From: mkasper
Date: Sat, 7 Jan 2006 22:48:05 +0000 (+0000)
Subject: Import m0n0wall 1.2b2 files.
X-Git-Url: https://git.gsnw.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=668a87e9d2011047a8e315981d288ca1ab90c017;p=m0n0chwall.git

Import m0n0wall 1.2b2 files.

git-svn-id: https://svn.m0n0.ch/wall/trunk@8 e36fee2c-cc09-0410-a7cc-ebac5c6737de
---

diff --git a/captiveportal/index.php b/captiveportal/index.php
index 5094cc0..c264625 100644
--- a/captiveportal/index.php
+++ b/captiveportal/index.php
@@ -45,43 +45,42 @@ $orig_request = $_ENV['CAPTIVE_REQPATH']; $lockfile = "{$g['varrun_path']}/captiveportal.lock"; $clientip = $_ENV['REMOTE_ADDR']; +if (!$clientip) { + /* not good - bail out */ + exit; +} + /* find MAC address for client */ -if ($clientip) { - $clientmac = arp_get_mac_by_ip($clientip); - if (!$clientmac) { - /* unable to find MAC address - shouldn't happen! - bail out */ - exit; - } +$clientmac = arp_get_mac_by_ip($clientip); +if (!$clientmac && !isset($config['captiveportal']['nomacfilter'])) { + /* unable to find MAC address - shouldn't happen! - bail out */ + exit; } -if (portal_mac_fixed($clientmac)) { +if ($clientmac && portal_mac_fixed($clientmac)) { /* punch hole in ipfw for pass thru mac addresses */ - portal_allow($clientip, $clientmac,"unauthenticated") ; + portal_allow($clientip, $clientmac, "unauthenticated"); } else if ($_POST['accept'] && file_exists("{$g['vardb_path']}/captiveportal_radius.db")) { /* authenticate against radius server */ - - $fd = @fopen("{$g['vardb_path']}/captiveportal_radius.db","r"); - if($fd) { - $line = trim(fgets($fd)); - if($line) - list($radiusip,$radiusport,$radiuskey) = explode(",",$line) ; - } - fclose($fd) ; + $radiusservers = captiveportal_get_radius_servers(); - if($_POST['auth_user'] && $_POST['auth_pass']) { + if ($_POST['auth_user'] && $_POST['auth_pass']) { $auth_val = RADIUS_AUTHENTICATION($_POST['auth_user'], $_POST['auth_pass'], - $radiusip,$radiusport, - $radiuskey) ; + $radiusservers[0]['ipaddr'], + $radiusservers[0]['port'], + $radiusservers[0]['key']); if ($auth_val == 2) { - portal_allow($clientip, $clientmac,$_POST['auth_user']) ; - if(isset($config['captiveportal']['radacct_enable'])) { + $sessionid = portal_allow($clientip, $clientmac, $_POST['auth_user']); + if (isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) { $auth_val = RADIUS_ACCOUNTING_START($_POST['auth_user'], - $radiusip,$radiusport, - $radiuskey) ; - } + $sessionid, + 
$radiusservers[0]['ipaddr'], + $radiusservers[0]['acctport'], + $radiusservers[0]['key']); + } } else { readfile("{$g['varetc_path']}/captiveportal-error.html"); } @@ -90,9 +89,9 @@ if (portal_mac_fixed($clientmac)) { } } else if ($_POST['accept'] && $clientip) { - portal_allow($clientip, $clientmac,"unauthenticated") ; -} else if ($_POST['logout_id'] && ($clientmac == $_POST['logout_id']) ) { - disconnect_client($_POST['logout_id']) ; + portal_allow($clientip, $clientmac, "unauthenticated"); +} else if ($_POST['logout_id']) { + disconnect_client($_POST['logout_id']); echo << Disconnecting... @@ -167,20 +166,25 @@ function portal_allow($clientip,$clientmac,$clientuser) { if (!$ruleno) $ruleno = 10000; /* first rule number */ - $saved_ruleno = $ruleno ; + $saved_ruleno = $ruleno; + + /* generate unique session ID */ + $tod = gettimeofday(); + $sessionid = substr(md5(mt_rand() . $tod['sec'] . $tod['usec'] . $clientip . $clientmac), 0, 16); /* add ipfw rules for layer 3 */ exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from $clientip to any in"); exec("/sbin/ipfw add $ruleno set 2 skipto 50000 ip from any to $clientip out"); /* add ipfw rules for layer 2 */ - $l2ruleno = $ruleno + 10000; - exec("/sbin/ipfw add $l2ruleno set 3 deny all from $clientip to any not MAC any $clientmac layer2 in"); - exec("/sbin/ipfw add $l2ruleno set 3 deny all from any to $clientip not MAC $clientmac any layer2 out"); + if (!isset($config['captiveportal']['nomacfilter'])) { + $l2ruleno = $ruleno + 10000; + exec("/sbin/ipfw add $l2ruleno set 3 deny all from $clientip to any not MAC any $clientmac layer2 in"); + exec("/sbin/ipfw add $l2ruleno set 3 deny all from any to $clientip not MAC $clientmac any layer2 out"); + } - /* read in passthru mac database */ - - $cpdb = array() ; + /* read in client database */ + $cpdb = array(); $fd = @fopen("{$g['vardb_path']}/captiveportal.db", "r"); if ($fd) { 
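Review bot: In the RADIUS branch of the @@ -45 hunk, `RADIUS_AUTHENTICATION` is called with `$radiusservers[0]['ipaddr']`, `['port']` and `['key']` without first checking that `captiveportal_get_radius_servers()` returned an entry; that function returns `false` when the db file cannot be opened and an empty array when it holds no usable line, so the authentication request would go out with a null host and port. The accounting-start call a few lines below does guard with `isset($radiusservers[0])`, and the same guard belongs on the outer condition: `if ($_POST['auth_user'] && $_POST['auth_pass'] && isset($radiusservers[0])) {`. Only `$radiusservers[0]` is ever consulted even though the reader returns a list, so any further servers in the file are silently ignored; if that is intended, a comment saying so would help.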
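Review bot: The logout path in the @@ -90 hunk no longer ties the request to the requesting client: the old condition required `$clientmac == $_POST['logout_id']`, whereas the new code hands any POSTed `logout_id` straight to `disconnect_client()`, so possession of a session id alone is enough to terminate that session from any client the portal serves. The id is necessarily handed to the client's browser, so its strength and the scope it is accepted in are all that protects other users' sessions. Keeping the old binding while switching to session ids means passing the requester along and matching both fields: `disconnect_client($_POST['logout_id'], $clientip);` here, `if ($cpdb[$i][5] == $sessionid && !strcasecmp($cpdb[$i][2], $clientip)) {` in the lookup of the @@ -336 hunk, and a second `$clientip` parameter on the signature in the @@ -317 hunk.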
@@ -190,24 +194,25 @@ function portal_allow($clientip,$clientmac,$clientuser) { $cpdb[] = explode(",",$line); } } - fclose($fd) ; + fclose($fd); } + + $radiusservers = captiveportal_get_radius_servers(); - /* find entry and delete it */ - + /* find an existing entry and delete it */ for ($i = 0; $i < count($cpdb); $i++) { - if(!strcasecmp($cpdb[$i][3],$clientmac)) { - if(isset($config['captiveportal']['radacct_enable']) && - file_exists("{$g['vardb_path']}/captiveportal_radius.db")) { + if(!strcasecmp($cpdb[$i][2],$clientip)) { + if(isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) { RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno $cpdb[$i][4], // username + $cpdb[$i][5], // sessionid $cpdb[$i][0], // start time - $config['captiveportal']['radiusip'], - $config['captiveportal']['radiusport'], - $config['captiveportal']['radiuskey'] ) ; - } + $radiusservers[0]['ipaddr'], + $radiusservers[0]['acctport'], + $radiusservers[0]['key']); + } mwexec("/sbin/ipfw delete " . $cpdb[$i][1] . " " . ($cpdb[$i][1]+10000)); - unset($cpdb[$i]) ; + unset($cpdb[$i]); break; } } @@ -218,8 +223,8 @@ function portal_allow($clientip,$clientmac,$clientuser) { foreach ($cpdb as $cpent) { fwrite($fd, join(",", $cpent) . "\n"); } - /* write in this new entry for clientmac */ - fwrite($fd, time().",{$ruleno},{$clientip},{$clientmac},{$clientuser}\n") ; + /* write in this new entry */ + fwrite($fd, time().",{$ruleno},{$clientip},{$clientmac},{$clientuser},{$sessionid}\n") ; fclose($fd); } @@ -267,7 +272,7 @@ if (LogoutWin) { LogoutWin.document.write('
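Review bot: The session id introduced in the @@ -167 hunk is built from `mt_rand()`, the current time and the client's IP and MAC, then truncated to 16 hex characters of an MD5; none of those inputs is a secret, and with the @@ -90 hunk this id becomes the only credential needed to disconnect a client. The kernel random device is available on this platform, so the id should come from it, for example `$fd = fopen("/dev/urandom", "r"); $sessionid = bin2hex(fread($fd, 8)); fclose($fd);`, keeping the current expression only as a fallback if the open fails. `portal_allow` starts before this hunk, so I cannot see whether it declares `global $config`, which the new `$config['captiveportal']['nomacfilter']` test needs.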
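Review bot: The rewritten `fwrite` in the @@ -218 hunk appends `{$sessionid}` as a sixth comma-separated field, but the fifth field, `$clientuser`, is `$_POST['auth_user']` from the caller and is written unescaped, so a username containing a comma or a newline shifts every later field and the session id is no longer found at `$cpdb[$i][5]` by the readers. Since the db format has no quoting, the cheapest fix is to strip the separators before writing: `$clientuser = str_replace(array(",", "\n", "\r"), "", $clientuser);` ahead of the `fwrite`. The line also keeps the old `) ;` spacing that the rest of the hunk normalizes.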
') ; LogoutWin.document.write('Click the button below to disconnect

'); LogoutWin.document.write('

'); - LogoutWin.document.write(''); + LogoutWin.document.write(''); LogoutWin.document.write(''); LogoutWin.document.write('
'); LogoutWin.document.write('
'); @@ -285,6 +290,34 @@ EOD; } else { header("Location: " . $redirurl); } + + return $sessionid; +} + +/* read RADIUS servers into array */ +function captiveportal_get_radius_servers() { + + global $g; + + if (file_exists("{$g['vardb_path']}/captiveportal_radius.db")) { + $fd = @fopen("{$g['vardb_path']}/captiveportal_radius.db","r"); + if ($fd) { + $radiusservers = array(); + while (!feof($fd)) { + $line = trim(fgets($fd)); + if ($line) { + $radsrv = array(); + list($radsrv['ipaddr'],$radsrv['port'],$radsrv['acctport'],$radsrv['key']) = explode(",",$line); + $radiusservers[] = $radsrv; + } + } + fclose($fd); + + return $radiusservers; + } + } + + return false; } /* lock captive portal information, decide that the lock file is stale after @@ -317,10 +350,10 @@ function portal_unlock() { unlink($lockfile); } -/* remove a single client by mac address - by Dinesh Nair Thu Jul 29 18:46:38 MYT 2004 +/* remove a single client by session ID + by Dinesh Nair */ -function disconnect_client($macaddr) { +function disconnect_client($sessionid) { global $g, $config; 
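Review bot: `captiveportal_get_radius_servers()` added in the @@ -285 hunk parses each line with `list(...) = explode(",", $line)`, and the key is the last field, written unescaped by `captiveportal_configure()`, so a shared secret containing a comma is truncated at the comma and every RADIUS exchange then fails silently; limiting the split, `explode(",", $line, 4)`, keeps the whole secret. The identical function is added to captiveportal.inc in the @@ -569 hunk and needs the same change; having two copies of the parser is itself a drift risk worth a comment pointing at the other copy. The function also mixes a `false` return with an array return; the callers here test `isset($radiusservers[0])`, which handles both, but a header comment stating that contract would help.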
@@ -336,22 +369,24 @@ function disconnect_client($macaddr) { $cpdb[] = explode(",",$line); } } - fclose($fd) ; + fclose($fd); } + $radiusservers = captiveportal_get_radius_servers(); + /* find entry */ for ($i = 0; $i < count($cpdb); $i++) { - if ($cpdb[$i][3] == $macaddr) { + if ($cpdb[$i][5] == $sessionid) { /* this client needs to be deleted - remove ipfw rules */ - if(isset($config['captiveportal']['radacct_enable']) && - file_exists("{$g['vardb_path']}/captiveportal_radius.db")) { + if(isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) { RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno $cpdb[$i][4], // username + $cpdb[$i][5], // sessionid $cpdb[$i][0], // start time - $config['captiveportal']['radiusip'], - $config['captiveportal']['radiusport'], - $config['captiveportal']['radiuskey'] ) ; - } + $radiusservers[0]['ipaddr'], + $radiusservers[0]['acctport'], + $radiusservers[0]['key']); + } mwexec("/sbin/ipfw delete " . $cpdb[$i][1] . " " . ($cpdb[$i][1]+10000)); unset($cpdb[$i]); break; @@ -364,6 +399,7 @@ function disconnect_client($macaddr) { foreach ($cpdb as $cpent) { fwrite($fd, join(",", $cpent) . "\n"); } + fclose($fd); } portal_unlock(); diff --git a/captiveportal/radius_accounting.inc b/captiveportal/radius_accounting.inc index 94922d4..7004971 100644 --- a/captiveportal/radius_accounting.inc +++ b/captiveportal/radius_accounting.inc @@ -29,11 +29,9 @@ */ -function RADIUS_ACCOUNTING_START($username,$radiusip,$radiusport,$radiuskey) { +function RADIUS_ACCOUNTING_START($username,$sessionid,$radiusip,$radiusport,$radiuskey) { $sharedsecret=$radiuskey ; # $debug = 1 ; - - $radiusport=getservbyname("radacct","udp"); exec("/bin/hostname", $nasHostname) ; if(!$nasHostname[0]) @@ -50,7 +48,6 @@ function RADIUS_ACCOUNTING_START($username,$radiusip,$radiusport,$radiuskey) { echo "
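Review bot: The lookup in the @@ -336 hunk compares the untrusted `$sessionid` from `$_POST['logout_id']` to the stored field with `==`; PHP's loose comparison treats two numeric-looking strings, such as hex ids of the form `0e…`, as equal numbers, and any entry still in the previous five-field format leaves `$cpdb[$i][5]` unset. Use a strict, guarded comparison: `if (isset($cpdb[$i][5]) && $cpdb[$i][5] === $sessionid) {`. `disconnect_client` starts in the previous hunk and ends after the @@ -364 hunk, so the rest of the function is not visible here.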
radius-port: $radiusport
radius-host: $radiusip
username: $username
\n"; $thisidentifier=rand()%256; - $sessionid = $username."-".$nasHostname[0] ; $length=4+ // header 16+ // auth code @@ -122,11 +119,9 @@ function RADIUS_ACCOUNTING_START($username,$radiusip,$radiusport,$radiuskey) { // See RFC2866 for this. } -function RADIUS_ACCOUNTING_STOP($ruleno,$username,$start_time,$radiusip,$radiusport,$radiuskey) { +function RADIUS_ACCOUNTING_STOP($ruleno,$username,$sessionid,$start_time,$radiusip,$radiusport,$radiuskey) { $sharedsecret=$radiuskey ; # $debug = 1 ; - - $radiusport=getservbyname("radacct","udp"); exec("/bin/hostname", $nasHostname) ; if(!$nasHostname[0]) @@ -155,7 +150,6 @@ function RADIUS_ACCOUNTING_STOP($ruleno,$username,$start_time,$radiusip,$radiusp echo "
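Review bot: The @@ -50 hunk drops the line that derived `$sessionid` from the username and NAS hostname now that the caller supplies it, but nothing replaces it when the supplied value is empty, which happens for client db entries that predate the six-field format since the callers pass `$cpdb[$i][5]` unchecked; the accounting packet would then carry an empty session id. A fallback, `if (!$sessionid) $sessionid = $username."-".$nasHostname[0];`, keeps the old behaviour for those entries. The same removal appears in the @@ -155 hunk for `RADIUS_ACCOUNTING_STOP`. How `$sessionid` is encoded into the packet is below the hunk and not visible here.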
radius-port: $radiusport
radius-host: $radiusip
username: $username
\n"; $thisidentifier=rand()%256; - $sessionid = $username."-".$nasHostname[0] ; $length=4+ // header 16+ // auth code diff --git a/captiveportal/radius_authentication.inc b/captiveportal/radius_authentication.inc index c81836f..af30df1 100644 --- a/captiveportal/radius_authentication.inc +++ b/captiveportal/radius_authentication.inc @@ -32,14 +32,6 @@ function RADIUS_AUTHENTICATION($username,$password,$radiusip,$radiusport,$radius $sharedsecret=$radiuskey ; # $debug = 1 ; - if(!$radiusport) - $radiusport=0 ; - - // check your /etc/services. Some radius servers - // listen on port 1812, some on 1645. - if ($radiusport==0) - $radiusport=getservbyname("radius","udp"); - exec("/bin/hostname", $nasHostname) ; if(!$nasHostname[0]) $nasHostname[0] = "m0n0wall" ; diff --git a/etc/rc b/etc/rc index 0d26ae9..ddae7c5 100644 --- a/etc/rc +++ b/etc/rc @@ -24,8 +24,9 @@ mkdir /var/run /var/log /var/etc /var/db # generate circular logfiles clog -i -s 262144 /var/log/system.log clog -i -s 262144 /var/log/filter.log +clog -i -s 65536 /var/log/vpn.log clog -i -s 32768 /var/log/dhcpd.log -chmod 0600 /var/log/system.log /var/log/filter.log /var/log/dhcpd.log +chmod 0600 /var/log/*.log adjkerntz -i diff --git a/etc/rc.initial b/etc/rc.initial index d1fe44a..d311fea 100644 --- a/etc/rc.initial +++ b/etc/rc.initial @@ -3,7 +3,7 @@ # /etc/rc.initial # part of m0n0wall (http://neon1.net/m0n0wall) # -# Copyright (C) 2003 Manuel Kasper . +# Copyright (C) 2003-2004 Manuel Kasper . # All rights reserved. # make sure the user can't kill us by pressing Ctrl-C @@ -41,6 +41,7 @@ echo "2) Set up LAN IP address" echo "3) Reset webGUI password" echo "4) Reset to factory defaults" echo "5) Reboot system" +echo "6) Ping host" echo read -p "Enter a number: " opmode @@ -62,6 +63,9 @@ case ${opmode} in 5) /etc/rc.initial.reboot ;; +6) + /etc/rc.initial.ping + ;; esac done diff --git a/phpconf/inc/captiveportal.inc b/phpconf/inc/captiveportal.inc index 83db7f8..d5d78b1 100644 
--- a/phpconf/inc/captiveportal.inc +++ b/phpconf/inc/captiveportal.inc @@ -189,16 +189,22 @@ EOD; if($config['captiveportal']['radiusport']) $radiusport = $config['captiveportal']['radiusport'] ; + else + $radiusport = 1812; - if($config['captiveportal']['radiuskey']) - $radiuskey = $config['captiveportal']['radiuskey'] ; + if($config['captiveportal']['radiusacctport']) + $radiusacctport = $config['captiveportal']['radiusacctport'] ; + else + $radiusacctport = 1813; + + $radiuskey = $config['captiveportal']['radiuskey']; $fd = @fopen("{$g['vardb_path']}/captiveportal_radius.db", "w"); if (!$fd) { printf("Error: cannot open radius DB file in captiveportal_configure().\n"); return 1; } else { - fwrite($fd,$radiusip . "," . $radiusport . "," . $radiuskey) ; + fwrite($fd,$radiusip . "," . $radiusport . "," . $radiusacctport . "," . $radiuskey) ; } fclose($fd) ; } @@ -308,7 +314,7 @@ EOD; } /* remove clients that have been around for longer than the specified amount of time */ -/* db file structure: timestamp,ipfw_rule_no,clientip,clientmac */ +/* db file structure: timestamp,ipfw_rule_no,clientip,clientmac,username,sessionid */ function captiveportal_prune_old() { global $g, $config; @@ -332,6 +338,8 @@ function captiveportal_prune_old() { /* read database */ $cpdb = captiveportal_read_db(); + $radiusservers = captiveportal_get_radius_servers(); + for ($i = 0; $i < count($cpdb); $i++) { $timedout = false; 
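Review bot: The @@ -189 hunk writes the RADIUS shared secret in clear text as the last field of captiveportal_radius.db, opened with `fopen(..., "w")` under whatever umask the configure path runs with, and the same file is now also read by the captive portal page itself. Pinning its mode explicitly costs one line, `chmod("{$g['vardb_path']}/captiveportal_radius.db", 0600);` after the `fclose($fd)`. Whether the existing umask already yields that mode is not visible from the hunk.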
@@ -351,14 +359,14 @@ function captiveportal_prune_old() { if ($timedout) { /* this client needs to be deleted - remove ipfw rules */ - if(isset($config['captiveportal']['radacct_enable']) && - file_exists("{$g['vardb_path']}/captiveportal_radius.db")) { + if (isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) { RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno $cpdb[$i][4], // username + $cpdb[$i][5], // sessionid $cpdb[$i][0], // start time - $config['captiveportal']['radiusip'], - $config['captiveportal']['radiusport'], - $config['captiveportal']['radiuskey'] ) ; + $radiusservers[0]['ipaddr'], + $radiusservers[0]['acctport'], + $radiusservers[0]['key']); } mwexec("/sbin/ipfw delete " . $cpdb[$i][1] . " " . ($cpdb[$i][1]+10000)); unset($cpdb[$i]); @@ -380,19 +388,20 @@ function captiveportal_disconnect_client($id) { /* read database */ $cpdb = captiveportal_read_db(); + $radiusservers = captiveportal_get_radius_servers(); /* find entry */ for ($i = 0; $i < count($cpdb); $i++) { if ($cpdb[$i][1] == $id) { /* this client needs to be deleted - remove ipfw rules */ - if(isset($config['captiveportal']['radacct_enable']) && - file_exists("{$g['vardb_path']}/captiveportal_radius.db")) { + if (isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) { RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno $cpdb[$i][4], // username + $cpdb[$i][5], // sessionid $cpdb[$i][0], // start time - $config['captiveportal']['radiusip'], - $config['captiveportal']['radiusport'], - $config['captiveportal']['radiuskey'] ) ; + $radiusservers[0]['ipaddr'], + $radiusservers[0]['acctport'], + $radiusservers[0]['key']); } mwexec("/sbin/ipfw delete " . $cpdb[$i][1] . " " . ($cpdb[$i][1]+10000)); unset($cpdb[$i]); 
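Review bot: The @@ -351 hunk is one of several copies of the same block, the guarded `RADIUS_ACCOUNTING_STOP` call followed by the `ipfw delete`: the @@ -380 hunk carries another, the @@ -408 hunk the accounting half, and `portal_allow` and `disconnect_client` in captiveportal/index.php two more, and this commit had to touch every copy to add the session id argument, which is how copies drift. A small helper taking the db entry and the server list keeps the accounting and the rule removal in one place, and each site in this file becomes `captiveportal_disconnect_entry($cpdb[$i], $radiusservers);`. Suggested helper:
```php
/* send the RADIUS accounting stop (when enabled) and remove the ipfw rules for one client db entry */
function captiveportal_disconnect_entry($cpent, $radiusservers) {
	global $config;

	if (isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) {
		RADIUS_ACCOUNTING_STOP($cpent[1], // ruleno
			$cpent[4], // username
			$cpent[5], // sessionid
			$cpent[0], // start time
			$radiusservers[0]['ipaddr'],
			$radiusservers[0]['acctport'],
			$radiusservers[0]['key']);
	}
	mwexec("/sbin/ipfw delete " . $cpent[1] . " " . ($cpent[1]+10000));
}
```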
@@ -408,22 +417,23 @@ function captiveportal_disconnect_client($id) { /* send RADIUS acct stop for all current clients */ function captiveportal_radius_stop_all() { - global $g, $config ; - - if(!isset($config['captiveportal']['radacct_enable']) || - !file_exists("{$g['vardb_path']}/captiveportal_radius.db")) { - return ; - } + global $g, $config; captiveportal_lock() ; $cpdb = captiveportal_read_db() ; - for ($i = 0; $i < count($cpdb); $i++) { - RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno - $cpdb[$i][4], // username - $cpdb[$i][0], // start time - $config['captiveportal']['radiusip'], - $config['captiveportal']['radiusport'], - $config['captiveportal']['radiuskey'] ) ; + + $radiusservers = captiveportal_get_radius_servers(); + + if (isset($radiusservers[0])) { + for ($i = 0; $i < count($cpdb); $i++) { + RADIUS_ACCOUNTING_STOP($cpdb[$i][1], // ruleno + $cpdb[$i][4], // username + $cpdb[$i][5], // sessionid + $cpdb[$i][0], // start time + $radiusservers[0]['ipaddr'], + $radiusservers[0]['acctport'], + $radiusservers[0]['key']); + } } captiveportal_unlock() ; } @@ -569,6 +579,32 @@ function captiveportal_write_db($cpdb) { } } +/* read RADIUS servers into array */ +function captiveportal_get_radius_servers() { + + global $g; + + if (file_exists("{$g['vardb_path']}/captiveportal_radius.db")) { + $fd = @fopen("{$g['vardb_path']}/captiveportal_radius.db","r"); + if ($fd) { + $radiusservers = array(); + while (!feof($fd)) { + $line = trim(fgets($fd)); + if ($line) { + $radsrv = array(); + list($radsrv['ipaddr'],$radsrv['port'],$radsrv['acctport'],$radsrv['key']) = explode(",",$line); + $radiusservers[] = $radsrv; + } + } + fclose($fd); + + return $radiusservers; + } + } + + return false; +} + /* lock captive portal information, decide that the lock file is stale after 10 seconds */ function captiveportal_lock() { diff --git a/phpconf/inc/filter.inc b/phpconf/inc/filter.inc index 975a36a..f1eb24c 100644 --- a/phpconf/inc/filter.inc +++ b/phpconf/inc/filter.inc 
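Review bot: `captiveportal_radius_stop_all()` in the @@ -408 hunk loses the `radacct_enable` check: the removed early return tested both the flag and the db file, while the new guard is only `isset($radiusservers[0])`, so once a RADIUS server is configured for authentication an Acct-Stop is sent for every client even when accounting is disabled, unlike the other callers in this file, which keep the flag. The guard should read `if (isset($config['captiveportal']['radacct_enable']) && isset($radiusservers[0])) {`. With the early return gone, `$g` in the kept `global $g, $config;` is no longer used in the visible body.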
@@ -49,6 +49,13 @@ function filter_configure() { if ($g['booting']) echo "Configuring firewall... "; + /* set TCP timeouts */ + $tcpidletimeout = 9000; + if ($config['filter']['tcpidletimeout']) + $tcpidletimeout = $config['filter']['tcpidletimeout']; + mwexec("/sbin/sysctl net.inet.ipf.fr_tcpidletimeout={$tcpidletimeout}"); + mwexec("/sbin/sysctl net.inet.ipf.fr_tcphalfclosed=480"); + /* generate ipnat rules */ $ipnatrules = filter_nat_rules_generate(); @@ -782,6 +789,10 @@ EOD; } } + if (($rule['protocol'] == "icmp") && $rule['icmptype']) { + $line .= "icmp-type {$rule['icmptype']} "; + } + if ($type == "pass") { $line .= "keep state "; diff --git a/phpconf/inc/functions.inc b/phpconf/inc/functions.inc index 423042e..eab4b82 100644 --- a/phpconf/inc/functions.inc +++ b/phpconf/inc/functions.inc @@ -36,5 +36,6 @@ require_once("filter.inc"); require_once("shaper.inc"); require_once("vpn.inc"); require_once("captiveportal.inc"); +require_once("openvpn.inc"); ?> diff --git a/phpconf/inc/globals.inc b/phpconf/inc/globals.inc index 0068b3a..eef6cff 100644 --- a/phpconf/inc/globals.inc +++ b/phpconf/inc/globals.inc @@ -47,7 +47,8 @@ $g = array( "n_pptp_units" => 16, "pptp_subnet" => 28, "debug" => false, - "latest_config" => "1.4" + "latest_config" => "1.4", + "nopccard_platforms" => array("wrap", "net48xx") ); ?> diff --git a/phpconf/inc/interfaces.inc b/phpconf/inc/interfaces.inc index 70eda73..ba5f839 100644 --- a/phpconf/inc/interfaces.inc +++ b/phpconf/inc/interfaces.inc 
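Review bot: In the @@ -49 hunk `$config['filter']['tcpidletimeout']` is interpolated into a `/sbin/sysctl` command line exactly as stored; the value is a number by intent, so coercing it before use, `$tcpidletimeout = (int)$config['filter']['tcpidletimeout'];`, both documents that and keeps a malformed config entry from reaching the shell, in line with the `escapeshellarg()` the interfaces code in this commit applies to its config values. The truthiness test also means a configured `0` falls back to 9000, which may be intended but deserves a comment. The @@ -782 hunk has the same shape with `$rule['icmptype']` going into the generated rule text; whether that value is validated at the webgui is not visible here.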
@@ -102,6 +102,16 @@ function interfaces_lan_configure() { mwexec("/sbin/ifconfig " . escapeshellarg($lancfg['if']) . " link " . escapeshellarg($lancfg['spoofmac'])); + /* media */ + if ($lancfg['media'] || $lancfg['mediaopt']) { + $cmd = "/sbin/ifconfig " . escapeshellarg($lancfg['if']); + if ($lancfg['media']) + $cmd .= " media " . escapeshellarg($lancfg['media']); + if ($lancfg['mediaopt']) + $cmd .= " mediaopt " . escapeshellarg($lancfg['mediaopt']); + mwexec($cmd); + } + mwexec("/sbin/ifconfig " . escapeshellarg($lancfg['if']) . " " . escapeshellarg($lancfg['ipaddr'] . "/" . $lancfg['subnet'])); @@ -129,6 +139,9 @@ function interfaces_lan_configure() { /* reload webgui */ system_webgui_start(); + + /* reload captive portal */ + captiveportal_configure(); } if ($g['booting']) @@ -207,6 +220,22 @@ function interfaces_optional_configure_if($opti) { mwexec("/sbin/ifconfig " . escapeshellarg($optcfg['if']) . " link " . escapeshellarg($optcfg['spoofmac'])); + /* media */ + if ($optcfg['media'] || $optcfg['mediaopt']) { + $cmd = "/sbin/ifconfig " . escapeshellarg($optcfg['if']); + if ($optcfg['media']) + $cmd .= " media " . escapeshellarg($optcfg['media']); + if ($optcfg['mediaopt']) + $cmd .= " mediaopt " . escapeshellarg($optcfg['mediaopt']); + mwexec($cmd); + } + + /* OpenVPN configuration? */ + if (isset($optcfg['ovpn'])) { + if (strstr($if, "tap")) + ovpn_link_tap(); + } + /* bridged? */ if ($optcfg['bridge']) { mwexec("/sbin/ifconfig " . escapeshellarg($optcfg['if']) . 
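Review bot: In the @@ -207 hunk the OpenVPN test `if (strstr($if, "tap"))` reads `$if`, a name nothing in the hunk assigns, while the rest of `interfaces_optional_configure_if()` works from `$optcfg['if']`; unless `$if` is set earlier in the function (its start is outside the hunk) the test is always false and `ovpn_link_tap()` never runs, so it should be `if (strstr($optcfg['if'], "tap"))`. The media block added here is the same nine lines as in the @@ -102 hunk for LAN and the @@ -337 hunk for WAN, which a helper keeps in one place; each site then reads `interfaces_media_configure($optcfg);`. Suggested helper:
```php
/* apply the configured media/mediaopt settings of one interface, if any */
function interfaces_media_configure($ifcfg) {
	if ($ifcfg['media'] || $ifcfg['mediaopt']) {
		$cmd = "/sbin/ifconfig " . escapeshellarg($ifcfg['if']);
		if ($ifcfg['media'])
			$cmd .= " media " . escapeshellarg($ifcfg['media']);
		if ($ifcfg['mediaopt'])
			$cmd .= " mediaopt " . escapeshellarg($ifcfg['mediaopt']);
		mwexec($cmd);
	}
}
```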
@@ -316,13 +345,9 @@ function interfaces_wan_configure() { if (file_exists("{$g['varetc_path']}/mpd.links")) { unlink("{$g['varetc_path']}/mpd.links"); } - /* remove ipsec.wanip, if it exists */ - if (file_exists("{$g['vardb_path']}/ipsec.wanip")) { - unlink("{$g['vardb_path']}/ipsec.wanip"); - } - /* remove bigpond.wanip, if it exists */ - if (file_exists("{$g['vardb_path']}/bigpond.wanip")) { - unlink("{$g['vardb_path']}/bigpond.wanip"); + /* remove wanip, if it exists */ + if (file_exists("{$g['vardb_path']}/wanip")) { + unlink("{$g['vardb_path']}/wanip"); } } @@ -337,6 +362,16 @@ function interfaces_wan_configure() { if ($wancfg['spoofmac']) mwexec("/sbin/ifconfig " . escapeshellarg($wancfg['if']) . " link " . escapeshellarg($wancfg['spoofmac'])); + + /* media */ + if ($wancfg['media'] || $wancfg['mediaopt']) { + $cmd = "/sbin/ifconfig " . escapeshellarg($wancfg['if']); + if ($wancfg['media']) + $cmd .= " media " . escapeshellarg($wancfg['media']); + if ($wancfg['mediaopt']) + $cmd .= " mediaopt " . escapeshellarg($wancfg['mediaopt']); + mwexec($cmd); + } switch ($wancfg['ipaddr']) { 
@@ -441,14 +476,35 @@ function interfaces_wan_pppoe_configure() { printf("Error: cannot open mpd.conf in interfaces_wan_pppoe_configure().\n"); return 1; } - + + $idle = 0; + + if (isset($pppoecfg['ondemand'])) { + $ondemand = "enable"; + if ($pppoecfg['timeout']) + $idle = $pppoecfg['timeout']; + } else { + $ondemand = "disable"; + } + $mpdconf = << $client) { + if (isset($client['enable'])) { + + if ($g['booting']) + echo "Starting OpenVPN client $id... "; + + /* kill any running openvpn daemon */ + killbypid("{$g['varrun_path']}/ovpn_client{$id}.pid"); + + /* Remove old certs & keys */ + unlink_if_exists("{$g['vardb_path']}/ovpn_ca_cert_{$id}.pem"); + unlink_if_exists("{$g['vardb_path']}/ovpn_cli_cert_{$id}.pem"); + unlink_if_exists("{$g['vardb_path']}/ovpn_cli_key_{$id}.pem"); + + /* Copy the TLS-Client certs & keys to disk */ + /*$fd = @fopen("{$g['vardb_path']}/ovpn_ca_cert_{$id}.pem", "w");*/ + $fd = fopen("{$g['vardb_path']}/ovpn_ca_cert_{$id}.pem", "w"); + if ($fd) { + fwrite($fd, base64_decode($client['ca_cert'])."\n"); + fclose($fd); + } + else + trigger_error("OVPN: No open for CA", E_USER_NOTICE); + $fd = fopen($g['vardb_path']."/ovpn_cli_cert_".$id.".pem", "w"); + if ($fd) { + fwrite($fd, base64_decode($client['cli_cert'])."\n"); + fclose($fd); + } + $fd = fopen($g['vardb_path']."/ovpn_cli_key_".$id.".pem", "w"); + if ($fd) { + fwrite($fd, base64_decode($client['cli_key'])."\n"); + fclose($fd); + } + + /* Start openvpn for this client */ + mwexec("/usr/local/sbin/openvpn " . 
ovpn_cli_config_generate($id)); + + if ($g['booting']) + /* Send the boot message */ + echo "done\n"; + } + else { + if (!$g['booting']){ + /* stop any processes, unload the tap module */ + /* Remove old certs & keys */ + unlink_if_exists("{$g['vardb_path']}/ovpn_ca_cert_{$id}.pem"); + unlink_if_exists("{$g['vardb_path']}/ovpn_cli_cert_{$id}.pem"); + unlink_if_exists("{$g['vardb_path']}/ovpn_cli_key_{$id}.pem"); + killbypid("{$g['varrun_path']}/ovpn_client{$id}.pid"); + if ($client['type'] == "tap") + ovpn_unlink_tap(); + } + } + } + return 0; + +} + +/* Kill off a running client process */ +function ovpn_client_kill($id) { + global $g; + + killbypid("{$g['varrun_path']}/ovpn_client{$id}.pid"); + return 0; +} + +function ovpn_cli_config_generate($id) { + /* configure the named client */ + global $config, $g; + $client = $config['ovpn']['client']['tunnel']; + + /* Client support in 2.0 is very simple */ + + $ovpn_config = "--client --daemon --verb 1 "; + + /* pid file */ + $ovpn_config .= "--writepid {$g['varrun_path']}/ovpn_client{$id}.pid "; + + /* interface */ + $ovpn_config .= "--dev {$client[$id]['if']} "; + + /* protocol */ + $ovpn_config .= "--proto {$client[$id]['proto']} "; + + /* port */ + $ovpn_config .= "--lport {$client[$id]['cport']} "; + + /* server location */ + $ovpn_config .= "--remote {$client[$id]['saddr']} {$client[$id]['sport']} "; + + /* TLS-Server params */ + $ovpn_config .= "--ca {$g['vardb_path']}/ovpn_ca_cert_{$id}.pem "; + $ovpn_config .= "--cert {$g['vardb_path']}/ovpn_cli_cert_{$id}.pem "; + $ovpn_config .= "--key {$g['vardb_path']}/ovpn_cli_key_{$id}.pem "; + + /* Data channel encryption cipher*/ + $ovpn_config .= "--cipher {$client[$id]['crypto']} "; + + //trigger_error("OVPN: $ovpn_config", E_USER_NOTICE); + return $ovpn_config; +} + +/* Define an OVPN tunnel interface in the interfaces array for each client */ +function ovpn_client_iface(){ + global $config; + + foreach ($config['ovpn']['client']['tunnel'] as $id => $client) { + if 
(isset($client['enable'])) { + $i = 1; + while (true) { + $ifname = 'opt' . $i; + if (is_array($config['interfaces'][$ifname])) { + if ((isset($config['interfaces'][$ifname]['ovpn'])) + && ($config['interfaces'][$ifname]['ovpn'] == "client{$id}")) + /* Already an interface defined - overwrite */ + break; + } + else { + /* No existing entry, this is first unused */ + $config['interfaces'][$ifname] = array(); + break; + } + $i++; + } + if (isset($client['descr'])) + $config['interfaces'][$ifname]['descr'] = $client['descr']; + else + $config['interfaces'][$ifname]['descr'] = "OVPN client-{$id}"; + $config['interfaces'][$ifname]['if'] = $client['if']; + $config['interfaces'][$ifname]['ipaddr'] = "0.0.0.0"; + $config['interfaces'][$ifname]['subnet'] = "0"; + $config['interfaces'][$ifname]['enable'] = isset($client['enable']) ? true : false; + $config['interfaces'][$ifname]['ovpn'] = "client{$id}"; + write_config(); + } + } + return "OpenVPN client interfaces defined"; +} + +/* Delete a client interface definition */ +function ovpn_client_iface_del($id) { + global $config; + + $i = 1; + while (true) { + $ifname = 'opt' . 
$i; + if (is_array($config['interfaces'][$ifname])) { + if ((isset($config['interfaces'][$ifname]['ovpn'])) + && ($config['interfaces'][$ifname]['ovpn'] == "client{$id}")) + unset($config['interfaces'][$ifname]); + } + } +} + +/******************/ +/* Misc functions */ + +/* Calculate the last address in a range given the start and /prefix */ +function ovpn_calc_end($start, $prefix){ + + $first = ip2long($start); + $last = pow(2,(32 - $prefix)) - 1 + $first; + return long2ip($last); +} + +/* Calculate a mask given a /prefix */ +function ovpn_calc_mask($prefix){ + + return long2ip(ip2long("255.255.255.255") - (pow( 2, (32 - $prefix)) - 1)); +} + +/* Read in a file from the $_FILES array */ +function ovpn_get_file($file){ + global $g; + + if (!is_uploaded_file($_FILES[$file]['tmp_name'])){ + trigger_error("Bad file upload".$_FILES[$file]['error'], E_USER_NOTICE); + return NULL; + } + $contents = file_get_contents($_FILES[$file]['tmp_name']); + return $contents; +} + + +/* Get the IP address of a specified interface */ +function ovpn_get_ip($iface){ + global $config; + + if ($iface == 'wan') + return get_current_wan_address(); + + if ($config['interfaces'][$iface]['bridge']) + /* No bridging (yet) */ + return false; + return $config['interfaces'][$iface]['ipaddr']; +} + +/* Get a list of the cipher options supported by OpenVPN */ +function ovpn_get_cipher_list(){ + +/* exec("/usr/local/sbin/openvpn --show-ciphers", $raw); + print_r ($raw); + + $ciphers = preg_grep('/ bit default key /', $raw); + + for($i = 0; $i 'DES-CBC (64 bit)', + 'RC2-CBC' => 'RC2-CBC (128 bit)', + 'DES-EDE-CBC' => 'DES-EDE-CBC (128 bit)', + 'DES-EDE3-CBC' => 'DES-EDE3-CBC (192 bit)', + 'DESX-CBC' => 'DESX-CBC (192 bit)', + 'BF-CBC' => 'BF-CBC (128 bit)', + 'RC2-40-CBC' => 'RC2-40-CBC (40 bit)', + 'CAST5-CBC' => 'CAST5-CBC (128 bit)', + 'RC5-CBC' => 'RC5-CBC (128 bit)', + 'RC2-64-CBC' => 'RC2-64-CBC (64 bit)', + 'AES-128-CBC' => 'AES-128-CBC (128 bit)', + 'AES-192-CBC' => 'AES-192-CBC (192 bit)', 
+ 'AES-256-CBC' => 'AES-256-CBC (256 bit)'); + return $cipher_list; +} + + +/* Build a list of the current real interfaces */ +function ovpn_real_interface_list(){ + global $config; + + $interfaces = array('all' => 'ALL', + 'lan' => 'LAN', + 'wan' => 'WAN'); + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { + if (isset($config['interfaces']['opt' . $i]['ovpn'])) + /* Hide our own interface */ + break; + if (isset($config['interfaces']['opt' . $i]['enable'])) + $interfaces['opt' . $i] = $config['interfaces']['opt' . $i]['descr']; + } + return $interfaces; +} + + +/* lock openvpn information, decide that the lock file is stale after + 10 seconds */ +function ovpn_lock() { + + global $g; + + $lockfile = "{$g['varrun_path']}/ovpn.lock"; + + $n = 0; + while ($n < 10) { + /* open the lock file in append mode to avoid race condition */ + if ($fd = @fopen($lockfile, "x")) { + /* succeeded */ + fclose($fd); + return; + } else { + /* file locked, wait and try again */ + sleep(1); + $n++; + } + } +} + +/* unlock configuration file */ +function ovpn_unlock() { + + global $g; + + $lockfile = "{$g['varrun_path']}/ovpn.lock"; + + if (file_exists($lockfile)) + unlink($lockfile); +} + +?> diff --git a/phpconf/inc/services.inc b/phpconf/inc/services.inc index 4ca0d6e..17bc959 100644 --- a/phpconf/inc/services.inc +++ b/phpconf/inc/services.inc 
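Review bot: `ovpn_client_iface_del()` in the span ending here never terminates: its `while (true)` loop neither increments `$i` nor breaks, so the first call spins forever on `opt1`. Extraction has dropped the file and hunk headers for this span (it runs on from the @@ -441 hunk of interfaces.inc, where a heredoc was lost), and the function names suggest it is the new openvpn.inc, so take the location as inferred. The loop should advance and stop when the matching interface is found or the numbering runs out, as below. Separately, `ovpn_cli_config_generate()` interpolates `saddr`, `sport`, `proto`, `if` and `crypto` from the config straight into the `mwexec("/usr/local/sbin/openvpn " . ...)` command line; the interfaces code in this same commit wraps such values in `escapeshellarg()`, and the same treatment belongs here.
```php
	$i = 1;
	while (is_array($config['interfaces']['opt' . $i])) {
		$ifname = 'opt' . $i;
		if (isset($config['interfaces'][$ifname]['ovpn'])
			&& ($config['interfaces'][$ifname]['ovpn'] == "client{$id}")) {
			unset($config['interfaces'][$ifname]);
			break;
		}
		$i++;
	}
```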
@@ -94,15 +94,17 @@ EOD; $dnscfg .= " option domain-name \"{$dhcpifconf['domain']}\";\n"; } - if (isset($config['dnsmasq']['enable'])) { + if (is_array($dhcpifconf['dnsserver']) && ($dhcpifconf['dnsserver'][0])) { + $dnscfg .= " option domain-name-servers " . join(",", $dhcpifconf['dnsserver']) . ";"; + } else if (isset($config['dnsmasq']['enable'])) { $dnscfg .= " option domain-name-servers " . $ifcfg['ipaddr'] . ";"; } else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) { $dnscfg .= " option domain-name-servers " . join(",", $syscfg['dnsserver']) . ";"; - } - - $dhcpdconf .= "subnet $subnet netmask $subnetmask {\n"; - $dhcpdconf .= " pool {\n"; - if (isset($dhcpifconf['denyunknown'])) + } + + $dhcpdconf .= "subnet $subnet netmask $subnetmask {\n"; + $dhcpdconf .= " pool {\n"; + if (isset($dhcpifconf['denyunknown'])) $dhcpdconf .= " deny unknown clients;\n"; if ($dhcpifconf['gateway']) 
@@ -177,6 +179,76 @@ EOD; return 0; } +function services_dhcrelay_configure() { + global $config, $g; + + /* kill any running dhcrelay */ + killbypid("{$g['varrun_path']}/dhcrelay.pid"); + + $dhcrelaycfg = $config['dhcrelay']; + + /* DHCPRelay enabled on any interfaces? */ + $dhcrelayenable = false; + foreach ($dhcrelaycfg as $dhcrelayif => $dhcrelayifconf) { + if (isset($dhcrelayifconf['enable']) && + (($dhcrelayif == "lan") || + (isset($config['interfaces'][$dhcrelayif]['enable']) && + $config['interfaces'][$dhcrelayif]['if'] && (!$config['interfaces'][$dhcrelayif]['bridge'])))) + $dhcrelayenable = true; + } + + if (!$dhcrelayenable) + return 0; + + if ($g['booting']) + echo "Starting DHCP relay service... "; + else + sleep(1); + + $dhcrelayifs = array(); + foreach ($dhcrelaycfg as $dhcrelayif => $dhcrelayifconf) { + + $ifcfg = $config['interfaces'][$dhcrelayif]; + + if (!isset($dhcrelayifconf['enable']) || + (($dhcrelayif != "lan") && + (!isset($ifcfg['enable']) || !$ifcfg['if'] || $ifcfg['bridge']))) + continue; + + $dhcrelayifs[] = $ifcfg['if']; + } + + /* In order for the relay to work, it needs to be active on the + interface in which the destination server sits */ + foreach ($config['interfaces'] as $ifname) { + $subnet = $ifname['ipaddr'] . "/" . $ifname['subnet']; + if (ip_in_subnet($dhcrelaycfg['server'],$subnet)) + $destif = $ifname['if']; + } + + if (!isset($destif)) + $destif = $config['interfaces']['wan']['if']; + + $dhcrelayifs[] = $destif; + $dhcrelayifs = array_unique($dhcrelayifs); + + /* fire up dhcrelay */ + $cmd = "/usr/local/sbin/dhcrelay -i " . join(" -i ", $dhcrelayifs); + + if (isset($dhcrelaycfg['agentoption'])) + $cmd .= " -a -m replace"; + + $cmd .= " {$dhcrelaycfg['server']}"; + mwexec($cmd); + + if (!$g['booting']) { + filter_configure(); + } else + echo "done\n"; + + return 0; +} + function services_dyndns_reset() { global $config, $g; diff --git a/phpconf/inc/shaper.inc b/phpconf/inc/shaper.inc index 322ec37..ce4a5c5 100644 
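Review bot: `$cmd .= " {$dhcrelaycfg['server']}"` and the preceding `join(" -i ", $dhcrelayifs)` interpolate configuration values straight into the command handed to mwexec() without escaping; the webGUI form presumably validates the server as an IP address, but the generator should not depend on that, so wrap each value, e.g. `join(" -i ", array_map('escapeshellarg', $dhcrelayifs))` and `$cmd .= " " . escapeshellarg($dhcrelaycfg['server']);`. Separately, both `foreach ($dhcrelaycfg as $dhcrelayif => $dhcrelayifconf)` loops walk every key of the dhcrelay section, so the scalar `server` and `agentoption` entries are visited as if they were interfaces and are only dropped because the later interface checks fail for them; an explicit `if (!is_array($dhcrelayifconf)) continue;` would state the intent. The `$destif` loop also builds `$ifname['ipaddr'] . "/" . $ifname['subnet']` for interfaces without a static address, and whether ip_in_subnet() copes with an empty address is not visible here.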
--- a/phpconf/inc/shaper.inc +++ b/phpconf/inc/shaper.inc @@ -313,8 +313,8 @@ function shaper_rules_generate() { if ($rule['iplen']) $line .= "iplen {$rule['iplen']} "; - - if ($rule['iptos']) + + if ($rule['iptos']) $line .= "iptos {$rule['iptos']} "; if ($rule['tcpflags']) diff --git a/phpconf/inc/system.inc b/phpconf/inc/system.inc index 95d5b2e..d2c0b33 100644 --- a/phpconf/inc/system.inc +++ b/phpconf/inc/system.inc @@ -194,19 +194,26 @@ function system_syslogd_start() { $syslogconf = << diff --git a/webgui/diag_backup.php b/webgui/diag_backup.php index 0224427..888651c 100644 --- a/webgui/diag_backup.php +++ b/webgui/diag_backup.php @@ -45,9 +45,13 @@ if ($_POST) { if ($mode) { if ($mode == "download") { config_lock(); + + $fn = "config-" . $config['system']['hostname'] . "." . + $config['system']['domain'] . "-" . date("YmdHis") . ".xml"; + $fs = filesize($g['conf_path'] . "/config.xml"); header("Content-Type: application/octet-stream"); - header("Content-Disposition: attachment; filename=config.xml"); + header("Content-Disposition: attachment; filename=$fn"); header("Content-Length: $fs"); readfile($g['conf_path'] . "/config.xml"); config_unlock(); @@ -70,7 +74,7 @@ if ($_POST) { -m0n0wall webGUI - Diagnostics: Backup/restore +<?=gentitle("Diagnostics: Backup/restore");?> diff --git a/webgui/diag_defaults.php b/webgui/diag_defaults.php index 95d00d6..3ba3ea0 100644 --- a/webgui/diag_defaults.php +++ b/webgui/diag_defaults.php @@ -45,7 +45,7 @@ if ($_POST) { -m0n0wall webGUI - Diagnostics: Factory defaults +<?=gentitle("Diagnostics: Factory defaults");?> diff --git a/webgui/diag_dhcp_leases.php b/webgui/diag_dhcp_leases.php index 58a7d55..4b730fa 100644 --- a/webgui/diag_dhcp_leases.php +++ b/webgui/diag_dhcp_leases.php @@ -34,7 +34,7 @@ require("guiconfig.inc"); -m0n0wall webGUI - Diagnostics: DHCP leases +<?=gentitle("Diagnostics: DHCP leases");?> diff --git a/webgui/diag_ipsec_sad.php b/webgui/diag_ipsec_sad.php index 7c5f2d5..caba9d1 100644 
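Review bot: In the diag_backup.php hunk, `header("Content-Disposition: attachment; filename=$fn");` sends the new hostname-and-domain-derived filename unquoted, so a hostname or domain containing a space or another character special to the header (presumably restricted by the system settings form, but not checked here) produces a malformed header and a wrong download name; quote it, `header("Content-Disposition: attachment; filename=\"$fn\"");`. The remaining hunks on this line are title or whitespace changes, and the system.inc hunk is not readable in this rendering.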
--- a/webgui/diag_ipsec_sad.php +++ b/webgui/diag_ipsec_sad.php @@ -34,7 +34,7 @@ require("guiconfig.inc"); -m0n0wall webGUI - Diagnostics: IPsec +<?=gentitle("Diagnostics: IPsec");?> diff --git a/webgui/diag_ipsec_spd.php b/webgui/diag_ipsec_spd.php index 4d166e4..80cd066 100644 --- a/webgui/diag_ipsec_spd.php +++ b/webgui/diag_ipsec_spd.php @@ -34,7 +34,7 @@ require("guiconfig.inc"); -m0n0wall webGUI - Diagnostics: IPsec +<?=gentitle("Diagnostics: IPsec");?> diff --git a/webgui/diag_logs.php b/webgui/diag_logs.php index 08931fb..fe4d41a 100644 --- a/webgui/diag_logs.php +++ b/webgui/diag_logs.php @@ -64,7 +64,7 @@ function dump_clog($logfile, $tail, $withorig = true) { -m0n0wall webGUI - Diagnostics: System logs +<?=gentitle("Diagnostics: System logs");?> @@ -78,6 +78,7 @@ function dump_clog($logfile, $tail, $withorig = true) {
  • System
  • Firewall
  • DHCP
  • +
  • PPTP VPN
  • Settings
  • diff --git a/webgui/diag_logs_dhcp.php b/webgui/diag_logs_dhcp.php index 75bc392..ba13ee3 100644 --- a/webgui/diag_logs_dhcp.php +++ b/webgui/diag_logs_dhcp.php @@ -64,7 +64,7 @@ function dump_clog($logfile, $tail, $withorig = true) { -m0n0wall webGUI - Diagnostics: System logs +<?=gentitle("Diagnostics: System logs");?> @@ -78,6 +78,7 @@ function dump_clog($logfile, $tail, $withorig = true) {
  • System
  • Firewall
  • DHCP
  • +
  • PPTP VPN
  • Settings
  • diff --git a/webgui/diag_logs_filter.php b/webgui/diag_logs_filter.php index 07a8e23..fece0ac 100644 --- a/webgui/diag_logs_filter.php +++ b/webgui/diag_logs_filter.php @@ -119,7 +119,7 @@ function format_ipf_ip($ipfip) { -m0n0wall webGUI - Diagnostics: System logs +<?=gentitle("Diagnostics: System logs");?> @@ -133,6 +133,7 @@ function format_ipf_ip($ipfip) {
  • System
  • Firewall
  • DHCP
  • +
  • PPTP VPN
  • Settings
  • diff --git a/webgui/diag_logs_settings.php b/webgui/diag_logs_settings.php index 1e495fc..7868c56 100644 --- a/webgui/diag_logs_settings.php +++ b/webgui/diag_logs_settings.php @@ -36,6 +36,7 @@ $pconfig['nentries'] = $config['syslog']['nentries']; $pconfig['remoteserver'] = $config['syslog']['remoteserver']; $pconfig['filter'] = isset($config['syslog']['filter']); $pconfig['dhcp'] = isset($config['syslog']['dhcp']); +$pconfig['vpn'] = isset($config['syslog']['vpn']); $pconfig['system'] = isset($config['syslog']['system']); $pconfig['enable'] = isset($config['syslog']['enable']); $pconfig['logdefaultblock'] = !isset($config['syslog']['nologdefaultblock']); @@ -63,6 +64,7 @@ if ($_POST) { $config['syslog']['remoteserver'] = $_POST['remoteserver']; $config['syslog']['filter'] = $_POST['filter'] ? true : false; $config['syslog']['dhcp'] = $_POST['dhcp'] ? true : false; + $config['syslog']['vpn'] = $_POST['vpn'] ? true : false; $config['syslog']['system'] = $_POST['system'] ? true : false; $config['syslog']['enable'] = $_POST['enable'] ? true : false; $oldnologdefaultblock = isset($config['syslog']['nologdefaultblock']); @@ -87,7 +89,7 @@ if ($_POST) { -m0n0wall webGUI - Diagnostics: System logs +<?=gentitle("Diagnostics: System logs");?> + + + + +

    Services: DHCP relay

    +
    + + + + + + + +
    +
      + $ifname): + if ($ifent == $if): ?> +
    • + +
    • + + +
    +
    + + + + + + + + + + + + + + + + + +
      + onClick="enable_change(false)"> + Enable DHCP relay on + + interface
      +> + Append circuit ID and agent ID to requests
    + If this is checked, the DHCP relay will append the circuit ID (m0n0wall interface number) and the agent ID to the DHCP request.
    Destination server + onClick="enable_change(false)"> Proxy requests to DHCP server on WAN subnet +

    +
    + This is the IP address of the server to which the DHCP packet is relayed. Select "Proxy requests to DHCP server on WAN subnet" to relay DHCP packets to the server that was used on the WAN interface. +
      + + +
    +
    +
    + + + + diff --git a/webgui/services_dnsmasq.php b/webgui/services_dnsmasq.php index a08ffb3..00cd5af 100644 --- a/webgui/services_dnsmasq.php +++ b/webgui/services_dnsmasq.php @@ -76,7 +76,7 @@ if ($_GET['act'] == "del") { -m0n0wall webGUI - Services: DNS forwarder +<?=gentitle("Services: DNS forwarder");?> @@ -93,13 +93,13 @@ if ($_GET['act'] == "del") {

    - > + > Enable DNS forwarder

    - > + > Register DHCP leases in DNS forwarder
    If this option is set, then machines that specify their hostname when requesting a DHCP lease will be registered diff --git a/webgui/services_dnsmasq_edit.php b/webgui/services_dnsmasq_edit.php index b7f26e3..810a415 100644 --- a/webgui/services_dnsmasq_edit.php +++ b/webgui/services_dnsmasq_edit.php @@ -104,7 +104,7 @@ if ($_POST) { -m0n0wall webGUI - Services: DNS forwarder: Edit host +<?=gentitle("Services: DNS forwarder: Edit host");?> diff --git a/webgui/services_dyndns.php b/webgui/services_dyndns.php index 85d2394..f40c6c6 100644 --- a/webgui/services_dyndns.php +++ b/webgui/services_dyndns.php @@ -88,7 +88,7 @@ if ($_POST) { -m0n0wall webGUI - Services: Dynamic DNS client +<?=gentitle("Services: Dynamic DNS client");?>