.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
/*
pfSense_MODULE: base
*/
/* Include authentication routines */
/* THIS MUST BE ABOVE ALL OTHER CODE */
/* CSRF protection (csrf-magic) is armed for every page that includes this
 * file unless the page set $nocsrf to a truthy value *before* the include.
 * The opt-out is therefore a per-page decision made in code; nothing in the
 * request can set $nocsrf (register_globals is assumed off). csrf_startup()
 * is the hook csrf-magic calls on load; the only setting made here is the
 * path of the client-side rewrite script that adds the token to forms. */
if(!$nocsrf) {
function csrf_startup() {
csrf_conf('rewrite-js', '/csrf/csrf-magic.js');
}
require_once("csrf/csrf-magic.php");
}
/* authgui.inc performs the session/privilege check for the GUI page. */
require_once("authgui.inc");
/* make sure nothing is cached */
/* Authenticated GUI pages must not be served from browser or proxy caches
 * (back-button disclosure after logout, shared proxies). A page can opt out
 * by setting $omit_nocacheheaders before including this file. */
if (!$omit_nocacheheaders) {
header("Expires: 0");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
/* second Cache-Control is appended, not replaced (replace = false) */
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");
}
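/* parse the configuration and include all configuration functions */
require_once("functions.inc");
/* Pull in all the gui related display classes.
 * Every file included here is executed with the web GUI's privileges, so the
 * match is anchored to a ".inc" suffix (case-insensitive, as before). The
 * original stristr() test matched ".inc" anywhere in the name and therefore
 * also executed leftovers such as "foo.inc.bak" or "bar.incomplete". A
 * directory that cannot be listed is skipped instead of being handed to
 * foreach(). */
$__class_files = scandir("/usr/local/www/classes/");
if (is_array($__class_files)) {
    foreach ($__class_files as $file) {
        if (preg_match('/\.inc$/i', $file))
            require_once("classes/{$file}");
    }
}
unset($__class_files);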
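/*
 * if user has selected a custom template, use it.
 * otherwise default to pfsense template
 *
 * $g['theme'] is later spliced verbatim into paths under
 * /usr/local/www/themes/ (see print_info_box_np(), which eval()s files found
 * there). The value comes from the stored configuration, i.e. it is
 * admin-controlled rather than request input; NOTE(review): a basename() or
 * allow-list check here would still be cheap insurance against a tampered
 * config. isset() avoids an undefined-index notice when no theme is stored.
 */
if (isset($config['theme']) && $config['theme'] <> "")
    $g['theme'] = $config['theme'];
else
    $g['theme'] = "pfsense";
/*
 * If this device is an apple ipod/iphone/ipad, switch the theme to one
 * that works with it. The User-Agent header is attacker-controlled but is
 * only substring-matched here; the isset() guard means a request without
 * a User-Agent header (e.g. curl -A "") no longer raises a notice.
 */
$apple_ua = array("iPhone", "iPod", "iPad");
foreach ($apple_ua as $useragent)
    if (isset($_SERVER['HTTP_USER_AGENT']) && strstr($_SERVER['HTTP_USER_AGENT'], $useragent))
        $g['theme'] = "pfsense";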
/* used by progress bar */
$lastseen = "-1";
$navlevelsep = ": "; /* navigation level separator string, joined by gentitle() */
$mandfldhtml = ""; /* display this before mandatory input fields */
$mandfldhtmlspc = ""; /* same as above, but with spacing */
/* Some ajax scripts still need access to GUI */
/* While the 'firmwarelock' subsystem is marked dirty (presumably a firmware
 * upgrade in progress) every page is bounced to system_firmware.php. Two
 * opt-outs exist, both set by the including page before this file is read:
 * $ignorefirmwarelock skips the check entirely, and $d_isfwfile makes the
 * include return early instead of redirecting. */
if (empty($ignorefirmwarelock) && is_subsystem_dirty('firmwarelock')) {
    if (empty($d_isfwfile)) {
        header("Location: system_firmware.php");
        exit;
    }
    return;
}
/* DSCP values offered by the firewall rule editor: the AF classes, EF, and
 * free-form numeric / hex ranges. Order is kept as in the original listing. */
$firewall_rules_dscp_types = array(
    "af11", "af12", "af13",
    "af21", "af22", "af23",
    "af31", "af32", "af33",
    "af41", "af42", "af43",
    "EF", "1-64", "0x10", "0x04-0xfc");
/* Authentication server back-ends selectable in the GUI. */
$auth_server_types = array('ldap' => "LDAP", 'radius' => "Radius");
/* LDAP transport choices (label => port). Only the 636 entry is encrypted;
 * 389 is plain TCP, so credentials cross the wire in clear unless the
 * server is on a trusted segment. */
$ldap_urltypes = array('TCP - Standard' => 389, 'SSL - Encrypted' => 636);
$ldap_scopes = array('one' => "One Level", 'subtree' => "Entire Subtree");
$ldap_protvers = array(2, 3);
/* Per-directory attribute names used to look up users and group membership. */
$ldap_templates = array(
    'open' => array('desc' => "OpenLDAP",
                    'attr_user' => "cn",
                    'attr_group' => "cn",
                    'attr_member' => "member"),
    'msad' => array('desc' => "Microsoft AD",
                    'attr_user' => "samAccountName",
                    'attr_group' => "cn",
                    'attr_member' => "memberOf"),
    'edir' => array('desc' => "Novell eDirectory",
                    'attr_user' => "cn",
                    'attr_group' => "cn",
                    'attr_member' => "uniqueMember"));
/* RADIUS services a server entry may be used for. */
$radius_srvcs = array(
    'both' => "Authentication and Accounting",
    'auth' => "Authentication",
    'acct' => "Accounting");
/* NetBIOS node type codes (DHCP option 46). */
$netbios_nodetypes = array(
    '0' => "none",
    '1' => "b-node",
    '2' => "p-node",
    '4' => "m-node",
    '5' => "h-node");
/* Well-known port numbers and their service names (key = port number).
 * pprint_port() uses this to annotate a single port in rule listings. */
$wkports = array(
    5999 => "CVSup",        53 => "DNS",            21 => "FTP",
    3000 => "HBCI",         80 => "HTTP",           443 => "HTTPS",
    5190 => "ICQ",          113 => "IDENT/AUTH",    143 => "IMAP",
    993 => "IMAP/S",        4500 => "IPsec NAT-T",  500 => "ISAKMP",
    1701 => "L2TP",         389 => "LDAP",          1755 => "MMS/TCP",
    7000 => "MMS/UDP",      445 => "MS DS",         3389 => "MS RDP",
    1512 => "MS WINS",      1863 => "MSN",          119 => "NNTP",
    123 => "NTP",           138 => "NetBIOS-DGM",   137 => "NetBIOS-NS",
    139 => "NetBIOS-SSN",   1194 => "OpenVPN",      110 => "POP3",
    995 => "POP3/S",        1723 => "PPTP",         1812 => "RADIUS",
    1813 => "RADIUS accounting", 5004 => "RTP",     5060 => "SIP",
    25 => "SMTP",           465 => "SMTP/S",        161 => "SNMP",
    162 => "SNMP-Trap",     22 => "SSH",            3478 => "STUN",
    3544 => "Teredo",       23 => "Telnet",         69 => "TFTP",
    5900 => "VNC");
/* TCP flag names selectable in the rule editor. */
$tcpflags = array("fin", "syn", "rst", "psh", "ack", "urg");
/* Symbolic source/destination networks: the VPN client pools plus, for
 * every interface returned by get_configured_interface_with_descr(),
 * "<if> net" (keyed by the interface name) and "<if> address" (keyed by
 * the interface name with an "ip" suffix). */
$specialnets = array(
    "pptp" => "PPTP clients",
    "pppoe" => "PPPoE clients",
    "l2tp" => "L2TP clients");
$spiflist = get_configured_interface_with_descr(false, true);
foreach ($spiflist as $ifgui => $ifdesc) {
    $specialnets[$ifgui] = "{$ifdesc} net";
    $specialnets["{$ifgui}ip"] = "{$ifdesc} address";
}
/* Ethernet media selections. */
$medias = array(
    "auto" => "autoselect",
    "100full" => "100BASE-TX full-duplex",
    "100half" => "100BASE-TX half-duplex",
    "10full" => "10BASE-T full-duplex",
    "10half" => "10BASE-T half-duplex");
/* 802.11 operating modes. */
$wlan_modes = array(
    "bss" => "Infrastructure (BSS)",
    "adhoc" => "Ad-hoc (IBSS)",
    "hostap" => "Access Point");
/* platforms that support firmware updating */
$fwupplatforms = array('pfSense', 'net45xx', 'net48xx', 'generic-pc', 'embedded', 'wrap', 'nanobsd');
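/* Validate submitted form data and append any problems to $input_errors.
 *
 * $postdata     - associative array of submitted values (normally $_POST)
 * $reqdfields   - list of field names that must be non-empty
 * $reqdfieldsn  - parallel list of human-readable names for $reqdfields
 * $input_errors - array the error messages are appended to. It is now taken
 *                 BY REFERENCE: the original signature took it by value, so
 *                 unless a caller used the (long-deprecated) call-time
 *                 pass-by-reference form every error was appended to a local
 *                 copy and silently discarded, i.e. validation had no effect.
 *
 * Two checks are made:
 *  - every string value is rejected if it contains a C0 control character
 *    other than TAB, LF or CR (nested arrays are not descended into);
 *  - every required field must be present and non-empty in $_POST or
 *    $_REQUEST. Note that this reads the superglobals, not $postdata — kept
 *    as-is so existing callers behave the same, but it means a field passed
 *    only in $postdata is still reported missing. */
function do_input_validation($postdata, $reqdfields, $reqdfieldsn, &$input_errors) {
    if (!is_array($input_errors))
        $input_errors = array();
    /* check for bad control characters */
    if (is_array($postdata)) {
        foreach ($postdata as $pn => $pd) {
            if (is_string($pd) && preg_match("/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f]/", $pd)) {
                $input_errors[] = "The field '" . $pn . "' contains invalid characters.";
            }
        }
    }
    if (!is_array($reqdfields))
        return;
    for ($i = 0; $i < count($reqdfields); $i++) {
        $field = $reqdfields[$i];
        $post_val = isset($_POST[$field]) ? $_POST[$field] : "";
        $req_val = isset($_REQUEST[$field]) ? $_REQUEST[$field] : "";
        if ($post_val == "" && $req_val == "") {
            /* fall back to the raw field name if no display name was supplied */
            $label = isset($reqdfieldsn[$i]) ? $reqdfieldsn[$i] : $field;
            $input_errors[] = "The field '" . $label . "' is required.";
        }
    }
}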
/* Render the collected validation errors as an HTML block.
 *
 * $input_errors - array of message strings (as filled by do_input_validation()).
 * Each message goes through htmlspecialchars() before output, so an error
 * text that echoes a submitted value cannot inject markup.
 * NOTE(review): the heredoc markup around the list appears truncated in this
 * copy of the file (no identifier after `print <<`); the original template
 * is assumed to be intact upstream. $g is imported but unused here. */
function print_input_errors($input_errors) {
global $g;
print <<
|
The following input errors were detected:
EOF;
foreach ($input_errors as $ierr) {
echo "- " . htmlspecialchars($ierr) . "
";
}
print <<
|
EOF2;
}
/* Return 1 when $fname is a valid gzip stream according to `gzip -t`,
 * otherwise 0. The path is shell-quoted, so an arbitrary upload name can
 * be passed safely. */
function verify_gzip_file($fname) {
    $exit_status = mwexec("/usr/bin/gzip -t " . escapeshellarg($fname));
    return ($exit_status == 0) ? 1 : 0;
}
/* Print an informational box containing $msg, with an "Apply changes"
 * button (name=$name, value=$value) when the message mentions apply/save/
 * create (matched through gettext()).
 *
 * $msg is interpolated into the output UNescaped: callers must pass trusted
 * or pre-escaped text (e.g. the fixed strings from get_std_save_message()).
 * $_POST['if'] is read to carry the current interface through the apply
 * form; the markup that used it is not visible in this copy of the file.
 *
 * Theme hooks: if the selected theme ships tabcontrols.php / infobox.php,
 * their contents are read and eval()'d here. The theme name comes from
 * $config['theme'] (admin-controlled), but anyone able to write under
 * /usr/local/www/themes/ gets PHP execution inside the GUI. */
function print_info_box_np($msg, $name="apply",$value="Apply changes") {
global $g, $nifty_redbox, $nifty_blackbox, $nifty_background;
// Set the Nifty background color if one is not set already (defaults to white)
if($nifty_background == "")
$nifty_background = "#FFF";
/* only messages that talk about applying/saving/creating get the button;
 * NOTE(review): the button markup assigned below was stripped in this copy */
if(stristr($msg, gettext("apply")) != false || stristr($msg, gettext("save")) != false || stristr($msg, gettext("create")) != false) {
$savebutton = "";
$savebutton .= "";
if($_POST['if'])
$savebutton .= "";
$savebutton.=" | ";
}
$nifty_redbox = "#990000";
$nifty_blackbox = "#000000";
$themename = $g['theme'];
/* theme hook: arbitrary PHP from the theme directory is executed here */
if(file_exists("/usr/local/www/themes/{$themename}/tabcontrols.php")) {
$toeval = file_get_contents("/usr/local/www/themes/{$themename}/tabcontrols.php");
eval($toeval);
}
if(file_exists("/usr/local/www/themes/{$themename}/infobox.php")) {
$toeval = file_get_contents("/usr/local/www/themes/{$themename}/infobox.php");
eval($toeval);
}
/* no apply button: keep the cell so the table layout stays the same */
if(!$savebutton) {
$savebutton = ' | ';
}
echo <<
|
{$msg}
|
{$savebutton}
|
EOFnp;
}
/* Variant of print_info_box_np() that also renders an undo control.
 *
 * $undo has no default although it follows defaulted parameters, so every
 * caller must pass all four arguments (PHP 8 deprecates this ordering).
 * Unlike print_info_box_np(), the apply/save/create keywords are matched
 * literally here rather than through gettext().
 * NOTE(review): $undobutton is interpolated into the output below but is
 * never assigned in this body as shown — either the assignment was lost
 * together with the stripped button markup, or it is always empty.
 * Same caveats as print_info_box_np(): $msg is emitted unescaped, and the
 * theme's tabcontrols.php / infobox.php are eval()'d if present. */
function print_info_box_np_undo($msg, $name="apply",$value="Apply changes", $undo) {
global $g;
/* NOTE(review): the button markup assigned here was stripped in this copy */
if(stristr($msg, "apply") != false || stristr($msg, "save") != false || stristr($msg, "create") != false) {
$savebutton = "";
$savebutton .= " ";
$savebutton .= " ";
$savebutton.=" | ";
if($_POST['if'])
$savebutton .= "";
}
$nifty_redbox = "#990000";
$nifty_blackbox = "#000000";
$themename = $g['theme'];
/* theme hook: arbitrary PHP from the theme directory is executed here */
if(file_exists("/usr/local/www/themes/{$themename}/tabcontrols.php")) {
$toeval = file_get_contents("/usr/local/www/themes/{$themename}/tabcontrols.php");
eval($toeval);
}
if(file_exists("/usr/local/www/themes/{$themename}/infobox.php")) {
$toeval = file_get_contents("/usr/local/www/themes/{$themename}/infobox.php");
eval($toeval);
}
if(!$savebutton) {
$savebutton = ' | ';
}
echo <<
|
{$msg}
|
{$savebutton}
{$undobutton}
|
EOFnp;
}
/* Print an info box for $msg using the default button name and label;
 * thin wrapper around print_info_box_np(). */
function print_info_box($msg) {
    print_info_box_np($msg, "apply", "Apply changes");
}
/* Return the standard "changes applied" message. When the current script's
 * file name contains "nat" or "filter" (case-insensitive) a hint about the
 * filter reload progress is appended. $ok and the imported
 * $d_sysrebootreqd_path are not used. The returned text is fixed and safe
 * to print unescaped. */
function get_std_save_message($ok) {
    global $d_sysrebootreqd_path;
    $message = "The changes have been applied successfully.";
    $script = $_SERVER['SCRIPT_FILENAME'];
    $filter_related = stristr($script, "nat") || stristr($script, "filter");
    if ($filter_related) {
        $message .= "
You can also monitor the filter reload progress.";
    }
    return $message;
}
/* Format a stored rule address for display: "*" for any, the descriptive
 * name from $specialnets for a symbolic network, else the literal address;
 * a negated entry is prefixed with "! ". The result is NOT HTML-escaped —
 * $specialnets descriptions and addresses are expected to be escaped by the
 * caller if they can contain markup. */
function pprint_address($adr) {
    global $specialnets;
    if (isset($adr['any']))
        $text = "*";
    elseif (!empty($adr['network']))
        $text = $specialnets[$adr['network']];
    else
        $text = $adr['address'];
    return isset($adr['not']) ? "! " . $text : $text;
}
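/* Format a stored port specification for display.
 *
 * $port - "" / null for any port (returns "*"), a single port "N", or a
 *         range "N-M". A range whose ends are equal, or whose upper end is
 *         empty/"0", is shown as the single port. A single port listed in
 *         $wkports gets its service name appended, e.g. "22 (SSH)".
 *
 * Missing range halves and ports absent from $wkports are now checked with
 * isset(), so "22" or "8080" no longer raise undefined-offset/index notices. */
function pprint_port($port) {
    global $wkports;
    if (!$port)
        return "*";
    $bounds = explode("-", $port);
    $lo = $bounds[0];
    $hi = isset($bounds[1]) ? $bounds[1] : "";
    if (!$hi || $lo == $hi) {
        $text = $lo;
        if (isset($wkports[$lo]) && $wkports[$lo])
            $text .= " (" . $wkports[$lo] . ")";
        return $text;
    }
    return $lo . " - " . $hi;
}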
/* Build a one-line, space-separated summary of the advanced options set on
 * a rule ($item), for display in rule listings. Options are emitted in a
 * fixed order; value options appear as "label value ", flag options as
 * "label ". Returns "" when no advanced option is set. $item is taken by
 * reference as in the original signature but is not modified. */
function firewall_check_for_advanced_options(&$item) {
    /* label shown, rule attribute read, how the attribute is tested */
    $spec = array(
        array("max",                "max",                "value"),
        array("max-src-nodes",      "max-src-nodes",      "value"),
        array("max-src-conn",       "max-src-conn",       "value"),
        array("max-src-states",     "max-src-states",     "value"),
        array("statetype",          "statetype",          "statetype"),
        array("statetimeout",       "statetimeout",       "value"),
        array("nosync",             "nosync",             "flag"),
        array("max-src-conn-rate",  "max-src-conn-rate",  "value"),
        array("max-src-conn-rates", "max-src-conn-rates", "value"),
        array("gateway",            "gateway",            "value"),
        array("limiter",            "dnpipe",             "value"),
        array("limiter",            "pdnpipe",            "value"),
        array("layer7",             "l7container",        "value"),
        array("tag",                "tag",                "value"),
        array("tagged",             "tagged",             "value"),
        array("allowopts",          "allowopts",          "isset"),
        array("disable reply-to",   "disablereplyto",     "isset"),
    );
    $summary = "";
    foreach ($spec as $entry) {
        list($label, $key, $how) = $entry;
        $val = isset($item[$key]) ? $item[$key] : null;
        switch ($how) {
        case "value":
            if ($val)
                $summary .= "{$label} {$val} ";
            break;
        case "flag":
            if ($val)
                $summary .= "{$label} ";
            break;
        case "isset":
            /* presence alone counts, even with an empty value */
            if (isset($item[$key]))
                $summary .= "{$label} ";
            break;
        case "statetype":
            /* the default "keep state" is not worth listing */
            if ($val != "keep state" && $val != "")
                $summary .= "{$label} {$val} ";
            break;
        }
    }
    if (!empty($item['tcpflags_any']) || !empty($item['tcpflags1']) || !empty($item['tcpflags2']))
        $summary .= "tcpflags set";
    return $summary;
}
/* Build a page title: a plain string is returned unchanged, an array of
 * navigation levels is joined with the global $navlevelsep. */
function gentitle($title) {
    global $navlevelsep;
    return is_array($title) ? implode($navlevelsep, $title) : $title;
}
/* HTML <title> text for a page; currently identical to gentitle().
 * The result is not escaped here — callers emit it into markup. */
function genhtmltitle($title) {
    return gentitle($title);
}
/* update the changedesc and changecount(er) variables */
/* Append " $update" to the global change description and bump the global
 * change counter; both are created on first use if unset. */
function update_changedesc($update) {
    global $changedesc, $changecount;
    $changedesc = $changedesc . " " . $update;
    $changecount = $changecount + 1;
}
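/* Truncate a log file and restart syslogd.
 *
 * $logfile - path of the log to clear (default: the system log).
 *
 * With $config['system']['disablesyslogclog'] the log is a plain text file
 * and is simply replaced by an empty one; otherwise the circular log
 * container is recreated at its fixed size with fifolog_create or clog.
 * $logfile is shell-quoted before being spliced into those commands: it is
 * only ever meant to be a path, but it reaches exec() as part of a command
 * line, and this file already quotes such arguments elsewhere
 * (verify_gzip_file()). */
function clear_log_file($logfile = "/var/log/system.log") {
    global $config, $g;
    /* syslogd must not hold the file while it is replaced */
    exec("/usr/bin/killall syslogd");
    if (isset($config['system']['disablesyslogclog'])) {
        unlink($logfile);
        touch($logfile);
    } else {
        $quoted = escapeshellarg($logfile);
        if (isset($config['system']['usefifolog']))
            exec("/usr/sbin/fifolog_create -s 511488 {$quoted}");
        else
            exec("/usr/sbin/clog -i -s 511488 {$quoted}");
    }
    system_syslogd_start();
}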
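/* Print the last $tail lines of $logfile as HTML table rows.
 *
 * $logfile    - clog circular log, fifolog, or plain file (per config)
 * $tail       - number of lines to show (coerced to int)
 * $withorig   - true: split each line into a timestamp cell and a text cell;
 *               false: show only the message part
 * $grepfor    - array of substrings a line must contain (ignored if not an array)
 * $grepinvert - array of substrings a line must not contain
 *
 * Every value spliced into the shell pipeline is now quoted with
 * escapeshellarg(): the original interpolated the grep terms inside
 * double quotes, so a term containing `"`, `$(…)` or `;` broke out of the
 * grep argument. The terms are chosen by the calling page and may be derived
 * from request parameters there, so this is a command-injection surface.
 * `grep -e` keeps a term starting with "-" from being parsed as an option,
 * and $tail is forced to an integer. A caller that relied on shell globbing
 * in $logfile must now pass an explicit path. Output fields are HTML-escaped. */
function dump_clog($logfile, $tail, $withorig = true, $grepfor = "", $grepinvert = "") {
    global $g, $config;
    $sor = isset($config['syslog']['reverse']) ? "-r" : "";
    $logarr = array();
    $grepline = " ";
    if (is_array($grepfor))
        foreach ($grepfor as $agrep)
            $grepline .= " | grep -e " . escapeshellarg($agrep);
    if (is_array($grepinvert))
        foreach ($grepinvert as $agrep)
            $grepline .= " | grep -v -e " . escapeshellarg($agrep);
    $logfile_arg = escapeshellarg($logfile);
    $tail = (int) $tail;
    if (file_exists($logfile) && filesize($logfile) == 0) {
        $logarr = array("Log file started.");
    } elseif (!empty($config['system']['disablesyslogclog'])) {
        exec("cat {$logfile_arg}{$grepline} | /usr/bin/tail {$sor} -n {$tail}", $logarr);
    } elseif (isset($config['system']['usefifolog'])) {
        exec("/usr/sbin/fifolog_reader {$logfile_arg}{$grepline} | /usr/bin/tail {$sor} -n {$tail}", $logarr);
    } else {
        /* the "\033" is a literal ESC byte: drop clog's colour/control lines */
        exec("/usr/sbin/clog {$logfile_arg}{$grepline}| grep -v \"CLOG\" | grep -v \"\033\" | /usr/bin/tail {$sor} -n {$tail}", $logarr);
    }
    /* one table row per log line (the row markup was stripped in this copy) */
    foreach ($logarr as $logent) {
        $logent = preg_split("/\s+/", $logent, 6);
        echo "\n";
        if ($withorig) {
            if (isset($config['system']['usefifolog'])) {
                /* fifolog lines: field 1 is a unix timestamp, the rest is text */
                $entry_date_time = htmlspecialchars(date("F j, Y, g:i a", $logent[1]));
                $entry_text = htmlspecialchars($logent[5]);
            } else {
                /* presumably "Mon DD HH:MM:SS host prog text": first three
                 * fields form the timestamp, fields 4-5 the message */
                $entry_date_time = htmlspecialchars(join(" ", array_slice($logent, 0, 3)));
                $entry_text = htmlspecialchars($logent[4] . " " . $logent[5]);
            }
            echo "{$entry_date_time} | \n";
            echo "{$entry_text} | \n";
        } else {
            echo "" . htmlspecialchars($logent[5]) . " | \n";
        }
        echo "
\n";
    }
}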
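/* Read the last $tail lines of $logfile and return them as an array of raw
 * lines (clog circular log, fifolog, or plain file depending on config).
 *
 * $grepfor     - array of substrings a line must contain (ignored if not an array)
 * $grepinvert  - array of substrings a line must not contain
 * $grepreverse - force newest-first order (also set by $config['syslog']['reverse'])
 * $withorig    - accepted for symmetry with dump_clog(); unused here
 *
 * Every value spliced into the shell pipeline is now quoted with
 * escapeshellarg(): the original interpolated the grep terms inside
 * double quotes, so a term containing `"`, `$(…)` or `;` broke out of the
 * grep argument. The terms come from the calling page and may be derived
 * from request parameters there. `grep -e` keeps a term starting with "-"
 * from being parsed as an option, and $tail is forced to an integer. A
 * caller that relied on shell globbing in $logfile must now pass an
 * explicit path. Lines are returned unescaped; the caller must encode
 * them for its output context. */
function return_clog($logfile, $tail, $withorig = true, $grepfor = "", $grepinvert = "", $grepreverse = false) {
    global $g, $config;
    $sor = (isset($config['syslog']['reverse']) || $grepreverse) ? "-r" : "";
    $logarr = array();
    $grepline = " ";
    if (is_array($grepfor))
        foreach ($grepfor as $agrep)
            $grepline .= " | grep -e " . escapeshellarg($agrep);
    if (is_array($grepinvert))
        foreach ($grepinvert as $agrep)
            $grepline .= " | grep -v -e " . escapeshellarg($agrep);
    $logfile_arg = escapeshellarg($logfile);
    $tail = (int) $tail;
    if (!empty($config['system']['disablesyslogclog'])) {
        exec("cat {$logfile_arg}{$grepline} | /usr/bin/tail {$sor} -n {$tail}", $logarr);
    } elseif (isset($config['system']['usefifolog'])) {
        exec("/usr/sbin/fifolog_reader {$logfile_arg}{$grepline} | /usr/bin/tail {$sor} -n {$tail}", $logarr);
    } else {
        /* the "\033" is a literal ESC byte: drop clog's colour/control lines */
        exec("/usr/sbin/clog {$logfile_arg}{$grepline}| grep -v \"CLOG\" | grep -v \"\033\" | /usr/bin/tail {$sor} -n {$tail}", $logarr);
    }
    return($logarr);
}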
/* Check if variable has changed, update and log if it has
 * returns true if var changed
 * varname = variable name in plain text
 * orig = original value
 * new = new value
 *
 * Scalars are compared loosely (==); the change is logged through
 * update_changedesc() and $orig is overwritten in place. When both values
 * are arrays, the removed and added elements are logged individually
 * (array_diff, so elements must be stringifiable), $orig is replaced, and
 * true is returned even if the two arrays were identical.
 */
function update_if_changed($varname, & $orig, $new) {
    if (is_array($orig) && is_array($new)) {
        foreach (array_diff($orig, $new) as $gone)
            update_changedesc("removed {$varname}: \"{$gone}\"");
        foreach (array_diff($new, $orig) as $added)
            update_changedesc("added {$varname}: \"{$added}\"");
        $orig = $new;
        return true;
    }
    if ($orig == $new)
        return false;
    update_changedesc("{$varname}: \"{$orig}\" -> \"{$new}\"");
    $orig = $new;
    return true;
}
/* Decompose a stored rule address ($adr) into the editor's form fields.
 *
 * Output parameters: $padr ("any", a special network name, or the address),
 * $pmask (prefix length; 32 when the address carries no "/"), $pnot (1/0),
 * and $pbeginport/$pendport. A stored single port is reported with
 * begin == end; when no port is stored and neither current port value is
 * an alias, both become "any". */
function address_to_pconfig($adr, &$padr, &$pmask, &$pnot, &$pbeginport, &$pendport) {
    if (isset($adr['any'])) {
        $padr = "any";
    } elseif (!empty($adr['network'])) {
        $padr = $adr['network'];
    } elseif (!empty($adr['address'])) {
        $pieces = explode("/", $adr['address']);
        $padr = $pieces[0];
        $pmask = isset($pieces[1]) ? $pieces[1] : null;
        if (!$pmask)
            $pmask = 32;
    }
    $pnot = isset($adr['not']) ? 1 : 0;
    if (!empty($adr['port'])) {
        $pieces = explode("-", $adr['port']);
        $pbeginport = $pieces[0];
        $pendport = isset($pieces[1]) ? $pieces[1] : null;
        if (!$pendport)
            $pendport = $pbeginport;
    } elseif (!is_alias($pbeginport) && !is_alias($pendport)) {
        $pbeginport = "any";
        $pendport = "any";
    }
}
/* Inverse of address_to_pconfig(): rebuild the stored address structure
 * $adr from the editor's form fields. "any" sets $adr['any'], a special
 * network (per is_specialnet()) sets $adr['network'], anything else is
 * stored as an address with a "/mask" suffix unless the mask is 32.
 * A port is stored only when $pbeginport is neither 0 nor "any"; a range
 * is written as "begin-end", a single port as is. If $pbeginport names an
 * alias it overrides whatever port string was built. */
function pconfig_to_address(&$adr, $padr, $pmask, $pnot=false, $pbeginport=0, $pendport=0) {
    $adr = array();
    if ($padr == "any") {
        $adr['any'] = true;
    } elseif (is_specialnet($padr)) {
        $adr['network'] = $padr;
    } else {
        $adr['address'] = ($pmask != 32) ? "{$padr}/{$pmask}" : $padr;
    }
    if ($pnot)
        $adr['not'] = true;
    else
        unset($adr['not']);
    $has_port = ($pbeginport != 0) && ($pbeginport != "any");
    if ($has_port)
        $adr['port'] = ($pbeginport != $pendport) ? "{$pbeginport}-{$pendport}" : $pbeginport;
    if (is_alias($pbeginport))
        $adr['port'] = $pbeginport;
}
/* True when $net names one of the symbolic networks listed in the global
 * $specialsrcdst, false for an empty $net or no match.
 * NOTE(review): $specialsrcdst is not defined in this file; the including
 * page is expected to provide it, and on a page that does not, in_array()
 * receives a null haystack. The comparison is in_array()'s loose one, as
 * in the original. */
function is_specialnet($net) {
    global $specialsrcdst;
    if (!$net)
        return false;
    return in_array($net, $specialsrcdst) ? true : false;
}
//function to create widget tabs when called
/* Render a tab strip for a dashboard widget.
 *
 * $tab_array - list of tabs, each an indexed array: [0] the label shown,
 *              [1] whether this tab is the active one, [2] an id of the
 *              form "<prefix>-<name>" — "<id>-tab" becomes the element id
 *              and "<prefix>-class" the CSS class (prefix = text before
 *              the first '-').
 * For each tab two copies are emitted, one styled as active (display
 * table-cell) and one as inactive (display none), swapped by the
 * active flag. The label {$ta[0]} is printed without HTML escaping, so it
 * must be trusted, code-supplied text.
 * NOTE(review): the element markup was stripped from the echo strings in
 * this copy of the file; only the surrounding logic is visible. */
function display_widget_tabs(& $tab_array) {
echo "";
$tabscounter = 0;
foreach ($tab_array as $ta) {
$dashpos = strpos($ta[2],'-');
$tabname = $ta[2] . "-tab";
$tabclass = substr($ta[2],0,$dashpos);
$tabclass = $tabclass . "-class";
/* pick which of the two copies is visible */
if ($ta[1] == true) {
$tabActive = "table-cell";
$tabNonActive = "none";
}
else {
$tabActive = "none";
$tabNonActive = "table-cell";
}
echo "
";
echo " {$ta[0]}";
echo " ";
echo "
";
echo "
";
echo " {$ta[0]}";
echo " ";
echo "
";
}
echo "";
echo "
";
}
// Return inline javascript file or CSS to minimize
// request count going back to server.
/* Emit the script at path $javascript inline if the file exists, otherwise
 * emit an empty placeholder.
 * NOTE(review): in this copy the echo strings contain only newlines — the
 * script markup and the file contents one would expect were evidently
 * stripped during extraction, so the body is incomplete as shown.
 * $javascript is used as a filesystem path: pass only fixed, code-chosen
 * paths, never a request-derived value. */
function outputJavaScriptFileInline($javascript) {
if(file_exists($javascript)) {
echo "\n\n";
} else {
echo "\n\n\n\n";
}
}
/* Emit the print stylesheet at path $css inline if the file exists,
 * otherwise emit an empty placeholder.
 * NOTE(review): the style markup and file contents were evidently stripped
 * from the echo strings in this copy; the body is incomplete as shown.
 * $css is used as a filesystem path: pass only fixed, code-chosen paths. */
function outputCSSPrintFileInline($css) {
if(file_exists($css)) {
echo "\n\n";
} else {
echo "\n\n\n\n";
}
}
/* Emit the stylesheet at path $css inline if the file exists, otherwise
 * emit an empty placeholder.
 * NOTE(review): the style markup and file contents were evidently stripped
 * from the echo strings in this copy; the body is incomplete as shown.
 * $css is used as a filesystem path: pass only fixed, code-chosen paths. */
function outputCSSFileInline($css) {
if(file_exists($css)) {
echo "\n\n";
} else {
echo "\n\n\n\n";
}
}
/* HTTP status codes from RFC 2616 (code => "code reason-phrase"), used by
 * is_rfc2616_code() and print_rfc2616_select(). */
$rfc2616 = array(
    /* 1xx informational */
    100 => "100 Continue", 101 => "101 Switching Protocols",
    /* 2xx success */
    200 => "200 OK", 201 => "201 Created", 202 => "202 Accepted",
    203 => "203 Non-Authoritative Information", 204 => "204 No Content",
    205 => "205 Reset Content", 206 => "206 Partial Content",
    /* 3xx redirection */
    300 => "300 Multiple Choices", 301 => "301 Moved Permanently", 302 => "302 Found",
    303 => "303 See Other", 304 => "304 Not Modified", 305 => "305 Use Proxy",
    306 => "306 (Unused)", 307 => "307 Temporary Redirect",
    /* 4xx client error */
    400 => "400 Bad Request", 401 => "401 Unauthorized", 402 => "402 Payment Required",
    403 => "403 Forbidden", 404 => "404 Not Found", 405 => "405 Method Not Allowed",
    406 => "406 Not Acceptable", 407 => "407 Proxy Authentication Required",
    408 => "408 Request Timeout", 409 => "409 Conflict", 410 => "410 Gone",
    411 => "411 Length Required", 412 => "412 Precondition Failed",
    413 => "413 Request Entity Too Large", 414 => "414 Request-URI Too Long",
    415 => "415 Unsupported Media Type", 416 => "416 Requested Range Not Satisfiable",
    417 => "417 Expectation Failed",
    /* 5xx server error */
    500 => "500 Internal Server Error", 501 => "501 Not Implemented",
    502 => "502 Bad Gateway", 503 => "503 Service Unavailable",
    504 => "504 Gateway Timeout", 505 => "505 HTTP Version Not Supported",
);
/* True when $code is a status code listed in the global $rfc2616 table. */
function is_rfc2616_code($code) {
    global $rfc2616;
    return isset($rfc2616[$code]) ? true : false;
}
function print_rfc2616_select($tag, $current){
global $rfc2616;
/* Default to 200 OK if not set */
if ($current == "")
$current = 200;
echo "