[git.ipfire.org] IPFire 2.x development tree branch, next, updated. 55eb745e65ade706d6ded851086a42f2a1b8803b
From: git @ 2015-09-28 13:36 UTC
To: ipfire-scm
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 55eb745e65ade706d6ded851086a42f2a1b8803b (commit)
via dfe630f77c780c17238ae23392e52e68a41ab892 (commit)
via c400bc2d7dc1c4e1f784f5bbd8c2d898b1faf97a (commit)
via c6fba315ecd044bd53350641c2e6f27d9df785de (commit)
via b1881251d6cdd92c7e887813395386afe9692944 (commit)
via 4b046d735d28012d215276ea08272f298e1e8ba1 (commit)
via d86694ad1f5c1553d57028af0bd8de58ca6d5f39 (commit)
via 624615ee0731c45eff6bc964aa053d5e481aa30f (commit)
via ed1d0fbdbe0a2c7990ac984ebeed4e74c7bd3955 (commit)
via 9dd14089ce95dfc9277e121f95d994005f860e60 (commit)
via 7c8e022c4b3c7d184e4cee8f79b5e7d63f464759 (commit)
via 8792caad90e968894fa55909b725055e7ac8f5c5 (commit)
via 3db584817d41c055c462a77ac9fb50491766beaf (commit)
via 36f7fe6a38c7923ac0e25a677484542f9388520a (commit)
from c9f0174979e9de685906e12a22e7625cd92dc90f (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 55eb745e65ade706d6ded851086a42f2a1b8803b
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Sep 28 14:35:54 2015 +0100
core95: Ship changed files
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit dfe630f77c780c17238ae23392e52e68a41ab892
Merge: c400bc2 3db5848
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Sep 28 14:33:49 2015 +0100
Merge remote-tracking branch 'ms/experimental-vlan-hotplugging' into next
commit c400bc2d7dc1c4e1f784f5bbd8c2d898b1faf97a
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Sep 28 14:25:53 2015 +0100
core95: Ship changed files
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit c6fba315ecd044bd53350641c2e6f27d9df785de
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Sep 28 14:24:44 2015 +0100
connections.cgi: Support multiple subnets for IPsec
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit b1881251d6cdd92c7e887813395386afe9692944
Merge: 4b046d7 7c8e022
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Sep 28 14:21:18 2015 +0100
Merge remote-tracking branch 'ms/ipsec-subnets' into next
commit 4b046d735d28012d215276ea08272f298e1e8ba1
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Sep 28 14:08:17 2015 +0100
Start Core Update 95
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit d86694ad1f5c1553d57028af0bd8de58ca6d5f39
Merge: 624615e 9dd1408
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Sep 28 14:05:26 2015 +0100
Merge branch 'master' into next
commit 624615ee0731c45eff6bc964aa053d5e481aa30f
Author: Lars Schuhmacher <larsen007(a)web.de>
Date: Fri Sep 25 23:01:17 2015 +0200
vpnmain.cgi - Replace spaces with tab characters and fix indentation
Replaced spaces with tab characters. Fixed indentation.
This is based on http://patchwork.ipfire.org/patch/88/ so that patch must be applied before.
Signed-off-by: Lars Schuhmacher <larsen007(a)web.de>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit ed1d0fbdbe0a2c7990ac984ebeed4e74c7bd3955
Author: Lars Schuhmacher <larsen007(a)web.de>
Date: Fri Sep 25 00:04:08 2015 +0200
IPsec: Remove GUI option for "Roadwarrior virtual IP"
This setting stems from IPCop (and probably Openswan) and causes a problem.
Fixes bug #10496.
Signed-off-by: Lars Schuhmacher <larsen007(a)web.de>
Acked-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 7c8e022c4b3c7d184e4cee8f79b5e7d63f464759
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Sep 22 00:26:14 2015 +0100
firewall: Support multiple subnets per IPsec tunnel
Fixes #10929
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 8792caad90e968894fa55909b725055e7ac8f5c5
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Aug 25 21:52:11 2015 +0100
ipsec: Support using multiple subnets per tunnel
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 3db584817d41c055c462a77ac9fb50491766beaf
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Sun Aug 2 22:23:59 2015 +0100
Remove old VLAN initscript
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 36f7fe6a38c7923ac0e25a677484542f9388520a
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Sun Aug 2 22:18:33 2015 +0100
udev: Add hotplugging for VLAN devices
The VLAN devices will now automatically be created after
a parent device has been added.
Mainly this will resolve a race-condition between udev
initialising the network adapters and sysvinit running
scripts that will do the initialisation of the VLAN.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/firewall/firewall-lib.pl | 5 +-
config/rootfiles/common/armv5tel/initscripts | 2 -
config/rootfiles/common/i586/initscripts | 2 -
config/rootfiles/common/udev | 1 +
.../rootfiles/core/94/filelists/Email-Date-Format | 1 -
config/rootfiles/core/94/filelists/MIME-Lite | 1 -
config/rootfiles/core/{94 => 95}/exclude | 0
config/rootfiles/core/95/filelists/files | 8 +
config/rootfiles/core/{94 => 95}/meta | 0
config/rootfiles/{oldcore/93 => core/95}/update.sh | 14 +-
config/rootfiles/{core => oldcore}/94/exclude | 0
.../{core => oldcore}/94/filelists/armv5tel/glibc | 0
.../rootfiles/{core => oldcore}/94/filelists/bind | 0
.../{core => oldcore}/94/filelists/chkconfig | 0
.../{core => oldcore}/94/filelists/coreutils | 0
.../rootfiles/{core => oldcore}/94/filelists/dma | 0
.../{core => oldcore}/94/filelists/dnsmasq | 0
.../rootfiles/{core => oldcore}/94/filelists/file | 0
.../rootfiles/{core => oldcore}/94/filelists/files | 0
.../{core => oldcore}/94/filelists/fireinfo | 0
.../{core => oldcore}/94/filelists/hdparm | 0
.../{core => oldcore}/94/filelists/i586/glibc | 0
.../{core => oldcore}/94/filelists/iproute2 | 0
.../{core => oldcore}/94/filelists/libgcrypt | 0
.../{core => oldcore}/94/filelists/libgpg-error | 0
.../{core => oldcore}/94/filelists/openssh | 0
.../rootfiles/{core => oldcore}/94/filelists/pcre | 0
.../oldcore/94/filelists/perl-Email-Date-Format | 1 +
.../rootfiles/oldcore/94/filelists/perl-MIME-Lite | 1 +
.../{core => oldcore}/94/filelists/rrdtool | 0
.../rootfiles/{core => oldcore}/94/filelists/setup | 0
.../rootfiles/{core => oldcore}/94/filelists/squid | 0
config/rootfiles/oldcore/{93 => 94}/meta | 0
config/rootfiles/{core => oldcore}/94/update.sh | 0
config/udev/60-net.rules | 4 +
.../udev/network-hotplug-vlan | 82 +-
html/cgi-bin/connections.cgi | 18 +-
html/cgi-bin/vpnmain.cgi | 4385 ++++++++++----------
langs/de/cgi-bin/de.pl | 1 -
langs/en/cgi-bin/en.pl | 1 -
langs/es/cgi-bin/es.pl | 1 -
langs/fr/cgi-bin/fr.pl | 1 -
langs/it/cgi-bin/it.pl | 1 -
langs/nl/cgi-bin/nl.pl | 1 -
langs/pl/cgi-bin/pl.pl | 1 -
langs/ru/cgi-bin/ru.pl | 1 -
langs/tr/cgi-bin/tr.pl | 1 -
lfs/initscripts | 1 -
lfs/udev | 2 +
make.sh | 2 +-
50 files changed, 2257 insertions(+), 2282 deletions(-)
delete mode 120000 config/rootfiles/core/94/filelists/Email-Date-Format
delete mode 120000 config/rootfiles/core/94/filelists/MIME-Lite
copy config/rootfiles/core/{94 => 95}/exclude (100%)
create mode 100644 config/rootfiles/core/95/filelists/files
rename config/rootfiles/core/{94 => 95}/meta (100%)
copy config/rootfiles/{oldcore/93 => core/95}/update.sh (89%)
rename config/rootfiles/{core => oldcore}/94/exclude (100%)
rename config/rootfiles/{core => oldcore}/94/filelists/armv5tel/glibc (100%)
rename config/rootfiles/{core => oldcore}/94/filelists/bind (100%)
rename config/rootfiles/{core => oldcore}/94/filelists/chkconfig (100%)
rename config/rootfiles/{core => oldcore}/94/filelists/coreutils (100%)
rename config/rootfiles/{core => oldcore}/94/filelists/dma (100%)
rename config/rootfiles/{core => oldcore}/94/filelists/dnsmasq (100%)
rename config/rootfiles/{core => oldcore}/94/filelists/file (100%)
rename config/rootfiles/{core => oldcore}/94/filelists/files (100%)
rename config/rootfiles/{core => oldcore}/94/filelists/fireinfo (100%)
rename config/rootfiles/{core => oldcore}/94/filelists/hdparm (100%)
rename config/rootfiles/{core => oldcore}/94/filelists/i586/glibc (100%)
rename config/rootfiles/{core => oldcore}/94/filelists/iproute2 (100%)
rename config/rootfiles/{core => oldcore}/94/filelists/libgcrypt (100%)
rename config/rootfiles/{core => oldcore}/94/filelists/libgpg-error (100%)
rename config/rootfiles/{core => oldcore}/94/filelists/openssh (100%)
rename config/rootfiles/{core => oldcore}/94/filelists/pcre (100%)
create mode 120000 config/rootfiles/oldcore/94/filelists/perl-Email-Date-Format
create mode 120000 config/rootfiles/oldcore/94/filelists/perl-MIME-Lite
rename config/rootfiles/{core => oldcore}/94/filelists/rrdtool (100%)
rename config/rootfiles/{core => oldcore}/94/filelists/setup (100%)
rename config/rootfiles/{core => oldcore}/94/filelists/squid (100%)
copy config/rootfiles/oldcore/{93 => 94}/meta (100%)
rename config/rootfiles/{core => oldcore}/94/update.sh (100%)
rename src/initscripts/init.d/network-vlans => config/udev/network-hotplug-vlan (60%)
Difference in files:
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
index b389fac..eabd9a4 100644
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -391,8 +391,9 @@ sub get_address
# IPsec networks.
} elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) {
my $network_address = &get_ipsec_net_ip($value, 11);
- if ($network_address) {
- push(@ret, [$network_address, ""]);
+ my @nets = split(/\|/, $network_address);
+ foreach my $net (@nets) {
+ push(@ret, [$net, ""]);
}
# The firewall's own IP addresses.
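Review bot: the `if ($network_address)` guard is dropped in this hunk, so when `get_ipsec_net_ip($value, 11)` returns undef the new `split(/\|/, $network_address)` runs on an undefined value and raises an "uninitialized value" warning under `use warnings`; keep the guard around the split and loop, e.g. `if ($network_address) { foreach my $net (split(/\|/, $network_address)) { push(@ret, [$net, ""]); } }`. An empty field in the list (as produced by `a||b`) would also be pushed as an empty network and end up in a generated rule, so add `next unless $net;` at the top of the loop body.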
diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
index b4cd8f8..a174c5b 100644
--- a/config/rootfiles/common/armv5tel/initscripts
+++ b/config/rootfiles/common/armv5tel/initscripts
@@ -62,7 +62,6 @@ etc/rc.d/init.d/mounttmpfs
#etc/rc.d/init.d/netsnmpd
etc/rc.d/init.d/network
etc/rc.d/init.d/network-trigger
-etc/rc.d/init.d/network-vlans
#etc/rc.d/init.d/networking
etc/rc.d/init.d/networking/any
etc/rc.d/init.d/networking/blue
@@ -232,7 +231,6 @@ etc/rc.d/rcsysinit.d/S75firstsetup
etc/rc.d/rcsysinit.d/S80localnet
etc/rc.d/rcsysinit.d/S85firewall
etc/rc.d/rcsysinit.d/S90network-trigger
-etc/rc.d/rcsysinit.d/S91network-vlans
etc/rc.d/rcsysinit.d/S92rngd
etc/rc.d/rc3.d/S15fireinfo
#etc/sysconfig
diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
index 878ba66..84c432a 100644
--- a/config/rootfiles/common/i586/initscripts
+++ b/config/rootfiles/common/i586/initscripts
@@ -64,7 +64,6 @@ etc/rc.d/init.d/mounttmpfs
#etc/rc.d/init.d/netsnmpd
etc/rc.d/init.d/network
etc/rc.d/init.d/network-trigger
-etc/rc.d/init.d/network-vlans
#etc/rc.d/init.d/networking
etc/rc.d/init.d/networking/any
etc/rc.d/init.d/networking/blue
@@ -237,7 +236,6 @@ etc/rc.d/rcsysinit.d/S75firstsetup
etc/rc.d/rcsysinit.d/S80localnet
etc/rc.d/rcsysinit.d/S85firewall
etc/rc.d/rcsysinit.d/S90network-trigger
-etc/rc.d/rcsysinit.d/S91network-vlans
etc/rc.d/rcsysinit.d/S92rngd
etc/rc.d/rc3.d/S15fireinfo
#etc/sysconfig
diff --git a/config/rootfiles/common/udev b/config/rootfiles/common/udev
index d01c461..4d51954 100644
--- a/config/rootfiles/common/udev
+++ b/config/rootfiles/common/udev
@@ -29,6 +29,7 @@ lib/udev
#lib/udev/init-net-rules.sh
#lib/udev/mtd_probe
#lib/udev/network-hotplug-rename
+#lib/udev/network-hotplug-vlan
#lib/udev/rule_generator.functions
#lib/udev/rules.d
#lib/udev/rules.d/25-alsa.rules
diff --git a/config/rootfiles/core/94/exclude b/config/rootfiles/core/94/exclude
deleted file mode 100644
index 4c7aa5a..0000000
--- a/config/rootfiles/core/94/exclude
+++ /dev/null
@@ -1,22 +0,0 @@
-boot/config.txt
-etc/alternatives
-etc/collectd.custom
-etc/ipsec.conf
-etc/ipsec.secrets
-etc/ipsec.user.conf
-etc/ipsec.user.secrets
-etc/localtime
-etc/shadow
-etc/ssh/ssh_config
-etc/ssh/sshd_config
-etc/ssl/openssl.cnf
-etc/sudoers
-etc/sysconfig/firewall.local
-etc/sysconfig/rc.local
-etc/udev/rules.d/30-persistent-network.rules
-srv/web/ipfire/html/proxy.pac
-var/ipfire/ovpn
-var/lib/alternatives
-var/log/cache
-var/state/dhcp/dhcpd.leases
-var/updatecache
diff --git a/config/rootfiles/core/94/filelists/Email-Date-Format b/config/rootfiles/core/94/filelists/Email-Date-Format
deleted file mode 120000
index b98751e..0000000
--- a/config/rootfiles/core/94/filelists/Email-Date-Format
+++ /dev/null
@@ -1 +0,0 @@
-../../../common/Email-Date-Format
\ No newline at end of file
diff --git a/config/rootfiles/core/94/filelists/MIME-Lite b/config/rootfiles/core/94/filelists/MIME-Lite
deleted file mode 120000
index c388805..0000000
--- a/config/rootfiles/core/94/filelists/MIME-Lite
+++ /dev/null
@@ -1 +0,0 @@
-../../../common/MIME-Lite
\ No newline at end of file
diff --git a/config/rootfiles/core/94/filelists/armv5tel/glibc b/config/rootfiles/core/94/filelists/armv5tel/glibc
deleted file mode 120000
index 4c70d72..0000000
--- a/config/rootfiles/core/94/filelists/armv5tel/glibc
+++ /dev/null
@@ -1 +0,0 @@
-../../../../common/armv5tel/glibc
\ No newline at end of file
diff --git a/config/rootfiles/core/94/filelists/bind b/config/rootfiles/core/94/filelists/bind
deleted file mode 120000
index 48a0eba..0000000
--- a/config/rootfiles/core/94/filelists/bind
+++ /dev/null
@@ -1 +0,0 @@
-../../../common/bind
\ No newline at end of file
diff --git a/config/rootfiles/core/94/filelists/chkconfig b/config/rootfiles/core/94/filelists/chkconfig
deleted file mode 120000
index 00ef4cf..0000000
--- a/config/rootfiles/core/94/filelists/chkconfig
+++ /dev/null
@@ -1 +0,0 @@
-../../../common/chkconfig
\ No newline at end of file
diff --git a/config/rootfiles/core/94/filelists/coreutils b/config/rootfiles/core/94/filelists/coreutils
deleted file mode 120000
index 7351ed2..0000000
--- a/config/rootfiles/core/94/filelists/coreutils
+++ /dev/null
@@ -1 +0,0 @@
-../../../common/coreutils
\ No newline at end of file
diff --git a/config/rootfiles/core/94/filelists/dma b/config/rootfiles/core/94/filelists/dma
deleted file mode 120000
index 60f4682..0000000
--- a/config/rootfiles/core/94/filelists/dma
+++ /dev/null
@@ -1 +0,0 @@
-../../../common/dma
\ No newline at end of file
diff --git a/config/rootfiles/core/94/filelists/dnsmasq b/config/rootfiles/core/94/filelists/dnsmasq
deleted file mode 120000
index d469c74..0000000
--- a/config/rootfiles/core/94/filelists/dnsmasq
+++ /dev/null
@@ -1 +0,0 @@
-../../../common/dnsmasq
\ No newline at end of file
diff --git a/config/rootfiles/core/94/filelists/file b/config/rootfiles/core/94/filelists/file
deleted file mode 120000
index 0c60e43..0000000
--- a/config/rootfiles/core/94/filelists/file
+++ /dev/null
@@ -1 +0,0 @@
-../../../common/file
\ No newline at end of file
diff --git a/config/rootfiles/core/94/filelists/files b/config/rootfiles/core/94/filelists/files
deleted file mode 100644
index e63a611..0000000
--- a/config/rootfiles/core/94/filelists/files
+++ /dev/null
@@ -1,26 +0,0 @@
-etc/system-release
-etc/issue
-etc/rc.d/init.d/networking/red
-etc/rc.d/init.d/snort
-etc/rc.d/init.d/sshd
-srv/web/ipfire/cgi-bin/connscheduler.cgi
-srv/web/ipfire/cgi-bin/dhcp.cgi
-srv/web/ipfire/cgi-bin/dnsforward.cgi
-srv/web/ipfire/cgi-bin/hosts.cgi
-srv/web/ipfire/cgi-bin/logs.cgi/log.dat
-srv/web/ipfire/cgi-bin/mac.cgi
-srv/web/ipfire/cgi-bin/mail.cgi
-srv/web/ipfire/cgi-bin/modem.cgi
-srv/web/ipfire/cgi-bin/ovpnmain.cgi
-srv/web/ipfire/cgi-bin/pppsetup.cgi
-srv/web/ipfire/cgi-bin/proxy.cgi
-srv/web/ipfire/cgi-bin/qos.cgi
-srv/web/ipfire/cgi-bin/time.cgi
-srv/web/ipfire/cgi-bin/updatexlrator.cgi
-srv/web/ipfire/cgi-bin/urlfilter.cgi
-srv/web/ipfire/cgi-bin/vpnmain.cgi
-srv/web/ipfire/cgi-bin/wakeonlan.cgi
-srv/web/ipfire/cgi-bin/wireless.cgi
-var/ipfire/langs
-var/ipfire/menu.d/40-services.menu
-var/ipfire/network-functions.pl
diff --git a/config/rootfiles/core/94/filelists/fireinfo b/config/rootfiles/core/94/filelists/fireinfo
deleted file mode 120000
index c461155..0000000
--- a/config/rootfiles/core/94/filelists/fireinfo
+++ /dev/null
@@ -1 +0,0 @@
-../../../common/fireinfo
\ No newline at end of file
diff --git a/config/rootfiles/core/94/filelists/hdparm b/config/rootfiles/core/94/filelists/hdparm
deleted file mode 120000
index b644751..0000000
--- a/config/rootfiles/core/94/filelists/hdparm
+++ /dev/null
@@ -1 +0,0 @@
-../../../common/hdparm
\ No newline at end of file
diff --git a/config/rootfiles/core/94/filelists/i586/glibc b/config/rootfiles/core/94/filelists/i586/glibc
deleted file mode 120000
index 943021f..0000000
--- a/config/rootfiles/core/94/filelists/i586/glibc
+++ /dev/null
@@ -1 +0,0 @@
-../../../../common/i586/glibc
\ No newline at end of file
diff --git a/config/rootfiles/core/94/filelists/iproute2 b/config/rootfiles/core/94/filelists/iproute2
deleted file mode 120000
index 05f0f71..0000000
--- a/config/rootfiles/core/94/filelists/iproute2
+++ /dev/null
@@ -1 +0,0 @@
-../../../common/iproute2
\ No newline at end of file
diff --git a/config/rootfiles/core/94/filelists/libgcrypt b/config/rootfiles/core/94/filelists/libgcrypt
deleted file mode 120000
index 2df12a2..0000000
--- a/config/rootfiles/core/94/filelists/libgcrypt
+++ /dev/null
@@ -1 +0,0 @@
-../../../common/libgcrypt
\ No newline at end of file
diff --git a/config/rootfiles/core/94/filelists/libgpg-error b/config/rootfiles/core/94/filelists/libgpg-error
deleted file mode 120000
index cad4313..0000000
--- a/config/rootfiles/core/94/filelists/libgpg-error
+++ /dev/null
@@ -1 +0,0 @@
-../../../common/libgpg-error
\ No newline at end of file
diff --git a/config/rootfiles/core/94/filelists/openssh b/config/rootfiles/core/94/filelists/openssh
deleted file mode 120000
index d8c77fd..0000000
--- a/config/rootfiles/core/94/filelists/openssh
+++ /dev/null
@@ -1 +0,0 @@
-../../../common/openssh
\ No newline at end of file
diff --git a/config/rootfiles/core/94/filelists/pcre b/config/rootfiles/core/94/filelists/pcre
deleted file mode 120000
index b390d9a..0000000
--- a/config/rootfiles/core/94/filelists/pcre
+++ /dev/null
@@ -1 +0,0 @@
-../../../common/pcre
\ No newline at end of file
diff --git a/config/rootfiles/core/94/filelists/rrdtool b/config/rootfiles/core/94/filelists/rrdtool
deleted file mode 120000
index 7a82e41..0000000
--- a/config/rootfiles/core/94/filelists/rrdtool
+++ /dev/null
@@ -1 +0,0 @@
-../../../common/rrdtool
\ No newline at end of file
diff --git a/config/rootfiles/core/94/filelists/setup b/config/rootfiles/core/94/filelists/setup
deleted file mode 120000
index 209374b..0000000
--- a/config/rootfiles/core/94/filelists/setup
+++ /dev/null
@@ -1 +0,0 @@
-../../../common/setup
\ No newline at end of file
diff --git a/config/rootfiles/core/94/filelists/squid b/config/rootfiles/core/94/filelists/squid
deleted file mode 120000
index 2dc8372..0000000
--- a/config/rootfiles/core/94/filelists/squid
+++ /dev/null
@@ -1 +0,0 @@
-../../../common/squid
\ No newline at end of file
diff --git a/config/rootfiles/core/94/meta b/config/rootfiles/core/94/meta
deleted file mode 100644
index d547fa8..0000000
--- a/config/rootfiles/core/94/meta
+++ /dev/null
@@ -1 +0,0 @@
-DEPS=""
diff --git a/config/rootfiles/core/94/update.sh b/config/rootfiles/core/94/update.sh
deleted file mode 100644
index ff9797c..0000000
--- a/config/rootfiles/core/94/update.sh
+++ /dev/null
@@ -1,88 +0,0 @@
-#!/bin/bash
-############################################################################
-# #
-# This file is part of the IPFire Firewall. #
-# #
-# IPFire is free software; you can redistribute it and/or modify #
-# it under the terms of the GNU General Public License as published by #
-# the Free Software Foundation; either version 3 of the License, or #
-# (at your option) any later version. #
-# #
-# IPFire is distributed in the hope that it will be useful, #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
-# GNU General Public License for more details. #
-# #
-# You should have received a copy of the GNU General Public License #
-# along with IPFire; if not, write to the Free Software #
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
-# #
-# Copyright (C) 2015 IPFire-Team <info(a)ipfire.org>. #
-# #
-############################################################################
-#
-. /opt/pakfire/lib/functions.sh
-/usr/local/bin/backupctrl exclude >/dev/null 2>&1
-
-# Remove old core updates from pakfire cache to save space...
-core=94
-for (( i=1; i<=$core; i++ ))
-do
- rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
-done
-
-# Stop services
-/etc/init.d/squid stop
-/etc/init.d/sshd stop
-/etc/init.d/dnsmasq stop
-
-# Extract files
-extract_files
-
-# Update Language cache
-/usr/local/bin/update-lang-cache
-
-# Update SSH configuration
-sed -i /etc/ssh/sshd_config \
- -e 's/^#PermitRootLogin yes$/PermitRootLogin yes/'
-
-# Move away old and unsupported keys
-mv -f /etc/ssh/ssh_host_dsa_key{,.old}
-# Regenerating weak RSA keys
-mv -f /etc/ssh/ssh_host_key{,.old}
-mv -f /etc/ssh/ssh_host_rsa_key{,.old}
-
-# Update crontab
-sed -i /var/spool/cron/root.orig -e "/Force an update once a month/d"
-sed -i /var/spool/cron/root.orig -e "/ddns update-all --force/d"
-
-grep -q "dma -q" /var/spool/cron/root.orig || cat <<EOF >> /var/spool/cron/root.orig
-
-# Retry sending spooled mails regularly
-%hourly * /usr/sbin/dma -q
-
-# Cleanup the mail spool directory
-%weekly * * /usr/sbin/dma-cleanup-spool
-EOF
-
-fcrontab -z &>/dev/null
-
-# Start services
-/etc/init.d/dnsmasq start
-/etc/init.d/sshd start
-/etc/init.d/squid start
-
-# This update need a reboot...
-#touch /var/run/need_reboot
-
-# Finish
-/etc/init.d/fireinfo start
-sendprofile
-# Update grub config to display new core version
-if [ -e /boot/grub/grub.cfg ]; then
- grub-mkconfig -o /boot/grub/grub.cfg
-fi
-sync
-
-# Don't report the exitcode last command
-exit 0
diff --git a/config/rootfiles/core/95/exclude b/config/rootfiles/core/95/exclude
new file mode 100644
index 0000000..4c7aa5a
--- /dev/null
+++ b/config/rootfiles/core/95/exclude
@@ -0,0 +1,22 @@
+boot/config.txt
+etc/alternatives
+etc/collectd.custom
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+etc/localtime
+etc/shadow
+etc/ssh/ssh_config
+etc/ssh/sshd_config
+etc/ssl/openssl.cnf
+etc/sudoers
+etc/sysconfig/firewall.local
+etc/sysconfig/rc.local
+etc/udev/rules.d/30-persistent-network.rules
+srv/web/ipfire/html/proxy.pac
+var/ipfire/ovpn
+var/lib/alternatives
+var/log/cache
+var/state/dhcp/dhcpd.leases
+var/updatecache
diff --git a/config/rootfiles/core/95/filelists/files b/config/rootfiles/core/95/filelists/files
new file mode 100644
index 0000000..949c88b
--- /dev/null
+++ b/config/rootfiles/core/95/filelists/files
@@ -0,0 +1,8 @@
+etc/system-release
+etc/issue
+lib/udev/network-hotplug-vlan
+lib/udev/rules.d/60-net.rules
+srv/web/ipfire/cgi-bin/connections.cgi
+srv/web/ipfire/cgi-bin/vpnmain.cgi
+usr/lib/firewall/firewall-lib.pl
+var/ipfire/langs
diff --git a/config/rootfiles/core/95/meta b/config/rootfiles/core/95/meta
new file mode 100644
index 0000000..d547fa8
--- /dev/null
+++ b/config/rootfiles/core/95/meta
@@ -0,0 +1 @@
+DEPS=""
diff --git a/config/rootfiles/core/95/update.sh b/config/rootfiles/core/95/update.sh
new file mode 100644
index 0000000..388e18d
--- /dev/null
+++ b/config/rootfiles/core/95/update.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2015 IPFire-Team <info(a)ipfire.org>. #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+# Remove old core updates from pakfire cache to save space...
+core=95
+for (( i=1; i<=$core; i++ ))
+do
+ rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+# Remove files
+rm -f /etc/rc.d/init.d/network-vlans
+rm -f /etc/rc.d/rcsysinit.d/S91network-vlans
+
+# Stop services
+
+# Extract files
+extract_files
+
+# Update Language cache
+/usr/local/bin/update-lang-cache
+
+# Start services
+
+# This update need a reboot...
+#touch /var/run/need_reboot
+
+# Finish
+/etc/init.d/fireinfo start
+sendprofile
+# Update grub config to display new core version
+if [ -e /boot/grub/grub.cfg ]; then
+ grub-mkconfig -o /boot/grub/grub.cfg
+fi
+sync
+
+# Don't report the exitcode last command
+exit 0
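Review bot: the `# Stop services` and `# Start services` sections in this script are left as empty placeholders; either drop them or stop and restart the services whose files the update replaces. The update ships a new `usr/lib/firewall/firewall-lib.pl` (the multiple-subnets-per-IPsec-tunnel change) but never reloads the firewall after `extract_files`, so the currently loaded rules stay as generated by the old code until something else triggers a reload; adding `/etc/init.d/firewall reload` after `extract_files` would apply the new address handling immediately. Also, `#touch /var/run/need_reboot` stays commented out even though this script removes `/etc/rc.d/init.d/network-vlans` and its `S91network-vlans` link: VLAN interfaces created by the old initscript survive only until the next reboot, after which creation depends on the new udev hotplug path, so the release notes should say whether a reboot is expected.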
diff --git a/config/rootfiles/oldcore/94/exclude b/config/rootfiles/oldcore/94/exclude
new file mode 100644
index 0000000..4c7aa5a
--- /dev/null
+++ b/config/rootfiles/oldcore/94/exclude
@@ -0,0 +1,22 @@
+boot/config.txt
+etc/alternatives
+etc/collectd.custom
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+etc/localtime
+etc/shadow
+etc/ssh/ssh_config
+etc/ssh/sshd_config
+etc/ssl/openssl.cnf
+etc/sudoers
+etc/sysconfig/firewall.local
+etc/sysconfig/rc.local
+etc/udev/rules.d/30-persistent-network.rules
+srv/web/ipfire/html/proxy.pac
+var/ipfire/ovpn
+var/lib/alternatives
+var/log/cache
+var/state/dhcp/dhcpd.leases
+var/updatecache
diff --git a/config/rootfiles/oldcore/94/filelists/armv5tel/glibc b/config/rootfiles/oldcore/94/filelists/armv5tel/glibc
new file mode 120000
index 0000000..4c70d72
--- /dev/null
+++ b/config/rootfiles/oldcore/94/filelists/armv5tel/glibc
@@ -0,0 +1 @@
+../../../../common/armv5tel/glibc
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/94/filelists/bind b/config/rootfiles/oldcore/94/filelists/bind
new file mode 120000
index 0000000..48a0eba
--- /dev/null
+++ b/config/rootfiles/oldcore/94/filelists/bind
@@ -0,0 +1 @@
+../../../common/bind
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/94/filelists/chkconfig b/config/rootfiles/oldcore/94/filelists/chkconfig
new file mode 120000
index 0000000..00ef4cf
--- /dev/null
+++ b/config/rootfiles/oldcore/94/filelists/chkconfig
@@ -0,0 +1 @@
+../../../common/chkconfig
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/94/filelists/coreutils b/config/rootfiles/oldcore/94/filelists/coreutils
new file mode 120000
index 0000000..7351ed2
--- /dev/null
+++ b/config/rootfiles/oldcore/94/filelists/coreutils
@@ -0,0 +1 @@
+../../../common/coreutils
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/94/filelists/dma b/config/rootfiles/oldcore/94/filelists/dma
new file mode 120000
index 0000000..60f4682
--- /dev/null
+++ b/config/rootfiles/oldcore/94/filelists/dma
@@ -0,0 +1 @@
+../../../common/dma
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/94/filelists/dnsmasq b/config/rootfiles/oldcore/94/filelists/dnsmasq
new file mode 120000
index 0000000..d469c74
--- /dev/null
+++ b/config/rootfiles/oldcore/94/filelists/dnsmasq
@@ -0,0 +1 @@
+../../../common/dnsmasq
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/94/filelists/file b/config/rootfiles/oldcore/94/filelists/file
new file mode 120000
index 0000000..0c60e43
--- /dev/null
+++ b/config/rootfiles/oldcore/94/filelists/file
@@ -0,0 +1 @@
+../../../common/file
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/94/filelists/files b/config/rootfiles/oldcore/94/filelists/files
new file mode 100644
index 0000000..e63a611
--- /dev/null
+++ b/config/rootfiles/oldcore/94/filelists/files
@@ -0,0 +1,26 @@
+etc/system-release
+etc/issue
+etc/rc.d/init.d/networking/red
+etc/rc.d/init.d/snort
+etc/rc.d/init.d/sshd
+srv/web/ipfire/cgi-bin/connscheduler.cgi
+srv/web/ipfire/cgi-bin/dhcp.cgi
+srv/web/ipfire/cgi-bin/dnsforward.cgi
+srv/web/ipfire/cgi-bin/hosts.cgi
+srv/web/ipfire/cgi-bin/logs.cgi/log.dat
+srv/web/ipfire/cgi-bin/mac.cgi
+srv/web/ipfire/cgi-bin/mail.cgi
+srv/web/ipfire/cgi-bin/modem.cgi
+srv/web/ipfire/cgi-bin/ovpnmain.cgi
+srv/web/ipfire/cgi-bin/pppsetup.cgi
+srv/web/ipfire/cgi-bin/proxy.cgi
+srv/web/ipfire/cgi-bin/qos.cgi
+srv/web/ipfire/cgi-bin/time.cgi
+srv/web/ipfire/cgi-bin/updatexlrator.cgi
+srv/web/ipfire/cgi-bin/urlfilter.cgi
+srv/web/ipfire/cgi-bin/vpnmain.cgi
+srv/web/ipfire/cgi-bin/wakeonlan.cgi
+srv/web/ipfire/cgi-bin/wireless.cgi
+var/ipfire/langs
+var/ipfire/menu.d/40-services.menu
+var/ipfire/network-functions.pl
diff --git a/config/rootfiles/oldcore/94/filelists/fireinfo b/config/rootfiles/oldcore/94/filelists/fireinfo
new file mode 120000
index 0000000..c461155
--- /dev/null
+++ b/config/rootfiles/oldcore/94/filelists/fireinfo
@@ -0,0 +1 @@
+../../../common/fireinfo
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/94/filelists/hdparm b/config/rootfiles/oldcore/94/filelists/hdparm
new file mode 120000
index 0000000..b644751
--- /dev/null
+++ b/config/rootfiles/oldcore/94/filelists/hdparm
@@ -0,0 +1 @@
+../../../common/hdparm
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/94/filelists/i586/glibc b/config/rootfiles/oldcore/94/filelists/i586/glibc
new file mode 120000
index 0000000..943021f
--- /dev/null
+++ b/config/rootfiles/oldcore/94/filelists/i586/glibc
@@ -0,0 +1 @@
+../../../../common/i586/glibc
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/94/filelists/iproute2 b/config/rootfiles/oldcore/94/filelists/iproute2
new file mode 120000
index 0000000..05f0f71
--- /dev/null
+++ b/config/rootfiles/oldcore/94/filelists/iproute2
@@ -0,0 +1 @@
+../../../common/iproute2
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/94/filelists/libgcrypt b/config/rootfiles/oldcore/94/filelists/libgcrypt
new file mode 120000
index 0000000..2df12a2
--- /dev/null
+++ b/config/rootfiles/oldcore/94/filelists/libgcrypt
@@ -0,0 +1 @@
+../../../common/libgcrypt
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/94/filelists/libgpg-error b/config/rootfiles/oldcore/94/filelists/libgpg-error
new file mode 120000
index 0000000..cad4313
--- /dev/null
+++ b/config/rootfiles/oldcore/94/filelists/libgpg-error
@@ -0,0 +1 @@
+../../../common/libgpg-error
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/94/filelists/openssh b/config/rootfiles/oldcore/94/filelists/openssh
new file mode 120000
index 0000000..d8c77fd
--- /dev/null
+++ b/config/rootfiles/oldcore/94/filelists/openssh
@@ -0,0 +1 @@
+../../../common/openssh
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/94/filelists/pcre b/config/rootfiles/oldcore/94/filelists/pcre
new file mode 120000
index 0000000..b390d9a
--- /dev/null
+++ b/config/rootfiles/oldcore/94/filelists/pcre
@@ -0,0 +1 @@
+../../../common/pcre
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/94/filelists/perl-Email-Date-Format b/config/rootfiles/oldcore/94/filelists/perl-Email-Date-Format
new file mode 120000
index 0000000..9980811
--- /dev/null
+++ b/config/rootfiles/oldcore/94/filelists/perl-Email-Date-Format
@@ -0,0 +1 @@
+../../../common/perl-Email-Date-Format
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/94/filelists/perl-MIME-Lite b/config/rootfiles/oldcore/94/filelists/perl-MIME-Lite
new file mode 120000
index 0000000..aa0aa6b
--- /dev/null
+++ b/config/rootfiles/oldcore/94/filelists/perl-MIME-Lite
@@ -0,0 +1 @@
+../../../common/perl-MIME-Lite
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/94/filelists/rrdtool b/config/rootfiles/oldcore/94/filelists/rrdtool
new file mode 120000
index 0000000..7a82e41
--- /dev/null
+++ b/config/rootfiles/oldcore/94/filelists/rrdtool
@@ -0,0 +1 @@
+../../../common/rrdtool
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/94/filelists/setup b/config/rootfiles/oldcore/94/filelists/setup
new file mode 120000
index 0000000..209374b
--- /dev/null
+++ b/config/rootfiles/oldcore/94/filelists/setup
@@ -0,0 +1 @@
+../../../common/setup
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/94/filelists/squid b/config/rootfiles/oldcore/94/filelists/squid
new file mode 120000
index 0000000..2dc8372
--- /dev/null
+++ b/config/rootfiles/oldcore/94/filelists/squid
@@ -0,0 +1 @@
+../../../common/squid
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/94/meta b/config/rootfiles/oldcore/94/meta
new file mode 100644
index 0000000..d547fa8
--- /dev/null
+++ b/config/rootfiles/oldcore/94/meta
@@ -0,0 +1 @@
+DEPS=""
diff --git a/config/rootfiles/oldcore/94/update.sh b/config/rootfiles/oldcore/94/update.sh
new file mode 100644
index 0000000..ff9797c
--- /dev/null
+++ b/config/rootfiles/oldcore/94/update.sh
@@ -0,0 +1,88 @@
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2015 IPFire-Team <info(a)ipfire.org>. #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+# Remove old core updates from pakfire cache to save space...
+core=94
+for (( i=1; i<=$core; i++ ))
+do
+ rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+# Stop services
+/etc/init.d/squid stop
+/etc/init.d/sshd stop
+/etc/init.d/dnsmasq stop
+
+# Extract files
+extract_files
+
+# Update Language cache
+/usr/local/bin/update-lang-cache
+
+# Update SSH configuration
+sed -i /etc/ssh/sshd_config \
+ -e 's/^#PermitRootLogin yes$/PermitRootLogin yes/'
+
+# Move away old and unsupported keys
+mv -f /etc/ssh/ssh_host_dsa_key{,.old}
+# Regenerating weak RSA keys
+mv -f /etc/ssh/ssh_host_key{,.old}
+mv -f /etc/ssh/ssh_host_rsa_key{,.old}
+
+# Update crontab
+sed -i /var/spool/cron/root.orig -e "/Force an update once a month/d"
+sed -i /var/spool/cron/root.orig -e "/ddns update-all --force/d"
+
+grep -q "dma -q" /var/spool/cron/root.orig || cat <<EOF >> /var/spool/cron/root.orig
+
+# Retry sending spooled mails regularly
+%hourly * /usr/sbin/dma -q
+
+# Cleanup the mail spool directory
+%weekly * * /usr/sbin/dma-cleanup-spool
+EOF
+
+fcrontab -z &>/dev/null
+
+# Start services
+/etc/init.d/dnsmasq start
+/etc/init.d/sshd start
+/etc/init.d/squid start
+
+# This update need a reboot...
+#touch /var/run/need_reboot
+
+# Finish
+/etc/init.d/fireinfo start
+sendprofile
+# Update grub config to display new core version
+if [ -e /boot/grub/grub.cfg ]; then
+ grub-mkconfig -o /boot/grub/grub.cfg
+fi
+sync
+
+# Don't report the exitcode last command
+exit 0
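Review bot: the block under `# Regenerating weak RSA keys` only moves `/etc/ssh/ssh_host_key` and `/etc/ssh/ssh_host_rsa_key` aside and contains no `ssh-keygen` call, so the replacement host keys have to be produced by something outside this hunk (the sshd init script, presumably) before the `/etc/init.d/sshd start` further down, otherwise sshd comes back without an RSA host key; please confirm that path, and remove the `.old` copies once the new keys exist rather than leaving superseded private keys on disk. Two smaller points: the `sed` that turns `#PermitRootLogin yes` into `PermitRootLogin yes` is what keeps SSH root access working on upgraded systems, and a one-line comment saying so would spare the next reader from wondering why a core update enables root login; and the comment `# This update need a reboot...` sits above a commented-out `#touch /var/run/need_reboot`, which contradicts itself while `glibc` is among the filelists shipped by this update, so either restore the `touch` or drop the comment.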
diff --git a/config/udev/60-net.rules b/config/udev/60-net.rules
index 4f22a1e..dc39ff0 100644
--- a/config/udev/60-net.rules
+++ b/config/udev/60-net.rules
@@ -1,3 +1,7 @@
# Call a script that checks for the right name of the new device.
# If it matches the configuration it will be renamed accordingly.
ACTION=="add", SUBSYSTEM=="net", PROGRAM="/lib/udev/network-hotplug-rename", RESULT=="?*", NAME="$result"
+
+# Call a script that will create all virtual devices for a parent device
+# that has just come up.
+ACTION=="add", SUBSYSTEM=="net", PROGRAM="/lib/udev/network-hotplug-vlan"
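Review bot: the new rule invokes `/lib/udev/network-hotplug-vlan` through `PROGRAM=` purely for its side effects, with no `RESULT==` or `NAME=` consuming its output. `PROGRAM` is the match key for programs whose stdout the rule inspects and it runs synchronously while the rules for the event are still being evaluated, whereas a script that creates devices belongs in `RUN+=`, which runs after all rules for the event have been applied. This matters here because the preceding rule assigns `NAME="$result"`, and the rename only takes effect once rule processing is finished, so please confirm that `${INTERFACE}` as seen by the VLAN script is the renamed name the config refers to and not the kernel name. Note also that every VLAN device the script creates triggers its own `add` event on `SUBSYSTEM=="net"` and re-enters this rule; the script's `PARENT_DEV` check stops that from looping, but it is worth a comment.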
diff --git a/config/udev/network-hotplug-vlan b/config/udev/network-hotplug-vlan
new file mode 100644
index 0000000..f7b6a9d
--- /dev/null
+++ b/config/udev/network-hotplug-vlan
@@ -0,0 +1,87 @@
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 2 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2015 IPFire Team <info(a)ipfire.org> #
+# #
+############################################################################
+
+[ -n "${INTERFACE}" ] || exit 2
+
+CONFIG_FILE="/var/ipfire/ethernet/vlans"
+
+# Skip immediately if no configuration file has been found.
+[ -e "${CONFIG_FILE}" ] || exit 0
+
+eval $(/usr/local/bin/readhash ${CONFIG_FILE})
+
+for interface in green0 red0 blue0 orange0; do
+ case "${interface}" in
+ green*)
+ PARENT_DEV=${GREEN_PARENT_DEV}
+ VLAN_ID=${GREEN_VLAN_ID}
+ MAC_ADDRESS=${GREEN_MAC_ADDRESS}
+ ;;
+ red*)
+ PARENT_DEV=${RED_PARENT_DEV}
+ VLAN_ID=${RED_VLAN_ID}
+ MAC_ADDRESS=${RED_MAC_ADDRESS}
+ ;;
+ blue*)
+ PARENT_DEV=${BLUE_PARENT_DEV}
+ VLAN_ID=${BLUE_VLAN_ID}
+ MAC_ADDRESS=${BLUE_MAC_ADDRESS}
+ ;;
+ orange*)
+ PARENT_DEV=${ORANGE_PARENT_DEV}
+ VLAN_ID=${ORANGE_VLAN_ID}
+ MAC_ADDRESS=${ORANGE_MAC_ADDRESS}
+ ;;
+ esac
+
+ # If the parent device does not match the interface that
+ # has just come up, we will go on for the next one.
+ [ "${PARENT_DEV}" = "${INTERFACE}" ] || continue
+
+ # Check if the interface does already exists.
+ # If so, we skip creating it.
+ if [ -d "/sys/class/net/${interface}" ]; then
+ echo "Interface ${interface} already exists." >&2
+ continue
+ fi
+
+ if [ -z "${VLAN_ID}" ]; then
+ echo "${interface}: You did not set the VLAN ID." >&2
+ continue
+ fi
+
+ # Build command line.
+ command="ip link add link ${PARENT_DEV} name ${interface}"
+ if [ -n "${MAC_ADDRESS}" ]; then
+ command="${command} address ${MAC_ADDRESS}"
+ fi
+ command="${command} type vlan id ${VLAN_ID}"
+
+ echo "Creating VLAN interface ${interface}..."
+ ${command}
+
+ # Bring up the parent device.
+ ip link set ${PARENT_DEV} up
+done
+
+exit 0
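Review bot: the script is committed with mode `100644`, yet udev has to execute it (the new rule in `config/udev/60-net.rules` points at `/lib/udev/network-hotplug-vlan`), so either commit it as `100755` or make sure the install step sets the execute bit, otherwise the rule fails silently. Inside the loop, `${command}` is expanded unquoted and its exit status is never checked, so a failing `ip link add` (bad `VLAN_ID`, `MAC_ADDRESS` already in use, parent missing) still reports `Creating VLAN interface ...` and proceeds to `ip link set ${PARENT_DEV} up`; running the command directly and testing it, e.g. `ip link add link "${PARENT_DEV}" name "${interface}" ${MAC_ADDRESS:+address ${MAC_ADDRESS}} type vlan id "${VLAN_ID}" || { echo "Could not create ${interface}" >&2; continue; }`, gives a clear failure and drops the string-building. Since the values come straight from `eval $(/usr/local/bin/readhash ${CONFIG_FILE})` and the only guard is `-z "${VLAN_ID}"`, a check that `VLAN_ID` is an integer in 1..4094 and that `MAC_ADDRESS`, if set, looks like a MAC would turn a malformed config line into a readable message instead of an `ip` usage error.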
diff --git a/html/cgi-bin/connections.cgi b/html/cgi-bin/connections.cgi
index 4eb9cd7..85a9cd7 100644
--- a/html/cgi-bin/connections.cgi
+++ b/html/cgi-bin/connections.cgi
@@ -261,15 +261,19 @@ close(IPSEC);
foreach my $line (@ipsec) {
my @vpn = split(',', $line);
- my ($network, $mask) = split("/", $vpn[12]);
- if (!&General::validip($mask)) {
- $mask = ipv4_cidr2msk($mask);
- }
+ my @subnets = split('|', $vpn[12]);
+ for my $subnet (@subnets) {
+ my ($network, $mask) = split("/", $subnet);
+
+ if (!&General::validip($mask)) {
+ $mask = ipv4_cidr2msk($mask);
+ }
- push(@network, $network);
- push(@masklen, $mask);
- push(@colour, ${Header::colourvpn});
+ push(@network, $network);
+ push(@masklen, $mask);
+ push(@colour, ${Header::colourvpn});
+ }
}
if (-e "${General::swroot}/ovpn/n2nconf") {
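Review bot: `split('|', $vpn[12])` on the first added line does not split on the pipe character. Perl compiles a string first argument to `split` as a regular expression, and the pattern `|` is an empty alternation that matches the empty string at every position, so the call returns every single character of `$vpn[12]` as a separate element, and the `split("/", $subnet)` that follows then yields meaningless network/mask pairs. Escape it as `split(/\|/, $vpn[12])`, matching the `split('\|', ...)` idiom the algorithm lists in `vpnmain.cgi` use in this same push. The `&General::validip($mask)` test and the `ipv4_cidr2msk` fallback inside the loop are the existing logic moved unchanged and look correct.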
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 65fc80f..b697b0a 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -40,8 +40,7 @@ undef (@dummy);
###
### Initialize variables
###
-my $sleepDelay = 4; # after a call to ipsecctrl S or R, wait this delay (seconds) before reading status
- # (let the ipsec do its job)
+my $sleepDelay = 4; # after a call to ipsecctrl S or R, wait this delay (seconds) before reading status (let the ipsec do its job)
my %netsettings=();
our %cgiparams=();
our %vpnsettings=();
@@ -132,306 +131,300 @@ sub valid_dns_host {
### Just return true is one interface is vpn enabled
###
sub vpnenabled {
- return ($vpnsettings{'ENABLED'} eq 'on');
+ return ($vpnsettings{'ENABLED'} eq 'on');
}
###
-### old version: maintain serial number to one, without explication.
-### this : let the counter go, so that each cert is numbered.
+### old version: maintain serial number to one, without explication.
+### this: let the counter go, so that each cert is numbered.
###
-sub cleanssldatabase
-{
- if (open(FILE, ">${General::swroot}/certs/serial")) {
- print FILE "01";
- close FILE;
- }
- if (open(FILE, ">${General::swroot}/certs/index.txt")) {
- print FILE "";
- close FILE;
- }
- unlink ("${General::swroot}/certs/index.txt.old");
- unlink ("${General::swroot}/certs/serial.old");
- unlink ("${General::swroot}/certs/01.pem");
+sub cleanssldatabase {
+ if (open(FILE, ">${General::swroot}/certs/serial")) {
+ print FILE "01";
+ close FILE;
+ }
+ if (open(FILE, ">${General::swroot}/certs/index.txt")) {
+ print FILE "";
+ close FILE;
+ }
+ unlink ("${General::swroot}/certs/index.txt.old");
+ unlink ("${General::swroot}/certs/serial.old");
+ unlink ("${General::swroot}/certs/01.pem");
}
-sub newcleanssldatabase
-{
- if (! -s "${General::swroot}/certs/serial" ) {
- open(FILE, ">${General::swroot}/certs/serial");
- print FILE "01";
- close FILE;
- }
- if (! -s ">${General::swroot}/certs/index.txt") {
- system ("touch ${General::swroot}/certs/index.txt");
- }
- unlink ("${General::swroot}/certs/index.txt.old");
- unlink ("${General::swroot}/certs/serial.old");
-# unlink ("${General::swroot}/certs/01.pem"); numbering evolves. Wrong place to delete
+sub newcleanssldatabase {
+ if (! -s "${General::swroot}/certs/serial" ) {
+ open(FILE, ">${General::swroot}/certs/serial");
+ print FILE "01";
+ close FILE;
+ }
+ if (! -s ">${General::swroot}/certs/index.txt") {
+ system ("touch ${General::swroot}/certs/index.txt");
+ }
+ unlink ("${General::swroot}/certs/index.txt.old");
+ unlink ("${General::swroot}/certs/serial.old");
+# unlink ("${General::swroot}/certs/01.pem"); numbering evolves. Wrong place to delete
}
###
### Call openssl and return errormessage if any
###
sub callssl ($) {
- my $opt = shift;
- my $retssl = `/usr/bin/openssl $opt 2>&1`; #redirect stderr
- my $ret = '';
- foreach my $line (split (/\n/, $retssl)) {
- &General::log("ipsec", "$line") if (0); # 1 for verbose logging
- $ret .= '<br>'.$line if ( $line =~ /error|unknown/ );
- }
- if ($ret) {
- $ret= &Header::cleanhtml($ret);
- }
- return $ret ? "$Lang::tr{'openssl produced an error'}: $ret" : '' ;
+ my $opt = shift;
+ my $retssl = `/usr/bin/openssl $opt 2>&1`; #redirect stderr
+ my $ret = '';
+ foreach my $line (split (/\n/, $retssl)) {
+ &General::log("ipsec", "$line") if (0); # 1 for verbose logging
+ $ret .= '<br>'.$line if ( $line =~ /error|unknown/ );
+ }
+ if ($ret) {
+ $ret= &Header::cleanhtml($ret);
+ }
+ return $ret ? "$Lang::tr{'openssl produced an error'}: $ret" : '' ;
}
###
### Obtain a CN from given cert
###
sub getCNfromcert ($) {
- #&General::log("ipsec", "Extracting name from $_[0]...");
- my $temp = `/usr/bin/openssl x509 -text -in $_[0]`;
- $temp =~ /Subject:.*CN=(.*)[\n]/;
- $temp = $1;
- $temp =~ s+/Email+, E+;
- $temp =~ s/ ST=/ S=/;
- $temp =~ s/,//g;
- $temp =~ s/\'//g;
- return $temp;
+ #&General::log("ipsec", "Extracting name from $_[0]...");
+ my $temp = `/usr/bin/openssl x509 -text -in $_[0]`;
+ $temp =~ /Subject:.*CN=(.*)[\n]/;
+ $temp = $1;
+ $temp =~ s+/Email+, E+;
+ $temp =~ s/ ST=/ S=/;
+ $temp =~ s/,//g;
+ $temp =~ s/\'//g;
+ return $temp;
}
###
### Obtain Subject from given cert
###
sub getsubjectfromcert ($) {
- #&General::log("ipsec", "Extracting subject from $_[0]...");
- my $temp = `/usr/bin/openssl x509 -text -in $_[0]`;
- $temp =~ /Subject: (.*)[\n]/;
- $temp = $1;
- $temp =~ s+/Email+, E+;
- $temp =~ s/ ST=/ S=/;
- return $temp;
+ #&General::log("ipsec", "Extracting subject from $_[0]...");
+ my $temp = `/usr/bin/openssl x509 -text -in $_[0]`;
+ $temp =~ /Subject: (.*)[\n]/;
+ $temp = $1;
+ $temp =~ s+/Email+, E+;
+ $temp =~ s/ ST=/ S=/;
+ return $temp;
}
###
-### Combine local subnet and connection name to make a unique name for each connection section
+### Combine local subnet and connection name to make a unique name for each connection section
### (this sub is not used now)
###
sub makeconnname ($) {
- my $conn = shift;
- my $subnet = shift;
-
- $subnet =~ /^(.*?)\/(.*?)$/; # $1=IP $2=mask
- my $ip = unpack('N', &Socket::inet_aton($1));
- if (length ($2) > 2) {
- my $mm = unpack('N', &Socket::inet_aton($2));
- while ( ($mm & 1)==0 ) {
- $ip >>= 1;
- $mm >>= 1;
- };
- } else {
- $ip >>= (32 - $2);
- }
- return sprintf ("%s-%X", $conn, $ip);
+ my $conn = shift;
+ my $subnet = shift;
+
+ $subnet =~ /^(.*?)\/(.*?)$/; # $1=IP $2=mask
+ my $ip = unpack('N', &Socket::inet_aton($1));
+ if (length ($2) > 2) {
+ my $mm = unpack('N', &Socket::inet_aton($2));
+ while ( ($mm & 1)==0 ) {
+ $ip >>= 1;
+ $mm >>= 1;
+ };
+ } else {
+ $ip >>= (32 - $2);
+ }
+ return sprintf ("%s-%X", $conn, $ip);
}
###
### Write a config file.
###
###Type=Host : GUI can choose the interface used (RED,GREEN,BLUE) and
### the side is always defined as 'left'.
-### configihash[14]: 'VHOST' is allowed
###
sub writeipsecfiles {
- my %lconfighash = ();
- my %lvpnsettings = ();
- &General::readhasharray("${General::swroot}/vpn/config", \%lconfighash);
- &General::readhash("${General::swroot}/vpn/settings", \%lvpnsettings);
-
- open(CONF, ">${General::swroot}/vpn/ipsec.conf") or die "Unable to open ${General::swroot}/vpn/ipsec.conf: $!";
- open(SECRETS, ">${General::swroot}/vpn/ipsec.secrets") or die "Unable to open ${General::swroot}/vpn/ipsec.secrets: $!";
- flock CONF, 2;
- flock SECRETS, 2;
- print CONF "version 2\n\n";
- print CONF "conn %default\n";
- print CONF "\tkeyingtries=%forever\n";
- print CONF "\n";
-
- # Add user includes to config file
- if (-e "/etc/ipsec.user.conf") {
- print CONF "include /etc/ipsec.user.conf\n";
- print CONF "\n";
- }
-
- print SECRETS "include /etc/ipsec.user.secrets\n";
-
- if (-f "${General::swroot}/certs/hostkey.pem") {
- print SECRETS ": RSA ${General::swroot}/certs/hostkey.pem\n"
- }
- my $last_secrets = ''; # old the less specifics connections
-
- foreach my $key (keys %lconfighash) {
- next if ($lconfighash{$key}[0] ne 'on');
-
- #remote peer is not set? => use '%any'
- $lconfighash{$key}[10] = '%any' if ($lconfighash{$key}[10] eq '');
-
- my $localside;
- if ($lconfighash{$key}[26] eq 'BLUE') {
- $localside = $netsettings{'BLUE_ADDRESS'};
- } elsif ($lconfighash{$key}[26] eq 'GREEN') {
- $localside = $netsettings{'GREEN_ADDRESS'};
- } elsif ($lconfighash{$key}[26] eq 'ORANGE') {
- $localside = $netsettings{'ORANGE_ADDRESS'};
- } else { # it is RED
- $localside = $lvpnsettings{'VPN_IP'};
- }
-
- print CONF "conn $lconfighash{$key}[1]\n";
- print CONF "\tleft=$localside\n";
- my $cidr_net=&General::ipcidr($lconfighash{$key}[8]);
- print CONF "\tleftsubnet=$cidr_net\n";
- print CONF "\tleftfirewall=yes\n";
- print CONF "\tlefthostaccess=yes\n";
-
- print CONF "\tright=$lconfighash{$key}[10]\n";
- if ($lconfighash{$key}[3] eq 'net') {
- my $cidr_net=&General::ipcidr($lconfighash{$key}[11]);
- print CONF "\trightsubnet=$cidr_net\n";
- } elsif ($lconfighash{$key}[10] eq '%any' && $lconfighash{$key}[14] eq 'on') { #vhost allowed for roadwarriors?
- print CONF "\trightsubnet=vhost:%no,%priv\n";
- }
-
- # Local Cert and Remote Cert (unless auth is DN dn-auth)
- if ($lconfighash{$key}[4] eq 'cert') {
- print CONF "\tleftcert=${General::swroot}/certs/hostcert.pem\n";
- print CONF "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n" if ($lconfighash{$key}[2] ne '%auth-dn');
- }
-
- # Local and Remote IDs
- print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if ($lconfighash{$key}[7]);
- print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if ($lconfighash{$key}[9]);
-
- # Is PFS enabled?
- my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off';
-
- # Algorithms
- if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) {
- my @encs = split('\|', $lconfighash{$key}[18]);
- my @ints = split('\|', $lconfighash{$key}[19]);
- my @groups = split('\|', $lconfighash{$key}[20]);
-
- my @algos = &make_algos("ike", \@encs, \@ints, \@groups, 1);
- print CONF "\tike=" . join(",", @algos);
-
- if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms?
- print CONF "!\n";
- } else {
- print CONF "\n";
- }
+ my %lconfighash = ();
+ my %lvpnsettings = ();
+ &General::readhasharray("${General::swroot}/vpn/config", \%lconfighash);
+ &General::readhash("${General::swroot}/vpn/settings", \%lvpnsettings);
+
+ open(CONF, ">${General::swroot}/vpn/ipsec.conf") or die "Unable to open ${General::swroot}/vpn/ipsec.conf: $!";
+ open(SECRETS, ">${General::swroot}/vpn/ipsec.secrets") or die "Unable to open ${General::swroot}/vpn/ipsec.secrets: $!";
+ flock CONF, 2;
+ flock SECRETS, 2;
+ print CONF "version 2\n\n";
+ print CONF "conn %default\n";
+ print CONF "\tkeyingtries=%forever\n";
+ print CONF "\n";
+
+ # Add user includes to config file
+ if (-e "/etc/ipsec.user.conf") {
+ print CONF "include /etc/ipsec.user.conf\n";
+ print CONF "\n";
}
- if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) {
- my @encs = split('\|', $lconfighash{$key}[21]);
- my @ints = split('\|', $lconfighash{$key}[22]);
- my @groups = split('\|', $lconfighash{$key}[23]);
+ print SECRETS "include /etc/ipsec.user.secrets\n";
+
+ if (-f "${General::swroot}/certs/hostkey.pem") {
+ print SECRETS ": RSA ${General::swroot}/certs/hostkey.pem\n"
+ }
+ my $last_secrets = ''; # old the less specifics connections
- # Use IKE grouptype if no ESP group type has been selected
- # (for backwards compatibility)
- if ($lconfighash{$key}[23] eq "") {
- @groups = split('\|', $lconfighash{$key}[20]);
+ foreach my $key (keys %lconfighash) {
+ next if ($lconfighash{$key}[0] ne 'on');
+
+ #remote peer is not set? => use '%any'
+ $lconfighash{$key}[10] = '%any' if ($lconfighash{$key}[10] eq '');
+
+ my $localside;
+ if ($lconfighash{$key}[26] eq 'BLUE') {
+ $localside = $netsettings{'BLUE_ADDRESS'};
+ } elsif ($lconfighash{$key}[26] eq 'GREEN') {
+ $localside = $netsettings{'GREEN_ADDRESS'};
+ } elsif ($lconfighash{$key}[26] eq 'ORANGE') {
+ $localside = $netsettings{'ORANGE_ADDRESS'};
+ } else { # it is RED
+ $localside = $lvpnsettings{'VPN_IP'};
}
- my @algos = &make_algos("esp", \@encs, \@ints, \@groups, ($pfs eq "on"));
- print CONF "\tesp=" . join(",", @algos);
+ print CONF "conn $lconfighash{$key}[1]\n";
+ print CONF "\tleft=$localside\n";
+ print CONF "\tleftsubnet=" . &make_subnets($lconfighash{$key}[8]) . "\n";
+ print CONF "\tleftfirewall=yes\n";
+ print CONF "\tlefthostaccess=yes\n";
+ print CONF "\tright=$lconfighash{$key}[10]\n";
- if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms?
- print CONF "!\n";
- } else {
- print CONF "\n";
+ if ($lconfighash{$key}[3] eq 'net') {
+ print CONF "\trightsubnet=" . &make_subnets($lconfighash{$key}[11]) . "\n";
}
- }
- # IKE V1 or V2
- if (! $lconfighash{$key}[29]) {
- $lconfighash{$key}[29] = "ikev1";
- }
- print CONF "\tkeyexchange=$lconfighash{$key}[29]\n";
+ # Local Cert and Remote Cert (unless auth is DN dn-auth)
+ if ($lconfighash{$key}[4] eq 'cert') {
+ print CONF "\tleftcert=${General::swroot}/certs/hostcert.pem\n";
+ print CONF "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n" if ($lconfighash{$key}[2] ne '%auth-dn');
+ }
- # Lifetimes
- print CONF "\tikelifetime=$lconfighash{$key}[16]h\n" if ($lconfighash{$key}[16]);
- print CONF "\tkeylife=$lconfighash{$key}[17]h\n" if ($lconfighash{$key}[17]);
+ # Local and Remote IDs
+ print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if ($lconfighash{$key}[7]);
+ print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if ($lconfighash{$key}[9]);
- # Compression
- print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] eq 'on');
+ # Is PFS enabled?
+ my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off';
- # Force MOBIKE?
- if (($lconfighash{$key}[29] eq "ikev2") && ($lconfighash{$key}[32] eq 'on')) {
- print CONF "\tmobike=yes\n";
- }
+ # Algorithms
+ if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) {
+ my @encs = split('\|', $lconfighash{$key}[18]);
+ my @ints = split('\|', $lconfighash{$key}[19]);
+ my @groups = split('\|', $lconfighash{$key}[20]);
- # Dead Peer Detection
- my $dpdaction = $lconfighash{$key}[27];
- print CONF "\tdpdaction=$dpdaction\n";
+ my @algos = &make_algos("ike", \@encs, \@ints, \@groups, 1);
+ print CONF "\tike=" . join(",", @algos);
- # If the dead peer detection is disabled and IKEv2 is used,
- # dpddelay must be set to zero, too.
- if ($dpdaction eq "none") {
- if ($lconfighash{$key}[29] eq "ikev2") {
- print CONF "\tdpddelay=0\n";
+ if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms?
+ print CONF "!\n";
+ } else {
+ print CONF "\n";
+ }
}
- } else {
- my $dpddelay = $lconfighash{$key}[31];
- if (!$dpddelay) {
- $dpddelay = 30;
- }
- print CONF "\tdpddelay=$dpddelay\n";
- my $dpdtimeout = $lconfighash{$key}[30];
- if (!$dpdtimeout) {
- $dpdtimeout = 120;
- }
- print CONF "\tdpdtimeout=$dpdtimeout\n";
- }
-
- # Build Authentication details: LEFTid RIGHTid : PSK psk
- my $psk_line;
- if ($lconfighash{$key}[4] eq 'psk') {
- $psk_line = ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $localside) . " " ;
- $psk_line .= $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote address?
- $psk_line .= " : PSK '$lconfighash{$key}[5]'\n";
- # if the line contains %any, it is less specific than two IP or ID, so move it at end of file.
- if ($psk_line =~ /%any/) {
- $last_secrets .= $psk_line;
- } else {
- print SECRETS $psk_line;
- }
- print CONF "\tauthby=secret\n";
- } else {
- print CONF "\tauthby=rsasig\n";
- print CONF "\tleftrsasigkey=%cert\n";
- print CONF "\trightrsasigkey=%cert\n";
- }
- # Automatically start only if a net-to-net connection
- if ($lconfighash{$key}[3] eq 'host') {
- print CONF "\tauto=add\n";
- print CONF "\trightsourceip=$lvpnsettings{'RW_NET'}\n";
- } else {
- print CONF "\tauto=start\n";
- }
+ if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) {
+ my @encs = split('\|', $lconfighash{$key}[21]);
+ my @ints = split('\|', $lconfighash{$key}[22]);
+ my @groups = split('\|', $lconfighash{$key}[23]);
+
+ # Use IKE grouptype if no ESP group type has been selected
+ # (for backwards compatibility)
+ if ($lconfighash{$key}[23] eq "") {
+ @groups = split('\|', $lconfighash{$key}[20]);
+ }
- # Fragmentation
- print CONF "\tfragmentation=yes\n";
+ my @algos = &make_algos("esp", \@encs, \@ints, \@groups, ($pfs eq "on"));
+ print CONF "\tesp=" . join(",", @algos);
- print CONF "\n";
- }#foreach key
-
- # Add post user includes to config file
- # After the GUI-connections allows to patch connections.
- if (-e "/etc/ipsec.user-post.conf") {
- print CONF "include /etc/ipsec.user-post.conf\n";
- print CONF "\n";
- }
-
- print SECRETS $last_secrets if ($last_secrets);
- close(CONF);
- close(SECRETS);
+ if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms?
+ print CONF "!\n";
+ } else {
+ print CONF "\n";
+ }
+ }
+
+ # IKE V1 or V2
+ if (! $lconfighash{$key}[29]) {
+ $lconfighash{$key}[29] = "ikev1";
+ }
+
+ print CONF "\tkeyexchange=$lconfighash{$key}[29]\n";
+
+ # Lifetimes
+ print CONF "\tikelifetime=$lconfighash{$key}[16]h\n" if ($lconfighash{$key}[16]);
+ print CONF "\tkeylife=$lconfighash{$key}[17]h\n" if ($lconfighash{$key}[17]);
+
+ # Compression
+ print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] eq 'on');
+
+ # Force MOBIKE?
+ if (($lconfighash{$key}[29] eq "ikev2") && ($lconfighash{$key}[32] eq 'on')) {
+ print CONF "\tmobike=yes\n";
+ }
+
+ # Dead Peer Detection
+ my $dpdaction = $lconfighash{$key}[27];
+ print CONF "\tdpdaction=$dpdaction\n";
+
+ # If the dead peer detection is disabled and IKEv2 is used,
+ # dpddelay must be set to zero, too.
+ if ($dpdaction eq "none") {
+ if ($lconfighash{$key}[29] eq "ikev2") {
+ print CONF "\tdpddelay=0\n";
+ }
+ } else {
+ my $dpddelay = $lconfighash{$key}[31];
+ if (!$dpddelay) {
+ $dpddelay = 30;
+ }
+ print CONF "\tdpddelay=$dpddelay\n";
+ my $dpdtimeout = $lconfighash{$key}[30];
+ if (!$dpdtimeout) {
+ $dpdtimeout = 120;
+ }
+ print CONF "\tdpdtimeout=$dpdtimeout\n";
+ }
+
+ # Build Authentication details: LEFTid RIGHTid : PSK psk
+ my $psk_line;
+ if ($lconfighash{$key}[4] eq 'psk') {
+ $psk_line = ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $localside) . " " ;
+ $psk_line .= $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote address?
+ $psk_line .= " : PSK '$lconfighash{$key}[5]'\n";
+ # if the line contains %any, it is less specific than two IP or ID, so move it at end of file.
+ if ($psk_line =~ /%any/) {
+ $last_secrets .= $psk_line;
+ } else {
+ print SECRETS $psk_line;
+ }
+ print CONF "\tauthby=secret\n";
+ } else {
+ print CONF "\tauthby=rsasig\n";
+ print CONF "\tleftrsasigkey=%cert\n";
+ print CONF "\trightrsasigkey=%cert\n";
+ }
+
+ # Automatically start only if a net-to-net connection
+ if ($lconfighash{$key}[3] eq 'host') {
+ print CONF "\tauto=add\n";
+ print CONF "\trightsourceip=$lvpnsettings{'RW_NET'}\n";
+ } else {
+ print CONF "\tauto=start\n";
+ }
+
+ # Fragmentation
+ print CONF "\tfragmentation=yes\n";
+
+ print CONF "\n";
+ } #foreach key
+
+ # Add post user includes to config file
+ # After the GUI-connections allows to patch connections.
+ if (-e "/etc/ipsec.user-post.conf") {
+ print CONF "include /etc/ipsec.user-post.conf\n";
+ print CONF "\n";
+ }
+
+ print SECRETS $last_secrets if ($last_secrets);
+ close(CONF);
+ close(SECRETS);
}
# Hook to regenerate the configuration files.
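Review bot: nearly all of this hunk is whitespace (re-indenting `vpnmain.cgi`), which buries the functional changes: `leftsubnet` and `rightsubnet` are now produced by `&make_subnets(...)` instead of `&General::ipcidr(...)`, and the `rightsubnet=vhost:%no,%priv` branch for roadwarrior connections with field `[14]` set (together with the `### configihash[14]: 'VHOST' is allowed` comment) is dropped. Please split the re-indentation into its own commit so the behavioural diff can be reviewed, and confirm that `make_subnets` is defined somewhere in the series, as it does not appear in the visible hunks. Dropping the vhost branch also silently ignores any stored `[14] eq 'on'` value for existing roadwarrior connections, so the GUI control that writes that field should be removed in the same change or the commit message should say why the option is gone. Finally, `newcleanssldatabase` still tests `! -s ">${General::swroot}/certs/index.txt"`, a path beginning with `>` that can never exist, so the `touch` runs unconditionally; that is pre-existing, but a commit that touches every line of the function is the moment to drop the stray `>`.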
@@ -444,779 +437,779 @@ if ($ENV{"REMOTE_ADDR"} eq "") {
### Save main settings
###
if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') {
- &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
- unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'})
- || $cgiparams{'VPN_IP'} eq '%defaultroute' ) {
- $errormessage = $Lang::tr{'invalid input for hostname'};
- goto SAVE_ERROR;
- }
-
- unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) { #allow 0-999 seconds !
- $errormessage = $Lang::tr{'invalid time period'};
- goto SAVE_ERROR;
- }
-
- if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) {
- $errormessage = $Lang::tr{'urlfilter invalid ip or mask error'};
- goto SAVE_ERROR;
- }
-
- $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
- $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
- $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'};
- $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'};
- &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);
- &writeipsecfiles();
- if (&vpnenabled) {
- system('/usr/local/bin/ipsecctrl', 'S');
- } else {
- system('/usr/local/bin/ipsecctrl', 'D');
- }
- sleep $sleepDelay;
- SAVE_ERROR:
+ &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
+
+ unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'})
+ || $cgiparams{'VPN_IP'} eq '%defaultroute' ) {
+ $errormessage = $Lang::tr{'invalid input for hostname'};
+ goto SAVE_ERROR;
+ }
+
+ unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) { #allow 0-999 seconds !
+ $errormessage = $Lang::tr{'invalid time period'};
+ goto SAVE_ERROR;
+ }
+
+ if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) {
+ $errormessage = $Lang::tr{'urlfilter invalid ip or mask error'};
+ goto SAVE_ERROR;
+ }
+
+ $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
+ $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
+ $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'};
+ $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'};
+ &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);
+ &writeipsecfiles();
+ if (&vpnenabled) {
+ system('/usr/local/bin/ipsecctrl', 'S');
+ } else {
+ system('/usr/local/bin/ipsecctrl', 'D');
+ }
+ sleep $sleepDelay;
+ SAVE_ERROR:
###
### Reset all step 2
###
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'} && $cgiparams{'AREUSURE'} eq 'yes') {
- &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
-
- foreach my $key (keys %confighash) {
- if ($confighash{$key}[4] eq 'cert') {
- delete $confighash{$key};
- }
- }
- while (my $file = glob("${General::swroot}/{ca,certs,crls,private}/*")) {
- unlink $file
- }
- &cleanssldatabase();
- if (open(FILE, ">${General::swroot}/vpn/caconfig")) {
- print FILE "";
- close FILE;
- }
- &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
- &writeipsecfiles();
- system('/usr/local/bin/ipsecctrl', 'R');
- sleep $sleepDelay;
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+
+ foreach my $key (keys %confighash) {
+ if ($confighash{$key}[4] eq 'cert') {
+ delete $confighash{$key};
+ }
+ }
+ while (my $file = glob("${General::swroot}/{ca,certs,crls,private}/*")) {
+ unlink $file
+ }
+ &cleanssldatabase();
+ if (open(FILE, ">${General::swroot}/vpn/caconfig")) {
+ print FILE "";
+ close FILE;
+ }
+ &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
+ &writeipsecfiles();
+ system('/usr/local/bin/ipsecctrl', 'R');
+ sleep $sleepDelay;
###
### Reset all step 1
###
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'}) {
- &Header::showhttpheaders();
- &Header::openpage($Lang::tr{'ipsec'}, 1, '');
- &Header::openbigbox('100%', 'left', '', '');
- &Header::openbox('100%', 'left', $Lang::tr{'are you sure'});
- print <<END
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'ipsec'}, 1, '');
+ &Header::openbigbox('100%', 'left', '', '');
+ &Header::openbox('100%', 'left', $Lang::tr{'are you sure'});
+ print <<END
<form method='post' action='$ENV{'SCRIPT_NAME'}'>
- <table width='100%'>
- <tr>
- <td align='center'>
- <input type='hidden' name='AREUSURE' value='yes' />
- <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>:
- $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}</td>
- </tr><tr>
- <td align='center'>
- <input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' />
+ <table width='100%'>
+ <tr>
+ <td align='center'>
+ <input type='hidden' name='AREUSURE' value='yes' />
+ <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}
+ </td>
+ </tr><tr>
+ <td align='center'>
+ <input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' />
<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td>
- </tr>
- </table>
+ </tr>
+ </table>
</form>
END
- ;
- &Header::closebox();
- &Header::closebigbox();
- &Header::closepage();
- exit (0);
+;
+ &Header::closebox();
+ &Header::closebigbox();
+ &Header::closepage();
+ exit (0);
###
### Upload CA Certificate
###
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) {
- &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
-
- if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) {
- $errormessage = $Lang::tr{'name must only contain characters'};
- goto UPLOADCA_ERROR;
- }
-
- if (length($cgiparams{'CA_NAME'}) >60) {
- $errormessage = $Lang::tr{'name too long'};
- goto VPNCONF_ERROR;
- }
-
- if ($cgiparams{'CA_NAME'} eq 'ca') {
- $errormessage = $Lang::tr{'name is invalid'};
- goto UPLOAD_CA_ERROR;
- }
-
- # Check if there is no other entry with this name
- foreach my $key (keys %cahash) {
- if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) {
- $errormessage = $Lang::tr{'a ca certificate with this name already exists'};
- goto UPLOADCA_ERROR;
- }
- }
-
- if (ref ($cgiparams{'FH'}) ne 'Fh') {
- $errormessage = $Lang::tr{'there was no file upload'};
- goto UPLOADCA_ERROR;
- }
- # Move uploaded ca to a temporary file
- (my $fh, my $filename) = tempfile( );
- if (copy ($cgiparams{'FH'}, $fh) != 1) {
- $errormessage = $!;
- goto UPLOADCA_ERROR;
- }
- my $temp = `/usr/bin/openssl x509 -text -in $filename`;
- if ($temp !~ /CA:TRUE/i) {
- $errormessage = $Lang::tr{'not a valid ca certificate'};
- unlink ($filename);
- goto UPLOADCA_ERROR;
- } else {
- move($filename, "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem");
- if ($? ne 0) {
- $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
- unlink ($filename);
- goto UPLOADCA_ERROR;
- }
- }
-
- my $key = &General::findhasharraykey (\%cahash);
- $cahash{$key}[0] = $cgiparams{'CA_NAME'};
- $cahash{$key}[1] = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"));
- &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
-
- system('/usr/local/bin/ipsecctrl', 'R');
- sleep $sleepDelay;
-
- UPLOADCA_ERROR:
+ &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
+
+ if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) {
+ $errormessage = $Lang::tr{'name must only contain characters'};
+ goto UPLOADCA_ERROR;
+ }
+
+ if (length($cgiparams{'CA_NAME'}) >60) {
+ $errormessage = $Lang::tr{'name too long'};
+ goto VPNCONF_ERROR;
+ }
+
+ if ($cgiparams{'CA_NAME'} eq 'ca') {
+ $errormessage = $Lang::tr{'name is invalid'};
+ goto UPLOAD_CA_ERROR;
+ }
+
+ # Check if there is no other entry with this name
+ foreach my $key (keys %cahash) {
+ if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) {
+ $errormessage = $Lang::tr{'a ca certificate with this name already exists'};
+ goto UPLOADCA_ERROR;
+ }
+ }
+
+ if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ $errormessage = $Lang::tr{'there was no file upload'};
+ goto UPLOADCA_ERROR;
+ }
+ # Move uploaded ca to a temporary file
+ (my $fh, my $filename) = tempfile( );
+ if (copy ($cgiparams{'FH'}, $fh) != 1) {
+ $errormessage = $!;
+ goto UPLOADCA_ERROR;
+ }
+ my $temp = `/usr/bin/openssl x509 -text -in $filename`;
+ if ($temp !~ /CA:TRUE/i) {
+ $errormessage = $Lang::tr{'not a valid ca certificate'};
+ unlink ($filename);
+ goto UPLOADCA_ERROR;
+ } else {
+ move($filename, "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem");
+ if ($? ne 0) {
+ $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
+ unlink ($filename);
+ goto UPLOADCA_ERROR;
+ }
+ }
+
+ my $key = &General::findhasharraykey (\%cahash);
+ $cahash{$key}[0] = $cgiparams{'CA_NAME'};
+ $cahash{$key}[1] = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"));
+ &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
+
+ system('/usr/local/bin/ipsecctrl', 'R');
+ sleep $sleepDelay;
+
+ UPLOADCA_ERROR:
###
### Display ca certificate
###
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) {
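Review bot: the goto targets in the upload-CA block are inconsistent: the length check jumps to `VPNCONF_ERROR` and the reserved-name check to `UPLOAD_CA_ERROR`, while the label defined at the end of the block is `UPLOADCA_ERROR`; Perl resolves `goto LABEL` at run time, so a CA named `ca` would die with "Can't find label UPLOAD_CA_ERROR" unless that label exists elsewhere in the file, and both should read `goto UPLOADCA_ERROR;`. Separately, the success test after `move($filename, "${General::swroot}/ca/...cert.pem")` checks `$?`, which still holds the exit status of the preceding `openssl x509` backtick rather than the result of `File::Copy::move`; test the return value instead, e.g. `unless (move($filename, $dest)) { $errormessage = ...; }`.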
- &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
-
- if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") {
- &Header::showhttpheaders();
- &Header::openpage($Lang::tr{'ipsec'}, 1, '');
- &Header::openbigbox('100%', 'left', '', '');
- &Header::openbox('100%', 'left', "$Lang::tr{'ca certificate'}:");
- my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
- $output = &Header::cleanhtml($output,"y");
- print "<pre>$output</pre>\n";
- &Header::closebox();
- print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";
- &Header::closebigbox();
- &Header::closepage();
- exit(0);
- } else {
- $errormessage = $Lang::tr{'invalid key'};
- }
+ &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
+
+ if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") {
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'ipsec'}, 1, '');
+ &Header::openbigbox('100%', 'left', '', '');
+ &Header::openbox('100%', 'left', "$Lang::tr{'ca certificate'}:");
+ my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
+ $output = &Header::cleanhtml($output,"y");
+ print "<pre>$output</pre>\n";
+ &Header::closebox();
+ print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";
+ &Header::closebigbox();
+ &Header::closepage();
+ exit(0);
+ } else {
+ $errormessage = $Lang::tr{'invalid key'};
+ }
###
### Export ca certificate to browser
###
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download ca certificate'}) {
- &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
-
- if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
- print "Content-Type: application/force-download\n";
- print "Content-Type: application/octet-stream\r\n";
- print "Content-Disposition: attachment; filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n";
- print `/usr/bin/openssl x509 -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
- exit(0);
- } else {
- $errormessage = $Lang::tr{'invalid key'};
- }
+ &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
+
+ if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
+ print "Content-Type: application/force-download\n";
+ print "Content-Type: application/octet-stream\r\n";
+ print "Content-Disposition: attachment; filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n";
+ print `/usr/bin/openssl x509 -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
+ exit(0);
+ } else {
+ $errormessage = $Lang::tr{'invalid key'};
+ }
###
### Remove ca certificate (step 2)
###
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'} && $cgiparams{'AREUSURE'} eq 'yes') {
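Review bot: the CA download handler emits two Content-Type headers, `application/force-download` terminated with `\n` and `application/octet-stream` terminated with `\r\n`; keep a single `Content-Type: application/octet-stream\r\n` so the header block is well-formed (the root and host certificate download branches later in this patch send only one Content-Type line).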
- &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
- &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
-
- if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
- foreach my $key (keys %confighash) {
- my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`;
- if ($test =~ /: OK/) {
- # Delete connection
- system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled);
- unlink ("${General::swroot}/certs/$confighash{$key}[1]cert.pem");
- unlink ("${General::swroot}/certs/$confighash{$key}[1].p12");
- delete $confighash{$key};
- &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
- &writeipsecfiles();
- }
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+ &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
+
+ if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
+ foreach my $key (keys %confighash) {
+ my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`;
+ if ($test =~ /: OK/) {
+ # Delete connection
+ system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled);
+ unlink ("${General::swroot}/certs/$confighash{$key}[1]cert.pem");
+ unlink ("${General::swroot}/certs/$confighash{$key}[1].p12");
+ delete $confighash{$key};
+ &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
+ &writeipsecfiles();
+ }
+ }
+ unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
+ delete $cahash{$cgiparams{'KEY'}};
+ &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
+ system('/usr/local/bin/ipsecctrl', 'R');
+ sleep $sleepDelay;
+ } else {
+ $errormessage = $Lang::tr{'invalid key'};
}
- unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
- delete $cahash{$cgiparams{'KEY'}};
- &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
- system('/usr/local/bin/ipsecctrl', 'R');
- sleep $sleepDelay;
- } else {
- $errormessage = $Lang::tr{'invalid key'};
- }
###
### Remove ca certificate (step 1)
###
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'}) {
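Review bot: in the remove-CA (step 2) loop, `&General::writehasharray(...)` and `&writeipsecfiles()` run once per deleted connection; they only need to run once after the `foreach`, which also avoids rewriting the config on every iteration. The `openssl verify` backtick also interpolates `$confighash{$key}[1]` straight into a shell command line; using the list form of `system`/`open` for that call would avoid relying on that name having been validated elsewhere.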
- &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
- &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
-
- my $assignedcerts = 0;
- if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
- foreach my $key (keys %confighash) {
- my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`;
- if ($test =~ /: OK/) {
- $assignedcerts++;
- }
- }
- if ($assignedcerts) {
- &Header::showhttpheaders();
- &Header::openpage($Lang::tr{'ipsec'}, 1, '');
- &Header::openbigbox('100%', 'left', '', '');
- &Header::openbox('100%', 'left', $Lang::tr{'are you sure'});
- print <<END
- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
- <table width='100%'>
- <tr>
- <td align='center'>
- <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
- <input type='hidden' name='AREUSURE' value='yes' /></td>
- </tr><tr>
- <td align='center'>
- <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>
- $Lang::tr{'connections are associated with this ca. deleting the ca will delete these connections as well.'}</td>
- </tr><tr>
- <td align='center'>
- <input type='submit' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
- <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td>
- </tr>
- </table>
- </form>
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+ &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
+
+ my $assignedcerts = 0;
+ if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
+ foreach my $key (keys %confighash) {
+ my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`;
+ if ($test =~ /: OK/) {
+ $assignedcerts++;
+ }
+ }
+ if ($assignedcerts) {
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'ipsec'}, 1, '');
+ &Header::openbigbox('100%', 'left', '', '');
+ &Header::openbox('100%', 'left', $Lang::tr{'are you sure'});
+ print <<END
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <table width='100%'>
+ <tr>
+ <td align='center'>
+ <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
+ <input type='hidden' name='AREUSURE' value='yes' /></td>
+ </tr><tr>
+ <td align='center'>
+ <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b> $Lang::tr{'connections are associated with this ca. deleting the ca will delete these connections as well.'}</td>
+ </tr><tr>
+ <td align='center'>
+ <input type='submit' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
+ <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td>
+ </tr>
+ </table>
+ </form>
END
- ;
- &Header::closebox();
- &Header::closebigbox();
- &Header::closepage();
- exit (0);
+;
+ &Header::closebox();
+ &Header::closebigbox();
+ &Header::closepage();
+ exit (0);
+ } else {
+ unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
+ delete $cahash{$cgiparams{'KEY'}};
+ &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
+ system('/usr/local/bin/ipsecctrl', 'R');
+ sleep $sleepDelay;
+ }
} else {
- unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
- delete $cahash{$cgiparams{'KEY'}};
- &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
- system('/usr/local/bin/ipsecctrl', 'R');
- sleep $sleepDelay;
+ $errormessage = $Lang::tr{'invalid key'};
}
- } else {
- $errormessage = $Lang::tr{'invalid key'};
- }
###
### Display root certificate
###
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} ||
$cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) {
- my $output;
- &Header::showhttpheaders();
- &Header::openpage($Lang::tr{'ipsec'}, 1, '');
- &Header::openbigbox('100%', 'left', '', '');
- if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) {
- &Header::openbox('100%', 'left', "$Lang::tr{'root certificate'}:");
- $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/cacert.pem`;
- } else {
- &Header::openbox('100%', 'left', "$Lang::tr{'host certificate'}:");
- $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/hostcert.pem`;
- }
- $output = &Header::cleanhtml($output,"y");
- print "<pre>$output</pre>\n";
- &Header::closebox();
- print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";
- &Header::closebigbox();
- &Header::closepage();
- exit(0);
+ my $output;
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'ipsec'}, 1, '');
+ &Header::openbigbox('100%', 'left', '', '');
+ if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) {
+ &Header::openbox('100%', 'left', "$Lang::tr{'root certificate'}:");
+ $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/cacert.pem`;
+ } else {
+ &Header::openbox('100%', 'left', "$Lang::tr{'host certificate'}:");
+ $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/hostcert.pem`;
+ }
+ $output = &Header::cleanhtml($output,"y");
+ print "<pre>$output</pre>\n";
+ &Header::closebox();
+ print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";
+ &Header::closebigbox();
+ &Header::closepage();
+ exit(0);
###
### Export root certificate to browser
###
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download root certificate'}) {
- if ( -f "${General::swroot}/ca/cacert.pem" ) {
- print "Content-Type: application/force-download\n";
- print "Content-Disposition: attachment; filename=cacert.pem\r\n\r\n";
- print `/usr/bin/openssl x509 -in ${General::swroot}/ca/cacert.pem`;
- exit(0);
- }
+ if ( -f "${General::swroot}/ca/cacert.pem" ) {
+ print "Content-Type: application/force-download\n";
+ print "Content-Disposition: attachment; filename=cacert.pem\r\n\r\n";
+ print `/usr/bin/openssl x509 -in ${General::swroot}/ca/cacert.pem`;
+ exit(0);
+ }
###
### Export host certificate to browser
###
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download host certificate'}) {
- if ( -f "${General::swroot}/certs/hostcert.pem" ) {
- print "Content-Type: application/force-download\n";
- print "Content-Disposition: attachment; filename=hostcert.pem\r\n\r\n";
- print `/usr/bin/openssl x509 -in ${General::swroot}/certs/hostcert.pem`;
- exit(0);
- }
+ if ( -f "${General::swroot}/certs/hostcert.pem" ) {
+ print "Content-Type: application/force-download\n";
+ print "Content-Disposition: attachment; filename=hostcert.pem\r\n\r\n";
+ print `/usr/bin/openssl x509 -in ${General::swroot}/certs/hostcert.pem`;
+ exit(0);
+ }
###
### Form for generating/importing the caroot+host certificate
###
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} ||
- $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
-
- if (-f "${General::swroot}/ca/cacert.pem") {
- $errormessage = $Lang::tr{'valid root certificate already exists'};
- goto ROOTCERT_SKIP;
- }
-
- &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
- # fill in initial values
- if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
- if (-e "${General::swroot}/red/active" && open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
- my $ipaddr = <IPADDR>;
- close IPADDR;
- chomp ($ipaddr);
- $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
- if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
- $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
- }
- }
- $cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});
- } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
- &General::log("ipsec", "Importing from p12...");
+ $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
+
+ if (-f "${General::swroot}/ca/cacert.pem") {
+ $errormessage = $Lang::tr{'valid root certificate already exists'};
+ goto ROOTCERT_SKIP;
+ }
+
+ &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
+ # fill in initial values
+ if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
+ if (-e "${General::swroot}/red/active" && open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
+ my $ipaddr = <IPADDR>;
+ close IPADDR;
+ chomp ($ipaddr);
+ $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
+ if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
+ $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
+ }
+ }
+ $cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'});
+ } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
+ &General::log("ipsec", "Importing from p12...");
- if (ref ($cgiparams{'FH'}) ne 'Fh') {
- $errormessage = $Lang::tr{'there was no file upload'};
- goto ROOTCERT_ERROR;
- }
+ if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ $errormessage = $Lang::tr{'there was no file upload'};
+ goto ROOTCERT_ERROR;
+ }
- # Move uploaded certificate request to a temporary file
- (my $fh, my $filename) = tempfile( );
- if (copy ($cgiparams{'FH'}, $fh) != 1) {
- $errormessage = $!;
- goto ROOTCERT_ERROR;
- }
+ # Move uploaded certificate request to a temporary file
+ (my $fh, my $filename) = tempfile( );
+ if (copy ($cgiparams{'FH'}, $fh) != 1) {
+ $errormessage = $!;
+ goto ROOTCERT_ERROR;
+ }
- # Extract the CA certificate from the file
- &General::log("ipsec", "Extracting caroot from p12...");
- if (open(STDIN, "-|")) {
- my $opt = " pkcs12 -cacerts -nokeys";
- $opt .= " -in $filename";
- $opt .= " -out /tmp/newcacert";
- $errormessage = &callssl ($opt);
- } else { #child
- print "$cgiparams{'P12_PASS'}\n";
- exit (0);
- }
-
- # Extract the Host certificate from the file
- if (!$errormessage) {
- &General::log("ipsec", "Extracting host cert from p12...");
- if (open(STDIN, "-|")) {
- my $opt = " pkcs12 -clcerts -nokeys";
- $opt .= " -in $filename";
- $opt .= " -out /tmp/newhostcert";
- $errormessage = &callssl ($opt);
- } else { #child
- print "$cgiparams{'P12_PASS'}\n";
- exit (0);
- }
- }
-
- # Extract the Host key from the file
- if (!$errormessage) {
- &General::log("ipsec", "Extracting private key from p12...");
- if (open(STDIN, "-|")) {
- my $opt = " pkcs12 -nocerts -nodes";
- $opt .= " -in $filename";
- $opt .= " -out /tmp/newhostkey";
- $errormessage = &callssl ($opt);
- } else { #child
- print "$cgiparams{'P12_PASS'}\n";
- exit (0);
- }
- }
-
- if (!$errormessage) {
- &General::log("ipsec", "Moving cacert...");
- move("/tmp/newcacert", "${General::swroot}/ca/cacert.pem");
- $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0);
- }
-
- if (!$errormessage) {
- &General::log("ipsec", "Moving host cert...");
- move("/tmp/newhostcert", "${General::swroot}/certs/hostcert.pem");
- $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0);
- }
-
- if (!$errormessage) {
- &General::log("ipsec", "Moving private key...");
- move("/tmp/newhostkey", "${General::swroot}/certs/hostkey.pem");
- $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0);
- }
-
- #cleanup temp files
- unlink ($filename);
- unlink ('/tmp/newcacert');
- unlink ('/tmp/newhostcert');
- unlink ('/tmp/newhostkey');
- if ($errormessage) {
- unlink ("${General::swroot}/ca/cacert.pem");
- unlink ("${General::swroot}/certs/hostcert.pem");
- unlink ("${General::swroot}/certs/hostkey.pem");
- goto ROOTCERT_ERROR;
- }
+ # Extract the CA certificate from the file
+ &General::log("ipsec", "Extracting caroot from p12...");
+ if (open(STDIN, "-|")) {
+ my $opt = " pkcs12 -cacerts -nokeys";
+ $opt .= " -in $filename";
+ $opt .= " -out /tmp/newcacert";
+ $errormessage = &callssl ($opt);
+ } else { #child
+ print "$cgiparams{'P12_PASS'}\n";
+ exit (0);
+ }
- # Create empty CRL cannot be done because we don't have
- # the private key for this CAROOT
- # IPFire can only import certificates
+ # Extract the Host certificate from the file
+ if (!$errormessage) {
+ &General::log("ipsec", "Extracting host cert from p12...");
+ if (open(STDIN, "-|")) {
+ my $opt = " pkcs12 -clcerts -nokeys";
+ $opt .= " -in $filename";
+ $opt .= " -out /tmp/newhostcert";
+ $errormessage = &callssl ($opt);
+ } else { #child
+ print "$cgiparams{'P12_PASS'}\n";
+ exit (0);
+ }
+ }
- &General::log("ipsec", "p12 import completed!");
- &cleanssldatabase();
- goto ROOTCERT_SUCCESS;
-
- } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') {
-
- # Validate input since the form was submitted
- if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){
- $errormessage = $Lang::tr{'organization cant be empty'};
- goto ROOTCERT_ERROR;
- }
- if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) {
- $errormessage = $Lang::tr{'organization too long'};
- goto ROOTCERT_ERROR;
- }
- if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
- $errormessage = $Lang::tr{'invalid input for organization'};
- goto ROOTCERT_ERROR;
- }
- if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){
- $errormessage = $Lang::tr{'hostname cant be empty'};
- goto ROOTCERT_ERROR;
- }
- unless (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) {
- $errormessage = $Lang::tr{'invalid input for hostname'};
- goto ROOTCERT_ERROR;
- }
- if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) {
- $errormessage = $Lang::tr{'invalid input for e-mail address'};
- goto ROOTCERT_ERROR;
- }
- if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) {
- $errormessage = $Lang::tr{'e-mail address too long'};
- goto ROOTCERT_ERROR;
- }
- if ($cgiparams{'ROOTCERT_OU'} ne '' && $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
- $errormessage = $Lang::tr{'invalid input for department'};
- goto ROOTCERT_ERROR;
- }
- if ($cgiparams{'ROOTCERT_CITY'} ne '' && $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
- $errormessage = $Lang::tr{'invalid input for city'};
- goto ROOTCERT_ERROR;
- }
- if ($cgiparams{'ROOTCERT_STATE'} ne '' && $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
- $errormessage = $Lang::tr{'invalid input for state or province'};
- goto ROOTCERT_ERROR;
- }
- if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) {
- $errormessage = $Lang::tr{'invalid input for country'};
- goto ROOTCERT_ERROR;
- }
- #the exact syntax is a list comma separated of
- # email:any-validemail
- # URI: a uniform resource indicator
- # DNS: a DNS domain name
- # RID: a registered OBJECT IDENTIFIER
- # IP: an IP address
- # example: email:franck(a)foo.com,IP:10.0.0.10,DNS:franck.foo.com
-
- if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :\/,\.\-_@]*$/) {
- $errormessage = $Lang::tr{'vpn altname syntax'};
- goto VPNCONF_ERROR;
- }
-
- # Copy the cgisettings to vpnsettings and save the configfile
- $vpnsettings{'ROOTCERT_ORGANIZATION'} = $cgiparams{'ROOTCERT_ORGANIZATION'};
- $vpnsettings{'ROOTCERT_HOSTNAME'} = $cgiparams{'ROOTCERT_HOSTNAME'};
- $vpnsettings{'ROOTCERT_EMAIL'} = $cgiparams{'ROOTCERT_EMAIL'};
- $vpnsettings{'ROOTCERT_OU'} = $cgiparams{'ROOTCERT_OU'};
- $vpnsettings{'ROOTCERT_CITY'} = $cgiparams{'ROOTCERT_CITY'};
- $vpnsettings{'ROOTCERT_STATE'} = $cgiparams{'ROOTCERT_STATE'};
- $vpnsettings{'ROOTCERT_COUNTRY'} = $cgiparams{'ROOTCERT_COUNTRY'};
- &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);
+ # Extract the Host key from the file
+ if (!$errormessage) {
+ &General::log("ipsec", "Extracting private key from p12...");
+ if (open(STDIN, "-|")) {
+ my $opt = " pkcs12 -nocerts -nodes";
+ $opt .= " -in $filename";
+ $opt .= " -out /tmp/newhostkey";
+ $errormessage = &callssl ($opt);
+ } else { #child
+ print "$cgiparams{'P12_PASS'}\n";
+ exit (0);
+ }
+ }
- # Replace empty strings with a .
- (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/\./;
- (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/\./;
- (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/\./;
-
- # Create the CA certificate
- if (!$errormessage) {
- &General::log("ipsec", "Creating cacert...");
- if (open(STDIN, "-|")) {
- my $opt = " req -x509 -sha256 -nodes";
- $opt .= " -days 999999";
- $opt .= " -newkey rsa:4096";
- $opt .= " -keyout ${General::swroot}/private/cakey.pem";
- $opt .= " -out ${General::swroot}/ca/cacert.pem";
-
- $errormessage = &callssl ($opt);
- } else { #child
- print "$cgiparams{'ROOTCERT_COUNTRY'}\n";
- print "$state\n";
- print "$city\n";
- print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
- print "$ou\n";
- print "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n";
- print "$cgiparams{'ROOTCERT_EMAIL'}\n";
- exit (0);
- }
- }
-
- # Create the Host certificate request
- if (!$errormessage) {
- &General::log("ipsec", "Creating host cert...");
- if (open(STDIN, "-|")) {
- my $opt = " req -sha256 -nodes";
- $opt .= " -newkey rsa:2048";
- $opt .= " -keyout ${General::swroot}/certs/hostkey.pem";
- $opt .= " -out ${General::swroot}/certs/hostreq.pem";
- $errormessage = &callssl ($opt);
- } else { #child
- print "$cgiparams{'ROOTCERT_COUNTRY'}\n";
- print "$state\n";
- print "$city\n";
- print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
- print "$ou\n";
- print "$cgiparams{'ROOTCERT_HOSTNAME'}\n";
- print "$cgiparams{'ROOTCERT_EMAIL'}\n";
- print ".\n";
- print ".\n";
- exit (0);
- }
- }
+ if (!$errormessage) {
+ &General::log("ipsec", "Moving cacert...");
+ move("/tmp/newcacert", "${General::swroot}/ca/cacert.pem");
+ $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0);
+ }
+
+ if (!$errormessage) {
+ &General::log("ipsec", "Moving host cert...");
+ move("/tmp/newhostcert", "${General::swroot}/certs/hostcert.pem");
+ $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0);
+ }
+
+ if (!$errormessage) {
+ &General::log("ipsec", "Moving private key...");
+ move("/tmp/newhostkey", "${General::swroot}/certs/hostkey.pem");
+ $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0);
+ }
+
+ #cleanup temp files
+ unlink ($filename);
+ unlink ('/tmp/newcacert');
+ unlink ('/tmp/newhostcert');
+ unlink ('/tmp/newhostkey');
+ if ($errormessage) {
+ unlink ("${General::swroot}/ca/cacert.pem");
+ unlink ("${General::swroot}/certs/hostcert.pem");
+ unlink ("${General::swroot}/certs/hostkey.pem");
+ goto ROOTCERT_ERROR;
+ }
- # Sign the host certificate request
- if (!$errormessage) {
- &General::log("ipsec", "Self signing host cert...");
+ # Create empty CRL cannot be done because we don't have
+ # the private key for this CAROOT
+ # IPFire can only import certificates
- #No easy way for specifying the contain of subjectAltName without writing a config file...
- my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX');
- print $fh <<END
- basicConstraints=CA:FALSE
- nsComment="OpenSSL Generated Certificate"
- subjectKeyIdentifier=hash
- authorityKeyIdentifier=keyid,issuer:always
- extendedKeyUsage = serverAuth
+ &General::log("ipsec", "p12 import completed!");
+ &cleanssldatabase();
+ goto ROOTCERT_SUCCESS;
+
+ } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') {
+
+ # Validate input since the form was submitted
+ if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){
+ $errormessage = $Lang::tr{'organization cant be empty'};
+ goto ROOTCERT_ERROR;
+ }
+ if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) {
+ $errormessage = $Lang::tr{'organization too long'};
+ goto ROOTCERT_ERROR;
+ }
+ if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
+ $errormessage = $Lang::tr{'invalid input for organization'};
+ goto ROOTCERT_ERROR;
+ }
+ if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){
+ $errormessage = $Lang::tr{'hostname cant be empty'};
+ goto ROOTCERT_ERROR;
+ }
+ unless (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) {
+ $errormessage = $Lang::tr{'invalid input for hostname'};
+ goto ROOTCERT_ERROR;
+ }
+ if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) {
+ $errormessage = $Lang::tr{'invalid input for e-mail address'};
+ goto ROOTCERT_ERROR;
+ }
+ if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) {
+ $errormessage = $Lang::tr{'e-mail address too long'};
+ goto ROOTCERT_ERROR;
+ }
+ if ($cgiparams{'ROOTCERT_OU'} ne '' && $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
+ $errormessage = $Lang::tr{'invalid input for department'};
+ goto ROOTCERT_ERROR;
+ }
+ if ($cgiparams{'ROOTCERT_CITY'} ne '' && $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
+ $errormessage = $Lang::tr{'invalid input for city'};
+ goto ROOTCERT_ERROR;
+ }
+ if ($cgiparams{'ROOTCERT_STATE'} ne '' && $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
+ $errormessage = $Lang::tr{'invalid input for state or province'};
+ goto ROOTCERT_ERROR;
+ }
+ if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) {
+ $errormessage = $Lang::tr{'invalid input for country'};
+ goto ROOTCERT_ERROR;
+ }
+ #the exact syntax is a list comma separated of
+ # email:any-validemail
+ # URI: a uniform resource indicator
+ # DNS: a DNS domain name
+ # RID: a registered OBJECT IDENTIFIER
+ # IP: an IP address
+ # example: email:franck(a)foo.com,IP:10.0.0.10,DNS:franck.foo.com
+
+ if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :\/,\.\-_@]*$/) {
+ $errormessage = $Lang::tr{'vpn altname syntax'};
+ goto VPNCONF_ERROR;
+ }
+
+ # Copy the cgisettings to vpnsettings and save the configfile
+ $vpnsettings{'ROOTCERT_ORGANIZATION'} = $cgiparams{'ROOTCERT_ORGANIZATION'};
+ $vpnsettings{'ROOTCERT_HOSTNAME'} = $cgiparams{'ROOTCERT_HOSTNAME'};
+ $vpnsettings{'ROOTCERT_EMAIL'} = $cgiparams{'ROOTCERT_EMAIL'};
+ $vpnsettings{'ROOTCERT_OU'} = $cgiparams{'ROOTCERT_OU'};
+ $vpnsettings{'ROOTCERT_CITY'} = $cgiparams{'ROOTCERT_CITY'};
+ $vpnsettings{'ROOTCERT_STATE'} = $cgiparams{'ROOTCERT_STATE'};
+ $vpnsettings{'ROOTCERT_COUNTRY'} = $cgiparams{'ROOTCERT_COUNTRY'};
+ &General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);
+
+ # Replace empty strings with a .
+ (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/\./;
+ (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/\./;
+ (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/\./;
+
+ # Create the CA certificate
+ if (!$errormessage) {
+ &General::log("ipsec", "Creating cacert...");
+ if (open(STDIN, "-|")) {
+ my $opt = " req -x509 -sha256 -nodes";
+ $opt .= " -days 999999";
+ $opt .= " -newkey rsa:4096";
+ $opt .= " -keyout ${General::swroot}/private/cakey.pem";
+ $opt .= " -out ${General::swroot}/ca/cacert.pem";
+
+ $errormessage = &callssl ($opt);
+ } else { #child
+ print "$cgiparams{'ROOTCERT_COUNTRY'}\n";
+ print "$state\n";
+ print "$city\n";
+ print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
+ print "$ou\n";
+ print "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n";
+ print "$cgiparams{'ROOTCERT_EMAIL'}\n";
+ exit (0);
+ }
+ }
+
+ # Create the Host certificate request
+ if (!$errormessage) {
+ &General::log("ipsec", "Creating host cert...");
+ if (open(STDIN, "-|")) {
+ my $opt = " req -sha256 -nodes";
+ $opt .= " -newkey rsa:2048";
+ $opt .= " -keyout ${General::swroot}/certs/hostkey.pem";
+ $opt .= " -out ${General::swroot}/certs/hostreq.pem";
+ $errormessage = &callssl ($opt);
+ } else { #child
+ print "$cgiparams{'ROOTCERT_COUNTRY'}\n";
+ print "$state\n";
+ print "$city\n";
+ print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
+ print "$ou\n";
+ print "$cgiparams{'ROOTCERT_HOSTNAME'}\n";
+ print "$cgiparams{'ROOTCERT_EMAIL'}\n";
+ print ".\n";
+ print ".\n";
+ exit (0);
+ }
+ }
+
+ # Sign the host certificate request
+ if (!$errormessage) {
+ &General::log("ipsec", "Self signing host cert...");
+
+ #No easy way for specifying the contain of subjectAltName without writing a config file...
+ my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX');
+ print $fh <<END
+ basicConstraints=CA:FALSE
+ nsComment="OpenSSL Generated Certificate"
+ subjectKeyIdentifier=hash
+ authorityKeyIdentifier=keyid,issuer:always
+ extendedKeyUsage = serverAuth
END
;
- print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'});
- close ($fh);
-
- my $opt = " ca -md sha256 -days 999999";
- $opt .= " -batch -notext";
- $opt .= " -in ${General::swroot}/certs/hostreq.pem";
- $opt .= " -out ${General::swroot}/certs/hostcert.pem";
- $opt .= " -extfile $v3extname";
- $errormessage = &callssl ($opt);
- unlink ("${General::swroot}/certs/hostreq.pem"); #no more needed
- unlink ($v3extname);
- }
-
- # Create an empty CRL
- if (!$errormessage) {
- &General::log("ipsec", "Creating emptycrl...");
- my $opt = " ca -gencrl";
- $opt .= " -out ${General::swroot}/crls/cacrl.pem";
- $errormessage = &callssl ($opt);
- }
-
- # Successfully build CA / CERT!
- if (!$errormessage) {
- &cleanssldatabase();
- goto ROOTCERT_SUCCESS;
- }
-
- #Cleanup
- unlink ("${General::swroot}/ca/cacert.pem");
- unlink ("${General::swroot}/certs/hostkey.pem");
- unlink ("${General::swroot}/certs/hostcert.pem");
- unlink ("${General::swroot}/crls/cacrl.pem");
- &cleanssldatabase();
- }
-
- ROOTCERT_ERROR:
- &Header::showhttpheaders();
- &Header::openpage($Lang::tr{'ipsec'}, 1, '');
- &Header::openbigbox('100%', 'left', '', $errormessage);
- if ($errormessage) {
- &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
- print "<class name='base'>$errormessage";
- print " </class>";
- &Header::closebox();
- }
- &Header::openbox('100%', 'left', "$Lang::tr{'generate root/host certificates'}:");
- print <<END
- <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>
- <table width='100%' border='0' cellspacing='1' cellpadding='0'>
- <tr><td width='40%' class='base'>$Lang::tr{'organization name'}: <img src='/blob.gif' alt='*' /></td>
- <td width='60%' class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_ORGANIZATION' value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td></tr>
- <tr><td class='base'>$Lang::tr{'ipfires hostname'}: <img src='/blob.gif' alt='*' /></td>
- <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' size='32' /></td></tr>
- <tr><td class='base'>$Lang::tr{'your e-mail'}:</td>
- <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' /></td></tr>
- <tr><td class='base'>$Lang::tr{'your department'}:</td>
- <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' /></td></tr>
- <tr><td class='base'>$Lang::tr{'city'}:</td>
- <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' /></td></tr>
- <tr><td class='base'>$Lang::tr{'state or province'}:</td>
- <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' /></td></tr>
- <tr><td class='base'>$Lang::tr{'country'}:</td>
- <td class='base'><select name='ROOTCERT_COUNTRY'>
+ print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'});
+ close ($fh);
+
+ my $opt = " ca -md sha256 -days 999999";
+ $opt .= " -batch -notext";
+ $opt .= " -in ${General::swroot}/certs/hostreq.pem";
+ $opt .= " -out ${General::swroot}/certs/hostcert.pem";
+ $opt .= " -extfile $v3extname";
+ $errormessage = &callssl ($opt);
+ unlink ("${General::swroot}/certs/hostreq.pem"); #no more needed
+ unlink ($v3extname);
+ }
+
+ # Create an empty CRL
+ if (!$errormessage) {
+ &General::log("ipsec", "Creating emptycrl...");
+ my $opt = " ca -gencrl";
+ $opt .= " -out ${General::swroot}/crls/cacrl.pem";
+ $errormessage = &callssl ($opt);
+ }
+
+ # Successfully build CA / CERT!
+ if (!$errormessage) {
+ &cleanssldatabase();
+ goto ROOTCERT_SUCCESS;
+ }
+
+ #Cleanup
+ unlink ("${General::swroot}/ca/cacert.pem");
+ unlink ("${General::swroot}/certs/hostkey.pem");
+ unlink ("${General::swroot}/certs/hostcert.pem");
+ unlink ("${General::swroot}/crls/cacrl.pem");
+ &cleanssldatabase();
+ }
+
+ ROOTCERT_ERROR:
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'ipsec'}, 1, '');
+ &Header::openbigbox('100%', 'left', '', $errormessage);
+ if ($errormessage) {
+ &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
+ print "<class name='base'>$errormessage";
+ print " </class>";
+ &Header::closebox();
+ }
+ &Header::openbox('100%', 'left', "$Lang::tr{'generate root/host certificates'}:");
+ print <<END
+ <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>
+ <table width='100%' border='0' cellspacing='1' cellpadding='0'>
+ <tr><td width='40%' class='base'>$Lang::tr{'organization name'}: <img src='/blob.gif' alt='*' /></td>
+ <td width='60%' class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_ORGANIZATION' value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td></tr>
+ <tr><td class='base'>$Lang::tr{'ipfires hostname'}: <img src='/blob.gif' alt='*' /></td>
+ <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' size='32' /></td></tr>
+ <tr><td class='base'>$Lang::tr{'your e-mail'}:</td>
+ <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' /></td></tr>
+ <tr><td class='base'>$Lang::tr{'your department'}:</td>
+ <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' /></td></tr>
+ <tr><td class='base'>$Lang::tr{'city'}:</td>
+ <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' /></td></tr>
+ <tr><td class='base'>$Lang::tr{'state or province'}:</td>
+ <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' /></td></tr>
+ <tr><td class='base'>$Lang::tr{'country'}:</td>
+ <td class='base'><select name='ROOTCERT_COUNTRY'>
END
- ;
- foreach my $country (sort keys %{Countries::countries}) {
- print "<option value='$Countries::countries{$country}'";
- if ( $Countries::countries{$country} eq $cgiparams{'ROOTCERT_COUNTRY'} ) {
- print " selected='selected'";
- }
- print ">$country</option>";
- }
- print <<END
- </select></td></tr>
- <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td>
+;
+ foreach my $country (sort keys %{Countries::countries}) {
+ print "<option value='$Countries::countries{$country}'";
+ if ( $Countries::countries{$country} eq $cgiparams{'ROOTCERT_COUNTRY'} ) {
+ print " selected='selected'";
+ }
+ print ">$country</option>";
+ }
+ print <<END
+ </select></td></tr>
+ <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td>
<td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' /></td></tr>
- <tr><td> </td>
- <td><br /><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /><br /><br /></td></tr>
- <tr><td class='base' colspan='2' align='left'>
- <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>:
- $Lang::tr{'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient'}
- </td></tr>
- <tr><td colspan='2'><hr></td></tr>
- <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}:</td>
- <td nowrap='nowrap'><input type='file' name='FH' size='32' /></td></tr>
- <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:</td>
- <td class='base' nowrap='nowrap'><input type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td></tr>
- <tr><td> </td>
- <td><input type='submit' name='ACTION' value='$Lang::tr{'upload p12 file'}' /></td></tr>
- <tr><td class='base' colspan='2' align='left'>
- <img src='/blob.gif' alt='*' /> $Lang::tr{'required field'}</td></tr>
- </table></form>
+ <tr><td> </td>
+ <td><br /><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /><br /><br /></td></tr>
+ <tr><td class='base' colspan='2' align='left'>
+ <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>:
+ $Lang::tr{'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient'}
+ </td></tr>
+ <tr><td colspan='2'><hr></td></tr>
+ <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}:</td>
+ <td nowrap='nowrap'><input type='file' name='FH' size='32' /></td></tr>
+ <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:</td>
+ <td class='base' nowrap='nowrap'><input type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td></tr>
+ <tr><td> </td>
+ <td><input type='submit' name='ACTION' value='$Lang::tr{'upload p12 file'}' /></td></tr>
+ <tr><td class='base' colspan='2' align='left'>
+ <img src='/blob.gif' alt='*' /> $Lang::tr{'required field'}</td></tr>
+ </table></form>
END
- ;
- &Header::closebox();
- &Header::closebigbox();
- &Header::closepage();
- exit(0);
-
- ROOTCERT_SUCCESS:
- if (&vpnenabled) {
- system('/usr/local/bin/ipsecctrl', 'S');
- sleep $sleepDelay;
- }
- ROOTCERT_SKIP:
+;
+ &Header::closebox();
+ &Header::closebigbox();
+ &Header::closepage();
+ exit(0);
+
+ ROOTCERT_SUCCESS:
+ if (&vpnenabled) {
+ system('/usr/local/bin/ipsecctrl', 'S');
+ sleep $sleepDelay;
+ }
+ ROOTCERT_SKIP:
###
### Export PKCS12 file to browser
###
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download pkcs12 file'}) {
- &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
- print "Content-Type: application/force-download\n";
- print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n";
- print "Content-Type: application/octet-stream\r\n\r\n";
- print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`;
- exit (0);
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+ print "Content-Type: application/force-download\n";
+ print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n";
+ print "Content-Type: application/octet-stream\r\n\r\n";
+ print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`;
+ exit (0);
###
### Display certificate
###
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) {
- &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
-
- if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
- &Header::showhttpheaders();
- &Header::openpage($Lang::tr{'ipsec'}, 1, '');
- &Header::openbigbox('100%', 'left', '', '');
- &Header::openbox('100%', 'left', "$Lang::tr{'cert'}:");
- my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
- $output = &Header::cleanhtml($output,"y");
- print "<pre>$output</pre>\n";
- &Header::closebox();
- print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";
- &Header::closebigbox();
- &Header::closepage();
- exit(0);
- }
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+
+ if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'ipsec'}, 1, '');
+ &Header::openbigbox('100%', 'left', '', '');
+ &Header::openbox('100%', 'left', "$Lang::tr{'cert'}:");
+ my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
+ $output = &Header::cleanhtml($output,"y");
+ print "<pre>$output</pre>\n";
+ &Header::closebox();
+ print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>";
+ &Header::closebigbox();
+ &Header::closepage();
+ exit(0);
+ }
###
### Export Certificate to browser
###
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) {
- &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
- if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
- print "Content-Type: application/force-download\n";
- print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\n\n";
- print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
- exit (0);
- }
+ if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
+ print "Content-Type: application/force-download\n";
+ print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\n\n";
+ print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
+ exit (0);
+ }
###
### Enable/Disable connection
###
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
-
- &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
- &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
-
- if ($confighash{$cgiparams{'KEY'}}) {
- if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
- $confighash{$cgiparams{'KEY'}}[0] = 'on';
- &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
- &writeipsecfiles();
- system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled);
+
+ &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+
+ if ($confighash{$cgiparams{'KEY'}}) {
+ if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
+ $confighash{$cgiparams{'KEY'}}[0] = 'on';
+ &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
+ &writeipsecfiles();
+ system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled);
+ } else {
+ system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
+ $confighash{$cgiparams{'KEY'}}[0] = 'off';
+ &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
+ &writeipsecfiles();
+ }
+ sleep $sleepDelay;
} else {
- system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
- $confighash{$cgiparams{'KEY'}}[0] = 'off';
- &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
- &writeipsecfiles();
+ $errormessage = $Lang::tr{'invalid key'};
}
- sleep $sleepDelay;
- } else {
- $errormessage = $Lang::tr{'invalid key'};
- }
###
### Restart connection
###
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'restart'}) {
- &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
- &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+ &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
- if ($confighash{$cgiparams{'KEY'}}) {
- if (&vpnenabled) {
- system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
- sleep $sleepDelay;
+ if ($confighash{$cgiparams{'KEY'}}) {
+ if (&vpnenabled) {
+ system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
+ sleep $sleepDelay;
+ }
+ } else {
+ $errormessage = $Lang::tr{'invalid key'};
}
- } else {
- $errormessage = $Lang::tr{'invalid key'};
- }
###
### Remove connection
###
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {
- &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
- &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
-
- if ($confighash{$cgiparams{'KEY'}}) {
- system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
- unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
- unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
- delete $confighash{$cgiparams{'KEY'}};
- &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
- &writeipsecfiles();
- } else {
- $errormessage = $Lang::tr{'invalid key'};
- }
+ &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+
+ if ($confighash{$cgiparams{'KEY'}}) {
+ system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
+ unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
+ unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
+ delete $confighash{$cgiparams{'KEY'}};
+ &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
+ &writeipsecfiles();
+ } else {
+ $errormessage = $Lang::tr{'invalid key'};
+ }
&General::firewall_reload();
###
### Choose between adding a host-net or net-net connection
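Review bot: the 'download pkcs12 file' branch (the re-indented lines `print "Content-Type: application/force-download\n";` through `print \`/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12\`;`) still lacks the existence check that the neighbouring 'show certificate' and 'download certificate' branches perform with `if ( -f "${General::swroot}/certs/...cert.pem")`: with a KEY that is not in `%confighash` the path collapses to `.../certs/.p12`, the headers are already on the wire, and the client gets an empty attachment instead of an error. The same lines also emit two Content-Type headers with mixed `\n` and `\r\n` line endings. Suggest guarding on `$confighash{$cgiparams{'KEY'}}` and `-f` before printing any header, emitting a single Content-Type, and reading the file from Perl rather than via a backtick `cat`. Apart from that carried-over issue this hunk is a whitespace-only tab re-indent (including the `;` heredoc terminators moved to column 0) with no behavioural change.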
@@ -1227,535 +1220,545 @@ END
&Header::openbigbox('100%', 'left', '', '');
&Header::openbox('100%', 'left', $Lang::tr{'connection type'});
print <<END
- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
- <b>$Lang::tr{'connection type'}:</b><br />
- <table>
- <tr><td><input type='radio' name='TYPE' value='host' checked='checked' /></td>
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <b>$Lang::tr{'connection type'}:</b><br />
+ <table>
+ <tr><td><input type='radio' name='TYPE' value='host' checked='checked' /></td>
<td class='base'>$Lang::tr{'host to net vpn'}</td>
- </tr><tr>
+ </tr><tr>
<td><input type='radio' name='TYPE' value='net' /></td>
<td class='base'>$Lang::tr{'net to net vpn'}</td>
- </tr><tr>
+ </tr><tr>
<td align='center' colspan='2'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td>
- </tr>
- </table></form>
+ </tr>
+ </table></form>
END
- ;
+;
&Header::closebox();
&Header::closebigbox();
&Header::closepage();
exit (0);
###
-### Adding/Editing/Saving a connection
+### Adding/Editing/Saving a connection
###
} elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) ||
- ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) ||
- ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) {
-
- &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
- &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
- &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
-
- if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) {
- if (! $confighash{$cgiparams{'KEY'}}[0]) {
- $errormessage = $Lang::tr{'invalid key'};
- goto VPNCONF_END;
- }
- $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0];
- $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1];
- $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3];
- $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4];
- $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5];
- #$cgiparams{'free'} = $confighash{$cgiparams{'KEY'}}[6];
- $cgiparams{'LOCAL_ID'} = $confighash{$cgiparams{'KEY'}}[7];
- $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8];
- $cgiparams{'REMOTE_ID'} = $confighash{$cgiparams{'KEY'}}[9];
- $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10];
- $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11];
- $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25];
- $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27];
- $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29];
- $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18];
- $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19];
- $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20];
- $cgiparams{'IKE_LIFETIME'} = $confighash{$cgiparams{'KEY'}}[16];
- $cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21];
- $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22];
- $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23];
- if ($cgiparams{'ESP_GROUPTYPE'} eq "") {
- $cgiparams{'ESP_GROUPTYPE'} = $cgiparams{'IKE_GROUPTYPE'};
- }
- $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17];
- $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13];
- $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24];
- $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28];
- $cgiparams{'VHOST'} = $confighash{$cgiparams{'KEY'}}[14];
- $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30];
- $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31];
- $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32];
+ ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) ||
+ ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) {
- if (!$cgiparams{'DPD_DELAY'}) {
- $cgiparams{'DPD_DELAY'} = 30;
- }
+ &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
+ &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
- if (!$cgiparams{'DPD_TIMEOUT'}) {
- $cgiparams{'DPD_TIMEOUT'} = 120;
- }
+ if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) {
+ if (! $confighash{$cgiparams{'KEY'}}[0]) {
+ $errormessage = $Lang::tr{'invalid key'};
+ goto VPNCONF_END;
+ }
+ $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0];
+ $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1];
+ $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3];
+ $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4];
+ $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5];
+ #$cgiparams{'free'} = $confighash{$cgiparams{'KEY'}}[6];
+ $cgiparams{'LOCAL_ID'} = $confighash{$cgiparams{'KEY'}}[7];
+ my @local_subnets = split(",", $confighash{$cgiparams{'KEY'}}[8]);
+ $cgiparams{'LOCAL_SUBNET'} = join(/\|/, @local_subnets);
+ $cgiparams{'REMOTE_ID'} = $confighash{$cgiparams{'KEY'}}[9];
+ $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10];
+ my @remote_subnets = split(",", $confighash{$cgiparams{'KEY'}}[11]);
+ $cgiparams{'REMOTE_SUBNET'} = join(/\|/, @remote_subnets);
+ $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25];
+ $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27];
+ $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29];
+ $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18];
+ $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19];
+ $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20];
+ $cgiparams{'IKE_LIFETIME'} = $confighash{$cgiparams{'KEY'}}[16];
+ $cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21];
+ $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22];
+ $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23];
+ if ($cgiparams{'ESP_GROUPTYPE'} eq "") {
+ $cgiparams{'ESP_GROUPTYPE'} = $cgiparams{'IKE_GROUPTYPE'};
+ }
+ $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17];
+ $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13];
+ $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24];
+ $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28];
+ $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30];
+ $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31];
+ $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32];
+
+ if (!$cgiparams{'DPD_DELAY'}) {
+ $cgiparams{'DPD_DELAY'} = 30;
+ }
- } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
- $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
- if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
- $errormessage = $Lang::tr{'connection type is invalid'};
- goto VPNCONF_ERROR;
- }
+ if (!$cgiparams{'DPD_TIMEOUT'}) {
+ $cgiparams{'DPD_TIMEOUT'} = 120;
+ }
- if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) {
- $errormessage = $Lang::tr{'name must only contain characters'};
- goto VPNCONF_ERROR;
- }
+ } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
+ $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
+ if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
+ $errormessage = $Lang::tr{'connection type is invalid'};
+ goto VPNCONF_ERROR;
+ }
- if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) {
- $errormessage = $Lang::tr{'name is invalid'};
- goto VPNCONF_ERROR;
- }
+ if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) {
+ $errormessage = $Lang::tr{'name must only contain characters'};
+ goto VPNCONF_ERROR;
+ }
- if (length($cgiparams{'NAME'}) >60) {
- $errormessage = $Lang::tr{'name too long'};
- goto VPNCONF_ERROR;
- }
+ if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) {
+ $errormessage = $Lang::tr{'name is invalid'};
+ goto VPNCONF_ERROR;
+ }
- # Check if there is no other entry with this name
- if (! $cgiparams{'KEY'}) { #only for add
- foreach my $key (keys %confighash) {
- if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
- $errormessage = $Lang::tr{'a connection with this name already exists'};
- goto VPNCONF_ERROR;
+ if (length($cgiparams{'NAME'}) >60) {
+ $errormessage = $Lang::tr{'name too long'};
+ goto VPNCONF_ERROR;
}
- }
- }
- if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) {
- $errormessage = $Lang::tr{'invalid input for remote host/ip'};
- goto VPNCONF_ERROR;
- }
+ # Check if there is no other entry with this name
+ if (! $cgiparams{'KEY'}) { #only for add
+ foreach my $key (keys %confighash) {
+ if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
+ $errormessage = $Lang::tr{'a connection with this name already exists'};
+ goto VPNCONF_ERROR;
+ }
+ }
+ }
- if ($cgiparams{'REMOTE'}) {
- if (($cgiparams{'REMOTE'} ne '%any') && (! &General::validip($cgiparams{'REMOTE'}))) {
- if (! &General::validfqdn ($cgiparams{'REMOTE'})) {
- $errormessage = $Lang::tr{'invalid input for remote host/ip'};
- goto VPNCONF_ERROR;
- } else {
- if (&valid_dns_host($cgiparams{'REMOTE'})) {
- $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}";
- }
+ if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) {
+ $errormessage = $Lang::tr{'invalid input for remote host/ip'};
+ goto VPNCONF_ERROR;
}
- }
- }
- unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) {
- $errormessage = $Lang::tr{'local subnet is invalid'};
- goto VPNCONF_ERROR;
- }
+ if ($cgiparams{'REMOTE'}) {
+ if (($cgiparams{'REMOTE'} ne '%any') && (! &General::validip($cgiparams{'REMOTE'}))) {
+ if (! &General::validfqdn ($cgiparams{'REMOTE'})) {
+ $errormessage = $Lang::tr{'invalid input for remote host/ip'};
+ goto VPNCONF_ERROR;
+ } else {
+ if (&valid_dns_host($cgiparams{'REMOTE'})) {
+ $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}";
+ }
+ }
+ }
+ }
- # Allow only one roadwarrior/psk without remote IP-address
- if ($cgiparams{'REMOTE'} eq '' && $cgiparams{'AUTH'} eq 'psk') {
- foreach my $key (keys %confighash) {
- if ( ($cgiparams{'KEY'} ne $key) &&
- ($confighash{$key}[4] eq 'psk') &&
- ($confighash{$key}[10] eq '') ) {
- $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'};
- goto VPNCONF_ERROR;
+ my @local_subnets = split(",", $cgiparams{'LOCAL_SUBNET'});
+ foreach my $subnet (@local_subnets) {
+ unless (&Network::check_subnet($subnet)) {
+ $errormessage = $Lang::tr{'local subnet is invalid'};
+ goto VPNCONF_ERROR;
+ }
}
- }
- }
- if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) {
- $errormessage = $Lang::tr{'remote subnet is invalid'};
- goto VPNCONF_ERROR;
- }
- if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
- $errormessage = $Lang::tr{'invalid input'};
- goto VPNCONF_ERROR;
- }
- if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) {
- $errormessage = $Lang::tr{'invalid input'};
- goto VPNCONF_ERROR;
- }
+ # Allow only one roadwarrior/psk without remote IP-address
+ if ($cgiparams{'REMOTE'} eq '' && $cgiparams{'AUTH'} eq 'psk') {
+ foreach my $key (keys %confighash) {
+ if ( ($cgiparams{'KEY'} ne $key) &&
+ ($confighash{$key}[4] eq 'psk') &&
+ ($confighash{$key}[10] eq '') ) {
+ $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'};
+ goto VPNCONF_ERROR;
+ }
+ }
+ }
- # Allow nothing or a string (DN,FDQN,) beginning with @
- # with no comma but slashes between RID eg @O=FR/C=Paris/OU=myhome/CN=franck
- if ( ($cgiparams{'LOCAL_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) ||
- ($cgiparams{'REMOTE_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) ||
- (($cgiparams{'REMOTE_ID'} eq $cgiparams{'LOCAL_ID'}) && ($cgiparams{'LOCAL_ID'} ne ''))
- ) {
- $errormessage = $Lang::tr{'invalid local-remote id'} . '<br />' .
- 'DER_ASN1_DN: @c=FR/ou=Paris/ou=Home/cn=*<br />' .
- 'FQDN: @ipfire.org<br />' .
- 'USER_FQDN: info(a)ipfire.org<br />' .
- 'IPV4_ADDR: 123.123.123.123';
- goto VPNCONF_ERROR;
- }
- # If Auth is DN, verify existance of Remote ID.
- if ( $cgiparams{'REMOTE_ID'} eq '' && (
- $cgiparams{'AUTH'} eq 'auth-dn'|| # while creation
- $confighash{$cgiparams{'KEY'}}[2] eq '%auth-dn')){ # while editing
- $errormessage = $Lang::tr{'vpn missing remote id'};
- goto VPNCONF_ERROR;
- }
+ if ($cgiparams{'TYPE'} eq 'net') {
+ my @remote_subnets = split(",", $cgiparams{'REMOTE_SUBNET'});
+ foreach my $subnet (@remote_subnets) {
+ unless (&Network::check_subnet($subnet)) {
+ $errormessage = $Lang::tr{'remote subnet is invalid'};
+ goto VPNCONF_ERROR;
+ }
+ }
+ }
- if ($cgiparams{'TYPE'} eq 'net'){
- $warnmessage=&General::checksubnets('',$cgiparams{'REMOTE_SUBNET'},'ipsec');
- if ($warnmessage ne ''){
- $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage;
+ if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto VPNCONF_ERROR;
}
- }
- if ($cgiparams{'AUTH'} eq 'psk') {
- if (! length($cgiparams{'PSK'}) ) {
- $errormessage = $Lang::tr{'pre-shared key is too short'};
- goto VPNCONF_ERROR;
- }
- if ($cgiparams{'PSK'} =~ /'/) {
- $cgiparams{'PSK'} =~ tr/'/ /;
- $errormessage = $Lang::tr{'invalid characters found in pre-shared key'};
- goto VPNCONF_ERROR;
- }
+ # Allow nothing or a string (DN,FDQN,) beginning with @
+ # with no comma but slashes between RID eg @O=FR/C=Paris/OU=myhome/CN=franck
+ if ( ($cgiparams{'LOCAL_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) ||
+ ($cgiparams{'REMOTE_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) ||
+ (($cgiparams{'REMOTE_ID'} eq $cgiparams{'LOCAL_ID'}) && ($cgiparams{'LOCAL_ID'} ne ''))
+ ) {
+ $errormessage = $Lang::tr{'invalid local-remote id'} . '<br />' .
+ 'DER_ASN1_DN: @c=FR/ou=Paris/ou=Home/cn=*<br />' .
+ 'FQDN: @ipfire.org<br />' .
+ 'USER_FQDN: info(a)ipfire.org<br />' .
+ 'IPV4_ADDR: 123.123.123.123';
+ goto VPNCONF_ERROR;
+ }
+ # If Auth is DN, verify existance of Remote ID.
+ if ( $cgiparams{'REMOTE_ID'} eq '' && (
+ $cgiparams{'AUTH'} eq 'auth-dn'|| # while creation
+ $confighash{$cgiparams{'KEY'}}[2] eq '%auth-dn')){ # while editing
+ $errormessage = $Lang::tr{'vpn missing remote id'};
+ goto VPNCONF_ERROR;
+ }
+
+ if ($cgiparams{'TYPE'} eq 'net'){
+ $warnmessage=&General::checksubnets('',$cgiparams{'REMOTE_SUBNET'},'ipsec');
+ if ($warnmessage ne ''){
+ $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage;
+ }
+ }
+
+ if ($cgiparams{'AUTH'} eq 'psk') {
+ if (! length($cgiparams{'PSK'}) ) {
+ $errormessage = $Lang::tr{'pre-shared key is too short'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'PSK'} =~ /'/) {
+ $cgiparams{'PSK'} =~ tr/'/ /;
+ $errormessage = $Lang::tr{'invalid characters found in pre-shared key'};
+ goto VPNCONF_ERROR;
+ }
} elsif ($cgiparams{'AUTH'} eq 'certreq') {
- if ($cgiparams{'KEY'}) {
- $errormessage = $Lang::tr{'cant change certificates'};
- goto VPNCONF_ERROR;
- }
- if (ref ($cgiparams{'FH'}) ne 'Fh') {
- $errormessage = $Lang::tr{'there was no file upload'};
- goto VPNCONF_ERROR;
- }
+ if ($cgiparams{'KEY'}) {
+ $errormessage = $Lang::tr{'cant change certificates'};
+ goto VPNCONF_ERROR;
+ }
+ if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ $errormessage = $Lang::tr{'there was no file upload'};
+ goto VPNCONF_ERROR;
+ }
- # Move uploaded certificate request to a temporary file
- (my $fh, my $filename) = tempfile( );
- if (copy ($cgiparams{'FH'}, $fh) != 1) {
- $errormessage = $!;
- goto VPNCONF_ERROR;
- }
+ # Move uploaded certificate request to a temporary file
+ (my $fh, my $filename) = tempfile( );
+ if (copy ($cgiparams{'FH'}, $fh) != 1) {
+ $errormessage = $!;
+ goto VPNCONF_ERROR;
+ }
- # Sign the certificate request
- &General::log("ipsec", "Signing your cert $cgiparams{'NAME'}...");
- my $opt = " ca -md sha256 -days 999999";
+ # Sign the certificate request
+ &General::log("ipsec", "Signing your cert $cgiparams{'NAME'}...");
+ my $opt = " ca -md sha256 -days 999999";
$opt .= " -batch -notext";
$opt .= " -in $filename";
$opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
- if ( $errormessage = &callssl ($opt) ) {
- unlink ($filename);
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
- &cleanssldatabase();
- goto VPNCONF_ERROR;
- } else {
- unlink ($filename);
- &cleanssldatabase();
- }
-
- $cgiparams{'CERT_NAME'} = getCNfromcert ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
- if ($cgiparams{'CERT_NAME'} eq '') {
- $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
- goto VPNCONF_ERROR;
- }
+ if ( $errormessage = &callssl ($opt) ) {
+ unlink ($filename);
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
+ &cleanssldatabase();
+ goto VPNCONF_ERROR;
+ } else {
+ unlink ($filename);
+ &cleanssldatabase();
+ }
+
+ $cgiparams{'CERT_NAME'} = getCNfromcert ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
+ if ($cgiparams{'CERT_NAME'} eq '') {
+ $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
+ goto VPNCONF_ERROR;
+ }
} elsif ($cgiparams{'AUTH'} eq 'pkcs12') {
&General::log("ipsec", "Importing from p12...");
if (ref ($cgiparams{'FH'}) ne 'Fh') {
- $errormessage = $Lang::tr{'there was no file upload'};
- goto ROOTCERT_ERROR;
+ $errormessage = $Lang::tr{'there was no file upload'};
+ goto ROOTCERT_ERROR;
}
# Move uploaded certificate request to a temporary file
(my $fh, my $filename) = tempfile( );
if (copy ($cgiparams{'FH'}, $fh) != 1) {
- $errormessage = $!;
- goto ROOTCERT_ERROR;
+ $errormessage = $!;
+ goto ROOTCERT_ERROR;
}
# Extract the CA certificate from the file
&General::log("ipsec", "Extracting caroot from p12...");
if (open(STDIN, "-|")) {
- my $opt = " pkcs12 -cacerts -nokeys";
+ my $opt = " pkcs12 -cacerts -nokeys";
$opt .= " -in $filename";
$opt .= " -out /tmp/newcacert";
- $errormessage = &callssl ($opt);
- } else { #child
- print "$cgiparams{'P12_PASS'}\n";
- exit (0);
- }
-
- # Extract the Host certificate from the file
- if (!$errormessage) {
- &General::log("ipsec", "Extracting host cert from p12...");
- if (open(STDIN, "-|")) {
- my $opt = " pkcs12 -clcerts -nokeys";
- $opt .= " -in $filename";
- $opt .= " -out /tmp/newhostcert";
$errormessage = &callssl ($opt);
- } else { #child
+ } else { #child
print "$cgiparams{'P12_PASS'}\n";
exit (0);
- }
- }
-
- if (!$errormessage) {
- &General::log("ipsec", "Moving cacert...");
- #If CA have new subject, add it to our list of CA
- my $casubject = &Header::cleanhtml(getsubjectfromcert ('/tmp/newcacert'));
- my @names;
- foreach my $x (keys %cahash) {
- $casubject='' if ($cahash{$x}[1] eq $casubject);
- unshift (@names,$cahash{$x}[0]);
- }
- if ($casubject) { # a new one!
- my $temp = `/usr/bin/openssl x509 -text -in /tmp/newcacert`;
- if ($temp !~ /CA:TRUE/i) {
- $errormessage = $Lang::tr{'not a valid ca certificate'};
- } else {
- #compute a name for it
- my $idx=0;
- while (grep(/Imported-$idx/, @names) ) {$idx++};
- $cgiparams{'CA_NAME'}="Imported-$idx";
- $cgiparams{'CERT_NAME'}=&Header::cleanhtml(getCNfromcert ('/tmp/newhostcert'));
- move("/tmp/newcacert", "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem");
- $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0);
- if (!$errormessage) {
- my $key = &General::findhasharraykey (\%cahash);
- $cahash{$key}[0] = $cgiparams{'CA_NAME'};
- $cahash{$key}[1] = $casubject;
- &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
- system('/usr/local/bin/ipsecctrl', 'R');
- }
- }
- }
+ }
+
+ # Extract the Host certificate from the file
+ if (!$errormessage) {
+ &General::log("ipsec", "Extracting host cert from p12...");
+ if (open(STDIN, "-|")) {
+ my $opt = " pkcs12 -clcerts -nokeys";
+ $opt .= " -in $filename";
+ $opt .= " -out /tmp/newhostcert";
+ $errormessage = &callssl ($opt);
+ } else { #child
+ print "$cgiparams{'P12_PASS'}\n";
+ exit (0);
+ }
+ }
+
+ if (!$errormessage) {
+ &General::log("ipsec", "Moving cacert...");
+ #If CA have new subject, add it to our list of CA
+ my $casubject = &Header::cleanhtml(getsubjectfromcert ('/tmp/newcacert'));
+ my @names;
+ foreach my $x (keys %cahash) {
+ $casubject='' if ($cahash{$x}[1] eq $casubject);
+ unshift (@names,$cahash{$x}[0]);
+ }
+ if ($casubject) { # a new one!
+ my $temp = `/usr/bin/openssl x509 -text -in /tmp/newcacert`;
+ if ($temp !~ /CA:TRUE/i) {
+ $errormessage = $Lang::tr{'not a valid ca certificate'};
+ } else {
+ #compute a name for it
+ my $idx=0;
+ while (grep(/Imported-$idx/, @names) ) {$idx++};
+ $cgiparams{'CA_NAME'}="Imported-$idx";
+ $cgiparams{'CERT_NAME'}=&Header::cleanhtml(getCNfromcert ('/tmp/newhostcert'));
+ move("/tmp/newcacert", "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem");
+ $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0);
+ if (!$errormessage) {
+ my $key = &General::findhasharraykey (\%cahash);
+ $cahash{$key}[0] = $cgiparams{'CA_NAME'};
+ $cahash{$key}[1] = $casubject;
+ &General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
+ system('/usr/local/bin/ipsecctrl', 'R');
+ }
+ }
+ }
}
if (!$errormessage) {
- &General::log("ipsec", "Moving host cert...");
- move("/tmp/newhostcert", "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
- $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0);
- }
+ &General::log("ipsec", "Moving host cert...");
+ move("/tmp/newhostcert", "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
+ $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0);
+ }
#cleanup temp files
unlink ($filename);
unlink ('/tmp/newcacert');
unlink ('/tmp/newhostcert');
if ($errormessage) {
- unlink ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem");
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
- goto VPNCONF_ERROR;
+ unlink ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem");
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
+ goto VPNCONF_ERROR;
}
&General::log("ipsec", "p12 import completed!");
} elsif ($cgiparams{'AUTH'} eq 'certfile') {
- if ($cgiparams{'KEY'}) {
- $errormessage = $Lang::tr{'cant change certificates'};
- goto VPNCONF_ERROR;
- }
- if (ref ($cgiparams{'FH'}) ne 'Fh') {
- $errormessage = $Lang::tr{'there was no file upload'};
- goto VPNCONF_ERROR;
- }
- # Move uploaded certificate to a temporary file
- (my $fh, my $filename) = tempfile( );
- if (copy ($cgiparams{'FH'}, $fh) != 1) {
- $errormessage = $!;
- goto VPNCONF_ERROR;
- }
-
- # Verify the certificate has a valid CA and move it
- &General::log("ipsec", "Validating imported cert against our known CA...");
- my $validca = 1; #assume ok
- my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/cacert.pem $filename`;
- if ($test !~ /: OK/) {
- my $validca = 0;
- foreach my $key (keys %cahash) {
- $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$key}[0]cert.pem $filename`;
- if ($test =~ /: OK/) {
- $validca = 1;
- last;
- }
- }
- }
- if (! $validca) {
- $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'};
- unlink ($filename);
- goto VPNCONF_ERROR;
- } else {
- move($filename, "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
- if ($? ne 0) {
- $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
- unlink ($filename);
- goto VPNCONF_ERROR;
+ if ($cgiparams{'KEY'}) {
+ $errormessage = $Lang::tr{'cant change certificates'};
+ goto VPNCONF_ERROR;
+ }
+ if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ $errormessage = $Lang::tr{'there was no file upload'};
+ goto VPNCONF_ERROR;
+ }
+ # Move uploaded certificate to a temporary file
+ (my $fh, my $filename) = tempfile( );
+ if (copy ($cgiparams{'FH'}, $fh) != 1) {
+ $errormessage = $!;
+ goto VPNCONF_ERROR;
}
- }
- $cgiparams{'CERT_NAME'} = getCNfromcert ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
- if ($cgiparams{'CERT_NAME'} eq '') {
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
- $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
- goto VPNCONF_ERROR;
- }
+ # Verify the certificate has a valid CA and move it
+ &General::log("ipsec", "Validating imported cert against our known CA...");
+ my $validca = 1; #assume ok
+ my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/cacert.pem $filename`;
+ if ($test !~ /: OK/) {
+ my $validca = 0;
+ foreach my $key (keys %cahash) {
+ $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$key}[0]cert.pem $filename`;
+ if ($test =~ /: OK/) {
+ $validca = 1;
+ last;
+ }
+ }
+ }
+ if (! $validca) {
+ $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'};
+ unlink ($filename);
+ goto VPNCONF_ERROR;
+ } else {
+ move($filename, "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
+ if ($? ne 0) {
+ $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
+ unlink ($filename);
+ goto VPNCONF_ERROR;
+ }
+ }
+
+ $cgiparams{'CERT_NAME'} = getCNfromcert ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
+ if ($cgiparams{'CERT_NAME'} eq '') {
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
+ $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
+ goto VPNCONF_ERROR;
+ }
} elsif ($cgiparams{'AUTH'} eq 'certgen') {
- if ($cgiparams{'KEY'}) {
- $errormessage = $Lang::tr{'cant change certificates'};
- goto VPNCONF_ERROR;
- }
- # Validate input since the form was submitted
- if (length($cgiparams{'CERT_NAME'}) >60) {
- $errormessage = $Lang::tr{'name too long'};
- goto VPNCONF_ERROR;
- }
- if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
- $errormessage = $Lang::tr{'invalid input for name'};
- goto VPNCONF_ERROR;
- }
- if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) {
- $errormessage = $Lang::tr{'invalid input for e-mail address'};
- goto VPNCONF_ERROR;
- }
- if (length($cgiparams{'CERT_EMAIL'}) > 40) {
- $errormessage = $Lang::tr{'e-mail address too long'};
- goto VPNCONF_ERROR;
- }
- if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
- $errormessage = $Lang::tr{'invalid input for department'};
- goto VPNCONF_ERROR;
- }
- if (length($cgiparams{'CERT_ORGANIZATION'}) >60) {
- $errormessage = $Lang::tr{'organization too long'};
- goto VPNCONF_ERROR;
- }
- if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
- $errormessage = $Lang::tr{'invalid input for organization'};
- goto VPNCONF_ERROR;
- }
- if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
- $errormessage = $Lang::tr{'invalid input for city'};
- goto VPNCONF_ERROR;
- }
- if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
- $errormessage = $Lang::tr{'invalid input for state or province'};
- goto VPNCONF_ERROR;
- }
- if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) {
- $errormessage = $Lang::tr{'invalid input for country'};
- goto VPNCONF_ERROR;
- }
- #the exact syntax is a list comma separated of
- # email:any-validemail
- # URI: a uniform resource indicator
- # DNS: a DNS domain name
- # RID: a registered OBJECT IDENTIFIER
- # IP: an IP address
- # example: email:franck(a)foo.com,IP:10.0.0.10,DNS:franck.foo.com
-
- if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :\/,\.\-_@]*$/) {
- $errormessage = $Lang::tr{'vpn altname syntax'};
- goto VPNCONF_ERROR;
- }
+ if ($cgiparams{'KEY'}) {
+ $errormessage = $Lang::tr{'cant change certificates'};
+ goto VPNCONF_ERROR;
+ }
+ # Validate input since the form was submitted
+ if (length($cgiparams{'CERT_NAME'}) >60) {
+ $errormessage = $Lang::tr{'name too long'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
+ $errormessage = $Lang::tr{'invalid input for name'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) {
+ $errormessage = $Lang::tr{'invalid input for e-mail address'};
+ goto VPNCONF_ERROR;
+ }
+ if (length($cgiparams{'CERT_EMAIL'}) > 40) {
+ $errormessage = $Lang::tr{'e-mail address too long'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
+ $errormessage = $Lang::tr{'invalid input for department'};
+ goto VPNCONF_ERROR;
+ }
+ if (length($cgiparams{'CERT_ORGANIZATION'}) >60) {
+ $errormessage = $Lang::tr{'organization too long'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
+ $errormessage = $Lang::tr{'invalid input for organization'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
+ $errormessage = $Lang::tr{'invalid input for city'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
+ $errormessage = $Lang::tr{'invalid input for state or province'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) {
+ $errormessage = $Lang::tr{'invalid input for country'};
+ goto VPNCONF_ERROR;
+ }
+ #the exact syntax is a list comma separated of
+ # email:any-validemail
+ # URI: a uniform resource indicator
+ # DNS: a DNS domain name
+ # RID: a registered OBJECT IDENTIFIER
+ # IP: an IP address
+ # example: email:franck(a)foo.com,IP:10.0.0.10,DNS:franck.foo.com
+
+ if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :\/,\.\-_@]*$/) {
+ $errormessage = $Lang::tr{'vpn altname syntax'};
+ goto VPNCONF_ERROR;
+ }
- if (length($cgiparams{'CERT_PASS1'}) < 5) {
- $errormessage = $Lang::tr{'password too short'};
- goto VPNCONF_ERROR;
- }
- if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) {
- $errormessage = $Lang::tr{'passwords do not match'};
- goto VPNCONF_ERROR;
- }
+ if (length($cgiparams{'CERT_PASS1'}) < 5) {
+ $errormessage = $Lang::tr{'password too short'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) {
+ $errormessage = $Lang::tr{'passwords do not match'};
+ goto VPNCONF_ERROR;
+ }
- # Replace empty strings with a .
- (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;
- (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
- (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./;
+ # Replace empty strings with a .
+ (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;
+ (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
+ (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./;
- # Create the Client certificate request
- &General::log("ipsec", "Creating a cert...");
+ # Create the Client certificate request
+ &General::log("ipsec", "Creating a cert...");
- if (open(STDIN, "-|")) {
- my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache";
- $opt .= " -newkey rsa:2048";
- $opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem";
- $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
+ if (open(STDIN, "-|")) {
+ my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache";
+ $opt .= " -newkey rsa:2048";
+ $opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem";
+ $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
+
+ if ( $errormessage = &callssl ($opt) ) {
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");
+ goto VPNCONF_ERROR;
+ }
+ } else { #child
+ print "$cgiparams{'CERT_COUNTRY'}\n";
+ print "$state\n";
+ print "$city\n";
+ print "$cgiparams{'CERT_ORGANIZATION'}\n";
+ print "$ou\n";
+ print "$cgiparams{'CERT_NAME'}\n";
+ print "$cgiparams{'CERT_EMAIL'}\n";
+ print ".\n";
+ print ".\n";
+ exit (0);
+ }
- if ( $errormessage = &callssl ($opt) ) {
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");
- goto VPNCONF_ERROR;
- }
- } else { #child
- print "$cgiparams{'CERT_COUNTRY'}\n";
- print "$state\n";
- print "$city\n";
- print "$cgiparams{'CERT_ORGANIZATION'}\n";
- print "$ou\n";
- print "$cgiparams{'CERT_NAME'}\n";
- print "$cgiparams{'CERT_EMAIL'}\n";
- print ".\n";
- print ".\n";
- exit (0);
- }
-
- # Sign the client certificate request
- &General::log("ipsec", "Signing the cert $cgiparams{'NAME'}...");
-
- #No easy way for specifying the contain of subjectAltName without writing a config file...
- my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX');
- print $fh <<END
- basicConstraints=CA:FALSE
- nsComment="OpenSSL Generated Certificate"
- subjectKeyIdentifier=hash
- extendedKeyUsage=clientAuth
- authorityKeyIdentifier=keyid,issuer:always
+ # Sign the client certificate request
+ &General::log("ipsec", "Signing the cert $cgiparams{'NAME'}...");
+
+ #No easy way for specifying the contain of subjectAltName without writing a config file...
+ my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX');
+ print $fh <<END
+ basicConstraints=CA:FALSE
+ nsComment="OpenSSL Generated Certificate"
+ subjectKeyIdentifier=hash
+ extendedKeyUsage=clientAuth
+ authorityKeyIdentifier=keyid,issuer:always
END
;
- print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'});
- close ($fh);
-
- my $opt = " ca -md sha256 -days 999999 -batch -notext";
- $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
- $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
- $opt .= " -extfile $v3extname";
-
- if ( $errormessage = &callssl ($opt) ) {
- unlink ($v3extname);
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
- &cleanssldatabase();
- goto VPNCONF_ERROR;
- } else {
- unlink ($v3extname);
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");
- &cleanssldatabase();
- }
-
- # Create the pkcs12 file
- &General::log("ipsec", "Packing a pkcs12 file...");
- $opt = " pkcs12 -export";
- $opt .= " -inkey ${General::swroot}/certs/$cgiparams{'NAME'}key.pem";
- $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
- $opt .= " -name \"$cgiparams{'NAME'}\"";
- $opt .= " -passout pass:$cgiparams{'CERT_PASS1'}";
- $opt .= " -certfile ${General::swroot}/ca/cacert.pem";
- $opt .= " -caname \"$vpnsettings{'ROOTCERT_ORGANIZATION'} CA\"";
- $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}.p12";
-
- if ( $errormessage = &callssl ($opt) ) {
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}.p12");
- goto VPNCONF_ERROR;
- } else {
- unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");
- }
+ print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'});
+ close ($fh);
+
+ my $opt = " ca -md sha256 -days 999999 -batch -notext";
+ $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
+ $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
+ $opt .= " -extfile $v3extname";
+
+ if ( $errormessage = &callssl ($opt) ) {
+ unlink ($v3extname);
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
+ &cleanssldatabase();
+ goto VPNCONF_ERROR;
+ } else {
+ unlink ($v3extname);
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem");
+ &cleanssldatabase();
+ }
+
+ # Create the pkcs12 file
+ &General::log("ipsec", "Packing a pkcs12 file...");
+ $opt = " pkcs12 -export";
+ $opt .= " -inkey ${General::swroot}/certs/$cgiparams{'NAME'}key.pem";
+ $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
+ $opt .= " -name \"$cgiparams{'NAME'}\"";
+ $opt .= " -passout pass:$cgiparams{'CERT_PASS1'}";
+ $opt .= " -certfile ${General::swroot}/ca/cacert.pem";
+ $opt .= " -caname \"$vpnsettings{'ROOTCERT_ORGANIZATION'} CA\"";
+ $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}.p12";
+
+ if ( $errormessage = &callssl ($opt) ) {
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem");
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}.p12");
+ goto VPNCONF_ERROR;
+ } else {
+ unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem");
+ }
} elsif ($cgiparams{'AUTH'} eq 'cert') {
- ;# Nothing, just editing
+ ;# Nothing, just editing
} elsif ($cgiparams{'AUTH'} eq 'auth-dn') {
- $cgiparams{'CERT_NAME'} = '%auth-dn'; # a special value saying 'no cert file'
+ $cgiparams{'CERT_NAME'} = '%auth-dn'; # a special value saying 'no cert file'
} else {
- $errormessage = $Lang::tr{'invalid input for authentication method'};
- goto VPNCONF_ERROR;
+ $errormessage = $Lang::tr{'invalid input for authentication method'};
+ goto VPNCONF_ERROR;
}
# 1)Error message here is not accurate.
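Review bot: the CA check in the certfile branch cannot fail: `my $validca = 1; #assume ok` is followed inside the `if ($test !~ /: OK/)` block by `my $validca = 0;`, which declares a new block-scoped lexical, so the outer `$validca` stays 1 and `if (! $validca)` never triggers even when no known CA verifies the uploaded certificate. Drop the `my` so it reads `$validca = 0;`. Two smaller points in the same hunk: the pkcs12 branch jumps to `ROOTCERT_ERROR` on a missing upload and on a failed copy while every other branch uses `VPNCONF_ERROR`, so those two errors render the wrong page; and because the hunk is almost entirely reindentation, the functional changes mixed into it are hard to pick out, so a whitespace-only commit followed by the real change would make this reviewable.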
@@ -1763,37 +1766,39 @@ END
# 3)Present since initial version (1.3.2.11), it isn't a bug correction
# Check if there is no other entry with this certificate name
#if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk') && ($cgiparams{'AUTH'} ne 'auth-dn')) {
- # foreach my $key (keys %confighash) {
+ # foreach my $key (keys %confighash) {
# if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) {
- # $errormessage = $Lang::tr{'a connection with this common name already exists'};
- # goto VPNCONF_ERROR;
+ # $errormessage = $Lang::tr{'a connection with this common name already exists'};
+ # goto VPNCONF_ERROR;
+ # }
# }
- # }
#}
- # Save the config
+ # Save the config
my $key = $cgiparams{'KEY'};
if (! $key) {
- $key = &General::findhasharraykey (\%confighash);
- foreach my $i (0 .. 32) { $confighash{$key}[$i] = "";}
+ $key = &General::findhasharraykey (\%confighash);
+ foreach my $i (0 .. 32) { $confighash{$key}[$i] = "";}
}
$confighash{$key}[0] = $cgiparams{'ENABLED'};
$confighash{$key}[1] = $cgiparams{'NAME'};
if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') {
- $confighash{$key}[2] = $cgiparams{'CERT_NAME'};
+ $confighash{$key}[2] = $cgiparams{'CERT_NAME'};
}
$confighash{$key}[3] = $cgiparams{'TYPE'};
if ($cgiparams{'AUTH'} eq 'psk') {
- $confighash{$key}[4] = 'psk';
- $confighash{$key}[5] = $cgiparams{'PSK'};
+ $confighash{$key}[4] = 'psk';
+ $confighash{$key}[5] = $cgiparams{'PSK'};
} else {
- $confighash{$key}[4] = 'cert';
+ $confighash{$key}[4] = 'cert';
}
if ($cgiparams{'TYPE'} eq 'net') {
- $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'};
+ my @remote_subnets = split(",", $cgiparams{'REMOTE_SUBNET'});
+ $confighash{$key}[11] = join('|', @remote_subnets);
}
$confighash{$key}[7] = $cgiparams{'LOCAL_ID'};
- $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'};
+ my @local_subnets = split(",", $cgiparams{'LOCAL_SUBNET'});
+ $confighash{$key}[8] = join('|', @local_subnets);
$confighash{$key}[9] = $cgiparams{'REMOTE_ID'};
$confighash{$key}[10] = $cgiparams{'REMOTE'};
$confighash{$key}[25] = $cgiparams{'REMARK'};
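Review bot: `split(",", $cgiparams{'REMOTE_SUBNET'})` and the matching `LOCAL_SUBNET` split do not trim whitespace, so a value entered as `10.0.0.0/24, 10.0.1.0/24` is stored as `10.0.0.0/24| 10.0.1.0/24` with a leading space in the second element; split on `/\s*,\s*/` (or trim each element) before joining with `|`. Two things the change should also make explicit: the `checksubnets` call earlier in this patch still receives the raw comma-separated `REMOTE_SUBNET`, so either it already accepts lists or only the whole string is being validated; and field [8] now carries a `|`-separated list for every connection, so every reader of `$confighash{...}[8]` (the ipsec config writer and the edit form that loads it back) has to be updated in the same change. A one-line comment above the split documenting the new on-disk format would help the next reader.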
@@ -1801,7 +1806,7 @@ END
$confighash{$key}[27] = $cgiparams{'DPD_ACTION'};
$confighash{$key}[29] = $cgiparams{'IKE_VERSION'};
- #dont forget advanced value
+ # don't forget advanced value
$confighash{$key}[18] = $cgiparams{'IKE_ENCRYPTION'};
$confighash{$key}[19] = $cgiparams{'IKE_INTEGRITY'};
$confighash{$key}[20] = $cgiparams{'IKE_GROUPTYPE'};
@@ -1814,44 +1819,43 @@ END
$confighash{$key}[13] = $cgiparams{'COMPRESSION'};
$confighash{$key}[24] = $cgiparams{'ONLY_PROPOSED'};
$confighash{$key}[28] = $cgiparams{'PFS'};
- $confighash{$key}[14] = $cgiparams{'VHOST'};
$confighash{$key}[30] = $cgiparams{'DPD_TIMEOUT'};
$confighash{$key}[31] = $cgiparams{'DPD_DELAY'};
$confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'};
- #free unused fields!
+ # free unused fields!
$confighash{$key}[6] = 'off';
$confighash{$key}[15] = 'off';
&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
&writeipsecfiles();
if (&vpnenabled) {
- system('/usr/local/bin/ipsecctrl', 'S', $key);
- sleep $sleepDelay;
+ system('/usr/local/bin/ipsecctrl', 'S', $key);
+ sleep $sleepDelay;
}
if ($cgiparams{'EDIT_ADVANCED'} eq 'on') {
- $cgiparams{'KEY'} = $key;
- $cgiparams{'ACTION'} = $Lang::tr{'advanced'};
+ $cgiparams{'KEY'} = $key;
+ $cgiparams{'ACTION'} = $Lang::tr{'advanced'};
}
goto VPNCONF_END;
- } else { # add new connection
- $cgiparams{'ENABLED'} = 'on';
+} else { # add new connection
+ $cgiparams{'ENABLED'} = 'on';
if ( ! -f "${General::swroot}/private/cakey.pem" ) {
- $cgiparams{'AUTH'} = 'psk';
+ $cgiparams{'AUTH'} = 'psk';
} elsif ( ! -f "${General::swroot}/ca/cacert.pem") {
- $cgiparams{'AUTH'} = 'certfile';
+ $cgiparams{'AUTH'} = 'certfile';
} else {
- $cgiparams{'AUTH'} = 'certgen';
+ $cgiparams{'AUTH'} = 'certgen';
}
- $cgiparams{'LOCAL_SUBNET'} ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
- $cgiparams{'CERT_EMAIL'} = $vpnsettings{'ROOTCERT_EMAIL'};
- $cgiparams{'CERT_OU'} = $vpnsettings{'ROOTCERT_OU'};
- $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'};
- $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'};
- $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'};
- $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'};
+ $cgiparams{'LOCAL_SUBNET'} = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
+ $cgiparams{'CERT_EMAIL'} = $vpnsettings{'ROOTCERT_EMAIL'};
+ $cgiparams{'CERT_OU'} = $vpnsettings{'ROOTCERT_OU'};
+ $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'};
+ $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'};
+ $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'};
+ $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'};
- # choose appropriate dpd action
+ # choose appropriate dpd action
if ($cgiparams{'TYPE'} eq 'host') {
$cgiparams{'DPD_ACTION'} = 'clear';
} else {
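Review bot: dropping `$confighash{$key}[14] = $cgiparams{'VHOST'};` leaves index 14 untouched for existing connections, so entries saved before this change keep their old `VHOST` value while new ones get the empty string from the `0 .. 32` initialisation; any reader that still consults [14] will treat the two kinds of entry differently. Add `$confighash{$key}[14] = 'off';` (or `''`) to the `# free unused fields!` block next to [6] and [15] so the field is cleared consistently, or state in the commit message that [14] is now dead.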
@@ -1872,64 +1876,63 @@ END
# Default IKE Version to v2
if (!$cgiparams{'IKE_VERSION'}) {
- $cgiparams{'IKE_VERSION'} = 'ikev2';
+ $cgiparams{'IKE_VERSION'} = 'ikev2';
}
# ID are empty
- $cgiparams{'LOCAL_ID'} = '';
+ $cgiparams{'LOCAL_ID'} = '';
$cgiparams{'REMOTE_ID'} = '';
#use default advanced value
- $cgiparams{'IKE_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18];
- $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256|sha'; #[19];
- $cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[20];
- $cgiparams{'IKE_LIFETIME'} = '3'; #[16];
- $cgiparams{'ESP_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21];
- $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256|sha1'; #[22];
- $cgiparams{'ESP_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[23];
- $cgiparams{'ESP_KEYLIFE'} = '1'; #[17];
- $cgiparams{'COMPRESSION'} = 'on'; #[13];
- $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24];
- $cgiparams{'PFS'} = 'on'; #[28];
- $cgiparams{'VHOST'} = 'on'; #[14];
- }
-
- VPNCONF_ERROR:
- $checked{'ENABLED'}{'off'} = '';
- $checked{'ENABLED'}{'on'} = '';
- $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'";
-
- $checked{'EDIT_ADVANCED'}{'off'} = '';
- $checked{'EDIT_ADVANCED'}{'on'} = '';
- $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = "checked='checked'";
-
- $checked{'AUTH'}{'psk'} = '';
- $checked{'AUTH'}{'certreq'} = '';
- $checked{'AUTH'}{'certgen'} = '';
- $checked{'AUTH'}{'certfile'} = '';
- $checked{'AUTH'}{'pkcs12'} = '';
- $checked{'AUTH'}{'auth-dn'} = '';
- $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'";
-
- &Header::showhttpheaders();
- &Header::openpage($Lang::tr{'ipsec'}, 1, '');
- &Header::openbigbox('100%', 'left', '', $errormessage);
- if ($errormessage) {
- &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
- print "<class name='base'>$errormessage";
- print " </class>";
- &Header::closebox();
- }
+ $cgiparams{'IKE_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18];
+ $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256|sha'; #[19];
+ $cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[20];
+ $cgiparams{'IKE_LIFETIME'} = '3'; #[16];
+ $cgiparams{'ESP_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21];
+ $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256|sha1'; #[22];
+ $cgiparams{'ESP_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[23];
+ $cgiparams{'ESP_KEYLIFE'} = '1'; #[17];
+ $cgiparams{'COMPRESSION'} = 'on'; #[13];
+ $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24];
+ $cgiparams{'PFS'} = 'on'; #[28];
+}
- if ($warnmessage) {
- &Header::openbox('100%', 'left', "$Lang::tr{'warning messages'}:");
- print "<class name='base'>$warnmessage";
- print " </class>";
- &Header::closebox();
- }
+VPNCONF_ERROR:
+ $checked{'ENABLED'}{'off'} = '';
+ $checked{'ENABLED'}{'on'} = '';
+ $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'";
+
+ $checked{'EDIT_ADVANCED'}{'off'} = '';
+ $checked{'EDIT_ADVANCED'}{'on'} = '';
+ $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = "checked='checked'";
+
+ $checked{'AUTH'}{'psk'} = '';
+ $checked{'AUTH'}{'certreq'} = '';
+ $checked{'AUTH'}{'certgen'} = '';
+ $checked{'AUTH'}{'certfile'} = '';
+ $checked{'AUTH'}{'pkcs12'} = '';
+ $checked{'AUTH'}{'auth-dn'} = '';
+ $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'";
+
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'ipsec'}, 1, '');
+ &Header::openbigbox('100%', 'left', '', $errormessage);
+ if ($errormessage) {
+ &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
+ print "<class name='base'>$errormessage";
+ print " </class>";
+ &Header::closebox();
+ }
+
+ if ($warnmessage) {
+ &Header::openbox('100%', 'left', "$Lang::tr{'warning messages'}:");
+ print "<class name='base'>$warnmessage";
+ print " </class>";
+ &Header::closebox();
+ }
- print "<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>";
- print<<END
+ print "<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>";
+ print<<END
<input type='hidden' name='TYPE' value='$cgiparams{'TYPE'}' />
<input type='hidden' name='IKE_VERSION' value='$cgiparams{'IKE_VERSION'}' />
<input type='hidden' name='IKE_ENCRYPTION' value='$cgiparams{'IKE_ENCRYPTION'}' />
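Review bot: `$errormessage` and `$warnmessage` are printed into the page unescaped, and `$warnmessage` is built earlier in this patch by interpolating the submitted value (`" ($cgiparams{'REMOTE_SUBNET'}) <br>"`); unless `checksubnets` only returns a non-empty warning for syntactically valid subnets, pass the user-supplied part through `&Header::cleanhtml` before it is concatenated. Also `<class name='base'>` is not an HTML element; both boxes presumably mean `<span class='base'>`. Moving `VPNCONF_ERROR:` out of the `else` to file scope is fine since every `goto` targets the label, but the hunk reindents the default-proposal block at the same time, so the one real change there, the removal of `$cgiparams{'VHOST'} = 'on'; #[14];`, is easy to miss.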
@@ -1943,178 +1946,183 @@ END
<input type='hidden' name='COMPRESSION' value='$cgiparams{'COMPRESSION'}' />
<input type='hidden' name='ONLY_PROPOSED' value='$cgiparams{'ONLY_PROPOSED'}' />
<input type='hidden' name='PFS' value='$cgiparams{'PFS'}' />
- <input type='hidden' name='VHOST' value='$cgiparams{'VHOST'}' />
<input type='hidden' name='DPD_ACTION' value='$cgiparams{'DPD_ACTION'}' />
<input type='hidden' name='DPD_DELAY' value='$cgiparams{'DPD_DELAY'}' />
<input type='hidden' name='DPD_TIMEOUT' value='$cgiparams{'DPD_TIMEOUT'}' />
<input type='hidden' name='FORCE_MOBIKE' value='$cgiparams{'FORCE_MOBIKE'}' />
END
- ;
- if ($cgiparams{'KEY'}) {
- print "<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />";
- print "<input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />";
- print "<input type='hidden' name='AUTH' value='$cgiparams{'AUTH'}' />";
- }
-
- &Header::openbox('100%', 'left', "$Lang::tr{'connection'}: $cgiparams{'NAME'}");
- print "<table width='100%'>";
- if (!$cgiparams{'KEY'}) {
- print <<EOF;
- <tr>
- <td width='20%'>$Lang::tr{'name'}: <img src='/blob.gif' alt='*' /></td>
- <td width='30%'>
- <input type='text' name='NAME' value='$cgiparams{'NAME'}' size='25' />
- </td>
- <td colspan="2"></td>
- </tr>
+;
+ if ($cgiparams{'KEY'}) {
+ print "<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />";
+ print "<input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />";
+ print "<input type='hidden' name='AUTH' value='$cgiparams{'AUTH'}' />";
+ }
+
+ &Header::openbox('100%', 'left', "$Lang::tr{'connection'}: $cgiparams{'NAME'}");
+ print "<table width='100%'>";
+ if (!$cgiparams{'KEY'}) {
+ print <<EOF;
+ <tr>
+ <td width='20%'>$Lang::tr{'name'}: <img src='/blob.gif' alt='*' /></td>
+ <td width='30%'>
+ <input type='text' name='NAME' value='$cgiparams{'NAME'}' size='25' />
+ </td>
+ <td colspan="2"></td>
+ </tr>
EOF
- }
+ }
- my $disabled;
- my $blob;
- if ($cgiparams{'TYPE'} eq 'host') {
+ my $disabled;
+ my $blob;
+ if ($cgiparams{'TYPE'} eq 'host') {
$disabled = "disabled='disabled'";
- } elsif ($cgiparams{'TYPE'} eq 'net') {
+ } elsif ($cgiparams{'TYPE'} eq 'net') {
$blob = "<img src='/blob.gif' alt='*' />";
- };
+ };
- print <<END
+ my @local_subnets = split(/\|/, $cgiparams{'LOCAL_SUBNET'});
+ my $local_subnets = join(",", @local_subnets);
+
+ my @remote_subnets = split(/\|/, $cgiparams{'REMOTE_SUBNET'});
+ my $remote_subnets = join(",", @remote_subnets);
+
+ print <<END
<tr>
<td width='20%'>$Lang::tr{'enabled'}</td>
<td width='30%'>
- <input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} />
+ <input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} />
+ </td>
+ <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'local subnet'} <img src='/blob.gif' alt='*' /></td>
+ <td width='30%'>
+ <input type='text' name='LOCAL_SUBNET' value='$local_subnets' />
+ </td>
+ </tr>
+ <tr>
+ <td class='boldbase' width='20%'>$Lang::tr{'remote host/ip'}: $blob</td>
+ <td width='30%'>
+ <input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size="25" />
+ </td>
+ <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'} $blob</td>
+ <td width='30%'>
+ <input $disabled type='text' name='REMOTE_SUBNET' value='$remote_subnets' />
</td>
- <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'local subnet'} <img src='/blob.gif' alt='*' /></td>
- <td width='30%'>
- <input type='text' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' size="25" />
- </td>
- </tr>
- <tr>
- <td class='boldbase' width='20%'>$Lang::tr{'remote host/ip'}: $blob</td>
- <td width='30%'>
- <input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size="25" />
- </td>
- <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'} $blob</td>
- <td width='30%'>
- <input $disabled type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' size="25" />
- </td>
</tr>
<tr>
- <td class='boldbase' width='20%'>$Lang::tr{'vpn local id'}:</td>
- <td width='30%'>
- <input type='text' name='LOCAL_ID' value='$cgiparams{'LOCAL_ID'}' size="25" />
- </td>
- <td class='boldbase' width='20%'>$Lang::tr{'vpn remote id'}:</td>
- <td width='30%'>
- <input type='text' name='REMOTE_ID' value='$cgiparams{'REMOTE_ID'}' size="25" />
- </td>
+ <td class='boldbase' width='20%'>$Lang::tr{'vpn local id'}:</td>
+ <td width='30%'>
+ <input type='text' name='LOCAL_ID' value='$cgiparams{'LOCAL_ID'}' size="25" />
+ </td>
+ <td class='boldbase' width='20%'>$Lang::tr{'vpn remote id'}:</td>
+ <td width='30%'>
+ <input type='text' name='REMOTE_ID' value='$cgiparams{'REMOTE_ID'}' size="25" />
+ </td>
</tr>
<tr><td colspan="4"><br /></td></tr>
<tr>
- <td class='boldbase' width='20%'>$Lang::tr{'remark title'}</td>
- <td colspan='3'>
- <input type='text' name='REMARK' value='$cgiparams{'REMARK'}' maxlength='50' size="73" />
- </td>
- </tr>
-END
- ;
- if (!$cgiparams{'KEY'}) {
- print "<tr><td colspan='3'><input type='checkbox' name='EDIT_ADVANCED' $checked{'EDIT_ADVANCED'}{'on'} /> $Lang::tr{'edit advanced settings when done'}</td></tr>";
- }
- print "</table>";
- &Header::closebox();
-
- if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') {
- &Header::openbox('100%', 'left', $Lang::tr{'authentication'});
- print <<END
- <table width='100%' cellpadding='0' cellspacing='5' border='0'>
- <tr><td class='base' width='50%'>$Lang::tr{'use a pre-shared key'}</td>
- <td class='base' width='50%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td>
+ <td class='boldbase' width='20%'>$Lang::tr{'remark title'}</td>
+ <td colspan='3'>
+ <input type='text' name='REMARK' value='$cgiparams{'REMARK'}' maxlength='50' size="73" />
+ </td>
</tr>
- </table>
END
- ;
+;
+ if (!$cgiparams{'KEY'}) {
+ print "<tr><td colspan='3'><input type='checkbox' name='EDIT_ADVANCED' $checked{'EDIT_ADVANCED'}{'on'} /> $Lang::tr{'edit advanced settings when done'}</td></tr>";
+ }
+ print "</table>";
&Header::closebox();
- } elsif (! $cgiparams{'KEY'}) {
- my $cakeydisabled = ( ! -f "${General::swroot}/private/cakey.pem" ) ? "disabled='disabled'" : '';
- $cgiparams{'CERT_NAME'} = $Lang::tr{'vpn no full pki'} if ($cakeydisabled);
- my $cacrtdisabled = ( ! -f "${General::swroot}/ca/cacert.pem" ) ? "disabled='disabled'" : '';
- &Header::openbox('100%', 'left', $Lang::tr{'authentication'});
- print <<END
- <table width='100%' cellpadding='0' cellspacing='5' border='0'>
- <tr><td width='5%'><input type='radio' name='AUTH' value='psk' $checked{'AUTH'}{'psk'} /></td>
- <td class='base' width='55%'>$Lang::tr{'use a pre-shared key'}</td>
- <td class='base' width='40%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td></tr>
- <tr><td colspan='3' bgcolor='#000000'></td></tr>
- <tr><td><input type='radio' name='AUTH' value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td>
- <td class='base'><hr />$Lang::tr{'upload a certificate request'}</td>
- <td class='base' rowspan='3' valign='middle'><input type='file' name='FH' size='30' $cacrtdisabled /></td></tr>
- <tr><td><input type='radio' name='AUTH' value='certfile' $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td>
- <td class='base'>$Lang::tr{'upload a certificate'}</td></tr>
- <tr><td><input type='radio' name='AUTH' value='pkcs12' $cacrtdisabled /></td>
- <td class='base'>$Lang::tr{'upload p12 file'} $Lang::tr{'pkcs12 file password'}:<input type='password' name='P12_PASS'/></td></tr>
- <tr><td><input type='radio' name='AUTH' value='auth-dn' $checked{'AUTH'}{'auth-dn'} $cacrtdisabled /></td>
- <td class='base'><hr />$Lang::tr{'vpn auth-dn'}</td></tr>
- <tr><td colspan='3' bgcolor='#000000'></td></tr>
- <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td>
- <td class='base'><hr />$Lang::tr{'generate a certificate'}</td><td> </td></tr>
- <tr><td> </td>
- <td class='base'>$Lang::tr{'users fullname or system hostname'}: <img src='/blob.gif' alt='*' /></td>
- <td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' size='32' $cakeydisabled /></td></tr>
- <tr><td> </td>
- <td class='base'>$Lang::tr{'users email'}:</td>
- <td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' size='32' $cakeydisabled /></td></tr>
- <tr><td> </td>
- <td class='base'>$Lang::tr{'users department'}:</td>
- <td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' size='32' $cakeydisabled /></td></tr>
- <tr><td> </td>
- <td class='base'>$Lang::tr{'organization name'}:</td>
- <td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' size='32' $cakeydisabled /></td></tr>
- <tr><td> </td>
- <td class='base'>$Lang::tr{'city'}:</td>
- <td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' size='32' $cakeydisabled /></td></tr>
- <tr><td> </td>
- <td class='base'>$Lang::tr{'state or province'}:</td>
- <td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' size='32' $cakeydisabled /></td></tr>
- <tr><td> </td>
- <td class='base'>$Lang::tr{'country'}:</td>
- <td class='base'><select name='CERT_COUNTRY' $cakeydisabled>
+ if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') {
+ &Header::openbox('100%', 'left', $Lang::tr{'authentication'});
+ print <<END
+ <table width='100%' cellpadding='0' cellspacing='5' border='0'>
+ <tr><td class='base' width='50%'>$Lang::tr{'use a pre-shared key'}</td>
+ <td class='base' width='50%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td>
+ </tr>
+ </table>
END
- ;
- foreach my $country (sort keys %{Countries::countries}) {
- print "\t\t\t<option value='$Countries::countries{$country}'";
- if ( $Countries::countries{$country} eq $cgiparams{'CERT_COUNTRY'} ) {
- print " selected='selected'";
- }
- print ">$country</option>\n";
+;
+ &Header::closebox();
+ } elsif (! $cgiparams{'KEY'}) {
+ my $cakeydisabled = ( ! -f "${General::swroot}/private/cakey.pem" ) ? "disabled='disabled'" : '';
+ $cgiparams{'CERT_NAME'} = $Lang::tr{'vpn no full pki'} if ($cakeydisabled);
+ my $cacrtdisabled = ( ! -f "${General::swroot}/ca/cacert.pem" ) ? "disabled='disabled'" : '';
+
+ &Header::openbox('100%', 'left', $Lang::tr{'authentication'});
+ print <<END
+ <table width='100%' cellpadding='0' cellspacing='5' border='0'>
+ <tr><td width='5%'><input type='radio' name='AUTH' value='psk' $checked{'AUTH'}{'psk'} /></td>
+ <td class='base' width='55%'>$Lang::tr{'use a pre-shared key'}</td>
+ <td class='base' width='40%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td></tr>
+ <tr><td colspan='3' bgcolor='#000000'></td></tr>
+ <tr><td><input type='radio' name='AUTH' value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td>
+ <td class='base'><hr />$Lang::tr{'upload a certificate request'}</td>
+ <td class='base' rowspan='3' valign='middle'><input type='file' name='FH' size='30' $cacrtdisabled /></td></tr>
+ <tr><td><input type='radio' name='AUTH' value='certfile' $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td>
+ <td class='base'>$Lang::tr{'upload a certificate'}</td></tr>
+ <tr><td><input type='radio' name='AUTH' value='pkcs12' $cacrtdisabled /></td>
+ <td class='base'>$Lang::tr{'upload p12 file'} $Lang::tr{'pkcs12 file password'}:<input type='password' name='P12_PASS'/></td></tr>
+ <tr><td><input type='radio' name='AUTH' value='auth-dn' $checked{'AUTH'}{'auth-dn'} $cacrtdisabled /></td>
+ <td class='base'><hr />$Lang::tr{'vpn auth-dn'}</td></tr>
+ <tr><td colspan='3' bgcolor='#000000'></td></tr>
+ <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td>
+ <td class='base'><hr />$Lang::tr{'generate a certificate'}</td><td> </td></tr>
+ <tr><td> </td>
+ <td class='base'>$Lang::tr{'users fullname or system hostname'}: <img src='/blob.gif' alt='*' /></td>
+ <td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' size='32' $cakeydisabled /></td></tr>
+ <tr><td> </td>
+ <td class='base'>$Lang::tr{'users email'}:</td>
+ <td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' size='32' $cakeydisabled /></td></tr>
+ <tr><td> </td>
+ <td class='base'>$Lang::tr{'users department'}:</td>
+ <td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' size='32' $cakeydisabled /></td></tr>
+ <tr><td> </td>
+ <td class='base'>$Lang::tr{'organization name'}:</td>
+ <td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' size='32' $cakeydisabled /></td></tr>
+ <tr><td> </td>
+ <td class='base'>$Lang::tr{'city'}:</td>
+ <td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' size='32' $cakeydisabled /></td></tr>
+ <tr><td> </td>
+ <td class='base'>$Lang::tr{'state or province'}:</td>
+ <td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' size='32' $cakeydisabled /></td></tr>
+ <tr><td> </td>
+ <td class='base'>$Lang::tr{'country'}:</td>
+ <td class='base'><select name='CERT_COUNTRY' $cakeydisabled>
+END
+;
+ foreach my $country (sort keys %{Countries::countries}) {
+ print "\t\t\t<option value='$Countries::countries{$country}'";
+ if ( $Countries::countries{$country} eq $cgiparams{'CERT_COUNTRY'} ) {
+ print " selected='selected'";
+ }
+ print ">$country</option>\n";
+ }
+ print <<END
+ </select></td></tr>
+
+ <tr><td> </td><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td>
+ <td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' $cakeydisabled /></td></tr>
+ <tr><td> </td>
+ <td class='base'>$Lang::tr{'pkcs12 file password'}: <img src='/blob.gif' alt='*' /></td>
+ <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' $cakeydisabled /></td></tr>
+ <tr><td> </td><td class='base'>$Lang::tr{'pkcs12 file password'} ($Lang::tr{'confirmation'}): <img src='/blob.gif' alt='*' /></td>
+ <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' $cakeydisabled /></td></tr>
+ </table>
+END
+;
+ &Header::closebox();
}
- print <<END
- </select></td></tr>
- <tr><td> </td><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td>
- <td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' $cakeydisabled /></td></tr>
- <tr><td> </td>
- <td class='base'>$Lang::tr{'pkcs12 file password'}: <img src='/blob.gif' alt='*' /></td>
- <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' $cakeydisabled /></td></tr>
- <tr><td> </td><td class='base'>$Lang::tr{'pkcs12 file password'} ($Lang::tr{'confirmation'}): <img src='/blob.gif' alt='*' /></td>
- <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' $cakeydisabled /></td></tr>
- </table>
-END
- ;
- &Header::closebox();
- }
-
- print "<div align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";
- if ($cgiparams{'KEY'}) {
- print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced'}' />";
- }
- print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>";
- &Header::closebigbox();
- &Header::closepage();
- exit (0);
-
- VPNCONF_END:
+ print "<div align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";
+ if ($cgiparams{'KEY'}) {
+ print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced'}' />";
+ }
+ print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>";
+ &Header::closebigbox();
+ &Header::closepage();
+ exit (0);
+
+ VPNCONF_END:
}
###
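Review bot: the `pkcs12` radio button in the authentication box is rendered as `<input type='radio' name='AUTH' value='pkcs12' $cacrtdisabled />` without `$checked{'AUTH'}{'pkcs12'}`, although `$checked{'AUTH'}{'pkcs12'} = '';` is initialised at the top of the block together with the other methods; after a validation error on a pkcs12 upload the form comes back with no authentication method selected and the user has to re-pick it (and re-enter `P12_PASS`). Suggest `<input type='radio' name='AUTH' value='pkcs12' $checked{'AUTH'}{'pkcs12'} $cacrtdisabled />`. On the subnet change: the hunk converts the stored `|`-separated `LOCAL_SUBNET`/`REMOTE_SUBNET` lists to comma-separated text for display (`my $local_subnets = join(",", @local_subnets);`), but the reverse mapping on save is not in this hunk, so please confirm the save path splits the field on `,`, validates each entry as a network and stores the list with `|` again; otherwise a multi-subnet value is written verbatim and the next edit round-trips it differently. The same two inputs also lost their `size="25"` attribute while `REMOTE`, `LOCAL_ID` and `REMOTE_ID` keep theirs; if the wider default width is intended, a short comment would help. Last, since these lines are being rewritten: every `$cgiparams{...}` value is interpolated into an HTML attribute unescaped (a `'` in `NAME`, `REMARK` or `PSK` breaks the attribute), and `PSK`, `CERT_PASS1` and `CERT_PASS2` are echoed back into `value=` of password fields, which puts the secret into the page source on every re-render; escaping the values and leaving the password fields empty on error would be the safer default.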
@@ -2122,303 +2130,288 @@ END
###
if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq 'yes')) {
- &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
- &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
- if (! $confighash{$cgiparams{'KEY'}}) {
- $errormessage = $Lang::tr{'invalid key'};
- goto ADVANCED_END;
- }
-
- if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
- # I didn't read any incompatibilities here....
- #if ($cgiparams{'VHOST'} eq 'on' && $cgiparams{'COMPRESSION'} eq 'on') {
- # $errormessage = $Lang::tr{'cannot enable both nat traversal and compression'};
- # goto ADVANCED_ERROR;
- #}
- my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'});
- if ($#temp < 0) {
- $errormessage = $Lang::tr{'invalid input'};
- goto ADVANCED_ERROR;
- }
- foreach my $val (@temp) {
- if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) {
- $errormessage = $Lang::tr{'invalid input'};
- goto ADVANCED_ERROR;
- }
+ &General::readhash("${General::swroot}/vpn/settings", \%vpnsettings);
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+ if (! $confighash{$cgiparams{'KEY'}}) {
+ $errormessage = $Lang::tr{'invalid key'};
+ goto ADVANCED_END;
+ }
+
+ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
+ my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'});
+ if ($#temp < 0) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ foreach my $val (@temp) {
+ if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ }
+ @temp = split('\|', $cgiparams{'IKE_INTEGRITY'});
+ if ($#temp < 0) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ foreach my $val (@temp) {
+ if ($val !~ /^(sha2_(512|384|256)|sha|md5|aesxcbc)$/) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ }
+ @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'});
+ if ($#temp < 0) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ foreach my $val (@temp) {
+ if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ }
+ if ($cgiparams{'IKE_LIFETIME'} !~ /^\d+$/) {
+ $errormessage = $Lang::tr{'invalid input for ike lifetime'};
+ goto ADVANCED_ERROR;
+ }
+ if ($cgiparams{'IKE_LIFETIME'} < 1 || $cgiparams{'IKE_LIFETIME'} > 8) {
+ $errormessage = $Lang::tr{'ike lifetime should be between 1 and 8 hours'};
+ goto ADVANCED_ERROR;
+ }
+ @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'});
+ if ($#temp < 0) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ foreach my $val (@temp) {
+ if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ }
+ @temp = split('\|', $cgiparams{'ESP_INTEGRITY'});
+ if ($#temp < 0) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ foreach my $val (@temp) {
+ if ($val !~ /^(sha2_(512|384|256)|sha1|md5|aesxcbc)$/) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ }
+ @temp = split('\|', $cgiparams{'ESP_GROUPTYPE'});
+ if ($#temp < 0) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ foreach my $val (@temp) {
+ if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+ }
+ if ($cgiparams{'ESP_KEYLIFE'} !~ /^\d+$/) {
+ $errormessage = $Lang::tr{'invalid input for esp keylife'};
+ goto ADVANCED_ERROR;
+ }
+ if ($cgiparams{'ESP_KEYLIFE'} < 1 || $cgiparams{'ESP_KEYLIFE'} > 24) {
+ $errormessage = $Lang::tr{'esp keylife should be between 1 and 24 hours'};
+ goto ADVANCED_ERROR;
+ }
+
+ if (($cgiparams{'COMPRESSION'} !~ /^(|on|off)$/) ||
+ ($cgiparams{'FORCE_MOBIKE'} !~ /^(|on|off)$/) ||
+ ($cgiparams{'ONLY_PROPOSED'} !~ /^(|on|off)$/) ||
+ ($cgiparams{'PFS'} !~ /^(|on|off)$/)) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto ADVANCED_ERROR;
+ }
+
+ if ($cgiparams{'DPD_DELAY'} !~ /^\d+$/) {
+ $errormessage = $Lang::tr{'invalid input for dpd delay'};
+ goto ADVANCED_ERROR;
+ }
+
+ if ($cgiparams{'DPD_TIMEOUT'} !~ /^\d+$/) {
+ $errormessage = $Lang::tr{'invalid input for dpd timeout'};
+ goto ADVANCED_ERROR;
+ }
+
+ $confighash{$cgiparams{'KEY'}}[29] = $cgiparams{'IKE_VERSION'};
+ $confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'};
+ $confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'};
+ $confighash{$cgiparams{'KEY'}}[20] = $cgiparams{'IKE_GROUPTYPE'};
+ $confighash{$cgiparams{'KEY'}}[16] = $cgiparams{'IKE_LIFETIME'};
+ $confighash{$cgiparams{'KEY'}}[21] = $cgiparams{'ESP_ENCRYPTION'};
+ $confighash{$cgiparams{'KEY'}}[22] = $cgiparams{'ESP_INTEGRITY'};
+ $confighash{$cgiparams{'KEY'}}[23] = $cgiparams{'ESP_GROUPTYPE'};
+ $confighash{$cgiparams{'KEY'}}[17] = $cgiparams{'ESP_KEYLIFE'};
+ $confighash{$cgiparams{'KEY'}}[12] = 'off'; #$cgiparams{'AGGRMODE'};
+ $confighash{$cgiparams{'KEY'}}[13] = $cgiparams{'COMPRESSION'};
+ $confighash{$cgiparams{'KEY'}}[24] = $cgiparams{'ONLY_PROPOSED'};
+ $confighash{$cgiparams{'KEY'}}[28] = $cgiparams{'PFS'};
+ $confighash{$cgiparams{'KEY'}}[27] = $cgiparams{'DPD_ACTION'};
+ $confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'DPD_TIMEOUT'};
+ $confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'DPD_DELAY'};
+ $confighash{$cgiparams{'KEY'}}[32] = $cgiparams{'FORCE_MOBIKE'};
+ &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
+ &writeipsecfiles();
+ if (&vpnenabled) {
+ system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
+ sleep $sleepDelay;
+ }
+ goto ADVANCED_END;
+ } else {
+ $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29];
+ $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18];
+ $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19];
+ $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20];
+ $cgiparams{'IKE_LIFETIME'} = $confighash{$cgiparams{'KEY'}}[16];
+ $cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21];
+ $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22];
+ $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23];
+ if ($cgiparams{'ESP_GROUPTYPE'} eq "") {
+ $cgiparams{'ESP_GROUPTYPE'} = $cgiparams{'IKE_GROUPTYPE'};
+ }
+ $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17];
+ $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13];
+ $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24];
+ $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28];
+ $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27];
+ $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30];
+ $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31];
+ $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32];
+
+ if (!$cgiparams{'DPD_DELAY'}) {
+ $cgiparams{'DPD_DELAY'} = 30;
+ }
+
+ if (!$cgiparams{'DPD_TIMEOUT'}) {
+ $cgiparams{'DPD_TIMEOUT'} = 120;
+ }
}
+
+ ADVANCED_ERROR:
+ $checked{'IKE_ENCRYPTION'}{'aes256'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes192'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes128'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes256gcm128'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes192gcm128'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes128gcm128'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes256gcm96'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes192gcm96'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes128gcm96'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes256gcm64'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes192gcm64'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes128gcm64'} = '';
+ $checked{'IKE_ENCRYPTION'}{'3des'} = '';
+ $checked{'IKE_ENCRYPTION'}{'camellia256'} = '';
+ $checked{'IKE_ENCRYPTION'}{'camellia192'} = '';
+ $checked{'IKE_ENCRYPTION'}{'camellia128'} = '';
+ my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'});
+ foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = "selected='selected'"; }
+ $checked{'IKE_INTEGRITY'}{'sha2_512'} = '';
+ $checked{'IKE_INTEGRITY'}{'sha2_384'} = '';
+ $checked{'IKE_INTEGRITY'}{'sha2_256'} = '';
+ $checked{'IKE_INTEGRITY'}{'sha'} = '';
+ $checked{'IKE_INTEGRITY'}{'md5'} = '';
+ $checked{'IKE_INTEGRITY'}{'aesxcbc'} = '';
@temp = split('\|', $cgiparams{'IKE_INTEGRITY'});
- if ($#temp < 0) {
- $errormessage = $Lang::tr{'invalid input'};
- goto ADVANCED_ERROR;
- }
- foreach my $val (@temp) {
- if ($val !~ /^(sha2_(512|384|256)|sha|md5|aesxcbc)$/) {
- $errormessage = $Lang::tr{'invalid input'};
- goto ADVANCED_ERROR;
- }
- }
+ foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; }
+ $checked{'IKE_GROUPTYPE'}{'768'} = '';
+ $checked{'IKE_GROUPTYPE'}{'1024'} = '';
+ $checked{'IKE_GROUPTYPE'}{'1536'} = '';
+ $checked{'IKE_GROUPTYPE'}{'2048'} = '';
+ $checked{'IKE_GROUPTYPE'}{'3072'} = '';
+ $checked{'IKE_GROUPTYPE'}{'4096'} = '';
+ $checked{'IKE_GROUPTYPE'}{'6144'} = '';
+ $checked{'IKE_GROUPTYPE'}{'8192'} = '';
@temp = split('\|', $cgiparams{'IKE_GROUPTYPE'});
- if ($#temp < 0) {
- $errormessage = $Lang::tr{'invalid input'};
- goto ADVANCED_ERROR;
- }
- foreach my $val (@temp) {
- if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) {
- $errormessage = $Lang::tr{'invalid input'};
- goto ADVANCED_ERROR;
- }
- }
- if ($cgiparams{'IKE_LIFETIME'} !~ /^\d+$/) {
- $errormessage = $Lang::tr{'invalid input for ike lifetime'};
- goto ADVANCED_ERROR;
- }
- if ($cgiparams{'IKE_LIFETIME'} < 1 || $cgiparams{'IKE_LIFETIME'} > 8) {
- $errormessage = $Lang::tr{'ike lifetime should be between 1 and 8 hours'};
- goto ADVANCED_ERROR;
- }
+ foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = "selected='selected'"; }
+
+ # 768 is not supported by strongswan
+ $checked{'IKE_GROUPTYPE'}{'768'} = '';
+
+ $checked{'ESP_ENCRYPTION'}{'aes256'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes192'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes128'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes256gcm128'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes192gcm128'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes128gcm128'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes256gcm96'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes192gcm96'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes128gcm96'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes256gcm64'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes192gcm64'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes128gcm64'} = '';
+ $checked{'ESP_ENCRYPTION'}{'3des'} = '';
+ $checked{'ESP_ENCRYPTION'}{'camellia256'} = '';
+ $checked{'ESP_ENCRYPTION'}{'camellia192'} = '';
+ $checked{'ESP_ENCRYPTION'}{'camellia128'} = '';
@temp = split('\|', $cgiparams{'ESP_ENCRYPTION'});
- if ($#temp < 0) {
- $errormessage = $Lang::tr{'invalid input'};
- goto ADVANCED_ERROR;
- }
- foreach my $val (@temp) {
- if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) {
- $errormessage = $Lang::tr{'invalid input'};
- goto ADVANCED_ERROR;
- }
- }
+ foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = "selected='selected'"; }
+ $checked{'ESP_INTEGRITY'}{'sha2_512'} = '';
+ $checked{'ESP_INTEGRITY'}{'sha2_384'} = '';
+ $checked{'ESP_INTEGRITY'}{'sha2_256'} = '';
+ $checked{'ESP_INTEGRITY'}{'sha1'} = '';
+ $checked{'ESP_INTEGRITY'}{'md5'} = '';
+ $checked{'ESP_INTEGRITY'}{'aesxcbc'} = '';
@temp = split('\|', $cgiparams{'ESP_INTEGRITY'});
- if ($#temp < 0) {
- $errormessage = $Lang::tr{'invalid input'};
- goto ADVANCED_ERROR;
- }
- foreach my $val (@temp) {
- if ($val !~ /^(sha2_(512|384|256)|sha1|md5|aesxcbc)$/) {
- $errormessage = $Lang::tr{'invalid input'};
- goto ADVANCED_ERROR;
- }
- }
+ foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; }
+ $checked{'ESP_GROUPTYPE'}{'768'} = '';
+ $checked{'ESP_GROUPTYPE'}{'1024'} = '';
+ $checked{'ESP_GROUPTYPE'}{'1536'} = '';
+ $checked{'ESP_GROUPTYPE'}{'2048'} = '';
+ $checked{'ESP_GROUPTYPE'}{'3072'} = '';
+ $checked{'ESP_GROUPTYPE'}{'4096'} = '';
+ $checked{'ESP_GROUPTYPE'}{'6144'} = '';
+ $checked{'ESP_GROUPTYPE'}{'8192'} = '';
+ $checked{'ESP_GROUPTYPE'}{'none'} = '';
@temp = split('\|', $cgiparams{'ESP_GROUPTYPE'});
- if ($#temp < 0) {
- $errormessage = $Lang::tr{'invalid input'};
- goto ADVANCED_ERROR;
- }
- foreach my $val (@temp) {
- if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) {
- $errormessage = $Lang::tr{'invalid input'};
- goto ADVANCED_ERROR;
- }
- }
- if ($cgiparams{'ESP_KEYLIFE'} !~ /^\d+$/) {
- $errormessage = $Lang::tr{'invalid input for esp keylife'};
- goto ADVANCED_ERROR;
- }
- if ($cgiparams{'ESP_KEYLIFE'} < 1 || $cgiparams{'ESP_KEYLIFE'} > 24) {
- $errormessage = $Lang::tr{'esp keylife should be between 1 and 24 hours'};
- goto ADVANCED_ERROR;
- }
-
- if (
- ($cgiparams{'COMPRESSION'} !~ /^(|on|off)$/) ||
- ($cgiparams{'FORCE_MOBIKE'} !~ /^(|on|off)$/) ||
- ($cgiparams{'ONLY_PROPOSED'} !~ /^(|on|off)$/) ||
- ($cgiparams{'PFS'} !~ /^(|on|off)$/) ||
- ($cgiparams{'VHOST'} !~ /^(|on|off)$/)
- ){
- $errormessage = $Lang::tr{'invalid input'};
- goto ADVANCED_ERROR;
- }
-
- if ($cgiparams{'DPD_DELAY'} !~ /^\d+$/) {
- $errormessage = $Lang::tr{'invalid input for dpd delay'};
- goto ADVANCED_ERROR;
- }
-
- if ($cgiparams{'DPD_TIMEOUT'} !~ /^\d+$/) {
- $errormessage = $Lang::tr{'invalid input for dpd timeout'};
- goto ADVANCED_ERROR;
- }
-
- $confighash{$cgiparams{'KEY'}}[29] = $cgiparams{'IKE_VERSION'};
- $confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'};
- $confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'};
- $confighash{$cgiparams{'KEY'}}[20] = $cgiparams{'IKE_GROUPTYPE'};
- $confighash{$cgiparams{'KEY'}}[16] = $cgiparams{'IKE_LIFETIME'};
- $confighash{$cgiparams{'KEY'}}[21] = $cgiparams{'ESP_ENCRYPTION'};
- $confighash{$cgiparams{'KEY'}}[22] = $cgiparams{'ESP_INTEGRITY'};
- $confighash{$cgiparams{'KEY'}}[23] = $cgiparams{'ESP_GROUPTYPE'};
- $confighash{$cgiparams{'KEY'}}[17] = $cgiparams{'ESP_KEYLIFE'};
- $confighash{$cgiparams{'KEY'}}[12] = 'off'; #$cgiparams{'AGGRMODE'};
- $confighash{$cgiparams{'KEY'}}[13] = $cgiparams{'COMPRESSION'};
- $confighash{$cgiparams{'KEY'}}[24] = $cgiparams{'ONLY_PROPOSED'};
- $confighash{$cgiparams{'KEY'}}[28] = $cgiparams{'PFS'};
- $confighash{$cgiparams{'KEY'}}[14] = $cgiparams{'VHOST'};
- $confighash{$cgiparams{'KEY'}}[27] = $cgiparams{'DPD_ACTION'};
- $confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'DPD_TIMEOUT'};
- $confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'DPD_DELAY'};
- $confighash{$cgiparams{'KEY'}}[32] = $cgiparams{'FORCE_MOBIKE'};
- &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
- &writeipsecfiles();
- if (&vpnenabled) {
- system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
- sleep $sleepDelay;
- }
- goto ADVANCED_END;
- } else {
- $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29];
- $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18];
- $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19];
- $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20];
- $cgiparams{'IKE_LIFETIME'} = $confighash{$cgiparams{'KEY'}}[16];
- $cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21];
- $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22];
- $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23];
- if ($cgiparams{'ESP_GROUPTYPE'} eq "") {
- $cgiparams{'ESP_GROUPTYPE'} = $cgiparams{'IKE_GROUPTYPE'};
- }
- $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17];
- $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13];
- $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24];
- $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28];
- $cgiparams{'VHOST'} = $confighash{$cgiparams{'KEY'}}[14];
- $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27];
- $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30];
- $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31];
- $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32];
+ foreach my $key (@temp) {$checked{'ESP_GROUPTYPE'}{$key} = "selected='selected'"; }
- if (!$cgiparams{'DPD_DELAY'}) {
- $cgiparams{'DPD_DELAY'} = 30;
- }
+ $checked{'COMPRESSION'} = $cgiparams{'COMPRESSION'} eq 'on' ? "checked='checked'" : '' ;
+ $checked{'FORCE_MOBIKE'} = $cgiparams{'FORCE_MOBIKE'} eq 'on' ? "checked='checked'" : '' ;
+ $checked{'ONLY_PROPOSED'} = $cgiparams{'ONLY_PROPOSED'} eq 'on' ? "checked='checked'" : '' ;
+ $checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? "checked='checked'" : '' ;
- if (!$cgiparams{'DPD_TIMEOUT'}) {
- $cgiparams{'DPD_TIMEOUT'} = 120;
- }
+ $selected{'IKE_VERSION'}{'ikev1'} = '';
+ $selected{'IKE_VERSION'}{'ikev2'} = '';
+ $selected{'IKE_VERSION'}{$cgiparams{'IKE_VERSION'}} = "selected='selected'";
- if ($confighash{$cgiparams{'KEY'}}[3] eq 'net' || $confighash{$cgiparams{'KEY'}}[10]) {
- $cgiparams{'VHOST'} = 'off';
- }
- }
-
- ADVANCED_ERROR:
- $checked{'IKE_ENCRYPTION'}{'aes256'} = '';
- $checked{'IKE_ENCRYPTION'}{'aes192'} = '';
- $checked{'IKE_ENCRYPTION'}{'aes128'} = '';
- $checked{'IKE_ENCRYPTION'}{'aes256gcm128'} = '';
- $checked{'IKE_ENCRYPTION'}{'aes192gcm128'} = '';
- $checked{'IKE_ENCRYPTION'}{'aes128gcm128'} = '';
- $checked{'IKE_ENCRYPTION'}{'aes256gcm96'} = '';
- $checked{'IKE_ENCRYPTION'}{'aes192gcm96'} = '';
- $checked{'IKE_ENCRYPTION'}{'aes128gcm96'} = '';
- $checked{'IKE_ENCRYPTION'}{'aes256gcm64'} = '';
- $checked{'IKE_ENCRYPTION'}{'aes192gcm64'} = '';
- $checked{'IKE_ENCRYPTION'}{'aes128gcm64'} = '';
- $checked{'IKE_ENCRYPTION'}{'3des'} = '';
- $checked{'IKE_ENCRYPTION'}{'camellia256'} = '';
- $checked{'IKE_ENCRYPTION'}{'camellia192'} = '';
- $checked{'IKE_ENCRYPTION'}{'camellia128'} = '';
- my @temp = split('\|', $cgiparams{'IKE_ENCRYPTION'});
- foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = "selected='selected'"; }
- $checked{'IKE_INTEGRITY'}{'sha2_512'} = '';
- $checked{'IKE_INTEGRITY'}{'sha2_384'} = '';
- $checked{'IKE_INTEGRITY'}{'sha2_256'} = '';
- $checked{'IKE_INTEGRITY'}{'sha'} = '';
- $checked{'IKE_INTEGRITY'}{'md5'} = '';
- $checked{'IKE_INTEGRITY'}{'aesxcbc'} = '';
- @temp = split('\|', $cgiparams{'IKE_INTEGRITY'});
- foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; }
- $checked{'IKE_GROUPTYPE'}{'768'} = '';
- $checked{'IKE_GROUPTYPE'}{'1024'} = '';
- $checked{'IKE_GROUPTYPE'}{'1536'} = '';
- $checked{'IKE_GROUPTYPE'}{'2048'} = '';
- $checked{'IKE_GROUPTYPE'}{'3072'} = '';
- $checked{'IKE_GROUPTYPE'}{'4096'} = '';
- $checked{'IKE_GROUPTYPE'}{'6144'} = '';
- $checked{'IKE_GROUPTYPE'}{'8192'} = '';
- @temp = split('\|', $cgiparams{'IKE_GROUPTYPE'});
- foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = "selected='selected'"; }
-
- # 768 is not supported by strongswan
- $checked{'IKE_GROUPTYPE'}{'768'} = '';
-
- $checked{'ESP_ENCRYPTION'}{'aes256'} = '';
- $checked{'ESP_ENCRYPTION'}{'aes192'} = '';
- $checked{'ESP_ENCRYPTION'}{'aes128'} = '';
- $checked{'ESP_ENCRYPTION'}{'aes256gcm128'} = '';
- $checked{'ESP_ENCRYPTION'}{'aes192gcm128'} = '';
- $checked{'ESP_ENCRYPTION'}{'aes128gcm128'} = '';
- $checked{'ESP_ENCRYPTION'}{'aes256gcm96'} = '';
- $checked{'ESP_ENCRYPTION'}{'aes192gcm96'} = '';
- $checked{'ESP_ENCRYPTION'}{'aes128gcm96'} = '';
- $checked{'ESP_ENCRYPTION'}{'aes256gcm64'} = '';
- $checked{'ESP_ENCRYPTION'}{'aes192gcm64'} = '';
- $checked{'ESP_ENCRYPTION'}{'aes128gcm64'} = '';
- $checked{'ESP_ENCRYPTION'}{'3des'} = '';
- $checked{'ESP_ENCRYPTION'}{'camellia256'} = '';
- $checked{'ESP_ENCRYPTION'}{'camellia192'} = '';
- $checked{'ESP_ENCRYPTION'}{'camellia128'} = '';
- @temp = split('\|', $cgiparams{'ESP_ENCRYPTION'});
- foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = "selected='selected'"; }
- $checked{'ESP_INTEGRITY'}{'sha2_512'} = '';
- $checked{'ESP_INTEGRITY'}{'sha2_384'} = '';
- $checked{'ESP_INTEGRITY'}{'sha2_256'} = '';
- $checked{'ESP_INTEGRITY'}{'sha1'} = '';
- $checked{'ESP_INTEGRITY'}{'md5'} = '';
- $checked{'ESP_INTEGRITY'}{'aesxcbc'} = '';
- @temp = split('\|', $cgiparams{'ESP_INTEGRITY'});
- foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; }
- $checked{'ESP_GROUPTYPE'}{'768'} = '';
- $checked{'ESP_GROUPTYPE'}{'1024'} = '';
- $checked{'ESP_GROUPTYPE'}{'1536'} = '';
- $checked{'ESP_GROUPTYPE'}{'2048'} = '';
- $checked{'ESP_GROUPTYPE'}{'3072'} = '';
- $checked{'ESP_GROUPTYPE'}{'4096'} = '';
- $checked{'ESP_GROUPTYPE'}{'6144'} = '';
- $checked{'ESP_GROUPTYPE'}{'8192'} = '';
- $checked{'ESP_GROUPTYPE'}{'none'} = '';
- @temp = split('\|', $cgiparams{'ESP_GROUPTYPE'});
- foreach my $key (@temp) {$checked{'ESP_GROUPTYPE'}{$key} = "selected='selected'"; }
-
- $checked{'COMPRESSION'} = $cgiparams{'COMPRESSION'} eq 'on' ? "checked='checked'" : '' ;
- $checked{'FORCE_MOBIKE'} = $cgiparams{'FORCE_MOBIKE'} eq 'on' ? "checked='checked'" : '' ;
- $checked{'ONLY_PROPOSED'} = $cgiparams{'ONLY_PROPOSED'} eq 'on' ? "checked='checked'" : '' ;
- $checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? "checked='checked'" : '' ;
- $checked{'VHOST'} = $cgiparams{'VHOST'} eq 'on' ? "checked='checked'" : '' ;
-
- $selected{'IKE_VERSION'}{'ikev1'} = '';
- $selected{'IKE_VERSION'}{'ikev2'} = '';
- $selected{'IKE_VERSION'}{$cgiparams{'IKE_VERSION'}} = "selected='selected'";
-
- $selected{'DPD_ACTION'}{'clear'} = '';
- $selected{'DPD_ACTION'}{'hold'} = '';
- $selected{'DPD_ACTION'}{'restart'} = '';
- $selected{'DPD_ACTION'}{'none'} = '';
- $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'";
-
- &Header::showhttpheaders();
- &Header::openpage($Lang::tr{'ipsec'}, 1, '');
- &Header::openbigbox('100%', 'left', '', $errormessage);
-
- if ($errormessage) {
- &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
- print "<class name='base'>$errormessage";
- print " </class>";
- &Header::closebox();
- }
+ $selected{'DPD_ACTION'}{'clear'} = '';
+ $selected{'DPD_ACTION'}{'hold'} = '';
+ $selected{'DPD_ACTION'}{'restart'} = '';
+ $selected{'DPD_ACTION'}{'none'} = '';
+ $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'";
- if ($warnmessage) {
- &Header::openbox('100%', 'left', $Lang::tr{'warning messages'});
- print "<class name='base'>$warnmessage";
- print " </class>";
- &Header::closebox();
- }
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'ipsec'}, 1, '');
+ &Header::openbigbox('100%', 'left', '', $errormessage);
+
+ if ($errormessage) {
+ &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
+ print "<class name='base'>$errormessage";
+ print " </class>";
+ &Header::closebox();
+ }
- &Header::openbox('100%', 'left', "$Lang::tr{'advanced'}:");
- print <<EOF
- <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>
- <input type='hidden' name='ADVANCED' value='yes' />
- <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
+ if ($warnmessage) {
+ &Header::openbox('100%', 'left', $Lang::tr{'warning messages'});
+ print "<class name='base'>$warnmessage";
+ print " </class>";
+ &Header::closebox();
+ }
- <table width='100%'>
+ &Header::openbox('100%', 'left', "$Lang::tr{'advanced'}:");
+ print <<EOF
+ <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='hidden' name='ADVANCED' value='yes' />
+ <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
+
+ <table width='100%'>
<thead>
<tr>
<th width="15%"></th>
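Review bot: the line $checked{'VHOST'} = $cgiparams{'VHOST'} eq 'on' ? "checked='checked'" : '' ; is removed while its four siblings (COMPRESSION, FORCE_MOBIKE, ONLY_PROPOSED, PFS) are re-added unchanged, and the removed save-path line $confighash{$cgiparams{'KEY'}}[14] = $cgiparams{'VHOST'}; has no + counterpart in the visible part of this hunk either; if the VHOST option is being dropped from the advanced page, say so in the commit message and make sure index 14 is no longer filled from form input, because a field the form never submits would be stored as an empty string rather than 'off'. Separately, the re-added error and warning boxes keep print "<class name='base'>$errormessage"; and <class> is not an HTML element, so while these lines are being rewritten anyway change the wrapper to <span class='base'>...</span>.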
@@ -2564,14 +2557,14 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
</td>
</tr>
</tbody>
- </table>
+ </table>
<br><br>
<h2>$Lang::tr{'dead peer detection'}</h2>
- <table width="100%">
- <tr>
+ <table width="100%">
+ <tr>
<td width="15%">$Lang::tr{'dpd action'}:</td>
<td>
<select name='DPD_ACTION'>
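Review bot: this hunk (and the one that follows it) is a whitespace-only reindent of HTML inside a print heredoc: the </table>, <table width="100%"> and <tr> lines change indentation and nothing else. Heredoc contents are emitted verbatim so the change is harmless, but mixing it into the same commit as the functional edits makes those harder to spot; keep reindentation in a separate commit, or at least note in the commit message that most of the diff is whitespace so reviewers know to use git diff -w.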
@@ -2594,11 +2587,11 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
<input type='text' name='DPD_DELAY' size='5' value='$cgiparams{'DPD_DELAY'}' />
</td>
</tr>
- </table>
+ </table>
- <hr>
+ <hr>
- <table width="100%">
+ <table width="100%">
<tr>
<td>
<label>
@@ -2632,18 +2625,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
</td>
</tr>
EOF
- ;
- if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') {
- print "<tr><td><input type='hidden' name='VHOST' value='off' /></td></tr>";
- } elsif ($confighash{$cgiparams{'KEY'}}[10]) {
- print "<tr><td><label><input type='checkbox' name='VHOST' $checked{'VHOST'} disabled='disabled' />";
- print " $Lang::tr{'vpn vhost'}</label></td></tr>";
- } else {
- print "<tr><td><label><input type='checkbox' name='VHOST' $checked{'VHOST'} />";
- print " $Lang::tr{'vpn vhost'}</label></td></tr>";
- }
-
- print <<EOF;
+;
+
+ print <<EOF;
<tr>
<td align='left' colspan='1'><img src='/blob.gif' align='top' alt='*' /> $Lang::tr{'required field'}</td>
<td align='right' colspan='2'>
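Review bot: the if/elsif/else block that emitted the VHOST control is deleted without a replacement, so the advanced form no longer submits a VHOST field in any of the three cases it used to handle (the hidden value 'off' for net-to-net connections, the disabled checkbox when $confighash{$cgiparams{'KEY'}}[10] is set, and the editable checkbox otherwise). Make sure the save branch now sets $confighash{$cgiparams{'KEY'}}[14] to a fixed 'off' (or leaves the stored value alone) instead of copying $cgiparams{'VHOST'}, and mention the removal of the virtual-host option in the commit message, since it is a user-visible change rather than a reindent.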
@@ -2651,58 +2635,58 @@ EOF
<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' />
</td>
</tr>
- </table></form>
+ </table></form>
EOF
- &Header::closebox();
- &Header::closebigbox();
- &Header::closepage();
- exit(0);
+ &Header::closebox();
+ &Header::closebigbox();
+ &Header::closepage();
+ exit(0);
- ADVANCED_END:
+ ADVANCED_END:
}
###
### Default status page
###
- %cgiparams = ();
- %cahash = ();
- %confighash = ();
- &General::readhash("${General::swroot}/vpn/settings", \%cgiparams);
- &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
- &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
- $cgiparams{'CA_NAME'} = '';
-
- my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`;
-
- # suggest a default name for this side
- if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
- if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
- my $ipaddr = <IPADDR>;
- close IPADDR;
- chomp ($ipaddr);
- $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
- if ($cgiparams{'VPN_IP'} eq '') {
- $cgiparams{'VPN_IP'} = $ipaddr;
- }
- }
- }
- # no IP found, use %defaultroute
- $cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq '');
-
- $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'}));
- $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : '';
-
- &Header::showhttpheaders();
- &Header::openpage($Lang::tr{'ipsec'}, 1, '');
- &Header::openbigbox('100%', 'left', '', $errormessage);
-
- if ($errormessage) {
- &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
- print "<class name='base'>$errormessage\n";
- print " </class>\n";
- &Header::closebox();
- }
+ %cgiparams = ();
+ %cahash = ();
+ %confighash = ();
+ &General::readhash("${General::swroot}/vpn/settings", \%cgiparams);
+ &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash);
+ &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
+ $cgiparams{'CA_NAME'} = '';
+
+ my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`;
+
+ # suggest a default name for this side
+ if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
+ if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
+ my $ipaddr = <IPADDR>;
+ close IPADDR;
+ chomp ($ipaddr);
+ $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
+ if ($cgiparams{'VPN_IP'} eq '') {
+ $cgiparams{'VPN_IP'} = $ipaddr;
+ }
+ }
+ }
+ # no IP found, use %defaultroute
+ $cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq '');
+
+ $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'}));
+ $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : '';
+
+ &Header::showhttpheaders();
+ &Header::openpage($Lang::tr{'ipsec'}, 1, '');
+ &Header::openbigbox('100%', 'left', '', $errormessage);
+
+ if ($errormessage) {
+ &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
+ print "<class name='base'>$errormessage\n";
+ print " </class>\n";
+ &Header::closebox();
+ }
if ($warnmessage) {
&Header::openbox('100%', 'left', $Lang::tr{'warning messages'});
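Review bot: in the re-added default-name logic, the result of gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2) is assigned straight to $cgiparams{'VPN_IP'} and is later interpolated into the value='...' attribute of the VPN_IP text input with no validation and no &Header::cleanhtml call (the helper this same patch uses for certificate subjects). A PTR record is data chosen by whoever runs reverse DNS for the RED address, not by this firewall, so restrict the suggested default to hostname characters (falling back to $ipaddr otherwise) or escape it at the point of output.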
@@ -2714,61 +2698,61 @@ EOF
exit 0;
}
- &Header::openbox('100%', 'left', $Lang::tr{'global settings'});
- print <<END
- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
- <table width='100%'>
- <tr>
+ &Header::openbox('100%', 'left', $Lang::tr{'global settings'});
+ print <<END
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <table width='100%'>
+ <tr>
<td width='20%' class='base' nowrap='nowrap'>$Lang::tr{'vpn red name'}: <img src='/blob.gif' alt='*' /></td>
<td width='20%'><input type='text' name='VPN_IP' value='$cgiparams{'VPN_IP'}' /></td>
<td width='20%' class='base'>$Lang::tr{'enabled'}<input type='checkbox' name='ENABLED' $checked{'ENABLED'} /></td>
- </tr>
+ </tr>
END
- ;
+;
print <<END
- <tr>
- <td class='base' nowrap='nowrap'>$Lang::tr{'vpn delayed start'}: <img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /></td>
+ <tr>
+ <td class='base' nowrap='nowrap'>$Lang::tr{'vpn delayed start'}: <img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /></td>
<td ><input type='text' name='VPN_DELAYED_START' value='$cgiparams{'VPN_DELAYED_START'}' /></td>
- </tr>
- <tr>
- <td class='base' nowrap='nowrap'>$Lang::tr{'host to net vpn'}:</td>
+ </tr>
+ <tr>
+ <td class='base' nowrap='nowrap'>$Lang::tr{'host to net vpn'}:</td>
<td ><input type='text' name='RW_NET' value='$cgiparams{'RW_NET'}' /></td>
- </tr>
+ </tr>
</table>
<br>
<hr />
<table width='100%'>
<tr>
- <td class='base' valign='top'><img src='/blob.gif' alt='*' /></td>
- <td width='70%' class='base' valign='top'>$Lang::tr{'required field'}</td><td width='30%' align='right' class='base'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
+ <td class='base' valign='top'><img src='/blob.gif' alt='*' /></td>
+ <td width='70%' class='base' valign='top'>$Lang::tr{'required field'}</td><td width='30%' align='right' class='base'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
</tr>
<tr>
- <td class='base' valign='top' nowrap='nowrap'><img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /> </td>
- <td class='base'> <font class='base'>$Lang::tr{'vpn delayed start help'}</font></td>
- <td></td>
+ <td class='base' valign='top' nowrap='nowrap'><img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /> </td>
+ <td class='base'> <font class='base'>$Lang::tr{'vpn delayed start help'}</font></td>
+ <td></td>
</tr>
</table>
END
-;
- print "</form>";
- &Header::closebox();
-
- &Header::openbox('100%', 'left', $Lang::tr{'connection status and controlc'});
- print <<END
- <table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
- <tr>
+;
+ print "</form>";
+ &Header::closebox();
+
+ &Header::openbox('100%', 'left', $Lang::tr{'connection status and controlc'});
+ print <<END
+ <table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
+ <tr>
<th width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th>
<th width='22%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
<th width='23%' class='boldbase' align='center'><b>$Lang::tr{'common name'}</b></th>
<th width='30%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
<th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
<th class='boldbase' align='center' colspan='6'><b>$Lang::tr{'action'}</b></th>
- </tr>
+ </tr>
END
- ;
- my $id = 0;
- my $gif;
- foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) {
+;
+ my $id = 0;
+ my $gif;
+ foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) {
if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }
if ($id % 2) {
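Review bot: the re-added heredocs use the pattern print <<END on one line, the body, the END terminator, and then a bare ; on a line of its own; this is valid Perl but easy to misread as a stray statement, and the advanced-page code earlier in this patch already uses the clearer print <<EOF; form. Since every one of these blocks is being rewritten for indentation anyway, put the semicolon on the print line. Also, the VPN_IP, VPN_DELAYED_START and RW_NET values are interpolated into value='...' attributes unescaped; they come back from the settings file, so make sure the save path validates each one (hostname or address, integer, network) before it is written there.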
@@ -2781,302 +2765,304 @@ END
print "<td align='center' nowrap='nowrap' $col>$confighash{$key}[1]</td>";
print "<td align='center' nowrap='nowrap' $col>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ") $confighash{$key}[29]</td>";
if ($confighash{$key}[2] eq '%auth-dn') {
- print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[9]</td>";
+ print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[9]</td>";
} elsif ($confighash{$key}[4] eq 'cert') {
- print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[2]</td>";
+ print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[2]</td>";
} else {
- print "<td align='left' $col> </td>";
+ print "<td align='left' $col> </td>";
}
print "<td align='center' $col>$confighash{$key}[25]</td>";
my $col1="bgcolor='${Header::colourred}'";
# get real state
my $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>";
foreach my $line (@status) {
- if (($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) ||
- ($line =~ /$confighash{$key}[1]\{.*INSTALLED/))
- {
- $col1="bgcolor='${Header::colourgreen}'";
- $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>";
- }
- }
- # move to blueif really down
+ if (($line =~ /\"$confighash{$key}[1]\".*IPsec SA established/) ||
+ ($line =~ /$confighash{$key}[1]\{.*INSTALLED/)) {
+ $col1="bgcolor='${Header::colourgreen}'";
+ $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>";
+ }
+ }
+ # move to blue if really down
if ($confighash{$key}[0] eq 'off' && $col1 =~ /${Header::colourred}/ ) {
$col1="bgcolor='${Header::colourblue}'";
- $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>";
+ $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>";
}
print <<END
<td align='center' $col1>$active</td>
<td align='center' $col>
- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
- <input type='image' name='$Lang::tr{'restart'}' src='/images/reload.gif' alt='$Lang::tr{'restart'}' title='$Lang::tr{'restart'}' />
- <input type='hidden' name='ACTION' value='$Lang::tr{'restart'}' />
- <input type='hidden' name='KEY' value='$key' />
- </form>
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='image' name='$Lang::tr{'restart'}' src='/images/reload.gif' alt='$Lang::tr{'restart'}' title='$Lang::tr{'restart'}' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'restart'}' />
+ <input type='hidden' name='KEY' value='$key' />
+ </form>
</td>
END
- ;
+;
if (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn')) {
- print <<END
- <td align='center' $col>
- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ print <<END
+ <td align='center' $col>
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
<input type='image' name='$Lang::tr{'show certificate'}' src='/images/info.gif' alt='$Lang::tr{'show certificate'}' title='$Lang::tr{'show certificate'}' />
<input type='hidden' name='ACTION' value='$Lang::tr{'show certificate'}' />
<input type='hidden' name='KEY' value='$key' />
- </form>
- </td>
+ </form>
+ </td>
END
- ; } else {
- print "<td width='2%' $col> </td>";
+;
+ } else {
+ print "<td width='2%' $col> </td>";
}
- if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/certs/$confighash{$key}[1].p12") {
- print <<END
- <td align='center' $col>
- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/certs/$confighash{$key}[1].p12") {
+ print <<END
+ <td align='center' $col>
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
<input type='image' name='$Lang::tr{'download pkcs12 file'}' src='/images/floppy.gif' alt='$Lang::tr{'download pkcs12 file'}' title='$Lang::tr{'download pkcs12 file'}' />
<input type='hidden' name='ACTION' value='$Lang::tr{'download pkcs12 file'}' />
<input type='hidden' name='KEY' value='$key' />
- </form>
+ </form>
</td>
END
- ; } elsif (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn')) {
- print <<END
- <td align='center' $col>
- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+;
+ } elsif (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn')) {
+ print <<END
+ <td align='center' $col>
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
<input type='image' name='$Lang::tr{'download certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download certificate'}' title='$Lang::tr{'download certificate'}' />
<input type='hidden' name='ACTION' value='$Lang::tr{'download certificate'}' />
<input type='hidden' name='KEY' value='$key' />
- </form>
+ </form>
</td>
END
- ; } else {
- print "<td width='2%' $col> </td>";
+;
+ } else {
+ print "<td width='2%' $col> </td>";
}
print <<END
<td align='center' $col>
- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
- <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable disable'}' title='$Lang::tr{'toggle enable disable'}' />
- <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />
- <input type='hidden' name='KEY' value='$key' />
- </form>
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable disable'}' title='$Lang::tr{'toggle enable disable'}' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />
+ <input type='hidden' name='KEY' value='$key' />
+ </form>
</td>
<td align='center' $col>
- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
- <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />
- <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' />
- <input type='hidden' name='KEY' value='$key' />
- </form>
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />
+ <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' />
+ <input type='hidden' name='KEY' value='$key' />
+ </form>
</td>
<td align='center' $col>
- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
- <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' />
- <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' />
- <input type='hidden' name='KEY' value='$key' />
- </form>
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' />
+ <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' />
+ <input type='hidden' name='KEY' value='$key' />
+ </form>
</td>
</tr>
END
- ;
+;
$id++;
- }
- print "</table>";
-
- # If the config file contains entries, print Key to action icons
- if ( $id ) {
- print <<END
- <table>
- <tr>
- <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td>
- <td> <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
- <td class='base'>$Lang::tr{'click to disable'}</td>
- <td> <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
- <td class='base'>$Lang::tr{'show certificate'}</td>
- <td> <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td>
- <td class='base'>$Lang::tr{'edit'}</td>
- <td> <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td>
- <td class='base'>$Lang::tr{'remove'}</td>
- </tr>
- <tr>
- <td> </td>
- <td> <img src='/images/off.gif' alt='?OFF' /></td>
- <td class='base'>$Lang::tr{'click to enable'}</td>
- <td> <img src='/images/floppy.gif' alt='?FLOPPY' /></td>
- <td class='base'>$Lang::tr{'download certificate'}</td>
- <td> <img src='/images/reload.gif' alt='?RELOAD'/></td>
- <td class='base'>$Lang::tr{'restart'}</td>
- </tr>
- </table>
+ }
+ print "</table>";
+
+ # If the config file contains entries, print Key to action icons
+ if ( $id ) {
+ print <<END
+ <table>
+ <tr>
+ <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td>
+ <td> <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
+ <td class='base'>$Lang::tr{'click to disable'}</td>
+ <td> <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
+ <td class='base'>$Lang::tr{'show certificate'}</td>
+ <td> <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td>
+ <td class='base'>$Lang::tr{'edit'}</td>
+ <td> <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td>
+ <td class='base'>$Lang::tr{'remove'}</td>
+ </tr>
+ <tr>
+ <td> </td>
+ <td> <img src='/images/off.gif' alt='?OFF' /></td>
+ <td class='base'>$Lang::tr{'click to enable'}</td>
+ <td> <img src='/images/floppy.gif' alt='?FLOPPY' /></td>
+ <td class='base'>$Lang::tr{'download certificate'}</td>
+ <td> <img src='/images/reload.gif' alt='?RELOAD'/></td>
+ <td class='base'>$Lang::tr{'restart'}</td>
+ </tr>
+ </table>
END
- ;
- }
+;
+ }
- print <<END
- <table width='100%'>
- <tr><td align='right' colspan='9'>
+ print <<END
+ <table width='100%'>
+ <tr><td align='right' colspan='9'>
<form method='post' action='$ENV{'SCRIPT_NAME'}'>
<input type='submit' name='ACTION' value='$Lang::tr{'add'}' />
</form>
- </td></tr>
- </table>
+ </td></tr>
+ </table>
END
- ;
- &Header::closebox();
+;
+ &Header::closebox();
- &Header::openbox('100%', 'left', "$Lang::tr{'certificate authorities'}");
- print <<EOF
- <table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
- <tr>
+ &Header::openbox('100%', 'left', "$Lang::tr{'certificate authorities'}");
+ print <<EOF
+ <table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
+ <tr>
<th width='25%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th>
<th width='65%' class='boldbase' align='center'><b>$Lang::tr{'subject'}</b></th>
<th width='10%' class='boldbase' colspan='3' align='center'><b>$Lang::tr{'action'}</b></th>
- </tr>
+ </tr>
EOF
- ;
- my $col1="bgcolor='$color{'color22'}'";
+;
+ my $col1="bgcolor='$color{'color22'}'";
my $col2="bgcolor='$color{'color20'}'";
- if (-f "${General::swroot}/ca/cacert.pem") {
- my $casubject = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/cacert.pem"));
- print <<END
- <tr>
- <td class='base' $col1>$Lang::tr{'root certificate'}</td>
- <td class='base' $col1>$casubject</td>
- <td width='3%' align='center' $col1>
- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
- <input type='hidden' name='ACTION' value='$Lang::tr{'show root certificate'}' />
- <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' title='$Lang::tr{'show root certificate'}' />
- </form>
- </td>
- <td width='3%' align='center' $col1>
- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
- <input type='image' name='$Lang::tr{'download root certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download root certificate'}' title='$Lang::tr{'download root certificate'}' />
- <input type='hidden' name='ACTION' value='$Lang::tr{'download root certificate'}' />
- </form>
- </td>
- <td width='4%' $col1> </td></tr>
+ if (-f "${General::swroot}/ca/cacert.pem") {
+ my $casubject = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/cacert.pem"));
+ print <<END
+ <tr>
+ <td class='base' $col1>$Lang::tr{'root certificate'}</td>
+ <td class='base' $col1>$casubject</td>
+ <td width='3%' align='center' $col1>
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='hidden' name='ACTION' value='$Lang::tr{'show root certificate'}' />
+ <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' title='$Lang::tr{'show root certificate'}' />
+ </form>
+ </td>
+ <td width='3%' align='center' $col1>
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='image' name='$Lang::tr{'download root certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download root certificate'}' title='$Lang::tr{'download root certificate'}' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'download root certificate'}' />
+ </form>
+ </td>
+ <td width='4%' $col1> </td></tr>
END
- ;
- } else {
- # display rootcert generation buttons
- print <<END
- <tr>
- <td class='base' $col1>$Lang::tr{'root certificate'}:</td>
- <td class='base' $col1>$Lang::tr{'not present'}</td>
- <td colspan='3' $col1> </td></tr>
+;
+ } else {
+ # display rootcert generation buttons
+ print <<END
+ <tr>
+ <td class='base' $col1>$Lang::tr{'root certificate'}:</td>
+ <td class='base' $col1>$Lang::tr{'not present'}</td>
+ <td colspan='3' $col1> </td></tr>
END
- ;
- }
+;
+ }
- if (-f "${General::swroot}/certs/hostcert.pem") {
- my $hostsubject = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/certs/hostcert.pem"));
+ if (-f "${General::swroot}/certs/hostcert.pem") {
+ my $hostsubject = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/certs/hostcert.pem"));
- print <<END
- <tr>
- <td class='base' $col2>$Lang::tr{'host certificate'}</td>
- <td class='base' $col2>$hostsubject</td>
- <td width='3%' align='center' $col2>
- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
- <input type='hidden' name='ACTION' value='$Lang::tr{'show host certificate'}' />
- <input type='image' name='$Lang::tr{'show host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host certificate'}' title='$Lang::tr{'show host certificate'}' />
- </form>
- </td>
- <td width='3%' align='center' $col2>
- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
- <input type='image' name="$Lang::tr{'download host certificate'}" src='/images/floppy.gif' alt="$Lang::tr{'download host certificate'}" title="$Lang::tr{'download host certificate'}" />
- <input type='hidden' name='ACTION' value="$Lang::tr{'download host certificate'}" />
- </form>
- </td>
- <td width='4%' $col2> </td></tr>
+ print <<END
+ <tr>
+ <td class='base' $col2>$Lang::tr{'host certificate'}</td>
+ <td class='base' $col2>$hostsubject</td>
+ <td width='3%' align='center' $col2>
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='hidden' name='ACTION' value='$Lang::tr{'show host certificate'}' />
+ <input type='image' name='$Lang::tr{'show host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host certificate'}' title='$Lang::tr{'show host certificate'}' />
+ </form>
+ </td>
+ <td width='3%' align='center' $col2>
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='image' name="$Lang::tr{'download host certificate'}" src='/images/floppy.gif' alt="$Lang::tr{'download host certificate'}" title="$Lang::tr{'download host certificate'}" />
+ <input type='hidden' name='ACTION' value="$Lang::tr{'download host certificate'}" />
+ </form>
+ </td>
+ <td width='4%' $col2> </td></tr>
END
- ;
- } else {
- # Nothing
- print <<END
- <tr>
- <td width='25%' class='base' $col2>$Lang::tr{'host certificate'}:</td>
- <td class='base' $col2>$Lang::tr{'not present'}</td>
- <td colspan='3' $col2> </td></tr>
+;
+ } else {
+ # Nothing
+ print <<END
+ <tr>
+ <td width='25%' class='base' $col2>$Lang::tr{'host certificate'}:</td>
+ <td class='base' $col2>$Lang::tr{'not present'}</td>
+ <td colspan='3' $col2> </td></tr>
END
- ;
- }
-
+;
+ }
+
my $rowcolor = 0;
if (keys %cahash > 0) {
foreach my $key (keys %cahash) {
- if ($rowcolor++ % 2) {
- print "<tr>";
- $col="bgcolor='$color{'color20'}'";
- } else {
- print "<tr>";
- $col="bgcolor='$color{'color22'}'";
- }
- print "<td class='base' $col>$cahash{$key}[0]</td>\n";
- print "<td class='base' $col>$cahash{$key}[1]</td>\n";
- print <<END
- <td align='center' $col>
- <form method='post' name='cafrm${key}a' action='$ENV{'SCRIPT_NAME'}'>
- <input type='image' name='$Lang::tr{'show ca certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca certificate'}' title='$Lang::tr{'show ca certificate'}' />
- <input type='hidden' name='ACTION' value='$Lang::tr{'show ca certificate'}' />
- <input type='hidden' name='KEY' value='$key' />
- </form>
- </td>
- <td align='center' $col>
- <form method='post' name='cafrm${key}b' action='$ENV{'SCRIPT_NAME'}'>
- <input type='image' name='$Lang::tr{'download ca certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download ca certificate'}' title='$Lang::tr{'download ca certificate'}' />
- <input type='hidden' name='ACTION' value='$Lang::tr{'download ca certificate'}' />
- <input type='hidden' name='KEY' value='$key' />
- </form>
- </td>
- <td align='center' $col>
- <form method='post' name='cafrm${key}c' action='$ENV{'SCRIPT_NAME'}'>
- <input type='hidden' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
- <input type='image' name='$Lang::tr{'remove ca certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca certificate'}' title='$Lang::tr{'remove ca certificate'}' />
- <input type='hidden' name='KEY' value='$key' />
- </form>
- </td>
- </tr>
+ if ($rowcolor++ % 2) {
+ print "<tr>";
+ $col="bgcolor='$color{'color20'}'";
+ } else {
+ print "<tr>";
+ $col="bgcolor='$color{'color22'}'";
+ }
+ print "<td class='base' $col>$cahash{$key}[0]</td>\n";
+ print "<td class='base' $col>$cahash{$key}[1]</td>\n";
+ print <<END
+ <td align='center' $col>
+ <form method='post' name='cafrm${key}a' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='image' name='$Lang::tr{'show ca certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca certificate'}' title='$Lang::tr{'show ca certificate'}' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'show ca certificate'}' />
+ <input type='hidden' name='KEY' value='$key' />
+ </form>
+ </td>
+ <td align='center' $col>
+ <form method='post' name='cafrm${key}b' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='image' name='$Lang::tr{'download ca certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download ca certificate'}' title='$Lang::tr{'download ca certificate'}' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'download ca certificate'}' />
+ <input type='hidden' name='KEY' value='$key' />
+ </form>
+ </td>
+ <td align='center' $col>
+ <form method='post' name='cafrm${key}c' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='hidden' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
+ <input type='image' name='$Lang::tr{'remove ca certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca certificate'}' title='$Lang::tr{'remove ca certificate'}' />
+ <input type='hidden' name='KEY' value='$key' />
+ </form>
+ </td>
+ </tr>
END
- ;
+;
+ }
}
- }
- print "</table>";
-
- # If the file contains entries, print Key to action icons
- if ( -f "${General::swroot}/ca/cacert.pem") {
- print <<END
- <table><tr>
- <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td>
- <td> <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
- <td class='base'>$Lang::tr{'show certificate'}</td>
- <td> <img src='/images/floppy.gif' alt='$Lang::tr{'download certificate'}' /></td>
- <td class='base'>$Lang::tr{'download certificate'}</td>
- </tr></table>
+ print "</table>";
+
+ # If the file contains entries, print Key to action icons
+ if ( -f "${General::swroot}/ca/cacert.pem") {
+ print <<END
+ <table><tr>
+ <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td>
+ <td> <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
+ <td class='base'>$Lang::tr{'show certificate'}</td>
+ <td> <img src='/images/floppy.gif' alt='$Lang::tr{'download certificate'}' /></td>
+ <td class='base'>$Lang::tr{'download certificate'}</td>
+ </tr></table>
END
- ;
- }
- my $createCA = -f "${General::swroot}/ca/cacert.pem" ? '' : "<tr><td colspan='3'></td><td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td></tr>";
- print <<END
- <br>
- <hr />
- <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>
- <table width='100%' border='0' cellspacing='1' cellpadding='0'>
- $createCA
- <tr>
+;
+ }
+ my $createCA = -f "${General::swroot}/ca/cacert.pem" ? '' : "<tr><td colspan='3'></td><td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td></tr>";
+ print <<END
+ <br>
+ <hr />
+ <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>
+ <table width='100%' border='0' cellspacing='1' cellpadding='0'>
+ $createCA
+ <tr>
<td class='base' nowrap='nowrap'>$Lang::tr{'ca name'}: <img src='/blob.gif' alt='*' /></td>
<td nowrap='nowrap'><input type='text' name='CA_NAME' value='$cgiparams{'CA_NAME'}' size='15' /> </td>
<td nowrap='nowrap'><input type='file' name='FH' size='30' /></td>
<td nowrap='nowrap'><input type='submit' name='ACTION' value='$Lang::tr{'upload ca certificate'}' /></td>
- </tr>
- <tr>
+ </tr>
+ <tr>
<td colspan='3'>$Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}:</td>
<td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' /></td>
- </tr>
- </table>
- </form>
+ </tr>
+ </table>
+ </form>
END
- ;
- &Header::closebox();
- &Header::closebigbox();
- &Header::closepage();
+;
+ &Header::closebox();
+ &Header::closebigbox();
+ &Header::closepage();
sub array_unique($) {
my $array = shift;
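Review bot: The whole region above the `make_algos` context looks like a whitespace-only re-indentation, since every removed line reappears verbatim as an added line; it belongs in a separate commit (or should be reviewed with `git diff -w`) so that the one functional change in this file, `make_subnets`, is not buried under several hundred lines of noise. While re-indenting, the `-f "${General::swroot}/ca/cacert.pem"` test is evaluated twice in a row (once for the legend table, once for `$createCA`); storing the result in a single variable would make the two branches visibly consistent.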
@@ -3132,3 +3118,16 @@ sub make_algos($$$$$) {
return &array_unique(\@algos);
}
+
+sub make_subnets($) {
+ my $subnets = shift;
+
+ my @nets = split(/\|/, $subnets);
+ my @cidr_nets = ();
+ foreach my $net (@nets) {
+ my $cidr_net = &General::ipcidr($net);
+ push(@cidr_nets, $cidr_net);
+ }
+
+ return join(",", @cidr_nets);
+}
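Review bot: `make_subnets` passes every element of the `|`-split list straight to `&General::ipcidr` and joins whatever comes back, so an empty entry (a leading `|` or a doubled `||` in a user-supplied subnet list) and an undefined or empty return value both end up as an empty item in the comma-separated result that is written into the connection configuration. Add a guard in the loop, for example `next unless length $net;` before the conversion and `push(@cidr_nets, $cidr_net) if defined $cidr_net && length $cidr_net;` after it, and consider returning an error to the caller rather than silently dropping malformed entries.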
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index c21bac5..a3c8228 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -2620,7 +2620,6 @@
'vpn statistic n2n' => 'OpenVPN-Netz-zu-Netz-Statistik',
'vpn statistic rw' => 'OpenVPN-Roadwarrior-Statistik',
'vpn subjectaltname' => 'Subjekt Alternativer Name',
-'vpn vhost' => 'Roadwarrior virtuelle IP (manchmal auch Inner-IP genannt)',
'vpn watch' => 'Netz-zu-Netz VPN neu starten, wenn sich Remote-IP ändert (DynDNS).',
'waiting to synchronize clock' => 'Bitte warten, die Uhr wird synchronisiert',
'warn when traffic reaches' => 'Warnen wenn Traffic x % erreicht',
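Review bot: Dropping the `'vpn vhost'` key from the translation tables (here and in the eight language files that follow) is only safe if every `$Lang::tr{'vpn vhost'}` use in the CGI scripts was removed in the same series; a stale reference does not fail loudly in Perl, it just renders as an empty label in the web interface. Please grep the `html/cgi-bin` tree for the key before merging.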
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 783fd0f..55cf228 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -2664,7 +2664,6 @@
'vpn statistic n2n' => 'OpenVPN Net-to-Net Statistics',
'vpn statistic rw' => 'OpenVPN Roadwarrior Statistics',
'vpn subjectaltname' => 'Subject Alt Name',
-'vpn vhost' => 'Roadwarrior virtual IP (sometimes called Inner-IP)',
'vpn watch' => 'Restart net-to-net vpn when remote peer IP changes (dyndns).',
'waiting to synchronize clock' => 'Waiting to synchronize clock',
'warn when traffic reaches' => 'Warn when traffic reaches x %',
diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl
index c0422b1..e24e75e 100644
--- a/langs/es/cgi-bin/es.pl
+++ b/langs/es/cgi-bin/es.pl
@@ -2107,7 +2107,6 @@
'vpn red name' => 'Dirección IP pública o FQDN para la interfaz RED o<%defaultroute>',
'vpn remote id' => 'ID Remoto',
'vpn subjectaltname' => 'Nombre alternativo en Asunto',
-'vpn vhost' => 'IP virtual Roadwarris (también referida como ip-interior)',
'vpn watch' => 'Reinciar vpn net-to-net cuando la ip remota cambie (dyndns)',
'waiting to synchronize clock' => 'Esperando sincronización con el reloj',
'warn when traffic reaches' => 'Advertir cuando el tráfico alcance x %',
diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl
index 43e69a7..0d173ae 100644
--- a/langs/fr/cgi-bin/fr.pl
+++ b/langs/fr/cgi-bin/fr.pl
@@ -2111,7 +2111,6 @@
'vpn red name' => 'IP publique ou nom de domaine complet pour l\'interface ROUGE ou <%defaultroute>',
'vpn remote id' => 'ID Distant',
'vpn subjectaltname' => 'Subject Alt Name',
-'vpn vhost' => 'IP Virtuelle Roadwarrior (parfois appelée Inner-IP)',
'vpn watch' => 'Redémarrer net-to-net VPN si IP hôte distant change (dyndns).',
'waiting to synchronize clock' => 'Attendre la synchronisation de l\'horloge',
'warn when traffic reaches' => 'Avertir lorsque le trafic atteint x %',
diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl
index 0623bd5..950f700 100644
--- a/langs/it/cgi-bin/it.pl
+++ b/langs/it/cgi-bin/it.pl
@@ -2586,7 +2586,6 @@
'vpn red name' => 'IP pubblico o il nome di dominio completo per l\'interfaccia RED o <%defaultroute>',
'vpn remote id' => 'Remote ID',
'vpn subjectaltname' => 'Subject Alt Name',
-'vpn vhost' => 'Roadwarrior virtual IP (sometimes called Inner-IP)',
'vpn watch' => 'Restart net-to-net vpn when remote peer IP changes (dyndns).',
'waiting to synchronize clock' => 'Waiting to synchronize clock',
'warn when traffic reaches' => 'Warn when traffic reaches x %',
diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl
index f748b74..9d90a08 100644
--- a/langs/nl/cgi-bin/nl.pl
+++ b/langs/nl/cgi-bin/nl.pl
@@ -2529,7 +2529,6 @@
'vpn red name' => 'Publiek IP of FQDN voor RODE interface of <%defaultroute>',
'vpn remote id' => 'Remote ID',
'vpn subjectaltname' => 'Onderwerp Alt Naam',
-'vpn vhost' => 'Roadwarrior virtual IP (Ook wel Inner-IP genoemd)',
'vpn watch' => 'Herstart net-to-net vpn wanneer remote peer IP verandert (dyndns).',
'waiting to synchronize clock' => 'Wachten op synchronisatie van klok',
'warn when traffic reaches' => 'Waarschuw wanneer verkeer x % bereikt',
diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl
index 30cc81e..47abf2c 100644
--- a/langs/pl/cgi-bin/pl.pl
+++ b/langs/pl/cgi-bin/pl.pl
@@ -2120,7 +2120,6 @@
'vpn red name' => 'Publiczne IP lub FQDN interfejsu RED lub <%defaultroute>',
'vpn remote id' => 'Zdalne ID',
'vpn subjectaltname' => 'Subject Alt Name',
-'vpn vhost' => 'Roadwarrior virtual IP (sometimes called Inner-IP)',
'vpn watch' => 'Uruchom ponownie vpn net-to-net kiedy zmieni się IP zdalnej końcówki (dyndns).',
'waiting to synchronize clock' => 'Oczekiwanie na synchronizację zegara',
'warn when traffic reaches' => 'Ostrzegaj kiedy ruch osiągnie x %',
diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl
index 8cf985b..6840f81 100644
--- a/langs/ru/cgi-bin/ru.pl
+++ b/langs/ru/cgi-bin/ru.pl
@@ -2115,7 +2115,6 @@
'vpn red name' => 'Внешний IP или FQDN для RED интерфейса или <%defaultroute>',
'vpn remote id' => 'Удалённый ID',
'vpn subjectaltname' => 'Subject Alt Name',
-'vpn vhost' => 'Roadwarrior virtual IP (sometimes called Inner-IP)',
'vpn watch' => 'Перезапускать net-to-net vpn когда удалённый IP меняется (dyndns).',
'waiting to synchronize clock' => 'Ожидается синхронизация',
'warn when traffic reaches' => 'Предупреждать когда трафик возрастает до x %',
diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl
index 5426a06..782bc00 100644
--- a/langs/tr/cgi-bin/tr.pl
+++ b/langs/tr/cgi-bin/tr.pl
@@ -2609,7 +2609,6 @@
'vpn red name' => 'KIRMIZI arabirim veya <%defaultroute> için gerçek IP veya FQDN',
'vpn remote id' => 'Uzak kimlik (ID)',
'vpn subjectaltname' => 'Alternatif konu adı',
-'vpn vhost' => 'Roadwarrior sanal IP (bazen iç IP olarakta adlandırılır)',
'vpn watch' => 'Karşı eş IP değiştirdiğinde (dyndns) ağdan-ağa VPN bağlantısını yeniden başlat. Bu DPD ye yardımcı olur.',
'waiting to synchronize clock' => 'Saat eşleştirmesi bekleniyor',
'warn when traffic reaches' => 'Trafik x % değere ulaştığında uyar',
diff --git a/lfs/initscripts b/lfs/initscripts
index 4005941..141fd66 100755
--- a/lfs/initscripts
+++ b/lfs/initscripts
@@ -177,7 +177,6 @@ $(TARGET) :
ln -sf ../init.d/localnet /etc/rc.d/rcsysinit.d/S80localnet
ln -sf ../init.d/firewall /etc/rc.d/rcsysinit.d/S85firewall
ln -sf ../init.d/network-trigger /etc/rc.d/rcsysinit.d/S90network-trigger
- ln -sf ../init.d/network-vlans /etc/rc.d/rcsysinit.d/S91network-vlans
ln -sf ../init.d/rngd /etc/rc.d/rcsysinit.d/S92rngd
ln -sf ../init.d/wlanclient /etc/rc.d/rc0.d/K82wlanclient
ln -sf ../init.d/wlanclient /etc/rc.d/rc3.d/S19wlanclient
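Review bot: Removing the `S91network-vlans` symlink from the build recipe only affects freshly built images; systems upgraded through the core update still carry `/etc/rc.d/rcsysinit.d/S91network-vlans` pointing at an init script that this series deletes, leaving a dangling symlink that the sysinit runner will try to execute. The core95 update script should remove both the symlink and `/etc/rc.d/init.d/network-vlans` explicitly.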
diff --git a/lfs/udev b/lfs/udev
index e58839c..7d5bdbc 100644
--- a/lfs/udev
+++ b/lfs/udev
@@ -107,6 +107,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
# Install network rules.
install -v -m 755 $(DIR_SRC)/config/udev/network-hotplug-rename \
/lib/udev/network-hotplug-rename
+ install -v -m 755 $(DIR_SRC)/config/udev/network-hotplug-vlan \
+ /lib/udev/network-hotplug-vlan
install -v -m 644 $(DIR_SRC)/config/udev/60-net.rules \
/lib/udev/rules.d
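Review bot: The new `network-hotplug-vlan` helper is installed alongside `network-hotplug-rename` with the same mode, but nothing in this hunk wires it into `60-net.rules`, which is installed unchanged two lines below; confirm that the rules file was updated elsewhere in the series to invoke the helper, otherwise the script ships without ever being triggered.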
diff --git a/make.sh b/make.sh
index c5cf466..95877a4 100755
--- a/make.sh
+++ b/make.sh
@@ -25,7 +25,7 @@
NAME="IPFire" # Software name
SNAME="ipfire" # Short name
VERSION="2.17" # Version number
-CORE="94" # Core Level (Filename)
+CORE="95" # Core Level (Filename)
PAKFIRE_CORE="94" # Core Level (PAKFIRE)
GIT_BRANCH=`git rev-parse --abbrev-ref HEAD` # Git Branch
SLOGAN="www.ipfire.org" # Software slogan
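Review bot: `CORE` is bumped to 95 while `PAKFIRE_CORE` two lines below stays at 94; if that is the usual practice of bumping the Pakfire level only at release time it is fine, but it is worth a line in the commit message, since the two values drifting apart is also exactly what a forgotten edit would look like.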
diff --git a/src/initscripts/init.d/network-vlans b/src/initscripts/init.d/network-vlans
deleted file mode 100644
index a6a75c3..0000000
--- a/src/initscripts/init.d/network-vlans
+++ /dev/null
@@ -1,113 +0,0 @@
-#!/bin/bash
-############################################################################
-# #
-# This file is part of the IPFire Firewall. #
-# #
-# IPFire is free software; you can redistribute it and/or modify #
-# it under the terms of the GNU General Public License as published by #
-# the Free Software Foundation; either version 2 of the License, or #
-# (at your option) any later version. #
-# #
-# IPFire is distributed in the hope that it will be useful, #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
-# GNU General Public License for more details. #
-# #
-# You should have received a copy of the GNU General Public License #
-# along with IPFire; if not, write to the Free Software #
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
-# #
-# Copyright (C) 2012 IPFire Team <info(a)ipfire.org> #
-# #
-############################################################################
-
-CONFIG_FILE="/var/ipfire/ethernet/vlans"
-
-# Skip immediately if no configuration file has been found.
-[ -e "${CONFIG_FILE}" ] || exit 0
-
-eval $(/usr/local/bin/readhash ${CONFIG_FILE})
-
-# This is start or stop.
-action=${1}
-
-for interface in green0 red0 blue0 orange0; do
- case "${interface}" in
- green*)
- PARENT_DEV=${GREEN_PARENT_DEV}
- VLAN_ID=${GREEN_VLAN_ID}
- MAC_ADDRESS=${GREEN_MAC_ADDRESS}
- ;;
- red*)
- PARENT_DEV=${RED_PARENT_DEV}
- VLAN_ID=${RED_VLAN_ID}
- MAC_ADDRESS=${RED_MAC_ADDRESS}
- ;;
- blue*)
- PARENT_DEV=${BLUE_PARENT_DEV}
- VLAN_ID=${BLUE_VLAN_ID}
- MAC_ADDRESS=${BLUE_MAC_ADDRESS}
- ;;
- orange*)
- PARENT_DEV=${ORANGE_PARENT_DEV}
- VLAN_ID=${ORANGE_VLAN_ID}
- MAC_ADDRESS=${ORANGE_MAC_ADDRESS}
- ;;
- esac
-
- case "${action}" in
- start)
- # If no parent device has been configured, we assume
- # that this interface is not set up for VLANs and
- # silently go on.
- [ -z "${PARENT_DEV}" ] && continue
-
- # Check if the interface does already exists.
- # If so, we skip creating it.
- if [ -d "/sys/class/net/${interface}" ]; then
- echo "Interface ${interface} already exists." >&2
- continue
- fi
-
- # Check if the parent interface exists.
- if [ ! -d "/sys/class/net/${PARENT_DEV}" ]; then
- echo "${interface}: Parent device is not set or does not exist: ${PARENT_DEV}" >&2
- continue
- fi
-
- if [ -z "${VLAN_ID}" ]; then
- echo "${interface}: You did not set the VLAN ID." >&2
- continue
- fi
-
- # Build command line.
- command="ip link add link ${PARENT_DEV} name ${interface}"
- if [ -n "${MAC_ADDRESS}" ]; then
- command="${command} address ${MAC_ADDRESS}"
- fi
- command="${command} type vlan id ${VLAN_ID}"
-
- echo "Creating VLAN interface ${interface}..."
- ${command}
-
- # Bring up the parent device.
- ip link set ${PARENT_DEV} up
- ;;
-
- stop)
- if [ ! -e "/proc/net/vlan/${interface}" ]; then
- echo "${interface} is not a VLAN interface. Skipping."
- continue
- fi
-
- echo "Removing VLAN interface ${interface}..."
- ip link set ${interface} down
- ip link delete ${interface}
- ;;
-
- *)
- echo "Invalid action: ${action}"
- exit 1
- ;;
- esac
-done
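Review bot: Deleting `network-vlans` removes the `stop` path (`ip link set ${interface} down` followed by `ip link delete ${interface}`) together with the `start` path, and the udev helper that replaces it (`/lib/udev/network-hotplug-vlan`, installed by the `lfs/udev` hunk) is, by its name and location, driven by device add events only. Please confirm that nothing in the system still relies on tearing down the VLAN interfaces on shutdown or when the configuration in `/var/ipfire/ethernet/vlans` changes, and that the new helper reproduces the old script's checks (parent device present, `VLAN_ID` set, interface not already existing) before it calls `ip link add`.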
hooks/post-receive
--
IPFire 2.x development tree