diff options
| author | Warren Baker <warren@decoy.co.za> | 2011-09-28 01:24:19 +0200 |
|---|---|---|
| committer | Warren Baker <warren@decoy.co.za> | 2011-09-28 01:24:19 +0200 |
| commit | c6b67d94011e4c91388100a7f6a0b274f64e555a (patch) | |
| tree | 388ed6dfb314149f2d6aeda55cec447f9ee31fef | |
| parent | c437156bf59cb3a689761670e9e040e9a8ceaa62 (diff) | |
| download | pfsense-packages-c6b67d94011e4c91388100a7f6a0b274f64e555a.tar.gz pfsense-packages-c6b67d94011e4c91388100a7f6a0b274f64e555a.tar.bz2 pfsense-packages-c6b67d94011e4c91388100a7f6a0b274f64e555a.zip | |
Start the support IPv6 ACLs
| -rw-r--r-- | config/unbound/unbound_acls.php | 860 | ||||
| -rw-r--r-- | config/unbound/unbound_acls_edit.php | 277 |
2 files changed, 1137 insertions, 0 deletions
diff --git a/config/unbound/unbound_acls.php b/config/unbound/unbound_acls.php new file mode 100644 index 00000000..d1b501d6 --- /dev/null +++ b/config/unbound/unbound_acls.php @@ -0,0 +1,860 @@ +<?php +/* $Id$ */ +/* + unbound_acls.php + part of pfSense (http://www.pfsense.com/) + + Copyright (C) 2011 Warren Baker <warren@decoy.co.za> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if(!is_process_running("unbound")) { + Header("Location: /pkg_edit.php?xml=unbound.xml&id=0"); + exit; +} + +if (!is_array($config['installedpackages']['unboundacls'][0]['config'])) + $config['installedpackages']['unboundacls'][0]['config'] = array(); + +$a_acls = &$config['installedpackages']['unboundacls'][0]['config']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +$act = $_GET['act']; +if (isset($_POST['act'])) + $act = $_POST['act']; + +if ($_GET['act'] == "del") { + + if (!$a_client[$id]) { + pfSenseHeader("vpn_openvpn_client.php"); + exit; + } + + openvpn_delete('client', $a_client[$id]); + unset($a_client[$id]); + write_config(); + $savemsg = gettext("Client successfully deleted")."<br/>"; +} + +if($_GET['act']=="new"){ + $pconfig['autokey_enable'] = "yes"; + $pconfig['tlsauth_enable'] = "yes"; + $pconfig['autotls_enable'] = "yes"; + $pconfig['interface'] = "wan"; + $pconfig['server_port'] = 1194; +} + +if($_GET['act']=="edit"){ + + if (isset($id) && $a_client[$id]) { + + $pconfig['disable'] = isset($a_client[$id]['disable']); + $pconfig['mode'] = $a_client[$id]['mode']; + $pconfig['protocol'] = $a_client[$id]['protocol']; + $pconfig['interface'] = $a_client[$id]['interface']; + if (!empty($a_client[$id]['ipaddr'])) { + $pconfig['interface'] = $pconfig['interface'] . '|' . $a_client[$id]['ipaddr']; + } + $pconfig['local_port'] = $a_client[$id]['local_port']; + $pconfig['server_addr'] = $a_client[$id]['server_addr']; + $pconfig['server_port'] = $a_client[$id]['server_port']; + $pconfig['resolve_retry'] = $a_client[$id]['resolve_retry']; + $pconfig['proxy_addr'] = $a_client[$id]['proxy_addr']; + $pconfig['proxy_port'] = $a_client[$id]['proxy_port']; + $pconfig['proxy_user'] = $a_client[$id]['proxy_user']; + $pconfig['proxy_passwd'] = $a_client[$id]['proxy_passwd']; + $pconfig['proxy_authtype'] = $a_client[$id]['proxy_authtype']; + $pconfig['description'] = $a_client[$id]['description']; + $pconfig['custom_options'] = $a_client[$id]['custom_options']; + $pconfig['ns_cert_type'] = $a_client[$id]['ns_cert_type']; + $pconfig['dev_mode'] = $a_client[$id]['dev_mode']; + + if ($pconfig['mode'] != "p2p_shared_key") { + $pconfig['caref'] = $a_client[$id]['caref']; + $pconfig['certref'] = $a_client[$id]['certref']; + if ($a_client[$id]['tls']) { + $pconfig['tlsauth_enable'] = "yes"; + $pconfig['tls'] = base64_decode($a_client[$id]['tls']); + } + } else + $pconfig['shared_key'] = base64_decode($a_client[$id]['shared_key']); + $pconfig['crypto'] = $a_client[$id]['crypto']; + $pconfig['engine'] = $a_client[$id]['engine']; + + $pconfig['tunnel_network'] = $a_client[$id]['tunnel_network']; + $pconfig['remote_network'] = $a_client[$id]['remote_network']; + $pconfig['compression'] = $a_client[$id]['compression']; + $pconfig['passtos'] = $a_client[$id]['passtos']; + + // just in case the modes switch + $pconfig['autokey_enable'] = "yes"; + $pconfig['autotls_enable'] = "yes"; + } +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + if (isset($id) && $a_client[$id]) + $vpnid = $a_client[$id]['vpnid']; + else + $vpnid = 0; + + if ($pconfig['mode'] != "p2p_shared_key") + $tls_mode = true; + else + $tls_mode = false; + + /* input validation */ + if ($pconfig['local_port']) { + + if ($result = openvpn_validate_port($pconfig['local_port'], 'Local port')) + $input_errors[] = $result; + + $portused = openvpn_port_used($pconfig['protocol'], $pconfig['local_port']); + if (($portused != $vpnid) && ($portused != 0)) + $input_errors[] = gettext("The specified 'Local port' is in use. Please select another value"); + } + + if ($result = openvpn_validate_host($pconfig['server_addr'], 'Server host or address')) + $input_errors[] = $result; + + if ($result = openvpn_validate_port($pconfig['server_port'], 'Server port')) + $input_errors[] = $result; + + if ($pconfig['proxy_addr']) { + + if ($result = openvpn_validate_host($pconfig['proxy_addr'], 'Proxy host or address')) + $input_errors[] = $result; + + if ($result = openvpn_validate_port($pconfig['proxy_port'], 'Proxy port')) + $input_errors[] = $result; + + if ($pconfig['proxy_authtype'] != "none") { + if (empty($pconfig['proxy_user']) || empty($pconfig['proxy_passwd'])) + $input_errors[] = gettext("User name and password are required for proxy with authentication."); + } + } + + if($pconfig['tunnel_network']) + if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], 'Tunnel network')) + $input_errors[] = $result; + + if ($result = openvpn_validate_cidr($pconfig['remote_network'], 'Remote network')) + $input_errors[] = $result; + + if ($pconfig['autokey_enable']) + $pconfig['shared_key'] = openvpn_create_key(); + + if (!$tls_mode && !$pconfig['autokey_enable']) + if (!strstr($pconfig['shared_key'], "-----BEGIN OpenVPN Static key V1-----") || + !strstr($pconfig['shared_key'], "-----END OpenVPN Static key V1-----")) + $input_errors[] = gettext("The field 'Shared Key' does not appear to be valid"); + + if ($tls_mode && $pconfig['tlsauth_enable'] && !$pconfig['autotls_enable']) + if (!strstr($pconfig['tls'], "-----BEGIN OpenVPN Static key V1-----") || + !strstr($pconfig['tls'], "-----END OpenVPN Static key V1-----")) + $input_errors[] = gettext("The field 'TLS Authentication Key' does not appear to be valid"); + + /* If we are not in shared key mode, then we need the CA/Cert. */ + if ($pconfig['mode'] != "p2p_shared_key") { + $reqdfields = explode(" ", "caref certref"); + $reqdfieldsn = array(gettext("Certificate Authority"),gettext("Certificate")); + } elseif (!$pconfig['autokey_enable']) { + /* We only need the shared key filled in if we are in shared key mode and autokey is not selected. */ + $reqdfields = array('shared_key'); + $reqdfieldsn = array(gettext('Shared key')); + } + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (!$input_errors) { + + $client = array(); + + if ($vpnid) + $client['vpnid'] = $vpnid; + else + $client['vpnid'] = openvpn_vpnid_next(); + + if ($_POST['disable'] == "yes") + $client['disable'] = true; + $client['protocol'] = $pconfig['protocol']; + $client['dev_mode'] = $pconfig['dev_mode']; + list($client['interface'], $client['ipaddr']) = explode ("|",$pconfig['interface']); + $client['local_port'] = $pconfig['local_port']; + $client['server_addr'] = $pconfig['server_addr']; + $client['server_port'] = $pconfig['server_port']; + $client['resolve_retry'] = $pconfig['resolve_retry']; + $client['proxy_addr'] = $pconfig['proxy_addr']; + $client['proxy_port'] = $pconfig['proxy_port']; + $client['proxy_authtype'] = $pconfig['proxy_authtype']; + $client['proxy_user'] = $pconfig['proxy_user']; + $client['proxy_passwd'] = $pconfig['proxy_passwd']; + $client['description'] = $pconfig['description']; + $client['mode'] = $pconfig['mode']; + $client['custom_options'] = str_replace("\r\n", "\n", $pconfig['custom_options']); + + if ($tls_mode) { + $client['caref'] = $pconfig['caref']; + $client['certref'] = $pconfig['certref']; + if ($pconfig['tlsauth_enable']) { + if ($pconfig['autotls_enable']) + $pconfig['tls'] = openvpn_create_key(); + $client['tls'] = base64_encode($pconfig['tls']); + } + } else { + $client['shared_key'] = base64_encode($pconfig['shared_key']); + } + $client['crypto'] = $pconfig['crypto']; + $client['engine'] = $pconfig['engine']; + + $client['tunnel_network'] = $pconfig['tunnel_network']; + $client['remote_network'] = $pconfig['remote_network']; + $client['compression'] = $pconfig['compression']; + $client['passtos'] = $pconfig['passtos']; + + if (isset($id) && $a_client[$id]) + $a_client[$id] = $client; + else + $a_client[] = $client; + + openvpn_resync('client', $client); + write_config(); + + header("Location: vpn_openvpn_client.php"); + exit; + } +} + + +$pgtitle = "Services: Unbound DNS Forwarder: Access Lists"; +include("head.inc"); + +?> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php include("fbegin.inc"); ?> +<?php +if (!$savemsg) + $savemsg = ""; + +if ($input_errors) + print_input_errors($input_errors); +if ($savemsg) + print_info_box($savemsg); +?> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td class="tabnavtbl"> + <ul id="tabnav"> + <?php + $tab_array = array(); + $tab_array[] = array(gettext("Unbound DNS Settings"), false, "/pkg_edit.php?xml=unbound.xml&id=0"); + $tab_array[] = array(gettext("Unbound DNS Advanced Settings"), false, "/pkg_edit.php?xml=unbound_advanced.xml&id=0"); + $tab_array[] = array(gettext("Unbound DNS ACLs"), true, "/unbound_acls.php"); + $tab_array[] = array(gettext("Unbound DNS Status"), false, "/unbound_status.php"); + display_top_tabs($tab_array, true); + ?> + </ul> + </td> + </tr> + <tr> + <td class="tabcont"> + + <?php if($act=="new" || $act=="edit"): ?> + + <form action="unbound_acls.php" method="post" name="iform" id="iform" onsubmit="presubmit()"> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="top" class="listtopic"><?=gettext("General information"); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Disabled"); ?></td> + <td width="78%" class="vtable"> + <table border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> + <?php set_checked($pconfig['disable'],$chk); ?> + <input name="disable" type="checkbox" value="yes" <?=$chk;?>/> + </td> + <td> + + <span class="vexpl"> + <strong><?=gettext("Disable this Access List"); ?></strong><br> + </span> + </td> + </tr> + </table> + <?=gettext("Set this option to disable this access list without removing it from the list"); ?>. + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Server Mode");?></td> + <td width="78%" class="vtable"> + <select name='mode' id='mode' class="formselect" onchange='mode_change()'> + <?php + foreach ($openvpn_client_modes as $name => $desc): + $selected = ""; + if ($pconfig['mode'] == $name) + $selected = "selected"; + ?> + <option value="<?=$name;?>" <?=$selected;?>><?=$desc;?></option> + <?php endforeach; ?> + </select> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Protocol");?></td> + <td width="78%" class="vtable"> + <select name='protocol' class="formselect"> + <?php + foreach ($openvpn_prots as $prot): + $selected = ""; + if ($pconfig['protocol'] == $prot) + $selected = "selected"; + ?> + <option value="<?=$prot;?>" <?=$selected;?>><?=$prot;?></option> + <?php endforeach; ?> + </select> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Device mode");?></td> + <td width="78%" class="vtable"> + <select name='dev_mode' class="formselect"> + <?php + foreach ($openvpn_dev_mode as $mode): + $selected = ""; + if ($pconfig['dev_mode'] == $mode) + $selected = "selected"; + ?> + <option value="<?=$mode;?>" <?=$selected;?>><?=$mode;?></option> + <?php endforeach; ?> + </select> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Interface"); ?></td> + <td width="78%" class="vtable"> + <select name="interface" class="formselect"> + <?php + $interfaces = get_configured_interface_with_descr(); + $carplist = get_configured_carp_interface_list(); + foreach ($carplist as $cif => $carpip) + $interfaces[$cif.'|'.$carpip] = $carpip." (".get_vip_descr($carpip).")"; + $aliaslist = get_configured_ip_aliases_list(); + foreach ($aliaslist as $aliasip => $aliasif) + $interfaces[$aliasif.'|'.$aliasip] = $aliasip." (".get_vip_descr($aliasip).")"; + $interfaces['any'] = "any"; + foreach ($interfaces as $iface => $ifacename): + $selected = ""; + if ($iface == $pconfig['interface']) + $selected = "selected"; + ?> + <option value="<?=$iface;?>" <?=$selected;?>> + <?=htmlspecialchars($ifacename);?> + </option> + <?php endforeach; ?> + </select> <br> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("Local port");?></td> + <td width="78%" class="vtable"> + <input name="local_port" type="text" class="formfld unknown" size="5" value="<?=htmlspecialchars($pconfig['local_port']);?>"/> + <br/> + <?=gettext("Set this option if you would like to bind to a specific port. Leave this blank or enter 0 for a random dynamic port."); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Server host or address");?></td> + <td width="78%" class="vtable"> + <input name="server_addr" type="text" class="formfld unknown" size="30" value="<?=htmlspecialchars($pconfig['server_addr']);?