aboutsummaryrefslogtreecommitdiffstats
path: root/packages
diff options
context:
space:
mode:
authorSeth Mos <seth.mos@xs4all.nl>2007-01-17 09:49:51 +0000
committerSeth Mos <seth.mos@xs4all.nl>2007-01-17 09:49:51 +0000
commit5fbe459e2ba938aa7a0235bf118adf1bad8592e7 (patch)
tree5169e6e9c5da7047a7e7092be7d2061a2b92e067 /packages
parent222073c445f094e20afedd2bc6c5031cf0d9fff2 (diff)
downloadpfsense-packages-5fbe459e2ba938aa7a0235bf118adf1bad8592e7.tar.gz
pfsense-packages-5fbe459e2ba938aa7a0235bf118adf1bad8592e7.tar.bz2
pfsense-packages-5fbe459e2ba938aa7a0235bf118adf1bad8592e7.zip
Bump version to p12
********* NOTE: the format for the white,black,nac,donotcache,banned and unrestricted fields has changed! ********* * fields now use newlines instead of csv so it is easier to import white and blacklists. * fix acl creation and ordering.
Diffstat (limited to 'packages')
-rw-r--r--packages/squid/squid.inc75
-rw-r--r--packages/squid/squid.xml3
-rw-r--r--packages/squid/squid_auth.xml3
-rw-r--r--packages/squid/squid_cache.xml3
-rw-r--r--packages/squid/squid_nac.xml15
5 files changed, 60 insertions, 39 deletions
diff --git a/packages/squid/squid.inc b/packages/squid/squid.inc
index 5b9b9156..1fb343ab 100644
--- a/packages/squid/squid.inc
+++ b/packages/squid/squid.inc
@@ -47,7 +47,7 @@ function squid_get_real_interface_address($iface) {
$iface = convert_friendly_interface_to_real_interface_name($iface);
$line = trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6"));
- list($dummy, $ip, $dummy2, $netmask) = explode(' ', $line);
+ list($dummy, $ip, $dummy2, $netmask) = explode(" ", $line);
return array($ip, long2ip(hexdec($netmask)));
}
@@ -182,7 +182,7 @@ function squid_before_form_general($pkg) {
array_shift($values);
$name = array();
foreach ($values as $value)
- $names[] = implode(' ', explode('_', $value));
+ $names[] = implode(" ", explode("_", $value));
$i = 0;
foreach ($pkg['fields']['field'] as $field) {
@@ -258,7 +258,7 @@ function squid_validate_cache($post, $input_errors) {
$input_errors[] = 'You must enter a valid value for \'Minimum object size\'';
if ($post['donotcache'] != "") {
- foreach (explode(',', $post['donotcache']) as $host) {
+ foreach (split("\n", $post['donotcache']) as $host) {
$host = trim($host);
if (!is_ipaddr($host) && !is_domain($host))
$input_errors[] = "The host '$host' is not a valid IP or host name";
@@ -270,7 +270,7 @@ function squid_validate_cache($post, $input_errors) {
}
function squid_validate_nac($post, $input_errors) {
- $allowed_subnets = explode(',', trim($post['allowed_subnets']));
+ $allowed_subnets = explode("\n", $post['allowed_subnets']);
foreach ($allowed_subnets as $subnet) {
$subnet = trim($subnet);
if (!empty($subnet) && !is_subnet($subnet))
@@ -278,7 +278,7 @@ function squid_validate_nac($post, $input_errors) {
}
foreach (array( 'unrestricted_hosts', 'banned_hosts') as $hosts) {
- foreach (explode(',', $post[$hosts]) as $host) {
+ foreach (explode("\n", $post[$hosts]) as $host) {
$host = trim($host);
if (!empty($host) && !is_ipaddr($host))
$input_errors[] = "The host '$host' is not a valid IP address";
@@ -286,14 +286,14 @@ function squid_validate_nac($post, $input_errors) {
}
foreach (array('unrestricted_macs', 'banned_macs') as $macs) {
- foreach (explode(',', $post[$macs]) as $mac) {
+ foreach (explode("\n", $post[$macs]) as $mac) {
$mac = trim($mac);
if (!empty($mac) && !is_macaddr($mac))
$input_errors[] = "The mac '$mac' is not a valid MAC address";
}
}
- foreach (explode(',', $post['timelist']) as $time) {
+ foreach (explode(",", $post['timelist']) as $time) {
$time = trim($time);
if (!empty($time) && !squid_is_timerange($time))
$input_errors[] = "The time range '$time' is not a valid time range";
@@ -349,14 +349,14 @@ function squid_validate_auth($post, $input_errors) {
$input_errors[] = 'The field \'RADIUS secret\' is required';
