public function addInput(Form_Input $input)
 {
     $group = new Form_Group($input->getTitle());
     $group->add($input);
     $this->add($group);
     return $input;
 }

 public function addPassword(Form_Input $input)
 {
     $group = new Form_Group($input->getTitle());
     if ($input->getValue() != "") {
         $input->setValue(DMYPWD);
     }
     $input->setType("password");
     $group->add($input);
     $confirm = clone $input;
     $confirm->setName($confirm->getName() . "_confirm");
     $confirm->setHelp("Confirm");
     $group->add($confirm);
     $this->add($group);
     return $input;
 }

    } else {
        $section->addInput(new Form_Input('auth_algs', null, 'hidden', '1'));
    }
    $section->addInput(new Form_Select('wpa_pairwise', 'WPA Pairwise', isset($pconfig['wpa_pairwise']) ? $pconfig['wpa_pairwise'] : 'CCMP', ['CCMP TKIP' => 'Both', 'CCMP' => 'AES (recommended)', 'TKIP' => 'TKIP']));
    $section->addInput(new Form_Input('wpa_group_rekey', 'WPA Pre-Shared Key', 'number', $pconfig['wpa_group_rekey'] ? $pconfig['wpa_group_rekey'] : "60", ['min' => '1', 'max' => 9999]))->setHelp('Specified in seconds. Allowed values are 1-9999. Must be shorter than Master Key Regeneration time');
    $section->addInput(new Form_Input('wpa_gmk_rekey', 'Master Key Regeneration', 'number', $pconfig['wpa_gmk_rekey'] ? $pconfig['wpa_gmk_rekey'] : "3600", ['min' => '1', 'max' => 9999]))->setHelp('Specified in seconds. Allowed values are 1-9999. Must be longer than Key Rotation time');
    $section->addInput(new Form_Checkbox('wpa_strict_rekey', 'Strict Key Regeneration', 'Force the AP to rekey whenever a client disassociates', $pconfig['wpa_strict_rekey'], 'yes'));
    $form->add($section);
    $section = new Form_Section('802.1x RADIUS options');
    $section->addInput(new Form_Checkbox('ieee8021x', 'IEEE802.1X', 'Enable 802.1X authentication', $pconfig['ieee8021x'], 'yes'))->setHelp('This option requires that the "Enable WPA box" is checked');
    $group = new Form_Group('Primary 802.1X server');
    $group->add(new Form_IpAddress('auth_server_addr', 'IP Address', $pconfig['auth_server_addr']))->setHelp('IP address.  (Commonly a Radius server (FreeRadius, Internet Authentication Services, etc.)');
    $group->add(new Form_Input('auth_server_port', 'Port', 'number', $pconfig['auth_server_port']))->setHelp('Server port. Leave blank for the default port 1812');
    $group->add(new Form_Input('auth_server_shared_secret', 'Shared secret', 'number', $pconfig['auth_server_shared_secret']))->setHelp('Shared secret');
    $section->add($group);
    $group = new Form_Group('Secondary 802.1X server');
    $group->add(new Form_IpAddress('auth_server_addr2', 'IP Address', $pconfig['auth_server_addr2']))->setHelp('IP address.  (Commonly a Radius server (FreeRadius, Internet Authentication Services, etc.)');
    $group->add(new Form_Input('auth_server_port2', 'Port', 'number', $pconfig['auth_server_port2']))->setHelp('Server port. Leave blank for the default port 1812');
    $group->add(new Form_Input('auth_server_shared_secret2', 'Shared secret', 'number', $pconfig['auth_server_shared_secret2']))->setHelp('Shared secret');
    $section->add($group);
    $section->addInput(new Form_Checkbox('rsn_preauth', 'Authentication Roaming Preauth', null, $pconfig['rsn_preauth'], 'yes'));
    $form->add($section);
}
$section = new Form_Section('Private networks');
$section->addInput(new Form_Checkbox('blockpriv', 'Block private networks', '', $pconfig['blockpriv'], 'yes'))->setHelp('Blocks traffic from IP addresses that are reserved for private networks per RFC 1918 (10/8, 172.16/12, 192.168/16) ' . ' as well as loopback addresses (127/8). You should generally leave this option turned on, unless your WAN network ' . 'lies in such a private address space, too.');
$section->addInput(new Form_Checkbox('blockbogons', 'Block bogon networks', '', $pconfig['blockbogons'], 'yes'))->setHelp('Blocks traffic from reserved IP addresses (but not RFC 1918) or not yet assigned by IANA. Bogons are prefixes that should ' . 'never appear in the Internet routing table, and so should not appear as the source address in any packets you receive.' . '<br />' . 'Note: The update frequency can be changed under System->Advanced Firewall/NAT settings');
$form->add($section);
$form->addGlobal(new Form_Input('if', null, 'hidden', $if));
if ($wancfg['if'] == $a_ppps[$pppid]['if']) {
    $form->addGlobal(new Form_Input('ppp_port', null, 'hidden', $pconfig['port']));
}

function createDestinationServerInputGroup($value = null)
{
    $group = new Form_Group('Destination server');
    $group->add(new Form_IpAddress('server', 'Destination server', $value))->setWidth(4)->setHelp('This is the IPv6 address of the server to which DHCPv6 requests are relayed.')->setIsRepeated();
    $group->enableDuplication(null, true);
    // Buttons are in-line with the input
    return $group;
}

