Skip to content

O
OpnSense
Commit a3a46bfe authored by Ad Schellevis's avatar Ad Schellevis
Browse files
Options

(legacy) cleanup vpn_ipsec_configure in vpn.inc and fix ikev1 non mobile multiple phase2

parent 4a439011
Show whitespace changes
Inline Side-by-side
Showing with 499 additions and 459 deletions
src/etc/inc/vpn.inc
View file @ a3a46bfe
......@@ -87,9 +87,9 @@ function vpn_ipsec_convert_to_modp($index)
return $convertion;
}
function vpn_ipsec_configure($ipchg = false)
function vpn_ipsec_configure()
{
global $config, $g, $sa, $sn, $p1_ealgos, $p2_ealgos;
global $config, $p2_ealgos;
/* get the automatic ping_hosts.sh ready */
@unlink('/var/db/ipsecpinghosts');
......@@ -102,6 +102,7 @@ function vpn_ipsec_configure($ipchg = false)
$a_phase1 = isset($config['ipsec']['phase1']) ? $config['ipsec']['phase1'] : array();
$a_phase2 = isset($config['ipsec']['phase2']) ? $config['ipsec']['phase2'] : array();
$a_client = isset($config['ipsec']['client']) ? $config['ipsec']['client'] : array();
$aggressive_psk = false ; // if one of the phase 1 entries has aggressive/psk combination, this will be set true
if (!isset($ipseccfg['enable'])) {
/* try to stop charon */
......@@ -146,7 +147,6 @@ function vpn_ipsec_configure($ipchg = false)
$ipmap = array();
$rgmap = array();
$filterdns_list = array();
unset($iflist);
if (is_array($a_phase1) && count($a_phase1)) {
$ipsecpinghosts = "";
......@@ -157,6 +157,9 @@ function vpn_ipsec_configure($ipchg = false)
$ikeid = $ph1ent['ikeid'];
if ($ph1ent['mode'] == "aggressive" && in_array($ph1ent['authentication_method'], array("pre_shared_key", "xauth_psk_server"))) {
$aggressive_psk = true;
}
$ep = ipsec_get_phase1_src($ph1ent);
if (!is_ipaddr($ep))
continue;
......@@ -199,7 +202,7 @@ function vpn_ipsec_configure($ipchg = false)
/* add an ipsec pinghosts entry */
if ($ph2ent['pinghost']) {
if (!is_array($iflist)) {
if (!isset($iflist) || !is_array($iflist)) {
$iflist = get_configured_interface_list();
}
$viplist = get_configured_vips_list();
......@@ -254,6 +257,12 @@ function vpn_ipsec_configure($ipchg = false)
}
unset($iflist);
$cnf_add_to_charon_section = "";
$cnf_add_to_charon_section .= $aggressive_psk ? "\ti_dont_care_about_security_and_use_aggressive_mode_psk=yes\n":"";
if (is_array($a_client) && isset($a_client['enable']) && isset($a_client['net_list'])) {
$cnf_add_to_charon_section .= "\tcisco_unity = yes\n";
}
$strongswan = <<<EOD
#Automatically generated please do not modify
......@@ -268,14 +277,10 @@ charon {
ikesa_table_size = 32
ikesa_table_segments = 4
init_limit_half_open = 1000;
