From 00de826a848416b220aa170d710231ef27ea2113 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Thu, 4 Feb 2016 16:50:04 +0100
Subject: [PATCH] (legacy) spacing and curly braces in system.inc
---
 src/etc/inc/system.inc | 2685 ++++++++++++++++++++--------------------
 1 file changed, 1365 insertions(+), 1320 deletions(-)
diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
index c4b8de3e4..f44d13a5f 100644
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -1,222 +1,229 @@ . - All rights reserved. + Copyright (C) 2003-2004 Manuel Kasper . + All rights reserved. - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. 
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. */ function activate_powerd() { - global $config; + global $config; - if (is_process_running('powerd')) { - exec('/usr/bin/killall powerd'); - } + if (is_process_running('powerd')) { + exec('/usr/bin/killall powerd'); + } - if(isset($config['system']['powerd_enable'])) { - $ac_mode = "hadp"; - if (!empty($config['system']['powerd_ac_mode'])) - $ac_mode = $config['system']['powerd_ac_mode']; + if(isset($config['system']['powerd_enable'])) { + $ac_mode = "hadp"; + if (!empty($config['system']['powerd_ac_mode'])) { + $ac_mode = $config['system']['powerd_ac_mode']; + } - $battery_mode = "hadp"; - if (!empty($config['system']['powerd_battery_mode'])) - $battery_mode = $config['system']['powerd_battery_mode']; + $battery_mode = "hadp"; + if (!empty($config['system']['powerd_battery_mode'])) { + $battery_mode = $config['system']['powerd_battery_mode']; + } - $normal_mode = "hadp"; - if (!empty($config['system']['powerd_normal_mode'])) - $normal_mode = $config['system']['powerd_normal_mode']; - - mwexec("/usr/sbin/powerd -b $battery_mode -a $ac_mode -n $normal_mode"); - } + $normal_mode = "hadp"; + if (!empty($config['system']['powerd_normal_mode'])) { + $normal_mode = $config['system']['powerd_normal_mode']; + } + mwexec("/usr/sbin/powerd -b $battery_mode -a $ac_mode -n 
$normal_mode"); + } } function get_default_sysctl_value($id) { - $sysctls = array( - "debug.pfftpproxy" => "0", - "hw.syscons.kbd_reboot" => "0", - "kern.ipc.maxsockbuf" => "4262144", - "kern.randompid" => "347", - "kern.random.sys.harvest.interrupt" => 0, - "kern.random.sys.harvest.point_to_point" => 0, - "kern.random.sys.harvest.ethernet" => 0, - "kern.filedelay" => "5", - "kern.dirdelay" => "4", - "kern.metadelay" => "3", - "net.bpf.zerocopy_enable" => 1, - "net.inet.ip.portrange.first" => "1024", - "net.inet.tcp.blackhole" => "2", - "net.inet.udp.blackhole" => "1", - "net.inet.ip.random_id" => "1", - "net.inet.tcp.drop_synfin" => "1", - "net.inet.ip.redirect" => "1", - "net.inet6.ip6.redirect" => "1", - "net.inet6.ip6.use_tempaddr" => "0", - "net.inet6.ip6.prefer_tempaddr" => "0", - "net.inet.tcp.syncookies" => "1", - "net.inet.tcp.recvspace" => "65228", - "net.inet.tcp.sendspace" => "65228", - "net.inet.ip.fastforwarding" => "0", - 'net.inet.ip.sourceroute' => '0', - 'net.inet.ip.accept_sourceroute' => '0', - 'net.inet.icmp.drop_redirect' => '0', - 'net.inet.icmp.log_redirect' => '0', - "net.inet.tcp.delayed_ack" => "0", - "net.inet.udp.maxdgram" => "57344", - "net.inet.ip.intr_queue_maxlen" => "1000", - "net.inet.tcp.log_debug" => "0", - "net.inet.tcp.tso" => "1", - "net.inet.icmp.icmplim" => "0", - "net.inet.ip.process_options" => 0, - "net.inet.udp.checksum" => 1, - "net.link.bridge.pfil_onlyip" => "0", - "net.link.bridge.pfil_member" => "1", - "net.link.bridge.pfil_bridge" => "0", - "net.link.tap.user_open" => "1", - "net.route.netisr_maxqlen" => 1024, - "net.inet.icmp.reply_from_interface" => 1, - "vfs.read_max" => "32", - ); + $sysctls = array( + "debug.pfftpproxy" => "0", + "hw.syscons.kbd_reboot" => "0", + "kern.ipc.maxsockbuf" => "4262144", + "kern.randompid" => "347", + "kern.random.sys.harvest.interrupt" => 0, + "kern.random.sys.harvest.point_to_point" => 0, + "kern.random.sys.harvest.ethernet" => 0, + "kern.filedelay" => "5", + "kern.dirdelay" => 
"4", + "kern.metadelay" => "3", + "net.bpf.zerocopy_enable" => 1, + "net.inet.ip.portrange.first" => "1024", + "net.inet.tcp.blackhole" => "2", + "net.inet.udp.blackhole" => "1", + "net.inet.ip.random_id" => "1", + "net.inet.tcp.drop_synfin" => "1", + "net.inet.ip.redirect" => "1", + "net.inet6.ip6.redirect" => "1", + "net.inet6.ip6.use_tempaddr" => "0", + "net.inet6.ip6.prefer_tempaddr" => "0", + "net.inet.tcp.syncookies" => "1", + "net.inet.tcp.recvspace" => "65228", + "net.inet.tcp.sendspace" => "65228", + "net.inet.ip.fastforwarding" => "0", + 'net.inet.ip.sourceroute' => '0', + 'net.inet.ip.accept_sourceroute' => '0', + 'net.inet.icmp.drop_redirect' => '0', + 'net.inet.icmp.log_redirect' => '0', + "net.inet.tcp.delayed_ack" => "0", + "net.inet.udp.maxdgram" => "57344", + "net.inet.ip.intr_queue_maxlen" => "1000", + "net.inet.tcp.log_debug" => "0", + "net.inet.tcp.tso" => "1", + "net.inet.icmp.icmplim" => "0", + "net.inet.ip.process_options" => 0, + "net.inet.udp.checksum" => 1, + "net.link.bridge.pfil_onlyip" => "0", + "net.link.bridge.pfil_member" => "1", + "net.link.bridge.pfil_bridge" => "0", + "net.link.tap.user_open" => "1", + "net.route.netisr_maxqlen" => 1024, + "net.inet.icmp.reply_from_interface" => 1, + "vfs.read_max" => "32", + ); - if (isset($sysctls[$id])) { - return $sysctls[$id]; - } + if (isset($sysctls[$id])) { + return $sysctls[$id]; + } - return null; + return null; } function activate_sysctls() { - global $config; + global $config; - $sysctls = array( - "net.enc.in.ipsec_bpf_mask" => "0x0002", - "net.enc.in.ipsec_filter_mask" => "0x0002", - "net.enc.out.ipsec_bpf_mask" => "0x0001", - "net.enc.out.ipsec_filter_mask" => "0x0001", - ); + $sysctls = array( + "net.enc.in.ipsec_bpf_mask" => "0x0002", + "net.enc.in.ipsec_filter_mask" => "0x0002", + "net.enc.out.ipsec_bpf_mask" => "0x0001", + "net.enc.out.ipsec_filter_mask" => "0x0001", + ); - if (isset($config['sysctl']['item'])) { - foreach($config['sysctl']['item'] as $tunable) { - if 
($tunable['value'] == 'default') { - $value = get_default_sysctl_value($tunable['tunable']); - } else { - $value = $tunable['value']; - } + if (isset($config['sysctl']['item'])) { + foreach($config['sysctl']['item'] as $tunable) { + if ($tunable['value'] == 'default') { + $value = get_default_sysctl_value($tunable['tunable']); + } else { + $value = $tunable['value']; + } + $sysctls[$tunable['tunable']] = $value; + } + } - $sysctls[$tunable['tunable']] = $value; - } - } - - set_sysctl($sysctls); + set_sysctl($sysctls); } function system_resolvconf_generate($dynupdate = false) { - global $config; + global $config; - $syscfg = $config['system']; + $syscfg = $config['system']; - // Do not create blank domain lines, it breaks tools like dig. - if($syscfg['domain']) - $resolvconf = "domain {$syscfg['domain']}\n"; + // Do not create blank domain lines, it breaks tools like dig. + if($syscfg['domain']) { + $resolvconf = "domain {$syscfg['domain']}\n"; + } - if (((isset($config['dnsmasq']['enable']) && (empty($config['dnsmasq']['interface']) || in_array("lo0", explode(",", $config['dnsmasq']['interface'])))) - || (isset($config['unbound']['enable'])) && (empty($config['unbound']['active_interface']) || in_array("lo0", explode(",", $config['unbound']['active_interface'])))) - && !isset($config['system']['dnslocalhost'])) - $resolvconf .= "nameserver 127.0.0.1\n"; + if (((isset($config['dnsmasq']['enable']) && (empty($config['dnsmasq']['interface']) || in_array("lo0", explode(",", $config['dnsmasq']['interface'])))) + || (isset($config['unbound']['enable'])) && (empty($config['unbound']['active_interface']) || in_array("lo0", explode(",", $config['unbound']['active_interface'])))) + && !isset($config['system']['dnslocalhost'])) { + $resolvconf .= "nameserver 127.0.0.1\n"; + } - if (isset($syscfg['dnsallowoverride'])) { - /* get dynamically assigned DNS servers (if any) */ - $ns = array_unique(get_searchdomains()); - foreach($ns as $searchserver) { - if($searchserver) - 
$resolvconf .= "search {$searchserver}\n"; - } - $ns = array_unique(get_nameservers()); - foreach($ns as $nameserver) { - if($nameserver) - $resolvconf .= "nameserver $nameserver\n"; - } - } - if (isset($syscfg['dnsserver']) && is_array($syscfg['dnsserver'])) { - foreach ($syscfg['dnsserver'] as $ns) { - if ($ns) - $resolvconf .= "nameserver $ns\n"; - } - } + if (isset($syscfg['dnsallowoverride'])) { + /* get dynamically assigned DNS servers (if any) */ + $ns = array_unique(get_searchdomains()); + foreach($ns as $searchserver) { + if($searchserver) { + $resolvconf .= "search {$searchserver}\n"; + } + } + $ns = array_unique(get_nameservers()); + foreach($ns as $nameserver) { + if($nameserver) { + $resolvconf .= "nameserver $nameserver\n"; + } + } + } + if (isset($syscfg['dnsserver']) && is_array($syscfg['dnsserver'])) { + foreach ($syscfg['dnsserver'] as $ns) { + if ($ns) { + $resolvconf .= "nameserver $ns\n"; + } + } + } - // Add EDNS support - if (isset($config['unbound']['enable']) && isset($config['unbound']['edns'])) - $resolvconf .= "options edns0\n"; + // Add EDNS support + if (isset($config['unbound']['enable']) && isset($config['unbound']['edns'])) { + $resolvconf .= "options edns0\n"; + } - $dnslock = lock('resolvconf', LOCK_EX); + $dnslock = lock('resolvconf', LOCK_EX); - $fd = fopen('/etc/resolv.conf', 'w'); - if (!$fd) { - printf("Error: cannot open resolv.conf in system_resolvconf_generate().\n"); - unlock($dnslock); - return 1; - } + $fd = fopen('/etc/resolv.conf', 'w'); + if (!$fd) { + printf("Error: cannot open resolv.conf in system_resolvconf_generate().\n"); + unlock($dnslock); + return 1; + } - fwrite($fd, $resolvconf); - fclose($fd); - chmod('/etc/resolv.conf', 0644); + fwrite($fd, $resolvconf); + fclose($fd); + chmod('/etc/resolv.conf', 0644); - if (!file_exists("/var/run/booting")) { - /* restart dhcpd (nameservers may have changed) */ - if (!$dynupdate) - services_dhcpd_configure(); - } + if (!file_exists("/var/run/booting")) { + /* restart 
dhcpd (nameservers may have changed) */ + if (!$dynupdate) { + services_dhcpd_configure(); + } + } - /* setup static routes for DNS servers. */ - for ($dnscounter=1; $dnscounter<5; $dnscounter++) { - /* setup static routes for dns servers */ - $dnsgw = "dns{$dnscounter}gw"; - if (isset($config['system'][$dnsgw])) { - $gwname = $config['system'][$dnsgw]; - if (($gwname <> "") && ($gwname <> "none")) { - $gatewayip = lookup_gateway_ip_by_name($gwname); - if (is_ipaddrv4($gatewayip)) { - /* dns server array starts at 0 */ - $dnscountermo = $dnscounter - 1; - mwexec("/sbin/route delete -host " . $syscfg['dnsserver'][$dnscountermo]); - mwexec("/sbin/route add -host " . $syscfg['dnsserver'][$dnscountermo] . " {$gatewayip}"); - } - if (is_ipaddrv6($gatewayip)) { - /* dns server array starts at 0 */ - $dnscountermo = $dnscounter - 1; - mwexec("/sbin/route delete -host -inet6 " . $syscfg['dnsserver'][$dnscountermo]); - mwexec("/sbin/route add -host -inet6 " . $syscfg['dnsserver'][$dnscountermo] . " {$gatewayip}"); - } - } - } - } + /* setup static routes for DNS servers. */ + for ($dnscounter=1; $dnscounter<5; $dnscounter++) { + /* setup static routes for dns servers */ + $dnsgw = "dns{$dnscounter}gw"; + if (isset($config['system'][$dnsgw])) { + $gwname = $config['system'][$dnsgw]; + if (($gwname <> "") && ($gwname <> "none")) { + $gatewayip = lookup_gateway_ip_by_name($gwname); + if (is_ipaddrv4($gatewayip)) { + /* dns server array starts at 0 */ + $dnscountermo = $dnscounter - 1; + mwexec("/sbin/route delete -host " . $syscfg['dnsserver'][$dnscountermo]); + mwexec("/sbin/route add -host " . $syscfg['dnsserver'][$dnscountermo] . " {$gatewayip}"); + } + if (is_ipaddrv6($gatewayip)) { + /* dns server array starts at 0 */ + $dnscountermo = $dnscounter - 1; + mwexec("/sbin/route delete -host -inet6 " . $syscfg['dnsserver'][$dnscountermo]); + mwexec("/sbin/route add -host -inet6 " . $syscfg['dnsserver'][$dnscountermo] . 
