Wrap this in an is_array() test, or else if you have no manually configured DNS servers, saving the DHCP settings produces a PHP error.
Merge pull request #986 from andrespetralli/master
Re-enabling static lease updates
Small correction for clear code
Ticket #3484 Correct the case for GRE tunnels as well since they behave the same. GRE seems to need the prefixlen 128 specified all the time so do it explicitly to be on safe side
Ticket #3484 Note that for now prefixlen is useless in ipv6 tunnels. IPv4 accepts them
Fixes #3484. Provide a dynamic gateway for gif v6 tunnels so it can be used on firewall rules etc. The guide for setting up these tunnels on docs needs to change to leave the gif interface as none type. People upgrading need to fix this themselves with a note on release notes. This can be fixed if the kernel condition is relaxed to allow setting the prefixlen on the tunnel as ipv4
Make the IPSec status page work with strongswan
Oops forgot the query message
Add a function to read the status of connections/SAs/SPDs from smp plugin of StrongSWAN. No need to go through the setkey dumps
Make xmlreader parse any document and properly consider listtags specified and attributes. Probably should be made the default due to its speed.
Parse even attributes when present
Push log changes for IPSec and fix generation of strongswan.conf and ipsec.secrets to be properly considered
Fix #3483 only use IPv4 DNS servers in DHCP v4 conf
Make is_linklocal case-insensitive and fix #3433
Fix #2302, save custom uploaded l7 pattern files on config.xml and replicate it to slave
Set variable after making sure it's defined and has elements
Fix whitespace and indent
Properly detect when there are issues with communicating with syncip and to use the local DB for this. Otherwise detect if the remote says the voucher is not valid say it's not valid.
Properly compile the query to insert the values. Pointy-hat: myself. While here respect the redirurl when passed to portal_allow and use proper function to do redirection.
Merge pull request #959 from stilez/patch-3
Tighten is_subnet() functions
Ticket #2627. Just pass the array over no need to traverse it
Fixes #2627. When an interface goes down try to shut the RAs and dhcpd6 service on that interface
Avoid recursion of convert_real_interface_to_friendly_interface_name with get_parent and on linkup of parent interface properly configure especially useful on ppp type links
Merge pull request #960 from stilez/patch-4
Tighten is_validaliasname()
Be friendly to memory
Fix problem with the voucher synching that was introduced during conversion to zones
is_validaliasname() treats "empty string" as a valid alias name, it probably shouldn't.
I suspect it also should not allow purely numeric names ('53'), or pure underscore ('_'), or reserved port names ('tcp', 'http'), as valid alias names for other things. Too much risk of issue/ambiguity which isn't helpful in a router/security device, and no obvious upside to it....
The is_subnet(), is_subnetv4() and is_subnetv6() functions have significant issues in their coding logic.
Issues:
1) Functions use is_numeric(), so they validate invalid bitcount parts such as '1.1.1.1/6.5' or '::8000/94.7' as valid subnet strings...
Rather than having issues with not started radvd try to start radvd to discover by itself the prefix on the interface by using the special directive :: on the prefix declaration. Related to many tickets and forum posts
Correct obvious bug in IPv6.inc
s/PEAR.php/PEAR.inc/
Actually take latest one from github. It has some more checks and more execution time penalties but catches more errors
Update IPV6.inc to latest 1.2.1 version
If set use the default bandwidth setting on the CP even for mac passthrough. Reported-by: https://forum.pfsense.org/index.php/topic,72761.0.html
Use the default bw specification if configured even for allowed ip and hostname.
Do some more error checking and put secondary radius attributes only if configured. Probably radius configuration should be merged with central server for logins!
silence any errors
Tighten is_numeric()
Improvements:
1) avoids 'expensive' preg_match() and is a more exact test
2) fixes logic whereby an empty string or anything converted to an empty string, is deemed a valid 'numeric' value
(If an empty string can validate as numeric, it's possible that in some cases a number is expected and missing in a string, but not detected, causing malformed rules or subnet bitcounts, and unexpected issues or vulnerabilities)...
More code fixes for ntpd
Merge pull request #929 from nagyrobi/patch-3
Update system.inc
Merge pull request #928 from nagyrobi/patch-2
Update rrd.inc
Fix #3469
Before downloading file to process urltable, there is a random waittime between 5 and 60 seconds. Because of this, the difference between file mtime and current time can be less than $freq * 86400 and it'll be skipped. Add 90 seconds (60 of max random wait + 30 just to be sure) to...
