pfSense

<?php

/*

 * config.lib.inc

 *

 * part of pfSense (https://www.pfsense.org)

 * Copyright (c) 2004-2018 Rubicon Communications, LLC (Netgate)

 * Copyright (c) 2009 Erik Kristensen

 * All rights reserved.

 *

 * originally part of m0n0wall (http://m0n0.ch/wall)

 * Copyright (c) 2003-2004 Manuel Kasper <mk@neon1.net>.

 * All rights reserved.

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 * http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

/****f* config/encrypted_configxml

 * NAME

 *   encrypted_configxml - Checks to see if config.xml is encrypted and if so, prompts to unlock.

 * INPUTS

 *   None

 * RESULT

 *   $config 	- rewrites config.xml without encryption

 ******/

function encrypted_configxml() {

	global $g, $config;

	if (!file_exists($g['conf_path'] . "/config.xml")) {

		return;

	}

	if (!platform_booting()) {

		return;

	}

	$configtxt = file_get_contents($g['conf_path'] . "/config.xml");

	if (tagfile_deformat($configtxt, $configtxt, "config.xml")) {

		$fp = fopen('php://stdin', 'r');

		$data = "";

		echo "\n\n*** Encrypted config.xml detected ***\n";

		while ($data == "") {

			echo "\nEnter the password to decrypt config.xml: ";

			$decrypt_password = chop(fgets($fp));

			$data = decrypt_data($configtxt, $decrypt_password);

			if (!strstr($data, "<pfsense>")) {

				$data = "";

			}

			if ($data) {

				$fd = fopen($g['conf_path'] . "/config.xml.tmp", "w");

				fwrite($fd, $data);

				fclose($fd);

				exec("/bin/mv {$g['conf_path']}/config.xml.tmp {$g['conf_path']}/config.xml");

				echo "\n" . gettext("Config.xml unlocked.") . "\n";

				fclose($fp);

				pfSense_fsync("{$g['conf_path']}/config.xml");

			} else {

				echo "\n" . gettext("Invalid password entered.  Please try again.") . "\n";

			}

		}

	}

}

/****f* config/parse_config

 * NAME

 *   parse_config - Read in config.cache or config.xml if needed and return $config array

 * INPUTS

 *   $parse       - boolean to force parse_config() to read config.xml and generate config.cache

 * RESULT

 *   $config      - array containing all configuration variables

 ******/

function parse_config($parse = false) {

	global $g, $config_parsed, $config_extra;

	$lockkey = lock('config');

	$config_parsed = false;

	if (!file_exists("{$g['conf_path']}/config.xml") || filesize("{$g['conf_path']}/config.xml") == 0) {

		$last_backup = discover_last_backup();

		if ($last_backup) {

			log_error(gettext("No config.xml found, attempting last known config restore."));

			file_notice("config.xml", gettext("No config.xml found, attempting last known config restore."), "pfSenseConfigurator", "");

			restore_backup("{$g['conf_path']}/backup/{$last_backup}");

		} else {

			unlock($lockkey);

			die(gettext("Config.xml is corrupted and is 0 bytes.  Could not restore a previous backup."));

		}

	}

	if (platform_booting(true)) {

		echo ".";

	}

	// Check for encrypted config.xml

	encrypted_configxml();

	if (!$parse) {

		if (file_exists($g['tmp_path'] . '/config.cache')) {

			$config = unserialize(file_get_contents($g['tmp_path'] . '/config.cache'));

			if (!is_array($config)) {

				$parse = true;

			}

		} else {

			$parse = true;

		}

	}

	if ($parse == true) {

		if (!file_exists($g['conf_path'] . "/config.xml")) {

			if (platform_booting(true)) {

				echo ".";

			}

			log_error("No config.xml found, attempting last known config restore.");

			file_notice("config.xml", "No config.xml found, attempting last known config restore.", "pfSenseConfigurator", "");

			$last_backup = discover_last_backup();

			if ($last_backup) {

				restore_backup("/cf/conf/backup/{$last_backup}");

