(legacy) cleanup, move content of ipsec.attributes.php into ipsec.auth-user.php

a9935f8a · Ad Schellevis · 4075a285 · 4075a285 · a9935f8a
Commit a9935f8a authored Jul 23, 2015 by Ad Schellevis
Show whitespace changes
Inline Side-by-side

Showing with 158 additions and 185 deletions

ipsec.attributes.php src/etc/inc/ipsec.attributes.php +0 -184

ipsec.auth-user.php src/etc/inc/ipsec.auth-user.php +158 -1

No files found.
--- a/src/etc/inc/ipsec.attributes.php
+++ b/src/etc/inc/ipsec.attributes.php
-<?php
-/*
-        Copyright (C) 2011-2012 Ermal Luçi
-        All rights reserved.
-        Redistribution and use in source and binary forms, with or without
-        modification, are permitted provided that the following conditions are met:
-        1. Redistributions of source code must retain the above copyright notice,
-           this list of conditions and the following disclaimer.
-        2. Redistributions in binary form must reproduce the above copyright
-           notice, this list of conditions and the following disclaimer in the
-           documentation and/or other materials provided with the distribution.
-        THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-        INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-        AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-        AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-        OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-        SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-        INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-        CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-        ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-        POSSIBILITY OF SUCH DAMAGE.
-*/
-require_once("util.inc");
-if (empty($common_name)) {
-	$common_name = getenv("common_name");
-	if (empty($common_name))
-		$common_name = getenv("username");
-}
-function cisco_to_cidr($addr) {
-	if (!is_ipaddr($addr))
-		return 0;
-	$mask = decbin(~ip2long($addr));
-	$mask = substr($mask, -32);
-	$k = 0;
-	for ($i = 0; $i <= 32; $i++) {
-		$k += intval($mask[$i]);
-	}
-	return $k;
-}
-function cisco_extract_index($prule) {
-	$index = explode("#", $prule);
-	if (is_numeric($index[1]))
-		return intval($index[1]);
-	else
-		syslog(LOG_WARNING, "Error parsing rule {$prule}: Could not extract index");
-	return -1;;
-}
-function parse_cisco_acl($attribs) {
-	global $attributes;
-	if (!is_array($attribs))
-		return "";
-	$devname = "enc0";
-	$finalrules = "";
-	if (is_array($attribs['ciscoavpair'])) {
-		$inrules = array();
-		$outrules = array();
-		foreach ($attribs['ciscoavpair'] as $avrules) {
-			$rule = explode("=", $avrules);
-			$dir = "";
-			if (strstr($rule[0], "inacl")) {
-				$dir = "in";
-			} else if (strstr($rule[0], "outacl"))
-				$dir = "out";
-			else if (strstr($rule[0], "dns-servers")) {
-				$attributes['dns-servers'] = explode(" ", $rule[1]);
-				continue;
-			} else if (strstr($rule[0], "route")) {
-				if (!is_array($attributes['routes']))
-					$attributes['routes'] = array();
-				$attributes['routes'][] = $rule[1];
-				continue;
-			}
-			$rindex = cisco_extract_index($rule[0]);
-			if ($rindex < 0)
-				continue;
-			$rule = $rule[1];
-			$rule = explode(" ", $rule);
