Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
O
OpnSense
Project
Project
Details
Activity
Releases
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Kulya
OpnSense
Commits
a9935f8a
Commit
a9935f8a
authored
Jul 23, 2015
by
Ad Schellevis
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
(legacy) cleanup, move content of ipsec.attributes.php into ipsec.auth-user.php
parent
4075a285
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
158 additions
and
185 deletions
+158
-185
ipsec.attributes.php
src/etc/inc/ipsec.attributes.php
+0
-184
ipsec.auth-user.php
src/etc/inc/ipsec.auth-user.php
+158
-1
No files found.
src/etc/inc/ipsec.attributes.php
deleted
100644 → 0
View file @
4075a285
<?php
/*
Copyright (C) 2011-2012 Ermal Luçi
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
require_once
(
"util.inc"
);
if
(
empty
(
$common_name
))
{
$common_name
=
getenv
(
"common_name"
);
if
(
empty
(
$common_name
))
$common_name
=
getenv
(
"username"
);
}
function
cisco_to_cidr
(
$addr
)
{
if
(
!
is_ipaddr
(
$addr
))
return
0
;
$mask
=
decbin
(
~
ip2long
(
$addr
));
$mask
=
substr
(
$mask
,
-
32
);
$k
=
0
;
for
(
$i
=
0
;
$i
<=
32
;
$i
++
)
{
$k
+=
intval
(
$mask
[
$i
]);
}
return
$k
;
}
function
cisco_extract_index
(
$prule
)
{
$index
=
explode
(
"#"
,
$prule
);
if
(
is_numeric
(
$index
[
1
]))
return
intval
(
$index
[
1
]);
else
syslog
(
LOG_WARNING
,
"Error parsing rule
{
$prule
}
: Could not extract index"
);
return
-
1
;;
}
function
parse_cisco_acl
(
$attribs
)
{
global
$attributes
;
if
(
!
is_array
(
$attribs
))
return
""
;
$devname
=
"enc0"
;
$finalrules
=
""
;
if
(
is_array
(
$attribs
[
'ciscoavpair'
]))
{
$inrules
=
array
();
$outrules
=
array
();
foreach
(
$attribs
[
'ciscoavpair'
]
as
$avrules
)
{
$rule
=
explode
(
"="
,
$avrules
);
$dir
=
""
;
if
(
strstr
(
$rule
[
0
],
"inacl"
))
{
$dir
=
"in"
;
}
else
if
(
strstr
(
$rule
[
0
],
"outacl"
))
$dir
=
"out"
;
else
if
(
strstr
(
$rule
[
0
],
"dns-servers"
))
{
$attributes
[
'dns-servers'
]
=
explode
(
" "
,
$rule
[
1
]);
continue
;
}
else
if
(
strstr
(
$rule
[
0
],
"route"
))
{
if
(
!
is_array
(
$attributes
[
'routes'
]))
$attributes
[
'routes'
]
=
array
();
$attributes
[
'routes'
][]
=
$rule
[
1
];
continue
;
}
$rindex
=
cisco_extract_index
(
$rule
[
0
]);
if
(
$rindex
<
0
)
continue
;
$rule
=
$rule
[
1
];
$rule
=
explode
(
" "
,
$rule
);
$tmprule
=
""
;
$index
=
0
;
$isblock
=
false
;
if
(
$rule
[
$index
]
==
"permit"
)
$tmprule
=
"pass
{
$dir
}
quick on
{
$devname
}
"
;
else
if
(
$rule
[
$index
]
==
"deny"
)
{
//continue;
$isblock
=
true
;
$tmprule
=
"block
{
$dir
}
quick on
{
$devname
}
"
;
}
else
{
continue
;
}
$index
++
;
switch
(
$rule
[
$index
])
{
case
"tcp"
:
case
"udp"
:
$tmprule
.=
"proto
{
$rule
[
$index
]
}
"
;
break
;
}
$index
++
;
/* Source */
if
(
trim
(
$rule
[
$index
])
==
"host"
)
{
$index
++
;
$tmprule
.=
"from
{
$rule
[
$index
]
}
"
;
$index
++
;
if
(
$isblock
==
true
)
$isblock
=
false
;
}
else
if
(
trim
(
$rule
[
$index
])
==
"any"
)
{
$tmprule
.=
"from any"
;
$index
++
;
}
else
{
$tmprule
.=
"from
{
$rule
[
$index
]
}
"
;
$index
++
;
$netmask
=
cisco_to_cidr
(
$rule
[
$index
]);
$tmprule
.=
"/
{
$netmask
}
"
;
$index
++
;
if
(
$isblock
==
true
)
$isblock
=
false
;
}
/* Destination */
if
(
trim
(
$rule
[
$index
])
==
"host"
)
{
$index
++
;
$tmprule
.=
"to
{
$rule
[
$index
]
}
"
;
$index
++
;
if
(
$isblock
==
true
)
$isblock
=
false
;
}
else
if
(
trim
(
$rule
[
$index
])
==
"any"
)
{
$index
++
;
$tmprule
.=
"to any"
;
}
else
{
$tmprule
.=
"to
{
$rule
[
$index
]
}
"
;
$index
++
;
$netmask
=
cisco_to_cidr
(
$rule
[
$index
]);
$tmprule
.=
"/
{
$netmask
}
"
;
$index
++
;
if
(
$isblock
==
true
)
$isblock
=
false
;
}
if
(
$isblock
==
true
)
continue
;
if
(
$dir
==
"in"
)
$inrules
[
$rindex
]
=
$tmprule
;
else
if
(
$dir
==
"out"
)
$outrules
[
$rindex
]
=
$tmprule
;
}
$state
=
""
;
if
(
!