" {$gatewayip}"); + } + } + } + } - unlock($dnslock); - - return 0; + unlock($dnslock); + return 0; } function get_country_codes() 
@@ -232,771 +239,802 @@ function get_country_codes() } } } - return $dn_cc; } function get_firmware_mirrors() { - $mirrors = array(); + $mirrors = array(); - $mirrors['default'] = '(default)'; - $mirrors['https://opnsense.aivian.org'] = 'Aivian (Shaoxing, CN)'; - $mirrors['https://opnsense.c0urier.net'] = 'c0urier.net (Lund, SE)'; - $mirrors['https://fleximus.org/mirror/opnsense'] = 'Fleximus (Roubaix, FR)'; - $mirrors['http://mirror.ams1.nl.leaseweb.net/opnsense'] = 'LeaseWeb (Amsterdam, NL)'; - $mirrors['http://mirror.fra10.de.leaseweb.net/opnsense'] = 'LeaseWeb (Frankfurt, DE)'; - $mirrors['http://mirror.sfo12.us.leaseweb.net/opnsense'] = 'LeaseWeb (San Francisco, US)'; - $mirrors['http://mirror.wdc1.us.leaseweb.net/opnsense'] = 'LeaseWeb (Washington, D.C., US)'; - $mirrors['http://mirrors.nycbug.org/pub/opnsense'] = 'NYC*BUG (New York, US)'; - $mirrors['http://pkg.opnsense.org'] = 'OPNsense (Amsterdam, NL)'; - $mirrors['http://mirror.ragenetwork.de/opnsense'] = 'RageNetwork (Munich, DE)'; - $mirrors['http://mirrors.supranet.net/pub/opnsense'] = 'Supranet Communications (Middleton, US)'; + $mirrors['default'] = '(default)'; + $mirrors['https://opnsense.aivian.org'] = 'Aivian (Shaoxing, CN)'; + $mirrors['https://opnsense.c0urier.net'] = 'c0urier.net (Lund, SE)'; + $mirrors['https://fleximus.org/mirror/opnsense'] = 'Fleximus (Roubaix, FR)'; + $mirrors['http://mirror.ams1.nl.leaseweb.net/opnsense'] = 'LeaseWeb (Amsterdam, NL)'; + $mirrors['http://mirror.fra10.de.leaseweb.net/opnsense'] = 'LeaseWeb (Frankfurt, DE)'; + $mirrors['http://mirror.sfo12.us.leaseweb.net/opnsense'] = 'LeaseWeb (San Francisco, US)'; + $mirrors['http://mirror.wdc1.us.leaseweb.net/opnsense'] = 'LeaseWeb (Washington, D.C., US)'; + $mirrors['http://mirrors.nycbug.org/pub/opnsense'] = 'NYC*BUG (New York, US)'; + $mirrors['http://pkg.opnsense.org'] = 'OPNsense (Amsterdam, NL)'; + $mirrors['http://mirror.ragenetwork.de/opnsense'] = 'RageNetwork (Munich, DE)'; + 
$mirrors['http://mirrors.supranet.net/pub/opnsense'] = 'Supranet Communications (Middleton, US)'; - return $mirrors; + return $mirrors; } function get_firmware_flavours() { - $flavours = array(); + $flavours = array(); - $flavours['default'] = '(default)'; - $flavours['libressl'] = 'LibreSSL'; - $flavours['latest'] = 'OpenSSL'; + $flavours['default'] = '(default)'; + $flavours['libressl'] = 'LibreSSL'; + $flavours['latest'] = 'OpenSSL'; - return $flavours; + return $flavours; } function get_zoneinfo() { - return timezone_identifiers_list(DateTimeZone::ALL ^ DateTimeZone::UTC); + return timezone_identifiers_list(DateTimeZone::ALL ^ DateTimeZone::UTC); } function get_searchdomains() { - global $config; + global $config; - $master_list = array(); + $master_list = array(); - // Read in dhclient nameservers - $search_list = glob("/var/etc/searchdomain_*"); - if (is_array($search_list)) { - foreach($search_list as $fdns) { - $contents = file($fdns, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); - if (!is_array($contents)) - continue; - foreach ($contents as $dns) { - if(is_hostname($dns)) - $master_list[] = $dns; - } - } - } + // Read in dhclient nameservers + $search_list = glob("/var/etc/searchdomain_*"); + if (is_array($search_list)) { + foreach($search_list as $fdns) { + $contents = file($fdns, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); + if (!is_array($contents)) { + continue; + } + foreach ($contents as $dns) { + if(is_hostname($dns)) { + $master_list[] = $dns; + } + } + } + } - return $master_list; + return $master_list; } function get_nameservers() { - global $config; - $master_list = array(); + global $config; + $master_list = array(); - // Read in dhclient nameservers - $dns_lists = glob("/var/etc/nameserver_*"); - if (is_array($dns_lists)) { - foreach($dns_lists as $fdns) { - $contents = file($fdns, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); - if (!is_array($contents)) - continue; - foreach ($contents as $dns) { - if(is_ipaddr($dns)) - 
$master_list[] = $dns; - } - } - } + // Read in dhclient nameservers + $dns_lists = glob("/var/etc/nameserver_*"); + if (is_array($dns_lists)) { + foreach($dns_lists as $fdns) { + $contents = file($fdns, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); + if (!is_array($contents)) { + continue; + } + foreach ($contents as $dns) { + if(is_ipaddr($dns)) { + $master_list[] = $dns; + } + } + } + } - // Read in any extra nameservers - if(file_exists("/var/etc/nameservers.conf")) { - $dns_s = file("/var/etc/nameservers.conf", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); - if(is_array($dns_s)) { - foreach($dns_s as $dns) - if (is_ipaddr($dns)) - $master_list[] = $dns; - } - } + // Read in any extra nameservers + if(file_exists("/var/etc/nameservers.conf")) { + $dns_s = file("/var/etc/nameservers.conf", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); + if(is_array($dns_s)) { + foreach($dns_s as $dns) { + if (is_ipaddr($dns)) { + $master_list[] = $dns; + } + } + } + } - return $master_list; + return $master_list; } function system_hosts_generate() { - global $config; + global $config; - $syscfg = $config['system']; - $dnsmasqcfg = $config['dnsmasq']; + $syscfg = $config['system']; + $dnsmasqcfg = $config['dnsmasq']; - $hosts = "127.0.0.1 localhost localhost.{$syscfg['domain']}\n"; - $lhosts = ""; - $dhosts = ""; + $hosts = "127.0.0.1 localhost localhost.{$syscfg['domain']}\n"; + $lhosts = ""; + $dhosts = ""; - if (isset($config['interfaces']['lan'])) { - $cfgip = get_interface_ip("lan"); - if (is_ipaddr($cfgip)) - $hosts .= "{$cfgip} {$syscfg['hostname']}.{$syscfg['domain']} {$syscfg['hostname']}\n"; - } else { - $sysiflist = get_configured_interface_list(); - foreach ($sysiflist as $sysif) { - if (!interface_has_gateway($sysif)) { - $cfgip = get_interface_ip($sysif); - if (is_ipaddr($cfgip)) { - $hosts .= "{$cfgip} {$syscfg['hostname']}.{$syscfg['domain']} {$syscfg['hostname']}\n"; - break; - } - } - } - } + if (isset($config['interfaces']['lan'])) { + $cfgip = 
get_interface_ip("lan"); + if (is_ipaddr($cfgip)) { + $hosts .= "{$cfgip} {$syscfg['hostname']}.{$syscfg['domain']} {$syscfg['hostname']}\n"; + } + } else { + $sysiflist = get_configured_interface_list(); + foreach ($sysiflist as $sysif) { + if (!interface_has_gateway($sysif)) { + $cfgip = get_interface_ip($sysif); + if (is_ipaddr($cfgip)) { + $hosts .= "{$cfgip} {$syscfg['hostname']}.{$syscfg['domain']} {$syscfg['hostname']}\n"; + break; + } + } + } + } - if (isset($dnsmasqcfg['enable'])) { - if (!isset($dnsmasqcfg['hosts']) || !is_array($dnsmasqcfg['hosts'])) - $dnsmasqcfg['hosts'] = array(); + if (isset($dnsmasqcfg['enable'])) { + if (!isset($dnsmasqcfg['hosts']) || !is_array($dnsmasqcfg['hosts'])) { + $dnsmasqcfg['hosts'] = array(); + } - foreach ($dnsmasqcfg['hosts'] as $host) { - if ($host['host']) - $lhosts .= "{$host['ip']} {$host['host']}.{$host['domain']} {$host['host']}\n"; - else - $lhosts .= "{$host['ip']} {$host['domain']}\n"; - if (!isset($host['aliases']) || !is_array($host['aliases']) || !is_array($host['aliases']['item'])) { - continue; - } - foreach ($host['aliases']['item'] as $alias) { - if ($alias['host']) - $lhosts .= "{$host['ip']} {$alias['host']}.{$alias['domain']} {$alias['host']}\n"; - else - $lhosts .= "{$host['ip']} {$alias['domain']}\n"; - } - } - if (isset($dnsmasqcfg['regdhcpstatic']) && is_array($config['dhcpd'])) { - foreach ($config['dhcpd'] as $dhcpif => $dhcpifconf) { - if (isset($dhcpifconf['staticmap']) && isset($dhcpifconf['enable'])) { - foreach ($dhcpifconf['staticmap'] as $host) { - if ($host['ipaddr'] && $host['hostname'] && $host['domain']) { - $dhosts .= "{$host['ipaddr']} {$host['hostname']}.{$host['domain']} {$host['hostname']}\n"; - } elseif ($host['ipaddr'] && $host['hostname'] && $dhcpifconf['domain']) { - $dhosts .= "{$host['ipaddr']} {$host['hostname']}.{$dhcpifconf['domain']} {$host['hostname']}\n"; - } elseif ($host['ipaddr'] && $host['hostname']) { - $dhosts .= "{$host['ipaddr']} 
{$host['hostname']}.{$syscfg['domain']} {$host['hostname']}\n"; - } - } - } - } - } - if (isset($dnsmasqcfg['regdhcpstatic']) && is_array($config['dhcpdv6'])) { - foreach ($config['dhcpdv6'] as $dhcpif => $dhcpifconf) { - if (isset($dhcpifconf['staticmap']) && isset($dhcpifconf['enable'])) { - foreach ($dhcpifconf['staticmap'] as $host) { - if ($host['ipaddrv6'] && $host['hostname'] && $host['domain']) { - $dhosts .= "{$host['ipaddrv6']} {$host['hostname']}.{$host['domain']} {$host['hostname']}\n"; - } elseif ($host['ipaddrv6'] && $host['hostname'] && $dhcpifconf['domain']) { - $dhosts .= "{$host['ipaddrv6']} {$host['hostname']}.{$dhcpifconf['domain']} {$host['hostname']}\n"; - } elseif ($host['ipaddrv6'] && $host['hostname']) { - $dhosts .= "{$host['ipaddrv6']} {$host['hostname']}.{$syscfg['domain']} {$host['hostname']}\n"; - } - } - } - } - } + foreach ($dnsmasqcfg['hosts'] as $host) { + if ($host['host']) { + $lhosts .= "{$host['ip']} {$host['host']}.{$host['domain']} {$host['host']}\n"; + } else { + $lhosts .= "{$host['ip']} {$host['domain']}\n"; + } + if (!isset($host['aliases']) || !is_array($host['aliases']) || !is_array($host['aliases']['item'])) { + continue; + } + foreach ($host['aliases']['item'] as $alias) { + if ($alias['host']) { + $lhosts .= "{$host['ip']} {$alias['host']}.{$alias['domain']} {$alias['host']}\n"; + } else { + $lhosts .= "{$host['ip']} {$alias['domain']}\n"; + } + } + } + if (isset($dnsmasqcfg['regdhcpstatic']) && is_array($config['dhcpd'])) { + foreach ($config['dhcpd'] as $dhcpif => $dhcpifconf) { + if (isset($dhcpifconf['staticmap']) && isset($dhcpifconf['enable'])) { + foreach ($dhcpifconf['staticmap'] as $host) { + if ($host['ipaddr'] && $host['hostname'] && $host['domain']) { + $dhosts .= "{$host['ipaddr']} {$host['hostname']}.{$host['domain']} {$host['hostname']}\n"; + } elseif ($host['ipaddr'] && $host['hostname'] && $dhcpifconf['domain']) { + $dhosts .= "{$host['ipaddr']} {$host['hostname']}.{$dhcpifconf['domain']} 
{$host['hostname']}\n"; + } elseif ($host['ipaddr'] && $host['hostname']) { + $dhosts .= "{$host['ipaddr']} {$host['hostname']}.{$syscfg['domain']} {$host['hostname']}\n"; + } + } + } + } + } + if (isset($dnsmasqcfg['regdhcpstatic']) && is_array($config['dhcpdv6'])) { + foreach ($config['dhcpdv6'] as $dhcpif => $dhcpifconf) { + if (isset($dhcpifconf['staticmap']) && isset($dhcpifconf['enable'])) { + foreach ($dhcpifconf['staticmap'] as $host) { + if ($host['ipaddrv6'] && $host['hostname'] && $host['domain']) { + $dhosts .= "{$host['ipaddrv6']} {$host['hostname']}.{$host['domain']} {$host['hostname']}\n"; + } elseif ($host['ipaddrv6'] && $host['hostname'] && $dhcpifconf['domain']) { + $dhosts .= "{$host['ipaddrv6']} {$host['hostname']}.{$dhcpifconf['domain']} {$host['hostname']}\n"; + } elseif ($host['ipaddrv6'] && $host['hostname']) { + $dhosts .= "{$host['ipaddrv6']} {$host['hostname']}.{$syscfg['domain']} {$host['hostname']}\n"; + } + } + } + } + } - if (isset($dnsmasqcfg['dhcpfirst'])) { - $hosts .= $dhosts . $lhosts; - } else { - $hosts .= $lhosts . $dhosts; - } - } + if (isset($dnsmasqcfg['dhcpfirst'])) { + $hosts .= $dhosts . $lhosts; + } else { + $hosts .= $lhosts . $dhosts; + } + } - /* - * Do not remove this because dhcpleases monitors with kqueue - * it needs to be * killed before writing to hosts files. - */ - killbypid('/var/run/dhcpleases.pid'); + /* + * Do not remove this because dhcpleases monitors with kqueue + * it needs to be * killed before writing to hosts files. 
