'/cf/conf/acb/', 'event_address' => 'unix:///var/run/check_reload_status', 'factory_shipped_username' => 'admin', 'factory_shipped_password' => 'pfsense', 'upload_path' => '/root', 'dhcpd_chroot_path' => '/var/dhcpd', 'unbound_chroot_path' => '/var/unbound', 'var_path' => '/var', 'varrun_path' => '/var/run', 'varetc_path' => '/var/etc', 'vardb_path' => '/var/db', 'varlog_path' => '/var/log', 'etc_path' => '/etc', 'tmp_path' => '/tmp', 'tmp_path_user_code' => '/tmp/user_code', 'conf_path' => '/conf', 'conf_default_path' => '/conf.default', 'cf_path' => '/cf', 'cf_conf_path' => '/cf/conf', 'www_path' => '/usr/local/www', 'xml_rootobj' => 'pfsense', 'admin_group' => 'admins', 'product_name' => 'pfSense', 'product_label' => 'pfSense', 'product_label_html' => 'Netgate pfSense^®', 'product_version' => $product_version, 'product_copyright_years' => '2004 - ' . $present_year, 'disablehelpmenu' => false, 'disablehelpicon' => false, 'disablecrashreporter' => false, 'debug' => false, 'latest_config' => '23.3', 'minimum_ram_warning' => '101', 'minimum_ram_warning_text' => '128 MB', 'wan_interface_name' => 'wan', 'captiveportal_path' => '/usr/local/captiveportal', 'captiveportal_element_path' => '/var/db/cpelements', 'captiveportal_element_sizelimit' => 1048576, 'captiveportal_rules_interval' => 50, 'services_dhcp_server_enable' => true, 'wireless_regex' => '/^(ath|athp|bwi|bwn|ipw|iwi|iwlwifi|iwm|iwn|malo|mwl|ral|rsu|rtwn|rum|run|uath|upgt|ural|urtw|urtwn|wi|wpi|wtap|zyd)[0-9]+/', 'help_base_url' => '/help.php', 'pkg_prefix' => 'pfSense-pkg-', 'default_timezone' => 'Etc/UTC', 'language' => 'en_US', 'default_config_backup_count' => 30, 'default_cert_expiredays' => 27, 'default_log_entries' => 500, 'default_log_size' => 512000, 'minimumtableentries_bogonsv6' => 400000, 'alternativemetaports' => ['vmware', 'php72', 'php73', 'php74'], 'backuppath' => [ 'captiveportal' => '/var/db/captiveportal*.db', 'dhcpd' => '{/var/dhcpd/var/db/dhcpd.leases,/var/lib/kea/dhcp4.leases}', 'dhcpdv6' => '{/var/dhcpd/var/db/dhcpd6.leases,/var/lib/kea/dhcp6.leases}', 'voucher' => '/var/db/voucher_*.db' ], 'cp_prefix' => 'cpzoneid', 'booting' => false ]; /* IP TOS flags */ global $iptos; $iptos = ['lowdelay', 'throughput', 'reliability']; /* TCP flags */ global $tcpflags; $tcpflags = ['syn', 'ack', 'fin', 'rst', 'psh', 'urg', 'ece', 'cwr']; if (file_exists($version_patch_file)) { $g['product_version_patch'] = rtrim(file_get_contents($version_patch_file)); } else { $g['product_version_patch'] = '0'; } $g['product_version_string'] = g_get('product_version'); if (is_numeric(g_get('product_version_patch')) && g_get('product_version_patch') != '0') { $g['product_version_string'] .= '-p'. g_get('product_version_patch'); } $flavor_file = g_get('etc_path') . '/default-config-flavor'; if (file_exists($flavor_file)) { $flavor_array = file($flavor_file); $g['default-config-flavor'] = chop($flavor_array[0]); } else { $g['default-config-flavor'] = ''; } $g['openvpn_base'] = g_get('varetc_path') . '/openvpn'; $g['pkg_repos_path'] = '/usr/local/etc/' . $g['product_name'] . '/pkg/repos'; /* Default sysctls */ global $sysctls; $sysctls = [ 'net.inet.ip.portrange.first' => '1024', 'net.inet.tcp.blackhole' => '2', 'net.inet.udp.blackhole' => '1', 'net.inet.ip.random_id' => '1', 'net.inet.tcp.drop_synfin' => '1', 'net.inet.ip.redirect' => '1', 'net.inet6.ip6.redirect' => '1', 'net.inet6.ip6.use_tempaddr' => '0', 'net.inet6.ip6.prefer_tempaddr' => '0', 'net.inet.tcp.syncookies' => '1', 'net.inet.tcp.recvspace' => '65228', 'net.inet.tcp.sendspace' => '65228', 'net.inet.tcp.delayed_ack' => '0', 'net.inet.udp.maxdgram' => '57344', 