diff options
| -rw-r--r-- | config/freeradius2/freeradius.inc | 122 | ||||
| -rw-r--r-- | config/freeradius2/freeradiusclients.xml | 12 | ||||
| -rw-r--r-- | config/haproxy/haproxy.inc | 13 | ||||
| -rw-r--r-- | config/haproxy/haproxy.xml | 3 | ||||
| -rwxr-xr-x | config/haproxy/haproxy_global.php | 2 | ||||
| -rw-r--r-- | config/mailreport/mail_reports.inc | 2 | ||||
| -rw-r--r-- | config/tinydns/tinydns_status.php | 6 |
7 files changed, 96 insertions, 64 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index a5f8d15f..ac65ed88 100644 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -56,26 +56,15 @@ function freeradius_deinstall_command() { function freeradius_install_command() { global $config; conf_mount_rw(); - /* - $handle = opendir(RADDB); - while (false != ($file = readdir($handle))) { - if (false != ($pos = strpos($file, '.sample'))) { - $newfile = substr($file, 0, $pos); - if (copy(RADDB . "/$file", RADDB . "/$newfile")) - unlink(RADDB . "/$file"); - } - } - closedir($handle); - */ // We create here different folders for different counters. - exec("chown -R root:wheel /usr/local/etc/raddb"); + if (!file_exists("/var/log/radacct/datacounter/")) { exec("mkdir /var/log/radacct/datacounter && mkdir /var/log/radacct/datacounter/daily && mkdir /var/log/radacct/datacounter/weekly && mkdir /var/log/radacct/datacounter/monthly && mkdir /var/log/radacct/datacounter/forever"); } + if (!file_exists("/var/log/radacct/timecounter/")) { exec("mkdir /var/log/radacct/timecounter"); } + exec("mkdir /usr/local/etc/raddb/scripts"); - exec("chown -R root:wheel /usr/local/lib/freeradius-2.1.12"); - exec("touch /var/log/radutmp && touch /var/log/radwtmp"); - exec("mkdir /var/log/radacct/datacounter/daily" && "mkdir /var/log/radacct/datacounter/weekly" && "mkdir /var/log/radacct/datacounter/monthly" && "mkdir /var/log/radacct/datacounter/forever"); - exec("mkdir /var/log/radacct/timecounter"); - exec("chown -R root:wheel /var/log"); + if (!file_exists("/var/log/radutmp")) { exec("touch /var/log/radutmp"); } + if (!file_exists("/var/log/radwtmp")) { exec("touch /var/log/radwtmp"); } + exec("chown -R root:wheel /usr/local/etc/raddb && chown -R root:wheel /usr/local/lib/freeradius-2.1.12 && chown -R root:wheel /var/log/radacct"); // creating a backup file of the original policy.conf no matter if user checked this or not if (!file_exists("/usr/local/etc/raddb/policy.conf.backup")) { @@ -94,37 +83,38 @@ function freeradius_install_command() { if (file_exists("/usr/local/etc/raddb/sites-enabled/inner-tunnel")) { unlink("/usr/local/etc/raddb/sites-enabled/inner-tunnel"); } // We need some additional files in /usr/local/lib for the LDAP module. We fetch these files dependent on the architecture. - // For i386 systems - if (exec("uname -m") == "i386") { - exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libasn1.so.10"); - exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libgssapi.so.10"); - exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libheimntlm.so.10"); - exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libhx509.so.10"); - exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libkrb5.so.10"); - exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libroken.so.10"); - exec("chmod 0755 /usr/local/lib/libasn1.so.10"); - exec("chmod 0755 /usr/local/lib/libgssapi.so.10"); - exec("chmod 0755 /usr/local/lib/libheimntlm.so.10"); - exec("chmod 0755 /usr/local/lib/libhx509.so.10"); - exec("chmod 0755 /usr/local/lib/ldd/libkrb5.so.10"); - exec("chmod 0755 /usr/local/lib/libroken.so.10"); - } - // For