# XXX: There is not much choice here really users win their security!
i_dont_care_about_security_and_use_aggressive_mode_psk=yes
{$cnf_add_to_charon_section}
# And two loggers using syslog. The subsections define the facility to log
# to, currently one of: daemon, auth.
syslog {
identifier = charon
# default level to the LOG_DAEMON facility
daemon {
......@@ -287,54 +292,50 @@ charon {
ike_name = yes
}
}
EOD;
if (is_array($a_client) && isset($a_client['enable']) && isset($a_client['net_list']))
$strongswan .= "\tcisco_unity = yes\n";
$strongswan .= "\tplugins {\n";
if (is_array($a_client) && isset($a_client['enable'])) {
$strongswan .= "\t\tattr {\n";
if ($a_client['pool_address'] && $a_client['pool_netbits'])
if ($a_client['pool_address'] && $a_client['pool_netbits']) {
$strongswan .= "\t\tsubnet = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
}
$cfgservers = array();
if (!empty($a_client['dns_server1']))
$cfgservers[] = $a_client['dns_server1'];
if (!empty($a_client['dns_server2']))
$cfgservers[] = $a_client['dns_server2'];
if (!empty($a_client['dns_server3']))
$cfgservers[] = $a_client['dns_server3'];
if (!empty($a_client['dns_server4']))
$cfgservers[] = $a_client['dns_server4'];
if (!empty($cfgservers))
foreach (array('dns_server1', 'dns_server2', 'dns_server3', 'dns_server4') as $dns_server) {
if (!empty($a_client[$dns_server])) {
$cfgservers[] = $a_client[$dns_server];
}
}
if (!empty($cfgservers)) {
$strongswan .= "\t\tdns = " . implode(",", $cfgservers) . "\n";
}
unset($cfgservers);
$cfgservers = array();
if (!empty($a_client['wins_server1']))
if (!empty($a_client['wins_server1'])) {
$cfgservers[] = $a_client['wins_server1'];
if (!empty($a_client['wins_server2']))
}
if (!empty($a_client['wins_server2'])) {
$cfgservers[] = $a_client['wins_server2'];
if (!empty($cfgservers))
}
if (!empty($cfgservers)) {
$strongswan .= "\t\tnbns = " . implode(",", $cfgservers) . "\n";
}
unset($cfgservers);
if (isset($a_client['net_list'])) {
$net_list = '';
foreach ($a_phase2 as $ph2ent) {
if (isset($ph2ent['disabled']))
if (isset($ph2ent['disabled'])) {
continue;
if (!isset($ph2ent['mobile']))
}
if (!isset($ph2ent['mobile'])) {
continue;
}
$localid = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
if (!empty($net_list))
if (!empty($net_list)) {
$net_list .= ",";
}
$net_list .= $localid;
}
......@@ -347,8 +348,9 @@ EOD;
if (!empty($a_client['dns_domain'])) {
$strongswan .= "\t\t# Search domain and default domain\n";
$strongswan .= "\t\t28674 = {$a_client['dns_domain']}\n";
if (empty($a_client['dns_split']))
if (empty($a_client['dns_split'])) {
$strongswan .= "\t\t28675 = {$a_client['dns_domain']}";
}
$strongswan .= "\n";
}
......@@ -356,14 +358,17 @@ EOD;
$strongswan .= "\t\t28675 = {$a_client['dns_split']}\n";
}
if (!empty($a_client['login_banner']))
if (!empty($a_client['login_banner'])) {
$strongswan .= "\t\t28672 = {$a_client['login_banner']}\n";
}
if (isset($a_client['save_passwd']))
if (isset($a_client['save_passwd'])) {
$strongswan .= "\t\t28673 = yes\n";
}
if ($a_client['pfs_group'])
if (!empty($a_client['pfs_group'])) {
$strongswan .= "\t\t28679 = {$a_client['pfs_group']}\n";
}
$strongswan .= "\t\t}\n";
if ($a_client['user_source'] != "none") {
