From 05771a248503a0af661195f3e8759fc04370ea2b Mon Sep 17 00:00:00 2001 From: Ermal Date: Wed, 25 May 2011 20:28:10 +0000 Subject: Provide a voucher_expire function so that voucher can be expired through a POST. --- etc/inc/voucher.inc | 355 +++++++++++++++++++++++++++++++++++----------------- 1 file changed, 243 insertions(+), 112 deletions(-) (limited to 'etc') diff --git a/etc/inc/voucher.inc b/etc/inc/voucher.inc index 8d41e05..e6a44c4 100644 --- a/etc/inc/voucher.inc +++ b/etc/inc/voucher.inc @@ -37,6 +37,53 @@ if(!function_exists('captiveportal_syslog')) require_once("captiveportal.inc"); +function xmlrpc_sync_voucher_expire($vouchers, $syncip, $port, $password, $username) { + global $g, $config; + require_once("xmlrpc.inc"); + if($port == "443") + $url = "https://{$syncip}"; + else + $url = "http://{$syncip}"; + + /* Construct code that is run on remote machine */ + $method = 'pfsense.exec_php'; + $execcmd = <<setCredentials($username, $password); + $resp = $cli->send($msg, "250"); + if(!is_object($resp)) { + $error = "A communications error occurred while attempting CaptivePortalVoucherSync XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + log_error($error); + file_notice("CaptivePortalVoucherSync", $error, "Communications error occurred", ""); + return false; + } elseif($resp->faultCode()) { + $error = "An error code was received while attempting CaptivePortalVoucherSync XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("CaptivePortalVoucherSync", $error, "Error code received", ""); + return false; + } else { + log_error("CaptivePortalVoucherSync XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); + } + + $toreturn = XML_RPC_Decode($resp->value()); + + return $toreturn; +} + function xmlrpc_sync_voucher_disconnect($dbent, $syncip, $port, $password, $username, $term_cause = "1", $stop_time = null) { global $g, $config; require_once("xmlrpc.inc"); 
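Review bot: The URL built at the top of xmlrpc_sync_voucher_expire falls back to plain `http://` for every port except the literal `"443"`, so a sync peer that serves TLS on any other port receives the credentials handed to `setCredentials` unencrypted, and nothing records that the plaintext branch was taken. At minimum log the downgrade on that branch, `log_error("CaptivePortalVoucherSync: using plaintext http to {$syncip}:{$port}");`, or derive the scheme from an explicit setting rather than from the port number. The body of the `$execcmd` heredoc is not legible in this view, so the PHP it sends to the master for execution cannot be reviewed here. The hunk's trailing lines belong to xmlrpc_sync_voucher_disconnect, whose body continues outside the hunk.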
@@ -138,6 +185,93 @@ EOF; return $toreturn['timeleft']; } +function voucher_expire($voucher_received) { + global $g, $config; + + $voucherlck = lock('voucher', LOCK_EX); + + // XMLRPC Call over to the master Voucher node + if(!empty($config['voucher']['vouchersyncdbip'])) { + $syncip = $config['voucher']['vouchersyncdbip']; + $syncport = $config['voucher']['vouchersyncport']; + $syncpass = $config['voucher']['vouchersyncpass']; + $vouchersyncusername = $config['voucher']['vouchersyncusername']; + xmlrpc_sync_voucher_expire($voucher_received, $syncip, $syncport, $syncpass, $vouchersyncusername); + } + + // read rolls into assoc array with rollid as key and minutes as value + $tickets_per_roll = array(); + $minutes_per_roll = array(); + if (is_array($config['voucher']['roll'])) { + foreach ($config['voucher']['roll'] as $rollent) { + $tickets_per_roll[$rollent['number']] = $rollent['count']; + $minutes_per_roll[$rollent['number']] = $rollent['minutes']; + } + } + + // split into an array. Useful for multiple vouchers given + $a_vouchers_received = split("[\t\n\r ]+",$voucher_received); + $active_dirty = false; + + // go through all received vouchers, check their valid and extract + // Roll# and Ticket# using the external readvoucher binary + foreach ($a_vouchers_received as $voucher) { + $v = escapeshellarg($voucher); + if (strlen($voucher) < 3) + continue; // seems too short to be a voucher! + + $result = exec("/usr/local/bin/voucher -c {$g['varetc_path']}/voucher.cfg -k {$g['varetc_path']}/voucher.public -- $v"); + list($status, $roll, $nr) = explode(" ", $result); + if ($status == "OK") { + // check if we have this ticket on a registered roll for this ticket + if ($tickets_per_roll[$roll] && ($nr <= $tickets_per_roll[$roll])) { + // voucher is from a registered roll. + if (!isset($active_vouchers[$roll])) + $active_vouchers[$roll] = voucher_read_active_db($roll); + // valid voucher. 
Store roll# and ticket# + if (!empty($active_vouchers[$roll][$voucher])) { + $active_dirty = true; + unset($active_vouchers[$roll][$voucher]); + } + // check if voucher already marked as used + if (!isset($bitstring[$roll])) + $bitstring[$roll] = voucher_read_used_db($roll); + $pos = $nr >> 3; // divide by 8 -> octet + $mask = 1 << ($nr % 8); + // mark bit for this voucher as used + if (!(ord($bitstring[$roll][$pos]) & $mask)) + $bitstring[$roll][$pos] = chr(ord($bitstring[$roll][$pos]) | $mask); + captiveportal_syslog("{$voucher} ({$roll}/{$nr}) forced to expire"); + } else + captiveportal_syslog("$voucher ($roll/$nr): not found on any registererd Roll"); + } else + // hmm, thats weird ... not what I expected + captiveportal_syslog("$voucher invalid: $result !!"); + } + + // Refresh active DBs + if ($active_dirty == true) { + foreach ($active_vouchers as $roll => $active) + voucher_write_active_db($roll, $active); + } + + // Write back the used DB's + if (is_array($bitstring)) { + foreach ($bitstring as $roll => $used) { + if(is_array($used)) { + foreach($used as $u) + voucher_write_used_db($roll, base64_encode($u)); + } else { + voucher_write_used_db($roll, base64_encode($used)); + } + } + } + + unlock($voucherlck); + + return true; +} + /* * Authenticate a voucher and return the remaining time credit in minutes * if $test is set, don't mark the voucher as used nor add it to the list 
@@ -146,17 +280,16 @@ EOF; * but return a more verbose error and result message back */ function voucher_auth($voucher_received, $test = 0) { - global $g, $config; + global $g, $config; - $voucherlck = lock('voucher', LOCK_EX); + $voucherlck = lock('voucher', LOCK_EX); // XMLRPC Call over to the master Voucher node - $a_voucher = &$config['voucher']; - if(!empty($a_voucher['vouchersyncdbip'])) { - $syncip = $a_voucher['vouchersyncdbip']; - $syncport = $a_voucher['vouchersyncport']; - $syncpass = $a_voucher['vouchersyncpass']; - $vouchersyncusername = $a_voucher['vouchersyncusername']; + if(!empty($config['voucher']['vouchersyncdbip'])) { + $syncip = $config['voucher']['vouchersyncdbip']; + $syncport = $config['voucher']['vouchersyncport']; + $syncpass = $config['voucher']['vouchersyncpass']; + $vouchersyncusername = $config['voucher']['vouchersyncusername']; $remote_time_used = xmlrpc_sync_used_voucher($voucher_received, $syncip, $syncport, $syncpass, $vouchersyncusername); } 
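Review bot: voucher_expire returns `true` unconditionally, so the POST handler it is written for cannot tell whether any voucher was actually expired; the not-found and invalid branches only syslog. Track the outcome with `$expired = 0;` next to `$active_dirty = false;`, `$expired++;` beside the `forced to expire` syslog, and `return $expired > 0;` at the end. The result of `xmlrpc_sync_voucher_expire()` is likewise discarded, so a failed remote expire leaves master and local state out of step with only the log line inside that helper as evidence. Both this function and the re-indented voucher_auth in the following hunks tokenize with `split()`, which is deprecated since PHP 5.3; `preg_split('/[\t\n\r ]+/', $voucher_received)` is the drop-in form.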
@@ -170,105 +303,102 @@ function voucher_auth($voucher_received, $test = 0) { } } - // split into an array. Useful for multiple vouchers given - $a_vouchers_received = split("[\t\n\r ]+",$voucher_received); - $error = 0; - $test_result = array(); // used to display for voucher test option in GUI - $total_minutes = 0; - $first_voucher = ""; - $first_voucher_roll = 0; - - // go through all received vouchers, check their valid and extract - // Roll# and Ticket# using the external readvoucher binary - - foreach ($a_vouchers_received as $voucher) { - - $v = escapeshellarg($voucher); - if (strlen($voucher) < 3) - continue; // seems too short to be a voucher! - - $result = exec("/usr/local/bin/voucher -c {$g['varetc_path']}/voucher.cfg -k {$g['varetc_path']}/voucher.public -- $v"); - list($status, $roll, $nr) = explode(" ", $result); - if ($status == "OK") { - if (!$first_voucher) { - // store first voucher. Thats the one we give the timecredit - $first_voucher = $voucher; - $first_voucher_roll = $roll; - } - // check if we have this ticket on a registered roll for this ticket - if ($tickets_per_roll[$roll] && ($nr <= $tickets_per_roll[$roll])) { - // voucher is from a registered roll. - if (!isset($active_vouchers[$roll])) - $active_vouchers[$roll] = voucher_read_active_db($roll); - // valid voucher. Store roll# and ticket# - if (!empty($active_vouchers[$roll][$voucher])) { - list($timestamp,$minutes) = explode(",", $active_vouchers[$roll][$voucher]); - // we have an already active voucher here. - $remaining = intval((($timestamp + (60*$minutes)) - time())/60); - $test_result[] = "$voucher ($roll/$nr) active and good for $remaining Minutes"; - $total_minutes += $remaining; - } else { - // voucher not used. Check if ticket Id is on the roll (not too high) - // and if the ticket is marked used. 
- // check if voucher already marked as used - if (!isset($bitstring[$roll])) - $bitstring[$roll] = voucher_read_used_db($roll); - $pos = $nr >> 3; // divide by 8 -> octet - $mask = 1 << ($nr % 8); - if (ord($bitstring[$roll][$pos]) & $mask) { - $test_result[] = "$voucher ($roll/$nr) already used and expired"; + // split into an array. Useful for multiple vouchers given + $a_vouchers_received = split("[\t\n\r ]+",$voucher_received); + $error = 0; + $test_result = array(); // used to display for voucher test option in GUI + $total_minutes = 0; + $first_voucher = ""; + $first_voucher_roll = 0; + + // go through all received vouchers, check their valid and extract + // Roll# and Ticket# using the external readvoucher binary + foreach ($a_vouchers_received as $voucher) { + $v = escapeshellarg($voucher); + if (strlen($voucher) < 3) + continue; // seems too short to be a voucher! + + $result = exec("/usr/local/bin/voucher -c {$g['varetc_path']}/voucher.cfg -k {$g['varetc_path']}/voucher.public -- $v"); + list($status, $roll, $nr) = explode(" ", $result); + if ($status == "OK") { + if (!$first_voucher) { + // store first voucher. Thats the one we give the timecredit + $first_voucher = $voucher; + $first_voucher_roll = $roll; + } + // check if we have this ticket on a registered roll for this ticket + if ($tickets_per_roll[$roll] && ($nr <= $tickets_per_roll[$roll])) { + // voucher is from a registered roll. + if (!isset($active_vouchers[$roll])) + $active_vouchers[$roll] = voucher_read_active_db($roll); + // valid voucher. Store roll# and ticket# + if (!empty($active_vouchers[$roll][$voucher])) { + list($timestamp,$minutes) = explode(",", $active_vouchers[$roll][$voucher]); + // we have an already active voucher here. + $remaining = intval((($timestamp + (60*$minutes)) - time())/60); + $test_result[] = "$voucher ($roll/$nr) active and good for $remaining Minutes"; + $total_minutes += $remaining; + } else { + // voucher not used. 
Check if ticket Id is on the roll (not too high) + // and if the ticket is marked used. + // check if voucher already marked as used + if (!isset($bitstring[$roll])) + $bitstring[$roll] = voucher_read_used_db($roll); + $pos = $nr >> 3; // divide by 8 -> octet + $mask = 1 << ($nr % 8); + if (ord($bitstring[$roll][$pos]) & $mask) { + $test_result[] = "$voucher ($roll/$nr) already used and expired"; captiveportal_syslog("$voucher ($roll/$nr) already used and expired"); - $total_minutes = -1; // voucher expired - $error++; - } else { - // mark bit for this voucher as used - $bitstring[$roll][$pos] = chr(ord($bitstring[$roll][$pos]) | $mask); - $test_result[] = "$voucher ($roll/$nr) good for {$minutes_per_roll[$roll]} Minutes"; - $total_minutes += $minutes_per_roll[$roll]; - } - } - } else { - $test_result[] = "$voucher ($roll/$nr): not found on any registererd Roll"; - captiveportal_syslog("$voucher ($roll/$nr): not found on any registererd Roll"); - } - } else { - // hmm, thats weird ... not what I expected - $test_result[] = "$voucher invalid: $result !!"; - captiveportal_syslog("$voucher invalid: $result !!"); - $error++; - } - } + $total_minutes = -1; // voucher expired + $error++; + } else { + // mark bit for this voucher as used + $bitstring[$roll][$pos] = chr(ord($bitstring[$roll][$pos]) | $mask); + $test_result[] = "$voucher ($roll/$nr) good for {$minutes_per_roll[$roll]} Minutes"; + $total_minutes += $minutes_per_roll[$roll]; + } + } + } else { + $test_result[] = "$voucher ($roll/$nr): not found on any registererd Roll"; + captiveportal_syslog("$voucher ($roll/$nr): not found on any registererd Roll"); + } + } else { + // hmm, thats weird ... not what I expected + $test_result[] = "$voucher invalid: $result !!"; + captiveportal_syslog("$voucher invalid: $result !!"); + $error++; + } + } - // if this was a test call, we're done. Return the result. 
- if ($test) { - if ($error) { - $test_result[] = "Access denied!"; - } else { - $test_result[] = "Access granted for $total_minutes Minutes in total."; - } - unlock($voucherlck); - return $test_result; - } + // if this was a test call, we're done. Return the result. + if ($test) { + if ($error) { + $test_result[] = "Access denied!"; + } else { + $test_result[] = "Access granted for $total_minutes Minutes in total."; + } + unlock($voucherlck); - // if we had an error (one of the vouchers is invalid), return 0. - // Discussion: we could return the time remaining for good vouchers, but then - // the user wouldn't know that he used at least one invalid voucher. + return $test_result; + } - if ($error) { + // if we had an error (one of the vouchers is invalid), return 0. + // Discussion: we could return the time remaining for good vouchers, but then + // the user wouldn't know that he used at least one invalid voucher. + if ($error) { unlock($voucherlck); - if ($total_minutes > 0) // probably not needed, but want to make sure - $total_minutes = 0; // we only report -1 (expired) or 0 (no access) - return $total_minutes; // well, at least one voucher had errors. Say NO ACCESS - } + if ($total_minutes > 0) // probably not needed, but want to make sure + $total_minutes = 0; // we only report -1 (expired) or 0 (no access) + return $total_minutes; // well, at least one voucher had errors. Say NO ACCESS + } // If we did a XMLRPC sync earlier check the timeleft - if(!empty($a_voucher['vouchersyncdbip'])) + if (!empty($config['voucher']['vouchersyncdbip'])) if($remote_time_used < $total_minutes) $total_minutes = $remote_time_used; - // All given vouchers were valid and this isn't simply a test. - // Write back the used DB's - + // All given vouchers were valid and this isn't simply a test. + // Write back the used DB's if (is_array($bitstring)) { foreach ($bitstring as $roll => $used) { if(is_array($used)) { 
@@ -280,24 +410,23 @@ function voucher_auth($voucher_received, $test = 0) { } } - // Active DB: we only add the first voucher if multiple given - // and give that one all the time credit. This allows the user to logout and - // log in later using just the first voucher. It also keeps username limited - // to one voucher and that voucher shows the correct time credit in 'active vouchers' - - if (!empty($active_vouchers[$first_voucher_roll][$first_voucher])) { - list($timestamp, $minutes) = explode(",", $active_vouchers[$first_voucher_roll][$first_voucher]); - } else { - $timestamp = time(); // new voucher - $minutes = $total_minutes; - } + // Active DB: we only add the first voucher if multiple given + // and give that one all the time credit. This allows the user to logout and + // log in later using just the first voucher. It also keeps username limited + // to one voucher and that voucher shows the correct time credit in 'active vouchers' + if (!empty($active_vouchers[$first_voucher_roll][$first_voucher])) { + list($timestamp, $minutes) = explode(",", $active_vouchers[$first_voucher_roll][$first_voucher]); + } else { + $timestamp = time(); // new voucher + $minutes = $total_minutes; + } - $active_vouchers[$first_voucher_roll][$first_voucher] = "$timestamp,$minutes"; - voucher_write_active_db($roll, $active_vouchers[$first_voucher_roll]); + $active_vouchers[$first_voucher_roll][$first_voucher] = "$timestamp,$minutes"; + voucher_write_active_db($roll, $active_vouchers[$first_voucher_roll]); - unlock($voucherlck); + unlock($voucherlck); - return $total_minutes; + return $total_minutes; } function voucher_configure($sync = false) { @@ -430,6 +559,8 @@ function voucher_read_active_db($roll) { function voucher_write_active_db($roll, $active) { global $g; + if (!is_array($active)) + return; $fd = fopen("{$g['vardb_path']}/voucher_active_$roll.db", "w"); if ($fd) { foreach($active as $voucher => $value) -- cgit v1.1 
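Review bot: The re-indentation of the voucher_auth body (hunk `@@ -170,105 +303,102 @@`) leaves two context lines at the old tab depth, `captiveportal_syslog("$voucher ($roll/$nr) already used and expired");` and the `unlock($voucherlck);` inside `if ($error)`, so the block now mixes indentation styles mid-branch. Re-indenting those two lines with their neighbours keeps the whitespace-only change uniform. voucher_auth starts before this hunk and continues past it.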
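Review bot: `voucher_write_active_db($roll, $active_vouchers[$first_voucher_roll]);` writes the first voucher's active list under `$roll`, which is whatever roll the last iteration of the voucher loop left behind (`list($status, $roll, $nr) = explode(...)`), not the roll the list belongs to; with vouchers from two rolls submitted together, the first roll's active DB lands in the second roll's file. The line is re-indented here but the variable is unchanged, so the commit carries the defect forward; it should read `voucher_write_active_db($first_voucher_roll, $active_vouchers[$first_voucher_roll]);`. voucher_auth starts before this hunk.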
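Review bot: The new `if (!is_array($active)) return;` guard in voucher_write_active_db makes a caller bug invisible: the function returns without touching the file and without a log line, so a roll whose active list failed to load keeps its stale on-disk contents silently. Logging before returning, `log_error("voucher_write_active_db: non-array active list for roll {$roll}");`, keeps the protection while leaving a trace. The rest of the function is outside the hunk.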
From 5c723d9fccffe78e1650c574427100760d0faf5e Mon Sep 17 00:00:00 2001 From: Warren Baker Date: Thu, 26 May 2011 00:00:57 +0200 Subject: Remove out-dated RRD file as it will cause broken images to appear on RRD graphs page. --- etc/inc/globals.inc | 2 +- etc/inc/upgrade_config.inc | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc index 7037933..6993148 100644 --- a/etc/inc/globals.inc +++ b/etc/inc/globals.inc @@ -91,7 +91,7 @@ $g = array( "disablecrashreporter" => false, "crashreporterurl" => "http://crashreporter.pfsense.org/crash_reporter.php", "debug" => false, - "latest_config" => "7.8", + "latest_config" => "7.9", "nopkg_platforms" => array("cdrom"), "minimum_ram_warning" => "101", "minimum_ram_warning_text" => "128 MB", diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc index a158ded..8a1bd68 100644 --- a/etc/inc/upgrade_config.inc +++ b/etc/inc/upgrade_config.inc @@ -2490,4 +2490,10 @@ function upgrade_077_to_078() { $config['pptpd']['radius'] = $radarr; } } + +function upgrade_078_to_079() { + /* Delete old and unused RRD file */ + unlink_if_exists("/var/db/rrd/captiveportal-totalusers.rrd"); +} + ?> -- cgit v1.1 From 474f36d1b277b3e0732496bf0ca8aa1659710809 Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Wed, 25 May 2011 18:00:54 -0400 Subject: * Add is_ipaddr_configured() so that people do not need to reinvent the wheel for this task * Check to make sure the administrator is not entering the IP address of the same host preventing a issue where the firewall will sync the voucher database to itself and cause the webConfigurator to crash. --- etc/inc/interfaces.inc | 2 +- etc/inc/pfsense-utils.inc | 19 ++++++++++++++++++- 2 files changed, 19 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc index 393833f..63f380a 100644 --- a/etc/inc/interfaces.inc +++ b/etc/inc/interfaces.inc 
@@ -3728,4 +3728,4 @@ function get_vip_descr($ipaddress) { return ""; } -?> +?> \ No newline at end of file diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index ca16634..a673685 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc @@ -2207,4 +2207,21 @@ function load_mac_manufacturer_table() { } -?> +/****f* pfsense-utils/is_ipaddr_configured + * NAME + * is_ipaddr_configured + * INPUTS + * IP Address to check. + * RESULT + * returns true if the IP Address is + * configured and present on this device. +*/ +function is_ipaddr_configured($ipaddr) { + $interface_list_ips = get_configured_ip_addresses(); + foreach($interface_list_ips as $ilips) { + if(strcasecmp($ipaddr, $ilips) == 0) + return true; + } +} + +?> \ No newline at end of file -- cgit v1.1 From 838e4eb8762a000509cf98e3bd5e2a2cceac06ff Mon Sep 17 00:00:00 2001 From: Warren Baker Date: Thu, 26 May 2011 00:43:28 +0200 Subject: Rather make use of $global variable for RRD path. --- etc/inc/upgrade_config.inc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc index 8a1bd68..c380378 100644 --- a/etc/inc/upgrade_config.inc +++ b/etc/inc/upgrade_config.inc @@ -2492,8 +2492,9 @@ function upgrade_077_to_078() { } function upgrade_078_to_079() { + global $g; /* Delete old and unused RRD file */ - unlink_if_exists("/var/db/rrd/captiveportal-totalusers.rrd"); + unlink_if_exists("{$g['vardb_path']}/rrd/captiveportal-totalusers.rrd"); } ?> -- cgit v1.1 From d65962a7736ae9917182007f4ee0862193fc910f Mon Sep 17 00:00:00 2001 
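Review bot: is_ipaddr_configured has no return statement on the not-found path, so it yields `null` rather than the `false` its header implies; `if (!is_ipaddr_configured(...))` happens to work, but a strict `=== false` check or a return-type declaration would not. Add `return false;` after the foreach. The loop also assumes get_configured_ip_addresses() always returns an array; if it can return an empty or non-array value on a host with no configured addresses, guard with `is_array()` or the foreach emits a warning — its contract is not visible from here.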
From: Scott Ullrich Date: Wed, 25 May 2011 19:42:48 -0400 Subject: Adding a new hook system for firewall nat edit and firewall rules edit page. Basically if the directory exists it will suck in the files to extend these pags. /usr/local/pkg/firewall_nat/input_validation /usr/local/pkg/firewall_nat/pre_write_config /usr/local/pkg/firewall_nat/htmlphpearly /usr/local/pkg/firewall_nat/htmlphplate /usr/local/pkg/firewall_rules/input_validation /usr/local/pkg/firewall_rules/pre_write_config /usr/local/pkg/firewall_rules/htmlphpearly /usr/local/pkg/firewall_rules/htmlphplate --- etc/inc/pfsense-utils.inc | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'etc') diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index a673685..6241a1e 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc @@ -2224,4 +2224,17 @@ function is_ipaddr_configured($ipaddr) { } } +function pfSense_handle_custom_code($src_dir) { + // Allow extending of the nat edit page and include custom input validation + if(is_dir("$src_dir")) { + $cf = glob($src_dir); + foreach($cf as $nf) { + if($nf == "." || $nf == "..") + continue; + // Include the extra handler + include("$src_dir/$nf"); + } + } +} + ?> \ No newline at end of file -- cgit v1.1 From e4a8ed97395866b353f99f5473e1fd413f5a05a0 Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Wed, 25 May 2011 19:51:00 -0400 Subject: Add function header --- etc/inc/pfsense-utils.inc | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'etc') diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index 6241a1e..01d3762 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc 
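Review bot: `glob($src_dir)` returns the directory path itself when it exists, not the entries inside it, so the loop runs once and attempts `include("$src_dir/$src_dir")`; the hook files are never loaded. The `"."`/`".."` comparison is dead for the same reason, since glob() never yields dot entries, and a later commit on this page (3dbceb9) changes the pattern but keeps that dead check. Use `glob("{$src_dir}/*.inc")` and `include($nf)` with the absolute path glob returns. Since every matched file is executed as PHP with the GUI's privileges, the function comment should state that `$src_dir` must be a fixed path chosen by the caller, never a request-derived value.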
@@ -2224,6 +2224,14 @@ function is_ipaddr_configured($ipaddr) { } } +/****f* pfsense-utils/pfSense_handle_custom_code + * NAME + * pfSense_handle_custom_code + * INPUTS + * directory name to process + * RESULT + * globs the directory and includes the files + */ function pfSense_handle_custom_code($src_dir) { // Allow extending of the nat edit page and include custom input validation if(is_dir("$src_dir")) { -- cgit v1.1 From adcf909ae96b5c573ce868bff22442b00f857f47 Mon Sep 17 00:00:00 2001 From: Ermal Date: Thu, 26 May 2011 19:39:58 +0000 Subject: Just use the long reference here instead of creating potential dangerous reference. --- etc/inc/captiveportal.inc | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) (limited to 'etc') diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc index a66c6cb..336b8e8 100644 --- a/etc/inc/captiveportal.inc +++ b/etc/inc/captiveportal.inc @@ -809,12 +809,11 @@ function captiveportal_disconnect($dbent, $radiusservers,$term_cause = 1,$stop_t captiveportal_free_ipfw_ruleno($dbent[1]); // XMLRPC Call over to the master Voucher node - $a_voucher = &$config['voucher']; - if(!empty($a_voucher['vouchersyncdbip'])) { - $syncip = $a_voucher['vouchersyncdbip']; - $syncport = $a_voucher['vouchersyncport']; - $syncpass = $a_voucher['vouchersyncpass']; - $vouchersyncusername = $a_voucher['vouchersyncusername']; + if(!empty($config['voucher']['vouchersyncdbip'])) { + $syncip = $config['voucher']['vouchersyncdbip']; + $syncport = $config['voucher']['vouchersyncport']; + $syncpass = $config['voucher']['vouchersyncpass']; + $vouchersyncusername = $config['voucher']['vouchersyncusername']; $remote_status = xmlrpc_sync_voucher_disconnect($dben, $syncip, $syncport, $syncpass, $vouchersyncusername, $term_cause, $stop_time); } -- cgit v1.1 From dfb30a896c7c6ccbc19330d8cc2ef00e20725f2c Mon Sep 17 00:00:00 2001 
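Review bot: The call `xmlrpc_sync_voucher_disconnect($dben, ...)` on the last new line of the captiveportal.inc hunk passes `$dben`, but the enclosing function's parameter is `$dbent` (see the hunk header and `captiveportal_free_ipfw_ruleno($dbent[1])` above it), so the master node receives an undefined variable instead of the session entry. The commit rewrites the surrounding lines but leaves this typo in place; it should read `xmlrpc_sync_voucher_disconnect($dbent, $syncip, $syncport, $syncpass, $vouchersyncusername, $term_cause, $stop_time);`. captiveportal_disconnect starts before this hunk and continues after it.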
From: Ermal Date: Fri, 27 May 2011 07:56:11 +0000 Subject: Trigger reloading of packages through check_reload_status so it can serialize the calls to not DoS the OS with processes triggered from this. Ticket #1534 --- etc/rc.newwanip | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/rc.newwanip b/etc/rc.newwanip index 0395099..93eb089 100755 --- a/etc/rc.newwanip +++ b/etc/rc.newwanip @@ -51,7 +51,7 @@ function restart_packages() { /* restart packages */ system_ntp_configure(); log_error("{$g['product_name']} package system has detected an ip change $oldip -> $curwanip ... Restarting packages."); - mwexec_bg("/etc/rc.start_packages"); + send_event("reload packages"); } /* Interface IP address has changed */ -- cgit v1.1 From 224ddbadab18d56f6f6ffef408ff24f3c5161303 Mon Sep 17 00:00:00 2001 From: Ermal Date: Fri, 27 May 2011 08:24:32 +0000 Subject: Silence the route changing since it fills the logs with not needed info. --- etc/inc/vpn.inc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'etc') diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index f595c9b..2411caf 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -864,8 +864,7 @@ EOD; /* FIXME: does adding route-to and reply-to on the in/outbound * rules fix this? smos@ 13-01-2009 */ // log_error("IPSEC interface is not WAN but {$parentinterface}, adding static route for VPN endpoint {$rgip} via {$gatewayip}"); - mwexec("/sbin/route delete -host {$rgip}"); - mwexec("/sbin/route add -host {$rgip} {$gatewayip}"); + mwexec("/sbin/route delete -host {$rgip}; /sbin/route add -host {$rgip} {$gatewayip}", true); } } } -- cgit v1.1 From 71070cc55fff338e93ed945e429b585acf72d4bb Mon Sep 17 00:00:00 2001 From: Ermal Date: Fri, 27 May 2011 10:45:05 +0000 Subject: Ticket #1545. Lock each dnsHost to be updated to prevent running two instances in parallell. --- etc/inc/dyndns.class | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'etc') 
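Review bot: `send_event("reload packages")` replaces a direct `mwexec_bg`, but its return value is discarded, so if check_reload_status is not listening the package restart is lost without any log line, whereas the old path always ran; send_event's failure signalling is not visible here, so confirm whether it reports one and log when it does. The preceding `log_error` still says `... Restarting packages.` although the script now only queues a request; `... Requesting package reload.` describes the new behaviour. restart_packages continues outside the hunk.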
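Review bot: Joining the two route commands into one string run with the mute flag hides a failing `route add` together with the expected noise from `route delete`, so if the flag suppresses non-zero exit logging as its name suggests, a wrong `$gatewayip` now leaves no trace. Keep the silence on the delete only, `mwexec("/sbin/route delete -host {$rgip}", true);` followed by an unmuted `mwexec("/sbin/route add -host {$rgip} {$gatewayip}");`, or check the return value of the combined call. `$rgip` and `$gatewayip` are interpolated into the shell string unquoted; wrapping each in `escapeshellarg()` costs nothing here. The enclosing block starts and ends outside the hunk.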
diff --git a/etc/inc/dyndns.class b/etc/inc/dyndns.class index 01209b9..e155c20 100644 --- a/etc/inc/dyndns.class +++ b/etc/inc/dyndns.class @@ -98,7 +98,9 @@ $this->_debugFile = "{$g['varetc_path']}/dyndns_{$dnsIf}{$dnsService}" . escapeshellarg($dnsHost) . ".debug"; log_error("DynDns: updatedns() starting"); - + + $dyndnslck = lock($dnsHost, LOCK_EX); + if (!$dnsService) $this->_error(2); switch ($dnsService) { case 'freedns': @@ -128,6 +130,7 @@ // Ensure that we where able to lookup the IP if(!is_ipaddr($this->_ifIP)) { log_error("There was an error trying to determine the IP for interface - {$dnsIf}({$this->_if}). Probably interface has no ip or is down. Dyndns update not possible for {$dnsService}."); + unlock($dyndnslck); return; } @@ -162,6 +165,8 @@ break; } } + + unlock($dyndnslck); } /* -- cgit v1.1 From 93b8df2a16137c737b5e7d16a070cb3e341cc1ec Mon Sep 17 00:00:00 2001 From: Ermal Date: Fri, 27 May 2011 10:46:33 +0000 Subject: Increase timeout to 2 minutes. Ticket #1545. --- etc/inc/dyndns.class | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/etc/inc/dyndns.class b/etc/inc/dyndns.class index e155c20..65defb2 100644 --- a/etc/inc/dyndns.class +++ b/etc/inc/dyndns.class @@ -183,7 +183,7 @@ curl_setopt($ch, CURLOPT_USERAGENT, $this->_UserAgent); curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); curl_setopt($ch, CURLOPT_INTERFACE, $this->_ifIP); - curl_setopt($ch, CURLOPT_TIMEOUT, 60); // Completely empirical + curl_setopt($ch, CURLOPT_TIMEOUT, 120); // Completely empirical } switch ($this->_dnsService) { @@ -966,7 +966,7 @@ curl_setopt($ip_ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ip_ch, CURLOPT_INTERFACE, $ip_address); curl_setopt($ip_ch, CURLOPT_CONNECTTIMEOUT, '30'); - curl_setopt($ip_ch, CURLOPT_TIMEOUT, 60); + curl_setopt($ip_ch, CURLOPT_TIMEOUT, 120); $ip_result_page = curl_exec($ip_ch); curl_close($ip_ch); $ip_result_decoded = urldecode($ip_result_page); -- cgit v1.1 
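Review bot: `lock($dnsHost, LOCK_EX)` derives the lock name straight from the user-configured hostname; if lock() turns its name into a file path, as the `$this->_debugFile` line just above does (with `escapeshellarg`), characters such as `/` in the hostname decide where the lock file lands. Normalising first, `$dyndnslck = lock(preg_replace('/[^A-Za-z0-9_.-]/', '_', $dnsHost), LOCK_EX);`, keeps the key inside the lock directory — confirm against lock()'s implementation. The lock is also acquired before `if (!$dnsService) $this->_error(2);`, and the switch between this hunk and `@@ -128` is not shown, so any return inside it would leave the lock held; every exit path should mirror the `unlock($dyndnslck)` the commit adds at `@@ -128` and `@@ -162`. updatedns starts before this hunk.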
From a1b86994a0b2895d0d81fb12f680639bfc1d9b42 Mon Sep 17 00:00:00 2001 From: Ermal Date: Fri, 27 May 2011 15:32:02 +0000 Subject: Ticket #1534. Try to stop packages during reboot of system. --- etc/inc/system.inc | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/inc/system.inc b/etc/inc/system.inc index e2c02aa..347de9b 100644 --- a/etc/inc/system.inc +++ b/etc/inc/system.inc @@ -1251,6 +1251,7 @@ function system_reboot_cleanup() { captiveportal_radius_stop_all(); require_once("voucher.inc"); voucher_save_db_to_config(); + mwexec("/etc/rc.stop_packages"); } function system_do_shell_commands($early = 0) { -- cgit v1.1 From 685c977602be47c6b80204953d398171ca7cb0b9 Mon Sep 17 00:00:00 2001 From: jim-p Date: Fri, 27 May 2011 11:56:54 -0400 Subject: Some extra protection against putting empty values into the ruleset. --- etc/inc/filter.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 3ce44a3..47a3bad 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -429,7 +429,7 @@ function filter_generate_scrubing() { } /* disable scrub option */ foreach ($FilterIflist as $scrubif => $scrubcfg) { - if(isset($scrubcfg['virtual'])) + if(isset($scrubcfg['virtual']) || empty($scrubcfg['descr'])) continue; /* set up MSS clamping */ if($scrubcfg['mss'] <> "" && is_numeric($scrubcfg['mss']) && $scrubcfg['if'] != "pppoe" && $scrubcfg['if'] != "pptp" && @@ -518,7 +518,7 @@ function filter_generate_aliases() { $aliases .= "{$ifcfg[0]['descr']} = \"{ {$ifcfg[0]['if']}"; $aliases .= " }\"\n"; } - } else { + } elseif (!empty($ifcfg['descr']) && !empty($ifcfg['if'])) { $aliases .= "{$ifcfg['descr']} = \"{ {$ifcfg['if']}"; $aliases .= " }\"\n"; } -- cgit v1.1 From f40a03a45cc5394bd61861e1dcf327befac16eee Mon Sep 17 00:00:00 2001 
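Review bot: `mwexec("/etc/rc.stop_packages")` runs synchronously inside system_reboot_cleanup, so a package stop script that hangs blocks the reboot for as long as it hangs; the other commits on this page route package operations through check_reload_status precisely to serialize and bound them, while this one runs the script inline. If mwexec offers no timeout, a comment stating that the call is deliberately blocking (and why) would at least make the trade-off explicit. system_reboot_cleanup starts before this hunk.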
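Review bot: Both filter.inc hunks (`@@ -429` here and `@@ -518`) now drop an interface silently when `descr` or `if` is empty, so a misconfigured entry disappears from scrub and from the alias table with no log line, and rules that reference it fail later at pf load time with a far less obvious message. Add a `log_error("filter: skipping interface with empty descr/if");` beside the `continue` and in the fall-through of the new `elseif`. Note also that `empty()` is true for the string `"0"`, so an interface described as `0` is treated as unset; `!isset($scrubcfg['descr']) || $scrubcfg['descr'] === ''` is the exact test if that case matters. filter_generate_scrubing and filter_generate_aliases both extend beyond their hunks.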
From: jim-p Date: Fri, 27 May 2011 12:01:33 -0400 Subject: Only add pppoe to the interfaces list if it both has an entry and is in server mode (i.e. not disabled.) --- etc/inc/filter.inc | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'etc') diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 47a3bad..e5e173c 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -801,8 +801,8 @@ function filter_generate_optcfg_array() { $oic['virtual'] = true; $FilterIflist['l2tp'] = $oic; } - if (is_array($config['pppoes']['pppoe'])) { - $FilterIflist['pppoe'] = array(); + if (is_array($config['pppoes']['pppoe']) && (count($config['pppoes']['pppoe']) > 0)) { + $pppoeifs = array(); foreach($config['pppoes']['pppoe'] as $pppoe) { if ($pppoe['mode'] == "server") { $oic = array(); @@ -816,9 +816,11 @@ function filter_generate_optcfg_array() { $oic['sn'] = $pppoe['pppoe_subnet']; else $oic['sn'] = "32"; - $FilterIflist['pppoe'][] = $oic; + $pppoeifs[] = $oic; } } + if (count($pppoeifs)) + $FilterIflist['pppoe'] = $pppoeifs; } /* add ipsec interfaces */ if(isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])) { -- cgit v1.1 From d97ff036ab05751ea499553792e0ae5fc73fb3f6 Mon Sep 17 00:00:00 2001 From: Ermal Date: Mon, 30 May 2011 13:11:03 +0000 Subject: Prevent races on resovlconf generation as well by adding a lock. --- etc/inc/system.inc | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/inc/system.inc b/etc/inc/system.inc index 347de9b..72b2e0d 100644 --- a/etc/inc/system.inc +++ b/etc/inc/system.inc @@ -116,9 +116,12 @@ function system_resolvconf_generate($dynupdate = false) { } } + $dnslock = lock('resolvconf', LOCK_EX); + $fd = fopen("{$g['varetc_path']}/resolv.conf", "w"); if (!$fd) { printf("Error: cannot open resolv.conf in system_resolvconf_generate().\n"); + unlock($dnslock); return 1; } 
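Review bot: The added `count($config['pppoes']['pppoe']) > 0` in the first filter.inc hunk is redundant: an empty array produces no loop iterations and the second hunk only assigns `$FilterIflist['pppoe']` when `count($pppoeifs)` is non-zero, so `if (is_array($config['pppoes']['pppoe'])) {` is sufficient. The `$pppoe['mode'] == "server"` test beneath it is a loose comparison on raw config; `=== "server"` is the exact form. filter_generate_optcfg_array starts before and continues after these hunks.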
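Review bot: The `resolvconf` lock in system_resolvconf_generate is taken only just before the fopen, while the lines between this hunk and `@@ -148` (not shown) write the file; any `return` in that stretch would skip the `unlock($dnslock)` the second hunk adds at the end, so the middle of the function needs checking for early exits. The return value of `lock()` is never tested either; if it can return false, the later `unlock($dnslock)` operates on nothing — lock()'s contract is not visible here. On the fopen failure a `log_error` rather than `printf` would reach the system log instead of stdout.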
@@ -148,7 +151,9 @@ function system_resolvconf_generate($dynupdate = false) { } } } - + + unlock($dnslock); + return 0; } -- cgit v1.1 From 3dbceb92140459d4ffff77df33dcc150c4e01d00 Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Mon, 30 May 2011 12:02:41 -0400 Subject: Include .inc files for plugin system --- etc/inc/pfsense-utils.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index 01d3762..c75ae20 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc @@ -2235,12 +2235,12 @@ function is_ipaddr_configured($ipaddr) { function pfSense_handle_custom_code($src_dir) { // Allow extending of the nat edit page and include custom input validation if(is_dir("$src_dir")) { - $cf = glob($src_dir); + $cf = glob($src_dir . "/*.inc"); foreach($cf as $nf) { if($nf == "." || $nf == "..") continue; // Include the extra handler - include("$src_dir/$nf"); + include("$nf"); } } } -- cgit v1.1 From 85055175a102caa0f0bd07f50546553b36d935c9 Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Tue, 31 May 2011 11:57:49 -0400 Subject: Remove old vidcontrol cruft lingering from long long ago --- etc/rc.shutdown | 4 ---- 1 file changed, 4 deletions(-) (limited to 'etc') diff --git a/etc/rc.shutdown b/etc/rc.shutdown index 14faf80..c7e8b25 100755 --- a/etc/rc.shutdown +++ b/etc/rc.shutdown @@ -5,10 +5,6 @@ if ! /usr/bin/lockf -s -t 30 /tmp/config.lock /usr/bin/true; then exit -1 fi -if [ -e /dev/ukbd0 ]; then - /usr/sbin/vidcontrol -s 2 -fi - product=`cat /etc/inc/globals.inc | grep product_name | cut -d'"' -f4` echo -- cgit v1.1 From 456026b5425b64cba3d4632712c63a0c661a5e27 Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Tue, 31 May 2011 13:50:00 -0400 Subject: Use pfsense.restore_config_section --- etc/rc.filter_synchronize | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') 
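Review bot: `glob()` returns `false` on failure (and on some platforms when nothing matches), so the `foreach($cf as $nf)` in pfSense_handle_custom_code would emit a warning instead of skipping, and the `"."`/`".."` comparison below it is now dead because `glob()` with a `/*.inc` pattern never returns dot entries. Replace that check with `if (!is_array($cf)) return;` placed before the loop. Because every matching file is executed with `include()`, a comment at the top of the function stating that `$src_dir` must be root-owned and not writable by other users would record the trust assumption this code depends on. The quoting in `is_dir("$src_dir")` is also unnecessary.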
diff --git a/etc/rc.filter_synchronize b/etc/rc.filter_synchronize index 6acadc0..af0e5cc 100755 --- a/etc/rc.filter_synchronize +++ b/etc/rc.filter_synchronize @@ -390,7 +390,7 @@ if (is_array($config['installedpackages']['carpsettings']['config'])) { update_filter_reload_status("Signaling CARP reload signal..."); carp_sync_xml($synchronizetoip, $carp['password'], $sections, $port); if (is_array($mergesections)) - carp_sync_xml($synchronizetoip, $carp['password'], $mergesections, $port, 'pfsense.merge_config_section'); + carp_sync_xml($synchronizetoip, $carp['password'], $mergesections, $port, 'pfsense.restore_config_section'); $cli = new XML_RPC_Client('/xmlrpc.php', $synchronizetoip, $port); $params = array( XML_RPC_encode($carp['password']) -- cgit v1.1 From 0ca52cfffdd7f043dbcca3159668992611504f86 Mon Sep 17 00:00:00 2001 From: Bill Marquette Date: Tue, 31 May 2011 13:32:25 -0700 Subject: fix typoes --- etc/rc.stop_packages | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) mode change 100755 => 100644 etc/rc.stop_packages (limited to 'etc') diff --git a/etc/rc.stop_packages b/etc/rc.stop_packages old mode 100755 new mode 100644 index 95e77fd..f20fa04 --- a/etc/rc.stop_packages +++ b/etc/rc.stop_packages @@ -51,7 +51,7 @@ else { if (is_array($config['installedpackages']['package'])) { foreach($config['installedpackages']['package'] as $package) { - echo " Stoping package {$package['name']}..."; + echo " Stopping package {$package['name']}..."; stop_service($package['name']); unset($rcfiles["{$rcfileprefix}{$package['name']}.sh"]); echo "done.\n"; @@ -61,7 +61,7 @@ if (is_array($config['installedpackages']['package'])) { $shell = @popen("/bin/sh", "w"); if ($shell) { foreach ($rcfiles as $rcfile => $number) { - echo " Stoping {$rcfile}..."; + echo " Stopping {$rcfile}..."; fwrite($shell, "{$rcfile} stop >>/tmp/bootup_messages 2>&1"); echo "done.\n"; } -- cgit v1.1 From f4645d7f48536903d9426137c99438fd0c25a080 Mon Sep 17 00:00:00 2001 
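Review bot: The call now invokes `pfsense.restore_config_section` while the variable it passes is still named `$mergesections`, which misstates what the peer will do if restore replaces the section instead of merging it (the XML-RPC handler is not visible here). A comment on the changed line, `/* restore_config_section replaces these sections on the peer rather than merging them */`, or renaming the variable, would stop the next reader from assuming merge semantics. The enclosing block starts outside the hunk.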
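Review bot: The file header for this commit changes `etc/rc.stop_packages` from mode 100755 to 100644, so a spelling fix also removes the executable bit from a script that the system.inc hunk earlier on this page runs as `mwexec("/etc/rc.stop_packages")`; unless it is always invoked through an explicit interpreter, that call will now fail. The mode change should be reverted in a follow-up. Separately, the context line `fwrite($shell, "{$rcfile} stop >>/tmp/bootup_messages 2>&1");` writes no trailing newline, so with more than one rc file the commands are concatenated onto a single shell line; appending `\n` to that string fixes it.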
From: Ermal Date: Wed, 1 Jun 2011 14:03:57 +0000 Subject: Add tunable, by default disabled, to enable the default gateway switching feature when the default one 'disappears'. --- etc/inc/gwlb.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/inc/gwlb.inc b/etc/inc/gwlb.inc index 9b4c32b..66a0af3 100644 --- a/etc/inc/gwlb.inc +++ b/etc/inc/gwlb.inc @@ -367,7 +367,7 @@ function return_gateway_groups_array() { $gateways_arr = return_gateways_array(); $gateway_groups_array = array(); - if (0) { + if (isset($config['system']['gw_switch_default'])) { /* * NOTE: The code below is meant to replace the default gateway when it goes down. * This facilitates services running on pfSense itself and are not handled by a PBR to continue working. -- cgit v1.1 From 2e88102db07966b24dabb559e300ba88ed849da3 Mon Sep 17 00:00:00 2001 From: jim-p Date: Wed, 1 Jun 2011 17:39:27 -0400 Subject: Disable this until it can be properly fixed. --- etc/inc/system.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/inc/system.inc b/etc/inc/system.inc index 72b2e0d..7e105ab 100644 --- a/etc/inc/system.inc +++ b/etc/inc/system.inc @@ -1256,7 +1256,7 @@ function system_reboot_cleanup() { captiveportal_radius_stop_all(); require_once("voucher.inc"); voucher_save_db_to_config(); - mwexec("/etc/rc.stop_packages"); + // mwexec("/etc/rc.stop_packages"); } function system_do_shell_commands($early = 0) { -- cgit v1.1 From f451ea09a29a7ba21bd67bdfbc8c66f89245f0a9 Mon Sep 17 00:00:00 2001 From: jim-p Date: Thu, 2 Jun 2011 12:47:53 -0400 Subject: Show how much data has passed on an SAD entry. --- etc/inc/ipsec.inc | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'etc') diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc index e15a14c..7371702 100644 --- a/etc/inc/ipsec.inc +++ b/etc/inc/ipsec.inc 
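Review bot: Commenting out `mwexec("/etc/rc.stop_packages")` leaves dead code in system_reboot_cleanup with no indication of why it is disabled or what would allow it back. Either delete the line (history keeps it) or keep it with a reason, e.g. `/* Disabled until rc.stop_packages can be run safely at reboot; see ticket #1534 */`. The function body starts outside the hunk.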
@@ -449,6 +449,10 @@ function ipsec_dump_sad() case 3: $cursa['aalgo'] = $linea[1]; break; + case 8: + $sadata = explode("(", $linea[1]); + $cursa['data'] = $sadata[0] . " B"; + break; } } $i++; -- cgit v1.1 From 8c0199ea8bcf4cebb4218c28da7f0039d1ff07d6 Mon Sep 17 00:00:00 2001 From: lgcosta Date: Fri, 3 Jun 2011 04:14:13 -0300 Subject: Better management for reload lighttpd --- etc/rc.restart_webgui | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/etc/rc.restart_webgui b/etc/rc.restart_webgui index 463f934..d1fbc21 100755 --- a/etc/rc.restart_webgui +++ b/etc/rc.restart_webgui @@ -8,10 +8,15 @@ require("shaper.inc"); require("captiveportal.inc"); require("rrd.inc"); -mwexec("killall -9 lighttpd"); - echo "Restarting webConfigurator..."; +mwexec("killall -INT lighttpd"); + +while (exec("ps ax | grep lighttpd | grep -v grep")) { + echo '.'; + sleep(1); +} + system_webgui_start(); captiveportal_init_webgui(); -- cgit v1.1 From 327d958a5db136c51e28992201bf4100980869de Mon Sep 17 00:00:00 2001 From: lgcosta Date: Fri, 3 Jun 2011 04:25:46 -0300 Subject: fixed for use pfsense API --- etc/rc.restart_webgui | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/etc/rc.restart_webgui b/etc/rc.restart_webgui index d1fbc21..e74f201 100755 --- a/etc/rc.restart_webgui +++ b/etc/rc.restart_webgui @@ -10,9 +10,9 @@ require("rrd.inc"); echo "Restarting webConfigurator..."; -mwexec("killall -INT lighttpd"); +sigkillbyname("lighttpd", "INT"); -while (exec("ps ax | grep lighttpd | grep -v grep")) { +while (is_process_running("lighttpd")) { echo '.'; sleep(1); } -- cgit v1.1 From 5dc6c9102cdc2f9fc464da75bbaef594eebec10a Mon Sep 17 00:00:00 2001 
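Review bot: The new `case 8:` in ipsec_dump_sad gives no hint of which field of the SA dump it parses, and it assumes `$linea[1]` is set and contains a `(`-delimited byte count. A comment such as `// presumably the byte counter line of the SA dump, formatted "<bytes>(...)"; keep the count only -- confirm format` would help, and guarding with `if (isset($linea[1]))` avoids a notice on a short line. The switch and the surrounding loop lie outside the hunk.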
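Review bot: The wait loop added after `mwexec("killall -INT lighttpd")` has no upper bound, so if lighttpd ignores SIGINT this script never reaches `system_webgui_start()` and the webConfigurator stays down; the same applies to the `is_process_running("lighttpd")` form in the following commit's hunk on this line. Bound it, e.g. `$tries = 0;` before the loop and `while (is_process_running("lighttpd") && $tries++ < 10) {` for the later form, and `log_error()` if the process is still present when the loop gives up.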
From: jim-p Date: Fri, 3 Jun 2011 09:20:58 -0400 Subject: When making a P2P SSL/TLS OpenVPN server, if the given CIDR for the tunnel network is a /30, don't use the OpenVPN server directive. See ticket #1417 --- etc/inc/openvpn.inc | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'etc') diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc index 7f82975..edd22be 100644 --- a/etc/inc/openvpn.inc +++ b/etc/inc/openvpn.inc @@ -367,8 +367,8 @@ function openvpn_reconfigure($mode, $settings) { // server specific settings if ($mode == 'server') { - list($ip, $mask) = explode('/', $settings['tunnel_network']); - $mask = gen_subnet_mask($mask); + list($ip, $cidr) = explode('/', $settings['tunnel_network']); + $mask = gen_subnet_mask($cidr); // configure tls modes switch($settings['mode']) { @@ -383,8 +383,13 @@ function openvpn_reconfigure($mode, $settings) { // configure p2p/server modes switch($settings['mode']) { case 'p2p_tls': - $conf .= "server {$ip} {$mask}\n"; - $conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n"; + // If the CIDR is less than a /30, OpenVPN will complain if you try to + // use the server directive. It works for a single client without it. + // See ticket #1417 + if ($cidr < 30) { + $conf .= "server {$ip} {$mask}\n"; + $conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n"; + } case 'p2p_shared_key': $baselong = ip2long32($ip) & ip2long($mask); $ip1 = long2ip32($baselong + 1); -- cgit v1.1 From 5cd9e96a426fa1d62928d93a2539376912033349 Mon Sep 17 00:00:00 2001 From: jim-p Date: Fri, 3 Jun 2011 09:50:53 -0400 Subject: Add a GUI selection for racoon's generate_policy directive since it may be useful in certain configurations, especially for mobile clients. --- etc/inc/vpn.inc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'etc') diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index 2411caf..5e014fd 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc 
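Review bot: With the new `if ($cidr < 30)` block in openvpn_reconfigure, the pre-existing fall-through from `case 'p2p_tls':` into `case 'p2p_shared_key':` now reads like a forgotten `break`, and `$cidr` is the raw string from `explode()`, so a `tunnel_network` without a `/` leaves it empty and `'' < 30` is true. Mark the intent with `// fall through: the shared-key address setup below applies to both p2p modes` and compare an integer, `if ((int)$cidr < 30) {`, ideally after the prefix length has been validated upstream. The switch continues outside the hunk.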
@@ -481,7 +481,7 @@ function vpn_ipsec_configure($ipchg = false) $natt = $ph1ent['nat_traversal']; $init = "on"; - $genp = "off"; + $genp = !empty($ph1ent['generate_policy']) ? $ph1ent['generate_policy'] : "off"; $pcheck = !empty($ph1ent['proposal_check']) ? $ph1ent['proposal_check'] : $pcheck = "claim"; $passive = ""; if (isset($ph1ent['mobile'])) { @@ -490,10 +490,10 @@ function vpn_ipsec_configure($ipchg = false) /* Mimic 1.2.3's behavior for pure-psk mobile tunnels */ if ($ph1ent['authentication_method'] == "pre_shared_key") { $pcheck = !empty($ph1ent['proposal_check']) ? $ph1ent['proposal_check'] : $pcheck = "obey"; - $genp = "on"; + $genp = !empty($ph1ent['generate_policy']) ? $ph1ent['generate_policy'] : "on"; } else { $init = "off"; - $genp = "unique"; + $genp = !empty($ph1ent['generate_policy']) ? $ph1ent['generate_policy'] : "unique"; } } -- cgit v1.1 From bd4b09826c4f0a6ecae94c99a9fdfa8bf7bc4a95 Mon Sep 17 00:00:00 2001 From: jim-p Date: Fri, 3 Jun 2011 14:53:07 -0400 Subject: If a mode_cfg subnet is defined for IPsec, also add it to outbound NAT. --- etc/inc/filter.inc | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'etc') diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index e5e173c..0988093 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -1384,6 +1384,12 @@ function filter_nat_rules_generate() { } } } + /* IPsec mode_cfg subnet */ + if (isset($config['ipsec']['client']['enable']) && + !empty($config['ipsec']['client']['pool_address']) && + !empty($config['ipsec']['client']['pool_netbits'])) { + $tonathosts .= "{$config['ipsec']['client']['pool_address']}/{$config['ipsec']['client']['pool_netbits']} "; + } $natrules .= "\n# Subnets to NAT \n"; $tonathosts .= "127.0.0.0/8 "; if($numberofnathosts > 4) { -- cgit v1.1 From 5b542ae5055e3667f317f099753f38c89ffbbc9c Mon Sep 17 00:00:00 2001 
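Review bot: The three new `$genp = !empty($ph1ent['generate_policy']) ? $ph1ent['generate_policy'] : ...` lines in vpn_ipsec_configure pass the configured value straight through; if it reaches the racoon configuration without being checked against the values racoon accepts (on, off, require, unique), a stray value breaks the generated config for every phase 1 entry. Validate once before the branches, e.g. `$genp_cfg = in_array($ph1ent['generate_policy'], array('on', 'off', 'require', 'unique'), true) ? $ph1ent['generate_policy'] : null;` and then `$genp = $genp_cfg ? $genp_cfg : "off";` (and likewise for the `"on"` and `"unique"` defaults in the second hunk). That also removes the same expression repeated three times. The enclosing loop starts outside both hunks.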
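Review bot: The IPsec mode_cfg subnet appended to `$tonathosts` in filter_nat_rules_generate is interpolated from the config with only an `!empty()` check, so a malformed `pool_address` or an out-of-range `pool_netbits` goes straight into the pf ruleset; the context line `if($numberofnathosts > 4)` just below also suggests a host counter that this block does not increment, which may change how the list is emitted (the counter's use is outside the hunk). Validate both values before use and keep the counter consistent, as sketched below. The function body starts outside the hunk.
```php
/* IPsec mode_cfg subnet */
if (isset($config['ipsec']['client']['enable']) &&
    is_ipaddr($config['ipsec']['client']['pool_address']) &&
    is_numeric($config['ipsec']['client']['pool_netbits']) &&
    $config['ipsec']['client']['pool_netbits'] >= 0 &&
    $config['ipsec']['client']['pool_netbits'] <= 32) {
    $tonathosts .= "{$config['ipsec']['client']['pool_address']}/{$config['ipsec']['client']['pool_netbits']} ";
    $numberofnathosts++; /* only if this counter drives the list format below -- confirm */
}
// … unchanged: "# Subnets to NAT" header and the 127.0.0.0/8 entry …
```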
From: Bill Marquette Date: Fri, 3 Jun 2011 17:29:25 -0500 Subject: Typoes --- etc/inc/pkg-utils.inc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'etc') diff --git a/etc/inc/pkg-utils.inc b/etc/inc/pkg-utils.inc index 070dade..ebc2df2 100644 --- a/etc/inc/pkg-utils.inc +++ b/etc/inc/pkg-utils.inc @@ -141,10 +141,10 @@ function get_pkg_id($pkg_name) { /****f* pkg-utils/get_pkg_info * NAME - * get_pkg_info - Retrive package information from pfsense.com. + * get_pkg_info - Retrieve package information from pfsense.com. * INPUTS - * $pkgs - 'all' to retrive all packages, an array containing package names otherwise - * $info - 'all' to retrive all information, an array containing keys otherwise + * $pkgs - 'all' to retrieve all packages, an array containing package names otherwise + * $info - 'all' to retrieve all information, an array containing keys otherwise * RESULT * $raw_versions - Array containing retrieved information, indexed by package name. ******/ -- cgit v1.1 From 425ba70828642b66b19e5888c2b4d0c63250cf79 Mon Sep 17 00:00:00 2001 From: Ermal Date: Mon, 6 Jun 2011 10:22:00 +0000 Subject: Ticket #1545. Take into account curl errors during dyndns service checks otherwise will just mark some updates as successful even though they are not. --- etc/inc/dyndns.class | 74 +++++++++------------------------------------------- 1 file changed, 12 insertions(+), 62 deletions(-) (limited to 'etc') diff --git a/etc/inc/dyndns.class b/etc/inc/dyndns.class index 65defb2..07fdf95 100644 --- a/etc/inc/dyndns.class +++ b/etc/inc/dyndns.class 
@@ -202,10 +202,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server .$port . '?system=dyndns&hostname=' . $this->_dnsHost . '&myip=' . $this->_dnsIP . '&wildcard='.$this->_dnsWildcard . '&mx=' . $this->_dnsMX . '&backmx=NO'); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'dhs': $needsIP = TRUE; @@ -233,10 +229,6 @@ curl_setopt($ch, CURLOPT_URL, '{$server}{$port}'); curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser.':'.$this->_dnsPass); curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'noip': $needsIP = TRUE; @@ -248,10 +240,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server . $port . '?username=' . urlencode($this->_dnsUser) . '&pass=' . urlencode($this->_dnsPass) . '&hostname=' . $this->_dnsHost.'&ip=' . $this->_dnsIP); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'easydns': $needsIP = TRUE; @@ -264,10 +252,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server . $port . '?hostname=' . $this->_dnsHost . '&myip=' . $this->_dnsIP . '&wildcard=' . $this->_dnsWildcard . '&mx=' . $this->_dnsMX . '&backmx=' . $this->_dnsBackMX); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'hn': $needsIP = TRUE; 
@@ -280,10 +264,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server . $port . '?ver=1&IP=' . $this->_dnsIP); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'zoneedit': $needsIP = FALSE; @@ -298,11 +278,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, "{$server}{$port}?host=" .$this->_dnsHost); - - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'dyns': $needsIP = FALSE; @@ -313,10 +288,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server . $port . '?username=' . urlencode($this->_dnsUser) . '&password=' . $this->_dnsPass . '&host=' . $this->_dnsHost); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'ods': $needsIP = FALSE; 
@@ -354,33 +325,21 @@ break; } } - $this->_checkStatus($code); + $this->_checkStatus(0, $code); break; case 'freedns': $needIP = FALSE; curl_setopt($ch, CURLOPT_URL, 'http://freedns.afraid.org/dynamic/update.php?' . $this->_dnsPass); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'dnsexit': $needsIP = TRUE; curl_setopt($ch, CURLOPT_URL, 'http://www.dnsexit.com/RemoteUpdate.sv?login='.$this->_dnsUser. '&password='.$this->_dnsPass.'&host='.$this->_dnsHost.'&myip='.$this->_dnsIP); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred:" . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'loopia': $needsIP = TRUE; curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser.':'.$this->_dnsPass); curl_setopt($ch, CURLOPT_URL, 'https://dns.loopia.se/XDynDNSServer/XDynDNS.php?hostname='.$this->_dnsHost.'&myip='.$this->_dnsIP); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'opendns': $needsIP = FALSE; @@ -394,19 +353,11 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server .$port); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'staticcling': $needsIP = FALSE; curl_setopt($ch, CURLOPT_URL, 'http://www.staticcling.org/update.html?login='.$this->_dnsUser.'&pass='.$this->_dnsPass); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occured: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'dnsomatic': /* Example syntax 
@@ -423,10 +374,6 @@ if($this->_dnsPort) $port = ":" . $this->_dnsPort; curl_setopt($ch, CURLOPT_URL, $server . $this->_dnsHost . '&myip=' . $this->_dnsIP . '&wildcard='.$this->_dnsWildcard . '&mx=' . $this->_dnsMX . '&backmx=NOCHG'); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Request completed. DNS-O-Matic reported: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'namecheap': /* Example: @@ -438,10 +385,6 @@ list($hostname, $domain) = explode(".", $this->_dnsHost, 2); $server = "https://dynamicdns.park-your-domain.com/update?host={$hostname}&domain={$domain}&password={$this->_dnsPass}&ip={$this->_dnsIP}"; curl_setopt($ch, CURLOPT_URL, $server); - $data = curl_exec($ch); - if (@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; case 'he-net': $needsIP = FALSE; @@ -450,14 +393,15 @@ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsHost . ':' . $this->_dnsPass); curl_setopt($ch, CURLOPT_URL, $server . 'hostname=' . $this->_dnsHost); - $data = curl_exec($ch); - if(@curl_error($ch)) log_error("Curl error occurred: " . curl_error($ch)); - curl_close($ch); - $this->_checkStatus($data); break; default: break; } + if ($this->_dnsService != 'ods') { + $data = curl_exec($ch); + $this->_checkStatus($ch, $data); + @curl_close($ch); + } } /* @@ -468,6 +412,12 @@ log_error("DynDns: DynDns _checkStatus() starting."); log_error("DynDns: Current Service: {$this->_dnsService}"); $successful_update = false; + if ($this->_dnsService != 'ods' && @curl_error($ch)) { + $status = "Curl error occurred: " . curl_error($ch); + log_error($status); + $this->status = $status; + return; + } switch ($this->_dnsService) { case 'dnsomatic': if (preg_match('/badauth/i', $data)) { -- cgit v1.1 From e33be77c0e37a98721ad20d2381ba6e5b6fc1f57 Mon Sep 17 00:00:00 2001 
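Review bot: The new common `curl_exec()` / `_checkStatus($ch, $data)` path at the end of the switch only detects transport failures: an HTTP 4xx/5xx reply yields no `curl_error()`, so `_checkStatus()` goes on to pattern-match the error body and may still report success; checking `curl_getinfo($ch, CURLINFO_HTTP_CODE)` in the same early-return block added to `_checkStatus()` would close that gap. The `@` on `curl_close()` and `curl_error()` is unnecessary given the `'ods'` guards and hides real misuse, and the `ods` call site in the hunk on the preceding line passes `0` where a handle is expected; `null` states the intent better. `_checkStatus()`'s signature is outside the hunk, so I cannot confirm its parameter list was updated to `($ch, $data)`.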
From: Ermal Date: Mon, 6 Jun 2011 10:53:42 +0000 Subject: Ticket #1412. Fixing the access login to the user manager presented another problem since now users cannot change their passwords anymore. Allow this through another page and an extra priviledge needed to be added to the user for allowing them to change the password. --- etc/inc/priv.defs.inc | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'etc') diff --git a/etc/inc/priv.defs.inc b/etc/inc/priv.defs.inc index 941120c..4a4855e 100644 --- a/etc/inc/priv.defs.inc +++ b/etc/inc/priv.defs.inc @@ -955,6 +955,12 @@ $priv_list['page-system-usermanager']['descr'] = "Allow access to the 'System: U $priv_list['page-system-usermanager']['match'] = array(); $priv_list['page-system-usermanager']['match'][] = "system_usermanager.php*"; +$priv_list['page-system-usermanager-passwordmg'] = array(); +$priv_list['page-system-usermanager-passwordmg']['name'] = "WebCfg - System: User Password Manager page"; +$priv_list['page-system-usermanager-passwordmg']['descr'] = "Allow access to the 'System: User Password Manager' page."; +$priv_list['page-system-usermanager-passwordmg']['match'] = array(); +$priv_list['page-system-usermanager-passwordmg']['match'][] = "system_usermanager_passwordmg.php*"; + $priv_list['page-system-usermanager_addcert'] = array(); $priv_list['page-system-usermanager_addcert']['name'] = "WebCfg - System: User Manager: Add Certificate"; $priv_list['page-system-usermanager_addcert']['descr'] = "Allow access to the 'User Manager: Add Certificate' page."; -- cgit v1.1 From ac07425a65b3590c1f391c96b31406ae4942064d Mon Sep 17 00:00:00 2001 From: Ermal Date: Mon, 6 Jun 2011 12:40:38 +0000 Subject: Fix whitespace. --- etc/inc/captiveportal.inc | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) (limited to 'etc') diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc index 336b8e8..1d4356f 100644 --- a/etc/inc/captiveportal.inc 
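Review bot: The new `page-system-usermanager-passwordmg` privilege only gates access to `system_usermanager_passwordmg.php*`; it does not itself restrict which account the page may change, so the page must verify the request targets the logged-in user's own account and require the current password before this privilege is safe to hand to ordinary users (the page is not visible here). Stating that scope in the description, e.g. `"Allow access to the 'System: User Password Manager' page (change own password only)."`, makes it visible in the privilege list. The neighbouring entries use `page-system-usermanager_addcert`, so `page-system-usermanager_passwordmg` would be the consistent spelling.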
+++ b/etc/inc/captiveportal.inc @@ -1114,29 +1114,29 @@ function captiveportal_init_radius_servers() { /* read RADIUS servers into array */ function captiveportal_get_radius_servers() { - global $g; - - $cprdsrvlck = lock('captiveportalradius'); - if (file_exists("{$g['vardb_path']}/captiveportal_radius.db")) { - $radiusservers = array(); - $cpradiusdb = file("{$g['vardb_path']}/captiveportal_radius.db", - FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); - if ($cpradiusdb) { - foreach($cpradiusdb as $cpradiusentry) { - $line = trim($cpradiusentry); - if ($line) { - $radsrv = array(); - list($radsrv['ipaddr'],$radsrv['port'],$radsrv['acctport'],$radsrv['key']) = explode(",",$line); - $radiusservers[] = $radsrv; - } + global $g; + + $cprdsrvlck = lock('captiveportalradius'); + if (file_exists("{$g['vardb_path']}/captiveportal_radius.db")) { + $radiusservers = array(); + $cpradiusdb = file("{$g['vardb_path']}/captiveportal_radius.db", + FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); + if ($cpradiusdb) { + foreach($cpradiusdb as $cpradiusentry) { + $line = trim($cpradiusentry); + if ($line) { + $radsrv = array(); + list($radsrv['ipaddr'],$radsrv['port'],$radsrv['acctport'],$radsrv['key']) = explode(",",$line); + $radiusservers[] = $radsrv; } } - unlock($cprdsrvlck); - return $radiusservers; } - unlock($cprdsrvlck); - return false; + return $radiusservers; + } + + unlock($cprdsrvlck); + return false; } /* log successful captive portal authentication to syslog */ -- cgit v1.1 From 7d6be855ce80a6dcf0cd984f14386aae1b876edb Mon Sep 17 00:00:00 2001 From: Ermal Date: Mon, 6 Jun 2011 13:12:55 +0000 Subject: Correct possible lock leak. --- etc/inc/captiveportal.inc | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'etc') diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc index 1d4356f..609bfed 100644 --- a/etc/inc/captiveportal.inc +++ b/etc/inc/captiveportal.inc 
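Review bot: This whitespace commit also drops an `unlock()`: on the old side `unlock($cprdsrvlck);` preceded `return $radiusservers;`, but on the new side `return $radiusservers;` is reached directly and only the `return false;` path releases the lock, so every successful call to captiveportal_get_radius_servers leaves `captiveportalradius` locked. Restore `unlock($cprdsrvlck);` immediately before `return $radiusservers;`. A reindent-only commit should have zero semantic change, which a `diff -w` of the result would have confirmed.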
@@ -826,18 +826,15 @@ function captiveportal_disconnect_client($sessionid, $term_cause = 1, $logoutRea $radiusservers = captiveportal_get_radius_servers(); $unsetindex = array(); - $cpdblck = lock('captiveportaldb', LOCK_EX); - /* read database */ - $cpdb = captiveportal_read_db(true); + $cpdb = captiveportal_read_db(); /* find entry */ if (isset($cpdb[$sessionid])) { $cpentry = $cpdb[$sessionid]; /* write database */ $unsetindex[] = $sessionid; - captiveportal_write_db($cpdb, true, $unsetindex); - unlock($cpdblck); + captiveportal_write_db($cpdb, false, $unsetindex); captiveportal_disconnect($cpentry, $radiusservers, $term_cause); captiveportal_logportalauth($cpentry[4], $cpentry[3], $cpentry[2], "DISCONNECT"); -- cgit v1.1 From a9c489c7ab68e9c853b37a3f132fbc2c53363bbb Mon Sep 17 00:00:00 2001 From: jim-p Date: Mon, 6 Jun 2011 10:36:45 -0400 Subject: Fix pppoe server user rule generation. Fixes #1577 --- etc/inc/filter.inc | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'etc') diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 0988093..9b0c0be 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -1751,6 +1751,11 @@ function filter_generate_user_rule($rule) { } else if(!array_key_exists($rule['interface'], $FilterIflist)) { foreach($FilterIflist as $oc) $item .= $oc['descr']; return "# {$item} {$rule['interface']} array key does not exist for " . $rule['descr']; + } else if((array_key_exists($rule['interface'], $FilterIflist)) + && (is_array($FilterIflist[$rule['interface']])) + && (is_array($FilterIflist[$rule['interface']][0]))) { + /* Currently this only case for this is the pppoe server. There should be an existing macro with this name. */ + $aline['interface'] = " on \$" . $rule['interface'] . " "; } else $aline['interface'] = " on \$" . $FilterIflist[$rule['interface']]['descr'] . " "; $ifcfg = $FilterIflist[$rule['interface']]; -- cgit v1.1 From 63dfc7efc121aae384584449128214cc874d38fd Mon Sep 17 00:00:00 2001 
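Review bot: Removing the `captiveportaldb` lock around `captiveportal_read_db()` / `captiveportal_write_db($cpdb, false, $unsetindex)` in captiveportal_disconnect_client fixes the leak but, if those helpers each take and release the lock internally, it also opens a window between the read and the write in which another process can change the database; whether that matters depends on whether `captiveportal_write_db()` rewrites the table from `$cpdb` or only applies `$unsetindex` (not visible here). A comment on the write call, `/* read_db/write_db lock internally; only $unsetindex is applied, so the unlocked gap is safe -- confirm */`, would record the assumption. The function continues outside the hunk.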
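Review bot: The `array_key_exists($rule['interface'], $FilterIflist)` in the new `else if` of filter_generate_user_rule is redundant, because the preceding branch already returned when the key is missing; `} else if (is_array($FilterIflist[$rule['interface']]) && is_array($FilterIflist[$rule['interface']][0])) {` says the same thing. The comment should read `/* Currently the only case for this is the pppoe server; a macro with this name must already exist. */`. Note that the alias hunk earlier on this page names the array-valued macro after `$ifcfg[0]['descr']`, so `" on \$" . $rule['interface']` only resolves if that descr equals the interface key; worth confirming. The function body starts outside the hunk.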
From: Scott Ullrich Date: Mon, 6 Jun 2011 12:04:47 -0400 Subject: Suppress keyboard device errors on bootup --- etc/devd.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/etc/devd.conf b/etc/devd.conf index 244af48..d6731d8 100644 --- a/etc/devd.conf +++ b/etc/devd.conf @@ -30,12 +30,12 @@ notify 100 { # When a USB keyboard arrives, attach it as the console keyboard. attach 100 { device-name "ukbd0"; - action "kbdcontrol -k /dev/ukbd0 < /dev/console"; + action "kbdcontrol -k /dev/ukbd0 < /dev/console 2>/dev/null"; }; detach 100 { device-name "ukbd0"; - action "kbdcontrol -k /dev/kbd0 < /dev/console"; + action "kbdcontrol -k /dev/kbd0 < /dev/console 2>/dev/null"; }; # -- cgit v1.1 From f6bf0661e176db8199a75ac4d842a090b3f95569 Mon Sep 17 00:00:00 2001 From: Ermal Date: Mon, 6 Jun 2011 17:57:26 +0000 Subject: Switch this to check_reload_status event to see if it solves any possible issues of nohup blocking signals to be delivered to filterdns proces. --- etc/rc.bootup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/rc.bootup b/etc/rc.bootup index e71c430..1b71d00 100755 --- a/etc/rc.bootup +++ b/etc/rc.bootup @@ -322,7 +322,7 @@ system_do_shell_commands(); /* start IPsec tunnels */ vpn_ipsec_configure(); /* Reload dynamic hostname tunnels after bootup finishes */ -mwexec_bg("/etc/rc.newipsecdns"); +send_event("reload ipsecdns"); /* start SNMP service */ services_snmpd_configure(); -- cgit v1.1 From 4e19284675cafa8c81ed86e86e9554e4b80d6ecb Mon Sep 17 00:00:00 2001 From: Ermal Date: Mon, 6 Jun 2011 18:12:52 +0000 Subject: Correct event calling during bootup for rc.newipsecdns and also convert the command executed during an ipsec even to go through check_reload_status which will prevent races on calling rc.newipsecdns. Which might lead to many filterdns processes. --- etc/inc/vpn.inc | 2 +- etc/rc.bootup | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'etc') 
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index 5e014fd..7c08ccb 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -912,7 +912,7 @@ EOD; $hostnames = ""; array_unique($filterdns_list); foreach ($filterdns_list as $hostname) - $hostnames .= "cmd {$hostname} '/etc/rc.newipsecdns'\n"; + $hostnames .= "cmd {$hostname} '/usr/local/sbin/pfSctl -c \"service reload ipsecdns\"'\n"; file_put_contents("{$g['varetc_path']}/filterdns-ipsec.hosts", $hostnames); killbypid("{$g['varrun_path']}/filterdns-ipsec.pid"); diff --git a/etc/rc.bootup b/etc/rc.bootup index 1b71d00..2f0c2cd 100755 --- a/etc/rc.bootup +++ b/etc/rc.bootup @@ -322,7 +322,7 @@ system_do_shell_commands(); /* start IPsec tunnels */ vpn_ipsec_configure(); /* Reload dynamic hostname tunnels after bootup finishes */ -send_event("reload ipsecdns"); +send_event("service reload ipsecdns"); /* start SNMP service */ services_snmpd_configure(); -- cgit v1.1 From c88ff708b622450b4bd2704f0e2473b491761afc Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Mon, 6 Jun 2011 17:09:48 -0400 Subject: Include ssh2 module if available --- etc/rc.php_ini_setup | 2 ++ 1 file changed, 2 insertions(+) (limited to 'etc') diff --git a/etc/rc.php_ini_setup b/etc/rc.php_ini_setup index 67aceaf..5a138ed 100755 --- a/etc/rc.php_ini_setup +++ b/etc/rc.php_ini_setup @@ -112,6 +112,8 @@ PHPMODULES="$PHPMODULES pdo" PHPMODULES="$PHPMODULES sqlite" # ZeroMQ PHPMODULES="$PHPMODULES zmq" +# SSH2 +PHPMODULES="$PHPMODULES ssh2" # pfSense extensions PHPMODULES="$PHPMODULES pfSense" -- cgit v1.1
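Review bot: The new filterdns `cmd` line interpolates `$hostname` into a single-quoted command string; if the hostnames in `$filterdns_list` are not validated upstream (for example with `is_hostname()`), a value containing whitespace or quotes breaks the line format of `filterdns-ipsec.hosts`. Also visible in the context: `array_unique($filterdns_list);` discards its return value, so duplicates are still written; it should be `$filterdns_list = array_unique($filterdns_list);`. The enclosing block starts outside the hunk.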