+ */ + killbypid('/var/run/dhcpleases.pid'); - $fd = fopen('/etc/hosts', 'w'); - if (!$fd) { - log_error("Error: cannot open hosts file in system_hosts_generate().\n"); - return 1; - } - fwrite($fd, $hosts); - fclose($fd); + $fd = fopen('/etc/hosts', 'w'); + if (!$fd) { + log_error("Error: cannot open hosts file in system_hosts_generate().\n"); + return 1; + } + fwrite($fd, $hosts); + fclose($fd); - if (isset($config['unbound']['enable'])) { - unbound_hosts_generate(); - } + if (isset($config['unbound']['enable'])) { + unbound_hosts_generate(); + } - system_dhcpleases_configure(); + system_dhcpleases_configure(); - return 0; + return 0; } function system_dhcpleases_configure() { - global $config, $g; + global $config, $g; - /* Start the monitoring process for dynamic dhcpclients. */ - if ((isset($config['dnsmasq']['enable']) && isset($config['dnsmasq']['regdhcp'])) - || (isset($config['unbound']['enable']) && isset($config['unbound']['regdhcp']))) { - /* Make sure we do not error out */ - mwexec("/bin/mkdir -p {$g['dhcpd_chroot_path']}/var/db"); - if (!file_exists("{$g['dhcpd_chroot_path']}/var/db/dhcpd.leases")) { - @touch("{$g['dhcpd_chroot_path']}/var/db/dhcpd.leases"); - } - if (isvalidpid('/var/run/dhcpleases.pid')) { - killbypid('/var/run/dhcpleases.pid', 'HUP'); - } else { - /* To ensure we do not start multiple instances of dhcpleases, perform some clean-up first. */ - killbyname('dhcpleases'); - @unlink('/var/run/dhcpleases.pid'); - if (isset($config['unbound']['enable'])) { - $dns_pid = 'unbound.pid'; - } else { - $dns_pid = 'dnsmasq.pid'; - } - mwexecf( - '/usr/local/sbin/dhcpleases -l %s -d %s -p %s -h %s', - array( - "{$g['dhcpd_chroot_path']}/var/db/dhcpd.leases", - $config['system']['domain'], - "/var/run/{$dns_pid}", - '/etc/hosts' - ) - ); - } - } else { - killbypid('/var/run/dhcpleases.pid'); - } + /* Start the monitoring process for dynamic dhcpclients. 
*/ + if ((isset($config['dnsmasq']['enable']) && isset($config['dnsmasq']['regdhcp'])) + || (isset($config['unbound']['enable']) && isset($config['unbound']['regdhcp']))) { + /* Make sure we do not error out */ + mwexec("/bin/mkdir -p {$g['dhcpd_chroot_path']}/var/db"); + if (!file_exists("{$g['dhcpd_chroot_path']}/var/db/dhcpd.leases")) { + @touch("{$g['dhcpd_chroot_path']}/var/db/dhcpd.leases"); + } + if (isvalidpid('/var/run/dhcpleases.pid')) { + killbypid('/var/run/dhcpleases.pid', 'HUP'); + } else { + /* To ensure we do not start multiple instances of dhcpleases, perform some clean-up first. */ + killbyname('dhcpleases'); + @unlink('/var/run/dhcpleases.pid'); + if (isset($config['unbound']['enable'])) { + $dns_pid = 'unbound.pid'; + } else { + $dns_pid = 'dnsmasq.pid'; + } + mwexecf( + '/usr/local/sbin/dhcpleases -l %s -d %s -p %s -h %s', + array( + "{$g['dhcpd_chroot_path']}/var/db/dhcpd.leases", + $config['system']['domain'], + "/var/run/{$dns_pid}", + '/etc/hosts' + ) + ); + } + } else { + killbypid('/var/run/dhcpleases.pid'); + } } function system_hostname_configure() { - global $config; + global $config; - $syscfg = $config['system']; + $syscfg = $config['system']; - /* set hostname */ - $status = mwexec("/bin/hostname " . - escapeshellarg("{$syscfg['hostname']}.{$syscfg['domain']}")); + /* set hostname */ + $status = mwexec("/bin/hostname " . + escapeshellarg("{$syscfg['hostname']}.{$syscfg['domain']}")); - /* Setup host GUID ID. This is used by ZFS. */ - mwexec("/etc/rc.d/hostid start"); + /* Setup host GUID ID. This is used by ZFS. 
*/ + mwexec("/etc/rc.d/hostid start"); - return $status; + return $status; } function system_routing_configure($interface = '') { - global $config; + global $config; - $gatewayip = ""; - $interfacegw = ""; - $foundgw = false; - $gatewayipv6 = ""; - $interfacegwv6 = ""; - $foundgwv6 = false; - /* tack on all the hard defined gateways as well */ - if (isset($config['gateways']['gateway_item'])) { - array_map('unlink', glob('/tmp/*_defaultgw{,v6}', GLOB_BRACE)); - foreach ($config['gateways']['gateway_item'] as $gateway) { - if (isset($gateway['defaultgw'])) { - if ($gateway['ipprotocol'] != "inet6" && (is_ipaddrv4($gateway['gateway']) || $gateway['gateway'] == "dynamic")) { - if(strstr($gateway['gateway'], ":")) - continue; - if ($gateway['gateway'] == "dynamic") - $gateway['gateway'] = get_interface_gateway($gateway['interface']); - $gatewayip = $gateway['gateway']; - $interfacegw = $gateway['interface']; - if (!empty($gateway['interface'])) { - $defaultif = get_real_interface($gateway['interface']); - if ($defaultif) - @file_put_contents("/tmp/{$defaultif}_defaultgw", $gateway['gateway']); - } - $foundgw = true; - } else if ($gateway['ipprotocol'] == "inet6" && (is_ipaddrv6($gateway['gateway']) || $gateway['gateway'] == "dynamic")) { - if ($gateway['gateway'] == "dynamic") - $gateway['gateway'] = get_interface_gateway_v6($gateway['interface']); - $gatewayipv6 = $gateway['gateway']; - $interfacegwv6 = $gateway['interface']; - if (!empty($gateway['interface'])) { - $defaultifv6 = get_real_interface($gateway['interface']); - if ($defaultifv6) - @file_put_contents("/tmp/{$defaultifv6}_defaultgwv6", $gateway['gateway']); - } - $foundgwv6 = true; - } - } - if ($foundgw === true && $foundgwv6 === true) - break; - } - } - if (!$foundgw) { - $defaultif = get_real_interface("wan"); - $interfacegw = "wan"; - $gatewayip = get_interface_gateway("wan"); - @touch("/tmp/{$defaultif}_defaultgw"); - } - if (!$foundgwv6) { - $defaultifv6 = get_real_interface("wan"); - $interfacegwv6 
= "wan"; - $gatewayipv6 = get_interface_gateway_v6("wan"); - @touch("/tmp/{$defaultif}_defaultgwv6"); - } + $gatewayip = ""; + $interfacegw = ""; + $foundgw = false; + $gatewayipv6 = ""; + $interfacegwv6 = ""; + $foundgwv6 = false; + /* tack on all the hard defined gateways as well */ + if (isset($config['gateways']['gateway_item'])) { + array_map('unlink', glob('/tmp/*_defaultgw{,v6}', GLOB_BRACE)); + foreach ($config['gateways']['gateway_item'] as $gateway) { + if (isset($gateway['defaultgw'])) { + if ($gateway['ipprotocol'] != "inet6" && (is_ipaddrv4($gateway['gateway']) || $gateway['gateway'] == "dynamic")) { + if(strstr($gateway['gateway'], ":")) { + continue; + } + if ($gateway['gateway'] == "dynamic") { + $gateway['gateway'] = get_interface_gateway($gateway['interface']); + } + $gatewayip = $gateway['gateway']; + $interfacegw = $gateway['interface']; + if (!empty($gateway['interface'])) { + $defaultif = get_real_interface($gateway['interface']); + if ($defaultif) { + @file_put_contents("/tmp/{$defaultif}_defaultgw", $gateway['gateway']); + } + } + $foundgw = true; + } else if ($gateway['ipprotocol'] == "inet6" && (is_ipaddrv6($gateway['gateway']) || $gateway['gateway'] == "dynamic")) { + if ($gateway['gateway'] == "dynamic") { + $gateway['gateway'] = get_interface_gateway_v6($gateway['interface']); + } + $gatewayipv6 = $gateway['gateway']; + $interfacegwv6 = $gateway['interface']; + if (!empty($gateway['interface'])) { + $defaultifv6 = get_real_interface($gateway['interface']); + if ($defaultifv6) { + @file_put_contents("/tmp/{$defaultifv6}_defaultgwv6", $gateway['gateway']); + } + } + $foundgwv6 = true; + } + } + if ($foundgw === true && $foundgwv6 === true) { + break; + } + } + } + if (!$foundgw) { + $defaultif = get_real_interface("wan"); + $interfacegw = "wan"; + $gatewayip = get_interface_gateway("wan"); + @touch("/tmp/{$defaultif}_defaultgw"); + } + if (!$foundgwv6) { + $defaultifv6 = get_real_interface("wan"); + $interfacegwv6 = "wan"; + $gatewayipv6 
= get_interface_gateway_v6("wan"); + @touch("/tmp/{$defaultif}_defaultgwv6"); + } - if (!empty($interface) && $interface != $interfacegw) - ; - else if (is_ipaddrv4($gatewayip)) { - log_error("ROUTING: remove current default route to $gatewayip"); - mwexec("/sbin/route delete default"); - log_error("ROUTING: setting default route to $gatewayip"); - mwexec("/sbin/route add -inet default " . escapeshellarg($gatewayip)); - } + if (!empty($interface) && $interface != $interfacegw) + ; + elseif (is_ipaddrv4($gatewayip)) { + log_error("ROUTING: remove current default route to $gatewayip"); + mwexec("/sbin/route delete default"); + log_error("ROUTING: setting default route to $gatewayip"); + mwexec("/sbin/route add -inet default " . escapeshellarg($gatewayip)); + } - if (!empty($interface) && $interface != $interfacegwv6) - ; - else if (is_ipaddrv6($gatewayipv6)) { - $ifscope = ""; - if (is_linklocal($gatewayipv6)) - $ifscope = "%{$defaultifv6}"; - log_error("ROUTING: setting IPv6 default route to {$gatewayipv6}{$ifscope}"); - mwexec("/sbin/route delete -inet6 default " . escapeshellarg("{$gatewayipv6}{$ifscope}")); - mwexec("/sbin/route add -inet6 default " . escapeshellarg("{$gatewayipv6}{$ifscope}")); - } + if (!empty($interface) && $interface != $interfacegwv6) + ; + elseif (is_ipaddrv6($gatewayipv6)) { + $ifscope = ""; + if (is_linklocal($gatewayipv6)) { + $ifscope = "%{$defaultifv6}"; + } + log_error("ROUTING: setting IPv6 default route to {$gatewayipv6}{$ifscope}"); + mwexec("/sbin/route delete -inet6 default " . escapeshellarg("{$gatewayipv6}{$ifscope}")); + mwexec("/sbin/route add -inet6 default " . 
escapeshellarg("{$gatewayipv6}{$ifscope}")); + } - system_staticroutes_configure($interface, false); + system_staticroutes_configure($interface, false); - return 0; + return 0; } /* Compare the current hostname DNS to the DNS cache we made * if it has changed we return the old records * if no change we return false */ function compare_hostname_to_dnscache($hostname) { - if(!is_dir("/var/db/dnscache")) { - mkdir("/var/db/dnscache"); - } - $hostname = trim($hostname); - if(is_readable("/var/db/dnscache/{$hostname}")) { - $oldcontents = file_get_contents("/var/db/dnscache/{$hostname}"); - } else { - $oldcontents = ""; - } - if((is_fqdn($hostname)) && (!is_ipaddr($hostname))) { - $domrecords = array(); - $domips = array(); - exec("host -t A " . escapeshellarg($hostname), $domrecords, $rethost); - if($rethost == 0) { - foreach($domrecords as $domr) { - $doml = explode(" ", $domr); - $domip = $doml[3]; - /* fill array with domain ip addresses */ - if(is_ipaddr($domip)) { - $domips[] = $domip; - } - } - } - sort($domips); - $contents = ""; - if(! empty($domips)) { - foreach($domips as $ip) { - $contents .= "$ip\n"; - } + if(!is_dir("/var/db/dnscache")) { + mkdir("/var/db/dnscache"); + } + $hostname = trim($hostname); + if(is_readable("/var/db/dnscache/{$hostname}")) { + $oldcontents = file_get_contents("/var/db/dnscache/{$hostname}"); + } else { + $oldcontents = ""; + } + if((is_fqdn($hostname)) && (!is_ipaddr($hostname))) { + $domrecords = array(); + $domips = array(); + exec("host -t A " . escapeshellarg($hostname), $domrecords, $rethost); + if($rethost == 0) { + foreach($domrecords as $domr) { + $doml = explode(" ", $domr); + $domip = $doml[3]; + /* fill array with domain ip addresses */ + if(is_ipaddr($domip)) { + $domips[] = $domip; } + } } + sort($domips); + $contents = ""; + if(! 