			} else {

				log_error(gettext("Could not restore config.xml."));

				unlock($lockkey);

				die(gettext("Config.xml is corrupted and is 0 bytes.  Could not restore a previous backup."));

			}

		}

		$config = parse_xml_config($g['conf_path'] . '/config.xml', array($g['xml_rootobj'], 'pfsense'));

		if ($config == -1) {

			$last_backup = discover_last_backup();

			if ($last_backup) {

				restore_backup("/cf/conf/backup/{$last_backup}");

			} else {

				log_error(gettext("Could not restore config.xml."));

				unlock($lockkey);

				die("Config.xml is corrupted and is 0 bytes.  Could not restore a previous backup.");

			}

		}

		generate_config_cache($config);

	}

	if (platform_booting(true)) {

		echo ".";

	}

	$config_parsed = true;

	unlock($lockkey);

	alias_make_table($config);

	return $config;

}

/****f* config/generate_config_cache

 * NAME

 *   generate_config_cache - Write serialized configuration to cache.

 * INPUTS

 *   $config	- array containing current firewall configuration

 * RESULT

 *   boolean	- true on completion

 ******/

function generate_config_cache($config) {

	global $g, $config_extra;

	$configcache = fopen($g['tmp_path'] . '/config.cache', "w");

	fwrite($configcache, serialize($config));

	fclose($configcache);

	pfSense_fsync("{$g['tmp_path']}/config.cache");

	unset($configcache);

	/* Used for config.extra.xml */

	if (file_exists($g['tmp_path'] . '/config.extra.cache') && $config_extra) {

		$configcacheextra = fopen($g['tmp_path'] . '/config.extra.cache', "w");

		fwrite($configcacheextra, serialize($config_extra));

		fclose($configcacheextra);

		pfSense_fsync("{$g['tmp_path']}/config.extra.cache");

		unset($configcacheextra);

	}

}

function discover_last_backup() {

	$backups = glob('/cf/conf/backup/*.xml');

	$last_backup = "";

	$last_mtime = 0;

	foreach ($backups as $backup) {

		if (filemtime($backup) > $last_mtime) {

			$last_mtime = filemtime($backup);

			$last_backup = $backup;

		}

	}

	return basename($last_backup);

}

function restore_backup($file) {

	global $g;

	if (file_exists($file)) {

		unlink_if_exists("{$g['tmp_path']}/config.cache");

		copy("$file", "/cf/conf/config.xml");

		pfSense_fsync("/cf/conf/config.xml");

		pfSense_fsync($g['conf_path']);

		disable_security_checks();

		log_error(sprintf(gettext('%1$s is restoring the configuration %2$s'), $g['product_name'], $file));

		file_notice("config.xml", sprintf(gettext('%1$s is restoring the configuration %2$s'), $g['product_name'], $file), "pfSenseConfigurator", "");

	}

}

/****f* config/parse_config_bootup

 * NAME

 *   parse_config_bootup - Bootup-specific configuration checks.

 * RESULT

 *   null

 ******/

function parse_config_bootup() {

	global $config, $g;

	if (platform_booting()) {

		echo ".";

	}

	$lockkey = lock('config');

	if (!file_exists("{$g['conf_path']}/config.xml")) {

		if (platform_booting()) {

			$last_backup = discover_last_backup();

			if ($last_backup) {

				log_error("No config.xml found, attempting last known config restore.");

				file_notice("config.xml", gettext("No config.xml found, attempting last known config restore."), "pfSenseConfigurator", "");

				restore_backup("/cf/conf/backup/{$last_backup}");

			}

			if (!file_exists("{$g['conf_path']}/config.xml")) {

				echo sprintf(gettext("XML configuration file not found.  %s cannot continue booting."), $g['product_name']) . "\n";

				unlock($lockkey);

				mwexec("/sbin/halt");

				exit;