-			$tmprule = "";
-			$index = 0;
-			$isblock = false;
-			if ($rule[$index] == "permit")
-				$tmprule = "pass {$dir} quick on {$devname} ";
-			else if ($rule[$index] == "deny") {
-				//continue;
-				$isblock = true;
-				$tmprule = "block {$dir} quick on {$devname} ";
-			} else {
-				continue;
-			}
-			$index++;
-			switch ($rule[$index]) {
-			case "tcp":
-			case "udp":
-				$tmprule .= "proto {$rule[$index]} ";
-				break;
-			}
-			$index++;
-			/* Source */
-			if (trim($rule[$index]) == "host") {
-				$index++;
-				$tmprule .= "from {$rule[$index]} ";
-				$index++;
-				if ($isblock == true)
-					$isblock = false;
-			} else if (trim($rule[$index]) == "any") {
-				$tmprule .= "from any";
-				$index++;
-			} else {
-				$tmprule .= "from {$rule[$index]}";
-				$index++;
-				$netmask = cisco_to_cidr($rule[$index]);
-				$tmprule .= "/{$netmask} ";
-				$index++;
-				if ($isblock == true)
-					$isblock = false;
-			}
-			/* Destination */
-			if (trim($rule[$index]) == "host") {
-				$index++;
-				$tmprule .= "to {$rule[$index]} ";
-				$index++;
-				if ($isblock == true)
-					$isblock = false;
-			} else if (trim($rule[$index]) == "any") {
-				$index++;
-				$tmprule .= "to any";
-			} else {
-				$tmprule .= "to {$rule[$index]}";
-				$index++;
-				$netmask = cisco_to_cidr($rule[$index]);
-				$tmprule .= "/{$netmask} ";
-				$index++;
-				if ($isblock == true)
-					$isblock = false;
-			}
-			if ($isblock == true)
-				continue;
-			if ($dir == "in")
-				$inrules[$rindex] = $tmprule;
-			else if ($dir == "out")
-				$outrules[$rindex] = $tmprule;
-		}
-		$state = "";
-		if (!empty($outrules))
-			$state = "no state";
-		ksort($inrules, SORT_NUMERIC);
-		foreach ($inrules as $inrule)
-			$finalrules .= "{$inrule} {$state}\n";
-		if (!empty($outrules)) {
-			ksort($outrules, SORT_NUMERIC);
-			foreach ($outrules as $outrule)
-				$finalrules .= "{$outrule} {$state}\n";
-		}
-	}
-	return $finalrules;
-}
-$rules = parse_cisco_acl($attributes);
-if (!empty($rules)) {
-	$pid = getmypid();
-	@file_put_contents("/tmp/ipsec_{$pid}{$common_name}.rules", $rules);
-	mwexec("/sbin/pfctl -a " . escapeshellarg("ipsec/{$common_name}") . " -f /tmp/ipsec_{$pid}" . escapeshellarg($common_name) . ".rules");
-	@unlink("/tmp/ipsec_{$pid}{$common_name}.rules");
-}
--- a/src/etc/inc/ipsec.auth-user.php
+++ b/src/etc/inc/ipsec.auth-user.php
@@ -38,6 +38,150 @@ require_once("config.inc");
 require_once("radius.inc");
 require_once("auth.inc");
 require_once("interfaces.inc");
+require_once("util.inc");
+function cisco_to_cidr($addr) {
+	if (!is_ipaddr($addr))
+		return 0;
+	$mask = decbin(~ip2long($addr));
+	$mask = substr($mask, -32);
+	$k = 0;
+	for ($i = 0; $i <= 32; $i++) {
+		$k += intval($mask[$i]);
+	}
+	return $k;
+}
+function cisco_extract_index($prule) {
+	$index = explode("#", $prule);
+	if (is_numeric($index[1]))
+		return intval($index[1]);
+	else
+		syslog(LOG_WARNING, "Error parsing rule {$prule}: Could not extract index");
+	return -1;;
+}
+function parse_cisco_acl($attribs) {
+	global $attributes;
+	if (!is_array($attribs))
+		return "";
+	$devname = "enc0";
+	$finalrules = "";
+	if (is_array($attribs['ciscoavpair'])) {
+		$inrules = array();
+		$outrules = array();
+		foreach ($attribs['ciscoavpair'] as $avrules) {