empty($domips)) { + foreach($domips as $ip) { + $contents .= "$ip\n"; + } + } + } - if(trim($oldcontents) != trim($contents)) { - log_error(sprintf(gettext('DNSCACHE: Found old IP %s and new IP %s'), $oldcontents, $contents)); - return ($oldcontents); - } else { - return false; - } + if(trim($oldcontents) != trim($contents)) { + log_error(sprintf(gettext('DNSCACHE: Found old IP %s and new IP %s'), $oldcontents, $contents)); + return ($oldcontents); + } else { + return false; + } } function system_staticroutes_configure($interface = '', $update_dns = false) { - global $config, $aliastable; + global $config, $aliastable; - $filterdns_list = array(); + $filterdns_list = array(); - $static_routes = get_staticroutes(false, true); - if (count($static_routes)) { - $gateways_arr = return_gateways_array(false, true); + $static_routes = get_staticroutes(false, true); + if (count($static_routes)) { + $gateways_arr = return_gateways_array(false, true); - foreach ($static_routes as $rtent) { - if (empty($gateways_arr[$rtent['gateway']])) { - log_error(sprintf(gettext("Static Routes: Gateway IP could not be found for %s"), $rtent['network'])); - continue; - } - $gateway = $gateways_arr[$rtent['gateway']]; - if (!empty($interface) && $interface != $gateway['friendlyiface']) - continue; + foreach ($static_routes as $rtent) { + if (empty($gateways_arr[$rtent['gateway']])) { + log_error(sprintf(gettext("Static Routes: Gateway IP could not be found for %s"), $rtent['network'])); + continue; + } + $gateway = $gateways_arr[$rtent['gateway']]; + if (!empty($interface) && $interface != $gateway['friendlyiface']) { + continue; + } - $gatewayip = $gateway['gateway']; - $interfacegw = $gateway['interface']; + $gatewayip = $gateway['gateway']; + $interfacegw = $gateway['interface']; - $blackhole = ""; - if (!strcasecmp("Null", substr($rtent['gateway'], 0, 3))) - $blackhole = "-blackhole"; + $blackhole = ""; + if (!strcasecmp("Null", substr($rtent['gateway'], 0, 3))) { + $blackhole = 
"-blackhole"; + } - if (!is_fqdn($rtent['network']) && !is_subnet($rtent['network'])) - continue; + if (!is_fqdn($rtent['network']) && !is_subnet($rtent['network'])) { + continue; + } - $dnscache = array(); - if ($update_dns === true) { - if (is_subnet($rtent['network'])) - continue; - $dnscache = explode("\n", trim(compare_hostname_to_dnscache($rtent['network']))); - if (empty($dnscache)) - continue; - } + $dnscache = array(); + if ($update_dns === true) { + if (is_subnet($rtent['network'])) { + continue; + } + $dnscache = explode("\n", trim(compare_hostname_to_dnscache($rtent['network']))); + if (empty($dnscache)) { + continue; + } + } - if (is_subnet($rtent['network'])) - $ips = array($rtent['network']); - else { - if (!isset($rtent['disabled'])) - $filterdns_list[] = $rtent['network']; - $ips = add_hostname_to_watch($rtent['network']); - } + if (is_subnet($rtent['network'])) { + $ips = array($rtent['network']); + } else { + if (!isset($rtent['disabled'])) { + $filterdns_list[] = $rtent['network']; + } + $ips = add_hostname_to_watch($rtent['network']); + } - foreach ($dnscache as $ip) { - if (in_array($ip, $ips)) - continue; - mwexec("/sbin/route delete " . escapeshellarg($ip), true); - } + foreach ($dnscache as $ip) { + if (in_array($ip, $ips)) { + continue; + } + mwexec("/sbin/route delete " . escapeshellarg($ip), true); + } - if (isset($rtent['disabled'])) { - /* XXX: This is a bit dangerous in case of routing daemons!? */ - foreach ($ips as $ip) - mwexec("/sbin/route delete " . escapeshellarg($ip), true); - continue; - } + if (isset($rtent['disabled'])) { + /* XXX: This is a bit dangerous in case of routing daemons!? */ + foreach ($ips as $ip) { + mwexec("/sbin/route delete " . 
escapeshellarg($ip), true); + } + continue; + } - foreach ($ips as $ip) { - if (is_ipaddrv4($ip)) - $ip .= "/32"; - else if (is_ipaddrv6($ip)) - $ip .= "/128"; + foreach ($ips as $ip) { + if (is_ipaddrv4($ip)) { + $ip .= "/32"; + } elseif (is_ipaddrv6($ip)) { + $ip .= "/128"; + } + $inet = (is_subnetv6($ip) ? "-inet6" : "-inet"); + $cmd = " {$inet} {$blackhole} " . escapeshellarg($ip) . " "; + if (is_subnet($ip)) { + if (is_ipaddr($gatewayip)) { + mwexec("/sbin/route delete".$cmd . escapeshellarg($gatewayip)); + mwexec("/sbin/route add".$cmd . escapeshellarg($gatewayip)); + } elseif (!empty($interfacegw)) { + mwexec("/sbin/route delete".$cmd . "-iface " . escapeshellarg($interfacegw)); + mwexec("/sbin/route add".$cmd . "-iface " . escapeshellarg($interfacegw)); + } + } + } + } + unset($gateways_arr); + } + unset($static_routes); - $inet = (is_subnetv6($ip) ? "-inet6" : "-inet"); + if ($update_dns === false) { + if (count($filterdns_list)) { + $interval = 60; + $hostnames = ""; + array_unique($filterdns_list); + foreach ($filterdns_list as $hostname) { + $hostnames .= "cmd {$hostname} '/usr/local/opnsense/service/configd_ctl.py routedns reload'\n"; + } + file_put_contents("/var/etc/filterdns-route.hosts", $hostnames); + unset($hostnames); - $cmd = " {$inet} {$blackhole} " . escapeshellarg($ip) . " "; + if (isvalidpid('/var/run/filterdns-route.pid')) { + killbypid('/var/run/filterdns-route.pid', 'HUP'); + } else { + mwexec("/usr/local/sbin/filterdns -p /var/run/filterdns-route.pid -i {$interval} -c /var/etc/filterdns-route.hosts -d 1"); + } + } else { + killbypid('/var/run/filterdns-route.pid'); + } + } + unset($filterdns_list); - if (is_subnet($ip)) - if (is_ipaddr($gatewayip)) { - mwexec("/sbin/route delete".$cmd . escapeshellarg($gatewayip)); - mwexec("/sbin/route add".$cmd . escapeshellarg($gatewayip)); - } - else if (!empty($interfacegw)) { - mwexec("/sbin/route delete".$cmd . "-iface " . escapeshellarg($interfacegw)); - mwexec("/sbin/route add".$cmd . 
"-iface " . escapeshellarg($interfacegw)); - } - } - } - unset($gateways_arr); - } - unset($static_routes); - - if ($update_dns === false) { - if (count($filterdns_list)) { - $interval = 60; - $hostnames = ""; - array_unique($filterdns_list); - foreach ($filterdns_list as $hostname) - $hostnames .= "cmd {$hostname} '/usr/local/opnsense/service/configd_ctl.py routedns reload'\n"; - file_put_contents("/var/etc/filterdns-route.hosts", $hostnames); - unset($hostnames); - - if (isvalidpid('/var/run/filterdns-route.pid')) { - killbypid('/var/run/filterdns-route.pid', 'HUP'); - } else { - mwexec("/usr/local/sbin/filterdns -p /var/run/filterdns-route.pid -i {$interval} -c /var/etc/filterdns-route.hosts -d 1"); - } - } else { - killbypid('/var/run/filterdns-route.pid'); - } - } - unset($filterdns_list); - - return 0; + return 0; } function system_routing_enable() { - global $config; + global $config; - set_sysctl(array( - "net.inet.ip.forwarding" => "1", - "net.inet6.ip6.forwarding" => "1" - )); + set_sysctl(array( + "net.inet.ip.forwarding" => "1", + "net.inet6.ip6.forwarding" => "1" + )); } function system_syslogd_fixup_server($server) { - /* If it's an IPv6 IP alone, encase it in brackets */ - if (is_ipaddrv6($server)) - return "[$server]"; - else - return $server; + /* If it's an IPv6 IP alone, encase it in brackets */ + if (is_ipaddrv6($server)) { + return "[$server]"; + } else { + return $server; + } } function system_syslogd_get_remote_servers($syslogcfg, $facility = "*.*") { - // Rather than repeatedly use the same code, use this function to build a list of remote servers. - $facility .= " ". - $remote_servers = ""; - $pad_to = 56; - $padding = ceil(($pad_to - strlen($facility))/8)+1; - if(!empty($syslogcfg['remoteserver'])) { - $remote_servers .= "{$facility}" . str_repeat("\t", $padding) . "@" . system_syslogd_fixup_server($syslogcfg['remoteserver']) . "\n"; - } - if(!empty($syslogcfg['remoteserver2'])) { - $remote_servers .= "{$facility}" . 
str_repeat("\t", $padding) . "@" . system_syslogd_fixup_server($syslogcfg['remoteserver2']) . "\n"; - } - if(!empty($syslogcfg['remoteserver3'])) { - $remote_servers .= "{$facility}" . str_repeat("\t", $padding) . "@" . system_syslogd_fixup_server($syslogcfg['remoteserver3']) . "\n"; - } - return $remote_servers; + // Rather than repeatedly use the same code, use this function to build a list of remote servers. + $facility .= " ". + $remote_servers = ""; + $pad_to = 56; + $padding = ceil(($pad_to - strlen($facility))/8)+1; + if(!empty($syslogcfg['remoteserver'])) { + $remote_servers .= "{$facility}" . str_repeat("\t", $padding) . "@" . system_syslogd_fixup_server($syslogcfg['remoteserver']) . "\n"; + } + if(!empty($syslogcfg['remoteserver2'])) { + $remote_servers .= "{$facility}" . str_repeat("\t", $padding) . "@" . system_syslogd_fixup_server($syslogcfg['remoteserver2']) . "\n"; + } + if(!empty($syslogcfg['remoteserver3'])) { + $remote_servers .= "{$facility}" . str_repeat("\t", $padding) . "@" . system_syslogd_fixup_server($syslogcfg['remoteserver3']) . 
