pfSense

<?php

/*

 * config.lib.inc

 *

 * part of pfSense (https://www.pfsense.org)

 * Copyright (c) 2004-2016 Electric Sheep Fencing, LLC

 * Copyright (c) 2009 Erik Kristensen

 * All rights reserved.

 *

 * originally part of m0n0wall (http://m0n0.ch/wall)

 * Copyright (c) 2003-2004 Manuel Kasper <mk@neon1.net>.

 * All rights reserved.

 *

 * Redistribution and use in source and binary forms, with or without

 * modification, are permitted provided that the following conditions are met:

 *

 * 1. Redistributions of source code must retain the above copyright notice,

 *    this list of conditions and the following disclaimer.

 *

 * 2. Redistributions in binary form must reproduce the above copyright

 *    notice, this list of conditions and the following disclaimer in

 *    the documentation and/or other materials provided with the

 *    distribution.

 *

 * 3. All advertising materials mentioning features or use of this software

 *    must display the following acknowledgment:

 *    "This product includes software developed by the pfSense Project

 *    for use in the pfSense® software distribution. (http://www.pfsense.org/).

 *

 * 4. The names "pfSense" and "pfSense Project" must not be used to

 *    endorse or promote products derived from this software without

 *    prior written permission. For written permission, please contact

 *    coreteam@pfsense.org.

 *

 * 5. Products derived from this software may not be called "pfSense"

 *    nor may "pfSense" appear in their names without prior written

 *    permission of the Electric Sheep Fencing, LLC.

 *

 * 6. Redistributions of any form whatsoever must retain the following

 *    acknowledgment:

 *

 * "This product includes software developed by the pfSense Project

 * for use in the pfSense software distribution (http://www.pfsense.org/).

 *

 * THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY

 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR

 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

 * OF THE POSSIBILITY OF SUCH DAMAGE.

 */

/****f* config/encrypted_configxml

 * NAME

 *   encrypted_configxml - Checks to see if config.xml is encrypted and if so, prompts to unlock.

 * INPUTS

 *   None

 * RESULT

 *   $config 	- rewrites config.xml without encryption

 ******/

function encrypted_configxml() {

	global $g, $config;

	if (!file_exists($g['conf_path'] . "/config.xml")) {

		return;

	}

	if (!platform_booting()) {

		return;

	}

	$configtxt = file_get_contents($g['conf_path'] . "/config.xml");

	if (tagfile_deformat($configtxt, $configtxt, "config.xml")) {

		$fp = fopen('php://stdin', 'r');

		$data = "";

		echo "\n\n*** Encrypted config.xml detected ***\n";

		while ($data == "") {

			echo "\nEnter the password to decrypt config.xml: ";

			$decrypt_password = chop(fgets($fp));

			$data = decrypt_data($configtxt, $decrypt_password);

			if (!strstr($data, "<pfsense>")) {

				$data = "";

			}

			if ($data) {

				$fd = fopen($g['conf_path'] . "/config.xml.tmp", "w");

				fwrite($fd, $data);

				fclose($fd);

				exec("/bin/mv {$g['conf_path']}/config.xml.tmp {$g['conf_path']}/config.xml");

				echo "\n" . gettext("Config.xml unlocked.") . "\n";

				fclose($fp);

				pfSense_fsync("{$g['conf_path']}/config.xml");

			} else {

				echo "\n" . gettext("Invalid password entered.  Please try again.") . "\n";

			}

		}

	}

}

/****f* config/parse_config

 * NAME

 *   parse_config - Read in config.cache or config.xml if needed and return $config array

 * INPUTS

 *   $parse       - boolean to force parse_config() to read config.xml and generate config.cache

 * RESULT

 *   $config      - array containing all configuration variables

 ******/

function parse_config($parse = false) {

	global $g, $config_parsed, $config_extra;

	$lockkey = lock('config');

	$config_parsed = false;

	if (!file_exists("{$g['conf_path']}/config.xml") || filesize("{$g['conf_path']}/config.xml") == 0) {