amd64 systems - else { - exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libasn1.so.10"); - exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libgssapi.so.10"); - exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libheimntlm.so.10"); - exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libhx509.so.10"); - exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libkrb5.so.10"); - exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libroken.so.10"); - exec("chmod 0755 /usr/local/lib/libasn1.so.10"); - exec("chmod 0755 /usr/local/lib/libgssapi.so.10"); - exec("chmod 0755 /usr/local/lib/libheimntlm.so.10"); - exec("chmod 0755 /usr/local/lib/libhx509.so.10"); - exec("chmod 0755 /usr/local/lib/ldd/libkrb5.so.10"); - exec("chmod 0755 /usr/local/lib/libroken.so.10"); + if (!file_exists("/usr/local/lib/libasn1.so.10") || !file_exists("/usr/local/lib/libgssapi.so.10") || !file_exists("/usr/local/lib/libheimntlm.so.10") || !file_exists("/usr/local/lib/libhx509.so.10") || !file_exists("/usr/local/lib/ldd/libkrb5.so.10") || !file_exists("/usr/local/lib/libroken.so.10")) { + // For i386 systems + if (exec("uname -m") == "i386") { + exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libasn1.so.10"); + exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libgssapi.so.10"); + exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libheimntlm.so.10"); + exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libhx509.so.10"); + exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libkrb5.so.10"); + exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libroken.so.10"); + exec("chmod 0755 /usr/local/lib/libasn1.so.10"); + exec("chmod 0755 /usr/local/lib/libgssapi.so.10"); + exec("chmod 0755 /usr/local/lib/libheimntlm.so.10"); + exec("chmod 0755 /usr/local/lib/libhx509.so.10"); + exec("chmod 0755 /usr/local/lib/ldd/libkrb5.so.10"); + exec("chmod 0755 /usr/local/lib/libroken.so.10"); + } + // For amd64 systems + else { + exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libasn1.so.10"); + exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libgssapi.so.10"); + exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libheimntlm.so.10"); + exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libhx509.so.10"); + exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libkrb5.so.10"); + exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libroken.so.10"); + exec("chmod 0755 /usr/local/lib/libasn1.so.10"); + exec("chmod 0755 /usr/local/lib/libgssapi.so.10"); + exec("chmod 0755 /usr/local/lib/libheimntlm.so.10"); + exec("chmod 0755 /usr/local/lib/libhx509.so.10"); + exec("chmod 0755 /usr/local/lib/ldd/libkrb5.so.10"); + exec("chmod 0755 /usr/local/lib/libroken.so.10"); + } } - // We run this here just to suppress some warnings on syslog if file doesn't exist freeradius_authorizedmacs_resync(); @@ -789,6 +779,23 @@ function freeradius_clients_resync() { $varrequiremessageauthenticator = $item['varrequiremessageauthenticator']; $varclientnastype = $item['varclientnastype']; $varclientmaxconnections = $item['varclientmaxconnections']; + $varclientlogininput = ($item['varclientlogininput']?$item['varclientlogininput']:'### login = !root ###'); + $varclientpasswordinput = ($item['varclientpasswordinput']?$item['varclientpasswordinput']:'### password = someadminpass ###'); + + if ($item['varclientlogininput'] == '') { + $varclientlogin = '### login = !root ###'; + } + else { + $varclientlogin = "login = $varclientlogininput"; + } + if ($item['varclientpasswordinput'] == '') { + $varclientpassword = '### password = someadminpass ###'; + } + else { + $varclientpassword = "password = $varclientpasswordinput"; + } + + $conf .