From d7f430d3f66fa0461737b2cf2485649084c469e2 Mon Sep 17 00:00:00 2001
From: Warren Baker
Date: Thu, 29 Sep 2011 21:06:07 +0200
Subject: Add support for IPv6 ACLs and mixing of both IPv6 and v4 ACLs

---
 config/unbound/unbound_acls.php | 805 ++++++++--------------------------------
 1 file changed, 158 insertions(+), 647 deletions(-)
(limited to 'config/unbound/unbound_acls.php')
diff --git a/config/unbound/unbound_acls.php b/config/unbound/unbound_acls.php
index d1b501d6..b60de2dd 100644
--- a/config/unbound/unbound_acls.php
+++ b/config/unbound/unbound_acls.php
@@ -30,91 +30,46 @@ */
 require("guiconfig.inc");
+require("unbound.inc");
 if(!is_process_running("unbound")) {
 Header("Location: /pkg_edit.php?xml=unbound.xml&id=0");
 exit;
 }
-if (!is_array($config['installedpackages']['unboundacls'][0]['config']))
- $config['installedpackages']['unboundacls'][0]['config'] = array();
+if (!is_array($config['installedpackages']['unboundacls']['config']))
+ $config['installedpackages']['unboundacls']['config'] = array();
-$a_acls = &$config['installedpackages']['unboundacls'][0]['config'];
+$a_acls = &$config['installedpackages']['unboundacls']['config'];
 $id = $_GET['id'];
-if (isset($_POST['id']))
- $id = $_POST['id'];
+if (isset($_POST['aclid']))
+ $id = $_POST['aclid'];
 $act = $_GET['act'];
 if (isset($_POST['act']))
 $act = $_POST['act'];
-if ($_GET['act'] == "del") {
-
- if (!$a_client[$id]) {
- pfSenseHeader("vpn_openvpn_client.php");
+if ($act == "del") {
+ if (!$a_acls[$id]) {
+ pfSenseHeader("unbound_acls.php");
 exit;
 }
- openvpn_delete('client', $a_client[$id]);
- unset($a_client[$id]);
+ unset($a_acls[$id]);
 write_config();
- $savemsg = gettext("Client successfully deleted")."
";
+ unbound_reconfigure();
+ $savemsg = gettext("Access List successfully deleted")."
";
 }
-if($_GET['act']=="new"){
- $pconfig['autokey_enable'] = "yes";
- $pconfig['tlsauth_enable'] = "yes";
- $pconfig['autotls_enable'] = "yes";
- $pconfig['interface'] = "wan";
- $pconfig['server_port'] = 1194;
+if ($act == "new") {
+ $id = unbound_get_next_id();
 }
-if($_GET['act']=="edit"){
-
- if (isset($id) && $a_client[$id]) {
-
- $pconfig['disable'] = isset($a_client[$id]['disable']);
- $pconfig['mode'] = $a_client[$id]['mode'];
- $pconfig['protocol'] = $a_client[$id]['protocol'];
- $pconfig['interface'] = $a_client[$id]['interface'];
- if (!empty($a_client[$id]['ipaddr'])) {
- $pconfig['interface'] = $pconfig['interface'] . '|' . $a_client[$id]['ipaddr'];
- }
- $pconfig['local_port'] = $a_client[$id]['local_port'];
- $pconfig['server_addr'] = $a_client[$id]['server_addr'];
- $pconfig['server_port'] = $a_client[$id]['server_port'];
- $pconfig['resolve_retry'] = $a_client[$id]['resolve_retry'];
- $pconfig['proxy_addr'] = $a_client[$id]['proxy_addr'];
- $pconfig['proxy_port'] = $a_client[$id]['proxy_port'];
- $pconfig['proxy_user'] = $a_client[$id]['proxy_user'];
- $pconfig['proxy_passwd'] = $a_client[$id]['proxy_passwd'];
- $pconfig['proxy_authtype'] = $a_client[$id]['proxy_authtype'];
- $pconfig['description'] = $a_client[$id]['description'];
- $pconfig['custom_options'] = $a_client[$id]['custom_options'];
- $pconfig['ns_cert_type'] = $a_client[$id]['ns_cert_type'];
- $pconfig['dev_mode'] = $a_client[$id]['dev_mode'];
-
- if ($pconfig['mode'] != "p2p_shared_key") {
- $pconfig['caref'] = $a_client[$id]['caref'];
- $pconfig['certref'] = $a_client[$id]['certref'];
- if ($a_client[$id]['tls']) {
- $pconfig['tlsauth_enable'] = "yes";
- $pconfig['tls'] = base64_decode($a_client[$id]['tls']);
- }
- } else
- $pconfig['shared_key'] = base64_decode($a_client[$id]['shared_key']);
- $pconfig['crypto'] = $a_client[$id]['crypto'];
- $pconfig['engine'] = $a_client[$id]['engine'];
-
- $pconfig['tunnel_network'] = $a_client[$id]['tunnel_network'];
- $pconfig['remote_network'] 
= $a_client[$id]['remote_network'];
- $pconfig['compression'] = $a_client[$id]['compression'];
- $pconfig['passtos'] = $a_client[$id]['passtos'];
-
- // just in case the modes switch
- $pconfig['autokey_enable'] = "yes";
- $pconfig['autotls_enable'] = "yes";
+if ($act == "edit") {
+ if (isset($id) && $a_acls[$id]) {
+ $pconfig = $a_acls[$id];
+ $networkacl = $a_acls[$id]['row'];
 }
 }
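Review bot: The `del` branch performs the `unset($a_acls[$id])`, `write_config()` and `unbound_reconfigure()` on a plain GET, since `$act` is taken from `$_GET['act']` whenever no POST value is present, so any link or image a logged-in admin happens to load can remove an access list; the commit keeps this shape from the code it replaces. The destructive path should only run for a POST (or at least a confirmed request), e.g. `if ($act == "del" && $_SERVER['REQUEST_METHOD'] == "POST") {`, with the delete icon on the list page (hunk at `@@ -818`) submitting a form instead of a GET link; that icon's markup is stripped in this rendering, so the link shape is inferred. `$id` is also read with `$id = $_GET['id'];` without an `isset()` guard, which raises a notice on the bare list view; `$id = isset($_GET['id']) ? $_GET['id'] : null;` keeps the later `isset($id)` checks meaningful.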
@@ -123,134 +78,46 @@ if ($_POST) {
 unset($input_errors);
 $pconfig = $_POST;
- if (isset($id) && $a_client[$id])
- $vpnid = $a_client[$id]['vpnid'];
- else
- $vpnid = 0;
-
- if ($pconfig['mode'] != "p2p_shared_key")
- $tls_mode = true;
- else
- $tls_mode = false;
-
- /* input validation */
- if ($pconfig['local_port']) {
-
- if ($result = openvpn_validate_port($pconfig['local_port'], 'Local port'))
- $input_errors[] = $result;
-
- $portused = openvpn_port_used($pconfig['protocol'], $pconfig['local_port']);
- if (($portused != $vpnid) && ($portused != 0))
- $input_errors[] = gettext("The specified 'Local port' is in use. Please select another value");
- }
-
- if ($result = openvpn_validate_host($pconfig['server_addr'], 'Server host or address'))
- $input_errors[] = $result;
-
- if ($result = openvpn_validate_port($pconfig['server_port'], 'Server port'))
- $input_errors[] = $result;
-
- if ($pconfig['proxy_addr']) {
-
- if ($result = openvpn_validate_host($pconfig['proxy_addr'], 'Proxy host or address'))
- $input_errors[] = $result;
-
- if ($result = openvpn_validate_port($pconfig['proxy_port'], 'Proxy port'))
- $input_errors[] = $result;
-
- if ($pconfig['proxy_authtype'] != "none") {
- if (empty($pconfig['proxy_user']) || empty($pconfig['proxy_passwd']))
- $input_errors[] = gettext("User name and password are required for proxy with authentication.");
+ /* input validation - only allow 50 entries in a single ACL*/
+ for($x=0; $x<50; $x++) {
+ if(isset($pconfig["acl_network{$x}"])) {
+ $networkacl[$x] = array();
+ $networkacl[$x]['acl_network'] = $pconfig["acl_network{$x}"];
+ $networkacl[$x]['mask'] = $pconfig["mask{$x}"];
+ $networkacl[$x]['description'] = $pconfig["description{$x}"];
+ if (!is_ipaddr($networkacl[$x]['acl_network']))
+ $input_errors[] = gettext("You must enter a valid network IP address for {$networkacl[$x]['acl_network']}.");
+
+ if (is_ipaddrv4($networkacl[$x]['acl_network'])) {
+ if 
(!is_subnet($networkacl[$x]['acl_network']."/".$networkacl[$x]['mask']))
+ $input_errors[] = gettext("You must enter a valid IPv4 netmask for {$networkacl[$x]['acl_network']}/{$networkacl[$x]['mask']}.");
+ } else if (function_exists("is_ipaddrv6")) {
+ if (!is_ipaddrv6($networkacl[$x]['acl_network']))
+ $input_errors[] = gettext("You must enter a valid IPv6 address for {$networkacl[$x]['acl_network']}.");
+ else if (!is_subnetv6($networkacl[$x]['acl_network']."/".$networkacl[$x]['mask']))
+ $input_errors[] = gettext("You must enter a valid IPv6 netmask for {$networkacl[$x]['acl_network']}/{$networkacl[$x]['mask']}.");
+ } else
+ $input_errors[] = gettext("You must enter a valid IPv4 address for {$networkacl[$x]['acl_network']}.");
 }
 }
-
- if($pconfig['tunnel_network'])
- if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], 'Tunnel network'))
- $input_errors[] = $result;
-
- if ($result = openvpn_validate_cidr($pconfig['remote_network'], 'Remote network'))
- $input_errors[] = $result;
-
- if ($pconfig['autokey_enable'])
- $pconfig['shared_key'] = openvpn_create_key();
-
- if (!$tls_mode && !$pconfig['autokey_enable'])
- if (!strstr($pconfig['shared_key'], "-----BEGIN OpenVPN Static key V1-----") ||
- !strstr($pconfig['shared_key'], "-----END OpenVPN Static key V1-----"))
- $input_errors[] = gettext("The field 'Shared Key' does not appear to be valid");
-
- if ($tls_mode && $pconfig['tlsauth_enable'] && !$pconfig['autotls_enable'])
- if (!strstr($pconfig['tls'], "-----BEGIN OpenVPN Static key V1-----") ||
- !strstr($pconfig['tls'], "-----END OpenVPN Static key V1-----"))
- $input_errors[] = gettext("The field 'TLS Authentication Key' does not appear to be valid");
-
- /* If we are not in shared key mode, then we need the CA/Cert. 
*/
- if ($pconfig['mode'] != "p2p_shared_key") {
- $reqdfields = explode(" ", "caref certref");
- $reqdfieldsn = array(gettext("Certificate Authority"),gettext("Certificate"));
- } elseif (!$pconfig['autokey_enable']) {
- /* We only need the shared key filled in if we are in shared key mode and autokey is not selected. */
- $reqdfields = array('shared_key');
- $reqdfieldsn = array(gettext('Shared key'));
- }
-
- do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
 if (!$input_errors) {
- $client = array();
-
- if ($vpnid)
- $client['vpnid'] = $vpnid;
- else
- $client['vpnid'] = openvpn_vpnid_next();
-
- if ($_POST['disable'] == "yes")
- $client['disable'] = true;
- $client['protocol'] = $pconfig['protocol'];
- $client['dev_mode'] = $pconfig['dev_mode'];
- list($client['interface'], $client['ipaddr']) = explode ("|",$pconfig['interface']);
- $client['local_port'] = $pconfig['local_port'];
- $client['server_addr'] = $pconfig['server_addr'];
- $client['server_port'] = $pconfig['server_port'];
- $client['resolve_retry'] = $pconfig['resolve_retry'];
- $client['proxy_addr'] = $pconfig['proxy_addr'];
- $client['proxy_port'] = $pconfig['proxy_port'];
- $client['proxy_authtype'] = $pconfig['proxy_authtype'];
- $client['proxy_user'] = $pconfig['proxy_user'];
- $client['proxy_passwd'] = $pconfig['proxy_passwd'];
- $client['description'] = $pconfig['description'];
- $client['mode'] = $pconfig['mode'];
- $client['custom_options'] = str_replace("\r\n", "\n", $pconfig['custom_options']);
-
- if ($tls_mode) {
- $client['caref'] = $pconfig['caref'];
- $client['certref'] = $pconfig['certref'];
- if ($pconfig['tlsauth_enable']) {
- if ($pconfig['autotls_enable'])
- $pconfig['tls'] = openvpn_create_key();
- $client['tls'] = base64_encode($pconfig['tls']);
- }
- } else {
- $client['shared_key'] = base64_encode($pconfig['shared_key']);
- }
- $client['crypto'] = $pconfig['crypto'];
- $client['engine'] = $pconfig['engine'];
-
- $client['tunnel_network'] = 
$pconfig['tunnel_network'];
- $client['remote_network'] = $pconfig['remote_network'];
- $client['compression'] = $pconfig['compression'];
- $client['passtos'] = $pconfig['passtos'];
-
- if (isset($id) && $a_client[$id])
- $a_client[$id] = $client;
- else
- $a_client[] = $client;
-
- openvpn_resync('client', $client);
- write_config();
-
- header("Location: vpn_openvpn_client.php");
+ if(!$a_acls[$id])
+ $a_acls[$id]['aclid'] = $id;
+
+ if (isset($id) && $a_acls[$id]) {
+ $a_acls[$id]['aclid'] = $pconfig['aclid'];
+ $a_acls[$id]['aclname'] = $pconfig['aclname'];
+ $a_acls[$id]['aclaction'] = $pconfig['aclaction'];
+ $a_acls[$id]['description'] = $pconfig['description'];
+ $a_acls[$id]['row'] = array();
+ foreach ($networkacl as $acl)
+ $a_acls[$id]['row'][] = $acl;
+ write_config();
+ unbound_reconfigure();
+ }
+ header("Location: unbound_acls.php");
 exit;
 }
 }
@@ -260,7 +127,31 @@ $pgtitle = "Services: Unbound DNS Forwarder: Access Lists";
 include("head.inc");
 ?>
+ + + + + +
@@ -291,476 +183,119 @@ if ($savemsg) -
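Review bot: `$a_acls[$id]['aclaction'] = $pconfig['aclaction'];` stores the posted action without checking it against the options the form offers; the validation loop above covers only the per-row `acl_network`/`mask` fields, and `aclname`/`description` are copied unvalidated the same way. If `unbound_reconfigure()` (defined in unbound.inc, outside this diff) renders these values into unbound's `access-control:` lines, an unexpected or multi-line value would land in the generated config, so reject it before the save: `if (!in_array($pconfig['aclaction'], $valid_actions, true)) $input_errors[] = gettext("Invalid access list action.");` where `$valid_actions` holds the select's option values. `$networkacl` is assigned only inside the loop, so a POST with no rows reaches `foreach ($networkacl as $acl)` with an undefined variable; add `$networkacl = array();` before the `for`. The `aclid` set from `$id` two lines earlier is then overwritten with `$pconfig['aclid']`, which comes from the same POST and is never checked to equal the array key `$id` the entry is stored under.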
+ + + + - - - - - + - + - - - - - - - - - + - - - - - - - - - - - - - - - - - - - - - - - - - - + - + - + - - - - - - - -
- - - - - -
- - /> - -   - -
-
-
- . -
- + +
+
- -
- -
- + + -
-
- +
- -
- -
- -
- -
- -
- - - - - -
- -   :  - - - -
-
- - - - - - - - - - + +
+ Deny: This actions stops queries from hosts within the netblock defined below.");?>
+ Refuse: This actions also stops queries from hosts within the netblock defined below, but sends back DNS rcode REFUSED error message back tot eh client.");?>
+ Allow: This actions allows queries from hosts within the netblock defined below.");?>
+ Allow Snoop: This actions allows recursive and nonrecursive access from hosts within the netblock defined below. Used for cache snooping and ideally should only be configured for your administrative host.");?>
+
- + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + +
+ + - - + + + -
- - > - - - - -
- . -
- -
- . -
- - - - - -
- - onClick="tlsauth_change()"> - - - . - -
- - - - - - -
- - onClick="autotls_change()"> - - - . - -
- - + + + - -
- -
- . +
-
- - - - No Certificate Authorities defined.
Create one under System > Cert Manager. - -
- - - - No Certificates defined.
Create one under System > Cert Manager. - -
- - - - -
- - onClick="autokey_change()"> + - - . - +
- - - -
- -
- . +
-
- -
- -
- -
- . -
- -
- . -
- -
- . -
- - - - - -
- - > - - - . - -
+
+ + " /> + + +
- - - - - -
- - > - - - . - -
+ +
+
 
- - - - -
-
-
- -
-
  - "> - - - - + +  
  + "> " onclick="history.back()">
@@ -781,23 +316,16 @@ if ($savemsg) - + - - - - + - + @@ -818,7 +346,7 @@ if ($savemsg) - " width="17" height="17" border="0"> + " width="17" height="17" border="0"> @@ -837,24 +365,7 @@ if ($savemsg) - - \ No newline at end of file -- cgit v1.2.3