Fix inherent issues with isset and empty values set as true by our parser. This made the pipe configuration to be wrong at least for passthrough entries. Ticket #3932
Do not return disabled dynamic gateways
When a dynamic gateway is disabled (by the user through the webGUI), it was still being returned by return_gateways_array(). But when called like that, disabled gateways should not be returned. The first part of the routine was correctly skipping disabled gateways, but then the later part would effectively re-generate those dynamic gateways on-the-fly and not realise they should be skipped because they were disabled....
Fixes #4177 convert password to base64 to be submitted to avoid issues with special chars in shell and HTTP GET parameter passing. Probably should add POST support to fcgicli.
Fixes #3281 do not undo any changes already done for gif/gre interface.
Let the kernel handle REQID rather than handling it manually. The connection name is the one needed here.
Add tracker and label to IPv4 Link-Local block rules.
After the other set of changes had unexpected complications, let's back this out too. Revert "PEAR static method call warning"
This reverts commit 4751f76a6772147097906b699d4216ae38c58c39.
This broke a variety of things. Revert "Deprecated and non-static method messages"
This reverts commit 91b9a02fb131746c67fdf9f34282f123a13f1b13.
PEAR static method call warning
Forum https://forum.pfsense.org/index.php?topic=86478.0
PEAR is used by
IPv6.inc
auth.inc
captiveportal.inc
radius.inc
xmlrpc_client.inc
radius_accounting.inc
radius_authentication.inc
I have just changed this 1 function to "public static"...
disable this PHP error logging, errors that are really significant end up with a crash report, this is more noise than useful at this stage in 2.2.
Catch packets on all interfaces and send them out the correct one. Fixes #4174
Deprecated and non-static method messages
Fix various files that can emit messages like:
PHP Strict Standards: Non-static method SimplePie_Misc::array_unique() should not be called statically, assuming $this from incompatible context in /etc/inc/simplepie/simplepie.inc on line 5508...
Improve URL and URL ports alias update data:
- Move redundant code to a function parse_aliases_file(). Before the max number of items was not being respected when URL content is updated, only when alias was saved. Same was happening with ip/subnet/port validation and user could end up with a bad pf.conf...
Change OpenVPN CARP VIP test to be more accurate. The client should also not be run if the VIP is in the INIT state.
Fix check for cookies, the way it was implemented didn't work because it would need a refresh to check if cookie was set or not. Use javascript to do a simple test
Add a value to cookie, otherwise it's not set. Before my last change parameters were out of order and expiration time was being set as value. It should fix #4069
This is not the place for this setting and weird it's here!
some lagg modes are missing vlanmtu, but work fine with VLANs. Work around it for now at least. Ticket #4186
"Like with like" - move a few functions to better places in the code (they are placed strangely)
A few functions such as ipcmp(), subnet_expand(), and check_subnets_overlap() are in illogical places - away from all the other ip comparison and subnet basic functions and in the middle of alias handling and interface enumeration....
fix strongswan conf file generation with ipcomp. Ticket #4182
Fixes #4188 use the same reqid over same phase1 but different phase2 connections. The dashboard will be fixed with the ticket already open. This should fix a lot of instabilities reported on the forums for people having a dozen or more tunnels
Correct the sense of the check, by default unity is enabled
Provide an advanced setting to be able to disable Unity Plugin (Cisco extensions)
Move to specifically specifying the ID type apart when an ip address to have strongswan do proper behaviour. Also for DynDNS names use the dns type id so strongswan does the resolving by its own.
Don't hard code the target IP in auto-generated outbound NAT rules, use previous behavior of setting it to the interface IP.
split is deprecated move to explode
fix spelling of compression
Fixes #4182 by properly managing IPcomp on ipsec tunnels. Also retires IPsec force reloading advanced sysctl since it's useless nowadays with strongswan and remove its call on rc.newipsecdns.
Fix #4146:
OpenVPN creates the tun/tap interface and, when an IP address is set on it, marks it as UP. In some scenarios, when TAP is set as bridge and doesn't have an IP address set on it, it never goes up and tunnel doesn't work.
If rc.newwanip is called for this TAP interface, UP flag is set, but,...
Log PHP errors. Ticket #4143
Enforce subnet check here to avoid any issues resulting from function call.
Remove useless check, CARP does not depend on interface having another IP set before
Remove some extra spaces
Fix typo on variable name
Tighten and IPv6-ify gen_subnet() etc
Tightens, canonicalises and improves for IPv6, the functions gen_subnet(), gen_subnetv6(), gen_subnet_max(), gen_subnetv6_max()
Changes are transparent to calling code.
Issues:
1) gen_subnet() and gen_subnet_max() will validate both IPv4 and IPv6 as valid args, but will then try to process an IPv6 subnet bitwise as x32 LONG without further checking, causing erroneous but apparently valid responses....
Revert "FreeBSD fails to set advskew back to 0 after you set it to any other"
A patch was added to allow setting advskew back to 0
This reverts commit eea2ad5d61b2cbcf2957207fb0f13769c203cb36.
Add secure flag when necessary to cookie_test, as we do for session cookie, to avoid false positives in common vulnerabilities scanners. It fixes #4069
Allow IPv6 on loopback needs quick
The following block uses "quick" which causes that block to come into effect before the "pass in" here. The pass rule also needs to be "quick".
Problem noted by Andy Sayler on https://redmine.pfsense.org/issues/4074
Before this change, an attempt to manually do something local with IPv6 fails:...
Limit unbound so-rcvbuf: 8m
Issue reported here: https://forum.pfsense.org/index.php?topic=78356.msg472781#msg472781
Most unbound doc places mention setting it at up to 8m. I'm sure it would be possible to investigate more and find a way to make unbound+FreeBSD be able to go higher than 8m. But probably 8m is sufficient for everyone anyway (judging by what the unbound docs seem to assume will be a good value on a busy system)....
Fix #4090:
- Unbound advanced options may contain double quotes and it breaks the syntax when a backup is restored because newlines are trimmed. Saving it in base64 format is a safe way to prevent it
- Bump config version to 11.5
- Provide upgrade code to encode current config or the one that came...
It's supposed to remove windows EOL here, not ;
Do not monitor a gateway that has not got DHCP yet
When an interface is waiting to get DHCP, but the cable is physically-electrically connected to the upstream device, the interface has an IPv4 address 0.0.0.0 - that was getting past here and, if the interface gateway had a monitor IP specified, that monitor IP was being put into apinger.conf and being monitored. Because the interface has not got a gateway yet, no static route is added to force the traffic for the monitor IP out the particular interface. So the traffic to the monitor IP can follow the default route and perhaps succeed in getting out another WAN to the monitor IP....
Fix lineup of copyright lines
and module names and other bits of formatting and typos in header comment sections.
Use binat, not nat, where IPsec NAT is configured with an address for local and NAT. Ticket #4169
Welcome 2015
Add config upgrade code to make sure iketype is set, bump config version to 11.4. It fixes #4163
Allow IPv6 on loopback even where IPv6 is otherwise disabled. The intent of that feature is to prevent IPv6 from communicating on the network. Blocking it on localhost can result in issues and is unnecessary. Ticket #4074
Only set route-to and reply-to on ESP and ISAKMP rules if the remote endpoint is not within the parent interface's subnet. Ticket #4157
Check for fqdn peerid/myids and prepend @ so strongswan does not try to be smart. Also use %any for myid instead of risking putting the wrong value in the secrets file for traffic selector
Oops this should be 0s rather than 00. Linked with Ticket #4158
ipsec_smp_dump_status get out of loop if error
when reading response from socket.
Otherwise it would be in a loop and end up like: https://forum.pfsense.org/index.php?topic=86039.msg471848#msg471848
PHP Fatal error: Maximum execution time of 900 seconds exceeded in /etc/inc/ipsec.inc on line 383...
Unbreak IPsec rules generation for IPsec over CARP. Should help even Ticket #4157
Use base64 encoded secrets which Fixes #4158
Standardise text in priv list
Simplify cron array comparison
This works fine - I had not thought about how arrays are compared. Using "==" checks that the key/value pairs match in both arrays, regardless of the order the arrays happen to be in, which is what we want here. Using "===" would insist that the key/value pairs are also in the same order in the array and that the types and everything match identically, which we do not require.
Minimise config updates when checking cron jobs
Update /etc/ttys from new partition when upgrading nanobsd, and in this case do not call reload_ttys(). It should fix #4140
Remove unused variable
Correctly call function for retrieving stats from ipfw. Fixes #4131
Fixes #4130 Check for a certain size of file to start showing data on dashboard and avoiding xml parser errors
Fix displaying description for IKEv1 connected tunnels
Make this function readable
Merge pull request #1395 from wagonza/RELENG_2_2
Allow dot at end of FQDN for a host
Redmine #4124 has discussion of this.
Pass src dst IP port through to firewall log
and IP version. So that the receiving code can easily have each part of the IP addresses and ports, and display them as it wishes.
Prevent resolvconf(8) from stomping all over our newly generated resolv.conf and subsequent updates.
Add config upgrade code to validate changes made on c2fe67eb and d269747b. It fixes #4134
Correct ipsec status page to make connect button work
Manually merge vpn.inc from master since cherry-picking is very messy to perform.
Correct issue with not reloading CP properly on calling interface configure.
Fix issue reported on https://forum.pfsense.org/index.php?topic=85737.0
Do not apply bw limits if the setting is not enabled in CP. Though still respect radius attributes for now with this setting. Resolves #4127
Correct the leftsubnet specification for transport mode.
Oops, fix this indentation on final config
Remove option that has now been merged into infra-host-ttl.
Remove unused function
Enforce some more checking to avoid https://forum.pfsense.org/index.php?topic=85580.0
include $myid in these PSK lines. Ticket #4126
Simplify logic using a proper function as spotted by Ermal
Replace ; by newlines when upgrading custom_options from unbound packages, it's related to ticket #4090
Add openvpn interfaces to group when they are created, it should fix #4110
Check if interface exists before trying to add it to group
Bump latest_config version that I forgot on previous commit. Spotted by Jim Pingle
syslogd can't just be HUPed to pick up its new config, as many of those are command line arguments. Go back to 2.1x and prior behavior of TERM and restart. Fixes source IP use with syslog among other config changes.
Add a cron item to expire items from webConfigurator lockout, also add config upgrade code. This fixes #4122
Check if interface is disabled when configuring DHCP server. It fixes #4119
Give the proper value for the logging level since even 0 is the correct value coming from GUI.
Make logic more visible as suggested by Ermal
Teach interface_vip_bring_down() to deal with IP Alias over CARP
Use newline to separate unbound custom options during config upgrade, it should fix #4104
Where binding Unbound to *:53, set "interface-automatic: yes" so replies are sourced from the correct IP. Ideally this should always work this way, but setting this causes Unbound to bind to *:53, which shouldn't happen where specific interfaces are chosen. Ticket #4111
Split ICMP and ICMPv6 types on Firewall Rules
- Remove redundant declaration of $icmptypes and move it to a common place (filter.inc)
- Add missing ICMP types for v4
- Add ICMPv6 types
- Adjust javascripts to show correct options depending on IP Protocol...
Make sure this message is only displayed on console
get_failover_interface() is already called inside get_interface_ip(v6), no need to call it twice. It should fix #4089
Use exit instead of return here, otherwise script's return code is always 0 and user with wrong password is authenticated
Disable RC4 ciphers in lighttpd
dyn.dns.he.net uses a self-signed cert, disable verification for it.
Don't try to launch 3gstats unless it's on a valid device.
Proper CA certificates are in place to validate SSL in these cases where it previously couldn't be, remove disabling of verification.