......@@ -373,10 +378,12 @@ EOD;
$firstsed = 0;
$authcfgs = explode(",", $a_client['user_source']);
foreach ($authcfgs as $authcfg) {
if ($firstsed > 0)
if ($firstsed > 0) {
$strongswan .= ",";
if ($authcfg == "system")
}
if ($authcfg == "system") {
$authcfg = "Local Database";
}
$strongswan .= $authcfg;
$firstsed = 1;
}
......@@ -415,17 +422,16 @@ EOD;
if (is_array($a_phase1) && count($a_phase1)) {
foreach ($a_phase1 as $ph1ent) {
if (isset($ph1ent['disabled']))
if (isset($ph1ent['disabled'])) {
continue;
}
if (strpos($ph1ent['authentication_method'], 'rsa') || $ph1ent['authentication_method'] == 'eap-tls') {
$certline = '';
$ikeid = $ph1ent['ikeid'];
$cert = lookup_cert($ph1ent['certref']);
if (!$cert) {
if (empty($cert)) {
log_error(sprintf(gettext("Error: Invalid phase1 certificate reference for %s"), $ph1ent['name']));
continue;
}
......@@ -458,14 +464,15 @@ EOD;
$myid = isset($ph1ent['mobile']) ? trim($myid_data) . " " : "";
$peerid = ($peerid_data != "allusers") ? trim($peerid_data) : "";
if (!empty($ph1ent['pre-shared-key']))
if (!empty($ph1ent['pre-shared-key'])) {
$pskconf .= $myid . $peerid . " : PSK \"" . trim($ph1ent['pre-shared-key']) . "\"\n";
}
}
}
}
/* Add user PSKs */
if (is_array($config['system']) && is_array($config['system']['user'])) {
if (isset($config['system']['user']) && is_array($config['system']['user'])) {
foreach ($config['system']['user'] as $user) {
if (!empty($user['ipsecpsk'])) {
$pskconf .= "{$user['name']} : PSK \"{$user['ipsecpsk']}\"\n";
......@@ -477,8 +484,9 @@ EOD;
/* add PSKs for mobile clients */
if (isset($ipseccfg['mobilekey'])) {
foreach ($ipseccfg['mobilekey'] as $key) {
if ($key['ident'] == "allusers")
if ($key['ident'] == "allusers") {
$key['ident'] = '';
}
$pskconf .= "{$key['ident']} : PSK \"{$key['pre-shared-key']}\"\n";
}
unset($key);
......@@ -492,23 +500,25 @@ EOD;
/* begin ipsec.conf */
$ipsecconf = "";
if (is_array($a_phase1) && count($a_phase1)) {
$ipsecconf .= "# This file is automatically generated. Do not edit\n";
$ipsecconf .= "config setup\n\tuniqueids = yes\n";
$ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n";
foreach ($a_phase1 as $ph1ent) {
if (isset($ph1ent['disabled']))
if (isset($ph1ent['disabled'])) {
continue;
}
if ($ph1ent['mode'] == "aggressive")
if ($ph1ent['mode'] == "aggressive") {
$aggressive = "yes";
else
} else {
$aggressive = "no";
}
$ep = ipsec_get_phase1_src($ph1ent);
if (!$ep)
if (empty($ep)) {
continue;
}
$ikeid = $ph1ent['ikeid'];
$keyexchange = "ikev1";
......@@ -516,65 +526,72 @@ EOD;
if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1") {
$keyexchange = "ikev2";
//$passive = "start";
} else
} else {
$passive = "route";
}
if (isset($ph1ent['mobile'])) {
$right_spec = "%any";
$passive = 'add';
} else
} else {
$right_spec = $ph1ent['remote-gateway'];
}
list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, "peer", $rgmap);
/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
$peerid_spec = '';
if (!isset($ph1ent['mobile']))
if (!isset($ph1ent['mobile'])) {
$peerid_spec = $peerid_data;
}
if (!empty($ph1ent['encryption-algorithm']['name']) && !empty($ph1ent['hash-algorithm'])) {
$ealgosp1 = '';
$ealg_id = $ph1ent['encryption-algorithm']['name'];