empty
(
$outrules
))
$state
=
"no state"
;
ksort
(
$inrules
,
SORT_NUMERIC
);
foreach
(
$inrules
as
$inrule
)
$finalrules
.=
"
{
$inrule
}
{
$state
}
\n
"
;
if
(
!
empty
(
$outrules
))
{
ksort
(
$outrules
,
SORT_NUMERIC
);
foreach
(
$outrules
as
$outrule
)
$finalrules
.=
"
{
$outrule
}
{
$state
}
\n
"
;
}
}
return
$finalrules
;
}
$rules
=
parse_cisco_acl
(
$attributes
);
if
(
!
empty
(
$rules
))
{
$pid
=
getmypid
();
@
file_put_contents
(
"/tmp/ipsec_
{
$pid
}{
$common_name
}
.rules"
,
$rules
);
mwexec
(
"/sbin/pfctl -a "
.
escapeshellarg
(
"ipsec/
{
$common_name
}
"
)
.
" -f /tmp/ipsec_
{
$pid
}
"
.
escapeshellarg
(
$common_name
)
.
".rules"
);
@
unlink
(
"/tmp/ipsec_
{
$pid
}{
$common_name
}
.rules"
);
}
src/etc/inc/ipsec.auth-user.php
View file @
a9935f8a
...
...
@@ -38,6 +38,150 @@ require_once("config.inc");
require_once
(
"radius.inc"
);
require_once
(
"auth.inc"
);
require_once
(
"interfaces.inc"
);
require_once
(
"util.inc"
);
function
cisco_to_cidr
(
$addr
)
{
if
(
!
is_ipaddr
(
$addr
))
return
0
;
$mask
=
decbin
(
~
ip2long
(
$addr
));
$mask
=
substr
(
$mask
,
-
32
);
$k
=
0
;
for
(
$i
=
0
;
$i
<=
32
;
$i
++
)
{
$k
+=
intval
(
$mask
[
$i
]);
}
return
$k
;
}
function
cisco_extract_index
(
$prule
)
{
$index
=
explode
(
"#"
,
$prule
);
if
(
is_numeric
(
$index
[
1
]))
return
intval
(
$index
[
1
]);
else
syslog
(
LOG_WARNING
,
"Error parsing rule
{
$prule
}
: Could not extract index"
);
return
-
1
;;
}
function
parse_cisco_acl
(
$attribs
)
{
global
$attributes
;
if
(
!
is_array
(
$attribs
))
return
""
;
$devname
=
"enc0"
;
$finalrules
=
""
;
if
(
is_array
(
$attribs
[
'ciscoavpair'
]))
{
$inrules
=
array
();
$outrules
=
array
();
foreach
(
$attribs
[
'ciscoavpair'
]
as
$avrules
)
{
$rule
=
explode
(
"="
,
$avrules
);
$dir
=
""
;
if
(
strstr
(
$rule
[
0
],
"inacl"
))
{
$dir
=
"in"
;
}
else
if
(
strstr
(
$rule
[
0
],
"outacl"
))
$dir
=
"out"
;
else
if
(
strstr
(
$rule
[
0
],
"dns-servers"
))
{
$attributes
[
'dns-servers'
]
=
explode
(
" "
,
$rule
[
1
]);
continue
;
}
else
if
(
strstr
(
$rule
[
0
],
"route"
))
{
if
(
!
