diff --git a/Doxyfile b/Doxyfile
index 2c34dda..b94568d 100644
--- a/Doxyfile
+++ b/Doxyfile
@@ -1,11 +1,11 @@
-# Doxyfile 1.8.20
+# Doxyfile 1.9.1
 #---------------------------------------------------------------------------
 # Project related configuration options
 #---------------------------------------------------------------------------
 DOXYFILE_ENCODING = UTF-8
 PROJECT_NAME = "PF Rule Editor"
-PROJECT_NUMBER = 6.8
+PROJECT_NUMBER = 6.9
 PROJECT_BRIEF =
 PROJECT_LOGO =
 OUTPUT_DIRECTORY = ./docs
@@ -15,9 +15,9 @@ OUTPUT_LANGUAGE = English
 OUTPUT_TEXT_DIRECTION = None
 BRIEF_MEMBER_DESC = YES
 REPEAT_BRIEF = YES
-ABBREVIATE_BRIEF = "The $name class " \
- "The $name widget " \
- "The $name file " \
+ABBREVIATE_BRIEF = "The $name class" \
+ "The $name widget" \
+ "The $name file" \
 is \
 provides \
 specifies \
@@ -73,6 +73,7 @@ EXTRACT_STATIC = NO
 EXTRACT_LOCAL_CLASSES = YES
 EXTRACT_LOCAL_METHODS = NO
 EXTRACT_ANON_NSPACES = NO
+RESOLVE_UNNAMED_PARAMS = YES
 HIDE_UNDOC_MEMBERS = NO
 HIDE_UNDOC_CLASSES = NO
 HIDE_FRIEND_COMPOUNDS = NO
@@ -154,7 +155,6 @@ VERBATIM_HEADERS = YES
 # Configuration options related to the alphabetical class index
 #---------------------------------------------------------------------------
 ALPHABETICAL_INDEX = YES
-COLS_IN_ALPHA_INDEX = 5
 IGNORE_PREFIX =
 #---------------------------------------------------------------------------
 # Configuration options related to the HTML output
@@ -318,6 +318,8 @@ COLLABORATION_GRAPH = YES
 GROUP_GRAPHS = YES
 UML_LOOK = NO
 UML_LIMIT_NUM_FIELDS = 10
+DOT_UML_DETAILS = NO
+DOT_WRAP_THRESHOLD = 17
 TEMPLATE_RELATIONS = NO
 INCLUDE_GRAPH = YES
 INCLUDED_BY_GRAPH = YES
diff --git a/README.md b/README.md
index 19410d8..7116ebe 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ Using PFRE, you can develop rules from scratch or modify existing ones: A couple of notes about the requirements, design decisions, and implementation of PFRE: -- PFRE does not provide any wizards nor tries to simplify rule development by hiding details. On the contrary, it enables the user by providing as much relevant detail as possible. +- PFRE does not provide any wizards nor even try to simplify rule development by hiding details. On the contrary, it enables the user by providing as much relevant detail as possible. - PFRE aims to generate text ruleset output as close to what a system administrator would produce as possible: + PFRE tries to be true to the original rule file loaded: PFRE does not insert any extra lines into its output, such as PFRE specific marks or rule generation dates (you cannot tell if its output is generated by PFRE or not). + You can insert blank lines between rules: Blank lines are of a separate rule type. @@ -50,8 +50,8 @@ A couple of notes about the requirements, design decisions, and implementation o Here are the basic steps to obtain a working PFRE installation: -- Install OpenBSD 6.8, perhaps on a VM. -- Install PHP 7.4.10, php-pcntl, and php-cgi. +- Install OpenBSD 6.9, perhaps on a VM. +- Install PHP 8.0.3, php-pcntl, and php-cgi. - Copy the files in PFRE src folder to /var/www/htdocs/pfre/. - Configure httpd.conf for PFRE. - Create admin and user users, and set their passwords. @@ -66,7 +66,7 @@ The OpenBSD installation guide is at [faq4](http://www.openbsd.org/faq/faq4.html Here are a couple of guidelines: -- You can download install68.iso available at OpenBSD mirrors. +- You can download install69.iso available at OpenBSD mirrors. - It may be easier to install a PFRE test system on a VM of your choice, e.g. VMware or VirtualBox, rather than bare hardware. - 512MB RAM and 8GB HD should be more than enough. - If you want to obtain a packet filtering firewall, make sure the VM has at least 2 ethernet interfaces: 
@@ -91,18 +91,18 @@ Set the $PKG\_PATH env variable to the cache folder you have just created: Download the required packages from an OpenBSD mirror and copy them to $PKG\_PATH. The following is the list of files you should have under $PKG\_PATH: argon2-20190702.tgz - bzip2-1.0.8.tgz + bzip2-1.0.8p0.tgz femail-1.0p1.tgz femail-chroot-1.0p3.tgz - gettext-runtime-0.21.tgz + gettext-runtime-0.21p1.tgz libiconv-1.16p0.tgz libsodium-1.0.18p1.tgz libxml-2.9.10p2.tgz - oniguruma-6.9.5pl1p0.tgz - pcre2-10.35.tgz - php-7.4.10.tgz - php-cgi-7.4.10.tgz - php-pcntl-7.4.10.tgz + oniguruma-6.9.6.tgz + pcre2-10.36.tgz + php-8.0.3.tgz + php-cgi-8.0.3.tgz + php-pcntl-8.0.3.tgz xz-5.2.5.tgz Install PHP, php-pcntl, and php-cgi by running the following commands, which should install their dependencies as well: 
@@ -118,18 +118,18 @@ If you want to see if all required packages are installed successfully, run the Here is the expected output of that command: argon2-20190702 C implementation of Argon2 - password hashing function - bzip2-1.0.8 block-sorting file compressor, unencumbered + bzip2-1.0.8p0 block-sorting file compressor, unencumbered femail-1.0p1 simple SMTP client femail-chroot-1.0p3 simple SMTP client for chrooted web servers - gettext-runtime-0.21 GNU gettext runtime libraries and programs + gettext-runtime-0.21p1 GNU gettext runtime libraries and programs libiconv-1.16p0 character set conversion library libsodium-1.0.18p1 library for network communications and cryptography libxml-2.9.10p2 XML parsing library - oniguruma-6.9.5pl1p0 regular expressions library - pcre2-10.35 perl-compatible regular expression library, version 2 - php-7.4.10 server-side HTML-embedded scripting language - php-cgi-7.4.10 php CGI binary - php-pcntl-7.4.10 PCNTL extensions for php + oniguruma-6.9.6 regular expressions library + pcre2-10.36 perl-compatible regular expression library, version 2 + php-8.0.3 server-side HTML-embedded scripting language + php-cgi-8.0.3 php CGI binary + php-pcntl-8.0.3 PCNTL extensions for php xz-5.2.5 LZMA compression and decompression tools ### Install PFRE 
@@ -208,15 +208,22 @@ However, you are advised to pick a better password than soner123. Go to /usr/local/bin/ and create a link to php executable: # cd /usr/local/bin - # ln -s php-7.4 php + # ln -s php-8.0 php -Edit the /etc/php-7.4.ini file to disable NOTICE messages, otherwise they may disturb pfctl test reports: +Edit the /etc/php-8.0.ini file to disable NOTICE messages and write error messages to syslog, otherwise they may disturb pfctl test reports: error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT & ~E_NOTICE + ignore_repeated_errors = On + ignore_repeated_source = On + error_log = syslog -To enable pcntl, go to /etc/php-7.4/ and create the pcntl.ini file: +Also, edit the /etc/php-fpm.conf file to write error messages to syslog: - # cd /etc/php-7.4/ + error_log = syslog + +To enable pcntl, go to /etc/php-8.0/ and create the pcntl.ini file: + + # cd /etc/php-8.0/ # touch pcntl.ini And add the following line to pcntl.ini: @@ -255,9 +262,9 @@ If you want the web server to be started automatically after a reboot, first cop Then add the following lines to it: - if [ -x /usr/local/sbin/php-fpm-7.4 ]; then + if [ -x /usr/local/sbin/php-fpm-8.0 ]; then echo 'PHP CGI server' - /usr/local/sbin/php-fpm-7.4 + /usr/local/sbin/php-fpm-8.0 fi Create the rc.conf.local file under /etc/ @@ -282,7 +289,7 @@ And uncomment the line which enables forwarding of IPv4 packets: Now you can either reboot the system or start the php cgi server and the web server manually using the following commands: - # /usr/local/sbin/php-fpm-7.4 + # /usr/local/sbin/php-fpm-8.0 # /usr/sbin/httpd Finally, if you point your web browser to the IP address of PFRE, you should see the login page. And you should be able to log in by entering admin:soner123 as user and password. diff --git a/src/Controller/sh.php b/src/Controller/sh.php index 9592ce5..7ef6db1 100755 --- a/src/Controller/sh.php +++ b/src/Controller/sh.php 
@@ -22,19 +22,19 @@ /** @file * Login shell for users. * - * We set login shells of admin and user users to sh.php. + * We set the login shells of admin and user users to sh.php. * - * Using a shell script to pass args to Controller commands would expand - * those args, hence might cause security issues. + * Using a shell script to pass args to the Controller commands would expand + * those args, hence could cause security issues. * - * Now instead we make sure args are never expanded and users cannot drop to a - * command shell: + * Now instead we make sure the args are never expanded and the users cannot + * drop to a command shell: * - use sh.php as login shell - * - pass all args to it as an ssh command (-c option) without any shell - * expansion + * - pass all args to it as an ssh command (the -c option of phpseclib channel + * exec), without any shell expansion * - validate all args within sh.php - * - convert them to a string enclosed between single quotes (so no expansion - * again) + * - convert them to a string enclosed between single quotes, so no expansion + * again * - exec ctlr.php passing the args string to it * * @todo Continually check for security issues. diff --git a/src/View/lib/libauth.php b/src/View/lib/libauth.php index b340c53..f154d1e 100644 --- a/src/View/lib/libauth.php +++ b/src/View/lib/libauth.php @@ -73,7 +73,8 @@ function wui_syslog($prio, $file, $func, $line, $msg) openlog('wui', LOG_PID, LOG_LOCAL0); if ($prio <= $LOG_LEVEL) { - $useratip= $_SESSION['USER'].'@'.filter_input(INPUT_SERVER, 'REMOTE_ADDR'); + $user= array_key_exists('USER', $_SESSION) ? $_SESSION['USER'] : 'NA'; + $useratip= $user.'@'.filter_input(INPUT_SERVER, 'REMOTE_ADDR'); $func= $func == '' ? 'NA' : $func; $log= "$LOG_PRIOS[$prio] $useratip $file: $func ($line): $msg"; if (!syslog($prio, $log)) { diff --git a/src/View/locale/tr_TR/LC_MESSAGES/pfre.po b/src/View/locale/tr_TR/LC_MESSAGES/pfre.po index edf29b5..40d6542 100644 
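Review bot: The rewritten bullet about the `-c option` attributes it to "phpseclib channel exec", but phpseclib only sends the SSH exec request; as far as I know it is sshd that then runs the account's login shell, here sh.php, as `sh.php -c '<command>'`, and that invocation is what keeps the args out of a real shell. Since the comment is the design record for the no-expansion guarantee, it should name the component that actually enforces it, e.g. `- pass all args to it as an ssh command; sshd hands them to the login shell via -c, so no shell expansion happens before sh.php sees them`. The doc comment block is closed outside the hunk.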
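Review bot: The added `array_key_exists('USER', $_SESSION)` guard only covers a missing key, not a missing `$_SESSION` superglobal; under the PHP 8.0 target this commit documents in README.md, passing null as the array argument throws a TypeError rather than returning false, so if wui_syslog can be reached before a session has been started the logger itself would abort instead of emitting the record. A null-coalescing lookup handles both cases in one line: `$user= $_SESSION['USER'] ?? 'NA';`. wui_syslog's signature is the hunk trailer and its body continues outside the hunk.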
--- a/src/View/locale/tr_TR/LC_MESSAGES/pfre.po
+++ b/src/View/locale/tr_TR/LC_MESSAGES/pfre.po
@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: PFRE 6.8\n"
+"Project-Id-Version: PFRE 6.9\n"
 "Last-Translator: Soner Tari \n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
diff --git a/src/View/locale/tr_TR/LC_MESSAGES/pfre_CONTROL.po b/src/View/locale/tr_TR/LC_MESSAGES/pfre_CONTROL.po
index a8ffe91..91721bd 100644
--- a/src/View/locale/tr_TR/LC_MESSAGES/pfre_CONTROL.po
+++ b/src/View/locale/tr_TR/LC_MESSAGES/pfre_CONTROL.po
@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: PFRE 6.8\n"
+"Project-Id-Version: PFRE 6.9\n"
 "Last-Translator: Soner Tari \n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
diff --git a/src/View/locale/tr_TR/LC_MESSAGES/pfre_HELPBOX.po b/src/View/locale/tr_TR/LC_MESSAGES/pfre_HELPBOX.po
index 4fb6791..210df6b 100644
--- a/src/View/locale/tr_TR/LC_MESSAGES/pfre_HELPBOX.po
+++ b/src/View/locale/tr_TR/LC_MESSAGES/pfre_HELPBOX.po
@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: PFRE 6.8\n"
+"Project-Id-Version: PFRE 6.9\n"
 "Last-Translator: Soner Tari \n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
diff --git a/src/View/locale/tr_TR/LC_MESSAGES/pfre_MENU.po b/src/View/locale/tr_TR/LC_MESSAGES/pfre_MENU.po
index 1d64eee..131e3c3 100644
--- a/src/View/locale/tr_TR/LC_MESSAGES/pfre_MENU.po
+++ b/src/View/locale/tr_TR/LC_MESSAGES/pfre_MENU.po
@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: PFRE 6.8\n"
+"Project-Id-Version: PFRE 6.9\n"
 "Last-Translator: Soner Tari \n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
diff --git a/src/View/locale/tr_TR/LC_MESSAGES/pfre_NOTICE.po b/src/View/locale/tr_TR/LC_MESSAGES/pfre_NOTICE.po
index 5820c87..9d60acb 100644
--- a/src/View/locale/tr_TR/LC_MESSAGES/pfre_NOTICE.po
+++ b/src/View/locale/tr_TR/LC_MESSAGES/pfre_NOTICE.po
@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: PFRE 6.8\n"
+"Project-Id-Version: PFRE 6.9\n"
 "Last-Translator: Soner Tari \n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
diff --git a/src/View/locale/tr_TR/LC_MESSAGES/pfre_TITLE.po b/src/View/locale/tr_TR/LC_MESSAGES/pfre_TITLE.po
index 2c8091b..83ba60d 100644
--- a/src/View/locale/tr_TR/LC_MESSAGES/pfre_TITLE.po
+++ b/src/View/locale/tr_TR/LC_MESSAGES/pfre_TITLE.po
@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: PFRE 6.8\n"
+"Project-Id-Version: PFRE 6.9\n"
 "Last-Translator: Soner Tari \n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
diff --git a/src/View/locale/tr_TR/LC_MESSAGES/pfre__.po b/src/View/locale/tr_TR/LC_MESSAGES/pfre__.po
index 7a102c6..afccb56 100644
--- a/src/View/locale/tr_TR/LC_MESSAGES/pfre__.po
+++ b/src/View/locale/tr_TR/LC_MESSAGES/pfre__.po
@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: PFRE 6.8\n"
+"Project-Id-Version: PFRE 6.9\n"
 "Last-Translator: Soner Tari \n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
diff --git a/src/View/pf/pf.conf.html b/src/View/pf/pf.conf.html
index 64b1efc..b1d8b7f 100644
--- a/src/View/pf/pf.conf.html
+++ b/src/View/pf/pf.conf.html
@@ -815,11 +815,12 @@ route-to The route-to option routes the packet to the specified - interface with an optional address for the next hop. When a - route-to rule creates state, only packets that pass in the same - direction as the filter rule specifies will be routed in this - way. Packets passing in the opposite direction (replies) are - not affected and are routed normally. + destination address instead of the destination address in the + packet header. When a route-to rule creates state, only + packets that pass in the same direction as the filter rule + specifies will be routed in this way. Packets passing in the + opposite direction (replies) are not affected and are routed + normally. For the dup-to, reply-to, and route-to route options for which there is a single redirection address which has a subnet mask smaller than 32 for @@ -1591,6 +1592,7 @@ modulate state. Rules with synproxy state will not work if pf(4) operates on a bridge(4). + Also they act on incoming SYN packets only. Example: @@ -2187,8 +2189,7 @@ interface-list = [ "!" ] ( interface-name | interface-group ) [ [ "," ] interface-list ] route = ( "route-to" | "reply-to" | "dup-to" ) - ( routehost | "{" routehost-list "}" ) - [ pooltype ] + ( redirhost | "{" redirhost-list "}" ) af = "inet" | "inet6" protospec = "proto" ( proto-name | proto-number | @@ -2207,14 +2208,11 @@ address [ "/" mask-bits ] [ "weight" number ] | "<" string ">" ) redirhost = address [ "/" mask-bits ] - routehost = host | host "@" interface-name | - "(" interface-name [ address [ "/" mask-bits ] ] ")" address = ( interface-name | interface-group | "(" ( interface-name | interface-group ) ")" | hostname | ipv4-dotted-quad | ipv6-coloned-hex ) host-list = host [ [ "," ] host-list ] redirhost-list = redirhost [ [ "," ] redirhost-list ] - routehost-list = routehost [ [ "," ] routehost-list ] port = "port" ( unary-op | binary-op | "{" op-list "}" ) portspec = "port" ( number | name ) [ ":" ( "*" | number | name ) ] 
@@ -2286,7 +2284,7 @@ HISTORY The pf.conf file format first appeared in OpenBSD 3.0. -OpenBSD 6.8 February 10, 2020 OpenBSD 6.8 +OpenBSD 6.9 February 1, 2021 OpenBSD 6.9 diff --git a/src/create_po.sh b/src/create_po.sh index 0d70d4b..23b1268 100755 --- a/src/create_po.sh +++ b/src/create_po.sh @@ -81,7 +81,7 @@ if ! xgettext -L "PHP" -s \ --copyright-holder="Soner Tari, The PFRE project" \ --msgid-bugs-address="sonertari@gmail.com" \ --package-name="PFRE" \ - --package-version="6.8" \ + --package-version="6.9" \ -j -o $LOCALE_FILE \ -f files.txt; then echo "FAILED generating $LOCALE_FILE" diff --git a/src/lib/defs.php b/src/lib/defs.php index f43a752..fe76745 100644 --- a/src/lib/defs.php +++ b/src/lib/defs.php @@ -23,7 +23,7 @@ */ /// Project version. -define('VERSION', '6.8'); +define('VERSION', '6.9'); $ROOT= dirname(dirname(dirname(__FILE__))); $SRC_ROOT= dirname(dirname(__FILE__));