$section = new Form_Section('Existing Certificate Authority');
$section->addClass('toggle-existing collapse');
$section->addInput(new Form_Textarea('cert', 'Certificate data', $pconfig['cert']))->setHelp('Paste a certificate in X.509 PEM format here.');
$section->addInput(new Form_Textarea('key', 'Certificate Private Key (optional)', $pconfig['key']))->setHelp('Paste the private key for the above certificate here. This is ' . 'optional in most cases, but is required when generating a ' . 'Certificate Revocation List (CRL).');
$section->addInput(new Form_Input('serial', 'Serial for next certificate', 'number', $pconfig['serial']))->setHelp('Enter a decimal number to be used as the serial number for the next ' . 'certificate to be created using this CA.');
$form->add($section);
$section = new Form_Section('Internal Certificate Authority');
$section->addClass('toggle-internal', 'toggle-intermediate', 'collapse');
$allCas = array();
foreach ($a_ca as $ca) {
    if (!$ca['prv']) {
        continue;
    }
    $allCas[$ca['refid']] = $ca['descr'];
}
$group = new Form_Group('Signing Certificate Authority');
$group->addClass('toggle-intermediate', 'collapse');
$group->add(new Form_Select('caref', null, $pconfig['caref'], $allCas));
$section->add($group);
$section->addInput(new Form_Select('keylen', 'Key length (bits)', $pconfig['keylen'], array_combine($ca_keylens, $ca_keylens)));
$section->addInput(new Form_Select('digest_alg', 'Digest Algorithm', $pconfig['digest_alg'], array_combine($openssl_digest_algs, $openssl_digest_algs)))->setHelp('NOTE: It is recommended to use an algorithm stronger than SHA1 ' . 'when possible.');
$section->addInput(new Form_Input('lifetime', 'Lifetime (days)', 'number', $pconfig['lifetime']));
$section->addInput(new Form_Select('dn_country', 'Country Code', $pconfig['dn_country'], $dn_cc));
$section->addInput(new Form_Input('dn_state', 'State or Province', 'text', $pconfig['dn_state'], ['placeholder' => 'e.g. Texas']));
$section->addInput(new Form_Input('dn_city', 'City', 'text', $pconfig['dn_city'], ['placeholder' => 'e.g. Austin']));
$section->addInput(new Form_Input('dn_organization', 'Organization', 'text', $pconfig['dn_organization'], ['placeholder' => 'e.g. My Company Inc']));
$section->addInput(new Form_Input('dn_organizationalunit', 'Organizational Unit', 'text', $pconfig['dn_organizationalunit'], ['placeholder' => 'e.g. My Department Name (optional)']));
$section->addInput(new Form_Input('dn_email', 'Email Address', 'email', $pconfig['dn_email'], ['placeholder' => 'e.g. [email protected]']));
$section->addInput(new Form_Input('dn_commonname', 'Common Name', 'text', $pconfig['dn_commonname'], ['placeholder' => 'e.g. internal-ca']));
$form->add($section);
print $form;

}
$form = new Form();
$section = new Form_Section('Edit Virtual IP');
$group = new Form_Group('Type');
$group->add(new Form_Checkbox('mode', null, 'IP Alias', $pconfig['mode'] == "ipalias", 'ipalias'))->displayAsRadio();
$group->add(new Form_Checkbox('mode', null, 'CARP', $pconfig['mode'] == "carp", 'carp'))->displayAsRadio();
$group->add(new Form_Checkbox('mode', null, 'Proxy ARP', $pconfig['mode'] == "proxyarp", 'proxyarp'))->displayAsRadio();
$group->add(new Form_Checkbox('mode', null, 'Other', $pconfig['mode'] == "other", 'other'))->displayAsRadio();
$section->add($group);
$section->addInput(new Form_Select('interface', 'Interface', $pconfig['interface'], build_if_list()));
$section->addInput(new Form_Select('type', 'Address type', !$pconfig['range'] && $pconfig['subnet_bits'] == 32 || !isset($pconfig['subnet']) ? 'single' : 'network', array('single' => 'Single address', 'network' => 'Network')))->addClass('typesel');
$section->addInput(new Form_IpAddress('subnet', 'Address(es)', $pconfig['subnet']))->addMask('subnet_bits', $pconfig['subnet_bits'])->setHelp('<span id="address_note"></span>');
$section->addInput(new Form_Checkbox('noexpand', 'Expansion', 'Disable expansion of this entry into IPs on NAT lists (e.g. 192.168.1.0/24 expands to 256 entries.) ', isset($pconfig['noexpand'])));
$section->addInput(new Form_Input('password', 'Virtual IP Password', 'password', $pconfig['password']))->setHelp('Enter the VHID group password.');
$section->addInput(new Form_Select('vhid', 'VHID Group', $pconfig['vhid'], array_combine(range(1, 255, 1), range(1, 255, 1))))->setHelp('Enter the VHID group that the machines will share');
$group = new Form_Group('Advertising frequency');
$group->add(new Form_Select('advbase', 'Base', $pconfig['advbase'], array_combine(range(1, 254, 1), range(1, 254, 1))))->setHelp('Base');
$group->add(new Form_Select('advskew', 'Skew', $pconfig['advskew'], array_combine(range(0, 254, 1), range(0, 254, 1))))->setHelp('Skew');
$group->setHelp('The frequency that this machine will advertise. 0 means usually master. Otherwise the lowest combination of both values in the cluster determines the master.');
$section->add($group);
$section->addInput(new Form_Input('descr', 'Description', 'text', $pconfig['descr']))->setHelp('You may enter a description here for your reference (not parsed).');
if (isset($id) && $a_vip[$id]) {
    $section->addInput(new Form_Input('id', null, 'hidden', $id));
}
$section->addInput(new Form_Input('uniqid', null, 'hidden', $pconfig['uniqid']));
$form->add($section);
print $form;
?>

<div id="infoblock">
	<?php 

$section->addInput(new Form_Checkbox('decrypt', 'Encryption', 'Configuration file is encrypted.', false));
$section->addInput(new Form_Input('decrypt_password', null, 'password', null, ['placeholder' => 'Password']));
$section->addInput(new Form_Input('decrypt_passconf', null, 'password', null, ['placeholder' => 'Confirm password']));
$group = new Form_Group('');
$group->add(new Form_Button('Submit', 'Restore configuration'))->setHelp('The firewall will reboot after restoring the configuration.')->removeClass('btn-primary')->addClass('btn-danger');
$section->add($group);
$form->add($section);
if ($config['installedpackages']['package'] != "" || is_subsystem_dirty("packagelock")) {
    $section = new Form_Section('Package functions');
    if ($config['installedpackages']['package'] != "") {
        $group = new Form_Group('');
        $group->add(new Form_Button('Submit', 'Reinstall packages'))->setHelp('Click this button to reinstall all system packages.  This may take a while.')->removeClass('btn-primary')->addClass('btn-warning');
        $section->add($group);
    }
    if (is_subsystem_dirty("packagelock")) {
        $group = new Form_Group('');
        $group->add(new Form_Button('Submit', 'Clear Package Lock'))->setHelp('Click this button to clear the package lock if a package fails to reinstall properly after an upgrade.')->removeClass('btn-primary')->addClass('btn-warning');
        $section->add($group);
    }
    $form->add($section);
}
print $form;
?>
<script type="text/javascript">
//<![CDATA[
events.push(function(){
	//---------- "Standard" show/hide functions ---------------------------------------------------

	// Hides all elements of the specified class. This will usually be a section or group
	function hideClass(s_class, hide) {
		if(hide)

$section->addInput(new Form_StaticText('Additional BOOTP/DHCP Options', $btnadv));
$section = new Form_Section('Additional BOOTP/DHCP Options');
$section->addClass('adnlopts');
$section->addInput(new Form_StaticText(null, '<div class="alert alert-info"> ' . gettext('Enter the DHCP option number and the value for each item you would like to include in the DHCP lease information.') . ' ' . sprintf(gettext('For a list of available options please visit this %1$s URL%2$s'), '<a href="http://www.iana.org/assignments/bootp-dhcp-parameters/" target="_blank">', '</a></div>')));
if (!$pconfig['numberoptions']) {
    $pconfig['numberoptions']['item'] = array(array('number' => '', 'type' => 'text', 'value' => ''));
}
$customitemtypes = array('text' => gettext('Text'), 'string' => gettext('String'), 'boolean' => gettext('Boolean'), 'unsigned integer 8' => gettext('Unsigned 8-bit integer'), 'unsigned integer 16' => gettext('Unsigned 16-bit integer'), 'unsigned integer 32' => gettext('Unsigned 32-bit integer'), 'signed integer 8' => gettext('Signed 8-bit integer'), 'signed integer 16' => gettext('Signed 16-bit integer'), 'signed integer 32' => gettext('Signed 32-bit integer'), 'ip-address' => gettext('IP address or host'));
$numrows = count($item) - 1;
$counter = 0;
$numrows = count($pconfig['numberoptions']['item']) - 1;
foreach ($pconfig['numberoptions']['item'] as $item) {
    $number = $item['number'];
    $itemtype = $item['type'];
    $value = base64_decode($item['value']);
    $group = new Form_Group($counter == 0 ? 'Option' : null);
    $group->addClass('repeatable');
    $group->add(new Form_Input('number' . $counter, null, 'text', $number))->setHelp($numrows == $counter ? 'Number' : null);
    $group->add(new Form_Select('itemtype' . $counter, null, $itemtype, $customitemtypes))->setWidth(3)->setHelp($numrows == $counter ? 'Type' : null);
    $group->add(new Form_Input('value' . $counter, null, 'text', $value))->setHelp($numrows == $counter ? 'Value' : null);
    $group->add(new Form_Button('deleterow' . $counter, 'Delete'))->removeClass('btn-primary')->addClass('btn-warning');
    $section->add($group);
    $counter++;
}
$section->addInput(new Form_Button('addrow', 'Add'))->removeClass('btn-primary')->addClass('btn-success');
$form->add($section);
if ($pconfig['netboot']) {
    $sectate = COLLAPSIBLE | SEC_OPEN;
} else {
    $sectate = COLLAPSIBLE | SEC_CLOSED;
}

    if ($gw == "") {
        continue;
    }
    $gateways[$gwname] = $gw['name'] . (empty($gw['gateway']) ? '' : ' - ' . $gateway_addr_str);
}
foreach ((array) $a_gatewaygroups as $gwg_name => $gwg_data) {
    if (empty($pconfig['ipprotocol']) || $pconfig['ipprotocol'] == $gwg_data['ipprotocol']) {
        $gateways[$gwg_name] = $gwg_name;
    }
}
$section->addInput(new Form_Select('gateway', 'Gateway', $pconfig['gateway'], $gateways))->setHelp('Leave as \'default\' to use the system routing table. Or choose a ' . 'gateway to utilize policy based routing.');
$group = new Form_Group('In / Out pipe');
$group->add(new Form_Select('dnpipe', 'DNpipe', $pconfig['dnpipe'], array('' => 'none') + array_keys($dnqlist)));
$group->add(new Form_Select('pdnpipe', 'PDNpipe', $pconfig['pdnpipe'], array('' => 'none') + array_keys($dnqlist)));
$section->add($group)->setHelp('Choose the Out queue/Virtual interface only if ' . 'you have also selected In. The Out selection is applied to traffic leaving ' . 'the interface where the rule is created, In is applied to traffic coming ' . 'into the chosen interface.<br />If you are creating a floating rule, if the ' . 'direction is In then the same rules apply, if the direction is out the ' . 'selections are reverted Out is for incoming and In is for outgoing.');
$group = new Form_Group('Ackqueue / Queue');
$list = array('' => 'none');
if (!is_array($qlist)) {
    $qlist = array();
}
foreach ($qlist as $q => $qkey) {
    if (isset($ifdisp[$q])) {
        $list[$q] = $ifdisp[$q];
    } else {
        $list[$q] = $q;
    }
}
$group->add(new Form_Select('ackqueue', 'Ackqueue', $pconfig['ackqueue'], $list));
$group->add(new Form_Select('defaultqueue', 'Default Queue', $pconfig['defaultqueue'], $list));
$section->add($group)->setHelp('Choose the Acknowledge Queue only if you have ' . 'selected Queue.');
$section->addInput(new Form_Select('l7container', 'Layer7', $pconfig['l7container'], array_keys($l7clist)))->setHelp('Choose a Layer7 container to apply application protocol inspection ' . 'rules. These are valid for TCP and UDP protocols only.');

$section->addInput(new Form_Input('decrypt_password', 'Password', 'password', null, ['placeholder' => 'Password']));
$group = new Form_Group('');
// Note: ID attribute of each element created is to be unique.  Not being used, suppressing it.
$group->add(new Form_Button('Submit', 'Restore Configuration', null, 'fa-undo'))->setHelp('The firewall will reboot after restoring the configuration.')->addClass('btn-danger restore')->setAttribute('id');
$section->add($group);
$form->add($section);
if ($config['installedpackages']['package'] != "" || is_subsystem_dirty("packagelock")) {
    $section = new Form_Section('Package Functions');
    if ($config['installedpackages']['package'] != "") {
        $group = new Form_Group('');
        // Note: ID attribute of each element created is to be unique.  Not being used, suppressing it.
        $group->add(new Form_Button('Submit', 'Reinstall Packages', null, 'fa-retweet'))->setHelp('Click this button to reinstall all system packages.  This may take a while.')->addClass('btn-success')->setAttribute('id');
        $section->add($group);
    }
    if (is_subsystem_dirty("packagelock")) {
        $group = new Form_Group('');
        // Note: ID attribute of each element created is to be unique.  Not being used, suppressing it.
        $group->add(new Form_Button('Submit', 'Clear Package Lock', null, 'fa-wrench'))->setHelp('Click this button to clear the package lock if a package fails to reinstall properly after an upgrade.')->addClass('btn-warning')->setAttribute('id');
        $section->add($group);
    }
    $form->add($section);
}
print $form;
?>
<script type="text/javascript">
//<![CDATA[
events.push(function() {

	// ------- Show/hide sections based on checkbox settings --------------------------------------

