Update etc/inc/priv.defs.inc
Include privileges for Diagnostics Sockets page
Don't die silently if the time is too far off. Fix from: dhatz
Allow for changing OpenVPN TUN to TAP device mode without reboot.
We should also resync openvpn clients since they can use gateway groups too.
don't log here, users can define their own logging rules if they want logging
Merge pull request #223 from PiBa-NL/master
Firewall log, alternating color rows & sorting improvements.
gitsync: Improve parameter handling to allow hyphenated options anywhere in the parameter list. (previously only allowed them at the end)
gitsync: Add --minimal parameter that installs only the updated files.
Fix special build_commit tag that was broken from previous change to how it read the file with the commit ID.
Add support for multiple DHCP pools within the interface's subnet, and allow most of the settings for the main range to be set specific inside the pool. (e.g. it allows setting different gateways and DNS for different pools). Still needs improved input validation to prevent overlapping ranges/pools.
(line endings UNIX format..)
Firewall log alternating colored rows
Firewall log sortable
Fixed several sorting issues in widgets and other pages
Sorting now possible on multiple rows in the header tables
Sorting now possible for text that starts with IPv4:port
Force resync of vpns and dns even if the IP doesn't change in rc.newwanip, since we could be doing failover/failback for these services.
Add note about mac matching and media type.
Add some safety checks against empty entries
Allow/deny access to DHCP by partial MAC matching.
Make the openvpn resync less intrusive, only trigger this if the OpenVPN interface is actually a gateway group name. Otherwise we skip.
Make the gateway group member check a boolean, might convert to something else at a later time so we could check group memberships. Also launch the dyndns configure if the dyndns interface is a gateway group name, could check membership later if we wanted.
Always prepend the hostname we are working on
Make sure we process dyndns interfaces that use a failover group when processed from rc.newwanip, which just passes an interface.
Add function that checks if the interface is part of a gateway group.
Reference the correct variable here, it was broken before and could never have worked.
Remove the filter configure call as this could otherwise lead to a recursive filter configure.
Bail here so we don't make invalid rules for IPsec if this is empty.
Added a setting for configuring the firewall log to either:
- Not load descriptions
- Show descriptions in a column
- Show descriptions on a second row (after a click on 'show descriptions')
'fixed' a few html validation issues..
Changed firewall log to show the applied rule description directly on screen, also layout optimization for "Show raw filter logs".
Don't add ldapcfg to racoon.conf since we're not using racoon's built-in LDAP support now. Moving to external script-based auth, see ticket #1112
No need for these other lines on nanobsd, and it can interfere with booting on some devices.
Add another test here for Nano+VGA to preserve the console selection.
Fix up tcpdump for pflog stop/start a little, consolidate code, and restart tcpdump for pflog when saving log settings.
Simplify schedules code and some style nits
Month matching for scheduler rules
Fix some obvious things in the firewall scheduled rules code. If a user has some rules with a month specified and some without, then this will make a difference. Might fix bug #2614?
Correct filter tdr install_cron function
Don't put this rule in if $carp_int is empty, it makes an invalid rule. Fixes #2605
Restructure these IP/subnet tests so they don't break transport mode.
Fix bug reported in http://forum.pfsense.org/index.php/topic,53000.0.html
Tidy console package install progress percentage
This makes the file download percentage progress come out at the end of the line. New values are updated by using backspaces to rub out the previous value.
Fix ntp config syntax for the version we're using
Try harder to determine hostname when sending e-mail.
This file won't exist at bootup yet, drop it from the sanity test.
Teach ntpd how to get its time from a local GPS on serial.
Correct carp rules and a weird nat rule on carp so they actually generate what they are meant for
Fix secondary auth source to reference the zone like everything else in this section does, which is where the gui stores the value.
Put proper curlies since this is the meaning of this test so it's readable
Remove extra curly to allow checking braces closure easily in vi[m]
More shortcuts
Add a hidden menu option to forcefully kill php, lighty, and then restart the GUI. (Can't make it a part of rc.restart_webgui since killing php would also kill the script itself.)
Remove comments which may begin with a ';' so URL Table entries like SpamHaus' drop list can be used
Refine the formatting of the service status icon a bit depending on its context.
Add some safety belts.
Add/use some more similarly styled icons here, for a more consistent look.
Fixup openvpn shortcut bar status/control
Give status icon a title/tooltip
Print service title in tooltip for shortcut bar
Start revamp of shortcuts, central file to hold links, also service status/control, added to dns forwarder as example.
Fixup output formatting
Consolidate a bunch of duplicate service status code
Add forgotten "ipv6 remote network", clean up a couple bits, make sure local network box is hidden for shared key servers.