>"/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Server port");?></td> + <td width="78%" class="vtable"> + <input name="server_port" type="text" class="formfld unknown" size="5" value="<?=htmlspecialchars($pconfig['server_port']);?>"/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("Proxy host or address");?></td> + <td width="78%" class="vtable"> + <input name="proxy_addr" type="text" class="formfld unknown" size="30" value="<?=htmlspecialchars($pconfig['proxy_addr']);?>"/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("Proxy port");?></td> + <td width="78%" class="vtable"> + <input name="proxy_port" type="text" class="formfld unknown" size="5" value="<?=htmlspecialchars($pconfig['proxy_port']);?>"/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("Proxy authentication extra options");?></td> + <td width="78%" class="vtable"> + <table border="0" cellpadding="2" cellspacing="0"> + <tr> + <td align="right" width="25%"> + <span class="vexpl"> + <?=gettext("Authentication method"); ?> : + </span> + </td> + <td> + <select name="proxy_authtype" id="proxy_authtype" class="formfld select" onChange="useproxy_changed()"> + <option value="none" <?php if ($pconfig['proxy_authtype'] == "none") echo "selected"; ?>><?=gettext("none"); ?></option> + <option value="basic" <?php if ($pconfig['proxy_authtype'] == "basic") echo "selected"; ?>><?=gettext("basic"); ?></option> + <option value="ntlm" <?php if ($pconfig['proxy_authtype'] == "ntlm") echo "selected"; ?>><?=gettext("ntlm"); ?></option> + </select> + </td> + </tr> + </table> + <br /> + <table border="0" cellpadding="2" cellspacing="0" id="proxy_authtype_opts" style="display:none"> + <tr> + <td align="right" width="25%"> + <span class="vexpl"> + <?=gettext("Username"); ?> : + </span> + </td> + <td> + <input name="proxy_user" id="proxy_user" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['proxy_user']);?>" /> + </td> + </tr> + <tr> + <td align="right" width="25%"> + <span class="vexpl"> + <?=gettext("Password"); ?> : + </span> + </td> + <td> + <input name="proxy_passwd" id="proxy_passwd" type="password" class="formfld pwd" size="20" value="<?=htmlspecialchars($pconfig['proxy_passwd']);?>" /> + </td> + </tr> + </table> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("Server host name resolution"); ?></td> + <td width="78%" class="vtable"> + <table border="0" cellpadding="2" cellspacing="0"> + <tr> + <td> + <?php set_checked($pconfig['resolve_retry'],$chk); ?> + <input name="resolve_retry" type="checkbox" value="yes" <?=$chk;?>> + </td> + <td> + <span class="vexpl"> + <?=gettext("Infinitely resolve server"); ?> + </span> + </td> + </tr> + </table> + <?=gettext("Continuously attempt to resolve the server host " . + "name. Useful when communicating with a server " . + "that is not permanently connected to the Internet"); ?>. + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("Description"); ?></td> + <td width="78%" class="vtable"> + <input name="description" type="text" class="formfld unknown" size="30" value="<?=htmlspecialchars($pconfig['description']);?>"> + <br> + <?=gettext("You may enter a description here for your reference (not parsed)"); ?>. + </td> + </tr> + <tr> + <td colspan="2" class="list" height="12"></td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic"><?=gettext("Cryptographic Settings"); ?></td> + </tr> + <tr id="tls"> + <td width="22%" valign="top" class="vncellreq"><?=gettext("TLS Authentication"); ?></td> + <td width="78%" class="vtable"> + <table border="0" cellpadding="2" cellspacing="0"> + <tr> + <td> + <?php set_checked($pconfig['tlsauth_enable'],$chk); ?> + <input name="tlsauth_enable" id="tlsauth_enable" type="checkbox" value="yes" <?=$chk;?> onClick="tlsauth_change()"> + </td> + <td> + <span class="vexpl"> + <?=gettext("Enable authentication of TLS packets"); ?>. + </span> + </td> + </tr> + </table> + <?php if (!$pconfig['tls']): ?> + <table border="0" cellpadding="2" cellspacing="0" id='tlsauth_opts'> + <tr> + <td> + <?php set_checked($pconfig['autotls_enable'],$chk); ?> + <input name="autotls_enable" id="autotls_enable" type="checkbox" value="yes" <?=$chk;?> onClick="autotls_change()"> + </td> + <td> + <span class="vexpl"> + <?=gettext("Automatically generate a shared TLS authentication key"); ?>. + </span> + </td> + </tr> + </table> + <?php endif; ?