pfSense

<?php

/*

 * guiconfig.inc

 *

 * part of pfSense (https://www.pfsense.org)

 * Copyright (c) 2004-2016 Rubicon Communications, LLC (Netgate)

 * All rights reserved.

 *

 * originally based on m0n0wall (http://m0n0.ch/wall)

 * Copyright (c) 2003-2004 Manuel Kasper <mk@neon1.net>.

 * All rights reserved.

 *

 * Redistribution and use in source and binary forms, with or without

 * modification, are permitted provided that the following conditions are met:

 *

 * 1. Redistributions of source code must retain the above copyright notice,

 *    this list of conditions and the following disclaimer.

 *

 * 2. Redistributions in binary form must reproduce the above copyright

 *    notice, this list of conditions and the following disclaimer in

 *    the documentation and/or other materials provided with the

 *    distribution.

 *

 * 3. All advertising materials mentioning features or use of this software

 *    must display the following acknowledgment:

 *    "This product includes software developed by the pfSense Project

 *    for use in the pfSense® software distribution. (http://www.pfsense.org/).

 *

 * 4. The names "pfSense" and "pfSense Project" must not be used to

 *    endorse or promote products derived from this software without

 *    prior written permission. For written permission, please contact

 *    coreteam@pfsense.org.

 *

 * 5. Products derived from this software may not be called "pfSense"

 *    nor may "pfSense" appear in their names without prior written

 *    permission of the Electric Sheep Fencing, LLC.

 *

 * 6. Redistributions of any form whatsoever must retain the following

 *    acknowledgment:

 *

 * "This product includes software developed by the pfSense Project

 * for use in the pfSense software distribution (http://www.pfsense.org/).

 *

 * THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY

 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR

 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

 * OF THE POSSIBILITY OF SUCH DAMAGE.

 */

/* Include authentication routines */

/* THIS MUST BE ABOVE ALL OTHER CODE */

if (!$nocsrf) {

	function csrf_startup() {

		global $config;

		csrf_conf('rewrite-js', '/csrf/csrf-magic.js');

		$timeout_minutes = isset($config['system']['webgui']['session_timeout']) ? $config['system']['webgui']['session_timeout'] : 240;

		csrf_conf('expires', $timeout_minutes * 60);

	}

	require_once("csrf/csrf-magic.php");

}

/* make sure nothing is cached */

if (!$omit_nocacheheaders) {

	header("Expires: 0");

	header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");

	header("Cache-Control: no-cache, no-store, must-revalidate");

	header("Pragma: no-cache");

}

header("X-Frame-Options: SAMEORIGIN");

require_once("authgui.inc");

/* parse the configuration and include all configuration functions */

require_once("functions.inc");

/* Include the autoloader for all the GUI display classes */

require_once("classes/autoload.inc.php");

/* used by progress bar */

$lastseen = "-1";

$navlevelsep = ": ";	/* navigation level separator string */

$mandfldhtml = "";		/* display this before mandatory input fields */

$mandfldhtmlspc = "";	/* same as above, but with spacing */

if (!function_exists('set_language')) {

	require_once("pfsense-utils.inc");

}

set_language();

/* Some ajax scripts still need access to GUI */

if (!$ignorefirmwarelock) {

	if (is_subsystem_dirty('firmwarelock')) {

		if (!$d_isfwfile) {

			header("Location: system_update.php");

			exit;

		} else {

			return;

		}

	}

}

/* Reserved table names to avoid collision */

$reserved_table_names = array(

	"bogons",

	"bogonsv6",

	"negate_networks",

	"snort2c",

	"sshlockout",

	"tonatsubnets",

	"virusprot",

	"vpn_networks",

	"webConfiguratorlockout"

);

$firewall_rules_dscp_types = array(

	"af11",

	"af12",

	"af13",

	"af21",

	"af22",

	"af23",

	"af31",

	"af32",

	"af33",

	"af41",

	"af42",

	"af43",

	"VA",

	"EF",

	"cs1",

	"cs2",

	"cs3",

	"cs4",

	"cs5",

	"cs6",

	"cs7",

	"0x01",

	"0x02",

	"0x04");

$auth_server_types = array(

	'ldap' => "LDAP",

	'radius' => "RADIUS");

$ldap_urltypes = array(

	'TCP - Standard' => 389,

	'TCP - STARTTLS' => 389,

	'SSL - Encrypted' => 636);

