Project

General

Profile

Download (13.8 KB) Statistics
| Branch: | Tag: | Revision:
1
<?php
2
/* $Id$ */
3
/*
4
	firewall_virtual_ip.php
5
	part of pfSense (https://www.pfsense.org/)
6

    
7
	Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>.
8
	Copyright (C) 2013-2015 Electric Sheep Fencing, LP
9
	All rights reserved.
10

    
11
	Includes code from m0n0wall which is:
12
	Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>.
13
	All rights reserved.
14

    
15
	Includes code from pfSense which is:
16
	Copyright (C) 2004-2005 Scott Ullrich <geekgod@pfsense.com>.
17
	All rights reserved.
18

    
19
	Redistribution and use in source and binary forms, with or without
20
	modification, are permitted provided that the following conditions are met:
21

    
22
	1. Redistributions of source code must retain the above copyright notice,
23
	   this list of conditions and the following disclaimer.
24

    
25
	2. Redistributions in binary form must reproduce the above copyright
26
	   notice, this list of conditions and the following disclaimer in the
27
	   documentation and/or other materials provided with the distribution.
28

    
29
	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
30
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
31
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
32
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
33
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
34
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
36
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
37
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
38
	POSSIBILITY OF SUCH DAMAGE.
39
*/
40
/*
41
	pfSense_BUILDER_BINARIES:	/sbin/ifconfig
42
	pfSense_MODULE:	interfaces
43
*/
44

    
45
##|+PRIV
46
##|*IDENT=page-firewall-virtualipaddresses
47
##|*NAME=Firewall: Virtual IP Addresses page
48
##|*DESCR=Allow access to the 'Firewall: Virtual IP Addresses' page.
49
##|*MATCH=firewall_virtual_ip.php*
50
##|-PRIV
51

    
52
require("guiconfig.inc");
53
require_once("functions.inc");
54
require_once("filter.inc");
55
require_once("shaper.inc");
56

    
57
if (!is_array($config['virtualip']['vip'])) {
58
	$config['virtualip']['vip'] = array();
59
}
60
$a_vip = &$config['virtualip']['vip'];
61

    
62
if ($_POST) {
63
	$pconfig = $_POST;
64

    
65
	if ($_POST['apply']) {
66
		$check_carp = false;
67
		if (file_exists("{$g['tmp_path']}/.firewall_virtual_ip.apply")) {
68
			$toapplylist = unserialize(file_get_contents("{$g['tmp_path']}/.firewall_virtual_ip.apply"));
69
			foreach ($toapplylist as $vid => $ovip) {
70
				if (!empty($ovip)) {
71
					interface_vip_bring_down($ovip);
72
				}
73
				if ($a_vip[$vid]) {
74
					switch ($a_vip[$vid]['mode']) {
75
						case "ipalias":
76
							interface_ipalias_configure($a_vip[$vid]);
77
							break;
78
						case "proxyarp":
79
							interface_proxyarp_configure($a_vip[$vid]['interface']);
80
							break;
81
						case "carp":
82
							$check_carp = true;
83
							interface_carp_configure($a_vip[$vid]);
84
							break;
85
						default:
86
							break;
87
					}
88
				}
89
			}
90
			@unlink("{$g['tmp_path']}/.firewall_virtual_ip.apply");
91
		}
92
		/* Before changing check #4633 */
93
		if ($check_carp === true && !get_carp_status()) {
94
			set_single_sysctl("net.inet.carp.allow", "1");
95
		}
96

    
97
		$retval = 0;
98
		$retval |= filter_configure();
99
		$savemsg = get_std_save_message($retval);
100

    
101
		clear_subsystem_dirty('vip');
102
	}
103
}
104

    
105
if ($_GET['act'] == "del") {
106
	if ($a_vip[$_GET['id']]) {
107
		/* make sure no inbound NAT mappings reference this entry */
108
		if (is_array($config['nat']['rule'])) {
109
			foreach ($config['nat']['rule'] as $rule) {
110
				if($rule['destination']['address'] <> "") {
111
					if ($rule['destination']['address'] == $a_vip[$_GET['id']]['subnet']) {
112
						$input_errors[] = gettext("This entry cannot be deleted because it is still referenced by at least one NAT mapping.");
113
						break;
114
					}
115
				}
116
			}
117
		}
118

    
119
		/* make sure no OpenVPN server or client references this entry */
120
		$openvpn_types_a = array("openvpn-server" => gettext("server"), "openvpn-client" => gettext("client"));
121
		foreach ($openvpn_types_a as $openvpn_type => $openvpn_type_text) {
122
			if (is_array($config['openvpn'][$openvpn_type])) {
123
				foreach ($config['openvpn'][$openvpn_type] as $openvpn) {
124
					if ($openvpn['ipaddr'] <> "") {
125
						if ($openvpn['ipaddr'] == $a_vip[$_GET['id']]['subnet']) {
126
							if (strlen($openvpn['description'])) {
127
								$openvpn_desc = $openvpn['description'];
128
							} else {
129
								$openvpn_desc = $openvpn['ipaddr'] . ":" . $openvpn['local_port'];
130
							}
131
							$input_errors[] = sprintf(gettext("This entry cannot be deleted because it is still referenced by OpenVPN %s %s."), $openvpn_type_text, $openvpn_desc);
132
							break;
133
						}
134
					}
135
				}
136
			}
137
		}
138

    
139
		if (is_ipaddrv6($a_vip[$_GET['id']]['subnet'])) {
140
			$is_ipv6 = true;
141
			$subnet = gen_subnetv6($a_vip[$_GET['id']]['subnet'], $a_vip[$_GET['id']]['subnet_bits']);
142
			$if_subnet_bits = get_interface_subnetv6($a_vip[$_GET['id']]['interface']);
143
			$if_subnet = gen_subnetv6(get_interface_ipv6($a_vip[$_GET['id']]['interface']), $if_subnet_bits);
144
		} else {
145
			$is_ipv6 = false;
146
			$subnet = gen_subnet($a_vip[$_GET['id']]['subnet'], $a_vip[$_GET['id']]['subnet_bits']);
147
			$if_subnet_bits = get_interface_subnet($a_vip[$_GET['id']]['interface']);
148
			$if_subnet = gen_subnet(get_interface_ip($a_vip[$_GET['id']]['interface']), $if_subnet_bits);
149
		}
150

    
151
		$subnet .= "/" . $a_vip[$_GET['id']]['subnet_bits'];
152
		$if_subnet .= "/" . $if_subnet_bits;
153

    
154
		if (is_array($config['gateways']['gateway_item'])) {
155
			foreach($config['gateways']['gateway_item'] as $gateway) {
156
				if ($a_vip[$_GET['id']]['interface'] != $gateway['interface']) {
157
					continue;
158
				}
159
				if ($is_ipv6 && $gateway['ipprotocol'] == 'inet') {
160
					continue;
161
				}
162
				if (!$is_ipv6 && $gateway['ipprotocol'] == 'inet6') {
163
					continue;
164
				}
165
				if (ip_in_subnet($gateway['gateway'], $if_subnet)) {
166
					continue;
167
				}
168

    
169
				if (ip_in_subnet($gateway['gateway'], $subnet)) {
170
					$input_errors[] = gettext("This entry cannot be deleted because it is still referenced by at least one Gateway.");
171
					break;
172
				}
173
			}
174
		}
175

    
176
		if ($a_vip[$_GET['id']]['mode'] == "ipalias") {
177
			$subnet = gen_subnet($a_vip[$_GET['id']]['subnet'], $a_vip[$_GET['id']]['subnet_bits']) . "/" . $a_vip[$_GET['id']]['subnet_bits'];
178
			$found_if = false;
179
			$found_carp = false;
180
			$found_other_alias = false;
181

    
182
			if ($subnet == $if_subnet) {
183
				$found_if = true;
184
			}
185

    
186
			$vipiface = $a_vip[$_GET['id']]['interface'];
187
			foreach ($a_vip as $vip_id => $vip) {
188
				if ($vip_id == $_GET['id']) {
189
					continue;
190
				}
191

    
192
				if ($vip['interface'] == $vipiface && ip_in_subnet($vip['subnet'], $subnet)) {
193
					if ($vip['mode'] == "carp") {
194
						$found_carp = true;
195
					} else if ($vip['mode'] == "ipalias") {
196
						$found_other_alias = true;
197
					}
198
				}
199
			}
200