> + <table border="0" cellpadding="2" cellspacing="0" id='autotls_opts'> + <tr> + <td> + <textarea name="tls" cols="65" rows="7" class="formpre"><?=htmlspecialchars($pconfig['tls']);?></textarea> + <br/> + <?=gettext("Paste your shared key here"); ?>. + </td> + </tr> + </table> + </td> + </tr> + <tr id="tls_ca"> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Peer Certificate Authority"); ?></td> + <td width="78%" class="vtable"> + <?php if (count($a_ca)): ?> + <select name='caref' class="formselect"> + <?php + foreach ($a_ca as $ca): + $selected = ""; + if ($pconfig['caref'] == $ca['refid']) + $selected = "selected"; + ?> + <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['descr'];?></option> + <?php endforeach; ?> + </select> + <?php else: ?> + <b>No Certificate Authorities defined.</b> <br/>Create one under <a href="system_camanager.php">System > Cert Manager</a>. + <?php endif; ?> + </td> + </tr> + <tr id="tls_cert"> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Client Certificate"); ?></td> + <td width="78%" class="vtable"> + <?php if (count($a_cert)): ?> + <select name='certref' class="formselect"> + <?php + foreach ($a_cert as $cert): + $selected = ""; + $caname = ""; + $inuse = ""; + $revoked = ""; + $ca = lookup_ca($cert['caref']); + if ($ca) + $caname = " (CA: {$ca['descr']})"; + if ($pconfig['certref'] == $cert['refid']) + $selected = "selected"; + if (cert_in_use($cert['refid'])) + $inuse = " *In Use"; + if (is_cert_revoked($cert)) + $revoked = " *Revoked"; + ?> + <option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['descr'] . $caname . $inuse . $revoked;?></option> + <?php endforeach; ?> + </select> + <?php else: ?> + <b>No Certificates defined.</b> <br/>Create one under <a href="system_certmanager.php">System > Cert Manager</a>. + <?php endif; ?> + </td> + </tr> + <tr id="psk"> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Shared Key"); ?></td> + <td width="78%" class="vtable"> + <?php if (!$pconfig['shared_key']): ?> + <table border="0" cellpadding="2" cellspacing="0"> + <tr> + <td> + <?php set_checked($pconfig['autokey_enable'],$chk); ?> + <input name="autokey_enable" type="checkbox" value="yes" <?=$chk;?> onClick="autokey_change()"> + </td> + <td> + <span class="vexpl"> + <?=gettext("Automatically generate a shared key"); ?>. + </span> + </td> + </tr> + </table> + <?php endif; ?> + <table border="0" cellpadding="2" cellspacing="0" id='autokey_opts'> + <tr> + <td> + <textarea name="shared_key" cols="65" rows="7" class="formpre"><?=htmlspecialchars($pconfig['shared_key']);?></textarea> + <br/> + <?=gettext("Paste your shared key here"); ?>. + </td> + </tr> + </table> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Encryption algorithm"); ?></td> + <td width="78%" class="vtable"> + <select name="crypto" class="formselect"> + <?php + $cipherlist = openvpn_get_cipherlist(); + foreach ($cipherlist as $name => $desc): + $selected = ''; + if ($name == $pconfig['crypto']) + $selected = ' selected'; + ?> + <option value="<?=$name;?>"<?=$selected?>> + <?=htmlspecialchars($desc);?> + </option> + <?php endforeach; ?> + </select> + </td> + </tr> + <tr id="engine"> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Hardware Crypto"); ?></td> + <td width="78%" class="vtable"> + <select name="engine" class="formselect"> + <?php + $engines = openvpn_get_engines(); + foreach ($engines as $name => $desc): + $selected = ''; + if ($name == $pconfig['engine']) + $selected = ' selected'; + ?> + <option value="<?=$name;?>"<?=$selected?>> + <?=htmlspecialchars($desc);?> + </option> + <?php endforeach; ?> + </select> + </td> + </tr> + <tr> + <td colspan="2" class="list" height="12"></td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic"><?=gettext("Tunnel Settings"); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("Tunnel Network"); ?></td> + <td width="78%" class="vtable"> + <input name="tunnel_network" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['tunnel_network']);?>"> + <br> + <?=gettext("This is the virtual network used for private " . + "communications between this client and the " . + "server expressed using CIDR (eg. 10.0.8.0/24). " . + "The first network address is assumed to be the " . + "server address and the second network address " . + "will be assigned to the client virtual " . + "interface"); ?>. + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("Remote Network"); ?