		$last_backup = discover_last_backup();

		if ($last_backup) {

			log_error(gettext("No config.xml found, attempting last known config restore."));

			file_notice("config.xml", gettext("No config.xml found, attempting last known config restore."), "pfSenseConfigurator", "");

			restore_backup("{$g['conf_path']}/backup/{$last_backup}");

		} else {

			unlock($lockkey);

			die(gettext("Config.xml is corrupted and is 0 bytes.  Could not restore a previous backup."));

		}

	}

	if (platform_booting(true)) {

		echo ".";

	}

	// Check for encrypted config.xml

	encrypted_configxml();

	if (!$parse) {

		if (file_exists($g['tmp_path'] . '/config.cache')) {

			$config = unserialize(file_get_contents($g['tmp_path'] . '/config.cache'));

			if (!is_array($config)) {

				$parse = true;

			}

		} else {

			$parse = true;

		}

	}

	if ($parse == true) {

		if (!file_exists($g['conf_path'] . "/config.xml")) {

			if (platform_booting(true)) {

				echo ".";

			}

			log_error("No config.xml found, attempting last known config restore.");

			file_notice("config.xml", "No config.xml found, attempting last known config restore.", "pfSenseConfigurator", "");

			$last_backup = discover_last_backup();

			if ($last_backup) {

				restore_backup("/cf/conf/backup/{$last_backup}");

			} else {

				log_error(gettext("Could not restore config.xml."));

				unlock($lockkey);

				die(gettext("Config.xml is corrupted and is 0 bytes.  Could not restore a previous backup."));

			}

		}

		$config = parse_xml_config($g['conf_path'] . '/config.xml', array($g['xml_rootobj'], 'pfsense'));

		if ($config == -1) {

			$last_backup = discover_last_backup();

			if ($last_backup) {

				restore_backup("/cf/conf/backup/{$last_backup}");

			} else {

				log_error(gettext("Could not restore config.xml."));

				unlock($lockkey);

				die("Config.xml is corrupted and is 0 bytes.  Could not restore a previous backup.");

			}

		}

		generate_config_cache($config);

	}

	if (platform_booting(true)) {

		echo ".";

	}

	$config_parsed = true;

	unlock($lockkey);

	alias_make_table($config);

	return $config;

}

/****f* config/generate_config_cache

 * NAME

 *   generate_config_cache - Write serialized configuration to cache.

 * INPUTS

 *   $config	- array containing current firewall configuration

 * RESULT

 *   boolean	- true on completion

 ******/

function generate_config_cache($config) {

	global $g, $config_extra;

	$configcache = fopen($g['tmp_path'] . '/config.cache', "w");

	fwrite($configcache, serialize($config));

	fclose($configcache);

	pfSense_fsync("{$g['tmp_path']}/config.cache");

	unset($configcache);

	/* Used for config.extra.xml */

	if (file_exists($g['tmp_path'] . '/config.extra.cache') && $config_extra) {

		$configcacheextra = fopen($g['tmp_path'] . '/config.extra.cache', "w");

		fwrite($configcacheextra, serialize($config_extra));

		fclose($configcacheextra);

		pfSense_fsync("{$g['tmp_path']}/config.extra.cache");

		unset($configcacheextra);

	}

}

function discover_last_backup() {

	$backups = glob('/cf/conf/backup/*.xml');

	$last_backup = "";

	$last_mtime = 0;

	foreach ($backups as $backup) {

		if (filemtime($backup) > $last_mtime) {

			$last_mtime = filemtime($backup);

			$last_backup = $backup;

		}

	}

	return basename($last_backup);

}

function restore_backup($file) {

	global $g;

	if (file_exists($file)) {

		conf_mount_rw();

		unlink_if_exists("{$g['tmp_path']}/config.cache");

		copy("$file", "/cf/conf/config.xml");

		pfSense_fsync("/cf/conf/config.xml");

		pfSense_fsync($g['conf_path']);

		disable_security_checks();

		log_error(sprintf(gettext('%1$s is restoring the configuration %2$s'), $g['product_name'], $file));

		file_notice("config.xml", sprintf(gettext('%1$s is restoring the configuration %2$s'), $g['product_name'], $file), "pfSenseConfigurator", "");

		conf_mount_ro();

	}

}

/****f* config/parse_config_bootup

 * NAME

 *   parse_config_bootup - Bootup-specific configuration checks.

