From 362c9bb03f1d321e00d78d7b89b9c7ccc628b4cd Mon Sep 17 00:00:00 2001 From: jim-p Date: Sun, 23 Sep 2012 19:21:00 -0400 Subject: Don't die silently if the time is too far off. Fix from: dhatz --- etc/inc/system.inc | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/inc/system.inc b/etc/inc/system.inc index 0f3d263..6bf32f3 100644 --- a/etc/inc/system.inc +++ b/etc/inc/system.inc @@ -1287,6 +1287,7 @@ function system_ntp_configure($start_ntpd=true) { $ntpcfg = "# \n"; $ntpcfg .= "# pfSense ntp configuration file \n"; $ntpcfg .= "# \n\n"; + $ntpcfg .= "tinker panic 0 \n"; if (!empty($config['ntpd']['gpsport']) && file_exists('/dev/'.$config['ntpd']['gpsport']) -- cgit v1.1 From 14551ae0a5769475c5bbeaaf9fd62e32419d6a27 Mon Sep 17 00:00:00 2001 From: bcyrill Date: Mon, 24 Sep 2012 21:48:22 +0300 Subject: Update etc/inc/priv.defs.inc Include privileges for Diagnostics Sockets page --- etc/inc/priv.defs.inc | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'etc') diff --git a/etc/inc/priv.defs.inc b/etc/inc/priv.defs.inc index b747bfd..46181cf 100644 --- a/etc/inc/priv.defs.inc +++ b/etc/inc/priv.defs.inc 
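Review bot: The new `tinker panic 0` line carries no comment, and the setting deserves one: it removes ntpd's panic threshold (1000 s by default), so instead of exiting on a wildly wrong clock the daemon will step by any amount a server offers, at any time during its lifetime rather than only at startup. That widens the window in which a misbehaving or spoofed upstream server can move the firewall's clock far enough to invalidate certificates and log timestamps, which is the risk the old exit-on-panic behaviour guarded against. If the intent is only to recover from a bad RTC at boot, ntpd's `-g` start-up option (one large step allowed, then the normal threshold applies) is the narrower tool, but the ntpd start line is outside this hunk so I cannot tell whether it is already used. At minimum add `/* allow large clock steps (e.g. dead RTC); note this also disables ntpd's sanity limit on server-supplied offsets */` above the line.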
@@ -60,6 +60,12 @@ $priv_list['page-diagnostics-showstates']['descr'] = gettext("Allow access to th $priv_list['page-diagnostics-showstates']['match'] = array(); $priv_list['page-diagnostics-showstates']['match'][] = "diag_dump_states.php*"; +$priv_list['page-diagnostics-sockets'] = array(); +$priv_list['page-diagnostics-sockets']['name'] = gettext("WebCfg - Diagnostics: Sockets page"); +$priv_list['page-diagnostics-sockets']['descr'] = gettext("Allow access to the 'Diagnostics: Sockets' page."); +$priv_list['page-diagnostics-sockets']['match'] = array(); +$priv_list['page-diagnostics-sockets']['match'][] = "diag_sockets.php*"; + $priv_list['page-status-ipsec'] = array(); $priv_list['page-status-ipsec']['name'] = gettext("WebCfg - Status: IPsec page"); $priv_list['page-status-ipsec']['descr'] = gettext("Allow access to the 'Status: IPsec' page."); -- cgit v1.1 From f00278f1e8cc2a534f13a6f3510aed85ebe11bd4 Mon Sep 17 00:00:00 2001 From: Pierre POMES Date: Tue, 25 Sep 2012 08:17:50 -0400 Subject: Ticket #2635: during ipsec reload, do not generate spd for disabled ph1 --- etc/inc/vpn.inc | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) (limited to 'etc') diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index 618dec3..36e1ca9 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc 
@@ -1834,14 +1834,16 @@ function reload_tunnel_spd_policy($phase1, $phase2, $old_phase1, $old_phase2) { } } /* add new SPD policies to replace them */ - $spdconf .= "spdadd {$family} {$local_subnet} " . - "{$remote_subnet} any -P out ipsec " . - "{$phase2['protocol']}/tunnel/{$ep}-" . - "{$rgip}/unique;\n"; - $spdconf .= "spdadd {$family} {$remote_subnet} " . - "{$local_subnet} any -P in ipsec " . - "{$phase2['protocol']}/tunnel/{$rgip}-" . - "{$ep}/unique;\n"; + if (!isset($phase1['disabled'])) { + $spdconf .= "spdadd {$family} {$local_subnet} " . + "{$remote_subnet} any -P out ipsec " . + "{$phase2['protocol']}/tunnel/{$ep}-" . + "{$rgip}/unique;\n"; + $spdconf .= "spdadd {$family} {$remote_subnet} " . + "{$local_subnet} any -P in ipsec " . + "{$phase2['protocol']}/tunnel/{$rgip}-" . + "{$ep}/unique;\n"; + } log_error(sprintf(gettext("Reloading IPsec tunnel '%1\$s'. Previous IP '%2\$s', current IP '%3\$s'. Reloading policy"), $phase1['descr'], $old_gw, $rgip)); -- cgit v1.1 From fd3515f2b78184125e0f16a4a991660003ff7cd0 Mon Sep 17 00:00:00 2001 From: jim-p Date: Wed, 26 Sep 2012 09:43:41 -0400 Subject: Separate default gateway switching code to its own function, fix it to only operate on one address family at a time. Old method wouldn't re-set inet gateway if there was an inet6 default. --- etc/inc/gwlb.inc | 104 +++++++++++++++++++++++++++++-------------------------- 1 file changed, 54 insertions(+), 50 deletions(-) (limited to 'etc') diff --git a/etc/inc/gwlb.inc b/etc/inc/gwlb.inc index 20149b4..1068e48 100644 --- a/etc/inc/gwlb.inc +++ b/etc/inc/gwlb.inc 
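Review bot: The `log_error(... "Reloading policy" ...)` call immediately after the new guard still fires for a disabled phase1, so the log now reports a policy reload that the new `!isset($phase1['disabled'])` condition skips. Either move the log inside the same guard, or emit a distinct message in an `else` branch such as `log_error(sprintf(gettext("IPsec tunnel '%s' is disabled, old SPD entries removed and none added"), $phase1['descr']));` so an operator reading the log can tell the two cases apart. reload_tunnel_spd_policy starts and ends outside this hunk, so I cannot see whether the SPD deletion above the guard is meant to run for disabled tunnels; if it is, a comment saying so on the `if` would help the next reader.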
@@ -657,6 +657,58 @@ function return_gateways_array($disabled = false, $localhost = false) { return($gateways_arr); } +function fixup_default_gateway($ipprotocol, $gateways_status, $gateways_arr) { + global $config, $g; + /* + * NOTE: The code below is meant to replace the default gateway when it goes down. + * This facilitates services running on pfSense itself and are not handled by a PBR to continue working. + */ + $upgw = ""; + $dfltgwdown = false; + $dfltgwfound = false; + foreach ($gateways_arr as $gwname => $gwsttng) { + if (($gwsttng['ipprotocol'] == $ipprotocol) && isset($gwsttng['defaultgw'])) { + $dfltgwfound = true; + $dfltgwname = $gwname; + if (!isset($gwsttng['monitor_disable']) && stristr($gateways_status[$gwname]['status'], "down")) + $dfltgwdown = true; + } + /* Keep a record of the last up gateway */ + /* XXX: Blacklist lan for now since it might cause issues to those who have a gateway set for it */ + if (empty($upgw) && ($gwsttng['ipprotocol'] == $ipprotocol) && (isset($gwsttng['monitor_disable']) || !stristr($gateways_status[$gwname]['status'], "down")) && $gwsttng[$gwname]['friendlyiface'] != "lan") + $upgw = $gwname; + if ($dfltgwdown == true && !empty($upgw)) + break; + } + if ($dfltgwfound == false) { + $gwname = convert_friendly_interface_to_friendly_descr("wan"); + if (!empty($gateways_status[$gwname]) && stristr($gateways_status[$gwname]['status'], "down")) + $dfltgwdown = true; + } + if ($dfltgwdown == true && !empty($upgw)) { + if (preg_match("/dynamic/i", $gateways_arr[$upgw]['gateway'])) + $gateways_arr[$upgw]['gateway'] = get_interface_gateway($gateways_arr[$upgw]['friendlyiface']); + if (is_ipaddr($gateways_arr[$upgw]['gateway'])) { + log_error("Default gateway down setting {$upgw} as default!"); + if(is_ipaddrv6($gateways_arr[$upgw]['gateway'])) { + $inetfamily = "-inet6"; + } else { + $inetfamily = "-inet"; + } + mwexec("/sbin/route change {$inetfamily} default {$gateways_arr[$upgw]['gateway']}"); + } + } else { + $defaultgw = 
trim(`/sbin/route -n get -{$ipprotocol} default | /usr/bin/grep gateway | /usr/bin/sed 's/gateway://g'`, " \n"); + if(is_ipaddrv6($gateways_arr[$dfltgwname]['gateway'])) { + $inetfamily = "-inet6"; + } else { + $inetfamily = "-inet"; + } + if ($defaultgw != $gateways_arr[$dfltgwname]['gateway']) + mwexec("/sbin/route change {$inetfamily} default {$gateways_arr[$dfltgwname]['gateway']}"); + } +} + /* * Return an array with all gateway groups with name as key * All gateway groups will be processed before returning the array. 
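Review bot: In the `else` branch of the new fixup_default_gateway, `$gateways_arr[$dfltgwname]['gateway']` is read even when `$dfltgwfound` is false, and `$dfltgwname` is only assigned inside the `isset($gwsttng['defaultgw'])` branch, so the `fixup_default_gateway("inet6", ...)` call added in the next hunk reaches an undefined variable on any box with no IPv6 gateway marked default. In that case `$inetfamily` degrades to `-inet` and, if `route -n get -inet6 default` prints anything, the comparison is against null and a `route change -inet default` with an empty gateway appears to be issued; changing the branch to `} elseif ($dfltgwfound) {` avoids both. Two smaller points in the same function: `$gwsttng[$gwname]['friendlyiface']` in the up-gateway test indexes the per-gateway settings array by the gateway name, whereas the rest of the function reads `['friendlyiface']` directly on that array (so the lan exclusion is probably never applied), and `global $config, $g;` declares globals the body never reads.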
@@ -671,56 +723,8 @@ function return_gateway_groups_array() { $carplist = get_configured_carp_interface_list(); if (isset($config['system']['gw_switch_default'])) { - /* - * NOTE: The code below is meant to replace the default gateway when it goes down. - * This facilitates services running on pfSense itself and are not handled by a PBR to continue working. - */ - $upgw = ""; - $dfltgwdown = false; - $dfltgwfound = false; - foreach ($gateways_arr as $gwname => $gwsttng) { - if (isset($gwsttng['defaultgw'])) { - $dfltgwfound = true; - $dfltgwname = $gwname; - if (!isset($gwsttng['monitor_disable']) && stristr($gateways_status[$gwname]['status'], "down")) - $dfltgwdown = true; - } - /* Keep a record of the last up gateway */ - /* XXX: Blacklist lan for now since it might cause issues to those who have a gateway set for it */ - if (empty($upgw) && (isset($gwsttng['monitor_disable']) || !stristr($gateways_status[$gwname]['status'], "down")) && $gwsttng[$gwname]['friendlyiface'] != "lan") - $upgw = $gwname; - if ($dfltgwdown == true && !empty($upgw)) - break; - } - if ($dfltgwfound == false) { - $gwname = convert_friendly_interface_to_friendly_descr("wan"); - if (!empty($gateways_status[$gwname]) && stristr($gateways_status[$gwname]['status'], "down")) - $dfltgwdown = true; - } - if ($dfltgwdown == true && !empty($upgw)) { - if (preg_match("/dynamic/i", $gateways_arr[$upgw]['gateway'])) - $gateways_arr[$upgw]['gateway'] = get_interface_gateway($gateways_arr[$upgw]['friendlyiface']); - if (is_ipaddr($gateways_arr[$upgw]['gateway'])) { - log_error("Default gateway down setting {$upgw} as default!"); - if(is_ipaddrv6($gateways_arr[$upgw]['gateway'])) { - $inetfamily = "-inet6"; - } else { - $inetfamily = "-inet"; - } - mwexec("/sbin/route change {$inetfamily} default {$gateways_arr[$upgw]['gateway']}"); - } - } else { - $defaultgw = trim(`/sbin/route -n get -inet default | /usr/bin/grep gateway | /usr/bin/sed 's/gateway://g'`, " \n"); - 
if(is_ipaddrv6($gateways_arr[$dfltgwname]['gateway'])) { - $inetfamily = "-inet6"; - } else { - $inetfamily = "-inet"; - } - if ($defaultgw != $gateways_arr[$dfltgwname]['gateway']) - mwexec("/sbin/route change {$inetfamily} default {$gateways_arr[$dfltgwname]['gateway']}"); - } - - unset($upgw, $dfltgwfound, $dfltgwdown, $gwname, $gwsttng); + fixup_default_gateway("inet", $gateways_status, $gateways_arr); + fixup_default_gateway("inet6", $gateways_status, $gateways_arr); } if (is_array($config['gateways']['gateway_group'])) { foreach($config['gateways']['gateway_group'] as $group) { -- cgit v1.1 From 6e9b046e51f5728b8d8f0182b401476059040d1d Mon Sep 17 00:00:00 2001 From: jim-p Date: Wed, 26 Sep 2012 13:20:39 -0400 Subject: Due to the DHCP pool tag needing to be an array, rename the old LB "pool" variable to something else so it's not interpreted as an array. --- etc/inc/globals.inc | 2 +- etc/inc/upgrade_config.inc | 17 +++++++++++++++++ etc/inc/vslb.inc | 16 ++++++++-------- 3 files changed, 26 insertions(+), 9 deletions(-) (limited to 'etc') diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc index 23c3a92..51fbc22 100644 --- a/etc/inc/globals.inc +++ b/etc/inc/globals.inc @@ -77,7 +77,7 @@ $g = array( "disablecrashreporter" => false, "crashreporterurl" => "http://crashreporter.pfsense.org/crash_reporter.php", "debug" => false, - "latest_config" => "8.9", + "latest_config" => "9.0", "nopkg_platforms" => array("cdrom"), "minimum_ram_warning" => "101", "minimum_ram_warning_text" => "128 MB", diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc index f7ae95d..4f66a8b 100644 --- a/etc/inc/upgrade_config.inc +++ b/etc/inc/upgrade_config.inc 
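Review bot: `$gateways_arr` is now passed by value to `fixup_default_gateway`, whereas the removed in-line code resolved a "dynamic" placeholder into `$gateways_arr[$upgw]['gateway']` on return_gateway_groups_array's own copy. If the group-building loop that follows (`foreach($config['gateways']['gateway_group'] as $group)`) relies on that resolved address, it now sees the unresolved value; I cannot confirm that from the hunk. If the write-back is wanted, declare the parameter as `&$gateways_arr` in the signature added in the previous hunk, and either way a one-line comment at the call site stating whether the array is expected to be modified would settle it for the next reader.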
@@ -905,6 +905,8 @@ function upgrade_045_to_046() { $pool['behaviour'] = 'balance'; $pool['name'] = "{$vs_a[$i]['name']}-sitedown"; $pool['descr'] = sprintf(gettext("Sitedown pool for VS: %s"), $vs_a[$i]['name']); + if (is_array($vs_a[$i]['pool'])) + $vs_a[$i]['pool'] = $vs_a[$i]['pool'][0]; $pool['port'] = $pools[$vs_a[$i]['pool']]['port']; $pool['servers'] = array(); $pool['servers'][] = $vs_a[$i]['sitedown']; @@ -2930,4 +2932,19 @@ function upgrade_088_to_089() { } } } +function upgrade_089_to_090() { + global $config; + if (is_array($config['load_balancer']['virtual_server']) && count($config['load_balancer']['virtual_server'])) { + $vs_a = &$config['load_balancer']['virtual_server']; + for ($i = 0; isset($vs_a[$i]); $i++) { + if (is_array($vs_a[$i]['pool'])) { + $vs_a[$i]['poolname'] = $vs_a[$i]['pool'][0]; + unset($vs_a[$i]['pool']); + } elseif (!empty($vs_a[$i]['pool'])) { + $vs_a[$i]['poolname'] = $vs_a[$i]['pool']; + unset($vs_a[$i]['pool']); + } + } + } +} ?> diff --git a/etc/inc/vslb.inc b/etc/inc/vslb.inc index 0a975f0..1aed862 100644 --- a/etc/inc/vslb.inc +++ b/etc/inc/vslb.inc @@ -267,12 +267,12 @@ function relayd_configure($kill_first=false) { for ($i = 0; isset($vs_a[$i]); $i++) { $append_port_to_name = false; - if (is_alias($pools[$vs_a[$i]['pool']]['port'])) { - $dest_port_array = filter_expand_alias_array($pools[$vs_a[$i]['pool']]['port']); + if (is_alias($pools[$vs_a[$i]['poolname']]['port'])) { + $dest_port_array = filter_expand_alias_array($pools[$vs_a[$i]['poolname']]['port']); $append_port_to_name = true; } else { - $dest_port_array = array($pools[$vs_a[$i]['pool']]['port']); + $dest_port_array = array($pools[$vs_a[$i]['poolname']]['port']); } if (is_alias($vs_a[$i]['port'])) { $src_port_array = filter_expand_alias_array($vs_a[$i]['port']); 
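Review bot: In the new upgrade_089_to_090, a virtual server whose `pool` is an empty array gets `poolname` set to null from `$vs_a[$i]['pool'][0]` with an undefined-offset notice, while one whose `pool` is an empty string fails the `!empty()` test and keeps the `pool` key this upgrade exists to retire; the same unchecked `[0]` access is added to upgrade_045_to_046 in the first hunk of this file. Both branches also repeat `unset($vs_a[$i]['pool'])`. A single `isset` branch covers every case and unsets once:
```php
for ($i = 0; isset($vs_a[$i]); $i++) {
	if (isset($vs_a[$i]['pool'])) {
		$pool = $vs_a[$i]['pool'];
		/* old value was either a plain pool name or a one-element array holding it */
		$vs_a[$i]['poolname'] = is_array($pool) ? (string) reset($pool) : $pool;
		unset($vs_a[$i]['pool']);
	}
}
```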
@@ -331,26 +331,26 @@ function relayd_configure($kill_first=false) { $conf .= " protocol \"{$vs_a[$i]['relay_protocol']}\"\n"; } $lbmode = ""; - if ( $pools[$vs_a[$i]['pool']]['mode'] == "loadbalance" ) { + if ( $pools[$vs_a[$i]['poolname']]['mode'] == "loadbalance" ) { $lbmode = "mode loadbalance"; } - $conf .= " forward to <{$vs_a[$i]['pool']}> port {$dest_port} {$lbmode} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} \n"; + $conf .= " forward to <{$vs_a[$i]['poolname']}> port {$dest_port} {$lbmode} {$check_a[$pools[$vs_a[$i]['poolname']]['monitor']]} \n"; if (isset($vs_a[$i]['sitedown']) && strlen($vs_a[$i]['sitedown']) > 0) - $conf .= " forward to <{$vs_a[$i]['sitedown']}> port {$dest_port} {$lbmode} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} \n"; + $conf .= " forward to <{$vs_a[$i]['sitedown']}> port {$dest_port} {$lbmode} {$check_a[$pools[$vs_a[$i]['poolname']]['monitor']]} \n"; $conf .= "}\n"; } else { $conf .= "redirect \"{$name}\" {\n"; $conf .= " listen on {$ip} port {$src_port}\n"; - $conf .= " forward to <{$vs_a[$i]['pool']}> port {$dest_port} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} \n"; + $conf .= " forward to <{$vs_a[$i]['poolname']}> port {$dest_port} {$check_a[$pools[$vs_a[$i]['poolname']]['monitor']]} \n"; if (isset($config['system']['lb_use_sticky'])) $conf .= " sticky-address\n"; /* sitedown MUST use the same port as the primary pool - sucks, but it's a relayd thing */ if (isset($vs_a[$i]['sitedown']) && strlen($vs_a[$i]['sitedown']) > 0) - $conf .= " forward to <{$vs_a[$i]['sitedown']}> port {$dest_port} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} \n"; + $conf .= " forward to <{$vs_a[$i]['sitedown']}> port {$dest_port} {$check_a[$pools[$vs_a[$i]['poolname']]['monitor']]} \n"; $conf .= "}\n"; } -- cgit v1.1 From 96f7a687af3b826c4e23150291e5d0c8ea1073a1 Mon Sep 17 00:00:00 2001 
From: jim-p Date: Thu, 27 Sep 2012 00:43:57 -0400 Subject: Some more state killing refinements. --- etc/inc/interfaces.inc | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'etc') diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc index ec6e9cf..3747805 100644 --- a/etc/inc/interfaces.inc +++ b/etc/inc/interfaces.inc @@ -1153,6 +1153,12 @@ function interface_bring_down($interface = "wan", $destroy = false) { break; } + $old_router = trim(file_get_contents("{$g['tmp_path']}/{$realif}_router")); +// log_error("Checking for old router states: {$g['tmp_path']}/{$realif}_router = {$old_router}"); + if (!empty($old_router)) { + log_error("Clearing states to old gateway {$old_router}."); + mwexec("/sbin/pfctl -b 0.0.0.0/32 -b {$old_router}/32"); + } /* remove interface up file if it exists */ unlink_if_exists("{$g['tmp_path']}/{$realif}up"); -- cgit v1.1 From 680d543da45c157f47ed007e54f7af08de640a43 Mon Sep 17 00:00:00 2001 From: jim-p Date: Thu, 27 Sep 2012 12:55:02 -0400 Subject: Add forgotten part of the IPsec split dns fix from yesterday --- etc/inc/vpn.inc | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index 36e1ca9..03941bb 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -390,7 +390,14 @@ function vpn_ipsec_configure($ipchg = false) if ($a_client['dns_domain']) { $racoonconf .= "\tdefault_domain \"{$a_client['dns_domain']}\";\n"; - $racoonconf .= "\tsplit_dns \"{$a_client['dns_domain']}\";\n"; + if (empty($a_client['dns_split'])) + $racoonconf .= "\tsplit_dns \"{$a_client['dns_domain']}\";\n"; + } + + if ($a_client['dns_split']) { + $domain_array = preg_split("/[ ,]+/",$a_client['dns_split']); + $domain_string = implode('", "', $domain_array); + $racoonconf .= "\tsplit_dns \"{$domain_string}\";\n"; } if ($a_client['pfs_group']) -- cgit v1.1 From 193a8e1f677de8ec7cf32edca927bf47a7139c78 Mon Sep 17 00:00:00 2001 
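Review bot: `$old_router` is read from `{$g['tmp_path']}/{$realif}_router` and interpolated straight into the `pfctl` command run by `mwexec` with only an emptiness test, so whatever that file holds (however it is produced, which is not visible here) becomes shell text; since the `/32` suffix shows an IPv4 address is expected, tighten the guard to `if (!empty($old_router) && is_ipaddrv4($old_router)) {`. `file_get_contents` on a missing file returns false with a warning, so test `file_exists` on the path before reading, as the `unlink_if_exists` call just below already does for its file. The commented-out `// log_error(...)` debug line should be dropped rather than committed. interface_bring_down starts and ends outside this hunk.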
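Review bot: `preg_split("/[ ,]+/",$a_client['dns_split'])` returns empty strings for a leading or trailing space or comma, which the `implode('", "', ...)` turns into `split_dns "", "example.com"` in racoon.conf; pass `-1, PREG_SPLIT_NO_EMPTY` as the third and fourth arguments to drop them. The domain names are also interpolated unescaped inside the double-quoted racoon value, so the GUI validation (outside this hunk) must be what rejects `"` and `;` in `dns_split` — worth a comment here if that is the assumption. vpn_ipsec_configure starts and ends outside the hunk.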
From: jim-p Date: Sun, 30 Sep 2012 11:11:56 -0400 Subject: Revert "Allow for changing OpenVPN TUN to TAP device mode without reboot." -- Adds blank OpenVPN servers, see ticket #2643 This reverts commit c8bb7f1527a99c69784ab6c01d9050adcde6a8a0. --- etc/inc/openvpn.inc | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) (limited to 'etc') diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc index 8416264..bddb5c8 100644 --- a/etc/inc/openvpn.inc +++ b/etc/inc/openvpn.inc @@ -710,12 +710,7 @@ function openvpn_delete($mode, & $settings) { $vpnid = $settings['vpnid']; $mode_id = $mode.$vpnid; - if (isset($settings['dev_mode'])) - $tunname = "{$settings['dev_mode']}{$vpnid}"; - else { /* defaults to tun */ - $tunname = "tun{$vpnid}"; - } - + $tunname = "tun{$vpnid}"; if ($mode == "server") $devname = "ovpns{$vpnid}"; else -- cgit v1.1
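Review bot: After the revert, `openvpn_delete` always computes `$tunname = "tun{$vpnid}"`, so if any existing configuration still carries a `dev_mode` of tap (I cannot see from the hunk whether the setting survives elsewhere), deleting that instance will look for a tunN device that does not exist and leave the tap interface behind. A comment such as `/* XXX: dev_mode handling reverted, see ticket #2643; tap instances are addressed as tunN here */` on the restored line would record the known gap for whoever restores the feature. openvpn_delete starts outside this hunk.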