Remove duplicate 'ppp' case in switch statement
Allow to configure new modes for phase1 according to RFC 5903 by manually merging pull request #1501 partially. While here preserve style.
Merge pull request #1617 from Gertjanpfsense/master
Implement make before break feature available on strongswan 5.3.0 useful for IKEv2. Fixes #4626
Do not try to add package tabs info to config
Remove broken code that was supposed to add packages tabs entries to config.xml. Since tag['name'] doesn't exist, it only adds the first item of first installed package, and in the end this is not used at all since...
Merge pull request #1620 from ibauersachs/newipsecdns-eap-radius
Fix php module names since check is case sensitive
Make auth_get_authserver_list available to vpn.inc
This is a follow-up to PR #1612 and avoids a crash in this script at random times.
Update voucher.inc
As https://redmine.pfsense.org/issues/4625
Fixes #4625 correct disconnection of users especially when called from xmlrpc code.
Merge pull request #1612 from ibauersachs/ipsec-mobile-eap-radius
Always do a filter reload in vpn_ipsec_configure to ensure the ruleset is updated where necessary in every IPsec change scenario.
Remove boot_serial='yes' from loader.conf when serial is disabled, error introduced by me on commit 986e77a2eab
Fix unbound warning when dnsallowoverride off and forwarding on
Reported in forum: https://forum.pfsense.org/index.php?topic=92437.0
The $ns array was being used further down, but if dnsallowoverride was off, the array never got created.
Define var_path global key since it is being used in interfaces.inc, but it was not being declared anywhere
Add support for EAP-RADIUS to IKEv2 Mobile Clients
Merge pull request #1601 from phil-davis/check-overlapping-subnets
Re-enable verification for selfhost since their chain issue is resolved. Ticket #4545
set forcesync to 1 by default for now, testing potential impact for Ticket #4523.
Revert "Make forcesync default to the same behavior as freebsd rather than as intended for cf cards. People with issues on CF can enable the tunable"
This reverts commit 34dced26198480d7b02e80578df40336fef89043.
Make forcesync default to the same behavior as freebsd rather than as intended for cf cards. People with issues on CF can enable the tunable
Remove redundant/unused call to kldstat
Fix operator
Fix typo in variable name
Merge pull request #1603 from phil-davis/patch-1
Don't remove all of /usr/local/libdata as obsolete files. User-installed package contents may live there, factory default configs live there.
Merge pull request #1605 from Robert-Nelson/issue-4603
Merge pull request #1600 from Robert-Nelson/remove-obsolete-logging
Only initialize package's log if it doesn't exist
Fix OpenVPN server listening on associated IPv6 address
As reported in forum https://forum.pfsense.org/index.php?topic=92174.0 If the ordinary interface is selected for an OpenVPN server and an IPV6 protocol is selected (e.g. UDP6) then all is good, the "local" line in the server1.conf is written with the primary IPv6 address of the interface....
Setup ADI boards to boot only using serial to avoid duplicated output when VGA redirection is enabled
Check for overlapping subnets when saving interface addresses
This checks if a static IP address entered for an interface has a subnet that overlaps with any other configured subnet. e.g.: LAN is IPv4 10.10.12.1/24. Then try to set OPT1 to 10.10.13.1/23 - it overlaps with LAN because...
Remove obsolete logging code which is duplicated in system_syslogd_start()
Merge pull request #1467 from PiBa-NL/php_errorlog
Skip reflection rdrs where the interface doesn't have an IP. Ticket #4564
Allow disabling the APIPA block via hidden config option. Very rarely necessary or desirable, but Amazon VPC VPNs use that as their tunnel subnet with BGP setups.
Only restore rrd.tgz where platform is appropriate, or RAM disk being used, otherwise you're restoring a probably old backup file. Ticket #4531
Add Super Micro C2758 to the list of known platforms
Merge pull request #1595 from dneuhaeuser/patch-1
Merge pull request #1597 from phil-davis/Common-typos
php error logging should 're-fix' with less side effects for now.. https://redmine.pfsense.org/issues/4143
Code style
Couple of spaces for new code merged from an old repo/branch
Un-screw-up merge
Include additional subnets for RAs in radvd.conf. Ticket #4468
Conflicts: etc/inc/services.inc
Fix up Ticket #4504 implementation. Match config style with other areas. Use a config setting to disable, rather than enable, this functionality since it's enabled by default so the tag isn't necessary in the default config. Remove now unnecessary config upgrade code.
fix type. Ticket #4504
Few minor text typos
Note that advertise is spelt with an "s" in other places in the GUI, so making it consistent in services_ntpd - but maybe Americans do spell it "advertize" these days?
add etc/inc/array_intersect_key.inc to obsoletedfiles
shouldn't need this as its own inc anymore, but only changing in master since 2_2 nearing release
uploadbar dir no longer needed
verify certs by default here
Prevent empty addresses from being put in the ruleset. Ticket #4564
Ticket #4504 actually make it correct
Upgraded configurations should keep the default configuration of bypassing lan from ipsec. Ticket #4504
Fixes #4504 Provide a newline to generate proper config
Fixes #4504 Allow the bypass policy for LAN to be enabled and prevent traffic sent to lan ip to go to the ipsec tunnel
small correction of relative paths to icons
Only use mobile clients PFS config with mobile ph2ent. Ticket #4538
Conflicts: etc/inc/vpn.inc
disable SSL validation for selfhost since it fails. Ticket #4545
enable ike_name for daemon facility as well, to add connection identifiers to logs.