'net.link.bridge.pfil_onlyip' => '0', 'net.link.bridge.pfil_member' => '1', 'net.link.bridge.pfil_bridge' => '0', 'net.link.tap.user_open' => '1', 'net.link.vlan.mtag_pcp' => '1', 'kern.randompid' => '347', 'net.inet.ip.intr_queue_maxlen' => '1000', 'hw.syscons.kbd_reboot' => '0', 'net.inet.tcp.log_debug' => '0', 'net.inet.tcp.tso' => '1', 'net.inet.icmp.icmplim' => '0', 'vfs.read_max' => '32', 'kern.ipc.maxsockbuf' => '4262144', 'net.inet.ip.process_options' => 0, 'kern.random.harvest.mask' => '351', 'net.route.netisr_maxqlen' => 1024, 'net.inet.udp.checksum' => 1, 'net.inet.icmp.reply_from_interface' => 1, 'net.inet6.ip6.rfc6204w3' => 1, 'net.key.preferred_oldsa' => '0', 'net.inet.carp.senderr_demotion_factor' => 0, /* Do not demote CARP for interface send errors */ 'net.pfsync.carp_demotion_factor' => 0, /* Do not demote CARP for pfsync errors */ 'net.raw.recvspace' => 65536, 'net.raw.sendspace' => 65536, 'net.inet.raw.recvspace' => 131072, 'net.inet.raw.maxdgram' => 131072, 'kern.corefile' => '/root/%N.core' /* Write all core files to /root/ so they do not consume space on other slices */ ]; $machine_type = php_uname('m'); if (($machine_type == 'arm') || ($machine_type == 'arm64')) { $sysctls['kern.shutdown.secure_halt'] = 1; } /* Read all XML files in following dir and load menu entries */ $g['ext_menu_path'] = '/usr/local/share/'. g_get('product_name') . '/menu'; /* Cache file used to store pfSense version */ $g['version_cache_file'] = g_get('varrun_path') . '/' . g_get('product_name') . '_version'; $g['version_cache_refresh'] = 7200; /* 2h */ if (file_exists(g_get('cf_conf_path') . '/enableserial_force')) { $g['enableserial_force'] = true; } global $config_parsed; $config_parsed = false; /* Factory default check IP service. */ global $factory_default_checkipservice; $factory_default_checkipservice = [ 'enable' => true, 'name' => 'Default', 'url' => 'http://checkip.dyndns.org', 'descr' => 'Default Check IP Service', ]; global $dyndns_split_domain_types; $dyndns_split_domain_types = [ 'cloudflare', 'cloudflare-v6', 'cloudns', "digitalocean", "digitalocean-v6", "gandi-livedns", "gandi-livedns-v6", 'godaddy', 'godaddy-v6', 'gratisdns', 'linode', 'linode-v6', "mythicbeasts", "mythicbeasts-v6", 'namecheap', "name.com", "name.com-v6", "onecom", "onecom-v6", 'porkbun', 'porkbun-v6', "yandex", "yandex-v6", ]; // pf tokens from FreeBSD source /sbin/pfctl/parse.y global $pf_reserved_keywords; $pf_reserved_keywords = [ // Original tokens 'all', 'allow-opts', 'altq', 'anchor', 'antispoof', 'any', 'bandwidth', 'binat', 'binat-anchor', 'bitmask', 'block', 'block-policy', 'buckets', 'cbq', 'code', 'codelq', 'crop', 'debug', 'divert-reply', 'divert-to', 'dnpipe', 'dnqueue', 'drop', 'drop-ovl', 'dup-to', 'ether', 'fail-policy', 'fairq', 'fastroute', 'file', 'fingerprints', 'flags', 'floating', 'flush', 'for', 'fragment', 'from', 'global', 'group', 'hfsc', 'hogs', 'hostid', 'icmp-type', 'icmp6-type', 'if-bound', 'in', 'include', 'inet', 'inet6', 'interval', 'keep', 'keepcounters', 'l3', 'label', 'limit', 'linkshare', 'load', 'log', 'loginterface', 'map-e-portset', 'match', 'max', 'max-mss', 'max-src-conn', 'max-src-conn-rate', 'max-src-nodes', 'max-src-states', 'min-ttl', 'modulate', 'nat', 'nat-anchor', 'no', 'no-df', 'no-route', 'no-sync', 'on', 'optimization', 'os', 'out', 'overload', 'pass', 'port', 'prio', 'priority', 'priq', 'probability', 'proto', 'qlimit', 'queue', 'quick', 'random', 'random-id', 'rdr', 'rdr-anchor', 'realtime', 'reassemble', 'reply-to', 'require-order', 'return', 'return-icmp', 'return-icmp6', 'return-rst', 'ridentifier', 'round-robin', 'route', 'route-to', 