Diffstat (limited to 'config')
66 files changed, 2252 insertions, 1285 deletions
diff --git a/config/apache_mod_security/apache_mod_security.inc b/config/apache_mod_security/apache_mod_security.inc index 69cc2126..63960b9e 100644 --- a/config/apache_mod_security/apache_mod_security.inc +++ b/config/apache_mod_security/apache_mod_security.inc @@ -49,7 +49,10 @@ function apache_mod_security_install() { generate_apache_configuration(); $filename = "apache_mod_security.sh"; - $start = APACHEDIR . "/sbin/httpd -k start"; + if (APACHEDIR != "/usr/local") { + $start = "/sbin/ldconfig -m " . APACHEDIR . "/lib\n"; + } + $start .= APACHEDIR . "/sbin/httpd -k start"; $stop = APACHEDIR . "/sbin/httpd -k stop"; write_rcfile(array( @@ -73,6 +76,9 @@ function apache_mod_security_deinstall() { // Check Apache configuration syntax function apache_mod_security_checkconfig() { global $config, $g; + if (APACHEDIR != "/usr/local") { + mwexec("/sbin/ldconfig -m " . APACHEDIR . "/lib"); + } $status = mwexec(APACHEDIR . "/sbin/httpd -t"); if ($status) { $input_errors[] = "[apache_mod_security]: There was an error parsing the Apache configuration: {$status}"; @@ -550,7 +556,7 @@ LoadModule status_module libexec/{$apache_version}/mod_status.so LoadModule autoindex_module libexec/{$apache_version}/mod_autoindex.so LoadModule asis_module libexec/{$apache_version}/mod_asis.so LoadModule info_module libexec/{$apache_version}/mod_info.so -LoadModule cgi_module libexec/{$apache_version}/mod_cgi.so +# LoadModule cgi_module libexec/{$apache_version}/mod_cgi.so LoadModule vhost_alias_module libexec/{$apache_version}/mod_vhost_alias.so LoadModule negotiation_module libexec/{$apache_version}/mod_negotiation.so LoadModule dir_module libexec/{$apache_version}/mod_dir.so diff --git a/config/apache_mod_security/apache_mod_security.priv.inc b/config/apache_mod_security/apache_mod_security.priv.inc new file mode 100644 index 00000000..e3989c9f --- /dev/null +++ b/config/apache_mod_security/apache_mod_security.priv.inc 
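Review bot: `$start` is assigned only inside the new `if (APACHEDIR != "/usr/local")` branch of apache_mod_security_install(), so on a default /usr/local install the following `$start .= APACHEDIR . "/sbin/httpd -k start";` appends to an undefined variable and raises an undefined-variable notice. Initialise it before the branch with `$start = "";`. In apache_mod_security_checkconfig() the added `mwexec("/sbin/ldconfig -m " . ...)` discards its return status, so a failed ldconfig would only show up as an `httpd -t` error; consider logging a non-zero result. Both function bodies continue outside their hunks.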
@@ -0,0 +1,42 @@
+<?php
+/*
+ apache_mod_security.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-services-apache-modsecurity'] = array();
+$priv_list['page-services-apache-modsecurity']['name'] = "WebCfg - Services: ModSecurity/Apache Proxy Server";
+$priv_list['page-services-apache-modsecurity']['descr'] = "Allow access to ModSecurity/Apache Proxy Server package GUI";
+
+$priv_list['page-services-apache-modsecurity']['match'] = array();
+$priv_list['page-services-apache-modsecurity']['match'][] = "pkg.php?xml=apache_mod_security.xml*";
+$priv_list['page-services-apache-modsecurity']['match'][] = "pkg.php?xml=apache_mod_security_settings.xml*";
+$priv_list['page-services-apache-modsecurity']['match'][] = "pkg_edit.php?xml=apache_mod_security.xml*";
+$priv_list['page-services-apache-modsecurity']['match'][] = "pkg_edit.php?xml=apache_mod_security_settings.xml*";
+$priv_list['page-services-apache-modsecurity']['match'][] = "apache_mod_security_view_logs.php*";
+
+?>
diff --git a/config/apache_mod_security/apache_mod_security.xml b/config/apache_mod_security/apache_mod_security.xml
index ee8c7fbb..a5b6e009 100644
--- a/config/apache_mod_security/apache_mod_security.xml
+++ b/config/apache_mod_security/apache_mod_security.xml
@@ -42,7 +42,7 @@
 ]]>
 </copyright>
 <name>apache_mod_security</name>
- <version>0.1.8</version>
+ <version>0.1.9</version>
 <title>Services: Mod_Security+Apache+Proxy: Site Proxies</title>
 <include_file>/usr/local/pkg/apache_mod_security.inc</include_file>
 <menu>
@@ -62,6 +62,10 @@
 <item>https://packages.pfsense.org/packages/config/apache_mod_security/apache_mod_security.inc</item>
 </additional_files_needed>
 <additional_files_needed>
+ <prefix>/etc/priv/inc/</prefix>
+ <item>https://packages.pfsense.org/packages/config/apache_mod_security/apache_mod_security.priv.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
 <prefix>/usr/local/pkg/</prefix>
 <item>https://packages.pfsense.org/packages/config/apache_mod_security/apache_mod_security_settings.xml</item>
 </additional_files_needed>
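Review bot: The added `<prefix>/etc/priv/inc/</prefix>` looks transposed, because apcupsd.xml in this same commit installs its `.priv.inc` file under `/etc/inc/priv/`. If the privilege loader reads only that directory (not visible on this page, though the apcupsd path suggests it), `page-services-apache-modsecurity` is never registered and access to the package pages cannot be delegated to a restricted user. Proposed line: `<prefix>/etc/inc/priv/</prefix>`.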
diff --git a/config/apcupsd/apcupsd.priv.inc b/config/apcupsd/apcupsd.priv.inc
new file mode 100644
index 00000000..5526b99f
--- /dev/null
+++ b/config/apcupsd/apcupsd.priv.inc
@@ -0,0 +1,38 @@
+<?php
+/*
+ apcupsd.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-services-apcupsd'] = array();
+$priv_list['page-services-apcupsd']['name'] = "WebCfg - Services: apcupsd";
+$priv_list['page-services-apcupsd']['descr'] = "Allow access to apcupsd package GUI";
+$priv_list['page-services-apcupsd']['match'] = array();
+$priv_list['page-services-apcupsd']['match'][] = "pkg_edit.php?xml=apcupsd.xml*";
+$priv_list['page-services-apcupsd']['match'][] = "apcupsd_status.php*";
+
+?>
diff --git a/config/apcupsd/apcupsd.xml b/config/apcupsd/apcupsd.xml
index 38c84e81..cb33b8ef 100644
--- a/config/apcupsd/apcupsd.xml
+++ b/config/apcupsd/apcupsd.xml
@@ -41,17 +41,20 @@
 </copyright>
 <name>Apcupsd</name>
 <title>Services: Apcupsd (General)</title>
- <category>Monitoring</category>
- <version>0.3.7</version>
+ <version>0.3.9</version>
 <include_file>/usr/local/pkg/apcupsd.inc</include_file>
- <addedit_string>Apcupsd has been created/modified.</addedit_string>
- <delete_string>Apcupsd has been deleted.</delete_string>
+ <addedit_string>Apcupsd configuration has been created/modified.</addedit_string>
+ <delete_string>Apcupsd configuration has been deleted.</delete_string>
 <restart_command>/usr/local/etc/rc.d/apcupsd.sh restart</restart_command>
 <additional_files_needed>
 <item>https://packages.pfsense.org/packages/config/apcupsd/apcupsd.inc</item>
 <prefix>/usr/local/pkg/</prefix>
 </additional_files_needed>
 <additional_files_needed>
+ <item>https://packages.pfsense.org/packages/config/apcupsd/apcupsd.priv.inc</item>
+ <prefix>/etc/inc/priv/</prefix>
+ </additional_files_needed>
+ <additional_files_needed>
 <item>https://packages.pfsense.org/packages/config/apcupsd/apcupsd_status.php</item>
 <prefix>/usr/local/www/</prefix>
 </additional_files_needed>
@@ -67,18 +70,18 @@
 <name>Apcupsd</name>
 <tooltiptext>Setup Apcupsd specific settings</tooltiptext>
 <section>Services</section>
- <url>/pkg_edit.php?xml=apcupsd.xml&id=0</url>
+ <url>/pkg_edit.php?xml=apcupsd.xml</url>
 </menu>
 <service>
 <name>apcupsd</name>
 <rcfile>apcupsd.sh</rcfile>
 <executable>apcupsd</executable>
- <description>Apcupsd a daemon for controlling APC UPSes</description>
+ <description>APC UPS Daemon</description>
 </service>
 <tabs>
 <tab>
 <text>General</text>
- <url>/pkg_edit.php?xml=apcupsd.xml&id=0</url>
+ <url>/pkg_edit.php?xml=apcupsd.xml</url>
 <active/>
 </tab>
 <tab>
@@ -88,19 +91,19 @@ </tabs> <fields> <field> - <name>General configuration parameters</name> + <name>General Configuration Parameters</name> <type>listtopic</type> </field> <field> <fielddescr>Enable</fielddescr> <fieldname>apcupsdenabled</fieldname> - <description>Enable APC UPS Daemon service</description> + <description>Enable APC UPS Daemon service.</description> <type>checkbox</type> </field> <field> <fielddescr>UPS Name</fielddescr> <fieldname>upsname</fieldname> - <description>Use this to give your UPS a name in log files and such</description> + <description>Use this to give your UPS a name in log files and such.</description> <type>input</type> <size>60</size> <required>true</required> @@ -199,7 +202,7 @@ <field> <fielddescr>Kill on Power Fail</fielddescr> <fieldname>killonpowerfail</fieldname> - <description>Hibernate UPS on powerfail</description> + <description>Hibernate UPS on powerfail.</description> <type>checkbox</type> </field> <field> @@ -322,7 +325,7 @@ <default_value>3551</default_value> </field> <field> - <name>Configuration statements used if sharing</name> + <name>UPS Sharing Configuration</name> <type>listtopic</type> </field> <field> diff --git a/config/autoconfigbackup/autoconfigbackup.php b/config/autoconfigbackup/autoconfigbackup.php index 5bf40736..9a7d67a1 100644 --- a/config/autoconfigbackup/autoconfigbackup.php +++ b/config/autoconfigbackup/autoconfigbackup.php @@ -82,6 +82,10 @@ if ($_REQUEST['download']) { $pgtitle = "Diagnostics: Auto Configuration Backup"; } +/* Set up time zones for conversion. See #5250 */ +$acbtz = new DateTimeZone('America/Chicago'); +$mytz = new DateTimeZone(date_default_timezone_get()); + include("head.inc"); function get_hostnames() { 
@@ -193,7 +197,9 @@ function get_hostnames() { $savemsg = "An error occurred while trying to remove the item from portal.pfsense.org."; } else { curl_close($curl_session); - $savemsg = "Backup revision {$_REQUEST['rmver']} has been removed."; + $budate = new DateTime($_REQUEST['rmver'], $acbtz); + $budate->setTimezone($mytz); + $savemsg = "Backup revision " . htmlspecialchars($budate->format(DATE_RFC2822)) . " has been removed."; } print_info_box($savemsg); } @@ -350,12 +356,19 @@ EOF; // Loop through and create new confvers $data_split = split("\n", $data); $confvers = array(); + foreach ($data_split as $ds) { $ds_split = split($oper_sep, $ds); $tmp_array = array(); $tmp_array['username'] = $ds_split[0]; $tmp_array['reason'] = $ds_split[1]; $tmp_array['time'] = $ds_split[2]; + + /* Convert the time from server time to local. See #5250 */ + $budate = new DateTime($tmp_array['time'], $acbtz); + $budate->setTimezone($mytz); + $tmp_array['localtime'] = $budate->format(DATE_RFC2822); + if ($ds_split[2] && $ds_split[0]) { $confvers[] = $tmp_array; } 
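Review bot: `new DateTime($_REQUEST['rmver'], $acbtz)` is fed the raw request parameter, and the DateTime constructor throws on a string it cannot parse; nothing in the hunk catches that, so a malformed `rmver` aborts the page at a point where the removal request appears to have already completed. Wrap the two conversion lines in `try { ... } catch (Exception $e) { ... }` and fall back to `htmlspecialchars($_REQUEST['rmver'])` for the message. Escaping the value shown in `$savemsg` is the right direction and should be kept in the fallback path as well. The enclosing block starts outside the hunk.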
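Review bot: The added time conversion runs before the `if ($ds_split[2] && $ds_split[0])` filter, so rows that are about to be discarded still go through `new DateTime($tmp_array['time'], $acbtz)`; an empty string yields the current time and an unparseable one throws and breaks the whole listing. Move the three added lines inside that `if` and catch the exception per row. If the fallback is to show the raw server value, store it as `htmlspecialchars($tmp_array['time'])`, because `localtime` is later echoed into both HTML and an inline `confirm('...')` string without escaping.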
@@ -398,16 +411,16 @@ EOF; foreach ($confvers as $cv): ?> <tr valign="top"> - <td class="listlr"> <?= $cv['time']; ?></td> + <td class="listlr"> <?= $cv['localtime']; ?></td> <td class="listbg"> <?= $cv['reason']; ?></td> <td colspan="2" valign="middle" class="list" nowrap="nowrap"> - <a title="Restore this revision" onclick="return confirm('Are you sure you want to restore <?= $cv['time']; ?>?')" href="autoconfigbackup.php?hostname=<?=urlencode($hostname)?>&newver=<?=urlencode($cv['time']);?>"> + <a title="Restore this revision" onclick="return confirm('Are you sure you want to restore <?= $cv['localtime']; ?>?')" href="autoconfigbackup.php?hostname=<?=urlencode($hostname)?>&newver=<?=urlencode($cv['time']);?>"> <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0" alt="" /> </a> <a title="Show info" href="autoconfigbackup.php?download=<?=urlencode($cv['time']);?>&hostname=<?=urlencode($hostname)?>&reason=<?php echo urlencode($cv['reason']);?>"> <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_down.gif" width="17" height="17" border="0" alt="" /> </a> - <a title="Delete" onclick="return confirm('Are you sure you want to delete <?= $cv['time']; ?>?')"href="autoconfigbackup.php?hostname=<?=urlencode($hostname)?>&rmver=<?=urlencode($cv['time']);?>"> + <a title="Delete" onclick="return confirm('Are you sure you want to delete <?= $cv['localtime']; ?>?')"href="autoconfigbackup.php?hostname=<?=urlencode($hostname)?>&rmver=<?=urlencode($cv['time']);?>"> <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" alt="" /> </a> </td> diff --git a/config/autoconfigbackup/autoconfigbackup.xml b/config/autoconfigbackup/autoconfigbackup.xml index dd83a9c7..f2fd8785 100644 --- a/config/autoconfigbackup/autoconfigbackup.xml +++ b/config/autoconfigbackup/autoconfigbackup.xml 
@@ -43,7 +43,7 @@ <description>Automatically backs up your pfSense configuration. All contents are encrypted before being sent to the server. Requires Gold Subscription from https://portal.pfsense.org</description> <requirements>pfSense Portal subscription</requirements> <name>AutoConfigBackup</name> - <version>1.29</version> + <version>1.32</version> <title>Diagnostics: Auto Configuration Backup</title> <savetext>Change</savetext> <include_file>/usr/local/pkg/autoconfigbackup.inc</include_file> diff --git a/config/checkmk-agent/checkmk.inc b/config/checkmk-agent/checkmk.inc index 67d82e6b..1ab92400 100644 --- a/config/checkmk-agent/checkmk.inc +++ b/config/checkmk-agent/checkmk.inc @@ -27,10 +27,11 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +require_once("filter.inc"); +require_once("pfsense-utils.inc"); +require_once("util.inc"); + define('ETC_SERVICES', '/etc/services'); -define('ETC_INETD', '/etc/inetd.conf'); -define('ETC_HOSTS_ALLOW', '/etc/hosts.allow'); -define('ETC_RC_CONF', '/etc/rc.conf.local'); function checkmk_install() { /* 
@@ -39,24 +40,62 @@ function checkmk_install() { */ $checkmk_bin = "/usr/local/bin/check_mk_agent"; $checkmk_url = 'http://git.mathias-kettner.de/git/?p=check_mk.git;a=blob_plain;f=agents/check_mk_agent.freebsd;hb=e13899bde8bdafe13780427811c8153c59be807f'; - mwexec("fetch -o {$checkmk_bin} \"{$checkmk_url}\""); + mwexec("/usr/bin/fetch -o {$checkmk_bin} \"{$checkmk_url}\""); chmod($checkmk_bin, 0755); - sync_package_checkmk(); + /* Detect possible junk left over after previous bad package versions */ + checkmk_decrapify(); +} + +function checkmk_deinstall() { + /* Remove entry from /etc/services file */ + checkmk_cleanup_etc_services_file(); + /* Remove check_mk_agent script fetched via checkmk_install() */ + unlink_if_exists("/usr/local/bin/check_mk_agent"); + /* Detect possible junk left over after previous bad package versions */ + checkmk_decrapify(); +} + +function checkmk_decrapify() { + $i = 0; + if (exec("/usr/bin/wc -l /etc/hosts.allow | /usr/bin/awk '{ print $1 }'") > 5) { + log_error("[check_mk-agent] Possibly redundant lines found in /etc/hosts.allow."); + $i++; + } + if (exec("/usr/bin/wc -l /etc/inetd.conf | /usr/bin/awk '{ print $1 }'") > 1) { + log_error("[check_mk-agent] Possibly redundant lines found in /etc/inetd.conf."); + $i++; + } + if (file_exists("/etc/rc.conf.local")) { + log_error("[check_mk-agent] /etc/rc.conf.local file found; this file does not exist normally on pfSense."); + $i++; + } + if ($i > 0) { + log_error("[check_mk-agent] Inconsistent configuration files; possibly caused by previous check_mk package versions."); + log_error("[check_mk-agent] Please, compare those against default distribution files at https://github.com/pfsense/pfsense and fix as required manually."); + file_notice("check_mk-agent", "Inconsistent configuration files found, possibly caused by previous check_mk package versions. 
See Status - System Logs - General for details.", "Packages", ""); + } } function checkmk_text_area_decode($text) { return preg_replace('/\r\n/', "\n", base64_decode($text)); } +function checkmk_cleanup_etc_services_file() { + preg_match_all("/check_mk.*/", file_get_contents(ETC_SERVICES), $matches); + foreach ($matches[0] as $match => $value) { + if (!empty($value)) { + remove_text_from_file(ETC_SERVICES, "{$value}\n"); + } + } +} + function sync_package_checkmk() { global $config, $g, $mk_config; - $update_conf = 0; if (!is_array($config['installedpackages']['checkmk']['config'])) { return; } - $mk_config = $config['installedpackages']['checkmk']['config'][0]; $checkmk_bin = "/usr/local/bin/check_mk_agent"; 
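Review bot: checkmk_install() still downloads the agent script over plain `http://` and marks it executable without checking the `fetch` exit status or the file's content; the `hb=` commit id in the URL does not protect the transfer against tampering. checkmk_generate_rules(), added elsewhere in this commit, registers that file in inetd to run as root, so the download should be verified before `chmod()`: compare `hash_file('sha256', $checkmk_bin)` with a digest pinned in the package (placeholder `<EXPECTED_SHA256>`), and on mismatch remove the file and call `log_error()`. Shipping the agent through `additional_files_needed` from the package server over HTTPS, as the other files are, would avoid the third-party fetch entirely. checkmk_install() begins above the hunk.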
@@ -71,193 +110,200 @@ function sync_package_checkmk() { conf_mount_rw(); - - /* Check services file. */ - $mk_services = file(ETC_SERVICES); + /* Check /etc/services file; remove any previous entries first since port could have changed */ + checkmk_cleanup_etc_services_file(); $port = ($mk_config['checkmkport'] ? $mk_config['checkmkport'] : "6556"); - foreach ($mk_services as $mk_service) { - if (!preg_match("/check_mk/", $mk_service)) { - $mk_service_file.=chop($mk_service)."\n"; - } - } - if ($mk_config['checkmkenable']=="on") { - $mk_service_file .= "check_mk {$port}/tcp #check_mk agent\n"; - file_put_contents(ETC_SERVICES, $mk_service_file, LOCK_EX); - } - - /* Check inetd file. */ - $mk_inetds = file(ETC_INETD); - foreach ($mk_inetds as $mk_inetd) { - if (!preg_match("/check_mk/",$mk_inetd)) { - $mk_inetd_file.=chop($mk_inetd)."\n"; - } - } - if ($mk_config['checkmkenable']=="on") { - $mk_inetd_file .= "check_mk stream tcp nowait root /usr/local/bin/check_mk_agent check_mk\n"; - } - file_put_contents(ETC_INETD, $mk_inetd_file, LOCK_EX); - - /* Check hosts.allow file. */ - $mk_hosts = file(ETC_HOSTS_ALLOW); - $inet_daemons_count = 0; - foreach ($mk_hosts as $mk_host) { - if (!preg_match("/check_mk/",$mk_host)) { - $mk_hosts_file .= chop($mk_host) . "\n"; - } - if (preg_match("/^\w+/")) { - $inet_daemons_count++; - } - } if ($mk_config['checkmkenable'] == "on") { - foreach (explode(',',$mk_config['checkmkhosts']) as $check_mk_host) { - $mk_hosts_file .= "check_mk : {$check_mk_host} : allow\n"; - $inet_daemons_count++; - } + $mk_service_file = "check_mk {$port}/tcp #check_mk agent\n"; + add_text_to_file(ETC_SERVICES, $mk_service_file); } - file_put_contents(ETC_HOSTS_ALLOW, $mk_hosts_file, LOCK_EX); - /* Check inetd daemon rc_conf option. 
*/ - $mk_rc_confs= file(ETC_RC_CONF); - foreach ($mk_rc_confs as $mk_rc_conf) { - if (!preg_match("/inetd_/",$mk_rc_conf)) { - $mk_rc_conf_file .= chop($mk_rc_conf)."\n"; + conf_mount_ro(); + + /* Run XMLRPC sync if not booting */ + if (function_exists("platform_booting")) { + if (platform_booting()) { + return; } + } elseif ($g['booting']) { + return; + } else { + checkmk_sync_on_changes(); } - if ($mk_config['checkmkenable']=="on") { - $mk_rc_conf_file .= 'inetd_enable="YES"' . "\n"; - $mk_rc_conf_file .= 'inetd_flags="-wW"' . "\n"; - } +} - file_put_contents(ETC_RC_CONF, $mk_rc_conf_file, LOCK_EX); - if ($inet_daemons_count > 0) { - mwexec("/etc/rc.d/inetd restart"); +function checkmk_generate_rules($type) { + global $config; + + if (is_array($config['installedpackages']['checkmk']['config'])) { + $mk_config = $config['installedpackages']['checkmk']['config'][0]; } else { - mwexec("/etc/rc.d/inetd stop"); + $mk_config = array(); } - - /* Write config if any file from filesystem was loaded. 
*/ - if ($update_conf > 0) { - write_config(); + $mk_config = $config['installedpackages']['checkmk']['config'][0]; + if ($mk_config['checkmkenable'] != "on") { + return; } - conf_mount_ro(); + if ($type != "nat") { + return; + } - checkmk_sync_on_changes(); + /* Add checkmk daemon to inetd */ + $inetd_fd = fopen("/var/etc/inetd.conf", "a+"); + fwrite($inetd_fd, "check_mk\t\tstream\ttcp\tnowait\t\troot\t/usr/local/bin/check_mk_agent\tcheck_mk \n"); + fclose($inetd_fd); + + /* Generate NAT rules */ + if (!empty($mk_config['checkmkifaces'])) { + $checkmkifs = explode(",", $mk_config['checkmkifaces']); + $checkmkhosts = $mk_config['checkmkhosts'] ?: "any"; + $checkmkport = $mk_config['checkmkport'] ?: "6556"; + foreach ($checkmkifs as $checkmkif) { + if (empty($checkmkif)) { + continue; + } + $interface = get_real_interface($checkmkif); + if (empty($interface)) { + continue; + } + $ip = find_interface_ip($interface); + if (!is_ipaddrv4($ip)) { + continue; + } + + if (is_subnetv4($checkmkhosts) || is_ipaddr($checkmkhosts) || $checkmkhosts == "any") { + $natrules .= "rdr on {$interface} proto tcp from {$checkmkhosts} to {$ip} port {$checkmkport} -> 127.0.0.1 port {$checkmkport}\n"; + } elseif (is_alias($checkmkhosts)) { + $natrules .= "rdr on {$interface} proto tcp from \${$checkmkhosts} to {$ip} port {$checkmkport} -> 127.0.0.1 port {$checkmkport}\n"; + } + } + } + return $natrules; } function checkmk_validate_input($post, &$input_errors) { - foreach ($post as $key => $value) { - if (empty($value)) { - continue; - } - if (substr($key, 0, 3) == "port" && !preg_match("/^\d+$/", $value)) { - $input_errors[] = "{$value} is no a valid port number"; - } - if (substr($key, 0, 11) == "description" && !preg_match("@^[a-zA-Z0-9 _/.-]+$@", $value)) { - $input_errors[] = "Do not use special characters on description"; - } - if (substr($key, 0, 8) == "fullfile" && !preg_match("@^[a-zA-Z0-9_/.-]+$@", $value)) { - $input_errors[] = "Do not use special characters on filename"; - } - + 
if (!empty($post["checkmkport"]) && !is_port($post["checkmkport"])) { + $input_errors[] = "You must specify a valid port in 'Listen Port' field."; + + } + if (empty($post["checkmkifaces"])) { + $input_errors[] = "One or more 'Listen Interface(s)' must be selected"; + } + if (!empty($post["checkmkhosts"]) && !(is_alias($post["checkmkhosts"]) || is_subnetv4($post["checkmkhosts"]) || is_ipaddrv4($post["checkmkhosts"]))) { + $input_errors[] = "You must specify a valid IP address, subnet or alias in 'Hosts Allowed' field."; } } /* Uses XMLRPC to synchronize the changes to a remote node. */ function checkmk_sync_on_changes() { - global $config, $g; + global $config; + if (is_array($config['installedpackages']['checkmksync']['config'])) { $checkmk_sync = $config['installedpackages']['checkmksync']['config'][0]; $synconchanges = $checkmk_sync['synconchanges']; - $synctimeout = $checkmk_sync['synctimeout']; + $synctimeout = $checkmk_sync['synctimeout'] ?: '250'; switch ($synconchanges) { case "manual": - if (is_array($checkmk_sync[row])) { - $rs = $checkmksync[row]; + if (is_array($checkmk_sync['row'])) { + $rs = $checkmk_sync['row']; } else { - log_error("[check_mk-agent] XMLRPC sync is enabled but there is no hosts to push on squid config."); + log_error("[check_mk-agent] XMLRPC sync is enabled but there are no hosts configured as replication targets."); return; } break; case "auto": - if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])) { - $system_carp = $config['installedpackages']['carpsettings']['config'][0]; + if (is_array($config['hasync'])) { + $system_carp = $config['hasync']; $rs[0]['ipaddress'] = $system_carp['synchronizetoip']; $rs[0]['username'] = $system_carp['username']; $rs[0]['password'] = $system_carp['password']; + $rs[0]['syncdestinenable'] = FALSE; + + // XMLRPC sync is currently only supported over connections using the same protocol and port as this system + if 
($config['system']['webgui']['protocol'] == "http") { + $rs[0]['syncprotocol'] = "http"; + $rs[0]['syncport'] = $config['system']['webgui']['port'] ?: '80'; + } else { + $rs[0]['syncprotocol'] = "https"; + $rs[0]['syncport'] = $config['system']['webgui']['port'] ?: '443'; + } + if ($system_carp['synchronizetoip'] == "") { + log_error("[check_mk-agent] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets."); + return; + } else { + $rs[0]['syncdestinenable'] = TRUE; + } } else { - log_error("[check_mk-agent] XMLRPC sync is enabled but there is no system backup hosts to push squid config."); + log_error("[check_mk-agent] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets."); return; } break; default: return; - break; + break; } if (is_array($rs)) { log_error("[check_mk-agent] XMLRPC sync is starting."); foreach ($rs as $sh) { - $sync_to_ip = $sh['ipaddress']; - $password = $sh['password']; - if ($sh['username']) { - $username = $sh['username']; - } else { - $username = 'admin'; - } - if ($password && $sync_to_ip) { - checkmk_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout); + // Only sync enabled replication targets + if ($sh['syncdestinenable']) { + $sync_to_ip = $sh['ipaddress']; + $port = $sh['syncport']; + $username = $sh['username'] ?: 'admin'; + $password = $sh['password']; + $protocol = $sh['syncprotocol']; + + $error = ''; + $valid = TRUE; + + if ($password == "") { + $error = "Password parameter is empty. "; + $valid = FALSE; + } + if (!is_ipaddr($sync_to_ip) && !is_hostname($sync_to_ip) && !is_domain($sync_to_ip)) { + $error .= "Misconfigured Replication Target IP Address or Hostname. "; + $valid = FALSE; + } + if (!is_port($port)) { + $error .= "Misconfigured Replication Target Port. 
"; + $valid = FALSE; + } + if ($valid) { + checkmk_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout); + } else { + log_error("[check_mk-agent] XMLRPC sync with '{$sync_to_ip}' aborted due to the following error(s): {$error}"); + } } - log_error("[check_mk-agent] XMLRPC sync is ending."); } + log_error("[check_mk-agent] XMLRPC sync completed."); } - } + } } /* Do the actual XMLRPC sync. */ -function checkmk_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout) { +function checkmk_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout) { global $config, $g; - if (!$username) { + if ($username == "" || $password == "" || $sync_to_ip == "" || $port == "" || $protocol == "") { + log_error("[check_mk-agent] A required XMLRPC sync parameter (username, password, replication target, port or protocol) is empty ... aborting pkg sync"); return; } - if (!$password) { - return; + // Take care of IPv6 literal address + if (is_ipaddrv6($sync_to_ip)) { + $sync_to_ip = "[{$sync_to_ip}]"; } - if (!$sync_to_ip) { - return; - } + $url = "{$protocol}://{$sync_to_ip}"; - $xmlrpc_sync_neighbor = $sync_to_ip; - if($config['system']['webgui']['protocol'] != "") { - $synchronizetoip = $config['system']['webgui']['protocol']; - $synchronizetoip .= "://"; - } - $port = $config['system']['webgui']['port']; - /* If port is empty, let's rely on the protocol selection. */ - if ($port == "") { - if($config['system']['webgui']['protocol'] == "http") { - $port = "80"; - } else { - $port = "443"; - } - } - $synchronizetoip .= $sync_to_ip; - - /* xml will hold the sections to sync. */ + /* XML will hold the sections to sync. */ $xml = array(); $xml['checkmk'] = $config['installedpackages']['checkmk']; - /* Assemble XMLRPC payload. */ - $params = array( - XML_RPC_encode($password), - XML_RPC_encode($xml) - ); - - /* Set a few variables needed for sync code; borrowed from filter.inc. 
*/ - $url = $synchronizetoip; - log_error("[check_mk-agent] Beginning checkmk XMLRPC sync to {$url}:{$port}."); + $params = array(XML_RPC_encode($password), XML_RPC_encode($xml)); + + /* Set a few variables needed for sync code */ $method = 'pfsense.merge_installedpackages_section_xmlrpc'; $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); @@ -265,17 +311,17 @@ function checkmk_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout) if ($g['debug']) { $cli->setDebug(1); } - /* Send our XMLRPC message and timeout after 250 seconds. */ + /* Send our XMLRPC message and timeout after defined sync timeout value */ $resp = $cli->send($msg, $synctimeout); if (!$resp) { - $error = "[check_mk-agent] A communications error occurred while attempting checkmk XMLRPC sync with {$url}:{$port}."; - log_error($error); + $error = "A communications error occurred while attempting XMLRPC sync with {$url}:{$port}."; + log_error("[check_mk-agent] {$error}"); file_notice("sync_settings", $error, "checkmk Settings Sync", ""); } elseif ($resp->faultCode()) { $cli->setDebug(1); $resp = $cli->send($msg, $synctimeout); - $error = "[check_mk-agent] An error code was received while attempting checkmk XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); - log_error($error); + $error = "An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error("[check_mk-agent] {$error}"); file_notice("sync_settings", $error, "checkmk Settings Sync", ""); } else { log_error("[check_mk-agent] XMLRPC sync successfully completed with {$url}:{$port}."); 
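Review bot: checkmk_do_xmlrpc_sync() only checks that `$protocol` is non-empty before building `"{$protocol}://{$sync_to_ip}"`, and the auto branch of checkmk_sync_on_changes() selects `http` whenever the local web GUI uses it, so the password placed in `$params` can cross the network unencrypted. Restrict the value with `if (!in_array($protocol, array("http", "https"), true)) { log_error(...); return; }` and log a warning when `http` is chosen. Separately, in checkmk_generate_rules() the line `$mk_config = $config['installedpackages']['checkmk']['config'][0];` directly after the `is_array()` guard overwrites the guard's result and should be deleted, and `$natrules` should be initialised to `""` so the function never returns an undefined variable. The hunk ends inside checkmk_do_xmlrpc_sync().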
@@ -286,25 +332,21 @@ function checkmk_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout) $execcmd = "require_once('/usr/local/pkg/checkmk.inc');\n"; $execcmd .= "sync_package_checkmk();"; /* Assemble XMLRPC payload. */ - $params = array( - XML_RPC_encode($password), - XML_RPC_encode($execcmd) - ); + $params = array(XML_RPC_encode($password), XML_RPC_encode($execcmd)); - log_error("[check_mk-agent] XMLRPC reload data {$url}:{$port}."); $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); $cli->setCredentials($username, $password); $resp = $cli->send($msg, $synctimeout); if (!$resp) { - $error = "[check_mk-agent] A communications error occurred while attempting checkmk XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; - log_error($error); + $error = "A communications error occurred while attempting XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + log_error("[check_mk-agent] {$error}"); file_notice("sync_settings", $error, "checkmk Settings Sync", ""); } elseif ($resp->faultCode()) { $cli->setDebug(1); $resp = $cli->send($msg, $synctimeout); - $error = "[check_mk-agent] An error code was received while attempting checkmk XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); - log_error($error); + $error = "An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error("[check_mk-agent] {$error}"); file_notice("sync_settings", $error, "checkmk Settings Sync", ""); } else { log_error("[check_mk-agent] XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); diff --git a/config/checkmk-agent/checkmk.xml b/config/checkmk-agent/checkmk.xml index b24edca7..6ded083c 100644 --- a/config/checkmk-agent/checkmk.xml +++ b/config/checkmk-agent/checkmk.xml 
@@ -42,7 +42,7 @@ ]]> </copyright> <name>checkmk</name> - <version>0.1.5</version> + <version>0.1.6</version> <title>check_mk Agent</title> <include_file>/usr/local/pkg/checkmk.inc</include_file> <additional_files_needed> @@ -63,22 +63,26 @@ <section>Diagnostics</section> <url>/pkg_edit.php?xml=checkmk.xml</url> </menu> + <service> + <name>check_mk</name> + <executable>inetd</executable> + <description>check_mk Agent</description> + </service> <tabs> <tab> - <text>Config</text> + <text>Settings</text> <url>/pkg_edit.php?xml=checkmk.xml</url> <active/> </tab> <tab> - <text>XMLRPC Sync</text> + <text>Sync</text> <url>/pkg_edit.php?xml=checkmk_sync.xml</url> </tab> </tabs> <fields> <field> <type>listtopic</type> - <fieldname>temp</fieldname> - <name>check_mk Agent Configuration</name> + <name>General Settings</name> </field> <field> <fielddescr>Enable check_mk Agent</fielddescr> 
@@ -91,19 +95,29 @@ For reference, see <a href="https://github.com/sileht/check_mk/tree/master/doc">project documentation at GitHub</a>. ]]> </description> - <required/> </field> <field> <fielddescr>Listen Port</fielddescr> <fieldname>checkmkport</fieldname> <type>input</type> <size>10</size> - <description>Enter port to listen on. Leave empty to use Default port 6556.</description> + <default_value>6556</default_value> + <description>Enter port to listen on. (Default: 6556)</description> + <required/> + </field> + <field> + <fielddescr>Listen Interface(s)</fielddescr> + <fieldname>checkmkifaces</fieldname> + <type>interfaces_selection</type> + <size>5</size> + <description>Select interface(s) to listen on.</description> + <hideinterfaceregex>loopback</hideinterfaceregex> + <required/> </field> <field> - <fielddescr>Hosts.allow</fielddescr> + <fielddescr>Hosts Allowed</fielddescr> <fieldname>checkmkhosts</fieldname> - <description>Enter hosts (comma separated) that can communicate with this agent.</description> + <description>Enter an IP address, subnet or alias for host(s) that can communicate with this agent. (Leave empty to allow any host.)</description> <type>input</type> <size>60</size> </field> @@ -111,13 +125,16 @@ <custom_php_install_command> checkmk_install(); </custom_php_install_command> + <custom_php_deinstall_command> + checkmk_deinstall(); + </custom_php_deinstall_command> <custom_php_validation_command> checkmk_validate_input($_POST, $input_errors); </custom_php_validation_command> - <custom_delete_php_command> - sync_package_checkmk(); - </custom_delete_php_command> <custom_php_resync_config_command> sync_package_checkmk(); </custom_php_resync_config_command> + <filter_rules_needed> + checkmk_generate_rules + </filter_rules_needed> </packagegui> diff --git a/config/checkmk-agent/checkmk_sync.xml b/config/checkmk-agent/checkmk_sync.xml index 1165152c..c08d280f 100644 --- a/config/checkmk-agent/checkmk_sync.xml 
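Review bot: The new `checkmkhosts` description makes an empty field mean "allow any host", and `<required/>` is now set on the port and listen interfaces but not on this field, so a save with it left blank appears to open the agent to every host that can reach the selected interfaces. How `checkmk_generate_rules` treats the empty value is not visible in this hunk, so this is inferred from the description text. If fail-open is intended, the help text should say what it means in practice, e.g. `Leave empty to allow any host that can reach the selected interface(s); restrict this when an external interface is selected.` Otherwise consider making the field required.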
+++ b/config/checkmk-agent/checkmk_sync.xml @@ -42,16 +42,16 @@ ]]> </copyright> <name>checkmksync</name> - <version>0.1.4</version> + <version>0.1.6</version> <title>check_mk Agent: Sync</title> <include_file>/usr/local/pkg/checkmk.inc</include_file> <tabs> <tab> - <text>Config</text> + <text>Settings</text> <url>/pkg_edit.php?xml=checkmk.xml</url> </tab> <tab> - <text>XMLRPC Sync</text> + <text>Sync</text> <url>/pkg_edit.php?xml=checkmk_sync.xml</url> <active/> </tab> 
@@ -59,88 +59,91 @@ <fields> <field> <type>listtopic</type> - <fieldname>temp</fieldname> - <name>Enable check_mk configuration sync</name> + <name>XMLRPC Sync</name> </field> <field> - <fielddescr>Sync Option</fielddescr> + <fielddescr>Enable Sync</fielddescr> <fieldname>synconchanges</fieldname> - <description>Automatically sync check_mk configuration changes.</description> + <description> + <![CDATA[ + Select a sync method for check_mk agent.<br/><br/> + <strong>Important:</strong> While using "Sync to host(s) defined below", only sync from host A to B, A to C but <strong>do not</strong> enable XMLRPC sync <b>to</b> A. + This will result in a loop! + ]]> + </description> <type>select</type> <required/> - <default_value>auto</default_value> + <default_value>disabled</default_value> <options> - <option> - <name>Sync to configured system backup server</name> - <value>auto</value> - </option> - <option> - <name>Sync to host(s) defined below</name> - <value>manual</value> - </option> - <option> - <name>Do not sync this package configuration</name> - <value>disabled</value> - </option> + <option><name>Sync to configured system backup server</name><value>auto</value></option> + <option><name>Sync to host(s) defined below</name><value>manual</value></option> + <option><name>Do not sync this package configuration</name><value>disabled</value></option> </options> </field> <field> <fielddescr>Sync Timeout</fielddescr> <fieldname>synctimeout</fieldname> - <description>Select sync max wait time</description> + <description>XMLRPC timeout in seconds.</description> <type>select</type> <required/> <default_value>250</default_value> <options> - <option> - <name>250 seconds (Default)</name> - <value>250</value> - </option> - <option> - <name>120 seconds</name> - <value>120</value> - </option> - <option> - <name>90 seconds</name> - <value>90</value> - </option> - <option> - <name>60 seconds</name> - <value>60</value> - </option> - <option> - <name>30 seconds</name> - 
<value>30</value> - </option> + <option><name>250 seconds (Default)</name><value>250</value></option> + <option><name>120 seconds</name><value>120</value></option> + <option><name>90 seconds</name><value>90</value></option> + <option><name>60 seconds</name><value>60</value></option> + <option><name>30 seconds</name><value>30</value></option> </options> </field> <field> - <fielddescr>Remote Servers</fielddescr> + <fielddescr>Replication Targets</fielddescr> <fieldname>none</fieldname> <type>rowhelper</type> <rowhelper> <rowhelperfield> - <fielddescr>IP Address</fielddescr> + <fielddescr>Enable</fielddescr> + <fieldname>syncdestinenable</fieldname> + <description><![CDATA[Enable this host as a replication target]]></description> + <type>checkbox</type> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Protocol</fielddescr> + <fieldname>syncprotocol</fieldname> + <description><![CDATA[Choose the protocol used to sync with the destination host (HTTP or HTTPS).]]></description> + <type>select</type> + <default_value>HTTP</default_value> + <options> + <option><name>HTTP</name><value>http</value></option> + <option><name>HTTPS</name><value>https</value></option> + </options> + </rowhelperfield> + <rowhelperfield> + <fielddescr>IP Address/Hostname</fielddescr> <fieldname>ipaddress</fieldname> - <description>IP Address of remote server</description> + <description><![CDATA[IP address or hostname of the destination host.]]></description> <type>input</type> - <size>20</size> - <required/> + <size>40</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Port</fielddescr> + <fieldname>syncport</fieldname> + <description><![CDATA[Choose the sync port of the destination host.]]></description> + <type>input</type> + <size>3</size> </rowhelperfield> <rowhelperfield> - <fielddescr>Username</fielddescr> + <fielddescr>Username (admin)</fielddescr> <fieldname>username</fieldname> - <description>Username on remote server</description> + <description><![CDATA[Enter the username 
account for administration.]]></description> <type>input</type> <size>20</size> </rowhelperfield> <rowhelperfield> - <fielddescr>Password</fielddescr> + <fielddescr>Admin Password</fielddescr> <fieldname>password</fieldname> - <description>Password for remote server</description> + <description><![CDATA[Password of the user "admin" on the destination host.]]></description> <type>password</type> <size>20</size> - <required/> </rowhelperfield> </rowhelper> </field> @@ -148,7 +151,4 @@ <custom_php_resync_config_command> checkmk_sync_on_changes(); </custom_php_resync_config_command> - <custom_php_command_before_form> - unset($_POST['temp']); - </custom_php_command_before_form> </packagegui> diff --git a/config/ipguard/ipguard.inc b/config/ipguard/ipguard.inc index 68e08e9f..d51e4fe2 100644 --- a/config/ipguard/ipguard.inc +++ b/config/ipguard/ipguard.inc @@ -31,7 +31,6 @@ require_once("config.inc"); require_once("util.inc"); function ipguard_custom_php_deinstall_command() { - stop_service('ipguard'); unlink_if_exists("/usr/local/etc/rc.d/ipguard.sh"); $files = glob("/usr/local/etc/ipguard_*.conf"); unlink_if_exists($files); @@ -50,8 +49,7 @@ function ipguard_custom_php_write_config() { } if (is_array($config['installedpackages']['ipguard']['config'])) { - // Read config - $new_config=array(); + $new_config = array(); foreach ($config['installedpackages']['ipguard']['config'] as $ipguard) { if ($ipguard['enable'] && $ipguard['interface'] && $ipguard['mac'] && $ipguard['ip']) { $new_config[$ipguard['interface']] .= "{$ipguard['mac']} {$ipguard['ip']} {$ipguard['description']}\n"; @@ -59,8 +57,8 @@ function ipguard_custom_php_write_config() { } } - $start=""; - $stop="pkill -anx ipguard"; + $start = ""; + $stop = "/bin/pkill -anx ipguard"; conf_mount_rw(); /* Create rc script and restart service if ipguard is enabled */ if (count($new_config) > 0 && $ipguard['enable']) { 
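Review bot: The new `syncprotocol` row field sets `<default_value>HTTP</default_value>`, but the option values are lowercase `http` and `https`, so the default presumably matches no option, and the intent it expresses is cleartext transport for a row that carries an admin username and password. Default to TLS instead with `<default_value>https</default_value>`. The field description could also state that HTTP sends the credentials unencrypted. The identical field definition is added in config/ipguard/ipguard_sync.xml (hunk `@@ -62,30 +62,89 @@`).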
@@ -81,13 +79,8 @@ function ipguard_custom_php_write_config() { $iface = convert_friendly_interface_to_real_interface_name($key); $start .= "/usr/local/sbin/ipguard -l /var/log/ipguard_{$key}.log -p /var/run/ipguard_{$key}.pid -f {$conf_file} -u 300 -z {$iface}\n\t"; } - write_rcfile(array( - 'file' => 'ipguard.sh', - 'start' => $start, - 'stop' => $stop - )); + write_rcfile(array('file' => 'ipguard.sh', 'start' => $start, 'stop' => $stop)); restart_service('ipguard'); - } else { /* Otherwise, stop the service and remove rc script */ stop_service('ipguard'); @@ -96,7 +89,6 @@ function ipguard_custom_php_write_config() { } conf_mount_ro(); - /* Sync config with other pfSense servers */ ipguard_sync_on_changes(); } 
@@ -104,64 +96,111 @@ function ipguard_custom_php_write_config() { function ipguard_sync_on_changes() { global $config, $g; - if (is_array($config['installedpackages']['ipguardsync'])) { - if ($config['installedpackages']['ipguardsync']['config'][0]['synconchanges']) { + if (is_array($config['installedpackages']['ipguardsync']['config'])) { + $ipguard_sync = $config['installedpackages']['ipguardsync']['config'][0]; + $synconchanges = $ipguard_sync['synconchanges']; + $synctimeout = $ipguard_sync['synctimeout'] ?: '250'; + switch ($synconchanges) { + case "manual": + if (is_array($ipguard_sync['row'])) { + $rs = $ipguard_sync['row']; + } else { + log_error("[ipguard] XMLRPC sync is enabled but there are no hosts configured as replication targets."); + return; + } + break; + case "auto": + if (is_array($config['hasync'])) { + $system_carp = $config['hasync']; + $rs[0]['ipaddress'] = $system_carp['synchronizetoip']; + $rs[0]['username'] = $system_carp['username']; + $rs[0]['password'] = $system_carp['password']; + $rs[0]['syncdestinenable'] = FALSE; + + // XMLRPC sync is currently only supported over connections using the same protocol and port as this system + if ($config['system']['webgui']['protocol'] == "http") { + $rs[0]['syncprotocol'] = "http"; + $rs[0]['syncport'] = $config['system']['webgui']['port'] ?: '80'; + } else { + $rs[0]['syncprotocol'] = "https"; + $rs[0]['syncport'] = $config['system']['webgui']['port'] ?: '443'; + } + if ($system_carp['synchronizetoip'] == "") { + log_error("[ipguard] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets."); + return; + } else { + $rs[0]['syncdestinenable'] = TRUE; + } + } else { + log_error("[ipguard] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets."); + return; + } + break; + default: + return; + break; + } + if (is_array($rs)) { log_error("[ipguard] XMLRPC sync is starting."); - foreach 
($config['installedpackages']['ipguardsync']['config'] as $rs ) { - foreach ($rs['row'] as $sh) { + foreach ($rs as $sh) { + // Only sync enabled replication targets + if ($sh['syncdestinenable']) { $sync_to_ip = $sh['ipaddress']; + $port = $sh['syncport']; + $username = $sh['username'] ?: 'admin'; $password = $sh['password']; - if ($password && $sync_to_ip) { - ipguard_do_xmlrpc_sync($sync_to_ip, $password); + $protocol = $sh['syncprotocol']; + + $error = ''; + $valid = TRUE; + + if ($password == "") { + $error = "Password parameter is empty. "; + $valid = FALSE; + } + if (!is_ipaddr($sync_to_ip) && !is_hostname($sync_to_ip) && !is_domain($sync_to_ip)) { + $error .= "Misconfigured Replication Target IP Address or Hostname. "; + $valid = FALSE; + } + if (!is_port($port)) { + $error .= "Misconfigured Replication Target Port. "; + $valid = FALSE; + } + if ($valid) { + ipguard_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout); + } else { + log_error("[ipguard] XMLRPC sync with '{$sync_to_ip}' aborted due to the following error(s): {$error}"); } } } - log_error("[ipguard] XMLRPC sync is ending."); + log_error("[ipguard] XMLRPC sync completed."); } - } + } } /* Do the actual XMLRPC sync */ -function ipguard_do_xmlrpc_sync($sync_to_ip, $password) { - global $config, $g; +function ipguard_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout) { + global $config; - if (!$password) { + if ($username == "" || $password == "" || $sync_to_ip == "" || $port == "" || $protocol == "") { + log_error("[ipguard] A required XMLRPC sync parameter (username, password, replication target, port or protocol) is empty ... 
aborting pkg sync"); return; } - if (!$sync_to_ip) { - return; + // Take care of IPv6 literal address + if (is_ipaddrv6($sync_to_ip)) { + $sync_to_ip = "[{$sync_to_ip}]"; } - $username = 'admin'; - $xmlrpc_sync_neighbor = $sync_to_ip; - if ($config['system']['webgui']['protocol'] != "") { - $synchronizetoip = $config['system']['webgui']['protocol']; - $synchronizetoip .= "://"; - } - $port = $config['system']['webgui']['port']; - /* If port is empty, let's rely on the protocol selection */ - if ($port == "") { - if ($config['system']['webgui']['protocol'] == "http") { - $port = "80"; - } else { - $port = "443"; - } - } - $synchronizetoip .= $sync_to_ip; + $url = "{$protocol}://{$sync_to_ip}"; - /* xml will hold the sections to sync */ + /* XML will hold the sections to sync. */ $xml = array(); $xml['ipguard'] = $config['installedpackages']['ipguard']; - /* Assemble XMLRPC payload */ - $params = array( - XML_RPC_encode($password), - XML_RPC_encode($xml) - ); - - /* Set a few variables needed for sync code; borrowed from filter.inc */ - $url = $synchronizetoip; - log_error("Beginning ipguard XMLRPC sync to {$url}:{$port}."); + /* Assemble XMLRPC payload. */ + $params = array(XML_RPC_encode($password), XML_RPC_encode($xml)); + + /* Set a few variables needed for sync code */ $method = 'pfsense.merge_installedpackages_section_xmlrpc'; $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); 
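Review bot: `ipguard_do_xmlrpc_sync` now declares only `global $config;`, but the unchanged `if ($g['debug'])` check in the next hunk still reads `$g`, which is then an undefined local, so client debugging can no longer be switched on from the global setting; keep `global $config, $g;`. Separately, `$protocol` is only tested for being non-empty before it is placed in `$url = "{$protocol}://{$sync_to_ip}"`, while the target address and port are validated in `ipguard_sync_on_changes`. Add the matching check there: `if (!in_array($protocol, array('http', 'https'), true)) { $error .= "Misconfigured Replication Target Protocol. "; $valid = FALSE; }`. In "auto" mode the protocol follows this system's webgui setting, so a firewall whose GUI runs over HTTP sends the sync password unencrypted; a log line for that case would make it visible.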
@@ -169,49 +208,45 @@ function ipguard_do_xmlrpc_sync($sync_to_ip, $password) { if ($g['debug']) { $cli->setDebug(1); } - /* send our XMLRPC message and timeout after 250 seconds */ - $resp = $cli->send($msg, "250"); + /* Send our XMLRPC message and timeout after defined sync timeout value */ + $resp = $cli->send($msg, $synctimeout); if (!$resp) { - $error = "A communications error occurred while attempting ipguard XMLRPC sync with {$url}:{$port}."; - log_error($error); + $error = "A communications error occurred while attempting XMLRPC sync with {$url}:{$port}."; + log_error("[ipguard] {$error}"); file_notice("sync_settings", $error, "ipguard Settings Sync", ""); } elseif ($resp->faultCode()) { $cli->setDebug(1); - $resp = $cli->send($msg, "250"); - $error = "An error code was received while attempting ipguard XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); - log_error($error); + $resp = $cli->send($msg, $synctimeout); + $error = "An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error("[ipguard] {$error}"); file_notice("sync_settings", $error, "ipguard Settings Sync", ""); } else { - log_error("ipguard XMLRPC sync successfully completed with {$url}:{$port}."); + log_error("[ipguard] XMLRPC sync successfully completed with {$url}:{$port}."); } - /* tell ipguard to reload our settings on the destination sync host. */ + /* Tell ipguard to reload our settings on the destination sync host. */ $method = 'pfsense.exec_php'; $execcmd = "require_once('/usr/local/pkg/ipguard.inc');\n"; $execcmd .= "ipguard_custom_php_write_config();"; - /* assemble xmlrpc payload */ - $params = array( - XML_RPC_encode($password), - XML_RPC_encode($execcmd) - ); + /* Assemble XMLRPC payload. 
*/ + $params = array(XML_RPC_encode($password), XML_RPC_encode($execcmd)); - log_error("ipguard XMLRPC reload data {$url}:{$port}."); $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); $cli->setCredentials($username, $password); - $resp = $cli->send($msg, "250"); + $resp = $cli->send($msg, $synctimeout); if (!$resp) { - $error = "A communications error occurred while attempting ipguard XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; - log_error($error); + $error = "A communications error occurred while attempting XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + log_error("[ipguard] {$error}"); file_notice("sync_settings", $error, "ipguard Settings Sync", ""); } elseif ($resp->faultCode()) { $cli->setDebug(1); - $resp = $cli->send($msg, "250"); - $error = "An error code was received while attempting ipguard XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); - log_error($error); + $resp = $cli->send($msg, $synctimeout); + $error = "An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error("[ipguard] {$error}"); file_notice("sync_settings", $error, "ipguard Settings Sync", ""); } else { - log_error("ipguard XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); + log_error("[ipguard] XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); } } diff --git a/config/ipguard/ipguard.priv.inc b/config/ipguard/ipguard.priv.inc new file mode 100644 index 00000000..bfa0e71a --- /dev/null +++ b/config/ipguard/ipguard.priv.inc 
@@ -0,0 +1,41 @@ +<?php +/* + ipguard.priv.inc + part of pfSense (http://www.pfSense.org/) + Copyright (C) 2015 ESF, LLC + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +global $priv_list; + +$priv_list['page-firewall-ipguard'] = array(); +$priv_list['page-firewall-ipguard']['name'] = "WebCfg - Firewall: IPguard package"; +$priv_list['page-firewall-ipguard']['descr'] = "Allow access to IPguard package GUI"; + +$priv_list['page-firewall-ipguard']['match'] = array(); +$priv_list['page-firewall-ipguard']['match'][] = "pkg.php?xml=ipguard.xml*"; +$priv_list['page-firewall-ipguard']['match'][] = "pkg.php?xml=ipguard_sync.xml*"; +$priv_list['page-firewall-ipguard']['match'][] = "pkg_edit.php?xml=ipguard.xml*"; +$priv_list['page-firewall-ipguard']['match'][] = "pkg_edit.php?xml=ipguard_sync.xml*"; + +?> 
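Review bot: `page-firewall-ipguard` grants the sync pages (`pkg.php?xml=ipguard_sync.xml*`, `pkg_edit.php?xml=ipguard_sync.xml*`) together with the main package page, and the sync form holds the admin username and password of each replication target. A separate privilege for the two sync matches, for example `page-firewall-ipguard-sync`, would let an operator manage the MAC/IP list without access to those credentials. As a point of style, the file ends with `?>`, and any whitespace after a closing tag in an include is sent as output; dropping the tag avoids that, here and in config/ladvd/ladvd.priv.inc and config/lcdproc-dev/lcdproc.priv.inc.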
diff --git a/config/ipguard/ipguard.xml b/config/ipguard/ipguard.xml index 2b13e7e0..71ea7fa2 100644 --- a/config/ipguard/ipguard.xml +++ b/config/ipguard/ipguard.xml @@ -42,14 +42,12 @@ ]]> </copyright> <name>ipguard</name> - <version>0.1.1</version> + <version>0.1.3</version> <title>Firewall: IPguard</title> - <description>IPguard MACs/IP</description> <savetext>Save</savetext> <include_file>/usr/local/pkg/ipguard.inc</include_file> <menu> <name>IPguard</name> - <tooltiptext>Tool designed to protect LAN IP address space by ARP spoofing.</tooltiptext> <section>Firewall</section> <url>/pkg.php?xml=ipguard.xml</url> </menu> @@ -65,6 +63,10 @@ <item>https://packages.pfsense.org/packages/config/ipguard/ipguard.inc</item> </additional_files_needed> <additional_files_needed> + <prefix>/etc/inc/priv/</prefix> + <item>https://packages.pfsense.org/packages/config/ipguard/ipguard.priv.inc</item> + </additional_files_needed> + <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <item>https://packages.pfsense.org/packages/config/ipguard/ipguard_sync.xml</item> </additional_files_needed> diff --git a/config/ipguard/ipguard_sync.xml b/config/ipguard/ipguard_sync.xml index 609dd6ca..e477ce3f 100755 --- a/config/ipguard/ipguard_sync.xml +++ b/config/ipguard/ipguard_sync.xml @@ -42,8 +42,8 @@ ]]> </copyright> <name>ipguardsync</name> - <version>0.1.1</version> - <title>IPguard - Sync</title> + <version>0.1.3</version> + <title>Firewall: IPguard: Sync</title> <include_file>/usr/local/pkg/ipguard.inc</include_file> <tabs> <tab> 
@@ -62,30 +62,89 @@ <type>listtopic</type> </field> <field> - <fielddescr>Automatically sync configuration changes</fielddescr> + <fielddescr>Enable Sync</fielddescr> <fieldname>synconchanges</fieldname> - <description>Automatically sync changes to the hosts defined below.</description> - <type>checkbox</type> + <description> + <![CDATA[ + Select a sync method for IPguard.<br/><br/> + <strong>Important:</strong> While using "Sync to host(s) defined below", only sync from host A to B, A to C but <strong>do not</strong> enable XMLRPC sync <b>to</b> A. + This will result in a loop! + ]]> + </description> + <type>select</type> + <required/> + <default_value>disabled</default_value> + <options> + <option><name>Sync to configured system backup server</name><value>auto</value></option> + <option><name>Sync to host(s) defined below</name><value>manual</value></option> + <option><name>Do not sync this package configuration</name><value>disabled</value></option> + </options> </field> <field> - <fielddescr>Remote Server</fielddescr> + <fielddescr>Sync Timeout</fielddescr> + <fieldname>synctimeout</fieldname> + <description>XMLRPC timeout in seconds.</description> + <type>select</type> + <required/> + <default_value>250</default_value> + <options> + <option><name>250 seconds (Default)</name><value>250</value></option> + <option><name>120 seconds</name><value>120</value></option> + <option><name>90 seconds</name><value>90</value></option> + <option><name>60 seconds</name><value>60</value></option> + <option><name>30 seconds</name><value>30</value></option> + </options> + </field> + <field> + <fielddescr>Replication Targets</fielddescr> <fieldname>none</fieldname> <type>rowhelper</type> <rowhelper> - <rowhelperfield> - <fielddescr>IP Address</fielddescr> - <fieldname>ipaddress</fieldname> - <description>IP Address of remote server</description> - <type>input</type> - <size>20</size> - </rowhelperfield> - <rowhelperfield> - <fielddescr>Password</fielddescr> - 
<fieldname>password</fieldname> - <description>Password for remote server.</description> - <type>password</type> - <size>20</size> - </rowhelperfield> + <rowhelperfield> + <fielddescr>Enable</fielddescr> + <fieldname>syncdestinenable</fieldname> + <description><![CDATA[Enable this host as a replication target]]></description> + <type>checkbox</type> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Protocol</fielddescr> + <fieldname>syncprotocol</fieldname> + <description><![CDATA[Choose the protocol used to sync with the destination host (HTTP or HTTPS).]]></description> + <type>select</type> + <default_value>HTTP</default_value> + <options> + <option><name>HTTP</name><value>http</value></option> + <option><name>HTTPS</name><value>https</value></option> + </options> + </rowhelperfield> + <rowhelperfield> + <fielddescr>IP Address/Hostname</fielddescr> + <fieldname>ipaddress</fieldname> + <description><![CDATA[IP address or hostname of the destination host.]]></description> + <type>input</type> + <size>40</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Port</fielddescr> + <fieldname>syncport</fieldname> + <description><![CDATA[Choose the sync port of the destination host.]]></description> + <type>input</type> + <size>3</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Username (admin)</fielddescr> + <fieldname>username</fieldname> + <description><![CDATA[Enter the username account for administration.]]></description> + <type>input</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Admin Password</fielddescr> + <fieldname>password</fieldname> + <description><![CDATA[Password of the user "admin" on the destination host.]]></description> + <type>password</type> + <size>20</size> + </rowhelperfield> </rowhelper> </field> </fields> diff --git a/config/ladvd/ladvd.inc b/config/ladvd/ladvd.inc index da37a1a9..c1d769ab 100644 --- a/config/ladvd/ladvd.inc +++ b/config/ladvd/ladvd.inc 
@@ -36,18 +36,24 @@ require_once("pkg-utils.inc"); function ladvd_resync_config() { global $config; - conf_mount_rw(); - - if (!is_array($config['installedpackages']['ladvd'])) + if (!is_array($config['installedpackages']['ladvd'])) { return; - if (!is_array($config['installedpackages']['ladvd']['config'])) + } + if (!is_array($config['installedpackages']['ladvd']['config'])) { return; + } $ladvd_conf = &$config['installedpackages']['ladvd']['config'][0]; + conf_mount_rw(); /* ladvd is turned off in package settings */ - if (empty($ladvd_conf['enable'])) + if (empty($ladvd_conf['enable'])) { + if (is_service_running("ladvd")) { + stop_service("ladvd"); + } + unlink_if_exists("/usr/local/etc/rc.d/ladvd.sh"); return; + } $cmdline = ""; @@ -98,7 +104,12 @@ function ladvd_resync_config() { ) ); - restart_service("ladvd"); + if (is_service_running("ladvd")) { + restart_service("ladvd"); + } else { + start_service("ladvd"); + } + sleep(1); conf_mount_ro(); } diff --git a/config/ladvd/ladvd.priv.inc b/config/ladvd/ladvd.priv.inc new file mode 100644 index 00000000..5dd30d44 --- /dev/null +++ b/config/ladvd/ladvd.priv.inc 
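Review bot: The new disabled branch in `ladvd_resync_config` returns after `conf_mount_rw()` without the matching `conf_mount_ro()`, which the function only calls at its end (second hunk). Moving `conf_mount_rw()` below the two `is_array` guards fixes those returns, but this one still leaves the mount state unbalanced; add `conf_mount_ro();` before the `return;` inside `if (empty($ladvd_conf['enable']))`. The part of the function between the two hunks is not visible, so any other early return there should be checked the same way.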
@@ -0,0 +1,43 @@ +<?php +/* + ladvd.priv.inc + part of pfSense (http://www.pfSense.org/) + Copyright (C) 2015 ESF, LLC + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ +global $priv_list; + +$priv_list['page-services-ladvd'] = array(); +$priv_list['page-services-ladvd']['name'] = "WebCfg - Services: ladvd"; +$priv_list['page-services-ladvd']['descr'] = "Allow access to ladvd package GUI"; +$priv_list['page-services-ladvd']['match'] = array(); +$priv_list['page-services-ladvd']['match'][] = "pkg_edit.php?xml=ladvd.xml*"; + +$priv_list['page-services-ladvd-status'] = array(); +$priv_list['page-services-ladvd-status']['name'] = "WebCfg - Status: ladvd"; +$priv_list['page-services-ladvd-status']['descr'] = "Allow access to ladvd status page"; +$priv_list['page-services-ladvd-status']['match'] = array(); +$priv_list['page-services-ladvd-status']['match'][] = "status_ladvd.php*"; + +?> diff --git a/config/ladvd/ladvd.xml b/config/ladvd/ladvd.xml index 5862afca..42c6485e 100644 --- a/config/ladvd/ladvd.xml +++ b/config/ladvd/ladvd.xml @@ -44,17 +44,19 @@ </copyright> <description>Link Layer Discovery Protocol</description> <name>LADVD</name> - <version>1.0.4.2</version> + <version>1.0.4.3</version> <category>Network Management</category> <title>Services: LADVD</title> - <savetext>Save</savetext> <include_file>/usr/local/pkg/ladvd.inc</include_file> - <aftersaveredirect>/pkg_edit.php?xml=ladvd.xml&id=0</aftersaveredirect> <additional_files_needed> <item>https://packages.pfsense.org/packages/config/ladvd/ladvd.inc</item> <prefix>/usr/local/pkg/</prefix> </additional_files_needed> <additional_files_needed> + <item>https://packages.pfsense.org/packages/config/ladvd/ladvd.priv.inc</item> + <prefix>/etc/inc/priv/</prefix> + </additional_files_needed> + <additional_files_needed> <prefix>/usr/local/www/</prefix> <item>https://packages.pfsense.org/packages/config/ladvd/status_ladvd.php</item> </additional_files_needed> 
@@ -62,7 +64,7 @@ <name>LADVD</name> <tooltiptext>Modify LADVD settings.</tooltiptext> <section>Services</section> - <url>/pkg_edit.php?xml=ladvd.xml&id=0</url> + <url>/pkg_edit.php?xml=ladvd.xml</url> </menu> <menu> <name>LADVD Status</name> @@ -74,12 +76,12 @@ <name>ladvd</name> <rcfile>ladvd.sh</rcfile> <executable>ladvd</executable> - <description>Send and decode link layer advertisements.</description> + <description>Link Layer Discovery Protocol Daemon</description> </service> <tabs> <tab> <text>General</text> - <url>/pkg_edit.php?xml=ladvd.xml&id=0</url> + <url>/pkg_edit.php?xml=ladvd.xml</url> <active/> </tab> <tab> @@ -89,7 +91,7 @@ </tabs> <fields> <field> - <fielddescr>Enable ladvd</fielddescr> + <fielddescr>Enable</fielddescr> <fieldname>enable</fieldname> <description>Enable or disable ladvd.</description> <enablefields>iface_array[],autoenable,silent,management,location,lldp,cdp,edp,ndp</enablefields> @@ -105,7 +107,7 @@ <description>Select the interfaces that LADVD will bind to. You can use the CTRL or COMMAND key to select multiple interfaces.</description> </field> <field> - <fielddescr>Auto-enable protocols</fielddescr> + <fielddescr>Auto-Enable Protocols</fielddescr> <fieldname>autoenable</fieldname> <description>Auto-enable protocols based on received packets (also enables receive mode).</description> <type>checkbox</type> @@ -113,11 +115,11 @@ <field> <fielddescr>Silent</fielddescr> <fieldname>silent</fieldname> - <description>Silent, don't transmit packets.</description> + <description>Silent mode, do not transmit packets.</description> <type>checkbox</type> </field> <field> - <fielddescr>Management interfaces</fielddescr> + <fielddescr>Management Interfaces</fielddescr> <fieldname>management</fieldname> <value>lan</value> <type>interfaces_selection</type> 
@@ -151,7 +153,7 @@ <field> <fielddescr>Enable NDP</fielddescr> <fieldname>ndp</fieldname> - <description>Enable NDP (Nortel Discovery Protocol) formerly called SynOptics Network Management Protocol (SONMP).</description> + <description>Enable NDP (Nortel Discovery Protocol); formerly called SynOptics Network Management Protocol (SONMP).</description> <type>checkbox</type> </field> </fields> diff --git a/config/lcdproc-dev/lcdproc.priv.inc b/config/lcdproc-dev/lcdproc.priv.inc new file mode 100644 index 00000000..6b2c061f --- /dev/null +++ b/config/lcdproc-dev/lcdproc.priv.inc 
@@ -0,0 +1,40 @@
+<?php
+/*
+ lcdproc.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-services-lcdproc'] = array();
+$priv_list['page-services-lcdproc']['name'] = "WebCfg - Services: LCDproc package";
+$priv_list['page-services-lcdproc']['descr'] = "Allow access to LCDproc package GUI";
+$priv_list['page-services-lcdproc']['match'] = array();
+$priv_list['page-services-lcdproc']['match'][] = "pkg.php?xml=lcdproc.xml*";
+$priv_list['page-services-lcdproc']['match'][] = "pkg.php?xml=lcdproc_screens.xml*";
+$priv_list['page-services-lcdproc']['match'][] = "pkg_edit.php?xml=lcdproc.xml*";
+$priv_list['page-services-lcdproc']['match'][] = "pkg_edit.php?xml=lcdproc_screens.xml*";
+
+?>
diff --git a/config/lcdproc-dev/lcdproc.xml b/config/lcdproc-dev/lcdproc.xml index ce62cb5c..e5915e69 100644 --- a/config/lcdproc-dev/lcdproc.xml +++ b/config/lcdproc-dev/lcdproc.xml @@ -45,31 +45,35 @@ </copyright> <title>Services: LCDproc</title> <name>lcdproc</name> - <version>0.9.13</version> + <version>0.9.15</version> <savetext>Save</savetext> <include_file>/usr/local/pkg/lcdproc.inc</include_file> <tabs> <tab> <text>Server</text> - <url>/pkg_edit.php?xml=lcdproc.xml&id=0</url> + <url>/pkg_edit.php?xml=lcdproc.xml</url> <active/> </tab> <tab> <text>Screens</text> - <url>/pkg_edit.php?xml=lcdproc_screens.xml&id=0</url> + <url>/pkg_edit.php?xml=lcdproc_screens.xml</url> </tab> </tabs> <menu> <name>LCDproc</name> <tooltiptext>Set LCDproc settings such as display driver and COM port.</tooltiptext> <section>Services</section> - <url>/pkg_edit.php?xml=lcdproc.xml&id=0</url> + <url>/pkg_edit.php?xml=lcdproc.xml</url> </menu> <additional_files_needed> <item>https://packages.pfsense.org/packages/config/lcdproc-dev/lcdproc.inc</item> <prefix>/usr/local/pkg/</prefix> </additional_files_needed> <additional_files_needed> + <item>https://packages.pfsense.org/packages/config/lcdproc-dev/lcdproc.priv.inc</item> + <prefix>/etc/inc/priv/</prefix> + </additional_files_needed> + <additional_files_needed> <item>https://packages.pfsense.org/packages/config/lcdproc-dev/lcdproc_screens.xml</item> <prefix>/usr/local/pkg/</prefix> </additional_files_needed> diff --git a/config/lcdproc-dev/lcdproc_screens.xml b/config/lcdproc-dev/lcdproc_screens.xml index c3ba7aa1..ca2b0f87 100644 --- a/config/lcdproc-dev/lcdproc_screens.xml +++ b/config/lcdproc-dev/lcdproc_screens.xml 
@@ -44,18 +44,18 @@ ]]> </copyright> <title>Services: LCDproc: Screens</title> - <name>lcdproc_screens</name> - <version>0.9.13</version> + <name>lcdprocscreens</name> + <version>0.9.15</version> <savetext>Save</savetext> <include_file>/usr/local/pkg/lcdproc.inc</include_file> <tabs> <tab> <text>Server</text> - <url>/pkg_edit.php?xml=lcdproc.xml&id=0</url> + <url>/pkg_edit.php?xml=lcdproc.xml</url> </tab> <tab> <text>Screens</text> - <url>/pkg_edit.php?xml=lcdproc_screens.xml&id=0</url> + <url>/pkg_edit.php?xml=lcdproc_screens.xml</url> <active/> </tab> </tabs> @@ -63,7 +63,7 @@ <name>LCDproc</name> <tooltiptext>Set LCDproc settings such as display driver and COM port.</tooltiptext> <section>Services</section> - <url>/pkg_edit.php?xml=lcdproc.xml&id=0</url> + <url>/pkg_edit.php?xml=lcdproc.xml</url> </menu> <fields> <field> diff --git a/config/lcdproc/lcdproc.priv.inc b/config/lcdproc/lcdproc.priv.inc new file mode 100644 index 00000000..6b2c061f --- /dev/null +++ b/config/lcdproc/lcdproc.priv.inc 
@@ -0,0 +1,40 @@
+<?php
+/*
+ lcdproc.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-services-lcdproc'] = array();
+$priv_list['page-services-lcdproc']['name'] = "WebCfg - Services: LCDproc package";
+$priv_list['page-services-lcdproc']['descr'] = "Allow access to LCDproc package GUI";
+$priv_list['page-services-lcdproc']['match'] = array();
+$priv_list['page-services-lcdproc']['match'][] = "pkg.php?xml=lcdproc.xml*";
+$priv_list['page-services-lcdproc']['match'][] = "pkg.php?xml=lcdproc_screens.xml*";
+$priv_list['page-services-lcdproc']['match'][] = "pkg_edit.php?xml=lcdproc.xml*";
+$priv_list['page-services-lcdproc']['match'][] = "pkg_edit.php?xml=lcdproc_screens.xml*";
+
+?>
diff --git a/config/lcdproc/lcdproc.xml b/config/lcdproc/lcdproc.xml index 4f109e47..33e61288 100644 --- a/config/lcdproc/lcdproc.xml +++ b/config/lcdproc/lcdproc.xml @@ -45,31 +45,35 @@ </copyright> <title>Services: LCDproc</title> <name>lcdproc</name> - <version>1.0.3</version> + <version>1.0.5</version> <savetext>Save</savetext> <include_file>/usr/local/pkg/lcdproc.inc</include_file> <tabs> <tab> <text>Server</text> - <url>/pkg_edit.php?xml=lcdproc.xml&id=0</url> + <url>/pkg_edit.php?xml=lcdproc.xml</url> <active/> </tab> <tab> <text>Screens</text> - <url>/pkg_edit.php?xml=lcdproc_screens.xml&id=0</url> + <url>/pkg_edit.php?xml=lcdproc_screens.xml</url> </tab> </tabs> <menu> <name>LCDproc</name> <tooltiptext>Set LCDproc settings such as display driver and COM port.</tooltiptext> <section>Services</section> - <url>/pkg_edit.php?xml=lcdproc.xml&id=0</url> + <url>/pkg_edit.php?xml=lcdproc.xml</url> </menu> <additional_files_needed> <item>https://packages.pfsense.org/packages/config/lcdproc/lcdproc.inc</item> <prefix>/usr/local/pkg/</prefix> </additional_files_needed> <additional_files_needed> + <item>https://packages.pfsense.org/packages/config/lcdproc/lcdproc.priv.inc</item> + <prefix>/etc/inc/priv/</prefix> + </additional_files_needed> + <additional_files_needed> <item>https://packages.pfsense.org/packages/config/lcdproc/lcdproc_screens.xml</item> <prefix>/usr/local/pkg/</prefix> </additional_files_needed> diff --git a/config/lcdproc/lcdproc_screens.xml b/config/lcdproc/lcdproc_screens.xml index def770e6..6b6e283b 100644 --- a/config/lcdproc/lcdproc_screens.xml +++ b/config/lcdproc/lcdproc_screens.xml 
@@ -44,18 +44,18 @@ ]]> </copyright> <title>Services: LCDproc: Screens</title> - <name>lcdproc_screens</name> - <version>1.0.3</version> + <name>lcdprocscreens</name> + <version>1.0.5</version> <savetext>Save</savetext> <include_file>/usr/local/pkg/lcdproc.inc</include_file> <tabs> <tab> <text>Server</text> - <url>/pkg_edit.php?xml=lcdproc.xml&id=0</url> + <url>/pkg_edit.php?xml=lcdproc.xml</url> </tab> <tab> <text>Screens</text> - <url>/pkg_edit.php?xml=lcdproc_screens.xml&id=0</url> + <url>/pkg_edit.php?xml=lcdproc_screens.xml</url> <active/> </tab> </tabs> @@ -63,7 +63,7 @@ <name>LCDproc</name> <tooltiptext>Set LCDproc settings such as display driver and COM port.</tooltiptext> <section>Services</section> - <url>/pkg_edit.php?xml=lcdproc.xml&id=0</url> + <url>/pkg_edit.php?xml=lcdproc.xml</url> </menu> <fields> <field> diff --git a/config/mtr-nox11/mtr-nox11.priv.inc b/config/mtr-nox11/mtr-nox11.priv.inc new file mode 100644 index 00000000..22e2488c --- /dev/null +++ b/config/mtr-nox11/mtr-nox11.priv.inc 
@@ -0,0 +1,37 @@
+<?php
+/*
+ mtr-nox11.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-diagnostics-mtr-nox11'] = array();
+$priv_list['page-diagnostics-mtr-nox11']['name'] = "WebCfg - Diagnostics: mtr-nox11";
+$priv_list['page-diagnostics-mtr-nox11']['descr'] = "Allow access to mtr-nox11 package GUI";
+$priv_list['page-diagnostics-mtr-nox11']['match'] = array();
+$priv_list['page-diagnostics-mtr-nox11']['match'][] = "pkg_edit.php?xml=mtr-nox11.xml*";
+
+?>
diff --git a/config/mtr-nox11/mtr-nox11.xml b/config/mtr-nox11/mtr-nox11.xml
index 396e860d..133f61f2 100644
--- a/config/mtr-nox11/mtr-nox11.xml
+++ b/config/mtr-nox11/mtr-nox11.xml
@@ -1,6 +1,6 @@ <?xml version="1.0" encoding="utf-8" ?> -<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> -<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> <copyright> <![CDATA[ @@ -8,7 +8,7 @@ /* ====================================================================================== */ /* mtr-nox11.xml - part of pfSense (http://www.pfSense.com) + part of pfSense (https://www.pfSense.org/) Copyright (C) 2014-2015 ESF, LLC All rights reserved. */ @@ -40,23 +40,21 @@ /* ====================================================================================== */ ]]> </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> <name>mtr</name> - <version>0.85_3</version> + <version>0.85.4</version> <title>Diagnostics: mtr</title> <savetext>Run mtr</savetext> <preoutput>yes</preoutput> - <!-- Invokes a simple input menu and will not update the configuration database. --> <donotsave>true</donotsave> - <!-- Menu is where this packages menu will appear --> <menu> <name>mtr</name> - <tooltiptext>mtr combines the functionality of the "traceroute" and "ping" programs into a single network diagnostic tool</tooltiptext> <section>Diagnostics</section> - <configfile>mtr-nox11.xml</configfile> + <url>/pkg_edit.php?xml=mtr-nox11.xml</url> </menu> + <additional_files_needed> + <prefix>/etc/inc/priv/</prefix> + <item>https://packages.pfsense.org/packages/config/mtr-nox11/mtr-nox11.priv.inc</item> + </additional_files_needed> <fields> <field> <fielddescr>IP or Hostname</fielddescr> 
@@ -70,7 +68,7 @@ <fieldname>count</fieldname> <description>This is the number of pings to send, each one takes 1 second.</description> <type>input</type> - <typehint>(Defaults to 10)</typehint> + <typehint>(Defaults to 10.)</typehint> </field> <field> <fielddescr>No DNS Lookup</fielddescr> @@ -111,8 +109,8 @@ $int_interval = (is_numeric($_POST['interval']) ? (abs(intval($_POST['interval']))) : 1); if (!is_hostname($_POST['hostname']) && !is_ipaddr($_POST['hostname'])) { - echo "<div class=\"errmsg\">ERROR: No valid IP or Hostname given. Fix this and try again!</div>"; - echo "\n<input class=\"formbtn\" type=\"button\" value=\"Back to mtr\" onclick=\"history.back()\">"; + echo "<strong><span class='errmsg'>ERROR:</span> No valid IP or Hostname given. Fix this and try again!</strong>\n"; + echo "\n<input class='formbtn' type='button' value='Back to mtr' onclick='history.back()'>"; die(); } @@ -136,7 +134,7 @@ $mtr_options .= " " . $_POST['hostname']; echo "Running mtr $mtr_options:\n\n"; system("/usr/local/sbin/mtr" . $mtr_options); - echo "\n<input class=\"formbtn\" type=\"button\" value=\"Back to mtr\" onclick=\"history.back()\">"; + echo "\n<input class='formbtn' type='button' value='Back to mtr' onclick='history.back()'>"; ]]> </custom_add_php_command> </packagegui> diff --git a/config/netio/netio.priv.inc b/config/netio/netio.priv.inc new file mode 100644 index 00000000..f07d33dc --- /dev/null +++ b/config/netio/netio.priv.inc 
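Review bot: In the last mtr-nox11.xml hunk, `system("/usr/local/sbin/mtr" . $mtr_options)` still runs a command string built by plain concatenation, with `$_POST['hostname']` appended raw; its only protection is the `is_hostname()`/`is_ipaddr()` check in the earlier hunk. This commit quotes the equivalent netio arguments, so the same pattern fits here: `$mtr_options .= " " . escapeshellarg($_POST['hostname']);`. The rest of `$mtr_options` is assembled outside the hunk, so whether every other option is cast or validated like `$int_interval` should be confirmed there. This matters more now that `mtr-nox11.priv.inc` lets the page be delegated to non-admin users.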
@@ -0,0 +1,43 @@
+<?php
+/*
+ netio.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/ +global $priv_list; + +$priv_list['page-diagnostics-netio-client'] = array(); +$priv_list['page-diagnostics-netio-client']['name'] = "WebCfg - Diagnostics: netio client"; +$priv_list['page-diagnostics-netio-client']['descr'] = "Allow access to netio client GUI"; +$priv_list['page-diagnostics-netio-client']['match'] = array(); +$priv_list['page-diagnostics-netio-client']['match'][] = "pkg_edit.php?xml=netio.xml*"; + +$priv_list['page-diagnostics-netio-server'] = array(); +$priv_list['page-diagnostics-netio-server']['name'] = "WebCfg - Diagnostics: netio server"; +$priv_list['page-diagnostics-netio-server']['descr'] = "Allow access to netio server GUI"; +$priv_list['page-diagnostics-netio-server']['match'] = array(); +$priv_list['page-diagnostics-netio-server']['match'][] = "pkg_edit.php?xml=netioserver.xml*"; + +?> diff --git a/config/netio/netio.xml b/config/netio/netio.xml index 34f188c2..3bb079d8 100644 --- a/config/netio/netio.xml +++ b/config/netio/netio.xml @@ -42,16 +42,21 @@ ]]> </copyright> <name>netio</name> - <version>1.27</version> - <title>netio: Client</title> + <version>1.28</version> + <title>Diagnostics: netio: Client</title> + <savetext>Run netio client</savetext> <preoutput>yes</preoutput> <donotsave>true</donotsave> <menu> <name>netio</name> - <tooltiptext>Run netio in client or server mode.</tooltiptext> <section>Diagnostics</section> - <configfile>netio.xml</configfile> + <url>/pkg_edit.php?xml=netio.xml</url> </menu> + <service> + <name>netio</name> + <executable>netio</executable> + <description>netio Network Throughput Benchmark Server/Client</description> + </service> <tabs> <tab> <text>Client</text> 
@@ -64,6 +69,11 @@ </tab> </tabs> <additional_files_needed> + <prefix>/etc/inc/priv/</prefix> + <item>https://packages.pfsense.org/packages/config/netio/netio.priv.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> <item>https://packages.pfsense.org/packages/config/netio/netioserver.xml</item> </additional_files_needed> <fields> @@ -78,16 +88,17 @@ <fieldname>port</fieldname> <description>Enter the port that netio will connect to. (Default: 18767)</description> <type>input</type> + <default_value>18767</default_value> </field> </fields> <custom_add_php_command> <![CDATA[ mwexec("/usr/bin/killall netio"); - $netio_options = ""; - if ($_POST['port'] != "") { - $netio_options .= " -p {$_POST['port']}"; - $netio_options .= $_POST['hostname']; - system("/usr/local/bin/netio " . $netio_options); + if ($_POST['port'] != "" && $_POST['hostname'] != "") { + $port = escapeshellarg($_POST['port']); + $hostname = escapeshellarg($_POST['hostname']); + $netio_options = "-p {$port} {$hostname}"; + system("/usr/local/bin/netio {$netio_options}"); } ]]> </custom_add_php_command> diff --git a/config/netio/netioserver.xml b/config/netio/netioserver.xml index da73e902..bbe32665 100644 --- a/config/netio/netioserver.xml +++ b/config/netio/netioserver.xml @@ -42,16 +42,11 @@ ]]> </copyright> <name>netioserver</name> - <version>1.27</version> - <title>netio: Server</title> + <version>1.28</version> + <title>Diagnostics: netio: Server</title> + <savetext>Run netio server</savetext> <preoutput>yes</preoutput> <donotsave>true</donotsave> - <menu> - <name>netio</name> - <tooltiptext>Run netio in client or server mode.</tooltiptext> - <section>Diagnostics</section> - <configfile>netio.xml</configfile> - </menu> <tabs> <tab> <text>Client</text> 
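Review bot: In the netio.xml `custom_add_php_command` hunk, `$_POST['port']` and `$_POST['hostname']` are quoted but never validated, so a value beginning with `-` can still be read by netio as an option rather than as a port or host. `escapeshellarg()` only stops shell metacharacters. Validate before building the command, for example `if (is_port($_POST['port']) && (is_hostname($_POST['hostname']) || is_ipaddr($_POST['hostname']))) {`, mirroring the hostname check the mtr-nox11 form applies. The same applies to the port in the netioserver.xml hunk that follows (`system("/usr/local/bin/netio -s -p {$port}")`). The added `<default_value>18767</default_value>` only pre-fills the form and does not constrain what is posted.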
@@ -69,14 +64,15 @@ <fieldname>port</fieldname> <description>Enter the port that netio will bind to. (Default: 18767)</description> <type>input</type> + <default_value>18767</default_value> </field> </fields> <custom_add_php_command> <![CDATA[ mwexec("/usr/bin/killall netio"); - if($_POST['port'] != "") { - $netioserver_options = " -p {$_POST['port']}"; - system("/usr/local/bin/netio -s" . $netioserver_options); + if ($_POST['port'] != "") { + $port = escapeshellarg($_POST['port']); + system("/usr/local/bin/netio -s -p {$port}"); } ]]> </custom_add_php_command> diff --git a/config/notes/notes.priv.inc b/config/notes/notes.priv.inc new file mode 100644 index 00000000..fe4adae4 --- /dev/null +++ b/config/notes/notes.priv.inc 
@@ -0,0 +1,38 @@
+<?php
+/*
+ notes.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-status-notes'] = array();
+$priv_list['page-status-notes']['name'] = "WebCfg - Status: Notes";
+$priv_list['page-status-notes']['descr'] = "Allow access to Notes package GUI";
+$priv_list['page-status-notes']['match'] = array();
+$priv_list['page-status-notes']['match'][] = "pkg.php?xml=notes.xml*";
+$priv_list['page-status-notes']['match'][] = "pkg_edit.php?xml=notes.xml*";
+
+?>
diff --git a/config/notes/notes.xml b/config/notes/notes.xml
index 03c0a01a..d6fb9abf 100644
--- a/config/notes/notes.xml
+++ b/config/notes/notes.xml
@@ -43,23 +43,29 @@ </copyright> <description>Notes</description> <name>Notes</name> - <version>0.2.6</version> - <title>Settings</title> + <version>0.2.8</version> + <title>Status: Notes</title> + <aftersaveredirect>/pkg.php?xml=notes.xml</aftersaveredirect> + <addedit_string>[notes] Successfully created/modified a note.</addedit_string> + <delete_string>[notes] Successfully deleted a note.</delete_string> <menu> <name>Notes</name> - <tooltiptext>Notes.</tooltiptext> <section>Status</section> <configfile>notes.xml</configfile> <url>/pkg.php?xml=notes.xml</url> </menu> <tabs> <tab> - <text>Settings</text> - <url>/pkg_edit.php?xml=notes.xml</url> + <text>Notes</text> + <url>/pkg.php?xml=notes.xml</url> <active/> </tab> </tabs> <configpath>installedpackages->package->$packagename->configuration->notes</configpath> + <additional_files_needed> + <prefix>/etc/inc/priv/</prefix> + <item>https://packages.pfsense.org/packages/config/notes/notes.priv.inc</item> + </additional_files_needed> <adddeleteeditpagefields> <columnitem> <fielddescr>Title</fielddescr> @@ -69,6 +75,9 @@ <fielddescr>Category</fielddescr> <fieldname>category</fieldname> </columnitem> + <addtext>Add a new note</addtext> + <edittext>Edit this note</edittext> + <deletetext>Delete this note</deletetext> </adddeleteeditpagefields> <fields> <field> diff --git a/config/ntop2/ntop.inc b/config/ntop2/ntop.inc new file mode 100644 index 00000000..da017eac --- /dev/null +++ b/config/ntop2/ntop.inc 
@@ -0,0 +1,157 @@ +<?php +/* + ntop.inc + part of pfSense (http://www.pfSense.org/) + Copyright (C) 2011-2013 Jim Pingle + Copyright (C) 2015 ESF, LLC + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ +require_once("pkg-utils.inc"); + +function ntop_php_install_command() { + safe_mkdir("/var/db/ntop/rrd/graphics", 0755); + mwexec("/bin/chmod -R 0755 /var/db/ntop"); + mwexec("/usr/sbin/chown -R nobody:nobody /var/db/ntop"); + mwexec("/bin/cp -Rp /usr/local/lib/X11/fonts/webfonts/ /usr/local/lib/X11/fonts/TTF/"); + ntop_upgrade_config(); +} + +function ntop_php_deinstall_command() { + global $config; + + /* Wipe data and settings if the user does not wish to keep them */ + if (is_array($config['installedpackages']['ntop'])) { + $ntop_config = $config['installedpackages']['ntop']['config'][0]; + } else { + $ntop_config = array(); + } + if ($ntop_config['keepdata'] != "on") { + if (is_dir("/var/db/ntop/")) { + mwexec("rm -rf /var/db/ntop/"); + } + unset($config['installedpackages']['ntop']); + write_config("[ntop] Removed package settings on uninstall."); + log_error(gettext("[ntop] Removed package data and settings since 'Keep Data/Settings' is disabled.")); + } +} + +function ntop_upgrade_config() { + global $config; + /* Fix flipped --no-interface-merge configuration meaning */ + if (is_array($config['installedpackages']['ntop'])) { + if (isset($config['installedpackages']['ntop']['config'][0]['allowmerge'])) { + $config['installedpackages']['ntop']['config'][0]['disallowmerge'] = "on"; + unset($config['installedpackages']['ntop']['config'][0]['allowmerge']); + } + } +} + +function sync_package_ntop() { + global $config, $g; + + if (is_array($config['installedpackages']['ntop'])) { + $ntop_config = $config['installedpackages']['ntop']['config'][0]; + } else { + $ntop_config = array(); + } + conf_mount_rw(); + + /* Just stop services and unlink rc script if disabled */ + if ($ntop_config['enable'] != "on") { + ntop_stop_service(); + unlink_if_exists("/usr/local/etc/rc.d/ntop.sh"); + return; + } + + /* Set up ntop interfaces */ + $ifaces_final = ""; + $first = 0; + $mergeifs = $ntop_config['disallowmerge'] == "on" ? 
"-M" : ""; + + foreach ($ntop_config['interface_array'] as $iface) { + $if = convert_friendly_interface_to_real_interface_name($iface); + if ($if) { + if ($first == 1) { + $ifaces_final .= ","; + } + $ifaces_final .= $if; + $first = 1; + } + } + + $start = "/usr/local/bin/ntop -i {$ifaces_final} -u root -d -4 {$mergeifs} -x 8102 -X 8192 &"; + write_rcfile(array("file" => "ntop.sh", "start" => $start, "stop" => "/usr/bin/killall ntop")); + + /* Set up admin password and (re)start services if not booting */ + if ((function_exists("platform_booting")) && (!platform_booting())) { + ntop_stop_service(); + ntop_set_password(); + start_service("ntop"); + } elseif (!($g['booting'])) { + ntop_stop_service(); + ntop_set_password(); + start_service("ntop"); + } + + conf_mount_ro(); +} + +function ntop_stop_service() { + if (is_service_running("ntop")) { + stop_service("ntop"); + // Wait for ntop to shut down cleanly. + for ($i = 0; $i <= 10; $i++) { + if (!is_process_running("ntop")) { + break; + } + sleep(2); + } + } +} + +function ntop_set_password() { + global $config; + + if (is_array($config['installedpackages']['ntop'])) { + $ntop_config = $config['installedpackages']['ntop']['config'][0]; + } else { + $ntop_config = array(); + } + $ntop_password = $ntop_config['password'] ?: "admin"; + unlink_if_exists("/var/db/ntop/ntop_pw.db"); + mwexec("/usr/local/bin/ntop --set-admin-password={$ntop_password}"); + sleep(2); +} + +function ntop_validate_input($post, &$input_errors) { + if (empty($post['password']) || empty($post['passwordagain'])) { + $input_errors[] = "You must provide (and confirm) ntop's password."; + } + + if ($post['password'] != $post['passwordagain']) { + $input_errors[] = "The provided passwords did not match."; + } +} + +?> diff --git a/config/ntop2/ntop.priv.inc b/config/ntop2/ntop.priv.inc new file mode 100644 index 00000000..e8c80977 --- /dev/null +++ b/config/ntop2/ntop.priv.inc 
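Review bot: In `ntop_set_password()` the admin password is interpolated unquoted into a shell command, `mwexec("/usr/local/bin/ntop --set-admin-password={$ntop_password}")`, so a password containing spaces or shell metacharacters is split or interpreted by the shell instead of being set. Quote it: `mwexec("/usr/local/bin/ntop --set-admin-password=" . escapeshellarg($ntop_password));`. Two related gaps in the same file: the function falls back to the password `admin` when none is configured, and `ntop_validate_input()` checks only that the two fields are non-empty and equal, not the five-character minimum the settings form describes. Passing the password as a command-line argument probably also exposes it in the process list while the command runs; confirm whether ntop offers another way to set it.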
@@ -0,0 +1,37 @@
+<?php
+/*
+ ntop.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-diagnostics-ntop'] = array();
+$priv_list['page-diagnostics-ntop']['name'] = "WebCfg - Diagnostics: ntop package";
+$priv_list['page-diagnostics-ntop']['descr'] = "Allow access to ntop package GUI";
+$priv_list['page-diagnostics-ntop']['match'] = array();
+$priv_list['page-diagnostics-ntop']['match'][] = "pkg_edit.php?xml=ntop.xml*";
+
+?>
diff --git a/config/ntop2/ntop.xml b/config/ntop2/ntop.xml
index 6ba86525..5aab1e53 100644
--- a/config/ntop2/ntop.xml
+++ b/config/ntop2/ntop.xml
@@ -1,28 +1,31 @@ <?xml version="1.0" encoding="utf-8" ?> -<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> -<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> <copyright> <![CDATA[ /* $Id$ */ -/* ========================================================================== */ +/* ====================================================================================== */ /* - authng.xml - part of pfSense (http://www.pfSense.com) - Copyright (C) 2008 Scott Ullrich + ntop.xml + part of pfSense (https://www.pfSense.org/) + Copyright (C) 2011-2013 Jim Pingle + Copyright (C) 2015 ESF, LLC All rights reserved. */ -/* ========================================================================== */ +/* ====================================================================================== */ /* Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 
@@ -35,19 +38,26 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* ========================================================================== */ +/* ====================================================================================== */ ]]> </copyright> <name>ntop</name> - <version>3.0</version> + <version>2.3.2</version> <title>Diagnostics: ntop Settings</title> - <savetext>Change</savetext> - <aftersaveredirect>pkg_edit.php?xml=ntop.xml&id=0</aftersaveredirect> + <include_file>/usr/local/pkg/ntop.inc</include_file> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <item>https://packages.pfsense.org/packages/config/ntop2/ntop.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/etc/inc/priv/</prefix> + <item>https://packages.pfsense.org/packages/config/ntop2/ntop.priv.inc</item> + </additional_files_needed> + <aftersaveredirect>pkg_edit.php?xml=ntop.xml</aftersaveredirect> <menu> <name>ntop Settings</name> - <tooltiptext>Set ntop settings such as password and port.</tooltiptext> <section>Diagnostics</section> - <url>/pkg_edit.php?xml=ntop.xml&id=0</url> + <url>/pkg_edit.php?xml=ntop.xml</url> </menu> <menu> <name>ntop</name> @@ -60,12 +70,12 @@ <name>ntop</name> <rcfile>ntop.sh</rcfile> <executable>ntop</executable> - <description>NTOP bandwidth monitoring/graphing</description> + <description>NTOP Network Traffic Monitor</description> </service> <tabs> <tab> - <text>ntop Settings</text> - <url>/pkg_edit.php?xml=ntop.xml&id=0</url> + <text>Settings</text> + <url>/pkg_edit.php?xml=ntop.xml</url> <active/> </tab> <tab> 
@@ -75,15 +85,37 @@ </tabs> <fields> <field> + <fielddescr>Enable ntop</fielddescr> + <fieldname>enable</fieldname> + <description>Check this to enable ntop.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Keep Data/Settings</fielddescr> + <fieldname>keepdata</fieldname> + <description> + <![CDATA[ + Check this to keep ntop settings, graphs and traffic data. (Default: on)<br /> + <strong><span class="errmsg">Note:</span> If 'Keep Data/Settings' is disabled, all settings and data will be wiped on package uninstall/reinstall/upgrade!</strong> + ]]> + </description> + <type>checkbox</type> + <default_value>on</default_value> + </field> + <field> <fielddescr>ntop Admin Password</fielddescr> <fieldname>password</fieldname> - <description>Enter the password for the NTOP Web GUI. Minimum 5 characters.</description> + <description>Enter the password for the NTOP Web GUI. Minimum 5 characters.</description> <type>password</type> + <required>true</required> + <size>20</size> </field> <field> - <fielddescr>ntop Admin Password AGAIN</fielddescr> + <fielddescr>Confirm ntop Admin Password</fielddescr> <fieldname>passwordagain</fieldname> <type>password</type> + <required>true</required> + <size>20</size> </field> <field> <fielddescr>Interface</fielddescr> 
@@ -92,82 +124,30 @@ <size>3</size> <value>lan</value> <multiple>true</multiple> + <hideinterfaceregex>loopback</hideinterfaceregex> </field> <field> - <fielddescr>Allow merging interfaces<br>(Def: Do not merge)</fielddescr> - <fieldname>allowmerge</fieldname> + <fielddescr>Disallow merging interfaces</fielddescr> + <fieldname>disallowmerge</fieldname> + <description> + <![CDATA[ + By default, traffic information obtained by all the interfaces is merged together as if the traffic was seen by only one interface.<br /> + Use this option to keep traffic separate by interface. (Default: Disabled) + ]]> + </description> <type>checkbox</type> </field> </fields> - <custom_php_global_functions> - <![CDATA[ - function sync_package_ntop() { - conf_mount_rw(); - global $config; - global $input_errors; - if ($_POST) { - $config['installedpackages']['ntop']['config'] = array(); - $config['installedpackages']['ntop']['config'][0] = $_POST; - } - $ntop_config =& $config['installedpackages']['ntop']['config'][0]; - $if_final = ""; - $ifaces_final = ""; - system("/bin/mkdir -p /var/db/ntop"); - system("/bin/mkdir -p /var/db/ntop/rrd"); - system("/bin/mkdir -p /var/db/ntop/rrd/graphics"); - system("/bin/chmod -R 755 /var/db/ntop"); - system("/usr/sbin/chown -R nobody:nobody /var/db/ntop"); - system("/bin/cp -Rp /usr/local/lib/X11/fonts/webfonts/ /usr/local/lib/X11/fonts/TTF/"); - $first = 0; - $mergeifs = ($ntop_config['allowmerge'] == "on") ? "" : "-M"; - foreach($ntop_config['interface_array'] as $iface) { - $if = convert_friendly_interface_to_real_interface_name($iface); - if($if) { - if($first == 1) - $ifaces_final .= ","; - $ifaces_final .= $if; - $first = 1; - } - } - $start = "/usr/local/bin/ntop -i {$ifaces_final} -u root -d -4 {$mergeifs} -x 8102 -X 8192 &"; - write_rcfile(array( - "file" => "ntop.sh", - "start" => $start, - "stop" => "/usr/bin/killall ntop" - ) - ); - if (is_service_running("ntop")) { - stop_service("ntop"); - // Wait for ntop to shut down cleanly. 
- sleep(20); - } - if (empty($ntop_config['password'])) - $ntop_config['password'] = "admin"; - unlink_if_exists("/var/db/ntop/ntop_pw.db"); - exec("/usr/local/bin/ntop --set-admin-password={$ntop_config['password']}"); - sleep(2); - start_service("ntop"); - conf_mount_ro(); - } - ]]> - </custom_php_global_functions> - <custom_add_php_command> - sync_package_ntop(); - </custom_add_php_command> + <custom_php_install_command> + ntop_php_install_command(); + </custom_php_install_command> + <custom_php_deinstall_command> + ntop_php_deinstall_command(); + </custom_php_deinstall_command> <custom_php_resync_config_command> sync_package_ntop(); </custom_php_resync_config_command> - <custom_php_install_command> - sync_package_ntop(); - </custom_php_install_command> <custom_php_validation_command> - <![CDATA[ - if ($_POST) { - if (empty($_POST['password']) || empty($_POST['passwordagain'])) - $input_errors[] = "You must provide (and confirm) ntop's password."; - if ($_POST['password'] != $_POST['passwordagain']) - $input_errors[] = "The provided passwords did not match."; - } - ]]> + ntop_validate_input($_POST, $input_errors); </custom_php_validation_command> </packagegui> diff --git a/config/ntopng/ntopng.inc b/config/ntopng/ntopng.inc index 73db1ab0..92b0c5dd 100644 --- a/config/ntopng/ntopng.inc +++ b/config/ntopng/ntopng.inc @@ -94,6 +94,14 @@ function ntopng_sync_package() { $ifaces = ""; $ntopng_config =& $config['installedpackages']['ntopng']['config'][0]; + + /* Just stop services and unlink rc script if disabled */ + if ($ntopng_config['enable'] != "on") { + ntopng_services_stop(); + unlink_if_exists("/usr/local/etc/rc.d/ntopng.sh"); + return; + } + foreach ($ntopng_config['interface_array'] as $iface) { $if = convert_friendly_interface_to_real_interface_name($iface); if ($if) { 
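Review bot: The new validation hook `ntop_validate_input($_POST, $input_errors);` near the end of this hunk only reports anything if the function in ntop.inc takes its second parameter by reference (`&$input_errors`); ntop.inc is not part of this view, so that needs confirming, otherwise the empty-password and password-mismatch checks that used to be inline are silently lost. The same file now owns `sync_package_ntop()`, so it is also the place to check that the admin password reaches the ntop binary through `escapeshellarg()` rather than being interpolated into the command string. An XML comment above the hook would record the contract: `<!-- implemented in /usr/local/pkg/ntop.inc; must append to $input_errors by reference -->`.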
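Review bot: The early `return;` in the new disabled branch leaves `ntopng_sync_package()` before whatever cleanup the end of the function performs; the function starts and ends outside this hunk, so this is inferred. If the function brackets its work with `conf_mount_rw()` / `conf_mount_ro()`, this path would leave the filesystem writable, and if it does not, `unlink_if_exists("/usr/local/etc/rc.d/ntopng.sh")` may run against a read-only mount. The routed change in this same commit wraps its unlink calls in that pair; doing the same here means `conf_mount_rw();` before the unlink and `conf_mount_ro();` before `return;`.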
@@ -168,19 +176,15 @@ function ntopng_sync_package() { /* Set up admin password */ ntopng_set_redis_password(); - /* Restart services if enabled and not booting */ + /* (Re)start services if not booting */ if ((function_exists("platform_booting")) && (!platform_booting())) { ntopng_services_stop(); - if ($ntopng_config['enable'] == "on") { - start_service("ntopng"); - sleep(20); - } + start_service("ntopng"); + sleep(20); } elseif (!($g['booting'])) { ntopng_services_stop(); - if ($ntopng_config['enable'] == "on") { - start_service("ntopng"); - sleep(20); - } + start_service("ntopng"); + sleep(20); } } diff --git a/config/ntopng/ntopng.priv.inc b/config/ntopng/ntopng.priv.inc new file mode 100644 index 00000000..6db26f02 --- /dev/null +++ b/config/ntopng/ntopng.priv.inc 
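Review bot: With the `enable` test removed, the two arms of the boot check are now identical, and the `elseif (!($g['booting']))` arm is also reached when `platform_booting()` exists and returns true, so on a system where `$g['booting']` is unset the service would be restarted during boot. Computing the flag once removes both the duplication and that path: `$booting = function_exists("platform_booting") ? platform_booting() : !empty($g['booting']);` followed by a single `if (!$booting) { ntopng_services_stop(); start_service("ntopng"); sleep(20); }`. The function body starts outside this hunk.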
@@ -0,0 +1,37 @@
+<?php
+/*
+ ntopng.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-diagnostics-ntopng'] = array();
+$priv_list['page-diagnostics-ntopng']['name'] = "WebCfg - Diagnostics: ntopng package";
+$priv_list['page-diagnostics-ntopng']['descr'] = "Allow access to ntopng package GUI";
+$priv_list['page-diagnostics-ntopng']['match'] = array();
+$priv_list['page-diagnostics-ntopng']['match'][] = "pkg_edit.php?xml=ntopng.xml*";
+
+?>
diff --git a/config/ntopng/ntopng.xml b/config/ntopng/ntopng.xml
index ee1a4d3e..9cd51aea 100644
--- a/config/ntopng/ntopng.xml
+++ b/config/ntopng/ntopng.xml
@@ -39,13 +39,17 @@ ]]> </copyright> <name>ntopng</name> - <version>0.8.0</version> + <version>0.8.2</version> <title>Diagnostics: ntopng Settings</title> <include_file>/usr/local/pkg/ntopng.inc</include_file> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <item>https://packages.pfsense.org/packages/config/ntopng/ntopng.inc</item> </additional_files_needed> + <additional_files_needed> + <prefix>/etc/inc/priv/</prefix> + <item>https://packages.pfsense.org/packages/config/ntopng/ntopng.priv.inc</item> + </additional_files_needed> <aftersaveredirect>pkg_edit.php?xml=ntopng.xml</aftersaveredirect> <menu> <name>ntopng Settings</name> diff --git a/config/nut/nut.priv.inc b/config/nut/nut.priv.inc new file mode 100644 index 00000000..44cb7402 --- /dev/null +++ b/config/nut/nut.priv.inc 
@@ -0,0 +1,40 @@
+<?php
+/*
+ nut.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-services-nut'] = array();
+$priv_list['page-services-nut']['name'] = "WebCfg - Services: NUT package";
+$priv_list['page-services-nut']['descr'] = "Allow access to NUT package GUI";
+
+$priv_list['page-services-nut']['match'] = array();
+$priv_list['page-services-nut']['match'][] = "pkg_edit.php?xml=nut.xml*";
+$priv_list['page-services-nut']['match'][] = "status_nut.php*";
+$priv_list['page-services-nut']['match'][] = "ups_status.widget.php*";
+
+?>
diff --git a/config/nut/nut.xml b/config/nut/nut.xml
index e066bc83..061a77de 100644
--- a/config/nut/nut.xml
+++ b/config/nut/nut.xml
@@ -41,7 +41,7 @@ ]]> </copyright> <name>nut</name> - <version>2.1.1</version> + <version>2.1.2</version> <title>Services: NUT</title> <savetext>Change</savetext> <aftersaveredirect>/status_nut.php</aftersaveredirect> @@ -65,7 +65,7 @@ </tab> <tab> <text>NUT Settings</text> - <url>/pkg_edit.php?xml=nut.xml&id=0</url> + <url>/pkg_edit.php?xml=nut.xml</url> <active/> </tab> </tabs> @@ -74,6 +74,10 @@ <item>https://packages.pfsense.org/packages/config/nut/nut.inc</item> </additional_files_needed> <additional_files_needed> + <prefix>/etc/inc/priv/</prefix> + <item>https://packages.pfsense.org/packages/config/nut/nut.priv.inc</item> + </additional_files_needed> + <additional_files_needed> <prefix>/usr/local/www/</prefix> <item>https://packages.pfsense.org/packages/config/nut/status_nut.php</item> </additional_files_needed> diff --git a/config/phpsysinfo/phpsysinfo.inc b/config/phpsysinfo/phpsysinfo.inc deleted file mode 100644 index 54ece241..00000000 --- a/config/phpsysinfo/phpsysinfo.inc +++ /dev/null 
@@ -1,156 +0,0 @@ -<?php -function phpsysinfo_install_deinstall() { - conf_mount_rw(); - exec("cd /var/db/pkg/ && pkg_delete `ls | grep mbmon`"); - exec("rm -d -R /usr/local/www/phpsysinfo"); - conf_mount_ro(); -} - -function phpsysinfo_install_config() { -global $config, $g; - conf_mount_rw(); - exec("cd .."); - exec("tar -zxovf /usr/local/pkg/phpsysinfo-2.5.4.tar.gz"); - exec("mv phpsysinfo /usr/local/www/phpsysinfo"); - -// link shared libraries -// if ((!file_exists("/lib/libm.so.4")) AND (file_exists("/lib/libm.so.5"))) { -// exec("ln -s /lib/libm.so.5 /lib/libm.so.4"); -// } - - /* lines need in config.php */ -$default_lng = en; -$default_template= pfSense; -$hide_picklist = "false"; -$show_vhostname = "false"; -$sensor_program = '""'; -$show_mount_point = "false"; -$show_inodes = "false"; -$hide_mounts = "array()"; -$hide_fstypes = "array()"; -$loadbar = "false"; -$showerrors = "false"; -$temperatureformat = '"c-f"'; -$hide_picklist = $config['installedpackages']['phpsysinfo']['config'][0]['hidepicklist']; -if($hide_picklist) - $hide_picklist = "true"; - else - $hide_picklist = "false"; - $sensor_program = $config['installedpackages']['phpsysinfo']['config'][0]['sensorprogram']; -if($sensor_program) - $sensor_program= "mbmon"; - else - $sensor_program = '""'; - $show_mount_point = $config['installedpackages']['phpsysinfo']['config'][0]['showmountpoint']; -if($show_mount_point) - $show_mount_point = "true"; - else - $show_mount_point = "false"; - $hide_fstypes = $config['installedpackages']['phpsysinfo']['config'][0]['hidefstypes']; -if($hide_fstypes) - $hide_fstypes = "$hide_fstypes"; - $show_inodes = $config['installedpackages']['phpsysinfo']['config'][0]['showinodes']; -if($show_inodes) - $show_inodes = "true"; - else - $show_inodes = "false"; - $loadbar = $config['installedpackages']['phpsysinfo']['config'][0]['loadbar']; -if($loadbar) - $loadbar = "true"; - else - $loadbar = "false"; - $showerrors = 
$config['installedpackages']['phpsysinfo']['config'][0]['showerrors']; -if($showerrors) - $showerrors = "true"; - else - $showerrors = "false"; - $hf = fopen("/usr/local/www/phpsysinfo/config.php","w"); -if(!$hf) { - log_error("could not open /usr/local/www/phpsysinfo/config.php for writing"); -exit; -} - -fwrite($hf, '<?php'); -fwrite($hf, "\n"); -// webpath but not used -fwrite($hf, '$webpath = "";'); -fwrite($hf, "\n"); -// define the default lang and template here -fwrite($hf, '$default_lng='); -fwrite($hf, "'"); -fwrite($hf, $default_lng); -fwrite($hf, "'"); -fwrite($hf, ';'); -fwrite($hf, "\n"); -fwrite($hf, '$default_template='); -fwrite($hf, "'"); -fwrite($hf, $default_template); -fwrite($hf, "'"); -fwrite($hf, ';'); -fwrite($hf, "\n"); -// hide language and template picklist -// false = display picklist -// true = do not display picklist -fwrite($hf, '$hide_picklist = '); -fwrite($hf, $hide_picklist); -fwrite($hf, ';'); -fwrite($hf, "\n"); -// display the virtual host name and address -// default is canonical host name and address -fwrite($hf, '$show_vhostname = '); -fwrite($hf, $show_vhostname); -fwrite($hf, ';'); -fwrite($hf, "\n"); -// define the motherboard monitoring program here -fwrite($hf, '$sensor_program = '); -fwrite($hf, $sensor_program); -fwrite($hf, ';'); -fwrite($hf, "\n"); -// show mount point -fwrite($hf, '$show_mount_point = '); -fwrite($hf, $show_mount_point); -fwrite($hf, ';'); -fwrite($hf, "\n"); -// show bind -fwrite($hf, '$show_bind = false;'); -fwrite($hf, "\n"); -// show inode usage -fwrite($hf, '$show_inodes = '); -fwrite($hf, $show_inodes); -fwrite($hf, ';'); -fwrite($hf, "\n"); -// show inode usage -fwrite($hf, '$hide_mounts = '); -fwrite($hf, $hide_mounts); -fwrite($hf, ';'); -fwrite($hf, "\n"); -// Hide filesystem typess. 
Example: 'tmpfs', 'usbfs' -fwrite($hf, '$hide_fstypes = array('); -fwrite($hf, $hide_fstypes); -fwrite($hf, ');'); -fwrite($hf, "\n"); -// show a graph for current cpuload -fwrite($hf, '$loadbar = '); -fwrite($hf, $loadbar); -fwrite($hf, ';'); -fwrite($hf, "\n"); -// e.g. $addpaths = array('/opt/bin', '/opt/sbin'); -fwrite($hf, '$addpaths = array();'); -fwrite($hf, "\n"); -// display error messages at the top of the page -fwrite($hf, '$showerrors = '); -fwrite($hf, $showerrors); -fwrite($hf, ';'); -fwrite($hf, "\n"); -// format in which temperature is displayed -fwrite($hf, '$temperatureformat = '); -fwrite($hf, $temperatureformat); -fwrite($hf, ';'); -fwrite($hf, "\n"); -// The end of the config file -fwrite($hf, '?>'); -fwrite($hf, "\n"); -fclose($hf); - conf_mount_ro(); -} -?> diff --git a/config/phpsysinfo/phpsysinfo.xml b/config/phpsysinfo/phpsysinfo.xml deleted file mode 100644 index 550c0785..00000000 --- a/config/phpsysinfo/phpsysinfo.xml +++ /dev/null 
@@ -1,121 +0,0 @@ -<?xml version="1.0" encoding="utf-8" ?> -<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> -<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> -<packagegui> - <copyright> - <![CDATA[ -/* $Id$ */ -/* ========================================================================== */ -/* - authng.xml - part of pfSense (http://www.pfSense.com) - Copyright (C) 2007 to whom it may belong - All rights reserved. - - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ -/* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. 
- */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> - <name>phpsysinfo</name> - <version>1.0</version> - <title>phpsysinfo</title> - <aftersaveredirect>/pkg_edit.php?xml=phpsysinfo.xml&id=0</aftersaveredirect> - <include_file>/usr/local/pkg/phpsysinfo.inc</include_file> - <menu> - <name>phpsysinfo</name> - <tooltiptext></tooltiptext> - <section>Status</section> - <url>/pkg_edit.php?xml=phpsysinfo.xml&id=0</url> - </menu> - <tabs> - <tab> - <text>phpsysinfo</text> - <url>/pkg_edit.php?xml=phpsysinfo.xml&id=0</url> - <active/> - </tab> - <tab> - <text>Access phpsysinfo</text> - <url>/phpsysinfo</url> - </tab> - </tabs> - <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0644</chmod> - <item>https://packages.pfsense.org/packages/config/phpsysinfo/phpsysinfo.inc</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0644</chmod> - <item>https://files.pfsense.org/packages/phpsysinfo-2.5.4.tar.gz</item> - </additional_files_needed> - <fields> - <field> - <fielddescr>Hide picklist</fielddescr> - <fieldname>hidepicklist</fieldname> - <description>Hide language and template picklist</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Show mbmon</fielddescr> - <fieldname>sensorprogram</fieldname> - <description>Define the motherboard monitoring program here. 
Note that not all motherboards are supported and some only partly.</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Show mount point</fielddescr> - <fieldname>showmountpoint</fieldname> - <description>Show mount point</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Show inodes</fielddescr> - <fieldname>showinodes</fieldname> - <description>Show inode usage</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Show loadbar</fielddescr> - <fieldname>loadbar</fieldname> - <description>Show a graph for current cpuload</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Show errors</fielddescr> - <fieldname>showerrors</fieldname> - <description>Display error messages at the top of the page. Note that vmstat is added in 1.0.1-SNAPSHOT-03-15-2007 and later</description> - <type>checkbox</type> - </field> - </fields> - <custom_php_resync_config_command>phpsysinfo_install_config();</custom_php_resync_config_command> - <custom_php_install_command>phpsysinfo_install_config();</custom_php_install_command> - <custom_php_deinstall_command>phpsysinfo_install_deinstall();</custom_php_deinstall_command> -</packagegui> diff --git a/config/routed/routed.inc b/config/routed/routed.inc index 3bcef0aa..c83b0052 100644 --- a/config/routed/routed.inc +++ b/config/routed/routed.inc @@ -29,7 +29,6 @@ */ function setup_routed() { global $config; - $gw = ""; if (!is_array($config['installedpackages']['routed'])) { return; @@ -37,6 +36,10 @@ function setup_routed() { if (!is_array($config['installedpackages']['routed']['config'])) { return; } + + $gw = ""; + conf_mount_rw(); + if (isset($config['installedpackages']['routed']['config'][0]['enable']) && $config['installedpackages']['routed']['config'][0]['enable'] == "on") { /* if user selected individual interfaces */ 
@@ -55,21 +58,30 @@ function setup_routed() { /* setup for all interfaces */ $gw = setup_etc_gateways(); } - conf_mount_rw(); file_put_contents("/etc/gateways", $gw); - conf_mount_ro(); - restart_service("routed"); + routed_write_rcfile(); + if (is_service_running("routed")) { + restart_service("routed"); + } else { + start_service("routed"); + } } else { - stop_service("routed"); + if (is_service_running("routed")) { + stop_service("routed"); + } + unlink_if_exists("/etc/gateways"); + unlink_if_exists("/usr/local/etc/rc.d/routed.sh"); } + + conf_mount_ro(); } -function setup_etc_gateways($iface="", $mode="") { +function setup_etc_gateways($iface = "", $mode = "") { global $config; $ret = ""; if ($iface != "") { - $realif=convert_friendly_interface_to_real_interface_name($iface); + $realif = convert_friendly_interface_to_real_interface_name($iface); if (!empty($realif)) { $ret = "if={$realif} "; } @@ -104,7 +116,7 @@ function setup_etc_gateways($iface="", $mode="") { return $ret; } -function routed_install_command() { +function routed_write_rcfile() { write_rcfile(array( "file" => "routed.sh", "start" => "/usr/bin/nohup /sbin/routed > /dev/null 2>&1 &", @@ -114,7 +126,7 @@ function routed_install_command() { } function routed_deinstall_command() { - stop_service("routed"); + unlink_if_exists("/etc/gateways"); unlink_if_exists("/usr/local/etc/rc.d/routed.sh"); } diff --git a/config/routed/routed.priv.inc b/config/routed/routed.priv.inc new file mode 100644 index 00000000..f0068f81 --- /dev/null +++ b/config/routed/routed.priv.inc 
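Review bot: `file_put_contents("/etc/gateways", $gw);` in the enabled branch is neither checked nor given a file mode, and routed is (re)started regardless of whether the write succeeded. If `setup_etc_gateways()` (only partly visible here) emits `passwd=` or `md5_passwd=` entries, the file holds RIP authentication secrets and should be owner-only; as far as I recall routed(8) also honours password settings only when /etc/gateways is readable solely by UID 0, which is worth confirming for the target FreeBSD release. Suggested: `if (file_put_contents("/etc/gateways", $gw) === false) { log_error("[routed] could not write /etc/gateways"); }` followed by `chmod("/etc/gateways", 0600);`. setup_routed() starts outside this hunk.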
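Review bot: `routed_deinstall_command()` no longer calls `stop_service("routed")` and still deletes `/usr/local/etc/rc.d/routed.sh`, so unless the package framework stops the service before this hook runs, the daemon keeps running and exchanging RIP routes after the package is removed, with no rc script left to stop it. Keeping the guarded form that `setup_routed()` uses in this commit would be consistent: `if (is_service_running("routed")) { stop_service("routed"); }` ahead of the two `unlink_if_exists()` calls. If the framework is known to stop services first, a one-line comment saying so in the function would be enough.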
@@ -0,0 +1,38 @@
+<?php
+/*
+ routed.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-services-routed'] = array();
+$priv_list['page-services-routed']['name'] = "WebCfg - Services: Routed";
+$priv_list['page-services-routed']['descr'] = "Allow access to routed package GUI";
+$priv_list['page-services-routed']['match'] = array();
+$priv_list['page-services-routed']['match'][] = "pkg.php?xml=routed.xml*";
+$priv_list['page-services-routed']['match'][] = "pkg_edit.php?xml=routed.xml*";
+
+?>
diff --git a/config/routed/routed.xml b/config/routed/routed.xml
index b38d7ee3..960cf83b 100644
--- a/config/routed/routed.xml
+++ b/config/routed/routed.xml
@@ -42,17 +42,23 @@ ]]> </copyright> <name>routed</name> - <version>1.2</version> + <version>1.2.2</version> <title>Services: RIP</title> <include_file>/usr/local/pkg/routed.inc</include_file> + <aftersaveredirect>pkg_edit.php?xml=routed.xml</aftersaveredirect> <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> <item>https://packages.pfsense.org/packages/config/routed/routed.inc</item> </additional_files_needed> + <additional_files_needed> + <prefix>/etc/inc/priv/</prefix> + <item>https://packages.pfsense.org/packages/config/routed/routed.priv.inc</item> + </additional_files_needed> <menu> <name>RIP</name> <section>Services</section> <configfile>routed.xml</configfile> - <url>pkg_edit.php?xml=routed.xml&id=0</url> + <url>pkg_edit.php?xml=routed.xml</url> </menu> <service> <name>routed</name> @@ -117,13 +123,9 @@ <type>checkbox</type> </field> </fields> - <aftersaveredirect>pkg_edit.php?xml=routed.xml&id=0</aftersaveredirect> <custom_php_resync_config_command> setup_routed(); </custom_php_resync_config_command> - <custom_php_install_command> - routed_install_command(); - </custom_php_install_command> <custom_php_deinstall_command> routed_deinstall_command(); </custom_php_deinstall_command> diff --git a/config/rrd-summary/rrd-summary.priv.inc b/config/rrd-summary/rrd-summary.priv.inc new file mode 100644 index 00000000..f75315e8 --- /dev/null +++ b/config/rrd-summary/rrd-summary.priv.inc 
@@ -0,0 +1,37 @@
+<?php
+/*
+ rrd-summary.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-status-rrd-summary'] = array();
+$priv_list['page-status-rrd-summary']['name'] = "WebCfg - Status: RRD Summary";
+$priv_list['page-status-rrd-summary']['descr'] = "Allow access to RRD Summary package GUI";
+$priv_list['page-status-rrd-summary']['match'] = array();
+$priv_list['page-status-rrd-summary']['match'][] = "status_rrd_summary.php*";
+
+?>
diff --git a/config/rrd-summary/rrd-summary.xml b/config/rrd-summary/rrd-summary.xml
index 67c20937..309f23d1 100644
--- a/config/rrd-summary/rrd-summary.xml
+++ b/config/rrd-summary/rrd-summary.xml
@@ -43,7 +43,7 @@ </copyright> <description>RRD Summary Page</description> <name>RRD Summary</name> - <version>1.2</version> + <version>1.2.1</version> <title>Status: RRD Summary</title> <menu> <name>RRD Summary</name> @@ -52,6 +52,10 @@ <url>/status_rrd_summary.php</url> </menu> <additional_files_needed> + <prefix>/etc/inc/priv/</prefix> + <item>https://packages.pfsense.org/packages/config/rrd-summary/rrd-summary.priv.inc</item> + </additional_files_needed> + <additional_files_needed> <prefix>/usr/local/www/</prefix> <item>https://packages.pfsense.org/packages/config/rrd-summary/status_rrd_summary.php</item> </additional_files_needed> diff --git a/config/shellcmd/shellcmd.priv.inc b/config/shellcmd/shellcmd.priv.inc new file mode 100644 index 00000000..ae64514d --- /dev/null +++ b/config/shellcmd/shellcmd.priv.inc 
@@ -0,0 +1,38 @@
+<?php
+/*
+ shellcmd.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-services-shellcmd'] = array();
+$priv_list['page-services-shellcmd']['name'] = "WebCfg - Services: shellcmd";
+$priv_list['page-services-shellcmd']['descr'] = "Allow access to shellcmd package GUI";
+$priv_list['page-services-shellcmd']['match'] = array();
+$priv_list['page-services-shellcmd']['match'][] = "pkg.php?xml=shellcmd.xml*";
+$priv_list['page-services-shellcmd']['match'][] = "pkg_edit.php?xml=shellcmd.xml*";
+
+?>
diff --git a/config/shellcmd/shellcmd.xml b/config/shellcmd/shellcmd.xml
index ea3144ff..78b876ff 100644
--- a/config/shellcmd/shellcmd.xml
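Review bot: The `descr` for `page-services-shellcmd` reads like an ordinary page grant, but the matched pages (`pkg.php?xml=shellcmd.xml*`, `pkg_edit.php?xml=shellcmd.xml*`) let the holder create and edit the package's (early)shellcmd entries. As far as I understand the package, those are commands the system runs at boot. An administrator assigning this privilege to a limited user should be told that it amounts to command execution on the firewall. I would extend the text, e.g. `$priv_list['page-services-shellcmd']['descr'] = "Allow access to shellcmd package GUI (allows defining commands run at boot; effectively admin-level access)";`.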
+++ b/config/shellcmd/shellcmd.xml @@ -42,8 +42,8 @@ ]]> </copyright> <name>Shellcmd Settings</name> - <version>1.0</version> - <title>Shellcmd Settings</title> + <version>1.0.1</version> + <title>Services: Shellcmd Settings</title> <include_file>/usr/local/pkg/shellcmd.inc</include_file> <aftersaveredirect>/pkg.php?xml=shellcmd.xml</aftersaveredirect> <addedit_string>[shellcmd] Successfully created/modified custom (early)shellcmd.</addedit_string> @@ -66,6 +66,10 @@ <prefix>/usr/local/pkg/</prefix> <item>https://packages.pfsense.org/packages/config/shellcmd/shellcmd.inc</item> </additional_files_needed> + <additional_files_needed> + <prefix>/etc/inc/priv/</prefix> + <item>https://packages.pfsense.org/packages/config/shellcmd/shellcmd.priv.inc</item> + </additional_files_needed> <adddeleteeditpagefields> <columnitem> <fielddescr>Command</fielddescr> diff --git a/config/spamd/spamd.priv.inc b/config/spamd/spamd.priv.inc new file mode 100644 index 00000000..5a9c622b --- /dev/null +++ b/config/spamd/spamd.priv.inc 
@@ -0,0 +1,46 @@
+<?php
+/*
+ spamd.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/ +global $priv_list; + +$priv_list['page-services-spamd'] = array(); +$priv_list['page-services-spamd']['name'] = "WebCfg - Services: spamd"; +$priv_list['page-services-spamd']['descr'] = "Allow access to spamd package GUI"; + +$priv_list['page-services-spamd']['match'] = array(); +$priv_list['page-services-spamd']['match'][] = "pkg.php?xml=spamd.xml*"; +$priv_list['page-services-spamd']['match'][] = "pkg.php?xml=spamd_whitelist.xml*"; +$priv_list['page-services-spamd']['match'][] = "pkg.php?xml=spamd_settings.xml*"; + +$priv_list['page-services-spamd']['match'][] = "pkg_edit.php?xml=spamd.xml*"; +$priv_list['page-services-spamd']['match'][] = "pkg_edit.php?xml=spamd_whitelist.xml*"; +$priv_list['page-services-spamd']['match'][] = "pkg_edit.php?xml=spamd_settings.xml*"; + +$priv_list['page-services-spamd']['match'][] = "spamd_db.php*"; + +?> diff --git a/config/spamd/spamd.xml b/config/spamd/spamd.xml index 337aad00..7e11b9a9 100644 --- a/config/spamd/spamd.xml +++ b/config/spamd/spamd.xml @@ -42,7 +42,7 @@ ]]> </copyright> <name>spamdsources</name> - <version>1.1.6</version> + <version>1.1.7</version> <title>SpamD: External Sources</title> <include_file>/usr/local/pkg/spamd.inc</include_file> <backup_file>/var/db/spamd</backup_file> @@ -100,6 +100,10 @@ <item>https://packages.pfsense.org/packages/config/spamd/spamd.inc</item> </additional_files_needed> <additional_files_needed> + <prefix>/etc/inc/priv/</prefix> + <item>https://packages.pfsense.org/packages/config/spamd/spamd.priv.inc</item> + </additional_files_needed> + <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <item>https://packages.pfsense.org/packages/config/spamd/spamd_settings.xml</item> </additional_files_needed> @@ -180,6 +184,6 @@ custom_php_deinstall_command(); </custom_php_deinstall_command> <filter_rules_needed> - spamd_generate_rules(); + spamd_generate_rules </filter_rules_needed> </packagegui> 
diff --git a/config/squidGuard-devel/squidguard.inc b/config/squidGuard-devel/squidguard.inc
index 0be94a6f..c9d51b8d 100644
--- a/config/squidGuard-devel/squidguard.inc
+++ b/config/squidGuard-devel/squidguard.inc
@@ -1,36 +1,34 @@ <?php -# ------------------------------------------------------------------------------ -/* squidguard.inc - +/* + squidguard.inc + part of pfSense (https://www.pfSense.org/) Copyright (C) 2006-2011 Serg Dvoriancev Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> Copyright (C) 2013 Marcello Coutinho - - part of pfSense (www.pfSense.com) - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code MUST retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form MUST reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. + Copyright (C) 2015 ESF, LLC + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. 
Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. */ -# ------------------------------------------------------------------------------ - require_once('globals.inc'); require_once('config.inc'); require_once('util.inc'); 
@@ -103,10 +101,22 @@ sg_init(convert_pfxml_to_sgxml()); # ============================================================================== function squidguard_validate($post, &$input_errors) { + global $config, $g; $submit = isset($_GET['submit']) ? $_GET['submit'] : $_POST['submit']; # check config if 'Apply' - if ($submit === APPLY_BTN) sg_check_config_data($input_errors); + if ($submit === APPLY_BTN) { + // XXX:Bug #4608 + if (($g['platform'] == "pfSense") && isset($config['system']['use_mfs_tmpvar'])) { + $input_errors[] = "Please, disable 'Use RAM Disks' under System: Advanced: Miscellaneous to avoid SquidGuard configuration breakage on reboot."; + } + if ($g['platform'] != "pfSense") { + if ($post['blacklist'] != "" || $post['blacklist_proxy'] != "" || $post['blacklist_url'] != "") { + $input_errors[] = "Blacklists usage is NOT supported on NanoBSD. Disable 'Blacklist' option in 'General settings'."; + } + } + sg_check_config_data($input_errors); + } } # ------------------------------------------------------------------------------ 
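Review bot: The blacklist check in `squidguard_validate()` runs for every platform other than `"pfSense"`, while the error it adds speaks only of NanoBSD, so any other platform value gets a misleading message. If NanoBSD is the only intended target, test for it directly, e.g. `if ($g['platform'] == "nanobsd") {` (the exact platform string should be confirmed against the base system). The reads of `$post['blacklist']`, `$post['blacklist_proxy']` and `$post['blacklist_url']` would also be safer behind `!empty()`, since this validator may be called for forms that do not carry those fields.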
@@ -1469,100 +1479,114 @@ function squidguard_blacklist_list() return $res; } -// ##### The following part is based on the code of pfblocker ##### - /* Uses XMLRPC to synchronize the changes to a remote node */ function squidguard_sync_on_changes() { global $config, $g; - if (is_array($config['installedpackages']['squidguardsync'])){ + + if (is_array($config['installedpackages']['squidguardsync'])) { $synconchanges = $config['installedpackages']['squidguardsync']['config'][0]['varsyncenablexmlrpc']; - $varsynctimeout = $config['installedpackages']['squidguardsync']['config'][0]['varsynctimeout']; - } - else - { + $varsynctimeout = $config['installedpackages']['squidguardsync']['config'][0]['varsynctimeout'] ?: '150'; + } else { return; } - // if checkbox is NOT checked do nothing - switch ($synconchanges){ + switch ($synconchanges) { case "manual": - if (is_array($config['installedpackages']['squidguardsync']['config'][0]['row'])){ - $rs=$config['installedpackages']['squidguardsync']['config'][0]['row']; - } - else{ - log_error("[Squidguard] xmlrpc sync is enabled but there is no hosts to push on Squidguard config."); + if (is_array($config['installedpackages']['squidguardsync']['config'][0]['row'])) { + $rs = $config['installedpackages']['squidguardsync']['config'][0]['row']; + } else { + log_error("[Squidguard] XMLRPC sync is enabled but there are no hosts configured as replication targets."); return; - } + } break; case "auto": - if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ - $system_carp=$config['installedpackages']['carpsettings']['config'][0]; - $rs[0]['varsyncdestinenable']="on"; - $rs[0]['varsyncprotocol']=($config['system']['webgui']['protocol']!=""?$config['system']['webgui']['protocol']:"https"); - $rs[0]['varsyncipaddress']=$system_carp['synchronizetoip']; - $rs[0]['varsyncpassword']=$system_carp['password']; - 
$rs[0]['varsyncport']=($config['system']['webgui']['port']!=""?$config['system']['webgui']['port']:"443"); - if (! is_ipaddr($system_carp['synchronizetoip'])){ - log_error("[Squidguard] xmlrpc sync is enabled but there is no system backup hosts to push squid config."); - return; - } + if (is_array($config['hasync'])) { + $system_carp = $config['hasync']; + $rs[0]['varsyncipaddress'] = $system_carp['synchronizetoip']; + $rs[0]['varsyncusername'] = $system_carp['username']; + $rs[0]['varsyncpassword'] = $system_carp['password']; + $rs[0]['varsyncdestinenable'] = FALSE; + + // XMLRPC sync is currently only supported over connections using the same protocol and port as this system + if ($config['system']['webgui']['protocol'] == 'http') { + $rs[0]['varsyncprotocol'] = 'http'; + $rs[0]['varsyncport'] = $config['system']['webgui']['port'] ?: '80'; + } else { + $rs[0]['varsyncprotocol'] = 'https'; + $rs[0]['varsyncport'] = $config['system']['webgui']['port'] ?: '443'; } - else{ - log_error("[Squidguard] xmlrpc sync is enabled but there is no system backup hosts to push squid config."); + if ($system_carp['synchronizetoip'] == "") { + log_error("[Squidguard] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets."); return; + } else { + $rs[0]['varsyncdestinenable'] = TRUE; } - break; + } else { + log_error("[Squidguard] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets."); + return; + } + break; default: return; - break; - } - if (is_array($rs)){ - log_error("[SquidGuard] xmlrpc sync is starting with timeout {$varsynctimeout} seconds."); - foreach($rs as $sh){ - if($sh['varsyncdestinenable']){ - $varsyncprotocol = $sh['varsyncprotocol']; - $sync_to_ip = $sh['varsyncipaddress']; - $password = $sh['varsyncpassword']; - $varsyncport = $sh['varsyncport']; - if($password && $sync_to_ip) - squidguard_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, 
$varsyncprotocol,$varsynctimeout); - else - log_error("SquidGuard: XMLRPC Sync with {$sh['varsyncipaddress']} has incomplete credentials. No XMLRPC Sync done!"); + break; + } + if (is_array($rs)) { + log_error("[SquidGuard] XMLRPC sync is starting with timeout {$varsynctimeout} seconds."); + foreach ($rs as $sh) { + // Only sync enabled replication targets + if ($sh['varsyncdestinenable']) { + $varsyncprotocol = $sh['varsyncprotocol']; + $sync_to_ip = $sh['varsyncipaddress']; + $username = $sh['varsyncusername'] ?: 'admin'; + $password = $sh['varsyncpassword']; + $varsyncport = $sh['varsyncport']; + + $error = ''; + $valid = TRUE; + + if ($password == "") { + $error = "Password parameter is empty. "; + $valid = FALSE; } - else { - log_error("SquidGuard: XMLRPC Sync with {$sh['varsyncipaddress']} is disabled"); + if (!is_ipaddr($sync_to_ip) && !is_hostname($sync_to_ip) && !is_domain($sync_to_ip)) { + $error .= "Misconfigured Replication Target IP Address or Hostname. "; + $valid = FALSE; } + if (!is_port($varsyncport)) { + $error .= "Misconfigured Replication Target Port. 
"; + $valid = FALSE; + } + if ($valid) { + squidguard_do_xmlrpc_sync($sync_to_ip, $varsyncport, $varsyncprotocol, $username, $password, $varsynctimeout); + } else { + log_error("[SquidGuard] XMLRPC sync with '{$sync_to_ip}' aborted due to the following error(s): {$error}"); + } + } else { + log_error("[SquidGuard] XMLRPC Sync with {$sh['varsyncipaddress']} is disabled"); } - log_error("[SquidGuard] xmlrpc sync is ending."); - } + } + log_error("[SquidGuard] XMLRPC sync is ending."); + } } /* Do the actual XMLRPC sync */ -function squidguard_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol,$varsynctimeout) { +function squidguard_do_xmlrpc_sync($sync_to_ip, $varsyncport, $varsyncprotocol, $username, $password, $varsynctimeout) { global $config, $g; - if($varsynctimeout == '' || $varsynctimeout == 0) - $varsynctimeout = 150; - - if(!$password) - return; - - if(!$sync_to_ip) - return; - - if(!$varsyncport) + if ($username == "" || $password == "" || $sync_to_ip == "" || $varsyncport == "" || $varsyncprotocol == "") { + log_error("[SquidGuard] A required XMLRPC sync parameter (username, password, replication target, port or protocol) is empty ... aborting pkg sync"); return; + } - if(!$varsyncprotocol) - return; - - // Check and choose correct protocol type, port number and IP address - $synchronizetoip .= "$varsyncprotocol" . '://'; - $port = "$varsyncport"; + // Take care of IPv6 literal address + if (is_ipaddrv6($sync_to_ip)) { + $sync_to_ip = "[{$sync_to_ip}]"; + } - $synchronizetoip .= $sync_to_ip; + $url = "{$varsyncprotocol}://{$sync_to_ip}"; + $port = $varsyncport; - /* xml will hold the sections to sync */ + /* XML will hold the sections to sync. */ $xml = array(); $xml['squidguardgeneral'] = $config['installedpackages']['squidguardgeneral']; $xml['squidguardacl'] = $config['installedpackages']['squidguardacl']; 
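Review bot: The per-target validation added in `squidguard_sync_on_changes()` checks the password, host and port but never `$varsyncprotocol`, which is then interpolated into `$url` in `squidguard_do_xmlrpc_sync()`. Restricting it to the two supported schemes keeps an unexpected config value out of the URL, e.g. `if (!in_array(strtolower($varsyncprotocol), array('http', 'https'), true)) { $error .= "Misconfigured Replication Target Protocol. "; $valid = FALSE; }`. It is also worth logging a warning when the scheme is `http`, because the sync password travels in the request (`setCredentials()` and the encoded `$params`) without transport encryption, and the form's protocol field shows `HTTP` as its default value. `squidguard_do_xmlrpc_sync()` continues past the end of this hunk.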
@@ -1570,82 +1594,74 @@ function squidguard_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyn $xml['squidguarddest'] = $config['installedpackages']['squidguarddest']; $xml['squidguardrewrite'] = $config['installedpackages']['squidguardrewrite']; $xml['squidguardtime'] = $config['installedpackages']['squidguardtime']; - - /* assemble xmlrpc payload */ - $params = array( - XML_RPC_encode($password), - XML_RPC_encode($xml) - ); - - /* set a few variables needed for sync code borrowed from filter.inc */ - $url = $synchronizetoip; - log_error("SquidGuard: Beginning squidguard XMLRPC sync with {$url}:{$port}."); + + /* Assemble XMLRPC payload. */ + $params = array(XML_RPC_encode($password), XML_RPC_encode($xml)); + + /* Set a few variables needed for sync code */ + log_error("[SquidGuard] Beginning XMLRPC sync with {$url}:{$port}."); $method = 'pfsense.merge_installedpackages_section_xmlrpc'; $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials('admin', $password); - if($g['debug']) - $cli->setDebug(1); - /* send our XMLRPC message and timeout after $varsynctimeout seconds */ + $cli->setCredentials($username, $password); + if ($g['debug']) { + $cli->setDebug(1); + } + /* Send our XMLRPC message and timeout after $varsynctimeout seconds */ + $resp = $cli->send($msg, $varsynctimeout); + if (!$resp) { + $error = "A communications error occurred while attempting XMLRPC sync with {$url}:{$port}."; + log_error("[SquidGuard] {$error}"); + file_notice("sync_settings", $error, "squidguard Settings Sync", ""); + } elseif ($resp->faultCode()) { + $cli->setDebug(1); $resp = $cli->send($msg, $varsynctimeout); - if(!$resp) { - $error = "A communications error occurred while squidguard was attempting XMLRPC sync with {$url}:{$port}."; - log_error("SquidGuard: $error"); - file_notice("sync_settings", $error, "squidguard Settings Sync", ""); - } elseif($resp->faultCode()) { - $cli->setDebug(1); - $resp = 
$cli->send($msg, $varsynctimeout); - $error = "An error code was received while squidguard XMLRPC was attempting to sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); - log_error("SquidGuard: $error"); - file_notice("sync_settings", $error, "squidguard Settings Sync", ""); - } else { - log_error("SquidGuard: XMLRPC has synced data successfully with {$url}:{$port}."); - } - - /* tell squidguard to reload our settings on the destionation sync host. */ + $error = "An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error("[SquidGuard] {$error}"); + file_notice("sync_settings", $error, "squidguard Settings Sync", ""); + } else { + log_error("[SquidGuard] XMLRPC sync successfully completed with {$url}:{$port}."); + } + + /* Tell Squidguard to reload our settings on the destionation sync host. */ $method = 'pfsense.exec_php'; $execcmd = "require_once('/usr/local/pkg/squidguard.inc');\n"; - // pfblocker just needed one fuction to reload after XMLRPC. squidguard needs more so we point to a fuction below which contains all fuctions + // Squidguard needs more functions; we point to a function below which contains all the required functions $execcmd .= "squidguard_all_after_XMLRPC_resync();"; - - /* assemble xmlrpc payload */ - $params = array( - XML_RPC_encode($password), - XML_RPC_encode($execcmd) - ); - log_error("SquidGuard XMLRPC is reloading data on {$url}:{$port}."); + /* Assemble XMLRPC payload. 
*/ + $params = array(XML_RPC_encode($password), XML_RPC_encode($execcmd)); + + log_error("[SquidGuard] XMLRPC is reloading data on {$url}:{$port}."); $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials('admin', $password); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, $varsynctimeout); + if (!$resp) { + $error = "A communications error occurred while attempting XMLRPC sync with {$url}:{$port} (exec_php)."; + log_error("[SquidGuard] {$error}"); + file_notice("sync_settings", $error, "squidguard Settings Sync", ""); + } elseif ($resp->faultCode()) { + $cli->setDebug(1); $resp = $cli->send($msg, $varsynctimeout); - if(!$resp) { - $error = "A communications error occurred while squidguard was attempting XMLRPC sync with {$url}:{$port} (exec_php)."; - log_error($error); - file_notice("sync_settings", $error, "squidguard Settings Sync", ""); - } elseif($resp->faultCode()) { - $cli->setDebug(1); - $resp = $cli->send($msg, $varsynctimeout); - $error = "An error code was received while squidguard XMLRPC was attempting to sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); - log_error($error); - file_notice("sync_settings", $error, "squidguard Settings Sync", ""); - } else { - log_error("SquidGuard: XMLRPC has reloaded data successfully on {$url}:{$port} (exec_php)."); - } + $error = "An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . 
$resp->faultString(); + log_error("[SquidGuard] {$error}"); + file_notice("sync_settings", $error, "squidguard Settings Sync", ""); + } else { + log_error("[SquidGuard] XMLRPC has reloaded data successfully on {$url}:{$port} (exec_php)."); + } } -// ##### The part above is based on the code of pfblocker ##### - -// This function restarts all other needed functions after XMLRPC so that the content of .XML + .INC will be written in the files +// This function restarts all other needed functions after XMLRPC sync so that the content of .XML + .INC will be written in the files // Adding more functions will increase the time to sync function squidguard_all_after_XMLRPC_resync() { - + squidguard_resync_acl(); squidguard_resync_dest(); squidguard_resync(); - - log_error("SquidGuard: Finished XMLRPC process. It should be OK. For more information look at the host which started sync."); + + log_error("[SquidGuard] Finished XMLRPC process. It should be OK. For more information look at the host which started sync."); } ?> diff --git a/config/squidGuard-devel/squidguard.xml b/config/squidGuard-devel/squidguard.xml index b7874f82..a7742917 100644 --- a/config/squidGuard-devel/squidguard.xml +++ b/config/squidGuard-devel/squidguard.xml @@ -42,7 +42,7 @@ ]]> </copyright> <name>squidguardgeneral</name> - <version>1.5.8</version> + <version>1.5.9</version> <title>Proxy filter SquidGuard: General settings</title> <include_file>/usr/local/pkg/squidguard.inc</include_file> <!-- Installation --> 
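Review bot: In both `elseif ($resp->faultCode())` branches the request is sent a second time after `$cli->setDebug(1)`, before the error is logged. The methods involved are `pfsense.merge_installedpackages_section_xmlrpc` and `pfsense.exec_php`, so a fault causes the same state-changing call to be issued again. Because `send()` can return a false value (see the `if (!$resp)` branch), the `$resp->faultCode()` that follows the re-send may be called on a non-object. I would delete the `$cli->setDebug(1);` and repeated `$resp = $cli->send($msg, $varsynctimeout);` lines and build `$error` from the first response. Adding a `return;` after a failed first call would also avoid running `exec_php` on a target that did not accept the config. The function starts before this hunk.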
@@ -148,7 +148,13 @@ <field> <fielddescr>Enable</fielddescr> <fieldname>squidguard_enable</fieldname> - <description><![CDATA[Check this option to enable squidGuard]]></description> + <description> + <![CDATA[ + Check this option to enable squidGuard.<br /> + <strong><span class="errmsg">Important: </span></strong>Please set up at least one category on the 'Target Categories' tab before enabling. + See <a href="https://forum.pfsense.org/index.php?topic=94312.0">this link for details</a>. + ]]> + </description> <type>checkbox</type> </field> <field> @@ -244,8 +250,14 @@ <field> <fielddescr>Blacklist</fielddescr> <fieldname>blacklist</fieldname> - <description><![CDATA[Check this option to enable blacklist]]></description> + <description> + <![CDATA[ + Check this option to enable blacklist.<br /> + <strong><span class="errmsg">Do NOT enable this on NanoBSD installs!</span></strong> + ]]> + </description> <type>checkbox</type> + <enablefields>blacklist_proxy,blacklist_url</enablefields> </field> <field> <fielddescr>Blacklist proxy</fielddescr> diff --git a/config/squidGuard-devel/squidguard_sync.xml b/config/squidGuard-devel/squidguard_sync.xml index f0537faf..7ab2cc6c 100644 --- a/config/squidGuard-devel/squidguard_sync.xml +++ b/config/squidGuard-devel/squidguard_sync.xml 
@@ -1,54 +1,50 @@ -<?xml version="1.0" encoding="utf-8" ?> -<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> -<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<?xml version="1.0" encoding="utf-8"?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> - <copyright> + <copyright> <![CDATA[ /* $Id$ */ -/* ========================================================================== */ +/* ====================================================================================== */ /* -squidguardsync.xml -part of pfSense (http://www.pfSense.com) -Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> -Copyright (C) 2013 Marcello Coutinho -based on pfblocker_sync.xml -All rights reserved. - -Based on m0n0wall (http://m0n0.ch/wall) -Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. -All rights reserved. + squidguardsync.xml + part of pfSense (https://www.pfSense.org/) + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Marcello Coutinho + Copyright (C) 2015 ESF, LLC + All rights reserved. */ -/* ========================================================================== */ +/* ====================================================================================== */ /* -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. -1. Redistributions of source code must retain the above copyright notice, -this list of conditions and the following disclaimer. + 2. 
Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. -2. Redistributions in binary form must reproduce the above copyright -notice, this list of conditions and the following disclaimer in the -documentation and/or other materials provided with the distribution. -THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, -INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY -AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, -OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -POSSIBILITY OF SUCH DAMAGE. + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
*/ -/* ========================================================================== */ -]]></copyright> - <description><![CDATA[Describe your package here]]></description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> +/* ====================================================================================== */ + ]]> + </copyright> <name>squidguardsync</name> - <version>1.3_1 pkg v.1.9</version> - <title>Proxy filter SquidGuard: XMLRPC Sync</title> + <version>1.5.9</version> + <title>SquidGuard Proxy Filter: XMLRPC Sync</title> <include_file>/usr/local/pkg/squidguard.inc</include_file> <tabs> <tab> @@ -97,11 +93,16 @@ POSSIBILITY OF SUCH DAMAGE. <field> <fielddescr>Enable Sync</fielddescr> <fieldname>varsyncenablexmlrpc</fieldname> - <description><![CDATA[All changes will be synced immediately to the IPs listed below if this option is checked.<br> - <b>Important:</b> While using "Sync to hosts defined below", only sync from host A to B, A to C but <b>do not</B> enable XMLRPC sync <b>to</b> A. This will result in a loop!]]></description> + <description> + <![CDATA[ + Select a sync method for SquidGuard.<br/><br/> + <strong>Important:</strong> While using "Sync to host(s) defined below", only sync from host A to B, A to C but <strong>do not</strong> enable XMLRPC sync <b>to</b> A. + This will result in a loop! + ]]> + </description> <type>select</type> <required/> - <default_value>auto</default_value> + <default_value>disabled</default_value> <options> <option><name>Sync to configured system backup server</name><value>auto</value></option> <option><name>Sync to host(s) defined below</name><value>manual</value></option> 
@@ -109,28 +110,28 @@ POSSIBILITY OF SUCH DAMAGE. </options> </field> <field> - <fielddescr>XMLRPC timeout</fielddescr> + <fielddescr>XMLRPC Timeout</fielddescr> <fieldname>varsynctimeout</fieldname> - <description><![CDATA[Timeout in seconds for the XMLRPC timeout. Default: 150]]></description> + <description>XMLRPC timeout in seconds. (Default: 150)</description> <type>input</type> - <default_value>150</default_value> + <default_value>150</default_value> <size>5</size> </field> - <field> - <fielddescr>Destination Server</fielddescr> + <fielddescr>Replication Targets</fielddescr> <fieldname>none</fieldname> <type>rowhelper</type> <rowhelper> <rowhelperfield> <fielddescr>Enable</fielddescr> <fieldname>varsyncdestinenable</fieldname> + <description><![CDATA[Enable this host as a replication target]]></description> <type>checkbox</type> </rowhelperfield> <rowhelperfield> - <fielddescr>GUI Protocol</fielddescr> + <fielddescr>Protocol</fielddescr> <fieldname>varsyncprotocol</fieldname> - <description><![CDATA[Choose the protocol of the destination host. Probably <b>http</b> or <b>https</b>]]></description> + <description><![CDATA[Choose the protocol used to sync with the destination host (HTTP or HTTPS).]]></description> <type>select</type> <default_value>HTTP</default_value> <options> 
@@ -139,21 +140,21 @@ POSSIBILITY OF SUCH DAMAGE. </options> </rowhelperfield> <rowhelperfield> - <fielddescr>GUI IP-Address</fielddescr> + <fielddescr>IP Address/Hostname</fielddescr> <fieldname>varsyncipaddress</fieldname> - <description><![CDATA[IP Address of the destination host.]]></description> + <description><![CDATA[IP address or hostname of the destination host.]]></description> <type>input</type> - <size>15</size> + <size>40</size> </rowhelperfield> <rowhelperfield> - <fielddescr>GUI Port</fielddescr> + <fielddescr>Port</fielddescr> <fieldname>varsyncport</fieldname> - <description><![CDATA[Choose the port of the destination host.]]></description> + <description><![CDATA[Choose the sync port of the destination host.]]></description> <type>input</type> <size>3</size> </rowhelperfield> - <rowhelperfield> - <fielddescr>GUI Admin Password</fielddescr> + <rowhelperfield> + <fielddescr>Admin Password</fielddescr> <fieldname>varsyncpassword</fieldname> <description><![CDATA[Password of the user "admin" on the destination host.]]></description> <type>password</type> @@ -162,9 +163,6 @@ POSSIBILITY OF SUCH DAMAGE. </rowhelper> </field> </fields> - <custom_delete_php_command> - squidguard_sync_on_changes(); - </custom_delete_php_command> <custom_php_resync_config_command> squidguard_sync_on_changes(); </custom_php_resync_config_command> diff --git a/config/squidGuard/squidguard.inc b/config/squidGuard/squidguard.inc index c4c47bcc..65e1ef50 100644 --- a/config/squidGuard/squidguard.inc +++ b/config/squidGuard/squidguard.inc 
@@ -1,36 +1,34 @@ <?php -# ------------------------------------------------------------------------------ -/* squidguard.inc - +/* + squidguard.inc + part of pfSense (https://www.pfSense.org/) Copyright (C) 2006-2011 Serg Dvoriancev Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> Copyright (C) 2013 Marcello Coutinho - - part of pfSense (www.pfSense.com) - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code MUST retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form MUST reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. + Copyright (C) 2015 ESF, LLC + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. 
Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. */ -# ------------------------------------------------------------------------------ - require_once('globals.inc'); require_once('config.inc'); require_once('util.inc'); 
@@ -103,10 +101,22 @@ sg_init(convert_pfxml_to_sgxml()); # ============================================================================== function squidguard_validate(&$post, &$input_errors) { + global $config, $g; $submit = isset($_GET['submit']) ? $_GET['submit'] : $_POST['submit']; # check config if 'Apply' - if ($submit === APPLY_BTN) sg_check_config_data($input_errors); + if ($submit === APPLY_BTN) { + // XXX:Bug #4608 + if (($g['platform'] == "pfSense") && isset($config['system']['use_mfs_tmpvar'])) { + $input_errors[] = "Please, disable 'Use RAM Disks' under System: Advanced: Miscellaneous to avoid SquidGuard configuration breakage on reboot."; + } + if ($g['platform'] != "pfSense") { + if ($post['blacklist'] != "" || $post['blacklist_proxy'] != "" || $post['blacklist_url'] != "") { + $input_errors[] = "Blacklists usage is NOT supported on NanoBSD. Disable 'Blacklist' option in 'General settings'."; + } + } + sg_check_config_data($input_errors); + } } # ------------------------------------------------------------------------------ 
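Review bot: The blacklist check runs for every platform other than "pfSense" (`$g['platform'] != "pfSense"`), but the error text names NanoBSD only, so on any other platform value the message would be misleading. Comparing against the NanoBSD platform value directly would match the message; that string is not visible in this diff, so confirm it before changing the condition. A one-line comment above the block saying why blacklists are rejected there would also help, since the RAM-disk check above it cites a bug number and this one gives no reason.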
@@ -1470,100 +1480,114 @@ function squidguard_blacklist_list() return $res; } -// ##### The following part is based on the code of pfblocker ##### - /* Uses XMLRPC to synchronize the changes to a remote node */ function squidguard_sync_on_changes() { global $config, $g; - if (is_array($config['installedpackages']['squidguardsync'])){ + + if (is_array($config['installedpackages']['squidguardsync'])) { $synconchanges = $config['installedpackages']['squidguardsync']['config'][0]['varsyncenablexmlrpc']; - $varsynctimeout = $config['installedpackages']['squidguardsync']['config'][0]['varsynctimeout']; - } - else - { + $varsynctimeout = $config['installedpackages']['squidguardsync']['config'][0]['varsynctimeout'] ?: '150'; + } else { return; } - // if checkbox is NOT checked do nothing - switch ($synconchanges){ + switch ($synconchanges) { case "manual": - if (is_array($config['installedpackages']['squidguardsync']['config'][0]['row'])){ - $rs=$config['installedpackages']['squidguardsync']['config'][0]['row']; - } - else{ - log_error("[Squidguard] xmlrpc sync is enabled but there is no hosts to push on Squidguard config."); + if (is_array($config['installedpackages']['squidguardsync']['config'][0]['row'])) { + $rs = $config['installedpackages']['squidguardsync']['config'][0]['row']; + } else { + log_error("[Squidguard] XMLRPC sync is enabled but there are no hosts configured as replication targets."); return; - } + } break; case "auto": - if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ - $system_carp=$config['installedpackages']['carpsettings']['config'][0]; - $rs[0]['varsyncdestinenable']="on"; - $rs[0]['varsyncprotocol']=($config['system']['webgui']['protocol']!=""?$config['system']['webgui']['protocol']:"https"); - $rs[0]['varsyncipaddress']=$system_carp['synchronizetoip']; - $rs[0]['varsyncpassword']=$system_carp['password']; - 
$rs[0]['varsyncport']=($config['system']['webgui']['port']!=""?$config['system']['webgui']['port']:"443"); - if (! is_ipaddr($system_carp['synchronizetoip'])){ - log_error("[Squidguard] xmlrpc sync is enabled but there is no system backup hosts to push squid config."); - return; - } + if (is_array($config['hasync'])) { + $system_carp = $config['hasync']; + $rs[0]['varsyncipaddress'] = $system_carp['synchronizetoip']; + $rs[0]['varsyncusername'] = $system_carp['username']; + $rs[0]['varsyncpassword'] = $system_carp['password']; + $rs[0]['varsyncdestinenable'] = FALSE; + + // XMLRPC sync is currently only supported over connections using the same protocol and port as this system + if ($config['system']['webgui']['protocol'] == 'http') { + $rs[0]['varsyncprotocol'] = 'http'; + $rs[0]['varsyncport'] = $config['system']['webgui']['port'] ?: '80'; + } else { + $rs[0]['varsyncprotocol'] = 'https'; + $rs[0]['varsyncport'] = $config['system']['webgui']['port'] ?: '443'; } - else{ - log_error("[Squidguard] xmlrpc sync is enabled but there is no system backup hosts to push squid config."); + if ($system_carp['synchronizetoip'] == "") { + log_error("[Squidguard] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets."); return; + } else { + $rs[0]['varsyncdestinenable'] = TRUE; } - break; + } else { + log_error("[Squidguard] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets."); + return; + } + break; default: return; - break; - } - if (is_array($rs)){ - log_error("[SquidGuard] xmlrpc sync is starting with timeout {$varsynctimeout} seconds."); - foreach($rs as $sh){ - if($sh['varsyncdestinenable']){ - $varsyncprotocol = $sh['varsyncprotocol']; - $sync_to_ip = $sh['varsyncipaddress']; - $password = $sh['varsyncpassword']; - $varsyncport = $sh['varsyncport']; - if($password && $sync_to_ip) - squidguard_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, 
$varsyncprotocol,$varsynctimeout); - else - log_error("SquidGuard: XMLRPC Sync with {$sh['varsyncipaddress']} has incomplete credentials. No XMLRPC Sync done!"); + break; + } + if (is_array($rs)) { + log_error("[SquidGuard] XMLRPC sync is starting with timeout {$varsynctimeout} seconds."); + foreach ($rs as $sh) { + // Only sync enabled replication targets + if ($sh['varsyncdestinenable']) { + $varsyncprotocol = $sh['varsyncprotocol']; + $sync_to_ip = $sh['varsyncipaddress']; + $username = $sh['varsyncusername'] ?: 'admin'; + $password = $sh['varsyncpassword']; + $varsyncport = $sh['varsyncport']; + + $error = ''; + $valid = TRUE; + + if ($password == "") { + $error = "Password parameter is empty. "; + $valid = FALSE; } - else { - log_error("SquidGuard: XMLRPC Sync with {$sh['varsyncipaddress']} is disabled"); + if (!is_ipaddr($sync_to_ip) && !is_hostname($sync_to_ip) && !is_domain($sync_to_ip)) { + $error .= "Misconfigured Replication Target IP Address or Hostname. "; + $valid = FALSE; } + if (!is_port($varsyncport)) { + $error .= "Misconfigured Replication Target Port. 
"; + $valid = FALSE; + } + if ($valid) { + squidguard_do_xmlrpc_sync($sync_to_ip, $varsyncport, $varsyncprotocol, $username, $password, $varsynctimeout); + } else { + log_error("[SquidGuard] XMLRPC sync with '{$sync_to_ip}' aborted due to the following error(s): {$error}"); + } + } else { + log_error("[SquidGuard] XMLRPC Sync with {$sh['varsyncipaddress']} is disabled"); } - log_error("[SquidGuard] xmlrpc sync is ending."); - } + } + log_error("[SquidGuard] XMLRPC sync is ending."); + } } /* Do the actual XMLRPC sync */ -function squidguard_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol,$varsynctimeout) { +function squidguard_do_xmlrpc_sync($sync_to_ip, $varsyncport, $varsyncprotocol, $username, $password, $varsynctimeout) { global $config, $g; - if($varsynctimeout == '' || $varsynctimeout == 0) - $varsynctimeout = 150; - - if(!$password) - return; - - if(!$sync_to_ip) - return; - - if(!$varsyncport) + if ($username == "" || $password == "" || $sync_to_ip == "" || $varsyncport == "" || $varsyncprotocol == "") { + log_error("[SquidGuard] A required XMLRPC sync parameter (username, password, replication target, port or protocol) is empty ... aborting pkg sync"); return; + } - if(!$varsyncprotocol) - return; - - // Check and choose correct protocol type, port number and IP address - $synchronizetoip .= "$varsyncprotocol" . '://'; - $port = "$varsyncport"; + // Take care of IPv6 literal address + if (is_ipaddrv6($sync_to_ip)) { + $sync_to_ip = "[{$sync_to_ip}]"; + } - $synchronizetoip .= $sync_to_ip; + $url = "{$varsyncprotocol}://{$sync_to_ip}"; + $port = $varsyncport; - /* xml will hold the sections to sync */ + /* XML will hold the sections to sync. */ $xml = array(); $xml['squidguardgeneral'] = $config['installedpackages']['squidguardgeneral']; $xml['squidguardacl'] = $config['installedpackages']['squidguardacl']; 
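Review bot: The new validation block checks the password, host and port but not `$varsyncprotocol`, which `squidguard_do_xmlrpc_sync()` only tests for emptiness before building `$url = "{$varsyncprotocol}://{$sync_to_ip}"`. Add an allow-list next to the `is_port()` check: `if (!in_array(strtolower($varsyncprotocol), array('http', 'https'), true)) { $error .= "Misconfigured Replication Target Protocol. "; $valid = FALSE; }`. In the `auto` branch the protocol follows the local webConfigurator setting, so with `http` the username and password go to the backup host unencrypted; a `log_error()` warning in that branch would make this visible to the operator. `$varsynctimeout` is also passed on without a numeric check. The body of `squidguard_do_xmlrpc_sync()` continues past the end of this hunk.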
@@ -1571,82 +1595,74 @@ function squidguard_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyn $xml['squidguarddest'] = $config['installedpackages']['squidguarddest']; $xml['squidguardrewrite'] = $config['installedpackages']['squidguardrewrite']; $xml['squidguardtime'] = $config['installedpackages']['squidguardtime']; - - /* assemble xmlrpc payload */ - $params = array( - XML_RPC_encode($password), - XML_RPC_encode($xml) - ); - - /* set a few variables needed for sync code borrowed from filter.inc */ - $url = $synchronizetoip; - log_error("SquidGuard: Beginning squidguard XMLRPC sync with {$url}:{$port}."); + + /* Assemble XMLRPC payload. */ + $params = array(XML_RPC_encode($password), XML_RPC_encode($xml)); + + /* Set a few variables needed for sync code */ + log_error("[SquidGuard] Beginning XMLRPC sync with {$url}:{$port}."); $method = 'pfsense.merge_installedpackages_section_xmlrpc'; $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials('admin', $password); - if($g['debug']) - $cli->setDebug(1); - /* send our XMLRPC message and timeout after $varsynctimeout seconds */ + $cli->setCredentials($username, $password); + if ($g['debug']) { + $cli->setDebug(1); + } + /* Send our XMLRPC message and timeout after $varsynctimeout seconds */ + $resp = $cli->send($msg, $varsynctimeout); + if (!$resp) { + $error = "A communications error occurred while attempting XMLRPC sync with {$url}:{$port}."; + log_error("[SquidGuard] {$error}"); + file_notice("sync_settings", $error, "squidguard Settings Sync", ""); + } elseif ($resp->faultCode()) { + $cli->setDebug(1); $resp = $cli->send($msg, $varsynctimeout); - if(!$resp) { - $error = "A communications error occurred while squidguard was attempting XMLRPC sync with {$url}:{$port}."; - log_error("SquidGuard: $error"); - file_notice("sync_settings", $error, "squidguard Settings Sync", ""); - } elseif($resp->faultCode()) { - $cli->setDebug(1); - $resp = 
$cli->send($msg, $varsynctimeout); - $error = "An error code was received while squidguard XMLRPC was attempting to sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); - log_error("SquidGuard: $error"); - file_notice("sync_settings", $error, "squidguard Settings Sync", ""); - } else { - log_error("SquidGuard: XMLRPC has synced data successfully with {$url}:{$port}."); - } - - /* tell squidguard to reload our settings on the destionation sync host. */ + $error = "An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error("[SquidGuard] {$error}"); + file_notice("sync_settings", $error, "squidguard Settings Sync", ""); + } else { + log_error("[SquidGuard] XMLRPC sync successfully completed with {$url}:{$port}."); + } + + /* Tell Squidguard to reload our settings on the destionation sync host. */ $method = 'pfsense.exec_php'; $execcmd = "require_once('/usr/local/pkg/squidguard.inc');\n"; - // pfblocker just needed one fuction to reload after XMLRPC. squidguard needs more so we point to a fuction below which contains all fuctions + // Squidguard needs more functions; we point to a function below which contains all the required functions $execcmd .= "squidguard_all_after_XMLRPC_resync();"; - - /* assemble xmlrpc payload */ - $params = array( - XML_RPC_encode($password), - XML_RPC_encode($execcmd) - ); - log_error("SquidGuard XMLRPC is reloading data on {$url}:{$port}."); + /* Assemble XMLRPC payload. 
*/ + $params = array(XML_RPC_encode($password), XML_RPC_encode($execcmd)); + + log_error("[SquidGuard] XMLRPC is reloading data on {$url}:{$port}."); $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials('admin', $password); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, $varsynctimeout); + if (!$resp) { + $error = "A communications error occurred while attempting XMLRPC sync with {$url}:{$port} (exec_php)."; + log_error("[SquidGuard] {$error}"); + file_notice("sync_settings", $error, "squidguard Settings Sync", ""); + } elseif ($resp->faultCode()) { + $cli->setDebug(1); $resp = $cli->send($msg, $varsynctimeout); - if(!$resp) { - $error = "A communications error occurred while squidguard was attempting XMLRPC sync with {$url}:{$port} (exec_php)."; - log_error($error); - file_notice("sync_settings", $error, "squidguard Settings Sync", ""); - } elseif($resp->faultCode()) { - $cli->setDebug(1); - $resp = $cli->send($msg, $varsynctimeout); - $error = "An error code was received while squidguard XMLRPC was attempting to sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); - log_error($error); - file_notice("sync_settings", $error, "squidguard Settings Sync", ""); - } else { - log_error("SquidGuard: XMLRPC has reloaded data successfully on {$url}:{$port} (exec_php)."); - } + $error = "An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . 
$resp->faultString(); + log_error("[SquidGuard] {$error}"); + file_notice("sync_settings", $error, "squidguard Settings Sync", ""); + } else { + log_error("[SquidGuard] XMLRPC has reloaded data successfully on {$url}:{$port} (exec_php)."); + } } -// ##### The part above is based on the code of pfblocker ##### - -// This function restarts all other needed functions after XMLRPC so that the content of .XML + .INC will be written in the files +// This function restarts all other needed functions after XMLRPC sync so that the content of .XML + .INC will be written in the files // Adding more functions will increase the time to sync function squidguard_all_after_XMLRPC_resync() { - + squidguard_resync_acl(); squidguard_resync_dest(); squidguard_resync(); - - log_error("SquidGuard: Finished XMLRPC process. It should be OK. For more information look at the host which started sync."); + + log_error("[SquidGuard] Finished XMLRPC process. It should be OK. For more information look at the host which started sync."); } ?> diff --git a/config/squidGuard/squidguard.xml b/config/squidGuard/squidguard.xml index e7514f63..91922324 100644 --- a/config/squidGuard/squidguard.xml +++ b/config/squidGuard/squidguard.xml @@ -42,7 +42,7 @@ ]]> </copyright> <name>squidguardgeneral</name> - <version>1.9.16</version> + <version>1.9.17</version> <title>Proxy filter SquidGuard: General settings</title> <include_file>/usr/local/pkg/squidguard.inc</include_file> <!-- Installation --> 
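Review bot: Both `elseif ($resp->faultCode())` branches turn on `$cli->setDebug(1)` and call `$cli->send($msg, $varsynctimeout)` a second time, so a request that already came back with a fault is transmitted again; the config merge and the `pfsense.exec_php` call are both state-changing, and the message carries `$password` as its first parameter. Depending on the XML_RPC client version, debug mode may print the raw exchange, which would put that password into output, while the fault code and string from the first response are enough for the log. I would drop the two lines `$cli->setDebug(1);` and `$resp = $cli->send($msg, $varsynctimeout);` from both branches. Separately, the reload call is still issued after the merge has failed; a `return;` after the first two `file_notice()` calls would stop that. The function starts in the previous hunk.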
@@ -148,7 +148,13 @@ <field> <fielddescr>Enable</fielddescr> <fieldname>squidguard_enable</fieldname> - <description><![CDATA[Check this option to enable squidGuard]]></description> + <description> + <![CDATA[ + Check this option to enable squidGuard.<br /> + <strong><span class="errmsg">Important: </span></strong>Please set up at least one category on the 'Target Categories' tab before enabling. + See <a href="https://forum.pfsense.org/index.php?topic=94312.0">this link for details</a>. + ]]> + </description> <type>checkbox</type> </field> <field> @@ -244,8 +250,14 @@ <field> <fielddescr>Blacklist</fielddescr> <fieldname>blacklist</fieldname> - <description><![CDATA[Check this option to enable blacklist]]></description> + <description> + <![CDATA[ + Check this option to enable blacklist.<br /> + <strong><span class="errmsg">Do NOT enable this on NanoBSD installs!</span></strong> + ]]> + </description> <type>checkbox</type> + <enablefields>blacklist_proxy,blacklist_url</enablefields> </field> <field> <fielddescr>Blacklist proxy</fielddescr> diff --git a/config/squidGuard/squidguard_sync.xml b/config/squidGuard/squidguard_sync.xml index f0537faf..2d50ca24 100644 --- a/config/squidGuard/squidguard_sync.xml +++ b/config/squidGuard/squidguard_sync.xml 
@@ -1,54 +1,50 @@ -<?xml version="1.0" encoding="utf-8" ?> -<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> -<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<?xml version="1.0" encoding="utf-8"?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> - <copyright> + <copyright> <![CDATA[ /* $Id$ */ -/* ========================================================================== */ +/* ====================================================================================== */ /* -squidguardsync.xml -part of pfSense (http://www.pfSense.com) -Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> -Copyright (C) 2013 Marcello Coutinho -based on pfblocker_sync.xml -All rights reserved. - -Based on m0n0wall (http://m0n0.ch/wall) -Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. -All rights reserved. + squidguardsync.xml + part of pfSense (https://www.pfSense.org/) + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Marcello Coutinho + Copyright (C) 2015 ESF, LLC + All rights reserved. */ -/* ========================================================================== */ +/* ====================================================================================== */ /* -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. -1. Redistributions of source code must retain the above copyright notice, -this list of conditions and the following disclaimer. + 2. 
Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. -2. Redistributions in binary form must reproduce the above copyright -notice, this list of conditions and the following disclaimer in the -documentation and/or other materials provided with the distribution. -THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, -INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY -AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, -OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -POSSIBILITY OF SUCH DAMAGE. + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
*/ -/* ========================================================================== */ -]]></copyright> - <description><![CDATA[Describe your package here]]></description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> +/* ====================================================================================== */ + ]]> + </copyright> <name>squidguardsync</name> - <version>1.3_1 pkg v.1.9</version> - <title>Proxy filter SquidGuard: XMLRPC Sync</title> + <version>1.9.17</version> + <title>SquidGuard Proxy Filter: XMLRPC Sync</title> <include_file>/usr/local/pkg/squidguard.inc</include_file> <tabs> <tab> @@ -97,11 +93,16 @@ POSSIBILITY OF SUCH DAMAGE. <field> <fielddescr>Enable Sync</fielddescr> <fieldname>varsyncenablexmlrpc</fieldname> - <description><![CDATA[All changes will be synced immediately to the IPs listed below if this option is checked.<br> - <b>Important:</b> While using "Sync to hosts defined below", only sync from host A to B, A to C but <b>do not</B> enable XMLRPC sync <b>to</b> A. This will result in a loop!]]></description> + <description> + <![CDATA[ + Select a sync method for SquidGuard.<br/><br/> + <strong>Important:</strong> While using "Sync to host(s) defined below", only sync from host A to B, A to C but <strong>do not</strong> enable XMLRPC sync <b>to</b> A. + This will result in a loop! + ]]> + </description> <type>select</type> <required/> - <default_value>auto</default_value> + <default_value>disabled</default_value> <options> <option><name>Sync to configured system backup server</name><value>auto</value></option> <option><name>Sync to host(s) defined below</name><value>manual</value></option> 
@@ -109,28 +110,28 @@ POSSIBILITY OF SUCH DAMAGE. </options> </field> <field> - <fielddescr>XMLRPC timeout</fielddescr> + <fielddescr>XMLRPC Timeout</fielddescr> <fieldname>varsynctimeout</fieldname> - <description><![CDATA[Timeout in seconds for the XMLRPC timeout. Default: 150]]></description> + <description>XMLRPC timeout in seconds. (Default: 150)</description> <type>input</type> - <default_value>150</default_value> + <default_value>150</default_value> <size>5</size> </field> - <field> - <fielddescr>Destination Server</fielddescr> + <fielddescr>Replication Targets</fielddescr> <fieldname>none</fieldname> <type>rowhelper</type> <rowhelper> <rowhelperfield> <fielddescr>Enable</fielddescr> <fieldname>varsyncdestinenable</fieldname> + <description><![CDATA[Enable this host as a replication target]]></description> <type>checkbox</type> </rowhelperfield> <rowhelperfield> - <fielddescr>GUI Protocol</fielddescr> + <fielddescr>Protocol</fielddescr> <fieldname>varsyncprotocol</fieldname> - <description><![CDATA[Choose the protocol of the destination host. Probably <b>http</b> or <b>https</b>]]></description> + <description><![CDATA[Choose the protocol used to sync with the destination host (HTTP or HTTPS).]]></description> <type>select</type> <default_value>HTTP</default_value> <options> 
@@ -139,21 +140,21 @@ POSSIBILITY OF SUCH DAMAGE. </options> </rowhelperfield> <rowhelperfield> - <fielddescr>GUI IP-Address</fielddescr> + <fielddescr>IP Address/Hostname</fielddescr> <fieldname>varsyncipaddress</fieldname> - <description><![CDATA[IP Address of the destination host.]]></description> + <description><![CDATA[IP address or hostname of the destination host.]]></description> <type>input</type> - <size>15</size> + <size>40</size> </rowhelperfield> <rowhelperfield> - <fielddescr>GUI Port</fielddescr> + <fielddescr>Port</fielddescr> <fieldname>varsyncport</fieldname> - <description><![CDATA[Choose the port of the destination host.]]></description> + <description><![CDATA[Choose the sync port of the destination host.]]></description> <type>input</type> <size>3</size> </rowhelperfield> - <rowhelperfield> - <fielddescr>GUI Admin Password</fielddescr> + <rowhelperfield> + <fielddescr>Admin Password</fielddescr> <fieldname>varsyncpassword</fieldname> <description><![CDATA[Password of the user "admin" on the destination host.]]></description> <type>password</type> @@ -162,9 +163,6 @@ POSSIBILITY OF SUCH DAMAGE. </rowhelper> </field> </fields> - <custom_delete_php_command> - squidguard_sync_on_changes(); - </custom_delete_php_command> <custom_php_resync_config_command> squidguard_sync_on_changes(); </custom_php_resync_config_command> diff --git a/config/suricata/suricata.xml b/config/suricata/suricata.xml index e2c4735c..7c7e9e80 100644 --- a/config/suricata/suricata.xml +++ b/config/suricata/suricata.xml @@ -42,7 +42,7 @@ </copyright> <description>Suricata IDS/IPS Package</description> <name>suricata</name> - <version>2.0.8 pkg v2.1.6</version> + <version>2.1.9</version> <title>Services: Suricata IDS</title> <include_file>/usr/local/pkg/suricata/suricata.inc</include_file> <menu> diff --git a/config/suricata/suricata_barnyard.php b/config/suricata/suricata_barnyard.php index c4e438ba..81c7c503 100644 --- a/config/suricata/suricata_barnyard.php 
+++ b/config/suricata/suricata_barnyard.php @@ -14,7 +14,7 @@ * All rights reserved. * * Adapted for Suricata by: - * Copyright (C) 2014 Bill Meeks + * Copyright (C) 2015 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -86,6 +86,14 @@ if (isset($id) && $a_nat[$id]) { $pconfig['barnyard_bro_ids_dport'] = "47760"; if (empty($a_nat[$id]['barnyard_sensor_id'])) $pconfig['barnyard_sensor_id'] = "0"; + if (empty($pconfig['barnyard_xff_logging'])) + $pconfig['barnyard_xff_logging'] = "off"; + if (empty($pconfig['barnyard_xff_mode'])) + $pconfig['barnyard_xff_mode'] = "extra-data"; + if (empty($pconfig['barnyard_xff_deployment'])) + $pconfig['barnyard_xff_deployment'] = "reverse"; + if (empty($pconfig['barnyard_xff_header'])) + $pconfig['barnyard_xff_header'] = "X-Forwarded-For"; } if ($_POST['save']) { @@ -129,6 +137,9 @@ if ($_POST['save']) { $input_errors[] = gettext("The value for 'Sensor ID' must be a valid positive integer."); } + if (empty($_POST['barnyard_xff_header']) && $_POST['barnyard_xff_logging'] == "on") + $input_errors[] = gettext("The value for the X-Forwarded-For Header cannot be blank when X-Forwarded-For logging is enabled."); + // Validate inputs if MySQL database loggging enabled if ($_POST['barnyard_mysql_enable'] == 'on' && $_POST['barnyard_enable'] == "on") { if (empty($_POST['barnyard_dbhost'])) 
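Review bot: The added check only rejects an empty `barnyard_xff_header`; any other string is accepted and, in the save hunk below, stored unchanged in `$natent['barnyard_xff_header']`. If that value is later written into the Barnyard2 configuration file (not visible in this diff), a value containing spaces or line breaks could corrupt or extend the generated file. Restrict it to header-name characters, e.g. `if (!empty($_POST['barnyard_xff_header']) && !preg_match('/^[A-Za-z0-9\-]+$/', $_POST['barnyard_xff_header'])) $input_errors[] = gettext("The X-Forwarded-For Header may contain only letters, digits and hyphens.");`. The surrounding `if ($_POST['save'])` block starts and ends outside this hunk.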
@@ -172,11 +183,13 @@ if ($_POST['save']) { $natent['barnyard_syslog_local'] = $_POST['barnyard_syslog_local'] ? 'on' : 'off'; $natent['barnyard_bro_ids_enable'] = $_POST['barnyard_bro_ids_enable'] ? 'on' : 'off'; $natent['barnyard_disable_sig_ref_tbl'] = $_POST['barnyard_disable_sig_ref_tbl'] ? 'on' : 'off'; + $natent['barnyard_xff_logging'] = $_POST['barnyard_xff_logging'] ? 'on' : 'off'; $natent['barnyard_syslog_opmode'] = $_POST['barnyard_syslog_opmode']; $natent['barnyard_syslog_proto'] = $_POST['barnyard_syslog_proto']; if ($_POST['barnyard_sensor_id']) $natent['barnyard_sensor_id'] = $_POST['barnyard_sensor_id']; else $natent['barnyard_sensor_id'] = '0'; if ($_POST['barnyard_sensor_name']) $natent['barnyard_sensor_name'] = $_POST['barnyard_sensor_name']; else unset($natent['barnyard_sensor_name']); + if ($_POST['barnyard_xff_header']) $natent['barnyard_xff_header'] = $_POST['barnyard_xff_header']; else $natent['barnyard_xff_header'] = 'X-Forwarded-For'; if ($_POST['barnyard_dbhost']) $natent['barnyard_dbhost'] = $_POST['barnyard_dbhost']; else unset($natent['barnyard_dbhost']); if ($_POST['barnyard_dbname']) $natent['barnyard_dbname'] = $_POST['barnyard_dbname']; else unset($natent['barnyard_dbname']); if ($_POST['barnyard_dbuser']) $natent['barnyard_dbuser'] = $_POST['barnyard_dbuser']; else unset($natent['barnyard_dbuser']); 
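Review bot: `barnyard_xff_mode` and `barnyard_xff_deployment` are never written to `$natent` here: the hunk stores `barnyard_xff_logging` and `barnyard_xff_header` only, and no other hunk in this file's diff saves the two selects, so their choices appear to be lost on save. Add them with an allow-list so only the offered values are stored: `if (in_array($_POST['barnyard_xff_mode'], array('extra-data', 'overwrite'), true)) $natent['barnyard_xff_mode'] = $_POST['barnyard_xff_mode'];` and `if (in_array($_POST['barnyard_xff_deployment'], array('reverse', 'forward'), true)) $natent['barnyard_xff_deployment'] = $_POST['barnyard_xff_deployment'];`. The save block continues outside the hunk, so confirm they are not handled elsewhere in the file.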
@@ -335,6 +348,56 @@ include_once("head.inc"); </td> </tr> <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("X-Forwarded-For Logging"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_xff_logging" id="barnyard_xff_logging" type="checkbox" value="on" <?php if ($pconfig['barnyard_xff_logging'] == "on") echo "checked"; ?> onClick="toggle_xff_log_options()"/> + <?php echo gettext("Enable logging of X-Forwarded-For IP addresses. Default value is ") . "<strong>" . gettext("Not Checked") . "</strong>"; ?> + </td> + </tr> + <tbody id="xff_options"> + <tr id="barnyard_xff_mode_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("X-Forwarded-For Mode"); ?></td> + <td width="78%" class="vtable"> + <select name="barnyard_xff_mode" id="barnyard_xff_mode" class="formselect"> + <?php + $xff_modes = array( "extra-data", "overwrite" ); + foreach ($xff_modes as $mode) { + $selected = ""; + if ($mode == $pconfig['barnyard_xff_mode']) + $selected = " selected"; + echo "<option value='{$mode}'{$selected}>" . $mode . "</option>\n"; + } + ?></select> + <?php echo gettext("Select HTTP X-Forwarded-For Operation Mode. Default is ") . "<strong>" . gettext("extra-data") . "</strong>."; ?> + </td> + </tr> + <tr id="barnyard_xff_deployment_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("X-Forwarded-For Deployment"); ?></td> + <td width="78%" class="vtable"> + <select name="barnyard_xff_deployment" id="barnyard_xff_deployment" class="formselect"> + <?php + $xff_deployments = array( "reverse", "forward" ); + foreach ($xff_deployments as $deployment) { + $selected = ""; + if ($mode == $pconfig['barnyard_xff_deployment']) + $selected = " selected"; + echo "<option value='{$deployment}'{$selected}>" . $deployment . "</option>\n"; + } + ?></select> + <?php echo gettext("Select HTTP X-Forwarded-For Deployment. Default is ") . "<strong>" . gettext("reverse") . 
"</strong>."; ?> + </td> + </tr> + <tr id="barnyard_xff_header_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("X-Forwarded-For Header"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_xff_header" type="text" class="formfld unknown" id="barnyard_xff_header" + size="18" value="<?=htmlspecialchars($pconfig['barnyard_xff_header']); ?>"/> + <?php echo gettext("Enter header where actual IP address is reported. Default is ") . "<strong>" . + gettext("X-Forwarded-For") . "</strong>."; ?><br/><br/><?php echo gettext("If more than one IP address is present, the last one will be used.") ?> + </td> + </tr> + </tbody> + <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("MySQL Database Output Settings"); ?></td> </tr> <tr> @@ -600,6 +663,16 @@ function toggle_bro_ids() { document.getElementById("bro_ids_config_rows").style.display = ""; } +function toggle_xff_log_options() { + var endis = !(document.iform.barnyard_xff_logging.checked); + if (endis) { + document.getElementById("xff_options").style.display = "none"; + } + else { + document.getElementById("xff_options").style.display = ""; + } +} + function enable_change(enable_change) { endis = !(document.iform.barnyard_enable.checked || enable_change); // make sure a default answer is called if this is invoked. @@ -610,6 +683,10 @@ function enable_change(enable_change) { document.iform.barnyard_obfuscate_ip.disabled = endis; document.iform.barnyard_sensor_id.disabled = endis; document.iform.barnyard_sensor_name.disabled = endis; + document.iform.barnyard_xff_logging.disabled = endis; + document.iform.barnyard_xff_mode.disabled = endis; + document.iform.barnyard_xff_deployment.disabled = endis; + document.iform.barnyard_xff_header.disabled = endis; document.iform.barnyard_mysql_enable.disabled = endis; document.iform.barnyard_dbhost.disabled = endis; document.iform.barnyard_dbname.disabled = endis; 
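Review bot: The X-Forwarded-For Deployment `<select>` loop compares the wrong variable: `if ($mode == $pconfig['barnyard_xff_deployment'])` tests `$mode`, which is left over from the preceding Mode loop, so no deployment option is ever marked selected and the page shows the first entry whatever value is saved. It should read `if ($deployment == $pconfig['barnyard_xff_deployment'])`. As written, an administrator who re-saves the page would submit `reverse` without having chosen it.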
@@ -636,6 +713,7 @@ toggle_mySQL(); toggle_syslog(); toggle_local_syslog(); toggle_bro_ids(); +toggle_xff_log_options(); enable_change(false); </script> diff --git a/config/suricata/suricata_check_for_rule_updates.php b/config/suricata/suricata_check_for_rule_updates.php index 67334957..e245d71e 100644 --- a/config/suricata/suricata_check_for_rule_updates.php +++ b/config/suricata/suricata_check_for_rule_updates.php @@ -13,7 +13,7 @@ * All rights reserved. * * Adapted for Suricata by: - * Copyright (C) 2014 Bill Meeks + * Copyright (C) 2015 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -43,7 +43,7 @@ require_once("service-utils.inc"); require_once("/usr/local/pkg/suricata/suricata.inc"); require_once("/usr/local/pkg/suricata/suricata_defs.inc"); -global $g, $pkg_interface, $suricata_gui_include, $rebuild_rules; +global $g, $pkg_interface, $suricata_gui_include, $rebuild_rules, $static_output; $suricatadir = SURICATADIR; $suricatalogdir = SURICATALOGDIR; @@ -264,7 +264,7 @@ function suricata_check_rule_md5($file_url, $file_dst, $desc = "") { /* error occurred. */ /**********************************************************/ - global $pkg_interface, $last_curl_error, $update_errors; + global $pkg_interface, $last_curl_error, $update_errors, $static_output; $suricatadir = SURICATADIR; $filename_md5 = basename($file_dst); 
@@ -301,7 +301,8 @@ function suricata_check_rule_md5($file_url, $file_dst, $desc = "") { $suricata_err_msg = gettext("Server returned error code {$rc}."); if ($pkg_interface <> "console") { update_status(gettext("{$desc} md5 error ... Server returned error code {$rc} ...")); - update_output_window(gettext("{$desc} will not be updated.\n\t{$suricata_err_msg}")); + $static_output .= gettext("{$desc} will not be updated.\n\t{$suricata_err_msg}"); + update_output_window($static_output); } log_error(gettext("[Suricata] {$desc} md5 download failed...")); log_error(gettext("[Suricata] Server returned error code {$rc}...")); @@ -333,7 +334,7 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { /* FALSE if download was not successful. */ /**********************************************************/ - global $pkg_interface, $last_curl_error, $update_errors; + global $pkg_interface, $last_curl_error, $update_errors, $static_output; $suricatadir = SURICATADIR; $filename = basename($file_dst); @@ -354,8 +355,10 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { // Test integrity of the rules file. Turn off update if file has wrong md5 hash if ($file_md5 != trim(md5_file($file_dst))){ - if ($pkg_interface <> "console") - update_output_window(gettext("{$desc} file MD5 checksum failed...")); + if ($pkg_interface <> "console") { + $static_output .= gettext("{$desc} file MD5 checksum failed!\n"); + update_output_window($static_output); + } log_error(gettext("[Suricata] {$desc} file download failed. Bad MD5 checksum...")); log_error(gettext("[Suricata] Downloaded File MD5: " . md5_file($file_dst))); log_error(gettext("[Suricata] Expected File MD5: {$file_md5}")); 
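Review bot: The integrity test kept in the `@@ -354` hunk, `if ($file_md5 != trim(md5_file($file_dst)))`, uses PHP's loose comparison, which treats two different digests as equal when both have the form `0e` followed only by digits. A strict comparison removes that case: `if ($file_md5 !== trim(md5_file($file_dst))){`. If `$file_md5` can arrive with different letter case or surrounding whitespace, normalise it with `strtolower(trim(...))` before comparing. Separately, the message appended in the `@@ -301` hunk ends without `\n`, unlike the other `$static_output` additions, so the next status text will run on from it. Both function bodies start outside these hunks.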
@@ -369,8 +372,10 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { return true; } else { - if ($pkg_interface <> "console") - update_output_window(gettext("{$desc} file download failed...")); + if ($pkg_interface <> "console") { + $static_output .= gettext("{$desc} file download failed!\n"); + update_output_window($static_output); + } log_error(gettext("[Suricata] {$desc} file download failed... server returned error '{$rc}'...")); error_log(gettext("\t{$desc} file download failed. Server returned error {$rc}.\n"), 3, SURICATA_RULES_UPD_LOGFILE); if ($pkg_interface == "console") @@ -451,7 +456,8 @@ if ($emergingthreats == 'on') { if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { if ($pkg_interface <> "console") { update_status(gettext("Extracting {$et_name} rules...")); - update_output_window(gettext("Installing {$et_name} rules...")); + $static_output .= gettext("Installing {$et_name} rules..."); + update_output_window($static_output); } error_log(gettext("\tExtracting and installing {$et_name} rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE); exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$tmpfname}/emerging rules/"); @@ -509,7 +515,8 @@ if ($emergingthreats == 'on') { } if ($pkg_interface <> "console") { update_status(gettext("Extraction of {$et_name} rules completed...")); - update_output_window(gettext("Installation of {$et_name} rules completed...")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); } error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, SURICATA_RULES_UPD_LOGFILE); rmdir_recursive("{$tmpfname}/emerging"); 
@@ -525,7 +532,8 @@ if ($snortdownload == 'on') { if ($pkg_interface <> "console") { update_status(gettext("Extracting Snort VRT rules...")); - update_output_window(gettext("Installing Sourcefire VRT rules...")); + $static_output .= gettext("Installing Sourcefire VRT rules..."); + update_output_window($static_output); } error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE); @@ -549,7 +557,6 @@ if ($snortdownload == 'on') { /* extract base etc files */ if ($pkg_interface <> "console") { update_status(gettext("Extracting Snort VRT config and map files...")); - update_output_window(gettext("Copying config and map files...")); } exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} etc/"); foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { @@ -564,7 +571,8 @@ if ($snortdownload == 'on') { } if ($pkg_interface <> "console") { update_status(gettext("Extraction of Snort VRT rules completed...")); - update_output_window(gettext("Installation of Sourcefire VRT rules completed...")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); } error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, SURICATA_RULES_UPD_LOGFILE); } @@ -576,7 +584,8 @@ if ($snortcommunityrules == 'on') { if (file_exists("{$tmpfname}/{$snort_community_rules_filename}")) { if ($pkg_interface <> "console") { update_status(gettext("Extracting Snort GPLv2 Community Rules...")); - update_output_window(gettext("Installing Snort GPLv2 Community Rules...")); + $static_output .= gettext("Installing Snort GPLv2 Community Rules..."); + update_output_window($static_output); } error_log(gettext("\tExtracting and installing Snort GPLv2 Community Rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE); exec("/usr/bin/tar xzf {$tmpfname}/{$snort_community_rules_filename} -C {$tmpfname}/community/"); 
@@ -599,7 +608,8 @@ if ($snortcommunityrules == 'on') { } if ($pkg_interface <> "console") { update_status(gettext("Extraction of Snort GPLv2 Community Rules completed...")); - update_output_window(gettext("Installation of Snort GPLv2 Community Rules file completed...")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); } error_log(gettext("\tInstallation of Snort GPLv2 Community Rules completed.\n"), 3, SURICATA_RULES_UPD_LOGFILE); rmdir_recursive("{$tmpfname}/community"); @@ -680,17 +690,20 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = $tmp = "Updating rules configuration for: " . convert_friendly_interface_to_friendly_descr($value['interface']) . " ..."; if ($pkg_interface <> "console"){ update_status(gettext($tmp)); - update_output_window(gettext("Please wait while Suricata interface files are being updated...")); + $static_output .= $tmp; + update_output_window($static_output); } suricata_apply_customizations($value, $if_real); $tmp = "\t" . $tmp . "\n"; error_log($tmp, 3, SURICATA_RULES_UPD_LOGFILE); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); } } else { if ($pkg_interface <> "console") { - update_output_window(gettext("Warning: No interfaces configured for Suricata were found...")); - update_output_window(gettext("No interfaces currently have Suricata configured and enabled on them...")); + $static_output .= gettext("Warning: No interfaces configured for Suricata were found!\nNo interfaces currently have Suricata configured and enabled on them."); + update_output_window($static_output); } error_log(gettext("\tWarning: No interfaces configured for Suricata were found...\n"), 3, SURICATA_RULES_UPD_LOGFILE); } 
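Review bot: The ` done.` update added after `suricata_apply_customizations($value, $if_real);` in the `@@ -680` hunk calls `update_output_window($static_output)` outside the `if ($pkg_interface <> "console")` guard that wraps the other output-window calls in these hunks, so console runs now reach it as well. The same applies to the two lines added after `rmdir_recursive("{$tmpfname}");` in the `@@ -721` hunk. What `update_output_window()` does without a GUI page is not visible here, but for consistency both additions should be guarded: `if ($pkg_interface <> "console") { $static_output .= gettext(" done.\n"); update_output_window($static_output); }`.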
@@ -707,7 +720,6 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = if ($config['installedpackages']['suricata']['config'][0]['live_swap_updates'] == 'on') { if ($pkg_interface <> "console") { update_status(gettext('Signaling Suricata to live-load the new set of rules...')); - update_output_window(gettext("Please wait ... the process should complete in a few seconds...")); } log_error(gettext("[Suricata] Live-Reload of rules from auto-update is enabled...")); error_log(gettext("\tLive-Reload of updated rules is enabled...\n"), 3, SURICATA_RULES_UPD_LOGFILE); 
@@ -721,34 +733,37 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = else { if ($pkg_interface <> "console") { update_status(gettext('Restarting Suricata to activate the new set of rules...')); - update_output_window(gettext("Please wait ... restarting Suricata will take some time...")); + $static_output .= gettext("Restarting Suricata..."); + update_output_window($static_output); } error_log(gettext("\tRestarting Suricata to activate the new set of rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE); restart_service("suricata"); - if ($pkg_interface <> "console") - update_output_window(gettext("Suricata has restarted with your new set of rules...")); + if ($pkg_interface <> "console") { + $static_output .= gettext(" done.\n"); + update_output_window($static_output); + } log_error(gettext("[Suricata] Suricata has restarted with your new set of rules...")); error_log(gettext("\tSuricata has restarted with your new set of rules.\n"), 3, SURICATA_RULES_UPD_LOGFILE); } } - else { - if ($pkg_interface <> "console") - update_output_window(gettext("The rules update task is complete...")); - } } // Remove old $tmpfname files if (is_dir("{$tmpfname}")) { if ($pkg_interface <> "console") { update_status(gettext("Cleaning up after rules extraction...")); - update_output_window(gettext("Removing {$tmpfname} directory...")); + $static_output .= gettext("Removing {$tmpfname} directory..."); + update_output_window($static_output); } rmdir_recursive("{$tmpfname}"); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); } if ($pkg_interface <> "console") { update_status(gettext("The Rules update has finished...")); - update_output_window(""); + $static_output .= gettext("Rules update task complete.\n"); + update_output_window($static_output); } log_error(gettext("[Suricata] The Rules update has finished.")); error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, SURICATA_RULES_UPD_LOGFILE); 
diff --git a/config/suricata/suricata_flow_stream.php b/config/suricata/suricata_flow_stream.php index 9467ea7c..4be8dc35 100644 --- a/config/suricata/suricata_flow_stream.php +++ b/config/suricata/suricata_flow_stream.php @@ -14,7 +14,7 @@ * All rights reserved. * * Adapted for Suricata by: - * Copyright (C) 2014 Bill Meeks + * Copyright (C) 2015 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -250,8 +250,11 @@ elseif ($_POST['ResetAll']) { $pconfig['flow_icmp_emerg_new_timeout'] = '10'; $pconfig['flow_icmp_emerg_established_timeout'] = '100'; - $pconfig['stream_memcap'] = '33554432'; + // The default 'stream_memcap' value must be calculated as follows: + // 216 * prealloc_sessions * number of threads = memory use in bytes + // 64 MB is a decent all-around default, but some setups need more. $pconfig['stream_prealloc_sessions'] = '32768'; + $pconfig['stream_memcap'] = '67108864'; $pconfig['reassembly_memcap'] = '67108864'; $pconfig['reassembly_depth'] = '1048576'; $pconfig['reassembly_to_server_chunk'] = '2560'; 
@@ -298,7 +301,7 @@ elseif ($_POST['save'] || $_POST['apply']) { if ($_POST['flow_icmp_emerg_new_timeout'] != "") { $natent['flow_icmp_emerg_new_timeout'] = $_POST['flow_icmp_emerg_new_timeout']; }else{ $natent['flow_icmp_emerg_new_timeout'] = "10"; } if ($_POST['flow_icmp_emerg_established_timeout'] != "") { $natent['flow_icmp_emerg_established_timeout'] = $_POST['flow_icmp_emerg_established_timeout']; }else{ $natent['flow_icmp_emerg_established_timeout'] = "100"; } - if ($_POST['stream_memcap'] != "") { $natent['stream_memcap'] = $_POST['stream_memcap']; }else{ $natent['stream_memcap'] = "33554432"; } + if ($_POST['stream_memcap'] != "") { $natent['stream_memcap'] = $_POST['stream_memcap']; }else{ $natent['stream_memcap'] = "67108864"; } if ($_POST['stream_prealloc_sessions'] != "") { $natent['stream_prealloc_sessions'] = $_POST['stream_prealloc_sessions']; }else{ $natent['stream_prealloc_sessions'] = "32768"; } if ($_POST['enable_midstream_sessions'] == "on") { $natent['enable_midstream_sessions'] = 'on'; }else{ $natent['enable_midstream_sessions'] = 'off'; } if ($_POST['enable_async_sessions'] == "on") { $natent['enable_async_sessions'] = 'on'; }else{ $natent['enable_async_sessions'] = 'off'; } 
@@ -764,8 +767,11 @@ if ($savemsg) { <input name="stream_memcap" type="text" class="formfld unknown" id="stream_memcap" size="9" value="<?=htmlspecialchars($pconfig['stream_memcap']);?>"> <?php echo gettext("Max memory to be used by stream engine. Default is ") . - "<strong>" . gettext("33,554,432") . "</strong>" . gettext(" bytes (32MB)"); ?><br/><br/> - <?php echo gettext("Sets the maximum amount of memory, in bytes, to be used by the stream engine."); ?> + "<strong>" . gettext("67,108,864") . "</strong>" . gettext(" bytes (64MB)"); ?><br/><br/> + <?php echo gettext("Sets the maximum amount of memory, in bytes, to be used by the stream engine. ");?><br/> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . + gettext("This number will likely need to be increased beyond the default value in systems with more than 4 processor cores. " . + "If Suricata fails to start and logs a memory allocation error, increase this value in 4 MB chunks until Suricata starts successfully."); ?> </td> </tr> <tr> diff --git a/config/suricata/suricata_generate_yaml.php b/config/suricata/suricata_generate_yaml.php index 328702b9..3394ad4c 100644 --- a/config/suricata/suricata_generate_yaml.php +++ b/config/suricata/suricata_generate_yaml.php @@ -292,6 +292,7 @@ if (!empty($suricatacfg['max_pcap_log_files'])) else $pcap_log_max_files = "1000"; +// Unified2 Alert Log Settings if ($suricatacfg['barnyard_enable'] == 'on') $barnyard2_enabled = "yes"; else 
@@ -307,6 +308,28 @@ if (isset($suricatacfg['barnyard_sensor_id'])) else $unified2_sensor_id = "0"; +// Unified2 X-Forwarded-For logging options +if ($suricatacfg['barnyard_xff_logging'] == 'on') { + $unified2_xff_output = "xff:"; + $unified2_xff_output .= "\n enabled: yes"; + if (!empty($suricatacfg['barnyard_xff_mode'])) + $unified2_xff_output .= "\n mode: {$suricatacfg['barnyard_xff_mode']}"; + else + $unified2_xff_output .= "\n mode: extra-data"; + if (!empty($suricatacfg['barnyard_xff_deployment'])) + $unified2_xff_output .= "\n deployment: {$suricatacfg['barnyard_xff_deployment']}"; + else + $unified2_xff_output .= "\n deployment: reverse"; + if (!empty($suricatacfg['barnyard_xff_header'])) + $unified2_xff_output .= "\n header: {$suricatacfg['barnyard_xff_header']}"; + else + $unified2_xff_output .= "\n header: X-Forwarded-For"; +} +else { + $unified2_xff_output = "xff:"; + $unified2_xff_output .= "\n enabled: no"; +} + // EVE JSON log output settings if ($suricatacfg['enable_eve_log'] == 'on') $enable_eve_log = "yes"; @@ -494,7 +517,7 @@ else if (!empty($suricatacfg['stream_memcap'])) $stream_memcap = $suricatacfg['stream_memcap']; else - $stream_memcap = "33554432"; + $stream_memcap = "67108864"; if (!empty($suricatacfg['stream_prealloc_sessions'])) $stream_prealloc_sessions = $suricatacfg['stream_prealloc_sessions']; diff --git a/config/suricata/suricata_global.php b/config/suricata/suricata_global.php index 013cde3e..26fbd12e 100644 --- a/config/suricata/suricata_global.php +++ b/config/suricata/suricata_global.php 
@@ -308,7 +308,7 @@ if ($input_errors) <td><input name="snort_rules_file" type="text" class="formfld unknown" id="snort_rules_file" size="52" value="<?=htmlspecialchars($pconfig['snort_rules_file']);?>"/><br/> <?php echo gettext("Enter the rules tarball filename (filename only, do not include the URL.)"); ?> - <br/><span class="red"><strong><?php echo gettext("Example: ") . "</strong></span>" . gettext("snortrules-snapshot-2962.tar.gz");?><br/><br/></td> + <br/><span class="red"><strong><?php echo gettext("Example: ") . "</strong></span>" . gettext("snortrules-snapshot-2976.tar.gz");?><br/><br/></td> </tr> <tr> <td valign="top" align="right"><span class="vexpl"><strong><?php echo gettext("Oinkmaster Code:"); ?></strong></span> </td> diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php index 4319182d..f188194d 100644 --- a/config/suricata/suricata_interfaces_edit.php +++ b/config/suricata/suricata_interfaces_edit.php @@ -372,7 +372,7 @@ if ($_POST["save"] && !$input_errors) { $natent['flow_icmp_emerg_new_timeout'] = '10'; $natent['flow_icmp_emerg_established_timeout'] = '100'; - $natent['stream_memcap'] = '33554432'; + $natent['stream_memcap'] = '67108864'; $natent['stream_prealloc_sessions'] = '32768'; $natent['reassembly_memcap'] = '67108864'; $natent['reassembly_depth'] = '1048576'; diff --git a/config/suricata/suricata_migrate_config.php b/config/suricata/suricata_migrate_config.php index 2fd5f96e..4a4a489f 100644 --- a/config/suricata/suricata_migrate_config.php +++ b/config/suricata/suricata_migrate_config.php 
@@ -471,6 +471,26 @@ foreach ($rule as &$r) { $updated_cfg = true; } + /**********************************************************/ + /* Create interface Unified2 XFF log settings if not set */ + /**********************************************************/ + if (!isset($pconfig['barnyard_xff_logging'])) { + $pconfig['barnyard_xff_logging'] = "off"; + $updated_cfg = true; + } + if (!isset($pconfig['barnyard_xff_mode'])) { + $pconfig['barnyard_xff_mode'] = "extra-data"; + $updated_cfg = true; + } + if (!isset($pconfig['barnyard_xff_deployment'])) { + $pconfig['barnyard_xff_deployment'] = "reverse"; + $updated_cfg = true; + } + if (empty($pconfig['barnyard_xff_header'])) { + $pconfig['barnyard_xff_header'] = "X-Forwarded-For"; + $updated_cfg = true; + } + // Save the new configuration data into the $config array pointer $r = $pconfig; } diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php index ea1d7b0a..42722d79 100644 --- a/config/suricata/suricata_post_install.php +++ b/config/suricata/suricata_post_install.php @@ -13,7 +13,7 @@ * All rights reserved. * * Adapted for Suricata by: - * Copyright (C) 2014 Bill Meeks + * Copyright (C) 2015 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -50,7 +50,7 @@ require_once("functions.inc"); require_once("/usr/local/pkg/suricata/suricata.inc"); require("/usr/local/pkg/suricata/suricata_defs.inc"); -global $config, $g, $rebuild_rules, $pkg_interface, $suricata_gui_include; +global $config, $g, $rebuild_rules, $pkg_interface, $suricata_gui_include, $static_output; /**************************************** * Define any new constants here that * 
@@ -201,11 +201,12 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = /****************************************************************/ /* Do one-time settings migration for new version configuration */ - update_output_window(gettext("Please wait... migrating settings to new configuration...")); + $static_output .= gettext("\nMigrating settings to new configuration..."); + update_output_window($static_output); include('/usr/local/pkg/suricata/suricata_migrate_config.php'); - update_output_window(gettext("Please wait... rebuilding installation with saved settings...")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); log_error(gettext("[Suricata] Downloading and updating configured rule types...")); - update_output_window(gettext("Please wait... downloading and updating configured rule types...")); if ($pkg_interface <> "console") $suricata_gui_include = true; include('/usr/local/pkg/suricata/suricata_check_for_rule_updates.php'); @@ -219,7 +220,8 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = $if_real = get_real_interface($suricatacfg['interface']); $suricata_uuid = $suricatacfg['uuid']; $suricatacfgdir = "{$suricatadir}suricata_{$suricata_uuid}_{$if_real}"; - update_output_window(gettext("Generating configuration for " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . "...")); + $static_output .= gettext("Generating YAML configuration file for " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . "..."); + update_output_window($static_output); // Pull in the PHP code that generates the suricata.yaml file // variables that will be substituted further down below. 
@@ -238,6 +240,9 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = // create barnyard2.conf file for interface if ($suricatacfg['barnyard_enable'] == 'on') suricata_generate_barnyard2_conf($suricatacfg, $if_real); + + $static_output .= gettext(" done.\n"); + update_output_window($static_output); } // create Suricata bootup file suricata.sh @@ -259,17 +264,21 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = } $rebuild_rules = false; - if ($pkg_interface <> "console") - update_output_window(gettext("Finished rebuilding Suricata configuration files...")); + if ($pkg_interface <> "console") { + $static_output .= gettext("Finished rebuilding Suricata configuration from saved settings.\n"); + update_output_window($static_output); + } log_error(gettext("[Suricata] Finished rebuilding installation from saved settings...")); // Only try to start Suricata if not in reboot if (!$g['booting']) { if ($pkg_interface <> "console") { update_status(gettext("Starting Suricata using rebuilt configuration...")); - update_output_window(gettext("Please wait while Suricata is started...")); + $static_output .= gettext("Starting Suricata using the rebuilt configuration..."); + update_output_window($static_output); mwexec_bg("{$rcdir}suricata.sh start"); - update_output_window(gettext("Suricata is starting as a background task using the rebuilt configuration...")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); } else mwexec_bg("{$rcdir}suricata.sh start"); @@ -291,6 +300,7 @@ write_config("Suricata pkg v{$config['installedpackages']['package'][get_pkg_id( // Done with post-install, so clear flag unset($g['suricata_postinstall']); log_error(gettext("[Suricata] Package post-installation tasks completed...")); +update_status(""); return true; ?> diff --git a/config/suricata/suricata_yaml_template.inc b/config/suricata/suricata_yaml_template.inc index a8b06ebe..82723958 100644 
--- a/config/suricata/suricata_yaml_template.inc +++ b/config/suricata/suricata_yaml_template.inc @@ -54,6 +54,7 @@ outputs: filename: unified2.alert limit: {$unified2_log_limit} sensor-id: {$unified2_sensor_id} + {$unified2_xff_output} - http-log: enabled: {$http_log_enabled} diff --git a/config/systempatches/patches.inc b/config/systempatches/patches.inc index 2298e170..92825799 100644 --- a/config/systempatches/patches.inc +++ b/config/systempatches/patches.inc @@ -29,6 +29,7 @@ */ require_once("globals.inc"); require_once("util.inc"); +require_once("pfsense-utils.inc"); global $git_root_url, $patch_suffix, $patch_dir, $patch_cmd; $git_root_url = "https://github.com/pfsense/pfsense/commit/"; @@ -88,8 +89,20 @@ function patch_test_revert($patch, $fulldetail=false) { /* Fetch a patch from a URL or github */ function patch_fetch(& $patch) { + global $g; $url = patch_fixup_url($patch['location']); - $text = @file_get_contents($url); + $temp_filename = tempnam("{$g['tmp_path']}/", "system_patches"); + /* + * Backwards compatibility with older 2.1.x pfSense versions + * that did not contain download_file() function in pfsense-utils.inc + */ + if (!function_exists("download_file")) { + download_file_with_progress_bar($url, $temp_filename); + } else { + download_file($url, $temp_filename); + } + $text = @file_get_contents($temp_filename); + unlink($temp_filename); if (empty($text)) { return false; } else { |
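Review bot: In the `patch_fetch()` hunk the result of `tempnam()` and of both download calls is discarded, so a `false` from `tempnam()` is passed straight to the downloader and to `unlink()`, and a failed transfer is caught only if the temp file happens to end up empty. Since the fetched text is presumably applied as a patch afterwards, add `if ($temp_filename === false) return false;` after `tempnam()` and treat a non-success return from the download as failure before reading the file. It is also worth confirming that `download_file()` verifies the TLS certificate in the pfSense versions supported, because nothing else in this function checks the content's origin. The rest of `patch_fetch()` lies outside the hunk.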