if (isset($ph1ent['encryption-algorithm']['keylen'])){
$ealgosp1 = "ike = {$ealg_id}{$ph1ent['encryption-algorithm']['keylen']}-{$ph1ent['hash-algorithm']}";
} else {
$ealgosp1 = "ike = {$ealg_id}-{$ph1ent['hash-algorithm']}";
}
$modp = vpn_ipsec_convert_to_modp($ph1ent['dhgroup']);
if (!empty($modp))
if (!empty($modp)) {
$ealgosp1 .= "-{$modp}";
}
$ealgosp1 .= "!";
}
if ($ph1ent['dpd_delay'] && $ph1ent['dpd_maxfail']) {
if ($passive == "route")
if (!empty($ph1ent['dpd_delay']) && !empty($ph1ent['dpd_maxfail'])) {
if ($passive == "route") {
$dpdline = "dpdaction = restart";
else
} else {
$dpdline = "dpdaction = clear";
}
$dpdline .= "\n\tdpddelay = {$ph1ent['dpd_delay']}s";
$dpdtimeout = $ph1ent['dpd_delay'] * ($ph1ent['dpd_maxfail'] + 1);
$dpdline .= "\n\tdpdtimeout = {$dpdtimeout}s";
} else
} else {
$dpdline = "dpdaction = none";
}
$ikelifeline = '';
if ($ph1ent['lifetime'])
if (!empty($ph1ent['lifetime'])) {
$ikelifeline = "ikelifetime = {$ph1ent['lifetime']}s";
} else {
$ikelifeline = '';
}
$rightsourceip = NULL;
if (!empty($a_client['pool_address']))
if (!empty($a_client['pool_address'])) {
$rightsourceip = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
}
$authentication = "";
switch ($ph1ent['authentication_method']) {
case 'eap-tls':
$authentication = "leftauth=eap-tls\n\trightauth=eap-tls";
if (!empty($ph1ent['certref']))
if (!empty($ph1ent['certref'])) {
$authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
}
break;
case 'xauth_rsa_server':
$authentication = "leftauth = pubkey\n\trightauth = pubkey";
......@@ -595,37 +612,38 @@ EOD;
$authentication .= "\n\trightauth2 = xauth";
break;
}
$left_spec = $ep;
if (isset($ph1ent['reauth_enable']))
if (isset($ph1ent['reauth_enable'])) {
$reauth = "reauth = no";
else
} else {
$reauth = "reauth = yes";
if (isset($ph1ent['rekey_enable']))
}
if (isset($ph1ent['rekey_enable'])) {
$rekey = "rekey = no";
else
} else {
$rekey = "rekey = yes";
}
$ipseclifetime = 0;
$rightsubnet_spec = array();
$leftsubnet_spec = array();
$ealgoAHsp2arr = array();
$ealgoESPsp2arr = array();
if (is_array($a_phase2) && count($a_phase2)) {
foreach ($a_phase2 as $ph2ent) {
if ($ikeid != $ph2ent['ikeid'])
continue;
if (isset($ph2ent['disabled']))
if ($ikeid != $ph2ent['ikeid'] || isset($ph2ent['disabled'])) {
continue;
if (isset($ph2ent['mobile']) && !isset($a_client['enable']))
}
if (isset($ph2ent['mobile']) && !isset($a_client['enable'])){
continue;
}
if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
$tunneltype = "type = tunnel";
$localid_type = $ph2ent['localid']['type'];
$leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
/* Do not print localid in some cases, such as a pure-psk or psk/xauth single phase2 mobile tunnel */
......@@ -654,39 +672,31 @@ EOD;
}
}
if (empty($leftsubnet_spec[$leftsubnet_data]))
$leftsubnet_spec[$leftsubnet_data] = $leftsubnet_data;
$leftsubnet_spec[] = $leftsubnet_data;
if (!isset($ph2ent['mobile'])) {
$tmpsubnet = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
if (empty($rightsubnet_spec[$tmpsubnet]))
$rightsubnet_spec[$tmpsubnet] = $tmpsubnet;
$rightsubnet_spec[] = $tmpsubnet;
} else if (!empty($a_client['pool_address'])) {
if (empty($rightsubnet_spec["{$a_client['pool_address']}/{$a_client['pool_netbits']}"]))