			}

			log_error("Last known config found and restored.  Please double check the configuration file for accuracy.");

			file_notice("config.xml", gettext("Last known config found and restored.  Please double check the configuration file for accuracy."), "pfSenseConfigurator", "");

		} else {

			unlock($lockkey);

			log_error(gettext("Could not find a usable configuration file! Exiting...."));

			exit(0);

		}

	}

	if (filesize("{$g['conf_path']}/config.xml") == 0) {

		$last_backup = discover_last_backup();

		if ($last_backup) {

			log_error(gettext("No config.xml found, attempting last known config restore."));

			file_notice("config.xml", gettext("No config.xml found, attempting last known config restore."), "pfSenseConfigurator", "");

			restore_backup("{$g['conf_path']}/backup/{$last_backup}");

		} else {

			unlock($lockkey);

			die(gettext("Config.xml is corrupted and is 0 bytes.  Could not restore a previous backup."));

		}

	}

	unlock($lockkey);

	$config = parse_config(true);

	if ((float)$config['version'] > (float)$g['latest_config']) {

		echo <<<EOD

*******************************************************************************

* WARNING!                                                                    *

* The current configuration has been created with a newer version of {$g['product_name']}  *

* than this one! This can lead to serious misbehavior and even security       *

* holes! You are urged to either upgrade to a newer version of {$g['product_name']} or     *

* revert to the default configuration immediately!                            *

*******************************************************************************

EOD;

		}

	/* make alias table (for faster lookups) */

	alias_make_table($config);

}

/****f* config/conf_mount_rw

 * NAME

 *   conf_mount_rw - Mount filesystems read/write.

 * RESULT

 *   null

 ******/

/* mount flash card read/write */

function conf_mount_rw() {

	/* Obsoleted. Keep it here untill all calls are removed */

	return;

}

/****f* config/conf_mount_ro

 * NAME

 *   conf_mount_ro - Mount filesystems readonly.

 * RESULT

 *   null

 ******/

function conf_mount_ro() {

	/* Obsoleted. Keep it here untill all calls are removed */

	return;

}

/****f* config/convert_config

 * NAME

 *   convert_config - Attempt to update config.xml.

 * DESCRIPTION

 *   convert_config() reads the current global configuration

 *   and attempts to convert it to conform to the latest

 *   config.xml version. This allows major formatting changes

 *   to be made with a minimum of breakage.

 * RESULT

 *   null

 ******/

/* convert configuration, if necessary */

function convert_config() {

	global $config, $g;

	$now = date("H:i:s");

	log_error(sprintf(gettext("Start Configuration upgrade at %s, set execution timeout to 15 minutes"), $now));

	//ini_set("max_execution_time", "900");

	/* special case upgrades */

	/* fix every minute crontab bogons entry */

	if (is_array($config['cron'])) {

		$cron_item_count = count($config['cron']['item']);

		for ($x = 0; $x < $cron_item_count; $x++) {

			if (stristr($config['cron']['item'][$x]['command'], "rc.update_bogons.sh")) {

				if ($config['cron']['item'][$x]['hour'] == "*") {

					$config['cron']['item'][$x]['hour'] = "3";

					write_config(gettext("Updated bogon update frequency to 3am"));

					log_error(gettext("Updated bogon update frequency to 3am"));

				}

			}

		}

	}

	// Save off config version

	$prev_version = $config['version'];

	include_once('auth.inc');

	include_once('upgrade_config.inc');

	if (file_exists("/etc/inc/upgrade_config_custom.inc")) {

		include_once("upgrade_config_custom.inc");

	}

	if ($config['version'] == $g['latest_config']) {

		additional_config_upgrade();

		return;		/* already at latest version */

	}

	if (!is_array($config['system']['already_run_config_upgrade'])) {

		$config['system']['already_run_config_upgrade'] = array();

	}

	$already_run = $config['system']['already_run_config_upgrade'];

	/* Loop and run upgrade_VER_to_VER() until we're at current version */

	while ($config['version'] < $g['latest_config']) {

		$cur = $config['version'] * 10;

