<?php
/*
* globals.inc
*
* part of pfSense (https://www.pfsense.org)
* Copyright (c) 2004-2013 BSD Perimeter
* Copyright (c) 2013-2016 Electric Sheep Fencing
* Copyright (c) 2014-2025 Rubicon Communications, LLC (Netgate)
* All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
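// Global defines

// Automatic panel collapse (bit flags; combined by the UI code that reads them)
define('COLLAPSIBLE', 0x08);
define('SEC_CLOSED', 0x04);
define('SEC_OPEN', 0x00);

// IP address types
define('IPV4', 4);
define('IPV6', 6);
define('IPV4V6', 2);
define('ALIAS', 1);

// Interface Name Size
define('IF_NAMESIZE', 15); /* 16 minus the terminating NULL */

// AddPassword method defines
// Dummy value displayed in place of a stored password. Presumably the form
// handlers compare against it so an untouched field keeps the existing
// secret — verify against the consumers before relying on that.
define('DMYPWD', '********');

// Captive Portal aliases prefix
define('CPPREFIX', 'cpzoneid_');

$version_file = '/etc/version';
$version_patch_file = $version_file . 'patch';

// Same result as before ('') when the version file is missing or unreadable,
// minus the E_WARNING from file_get_contents() and the rtrim(false) that followed.
$product_version = file_exists($version_file)
	? rtrim((string) file_get_contents($version_file))
	: '';
$present_year = date('Y');

/*
 * $g: product-wide settings and filesystem locations. Read through g_get()
 * and friends elsewhere in this file; most keys are plain constants, the
 * ones derived at load time are marked.
 */
global $g;
$g = [
	'acbbackuppath' => '/cf/conf/acb/',
	// unix socket of check_reload_status
	'event_address' => 'unix:///var/run/check_reload_status',
	// credentials that ship with a factory-default configuration
	'factory_shipped_username' => 'admin',
	'factory_shipped_password' => 'pfsense',
	'upload_path' => '/root',
	'dhcpd_chroot_path' => '/var/dhcpd',
	'unbound_chroot_path' => '/var/unbound',
	'var_path' => '/var',
	'varrun_path' => '/var/run',
	'varetc_path' => '/var/etc',
	'vardb_path' => '/var/db',
	'varlog_path' => '/var/log',
	'etc_path' => '/etc',
	'tmp_path' => '/tmp',
	'tmp_path_user_code' => '/tmp/user_code',
	'conf_path' => '/conf',
	'conf_default_path' => '/conf.default',
	'cf_path' => '/cf',
	'cf_conf_path' => '/cf/conf',
	'www_path' => '/usr/local/www',
	'xml_rootobj' => 'pfsense',
	'admin_group' => 'admins',
	'product_name' => 'pfSense',
	'product_label' => 'pfSense',
	// contains markup; only emit where HTML is expected
	'product_label_html' => 'Netgate pfSense<sup>®</sup>',
	// derived at load time (see above)
	'product_version' => $product_version,
	'product_copyright_years' => '2004 - ' . $present_year,
	'disablehelpmenu' => false,
	'disablehelpicon' => false,
	'disablecrashreporter' => false,
	'debug' => false,
	'latest_config' => '23.9',
	'minimum_ram_warning' => '101',
	'minimum_ram_warning_text' => '128 MB',
	'wan_interface_name' => 'wan',
	'captiveportal_path' => '/usr/local/captiveportal',
	'captiveportal_element_path' => '/var/db/cpelements',
	'captiveportal_element_sizelimit' => 1048576,
	'captiveportal_rules_interval' => 50,
	'services_dhcp_server_enable' => true,
	// matches FreeBSD wireless driver interface names (driver name + unit number)
	'wireless_regex' => '/^(ath|athp|bwi|bwn|ipw|iwi|iwlwifi|iwm|iwn|malo|mwl|ral|rsu|rtwn|rum|run|uath|upgt|ural|urtw|urtwn|wi|wpi|wtap|zyd)[0-9]+/',
	'help_base_url' => '/help.php',
	'pkg_prefix' => 'pfSense-pkg-',
	'default_timezone' => 'Etc/UTC',
	'language' => 'en_US',
	'default_config_backup_count' => 30,
	'default_cert_expiredays' => 27,
	'default_log_entries' => 500,
	'default_log_size' => 512000,
	'minimumtableentries_bogonsv6' => 400000,
	'alternativemetaports' => ['vmware', 'php72', 'php73', 'php74'],
	// glob patterns (shell brace/star syntax) of state files worth backing up
	'backuppath' => [
		'captiveportal' => '/var/db/captiveportal*.db',
		'dhcpd' => '{/var/dhcpd/var/db/dhcpd.leases,/var/lib/kea/dhcp4.leases}',
		'dhcpdv6' => '{/var/dhcpd/var/db/dhcpd6.leases,/var/lib/kea/dhcp6.leases}',
		'voucher' => '/var/db/voucher_*.db'
	],
	'cp_prefix' => 'cpzoneid',
	// may be flipped at runtime; see is_platform_booting()
	'booting' => false,
	'rrddbpath' => '/var/db/rrd',
	// full command prefix (nice + absolute path) for rrd consumers elsewhere
	'rrdtool' => '/usr/bin/nice -n20 /usr/local/bin/rrdtool'
];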
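/* IP TOS flags */
global $iptos;
$iptos = ['lowdelay', 'throughput', 'reliability'];

/* TCP flags */
global $tcpflags;
$tcpflags = ['syn', 'ack', 'fin', 'rst', 'psh', 'urg', 'ece', 'cwr'];

/* Patch level: contents of the patch file when present, otherwise '0'. */
if (file_exists($version_patch_file)) {
	// (string) cast keeps rtrim() well-defined if the read fails (false)
	$g['product_version_patch'] = rtrim((string) file_get_contents($version_patch_file));
} else {
	$g['product_version_patch'] = '0';
}

/* "<version>" or "<version>-p<patch>" when a non-zero numeric patch level exists. */
$g['product_version_string'] = g_get('product_version');
if (is_numeric(g_get('product_version_patch')) && g_get('product_version_patch') != '0') {
	$g['product_version_string'] .= '-p' . g_get('product_version_patch');
}

/*
 * Default config flavor: first line of the flavor file, '' when the file is
 * absent, unreadable or empty. The previous version indexed [0] unconditionally
 * and warned (and passed null to chop()) on an empty file or a failed read.
 */
$flavor_file = g_get('etc_path') . '/default-config-flavor';
$g['default-config-flavor'] = '';
if (file_exists($flavor_file)) {
	$flavor_array = file($flavor_file);
	if (is_array($flavor_array) && isset($flavor_array[0])) {
		$g['default-config-flavor'] = chop($flavor_array[0]);
	}
}

$g['openvpn_base'] = g_get('varetc_path') . '/openvpn';

$g['pkg_repos_path'] = '/usr/local/etc/' . g_get('product_name') . '/pkg/repos';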
/* Default sysctls */
/*
 * Kernel tunables applied by the system startup code (not in this file).
 * The mix of int and string values is kept as-is; the consumer is not
 * visible here, so no assumption is made about which form it expects.
 */
global $sysctls;
$sysctls = [
	/* port range, blackholing, SYN handling */
	'net.inet.ip.portrange.first' => '1024',
	'net.inet.tcp.blackhole' => '2',
	'net.inet.udp.blackhole' => '1',
	'net.inet.ip.random_id' => '1',
	'net.inet.tcp.drop_synfin' => '1',
	/* NOTE(review): ICMP redirect generation stays enabled ('1') for both
	 * address families — confirm this matches the intended posture for a
	 * forwarding host. */
	'net.inet.ip.redirect' => '1',
	'net.inet6.ip6.redirect' => '1',
	'net.inet6.ip6.use_tempaddr' => '0',
	'net.inet6.ip6.prefer_tempaddr' => '0',
	'net.inet.tcp.syncookies' => '1',
	/* socket buffer sizing */
	'net.inet.tcp.recvspace' => '65228',
	'net.inet.tcp.sendspace' => '65228',
	'net.inet.tcp.delayed_ack' => '0',
	'net.inet.udp.maxdgram' => '57344',
	/* bridge / tap / vlan behaviour */
	'net.link.bridge.pfil_onlyip' => '0',
	'net.link.bridge.pfil_member' => '1',
	'net.link.bridge.pfil_bridge' => '0',
	'net.link.tap.user_open' => '1',
	'net.link.vlan.mtag_pcp' => '1',
	'kern.randompid' => '347',
	'net.inet.ip.intr_queue_maxlen' => '1000',
	'hw.syscons.kbd_reboot' => '0',
	'net.inet.tcp.log_debug' => '0',
	'net.inet.tcp.tso' => '1',
	'net.inet.icmp.icmplim' => '0',
	'vfs.read_max' => '32',
	'kern.ipc.maxsockbuf' => '4262144',
	'net.inet.ip.process_options' => 0,
	'kern.random.harvest.mask' => '351',
	'net.route.netisr_maxqlen' => 1024,
	'net.inet.udp.checksum' => 1,
	'net.inet.icmp.reply_from_interface' => 1,
	'net.inet6.ip6.rfc6204w3' => 1,
	'net.key.preferred_oldsa' => '0',
	'net.inet.carp.senderr_demotion_factor' => 0, /* Do not demote CARP for interface send errors */
	'net.pfsync.carp_demotion_factor' => 0, /* Do not demote CARP for pfsync errors */
	'net.raw.recvspace' => 65536,
	'net.raw.sendspace' => 65536,
	'net.inet.raw.recvspace' => 131072,
	'net.inet.raw.maxdgram' => 131072,
	'kern.corefile' => '/root/%N.core', /* Write all core files to /root/ so they do not consume space on other slices */
];

/* ARM platforms additionally get a secure halt on shutdown. */
$machine_type = php_uname('m');
if (in_array($machine_type, ['arm', 'arm64'], true)) {
	$sysctls['kern.shutdown.secure_halt'] = 1;
}
/* Read all XML files in following dir and load menu entries */
$g['ext_menu_path'] = '/usr/local/share/'. g_get('product_name') . '/menu';

/* Cache file used to store pfSense version */
$g['version_cache_file'] = g_get('varrun_path') . '/' . g_get('product_name') . '_version';
$g['version_cache_refresh'] = 7200; /* 2h */

/* Marker file under the config directory forces the serial console on. */
if (file_exists(g_get('cf_conf_path') . '/enableserial_force')) {
	$g['enableserial_force'] = true;
}

/* Set elsewhere once the configuration has been parsed. */
global $config_parsed;
$config_parsed = false;

/* Factory default check IP service. */
/*
 * NOTE(review): plain-HTTP endpoint — the address it returns is neither
 * authenticated nor integrity-protected in transit; consumers should treat
 * the response as untrusted input (validate it as an IP address).
 */
global $factory_default_checkipservice;
$factory_default_checkipservice = [
	'enable' => true,
	'name' => 'Default',
	'url' => 'http://checkip.dyndns.org',
	'descr' => 'Default Check IP Service',
];
/*
 * Dynamic DNS providers whose host name is split into host and domain parts
 * by the DynDNS client code (not in this file); '-v6' entries are the IPv6
 * variants of the same provider.
 */
global $dyndns_split_domain_types;
$dyndns_split_domain_types = [
	'cloudflare', 'cloudflare-v6',
	'cloudns',
	'digitalocean', 'digitalocean-v6',
	'gandi-livedns', 'gandi-livedns-v6',
	'godaddy', 'godaddy-v6',
	'gratisdns',
	'linode', 'linode-v6',
	'luadns', 'luadns-v6',
	'mythicbeasts', 'mythicbeasts-v6',
	'namecheap',
	'name.com', 'name.com-v6',
	'onecom', 'onecom-v6',
	'porkbun', 'porkbun-v6',
	'yandex', 'yandex-v6',
];

// pf tokens from FreeBSD source /sbin/pfctl/parse.y
// Presumably used to reject alias names that would collide with pf syntax;
// the check itself lives with the alias validation code, not here.
global $pf_reserved_keywords;
$pf_reserved_keywords = [
	// Original tokens
	'all', 'allow-opts', 'altq', 'anchor', 'antispoof', 'any', 'bandwidth', 'binat', 'binat-anchor', 'bitmask',
	'block', 'block-policy', 'buckets', 'cbq', 'code', 'codelq', 'crop', 'debug', 'divert-reply', 'divert-to',
	'dnpipe', 'dnqueue', 'drop', 'drop-ovl', 'dup-to', 'ether', 'fail-policy', 'fairq', 'fastroute', 'file',
	'fingerprints', 'flags', 'floating', 'flush', 'for', 'fragment', 'from', 'global', 'group', 'hfsc', 'hogs',
	'hostid', 'icmp-type', 'icmp6-type', 'if-bound', 'in', 'include', 'inet', 'inet6', 'interval', 'keep',
	'keepcounters', 'l3', 'label', 'limit', 'linkshare', 'load', 'log', 'loginterface', 'map-e-portset', 'match',
	'max', 'max-mss', 'max-src-conn', 'max-src-conn-rate', 'max-src-nodes', 'max-src-states', 'min-ttl', 'modulate',
	'nat', 'nat-anchor', 'no', 'no-df', 'no-route', 'no-sync', 'on', 'optimization', 'os', 'out', 'overload',
	'pass', 'port', 'prio', 'priority', 'priq', 'probability', 'proto', 'qlimit', 'queue', 'quick', 'random',
	'random-id', 'rdr', 'rdr-anchor', 'realtime', 'reassemble', 'reply-to', 'require-order', 'return', 'return-icmp',
	'return-icmp6', 'return-rst', 'ridentifier', 'round-robin', 'route', 'route-to', 'rtable', 'rule',
	'ruleset-optimization', 'scrub', 'set', 'set-tos', 'skip', 'sloppy', 'source-hash', 'source-track', 'state',
	'state-defaults', 'state-policy', 'static-port', 'sticky-address', 'syncookies', 'synproxy', 'table', 'tag',
	'tagged', 'target', 'tbrsize', 'timeout', 'to', 'tos', 'ttl', 'upperlimit', 'urpf-failed', 'user',
	// Original tokens in fuzzy format (hyphens removed).
	// NOTE(review): several entries look like two tokens fused together
	// ('duptoicmptype', 'ifboundmaxmss', 'natanchornodf', 'randomidrdranchor',
	// 'requireorderreturnicmp', 'returnrstroundrobinrouteto',
	// 'sourcetrackstatedefaults'). As written they only match a name spelled
	// exactly that way, so the individual fuzzy forms (e.g. 'dupto',
	// 'icmptype') are not reserved. Kept verbatim — confirm the intent.
	'allowopts', 'binatanchor', 'blockpolicy', 'divertreply', 'divertto', 'duptoicmptype', 'icmp6type', 'ifboundmaxmss',
	'maxsrcconn', 'maxsrcconnrate', 'maxsrcnodes', 'maxsrcstates', 'minttl', 'natanchornodf', 'noroute', 'nosync',
	'randomidrdranchor', 'replyto', 'requireorderreturnicmp', 'returnicmp6', 'returnrstroundrobinrouteto',
	'ruleset_optimization', 'settos', 'sourcehash', 'sourcetrackstatedefaults', 'statepolicy', 'staticport',
	'stickyaddress', 'urpffailed', 'dropovl', 'failpolicy', 'mapeportset',
	// Custom tokens
	'arrow', 'codel', 'error', 'filename', 'fragcrop', 'fragdrop', 'IPsec', 'L2TP', 'maximummin', 'OpenVPN',
	'pppoe', 'pptp',
];
/**
 * User-accessible read-only aliases reserved for system use.
 *
 * Entries must have the name as the key. Each entry must have a name,
 * type, and description. Possible values are:
 * - name: Same value as the key; used for compatibility with other functions.
 * - url: A URL string for URL* types. Alternatively it may be a file path.
 *        If a file path is given, the alias is assumed to be processed
 *        separately such as with rc.update_bogons.sh.
 * - type: The alias type.
 * - descr: A string value.
 * - address: A string of space-separated values; may be defined
 *            dynamically e.g. during filter ruleset generation.
 * - detail: An optional string value.
 *
 * The fixed-address tables (loopback, link-local, private, multicast,
 * reserved) are appended further down via add_reserved_table().
 *
 * @global array $reserved_table_names
 */
global $reserved_table_names;
$reserved_table_names = [
	// populated from local files by the bogon update script, not at load time
	'bogons' => [
		'name' => 'bogons',
		'type' => 'urltable',
		'url' => '/etc/bogons',
		'descr' => 'IPv4 bogons.',
		'address' => '',
		'detail' => ''
	],
	'bogonsv6' => [
		'name' => 'bogonsv6',
		'type' => 'urltable',
		'url' => '/etc/bogonsv6',
		'descr' => 'IPv6 bogons.',
		'address' => '',
		'detail' => ''
	],
	// host tables filled at runtime by the respective services
	'sshguard' => [
		'name' => 'sshguard',
		'type' => 'host',
		'descr' => 'Hosts blocked by SSH login protection.',
		'address' => '',
		'detail' => ''
	],
	'snort2c' => [
		'name' => 'snort2c',
		'type' => 'host',
		'descr' => 'Hosts blocked by IDS.',
		'address' => '',
		'detail' => ''
	],
	'virusprot' => [
		'name' => 'virusprot',
		'type' => 'host',
		'descr' => 'Hosts blocked by rule restrictions.',
		'address' => '',
		'detail' => ''
	],
	// network tables whose contents are derived during ruleset generation
	'vpn_networks' => [
		'name' => 'vpn_networks',
		'type' => 'network',
		'descr' => 'Networks for IPsec, OpenVPN, and PPPoE servers.',
		'address' => '',
		'detail' => ''
	],
	'negate_networks' => [
		'name' => 'negate_networks',
		'type' => 'network',
		'descr' => 'Networks to exclude from policy routing rules with any destination.',
		'address' => '',
		'detail' => ''
	],
	'tonatsubnets' => [
		'name' => 'tonatsubnets',
		'type' => 'network',
		'descr' => 'Networks handled by automatic outbound NAT.',
		'address' => '',
		'detail' => ''
	],
];
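/**
 * Register (or replace) a system-reserved alias table in $reserved_table_names.
 *
 * @param array $table  Entry with at least 'name' (plus 'type' and 'descr');
 *                      its 'address' and 'detail' fields are rebuilt here.
 * @param array $values Map of address (or nested alias name) => detail text.
 *
 * @return void An entry without a 'name' key is ignored; an existing entry
 *              with the same name is overwritten.
 */
function add_reserved_table(array $table, array $values): void {
	global $reserved_table_names;
	// 'name' doubles as the key in $reserved_table_names; without it the
	// entry could not be stored, so it is dropped rather than mis-keyed
	if (!array_key_exists('name', $table)) {
		return;
	}
	// addresses are space-separated, details '||'-separated, in parallel order
	$table['address'] = implode(' ', array_keys($values));
	$table['detail'] = implode('||', array_values($values));
	$reserved_table_names[$table['name']] = $table;
}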
/*
 * Built-in reserved network tables. Each family has a v4 and a v6 table plus
 * a '46' table that references the two by name, so the combined tables are
 * nested aliases rather than copies of the address lists.
 */
add_reserved_table(
	[
		'name' => '_loopback4_',
		'type' => 'network',
		'descr' => 'IPv4 loopback network.',
	],
	[
		'127.0.0.0/8' => 'Loopback', // RFC1122
	],
);
add_reserved_table(
	[
		'name' => '_loopback6_',
		'type' => 'network',
		'descr' => 'IPv6 loopback network.',
	],
	[
		'::1/128' => 'Loopback Address', // RFC4291
	],
);
add_reserved_table(
	[
		'name' => '_loopback46_',
		'type' => 'network',
		'descr' => 'IPv4 and IPv6 loopback networks.',
	],
	[
		'_loopback4_' => 'IPv4 Loopback',
		'_loopback6_' => 'IPv6 Loopback',
	],
);

add_reserved_table(
	[
		'name' => '_linklocal4_',
		'type' => 'network',
		'descr' => 'IPv4 link-local networks.',
	],
	[
		'169.254.0.0/16' => 'Link Local', // RFC3927
	],
);
add_reserved_table(
	[
		'name' => '_linklocal6_',
		'type' => 'network',
		'descr' => 'IPv6 link-local networks.',
	],
	[
		'fe80::/10' => 'Linked-Scoped Unicast', // RFC4291 (label spelling kept as-is; runtime string)
	],
);
add_reserved_table(
	[
		'name' => '_linklocal46_',
		'type' => 'network',
		'descr' => 'IPv4 and IPv6 link-local networks.',
	],
	[
		'_linklocal4_' => 'IPv4 link-local networks',
		'_linklocal6_' => 'IPv6 link-local networks',
	],
);

add_reserved_table(
	[
		'name' => '_private4_',
		'type' => 'network',
		'descr' => 'IPv4 private networks.',
	],
	[
		'10.0.0.0/8' => 'Private-Use', // RFC1918
		'172.16.0.0/12' => 'Private-Use', // RFC1918
		'192.168.0.0/16' => 'Private-Use', // RFC1918

	],
);
add_reserved_table(
	[
		'name' => '_private6_',
		'type' => 'network',
		'descr' => 'IPv6 private networks.',
	],
	[
		'fc00::/7' => 'Unique-Local', // RFC4193
	],
);
add_reserved_table(
	[
		'name' => '_private46_',
		'type' => 'network',
		'descr' => 'IPv4 and IPv6 private networks.',
	],
	[
		'_private4_' => 'IPv4 private networks',
		'_private6_' => 'IPv6 private networks',
	],
);

add_reserved_table(
	[
		'name' => '_multicast4_',
		'type' => 'network',
		'descr' => 'IPv4 multicast networks.',
	],
	[
		'224.0.0.0/4' => 'Multicast', // RFC5771
	],
);
add_reserved_table(
	[
		'name' => '_multicast6_',
		'type' => 'network',
		'descr' => 'IPv6 multicast networks.',
	],
	[
		'ff00::/8' => 'Multicast', // RFC4291
	],
);
add_reserved_table(
	[
		'name' => '_multicast46_',
		'type' => 'network',
		'descr' => 'IPv4 and IPv6 multicast networks.',
	],
	[
		'_multicast4_' => 'IPv4 multicast networks',
		'_multicast6_' => 'IPv6 multicast networks',
	],
);

/*
 * The '_reserved*_' tables are supersets of the tables above: they repeat the
 * loopback/link-local/private/multicast ranges and add the special-purpose
 * blocks, each annotated with its defining RFC.
 */
add_reserved_table(
	[
		'name' => '_reserved4_',
		'type' => 'network',
		'descr' => 'IPv4 networks reserved for local use.',
	],
	[
		'0.0.0.0/8' => 'This host on this network', // RFC1122
		'10.0.0.0/8' => 'Private-Use', // RFC1918
		'100.64.0.0/10' => 'Shared Address Space', // RFC6598
		'127.0.0.0/8' => 'Loopback', // RFC1122
		'169.254.0.0/16' => 'Link Local', // RFC3927
		'172.16.0.0/12' => 'Private-Use', // RFC1918
		'192.0.0.0/24' => 'IETF Protocol Assignments', // RFC6890
		'192.0.2.0/24' => 'Documentation (TEST-NET-1)', // RFC5737
		'192.88.99.0/24' => '6to4 Relay Anycast', // RFC3068
		'192.168.0.0/16' => 'Private-Use', // RFC1918
		'198.18.0.0/15' => 'Benchmarking', // RFC2544
		'198.51.100.0/24' => 'Documentation (TEST-NET-2)', // RFC5737
		'203.0.113.0/24' => 'Documentation (TEST-NET-3)', // RFC5737
		'224.0.0.0/4' => 'Multicast', // RFC5771
		'240.0.0.0/4' => 'Reserved', // RFC1112
		'255.255.255.255/32' => 'Limited Broadcast', // RFC0919
	]
);
add_reserved_table(
	[
		'name' => '_reserved6_',
		'type' => 'network',
		'descr' => 'IPv6 networks reserved for local use.',
	],
	[
		'::1/128' => 'Loopback Address', // RFC4291
		'::/128' => 'Unspecified Address', // RFC4291
		'::ffff:0:0/96' => 'IPv4-mapped Address', // RFC4291
		'64:ff9b::/96' => 'IPv4-IPv6 Translation', // RFC6052
		'64:ff9b:1::/48' => 'Local-Use IPv4/IPv6 Translation', // RFC8215
		'100::/64' => 'Discard-Only Address Block', // RFC6666
		'2001::/23' => 'IETF Protocol Assignments', // RFC2928
		'2001:2::/48' => 'Benchmarking', // RFC5180
		'2001:db8::/32' => 'Documentation', // RFC3849
		'2002::/16' => '6to4', // RFC3056
		'3fff::/20' => 'Documentation', // RFC9637
		'5f00::/16' => 'Segment Routing (SRv6) SIDs', // RFC9602
		'fc00::/7' => 'Unique-Local', // RFC4193
		'fe80::/10' => 'Linked-Scoped Unicast', // RFC4291
		'ff00::/8' => 'Multicast', // RFC4291
	]
);
add_reserved_table(
	[
		'name' => '_reserved46_',
		'type' => 'network',
		'descr' => 'IPv4 and IPv6 networks reserved for local use.',
	],
	[
		'_reserved4_' => 'IPv4 networks reserved for local use',
		'_reserved6_' => 'IPv6 networks reserved for local use',
	],
);
/* VLAN Prio values. */
/* short code => 802.1p priority number */
global $vlanprio_values;
$vlanprio_values = [
	'bk' => 0,
	'be' => 1,
	'ee' => 2,
	'ca' => 3,
	'vi' => 4,
	'vo' => 5,
	'ic' => 6,
	'nc' => 7,
];

/* short code => display label; same keys as $vlanprio_values */
global $vlanprio;
$vlanprio = [
	'bk' => 'Background (BK, 0)',
	'be' => 'Best Effort (BE, 1)',
	'ee' => 'Excellent Effort (EE, 2)',
	'ca' => 'Critical Applications (CA, 3)',
	'vi' => 'Video (VI, 4)',
	'vo' => 'Voice (VO, 5)',
	'ic' => 'Internetwork Control (IC, 6)',
	'nc' => 'Network Control (NC, 7)',
];

/* Log categories handled by syslog. */
global $system_log_files;
$system_log_files = [
	'system', 'filter', 'dhcpd', 'vpn', 'poes', 'l2tps', 'openvpn',
	'portalauth', 'ipsec', 'ppp', 'wireless', 'nginx', 'ntpd', 'gateways',
	'resolver', 'routing', 'auth'
];

/* Log files that exist outside of syslog. */
global $system_log_non_syslog_files;
$system_log_non_syslog_files = ['dmesg.boot', 'utx.log', 'userlog'];

/*
 * Log rotation compression choices: 'flag' is the single-letter option for
 * the rotation tool, 'cat' the command that streams the compressed file,
 * 'ext' the file suffix. 'none' disables compression.
 */
global $system_log_compression_types;
$system_log_compression_types = [
	'bzip2' => [
		'flag' => 'J',
		'cat' => '/usr/bin/bzcat -qf',
		'ext' => 'bz2',
	],
	'gzip' => [
		'flag' => 'Z',
		'cat' => '/usr/bin/zcat -qf',
		'ext' => 'gz',
	],
	'xz' => [
		'flag' => 'X',
		'cat' => '/usr/bin/xzcat -qf',
		'ext' => 'xz',
	],
	'zstd' => [
		'flag' => 'Y',
		'cat' => '/usr/bin/zstdcat -qqf',
		'ext' => 'zst',
	],
	'none' => [
		'flag' => '',
		'cat' => '/bin/cat',
		'ext' => '',
	],
];

/*
 * TSIG key algorithms offered for DHCP dynamic DNS updates.
 * hmac-md5 is retained as the 'legacy default' for existing setups; the
 * SHA-2 entries are the stronger choices for new ones.
 */
global $ddnsdomainkeyalgorithms;
$ddnsdomainkeyalgorithms = [
	'hmac-md5' => 'HMAC-MD5 (legacy default)',
	'hmac-sha1' => 'HMAC-SHA1',
	'hmac-sha224' => 'HMAC-SHA224',
	'hmac-sha256' => 'HMAC-SHA256 (current bind9 default)',
	'hmac-sha384' => 'HMAC-SHA384',
	'hmac-sha512' => 'HMAC-SHA512 (most secure)',
];

/* IPsec filter mode => description; keys match $ipsec_filter_sysctl. */
global $ipsec_filtermodes;
$ipsec_filtermodes = [
	'enc' => 'Filter IPsec Tunnel, Transport, and VTI on IPsec tab (enc0)',
	'if_ipsec' => 'Filter IPsec VTI and Transport on assigned interfaces, block all tunnel mode traffic',
];

/* Sysctl set applied for each IPsec filter mode. */
global $ipsec_filter_sysctl;
$ipsec_filter_sysctl = [
	'enc' => [
		'net.inet.ipsec.filtertunnel' => '0x0000',
		'net.inet6.ipsec6.filtertunnel' => '0x0000',
		'net.enc.out.ipsec_bpf_mask' => '0x0001',
		'net.enc.out.ipsec_filter_mask' => '0x0001',
		'net.enc.in.ipsec_bpf_mask' => '0x0002',
		'net.enc.in.ipsec_filter_mask' => '0x0002',
	],
	'if_ipsec' => [
		'net.inet.ipsec.filtertunnel' => '0x0001',
		'net.inet6.ipsec6.filtertunnel' => '0x0001',
		'net.enc.out.ipsec_bpf_mask' => '0x0000',
		'net.enc.out.ipsec_filter_mask' => '0x0000',
		'net.enc.in.ipsec_bpf_mask' => '0x0000',
		'net.enc.in.ipsec_filter_mask' => '0x0000',
	],
];

global $vpn_and_ppp_ifs;
$vpn_and_ppp_ifs = ['l2tp', 'pppoe', 'enc0', 'openvpn'];

/*
 * SSH host key types to manage. 'suffix' is presumably the key file name
 * prefix under $sshConfigDir — confirm against the key generation code.
 */
global $ssh_keys;
$ssh_keys = [
	['type' => 'rsa', 'suffix' => 'rsa_'],
	['type' => 'ed25519', 'suffix' => 'ed25519_'],
];

global $sshConfigDir;
$sshConfigDir = '/etc/ssh';

/* lagg(4) load-balance hash policy => display label */
global $lagg_hash_list;
$lagg_hash_list = [
	'l2,l3,l4' => 'Layer 2/3/4 (default)',
	'l2' => 'Layer 2 (MAC Address)',
	'l3' => 'Layer 3 (IP Address)',
	'l4' => 'Layer 4 (Port Number)',
	'l2,l3' => 'Layer 2/3 (MAC + IP)',
	'l3,l4' => 'Layer 3/4 (IP + Port)',
	'l2,l4' => 'Layer 2/4 (MAC + Port)',
];
/**
 * Check whether the global $g table has an entry for $key.
 *
 * @param string $key   The key to look up
 * @param bool   $isset When true, a key whose value is null counts as absent
 *
 * @return bool
 */
function g_has(string $key, bool $isset = false) : bool
{
	global $g;
	if (!array_key_exists($key, $g)) {
		return false;
	}
	// a present-but-null value only passes when the caller did not ask for isset()
	return !$isset || isset($g[$key]);
}
/**
 * Get the value stored in the global $g table for $key.
 *
 * @param string $key     The key
 * @param mixed  $default Returned when the key is absent or its value is null
 *
 * @return mixed
 */
function g_get(string $key, mixed $default = null) : mixed
{
	global $g;
	// g_has(..., true) treats a null value as a miss, so $default wins there too
	if (!g_has($key, true)) {
		return $default;
	}
	return $g[$key];
}
/**
 * Store $value in the global $g table under $key.
 *
 * @param string $key   The key
 * @param mixed  $value The value
 * @param bool   $force Replace an existing non-null value as well
 *
 * @return mixed The value now held for $key (via g_get(), so null stays null)
 */
function g_set(string $key, mixed $value, bool $force = false) : mixed
{
	global $g;
	// an existing non-null value is only replaced when $force is set
	$replace = $force || !g_has($key, true);
	if ($replace) {
		$g[$key] = $value;
	}
	return g_get($key);
}
/**
 * Remove $key from the global $g table; a missing key is a no-op.
 *
 * @param string $key The key
 *
 * @return void
 */
function g_unset(string $key) : void
{
	global $g;
	if (!g_has($key)) {
		return;
	}
	unset($g[$key]);
}
/**
 * Determine if the system is currently booting
 *
 * True when the 'booting' flag in $g is set, or when a 'booting' marker
 * file exists under varrun_path (presumably left by the boot scripts —
 * not visible from here).
 *
 * @return bool
 */
function is_platform_booting() : bool
{
	if (g_get('booting', false)) {
		return true;
	}
	return file_exists(g_get('varrun_path') . '/booting');
}
/**
 * Determine if PHP is executing in cli context
 *
 * Any one of three signals is accepted: the STDIN constant (defined by the
 * CLI SAPI), PHP_SAPI itself, or a SHELL variable in $_ENV.
 *
 * NOTE(review): the SHELL check is a heuristic. If a non-CLI SAPI is started
 * with SHELL in its environment and variables_order exposes it in $_ENV,
 * this returns true as well — confirm that is acceptable for callers that
 * gate on console context (see platform_booting()).
 *
 * @return bool
 */
function is_cli_sapi() : bool
{
	return defined('STDIN')
		|| PHP_SAPI === 'cli'
		|| array_key_exists('SHELL', $_ENV);
}
/**
 * Determine if the system is booting
 *
 * @deprecated Prefer the use of is_platform_booting
 *
 * @param bool $only_on_console Additionally require a cli execution context
 *
 * @return bool
 */
function platform_booting(bool $only_on_console = false) : bool
{
	if (!is_platform_booting()) {
		return false;
	}
	// console requirement only applies when asked for
	return !$only_on_console || is_cli_sapi();
}
/**
 * Check if a file can be included
 *
 * Resolves $filename either directly (absolute, or relative to the working
 * directory) or through include_path. Intended for fixed file names such as
 * the one used at the bottom of this file; the result is typically fed to
 * include_once, so do not pass caller-controlled values.
 *
 * @param string $filename
 *
 * @return bool
 */
function can_include(string $filename) : bool
{
	// direct hit: no need to walk include_path
	if (file_exists($filename)) {
		return true;
	}
	return (bool) stream_resolve_include_path($filename);
}
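/**
 * Get a list of known protocols
 *
 * @param string|null $type Filter the returned list based on the type:
 *   'portsonly'   - only protocols that carry port numbers
 *   'outboundnat' - everything except etherip, pim and ospf
 *   'portforward' - everything except etherip, carp and pfsync
 *   anything else (including null/'') - the full list
 *
 * @return array protocol key => display label, in declaration order
 */
function get_ipprotocols(?string $type = ''):array {
	$ipprotocols = [
		'any' => gettext('Any'),
		'tcp' => 'TCP',
		'udp' => 'UDP',
		'tcp/udp' => 'TCP/UDP',
		'icmp' => 'ICMP',
		'esp' => 'ESP',
		'ah' => 'AH',
		'gre' => 'GRE',
		'etherip' => 'EoIP',
		'ipv6' => 'IPV6',
		'igmp' => 'IGMP',
		'pim' => 'PIM',
		'ospf' => 'OSPF',
		'sctp' => 'SCTP',
		'carp' => 'CARP',
		'pfsync' => 'PFSYNC'
	];

	// Exclusions are keyed by protocol identifier rather than by display
	// label (the previous array_diff() matched the labels), so a translated
	// or renamed label cannot silently re-enable a filtered protocol.
	return match ($type) {
		'portsonly' => [
			'tcp' => 'TCP',
			'udp' => 'UDP',
			'tcp/udp' => 'TCP/UDP',
			'sctp' => 'SCTP'
		],
		'outboundnat' => array_diff_key($ipprotocols, array_flip(['etherip', 'pim', 'ospf'])),
		'portforward' => array_diff_key($ipprotocols, array_flip(['etherip', 'carp', 'pfsync'])),
		default => $ipprotocols,
	};
}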
// source pfSense Plus specific globals last
// (fixed file name resolved through include_path; never a caller-supplied path)
if (can_include('globals.plus.inc')) {
	include_once('globals.plus.inc');
}