$rightsubnet_spec["{$a_client['pool_address']}/{$a_client['pool_netbits']}"] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
$rightsubnet_spec[] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
}
} else {
$tunneltype = "type = transport";
if ((($ph1ent['authentication_method'] == "xauth_psk_server") ||
($ph1ent['authentication_method'] == "pre_shared_key")) && isset($ph1ent['mobile'])) {
$left_spec = "%any";
} else {
$tmpsubnet = ipsec_get_phase1_src($ph1ent);
if ($leftsubnet_spec[$tmpsubnet])
$leftsubnet_spec[$tmpsubnet] = $tmpsubnet;
$leftsubnet_spec[] = $tmpsubnet;
}
if (!isset($ph2ent['mobile'])) {
if (empty($rightsubnet_spec[$right_spec]))
$rightsubnet_spec[$right_spec] = $right_spec;
$rightsubnet_spec[] = $right_spec;
}
}
if (isset($a_client['pfs_group']))
if (isset($a_client['pfs_group'])) {
$ph2ent['pfsgroup'] = $a_client['pfs_group'];
if ($ph2ent['protocol'] == 'esp') {
}
if (isset($ph2ent['protocol']) && $ph2ent['protocol'] == 'esp') {
if (is_array($ph2ent['encryption-algorithm-option'])) {
foreach ($ph2ent['encryption-algorithm-option'] as $ealg) {
$ealg_id = $ealg['name'];
......@@ -696,7 +706,6 @@ EOD;
$ealg_kl = null;
}
if (!empty($ealg_kl) && $ealg_kl == "auto") {
$key_hi = $p2_ealgos[$ealg_id]['keysel']['hi'];
$key_lo = $p2_ealgos[$ealg_id]['keysel']['lo'];
......@@ -711,15 +720,17 @@ EOD;
$halgo = str_replace('hmac_', '', $halgo);
$tmpealgo = "{$ealg_id}{$keylen}-{$halgo}";
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp))
if (!empty($modp)) {
$tmpealgo .= "-{$modp}";
}
$ealgoESPsp2arr[] = $tmpealgo;
}
} else {
$tmpealgo = "{$ealg_id}{$keylen}";
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp))
if (!empty($modp)) {
$tmpealgo .= "-{$modp}";
}
$ealgoESPsp2arr[] = $tmpealgo;
}
}
......@@ -730,43 +741,46 @@ EOD;
$halgo = str_replace('hmac_', '', $halgo);
$tmpealgo = "{$ealg_id}{$ealg_kl}-{$halgo}";
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp))
if (!empty($modp)) {
$tmpealgo .= "-{$modp}";
}
$ealgoESPsp2arr[] = $tmpealgo;
}
} else {
$tmpealgo = "{$ealg_id}{$ealg_kl}";
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
if (!empty($modp))
if (!empty($modp)) {
$tmpealgo .= "-{$modp}";
}
$ealgoESPsp2arr[] = $tmpealgo;
}
}
}
}
} else if ($ph2ent['protocol'] == 'ah') {
} else if (isset($ph2ent['protocol']) && $ph2ent['protocol'] == 'ah') {
if (!empty($ph2ent['hash-algorithm-option']) && is_array($ph2ent['hash-algorithm-option'])) {
$modp = vpn_ipsec_convert_to_modp($ph2ent['pfsgroup']);
foreach ($ph2ent['hash-algorithm-option'] as $tmpAHalgo) {
$tmpAHalgo = str_replace('hmac_', '', $tmpAHalgo);
if (!empty($modp))
if (!empty($modp)) {
$tmpAHalgo = "-{$modp}";
}
$ealgoAHsp2arr[] = $tmpAHalgo;
}
}
}
if (!empty($ph2ent['lifetime'])) {
if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime']))
if ($ipseclifetime == 0 || intval($ipseclifetime) > intval($ph2ent['lifetime'])) {
$ipseclifetime = intval($ph2ent['lifetime']);
}
}
}
}
$ipsecconf .=<<<EOD
$connEntry =<<<EOD
conn con{$ph1ent['ikeid']}
conn con<<connectionId>>
aggressive = {$aggressive}
fragmentation = yes
keyexchange = {$keyexchange}
......@@ -780,34 +794,57 @@ conn con{$ph1ent['ikeid']}
left = {$left_spec}
right = {$right_spec}