= <<<EOD client "$varclientshortname" { @@ -799,10 +806,8 @@ client "$varclientshortname" { max_connections = $varclientmaxconnections shortname = $varclientshortname nastype = $varclientnastype - #login = !root - #password = someadminpas - #virtual_server = home1 - #coa_server = coa + $varclientlogin + $varclientpassword } EOD; @@ -831,6 +836,8 @@ EOD; function freeradius_eapconf_resync() { global $config; + // We make this write enabled here because embedded systems need to write certs in ../raddb/certs/ folder + conf_mount_rw(); $conf = ''; $eapconf = $config['installedpackages']['freeradiuseapconf']['config'][0]; @@ -1064,7 +1071,6 @@ else { EOD; $filename = RADDB . '/eap.conf'; - conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); conf_mount_ro(); @@ -2341,6 +2347,8 @@ EOD; function freeradius_allcertcnf_resync() { global $config; + // We need to make this write enabled for embedded systems to write certs + conf_mount_rw(); // Only proceed these steps if freeRADIUS Cert-Manager is activated. if pfSense cert manager is used skip this. @@ -2448,6 +2456,8 @@ if ($eapconf['vareapconfchoosecertmanager'] == '') { else { return; } +// Read-only because of embedded systems +conf_mount_r0(); } //end of function // ##### The following part is based on the code of pfblocker ##### @@ -3952,12 +3962,8 @@ function freeradius_modulesmotp_resync() { $conf .= <<<EOD exec motp { wait = yes - program = "/usr/local/bin/bash /usr/local/etc/raddb/scripts/otpverify.sh %{User-Name} %{User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}" - input_pairs = reply - #output_pairs = config - } - - + program = "/usr/local/bin/bash /usr/local/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}" + } EOD; $filename = RADDB . '/modules/motp'; diff --git a/config/freeradius2/freeradiusclients.xml b/config/freeradius2/freeradiusclients.xml index be066937..2bf24ecc 100644 --- a/config/freeradius2/freeradiusclients.xml +++ b/config/freeradius2/freeradiusclients.xml @@ -221,6 +221,18 @@ <default_value>16</default_value> </field> <field> + <fielddescr>NAS Login</fielddescr> + <fieldname>varclientlogininput</fieldname> + <description><![CDATA[If your NAS supports it you can use SNMP or finger for simultaneous-use checks instead of (s)radutmp file and accounting. Leave empty to choose (s)radutmp. (Default: empty)]]></description> + <type>input</type> + </field> + <field> + <fielddescr>NAS Password</fielddescr> + <fieldname>varclientpasswordinput</fieldname> + <description><![CDATA[If your NAS supports it you can use SNMP or finger for simultaneous-use checks instead of (s)radutmp file and accounting. Leave empty to choose (s)radutmp. (Default: empty)]]></description> + <type>input</type> + </field> + <field> <fielddescr>Description</fielddescr> <fieldname>description</fieldname> <description><![CDATA[Enter any description you like for this client.]]