break;
case 'msnt':
- foreach (explode(',', trim($post['msnt_secondary'])) as $server) {
+ foreach (explode(",", trim($post['msnt_secondary'])) as $server) {
if (!empty($server) && !is_ipaddr($server) && !is_domain($server))
$input_errors[] = "The host '$server' is not a valid IP address or domain name";
}
break;
}
- $no_auth = explode(',', trim($post['no_auth_hosts']));
+ $no_auth = explode("\n", $post['no_auth_hosts']);
foreach ($no_auth as $host) {
$host = trim($host);
if (!empty($host) && !is_subnet($host))
@@ -375,14 +375,14 @@ function squid_resync_general() {
$port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
$ifaces = ($settings['active_interface'] ? $settings['active_interface'] : 'lan');
$real_ifaces = array();
- foreach (explode(',', $ifaces) as $i => $iface) {
+ foreach (explode(",", $ifaces) as $i => $iface) {
$real_ifaces[] = squid_get_real_interface_address($iface);
if($real_ifaces[$i][0]) {
if (($settings['transparent_proxy'] == 'on')) {
$conf .= "http_port 127.0.0.1:80 transparent\n";
}
} else {
- foreach (explode(',', $ifaces) as $i => $iface) {
+ foreach (explode(",", $ifaces) as $i => $iface) {
$real_ifaces[] = squid_get_real_interface_address($iface);
if($real_ifaces[$i][0]) {
$conf .= "http_port {$real_ifaces[$i][0]}:$port\n";
@@ -461,7 +461,7 @@ offline_mode $offline_mode
EOD;
- $donotcache = trim(implode("\n", array_map('trim', explode(',', $settings['donotcache']))));
+ $donotcache = base64_decode($settings['donotcache']);
if (!empty($donotcache)) {
file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache);
$conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n";
@@ -520,7 +520,14 @@ acl dynamic urlpath_regex cgi-bin \?
EOD;
- $allowed = implode(' ', array_map('trim', explode(',', $settings['allowed_subnets'])));
+ $allowed_subnets = explode("\n", base64_decode($settings['allowed_subnets']));
+ $allowed = "";
+ foreach ($allowed_subnets as $subnet) {
+ if(!empty($subnet)) {
+ $subnet = trim($subnet);
+ $allowed .= "$subnet ";
+ }
+ }
if (!empty($allowed)) {
$conf .= "acl allowed_subnets src $allowed\n";
$valid_acls[] = 'allowed_subnets';
@@ -532,7 +539,7 @@ EOD;
'blacklist' => 'dstdom_regex -i',
);
foreach ($options as $option => $directive) {
- $contents = trim(implode("\n", array_map('trim', explode(',', $settings[$option]))));
+ $contents = base64_decode($settings[$option]);
if (!empty($contents)) {
file_put_contents(SQUID_ACLDIR . "/$option.acl", $contents);
$conf .= "acl $option $directive \"" . SQUID_ACLDIR . "/$option.acl\"\n";
@@ -607,10 +614,10 @@ EOD;
'throttle_cdimages' => $cdimages,
'throttle_multimedia' => $multimedia) as $field => $set) {
if ($settings[$field] == 'on')
- $exts = array_merge($exts, explode(',', $set));
+ $exts = array_merge($exts, explode(",", $set));
}
- foreach (explode(',', $settings['throttle_others']) as $ext) {
+ foreach (explode(",", $settings['throttle_others']) as $ext) {
if (!empty($ext)) $exts[] = $ext;
}
@@ -634,60 +641,66 @@ function squid_resync_auth() {
global $config, $valid_acls;
$settings = $config['installedpackages']['squidauth']['config'][0];
+ $settingsnac = $config['installedpackages']['squidnac']['config'][0];
$settingsconfig = $config['installedpackages']['squid']['config'][0];
$conf = '';
// Deny the banned guys before allowing the good guys
- $banned = array('banned_hosts');
- $banned = array_filter($banned, 'squid_is_valid_acl');
- foreach ($banned as $acl) {
- if(! empty($settings[$banned])) {
- $conf .= "http_access deny $acl\n";
+ if(! empty($settingsnac['banned_hosts'])) {
+ if (squid_is_valid_acl('banned_hosts')) {
+ $conf .= "# These hosts are banned\n";
+ $conf .= "http_access deny banned_hosts\n";
+ }
+ }
+ if(! empty($settingsnac['banned_macs'])) {
+ if (squid_is_valid_acl('banned_macs')) {
+ $conf .= "# These macs are banned\n";