"\n"; + } + return $remote_servers; } function system_syslogd_start() { - global $config, $g; - $retval = null; + global $config, $g; + $retval = null; - /* XXX temporary hook for newsyslog.conf regeneration */ - configd_run('template reload OPNsense.Syslog'); + /* XXX temporary hook for newsyslog.conf regeneration */ + configd_run('template reload OPNsense.Syslog'); - mwexec('/etc/rc.d/hostid start'); + mwexec('/etc/rc.d/hostid start'); - $syslogcfg = $config['syslog']; + $syslogcfg = $config['syslog']; - if (file_exists('/var/run/booting')) { - echo gettext('Starting syslog...'); - } + if (file_exists('/var/run/booting')) { + echo gettext('Starting syslog...'); + } - $log_directive = '%'; - $syslogd_extra = ''; + $log_directive = '%'; + $syslogd_extra = ''; - if (isset($syslogcfg)) { - $separatelogfacilities = array( - 'apinger', - 'bgpd', - 'charon', - 'dhclient', - 'dhcp6c', - 'dhcpd', - 'dhcrelay', - 'dnsmasq', - 'filterdns', - 'filterlog', - 'hostapd', - 'l2tps', - 'miniupnpd', - 'ntp', - 'ntpd', - 'ntpdate', - 'olsrd', - 'openvpn', - 'ospfd', - 'poes', - 'ppp', - 'pptps', - 'radvd', - 'relayd', - 'routed', - 'unbound', - 'zebra', - ); - $syslogconf = ''; + if (isset($syslogcfg)) { + $separatelogfacilities = array( + 'apinger', + 'bgpd', + 'charon', + 'dhclient', + 'dhcp6c', + 'dhcpd', + 'dhcrelay', + 'dnsmasq', + 'filterdns', + 'filterlog', + 'hostapd', + 'l2tps', + 'miniupnpd', + 'ntp', + 'ntpd', + 'ntpdate', + 'olsrd', + 'openvpn', + 'ospfd', + 'poes', + 'ppp', + 'pptps', + 'radvd', + 'relayd', + 'routed', + 'unbound', + 'zebra', + ); + $syslogconf = ''; - // create structure with log section definitions and config tags for remote usage - $syslogconfs = array(); - $syslogconfs['routing'] = array("conf" => "!radvd,routed,olsrd,zebra,ospfd,bgpd,miniupnpd" , "remote" => null); - $syslogconfs['ntpd'] = array("conf" => "!ntp,ntpd,ntpdate", "remote" => null); - $syslogconfs['ppps'] = array("conf" => "!ppp", "remote" => null); - $syslogconfs['pptps'] = 
array("conf" => "!pptps", "remote" => null); - $syslogconfs['poes'] = array("conf" => "!poes", "remote" => null); - $syslogconfs['l2tps'] = array("conf" => "!l2tps", "remote" => null); - $syslogconfs['ipsec'] = array("conf" => "!charon", "remote" => null); - $syslogconfs['openvpn'] = array("conf" => "!openvpn", "remote" => "vpn"); - $syslogconfs['gateways'] = array("conf" => "!apinger", "remote" => "apinger"); - $syslogconfs['resolver'] = array("conf" => "!dnsmasq,filterdns,unbound", "remote" => null); - $syslogconfs['dhcpd'] = array("conf" => "!dhcpd,dhcrelay,dhclient,dhcp6c", "remote" => "dhcp"); - $syslogconfs['relayd'] = array("conf" => "!relayd", "remote" => "relayd"); - $syslogconfs['wireless'] = array("conf" => "!hostapd", "remote" => "hostapd"); - $syslogconfs['filter'] = array("conf" => "!filterlog", "remote" => "filter"); + // create structure with log section definitions and config tags for remote usage + $syslogconfs = array(); + $syslogconfs['routing'] = array("conf" => "!radvd,routed,olsrd,zebra,ospfd,bgpd,miniupnpd" , "remote" => null); + $syslogconfs['ntpd'] = array("conf" => "!ntp,ntpd,ntpdate", "remote" => null); + $syslogconfs['ppps'] = array("conf" => "!ppp", "remote" => null); + $syslogconfs['pptps'] = array("conf" => "!pptps", "remote" => null); + $syslogconfs['poes'] = array("conf" => "!poes", "remote" => null); + $syslogconfs['l2tps'] = array("conf" => "!l2tps", "remote" => null); + $syslogconfs['ipsec'] = array("conf" => "!charon", "remote" => null); + $syslogconfs['openvpn'] = array("conf" => "!openvpn", "remote" => "vpn"); + $syslogconfs['gateways'] = array("conf" => "!apinger", "remote" => "apinger"); + $syslogconfs['resolver'] = array("conf" => "!dnsmasq,filterdns,unbound", "remote" => null); + $syslogconfs['dhcpd'] = array("conf" => "!dhcpd,dhcrelay,dhclient,dhcp6c", "remote" => "dhcp"); + $syslogconfs['relayd'] = array("conf" => "!relayd", "remote" => "relayd"); + $syslogconfs['wireless'] = array("conf" => "!hostapd", "remote" => 
"hostapd"); + $syslogconfs['filter'] = array("conf" => "!filterlog", "remote" => "filter"); - foreach ($syslogconfs as $logTopic => $logConfig) { - $syslogconf .= "{$logConfig['conf']}\n"; - if (!isset($syslogcfg['disablelocallogging'])) { - $syslogconf .= "*.* {$log_directive}/var/log/{$logTopic}.log\n"; - } - if ($logConfig['remote'] != null && !empty($syslogcfg[$logConfig['remote']]) && !empty($syslogcfg['enable'])) { - $syslogconf .= system_syslogd_get_remote_servers($syslogcfg, "*.*"); - } - } + foreach ($syslogconfs as $logTopic => $logConfig) { + $syslogconf .= "{$logConfig['conf']}\n"; + if (!isset($syslogcfg['disablelocallogging'])) { + $syslogconf .= "*.* {$log_directive}/var/log/{$logTopic}.log\n"; + } + if ($logConfig['remote'] != null && !empty($syslogcfg[$logConfig['remote']]) && !empty($syslogcfg['enable'])) { + $syslogconf .= system_syslogd_get_remote_servers($syslogcfg, "*.*"); + } + } - $facilitylist = implode(',', array_unique($separatelogfacilities)); - $syslogconf .= "!-{$facilitylist}\n"; - if (!isset($syslogcfg['disablelocallogging'])) - $syslogconf .= << "") - $portarg = "{$config['system']['webgui']['port']}"; + /* non-standard port? 
*/ + if (isset($config['system']['webgui']['port']) && $config['system']['webgui']['port'] <> "") { + $portarg = "{$config['system']['webgui']['port']}"; + } - if ($config['system']['webgui']['protocol'] == "https") { - // Ensure that we have a webConfigurator CERT - $cert =& lookup_cert($config['system']['webgui']['ssl-certref']); - if(!is_array($cert) && !$cert['crt'] && !$cert['prv']) { - if (!is_array($config['ca'])) - $config['ca'] = array(); - $a_ca =& $config['ca']; - if (!is_array($config['cert'])) - $config['cert'] = array(); - $a_cert =& $config['cert']; - log_error("Creating SSL Certificate for this host"); - $cert = array(); - $cert['refid'] = uniqid(); - $cert['descr'] = gettext("webConfigurator default"); - mwexec( - /* XXX ought to be replaced by PHP calls */ - '/usr/local/bin/openssl req -new ' . - '-newkey rsa:4096 -sha256 -days 365 -nodes -x509 ' . - '-subj "/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense" ' . - '-keyout /tmp/ssl.key -out /tmp/ssl.crt' - ); - $crt = file_get_contents('/tmp/ssl.crt'); - $key = file_get_contents('/tmp/ssl.key'); - unlink('/tmp/ssl.key'); - unlink('/tmp/ssl.crt'); - cert_import($cert, $crt, $key); - $a_cert[] = $cert; - $config['system']['webgui']['ssl-certref'] = $cert['refid']; - write_config(gettext("Importing HTTPS certificate")); - } else { - $crt = base64_decode($cert['crt']); - $key = base64_decode($cert['prv']); - } + if ($config['system']['webgui']['protocol'] == "https") { + // Ensure that we have a webConfigurator CERT + $cert =& lookup_cert($config['system']['webgui']['ssl-certref']); + if(!is_array($cert) && !$cert['crt'] && !$cert['prv']) { + if (!is_array($config['ca'])) { + $config['ca'] = array(); + } + $a_ca =& $config['ca']; + if (!is_array($config['cert'])) { + $config['cert'] = array(); + } + $a_cert =& $config['cert']; + log_error("Creating SSL Certificate for this host"); + $cert = array(); + $cert['refid'] = uniqid(); + $cert['descr'] = gettext("webConfigurator default"); + mwexec( + /* XXX 
ought to be replaced by PHP calls */ + '/usr/local/bin/openssl req -new ' . + '-newkey rsa:4096 -sha256 -days 365 -nodes -x509 ' . + '-subj "/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense" ' . + '-keyout /tmp/ssl.key -out /tmp/ssl.crt' + ); + $crt = file_get_contents('/tmp/ssl.crt'); + $key = file_get_contents('/tmp/ssl.key'); + unlink('/tmp/ssl.key'); + unlink('/tmp/ssl.crt'); + cert_import($cert, $crt, $key); + $a_cert[] = $cert; + $config['system']['webgui']['ssl-certref'] = $cert['refid']; + write_config(gettext("Importing HTTPS certificate")); + } else { + $crt = base64_decode($cert['crt']); + $key = base64_decode($cert['prv']); + } - if (!$config['system']['webgui']['port']) { - $portarg = '443'; - } + if (!$config['system']['webgui']['port']) { + $portarg = '443'; + } - $ca = ca_chain($cert); - } + $ca = ca_chain($cert); + } - /* generate lighttpd configuration */ - system_generate_lighty_config("/var/etc/lighty-webConfigurator.conf", - $crt, $key, $ca, "lighty-webConfigurator.pid", $portarg, "/usr/local/www/", - "cert.pem", "ca.pem"); + /* generate lighttpd configuration */ + system_generate_lighty_config("/var/etc/lighty-webConfigurator.conf", + $crt, $key, $ca, "lighty-webConfigurator.pid", $portarg, "/usr/local/www/", + "cert.pem", "ca.pem"); - /* kill any running lighttpd */ - killbypid('/var/run/lighty-webConfigurator.pid'); + /* kill any running lighttpd */ + killbypid('/var/run/lighty-webConfigurator.pid'); - sleep(1); + sleep(1); - /* regenerate the php.ini files in case the setup has changed */ - mwexec('/usr/local/etc/rc.php_ini_setup'); + /* regenerate the php.ini files in case the setup has changed */ + mwexec('/usr/local/etc/rc.php_ini_setup'); - /* attempt to start lighthttpd and return true if ok */ - return !mwexec("/usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf"); + /* attempt to start lighthttpd and return true if ok */ + return !mwexec("/usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf"); } /* 
@@ -1007,29 +1045,29 @@ function system_webgui_start() * [1] real (actual) memory of the system, should be the size of the RAM card/s - e.g. 256 MBytes */ function get_memory() { - $physmem = get_single_sysctl("hw.physmem"); - $realmem = get_single_sysctl("hw.realmem"); - /* convert from bytes to megabytes */ - return array(($physmem/1048576),($realmem/1048576)); + $physmem = get_single_sysctl("hw.physmem"); + $realmem = get_single_sysctl("hw.realmem"); + /* convert from bytes to megabytes */ + return array(($physmem/1048576),($realmem/1048576)); } function system_generate_lighty_config( - $filename, - $cert, - $key, - $ca, - $pid_file, - $port = 80, - $document_root = '/usr/local/www/', - $cert_location = 'cert.pem', - $ca_location = 'ca.pem') + $filename, + $cert, + $key, + $ca, + $pid_file, + $port = 80, + $document_root = '/usr/local/www/', + $cert_location = 'cert.pem', + $ca_location = 'ca.pem') { - global $config; + global $config; - @mkdir('/tmp/lighttpdcompress'); + @mkdir('/tmp/lighttpdcompress'); - $http_rewrite_rules = << "/usr/local/opnsense/www/" ) alias.url += ( "/api/" => "/usr/local/opnsense/www/" ) 
@@ -1038,44 +1076,45 @@ url.rewrite-if-not-file = ( "^/ui/(.*)$" => "/ui/index.php?_url=/$1" , ) EOD; - $server_upload_dirs = "server.upload-dirs = ( \"/root/\", \"/tmp/\", \"/var/\" )\n"; - $server_max_request_size = "server.max-request-size = 2097152"; - $cgi_config = "cgi.assign = ( \".cgi\" => \"\" )"; + $server_upload_dirs = "server.upload-dirs = ( \"/root/\", \"/tmp/\", \"/var/\" )\n"; + $server_max_request_size = "server.max-request-size = 2097152"; + $cgi_config = "cgi.assign = ( \".cgi\" => \"\" )"; - if (empty($port)) - $lighty_port = "80"; - else - $lighty_port = $port; + if (empty($port)) { + $lighty_port = "80"; + } else { + $lighty_port = $port; + } - if(!isset($config['syslog']['nologlighttpd'])) { - $lighty_use_syslog = << - ( "localhost" => - ( - "socket" => "{$fast_cgi_path}", - "max-procs" => 2, - "bin-environment" => ( - "PHP_FCGI_CHILDREN" => "3", - "PHP_FCGI_MAX_REQUESTS" => "100" - ), - "bin-path" => "/usr/local/bin/php-cgi" - ) - ) + ( "localhost" => + ( + "socket" => "{$fast_cgi_path}", + "max-procs" => 2, + "bin-environment" => ( + "PHP_FCGI_CHILDREN" => "3", + "PHP_FCGI_MAX_REQUESTS" => "100" + ), + "bin-path" => "/usr/local/bin/php-cgi" + ) + ) ) EOD; - $lighty_config = << "" and $key <> "") { - $lighty_config .= "\n"; - $lighty_config .= "## ssl configuration\n"; - $lighty_config .= "ssl.engine = \"enable\"\n"; - $lighty_config .= "ssl.pemfile = \"/var/etc/{$cert_location}\"\n\n"; - if($ca <> "") - $lighty_config .= "ssl.ca-file = \"/var/etc/{$ca_location}\"\n\n"; - } - $lighty_config .= " }\n"; + $lighty_config .= "server.bind = \"0.0.0.0\"\n"; + $lighty_config .= "server.port = {$lighty_port}\n"; + $lighty_config .= "\$SERVER[\"socket\"] == \"0.0.0.0:{$lighty_port}\" { }\n"; + $lighty_config .= "\$SERVER[\"socket\"] == \"[::]:{$lighty_port}\" { \n"; + if($cert <> "" and $key <> "") { + $lighty_config .= "\n"; + $lighty_config .= "## ssl configuration\n"; + $lighty_config .= "ssl.engine = \"enable\"\n"; + $lighty_config .= "ssl.pemfile 
= \"/var/etc/{$cert_location}\"\n\n"; + if($ca <> "") { + $lighty_config .= "ssl.ca-file = \"/var/etc/{$ca_location}\"\n\n"; + } + } + $lighty_config .= " }\n"; - $lighty_config .= << "access 50 hours", + "" => "access 50 hours", ) EOD; - $cert = str_replace("\r", "", $cert); - $key = str_replace("\r", "", $key); - $ca = str_replace("\r", "", $ca); + $cert = str_replace("\r", "", $cert); + $key = str_replace("\r", "", $key); + $ca = str_replace("\r", "", $ca); - $cert = str_replace("\n\n", "\n", $cert); - $key = str_replace("\n\n", "\n", $key); - $ca = str_replace("\n\n", "\n", $ca); + $cert = str_replace("\n\n", "\n", $cert); + $key = str_replace("\n\n", "\n", $key); + $ca = str_replace("\n\n", "\n", $ca); - if($cert <> "" and $key <> "") { - $fd = fopen("/var/etc/{$cert_location}", "w"); - if (!$fd) { - printf(gettext("Error: cannot open cert.pem in system_webgui_start().%s"), "\n"); - return 1; - } - chmod("/var/etc/{$cert_location}", 0600); - fwrite($fd, $cert); - fwrite($fd, "\n"); - fwrite($fd, $key); - fclose($fd); - if(!(empty($ca) || (strlen(trim($ca)) == 0))) { - $fd = fopen("/var/etc/{$ca_location}", "w"); - if (!$fd) { - printf(gettext("Error: cannot open ca.pem in system_webgui_start().%s"), "\n"); - return 1; - } - chmod("/var/etc/{$ca_location}", 0600); - fwrite($fd, $ca); - fclose($fd); - } - $lighty_config .= "\n"; - $lighty_config .= "## " . gettext("ssl configuration") . 