></description> diff --git a/config/haproxy/haproxy.inc b/config/haproxy/haproxy.inc index 72d9535d..96b57190 100644 --- a/config/haproxy/haproxy.inc +++ b/config/haproxy/haproxy.inc @@ -59,7 +59,7 @@ $a_acltypes[] = array('name' => 'source_ip', 'descr' => 'Source IP', 'mode' => '', 'syntax' => 'src'); function haproxy_custom_php_deinstall_command() { - exec("rm /usr/local/sbin/haproxy"); + exec("cd /var/db/pkg && pkg_delete `ls | grep haproxy`"); exec("rm /usr/local/pkg/haproxy.inc"); exec("rm /usr/local/www/haproxy*"); exec("rm /usr/local/etc/rc.d/haproxy.sh"); @@ -156,6 +156,17 @@ EOD; fclose($fd); exec("/etc/rc.d/devd restart"); + /* Workaround for the old package deleting the binary on unload instead of the package */ + if (!file_exists("/usr/local/sbin/haproxy")) { + if (substr(trim(`uname -r`), 0, 1) == "8") { + exec("cd /var/db/pkg && pkg_delete `ls | grep haproxy`"); + if (trim(`uname -m`) == 'i386') + exec("pkg_add -r http://e-sac.siteseguro.ws/pfsense/8/All/haproxy-1.4.18.tbz"); + else + exec("pkg_add -r http://e-sac.siteseguro.ws/pfsense/8/amd64/All/haproxy-1.4.18.tbz"); + } + } + /* Do XML upgrade from haproxy 0.31 to haproxy-dev */ if (is_array($config['installedpackages']['haproxy']['ha_servers'])) { /* We have an old config */ diff --git a/config/haproxy/haproxy.xml b/config/haproxy/haproxy.xml index ee2a2263..0c897dc7 100644 --- a/config/haproxy/haproxy.xml +++ b/config/haproxy/haproxy.xml @@ -96,10 +96,13 @@ <custom_php_resync_config_command> </custom_php_resync_config_command> <custom_php_install_command> + /* + included in package install $freebsdv=trim(`uname -r | cut -d'.' -f1`); conf_mount_rw(); `fetch -q -o /usr/local/sbin/ http://www.pfsense.org/packages/config/haproxy/binaries{$freebsdv}/haproxy`; exec("chmod a+rx /usr/local/sbin/haproxy"); + */ haproxy_custom_php_install_command(); </custom_php_install_command> <custom_php_deinstall_command> diff --git a/config/haproxy/haproxy_global.php b/config/haproxy/haproxy_global.php index 1ef28005..340c578b 100755 --- a/config/haproxy/haproxy_global.php +++ b/config/haproxy/haproxy_global.php @@ -289,7 +289,7 @@ function enable_change(enable_change) { foreach($config['virtualip']['vip'] as $carp): if ($carp['mode'] != "carp") continue; $ipaddress = $carp['subnet']; - $carp_int = find_carp_interface($ipaddress); + $carp_int = trim(find_carp_interface($ipaddress)); ?> <option value="<?=$carp_int;?>" <?php if (isset($pconfig['carpdev']) && $carp_int == $pconfig['carpdev']) echo "selected"; ?>> diff --git a/config/mailreport/mail_reports.inc b/config/mailreport/mail_reports.inc index 0460bbc6..48fbc868 100644 --- a/config/mailreport/mail_reports.inc +++ b/config/mailreport/mail_reports.inc @@ -195,7 +195,7 @@ function mail_report_send($headertext, $attachments) { if(is_array($attachments)) { foreach($attachments as $filename) { $shortname = basename($filename); - $mail->AddEmbeddedImage("$filename", $shortname, "$filename"); + $mail->AddEmbeddedImage($filename, $shortname, $shortname); $mail->Body .= "<br/><br/>{$shortname}<br/><img src=\"cid:{$shortname}\" />\n"; } } diff --git a/config/tinydns/tinydns_status.php b/config/tinydns/tinydns_status.php index 147001af..3a4b8545 100644 --- a/config/tinydns/tinydns_status.php +++ b/config/tinydns/tinydns_status.php @@ -87,8 +87,8 @@ if(strstr($pfSversion, "1.2")) <?php $pingdir = return_dir_as_array("/var/db/pingstatus"); -if(file_exists("/service/tinydns/root/data")) - $tinydns_data = file_get_contents("/service/tinydns/root/data"); +if(file_exists("/var/run/service/tinydns/root/data")) + $tinydns_data = file_get_contents("/var/run/service/tinydns/root/data"); else $tinydns_data = ""; if($config['installedpackages']['tinydnsdomains']) @@ -146,7 +146,7 @@ foreach($config['installedpackages']['tinydnsdomains']['config'] as $ping) { echo $ipaddress; if($row['loadbalance']) echo " (LB)"; - if(stristr($tinydns_data, "+{$hostname}:{$row['monitorip']}")) + if(stristr($tinydns_data, "+{$hostname}:{$row['failoverip']}")) $inservice = "<FONT COLOR='GREEN'>YES</FONT>"; else $inservice = "<FONT COLOR='BLUE'>NO</FONT>"; |