Ticket #4254 Use proper variable
Ticket #4254 actually use the info on the protocol of the vpn specification to be more sure on the family to use
Ticket #4254 Handle even hosts specified through dns name
Ticket #4524 Bring back static routes on ipsec to make sure charon does not send traffic through wrong iface. This handles properly ipv6
Be compliant with gateway groups specified on ipsec. Ticket #4254
Ticket #4254 Actually fix this on 2.2 branch since vips are not handled by get_real_interface apparently!
When radvd is configured on a CARP interface, enable it when it is MASTER and disable when go to BACKUP. It should fix #4252
Ticket #4254 specify the list of interfaces to be used by charon. This is a workaround for now. Being investigated the fix.
Use the parent NIC rather than the VIP. Fixes part of Ticket #4252
The reset button check should happen on all platforms, not only NanoBSD
Add reset button support for APU and FW7541
add detection for 7541, APU
Set $arch accordingly to release
change update URLs for release
Bump to 2.2-RELEASE
Validate if both IP address and subnet are valid and the same version. Fixes #4223
Just do an update since it will handle itself properly.
Revert "Move to specifically specifying the ID type apart when an ip address to have strongswan do proper behaviour. Also for DynDNS names use the dns type id so strongswan does the resolving by its own."
This reverts commit 1ada4c8c514cc33b0df6238b7f2f177078bfe2e8.
Revert "Fix typos introduced by changing to explicit id specification when necessary. Fixes #4202"
This reverts commit 324311043385aed357ca8838bde2c3af3111e564.
Add RSA keys even for eap-mschapv2
Add EAP-MSChapv2 implementation for Windows ipsec support as reported here https://forum.pfsense.org/index.php?topic=81657.15
Oops add missing curly
Also take care of ph1 mobile settings for eap-tls
Obsolete libpng15 in favour of libpng16
Correctly handle number of cores and power of 2. Merged from the package already had this. Fixes #4212
Add some safety belts here to be safe
Heh bump the config version
To avoid issues with clashing SAIDs go back to specifying the reqid in strongswan config.
To be able to manage this, first upgrade the config to assign each phase2 a reqid. Second, use that during config generation
Ticket #4208
Unbound is compiled with libevent so setting this to always be 4096.
Allow for overhead and up maximum limit from 8 to 32, also only set it if it's set to 4 or above. Fixes https://forum.pfsense.org/index.php?topic=78356.msg472781#msg472781
Do not leak firewall rules as well when (re)creating rules
Fix spell typo spotted by phil-davis
Fix typos introduced by changing to explicit id specification when necessary. Fixes #4202
Fix cut paste brain fade
Restart PHP-FPM allow to setup ini file
I was just using console menu option 16 Restart PHP-FPM and it hung on a nanoBSD system. I found /tmp/php_errors.txt with this in it: "override rw-r--r-- root/wheel for /usr/local/etc/php.ini?" Flying blind at the console I entered "y", then /tmp/php_errors.txt had this:...
Use this generation now of committing pipes directly and only rules to put on ruleset to avoid memory pressure and the timelimit will then be enforced by the caller
Revert "Ticket #3932 Use array_map to get more parallelism when there are many entries. This makes it not reach the execution timeout with large entries."
This reverts commit 7077addc5a5058fab4b4dc7678270c1000d342c9.
Actually improve the previous resource leak commit since the function is there but it was not being used during init_rules process.
Do not override the passwd string. First it prevents the md5 working if the crypt() check fails and also is useless to override it since the parameter is passed by value and not by reference.
Ticket #3932 Use array_map to get more parallelism when there are many entries. This makes it not reach the execution timeout with large entries.
Fix inherent issues with isset and empty values set as true by our parser. This made the pipe configuration to be wrong at least for passthrough entries. Ticket #3932
Do not return disabled dynamic gateways
When a dynamic gateway is disabled (by the user through the webGUI), it was still being returned by return_gateways_array(). But when called like that, disabled gateways should not be returned. The first part of the routine was correctly skipping disabled gateways, but then the later part would effectively re-generate those dynamic gateways on-the-fly and not realise they should be skipped because they were disabled....
Fixes #4177 convert password to base64 to be submitted to avoid issues with special chars in shell and HTTP GET parameter passing. Probably should add POST support to fcgicli.
Fixes #3281 do not undo any changes already done for gif/gre interface.
Let the kernel handle REQID rather than handling it manually. The connection name is the one needed here.
Add tracker and label to IPv4 Link-Local block rules.
After the other set of changes had unexpected complications, let's back this out too. Revert "PEAR static method call warning"
This reverts commit 4751f76a6772147097906b699d4216ae38c58c39.
This broke a variety of things. Revert "Deprecated and non-static method messages"
This reverts commit 91b9a02fb131746c67fdf9f34282f123a13f1b13.
PEAR static method call warning
Forum https://forum.pfsense.org/index.php?topic=86478.0
PEAR is used by IPv6.inc, auth.inc, captiveportal.inc, radius.inc, xmlrpc_client.inc, radius_accounting.inc, radius_authentication.inc
I have just changed this 1 function to "public static"...
disable this PHP error logging, errors that are really significant end up with a crash report, this is more noise than useful at this stage in 2.2.
Catch packets on all interfaces and send them out the correct one. Fixes #4174
Deprecated and non-static method messages
Fix various files that can emit messages like: PHP Strict Standards: Non-static method SimplePie_Misc::array_unique() should not be called statically, assuming $this from incompatible context in /etc/inc/simplepie/simplepie.inc on line 5508...
Improve URL and URL ports alias update data:
- Move redundant code to a function parse_aliases_file(). Before the max number of items was not being respected when URL content is updated, only when alias was saved. Same was happening with ip/subnet/port validation and user could end up with a bad pf.conf...
Change OpenVPN CARP VIP test to be more accurate. The client should also not be run if the VIP is in the INIT state.
Unobsolete libcurl.so.4 since it's installed by recent versions of curl package
Fix check for cookies, the way it was implemented didn't work because it would need a refresh to check if cookie was set or not. Use javascript to do a simple test
Add a value to cookie, otherwise it's not set. Before my last change parameters were out of order and expiration time was being set as value. It should fix #4069
This is not the place for this setting and weird it's here!
some lagg modes are missing vlanmtu, but work fine with VLANs. Work around it for now at least. Ticket #4186
"Like with like" - move a few functions to better places in the code (they are placed strangely)
A few functions such as ipcmp(), subnet_expand(), and check_subnets_overlap() are in illogical places - away from all the other ip comparison and subnet basic functions and in the middle of alias handling and interface enumeration....
fix strongswan conf file generation with ipcomp. Ticket #4182
Fixes #4188 use the same reqid over same phase1 but different phase2 connections. The dashboard will be fixed with the ticket already open. This should fix a lot of instabilities reported on the forums for people having a dozen or more tunnels
Correct the sense of the check by default unity is enabled
Provide an advanced setting to be able to disable Unity Plugin(Cisco extensions)
Move to specifically specifying the ID type apart when an ip address to have strongswan do proper behaviour. Also for DynDNS names use the dns type id so strongswan does the resolving by its own.
Don't hard code the target IP in auto-generated outbound NAT rules, use previous behavior of setting it to the interface IP.
split is deprecated move to explode
fix spelling of compression
Fixes #4182 by properly managing IPcomp on ipsec tunnels. Also retires IPsec force reloading advanced sysctl since it's useless nowadays with strongswan and remove its call on rc.newipsecdns.
Fix #4146:
OpenVPN create the tun/tap interface and, when set an IP address to it, mark it as UP. In some scenarios, when TAP is set as bridge and doesn't have an IP address set on it, it never goes up and tunnel doesn't work.
If rc.newwanip is called for this TAP interface, UP flag is set, but,...
Log PHP errors. Ticket #4143
Enforce subnet check here to avoid any issues resulting from function call.
Remove useless check, CARP does not depend of interface having another IP set before
Remove some extra spaces
Fix typo on variable name
Tighten and IPv6-ify gen_subnet() etc
Tightens, canonicalises and improves for IPv6, the functions gen_subnet(), gen_subnetv6(), gen_subnet_max(), gen_subnetv6_max()
Changes are transparent to calling code.