></td> + <td width="78%" class="vtable"> + <input name="remote_network" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['remote_network']);?>"> + <br> + <?=gettext("This is a network that will be routed through " . + "the tunnel, so that a site-to-site VPN can be " . + "established without manually changing the " . + "routing tables. Expressed as a CIDR range. If " . + "this is a site-to-site VPN, enter here the " . + "remote LAN here. You may leave this blank to " . + "only communicate with other clients"); ?>. + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("Limit outgoing bandwidth");?></td> + <td width="78%" class="vtable"> + <input name="use_shaper" type="text" class="formfld unknown" size="5" value="<?=htmlspecialchars($pconfig['use_shaper']);?>"/> + <br/> + <?=gettext("Maximum outgoing bandwidth for this tunnel. " . + "Leave empty for no limit. The input value has " . + "to be something between 100 bytes/sec and 100 " . + "Mbytes/sec (entered as bytes per second)"); ?>. + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("Compression"); ?></td> + <td width="78%" class="vtable"> + <table border="0" cellpadding="2" cellspacing="0"> + <tr> + <td> + <?php set_checked($pconfig['compression'],$chk); ?> + <input name="compression" type="checkbox" value="yes" <?=$chk;?>> + </td> + <td> + <span class="vexpl"> + <?=gettext("Compress tunnel packets using the LZO algorithm"); ?>. + </span> + </td> + </tr> + </table> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("Type-of-Service"); ?></td> + <td width="78%" class="vtable"> + <table border="0" cellpadding="2" cellspacing="0"> + <tr> + <td> + <?php set_checked($pconfig['passtos'],$chk); ?> + <input name="passtos" type="checkbox" value="yes" <?=$chk;?>> + </td> + <td> + <span class="vexpl"> + <?=gettext("Set the TOS IP header value of tunnel packets to match the encapsulated packet value"); ?>. + </span> + </td> + </tr> + </table> + </td> + </tr> + <tr> + <td colspan="2" class="list" height="12"></td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic"><?=gettext("Advanced configuration"); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("Advanced"); ?></td> + <td width="78%" class="vtable"> + <table border="0" cellpadding="2" cellspacing="0"> + <tr> + <td> + <textarea rows="6" cols="78" name="custom_options" id="custom_options"><?=htmlspecialchars($pconfig['custom_options']);?></textarea><br/> + <?=gettext("Enter any additional options you would like to add to the OpenVPN client configuration here, separated by a semicolon"); ?><br/> + <?=gettext("EXAMPLE: route 10.0.0.0 255.255.255.0;"); ?> + </td> + </tr> + </table> + </td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"> + <input name="save" type="submit" class="formbtn" value="<?=gettext("Save"); ?>"> + <input name="act" type="hidden" value="<?=$act;?>"> + <?php if (isset($id) && $a_client[$id]): ?> + <input name="id" type="hidden" value="<?=$id;?>"> + <?php endif; ?> + </td> + </tr> + </table> + </form> + + <?php else: ?> + + <table class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> + <thead> + <tr> + <td width="25%" class="listhdrr"><?=gettext("Access List Name"); ?></td> + <td width="25%" class="listhdrr"><?=gettext("Action"); ?></td> + <td width="40%" class="listhdrr"><?=gettext("Description"); ?></td> + <td width="10%" class="list"></td> + </tr> + </thead> + <tbody> + <?php + $i = 0; + foreach($a_acls as $acl): + $disabled = "NO"; + if (isset($client['disable'])) + $disabled = "YES"; + $server = "{$client['server_addr']}:{$client['server_port']}"; + ?> + <tr ondblclick="document.location='unbound_acls.php?act=edit&id=<?=$i;?>'"> + <td class="listlr"> + <?=$disabled;?> + </td> + <td class="listr"> + <?=htmlspecialchars($client['protocol']);?> + </td> + <td class="listr"> + <?=htmlspecialchars($server);?> + </td> + <td class="listbg"> + <?=htmlspecialchars($client['description']);?> + </td> + <td valign="middle" nowrap class="list"> + <a href="unbound_acls.php?act=edit&id=<?=$i;?>"> + <img src="./themes/<?=$g['theme'];?>/images/icons/icon_e.gif" title="<?=gettext("edit client"); ?>" width="17" height="17" border="0"> + </a> + + <a href="unbound_acls.php?act=del&id=<?=$i;?>" onclick="return confirm('<?=gettext("Do you really want to delete this client?"); ?>')"> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" title="<?=gettext("delete client"); ?>" width="17" height="17" border="0"> + </a> + </td> + </tr> + <?php + $i++; + endforeach; + ?