Enforce some more checking to avoid https://forum.pfsense.org/index.php?topic=85580.0
include $myid in these PSK lines. Ticket #4126
Simplify logic using a proper function as spotted by Ermal
Replace ; by newlines when upgrading custom_options from unbound packages, it's related to ticket #4090
Add openvpn interfaces to group when they are created, it should fix #4110
Check if interface exists before trying to add it to group
Bump latest_config version that I forgot on previous commit. Spotted by Jim Pingle
syslogd can't just be HUPed to pick up its new config, as many of those are command line arguments. Go back to 2.1x and prior behavior of TERM and restart. Fixes source IP use with syslog among other config changes.
Add a cron item to expire items from webConfiguratorlockout, also add config upgrade code. This fixes #4122
Check if interface is disabled when configuring DHCP server. It fixes #4119
Give the proper value for the logging level since even 0 is the correct value coming from GUI.
Make logic more visible as suggested by Ermal
Teach interface_vip_bring_down() to deal with IP Alias over CARP
Use newline to separate unbound custom options during config upgrade, it should fix #4104
Where binding Unbound to *:53, set "interface-automatic: yes" so replies are sourced from the correct IP. Ideally this should always work this way, but setting this causes Unbound to bind to *:53, which shouldn't happen where specific interfaces are chosen. Ticket #4111
Split ICMP and ICMPv6 types on Firewall Rules
- Remove redundant declaration of $icmptypes and move it to a common place (filter.inc)
- Add missing ICMP types for v4
- Add ICMPv6 types
- Adjust javascripts to show correct options depending of IP Protocol...
Make sure this message is only displayed on console
get_failover_interface() is already called inside get_interface_ip(v6), no need to call it twice. It should fix #4089
Use exit instead of return here, otherwise script's return code is always 0 and user with wrong password is authenticated
Disable RC4 ciphers in lighttpd
dyn.dns.he.net uses a self-signed cert, disable verification for it.
Don't try to launch 3gstats unless it's on a valid device.
Proper CA certificates are in place to validate SSL in these cases where it previously couldn't be, remove disabling of verification.
replace spaces with tabs
After discussion with Ermal, remove this to force consumers to send things properly. I fixed the scenario in Unbound where it was sending IPs to these functions rather than an interface, so this has no functional diff.
Don't include link-locals as unbound interface candidates
Unbound does not presently support link-local interfaces.
Fix update url since now we have RELENG_2_2
Proper fix was put on f658bac
Revert "Can't skip this if booting, ends up breaking config. Ticket #4071"
This reverts commit effb3a3cfe4e57b781f35ba8a145eb627014d8ce.
change the ordering of dhcpd_configure and unbound_configure here, claims on forum it fixes issue I can't seem to replicate.
Merge pull request #1360 from jean-m-cyr/master
Link local interfaces don't have subnet.. don't create access-control statement
Selecting link local interface for unbound causes invalid access-control statement in unbound config since link local address doesn't have subnet.
Can't skip this if booting, ends up breaking config. Ticket #4071
fix IPv6 static routes, is_ipaddrv6 returns true for strings including a CIDR mask, which then ended up broken.
Change our default resolv-retry back to OpenVPN's default. Changing this didn't help the ticket where it was intended to help, which was later fixed differently. This change in defaults is problematic in a lot of scenarios, go back to the way things were before. Ticket #3894
Merge pull request #1357 from DasTestament/patch-1
reload Unbound here, fixes some instances of PD-assigned v6 IPs missing from unbound.conf
If get_interface_ip(v6) is passed an IP, return the IP.
Properly set up interface binding for v6 link local IPs. Ticket #4021
except had to comment out the fix for now because of #4062 to avoid config breakage.
Preserve exit code lost from s/exit/return/
Cleanup whitespace.
Remove exit from as much as possible backend code
Comment out copy paste of v4 code. No need to delete arp entries on v6.
also take into account the "all" option in Unbound Network Interfaces when setting 127.0.0.1 into resolv.conf.
Update filter.inc
Add missing gettext.
p.s: Is it really needed to log? Lots of rules causes lots of spam on ifaces without gw. Such kind of this logging should be controllable by user via option at least.
Unlink temporary xml file to avoid filling up space with junk files
Only set i_dont_care_about_security_and_use_aggressive_mode_psk=yes where there is a P1 with aggressive+PSK enabled. Log a warning when such a configuration is in use.
Correctly delete xml file after restore and conversion to rrd
When doing "Generating RRD graphs" at bootup, the data is restored from /cf/conf/rrd.tgz into xml format files in /var/db/rrd. Those xml files are then converted to rrd files. After that, the xml files should be deleted - but the xml file path was not quite right, so they were not being deleted....
Fix bracketing of if statement in unbound
Stops message:
Warning: in_array() expects parameter 2 to be array, null given in /etc/inc/unbound.inc on line 607
The problem was introduced when lines 607-608 were added without adding these brackets.
IMHO programming standards should include ALWAYS using brackets for "if" and other similar statements. That way this sort of code addition accident does not happen. But I guess there are others who have different opinions.
fix syntax on prefix6 for DHCPv6 PD
Add input validation on vpn_ipsec_settings.php. Fixes #4052.
Skip v6 WANs in Unbound access-control. Ticket #4023
fix v6 access-control in Unbound, Ticket #4023
Ticket #4009 Force serial console whenever the installer told us so.
check if Unbound is enabled in addition to dnsmasq for v6 DNS assignment. Fixes #4051
Fix input validation for DNS resolver when localhost is enabled in resolv.conf and "all" chosen in Network Interfaces. While here, set something other than '' when all is chosen.
Correct some logic and remove temporary files
Make restore one by one to help https://forum.pfsense.org/index.php?topic=84693.0
Correct typo on variable. Should help https://forum.pfsense.org/index.php?topic=84451.0
Add a parameter on platform_booting to help detect if it's on GUI on console and use it in appropriate places, it fixes #4049
Fix sapi name check to detect if it's on console, ticket #4049
Remove the . here they just confuse things as in Ticket #4049. Also check that the script is called from console to trigger the conversion and mounting of floppy.
Remove these booting settings since are useless
Bring back the old way of waiting for 3 times of 10 seconds on bootup for a ppp type interface to come up. while here also do bringup of virtual interfaces only when not booting
Use function for determining if its ppp type
Cleanup some code and use function for easier management
Add option to disable auto-added access-control entries for users who want to manually manage ACLs. Ticket #4023
Fixes #4040 for pppoe use static route with -iface option to help when more than one pppoe has the same gateway. Also kill states when reloading apinger to catch up with new route
Make the parsing of setkey -d(SAs) more reliable. Fixes #4043
Correct logic of skipping for gif/gre/bridge on top of _vips. Even though this is not anymore a problem in 10 since the vip is on the physical interface but for now its ok.
Put the safety belts for rrds on its proper location. No need to create /tmp and change permissions on these paths
Fix Unbound host_entries.conf warnings on console during boot
system_hosts_generate() tried to make /var/unbound/host_entries.conf at various times in the boot sequence before the main Unbound start code was called. But these early calls to unbound-related things did not have any check to see if /var/unbound was created yet....
Setup rrd dir before calling create_gateway_quality_rrd
Stops error:
ERROR: opening '/var/db/rrd/WAN_DHCP-quality.rrd': No such file or directory
in system log during boot.
Forum: https://forum.pfsense.org/index.php?topic=84627.0
Use the undocumented -q options of devd to reduce spamming on logs. pfSense scripts do their logging so not necessary to have devd in there.
Do not run this during bootup
Optimize
Do not run this code during upgrade and if ost is booting up
Actually comment this code out since it causes more troubles than solves for any type
Just indent code to make it more readable.
Make at least the code correct here even though it does not make sense on what it does!
Mute this since only spams logs when interface is not there
Move these functions nearby since they are related
Actually get the correct value here!
Actually consider parentmtu 0 here to get the real value when unassigned
Properly respect other configured MTUs for other vlans. Properly respect parent of vlan MTU if configured. Also avoid errors when possible. This helps VLANs MTU handling but all the other interfaces as gre/gif/... needs the same handling. It is better to require reboot on MTU changes especially on complex configurations.
Partially revert the previous modification on vlan mtu. The function job is to find the biggest mtu between vlans and let it do that
convert_real_interface_to_friendly_interface_name() goes and checks the parent and this gives wrong information 99.9 percent of the time on scenarios like when this is called for unassigned vlans etc, while its real purpose is just to check if the interface is assigned and return the intermediate/config name of the interface. Leave the get_parent_option there in the function but it needs to be asked specifically for.
Skip the interface being configured from the list to check the mtu
Seems somehow globals.inc are not being sucked in on the GUI git diff! Make this a requirement here!
Add checks for requirement as array here. Reported-by: garga
Fix the function missing from config.inc. Spotted-by: garga
Rather than set the g['booting'] on globals provide a function to test for that doing the right checks
Remove the booting signal if not needed to fix some issues reported on the GUI
Use the new available function
include 169.254./16 in unbound's DNS rebinding protection
include Unbound access-control entries for local IPv6 networks reachable via static route. Ticket #4023
Skip interface subnets for IPv4 here, this is best handled via the NAT networks list. Ticket #4023
Use the subnets automatic outbound NAT uses for tonatsubnets for Unbound's access-control config, as this is a good source of what networks are internal. Ticket #4023
correct logic here to omit 127.0.0.1 from resolv.conf when no DNS resolver bound there.
fix typo