    
201
			if ($found_carp === true && $found_other_alias === false && $found_if === false) {
202
				$input_errors[] = gettext("This entry cannot be deleted because it is still referenced by a CARP IP with the description") . " {$vip['descr']}.";
203
			}
204
		} else if ($a_vip[$_GET['id']]['mode'] == "carp") {
205
			$vipiface = "{$a_vip[$_GET['id']]['interface']}_vip{$a_vip[$_GET['id']]['vhid']}";
206
			foreach ($a_vip as $vip) {
207
				if ($vipiface == $vip['interface'] && $vip['mode'] == "ipalias") {
208
					$input_errors[] = gettext("This entry cannot be deleted because it is still referenced by an IP alias entry with the description") . " {$vip['descr']}.";
209
				}
210
			}
211
		}
212

    
213
		if (!$input_errors) {
214
			if (!session_id()) {
215
				session_start();
216
			}
217
			$user = getUserEntry($_SESSION['Username']);
218
			if (is_array($user) && userHasPrivilege($user, "user-config-readonly")) {
219
				header("Location: firewall_virtual_ip.php");
220
				exit;
221
			}
222
			session_commit();
223

    
224
			// Special case since every proxyarp vip is handled by the same daemon.
225
			if ($a_vip[$_GET['id']]['mode'] == "proxyarp") {
226
				$viface = $a_vip[$_GET['id']]['interface'];
227
				unset($a_vip[$_GET['id']]);
228
				interface_proxyarp_configure($viface);
229
			} else {
230
				interface_vip_bring_down($a_vip[$_GET['id']]);
231
				unset($a_vip[$_GET['id']]);
232
			}
233
			if (count($config['virtualip']['vip']) == 0) {
234
				unset($config['virtualip']['vip']);
235
			}
236
			write_config();
237
			header("Location: firewall_virtual_ip.php");
238
			exit;
239
		}
240
	}
241
} else if ($_GET['changes'] == "mods" && is_numericint($_GET['id'])) {
242
	$id = $_GET['id'];
243
}
244

    
245
$pgtitle = array(gettext("Firewall"),gettext("Virtual IP Addresses"));
246
include("head.inc");
247

