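/**
 * Remove the kernel route(s) belonging to static route entry $id.
 *
 * When the entry's network is an alias, each member returned by
 * filter_expand_alias_array() is turned into a host prefix (/32 or /128) so
 * that is_subnet() accepts it; members that still are not a subnet (for
 * example hostnames) are skipped. A non-alias network is removed as written.
 *
 * @param int|string $id  index into the global $a_routes array; unknown ids are ignored
 * @return void
 */
function delete_static_route($id)
{
    global $a_routes;

    if (!isset($a_routes[$id])) {
        return;
    }

    $network = $a_routes[$id]['network'];
    $targets = array();

    if (is_alias($network)) {
        foreach (filter_expand_alias_array($network) as $tgt) {
            // bare addresses become single-host prefixes so they pass the subnet check below
            if (is_ipaddrv4($tgt)) {
                $tgt .= "/32";
            } elseif (is_ipaddrv6($tgt)) {
                $tgt .= "/128";
            }
            if (!is_subnet($tgt)) {
                continue;
            }
            $targets[] = $tgt;
        }
    } else {
        $targets[] = $network;
    }

    foreach ($targets as $tgt) {
        $family = is_subnetv6($tgt) ? "-inet6" : "-inet";
        // the destination comes from stored configuration but still ends up on a shell
        // command line, so it is always quoted
        mwexec("/sbin/route delete {$family} " . escapeshellarg($tgt));
    }
}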
/**
 * Turn one host term of a filter expression into a "host"/"net" match fragment.
 *
 * @param string $value     raw term; may carry negation and a boolean operator
 * @param int    $position  index of the term; the boolean operator is only
 *                          prepended for terms after the first one
 * @return string "host <addr>" or "net <cidr>", optionally prefixed with the
 *                operator and "not ", or "" when the term is neither an
 *                address nor a subnet
 */
function fixup_host($value, $position)
{
    $host = strip_host_logic($value);
    $negate = has_not($value) ? "not " : "";

    $operator = "";
    if ($position > 0) {
        $operator = get_host_boolean($value, $host);
    }

    if (is_ipaddr($host)) {
        return "{$operator}host {$negate}{$host}";
    }
    if (is_subnet($host)) {
        return "{$operator}net {$negate}{$host}";
    }

    return "";
}
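/**
 * Validate the parameters of an "easy rule" pass request and, when they are
 * acceptable, add the rule through easyrule_pass_rule_add().
 *
 * All outcomes are reported as translated message strings; no exception is
 * thrown. Values echoed back in an error message are HTML-escaped.
 *
 * @param string     $int      friendly interface name, resolved with easyrule_find_rule_interface()
 * @param string     $proto    protocol name, checked with getprotobyname()
 * @param string     $src      source: address, subnet, alias or special network; surrounding [] are stripped
 * @param string     $dst      destination, same forms as $src
 * @param string|int $dstport  destination port or "any"; required for tcp/udp, forced to 0 for other protocols
 * @param string     $ipproto  address family handed to easyrule_pass_rule_add()
 * @return string translated status message
 */
function easyrule_parse_pass($int, $proto, $src, $dst, $dstport = 0, $ipproto = "inet")
{
    /* Check for valid int, srchost, dsthost, dstport, and proto */
    $protocols_with_ports = array('tcp', 'udp');
    $src = trim($src, "[]");
    $dst = trim($dst, "[]");

    if (empty($int) || empty($proto) || empty($src) || empty($dst)) {
        return gettext("Missing parameters for pass rule.");
    }

    // keep the caller's interface name so the error can show what was rejected
    // (the original overwrote $int with false before printing it)
    $interface = easyrule_find_rule_interface($int);
    if ($interface === false) {
        return gettext("Invalid interface for pass rule:") . ' ' . htmlspecialchars($int);
    }

    // getprotobyname() returns false for unknown protocols (older PHP returned -1);
    // `== -1` never matched false, so unknown names used to slip through
    $protonum = getprotobyname($proto);
    if ($protonum === false || $protonum === -1) {
        return gettext("Invalid protocol for pass rule:") . ' ' . htmlspecialchars($proto);
    }

    if (!is_ipaddr($src) && !is_subnet($src) && !is_ipaddroralias($src) && !is_specialnet($src)) {
        return gettext("Tried to pass invalid source IP:") . ' ' . htmlspecialchars($src);
    }
    if (!is_ipaddr($dst) && !is_subnet($dst) && !is_ipaddroralias($dst) && !is_specialnet($dst)) {
        return gettext("Tried to pass invalid destination IP:") . ' ' . htmlspecialchars($dst);
    }

    if (in_array($proto, $protocols_with_ports, true)) {
        if (empty($dstport)) {
            return gettext("Missing destination port:") . ' ' . htmlspecialchars($dstport);
        }
        if (!is_port($dstport) && $dstport != "any") {
            return gettext("Tried to pass invalid destination port:") . ' ' . htmlspecialchars($dstport);
        }
    } else {
        // a port makes no sense for protocols without ports
        $dstport = 0;
    }

    /* Should have valid input... */
    if (easyrule_pass_rule_add($interface, $proto, $src, $dst, $dstport, $ipproto)) {
        return gettext("Successfully added pass rule!");
    }
    return gettext("Failed to add pass rule.");
}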
} $new_targets[] = $tgt; } } if (!isset($id)) { $id = count($a_routes); } $oroute = $a_routes[$id]; if (!empty($oroute)) { $old_targets = array(); if (is_alias($oroute['network'])) { foreach (filter_expand_alias_array($oroute['network']) as $tgt) { if (is_ipaddr($tgt)) { $tgt .= "/32"; } if (!is_subnet($tgt)) { continue; } $old_targets[] = $tgt; } } else { $old_targets[] = $oroute['network']; } } $overlaps = array_intersect($current_targets, $new_targets); $overlaps = array_diff($overlaps, $old_targets); if (count($overlaps)) { $input_errors[] = gettext("A route to these destination networks already exists") . ": " . implode(", ", $overlaps); } if (!$input_errors) { $route = array();
} if ($_POST['target'] && !is_ipaddr($_POST['target']) && !is_subnet($_POST['target']) && !is_alias($_POST['target']) && !isset($_POST['nonat']) && !($_POST['target'] == "other-subnet")) { $input_errors[] = gettext("A valid target IP address must be specified."); } if ($_POST['target'] == "other-subnet") { if (!is_ipaddr($_POST['targetip'])) { $input_errors[] = gettext("A valid target IP must be specified when using the 'Other Subnet' type."); } if (!is_numericint($_POST['targetip_subnet'])) { $input_errors[] = gettext("A valid target bit count must be specified when using the 'Other Subnet' type."); } } /* Verify Pool Options */ $poolopts = ""; if ($_POST['poolopts']) { if (is_subnet($_POST['target']) || $_POST['target'] == "other-subnet") { $poolopts = $_POST['poolopts']; } elseif (is_alias($_POST['target'])) { if (substr($_POST['poolopts'], 0, 11) == "round-robin") { $poolopts = $_POST['poolopts']; } else { $input_errors[] = gettext("Only Round Robin pool options may be chosen when selecting an alias."); } } } /* if user has selected any as source, set it here */ if ($_POST['source_type'] == "any") { $osn = "any"; } else { if ($_POST['source_type'] == "(self)") { $osn = "(self)";
$impip = $implinea[0]; $impdesc = trim($implinea[1]); if (strlen($impdesc) < 200) { if (strpos($impdesc, "||") === false && substr($impdesc, 0, 1) != "|" && substr($impdesc, -1, 1) != "|") { $iprange_type = is_iprange($impip); if ($iprange_type == 4) { list($startip, $endip) = explode('-', $impip); $rangesubnets = ip_range_to_subnet_array($startip, $endip); $imported_ips = array_merge($imported_ips, $rangesubnets); $rangedescs = array_fill(0, count($rangesubnets), $impdesc); $imported_descs = array_merge($imported_descs, $rangedescs); } else { if ($iprange_type == 6) { $input_errors[] = sprintf(gettext('IPv6 address ranges are not supported (%s)'), $impip); } else { if (!is_ipaddr($impip) && !is_subnet($impip) && !is_hostname($impip) && !empty($impip)) { $input_errors[] = sprintf(gettext("%s is not an IP address. Please correct the error to continue"), $impip); } elseif (!empty($impip)) { $imported_ips[] = $impip; $imported_descs[] = $impdesc; } } } } else { if (!$desc_fmt_err_found) { $input_errors[] = gettext("Descriptions may not start or end with vertical bar (|) or contain double vertical bar ||."); $desc_fmt_err_found = true; } } } else { if (!$desc_len_err_found) {
if (!empty($_POST['tablename'])) { $tablename = $_POST['tablename']; } if (isset($_POST['act']) && $_POST['act'] == 'update_bogons') { try { configd_run("filter update bogons"); } catch (Exception $e) { $savemsg = gettext("The bogons database has NOT been updated."); } finally { $savemsg = gettext("The bogons database has been updated."); } echo $savemsg; exit; } elseif (isset($_POST['act']) && $_POST['act'] == 'delete') { // delete entry if ((is_ipaddr($_REQUEST['address']) || is_subnet($_REQUEST['address'])) && !empty($tablename)) { $delEntry = escapeshellarg($_REQUEST['address']); $delTable = escapeshellarg($tablename); configd_run("filter delete table {$delTable} {$delEntry}"); header("Location: diag_tables.php?tablename=" . $tablename); exit; } } elseif (isset($_POST['act']) && $_POST['act'] == 'flush') { $delTable = escapeshellarg($tablename); configd_run("filter delete table {$delTable} ALL"); header("Location: diag_tables.php?tablename=" . $tablename); exit; } } // fetch list of tables and content of selected table $tables = json_decode(configd_run("filter list tables json"));
?> </td> <td style="font-weight:bold;" align="right"> <?php echo gettext("Filter expression:"); ?> <input type="text" name="filter" class="formfld search" value="<?php echo htmlspecialchars($_GET['filter']); ?> " size="30" /> <input type="submit" class="formbtn" value="<?php echo gettext("Filter"); ?> " /> <?php if (is_ipaddr($_GET['filter']) || is_subnet($_GET['filter'])) { ?> <input type="submit" class="formbtn" name="killfilter" value="<?php echo gettext("Kill"); ?> " /> <?php } ?> <td> </tr> </table> </form> </td> </tr> <tr>
clear_subsystem_dirty('unbound'); } } else { if (!$deleting) { // input validation - only allow 50 entries in a single ACL for ($x = 0; $x < 50; $x++) { if (isset($pconfig["acl_network{$x}"])) { $networkacl[$x] = array(); $networkacl[$x]['acl_network'] = $pconfig["acl_network{$x}"]; $networkacl[$x]['mask'] = $pconfig["mask{$x}"]; $networkacl[$x]['description'] = $pconfig["description{$x}"]; if (!is_ipaddr($networkacl[$x]['acl_network'])) { $input_errors[] = gettext("You must enter a valid IP address for each row under Networks."); } if (is_ipaddr($networkacl[$x]['acl_network'])) { if (!is_subnet($networkacl[$x]['acl_network'] . "/" . $networkacl[$x]['mask'])) { $input_errors[] = gettext("You must enter a valid IPv4 netmask for each IPv4 row under Networks."); } } else { if (function_exists("is_ipaddrv6")) { if (!is_ipaddrv6($networkacl[$x]['acl_network'])) { $input_errors[] = gettext("You must enter a valid IPv6 address for {$networkacl[$x]['acl_network']}."); } else { if (!is_subnetv6($networkacl[$x]['acl_network'] . "/" . $networkacl[$x]['mask'])) { $input_errors[] = gettext("You must enter a valid IPv6 netmask for each IPv6 row under Networks."); } } } else { $input_errors[] = gettext("You must enter a valid IP address for each row under Networks."); } }
} } } else { // IP alias - host or network $iprange_type = is_iprange($impip); if ($iprange_type == 4) { list($startip, $endip) = explode('-', $impip); $rangesubnets = ip_range_to_subnet_array($startip, $endip); $imported_ips = array_merge($imported_ips, $rangesubnets); $rangedescs = array_fill(0, count($rangesubnets), $impdesc); $imported_descs = array_merge($imported_descs, $rangedescs); } else { if ($iprange_type == 6) { $input_errors[] = sprintf(gettext('IPv6 address ranges are not supported (%s)'), $impip); } else { $is_subnet = is_subnet($impip); if (!is_ipaddr($impip) && !$is_subnet && !is_hostname($impip) && !empty($impip)) { $input_errors[] = sprintf(gettext("%s is not an IP address. Please correct the error to continue"), $impip); } elseif (!empty($impip)) { if ($is_subnet) { $alias_type = "network"; } $imported_ips[] = $impip; $imported_descs[] = $impdesc; } } } } } else { if (!$desc_fmt_err_found) { $input_errors[] = gettext("Descriptions may not start or end with vertical bar (|) or contain double vertical bar ||.");
if (!(in_array($pconfig['source'], array("any", "(self)")) || is_ipaddroralias($pconfig['source']))) { $input_errors[] = gettext("A valid source must be specified."); } if (!empty($pconfig['source_subnet']) && !is_numericint($pconfig['source_subnet'])) { $input_errors[] = gettext("A valid source bit count must be specified."); } if (!(in_array($pconfig['destination'], array("any", "(self)")) || is_ipaddroralias($pconfig['destination']))) { $input_errors[] = gettext("A valid destination must be specified."); } if (!empty($pconfig['destination_subnet']) && !is_numericint($pconfig['destination_subnet'])) { $input_errors[] = gettext("A valid destination bit count must be specified."); } if ($pconfig['destination'] == "any" && !empty($pconfig['destination_not'])) { $input_errors[] = gettext("Negating destination address of \"any\" is invalid."); } if (!empty($pconfig['targetip']) && !is_ipaddr($pconfig['targetip']) && !is_subnet($pconfig['targetip']) && !is_alias($pconfig['targetip']) && empty($pconfig['nonat'])) { $input_errors[] = gettext("A valid target IP address must be specified."); } /* Verify Pool Options */ if (!empty($pconfig['targetip']) && !is_alias($pconfig['targetip']) && substr($pconfig['poolopts'], 0, 11) == "round-robin") { $input_errors[] = gettext("Only Round Robin pool options may be chosen when selecting an alias."); } if (count($input_errors) == 0) { $natent = array(); $natent['source'] = array(); $natent['destination'] = array(); $natent['descr'] = $pconfig['descr']; $natent['interface'] = $pconfig['interface']; $natent['poolopts'] = $pconfig['poolopts']; if (isset($a_out[$id]['created']) && is_array($a_out[$id]['created'])) { $natent['created'] = $a_out[$id]['created'];
if ("https" === $_POST['webguiproto']) { $reqdfields = array_merge($reqdfields, explode(" ", "certificate privatekey")); $reqdfieldsn = array_merge($reqdfieldsn, array(gettext("Certificate"), gettext("Private key"))); $reqdfieldst = array_merge($reqdfieldst, explode(" ", "certificate privatekey")); } if (!empty($_POST['webguiport'])) { $reqdfields = array_merge($reqdfields, array("webguiport")); $reqdfieldsn = array_merge($reqdfieldsn, array(gettext("Port"))); $reqdfieldst = array_merge($reqdfieldst, array("port")); } do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); do_input_validation_type($_POST, $reqdfields, $reqdfieldsn, $reqdfieldst, $input_errors); if (!empty($_POST['webguihostsallow'])) { foreach (explode(' ', $_POST['webguihostsallow']) as $a) { list($hp, $np) = explode('/', $a); if (!is_ipaddr($hp) || !empty($np) && !is_subnet($a)) { $input_errors[] = gettext("A valid IP address or CIDR notation must be specified for the hosts allow."); } } } if ($_POST['dns1'] && !is_ipv4addr($_POST['dns1']) || $_POST['dns2'] && !is_ipv4addr($_POST['dns2'])) { $input_errors[] = gettext("A valid IPv4 address must be specified for the primary/secondary DNS server."); } if ($_POST['ipv6dns1'] && !is_ipv6addr($_POST['ipv6dns1']) || $_POST['ipv6dns2'] && !is_ipv6addr($_POST['ipv6dns2'])) { $input_errors[] = gettext("A valid IPv6 address must be specified for the primary/secondary DNS server."); } if (isset($_POST['ntp_enable'])) { $t = (int) $_POST['ntp_updateinterval']; if ($t < 0 || $t > 0 && $t < 6 || $t > 1440) { $input_errors[] = gettext("The time update interval must be either between 6 and 1440."); }
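/**
 * Start a background tcpdump capture that writes to /root/packetcapture.cap.
 *
 * Any previous capture file is deleted first. Nothing is started when the
 * interface cannot be resolved.
 *
 * @param array $options capture settings: interface (friendly name, resolved
 *                       with get_real_interface()), promiscuous, snaplen,
 *                       count, fam ('ip' or 'ip6'), proto, host, port
 * @return void
 */
function start_capture($options)
{
    $cmd_opts = array();
    $filter_opts = array();

    $intf = get_real_interface($options['interface']);
    if (empty($intf)) {
        // the original only ran tcpdump when an interface resolved; bail out early instead
        return;
    }
    // the interface name is placed on a shell command line, quote it like every other argument
    $cmd_opts[] = '-i ' . escapeshellarg($intf);

    if (empty($options['promiscuous'])) {
        // disable promiscuous mode
        $cmd_opts[] = '-p';
    }
    if (!empty($options['snaplen']) && is_numeric($options['snaplen'])) {
        // setup Packet Length; cast so only a plain positive integer reaches the command line
        $snaplen = (int) $options['snaplen'];
        if ($snaplen > 0) {
            $cmd_opts[] = '-s ' . $snaplen;
        }
    }
    if (!empty($options['count']) && is_numeric($options['count'])) {
        // setup count, same integer-only treatment as snaplen
        $count = (int) $options['count'];
        if ($count > 0) {
            $cmd_opts[] = '-c ' . $count;
        }
    }
    if (!empty($options['fam']) && in_array($options['fam'], array('ip', 'ip6'), true)) {
        // filter address family
        $filter_opts[] = $options['fam'];
    }
    if (!empty($options['proto'])) {
        // filter protocol; free text, but it only ever travels inside the escaped filter argument
        $filter_opts[] = $options['proto'];
    }
    if (!empty($options['host'])) {
        // filter host argument: only and/or keywords and addresses/subnets are copied;
        // a bare "not" is not emitted itself, it negates the following host/net term
        $filter = '';
        $prev_token = '';
        foreach (explode(' ', $options['host']) as $token) {
            $word = trim($token);
            if (in_array($word, array('and', 'or'), true)) {
                $filter .= $token;
            } elseif (is_ipaddr($token)) {
                $filter .= "host " . $prev_token . " " . $token;
            } elseif (is_subnet($token)) {
                $filter .= "net " . $prev_token . " " . $token;
            }
            $prev_token = ($word == 'not') ? 'not' : '';
            $filter .= " ";
        }
        $filter_opts[] = "( " . $filter . " )";
    }
    if (!empty($options['port'])) {
        // filter port; "!" is the UI's spelling of negation
        $filter_opts[] = "port " . str_replace("!", "not ", $options['port']);
    }

    $cmd = '/usr/sbin/tcpdump ';
    $cmd .= implode(' ', $cmd_opts);
    $cmd .= ' -w /root/packetcapture.cap ';
    // the whole filter expression is one quoted argument, so user-supplied tokens cannot break out of it
    $cmd .= " " . escapeshellarg(implode(' and ', $filter_opts));

    // delete previous packet capture if it exists
    if (file_exists('/root/packetcapture.cap')) {
        unlink('/root/packetcapture.cap');
    }
    mwexec_bg($cmd);
}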
if (file_exists("{$temp_filename}/aliases")) { $file_contents = file_get_contents("{$temp_filename}/aliases"); $file_contents = str_replace("#", "\n#", $file_contents); $file_contents_split = explode("\n", $file_contents); foreach ($file_contents_split as $fc) { // Stop at 3000 items, aliases larger than that tend to break both pf and the WebGUI. if ($address_count >= 3000) { break; } $tmp = trim($fc); if (stristr($fc, "#")) { $tmp_split = explode("#", $tmp); $tmp = trim($tmp_split[0]); } $tmp = trim($tmp); if (!empty($tmp) && (is_ipaddr($tmp) || is_subnet($tmp))) { $address[] = $tmp; $isfirst = 1; $address_count++; } } if ($isfirst == 0) { /* nothing was found */ $input_errors[] = gettext("You must provide a valid URL. Could not fetch usable data."); $dont_update = true; break; } $alias['aliasurl'][] = $_POST['address' . $x]; mwexec("/bin/rm -rf {$temp_filename}"); } else { $input_errors[] = gettext("You must provide a valid URL.");
?> </div></td> <td><div id="twocolumn">CIDR</div></td> <td><div id="threecolumn"><?php echo gettext("Description"); ?> </div></td> </tr> <?php $counter = 0; if ($pconfig['address'] != "") { $addresses = explode(" ", $pconfig['address']); $details = explode("||", $pconfig['detail']); while ($counter < count($addresses)) { if (is_subnet($addresses[$counter])) { list($address, $address_subnet) = explode("/", $addresses[$counter]); } else { $address = $addresses[$counter]; $address_subnet = ""; } ?> <tr> <td> <input autocomplete="off" name="address<?php echo $counter; ?> " type="text" class="formfldalias ipv4v6" id="address<?php echo $counter; ?> " size="30" value="<?php
// Type selector: reuse the submitted type when present, otherwise default to the current tab
$section->addInput(new Form_Select('type', 'Type', isset($pconfig['type']) ? $pconfig['type'] : $tab, $types));
$form->add($section);

$section = new Form_Section($section_str[$tab]);
// Make somewhere to park the help text, and give it a class so we can update it later
// NOTE(review): $help[$tab] is emitted as raw HTML here — confirm $tab is restricted to known keys
$section->addInput(new Form_StaticText('Hint', '<span class="helptext">' . $help[$tab] . '</span>'));

// If no addresses have been defined, we'll make up a blank set
if ($pconfig['address'] == "") {
    $pconfig['address'] = '';
    $pconfig['address_subnet'] = '';
    $pconfig['detail'] = '';
}

// One repeatable row per space-separated address; descriptions are "||"-separated and paired by index
$counter = 0;
$addresses = explode(" ", $pconfig['address']);
$details = explode("||", $pconfig['detail']);
while ($counter < count($addresses)) {
    // "addr/mask" is only split for non-host types; a host entry is kept whole
    if ($pconfig['type'] != "host" && is_subnet($addresses[$counter])) {
        list($address, $address_subnet) = explode("/", $addresses[$counter]);
    } else {
        $address = $addresses[$counter];
        $address_subnet = "";
    }
    // only the first row carries the column label
    $group = new Form_Group($counter == 0 ? $label_str[$tab] : '');
    $group->addClass('repeatable');
    $group->add(new Form_IpAddress('address' . $counter, 'Address', $address))->addMask('address_subnet' . $counter, $address_subnet)->setWidth(4)->setPattern('[0-9, a-z, A-Z and .');
    // NOTE(review): $details[$counter] is read unchecked — fewer details than addresses raises an undefined-offset notice
    $group->add(new Form_Input('detail' . $counter, 'Description', 'text', $details[$counter]))->setWidth(4);
    $group->add(new Form_Button('deleterow' . $counter, 'Delete'))->removeClass('btn-primary')->addClass('btn-warning');
    $section->add($group);
    $counter++;
}

// "Add" button for the whole section, label depends on the tab
$form->addGlobal(new Form_Button('addrow', $btn_str[$tab]))->removeClass('btn-primary')->addClass('btn-success addbtn');
$form->add($section);
##|+PRIV ##|*IDENT=page-diagnostics-tables ##|*NAME=Diagnostics: PF Table IP addresses ##|*DESCR=Allow access to the 'Diagnostics: Tables' page. ##|*MATCH=diag_tables.php* ##|-PRIV $pgtitle = array(gettext("Diagnostics"), gettext("Tables")); $shortcut_section = "aliases"; require_once "guiconfig.inc"; // Set default table $tablename = "sshlockout"; if ($_REQUEST['type']) { $tablename = $_REQUEST['type']; } if ($_REQUEST['delete']) { if (is_ipaddr($_REQUEST['delete']) || is_subnet($_REQUEST['delete'])) { exec("/sbin/pfctl -t " . escapeshellarg($_REQUEST['type']) . " -T delete " . escapeshellarg($_REQUEST['delete']), $delete); echo htmlentities($_REQUEST['delete']); } exit; } if ($_REQUEST['deleteall']) { exec("/sbin/pfctl -t " . escapeshellarg($tablename) . " -T show", $entries); if (is_array($entries)) { foreach ($entries as $entryA) { $entry = trim($entryA); exec("/sbin/pfctl -t " . escapeshellarg($tablename) . " -T delete " . escapeshellarg($entry), $delete); } } } if (($tablename == "bogons" || $tablename == "bogonsv6") && $_POST['Download']) {
$tab_array[] = array(gettext("States"), true, "diag_dump_states.php"); if (isset($config['system']['lb_use_sticky'])) { $tab_array[] = array(gettext("Source Tracking"), false, "diag_dump_states_sources.php"); } $tab_array[] = array(gettext("Reset States"), false, "diag_resetstate.php"); display_top_tabs($tab_array); // Start of tab content $current_statecount = `pfctl -si | grep "current entries" | awk '{ print \$3 }'`; require_once 'classes/Form.class.php'; $form = new Form(false); $section = new Form_Section('State filter'); $section->addInput(new Form_Input('filter', 'Filter expression', 'text', $_POST['filter'], ['placeholder' => 'Simple filter such as 192.168, v6, icmp or ESTABLISHED'])); $filterbtn = new Form_Button('filterbtn', 'Filter', null); $filterbtn->removeClass('btn-primary')->addClass('btn-default btn-sm'); $section->addInput(new Form_StaticText('', $filterbtn)); if (isset($_POST['filter']) && (is_ipaddr($_POST['filter']) || is_subnet($_POST['filter']))) { $killbtn = new Form_Button('killfilter', 'Kill States'); $killbtn->removeClass('btn-primary')->addClass('btn-danger btn-sm'); $section->addInput(new Form_StaticText('Kill filtered states', $killbtn))->setHelp('Remove all states to and from the filtered address'); } $form->add($section); print $form; ?> <table class="table table-striped"> <thead> <tr> <th><?php echo gettext("Int"); ?> </th> <th><?php
} if ($do_tcpdump) { $matches = array(); if (in_array($fam, $fams)) { $matches[] = $fam; } if (in_array($proto, $protos)) { $matches[] = $proto; } if ($port != "") { $matches[] = "port " . $port; } if ($host != "") { if (is_ipaddr($host)) { $matches[] = "host " . $host; } elseif (is_subnet($host)) { $matches[] = "net " . $host; } } if ($count != "0") { $searchcount = "-c " . $count; } else { $searchcount = ""; } $selectedif = convert_friendly_interface_to_real_interface_name($selectedif); if ($action == gettext("Start")) { $matchstr = implode($matches, " and "); echo "<strong>" . gettext("Packet Capture is running.") . "</strong><br/>"; mwexec_bg("/usr/sbin/tcpdump -i {$selectedif} {$searchcount} -s {$packetlength} -w {$fp}{$fn} {$matchstr}"); // echo "/usr/sbin/tcpdump -i $selectedif $searchcount -s $packetlength -w $fp$fn $matchstr"; } else {