Bug #8480

closed

common/user name not expanded in openvpn.attributes.php (when doing per-user fw rules)

Added by Michal Soltys almost 6 years ago. Updated almost 6 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: OpenVPN
Target version:
Start date: 04/24/2018
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.3
Affected Architecture: All

Description

As requested on the forums (https://forum.pfsense.org/index.php?topic=146908.0), opening a bug report.

It seems there are some issues with passing the environment, as the aforementioned script responsible for parsing cisco-avpairs is unable to get the user name and tries to install PF rules at a blank anchor: 'openvpn/' instead of 'openvpn/<user>'. The pairs themselves are parsed correctly (tested that separately), but the only end effect is always something like this in the logs:

Apr 19 16:06:41     openvpn         user 'msl' authenticated
Apr 19 16:06:41     openvpn         /openvpn.auth-user.php: The command '/sbin/pfctl -a 'openvpn/' -f /tmp/ovpn_2060''.rules' returned exit code '1', the output was 'pfctl: pfctl_rules'

The code in question is:

if (!empty($rules)) {
        $pid = posix_getpid();
        @file_put_contents("/tmp/ovpn_{$pid}{$common_name}.rules", $rules);
        mwexec("/sbin/pfctl -a " . escapeshellarg("openvpn/{$common_name}") . " -f {$g['tmp_path']}/ovpn_{$pid}" . escapeshellarg($common_name) . ".rules");
        @unlink("{$g['tmp_path']}/ovpn_{$pid}{$common_name}.rules");
}

Common name should be set correctly by the following part, but for some reason it isn't:

if (empty($common_name)) {
    $common_name = getenv("common_name");
    if (empty($common_name)) {
        $common_name = getenv("username");
    }
}
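
The failure mode in this report, handled defensively, as an added example that is not pfSense code and not part of the original report: it resolves the name with the same common_name/username fallback and refuses to build a pfctl command when no name is available. The function names, the `_` separator in the file name and the character allowlist are assumptions made for illustration.

```php
<?php
// Added illustration, not pfSense code; function names are hypothetical.

// Same fallback order as the snippet above: common_name, then username.
function resolve_client_name(array $env): string
{
    foreach (['common_name', 'username'] as $key) {
        $value = trim((string)($env[$key] ?? ''));
        if ($value !== '') {
            return $value;
        }
    }
    return '';
}

// Returns the rules file path and pfctl command, or null when there is no
// usable name, so rules are never loaded into the bare 'openvpn/' anchor.
function build_anchor_plan(string $name, string $tmpPath, int $pid): ?array
{
    // Assumption: a conservative allowlist; '/' is excluded because the name
    // ends up in both an anchor path and a file name.
    if (!preg_match('/\A[A-Za-z0-9._@-]{1,64}\z/', $name)) {
        return null;
    }
    $file = "{$tmpPath}/ovpn_{$pid}_{$name}.rules";
    $cmd = '/sbin/pfctl -a ' . escapeshellarg("openvpn/{$name}")
         . ' -f ' . escapeshellarg($file);
    return ['file' => $file, 'cmd' => $cmd];
}

// Constructed sample environments (not taken from a real system).
$samples = [
    'common_name set' => ['common_name' => 'msl', 'username' => 'other'],
    'username only'   => ['username' => 'msl'],
    'neither set'     => [],
];

foreach ($samples as $label => $env) {
    $plan = build_anchor_plan(resolve_client_name($env), '/tmp', 2060);
    if ($plan === null) {
        // Fail closed and say why, instead of letting pfctl exit with code 1.
        echo "{$label}: no usable client name, not loading rules\n";
        continue;
    }
    echo "{$label}: {$plan['cmd']}\n";
}
```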