$ldap_scopes = array(

	'one' => gettext("One Level"),

	'subtree' => gettext("Entire Subtree"));

$ldap_protvers = array(

	2,

	3);

$ldap_templates = array(

	'open' => array(

		'desc' => "OpenLDAP",

		'attr_user' => "cn",

		'attr_group' => "cn",

		'attr_member' => "member"),

	'msad' => array(

		'desc' => "Microsoft AD",

		'attr_user' => "samAccountName",

		'attr_group' => "cn",

		'attr_member' => "memberOf"),

	'edir' => array(

		'desc' => "Novell eDirectory",

		'attr_user' => "cn",

		'attr_group' => "cn",

		'attr_member' => "uniqueMember"));

$radius_srvcs = array(

	'both' => gettext("Authentication and Accounting"),

	'auth' => gettext("Authentication"),

	'acct' => gettext("Accounting"));

$netbios_nodetypes = array(

	'0' => "none",

	'1' => "b-node",

	'2' => "p-node",

	'4' => "m-node",

	'8' => "h-node");

/* some well known ports */

$wkports = array(

	5999 => "CVSup",

	53 => "DNS",

	21 => "FTP",

	3000 => "HBCI",

	80 => "HTTP",

	443 => "HTTPS",

	5190 => "ICQ",

	113 => "IDENT/AUTH",

	143 => "IMAP",

	993 => "IMAP/S",

	4500 => "IPsec NAT-T",

	500 => "ISAKMP",

	1701 => "L2TP",

	389 => "LDAP",

	1755 => "MMS/TCP",

	7000 => "MMS/UDP",

	445 => "MS DS",

	3389 => "MS RDP",

	1512 => "MS WINS",

	1863 => "MSN",

	119 => "NNTP",

	123 => "NTP",

	138 => "NetBIOS-DGM",

	137 => "NetBIOS-NS",

	139 => "NetBIOS-SSN",

	1194 => "OpenVPN",

	110 => "POP3",

	995 => "POP3/S",

	1723 => "PPTP",

	1812 => "RADIUS",

	1813 => "RADIUS accounting",

	5004 => "RTP",

	5060 => "SIP",

	25 => "SMTP",

	465 => "SMTP/S",

	161 => "SNMP",

	162 => "SNMP-Trap",

	22 => "SSH",

	3478 => "STUN",

	587 => "SUBMISSION",

	3544 => "Teredo",

	23 => "Telnet",

	69 => "TFTP",

	5900 => "VNC");

/* TCP flags */

$tcpflags = array("fin", "syn", "rst", "psh", "ack", "urg", "ece", "cwr");

$specialnets = array(

	"(self)" => gettext("This Firewall"),

	"pppoe" => gettext("PPPoE clients"),

	"l2tp" => gettext("L2TP clients"));

$spiflist = get_configured_interface_with_descr(false, true);

foreach ($spiflist as $ifgui => $ifdesc) {

	$specialnets[$ifgui] = $ifdesc . " net";

	$specialnets[$ifgui . 'ip'] = $ifdesc . " address";

}

$medias = array(

	"auto" => gettext("autoselect"),

	"100full" => gettext("100BASE-TX full-duplex"),

	"100half" => gettext("100BASE-TX half-duplex"),

	"10full" => gettext("10BASE-T full-duplex"),

	"10half" => gettext("10BASE-T half-duplex"));

$wlan_modes = array(

	"bss" => gettext("Infrastructure (BSS)"),

	"adhoc" => gettext("Ad-hoc (IBSS)"),

	"hostap" => gettext("Access Point"));

function do_input_validation($postdata, $reqdfields, $reqdfieldsn, &$input_errors) {

	/* check for bad control characters */

	foreach ($postdata as $pn => $pd) {

		if (is_string($pd) && preg_match("/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f]/", $pd)) {

			$input_errors[] = sprintf(gettext("The field %s contains invalid characters."), $pn);

		}

	}

	for ($i = 0; $i < count($reqdfields); $i++) {

		if ($postdata[$reqdfields[$i]] == "") {

			$input_errors[] = sprintf(gettext("The field %s is required."), $reqdfieldsn[$i]);

		}

	}

}

function print_input_errors($input_errors) {

	echo '<div class="alert alert-danger input-errors">';

	echo '<p>' . gettext('The following input errors were detected:') . '</p>';

	echo '<ul>';

	foreach ($input_errors as $ierr) {

		echo '<li>' . htmlspecialchars($ierr) . '</li>';

	}

	echo '</ul>';

	echo '</div>';

}

function verify_gzip_file($fname) {

	$returnvar = mwexec("/usr/bin/gzip -t " . escapeshellarg($fname));

	if ($returnvar != 0) {

		return 0;

	} else {

		return 1;

	}

}

// print_info_box() has been updated so that any required button is explicitly created, rather than relying on the detection of certain

// strings in the message (such as "apply"). print_info_box_np() has been exterminated.

