Skip to content

O
OpnSense
Commit e30a5623 authored by Franco Fichtner's avatar Franco Fichtner
Browse files
Options

ipsec: merge plugin framework usage from master

parent 45c4a28b
Hide whitespace changes
Inline Side-by-side
Showing with 144 additions and 184 deletions
plist
View file @ e30a5623
......@@ -21,8 +21,6 @@
/usr/local/etc/inc/gwlb.inc
/usr/local/etc/inc/interfaces.inc
/usr/local/etc/inc/interfaces.lib.inc
/usr/local/etc/inc/ipsec.auth-user.php
/usr/local/etc/inc/ipsec.inc
/usr/local/etc/inc/legacy_bindings.inc
/usr/local/etc/inc/notices.basic_sasl_client.inc
/usr/local/etc/inc/notices.cram_md5_sasl_client.inc
......@@ -43,9 +41,10 @@
/usr/local/etc/inc/plugins.inc.d/dyndns.inc
/usr/local/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
/usr/local/etc/inc/plugins.inc.d/dyndns/r53.inc
/usr/local/etc/inc/plugins.inc.d/if_ipsec.inc
/usr/local/etc/inc/plugins.inc.d/if_openvpn.inc
/usr/local/etc/inc/plugins.inc.d/ipfw.inc
/usr/local/etc/inc/plugins.inc.d/ipsec.inc
/usr/local/etc/inc/plugins.inc.d/ipsec/auth-user.php
/usr/local/etc/inc/plugins.inc.d/netflow.inc
/usr/local/etc/inc/plugins.inc.d/ntpd.inc
/usr/local/etc/inc/plugins.inc.d/openssh.inc
......
src/etc/inc/interfaces.inc
View file @ e30a5623
......@@ -1034,7 +1034,7 @@ function interfaces_configure($verbose = false)
if ($reload) {
system_routing_configure('', $verbose);
ipsec_configure($verbose);
ipsec_configure_do($verbose);
plugins_configure('dns', $verbose);
services_dhcpd_configure('all', array(), $verbose);
}
......@@ -2760,17 +2760,9 @@ function interface_configure($interface = 'wan', $reloadall = false, $linkupeven
if ($reloadall == true) {
system_routing_configure($interface);
/* reload ipsec tunnels */
ipsec_configure();
/* restart dns servers */
ipsec_configure_do();
plugins_configure('dns');
/* reload dhcpd (interface enabled/disabled status may have changed) */
services_dhcpd_configure();
/* update dyndns */
configd_run("dyndns reload {$interface}");
configd_run("rfc2136 reload {$interface}");
}
......
src/etc/inc/plugins.inc.d/if_ipsec.inc deleted 100644 → 0
View file @ 45c4a28b
<?php
/*
Copyright (C) 2016 Deciso B.V.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
function if_ipsec_syslog()
{
$logfacilities = array();
$logfacilities['ipsec'] = array(
'facility' => array('charon'),
'remote' => 'vpn',
);
return $logfacilities;
}
function if_ipsec_services()
{
global $config;
$services = array();
if (!empty($config['ipsec']['enable']) || !empty($config['ipsec']['client']['enable'])) {
$pconfig = array();
$pconfig['name'] = 'strongswan';
$pconfig['description'] = gettext('IPsec VPN');
$pconfig['pidfile'] = '/var/run/charon.pid';
$pconfig['configd'] = array(
'restart' => array('ipsec restart'),
'start' => array('ipsec start'),
'stop' => array('ipsec stop'),
);
$services[] = $pconfig;
}
return $services;
}
function if_ipsec_interfaces()
{
global $config;
$interfaces = array();
if (isset($config['ipsec']['phase1']) && isset($config['ipsec']['phase2'])) {
foreach ($config['ipsec']['phase1'] as $ph1ent) {
if (!empty($ph1ent['disabled'])) {
continue;
}
foreach ($config['ipsec']['phase2'] as $ph2ent) {
if (!empty($ph2ent['disabled']) || $ph1ent['ikeid'] != $ph2ent['ikeid']) {
continue;
}
if ((!empty($ph2ent['mobile']) && empty($config['ipsec']['client']['enable'])) ||
empty($config['ipsec']['enable'])) {
continue;
}
$oic = array('enable' => true);
$oic['if'] = 'enc0';
$oic['descr'] = 'IPsec';
$oic['type'] = 'none';
$oic['virtual'] = true;
$oic['networks'] = array();
$interfaces['enc0'] = $oic;
break 2;
}
}
}
return $interfaces;
}
function if_ipsec_xmlrpc_sync()
{
$result = array();
$result[] = array(
'description' => gettext('IPsec'),
'section' => 'ipsec',
'id' => 'ipsec',
);
return $result;
}
src/etc/inc/ipsec.inc src/etc/inc/plugins.inc.d/ipsec.inc
View file @ e30a5623
<?php
/*
Copyright (C) 2016 Deciso B.V.