+			$rule = explode("=", $avrules);
+			$dir = "";
+			if (strstr($rule[0], "inacl")) {
+				$dir = "in";
+			} else if (strstr($rule[0], "outacl"))
+				$dir = "out";
+			else if (strstr($rule[0], "dns-servers")) {
+				$attributes['dns-servers'] = explode(" ", $rule[1]);
+				continue;
+			} else if (strstr($rule[0], "route")) {
+				if (!is_array($attributes['routes']))
+					$attributes['routes'] = array();
+				$attributes['routes'][] = $rule[1];
+				continue;
+			}
+			$rindex = cisco_extract_index($rule[0]);
+			if ($rindex < 0)
+				continue;
+			$rule = $rule[1];
+			$rule = explode(" ", $rule);
+			$tmprule = "";
+			$index = 0;
+			$isblock = false;
+			if ($rule[$index] == "permit")
+				$tmprule = "pass {$dir} quick on {$devname} ";
+			else if ($rule[$index] == "deny") {
+				//continue;
+				$isblock = true;
+				$tmprule = "block {$dir} quick on {$devname} ";
+			} else {
+				continue;
+			}
+			$index++;
+			switch ($rule[$index]) {
+			case "tcp":
+			case "udp":
+				$tmprule .= "proto {$rule[$index]} ";
+				break;
+			}
+			$index++;
+			/* Source */
+			if (trim($rule[$index]) == "host") {
+				$index++;
+				$tmprule .= "from {$rule[$index]} ";
+				$index++;
+				if ($isblock == true)
+					$isblock = false;
+			} else if (trim($rule[$index]) == "any") {
+				$tmprule .= "from any";
+				$index++;
+			} else {
+				$tmprule .= "from {$rule[$index]}";
+				$index++;
+				$netmask = cisco_to_cidr($rule[$index]);
+				$tmprule .= "/{$netmask} ";
+				$index++;
+				if ($isblock == true)
+					$isblock = false;
+			}
+			/* Destination */
+			if (trim($rule[$index]) == "host") {
+				$index++;
+				$tmprule .= "to {$rule[$index]} ";
+				$index++;
+				if ($isblock == true)
+					$isblock = false;
+			} else if (trim($rule[$index]) == "any") {
+				$index++;
+				$tmprule .= "to any";
+			} else {
+				$tmprule .= "to {$rule[$index]}";
+				$index++;
+				$netmask = cisco_to_cidr($rule[$index]);
+				$tmprule .= "/{$netmask} ";
+				$index++;
+				if ($isblock == true)
+					$isblock = false;
+			}
+			if ($isblock == true)
+				continue;
+			if ($dir == "in")
+				$inrules[$rindex] = $tmprule;
+			else if ($dir == "out")
+				$outrules[$rindex] = $tmprule;
+		}
+		$state = "";
+		if (!empty($outrules))
+			$state = "no state";
+		ksort($inrules, SORT_NUMERIC);
+		foreach ($inrules as $inrule)
+			$finalrules .= "{$inrule} {$state}\n";
+		if (!empty($outrules)) {
+			ksort($outrules, SORT_NUMERIC);
+			foreach ($outrules as $outrule)
+				$finalrules .= "{$outrule} {$state}\n";
+		}
+	}
+	return $finalrules;
+}
 /**
 * Get the NAS-Identifier
@@ -139,7 +283,20 @@ if ($authenticated == false) {
 	}
 }
-@include_once('ipsec.attributes.php');
+if (empty($common_name)) {
+	$common_name = getenv("common_name");
+	if (empty($common_name))
+		$common_name = getenv("username");
+}
+$rules = parse_cisco_acl($attributes);
+if (!empty($rules)) {
+	$pid = getmypid();
+	@file_put_contents("/tmp/ipsec_{$pid}{$common_name}.rules", $rules);
+	mwexec("/sbin/pfctl -a " . escapeshellarg("ipsec/{$common_name}") . " -f /tmp/ipsec_{$pid}" . escapeshellarg($common_name) . ".rules");
+	@unlink("/tmp/ipsec_{$pid}{$common_name}.rules");
+}
 syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
 closelog();