function delete_static_route($id)
{
global $config, $a_routes;
if (!isset($a_routes[$id])) {
return;
}
$targets = array();
if (is_alias($a_routes[$id]['network'])) {
foreach (filter_expand_alias_array($a_routes[$id]['network']) as $tgt) {
if (is_ipaddrv4($tgt)) {
$tgt .= "/32";
} elseif (is_ipaddrv6($tgt)) {
$tgt .= "/128";
}
if (!is_subnet($tgt)) {
continue;
}
$targets[] = $tgt;
}
} else {
$targets[] = $a_routes[$id]['network'];
}
foreach ($targets as $tgt) {
$family = is_subnetv6($tgt) ? "-inet6" : "-inet";
mwexec("/sbin/route delete {$family} " . escapeshellarg($tgt));
}
unset($targets);
}
function fixup_host($value, $position) {
$host = strip_host_logic($value);
$not = has_not($value) ? "not " : "";
$andor = ($position > 0) ? get_host_boolean($value, $host) : "";
if (is_ipaddr($host))
return "{$andor}host {$not}" . $host;
elseif (is_subnet($host))
return "{$andor}net {$not}" . $host;
else
return "";
}
function easyrule_parse_pass($int, $proto, $src, $dst, $dstport = 0, $ipproto = "inet")
{
/* Check for valid int, srchost, dsthost, dstport, and proto */
$protocols_with_ports = array('tcp', 'udp');
$src = trim($src, "[]");
$dst = trim($dst, "[]");
if (!empty($int) && !empty($proto) && !empty($src) && !empty($dst)) {
$int = easyrule_find_rule_interface($int);
if ($int === false) {
return gettext("Invalid interface for pass rule:") . ' ' . htmlspecialchars($int);
}
if (getprotobyname($proto) == -1) {
return gettext("Invalid protocol for pass rule:") . ' ' . htmlspecialchars($proto);
}
if (!is_ipaddr($src) && !is_subnet($src) && !is_ipaddroralias($src) && !is_specialnet($src)) {
return gettext("Tried to pass invalid source IP:") . ' ' . htmlspecialchars($src);
}
if (!is_ipaddr($dst) && !is_subnet($dst) && !is_ipaddroralias($dst) && !is_specialnet($dst)) {
return gettext("Tried to pass invalid destination IP:") . ' ' . htmlspecialchars($dst);
}
if (in_array($proto, $protocols_with_ports)) {
if (empty($dstport)) {
return gettext("Missing destination port:") . ' ' . htmlspecialchars($dstport);
}
if (!is_port($dstport) && $dstport != "any") {
return gettext("Tried to pass invalid destination port:") . ' ' . htmlspecialchars($dstport);
}
} else {
$dstport = 0;
}
/* Should have valid input... */
if (easyrule_pass_rule_add($int, $proto, $src, $dst, $dstport, $ipproto)) {
return gettext("Successfully added pass rule!");
} else {
return gettext("Failed to add pass rule.");
}
} else {
return gettext("Missing parameters for pass rule.");
}
return gettext("Unknown pass error.");
}
}
$new_targets[] = $tgt;
}
}
if (!isset($id)) {
$id = count($a_routes);
}
$oroute = $a_routes[$id];
if (!empty($oroute)) {
$old_targets = array();
if (is_alias($oroute['network'])) {
foreach (filter_expand_alias_array($oroute['network']) as $tgt) {
if (is_ipaddr($tgt)) {
$tgt .= "/32";
}
if (!is_subnet($tgt)) {
continue;
}
$old_targets[] = $tgt;
}
} else {
$old_targets[] = $oroute['network'];
}
}
$overlaps = array_intersect($current_targets, $new_targets);
$overlaps = array_diff($overlaps, $old_targets);
if (count($overlaps)) {
$input_errors[] = gettext("A route to these destination networks already exists") . ": " . implode(", ", $overlaps);
}
if (!$input_errors) {
$route = array();
}
if ($_POST['target'] && !is_ipaddr($_POST['target']) && !is_subnet($_POST['target']) && !is_alias($_POST['target']) && !isset($_POST['nonat']) && !($_POST['target'] == "other-subnet")) {
$input_errors[] = gettext("A valid target IP address must be specified.");
}
if ($_POST['target'] == "other-subnet") {
if (!is_ipaddr($_POST['targetip'])) {
$input_errors[] = gettext("A valid target IP must be specified when using the 'Other Subnet' type.");
}
if (!is_numericint($_POST['targetip_subnet'])) {
$input_errors[] = gettext("A valid target bit count must be specified when using the 'Other Subnet' type.");