Issues:
1) gen_subnet() and gen_subnet_max() will validate both IPv4 and IPv6 as valid args, but will then try to process an IPv6 subnet bitwise as x32 LONG without further checking, causing erroneous but apparently valid responses....
Revert "FreeBSD fails to set advskew back to 0 after you set it to any other"
A patch was added to allow set advskew back to 0
This reverts commit eea2ad5d61b2cbcf2957207fb0f13769c203cb36.
Add secure flag when necessary to cookie_test, as we do for session cookie, to avoid false positives in common vulnerabilities scanners. It fixes #4069
Allow IPv6 on loopback needs quick
The following block uses "quick" which causes that block to come into effect before the "pass in" here. The pass rule also needs to be "quick". Problem noted by Andy Sayler on https://redmine.pfsense.org/issues/4074. Before this change, an attempt to manually do something local with IPv6 fails:...
Limit unbound so-rcvbuf: 8m
Issue reported here: https://forum.pfsense.org/index.php?topic=78356.msg472781#msg472781
Most unbound doc places mention setting it at up to 8m. I'm sure it would be possible to investigate more and find a way to make unbound+FreeBSD be able to go higher than 8m. But probably 8m is sufficient for everyone anyway (judging by what the unbound docs seem to assume will be a good value on a busy system)....
Fix #4090:
- Unbound advanced options may contain double quotes and it breaks the syntax when a backup is restored because newlines are trimmed. Save it in base64 format is a safe way to prevent it
- Bump config version to 11.5
- Provide upgrade code to encode current config or the one that came...
It's supposed to remove windows EOL here, not ;
Do not monitor a gateway that has not got DHCP yet
When an interface is waiting to get DHCP, but the cable is physically-electrically connected to the upstream device, the interface has an IPv4 address 0.0.0.0 - that was getting past here and, if the interface gateway had a monitor IP specified, that monitor IP was being put into apinger.conf and being monitored. Because the interface has not got a gateway yet, no static route is added to force the traffic for the monitor IP out the particular interface. So the traffic to the monitor IP can follow the default route and perhaps succeed in getting out another WAN to the monitor IP....
Fix lineup of copyright lines
and module names and other bits of formatting and typos in header comment sections.
Use binat, not nat, where IPsec NAT is configured with an address for local and NAT. Ticket #4169
Welcome 2015
Add config upgrade code to make sure iketype is set, bump config version to 11.4. It fixes #4163
libreadline.so.6 is not supposed to be obsoleted, fixes #4159
Allow IPv6 on loopback even where IPv6 is otherwise disabled. The intent of that feature is to prevent IPv6 from communicating on the network. Blocking it on localhost can result in issues and is unnecessary. Ticket #4074
Reload Unbound after IP changes, to fix issues noted in Ticket #4095. Do so before Dynamic DNS updates occur to ensure the host has functioning DNS.
Only set route-to and reply-to on ESP and ISAKMP rules if the remote endpoint is not within the parent interface's subnet. Ticket #4157
Check for fqdn peerid/myids and prepend @ so strongswan does not try to be smart. Also use %any for myid instead of risking putting the wrong value in the secrets file for traffic selector
Oops this should be 0s rather than 00. Linked with Ticket #4158
ipsec_smp_dump_status get out of loop if error
when reading response from socket. Otherwise it would be in a loop and end up like: https://forum.pfsense.org/index.php?topic=86039.msg471848#msg471848
PHP Fatal error: Maximum execution time of 900 seconds exceeded in /etc/inc/ipsec.inc on line 383...
Unbreak IPsec rules generation for IPsec over CARP. Should help even Ticket #4157
Use base64 encoded secrets which Fixes #4158
Standardise text in priv list
Simplify cron array comparison
This works fine - I had not thought about how arrays are compared. Using "==" checks that the key/value pairs match in both arrays, regardless of the order the arrays happen to be in, which is what we want here. Using "===" would insist that the key/value pairs are also in the same order in the array and that the types and everything match identically, which we do not require.