// $class = the bootstrap style class (default, info, warning, success, danger)

// $btnname and btntext describe the optional button and its display text, the default is an 'x' Close button.

// Note that there is also a shortcut function print_apply_box here that creates a standard "apply" box for you.

// In many cases just substitute that for print_info_box_np() to easily get a warning style "Apply changes" box.

function print_info_box($msg, $class="alert-warning", $btnname = "close", $btntext = "", $btnicon = "", $btnclass = "default") {

	if (strpos($class, "alert-") !== 0) {

		$class = 'alert-' . $class;

	}

	$msg = '<div class="pull-left">' . $msg . '</div>';

	if ($btnname === "close") {

		$msg = '<button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>' . $msg;

	} else if ($btnname != "") {

		if (empty($btntext)) {

			$btntext = $btnname;

		}

		if (!empty($btnicon)) {

			$btnicon = '<i class="fa ' . $btnicon . ' icon-embed-btn"></i>';

		}

		$msg .= '<form method="post" class="pull-right"><button type="submit" class="btn btn-' . $btnclass . '" name="'. $btnname . '" value="' . $btntext . '">' . $btnicon . $btntext . '</button>';

		if ($_POST['if']) {

			$msg .= "<input type=\"hidden\" name=\"if\" value=\"" . htmlspecialchars($_POST['if']) . "\" />";

		}

		$msg .= '</form>';

	}

	echo '<div class="alert ' . $class . ' clearfix" role="alert">' . $msg . '</div>';

}

function print_apply_box($msg) {

	print_info_box($msg, "warning", "apply", gettext("Apply Changes"), 'fa-check', 'success');

}

/*

 * Print Bootstrap callout

 *

 * @param string $msg     message to display

 * @param string $class   contextual class, defaults to info (default | danger | warning | info)

 * @param string $heading optional callout heading

 */

function print_callout($msg, $class = 'info', $heading = '') {

	if ('' == $msg) {

		return;

	}

	$class = strtolower($class);

	$callout = '';

	if ($class != 'default' && $class != 'danger' && $class != 'warning' && $class != 'info') {

		$class = 'info';

	}

	$callout .= '<div class="bs-callout bs-callout-' . $class . '">';

	if ('' != $heading) {

		$callout .= '<h4>' . $heading . '</h4>';

	}

	$callout .= $msg . '</div>';

	echo $callout;

}

function get_std_save_message($ok) {

	$filter_related = false;

	$filter_pages = array("nat", "filter");

	$to_return = gettext("The changes have been applied successfully.");

	foreach ($filter_pages as $fp) {

		if (stristr($_SERVER['SCRIPT_FILENAME'], $fp)) {

			$filter_related = true;

		}

	}

	if ($filter_related) {

		$to_return .= "<br />" . gettext("<a href=\"status_filter_reload.php\">Monitor</a> the filter reload progress.");

	}

	return $to_return;

}

function pprint_address($adr) {

	global $specialnets;

	if (isset($adr['any'])) {

		$padr = "*";

	} else if ($adr['network']) {

		$padr = $specialnets[$adr['network']];

	} else {

		$padr = $adr['address'];

	}

	if (isset($adr['not'])) {

		$padr = "! " . $padr;

	}

	return $padr;

}

function pprint_port($port) {

	global $wkports;

	$pport = "";

	if (!$port) {

		return "*";

	} else {

		$srcport = explode("-", $port);

		if ((!$srcport[1]) || ($srcport[0] == $srcport[1])) {

			$pport = $srcport[0];

			if ($wkports[$srcport[0]]) {

				$pport .= " (" . $wkports[$srcport[0]] . ")";

			}

		} else {

			$pport .= $srcport[0] . " - " . $srcport[1];

		}

	}

	return $pport;

}

function insert_word_breaks_in_domain_name($domain_name) {

	return str_replace('.', '<wbr>.', $domain_name);

}

function firewall_check_for_advanced_options(&$item) {

	$item_set = "";

	if ($item['os']) {

			$item_set .= "os {$item['os']} ";