		$next = $cur + 1;

		$migration_function = sprintf('upgrade_%03d_to_%03d', $cur,

		    $next);

		foreach (array("", "_custom") as $suffix) {

			$migration_function .= $suffix;

			if (!function_exists($migration_function)) {

				continue;

			}

			if (isset($already_run[$migration_function])) {

				/* Already executed, skip now */

				unset($config['system']

				    ['already_run_config_upgrade']

				    [$migration_function]);

			} else {

				$migration_function();

			}

		}

		$config['version'] = sprintf('%.1f', $next / 10);

		if (platform_booting()) {

			echo ".";

		}

	}

	if ($prev_version != $config['version']) {

		$now = date("H:i:s");

		log_error(sprintf(gettext("Ended Configuration upgrade at %s"), $now));

		write_config(sprintf(gettext('Upgraded config version level from %1$s to %2$s'), $prev_version, $config['version']));

	}

	additional_config_upgrade();

}

/****f* config/safe_write_file

 * NAME

 *   safe_write_file - Write a file out atomically

 * DESCRIPTION

 *   safe_write_file() Writes a file out atomically by first writing to a

 *   temporary file of the same name but ending with the pid of the current

 *   process, them renaming the temporary file over the original.

 * INPUTS

 *   $filename  - string containing the filename of the file to write

 *   $content   - string or array containing the file content to write to file

 *   $force_binary      - boolean denoting whether we should force binary

 *   mode writing.

 * RESULT

 *   boolean - true if successful, false if not

 ******/

function safe_write_file($file, $content, $force_binary = false) {

	$tmp_file = $file . "." . getmypid();

	$write_mode = $force_binary ? "wb" : "w";

	$fd = fopen($tmp_file, $write_mode);

	if (!$fd) {

		// Unable to open temporary file for writing

		return false;

	}

	if (is_array($content)) {

		foreach ($content as $line) {

			if (!fwrite($fd, $line . "\n")) {

				// Unable to write to temporary file

				fclose($fd);

				return false;

			}

		}

	} elseif (!fwrite($fd, $content)) {

		// Unable to write to temporary file

		fclose($fd);

		return false;

	}

	fflush($fd);

	fclose($fd);

	if (!pfSense_fsync($tmp_file) || !rename($tmp_file, $file)) {

		// Unable to move temporary file to original

		@unlink($tmp_file);

		return false;

	}

	// Sync file before returning

	return pfSense_fsync($file);

}

/****f* config/write_config

 * NAME

 *   write_config - Backup and write the firewall configuration.

 * DESCRIPTION

 *   write_config() handles backing up the current configuration,

 *   applying changes, and regenerating the configuration cache.

 * INPUTS

 *   $desc	- string containing the a description of configuration changes

 *   $backup	- boolean: do not back up current configuration if false.

 *   $write_config_only	- boolean: do not sync or reload anything; just save the configuration if true.

 * RESULT

 *   null

 ******/

/* save the system configuration */

function write_config($desc="Unknown", $backup = true, $write_config_only = false) {

	global $config, $g;

	if (!empty($_SERVER['REMOTE_ADDR'])) {

		@phpsession_begin();

		if (!empty($_SESSION['Username']) && ($_SESSION['Username'] != "admin")) {

			$user = getUserEntry($_SESSION['Username']);

			if (is_array($user) && userHasPrivilege($user, "user-config-readonly")) {

				syslog(LOG_AUTHPRIV, sprintf(gettext("Save config permission denied by the 'User - Config: Deny Config Write' permission for user '%s'."), get_config_user()));

				phpsession_end(true);

				return false;

			}

		}

		if (!isset($argc)) {

			phpsession_end(true);

		}

	}

	if (isset($config['reset_factory_defaults'])) {

		/*

		   We have put a default config.xml on disk and are about to reboot

		   or reload it. Do not let any system or package code try to save

		   state to config because that would overwrite the default config

		   with the running config.