}
}
/* Verify Pool Options */
$poolopts = "";
if ($_POST['poolopts']) {
if (is_subnet($_POST['target']) || $_POST['target'] == "other-subnet") {
$poolopts = $_POST['poolopts'];
} elseif (is_alias($_POST['target'])) {
if (substr($_POST['poolopts'], 0, 11) == "round-robin") {
$poolopts = $_POST['poolopts'];
} else {
$input_errors[] = gettext("Only Round Robin pool options may be chosen when selecting an alias.");
}
}
}
/* if user has selected any as source, set it here */
if ($_POST['source_type'] == "any") {
$osn = "any";
} else {
if ($_POST['source_type'] == "(self)") {
$osn = "(self)";
$impip = $implinea[0];
$impdesc = trim($implinea[1]);
if (strlen($impdesc) < 200) {
if (strpos($impdesc, "||") === false && substr($impdesc, 0, 1) != "|" && substr($impdesc, -1, 1) != "|") {
$iprange_type = is_iprange($impip);
if ($iprange_type == 4) {
list($startip, $endip) = explode('-', $impip);
$rangesubnets = ip_range_to_subnet_array($startip, $endip);
$imported_ips = array_merge($imported_ips, $rangesubnets);
$rangedescs = array_fill(0, count($rangesubnets), $impdesc);
$imported_descs = array_merge($imported_descs, $rangedescs);
} else {
if ($iprange_type == 6) {
$input_errors[] = sprintf(gettext('IPv6 address ranges are not supported (%s)'), $impip);
} else {
if (!is_ipaddr($impip) && !is_subnet($impip) && !is_hostname($impip) && !empty($impip)) {
$input_errors[] = sprintf(gettext("%s is not an IP address. Please correct the error to continue"), $impip);
} elseif (!empty($impip)) {
$imported_ips[] = $impip;
$imported_descs[] = $impdesc;
}
}
}
} else {
if (!$desc_fmt_err_found) {
$input_errors[] = gettext("Descriptions may not start or end with vertical bar (|) or contain double vertical bar ||.");
$desc_fmt_err_found = true;
}
}
} else {
if (!$desc_len_err_found) {
if (!empty($_POST['tablename'])) {
$tablename = $_POST['tablename'];
}
if (isset($_POST['act']) && $_POST['act'] == 'update_bogons') {
try {
configd_run("filter update bogons");
} catch (Exception $e) {
$savemsg = gettext("The bogons database has NOT been updated.");
} finally {
$savemsg = gettext("The bogons database has been updated.");
}
echo $savemsg;
exit;
} elseif (isset($_POST['act']) && $_POST['act'] == 'delete') {
// delete entry
if ((is_ipaddr($_REQUEST['address']) || is_subnet($_REQUEST['address'])) && !empty($tablename)) {
$delEntry = escapeshellarg($_REQUEST['address']);
$delTable = escapeshellarg($tablename);
configd_run("filter delete table {$delTable} {$delEntry}");
header("Location: diag_tables.php?tablename=" . $tablename);
exit;
}
} elseif (isset($_POST['act']) && $_POST['act'] == 'flush') {
$delTable = escapeshellarg($tablename);
configd_run("filter delete table {$delTable} ALL");
header("Location: diag_tables.php?tablename=" . $tablename);
exit;
}
}
// fetch list of tables and content of selected table
$tables = json_decode(configd_run("filter list tables json"));
?>
</td>
<td style="font-weight:bold;" align="right">
<?php
echo gettext("Filter expression:");
?>
<input type="text" name="filter" class="formfld search" value="<?php
echo htmlspecialchars($_GET['filter']);
?>
" size="30" />
<input type="submit" class="formbtn" value="<?php
echo gettext("Filter");
?>
" />
<?php
if (is_ipaddr($_GET['filter']) || is_subnet($_GET['filter'])) {
?>
<input type="submit" class="formbtn" name="killfilter" value="<?php
echo gettext("Kill");
?>
" />
<?php
}
?>
<td>
</tr>
</table>
</form>
</td>
</tr>
<tr>
clear_subsystem_dirty('unbound');
}
} else {
if (!$deleting) {
// input validation - only allow 50 entries in a single ACL
for ($x = 0; $x < 50; $x++) {
if (isset($pconfig["acl_network{$x}"])) {
$networkacl[$x] = array();
$networkacl[$x]['acl_network'] = $pconfig["acl_network{$x}"];
$networkacl[$x]['mask'] = $pconfig["mask{$x}"];
$networkacl[$x]['description'] = $pconfig["description{$x}"];
if (!is_ipaddr($networkacl[$x]['acl_network'])) {
$input_errors[] = gettext("You must enter a valid IP address for each row under Networks.");
}
if (is_ipaddr($networkacl[$x]['acl_network'])) {
if (!is_subnet($networkacl[$x]['acl_network'] . "/" . $networkacl[$x]['mask'])) {
$input_errors[] = gettext("You must enter a valid IPv4 netmask for each IPv4 row under Networks.");
}
} else {
if (function_exists("is_ipaddrv6")) {
if (!is_ipaddrv6($networkacl[$x]['acl_network'])) {
$input_errors[] = gettext("You must enter a valid IPv6 address for {$networkacl[$x]['acl_network']}.");
} else {
if (!is_subnetv6($networkacl[$x]['acl_network'] . "/" . $networkacl[$x]['mask'])) {
$input_errors[] = gettext("You must enter a valid IPv6 netmask for each IPv6 row under Networks.");
}
}
} else {
$input_errors[] = gettext("You must enter a valid IP address for each row under Networks.");
}
}
}
}
} else {
// IP alias - host or network
$iprange_type = is_iprange($impip);
if ($iprange_type == 4) {
list($startip, $endip) = explode('-', $impip);
$rangesubnets = ip_range_to_subnet_array($startip, $endip);
$imported_ips = array_merge($imported_ips, $rangesubnets);
$rangedescs = array_fill(0, count($rangesubnets), $impdesc);
$imported_descs = array_merge($imported_descs, $rangedescs);
} else {
if ($iprange_type == 6) {
$input_errors[] = sprintf(gettext('IPv6 address ranges are not supported (%s)'), $impip);
} else {
$is_subnet = is_subnet($impip);
if (!is_ipaddr($impip) && !$is_subnet && !is_hostname($impip) && !empty($impip)) {
$input_errors[] = sprintf(gettext("%s is not an IP address. Please correct the error to continue"), $impip);
} elseif (!empty($impip)) {
if ($is_subnet) {
$alias_type = "network";
}
$imported_ips[] = $impip;
$imported_descs[] = $impdesc;
}
}
}
}
} else {
if (!$desc_fmt_err_found) {
$input_errors[] = gettext("Descriptions may not start or end with vertical bar (|) or contain double vertical bar ||.");
if (!(in_array($pconfig['source'], array("any", "(self)")) || is_ipaddroralias($pconfig['source']))) {
$input_errors[] = gettext("A valid source must be specified.");
}
if (!empty($pconfig['source_subnet']) && !is_numericint($pconfig['source_subnet'])) {
$input_errors[] = gettext("A valid source bit count must be specified.");
}
if (!(in_array($pconfig['destination'], array("any", "(self)")) || is_ipaddroralias($pconfig['destination']))) {
$input_errors[] = gettext("A valid destination must be specified.");
}
if (!empty($pconfig['destination_subnet']) && !is_numericint($pconfig['destination_subnet'])) {
$input_errors[] = gettext("A valid destination bit count must be specified.");
}
if ($pconfig['destination'] == "any" && !empty($pconfig['destination_not'])) {
$input_errors[] = gettext("Negating destination address of \"any\" is invalid.");
}
if (!empty($pconfig['targetip']) && !is_ipaddr($pconfig['targetip']) && !is_subnet($pconfig['targetip']) && !is_alias($pconfig['targetip']) && empty($pconfig['nonat'])) {
$input_errors[] = gettext("A valid target IP address must be specified.");
}
/* Verify Pool Options */
if (!empty($pconfig['targetip']) && !is_alias($pconfig['targetip']) && substr($pconfig['poolopts'], 0, 11) == "round-robin") {
$input_errors[] = gettext("Only Round Robin pool options may be chosen when selecting an alias.");
}
if (count($input_errors) == 0) {
$natent = array();
$natent['source'] = array();
$natent['destination'] = array();
$natent['descr'] = $pconfig['descr'];
$natent['interface'] = $pconfig['interface'];
$natent['poolopts'] = $pconfig['poolopts'];
if (isset($a_out[$id]['created']) && is_array($a_out[$id]['created'])) {
$natent['created'] = $a_out[$id]['created'];
if ("https" === $_POST['webguiproto']) {