	}

	if ($item['dscp']) {

		$item_set .= "dscp {$item['dscp']} ";

	}

	if ($item['max']) {

		$item_set .= "max {$item['max']} ";

	}

	if ($item['max-src-nodes']) {

		$item_set .= "max-src-nodes {$item['max-src-nodes']} ";

	}

	if ($item['max-src-conn']) {

		$item_set .= "max-src-conn {$item['max-src-conn']} ";

	}

	if ($item['max-src-states']) {

		$item_set .= "max-src-states {$item['max-src-states']} ";

	}

	if (isset($item['nopfsync'])) {

		$item_set .= "nopfsync ";

	}

	if ($item['statetype'] != "keep state" && $item['statetype'] != "") {

		$item_set .= "statetype {$item['statetype']} ";

	}

	if ($item['statetimeout']) {

		$item_set .= "statetimeout {$item['statetimeout']} ";

	}

	if (isset($item['nosync'])) {

		$item_set .= "no XMLRPC Sync ";

	}

	if ($item['max-src-conn-rate']) {

		$item_set .= "max-src-conn-rate {$item['max-src-conn-rate']} ";

	}

	if ($item['max-src-conn-rates']) {

		$item_set .= "max-src-conn-rates {$item['max-src-conn-rates']} ";

	}

	if ($item['vlanprio']) {

		$item_set .= "vlanprio {$item['vlanprio']} ";

	}

	if ($item['vlanprioset']) {

		$item_set .= "vlanprioset {$item['vlanprioset']} ";

	}

	if ($item['gateway']) {

		$item_set .= "gateway {$item['gateway']} ";

	}

	if ($item['dnpipe']) {

		$item_set .= "limiter {$item['dnpipe']} ";

	}

	if ($item['pdnpipe']) {

		$item_set .= "limiter {$item['pdnpipe']} ";

	}

	if ($item['ackqueue']) {

		$item_set .= "ackqueue {$item['ackqueue']} ";

	}

	if ($item['defaultqueue']) {

		$item_set .= "defaultqueue {$item['defaultqueue']} ";

	}

	if ($item['tag']) {

		$item_set .= "tag {$item['tag']} ";

	}

	if ($item['tagged']) {

		$item_set .= "tagged {$item['tagged']} ";

	}

	if (isset($item['allowopts'])) {

		$item_set .= "allowopts ";

	}

	if (isset($item['disablereplyto'])) {

		$item_set .= "disable reply-to ";

	}

	if ($item['tcpflags_any'] || $item['tcpflags1'] || $item['tcpflags2']) {

		$item_set .= "tcpflags set";

	}

	return $item_set;

}

function gentitle($title) {

	global $navlevelsep;

	if (!is_array($title)) {

		return $title;

	} else {

		return join($navlevelsep, $title);

	}

}

function genhtmltitle($title, $links=true) {

	$num_crumbs = count($title);

	// If the array contains only one element, there are no breadcrumbs, so don't

	// add anything else

	if ($num_crumbs > 1) {

		$bc = '<ol class="breadcrumb">';

		if (!is_array($links)) {

			$gen_default = ($links === true);

			$links = array_fill(0, $num_crumbs, '');

			// If no links passed, then default to a link to self on the last entry.

			if ($gen_default) {

				$links[$num_crumbs-1] = '@self';

			}

		}

		foreach ($title as $idx => $el) {

			$href = $links[$idx];

			if (strlen($href) > 0) {

				// For convenience, if the caller specifies '@self' then make a link

				// to the current page, including any query string.

				if ($href == '@self') {

					$href = $_SERVER['REQUEST_URI'];

				}

				if (substr($href, 0, 1) != '/') {

					$href = '/' . $href;

				}

				$bc .= '<li><a href="' . htmlentities($href) . '">' . $el . '</a></li>';

			} else {

				$bc .= '<li>' . $el . '</li>';

			}

		}

		$bc .= '</ol>';

	} else {

		$bc = "";

	}

	return $bc;

}

/* update the changedesc and changecount(er) variables */

function update_changedesc($update) {

	global $changedesc;

	global $changecount;

	$changedesc .= " {$update}";

	$changecount++;

}

// This version of dump_clog() does not output <td></td> or any other table elements.

function dump_clog_no_table($logfile, $tail, $withorig = true, $grepfor = "", $grepinvert = "") {

	global $g, $config;

	$sor = isset($config['syslog']['reverse']) ? "-r" : "";

	$specific_log = basename($logfile, '.log') . '_settings';

	if ($config['syslog'][$specific_log]['cronorder'] == 'forward') $sor = "";

	if ($config['syslog'][$specific_log]['cronorder'] == 'reverse') $sor = "-r";

	$logarr = array();

	$grepline = "  ";

	if (is_array($grepfor)) {

		$invert = '';

		if ((strpos($grepfor[0], '!') === 0)) {

			$grepfor[0] = substr($grepfor[0], 1);

			$invert = '-v';

		}

		$grepline .= " | /usr/bin/egrep {$invert} " . escapeshellarg(implode("|", $grepfor));

	}

	if (is_array($grepinvert)) {

		$grepline .= " | /usr/bin/egrep -v " . escapeshellarg(implode("|", $grepinvert));

	}

	if (is_dir($logfile)) {

		$logarr = array(sprintf(gettext("File %s is a directory."), $logfile));

	} elseif (file_exists($logfile) && filesize($logfile) == 0) {

		$logarr = array(gettext("Log file started."));

	} else {

		if ($config['system']['disablesyslogclog']) {

			exec("cat " . escapeshellarg($logfile) . "{$grepline} | /usr/bin/tail {$sor} -n " . escapeshellarg($tail), $logarr);

		} else {

			exec("/usr/local/sbin/clog " . escapeshellarg($logfile) . "{$grepline}| grep -v \"CLOG\" | grep -v \"\033\" | /usr/bin/tail {$sor} -n " . escapeshellarg($tail), $logarr);

		}

	}

	echo "\n";

	$rows = 0;

	foreach ($logarr as $logent) {

		$rows++;

		$logent = preg_split("/\s+/", $logent, 6);

		if ($withorig) {

				$entry_date_time = htmlspecialchars(join(" ", array_slice($logent, 0, 3)));

				$entry_text = ($logent[3] ==  $config['system']['hostname']) ? "" : $logent[3] . " ";

				$entry_text .= htmlspecialchars($logent[4] . " " . $logent[5]);

				echo "{$entry_date_time}";

				echo " " . "{$entry_text}"	. "\n";

		} else {

				echo htmlspecialchars($logent[5]) . "\n";

		}

	}

	return($rows);

}

function dump_clog($logfile, $tail, $withorig = true, $grepfor = "", $grepinvert = "") {

	global $g, $config;

	$sor = isset($config['syslog']['reverse']) ? "-r" : "";

	$specific_log = basename($logfile, '.log') . '_settings';

	if ($config['syslog'][$specific_log]['cronorder'] == 'forward') $sor = "";

	if ($config['syslog'][$specific_log]['cronorder'] == 'reverse') $sor = "-r";

	$logarr = array();

	$grepline = "  ";

	if (is_array($grepfor)) {

		$invert = '';

		if ((strpos($grepfor[0], '!') === 0)) {

			$grepfor[0] = substr($grepfor[0], 1);

			$invert = '-v';

		}

		$grepline .= " | /usr/bin/egrep {$invert} " . escapeshellarg(implode("|", $grepfor));

	}

	if (is_array($grepinvert)) {

		$grepline .= " | /usr/bin/egrep -v " . escapeshellarg(implode("|", $grepinvert));

	}

	if (is_dir($logfile)) {

		$logarr = array(sprintf(gettext("File %s is a directory."), $logfile));

	} elseif (file_exists($logfile) && filesize($logfile) == 0) {

		$logarr = array(gettext("Log file started."));

	} else {

		if ($config['system']['disablesyslogclog']) {

			exec("cat " . escapeshellarg($logfile) . "{$grepline} | /usr/bin/tail {$sor} -n " . escapeshellarg($tail), $logarr);

		} else {

			exec("/usr/local/sbin/clog " . escapeshellarg($logfile) . "{$grepline}| grep -v \"CLOG\" | grep -v \"\033\" | /usr/bin/tail {$sor} -n " . escapeshellarg($tail), $logarr);

		}

	}

	$rows = 0;

	foreach ($logarr as $logent) {

		$rows++;

		$logent = preg_split("/\s+/", $logent, 6);

		echo "<tr>\n";

		if ($withorig) {

			$entry_date_time = htmlspecialchars(join(" ", array_slice($logent, 0, 3)));

			$entry_text = ($logent[3] == $config['system']['hostname']) ? "" : $logent[3] . " ";

