The reset button check should happen on all platforms, not only NanoBSD
Add reset button support for APU and FW7541
add detection for 7541, APU
Ticket #3997, teach code to track carp through uniqids(). Missing carp GUI changes and upgrade code
Prevent resolvconf(8) from stomping all over our newly generated resolv.conf and subsequent updates.
Enforce some more checking to avoid https://forum.pfsense.org/index.php?topic=85580.0
syslogd can't just be HUPed to pick up its new config, as many of those are command line arguments. Go back to 2.1x and prior behavior of TERM and restart. Fixes source IP use with syslog among other config changes.
Disable RC4 ciphers in lighttpd
fix IPv6 static routes, is_ipaddrv6 returns true for strings including a CIDR mask, which then ended up broken.
Cleanup whitespace.
also take into account the "all" option in Unbound Network Interfaces when setting 127.0.0.1 into resolv.conf.
Rather than set the g['booting'] on globals provide a function to test for that doing the right checks
correct logic here to omit 127.0.0.1 from resolv.conf when no DNS resolver bound there.
d DHCPLeases starting before Unbound/DNSMasq and returning a pid not found message. Add missing reload feature
also check port of dnsmasq/unbound and skip 127.0.0.1 in resolv.conf if not port 53. Ticket #4022
don't blow away previous contents of this variable. fixes #4022
Take unbound into consideration when creating /etc/hosts, also use new unbound parameters for dhcpleases when it's necessary, helps ticket #4011
Make sure dhcpleases use correct pid file for dnsmasq or unbound. Fixes #4008
Strengthen check
Do not require the default sysctl items to be set on the config.xml but rather extract the definitions from the sysctl tree. Also to reduce config.xml size
Actually make default sysctls reside on globals.inc and use those by default this allows to trim down the config.xml sysctl and also fixes #3666 by setting set source interface on reply of icmp
Make ipsec_starter log go to ipsec.log rather than system one
add a route debug option to log info about route commands executed (where those aren't already logged) to help with troubleshooting various routing scenarios.
fix comment
Fixes #3941. When optimizations of the loops were made this brought the problems of overriding default gateway by dynamic interfaces. Try to stick to the first found for now!
Remove redundancy as pointed out by phil-davis
Decode recently created cert and key. It fixes #3964. While here, fix logical condition to create a new cert if crt or key is not present
domain and search should not both be defined in resolv.conf per FreeBSD man page and handbook (only the latter is actually used). Change this to just not use domain, and set the search to the system's domain where not using the function that generates the search list for dynamic WANs.
Fix descriptions and cn on generated GUI cert to be consistent.
Tame the poodle. Disable SSLv3.
Teach the certificate generation code how to make a self-signed certificate, and change the GUI cert generation code to use it. Also, move the GUI cert generation code to its own function so we can add a GUI option to regenerate it later. Also use some more sane defaults for the contents of the default self-signed certificate's fields so it will be more unique and less likely to trigger problems in browser certificate storage handling.
update comment to reflect breakage caused here and reference associated redmine ticket, not high priority, can be fixed later
Add powerd normal mode flag (-n)
Move dhcp6c log to dhcpd.log, it fixes #3799
Concat var before call escapeshellarg
Make dhcpleases use unbound pid when it's configured
Convert almost all /sbin/sysctl calls to php functions
remove openbgpd bits from system_gateways_edit and system.inc. The package match is case-sensitive and hasn't matched the openbgpd package's name in at least 5 years, so it doesn't do anything. It's far from functional in any useful manner even fixing that issue.
bind HTTP->HTTPS redirect to IPv6 too. Ticket #3437
Send HUP to restart syslogd rather than trying to restart it, thus losing messages
make sure unbound is included here
If Unbound is being used then make sure to reload when system_hosts_generate() is called
Move clog from /usr to /usr/local
Add filterlog to separatefacilitylog to avoid logs going elsewhere
Use the daemon name to send the filter logs
Resolver has no option for remote syslog, remove wrong copy/paste that was adding it when apinger was enabled
Merge pull request #1118 from phil-davis/patch-3
Make sure that the DNS Forwarder/Resolver is actually capable of accepting queries on localhost before using it as a DNS server.
Cut paste bug fix in Remote Syslog DHCP events
apinger is repeated here from the code above, but it should be dhcp. Forum https://forum.pfsense.org/index.php?topic=73734.0 Selecting to remote syslog "Gateway Monitor events" would also switch on "DHCP service events" unintentionally.
Make extra sure that we do not start multiple instances of dhcpleases if, for example, the PID is stale/invalid and there is still a running instance.
Remove remnants of pccardd from FreeBSD 5
Avoid placing an empty "interface listen" directive in ntpd.conf
standardize URLs
Correct variable name, while here unset some large var
Make this a bit more efficient
Remove broken 'dynamic6' gateway, we already have ipprotocol to tell us the IP version, leave it more simple using only 'dynamic'. It helps #3484
silence any errors
More code fixes for ntpd
Update system.inc
Corrections made as requested
Add new NTPd functions
Really need the interface where v6 is running to add the gateway/route rather than the one used for the configuration. This Fixes #3357
Check for tmp captiveportal dir before making it
In forum: https://forum.pfsense.org/index.php/topic,72483.0.html Warning: mkdir(): File exists in /etc/inc/system.inc on line 878 Not sure if you would rather call safe_mkdir here?
Add escapeshellarg() calls on exec parameters. While I'm here, replace some exec() calls by php functions like symlink, copy, unlink, mkdir
Using "limited" for ntp in this way denies client access. Issue #3384
Add EDNS support to resolv.conf
Fix typo on variable name, it fixes #3414
Fix openssl path
ports ntp moved to sbin, follow
Use "disable monitor" in NTP config to mitigate CVE-2013-5211.
Add 'limited' to ntpd restrict list to workaround CVE-2013-5211. It fixes #3384
Add a setting to allow the user to specify the clog file size so more (or less) entries may be kept in the raw logs. Retain previous default size values if the user has not specified a preferred size. Files can only be resized when initialized, so provide a "Reset All Logs" button as well to force clear all logs and set them up at the new size.
Mute the output of the command since it's not really useful
Switch to php-fpm for lighty and check_reload_status will use it. Step by step will migrate the other calls
Teach system_timezone_configure() to deal with symlinks to avoid having timezone misconfigured. This fixes #3293
Add source address selection to syslog settings, so it can work more effectively over a VPN. Fixes #355
Use new names for get_memory parameters
Use ntpdate from ports also and obsolete base one
use correct domain names when registering static DHCP entries in DNS
When registering static DHCP entries in DNS, we first try to use the domain name configured for the static entry (if any), then the domain name configured in the DHCP server settings for the corresponding interface (if any), and as a last resort the system domain name....
Disable the BEAST protection by default because the GUI will break if you use this and have a Hifn card installed. Others may break similarly. Change it into a checkbox option, off by default, and automatically disable it if a conflicting card has been detected.
support mitigating BEAST attack
According to http://redmine.lighttpd.net/projects/lighttpd/wiki/Release-1_4_30
"...by setting
ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
you can mitigate BEAST attacks."
Add independent logging choices to disable logging of bogon network rules and private network rules. Add upgrade code to obey the existing behavior for users (if default block logging was disabled, so is bogon/private rule blocking). Also add a checkbox to disable the lighttpd log for people who don't want their system log spammed by lighty.
Use family parameter for v6 to get correct interface
Provide full path to route binary
Actually try to get the real interface for v6 family to correctly get stf(virtual) interfaces
Fixes to get routes + dns working:
. Simplify code using new parameter of get_staticroutes(). Check for subnets instead of ip addrs. Avoid touch filterdns when we are just updating dns
Use filterdns to update static routes using hostnames
Split system_routing_configure() and teach it to deal with hostnames
Simplify logic
Replace all linklocal checks by is_linklocal()
Shuffle some more logs around to more appropriate places.
Send filterdns logs to the resolver log.
Fix dnsmasq host overrides 'enabled' check.
Fix dnsmasq host overrides and dhcp integration
. Do not execute following actions when dnsmasq is disabled: . Add host overrides to /etc/hosts . Register DHCP leases in DNS Forwarder . Register DHCP static mappings in DNS forwarder
It should fix issue reported at following forum post:...
Show IPv6 link-local IPs as specific sources for ping, traceroute, and port testing.
Make fe80: addresses check case insensitive
Move some code to a function to avoid future duplication. Allow autocomplete on ping page. Add more escaping to command.
Remove *_defaultgwv6 also
Make sure captiveportal section of config is an array, reported on ticket #2838
Avoid Warning: Invalid argument supplied for foreach() in /etc/inc/system.inc
Warning: Invalid argument supplied for foreach() in /etc/inc/system.inc
Don't use captiveportal configuration option variable if it isn't set