Do not include disabled OpenVPN in vpn_networks and negate_networks
Fix errant display of "0 table deleted" during filter reload on console.
Remove failover peer IP settings from DHCPv6, DHCPv6 doesn't support failover the way that DHCPv4 did. Fixes #3184
Disable kill_states by default on upgrade, it fixes #3183
Allow for easier override on $g values if needed.
Correct check to match the right vip based on configured ip. Reported-by: http://forum.pfsense.org/index.php/topic,66234.0.html
Ticket #3181 do the state flushing only on down gateway detection rather than any time.
Actually the / here is not needed.
Introduce two new functions to be used on locking.
- try_lock: used for trying to get an EXCLUSIVE lock for a specified timeout by default of 5
- unlock_force: which just releases any locks held on a specified lock
Use these new functions on rc.openvpn to avoid spurious stale locks around.
Make the operation of saving old rule nearby the writing operation to be logical to spot
Sprinkle some unsets to reduce footprint and correct some whitespaces
filter_generate_port error log function name
Absolutely minor adjustment to make the error log message refer to the new function name.
Fixes #3173 if any port information exists on the rule then put it on the NEGATE rule generated.
Remove SPD when disable phase2, it fixes #2719
Merge pull request #796 from phil-davis/master
Traffic Shaper GUI text typos
Merge pull request #793 from shahidsheikh/master
Fix #3174 Handling of gateway groups in openvpn_restart()
Bring back static routes to fix issues reported on Ticket #3179
Fix #3004:
. Create a function to replace strings on deep associative arrays. Use the recently created function array_replace_values_recursive to fix VIP interface names instead of touching config.xml directly
Make sure RRD data is restored from backup before upgrading data and a new backup is done after. It should fix #2159
and note the Queue Limit is a number of packets (not packets per second)
touch up text, s/nat/NAT/
Fix #3174 Handling of gateway groups in openvpn_restart()
If the underlying vip of a gateway group that an openvpn client is bound to is in backup mode then the client should not start.
shaper burst may be blank, but if not then must be numeric
Fix #3172, return_gateway_groups_array() was returning the last vip since it was using wrong variable name on iteration
Dummynet does not require burst size specification
Dummynet traffic shaper does not require burst size specification and assumes 0 if not specified. Allow user to leave burst field blank/
Provide get_uptime_sec in a common include file
so it is available to anything that cares.
Use new names for get_memory parameters
Use hw.physmem when calculating pfsense_default_state_size
hw.physmem is the actual amount of memory that FreeBSD/pfSense can get its hands on, so use this for the calculation.
Use updated get_memory var names
The value of minimum_ram_warning is designed to be compared to hw.physmem - so do that. Use the appropriate physmem or realmem value in each place.
Improve var names in get_memory
realmem is the amount of actual (real) memory installed - the size of the RAM card - e.g. 256MB
physmem is the amount of memory available to FreeBSD after BIOS, video... has stolen some of realmem.
The variable names currently used are not very helpful for code readability. This standardises them. No functional change here.
Support the names used by the status page as well as those used internally by service entries.
Delete old route for remote gateway when its IP changes. It fixes #3155
Fixup check for existing easyrule block rule to account for the ipproto and when the ipproto is blank.
Add scope to target when it is a link-local, it helps ticket #3150
Attempt to recognize pfsync entries from pf logs.
Fix selection of IPv6 target IP for IPv6 Outbound NAT rules.
This makes it possible (without source hacking) to do many:1 NAT of IPv6.
Some will rejoice. Some will curse.
This should really only be done in limited, specific circumstances. Don't develop the IPv4 NAT mentality with IPv6.
Use ntpdate from ports also and obsolete base one
Ooops fix this to add only the interface
Add scope identifier to target when its link-local
Add also a special case so the correct ip is returned for the case when WAN is v4 PPP type and v6 is DHCP but with option fetch v6 info from v4.
When using DHCPv6 and only requesting a prefix the communication on the WAN interface will be over link-local so return the link-local address of the interface in this case rather than nothing.
Optimize a bit to try and convert back to friendly interface only when needed
Resolves #2627. When WANv4 is PPP and v6 is DHCP but the option get v6 info from v4 is ticked the real interface is different. For WANv4 is pppXX and for v6 is the real underlying interface. Take this into consideration during interface_bring_down to properly cleanup things
Correctly remove IPv6 addresses from the interface rather than just erroring out. The same trick that works for IPv4 of not specifying address does not work with v6
Even if called with wrong parameters try to do something rather than return here.
Add the check even here when dealing with ipv6 addresses
Handle link local addresses with embedded interface scope on is_ipaddrv6 and also on dnsmasq which is not yet there for these addresses
Unbreak limitrules and probably pfblocker errors. Spotted-by: Jim
When renaming or deleting a virtual server, clean up the old relayd anchor name. Otherwise the rules are still there and valid, and will cause problems as they will override the new VS settings. Also clear out the anchors when stopping relayd or starting fresh that way no old settings could conflict.
Cleanup some code that is not needed anymore
Use pfSense module functions for finding interface v6 addresses. The addresses will not be in friendly format as returned by getnameinfo
Remove prior CSC entry when cleaning up. Fixes #3143
Declare globals as global before defining them in openvpn.inc
Force apinger to write the status file before getting gateway status
Ticket #3139 try to detect if the popen is closed from an error
Fix interface selections on UPnP to show the customized descriptions entered by the user. While here, add an external interface selection knob. Fixes #3141
Conflicts:
etc/inc/pkg-utils.inc
Fix #1047
Remove duplicate polling set
Show apinger as a service when active, and display its status on gateway-related pages.
Don't print this message for a mobile IPsec setup. It's normal for it to not have an endpoint, and not worth spamming the log about.
Try to do the loading operations as close as possible to avoid any issues coming from it
Correct bandwidth assignment so the configuration is not reverted courtesy of ipfw(4) swapped arguments. Reported-by: http://forum.pfsense.org/index.php/topic,65069.0.html
Reload apinger now that we can rather than restarting. Related to Ticket #3119
fix text - s/occured/occurred/
the state type is required/valid for all specifications of protocol, not just the ones formerly listed. For instance, sloppy is valid (and widely used on 2.0.x and some older 2.1x) with "any" protocol.
Resolves #3121. Fix the command so it does perform correctly
Add Zone to the messages logged on syslog from CP to ease troubleshooting
Reorder reverse lookup overrides so user-specified ones are effective
If the user specifies a domain override for 10.in-addr.arpa and also specifies "Do not forward private reverse lookups" then the user-specified entry is not effective. But the code was supposed to allow users to specify individual reverse lookup domain overrides that took precedence....
Fix up filter_pflog_start - optimize some code, and fix $retval so that it will be restarted correctly after killing it.
Show the name of the unresolvable alias name as well as the rule description to avoid ambiguity.
use correct domain names when registering static DHCP entries in DNS
When registering static DHCP entries in DNS, we first try to use the domain name configured for the static entry (if any), then the domain name configured in the DHCP server settings for the corresponding interface (if any), and as a last resort the system domain name....
Fix #3113, fix multiple english spell errors s/seperet/separat/
Optimization has nothing to do with limits
Fix #3106, parse 'not' rules right on destination for port forward + reflection proxy rules
Allow advanced options state-related parameters to be used for TCP, UDP and ICMP
Allows the state-related parameters to be specified for UDP and ICMP as well as TCP. Discussed in forum http://forum.pfsense.org/index.php/topic,64653.0.html
Update rrd.inc
Fix this error
php: rc.bootup: The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/system-mbuf.rrd N:U:U:U:U:U' returned exit code '1', the output was 'ERROR: expected 4 data source readings (got 5) from N:U:U:U:U:U'
Implement an option to allow using the IPv4 connectivity interface for sending the dhcpv6 information. Usually useful for ppp[oe] type links and some ISP
Merge pull request #718 from N0YB/Advanced_DHCP_Client_Options
Fix required options syntax typo
3652 days worth is too much. Scale it back to more reasonable 1.25 x maximum used data (2284 days).
Handle IPv6 in ip_in_interface_alias_subnet()
Merge pull request #714 from phil-davis/master
Minimize inclusion of bogonsv6
Disable the BEAST protection by default because the GUI will break if you use this and have a Hifn card installed. Others may break similarly. Change it into a checkbox option, off by default, and automatically disable it if a conflicting card has been detected.
If "Allow IPv6" is on, but actually there is no enabled interface with "Block bogon networks" enabled, then we also do not need to include the bogonsv6 table into pf.
This allows some more flexibility for users to leave "Allow IPv6" checked, but still not use up memory for bogonsv6.
Don't blow up the config if someone enters int'l chars in an LDAP attribute/DN field. Ticket #2227
Add LDAP server options to control UTF8-encoding of parameters. Fixes #2227. While I'm here, add a checkbox to prevent the stripping of @ from the LDAP username if the user wants the full name transmitted.
Add an RRD graph for MBUFs under system. Tweaks welcome.
Don't generate reflection rules if reflection is disabled for that rule.
Do not break ppp type interfaces on v6
For ppp interfaces the real interface is not present anymore in the xml config section of the interface. Due to this do some more work on extracting the real interface when ipv4 is pppoe/ppp/... and ipv6 configuration files will use the wrong interface to request information from provider. Reported-by: http://forum.pfsense.org/index.php/topic,64483.0.html
Enable filtering on ipfw sysctl not dependent on ipfw module otherwise issue reported here http://forum.pfsense.org/index.php/topic,64412.0.html happens
Ignore errors/warnings from these calls
support mitigating BEAST attack
According to http://redmine.lighttpd.net/projects/lighttpd/wiki/Release-1_4_30
"...by setting
ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
you can mitigate BEAST attacks."
Merge pull request #712 from phil-davis/master
Correctly decide if dhcrelay (v4) is enabled
Correctly decide if dhcrelay is enabled
Merge pull request #711 from phil-davis/master
Teach services code about start stop restart of dhcrelay6
Teach service start stop restart about dhcrelay6
Consistent dhcrelay6 pid file location
Merge pull request #710 from phil-davis/master
Start DHCrelay6 on boot
Fix #3091, fix bad var assignment