			$entry_text .= htmlspecialchars($logent[4] . " " . $logent[5]);

			echo "<td class=\"text-nowrap\">{$entry_date_time}</td>\n";

			echo "<td style=\"word-wrap:break-word; word-break:break-all; white-space:normal\">{$entry_text}</td>\n";

		} else {

				echo "<td>" . htmlspecialchars($logent[5]) . "</td>\n";

		}

		echo "</tr>\n";

	}

	return($rows);

}

function return_clog($logfile, $tail, $withorig = true, $grepfor = "", $grepinvert = "", $grepreverse = false) {

	global $g, $config;

	$sor = (isset($config['syslog']['reverse']) || $grepreverse) ? "-r" : "";

	$specific_log = basename($logfile, '.log') . '_settings';

	if (($config['syslog'][$specific_log]['cronorder'] == 'forward') && !$grepreverse) $sor = "";

	if (($config['syslog'][$specific_log]['cronorder'] == 'reverse') ||  $grepreverse) $sor = "-r";

	$logarr = array();

	$grepline = "  ";

	if (is_array($grepfor)) {

		$grepline .= " | /usr/bin/egrep " . escapeshellarg(implode("|", $grepfor));

	}

	if (is_array($grepinvert)) {

		$grepline .= " | /usr/bin/egrep -v " . escapeshellarg(implode("|", $grepinvert));

	}

	if ($config['system']['disablesyslogclog']) {

		exec("cat " . escapeshellarg($logfile) . "{$grepline} | /usr/bin/tail {$sor} -n " . escapeshellarg($tail), $logarr);

	} else {

		exec("/usr/local/sbin/clog " . escapeshellarg($logfile) . "{$grepline}| grep -v \"CLOG\" | grep -v \"\033\" | /usr/bin/tail {$sor} -n " . escapeshellarg($tail), $logarr);

	}

	return($logarr);

}

/* Check if variable has changed, update and log if it has

 * returns true if var changed

 * varname = variable name in plain text

 * orig = original value

 * new = new value

 */

function update_if_changed($varname, & $orig, $new) {

	if (is_array($orig) && is_array($new)) {

		$a_diff = array_diff($orig, $new);

		foreach ($a_diff as $diff) {

			update_changedesc("removed {$varname}: \"{$diff}\"");

		}

		$a_diff = array_diff($new, $orig);

		foreach ($a_diff as $diff) {

			update_changedesc("added {$varname}: \"{$diff}\"");

		}

		$orig = $new;

		return true;

	} else {

		if ($orig != $new) {

			update_changedesc("{$varname}: \"{$orig}\" -> \"{$new}\"");

			$orig = $new;

			return true;

		}

	}

	return false;

}

function address_to_pconfig($adr, &$padr, &$pmask, &$pnot, &$pbeginport, &$pendport) {

	if (isset($adr['any'])) {

		$padr = "any";

	} else if ($adr['network']) {

		$padr = $adr['network'];

	} else if ($adr['address']) {

		list($padr, $pmask) = explode("/", $adr['address']);

		if (!$pmask) {

			if (is_ipaddrv6($padr)) {

				$pmask = 128;

			} else {

				$pmask = 32;

			}

		}

	}

	if (isset($adr['not'])) {

		$pnot = 1;

	} else {

		$pnot = 0;

	}

	if ($adr['port']) {

		list($pbeginport, $pendport) = explode("-", $adr['port']);

		if (!$pendport) {

			$pendport = $pbeginport;

		}

	} else if (!is_alias($pbeginport) && !is_alias($pendport)) {

		$pbeginport = "any";

		$pendport = "any";

	}

}

function pconfig_to_address(&$adr, $padr, $pmask, $pnot = false, $pbeginport = 0, $pendport = 0) {

	$adr = array();

	if ($padr == "any") {

		$adr['any'] = true;

	} else if (is_specialnet($padr)) {

		$adr['network'] = $padr;

	} else {

		$adr['address'] = $padr;

		if (is_ipaddrv6($padr)) {

			if ($pmask != 128) {

				$adr['address'] .= "/" . $pmask;

			}

		} else {

			if ($pmask != 32) {

				$adr['address'] .= "/" . $pmask;

			}

		}

	}

	if ($pnot) {

		$adr['not'] = true;

	} else {

		unset($adr['not']);

	}

	if (($pbeginport != 0) && ($pbeginport != "any")) {

		if ($pbeginport != $pendport) {

			$adr['port'] = $pbeginport . "-" . $pendport;

		} else {

			$adr['port'] = $pbeginport;