2 100644 
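Review bot: Adding `!($(this).hasClass('icon-embed-btn'))` to the guard in pfSense.js removes the delete-confirmation prompt from every `.btn-danger`/`.fa-trash` element carrying `icon-embed-btn`, not only from the case in #6972, so any destructive control rendered with that class now fires without a prompt. If the goal is to avoid a duplicate prompt when the click bubbles from the embedded icon to its button, a narrower fix is to stop the handler running twice for one click (e.g. `e.stopPropagation()` on the inner element) or to mark the specific element `no-confirm`, which the existing check already honours. I cannot see where `icon-embed-btn` is used, so please confirm none of those elements delete anything. The whitespace-only `-`/`+` lines in the `@@ -230` and `@@ -238` hunks are noise.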
--- a/src/usr/local/www/status_openvpn.php +++ b/src/usr/local/www/status_openvpn.php @@ -312,7 +312,13 @@ include("head.inc"); ?> - : + + + (pending) + + : + + @@ -320,7 +326,13 @@ include("head.inc"); ?> - : + + + (pending) + + : + + / -- cgit v1.1 From c66990a8b0f1b8f2246946a6fe7445d6696e13c5 Mon Sep 17 00:00:00 2001 From: jim-p Date: Mon, 2 Jan 2017 13:52:33 -0500 Subject: Fix up and enchance the help text for DH parameters, point to the doc wiki for info on how to generate new ones. Also add help text for ECDH Curve. #7063 --- src/usr/local/www/vpn_openvpn_server.php | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/src/usr/local/www/vpn_openvpn_server.php b/src/usr/local/www/vpn_openvpn_server.php index 433b689..8da8fee 100644 --- a/src/usr/local/www/vpn_openvpn_server.php +++ b/src/usr/local/www/vpn_openvpn_server.php @@ -775,14 +775,24 @@ if ($act=="new" || $act=="edit"): 'DH Parameter Length', $pconfig['dh_length'], $openvpn_dh_lengths - ))->setHelp(count($a_cert) ? '':sprintf('No Certificates defined. One may be created here: %s', 'System > Cert. Manager')); + ))->setHelp('Diffie-Hellman (DH) parameter set used for key exchange.' . + '
' . + sprint_info_box('Only DH parameter sets which exist in /etc/ are shown. ' . + '
' . + 'Generating new or stronger DH parameters is CPU-intensive and must be performed manually. ' . + 'Consult the doc wiki article on DH Parameters ' . + 'for information on generating new or stronger paramater sets.', 'info', false) . + '
'); $section->addInput(new Form_Select( 'ecdh_curve', 'ECDH Curve', $pconfig['ecdh_curve'], openvpn_get_curvelist() - )); + ))->setHelp('The Elliptic Curve to use for key exchange. ' . + '
' . + 'The curve from the server certificate is used by default when the server uses an ECDSA certificate. ' . + 'Otherwise, secp384r1 is used as a fallback.'); if (!$pconfig['shared_key']) { $section->addInput(new Form_Checkbox( -- cgit v1.1 From a4b3624650aa46c9dc4a20afc5b522c6b9191904 Mon Sep 17 00:00:00 2001 From: jim-p Date: Mon, 2 Jan 2017 21:24:07 -0500 Subject: Bring compression options in line with OpenVPN 2.4. Note that the old style options are deprecated/legacy but don't remove yet, for compatibility. Implements #7064 --- src/etc/inc/openvpn.inc | 45 +++++++++++++++++++++++++------- src/usr/local/www/vpn_openvpn_server.php | 12 +++++++++ 2 files changed, 47 insertions(+), 10 deletions(-) diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc index 35be079..9a8289a 100644 --- a/src/etc/inc/openvpn.inc +++ b/src/etc/inc/openvpn.inc @@ -119,11 +119,16 @@ $openvpn_client_modes = array( global $openvpn_compression_modes; $openvpn_compression_modes = array( - '' => gettext("No Preference"), - 'noadapt' => gettext("No Preference and Adaptive Compression Disabled"), - 'no' => gettext("Disabled - No Compression"), - 'adaptive' => gettext("Enabled with Adaptive Compression"), - 'yes' => gettext("Enabled without Adaptive Compression")); + '' => gettext("Omit Preference (Use OpenVPN Default)"), + 'lz4' => gettext("LZ4 Compression [compress lz4]"), + 'lz4-v2' => gettext("LZ4 Comression v2 [compress lz4-v2]"), + 'lzo' => gettext("LZO Compression [compress lzo, equivalent to comp-lzo yes for compatibility]"), + 'stub' => gettext("Enable Compression (stub) [compress]"), + 'noadapt' => gettext("Omit Preference, + Disable Adaptive LZO Compression [Legacy style, comp-noadapt]"), + 'adaptive' => gettext("Adaptive LZO Compression [Legacy style, comp-lzo adaptive]"), + 'yes' => gettext("LZO Compression [Legacy style, comp-lzo yes]"), + 'no' => gettext("No LZO Compression [Legacy style, comp-lzo no]"), +); global $openvpn_topologies; $openvpn_topologies = array( 
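Review bot: The new DH help string in vpn_openvpn_server.php misspells `paramater sets` (should be `parameter sets`), which is user-visible text. The ECDH help states that `secp384r1 is used as a fallback` when the certificate is not ECDSA; that behaviour is implemented elsewhere (openvpn.inc is not in this hunk), so please confirm the text matches what the generator actually emits. The old help (`No Certificates defined...`) was attached to the DH field and is dropped here; if that warning is still wanted it belongs on the certificate selector, not on this field.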
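Review bot: Two of the new `gettext()` strings in `$openvpn_compression_modes` carry typos that will become translation msgids: `'lz4-v2' => gettext("LZ4 Comression v2 [compress lz4-v2]")` should read `Compression`, and `'noadapt' => gettext("Omit Preference, + Disable Adaptive LZO Compression [Legacy style, comp-noadapt]")` has a stray `+`. Fixing them before release avoids stale entries in the .po catalogs. The `'stub'` label says `[compress]`, but the reconfigure change in the next hunk emits `compress stub` for it; aligning the label with the generated directive would help operators match the UI to their config.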
@@ -1082,11 +1087,31 @@ function openvpn_reconfigure($mode, $settings) { break; } - if (!empty($settings['compression'])) { - if ($settings['compression'] == "noadapt") { - $conf .= "comp-noadapt\n"; - } else { - $conf .= "comp-lzo {$settings['compression']}\n"; + $compression = ""; + switch ($settings['compression']) { + case 'lz4': + case 'lz4-v2': + case 'lzo': + case 'stub': + $compression .= "compress {$settings['compression']}"; + break; + case 'noadapt': + $compression .= "comp-noadapt"; + break; + case 'adaptive': + case 'yes': + case 'no': + $compression .= "comp-lzo {$settings['compression']}"; + break; + default: + /* Add nothing to the configuration */ + break; + } + + if (!empty($compression)) { + $conf .= "{$compression}\n"; + if ($settings['compression_push']) { + $conf .= "push \"{$compression}\"\n"; } } diff --git a/src/usr/local/www/vpn_openvpn_server.php b/src/usr/local/www/vpn_openvpn_server.php index 8da8fee..452826d 100644 --- a/src/usr/local/www/vpn_openvpn_server.php +++ b/src/usr/local/www/vpn_openvpn_server.php @@ -165,6 +165,7 @@ if ($_GET['act'] == "edit") { $pconfig['local_networkv6'] = $a_server[$id]['local_networkv6']; $pconfig['maxclients'] = $a_server[$id]['maxclients']; $pconfig['compression'] = $a_server[$id]['compression']; + $pconfig['compression_push'] = $a_server[$id]['compression_push']; $pconfig['passtos'] = $a_server[$id]['passtos']; $pconfig['client2client'] = $a_server[$id]['client2client']; @@ -498,6 +499,7 @@ if ($_POST) { $server['local_networkv6'] = $pconfig['local_networkv6']; $server['maxclients'] = $pconfig['maxclients']; $server['compression'] = $pconfig['compression']; + $server['compression_push'] = $pconfig['compression_push']; $server['passtos'] = $pconfig['passtos']; $server['client2client'] = $pconfig['client2client']; 
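Review bot: `$compression .= "compress {$settings['compression']}";` and the other `.=` lines append to a string that is always empty at that point, so plain assignment (`$compression = "compress {$settings['compression']}";`) says what is meant and spares the reader a search for an earlier contribution. `if ($settings['compression_push'])` reads a key that configurations saved before this change will not have; the line this hunk removes used `!empty($settings['compression'])`, so `if (!empty($settings['compression_push']))` would keep the file's style and avoid the undefined-index notice. The interpolated value is bounded by the case labels, so the generated `push "…"` line can only carry the listed tokens, which is worth a one-line comment above the switch. openvpn_reconfigure() starts and ends outside the hunk.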
@@ -962,6 +964,13 @@ if ($act=="new" || $act=="edit"): 'packets is not being compressed efficiently.'); $section->addInput(new Form_Checkbox( + 'compression_push', + 'Push Compression', + 'Push the selected Compression setting to connecting clients.', + $pconfig['compression_push'] + )); + + $section->addInput(new Form_Checkbox( 'passtos', 'Type-of-Service', 'Set the TOS IP header value of tunnel packets to match the encapsulated packet value.', @@ -1308,6 +1317,7 @@ events.push(function() { hideCheckbox('autokey_enable', true); hideInput('shared_key', false); hideInput('topology', false); + hideCheckbox('compression_push', false); break; case "server_tls_user": hideInput('tls', false); @@ -1319,6 +1329,7 @@ events.push(function() { hideCheckbox('autokey_enable', true); hideInput('shared_key', true); hideInput('topology', false); + hideCheckbox('compression_push', false); break; case "p2p_shared_key": hideInput('tls', true); @@ -1335,6 +1346,7 @@ events.push(function() { hideCheckbox('autokey_enable', true); hideInput('shared_key', false); hideInput('topology', true); + hideCheckbox('compression_push', true); break; } -- cgit v1.1 From c13c0fd0fe547fa8e35997d7ede7f8a6b33088fa Mon Sep 17 00:00:00 2001 From: jim-p Date: Mon, 2 Jan 2017 22:18:13 -0500 Subject: Reject the invalid OpenVPN combination of static key + GCM. Fixes #7068 --- src/usr/local/www/vpn_openvpn_client.php | 4 ++++ src/usr/local/www/vpn_openvpn_server.php | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/src/usr/local/www/vpn_openvpn_client.php b/src/usr/local/www/vpn_openvpn_client.php index 5cfd6f9..78d638d 100644 --- a/src/usr/local/www/vpn_openvpn_client.php +++ b/src/usr/local/www/vpn_openvpn_client.php 
@@ -293,6 +293,10 @@ if ($_POST) {
 }
 }
+ if (($pconfig['mode'] == "p2p_shared_key") && strstr($pconfig['crypto'], "GCM")) {
+ $input_errors[] = gettext("CGM Encryption Algorithms cannot be used with Shared Key mode.");
+ }
+
 /* If we are not in shared key mode, then we need the CA/Cert. */
 if ($pconfig['mode'] != "p2p_shared_key") {
 $reqdfields = explode(" ", "caref");
diff --git a/src/usr/local/www/vpn_openvpn_server.php b/src/usr/local/www/vpn_openvpn_server.php
index 452826d..b30a908 100644
--- a/src/usr/local/www/vpn_openvpn_server.php
+++ b/src/usr/local/www/vpn_openvpn_server.php
@@ -415,6 +415,10 @@ if ($_POST) {
 $reqdfieldsn = array(gettext('Shared key'));
 }
+ if (($pconfig['mode'] == "p2p_shared_key") && strstr($pconfig['crypto'], "GCM")) {
+ $input_errors[] = gettext("CGM Encryption Algorithms cannot be used with Shared Key mode.");
+ }
+
 if ($pconfig['dev_mode'] != "tap") {
 $reqdfields[] = 'tunnel_network';
 $reqdfieldsn[] = gettext('Tunnel network');
-- cgit v1.1 From 46c06ade87cbea59d1113a23a5d91f15dab9048c Mon Sep 17 00:00:00 2001 From: jim-p Date: Mon, 2 Jan 2017 22:35:51 -0500 Subject: Fix typo. Ticket #7068 --- src/usr/local/www/vpn_openvpn_client.php | 2 +- src/usr/local/www/vpn_openvpn_server.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/usr/local/www/vpn_openvpn_client.php b/src/usr/local/www/vpn_openvpn_client.php
index 78d638d..a8089c8 100644
--- a/src/usr/local/www/vpn_openvpn_client.php
+++ b/src/usr/local/www/vpn_openvpn_client.php
@@ -294,7 +294,7 @@ if ($_POST) {
 }
 if (($pconfig['mode'] == "p2p_shared_key") && strstr($pconfig['crypto'], "GCM")) {
- $input_errors[] = gettext("CGM Encryption Algorithms cannot be used with Shared Key mode.");
+ $input_errors[] = gettext("GCM Encryption Algorithms cannot be used with Shared Key mode.");
 }
 /* If we are not in shared key mode, then we need the CA/Cert. */
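Review bot: The shared-key/GCM rejection is pasted verbatim into vpn_openvpn_client.php here and into vpn_openvpn_server.php @@ -415; a small helper in openvpn.inc taking the mode and cipher name would keep the two validators from drifting the next time a rule like this is added. `strstr($pconfig['crypto'], "GCM")` is a case-sensitive substring test on a POST-supplied cipher name; `stripos($pconfig['crypto'], "gcm") !== false` does not depend on the case the cipher list happens to use. The check also keys on the cipher's name containing "GCM" rather than on any mode metadata, so an AEAD cipher named differently would pass — worth a comment stating that assumption. The message typo is corrected by the following commit, so it is not re-raised here.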
diff --git a/src/usr/local/www/vpn_openvpn_server.php b/src/usr/local/www/vpn_openvpn_server.php index b30a908..0468e22 100644 --- a/src/usr/local/www/vpn_openvpn_server.php +++ b/src/usr/local/www/vpn_openvpn_server.php @@ -416,7 +416,7 @@ if ($_POST) { } if (($pconfig['mode'] == "p2p_shared_key") && strstr($pconfig['crypto'], "GCM")) { - $input_errors[] = gettext("CGM Encryption Algorithms cannot be used with Shared Key mode."); + $input_errors[] = gettext("GCM Encryption Algorithms cannot be used with Shared Key mode."); } if ($pconfig['dev_mode'] != "tap") { -- cgit v1.1 From 44c423566b6eff18ec43ee77edddb94e3a3aa858 Mon Sep 17 00:00:00 2001 
From: Phil Davis Date: Tue, 3 Jan 2017 10:50:22 +0545 Subject: Report problems applying changes 1) Strictly keep track of the accumulating $retval from calls to various functions that apply changes. 2) Use new function print_apply_result_box() to print a suitable message in a suitable severity based on $retval --- src/usr/local/www/firewall_aliases.php | 19 ++++------ src/usr/local/www/firewall_nat.php | 5 ++- src/usr/local/www/firewall_nat_1to1.php | 5 ++- src/usr/local/www/firewall_nat_npt.php | 5 ++- src/usr/local/www/firewall_nat_out.php | 16 ++++----- src/usr/local/www/firewall_shaper.php | 32 ++++++----------- src/usr/local/www/firewall_shaper_queues.php | 14 ++------ src/usr/local/www/firewall_shaper_vinterface.php | 34 ++++++------------ src/usr/local/www/firewall_shaper_wizards.php | 13 ++----- src/usr/local/www/firewall_virtual_ip.php | 5 ++- src/usr/local/www/guiconfig.inc | 31 +++++++++++++++-- src/usr/local/www/interfaces.php | 16 +++++---- src/usr/local/www/interfaces_assign.php | 26 ++++++-------- src/usr/local/www/load_balancer_monitor.php | 5 ++- src/usr/local/www/load_balancer_pool.php | 5 ++- src/usr/local/www/load_balancer_setting.php | 5 ++- src/usr/local/www/load_balancer_virtual_server.php | 5 ++- src/usr/local/www/services_captiveportal_mac.php | 5 ++- src/usr/local/www/services_dhcp.php | 15 ++++---- src/usr/local/www/services_dhcp_relay.php | 10 +++--- src/usr/local/www/services_dhcpv6.php | 20 ++++++----- src/usr/local/www/services_dhcpv6_relay.php | 8 ++--- src/usr/local/www/services_dnsmasq.php | 7 ++-- src/usr/local/www/services_igmpproxy.php | 13 +++---- src/usr/local/www/services_ntpd.php | 9 ++--- src/usr/local/www/services_ntpd_acls.php | 9 ++--- src/usr/local/www/services_ntpd_gps.php | 9 +++-- src/usr/local/www/services_ntpd_pps.php | 8 ++--- src/usr/local/www/services_pppoe.php | 5 ++- .../local/www/services_router_advertisements.php | 15 +++++--- src/usr/local/www/services_snmp.php | 8 ++--- 
src/usr/local/www/services_unbound.php | 8 ++--- src/usr/local/www/services_unbound_acls.php | 8 ++--- src/usr/local/www/services_unbound_advanced.php | 8 ++--- src/usr/local/www/status_lb_pool.php | 5 ++- src/usr/local/www/status_logs.php | 4 +-- src/usr/local/www/status_logs_common.inc | 40 +++++++++++----------- src/usr/local/www/status_logs_filter.php | 5 ++- src/usr/local/www/status_logs_filter_dynamic.php | 5 ++- src/usr/local/www/status_logs_filter_summary.php | 5 ++- src/usr/local/www/status_logs_settings.php | 17 +++++---- src/usr/local/www/system.php | 9 +++-- src/usr/local/www/system_advanced_admin.php | 11 +++--- src/usr/local/www/system_advanced_firewall.php | 15 +++----- src/usr/local/www/system_advanced_misc.php | 12 +++---- src/usr/local/www/system_advanced_network.php | 16 ++++----- src/usr/local/www/system_advanced_sysctl.php | 5 ++- src/usr/local/www/system_gateway_groups.php | 7 ++-- src/usr/local/www/system_gateways.php | 8 ++--- src/usr/local/www/system_groupmanager_addprivs.php | 12 +------ src/usr/local/www/system_routes.php | 7 ++-- src/usr/local/www/system_usermanager_addprivs.php | 12 +------ src/usr/local/www/vpn_ipsec.php | 20 +++++------ src/usr/local/www/vpn_ipsec_keys.php | 10 +++--- src/usr/local/www/vpn_ipsec_mobile.php | 9 +++-- src/usr/local/www/vpn_ipsec_settings.php | 14 +++----- src/usr/local/www/vpn_l2tp.php | 13 +++---- src/usr/local/www/vpn_l2tp_users.php | 7 ++-- 58 files changed, 302 insertions(+), 372 deletions(-) diff --git a/src/usr/local/www/firewall_aliases.php b/src/usr/local/www/firewall_aliases.php index 55069d8..ec98e15 100644 --- a/src/usr/local/www/firewall_aliases.php +++ b/src/usr/local/www/firewall_aliases.php 
@@ -48,15 +48,8 @@ if ($_POST) { $retval = 0; /* reload all components that use aliases */ - $retval = filter_configure(); + $retval |= filter_configure(); - if (stristr($retval, "error") <> true) { - $savemsg = get_std_save_message($retval); - $class = "success"; - } else { - $savemsg = $retval; - $class = "danger"; - } if ($retval == 0) { clear_subsystem_dirty('aliases'); } @@ -99,8 +92,7 @@ if ($_GET['act'] == "del") { // Static routes find_alias_reference(array('staticroutes', 'route'), array('network'), $alias_name, $is_alias_referenced, $referenced_by); if ($is_alias_referenced == true) { - $savemsg = sprintf(gettext("Cannot delete alias. Currently in use by %s."), htmlspecialchars($referenced_by)); - $class = "danger"; + $delete_error = sprintf(gettext("Cannot delete alias. Currently in use by %s."), htmlspecialchars($referenced_by)); } else { if (preg_match("/urltable/i", $a_aliases[$_GET['id']]['type'])) { // this is a URL table type alias, delete its file as well @@ -173,8 +165,11 @@ $shortcut_section = "aliases"; include("head.inc"); -if ($savemsg) { - print_info_box($savemsg, $class); +if ($delete_error) { + print_info_box($delete_error, 'danger'); +} +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('aliases')) { diff --git a/src/usr/local/www/firewall_nat.php b/src/usr/local/www/firewall_nat.php index 3fd7c36..681c981 100644 --- a/src/usr/local/www/firewall_nat.php +++ b/src/usr/local/www/firewall_nat.php @@ -86,7 +86,6 @@ if ($_POST) { $retval = 0; $retval |= filter_configure(); - $savemsg = get_std_save_message($retval); pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/apply"); @@ -186,8 +185,8 @@ if (isset($_POST['del_x'])) { $pgtitle = array(gettext("Firewall"), gettext("NAT"), gettext("Port Forward")); include("head.inc"); -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('natconf')) { 
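Review bot: `$retval |= filter_configure();` relies on filter_configure() returning an integer, but the `stristr($retval, "error")` branch this hunk deletes implies the function was at some point expected to return an error string, and in PHP `0 | "some error text"` coerces the string to 0, so such a failure would now be reported as a successful apply. If filter_configure() can still return a string, either make it return integers only or fold it explicitly, `$retval |= (filter_configure() === 0) ? 0 : 1;`, with a comment noting why. The same pattern is introduced by this commit in firewall_nat_out.php, firewall_shaper.php, firewall_shaper_queues.php, firewall_shaper_vinterface.php, firewall_shaper_wizards.php, interfaces_assign.php and services_igmpproxy.php, each of which also drops a stristr() branch. The enclosing `if ($_POST)` block starts outside the hunk.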
diff --git a/src/usr/local/www/firewall_nat_1to1.php b/src/usr/local/www/firewall_nat_1to1.php index 5ae075b..87f9169 100644 --- a/src/usr/local/www/firewall_nat_1to1.php +++ b/src/usr/local/www/firewall_nat_1to1.php @@ -68,7 +68,6 @@ if ($_POST) { if ($_POST['apply']) { $retval = 0; $retval |= filter_configure(); - $savemsg = get_std_save_message($retval); if ($retval == 0) { clear_subsystem_dirty('natconf'); @@ -122,8 +121,8 @@ if (isset($_POST['del_x'])) { $pgtitle = array(gettext("Firewall"), gettext("NAT"), gettext("1:1")); include("head.inc"); -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('natconf')) { diff --git a/src/usr/local/www/firewall_nat_npt.php b/src/usr/local/www/firewall_nat_npt.php index b585d99..e2d7856 100644 --- a/src/usr/local/www/firewall_nat_npt.php +++ b/src/usr/local/www/firewall_nat_npt.php @@ -69,7 +69,6 @@ if ($_POST) { if ($_POST['apply']) { $retval = 0; $retval |= filter_configure(); - $savemsg = get_std_save_message($retval); if ($retval == 0) { clear_subsystem_dirty('natconf'); @@ -122,8 +121,8 @@ if (isset($_POST['del_x'])) { $pgtitle = array(gettext("Firewall"), gettext("NAT"), gettext("NPt")); include("head.inc"); -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('natconf')) { diff --git a/src/usr/local/www/firewall_nat_out.php b/src/usr/local/www/firewall_nat_out.php index 6915780..a09988c 100644 --- a/src/usr/local/www/firewall_nat_out.php +++ b/src/usr/local/www/firewall_nat_out.php @@ -82,12 +82,6 @@ if ($_POST['apply']) { $retval = 0; $retval |= filter_configure(); - if (stristr($retval, "error") <> true) { - $savemsg = get_std_save_message($retval); - } else { - $savemsg = $retval; - } - if ($retval == 0) { clear_subsystem_dirty('natconf'); clear_subsystem_dirty('filter'); 
@@ -139,7 +133,7 @@ if ($_POST['save']) { } } } - $savemsg = gettext("Default rules for each interface have been created."); + $default_rules_msg = gettext("Default rules for each interface have been created."); unset($FilterIflist, $GatewaysList); } @@ -206,8 +200,12 @@ if (isset($_POST['del_x'])) { $pgtitle = array(gettext("Firewall"), gettext("NAT"), gettext("Outbound")); include("head.inc"); -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($default_rules_msg) { + print_info_box($default_rules_msg, 'success'); +} + +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('natconf')) { diff --git a/src/usr/local/www/firewall_shaper.php b/src/usr/local/www/firewall_shaper.php index 82410cc..77850ed 100644 --- a/src/usr/local/www/firewall_shaper.php +++ b/src/usr/local/www/firewall_shaper.php @@ -121,19 +121,11 @@ if ($_GET) { } if (write_config()) { + $changes_applied = true; $retval = 0; $retval |= filter_configure(); - - if (stristr($retval, "error") <> true) { - $savemsg = get_std_save_message($retval); - $class = 'success'; - } else { - $savemsg = $retval; - $class = 'warning'; - } } else { - $savemsg = gettext("Unable to write config.xml (Access Denied?)."); - $class = 'warning'; + $no_write_config_msg = gettext("Unable to write config.xml (Access Denied?)."); } $dfltmsg = true; @@ -280,17 +272,9 @@ if ($_POST) { } } else if ($_POST['apply']) { write_config(); - + $changes_applied = true; $retval = 0; - $retval = filter_configure(); - - if (stristr($retval, "error") <> true) { - $savemsg = get_std_save_message($retval); - $class = 'success'; - } else { - $savemsg = $retval; - $class = 'warning'; - } + $retval |= filter_configure(); /* reset rrd queues */ system("rm -f /var/db/rrd/*queuedrops.rrd"); 
@@ -369,8 +353,12 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, $class); +if ($no_write_config_msg) { + print_info_box($no_write_config_msg, 'danger'); +} + +if ($changes_applied) { + print_apply_result_box($retval); } if (is_subsystem_dirty('shaper')) { diff --git a/src/usr/local/www/firewall_shaper_queues.php b/src/usr/local/www/firewall_shaper_queues.php index 0bdb99e..e148150 100644 --- a/src/usr/local/www/firewall_shaper_queues.php +++ b/src/usr/local/www/firewall_shaper_queues.php @@ -167,15 +167,7 @@ if ($_POST['apply']) { $retval = 0; /* Setup pf rules since the user may have changed the optimization value */ - $retval = filter_configure(); - $savemsg = get_std_save_message($retval); - if (stristr($retval, "error") <> true) { - $savemsg = get_std_save_message($retval); - $class = 'alert-success'; - } else { - $savemsg = $retval; - $class = 'alert-danger'; - } + $retval |= filter_configure(); /* reset rrd queues */ system("rm -f /var/db/rrd/*queuedrops.rrd"); @@ -198,8 +190,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, $class); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('shaper')) { diff --git a/src/usr/local/www/firewall_shaper_vinterface.php b/src/usr/local/www/firewall_shaper_vinterface.php index 74526e9..5de573f 100644 --- a/src/usr/local/www/firewall_shaper_vinterface.php +++ b/src/usr/local/www/firewall_shaper_vinterface.php 
@@ -134,20 +134,11 @@ if ($_GET) { } } if (write_config()) { + $changes_applied = true; $retval = 0; - $retval = filter_configure(); - - if (stristr($retval, "error") != true) { - $savemsg = get_std_save_message($retval); - $class = 'success'; - } else { - $savemsg = $retval; - $class = 'danger'; - } - + $retval |= filter_configure(); } else { - $savemsg = gettext("Unable to write config.xml (Access Denied?)."); - $class = 'danger'; + $no_write_config_msg = gettext("Unable to write config.xml (Access Denied?)."); } $dfltmsg = true; @@ -271,16 +262,9 @@ if ($_POST) { } else if ($_POST['apply']) { write_config(); + $changes_applied = true; $retval = 0; - $retval = filter_configure(); - - if (stristr($retval, "error") != true) { - $savemsg = get_std_save_message($retval); - $class = 'success'; - } else { - $savemsg = $retval; - $class = 'danger'; - } + $retval |= filter_configure(); /* XXX: TODO Make dummynet pretty graphs */ // enable_rrd_graphing(); @@ -369,8 +353,12 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, $class); +if ($no_write_config_msg) { + print_info_box($no_write_config_msg, 'danger'); +} + +if ($changes_applied) { + print_apply_result_box($retval); } if (is_subsystem_dirty('shaper')) { diff --git a/src/usr/local/www/firewall_shaper_wizards.php b/src/usr/local/www/firewall_shaper_wizards.php index 594ed63..b9d647e 100644 --- a/src/usr/local/www/firewall_shaper_wizards.php +++ b/src/usr/local/www/firewall_shaper_wizards.php @@ -42,14 +42,7 @@ if ($_POST['apply']) { $retval = 0; /* Setup pf rules since the user may have changed the optimization value */ - $retval = filter_configure(); - if (stristr($retval, "error") <> true) { - $savemsg = get_std_save_message($retval); - $class = 'success'; - } else { - $savemsg = $retval; - $class = 'warning'; - } + $retval |= filter_configure(); /* reset rrd queues */ unlink_if_exists("/var/db/rrd/*queuedrops.rrd"); 
@@ -82,8 +75,8 @@ $tab_array[] = array(gettext("Limiters"), false, "firewall_shaper_vinterface.php $tab_array[] = array(gettext("Wizards"), true, "firewall_shaper_wizards.php"); display_top_tabs($tab_array); -if ($savemsg) { - print_info_box($savemsg, $class); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('shaper')) { diff --git a/src/usr/local/www/firewall_virtual_ip.php b/src/usr/local/www/firewall_virtual_ip.php index 33a1f4f..a15a60b 100644 --- a/src/usr/local/www/firewall_virtual_ip.php +++ b/src/usr/local/www/firewall_virtual_ip.php @@ -79,7 +79,6 @@ if ($_POST) { $retval = 0; $retval |= filter_configure(); - $savemsg = get_std_save_message($retval); clear_subsystem_dirty('vip'); } @@ -240,8 +239,8 @@ include("head.inc"); if ($input_errors) { print_input_errors($input_errors); -} else if ($savemsg) { - print_info_box($savemsg, 'success'); +} else if ($_POST['apply']) { + print_apply_result_box($retval); } else if (is_subsystem_dirty('vip')) { print_apply_box(gettext("The VIP configuration has been changed.") . "
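Review bot: In firewall_virtual_ip.php @@ -79, `clear_subsystem_dirty('vip');` still runs unconditionally after `$retval |= filter_configure();`, so the dirty marker is cleared even when the apply failed, whereas firewall_aliases.php, firewall_nat_1to1.php and firewall_nat_npt.php in this commit guard it with `if ($retval == 0)`. With the new result box now telling the user there was a problem, the page's `is_subsystem_dirty('vip')` branch no longer offers the Apply button, so the only way to retry is to re-save. `if ($retval == 0) { clear_subsystem_dirty('vip'); }` matches the sibling pages. The enclosing `if ($_POST)` block starts outside the hunk.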
" . gettext("The changes must be applied for them to take effect.")); } diff --git a/src/usr/local/www/guiconfig.inc b/src/usr/local/www/guiconfig.inc index d4fc383..7fa8e5d 100644 --- a/src/usr/local/www/guiconfig.inc +++ b/src/usr/local/www/guiconfig.inc @@ -323,6 +323,27 @@ function print_apply_box($msg) { print_info_box($msg, "warning", "apply", gettext("Apply Changes"), 'fa-check', 'success'); } +// Format and print a box reporting that changes have been applied +// $retval = status value from the functions called to apply the changes +// 0 is good +// non-zero is a problem +// $extra_text = optional extra text to display after the standard message +function print_apply_result_box($retval, $extra_text="") { + $result_msg = get_std_save_message($retval); + if ($retval === 0) { + // 0 is success + $severity = "success"; + } else { + // non-zero means there was some problem + $severity = "warning"; + } + + if (strlen($extra_text) > 0) { + $result_msg .= " " . $extra_text; + } + print_info_box($result_msg, $severity); +} + /* * Print Bootstrap callout * @@ -350,10 +371,16 @@ function print_callout($msg, $class = 'info', $heading = '') { echo $callout; } -function get_std_save_message($ok) { +function get_std_save_message($retval) { $filter_related = false; $filter_pages = array("nat", "filter"); - $to_return = gettext("The changes have been applied successfully."); + if ($retval === 0) { + // 0 is success + $to_return = gettext("The changes have been applied successfully."); + } else { + // non-zero means there was some problem + $to_return = gettext("There was a problem applying the changes. See the System Logs."); + } foreach ($filter_pages as $fp) { if (stristr($_SERVER['SCRIPT_FILENAME'], $fp)) { $filter_related = true; diff --git a/src/usr/local/www/interfaces.php b/src/usr/local/www/interfaces.php index a63144d..6f206fc 100755 --- a/src/usr/local/www/interfaces.php +++ b/src/usr/local/www/interfaces.php 
@@ -407,11 +407,14 @@ if (isset($wancfg['wireless'])) { } +$changes_applied = false; + if ($_POST['apply']) { unset($input_errors); if (!is_subsystem_dirty('interfaces')) { $input_errors[] = gettext("The settings have already been applied!"); } else { + $retval = 0; unlink_if_exists("{$g['tmp_path']}/config.cache"); clear_subsystem_dirty('interfaces'); @@ -440,24 +443,24 @@ if ($_POST['apply']) { } } /* restart snmp so that it binds to correct address */ - services_snmpd_configure(); + $retval |= services_snmpd_configure(); /* sync filter configuration */ setup_gateways_monitor(); clear_subsystem_dirty('interfaces'); - filter_configure(); + $retval |= filter_configure(); enable_rrd_graphing(); + $changes_applied = true; + if (is_subsystem_dirty('staticroutes') && (system_routing_configure() == 0)) { clear_subsystem_dirty('staticroutes'); } } @unlink("{$g['tmp_path']}/.interfaces.apply"); - header("Location: interfaces.php?if={$if}"); - exit; } else if ($_POST) { unset($input_errors); @@ -1695,11 +1698,10 @@ if (is_subsystem_dirty('interfaces')) { gettext("Don't forget to adjust the DHCP Server range if needed after applying.")); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval); } - $form = new Form(); $section = new Form_Section('General Configuration'); diff --git a/src/usr/local/www/interfaces_assign.php b/src/usr/local/www/interfaces_assign.php index b647fea..26b7a88 100644 --- a/src/usr/local/www/interfaces_assign.php +++ b/src/usr/local/www/interfaces_assign.php @@ -244,7 +244,7 @@ if (isset($_POST['add']) && isset($_POST['if_add'])) { write_config(); - $savemsg = gettext("Interface has been added."); + $action_msg = gettext("Interface has been added."); $class = "success"; } 
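Review bot: In interfaces.php @@ -440, `setup_gateways_monitor();` and `enable_rrd_graphing();` sit between the two new `$retval |=` lines but their results are still not folded into `$retval`, which is at odds with the commit's stated goal of strictly tracking every function that applies changes; if they return a status, `$retval |= setup_gateways_monitor();` keeps the report honest, and if they return nothing a one-line comment saying so would stop the next reader from asking. Removing `header("Location: interfaces.php?if={$if}"); exit;` means a browser reload of the result page re-submits the apply POST; the `is_subsystem_dirty('interfaces')` check in the previous hunk appears to turn that into the "already applied" input error rather than a second apply, which is probably acceptable but deserves a comment at the removal point so nobody restores the redirect and loses the result box. The enclosing `if ($_POST['apply'])` block starts in the previous hunk.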
@@ -255,15 +255,9 @@ if (isset($_POST['add']) && isset($_POST['if_add'])) { } else { write_config(); - $retval = filter_configure(); - - if (stristr($retval, "error") <> true) { - $savemsg = get_std_save_message($retval); - $class = "success"; - } else { - $savemsg = $retval; - $class = "danger"; - } + $changes_applied = true; + $retval = 0; + $retval |= filter_configure(); } } else if (isset($_POST['Submit'])) { @@ -438,7 +432,7 @@ if (isset($_POST['add']) && isset($_POST['if_add'])) { link_interface_to_vlans($realid, "update"); - $savemsg = gettext("Interface has been deleted."); + $action_msg = gettext("Interface has been deleted."); $class = "success"; } } @@ -464,14 +458,14 @@ include("head.inc"); if (file_exists("/var/run/interface_mismatch_reboot_needed")) { if ($_POST) { if ($rebootingnow) { - $savemsg = gettext("The system is now rebooting. Please wait."); + $action_msg = gettext("The system is now rebooting. Please wait."); $class = "success"; } else { $applymsg = gettext("Reboot is needed. Please apply the settings in order to reboot."); $class = "warning"; } } else { - $savemsg = gettext("Interface mismatch detected. Please resolve the mismatch, save and then click 'Apply Changes'. The firewall will reboot afterwards."); + $action_msg = gettext("Interface mismatch detected. Please resolve the mismatch, save and then click 'Apply Changes'. The firewall will reboot afterwards."); $class = "warning"; } } @@ -482,8 +476,10 @@ if (file_exists("/tmp/reload_interfaces")) { echo "

\n"; } elseif ($applymsg) { print_apply_box($applymsg); -} elseif ($savemsg) { - print_info_box($savemsg, $class); +} elseif ($action_msg) { + print_info_box($action_msg, $class); +} elseif ($changes_applied) { + print_apply_result_box($retval); } pfSense_handle_custom_code("/usr/local/pkg/interfaces_assign/pre_input_errors"); diff --git a/src/usr/local/www/load_balancer_monitor.php b/src/usr/local/www/load_balancer_monitor.php index a6875ca..f85f972 100644 --- a/src/usr/local/www/load_balancer_monitor.php +++ b/src/usr/local/www/load_balancer_monitor.php @@ -43,7 +43,6 @@ if ($_POST) { $retval |= filter_configure(); $retval |= relayd_configure(); - $savemsg = get_std_save_message($retval); clear_subsystem_dirty('loadbalancer'); } } @@ -79,8 +78,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('loadbalancer')) { diff --git a/src/usr/local/www/load_balancer_pool.php b/src/usr/local/www/load_balancer_pool.php index d9788cd..48b33ee 100644 --- a/src/usr/local/www/load_balancer_pool.php +++ b/src/usr/local/www/load_balancer_pool.php @@ -47,7 +47,6 @@ if ($_POST) { $retval |= filter_configure(); $retval |= relayd_configure(); - $savemsg = get_std_save_message($retval); clear_subsystem_dirty('loadbalancer'); } } @@ -93,8 +92,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('loadbalancer')) { diff --git a/src/usr/local/www/load_balancer_setting.php b/src/usr/local/www/load_balancer_setting.php index 9ae4a95..a8470c3 100644 --- a/src/usr/local/www/load_balancer_setting.php +++ b/src/usr/local/www/load_balancer_setting.php 
@@ -46,7 +46,6 @@ if ($_POST) { $retval |= filter_configure(); $retval |= relayd_configure(); - $savemsg = get_std_save_message($retval); clear_subsystem_dirty('loadbalancer'); } else { unset($input_errors); @@ -92,8 +91,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('loadbalancer')) { diff --git a/src/usr/local/www/load_balancer_virtual_server.php b/src/usr/local/www/load_balancer_virtual_server.php index f07c7ac..8082203 100644 --- a/src/usr/local/www/load_balancer_virtual_server.php +++ b/src/usr/local/www/load_balancer_virtual_server.php @@ -45,7 +45,6 @@ if ($_POST) { $retval = 0; $retval |= filter_configure(); $retval |= relayd_configure(); - $savemsg = get_std_save_message($retval); /* Wipe out old relayd anchors no longer in use. */ cleanup_lb_marked(); clear_subsystem_dirty('loadbalancer'); @@ -113,8 +112,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('loadbalancer')) { diff --git a/src/usr/local/www/services_captiveportal_mac.php b/src/usr/local/www/services_captiveportal_mac.php index 8e37a1e..79cfee3 100644 --- a/src/usr/local/www/services_captiveportal_mac.php +++ b/src/usr/local/www/services_captiveportal_mac.php @@ -76,7 +76,6 @@ if ($_POST) { mwexec("/sbin/ipfw {$g['tmp_path']}/passthrumac_gui"); @unlink("{$g['tmp_path']}/passthrumac_gui"); } - $savemsg = get_std_save_message($retval); if ($retval == 0) { clear_subsystem_dirty('passthrumac'); } @@ -152,8 +151,8 @@ if ($_GET['act'] == "del") { include("head.inc"); -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('passthrumac')) { 
diff --git a/src/usr/local/www/services_dhcp.php b/src/usr/local/www/services_dhcp.php index 426f1c3..db5ce1c 100644 --- a/src/usr/local/www/services_dhcp.php +++ b/src/usr/local/www/services_dhcp.php @@ -610,39 +610,38 @@ if (isset($_POST['save'])) { } if ((isset($_POST['save']) || isset($_POST['apply'])) && (!$input_errors)) { + $changes_applied = true; $retval = 0; $retvaldhcp = 0; $retvaldns = 0; /* dnsmasq_configure calls dhcpd_configure */ /* no need to restart dhcpd twice */ if (isset($config['dnsmasq']['enable']) && isset($config['dnsmasq']['regdhcpstatic'])) { - $retvaldns = services_dnsmasq_configure(); + $retvaldns |= services_dnsmasq_configure(); if ($retvaldns == 0) { clear_subsystem_dirty('hosts'); clear_subsystem_dirty('staticmaps'); } } else if (isset($config['unbound']['enable']) && isset($config['unbound']['regdhcpstatic'])) { - $retvaldns = services_unbound_configure(); + $retvaldns |= services_unbound_configure(); if ($retvaldns == 0) { clear_subsystem_dirty('unbound'); clear_subsystem_dirty('hosts'); clear_subsystem_dirty('staticmaps'); } } else { - $retvaldhcp = services_dhcpd_configure(); + $retvaldhcp |= services_dhcpd_configure(); if ($retvaldhcp == 0) { clear_subsystem_dirty('staticmaps'); } } if ($dhcpd_enable_changed) { - $retvalfc = filter_configure(); + $retvalfc |= filter_configure(); } if ($retvaldhcp == 1 || $retvaldns == 1 || $retvalfc == 1) { $retval = 1; } - - $savemsg = get_std_save_message($retval); } if ($act == "delpool") { @@ -733,8 +732,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval); } if (is_subsystem_dirty('staticmaps')) { diff --git a/src/usr/local/www/services_dhcp_relay.php b/src/usr/local/www/services_dhcp_relay.php index e824b44..fc8e367 100644 --- a/src/usr/local/www/services_dhcp_relay.php +++ b/src/usr/local/www/services_dhcp_relay.php 
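Review bot: `$retvalfc |= filter_configure();` in services_dhcp.php @@ -610 reads `$retvalfc` before it is assigned — only `$retval`, `$retvaldhcp` and `$retvaldns` are initialised to 0 at the top of the block — so the change from `=` to `|=` introduces an undefined-variable notice; add `$retvalfc = 0;` beside the other initialisations. The roll-up `if ($retvaldhcp == 1 || $retvaldns == 1 || $retvalfc == 1)` only recognises a status of exactly 1, so any other non-zero status from these functions is still reported as success; `$retval = $retvaldhcp | $retvaldns | $retvalfc;` tracks everything the commit message says it should. dhcpv6_apply_changes() in services_dhcpv6.php (next hunk) appears to have the same two issues, though its initialisations are outside that hunk. The enclosing `if ((isset($_POST['save']) || isset($_POST['apply'])) && (!$input_errors))` block continues outside the hunk.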
@@ -114,10 +114,10 @@ if ($_POST) { write_config(); + $changes_applied = true; $retval = 0; - $retval = services_dhcrelay_configure(); - $savemsg = get_std_save_message($retval); - filter_configure(); + $retval |= services_dhcrelay_configure(); + $retval |= filter_configure(); } } @@ -135,8 +135,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval); } $form = new Form; diff --git a/src/usr/local/www/services_dhcpv6.php b/src/usr/local/www/services_dhcpv6.php index 44afcc4..820f89b 100644 --- a/src/usr/local/www/services_dhcpv6.php +++ b/src/usr/local/www/services_dhcpv6.php @@ -44,30 +44,30 @@ function dhcpv6_apply_changes($dhcpdv6_enable_changed) { /* dnsmasq_configure calls dhcpd_configure */ /* no need to restart dhcpd twice */ if (isset($config['dnsmasq']['enable']) && isset($config['dnsmasq']['regdhcpstatic'])) { - $retvaldns = services_dnsmasq_configure(); + $retvaldns |= services_dnsmasq_configure(); if ($retvaldns == 0) { clear_subsystem_dirty('hosts'); clear_subsystem_dirty('staticmaps'); } } else if (isset($config['unbound']['enable']) && isset($config['unbound']['regdhcpstatic'])) { - $retvaldns = services_unbound_configure(); + $retvaldns |= services_unbound_configure(); if ($retvaldns == 0) { clear_subsystem_dirty('unbound'); clear_subsystem_dirty('staticmaps'); } } else { - $retvaldhcp = services_dhcpd_configure(); + $retvaldhcp |= services_dhcpd_configure(); if ($retvaldhcp == 0) { clear_subsystem_dirty('staticmaps'); } } if ($dhcpdv6_enable_changed) { - $retvalfc = filter_configure(); + $retvalfc |= filter_configure(); } if ($retvaldhcp == 1 || $retvaldns == 1 || $retvalfc == 1) { $retval = 1; } - return get_std_save_message($retval); + return $retval; } if (!$g['services_dhcp_server_enable']) { 
@@ -184,7 +184,8 @@ if (is_array($dhcrelaycfg) && isset($dhcrelaycfg['enable']) && isset($dhcrelaycf } if (isset($_POST['apply'])) { - $savemsg = dhcpv6_apply_changes(false); + $changes_applied = true; + $retval = dhcpv6_apply_changes(false); } elseif (isset($_POST['save'])) { unset($input_errors); @@ -459,7 +460,8 @@ if (isset($_POST['apply'])) { write_config(); - $savemsg = dhcpv6_apply_changes($dhcpdv6_enable_changed); + $changes_applied = true; + $retval = dhcpv6_apply_changes($dhcpdv6_enable_changed); } } @@ -492,8 +494,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval); } if (is_subsystem_dirty('staticmaps')) { diff --git a/src/usr/local/www/services_dhcpv6_relay.php b/src/usr/local/www/services_dhcpv6_relay.php index b6f1964..8f4135b 100644 --- a/src/usr/local/www/services_dhcpv6_relay.php +++ b/src/usr/local/www/services_dhcpv6_relay.php @@ -115,9 +115,9 @@ if ($_POST) { write_config(); + $changes_applied = true; $retval = 0; - $retval = services_dhcrelay6_configure(); - $savemsg = get_std_save_message($retval); + $retval |= services_dhcrelay6_configure(); } } @@ -135,8 +135,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval); } $form = new Form; diff --git a/src/usr/local/www/services_dnsmasq.php b/src/usr/local/www/services_dnsmasq.php index fb74e7b..2885edd 100644 --- a/src/usr/local/www/services_dnsmasq.php +++ b/src/usr/local/www/services_dnsmasq.php @@ -113,8 +113,7 @@ domains_sort(); if ($_POST) { if ($_POST['apply']) { $retval = 0; - $retval = services_dnsmasq_configure(); - $savemsg = get_std_save_message($retval); + $retval |= services_dnsmasq_configure(); // Reload filter (we might need to sync to CARP hosts) filter_configure(); 
@@ -232,8 +231,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('hosts')) { diff --git a/src/usr/local/www/services_igmpproxy.php b/src/usr/local/www/services_igmpproxy.php index f3b8775..5de6aa1 100644 --- a/src/usr/local/www/services_igmpproxy.php +++ b/src/usr/local/www/services_igmpproxy.php @@ -42,15 +42,10 @@ $a_igmpproxy = &$config['igmpproxy']['igmpentry']; if ($_POST) { $pconfig = $_POST; + $changes_applied = true; $retval = 0; /* reload all components that use igmpproxy */ - $retval = services_igmpproxy_configure(); - - if (stristr($retval, "error") <> true) { - $savemsg = get_std_save_message($retval); - } else { - $savemsg = $retval; - } + $retval |= services_igmpproxy_configure(); clear_subsystem_dirty('igmpproxy'); } @@ -68,8 +63,8 @@ if ($_GET['act'] == "del") { $pgtitle = array(gettext("Services"), gettext("IGMP Proxy")); include("head.inc"); -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval); } if (is_subsystem_dirty('igmpproxy')) { diff --git a/src/usr/local/www/services_ntpd.php b/src/usr/local/www/services_ntpd.php index 2adcfe0..81b1e02 100644 --- a/src/usr/local/www/services_ntpd.php +++ b/src/usr/local/www/services_ntpd.php @@ -151,9 +151,9 @@ if ($_POST) { write_config("Updated NTP Server Settings"); + $changes_applied = true; $retval = 0; - $retval = system_ntp_configure(); - $savemsg = get_std_save_message($retval); + $retval |= system_ntp_configure(); } } @@ -192,8 +192,9 @@ include("head.inc"); if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); + +if ($changes_applied) { + print_apply_result_box($retval); } $tab_array = array(); diff --git a/src/usr/local/www/services_ntpd_acls.php b/src/usr/local/www/services_ntpd_acls.php index 19c057d..ea80ea4 100644 
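Review bot: `if ($_POST['apply'])` in the display block of services_dnsmasq.php is evaluated on every request, so a plain GET raises an undefined-index notice, and it is inconsistent with the other pages in this commit that gate the box on `$changes_applied`. Either set `$changes_applied = true;` next to `$retval |= services_dnsmasq_configure();` as the DHCP pages do, or write `if (isset($_POST['apply']))`. The same direct `$_POST['apply']` test is used in services_pppoe.php, services_unbound.php, services_unbound_acls.php, services_unbound_advanced.php, status_lb_pool.php, system_advanced_sysctl.php, system_gateway_groups.php, system_gateways.php, system_routes.php, vpn_ipsec.php and vpn_ipsec_keys.php. Separately, this page still discards the return of `filter_configure()` while its siblings fold it into `$retval`, so a filter reload failure here is never reported.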
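Review bot: the deleted `stristr($retval, "error")` branch in services_igmpproxy.php suggests services_igmpproxy_configure() could return an error string, and `$retval |= services_igmpproxy_configure();` would now coerce such a string to an integer and the result box would report success. If that function only ever returns an int the removal is correct; if not, either keep a string check before folding the value in or change the function to return a status code. The same stristr removal is made around filter_configure() in system_advanced_firewall.php, system_advanced_misc.php, system_advanced_network.php and vpn_ipsec_settings.php, where the same question applies.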
--- a/src/usr/local/www/services_ntpd_acls.php +++ b/src/usr/local/www/services_ntpd_acls.php @@ -150,9 +150,9 @@ if ($_POST) { write_config("Updated NTP ACL Settings"); + $changes_applied = true; $retval = 0; - $retval = system_ntp_configure(); - $savemsg = get_std_save_message($retval); + $retval |= system_ntp_configure(); } } @@ -165,8 +165,9 @@ include("head.inc"); if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); + +if ($changes_applied) { + print_apply_result_box($retval); } $tab_array = array(); diff --git a/src/usr/local/www/services_ntpd_gps.php b/src/usr/local/www/services_ntpd_gps.php index 971d57e..f06e03e 100644 --- a/src/usr/local/www/services_ntpd_gps.php +++ b/src/usr/local/www/services_ntpd_gps.php @@ -154,8 +154,9 @@ if ($_POST) { write_config(gettext("Updated NTP GPS Settings")); - $retval = system_ntp_configure(); - $savemsg = get_std_save_message($retval); + $changes_applied = true; + $retval = 0; + $retval |= system_ntp_configure(); } else { /* set defaults if they do not already exist */ if (!is_array($config['ntpd']) || !is_array($config['ntpd']['gps']) || empty($config['ntpd']['gps']['type'])) { @@ -192,6 +193,10 @@ $pgtitle = array(gettext("Services"), gettext("NTP"), gettext("Serial GPS")); $shortcut_section = "ntp"; include("head.inc"); +if ($changes_applied) { + print_apply_result_box($retval); +} + $tab_array = array(); $tab_array[] = array(gettext("Settings"), false, "services_ntpd.php"); $tab_array[] = array(gettext("ACLs"), false, "services_ntpd_acls.php"); diff --git a/src/usr/local/www/services_ntpd_pps.php b/src/usr/local/www/services_ntpd_pps.php index da987f7..c3d70df 100644 --- a/src/usr/local/www/services_ntpd_pps.php +++ b/src/usr/local/www/services_ntpd_pps.php 
@@ -91,9 +91,9 @@ if ($_POST) { write_config("Updated NTP PPS Settings"); + $changes_applied = true; $retval = 0; - $retval = system_ntp_configure(); - $savemsg = get_std_save_message($retval); + $retval |= system_ntp_configure(); } } @@ -107,8 +107,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval); } $tab_array = array(); diff --git a/src/usr/local/www/services_pppoe.php b/src/usr/local/www/services_pppoe.php index a8b0f03..85b3531 100644 --- a/src/usr/local/www/services_pppoe.php +++ b/src/usr/local/www/services_pppoe.php @@ -59,7 +59,6 @@ if ($_POST) { } $retval = 0; $retval |= filter_configure(); - $savemsg = get_std_save_message($retval); clear_subsystem_dirty('vpnpppoe'); } } @@ -83,8 +82,8 @@ $pgtitle = array(gettext("Services"), gettext("PPPoE Server")); $shortcut_section = "pppoes"; include("head.inc"); -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('vpnpppoe')) { diff --git a/src/usr/local/www/services_router_advertisements.php b/src/usr/local/www/services_router_advertisements.php index e369d37..367aedb 100644 --- a/src/usr/local/www/services_router_advertisements.php +++ b/src/usr/local/www/services_router_advertisements.php @@ -54,7 +54,7 @@ if ($config['installedpackages']['olsrd']) { } if (!$_GET['if']) { - $savemsg = gettext("The DHCPv6 Server can only be enabled on interfaces configured with static, non unique local IP addresses.") . "
" . + $info_msg = gettext("The DHCPv6 Server can only be enabled on interfaces configured with static, non unique local IP addresses.") . "
" . gettext("Only interfaces configured with a static IP will be shown."); } @@ -243,8 +243,9 @@ if ($_POST) { } write_config(); - $retval = services_radvd_configure(); - $savemsg = get_std_save_message($retval); + $changes_applied = true; + $retval = 0; + $retval |= services_radvd_configure(); } } @@ -261,8 +262,12 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval); +} + +if ($info_msg) { + print_info_box($info_msg, 'success'); } /* active tabs */ diff --git a/src/usr/local/www/services_snmp.php b/src/usr/local/www/services_snmp.php index 66caf4f..58bf88e 100644 --- a/src/usr/local/www/services_snmp.php +++ b/src/usr/local/www/services_snmp.php @@ -161,9 +161,9 @@ if ($_POST) { write_config(); + $changes_applied = true; $retval = 0; - $retval = services_snmpd_configure(); - $savemsg = get_std_save_message($retval); + $retval |= services_snmpd_configure(); } } @@ -200,8 +200,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval); } $form = new Form(); diff --git a/src/usr/local/www/services_unbound.php b/src/usr/local/www/services_unbound.php index b79548c..10893d1 100644 --- a/src/usr/local/www/services_unbound.php +++ b/src/usr/local/www/services_unbound.php @@ -88,8 +88,8 @@ if (empty($a_unboundcfg['system_domain_local_zone_type'])) { if ($_POST) { if ($_POST['apply']) { - $retval = services_unbound_configure(); - $savemsg = get_std_save_message($retval); + $retval = 0; + $retval |= services_unbound_configure(); if ($retval == 0) { clear_subsystem_dirty('unbound'); } @@ -244,8 +244,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('unbound')) { 
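Review bot: `print_info_box($info_msg, 'success');` in services_router_advertisements.php now renders a purely informational notice about which interfaces are listed with the success styling, which it inherited from the old `$savemsg` path rather than chose. Since the message is no longer tied to a save result, a neutral class such as `'info'`, if print_info_box() accepts it, would describe the content better than `'success'`.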
diff --git a/src/usr/local/www/services_unbound_acls.php b/src/usr/local/www/services_unbound_acls.php index 1174202..31e2180 100644 --- a/src/usr/local/www/services_unbound_acls.php +++ b/src/usr/local/www/services_unbound_acls.php @@ -99,8 +99,8 @@ if ($_POST) { } if ($_POST['apply']) { - $retval = services_unbound_configure(); - $savemsg = get_std_save_message($retval); + $retval = 0; + $retval |= services_unbound_configure(); if ($retval == 0) { clear_subsystem_dirty('unbound'); } @@ -185,8 +185,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('unbound')) { diff --git a/src/usr/local/www/services_unbound_advanced.php b/src/usr/local/www/services_unbound_advanced.php index 14bb376..1f869de 100644 --- a/src/usr/local/www/services_unbound_advanced.php +++ b/src/usr/local/www/services_unbound_advanced.php @@ -77,8 +77,8 @@ if (isset($config['unbound']['use_caps'])) { if ($_POST) { if ($_POST['apply']) { - $retval = services_unbound_configure(); - $savemsg = get_std_save_message($retval); + $retval = 0; + $retval |= services_unbound_configure(); if ($retval == 0) { clear_subsystem_dirty('unbound'); } @@ -192,8 +192,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('unbound')) { diff --git a/src/usr/local/www/status_lb_pool.php b/src/usr/local/www/status_lb_pool.php index 911e891..7d22242 100644 --- a/src/usr/local/www/status_lb_pool.php +++ b/src/usr/local/www/status_lb_pool.php @@ -68,7 +68,6 @@ if ($_POST) { $retval = 0; $retval |= filter_configure(); $retval |= relayd_configure(); - $savemsg = get_std_save_message($retval); clear_subsystem_dirty('loadbalancer'); } else { /* Keep a list of servers we find in POST variables */ 
@@ -110,6 +109,10 @@ if (is_subsystem_dirty('loadbalancer')) { print_apply_box(gettext("The load balancer configuration has been changed.") . "
" . gettext("The changes must be applied for them to take effect.")); } +if ($_POST['apply']) { + print_apply_result_box($retval); +} + /* active tabs */ $tab_array = array(); $tab_array[] = array(gettext("Pools"), true, "status_lb_pool.php"); diff --git a/src/usr/local/www/status_logs.php b/src/usr/local/www/status_logs.php index 7435974..74f94a9 100644 --- a/src/usr/local/www/status_logs.php +++ b/src/usr/local/www/status_logs.php @@ -99,8 +99,8 @@ if (in_array($logfile, array('system', 'gateways', 'routing', 'resolver', 'wirel } include("head.inc"); -if (!$input_errors && $savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval, $extra_save_msg); $manage_log_active = false; } diff --git a/src/usr/local/www/status_logs_common.inc b/src/usr/local/www/status_logs_common.inc index f35b9a2..7a1d9c2 100644 --- a/src/usr/local/www/status_logs_common.inc +++ b/src/usr/local/www/status_logs_common.inc @@ -584,8 +584,10 @@ function manage_log_code() { return; } - global $logfile, $specific_log, $config, $pconfig, $save_settings, $input_errors, $savemsg; + global $logfile, $specific_log, $config, $pconfig, $save_settings, $input_errors, $extra_save_msg, $retval, $changes_applied; + $changes_applied = false; + $extra_save_msg = ""; $specific_log = basename($logfile) . '_settings'; // Common to All Logs 
@@ -711,37 +713,35 @@ function manage_log_code() { } } + $retval = 0; // If any of the logging settings were changed then backup and sync (standard write_config). Otherwise only write config (don't backup, don't sync). - if ($logging_changed) { - write_config($desc = gettext("Log Display Settings Saved: ") . gettext($allowed_logs[$logfile]["name"]), $backup = true, $write_config_only = false); - $retval = 0; - $retval = system_syslogd_start(); - $savemsg = gettext("The changes have been applied successfully."); - } else { - write_config($desc = gettext("Log Display Settings Saved (no backup, no sync): ") . gettext($allowed_logs[$logfile]["name"]), $backup = false, $write_config_only = true); - $savemsg = ''; - } + if ($logging_changed) { + write_config($desc = gettext("Log Display Settings Saved: ") . gettext($allowed_logs[$logfile]["name"]), $backup = true, $write_config_only = false); + $changes_applied = true; + $retval |= system_syslogd_start(); + } else { + write_config($desc = gettext("Log Display Settings Saved (no backup, no sync): ") . gettext($allowed_logs[$logfile]["name"]), $backup = false, $write_config_only = true); + } // Specific to System General (main) Log - if ($logfile == 'system') { - if ($nginx_logging_changed) { - ob_flush(); - flush(); - log_error(gettext("webConfigurator configuration has changed. Restarting webConfigurator.")); - send_event("service restart webgui"); - $savemsg .= "
" . gettext("WebGUI process is restarting."); + if ($logfile == 'system') { + if ($nginx_logging_changed) { + ob_flush(); + flush(); + log_error(gettext("webConfigurator configuration has changed. Restarting webConfigurator.")); + send_event("service restart webgui"); + $extra_save_msg = gettext("WebGUI process is restarting."); + } } - } // Specific to Firewall Log if ($logfile == 'filter') { if ($firewall_logging_changed) { require_once("filter.inc"); + $changes_applied = true; $retval |= filter_configure(); filter_pflog_start(true); - - $savemsg = get_std_save_message($retval); } } } diff --git a/src/usr/local/www/status_logs_filter.php b/src/usr/local/www/status_logs_filter.php index 4c37c91..2f1b86e 100644 --- a/src/usr/local/www/status_logs_filter.php +++ b/src/usr/local/www/status_logs_filter.php @@ -102,12 +102,11 @@ status_logs_common_code(); $pgtitle = array(gettext("Status"), gettext("System Logs"), gettext($allowed_logs[$logfile]["name"]), $view_title); include("head.inc"); -if (!$input_errors && $savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval, $extra_save_msg); $manage_log_active = false; } - // Tab Array tab_array_logs_common(); diff --git a/src/usr/local/www/status_logs_filter_dynamic.php b/src/usr/local/www/status_logs_filter_dynamic.php index 4ea4d4a..04d70c2 100644 --- a/src/usr/local/www/status_logs_filter_dynamic.php +++ b/src/usr/local/www/status_logs_filter_dynamic.php @@ -82,12 +82,11 @@ status_logs_common_code(); $pgtitle = array(gettext("Status"), gettext("System Logs"), gettext($allowed_logs[$logfile]["name"]), $view_title); include("head.inc"); -if (!$input_errors && $savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval, $extra_save_msg); $manage_log_active = false; } - // Tab Array tab_array_logs_common(); 
diff --git a/src/usr/local/www/status_logs_filter_summary.php b/src/usr/local/www/status_logs_filter_summary.php index 124d190..333c97e 100644 --- a/src/usr/local/www/status_logs_filter_summary.php +++ b/src/usr/local/www/status_logs_filter_summary.php @@ -67,12 +67,11 @@ status_logs_common_code(); $pgtitle = array(gettext("Status"), gettext("System Logs"), gettext($allowed_logs[$logfile]["name"]), $view_title); include("head.inc"); -if (!$input_errors && $savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval, $extra_save_msg); $manage_log_active = false; } - // Tab Array tab_array_logs_common(); diff --git a/src/usr/local/www/status_logs_settings.php b/src/usr/local/www/status_logs_settings.php index 33881ed..fe7f04e 100644 --- a/src/usr/local/www/status_logs_settings.php +++ b/src/usr/local/www/status_logs_settings.php @@ -80,7 +80,7 @@ function is_valid_syslog_server($target) { if ($_POST['resetlogs'] == gettext("Reset Log Files")) { clear_all_log_files(true); - $savemsg .= gettext("The log files have been reset."); + $reset_msg = gettext("The log files have been reset."); } elseif ($_POST) { unset($input_errors); $pconfig = $_POST; @@ -162,8 +162,9 @@ if ($_POST['resetlogs'] == gettext("Reset Log Files")) { write_config(); + $changes_applied = true; $retval = 0; - $retval = system_syslogd_start(); + $retval |= system_syslogd_start(); if (($oldnologdefaultblock !== isset($config['syslog']['nologdefaultblock'])) || ($oldnologdefaultpass !== isset($config['syslog']['nologdefaultpass'])) || ($oldnologbogons !== isset($config['syslog']['nologbogons'])) || 
@@ -171,14 +172,12 @@ if ($_POST['resetlogs'] == gettext("Reset Log Files")) { $retval |= filter_configure(); } - $savemsg = get_std_save_message($retval); - if ($oldnolognginx !== isset($config['syslog']['nolognginx'])) { ob_flush(); flush(); log_error(gettext("webConfigurator configuration has changed. Restarting webConfigurator.")); send_event("service restart webgui"); - $savemsg .= "
" . gettext("WebGUI process is restarting."); + $extra_save_msg = gettext("WebGUI process is restarting."); } filter_pflog_start(true); @@ -204,8 +203,12 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($reset_msg) { + print_info_box($reset_msg, 'success'); +} + +if ($changes_applied) { + print_apply_result_box($retval, $extra_save_msg); } $tab_array = array(); diff --git a/src/usr/local/www/system.php b/src/usr/local/www/system.php index 83ab5e7..492caa0 100644 --- a/src/usr/local/www/system.php +++ b/src/usr/local/www/system.php @@ -314,8 +314,9 @@ if ($_POST) { write_config($changedesc); } + $changes_applied = true; $retval = 0; - $retval = system_hostname_configure(); + $retval |= system_hostname_configure(); $retval |= system_hosts_generate(); $retval |= system_resolvconf_generate(); if (isset($config['dnsmasq']['enable'])) { @@ -332,8 +333,6 @@ if ($_POST) { // Reload the filter - plugins might need to be run. $retval |= filter_configure(); - - $savemsg = get_std_save_message($retval); } unset($ignore_posted_dnsgw); @@ -346,8 +345,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval); } ?>
diff --git a/src/usr/local/www/system_advanced_admin.php b/src/usr/local/www/system_advanced_admin.php index b7207c4..d0da2a3 100644 --- a/src/usr/local/www/system_advanced_admin.php +++ b/src/usr/local/www/system_advanced_admin.php @@ -263,11 +263,12 @@ if ($_POST) { write_config(); - $retval = filter_configure(); - $savemsg = get_std_save_message($retval); + $changes_applied = true; + $retval = 0; + $retval |= filter_configure(); if ($restart_webgui) { - $savemsg .= sprintf("
" . gettext("One moment...redirecting to %s in 20 seconds."), $url); + $extra_save_msg = sprintf("
" . gettext("One moment...redirecting to %s in 20 seconds."), $url); } setup_serial_port(); @@ -287,8 +288,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval, $extra_save_msg); } $tab_array = array(); diff --git a/src/usr/local/www/system_advanced_firewall.php b/src/usr/local/www/system_advanced_firewall.php index 1d0e811..e74d8f5 100644 --- a/src/usr/local/www/system_advanced_firewall.php +++ b/src/usr/local/www/system_advanced_firewall.php @@ -356,15 +356,9 @@ if ($_POST) { killbypid("{$g['varrun_path']}/filterdns.pid"); } + $changes_applied = true; $retval = 0; - $retval = filter_configure(); - if (stristr($retval, "error") <> true) { - $savemsg = get_std_save_message($retval); - $class = 'success'; - } else { - $savemsg = $retval; - $class = 'warning'; - } + $retval |= filter_configure(); } } @@ -374,8 +368,9 @@ include("head.inc"); if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, $class); + +if ($changes_applied) { + print_apply_result_box($retval); } $tab_array = array(); diff --git a/src/usr/local/www/system_advanced_misc.php b/src/usr/local/www/system_advanced_misc.php index 796a32b..d43d591 100644 --- a/src/usr/local/www/system_advanced_misc.php +++ b/src/usr/local/www/system_advanced_misc.php @@ -265,14 +265,10 @@ if ($_POST) { write_config(); + $changes_applied = true; $retval = 0; system_resolvconf_generate(true); - $retval = filter_configure(); - if (stristr($retval, "error") <> true) { - $savemsg = get_std_save_message(gettext($retval)); - } else { - $savemsg = gettext($retval); - } + $retval |= filter_configure(); activate_powerd(); load_crypto(); @@ -291,8 +287,8 @@ if ($input_errors) { unset($pconfig['doreboot']); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($changes_applied) { + print_apply_result_box($retval); } $tab_array = array(); 
diff --git a/src/usr/local/www/system_advanced_network.php b/src/usr/local/www/system_advanced_network.php index b99dad8..67c80c5 100644 --- a/src/usr/local/www/system_advanced_network.php +++ b/src/usr/local/www/system_advanced_network.php @@ -129,14 +129,9 @@ if ($_POST) { // Set preferred protocol prefer_ipv4_or_ipv6(); - $retval = filter_configure(); - if (stristr($retval, "error") <> true) { - $savemsg = get_std_save_message(gettext($retval)); - $class = 'success'; - } else { - $savemsg = gettext($retval); - $class = 'warning'; - } + $changes_applied = true; + $retval = 0; + $retval |= filter_configure(); } } @@ -146,8 +141,9 @@ include("head.inc"); if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, $class); + +if ($changes_applied) { + print_apply_result_box($retval); } $tab_array = array(); diff --git a/src/usr/local/www/system_advanced_sysctl.php b/src/usr/local/www/system_advanced_sysctl.php index 3ab51fd..a8556b9 100644 --- a/src/usr/local/www/system_advanced_sysctl.php +++ b/src/usr/local/www/system_advanced_sysctl.php @@ -87,7 +87,6 @@ if ($_POST) { if ($_POST['apply']) { $retval = 0; system_setup_sysctl(); - $savemsg = get_std_save_message($retval); clear_subsystem_dirty('sysctl'); } @@ -129,8 +128,8 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('sysctl') && ($act != "edit" )) { diff --git a/src/usr/local/www/system_gateway_groups.php b/src/usr/local/www/system_gateway_groups.php index c8f956d..436faec 100644 --- a/src/usr/local/www/system_gateway_groups.php +++ b/src/usr/local/www/system_gateway_groups.php 
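Review bot: in the system_advanced_sysctl.php apply branch `$retval` is set to 0 and never updated, so `print_apply_result_box($retval)` reports success regardless of what `system_setup_sysctl()` did. If that function returns a status, fold it in with `$retval |= system_setup_sysctl();`; if it returns nothing, a comment such as `// system_setup_sysctl() has no return value; $retval stays 0` would make the always-success result visibly intentional.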
@@ -49,13 +49,12 @@ if ($_POST) { $retval = 0; - $retval = system_routing_configure(); + $retval |= system_routing_configure(); send_multiple_events(array("service reload dyndnsall", "service reload ipsecdns", "filter reload")); /* reconfigure our gateway monitor */ setup_gateways_monitor(); - $savemsg = get_std_save_message($retval); if ($retval == 0) { clear_subsystem_dirty('staticroutes'); } @@ -106,8 +105,8 @@ $shortcut_section = "gateway-groups"; include("head.inc"); -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('staticroutes')) { diff --git a/src/usr/local/www/system_gateways.php b/src/usr/local/www/system_gateways.php index 9eb95de..2927f0f 100644 --- a/src/usr/local/www/system_gateways.php +++ b/src/usr/local/www/system_gateways.php @@ -53,7 +53,7 @@ if ($_POST) { $retval = 0; - $retval = system_routing_configure(); + $retval |= system_routing_configure(); $retval |= system_resolvconf_generate(); $retval |= filter_configure(); /* reconfigure our gateway monitor */ @@ -61,7 +61,6 @@ if ($_POST) { /* Dynamic DNS on gw groups may have changed */ send_event("service reload dyndnsall"); - $savemsg = get_std_save_message($retval); if ($retval == 0) { clear_subsystem_dirty('staticroutes'); } @@ -230,8 +229,9 @@ include("head.inc"); if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); + +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('staticroutes')) { diff --git a/src/usr/local/www/system_groupmanager_addprivs.php b/src/usr/local/www/system_groupmanager_addprivs.php index ad07c1c..5c25e59 100644 --- a/src/usr/local/www/system_groupmanager_addprivs.php +++ b/src/usr/local/www/system_groupmanager_addprivs.php 
@@ -88,19 +88,13 @@ if ($_POST) { } } - $retval = write_config(); - $savemsg = get_std_save_message($retval); + write_config(); pfSenseHeader("system_groupmanager.php?act=edit&groupid={$groupid}"); exit; } } -/* if ajax is calling, give them an update message */ -if (isAjax()) { - print_info_box($savemsg, 'success'); -} - function build_priv_list() { global $spriv_list, $a_group; @@ -123,10 +117,6 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); -} - $tab_array = array(); $tab_array[] = array(gettext("Users"), false, "system_usermanager.php"); $tab_array[] = array(gettext("Groups"), true, "system_groupmanager.php"); diff --git a/src/usr/local/www/system_routes.php b/src/usr/local/www/system_routes.php index cac6cce..48925c1 100644 --- a/src/usr/local/www/system_routes.php +++ b/src/usr/local/www/system_routes.php @@ -61,12 +61,11 @@ if ($_POST) { @unlink("{$g['tmp_path']}/.system_routes.apply"); } - $retval = system_routing_configure(); + $retval |= system_routing_configure(); $retval |= filter_configure(); /* reconfigure our gateway monitor */ setup_gateways_monitor(); - $savemsg = get_std_save_message($retval); if ($retval == 0) { clear_subsystem_dirty('staticroutes'); } @@ -218,8 +217,8 @@ include("head.inc"); if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('staticroutes')) { print_apply_box(gettext("The static route configuration has been changed.") . "
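Review bot: `$retval |= system_routing_configure();` in system_routes.php replaces a plain assignment and no `$retval = 0;` is visible in the hunk, so unless one exists above the hunk the first `|=` operates on an undefined variable. Add `$retval = 0;` before it, as the system_gateways.php hunk in this commit shows. The enclosing `if ($_POST)` block starts outside the hunk.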
" . gettext("The changes must be applied for them to take effect.")); diff --git a/src/usr/local/www/system_usermanager_addprivs.php b/src/usr/local/www/system_usermanager_addprivs.php index ee6d416..3b2ec2e 100644 --- a/src/usr/local/www/system_usermanager_addprivs.php +++ b/src/usr/local/www/system_usermanager_addprivs.php @@ -84,8 +84,7 @@ if ($_POST) { $a_user['priv'] = sort_user_privs($a_user['priv']); local_user_set($a_user); - $retval = write_config(); - $savemsg = get_std_save_message($retval); + write_config(); post_redirect("system_usermanager.php", array('act' => 'edit', 'userid' => $userid)); @@ -110,21 +109,12 @@ function build_priv_list() { return($list); } -/* if ajax is calling, give them an update message */ -if (isAjax()) { - print_info_box($savemsg, 'success'); -} - include("head.inc"); if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); -} - $tab_array = array(); $tab_array[] = array(gettext("Users"), true, "system_usermanager.php"); $tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php"); diff --git a/src/usr/local/www/vpn_ipsec.php b/src/usr/local/www/vpn_ipsec.php index 64b628d..4a69ad4 100644 --- a/src/usr/local/www/vpn_ipsec.php +++ b/src/usr/local/www/vpn_ipsec.php @@ -50,11 +50,11 @@ $a_phase2 = &$config['ipsec']['phase2']; if ($_POST) { if ($_POST['apply']) { - $retval = vpn_ipsec_configure(); + $ipsec_dynamic_hosts = vpn_ipsec_configure(); /* reload the filter in the background */ - filter_configure(); - $savemsg = get_std_save_message($retval); - if ($retval >= 0) { + $retval = 0; + $retval |= filter_configure(); + if ($ipsec_dynamic_hosts >= 0) { if (is_subsystem_dirty('ipsec')) { clear_subsystem_dirty('ipsec'); } 
@@ -228,13 +228,13 @@ $tab_array[] = array(gettext("Pre-Shared Keys"), false, "vpn_ipsec_keys.php"); $tab_array[] = array(gettext("Advanced Settings"), false, "vpn_ipsec_settings.php"); display_top_tabs($tab_array); - if ($savemsg) { - print_info_box($savemsg, 'success'); - } +if ($_POST['apply']) { + print_apply_result_box($retval); +} - if (is_subsystem_dirty('ipsec')) { - print_apply_box(gettext("The IPsec tunnel configuration has been changed.") . "
" . gettext("The changes must be applied for them to take effect.")); - } +if (is_subsystem_dirty('ipsec')) { + print_apply_box(gettext("The IPsec tunnel configuration has been changed.") . "
" . gettext("The changes must be applied for them to take effect.")); +} ?>
diff --git a/src/usr/local/www/vpn_ipsec_keys.php b/src/usr/local/www/vpn_ipsec_keys.php index 46b2e7a..25acd38 100644 --- a/src/usr/local/www/vpn_ipsec_keys.php +++ b/src/usr/local/www/vpn_ipsec_keys.php @@ -50,10 +50,10 @@ foreach ($config['system']['user'] as $id => $user) { } if (isset($_POST['apply'])) { - $retval = vpn_ipsec_configure(); + vpn_ipsec_configure(); /* reload the filter in the background */ - filter_configure(); - $savemsg = get_std_save_message($retval); + $retval = 0; + $retval |= filter_configure(); if (is_subsystem_dirty('ipsec')) { clear_subsystem_dirty('ipsec'); } @@ -74,8 +74,8 @@ $shortcut_section = "ipsec"; include("head.inc"); -if ($savemsg) { - print_info_box($savemsg); +if ($_POST['apply']) { + print_apply_result_box($retval); } if (is_subsystem_dirty('ipsec')) { diff --git a/src/usr/local/www/vpn_ipsec_mobile.php b/src/usr/local/www/vpn_ipsec_mobile.php index 05df61d..f9c0dde 100644 --- a/src/usr/local/www/vpn_ipsec_mobile.php +++ b/src/usr/local/www/vpn_ipsec_mobile.php @@ -129,9 +129,8 @@ if ($_POST['create']) { if ($_POST['apply']) { $retval = 0; /* NOTE: #4353 Always restart ipsec when mobile clients settings change */ - $retval = vpn_ipsec_configure(true); - $savemsg = get_std_save_message($retval); - if ($retval >= 0) { + $ipsec_dynamic_hosts = vpn_ipsec_configure(true); + if ($ipsec_dynamic_hosts >= 0) { if (is_subsystem_dirty('ipsec')) { clear_subsystem_dirty('ipsec'); } @@ -400,8 +399,8 @@ include("head.inc"); " . gettext("The changes must be applied for them to take effect.")); diff --git a/src/usr/local/www/vpn_ipsec_settings.php b/src/usr/local/www/vpn_ipsec_settings.php index 4360837..3bcfa1d 100644 --- a/src/usr/local/www/vpn_ipsec_settings.php +++ b/src/usr/local/www/vpn_ipsec_settings.php 
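Review bot: vpn_ipsec_keys.php now discards the return of `vpn_ipsec_configure();` and clears the 'ipsec' dirty flag unconditionally, whereas vpn_ipsec.php and vpn_ipsec_mobile.php in this same commit keep it as `$ipsec_dynamic_hosts` and only clear the flag when `$ipsec_dynamic_hosts >= 0`. For consistency, capture the value here too and guard the `clear_subsystem_dirty('ipsec')` call with the same `>= 0` check, so a failed IPsec reconfigure keeps the pending-changes banner visible.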
@@ -172,15 +172,9 @@ if ($_POST) { write_config(); + $changes_applied = true; $retval = 0; - $retval = filter_configure(); - if (stristr($retval, "error") <> true) { - $savemsg = get_std_save_message(gettext($retval)); - $class = 'success'; - } else { - $savemsg = gettext($retval); - $class = 'warning'; - } + $retval |= filter_configure(); vpn_ipsec_configure($needsrestart); @@ -220,8 +214,8 @@ function maxmss_checked(obj) { Date: Tue, 3 Jan 2017 14:01:02 +0545 Subject: Ignore return from system_syslogd_start system_syslogd_start returns the retrn value from mwexec_bg, which is the PID of the background process. It is not an error status. So do not use it here. --- src/usr/local/www/status_logs_common.inc | 5 ++--- src/usr/local/www/status_logs_settings.php | 2 +- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/src/usr/local/www/status_logs_common.inc b/src/usr/local/www/status_logs_common.inc index 7a1d9c2..be05902 100644 --- a/src/usr/local/www/status_logs_common.inc +++ b/src/usr/local/www/status_logs_common.inc @@ -714,12 +714,12 @@ function manage_log_code() { } $retval = 0; + $changes_applied = true; // If any of the logging settings were changed then backup and sync (standard write_config). Otherwise only write config (don't backup, don't sync). if ($logging_changed) { write_config($desc = gettext("Log Display Settings Saved: ") . gettext($allowed_logs[$logfile]["name"]), $backup = true, $write_config_only = false); - $changes_applied = true; - $retval |= system_syslogd_start(); + system_syslogd_start(); } else { write_config($desc = gettext("Log Display Settings Saved (no backup, no sync): ") . gettext($allowed_logs[$logfile]["name"]), $backup = false, $write_config_only = true); } @@ -739,7 +739,6 @@ function manage_log_code() { if ($logfile == 'filter') { if ($firewall_logging_changed) { require_once("filter.inc"); - $changes_applied = true; $retval |= filter_configure(); filter_pflog_start(true); } 
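Review bot: The bare `system_syslogd_start();` in the first manage_log_code() hunk discards a return value for a reason that only the commit message records; a later reader will see a dropped result next to `$retval |= filter_configure();` and be tempted to fold it back in. Add `/* returns the PID from mwexec_bg(), not an exit status - do not OR it into $retval */` above the call here and above the identical call in the status_logs_settings.php hunk. manage_log_code() begins and ends outside these hunks.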
diff --git a/src/usr/local/www/status_logs_settings.php b/src/usr/local/www/status_logs_settings.php index fe7f04e..add7a80 100644 --- a/src/usr/local/www/status_logs_settings.php +++ b/src/usr/local/www/status_logs_settings.php @@ -164,7 +164,7 @@ if ($_POST['resetlogs'] == gettext("Reset Log Files")) { $changes_applied = true; $retval = 0; - $retval |= system_syslogd_start(); + system_syslogd_start(); if (($oldnologdefaultblock !== isset($config['syslog']['nologdefaultblock'])) || ($oldnologdefaultpass !== isset($config['syslog']['nologdefaultpass'])) || ($oldnologbogons !== isset($config['syslog']['nologbogons'])) || -- cgit v1.1 From 3cb0c7c312d4c17cb75e8ce9fff3a28c706d76a5 Mon Sep 17 00:00:00 2001 From: Phil Davis Date: Tue, 3 Jan 2017 14:05:26 +0545 Subject: vpn_ipsec_settings - do not redirect on save When the user presses save, and there are no input errors, the data is saved - good. But the page redirects away to itself, which is not necessary. It is preventing the "saved successfully" message from being seen. --- src/usr/local/www/vpn_ipsec_settings.php | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/usr/local/www/vpn_ipsec_settings.php b/src/usr/local/www/vpn_ipsec_settings.php index 3bcfa1d..fa24a53 100644 --- a/src/usr/local/www/vpn_ipsec_settings.php +++ b/src/usr/local/www/vpn_ipsec_settings.php @@ -177,9 +177,6 @@ if ($_POST) { $retval |= filter_configure(); vpn_ipsec_configure($needsrestart); - - header("Location: vpn_ipsec_settings.php"); - return; } // The logic value sent by $POST for autoexcludelanaddress is opposite to -- cgit v1.1 From 3bfb38f99cd1c15b5d502b3dbabc913226550d9c Mon Sep 17 00:00:00 2001 From: Renato Botelho Date: Tue, 3 Jan 2017 11:34:21 -0200 Subject: Fix #6357: Validate if RFC2136 dyndns updates succeeded --- src/etc/inc/services.inc | 35 +++++++++++++++++++++++++---------- 1 file changed, 25 insertions(+), 10 deletions(-) diff --git a/src/etc/inc/services.inc b/src/etc/inc/services.inc index ffabbbd..a50d32e 100644 
--- a/src/etc/inc/services.inc +++ b/src/etc/inc/services.inc @@ -2546,6 +2546,7 @@ function services_dnsupdate_process($int = "", $updatehost = "", $forced = false $wanipv6 = get_interface_ipv6($if); $cacheFile = "{$g['conf_path']}/dyndns_{$dnsupdate['interface']}_rfc2136_" . escapeshellarg($dnsupdate['host']) . "_{$dnsupdate['server']}.cache"; + $cacheFilev6 = $cacheFile . ".ipv6"; $currentTime = time(); if ($wanip || $wanipv6) { @@ -2599,8 +2600,8 @@ EOD; if (file_exists($cacheFile)) { list($cachedipv4, $cacheTimev4) = explode("|", file_get_contents($cacheFile)); } - if (file_exists("{$cacheFile}.ipv6")) { - list($cachedipv6, $cacheTimev6) = explode("|", file_get_contents("{$cacheFile}.ipv6")); + if (file_exists($cacheFilev6)) { + list($cachedipv6, $cacheTimev6) = explode("|", file_get_contents($cacheFilev6)); } // 25 Days @@ -2612,15 +2613,13 @@ EOD; if (($wanip != $cachedipv4) || (($currentTime - $cacheTimev4) > $maxCacheAgeSecs) || $forced) { $upinst .= "update delete {$dnsupdate['host']}. A\n"; $upinst .= "update add {$dnsupdate['host']}. {$dnsupdate['ttl']} A {$wanip}\n"; - $notify_text .= sprintf(gettext('DynDNS updated IP Address (A) for %1$s on %2$s (%3$s) to %4$s'), $dnsupdate['host'], convert_real_interface_to_friendly_descr($if), $if, $wanip) . "\n"; - @file_put_contents($cacheFile, "{$wanip}|{$currentTime}"); - log_error(sprintf(gettext('phpDynDNS: updating cache file %1$s: %2$s'), $cacheFile, $wanip)); $need_update = true; } else { log_error(sprintf(gettext("phpDynDNS: Not updating %s A record because the IP address has not changed."), $dnsupdate['host'])); } } else { @unlink($cacheFile); + unset($cacheFile); } /* Update IPv6 if we have it. */ 
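Review bot: In the A-record branch of the @@ -2612 hunk, `$cacheFile` is only unset when the interface has no usable IPv4 address, not in the `else` branch that logs "Not updating ... has not changed"; the @@ -2628 hunk does the same for `$cacheFilev6`. The post-run block in the @@ -2650 hunk then uses `!empty($cacheFile)` as the signal that an A update was queued, so an nsupdate batch triggered only by an AAAA change rewrites the IPv4 cache with a fresh timestamp (postponing the 25-day forced refresh) and sends a "DynDNS updated IP Address (A)" notification for a record that was not in the batch. Add `unset($cacheFile);` to the not-changed `else` branch and `unset($cacheFilev6);` to its IPv6 counterpart, or track what was queued with explicit flags instead of the file-name variables. The two later refactoring commits on this page carry the same logic forward unchanged. services_dnsupdate_process() starts outside the hunk.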
@@ -2628,15 +2627,13 @@ EOD; if (($wanipv6 != $cachedipv6) || (($currentTime - $cacheTimev6) > $maxCacheAgeSecs) || $forced) { $upinst .= "update delete {$dnsupdate['host']}. AAAA\n"; $upinst .= "update add {$dnsupdate['host']}. {$dnsupdate['ttl']} AAAA {$wanipv6}\n"; - $notify_text .= sprintf(gettext('DynDNS updated IPv6 Address (AAAA) for %1$s on %2$s (%3$s) to %4$s'), $dnsupdate['host'], convert_real_interface_to_friendly_descr($if), $if, $wanipv6) . "\n"; - @file_put_contents("{$cacheFile}.ipv6", "{$wanipv6}|{$currentTime}"); - log_error(sprintf(gettext('phpDynDNS: updating cache file %1$s.ipv6: %2$s'), $cacheFile, $wanipv6)); $need_update = true; } else { log_error(sprintf(gettext("phpDynDNS: Not updating %s AAAA record because the IPv6 address has not changed."), $dnsupdate['host'])); } } else { - @unlink("{$cacheFile}.ipv6"); + @unlink($cacheFilev6); + unset($cacheFilev6); } $upinst .= "\n"; /* mind that trailing newline! */ 
@@ -2650,7 +2647,25 @@ EOD; $cmd .= " -v"; } $cmd .= " {$g['varetc_path']}/nsupdatecmds{$i}"; - mwexec_bg($cmd); + if (mwexec($cmd) == 0) { + if (!empty($cacheFile)) { + @file_put_contents($cacheFile, "{$wanip}|{$currentTime}"); + log_error(sprintf(gettext('phpDynDNS: updating cache file %1$s: %2$s'), $cacheFile, $wanip)); + $notify_text .= sprintf(gettext('DynDNS updated IP Address (A) for %1$s on %2$s (%3$s) to %4$s'), $dnsupdate['host'], convert_real_interface_to_friendly_descr($if), $if, $wanip) . "\n"; + } + if (!empty($cacheFilev6)) { + @file_put_contents($cacheFilev6, "{$wanipv6}|{$currentTime}"); + log_error(sprintf(gettext('phpDynDNS: updating cache file %1$s: %2$s'), $cacheFilev6, $wanipv6)); + $notify_text .= sprintf(gettext('DynDNS updated IPv6 Address (AAAA) for %1$s on %2$s (%3$s) to %4$s'), $dnsupdate['host'], convert_real_interface_to_friendly_descr($if), $if, $wanipv6) . "\n"; + } + } else { + if (!empty($cacheFile)) { + log_error(sprintf(gettext('phpDynDNS: ERROR while updating IP Address (A) for %1$s (%2$s)'), $dnsupdate['host'], $wanip)); + } + if (!empty($cacheFilev6)) { + log_error(sprintf(gettext('phpDynDNS: ERROR while updating IP Address (AAAA) for %1$s (%2$s)'), $dnsupdate['host'], $wanipv6)); + } + } unset($cmd); } } -- cgit v1.1 From 858e0d8dbddb01a231b3b6fe7dbbed79d2e55eb6 Mon Sep 17 00:00:00 2001 From: Renato Botelho Date: Tue, 3 Jan 2017 11:39:26 -0200 Subject: Rework logic and reduce indent levels. No functional changes --- src/etc/inc/services.inc | 289 ++++++++++++++++++++++++----------------------- 1 file changed, 148 insertions(+), 141 deletions(-) diff --git a/src/etc/inc/services.inc b/src/etc/inc/services.inc index a50d32e..2863a6b 100644 --- a/src/etc/inc/services.inc +++ b/src/etc/inc/services.inc 
@@ -2509,170 +2509,177 @@ function services_dnsupdate_process($int = "", $updatehost = "", $forced = false } /* Dynamic DNS updating active? */ - if (is_array($config['dnsupdates']['dnsupdate'])) { - $notify_text = ""; - $gwgroups = return_gateway_groups_array(); - foreach ($config['dnsupdates']['dnsupdate'] as $i => $dnsupdate) { - if (!isset($dnsupdate['enable'])) { - continue; - } - /* - * If it's using a gateway group, check if interface is - * the active gateway for that group - */ - $group_int = ''; - if (is_array($gwgroups[$dnsupdate['interface']])) { - if (!empty($gwgroups[$dnsupdate['interface']][0]['vip'])) { - $group_int = $gwgroups[$dnsupdate['interface']][0]['vip']; - } else { - $group_int = $gwgroups[$dnsupdate['interface']][0]['int']; - } - } - if (!empty($int) && ($int != $dnsupdate['interface']) && ($int != $group_int)) { - continue; - } - if (!empty($updatehost) && ($updatehost != $dnsupdate['host'])) { - continue; - } - - /* determine interface name */ - $if = get_failover_interface($dnsupdate['interface']); + if (!is_array($config['dnsupdates']['dnsupdate'])) { + return 0; + } - if (isset($dnsupdate['usepublicip'])) { - $wanip = dyndnsCheckIP($if); + $notify_text = ""; + $gwgroups = return_gateway_groups_array(); + foreach ($config['dnsupdates']['dnsupdate'] as $i => $dnsupdate) { + if (!isset($dnsupdate['enable'])) { + continue; + } + /* + * If it's using a gateway group, check if interface is + * the active gateway for that group + */ + $group_int = ''; + if (is_array($gwgroups[$dnsupdate['interface']])) { + if (!empty($gwgroups[$dnsupdate['interface']][0]['vip'])) { + $group_int = $gwgroups[$dnsupdate['interface']][0]['vip']; } else { - $wanip = get_interface_ip($if); + $group_int = $gwgroups[$dnsupdate['interface']][0]['int']; } + } + if (!empty($int) && ($int != $dnsupdate['interface']) && ($int != $group_int)) { + continue; + } + if (!empty($updatehost) && ($updatehost != $dnsupdate['host'])) { + continue; + } - $wanipv6 = 
get_interface_ipv6($if); - $cacheFile = "{$g['conf_path']}/dyndns_{$dnsupdate['interface']}_rfc2136_" . escapeshellarg($dnsupdate['host']) . "_{$dnsupdate['server']}.cache"; - $cacheFilev6 = $cacheFile . ".ipv6"; - $currentTime = time(); + /* determine interface name */ + $if = get_failover_interface($dnsupdate['interface']); - if ($wanip || $wanipv6) { - $keyname = $dnsupdate['keyname']; - /* trailing dot */ - if (substr($keyname, -1) != ".") { - $keyname .= "."; - } + if (isset($dnsupdate['usepublicip'])) { + $wanip = dyndnsCheckIP($if); + } else { + $wanip = get_interface_ip($if); + } - $hostname = $dnsupdate['host']; - /* trailing dot */ - if (substr($hostname, -1) != ".") { - $hostname .= "."; - } + $wanipv6 = get_interface_ipv6($if); + $cacheFile = "{$g['conf_path']}/dyndns_{$dnsupdate['interface']}_rfc2136_" . escapeshellarg($dnsupdate['host']) . "_{$dnsupdate['server']}.cache"; + $cacheFilev6 = $cacheFile . ".ipv6"; + $currentTime = time(); + + if (!$wanip && !$wanipv6) { + continue; + } + + $keyname = $dnsupdate['keyname']; + /* trailing dot */ + if (substr($keyname, -1) != ".") { + $keyname .= "."; + } + + $hostname = $dnsupdate['host']; + /* trailing dot */ + if (substr($hostname, -1) != ".") { + $hostname .= "."; + } - /* write private key file - this is dumb - public and private keys are the same for HMAC-MD5, - but nsupdate insists on having both */ - $fd = fopen("{$g['varetc_path']}/K{$i}{$keyname}+157+00000.private", "w"); - $privkey = << $maxCacheAgeSecs) || $forced) { - $upinst .= "update delete {$dnsupdate['host']}. A\n"; - $upinst .= "update add {$dnsupdate['host']}. {$dnsupdate['ttl']} A {$wanip}\n"; - $need_update = true; - } else { - log_error(sprintf(gettext("phpDynDNS: Not updating %s A record because the IP address has not changed."), $dnsupdate['host'])); - } - } else { - @unlink($cacheFile); - unset($cacheFile); - } + /* Update IPv4 if we have it. 
*/ + if (is_ipaddrv4($wanip) && $dnsupdate['recordtype'] != "AAAA") { + if (($wanip != $cachedipv4) || (($currentTime - $cacheTimev4) > $maxCacheAgeSecs) || $forced) { + $upinst .= "update delete {$dnsupdate['host']}. A\n"; + $upinst .= "update add {$dnsupdate['host']}. {$dnsupdate['ttl']} A {$wanip}\n"; + $need_update = true; + } else { + log_error(sprintf(gettext("phpDynDNS: Not updating %s A record because the IP address has not changed."), $dnsupdate['host'])); + } + } else { + @unlink($cacheFile); + unset($cacheFile); + } - /* Update IPv6 if we have it. */ - if (is_ipaddrv6($wanipv6) && $dnsupdate['recordtype'] != "A") { - if (($wanipv6 != $cachedipv6) || (($currentTime - $cacheTimev6) > $maxCacheAgeSecs) || $forced) { - $upinst .= "update delete {$dnsupdate['host']}. AAAA\n"; - $upinst .= "update add {$dnsupdate['host']}. {$dnsupdate['ttl']} AAAA {$wanipv6}\n"; - $need_update = true; - } else { - log_error(sprintf(gettext("phpDynDNS: Not updating %s AAAA record because the IPv6 address has not changed."), $dnsupdate['host'])); - } - } else { - @unlink($cacheFilev6); - unset($cacheFilev6); - } + /* Update IPv6 if we have it. */ + if (is_ipaddrv6($wanipv6) && $dnsupdate['recordtype'] != "A") { + if (($wanipv6 != $cachedipv6) || (($currentTime - $cacheTimev6) > $maxCacheAgeSecs) || $forced) { + $upinst .= "update delete {$dnsupdate['host']}. AAAA\n"; + $upinst .= "update add {$dnsupdate['host']}. {$dnsupdate['ttl']} AAAA {$wanipv6}\n"; + $need_update = true; + } else { + log_error(sprintf(gettext("phpDynDNS: Not updating %s AAAA record because the IPv6 address has not changed."), $dnsupdate['host'])); + } + } else { + @unlink($cacheFilev6); + unset($cacheFilev6); + } - $upinst .= "\n"; /* mind that trailing newline! */ + $upinst .= "\n"; /* mind that trailing newline! 
*/ - if ($need_update) { - @file_put_contents("{$g['varetc_path']}/nsupdatecmds{$i}", $upinst); - unset($upinst); - /* invoke nsupdate */ - $cmd = "/usr/local/bin/nsupdate -k {$g['varetc_path']}/K{$i}{$keyname}+157+00000.key"; - if (isset($dnsupdate['usetcp'])) { - $cmd .= " -v"; - } - $cmd .= " {$g['varetc_path']}/nsupdatecmds{$i}"; - if (mwexec($cmd) == 0) { - if (!empty($cacheFile)) { - @file_put_contents($cacheFile, "{$wanip}|{$currentTime}"); - log_error(sprintf(gettext('phpDynDNS: updating cache file %1$s: %2$s'), $cacheFile, $wanip)); - $notify_text .= sprintf(gettext('DynDNS updated IP Address (A) for %1$s on %2$s (%3$s) to %4$s'), $dnsupdate['host'], convert_real_interface_to_friendly_descr($if), $if, $wanip) . "\n"; - } - if (!empty($cacheFilev6)) { - @file_put_contents($cacheFilev6, "{$wanipv6}|{$currentTime}"); - log_error(sprintf(gettext('phpDynDNS: updating cache file %1$s: %2$s'), $cacheFilev6, $wanipv6)); - $notify_text .= sprintf(gettext('DynDNS updated IPv6 Address (AAAA) for %1$s on %2$s (%3$s) to %4$s'), $dnsupdate['host'], convert_real_interface_to_friendly_descr($if), $if, $wanipv6) . 
"\n"; - } - } else { - if (!empty($cacheFile)) { - log_error(sprintf(gettext('phpDynDNS: ERROR while updating IP Address (A) for %1$s (%2$s)'), $dnsupdate['host'], $wanip)); - } - if (!empty($cacheFilev6)) { - log_error(sprintf(gettext('phpDynDNS: ERROR while updating IP Address (AAAA) for %1$s (%2$s)'), $dnsupdate['host'], $wanipv6)); - } - } - unset($cmd); - } - } + if (!$need_update) { + continue; + } + + @file_put_contents("{$g['varetc_path']}/nsupdatecmds{$i}", $upinst); + unset($upinst); + /* invoke nsupdate */ + $cmd = "/usr/local/bin/nsupdate -k {$g['varetc_path']}/K{$i}{$keyname}+157+00000.key"; + if (isset($dnsupdate['usetcp'])) { + $cmd .= " -v"; } - if (!empty($notify_text)) { - notify_all_remote($notify_text); + $cmd .= " {$g['varetc_path']}/nsupdatecmds{$i}"; + if (mwexec($cmd) == 0) { + if (!empty($cacheFile)) { + @file_put_contents($cacheFile, "{$wanip}|{$currentTime}"); + log_error(sprintf(gettext('phpDynDNS: updating cache file %1$s: %2$s'), $cacheFile, $wanip)); + $notify_text .= sprintf(gettext('DynDNS updated IP Address (A) for %1$s on %2$s (%3$s) to %4$s'), $dnsupdate['host'], convert_real_interface_to_friendly_descr($if), $if, $wanip) . "\n"; + } + if (!empty($cacheFilev6)) { + @file_put_contents($cacheFilev6, "{$wanipv6}|{$currentTime}"); + log_error(sprintf(gettext('phpDynDNS: updating cache file %1$s: %2$s'), $cacheFilev6, $wanipv6)); + $notify_text .= sprintf(gettext('DynDNS updated IPv6 Address (AAAA) for %1$s on %2$s (%3$s) to %4$s'), $dnsupdate['host'], convert_real_interface_to_friendly_descr($if), $if, $wanipv6) . 
"\n"; + } + } else { + if (!empty($cacheFile)) { + log_error(sprintf(gettext('phpDynDNS: ERROR while updating IP Address (A) for %1$s (%2$s)'), $dnsupdate['host'], $wanip)); + } + if (!empty($cacheFilev6)) { + log_error(sprintf(gettext('phpDynDNS: ERROR while updating IP Address (AAAA) for %1$s (%2$s)'), $dnsupdate['host'], $wanipv6)); + } } + unset($cmd); + } + + if (!empty($notify_text)) { + notify_all_remote($notify_text); } return 0; -- cgit v1.1 From 23adb26ddf2ddc7261254807557411c11743f13d Mon Sep 17 00:00:00 2001 From: Renato Botelho Date: Tue, 3 Jan 2017 11:50:11 -0200 Subject: Break some long lines, no functional changes --- src/etc/inc/services.inc | 97 ++++++++++++++++++++++++++++++++++-------------- 1 file changed, 70 insertions(+), 27 deletions(-) diff --git a/src/etc/inc/services.inc b/src/etc/inc/services.inc index 2863a6b..034a1f6 100644 --- a/src/etc/inc/services.inc +++ b/src/etc/inc/services.inc @@ -2548,7 +2548,10 @@ function services_dnsupdate_process($int = "", $updatehost = "", $forced = false } $wanipv6 = get_interface_ipv6($if); - $cacheFile = "{$g['conf_path']}/dyndns_{$dnsupdate['interface']}_rfc2136_" . escapeshellarg($dnsupdate['host']) . "_{$dnsupdate['server']}.cache"; + $cacheFile = $g['conf_path'] . + "/dyndns_{$dnsupdate['interface']}_rfc2136_" . + escapeshellarg($dnsupdate['host']) . + "_{$dnsupdate['server']}.cache"; $cacheFilev6 = $cacheFile . ".ipv6"; $currentTime = time(); 
@@ -2568,10 +2571,13 @@ function services_dnsupdate_process($int = "", $updatehost = "", $forced = false $hostname .= "."; } - /* write private key file - this is dumb - public and private keys are the same for HMAC-MD5, - but nsupdate insists on having both */ - $fd = fopen("{$g['varetc_path']}/K{$i}{$keyname}+157+00000.private", "w"); + /* + * write private key file + * this is dumb - public and private keys are the same for + * HMAC-MD5, but nsupdate insists on having both + */ + $fd = fopen($g['varetc_path'] . + "/K{$i}{$keyname}+157+00000.private", "w"); $privkey = << $maxCacheAgeSecs) || $forced) { - $upinst .= "update delete {$dnsupdate['host']}. A\n"; - $upinst .= "update add {$dnsupdate['host']}. {$dnsupdate['ttl']} A {$wanip}\n"; + if (($wanip != $cachedipv4) || $forced || + (($currentTime - $cacheTimev4) > $maxCacheAgeSecs)) { + $upinst .= "update delete " . + "{$dnsupdate['host']}. A\n"; + $upinst .= "update add {$dnsupdate['host']}. " . + "{$dnsupdate['ttl']} A {$wanip}\n"; $need_update = true; } else { - log_error(sprintf(gettext("phpDynDNS: Not updating %s A record because the IP address has not changed."), $dnsupdate['host'])); + log_error(sprintf(gettext( + "phpDynDNS: Not updating %s A record because the IP address has not changed."), + $dnsupdate['host'])); } } else { @unlink($cacheFile); 
@@ -2630,12 +2645,17 @@ EOD; /* Update IPv6 if we have it. */ if (is_ipaddrv6($wanipv6) && $dnsupdate['recordtype'] != "A") { - if (($wanipv6 != $cachedipv6) || (($currentTime - $cacheTimev6) > $maxCacheAgeSecs) || $forced) { - $upinst .= "update delete {$dnsupdate['host']}. AAAA\n"; - $upinst .= "update add {$dnsupdate['host']}. {$dnsupdate['ttl']} AAAA {$wanipv6}\n"; + if (($wanipv6 != $cachedipv6) || $forced || + (($currentTime - $cacheTimev6) > $maxCacheAgeSecs)) { + $upinst .= "update delete " . + "{$dnsupdate['host']}. AAAA\n"; + $upinst .= "update add {$dnsupdate['host']}. " . + "{$dnsupdate['ttl']} AAAA {$wanipv6}\n"; $need_update = true; } else { - log_error(sprintf(gettext("phpDynDNS: Not updating %s AAAA record because the IPv6 address has not changed."), $dnsupdate['host'])); + log_error(sprintf(gettext( + "phpDynDNS: Not updating %s AAAA record because the IPv6 address has not changed."), + $dnsupdate['host'])); } } else { @unlink($cacheFilev6); 
@@ -2648,31 +2668,54 @@ EOD; continue; } - @file_put_contents("{$g['varetc_path']}/nsupdatecmds{$i}", $upinst); + @file_put_contents("{$g['varetc_path']}/nsupdatecmds{$i}", + $upinst); unset($upinst); /* invoke nsupdate */ - $cmd = "/usr/local/bin/nsupdate -k {$g['varetc_path']}/K{$i}{$keyname}+157+00000.key"; + $cmd = "/usr/local/bin/nsupdate -k " . + "{$g['varetc_path']}/K{$i}{$keyname}+157+00000.key"; + if (isset($dnsupdate['usetcp'])) { $cmd .= " -v"; } + $cmd .= " {$g['varetc_path']}/nsupdatecmds{$i}"; + if (mwexec($cmd) == 0) { if (!empty($cacheFile)) { - @file_put_contents($cacheFile, "{$wanip}|{$currentTime}"); - log_error(sprintf(gettext('phpDynDNS: updating cache file %1$s: %2$s'), $cacheFile, $wanip)); - $notify_text .= sprintf(gettext('DynDNS updated IP Address (A) for %1$s on %2$s (%3$s) to %4$s'), $dnsupdate['host'], convert_real_interface_to_friendly_descr($if), $if, $wanip) . "\n"; + @file_put_contents($cacheFile, + "{$wanip}|{$currentTime}"); + log_error(sprintf(gettext( + 'phpDynDNS: updating cache file %1$s: %2$s'), + $cacheFile, $wanip)); + $notify_text .= sprintf(gettext( + 'DynDNS updated IP Address (A) for %1$s on %2$s (%3$s) to %4$s'), + $dnsupdate['host'], + convert_real_interface_to_friendly_descr($if), + $if, $wanip) . "\n"; } if (!empty($cacheFilev6)) { - @file_put_contents($cacheFilev6, "{$wanipv6}|{$currentTime}"); - log_error(sprintf(gettext('phpDynDNS: updating cache file %1$s: %2$s'), $cacheFilev6, $wanipv6)); - $notify_text .= sprintf(gettext('DynDNS updated IPv6 Address (AAAA) for %1$s on %2$s (%3$s) to %4$s'), $dnsupdate['host'], convert_real_interface_to_friendly_descr($if), $if, $wanipv6) . 
"\n"; + @file_put_contents($cacheFilev6, + "{$wanipv6}|{$currentTime}"); + log_error(sprintf(gettext( + 'phpDynDNS: updating cache file %1$s: %2$s'), + $cacheFilev6, $wanipv6)); + $notify_text .= sprintf(gettext( + 'DynDNS updated IPv6 Address (AAAA) for %1$s on %2$s (%3$s) to %4$s'), + $dnsupdate['host'], + convert_real_interface_to_friendly_descr($if), + $if, $wanipv6) . "\n"; } } else { if (!empty($cacheFile)) { - log_error(sprintf(gettext('phpDynDNS: ERROR while updating IP Address (A) for %1$s (%2$s)'), $dnsupdate['host'], $wanip)); + log_error(sprintf(gettext( + 'phpDynDNS: ERROR while updating IP Address (A) for %1$s (%2$s)'), + $dnsupdate['host'], $wanip)); } if (!empty($cacheFilev6)) { - log_error(sprintf(gettext('phpDynDNS: ERROR while updating IP Address (AAAA) for %1$s (%2$s)'), $dnsupdate['host'], $wanipv6)); + log_error(sprintf(gettext( + 'phpDynDNS: ERROR while updating IP Address (AAAA) for %1$s (%2$s)'), + $dnsupdate['host'], $wanipv6)); } } unset($cmd); -- cgit v1.1 From b712dd529e2445fc20e983815a80a4e8ea109760 Mon Sep 17 00:00:00 2001 From: Renato Botelho Date: Tue, 3 Jan 2017 12:27:52 -0200 Subject: Make sure ZFS partiion is mounted read-write before try to change items in filesystem --- src/etc/pfSense-rc | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/src/etc/pfSense-rc b/src/etc/pfSense-rc index 4d2c3fb..7658bf8 100755 --- a/src/etc/pfSense-rc +++ b/src/etc/pfSense-rc 
@@ -105,6 +105,20 @@ while [ ${mount_rc} -ne 0 -a ${attempts} -lt 3 ]; do attempts=$((attempts+1)) done +# Handle ZFS read-only case +/sbin/kldstat -qm zfs +if [ $? -eq 0 ]; then + ZFSFSAVAILABLE=$(/sbin/zfs mount 2>/dev/null | wc -l) + if [ $ZFSFSAVAILABLE -eq 0 ]; then + /sbin/kldunload zfs + elif [ -f /usr/bin/grep ]; then + ZFSROOT=`/sbin/zfs mount | /usr/bin/grep ' /$' | /usr/bin/cut -d ' ' -f 1` + if [ "$ZFSROOT" != "" ]; then + /sbin/zfs set readonly=off $ZFSROOT + fi + fi +fi + # If /conf is a directory, convert it to a symlink to /cf/conf if [ -d "/conf" ]; then # If item is not a symlink then rm and recreate @@ -152,20 +166,6 @@ fi /bin/rm -f /root/TRIM_set /bin/rm -f /root/TRIM_unset -# Handle ZFS read-only case -/sbin/kldstat -qm zfs -if [ $? -eq 0 ]; then - ZFSFSAVAILABLE=$(/sbin/zfs mount 2>/dev/null | wc -l) - if [ $ZFSFSAVAILABLE -eq 0 ]; then - /sbin/kldunload zfs - elif [ -f /usr/bin/grep ]; then - ZFSROOT=`/sbin/zfs mount | /usr/bin/grep ' /$' | /usr/bin/cut -d ' ' -f 1` - if [ "$ZFSROOT" != "" ]; then - /sbin/zfs set readonly=off $ZFSROOT - fi - fi -fi - # Disable APM on ATA drives. Leaving this on will kill drives long-term, especially laptop drives, by generating excessive Load Cycles. if [ -f /etc/rc.disable_hdd_apm ]; then /etc/rc.disable_hdd_apm -- cgit v1.1 From c854afcc3d7830414a2514a640248a5b239569a3 Mon Sep 17 00:00:00 2001 From: jim-p Date: Tue, 3 Jan 2017 10:28:59 -0500 Subject: Add --tls-crypt support for OpenVPN servers and clients. Implements #7071 --- src/etc/inc/openvpn.inc | 20 ++++++++++++---- src/usr/local/www/vpn_openvpn_client.php | 35 +++++++++++++++++++++------- src/usr/local/www/vpn_openvpn_server.php | 39 +++++++++++++++++++++++++------- 3 files changed, 74 insertions(+), 20 deletions(-) diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc index 9a8289a..6c24186 100644 --- a/src/etc/inc/openvpn.inc +++ b/src/etc/inc/openvpn.inc 
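Review bot: The relocated block passes `$ZFSROOT` unquoted to `/sbin/zfs set readonly=off $ZFSROOT`, so a dataset name containing whitespace would be word-split even though the emptiness test just above it is careful to quote; use `/sbin/zfs set readonly=off "$ZFSROOT"`. The `kldstat` result is also tested through `$?` on a separate line, which is fragile if a statement is ever inserted between them; `if /sbin/kldstat -qm zfs; then` tests the command directly. Since the block now runs before the `/conf` handling, a failing `zfs set` is silent, so consider logging its exit status so a still-read-only root is visible at boot.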
@@ -137,6 +137,12 @@ $openvpn_topologies = array( // 'p2p => gettext("Peer to Peer -- One IP address per client peer-to-peer style. Does not work on Windows.") ); +global $openvpn_tls_modes; +$openvpn_tls_modes = array( + 'auth' => gettext("TLS Authentication"), + 'crypt' => gettext("TLS Encryption and Authentication"), +); + function openvpn_build_mode_list() { global $openvpn_server_modes; @@ -1077,12 +1083,18 @@ function openvpn_reconfigure($mode, $settings) { openvpn_add_keyfile($crl['text'], $conf, $mode_id, "crl-verify"); } if ($settings['tls']) { - if ($mode == "server") { - $tlsopt = 0; + if ($settings['tls_type'] == "crypt") { + $tls_directive = "tls-crypt"; + $tlsopt = ""; } else { - $tlsopt = 1; + $tls_directive = "tls-auth"; + if ($mode == "server") { + $tlsopt = 0; + } else { + $tlsopt = 1; + } } - openvpn_add_keyfile($settings['tls'], $conf, $mode_id, "tls-auth", $tlsopt); + openvpn_add_keyfile($settings['tls'], $conf, $mode_id, $tls_directive, $tlsopt); } break; } diff --git a/src/usr/local/www/vpn_openvpn_client.php b/src/usr/local/www/vpn_openvpn_client.php index a8089c8..94f6381 100644 --- a/src/usr/local/www/vpn_openvpn_client.php +++ b/src/usr/local/www/vpn_openvpn_client.php @@ -31,7 +31,7 @@ require_once("guiconfig.inc"); require_once("openvpn.inc"); require_once("pkg-utils.inc"); -global $openvpn_topologies; +global $openvpn_topologies, $openvpn_tls_modes; if (!is_array($config['openvpn']['openvpn-client'])) { $config['openvpn']['openvpn-client'] = array(); @@ -137,6 +137,7 @@ if ($_GET['act'] == "edit") { if ($a_client[$id]['tls']) { $pconfig['tlsauth_enable'] = "yes"; $pconfig['tls'] = base64_decode($a_client[$id]['tls']); + $pconfig['tls_type'] = $a_server[$id]['tls_type']; } } else { $pconfig['shared_key'] = base64_decode($a_client[$id]['shared_key']); 
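Review bot: In the vpn_openvpn_client.php @@ -137 hunk the new line reads `$pconfig['tls_type'] = $a_server[$id]['tls_type'];`, but the adjacent lines load `$a_client[$id]['tls']`; `$a_server` is the wrong array for this page, so the edit form will show the wrong (or an empty) usage mode for an existing client and re-saving it will reset a tls-crypt client to tls-auth. Change it to `$pconfig['tls_type'] = $a_client[$id]['tls_type'];`. The server page's counterpart in the vpn_openvpn_server.php @@ -132 hunk correctly uses `$a_server`.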
@@ -289,7 +290,10 @@ if ($_POST) { if ($tls_mode && $pconfig['tlsauth_enable'] && !$pconfig['autotls_enable']) { if (!strstr($pconfig['tls'], "-----BEGIN OpenVPN Static key V1-----") || !strstr($pconfig['tls'], "-----END OpenVPN Static key V1-----")) { - $input_errors[] = gettext("The field 'TLS Authentication Key' does not appear to be valid"); + $input_errors[] = gettext("The field 'TLS Key' does not appear to be valid"); + } + if (!in_array($pconfig['tls_type'], array_keys($openvpn_tls_modes))) { + $input_errors[] = gettext("The field 'TLS Key Usage Mode' is not valid"); } } @@ -365,6 +369,7 @@ if ($_POST) { $pconfig['tls'] = openvpn_create_key(); } $client['tls'] = base64_encode($pconfig['tls']); + $client['tls_type'] = $pconfig['tls_type']; } } else { $client['shared_key'] = base64_encode($pconfig['shared_key']); @@ -564,25 +569,38 @@ if ($act=="new" || $act=="edit"): $section->addInput(new Form_Checkbox( 'tlsauth_enable', - 'TLS authentication', - 'Enable authentication of TLS packets.', + 'TLS Configuration', + 'Use a TLS Key', $pconfig['tlsauth_enable'] - )); + ))->setHelp("A TLS key enhances security of an OpenVPN connection by requiring both parties to have a common key before a peer can perform a TLS handshake. " . + "This layer of HMAC authentication allows control channel packets without the proper key to be dropped, protecting the peers from attack or unauthorized connections." . + "The TLS Key does not have any effect on tunnel data."); if (!$pconfig['tls']) { $section->addInput(new Form_Checkbox( 'autotls_enable', null, - 'Automatically generate a shared TLS authentication key.', + 'Automatically generate a TLS Key.', $pconfig['autotls_enable'] )); } $section->addInput(new Form_Textarea( 'tls', - 'Key', + 'TLS Key', $pconfig['tls'] - ))->setHelp('Paste the shared key here'); + ))->setHelp("Paste the TLS key here." . + "
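Review bot: `tls_type` is validated only inside `if ($tls_mode && $pconfig['tlsauth_enable'] && !$pconfig['autotls_enable'])`, so when the key is auto-generated the posted mode skips the `in_array` check yet is still persisted by `$client['tls_type'] = $pconfig['tls_type'];` in the @@ -365 hunk; openvpn.inc then treats anything other than `crypt` as tls-auth, so a bogus or empty mode is silently stored and rendered as Authentication. Move the mode check outside the `!autotls_enable` condition, and prefer `array_key_exists($pconfig['tls_type'], $openvpn_tls_modes)` over the loose `in_array(..., array_keys(...))`. The vpn_openvpn_server.php @@ -329 and @@ -476 hunks have the same shape. The enclosing `if ($_POST)` block starts and ends outside these hunks.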
" . + "This key is used to sign control channel packets with an HMAC signature for authentication when establishing the tunnel. "); + + $section->addInput(new Form_Select( + 'tls_type', + 'TLS Key Usage Mode', + empty($pconfig['tls_type']) ? 'auth':$pconfig['tls_type'], + $openvpn_tls_modes + ))->setHelp("In Authentication mode the TLS key is used only as HMAC authentication for the control channel, protecting the peers from unauthorized connections. " . + "
" . + "Encryption and Authentication mode also encrypts control channel communication, providing more privacy and traffic control channel obfuscation."); if (count($a_ca)) { $list = array(); @@ -900,6 +918,7 @@ events.push(function() { // Process "Automatically generate a shared TLS authentication key" checkbox function autotls_change() { hideInput('tls', $('#autotls_enable').prop('checked') || !$('#tlsauth_enable').prop('checked')); + hideInput('tls_type', $('#autotls_enable').prop('checked') || !$('#tlsauth_enable').prop('checked')); } // ---------- Monitor elements for change and call the appropriate display functions ------------------------------ diff --git a/src/usr/local/www/vpn_openvpn_server.php b/src/usr/local/www/vpn_openvpn_server.php index 0468e22..a093f63 100644 --- a/src/usr/local/www/vpn_openvpn_server.php +++ b/src/usr/local/www/vpn_openvpn_server.php @@ -31,7 +31,7 @@ require_once("guiconfig.inc"); require_once("openvpn.inc"); require_once("pkg-utils.inc"); -global $openvpn_topologies; +global $openvpn_topologies, $openvpn_tls_modes; if (!is_array($config['openvpn']['openvpn-server'])) { $config['openvpn']['openvpn-server'] = array(); @@ -132,6 +132,7 @@ if ($_GET['act'] == "edit") { if ($a_server[$id]['tls']) { $pconfig['tlsauth_enable'] = "yes"; $pconfig['tls'] = base64_decode($a_server[$id]['tls']); + $pconfig['tls_type'] = $a_server[$id]['tls_type']; } $pconfig['caref'] = $a_server[$id]['caref']; 
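Review bot: The help text for `tlsauth_enable` in the client form hunk concatenates `"...unauthorized connections."` directly with `"The TLS Key does not have any effect on tunnel data."`, so the rendered sentence reads "connections.The TLS Key"; add the trailing space, `"... protecting the peers from attack or unauthorized connections. " .`. The vpn_openvpn_server.php form hunk appears to repeat the same text and would need the same fix. Closing the sentences in the `setHelp` strings as written avoids the run-on on both pages.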
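Review bot: In the `autotls_change()` hunk the new `hideInput('tls_type', ...)` line duplicates the visibility expression from the `hideInput('tls', ...)` line above it, so the two can drift apart on the next edit; compute it once, `var hide = $('#autotls_enable').prop('checked') || !$('#tlsauth_enable').prop('checked');`, and pass `hide` to both calls. The comment above the function still says "shared TLS authentication key" and should follow the renamed checkbox label.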
@@ -329,7 +330,10 @@ if ($_POST) { if ($tls_mode && $pconfig['tlsauth_enable'] && !$pconfig['autotls_enable']) { if (!strstr($pconfig['tls'], "-----BEGIN OpenVPN Static key V1-----") || !strstr($pconfig['tls'], "-----END OpenVPN Static key V1-----")) { - $input_errors[] = gettext("The field 'TLS Authentication Key' does not appear to be valid"); + $input_errors[] = gettext("The field 'TLS Key' does not appear to be valid"); + } + if (!in_array($pconfig['tls_type'], array_keys($openvpn_tls_modes))) { + $input_errors[] = gettext("The field 'TLS Key Usage Mode' is not valid"); } } @@ -476,6 +480,7 @@ if ($_POST) { $pconfig['tls'] = openvpn_create_key(); } $server['tls'] = base64_encode($pconfig['tls']); + $server['tls_type'] = $pconfig['tls_type']; } $server['caref'] = $pconfig['caref']; $server['crlref'] = $pconfig['crlref']; @@ -697,25 +702,38 @@ if ($act=="new" || $act=="edit"): $section->addInput(new Form_Checkbox( 'tlsauth_enable', - 'TLS authentication', - 'Enable authentication of TLS packets.', + 'TLS Configuration', + 'Use a TLS Key', $pconfig['tlsauth_enable'] - )); + ))->setHelp("A TLS key enhances security of an OpenVPN connection by requiring both parties to have a common key before a peer can perform a TLS handshake. " . + "This layer of HMAC authentication allows control channel packets without the proper key to be dropped, protecting the peers from attack or unauthorized connections." . + "The TLS Key does not have any effect on tunnel data."); if (!$pconfig['tls']) { $section->addInput(new Form_Checkbox( 'autotls_enable', null, - 'Automatically generate a shared TLS authentication key.', + 'Automatically generate a TLS Key.', $pconfig['autotls_enable'] )); } $section->addInput(new Form_Textarea( 'tls', - 'Key', + 'TLS Key', $pconfig['tls'] - ))->setHelp('Paste the shared key here'); + ))->setHelp("Paste the TLS key here." . + "
" . + "This key is used to sign control channel packets with an HMAC signature for authentication when establishing the tunnel. "); + + $section->addInput(new Form_Select( + 'tls_type', + 'TLS Key Usage Mode', + empty($pconfig['tls_type']) ? 'auth':$pconfig['tls_type'], + $openvpn_tls_modes + ))->setHelp("In Authentication mode the TLS key is used only as HMAC authentication for the control channel, protecting the peers from unauthorized connections. " . + "
" . + "Encryption and Authentication mode also encrypts control channel communication, providing more privacy and traffic control channel obfuscation."); if (count($a_ca)) { @@ -1313,6 +1331,7 @@ events.push(function() { case "server_tls": case "server_user": hideInput('tls', false); + hideInput('tls_type', false); hideInput('certref', false); hideInput('dh_length', false); hideInput('ecdh_curve', false); @@ -1325,6 +1344,7 @@ events.push(function() { break; case "server_tls_user": hideInput('tls', false); + hideInput('tls_type', false); hideInput('certref', false); hideInput('dh_length', false); hideInput('ecdh_curve', false); @@ -1337,6 +1357,7 @@ events.push(function() { break; case "p2p_shared_key": hideInput('tls', true); + hideInput('tls_type', true); hideInput('caref', true); hideInput('crlref', true); hideLabel('Peer Certificate Revocation list', true); @@ -1420,10 +1441,12 @@ events.push(function() { function autotls_change() { if (($('#mode').val() == 'p2p_shared_key') || (!$('#tlsauth_enable').prop('checked'))) { hideInput('tls', true); + hideInput('tls_type', true); hideInput('autotls_enable', true); } else { hideInput('autotls_enable', false); hideInput('tls', $('#autotls_enable').prop('checked') || !$('#tlsauth_enable').prop('checked')); + hideInput('tls_type', $('#autotls_enable').prop('checked') || !$('#tlsauth_enable').prop('checked')); } } -- cgit v1.1 From b8b6a303312b29f927df2b3f679195ab1f051447 Mon Sep 17 00:00:00 2001 From: jim-p Date: Tue, 3 Jan 2017 10:39:34 -0500 Subject: Add some help text to OpenVPN client/server for encryption and auth digest. --- src/usr/local/www/vpn_openvpn_client.php | 8 ++++++-- src/usr/local/www/vpn_openvpn_server.php | 8 ++++++-- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/src/usr/local/www/vpn_openvpn_client.php b/src/usr/local/www/vpn_openvpn_client.php index 94f6381..e92d99f 100644 --- a/src/usr/local/www/vpn_openvpn_client.php +++ b/src/usr/local/www/vpn_openvpn_client.php 
@@ -662,14 +662,18 @@ if ($act=="new" || $act=="edit"): 'Encryption Algorithm', $pconfig['crypto'], openvpn_get_cipherlist() - )); + ))->setHelp('The Encryption Algorithm used for data channel packets.'); $section->addInput(new Form_Select( 'digest', 'Auth digest algorithm', $pconfig['digest'], openvpn_get_digestlist() - ))->setHelp('Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN. '); + ))->setHelp('The algorithm used to authenticate data channel packets, and control channel packets if a TLS Key is present.' . + '
' . + 'When an AEAD Encryption Algorithm mode is used, such as AES-GCM, this digest is used for the control channel only, not the data channel.' . + '
' . + 'Leave this set to SHA1 unless the server uses a different value. SHA1 is the default for OpenVPN. '); $section->addInput(new Form_Select( 'engine', diff --git a/src/usr/local/www/vpn_openvpn_server.php b/src/usr/local/www/vpn_openvpn_server.php index a093f63..7cb744b 100644 --- a/src/usr/local/www/vpn_openvpn_server.php +++ b/src/usr/local/www/vpn_openvpn_server.php @@ -838,14 +838,18 @@ if ($act=="new" || $act=="edit"): 'Encryption Algorithm', $pconfig['crypto'], openvpn_get_cipherlist() - )); + ))->setHelp('The Encryption Algorithm used for data channel packets.'); $section->addInput(new Form_Select( 'digest', 'Auth digest algorithm', $pconfig['digest'], openvpn_get_digestlist() - ))->setHelp('Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN. '); + ))->setHelp('The algorithm used to authenticate data channel packets, and control channel packets if a TLS Key is present.' . + '
' . + 'When an AEAD Encryption Algorithm mode is used, such as AES-GCM, this digest is used for the control channel only, not the data channel.' . + '
' . + 'Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN. '); $section->addInput(new Form_Select( 'engine', -- cgit v1.1 From 4cfd15a94a97445d1334ad87bddf0c3700f74bf2 Mon Sep 17 00:00:00 2001 From: jim-p Date: Tue, 3 Jan 2017 11:47:20 -0500 Subject: Replace "client-cert-not-required" with "verify-client-cert none". Fixes #7073 --- src/etc/inc/openvpn.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc index 6c24186..f46d3b3 100644 --- a/src/etc/inc/openvpn.inc +++ b/src/etc/inc/openvpn.inc @@ -877,7 +877,7 @@ function openvpn_reconfigure($mode, $settings) { // configure user auth modes switch ($settings['mode']) { case 'server_user': - $conf .= "client-cert-not-required\n"; + $conf .= "verify-client-cert none\n"; case 'server_tls_user': /* username-as-common-name is not compatible with server-bridge */ if (stristr($conf, "server-bridge") === false) { -- cgit v1.1 From b399d623158affc84b8175dd5ceeca8946f5ef7e Mon Sep 17 00:00:00 2001 From: scherma Date: Tue, 3 Jan 2017 20:52:13 +0000 Subject: SESSION remembers authentication instead of checking for every HTTP request --- src/etc/inc/priv.inc | 76 +++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 58 insertions(+), 18 deletions(-) diff --git a/src/etc/inc/priv.inc b/src/etc/inc/priv.inc index c430ced..9a2d28c 100644 --- a/src/etc/inc/priv.inc +++ b/src/etc/inc/priv.inc 
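Review bot: `verify-client-cert none` is only understood by OpenVPN 2.4 and later, while `client-cert-not-required` is the pre-2.4 spelling, so this line silently ties config generation to the installed OpenVPN version; a comment stating that dependency next to it would help whoever next pins or bumps the package. The `case 'server_user':` arm also falls straight into `case 'server_tls_user':` with no `break` — pre-existing, but now it reads as if the new directive were the whole arm — so mark it, e.g. `/* FALLTHROUGH: server_user also needs the username-as-common-name handling below */`. Functionally `none` tells the server to accept peers that present no client certificate at all, leaving (presumably) the username/password check as the only peer authentication for this mode, which is worth a one-line comment for the next reader. The surrounding `switch` and `openvpn_reconfigure()` continue outside the hunk.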
@@ -3,24 +3,56 @@ * priv.inc * * part of pfSense (https://www.pfsense.org) - * Copyright (c) 2004-2016 Rubicon Communications, LLC (Netgate) + * Copyright (c) 2004-2016 Electric Sheep Fencing, LLC * Copyright (c) 2005-2006 Bill Marquette * Copyright (c) 2006 Paul Taylor . * Copyright (c) 2008 Shrew Soft Inc * Copyright (c) 2003-2006 Manuel Kasper . * All rights reserved. * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: * - * http://www.apache.org/licenses/LICENSE-2.0 + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgment: + * "This product includes software developed by the pfSense Project + * for use in the pfSense® software distribution. (http://www.pfsense.org/). + * + * 4. The names "pfSense" and "pfSense Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * coreteam@pfsense.org. + * + * 5. 
Products derived from this software may not be called "pfSense" + * nor may "pfSense" appear in their names without prior written + * permission of the Electric Sheep Fencing, LLC. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * + * "This product includes software developed by the pfSense Project + * for use in the pfSense software distribution (http://www.pfsense.org/). + * + * THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. */ require_once("priv.defs.inc"); 
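Review bot: This hunk replaces the Apache 2.0 license header with the older BSD-style text and changes the copyright holder, which has nothing to do with the session caching described in the commit message and is reverted again in the following commit. It looks like the branch was started from a stale copy of priv.inc; rebasing the series so only the `getAllowedPages()` change remains would keep the licensing history clean.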
@@ -267,14 +299,22 @@ function getAllowedPages($username, &$attributes = array()) { $allowed_pages = array(); $allowed_groups = array(); - if ($_SESSION['remoteauth']) { - $authcfg = auth_get_authserver($config['system']['webgui']['authmode']); - // obtain ldap groups if we are in ldap mode - if ($authcfg['type'] == "ldap") { - $allowed_groups = @ldap_get_groups($username, $authcfg); - } elseif ($authcfg['type'] == "radius") { - $allowed_groups = @radius_get_groups($attributes); - } + $authcfg = auth_get_authserver($config['system']['webgui']['authmode']); + // obtain ldap groups if we are in ldap mode + if ($authcfg['type'] == "ldap") { + if ( !isset($_SESSION["ldap_allowed_groups"]) ) { + $allowed_groups = @ldap_get_groups($username, $authcfg); + $_SESSION["ldap_allowed_groups"] = $allowed_groups; + } else { + $allowed_groups = $_SESSION["ldap_allowed_groups"]; + } + } elseif ($authcfg['type'] == "radius") { + if ( !isset($_SESSION["radius_allowed_groups"]) ) { + $allowed_groups = @radius_get_groups($attributes); + $_SESSION["radius_allowed_groups"] = $allowed_groups; + } else { + $allowed_groups = $_SESSION["radius_allowed_groups"]; + } } if (!$allowed_groups) { // search for a local user by name -- cgit v1.1 From 9416a5a35c6281f6b61d7f442933cd6369dfd89c Mon Sep 17 00:00:00 2001 From: scherma Date: Tue, 3 Jan 2017 20:59:53 +0000 Subject: SESSION remembers authentication instead of checking for every HTTP request --- src/etc/inc/priv.inc | 517 +++++++++++++++++++++------------------------------ 1 file changed, 217 insertions(+), 300 deletions(-) diff --git a/src/etc/inc/priv.inc b/src/etc/inc/priv.inc index 9a2d28c..14dd7e4 100644 --- a/src/etc/inc/priv.inc +++ b/src/etc/inc/priv.inc 
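Review bot: The LDAP/RADIUS group list is now stored in `$_SESSION["ldap_allowed_groups"]` / `$_SESSION["radius_allowed_groups"]` with no expiry, so a group removed on the directory or RADIUS server keeps granting its pages until the web session ends. `isset()` is also true for a stored `false` or empty array, so a single failed `@ldap_get_groups()` call pins the session to the local-user fallback below it until logout; cache only a non-empty result, and give the entry a bounded lifetime. Dropping the `if ($_SESSION['remoteauth'])` guard additionally makes every locally authenticated session query the configured remote server. The cache key carries no username, which is only safe if the session is regenerated at login — that code is outside this hunk and worth confirming.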
@@ -3,356 +3,273 @@ * priv.inc * * part of pfSense (https://www.pfsense.org) - * Copyright (c) 2004-2016 Electric Sheep Fencing, LLC + * Copyright (c) 2004-2016 Rubicon Communications, LLC (Netgate) * Copyright (c) 2005-2006 Bill Marquette * Copyright (c) 2006 Paul Taylor . * Copyright (c) 2008 Shrew Soft Inc * Copyright (c) 2003-2006 Manuel Kasper . * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. + * http://www.apache.org/licenses/LICENSE-2.0 * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgment: - * "This product includes software developed by the pfSense Project - * for use in the pfSense® software distribution. (http://www.pfsense.org/). - * - * 4. The names "pfSense" and "pfSense Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * coreteam@pfsense.org. - * - * 5. Products derived from this software may not be called "pfSense" - * nor may "pfSense" appear in their names without prior written - * permission of the Electric Sheep Fencing, LLC. - * - * 6. 
Redistributions of any form whatsoever must retain the following - * acknowledgment: - * - * "This product includes software developed by the pfSense Project - * for use in the pfSense software distribution (http://www.pfsense.org/). - * - * THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. */ - require_once("priv.defs.inc"); - /* Load and process custom privs. 
*/ function get_priv_files($directory) { - $dir_array = array(); - if (!is_dir($directory)) { - return; - } - if ($dh = opendir($directory)) { - while (($file = readdir($dh)) !== false) { - $canadd = 0; - if ($file == ".") { - $canadd = 1; - } - if ($file == "..") { - $canadd = 1; - } - if ($canadd == 0) { - array_push($dir_array, $file); - } - } - closedir($dh); - } - if (!is_array($dir_array)) { - return; - } - return $dir_array; + $dir_array = array(); + if (!is_dir($directory)) { + return; + } + if ($dh = opendir($directory)) { + while (($file = readdir($dh)) !== false) { + $canadd = 0; + if ($file == ".") { + $canadd = 1; + } + if ($file == "..") { + $canadd = 1; + } + if ($canadd == 0) { + array_push($dir_array, $file); + } + } + closedir($dh); + } + if (!is_array($dir_array)) { + return; + } + return $dir_array; } - // Load and sort privs $dir_array = get_priv_files("/etc/inc/priv"); foreach ($dir_array as $file) { - if (!is_dir("/etc/inc/priv/{$file}") && stristr($file, ".inc")) { - include_once("/etc/inc/priv/{$file}"); - } + if (!is_dir("/etc/inc/priv/{$file}") && stristr($file, ".inc")) { + include_once("/etc/inc/priv/{$file}"); + } } if (is_dir("/usr/local/pkg/priv")) { - $dir_array = get_priv_files("/usr/local/pkg/priv"); - foreach ($dir_array as $file) { - if (!is_dir("/usr/local/pkg/priv/{$file}") && stristr($file, ".inc")) { - include_once("/usr/local/pkg/priv/{$file}"); - } - } + $dir_array = get_priv_files("/usr/local/pkg/priv"); + foreach ($dir_array as $file) { + if (!is_dir("/usr/local/pkg/priv/{$file}") && stristr($file, ".inc")) { + include_once("/usr/local/pkg/priv/{$file}"); + } + } } - if (is_array($priv_list)) { - sort_privs($priv_list); + sort_privs($priv_list); } - function cmp_privkeys($a, $b) { - /* user privs at the top */ - $auser = strncmp("user-", $a, 5); - $buser = strncmp("user-", $b, 5); - if ($auser != $buser) { - return $auser - $buser; - } - - /* name compare others */ - return strcasecmp($a, $b); + /* user privs at the top 
*/ + $auser = strncmp("user-", $a, 5); + $buser = strncmp("user-", $b, 5); + if ($auser != $buser) { + return $auser - $buser; + } + /* name compare others */ + return strcasecmp($a, $b); } - function sort_privs(& $privs) { - uksort($privs, "cmp_privkeys"); + uksort($privs, "cmp_privkeys"); } - function cmp_page_matches($page, & $matches, $fullwc = true) { - -// $dbg_matches = implode(",", $matches); -// log_error("debug: checking page {$page} match with {$dbg_matches}"); - - if (!is_array($matches)) { - return false; - } - - /* skip any leading fwdslash */ - $test = strpos($page, "/"); - if ($test !== false && $test == 0) { - $page = substr($page, 1); - } - - /* look for a match */ - foreach ($matches as $match) { - - /* possibly ignore full wildcard match */ - if (!$fullwc && !strcmp($match , "*")) { - continue; - } - - /* compare exact or wildcard match */ - $match = str_replace(array(".", "*", "?"), array("\.", ".*", "\?"), $match); - $result = preg_match("@^/{$match}$@", "/{$page}"); - - if ($result) { - return true; - } - } - - return false; +// $dbg_matches = implode(",", $matches); +// log_error("debug: checking page {$page} match with {$dbg_matches}"); + if (!is_array($matches)) { + return false; + } + /* skip any leading fwdslash */ + $test = strpos($page, "/"); + if ($test !== false && $test == 0) { + $page = substr($page, 1); + } + /* look for a match */ + foreach ($matches as $match) { + /* possibly ignore full wildcard match */ + if (!$fullwc && !strcmp($match , "*")) { + continue; + } + /* compare exact or wildcard match */ + $match = str_replace(array(".", "*", "?"), array("\.", ".*", "\?"), $match); + $result = preg_match("@^/{$match}$@", "/{$page}"); + if ($result) { + return true; + } + } + return false; } - function map_page_privname($page) { - global $priv_list; - - foreach ($priv_list as $pname => $pdata) { - if (strncmp($pname, "page-", 5)) { - continue; - } - $fullwc = false; - if (!strcasecmp($page, "any")||!strcmp($page, "*")) { - $fullwc 
= true; - } - if (cmp_page_matches($page, $pdata['match'], $fullwc)) { - return $pname; - } - } - - return false; + global $priv_list; + foreach ($priv_list as $pname => $pdata) { + if (strncmp($pname, "page-", 5)) { + continue; + } + $fullwc = false; + if (!strcasecmp($page, "any")||!strcmp($page, "*")) { + $fullwc = true; + } + if (cmp_page_matches($page, $pdata['match'], $fullwc)) { + return $pname; + } + } + return false; } - function get_user_privdesc(& $user) { - global $priv_list; - - $privs = array(); - - $user_privs = $user['priv']; - if (!is_array($user_privs)) { - $user_privs = array(); - } - - $names = local_user_get_groups($user, true); - - foreach ($names as $name) { - $group = getGroupEntry($name); - $group_privs = $group['priv']; - if (!is_array($group_privs)) { - continue; - } - foreach ($group_privs as $pname) { - if (in_array($pname, $user_privs)) { - continue; - } - if (!$priv_list[$pname]) { - continue; - } - $priv = $priv_list[$pname]; - $priv['group'] = $group['name']; - $privs[] = $priv; - } - } - - foreach ($user_privs as $pname) { - if ($priv_list[$pname]) { - $privs[] = $priv_list[$pname]; - } - } - - return $privs; + global $priv_list; + $privs = array(); + $user_privs = $user['priv']; + if (!is_array($user_privs)) { + $user_privs = array(); + } + $names = local_user_get_groups($user, true); + foreach ($names as $name) { + $group = getGroupEntry($name); + $group_privs = $group['priv']; + if (!is_array($group_privs)) { + continue; + } + foreach ($group_privs as $pname) { + if (in_array($pname, $user_privs)) { + continue; + } + if (!$priv_list[$pname]) { + continue; + } + $priv = $priv_list[$pname]; + $priv['group'] = $group['name']; + $privs[] = $priv; + } + } + foreach ($user_privs as $pname) { + if ($priv_list[$pname]) { + $privs[] = $priv_list[$pname]; + } + } + return $privs; } - function isAllowed($username, $page) { - global $_SESSION; - - if (!isset($username)) { - return false; - } - - /* admin/root access check */ - $user = 
getUserEntry($username); - if (isset($user)) { - if (isset($user['uid'])) { - if ($user['uid'] == 0) { - return true; - } - } - } - - /* user privilege access check */ - if (cmp_page_matches($page, $_SESSION['page-match'])) { - return true; - } - - return false; + global $_SESSION; + if (!isset($username)) { + return false; + } + /* admin/root access check */ + $user = getUserEntry($username); + if (isset($user)) { + if (isset($user['uid'])) { + if ($user['uid'] == 0) { + return true; + } + } + } + /* user privilege access check */ + if (cmp_page_matches($page, $_SESSION['page-match'])) { + return true; + } + return false; } - - function isAllowedPage($page) { - global $_SESSION; - - - $username = $_SESSION['Username']; - - if (!isset($username)) { - return false; - } - - /* admin/root access check */ - $user = getUserEntry($username); - if (isset($user)) { - if (isset($user['uid'])) { - if ($user['uid'] == 0) { - return true; - } - } - } - - /* user privilege access check */ - return cmp_page_matches($page, $_SESSION['page-match']); + global $_SESSION; + $username = $_SESSION['Username']; + if (!isset($username)) { + return false; + } + /* admin/root access check */ + $user = getUserEntry($username); + if (isset($user)) { + if (isset($user['uid'])) { + if ($user['uid'] == 0) { + return true; + } + } + } + /* user privilege access check */ + return cmp_page_matches($page, $_SESSION['page-match']); } - function getPrivPages(& $entry, & $allowed_pages) { - global $priv_list; - - if (!is_array($entry['priv'])) { - return; - } - - foreach ($entry['priv'] as $pname) { - if (strncmp($pname, "page-", 5)) { - continue; - } - $priv = &$priv_list[$pname]; - if (!is_array($priv)) { - continue; - } - $matches = &$priv['match']; - if (!is_array($matches)) { - continue; - } - foreach ($matches as $match) { - $allowed_pages[] = $match; - } - } + global $priv_list; + if (!is_array($entry['priv'])) { + return; + } + foreach ($entry['priv'] as $pname) { + if (strncmp($pname, 
"page-", 5)) { + continue; + } + $priv = &$priv_list[$pname]; + if (!is_array($priv)) { + continue; + } + $matches = &$priv['match']; + if (!is_array($matches)) { + continue; + } + foreach ($matches as $match) { + $allowed_pages[] = $match; + } + } } - function getAllowedPages($username, &$attributes = array()) { - global $config, $_SESSION; - - if (!function_exists("ldap_connect")) { - return; - } - - $allowed_pages = array(); - $allowed_groups = array(); - - $authcfg = auth_get_authserver($config['system']['webgui']['authmode']); - // obtain ldap groups if we are in ldap mode - if ($authcfg['type'] == "ldap") { + global $config, $_SESSION; + if (!function_exists("ldap_connect")) { + return; + } + $allowed_pages = array(); + $allowed_groups = array(); + if ($_SESSION['remoteauth']) { + $authcfg = auth_get_authserver($config['system']['webgui']['authmode']); + // obtain ldap groups if we are in ldap mode + if ($authcfg['type'] == "ldap") { if ( !isset($_SESSION["ldap_allowed_groups"]) ) { - $allowed_groups = @ldap_get_groups($username, $authcfg); + $allowed_groups = @ldap_get_groups($username, $authcfg); $_SESSION["ldap_allowed_groups"] = $allowed_groups; } else { $allowed_groups = $_SESSION["ldap_allowed_groups"]; } - } elseif ($authcfg['type'] == "radius") { + } elseif ($authcfg['type'] == "radius") { if ( !isset($_SESSION["radius_allowed_groups"]) ) { $allowed_groups = @radius_get_groups($attributes); $_SESSION["radius_allowed_groups"] = $allowed_groups; } else { $allowed_groups = $_SESSION["radius_allowed_groups"]; } - } - if (!$allowed_groups) { - // search for a local user by name - $local_user = getUserEntry($username); - - // obtain local user pages and groups if we have a local user - if ($local_user) { - getPrivPages($local_user, $allowed_pages); - $allowed_groups = local_user_get_groups($local_user); - } - } - - // build a list of allowed pages - if (is_array($config['system']['group']) && is_array($allowed_groups)) { - foreach 
($config['system']['group'] as $group) { - if (in_array($group['name'], $allowed_groups)) { - getPrivPages($group, $allowed_pages); - } - } - } - -// $dbg_pages = implode(",", $allowed_pages); -// $dbg_groups = implode(",", $allowed_groups); -// log_error("debug: user {$username} groups = {$dbg_groups}"); -// log_error("debug: user {$username} pages = {$dbg_pages}"); - - $_SESSION['page-match'] = $allowed_pages; - - return $allowed_pages; + } + } + if (!$allowed_groups) { + // search for a local user by name + $local_user = getUserEntry($username); + // obtain local user pages and groups if we have a local user + if ($local_user) { + getPrivPages($local_user, $allowed_pages); + $allowed_groups = local_user_get_groups($local_user); + } + } + // build a list of allowed pages + if (is_array($config['system']['group']) && is_array($allowed_groups)) { + foreach ($config['system']['group'] as $group) { + if (in_array($group['name'], $allowed_groups)) { + getPrivPages($group, $allowed_pages); + } + } + } +// $dbg_pages = implode(",", $allowed_pages); +// $dbg_groups = implode(",", $allowed_groups); +// log_error("debug: user {$username} groups = {$dbg_groups}"); +// log_error("debug: user {$username} pages = {$dbg_pages}"); + $_SESSION['page-match'] = $allowed_pages; + return $allowed_pages; } - function sort_user_privs($privs) { - // Privileges to place first, to redirect properly. - $priority_privs = array("page-dashboard-all", "page-system-login-logout"); - - $fprivs = array_intersect($privs, $priority_privs); - $sprivs = array_diff($privs, $priority_privs); - - return array_merge($fprivs, $sprivs); + // Privileges to place first, to redirect properly. + $priority_privs = array("page-dashboard-all", "page-system-login-logout"); + $fprivs = array_intersect($privs, $priority_privs); + $sprivs = array_diff($privs, $priority_privs); + return array_merge($fprivs, $sprivs); } ?> -- cgit v1.1 From 745b809582596e07b75ed2023737b27ea51631fa Mon Sep 17 00:00:00 2001 
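Review bot: This hunk re-indents the whole of priv.inc and swaps the license header back in the same change that restores the `if ($_SESSION['remoteauth'])` guard around the cached group lookup, so the one functional change is buried in several hundred lines of whitespace churn. Splitting the reindent into its own commit (the series already carries a separate "Fix indentation" commit) would let the guard change be reviewed on its own. The carried-over `ldap_allowed_groups`/`radius_allowed_groups` entries still have no lifetime and are still tested with `isset()`, so a stored `false` or empty result is reused for the rest of the session.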
From: scherma Date: Tue, 3 Jan 2017 22:18:50 +0000 Subject: Cache authentication for a short time Currently there is an authentication lookup for every GET; a single page load can cause dozens of lookups and hundreds of lines of logs (and continuous logs in the case of pages with widgets). This change allows pfsense to remember authentication, but forces recheck after a short time in case of access revocations/changes. --- src/etc/inc/priv.inc | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/src/etc/inc/priv.inc b/src/etc/inc/priv.inc index 14dd7e4..a724b07 100644 --- a/src/etc/inc/priv.inc +++ b/src/etc/inc/priv.inc 
@@ -224,20 +224,26 @@ function getAllowedPages($username, &$attributes = array()) { $allowed_groups = array(); if ($_SESSION['remoteauth']) { $authcfg = auth_get_authserver($config['system']['webgui']['authmode']); + // cache auth results for a short time to prevent hammering auth services & logs + $recheck_time = 30; // obtain ldap groups if we are in ldap mode if ($authcfg['type'] == "ldap") { - if ( !isset($_SESSION["ldap_allowed_groups"]) ) { + if ( isset($_SESSION["ldap_allowed_groups"]) && + ( time() <= $_SESSION["auth_check_time"]+ $recheck_time) ) { + $allowed_groups = $_SESSION["ldap_allowed_groups"]; + } else { $allowed_groups = @ldap_get_groups($username, $authcfg); $_SESSION["ldap_allowed_groups"] = $allowed_groups; - } else { - $allowed_groups = $_SESSION["ldap_allowed_groups"]; + $_SESSION["auth_check_time"] = time(); } } elseif ($authcfg['type'] == "radius") { - if ( !isset($_SESSION["radius_allowed_groups"]) ) { + if ( isset($_SESSION["radius_allowed_groups"]) && + (time() <= $_SESSION["auth_check_time"] + $recheck_time) ) { + $allowed_groups = $_SESSION["radius_allowed_groups"]; + } else { $allowed_groups = @radius_get_groups($attributes); $_SESSION["radius_allowed_groups"] = $allowed_groups; - } else { - $allowed_groups = $_SESSION["radius_allowed_groups"]; + $_SESSION["auth_check_time"] = time(); } } } -- cgit v1.1 From 02b8b883c1a463f1f39c6c92ab52bd26146ca381 Mon Sep 17 00:00:00 2001 From: scherma Date: Tue, 3 Jan 2017 22:26:34 +0000 Subject: Cache authentication for a short time Currently there is an authentication lookup for every GET; a single page load can cause dozens of lookups and hundreds of lines of logs (and continuous logs in the case of pages with widgets). This change allows pfsense to remember authentication, but forces recheck after a short time in case of access revocations/changes. --- src/etc/inc/priv.inc | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) 
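Review bot: The new cache condition reads `$_SESSION["auth_check_time"]` whenever `ldap_allowed_groups` is set, but a session that stored groups before this change (or any path that sets the groups without the timestamp) has no such key, so the comparison raises a notice and only incidentally falls through to a recheck; include the timestamp in the guard: `if (isset($_SESSION["ldap_allowed_groups"], $_SESSION["auth_check_time"]) && (time() <= $_SESSION["auth_check_time"] + $recheck_time)) {`, and likewise for the RADIUS branch. A `false` from the suppressed lookup is still cached for the full window, so caching only a non-empty result would keep a transient directory error from pinning the local-user fallback. The trade-off deserves a comment where `$recheck_time` is set, e.g. `// group membership is trusted for $recheck_time seconds; revocations on the auth server take effect only after that`. The `@@ -270` hunk in the next commit applies the same change against the older base and has the same gaps; `getAllowedPages()` continues outside the hunk.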
diff --git a/src/etc/inc/priv.inc b/src/etc/inc/priv.inc index c430ced..117cf4a 100644 --- a/src/etc/inc/priv.inc +++ b/src/etc/inc/priv.inc @@ -270,11 +270,28 @@ function getAllowedPages($username, &$attributes = array()) { if ($_SESSION['remoteauth']) { $authcfg = auth_get_authserver($config['system']['webgui']['authmode']); // obtain ldap groups if we are in ldap mode - if ($authcfg['type'] == "ldap") { - $allowed_groups = @ldap_get_groups($username, $authcfg); - } elseif ($authcfg['type'] == "radius") { - $allowed_groups = @radius_get_groups($attributes); - } + // cache auth results for a short time to prevent hammering auth services & logs + $recheck_time = 30; + // obtain ldap groups if we are in ldap mode + if ($authcfg['type'] == "ldap") { + if ( isset($_SESSION["ldap_allowed_groups"]) && + ( time() <= $_SESSION["auth_check_time"]+ $recheck_time) ) { + $allowed_groups = $_SESSION["ldap_allowed_groups"]; + } else { + $allowed_groups = @ldap_get_groups($username, $authcfg); + $_SESSION["ldap_allowed_groups"] = $allowed_groups; + $_SESSION["auth_check_time"] = time(); + } + } elseif ($authcfg['type'] == "radius") { + if ( isset($_SESSION["radius_allowed_groups"]) && + (time() <= $_SESSION["auth_check_time"] + $recheck_time) ) { + $allowed_groups = $_SESSION["radius_allowed_groups"]; + } else { + $allowed_groups = @radius_get_groups($attributes); + $_SESSION["radius_allowed_groups"] = $allowed_groups; + $_SESSION["auth_check_time"] = time(); + } + } } if (!$allowed_groups) { // search for a local user by name -- cgit v1.1 From 6240c8fe88033e5cb5bbcbf8b68b0020de8ef5a6 Mon Sep 17 00:00:00 2001 From: scherma Date: Tue, 3 Jan 2017 23:06:10 +0000 Subject: Override default timer if set in system config --- src/etc/inc/priv.inc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/etc/inc/priv.inc b/src/etc/inc/priv.inc index 117cf4a..39a71f9 100644 --- a/src/etc/inc/priv.inc +++ b/src/etc/inc/priv.inc 
@@ -272,6 +272,9 @@ function getAllowedPages($username, &$attributes = array()) { // obtain ldap groups if we are in ldap mode // cache auth results for a short time to prevent hammering auth services & logs $recheck_time = 30; + if (isset($config['system']['webgui']['auth_refresh_time'])) { + $recheck_time = $config['system']['webgui']['auth_refresh_time']; + } // obtain ldap groups if we are in ldap mode if ($authcfg['type'] == "ldap") { if ( isset($_SESSION["ldap_allowed_groups"]) && -- cgit v1.1 From 457c4151266e9a8a7ce5576275abe5c9212502e0 Mon Sep 17 00:00:00 2001 From: scherma Date: Tue, 3 Jan 2017 23:16:25 +0000 Subject: GUI auth refresh timer preference --- src/usr/local/www/system_usermanager_settings.php | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/usr/local/www/system_usermanager_settings.php b/src/usr/local/www/system_usermanager_settings.php index 5a4e322..aa2c94c 100644 --- a/src/usr/local/www/system_usermanager_settings.php +++ b/src/usr/local/www/system_usermanager_settings.php @@ -146,6 +146,12 @@ if ($_POST) { unset($config['system']['webgui']['authmode']); } + if (isset($_POST['auth_refresh_time']) && $_POST['auth_refresh_time'] != "") { + $config['system']['webgui']['auth_refresh_time'] = intval($_POST['auth_refresh_time']); + } else { + unset($config['system']['webgui']['auth_refresh_time']); + } + write_config(); } @@ -199,6 +205,15 @@ $section->addInput(new Form_Select( $auth_servers )); +$section->addInput(new Form_Input( + 'auth_refresh_time', + 'Auth Refresh Time', + 'number', + $pconfig['auth_refresh_time'], + ['min' => 0, 'max' => 3600] +))->setHelp('Time in seconds to cache authentication results. The default is 30 seconds, maximum 3600 (one hour). '. + 'Shorter times result in more frequent queries to auth services, and more logs generated.'); + $form->addGlobal(new Form_Button( 'savetest', 'Save & Test', -- cgit v1.1 From 47ec605dc39fb0e3f1d4360dbcd35def43e33999 Mon Sep 17 00:00:00 2001 
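Review bot: `intval($_POST['auth_refresh_time'])` is written straight into the config with no server-side range check; the `['min' => 0, 'max' => 3600]` passed to Form_Input only becomes an HTML attribute and does not constrain what a client submits. Because priv.inc adds this value to the session timestamp, an oversized value keeps cached directory groups valid for the rest of the session so revoked access is never re-checked, while a negative value silently disables the cache. Validate before the assignment, e.g. `if (!is_numericint($_POST['auth_refresh_time']) || $_POST['auth_refresh_time'] < 0 || $_POST['auth_refresh_time'] > 3600) { $input_errors[] = gettext("Auth Refresh Time must be an integer between 0 and 3600."); }` (the page's `$input_errors` handling, if present, is outside this hunk). The identical hunk is committed again in the next commit on this page (47ec605) and the duplicate is removed further down (c6aca57), so the check is needed once.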
From: scherma Date: Tue, 3 Jan 2017 23:23:02 +0000 Subject: Enable setting auth refresh time in GUI --- src/usr/local/www/system_usermanager_settings.php | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/usr/local/www/system_usermanager_settings.php b/src/usr/local/www/system_usermanager_settings.php index 5a4e322..865e496 100644 --- a/src/usr/local/www/system_usermanager_settings.php +++ b/src/usr/local/www/system_usermanager_settings.php @@ -145,6 +145,12 @@ if ($_POST) { } else { unset($config['system']['webgui']['authmode']); } + + if (isset($_POST['auth_refresh_time']) && $_POST['auth_refresh_time'] != "") { + $config['system']['webgui']['auth_refresh_time'] = intval($_POST['auth_refresh_time']); + } else { + unset($config['system']['webgui']['auth_refresh_time']); + } write_config(); @@ -199,6 +205,15 @@ $section->addInput(new Form_Select( $auth_servers )); +$section->addInput(new Form_Input( + 'auth_refresh_time', + 'Auth Refresh Time', + 'number', + $pconfig['auth_refresh_time'], + ['min' => 0, 'max' => 3600] +))->setHelp('Time in seconds to cache authentication results. The default is 30 seconds, maximum 3600 (one hour). '. + 'Shorter times result in more frequent queries to auth services, and more logs generated.'); + $form->addGlobal(new Form_Button( 'savetest', 'Save & Test', -- cgit v1.1 From 4034876f859528df937d46dae5cffcb3b057a12c Mon Sep 17 00:00:00 2001 From: scherma Date: Tue, 3 Jan 2017 23:31:36 +0000 Subject: Fix indentation --- src/etc/inc/priv.inc | 421 ++++++++++++++++++++++++++++----------------------- 1 file changed, 233 insertions(+), 188 deletions(-) diff --git a/src/etc/inc/priv.inc b/src/etc/inc/priv.inc index 6134c8a..00c93c3 100644 --- a/src/etc/inc/priv.inc +++ b/src/etc/inc/priv.inc 
@@ -22,199 +22,241 @@ * See the License for the specific language governing permissions and * limitations under the License. */ + require_once("priv.defs.inc"); + /* Load and process custom privs. */ function get_priv_files($directory) { - $dir_array = array(); - if (!is_dir($directory)) { - return; - } - if ($dh = opendir($directory)) { - while (($file = readdir($dh)) !== false) { - $canadd = 0; - if ($file == ".") { - $canadd = 1; - } - if ($file == "..") { - $canadd = 1; - } - if ($canadd == 0) { - array_push($dir_array, $file); - } - } - closedir($dh); - } - if (!is_array($dir_array)) { - return; - } - return $dir_array; + $dir_array = array(); + if (!is_dir($directory)) { + return; + } + if ($dh = opendir($directory)) { + while (($file = readdir($dh)) !== false) { + $canadd = 0; + if ($file == ".") { + $canadd = 1; + } + if ($file == "..") { + $canadd = 1; + } + if ($canadd == 0) { + array_push($dir_array, $file); + } + } + closedir($dh); + } + if (!is_array($dir_array)) { + return; + } + return $dir_array; } + // Load and sort privs $dir_array = get_priv_files("/etc/inc/priv"); foreach ($dir_array as $file) { - if (!is_dir("/etc/inc/priv/{$file}") && stristr($file, ".inc")) { - include_once("/etc/inc/priv/{$file}"); - } + if (!is_dir("/etc/inc/priv/{$file}") && stristr($file, ".inc")) { + include_once("/etc/inc/priv/{$file}"); + } } if (is_dir("/usr/local/pkg/priv")) { - $dir_array = get_priv_files("/usr/local/pkg/priv"); - foreach ($dir_array as $file) { - if (!is_dir("/usr/local/pkg/priv/{$file}") && stristr($file, ".inc")) { - include_once("/usr/local/pkg/priv/{$file}"); - } - } + $dir_array = get_priv_files("/usr/local/pkg/priv"); + foreach ($dir_array as $file) { + if (!is_dir("/usr/local/pkg/priv/{$file}") && stristr($file, ".inc")) { + include_once("/usr/local/pkg/priv/{$file}"); + } + } } + if (is_array($priv_list)) { - sort_privs($priv_list); + sort_privs($priv_list); } + function cmp_privkeys($a, $b) { - /* user privs at the top */ - $auser = 
strncmp("user-", $a, 5); - $buser = strncmp("user-", $b, 5); - if ($auser != $buser) { - return $auser - $buser; - } - /* name compare others */ - return strcasecmp($a, $b); + /* user privs at the top */ + $auser = strncmp("user-", $a, 5); + $buser = strncmp("user-", $b, 5); + if ($auser != $buser) { + return $auser - $buser; + } + + /* name compare others */ + return strcasecmp($a, $b); } + function sort_privs(& $privs) { - uksort($privs, "cmp_privkeys"); + uksort($privs, "cmp_privkeys"); } + function cmp_page_matches($page, & $matches, $fullwc = true) { -// $dbg_matches = implode(",", $matches); -// log_error("debug: checking page {$page} match with {$dbg_matches}"); - if (!is_array($matches)) { - return false; - } - /* skip any leading fwdslash */ - $test = strpos($page, "/"); - if ($test !== false && $test == 0) { - $page = substr($page, 1); - } - /* look for a match */ - foreach ($matches as $match) { - /* possibly ignore full wildcard match */ - if (!$fullwc && !strcmp($match , "*")) { - continue; - } - /* compare exact or wildcard match */ - $match = str_replace(array(".", "*", "?"), array("\.", ".*", "\?"), $match); - $result = preg_match("@^/{$match}$@", "/{$page}"); - if ($result) { - return true; - } - } - return false; + +// $dbg_matches = implode(",", $matches); +// log_error("debug: checking page {$page} match with {$dbg_matches}"); + + if (!is_array($matches)) { + return false; + } + + /* skip any leading fwdslash */ + $test = strpos($page, "/"); + if ($test !== false && $test == 0) { + $page = substr($page, 1); + } + + /* look for a match */ + foreach ($matches as $match) { + + /* possibly ignore full wildcard match */ + if (!$fullwc && !strcmp($match , "*")) { + continue; + } + + /* compare exact or wildcard match */ + $match = str_replace(array(".", "*", "?"), array("\.", ".*", "\?"), $match); + $result = preg_match("@^/{$match}$@", "/{$page}"); + + if ($result) { + return true; + } + } + + return false; } + function map_page_privname($page) { - 
global $priv_list; - foreach ($priv_list as $pname => $pdata) { - if (strncmp($pname, "page-", 5)) { - continue; - } - $fullwc = false; - if (!strcasecmp($page, "any")||!strcmp($page, "*")) { - $fullwc = true; - } - if (cmp_page_matches($page, $pdata['match'], $fullwc)) { - return $pname; - } - } - return false; + global $priv_list; + + foreach ($priv_list as $pname => $pdata) { + if (strncmp($pname, "page-", 5)) { + continue; + } + $fullwc = false; + if (!strcasecmp($page, "any")||!strcmp($page, "*")) { + $fullwc = true; + } + if (cmp_page_matches($page, $pdata['match'], $fullwc)) { + return $pname; + } + } + + return false; } + function get_user_privdesc(& $user) { - global $priv_list; - $privs = array(); - $user_privs = $user['priv']; - if (!is_array($user_privs)) { - $user_privs = array(); - } - $names = local_user_get_groups($user, true); - foreach ($names as $name) { - $group = getGroupEntry($name); - $group_privs = $group['priv']; - if (!is_array($group_privs)) { - continue; - } - foreach ($group_privs as $pname) { - if (in_array($pname, $user_privs)) { - continue; - } - if (!$priv_list[$pname]) { - continue; - } - $priv = $priv_list[$pname]; - $priv['group'] = $group['name']; - $privs[] = $priv; - } - } - foreach ($user_privs as $pname) { - if ($priv_list[$pname]) { - $privs[] = $priv_list[$pname]; - } - } - return $privs; + global $priv_list; + + $privs = array(); + + $user_privs = $user['priv']; + if (!is_array($user_privs)) { + $user_privs = array(); + } + + $names = local_user_get_groups($user, true); + + foreach ($names as $name) { + $group = getGroupEntry($name); + $group_privs = $group['priv']; + if (!is_array($group_privs)) { + continue; + } + foreach ($group_privs as $pname) { + if (in_array($pname, $user_privs)) { + continue; + } + if (!$priv_list[$pname]) { + continue; + } + $priv = $priv_list[$pname]; + $priv['group'] = $group['name']; + $privs[] = $priv; + } + } + + foreach ($user_privs as $pname) { + if ($priv_list[$pname]) { + $privs[] = 
$priv_list[$pname]; + } + } + + return $privs; } + function isAllowed($username, $page) { - global $_SESSION; - if (!isset($username)) { - return false; - } - /* admin/root access check */ - $user = getUserEntry($username); - if (isset($user)) { - if (isset($user['uid'])) { - if ($user['uid'] == 0) { - return true; - } - } - } - /* user privilege access check */ - if (cmp_page_matches($page, $_SESSION['page-match'])) { - return true; - } - return false; + global $_SESSION; + + if (!isset($username)) { + return false; + } + + /* admin/root access check */ + $user = getUserEntry($username); + if (isset($user)) { + if (isset($user['uid'])) { + if ($user['uid'] == 0) { + return true; + } + } + } + + /* user privilege access check */ + if (cmp_page_matches($page, $_SESSION['page-match'])) { + return true; + } + + return false; } + + function isAllowedPage($page) { - global $_SESSION; - $username = $_SESSION['Username']; - if (!isset($username)) { - return false; - } - /* admin/root access check */ - $user = getUserEntry($username); - if (isset($user)) { - if (isset($user['uid'])) { - if ($user['uid'] == 0) { - return true; - } - } - } - /* user privilege access check */ - return cmp_page_matches($page, $_SESSION['page-match']); + global $_SESSION; + + + $username = $_SESSION['Username']; + + if (!isset($username)) { + return false; + } + + /* admin/root access check */ + $user = getUserEntry($username); + if (isset($user)) { + if (isset($user['uid'])) { + if ($user['uid'] == 0) { + return true; + } + } + } + + /* user privilege access check */ + return cmp_page_matches($page, $_SESSION['page-match']); } + function getPrivPages(& $entry, & $allowed_pages) { - global $priv_list; - if (!is_array($entry['priv'])) { - return; - } - foreach ($entry['priv'] as $pname) { - if (strncmp($pname, "page-", 5)) { - continue; - } - $priv = &$priv_list[$pname]; - if (!is_array($priv)) { - continue; - } - $matches = &$priv['match']; - if (!is_array($matches)) { - continue; - } - foreach 
($matches as $match) { - $allowed_pages[] = $match; - } - } + global $priv_list; + + if (!is_array($entry['priv'])) { + return; + } + + foreach ($entry['priv'] as $pname) { + if (strncmp($pname, "page-", 5)) { + continue; + } + $priv = &$priv_list[$pname]; + if (!is_array($priv)) { + continue; + } + $matches = &$priv['match']; + if (!is_array($matches)) { + continue; + } + foreach ($matches as $match) { + $allowed_pages[] = $match; + } + } } + function getAllowedPages($username, &$attributes = array()) { global $config, $_SESSION; 
@@ -227,32 +269,32 @@ function getAllowedPages($username, &$attributes = array()) { if ($_SESSION['remoteauth']) { $authcfg = auth_get_authserver($config['system']['webgui']['authmode']); - // obtain ldap groups if we are in ldap mode - // cache auth results for a short time to prevent hammering auth services & logs + // cache auth results for a short time to prevent hammering auth services & logs $recheck_time = 30; - if (isset($config['system']['webgui']['auth_refresh_time'])) { - $recheck_time = $config['system']['webgui']['auth_refresh_time']; + if (isset($config['system']['webgui']['auth_refresh_time'])) { + $recheck_time = $config['system']['webgui']['auth_refresh_time']; } - // obtain ldap groups if we are in ldap mode - if ($authcfg['type'] == "ldap") { - if ( isset($_SESSION["ldap_allowed_groups"]) && - ( time() <= $_SESSION["auth_check_time"]+ $recheck_time) ) { - $allowed_groups = $_SESSION["ldap_allowed_groups"]; - } else { - $allowed_groups = @ldap_get_groups($username, $authcfg); - $_SESSION["ldap_allowed_groups"] = $allowed_groups; - $_SESSION["auth_check_time"] = time(); - } + // obtain ldap groups if we are in ldap mode + if ($authcfg['type'] == "ldap") { + if ( isset($_SESSION["ldap_allowed_groups"]) && + ( time() <= $_SESSION["auth_check_time"]+ $recheck_time) ) { + $allowed_groups = $_SESSION["ldap_allowed_groups"]; + } else { + $allowed_groups = @ldap_get_groups($username, $authcfg); + $_SESSION["ldap_allowed_groups"] = $allowed_groups; + $_SESSION["auth_check_time"] = time(); + } } elseif ($authcfg['type'] == "radius") { if ( isset($_SESSION["radius_allowed_groups"]) && (time() <= $_SESSION["auth_check_time"] + $recheck_time) ) { $allowed_groups = $_SESSION["radius_allowed_groups"]; - } else { - $allowed_groups = @radius_get_groups($attributes); - $_SESSION["radius_allowed_groups"] = $allowed_groups; + } else { + $allowed_groups = @radius_get_groups($attributes); + $_SESSION["radius_allowed_groups"] = $allowed_groups; 
$_SESSION["auth_check_time"] = time(); - } + } } + } if (!$allowed_groups) { // search for a local user by name @@ -283,11 +325,14 @@ function getAllowedPages($username, &$attributes = array()) { return $allowed_pages; } + function sort_user_privs($privs) { - // Privileges to place first, to redirect properly. - $priority_privs = array("page-dashboard-all", "page-system-login-logout"); - $fprivs = array_intersect($privs, $priority_privs); - $sprivs = array_diff($privs, $priority_privs); - return array_merge($fprivs, $sprivs); + // Privileges to place first, to redirect properly. + $priority_privs = array("page-dashboard-all", "page-system-login-logout"); + + $fprivs = array_intersect($privs, $priority_privs); + $sprivs = array_diff($privs, $priority_privs); + + return array_merge($fprivs, $sprivs); } ?> -- cgit v1.1 From cc38ae2d937ad4013a5c6691ea37dc8a1007d338 Mon Sep 17 00:00:00 2001 From: jim-p Date: Tue, 3 Jan 2017 19:42:37 -0500 Subject: Build net-snmp for experimentation purposes. --- tools/conf/pfPorts/make.conf | 3 +++ tools/conf/pfPorts/poudriere_bulk | 1 + 2 files changed, 4 insertions(+) diff --git a/tools/conf/pfPorts/make.conf b/tools/conf/pfPorts/make.conf index 8eb39f7..2a66c9d 100644 --- a/tools/conf/pfPorts/make.conf +++ b/tools/conf/pfPorts/make.conf @@ -139,3 +139,6 @@ mail_postfix_SET_FORCE=PCRE SASL2 SPF TLS PERL shells_scponly_SET_FORCE=CHROOT SCP WILDCARDS WINSCP shells_scponly_UNSET_FORCE=DEFAULT_CHDIR DOCS GFTP RSYNC SVN SVNSERVE UNISON + +net-mgmt_net-snmp_SET_FORCE=IPV6 MFD_REWRITES +net-mgmt_net-snmp_UNSET_FORCE=AX_DISABLE_TRAP AX_SOCKONLY DOCS DUMMY JAIL MYSQL PERL PERL_EMBEDDED PYTHON SMUX TKMIB UNPRIVILEGED diff --git a/tools/conf/pfPorts/poudriere_bulk b/tools/conf/pfPorts/poudriere_bulk index 841ba47..60ab122 100644 --- a/tools/conf/pfPorts/poudriere_bulk +++ b/tools/conf/pfPorts/poudriere_bulk 
@@ -16,6 +16,7 @@ net/trafshow net/trafshow3 net/vnstat net-mgmt/dhcp_probe +net-mgmt/net-snmp sysutils/htop sysutils/grub2-bhyve sysutils/pstree -- cgit v1.1 From b743ea87552124be92c2b4de014c06a160ba3ef7 Mon Sep 17 00:00:00 2001 From: jim-p Date: Tue, 3 Jan 2017 21:35:20 -0500 Subject: Add some more help text to OpenVPN pages. --- src/etc/inc/openvpn.inc | 5 ++++- src/usr/local/www/vpn_openvpn_client.php | 34 +++++++++++++++++--------------- src/usr/local/www/vpn_openvpn_server.php | 9 +++++---- 3 files changed, 27 insertions(+), 21 deletions(-) diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc index f46d3b3..69fb804 100644 --- a/src/etc/inc/openvpn.inc +++ b/src/etc/inc/openvpn.inc @@ -43,7 +43,10 @@ $openvpn_prots = array( ); global $openvpn_dev_mode; -$openvpn_dev_mode = array("tun", "tap"); +$openvpn_dev_mode = array( + "tun" => "tun - Layer 3 Tunnel Mode", + "tap" => "tap - Layer 2 Tap Mode" +); global $openvpn_verbosity_level; $openvpn_verbosity_level = array( diff --git a/src/usr/local/www/vpn_openvpn_client.php b/src/usr/local/www/vpn_openvpn_client.php index e92d99f..467e198 100644 --- a/src/usr/local/www/vpn_openvpn_client.php +++ b/src/usr/local/www/vpn_openvpn_client.php @@ -463,15 +463,16 @@ if ($act=="new" || $act=="edit"): 'dev_mode', 'Device mode', empty($pconfig['dev_mode']) ? 'tun':$pconfig['dev_mode'], - array_combine($openvpn_dev_mode, $openvpn_dev_mode) - )); + $openvpn_dev_mode + ))->setHelp("\"tun\" mode carries IPv4 and IPv6 (OSI layer 3) and is the most common and compatible mode across all platforms." . + "
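Review bot: `$openvpn_dev_mode` changes from a list of mode names to a map of name => label, so any other consumer of this global that still treats its values as mode names — an `in_array($pconfig['dev_mode'], $openvpn_dev_mode)` validation or a loop over its values, none of which is visible here — would now compare against the labels and reject valid input. Only the two `array_combine` call sites shown on this page are updated; other users of the global should be checked and switched to `array_keys($openvpn_dev_mode)` where they need the names. A comment at the definition, `/* keys are the OpenVPN dev-mode names; values are GUI labels only */`, would make that contract explicit.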
\"tap\" mode is capable of carrying 802.3 (OSI Layer 2.)"); $section->addInput(new Form_Select( 'interface', 'Interface', $pconfig['interface'], openvpn_build_if_list() - )); + ))->setHelp("The interface used by the firewall to originate this OpenVPN client connection"); $section->addInput(new Form_Input( 'local_port', @@ -486,21 +487,30 @@ if ($act=="new" || $act=="edit"): 'Server host or address', 'text', $pconfig['server_addr'] - )); + ))->setHelp("The IP address or hostname of the OpenVPN server."); + + $section->addInput(new Form_Checkbox( + 'resolve_retry', + 'Server hostname resolution', + 'Infinitely resolve server ', + $pconfig['resolve_retry'] + ))->setHelp('Continuously attempt to resolve the server host name. ' . + 'Useful when communicating with a server that is not permanently connected to the Internet.'); $section->addInput(new Form_Input( 'server_port', 'Server port', 'number', $pconfig['server_port'] - )); + ))->setHelp("The port used by the server to receive client connections."); $section->addInput(new Form_Input( 'proxy_addr', 'Proxy host or address', 'text', $pconfig['proxy_addr'] - )); + ))->setHelp("The address for an HTTP Proxy this client can use to connect to a remote server." . + "
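Review bot: The new `->setHelp(...)` strings in this hunk (and in the later hunks of this file and of vpn_openvpn_server.php) are plain double-quoted literals, while the option labels on the same form go through `gettext()`; for consistency and translation the help text should be wrapped the same way, e.g. `->setHelp(gettext("The interface used by the firewall to originate this OpenVPN client connection"))`. The device-mode description is split across two concatenated literals; if a markup line break sits between them it is not visible in this rendering, so confirm the separator survived. The enclosing `if ($act=="new" || $act=="edit")` block starts and ends outside the hunk.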
TCP must be used for the client and server protocol."); $section->addInput(new Form_Input( 'proxy_port', @@ -511,10 +521,10 @@ if ($act=="new" || $act=="edit"): $section->addInput(new Form_Select( 'proxy_authtype', - 'Proxy Auth. - Extra options', + 'Proxy Authentication', $pconfig['proxy_authtype'], array('none' => gettext('none'), 'basic' => gettext('basic'), 'ntlm' => gettext('ntlm')) - )); + ))->setHelp("The type of authentication used by the proxy server."); $section->addInput(new Form_Input( 'proxy_user', @@ -530,14 +540,6 @@ if ($act=="new" || $act=="edit"): $pconfig['proxy_passwd'] )); - $section->addInput(new Form_Checkbox( - 'resolve_retry', - 'Server hostname resolution', - 'Infinitely resolve server ', - $pconfig['resolve_retry'] - ))->setHelp('Continuously attempt to resolve the server host name. ' . - 'Useful when communicating with a server that is not permanently connected to the Internet.'); - $section->addInput(new Form_Input( 'description', 'Description', diff --git a/src/usr/local/www/vpn_openvpn_server.php b/src/usr/local/www/vpn_openvpn_server.php index 7cb744b..c53197a 100644 --- a/src/usr/local/www/vpn_openvpn_server.php +++ b/src/usr/local/www/vpn_openvpn_server.php @@ -671,15 +671,16 @@ if ($act=="new" || $act=="edit"): 'dev_mode', 'Device mode', empty($pconfig['dev_mode']) ? 'tun':$pconfig['dev_mode'], - array_combine($openvpn_dev_mode, $openvpn_dev_mode) - )); + $openvpn_dev_mode + ))->setHelp("\"tun\" mode carries IPv4 and IPv6 (OSI layer 3) and is the most common and compatible mode across all platforms." . + "
\"tap\" mode is capable of carrying 802.3 (OSI Layer 2.)"); $section->addInput(new Form_Select( 'interface', 'Interface', $pconfig['interface'], openvpn_build_if_list() - )); + ))->setHelp("The interface or Virtual IP address where OpenVPN will receive client connections."); $section->addInput(new Form_Input( 'local_port', @@ -687,7 +688,7 @@ if ($act=="new" || $act=="edit"): 'number', $pconfig['local_port'], ['min' => '0'] - )); + ))->setHelp("The port used by OpenVPN to receive client connections."); $section->addInput(new Form_Input( 'description', -- cgit v1.1 From 61d1ca3e0ffb0fb6a397edb8ca5d88f039787140 Mon Sep 17 00:00:00 2001 From: Phil Davis Date: Wed, 4 Jan 2017 15:30:45 +0545 Subject: Make appropriate success or danger boxes in system_crlmanager When there is a problem, the messages should be in a "danger" box. Note: It is a bit difficult to actual get the danger messages to appear in the UI, because the relevant "delete" buttons are not shown in the UI when delete is not valid. But it can be tested by starting to edit a CRL that is in use, then change the "edit=" to "del=" in the URL bar and send it. --- src/usr/local/www/system_crlmanager.php | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/usr/local/www/system_crlmanager.php b/src/usr/local/www/system_crlmanager.php index 58ea4cd..f5d3b3d 100644 --- a/src/usr/local/www/system_crlmanager.php +++ b/src/usr/local/www/system_crlmanager.php @@ -82,12 +82,14 @@ if (!$thiscrl && (($act != "") && ($act != "new"))) { pfSenseHeader("system_crlmanager.php"); $act=""; $savemsg = gettext("Invalid CRL reference."); + $class = "danger"; } if ($act == "del") { $name = htmlspecialchars($thiscrl['descr']); if (crl_in_use($id)) { $savemsg = sprintf(gettext("Certificate Revocation List %s is in use and cannot be deleted."), $name); + $class = "danger"; } else { foreach ($a_crl as $cid => $acrl) { if ($acrl['refid'] == $thiscrl['refid']) { 
@@ -96,6 +98,7 @@ if ($act == "del") { } write_config("Deleted CRL {$name}."); $savemsg = sprintf(gettext("Certificate Revocation List %s successfully deleted."), $name); + $class = "success"; } } @@ -177,12 +180,14 @@ if ($act == "delcert") { $crlname = htmlspecialchars($thiscrl['descr']); if (cert_unrevoke($thiscert, $thiscrl)) { $savemsg = sprintf(gettext("Deleted Certificate %s from CRL %s."), $certname, $crlname); + $class = "success"; // refresh IPsec and OpenVPN CRLs openvpn_refresh_crls(); vpn_ipsec_configure(); write_config($savemsg); } else { $savemsg = sprintf(gettext("Failed to delete Certificate %s from CRL %s."), $certname, $crlname); + $class = "danger"; } $act="edit"; } @@ -327,7 +332,7 @@ if ($input_errors) { } if ($savemsg) { - print_info_box($savemsg, 'success'); + print_info_box($savemsg, $class); } $tab_array = array(); -- cgit v1.1 From 24a4f2ef15a09740a1c13850f85dc345f08cd653 Mon Sep 17 00:00:00 2001 From: Phil Davis Date: Wed, 4 Jan 2017 15:37:39 +0545 Subject: Remove unused print_info_box($savemsg) These are files that make no use of $savemsg. May as well remove the print_info_box($savemsg) to avoid future confusion for maintainers wondering why it is there. --- src/usr/local/www/services_captiveportal.php | 4 ---- src/usr/local/www/services_captiveportal_hostname.php | 4 ---- src/usr/local/www/services_captiveportal_ip.php | 4 ---- src/usr/local/www/services_captiveportal_vouchers_edit.php | 4 ---- src/usr/local/www/services_captiveportal_zones.php | 4 ---- src/usr/local/www/services_checkip_edit.php | 4 ---- src/usr/local/www/services_dyndns_edit.php | 4 ---- src/usr/local/www/services_pppoe_edit.php | 4 ---- src/usr/local/www/services_rfc2136_edit.php | 4 ---- 9 files changed, 36 deletions(-) diff --git a/src/usr/local/www/services_captiveportal.php b/src/usr/local/www/services_captiveportal.php index 4922a07..14a9293 100644 --- a/src/usr/local/www/services_captiveportal.php +++ b/src/usr/local/www/services_captiveportal.php 
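Review bot: `print_info_box($savemsg, $class)` now depends on `$class` being set on every path that sets `$savemsg`, but `$class` is assigned only in the branches touched by this commit and is never initialised; any other assignment to `$savemsg` in this file (not visible here) would reach the call with an undefined variable, producing a notice and an info box with no severity class. Initialising it alongside the message, `$class = 'success';` where `$savemsg` is first declared, or calling `print_info_box($savemsg, isset($class) ? $class : 'success');`, preserves the previous behaviour for those paths. The only assignments visible are in the @@ -82 and @@ -177 hunks and here.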
@@ -512,10 +512,6 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); -} - $tab_array = array(); $tab_array[] = array(gettext("Configuration"), true, "services_captiveportal.php?zone={$cpzone}"); $tab_array[] = array(gettext("MACs"), false, "services_captiveportal_mac.php?zone={$cpzone}"); diff --git a/src/usr/local/www/services_captiveportal_hostname.php b/src/usr/local/www/services_captiveportal_hostname.php index d93dd79..433f5b9 100644 --- a/src/usr/local/www/services_captiveportal_hostname.php +++ b/src/usr/local/www/services_captiveportal_hostname.php @@ -98,10 +98,6 @@ if ($_GET['act'] == "del" && !empty($cpzone) && isset($cpzoneid)) { include("head.inc"); -if ($savemsg) { - print_info_box($savemsg, 'success'); -} - $tab_array = array(); $tab_array[] = array(gettext("Configuration"), false, "services_captiveportal.php?zone={$cpzone}"); $tab_array[] = array(gettext("MACs"), false, "services_captiveportal_mac.php?zone={$cpzone}"); diff --git a/src/usr/local/www/services_captiveportal_ip.php b/src/usr/local/www/services_captiveportal_ip.php index b2da179..0a729eb 100644 --- a/src/usr/local/www/services_captiveportal_ip.php +++ b/src/usr/local/www/services_captiveportal_ip.php @@ -92,10 +92,6 @@ if ($_GET['act'] == "del" && !empty($cpzone) && isset($cpzoneid)) { include("head.inc"); -if ($savemsg) { - print_info_box($savemsg, 'success'); -} - $tab_array = array(); $tab_array[] = array(gettext("Configuration"), false, "services_captiveportal.php?zone={$cpzone}"); $tab_array[] = array(gettext("MACs"), false, "services_captiveportal_mac.php?zone={$cpzone}"); diff --git a/src/usr/local/www/services_captiveportal_vouchers_edit.php b/src/usr/local/www/services_captiveportal_vouchers_edit.php index bad9d32..8f3e1e0 100644 --- a/src/usr/local/www/services_captiveportal_vouchers_edit.php +++ b/src/usr/local/www/services_captiveportal_vouchers_edit.php 
@@ -175,10 +175,6 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); -} - $form = new Form(); $section = new Form_Section('Voucher Rolls'); diff --git a/src/usr/local/www/services_captiveportal_zones.php b/src/usr/local/www/services_captiveportal_zones.php index 12f301c..6454a2a 100644 --- a/src/usr/local/www/services_captiveportal_zones.php +++ b/src/usr/local/www/services_captiveportal_zones.php @@ -60,10 +60,6 @@ $pgtitle = array(gettext("Services"), gettext("Captive Portal")); $shortcut_section = "captiveportal"; include("head.inc"); -if ($savemsg) { - print_info_box($savemsg, 'success'); -} - if (is_subsystem_dirty('captiveportal')) { print_apply_box(gettext("The Captive Portal entry list has been changed.") . "
" . gettext("The changes must be applied for them to take effect.")); } diff --git a/src/usr/local/www/services_checkip_edit.php b/src/usr/local/www/services_checkip_edit.php index 932366e..2774c27 100644 --- a/src/usr/local/www/services_checkip_edit.php +++ b/src/usr/local/www/services_checkip_edit.php @@ -110,10 +110,6 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); -} - $form = new Form; $section = new Form_Section('Check IP Service'); diff --git a/src/usr/local/www/services_dyndns_edit.php b/src/usr/local/www/services_dyndns_edit.php index 55860f0..ffd3cc4 100644 --- a/src/usr/local/www/services_dyndns_edit.php +++ b/src/usr/local/www/services_dyndns_edit.php @@ -244,10 +244,6 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); -} - $form = new Form; $section = new Form_Section('Dynamic DNS Client'); diff --git a/src/usr/local/www/services_pppoe_edit.php b/src/usr/local/www/services_pppoe_edit.php index 633af97..014f21d 100644 --- a/src/usr/local/www/services_pppoe_edit.php +++ b/src/usr/local/www/services_pppoe_edit.php @@ -285,10 +285,6 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); -} - $form = new Form(); $section = new Form_Section('PPPoE Server Configuration'); diff --git a/src/usr/local/www/services_rfc2136_edit.php b/src/usr/local/www/services_rfc2136_edit.php index 41a7c5b..4ca7cb8 100644 --- a/src/usr/local/www/services_rfc2136_edit.php +++ b/src/usr/local/www/services_rfc2136_edit.php @@ -152,10 +152,6 @@ if ($input_errors) { print_input_errors($input_errors); } -if ($savemsg) { - print_info_box($savemsg, 'success'); -} - $form = new Form; $section = new Form_Section('RFC 2136 Client'); -- cgit v1.1 From c6aca57dcfa8d1f5d19c1c50a1ef8fec3e2aba1f Mon Sep 17 00:00:00 2001 
From: scherma Date: Wed, 4 Jan 2017 11:24:38 +0000 Subject: Remove duplicated if block --- src/usr/local/www/system_usermanager_settings.php | 6 ------ 1 file changed, 6 deletions(-) diff --git a/src/usr/local/www/system_usermanager_settings.php b/src/usr/local/www/system_usermanager_settings.php index 08be2a4..865e496 100644 --- a/src/usr/local/www/system_usermanager_settings.php +++ b/src/usr/local/www/system_usermanager_settings.php @@ -152,12 +152,6 @@ if ($_POST) { unset($config['system']['webgui']['auth_refresh_time']); } - if (isset($_POST['auth_refresh_time']) && $_POST['auth_refresh_time'] != "") { - $config['system']['webgui']['auth_refresh_time'] = intval($_POST['auth_refresh_time']); - } else { - unset($config['system']['webgui']['auth_refresh_time']); - } - write_config(); } -- cgit v1.1 From 65d0277db75211fd738b7de945cf014be2fa6b8e Mon Sep 17 00:00:00 2001 From: Renato Botelho Date: Wed, 4 Jan 2017 11:07:30 -0200 Subject: Rework openvpn_vpnid_next() and remove duplicated code --- src/etc/inc/openvpn.inc | 44 ++++++++++++++++++-------------------------- 1 file changed, 18 insertions(+), 26 deletions(-) diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc index 69fb804..0cb6962 100644 --- a/src/etc/inc/openvpn.inc +++ b/src/etc/inc/openvpn.inc 
@@ -349,37 +349,29 @@ function openvpn_vpnid_next() { function openvpn_port_used($prot, $interface, $port, $curvpnid = 0) { global $config; + $ovpn_settings = array(); if (is_array($config['openvpn']['openvpn-server'])) { - foreach ($config['openvpn']['openvpn-server'] as & $settings) { - if (isset($settings['disable'])) { - continue; - } - - if ($curvpnid != 0 && $curvpnid == $settings['vpnid']) { - continue; - } - - if ($port == $settings['local_port'] && $prot == $settings['protocol'] && - ($interface == $settings['interface'] || $interface == "any" || $settings['interface'] == "any")) { - return $settings['vpnid']; - } - } + $ovpn_settings = $config['openvpn']['openvpn-server']; } - if (is_array($config['openvpn']['openvpn-client'])) { - foreach ($config['openvpn']['openvpn-client'] as & $settings) { - if (isset($settings['disable'])) { - continue; - } + $ovpn_settings = array_merge($ovpn_settings, + $config['openvpn']['openvpn-client']); + } - if ($curvpnid != 0 && $curvpnid == $settings['vpnid']) { - continue; - } + foreach ($ovpn_settings as $settings) { + if (isset($settings['disable'])) { + continue; + } - if ($port == $settings['local_port'] && $prot == $settings['protocol'] && - ($interface == $settings['interface'] || $interface == "any" || $settings['interface'] == "any")) { - return $settings['vpnid']; - } + if ($curvpnid != 0 && $curvpnid == $settings['vpnid']) { + continue; + } + + if ($port == $settings['local_port'] && + $prot == $settings['protocol'] && + ($interface == $settings['interface'] || + $interface == "any" || $settings['interface'] == "any")) { + return $settings['vpnid']; } } -- cgit v1.1 From feec858c5d0120244f284aefcef9eb18fd7b38c9 Mon Sep 17 00:00:00 2001 From: jim-p Date: Wed, 4 Jan 2017 08:40:44 -0500 Subject: Remove this extra comma. It's not causing a syntax error but it's also not necessary. --- src/etc/inc/openvpn.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
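Review bot: The match in the merged foreach still uses loose comparisons, `$port == $settings['local_port']` and `$curvpnid == $settings['vpnid']`, while `$port` comes from the caller's form and the config values are strings; normalising both sides once, `(int)$port === (int)$settings['local_port']`, makes the conflict test independent of how the port was typed. A one-line docblock stating the contract would also help now that servers and clients are scanned in one pass, e.g. `/* Return the vpnid of an enabled server or client already bound to $prot/$interface/$port, skipping $curvpnid. */`. The return after the loop is outside this hunk.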
diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc index 0cb6962..e8f786c 100644 --- a/src/etc/inc/openvpn.inc +++ b/src/etc/inc/openvpn.inc @@ -143,7 +143,7 @@ $openvpn_topologies = array( global $openvpn_tls_modes; $openvpn_tls_modes = array( 'auth' => gettext("TLS Authentication"), - 'crypt' => gettext("TLS Encryption and Authentication"), + 'crypt' => gettext("TLS Encryption and Authentication") ); function openvpn_build_mode_list() { -- cgit v1.1 From f69e098f41bb3937b244b557969009535a911ef4 Mon Sep 17 00:00:00 2001 From: Renato Botelho Date: Wed, 4 Jan 2017 11:43:26 -0200 Subject: Fix #7074: Fix automatic port number guessing Rework openvpn_port_used() to take care of following conflicts after ticket #7062 was committed: * "UDP" is dual stack and conflicts with "UDP4" and "UDP6" * "TCP" is dual stack and conflicts with "TCP4" and "TCP6" * "UDP4" and "UDP6" do not conflict unless interface is set to "any" * "TCP4" and "TCP6" do not conflict unless interface is set to "any" --- src/etc/inc/openvpn.inc | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc index e8f786c..dae6d6c 100644 --- a/src/etc/inc/openvpn.inc +++ b/src/etc/inc/openvpn.inc @@ -367,8 +367,17 @@ function openvpn_port_used($prot, $interface, $port, $curvpnid = 0) { continue; } + /* (TCP|UDP)(4|6) does not conflict unless interface is any */ + if (($interface != "any" && $settings['interface'] != "any") && + (strlen($prot) == 4) && + (strlen($settings['protocol']) == 4) && + substr($prot,0,3) == substr($settings['protocol'],0,3) && + substr($prot,3,1) != substr($settings['protocol'],3,1)) { + continue; + } + if ($port == $settings['local_port'] && - $prot == $settings['protocol'] && + substr($prot,0,3) == substr($settings['protocol'],0,3) && ($interface == $settings['interface'] || $interface == "any" || $settings['interface'] == "any")) { return $settings['vpnid']; -- cgit v1.1 
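Review bot: In the new family check and in the changed match condition, `substr($prot,0,3)` and `substr($settings['protocol'],0,3)` are each evaluated twice and the family digit is extracted inline, which makes the intent hard to read; naming them once above the checks, `$prot_base = substr($prot, 0, 3); $set_base = substr($settings['protocol'], 0, 3);`, lets both conditions read as "same base, different family". The comparison is also case-sensitive, so if a protocol value can ever be stored in lower case the conflict would be missed; presumably they are always upper case, worth confirming. The rest of openvpn_port_used() is outside this hunk.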
From bd07fbdb4b81fc358b8fa55b06469dde7a3870df Mon Sep 17 00:00:00 2001 From: Steve Beaver Date: Wed, 4 Jan 2017 13:12:55 -0500 Subject: Partial solution to #7072 Requires "Back-end" stuff to actually use this, and should be copied to the client page too --- src/usr/local/www/vpn_openvpn_server.php | 103 ++++++++++++++++++++++++++++++- 1 file changed, 100 insertions(+), 3 deletions(-) diff --git a/src/usr/local/www/vpn_openvpn_server.php b/src/usr/local/www/vpn_openvpn_server.php index c53197a..0900294 100644 --- a/src/usr/local/www/vpn_openvpn_server.php +++ b/src/usr/local/www/vpn_openvpn_server.php @@ -96,6 +96,8 @@ if ($_GET['act'] == "del") { } if ($_GET['act'] == "new") { + $pconfig['ncp_enable'] = "enabled"; + $pconfig['ncp-ciphers'] = "AES-256-GCM, AES-128-GCM"; $pconfig['autokey_enable'] = "yes"; $pconfig['tlsauth_enable'] = "yes"; $pconfig['autotls_enable'] = "yes"; @@ -117,7 +119,9 @@ if ($_GET['act'] == "edit") { $pconfig['mode'] = $a_server[$id]['mode']; $pconfig['protocol'] = $a_server[$id]['protocol']; $pconfig['authmode'] = $a_server[$id]['authmode']; - $pconfig['dev_mode'] = $a_server[$id]['dev_mode']; + $pconfig['ncp-ciphers'] = $a_server[$id]['ncp-ciphers']; + $pconfig['ncp_enable'] = $a_server[$id]['ncp_enable']; + $pconfig['dev_mode'] = $a_server[$id]['ncp_enable']; $pconfig['interface'] = $a_server[$id]['interface']; if (!empty($a_server[$id]['ipaddr'])) { @@ -242,8 +246,8 @@ if ($_GET['act'] == "edit") { $pconfig['push_register_dns'] = $a_server[$id]['push_register_dns']; } } -if ($_POST) { +if ($_POST) { unset($input_errors); $pconfig = $_POST; @@ -444,6 +448,7 @@ if ($_POST) { $input_errors[] = gettext("The Server Bridge DHCP range is invalid (start higher than end)."); } } + do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); if (!$input_errors) { 
@@ -570,6 +575,12 @@ if ($_POST) { $server['duplicate_cn'] = true; } + if (!empty($pconfig['ncp-ciphers'])) { + $server['ncp-ciphers'] = implode(",", $pconfig['ncp-ciphers']); + } + + $server['ncp_enable'] = $pconfig['ncp_enable'] ? "enabled":"disabled"; + if (isset($id) && $a_server[$id]) { $a_server[$id] = $server; } else { @@ -583,6 +594,11 @@ if ($_POST) { header("Location: vpn_openvpn_server.php"); exit; } + + if (!empty($pconfig['ncp-ciphers'])) { + $pconfig['ncp-ciphers'] = implode(",", $pconfig['ncp-ciphers']); + } + if (!empty($pconfig['authmode'])) { $pconfig['authmode'] = implode(",", $pconfig['authmode']); } @@ -640,9 +656,14 @@ if ($act=="new" || $act=="edit"): $options = array(); $authmodes = array(); - $authmodes = explode(",", $pconfig['authmode']); + $auth_servers = auth_get_authserver_list(); + + foreach (explode(",", $pconfig['ncp-ciphers']) as $cipher) { + $ncp_ciphers_list[$cipher] = $cipher; + } + // If no authmodes set then default to selecting the first entry in auth_servers if (empty($authmodes[0]) && !empty(key($auth_servers))) { $authmodes[0] = key($auth_servers); @@ -841,6 +862,45 @@ if ($act=="new" || $act=="edit"): openvpn_get_cipherlist() ))->setHelp('The Encryption Algorithm used for data channel packets.'); + $section->addInput(new Form_Checkbox( + 'ncp_enable', + 'Enable NCP', + 'Check this option to allow OpenVPN clients and servers to negotiate a compatible set of acceptable cryptographic ' . + 'Encryption Algorithms from those selected in the NCP Encryption Algorithms list below.', + ($pconfig['ncp_enable'] == "enabled") + ))->setHelp('
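Review bot: `implode(",", $pconfig['ncp-ciphers'])` assumes the posted `ncp-ciphers` field is an array; `$pconfig` is a straight copy of `$_POST` (see the `@@ -242` hunk), so a single-value or hand-crafted submission makes `implode` warn and store nothing. Guarding the save with `if (!empty($pconfig['ncp-ciphers']) && is_array($pconfig['ncp-ciphers']))` keeps the stored value well-formed. The same construct is repeated in the `@@ -583` hunk below.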
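Review bot: In the `@@ -640,9 +656,14` hunk the line `$authmodes = explode(",", $pconfig['authmode']);` appears only as a removed line with `$auth_servers = auth_get_authserver_list();` added in its place; if that is what the patch really does (the collapsed rendering makes it hard to be sure), `$authmodes[0]` a few lines down is always empty and the first auth server is always selected. Separately, when `$pconfig['ncp-ciphers']` is an empty string, `explode` yields `array("")` and the loop adds an option with an empty name; `$ncp_ciphers_list = array();` before the loop and `foreach (array_filter(explode(",", $pconfig['ncp-ciphers'])) as $cipher)` avoid both the undefined variable and the blank entry.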
' . sprint_info_box('When both peers support NCP and have it enabled, NCP overrides the Encryption Algorithm above.' . '
' . + 'When disabled, only the selected Encryption Algorithm is allowed.', 'info', false) . '
'); + + $group = new Form_Group('NCP Algorithms'); + + $group->add(new Form_Select( + 'availciphers', + null, + array(), + openvpn_get_cipherlist(), + true + ))->setAttribute('size', '10') + ->setHelp('Available algorithms
Click to add or remove an algorithm from the list'); + + $group->add(new Form_Select( + 'ncp-ciphers', + null, + array(), + $ncp_ciphers_list, + true + ))->setReadonly() + ->setAttribute('size', '10') + ->setHelp('Algorithm list. Click an algorithm name to remove it from the list'); + + $group->setHelp('Available NCP Encryption Algorithms / Allowed NCP Encryption Algorithms' . + '
' . sprint_info_box( + 'Click an NCP Encryption Algorithm in the left-side list to add or remove it from the Allowed NCP Encryption Algorithms list.' . '
' . + 'For backward compatibility, when an older peer connects that does not support NCP, OpenVPN will use the Encryption Algorithm ' . + 'requested by the peer so long as it is selected in this list or chosen as the Encryption Algorithm.', 'info', false) . + '
'); + + $section->add($group); + $section->addInput(new Form_Select( 'digest', 'Auth digest algorithm', @@ -1671,6 +1731,43 @@ events.push(function() { $('#certtype').html(errmsg); }); + function updateCiphers(mem) { + var found = false; + + // If the cipher exists, remove it + $('[id="ncp-ciphers[]"] option').each(function() { + if($(this).val() == mem) { + $(this).remove(); + found = true; + } + }); + + // If not, add it + if (!found) { + $('[id="ncp-ciphers[]"]').append(new Option(mem , mem)); + } + + // Unselect all options + $('[id="availciphers[]"] option:selected').removeAttr("selected"); + } + + // On click, update the ciphers list + $('[id="availciphers[]"]').click(function () { + updateCiphers($(this).val()); + }); + + // On click, remove the cipher from the list + $('[id="ncp-ciphers[]"]').click(function () { + updateCiphers($(this).val()); + }); + + // Make sure hte "Availlable ciphers" selector is not submitted with the form, + // and select all of the chosen ciphers so that they are submitted + $('form').submit(function() { + $("#availciphers" ).prop( "disabled", true); + $('[id="ncp-ciphers[]"] option').attr("selected", "selected"); + }); + // ---------- Set initial page display state ---------------------------------------------------------------------- mode_change(); autokey_change(); -- cgit v1.1 From 6c00adf3316d2c5214f7e9cf2e5f138c32845d58 Mon Sep 17 00:00:00 2001 From: jim-p Date: Wed, 4 Jan 2017 13:17:24 -0500 Subject: Fix copy/paste error --- src/usr/local/www/vpn_openvpn_server.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/usr/local/www/vpn_openvpn_server.php b/src/usr/local/www/vpn_openvpn_server.php index 0900294..fffbb8c 100644 --- a/src/usr/local/www/vpn_openvpn_server.php +++ b/src/usr/local/www/vpn_openvpn_server.php 
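Review bot: In the new `$('form').submit` handler, `$("#availciphers").prop("disabled", true)` looks for an element whose id is `availciphers`, but every other selector in this block addresses the multi-select as `[id="availciphers[]"]`; if that is the id the Form_Select renders, the disable never fires and the available-ciphers selection is posted along with the form. Using the same selector, `$('[id="availciphers[]"]').prop("disabled", true);`, keeps the block consistent. The comment above it also has two typos (`hte`, `Availlable`). The identical block is added to the client page in commit fa351dd3 and needs the same fix.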
@@ -121,7 +121,7 @@ if ($_GET['act'] == "edit") { $pconfig['authmode'] = $a_server[$id]['authmode']; $pconfig['ncp-ciphers'] = $a_server[$id]['ncp-ciphers']; $pconfig['ncp_enable'] = $a_server[$id]['ncp_enable']; - $pconfig['dev_mode'] = $a_server[$id]['ncp_enable']; + $pconfig['dev_mode'] = $a_server[$id]['dev_mode']; $pconfig['interface'] = $a_server[$id]['interface']; if (!empty($a_server[$id]['ipaddr'])) { -- cgit v1.1 From 9d773c1792832948a119068434b76d1fd8e5bfb0 Mon Sep 17 00:00:00 2001 From: jim-p Date: Wed, 4 Jan 2017 13:36:39 -0500 Subject: Fix NCP defaults when editing an OpenVPN server, some help changes/fixes for NCP as well. --- src/usr/local/www/vpn_openvpn_server.php | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/src/usr/local/www/vpn_openvpn_server.php b/src/usr/local/www/vpn_openvpn_server.php index fffbb8c..8fd8438 100644 --- a/src/usr/local/www/vpn_openvpn_server.php +++ b/src/usr/local/www/vpn_openvpn_server.php @@ -119,8 +119,16 @@ if ($_GET['act'] == "edit") { $pconfig['mode'] = $a_server[$id]['mode']; $pconfig['protocol'] = $a_server[$id]['protocol']; $pconfig['authmode'] = $a_server[$id]['authmode']; - $pconfig['ncp-ciphers'] = $a_server[$id]['ncp-ciphers']; - $pconfig['ncp_enable'] = $a_server[$id]['ncp_enable']; + if (isset($a_server[$id]['ncp-ciphers'])) { + $pconfig['ncp-ciphers'] = $a_server[$id]['ncp-ciphers']; + } else { + $pconfig['ncp-ciphers'] = "AES-256-GCM,AES-128-GCM"; + } + if (isset($a_server[$id]['ncp_enable'])) { + $pconfig['ncp_enable'] = $a_server[$id]['ncp_enable']; + } else { + $pconfig['ncp_enable'] = "enabled"; + } $pconfig['dev_mode'] = $a_server[$id]['dev_mode']; $pconfig['interface'] = $a_server[$id]['interface']; 
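Review bot: The default list literal `"AES-256-GCM,AES-128-GCM"` is now duplicated between this edit branch and the `act == "new"` branch, and the two already disagree (the `new` branch writes it with a space after the comma), so a freshly created server and an edited one get different defaults. Defining it once near the top of the page, `$ncp_default_ciphers = "AES-256-GCM,AES-128-GCM";`, and using it in both branches prevents the drift. The same applies to the `"enabled"` default for `ncp_enable`.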
@@ -860,15 +868,16 @@ if ($act=="new" || $act=="edit"): 'Encryption Algorithm', $pconfig['crypto'], openvpn_get_cipherlist() - ))->setHelp('The Encryption Algorithm used for data channel packets.'); + ))->setHelp('The Encryption Algorithm used for data channel packets when Negotiable Cryptographic Parameter (NCP) support is not available.'); $section->addInput(new Form_Checkbox( 'ncp_enable', 'Enable NCP', - 'Check this option to allow OpenVPN clients and servers to negotiate a compatible set of acceptable cryptographic ' . - 'Encryption Algorithms from those selected in the NCP Encryption Algorithms list below.', + 'Enable Negotiable Cryptographic Parameters', ($pconfig['ncp_enable'] == "enabled") - ))->setHelp('
' . sprint_info_box('When both peers support NCP and have it enabled, NCP overrides the Encryption Algorithm above.' . '
' . + ))->setHelp( 'Check this option to allow OpenVPN clients and servers to negotiate a compatible set of acceptable cryptographic ' . + 'Encryption Algorithms from those selected in the NCP Algorithms list below.' . + '
' . sprint_info_box('When both peers support NCP and have it enabled, NCP overrides the Encryption Algorithm above.' . '
' . 'When disabled, only the selected Encryption Algorithm is allowed.', 'info', false) . '
'); $group = new Form_Group('NCP Algorithms'); @@ -880,7 +889,7 @@ if ($act=="new" || $act=="edit"): openvpn_get_cipherlist(), true ))->setAttribute('size', '10') - ->setHelp('Available algorithms
Click to add or remove an algorithm from the list'); + ->setHelp('Available NCP Encryption Algorithms
Click to add or remove an algorithm from the list'); $group->add(new Form_Select( 'ncp-ciphers', @@ -890,11 +899,10 @@ if ($act=="new" || $act=="edit"): true ))->setReadonly() ->setAttribute('size', '10') - ->setHelp('Algorithm list. Click an algorithm name to remove it from the list'); + ->setHelp('Allowed NCP Encryption Algorithms. Click an algorithm name to remove it from the list'); - $group->setHelp('Available NCP Encryption Algorithms / Allowed NCP Encryption Algorithms' . + $group->setHelp( 'The order of the selected NCP Encryption Algorithms is respected by OpenVPN.' . '
' . sprint_info_box( - 'Click an NCP Encryption Algorithm in the left-side list to add or remove it from the Allowed NCP Encryption Algorithms list.' . '
' . 'For backward compatibility, when an older peer connects that does not support NCP, OpenVPN will use the Encryption Algorithm ' . 'requested by the peer so long as it is selected in this list or chosen as the Encryption Algorithm.', 'info', false) . '
'); -- cgit v1.1 From 280f00096435bf7b511d8ab605f5fbc72738d1ec Mon Sep 17 00:00:00 2001 From: scherma Date: Wed, 4 Jan 2017 18:55:01 +0000 Subject: Set default in 'else' of if block --- src/etc/inc/priv.inc | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/src/etc/inc/priv.inc b/src/etc/inc/priv.inc index 00c93c3..fc9f122 100644 --- a/src/etc/inc/priv.inc +++ b/src/etc/inc/priv.inc @@ -269,11 +269,12 @@ function getAllowedPages($username, &$attributes = array()) { if ($_SESSION['remoteauth']) { $authcfg = auth_get_authserver($config['system']['webgui']['authmode']); - // cache auth results for a short time to prevent hammering auth services & logs - $recheck_time = 30; - if (isset($config['system']['webgui']['auth_refresh_time'])) { - $recheck_time = $config['system']['webgui']['auth_refresh_time']; - } + // cache auth results for a short time to ease load on auth services & logs + if (isset($config['system']['webgui']['auth_refresh_time'])) { + $recheck_time = $config['system']['webgui']['auth_refresh_time']; + } else { + $recheck_time = 30; + } // obtain ldap groups if we are in ldap mode if ($authcfg['type'] == "ldap") { if ( isset($_SESSION["ldap_allowed_groups"]) && -- cgit v1.1 From c73367d281da3f894ed9e8c042ac03b8d7864340 Mon Sep 17 00:00:00 2001 From: jim-p Date: Wed, 4 Jan 2017 13:57:47 -0500 Subject: Add backend support to OpenVPN for NCP. Ticket #7072 --- src/etc/inc/openvpn.inc | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc index dae6d6c..00829e2 100644 --- a/src/etc/inc/openvpn.inc +++ b/src/etc/inc/openvpn.inc 
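Review bot: `$recheck_time = $config['system']['webgui']['auth_refresh_time'];` takes the value straight from the config, where it is stored as a string, whereas the default in the else branch is an integer; coercing once, `$recheck_time = intval($config['system']['webgui']['auth_refresh_time']);`, keeps the comparison that uses it (outside this hunk) numeric regardless of how the value was written. The code being replaced had the same issue, so this is a pre-existing wart rather than a regression. The rest of getAllowedPages() is not visible here.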
@@ -1100,6 +1100,17 @@ function openvpn_reconfigure($mode, $settings) { } openvpn_add_keyfile($settings['tls'], $conf, $mode_id, $tls_directive, $tlsopt); } + + /* NCP support. If it is not set, assume enabled since that is OpenVPN's default. */ + if ($settings['ncp_enable'] == "disabled") { + $conf .= "ncp-disable\n"; + } else { + /* If the ncp-ciphers list is empty, don't specify a list so OpenVPN's default will be used. */ + if (!empty($settings['ncp-ciphers'])) { + $conf .= "ncp-ciphers " . str_replace(',', ':', $settings['ncp-ciphers']) . "\n"; + } + } + break; } -- cgit v1.1 From a5978b9adc8cac57040a9abedd01f9993567a59a Mon Sep 17 00:00:00 2001 From: scherma Date: Wed, 4 Jan 2017 18:58:43 +0000 Subject: Server side validation and description amendment --- src/usr/local/www/system_usermanager_settings.php | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/usr/local/www/system_usermanager_settings.php b/src/usr/local/www/system_usermanager_settings.php index 865e496..8782818 100644 --- a/src/usr/local/www/system_usermanager_settings.php +++ b/src/usr/local/www/system_usermanager_settings.php @@ -117,6 +117,13 @@ if ($_POST) { $input_errors[] = gettext("Session timeout must be an integer value."); } } + + if (isset($_POST['auth_refresh_time'])) { + $timeout = intval($_POST['auth_refresh_time']); + if ($timeout != "" && (!is_numeric($timeout) || $timeout < 0 || $timeout > 3600 )) { + $input_errors[] = gettext("Authentication refresh time must be an integer between 0 and 3600 (inclusive)."); + } + } if (($_POST['authmode'] == "Local Database") && $_POST['savetest']) { $savemsg = gettext("Settings have been saved, but the test was not performed because it is not supported for local databases."); 
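Review bot: The `ncp-ciphers` directive is built by joining the stored `$settings['ncp-ciphers']` without checking its elements; config values do not necessarily pass through the GUI validation (imports, manual edits), so filtering against `openvpn_get_cipherlist()` here is a cheap defence-in-depth step that also drops stray whitespace: `$ncp = array_intersect(array_map('trim', explode(',', $settings['ncp-ciphers'])), array_keys(openvpn_get_cipherlist()));` followed by `if (!empty($ncp)) { $conf .= "ncp-ciphers " . implode(':', $ncp) . "\n"; }`. The block also emits the directive regardless of the tunnel mode, so a shared-key tunnel gets an `ncp-ciphers` line too; worth confirming that is intended. The enclosing switch case starts outside this hunk.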
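Review bot: In the system_usermanager_settings.php hunk, the new check calls `intval()` first and then tests `is_numeric($timeout)` on the result, which is always true, so a non-numeric entry such as `abc` becomes 0 and is accepted silently as a zero-second cache; `$timeout != ""` also compares an integer with a string. Validate the raw field instead: `$raw = $_POST['auth_refresh_time']; if ($raw !== "" && (!is_numeric($raw) || $raw < 0 || $raw > 3600)) {`. The save path that follows (outside the hunk) can keep its `intval()`.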
@@ -212,7 +219,7 @@ $section->addInput(new Form_Input( $pconfig['auth_refresh_time'], ['min' => 0, 'max' => 3600] ))->setHelp('Time in seconds to cache authentication results. The default is 30 seconds, maximum 3600 (one hour). '. - 'Shorter times result in more frequent queries to auth services, and more logs generated.'); + 'Shorter times result in more frequent queries to authentication servers.'); $form->addGlobal(new Form_Button( 'savetest', -- cgit v1.1 From d66cfa3d2a0dec1c30931aa9a3b8458069eb373e Mon Sep 17 00:00:00 2001 From: jim-p Date: Wed, 4 Jan 2017 14:10:18 -0500 Subject: Validate the submitted Encryption Algorithm and NCP Algorithm list. Ticket #7072 --- src/usr/local/www/vpn_openvpn_server.php | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/src/usr/local/www/vpn_openvpn_server.php b/src/usr/local/www/vpn_openvpn_server.php index 8fd8438..4c9ae64 100644 --- a/src/usr/local/www/vpn_openvpn_server.php +++ b/src/usr/local/www/vpn_openvpn_server.php @@ -265,6 +265,11 @@ if ($_POST) { $vpnid = 0; } + $cipher_validation_list = array_keys(openvpn_get_cipherlist()); + if (!in_array($pconfig['crypto'], $cipher_validation_list)) { + $input_errors[] = gettext("The selected Encryption Algorithm is not valid."); + } + list($iv_iface, $iv_ip) = explode ("|", $pconfig['interface']); if (is_ipaddrv4($iv_ip) && (stristr($pconfig['protocol'], "6") !== false)) { $input_errors[] = gettext("Protocol and IP address families do not match. An IPv6 protocol and an IPv4 IP address cannot be selected."); 
@@ -423,6 +428,12 @@ if ($_POST) { $input_errors[] = gettext("The specified ECDH Curve is invalid."); } + foreach ($pconfig['ncp-ciphers'] as $ncpc) { + if (!in_array($ncpc, $cipher_validation_list)) { + $input_errors[] = gettext("One or more of the selected NCP Algorithms is not valid."); + } + } + $reqdfields = explode(" ", "caref certref"); $reqdfieldsn = array(gettext("Certificate Authority"), gettext("Certificate")); } elseif (!$pconfig['autokey_enable']) { -- cgit v1.1 From a095e8b278c82b2bab4884d3d14b2289105554b7 Mon Sep 17 00:00:00 2001 From: scherma Date: Wed, 4 Jan 2017 19:13:10 +0000 Subject: Load current saved value to display in GUI --- src/usr/local/www/system_usermanager_settings.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/usr/local/www/system_usermanager_settings.php b/src/usr/local/www/system_usermanager_settings.php index 8782818..cfc7ae7 100644 --- a/src/usr/local/www/system_usermanager_settings.php +++ b/src/usr/local/www/system_usermanager_settings.php @@ -102,6 +102,8 @@ if (isset($config['system']['webgui']['authmode'])) { $pconfig['backend'] = &$config['system']['webgui']['backend']; +$pconfig['auth_refresh_time'] = &$config['system']['webgui']['auth_refresh_time']; + // Page title for main admin $pgtitle = array(gettext("System"), gettext("User Manager"), gettext("Settings")); -- cgit v1.1 From 9423ff32abaf2626ff82b5e7a86f82a389a9a454 Mon Sep 17 00:00:00 2001 From: jim-p Date: Wed, 4 Jan 2017 14:45:29 -0500 Subject: Whitespace fixes. Ticket #7072 --- src/usr/local/www/vpn_openvpn_server.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/usr/local/www/vpn_openvpn_server.php b/src/usr/local/www/vpn_openvpn_server.php index 4c9ae64..7e9637f 100644 --- a/src/usr/local/www/vpn_openvpn_server.php +++ b/src/usr/local/www/vpn_openvpn_server.php 
@@ -1755,16 +1755,16 @@ events.push(function() { // If the cipher exists, remove it $('[id="ncp-ciphers[]"] option').each(function() { - if($(this).val() == mem) { - $(this).remove(); + if($(this).val() == mem) { + $(this).remove(); found = true; - } + } }); // If not, add it - if (!found) { + if (!found) { $('[id="ncp-ciphers[]"]').append(new Option(mem , mem)); - } + } // Unselect all options $('[id="availciphers[]"] option:selected').removeAttr("selected"); -- cgit v1.1 From fa351dd3c13e65dfabfb0f2ac2ed72b332276892 Mon Sep 17 00:00:00 2001 From: jim-p Date: Wed, 4 Jan 2017 14:45:50 -0500 Subject: Add NCP options to OpenVPN client. Fixes #7072 --- src/usr/local/www/vpn_openvpn_client.php | 113 ++++++++++++++++++++++++++++++- 1 file changed, 112 insertions(+), 1 deletion(-) diff --git a/src/usr/local/www/vpn_openvpn_client.php b/src/usr/local/www/vpn_openvpn_client.php index 467e198..197452d 100644 --- a/src/usr/local/www/vpn_openvpn_client.php +++ b/src/usr/local/www/vpn_openvpn_client.php @@ -90,6 +90,8 @@ if ($_GET['act'] == "del") { } if ($_GET['act'] == "new") { + $pconfig['ncp_enable'] = "enabled"; + $pconfig['ncp-ciphers'] = "AES-256-GCM, AES-128-GCM"; $pconfig['autokey_enable'] = "yes"; $pconfig['tlsauth_enable'] = "yes"; $pconfig['autotls_enable'] = "yes"; @@ -129,6 +131,16 @@ if ($_GET['act'] == "edit") { $pconfig['description'] = $a_client[$id]['description']; $pconfig['custom_options'] = $a_client[$id]['custom_options']; $pconfig['ns_cert_type'] = $a_client[$id]['ns_cert_type']; + if (isset($a_client[$id]['ncp-ciphers'])) { + $pconfig['ncp-ciphers'] = $a_client[$id]['ncp-ciphers']; + } else { + $pconfig['ncp-ciphers'] = "AES-256-GCM,AES-128-GCM"; + } + if (isset($a_client[$id]['ncp_enable'])) { + $pconfig['ncp_enable'] = $a_client[$id]['ncp_enable']; + } else { + $pconfig['ncp_enable'] = "enabled"; + } $pconfig['dev_mode'] = $a_client[$id]['dev_mode']; if ($pconfig['mode'] != "p2p_shared_key") { 
@@ -181,6 +193,11 @@ if ($_POST) { $vpnid = 0; } + $cipher_validation_list = array_keys(openvpn_get_cipherlist()); + if (!in_array($pconfig['crypto'], $cipher_validation_list)) { + $input_errors[] = gettext("The selected Encryption Algorithm is not valid."); + } + list($iv_iface, $iv_ip) = explode ("|", $pconfig['interface']); if (is_ipaddrv4($iv_ip) && (stristr($pconfig['protocol'], "6") !== false)) { $input_errors[] = gettext("Protocol and IP address families do not match. An IPv6 protocol and an IPv4 IP address cannot be selected."); @@ -303,6 +320,11 @@ if ($_POST) { /* If we are not in shared key mode, then we need the CA/Cert. */ if ($pconfig['mode'] != "p2p_shared_key") { + foreach ($pconfig['ncp-ciphers'] as $ncpc) { + if (!in_array($ncpc, $cipher_validation_list)) { + $input_errors[] = gettext("One or more of the selected NCP Algorithms is not valid."); + } + } $reqdfields = explode(" ", "caref"); $reqdfieldsn = array(gettext("Certificate Authority")); } elseif (!$pconfig['autokey_enable']) { @@ -390,6 +412,12 @@ if ($_POST) { $client['route_no_exec'] = $pconfig['route_no_exec']; $client['verbosity_level'] = $pconfig['verbosity_level']; + if (!empty($pconfig['ncp-ciphers'])) { + $client['ncp-ciphers'] = implode(",", $pconfig['ncp-ciphers']); + } + + $client['ncp_enable'] = $pconfig['ncp_enable'] ? "enabled":"disabled"; + if (isset($id) && $a_client[$id]) { $a_client[$id] = $client; } else { @@ -402,6 +430,10 @@ if ($_POST) { header("Location: vpn_openvpn_client.php"); exit; } + + if (!empty($pconfig['ncp-ciphers'])) { + $pconfig['ncp-ciphers'] = implode(",", $pconfig['ncp-ciphers']); + } } $pgtitle = array(gettext("VPN"), gettext("OpenVPN"), gettext("Clients")); 
@@ -664,7 +696,49 @@ if ($act=="new" || $act=="edit"): 'Encryption Algorithm', $pconfig['crypto'], openvpn_get_cipherlist() - ))->setHelp('The Encryption Algorithm used for data channel packets.'); + ))->setHelp('The Encryption Algorithm used for data channel packets when Negotiable Cryptographic Parameter (NCP) support is not available.'); + + $section->addInput(new Form_Checkbox( + 'ncp_enable', + 'Enable NCP', + 'Enable Negotiable Cryptographic Parameters', + ($pconfig['ncp_enable'] == "enabled") + ))->setHelp( 'Check this option to allow OpenVPN clients and servers to negotiate a compatible set of acceptable cryptographic ' . + 'Encryption Algorithms from those selected in the NCP Algorithms list below.' . + '
' . sprint_info_box('When both peers support NCP and have it enabled, NCP overrides the Encryption Algorithm above.' . '
' . + 'When disabled, only the selected Encryption Algorithm is allowed.', 'info', false) . '
'); + + foreach (explode(",", $pconfig['ncp-ciphers']) as $cipher) { + $ncp_ciphers_list[$cipher] = $cipher; + } + $group = new Form_Group('NCP Algorithms'); + + $group->add(new Form_Select( + 'availciphers', + null, + array(), + openvpn_get_cipherlist(), + true + ))->setAttribute('size', '10') + ->setHelp('Available NCP Encryption Algorithms
Click to add or remove an algorithm from the list'); + + $group->add(new Form_Select( + 'ncp-ciphers', + null, + array(), + $ncp_ciphers_list, + true + ))->setReadonly() + ->setAttribute('size', '10') + ->setHelp('Allowed NCP Encryption Algorithms. Click an algorithm name to remove it from the list'); + + $group->setHelp( 'The order of the selected NCP Encryption Algorithms is respected by OpenVPN.' . + '
' . sprint_info_box( + 'For backward compatibility, when an older peer connects that does not support NCP, OpenVPN will use the Encryption Algorithm ' . + 'requested by the peer so long as it is selected in this list or chosen as the Encryption Algorithm.', 'info', false) . + '
'); + + $section->add($group); $section->addInput(new Form_Select( 'digest', @@ -959,6 +1033,43 @@ events.push(function() { autotls_change(); }); + function updateCiphers(mem) { + var found = false; + + // If the cipher exists, remove it + $('[id="ncp-ciphers[]"] option').each(function() { + if($(this).val() == mem) { + $(this).remove(); + found = true; + } + }); + + // If not, add it + if (!found) { + $('[id="ncp-ciphers[]"]').append(new Option(mem , mem)); + } + + // Unselect all options + $('[id="availciphers[]"] option:selected').removeAttr("selected"); + } + + // On click, update the ciphers list + $('[id="availciphers[]"]').click(function () { + updateCiphers($(this).val()); + }); + + // On click, remove the cipher from the list + $('[id="ncp-ciphers[]"]').click(function () { + updateCiphers($(this).val()); + }); + + // Make sure hte "Availlable ciphers" selector is not submitted with the form, + // and select all of the chosen ciphers so that they are submitted + $('form').submit(function() { + $("#availciphers" ).prop( "disabled", true); + $('[id="ncp-ciphers[]"] option').attr("selected", "selected"); + }); + // ---------- Set initial page display state ---------------------------------------------------------------------- mode_change(); autokey_change(); -- cgit v1.1 From e2f0ad13b5c1305c03f5104819ec096d077e496b Mon Sep 17 00:00:00 2001 From: jim-p Date: Wed, 4 Jan 2017 15:28:28 -0500 Subject: Some improvements to the NCP validation. Ticket #7072 --- src/usr/local/www/vpn_openvpn_client.php | 8 +++++--- src/usr/local/www/vpn_openvpn_server.php | 8 +++++--- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/src/usr/local/www/vpn_openvpn_client.php b/src/usr/local/www/vpn_openvpn_client.php index 197452d..2e7b554 100644 --- a/src/usr/local/www/vpn_openvpn_client.php +++ b/src/usr/local/www/vpn_openvpn_client.php 
@@ -320,9 +320,11 @@ if ($_POST) { /* If we are not in shared key mode, then we need the CA/Cert. */ if ($pconfig['mode'] != "p2p_shared_key") { - foreach ($pconfig['ncp-ciphers'] as $ncpc) { - if (!in_array($ncpc, $cipher_validation_list)) { - $input_errors[] = gettext("One or more of the selected NCP Algorithms is not valid."); + if (($pconfig['ncp_enable'] != "disabled") && !empty($pconfig['ncp-ciphers']) && is_array($pconfig['ncp-ciphers'])) { + foreach ($pconfig['ncp-ciphers'] as $ncpc) { + if (!in_array($ncpc, $cipher_validation_list)) { + $input_errors[] = gettext("One or more of the selected NCP Algorithms is not valid."); + } } } $reqdfields = explode(" ", "caref"); diff --git a/src/usr/local/www/vpn_openvpn_server.php b/src/usr/local/www/vpn_openvpn_server.php index 7e9637f..cfaefa2 100644 --- a/src/usr/local/www/vpn_openvpn_server.php +++ b/src/usr/local/www/vpn_openvpn_server.php @@ -428,9 +428,11 @@ if ($_POST) { $input_errors[] = gettext("The specified ECDH Curve is invalid."); } - foreach ($pconfig['ncp-ciphers'] as $ncpc) { - if (!in_array($ncpc, $cipher_validation_list)) { - $input_errors[] = gettext("One or more of the selected NCP Algorithms is not valid."); + if (($pconfig['ncp_enable'] != "disabled") && !empty($pconfig['ncp-ciphers']) && is_array($pconfig['ncp-ciphers'])) { + foreach ($pconfig['ncp-ciphers'] as $ncpc) { + if (!in_array($ncpc, $cipher_validation_list)) { + $input_errors[] = gettext("One or more of the selected NCP Algorithms is not valid."); + } } } -- cgit v1.1 From 625b688ca4a7db168e9b2cea6c319728981cff00 Mon Sep 17 00:00:00 2001 From: jim-p Date: Wed, 4 Jan 2017 15:35:08 -0500 Subject: Fix NCP breaking save on a new server/client. Ticket #7072 --- src/usr/local/www/vpn_openvpn_client.php | 4 ++-- src/usr/local/www/vpn_openvpn_server.php | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/usr/local/www/vpn_openvpn_client.php b/src/usr/local/www/vpn_openvpn_client.php index 2e7b554..fba3d43 100644 
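Review bot: Both new guards validate the NCP list only when `ncp_enable` is not disabled, and on the client page only inside `if ($pconfig['mode'] != "p2p_shared_key")`, yet the save path stores `$pconfig['ncp-ciphers']` unconditionally (the `@@ -390` hunk of commit fa351dd3) and openvpn_reconfigure() emits it without a mode check; a list submitted in shared-key mode is therefore persisted unchecked and later written into the OpenVPN config. Moving the loop out of the mode branch and keeping only the `!empty(...) && is_array(...)` condition closes that gap. The server-side hunk's enclosing block is not visible here, so it may have the same mode dependency.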
--- a/src/usr/local/www/vpn_openvpn_client.php +++ b/src/usr/local/www/vpn_openvpn_client.php @@ -91,7 +91,7 @@ if ($_GET['act'] == "del") { if ($_GET['act'] == "new") { $pconfig['ncp_enable'] = "enabled"; - $pconfig['ncp-ciphers'] = "AES-256-GCM, AES-128-GCM"; + $pconfig['ncp-ciphers'] = "AES-256-GCM,AES-128-GCM"; $pconfig['autokey_enable'] = "yes"; $pconfig['tlsauth_enable'] = "yes"; $pconfig['autotls_enable'] = "yes"; @@ -322,7 +322,7 @@ if ($_POST) { if ($pconfig['mode'] != "p2p_shared_key") { if (($pconfig['ncp_enable'] != "disabled") && !empty($pconfig['ncp-ciphers']) && is_array($pconfig['ncp-ciphers'])) { foreach ($pconfig['ncp-ciphers'] as $ncpc) { - if (!in_array($ncpc, $cipher_validation_list)) { + if (!in_array(trim($ncpc), $cipher_validation_list)) { $input_errors[] = gettext("One or more of the selected NCP Algorithms is not valid."); } } diff --git a/src/usr/local/www/vpn_openvpn_server.php b/src/usr/local/www/vpn_openvpn_server.php index cfaefa2..e9d397a 100644 --- a/src/usr/local/www/vpn_openvpn_server.php +++ b/src/usr/local/www/vpn_openvpn_server.php @@ -97,7 +97,7 @@ if ($_GET['act'] == "del") { if ($_GET['act'] == "new") { $pconfig['ncp_enable'] = "enabled"; - $pconfig['ncp-ciphers'] = "AES-256-GCM, AES-128-GCM"; + $pconfig['ncp-ciphers'] = "AES-256-GCM,AES-128-GCM"; $pconfig['autokey_enable'] = "yes"; $pconfig['tlsauth_enable'] = "yes"; $pconfig['autotls_enable'] = "yes"; @@ -430,7 +430,7 @@ if ($_POST) { if (($pconfig['ncp_enable'] != "disabled") && !empty($pconfig['ncp-ciphers']) && is_array($pconfig['ncp-ciphers'])) { foreach ($pconfig['ncp-ciphers'] as $ncpc) { - if (!in_array($ncpc, $cipher_validation_list)) { + if (!in_array(trim($ncpc), $cipher_validation_list)) { $input_errors[] = gettext("One or more of the selected NCP Algorithms is not valid."); } } -- cgit v1.1 From 0a07be0287189cda229fab27ad733e9de3dc12f5 Mon Sep 17 00:00:00 2001 
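Review bot: `trim($ncpc)` is applied only while validating; the value stored by the save path (`implode(",", $pconfig['ncp-ciphers'])`, outside these hunks) keeps the untrimmed strings, so an entry that passes only thanks to the trim is written to the config with its whitespace and reaches openvpn_reconfigure() as `AES-256-GCM: AES-128-GCM`. Trimming at save time as well, `implode(",", array_map('trim', $pconfig['ncp-ciphers']))`, keeps the stored list in the canonical form the corrected `new` defaults now use. This applies to both the client and the server page.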
From: Renato Botelho Date: Wed, 4 Jan 2017 18:37:50 -0200 Subject: Destroy tun/tap device when delete OpenVPN tunnel --- src/etc/inc/openvpn.inc | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc index 00829e2..38230e7 100644 --- a/src/etc/inc/openvpn.inc +++ b/src/etc/inc/openvpn.inc @@ -1288,11 +1288,8 @@ function openvpn_delete($mode, & $settings) { posix_kill($pid, SIGTERM); } - /* remove the device from the openvpn group */ - mwexec("/sbin/ifconfig " . escapeshellarg($devname) . " -group openvpn"); - - /* restore the original adapter name */ - mwexec("/sbin/ifconfig " . escapeshellarg($devname) . " name " . escapeshellarg($tunname)); + /* destroy the device */ + mwexec("/sbin/ifconfig " . escapeshellarg($devname) . " destroy"); /* remove the configuration files */ @array_map('unlink', glob("{$g['varetc_path']}/openvpn/{$mode_id}.*")); -- cgit v1.1 From a075265e0a076419813622e0d69556915b6f40f2 Mon Sep 17 00:00:00 2001 From: stilez Date: Wed, 4 Jan 2017 20:52:39 +0000 Subject: Various wording changes --- src/usr/local/www/system_advanced_network.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/usr/local/www/system_advanced_network.php b/src/usr/local/www/system_advanced_network.php index f5fdf73..9028b04 100644 --- a/src/usr/local/www/system_advanced_network.php +++ b/src/usr/local/www/system_advanced_network.php 
@@ -169,14 +169,14 @@ $group->add(new Form_Checkbox(
$group->add(new Form_Input(
'ipv6nat_ipaddr',
- 'IP address of tunneling peer',
+ 'Tunnel Peer\'s IP Address',
'text',
$pconfig['ipv6nat_ipaddr']
))->setHelp('The IPv4 address of the tunneling peer');
-$group->setHelp('These options create an RFC 2893 compatible mechanism for IPv4 NAT encapsulation of IPv6 packets, that can be used ' .
- 'to tunnel IPv6 packets over IPv4 routing infrastructures. A firewall rule to allow passing of IPv6 packets ' .
- 'must also be created.');
+$group->setHelp('These options create an RFC 2893 compatible mechanism for IPv4 NAT encapsulation of IPv6 packets, ' .
- 'that can be used to tunnel IPv6 packets over IPv4 routing infrastructures. A firewall rule to pass IPv6 packets ' .
- 'is also necessary.');
$section->add($group);
--
cgit v1.1
From ef70380433e2889f5a97ec7ddfa858baa18bb6ac Mon Sep 17 00:00:00 2001
From: Renato Botelho
Date: Wed, 4 Jan 2017 18:52:43 -0200
Subject: Revert "Destroy tun/tap device when delete OpenVPN tunnel"
This reverts commit 0a07be0287189cda229fab27ad733e9de3dc12f5.
---
src/etc/inc/openvpn.inc | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc
index 38230e7..00829e2 100644
--- a/src/etc/inc/openvpn.inc
+++ b/src/etc/inc/openvpn.inc
@@ -1288,8 +1288,11 @@ function openvpn_delete($mode, & $settings) {
posix_kill($pid, SIGTERM);
}
- /* destroy the device */
- mwexec("/sbin/ifconfig " . escapeshellarg($devname) . " destroy");
+ /* remove the device from the openvpn group */
+ mwexec("/sbin/ifconfig " . escapeshellarg($devname) . " -group openvpn");
+
+ /* restore the original adapter name */
+ mwexec("/sbin/ifconfig " . escapeshellarg($devname) . " name " . escapeshellarg($tunname));
/* remove the configuration files */
@array_map('unlink', glob("{$g['varetc_path']}/openvpn/{$mode_id}.*"));
--
cgit v1.1
From 414aa3596b25a2ecf98b63d1a774ba7d92b7e76c Mon Sep 17 00:00:00 2001
From: Renato Botelho
Date: Wed, 4 Jan 2017 18:53:20 -0200
Subject: Remove direct calls to /sbin/ifconfig destroy by pfSense_interface_destroy()
---
src/usr/local/www/interfaces.php | 2 +-
src/usr/local/www/interfaces_bridge.php | 2 +-
src/usr/local/www/interfaces_gif.php | 2 +-
src/usr/local/www/interfaces_gre.php | 2 +-
src/usr/local/www/interfaces_lagg.php | 2 +-
src/usr/local/www/interfaces_qinq.php | 2 +-
src/usr/local/www/interfaces_wireless.php | 2 +-
src/usr/local/www/interfaces_wireless_edit.php | 2 +-
8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/usr/local/www/interfaces.php b/src/usr/local/www/interfaces.php
index a63144d..fcb5763 100755
--- a/src/usr/local/www/interfaces.php
+++ b/src/usr/local/www/interfaces.php
@@ -1611,7 +1611,7 @@ function check_wireless_mode() {
if (!interface_wireless_clone("{$wlanif}_", $wancfg)) {
$input_errors[] = sprintf(gettext("Unable to change mode to %s. The maximum number of wireless clones supported in this mode may have been reached."), $wlan_modes[$wancfg['wireless']['mode']]);
} else {
- mwexec("/sbin/ifconfig " . escapeshellarg($wlanif) . "_ destroy");
+ pfSense_interface_destroy("{$wlanif}_");
}
$wancfg['wireless']['mode'] = $old_wireless_mode;
}
diff --git a/src/usr/local/www/interfaces_bridge.php b/src/usr/local/www/interfaces_bridge.php
index c9631d7..359af1c 100644
--- a/src/usr/local/www/interfaces_bridge.php
+++ b/src/usr/local/www/interfaces_bridge.php
@@ -60,7 +60,7 @@ if ($_GET['act'] == "del") {
if (!does_interface_exist($a_bridges[$_GET['id']]['bridgeif'])) {
log_error("Bridge interface does not exist, skipping ifconfig destroy.");
} else {
- mwexec("/sbin/ifconfig " . $a_bridges[$_GET['id']]['bridgeif'] . " destroy");
+ pfSense_interface_destroy($a_bridges[$_GET['id']]['bridgeif']);
}
unset($a_bridges[$_GET['id']]);
diff --git a/src/usr/local/www/interfaces_gif.php b/src/usr/local/www/interfaces_gif.php
index 1797092..b0581ec 100644
--- a/src/usr/local/www/interfaces_gif.php
+++ b/src/usr/local/www/interfaces_gif.php
@@ -56,7 +56,7 @@ if ($_GET['act'] == "del") {
} else if (gif_inuse($_GET['id'])) {
$input_errors[] = gettext("This gif TUNNEL cannot be deleted because it is still being used as an interface.");
} else {
- mwexec("/sbin/ifconfig " . $a_gifs[$_GET['id']]['gifif'] . " destroy");
+ pfSense_interface_destroy($a_gifs[$_GET['id']]['gifif']);
unset($a_gifs[$_GET['id']]);
write_config();
diff --git a/src/usr/local/www/interfaces_gre.php b/src/usr/local/www/interfaces_gre.php
index a69edd6..9f2d8c0 100644
--- a/src/usr/local/www/interfaces_gre.php
+++ b/src/usr/local/www/interfaces_gre.php
@@ -57,7 +57,7 @@ if ($_GET['act'] == "del") {
} else if (gre_inuse($_GET['id'])) {
$input_errors[] = gettext("This GRE tunnel cannot be deleted because it is still being used as an interface.");
} else {
- mwexec("/sbin/ifconfig " . $a_gres[$_GET['id']]['greif'] . " destroy");
+ pfSense_interface_destroy($a_gres[$_GET['id']]['greif']);
unset($a_gres[$_GET['id']]);
write_config();
diff --git a/src/usr/local/www/interfaces_lagg.php b/src/usr/local/www/interfaces_lagg.php
index c521558..23deb7d 100644
--- a/src/usr/local/www/interfaces_lagg.php
+++ b/src/usr/local/www/interfaces_lagg.php
@@ -63,7 +63,7 @@ if ($_GET['act'] == "del") {
} else if (lagg_inuse($_GET['id'])) {
$input_errors[] = gettext("This LAGG interface cannot be deleted because it is still being used.");
} else {
- mwexec_bg("/sbin/ifconfig " . $a_laggs[$_GET['id']]['laggif'] . " destroy");
+ pfSense_interface_destroy($a_laggs[$_GET['id']]['laggif']);
unset($a_laggs[$_GET['id']]);
write_config();
diff --git a/src/usr/local/www/interfaces_qinq.php b/src/usr/local/www/interfaces_qinq.php
index 63fa1b4..1997c19 100644
--- a/src/usr/local/www/interfaces_qinq.php
+++ b/src/usr/local/www/interfaces_qinq.php
@@ -67,7 +67,7 @@ if ($_GET['act'] == "del") {
}
mwexec("/usr/sbin/ngctl shutdown {$qinq['vlanif']}qinq:");
mwexec("/usr/sbin/ngctl shutdown {$qinq['vlanif']}:");
- mwexec("/sbin/ifconfig {$qinq['vlanif']} destroy");
+ pfSense_interface_destroy($qinq['vlanif']);
unset($a_qinqs[$id]);
write_config();
diff --git a/src/usr/local/www/interfaces_wireless.php b/src/usr/local/www/interfaces_wireless.php
index dafe49d..304eca2 100644
--- a/src/usr/local/www/interfaces_wireless.php
+++ b/src/usr/local/www/interfaces_wireless.php
@@ -57,7 +57,7 @@ if ($_GET['act'] == "del") {
if (clone_inuse($_GET['id'])) {
$input_errors[] = gettext("This wireless clone cannot be deleted because it is assigned as an interface.");
} else {
- mwexec("/sbin/ifconfig " . $a_clones[$_GET['id']]['cloneif'] . " destroy");
+ pfSense_interface_destroy($a_clones[$_GET['id']]['cloneif']);
unset($a_clones[$_GET['id']]);
write_config();
diff --git a/src/usr/local/www/interfaces_wireless_edit.php b/src/usr/local/www/interfaces_wireless_edit.php
index 419f9c6..d30b5c4 100644
--- a/src/usr/local/www/interfaces_wireless_edit.php
+++ b/src/usr/local/www/interfaces_wireless_edit.php
@@ -125,7 +125,7 @@ if ($_POST) {
} else {
if (isset($id) && $a_clones[$id]) {
if ($clone['if'] != $a_clones[$id]['if']) {
- mwexec("/sbin/ifconfig " . $a_clones[$id]['cloneif'] . " destroy");
+ pfSense_interface_destroy($a_clones[$id]['cloneif']);
}
$input_errors[] = sprintf(gettext("Created with id %s"), $id);
$a_clones[$id] = $clone;
--
cgit v1.1
From a0052ea3a5fe74246795d90bcacadd025801134a Mon Sep 17 00:00:00 2001
From: stilez
Date: Wed, 4 Jan 2017 20:55:35 +0000
Subject: left label as comment above
---
src/usr/local/www/system_advanced_network.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/usr/local/www/system_advanced_network.php b/src/usr/local/www/system_advanced_network.php
index 9028b04..72e0321 100644
--- a/src/usr/local/www/system_advanced_network.php
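Review bot: In the interfaces_qinq.php hunk the two `ngctl shutdown` commands directly above the replaced line still interpolate `$qinq['vlanif']` into a shell string without `escapeshellarg()`, while the ifconfig call of the same shape was moved to `pfSense_interface_destroy()`. The value appears to come from the saved config rather than straight from the request, so the exposure is limited, but quoting it the way the openvpn.inc hunks in this series do — `mwexec("/usr/sbin/ngctl shutdown " . escapeshellarg("{$qinq['vlanif']}qinq:"));` and likewise for the second call — keeps the delete path consistent. The enclosing `if ($_GET['act'] == "del")` block begins before the hunk.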
+++ b/src/usr/local/www/system_advanced_network.php
@@ -159,7 +159,7 @@ $section->addInput(new Form_Checkbox(
'blocks traffic.');
-$group = new Form_Group('IPv6 over IPv4 Tunneling');
+$group = new Form_Group('IPv6 over IPv4');
$group->add(new Form_Checkbox(
'ipv6nat_enable',
'IPv6 over IPv4 Tunneling',
--
cgit v1.1
From 54c90c3527b0a7c596a616cbf6fc58fd6663646a Mon Sep 17 00:00:00 2001
From: Steve Beaver
Date: Wed, 4 Jan 2017 15:36:37 -0500
Subject: Minor help text change
---
src/usr/local/www/vpn_openvpn_server.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/usr/local/www/vpn_openvpn_server.php b/src/usr/local/www/vpn_openvpn_server.php
index e9d397a..06c32da 100644
--- a/src/usr/local/www/vpn_openvpn_server.php
+++ b/src/usr/local/www/vpn_openvpn_server.php
@@ -912,7 +912,7 @@ if ($act=="new" || $act=="edit"):
true
))->setReadonly()
->setAttribute('size', '10')
- ->setHelp('Allowed NCP Encryption Algorithms. Click an algorithm name to remove it from the list');
+ ->setHelp('Algorithm list.
Click an algorithm name to remove it from the list');
$group->setHelp( 'The order of the selected NCP Encryption Algorithms is respected by OpenVPN.' . '
' . sprint_info_box(
--
cgit v1.1
From b191e31e964f424cae96b39023718aaca7e345e6 Mon Sep 17 00:00:00 2001
From: Steve Beaver
Date: Wed, 4 Jan 2017 15:55:05 -0500
Subject: No longer add "null" to the selector when clicking a blank area
---
src/usr/local/www/vpn_openvpn_client.php | 4 +++-
src/usr/local/www/vpn_openvpn_server.php | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/usr/local/www/vpn_openvpn_client.php b/src/usr/local/www/vpn_openvpn_client.php
index fba3d43..4c87611 100644
--- a/src/usr/local/www/vpn_openvpn_client.php
+++ b/src/usr/local/www/vpn_openvpn_client.php
@@ -1062,7 +1062,9 @@ events.push(function() {
// On click, remove the cipher from the list
$('[id="ncp-ciphers[]"]').click(function () {
- updateCiphers($(this).val());
+ if ($(this).val() != null) {
+ updateCiphers($(this).val());
+ }
});
// Make sure hte "Availlable ciphers" selector is not submitted with the form,
diff --git a/src/usr/local/www/vpn_openvpn_server.php b/src/usr/local/www/vpn_openvpn_server.php
index 06c32da..34e4bb0 100644
--- a/src/usr/local/www/vpn_openvpn_server.php
+++ b/src/usr/local/www/vpn_openvpn_server.php
@@ -1779,7 +1779,9 @@ events.push(function() {
// On click, remove the cipher from the list
$('[id="ncp-ciphers[]"]').click(function () {
- updateCiphers($(this).val());
+ if ($(this).val() != null) {
+ updateCiphers($(this).val());
+ }
});
// Make sure hte "Availlable ciphers" selector is not submitted with the form,
--
cgit v1.1
From d37d7c3a8a6d626ff1d9cf95854ff3384c1dc771 Mon Sep 17 00:00:00 2001
From: Renato Botelho
Date: Wed, 4 Jan 2017 19:04:36 -0200
Subject: Fix conditional to work as expected when $id == 0
---
src/usr/local/www/vpn_openvpn_server.php | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/usr/local/www/vpn_openvpn_server.php b/src/usr/local/www/vpn_openvpn_server.php
index 34e4bb0..52672f8 100644
--- a/src/usr/local/www/vpn_openvpn_server.php
+++ b/src/usr/local/www/vpn_openvpn_server.php
@@ -476,8 +476,13 @@ if ($_POST) {
$server = array();
- if ($id && $pconfig['dev_mode'] <> $a_server[$id]['dev_mode']) {
- openvpn_delete('server', $a_server[$id]);// delete(rename) old interface so a new TUN or TAP interface can be created.
+ if (isset($id) && $a_server[$id] &&
+ $pconfig['dev_mode'] <> $a_server[$id]['dev_mode']) {
+ /*
+ * delete old interface so a new TUN or TAP interface
+ * can be created.
+ */
+ openvpn_delete('server', $a_server[$id]);
}
if ($vpnid) {
--
cgit v1.1
From 9272a448d4a9607c7f503a695775fe9674539160 Mon Sep 17 00:00:00 2001
From: Renato Botelho
Date: Wed, 4 Jan 2017 19:05:01 -0200
Subject: Remove unnecessary reference
---
src/etc/inc/openvpn.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc
index 00829e2..532e002 100644
--- a/src/etc/inc/openvpn.inc
+++ b/src/etc/inc/openvpn.inc
@@ -1257,7 +1257,7 @@ function openvpn_restart($mode, $settings) {
unlock($lockhandle);
}
-function openvpn_delete($mode, & $settings) {
+function openvpn_delete($mode, $settings) {
global $g, $config;
$vpnid = $settings['vpnid'];
--
cgit v1.1
From 3b1642ff0d968c723f258c3a9a2059f0070d640f Mon Sep 17 00:00:00 2001
From: Renato Botelho
Date: Wed, 4 Jan 2017 19:05:10 -0200
Subject: Destroy tun/tap device when delete OpenVPN tunnel
---
src/etc/inc/openvpn.inc | 14 ++------------
1 file changed, 2 insertions(+), 12 deletions(-)
diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc
index 532e002..3128744 100644
--- a/src/etc/inc/openvpn.inc
+++ b/src/etc/inc/openvpn.inc
@@ -1263,13 +1263,6 @@ function openvpn_delete($mode, $settings) {
$vpnid = $settings['vpnid'];
$mode_id = $mode.$vpnid;
- if (isset($settings['dev_mode'])) {
- $tunname = "{$settings['dev_mode']}{$vpnid}";
- } else {
- /* defaults to tun */
- $tunname = "tun{$vpnid}";
- }
-
if ($mode == "server") {
$devname = "ovpns{$vpnid}";
} else {
@@ -1288,11 +1281,8 @@ function openvpn_delete($mode, $settings) {
posix_kill($pid, SIGTERM);
}
- /* remove the device from the openvpn group */
- mwexec("/sbin/ifconfig " . escapeshellarg($devname) . " -group openvpn");
-
- /* restore the original adapter name */
- mwexec("/sbin/ifconfig " . escapeshellarg($devname) . " name " . escapeshellarg($tunname));
+ /* destroy the device */
+ pfSense_interface_destroy($devname);
/* remove the configuration files */
@array_map('unlink', glob("{$g['varetc_path']}/openvpn/{$mode_id}.*"));
--
cgit v1.1
From 16fbe9b7ee1abfb8b9504a8d1e90dcd7592f9fe2 Mon Sep 17 00:00:00 2001
From: stilez
Date: Wed, 4 Jan 2017 21:11:24 +0000
Subject: change as commented and remove redundant help text
---
src/usr/local/www/system_advanced_network.php | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/usr/local/www/system_advanced_network.php b/src/usr/local/www/system_advanced_network.php
index 72e0321..19f16d9 100644
--- a/src/usr/local/www/system_advanced_network.php
+++ b/src/usr/local/www/system_advanced_network.php
@@ -160,6 +160,7 @@ $section->addInput(new Form_Checkbox(
$group = new Form_Group('IPv6 over IPv4');
+
$group->add(new Form_Checkbox(
'ipv6nat_enable',
'IPv6 over IPv4 Tunneling',
@@ -169,10 +170,10 @@ $group->add(new Form_Checkbox(
$group->add(new Form_Input(
'ipv6nat_ipaddr',
- 'Tunnel Peer\'s IP Address',
+ 'IPv4 address of Tunnel Peer',
'text',
$pconfig['ipv6nat_ipaddr']
-))->setHelp('The IPv4 address of the tunneling peer');
+));
$group->setHelp('These options create an RFC 2893 compatible mechanism for IPv4 NAT encapsulation of IPv6 packets, ' .
'that can be used to tunnel IPv6 packets over IPv4 routing infrastructures. A firewall rule to pass IPv6 packets ' .
--
cgit v1.1
From 21504a52fb0f5ad02dd374b171fdafb1cd68c709 Mon Sep 17 00:00:00 2001
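Review bot: `pfSense_interface_destroy($devname)` in the openvpn.inc hunk is issued immediately after the `posix_kill($pid, SIGTERM)` shown above it, and SIGTERM is delivered asynchronously, so the OpenVPN process may still hold the tun/tap device when the destroy request arrives; whether that fails outright or leaves the device behind depends on the kernel, and nothing in the hunk checks the outcome. If the pid handling above the hunk permits it, waiting for the process to exit first — a short bounded loop until `posix_kill($pid, 0)` returns false — before calling destroy would make the teardown deterministic. openvpn_delete() begins before the hunk and the pid lookup is not visible here.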
From: Renato Botelho
Date: Wed, 4 Jan 2017 19:14:15 -0200
Subject: As done on OpenVPN Server, delete tunnel when dev_mode changes so new device is created accordingly
---
src/usr/local/www/vpn_openvpn_client.php | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/usr/local/www/vpn_openvpn_client.php b/src/usr/local/www/vpn_openvpn_client.php
index 4c87611..d3666bb 100644
--- a/src/usr/local/www/vpn_openvpn_client.php
+++ b/src/usr/local/www/vpn_openvpn_client.php
@@ -349,6 +349,15 @@ if ($_POST) {
$client = array();
+ if (isset($id) && $a_client[$id] &&
+ $pconfig['dev_mode'] <> $a_client[$id]['dev_mode']) {
+ /*
+ * delete old interface so a new TUN or TAP interface
+ * can be created.
+ */
+ openvpn_delete('client', $a_client[$id]);
+ }
+
foreach ($simplefields as $stat) {
if (($stat == 'auth_pass') && ($_POST[$stat] == DMYPWD)) {
$client[$stat] = $a_client[$id]['auth_pass'];
--
cgit v1.1
From a1650bb758b68eb909e7efb5094ac455c7f03475 Mon Sep 17 00:00:00 2001
From: Renato Botelho
Date: Wed, 4 Jan 2017 19:14:57 -0200
Subject: Fix a probably copy/paste error
---
src/usr/local/www/vpn_openvpn_client.php | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/usr/local/www/vpn_openvpn_client.php b/src/usr/local/www/vpn_openvpn_client.php
index d3666bb..3ce2c95 100644
--- a/src/usr/local/www/vpn_openvpn_client.php
+++ b/src/usr/local/www/vpn_openvpn_client.php
@@ -149,7 +149,7 @@ if ($_GET['act'] == "edit") {
if ($a_client[$id]['tls']) {
$pconfig['tlsauth_enable'] = "yes";
$pconfig['tls'] = base64_decode($a_client[$id]['tls']);
- $pconfig['tls_type'] = $a_server[$id]['tls_type'];
+ $pconfig['tls_type'] = $a_client[$id]['tls_type'];
}
} else {
$pconfig['shared_key'] = base64_decode($a_client[$id]['shared_key']);
@@ -881,7 +881,7 @@ if ($act=="new" || $act=="edit"):
$act
));
- if (isset($id) && $a_server[$id]) {
+ if (isset($id) && $a_client[$id]) {
$section->addInput(new Form_Input(
'id',
null,
--
cgit v1.1
From b6dd335e6b81c89f2e4dd63cbd638853ebe2a275 Mon Sep 17 00:00:00 2001
From: jim-p
Date: Wed, 4 Jan 2017 20:51:25 -0500
Subject: Fix up OpenVPN CSC page help text, add IPv6 tunnel network. Fixes #7053
---
src/etc/inc/openvpn.inc | 7 +++++
src/usr/local/www/vpn_openvpn_csc.php | 57 +++++++++++++++++++++++------------
2 files changed, 44 insertions(+), 20 deletions(-)
diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc
index 3128744..abef6a8 100644
--- a/src/etc/inc/openvpn.inc
+++ b/src/etc/inc/openvpn.inc
@@ -1356,6 +1356,13 @@ function openvpn_resync_csc(& $settings) {
$csc_conf .= "ifconfig-push {$clientip} {$serverip}\n";
}
}
+
+ if (!empty($serversettings['tunnel_networkv6']) && !empty($settings['tunnel_networkv6'])) {
+ list($ipv6, $prefix) = explode('/', trim($serversettings['tunnel_networkv6']));
+ list($ipv6_1, $ipv6_2) = openvpn_get_interface_ipv6($ipv6, $prefix);
+ $csc_conf .= "ifconfig-ipv6-push {$settings['tunnel_networkv6']} {$ipv6_1}\n";
+ }
+
file_put_contents($csc_path, $csc_conf);
chown($csc_path, 'nobody');
chgrp($csc_path, 'nobody');
diff --git a/src/usr/local/www/vpn_openvpn_csc.php b/src/usr/local/www/vpn_openvpn_csc.php
index 16ba076..65932c2 100644
--- a/src/usr/local/www/vpn_openvpn_csc.php
+++ b/src/usr/local/www/vpn_openvpn_csc.php
@@ -74,6 +74,7 @@ if ($_GET['act'] == "edit") {
$pconfig['description'] = $a_csc[$id]['description'];
$pconfig['tunnel_network'] = $a_csc[$id]['tunnel_network'];
+ $pconfig['tunnel_networkv6'] = $a_csc[$id]['tunnel_networkv6'];
$pconfig['local_network'] = $a_csc[$id]['local_network'];
$pconfig['local_networkv6'] = $a_csc[$id]['local_networkv6'];
$pconfig['remote_network'] = $a_csc[$id]['remote_network'];
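Review bot: In the openvpn.inc hunk the server-side `tunnel_networkv6` is passed through `trim()` before being split, but the client-side `$settings['tunnel_networkv6']` is interpolated into the `ifconfig-ipv6-push` directive as-is, so stray whitespace saved in the CSC entry would produce a malformed line in the per-client file that OpenVPN reads. Applying the same normalisation, `$csc_conf .= "ifconfig-ipv6-push " . trim($settings['tunnel_networkv6']) . " {$ipv6_1}\n";`, keeps the two sides consistent. The `explode('/', ...)` result is also destructured without checking that a prefix was present; if `$serversettings` can hold a bare address, `$prefix` is undefined when passed to openvpn_get_interface_ipv6(). `$serversettings` is defined above the hunk and openvpn_resync_csc() starts before it.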
@@ -132,7 +133,10 @@ if ($_POST) {
$pconfig = $_POST;
/* input validation */
- if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], 'Tunnel network')) {
+ if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], 'IPv4 Tunnel Network')) {
+ $input_errors[] = $result;
+ }
+ if ($result = openvpn_validate_cidr($pconfig['tunnel_networkv6'], 'IPv6 Tunnel Network', false, "ipv6")) {
$input_errors[] = $result;
}
@@ -219,6 +223,7 @@ if ($_POST) {
$csc['block'] = $pconfig['block'];
$csc['description'] = $pconfig['description'];
$csc['tunnel_network'] = $pconfig['tunnel_network'];
+ $csc['tunnel_networkv6'] = $pconfig['tunnel_networkv6'];
$csc['local_network'] = $pconfig['local_network'];
$csc['local_networkv6'] = $pconfig['local_networkv6'];
$csc['remote_network'] = $pconfig['remote_network'];
@@ -320,7 +325,7 @@ if ($act == "new" || $act == "edit"):
$pconfig['server_list'],
$serveroptionlist,
true
- ))->setHelp('Select the servers for which the override will apply. Selecting no servers will also apply the override to all servers.');
+ ))->setHelp('Select the servers that will utilize this override. When no servers are selected, the override will apply to all servers.');
$section->addInput(new Form_Checkbox(
@@ -332,24 +337,24 @@ if ($act == "new" || $act == "edit"):
$section->addInput(new Form_Input(
'common_name',
- 'Common name',
+ 'Common Name',
'text',
$pconfig['common_name']
- ))->setHelp('Enter the client\'s X.509 common name.');
+ ))->setHelp('Enter the X.509 common name for the client certificate, or the username for VPNs utilizing password authentication. This match is case sensitive.');
$section->addInput(new Form_Input(
'description',
'Description',
'text',
$pconfig['description']
- ))->setHelp('A description may be entered here for administrative reference (not parsed). ');
+ ))->setHelp('A description for administrative reference (not parsed).');
$section->addInput(new Form_Checkbox(
'block',
'Connection blocking',
- 'Block this client connection based on its common name. ',
+ 'Block this client connection based on its common name.',
$pconfig['block']
- ))->setHelp('Don\'t use this option to permanently disable a client due to a compromised key or password. Use a CRL (certificate revocation list) instead. ');
+ ))->setHelp('Prevents the client from connecting to this server. Do not use this option to permanently disable a client due to a compromised key or password. Use a CRL (certificate revocation list) instead.');
$form->add($section);
@@ -357,45 +362,57 @@ if ($act == "new" || $act == "edit"):
$section->addInput(new Form_Input(
'tunnel_network',
- 'Tunnel Network',
+ 'IPv4 Tunnel Network',
'text',
$pconfig['tunnel_network']
- ))->setHelp('This is the virtual network used for private communications between this client and the server expressed using CIDR (e.g. 10.0.8.0/24). ' .
- 'The first network address is assumed to be the server address and the second network address will be assigned to the client virtual interface. ');
+ ))->setHelp('The virtual IPv4 network used for private communications between this client and the server expressed using CIDR (e.g. 10.0.8.5/24). ' .
+ '
' .
+ 'With subnet topology, enter the client IP address and the subnet mask must match the IPv4 Tunnel Network on the server. ' .
+ '
' .
+ 'With net30 topology, the first network address of the /30 is assumed to be the server address and the second network address will be assigned to the client.');
+
+ $section->addInput(new Form_Input(
+ 'tunnel_networkv6',
+ 'IPv6 Tunnel Network',
+ 'text',
+ $pconfig['tunnel_networkv6']
+ ))->setHelp('The virtual IPv6 network used for private communications between this client and the server expressed using prefix (e.g. 2001:db9:1:1::100/64). ' .
+ '
' .
+ 'Enter the client IPv6 address and prefix. The prefix must match the IPv6 Tunnel Network prefix on the server. ');
$section->addInput(new Form_Input(
'local_network',
'IPv4 Local Network/s',
'text',
$pconfig['local_network']
- ))->setHelp('These are the IPv4 networks that will be accessible from this particular client. Expressed as a comma-separated list of one or more CIDR ranges. ' . '
' .
- 'NOTE: Networks do not need to be specified here if they have already been defined on the main server configuration.');
+ ))->setHelp('These are the IPv4 server-side networks that will be accessible from this particular client. Expressed as a comma-separated list of one or more CIDR networks. ' . '
' .
+ 'NOTE: Networks do not need to be specified here if they have already been defined on the main server configuration.');
$section->addInput(new Form_Input(
'local_networkv6',
'IPv6 Local Network/s',
'text',
$pconfig['local_networkv6']
- ))->setHelp('These are the IPv4 networks that will be accessible from this particular client. Expressed as a comma-separated list of one or more IP/PREFIX networks.' . '
' .
- 'NOTE: Networks do not need to be specified here if they have already been defined on the main server configuration.');
+ ))->setHelp('These are the IPv6 server-side networks that will be accessible from this particular client. Expressed as a comma-separated list of one or more IP/PREFIX networks.' . '
' .
+ 'NOTE: Networks do not need to be specified here if they have already been defined on the main server configuration.');
$section->addInput(new Form_Input(
'remote_network',
'IPv4 Remote Network/s',
'text',
$pconfig['remote_network']
- ))->setHelp('These are the IPv4 networks that will be routed to this client specifically using iroute, so that a site-to-site VPN can be established. ' .
- 'Expressed as a comma-separated list of one or more CIDR ranges. May be left blank if there are no client-side networks to be routed.' . '
' .
- 'NOTE: Remember to add these subnets to the IPv4 Remote Networks list on the corresponding OpenVPN server settings.');
+ ))->setHelp('These are the IPv4 client-side networks that will be routed to this client specifically using iroute, so that a site-to-site VPN can be established. ' .
+ 'Expressed as a comma-separated list of one or more CIDR ranges. May be left blank if there are no client-side networks to be routed.' . '
' .
+ 'NOTE: Remember to add these subnets to the IPv4 Remote Networks list on the corresponding OpenVPN server settings.');
$section->addInput(new Form_Input(
'remote_networkv6',
'IPv6 Remote Network/s',
'text',
$pconfig['remote_networkv6']
- ))->setHelp('These are the IPv6 networks that will be routed to this client specifically using iroute, so that a site-to-site VPN can be established. ' .
- 'Expressed as a comma-separated list of one or more IP/PREFIX networks. May be left blank if there are no client-side networks to be routed.' . '
' .
- 'NOTE: Remember to add these subnets to the IPv6 Remote Networks list on the corresponding OpenVPN server settings.');
+ ))->setHelp('These are the IPv6 client-side networks that will be routed to this client specifically using iroute, so that a site-to-site VPN can be established. ' .
+ 'Expressed as a comma-separated list of one or more IP/PREFIX networks. May be left blank if there are no client-side networks to be routed.' . '
' .
+ 'NOTE: Remember to add these subnets to the IPv6 Remote Networks list on the corresponding OpenVPN server settings.');
$section->addInput(new Form_Checkbox(
'gwredir',
--
cgit v1.1
From 20fb094c759c9520c29c9d52e1a03086645bb9c5 Mon Sep 17 00:00:00 2001
From: Phil Davis
Date: Thu, 5 Jan 2017 08:37:11 +0545
Subject: vpn_openvpn_server comment typo
---
src/usr/local/www/vpn_openvpn_server.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/usr/local/www/vpn_openvpn_server.php b/src/usr/local/www/vpn_openvpn_server.php
index 52672f8..cbb33ba 100644
--- a/src/usr/local/www/vpn_openvpn_server.php
+++ b/src/usr/local/www/vpn_openvpn_server.php
@@ -1789,7 +1789,7 @@ events.push(function() {
}
});
- // Make sure hte "Availlable ciphers" selector is not submitted with the form,
+ // Make sure the "Available ciphers" selector is not submitted with the form,
// and select all of the chosen ciphers so that they are submitted
$('form').submit(function() {
$("#availciphers" ).prop( "disabled", true);
--
cgit v1.1
From 531c348639adb8b7e7d190e8fdab709fea61f61a Mon Sep 17 00:00:00 2001
From: jim-p
Date: Wed, 4 Jan 2017 22:01:16 -0500
Subject: Correct the method used for input validation of NTP Orphan mode. Fixes #7034
---
src/usr/local/www/services_ntpd.php | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/usr/local/www/services_ntpd.php b/src/usr/local/www/services_ntpd.php
index 2adcfe0..808d432 100644
--- a/src/usr/local/www/services_ntpd.php
+++ b/src/usr/local/www/services_ntpd.php
@@ -53,6 +53,10 @@ if ($_POST) {
unset($input_errors);
$pconfig = $_POST;
+ if ((strlen($pconfig['ntporphan']) > 0) && (!is_numericint($pconfig['ntporphan']) || ($pconfig['ntporphan'] < 1) || ($pconfig['ntporphan'] > 15))) {
+ $input_errors[] = gettext("The supplied value for NTP Orphan Mode is invalid.");
+ }
+
if (!$input_errors) {
if (is_array($_POST['interface'])) {
$config['ntpd']['interface'] = implode(",", $_POST['interface']);
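Review bot: The new orphan-mode check in the services_ntpd.php `@@ -53` hunk validates the raw `$pconfig['ntporphan']`, while the store line in the `@@ -91` hunk of the same file saves `trim($pconfig['ntporphan'])`, so the value that is validated is not the value that is written; a value such as `" 5"` may be rejected by `is_numericint()` even though its trimmed form is what would have been stored. Normalising once before the check, `$pconfig['ntporphan'] = trim($pconfig['ntporphan']);`, and dropping the `trim()` at the store site keeps validation and persistence in step. The enclosing `if ($_POST)` block begins before the hunk.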
@@ -91,11 +95,7 @@ if ($_POST) {
}
$config['system']['timeservers'] = trim($timeservers);
- if (!empty($_POST['ntporphan']) && ($_POST['ntporphan'] < 17) && ($_POST['ntporphan'] != '12')) {
- $config['ntpd']['orphan'] = $_POST['ntporphan'];
- } elseif (isset($config['ntpd']['orphan'])) {
- unset($config['ntpd']['orphan']);
- }
+ $config['ntpd']['orphan'] = trim($pconfig['ntporphan']);
if (!empty($_POST['logpeer'])) {
$config['ntpd']['logpeer'] = $_POST['logpeer'];
--
cgit v1.1
From 383bbc177d6c1beb719c8ad8ba2a05c25c3f71c3 Mon Sep 17 00:00:00 2001
From: Phil Davis
Date: Thu, 5 Jan 2017 08:48:33 +0545
Subject: vpn_openvpn_client comment typo
Same stuff was copied here
---
src/usr/local/www/vpn_openvpn_client.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/usr/local/www/vpn_openvpn_client.php b/src/usr/local/www/vpn_openvpn_client.php
index 3ce2c95..e3bc9f1 100644
--- a/src/usr/local/www/vpn_openvpn_client.php
+++ b/src/usr/local/www/vpn_openvpn_client.php
@@ -1076,7 +1076,7 @@ events.push(function() {
}
});
- // Make sure hte "Availlable ciphers" selector is not submitted with the form,
+ // Make sure the "Available ciphers" selector is not submitted with the form,
// and select all of the chosen ciphers so that they are submitted
$('form').submit(function() {
$("#availciphers" ).prop( "disabled", true);
--
cgit v1.1
From cd45956e512dd5efc122974bb87ca2bcd05010ca Mon Sep 17 00:00:00 2001
From: jim-p
Date: Wed, 4 Jan 2017 22:08:54 -0500
Subject: Fix label for consistency.
---
src/usr/local/www/vpn_openvpn_server.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/usr/local/www/vpn_openvpn_server.php b/src/usr/local/www/vpn_openvpn_server.php
index cbb33ba..efd3b26 100644
--- a/src/usr/local/www/vpn_openvpn_server.php
+++ b/src/usr/local/www/vpn_openvpn_server.php
@@ -917,7 +917,7 @@ if ($act=="new" || $act=="edit"):
true
))->setReadonly()
->setAttribute('size', '10')
- ->setHelp('Algorithm list.
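Review bot: `$config['ntpd']['orphan'] = trim($pconfig['ntporphan']);` now writes an empty string into the config when the field is left blank, whereas the removed branch unset the key in that case; any consumer that tests `isset($config['ntpd']['orphan'])` or `!empty(...)` (the removed code itself used `isset`) will now see the key present with an empty value, and the saved config shape changes for every existing install on the next save. Keeping the unset path preserves the old shape: `$orphan = trim($pconfig['ntporphan']);` then `if ($orphan !== '') { $config['ntpd']['orphan'] = $orphan; }` else `unset($config['ntpd']['orphan']);`. How the ntpd config generator reads this key is outside the hunk.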
Click an algorithm name to remove it from the list');
+ ->setHelp('Allowed NCP Encryption Algorithms. Click an algorithm name to remove it from the list');
$group->setHelp( 'The order of the selected NCP Encryption Algorithms is respected by OpenVPN.' . '
' . sprint_info_box(
--
cgit v1.1
From 0c5d4e8d3e4dc81a9c7eb883a40296493e9faa2b Mon Sep 17 00:00:00 2001
From: Phil Davis
Date: Thu, 5 Jan 2017 13:42:22 +0545
Subject: Correctly report unmonitored gateway status
If an alternate monitor IP has been entered and saved, then the user checks "Disable Gateway Monitoring" and saves, the alternate monitor IP is retained in the config - that is handy for when unchecking "Disable Gateway Monitoring" later on. But the Gateways widget and Status Gateways do not correctly understand this combination. The gateway status shows as "Online" when it is intended to show "Online (unmonitored)". This PR corrects this.
---
src/etc/inc/gwlb.inc | 2 ++
src/usr/local/www/status_gateways.php | 10 ++++++++--
src/usr/local/www/widgets/widgets/gateways.widget.php | 2 +-
3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/etc/inc/gwlb.inc b/src/etc/inc/gwlb.inc
index b240c12..fdb0151 100644
--- a/src/etc/inc/gwlb.inc
+++ b/src/etc/inc/gwlb.inc
@@ -466,6 +466,8 @@ function return_gateways_status($byname = false) {
$status[$target]['loss'] = "";
$status[$target]['status'] = "none";
}
+
+ $status[$target]['monitor_disable'] = true;
}
return($status);
}
diff --git a/src/usr/local/www/status_gateways.php b/src/usr/local/www/status_gateways.php
index d633fab..5b5125c 100644
--- a/src/usr/local/www/status_gateways.php
+++ b/src/usr/local/www/status_gateways.php
@@ -140,11 +140,17 @@ display_top_tabs($tab_array); $online = gettext("Warning, Latency") . ': ' . $status['delay']; $bgcolor = "bg-warning"; } elseif ($status['status'] == "none") { - $online = gettext("Online"); + if ($status['monitor_disable'] || ($status['monitorip'] == "none")) { + $online = gettext("Online (unmonitored)"); + } else { + $online = gettext("Online"); + } $bgcolor = "bg-success"; } } else if (isset($gateway['monitor_disable'])) { - $online = gettext("Online"); + // Note: return_gateways_status() always returns an array entry for all gateways, + // so this "else if" never happens. + $online = gettext("Online (unmonitored)"); $bgcolor = "bg-success"; } else { $online = gettext("Pending"); diff --git a/src/usr/local/www/widgets/widgets/gateways.widget.php b/src/usr/local/www/widgets/widgets/gateways.widget.php index 34f4d2e..c7c92bd 100644 --- a/src/usr/local/www/widgets/widgets/gateways.widget.php +++ b/src/usr/local/www/widgets/widgets/gateways.widget.php @@ -233,7 +233,7 @@ function compose_table_body_contents() { $online = gettext("Latency"); $bgcolor = "warning"; // khaki } elseif ($gateways_status[$gname]['status'] == "none") { - if ($gateways_status[$gname]['monitorip'] == "none") { + if ($gateways_status[$gname]['monitor_disable'] || ($gateways_status[$gname]['monitorip'] == "none")) { $online = gettext("Online
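Review bot: `$status['monitor_disable']` is read directly, but gwlb.inc only sets that key on the unmonitored path, so for a monitored gateway whose status is `"none"` this line raises an undefined-index notice on every page load; use `!empty($status['monitor_disable'])` instead. The same unguarded read appears in the gateways.widget.php hunk (`$gateways_status[$gname]['monitor_disable']`) and needs the same change. The added comment documents the `else if` branch as unreachable; either remove the dead branch or reword the comment so it reads as a defensive fallback rather than a known no-op. The enclosing conditional chain starts before the hunk.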
(unmonitored)"); } else { $online = gettext("Online"); -- cgit v1.1 From e47af756de79d4e8b0356cf22f72f62f09e9ad7d Mon Sep 17 00:00:00 2001 
From: stilez Date: Thu, 5 Jan 2017 10:44:20 -0200 Subject: get_pkg_info() fallback using pkg info if no local copy of repo catalog *Current behaviour* At the moment, get_pkg_info() is used to get all information on packages. The parameter _$local_only_ is set to request info directly from the local copy of the repo catalog (using -U) without requesting the remote repo catalog or updating the local copy from the remote repo catalog. If the calling code wants only installed pkgs, it filters the returned list of pkgs looking for _$pkg['installed'] == true_. There's a couple of problems with this method as it stands, due to the behaviour of pkg search -U. 1. When the remote catalog is requested and the request failed, the local copy is also deleted. If this happens, then pkg search returns an error even with -U, so even if all we wanted was to know from get_pkg_info() was the names of locally installed packages, it can't be used for this (even though this info doesn't need access to a remote repo catalog) 2. This behaviour, and the use of get_pkg_info() as the main method to get a list of installed pfSense packages and their data, means that any time we don't have a network connection or for any reason get_pkg_info() fails to access the repo catalog remotely, we become blocked from *any* inquiry, lookup, listing, or action on *all* optional packages, even if our desired action wouldn't need remote access to complete. We remain unable to do these things until remote repo access is obtained again and a catalog copy can be re-acquired. 3. This also means that nothing to do with getting installed package information or removal can occur offline either. *Change made* It's likely that when code explicitly requests $local_only, it isn't expecting or requiring the local copy to be up to date. So I've modified the code as follows: 1. New optional parameter $installed_only to explicitly request installed pkg info only (faster if we know that no remote request will be needed) 2. 
If $local_only is set and pkg search failed, retry falling back to pkg info to at least provide info on matching installed packages. This is probably more helpful than returning an error, as the assumption with $local_only is not "latest data in repo" so no harm done, and it allows pkg code to at least operate on local pkgs at all times, if not other pkgs in the repo. --- src/etc/inc/pkg-utils.inc | 33 +++++++++++++++++++++++++++------ 1 file changed, 27 insertions(+), 6 deletions(-) diff --git a/src/etc/inc/pkg-utils.inc b/src/etc/inc/pkg-utils.inc index ea61beb..18b77e3 100644 --- a/src/etc/inc/pkg-utils.inc +++ b/src/etc/inc/pkg-utils.inc @@ -337,11 +337,13 @@ function get_package_internal_name($package_data) { } // Get information about packages. -function get_pkg_info($pkgs = 'all', $only_local = false) { +function get_pkg_info($pkgs = 'all', $local_only = false, $installed_only = false) { + global $g, $input_errors; $out = ''; $err = ''; + $rc = 0; unset($pkg_filter); if (is_array($pkgs)) { @@ -350,7 +352,7 @@ function get_pkg_info($pkgs = 'all', $only_local = false) { } if ($pkgs == 'all') { - $pkgs = $g['pkg_prefix']; + $pkgs = $g['pkg_prefix'] . '*'; // Allows same prefix to work with both pkg search + pkg info } if (!function_exists('is_subsystem_dirty')) { 
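Review bot: `global $g, $input_errors;` pulls `$input_errors` into scope, but nothing in this or the following hunks writes to it, so either it is used further down in the function (outside this view) or it is dead and should be dropped. The added `global $g` also appears to fix `$g['pkg_prefix']`, which in the visible old lines was read without any `global` declaration in the function; if that is the case it deserves a mention in the commit message. Appending `'*'` to the prefix is commented as working for both `pkg search` and `pkg info`; if `pkg search` treats its pattern as a regular expression rather than a glob, a trailing `*` means "zero or more of the preceding character" and matches more loosely than intended — worth confirming against the pkg version in use and noting in the comment. get_pkg_info() continues past this hunk.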
@@ -359,21 +361,39 @@ function get_pkg_info($pkgs = 'all', $only_local = false) { /* Do not run remote operations if pkg has a lock */ if (is_subsystem_dirty('pkg')) { - $only_local = true; + $local_only = true; $lock = false; } else { $lock = true; } $extra_param = ""; - if ($only_local) { + if ($local_only) { $extra_param = "-U "; } if ($lock) { mark_subsystem_dirty('pkg'); } - $rc = pkg_exec("search {$extra_param}-R --raw-format json-compact " . $pkgs, $out, $err); + + if (!$installed_only) { + // repo catalog search (either remote or local_only) + $rc = pkg_exec("search {$extra_param}-R --raw-format json-compact " . $pkgs, $out, $err); + } + if ($installed_only || ($local_only && $rc != 0)) { + /* use pkg info if (1) installed pkg search or (2) local catalog copy search requested + failed. + * + * The local repo catalog copy may be cleared if a previous call to pkg search couldn't get the + * remote repo catalog. + * + * If the calling code would have accepted local copy info (which isn't assumed up to date) then it + * makes sense to fall back on pkg info to at least return the known info about installed pkgs (pkg + * info should still work), instead of failing and returning no info at all. For example, this + * enables offline view + management of installed pkgs. + */ + + $rc = pkg_exec("info -R --raw-format json-compact " . $pkgs, $out, $err); + } if ($lock) { clear_subsystem_dirty('pkg'); } @@ -453,7 +473,8 @@ function get_pkg_info($pkgs = 'all', $only_local = false) { function register_all_installed_packages() { global $g, $config, $pkg_interface; - $pkg_info = get_pkg_info('all', true); + $pkg_info = get_pkg_info('all', true, true); + foreach ($pkg_info as $pkg) { if (!isset($pkg['installed'])) { -- cgit v1.1 From ea02e3cf5d54c9f1ebbe09d9fa5522c5c9916876 Mon Sep 17 00:00:00 2001 
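Review bot: The `pkg info` fallback runs silently, so a caller that asked for a `$local_only` catalog search receives installed-only data and an `$rc` from the second command with no indication that the first one failed; log it before the second `pkg_exec`, e.g. `log_error("pkg search failed, falling back to pkg info: {$err}");`. `$out` and `$err` from the failed search are handed straight into the second call, which is fine if pkg_exec() overwrites them but would leak stale error text if it appends — confirm against pkg_exec(). In the `register_all_installed_packages()` hunk, `get_pkg_info('all', true, true)` means the data now comes from `pkg info`, and the `isset($pkg['installed'])` check on the next line relies on that command emitting the `installed` key — confirm, otherwise every package is skipped. Both functions extend beyond their hunks.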
From: Steve Beaver Date: Thu, 5 Jan 2017 09:10:54 -0500 Subject: Completes fix for #6972 --- src/usr/local/www/js/pfSenseHelpers.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/usr/local/www/js/pfSenseHelpers.js b/src/usr/local/www/js/pfSenseHelpers.js index e879f15..2eac30a 100644 --- a/src/usr/local/www/js/pfSenseHelpers.js +++ b/src/usr/local/www/js/pfSenseHelpers.js @@ -353,9 +353,9 @@ function add_row() { $('[id^=delete]').click(function(event) { if ($('.repeatable').length > 1) { if ((typeof retainhelp) == "undefined") - moveHelpText(event.target.id); + moveHelpText($(this).attr("id")); - delete_row(event.target.id); + delete_row($(this).attr("id")); } else { alert('The last row may not be deleted.'); } -- cgit v1.1 From bbb28670fbd6b22eebd8a00f45831662254e361f Mon Sep 17 00:00:00 2001 From: scherma Date: Thu, 5 Jan 2017 16:35:19 +0000 Subject: Corrected indentation style --- src/etc/inc/priv.inc | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/src/etc/inc/priv.inc b/src/etc/inc/priv.inc index fc9f122..c0bd6fb 100644 --- a/src/etc/inc/priv.inc +++ b/src/etc/inc/priv.inc 
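Review bot: `$(this).attr("id")` is evaluated twice in the click handler; read the DOM property once with `var id = this.id;` and pass `id` to both `moveHelpText()` and `delete_row()`, which also avoids a jQuery wrapper for a plain property read. add_row() continues outside the hunk.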
@@ -269,32 +269,32 @@ function getAllowedPages($username, &$attributes = array()) { if ($_SESSION['remoteauth']) { $authcfg = auth_get_authserver($config['system']['webgui']['authmode']); - // cache auth results for a short time to ease load on auth services & logs + // cache auth results for a short time to ease load on auth services & logs if (isset($config['system']['webgui']['auth_refresh_time'])) { $recheck_time = $config['system']['webgui']['auth_refresh_time']; } else { $recheck_time = 30; } - // obtain ldap groups if we are in ldap mode - if ($authcfg['type'] == "ldap") { - if ( isset($_SESSION["ldap_allowed_groups"]) && - ( time() <= $_SESSION["auth_check_time"]+ $recheck_time) ) { - $allowed_groups = $_SESSION["ldap_allowed_groups"]; - } else { - $allowed_groups = @ldap_get_groups($username, $authcfg); - $_SESSION["ldap_allowed_groups"] = $allowed_groups; - $_SESSION["auth_check_time"] = time(); - } - } elseif ($authcfg['type'] == "radius") { - if ( isset($_SESSION["radius_allowed_groups"]) && - (time() <= $_SESSION["auth_check_time"] + $recheck_time) ) { - $allowed_groups = $_SESSION["radius_allowed_groups"]; - } else { - $allowed_groups = @radius_get_groups($attributes); - $_SESSION["radius_allowed_groups"] = $allowed_groups; - $_SESSION["auth_check_time"] = time(); - } - } + // obtain ldap groups if we are in ldap mode + if ($authcfg['type'] == "ldap") { + if ( isset($_SESSION["ldap_allowed_groups"]) && + ( time() <= $_SESSION["auth_check_time"]+ $recheck_time) ) { + $allowed_groups = $_SESSION["ldap_allowed_groups"]; + } else { + $allowed_groups = @ldap_get_groups($username, $authcfg); + $_SESSION["ldap_allowed_groups"] = $allowed_groups; + $_SESSION["auth_check_time"] = time(); + } + } elseif ($authcfg['type'] == "radius") { + if ( isset($_SESSION["radius_allowed_groups"]) && + (time() <= $_SESSION["auth_check_time"] + $recheck_time) ) { + $allowed_groups = $_SESSION["radius_allowed_groups"]; + } else { + $allowed_groups = 
@radius_get_groups($attributes); + $_SESSION["radius_allowed_groups"] = $allowed_groups; + $_SESSION["auth_check_time"] = time(); + } + } } if (!$allowed_groups) { -- cgit v1.1 From 1d3fbcc7dfef379e20543897596d3843ccba7485 Mon Sep 17 00:00:00 2001 From: scherma Date: Thu, 5 Jan 2017 17:21:24 +0000 Subject: Remove redundancy, more indentation cleanup --- src/usr/local/www/system_usermanager_settings.php | 34 +++++++++++------------ 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/src/usr/local/www/system_usermanager_settings.php b/src/usr/local/www/system_usermanager_settings.php index cfc7ae7..4418f4f 100644 --- a/src/usr/local/www/system_usermanager_settings.php +++ b/src/usr/local/www/system_usermanager_settings.php @@ -92,17 +92,17 @@ if ($_REQUEST['ajax']) { } } -$pconfig['session_timeout'] = &$config['system']['webgui']['session_timeout']; +$pconfig['session_timeout'] = $config['system']['webgui']['session_timeout']; if (isset($config['system']['webgui']['authmode'])) { - $pconfig['authmode'] = &$config['system']['webgui']['authmode']; + $pconfig['authmode'] = $config['system']['webgui']['authmode']; } else { $pconfig['authmode'] = "Local Database"; } -$pconfig['backend'] = &$config['system']['webgui']['backend']; +$pconfig['backend'] = $config['system']['webgui']['backend']; -$pconfig['auth_refresh_time'] = &$config['system']['webgui']['auth_refresh_time']; +$pconfig['auth_refresh_time'] = $config['system']['webgui']['auth_refresh_time']; // Page title for main admin $pgtitle = array(gettext("System"), gettext("User Manager"), gettext("Settings")); 
@@ -119,10 +119,10 @@ if ($_POST) { $input_errors[] = gettext("Session timeout must be an integer value."); } } - + if (isset($_POST['auth_refresh_time'])) { $timeout = intval($_POST['auth_refresh_time']); - if ($timeout != "" && (!is_numeric($timeout) || $timeout < 0 || $timeout > 3600 )) { + if (!is_numeric($timeout) || $timeout < 0 || $timeout > 3600 ) { $input_errors[] = gettext("Authentication refresh time must be an integer between 0 and 3600 (inclusive)."); } } @@ -155,11 +155,11 @@ if ($_POST) { unset($config['system']['webgui']['authmode']); } - if (isset($_POST['auth_refresh_time']) && $_POST['auth_refresh_time'] != "") { - $config['system']['webgui']['auth_refresh_time'] = intval($_POST['auth_refresh_time']); - } else { - unset($config['system']['webgui']['auth_refresh_time']); - } + if (isset($_POST['auth_refresh_time']) && $_POST['auth_refresh_time'] != "") { + $config['system']['webgui']['auth_refresh_time'] = intval($_POST['auth_refresh_time']); + } else { + unset($config['system']['webgui']['auth_refresh_time']); + } write_config(); @@ -215,13 +215,13 @@ $section->addInput(new Form_Select( )); $section->addInput(new Form_Input( - 'auth_refresh_time', - 'Auth Refresh Time', - 'number', - $pconfig['auth_refresh_time'], - ['min' => 0, 'max' => 3600] + 'auth_refresh_time', + 'Auth Refresh Time', + 'number', + $pconfig['auth_refresh_time'], + ['min' => 0, 'max' => 3600] ))->setHelp('Time in seconds to cache authentication results. The default is 30 seconds, maximum 3600 (one hour). '. - 'Shorter times result in more frequent queries to authentication servers.'); + 'Shorter times result in more frequent queries to authentication servers.'); $form->addGlobal(new Form_Button( 'savetest', -- cgit v1.1 From 80e7011fddd29a387c4c84b68c8c49dce4494729 Mon Sep 17 00:00:00 2001 
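Review bot: In the `auth_refresh_time` check, `$timeout` has already been through `intval()`, so `is_numeric($timeout)` is always true and non-numeric input such as `abc` becomes `0` and passes; the removed `$timeout != ""` test was equally ineffective. Validate the raw POST value before converting, e.g. `$raw = $_POST['auth_refresh_time']; if ($raw !== '' && (!is_numericint($raw) || intval($raw) < 0 || intval($raw) > 3600)) {`. The 0–3600 bound matters because this value is how long cached LDAP/RADIUS group results are trusted before a re-check, so a silently accepted bad value changes how quickly a revoked membership takes effect. The enclosing `if ($_POST)` block starts before this hunk.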
From: jim-p Date: Thu, 5 Jan 2017 18:18:27 -0500 Subject: Return partial MAC address matching support to is_macaddr(). Fixes #7088 --- src/etc/inc/util.inc | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/src/etc/inc/util.inc b/src/etc/inc/util.inc index df5cdd0..4d157d7 100644 --- a/src/etc/inc/util.inc +++ b/src/etc/inc/util.inc @@ -986,12 +986,18 @@ function is_domain($domain, $allow_wildcard=false) { } /* returns true if $macaddr is a valid MAC address */ -function is_macaddr($macaddr) { +function is_macaddr($macaddr, $partial=false) { $values = explode(":", $macaddr); - if (count($values) != 6) { + + /* Verify if the MAC address has a proper amount of parts for either a partial or full match. */ + if ($partial) { + if ((count($values) < 1) || (count($values) > 6)) { + return false; + } + } elseif (count($values) != 6) { return false; } - for ($i = 0; $i < 6; $i++) { + for ($i = 0; $i < count($values); $i++) { if (ctype_xdigit($values[$i]) == false) return false; if (hexdec($values[$i]) < 0 || hexdec($values[$i]) > 255) -- cgit v1.1 From 1794ecbb8b37fc97bd1d2fe6ab7ecc19d87a9a68 Mon Sep 17 00:00:00 2001 From: jim-p Date: Thu, 5 Jan 2017 19:17:17 -0500 Subject: Handle the RA Search Domain List when writing out the RADVD config. Fixes #7081 --- src/etc/inc/services.inc | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/src/etc/inc/services.inc b/src/etc/inc/services.inc index 23edf62..7b02bbd 100644 --- a/src/etc/inc/services.inc +++ b/src/etc/inc/services.inc 
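Review bot: In the partial branch, `count($values) < 1` can never be true because `explode()` always returns at least one element, so the check reduces to `> 6`; computing the count once also removes the repeated `count()` in the loop condition: `$n = count($values); if ($n > 6 || (!$partial && $n != 6)) { return false; }`, with the loop then bounded by `$n`. The comment above the function still reads "returns true if $macaddr is a valid MAC address" and should mention that `$partial` accepts a prefix of one to six octets. The loop body continues past the hunk.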
@@ -263,10 +263,22 @@ function services_radvd_configure($blacklist = array()) { $radvdconf .= "\tRDNSS {$dnsstring} { };\n"; } } + + $searchlist = array(); + $domainsearchlist = explode(';', $dhcpv6ifconf['radomainsearchlist']); + foreach ($domainsearchlist as $sd) { + $sd = trim($sd); + if (is_hostname($sd)) { + $searchlist[] = $sd; + } + } + if (count($searchlist) > 0) { + $searchliststring = trim(implode(" ", $searchlist)); + } if (!empty($dhcpv6ifconf['domain'])) { - $radvdconf .= "\tDNSSL {$dhcpv6ifconf['domain']} { };\n"; + $radvdconf .= "\tDNSSL {$dhcpv6ifconf['domain']} {$searchliststring} { };\n"; } elseif (!empty($config['system']['domain'])) { - $radvdconf .= "\tDNSSL {$config['system']['domain']} { };\n"; + $radvdconf .= "\tDNSSL {$config['system']['domain']} {$searchliststring} { };\n"; } $radvdconf .= "};\n"; } -- cgit v1.1 From 0436b9a5197ac8c4646a006c0e351ecf66059193 Mon Sep 17 00:00:00 2001 From: Phil Davis Date: Fri, 6 Jan 2017 13:05:58 +0545 Subject: Redmine #7089 Add extra help about timezone We could also add some text like this to encourage users to choose the "Continent/City" time zones. --- src/usr/local/www/system.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/usr/local/www/system.php b/src/usr/local/www/system.php index 980e773..e1668b3 100644 --- a/src/usr/local/www/system.php +++ b/src/usr/local/www/system.php @@ -456,7 +456,8 @@ $section->addInput(new Form_Select( 'Timezone', $pconfig['timezone'], array_combine($timezonelist, $timezonelist) -))->setHelp('Select the timezone or location within the timezone to be used by this system.'); +))->setHelp('Select the timezone or location within the timezone to be used by this system. '. + 'Usually choose a "Continent/City". Only choose a special or "Etc" entry if you understand why you need to use it.'); $section->addInput(new Form_Input( 'timeservers', -- cgit v1.1 From d2b1c52f4cd0343fb5f0d136490041f9ededcea3 Mon Sep 17 00:00:00 2001 
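Review bot: `$searchliststring` is only assigned inside `if (count($searchlist) > 0)`, so when the list is empty the two `DNSSL` lines below interpolate an undefined variable (a notice, and a doubled space in the generated radvd config); initialise it before the `if` with `$searchliststring = "";`. `explode(';', $dhcpv6ifconf['radomainsearchlist'])` also runs when that key is absent from the config, so guard it with `!empty($dhcpv6ifconf['radomainsearchlist'])`. Filtering each entry through `is_hostname()` before it is written into the radvd config is the right call and worth a one-line comment: `// only well-formed hostnames may reach the generated config`. services_radvd_configure() continues outside the hunk.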
From: Phil Davis Date: Fri, 6 Jan 2017 16:12:21 +0545 Subject: Allow hiding of gateways in Gateways Widget Sometimes there are gateways that I do not care about, so it is handy to be able to save some space on the dashboard by hiding them. This uses similar code structure taken from service_status widget. I made the Save and Clear buttons and all that stuff use the same styles also. I guess that the way it was all done in the Services widget is the more "modern" way. --- .../local/www/widgets/widgets/gateways.widget.php | 140 ++++++++++++++------- 1 file changed, 96 insertions(+), 44 deletions(-) diff --git a/src/usr/local/www/widgets/widgets/gateways.widget.php b/src/usr/local/www/widgets/widgets/gateways.widget.php index c7c92bd..3916ffa 100644 --- a/src/usr/local/www/widgets/widgets/gateways.widget.php +++ b/src/usr/local/www/widgets/widgets/gateways.widget.php @@ -41,9 +41,24 @@ if ($_POST) { if (!is_array($user_settings["widgets"]["gateways_widget"])) { $user_settings["widgets"]["gateways_widget"] = array(); } + if (isset($_POST["display_type"])) { $user_settings["widgets"]["gateways_widget"]["display_type"] = $_POST["display_type"]; } + + if (is_array($_POST['gatewaysfilter'])) { + $validNames = array(); + $a_gateways = return_gateways_array(); + + foreach ($a_gateways as $gname => $gateway) { + array_push($validNames, $gname); + } + + $user_settings["widgets"]["gateways_widget"]["gatewaysfilter"] = implode(',', array_intersect($validNames, $_POST['gatewaysfilter'])); + } else { + $user_settings["widgets"]["gateways_widget"]["gatewaysfilter"] = ""; + } + save_widget_settings($_SESSION['Username'], $user_settings["widgets"], gettext("Updated gateways widget settings via dashboard.")); header("Location: /"); exit(0); @@ -71,55 +86,68 @@ $widgetperiod = isset($config['widgets']['period']) ? $config['widgets']['period
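Review bot: `is_array($_POST['gatewaysfilter'])` reads a key that is absent whenever no gateway is ticked, producing an undefined-index notice on every such save; test `isset($_POST['gatewaysfilter']) && is_array($_POST['gatewaysfilter'])`. The `foreach`/`array_push` loop only collects the keys of `return_gateways_array()`, so `$validNames = array_keys(return_gateways_array());` replaces four lines. The `array_intersect()` against that list is what keeps arbitrary POST values out of the persisted widget settings, so keep it and say so: `// persist only names of gateways that actually exist`. The file's second hunk runs past the end of this view and is not reviewed here.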
- - -