 * RESULT

 *   null

 ******/

function parse_config_bootup() {

	global $config, $g;

	if (platform_booting()) {

		echo ".";

	}

	$lockkey = lock('config');

	if (!file_exists("{$g['conf_path']}/config.xml")) {

		if (platform_booting()) {

			if (strstr($g['platform'], "cdrom")) {

				/* try copying the default config. to the floppy */

				echo gettext("Resetting factory defaults...") . "\n";

				reset_factory_defaults(true, false);

				if (!file_exists("{$g['conf_path']}/config.xml")) {

					echo gettext("No XML configuration file found - using factory defaults.\n" .

								 "Make sure that the configuration floppy disk with the conf/config.xml\n" .

								 "file is inserted. If it isn't, the configuration changes will be lost\n" .

								 "on reboot.\n");

				}

			} else {

				$last_backup = discover_last_backup();

				if ($last_backup) {

					log_error("No config.xml found, attempting last known config restore.");

					file_notice("config.xml", gettext("No config.xml found, attempting last known config restore."), "pfSenseConfigurator", "");

					restore_backup("/cf/conf/backup/{$last_backup}");

				}

				if (!file_exists("{$g['conf_path']}/config.xml")) {

					echo sprintf(gettext("XML configuration file not found.  %s cannot continue booting."), $g['product_name']) . "\n";

					unlock($lockkey);

					mwexec("/sbin/halt");

					exit;

				}

				log_error("Last known config found and restored.  Please double check the configuration file for accuracy.");

				file_notice("config.xml", gettext("Last known config found and restored.  Please double check the configuration file for accuracy."), "pfSenseConfigurator", "");

			}

		} else {

			unlock($lockkey);

			log_error(gettext("Could not find a usable configuration file! Exiting...."));

			exit(0);

		}

	}

	if (filesize("{$g['conf_path']}/config.xml") == 0) {

		$last_backup = discover_last_backup();

		if ($last_backup) {

			log_error(gettext("No config.xml found, attempting last known config restore."));

			file_notice("config.xml", gettext("No config.xml found, attempting last known config restore."), "pfSenseConfigurator", "");

			restore_backup("{$g['conf_path']}/backup/{$last_backup}");

		} else {

			unlock($lockkey);

			die(gettext("Config.xml is corrupted and is 0 bytes.  Could not restore a previous backup."));

		}

	}

	unlock($lockkey);

	$config = parse_config(true);

	if ((float)$config['version'] > (float)$g['latest_config']) {

		echo <<<EOD

*******************************************************************************

* WARNING!                                                                    *

* The current configuration has been created with a newer version of {$g['product_name']}  *

* than this one! This can lead to serious misbehavior and even security       *

* holes! You are urged to either upgrade to a newer version of {$g['product_name']} or     *

* revert to the default configuration immediately!                            *

*******************************************************************************

EOD;

		}

	/* make alias table (for faster lookups) */

	alias_make_table($config);

}

/****f* config/conf_mount_rw

 * NAME

 *   conf_mount_rw - Mount filesystems read/write.

 * RESULT

 *   null

 ******/

/* mount flash card read/write */

function conf_mount_rw() {

	global $g, $config;

	/* do not mount on cdrom platform */

	if ($g['platform'] == "cdrom" or $g['platform'] == $g['product_name']) {

		return;

	}

	if ((refcount_reference(1000) > 1) && is_writable("/")) {

		return;

	}

	$status = mwexec("/sbin/mount -u -w -o sync,noatime {$g['cf_path']}");

	if ($status <> 0) {

		if (platform_booting()) {

			echo gettext("/cf Filesystem is dirty.") . "\n";

		}

		$status = mwexec("/sbin/mount -u -w -o sync,noatime {$g['cf_path']}");

	}

	/*    if the platform is soekris or wrap or $product, lets mount the

	 *    compact flash cards root.

