Commit 180d611a authored by Franco Fichtner's avatar Franco Fichtner

ipsec: move/merge into plugins

parent 9b694b70
......@@ -23,8 +23,6 @@
/usr/local/etc/inc/gwlb.inc
/usr/local/etc/inc/interfaces.inc
/usr/local/etc/inc/interfaces.lib.inc
/usr/local/etc/inc/ipsec.auth-user.php
/usr/local/etc/inc/ipsec.inc
/usr/local/etc/inc/legacy_bindings.inc
/usr/local/etc/inc/notices.basic_sasl_client.inc
/usr/local/etc/inc/notices.cram_md5_sasl_client.inc
......@@ -43,10 +41,11 @@
/usr/local/etc/inc/plugins.inc
/usr/local/etc/inc/plugins.inc.d/dnsmasq.inc
/usr/local/etc/inc/plugins.inc.d/if_group.inc
/usr/local/etc/inc/plugins.inc.d/if_ipsec.inc
/usr/local/etc/inc/plugins.inc.d/if_legacy_opt.inc
/usr/local/etc/inc/plugins.inc.d/if_openvpn.inc
/usr/local/etc/inc/plugins.inc.d/ipfw.inc
/usr/local/etc/inc/plugins.inc.d/ipsec.inc
/usr/local/etc/inc/plugins.inc.d/ipsec/auth-user.php
/usr/local/etc/inc/plugins.inc.d/netflow.inc
/usr/local/etc/inc/plugins.inc.d/ntpd.inc
/usr/local/etc/inc/plugins.inc.d/pf.inc
......
......@@ -1034,7 +1034,7 @@ function interfaces_configure($verbose = false)
if ($reload) {
system_routing_configure('', $verbose);
ipsec_configure($verbose);
ipsec_configure_do($verbose);
dnsmasq_configure_do($verbose);
unbound_configure_do($verbose);
services_dhcpd_configure('all', array(), $verbose);
......@@ -2769,7 +2769,7 @@ function interface_configure($interface = 'wan', $reloadall = false, $linkupeven
system_routing_configure($interface);
/* reload ipsec tunnels */
ipsec_configure();
ipsec_configure_do();
/* restart dns servers */
dnsmasq_configure_do();
......
<?php
/*
Copyright (C) 2016 Deciso B.V.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
function if_ipsec_syslog()
{
$logfacilities = array();
$logfacilities['ipsec'] = array(
'facility' => array('charon'),
'remote' => 'vpn',
);
return $logfacilities;
}
function if_ipsec_services()
{
global $config;
$services = array();
if (!empty($config['ipsec']['enable']) || !empty($config['ipsec']['client']['enable'])) {
$pconfig = array();
$pconfig['name'] = 'strongswan';
$pconfig['description'] = gettext('IPsec VPN');
$pconfig['pidfile'] = '/var/run/charon.pid';
$pconfig['configd'] = array(
'restart' => array('ipsec restart'),
'start' => array('ipsec start'),
'stop' => array('ipsec stop'),
);
$services[] = $pconfig;
}
return $services;
}
function if_ipsec_interfaces()
{
global $config;
$interfaces = array();
if (isset($config['ipsec']['phase1']) && isset($config['ipsec']['phase2'])) {
foreach ($config['ipsec']['phase1'] as $ph1ent) {
if (!empty($ph1ent['disabled'])) {
continue;
}
foreach ($config['ipsec']['phase2'] as $ph2ent) {
if (!empty($ph2ent['disabled']) || $ph1ent['ikeid'] != $ph2ent['ikeid']) {
continue;
}
if ((!empty($ph2ent['mobile']) && empty($config['ipsec']['client']['enable'])) ||
empty($config['ipsec']['enable'])) {
continue;
}
$oic = array('enable' => true);
$oic['if'] = 'enc0';
$oic['descr'] = 'IPsec';
$oic['type'] = 'none';
$oic['virtual'] = true;
$oic['networks'] = array();
$interfaces['enc0'] = $oic;
break 2;
}
}
}
return $interfaces;
}
function if_ipsec_xmlrpc_sync()
{
$result = array();
$result[] = array(
'description' => gettext('IPsec'),
'section' => 'ipsec',
'id' => 'ipsec',
);
return $result;
}
<?php
/*
Copyright (C) 2016 Deciso B.V.