Use real interface here for dhcrelay v6. Ticket #4572
Don't omit hosts specified as "0". Ticket #4573
Merge pull request #1594 from phil-davis/patch-1
call this RCC-VE rather than C2358
Add a check for whether IPsec is enabled, so it doesn't spit out "IPsec daemon not running or has a problem!" when IPsec isn't enabled.
Bug #4566 Only route-to a gateway if it is not force_down
When generating policy-routing rules there was no check if a gateway had force-down set, so gateway with force_down set would still get policy-routing rules written for it, even if skip_rules_gw_down was enabled.
Fix IPsec Advanced Settings uniqueids. It was neither set in strongswan config, nor picked up correctly in the UI.
Fix brackets
that I broke - sorry, I did test on a 2.2.1 system but then had to make my changes into a master version to submit the pull request. Obviously I missed this! Chris noticed it in 2.2-RELENG branch already with commit https://github.com/pfsense/pfsense/commit/e593bac7e025eaec50e2591557c76fe27c254b32
Remove wireless cards from ALTQ-capable interfaces, since ALTQ is broken on wlandev in FreeBSD 10.x at the moment. Ticket #4406
Merge pull request #1572 from jlduran/no-server-header
Merge pull request #1578 from Robert-Nelson/rfc2136_ignore_ipv4_ipv6
Include net.key.preferred_oldsa in the sysctl list, set to 0 (disable) so it doesn't fall through to the default (1).
Change to Record Type with A and AAAA as values.
Use address types instead of addresses.
Merge branch 'master' into rfc2136_ignore_ipv4_ipv6
Merge pull request #1586 from phil-davis/patch-6
Merge pull request #1584 from phil-davis/patch-2
Merge pull request #1575 from k-paulius/misc-dhcp6c
Always include general setup DNS servers in unbound.conf
when forwarding mode is on. The General Setup setting "Allow DNS server list to be overridden by DHCP/PPP on WAN" has always been used in dnsmasq to ADD DHCP/PPP provided DNS servers to the list, while also keeping the DNS servers specified in General Setup. That behavior is needed if:...
Disable lighttpd server header
Set the `server.tag` to an empty string to prevent lighttpd from displaying the version number in the header.
Only list nameservers once in resolv.conf
I was on a test system and had an upstream DNS server IP specified in System-General Setup. WAN was setup with a static IP and a gateway to that upstream device. All good. Then I also checked "Allow DNS server list to be overridden by DHCP/PPP on WAN" and changed WAN to be DHCP. It received by DHCP the same DNS server IP that already happened to be in General Setup (and the same gateway IP - not the issue here)....
Eliminate the "this_device" test from the resync check in rc.openvpn. It is not necessary to check, as the only times a gateway event should trigger the VPN to restart are when the current and new devices differ. This also allows us to simplify the code a bit and eliminate some single-use variables....
The logic of this test seems to be incorrect. If the interface is the same, this test will fail, and that's the one case that should not need a resync. The logic in this test has been flipped and reversed a few times over the years and without comments it's difficult to discern its true purpose.
Suppress errors when opening custom DHCP config file and check if content was successfully retrieved. Prevents PHP from throwing error in case file does not exist.
Log to syslog and get rid of useless variable.
Use radio buttons to select between IPv4, IPv6 or Both.
Be consistent about Unbound service descriptive name
Forum: https://forum.pfsense.org/index.php?topic=91075.0
For DNS Forwarder (dnsmasq) 1) dnsmasq is the name of the service 2) DNS Forwarder is the text description
Make Unbound consistent with that, so that menu names and services status display and... work in the same way:...
Add option to not register IPv4 and/or IPv6 addresses.
Merge pull request #1486 from jlduran/patch-1
Remove old dhcp6c and rtsold config scripts when bringing down interface.
Suppress errors when opening custom DHCP6 config file and check if content was successfully retrieved. Prevents PHP from throwing error in case file does not exist.
A mix of literal tabs, spaces and \t is used in dhcp6c config file code. Convert everything to use \t.
DHCP6 config file override, advanced and basic settings override each other so put them in single if/else statement rather than always generating all three setting types.
Add option for wireless standard "auto", to omit "mode" entirely from ifconfig. This shouldn't be necessary, but specifying mode has proven to trigger driver problems that don't exist if it's left unspecified (such as FreeBSD PR 198680). Choosing "auto" fixes ath(4) BSS mode issues otherwise preventing it from connecting.
Use `none` instead of a whitespace in sshd_config
Use the `none` keyword instead of a whitespace to disable the FreeBSD version in sshd_config.
Merge pull request #1564 from phil-davis/patch-2
Use subnet address in OPT net rules
Example: LAN IP 10.0.1.1/24 OPT1 IP 10.0.2.1/24 Rules with SRC or DST LANnet correctly have 10.0.0.0/24 (the subnet base address) in /tmp/rules.debug Rules with SRC or DST OPT1net have 10.0.2.1/24 (the OPT1 IP address with OPT1 net mask) in /tmp/rules.debug...
Update get_possible_traffic_source_addresses returned array format
With this change it looks to me like the way it is intended to be, based on what was done to get_possible_listen_ips() Please review and check if this is what was intended for the code. With...
txpower was disabled for good reason it would appear, it triggers syntax errors in some configurations. Disable it again since it's been disabled for years, and comment out the user-facing config portion for now since it doesn't do anything. Ticket #4516
correct missing == in ipsec.inc