Copyright (C) 2008 Shrew Soft Inc
Copyright (C) 2008 Ermal Luçi
Copyright (C) 2004-2007 Scott Ullrich
......@@ -110,6 +111,98 @@ $p2_pfskeygroups = array(
18 => '18 (8192 bit)'
);
function ipsec_configure()
{
return array(
'interface' => array('ipsec_configure_do:2'),
);
}
function ipsec_syslog()
{
$logfacilities = array();
$logfacilities['ipsec'] = array(
'facility' => array('charon'),
'remote' => 'vpn',
);
return $logfacilities;
}
function ipsec_services()
{
global $config;
$services = array();
if (!empty($config['ipsec']['enable']) || !empty($config['ipsec']['client']['enable'])) {
$pconfig = array();
$pconfig['name'] = 'strongswan';
$pconfig['description'] = gettext('IPsec VPN');
$pconfig['pidfile'] = '/var/run/charon.pid';
$pconfig['configd'] = array(
'restart' => array('ipsec restart'),
'start' => array('ipsec start'),
'stop' => array('ipsec stop'),
);
$services[] = $pconfig;
}
return $services;
}
function ipsec_interfaces()
{
global $config;
$interfaces = array();
if (isset($config['ipsec']['phase1']) && isset($config['ipsec']['phase2'])) {
foreach ($config['ipsec']['phase1'] as $ph1ent) {
if (!empty($ph1ent['disabled'])) {
continue;
}
foreach ($config['ipsec']['phase2'] as $ph2ent) {
if (!empty($ph2ent['disabled']) || $ph1ent['ikeid'] != $ph2ent['ikeid']) {
continue;
}
if ((!empty($ph2ent['mobile']) && empty($config['ipsec']['client']['enable'])) ||
empty($config['ipsec']['enable'])) {
continue;
}
$oic = array('enable' => true);
$oic['if'] = 'enc0';
$oic['descr'] = 'IPsec';
$oic['type'] = 'none';
$oic['virtual'] = true;
$oic['networks'] = array();
$interfaces['enc0'] = $oic;
break 2;
}
}
}
return $interfaces;
}
function ipsec_xmlrpc_sync()
{
$result = array();
$result[] = array(
'description' => gettext('IPsec'),
'section' => 'ipsec',
'id' => 'ipsec',
);
return $result;
}
/*
* Return phase1 local address
*/
......@@ -439,10 +532,24 @@ function ipsec_convert_to_modp($index)
return $convertion;
}
function ipsec_configure($verbose = false)
function ipsec_configure_do($verbose = false, $interface = '')
{
global $config, $p2_ealgos, $ipsec_loglevels;
if (!empty($interface)) {
$active = false;
if (isset($config['ipsec']['phase1'])) {
foreach ($config['ipsec']['phase1'] as $phase1) {
if (!isset($phase1['disabled']) && $phase1['interface'] == $interface) {
$active = true;
}
}
}
if (!$active) {
return;
}
}
/* get the automatic ping_hosts.sh ready */
@unlink('/var/db/ipsecpinghosts');
@touch('/var/db/ipsecpinghosts');
......@@ -745,7 +852,7 @@ EOD;
}
if ($a_client['user_source'] != "none" && $disable_xauth == false) {
$strongswan .= "\t\txauth-generic {\n";
$strongswan .= "\t\t\tscript = /usr/local/etc/inc/ipsec.auth-user.php\n";
$strongswan .= "\t\t\tscript = /usr/local/etc/inc/plugins.inc.d/ipsec/auth-user.php\n";
$strongswan .= "\t\t\tauthcfg = ";