	*/

	$status = mwexec("/sbin/mount -u -w -o sync,noatime /");

	/* we could not mount this correctly. */

	if ($status <> 0) {

		log_error(gettext("/ File system is dirty."));

		$status = mwexec("/sbin/mount -u -w -o sync,noatime /");

	}

	mark_subsystem_dirty('mount');

}

/****f* config/conf_mount_ro

 * NAME

 *   conf_mount_ro - Mount filesystems readonly.

 * RESULT

 *   null

 ******/

function conf_mount_ro() {

	global $g, $config;

	// do nothing here. redmine #6184

	return;

	/* Do not trust $g['platform'] since this can be clobbered during factory reset. */

	$platform = trim(file_get_contents("/etc/platform"));

	/* do not umount on cdrom or pfSense platforms */

	if ($platform == "cdrom" or $platform == $g['product_name']) {

		return;

	}

	if (refcount_unreference(1000) > 0) {

		return;

	}

	if (isset($config['system']['nanobsd_force_rw'])) {

		return;

	}

	if (platform_booting()) {

		return;

	}

	clear_subsystem_dirty('mount');

	/* sync data, then force a remount of /cf */

	pfSense_fsync($g['cf_path']);

	mwexec("/sbin/mount -u -r -f -o sync,noatime {$g['cf_path']}");

	mwexec("/sbin/mount -u -r -f -o sync,noatime /");

}

/****f* config/convert_config

 * NAME

 *   convert_config - Attempt to update config.xml.

 * DESCRIPTION

 *   convert_config() reads the current global configuration

 *   and attempts to convert it to conform to the latest

 *   config.xml version. This allows major formatting changes

 *   to be made with a minimum of breakage.

 * RESULT

 *   null

 ******/

/* convert configuration, if necessary */

function convert_config() {

	global $config, $g;

	$now = date("H:i:s");

	log_error(sprintf(gettext("Start Configuration upgrade at %s, set execution timeout to 15 minutes"), $now));

	//ini_set("max_execution_time", "900");

	/* special case upgrades */

	/* fix every minute crontab bogons entry */

	if (is_array($config['cron'])) {

		$cron_item_count = count($config['cron']['item']);

		for ($x = 0; $x < $cron_item_count; $x++) {

			if (stristr($config['cron']['item'][$x]['command'], "rc.update_bogons.sh")) {

				if ($config['cron']['item'][$x]['hour'] == "*") {

					$config['cron']['item'][$x]['hour'] = "3";

					write_config(gettext("Updated bogon update frequency to 3am"));

					log_error(gettext("Updated bogon update frequency to 3am"));

				}

			}

		}

	}

	if ($config['version'] == $g['latest_config']) {

		return;		/* already at latest version */

	}

	// Save off config version

	$prev_version = $config['version'];

	include_once('auth.inc');

	include_once('upgrade_config.inc');

	if (file_exists("/etc/inc/upgrade_config_custom.inc")) {

		include_once("upgrade_config_custom.inc");

	}

	/* Loop and run upgrade_VER_to_VER() until we're at current version */

	while ($config['version'] < $g['latest_config']) {

		$cur = $config['version'] * 10;

		$next = $cur + 1;

		$migration_function = sprintf('upgrade_%03d_to_%03d', $cur, $next);

		if (function_exists($migration_function)) {

			$migration_function();

		}

		$migration_function = "{$migration_function}_custom";

		if (function_exists($migration_function)) {

			$migration_function();

		}

		$config['version'] = sprintf('%.1f', $next / 10);

		if (platform_booting()) {

			echo ".";

		}

	}

	$now = date("H:i:s");

	log_error(sprintf(gettext("Ended Configuration upgrade at %s"), $now));

	if ($prev_version != $config['version']) {

		write_config(sprintf(gettext('Upgraded config version level from %1$s to %2$s'), $prev_version, $config['version']));

	}

}

/****f* config/safe_write_file

 * NAME

 *   safe_write_file - Write a file out atomically

 * DESCRIPTION

 *   safe_write_file() Writes a file out atomically by first writing to a

 *   temporary file of the same name but ending with the pid of the current

 *   process, them renaming the temporary file over the original.

