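/**
 * Remove the kernel route(s) belonging to one configured static route entry.
 *
 * The entry's destination is either a literal network or an alias name. An
 * alias is expanded to its members; bare host addresses are widened to a
 * single-host prefix (/32 for IPv4, /128 for IPv6) so `route delete` gets a
 * proper subnet, and members that still do not form a subnet are skipped.
 * Nothing happens when $id is not a known route index.
 *
 * @param int $id index into the global $a_routes list
 */
function delete_static_route($id) {
	/* Only $a_routes is read here; the former $config/$changedesc_prefix
	 * globals were declared but never used in this function. */
	global $a_routes;

	if (!isset($a_routes[$id])) {
		return;
	}

	$network = $a_routes[$id]['network'];
	$targets = array();

	if (is_alias($network)) {
		foreach (filter_expand_alias_array($network) as $tgt) {
			/* Host entries become single-host subnets so the route tool gets a prefix. */
			if (is_ipaddrv4($tgt)) {
				$tgt .= "/32";
			} elseif (is_ipaddrv6($tgt)) {
				$tgt .= "/128";
			}
			if (!is_subnet($tgt)) {
				continue;
			}
			$targets[] = $tgt;
		}
	} else {
		$targets[] = $network;
	}

	foreach ($targets as $tgt) {
		$family = is_subnetv6($tgt) ? "-inet6" : "-inet";
		/* The destination is configuration/alias data; keep it a single quoted argv element. */
		mwexec("/sbin/route delete {$family} " . escapeshellarg($tgt));
	}
}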
/**
 * Delete one gateway entry from the running configuration.
 *
 * Removes the static host route that was installed for a dedicated monitor
 * address (when one is configured and differs from the gateway itself),
 * detaches the gateway from the interface that referenced it by name, and
 * finally drops the entry from $config['gateways']['gateway_item'].
 * Does nothing when $id is not present in $a_gateways.
 *
 * @param int   $id         sequence item in $a_gateways
 * @param array $a_gateways gateway list
 */
function delete_gateway_item($id, $a_gateways) {
	global $config;

	if (!isset($a_gateways[$id])) {
		return;
	}

	$gw = $a_gateways[$id];
	$monitor = isset($gw['monitor']) ? $gw['monitor'] : null;

	/* A dedicated monitor IP gets its own host route; remove it only when it
	 * is a real address that is not the gateway address itself. */
	$hasMonitorRoute = !empty($monitor)
		&& $monitor != "dynamic"
		&& is_ipaddr($monitor)
		&& $gw['gateway'] != $monitor;

	if ($hasMonitorRoute) {
		/* IPv4 needs no family flag; IPv6 must be stated explicitly. */
		$familyFlag = is_ipaddrv4($monitor) ? "" : "-inet6 ";
		mwexec("/sbin/route delete " . $familyFlag . escapeshellarg($monitor));
	}

	/* Unbind the interface that used this gateway as its upstream gateway. */
	$iface = $gw['friendlyiface'];
	if ($config['interfaces'][$iface]['gateway'] == $gw['name']) {
		unset($config['interfaces'][$iface]['gateway']);
	}

	unset($config['gateways']['gateway_item'][$gw['attribute']]);
}
if ($_POST['domainsearchlist']) { $domain_array = preg_split("/[ ;]+/", $_POST['domainsearchlist']); foreach ($domain_array as $curdomain) { if (!is_domain($curdomain)) { $input_errors[] = gettext("A valid domain search list must be specified."); break; } } } if ($_POST['ntp1'] && !is_ipaddrv4($_POST['ntp1']) || $_POST['ntp2'] && !is_ipaddrv4($_POST['ntp2'])) { $input_errors[] = gettext("A valid IP address must be specified for the primary/secondary NTP servers."); } if ($_POST['tftp'] && !is_ipaddrv4($_POST['tftp']) && !is_domain($_POST['tftp']) && !is_URL($_POST['tftp'])) { $input_errors[] = gettext("A valid IP address or hostname must be specified for the TFTP server."); } if ($_POST['nextserver'] && !is_ipaddrv4($_POST['nextserver'])) { $input_errors[] = gettext("A valid IP address must be specified for the network boot server."); } if (!$input_errors) { $mapent = array(); $mapent['mac'] = $_POST['mac']; $mapent['cid'] = $_POST['cid']; $mapent['ipaddr'] = $_POST['ipaddr']; $mapent['hostname'] = $_POST['hostname']; $mapent['descr'] = $_POST['descr']; $mapent['arp_table_static_entry'] = $_POST['arp_table_static_entry'] ? true : false; $mapent['filename'] = $_POST['filename']; $mapent['rootpath'] = $_POST['rootpath']; $mapent['defaultleasetime'] = $_POST['deftime']; $mapent['maxleasetime'] = $_POST['maxtime']; unset($mapent['winsserver']);
unset($input_errors); unset($do_traceroute); /* input validation */ $reqdfields = explode(" ", "host ttl"); $reqdfieldsn = array(gettext("Host"),gettext("ttl")); do_input_validation($_REQUEST, $reqdfields, $reqdfieldsn, $input_errors); if (($_REQUEST['ttl'] < 1) || ($_REQUEST['ttl'] > MAX_TTL)) { $input_errors[] = sprintf(gettext("Maximum number of hops must be between 1 and %s"), MAX_TTL); } $host = trim($_REQUEST['host']); $ipproto = $_REQUEST['ipproto']; if (($ipproto == "ipv4") && is_ipaddrv6($host)) $input_errors[] = gettext("When using IPv4, the target host must be an IPv4 address or hostname."); if (($ipproto == "ipv6") && is_ipaddrv4($host)) $input_errors[] = gettext("When using IPv6, the target host must be an IPv6 address or hostname."); if (!$input_errors) { $sourceip = $_REQUEST['sourceip']; $do_traceroute = true; $ttl = $_REQUEST['ttl']; $resolve = $_REQUEST['resolve']; } } else $resolve = true; if (!isset($do_traceroute)) { $do_traceroute = false; $host = ''; $ttl = DEFAULT_TTL;
/* Domain name input, then the "DNS Server Settings" section: up to four
 * DNS server rows (each with an optional per-server gateway selector when
 * multiple WANs are present) and the two DNS behaviour checkboxes.
 * $section, $form, $pconfig, $multiwan, $arr_gateways and $g are expected
 * to be set earlier in this page — presumably by the page setup above;
 * verify against the surrounding file. */
$section->addInput(new Form_Input(
	'domain',
	'Domain',
	'text',
	$pconfig['domain'],
	['placeholder' => 'mycorp.com, home, office, private, etc.']
))->setHelp('Do not use \'local\' as a domain name. It will cause local ' .
	'hosts running mDNS (avahi, bonjour, etc.) to be unable to resolve ' .
	'local hosts not running mDNS.');

$form->add($section);

$section = new Form_Section('DNS Server Settings');

for ($i = 1; $i < 5; $i++) {
	$group = new Form_Group('DNS Server ' . $i);

	$group->add(new Form_Input(
		'dns' . $i,
		'DNS Server',
		'text',
		$pconfig['dns' . $i]
	))->setHelp($i == 4 ? 'Address' : null);

	$help = "Enter IP addresses to be used by the system for DNS resolution. " .
		"These are also used for the DHCP service, DNS forwarder and for PPTP VPN clients.";

	if ($multiwan) {
		$options = array('none' => 'none');

		/* Offer only gateways whose address family matches the gateway
		 * currently selected for this DNS server row. */
		foreach ($arr_gateways as $gwname => $gwitem) {
			// NOTE(review): $dnsgw is not assigned anywhere in this loop. Unless it is
			// set to the per-row key ("dns{$i}gw") further up the page, every row is
			// filtered against the same selected gateway — TODO confirm.
			if (is_ipaddrv4(lookup_gateway_ip_by_name($pconfig[$dnsgw])) && is_ipaddrv6($gwitem['gateway'])) {
				continue;
			}
			if (is_ipaddrv6(lookup_gateway_ip_by_name($pconfig[$dnsgw])) && is_ipaddrv4($gwitem['gateway'])) {
				continue;
			}
			$options[$gwname] = $gwname . ' - ' . $gwitem['friendlyiface'] . ' - ' . $gwitem['gateway'];
		}

		$group->add(new Form_Select(
			'dns' . $i . 'gw',
			'Gateway',
			$pconfig['dns' . $i . 'gw'],
			$options
		))->setHelp($i == 4 ? 'Gateway' : null);

		$help .= '<br/>' . "In addition, optionally select the gateway for each DNS server. " .
			"When using multiple WAN connections there should be at least one unique DNS server per gateway.";
	}

	/* The group-level help text is attached once, on the last row. */
	if ($i == 4) {
		$group->setHelp($help);
	}

	$section->add($group);
}

$section->addInput(new Form_Checkbox(
	'dnsallowoverride',
	'DNS Server Override',
	'Allow DNS server list to be overridden by DHCP/PPP on WAN',
	$pconfig['dnsallowoverride']
))->setHelp(sprintf(gettext('If this option is set, %s will use DNS servers ' .
	'assigned by a DHCP/PPP server on WAN for its own purposes (including ' .
	'the DNS forwarder). 
However, they will not be assigned to DHCP and PPTP ' .
	'VPN clients.'), $g['product_name']));

$section->addInput(new Form_Checkbox(
	'dnslocalhost',
	'Disable DNS Forwarder',
	'Do not use the DNS Forwarder as a DNS server for the firewall',
	$pconfig['dnslocalhost']
))->setHelp('By default localhost (127.0.0.1) will be used as the first DNS ' .
	'server where the DNS Forwarder or DNS Resolver is enabled and set to ' .
	'listen on Localhost, so system can use the local DNS service to perform ' .
	'lookups. Checking this box omits localhost from the list of DNS servers.');

$form->add($section);
$reqdfieldsn = array(gettext('Shared key')); } if ($pconfig['dev_mode'] != "tap") { $reqdfields[] = 'tunnel_network'; $reqdfieldsn[] = gettext('Tunnel network'); } else { if ($pconfig['serverbridge_dhcp'] && $pconfig['tunnel_network']) { $input_errors[] = gettext("Using a tunnel network and server bridge settings together is not allowed."); } if ($pconfig['serverbridge_dhcp_start'] && !$pconfig['serverbridge_dhcp_end'] || !$pconfig['serverbridge_dhcp_start'] && $pconfig['serverbridge_dhcp_end']) { $input_errors[] = gettext("Server Bridge DHCP Start and End must both be empty, or defined."); } if ($pconfig['serverbridge_dhcp_start'] && !is_ipaddrv4($pconfig['serverbridge_dhcp_start'])) { $input_errors[] = gettext("Server Bridge DHCP Start must be an IPv4 address."); } if ($pconfig['serverbridge_dhcp_end'] && !is_ipaddrv4($pconfig['serverbridge_dhcp_end'])) { $input_errors[] = gettext("Server Bridge DHCP End must be an IPv4 address."); } if (ip2ulong($pconfig['serverbridge_dhcp_start']) > ip2ulong($pconfig['serverbridge_dhcp_end'])) { $input_errors[] = gettext("The Server Bridge DHCP range is invalid (start higher than end)."); } } do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors); if (count($input_errors) == 0) { // validation correct, save data $server = array(); // delete(rename) old interface so a new TUN or TAP interface can be created. if (isset($id) && $pconfig['dev_mode'] != $a_server[$id]['dev_mode']) { openvpn_delete('server', $a_server[$id]); } // 1 on 1 copy of config attributes
$tls_mode = true; } else { $tls_mode = false; } // generate new key if (!empty($pconfig['autokey_enable'])) { $pconfig['shared_key'] = openvpn_create_key(); } /* input validation */ if (strpos($pconfig['interface'], '|') !== false) { list($iv_iface, $iv_ip) = explode("|", $pconfig['interface']); } else { $iv_iface = $pconfig['interface']; $iv_ip = null; } if (is_ipaddrv4($iv_ip) && stristr($pconfig['protocol'], "6") !== false) { $input_errors[] = gettext("Protocol and IP address families do not match. You cannot select an IPv6 protocol and an IPv4 IP address."); } elseif (is_ipaddrv6($iv_ip) && stristr($pconfig['protocol'], "6") === false) { $input_errors[] = gettext("Protocol and IP address families do not match. You cannot select an IPv4 protocol and an IPv6 IP address."); } elseif (stristr($pconfig['protocol'], "6") === false && !get_interface_ip($iv_iface) && $pconfig['interface'] != "any") { $input_errors[] = gettext("An IPv4 protocol was selected, but the selected interface has no IPv4 address."); } elseif (stristr($pconfig['protocol'], "6") !== false && !get_interface_ipv6($iv_iface) && $pconfig['interface'] != "any") { $input_errors[] = gettext("An IPv6 protocol was selected, but the selected interface has no IPv6 address."); } if (!empty($pconfig['local_port'])) { if (empty($pconfig['local_port']) || !is_numeric($pconfig['local_port']) || $pconfig['local_port'] < 0 || $pconfig['local_port'] > 65535) { $input_errors[] = "The field Local port must contain a valid port, ranging from 0 to 65535."; } $portused = openvpn_port_used($pconfig['protocol'], $pconfig['interface'], $pconfig['local_port'], $vpnid); if ($portused != $vpnid && $portused != 0) { $input_errors[] = gettext("The specified 'Local port' is in use. Please select another value");
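/**
 * Build the CARP VIP choices for the gateway's address selector.
 *
 * Reads the global $carplist (vip name => address) and the gateway being
 * edited ($gateway) so that only VIPs of the gateway's address family are
 * offered; when $gateway['ipprotocol'] is not set no family filter applies.
 * The fixed 'address' entry ("Interface Address") is always first.
 *
 * @return array select options keyed by VIP name
 */
function build_carp_list() {
	/* $gateway was previously read here without being declared global, so it
	 * was always null inside this function and the address-family filter
	 * below never excluded anything. NOTE(review): confirm $gateway is the
	 * gateway record being edited on this page. */
	global $carplist, $gateway;

	$list = array('address' => gettext('Interface Address'));

	/* Nothing configured yet (or the list was never built): only the fixed entry. */
	if (!is_array($carplist)) {
		return $list;
	}

	$ipprotocol = isset($gateway['ipprotocol']) ? $gateway['ipprotocol'] : null;

	foreach ($carplist as $vip => $address) {
		if ($ipprotocol == "inet" && !is_ipaddrv4($address)) {
			continue;
		}
		if ($ipprotocol == "inet6" && !is_ipaddrv6($address)) {
			continue;
		}
		$list[$vip] = "{$vip} - {$address}";
	}

	return $list;
}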
if (is_ipaddr($_POST['monitor'])) { $gateway['monitor'] = $_POST['monitor']; } if (isset($_POST['data_payload']) && $_POST['data_payload'] > 0) { $gateway['data_payload'] = $_POST['data_payload']; } /* NOTE: If gateway ip is changed need to cleanup the old static interface route */ if ($_POST['monitor'] != "dynamic" && !empty($a_gateway_item[$realid]) && is_ipaddr($a_gateway_item[$realid]['gateway']) && $gateway['gateway'] != $a_gateway_item[$realid]['gateway'] && isset($a_gateway_item[$realid]["nonlocalgateway"])) { $realif = get_real_interface($a_gateway_item[$realid]['interface']); $inet = !is_ipaddrv4($a_gateway_item[$realid]['gateway']) ? "-inet6" : "-inet"; $cmd = "/sbin/route delete {$inet} " . escapeshellarg($a_gateway_item[$realid]['gateway']) . " -iface " . escapeshellarg($realif); mwexec($cmd); } /* NOTE: If monitor ip is changed need to cleanup the old static route */ if ($_POST['monitor'] != "dynamic" && !empty($a_gateway_item[$realid]) && is_ipaddr($a_gateway_item[$realid]['monitor']) && $_POST['monitor'] != $a_gateway_item[$realid]['monitor'] && $gateway['gateway'] != $a_gateway_item[$realid]['monitor']) { if (is_ipaddrv4($a_gateway_item[$realid]['monitor'])) { mwexec("/sbin/route delete " . escapeshellarg($a_gateway_item[$realid]['monitor'])); } else { mwexec("/sbin/route delete -inet6 " . escapeshellarg($a_gateway_item[$realid]['monitor'])); } } if ($_POST['defaultgw'] == "yes" || $_POST['defaultgw'] == "on") { $i = 0; /* remove the default gateway bits for all gateways with the same address family */ foreach ($a_gateway_item as $gw) { if ($gateway['ipprotocol'] == $gw['ipprotocol']) { unset($config['gateways']['gateway_item'][$i]['defaultgw']); if ($gw['interface'] != $_POST['interface'] && $gw['defaultgw']) { $reloadif = $gw['interface']; } }
} if (is_ipaddr($pconfig['src']) && is_ipaddr($pconfig['dst'])) { if (!validate_address_family($pconfig['src'], $pconfig['dst'])) { $input_errors[] = sprintf(gettext("The Source IP address %s Address Family differs from the destination %s."), $pconfig['src'], $pconfig['dst']); } if ((is_ipaddrv6($pconfig['src']) || is_ipaddrv6($pconfig['dst'])) && $pconfig['ipprotocol'] == "inet") { $input_errors[] = gettext("You can not use IPv6 addresses in IPv4 rules."); } if ((is_ipaddrv4($pconfig['src']) || is_ipaddrv4($pconfig['dst'])) && $pconfig['ipprotocol'] == "inet6") { $input_errors[] = gettext("You can not use IPv4 addresses in IPv6 rules."); } } if (is_ipaddrv4($pconfig['src']) && $pconfig['srcmask'] > 32) { $input_errors[] = gettext("Invalid subnet mask on IPv4 source"); } if (is_ipaddrv4($pconfig['dst']) && $pconfig['dstmask'] > 32) { $input_errors[] = gettext("Invalid subnet mask on IPv4 destination"); } if ((is_ipaddr($pconfig['src']) || is_ipaddr($pconfig['dst'])) && $pconfig['ipprotocol'] == "inet46") { $input_errors[] = gettext("You can not use a IPv4 or IPv6 address in combined IPv4 + IPv6 rules."); } if (!empty($pconfig['os'])) { if ($pconfig['protocol'] != "tcp") { $input_errors[] = gettext("OS detection is only valid with protocol tcp."); } if (!in_array($pconfig['os'], $ostypes)) { $input_errors[] = gettext("Invalid OS detection selection. Please select a valid OS."); } } if (!empty($pconfig['floating']) && !empty($pconfig['gateway']) && (empty($pconfig['direction']) || $pconfig['direction'] == "any")) { $input_errors[] = gettext("You can not use gateways in Floating rules without choosing a direction.");
if ($_POST['gateway'] && !is_ipaddrv6($_POST['gateway'])) { $input_errors[] = gettext("A valid IPv6 address must be specified for the gateway."); } if ($_POST['dns1'] && !is_ipaddrv6($_POST['dns1']) || $_POST['dns2'] && !is_ipaddrv6($_POST['dns2']) || $_POST['dns3'] && !is_ipaddrv6($_POST['dns3']) || $_POST['dns4'] && !is_ipaddrv6($_POST['dns4'])) { $input_errors[] = gettext("A valid IPv6 address must be specified for each of the DNS servers."); } if ($_POST['deftime'] && (!is_numeric($_POST['deftime']) || $_POST['deftime'] < 60)) { $input_errors[] = gettext("The default lease time must be at least 60 seconds."); } if ($_POST['maxtime'] && (!is_numeric($_POST['maxtime']) || $_POST['maxtime'] < 60 || $_POST['maxtime'] <= $_POST['deftime'])) { $input_errors[] = gettext("The maximum lease time must be at least 60 seconds and higher than the default lease time."); } if ($_POST['ddnsdomain'] && !is_domain($_POST['ddnsdomain'])) { $input_errors[] = gettext("A valid domain name must be specified for the dynamic DNS registration."); } if ($_POST['ddnsdomain'] && !is_ipaddrv4($_POST['ddnsdomainprimary'])) { $input_errors[] = gettext("A valid primary domain name server IPv4 address must be specified for the dynamic domain name."); } if ($_POST['ddnsdomainkey'] && !$_POST['ddnsdomainkeyname'] || $_POST['ddnsdomainkeyname'] && !$_POST['ddnsdomainkey']) { $input_errors[] = gettext("You must specify both a valid domain key and key name."); } if ($_POST['domainsearchlist']) { $domain_array = preg_split("/[ ;]+/", $_POST['domainsearchlist']); foreach ($domain_array as $curdomain) { if (!is_domain($curdomain)) { $input_errors[] = gettext("A valid domain search list must be specified."); break; } } } if ($_POST['ntp1'] && !is_ipaddrv6($_POST['ntp1']) || $_POST['ntp2'] && !is_ipaddrv6($_POST['ntp2'])) {
} //]]> </script> <?php echo "<textarea id=\"testportCaptured\" style=\"width:98%\" name=\"code\" rows=\"15\" cols=\"66\" readonly=\"readonly\">"; $result = ""; $nc_base_cmd = "/usr/bin/nc"; $nc_args = "-w " . escapeshellarg($timeout); if (!$showtext) { $nc_args .= " -z "; } if (!empty($srcport)) { $nc_args .= " -p " . escapeshellarg($srcport) . " "; } /* Attempt to determine the interface address, if possible. Else try both. */ if (is_ipaddrv4($host)) { $ifaddr = $sourceip == "any" ? "" : get_interface_ip($sourceip); $nc_args .= " -4"; } elseif (is_ipaddrv6($host)) { if ($sourceip == "any") { $ifaddr = ""; } else { if (is_linklocal($sourceip)) { $ifaddr = $sourceip; } else { $ifaddr = get_interface_ipv6($sourceip); } } $nc_args .= " -6"; } else { switch ($ipprotocol) {
if (empty($suricatacfg['libhtp_policy']['item'])) { $http_hosts_default_policy = "default-config:\n personality: IDS\n request-body-limit: 4096\n response-body-limit: 4096\n"; $http_hosts_default_policy .= " double-decode-path: no\n double-decode-query: no\n uri-include-all: no\n"; } else { foreach ($suricatacfg['libhtp_policy']['item'] as $k => $v) { if ($v['bind_to'] != "all") { $engine = "server-config:\n - {$v['name']}:\n"; $tmp = trim(filter_expand_alias($v['bind_to'])); if (!empty($tmp)) { $engine .= " address: ["; $tmp = preg_replace('/\\s+/', ',', $tmp); $list = explode(',', $tmp); foreach ($list as $addr) { if (is_ipaddrv6($addr) || is_subnetv6($addr)) { $engine .= "\"{$addr}\", "; } elseif (is_ipaddrv4($addr) || is_subnetv4($addr)) { $engine .= "{$addr}, "; } else { log_error("[suricata] WARNING: invalid IP address value '{$addr}' in Alias {$v['bind_to']} will be ignored."); continue; } } $engine = trim($engine, ' ,'); $engine .= "]\n"; $engine .= " personality: {$v['personality']}\n request-body-limit: {$v['request-body-limit']}\n"; $engine .= " response-body-limit: {$v['response-body-limit']}\n"; $engine .= " double-decode-path: {$v['double-decode-path']}\n"; $engine .= " double-decode-query: {$v['double-decode-query']}\n"; $engine .= " uri-include-all: {$v['uri-include-all']}\n"; $http_hosts_policy .= " {$engine}\n"; } else {
$hostname = ""; } $src_icons = ""; $dst_icons = $alert_ip . " " . $supp_ip . " "; } // Determine Country Code of Host if (is_ipaddrv4($host)) { $country = substr(exec("{$pathgeoip} -f {$pathgeoipdat} {$host}"), 23, 2); } else { $country = substr(exec("{$pathgeoip6} -f {$pathgeoipdat6} {$host}"), 26, 2); } // IP Query Grep Exclusion $pfb_ex1 = "grep -v 'pfB\\_\\|\\_v6\\.txt'"; $pfb_ex2 = "grep -v 'pfB\\_\\|/32\\|/24\\|\\_v6\\.txt' | grep -m1 '/'"; // Find List which contains Blocked IP Host if (is_ipaddrv4($host) && $pfb_query != "Country") { // Search for exact IP Match $host1 = preg_replace("/(\\d{1,3})\\.(\\d{1,3}).(\\d{1,3}).(\\d{1,3})/", '\'$1\\.$2\\.$3\\.$4\'', $host); $pfb_query = exec("/usr/bin/grep -rHm1 {$host1} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\\///' -e 's/:.*//' -e 's/\\..*/ /' | {$pfb_ex1}"); // Search for IP in /24 CIDR if (empty($pfb_query)) { $host1 = preg_replace("/(\\d{1,3})\\.(\\d{1,3}).(\\d{1,3}).(\\d{1,3})/", '\'$1\\.$2\\.$3\\.0/24\'', $host); $pfb_query = exec("/usr/bin/grep -rHm1 {$host1} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\\///' -e 's/\\.txt:/ /' | {$pfb_ex1}"); } // Search for First Two IP Octets in CIDR Matches Only. Skip any pfB (Country Lists) or /32,/24 Addresses. if (empty($pfb_query)) { $host1 = preg_replace("/(\\d{1,3})\\.(\\d{1,3}).(\\d{1,3}).(\\d{1,3})/", '\'^$1\\.$2\\.\'', $host); $pfb_query = exec("/usr/bin/grep -rH {$host1} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\\///' -e 's/\\.txt:/ /' | {$pfb_ex2}"); } // Search for First Two IP Octets in CIDR Matches Only (Subtract 1 from second Octet on each loop). // Skip (Country Lists) or /32,/24 Addresses.
</tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("IPv4 Upstream Gateway"); ?> </td> <td width="78%" class="vtable"> <select name="gateway" class="formselect" id="gateway"> <option value="none" selected="selected"><?php echo gettext("None"); ?> </option> <?php if (count($a_gateways) > 0) { foreach ($a_gateways as $gateway) { if ($gateway['interface'] == $if && is_ipaddrv4($gateway['gateway'])) { ?> <option value="<?php echo $gateway['name']; ?> " <?php if ($gateway['name'] == $pconfig['gateway']) { echo "selected=\"selected\""; } ?> > <?php echo htmlspecialchars($gateway['name']) . " - " . htmlspecialchars($gateway['gateway']); ?> </option> <?php
} ?> <option value="address" <?php echo $selected_key == "address" ? "selected=\"selected\"" : ""; ?> > <?php echo gettext("Interface Address"); ?> </option> <?php foreach (get_configured_carp_interface_list() as $vip => $address) { if (!preg_match("/^{$gateway['friendlyiface']}_/i", $vip)) { continue; } if ($gateway['ipprotocol'] == "inet" && !is_ipaddrv4($address)) { continue; } if ($gateway['ipprotocol'] == "inet6" && !is_ipaddrv6($address)) { continue; } ?> <option value="<?php echo $vip; ?> " <?php echo $selected_key == $vip ? "selected=\"selected\"" : ""; ?> > <?php echo $vip;
$pconfig['link1'] = isset($a_gifs[$id]['link1']); $pconfig['link0'] = isset($a_gifs[$id]['link0']); $pconfig['descr'] = $a_gifs[$id]['descr']; } if ($_POST) { unset($input_errors); $pconfig = $_POST; /* input validation */ $reqdfields = explode(" ", "if tunnel-remote-addr tunnel-remote-net tunnel-local-addr"); $reqdfieldsn = array(gettext("Parent interface,Local address, Remote tunnel address, Remote tunnel network, Local tunnel address")); do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); if (!is_ipaddr($_POST['tunnel-local-addr']) || !is_ipaddr($_POST['tunnel-remote-addr']) || !is_ipaddr($_POST['remote-addr'])) { $input_errors[] = gettext("The tunnel local and tunnel remote fields must have valid IP addresses."); } $alias = strstr($_POST['if'], '|'); if (is_ipaddrv4($alias) && !is_ipaddrv4($_POST['remote-addr']) || is_ipaddrv6($alias) && !is_ipaddrv6($_POST['remote-addr'])) { $input_errors[] = gettext("The alias IP address family has to match the family of the remote peer address."); } foreach ($a_gifs as $gif) { if (isset($id) && $a_gifs[$id] && $a_gifs[$id] === $gif) { continue; } /* FIXME: needs to perform proper subnet checks in the feature */ if ($gif['if'] == $interface && $gif['tunnel-remote-addr'] == $_POST['tunnel-remote-addr']) { $input_errors[] = sprintf(gettext("A gif with the network %s is already defined."), $gif['tunnel-remote-addr']); break; } } if (!$input_errors) { $gif = array(); list($gif['if'], $gif['ipaddr']) = explode("|", $_POST['if']);
} if ($_POST) { unset($input_errors); $pconfig = $_POST; /* input validation */ $reqdfields = explode(" ", "if remote-addr tunnel-local-addr tunnel-remote-addr tunnel-remote-net"); $reqdfieldsn = array(gettext("Parent interface"), gettext("Remote tunnel endpoint IP address"), gettext("Local tunnel IP address"), gettext("Remote tunnel IP address"), gettext("Remote tunnel network")); do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); if (!is_ipaddr($_POST['tunnel-local-addr']) || !is_ipaddr($_POST['tunnel-remote-addr']) || !is_ipaddr($_POST['remote-addr'])) { $input_errors[] = gettext("The tunnel local and tunnel remote fields must have valid IP addresses."); } if (!is_numericint($_POST['tunnel-remote-net'])) { $input_errors[] = gettext("The GRE tunnel subnet must be an integer."); } if (is_ipaddrv4($_POST['tunnel-local-addr'])) { if (!is_ipaddrv4($_POST['tunnel-remote-addr'])) { $input_errors[] = gettext("The GRE Tunnel remote address must be IPv4 where tunnel local address is IPv4."); } if ($_POST['tunnel-remote-net'] > 32 || $_POST['tunnel-remote-net'] < 1) { $input_errors[] = gettext("The GRE tunnel subnet must be an integer between 1 and 32."); } } if (is_ipaddrv6($_POST['tunnel-local-addr'])) { if (!is_ipaddrv6($_POST['tunnel-remote-addr'])) { $input_errors[] = gettext("The GRE Tunnel remote address must be IPv6 where tunnel local address is IPv6."); } if ($_POST['tunnel-remote-net'] > 128 || $_POST['tunnel-remote-net'] < 1) { $input_errors[] = gettext("The GRE tunnel subnet must be an integer between 1 and 128."); } } foreach ($a_gres as $gre) {
<?php if (is_subsystem_dirty('staticmaps')): ?><br/> <?php print_info_box_np(gettext("The static mapping configuration has been changed") . ".<br />" . gettext("You must apply the changes in order for them to take effect."));?><br /> <?php endif; ?> <section class="col-xs-12"> <?php /* active tabs */ $tab_array = array(); $tabscounter = 0; $i = 0; foreach ($iflist as $ifent => $ifname) { $oc = $config['interfaces'][$ifent]; if ((is_array($config['dhcpd'][$ifent]) && !isset($config['dhcpd'][$ifent]['enable']) && (!is_ipaddrv4($oc['ipaddr']))) || (!is_array($config['dhcpd'][$ifent]) && (!is_ipaddrv4($oc['ipaddr'])))) continue; if ($ifent == $if) $active = true; else $active = false; $tab_array[] = array($ifname, $active, "services_dhcp.php?if={$ifent}"); $tabscounter++; } if ($tabscounter == 0) { echo "</section>"; echo "</div>"; echo "</div>"; echo "</section>"; include("foot.inc"); exit;
$input_errors[] = gettext("A valid NAT local network IPv6 address must be specified or you need to change Mode to IPv4"); } break; } } switch ($pconfig['remoteid_type']) { case "network": if ($pconfig['remoteid_netbits'] != 0 && !$pconfig['remoteid_netbits'] || !is_numeric($pconfig['remoteid_netbits'])) { $input_errors[] = gettext("A valid remote network bit count must be specified."); } // address rules also apply to network type (hence, no break) // address rules also apply to network type (hence, no break) case "address": if (!$pconfig['remoteid_address'] || !is_ipaddr($pconfig['remoteid_address'])) { $input_errors[] = gettext("A valid remote network IP address must be specified."); } elseif (is_ipaddrv4($pconfig['remoteid_address']) && $pconfig['mode'] != "tunnel") { $input_errors[] = gettext("A valid remote network IPv4 address must be specified or you need to change Mode to IPv6"); } elseif (is_ipaddrv6($pconfig['remoteid_address']) && $pconfig['mode'] != "tunnel6") { $input_errors[] = gettext("A valid remote network IPv6 address must be specified or you need to change Mode to IPv4"); } break; } } /* Validate enabled phase2's are not duplicates */ if (isset($pconfig['mobile'])) { /* User is adding phase 2 for mobile phase1 */ foreach ($config['ipsec']['phase2'] as $key => $name) { if (isset($name['mobile']) && $name['uniqid'] != $pconfig['uniqid']) { /* check duplicate localids only for mobile clents */ $localid_data = ipsec_idinfo_to_cidr($name['localid'], false, $name['mode']); $entered = array();
$idtracker++; } if (empty($_POST['password'])) { $input_errors[] = gettext("You must specify a CARP password that is shared between the two VHID members."); } if ($_POST['interface'] == 'lo0') { $input_errors[] = gettext("For this type of vip localhost is not allowed."); } else { if (strpos($_POST['interface'], '_vip')) { $input_errors[] = gettext("A CARP parent interface can only be used with IP Alias type Virtual IPs."); } } break; case 'ipalias': if (strstr($_POST['interface'], "_vip")) { if (is_ipaddrv4($_POST['subnet'])) { $parent_ip = get_interface_ip($_POST['interface']); $parent_sn = get_interface_subnet($_POST['interface']); $subnet = gen_subnet($parent_ip, $parent_sn); } else { if (is_ipaddrv6($_POST['subnet'])) { $parent_ip = get_interface_ipv6($_POST['interface']); $parent_sn = get_interface_subnetv6($_POST['interface']); $subnet = gen_subnetv6($parent_ip, $parent_sn); } } if (isset($parent_ip) && !ip_in_subnet($_POST['subnet'], "{$subnet}/{$parent_sn}") && !ip_in_interface_alias_subnet(link_carp_interface_to_parent($_POST['interface']), $_POST['subnet'])) { $cannot_find = $_POST['subnet'] . "/" . $_POST['subnet_bits']; $input_errors[] = sprintf(gettext("Sorry, we could not locate an interface with a matching subnet for %s. Please add an IP alias in this subnet on this interface."), $cannot_find); } unset($parent_ip, $parent_sn, $subnet);
if (!$pconfig['mobile']) { $reqdfields[] = "remotegw"; $reqdfieldsn[] = gettext("Remote gateway"); } do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors); if (isset($validate_pskey) && isset($pconfig['pskey']) && !preg_match('/^[[:ascii:]]*$/', $pconfig['pskey'])) { unset($validate_pskey); $input_errors[] = gettext("Pre-Shared Key contains invalid characters."); } if ($pconfig['lifetime'] && !is_numericint($pconfig['lifetime'])) { $input_errors[] = gettext("The P1 lifetime must be an integer."); } if ($pconfig['remotegw']) { if (!is_ipaddr($pconfig['remotegw']) && !is_domain($pconfig['remotegw'])) { $input_errors[] = gettext("A valid remote gateway address or host name must be specified."); } elseif (is_ipaddrv4($pconfig['remotegw']) && $pconfig['protocol'] != "inet") { $input_errors[] = gettext("A valid remote gateway IPv4 address must be specified or protocol needs to be changed to IPv6"); } elseif (is_ipaddrv6($pconfig['remotegw']) && $pconfig['protocol'] != "inet6") { $input_errors[] = gettext("A valid remote gateway IPv6 address must be specified or protocol needs to be changed to IPv4"); } } if ($pconfig['remotegw'] && is_ipaddr($pconfig['remotegw']) && !isset($pconfig['disabled'])) { $t = 0; foreach ($a_phase1 as $ph1tmp) { if ($p1index != $t) { $tremotegw = $pconfig['remotegw']; if ($ph1tmp['remote-gateway'] == $tremotegw && !isset($ph1tmp['disabled'])) { $input_errors[] = sprintf(gettext('The remote gateway "%1$s" is already used by phase1 "%2$s".'), $tremotegw, $ph1tmp['descr']); } } $t++;
do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); if ($_POST['host'] && !is_hostname($_POST['host'])) { $input_errors[] = gettext("The hostname can only contain the characters A-Z, 0-9 and '-'."); } if ($_POST['domain'] && !is_domain($_POST['domain'])) { $input_errors[] = gettext("A valid domain must be specified."); } if ($_POST['ip'] && !is_ipaddr($_POST['ip'])) { $input_errors[] = gettext("A valid IP address must be specified."); } /* check for overlaps */ foreach ($a_hosts as $hostent) { if (isset($id) && $a_hosts[$id] && $a_hosts[$id] === $hostent) { continue; } if ($hostent['host'] == $_POST['host'] && $hostent['domain'] == $_POST['domain'] && (is_ipaddrv4($hostent['ip']) && is_ipaddrv4($_POST['ip']) || is_ipaddrv6($hostent['ip']) && is_ipaddrv6($_POST['ip']))) { $input_errors[] = gettext("This host/domain already exists."); break; } } if (!$input_errors) { $hostent = array(); $hostent['host'] = $_POST['host']; $hostent['domain'] = $_POST['domain']; $hostent['ip'] = $_POST['ip']; $hostent['descr'] = $_POST['descr']; if (isset($id) && $a_hosts[$id]) { $a_hosts[$id] = $hostent; } else { $a_hosts[] = $hostent; }
if ($_POST || $_REQUEST['host']) { unset($input_errors); unset($do_ping); /* input validation */ $reqdfields = explode(" ", "host count"); $reqdfieldsn = array(gettext("Host"), gettext("Count")); do_input_validation($_REQUEST, $reqdfields, $reqdfieldsn, $input_errors); if ($_REQUEST['count'] < 1 || $_REQUEST['count'] > MAX_COUNT) { $input_errors[] = sprintf(gettext("Count must be between 1 and %s"), MAX_COUNT); } $host = trim($_REQUEST['host']); $ipproto = $_REQUEST['ipproto']; if ($ipproto == "ipv4" && is_ipaddrv6($host)) { $input_errors[] = gettext("When using IPv4, the target host must be an IPv4 address or hostname."); } if ($ipproto == "ipv6" && is_ipaddrv4($host)) { $input_errors[] = gettext("When using IPv6, the target host must be an IPv6 address or hostname."); } if (!$input_errors) { $do_ping = true; $sourceip = $_REQUEST['sourceip']; $count = $_POST['count']; if (preg_match('/[^0-9]/', $count)) { $count = DEFAULT_COUNT; } } } if (!isset($do_ping)) { $do_ping = false; $host = ''; $count = DEFAULT_COUNT;
<br /> <?php } ?> <section class="col-xs-12"> <?php /* active tabs */ $tab_array = array(); $tabscounter = 0; $i = 0; foreach ($iflist as $ifent => $ifname) { $oc = $config['interfaces'][$ifent]; if (is_array($config['dhcpd'][$ifent]) && !isset($config['dhcpd'][$ifent]['enable']) && !is_ipaddrv4($oc['ipaddr']) || !is_array($config['dhcpd'][$ifent]) && !is_ipaddrv4($oc['ipaddr'])) { continue; } if ($ifent == $if) { $active = true; } else { $active = false; } $tab_array[] = array($ifname, $active, "services_dhcp.php?if={$ifent}"); $tabscounter++; } if ($tabscounter == 0) { echo "</section>"; echo "</div>"; echo "</div>"; echo "</section>";
continue; } $old_targets[] = $tgt; } } else { $old_targets[] = $oroute['network']; } } $overlaps = array_intersect($current_targets, $new_targets); $overlaps = array_diff($overlaps, $old_targets); if (count($overlaps)) { $input_errors[] = gettext("A route to these destination networks already exists") . ": " . implode(", ", $overlaps); } if (is_array($config['interfaces'])) { foreach ($config['interfaces'] as $if) { if (is_ipaddrv4($_POST['network']) && isset($if['ipaddr']) && isset($if['subnet']) && is_ipaddrv4($if['ipaddr']) && is_numeric($if['subnet']) && $_POST['network_subnet'] == $if['subnet'] && gen_subnet($_POST['network'], $_POST['network_subnet']) == gen_subnet($if['ipaddr'], $if['subnet'])) { $input_errors[] = sprintf(gettext("This network conflicts with address configured on interface %s."), $if['descr']); } else { if (is_ipaddrv6($_POST['network']) && isset($if['ipaddrv6']) && isset($if['subnetv6']) && is_ipaddrv6($if['ipaddrv6']) && is_numeric($if['subnetv6']) && $_POST['network_subnet'] == $if['subnetv6'] && gen_subnetv6($_POST['network'], $_POST['network_subnet']) == gen_subnetv6($if['ipaddrv6'], $if['subnetv6'])) { $input_errors[] = sprintf(gettext("This network conflicts with address configured on interface %s."), $if['descr']); } } } } if (!$input_errors) { $route = array(); $route['network'] = $osn; $route['gateway'] = $_POST['gateway']; $route['descr'] = $_POST['descr']; if ($_POST['disabled']) { $route['disabled'] = true;
/**
 * Build the option list for the gateway selector of the interface being edited.
 *
 * Reads the globals $a_gateways (gateway list) and $if (interface key). A
 * gateway is offered only when it is bound to $if and its address passes
 * is_ipaddrv4(); a leading "none" entry is always present.
 *
 * @return array<string, string> gateway name => "name - address" label
 */
function build_gateway_list() {
	global $a_gateways, $if;

	$options = array("none" => "None");

	foreach ($a_gateways as $gw) {
		// Skip gateways on other interfaces and non-IPv4 gateway addresses.
		if ($gw['interface'] != $if) {
			continue;
		}
		if (!is_ipaddrv4($gw['gateway'])) {
			continue;
		}
		$options[$gw['name']] = "{$gw['name']} - {$gw['gateway']}";
	}

	return $options;
}
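* See the License for the specific language governing permissions and
* limitations under the License.
*/

##|+PRIV
##|*IDENT=page-diagnostics-arptable
##|*NAME=Diagnostics: ARP Table
##|*DESCR=Allow access to the 'Diagnostics: ARP Table' page.
##|*MATCH=diag_arp.php*
##|-PRIV

@ini_set('zlib.output_compression', 0);
@ini_set('implicit_flush', 1);

require_once "guiconfig.inc";

// delete arp entry
// NOTE(review): this is a state-changing action driven by a GET parameter;
// confirm the request checks done by guiconfig.inc cover this page.
if (isset($_GET['deleteentry'])) {
	$ip = $_GET['deleteentry'];
	if (is_ipaddrv4($ip)) {
		// The value has already passed is_ipaddrv4(), but the shell argument
		// is quoted anyway so request data can never reach the shell unescaped
		// (previously the raw $_GET value was concatenated into the command).
		$ret = mwexec("arp -d " . escapeshellarg($ip), true);
	} else {
		// Not an IPv4 address: report failure without running anything.
		$ret = 1;
	}
	// mwexec() is a project helper; a non-zero return is treated as failure.
	if ($ret) {
		$savemsg = sprintf(gettext("%s is not a valid IPv4 address or could not be deleted."), $ip);
		$savemsgtype = 'alert-warning';
	} else {
		$savemsg = sprintf(gettext("The ARP cache entry for %s has been deleted."), $ip);
		$savemsgtype = 'success';
	}
}

// leasecmp() continues beyond this excerpt; left unchanged.
function leasecmp($a, $b) {
	return strcmp($a[$_GET['order']], $b[$_GET['order']]);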
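<option value="" ><?php echo gettext("default"); ?> </option>
<?php
/* build a list of gateways */
$gateways = return_gateways_array();

// add statically configured gateways to list
// Each gateway is filtered against the protocol family selected in
// $pconfig['ipprotocol']; "inet46" rules get no single-family gateway at all.
foreach ($gateways as $gwname => $gw) {
	if ($pconfig['ipprotocol'] == "inet46") {
		continue;
	}
	if ($pconfig['ipprotocol'] == "inet6" && !($gw['ipprotocol'] == "inet6" || is_ipaddrv6($gw['gateway']))) {
		continue;
	}
	if ($pconfig['ipprotocol'] == "inet" && !($gw['ipprotocol'] == "inet" || is_ipaddrv4($gw['gateway']))) {
		continue;
	}
	// NOTE(review): when $gw is an array (as the key reads above imply) this
	// loose comparison is never true; kept as-is to preserve behaviour.
	if ($gw == "") {
		continue;
	}
	$selected = ($gwname == $pconfig['gateway']) ? " selected=\"selected\"" : "";
	// Fix: the original read $gw[gateway] (an unquoted, undefined constant;
	// PHP 8 raises an Error here). The intended key is the quoted 'gateway'.
	$gateway_addr_str = empty($gw['gateway']) ? "" : " - " . $gw['gateway'];
	// NOTE(review): $gwname and $gw['name'] are echoed into HTML unescaped;
	// confirm gateway names are restricted to safe characters where they are
	// saved, or wrap them in htmlspecialchars() here.
	echo "<option value=\"{$gwname}\" {$selected}>{$gw['name']}{$gateway_addr_str}</option>\n";
}

/* add gateway groups to the list */
// This block continues beyond this excerpt; left unchanged.
if (is_array($a_gatewaygroups)) {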
/**
 * Convert an inclusive IP range into the list of CIDR subnets that cover it
 * exactly.
 *
 * Both endpoints must be of the same family: IPv4 (is_ipaddrv4()) or IPv6
 * (is_ipaddrv6()); any other input yields an empty array. The endpoints may
 * be given in either order. All work is done on fixed-width binary strings
 * of $bits characters so that strcmp() acts as an unsigned comparison and
 * substr() acts as a bit shift.
 *
 * @param string $ip1 one end of the range (IPv4 or IPv6 literal)
 * @param string $ip2 the other end of the range, same family as $ip1
 * @return array list of "address/prefixlen" strings sorted by address,
 *               or an empty array when the inputs are not a same-family pair
 */
function ip_range_to_subnet_array_temp($ip1, $ip2) {
	if (is_ipaddrv4($ip1) && is_ipaddrv4($ip2)) {
		$proto = 'ipv4'; // for clarity
		$bits = 32;
		// ip2long32() is a project helper -- presumably an unsigned ip2long; confirm.
		$ip1bin = decbin(ip2long32($ip1));
		$ip2bin = decbin(ip2long32($ip2));
	} elseif (is_ipaddrv6($ip1) && is_ipaddrv6($ip2)) {
		$proto = 'ipv6';
		$bits = 128;
		// Net_IPv6::_ip2Bin() is assumed to return a 128-char binary string -- confirm.
		$ip1bin = Net_IPv6::_ip2Bin($ip1);
		$ip2bin = Net_IPv6::_ip2Bin($ip2);
	} else {
		return array();
	}

	// it's *crucial* that binary strings are guaranteed the expected length; do this for certainty even though for IPv6 it's redundant
	// (decbin() drops leading zeros, so the IPv4 strings genuinely need the padding)
	$ip1bin = str_pad($ip1bin, $bits, '0', STR_PAD_LEFT);
	$ip2bin = str_pad($ip2bin, $bits, '0', STR_PAD_LEFT);

	// A single-address range is one host route.
	if ($ip1bin === $ip2bin) {
		return array($ip1 . '/' . $bits);
	}
	if (strcmp($ip1bin, $ip2bin) > 0) {
		list($ip1bin, $ip2bin) = array($ip2bin, $ip1bin);
	} // swap contents of ip1 <= ip2

	// $rangesubnets maps a full-width binary network address to its prefix length.
	// $netsize counts how many low-order bits have been shifted out so far.
	$rangesubnets = array();
	$netsize = 0;

	do {
		// at loop start, $ip1 is guaranteed strictly less than $ip2 (important for edge case trapping and preventing accidental binary wrapround)
		// which means the assignments $ip1 += 1 and $ip2 -= 1 will always be "binary-wrapround-safe"

		// step #1 if start ip (as shifted) ends in any '1's, then it must have a single cidr to itself (any cidr would include the '0' below it)
		if (substr($ip1bin, -1, 1) == '1') {
			// the start ip must be in a separate one-IP cidr range
			// (the low $netsize bits were shifted out earlier; restore them as zeros)
			$new_subnet_ip = substr($ip1bin, $netsize, $bits - $netsize) . str_repeat('0', $netsize);
			$rangesubnets[$new_subnet_ip] = $bits - $netsize;
			$n = strrpos($ip1bin, '0'); //can't be all 1's
			// (loose == also covers strrpos() returning false)
			$ip1bin = ($n == 0 ? '' : substr($ip1bin, 0, $n)) . '1' . str_repeat('0', $bits - $n - 1); // BINARY VERSION OF $ip1 += 1
		}

		// step #2, if end ip (as shifted) ends in any zeros then that must have a cidr to itself (as cidr cant span the 1->0 gap)
		if (substr($ip2bin, -1, 1) == '0') {
			// the end ip must be in a separate one-IP cidr range
			$new_subnet_ip = substr($ip2bin, $netsize, $bits - $netsize) . str_repeat('0', $netsize);
			$rangesubnets[$new_subnet_ip] = $bits - $netsize;
			$n = strrpos($ip2bin, '1'); //can't be all 0's
			$ip2bin = ($n == 0 ? '' : substr($ip2bin, 0, $n)) . '0' . str_repeat('1', $bits - $n - 1); // BINARY VERSION OF $ip2 -= 1
			// already checked for the edge case where end = start+1 and start ends in 0x1, above, so it's safe
		}

		// this is the only edge case arising from increment/decrement.
		// it happens if the range at start of loop is exactly 2 adjacent ips, that spanned the 1->0 gap. (we will have enumerated both by now)
		// 'continue' inside do/while jumps to the while() test, which then fails because ip2 < ip1.
		if (strcmp($ip2bin, $ip1bin) < 0) {
			continue;
		}

		// step #3 the start and end ip MUST now end in '0's and '1's respectively
		// so we have a non-trivial range AND the last N bits are no longer important for CIDR purposes.
		// NOTE(review): as written, both strrpos() calls return $bits - 1 here (steps #1/#2 just
		// normalised the last bit to '0' / '1'), so $shift is always 1 and the loop peels one
		// bit per iteration. The result is still correct; it is only slower than the comment
		// on the next line suggests.
		$shift = $bits - max(strrpos($ip1bin, '0'), strrpos($ip2bin, '1')); // num of low bits which are '0' in ip1 and '1' in ip2
		$ip1bin = str_repeat('0', $shift) . substr($ip1bin, 0, $bits - $shift);
		$ip2bin = str_repeat('0', $shift) . substr($ip2bin, 0, $bits - $shift);
		$netsize += $shift;

		if ($ip1bin === $ip2bin) {
			// we're done.
			$new_subnet_ip = substr($ip1bin, $netsize, $bits - $netsize) . str_repeat('0', $netsize);
			$rangesubnets[$new_subnet_ip] = $bits - $netsize;
			continue;
		}

		// at this point there's still a remaining range, and either startip ends with '1', or endip ends with '0'. So repeat cycle.
	} while (strcmp($ip1bin, $ip2bin) < 0);

	// subnets are ordered by bit size. Re sort by IP ("naturally") and convert back to IPv4/IPv6
	// (keys are fixed-width binary strings, so a plain string sort is an address sort)
	ksort($rangesubnets, SORT_STRING);

	$out = array();
	foreach ($rangesubnets as $ip => $netmask) {
		if ($proto == 'ipv4') {
			// four 8-bit groups -> dotted quad
			$i = str_split($ip, 8);
			$out[] = implode('.', array(bindec($i[0]), bindec($i[1]), bindec($i[2]), bindec($i[3]))) . '/' . $netmask;
		} else {
			$out[] = Net_IPv6::compress(Net_IPv6::_bin2Ip($ip)) . '/' . $netmask;
		}
	}
	return $out;
}