$firstsed = 0;
$authcfgs = explode(",", $a_client['user_source']);
......@@ -886,7 +993,6 @@ EOD;
}
$conn_params = "";
$aggressive = $ph1ent['mode'] == "aggressive" ? "yes" : "no";
$mobike = !empty($ph1ent['mobike']) ? "mobike = no" : " mobike = yes";
$ep = ipsec_get_phase1_src($ph1ent);
if (empty($ep)) {
......@@ -896,6 +1002,7 @@ EOD;
$keyexchange = "ikev1";
if (!empty($ph1ent['iketype']) && $ph1ent['iketype'] != "ikev1") {
$keyexchange = "ikev2";
$mobike = !empty($ph1ent['mobike']) ? "mobike = no" : "mobike = yes";
}
if (isset($ph1ent['mobile'])) {
......@@ -1034,7 +1141,7 @@ EOD;
continue;
}
if (($ph2ent['mode'] == 'tunnel') or ($ph2ent['mode'] == 'tunnel6')) {
if (($ph2ent['mode'] == 'tunnel') || ($ph2ent['mode'] == 'tunnel6')) {
$tunneltype = "type = tunnel";
$localid_type = $ph2ent['localid']['type'];
$leftsubnet_data = ipsec_idinfo_to_cidr($ph2ent['localid'], false, $ph2ent['mode']);
......@@ -1172,10 +1279,10 @@ conn con<<connectionId>>
aggressive = {$aggressive}
fragmentation = yes
keyexchange = {$keyexchange}
{$mobike}
{$reauth}
{$rekey}
{$forceencaps}
{$mobike}
installpolicy = yes
{$tunneltype}
{$dpdline}
......@@ -1336,16 +1443,3 @@ EOD;
return count($filterdns_list);
}
function ipsec_configured_on_interface($interface)
{
global $config;
if (isset($config['ipsec']['phase1'])) {
foreach ($config['ipsec']['phase1'] as $phase1) {
if (!isset($phase1['disabled']) && $phase1['interface'] == $interface) {
return true;
}
}
}
return false;
}
src/etc/inc/services.inc
View file @ e30a5623
......@@ -43,10 +43,10 @@
* as plugins, but the things listed below are viable
* targets in the future:
*/
require_once('ipsec.inc');
require_once('openvpn.inc');
require_once('plugins.inc.d/dnsmasq.inc');
require_once('plugins.inc.d/dyndns.inc');
require_once('plugins.inc.d/ipsec.inc');
require_once('plugins.inc.d/rfc2136.inc');
require_once('plugins.inc.d/openssh.inc');
require_once('plugins.inc.d/unbound.inc');
......
src/etc/inc/xmlrpc/legacy.inc
View file @ e30a5623
......@@ -255,7 +255,7 @@ function restore_config_section_xmlrpc($new_config)
}
if (isset($old_config['ipsec']['enable']) !== isset($config['ipsec']['enable'])) {
ipsec_configure();
ipsec_configure_do();
}
unset($old_config);
......
src/etc/rc.bootup
View file @ e30a5623
......@@ -120,7 +120,7 @@ configd_run('template reload *');
plugins_configure('bootup', true);
/* start IPsec tunnels */
$ipsec_dynamic_hosts = ipsec_configure(true);
$ipsec_dynamic_hosts = ipsec_configure_do(true);
rrd_configure(true);
system_powerd_configure(true);
......@@ -134,7 +134,7 @@ system_syslogd_start(true);
/* If there are ipsec dynamic hosts try again to reload the tunnels as rc.newipsecdns does */
if ($ipsec_dynamic_hosts) {
ipsec_configure(true);
ipsec_configure_do(true);
}
if (is_install_media()) {
......