		*/

		return false;

	}

	if ($backup) {

		backup_config();

	}

	$config['revision'] = make_config_revision_entry($desc);

	$lockkey = lock('config', LOCK_EX);

	/* generate configuration XML */

	$xmlconfig = dump_xml_config($config, $g['xml_rootobj']);

	/* write new configuration */

	if (!safe_write_file("{$g['cf_conf_path']}/config.xml", $xmlconfig)) {

		log_error(gettext("WARNING: Config contents could not be saved. Could not open file!"));

		unlock($lockkey);

		file_notice("config.xml", sprintf(gettext('Unable to open %1$s/config.xml for writing in write_config()%2$s'), $g['cf_conf_path'], "\n"));

		return -1;

	}

	cleanup_backupcache(true);

	/* re-read configuration */

	/* NOTE: We assume that the file can be parsed since we wrote it. */

	$config = parse_xml_config("{$g['conf_path']}/config.xml", $g['xml_rootobj']);

	if ($config == -1) {

		copy("{$g['conf_path']}/config.xml", "{$g['conf_path']}/config.xml.bad");

		$last_backup = discover_last_backup();

		if ($last_backup) {

			restore_backup("/cf/conf/backup/{$last_backup}");

			$config = parse_xml_config("{$g['conf_path']}/config.xml", $g['xml_rootobj']);

			if (platform_booting()) {

				echo "\n\n ************** WARNING **************";

				echo "\n\n Configuration could not be validated. A previous configuration was restored. \n";

				echo "\n The failed configuration file has been saved as {$g['conf_path']}/config.xml.bad \n\n";

			}

		} else {

			log_error(gettext("Could not restore config.xml."));

		}

	} else {

		generate_config_cache($config);

	}

	unlock($lockkey);

	if ($write_config_only) {

		return $config;

	}

	unlink_if_exists("/usr/local/pkg/pf/carp_sync_client.php");

	/* sync carp entries to other firewalls */

	carp_sync_client();

	if (is_dir("/usr/local/pkg/write_config")) {

		/* process packager manager custom rules */

		run_plugins("/usr/local/pkg/write_config/");

	}

	// Try the core AutoConfigBackup system

	if (is_array($config['system']['acb']) && $config['system']['acb']['enable'] == "yes") {

		require_once("acb.inc");

		upload_config();

	}

	return $config;

}

/****f* config/reset_factory_defaults

 * NAME

 *   reset_factory_defaults - Reset the system to its default configuration.

 * RESULT

 *   integer	- indicates completion

 ******/

function reset_factory_defaults($lock = false, $reboot_required = true) {

	global $config, $g;

	/* Remove all additional packages */

	mwexec("/bin/sh /usr/local/sbin/{$g['product_name']}-upgrade " .

	    "-r ALL_PACKAGES -f");

	if (!$lock) {

		$lockkey = lock('config', LOCK_EX);

	}

	/* create conf directory, if necessary */

	safe_mkdir($g['cf_conf_path']);

	/* clear out /conf */

	$dh = opendir($g['conf_path']);

	while ($filename = readdir($dh)) {

		if (($filename != ".") && ($filename != "..") &&

		    (!is_dir($g['conf_path'] . "/" . $filename))) {

			unlink_if_exists($g['conf_path'] . "/" . $filename);

		}

	}

	closedir($dh);

	unlink_if_exists($g['tmp_path'] . "/config.cache");

	/* copy default configuration */

	copy("{$g['conf_default_path']}/config.xml",

	    "{$g['cf_conf_path']}/config.xml");

	disable_security_checks();

	/*

	   Let write_config know that we are awaiting reload of the current config

	   to factory defaults. Either the system is about to reboot, throwing away

	   the current in-memory config as it shuts down, or the in-memory config

	   is about to be reloaded on-the-fly by parse_config.

	   In both cases, we want to ensure that write_config does not flush the

	   in-memory config back to disk.