Fix #3468, wording fix
Merge pull request #945 from phildd/master
Enhance interface gateway data entry descriptions
Only add dhcpv6 client allow rules if ipv6allow is set
Move 'allow dhcpv6 client' rules above block bogonsv6 ones, it should fix #3395
corrected path
Corrections made as requested
Add new NTPd functions
Add NTP graphing to RRD
Update priv.defs.inc
Revert "Replaced gethostbyname() with gethostbynamel() to get a list of all IPs associated with the dns name and add them to the allowed list"
This change is not needed, filterdns will handle it.
This reverts commit d460371416d4e2cfef976d5a7616f63f6faa203f.
Do not do any operations on system libraries. Nowadays pbis are used and those do not break things by definition
Merge pull request #891 from PiBa-NL/captive_disable
captive portal, don't generate rules for a disabled portal
Merge pull request #890 from N0YB/Gateway_Monitor
Gateway Monitor Advanced Settings
Merge pull request #904 from dv-user1/master
Replaced gethostbyname() with gethostbynamel() to get a list of all IPs ...
Revert "Pass the family to the get_real_interface function to retrieve the correct real interface. Might help Ticket #3357"
This reverts commit cb431dbf47c53b72119bd8feca0217e1c25d998b.
Really need the interface where v6 is running to add the gateway/route rather than the one used for the configuration. This Fixes #3357
Pass the family to the get_real_interface function to retrieve the correct real interface. Might help Ticket #3357
Put a timeout of 30 seconds to aid with Ticket #3412
Move this global declaration to the proper file rather than backend code
Use correct parameter (bootfile-url) to configure netboot on DHCPdv6, it fixes #3421
Fix typo on variable name and really add custom options for dhcpdv6
Normally when an ip is set the interface comes up on BSD stacks. Though push this commit which Fixes #3281
Whitespace fix
Grab exec result just to be careful
Put a kludge for now which Fixes #3280. It should be improved later on to have proper handling and overloading of configuration functions
Consider setting of noconcurrent login for passthrough expiry of users. Fixes #3340
Merge 10 -> 10.1 and 10.1 -> 10.2 function upgrade since the recent changes done on 2.1.1 for Ticket #3441
Use the 11th column for the radius context rather than overriding the interim interval field with it. Fixes #3447
Add a knob to let the user select which console (video or serial) is preferred in cases where there are multiple consoles present. Also provide a way to force this preference.
Add a mechanism by which the serial port can be forced on always regardless of the config setting. (useful for nano+vga setups)
Add https to update URLs and replace RELENG_8_3 by RELENG_10_0
Abort installation when pbi_add fails
Obsolete old ipsec tools files
Be specific on the authentication method to use since xauth-eap will be active as well
Correct script path
Remove references to racoon and correct some handling of ipsec configuration
Remove copy paste leftover
If specified add authentication script configuration to strongswan.conf
Remove not used anymore parameters
Teach script to read authentication servers from environment
Fix symlink calls adding full link name, it fixes issue reported at https://forum.pfsense.org/index.php/topic,72405.0.html
Properly set the configuration here based on https://forum.pfsense.org/index.php/topic,68531.0.html
Make improvement to the check
Check for tmp captiveportal dir before making it
In forum: https://forum.pfsense.org/index.php/topic,72483.0.html
Warning: mkdir(): File exists in /etc/inc/system.inc on line 878
Not sure if you would rather call safe_mkdir here?
Declare $config global so we can test the pkg_nochecksig option
Replaced gethostbyname() with gethostbynamel() to get a list of all IPs associated with the dns name and add them to the allowed list
Add specific permission for easyrule.
Add support for signed PBI, help ticket #3365:
- Add an option to allow user to accept unsigned packages
- The only missing part is public key, that needs to be added to /var/db/pbi/keys/pfSense.ssl
Fix test, allows restoring last backup in the list. Fixes #3438
First swing at converting from racoon to StrongSWAN. It allows to use existing configurations on xml to generate StrongSWAN configurations. So it's only IKEv1
escapeshellarg() is not required here
Teach php-fpm about our required environment path
Revert "Set PATH before call pbi related binaries"
This was pushed by mistake
This reverts commit 4c9bda43f5bcfd5ba9812c84199bbe4f1f158960.
Silence recently added symlink() calls
Fix some wrong escapeshellarg() calls