> + </tbody> + <tfoot> + <tr> + <td class="list" colspan="4"></td> + <td class="list"> + <a href="unbound_acls.php?act=new"><img src="./themes/<?=$g['theme'];?>/images/icons/icon_plus.gif" title="<?=gettext("add client"); ?>" width="17" height="17" border="0"> + </a> + </td> + </tr> + <tr> + <td colspan="4"> + <p> + <?=gettext("Access Lists to control access to Unbound can be defined here.");?> + </p> + </td> + </tr> + </tfoot> + </table> + + <?php endif; ?> + + </td> + </tr> +</table> +<script language="JavaScript"> +<!-- +mode_change(); +autokey_change(); +//--> +</script> +</body> +<?php include("fend.inc"); ?> + +<?php + +/* local utility functions */ + +function set_checked($var,& $chk) { + if($var) + $chk = 'checked'; + else + $chk = ''; +} + +?>
\ No newline at end of file diff --git a/config/unbound/unbound_acls_edit.php b/config/unbound/unbound_acls_edit.php new file mode 100644 index 00000000..db1f9bdb --- /dev/null +++ b/config/unbound/unbound_acls_edit.php @@ -0,0 +1,277 @@ +<?php +/* $Id$ */ +/* + unbound_acls_edit.php + part of pfSense (http://www.pfsense.com) + Copyright (C) 2011 Warren Baker (warren@decoy.co.za) + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['installedpackages']['unboundacls']['config'])) { + $config['installedpackages']['unboundacls']['config'] = array(); +} + +$a_acl = &$config['installedpackages']['unboundacls']['config']; + +$id = $_GET['id']; +if (is_numeric($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_acl[$id]) { + + if (!isset($a_acl[$id]['aclaction'])) + $pconfig['aclaction'] = "allow"; + else + $pconfig['aclaction'] = $a_acl[$id]['aclaction']; + + $pconfig['descr'] = $a_acl[$id]['descr']; + +} else { + /* defaults */ + $pconfig['aclaction'] = "allow"; +} + +if ($_POST) { + + print_r($_POST); + exit; + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "src"); + $reqdfieldsn = explode(",", "Source"); + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if ($pconfig['ipprotocol'] == "inet") { + if(!is_ipaddr($pconfig['inetsrc'])) + $input_errors[] = gettext("You must enter a valid IPv4 IP address."); + } else { + if(!is_ipaddrv6($pconfig['inet6src'])) + $input_errors[] = gettext("You must enter a valid IPv6 IP address."); + } + + + if (!$input_errors) { + $aclent = array(); + $aclent['aclaction'] = $_POST['aclaction']; + + if ($pconfig['ipprotocol'] == "inet") { + $aclent['acl_network'] = $_POST['inetsrc']."/".$_POST['inetsrcmask']; + + } else { + $aclent['acl_network'] = $_POST['inet6src']."/".$_POST['inet6srcmask']; + + } + strncpy($aclent['descr'], $_POST['descr'], 52); + + + if ($_POST['disabled']) + $aclent['disabled'] = true; + else + unset($aclent['disabled']); + + + + if (isset($id) && $a_acl[$id]) + $a_acl[$id] = $aclent; + else { + if (is_numeric($after)) + array_splice($a_acl, $after+1, 0, array($aclent)); + else + $a_acl[] = $aclent; + } + + write_config(); + + header("Location: unbound_acls.php"); + exit; + } +} + +$pgtitle = array(gettext("Services"),gettext("Unbound ACLs"),gettext("Edit")); +$statusurl = "unbound_status.php"; +$logurl = "diag_pkglogs.php?pkg=Unbound"; + +$page_filename = "unbound_acls_edit.php"; +include("head.inc"); + +?> +<script type="text/javascript" language="javascript" src="/javascript/row_helper_dynamic.js"> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC" onload="Effect.Appear('inet', { duration : 0.5 });"> +<script language="JavaScript"> +function doFade( optionValue ) +{ + switch( optionValue ) + { + case "inet" : + Effect.Appear('IPV4',{ duration: 0.5 }); + Effect.Fade('IPV6', { duration: 0.1 }); + break; + + case "inet6" : + Effect.Appear('IPV6',{ duration: 0.5 }); + Effect.Fade('IPV4', { duration: 0.1 }); + break; + + } +} +</script> + +<?php include("fbegin.inc"); ?> +<?php if ($input_errors) print_input_errors($input_errors); ?> + +<form action="unbound_acls_edit.php" method="post" name="iform" id="iform"> +<input type='hidden' name="aclid" value="<?=(isset($pconfig['aclid']) && $pconfig['aclid']>0)?htmlspecialchars($pconfig['aclid']):''?>"> + + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="top" class="listtopic"><?=gettext("Edit ACL");?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Action");?></td> + <td width="78%" class="vtable"> + <select name="aclaction" class="formselect"> + <?php $types = explode(",", "Deny,Refuse,Allow,Allow Snoop"); foreach ($types as $type): ?> + <option value="<?