"\n"; - $lighty_config .= "ssl.engine = \"enable\"\n"; - $lighty_config .= "ssl.pemfile = \"/var/etc/{$cert_location}\"\n\n"; + if($cert <> "" and $key <> "") { + $fd = fopen("/var/etc/{$cert_location}", "w"); + if (!$fd) { + printf(gettext("Error: cannot open cert.pem in system_webgui_start().%s"), "\n"); + return 1; + } + chmod("/var/etc/{$cert_location}", 0600); + fwrite($fd, $cert); + fwrite($fd, "\n"); + fwrite($fd, $key); + fclose($fd); + if(!(empty($ca) || (strlen(trim($ca)) == 0))) { + $fd = fopen("/var/etc/{$ca_location}", "w"); + if (!$fd) { + printf(gettext("Error: cannot open ca.pem in system_webgui_start().%s"), "\n"); + return 1; + } + chmod("/var/etc/{$ca_location}", 0600); + fwrite($fd, $ca); + fclose($fd); + } + $lighty_config .= "\n"; + $lighty_config .= "## " . gettext("ssl configuration") . "\n"; + $lighty_config .= "ssl.engine = \"enable\"\n"; + $lighty_config .= "ssl.pemfile = \"/var/etc/{$cert_location}\"\n\n"; - // Harden SSL a bit for PCI conformance testing - $lighty_config .= "ssl.use-sslv2 = \"disable\"\n"; + // Harden SSL a bit for PCI conformance testing + $lighty_config .= "ssl.use-sslv2 = \"disable\"\n"; - $lighty_config .= 'ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"' . 
PHP_EOL; + $lighty_config .= 'ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"' . PHP_EOL; - if(!(empty($ca) || (strlen(trim($ca)) == 0))) - $lighty_config .= "ssl.ca-file = \"/var/etc/{$ca_location}\"\n\n"; - } + if(!(empty($ca) || (strlen(trim($ca)) == 0))) { + $lighty_config .= "ssl.ca-file = \"/var/etc/{$ca_location}\"\n\n"; + } + } - // Add HTTP to HTTPS redirect - if ($config['system']['webgui']['protocol'] == "https" && !isset($config['system']['webgui']['disablehttpredirect'])) { - if($lighty_port != "443") { - $redirectport = ":{$lighty_port}"; - } else { - $redirectport = ""; - } - $lighty_config .= << "https://%1{$redirectport}/$1" ) - } + \$HTTP["host"] =~ "(.*)" { + url.redirect = ( "^/(.*)" => "https://%1{$redirectport}/$1" ) + } } \$SERVER["socket"] == "[::]:80" { - \$HTTP["host"] =~ "(.*)" { - url.redirect = ( "^/(.*)" => "https://%1{$redirectport}/$1" ) - } + \$HTTP["host"] =~ "(.*)" { + url.redirect = ( "^/(.*)" => "https://%1{$redirectport}/$1" ) + } } EOD; - } + } - $fd = fopen("{$filename}", "w"); - if (!$fd) { - printf(gettext("Error: cannot open %s in system_generate_lighty_config().%s"), $filename, "\n"); - return 1; - } - fwrite($fd, $lighty_config); - fclose($fd); - - return 0; + $fd = fopen("{$filename}", "w"); + if (!$fd) { + printf(gettext("Error: cannot open %s 
in system_generate_lighty_config().%s"), $filename, "\n"); + return 1; + } + fwrite($fd, $lighty_config); + fclose($fd); + return 0; } function system_firmware_configure() { - global $config; + global $config; - /* our own ABI prefix on the mirror */ - $osabi = '16.1'; + /* our own ABI prefix on the mirror */ + $osabi = '16.1'; - /* rewrite the config via the defaults */ - $origin_conf = '/usr/local/etc/pkg/repos/origin.conf'; - copy("${origin_conf}.sample", $origin_conf); + /* rewrite the config via the defaults */ + $origin_conf = '/usr/local/etc/pkg/repos/origin.conf'; + copy("${origin_conf}.sample", $origin_conf); - if (isset($config['system']['firmware']['mirror'])) { - configd_run('firmware mirror ' . escapeshellarg( - str_replace('/', '\/', $config['system']['firmware']['mirror']) - )); - } + if (isset($config['system']['firmware']['mirror'])) { + configd_run('firmware mirror ' . escapeshellarg( + str_replace('/', '\/', $config['system']['firmware']['mirror']) + )); + } - if (isset($config['system']['firmware']['flavour'])) { - configd_run('firmware flavour ' . escapeshellarg( - str_replace('/', '\/', $osabi . '/' . $config['system']['firmware']['flavour']) - )); - } + if (isset($config['system']['firmware']['flavour'])) { + configd_run('firmware flavour ' . escapeshellarg( + str_replace('/', '\/', $osabi . '/' . 
$config['system']['firmware']['flavour']) + )); + } } function system_timezone_configure() { - global $config; + global $config; - $syscfg = $config['system']; + $syscfg = $config['system']; - if (file_exists("/var/run/booting")) - echo gettext("Setting timezone..."); + if (file_exists("/var/run/booting")) { + echo gettext("Setting timezone..."); + } - /* extract appropriate timezone file */ - $timezone = $syscfg['timezone']; - $timezones = get_zoneinfo(); + /* extract appropriate timezone file */ + $timezone = $syscfg['timezone']; + $timezones = get_zoneinfo(); - // Reset to default if empty or not existend - if (empty($timezone) || !in_array($timezone, $timezones)) { - $timezone = 'Etc/UTC'; - } + // Reset to default if empty or not existend + if (empty($timezone) || !in_array($timezone, $timezones)) { + $timezone = 'Etc/UTC'; + } - // Apply timezone - copy(sprintf('/usr/share/zoneinfo/%s', $timezone), '/etc/localtime'); + // Apply timezone + copy(sprintf('/usr/share/zoneinfo/%s', $timezone), '/etc/localtime'); - mwexec("sync"); + mwexec("sync"); - if (file_exists("/var/run/booting")) - echo gettext("done.") . "\n"; + if (file_exists("/var/run/booting")) { + echo gettext("done.") . 
"\n";
+ }
 }
 function system_ntp_setup_gps($serialport) {
- global $config;
- $gps_device = '/dev/gps0';
- $serialport = '/dev/'.$serialport;
+ global $config;
+ $gps_device = '/dev/gps0';
+ $serialport = '/dev/'.$serialport;
- if (!file_exists($serialport))
- return false;
+ if (!file_exists($serialport)) {
+ return false;
+ }
- // Create symlink that ntpd requires
- @unlink($gps_device);
- symlink($serialport, $gps_device);
+ // Create symlink that ntpd requires
+ @unlink($gps_device);
+ symlink($serialport, $gps_device);
- /* Send the following to the GPS port to initialize the GPS */
- if (isset($config['ntpd']['gps'])) {
- $gps_init = base64_decode($config['ntpd']['gps']['initcmd']);
- } else {
- $gps_init = base64_decode('JFBVQlgsNDAsR1NWLDAsMCwwLDAqNTkNCiRQVUJYLDQwLEdMTCwwLDAsMCwwKjVDDQokUFVCWCw0MCxaREEsMCwwLDAsMCo0NA0KJFBVQlgsNDAsVlRHLDAsMCwwLDAqNUUNCiRQVUJYLDQwLEdTViwwLDAsMCwwKjU5DQokUFVCWCw0MCxHU0EsMCwwLDAsMCo0RQ0KJFBVQlgsNDAsR0dBLDAsMCwwLDANCiRQVUJYLDQwLFRYVCwwLDAsMCwwDQokUFVCWCw0MCxSTUMsMCwwLDAsMCo0Ng0KJFBVQlgsNDEsMSwwMDA3LDAwMDMsNDgwMCwwDQokUFVCWCw0MCxaREEsMSwxLDEsMQ==');
- }
+ /* Send the following to the GPS port to initialize the GPS */
+ if (isset($config['ntpd']['gps'])) {
+ $gps_init = base64_decode($config['ntpd']['gps']['initcmd']);
+ } else {
+ $gps_init = base64_decode('JFBVQlgsNDAsR1NWLDAsMCwwLDAqNTkNCiRQVUJYLDQwLEdMTCwwLDAsMCwwKjVDDQokUFVCWCw0MCxaREEsMCwwLDAsMCo0NA0KJFBVQlgsNDAsVlRHLDAsMCwwLDAqNUUNCiRQVUJYLDQwLEdTViwwLDAsMCwwKjU5DQokUFVCWCw0MCxHU0EsMCwwLDAsMCo0RQ0KJFBVQlgsNDAsR0dBLDAsMCwwLDANCiRQVUJYLDQwLFRYVCwwLDAsMCwwDQokUFVCWCw0MCxSTUMsMCwwLDAsMCo0Ng0KJFBVQlgsNDEsMSwwMDA3LDAwMDMsNDgwMCwwDQokUFVCWCw0MCxaREEsMSwxLDEsMQ==');
+ }
- /* XXX: Why not file_put_contents to the device */
- @file_put_contents('/tmp/gps.init', $gps_init);
- `cat /tmp/gps.init > $serialport`;
+ /* XXX: Why not file_put_contents to the device */
+ @file_put_contents('/tmp/gps.init', $gps_init);
+ `cat /tmp/gps.init > $serialport`;
- /* Add /etc/remote entry in case we
need to read from the GPS with tip */
- if (intval(`grep -c '^gps0' /etc/remote`) == 0) {
- $gpsbaud = '4800';
- if (is_array($config['ntpd']) && is_array($config['ntpd']['gps']) && !empty($config['ntpd']['gps']['speed'])) {
- switch($config['ntpd']['gps']['speed']) {
- case '16':
- $gpsbaud = '9600';
- break;
- case '32':
- $gpsbaud = '19200';
- break;
- case '48':
- $gpsbaud = '38400';
- break;
- case '64':
- $gpsbaud = '57600';
- break;
- case '80':
- $gpsbaud = '115200';
- break;
- }
- }
- @file_put_contents("/etc/remote", "gps0:dv={$serialport}:br#{$gpsbaud}:pa=none:", FILE_APPEND);
- }
+ /* Add /etc/remote entry in case we need to read from the GPS with tip */
+ if (intval(`grep -c '^gps0' /etc/remote`) == 0) {
+ $gpsbaud = '4800';
+ if (is_array($config['ntpd']) && is_array($config['ntpd']['gps']) && !empty($config['ntpd']['gps']['speed'])) {
+ switch($config['ntpd']['gps']['speed']) {
+ case '16':
+ $gpsbaud = '9600';
+ break;
+ case '32':
+ $gpsbaud = '19200';
+ break;
+ case '48':
+ $gpsbaud = '38400';
+ break;
+ case '64':
+ $gpsbaud = '57600';
+ break;
+ case '80':
+ $gpsbaud = '115200';
+ break;
+ }
+ }
+ @file_put_contents("/etc/remote", "gps0:dv={$serialport}:br#{$gpsbaud}:pa=none:", FILE_APPEND);
+ }
- return true;
+ return true;
 }
 function system_ntp_setup_pps($serialport) {
- $pps_device = '/dev/pps0';
- $serialport = "/dev/{$serialport}";
+ $pps_device = '/dev/pps0';
+ $serialport = "/dev/{$serialport}";
- if (!file_exists($serialport)) {
- return false;
- }
+ if (!file_exists($serialport)) {
+ return false;
+ }
- // Create symlink that ntpd requires
- @unlink($pps_device);
- @symlink($serialport, $pps_device);
+ // Create symlink that ntpd requires
+ @unlink($pps_device);
+ @symlink($serialport, $pps_device);
- return true;
+ return true;
 }
 function system_ntp_configure($start_ntpd = true) {
- global $config;
+ global $config;
- $driftfile = '/var/db/ntpd.drift';
- $statsdir = '/var/log/ntp';
- $gps_device = '/dev/gps0';
+ $driftfile =
'/var/db/ntpd.drift';
+ $statsdir = '/var/log/ntp';
+ $gps_device = '/dev/gps0';
- @mkdir($statsdir, 0755);
+ @mkdir($statsdir, 0755);
- if (!isset($config['ntpd']) || !is_array($config['ntpd'])) {
- $config['ntpd'] = array();
- }
+ if (!isset($config['ntpd']) || !is_array($config['ntpd'])) {
+ $config['ntpd'] = array();
+ }
- $ntpcfg = "# \n";
- $ntpcfg .= "# OPNsense ntp configuration file \n";
- $ntpcfg .= "# \n\n";
- $ntpcfg .= "tinker panic 0 \n";
+ $ntpcfg = "# \n";
+ $ntpcfg .= "# OPNsense ntp configuration file \n";
+ $ntpcfg .= "# \n\n";
+ $ntpcfg .= "tinker panic 0 \n";
- /* Add Orphan mode */
- $ntpcfg .= "# Orphan mode stratum\n";
- $ntpcfg .= 'tos orphan ';
- if (!empty($config['ntpd']['orphan'])) {
- $ntpcfg .= $config['ntpd']['orphan'];