leftid = {$myid_data}
{$ikelifeline}
EOD;
if (!empty($ikelifeline))
$ipsecconf .= "\t{$ikelifeline}\n";
if ($ipseclifetime > 0)
$ipsecconf .= "\tlifetime = {$ipseclifetime}s\n";
if (!empty($rightsourceip))
$ipsecconf .= "{$rightsourceip}";
if (!empty($rightsubnet_spec))
$ipsecconf .= "\trightsubnet = " . join(",", $rightsubnet_spec) . "\n";
if (!empty($leftsubnet_spec))
$ipsecconf .= "\tleftsubnet = " . join(",", $leftsubnet_spec) . "\n";
if (!empty($ealgosp1))
$ipsecconf .= "\t{$ealgosp1}\n";
if (!empty($ealgoAHsp2arr))
$ipsecconf .= "\tah = " . join(',', $ealgoAHsp2arr) . "!\n";
if ($ipseclifetime > 0) {
$connEntry .= "\tlifetime = {$ipseclifetime}s\n";
}
if (!empty($rightsourceip)) {
$connEntry .= "{$rightsourceip}";
}
if (!empty($ealgosp1)) {
$connEntry .= "\t{$ealgosp1}\n";
}
if (!empty($ealgoAHsp2arr)) {
$connEntry .= "\tah = " . join(',', $ealgoAHsp2arr) . "!\n";
}
if (!empty($ealgoESPsp2arr)) {
$ipsecconf .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n";
$connEntry .= "\tesp = " . join(',', $ealgoESPsp2arr) . "!\n";
}
if (!empty($authentication)) {
$connEntry .= "\t{$authentication}\n";
}
if (!empty($peerid_spec)) {
$connEntry .= "\trightid = {$peerid_spec}\n";
}
// append ipsec connections
if (!isset($ph1ent['mobile']) && $keyexchange == 'ikev1') {
// ikev1 not mobile
for ($idx = 0 ; $idx < count($leftsubnet_spec) ; ++$idx) {
$tmpconf = str_replace('<<connectionId>>', "{$ph1ent['ikeid']}-00{$idx}", $connEntry);
$tmpconf .= "\trightsubnet =" . $rightsubnet_spec[$idx]. "\n" ;
$tmpconf .= "\tleftsubnet = " . $leftsubnet_spec[$idx] . "\n";
$ipsecconf .= $tmpconf;
}
} else {
// mobile and ikev2
$tmpconf = str_replace('<<connectionId>>', "{$ph1ent['ikeid']}-00{$idx}", $connEntry);
if (!empty($rightsubnet_spec)) {
$tmpconf .= "\trightsubnet = " . join(",", $rightsubnet_spec) . "\n";
}
if (!empty($authentication))
$ipsecconf .= "\t{$authentication}\n";
if (!empty($peerid_spec))
$ipsecconf .= "\trightid = {$peerid_spec}\n";
if (!empty($leftsubnet_spec)) {
$tmpconf .= "\tleftsubnet = " . join(",", $leftsubnet_spec) . "\n";
}
$ipsecconf .= $tmpconf;
}
}
@file_put_contents("/usr/local/etc/ipsec.conf", $ipsecconf);
}
}
// dump file, replace tabs for 2 spaces
@file_put_contents("/usr/local/etc/ipsec.conf", str_replace("\t",' ', $ipsecconf));
unset($ipsecconf);
/* end ipsec.conf */
......@@ -828,13 +865,15 @@ EOD;
/* start filterdns, if necessary */
if (count($filterdns_list) > 0) {
$interval = 60;
if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval']))
if (!empty($ipseccfg['dns-interval']) && is_numeric($ipseccfg['dns-interval'])) {
$interval = $ipseccfg['dns-interval'];
}
$hostnames = "";
array_unique($filterdns_list);
foreach ($filterdns_list as $hostname)
foreach ($filterdns_list as $hostname) {
$hostnames .= "cmd {$hostname} '/usr/local/opnsense/service/configd_ctl.py ipsecdns reload'\n";
}
file_put_contents("/usr/local/etc/filterdns-ipsec.hosts", $hostnames);
unset($hostnames);
......@@ -847,8 +886,9 @@ EOD;
killbypid('/var/run/filterdns-ipsec.pid');
}
if (file_exists("/var/run/booting"))
if (file_exists("/var/run/booting")) {
echo "done\n";
}
return count($filterdns_list);
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

Technounit-GROUP 2023