$reqdfields = array_merge($reqdfields, explode(" ", "certificate privatekey"));
$reqdfieldsn = array_merge($reqdfieldsn, array(gettext("Certificate"), gettext("Private key")));
$reqdfieldst = array_merge($reqdfieldst, explode(" ", "certificate privatekey"));
}
if (!empty($_POST['webguiport'])) {
$reqdfields = array_merge($reqdfields, array("webguiport"));
$reqdfieldsn = array_merge($reqdfieldsn, array(gettext("Port")));
$reqdfieldst = array_merge($reqdfieldst, array("port"));
}
do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
do_input_validation_type($_POST, $reqdfields, $reqdfieldsn, $reqdfieldst, $input_errors);
if (!empty($_POST['webguihostsallow'])) {
foreach (explode(' ', $_POST['webguihostsallow']) as $a) {
list($hp, $np) = explode('/', $a);
if (!is_ipaddr($hp) || !empty($np) && !is_subnet($a)) {
$input_errors[] = gettext("A valid IP address or CIDR notation must be specified for the hosts allow.");
}
}
}
if ($_POST['dns1'] && !is_ipv4addr($_POST['dns1']) || $_POST['dns2'] && !is_ipv4addr($_POST['dns2'])) {
$input_errors[] = gettext("A valid IPv4 address must be specified for the primary/secondary DNS server.");
}
if ($_POST['ipv6dns1'] && !is_ipv6addr($_POST['ipv6dns1']) || $_POST['ipv6dns2'] && !is_ipv6addr($_POST['ipv6dns2'])) {
$input_errors[] = gettext("A valid IPv6 address must be specified for the primary/secondary DNS server.");
}
if (isset($_POST['ntp_enable'])) {
$t = (int) $_POST['ntp_updateinterval'];
if ($t < 0 || $t > 0 && $t < 6 || $t > 1440) {
$input_errors[] = gettext("The time update interval must be either between 6 and 1440.");
}
/**
* start capture operation
* @param array $option, options to pass to tpcdump (interface, promiscuous, snaplen, fam, host, proto, port)
*/
function start_capture($options)
{
$cmd_opts = array();
$filter_opts = array();
$intf = get_real_interface($options['interface']);
$cmd_opts[] = '-i ' . $intf;
if (empty($options['promiscuous'])) {
// disable promiscuous mode
$cmd_opts[] = '-p';
}
if (!empty($options['snaplen']) && is_numeric($options['snaplen'])) {
// setup Packet Length
$cmd_opts[] = '-s ' . $options['snaplen'];
}
if (!empty($options['count']) && is_numeric($options['count'])) {
// setup count
$cmd_opts[] = '-c ' . $options['count'];
}
if (!empty($options['fam']) && in_array($options['fam'], array('ip', 'ip6'))) {
// filter address family
$filter_opts[] = $options['fam'];
}
if (!empty($options['proto'])) {
// filter protocol
$filter_opts[] = $options['proto'];
}
if (!empty($options['host'])) {
// filter host argument
$filter = '';
$prev_token = '';
foreach (explode(' ', $options['host']) as $token) {
if (in_array(trim($token), array('and', 'or'))) {
$filter .= $token;
} elseif (is_ipaddr($token)) {
$filter .= "host " . $prev_token . " " . $token;
} elseif (is_subnet($token)) {
$filter .= "net " . $prev_token . " " . $token;
}
if (trim($token) == 'not') {
$prev_token = 'not';
} else {
$prev_token = '';
}
$filter .= " ";
}
$filter_opts[] = "( " . $filter . " )";
}
if (!empty($options['port'])) {
// filter port
$filter_opts[] = "port " . str_replace("!", "not ", $options['port']);
}
if (!empty($intf)) {
$cmd = '/usr/sbin/tcpdump ';
$cmd .= implode(' ', $cmd_opts);
$cmd .= ' -w /root/packetcapture.cap ';
$cmd .= " " . escapeshellarg(implode(' and ', $filter_opts));
//delete previous packet capture if it exists
if (file_exists('/root/packetcapture.cap')) {
unlink('/root/packetcapture.cap');
}
mwexec_bg($cmd);
}
}
if (file_exists("{$temp_filename}/aliases")) {
$file_contents = file_get_contents("{$temp_filename}/aliases");
$file_contents = str_replace("#", "\n#", $file_contents);
$file_contents_split = explode("\n", $file_contents);
foreach ($file_contents_split as $fc) {
// Stop at 3000 items, aliases larger than that tend to break both pf and the WebGUI.