is_array
(
$attributes
[
'routes'
]))
$attributes
[
'routes'
]
=
array
();
$attributes
[
'routes'
][]
=
$rule
[
1
];
continue
;
}
$rindex
=
cisco_extract_index
(
$rule
[
0
]);
if
(
$rindex
<
0
)
continue
;
$rule
=
$rule
[
1
];
$rule
=
explode
(
" "
,
$rule
);
$tmprule
=
""
;
$index
=
0
;
$isblock
=
false
;
if
(
$rule
[
$index
]
==
"permit"
)
$tmprule
=
"pass
{
$dir
}
quick on
{
$devname
}
"
;
else
if
(
$rule
[
$index
]
==
"deny"
)
{
//continue;
$isblock
=
true
;
$tmprule
=
"block
{
$dir
}
quick on
{
$devname
}
"
;
}
else
{
continue
;
}
$index
++
;
switch
(
$rule
[
$index
])
{
case
"tcp"
:
case
"udp"
:
$tmprule
.=
"proto
{
$rule
[
$index
]
}
"
;
break
;
}
$index
++
;
/* Source */
if
(
trim
(
$rule
[
$index
])
==
"host"
)
{
$index
++
;
$tmprule
.=
"from
{
$rule
[
$index
]
}
"
;
$index
++
;
if
(
$isblock
==
true
)
$isblock
=
false
;
}
else
if
(
trim
(
$rule
[
$index
])
==
"any"
)
{
$tmprule
.=
"from any"
;
$index
++
;
}
else
{
$tmprule
.=
"from
{
$rule
[
$index
]
}
"
;
$index
++
;
$netmask
=
cisco_to_cidr
(
$rule
[
$index
]);
$tmprule
.=
"/
{
$netmask
}
"
;
$index
++
;
if
(
$isblock
==
true
)
$isblock
=
false
;
}
/* Destination */
if
(
trim
(
$rule
[
$index
])
==
"host"
)
{
$index
++
;
$tmprule
.=
"to
{
$rule
[
$index
]
}
"
;
$index
++
;
if
(
$isblock
==
true
)
$isblock
=
false
;
}
else
if
(
trim
(
$rule
[
$index
])
==
"any"
)
{
$index
++
;
$tmprule
.=
"to any"
;
}
else
{
$tmprule
.=
"to
{
$rule
[
$index
]
}
"
;
$index
++
;
$netmask
=
cisco_to_cidr
(
$rule
[
$index
]);
$tmprule
.=
"/
{
$netmask
}
"
;
$index
++
;
if
(
$isblock
==
true
)
$isblock
=
false
;
}
if
(
$isblock
==
true
)
continue
;
if
(
$dir
==
"in"
)
$inrules
[
$rindex
]
=
$tmprule
;
else
if
(
$dir
==
"out"
)
$outrules
[
$rindex
]
=
$tmprule
;
}
$state
=
""
;
if
(
!
empty
(
$outrules
))
$state
=
"no state"
;
ksort
(
$inrules
,
SORT_NUMERIC
);
foreach
(
$inrules
as
$inrule
)
$finalrules
.=
"
{
$inrule
}
{
$state
}
\n
"
;
if
(
!
empty
(
$outrules
))
{
ksort
(
$outrules
,
SORT_NUMERIC
);
foreach
(
$outrules
as
$outrule
)
$finalrules
.=
"
{
$outrule
}
{
$state
}
\n
"
;
}
}
return
$finalrules
;
}
/**
* Get the NAS-Identifier
...
...
@@ -139,7 +283,20 @@ if ($authenticated == false) {
}
}
@
include_once
(
'ipsec.attributes.php'
);
if
(
empty
(
$common_name
))
{
$common_name
=
getenv
(
"common_name"
);
if
(
empty
(
$common_name
))
$common_name
=
getenv
(
"username"
);
}
$rules
=
parse_cisco_acl
(
$attributes
);
if
(
!
empty
(
$rules
))
{
$pid
=
getmypid
();
@
file_put_contents
(
"/tmp/ipsec_
{
$pid
}{
$common_name
}
.rules"
,
$rules
);
mwexec
(
"/sbin/pfctl -a "
.
escapeshellarg
(
"ipsec/
{
$common_name
}
"
)
.
" -f /tmp/ipsec_
{
$pid
}
"
.
escapeshellarg
(
$common_name
)
.
".rules"
);
@
unlink
(
"/tmp/ipsec_
{
$pid
}{
$common_name
}
.rules"
);
}
syslog
(
LOG_NOTICE
,
"user '
{
$username
}
' authenticated
\n
"
);
closelog
();
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment