Include additional subnets for RAs in radvd.conf. Ticket #4468
Fix up Ticket #4504 implementation. Match config style with other areas. Use a config setting to disable, rather than enable, this functionality since it's enabled by default so the tag isn't necessary in the default config. Remove now unnecessary config upgrade code.
fix typo. Ticket #4504
Remove array_intersect_key here too, definitely not needed. add to obsoletedfiles
uploadbar dir no longer needed
Prevent empty addresses for being put in the ruleset. Ticket #4564
Ticket #4504 actually make it correct
Upgraded configurations should keep the default configuration of bypassing lan from ipsec. Ticket #4504
Fixes #4504 Provide a newline to generate proper config
Fixes #4504 Allow the bypass policy for LAN to be enabled and prevent traffic sent to lan ip to go to the ipsec tunnel
Only use mobile clients PFS config with mobile ph2ent. Ticket #4538
disable SSL validation for selfhost since it fails. Ticket #4545
enable ike_name for daemon facility as well, to add connection identifiers to logs.
Use real interface here for dhcrelay v6. Ticket #4572
0 could be valid for hostname aliases too. Ticket #4573
Don't omit hosts specified as "0". Ticket #4573
Bug #4566 Only route-to a gateway if it is not force_down
When generating policy-routing rules there was no check if a gateway had force-down set, so gateway with force_down set would still get policy-routing rules written for it, even if skip_rules_gw_down was enabled.
call this RCC-VE rather than C2358
Add a check for whether IPsec is enabled, so it doesn't spit out "IPsecdaemon not running or has a problem!" when IPsec isn't enabled.
Merge manually pull request #1593
Remove wireless cards from ALTQ-capable interfaces, since ALTQ is broken on wlandev in FreeBSD 10.x at the moment. Ticket #4406
add missing )
Include net.key.preferred_oldsa in the sysctl list, set to 0 (disable) so it doesn't fall through to the default (1).
Always include general setup DNS servers in unbound.conf
when forwarding mode is on. The General Setup setting "Allow DNS server list to be overridden by DHCP/PPP on WAN" has always been used in dnsmasq to ADD DHCP/PPP provided DNS servers to the list, while also keeping the DNS servers specified in General Setup. That behavior is needed if:...
Only list nameservers once in resolv.conf
I was on a test system and had an upstream DNS server IP specified in System-General Setup. WAN was setup with a static IP and a gateway to that upstream device. All good. Then I also checked "Allow DNS server list to be overridden by DHCP/PPP on WAN" and changed WAN to be DHCP. It received by DHCP the same DNS server IP that already happened to be in General Setup (and the same gateway IP - not the issue here)....
Eliminate the "this_device" test from the resync check in rc.openvpn. It is not necessary to check, as the only times a gateway event should trigger the VPN to restart are when the current and new devices differ. This also allows us to simplify the code a bit and eliminate some single-use variables....
The logic of this test seems to be incorrect. If the interface is the same, this test will fail, and that's the one case that should not need a resync. The logic in this test has been flipped and reversed a few times over the years and without comments it's difficult to discern its true purpose.
Be consistent about Unbound service descriptive name
Forum: https://forum.pfsense.org/index.php?topic=91075.0
For DNS Forwarder (dnsmasq): 1) dnsmasq is the name of the service; 2) DNS Forwarder is the text description
Make Unbound consistent with that, so that menu names and services status display and... work in the same way:...
Use `none` instead of a whitespace in sshd_config
Use the `none` keyword instead of a whitespace to disable the FreeBSD version in sshd_config.
Add option for wireless standard "auto", to omit "mode" entirely from ifconfig. This shouldn't be necessary, but specifying mode has proven to trigger driver problems that don't exist if it's left unspecified (such as FreeBSD PR 198680). Choosing "auto" fixes ath(4) BSS mode issues otherwise preventing it from connecting.
Bump version to 2.2.2-DEVELOPMENT
Use subnet address in OPT net rules
Example: LAN IP 10.0.1.1/24, OPT1 IP 10.0.2.1/24. Rules with SRC or DST LANnet correctly have 10.0.0.0/24 (the subnet base address) in /tmp/rules.debug. Rules with SRC or DST OPT1net have 10.0.2.1/24 (the OPT1 IP address with OPT1 net mask) in /tmp/rules.debug...
It's time for 2.2.1-RELEASE
txpower was disabled for good reason it would appear, it triggers syntax errors in some configurations. Disable it again since it's been disabled for years, and comment out the user-facing config portion for now since it doesn't do anything. Ticket #4516
add missing double == in ipsec.inc
Missing double equals in captiveportal.inc
Looking at where this is nested inside various if statements, I do not think this error did too much harm - only to the $mac['descr'] - in this particular code flow $username is not used for important stuff after this point....
Set txpower since that seems to work fine now. Explicitly set authmode wpa here, though it's also handled by the supplicant/authenticator. Ticket #4516
Do not start filterdns during boot until a proper fix is done. Ticket #4296
If we bail not being able to find the P1 source, log an error.
White space in ipsec.inc
White space in filter.inc. Conflicts: etc/inc/filter.inc
use-compression is no longer a valid config option in lighttpd, it can't be enabled. This just throws an error in the log, remove it.
Fix IPsec on CARP IPs, broken when fixing IPsec with gateway groups and VIPs.
Move libstrongswan-unity.so when Unity plugin is disabled so it can't modify the P2. Workaround for Ticket #4178
Conflicts: etc/inc/vpn.inc
Remove -U from mtree call used to restore files permissions, this is replacing symlink targets by the old values. Ticket #4328
add granular control of state timeouts. Ticket #4509
Explicit disable ssl.use-compression on lighty config. It should fix #4230
Remove BEAST protection option since default cipher is now good and works with hifn cards
Add a log message when hostres SNMP module is ignored on APU boards
Disable SNMP hostres module on APU boards until we figure out why it's crashing on this specific board. Ticket #4403
Leave adaptive.start and end at their defaults (60% and 120% of the state limit, respectively) if not user-overridden.
Update cipher-list in web interface to prefer PFS. Ticket #4230
Check for not up, rather than down, as there are a variety of potential statuses that are not up. Ticket #4502
Need global $ipsec_idhandling here.
Don't enable interfaces_use by default. Add checkbox to enable on Advanced tab, in case there are scenarios where it's desirable. Ticket #4341
Check if it's an array before call foreach(). Ticket
Stop trying to fix dns_split during strongswan config generation, we have an upgrade code in place for that, it should fix #4418
dns_split was a comma separated list and moved to use space as separator, provide upgrade code to make sure old configs are converted. Since there was a config upgrade version 11.7 only on master, I pushed it to 11.8 and used dns_split one as 11.7 to be able to backport it to RELENG_2_2. Ticket #4418
Use get_failover_interface here to find appropriate interface. Ticket #4482
Conflicts: etc/inc/ipsec.inc
same change as previous commit, for IPv6. Ticket #4482
Use the parent interface, not the _vip for interfaces_use. Part of Ticket #4482
Destroy stf interface when 6rd or 6to4 tunnel is disabled. Fixes #4471
Conflicts: etc/inc/interfaces.inc
Be nicer when checking if alias is numeric
Because an ordinary port can be numeric here. Forum: https://forum.pfsense.org/index.php?topic=89906.0 Conflicts: etc/inc/util.inc
Remove the harden-glue option entirely and hard code it to yes. Ticket #4402
Skip any numeric-only aliases in the ruleset to prevent errors from those who configured them on previous versions where that was allowed. Ticket
Add missing comma. Fixes #4485
Enable UnicastOnly in radvd for ovpn* interfaces. Ticket #4455
Tweak the carp demotion factors slightly to avoid CARP transitions that are most likely unnecessary.
Be safe use require_once in zeromq
I was testing code and just doing stuff like: require_once("zeromq.inc"); in Diagnostics->Command Prompt, PHP Execute. That brings an error because underneath that PHP Execute code it has already included auth.inc. I guess zeromq.inc is used quite separately to the rest of the system, and must be OK just having a "require" here. But it seems safer to always use require_once, just in case it gets called in a new way/sequence....
Remove "Prefer old SA" option, and ignore it in all existing configurations. Breaks things in many cases with strongSwan. For the very rare circumstances where this is actually desirable, it's just a sysctl that can be set in tunables.
Ancient bug on upgrade_014_to_015
This code looked silly the way it was, with the construct: $var = $var; unset($var);
Seems it was accidentally changed to this way many years ago by https://github.com/pfsense/pfsense/commit/588a183b0e58f09932ffef35cc0003cca2313aba...
Fix typo (trime->trim)
interface_netgraph_needed can miss setting found equals true
This routine seems to go looking to see if the passed-in interface is PPP-style. At the end, if it is not PPP-style then it calls pfsense_ngctl_detach. This foreach loop in its current state will always exit after the first iteration that is not mode "server". But it looks like it should look through all the 'pppoe' entries until it finds the interface or gets to the end....
remove unused legacy code
Log ifconfig commands used to setup wireless interfaces
Put the bits to use the new reset utility
Ticket #4418 Actually make each entry a clear token to strongswan parser for dns_split
Ticket #4418 make sure the dns_split is separated with spaces rather than space or comma to comply with strongswan requirements.
Ticket #4418 Make the DNS names attr 28675 space separated as identified by Jeffrey Dvornek
remove old, unused code
Initialize var and move unset outside the loop
Do not request prefix delegation if no tracking interfaces are setup to use it. Ticket #4436
Handle reverse lookup domain overrides
that match exactly a whole block of private address space, e.g. if the user has checked "Do not forward private reverse lookups" and also adds a domain override that matches a whole block of private address space, such as:...
Fix PTR records for aliases in host overrides
Preserve "add routers" value across loop for each interface
Forum: https://forum.pfsense.org/index.php?topic=89302.0
If the user put "none" in the 'gateway' field for the DHCP settings of an interface, that would set $add_routers to false at line 742. Coming around the loop again for a subsequent interface, and going through the else line 744, nothing would set $add_routers back to true (actually back to the value originally calculated at line 461)....
fix Net_IPv6::compress() to properly handle all-zeros address
The existing implementation of Net_IPv6::compress produces an empty string when compressing the all-zeros ("::") address; fix this by checking for empty return values and replacing them with "::".
add dhcp6.name-servers option with DHCPD-PD regardless of PD length
The existing code only includes a v6 name server IP in the automatically generated dhcpdv6 configuration for tracking interfaces if there are additional prefixes that can be delegated on to the next...
Do not add PTR records for aliases in host overrides
Modified DynDns -> Eurodns url
Clean up some old, possibly stale, files when restarting php-fpm
add a couple unnecessary bsdinstaller files to obsoletedfiles
remove unused dfuife files.
Don't hard code harden-referral-path. It defaults to no, so no behavior change, and that setting is unlikely to ever become a default. This allows users to configure an override to enable this option if desired. part of Ticket #4399
Add GUI control for MOBIKE. Hide it when IKEv1 selected. Enable toggling of NAT-T field display so it's on for IKEv1, off for IKEv2. Do same for reauth while here. Ticket #3979
Wait a bit after sending a TERM to syslogd as in some instances it can take too long to stop, and it fails to restart because it's still running at that point. Add a KILL in case it's still running after that. Ticket #4393
Unobsolete libpcre.so.1
Surround some mobile clients attributes with " ( quote ) to help the strongswan parser identify properly the values. Ticket #4418
Unobsolete crypto tools and athstats, ticket #4239
DHCPv6 client rules MUST come before bogons. Add a comment that hopefully sticks out so this stops getting broken. Ticket #3395
Fixes #4390 Properly return the vip subnet now that the CARP might not match its parent interface subnet.