src/etc/rc.newipsecdns
View file @ e30a5623
......@@ -31,7 +31,7 @@
require_once("util.inc");
require_once("config.inc");
require_once("filter.inc");
require_once('ipsec.inc');
require_once('plugins.inc.d/ipsec.inc');
require_once('auth.inc');
require_once("interfaces.inc");
......@@ -46,5 +46,5 @@ if (file_exists('/var/run/booting')) {
}
$ipseclck = lock('ipsecdns', LOCK_EX);
ipsec_configure();
ipsec_configure_do(true);
unlock($ipseclck);
src/etc/rc.newwanip
View file @ e30a5623
......@@ -181,21 +181,16 @@ if (!is_ipaddr($oldip) || $curwanip != $oldip || !is_ipaddrv4($config['interface
@file_put_contents("/var/db/{$interface}_cacheip", $curwanip);
}
/* reconfigure IPsec tunnels */
if (ipsec_configured_on_interface($interface)) {
ipsec_configure();
}
/* start OpenVPN server & clients */
if (substr($interface_real, 0, 4) != "ovpn") {
openvpn_resync_all($interface);
}
/* reload plugins */
plugins_configure('interface', false, array($interface));
/* reload graphing functions */
rrd_configure();
/* reload plugins */
plugins_configure('interface');
}
/* reload filter, don't try to sync to carp slave */
......
src/etc/rc.newwanipv6
View file @ e30a5623
......@@ -121,9 +121,7 @@ if (is_ipaddrv6($oldipv6)) {
// Still need to sync VPNs on PPPoE and such, as even with the same IP the VPN software is unhappy with the IP disappearing.
if (in_array($config['interfaces'][$interface]['ipaddrv6'], array('pppoe', 'pptp', 'ppp'))) {
/* reconfigure IPsec tunnels */
if (ipsec_configured_on_interface($interface)) {
ipsec_configure();
}
ipsec_configure_do(false, $interface);
/* start OpenVPN server & clients */
if (substr($interface_real, 0, 4) != "ovpn") {
......@@ -138,18 +136,13 @@ if (is_ipaddrv6($oldipv6)) {
file_put_contents("/var/db/{$interface}_cacheipv6", $curwanipv6);
}
/* reconfigure IPsec tunnels */
if (ipsec_configured_on_interface($interface)) {
ipsec_configure();
}
/* start OpenVPN server & clients */
if (substr($interface_real, 0, 4) != 'ovpn') {
openvpn_resync_all($interface);
}
/* reload plugins */
plugins_configure('interface', false, array($interface));
/* reload graphing functions */
rrd_configure();
/* reload plugins */
plugins_configure('interface');
src/www/diag_ipsec_leases.php
View file @ e30a5623
......@@ -28,7 +28,7 @@
*/
require_once("guiconfig.inc");
require_once("ipsec.inc");
require_once("plugins.inc.d/ipsec.inc");
require_once("services.inc");
require_once("interfaces.inc");
......
src/www/diag_ipsec_sad.php
View file @ e30a5623
......@@ -29,7 +29,7 @@
*/
require_once("guiconfig.inc");
require_once("ipsec.inc");
require_once("plugins.inc.d/ipsec.inc");
require_once("services.inc");
require_once("interfaces.inc");
......
src/www/diag_ipsec_spd.php
View file @ e30a5623
......@@ -29,7 +29,7 @@
*/
require_once("guiconfig.inc");
require_once("ipsec.inc");
require_once("plugins.inc.d/ipsec.inc");
require_once("services.inc");
require_once("interfaces.inc");
......