	function hideSections(hide) {

$tab_array[3] = array(gettext("Advanced Settings"), true, "vpn_ipsec_settings.php");
display_top_tabs($tab_array);
$form = new Form();
$section = new Form_Section('Start IPsec in debug mode based on sections selected');
foreach ($ipsec_log_cats as $cat => $desc) {
    $section->addInput(new Form_Select($cat, $desc, $pconfig[$cat], $ipsec_log_sevs))->setWidth(2);
}
$section->addInput(new Form_StaticText('', ''))->setHelp('Launches IPsec in debug mode so that more verbose logs will be generated to aid in troubleshooting.');
$form->add($section);
$section = new Form_Section('IPsec Advanced Settings');
$section->addInput(new Form_Select('uniqueids', 'Configure Unique IDs as', $pconfig['uniqueids'], $ipsec_idhandling))->setHelp('Whether a particular participant ID should be kept unique, with any new IKE_SA using an ID ' . 'deemed to replace all old ones using that ID. Participant IDs normally are unique, so a new ' . 'IKE_SA using the same ID is almost invariably intended to replace an old one. ' . 'The difference between <b>no</b> and <b>never</b> is that the old IKE_SAs will be replaced when receiving an ' . 'INITIAL_CONTACT notify if the option is no but will ignore these notifies if <b>never</b> is configured. ' . 'The daemon also accepts the value <b>keep</b> to reject ' . 'new IKE_SA setups and keep the duplicate established earlier. Defaults to Yes.');
$section->addInput(new Form_Checkbox('compression', 'IP Compression', 'Enable IPCompression', $pconfig['compression']))->setHelp('IPComp compression of content is proposed on the connection.');
$section->addInput(new Form_Checkbox('enableinterfacesuse', 'Strict interface binding', 'Enable strict interface binding', $pconfig['enableinterfacesuse']))->setHelp('Enable strongSwan\'s interfaces_use option to bind specific interfaces only. This option is known to break IPsec with dynamic IP interfaces. This is not recommended at this time.');
$section->addInput(new Form_Checkbox('acceptunencryptedmainmode', 'Unencrypted payloads in IKEv1 Main Mode', 'Accept unencrypted ID and HASH payloads in IKEv1 Main Mode', $pconfig['acceptunencryptedmainmode']))->setHelp('Some implementations send the third Main Mode message unencrypted, probably to find the PSKs for the specified ID for authentication.' . 'This is very similar to Aggressive Mode, and has the same security implications: ' . 'A passive attacker can sniff the negotiated Identity, and start brute forcing the PSK using the HASH payload.' . 'It is recommended to keep this option to no, unless you know exactly what the implications are and require compatibility to such devices (for example, some SonicWall boxes).');
$section->addInput(new Form_Checkbox('maxmss_enable', 'Enable Maximum MSS', 'Enable MSS clamping on VPN traffic', $pconfig['maxmss_enable']))->toggles('.toggle-maxmss', 'collapse');
$group = new Form_Group('Maximum MSS');
$group->addClass('toggle-maxmss collapse');
if (!empty($pconfig['maxmss_enable'])) {
    $group->addClass('in');
}
$group->add(new Form_Input('maxmss', 'Maximum MSS', 'text', $pconfig['maxmss'] ? $pconfig['maxmss'] : '1400'))->setHelp('Enable MSS clamping on TCP flows over VPN. ' . 'This helps overcome problems with PMTUD on IPsec VPN links. If left blank, the default value is 1400 bytes. ');
$section->add($group);
$section->addInput(new Form_Checkbox('unityplugin', 'Disable Cisco Extensions', 'Disable Unity Plugin', $pconfig['unityplugin']))->setHelp('Disable Unity Plugin which provides Cisco Extension support as Split-Include, Split-Exclude, Split-Dns, ...');
$section->addInput(new Form_Checkbox('strictcrlpolicy', 'Strict CRL Checking', 'Enable strict Certificate Revocation List checking', $pconfig['strictcrlpolicy']))->setHelp('Check this to require availability of a fresh CRL for peer authentication based on RSA signatures to succeed.');
$section->addInput(new Form_Checkbox('makebeforebreak', 'Make before Break', 'Initiate IKEv2 reauthentication with a make-before-break', $pconfig['makebeforebreak']))->setHelp('instead of a break-before-make scheme. Make-before-break uses overlapping IKE and CHILD_SA during reauthentication ' . 'by first recreating all new SAs before deleting the old ones. This behavior can be beneficial to avoid connectivity gaps ' . 'during reauthentication, but requires support for overlapping SAs by the peer');
$section->addInput(new Form_Checkbox('autoexcludelanaddress', 'Auto-exclude LAN address', 'Enable bypass for LAN interface IP', !$pconfig['noshuntlaninterfaces']))->setHelp('Exclude traffic from LAN subnet to LAN IP address from IPsec.');
$form->add($section);
print $form;
?>

<?php 

$section = new Form_Section('Graph settings');
$group = new Form_Group('Options');
$group->add(new Form_Select('option', 'Graphs', $curoption, build_options()))->setHelp('Graph');
$group->add(new Form_Select('style', 'Style', $curstyle, $styles))->setHelp('Style');
$group->add(new Form_Select('period', 'Period', $curperiod, $periods))->setHelp('Period');
if ($curcat == 'custom') {
    $group->setHelp('Any changes to these option may not take affect until the next auto-refresh.');
}
$section->add($group);
if ($curcat == 'custom') {
    $section->addInput(new Form_Input('cat', null, 'hidden', 'custom'));
    $tz = date_default_timezone_get();
    $tz_msg = gettext("Enter date and/or time. Current timezone:") . " {$tz}";
    $start_fmt = strftime("%m/%d/%Y %H:%M:%S", $start);
    $end_fmt = strftime("%m/%d/%Y %H:%M:%S", $end);
    $group = new Form_Group('');
    $group->add(new Form_Input('start', 'Start', 'datetime', $start_fmt))->setHelp('Start');
    $group->add(new Form_Input('end', 'End', 'datetime', $end_fmt))->setHelp('End');
    if ($curcat != 'custom') {
        $group->setHelp('Any changes to these option may not take affect until the next auto-refresh');
    }
    $section->add($group);
    $form->add($section);
    print $form;
    $curdatabase = $curoption;
    $graph = "custom-{$curdatabase}";
    if (in_array($curdatabase, $custom_databases)) {
        $id = "{$graph}-{$curoption}-{$curdatabase}";
        $id = preg_replace('/\\./', '_', $id);
        ?>
		<div class="panel panel-default">

}
// Get the MAC address
$ip = $_SERVER['REMOTE_ADDR'];
$mymac = `/usr/sbin/arp -an | grep '('{$ip}')' | head -n 1 | cut -d" " -f4`;
$mymac = str_replace("\n", "", $mymac);
include "head.inc";
if ($input_errors) {
    print_input_errors($input_errors);
}
$form = new Form();
$section = new Form_Section('Edit MAC Address Rules');
$section->addInput(new Form_Select('action', 'Action', strtolower($pconfig['action']), array('pass' => gettext('Pass'), 'block' => gettext('Block'))))->setHelp('Choose what to do with packets coming from this MAC address.');
$macaddress = new Form_Input('mac', 'MAC Address', 'text', $pconfig['mac'], ['placeholder' => 'xx:xx:xx:xx:xx:xx']);
$btnmymac = new Form_Button('btnmymac', 'Copy My MAC', null, 'fa-clone');
$btnmymac->setAttribute('type', 'button')->removeClass('btn-primary')->addClass('btn-success btn-sm');
$group = new Form_Group('MAC Address');
$group->add($macaddress);
$group->add($btnmymac);
$group->setHelp('6 hex octets separated by colons');
$section->add($group);
$section->addInput(new Form_Input('descr', 'Description', 'text', $pconfig['descr']))->setHelp('A description may be entered here for administrative reference (not parsed)');
$section->addInput(new Form_Input('bw_up', 'Bandwidth up', 'text', $pconfig['bw_up']))->setHelp('Enter an upload limit to be enforced on this MAC in Kbit/s');
$section->addInput(new Form_Input('bw_down', 'Bandwidth down', 'text', $pconfig['bw_down']))->setHelp('Enter a download limit to be enforced on this MAC in Kbit/s');
$section->addInput(new Form_Input('zone', null, 'hidden', $cpzone));
if (isset($id) && $a_passthrumacs[$id]) {
    $section->addInput(new Form_Input('id', null, 'hidden', $id));
}
if (isset($pconfig['username']) && $pconfig['username']) {
    $section->addInput(new Form_Input('username', null, 'hidden', $pconfig['username']));
}
$form->add($section);

$numrows = count($item) - 1;
$usernames = $pconfig['username'];
//DEBUG
//$usernames = 'sbeaver:TXlQYXNzd2Q=:192.168.1.1 smith:TXlQYXNzd2Q=:192.168.2.1 sjones:TXlQYXNzd2Q=:192.168.3.1 salpha:TXlQYXNzd2Q=:192.168.4.1';
if ($usernames == "") {
    $usernames = '::';
}
if ($usernames != "") {
    $item = explode(" ", $usernames);
    $numrows = count($item) - 1;
    foreach ($item as $ww) {
        $wws = explode(":", $ww);
        $user = $wws[0];
        $passwd = base64_decode($wws[1]);
        $ip = $wws[2];
        $group = new Form_Group($counter == 0 ? 'User table' : null);
        $group->addClass('repeatable');
        $group->add(new Form_Input('username' . $counter, null, 'text', $user))->setHelp($numrows == $counter ? 'User name' : null);
        $group->add(new Form_Input('password' . $counter, null, 'password', $passwd))->setHelp($numrows == $counter ? 'Password' : null);
        $group->add(new Form_IpAddress('ip' . $counter, null, $ip))->setHelp($numrows == $counter ? 'IP Address' : null);
        $group->add(new Form_Button('deleterow' . $counter, 'Delete'))->removeClass('btn-primary')->addClass('btn-warning');
        $section->add($group);
        $counter++;
    }
}
$btnaddrow = new Form_Button('addrow', 'Add user');
$btnaddrow->removeClass('btn-primary')->addClass('btn-success');
$section->addInput(new Form_StaticText(null, ' ' . $btnaddrow));
// Hidden fields
if (isset($id)) {
    $section->addInput(new Form_Input('id', null, 'hidden', htmlspecialchars($id, ENT_QUOTES | ENT_HTML401)));

    $group->add(new Form_Input('dns_server4', null, 'text', $pconfig['dns_server4']))->setHelp('Server 4');
    $section->add($group);
    // NTP servers
    $section->addInput(new Form_Checkbox('ntp_server_enable', 'NTP Servers', 'Provide an NTP server list to clients', $pconfig['ntp_server_enable']))->toggles('.ntpservers');
    $group = new Form_Group(null);
    $group->addClass('ntpservers');
    $group->add(new Form_Input('ntp_server1', null, 'text', $pconfig['ntp_server1']))->setHelp('Server 1');
    $group->add(new Form_Input('ntp_server2', null, 'text', $pconfig['ntp_server2']))->setHelp('Server 2');
    $section->add($group);
    // NTP servers - For this section we need to use Javascript hiding since there
    // are nested toggles
    $section->addInput(new Form_Checkbox('netbios_enable', 'NetBIOS Options', 'Enable NetBIOS over TCP/IP', $pconfig['netbios_enable']))->setHelp('If this option is not set, all NetBIOS-over-TCP/IP options (including WINS) will be disabled. ');
    $section->addInput(new Form_Select('netbios_ntype', 'Node Type', $pconfig['netbios_ntype'], $netbios_nodetypes))->setHelp('Possible options: b-node (broadcasts), p-node (point-to-point name queries to a WINS server), m-node (broadcast then query name server), ' . 'and h-node (query name server, then broadcast). ');
    $section->addInput(new Form_Input('netbios_scope', null, 'text', $pconfig['netbios_scope']))->setHelp('A NetBIOS Scope ID provides an extended naming service for NetBIOS over TCP/IP. ' . 'The NetBIOS scope ID isolates NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID. ');
    $section->addInput(new Form_Checkbox('wins_server_enable', 'WINS servers', 'Provide a WINS server list to clients', $pconfig['wins_server_enable']));
    $group = new Form_Group(null);
    $group->add(new Form_Input('wins_server1', null, 'text', $pconfig['wins_server1']))->setHelp('Server 1');
    $group->add(new Form_Input('wins_server2', null, 'text', $pconfig['wins_server2']))->setHelp('Server 2');
    $group->addClass('winsservers');
    $section->add($group);
    $section->addInput(new Form_Textarea('custom_options', 'Advanced', $pconfig['custom_options']))->setHelp('Enter any additional options you would like to add for this client specific override, separated by a semicolon. ' . '<br />' . 'EXAMPLE: push "route 10.0.0.0 255.255.255.0"; ');
    // The hidden fields
    $section->addInput(new Form_Input('act', null, 'hidden', $act));
    if (isset($id) && $a_csc[$id]) {
        $section->addInput(new Form_Input('id', null, 'hidden', $id));
    }
    $form->add($section);
    print $form;
    ?>

<script type="text/javascript">

display_top_tabs($tab_array, true);
if ($act == "new" || $act == "edit") {
    $form = new Form();
    $section = new Form_Section('New Access List');
    $section->addInput(new Form_Input('aclid', null, 'hidden', $id));
    $section->addInput(new Form_Input('act', null, 'hidden', $act));
    $section->addInput(new Form_Input('aclname', 'Access List name', 'text', $pconfig['aclname']))->setHelp('Provide an Access List name.');
    $section->addInput(new Form_Select('aclaction', 'Action', strtolower($pconfig['aclaction']), array('allow' => 'Allow', 'deny' => 'Deny', 'refuse' => 'Refuse', 'allow snoop' => 'Allow Snoop')))->setHelp($actionHelp);
    $section->addInput(new Form_Input('description', 'Description', 'text', $pconfig['description']))->setHelp('You may enter a description here for your reference.');
    $numrows = count($networkacl) - 1;
    $counter = 0;
    foreach ($networkacl as $item) {
        $network = $item['acl_network'];
        $cidr = $item['mask'];
        $description = $item['description'];
        $group = new Form_Group($counter == 0 ? 'Networks' : '');
        $group->add(new Form_IpAddress('acl_network' . $counter, null, $network))->addMask('mask' . $counter, $cidr)->setWidth(4)->setHelp($counter == $numrows ? 'Network/mask' : null);
        $group->add(new Form_Input('description' . $counter, null, 'text', $description))->setHelp($counter == $numrows ? 'Description' : null);
        $group->add(new Form_Button('deleterow' . $counter, 'Delete'))->removeClass('btn-primary')->addClass('btn-warning');
        $group->addClass('repeatable');
        $section->add($group);
        $counter++;
    }
    $form->addGlobal(new Form_Button('addrow', 'Add network'))->removeClass('btn-primary')->addClass('btn-success');
    $form->add($section);
    print $form;
} else {
    // NOT 'edit' or 'add'
    ?>
<div class="panel panel-default">
	<div class="panel-heading"><h2 class="panel-title"><?php 

$tab_array[] = array(htmlspecialchars(gettext("Firewall & NAT")), true, "system_advanced_firewall.php");
$tab_array[] = array(gettext("Networking"), false, "system_advanced_network.php");
$tab_array[] = array(gettext("Miscellaneous"), false, "system_advanced_misc.php");
$tab_array[] = array(gettext("System Tunables"), false, "system_advanced_sysctl.php");
$tab_array[] = array(gettext("Notifications"), false, "system_advanced_notifications.php");
display_top_tabs($tab_array);
?>
<div id="container"><?php 
$form = new Form();
$section = new Form_Section('Firewall Advanced');
$section->addInput(new Form_Checkbox('scrubnodf', 'IP Do-Not-Fragment compatibility', 'Clear invalid DF bits instead of dropping the packets', isset($config['system']['scrubnodf'])))->setHelp('This allows for communications with hosts that generate fragmented ' . 'packets with the don\'t fragment (DF) bit set. Linux NFS is known to do this. ' . 'This will cause the filter to not drop such packets but instead clear the don\'t ' . 'fragment bit.');
$section->addInput(new Form_Checkbox('scrubrnid', 'IP Random id generation', 'Insert a stronger ID into IP header of packets passing through the filter.', isset($config['system']['scrubrnid'])))->setHelp('Replaces the IP identification field of packets with random values to ' . 'compensate for operating systems that use predictable values. This option only ' . 'applies to packets that are not fragmented after the optional packet ' . 'reassembly.');
$section->addInput($input = new Form_Select('optimization', 'Firewall Optimization Options', $config['system']['optimization'], array('normal' => 'Normal', 'high-latency' => gettext('High-latency'), 'aggressive' => gettext('Aggressive'), 'conservative' => gettext('Conservative'))))->setHelp('Select the type of state table optimization to use');
$section->addInput(new Form_Checkbox('disablefilter', 'Disable Firewall', 'Disable all packet filtering.', isset($config['system']['disablefilter'])))->setHelp('Note: This converts %s into a routing only platform!<br/>' . 'Note: This will also turn off NAT! To only disable NAT, ' . 'and not firewall rules, visit the <a href="firewall_nat_out.php">Outbound ' . 'NAT</a> page.', [$g["product_name"]]);
$section->addInput(new Form_Checkbox('disablescrub', 'Disable Firewall Scrub', 'Disables the PF scrubbing option which can sometimes interfere with NFS traffic.', isset($config['system']['disablescrub'])));
$group = new Form_Group('Firewall Adaptive Timeouts');
$group->add(new Form_Input('adaptivestart', 'Adaptive start', 'number', $pconfig['adaptivestart'], ['min' => 1]))->setHelp('When the number of state entries exceeds this value, adaptive ' . 'scaling begins.  All timeout values are scaled linearly with factor ' . '(adaptive.end - number of states) / (adaptive.end - adaptive.start).');
$group->add(new Form_Input('adaptiveend', 'Adaptive end', 'number', $pconfig['adaptiveend'], ['min' => 1]))->setHelp('When reaching this number of state entries, all timeout values ' . 'become zero, effectively purging all state entries immediately.  This ' . 'value is used to define the scale factor, it should not actually be ' . 'reached (set a lower state limit, see below).');
$group->setHelp('Timeouts for states can be scaled adaptively as the number of ' . 'state table entries grows. Leave blank for the default (0)');
$section->add($group);
$section->addInput(new Form_Input('maximumstates', 'Firewall Maximum States', 'number', $pconfig['maximumstates'], ['min' => 1, 'placeholder' => pfsense_default_state_size()]))->setHelp('Maximum number of connections to hold in the firewall state table. ' . '<br/>Note: Leave this blank for the default. On this system the default ' . 'size is: %d', [pfsense_default_state_size()]);
$section->addInput(new Form_Input('maximumtableentries', 'Firewall Maximum Table Entries', 'text', $pconfig['maximumtableentries'], ['placeholder' => pfsense_default_table_entries_size()]))->setHelp('Maximum number of table entries for systems such as aliases, ' . 'sshlockout, snort, etc, combined.<br/>Note: Leave this blank for the ' . 'default. On this system the default size is: %d', [pfsense_default_table_entries_size()]);
$section->addInput(new Form_Input('maximumfrags', 'Firewall Maximum Fragment Entries', 'text', $pconfig['maximumfrags']))->setHelp('Maximum number of packet fragments to hold for reassembly by scrub rules. Leave this blank for the default (5000)');
$section->addInput(new Form_Checkbox('bypassstaticroutes', 'Static route filtering', 'Bypass firewall rules for traffic on the same interface', $pconfig['bypassstaticroutes']))->setHelp('This option only applies if one or more static routes have been defined. ' . 'If it is enabled, traffic that enters and leaves through the same ' . 'interface will not be checked by the firewall. This may be desirable in some ' . 'situations where multiple subnets are connected to the same interface.');
$section->addInput(new Form_Checkbox('disablevpnrules', 'Disable Auto-added VPN rules', 'Disable all auto-added VPN rules.', isset($config['system']['disablevpnrules'])))->setHelp('Note: This disables automatically added rules for IPsec.');
$section->addInput(new Form_Checkbox('disablereplyto', 'Disable reply-to', 'Disable reply-to on WAN rules', $pconfig['disablereplyto']))->setHelp('With Multi-WAN it is generally desired to ensure traffic leaves the same ' . 'interface it arrives on, hence reply-to is added automatically by default. When ' . 'using bridging, this behavior must be disabled if the WAN gateway IP is ' . 'different from the gateway IP of the hosts behind the bridged interface.');
$section->addInput(new Form_Checkbox('disablenegate', 'Disable Negate rules', 'Disable Negate rule on policy routing rules', $pconfig['disablenegate']))->setHelp('With Multi-WAN it is generally desired to ensure traffic reaches directly ' . 'connected networks and VPN networks when using policy routing. This can be disabled ' . 'for special purposes but it requires manually creating rules for these networks.');
$section->addInput(new Form_Input('aliasesresolveinterval', 'Aliases Hostnames Resolve Interval', 'text', $pconfig['aliasesresolveinterv