<?php
2
/*
3
 * globals.inc
4
 *
5
 * part of pfSense (https://www.pfsense.org)
6
 * Copyright (c) 2004-2013 BSD Perimeter
7
 * Copyright (c) 2013-2016 Electric Sheep Fencing
8
 * Copyright (c) 2014-2025 Rubicon Communications, LLC (Netgate)
9
 * All rights reserved.
10
 *
11
 * Licensed under the Apache License, Version 2.0 (the "License");
12
 * you may not use this file except in compliance with the License.
13
 * You may obtain a copy of the License at
14
 *
15
 * http://www.apache.org/licenses/LICENSE-2.0
16
 *
17
 * Unless required by applicable law or agreed to in writing, software
18
 * distributed under the License is distributed on an "AS IS" BASIS,
19
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20
 * See the License for the specific language governing permissions and
21
 * limitations under the License.
22
 */
23

    
24
// Global defines

// Automatic panel collapse
define('COLLAPSIBLE', 0x08);
define('SEC_CLOSED', 0x04);
define('SEC_OPEN', 0x00);

// IP address types
define('IPV4', 4);
define('IPV6', 6);
define('IPV4V6', 2);
define('ALIAS', 1);

// Interface name size: 16 minus the terminating NUL byte
define('IF_NAMESIZE', 15);

// AddPassword method defines
// NOTE(review): presumably the mask shown in forms in place of a stored secret;
// a real password equal to this literal could not be told apart from "unchanged".
// Confirm how the consumers handle that case.
define('DMYPWD', '********');

// Captive Portal aliases prefix
define('CPPREFIX', 'cpzoneid_');
45

    
46
// The patch-level file is the version file path with 'patch' appended.
$version_file = '/etc/version';
$version_patch_file = "{$version_file}patch";

// NOTE(review): the read is unchecked; if the version file cannot be read the
// product version ends up empty. Confirm that consumers tolerate an empty version.
$product_version = rtrim(file_get_contents($version_file));
$present_year = date('Y');
51

    
52
// System-wide settings table; read through g_get()/g_has() and changed through g_set()/g_unset().
global $g;
$g = [
	'acbbackuppath' => '/cf/conf/acb/',
	'event_address' => 'unix:///var/run/check_reload_status',
	// Factory-shipped credentials. They are visible to anyone who can read this file,
	// so an installation that still accepts them after initial setup has no effective
	// admin password. NOTE(review): presumably used to detect an unchanged default;
	// confirm at the callers.
	'factory_shipped_username' => 'admin',
	'factory_shipped_password' => 'pfsense',
	// Filesystem layout
	'upload_path' => '/root',
	'dhcpd_chroot_path' => '/var/dhcpd',
	'unbound_chroot_path' => '/var/unbound',
	'var_path' => '/var',
	'varrun_path' => '/var/run',
	'varetc_path' => '/var/etc',
	'vardb_path' => '/var/db',
	'varlog_path' => '/var/log',
	'etc_path' => '/etc',
	'tmp_path' => '/tmp',
	// NOTE(review): the name suggests code is staged under /tmp; confirm the
	// directory's ownership and mode where it is created.
	'tmp_path_user_code' => '/tmp/user_code',
	'conf_path' => '/conf',
	'conf_default_path' => '/conf.default',
	'cf_path' => '/cf',
	'cf_conf_path' => '/cf/conf',
	'www_path' => '/usr/local/www',
	// Product identity
	'xml_rootobj' => 'pfsense',
	'admin_group' => 'admins',
	'product_name' => 'pfSense',
	'product_label' => 'pfSense',
	// Contains markup; intended for HTML output only.
	'product_label_html' => 'Netgate pfSense<sup>&#174;</sup>',
	'product_version' => $product_version,
	'product_copyright_years' => "2004 - {$present_year}",
	// Feature switches
	'disablehelpmenu' => false,
	'disablehelpicon' => false,
	'disablecrashreporter' => false,
	'debug' => false,
	'latest_config' => '23.9',
	'minimum_ram_warning' => '101',
	'minimum_ram_warning_text' => '128 MB',
	'wan_interface_name' => 'wan',
	// Captive portal
	'captiveportal_path' => '/usr/local/captiveportal',
	'captiveportal_element_path' => '/var/db/cpelements',
	'captiveportal_element_sizelimit' => 1048576,
	'captiveportal_rules_interval' => 50,
	'services_dhcp_server_enable' => true,
	// Anchored at the start only: a driver name followed by at least one digit.
	'wireless_regex' => '/^(ath|athp|bwi|bwn|ipw|iwi|iwlwifi|iwm|iwn|malo|mwl|ral|rsu|rtwn|rum|run|uath|upgt|ural|urtw|urtwn|wi|wpi|wtap|zyd)[0-9]+/',
	'help_base_url' => '/help.php',
	'pkg_prefix' => 'pfSense-pkg-',
	// Defaults
	'default_timezone' => 'Etc/UTC',
	'language' => 'en_US',
	'default_config_backup_count' => 30,
	'default_cert_expiredays' => 27,
	'default_log_entries' => 500,
	'default_log_size' => 512000,
	'minimumtableentries_bogonsv6' => 400000,
	'alternativemetaports' => ['vmware', 'php72', 'php73', 'php74'],
	// Glob / brace patterns, not literal file names.
	'backuppath' => [
		'captiveportal' => '/var/db/captiveportal*.db',
		'dhcpd' => '{/var/dhcpd/var/db/dhcpd.leases,/var/lib/kea/dhcp4.leases}',
		'dhcpdv6' => '{/var/dhcpd/var/db/dhcpd6.leases,/var/lib/kea/dhcp6.leases}',
		'voucher' => '/var/db/voucher_*.db',
	],
	'cp_prefix' => 'cpzoneid',
	'booting' => false,
	'rrddbpath' => '/var/db/rrd',
	// A command prefix rather than a path: it already carries the nice(1) arguments.
	'rrdtool' => '/usr/bin/nice -n20 /usr/local/bin/rrdtool',
];
116

    
117
/* IP TOS flag names */
global $iptos;
$iptos = [
	'lowdelay',
	'throughput',
	'reliability',
];

/* TCP flag names */
global $tcpflags;
$tcpflags = [
	'syn', 'ack', 'fin', 'rst',
	'psh', 'urg', 'ece', 'cwr',
];
124

    
125
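// Patch level: taken from the patch file when it exists, otherwise '0'.
if (file_exists($version_patch_file)) {
	$g['product_version_patch'] = rtrim(file_get_contents($version_patch_file));
} else {
	$g['product_version_patch'] = '0';
}

// The version string gets a "-p<N>" suffix only for a numeric, non-zero patch level.
// The comparison is deliberately loose, so '0', '00' and '0.0' all mean "no patch".
$g['product_version_string'] = g_get('product_version');
if (is_numeric(g_get('product_version_patch')) && g_get('product_version_patch') != '0') {
	$g['product_version_string'] .= '-p'. g_get('product_version_patch');
}

// Default configuration flavor: first line of the flavor file, or '' when there is none.
// An empty or unreadable file is treated like a missing one; previously it raised an
// undefined-offset warning and passed null to chop().
$flavor_file = g_get('etc_path') . '/default-config-flavor';
if (file_exists($flavor_file)) {
	$flavor_array = file($flavor_file);
	$g['default-config-flavor'] = (is_array($flavor_array) && isset($flavor_array[0]))
		? rtrim($flavor_array[0])
		: '';
} else {
	$g['default-config-flavor'] = '';
}

$g['openvpn_base'] = g_get('varetc_path') . '/openvpn';

$g['pkg_repos_path'] = '/usr/local/etc/' . $g['product_name'] . '/pkg/repos';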
147

    
148
/*
 * Default sysctls.
 *
 * Values are a mix of strings and integers, exactly as listed.
 * NOTE(review): several entries are network-hardening knobs (blackhole,
 * drop_synfin, syncookies, random_id, randompid). Also worth confirming against
 * the target FreeBSD release are net.inet.ip.redirect / net.inet6.ip6.redirect
 * set to '1', net.inet.icmp.icmplim set to '0' and net.link.tap.user_open set
 * to '1'. A change to any of these defaults should be reviewed as a security change.
 */
global $sysctls;
$sysctls = [
	'net.inet.ip.portrange.first' => '1024',
	'net.inet.tcp.blackhole' => '2',
	'net.inet.udp.blackhole' => '1',
	'net.inet.ip.random_id' => '1',
	'net.inet.tcp.drop_synfin' => '1',
	'net.inet.ip.redirect' => '1',
	'net.inet6.ip6.redirect' => '1',
	'net.inet6.ip6.use_tempaddr' => '0',
	'net.inet6.ip6.prefer_tempaddr' => '0',
	'net.inet.tcp.syncookies' => '1',
	'net.inet.tcp.recvspace' => '65228',
	'net.inet.tcp.sendspace' => '65228',
	'net.inet.tcp.delayed_ack' => '0',
	'net.inet.udp.maxdgram' => '57344',
	'net.link.bridge.pfil_onlyip' => '0',
	'net.link.bridge.pfil_member' => '1',
	'net.link.bridge.pfil_bridge' => '0',
	'net.link.tap.user_open' => '1',
	'net.link.vlan.mtag_pcp' => '1',
	'kern.randompid' => '347',
	'net.inet.ip.intr_queue_maxlen' => '1000',
	'hw.syscons.kbd_reboot' => '0',
	'net.inet.tcp.log_debug' => '0',
	'net.inet.tcp.tso' => '1',
	'net.inet.icmp.icmplim' => '0',
	'vfs.read_max' => '32',
	'kern.ipc.maxsockbuf' => '4262144',
	'net.inet.ip.process_options' => 0,
	'kern.random.harvest.mask' => '351',
	'net.route.netisr_maxqlen' => 1024,
	'net.inet.udp.checksum' => 1,
	'net.inet.icmp.reply_from_interface' => 1,
	'net.inet6.ip6.rfc6204w3' => 1,
	'net.key.preferred_oldsa' => '0',
	/* Do not demote CARP for interface send errors */
	'net.inet.carp.senderr_demotion_factor' => 0,
	/* Do not demote CARP for pfsync errors */
	'net.pfsync.carp_demotion_factor' => 0,
	'net.raw.recvspace' => 65536,
	'net.raw.sendspace' => 65536,
	'net.inet.raw.recvspace' => 131072,
	'net.inet.raw.maxdgram' => 131072,
	/* Write all core files to /root/ so they do not consume space on other slices */
	'kern.corefile' => '/root/%N.core',
];

// ARM platforms get one extra default.
$machine_type = php_uname('m');
if (in_array($machine_type, ['arm', 'arm64'], true)) {
	$sysctls['kern.shutdown.secure_halt'] = 1;
}
198

    
199
/* Directory whose XML files are all read to load menu entries */
$g['ext_menu_path'] = sprintf('/usr/local/share/%s/menu', g_get('product_name'));

/* Cache file used to store pfSense version, and its refresh interval in seconds (2h) */
$g['version_cache_file'] = sprintf('%s/%s_version', g_get('varrun_path'), g_get('product_name'));
$g['version_cache_refresh'] = 7200;

// The key is only created when the marker file exists; otherwise it stays unset.
$enableserial_marker = g_get('cf_conf_path') . '/enableserial_force';
if (file_exists($enableserial_marker)) {
	$g['enableserial_force'] = true;
}
209

    
210
// Starts out false; this file never sets it to true.
global $config_parsed;
$config_parsed = false;

/*
 * Factory default check IP service.
 * NOTE(review): the URL is plain HTTP, so the answer is unauthenticated and can
 * be altered in transit. Confirm how consumers use the reported address before
 * relying on it for anything security-relevant.
 */
global $factory_default_checkipservice;
$factory_default_checkipservice = [
	'enable' => true,
	'name'   => 'Default',
	'url'    => 'http://checkip.dyndns.org',
	'descr'  => 'Default Check IP Service',
];
221

    
222
// Dynamic DNS provider type identifiers; most appear as an IPv4 / "-v6" pair.
global $dyndns_split_domain_types;
$dyndns_split_domain_types = [
	'cloudflare', 'cloudflare-v6',
	'cloudns',
	'digitalocean', 'digitalocean-v6',
	'gandi-livedns', 'gandi-livedns-v6',
	'godaddy', 'godaddy-v6',
	'gratisdns',
	'linode', 'linode-v6',
	'luadns', 'luadns-v6',
	'mythicbeasts', 'mythicbeasts-v6',
	'namecheap',
	'name.com', 'name.com-v6',
	'onecom', 'onecom-v6',
	'porkbun', 'porkbun-v6',
	'yandex', 'yandex-v6',
];
239

    
240
/*
 * pf tokens from FreeBSD source /sbin/pfctl/parse.y, plus project-specific ones.
 *
 * NOTE(review): several entries in the "fuzzy format" group look like two or
 * more tokens fused together (for example 'duptoicmptype', 'ifboundmaxmss',
 * 'natanchornodf', 'randomidrdranchor', 'requireorderreturnicmp',
 * 'returnrstroundrobinrouteto', 'sourcetrackstatedefaults'), and 'maximummin'
 * in the custom group looks the same. If so, the individual fuzzy spellings
 * are not covered by this list. Confirm against the generator of this list.
 */
global $pf_reserved_keywords;
$pf_reserved_keywords = [
	// Original tokens
	'all', 'allow-opts', 'altq', 'anchor', 'antispoof', 'any', 'bandwidth', 'binat', 'binat-anchor', 'bitmask',
	'block', 'block-policy', 'buckets', 'cbq', 'code', 'codelq', 'crop', 'debug', 'divert-reply', 'divert-to',
	'dnpipe', 'dnqueue', 'drop', 'drop-ovl', 'dup-to', 'ether', 'fail-policy', 'fairq', 'fastroute', 'file',
	'fingerprints', 'flags', 'floating', 'flush', 'for', 'fragment', 'from', 'global', 'group', 'hfsc', 'hogs',
	'hostid', 'icmp-type', 'icmp6-type', 'if-bound', 'in', 'include', 'inet', 'inet6', 'interval', 'keep',
	'keepcounters', 'l3', 'label', 'limit', 'linkshare', 'load', 'log', 'loginterface', 'map-e-portset', 'match',
	'max', 'max-mss', 'max-src-conn', 'max-src-conn-rate', 'max-src-nodes', 'max-src-states', 'min-ttl', 'modulate',
	'nat', 'nat-anchor', 'no', 'no-df', 'no-route', 'no-sync', 'on', 'optimization', 'os', 'out', 'overload',
	'pass', 'port', 'prio', 'priority', 'priq', 'probability', 'proto', 'qlimit', 'queue', 'quick', 'random',
	'random-id', 'rdr', 'rdr-anchor', 'realtime', 'reassemble', 'reply-to', 'require-order', 'return', 'return-icmp',
	'return-icmp6', 'return-rst', 'ridentifier', 'round-robin', 'route', 'route-to', 'rtable', 'rule',
	'ruleset-optimization', 'scrub', 'set', 'set-tos', 'skip', 'sloppy', 'source-hash', 'source-track', 'state',
	'state-defaults', 'state-policy', 'static-port', 'sticky-address', 'syncookies', 'synproxy', 'table', 'tag',
	'tagged', 'target', 'tbrsize', 'timeout', 'to', 'tos', 'ttl', 'upperlimit', 'urpf-failed', 'user',

	// Original tokens in fuzzy format
	'allowopts', 'binatanchor', 'blockpolicy', 'divertreply', 'divertto', 'duptoicmptype', 'icmp6type', 'ifboundmaxmss',
	'maxsrcconn', 'maxsrcconnrate', 'maxsrcnodes', 'maxsrcstates', 'minttl', 'natanchornodf', 'noroute', 'nosync',
	'randomidrdranchor', 'replyto', 'requireorderreturnicmp', 'returnicmp6', 'returnrstroundrobinrouteto',
	'ruleset_optimization', 'settos', 'sourcehash', 'sourcetrackstatedefaults', 'statepolicy', 'staticport',
	'stickyaddress', 'urpffailed', 'dropovl', 'failpolicy', 'mapeportset',

	// Custom tokens
	'arrow', 'codel', 'error', 'filename', 'fragcrop', 'fragdrop', 'IPsec', 'L2TP', 'maximummin', 'OpenVPN',
	'pppoe', 'pptp',
];
268

    
269
/**
 * User-accessible read-only aliases reserved for system use.
 *
 * Entries are keyed by alias name. Each entry must have a name, a type and a
 * description. Possible values are:
 * - name: Same value as the key; used for compatibility with other functions.
 * - url: A URL string for URL* types. Alternatively it may be a file path.
 *        If a file path is given, the alias is assumed to be processed
 *        separately such as with rc.update_bogons.sh.
 * - type: The alias type.
 * - descr: A string value.
 * - address: A string of space-separated values; may be defined
 *            dynamically e.g. during filter ruleset generation.
 * - detail: An optional string value.
 *
 * @global array $reserved_table_names
 */
global $reserved_table_names;
$reserved_table_names = [
	// Tables backed by a file path in 'url'
	'bogons' => [
		'name' => 'bogons',
		'type' => 'urltable',
		'url' => '/etc/bogons',
		'descr' => 'IPv4 bogons.',
		'address' => '',
		'detail' => '',
	],
	'bogonsv6' => [
		'name' => 'bogonsv6',
		'type' => 'urltable',
		'url' => '/etc/bogonsv6',
		'descr' => 'IPv6 bogons.',
		'address' => '',
		'detail' => '',
	],
	// Host tables; 'address' is left empty here
	'sshguard' => [
		'name' => 'sshguard',
		'type' => 'host',
		'descr' => 'Hosts blocked by SSH login protection.',
		'address' => '',
		'detail' => '',
	],
	'snort2c' => [
		'name' => 'snort2c',
		'type' => 'host',
		'descr' => 'Hosts blocked by IDS.',
		'address' => '',
		'detail' => '',
	],
	'virusprot' => [
		'name' => 'virusprot',
		'type' => 'host',
		'descr' => 'Hosts blocked by rule restrictions.',
		'address' => '',
		'detail' => '',
	],
	// Network tables; 'address' is left empty here
	'vpn_networks' => [
		'name' => 'vpn_networks',
		'type' => 'network',
		'descr' => 'Networks for IPsec, OpenVPN, and PPPoE servers.',
		'address' => '',
		'detail' => '',
	],
	'negate_networks' => [
		'name' => 'negate_networks',
		'type' => 'network',
		'descr' => 'Networks to exclude from policy routing rules with any destination.',
		'address' => '',
		'detail' => '',
	],
	'tonatsubnets' => [
		'name' => 'tonatsubnets',
		'type' => 'network',
		'descr' => 'Networks handled by automatic outbound NAT.',
		'address' => '',
		'detail' => '',
	],
];
347

    
348
/**
 * Register a reserved table in the global $reserved_table_names.
 *
 * The keys of $values become the space-separated 'address' string and the
 * values of $values become the '||'-separated 'detail' string. An existing
 * entry with the same name is replaced. A $table without a 'name' key is
 * ignored silently.
 *
 * NOTE(review): no other field of $table is validated, and a description that
 * itself contains '||' would not survive a later split on that separator.
 * Confirm how consumers parse 'detail'.
 *
 * @param array $table  Entry fields; must contain 'name'
 * @param array $values Map of address (or alias name) => description
 *
 * @return void
 */
function add_reserved_table(array $table, array $values) {
	global $reserved_table_names;

	if (array_key_exists('name', $table)) {
		$addresses = array_keys($values);
		$descriptions = array_values($values);

		$table['address'] = implode(' ', $addresses);
		$table['detail'] = implode('||', $descriptions);
		$reserved_table_names[$table['name']] = $table;
	}
}
357

    
358
// Loopback tables. The combined "46" table lists the two tables above it by name.
add_reserved_table(
	['name' => '_loopback4_', 'type' => 'network', 'descr' => 'IPv4 loopback network.'],
	[
		'127.0.0.0/8' => 'Loopback', // RFC1122
	],
);
add_reserved_table(
	['name' => '_loopback6_', 'type' => 'network', 'descr' => 'IPv6 loopback network.'],
	[
		'::1/128' => 'Loopback Address', // RFC4291
	],
);
add_reserved_table(
	['name' => '_loopback46_', 'type' => 'network', 'descr' => 'IPv4 and IPv6 loopback networks.'],
	[
		'_loopback4_' => 'IPv4 Loopback',
		'_loopback6_' => 'IPv6 Loopback',
	],
);
389

    
390
// Link-local tables. The combined "46" table lists the two tables above it by name.
add_reserved_table(
	['name' => '_linklocal4_', 'type' => 'network', 'descr' => 'IPv4 link-local networks.'],
	[
		'169.254.0.0/16' => 'Link Local', // RFC3927
	],
);
add_reserved_table(
	['name' => '_linklocal6_', 'type' => 'network', 'descr' => 'IPv6 link-local networks.'],
	[
		'fe80::/10' => 'Linked-Scoped Unicast', // RFC4291
	],
);
add_reserved_table(
	['name' => '_linklocal46_', 'type' => 'network', 'descr' => 'IPv4 and IPv6 link-local networks.'],
	[
		'_linklocal4_' => 'IPv4 link-local networks',
		'_linklocal6_' => 'IPv6 link-local networks',
	],
);
421

    
422
// Private-use tables. The combined "46" table lists the two tables above it by name.
add_reserved_table(
	['name' => '_private4_', 'type' => 'network', 'descr' => 'IPv4 private networks.'],
	[
		'10.0.0.0/8' => 'Private-Use', // RFC1918
		'172.16.0.0/12' => 'Private-Use', // RFC1918
		'192.168.0.0/16' => 'Private-Use', // RFC1918
	],
);
add_reserved_table(
	['name' => '_private6_', 'type' => 'network', 'descr' => 'IPv6 private networks.'],
	[
		'fc00::/7' => 'Unique-Local', // RFC4193
	],
);
add_reserved_table(
	['name' => '_private46_', 'type' => 'network', 'descr' => 'IPv4 and IPv6 private networks.'],
	[
		'_private4_' => 'IPv4 private networks',
		'_private6_' => 'IPv6 private networks',
	],
);
456

    
457
// Multicast tables. The combined "46" table lists the two tables above it by name.
add_reserved_table(
	['name' => '_multicast4_', 'type' => 'network', 'descr' => 'IPv4 multicast networks.'],
	[
		'224.0.0.0/4' => 'Multicast', // RFC5771
	],
);
add_reserved_table(
	['name' => '_multicast6_', 'type' => 'network', 'descr' => 'IPv6 multicast networks.'],
	[
		'ff00::/8' => 'Multicast', // RFC4291
	],
);
add_reserved_table(
	['name' => '_multicast46_', 'type' => 'network', 'descr' => 'IPv4 and IPv6 multicast networks.'],
	[
		'_multicast4_' => 'IPv4 multicast networks',
		'_multicast6_' => 'IPv6 multicast networks',
	],
);
488

    
489
// Special-purpose ("reserved for local use") tables. These lists repeat the
// loopback, link-local, private and multicast prefixes registered separately
// in this file, so a change to one of those prefixes has to be made in both places.
add_reserved_table(
	['name' => '_reserved4_', 'type' => 'network', 'descr' => 'IPv4 networks reserved for local use.'],
	[
		'0.0.0.0/8' => 'This host on this network', // RFC1122
		'10.0.0.0/8' => 'Private-Use', // RFC1918
		'100.64.0.0/10' => 'Shared Address Space', // RFC6598
		'127.0.0.0/8' => 'Loopback', // RFC1122
		'169.254.0.0/16' => 'Link Local', // RFC3927
		'172.16.0.0/12' => 'Private-Use', // RFC1918
		'192.0.0.0/24' => 'IETF Protocol Assignments', // RFC6890
		'192.0.2.0/24' => 'Documentation (TEST-NET-1)', // RFC5737
		'192.88.99.0/24' => '6to4 Relay Anycast', // RFC3068
		'192.168.0.0/16' => 'Private-Use', // RFC1918
		'198.18.0.0/15' => 'Benchmarking', // RFC2544
		'198.51.100.0/24' => 'Documentation (TEST-NET-2)', // RFC5737
		'203.0.113.0/24' => 'Documentation (TEST-NET-3)', // RFC5737
		'224.0.0.0/4' => 'Multicast', // RFC5771
		'240.0.0.0/4' => 'Reserved', // RFC1112
		'255.255.255.255/32' => 'Limited Broadcast', // RFC0919
	]
);
add_reserved_table(
	['name' => '_reserved6_', 'type' => 'network', 'descr' => 'IPv6 networks reserved for local use.'],
	[
		'::1/128' => 'Loopback Address', // RFC4291
		'::/128' => 'Unspecified Address', // RFC4291
		'::ffff:0:0/96' => 'IPv4-mapped Address', // RFC4291
		'64:ff9b::/96' => 'IPv4-IPv6 Translation', // RFC6052
		'64:ff9b:1::/48' => 'Local-Use IPv4/IPv6 Translation', // RFC8215
		'100::/64' => 'Discard-Only Address Block', // RFC6666
		'2001::/23' => 'IETF Protocol Assignments', // RFC2928
		'2001:2::/48' => 'Benchmarking', // RFC5180
		'2001:db8::/32' => 'Documentation', // RFC3849
		'2002::/16' => '6to4', // RFC3056
		'3fff::/20' => 'Documentation', // RFC9637
		'5f00::/16' => 'Segment Routing (SRv6) SIDs', // RFC9602
		'fc00::/7' => 'Unique-Local', // RFC4193
		'fe80::/10' => 'Linked-Scoped Unicast', // RFC4291
		'ff00::/8' => 'Multicast', // RFC4291
	]
);
// The combined table lists the two tables above it by name.
add_reserved_table(
	['name' => '_reserved46_', 'type' => 'network', 'descr' => 'IPv4 and IPv6 networks reserved for local use.'],
	[
		'_reserved4_' => 'IPv4 networks reserved for local use',
		'_reserved6_' => 'IPv6 networks reserved for local use',
	],
);
549

    
550
/* VLAN Prio values: short code => numeric priority. */
global $vlanprio_values;
$vlanprio_values = [
	'bk' => 0, 'be' => 1, 'ee' => 2, 'ca' => 3,
	'vi' => 4, 'vo' => 5, 'ic' => 6, 'nc' => 7,
];

/* Display labels for the same codes; the number in each label repeats the value above. */
global $vlanprio;
$vlanprio = [
	'bk' => 'Background (BK, 0)',
	'be' => 'Best Effort (BE, 1)',
	'ee' => 'Excellent Effort (EE, 2)',
	'ca' => 'Critical Applications (CA, 3)',
	'vi' => 'Video (VI, 4)',
	'vo' => 'Voice (VO, 5)',
	'ic' => 'Internetwork Control (IC, 6)',
	'nc' => 'Network Control (NC, 7)',
];
574

    
575
// Base names of the system log files.
global $system_log_files;
$system_log_files = [
	'system', 'filter', 'dhcpd', 'vpn', 'poes', 'l2tps', 'openvpn',
	'portalauth', 'ipsec', 'ppp', 'wireless', 'nginx', 'ntpd', 'gateways',
	'resolver', 'routing', 'auth',
];

global $system_log_non_syslog_files;
$system_log_non_syslog_files = [
	'dmesg.boot',
	'utx.log',
	'userlog',
];

/*
 * Log compression types: a flag letter, a command that prints the file, and
 * the file extension.
 * NOTE(review): 'cat' is a command string with its options already included.
 * Presumably a file name is appended before it is executed, so callers must
 * escape that file name. Confirm at the call sites.
 */
global $system_log_compression_types;
$system_log_compression_types = [
	'bzip2' => ['flag' => 'J', 'cat' => '/usr/bin/bzcat -qf', 'ext' => 'bz2'],
	'gzip' => ['flag' => 'Z', 'cat' => '/usr/bin/zcat -qf', 'ext' => 'gz'],
	'xz' => ['flag' => 'X', 'cat' => '/usr/bin/xzcat -qf', 'ext' => 'xz'],
	'zstd' => ['flag' => 'Y', 'cat' => '/usr/bin/zstdcat -qqf', 'ext' => 'zst'],
	'none' => ['flag' => '', 'cat' => '/bin/cat', 'ext' => ''],
];
613

    
614
/*
 * Key algorithms offered for dynamic DNS domain keys: identifier => display label.
 * NOTE(review): 'hmac-md5' is labelled as a legacy default and is still
 * offered. Where the peer supports it, prefer one of the SHA-2 variants for
 * new keys.
 */
global $ddnsdomainkeyalgorithms;
$ddnsdomainkeyalgorithms = [
	'hmac-md5'    => 'HMAC-MD5 (legacy default)',
	'hmac-sha1'   => 'HMAC-SHA1',
	'hmac-sha224' => 'HMAC-SHA224',
	'hmac-sha256' => 'HMAC-SHA256 (current bind9 default)',
	'hmac-sha384' => 'HMAC-SHA384',
	'hmac-sha512' => 'HMAC-SHA512 (most secure)',
];
623

    
624
// IPsec filter modes: identifier => display label.
global $ipsec_filtermodes;
$ipsec_filtermodes = [
	'enc' => 'Filter IPsec Tunnel, Transport, and VTI on IPsec tab (enc0)',
	'if_ipsec' => 'Filter IPsec VTI and Transport on assigned interfaces, block all tunnel mode traffic',
];

// Sysctl values for each filter mode above; both modes set the same six sysctls.
// The values are hexadecimal strings, not integers.
global $ipsec_filter_sysctl;
$ipsec_filter_sysctl = [
	'enc' => [
		'net.inet.ipsec.filtertunnel'   => '0x0000',
		'net.inet6.ipsec6.filtertunnel' => '0x0000',
		'net.enc.out.ipsec_bpf_mask'    => '0x0001',
		'net.enc.out.ipsec_filter_mask' => '0x0001',
		'net.enc.in.ipsec_bpf_mask'     => '0x0002',
		'net.enc.in.ipsec_filter_mask'  => '0x0002',
	],
	'if_ipsec' => [
		'net.inet.ipsec.filtertunnel'   => '0x0001',
		'net.inet6.ipsec6.filtertunnel' => '0x0001',
		'net.enc.out.ipsec_bpf_mask'    => '0x0000',
		'net.enc.out.ipsec_filter_mask' => '0x0000',
		'net.enc.in.ipsec_bpf_mask'     => '0x0000',
		'net.enc.in.ipsec_filter_mask'  => '0x0000',
	],
];

global $vpn_and_ppp_ifs;
$vpn_and_ppp_ifs = [
	'l2tp',
	'pppoe',
	'enc0',
	'openvpn',
];
652

    
653
// SSH key types listed here: RSA and Ed25519 only.
global $ssh_keys;
$ssh_keys = [
	[
		'type' => 'rsa',
		'suffix' => 'rsa_',
	],
	[
		'type' => 'ed25519',
		'suffix' => 'ed25519_',
	],
];

global $sshConfigDir;
$sshConfigDir = '/etc/ssh';

// LAGG hash options: value => display label.
global $lagg_hash_list;
$lagg_hash_list = [
	'l2,l3,l4' => 'Layer 2/3/4 (default)',
	'l2'       => 'Layer 2 (MAC Address)',
	'l3'       => 'Layer 3 (IP Address)',
	'l4'       => 'Layer 4 (Port Number)',
	'l2,l3'    => 'Layer 2/3 (MAC + IP)',
	'l3,l4'    => 'Layer 3/4 (IP + Port)',
	'l2,l4'    => 'Layer 2/4 (MAC + Port)',
];
672

    
673
/**
674
 * Check if the global $g variable contains a $key
675
 *
676
 * @param string $key The key
677
 * @param bool $isset Also perform isset check
678
 *
679
 * @return bool
680
 */
681
function g_has(string $key, bool $isset = false) : bool
682
{
683
	global $g;
684
	return (array_key_exists($key, $g) && (!$isset || isset($g[$key])));
685
}
686

    
687
/**
 * Read a value from the global $g array.
 *
 * An entry that is missing or holds null counts as a miss, because the lookup
 * uses g_has() with the isset check enabled.
 *
 * @param string $key     The key to read
 * @param mixed  $default The value to return on a miss
 *
 * @return mixed
 */
function g_get(string $key, mixed $default = null) : mixed
{
	global $g;

	if (g_has($key, true)) {
		return ($g[$key]);
	}

	return ($default);
}
700

    
701
/**
 * Store a value in the global $g array.
 *
 * Without $force, an entry that already holds a non-null value is left alone.
 *
 * @param string $key   The key to write
 * @param mixed  $value The value to store
 * @param bool   $force Replace the value even if one is already set
 *
 * @return mixed The value found under $key after the call
 */
function g_set(string $key, mixed $value, bool $force = false) : mixed
{
	global $g;

	$may_write = $force || !g_has($key, true);
	if ($may_write) {
		$g[$key] = $value;
	}

	return (g_get($key));
}
718

    
719
/**
 * Remove an entry from the global $g array.
 *
 * Nothing happens when the key is not present.
 *
 * @param string $key The key to remove
 *
 * @return void
 */
function g_unset(string $key) : void
{
	global $g;

	if (!g_has($key)) {
		return;
	}

	unset($g[$key]);
}
733

    
734
/**
 * Tell whether the system is currently booting.
 *
 * True when the 'booting' entry of $g is truthy, or when a file named
 * 'booting' exists in the varrun path.
 *
 * @return bool
 */
function is_platform_booting() : bool
{
	if (g_get('booting', false)) {
		return (true);
	}

	$marker = g_get('varrun_path') . '/booting';
	return (file_exists($marker));
}
743

    
744
/**
 * Tell whether PHP is running in a command-line context.
 *
 * Three signals are tried in order: the STDIN constant, the SAPI name, and a
 * SHELL entry in $_ENV.
 *
 * NOTE(review): the SHELL test only reflects the process environment. A
 * non-CLI SAPI whose environment carries SHELL would also be reported as CLI,
 * so this result should not be the only basis for a trust decision. Confirm
 * how the callers use it.
 *
 * @return bool
 */
function is_cli_sapi() : bool
{
	return (
		defined('STDIN')
		|| PHP_SAPI === 'cli'
		|| array_key_exists('SHELL', $_ENV)
	);
}
765

    
766
/**
 * Tell whether the system is booting, optionally only for CLI execution.
 *
 * @deprecated Prefer the use of is_platform_booting
 *
 * @param bool $only_on_console When true, also require a CLI execution context
 *
 * @return bool
 */
function platform_booting(bool $only_on_console = false) : bool
{
	if (!is_platform_booting()) {
		return (false);
	}

	return (!$only_on_console || is_cli_sapi());
}
779

    
780
/**
 * Check if a file can be included.
 *
 * The name is tried as given first, then resolved against the include path.
 *
 * NOTE(review): a relative name can be satisfied by any directory on the
 * include path (and, for the first check, by the current working directory).
 * Those directories must not be writable by unprivileged users.
 *
 * @param string $filename Absolute path, or a name to resolve on the include path
 *
 * @return bool
 */
function can_include(string $filename) : bool
{
	// short-circuit on absolute paths before checking relative include paths
	if (file_exists($filename)) {
		return (true);
	}

	$resolved = stream_resolve_include_path($filename);
	return ((bool) $resolved);
}
792

    
793
/**
 * Get a list of known protocols.
 *
 * Recognised $type values:
 * - 'portsonly':   only the protocols that use ports (TCP, UDP, TCP/UDP, SCTP)
 * - 'outboundnat': the full list without EoIP, PIM and OSPF
 * - 'portforward': the full list without EoIP, CARP and PFSYNC
 * Any other value, including null and '', returns the full list.
 *
 * Exclusions are matched against the display labels, not the array keys.
 *
 * @param string|null $type Filter the returned list based on the type
 *
 * @return array Map of protocol identifier => display label
 */
function get_ipprotocols(?string $type = ''):array {
	$all_protocols = [
		'any' => gettext('Any'),
		'tcp' => 'TCP',
		'udp' => 'UDP',
		'tcp/udp' => 'TCP/UDP',
		'icmp' => 'ICMP',
		'esp' => 'ESP',
		'ah' => 'AH',
		'gre' => 'GRE',
		'etherip' => 'EoIP',
		'ipv6' => 'IPV6',
		'igmp' => 'IGMP',
		'pim' => 'PIM',
		'ospf' => 'OSPF',
		'sctp' => 'SCTP',
		'carp' => 'CARP',
		'pfsync' => 'PFSYNC',
	];

	if ($type === 'portsonly') {
		return [
			'tcp' => 'TCP',
			'udp' => 'UDP',
			'tcp/udp' => 'TCP/UDP',
			'sctp' => 'SCTP',
		];
	}

	$excluded_labels = match ($type) {
		'outboundnat' => ['EoIP', 'PIM', 'OSPF'],
		'portforward' => ['EoIP', 'CARP', 'PFSYNC'],
		default => [],
	};

	return array_diff($all_protocols, $excluded_labels);
}
842

    
843
// Source pfSense Plus specific globals last, so they are applied after everything above.
// NOTE(review): the file is given by a relative name, so the first match along
// the include path is the one loaded. Keep those directories writable by root only.
$plus_globals = 'globals.plus.inc';
if (can_include($plus_globals)) {
	include_once $plus_globals;
}