Catch another error here
Make sure we don't have any extra whitespace here.
Change rcfileprefix to a constant
Minor text typo in DynDNS log message
I noticed the "Inital" typo in my syslog, so thought I might as well scan through the DynDNS messages and fix it up.
Minor fix to percentage output on pkg install
A variable not changed in a cut-paste. When on console, update_progress_bar should also only be called for 1-9 then every 10% progress, to reduce serial output volume.
Activate more Hash, DH, and PFS options that are available in racoon now. Note that SHA256-512 are RFC4868 compliant in FreeBSD, may break with other incompatible stacks.
Ensure conf_mount_rw and conf_mount_ro are matched
On nanobsd, running /etc/rc.update_bogons.sh gives:
[2.1-BETA0][admin@test02.homedomain]/tmp(12): /etc/rc.update_bogons.sh 1
/etc/rc.update_bogons.sh: cannot create /etc/bogonsv6: Read-only file system
The code does 1 conf_mount_rw but 2 conf_mount_ro...
Tidy package cleanup output
Add a "done." and newline after "Cleaning up..." Then when output is going to the serial console the next line will start cleanly and %age figures will not write over the top of "Clean".
Tidy up percentage logging to console
When on the console, the code only intended to update the percentage downloaded every 10%. Due to string-and-int type differences, the test was not working, all percentages were being logged. This is fixed. Also, add a newline after 100% - then whatever outputs next gets a clean start on a new line of output....
Ensure this gets a set default value or things can break
Correct variable name. Fixes #2571
Silence tar command to not garble console
To not clobber the console add \r when outputting status information on console
Correct mod_evasive setting per CP to conform to what the CP page description says. Resolves #2270
Refine test
Do some cleanup of code for zones
Correct generation of lighty config for CP now that zone is passed as parameter
Merge pull request #196 from mtharp/dhcpv6-relay
Get DHCPv6 relay working (#1663)
Try to keep existing files rather than unlinking/replacing when restoring the package libraries during a package removal. Needs some testing, but for NanoBSD it fixes #1049
Unlock on return
There is no need to remove the @ from function names. Also properly unlock in case of exception. Size is constant and we know it no need for extra call to shmop. Put some more error checking just in case
Don't conf_mount_rw every time packages are listed
Every time System:Packages is selected, the code does a conf_mount_rw, checks for existence of some dirs, then does conf_mount_ro. This makes navigating the package install GUI slow on nanobsd, and it is not needed....
Make access to shared memory atomic
Use lock and unlock to make sure that all incrementing and decrementing of the reference count in the shared memory section is atomic. This ensures that there are not unusual timing conditions that could see 2 callers trying to update the reference count at the same time, which could result in the count never returning to zero. If that happened, then the filesystems would never be restored to read-only. (this is really just relevant to nanobsd) (note that shmop_* calls in php do not do any locking themselves - callers must coordinate their own access to the shared memory section)...
Construct the arguments to dhcrelay -6 correctly
Implements ticket #1663
Fix negative test
Pad data when adding to refcount reference, to avoid some oddities with how php handles such data. http://forum.pfsense.org/index.php/topic,51188.msg278141.html#msg278141
Remove this filter configure call, something else will take care of this and we don't need to do that here.
Suppress the error message if the ldap bind doesn't happen
99./8 is not private IP space
Add the new 100.64/10 nat 444 CGN/LSN shared transition space netblock here. Also add it as a private network in the private network block
Merge pull request #192 from phil-davis/master
Validate advanced gateway monitoring settings
Allow dom_title width parameter to be null
This prevents warning messages if called without the width parameter - reported in forum http://forum.pfsense.org/index.php/topic,51822.0.html
The code already handles width being NULL or blank, it just needs to be explicitly defaulted when the parameter is not passed at all.
Put apinger default values into a function
The default advanced apinger parameter values are now returned by function return_apinger_defaults. So they can easily be obtained by any code that cares.
Add done after NTP Time Client start message
Add a done and newline so the console messages at boot all line up the same.
Merge pull request #98 from namezero111111/patch-1
Minimal non-intrusive change for SSHDCond package extra parameters
Remove unused set_time_limit in php.ini
Expand cipher list and remove a cipher that Safari on iOS does not like after recent lighttpd changes. Fixes #2553
Fix these perms too
Fix perms on rc.openvpn, seems to work with that set.
Actually reflect the right timeout values for redmine ticket #2552
Set the date.timezone from the XML directly when we setup PHP to prevent messages
Adjust the timeouts to something more sane than 99999999. Do note that these might need to be adjusted later.
Also note that most of these are not applicable when used from the CLI....