	*/

	$config['reset_factory_defaults'] = true;

	/* call the wizard */

	if ($reboot_required) {

		// If we need a reboot first then touch a different trigger file.

		touch("/conf/trigger_initial_wizard_after_reboot");

	} else {

		touch("/conf/trigger_initial_wizard");

	}

	if (!$lock) {

		unlock($lockkey);

	}

	setup_serial_port();

	return 0;

}

function config_restore($conffile) {

	global $config, $g;

	if (!file_exists($conffile)) {

		return 1;

	}

	backup_config();

	$lockkey = lock('config', LOCK_EX);

	unlink_if_exists("{$g['tmp_path']}/config.cache");

	copy($conffile, "{$g['cf_conf_path']}/config.xml");

	disable_security_checks();

	unlock($lockkey);

	$config = parse_config(true);

	write_config(sprintf(gettext("Reverted to %s."), array_pop(explode("/", $conffile))), false);

	return 0;

}

function config_install($conffile) {

	global $config, $g;

	if (!file_exists($conffile)) {

		return 1;

	}

	if (!config_validate("{$conffile}")) {

		return 1;

	}

	if (platform_booting()) {

		echo gettext("Installing configuration...") . "\n";

	} else {

		log_error(gettext("Installing configuration ...."));

	}

	$lockkey = lock('config', LOCK_EX);

	copy($conffile, "{$g['conf_path']}/config.xml");

	disable_security_checks();

	/* unlink cache file if it exists */

	if (file_exists("{$g['tmp_path']}/config.cache")) {

		unlink("{$g['tmp_path']}/config.cache");

	}

	unlock($lockkey);

	return 0;

}

/*

 * Disable security checks for DNS rebind and HTTP referrer until next time

 * they pass (or reboot), to aid in preventing accidental lockout when

 * restoring settings like hostname, domain, IP addresses, and settings

 * related to the DNS rebind and HTTP referrer checks.

 * Intended for use when restoring a configuration or directly

 * modifying config.xml without an unconditional reboot.

 */

function disable_security_checks() {

	global $g;

	touch("{$g['tmp_path']}/disable_security_checks");

}

/* Restores security checks.  Should be called after all succeed. */

function restore_security_checks() {

	global $g;

	unlink_if_exists("{$g['tmp_path']}/disable_security_checks");

}

/* Returns status of security check temporary disable. */

function security_checks_disabled() {

	global $g;

	return file_exists("{$g['tmp_path']}/disable_security_checks");

}

function config_validate($conffile) {

	global $g, $xmlerr;

	$xml_parser = xml_parser_create();

	if (!($fp = fopen($conffile, "r"))) {

		$xmlerr = gettext("XML error: unable to open file");

		return false;

	}

	while ($data = fread($fp, 4096)) {

		if (!xml_parse($xml_parser, $data, feof($fp))) {

			$xmlerr = sprintf(gettext('%1$s at line %2$d'),

						xml_error_string(xml_get_error_code($xml_parser)),

						xml_get_current_line_number($xml_parser));

			return false;

		}

	}

	xml_parser_free($xml_parser);

	fclose($fp);

	return true;

}

function cleanup_backupcache($lock = false) {

	global $config, $g;

	$i = false;

	$revisions = intval(is_numericint($config['system']['backupcount']) ? $config['system']['backupcount'] : $g['default_config_backup_count']);

	if (!$lock) {

		$lockkey = lock('config');

	}

	$backups = get_backups();

	if ($backups) {

		$baktimes = $backups['versions'];

		unset($backups['versions']);

	} else {

		$backups = array();

		$baktimes = array();

	}

	$newbaks = array();

	$bakfiles = glob($g['cf_conf_path'] . "/backup/config-*");

	$tocache = array();

	foreach ($bakfiles as $backup) { // Check for backups in the directory not represented in the cache.

