From f79fac8f25496d8d106487e029a1a708d0131dcb Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Fri, 19 Feb 2016 08:16:44 +0100 Subject: [PATCH 01/16] src: first shuffling for splitting off plugins from core --- src/etc/inc/plugins.inc | 31 +++++++++++++++++++ src/etc/inc/{ => plugins.inc.d}/vpn.inc | 0 src/etc/rc.bootup | 2 +- src/etc/rc.filter_configure_sync | 3 +- src/etc/rc.initial.setlanip | 2 +- src/etc/rc.initial.setports | 2 +- src/etc/rc.linkup | 2 +- src/etc/rc.newipsecdns | 2 +- src/etc/rc.newwanip | 2 +- src/etc/rc.newwanipv6 | 2 +- src/etc/rc.reload_all | 2 +- src/etc/rc.reload_interfaces | 3 +- src/www/diag_ipsec_leases.php | 2 +- src/www/diag_ipsec_sad.php | 2 +- src/www/diag_ipsec_spd.php | 2 +- src/www/diag_logs_vpn.inc | 2 +- src/www/interfaces.php | 3 +- src/www/interfaces_assign.php | 2 +- src/www/status_services.php | 2 +- src/www/system_advanced_misc.php | 2 +- src/www/system_gateway_groups_edit.php | 2 +- src/www/vpn_ipsec.php | 2 +- src/www/vpn_ipsec_keys.php | 2 +- src/www/vpn_ipsec_keys_edit.php | 2 +- src/www/vpn_ipsec_mobile.php | 2 +- src/www/vpn_ipsec_phase1.php | 2 +- src/www/vpn_ipsec_phase2.php | 2 +- src/www/vpn_ipsec_settings.php | 2 +- src/www/vpn_l2tp.php | 2 +- src/www/vpn_l2tp_users.php | 2 +- src/www/vpn_l2tp_users_edit.php | 2 +- src/www/vpn_pppoe.php | 2 +- src/www/vpn_pppoe_edit.php | 2 +- src/www/vpn_pptp.php | 2 +- src/www/vpn_pptp_users.php | 2 +- src/www/vpn_pptp_users_edit.php | 2 +- .../widgets/services_status.widget.php | 2 +- 37 files changed, 66 insertions(+), 38 deletions(-) create mode 100644 src/etc/inc/plugins.inc rename src/etc/inc/{ => plugins.inc.d}/vpn.inc (100%) diff --git a/src/etc/inc/plugins.inc b/src/etc/inc/plugins.inc new file mode 100644 index 000000000..307a10e3e --- /dev/null +++ b/src/etc/inc/plugins.inc 
@@ -0,0 +1,31 @@
+
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+foreach (glob('/usr/local/etc/inc/plugins.inc.d/*.inc') as $plugin) {
+ require_once $plugin;
+}
diff --git a/src/etc/inc/vpn.inc b/src/etc/inc/plugins.inc.d/vpn.inc
similarity index 100%
rename from src/etc/inc/vpn.inc
rename to src/etc/inc/plugins.inc.d/vpn.inc
diff --git a/src/etc/rc.bootup b/src/etc/rc.bootup
index 47d7e16be..fa92392c4 100755
--- a/src/etc/rc.bootup
+++ b/src/etc/rc.bootup
@@ -150,7 +150,7 @@ require_once("vslb.inc");
 echo ".";
 require_once("filter.inc");
 echo ".";
-require_once("vpn.inc");
+require_once("plugins.inc");
 echo ".";
 require_once("openvpn.inc");
 echo ".";
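Review bot: The `foreach (glob(...)) { require_once $plugin; }` at the end of the plugins.inc hunk executes every `*.inc` matched under `/usr/local/etc/inc/plugins.inc.d/` with no ownership or permission check, so that directory becomes a code-execution boundary for every rc script and GUI page that now includes plugins.inc: whatever can write a file there runs with the privileges of the web server or, during boot, presumably root. That is worth stating above the loop, e.g. `// Every .inc in this directory is executed on include: keep it root-owned and never group/world-writable.` Also, `glob()` returns `false` on error (and on some platforms an empty match is indistinguishable from an error), which makes `foreach` emit a warning rather than skip; `foreach ((glob('/usr/local/etc/inc/plugins.inc.d/*.inc') ?: array()) as $plugin) {` keeps the loader quiet. The captured hunk opens at ` * All rights reserved.`, so the `<?php` line and the copyright line of the 31 added lines are not visible here, presumably an extraction artifact rather than a missing tag. The vpn.inc rename and the rc.bootup require swap on the same line are trivial.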
diff --git a/src/etc/rc.filter_configure_sync b/src/etc/rc.filter_configure_sync index 768c22448..6a237692f 100755 --- a/src/etc/rc.filter_configure_sync +++ b/src/etc/rc.filter_configure_sync @@ -30,11 +30,10 @@ require_once("config.inc"); require_once("util.inc"); require_once("filter.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("system.inc"); require_once("pfsense-utils.inc"); require_once("interfaces.inc"); require_once("services.inc"); - filter_configure_sync(); diff --git a/src/etc/rc.initial.setlanip b/src/etc/rc.initial.setlanip index 498944998..c703672af 100755 --- a/src/etc/rc.initial.setlanip +++ b/src/etc/rc.initial.setlanip @@ -32,7 +32,7 @@ require_once("config.inc"); require_once("interfaces.inc"); require_once("openvpn.inc"); require_once("util.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("filter.inc"); require_once("rrd.inc"); require_once("util.inc"); diff --git a/src/etc/rc.initial.setports b/src/etc/rc.initial.setports index 82dafe157..12b63e4d3 100755 --- a/src/etc/rc.initial.setports +++ b/src/etc/rc.initial.setports @@ -32,7 +32,7 @@ require_once("config.inc"); require_once("config.console.inc"); require_once("filter.inc"); require_once("util.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("rrd.inc"); require_once("system.inc"); require_once("services.inc"); diff --git a/src/etc/rc.linkup b/src/etc/rc.linkup index 3e1ae9059..4fd3d308a 100755 --- a/src/etc/rc.linkup +++ b/src/etc/rc.linkup @@ -31,6 +31,7 @@ require_once("config.inc"); require_once("filter.inc"); require_once("interfaces.inc"); +require_once('plugins.inc'); require_once('openvpn.inc'); require_once("util.inc"); require_once("system.inc"); 
@@ -72,7 +73,6 @@ function handle_argument_group($iface, $argument2) { case "start": log_error("DEVD Ethernet attached event for {$iface}"); log_error("HOTPLUG: Configuring interface {$iface}"); - require_once("vpn.inc"); // Do not try to readd to bridge otherwise em(4) has problems interface_configure($iface, true, true); break; diff --git a/src/etc/rc.newipsecdns b/src/etc/rc.newipsecdns index 0a981d773..ea003d921 100755 --- a/src/etc/rc.newipsecdns +++ b/src/etc/rc.newipsecdns @@ -32,7 +32,7 @@ require_once("util.inc"); require_once("config.inc"); require_once("filter.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("pfsense-utils.inc"); require_once("interfaces.inc"); diff --git a/src/etc/rc.newwanip b/src/etc/rc.newwanip index 35f3c3e73..96d60ed72 100755 --- a/src/etc/rc.newwanip +++ b/src/etc/rc.newwanip @@ -31,7 +31,7 @@ /* parse the configuration and include all functions used below */ require_once("config.inc"); require_once("filter.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("openvpn.inc"); require_once("rrd.inc"); require_once("util.inc"); diff --git a/src/etc/rc.newwanipv6 b/src/etc/rc.newwanipv6 index 1fc0407f5..0359f9359 100755 --- a/src/etc/rc.newwanipv6 +++ b/src/etc/rc.newwanipv6 @@ -32,7 +32,7 @@ require_once("config.inc"); require_once("interfaces.inc"); require_once("filter.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("openvpn.inc"); require_once("services.inc"); require_once("rrd.inc"); diff --git a/src/etc/rc.reload_all b/src/etc/rc.reload_all index 67361b0c3..498edea64 100755 --- a/src/etc/rc.reload_all +++ b/src/etc/rc.reload_all @@ -31,7 +31,7 @@ require_once("config.inc"); require_once("interfaces.inc"); require_once("openvpn.inc"); require_once("filter.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("util.inc"); require_once("system.inc"); require_once("pfsense-utils.inc"); 
diff --git a/src/etc/rc.reload_interfaces b/src/etc/rc.reload_interfaces index 0f4a6f3a5..c2c2b4504 100755 --- a/src/etc/rc.reload_interfaces +++ b/src/etc/rc.reload_interfaces @@ -31,10 +31,9 @@ require_once("config.inc"); require_once("filter.inc"); require_once("util.inc"); require_once("openvpn.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("system.inc"); require_once("interfaces.inc"); -require_once("openvpn.inc"); require_once("pfsense-utils.inc"); require_once("services.inc"); require_once("unbound.inc"); diff --git a/src/www/diag_ipsec_leases.php b/src/www/diag_ipsec_leases.php index 878754c28..5a8805566 100644 --- a/src/www/diag_ipsec_leases.php +++ b/src/www/diag_ipsec_leases.php @@ -28,7 +28,7 @@ */ require_once("guiconfig.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("services.inc"); require_once("interfaces.inc"); diff --git a/src/www/diag_ipsec_sad.php b/src/www/diag_ipsec_sad.php index d35217d89..a3e51ad5b 100644 --- a/src/www/diag_ipsec_sad.php +++ b/src/www/diag_ipsec_sad.php @@ -29,7 +29,7 @@ */ require_once("guiconfig.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("services.inc"); require_once("interfaces.inc"); diff --git a/src/www/diag_ipsec_spd.php b/src/www/diag_ipsec_spd.php index f728d69b4..22b1a310b 100644 --- a/src/www/diag_ipsec_spd.php +++ b/src/www/diag_ipsec_spd.php @@ -29,7 +29,7 @@ */ require_once("guiconfig.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("services.inc"); require_once("interfaces.inc"); diff --git a/src/www/diag_logs_vpn.inc b/src/www/diag_logs_vpn.inc index 657fa610a..e4774356f 100644 --- a/src/www/diag_logs_vpn.inc +++ b/src/www/diag_logs_vpn.inc @@ -28,7 +28,7 @@ */ require_once("guiconfig.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("system.inc"); require_once("interfaces.inc"); 
diff --git a/src/www/interfaces.php b/src/www/interfaces.php index aed80be0c..9510ffa95 100644 --- a/src/www/interfaces.php +++ b/src/www/interfaces.php @@ -32,10 +32,9 @@ */ require_once("guiconfig.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("filter.inc"); require_once("rrd.inc"); -require_once("vpn.inc"); require_once("system.inc"); require_once("interfaces.inc"); require_once("openvpn.inc"); diff --git a/src/www/interfaces_assign.php b/src/www/interfaces_assign.php index 16f9718db..632ae9efd 100644 --- a/src/www/interfaces_assign.php +++ b/src/www/interfaces_assign.php @@ -30,7 +30,7 @@ require_once("guiconfig.inc"); require_once("filter.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("rrd.inc"); require_once("system.inc"); require_once("interfaces.inc"); diff --git a/src/www/status_services.php b/src/www/status_services.php index 4992c72ed..f411f1c3b 100644 --- a/src/www/status_services.php +++ b/src/www/status_services.php @@ -36,7 +36,7 @@ require_once("unbound.inc"); require_once("pfsense-utils.inc"); require_once("openvpn.inc"); require_once("filter.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("interfaces.inc"); require_once("rrd.inc"); diff --git a/src/www/system_advanced_misc.php b/src/www/system_advanced_misc.php index 8ca09590d..ffeb91f58 100644 --- a/src/www/system_advanced_misc.php +++ b/src/www/system_advanced_misc.php @@ -31,7 +31,7 @@ require_once("guiconfig.inc"); require_once("filter.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("vslb.inc"); require_once("system.inc"); require_once("pfsense-utils.inc"); diff --git a/src/www/system_gateway_groups_edit.php b/src/www/system_gateway_groups_edit.php index f255242cb..bd2a48706 100644 --- a/src/www/system_gateway_groups_edit.php +++ b/src/www/system_gateway_groups_edit.php 
@@ -28,7 +28,7 @@ */ require_once("guiconfig.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("services.inc"); require_once("interfaces.inc"); diff --git a/src/www/vpn_ipsec.php b/src/www/vpn_ipsec.php index cb28b940f..895b491a2 100644 --- a/src/www/vpn_ipsec.php +++ b/src/www/vpn_ipsec.php @@ -30,7 +30,7 @@ require_once("guiconfig.inc"); require_once("filter.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("services.inc"); require_once("pfsense-utils.inc"); require_once("interfaces.inc"); diff --git a/src/www/vpn_ipsec_keys.php b/src/www/vpn_ipsec_keys.php index f508932c9..787a96907 100644 --- a/src/www/vpn_ipsec_keys.php +++ b/src/www/vpn_ipsec_keys.php @@ -28,7 +28,7 @@ */ require_once("guiconfig.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("filter.inc"); require_once("services.inc"); require_once("pfsense-utils.inc"); diff --git a/src/www/vpn_ipsec_keys_edit.php b/src/www/vpn_ipsec_keys_edit.php index 40c9496c7..9a43d9b02 100644 --- a/src/www/vpn_ipsec_keys_edit.php +++ b/src/www/vpn_ipsec_keys_edit.php @@ -29,7 +29,7 @@ require_once("interfaces.inc"); require_once("guiconfig.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("services.inc"); if (!isset($config['ipsec']) || !is_array($config['ipsec'])) { diff --git a/src/www/vpn_ipsec_mobile.php b/src/www/vpn_ipsec_mobile.php index 2c0a678d8..658b21084 100644 --- a/src/www/vpn_ipsec_mobile.php +++ b/src/www/vpn_ipsec_mobile.php @@ -30,7 +30,7 @@ require_once("interfaces.inc"); require_once("guiconfig.inc"); require_once("filter.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("services.inc"); require_once("pfsense-utils.inc"); diff --git a/src/www/vpn_ipsec_phase1.php b/src/www/vpn_ipsec_phase1.php index 1cca9b144..6ad2402ac 100644 --- a/src/www/vpn_ipsec_phase1.php +++ b/src/www/vpn_ipsec_phase1.php 
@@ -31,7 +31,7 @@ require_once("guiconfig.inc"); require_once("filter.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("services.inc"); require_once("pfsense-utils.inc"); require_once("interfaces.inc"); diff --git a/src/www/vpn_ipsec_phase2.php b/src/www/vpn_ipsec_phase2.php index 9cc42fbb3..3dabb199f 100644 --- a/src/www/vpn_ipsec_phase2.php +++ b/src/www/vpn_ipsec_phase2.php @@ -30,7 +30,7 @@ require_once("guiconfig.inc"); require_once("interfaces.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("services.inc"); /** diff --git a/src/www/vpn_ipsec_settings.php b/src/www/vpn_ipsec_settings.php index 0f7a50750..240a903a4 100644 --- a/src/www/vpn_ipsec_settings.php +++ b/src/www/vpn_ipsec_settings.php @@ -29,7 +29,7 @@ require_once("guiconfig.inc"); require_once("filter.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("services.inc"); require_once("pfsense-utils.inc"); require_once("interfaces.inc"); diff --git a/src/www/vpn_l2tp.php b/src/www/vpn_l2tp.php index a5c3f920b..ce3cbef82 100644 --- a/src/www/vpn_l2tp.php +++ b/src/www/vpn_l2tp.php @@ -28,7 +28,7 @@ */ require_once("guiconfig.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("pfsense-utils.inc"); require_once("interfaces.inc"); diff --git a/src/www/vpn_l2tp_users.php b/src/www/vpn_l2tp_users.php index fc6cb5bd8..f8529ab77 100644 --- a/src/www/vpn_l2tp_users.php +++ b/src/www/vpn_l2tp_users.php @@ -28,7 +28,7 @@ */ require_once("guiconfig.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); if (!isset($config['l2tp']['user'])) { $config['l2tp']['user'] = array(); diff --git a/src/www/vpn_l2tp_users_edit.php b/src/www/vpn_l2tp_users_edit.php index 7307b0435..af58d5f78 100644 --- a/src/www/vpn_l2tp_users_edit.php +++ b/src/www/vpn_l2tp_users_edit.php 
@@ -44,7 +44,7 @@ function l2tp_users_sort() } require_once("guiconfig.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/vpn_l2tp_users.php'); diff --git a/src/www/vpn_pppoe.php b/src/www/vpn_pppoe.php index 826bff3cb..8456e667b 100644 --- a/src/www/vpn_pppoe.php +++ b/src/www/vpn_pppoe.php @@ -29,7 +29,7 @@ require_once("guiconfig.inc"); require_once("filter.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("interfaces.inc"); if (!is_array($config['pppoes'])) { diff --git a/src/www/vpn_pppoe_edit.php b/src/www/vpn_pppoe_edit.php index dc75e2416..4755b88b5 100644 --- a/src/www/vpn_pppoe_edit.php +++ b/src/www/vpn_pppoe_edit.php @@ -29,7 +29,7 @@ */ require_once("guiconfig.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("interfaces.inc"); function vpn_pppoe_get_id() diff --git a/src/www/vpn_pptp.php b/src/www/vpn_pptp.php index c81d0625f..6f24db36f 100644 --- a/src/www/vpn_pptp.php +++ b/src/www/vpn_pptp.php @@ -30,7 +30,7 @@ require_once('guiconfig.inc'); require_once('interfaces.inc'); require_once('filter.inc'); -require_once('vpn.inc'); +require_once('plugins.inc'); require_once("pfsense-utils.inc"); if (!is_array($config['pptpd']['radius'])) { diff --git a/src/www/vpn_pptp_users.php b/src/www/vpn_pptp_users.php index 3950dae07..1881882fd 100644 --- a/src/www/vpn_pptp_users.php +++ b/src/www/vpn_pptp_users.php @@ -28,7 +28,7 @@ */ require_once('guiconfig.inc'); -require_once('vpn.inc'); +require_once('plugins.inc'); if (!is_array($config['pptpd']['user'])) { $config['pptpd']['user'] = array(); diff --git a/src/www/vpn_pptp_users_edit.php b/src/www/vpn_pptp_users_edit.php index 2355df0d4..b2bfc5795 100644 --- a/src/www/vpn_pptp_users_edit.php +++ b/src/www/vpn_pptp_users_edit.php 
@@ -44,7 +44,7 @@ function pptpd_users_sort() } require_once('guiconfig.inc'); -require_once('vpn.inc'); +require_once('plugins.inc'); if (!is_array($config['pptpd']['user'])) { $config['pptpd']['user'] = array(); diff --git a/src/www/widgets/widgets/services_status.widget.php b/src/www/widgets/widgets/services_status.widget.php index 126cd2b11..b1ae2f60d 100644 --- a/src/www/widgets/widgets/services_status.widget.php +++ b/src/www/widgets/widgets/services_status.widget.php @@ -33,7 +33,7 @@ $nocsrf = true; require_once("guiconfig.inc"); require_once("services.inc"); -require_once("vpn.inc"); +require_once("plugins.inc"); require_once("widgets/include/services_status.inc"); require_once("interfaces.inc"); From d7df9ecf10c4bc8950f4610894b9c5b5027055f9 Mon Sep 17 00:00:00 2001 
From: Franco Fichtner Date: Fri, 19 Feb 2016 08:31:04 +0100 Subject: [PATCH 02/16] src: move ipsec.inc require to top pages For now plugins.inc and ipsec.inc will coexist on pages that may need only one or none to avoid unefined function errors. This will be pruned after investigating the contents of both files... --- src/etc/inc/plugins.inc.d/vpn.inc | 3 --- src/etc/rc.bootup | 2 ++ src/etc/rc.filter_configure_sync | 1 + src/etc/rc.initial.setlanip | 1 + src/etc/rc.initial.setports | 1 + src/etc/rc.linkup | 1 + src/etc/rc.newipsecdns | 1 + src/etc/rc.newwanip | 1 + src/etc/rc.newwanipv6 | 1 + src/etc/rc.reload_all | 1 + src/etc/rc.reload_interfaces | 1 + src/www/diag_ipsec_leases.php | 1 + src/www/diag_ipsec_sad.php | 1 + src/www/diag_ipsec_spd.php | 1 + src/www/interfaces.php | 1 + src/www/interfaces_assign.php | 1 + src/www/status_services.php | 1 + src/www/system_advanced_misc.php | 1 + src/www/system_gateway_groups_edit.php | 1 + src/www/vpn_ipsec.php | 1 + src/www/vpn_ipsec_keys.php | 1 + src/www/vpn_ipsec_keys_edit.php | 1 + src/www/vpn_ipsec_mobile.php | 1 + src/www/vpn_ipsec_phase1.php | 1 + src/www/vpn_ipsec_phase2.php | 1 + src/www/vpn_ipsec_settings.php | 1 + src/www/widgets/widgets/services_status.widget.php | 1 + 27 files changed, 27 insertions(+), 3 deletions(-) diff --git a/src/etc/inc/plugins.inc.d/vpn.inc b/src/etc/inc/plugins.inc.d/vpn.inc index 3729d264a..87b86e66e 100644 --- a/src/etc/inc/plugins.inc.d/vpn.inc +++ b/src/etc/inc/plugins.inc.d/vpn.inc @@ -29,9 +29,6 @@ POSSIBILITY OF SUCH DAMAGE. */ -require_once("ipsec.inc"); - - /* include all configuration functions */ function vpn_ipsec_convert_to_modp($index) { diff --git a/src/etc/rc.bootup b/src/etc/rc.bootup index fa92392c4..a08b80727 100755 --- a/src/etc/rc.bootup +++ b/src/etc/rc.bootup @@ -152,6 +152,8 @@ require_once("filter.inc"); echo "."; require_once("plugins.inc"); echo "."; +require_once("ipsec.inc"); +echo "."; require_once("openvpn.inc"); echo "."; require_once("rrd.inc"); 
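Review bot: Removing `require_once("ipsec.inc")` from vpn.inc drops the transitive include every consumer of vpn.inc relied on, and the files that were switched to plugins.inc in the previous patch but receive no ipsec.inc line in this one — diag_logs_vpn.inc, vpn_l2tp*.php, vpn_pppoe*.php and vpn_pptp*.php — are now the ones most likely to hit the undefined-function error the message mentions, if any of them reaches an ipsec_* helper. A grep for `ipsec_` and `vpn_ipsec_` across those files before merging would settle it, and since the message defers the pruning, a `// TODO: audit remaining consumers for ipsec.inc dependencies` note at the removal site keeps that debt visible. The hunk ends at the `vpn_ipsec_convert_to_modp` signature, whose body lies outside it; the rc.bootup hunk sharing this line is a trivial require addition.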
diff --git a/src/etc/rc.filter_configure_sync b/src/etc/rc.filter_configure_sync index 6a237692f..dbcd5787f 100755 --- a/src/etc/rc.filter_configure_sync +++ b/src/etc/rc.filter_configure_sync @@ -30,6 +30,7 @@ require_once("config.inc"); require_once("util.inc"); require_once("filter.inc"); +require_once("ipsec.inc"); require_once("plugins.inc"); require_once("system.inc"); require_once("pfsense-utils.inc"); diff --git a/src/etc/rc.initial.setlanip b/src/etc/rc.initial.setlanip index c703672af..b769eab2d 100755 --- a/src/etc/rc.initial.setlanip +++ b/src/etc/rc.initial.setlanip @@ -33,6 +33,7 @@ require_once("interfaces.inc"); require_once("openvpn.inc"); require_once("util.inc"); require_once("plugins.inc"); +require_once("ipsec.inc"); require_once("filter.inc"); require_once("rrd.inc"); require_once("util.inc"); diff --git a/src/etc/rc.initial.setports b/src/etc/rc.initial.setports index 12b63e4d3..f69a2c221 100755 --- a/src/etc/rc.initial.setports +++ b/src/etc/rc.initial.setports @@ -33,6 +33,7 @@ require_once("config.console.inc"); require_once("filter.inc"); require_once("util.inc"); require_once("plugins.inc"); +require_once("ipsec.inc"); require_once("rrd.inc"); require_once("system.inc"); require_once("services.inc"); diff --git a/src/etc/rc.linkup b/src/etc/rc.linkup index 4fd3d308a..eeaad9f26 100755 --- a/src/etc/rc.linkup +++ b/src/etc/rc.linkup @@ -32,6 +32,7 @@ require_once("config.inc"); require_once("filter.inc"); require_once("interfaces.inc"); require_once('plugins.inc'); +require_once('ipsec.inc'); require_once('openvpn.inc'); require_once("util.inc"); require_once("system.inc"); diff --git a/src/etc/rc.newipsecdns b/src/etc/rc.newipsecdns index ea003d921..9833c4529 100755 --- a/src/etc/rc.newipsecdns +++ b/src/etc/rc.newipsecdns 
@@ -33,6 +33,7 @@ require_once("util.inc"); require_once("config.inc"); require_once("filter.inc"); require_once("plugins.inc"); +require_once('ipsec.inc'); require_once("pfsense-utils.inc"); require_once("interfaces.inc"); diff --git a/src/etc/rc.newwanip b/src/etc/rc.newwanip index 96d60ed72..f69a0ea20 100755 --- a/src/etc/rc.newwanip +++ b/src/etc/rc.newwanip @@ -32,6 +32,7 @@ require_once("config.inc"); require_once("filter.inc"); require_once("plugins.inc"); +require_once('ipsec.inc'); require_once("openvpn.inc"); require_once("rrd.inc"); require_once("util.inc"); diff --git a/src/etc/rc.newwanipv6 b/src/etc/rc.newwanipv6 index 0359f9359..e117da459 100755 --- a/src/etc/rc.newwanipv6 +++ b/src/etc/rc.newwanipv6 @@ -33,6 +33,7 @@ require_once("config.inc"); require_once("interfaces.inc"); require_once("filter.inc"); require_once("plugins.inc"); +require_once('ipsec.inc'); require_once("openvpn.inc"); require_once("services.inc"); require_once("rrd.inc"); diff --git a/src/etc/rc.reload_all b/src/etc/rc.reload_all index 498edea64..dccf3cee6 100755 --- a/src/etc/rc.reload_all +++ b/src/etc/rc.reload_all @@ -32,6 +32,7 @@ require_once("interfaces.inc"); require_once("openvpn.inc"); require_once("filter.inc"); require_once("plugins.inc"); +require_once('ipsec.inc'); require_once("util.inc"); require_once("system.inc"); require_once("pfsense-utils.inc"); diff --git a/src/etc/rc.reload_interfaces b/src/etc/rc.reload_interfaces index c2c2b4504..9abb6118c 100755 --- a/src/etc/rc.reload_interfaces +++ b/src/etc/rc.reload_interfaces @@ -31,6 +31,7 @@ require_once("config.inc"); require_once("filter.inc"); require_once("util.inc"); require_once("openvpn.inc"); +require_once('ipsec.inc'); require_once("plugins.inc"); require_once("system.inc"); require_once("interfaces.inc"); diff --git a/src/www/diag_ipsec_leases.php b/src/www/diag_ipsec_leases.php index 5a8805566..aa137773d 100644 --- a/src/www/diag_ipsec_leases.php +++ b/src/www/diag_ipsec_leases.php 
@@ -29,6 +29,7 @@ require_once("guiconfig.inc"); require_once("plugins.inc"); +require_once("ipsec.inc"); require_once("services.inc"); require_once("interfaces.inc"); diff --git a/src/www/diag_ipsec_sad.php b/src/www/diag_ipsec_sad.php index a3e51ad5b..2b61463e5 100644 --- a/src/www/diag_ipsec_sad.php +++ b/src/www/diag_ipsec_sad.php @@ -30,6 +30,7 @@ require_once("guiconfig.inc"); require_once("plugins.inc"); +require_once("ipsec.inc"); require_once("services.inc"); require_once("interfaces.inc"); diff --git a/src/www/diag_ipsec_spd.php b/src/www/diag_ipsec_spd.php index 22b1a310b..3dfbfd53d 100644 --- a/src/www/diag_ipsec_spd.php +++ b/src/www/diag_ipsec_spd.php @@ -30,6 +30,7 @@ require_once("guiconfig.inc"); require_once("plugins.inc"); +require_once("ipsec.inc"); require_once("services.inc"); require_once("interfaces.inc"); diff --git a/src/www/interfaces.php b/src/www/interfaces.php index 9510ffa95..f191d4051 100644 --- a/src/www/interfaces.php +++ b/src/www/interfaces.php @@ -37,6 +37,7 @@ require_once("filter.inc"); require_once("rrd.inc"); require_once("system.inc"); require_once("interfaces.inc"); +require_once("ipsec.inc"); require_once("openvpn.inc"); require_once("pfsense-utils.inc"); require_once("services.inc"); diff --git a/src/www/interfaces_assign.php b/src/www/interfaces_assign.php index 632ae9efd..08166b3d5 100644 --- a/src/www/interfaces_assign.php +++ b/src/www/interfaces_assign.php @@ -34,6 +34,7 @@ require_once("plugins.inc"); require_once("rrd.inc"); require_once("system.inc"); require_once("interfaces.inc"); +require_once("ipsec.inc"); require_once("openvpn.inc"); require_once("pfsense-utils.inc"); require_once("services.inc"); diff --git a/src/www/status_services.php b/src/www/status_services.php index f411f1c3b..fcd571e3f 100644 --- a/src/www/status_services.php +++ b/src/www/status_services.php 
@@ -37,6 +37,7 @@ require_once("pfsense-utils.inc"); require_once("openvpn.inc"); require_once("filter.inc"); require_once("plugins.inc"); +require_once("ipsec.inc"); require_once("interfaces.inc"); require_once("rrd.inc"); diff --git a/src/www/system_advanced_misc.php b/src/www/system_advanced_misc.php index ffeb91f58..87bec40c4 100644 --- a/src/www/system_advanced_misc.php +++ b/src/www/system_advanced_misc.php @@ -32,6 +32,7 @@ require_once("guiconfig.inc"); require_once("filter.inc"); require_once("plugins.inc"); +require_once("ipsec.inc"); require_once("vslb.inc"); require_once("system.inc"); require_once("pfsense-utils.inc"); diff --git a/src/www/system_gateway_groups_edit.php b/src/www/system_gateway_groups_edit.php index bd2a48706..7057a79c8 100644 --- a/src/www/system_gateway_groups_edit.php +++ b/src/www/system_gateway_groups_edit.php @@ -29,6 +29,7 @@ require_once("guiconfig.inc"); require_once("plugins.inc"); +require_once("ipsec.inc"); require_once("services.inc"); require_once("interfaces.inc"); diff --git a/src/www/vpn_ipsec.php b/src/www/vpn_ipsec.php index 895b491a2..803d14515 100644 --- a/src/www/vpn_ipsec.php +++ b/src/www/vpn_ipsec.php @@ -31,6 +31,7 @@ require_once("guiconfig.inc"); require_once("filter.inc"); require_once("plugins.inc"); +require_once("ipsec.inc"); require_once("services.inc"); require_once("pfsense-utils.inc"); require_once("interfaces.inc"); diff --git a/src/www/vpn_ipsec_keys.php b/src/www/vpn_ipsec_keys.php index 787a96907..19dd3ed60 100644 --- a/src/www/vpn_ipsec_keys.php +++ b/src/www/vpn_ipsec_keys.php @@ -29,6 +29,7 @@ require_once("guiconfig.inc"); require_once("plugins.inc"); +require_once("ipsec.inc"); require_once("filter.inc"); require_once("services.inc"); require_once("pfsense-utils.inc"); diff --git a/src/www/vpn_ipsec_keys_edit.php b/src/www/vpn_ipsec_keys_edit.php index 9a43d9b02..ac36b01a0 100644 --- a/src/www/vpn_ipsec_keys_edit.php +++ b/src/www/vpn_ipsec_keys_edit.php 
@@ -30,6 +30,7 @@ require_once("interfaces.inc"); require_once("guiconfig.inc"); require_once("plugins.inc"); +require_once("ipsec.inc"); require_once("services.inc"); if (!isset($config['ipsec']) || !is_array($config['ipsec'])) { diff --git a/src/www/vpn_ipsec_mobile.php b/src/www/vpn_ipsec_mobile.php index 658b21084..12fdf1edc 100644 --- a/src/www/vpn_ipsec_mobile.php +++ b/src/www/vpn_ipsec_mobile.php @@ -31,6 +31,7 @@ require_once("interfaces.inc"); require_once("guiconfig.inc"); require_once("filter.inc"); require_once("plugins.inc"); +require_once("ipsec.inc"); require_once("services.inc"); require_once("pfsense-utils.inc"); diff --git a/src/www/vpn_ipsec_phase1.php b/src/www/vpn_ipsec_phase1.php index 6ad2402ac..0d6af4a00 100644 --- a/src/www/vpn_ipsec_phase1.php +++ b/src/www/vpn_ipsec_phase1.php @@ -31,6 +31,7 @@ require_once("guiconfig.inc"); require_once("filter.inc"); +require_once("ipsec.inc"); require_once("plugins.inc"); require_once("services.inc"); require_once("pfsense-utils.inc"); diff --git a/src/www/vpn_ipsec_phase2.php b/src/www/vpn_ipsec_phase2.php index 3dabb199f..3609da6df 100644 --- a/src/www/vpn_ipsec_phase2.php +++ b/src/www/vpn_ipsec_phase2.php @@ -30,6 +30,7 @@ require_once("guiconfig.inc"); require_once("interfaces.inc"); +require_once("ipsec.inc"); require_once("plugins.inc"); require_once("services.inc"); diff --git a/src/www/vpn_ipsec_settings.php b/src/www/vpn_ipsec_settings.php index 240a903a4..7c5de287c 100644 --- a/src/www/vpn_ipsec_settings.php +++ b/src/www/vpn_ipsec_settings.php @@ -29,6 +29,7 @@ require_once("guiconfig.inc"); require_once("filter.inc"); +require_once("ipsec.inc"); require_once("plugins.inc"); require_once("services.inc"); require_once("pfsense-utils.inc"); diff --git a/src/www/widgets/widgets/services_status.widget.php b/src/www/widgets/widgets/services_status.widget.php index b1ae2f60d..03760ea16 100644 --- a/src/www/widgets/widgets/services_status.widget.php 
+++ b/src/www/widgets/widgets/services_status.widget.php @@ -34,6 +34,7 @@ $nocsrf = true; require_once("guiconfig.inc"); require_once("services.inc"); require_once("plugins.inc"); +require_once("ipsec.inc"); require_once("widgets/include/services_status.inc"); require_once("interfaces.inc"); From 1373b01a9551f6e5008309eae7a979fd08f348d5 Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Fri, 19 Feb 2016 08:49:18 +0100 Subject: [PATCH 03/16] plugins: move ipsec functions to ipsec.inc --- src/etc/inc/ipsec.inc | 930 +++++++++++++++++++++++++++++- src/etc/inc/plugins.inc.d/vpn.inc | 929 +---------------------------- 2 files changed, 929 insertions(+), 930 deletions(-) diff --git a/src/etc/inc/ipsec.inc b/src/etc/inc/ipsec.inc index 3ad24d69e..ce630197f 100644 --- a/src/etc/inc/ipsec.inc +++ b/src/etc/inc/ipsec.inc 
@@ -1,8 +1,9 @@ + +/* include all configuration functions */ +function vpn_ipsec_convert_to_modp($index) +{ + $convertion = ""; + switch ($index) { + case '1': + $convertion = "modp768"; + break; + case '2': + $convertion = "modp1024"; + break; + case '5': + $convertion = "modp1536"; + break; + case '14': + $convertion = "modp2048"; + break; + case '15': + $convertion = "modp3072"; + break; + case '16': + $convertion = "modp4096"; + break; + case '17': + $convertion = "modp6144"; + break; + case '18': + $convertion = "modp8192"; + break; + } + + return $convertion; +} + +function vpn_ipsec_configure() +{ + global $config, $p2_ealgos, $ipsec_loglevels; + + /* get the automatic ping_hosts.sh ready */ + @unlink('/var/db/ipsecpinghosts'); + touch('/var/db/ipsecpinghosts'); + + // Prefer older IPsec SAs (advanced setting) + if (isset($config['ipsec']['preferoldsa'])) { + set_single_sysctl("net.key.preferred_oldsa", "-30"); + } else { + set_single_sysctl("net.key.preferred_oldsa", "0"); + } + + $syscfg = $config['system']; + $ipseccfg = $config['ipsec']; + $a_phase1 = isset($config['ipsec']['phase1']) ? $config['ipsec']['phase1'] : array(); + $a_phase2 = isset($config['ipsec']['phase2']) ? $config['ipsec']['phase2'] : array(); + $a_client = isset($config['ipsec']['client']) ? 
$config['ipsec']['client'] : array(); + $aggressive_psk = false ; // if one of the phase 1 entries has aggressive/psk combination, this will be set true + + if (!isset($ipseccfg['enable'])) { + /* try to stop charon */ + mwexec('/usr/local/sbin/ipsec stop'); + /* Stop dynamic monitoring */ + killbypid('/var/run/filterdns-ipsec.pid'); + + /* wait for process to die */ + sleep(2); + + /* disallow IPSEC, it is off */ + mwexec("/sbin/ifconfig enc0 down"); + set_single_sysctl("net.inet.ip.ipsec_in_use", "0"); + + return 0; + } else { + $certpath = "/usr/local/etc/ipsec.d/certs"; + $capath = "/usr/local/etc/ipsec.d/cacerts"; + $keypath = "/usr/local/etc/ipsec.d/private"; + + mwexec("/sbin/ifconfig enc0 up"); + set_single_sysctl("net.inet.ip.ipsec_in_use", "1"); + + /* needed directories for config files */ + @mkdir($capath); + @mkdir($keypath); + @mkdir($certpath); + @mkdir('/usr/local/etc/ipsec.d'); + @mkdir('/usr/local/etc/ipsec.d/crls'); + @mkdir('/usr/local/etc/ipsec.d/aacerts'); + @mkdir('/usr/local/etc/ipsec.d/acerts'); + @mkdir('/usr/local/etc/ipsec.d/ocspcerts'); + @mkdir('/usr/local/etc/ipsec.d/reqs'); + + if (file_exists("/var/run/booting")) { + echo gettext("Configuring IPsec VPN... "); + } + + /* fastforwarding is not compatible with ipsec tunnels */ + set_single_sysctl("net.inet.ip.fastforwarding", "0"); + + /* resolve all local, peer addresses and setup pings */ + $ipmap = array(); + $rgmap = array(); + $filterdns_list = array(); + $ipsecpinghosts = ""; + /* step through each phase1 entry */ + foreach ($a_phase1 as $ph1ent) { + if (isset($ph1ent['disabled'])) { + continue; + } + + if ($ph1ent['mode'] == "aggressive" && in_array($ph1ent['authentication_method'], array("pre_shared_key", "xauth_psk_server"))) { + $aggressive_psk = true; + } + $ep = ipsec_get_phase1_src($ph1ent); + if (!is_ipaddr($ep)) { + continue; + } + + + if(!in_array($ep,$ipmap)) { + $ipmap[] = $ep; + } + + /* see if this tunnel has a hostname for the remote-gateway. 
If so, + try to resolve it now and add it to the list for filterdns */ + + if (isset ($ph1ent['mobile'])) { + continue; + } + + $rg = $ph1ent['remote-gateway']; + + if (!is_ipaddr($rg)) { + $filterdns_list[] = "{$rg}"; + add_hostname_to_watch($rg); + if(! file_exists("/var/run/booting")) { + $rg = resolve_retry($rg); + } + if (!is_ipaddr($rg)) { + continue; + } + } + if(array_search($rg, $rgmap)) { + log_error("The remote gateway {$rg} already exists on another phase 1 entry"); + continue; + } + $rgmap[$ph1ent['remote-gateway']] = $rg; + + /* step through each phase2 entry */ + foreach ($a_phase2 as $ph2ent) { + if (isset($ph2ent['disabled'])) { + continue; + } + + if ($ph1ent['ikeid'] != $ph2ent['ikeid']) { + continue; + } + + /* add an ipsec pinghosts entry */ + if ($ph2ent['pinghost']) { + if (!isset($iflist) || !is_array($iflist)) { + $iflist = get_configured_interface_list(); + } + $viplist = get_configured_vips_list(); + $srcip = null; + $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']); + if(is_ipaddrv6($ph2ent['pinghost'])) { + foreach ($iflist as $ifent => $ifname) { + $interface_ip = get_interface_ipv6($ifent); + if (!is_ipaddrv6($interface_ip)) { + continue; + } + if (ip_in_subnet($interface_ip, $local_subnet)) { + $srcip = $interface_ip; + break; + } + } + } else { + foreach ($iflist as $ifent => $ifname) { + $interface_ip = get_interface_ip($ifent); + if (!is_ipaddrv4($interface_ip)) { + continue; + } + if ($local_subnet == "0.0.0.0/0" || ip_in_subnet($interface_ip, $local_subnet)) { + $srcip = $interface_ip; + break; + } + } + } + /* if no valid src IP was found in configured interfaces, try the vips */ + if (is_null($srcip)) { + foreach ($viplist as $vip) { + if (ip_in_subnet($vip['ipaddr'], $local_subnet)) { + $srcip = $vip['ipaddr']; + break; + } + } + } + $dstip = $ph2ent['pinghost']; + if(is_ipaddrv6($dstip)) { + $family = "inet6"; + } else { + $family = "inet"; + } + if (is_ipaddr($srcip)) { + $ipsecpinghosts[] = 
"{$srcip}|{$dstip}|3|||||{$family}|\n"; + } + } + } + } + @file_put_contents('/var/db/ipsecpinghosts', $ipsecpinghosts); + + $cnf_add_to_charon_section = ""; + $cnf_add_to_charon_section .= $aggressive_psk ? "\ti_dont_care_about_security_and_use_aggressive_mode_psk=yes\n":""; + if (isset($a_client['enable']) && isset($a_client['net_list'])) { + $cnf_add_to_charon_section .= "\tcisco_unity = yes\n"; + } + + $strongswan = << 0) { + $strongswan .= ","; + } + if ($authcfg == "system") { + $authcfg = "Local Database"; + } + $strongswan .= $authcfg; + $firstsed = 1; + } + $strongswan .= "\n"; + $strongswan .= "\t}\n"; + } + } + + $strongswan .= "\t}\n}\n"; + @file_put_contents("/usr/local/etc/strongswan.conf", $strongswan); + unset($strongswan); + + /* generate CA certificates files */ + if (isset($config['ca'])) { + foreach ($config['ca'] as $ca) { + if (!isset($ca['crt'])) { + log_error(sprintf(gettext("Error: Invalid certificate info for %s"), $ca['descr'])); + continue; + } + $cert = base64_decode($ca['crt']); + $x509cert = openssl_x509_parse(openssl_x509_read($cert)); + if (!is_array($x509cert) || !isset($x509cert['hash'])) { + log_error(sprintf(gettext("Error: Invalid certificate hash info for %s"), $ca['descr'])); + continue; + } + $fname = "{$capath}/{$x509cert['hash']}.0.crt"; + if (!@file_put_contents($fname, $cert)) { + log_error(sprintf(gettext("Error: Cannot write IPsec CA file for %s"), $ca['descr'])); + continue; + } + unset($cert); + } + } + + $pskconf = ""; + + foreach ($a_phase1 as $ph1ent) { + if (isset($ph1ent['disabled'])) { + continue; + } + + if (!empty($ph1ent['certref'])) { + $cert = lookup_cert($ph1ent['certref']); + + if (empty($cert)) { + log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name'])); + continue; + } + + @chmod($certpath, 0600); + + $ph1keyfile = "{$keypath}/cert-{$ph1ent['ikeid']}.key"; + if (!file_put_contents($ph1keyfile, base64_decode($cert['prv']))) { + log_error(sprintf(gettext("Error: 
Cannot write phase1 key file for %s"), $ph1ent['name'])); + continue; + } + @chmod($ph1keyfile, 0600); + + $ph1certfile = "{$certpath}/cert-{$ph1ent['ikeid']}.crt"; + if (!file_put_contents($ph1certfile, base64_decode($cert['crt']))) { + log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name'])); + @unlink($ph1keyfile); + continue; + } + @chmod($ph1certfile, 0600); + + /* XXX" Traffic selectors? */ + $pskconf .= " : RSA {$ph1keyfile}\n"; + } else { + list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local"); + list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap); + + if (empty($peerid_data)) { + continue; + } + + $myid = isset($ph1ent['mobile']) ? trim($myid_data) . " " : ""; + $peerid = ($peerid_data != "allusers") ? trim($peerid_data) : ""; + if (!empty($ph1ent['pre-shared-key'])) { + $pskconf .= $myid . $peerid . " : PSK \"" . trim($ph1ent['pre-shared-key']) . "\"\n"; + } + } + } + + /* Add user PSKs */ + if (isset($config['system']['user']) && is_array($config['system']['user'])) { + foreach ($config['system']['user'] as $user) { + if (!empty($user['ipsecpsk'])) { + $pskconf .= "{$user['name']} : PSK \"{$user['ipsecpsk']}\"\n"; + } + } + unset($user); + } + + /* add PSKs for mobile clients */ + if (isset($ipseccfg['mobilekey'])) { + foreach ($ipseccfg['mobilekey'] as $key) { + if ($key['ident'] == "allusers") { + $key['ident'] = ''; + } + $pskconf .= "{$key['ident']} : PSK \"{$key['pre-shared-key']}\"\n"; + } + unset($key); + } + + @file_put_contents("/usr/local/etc/ipsec.secrets", $pskconf); + chmod("/usr/local/etc/ipsec.secrets", 0600); + unset($pskconf); + + $natfilterrules = false; + /* begin ipsec.conf */ + $ipsecconf = ""; + if (count($a_phase1)) { + $ipsecconf .= "# This file is automatically generated. 
Do not edit\n"; + $ipsecconf .= "config setup\n\tuniqueids = yes\n"; + // parse debug tags + $cfg_loglevels = array(); + if (isset($ipsec_loglevels)) { + foreach ($ipsec_loglevels as $lkey => $ldescr) { + if (isset($config['ipsec']["ipsec_{$lkey}"]) && is_numeric($config['ipsec']["ipsec_{$lkey}"]) && + intval($config['ipsec']["ipsec_{$lkey}"]) >= 1 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5) { + $cfg_loglevels[] = "${lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) ; + } + } + } + $ipsecconf .= "\tcharondebug=\"" .implode(',', $cfg_loglevels) . "\"\n"; + + foreach ($a_phase1 as $ph1ent) { + if (isset($ph1ent['disabled'])) { + continue; + } + + if ($ph1ent['mode'] == "aggressive") { + $aggressive = "yes"; + } else { + $aggressive = "no"; + } + + $ep = ipsec_get_phase1_src($ph1ent); + if (empty($ep)) { + continue; + } + + $keyexchange = "ikev1"; + if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1") { + $keyexchange = "ikev2"; + } + + if (isset($ph1ent['mobile'])) { + $right_spec = "%any"; + } else { + $right_spec = $ph1ent['remote-gateway']; + } + + if (!empty($ph1ent['auto'])) { + $conn_auto = $ph1ent['auto']; + } elseif (isset($ph1ent['mobile'])) { + $conn_auto = 'add'; + } else { + $conn_auto = 'route'; + } + + list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local"); + list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap); + + /* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */ + $peerid_spec = ''; + if (!isset($ph1ent['mobile'])) { + $peerid_spec = $peerid_data; + } + + if (!empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) { + $ealg_id = $ph1ent['encryption-algorithm']['name']; + if (isset($ph1ent['encryption-algorithm']['keylen'])){ + $ealgosp1 = "ike = {$ealg_id}{$ph1ent['encryption-algorithm']['keylen']}-{$ph1ent['hash-algorithm']}"; + } else { + $ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}"; + } + $modp = 
vpn_ipsec_convert_to_modp($ph1ent['dhgroup']); + if (!empty($modp)) { + $ealgosp1 .= "-{$modp}"; + } + $ealgosp1 .= "!"; + } + + if (!empty($ph1ent['dpd_delay']) && !empty($ph1ent['dpd_maxfail'])) { + if ($conn_auto == "route") { + $dpdline = "dpdaction = restart"; + } else { + $dpdline = "dpdaction = clear"; + } + $dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s"; + $dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1); + $dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s"; + } else { + $dpdline = "dpdaction = none"; + } + + if (!empty($ph1ent['lifetime'])) { + $ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s"; + } else { + $ikelifeline = ''; + } + + $rightsourceip = NULL; + if (!empty($a_client['pool_address']) && isset($ph1ent['mobile']) ) { + $rightsourceip = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n"; + } + + $authentication = ""; + switch ($ph1ent['authentication_method']) { + case 'eap-tls': + $authentication = "leftauth=eap-tls\n\trightauth=eap-tls"; + break; + case 'xauth_rsa_server': + $authentication = "leftauth = pubkey\n\trightauth = pubkey"; + $authentication .= "\n\trightauth2 = xauth-generic"; + break; + case 'xauth_psk_server': + $authentication = "leftauth = psk\n\trightauth = psk"; + $authentication .= "\n\trightauth2 = xauth-generic"; + break; + case 'pre_shared_key': + $authentication = "leftauth = psk\n\trightauth = psk"; + break; + case 'rsasig': + $authentication = "leftauth = pubkey\n\trightauth = pubkey"; + break; + case 'hybrid_rsa_server': + $authentication = "leftauth = xauth-generic\n\trightauth = pubkey"; + $authentication .= "\n\trightauth2 = xauth"; + break; + } + if (!empty($ph1ent['certref'])) { + $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; + } + if (!empty($ph1ent['caref'])) { + $ca = lookup_ca($ph1ent['caref']);; + if (!empty($ca)) { + $rightca = ""; + foreach (cert_get_subject_array($ca['crt']) as $ca_field) { + $rightca .= 
"{$ca_field['a']}={$ca_field['v']}/"; + } + $authentication .= "\n\trightca=\"/$rightca\""; + } + } + $left_spec = $ep; + + if (isset($ph1ent['reauth_enable'])) { + $reauth = "reauth = no"; + } else { + $reauth = "reauth = yes"; + } + + if (isset($ph1ent['rekey_enable'])) { + $rekey = "rekey = no"; + } else { + $rekey = "rekey = yes"; + } + + $forceencaps = 'forceencaps = no' ; + if (!empty($ph1ent['nat_traversal']) && $ph1ent['nat_traversal'] == 'force') { + $forceencaps = 'forceencaps = yes'; + } + + $ipseclifetime = 0; + $rightsubnet_spec = array(); + $leftsubnet_spec = array(); + $ealgoAHsp2arr = array(); + $ealgoESPsp2arr = array(); + + + if (count($a_phase2)) { + foreach ($a_phase2 as $ph2ent) { + if ($ph1ent['ikeid'] != $ph2ent['ikeid'] || isset($ph2ent['disabled'])) { + continue; + } + if (isset($ph2ent['mobile']) && !isset($a_client['enable'])){ + continue; + } + + if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) { + $tunneltype = "type = tunnel"; + $localid_type = $ph2ent['localid']['type']; + $leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']); + /* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */ + if (($localid_type == "none" || $localid_type == "mobile") + && isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ph1ent['ikeid'])==1)) { + $left_spec = '%any'; + } else { + if ($localid_type != "address") { + $localid_type = "subnet"; + } + // Don't let an empty subnet into config, it can cause parse errors. Ticket #2201. 
+ if (!is_ipaddr($leftsubnet_data) && !is_subnet($leftsubnet_data) && ($leftsubnet_data != "0.0.0.0/0")) { + log_error("Invalid IPsec Phase 2 \"{$ph2ent['descr']}\" - {$ph2ent['localid']['type']} has no subnet."); + continue; + } + if (!empty($ph2ent['natlocalid'])) { + $natfilterrules = true; + } + } + + $leftsubnet_spec[] = $leftsubnet_data; + + if (!isset($ph2ent['mobile'])) { + $tmpsubnet = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']); + $rightsubnet_spec[] = $tmpsubnet; + } else if (!empty($a_client['pool_address'])) { + $rightsubnet_spec[] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}"; + } + } else { + $tunneltype = "type = transport"; + if ((($ph1ent['authentication_method'] == "xauth_psk_server") || + ($ph1ent['authentication_method'] == "pre_shared_key")) && isset($ph1ent['mobile'])) { + $left_spec = "%any"; + } else { + $tmpsubnet = ipsec_get_phase1_src($ph1ent); + $leftsubnet_spec[] = $tmpsubnet; + } + if (!isset($ph2ent['mobile'])) { + $rightsubnet_spec[] = $right_spec; + } + } + if (isset($a_client['pfs_group'])) { + $ph2ent['pfsgroup'] = $a_client['pfs_group']; + } + if (isset($ph2ent['protocol']) && $ph2ent['protocol'] == 'esp') { + $ealgoESPsp2arr_details = array(); + if (is_array($ph2ent['encryption-algorithm-option'])) { + foreach ($ph2ent['encryption-algorithm-option'] as $ealg) { + $ealg_id = $ealg['name']; + if (isset($ealg['keylen'])) { + $ealg_kl = $ealg['keylen']; + } else { + $ealg_kl = null; + } + + if ($ealg_kl == "auto") { + $key_hi = $p2_ealgos[$ealg_id]['keysel']['hi']; + $key_lo = $p2_ealgos[$ealg_id]['keysel']['lo']; + $key_step = $p2_ealgos[$ealg_id]['keysel']['step']; + /* XXX: in some cases where include ordering is suspect these variables + * are somehow 0 and we enter this loop forever and timeout after 900 + * seconds wrecking bootup */ + if ($key_hi != 0 and $key_lo !=0 and $key_step !=0) { + for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) { + if 
(!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) { + foreach ($ph2ent['hash-algorithm-option'] as $halgo) { + $halgo = str_replace('hmac_', '', $halgo); + $tmpealgo = "{$ealg_id}{$keylen}-{$halgo}"; + $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); + if (!empty($modp)) { + $tmpealgo .= "-{$modp}"; + } + $ealgoESPsp2arr_details[] = $tmpealgo; + } + } else { + $tmpealgo = "{$ealg_id}{$keylen}"; + $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); + if (!empty($modp)) { + $tmpealgo .= "-{$modp}"; + } + $ealgoESPsp2arr_details[] = $tmpealgo; + } + } + } + } else { + if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) { + foreach ($ph2ent['hash-algorithm-option'] as $halgo) { + $halgo = str_replace('hmac_', '', $halgo); + $tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}"; + $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); + if (!empty($modp)) { + $tmpealgo .= "-{$modp}"; + } + $ealgoESPsp2arr_details[] = $tmpealgo; + } + } else { + $tmpealgo = "{$ealg_id}{$ealg_kl}"; + $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); + if (!empty($modp)) { + $tmpealgo .= "-{$modp}"; + } + $ealgoESPsp2arr_details[] = $tmpealgo; + } + } + } + } + $ealgoESPsp2arr[] = $ealgoESPsp2arr_details; + } else if (isset($ph2ent['protocol']) && $ph2ent['protocol'] == 'ah') { + $ealgoAHsp2arr_details = array(); + if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) { + $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); + foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) { + $tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo); + if (!empty($modp)) { + $tmpAHalgo = "-{$modp}"; + } + $ealgoAHsp2arr_details[] = $tmpAHalgo; + } + } + $ealgoAHsp2arr[] = $ealgoAHsp2arr_details; + } + + if (!empty($ph2ent['lifetime'])) { + if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime'])) { + $ipseclifetime = intval($ph2ent['lifetime']); + } + } + 
} + } + + $connEntry =<<> + aggressive = {$aggressive} + fragmentation = yes + keyexchange = {$keyexchange} + {$reauth} + {$rekey} + {$forceencaps} + installpolicy = yes + {$tunneltype} + {$dpdline} + auto = {$conn_auto} + left = {$left_spec} + right = {$right_spec} + leftid = {$myid_data} + {$ikelifeline} + +EOD; + + if ($ipseclifetime > 0) { + $connEntry .= "\tlifetime = {$ipseclifetime}s\n"; + } + if (!empty($rightsourceip)) { + $connEntry .= "{$rightsourceip}"; + } + if (!empty($ealgosp1)) { + $connEntry .= "\t{$ealgosp1}\n"; + } + if (!empty($authentication)) { + $connEntry .= "\t{$authentication}\n"; + } + if (!empty($peerid_spec)) { + $connEntry .= "\trightid = {$peerid_spec}\n"; + } + + // append ipsec connections + if (!isset($ph1ent['mobile']) && $keyexchange == 'ikev1') { + // ikev1 not mobile + for ($idx = 0 ; $idx < count($leftsubnet_spec) ; ++$idx) { + if (count($leftsubnet_spec) == 1) { + $tmpconf = str_replace('<>', "{$ph1ent['ikeid']}", $connEntry); + } else { + // suffix connection with sequence number + $tmpconf = str_replace('<>', "{$ph1ent['ikeid']}-00{$idx}", $connEntry); + } + $tmpconf .= "\trightsubnet =" . $rightsubnet_spec[$idx]. "\n" ; + $tmpconf .= "\tleftsubnet = " . $leftsubnet_spec[$idx] . "\n"; + if (!empty($ealgoESPsp2arr[$idx])) { + $tmpconf .= "\tesp = " . join(',', $ealgoESPsp2arr[$idx]) . "!\n"; + } + if (!empty($ealgoAHsp2arr[$idx])) { + $connEntry .= "\tah = " . join(',', $ealgoAHsp2arr[$idx]) . "!\n"; + } + $ipsecconf .= $tmpconf; + } + } else { + // mobile and ikev2 + $tmpconf = str_replace('<>', "{$ph1ent['ikeid']}", $connEntry); + if (!empty($rightsubnet_spec)) { + $tmpconf .= "\trightsubnet = " . join(",", $rightsubnet_spec) . "\n"; + } + if (!empty($leftsubnet_spec)) { + $tmpconf .= "\tleftsubnet = " . join(",", $leftsubnet_spec) . "\n"; + } + // merge esp phase 2 arrays. 
+ $esp_content = array(); + foreach ($ealgoESPsp2arr as $ealgoESPsp2arr_details) { + foreach ($ealgoESPsp2arr_details as $esp_item) { + if (!in_array($esp_item, $esp_content)) { + $esp_content[] = $esp_item; + } + } + } + // merge ah phase 2 arrays. + $ah_content = array(); + foreach ($ealgoAHsp2arr as $ealgoAHsp2arr_details) { + foreach ($ealgoAHsp2arr_details as $ah_item) { + if (!in_array($ah_item, $ah_content)) { + $ah_content[] = $ah_item; + } + } + } + if (!empty($esp_content)) { + $tmpconf .= "\tesp = " . join(',', $esp_content) . "!\n"; + } + if (!empty($ah_content)) { + $tmpconf .= "\tah = " . join(',', $ah_content) . "!\n"; + } + $ipsecconf .= $tmpconf; + } + } + } + } + // dump file, replace tabs for 2 spaces + @file_put_contents("/usr/local/etc/ipsec.conf", str_replace("\t",' ', $ipsecconf)); + unset($ipsecconf); + /* end ipsec.conf */ + + /* mange process */ + if (isvalidpid('/var/run/charon.pid')) { + /* Read secrets */ + mwexec('/usr/local/sbin/ipsec rereadall', false); + /* Update configuration changes */ + mwexec('/usr/local/sbin/ipsec reload', false); + } else { + mwexec("/usr/local/sbin/ipsec start", false); + } + + if ($natfilterrules == true) { + filter_configure(); + } + + /* start filterdns, if necessary */ + if (count($filterdns_list) > 0) { + $interval = 60; + if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval'])) { + $interval = $ipseccfg['dns-interval']; + } + + $hostnames = ""; + array_unique($filterdns_list); + foreach ($filterdns_list as $hostname) { + $hostnames .= "cmd {$hostname} '/usr/local/opnsense/service/configd_ctl.py ipsecdns reload'\n"; + } + file_put_contents("/usr/local/etc/filterdns-ipsec.hosts", $hostnames); + unset($hostnames); + + if (isvalidpid('/var/run/filterdns-ipsec.pid')) { + killbypid('/var/run/filterdns-ipsec.pid', 'HUP'); + } else { + mwexec("/usr/local/sbin/filterdns -p /var/run/filterdns-ipsec.pid -i {$interval} -c /usr/local/etc/filterdns-ipsec.hosts -d 1"); + } + } else { + 
killbypid('/var/run/filterdns-ipsec.pid'); + } + + if (file_exists("/var/run/booting")) { + echo "done\n"; + } + + return count($filterdns_list); +} + +/* + * Forcefully restart IPsec + * This is required for when dynamic interfaces reload + * For all other occasions the normal vpn_ipsec_configure() + * will gracefully reload the settings without restarting + */ +function vpn_ipsec_force_reload($interface = '') +{ + global $config; + + $ipseccfg = $config['ipsec']; + + if (!empty($interface) && isset($ipseccfg['phase1']) && is_array($ipseccfg['phase1'])) { + $found = false; + foreach ($ipseccfg['phase1'] as $ipsec) { + if (!isset($ipsec['disabled']) && ($ipsec['interface'] == $interface)) { + $found = true; + break; + } + } + if (!$found) { + log_error(sprintf(gettext("Ignoring IPsec reload since there are no tunnels on interface %s"), $interface)); + return; + } + } + + /* if ipsec is enabled, start up again */ + if (isset($ipseccfg['enable'])) { + log_error(gettext("Forcefully reloading IPsec")); + vpn_ipsec_configure(); + } +} diff --git a/src/etc/inc/plugins.inc.d/vpn.inc b/src/etc/inc/plugins.inc.d/vpn.inc index 87b86e66e..37e27f5e5 100644 --- a/src/etc/inc/plugins.inc.d/vpn.inc +++ b/src/etc/inc/plugins.inc.d/vpn.inc @@ -1,9 +1,9 @@ All rights reserved. 
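Review bot: In the ikev1 non-mobile branch of vpn_ipsec_configure() (the `for ($idx = 0 ...)` loop) the AH proposal is appended to the template rather than the per-connection buffer, so `ah =` never reaches the conn being emitted and instead leaks into every later conn built from `$connEntry`; it should read `$tmpconf .= "\tah = " . join(',', $ealgoAHsp2arr[$idx]) . "!\n";`. The AH proposal builder above it has a related slip: `$tmpAHalgo = "-{$modp}";` overwrites the hash name with only the DH-group suffix, where `$tmpAHalgo .= "-{$modp}";` is intended. Two smaller issues in the same function: `array_unique($filterdns_list);` discards its result, so duplicate hostnames are written to filterdns-ipsec.hosts (`$filterdns_list = array_unique($filterdns_list);`), and `$ipsecpinghosts = "";` is later used with `$ipsecpinghosts[] = ...`, relying on silent string-to-array conversion that newer PHP rejects — initialise it as `array()`. Since the moved code is now the reviewed code, it is also worth noting that ipsec.secrets and the per-tunnel `.key` files are written with the process umask and only then chmod'ed to 0600, leaving a brief window in which the PSKs and private keys may be readable; creating the file with restricted mode (or chmod'ing before writing) closes that gap.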
@@ -29,933 +29,6 @@ POSSIBILITY OF SUCH DAMAGE. */ -/* include all configuration functions */ -function vpn_ipsec_convert_to_modp($index) -{ - $convertion = ""; - switch ($index) { - case '1': - $convertion = "modp768"; - break; - case '2': - $convertion = "modp1024"; - break; - case '5': - $convertion = "modp1536"; - break; - case '14': - $convertion = "modp2048"; - break; - case '15': - $convertion = "modp3072"; - break; - case '16': - $convertion = "modp4096"; - break; - case '17': - $convertion = "modp6144"; - break; - case '18': - $convertion = "modp8192"; - break; - } - - return $convertion; -} - -function vpn_ipsec_configure() -{ - global $config, $p2_ealgos, $ipsec_loglevels; - - /* get the automatic ping_hosts.sh ready */ - @unlink('/var/db/ipsecpinghosts'); - touch('/var/db/ipsecpinghosts'); - - // Prefer older IPsec SAs (advanced setting) - if (isset($config['ipsec']['preferoldsa'])) { - set_single_sysctl("net.key.preferred_oldsa", "-30"); - } else { - set_single_sysctl("net.key.preferred_oldsa", "0"); - } - - $syscfg = $config['system']; - $ipseccfg = $config['ipsec']; - $a_phase1 = isset($config['ipsec']['phase1']) ? $config['ipsec']['phase1'] : array(); - $a_phase2 = isset($config['ipsec']['phase2']) ? $config['ipsec']['phase2'] : array(); - $a_client = isset($config['ipsec']['client']) ? 
$config['ipsec']['client'] : array(); - $aggressive_psk = false ; // if one of the phase 1 entries has aggressive/psk combination, this will be set true - - if (!isset($ipseccfg['enable'])) { - /* try to stop charon */ - mwexec('/usr/local/sbin/ipsec stop'); - /* Stop dynamic monitoring */ - killbypid('/var/run/filterdns-ipsec.pid'); - - /* wait for process to die */ - sleep(2); - - /* disallow IPSEC, it is off */ - mwexec("/sbin/ifconfig enc0 down"); - set_single_sysctl("net.inet.ip.ipsec_in_use", "0"); - - return 0; - } else { - $certpath = "/usr/local/etc/ipsec.d/certs"; - $capath = "/usr/local/etc/ipsec.d/cacerts"; - $keypath = "/usr/local/etc/ipsec.d/private"; - - mwexec("/sbin/ifconfig enc0 up"); - set_single_sysctl("net.inet.ip.ipsec_in_use", "1"); - - /* needed directories for config files */ - @mkdir($capath); - @mkdir($keypath); - @mkdir($certpath); - @mkdir('/usr/local/etc/ipsec.d'); - @mkdir('/usr/local/etc/ipsec.d/crls'); - @mkdir('/usr/local/etc/ipsec.d/aacerts'); - @mkdir('/usr/local/etc/ipsec.d/acerts'); - @mkdir('/usr/local/etc/ipsec.d/ocspcerts'); - @mkdir('/usr/local/etc/ipsec.d/reqs'); - - if (file_exists("/var/run/booting")) { - echo gettext("Configuring IPsec VPN... "); - } - - /* fastforwarding is not compatible with ipsec tunnels */ - set_single_sysctl("net.inet.ip.fastforwarding", "0"); - - /* resolve all local, peer addresses and setup pings */ - $ipmap = array(); - $rgmap = array(); - $filterdns_list = array(); - $ipsecpinghosts = ""; - /* step through each phase1 entry */ - foreach ($a_phase1 as $ph1ent) { - if (isset($ph1ent['disabled'])) { - continue; - } - - if ($ph1ent['mode'] == "aggressive" && in_array($ph1ent['authentication_method'], array("pre_shared_key", "xauth_psk_server"))) { - $aggressive_psk = true; - } - $ep = ipsec_get_phase1_src($ph1ent); - if (!is_ipaddr($ep)) { - continue; - } - - - if(!in_array($ep,$ipmap)) { - $ipmap[] = $ep; - } - - /* see if this tunnel has a hostname for the remote-gateway. 
If so, - try to resolve it now and add it to the list for filterdns */ - - if (isset ($ph1ent['mobile'])) { - continue; - } - - $rg = $ph1ent['remote-gateway']; - - if (!is_ipaddr($rg)) { - $filterdns_list[] = "{$rg}"; - add_hostname_to_watch($rg); - if(! file_exists("/var/run/booting")) { - $rg = resolve_retry($rg); - } - if (!is_ipaddr($rg)) { - continue; - } - } - if(array_search($rg, $rgmap)) { - log_error("The remote gateway {$rg} already exists on another phase 1 entry"); - continue; - } - $rgmap[$ph1ent['remote-gateway']] = $rg; - - /* step through each phase2 entry */ - foreach ($a_phase2 as $ph2ent) { - if (isset($ph2ent['disabled'])) { - continue; - } - - if ($ph1ent['ikeid'] != $ph2ent['ikeid']) { - continue; - } - - /* add an ipsec pinghosts entry */ - if ($ph2ent['pinghost']) { - if (!isset($iflist) || !is_array($iflist)) { - $iflist = get_configured_interface_list(); - } - $viplist = get_configured_vips_list(); - $srcip = null; - $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']); - if(is_ipaddrv6($ph2ent['pinghost'])) { - foreach ($iflist as $ifent => $ifname) { - $interface_ip = get_interface_ipv6($ifent); - if (!is_ipaddrv6($interface_ip)) { - continue; - } - if (ip_in_subnet($interface_ip, $local_subnet)) { - $srcip = $interface_ip; - break; - } - } - } else { - foreach ($iflist as $ifent => $ifname) { - $interface_ip = get_interface_ip($ifent); - if (!is_ipaddrv4($interface_ip)) { - continue; - } - if ($local_subnet == "0.0.0.0/0" || ip_in_subnet($interface_ip, $local_subnet)) { - $srcip = $interface_ip; - break; - } - } - } - /* if no valid src IP was found in configured interfaces, try the vips */ - if (is_null($srcip)) { - foreach ($viplist as $vip) { - if (ip_in_subnet($vip['ipaddr'], $local_subnet)) { - $srcip = $vip['ipaddr']; - break; - } - } - } - $dstip = $ph2ent['pinghost']; - if(is_ipaddrv6($dstip)) { - $family = "inet6"; - } else { - $family = "inet"; - } - if (is_ipaddr($srcip)) { - $ipsecpinghosts[] = 
"{$srcip}|{$dstip}|3|||||{$family}|\n"; - } - } - } - } - @file_put_contents('/var/db/ipsecpinghosts', $ipsecpinghosts); - - $cnf_add_to_charon_section = ""; - $cnf_add_to_charon_section .= $aggressive_psk ? "\ti_dont_care_about_security_and_use_aggressive_mode_psk=yes\n":""; - if (isset($a_client['enable']) && isset($a_client['net_list'])) { - $cnf_add_to_charon_section .= "\tcisco_unity = yes\n"; - } - - $strongswan = << 0) { - $strongswan .= ","; - } - if ($authcfg == "system") { - $authcfg = "Local Database"; - } - $strongswan .= $authcfg; - $firstsed = 1; - } - $strongswan .= "\n"; - $strongswan .= "\t}\n"; - } - } - - $strongswan .= "\t}\n}\n"; - @file_put_contents("/usr/local/etc/strongswan.conf", $strongswan); - unset($strongswan); - - /* generate CA certificates files */ - if (isset($config['ca'])) { - foreach ($config['ca'] as $ca) { - if (!isset($ca['crt'])) { - log_error(sprintf(gettext("Error: Invalid certificate info for %s"), $ca['descr'])); - continue; - } - $cert = base64_decode($ca['crt']); - $x509cert = openssl_x509_parse(openssl_x509_read($cert)); - if (!is_array($x509cert) || !isset($x509cert['hash'])) { - log_error(sprintf(gettext("Error: Invalid certificate hash info for %s"), $ca['descr'])); - continue; - } - $fname = "{$capath}/{$x509cert['hash']}.0.crt"; - if (!@file_put_contents($fname, $cert)) { - log_error(sprintf(gettext("Error: Cannot write IPsec CA file for %s"), $ca['descr'])); - continue; - } - unset($cert); - } - } - - $pskconf = ""; - - foreach ($a_phase1 as $ph1ent) { - if (isset($ph1ent['disabled'])) { - continue; - } - - if (!empty($ph1ent['certref'])) { - $cert = lookup_cert($ph1ent['certref']); - - if (empty($cert)) { - log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name'])); - continue; - } - - @chmod($certpath, 0600); - - $ph1keyfile = "{$keypath}/cert-{$ph1ent['ikeid']}.key"; - if (!file_put_contents($ph1keyfile, base64_decode($cert['prv']))) { - log_error(sprintf(gettext("Error: 
Cannot write phase1 key file for %s"), $ph1ent['name'])); - continue; - } - @chmod($ph1keyfile, 0600); - - $ph1certfile = "{$certpath}/cert-{$ph1ent['ikeid']}.crt"; - if (!file_put_contents($ph1certfile, base64_decode($cert['crt']))) { - log_error(sprintf(gettext("Error: Cannot write phase1 certificate file for %s"), $ph1ent['name'])); - @unlink($ph1keyfile); - continue; - } - @chmod($ph1certfile, 0600); - - /* XXX" Traffic selectors? */ - $pskconf .= " : RSA {$ph1keyfile}\n"; - } else { - list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local"); - list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap); - - if (empty($peerid_data)) { - continue; - } - - $myid = isset($ph1ent['mobile']) ? trim($myid_data) . " " : ""; - $peerid = ($peerid_data != "allusers") ? trim($peerid_data) : ""; - if (!empty($ph1ent['pre-shared-key'])) { - $pskconf .= $myid . $peerid . " : PSK \"" . trim($ph1ent['pre-shared-key']) . "\"\n"; - } - } - } - - /* Add user PSKs */ - if (isset($config['system']['user']) && is_array($config['system']['user'])) { - foreach ($config['system']['user'] as $user) { - if (!empty($user['ipsecpsk'])) { - $pskconf .= "{$user['name']} : PSK \"{$user['ipsecpsk']}\"\n"; - } - } - unset($user); - } - - /* add PSKs for mobile clients */ - if (isset($ipseccfg['mobilekey'])) { - foreach ($ipseccfg['mobilekey'] as $key) { - if ($key['ident'] == "allusers") { - $key['ident'] = ''; - } - $pskconf .= "{$key['ident']} : PSK \"{$key['pre-shared-key']}\"\n"; - } - unset($key); - } - - @file_put_contents("/usr/local/etc/ipsec.secrets", $pskconf); - chmod("/usr/local/etc/ipsec.secrets", 0600); - unset($pskconf); - - $natfilterrules = false; - /* begin ipsec.conf */ - $ipsecconf = ""; - if (count($a_phase1)) { - $ipsecconf .= "# This file is automatically generated. 
Do not edit\n"; - $ipsecconf .= "config setup\n\tuniqueids = yes\n"; - // parse debug tags - $cfg_loglevels = array(); - if (isset($ipsec_loglevels)) { - foreach ($ipsec_loglevels as $lkey => $ldescr) { - if (isset($config['ipsec']["ipsec_{$lkey}"]) && is_numeric($config['ipsec']["ipsec_{$lkey}"]) && - intval($config['ipsec']["ipsec_{$lkey}"]) >= 1 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5) { - $cfg_loglevels[] = "${lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) ; - } - } - } - $ipsecconf .= "\tcharondebug=\"" .implode(',', $cfg_loglevels) . "\"\n"; - - foreach ($a_phase1 as $ph1ent) { - if (isset($ph1ent['disabled'])) { - continue; - } - - if ($ph1ent['mode'] == "aggressive") { - $aggressive = "yes"; - } else { - $aggressive = "no"; - } - - $ep = ipsec_get_phase1_src($ph1ent); - if (empty($ep)) { - continue; - } - - $keyexchange = "ikev1"; - if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1") { - $keyexchange = "ikev2"; - } - - if (isset($ph1ent['mobile'])) { - $right_spec = "%any"; - } else { - $right_spec = $ph1ent['remote-gateway']; - } - - if (!empty($ph1ent['auto'])) { - $conn_auto = $ph1ent['auto']; - } elseif (isset($ph1ent['mobile'])) { - $conn_auto = 'add'; - } else { - $conn_auto = 'route'; - } - - list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local"); - list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap); - - /* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */ - $peerid_spec = ''; - if (!isset($ph1ent['mobile'])) { - $peerid_spec = $peerid_data; - } - - if (!empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) { - $ealg_id = $ph1ent['encryption-algorithm']['name']; - if (isset($ph1ent['encryption-algorithm']['keylen'])){ - $ealgosp1 = "ike = {$ealg_id}{$ph1ent['encryption-algorithm']['keylen']}-{$ph1ent['hash-algorithm']}"; - } else { - $ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}"; - } - $modp = 
vpn_ipsec_convert_to_modp($ph1ent['dhgroup']); - if (!empty($modp)) { - $ealgosp1 .= "-{$modp}"; - } - $ealgosp1 .= "!"; - } - - if (!empty($ph1ent['dpd_delay']) && !empty($ph1ent['dpd_maxfail'])) { - if ($conn_auto == "route") { - $dpdline = "dpdaction = restart"; - } else { - $dpdline = "dpdaction = clear"; - } - $dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s"; - $dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1); - $dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s"; - } else { - $dpdline = "dpdaction = none"; - } - - if (!empty($ph1ent['lifetime'])) { - $ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s"; - } else { - $ikelifeline = ''; - } - - $rightsourceip = NULL; - if (!empty($a_client['pool_address']) && isset($ph1ent['mobile']) ) { - $rightsourceip = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n"; - } - - $authentication = ""; - switch ($ph1ent['authentication_method']) { - case 'eap-tls': - $authentication = "leftauth=eap-tls\n\trightauth=eap-tls"; - break; - case 'xauth_rsa_server': - $authentication = "leftauth = pubkey\n\trightauth = pubkey"; - $authentication .= "\n\trightauth2 = xauth-generic"; - break; - case 'xauth_psk_server': - $authentication = "leftauth = psk\n\trightauth = psk"; - $authentication .= "\n\trightauth2 = xauth-generic"; - break; - case 'pre_shared_key': - $authentication = "leftauth = psk\n\trightauth = psk"; - break; - case 'rsasig': - $authentication = "leftauth = pubkey\n\trightauth = pubkey"; - break; - case 'hybrid_rsa_server': - $authentication = "leftauth = xauth-generic\n\trightauth = pubkey"; - $authentication .= "\n\trightauth2 = xauth"; - break; - } - if (!empty($ph1ent['certref'])) { - $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt"; - } - if (!empty($ph1ent['caref'])) { - $ca = lookup_ca($ph1ent['caref']);; - if (!empty($ca)) { - $rightca = ""; - foreach (cert_get_subject_array($ca['crt']) as $ca_field) { - $rightca .= 
"{$ca_field['a']}={$ca_field['v']}/"; - } - $authentication .= "\n\trightca=\"/$rightca\""; - } - } - $left_spec = $ep; - - if (isset($ph1ent['reauth_enable'])) { - $reauth = "reauth = no"; - } else { - $reauth = "reauth = yes"; - } - - if (isset($ph1ent['rekey_enable'])) { - $rekey = "rekey = no"; - } else { - $rekey = "rekey = yes"; - } - - $forceencaps = 'forceencaps = no' ; - if (!empty($ph1ent['nat_traversal']) && $ph1ent['nat_traversal'] == 'force') { - $forceencaps = 'forceencaps = yes'; - } - - $ipseclifetime = 0; - $rightsubnet_spec = array(); - $leftsubnet_spec = array(); - $ealgoAHsp2arr = array(); - $ealgoESPsp2arr = array(); - - - if (count($a_phase2)) { - foreach ($a_phase2 as $ph2ent) { - if ($ph1ent['ikeid'] != $ph2ent['ikeid'] || isset($ph2ent['disabled'])) { - continue; - } - if (isset($ph2ent['mobile']) && !isset($a_client['enable'])){ - continue; - } - - if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) { - $tunneltype = "type = tunnel"; - $localid_type = $ph2ent['localid']['type']; - $leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']); - /* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */ - if (($localid_type == "none" || $localid_type == "mobile") - && isset($ph1ent['mobile']) && (ipsec_get_number_of_phase2($ph1ent['ikeid'])==1)) { - $left_spec = '%any'; - } else { - if ($localid_type != "address") { - $localid_type = "subnet"; - } - // Don't let an empty subnet into config, it can cause parse errors. Ticket #2201. 
- if (!is_ipaddr($leftsubnet_data) && !is_subnet($leftsubnet_data) && ($leftsubnet_data != "0.0.0.0/0")) { - log_error("Invalid IPsec Phase 2 \"{$ph2ent['descr']}\" - {$ph2ent['localid']['type']} has no subnet."); - continue; - } - if (!empty($ph2ent['natlocalid'])) { - $natfilterrules = true; - } - } - - $leftsubnet_spec[] = $leftsubnet_data; - - if (!isset($ph2ent['mobile'])) { - $tmpsubnet = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']); - $rightsubnet_spec[] = $tmpsubnet; - } else if (!empty($a_client['pool_address'])) { - $rightsubnet_spec[] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}"; - } - } else { - $tunneltype = "type = transport"; - if ((($ph1ent['authentication_method'] == "xauth_psk_server") || - ($ph1ent['authentication_method'] == "pre_shared_key")) && isset($ph1ent['mobile'])) { - $left_spec = "%any"; - } else { - $tmpsubnet = ipsec_get_phase1_src($ph1ent); - $leftsubnet_spec[] = $tmpsubnet; - } - if (!isset($ph2ent['mobile'])) { - $rightsubnet_spec[] = $right_spec; - } - } - if (isset($a_client['pfs_group'])) { - $ph2ent['pfsgroup'] = $a_client['pfs_group']; - } - if (isset($ph2ent['protocol']) && $ph2ent['protocol'] == 'esp') { - $ealgoESPsp2arr_details = array(); - if (is_array($ph2ent['encryption-algorithm-option'])) { - foreach ($ph2ent['encryption-algorithm-option'] as $ealg) { - $ealg_id = $ealg['name']; - if (isset($ealg['keylen'])) { - $ealg_kl = $ealg['keylen']; - } else { - $ealg_kl = null; - } - - if ($ealg_kl == "auto") { - $key_hi = $p2_ealgos[$ealg_id]['keysel']['hi']; - $key_lo = $p2_ealgos[$ealg_id]['keysel']['lo']; - $key_step = $p2_ealgos[$ealg_id]['keysel']['step']; - /* XXX: in some cases where include ordering is suspect these variables - * are somehow 0 and we enter this loop forever and timeout after 900 - * seconds wrecking bootup */ - if ($key_hi != 0 and $key_lo !=0 and $key_step !=0) { - for ($keylen = $key_hi; $keylen >= $key_lo; $keylen -= $key_step) { - if 
(!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) { - foreach ($ph2ent['hash-algorithm-option'] as $halgo) { - $halgo = str_replace('hmac_', '', $halgo); - $tmpealgo = "{$ealg_id}{$keylen}-{$halgo}"; - $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); - if (!empty($modp)) { - $tmpealgo .= "-{$modp}"; - } - $ealgoESPsp2arr_details[] = $tmpealgo; - } - } else { - $tmpealgo = "{$ealg_id}{$keylen}"; - $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); - if (!empty($modp)) { - $tmpealgo .= "-{$modp}"; - } - $ealgoESPsp2arr_details[] = $tmpealgo; - } - } - } - } else { - if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) { - foreach ($ph2ent['hash-algorithm-option'] as $halgo) { - $halgo = str_replace('hmac_', '', $halgo); - $tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}"; - $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); - if (!empty($modp)) { - $tmpealgo .= "-{$modp}"; - } - $ealgoESPsp2arr_details[] = $tmpealgo; - } - } else { - $tmpealgo = "{$ealg_id}{$ealg_kl}"; - $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); - if (!empty($modp)) { - $tmpealgo .= "-{$modp}"; - } - $ealgoESPsp2arr_details[] = $tmpealgo; - } - } - } - } - $ealgoESPsp2arr[] = $ealgoESPsp2arr_details; - } else if (isset($ph2ent['protocol']) && $ph2ent['protocol'] == 'ah') { - $ealgoAHsp2arr_details = array(); - if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) { - $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); - foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) { - $tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo); - if (!empty($modp)) { - $tmpAHalgo = "-{$modp}"; - } - $ealgoAHsp2arr_details[] = $tmpAHalgo; - } - } - $ealgoAHsp2arr[] = $ealgoAHsp2arr_details; - } - - if (!empty($ph2ent['lifetime'])) { - if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime'])) { - $ipseclifetime = intval($ph2ent['lifetime']); - } - } - 
} - } - - $connEntry =<<> - aggressive = {$aggressive} - fragmentation = yes - keyexchange = {$keyexchange} - {$reauth} - {$rekey} - {$forceencaps} - installpolicy = yes - {$tunneltype} - {$dpdline} - auto = {$conn_auto} - left = {$left_spec} - right = {$right_spec} - leftid = {$myid_data} - {$ikelifeline} - -EOD; - - if ($ipseclifetime > 0) { - $connEntry .= "\tlifetime = {$ipseclifetime}s\n"; - } - if (!empty($rightsourceip)) { - $connEntry .= "{$rightsourceip}"; - } - if (!empty($ealgosp1)) { - $connEntry .= "\t{$ealgosp1}\n"; - } - if (!empty($authentication)) { - $connEntry .= "\t{$authentication}\n"; - } - if (!empty($peerid_spec)) { - $connEntry .= "\trightid = {$peerid_spec}\n"; - } - - // append ipsec connections - if (!isset($ph1ent['mobile']) && $keyexchange == 'ikev1') { - // ikev1 not mobile - for ($idx = 0 ; $idx < count($leftsubnet_spec) ; ++$idx) { - if (count($leftsubnet_spec) == 1) { - $tmpconf = str_replace('<>', "{$ph1ent['ikeid']}", $connEntry); - } else { - // suffix connection with sequence number - $tmpconf = str_replace('<>', "{$ph1ent['ikeid']}-00{$idx}", $connEntry); - } - $tmpconf .= "\trightsubnet =" . $rightsubnet_spec[$idx]. "\n" ; - $tmpconf .= "\tleftsubnet = " . $leftsubnet_spec[$idx] . "\n"; - if (!empty($ealgoESPsp2arr[$idx])) { - $tmpconf .= "\tesp = " . join(',', $ealgoESPsp2arr[$idx]) . "!\n"; - } - if (!empty($ealgoAHsp2arr[$idx])) { - $connEntry .= "\tah = " . join(',', $ealgoAHsp2arr[$idx]) . "!\n"; - } - $ipsecconf .= $tmpconf; - } - } else { - // mobile and ikev2 - $tmpconf = str_replace('<>', "{$ph1ent['ikeid']}", $connEntry); - if (!empty($rightsubnet_spec)) { - $tmpconf .= "\trightsubnet = " . join(",", $rightsubnet_spec) . "\n"; - } - if (!empty($leftsubnet_spec)) { - $tmpconf .= "\tleftsubnet = " . join(",", $leftsubnet_spec) . "\n"; - } - // merge esp phase 2 arrays. 
- $esp_content = array(); - foreach ($ealgoESPsp2arr as $ealgoESPsp2arr_details) { - foreach ($ealgoESPsp2arr_details as $esp_item) { - if (!in_array($esp_item, $esp_content)) { - $esp_content[] = $esp_item; - } - } - } - // merge ah phase 2 arrays. - $ah_content = array(); - foreach ($ealgoAHsp2arr as $ealgoAHsp2arr_details) { - foreach ($ealgoAHsp2arr_details as $ah_item) { - if (!in_array($ah_item, $ah_content)) { - $ah_content[] = $ah_item; - } - } - } - if (!empty($esp_content)) { - $tmpconf .= "\tesp = " . join(',', $esp_content) . "!\n"; - } - if (!empty($ah_content)) { - $tmpconf .= "\tah = " . join(',', $ah_content) . "!\n"; - } - $ipsecconf .= $tmpconf; - } - } - } - } - // dump file, replace tabs for 2 spaces - @file_put_contents("/usr/local/etc/ipsec.conf", str_replace("\t",' ', $ipsecconf)); - unset($ipsecconf); - /* end ipsec.conf */ - - /* mange process */ - if (isvalidpid('/var/run/charon.pid')) { - /* Read secrets */ - mwexec('/usr/local/sbin/ipsec rereadall', false); - /* Update configuration changes */ - mwexec('/usr/local/sbin/ipsec reload', false); - } else { - mwexec("/usr/local/sbin/ipsec start", false); - } - - if ($natfilterrules == true) { - filter_configure(); - } - - /* start filterdns, if necessary */ - if (count($filterdns_list) > 0) { - $interval = 60; - if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval'])) { - $interval = $ipseccfg['dns-interval']; - } - - $hostnames = ""; - array_unique($filterdns_list); - foreach ($filterdns_list as $hostname) { - $hostnames .= "cmd {$hostname} '/usr/local/opnsense/service/configd_ctl.py ipsecdns reload'\n"; - } - file_put_contents("/usr/local/etc/filterdns-ipsec.hosts", $hostnames); - unset($hostnames); - - if (isvalidpid('/var/run/filterdns-ipsec.pid')) { - killbypid('/var/run/filterdns-ipsec.pid', 'HUP'); - } else { - mwexec("/usr/local/sbin/filterdns -p /var/run/filterdns-ipsec.pid -i {$interval} -c /usr/local/etc/filterdns-ipsec.hosts -d 1"); - } - } else { - 
killbypid('/var/run/filterdns-ipsec.pid'); - } - - if (file_exists("/var/run/booting")) { - echo "done\n"; - } - - return count($filterdns_list); -} - -/* - * Forcefully restart IPsec - * This is required for when dynamic interfaces reload - * For all other occasions the normal vpn_ipsec_configure() - * will gracefully reload the settings without restarting - */ -function vpn_ipsec_force_reload($interface = '') -{ - global $config; - - $ipseccfg = $config['ipsec']; - - if (!empty($interface) && isset($ipseccfg['phase1']) && is_array($ipseccfg['phase1'])) { - $found = false; - foreach ($ipseccfg['phase1'] as $ipsec) { - if (!isset($ipsec['disabled']) && ($ipsec['interface'] == $interface)) { - $found = true; - break; - } - } - if (!$found) { - log_error(sprintf(gettext("Ignoring IPsec reload since there are no tunnels on interface %s"), $interface)); - return; - } - } - - /* if ipsec is enabled, start up again */ - if (isset($ipseccfg['enable'])) { - log_error(gettext("Forcefully reloading IPsec")); - vpn_ipsec_configure(); - } -} - -/* master setup for vpn (mpd) */ function vpn_setup() { /* start pptpd */ From c68033bc465d28c173d8f7d1280eba553d3f6419 Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Fri, 19 Feb 2016 08:58:45 +0100 Subject: [PATCH 04/16] ipsec: strip vpn_ prefix from backend functions for clarity --- src/etc/inc/interfaces.inc | 4 ++-- src/etc/inc/ipsec.inc | 22 +++++++++++----------- src/etc/inc/xmlrpc/legacy.inc | 2 +- src/etc/rc.bootup | 4 ++-- src/etc/rc.newipsecdns | 7 ++++--- src/etc/rc.newwanip | 2 +- src/etc/rc.newwanipv6 | 4 ++-- src/www/vpn_ipsec.php | 4 ++-- src/www/vpn_ipsec_keys.php | 7 ++----- src/www/vpn_ipsec_mobile.php | 9 ++------- src/www/vpn_ipsec_phase1.php | 2 +- src/www/vpn_ipsec_settings.php | 3 +-- 12 files changed, 31 insertions(+), 39 deletions(-) diff --git a/src/etc/inc/interfaces.inc b/src/etc/inc/interfaces.inc index 9d93ad2ab..63559950d 100644 --- a/src/etc/inc/interfaces.inc +++ b/src/etc/inc/interfaces.inc 
@@ -1183,7 +1183,7 @@ function interfaces_configure() system_routing_configure(); /* reload IPsec tunnels */ - vpn_ipsec_configure(); + ipsec_configure(); /* reload dhcpd (interface enabled/disabled status may have changed) */ services_dhcpd_configure(); @@ -3164,7 +3164,7 @@ function interface_configure($interface = 'wan', $reloadall = false, $linkupeven system_routing_configure($interface); /* reload ipsec tunnels */ - vpn_ipsec_configure(); + ipsec_configure(); /* restart dnsmasq or unbound */ if (isset($config['dnsmasq']['enable'])) { diff --git a/src/etc/inc/ipsec.inc b/src/etc/inc/ipsec.inc index ce630197f..50631a195 100644 --- a/src/etc/inc/ipsec.inc +++ b/src/etc/inc/ipsec.inc @@ -400,7 +400,7 @@ function ipsec_find_id(& $ph1ent, $side = "local", $rgmap = array()) { } /* include all configuration functions */ -function vpn_ipsec_convert_to_modp($index) +function ipsec_convert_to_modp($index) { $convertion = ""; switch ($index) { @@ -433,7 +433,7 @@ function vpn_ipsec_convert_to_modp($index) return $convertion; } -function vpn_ipsec_configure() +function ipsec_configure() { global $config, $p2_ealgos, $ipsec_loglevels; @@ -913,7 +913,7 @@ EOD; } else { $ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}"; } - $modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']); + $modp = ipsec_convert_to_modp($ph1ent['dhgroup']); if (!empty($modp)) { $ealgosp1 .= "-{$modp}"; } @@ -1086,7 +1086,7 @@ EOD; foreach ($ph2ent['hash-algorithm-option'] as $halgo) { $halgo = str_replace('hmac_', '', $halgo); $tmpealgo = "{$ealg_id}{$keylen}-{$halgo}"; - $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); + $modp = ipsec_convert_to_modp($ph2ent['pfsgroup']); if (!empty($modp)) { $tmpealgo .= "-{$modp}"; } @@ -1094,7 +1094,7 @@ EOD; } } else { $tmpealgo = "{$ealg_id}{$keylen}"; - $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); + $modp = ipsec_convert_to_modp($ph2ent['pfsgroup']); if (!empty($modp)) { $tmpealgo .= "-{$modp}"; } 
@@ -1107,7 +1107,7 @@ EOD; foreach ($ph2ent['hash-algorithm-option'] as $halgo) { $halgo = str_replace('hmac_', '', $halgo); $tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}"; - $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); + $modp = ipsec_convert_to_modp($ph2ent['pfsgroup']); if (!empty($modp)) { $tmpealgo .= "-{$modp}"; } @@ -1115,7 +1115,7 @@ EOD; } } else { $tmpealgo = "{$ealg_id}{$ealg_kl}"; - $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); + $modp = ipsec_convert_to_modp($ph2ent['pfsgroup']); if (!empty($modp)) { $tmpealgo .= "-{$modp}"; } @@ -1128,7 +1128,7 @@ EOD; } else if (isset($ph2ent['protocol']) && $ph2ent['protocol'] == 'ah') { $ealgoAHsp2arr_details = array(); if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) { - $modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']); + $modp = ipsec_convert_to_modp($ph2ent['pfsgroup']); foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) { $tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo); if (!empty($modp)) { @@ -1295,10 +1295,10 @@ EOD; /* * Forcefully restart IPsec * This is required for when dynamic interfaces reload - * For all other occasions the normal vpn_ipsec_configure() + * For all other occasions the normal ipsec_configure() * will gracefully reload the settings without restarting */ -function vpn_ipsec_force_reload($interface = '') +function ipsec_force_reload($interface = '') { global $config; @@ -1321,6 +1321,6 @@ function vpn_ipsec_force_reload($interface = '') /* if ipsec is enabled, start up again */ if (isset($ipseccfg['enable'])) { log_error(gettext("Forcefully reloading IPsec")); - vpn_ipsec_configure(); + ipsec_configure(); } } diff --git a/src/etc/inc/xmlrpc/legacy.inc b/src/etc/inc/xmlrpc/legacy.inc index d4e253cfb..2adfafc5d 100644 --- a/src/etc/inc/xmlrpc/legacy.inc +++ b/src/etc/inc/xmlrpc/legacy.inc 
@@ -256,7 +256,7 @@ function restore_config_section_xmlrpc($new_config) } if (isset($old_config['ipsec']['enable']) !== isset($config['ipsec']['enable'])) { - vpn_ipsec_configure(); + ipsec_configure(); } unset($old_config); diff --git a/src/etc/rc.bootup b/src/etc/rc.bootup index a08b80727..dc98b15d0 100755 --- a/src/etc/rc.bootup +++ b/src/etc/rc.bootup @@ -319,7 +319,7 @@ filter_configure_sync(); vpn_setup(); /* start IPsec tunnels */ -$ipsec_dynamic_hosts = vpn_ipsec_configure(); +$ipsec_dynamic_hosts = ipsec_configure(); /* start SNMP service */ services_snmpd_configure(); @@ -360,7 +360,7 @@ system_syslogd_start(); /* If there are ipsec dynamic hosts try again to reload the tunnels as rc.newipsecdns does */ if ($ipsec_dynamic_hosts) { - vpn_ipsec_configure(); + ipsec_configure(); filter_configure(); } diff --git a/src/etc/rc.newipsecdns b/src/etc/rc.newipsecdns index 9833c4529..c69bd7cf1 100755 --- a/src/etc/rc.newipsecdns +++ b/src/etc/rc.newipsecdns @@ -50,9 +50,10 @@ if (isset($config['ipsec']['enable'])) { $ipseclck = lock('ipsecdns', LOCK_EX); -vpn_ipsec_configure(); +ipsec_configure(); -if (isset($config['ipsec']['failoverforcereload'])) - vpn_ipsec_force_reload(); +if (isset($config['ipsec']['failoverforcereload'])) { + ipsec_force_reload(); +} unlock($ipseclck); diff --git a/src/etc/rc.newwanip b/src/etc/rc.newwanip index f69a0ea20..7856bb396 100755 --- a/src/etc/rc.newwanip +++ b/src/etc/rc.newwanip @@ -201,7 +201,7 @@ if (!is_ipaddr($oldip) || $curwanip != $oldip || !is_ipaddrv4($config['interface services_dyndns_configure($interface); /* reconfigure IPsec tunnels */ - vpn_ipsec_force_reload($interface); + ipsec_force_reload($interface); /* start OpenVPN server & clients */ if (substr($interface_real, 0, 4) != "ovpn") { diff --git a/src/etc/rc.newwanipv6 b/src/etc/rc.newwanipv6 index e117da459..2da1c56b8 100755 --- a/src/etc/rc.newwanipv6 +++ b/src/etc/rc.newwanipv6 
@@ -127,7 +127,7 @@ if (is_ipaddrv6($oldipv6)) { // Still need to sync VPNs on PPPoE and such, as even with the same IP the VPN software is unhappy with the IP disappearing. if (in_array($config['interfaces'][$interface]['ipaddrv6'], array('pppoe', 'pptp', 'ppp'))) { /* reconfigure IPsec tunnels */ - vpn_ipsec_force_reload($interface); + ipsec_force_reload($interface); /* start OpenVPN server & clients */ if (substr($interface_real, 0, 4) != "ovpn") @@ -147,7 +147,7 @@ services_dnsupdate_process($interface); services_dyndns_configure($interface); /* reconfigure IPsec tunnels */ -vpn_ipsec_force_reload($interface); +ipsec_force_reload($interface); /* start OpenVPN server & clients */ if (substr($interface_real, 0, 4) != "ovpn") diff --git a/src/www/vpn_ipsec.php b/src/www/vpn_ipsec.php index 803d14515..fd0b83e5f 100644 --- a/src/www/vpn_ipsec.php +++ b/src/www/vpn_ipsec.php @@ -79,7 +79,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') { $a_phase1 = &$config['ipsec']['phase1']; $a_phase2 = &$config['ipsec']['phase2']; if (isset($_POST['apply'])) { - $retval = vpn_ipsec_configure(); + $retval = ipsec_configure(); /* reload the filter in the background */ filter_configure(); $savemsg = get_std_save_message(); @@ -91,7 +91,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') { } elseif (isset($_POST['save'])) { $config['ipsec']['enable'] = !empty($_POST['enable']) ? true : false; write_config(); - vpn_ipsec_configure(); + ipsec_configure(); header("Location: vpn_ipsec.php"); exit; } elseif (!empty($_POST['act']) && $_POST['act'] == "delphase1" ) { diff --git a/src/www/vpn_ipsec_keys.php b/src/www/vpn_ipsec_keys.php index 19dd3ed60..22c6f7b82 100644 --- a/src/www/vpn_ipsec_keys.php +++ b/src/www/vpn_ipsec_keys.php 
@@ -57,13 +57,10 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') { } } elseif (isset($_POST['apply'])) { // apply changes - $retval = vpn_ipsec_configure(); - /* reload the filter in the background */ + ipsec_configure(); filter_configure(); $savemsg = get_std_save_message(); - if (is_subsystem_dirty('ipsec')) { - clear_subsystem_dirty('ipsec'); - } + clear_subsystem_dirty('ipsec'); } else { // nothing to post, redirect header("Location: vpn_ipsec_keys.php"); diff --git a/src/www/vpn_ipsec_mobile.php b/src/www/vpn_ipsec_mobile.php index 12fdf1edc..4a63eaf21 100644 --- a/src/www/vpn_ipsec_mobile.php +++ b/src/www/vpn_ipsec_mobile.php @@ -90,14 +90,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { exit; } elseif (isset($_POST['apply'])) { // apply changes - $retval = 0; - $retval = vpn_ipsec_configure(); + ipsec_configure(); $savemsg = get_std_save_message(); - if ($retval >= 0) { - if (is_subsystem_dirty('ipsec')) { - clear_subsystem_dirty('ipsec'); - } - } + clear_subsystem_dirty('ipsec'); header("Location: vpn_ipsec_mobile.php?savemsg=".$savemsg); exit; } elseif (isset($_POST['submit'])) { diff --git a/src/www/vpn_ipsec_phase1.php b/src/www/vpn_ipsec_phase1.php index 0d6af4a00..fed99a090 100644 --- a/src/www/vpn_ipsec_phase1.php +++ b/src/www/vpn_ipsec_phase1.php @@ -400,7 +400,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { } /* if the remote gateway changed and the interface is not WAN then remove route */ - /* the vpn_ipsec_configure() handles adding the route */ + /* the ipsec_configure() handles adding the route */ if ($pconfig['interface'] <> "wan") { if ($old_ph1ent['remote-gateway'] <> $pconfig['remote-gateway']) { mwexec("/sbin/route delete -host {$old_ph1ent['remote-gateway']}"); diff --git a/src/www/vpn_ipsec_settings.php b/src/www/vpn_ipsec_settings.php index 7c5de287c..b11e052fa 100644 --- a/src/www/vpn_ipsec_settings.php +++ b/src/www/vpn_ipsec_settings.php 
@@ -100,9 +100,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { write_config(); $savemsg = get_std_save_message(); - filter_configure(); - vpn_ipsec_configure(); + ipsec_configure(); } $service_hook = 'ipsec'; From 93e47fac388d9b9d8983f60b0677d9844ad63823 Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Fri, 19 Feb 2016 09:15:16 +0100 Subject: [PATCH 05/16] plugins: clean up a bit, add temporary laucher for functions --- src/etc/inc/plugins.inc | 8 ++++++++ src/etc/inc/plugins.inc.d/vpn.inc | 29 ++++++++++------------------- src/etc/rc.bootup | 10 ++++++++-- src/www/vpn_pptp.php | 5 +---- src/www/vpn_pptp_users.php | 9 ++------- 5 files changed, 29 insertions(+), 32 deletions(-) diff --git a/src/etc/inc/plugins.inc b/src/etc/inc/plugins.inc index 307a10e3e..51945897f 100644 --- a/src/etc/inc/plugins.inc +++ b/src/etc/inc/plugins.inc @@ -29,3 +29,11 @@ foreach (glob('/usr/local/etc/inc/plugins.inc.d/*.inc') as $plugin) { require_once $plugin; } + +/* XXX must be reworked to work dynamically, not by name */ +function plugins_hook_xxx($name) +{ + if (function_exists($name)) { + return $name(); + } +} diff --git a/src/etc/inc/plugins.inc.d/vpn.inc b/src/etc/inc/plugins.inc.d/vpn.inc index 37e27f5e5..4c07107ee 100644 --- a/src/etc/inc/plugins.inc.d/vpn.inc +++ b/src/etc/inc/plugins.inc.d/vpn.inc @@ -29,18 +29,6 @@ POSSIBILITY OF SUCH DAMAGE. */ -function vpn_setup() -{ - /* start pptpd */ - vpn_pptpd_configure(); - - /* start pppoe server */ - vpn_pppoes_configure(); - - /* setup l2tp */ - vpn_l2tp_configure(); -} - function vpn_netgraph_support() { $iflist = get_configured_interface_list(); foreach ($iflist as $iface) { 
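Review bot: The `filter_configure();` call after `write_config();` is dropped together with the rename, so saving the IPsec settings page no longer reloads the firewall rules, and the new `ipsec_configure();` only reloads the filter itself on the `$natfilterrules` path (a phase 2 with a NAT local id), as the function body removed from vpn.inc earlier in this series shows. Any setting on this page that influences generated rules would then wait for the next unrelated reload. If the removal is intentional it should be stated in the commit message, which only mentions stripping the `vpn_` prefix; otherwise keep the line: `filter_configure();`. The enclosing POST handler starts before the hunk.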
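Review bot: `plugins_hook_xxx()` resolves any string to a function call guarded only by `function_exists()`, and it returns nothing when the name is not defined, so a caller that expected a status (the `$retval` checks removed from vpn_pptp_users.php in this same commit) now gets `null` silently. The XXX comment already says the lookup-by-name is temporary; until it becomes a registry of known plugin entry points, the contract should be written down where callers see it, e.g. above the function: `/* XXX temporary: $name must be a constant string chosen by the caller, never derived from configuration or request data; returns null when no such function is defined */`. A `return null;` fallthrough would also make the "not present" result explicit rather than implicit.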
@@ -275,16 +263,19 @@ EOD; return 0; } -function vpn_pppoes_configure() { - global $config; +function vpn_pppoes_configure() +{ + global $config; - if (isset($config['pppoes']['pppoe']) && is_array($config['pppoes']['pppoe'])) { - foreach ($config['pppoes']['pppoe'] as $pppoe) - vpn_pppoe_configure($pppoe); - } + if (isset($config['pppoes']['pppoe'])) { + foreach ($config['pppoes']['pppoe'] as $pppoe) { + vpn_pppoe_configure($pppoe); + } + } } -function vpn_pppoe_configure(&$pppoecfg) { +function vpn_pppoe_configure(&$pppoecfg) +{ global $config; $syscfg = $config['system']; diff --git a/src/etc/rc.bootup b/src/etc/rc.bootup index dc98b15d0..76dd1e1b2 100755 --- a/src/etc/rc.bootup +++ b/src/etc/rc.bootup @@ -315,8 +315,14 @@ configd_run("dyndns reload"); /* Run a filter configure now that most all services have started */ filter_configure_sync(); -/* setup pppoe and pptp */ -vpn_setup(); +/* start pptpd */ +plugins_hook_xxx('vpn_pptpd_configure'); + +/* start pppoe server */ +plugins_hook_xxx('vpn_pppoes_configure'); + +/* setup l2tp */ +plugins_hook_xxx('vpn_l2tp_configure'); /* start IPsec tunnels */ $ipsec_dynamic_hosts = ipsec_configure(); diff --git a/src/www/vpn_pptp.php b/src/www/vpn_pptp.php index 6f24db36f..f7edf9afd 100644 --- a/src/www/vpn_pptp.php +++ b/src/www/vpn_pptp.php @@ -187,11 +187,8 @@ if ($_POST) { } write_config(); - - $retval = 0; - $retval = vpn_pptpd_configure(); $savemsg = get_std_save_message(); - + vpn_pptpd_configure(); filter_configure(); } } diff --git a/src/www/vpn_pptp_users.php b/src/www/vpn_pptp_users.php index 1881882fd..e8e00cc52 100644 --- a/src/www/vpn_pptp_users.php +++ b/src/www/vpn_pptp_users.php @@ -39,14 +39,9 @@ if ($_POST) { $pconfig = $_POST; if ($_POST['apply']) { - $retval = 0; - $retval = vpn_setup(); + vpn_pptpd_configure(); $savemsg = get_std_save_message(); - if ($retval == 0) { - if (is_subsystem_dirty('pptpusers')) { - clear_subsystem_dirty('pptpusers'); - } - } + clear_subsystem_dirty('pptpusers'); } } 
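Review bot: The `is_array()` half of the guard in `vpn_pppoes_configure()` is dropped, so `foreach ($config['pppoes']['pppoe'] as $pppoe)` now runs on whatever `isset()` accepts, and on a scalar or empty-string node PHP emits an "invalid argument supplied for foreach" warning instead of silently skipping as before. Unless the config loader is known to always yield an array for this node, keep the original condition: `if (isset($config['pppoes']['pppoe']) && is_array($config['pppoes']['pppoe'])) {`. `vpn_pppoe_configure()` continues past the end of the hunk.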
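Review bot: vpn_pptp.php now calls `vpn_pptpd_configure()` directly, and the vpn_pptp_users.php hunk in this commit does the same, while the rc.bootup hunk reaches the same function through `plugins_hook_xxx('vpn_pptpd_configure')`; the two paths behave differently when the vpn plugin file is not loaded, since a direct call to an undefined function is a fatal error whereas the hook is a no-op. Either route the web pages through the hook as well, or add a comment at the call site stating why these pages may assume the plugin is present, e.g. `// vpn.inc is always loaded for this page; direct call is intended`. Whether these pages still include the plugin file cannot be seen from the hunk.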
From c9b7076609220ed96927492e691cd319ec76afea Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Fri, 19 Feb 2016 09:42:46 +0100 Subject: [PATCH 06/16] plugins: don't need so many includes --- src/etc/rc.filter_configure_sync | 1 - src/etc/rc.initial.setlanip | 1 - src/etc/rc.initial.setports | 1 - src/etc/rc.linkup | 1 - src/etc/rc.newipsecdns | 1 - src/etc/rc.newwanip | 1 - src/etc/rc.newwanipv6 | 1 - src/etc/rc.reload_all | 1 - src/etc/rc.reload_interfaces | 1 - src/www/diag_ipsec_leases.php | 1 - src/www/diag_ipsec_sad.php | 1 - src/www/diag_ipsec_spd.php | 1 - src/www/diag_logs_vpn.inc | 1 - src/www/interfaces.php | 1 - src/www/interfaces_assign.php | 1 - src/www/status_services.php | 1 - src/www/system_advanced_misc.php | 2 -- src/www/system_gateway_groups_edit.php | 1 - src/www/vpn_ipsec.php | 1 - src/www/vpn_ipsec_keys.php | 1 - src/www/vpn_ipsec_keys_edit.php | 1 - src/www/vpn_ipsec_mobile.php | 1 - src/www/vpn_ipsec_phase1.php | 1 - src/www/vpn_ipsec_phase2.php | 1 - src/www/vpn_ipsec_settings.php | 1 - src/www/vpn_l2tp.php | 2 +- src/www/vpn_l2tp_users.php | 2 +- src/www/vpn_l2tp_users_edit.php | 2 +- src/www/vpn_pppoe.php | 2 +- src/www/vpn_pppoe_edit.php | 1 - src/www/vpn_pptp.php | 2 +- src/www/vpn_pptp_users.php | 2 +- src/www/vpn_pptp_users_edit.php | 5 ++--- src/www/widgets/widgets/services_status.widget.php | 1 - 34 files changed, 8 insertions(+), 37 deletions(-)
diff --git a/src/etc/rc.filter_configure_sync b/src/etc/rc.filter_configure_sync
index dbcd5787f..82cdca710 100755
--- a/src/etc/rc.filter_configure_sync
+++ b/src/etc/rc.filter_configure_sync
@@ -31,7 +31,6 @@ require_once("config.inc");
 require_once("util.inc");
 require_once("filter.inc");
 require_once("ipsec.inc");
-require_once("plugins.inc");
 require_once("system.inc");
 require_once("pfsense-utils.inc");
 require_once("interfaces.inc");
diff --git a/src/etc/rc.initial.setlanip b/src/etc/rc.initial.setlanip
index b769eab2d..68a83c83d 100755
--- a/src/etc/rc.initial.setlanip
+++ b/src/etc/rc.initial.setlanip
@@ -32,7 +32,6 @@ require_once("config.inc");
 require_once("interfaces.inc");
 require_once("openvpn.inc");
 require_once("util.inc");
-require_once("plugins.inc");
 require_once("ipsec.inc");
 require_once("filter.inc");
 require_once("rrd.inc");
diff --git a/src/etc/rc.initial.setports b/src/etc/rc.initial.setports
index f69a2c221..ab4485714 100755
--- a/src/etc/rc.initial.setports
+++ b/src/etc/rc.initial.setports
@@ -32,7 +32,6 @@ require_once("config.inc");
 require_once("config.console.inc");
 require_once("filter.inc");
 require_once("util.inc");
-require_once("plugins.inc");
 require_once("ipsec.inc");
 require_once("rrd.inc");
 require_once("system.inc");
diff --git a/src/etc/rc.linkup b/src/etc/rc.linkup
index eeaad9f26..88ed019ec 100755
--- a/src/etc/rc.linkup
+++ b/src/etc/rc.linkup
@@ -31,7 +31,6 @@ require_once("config.inc"); require_once("filter.inc"); require_once("interfaces.inc"); -require_once('plugins.inc'); require_once('ipsec.inc'); require_once('openvpn.inc'); require_once("util.inc");
diff --git a/src/etc/rc.newipsecdns b/src/etc/rc.newipsecdns
index c69bd7cf1..6a4139986 100755
--- a/src/etc/rc.newipsecdns
+++ b/src/etc/rc.newipsecdns
@@ -32,7 +32,6 @@ require_once("util.inc"); require_once("config.inc"); require_once("filter.inc"); -require_once("plugins.inc"); require_once('ipsec.inc'); require_once("pfsense-utils.inc"); require_once("interfaces.inc");
diff --git a/src/etc/rc.newwanip b/src/etc/rc.newwanip
index 7856bb396..b4e072503 100755
--- a/src/etc/rc.newwanip
+++ b/src/etc/rc.newwanip
@@ -31,7 +31,6 @@
 /* parse the configuration and include all functions used below */
 require_once("config.inc");
 require_once("filter.inc");
-require_once("plugins.inc");
 require_once('ipsec.inc');
 require_once("openvpn.inc");
 require_once("rrd.inc");
diff --git a/src/etc/rc.newwanipv6 b/src/etc/rc.newwanipv6
index 2da1c56b8..1a11b493d 100755
--- a/src/etc/rc.newwanipv6
+++ b/src/etc/rc.newwanipv6
@@ -32,7 +32,6 @@ require_once("config.inc"); require_once("interfaces.inc"); require_once("filter.inc"); -require_once("plugins.inc"); require_once('ipsec.inc'); require_once("openvpn.inc"); require_once("services.inc"); diff --git a/src/etc/rc.reload_all b/src/etc/rc.reload_all index dccf3cee6..5a2bff7b5 100755 --- a/src/etc/rc.reload_all +++ b/src/etc/rc.reload_all @@ -31,7 +31,6 @@ require_once("config.inc"); require_once("interfaces.inc"); require_once("openvpn.inc"); require_once("filter.inc"); -require_once("plugins.inc"); require_once('ipsec.inc'); require_once("util.inc"); require_once("system.inc"); diff --git a/src/etc/rc.reload_interfaces b/src/etc/rc.reload_interfaces index 9abb6118c..42f1a95e0 100755 --- a/src/etc/rc.reload_interfaces +++ b/src/etc/rc.reload_interfaces @@ -32,7 +32,6 @@ require_once("filter.inc"); require_once("util.inc"); require_once("openvpn.inc"); require_once('ipsec.inc'); -require_once("plugins.inc"); require_once("system.inc"); require_once("interfaces.inc"); require_once("pfsense-utils.inc"); diff --git a/src/www/diag_ipsec_leases.php b/src/www/diag_ipsec_leases.php index aa137773d..d9b37edae 100644 --- a/src/www/diag_ipsec_leases.php +++ b/src/www/diag_ipsec_leases.php @@ -28,7 +28,6 @@ */ require_once("guiconfig.inc"); -require_once("plugins.inc"); require_once("ipsec.inc"); require_once("services.inc"); require_once("interfaces.inc"); diff --git a/src/www/diag_ipsec_sad.php b/src/www/diag_ipsec_sad.php index 2b61463e5..cc192383c 100644 --- a/src/www/diag_ipsec_sad.php +++ b/src/www/diag_ipsec_sad.php @@ -29,7 +29,6 @@ */ require_once("guiconfig.inc"); -require_once("plugins.inc"); require_once("ipsec.inc"); require_once("services.inc"); require_once("interfaces.inc"); diff --git a/src/www/diag_ipsec_spd.php b/src/www/diag_ipsec_spd.php index 3dfbfd53d..89aea8e00 100644 --- a/src/www/diag_ipsec_spd.php +++ b/src/www/diag_ipsec_spd.php 
@@ -29,7 +29,6 @@ */ require_once("guiconfig.inc"); -require_once("plugins.inc"); require_once("ipsec.inc"); require_once("services.inc"); require_once("interfaces.inc"); diff --git a/src/www/diag_logs_vpn.inc b/src/www/diag_logs_vpn.inc index e4774356f..e1f6a3251 100644 --- a/src/www/diag_logs_vpn.inc +++ b/src/www/diag_logs_vpn.inc @@ -28,7 +28,6 @@ */ require_once("guiconfig.inc"); -require_once("plugins.inc"); require_once("system.inc"); require_once("interfaces.inc"); diff --git a/src/www/interfaces.php b/src/www/interfaces.php index f191d4051..b081bfff5 100644 --- a/src/www/interfaces.php +++ b/src/www/interfaces.php @@ -32,7 +32,6 @@ */ require_once("guiconfig.inc"); -require_once("plugins.inc"); require_once("filter.inc"); require_once("rrd.inc"); require_once("system.inc"); diff --git a/src/www/interfaces_assign.php b/src/www/interfaces_assign.php index 08166b3d5..5143fec0c 100644 --- a/src/www/interfaces_assign.php +++ b/src/www/interfaces_assign.php @@ -30,7 +30,6 @@ require_once("guiconfig.inc"); require_once("filter.inc"); -require_once("plugins.inc"); require_once("rrd.inc"); require_once("system.inc"); require_once("interfaces.inc"); diff --git a/src/www/status_services.php b/src/www/status_services.php index fcd571e3f..d35810f00 100644 --- a/src/www/status_services.php +++ b/src/www/status_services.php @@ -36,7 +36,6 @@ require_once("unbound.inc"); require_once("pfsense-utils.inc"); require_once("openvpn.inc"); require_once("filter.inc"); -require_once("plugins.inc"); require_once("ipsec.inc"); require_once("interfaces.inc"); require_once("rrd.inc"); diff --git a/src/www/system_advanced_misc.php b/src/www/system_advanced_misc.php index 87bec40c4..6e4d83483 100644 --- a/src/www/system_advanced_misc.php +++ b/src/www/system_advanced_misc.php @@ -31,7 +31,6 @@ require_once("guiconfig.inc"); require_once("filter.inc"); -require_once("plugins.inc"); require_once("ipsec.inc"); require_once("vslb.inc"); require_once("system.inc"); 
@@ -39,7 +38,6 @@ require_once("pfsense-utils.inc"); require_once("services.inc"); require_once("interfaces.inc"); - $crypto_modules = array('glxsb' => gettext("AMD Geode LX Security Block"), 'aesni' => gettext("AES-NI CPU-based Acceleration") ); diff --git a/src/www/system_gateway_groups_edit.php b/src/www/system_gateway_groups_edit.php index 7057a79c8..075d93959 100644 --- a/src/www/system_gateway_groups_edit.php +++ b/src/www/system_gateway_groups_edit.php @@ -28,7 +28,6 @@ */ require_once("guiconfig.inc"); -require_once("plugins.inc"); require_once("ipsec.inc"); require_once("services.inc"); require_once("interfaces.inc"); diff --git a/src/www/vpn_ipsec.php b/src/www/vpn_ipsec.php index fd0b83e5f..500d6bc1f 100644 --- a/src/www/vpn_ipsec.php +++ b/src/www/vpn_ipsec.php @@ -30,7 +30,6 @@ require_once("guiconfig.inc"); require_once("filter.inc"); -require_once("plugins.inc"); require_once("ipsec.inc"); require_once("services.inc"); require_once("pfsense-utils.inc"); diff --git a/src/www/vpn_ipsec_keys.php b/src/www/vpn_ipsec_keys.php index 22c6f7b82..5a93b7351 100644 --- a/src/www/vpn_ipsec_keys.php +++ b/src/www/vpn_ipsec_keys.php @@ -28,7 +28,6 @@ */ require_once("guiconfig.inc"); -require_once("plugins.inc"); require_once("ipsec.inc"); require_once("filter.inc"); require_once("services.inc"); diff --git a/src/www/vpn_ipsec_keys_edit.php b/src/www/vpn_ipsec_keys_edit.php index ac36b01a0..2d3d6be53 100644 --- a/src/www/vpn_ipsec_keys_edit.php +++ b/src/www/vpn_ipsec_keys_edit.php @@ -29,7 +29,6 @@ require_once("interfaces.inc"); require_once("guiconfig.inc"); -require_once("plugins.inc"); require_once("ipsec.inc"); require_once("services.inc"); diff --git a/src/www/vpn_ipsec_mobile.php b/src/www/vpn_ipsec_mobile.php index 4a63eaf21..4014a424a 100644 --- a/src/www/vpn_ipsec_mobile.php +++ b/src/www/vpn_ipsec_mobile.php 
@@ -30,7 +30,6 @@ require_once("interfaces.inc"); require_once("guiconfig.inc"); require_once("filter.inc"); -require_once("plugins.inc"); require_once("ipsec.inc"); require_once("services.inc"); require_once("pfsense-utils.inc"); diff --git a/src/www/vpn_ipsec_phase1.php b/src/www/vpn_ipsec_phase1.php index fed99a090..00c075499 100644 --- a/src/www/vpn_ipsec_phase1.php +++ b/src/www/vpn_ipsec_phase1.php @@ -32,7 +32,6 @@ require_once("guiconfig.inc"); require_once("filter.inc"); require_once("ipsec.inc"); -require_once("plugins.inc"); require_once("services.inc"); require_once("pfsense-utils.inc"); require_once("interfaces.inc"); diff --git a/src/www/vpn_ipsec_phase2.php b/src/www/vpn_ipsec_phase2.php index 3609da6df..c3b3a1dd9 100644 --- a/src/www/vpn_ipsec_phase2.php +++ b/src/www/vpn_ipsec_phase2.php @@ -31,7 +31,6 @@ require_once("guiconfig.inc"); require_once("interfaces.inc"); require_once("ipsec.inc"); -require_once("plugins.inc"); require_once("services.inc"); /** diff --git a/src/www/vpn_ipsec_settings.php b/src/www/vpn_ipsec_settings.php index b11e052fa..126594cc0 100644 --- a/src/www/vpn_ipsec_settings.php +++ b/src/www/vpn_ipsec_settings.php @@ -30,7 +30,6 @@ require_once("guiconfig.inc"); require_once("filter.inc"); require_once("ipsec.inc"); -require_once("plugins.inc"); require_once("services.inc"); require_once("pfsense-utils.inc"); require_once("interfaces.inc"); diff --git a/src/www/vpn_l2tp.php b/src/www/vpn_l2tp.php index ce3cbef82..3c3a76305 100644 --- a/src/www/vpn_l2tp.php +++ b/src/www/vpn_l2tp.php @@ -28,7 +28,7 @@ */ require_once("guiconfig.inc"); -require_once("plugins.inc"); +require_once("plugins.inc.d/vpn.inc"); require_once("pfsense-utils.inc"); require_once("interfaces.inc"); diff --git a/src/www/vpn_l2tp_users.php b/src/www/vpn_l2tp_users.php index f8529ab77..7829611cc 100644 --- a/src/www/vpn_l2tp_users.php +++ b/src/www/vpn_l2tp_users.php 
@@ -28,7 +28,7 @@ */ require_once("guiconfig.inc"); -require_once("plugins.inc"); +require_once("plugins.inc.d/vpn.inc"); if (!isset($config['l2tp']['user'])) { $config['l2tp']['user'] = array(); diff --git a/src/www/vpn_l2tp_users_edit.php b/src/www/vpn_l2tp_users_edit.php index af58d5f78..6fe45f4d7 100644 --- a/src/www/vpn_l2tp_users_edit.php +++ b/src/www/vpn_l2tp_users_edit.php @@ -44,7 +44,7 @@ function l2tp_users_sort() } require_once("guiconfig.inc"); -require_once("plugins.inc"); +require_once("plugins.inc.d/vpn.inc"); $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/vpn_l2tp_users.php'); diff --git a/src/www/vpn_pppoe.php b/src/www/vpn_pppoe.php index 8456e667b..93230268d 100644 --- a/src/www/vpn_pppoe.php +++ b/src/www/vpn_pppoe.php @@ -29,7 +29,7 @@ require_once("guiconfig.inc"); require_once("filter.inc"); -require_once("plugins.inc"); +require_once("plugins.inc.d/vpn.inc"); require_once("interfaces.inc"); if (!is_array($config['pppoes'])) { diff --git a/src/www/vpn_pppoe_edit.php b/src/www/vpn_pppoe_edit.php index 4755b88b5..b543cb93c 100644 --- a/src/www/vpn_pppoe_edit.php +++ b/src/www/vpn_pppoe_edit.php @@ -29,7 +29,6 @@ */ require_once("guiconfig.inc"); -require_once("plugins.inc"); require_once("interfaces.inc"); function vpn_pppoe_get_id() diff --git a/src/www/vpn_pptp.php b/src/www/vpn_pptp.php index f7edf9afd..b010cf64a 100644 --- a/src/www/vpn_pptp.php +++ b/src/www/vpn_pptp.php @@ -30,7 +30,7 @@ require_once('guiconfig.inc'); require_once('interfaces.inc'); require_once('filter.inc'); -require_once('plugins.inc'); +require_once('plugins.inc.d/vpn.inc'); require_once("pfsense-utils.inc"); if (!is_array($config['pptpd']['radius'])) { diff --git a/src/www/vpn_pptp_users.php b/src/www/vpn_pptp_users.php index e8e00cc52..569820011 100644 --- a/src/www/vpn_pptp_users.php +++ b/src/www/vpn_pptp_users.php 
@@ -28,7 +28,7 @@ */ require_once('guiconfig.inc'); -require_once('plugins.inc'); +require_once('plugins.inc.d/vpn.inc'); if (!is_array($config['pptpd']['user'])) { $config['pptpd']['user'] = array(); diff --git a/src/www/vpn_pptp_users_edit.php b/src/www/vpn_pptp_users_edit.php index b2bfc5795..f790a79f5 100644 --- a/src/www/vpn_pptp_users_edit.php +++ b/src/www/vpn_pptp_users_edit.php @@ -34,17 +34,16 @@ function pptpusercmp($a, $b) function pptpd_users_sort() { - global $config; + global $config; if (!is_array($config['ppptpd']['user'])) { return; } - usort($config['pptpd']['user'], "pptpusercmp"); + usort($config['pptpd']['user'], "pptpusercmp"); } require_once('guiconfig.inc'); -require_once('plugins.inc'); if (!is_array($config['pptpd']['user'])) { $config['pptpd']['user'] = array(); diff --git a/src/www/widgets/widgets/services_status.widget.php b/src/www/widgets/widgets/services_status.widget.php index 03760ea16..a4ae272c7 100644 --- a/src/www/widgets/widgets/services_status.widget.php +++ b/src/www/widgets/widgets/services_status.widget.php @@ -33,7 +33,6 @@ $nocsrf = true; require_once("guiconfig.inc"); require_once("services.inc"); -require_once("plugins.inc"); require_once("ipsec.inc"); require_once("widgets/include/services_status.inc"); require_once("interfaces.inc"); From cbd9ffb5f951f639241fa5eb3cce8ee564ce0aa9 Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Fri, 19 Feb 2016 17:13:26 +0100 Subject: [PATCH 07/16] plugins: make plugins.inc side-effect free The rules are simple: * plugins_configure() requires all available plugins, probes their configure functions and then calls the advertised functions. * All GUI pages must directly include their includes in plugins.inc.d to not overly pollute their loading phase. --- src/etc/inc/plugins.inc | 37 ++++++++++++++++++++++++++----- src/etc/inc/plugins.inc.d/vpn.inc | 9 ++++++++ src/etc/rc.bootup | 10 ++------- 3 files changed, 42 insertions(+), 14 deletions(-) 
diff --git a/src/etc/inc/plugins.inc b/src/etc/inc/plugins.inc index 51945897f..2fbe2e5b3 100644 --- a/src/etc/inc/plugins.inc +++ b/src/etc/inc/plugins.inc @@ -26,14 +26,39 @@ * POSSIBILITY OF SUCH DAMAGE. */ -foreach (glob('/usr/local/etc/inc/plugins.inc.d/*.inc') as $plugin) { - require_once $plugin; +function plugin_scan() +{ + $path = '/usr/local/etc/inc/plugins.inc.d/'; + $ext = '.inc'; + + $ret = array(); + + $plugins = glob($path . '*' . $ext); + if (!is_array($plugins)) { + return $ret; + } + + sort($plugins); + + foreach ($plugins as $plugin) { + $name = preg_replace('/' . preg_quote($path, '/') . '/', '', $plugin); + $name = preg_replace('/' . preg_quote($ext, '/') . '/', '', $name); + $ret[$name] = $plugin; + } + + return $ret; } -/* XXX must be reworked to work dynamically, not by name */ -function plugins_hook_xxx($name) +function plugins_configure() { - if (function_exists($name)) { - return $name(); + foreach (plugin_scan() as $name => $path) { + require_once $path; + $func = sprintf('%s_configure', $name); + if (function_exists($func)) { + $workers = $func(); + foreach ($workers as $worker) { + $worker(); + } + } } } diff --git a/src/etc/inc/plugins.inc.d/vpn.inc b/src/etc/inc/plugins.inc.d/vpn.inc index 4c07107ee..5cb53f897 100644 --- a/src/etc/inc/plugins.inc.d/vpn.inc +++ b/src/etc/inc/plugins.inc.d/vpn.inc @@ -29,6 +29,15 @@ POSSIBILITY OF SUCH DAMAGE. */ +function vpn_configure() +{ + return array( + 'vpn_pptpd_configure', + 'vpn_pppoes_configure', + 'vpn_l2tp_configure' + ); +} + function vpn_netgraph_support() { $iflist = get_configured_interface_list(); foreach ($iflist as $iface) { diff --git a/src/etc/rc.bootup b/src/etc/rc.bootup index 76dd1e1b2..95d6ef74d 100755 --- a/src/etc/rc.bootup +++ b/src/etc/rc.bootup 
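Review bot: The two `preg_replace` calls in `plugin_scan()` are unanchored, so `$ext` is removed at its first occurrence anywhere in the file name rather than at the end (a plugin file named `my.include.inc` would be registered as `mylude.inc`), and the resulting key is exactly what `plugins_configure()` later turns into a function name and calls. `basename()` already does the intended prefix/suffix stripping and removes the need for `preg_quote`: `$ret[basename($plugin, $ext)] = $plugin;`. Because the key is derived from the file system and decides which function gets invoked, keeping that mapping exact matters beyond tidiness.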
@@ -315,14 +315,8 @@ configd_run("dyndns reload"); /* Run a filter configure now that most all services have started */ filter_configure_sync(); -/* start pptpd */ -plugins_hook_xxx('vpn_pptpd_configure'); - -/* start pppoe server */ -plugins_hook_xxx('vpn_pppoes_configure'); - -/* setup l2tp */ -plugins_hook_xxx('vpn_l2tp_configure'); +/* Run all registered plugins */ +plugins_configure(); /* start IPsec tunnels */ $ipsec_dynamic_hosts = ipsec_configure(); From 9709336b25c3f516389bf6a431eff3704c4d8f24 Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Fri, 19 Feb 2016 17:57:11 +0100 Subject: [PATCH 08/16] plugins: add hooks for services --- src/etc/inc/plugins.inc | 18 ++++++++++++++++++ src/etc/inc/plugins.inc.d/vpn.inc | 17 +++++++++++++++++ src/etc/inc/services.inc | 7 +++++++ src/www/diag_logs_pptp.php | 3 +++ src/www/vpn_pptp.php | 5 ++++- src/www/vpn_pptp_users.php | 3 +++ 6 files changed, 52 insertions(+), 1 deletion(-) diff --git a/src/etc/inc/plugins.inc b/src/etc/inc/plugins.inc index 2fbe2e5b3..48505c3aa 100644 --- a/src/etc/inc/plugins.inc +++ b/src/etc/inc/plugins.inc @@ -49,6 +49,24 @@ function plugin_scan() return $ret; } +function plugins_services() +{ + $services = array(); + + foreach (plugin_scan() as $name => $path) { + require_once $path; + $func = sprintf('%s_services', $name); + if (function_exists($func)) { + $workers = $func(); + foreach ($workers as $work) { + $services[] = $work; + } + } + } + + return $services; +} + function plugins_configure() { foreach (plugin_scan() as $name => $path) { diff --git a/src/etc/inc/plugins.inc.d/vpn.inc b/src/etc/inc/plugins.inc.d/vpn.inc index 5cb53f897..841600b31 100644 --- a/src/etc/inc/plugins.inc.d/vpn.inc +++ b/src/etc/inc/plugins.inc.d/vpn.inc 
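Review bot: `plugins_services()` repeats the scan/require/probe loop of `plugins_configure()` almost verbatim, and like it iterates `$workers` without checking that the plugin's hook returned an array, so a hook that returns `null` raises a PHP warning and is otherwise skipped silently. Folding both into one helper that walks the plugins for a named hook keeps the two loops in step and gives a single place for that guard; `plugins_configure()` then reduces to `foreach (plugins_hook('configure') as $worker) { $worker(); }`.
```php
/* require every plugin and collect what its "<name>_<hook>" function returns */
function plugins_hook($hook)
{
    $ret = array();

    foreach (plugin_scan() as $name => $path) {
        require_once $path;
        $func = sprintf('%s_%s', $name, $hook);
        if (function_exists($func)) {
            $workers = $func();
            /* a hook that returns nothing must not trip the merge */
            if (is_array($workers)) {
                $ret = array_merge($ret, $workers);
            }
        }
    }

    return $ret;
}

function plugins_services()
{
    return plugins_hook('services');
}
```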
@@ -38,6 +38,23 @@ function vpn_configure() ); } +function vpn_services() +{ + global $config; + + $services = array(); + + if (isset($config['pptpd']['mode']) && $config['pptpd']['mode'] == 'server') { + $pconfig = array(); + $pconfig['name'] = 'pptpd'; + $pconfig['description'] = gettext('PPTP Server'); + $pconfig['pidfile'] = '/var/run/pptp-vpn.pid'; + $services[] = $pconfig; + } + + return $services; +} + function vpn_netgraph_support() { $iflist = get_configured_interface_list(); foreach ($iflist as $iface) { diff --git a/src/etc/inc/services.inc b/src/etc/inc/services.inc index 51fbc9d38..4ca59623f 100644 --- a/src/etc/inc/services.inc +++ b/src/etc/inc/services.inc @@ -2747,6 +2747,13 @@ function find_service_by_name($names, $filter = array()) $services = services_get(); + if (function_exists('plugins_services')) { + /* only pull plugins if plugins.inc was included before */ + foreach (plugins_services() as $service) { + $services[] = $service; + } + } + foreach ($services as $service) { foreach ($names as $name) { if ($service['name'] != $name) { diff --git a/src/www/diag_logs_pptp.php b/src/www/diag_logs_pptp.php index affbccbd9..7330edf6e 100644 --- a/src/www/diag_logs_pptp.php +++ b/src/www/diag_logs_pptp.php @@ -19,4 +19,7 @@ $tab_array = array(); $tab_array[] = array(gettext("PPTP Logins"), $mode != "raw", "/diag_logs_pptp.php"); $tab_array[] = array(gettext("PPTP Raw"), $mode == "raw", "/diag_logs_pptp.php?mode=raw"); +require_once 'services.inc'; +$service_hook = 'pptpd'; + require_once 'diag_logs_vpn.inc'; diff --git a/src/www/vpn_pptp.php b/src/www/vpn_pptp.php index b010cf64a..cddfb5586 100644 --- a/src/www/vpn_pptp.php +++ b/src/www/vpn_pptp.php 
@@ -30,8 +30,9 @@ require_once('guiconfig.inc'); require_once('interfaces.inc'); require_once('filter.inc'); -require_once('plugins.inc.d/vpn.inc'); +require_once('services.inc'); require_once("pfsense-utils.inc"); +require_once('plugins.inc.d/vpn.inc'); if (!is_array($config['pptpd']['radius'])) { $config['pptpd']['radius'] = array(); @@ -193,6 +194,8 @@ if ($_POST) { } } +$service_hook = 'pptpd'; + include("head.inc"); ?> diff --git a/src/www/vpn_pptp_users.php b/src/www/vpn_pptp_users.php index 569820011..f747124de 100644 --- a/src/www/vpn_pptp_users.php +++ b/src/www/vpn_pptp_users.php @@ -28,6 +28,7 @@ */ require_once('guiconfig.inc'); +require_once('services.inc'); require_once('plugins.inc.d/vpn.inc'); if (!is_array($config['pptpd']['user'])) { @@ -55,6 +56,8 @@ if ($_GET['act'] == "del") { } } +$service_hook = 'pptpd'; + include("head.inc"); $main_buttons = array( From 07bafdf64ca8ee7f8c051f99fc3fcbe30938547f Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Fri, 19 Feb 2016 18:45:20 +0100 Subject: [PATCH 09/16] services: enrich with plugins --- src/www/status_services.php | 6 ++++++ src/www/widgets/widgets/services_status.widget.php | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/src/www/status_services.php b/src/www/status_services.php index d35810f00..d5d635f93 100644 --- a/src/www/status_services.php +++ b/src/www/status_services.php @@ -177,6 +177,12 @@ function service_control_restart($name, $extras) $services = services_get(); +require_once 'plugins.inc'; + +foreach (plugins_services() as $service) { + $services[] = $service; +} + if (count($services) > 0) { uasort($services, "service_name_compare"); } diff --git a/src/www/widgets/widgets/services_status.widget.php b/src/www/widgets/widgets/services_status.widget.php index a4ae272c7..26789a20a 100644 --- a/src/www/widgets/widgets/services_status.widget.php +++ b/src/www/widgets/widgets/services_status.widget.php 
@@ -39,6 +39,12 @@ require_once("interfaces.inc"); $services = services_get(); +require_once 'plugins.inc'; + +foreach (plugins_services() as $service) { + $services[] = $service; +} + if (isset($_POST['servicestatusfilter'])) { $config['widgets']['servicestatusfilter'] = htmlspecialchars($_POST['servicestatusfilter'], ENT_QUOTES | ENT_HTML401); write_config("Saved Service Status Filter via Dashboard"); From 40516e542e9a422621fe2fa3c3620bfc8320d0dc Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Fri, 19 Feb 2016 19:17:43 +0100 Subject: [PATCH 10/16] pptp: improve edit page like l2tp already does --- src/www/vpn_pptp_users_edit.php | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/www/vpn_pptp_users_edit.php b/src/www/vpn_pptp_users_edit.php index f790a79f5..1d91bbb31 100644 --- a/src/www/vpn_pptp_users_edit.php +++ b/src/www/vpn_pptp_users_edit.php @@ -44,6 +44,8 @@ function pptpd_users_sort() } require_once('guiconfig.inc'); +require_once('services.inc'); +require_once('plugins.inc.d/vpn.inc'); if (!is_array($config['pptpd']['user'])) { $config['pptpd']['user'] = array(); @@ -123,16 +125,18 @@ if ($_POST) { } else { $a_secret[] = $secretent; } - pptpd_users_sort(); + pptpd_users_sort(); write_config(); - mark_subsystem_dirty('pptpusers'); + vpn_pptpd_configure(); header("Location: vpn_pptp_users.php"); exit; } } +$service_hook = 'pptpd'; + include("head.inc"); ?> From 4635ac7b98bb8dc717234b6cbf9495248ebb81ba Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Fri, 19 Feb 2016 19:18:15 +0100 Subject: [PATCH 11/16] l2tp: make it shine (as a service) --- src/etc/inc/plugins.inc.d/vpn.inc | 10 +++++++++- src/www/diag_logs_l2tp.php | 3 +++ src/www/vpn_l2tp.php | 5 ++++- src/www/vpn_l2tp_users.php | 3 +++ src/www/vpn_l2tp_users_edit.php | 9 +++++---- 5 files changed, 24 insertions(+), 6 deletions(-) diff --git a/src/etc/inc/plugins.inc.d/vpn.inc b/src/etc/inc/plugins.inc.d/vpn.inc index 841600b31..cb61169f9 100644 
--- a/src/etc/inc/plugins.inc.d/vpn.inc +++ b/src/etc/inc/plugins.inc.d/vpn.inc @@ -44,7 +44,7 @@ function vpn_services() $services = array(); - if (isset($config['pptpd']['mode']) && $config['pptpd']['mode'] == 'server') { + if (isset($config['pptpd']['mode']) && $config['pptpd']['mode'] != 'off') { $pconfig = array(); $pconfig['name'] = 'pptpd'; $pconfig['description'] = gettext('PPTP Server'); @@ -52,6 +52,14 @@ function vpn_services() $services[] = $pconfig; } + if (isset($config['l2tp']['mode']) && $config['l2tp']['mode'] != 'off') { + $pconfig = array(); + $pconfig['name'] = 'l2tpd'; + $pconfig['description'] = gettext('L2TP Server'); + $pconfig['pidfile'] = '/var/run/l2tp-vpn.pid'; + $services[] = $pconfig; + } + return $services; } diff --git a/src/www/diag_logs_l2tp.php b/src/www/diag_logs_l2tp.php index 5bea2fe32..f3a0f17c9 100644 --- a/src/www/diag_logs_l2tp.php +++ b/src/www/diag_logs_l2tp.php @@ -19,4 +19,7 @@ $tab_array = array(); $tab_array[] = array(gettext("L2TP Logins"), $mode != "raw", "/diag_logs_l2tp.php"); $tab_array[] = array(gettext("L2TP Raw"), $mode == "raw", "/diag_logs_l2tp.php?mode=raw"); +require_once 'services.inc'; +$service_hook = 'l2tpd'; + require_once 'diag_logs_vpn.inc'; diff --git a/src/www/vpn_l2tp.php b/src/www/vpn_l2tp.php index 3c3a76305..0bbf88c44 100644 --- a/src/www/vpn_l2tp.php +++ b/src/www/vpn_l2tp.php @@ -28,9 +28,10 @@ */ require_once("guiconfig.inc"); -require_once("plugins.inc.d/vpn.inc"); require_once("pfsense-utils.inc"); require_once("interfaces.inc"); +require_once("services.inc"); +require_once("plugins.inc.d/vpn.inc"); if (!isset($config['l2tp']['radius']) || !is_array($config['l2tp']['radius'])) { $config['l2tp']['radius'] = array(); @@ -164,6 +165,8 @@ if ($_POST) { } } +$service_hook = 'l2tpd'; + include("head.inc"); ?> diff --git a/src/www/vpn_l2tp_users.php b/src/www/vpn_l2tp_users.php index 7829611cc..5fdfb8d1f 100644 --- a/src/www/vpn_l2tp_users.php +++ b/src/www/vpn_l2tp_users.php 
@@ -28,6 +28,7 @@ */ require_once("guiconfig.inc"); +require_once("services.inc"); require_once("plugins.inc.d/vpn.inc"); if (!isset($config['l2tp']['user'])) { @@ -62,6 +63,8 @@ if ($_GET['act'] == "del") { } } +$service_hook = 'l2tpd'; + include("head.inc"); diff --git a/src/www/vpn_l2tp_users_edit.php b/src/www/vpn_l2tp_users_edit.php index 6fe45f4d7..3f3768300 100644 --- a/src/www/vpn_l2tp_users_edit.php +++ b/src/www/vpn_l2tp_users_edit.php @@ -44,6 +44,7 @@ function l2tp_users_sort() } require_once("guiconfig.inc"); +require_once("services.inc"); require_once("plugins.inc.d/vpn.inc"); $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/vpn_l2tp_users.php'); @@ -122,18 +123,18 @@ if ($_POST) { } else { $a_secret[] = $secretent; } + l2tp_users_sort(); - write_config(); - - $retval = vpn_l2tp_configure(); + vpn_l2tp_configure(); header("Location: vpn_l2tp_users.php"); - exit; } } +$service_hook = 'l2tpd'; + include("head.inc"); ?> From 269b9b6a1b723705f1482376bdd93fcdd770a544 Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Fri, 19 Feb 2016 19:39:02 +0100 Subject: [PATCH 12/16] plugins: support start and restart --- src/etc/inc/plugins.inc | 13 ++++ src/etc/inc/plugins.inc.d/vpn.inc | 99 +++++++++++++++++++------------ src/www/guiconfig.inc | 4 +- src/www/vpn_l2tp_users.php | 11 +--- 4 files changed, 79 insertions(+), 48 deletions(-) diff --git a/src/etc/inc/plugins.inc b/src/etc/inc/plugins.inc index 48505c3aa..402c7761a 100644 --- a/src/etc/inc/plugins.inc +++ b/src/etc/inc/plugins.inc @@ -49,6 +49,19 @@ function plugin_scan() return $ret; } +function plugins_action($service, $action) +{ + if (!isset($service['plugin'])) { + return; + } + + /* avoid auto-loading, it must have been required before */ + $func = sprintf('%s_action', $service['plugin']); + if (function_exists($func)) { + $func($service, $action); + } +} + function plugins_services() { $services = array(); 
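Review bot: The rewritten save path in `vpn_l2tp_users_edit.php` drops both `write_config()` and the `exit` after `header("Location: vpn_l2tp_users.php")`, so the edited user is no longer persisted unless `vpn_l2tp_configure()` writes the configuration itself (not visible here), and the script keeps running and rendering the form after the redirect header has been sent. The PPTP counterpart changed two commits earlier keeps both calls, so this looks accidental; restore `write_config();` before `vpn_l2tp_configure();` and `exit;` after the `header()` call.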
diff --git a/src/etc/inc/plugins.inc.d/vpn.inc b/src/etc/inc/plugins.inc.d/vpn.inc index cb61169f9..ced93e06a 100644 --- a/src/etc/inc/plugins.inc.d/vpn.inc +++ b/src/etc/inc/plugins.inc.d/vpn.inc 
@@ -1,33 +1,34 @@ - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ + * Coypright (C) 2016 Franco Fichtner + * Copyright (C) 2008 Shrew Soft Inc + * Copyright (C) 2008 Ermal Luçi + * Copyright (C) 2004 Scott Ullrich + * Copyright (C) 2003-2004 Manuel Kasper + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. 
+ * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ function vpn_configure() { 
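Review bot: The first added line of the rewritten license header misspells the word as `Coypright`. It should read `* Copyright (C) 2016 Franco Fichtner`, matching the lines that follow it.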
@@ -45,24 +46,48 @@ function vpn_services() $services = array(); if (isset($config['pptpd']['mode']) && $config['pptpd']['mode'] != 'off') { - $pconfig = array(); - $pconfig['name'] = 'pptpd'; - $pconfig['description'] = gettext('PPTP Server'); - $pconfig['pidfile'] = '/var/run/pptp-vpn.pid'; - $services[] = $pconfig; + $services[] = array( + 'description' => gettext('PPTP Server'), + 'pidfile' => '/var/run/pptp-vpn.pid', + 'plugin' => 'vpn', + 'name' => 'pptpd', + ); } if (isset($config['l2tp']['mode']) && $config['l2tp']['mode'] != 'off') { - $pconfig = array(); - $pconfig['name'] = 'l2tpd'; - $pconfig['description'] = gettext('L2TP Server'); - $pconfig['pidfile'] = '/var/run/l2tp-vpn.pid'; - $services[] = $pconfig; + $services[] = array( + 'description' => gettext('L2TP Server'), + 'pidfile' => '/var/run/l2tp-vpn.pid', + 'plugin' => 'vpn', + 'name' => 'l2tpd', + ); } return $services; } +function vpn_action($service, $action) +{ + if ($action != 'start' && $action != 'restart') { + /* XXX also need stop */ + return; + } + + switch ($service['name']) { + case 'l2tpd': + vpn_l2tp_configure(); + break; + case 'pptpd': + vpn_pptpd_configure(); + break; + case 'pppoe': + /* XXX TBD */ + break; + default: + break; + } +} + function vpn_netgraph_support() { $iflist = get_configured_interface_list(); foreach ($iflist as $iface) { diff --git a/src/www/guiconfig.inc b/src/www/guiconfig.inc index bf5f86434..cc55f8578 100644 --- a/src/www/guiconfig.inc +++ b/src/www/guiconfig.inc @@ -273,8 +273,8 @@ function print_service_banner($service) } } -function get_std_save_message() { - global $d_sysrebootreqd_path; +function get_std_save_message() +{ $filter_related = false; $filter_pages = array("nat", "filter"); $to_return = gettext("The changes have been applied successfully."); diff --git a/src/www/vpn_l2tp_users.php b/src/www/vpn_l2tp_users.php index 5fdfb8d1f..b5897e87d 100644 --- a/src/www/vpn_l2tp_users.php +++ b/src/www/vpn_l2tp_users.php 
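Review bot: The `'plugin' => 'vpn'` entries added in `vpn_services()` must equal the key `plugin_scan()` derives from this file's name (`vpn.inc` becomes `vpn`), because `plugins_action()` builds `<plugin>_action` from that value; hard-coding the string leaves the link to break silently if the file is ever renamed. `basename(__FILE__, '.inc')` expresses the same value without duplicating it: `'plugin' => basename(__FILE__, '.inc'),`. In `vpn_action()` the `'pppoe'` case matches no service name advertised above, which is presumably why it is marked TBD; `vpn_services()` itself starts outside this hunk.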
@@ -40,16 +40,9 @@ if ($_POST) { $pconfig = $_POST; if ($_POST['apply']) { - $retval = 0; - if (!is_subsystem_dirty('rebootreq')) { - $retval = vpn_l2tp_configure(); - } + vpn_l2tp_configure(); $savemsg = get_std_save_message(); - if ($retval == 0) { - if (is_subsystem_dirty('l2tpusers')) { - clear_subsystem_dirty('l2tpusers'); - } - } + clear_subsystem_dirty('l2tpusers'); } } From 669f6e03ebed65d63b3c59419bc5c86726195674 Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Sat, 20 Feb 2016 12:12:59 +0100 Subject: [PATCH 13/16] plugins: rules change, plugins.inc is required now This is done so that services.inc can load plugins when plugins.inc was invoked, if not, it stays clear of the extra work. --- src/www/diag_logs_l2tp.php | 1 - src/www/diag_logs_pptp.php | 1 - src/www/diag_logs_vpn.inc | 2 ++ src/www/status_services.php | 3 +-- src/www/vpn_l2tp.php | 1 + src/www/vpn_l2tp_users.php | 1 + src/www/vpn_l2tp_users_edit.php | 1 + src/www/vpn_pptp.php | 1 + src/www/vpn_pptp_users.php | 1 + src/www/vpn_pptp_users_edit.php | 1 + src/www/widgets/widgets/services_status.widget.php | 5 ++--- 11 files changed, 11 insertions(+), 7 deletions(-) diff --git a/src/www/diag_logs_l2tp.php b/src/www/diag_logs_l2tp.php index f3a0f17c9..6a8709194 100644 --- a/src/www/diag_logs_l2tp.php +++ b/src/www/diag_logs_l2tp.php @@ -19,7 +19,6 @@ $tab_array = array(); $tab_array[] = array(gettext("L2TP Logins"), $mode != "raw", "/diag_logs_l2tp.php"); $tab_array[] = array(gettext("L2TP Raw"), $mode == "raw", "/diag_logs_l2tp.php?mode=raw"); -require_once 'services.inc'; $service_hook = 'l2tpd'; require_once 'diag_logs_vpn.inc'; diff --git a/src/www/diag_logs_pptp.php b/src/www/diag_logs_pptp.php index 7330edf6e..20ed8de46 100644 --- a/src/www/diag_logs_pptp.php +++ b/src/www/diag_logs_pptp.php 
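Review bot: The apply branch in `vpn_l2tp_users.php` now calls `vpn_l2tp_configure()` unconditionally and clears the `l2tpusers` dirty flag regardless of outcome, where the removed code skipped reconfiguring while a reboot was pending (`is_subsystem_dirty('rebootreq')`) and only cleared the flag when `$retval == 0`. If `vpn_l2tp_configure()` still reports failure through its return value (not visible here), the page will show the standard save message and drop the pending marker even when the daemon was not reconfigured; `if (vpn_l2tp_configure() == 0) { clear_subsystem_dirty('l2tpusers'); }` would preserve that signal.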
@@ -19,7 +19,6 @@ $tab_array = array(); $tab_array[] = array(gettext("PPTP Logins"), $mode != "raw", "/diag_logs_pptp.php"); $tab_array[] = array(gettext("PPTP Raw"), $mode == "raw", "/diag_logs_pptp.php?mode=raw"); -require_once 'services.inc'; $service_hook = 'pptpd'; require_once 'diag_logs_vpn.inc'; diff --git a/src/www/diag_logs_vpn.inc b/src/www/diag_logs_vpn.inc index e1f6a3251..205c714b5 100644 --- a/src/www/diag_logs_vpn.inc +++ b/src/www/diag_logs_vpn.inc @@ -29,6 +29,8 @@ require_once("guiconfig.inc"); require_once("system.inc"); +require_once('services.inc'); +require_once('plugins.inc'); require_once("interfaces.inc"); if (empty($config['syslog']['nentries'])) { diff --git a/src/www/status_services.php b/src/www/status_services.php index d5d635f93..f645f5297 100644 --- a/src/www/status_services.php +++ b/src/www/status_services.php @@ -30,6 +30,7 @@ require_once("guiconfig.inc"); require_once("services.inc"); +require_once('plugins.inc'); require_once("vslb.inc"); require_once("system.inc"); require_once("unbound.inc"); @@ -177,8 +178,6 @@ function service_control_restart($name, $extras) $services = services_get(); -require_once 'plugins.inc'; - foreach (plugins_services() as $service) { $services[] = $service; } diff --git a/src/www/vpn_l2tp.php b/src/www/vpn_l2tp.php index 0bbf88c44..66abff2e9 100644 --- a/src/www/vpn_l2tp.php +++ b/src/www/vpn_l2tp.php @@ -31,6 +31,7 @@ require_once("guiconfig.inc"); require_once("pfsense-utils.inc"); require_once("interfaces.inc"); require_once("services.inc"); +require_once("plugins.inc"); require_once("plugins.inc.d/vpn.inc"); if (!isset($config['l2tp']['radius']) || !is_array($config['l2tp']['radius'])) { diff --git a/src/www/vpn_l2tp_users.php b/src/www/vpn_l2tp_users.php index b5897e87d..b7e82f99c 100644 --- a/src/www/vpn_l2tp_users.php +++ b/src/www/vpn_l2tp_users.php 
@@ -29,6 +29,7 @@ require_once("guiconfig.inc");
 require_once("services.inc");
+require_once("plugins.inc");
 require_once("plugins.inc.d/vpn.inc");
 if (!isset($config['l2tp']['user'])) {
diff --git a/src/www/vpn_l2tp_users_edit.php b/src/www/vpn_l2tp_users_edit.php
index 3f3768300..55832e66d 100644
--- a/src/www/vpn_l2tp_users_edit.php
+++ b/src/www/vpn_l2tp_users_edit.php
@@ -45,6 +45,7 @@ function l2tp_users_sort()
 require_once("guiconfig.inc");
 require_once("services.inc");
+require_once("plugins.inc");
 require_once("plugins.inc.d/vpn.inc");
 $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/vpn_l2tp_users.php');
diff --git a/src/www/vpn_pptp.php b/src/www/vpn_pptp.php
index cddfb5586..fa9edcf3a 100644
--- a/src/www/vpn_pptp.php
+++ b/src/www/vpn_pptp.php
@@ -31,6 +31,7 @@ require_once('guiconfig.inc');
 require_once('interfaces.inc');
 require_once('filter.inc');
 require_once('services.inc');
+require_once("plugins.inc");
 require_once("pfsense-utils.inc");
 require_once('plugins.inc.d/vpn.inc');
diff --git a/src/www/vpn_pptp_users.php b/src/www/vpn_pptp_users.php
index f747124de..d7a0bd97e 100644
--- a/src/www/vpn_pptp_users.php
+++ b/src/www/vpn_pptp_users.php
@@ -29,6 +29,7 @@ require_once('guiconfig.inc');
 require_once('services.inc');
+require_once("plugins.inc");
 require_once('plugins.inc.d/vpn.inc');
 if (!is_array($config['pptpd']['user'])) {
diff --git a/src/www/vpn_pptp_users_edit.php b/src/www/vpn_pptp_users_edit.php
index 1d91bbb31..24e60bd85 100644
--- a/src/www/vpn_pptp_users_edit.php
+++ b/src/www/vpn_pptp_users_edit.php
@@ -45,6 +45,7 @@ function pptpd_users_sort()
 require_once('guiconfig.inc');
 require_once('services.inc');
+require_once("plugins.inc");
 require_once('plugins.inc.d/vpn.inc');
 if (!is_array($config['pptpd']['user'])) {
diff --git a/src/www/widgets/widgets/services_status.widget.php b/src/www/widgets/widgets/services_status.widget.php
index 26789a20a..a002d9656 100644
--- a/src/www/widgets/widgets/services_status.widget.php
+++ b/src/www/widgets/widgets/services_status.widget.php
@@ -33,14 +33,13 @@ $nocsrf = true;
 require_once("guiconfig.inc");
 require_once("services.inc");
+require_once('plugins.inc');
 require_once("ipsec.inc");
-require_once("widgets/include/services_status.inc");
 require_once("interfaces.inc");
+require_once("widgets/include/services_status.inc");
 $services = services_get();
-require_once 'plugins.inc';
-
 foreach (plugins_services() as $service) {
 $services[] = $service;
 }
From e8fa56c5acbf4352bc7917cb9b4225dd6032238e Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Sat, 20 Feb 2016 12:18:33 +0100
Subject: [PATCH 14/16] services: bubble down plugins_services hook

This way, the caller only needs to specify plugins.inc on the top to let the subsystem(s) know plugin hooks need to be executed.
---
 src/etc/inc/services.inc | 14 +++++++-------
 src/www/status_services.php | 4 ----
 src/www/widgets/widgets/services_status.widget.php | 4 ----
 3 files changed, 7 insertions(+), 15 deletions(-)

diff --git a/src/etc/inc/services.inc b/src/etc/inc/services.inc
index 4ca59623f..4089c96bd 100644
--- a/src/etc/inc/services.inc
+++ b/src/etc/inc/services.inc
@@ -2736,6 +2736,13 @@ function services_get()
 'name' => 'configd',
 );
+ if (function_exists('plugins_services')) {
+ /* only pull plugins if plugins.inc was included before */
+ foreach (plugins_services() as $service) {
+ $services[] = $service;
+ }
+ }
+
 return $services;
 }
@@ -2747,13 +2754,6 @@ function find_service_by_name($names, $filter = array())
 $services = services_get();
- if (function_exists('plugins_services')) {
- /* only pull plugins if plugins.inc was included before */
- foreach (plugins_services() as $service) {
- $services[] = $service;
- }
- }
-
 foreach ($services as $service) {
 foreach ($names as $name) {
 if ($service['name'] != $name) {
diff --git a/src/www/status_services.php b/src/www/status_services.php
index f645f5297..a8873cebb 100644
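Review bot: `require_once("widgets/include/services_status.inc");` is moved below `require_once("interfaces.inc");` in the services_status.widget.php hunk, but neither the commit message nor the hunk says why. If the include depends on symbols from interfaces.inc this is a load-order fix that deserves a one-line comment on the moved line, such as `/* after interfaces.inc: load order matters here */`; if it does not, the move is unrelated churn that makes the intent of the commit harder to read. The widget's include block starts above the hunk, so whether any earlier include already covers this is not visible.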
--- a/src/www/status_services.php
+++ b/src/www/status_services.php
@@ -178,10 +178,6 @@ function service_control_restart($name, $extras)
 $services = services_get();
-foreach (plugins_services() as $service) {
- $services[] = $service;
-}
-
 if (count($services) > 0) {
 uasort($services, "service_name_compare");
 }
diff --git a/src/www/widgets/widgets/services_status.widget.php b/src/www/widgets/widgets/services_status.widget.php
index a002d9656..cd4325c69 100644
--- a/src/www/widgets/widgets/services_status.widget.php
+++ b/src/www/widgets/widgets/services_status.widget.php
@@ -40,10 +40,6 @@ require_once("widgets/include/services_status.inc");
 $services = services_get();
-foreach (plugins_services() as $service) {
- $services[] = $service;
-}
-
 if (isset($_POST['servicestatusfilter'])) {
 $config['widgets']['servicestatusfilter'] = htmlspecialchars($_POST['servicestatusfilter'], ENT_QUOTES | ENT_HTML401);
 write_config("Saved Service Status Filter via Dashboard");
From 3b42ee7e80376a73127d5e7dad05685273380dad Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Sat, 20 Feb 2016 12:27:55 +0100
Subject: [PATCH 15/16] plugins: try something new :)

---
 src/etc/inc/plugins.inc | 13 ------------
 src/etc/inc/plugins.inc.d/vpn.inc | 34 +++++++++----------------------
 2 files changed, 10 insertions(+), 37 deletions(-)

diff --git a/src/etc/inc/plugins.inc b/src/etc/inc/plugins.inc
index 402c7761a..48505c3aa 100644
--- a/src/etc/inc/plugins.inc
+++ b/src/etc/inc/plugins.inc
@@ -49,19 +49,6 @@ function plugin_scan()
 return $ret;
 }
-function plugins_action($service, $action)
-{
- if (!isset($service['plugin'])) {
- return;
- }
-
- /* avoid auto-loading, it must have been required before */
- $func = sprintf('%s_action', $service['plugin']);
- if (function_exists($func)) {
- $func($service, $action);
- }
-}
-
 function plugins_services()
 {
 $services = array();
diff --git a/src/etc/inc/plugins.inc.d/vpn.inc b/src/etc/inc/plugins.inc.d/vpn.inc
index ced93e06a..77a25d76c 100644
--- a/src/etc/inc/plugins.inc.d/vpn.inc
+++ b/src/etc/inc/plugins.inc.d/vpn.inc
@@ -49,7 +49,10 @@ function vpn_services()
 $services[] = array(
 'description' => gettext('PPTP Server'),
 'pidfile' => '/var/run/pptp-vpn.pid',
- 'plugin' => 'vpn',
+ 'php' => array(
+ 'restart' => array('vpn_pptpd_configure'),
+ 'start' => array('vpn_pptpd_configure'),
+ ),
 'name' => 'pptpd',
 );
 }
@@ -58,36 +61,19 @@ function vpn_services()
 $services[] = array(
 'description' => gettext('L2TP Server'),
 'pidfile' => '/var/run/l2tp-vpn.pid',
- 'plugin' => 'vpn',
+ 'php' => array(
+ 'restart' => array('vpn_l2tp_configure'),
+ 'start' => array('vpn_l2tp_configure'),
+ ),
 'name' => 'l2tpd',
 );
 }
+ /* XXX pppoe server instances too */
+
 return $services;
 }
-function vpn_action($service, $action)
-{
- if ($action != 'start' && $action != 'restart') {
- /* XXX also need stop */
- return;
- }
-
- switch ($service['name']) {
- case 'l2tpd':
- vpn_l2tp_configure();
- break;
- case 'pptpd':
- vpn_pptpd_configure();
- break;
- case 'pppoe':
- /* XXX TBD */
- break;
- default:
- break;
- }
-}
-
 function vpn_netgraph_support()
 {
 $iflist = get_configured_interface_list();
 foreach ($iflist as $iface) {
From 6d7d0bc357070778fac9147e4e3c9e548cd0d952 Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Sun, 21 Feb 2016 20:02:21 +0100
Subject: [PATCH 16/16] vpn: plug pppoe servers into services

---
 src/etc/inc/plugins.inc.d/vpn.inc | 43 ++++++++++++++++++++++++++++++-
 1 file changed, 42 insertions(+), 1 deletion(-)

diff --git a/src/etc/inc/plugins.inc.d/vpn.inc b/src/etc/inc/plugins.inc.d/vpn.inc
index 77a25d76c..557b0c145 100644
--- a/src/etc/inc/plugins.inc.d/vpn.inc
+++ b/src/etc/inc/plugins.inc.d/vpn.inc
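Review bot: The new `'php'` descriptor for pptpd carries only `'restart'` and `'start'` handlers, and the l2tpd descriptor in the second hunk has the same shape; the deleted vpn_action() at least documented the gap with `/* XXX also need stop */`, and that reminder is lost with it. Either add a `'stop'` entry or carry the note over, e.g. `/* XXX no 'stop' handler yet */` beside `'php' => array(`. The handler names are plain strings that a consumer outside this diff will presumably resolve and call, so that consumer should take the callable only from the descriptor it has already selected, with the request deciding which descriptor and nothing more. vpn_services() begins above the first hunk, so its `global $config` declaration, if any, is not visible.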
@@ -69,7 +69,23 @@ function vpn_services()
 );
 }
- /* XXX pppoe server instances too */
+ if (isset($config['pppoes']['pppoe'])) {
+ foreach ($config['pppoes']['pppoe'] as $pppoecfg) {
+ if (isset($pppoecfg['mode']) || $pppoecfg['mode'] != 'off') {
+ $services[] = array(
+ 'description' => gettext('PPPoE Server') . ': ' . htmlspecialchars($pppoecfg['descr']),
+ 'php' => array(
+ 'restart' => array('vpn_pppoe_configure_by_id'),
+ 'start' => array('vpn_pppoe_configure_by_id'),
+ 'args' => array('pppoeid'),
+ ),
+ 'pidfile' => "/var/run/pppoe{$pppoecfg['pppoeid']}-vpn.pid",
+ 'pppoeid' => $pppoecfg['pppoeid'],
+ 'name' => 'pppoed',
+ );
+ }
+ }
+ }
 return $services;
 }
@@ -319,6 +335,31 @@ function vpn_pppoes_configure()
 }
 }
+function vpn_pppoe_configure_by_id($id)
+{
+ global $config;
+
+ $found = null;
+
+ if (isset($config['pppoes']['pppoe'])) {
+ foreach ($config['pppoes']['pppoe'] as $pppoe) {
+ if (!isset($pppoe['mode']) || $pppoe['mode'] == 'off') {
+ continue;
+ }
+ if ($id != 0 && $id == $pppoe['pppoeid']) {
+ $found = $pppoe;
+ break;
+ }
+ }
+ }
+
+ if ($found == null) {
+ return;
+ }
+
+ vpn_pppoe_configure($found);
+}
+
 function vpn_pppoe_configure(&$pppoecfg)
 {
 global $config;
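Review bot: The guard `if (isset($pppoecfg['mode']) || $pppoecfg['mode'] != 'off')` in the first hunk is always true: with `mode` set it passes even for `'off'`, and with `mode` unset the right-hand side compares a missing index to `'off'` (true, plus a notice), so disabled PPPoE instances are listed as services with live start/restart handlers. The test that matches vpn_pppoe_configure_by_id() in the second hunk is `if (isset($pppoecfg['mode']) && $pppoecfg['mode'] != 'off') {`. Separately, `htmlspecialchars($pppoecfg['descr'])` escapes inside the data descriptor while the pptpd and l2tpd descriptions are left raw, so the output layer cannot escape uniformly, and it raises a notice when `descr` is absent; `isset($pppoecfg['descr']) ? $pppoecfg['descr'] : ''` with escaping at the rendering point would be consistent with the other entries. vpn_services() opens above the hunk, so whether `$config` is declared `global` there is not visible.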
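Review bot: The lookup in vpn_pppoe_configure_by_id(), `if ($id != 0 && $id == $pppoe['pppoeid'])`, relies on loose comparison, so if `$id` arrives as a string through the `'args' => array('pppoeid')` mechanism a partially numeric value can match an entry it should not, with the outcome depending on the PHP version's string-to-number rules. Normalise once and compare strictly: `$id = (int)$id;` before the loop and `if ($id !== 0 && $id === (int)$pppoe['pppoeid']) {` inside it. Likewise `if ($found == null)` should read `if ($found === null)`, since an empty array also compares equal to null. Acting only on an entry that exists in `$config` is the right boundary here; strict comparison just makes that selection unambiguous.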