src/www/vpn_ipsec.php
View file @ e30a5623
......@@ -30,7 +30,7 @@
require_once("guiconfig.inc");
require_once("filter.inc");
require_once("ipsec.inc");
require_once("plugins.inc.d/ipsec.inc");
require_once("services.inc");
require_once("interfaces.inc");
......@@ -77,7 +77,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$a_phase1 = &$config['ipsec']['phase1'];
$a_phase2 = &$config['ipsec']['phase2'];
if (isset($_POST['apply'])) {
ipsec_configure();
ipsec_configure_do();
filter_configure();
$savemsg = get_std_save_message();
clear_subsystem_dirty('ipsec');
......@@ -88,7 +88,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
unset($config['ipsec']['enable']);
}
write_config();
ipsec_configure();
ipsec_configure_do();
filter_configure();
clear_subsystem_dirty('ipsec');
header(url_safe('Location: /vpn_ipsec.php'));
......
src/www/vpn_ipsec_keys.php
View file @ e30a5623
......@@ -28,7 +28,7 @@
*/
require_once("guiconfig.inc");
require_once("ipsec.inc");
require_once("plugins.inc.d/ipsec.inc");
require_once("filter.inc");
require_once("services.inc");
require_once("interfaces.inc");
......@@ -55,7 +55,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
}
} elseif (isset($_POST['apply'])) {
// apply changes
ipsec_configure();
ipsec_configure_do();
filter_configure();
$savemsg = get_std_save_message();
clear_subsystem_dirty('ipsec');
......
src/www/vpn_ipsec_keys_edit.php
View file @ e30a5623
......@@ -30,7 +30,7 @@
require_once("guiconfig.inc");
require_once("interfaces.inc");
require_once("services.inc");
require_once("ipsec.inc");
require_once("plugins.inc.d/ipsec.inc");
if (!isset($config['ipsec']) || !is_array($config['ipsec'])) {
$config['ipsec'] = array();
......
src/www/vpn_ipsec_mobile.php
View file @ e30a5623
......@@ -31,7 +31,7 @@ require_once("guiconfig.inc");
require_once("interfaces.inc");
require_once("filter.inc");
require_once("services.inc");
require_once("ipsec.inc");
require_once("plugins.inc.d/ipsec.inc");
if (!isset($config['ipsec']) || !is_array($config['ipsec'])) {
$config['ipsec'] = array();
......@@ -88,7 +88,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
exit;
} elseif (isset($_POST['apply'])) {
// apply changes
ipsec_configure();
ipsec_configure_do();
$savemsg = get_std_save_message();
clear_subsystem_dirty('ipsec');
header(url_safe('Location: /vpn_ipsec_mobile.php?savemsg=%s', array($savemsg)));
......
src/www/vpn_ipsec_phase1.php
View file @ e30a5623
......@@ -31,7 +31,7 @@
require_once("guiconfig.inc");
require_once("filter.inc");
require_once("ipsec.inc");
require_once("plugins.inc.d/ipsec.inc");
require_once("services.inc");
require_once("interfaces.inc");
......@@ -414,7 +414,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
}
/* if the remote gateway changed and the interface is not WAN then remove route */
/* the ipsec_configure() handles adding the route */
if ($pconfig['interface'] <> "wan") {
if ($old_ph1ent['remote-gateway'] <> $pconfig['remote-gateway']) {
mwexec("/sbin/route delete -host {$old_ph1ent['remote-gateway']}");
......
src/www/vpn_ipsec_phase2.php
View file @ e30a5623
......@@ -30,7 +30,7 @@
require_once("guiconfig.inc");
require_once("interfaces.inc");
require_once("ipsec.inc");
require_once("plugins.inc.d/ipsec.inc");
require_once("services.inc");
/**
......
src/www/vpn_ipsec_settings.php
View file @ e30a5623
......@@ -29,7 +29,7 @@
require_once("guiconfig.inc");
require_once("filter.inc");
require_once("ipsec.inc");
require_once("plugins.inc.d/ipsec.inc");
require_once("services.inc");
require_once("interfaces.inc");
......@@ -83,7 +83,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
write_config();
$savemsg = get_std_save_message();
filter_configure();
ipsec_configure();
ipsec_configure_do();
}
$service_hook = 'ipsec';
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

Technounit-GROUP 2023