'rtable', 'rule', 'ruleset-optimization', 'scrub', 'set', 'set-tos', 'skip', 'sloppy', 'source-hash', 'source-track', 'state', 'state-defaults', 'state-policy', 'static-port', 'sticky-address', 'syncookies', 'synproxy', 'table', 'tag', 'tagged', 'target', 'tbrsize', 'timeout', 'to', 'tos', 'ttl', 'upperlimit', 'urpf-failed', 'user', // Original tokens in fuzzy format 'allowopts', 'binatanchor', 'blockpolicy', 'divertreply', 'divertto', 'duptoicmptype', 'icmp6type', 'ifboundmaxmss', 'maxsrcconn', 'maxsrcconnrate', 'maxsrcnodes', 'maxsrcstates', 'minttl', 'natanchornodf', 'noroute', 'nosync', 'randomidrdranchor', 'replyto', 'requireorderreturnicmp', 'returnicmp6', 'returnrstroundrobinrouteto', 'ruleset_optimization', 'settos', 'sourcehash', 'sourcetrackstatedefaults', 'statepolicy', 'staticport', 'stickyaddress', 'urpffailed', 'dropovl', 'failpolicy', 'mapeportset', // Custom tokens 'arrow', 'codel', 'error', 'filename', 'fragcrop', 'fragdrop', 'IPsec', 'L2TP', 'maximummin', 'OpenVPN', 'pppoe', 'pptp' ]; /* Reserved table names to avoid collision */ global $reserved_table_names; $reserved_table_names = [ 'bogons', 'bogonsv6', 'negate_networks', 'snort2c', 'sshguard', 'tonatsubnets', 'virusprot', 'vpn_networks', ]; /* VLAN Prio values. */ global $vlanprio_values; $vlanprio_values = [ 'bk' => 0, 'be' => 1, 'ee' => 2, 'ca' => 3, 'vi' => 4, 'vo' => 5, 'ic' => 6, 'nc' => 7, ]; global $vlanprio; $vlanprio = [ 'bk' => 'Background (BK, 0)', 'be' => 'Best Effort (BE, 1)', 'ee' => 'Excellent Effort (EE, 2)', 'ca' => 'Critical Applications (CA, 3)', 'vi' => 'Video (VI, 4)', 'vo' => 'Voice (VO, 5)', 'ic' => 'Internetwork Control (IC, 6)', 'nc' => 'Network Control (NC, 7)', ]; global $system_log_files; $system_log_files = [ 'system', 'filter', 'dhcpd', 'vpn', 'poes', 'l2tps', 'openvpn', 'portalauth', 'ipsec', 'ppp', 'wireless', 'nginx', 'ntpd', 'gateways', 'resolver', 'routing', 'auth' ]; global $system_log_non_syslog_files; $system_log_non_syslog_files = ['dmesg.boot', 'utx.log', 'userlog']; global $system_log_compression_types; $system_log_compression_types = [ 'bzip2' => [ 'flag' => 'J', 'cat' => '/usr/bin/bzcat -qf', 'ext' => 'bz2', ], 'gzip' => [ 'flag' => 'Z', 'cat' => '/usr/bin/zcat -qf', 'ext' => 'gz', ], 'xz' => [ 'flag' => 'X', 'cat' => '/usr/bin/xzcat -qf', 'ext' => 'xz', ], 'zstd' => [ 'flag' => 'Y', 'cat' => '/usr/bin/zstdcat -qqf', 'ext' => 'zst', ], 'none' => [ 'flag' => '', 'cat' => '/bin/cat', 'ext' => '', ], ]; global $ddnsdomainkeyalgorithms; $ddnsdomainkeyalgorithms = [ 'hmac-md5' => 'HMAC-MD5 (legacy default)', 'hmac-sha1' => 'HMAC-SHA1', 'hmac-sha224' => 'HMAC-SHA224', 'hmac-sha256' => 'HMAC-SHA256 (current bind9 default)', 'hmac-sha384' => 'HMAC-SHA384', 'hmac-sha512' => 'HMAC-SHA512 (most secure)', ]; global $ipsec_filtermodes; $ipsec_filtermodes = [ 'enc' => 'Filter IPsec Tunnel, Transport, and VTI on IPsec tab (enc0)', 'if_ipsec' => 'Filter IPsec VTI and Transport on assigned interfaces, block all tunnel mode traffic', ]; global $ipsec_filter_sysctl; $ipsec_filter_sysctl = [ 'enc' => [ 'net.inet.ipsec.filtertunnel' => '0x0000', 'net.inet6.ipsec6.filtertunnel' => '0x0000', 'net.enc.out.ipsec_bpf_mask' => '0x0001', 'net.enc.out.ipsec_filter_mask' => '0x0001', 'net.enc.in.ipsec_bpf_mask' => '0x0002', 'net.enc.in.ipsec_filter_mask' => '0x0002', ], 'if_ipsec' => [ 'net.inet.ipsec.filtertunnel' => '0x0001', 'net.inet6.ipsec6.filtertunnel' => '0x0001', 'net.enc.out.ipsec_bpf_mask' => '0x0000', 'net.enc.out.ipsec_filter_mask' => '0x0000', 'net.enc.in.ipsec_bpf_mask' => '0x0000', 'net.enc.in.ipsec_filter_mask' => '0x0000', ], ]; global $vpn_and_ppp_ifs; $vpn_and_ppp_ifs = ['l2tp', 'pppoe', 'enc0', 'openvpn']; global $ssh_keys; $ssh_keys = [ ['type' => 'rsa', 'suffix' => 'rsa_'], ['type' => 'ed25519', 'suffix' => 'ed25519_'], ]; global $sshConfigDir; $sshConfigDir = '/etc/ssh'; global $lagg_hash_list; $lagg_hash_list = [ 'l2,l3,l4' => 'Layer 2/3/4 (default)', 'l2' => 'Layer 2 (MAC Address)', 'l3' => 'Layer 3 (IP Address)', 'l4' => 'Layer 4 (Port Number)', 'l2,l3' => 'Layer 2/3 (MAC + IP)', 'l3,l4' => 'Layer 3/4 (IP + Port)', 'l2,l4' => 'Layer 2/4 (MAC + Port)', ]; /** * Check if the global $g variable contains a $key * * @param string $key The key * @param bool $isset Also perform isset check * * @return bool */ function g_has(string $key, bool $isset = false) : bool { global $g; return (array_key_exists($key, $g) && (!$isset || isset($g[$key]))); } /** * Get the global $g variable value by $key * * @param string $key The key * @param mixed $default The value to return on a key miss * * @return mixed */ function g_get(string $key, mixed $default = null) : mixed { global $g; return (g_has($key, true) ? $g[$key] : $default); } /** * Set the global $g variable value by $key * * @param string $key The key * @param mixed $value The value * @param bool $force Force set (can replace) the value * * @return mixed */ function g_set(string $key, mixed $value, bool $force = false) : mixed { global $g; if ($force || !g_has($key, true)) { $g[$key] = $value; } return (g_get($key)); } /** * Unset the global $g variable value by $key * * @param string $key The key * * @return void */ function g_unset(string $key) : void { global $g; if (g_has($key)) { unset($g[$key]); } } /** * Determine if the system is currently booting * * @return bool */ function is_platform_booting() : bool { return (g_get('booting', false) || file_exists(g_get('varrun_path') . '/booting')); } /** * Determine if PHP is executing in cli context * * @return bool */ function is_cli_sapi() : bool { if (defined('STDIN')) { return (true); } if (PHP_SAPI === 'cli') { return (true); } if (array_key_exists('SHELL', $_ENV)) { return (true); } return (false); } /** * Determine if the system is booting * * @deprecated Prefer the use of is_platform_booting * * @param bool $only_on_console Require cli execution context * * @return bool */ function platform_booting(bool $only_on_console = false) : bool { return (is_platform_booting() && (!$only_on_console || is_cli_sapi())); } /** * Check if a file can be included * * @param string $filename * * @return bool */ function can_include(string $filename) : bool { // short-circuit on absolute paths before checking relative include paths return (file_exists($filename) || (bool) stream_resolve_include_path($filename)); } /** * Get a list of known protocols * * @param string $type Filter the returned list based on the type * * @return array */ function get_ipprotocols(?string $type = ''):array { $exclude = []; $ipprotocols = [ 'any' => gettext('Any'), 'tcp' => 'TCP', 'udp' => 'UDP', 'tcp/udp' => 'TCP/UDP', 'icmp' => 'ICMP', 'esp' => 'ESP', 'ah' => 'AH', 'gre' => 'GRE', 'etherip' => 'EoIP', 'ipv6' => 'IPV6', 'igmp' => 'IGMP', 'pim' => 'PIM', 'ospf' => 'OSPF', 'sctp' => 'SCTP', 'carp' => 'CARP', 'pfsync' => 'PFSYNC' ]; switch ($type) { case 'portsonly': $ipprotocols = [ 'tcp' => 'TCP', 'udp' => 'UDP', 'tcp/udp' => 'TCP/UDP', 'sctp' => 'SCTP' ]; break; case 'outboundnat': $exclude = ['EoIP', 'PIM', 'OSPF']; break; case 'portforward': $exclude = ['EoIP', 'CARP', 'PFSYNC']; break; default: break; } return array_diff($ipprotocols, $exclude); } // source pfSense Plus specific globals last if (can_include('globals.plus.inc')) { include_once('globals.plus.inc'); }