- }else{
- $ntpcfg .= '12';
- }
- $ntpcfg .= "\n";
+ /* Add Orphan mode */
+ $ntpcfg .= "# Orphan mode stratum\n";
+ $ntpcfg .= 'tos orphan ';
+ if (!empty($config['ntpd']['orphan'])) {
+ $ntpcfg .= $config['ntpd']['orphan'];
+ }else{
+ $ntpcfg .= '12';
+ }
+ $ntpcfg .= "\n";
- /* Add PPS configuration */
- if (!empty($config['ntpd']['pps'])
- && file_exists('/dev/'.$config['ntpd']['pps']['port'])
- && system_ntp_setup_pps($config['ntpd']['pps']['port'])) {
- $ntpcfg .= "\n";
- $ntpcfg .= "# PPS Setup\n";
- $ntpcfg .= 'server 127.127.22.0';
- $ntpcfg .= ' minpoll 4 maxpoll 4';
- if (empty($config['ntpd']['pps']['prefer'])) { /*note: this one works backwards */
- $ntpcfg .= ' prefer';
- }
- if (!empty($config['ntpd']['pps']['noselect'])) {
- $ntpcfg .= ' noselect ';
- }
- $ntpcfg .= "\n";
- $ntpcfg .= 'fudge 127.127.22.0';
- if (!empty($config['ntpd']['pps']['fudge1'])) {
- $ntpcfg .= ' time1 ';
- $ntpcfg .= $config['ntpd']['pps']['fudge1'];
- }
- if (!empty($config['ntpd']['pps']['flag2'])) {
- $ntpcfg .= ' flag2 1';
- }
- if (!empty($config['ntpd']['pps']['flag3'])) {
- $ntpcfg .= ' flag3 1';
- }else{
- $ntpcfg .= ' flag3 0';
- }
- if (!empty($config['ntpd']['pps']['flag4'])) {
- $ntpcfg .= ' flag4 1';
- }
- if
(!empty($config['ntpd']['pps']['refid'])) {
- $ntpcfg .= ' refid ';
- $ntpcfg .= $config['ntpd']['pps']['refid'];
- }
- $ntpcfg .= "\n";
- }
- /* End PPS configuration */
+ /* Add PPS configuration */
+ if (!empty($config['ntpd']['pps'])
+ && file_exists('/dev/'.$config['ntpd']['pps']['port'])
+ && system_ntp_setup_pps($config['ntpd']['pps']['port'])) {
+ $ntpcfg .= "\n";
+ $ntpcfg .= "# PPS Setup\n";
+ $ntpcfg .= 'server 127.127.22.0';
+ $ntpcfg .= ' minpoll 4 maxpoll 4';
+ if (empty($config['ntpd']['pps']['prefer'])) { /*note: this one works backwards */
+ $ntpcfg .= ' prefer';
+ }
+ if (!empty($config['ntpd']['pps']['noselect'])) {
+ $ntpcfg .= ' noselect ';
+ }
+ $ntpcfg .= "\n";
+ $ntpcfg .= 'fudge 127.127.22.0';
+ if (!empty($config['ntpd']['pps']['fudge1'])) {
+ $ntpcfg .= ' time1 ';
+ $ntpcfg .= $config['ntpd']['pps']['fudge1'];
+ }
+ if (!empty($config['ntpd']['pps']['flag2'])) {
+ $ntpcfg .= ' flag2 1';
+ }
+ if (!empty($config['ntpd']['pps']['flag3'])) {
+ $ntpcfg .= ' flag3 1';
+ } else{
+ $ntpcfg .= ' flag3 0';
+ }
+ if (!empty($config['ntpd']['pps']['flag4'])) {
+ $ntpcfg .= ' flag4 1';
+ }
+ if (!empty($config['ntpd']['pps']['refid'])) {
+ $ntpcfg .= ' refid ';
+ $ntpcfg .= $config['ntpd']['pps']['refid'];
+ }
+ $ntpcfg .= "\n";
+ }
+ /* End PPS configuration */
- /* Add GPS configuration */
- if (isset($config['ntpd']['gps']['port'])
- && file_exists('/dev/'.$config['ntpd']['gps']['port'])
- && system_ntp_setup_gps($config['ntpd']['gps']['port'])) {
- $ntpcfg .= "\n";
- $ntpcfg .= "# GPS Setup\n";
- $ntpcfg .= 'server 127.127.20.0 mode ';
- if (!empty($config['ntpd']['gps']['nmea']) || !empty($config['ntpd']['gps']['speed']) || !empty($config['ntpd']['gps']['subsec'])) {
- if (!empty($config['ntpd']['gps']['nmea'])) {
- $ntpmode = (int) $config['ntpd']['gps']['nmea'];
- }
- if (!empty($config['ntpd']['gps']['speed'])) {
- $ntpmode += (int) $config['ntpd']['gps']['speed'];
- }
- if (!empty($config['ntpd']['gps']['subsec'])) {
- $ntpmode += 128;
- }
-
$ntpcfg .= (string) $ntpmode;
- }else{
- $ntpcfg .= '0';
- }
- $ntpcfg .= ' minpoll 4 maxpoll 4';
- if (empty($config['ntpd']['gps']['prefer'])) { /*note: this one works backwards */
- $ntpcfg .= ' prefer';
- }
- if (!empty($config['ntpd']['gps']['noselect'])) {
- $ntpcfg .= ' noselect ';
- }
- $ntpcfg .= "\n";
- $ntpcfg .= 'fudge 127.127.20.0';
- if (!empty($config['ntpd']['gps']['fudge1'])) {
- $ntpcfg .= ' time1 ';
- $ntpcfg .= $config['ntpd']['gps']['fudge1'];
- }
- if (!empty($config['ntpd']['gps']['fudge2'])) {
- $ntpcfg .= ' time2 ';
- $ntpcfg .= $config['ntpd']['gps']['fudge2'];
- }
- if (!empty($config['ntpd']['gps']['flag1'])) {
- $ntpcfg .= ' flag1 1';
- }else{
- $ntpcfg .= ' flag1 0';
- }
- if (!empty($config['ntpd']['gps']['flag2'])) {
- $ntpcfg .= ' flag2 1';
- }
- if (!empty($config['ntpd']['gps']['flag3'])) {
- $ntpcfg .= ' flag3 1';
- }else{
- $ntpcfg .= ' flag3 0';
- }
- if (!empty($config['ntpd']['gps']['flag4'])) {
- $ntpcfg .= ' flag4 1';
- }
- if (!empty($config['ntpd']['gps']['refid'])) {
- $ntpcfg .= ' refid ';
- $ntpcfg .= $config['ntpd']['gps']['refid'];
- }
- $ntpcfg .= "\n";
- }
- /* End GPS configuration */
+ /* Add GPS configuration */
+ if (isset($config['ntpd']['gps']['port'])
+ && file_exists('/dev/'.$config['ntpd']['gps']['port'])
+ && system_ntp_setup_gps($config['ntpd']['gps']['port'])) {
+ $ntpcfg .= "\n";
+ $ntpcfg .= "# GPS Setup\n";
+ $ntpcfg .= 'server 127.127.20.0 mode ';
+ if (!empty($config['ntpd']['gps']['nmea']) || !empty($config['ntpd']['gps']['speed']) || !empty($config['ntpd']['gps']['subsec'])) {
+ if (!empty($config['ntpd']['gps']['nmea'])) {
+ $ntpmode = (int) $config['ntpd']['gps']['nmea'];
+ }
+ if (!empty($config['ntpd']['gps']['speed'])) {
+ $ntpmode += (int) $config['ntpd']['gps']['speed'];
+ }
+ if (!empty($config['ntpd']['gps']['subsec'])) {
+ $ntpmode += 128;
+ }
+ $ntpcfg .= (string) $ntpmode;
+ } else{
+ $ntpcfg .= '0';
+ }
+ $ntpcfg .= ' minpoll 4 maxpoll 4';
+ if
(empty($config['ntpd']['gps']['prefer'])) { /*note: this one works backwards */
+ $ntpcfg .= ' prefer';
+ }
+ if (!empty($config['ntpd']['gps']['noselect'])) {
+ $ntpcfg .= ' noselect ';
+ }
+ $ntpcfg .= "\n";
+ $ntpcfg .= 'fudge 127.127.20.0';
+ if (!empty($config['ntpd']['gps']['fudge1'])) {
+ $ntpcfg .= ' time1 ';
+ $ntpcfg .= $config['ntpd']['gps']['fudge1'];
+ }
+ if (!empty($config['ntpd']['gps']['fudge2'])) {
+ $ntpcfg .= ' time2 ';
+ $ntpcfg .= $config['ntpd']['gps']['fudge2'];
+ }
+ if (!empty($config['ntpd']['gps']['flag1'])) {
+ $ntpcfg .= ' flag1 1';
+ } else{
+ $ntpcfg .= ' flag1 0';
+ }
+ if (!empty($config['ntpd']['gps']['flag2'])) {
+ $ntpcfg .= ' flag2 1';
+ }
+ if (!empty($config['ntpd']['gps']['flag3'])) {
+ $ntpcfg .= ' flag3 1';
+ } else{
+ $ntpcfg .= ' flag3 0';
+ }
+ if (!empty($config['ntpd']['gps']['flag4'])) {
+ $ntpcfg .= ' flag4 1';
+ }
+ if (!empty($config['ntpd']['gps']['refid'])) {
+ $ntpcfg .= ' refid ';
+ $ntpcfg .= $config['ntpd']['gps']['refid'];
+ }
+ $ntpcfg .= "\n";
+ }
+ /* End GPS configuration */
- $ntpcfg .= "\n\n# Upstream Servers\n";
- /* foreach through ntp servers and write out to ntpd.conf */
- foreach (explode(' ', $config['system']['timeservers']) as $ts) {
- $ntpcfg .= "server {$ts} iburst maxpoll 9";
- if (isset($config['ntpd']['prefer']) && substr_count($config['ntpd']['prefer'], $ts)) $ntpcfg .= ' prefer';
- if (isset($config['ntpd']['noselect']) && substr_count($config['ntpd']['noselect'], $ts)) $ntpcfg .= ' noselect';
- $ntpcfg .= "\n";
- }
- unset($ts);
+ $ntpcfg .= "\n\n# Upstream Servers\n";
+ /* foreach through ntp servers and write out to ntpd.conf */
+ foreach (explode(' ', $config['system']['timeservers']) as $ts) {
+ $ntpcfg .= "server {$ts} iburst maxpoll 9";
+ if (isset($config['ntpd']['prefer']) && substr_count($config['ntpd']['prefer'], $ts)) {
+ $ntpcfg .= ' prefer';
+ }
+ if (isset($config['ntpd']['noselect']) && substr_count($config['ntpd']['noselect'], $ts)) {
+ $ntpcfg .= ' noselect';
+ }
+
$ntpcfg .= "\n";
+ }
+ unset($ts);
- $ntpcfg .= "\n\n";
- $ntpcfg .= "disable monitor\n"; //prevent NTP reflection attack, see https://ics-cert.us-cert.gov/advisories/ICSA-14-051-04
- if (!empty($config['ntpd']['clockstats']) || !empty($config['ntpd']['loopstats']) || !empty($config['ntpd']['peerstats'])) {
- $ntpcfg .= "enable stats\n";
- $ntpcfg .= 'statistics';
- if (!empty($config['ntpd']['clockstats'])) {
- $ntpcfg .= ' clockstats';
- }
- if (!empty($config['ntpd']['loopstats'])) {
- $ntpcfg .= ' loopstats';
- }
- if (!empty($config['ntpd']['peerstats'])) {
- $ntpcfg .= ' peerstats';
- }
- $ntpcfg .= "\n";
- }
- $ntpcfg .= "statsdir {$statsdir}\n";
- $ntpcfg .= 'logconfig =syncall +clockall';
- if (!empty($config['ntpd']['logpeer'])) {
- $ntpcfg .= ' +peerall';
- }
- if (!empty($config['ntpd']['logsys'])) {
- $ntpcfg .= ' +sysall';
- }
- $ntpcfg .= "\n";
- $ntpcfg .= "driftfile {$driftfile}\n";
- /* Access restrictions */
- $ntpcfg .= 'restrict default';
- if (empty($config['ntpd']['kod'])) { /*note: this one works backwards */
- $ntpcfg .= ' kod limited';
- }
- if (empty($config['ntpd']['nomodify'])) { /*note: this one works backwards */
- $ntpcfg .= ' nomodify';
- }
- if (!empty($config['ntpd']['noquery'])) {
- $ntpcfg .= ' noquery';
- }
- if (empty($config['ntpd']['nopeer'])) { /*note: this one works backwards */
- $ntpcfg .= ' nopeer';
- }
- if (empty($config['ntpd']['notrap'])) { /*note: this one works backwards */
- $ntpcfg .= ' notrap';
- }
- if (!empty($config['ntpd']['noserve'])) {
- $ntpcfg .= ' noserve';
- }
- $ntpcfg .= "\nrestrict -6 default";
- if (empty($config['ntpd']['kod'])) { /*note: this one works backwards */
- $ntpcfg .= ' kod limited';
- }
- if (empty($config['ntpd']['nomodify'])) { /*note: this one works backwards */
- $ntpcfg .= ' nomodify';
- }
- if (!empty($config['ntpd']['noquery'])) {
- $ntpcfg .= ' noquery';
- }
- if (empty($config['ntpd']['nopeer'])) { /*note: this one works backwards */
- $ntpcfg .= ' nopeer';
- }
- if
(!empty($config['ntpd']['noserve'])) {
- $ntpcfg .= ' noserve';
- }
- if (empty($config['ntpd']['notrap'])) { /*note: this one works backwards */
- $ntpcfg .= ' notrap';
- }
- $ntpcfg .= "\n";
+ $ntpcfg .= "\n\n";
+ $ntpcfg .= "disable monitor\n"; //prevent NTP reflection attack, see https://ics-cert.us-cert.gov/advisories/ICSA-14-051-04
+ if (!empty($config['ntpd']['clockstats']) || !empty($config['ntpd']['loopstats']) || !empty($config['ntpd']['peerstats'])) {
+ $ntpcfg .= "enable stats\n";
+ $ntpcfg .= 'statistics';
+ if (!empty($config['ntpd']['clockstats'])) {
+ $ntpcfg .= ' clockstats';
+ }
+ if (!empty($config['ntpd']['loopstats'])) {
+ $ntpcfg .= ' loopstats';
+ }