		$backupsize = filesize($backup);

		if ($backupsize == 0) {

			unlink($backup);

			continue;

		}

		$backupexp = explode('-', $backup);

		$backupexp = explode('.', array_pop($backupexp));

		$tocheck = array_shift($backupexp);

		unset($backupexp);

		if (!in_array($tocheck, $baktimes)) {

			$i = true;

			if (platform_booting()) {

				echo ".";

			}

			try {

				$newxml = parse_xml_config($backup, array($g['xml_rootobj'], 'pfsense'));

			} catch (Exception $exc) {

				log_error(sprintf(gettext("The backup cache file %s is corrupted. Parser error message: %s"), $backup, $exc->getMessage()));

				$newxml = "-1";

			}

			if ($newxml == "-1") {

				log_error(sprintf(gettext("The backup cache file %s is corrupted.  Unlinking."), $backup));

				unlink($backup);

				continue;

			}

			if ($newxml['revision']['description'] == "") {

				$newxml['revision']['description'] = "Unknown";

			}

			if ($newxml['version'] == "") {

				$newxml['version'] = "?";

			}

			$tocache[$tocheck] = array('description' => $newxml['revision']['description'], 'version' => $newxml['version'], 'filesize' => $backupsize);

		}

	}

	foreach ($backups as $checkbak) {

		if (count(preg_grep('/' . $checkbak['time'] . '/i', $bakfiles)) != 0) {

			$newbaks[] = $checkbak;

		} else {

			$i = true;

			if (platform_booting()) print " " . $tocheck . "r";

		}

	}

	foreach ($newbaks as $todo) {

		$tocache[$todo['time']] = array('description' => $todo['description'], 'version' => $todo['version'], 'filesize' => $todo['filesize']);

	}

	if (is_int($revisions) and (count($tocache) > $revisions)) {

		$toslice = array_slice(array_keys($tocache), 0, $revisions);

		$newcache = array();

		foreach ($toslice as $sliced) {

			$newcache[$sliced] = $tocache[$sliced];

		}

		foreach ($tocache as $version => $versioninfo) {

			if (!in_array($version, array_keys($newcache))) {

				unlink_if_exists($g['conf_path'] . '/backup/config-' . $version . '.xml');

			}

		}

		$tocache = $newcache;

	}

	$bakout = fopen($g['cf_conf_path'] . '/backup/backup.cache', "w");

	fwrite($bakout, serialize($tocache));

	fclose($bakout);

	pfSense_fsync("{$g['cf_conf_path']}/backup/backup.cache");

	if (!$lock) {

		unlock($lockkey);

	}

}

function get_backups() {

	global $g;

	if (file_exists("{$g['cf_conf_path']}/backup/backup.cache")) {

		$confvers = unserialize(file_get_contents("{$g['cf_conf_path']}/backup/backup.cache"));

		$bakvers = array_keys($confvers);

		$toreturn = array();

		sort($bakvers);

		// 	$bakvers = array_reverse($bakvers);

		foreach (array_reverse($bakvers) as $bakver) {

			$toreturn[] = array('time' => $bakver, 'description' => $confvers[$bakver]['description'], 'version' => $confvers[$bakver]['version'], 'filesize' => $confvers[$bakver]['filesize']);

		}

	} else {

		return false;

	}

	$toreturn['versions'] = $bakvers;

	return $toreturn;

}

function backup_config() {

	global $config, $g;

	/* Create backup directory if needed */

	safe_mkdir("{$g['cf_conf_path']}/backup");

	if ($config['revision']['time'] == "") {

		$baktime = 0;

	} else {

		$baktime = $config['revision']['time'];

	}

	if ($config['revision']['description'] == "") {

		$bakdesc = "Unknown";

	} else {

		$bakdesc = $config['revision']['description'];

	}

	$bakver = ($config['version'] == "") ? "?" : $config['version'];

	$bakfilename = $g['cf_conf_path'] . '/backup/config-' . $baktime . '.xml';

	copy($g['cf_conf_path'] . '/config.xml', $bakfilename);

	if (file_exists($g['cf_conf_path'] . '/backup/backup.cache')) {