Bug #8480

common/user name not expanded in openvpn.attributes.php (when doing per-user fw rules)

Added by Michal Soltys about 1 year ago. Updated about 1 year ago.

Status: Resolved
Priority: Normal
Assignee:
Category: OpenVPN
Target version:
Start date: 04/24/2018
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.4.3
Affected Architecture: All

Description

As requested on forums (https://forum.pfsense.org/index.php?topic=146908.0) opening bug report.

It seems there are some issues with passing the environment, as the aforementioned script responsible for parsing cisco-avpairs is unable to get the user name and tries to install PF rules at a blank anchor - 'openvpn/' instead of 'openvpn/<user>'. The pairs themselves are parsed correctly (tested that separately), but the only end effect is always something like this in the logs:

Apr 19 16:06:41     openvpn         user 'msl' authenticated
Apr 19 16:06:41     openvpn         /openvpn.auth-user.php: The command '/sbin/pfctl -a 'openvpn/' -f /tmp/ovpn_2060''.rules' returned exit code '1', the output was 'pfctl: pfctl_rules'

The code in question is:

if (!empty($rules)) {
        $pid = posix_getpid();
        @file_put_contents("/tmp/ovpn_{$pid}{$common_name}.rules", $rules);
        mwexec("/sbin/pfctl -a " . escapeshellarg("openvpn/{$common_name}") . " -f {$g['tmp_path']}/ovpn_{$pid}" . escapeshellarg($common_name) . ".rules");
        @unlink("{$g['tmp_path']}/ovpn_{$pid}{$common_name}.rules");
}

Common name should be set correctly by the following part, but for some reason it isn't:

if (empty($common_name)) {
    $common_name = getenv("common_name");
    if (empty($common_name)) {
        $common_name = getenv("username");
    }
}

Associated revisions

Revision a2e92e18 (diff)
Added by Jim Pingle about 1 year ago

Since OpenVPN user attributes come from RADIUS which keys off username, use that and not common_name which may be empty. Fixes #8480

Revision d62d089d (diff)
Added by Jim Pingle about 1 year ago

Since OpenVPN user attributes come from RADIUS which keys off username, use that and not common_name which may be empty. Fixes #8480

(cherry picked from commit a2e92e18a35112ec59d18d3555f89668d9e07a11)
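
An added example, not pfSense code and not the code from the revisions above: one way to pick the anchor name with username tried first, and to refuse an empty or unsafe name before any pfctl command is built, so a blank 'openvpn/' anchor is never targeted. The helper names, the allow-list pattern and the sample environments are assumptions; it needs PHP 7.1 or later and only prints the command it would run.

```php
<?php
// Added example, not pfSense code; helper names are hypothetical.

// Pick the name that keys the per-user anchor. username is tried first
// (RADIUS attributes key off it); common_name is a fallback and may be empty.
function resolve_anchor_user(array $env): ?string {
    foreach (['username', 'common_name'] as $key) {
        $value = trim((string)($env[$key] ?? ''));
        if ($value === '') {
            continue;
        }
        // Assumed allow-list: no '/', quotes or whitespace, so the value
        // cannot change the anchor path or the rules file name.
        $ok = preg_match('/^[A-Za-z0-9][A-Za-z0-9._@-]{0,63}$/', $value) === 1;
        return $ok ? $value : null;
    }
    return null;
}

// Compute the rules file path once and quote it as a whole, so the file
// that is written and the file pfctl is told to load cannot differ.
function build_pfctl_load(string $user, string $tmp_path, int $pid): array {
    $file = "{$tmp_path}/ovpn_{$pid}_{$user}.rules";
    $cmd = '/sbin/pfctl -a ' . escapeshellarg("openvpn/{$user}")
        . ' -f ' . escapeshellarg($file);
    return [$file, $cmd];
}

// Constructed sample environments; a real hook would pass getenv() values.
$samples = [
    'password auth, empty CN' => ['username' => 'msl', 'common_name' => ''],
    'username and CN set'     => ['username' => 'msl', 'common_name' => 'laptop-01'],
    'nothing set'             => [],
    'unsafe username'         => ['username' => '../x'],
];

foreach ($samples as $label => $env) {
    $user = resolve_anchor_user($env);
    if ($user === null) {
        // Fail closed: never load rules into the bare 'openvpn/' anchor.
        echo "{$label}: no usable user name, rule load skipped\n";
        continue;
    }
    [$file, $cmd] = build_pfctl_load($user, '/tmp', 2060);
    echo "{$label}: write {$file}, then run {$cmd}\n";
}
```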

History

#1 Updated by Jim Pingle about 1 year ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#2 Updated by Jim Pingle about 1 year ago

  • Assignee set to Jim Pingle
  • Target version set to 2.4.4
  • Affected Architecture set to All

#3 Updated by Jim Pingle about 1 year ago

  • Target version changed from 2.4.4 to 2.4.3-p1

#4 Updated by Jim Pingle about 1 year ago

  • Status changed from Feedback to Resolved