+ if (!empty($config['ntpd']['peerstats'])) {
+ $ntpcfg .= ' peerstats';
+ }
+ $ntpcfg .= "\n";
+ }
+ $ntpcfg .= "statsdir {$statsdir}\n";
+ $ntpcfg .= 'logconfig =syncall +clockall';
+ if (!empty($config['ntpd']['logpeer'])) {
+ $ntpcfg .= ' +peerall';
+ }
+ if (!empty($config['ntpd']['logsys'])) {
+ $ntpcfg .= ' +sysall';
+ }
+ $ntpcfg .= "\n";
+ $ntpcfg .= "driftfile {$driftfile}\n";
+ /* Access restrictions */
+ $ntpcfg .= 'restrict default';
+ if (empty($config['ntpd']['kod'])) { /*note: this one works backwards */
+ $ntpcfg .= ' kod limited';
+ }
+ if (empty($config['ntpd']['nomodify'])) { /*note: this one works backwards */
+ $ntpcfg .= ' nomodify';
+ }
+ if (!empty($config['ntpd']['noquery'])) {
+ $ntpcfg .= ' noquery';
+ }
+ if (empty($config['ntpd']['nopeer'])) { /*note: this one works backwards */
+ $ntpcfg .= ' nopeer';
+ }
+ if (empty($config['ntpd']['notrap'])) { /*note: this one works backwards */
+ $ntpcfg .= ' notrap';
+ }
+ if (!empty($config['ntpd']['noserve'])) {
+ $ntpcfg .= ' noserve';
+ }
+ $ntpcfg .= "\nrestrict -6 default";
+ if (empty($config['ntpd']['kod'])) { /*note: this one works backwards */
+ $ntpcfg .= ' kod limited';
+ }
+ if (empty($config['ntpd']['nomodify'])) { /*note: this one works backwards */
+ $ntpcfg .= ' nomodify';
+ }
+ if
(!empty($config['ntpd']['noquery'])) {
+ $ntpcfg .= ' noquery';
+ }
+ if (empty($config['ntpd']['nopeer'])) { /*note: this one works backwards */
+ $ntpcfg .= ' nopeer';
+ }
+ if (!empty($config['ntpd']['noserve'])) {
+ $ntpcfg .= ' noserve';
+ }
+ if (empty($config['ntpd']['notrap'])) { /*note: this one works backwards */
+ $ntpcfg .= ' notrap';
+ }
+ $ntpcfg .= "\n";
- /* A leapseconds file is really only useful if this clock is stratum 1 */
- $ntpcfg .= "\n";
- if (!empty($config['ntpd']['leapsec'])) {
- $leapsec .= base64_decode($config['ntpd']['leapsec']);
- file_put_contents('/var/db/leap-seconds', $leapsec);
- $ntpcfg .= "leapfile /var/db/leap-seconds\n";
- }
+ /* A leapseconds file is really only useful if this clock is stratum 1 */
+ $ntpcfg .= "\n";
+ if (!empty($config['ntpd']['leapsec'])) {
+ $leapsec .= base64_decode($config['ntpd']['leapsec']);
+ file_put_contents('/var/db/leap-seconds', $leapsec);
+ $ntpcfg .= "leapfile /var/db/leap-seconds\n";
+ }
- $interfaces = array();
- if (isset($config['ntpd']['interface'])) {
- $interfaces = explode(',', $config['ntpd']['interface']);
- }
+ $interfaces = array();
+ if (isset($config['ntpd']['interface'])) {
+ $interfaces = explode(',', $config['ntpd']['interface']);
+ }
- if (is_array($interfaces) && count($interfaces)) {
- $ntpcfg .= "interface ignore all\n";
- foreach ($interfaces as $interface) {
- if (!is_ipaddr($interface)) {
- $interface = get_real_interface($interface);
- }
- if (!empty($interface))
- $ntpcfg .= "interface listen {$interface}\n";
- }
- }
+ if (is_array($interfaces) && count($interfaces)) {
+ $ntpcfg .= "interface ignore all\n";
+ foreach ($interfaces as $interface) {
+ if (!is_ipaddr($interface)) {
+ $interface = get_real_interface($interface);
+ }
+ if (!empty($interface)) {
+ $ntpcfg .= "interface listen {$interface}\n";
+ }
+ }
+ }
- /* open configuration for wrting or bail */
- if (!@file_put_contents('/var/etc/ntpd.conf', $ntpcfg)) {
- log_error("Could not open /var/etc/ntpd.conf
for writing");
- return;
- }
+ /* open configuration for wrting or bail */
+ if (!@file_put_contents('/var/etc/ntpd.conf', $ntpcfg)) {
+ log_error("Could not open /var/etc/ntpd.conf for writing");
+ return;
+ }
- if (!$start_ntpd) {
- /* write out the config and delay startup */
- mwexec_bg('/usr/local/sbin/ntpdate_sync_once.sh');
- return;
- }
+ if (!$start_ntpd) {
+ /* write out the config and delay startup */
+ mwexec_bg('/usr/local/sbin/ntpdate_sync_once.sh');
+ return;
+ }
- /* if ntpd is running, kill it */
- while (isvalidpid('/var/run/ntpd.pid')) {
- killbypid('/var/run/ntpd.pid');
- usleep(200 * 1000);
- }
+ /* if ntpd is running, kill it */
+ while (isvalidpid('/var/run/ntpd.pid')) {
+ killbypid('/var/run/ntpd.pid');
+ usleep(200 * 1000);
+ }
- /* if /var/empty does not exist, create it */
- @mkdir('/var/empty', 0775, true);
+ /* if /var/empty does not exist, create it */
+ @mkdir('/var/empty', 0775, true);
- /* start opentpd, set time now and use new config */
- mwexecf(
- '/usr/local/sbin/ntpd -g -c %s -p %s',
- array('/var/etc/ntpd.conf', '/var/run/ntpd.pid')
- );
+ /* start opentpd, set time now and use new config */
+ mwexecf(
+ '/usr/local/sbin/ntpd -g -c %s -p %s',
+ array('/var/etc/ntpd.conf', '/var/run/ntpd.pid')
+ );
- // Note that we are starting up
- log_error("NTPD is starting up.");
+ // Note that we are starting up
+ log_error("NTPD is starting up.");
 }
 function system_halt($sync = false) {
- $cmd ='/usr/local/etc/rc.halt';
+ $cmd ='/usr/local/etc/rc.halt';
- if (!$sync) {
- mwexec_bg($cmd);
- } else {
- mwexec($cmd);
- }
+ if (!$sync) {
+ mwexec_bg($cmd);
+ } else {
+ mwexec($cmd);
+ }
 }
 function system_reboot($sync = false) {
- $cmd ='/usr/local/etc/rc.reboot';
+ $cmd ='/usr/local/etc/rc.reboot';
- if (!$sync) {
- mwexec_bg($cmd);
- } else {
- mwexec($cmd);
- }
+ if (!$sync) {
+ mwexec_bg($cmd);
+ } else {
+ mwexec($cmd);
+ }
 }
 function system_console_configure() {
- setup_serial_port();
+ setup_serial_port();
 }
 function
system_setup_sysctl() {
- global $config;
-
- activate_sysctls();
-
- if (isset($config['system']['sharednet'])) {
- system_disable_arp_wrong_if();
- }
+ global $config;
+ activate_sysctls();
+ if (isset($config['system']['sharednet'])) {
+ system_disable_arp_wrong_if();
+ }
 }
 function system_disable_arp_wrong_if() {
- global $config;
-
- set_sysctl(array(
- "net.link.ether.inet.log_arp_wrong_iface" => "0",
- "net.link.ether.inet.log_arp_movements" => "0"
- ));
+ set_sysctl(array(
+ "net.link.ether.inet.log_arp_wrong_iface" => "0",
+ "net.link.ether.inet.log_arp_movements" => "0"
+ ));
 }
 function enable_watchdog() {
- global $config;
+ global $config;
- return; /* XXX delete or repair please */
+ return; /* XXX delete or repair please */
- $install_watchdog = false;
- $supported_watchdogs = array("Geode");
- $file = @file_get_contents('/var/run/dmesg.boot');
- foreach($supported_watchdogs as $sd) {
- if(stristr($file, "Geode")) {
- $install_watchdog = true;
- }
- }
- if($install_watchdog == true) {
- if(is_process_running("watchdogd"))
- mwexec("/usr/bin/killall watchdogd", true);
- exec("/usr/sbin/watchdogd");
- }
+ $install_watchdog = false;
+ $supported_watchdogs = array("Geode");
+ $file = @file_get_contents('/var/run/dmesg.boot');
+ foreach($supported_watchdogs as $sd) {
+ if(stristr($file, "Geode")) {
+ $install_watchdog = true;
+ }
+ }
+ if($install_watchdog == true) {
+ if(is_process_running("watchdogd")) {
+ mwexec("/usr/bin/killall watchdogd", true);
+ }
+ exec("/usr/sbin/watchdogd");
+ }
 }
-
-
 function get_possible_listen_ips($include_ipv6_link_local=false) {
- $interfaces = get_configured_interface_with_descr();
- $carplist = get_configured_carp_interface_list();
- $listenips = array();
- foreach ($carplist as $cif => $carpip)
- $interfaces[$cif] = $carpip." (".get_vip_descr($carpip).")";
- $aliaslist = get_configured_ip_aliases_list();
- foreach ($aliaslist as $aliasip => $aliasif)
- $interfaces[$aliasip] = $aliasip."
(".get_vip_descr($aliasip).")";
- foreach ($interfaces as $iface => $ifacename) {
- $tmp["name"] = $ifacename;
- $tmp["value"] = $iface;
- $listenips[] = $tmp;
- if ($include_ipv6_link_local) {
- $llip = find_interface_ipv6_ll(get_real_interface($iface));
- if (!empty($llip)) {
- $tmp["name"] = "{$ifacename} IPv6 Link-Local";
- $tmp["value"] = $llip;
- $listenips[] = $tmp;
- }
- }
- }
- $tmp["name"] = "Localhost";
- $tmp["value"] = "lo0";
- $listenips[] = $tmp;
- return $listenips;
+ $interfaces = get_configured_interface_with_descr();
+ $carplist = get_configured_carp_interface_list();
+ $listenips = array();
+ foreach ($carplist as $cif => $carpip) {
+ $interfaces[$cif] = $carpip." (".get_vip_descr($carpip).")";
+ }
+ $aliaslist = get_configured_ip_aliases_list();
+ foreach ($aliaslist as $aliasip => $aliasif) {
+ $interfaces[$aliasip] = $aliasip." (".get_vip_descr($aliasip).")";
+ }
+ foreach ($interfaces as $iface => $ifacename) {
+ $tmp["name"] = $ifacename;
+ $tmp["value"] = $iface;
+ $listenips[] = $tmp;
+ if ($include_ipv6_link_local) {
+ $llip = find_interface_ipv6_ll(get_real_interface($iface));
+ if (!empty($llip)) {
+ $tmp["name"] = "{$ifacename} IPv6 Link-Local";
+ $tmp["value"] = $llip;
+ $listenips[] = $tmp;
+ }
+ }
+ }
+ $tmp["name"] = "Localhost";
+ $tmp["value"] = "lo0";
+ $listenips[] = $tmp;
+ return $listenips;
 }
 function get_possible_traffic_source_addresses($include_ipv6_link_local=false) {
- global $config;
- $sourceips = get_possible_listen_ips($include_ipv6_link_local);
- foreach (array('server', 'client') as $mode) {
- if (isset($config['openvpn']["openvpn-{$mode}"]) && is_array($config['openvpn']["openvpn-{$mode}"])) {
- foreach ($config['openvpn']["openvpn-{$mode}"] as $id => $setting) {
- if (!isset($setting['disable'])) {
- $vpn = array();
- $vpn['value'] = 'ovpn' . substr($mode, 0, 1) . $setting['vpnid'];
- $vpn['name'] = gettext("OpenVPN") .
" ".$mode.": ".htmlspecialchars($setting['description']);
- $sourceips[] = $vpn;
- }
- }
- }
- }
- return $sourceips;
+ global $config;
+ $sourceips = get_possible_listen_ips($include_ipv6_link_local);
+ foreach (array('server', 'client') as $mode) {
+ if (isset($config['openvpn']["openvpn-{$mode}"]) && is_array($config['openvpn']["openvpn-{$mode}"])) {
+ foreach ($config['openvpn']["openvpn-{$mode}"] as $id => $setting) {
+ if (!isset($setting['disable'])) {
+ $vpn = array();
+ $vpn['value'] = 'ovpn' . substr($mode, 0, 1) . $setting['vpnid'];
+ $vpn['name'] = gettext("OpenVPN") . " ".$mode.": ".htmlspecialchars($setting['description']);
+ $sourceips[] = $vpn;
+ }
+ }
+ }
+ }
+ return $sourceips;
 }