 * INPUTS

 *   $filename  - string containing the filename of the file to write

 *   $content   - string containing the file content to write to file

 *   $force_binary      - boolean denoting whether we should force binary

 *   mode writing.

 * RESULT

 *   boolean - true if successful, false if not

 ******/

function safe_write_file($file, $content, $force_binary) {

	$tmp_file = $file . "." . getmypid();

	$write_mode = $force_binary ? "wb" : "w";

	$fd = fopen($tmp_file, $write_mode);

	if (!$fd) {

		// Unable to open temporary file for writing

		return false;

	}

	if (!fwrite($fd, $content)) {

		// Unable to write to temporary file

		fclose($fd);

		return false;

	}

	fflush($fd);

	fclose($fd);

	if (!pfSense_fsync($tmp_file) || !rename($tmp_file, $file)) {

		// Unable to move temporary file to original

		@unlink($tmp_file);

		return false;

	}

	// Sync file before returning

	return pfSense_fsync($file);

}

/****f* config/write_config

 * NAME

 *   write_config - Backup and write the firewall configuration.

 * DESCRIPTION

 *   write_config() handles backing up the current configuration,

 *   applying changes, and regenerating the configuration cache.

 * INPUTS

 *   $desc	- string containing the a description of configuration changes

 *   $backup	- boolean: do not back up current configuration if false.

 *   $write_config_only	- boolean: do not sync or reload anything; just save the configuration if true.

 * RESULT

 *   null

 ******/

/* save the system configuration */

function write_config($desc="Unknown", $backup = true, $write_config_only = false) {

	global $config, $g;

	if (!empty($_SERVER['REMOTE_ADDR'])) {

		if (!session_id()) {

			@session_start();

		}

		if (!empty($_SESSION['Username']) && ($_SESSION['Username'] != "admin")) {

			$user = getUserEntry($_SESSION['Username']);

			if (is_array($user) && userHasPrivilege($user, "user-config-readonly")) {

				session_commit();

				return false;

			}

		}

	}

	if (!isset($argc)) {

		session_commit();

	}

	if ($backup) {

		backup_config();

	}

	$config['revision'] = make_config_revision_entry($desc);

	conf_mount_rw();

	$lockkey = lock('config', LOCK_EX);

	/* generate configuration XML */

	$xmlconfig = dump_xml_config($config, $g['xml_rootobj']);

	/* write new configuration */

	if (!safe_write_file("{$g['cf_conf_path']}/config.xml", $xmlconfig, false)) {

		log_error(gettext("WARNING: Config contents could not be saved. Could not open file!"));

		unlock($lockkey);

		file_notice("config.xml", sprintf(gettext("Unable to open %s/config.xml for writing in write_config()%s"), $g['cf_conf_path'], "\n"));

		return -1;

	}

	cleanup_backupcache(true);

	/* re-read configuration */

	/* NOTE: We assume that the file can be parsed since we wrote it. */

	$config = parse_xml_config("{$g['conf_path']}/config.xml", $g['xml_rootobj']);

	if ($config == -1) {

		copy("{$g['conf_path']}/config.xml", "{$g['conf_path']}/config.xml.bad");

		$last_backup = discover_last_backup();

		if ($last_backup) {

			restore_backup("/cf/conf/backup/{$last_backup}");

			$config = parse_xml_config("{$g['conf_path']}/config.xml", $g['xml_rootobj']);

			if (platform_booting()) {

				echo "\n\n ************** WARNING **************";

				echo "\n\n Configuration could not be validated. A previous configuration was restored. \n";

				echo "\n The failed configuration file has been saved as {$g['conf_path']}/config.xml.bad \n\n";

			}

		} else {

			log_error(gettext("Could not restore config.xml."));

		}

	} else {

		generate_config_cache($config);

	}

	unlock($lockkey);

	if ($write_config_only) {

		/* tell kernel to sync fs data */

		conf_mount_ro();

		return $config;

	}

	unlink_if_exists("/usr/local/pkg/pf/carp_sync_client.php");

	/* tell kernel to sync fs data */

	conf_mount_ro();

	/* sync carp entries to other firewalls */

	carp_sync_client();

	if (is_dir("/usr/local/pkg/write_config")) {

		/* process packager manager custom rules */

		run_plugins("/usr/local/pkg/write_config/");

	}

	return $config;

}

/****f* config/reset_factory_defaults

 * NAME

 *   reset_factory_defaults - Reset the system to its default configuration.