if ($address_count >= 3000) {
break;
}
$tmp = trim($fc);
if (stristr($fc, "#")) {
$tmp_split = explode("#", $tmp);
$tmp = trim($tmp_split[0]);
}
$tmp = trim($tmp);
if (!empty($tmp) && (is_ipaddr($tmp) || is_subnet($tmp))) {
$address[] = $tmp;
$isfirst = 1;
$address_count++;
}
}
if ($isfirst == 0) {
/* nothing was found */
$input_errors[] = gettext("You must provide a valid URL. Could not fetch usable data.");
$dont_update = true;
break;
}
$alias['aliasurl'][] = $_POST['address' . $x];
mwexec("/bin/rm -rf {$temp_filename}");
} else {
$input_errors[] = gettext("You must provide a valid URL.");
?>
</div></td>
<td><div id="twocolumn">CIDR</div></td>
<td><div id="threecolumn"><?php
echo gettext("Description");
?>
</div></td>
</tr>
<?php
$counter = 0;
if ($pconfig['address'] != "") {
$addresses = explode(" ", $pconfig['address']);
$details = explode("||", $pconfig['detail']);
while ($counter < count($addresses)) {
if (is_subnet($addresses[$counter])) {
list($address, $address_subnet) = explode("/", $addresses[$counter]);
} else {
$address = $addresses[$counter];
$address_subnet = "";
}
?>
<tr>
<td>
<input autocomplete="off" name="address<?php
echo $counter;
?>
" type="text" class="formfldalias ipv4v6" id="address<?php
echo $counter;
?>
" size="30" value="<?php
$section->addInput(new Form_Select('type', 'Type', isset($pconfig['type']) ? $pconfig['type'] : $tab, $types));
$form->add($section);
$section = new Form_Section($section_str[$tab]);
// Make somewhere to park the help text, and give it a class so we can update it later
$section->addInput(new Form_StaticText('Hint', '<span class="helptext">' . $help[$tab] . '</span>'));
// If no addresses have been defined, we'll make up a blank set
if ($pconfig['address'] == "") {
$pconfig['address'] = '';
$pconfig['address_subnet'] = '';
$pconfig['detail'] = '';
}
$counter = 0;
$addresses = explode(" ", $pconfig['address']);
$details = explode("||", $pconfig['detail']);
while ($counter < count($addresses)) {
if ($pconfig['type'] != "host" && is_subnet($addresses[$counter])) {
list($address, $address_subnet) = explode("/", $addresses[$counter]);
} else {
$address = $addresses[$counter];
$address_subnet = "";
}
$group = new Form_Group($counter == 0 ? $label_str[$tab] : '');
$group->addClass('repeatable');
$group->add(new Form_IpAddress('address' . $counter, 'Address', $address))->addMask('address_subnet' . $counter, $address_subnet)->setWidth(4)->setPattern('[0-9, a-z, A-Z and .');
$group->add(new Form_Input('detail' . $counter, 'Description', 'text', $details[$counter]))->setWidth(4);
$group->add(new Form_Button('deleterow' . $counter, 'Delete'))->removeClass('btn-primary')->addClass('btn-warning');
$section->add($group);
$counter++;
}
$form->addGlobal(new Form_Button('addrow', $btn_str[$tab]))->removeClass('btn-primary')->addClass('btn-success addbtn');
$form->add($section);
##|+PRIV
##|*IDENT=page-diagnostics-tables
##|*NAME=Diagnostics: PF Table IP addresses
##|*DESCR=Allow access to the 'Diagnostics: Tables' page.