+ $conf .= "http_access deny banned_macs\n";
}
}
// Unrestricted hosts take precendence over blacklist
- if(! empty($settings['unrestricted_hosts'])) {
+ if(! empty($settingsnac['unrestricted_hosts'])) {
if (squid_is_valid_acl('unrestricted_hosts')) {
$conf .= "# These hosts do not have any restrictions\n";
$conf .= "http_access allow unrestricted_hosts\n";
}
}
- if(! empty($settings['unrestricted_macs'])) {
+ if(! empty($settingsnac['unrestricted_macs'])) {
if (squid_is_valid_acl('unrestricted_macs')) {
$conf .= "# These hosts do not have any restrictions\n";
$conf .= "http_access allow unrestricted_macs\n";
}
}
- // Whitelist and blacklist also take precendence
- if(! empty($settings['whitelist'])) {
+ // Whitelist and blacklist also take precendence over other allow rules
+ if(! empty($settingsnac['whitelist'])) {
if (squid_is_valid_acl('whitelist')) {
$conf .= "# Always allow access to whitelist domains\n";
$conf .= "http_access allow whitelist\n";
}
}
- if(! empty($settings['blacklist'])) {
+ if(! empty($settingsnac['blacklist'])) {
if (squid_is_valid_acl('blacklist')) {
$conf .= "# Block access to blacklist domains\n";
$conf .= "http_access deny blacklist\n";
}
}
- $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on');
+ $transparent_proxy = ($settingsconfig['transparent_proxy'] == 'on');
$auth_method = (($settings['auth_method'] && !$transparent_proxy) ? $settings['auth_method'] : 'none');
// Allow the remaining ACLs if no authentication is set
if ($auth_method == 'none') {
if ($settingsconfig['allow_interface'] == 'on') {
+ $conf .= "# Allow local network(s) on interface(s)\n";
$allowed = array('localnet', 'allowed_subnets');
$allowed = array_filter($allowed, 'squid_is_valid_acl');
foreach ($allowed as $acl)
- $conf .= "# Allow local network(s) on interface(s)\n";
$conf .= "http_access allow $acl\n";
}
}
else {
- $noauth = implode(' ', array_map('trim', explode(',', $settings['no_auth_hosts'])));
+ $noauth = implode(' ', explode("\n", base64_decode($settings['no_auth_hosts'])));
if (!empty($noauth)) {
$conf .= "acl noauth src $noauth\n";
$valid_acls[] = 'noauth';
@@ -724,7 +737,7 @@ EOD;
// Onto the ACLs
$password = array('localnet', 'allowed_subnets');
- $passwordless = array('unrestricted_hosts', 'unrestricted_macs');
+ $passwordless = array('unrestricted_hosts');
if ($settings['unrestricted_auth'] == 'on') {
// Even the unrestricted hosts should authenticate
$password = array_merge($password, $passwordless);
@@ -924,7 +937,7 @@ function squid_generate_rules($type) {
return;
}
- $ifaces = explode(',', $squid_conf['active_interface']);
+ $ifaces = explode(",", $squid_conf['active_interface']);
$ifaces = array_map('convert_friendly_interface_to_real_interface_name', $ifaces);
$port = ($squid_conf['proxy_port'] ? $squid_conf['proxy_port'] : 3128);
diff --git a/packages/squid/squid.xml b/packages/squid/squid.xml
index a1c46fee..5ebbfd10 100644
--- a/packages/squid/squid.xml
+++ b/packages/squid/squid.xml
@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<packagegui>
<name>squid</name>
- <version>2.6.5_1-p11</version>
+ <version>2.6.5_1-p12</version>
<include_file>/usr/local/pkg/squid.inc</include_file>
<!-- Installation -->
<additional_files_needed>
@@ -115,6 +115,7 @@
<fieldname>log_dir</fieldname>
<fielddescr>Log store directory</fielddescr>
<description>The directory where the log will be stored (note: do not end with a / mark)</description>
+ <required/>
<type>input</type>
<size>60</size>
<default_value>/var/squid/log</default_value>
diff --git a/packages/squid/squid_auth.xml b/packages/squid/squid_auth.xml
index 9367231d..2f20d755 100644
--- a/packages/squid/squid_auth.xml
+++ b/packages/squid/squid_auth.xml
@@ -132,8 +132,9 @@
<field>
<fieldname>no_auth_hosts</fieldname>
<fielddescr>Subnets that don't need authentication</fielddescr>