 * RESULT

 *   integer	- indicates completion

 ******/

function reset_factory_defaults($lock = false, $reboot_required = true) {

	global $g;

	conf_mount_rw();

	/* Remove all additional packages */

	mwexec("/bin/sh /usr/local/sbin/{$g['product_name']}-upgrade " .

	    "-r ALL_PACKAGES");

	if (!$lock) {

		$lockkey = lock('config', LOCK_EX);

	}

	/* create conf directory, if necessary */

	safe_mkdir($g['cf_conf_path']);

	/* clear out /conf */

	$dh = opendir($g['conf_path']);

	while ($filename = readdir($dh)) {

		if (($filename != ".") && ($filename != "..") &&

		    (!is_dir($g['conf_path'] . "/" . $filename))) {

			unlink_if_exists($g['conf_path'] . "/" . $filename);

		}

	}

	closedir($dh);

	unlink_if_exists($g['tmp_path'] . "/config.cache");

	/* copy default configuration */

	copy("{$g['conf_default_path']}/config.xml",

	    "{$g['cf_conf_path']}/config.xml");

	disable_security_checks();

	/* call the wizard */

	if ($reboot_required) {

		// If we need a reboot first then touch a different trigger file.

		touch("/conf/trigger_initial_wizard_after_reboot");

	} else {

		touch("/conf/trigger_initial_wizard");

	}

	if (!$lock) {

		unlock($lockkey);

	}

	conf_mount_ro();

	setup_serial_port();

	return 0;

}

function config_restore($conffile) {

	global $config, $g;

	if (!file_exists($conffile)) {

		return 1;

	}

	backup_config();

	conf_mount_rw();

	$lockkey = lock('config', LOCK_EX);

	unlink_if_exists("{$g['tmp_path']}/config.cache");

	copy($conffile, "{$g['cf_conf_path']}/config.xml");

	disable_security_checks();

	unlock($lockkey);

	$config = parse_config(true);

	conf_mount_ro();

	write_config(sprintf(gettext("Reverted to %s."), array_pop(explode("/", $conffile))), false);

	return 0;

}

function config_install($conffile) {

	global $config, $g;

	if (!file_exists($conffile)) {

		return 1;

	}

	if (!config_validate("{$conffile}")) {

		return 1;

	}

	if (platform_booting()) {

		echo gettext("Installing configuration...") . "\n";

	} else {

		log_error(gettext("Installing configuration ...."));

	}

	conf_mount_rw();

	$lockkey = lock('config', LOCK_EX);

	copy($conffile, "{$g['conf_path']}/config.xml");

	disable_security_checks();

	/* unlink cache file if it exists */

	if (file_exists("{$g['tmp_path']}/config.cache")) {

		unlink("{$g['tmp_path']}/config.cache");

	}

	unlock($lockkey);

	conf_mount_ro();

	return 0;

}

/*

 * Disable security checks for DNS rebind and HTTP referrer until next time

 * they pass (or reboot), to aid in preventing accidental lockout when

 * restoring settings like hostname, domain, IP addresses, and settings

 * related to the DNS rebind and HTTP referrer checks.

 * Intended for use when restoring a configuration or directly

 * modifying config.xml without an unconditional reboot.