Copyright (C) 2008 Shrew Soft Inc
Copyright (C) 2008 Ermal Luçi
Copyright (C) 2004-2007 Scott Ullrich
......@@ -98,6 +99,40 @@ $p2_protos = array(
'ah' => 'AH'
);
function ipsec_syslog()
{
$logfacilities = array();
$logfacilities['ipsec'] = array(
'facility' => array('charon'),
'remote' => 'vpn',
);
return $logfacilities;
}
function ipsec_services()
{
global $config;
$services = array();
if (!empty($config['ipsec']['enable']) || !empty($config['ipsec']['client']['enable'])) {
$pconfig = array();
$pconfig['name'] = 'strongswan';
$pconfig['description'] = gettext('IPsec VPN');
$pconfig['pidfile'] = '/var/run/charon.pid';
$pconfig['configd'] = array(
'restart' => array('ipsec restart'),
'start' => array('ipsec start'),
'stop' => array('ipsec stop'),
);
$services[] = $pconfig;
}
return $services;
}
$p2_pfskeygroups = array(
0 => 'off',
1 => '1 (768 bit)',
......@@ -110,6 +145,57 @@ $p2_pfskeygroups = array(
18 => '18 (8192 bit)'
);
function ipsec_interfaces()
{
global $config;
$interfaces = array();
if (isset($config['ipsec']['phase1']) && isset($config['ipsec']['phase2'])) {
foreach ($config['ipsec']['phase1'] as $ph1ent) {
if (!empty($ph1ent['disabled'])) {
continue;
}
foreach ($config['ipsec']['phase2'] as $ph2ent) {
if (!empty($ph2ent['disabled']) || $ph1ent['ikeid'] != $ph2ent['ikeid']) {
continue;
}
if ((!empty($ph2ent['mobile']) && empty($config['ipsec']['client']['enable'])) ||
empty($config['ipsec']['enable'])) {
continue;
}
$oic = array('enable' => true);
$oic['if'] = 'enc0';
$oic['descr'] = 'IPsec';
$oic['type'] = 'none';
$oic['virtual'] = true;
$oic['networks'] = array();
$interfaces['enc0'] = $oic;
break 2;
}
}
}
return $interfaces;
}
function ipsec_xmlrpc_sync()
{
$result = array();
$result[] = array(
'description' => gettext('IPsec'),
'section' => 'ipsec',
'id' => 'ipsec',
);
return $result;
}
/*
* Return phase1 local address
*/
......@@ -439,7 +525,7 @@ function ipsec_convert_to_modp($index)
return $convertion;
}
function ipsec_configure($verbose = false)
function ipsec_configure_do($verbose = false)
{
global $config, $p2_ealgos, $ipsec_loglevels;
......@@ -745,7 +831,7 @@ EOD;
}
if ($a_client['user_source'] != "none" && $disable_xauth == false) {
$strongswan .= "\t\txauth-generic {\n";
$strongswan .= "\t\t\tscript = /usr/local/etc/inc/ipsec.auth-user.php\n";
$strongswan .= "\t\t\tscript = /usr/local/etc/inc/plugins.inc.d/ipsec/auth-user.php\n";
$strongswan .= "\t\t\tauthcfg = ";
$firstsed = 0;
$authcfgs = explode(",", $a_client['user_source']);
......
......@@ -45,8 +45,8 @@
*/
require_once('dyndns.class');
require_once('plugins.inc.d/dnsmasq.inc');
require_once('ipsec.inc');
require_once('openvpn.inc');
require_once('plugins.inc.d/ipsec.inc');
require_once('openvpn.inc'); /* XXX move to plugin */
require_once('plugins.inc.d/unbound.inc');
function generate_ipv6_from_mac($mac)
......
......@@ -256,7 +256,7 @@ function restore_config_section_xmlrpc($new_config)
}
if (isset($old_config['ipsec']['enable']) !== isset($config['ipsec']['enable'])) {
ipsec_configure();
ipsec_configure_do();
}
unset($old_config);
......
......@@ -116,7 +116,7 @@ filter_configure_sync(true);
plugins_configure('bootup', true);
/* start IPsec tunnels */
$ipsec_dynamic_hosts = ipsec_configure(true);
$ipsec_dynamic_hosts = ipsec_configure_do(true);
enable_rrd_graphing(true);
system_powerd_configure(true);
......@@ -130,7 +130,7 @@ system_syslogd_start(true);
/* If there are ipsec dynamic hosts try again to reload the tunnels as rc.newipsecdns does */
if ($ipsec_dynamic_hosts) {
ipsec_configure(true);
ipsec_configure_do(true);
}
// generate configuration data for all installed templates
......
......@@ -32,7 +32,7 @@
require_once("util.inc");
require_once("config.inc");
require_once("filter.inc");
require_once('ipsec.inc');
require_once('plugins.inc.d/ipsec.inc');
require_once('auth.inc');
require_once("interfaces.inc");
......@@ -47,5 +47,5 @@ if (file_exists('/var/run/booting')) {
}
$ipseclck = lock('ipsecdns', LOCK_EX);
ipsec_configure();
ipsec_configure_do();
unlock($ipseclck);
......@@ -189,7 +189,7 @@ if (!is_ipaddr($oldip) || $curwanip != $oldip || !is_ipaddrv4($config['interface
/* reconfigure IPsec tunnels */
if (ipsec_configured_on_interface($interface)) {
ipsec_configure();
ipsec_configure_do();
}
/* start OpenVPN server & clients */
......