- <description>A comma-separated list of subnets (in CIDR range, e.g.: 10.5.0.0/16, 192.168.1.50/32) whose hosts won't be asked for authentication to access the proxy.</description>
+ <description>Enter each subnet or IP address on a new line (in CIDR format, e.g.: 10.5.0.0/16, 192.168.1.50/32) that should not be asked for authentication to access the proxy.</description>
<type>textarea</type>
+ <encoding>base64</encoding>
<rows>5</rows>
<cols>50</cols>
</field>
diff --git a/packages/squid/squid_cache.xml b/packages/squid/squid_cache.xml
index ee5db606..b13409f6 100644
--- a/packages/squid/squid_cache.xml
+++ b/packages/squid/squid_cache.xml
@@ -121,8 +121,9 @@
<field>
<fielddescr>Do not cache</fielddescr>
<fieldname>donotcache</fieldname>
- <description>The specified domains or IP addresses (separated by commas) will never be cached.</description>
+ <description>Enter each domain or IP address on a new line that should never be cached.</description>
<type>textarea</type>
+ <encoding>base64</encoding>
<rows>5</rows>
<cols>50</cols>
</field>
diff --git a/packages/squid/squid_nac.xml b/packages/squid/squid_nac.xml
index 9b6268ee..0d5128b8 100644
--- a/packages/squid/squid_nac.xml
+++ b/packages/squid/squid_nac.xml
@@ -38,40 +38,45 @@
<field>
<fieldname>allowed_subnets</fieldname>
<fielddescr>Allowed subnets</fielddescr>
- <description>Those are the subnets (separated by commas) that are allowed to use the proxy. The subnets must be expressed as CIDR ranges (e.g.: 192.168.1.0/24). Note that the proxy interface subnet is already an allowed subnet. All the other subnets won't be able to use the proxy.</description>
+ <description>Enter each subnet on a new line that is allowed to use the proxy. The subnets must be expressed as CIDR ranges (e.g.: 192.168.1.0/24). Note that the proxy interface subnet is already an allowed subnet. All the other subnets won't be able to use the proxy.</description>
<type>textarea</type>
+ <encoding>base64</encoding>
<rows>5</rows>
<cols>50</cols>
</field>
<field>
<fieldname>unrestricted_hosts</fieldname>
<fielddescr>Unrestricted IPs</fielddescr>
- <description>The IP addresses specified here (separated by commas) won't be filtered out by the other access control directives set in this page.</description>
+ <description>Enter each unrestricted IP address on a new line that is not to be filtered out by the other access control directives set in this page.</description>
<type>textarea</type>
+ <encoding>base64</encoding>
<rows>5</rows>
<cols>50</cols>
</field>
<field>
<fieldname>banned_hosts</fieldname>
<fielddescr>Banned host addresses</fielddescr>
- <description>The IP addresses specified here (separated by commas) won't be allowed to use the proxy.</description>
+ <description>Enter each IP address on a new line that is not to be allowed to use the proxy.</description>
<type>textarea</type>
+ <encoding>base64</encoding>
<rows>5</rows>
<cols>50</cols>
</field>
<field>
<fieldname>whitelist</fieldname>
<fielddescr>Whitelist</fielddescr>
- <description>Those are the destination domains (separated by commas) that will be accessable to the users that are allowed to use the proxy.</description>
+ <description>Enter each destination domain on a new line that will be accessable to the users that are allowed to use the proxy.</description>
<type>textarea</type>
+ <encoding>base64</encoding>
<rows>5</rows>
<cols>50</cols>
</field>
<field>
<fieldname>blacklist</fieldname>
<fielddescr>Blacklist</fielddescr>
- <description>Those are the destination domains (separated by commas) that will be blocked to the users that are allowed to use the proxy.</description>
+ <description>Enter each destination domain on a new line that will be blocked to the users that are allowed to use the proxy.</description>
<type>textarea</type>
+ <encoding>base64</encoding>
<rows>5</rows>
<cols>50</cols>
</field>