 */

function disable_security_checks() {

	global $g;

	touch("{$g['tmp_path']}/disable_security_checks");

}

/* Restores security checks.  Should be called after all succeed. */

function restore_security_checks() {

	global $g;

	unlink_if_exists("{$g['tmp_path']}/disable_security_checks");

}

/* Returns status of security check temporary disable. */

function security_checks_disabled() {

	global $g;

	return file_exists("{$g['tmp_path']}/disable_security_checks");

}

function config_validate($conffile) {

	global $g, $xmlerr;

	$xml_parser = xml_parser_create();

	if (!($fp = fopen($conffile, "r"))) {

		$xmlerr = gettext("XML error: unable to open file");

		return false;

	}

	while ($data = fread($fp, 4096)) {

		if (!xml_parse($xml_parser, $data, feof($fp))) {

			$xmlerr = sprintf(gettext('%1$s at line %2$d'),

						xml_error_string(xml_get_error_code($xml_parser)),

						xml_get_current_line_number($xml_parser));

			return false;

		}

	}

	xml_parser_free($xml_parser);

	fclose($fp);

	return true;

}

function cleanup_backupcache($lock = false) {

	global $config, $g;

	$i = false;

	$revisions = intval(is_numericint($config['system']['backupcount']) ? $config['system']['backupcount'] : $g['default_config_backup_count']);

	if (!$lock) {

		$lockkey = lock('config');

	}

	conf_mount_rw();

	$backups = get_backups();

	if ($backups) {

		$baktimes = $backups['versions'];

		unset($backups['versions']);

	} else {

		$backups = array();

		$baktimes = array();

	}

	$newbaks = array();

	$bakfiles = glob($g['cf_conf_path'] . "/backup/config-*");

	$tocache = array();

	foreach ($bakfiles as $backup) { // Check for backups in the directory not represented in the cache.

		$backupsize = filesize($backup);

		if ($backupsize == 0) {

			unlink($backup);

			continue;

		}

		$backupexp = explode('-', $backup);

		$backupexp = explode('.', array_pop($backupexp));

		$tocheck = array_shift($backupexp);

		unset($backupexp);

		if (!in_array($tocheck, $baktimes)) {

			$i = true;

			if (platform_booting()) {

				echo ".";

			}

			$newxml = parse_xml_config($backup, array($g['xml_rootobj'], 'pfsense'));

			if ($newxml == "-1") {

				log_error(sprintf(gettext("The backup cache file %s is corrupted.  Unlinking."), $backup));

				unlink($backup);

				log_error(sprintf(gettext("The backup cache file %s is corrupted.  Unlinking."), $backup));

				continue;

			}

			if ($newxml['revision']['description'] == "") {

				$newxml['revision']['description'] = "Unknown";

			}

			if ($newxml['version'] == "") {

				$newxml['version'] = "?";

			}

			$tocache[$tocheck] = array('description' => $newxml['revision']['description'], 'version' => $newxml['version'], 'filesize' => $backupsize);

		}

	}

	foreach ($backups as $checkbak) {

		if (count(preg_grep('/' . $checkbak['time'] . '/i', $bakfiles)) != 0) {

			$newbaks[] = $checkbak;

		} else {

			$i = true;

			if (platform_booting()) print " " . $tocheck . "r";

		}

	}

	foreach ($newbaks as $todo) {

		$tocache[$todo['time']] = array('description' => $todo['description'], 'version' => $todo['version'], 'filesize' => $todo['filesize']);

	}

	if (is_int($revisions) and (count($tocache) > $revisions)) {

		$toslice = array_slice(array_keys($tocache), 0, $revisions);

		foreach ($toslice as $sliced) {

			$newcache[$sliced] = $tocache[$sliced];

		}

		foreach ($tocache as $version => $versioninfo) {

			if (!in_array($version, array_keys($newcache))) {

				unlink_if_exists($g['conf_path'] . '/backup/config-' . $version . '.xml');

			}

		}

		$tocache = $newcache;

	}

	$bakout = fopen($g['cf_conf_path'] . '/backup/backup.cache', "w");

	fwrite($bakout, serialize($tocache));

	fclose($bakout);

	pfSense_fsync("{$g['cf_conf_path']}/backup/backup.cache");

	conf_mount_ro();

	if (!$lock) {

		unlock($lockkey);

	}

}