##|*MATCH=diag_tables.php*
##|-PRIV
$pgtitle = array(gettext("Diagnostics"), gettext("Tables"));
$shortcut_section = "aliases";
require_once "guiconfig.inc";
// Set default table
$tablename = "sshlockout";
if ($_REQUEST['type']) {
$tablename = $_REQUEST['type'];
}
if ($_REQUEST['delete']) {
if (is_ipaddr($_REQUEST['delete']) || is_subnet($_REQUEST['delete'])) {
exec("/sbin/pfctl -t " . escapeshellarg($_REQUEST['type']) . " -T delete " . escapeshellarg($_REQUEST['delete']), $delete);
echo htmlentities($_REQUEST['delete']);
}
exit;
}
if ($_REQUEST['deleteall']) {
exec("/sbin/pfctl -t " . escapeshellarg($tablename) . " -T show", $entries);
if (is_array($entries)) {
foreach ($entries as $entryA) {
$entry = trim($entryA);
exec("/sbin/pfctl -t " . escapeshellarg($tablename) . " -T delete " . escapeshellarg($entry), $delete);
}
}
}
if (($tablename == "bogons" || $tablename == "bogonsv6") && $_POST['Download']) {
$tab_array[] = array(gettext("States"), true, "diag_dump_states.php");
if (isset($config['system']['lb_use_sticky'])) {
$tab_array[] = array(gettext("Source Tracking"), false, "diag_dump_states_sources.php");
}
$tab_array[] = array(gettext("Reset States"), false, "diag_resetstate.php");
display_top_tabs($tab_array);
// Start of tab content
$current_statecount = `pfctl -si | grep "current entries" | awk '{ print \$3 }'`;
require_once 'classes/Form.class.php';
$form = new Form(false);
$section = new Form_Section('State filter');
$section->addInput(new Form_Input('filter', 'Filter expression', 'text', $_POST['filter'], ['placeholder' => 'Simple filter such as 192.168, v6, icmp or ESTABLISHED']));
$filterbtn = new Form_Button('filterbtn', 'Filter', null);
$filterbtn->removeClass('btn-primary')->addClass('btn-default btn-sm');
$section->addInput(new Form_StaticText('', $filterbtn));
if (isset($_POST['filter']) && (is_ipaddr($_POST['filter']) || is_subnet($_POST['filter']))) {
$killbtn = new Form_Button('killfilter', 'Kill States');
$killbtn->removeClass('btn-primary')->addClass('btn-danger btn-sm');
$section->addInput(new Form_StaticText('Kill filtered states', $killbtn))->setHelp('Remove all states to and from the filtered address');
}
$form->add($section);
print $form;
?>
<table class="table table-striped">
<thead>
<tr>
<th><?php
echo gettext("Int");
?>
</th>
<th><?php
}
if ($do_tcpdump) {
$matches = array();
if (in_array($fam, $fams)) {
$matches[] = $fam;
}
if (in_array($proto, $protos)) {
$matches[] = $proto;
}
if ($port != "") {
$matches[] = "port " . $port;
}
if ($host != "") {
if (is_ipaddr($host)) {
$matches[] = "host " . $host;
} elseif (is_subnet($host)) {
$matches[] = "net " . $host;
}
}
if ($count != "0") {
$searchcount = "-c " . $count;
} else {
$searchcount = "";
}
$selectedif = convert_friendly_interface_to_real_interface_name($selectedif);
if ($action == gettext("Start")) {
$matchstr = implode($matches, " and ");
echo "<strong>" . gettext("Packet Capture is running.") . "</strong><br/>";
mwexec_bg("/usr/sbin/tcpdump -i {$selectedif} {$searchcount} -s {$packetlength} -w {$fp}{$fn} {$matchstr}");
// echo "/usr/sbin/tcpdump -i $selectedif $searchcount -s $packetlength -w $fp$fn $matchstr";
} else {
