-rw-r--r-- | config/tinc/tinc.inc | 323 |
1 files changed, 187 insertions, 136 deletions
diff --git a/config/tinc/tinc.inc b/config/tinc/tinc.inc
index 82d5b453..65f07e32 100644
--- a/config/tinc/tinc.inc
+++ b/config/tinc/tinc.inc
@@ -1,204 +1,255 @@
 <?php
-
+/*
+ tinc.inc
+ part of pfSense (https://www.pfSense.org/)
+ Copyright (C) 2012-2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/* include_once('guiconfig.inc'); is needed for clear_log_file() during package installation while booting.
+ * However, guiconfig.inc includes authgui.inc which requires a valid php session_auth() and exits when not found.
+ * So we include the function here.
+*/
 if (!function_exists('clear_log_file')) {
-//include_once('guiconfig.inc'); // needed for clear_log_file() during package installation while booting
-//however guiconfig.inc includes authgui.inc which requires a valid php session_auth(), and exits when not found..
-//so include the function here..
+ function clear_log_file($logfile = "/var/log/system.log", $restart_syslogd = true) { global $config, $g; - if ($restart_syslogd) + if ($restart_syslogd) { exec("/usr/bin/killall syslogd"); - if(isset($config['system']['disablesyslogclog'])) { + } + if (isset($config['system']['disablesyslogclog'])) { unlink($logfile); touch($logfile); } else { $log_size = isset($config['syslog']['logfilesize']) ? $config['syslog']['logfilesize'] : "511488"; - if(isset($config['system']['usefifolog'])) + if (isset($config['system']['usefifolog'])) { exec("/usr/sbin/fifolog_create -s {$log_size} " . escapeshellarg($logfile)); - else + } else { exec("/usr/local/sbin/clog -i -s {$log_size} " . escapeshellarg($logfile)); + } } - if ($restart_syslogd) + if ($restart_syslogd) { system_syslogd_start(); + } } } function tinc_save() { - global $config; + global $config, $configpath; + $configpath = '/usr/local/etc/tinc/'; + conf_mount_rw(); - exec("/bin/mv -f /usr/local/etc/tinc /usr/local/etc/tinc.old"); - safe_mkdir("/usr/local/etc/tinc"); - safe_mkdir("/usr/local/etc/tinc/hosts"); - exec("touch /usr/local/etc/tinc/WARNING-ENTIRE_DIRECTORY_ERASED_ON_SAVE_FROM_GUI"); + + rename("{$configpath}", "{$configpath}.old"); + safe_mkdir("{$configpath}"); + safe_mkdir("{$configpath}/hosts"); + touch("{$configpath}/WARNING-ENTIRE_DIRECTORY_ERASED_ON_SAVE_FROM_GUI"); $tincconf = &$config['installedpackages']['tinc']['config'][0]; - $fout = fopen("/usr/local/etc/tinc/tinc.conf","w"); + $fout = fopen("{$configpath}/tinc.conf", "w"); // No proper config, bail out. - if (!isset($tincconf['name']) || empty($tincconf['name'])) + if (!isset($tincconf['name']) || empty($tincconf['name'])) { + log_error("[tinc] Cannot configure (name not set). 
Check your configuration."); return; + } - fwrite($fout, "name=".$tincconf['name']."\n"); - fwrite($fout, "AddressFamily=".$tincconf['addressfamily']."\n"); - if(!is_array($config['installedpackages']['tinchosts']['config'])) { $config['installedpackages']['tinchosts']['config']=Array(); } - foreach($config['installedpackages']['tinchosts']['config'] as $host) { - if($host['connect']) - { + fwrite($fout, "name=" . $tincconf['name'] . "\n"); + fwrite($fout, "AddressFamily=" . $tincconf['addressfamily'] . "\n"); + if (!is_array($config['installedpackages']['tinchosts']['config'])) { + $config['installedpackages']['tinchosts']['config']= array(); + } + foreach ($config['installedpackages']['tinchosts']['config'] as $host) { + if($host['connect']) { fwrite($fout, "ConnectTo=" . $host['name'] . "\n"); } - - $_output = "Address=".$host['address']."\n"; - $_output .= "Subnet=".$host['subnet']."\n"; - $_output .= base64_decode($host['extra'])."\n"; - $_output .= base64_decode($host['cert_pub'])."\n"; - file_put_contents('/usr/local/etc/tinc/hosts/'.$host['name'],$_output); - if($host['host_up']) - { - file_put_contents('/usr/local/etc/tinc/hosts/'.$host['name'].'-up',str_replace("\r", "", base64_decode($host['host_up']))."\n"); - chmod('/usr/local/etc/tinc/hosts/'.$host['name'].'-up', 0744); + + $_output = "Address=" . $host['address'] . "\n"; + $_output .= "Subnet=" . $host['subnet'] . "\n"; + $_output .= base64_decode($host['extra']) . "\n"; + $_output .= base64_decode($host['cert_pub']) . "\n"; + file_put_contents("{$configpath}/hosts/" . $host['name'], $_output); + if ($host['host_up']) { + file_put_contents("{$configpath}/hosts/" . $host['name'] . '-up', str_replace("\r", "", base64_decode($host['host_up'])) . "\n"); + chmod("{$configpath}/hosts/" . $host['name'] . 
'-up', 0744); } - if($host['host_down']) - { - file_put_contents('/usr/local/etc/tinc/hosts/'.$host['name'].'-down',str_replace("\r", "", base64_decode($host['host_down']))."\n"); - chmod('/usr/local/etc/tinc/hosts/'.$host['name'].'-down', 0744); + if ($host['host_down']) { + file_put_contents("{$configpath}/hosts/" . $host['name'] . '-down', str_replace("\r", "", base64_decode($host['host_down'])) . "\n"); + chmod("{$configpath}/hosts/" . $host['name'] . '-down', 0744); } } - fwrite($fout, base64_decode($tincconf['extra'])."\n"); + fwrite($fout, base64_decode($tincconf['extra']) . "\n"); fclose($fout); // Check if we need to generate a new RSA key pair. - if ($tincconf['gen_rsa']) - { - safe_mkdir("/usr/local/etc/tinc/tmp"); - exec("/usr/local/sbin/tincd -c /usr/local/etc/tinc/tmp -K"); - $tincconf['cert_pub'] = base64_encode(file_get_contents('/usr/local/etc/tinc/tmp/rsa_key.pub')); - $tincconf['cert_key'] = base64_encode(file_get_contents('/usr/local/etc/tinc/tmp/rsa_key.priv')); + if ($tincconf['gen_rsa']) { + safe_mkdir("{$configpath}/tmp"); + exec("/usr/local/sbin/tincd -c {$configpath}/tmp -K"); + $tincconf['cert_pub'] = base64_encode(file_get_contents("{$configpath}/tmp/rsa_key.pub")); + $tincconf['cert_key'] = base64_encode(file_get_contents("{$configpath}/tmp/rsa_key.priv")); $tincconf['gen_rsa'] = false; $config['installedpackages']['tinc']['config'][0]['cert_pub'] = $tincconf['cert_pub']; $config['installedpackages']['tinc']['config'][0]['cert_key'] = $tincconf['cert_key']; $config['installedpackages']['tinc']['config'][0]['gen_rsa'] = $tincconf['gen_rsa']; - rmdir_recursive("/usr/local/etc/tinc/tmp"); - write_config(); + rmdir_recursive("{$configpath}/tmp"); + write_config("[tinc] New RSA key pair generated."); } $_output = "Subnet=" . $tincconf['localsubnet'] . "\n"; $_output .= base64_decode($tincconf['host_extra']) . "\n"; $_output .= base64_decode($tincconf['cert_pub']) . "\n"; - file_put_contents('/usr/local/etc/tinc/hosts/' . 
$tincconf['name'],$_output); - file_put_contents('/usr/local/etc/tinc/rsa_key.priv',base64_decode($tincconf['cert_key'])."\n"); - chmod("/usr/local/etc/tinc/rsa_key.priv", 0600); - if($tincconf['tinc_up']) - { + file_put_contents("{$configpath}/hosts/" . $tincconf['name'], $_output); + file_put_contents("{$configpath}/rsa_key.priv", base64_decode($tincconf['cert_key']) . "\n"); + chmod("{$configpath}/rsa_key.priv", 0600); + if ($tincconf['tinc_up']) { $_output = base64_decode($tincconf['tinc_up']) . "\n"; - } - else - { + } else { $_output = "ifconfig \$INTERFACE " . $tincconf['localip'] . " netmask " . $tincconf['vpnnetmask'] . "\n"; $_output .= "ifconfig \$INTERFACE group tinc\n"; } - file_put_contents('/usr/local/etc/tinc/tinc-up',$_output); - chmod("/usr/local/etc/tinc/tinc-up", 0744); - if($tincconf['tinc_down']) - { - file_put_contents('/usr/local/etc/tinc/tinc-down',str_replace("\r", "", base64_decode($tincconf['tinc_down'])) . "\n"); - chmod("/usr/local/etc/tinc/tinc-down", 0744); - } - if($tincconf['host_up']) - { - file_put_contents('/usr/local/etc/tinc/host-up',str_replace("\r", "", base64_decode($tincconf['host_up'])) . "\n"); - chmod("/usr/local/etc/tinc/host-up", 0744); - } - if($tincconf['host_down']) - { - file_put_contents('/usr/local/etc/tinc/host-down',str_replace("\r", "", base64_decode($tincconf['host_down'])) . "\n"); - chmod("/usr/local/etc/tinc/host-down", 0744); - } - if($tincconf['subnet_up']) - { - file_put_contents('/usr/local/etc/tinc/subnet-up',str_replace("\r", "", base64_decode($tincconf['subnet_up'])) . "\n"); - chmod("/usr/local/etc/tinc/subnet-up", 0744); - } - if($tincconf['subnet_down']) - { - file_put_contents('/usr/local/etc/tinc/subnet-down',str_replace("\r", "", base64_decode($tincconf['subnet_down'])) . 
"\n"); - chmod("/usr/local/etc/tinc/subnet-down", 0744); - } - system("/usr/local/etc/rc.d/tinc.sh restart 2>/dev/null"); - rmdir_recursive("/usr/local/etc/tinc.old"); + file_put_contents("{$configpath}/tinc-up", $_output); + chmod("{$configpath}/tinc-up", 0744); + if ($tincconf['tinc_down']) { + file_put_contents("{$configpath}/tinc-down", str_replace("\r", "", base64_decode($tincconf['tinc_down'])) . "\n"); + chmod("{$configpath}/tinc-down", 0744); + } + if ($tincconf['host_up']) { + file_put_contents("{$configpath}/host-up", str_replace("\r", "", base64_decode($tincconf['host_up'])) . "\n"); + chmod("{$configpath}/host-up", 0744); + } + if ($tincconf['host_down']) { + file_put_contents("{$configpath}/host-down", str_replace("\r", "", base64_decode($tincconf['host_down'])) . "\n"); + chmod("{$configpath}/host-down", 0744); + } + if ($tincconf['subnet_up']) { + file_put_contents("{$configpath}/subnet-up", str_replace("\r", "", base64_decode($tincconf['subnet_up'])) . "\n"); + chmod("{$configpath}/subnet-up", 0744); + } + if ($tincconf['subnet_down']) { + file_put_contents("{$configpath}/subnet-down", str_replace("\r", "", base64_decode($tincconf['subnet_down'])) . "\n"); + chmod("{$configpath}/subnet-down", 0744); + } + + $pfs_version = substr(trim(file_get_contents("/etc/version")), 0, 3); + if ($pfs_version == "2.2") { + $pbietcpath = '/usr/pbi/tinc-' . php_uname("m") . 
'/local/etc'; + unlink_if_exists("{$pbietcpath}/tinc"); + symlink($configpath, "{$pbietcpath}/tinc"); + } + + if ($tincconf['enable'] != "") { + restart_service("tinc"); + } elseif (is_process_running("tincd")); { + stop_service("tinc"); + } + rmdir_recursive("/usr/local/etc/tinc.old"); conf_mount_ro(); } function tinc_install() { global $config; + safe_mkdir("/usr/local/etc/tinc"); safe_mkdir("/usr/local/etc/tinc/hosts"); - $_rcfile['file']='tinc.sh'; - $_rcfile['start'].="/usr/local/sbin/tincd --config=/usr/local/etc/tinc\n\t"; - $_rcfile['stop'].="/usr/local/sbin/tincd --kill \n\t"; - write_rcfile($_rcfile); + $rc['file'] = 'tinc.sh'; + $rc['start'] .= "/usr/local/sbin/tincd --config=/usr/local/etc/tinc\n\t"; + $rc['stop'] .= "/usr/local/sbin/tincd --kill \n\t"; + write_rcfile($rc); unlink_if_exists("/usr/local/etc/rc.d/tincd"); clear_log_file("/var/log/tinc.log"); - - conf_mount_rw(); - /* Create Interface Group */ - if (!is_array($config['ifgroups']['ifgroupentry'])) - $config['ifgroups']['ifgroupentry'] = array(); - - $a_ifgroups = &$config['ifgroups']['ifgroupentry']; - $ifgroupentry = array(); - $ifgroupentry['members'] = ''; - $ifgroupentry['descr'] = 'tinc mesh VPN interface group'; - $ifgroupentry['ifname'] = 'tinc'; - $a_ifgroups[] = $ifgroupentry; + /* Create Interface Group */ + if (!is_array($config['ifgroups']['ifgroupentry'])) { + $config['ifgroups']['ifgroupentry'] = array(); + } - /* XXX: Do not remove this. */ - mwexec("/bin/rm -f /tmp/config.cache"); + $a_ifgroups = &$config['ifgroups']['ifgroupentry']; + $ifgroupentry = array(); + $ifgroupentry['members'] = ''; + $ifgroupentry['descr'] = 'tinc mesh VPN interface group'; + $ifgroupentry['ifname'] = 'tinc'; + $a_ifgroups[] = $ifgroupentry; - write_config(); + /* XXX: Do not remove this. WTH?! 
*/ + mwexec("/bin/rm -f /tmp/config.cache"); - conf_mount_ro(); + write_config("[tinc] Package installed."); } function tinc_deinstall() { global $config; - /* Remove Interface Group */ - conf_mount_rw(); - if (!is_array($config['ifgroups']['ifgroupentry'])) - $config['ifgroups']['ifgroupentry'] = array(); - - $a_ifgroups = &$config['ifgroups']['ifgroupentry']; - - $myid=-1; - $i = 0; - foreach ($a_ifgroups as $ifgroupentry) - { - if($ifgroupentry['ifname']=='tinc') - { - $myid=$i; - break; - } - $i++; - } - - if ($myid >= 0 && $a_ifgroups[$myid]) - { - $members = explode(" ", $a_ifgroups[$_GET['id']]['members']); - foreach ($members as $ifs) - { - $realif = get_real_interface($ifs); - if ($realif) - mwexec("/sbin/ifconfig {$realif} -group " . escapeshellarg($a_ifgroups[$_GET['id']]['ifname'])); - } - unset($a_ifgroups[$myid]); - mwexec("/bin/rm -f /tmp/config.cache"); - write_config(); - } - conf_mount_ro(); + /* Remove Interface Group */ + if (!is_array($config['ifgroups']['ifgroupentry'])) { + $config['ifgroups']['ifgroupentry'] = array(); + } + + $a_ifgroups = &$config['ifgroups']['ifgroupentry']; + + $myid = -1; + $i = 0; + foreach ($a_ifgroups as $ifgroupentry) { + if ($ifgroupentry['ifname'] == 'tinc') { + $myid = $i; + break; + } + $i++; + } + + if ($myid >= 0 && $a_ifgroups[$myid]) { + $members = explode(" ", $a_ifgroups[$_GET['id']]['members']); + foreach ($members as $ifs) { + $realif = get_real_interface($ifs); + if ($realif) { + mwexec("/sbin/ifconfig {$realif} -group " . escapeshellarg($a_ifgroups[$_GET['id']]['ifname'])); + } + } + unset($a_ifgroups[$myid]); + /* WTH?! 
*/ + mwexec("/bin/rm -f /tmp/config.cache"); + write_config("[tinc] Package uninstalled."); + } rmdir_recursive("/var/tmp/tinc"); rmdir_recursive("/usr/local/etc/tinc*"); - unlink_if_exists("/usr/local/etc/rc.d/tinc.sh"); } +function tinc_validate_input($post, &$input_errors) { + if ($post['localip']) { + if ((!is_ipaddr($post['localip'])) && (!is_hostname($post['localip']))) { + $input_errors[] = gettext("'Local IP' must be a valid IP address or hostname."); + } + } + if ($post['address']) { + if ((!is_ipaddr($post['address'])) && (!is_hostname($post['address']))) { + $input_errors[] = gettext("'Host Address' must be a valid IP address or hostname."); + } + } + if (($post['localsubnet']) && (!is_subnet($post['localsubnet']))) { + $input_errors[] = gettext("'Local Subnet' must be a valid subnet."); + } + if (($post['subnet']) && (!is_subnet($post['subnet']))) { + $input_errors[] = gettext("'Subnet' must be a valid subnet."); + } +} ?> |
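Review bot: The stray semicolon in `} elseif (is_process_running("tincd")); {` in tinc_save turns the elseif into an empty statement, so the following `{ stop_service("tinc"); }` block runs unconditionally and stops tincd right after `restart_service("tinc")` whenever the package is enabled; the line should read `} elseif (is_process_running("tincd")) {`. In the same function `$configpath` ends in a slash, so `rename("{$configpath}", "{$configpath}.old")` targets `/usr/local/etc/tinc/.old`, a path inside the directory being renamed, which rename() refuses; the old tree is then never moved aside, stale host files for peers removed from the GUI stay in `hosts/` where tincd still treats them as valid authentication material, and the later `rmdir_recursive("/usr/local/etc/tinc.old")` cleans a path that was never created — defining `$configpath = '/usr/local/etc/tinc';` without the trailing slash fixes both. In tinc_deinstall the two `$a_ifgroups[$_GET['id']]` lookups should use `$myid`, the index the loop just above already found: a deinstall hook has no request parameter, so the interface-group cleanup is silently skipped, and a request-controlled index into the config array that feeds an ifconfig command is not something a package hook should accept even with escapeshellarg(). The new tinc_validate_input() checks addresses and subnets but not `name`, which tinc_save writes unescaped into tinc.conf and uses as a filename under `hosts/`; a character check such as `if ($post['name'] && !preg_match('/^[A-Za-z0-9_]+$/', $post['name'])) { $input_errors[] = gettext("'Name' may only contain letters, digits and underscores."); }` keeps path separators and newlines out of both.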