......@@ -123,7 +123,7 @@ if (is_ipaddrv6($oldipv6)) {
if (in_array($config['interfaces'][$interface]['ipaddrv6'], array('pppoe', 'pptp', 'ppp'))) {
/* reconfigure IPsec tunnels */
if (ipsec_configured_on_interface($interface)) {
ipsec_configure();
ipsec_configure_do();
}
/* start OpenVPN server & clients */
......@@ -147,7 +147,7 @@ services_dyndns_configure($interface);
/* reconfigure IPsec tunnels */
if (ipsec_configured_on_interface($interface)) {
ipsec_configure();
ipsec_configure_do();
}
/* start OpenVPN server & clients */
......
......@@ -28,7 +28,7 @@
*/
require_once("guiconfig.inc");
require_once("ipsec.inc");
require_once("plugins.inc.d/ipsec.inc");
require_once("services.inc");
require_once("interfaces.inc");
......
......@@ -29,7 +29,7 @@
*/
require_once("guiconfig.inc");
require_once("ipsec.inc");
require_once("plugins.inc.d/ipsec.inc");
require_once("services.inc");
require_once("interfaces.inc");
......
......@@ -29,7 +29,7 @@
*/
require_once("guiconfig.inc");
require_once("ipsec.inc");
require_once("plugins.inc.d/ipsec.inc");
require_once("services.inc");
require_once("interfaces.inc");
......
......@@ -30,7 +30,7 @@
require_once("guiconfig.inc");
require_once("filter.inc");
require_once("ipsec.inc");
require_once("plugins.inc.d/ipsec.inc");
require_once("services.inc");
require_once("interfaces.inc");
......@@ -77,7 +77,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$a_phase1 = &$config['ipsec']['phase1'];
$a_phase2 = &$config['ipsec']['phase2'];
if (isset($_POST['apply'])) {
ipsec_configure();
ipsec_configure_do();
filter_configure();
$savemsg = get_std_save_message();
clear_subsystem_dirty('ipsec');
......@@ -88,7 +88,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
unset($config['ipsec']['enable']);
}
write_config();
ipsec_configure();
ipsec_configure_do();
filter_configure();
clear_subsystem_dirty('ipsec');
header(url_safe('Location: /vpn_ipsec.php'));
......
......@@ -28,7 +28,7 @@
*/
require_once("guiconfig.inc");
require_once("ipsec.inc");
require_once("plugins.inc.d/ipsec.inc");
require_once("filter.inc");
require_once("services.inc");
require_once("interfaces.inc");
......@@ -55,7 +55,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
}
} elseif (isset($_POST['apply'])) {
// apply changes
ipsec_configure();
ipsec_configure_do();
filter_configure();
$savemsg = get_std_save_message();
clear_subsystem_dirty('ipsec');
......
......@@ -29,7 +29,7 @@
require_once("interfaces.inc");
require_once("guiconfig.inc");
require_once("ipsec.inc");
require_once("plugins.inc.d/ipsec.inc");
require_once("services.inc");
if (!isset($config['ipsec']) || !is_array($config['ipsec'])) {
......
......@@ -30,7 +30,7 @@
require_once("interfaces.inc");
require_once("guiconfig.inc");
require_once("filter.inc");
require_once("ipsec.inc");
require_once("plugins.inc.d/ipsec.inc");
require_once("services.inc");
if (!isset($config['ipsec']) || !is_array($config['ipsec'])) {
......@@ -88,7 +88,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
exit;
} elseif (isset($_POST['apply'])) {
// apply changes
ipsec_configure();
ipsec_configure_do();
$savemsg = get_std_save_message();
clear_subsystem_dirty('ipsec');
header(url_safe('Location: /vpn_ipsec_mobile.php?savemsg=%s', array($savemsg)));
......
......@@ -31,7 +31,7 @@
require_once("guiconfig.inc");
require_once("filter.inc");
require_once("ipsec.inc");
require_once("plugins.inc.d/ipsec.inc");
require_once("services.inc");
require_once("interfaces.inc");
......@@ -414,7 +414,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
}
/* if the remote gateway changed and the interface is not WAN then remove route */
/* the ipsec_configure() handles adding the route */
if ($pconfig['interface'] <> "wan") {
if ($old_ph1ent['remote-gateway'] <> $pconfig['remote-gateway']) {
mwexec("/sbin/route delete -host {$old_ph1ent['remote-gateway']}");
......
......@@ -30,7 +30,7 @@
require_once("guiconfig.inc");
require_once("interfaces.inc");
require_once("ipsec.inc");
require_once("plugins.inc.d/ipsec.inc");
require_once("services.inc");
/**
......
......@@ -29,7 +29,7 @@
require_once("guiconfig.inc");
require_once("filter.inc");
require_once("ipsec.inc");
require_once("plugins.inc.d/ipsec.inc");
require_once("services.inc");
require_once("interfaces.inc");
......@@ -83,7 +83,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
write_config();
$savemsg = get_std_save_message();
filter_configure();
ipsec_configure();
ipsec_configure_do();
}
$service_hook = 'ipsec';
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment