Ticket #4418 Actually make each entry a clear token to strongswan parser for dns_split
Ticket #4418 make sure the dns_split is separated with spaces rather than space or comma to comply with strongswan requirements.
Ticket #4418 Make the DNS names attr 28675 space separated as identified by Jeffrey Dvornek
remove old, unused code
Initialize var and move unset outside the loop
Do not request prefix delegation if no tracking interfaces are setup to use it. Ticket #4436
Handle reverse lookup domain overrides
that match exactly a whole block of private address space. e.g. if the user has checked "Do not forward private reverse lookups" and also adds a domain override that matches a whole block of private address space, such as:...
Fix PTR records for aliases in host overrides
Preserve "add routers" value across loop for each interface
Forum: https://forum.pfsense.org/index.php?topic=89302.0
If the user put "none" in the 'gateway' field for the DHCP settings of an interface, that would set $add_routers to false at line 742. Coming around the loop again for a subsequent interface, and going through the else line 744, nothing would set $add_routers back to true (actually back to the value originally calculated at line 461)....
fix Net_IPv6::compress() to properly handle all-zeros address
The existing implementation of Net_IPv6::compress produces an empty string when compressing the all-zeros ("::") address; fix this by checking for empty return values and replacing them with "::".
add dhcp6.name-servers option with DHCPD-PD regardless of PD length
The existing code only includes a v6 name server IP in the automatically generated dhcpdv6 configuration for tracking interfaces if there are additional prefixes that can be delegated on to the next...
Do not add PTR records for aliases in host overrides
Modified DynDns -> Eurodns url
Clean up some old, possibly stale, files when restarting php-fpm
add a couple unnecessary bsdinstaller files to obsoletedfiles
remove unused dfuife files.
Don't hard code harden-referral-path. It defaults to no, so no behavior change, and that setting is unlikely to ever become a default. This allows users to configure an override to enable this option if desired. part of Ticket #4399
Add GUI control for MOBIKE. Hide it when IKEv1 selected. Enable toggling of NAT-T field display so it's on for IKEv1, off for IKEv2. Do same for reauth while here. Ticket #3979
Wait a bit after sending a TERM to syslogd as in some instances it can take too long to stop, and it fails to restart because it's still running at that point. Add a KILL in case it's still running after that. Ticket #4393
Unobsolete libpcre.so.1
Surround some mobile clients attributes with " ( quote ) to help the strongswan parser identify properly the values. Ticket #4418
Unobsolete crypto tools and athstats, ticket #4239
DHCPv6 client rules MUST come before bogons. Add a comment that hopefully sticks out so this stops getting broken. Ticket #3395
Fixes #4390 Properly return the vip subnet now that the CARP might not match its parent interface subnet.
Fixes #4389 The VIP interfaces cannot be assigned since they are just an identification of the VIP for tracking. Consider that when configuring gif/gre. Also on bridges you cannot set a vip interface as its member.
Check if notification is disabled
in send_smtp_message()
Other packages like arpwatch sm.php and cron job output as reported in forum https://forum.pfsense.org/index.php?topic=88347.0 call send_smtp_message() directly, currently bypassing notification disabled checks. I think those packages [are intended to | should be] respecting the notifications disabled setting. People in the forum certainly expect them to respect this setting....
Random text typos
that I noticed.
Remove unset variable, spotted by phil-davis
rrset-cache-size should == 2 * msg-cache-size. Ticket #4367
Fixes #4370 Use the curlies to not confuse php
Actually fix even the openvpn auth user script with proper checks. I thought this was fixed already!
Fixes #4329, Fix even tls.auth script by using proper isset() test as the fixes for other authentication scripts.
Fixes #4397 Make mtu configuration before the ip address assignment. This fixes the issues of link routes having the wrong mtu configured on them.
also add v6 IPs to hosts in the same manner v4 IPs are added. Ticket #4395
remove CGN from "Block private networks" as it was in 2.0x and earlier releases since it specifically notes RFC 1918 and CGN is more bogon. Ticket #4379
Fixes #4381 this was a leftover of the change of zoneids to start from 2.
Use web-gui setting for pap or chap instead of having it hard-coded to chap.
Firmware upgrade script text changes
while I am looking at this, might as well correct these. No function problems or impact.
Fix restartipsec command line script.
Fixes #3669 Handle properly recording of the ipv6 interface new ip and do not issue commands that cannot succeed.
In last case, use dmesg.boot to detect ALIX boards when hw.model is not enough
Silent kenv when smbios.system.product is not present. While here, add VirtualBox to the list of virtualenvs
Allow IPsec clients to properly connect and not stomp over each other. Reported-by https://forum.pfsense.org/index.php?topic=87980.0
Properly calculate the 6rd default gateway honoring netmasks other than /32
Ticket #4353 fix typo on unset var spotted-by: Phil Davis
speedup 'function is_port($port)' speed by skipping calls to getservbyname when possible
need $g here so product_name is set in user agent
Fixes #4360 allow marking a connection as responder only, the same behaviour as mobile connections
Fixes #4359 Allow controlling uniqueids
Fixes #4353 Identify when strongswan.conf needs a reload and restart ipsec service.
Firewall Log does not display logged IGMP packets
If IGMP packets are logged (either pass or block) then parse_filter_line did not set their src and dst IP. Later in the subroutine, it zapped the filter line because it did not have a src and dst. This fixes it. Now the IGMP lines in /var/log/filter.log appear on the Firewall Log GUI.
Fixes #4340 encode username same as with password to avoid issues with special chars.
Set update_url and update_manifest automatically based on version being or not a RELEASE
Fixes #4274 same fix as #4302 enclose in double quotes to tell yacc this is a string to be parsed.
Apparently yacc became more strict in FreeBSD 10. Fixes #4302
Fixes #4275 use double quotes on asn1dn specification so strongswan properly interprets it
Reload filter when IPsec is disabled, fixes #4245
Add support for 0x20 DNS random bit support. Fixes #4205
Support choice of SMTP Authentication Mechanisms
https://redmine.pfsense.org/issues/4176
I have left some documentation here of other mechanisms that someone might care about in future (or not). I left the array with name=>desc so it will be easy if new mechanisms come along that need a description different to the name.
Fix #4318 - gen_subnetv4_max() not working on 32bit
Dynamic DNS wildcard typo
Self-explanatory, just a dumb typo bug
Unimportant typos in user and group manager
that do not affect anything.
Simplify use of other serial ports setting all of them as onifconsole when serial is enabled
Change version to 2.2.1-DEVELOPMENT
Fixes #4257 With the platform_booting() fixes a regression was done on openvpn tap interfaces or dynamic ones that are part of a bridge.
Allow during bootup rc.newwanip to continue up to a certain part to handle bridges or other complex interfaces.
Save the tradition and point to used binaries here
When configuring radvd, check if carp is enabled. Ticket #4252
Do not translate function return string
Fix typo in function name
Strict comparison not necessary here, and makes this fail to work as intended. Fixes #4258
Ticket #4254 do not put duplicate interface names
Ticket #4254 Actually use proper variables all over to have correct route added
Ticket #4254 Actually use proper interface to check if gateway exists
Ticket #4254 Use proper variable
Ticket #4254 actually use the info on the protocol of the vpn specification to be more sure on the family to use
Ticket #4254 Handle even hosts specified through dns name
Ticket #4524 Bring back static routes on ipsec to make sure charon does not send traffic through wrong iface. This handles properly ipv6
Be compliant with gateway groups specified on ipsec. Ticket #4254
Ticket #4254 Actually fix this on 2.2 branch since vips are not handled by get_real_interface apparently!
When radvd is configured on a CARP interface, enable it when it is MASTER and disable when go to BACKUP. It should fix #4252
Ticket #4254 specify the list of interfaces to be used by charon. This is a workaround for now. Being investigated the fix.
Use the parent NIC rather than the VIP. Fixes part of Ticket #4252
The reset button check should happen on all platforms, not only NanoBSD
Add reset button support for APU and FW7541
add detection for 7541, APU
Set $arch accordingly to release
change update URLs for release
Bump to 2.2-RELEASE
Validate if both IP address and subnet are valid and the same version. Fixes #4223
Just do an update since it will handle itself properly.
Revert "Move to specifically specifying the ID type apart when an ip address to have strongswan do proper behaviour. Also for DynDNS names use the dns type id so strongswan does the resolving by its own."
This reverts commit 1ada4c8c514cc33b0df6238b7f2f177078bfe2e8.
Revert "Fix typos introduced by chaning to explicit id specification when necessary. Fixes #4202"
This reverts commit 324311043385aed357ca8838bde2c3af3111e564.
Add RSA keys even for eap-mschapv2
Add EAP-MSChapv2 implementation for Windows ipsec support as reported here https://forum.pfsense.org/index.php?topic=81657.15
Oops add missing curly
Also take care of ph1 mobile settings for eap-tls
Obsolete libpng15 in favour of libpng16
Correctly handle number of cores and power of 2. Merged from the package already had this. Fixes #4212
Add some safety belts here to be safe
Heh bump the config version