/**
 * Remove the kernel route(s) that belong to one configured static route.
 *
 * The entry is looked up in the global $a_routes list. When its 'network'
 * value is an alias, the alias is expanded member by member: a bare IPv4
 * address gets "/32" appended, a bare IPv6 address gets "/128", and any
 * member that is_subnet() still rejects afterwards is skipped. A non-alias
 * value is used as-is.
 *
 * Every destination is quoted with escapeshellarg() before it is placed on
 * the /sbin/route command line.
 *
 * @param mixed $id Key of the entry in $a_routes; unknown keys are ignored.
 * @return void
 */
function delete_static_route($id)
{
    global $config, $a_routes, $changedesc_prefix;

    if (!isset($a_routes[$id])) {
        return;
    }

    $network = $a_routes[$id]['network'];
    $destinations = array();

    if (!is_alias($network)) {
        $destinations[] = $network;
    } else {
        foreach (filter_expand_alias_array($network) as $member) {
            // Turn single hosts into host routes so they pass the subnet check.
            if (is_ipaddrv4($member)) {
                $member = $member . "/32";
            } elseif (is_ipaddrv6($member)) {
                $member = $member . "/128";
            }
            if (is_subnet($member)) {
                $destinations[] = $member;
            }
        }
    }

    foreach ($destinations as $destination) {
        // Address family flag for route(8), chosen from the destination itself.
        $af_flag = "-inet";
        if (is_subnetv6($destination)) {
            $af_flag = "-inet6";
        }
        mwexec("/sbin/route delete {$af_flag} " . escapeshellarg($destination));
    }
}
/**
 * Delete one gateway from the global configuration.
 *
 * Before the entry is dropped, the route for its monitor address is removed
 * with /sbin/route when the monitor is set, is not "dynamic", is an IP
 * address and differs from the gateway address. If the interface named by
 * 'friendlyiface' references this gateway by name, that reference is
 * cleared too.
 *
 * @param int   $id         index of the entry in $a_gateways
 * @param array $a_gateways gateway list
 * @return void
 */
function delete_gateway_item($id, $a_gateways)
{
    global $config;

    if (!isset($a_gateways[$id])) {
        return;
    }
    $entry = $a_gateways[$id];

    /* NOTE: Cleanup static routes for the monitor ip if any */
    $has_own_monitor = !empty($entry['monitor'])
        && $entry['monitor'] != "dynamic"
        && is_ipaddr($entry['monitor'])
        && $entry['gateway'] != $entry['monitor'];
    if ($has_own_monitor) {
        // The address is shell-quoted; only IPv6 needs an explicit family flag here.
        $family_args = is_ipaddrv4($entry['monitor']) ? "" : "-inet6 ";
        mwexec("/sbin/route delete " . $family_args . escapeshellarg($entry['monitor']));
    }

    $iface = $entry['friendlyiface'];
    if ($config['interfaces'][$iface]['gateway'] == $entry['name']) {
        unset($config['interfaces'][$iface]['gateway']);
    }

    unset($config['gateways']['gateway_item'][$entry['attribute']]);
}
 if ($_POST['domainsearchlist']) {
     $domain_array = preg_split("/[ ;]+/", $_POST['domainsearchlist']);
     foreach ($domain_array as $curdomain) {
         if (!is_domain($curdomain)) {
             $input_errors[] = gettext("A valid domain search list must be specified.");
             break;
         }
     }
 }
 if ($_POST['ntp1'] && !is_ipaddrv4($_POST['ntp1']) || $_POST['ntp2'] && !is_ipaddrv4($_POST['ntp2'])) {
     $input_errors[] = gettext("A valid IP address must be specified for the primary/secondary NTP servers.");
 }
 if ($_POST['tftp'] && !is_ipaddrv4($_POST['tftp']) && !is_domain($_POST['tftp']) && !is_URL($_POST['tftp'])) {
     $input_errors[] = gettext("A valid IP address or hostname must be specified for the TFTP server.");
 }
 if ($_POST['nextserver'] && !is_ipaddrv4($_POST['nextserver'])) {
     $input_errors[] = gettext("A valid IP address must be specified for the network boot server.");
 }
 if (!$input_errors) {
     $mapent = array();
     $mapent['mac'] = $_POST['mac'];
     $mapent['cid'] = $_POST['cid'];
     $mapent['ipaddr'] = $_POST['ipaddr'];
     $mapent['hostname'] = $_POST['hostname'];
     $mapent['descr'] = $_POST['descr'];
     $mapent['arp_table_static_entry'] = $_POST['arp_table_static_entry'] ? true : false;
     $mapent['filename'] = $_POST['filename'];
     $mapent['rootpath'] = $_POST['rootpath'];
     $mapent['defaultleasetime'] = $_POST['deftime'];
     $mapent['maxleasetime'] = $_POST['maxtime'];
     unset($mapent['winsserver']);
	unset($input_errors);
	unset($do_traceroute);

	/* input validation */
	$reqdfields = explode(" ", "host ttl");
	$reqdfieldsn = array(gettext("Host"),gettext("ttl"));
	do_input_validation($_REQUEST, $reqdfields, $reqdfieldsn, $input_errors);

	if (($_REQUEST['ttl'] < 1) || ($_REQUEST['ttl'] > MAX_TTL)) {
		$input_errors[] = sprintf(gettext("Maximum number of hops must be between 1 and %s"), MAX_TTL);
	}
	$host = trim($_REQUEST['host']);
	$ipproto = $_REQUEST['ipproto'];
	if (($ipproto == "ipv4") && is_ipaddrv6($host))
		$input_errors[] = gettext("When using IPv4, the target host must be an IPv4 address or hostname.");
	if (($ipproto == "ipv6") && is_ipaddrv4($host))
		$input_errors[] = gettext("When using IPv6, the target host must be an IPv6 address or hostname.");

	if (!$input_errors) {
		$sourceip = $_REQUEST['sourceip'];
		$do_traceroute = true;
		$ttl = $_REQUEST['ttl'];
		$resolve = $_REQUEST['resolve'];
	}
} else
	$resolve = true;

if (!isset($do_traceroute)) {
	$do_traceroute = false;
	$host = '';
	$ttl = DEFAULT_TTL;
$section->addInput(new Form_Input('domain', 'Domain', 'text', $pconfig['domain'], ['placeholder' => 'mycorp.com, home, office, private, etc.']))->setHelp('Do not use \'local\' as a domain name. It will cause local ' . 'hosts running mDNS (avahi, bonjour, etc.) to be unable to resolve ' . 'local hosts not running mDNS.');
$form->add($section);
$section = new Form_Section('DNS Server Settings');
// Build one form group per DNS server slot (1-4). Only the last row carries
// the column captions and the section-wide help text.
for ($i = 1; $i < 5; $i++) {
    //	if (!isset($pconfig['dns'.$i]))
    //		continue;
    $caption_row = ($i == 4);
    $dns_key = "dns{$i}";
    $gw_key = "{$dns_key}gw";

    $group = new Form_Group("DNS Server {$i}");

    $dns_input = new Form_Input($dns_key, 'DNS Server', 'text', $pconfig[$dns_key]);
    $group->add($dns_input)->setHelp($caption_row ? 'Address' : null);

    $help = "Enter IP addresses to be used by the system for DNS resolution. These are also used for the DHCP service, DNS forwarder and for PPTP VPN clients.";

    if ($multiwan) {
        $options = array('none' => 'none');
        foreach ($arr_gateways as $gwname => $gwitem) {
            // Leave out gateways whose address family differs from the
            // family of the gateway looked up via $pconfig[$dnsgw].
            // NOTE(review): $dnsgw is not assigned anywhere in the visible
            // code - confirm it is set for the current slot before this loop.
            $family_mismatch =
                (is_ipaddrv4(lookup_gateway_ip_by_name($pconfig[$dnsgw])) && is_ipaddrv6($gwitem['gateway']))
                || (is_ipaddrv6(lookup_gateway_ip_by_name($pconfig[$dnsgw])) && is_ipaddrv4($gwitem['gateway']));
            if (!$family_mismatch) {
                $options[$gwname] = "{$gwname} - {$gwitem['friendlyiface']} - {$gwitem['gateway']}";
            }
        }

        $gw_select = new Form_Select($gw_key, 'Gateway', $pconfig[$gw_key], $options);
        $group->add($gw_select)->setHelp($caption_row ? 'Gateway' : null);

        // The help text carries markup ('<br/>'), so it is composed as HTML.
        $help .= '<br/>' . "In addition, optionally select the gateway for each DNS server. When using multiple WAN connections there should be at least one unique DNS server per gateway.";
    }

    if ($caption_row) {
        $group->setHelp($help);
    }

    $section->add($group);
}
$section->addInput(new Form_Checkbox('dnsallowoverride', 'DNS Server Override', 'Allow DNS server list to be overridden by DHCP/PPP on WAN', $pconfig['dnsallowoverride']))->setHelp(sprintf(gettext('If this option is set, %s will use DNS servers ' . 'assigned by a DHCP/PPP server on WAN for its own purposes (including ' . 'the DNS forwarder). However, they will not be assigned to DHCP and PPTP ' . 'VPN clients.'), $g['product_name']));
$section->addInput(new Form_Checkbox('dnslocalhost', 'Disable DNS Forwarder', 'Do not use the DNS Forwarder as a DNS server for the firewall', $pconfig['dnslocalhost']))->setHelp('By default localhost (127.0.0.1) will be used as the first DNS ' . 'server where the DNS Forwarder or DNS Resolver is enabled and set to ' . 'listen on Localhost, so system can use the local DNS service to perform ' . 'lookups. Checking this box omits localhost from the list of DNS servers.');
$form->add($section);
     $reqdfieldsn = array(gettext('Shared key'));
 }
 if ($pconfig['dev_mode'] != "tap") {
     $reqdfields[] = 'tunnel_network';
     $reqdfieldsn[] = gettext('Tunnel network');
 } else {
     if ($pconfig['serverbridge_dhcp'] && $pconfig['tunnel_network']) {
         $input_errors[] = gettext("Using a tunnel network and server bridge settings together is not allowed.");
     }
     if ($pconfig['serverbridge_dhcp_start'] && !$pconfig['serverbridge_dhcp_end'] || !$pconfig['serverbridge_dhcp_start'] && $pconfig['serverbridge_dhcp_end']) {
         $input_errors[] = gettext("Server Bridge DHCP Start and End must both be empty, or defined.");
     }
     if ($pconfig['serverbridge_dhcp_start'] && !is_ipaddrv4($pconfig['serverbridge_dhcp_start'])) {
         $input_errors[] = gettext("Server Bridge DHCP Start must be an IPv4 address.");
     }
     if ($pconfig['serverbridge_dhcp_end'] && !is_ipaddrv4($pconfig['serverbridge_dhcp_end'])) {
         $input_errors[] = gettext("Server Bridge DHCP End must be an IPv4 address.");
     }
     if (ip2ulong($pconfig['serverbridge_dhcp_start']) > ip2ulong($pconfig['serverbridge_dhcp_end'])) {
         $input_errors[] = gettext("The Server Bridge DHCP range is invalid (start higher than end).");
     }
 }
 do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors);
 if (count($input_errors) == 0) {
     // validation correct, save data
     $server = array();
     // delete(rename) old interface so a new TUN or TAP interface can be created.
     if (isset($id) && $pconfig['dev_mode'] != $a_server[$id]['dev_mode']) {
         openvpn_delete('server', $a_server[$id]);
     }
     // 1 on 1 copy of config attributes
     $tls_mode = true;
 } else {
     $tls_mode = false;
 }
 // generate new key
 if (!empty($pconfig['autokey_enable'])) {
     $pconfig['shared_key'] = openvpn_create_key();
 }
 /* input validation */
 if (strpos($pconfig['interface'], '|') !== false) {
     list($iv_iface, $iv_ip) = explode("|", $pconfig['interface']);
 } else {
     $iv_iface = $pconfig['interface'];
     $iv_ip = null;
 }
 if (is_ipaddrv4($iv_ip) && stristr($pconfig['protocol'], "6") !== false) {
     $input_errors[] = gettext("Protocol and IP address families do not match. You cannot select an IPv6 protocol and an IPv4 IP address.");
 } elseif (is_ipaddrv6($iv_ip) && stristr($pconfig['protocol'], "6") === false) {
     $input_errors[] = gettext("Protocol and IP address families do not match. You cannot select an IPv4 protocol and an IPv6 IP address.");
 } elseif (stristr($pconfig['protocol'], "6") === false && !get_interface_ip($iv_iface) && $pconfig['interface'] != "any") {
     $input_errors[] = gettext("An IPv4 protocol was selected, but the selected interface has no IPv4 address.");
 } elseif (stristr($pconfig['protocol'], "6") !== false && !get_interface_ipv6($iv_iface) && $pconfig['interface'] != "any") {
     $input_errors[] = gettext("An IPv6 protocol was selected, but the selected interface has no IPv6 address.");
 }
 if (!empty($pconfig['local_port'])) {
     if (empty($pconfig['local_port']) || !is_numeric($pconfig['local_port']) || $pconfig['local_port'] < 0 || $pconfig['local_port'] > 65535) {
         $input_errors[] = "The field Local port must contain a valid port, ranging from 0 to 65535.";
     }
     $portused = openvpn_port_used($pconfig['protocol'], $pconfig['interface'], $pconfig['local_port'], $vpnid);
     if ($portused != $vpnid && $portused != 0) {
         $input_errors[] = gettext("The specified 'Local port' is in use. Please select another value");
/**
 * Build the option list of selectable addresses: the fixed 'address' entry
 * ("Interface Address") followed by one "<vip> - <address>" entry per item
 * of the global $carplist.
 *
 * NOTE(review): $gateway is read below but is neither a parameter nor
 * declared global in this function, so it is undefined in this scope. Both
 * address-family comparisons therefore evaluate to false and no entry is
 * ever filtered out. If filtering by the gateway's address family is
 * intended, the value has to be brought into scope - confirm with the caller.
 *
 * @return array map of option value => label
 */
function build_carp_list()
{
    global $carplist;
    $list = array('address' => gettext('Interface Address'));
    foreach ($carplist as $vip => $address) {
        // Intended: skip non-IPv4 addresses for an IPv4 gateway (see NOTE above).
        if ($gateway['ipprotocol'] == "inet" && !is_ipaddrv4($address)) {
            continue;
        }
        // Intended: skip non-IPv6 addresses for an IPv6 gateway (see NOTE above).
        if ($gateway['ipprotocol'] == "inet6" && !is_ipaddrv6($address)) {
            continue;
        }
        $list[$vip] = "{$vip} - {$address}";
    }
    return $list;
}
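 /* Only keep a monitor value that parses as an IP address. */
 if (is_ipaddr($_POST['monitor'])) {
     $gateway['monitor'] = $_POST['monitor'];
 }
 /*
  * A loose "> 0" comparison on its own lets non-numeric request data
  * through (for example a value with a numeric prefix), and the raw string
  * is then stored in the gateway entry. Require is_numeric() first so only
  * a number is persisted. Any earlier validation of this field is outside
  * this excerpt.
  */
 if (isset($_POST['data_payload']) && is_numeric($_POST['data_payload']) && $_POST['data_payload'] > 0) {
     $gateway['data_payload'] = $_POST['data_payload'];
 }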
 /* NOTE: If gateway ip is changed need to cleanup the old static interface route */
 if ($_POST['monitor'] != "dynamic" && !empty($a_gateway_item[$realid]) && is_ipaddr($a_gateway_item[$realid]['gateway']) && $gateway['gateway'] != $a_gateway_item[$realid]['gateway'] && isset($a_gateway_item[$realid]["nonlocalgateway"])) {
     $realif = get_real_interface($a_gateway_item[$realid]['interface']);
     $inet = !is_ipaddrv4($a_gateway_item[$realid]['gateway']) ? "-inet6" : "-inet";
     $cmd = "/sbin/route delete {$inet} " . escapeshellarg($a_gateway_item[$realid]['gateway']) . " -iface " . escapeshellarg($realif);
     mwexec($cmd);
 }
 /* NOTE: If monitor ip is changed need to cleanup the old static route */
 if ($_POST['monitor'] != "dynamic" && !empty($a_gateway_item[$realid]) && is_ipaddr($a_gateway_item[$realid]['monitor']) && $_POST['monitor'] != $a_gateway_item[$realid]['monitor'] && $gateway['gateway'] != $a_gateway_item[$realid]['monitor']) {
     if (is_ipaddrv4($a_gateway_item[$realid]['monitor'])) {
         mwexec("/sbin/route delete " . escapeshellarg($a_gateway_item[$realid]['monitor']));
     } else {
         mwexec("/sbin/route delete -inet6 " . escapeshellarg($a_gateway_item[$realid]['monitor']));
     }
 }
 if ($_POST['defaultgw'] == "yes" || $_POST['defaultgw'] == "on") {
     $i = 0;
     /* remove the default gateway bits for all gateways with the same address family */
     foreach ($a_gateway_item as $gw) {
         if ($gateway['ipprotocol'] == $gw['ipprotocol']) {
             unset($config['gateways']['gateway_item'][$i]['defaultgw']);
             if ($gw['interface'] != $_POST['interface'] && $gw['defaultgw']) {
                 $reloadif = $gw['interface'];
             }
         }
 }
 if (is_ipaddr($pconfig['src']) && is_ipaddr($pconfig['dst'])) {
     if (!validate_address_family($pconfig['src'], $pconfig['dst'])) {
         $input_errors[] = sprintf(gettext("The Source IP address %s Address Family differs from the destination %s."), $pconfig['src'], $pconfig['dst']);
     }
     if ((is_ipaddrv6($pconfig['src']) || is_ipaddrv6($pconfig['dst'])) && $pconfig['ipprotocol'] == "inet") {
         $input_errors[] = gettext("You can not use IPv6 addresses in IPv4 rules.");
     }
     if ((is_ipaddrv4($pconfig['src']) || is_ipaddrv4($pconfig['dst'])) && $pconfig['ipprotocol'] == "inet6") {
         $input_errors[] = gettext("You can not use IPv4 addresses in IPv6 rules.");
     }
 }
 if (is_ipaddrv4($pconfig['src']) && $pconfig['srcmask'] > 32) {
     $input_errors[] = gettext("Invalid subnet mask on IPv4 source");
 }
 if (is_ipaddrv4($pconfig['dst']) && $pconfig['dstmask'] > 32) {
     $input_errors[] = gettext("Invalid subnet mask on IPv4 destination");
 }
 if ((is_ipaddr($pconfig['src']) || is_ipaddr($pconfig['dst'])) && $pconfig['ipprotocol'] == "inet46") {
     $input_errors[] = gettext("You can not use a IPv4 or IPv6 address in combined IPv4 + IPv6 rules.");
 }
 if (!empty($pconfig['os'])) {
     if ($pconfig['protocol'] != "tcp") {
         $input_errors[] = gettext("OS detection is only valid with protocol tcp.");
     }
     if (!in_array($pconfig['os'], $ostypes)) {
         $input_errors[] = gettext("Invalid OS detection selection. Please select a valid OS.");
     }
 }
 if (!empty($pconfig['floating']) && !empty($pconfig['gateway']) && (empty($pconfig['direction']) || $pconfig['direction'] == "any")) {
     $input_errors[] = gettext("You can not use gateways in Floating rules without choosing a direction.");
 if ($_POST['gateway'] && !is_ipaddrv6($_POST['gateway'])) {
     $input_errors[] = gettext("A valid IPv6 address must be specified for the gateway.");
 }
 if ($_POST['dns1'] && !is_ipaddrv6($_POST['dns1']) || $_POST['dns2'] && !is_ipaddrv6($_POST['dns2']) || $_POST['dns3'] && !is_ipaddrv6($_POST['dns3']) || $_POST['dns4'] && !is_ipaddrv6($_POST['dns4'])) {
     $input_errors[] = gettext("A valid IPv6 address must be specified for each of the DNS servers.");
 }
 if ($_POST['deftime'] && (!is_numeric($_POST['deftime']) || $_POST['deftime'] < 60)) {
     $input_errors[] = gettext("The default lease time must be at least 60 seconds.");
 }
 if ($_POST['maxtime'] && (!is_numeric($_POST['maxtime']) || $_POST['maxtime'] < 60 || $_POST['maxtime'] <= $_POST['deftime'])) {
     $input_errors[] = gettext("The maximum lease time must be at least 60 seconds and higher than the default lease time.");
 }
 if ($_POST['ddnsdomain'] && !is_domain($_POST['ddnsdomain'])) {
     $input_errors[] = gettext("A valid domain name must be specified for the dynamic DNS registration.");
 }
 if ($_POST['ddnsdomain'] && !is_ipaddrv4($_POST['ddnsdomainprimary'])) {
     $input_errors[] = gettext("A valid primary domain name server IPv4 address must be specified for the dynamic domain name.");
 }
 if ($_POST['ddnsdomainkey'] && !$_POST['ddnsdomainkeyname'] || $_POST['ddnsdomainkeyname'] && !$_POST['ddnsdomainkey']) {
     $input_errors[] = gettext("You must specify both a valid domain key and key name.");
 }
 if ($_POST['domainsearchlist']) {
     $domain_array = preg_split("/[ ;]+/", $_POST['domainsearchlist']);
     foreach ($domain_array as $curdomain) {
         if (!is_domain($curdomain)) {
             $input_errors[] = gettext("A valid domain search list must be specified.");
             break;
         }
     }
 }
 if ($_POST['ntp1'] && !is_ipaddrv6($_POST['ntp1']) || $_POST['ntp2'] && !is_ipaddrv6($_POST['ntp2'])) {
			}
			//]]>
			</script>
		<?php 
    echo "<textarea id=\"testportCaptured\" style=\"width:98%\" name=\"code\" rows=\"15\" cols=\"66\" readonly=\"readonly\">";
    $result = "";
    $nc_base_cmd = "/usr/bin/nc";
    $nc_args = "-w " . escapeshellarg($timeout);
    if (!$showtext) {
        $nc_args .= " -z ";
    }
    if (!empty($srcport)) {
        $nc_args .= " -p " . escapeshellarg($srcport) . " ";
    }
    /* Attempt to determine the interface address, if possible. Else try both. */
    if (is_ipaddrv4($host)) {
        $ifaddr = $sourceip == "any" ? "" : get_interface_ip($sourceip);
        $nc_args .= " -4";
    } elseif (is_ipaddrv6($host)) {
        if ($sourceip == "any") {
            $ifaddr = "";
        } else {
            if (is_linklocal($sourceip)) {
                $ifaddr = $sourceip;
            } else {
                $ifaddr = get_interface_ipv6($sourceip);
            }
        }
        $nc_args .= " -6";
    } else {
        switch ($ipprotocol) {
if (empty($suricatacfg['libhtp_policy']['item'])) {
    $http_hosts_default_policy = "default-config:\n     personality: IDS\n     request-body-limit: 4096\n     response-body-limit: 4096\n";
    $http_hosts_default_policy .= "     double-decode-path: no\n     double-decode-query: no\n     uri-include-all: no\n";
} else {
    foreach ($suricatacfg['libhtp_policy']['item'] as $k => $v) {
        if ($v['bind_to'] != "all") {
            $engine = "server-config:\n     - {$v['name']}:\n";
            $tmp = trim(filter_expand_alias($v['bind_to']));
            if (!empty($tmp)) {
                $engine .= "         address: [";
                $tmp = preg_replace('/\\s+/', ',', $tmp);
                $list = explode(',', $tmp);
                foreach ($list as $addr) {
                    if (is_ipaddrv6($addr) || is_subnetv6($addr)) {
                        $engine .= "\"{$addr}\", ";
                    } elseif (is_ipaddrv4($addr) || is_subnetv4($addr)) {
                        $engine .= "{$addr}, ";
                    } else {
                        log_error("[suricata] WARNING: invalid IP address value '{$addr}' in Alias {$v['bind_to']} will be ignored.");
                        continue;
                    }
                }
                $engine = trim($engine, ' ,');
                $engine .= "]\n";
                $engine .= "         personality: {$v['personality']}\n         request-body-limit: {$v['request-body-limit']}\n";
                $engine .= "         response-body-limit: {$v['response-body-limit']}\n";
                $engine .= "         double-decode-path: {$v['double-decode-path']}\n";
                $engine .= "         double-decode-query: {$v['double-decode-query']}\n";
                $engine .= "         uri-include-all: {$v['uri-include-all']}\n";
                $http_hosts_policy .= "   {$engine}\n";
            } else {
         $hostname = "";
     }
     $src_icons = "";
     $dst_icons = $alert_ip . "&nbsp;" . $supp_ip . "&nbsp;";
 }
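 // Determine Country Code of Host
 // $host ends up on a shell command line. Only the first branch has been
 // checked by is_ipaddrv4(); the else branch receives whatever $host holds,
 // so the value is quoted with escapeshellarg() in both cases.
 // NOTE(review): the lookup binary and data file paths are interpolated
 // unquoted - presumably fixed configuration values; confirm.
 $host_arg = escapeshellarg($host);
 if (is_ipaddrv4($host)) {
     // exec() returns the last line of output; substr() takes two characters
     // at a fixed offset (presumably the country code in the tool's output).
     $country = substr(exec("{$pathgeoip} -f {$pathgeoipdat} {$host_arg}"), 23, 2);
 } else {
     $country = substr(exec("{$pathgeoip6} -f {$pathgeoipdat6} {$host_arg}"), 26, 2);
 }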
 // IP Query Grep Exclusion
 $pfb_ex1 = "grep -v 'pfB\\_\\|\\_v6\\.txt'";
 $pfb_ex2 = "grep -v 'pfB\\_\\|/32\\|/24\\|\\_v6\\.txt' | grep -m1 '/'";
 // Find List which contains Blocked IP Host
 if (is_ipaddrv4($host) && $pfb_query != "Country") {
     // Search for exact IP Match
     $host1 = preg_replace("/(\\d{1,3})\\.(\\d{1,3}).(\\d{1,3}).(\\d{1,3})/", '\'$1\\.$2\\.$3\\.$4\'', $host);
     $pfb_query = exec("/usr/bin/grep -rHm1 {$host1} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\\///' -e 's/:.*//' -e 's/\\..*/ /' | {$pfb_ex1}");
     // Search for IP in /24 CIDR
     if (empty($pfb_query)) {
         $host1 = preg_replace("/(\\d{1,3})\\.(\\d{1,3}).(\\d{1,3}).(\\d{1,3})/", '\'$1\\.$2\\.$3\\.0/24\'', $host);
         $pfb_query = exec("/usr/bin/grep -rHm1 {$host1} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\\///' -e 's/\\.txt:/ /' | {$pfb_ex1}");
     }
     // Search for First Two IP Octets in CIDR Matches Only. Skip any pfB (Country Lists) or /32,/24 Addresses.
     if (empty($pfb_query)) {
         $host1 = preg_replace("/(\\d{1,3})\\.(\\d{1,3}).(\\d{1,3}).(\\d{1,3})/", '\'^$1\\.$2\\.\'', $host);
         $pfb_query = exec("/usr/bin/grep -rH {$host1} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\\///' -e 's/\\.txt:/ /' | {$pfb_ex2}");
     }
     // Search for First Two IP Octets in CIDR Matches Only (Subtract 1 from second Octet on each loop).
     // Skip (Country Lists) or /32,/24 Addresses.
									</tr>
									<tr>
										<td width="22%" valign="top" class="vncell"><?php 
echo gettext("IPv4 Upstream Gateway");
?>
</td>
										<td width="78%" class="vtable">
											<select name="gateway" class="formselect" id="gateway">
												<option value="none" selected="selected"><?php 
echo gettext("None");
?>
</option>
												<?php 
if (count($a_gateways) > 0) {
    foreach ($a_gateways as $gateway) {
        if ($gateway['interface'] == $if && is_ipaddrv4($gateway['gateway'])) {
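            // The gateway name is written into a double-quoted HTML attribute,
            // so it is escaped with htmlspecialchars() exactly like the visible
            // label a few lines below. Whether names are restricted to a safe
            // character set when saved is not visible in this excerpt.
            ?>
														<option value="<?php 
            echo htmlspecialchars($gateway['name']);
            ?>
" <?php 
            // Pre-select the option that matches the stored gateway.
            if ($gateway['name'] == $pconfig['gateway']) {
                echo "selected=\"selected\"";
            }
            ?>
>
															<?php 
            echo htmlspecialchars($gateway['name']) . " - " . htmlspecialchars($gateway['gateway']);
            ?>
														</option>
												<?php 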
    }
    ?>
                              <option value="address" <?php 
    echo $selected_key == "address" ? "selected=\"selected\"" : "";
    ?>
 >
                                <?php 
    echo gettext("Interface Address");
    ?>
                              </option>
<?php 
    foreach (get_configured_carp_interface_list() as $vip => $address) {
        if (!preg_match("/^{$gateway['friendlyiface']}_/i", $vip)) {
            continue;
        }
        if ($gateway['ipprotocol'] == "inet" && !is_ipaddrv4($address)) {
            continue;
        }
        if ($gateway['ipprotocol'] == "inet6" && !is_ipaddrv6($address)) {
            continue;
        }
        ?>
                                  <option value="<?php 
        echo $vip;
        ?>
" <?php 
        echo $selected_key == $vip ? "selected=\"selected\"" : "";
        ?>
 >
                                    <?php 
        echo $vip;
    $pconfig['link1'] = isset($a_gifs[$id]['link1']);
    $pconfig['link0'] = isset($a_gifs[$id]['link0']);
    $pconfig['descr'] = $a_gifs[$id]['descr'];
}
if ($_POST) {
    unset($input_errors);
    $pconfig = $_POST;
    /* input validation */
    $reqdfields = explode(" ", "if tunnel-remote-addr tunnel-remote-net tunnel-local-addr");
    $reqdfieldsn = array(gettext("Parent interface,Local address, Remote tunnel address, Remote tunnel network, Local tunnel address"));
    do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
    if (!is_ipaddr($_POST['tunnel-local-addr']) || !is_ipaddr($_POST['tunnel-remote-addr']) || !is_ipaddr($_POST['remote-addr'])) {
        $input_errors[] = gettext("The tunnel local and tunnel remote fields must have valid IP addresses.");
    }
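    // The 'if' field has the form "<interface>|<ip>" when an alias address is
    // selected. strstr() returns the remainder *including* the '|' separator,
    // so the raw result can never be a bare IP address and the family check
    // below would never trigger (assuming is_ipaddrv4()/is_ipaddrv6(), which
    // are not shown here, reject a leading '|'). Strip the separator first.
    // $alias itself is left untouched in case code outside this excerpt reads it.
    $alias = strstr($_POST['if'], '|');
    $alias_ip = ($alias === false) ? '' : substr($alias, 1);
    if (is_ipaddrv4($alias_ip) && !is_ipaddrv4($_POST['remote-addr']) || is_ipaddrv6($alias_ip) && !is_ipaddrv6($_POST['remote-addr'])) {
        $input_errors[] = gettext("The alias IP address family has to match the family of the remote peer address.");
    }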
    foreach ($a_gifs as $gif) {
        if (isset($id) && $a_gifs[$id] && $a_gifs[$id] === $gif) {
            continue;
        }
        /* FIXME: needs to perform proper subnet checks in the future */
        if ($gif['if'] == $interface && $gif['tunnel-remote-addr'] == $_POST['tunnel-remote-addr']) {
            $input_errors[] = sprintf(gettext("A gif with the network %s is already defined."), $gif['tunnel-remote-addr']);
            break;
        }
    }
    if (!$input_errors) {
        $gif = array();
        list($gif['if'], $gif['ipaddr']) = explode("|", $_POST['if']);
}
if ($_POST) {
    unset($input_errors);
    $pconfig = $_POST;
    /* input validation */
    $reqdfields = explode(" ", "if remote-addr tunnel-local-addr tunnel-remote-addr tunnel-remote-net");
    $reqdfieldsn = array(gettext("Parent interface"), gettext("Remote tunnel endpoint IP address"), gettext("Local tunnel IP address"), gettext("Remote tunnel IP address"), gettext("Remote tunnel network"));
    do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
    if (!is_ipaddr($_POST['tunnel-local-addr']) || !is_ipaddr($_POST['tunnel-remote-addr']) || !is_ipaddr($_POST['remote-addr'])) {
        $input_errors[] = gettext("The tunnel local and tunnel remote fields must have valid IP addresses.");
    }
    if (!is_numericint($_POST['tunnel-remote-net'])) {
        $input_errors[] = gettext("The GRE tunnel subnet must be an integer.");
    }
    if (is_ipaddrv4($_POST['tunnel-local-addr'])) {
        if (!is_ipaddrv4($_POST['tunnel-remote-addr'])) {
            $input_errors[] = gettext("The GRE Tunnel remote address must be IPv4 where tunnel local address is IPv4.");
        }
        if ($_POST['tunnel-remote-net'] > 32 || $_POST['tunnel-remote-net'] < 1) {
            $input_errors[] = gettext("The GRE tunnel subnet must be an integer between 1 and 32.");
        }
    }
    if (is_ipaddrv6($_POST['tunnel-local-addr'])) {
        if (!is_ipaddrv6($_POST['tunnel-remote-addr'])) {
            $input_errors[] = gettext("The GRE Tunnel remote address must be IPv6 where tunnel local address is IPv6.");
        }
        if ($_POST['tunnel-remote-net'] > 128 || $_POST['tunnel-remote-net'] < 1) {
            $input_errors[] = gettext("The GRE tunnel subnet must be an integer between 1 and 128.");
        }
    }
    foreach ($a_gres as $gre) {
				<?php if (is_subsystem_dirty('staticmaps')): ?><br/>
				<?php print_info_box_np(gettext("The static mapping configuration has been changed") . ".<br />" . gettext("You must apply the changes in order for them to take effect."));?><br />
				<?php endif; ?>

			    <section class="col-xs-12">


					<?php
						/* active tabs */
						$tab_array = array();
						$tabscounter = 0;
						$i = 0;
						foreach ($iflist as $ifent => $ifname) {
							$oc = $config['interfaces'][$ifent];
							if ((is_array($config['dhcpd'][$ifent]) && !isset($config['dhcpd'][$ifent]['enable']) && (!is_ipaddrv4($oc['ipaddr']))) ||
								(!is_array($config['dhcpd'][$ifent]) && (!is_ipaddrv4($oc['ipaddr']))))
								continue;
							if ($ifent == $if)
								$active = true;
							else
								$active = false;
							$tab_array[] = array($ifname, $active, "services_dhcp.php?if={$ifent}");
							$tabscounter++;
						}
						if ($tabscounter == 0) {
							echo "</section>";
							echo "</div>";
							echo "</div>";
							echo "</section>";
							include("foot.inc");
							exit;
                     $input_errors[] = gettext("A valid NAT local network IPv6 address must be specified or you need to change Mode to IPv4");
                 }
                 break;
         }
     }
     switch ($pconfig['remoteid_type']) {
         case "network":
             if ($pconfig['remoteid_netbits'] != 0 && !$pconfig['remoteid_netbits'] || !is_numeric($pconfig['remoteid_netbits'])) {
                 $input_errors[] = gettext("A valid remote network bit count must be specified.");
             }
             // address rules also apply to network type (hence, no break)
         // address rules also apply to network type (hence, no break)
         case "address":
             if (!$pconfig['remoteid_address'] || !is_ipaddr($pconfig['remoteid_address'])) {
                 $input_errors[] = gettext("A valid remote network IP address must be specified.");
             } elseif (is_ipaddrv4($pconfig['remoteid_address']) && $pconfig['mode'] != "tunnel") {
                 $input_errors[] = gettext("A valid remote network IPv4 address must be specified or you need to change Mode to IPv6");
             } elseif (is_ipaddrv6($pconfig['remoteid_address']) && $pconfig['mode'] != "tunnel6") {
                 $input_errors[] = gettext("A valid remote network IPv6 address must be specified or you need to change Mode to IPv4");
             }
             break;
     }
 }
 /* Validate enabled phase2's are not duplicates */
 if (isset($pconfig['mobile'])) {
     /* User is adding phase 2 for mobile phase1 */
     foreach ($config['ipsec']['phase2'] as $key => $name) {
         if (isset($name['mobile']) && $name['uniqid'] != $pconfig['uniqid']) {
             /* check duplicate localids only for mobile clients */
             $localid_data = ipsec_idinfo_to_cidr($name['localid'], false, $name['mode']);
             $entered = array();
         $idtracker++;
     }
     if (empty($_POST['password'])) {
         $input_errors[] = gettext("You must specify a CARP password that is shared between the two VHID members.");
     }
     if ($_POST['interface'] == 'lo0') {
         $input_errors[] = gettext("For this type of vip localhost is not allowed.");
     } else {
         if (strpos($_POST['interface'], '_vip')) {
             $input_errors[] = gettext("A CARP parent interface can only be used with IP Alias type Virtual IPs.");
         }
     }
     break;
 case 'ipalias':
     if (strstr($_POST['interface'], "_vip")) {
         if (is_ipaddrv4($_POST['subnet'])) {
             $parent_ip = get_interface_ip($_POST['interface']);
             $parent_sn = get_interface_subnet($_POST['interface']);
             $subnet = gen_subnet($parent_ip, $parent_sn);
         } else {
             if (is_ipaddrv6($_POST['subnet'])) {
                 $parent_ip = get_interface_ipv6($_POST['interface']);
                 $parent_sn = get_interface_subnetv6($_POST['interface']);
                 $subnet = gen_subnetv6($parent_ip, $parent_sn);
             }
         }
         if (isset($parent_ip) && !ip_in_subnet($_POST['subnet'], "{$subnet}/{$parent_sn}") && !ip_in_interface_alias_subnet(link_carp_interface_to_parent($_POST['interface']), $_POST['subnet'])) {
             $cannot_find = $_POST['subnet'] . "/" . $_POST['subnet_bits'];
             $input_errors[] = sprintf(gettext("Sorry, we could not locate an interface with a matching subnet for %s.  Please add an IP alias in this subnet on this interface."), $cannot_find);
         }
         unset($parent_ip, $parent_sn, $subnet);
 /* Phase 1 input validation (fragment of a larger page script). */
 /* A remote gateway is only mandatory when the entry is not a mobile one. */
 if (!$pconfig['mobile']) {
     $reqdfields[] = "remotegw";
     $reqdfieldsn[] = gettext("Remote gateway");
 }
 /* Required-field check; failures are appended to $input_errors. */
 do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors);
 /*
  * Reject a pre-shared key that contains anything outside the POSIX
  * [:ascii:] class. Clearing $validate_pskey makes this check fire once.
  * NOTE(review): [:ascii:] also admits control characters (NUL, CR, LF);
  * confirm whether those are acceptable wherever the key is written out.
  */
 if (isset($validate_pskey) && isset($pconfig['pskey']) && !preg_match('/^[[:ascii:]]*$/', $pconfig['pskey'])) {
     unset($validate_pskey);
     $input_errors[] = gettext("Pre-Shared Key contains invalid characters.");
 }
 /* The lifetime is optional, but when given it must be an integer. */
 if ($pconfig['lifetime'] && !is_numericint($pconfig['lifetime'])) {
     $input_errors[] = gettext("The P1 lifetime must be an integer.");
 }
 /*
  * The remote gateway must be an IP address or a domain name, and a literal
  * address must belong to the family selected in $pconfig['protocol'].
  */
 if ($pconfig['remotegw']) {
     if (!is_ipaddr($pconfig['remotegw']) && !is_domain($pconfig['remotegw'])) {
         $input_errors[] = gettext("A valid remote gateway address or host name must be specified.");
     } elseif (is_ipaddrv4($pconfig['remotegw']) && $pconfig['protocol'] != "inet") {
         $input_errors[] = gettext("A valid remote gateway IPv4 address must be specified or protocol needs to be changed to IPv6");
     } elseif (is_ipaddrv6($pconfig['remotegw']) && $pconfig['protocol'] != "inet6") {
         $input_errors[] = gettext("A valid remote gateway IPv6 address must be specified or protocol needs to be changed to IPv4");
     }
 }
 if ($pconfig['remotegw'] && is_ipaddr($pconfig['remotegw']) && !isset($pconfig['disabled'])) {
     $t = 0;
     foreach ($a_phase1 as $ph1tmp) {
         if ($p1index != $t) {
             $tremotegw = $pconfig['remotegw'];
             if ($ph1tmp['remote-gateway'] == $tremotegw && !isset($ph1tmp['disabled'])) {
                 $input_errors[] = sprintf(gettext('The remote gateway "%1$s" is already used by phase1 "%2$s".'), $tremotegw, $ph1tmp['descr']);
             }
         }
         $t++;
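 /*
  * Host override input validation (fragment of a larger page script).
  *
  * $input_errors is passed without a call-time '&': call-time
  * pass-by-reference is a fatal error since PHP 5.4. The results are still
  * read from $input_errors below, so the callee is expected to declare that
  * parameter by reference itself.
  */
 do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
 /*
  * NOTE(review): the truthiness guards below skip validation for the literal
  * string "0"; confirm that the required-field check covers that case.
  */
 if ($_POST['host'] && !is_hostname($_POST['host'])) {
     $input_errors[] = gettext("The hostname can only contain the characters A-Z, 0-9 and '-'.");
 }
 if ($_POST['domain'] && !is_domain($_POST['domain'])) {
     $input_errors[] = gettext("A valid domain must be specified.");
 }
 if ($_POST['ip'] && !is_ipaddr($_POST['ip'])) {
     $input_errors[] = gettext("A valid IP address must be specified.");
 }
 /* check for overlaps */
 foreach ($a_hosts as $hostent) {
     /* The entry being edited must not be reported as a duplicate of itself. */
     if (isset($id) && $a_hosts[$id] && $a_hosts[$id] === $hostent) {
         continue;
     }
     /* Same host and domain is a duplicate only within one address family. */
     if ($hostent['host'] == $_POST['host'] && $hostent['domain'] == $_POST['domain'] && (is_ipaddrv4($hostent['ip']) && is_ipaddrv4($_POST['ip']) || is_ipaddrv6($hostent['ip']) && is_ipaddrv6($_POST['ip']))) {
         $input_errors[] = gettext("This host/domain already exists.");
         break;
     }
 }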
 if (!$input_errors) {
     $hostent = array();
     $hostent['host'] = $_POST['host'];
     $hostent['domain'] = $_POST['domain'];
     $hostent['ip'] = $_POST['ip'];
     $hostent['descr'] = $_POST['descr'];
     if (isset($id) && $a_hosts[$id]) {
         $a_hosts[$id] = $hostent;
     } else {
         $a_hosts[] = $hostent;
     }
Beispiel #24
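/*
 * Validate a ping request. The host may arrive by GET or POST, so every
 * field is read from $_REQUEST, the same array that is validated.
 */
if ($_POST || !empty($_REQUEST['host'])) {
    unset($input_errors);
    unset($do_ping);
    /* input validation */
    $reqdfields = explode(" ", "host count");
    $reqdfieldsn = array(gettext("Host"), gettext("Count"));
    do_input_validation($_REQUEST, $reqdfields, $reqdfieldsn, $input_errors);
    if ($_REQUEST['count'] < 1 || $_REQUEST['count'] > MAX_COUNT) {
        $input_errors[] = sprintf(gettext("Count must be between 1 and %s"), MAX_COUNT);
    }
    $host = trim($_REQUEST['host']);
    $ipproto = $_REQUEST['ipproto'];
    /* A literal address must match the selected address family. */
    if ($ipproto == "ipv4" && is_ipaddrv6($host)) {
        $input_errors[] = gettext("When using IPv4, the target host must be an IPv4 address or hostname.");
    }
    if ($ipproto == "ipv6" && is_ipaddrv4($host)) {
        $input_errors[] = gettext("When using IPv6, the target host must be an IPv6 address or hostname.");
    }
    /*
     * NOTE(review): $host and $sourceip get no format validation in this
     * block. Whatever later builds the ping command (not visible here) must
     * validate them as address/hostname or pass them through escapeshellarg().
     */
    if (!$input_errors) {
        $do_ping = true;
        $sourceip = $_REQUEST['sourceip'];
        /*
         * Use the value that was range-checked above. Reading $_POST here
         * left $count empty for requests that arrived by GET.
         */
        $count = $_REQUEST['count'];
        /* Anything that is not purely digits falls back to the default. */
        if (preg_match('/[^0-9]/', $count)) {
            $count = DEFAULT_COUNT;
        }
    }
}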
if (!isset($do_ping)) {
    $do_ping = false;
    $host = '';
    $count = DEFAULT_COUNT;
Beispiel #25
<br />
				<?php 
}
?>

			    <section class="col-xs-12">


					<?php 
/*
 * Build one tab per interface. An interface is left out when it has no IPv4
 * address and either has no dhcpd section at all or has one without 'enable'.
 */
$tab_array = array();
$tabscounter = 0;
$i = 0;
foreach ($iflist as $ifent => $ifname) {
    $oc = $config['interfaces'][$ifent];
    if (
        is_array($config['dhcpd'][$ifent]) && !isset($config['dhcpd'][$ifent]['enable']) && !is_ipaddrv4($oc['ipaddr'])
        || !is_array($config['dhcpd'][$ifent]) && !is_ipaddrv4($oc['ipaddr'])
    ) {
        continue;
    }
    // The tab for the interface currently being shown is marked active.
    $active = ($ifent == $if);
    $tab_array[] = array($ifname, $active, "services_dhcp.php?if={$ifent}");
    $tabscounter += 1;
}
if ($tabscounter == 0) {
    echo "</section>";
    echo "</div>";
    echo "</div>";
    echo "</section>";
                 continue;
             }
             $old_targets[] = $tgt;
         }
     } else {
         $old_targets[] = $oroute['network'];
     }
 }
 /*
  * A target is a duplicate when it is both currently routed and newly
  * requested, unless it already belonged to the route being edited.
  */
 $overlaps = array_diff(array_intersect($current_targets, $new_targets), $old_targets);
 if (count($overlaps) > 0) {
     $input_errors[] = gettext("A route to these destination networks already exists") . ": " . implode(", ", $overlaps);
 }
 /*
  * Refuse a destination whose prefix length and network address are the same
  * as those of an address configured on an interface (IPv4 and IPv6 apart).
  */
 if (is_array($config['interfaces'])) {
     foreach ($config['interfaces'] as $if) {
         if (
             is_ipaddrv4($_POST['network'])
             && isset($if['ipaddr'], $if['subnet'])
             && is_ipaddrv4($if['ipaddr'])
             && is_numeric($if['subnet'])
             && $_POST['network_subnet'] == $if['subnet']
             && gen_subnet($_POST['network'], $_POST['network_subnet']) == gen_subnet($if['ipaddr'], $if['subnet'])
         ) {
             $input_errors[] = sprintf(gettext("This network conflicts with address configured on interface %s."), $if['descr']);
         } elseif (
             is_ipaddrv6($_POST['network'])
             && isset($if['ipaddrv6'], $if['subnetv6'])
             && is_ipaddrv6($if['ipaddrv6'])
             && is_numeric($if['subnetv6'])
             && $_POST['network_subnet'] == $if['subnetv6']
             && gen_subnetv6($_POST['network'], $_POST['network_subnet']) == gen_subnetv6($if['ipaddrv6'], $if['subnetv6'])
         ) {
             $input_errors[] = sprintf(gettext("This network conflicts with address configured on interface %s."), $if['descr']);
         }
     }
 }
 if (!$input_errors) {
     $route = array();
     $route['network'] = $osn;
     $route['gateway'] = $_POST['gateway'];
     $route['descr'] = $_POST['descr'];
     if ($_POST['disabled']) {
         $route['disabled'] = true;
Beispiel #27
/**
 * Build the gateway choices for the interface currently being edited.
 *
 * Reads the globals $a_gateways and $if. Only gateways bound to $if whose
 * address is an IPv4 address are offered; the first entry is always "none".
 *
 * @return array map of gateway name => "name - address" label
 */
function build_gateway_list()
{
    global $a_gateways, $if;

    $choices = array("none" => "None");
    foreach ($a_gateways as $gw) {
        if ($gw['interface'] != $if) {
            continue;
        }
        if (!is_ipaddrv4($gw['gateway'])) {
            continue;
        }
        $choices[$gw['name']] = "{$gw['name']} - {$gw['gateway']}";
    }

    return $choices;
}
Beispiel #28
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
##|+PRIV
##|*IDENT=page-diagnostics-arptable
##|*NAME=Diagnostics: ARP Table
##|*DESCR=Allow access to the 'Diagnostics: ARP Table' page.
##|*MATCH=diag_arp.php*
##|-PRIV
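@ini_set('zlib.output_compression', 0);
@ini_set('implicit_flush', 1);
require_once "guiconfig.inc";
/*
 * Delete one ARP cache entry, named by the 'deleteentry' query parameter.
 *
 * NOTE(review): this changes system state on a GET request. Confirm that the
 * framework's CSRF protection covers GET, or move the action to POST.
 */
if (isset($_GET['deleteentry'])) {
    $ip = $_GET['deleteentry'];
    /* Array-valued parameters (deleteentry[]=...) are rejected up front. */
    if (is_string($ip) && is_ipaddrv4($ip)) {
        /*
         * The value is validated, but it still goes to the shell quoted, so
         * command safety does not rest on the validator alone.
         */
        $ret = mwexec("arp -d " . escapeshellarg($ip), true);
    } else {
        /* Non-zero selects the failure message below. */
        $ret = 1;
    }
    if ($ret) {
        /*
         * NOTE(review): on this path $ip is request data that failed
         * validation. Confirm that the code which renders $savemsg
         * HTML-escapes it.
         */
        $savemsg = sprintf(gettext("%s is not a valid IPv4 address or could not be deleted."), $ip);
        $savemsgtype = 'alert-warning';
    } else {
        $savemsg = sprintf(gettext("The ARP cache entry for %s has been deleted."), $ip);
        $savemsgtype = 'success';
    }
}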
function leasecmp($a, $b)
{
    return strcmp($a[$_GET['order']], $b[$_GET['order']]);
					<option value="" ><?php 
echo gettext("default");
?>
</option>
<?php 
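/* build a list of gateways */
$gateways = return_gateways_array();
// add statically configured gateways to list
foreach ($gateways as $gwname => $gw) {
    // No single gateway is offered when both address families are selected.
    if ($pconfig['ipprotocol'] == "inet46") {
        continue;
    }
    // Only offer gateways of the selected address family.
    if ($pconfig['ipprotocol'] == "inet6" && !($gw['ipprotocol'] == "inet6" || is_ipaddrv6($gw['gateway']))) {
        continue;
    }
    if ($pconfig['ipprotocol'] == "inet" && !($gw['ipprotocol'] == "inet" || is_ipaddrv4($gw['gateway']))) {
        continue;
    }
    if ($gw == "") {
        continue;
    }
    if ($gwname == $pconfig['gateway']) {
        $selected = " selected=\"selected\"";
    } else {
        $selected = "";
    }
    // The key is quoted: a bare `gateway` is an undefined constant, which is
    // a warning on PHP 7 and an Error on PHP 8.
    $gateway_addr_str = empty($gw['gateway']) ? "" : " - " . $gw['gateway'];
    // NOTE(review): the name and address are written into HTML unescaped.
    // Confirm they are constrained when saved, or escape them here with
    // htmlspecialchars().
    echo "<option value=\"{$gwname}\" {$selected}>{$gw['name']}{$gateway_addr_str}</option>\n";
}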
/* add gateway groups to the list */
if (is_array($a_gatewaygroups)) {
/**
 * Convert an inclusive IP address range into a list of CIDR subnets.
 *
 * Both endpoints must belong to the same family (both IPv4 or both IPv6);
 * for any other input an empty array is returned. The endpoints may be given
 * in either order: they are swapped when the first sorts after the second.
 *
 * All arithmetic is done on fixed-width strings of '0'/'1' characters
 * (32 wide for IPv4, 128 for IPv6), so no native integer width limits apply.
 * The IPv4 conversion relies on ip2long32() and the IPv6 conversion on
 * Net_IPv6, both defined outside this function.
 *
 * @param string $ip1 one end of the range
 * @param string $ip2 the other end of the range
 * @return array list of "address/prefixlen" strings ordered by address;
 *               empty when the endpoints are not two addresses of one family
 */
function ip_range_to_subnet_array_temp($ip1, $ip2)
{
    if (is_ipaddrv4($ip1) && is_ipaddrv4($ip2)) {
        $proto = 'ipv4';
        // for clarity
        $bits = 32;
        $ip1bin = decbin(ip2long32($ip1));
        $ip2bin = decbin(ip2long32($ip2));
    } elseif (is_ipaddrv6($ip1) && is_ipaddrv6($ip2)) {
        $proto = 'ipv6';
        $bits = 128;
        $ip1bin = Net_IPv6::_ip2Bin($ip1);
        $ip2bin = Net_IPv6::_ip2Bin($ip2);
    } else {
        // mixed families or invalid input: nothing to convert
        return array();
    }
    // it's *crucial* that binary strings are guaranteed the expected length;  do this for certainty even though for IPv6 it's redundant
    $ip1bin = str_pad($ip1bin, $bits, '0', STR_PAD_LEFT);
    $ip2bin = str_pad($ip2bin, $bits, '0', STR_PAD_LEFT);
    // a range of one address is returned as a host route, using $ip1 exactly as it was passed in
    if ($ip1bin === $ip2bin) {
        return array($ip1 . '/' . $bits);
    }
    // equal-length '0'/'1' strings compare like the numbers they encode, so strcmp() orders the endpoints
    if (strcmp($ip1bin, $ip2bin) > 0) {
        list($ip1bin, $ip2bin) = array($ip2bin, $ip1bin);
    }
    // from here on $ip1bin <= $ip2bin (the pair was swapped above if needed)
    // $rangesubnets maps the binary network address to its prefix length; $netsize counts the low bits shifted out so far
    $rangesubnets = array();
    $netsize = 0;
    do {
        // at loop start, $ip1 is guaranteed strictly less than $ip2 (important for edge case trapping and preventing accidental binary wrapround)
        // which means the assignments $ip1 += 1 and $ip2 -= 1 will always be "binary-wrapround-safe"
        // step #1 if start ip (as shifted) ends in any '1's, then it must have a single cidr to itself (any cidr would include the '0' below it)
        if (substr($ip1bin, -1, 1) == '1') {
            // the start ip must be in a separate one-IP cidr range
            $new_subnet_ip = substr($ip1bin, $netsize, $bits - $netsize) . str_repeat('0', $netsize);
            $rangesubnets[$new_subnet_ip] = $bits - $netsize;
            $n = strrpos($ip1bin, '0');
            //can't be all 1's
            $ip1bin = ($n == 0 ? '' : substr($ip1bin, 0, $n)) . '1' . str_repeat('0', $bits - $n - 1);
            // BINARY VERSION OF $ip1 += 1
        }
        // step #2, if end ip (as shifted) ends in any zeros then that must have a cidr to itself (as cidr cant span the 1->0 gap)
        if (substr($ip2bin, -1, 1) == '0') {
            // the end ip must be in a separate one-IP cidr range
            $new_subnet_ip = substr($ip2bin, $netsize, $bits - $netsize) . str_repeat('0', $netsize);
            $rangesubnets[$new_subnet_ip] = $bits - $netsize;
            $n = strrpos($ip2bin, '1');
            //can't be all 0's
            $ip2bin = ($n == 0 ? '' : substr($ip2bin, 0, $n)) . '0' . str_repeat('1', $bits - $n - 1);
            // BINARY VERSION OF $ip2 -= 1
            // already checked for the edge case where end = start+1 and start ends in 0x1, above, so it's safe
        }
        // this is the only edge case arising from increment/decrement.
        // it happens if the range at start of loop is exactly 2 adjacent ips, that spanned the 1->0 gap. (we will have enumerated both by now)
        // 'continue' jumps to the while() test below, which is then false and ends the loop
        if (strcmp($ip2bin, $ip1bin) < 0) {
            continue;
        }
        // step #3 the start and end ip MUST now end in '0's and '1's respectively
        // so we have a non-trivial range AND the last N bits are no longer important for CIDR purposes.
        $shift = $bits - max(strrpos($ip1bin, '0'), strrpos($ip2bin, '1'));
        // num of low bits which are '0' in ip1 and '1' in ip2
        // shift both endpoints right by $shift, refilling with '0' on the left so the width stays $bits
        $ip1bin = str_repeat('0', $shift) . substr($ip1bin, 0, $bits - $shift);
        $ip2bin = str_repeat('0', $shift) . substr($ip2bin, 0, $bits - $shift);
        $netsize += $shift;
        if ($ip1bin === $ip2bin) {
            // we're done.
            $new_subnet_ip = substr($ip1bin, $netsize, $bits - $netsize) . str_repeat('0', $netsize);
            $rangesubnets[$new_subnet_ip] = $bits - $netsize;
            continue;
        }
        // at this point there's still a remaining range, and either startip ends with '1', or endip ends with '0'. So repeat cycle.
    } while (strcmp($ip1bin, $ip2bin) < 0);
    // subnets are ordered by bit size. Re sort by IP ("naturally") and convert back to IPv4/IPv6
    ksort($rangesubnets, SORT_STRING);
    $out = array();
    foreach ($rangesubnets as $ip => $netmask) {
        if ($proto == 'ipv4') {
            // four 8-character groups, each converted to one dotted-quad octet
            $i = str_split($ip, 8);
            $out[] = implode('.', array(bindec($i[0]), bindec($i[1]), bindec($i[2]), bindec($i[3]))) . '/' . $netmask;
        } else {
            $out[] = Net_IPv6::compress(Net_IPv6::_bin2Ip($ip)) . '/' . $netmask;
        }
    }
    return $out;
}