=strtolower($type);?>" <?php if (strtolower($type) == strtolower($pconfig['type'])) echo "selected"; ?>> + <?=htmlspecialchars($type);?> + </option> + <?php endforeach; ?> + </select> + <br/> + <span class="vexpl"> + <?=gettext("Choose what to do with DNS requests that match the criteria specified below.");?> <br/> + <?=gettext("<b>Deny:</b> This actions stops queries from hosts within the netblock defined below.");?> <br/> + <?=gettext("<b>Refuse:</b> This actions also stops queries from hosts within the netblock defined below, but sends back DNS rcode REFUSED error message back tot eh client.");?> <br/> + <?=gettext("<b>Allow:</b> This actions allows queries from hosts within the netblock defined below.");?> <br/> + <?=gettext("<b>Allow Snoop:</b> This actions allows recursive and nonrecursive access from hosts within the netblock defined below. Used for cache snooping and ideally should only be configured for your administrative host.");?> <br/> + </span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Disabled");?></td> + <td width="78%" class="vtable"> + <input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>> + <strong><?=gettext("Disable this ACL");?></strong><br /> + <span class="vexpl"><?=gettext("Set this option to disable this ACL without removing it from the list.");?></span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq"><?=gettext("TCP/IP Version");?></td> + <td width="78%" class="vtable"> + <select name="ipprotocol" class="formselect" onchange="doFade( this.value )"> + <?php $ipproto = array('inet' => 'IPv4','inet6' => 'IPv6'); + foreach ($ipproto as $proto => $name): ?> + <option value="<?=$proto;?>" + <?php if ($proto == $pconfig['ipprotocol']): ?> + selected="selected" + <?php endif; ?> + ><?=$name;?></option> + <?php endforeach; ?> + </select> + <strong><?=gettext("Select the Internet Protocol version this rule applies to");?></strong><br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq"><?=gettext("Networks");?></td> + <td width="78%" class="vtable"> + <script type="text/javascript" language='javascript'> + <!-- + rowname[0] = "acl_network"; + rowtype[0] = "input"; + rowname[1] = "mask"; + rowtype[1] = "select"; + --> + </script> + + <table border="0" cellspacing="0" cellpadding="0" id="IPV4"> + <tr> + <td> <?=gettext("Network");?></td> + <td> <?=gettext("CIDR");?></td> + </tr> + <tr> + <td><input name="src" type="text" id="src" size="20" value="<?php echo htmlspecialchars($pconfig['src']);?>"> / </td> + <td> + <select name="srcmask" class="formselect" id="srcmask"> +<?php for ($i = 31; $i > 0; $i--): ?> + <option value="<?=$i;?>" <?php if ($i == $pconfig['srcmask']) echo "selected"; ?>><?=$i;?></option> +<?php endfor; ?> + </select> + </td> + </tr> + </table> + + <table border="0" cellspacing="0" cellpadding="0" id="IPV6"> + <tr> + <td><?=gettext("Type:");?> </td> + <td> + <select name="inet6srctype" class="formselect" onChange="typeselinet6_change()"> + <option value="network"><?=gettext("Network");?></option> + </select> + </td> + </tr> + <tr> + <td><?=gettext("Network:");?> </td> + <td> + <input autocomplete='off' name="inet6src" type="text" id="inet6src" size="20" value="<?php echo htmlspecialchars($pconfig['inet6src']);?>"> / + <select name="inet6srcmask" class="formselect" id="inet6srcmask"> + <?php for ($i = 128; $i > 0; $i--): ?> + <option value="<?=$i;?>" <?php if ($i == $pconfig['inet6srcmask']) echo "selected"; ?>><?=$i;?></option> + <?php endfor; ?> + </select> + </td> + </tr> + </table> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("Description");?></td> + <td width="78%" class="vtable"> + <input name="descr" type="text" class="formfld unknown" id="descr" size="52" maxlength="52" value="<?=htmlspecialchars($pconfig['descr']);?>"> + <br /> + <span class="vexpl"><?=gettext("You may enter a description here for your reference.");?></span> + </td> + </tr> + <tr> + <td> </td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"> + <br> + <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>"> <input type="button" class="formbtn" value="<?=gettext("Cancel"); ?>" onclick="history.back()"> +<?php if (isset($id) && $a_filter[$id]): ?> + <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>"> +<?php endif; ?> + <input name="after" type="hidden" value="<?=htmlspecialchars($after);?>"> + </td> + </tr> + </table> +</form> +<?php include("fend.inc"); ?> +</body> +</html> |