    
248
?>
249
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
250
<?php include("fbegin.inc"); ?>
251
<form action="firewall_virtual_ip.php" method="post">
252
<?php
253
	if ($input_errors) {
254
		print_input_errors($input_errors);
255
	} else if ($savemsg) {
256
		print_info_box($savemsg);
257
	} else if (is_subsystem_dirty('vip')) {
258
		print_info_box_np(gettext("The VIP configuration has been changed.")."<br />".gettext("You must apply the changes in order for them to take effect."));
259
	}
260
?>
261
<br />
262
<table width="100%" border="0" cellpadding="0" cellspacing="0" summary="virtual ip">
263
	<tr><td class="tabnavtbl">
264
	<?php
265
		/* active tabs */
266
		$tab_array = array();
267
		$tab_array[] = array(gettext("Virtual IPs"), true, "firewall_virtual_ip.php");
268
		$tab_array[] = array(gettext("CARP Settings"), false, "system_hasync.php");
269
		display_top_tabs($tab_array);
270
	?>
271
	</td></tr>
272
	<tr>
273
		<td><input type="hidden" id="id" name="id" value="<?php echo htmlspecialchars($id); ?>" /></td>
274
	</tr>
275
	<tr>
276
		<td>
277
			<div id="mainarea">
278
				<table class="tabcont sortable" width="100%" border="0" cellpadding="0" cellspacing="0" summary="main area">
279
					<tr>
280
						<td width="30%" class="listhdrr"><?=gettext("Virtual IP address");?></td>
281
						<td width="10%" class="listhdrr"><?=gettext("Interface");?></td>
282
						<td width="10%" class="listhdrr"><?=gettext("Type");?></td>
283
						<td width="40%" class="listhdr"><?=gettext("Description");?></td>
284
						<td width="10%" class="list">
285
							<table border="0" cellspacing="0" cellpadding="1" summary="edit">
286
								<tr>
287
									<td width="17"></td>
288
									<td valign="middle"><a href="firewall_virtual_ip_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0" alt="edit" /></a></td>
289
								</tr>
290
							</table>
291
						</td>
292
					</tr>
293
					<?php
294
						$interfaces = get_configured_interface_with_descr(false, true);
295
						$carplist = get_configured_carp_interface_list();
296
						foreach ($carplist as $cif => $carpip) {
297
							$interfaces[$cif] = $carpip." (".get_vip_descr($carpip).")";
298
						}
299
						$interfaces['lo0'] = "Localhost";
300
						$i = 0;
301
						foreach ($a_vip as $vipent):
302
							if($vipent['subnet'] <> "" or $vipent['range'] <> "" or $vipent['subnet_bits'] <> "" or (isset($vipent['range']['from']) && $vipent['range']['from'] <> "")):
303
					?>
304
					<tr>
305
						<td class="listlr" ondblclick="document.location='firewall_virtual_ip_edit.php?id=<?=$i;?>';">
306
						<?php
307
							if (($vipent['type'] == "single") || ($vipent['type'] == "network")) {
308
								if($vipent['subnet_bits']) {
309
									echo "{$vipent['subnet']}/{$vipent['subnet_bits']}";
310
								}
311
							}
312
							if ($vipent['type'] == "range") {
313
								echo "{$vipent['range']['from']}-{$vipent['range']['to']}";
314
							}
315
							if($vipent['mode'] == "carp") {
316
								echo " (vhid {$vipent['vhid']})";
317
							}
318
						?>
319
						</td>
320
						<td class="listr" ondblclick="document.location='firewall_virtual_ip_edit.php?id=<?=$i;?>';">
321
							<?=htmlspecialchars($interfaces[$vipent['interface']]);?>&nbsp;
322
						</td>
323
						<td class="listr" align="center" ondblclick="document.location='firewall_virtual_ip_edit.php?id=<?=$i;?>';">
324
							<?php if($vipent['mode'] == "proxyarp") echo "<img src='./themes/".$g['theme']."/images/icons/icon_parp.gif' title='Proxy ARP' alt='proxy arp' />"; elseif($vipent['mode'] == "carp") echo "<img src='./themes/".$g['theme']."/images/icons/icon_carp.gif' title='CARP' alt='carp' />"; elseif($vipent['mode'] == "other") echo "<img src='./themes/".$g['theme']."/images/icons/icon_other.gif' title='Other' alt='other' />"; elseif($vipent['mode'] == "ipalias") echo "<img src='./themes/".$g['theme']."/images/icons/icon_ifalias.gif' title='IP Alias' alt='ip alias' />";?>
325
						</td>
326
						<td class="listbg" ondblclick="document.location='firewall_virtual_ip_edit.php?id=<?=$i;?>';">
327
							<?=htmlspecialchars($vipent['descr']);?>&nbsp;
328
						</td>
329
						<td class="list nowrap">
330
							<table border="0" cellspacing="0" cellpadding="1" summary="icons">
331
								<tr>
332
									<td valign="middle"><a href="firewall_virtual_ip_edit.php?id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0" alt="edit" /></a></td>
333
									<td valign="middle"><a href="firewall_virtual_ip.php?act=del&amp;id=<?=$i;?>" onclick="return confirm('<?=gettext('Do you really want to delete this entry?');?>')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" alt="delete" /></a></td>
334
								</tr>
335
							</table>
336
						</td>
337
					</tr>
338
					<?php
339
							endif;
340
							$i++;
341
						endforeach;
342
					?>
343
				<tfoot>
344
					<tr>
345
						<td class="list" colspan="4"></td>
346
						<td class="list">
347
							<table border="0" cellspacing="0" cellpadding="1" summary="edit">
348
								<tr>
349
									<td width="17"></td>
350
									<td valign="middle"><a href="firewall_virtual_ip_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0" alt="edit" /></a></td>
351
								</tr>
352
							</table>
353
						</td>
354
					</tr>
355
					<tr>
356
						<td colspan="5">
357
							<p>
358
								<span class="vexpl"><span class="red"><strong><?=gettext("Note:");?><br /></strong></span>
359
								<?=gettext("The virtual IP addresses defined on this page may be used in");?><a href="firewall_nat.php"> <?=gettext("NAT"); ?> </a><?=gettext("mappings.");?><br />
360
								<?=gettext("You can check the status of your CARP Virtual IPs and interfaces ");?><a href="carp_status.php"><?=gettext("here");?></a>.</span>
361
							</p>
362
						</td>
363
					</tr>
364
				</tfoot>
365
				</table>
366
			</div><!-- div:mainarea -->
367
		</td>
368
	</tr>
369
</table>
370
</form>
371
<?php include("fend.inc"); ?>
372
</body>
373
</html>
(80-80/252)