pfSense

Update the years in the Copyright notice.

Introduce Kea DHCP

Update DDNS split host+domain list. Fixes #14783

Align pfSense and OS locale names. Fixes #13776

Extend support for SCTP in firewall and NAT rules. Implement #14640

Work around weak certificates for nginx. Implements #14672

• Generalize and move function that creates self-signed certs
• Detect weak cert when starting GUI and re-generate
• Check for weak cert in GUI on upgrade and re-generate
• Check for weak cert in Captive Portal zones on upgrade and...

Check OpenVPN instances for deprecated items

• Check for weak certificate digests. Implements #14677
• Check for deprecated encryption and digests. Implements #14686

Refactor translation target for outbound NAT

Add dynamic DNS support for Porkbun DNS, closes #14402

Signed-off-by: Nita Vesa <nita.vesa@elektrik.link>

Use the new notation from 877e6b53c7e76f0bcb02621d290a4e325941fd1c.

No functional changes.

Add the missing 'pkg_repos_path' global.

Rerported and tested by: KrisM

Add iwlwifi support

Update memory calulations. Implements #14011

• Update memory usage calculation for system info widget
• Add RRD data sources for new memory areas
• Upgrade code to expand current memory RRD file with new DS entries
• Make code that composes the commands which fetch memory info more...

Update copyright years to include 2023

Rector direct global g accesses

Use rtrim for trimming whitespace and EOLs from version files

Cleanup globals.inc. Use single quotes on scalar strings.

Add append hook to globals.inc.

Remove duplicate reserved alias names. Fix #13524

ipsec: disable any tunnels using 3des, blowfish, cast128 or md5 during upgrades

Redmine: #9247

Update reserved alias names. Fix #13524

Silence warnings about missing global key 'booting'

store dnsmasq custom_options as base64

Captive Portal ipfw->pf transition. Todo #13100

New methods for killing states. Implements #12092

LAGG hashing option. Implements #12819

Multiple DHCP6 WAN connections. Fixes #6880

Allow the selection of "any" interface in floating rules. Implements #12392

Keep command line history WebGUI option. Implements #12675

Update the Copyright year of the files owned by Rubicon/Netgate.

Backup and Restore SSH Host Key(s). Feature #11118

Bump up the config version to match a change in plus.

• Removes disk usage from system information widget
• Adds Pfsense\Services\Filesystem\ library
• Adds new disk widget

Update IPsec Filter Mode text. Implements #12289

VTI mode also works for transport mode (e.g. GRE), so note that as well.

Install ACB cron job on upgrade

Prototype cron script to upload ACB backups per #12193

IPsec updates to address multiple issues

• Configure/apply code changes. * Vast performance increase. Fixes #12026 * Changed connection naming to be easier to interpret. Issue #11910
• VTI interface numbering changes. * Name is now "ipsec<reqid>" since reqid is unique per P2 and a low number....

IPsec PKCS#11 support as an optional feature. Issue #11933

1:1 NAT IPsec/OpenVPN/L2TP/PPPoE and interface groups input validation fix. Issue #11751

Add IPsec GUI control for Child SA Start Action. Implements #11576

VTI: Fix interface number limit

Code introduced by commit 3b85b43bb4b tried to keep the old way used to
decided VTI interface number using reqid and index but it was wrong and
allowed numbers bigger than limit (32767) to be used.

This commit removes this logic completely and use incremental numbers...

WireGuard removal: Fix config

Keep `wgpeer` item defined as an array on xmlparse.inc to prevent errors
on config files while they already have WG config items. It can be
safely removed in the next major version.

Created a new config upgrade code to remove wireguard items from config...

Remove WireGuard support

Out of an abundance of caution while we investigate the claims about
WireGuard in public, we need to remove it from pfSense Plus and CE in
order to shield customers from potential risk.

Add option to set IPsec filtering mode. Implements #11395

User can choose between filtering enc (tunnel+VTI) or filtering on
assigned VTI interface tabs (VTI only, drops all tunnel mode traffic).
See https://redmine.pfsense.org/issues/11395 for details.

Typo

Add registered trdemark symbol where appropriate

Retire VXLAN support

VXLAN support is not enterprise ready and after internal discussion we
decided we are not able to support it. We are committed to release
features only when they are ready.

Fixes the saving of peers settings in GUI.

The previous commits had a few mistakes which were fixed in here.

Fixes the WG configuration path and creation.

The GUI is now working as expected to add, edit and save the WG tunnel entries.

Outlines config.xml => wireguard config files utility

IPsec P1/P2 expiration and replacement refresh. Implements #11219

Update the Copyright year.

A subsequent commit will deal with .po's.

Add product_label global variable

Introduce product_label global variable, by default with same value of
product_name. The idea is to make it easier for rebranded products to
change the name on all visual texts while internal structures are
preserved.

While here, remove deprecated $g['platform'] and also replace places...

Remove use of deprecated $g['platform']

Unbound custom TLS port fix. Issue #11051

OpenVPN data cipher negotiation updates. Fixes #10919

• Rename "NCP Algorithms" to "Data Encryption Algorithms" to reflect the change in OpenVPN (frontend and backend, e.g. "ncp-ciphers" changes to "data_ciphers")
• Change "Encryption Algorithm" to "Fallback Data Encryption Algorithm" and move it below "Data Encryption Algorithms"...

Set correct cat command path. Fixes #11032

Create key and zone section for static DHCP mappings. Issue #10224

System DNS Server changes. Implements #10931

There are significant changes here, but ultimately should be a smooth
transition. See https://redmine.pfsense.org/issues/10931 for more
details.

Backup/restore DHCP v4/v6 leases. Implements #10910

Remove extra 00 padding of VTI interface names. Issue #9592

Upgrade PHP to 7.4.x

Add a system option to handle the queue API usage in hn NICs.

A single queue is used in order to enable the ALTQ support, but some people may
prefer performance over the ALTQ features.

Ticket: #9647

Fix #9647.

Instead of forcing the defaults in the OS driver (introducing yet another
change), set the default to enable ALTQ support for hnX NICs in loader.conf.

Ticket: #9647

Merge pull request #4362 from vktg/pf25rtwnregexp

Bump up config version to 20.6.

Create an upgrade function to run console_configure() and force an update
of the boot loader settings.

This is intended to force the Switch settings update (in factory).

pfSense 2.5 rtwn(4) wireless regexp. Fixes #10677

Fix duplicate upgrade function. Fixes #10652

Use close_action=trap, not hold. Fixes #10632

Feature #10392: Improved/unified wording, removed link3, fixed empty() vs !== bug, fixed upgrade code. Increased config to 20.3.

Fix #10525: Handle Chinese (Hong Kong / Taiwan) locale rename

Update SSL refs to SSL/TLS. Fixes #10172

Remove some outdated references. Issue #10156

This is 2020. Issue #9245

Rework IPsec P1 Lifetime GUI options. Fixes #9983

Move syslog format var to syslog.inc. Issue #9808

In some cases, PHP is unhappy with calls to gettext() in globals.inc

Add option for RFC5424 syslog format. Implements #9808

Lower default_cert_expiredays warning threshold to 27 days

Even at 28, ACME still sometimes warns unnecessarily just before renewal.

Merge pull request #4098 from vktg/delzombiealiases

Restructure OpenVPN settings directory layout

• Changed from /var/etc/openvpn[-csc]/<mode><id>.<file> to
  /var/etc/openvpn/<mode><id>/<x>
• This keeps all settings for each client and server in a clean
  structure
• Move to CApath style CA structure for OpenVPN, which implements #9915...

Rename IPsec "RSA" options to "Certificate". Implements #9903

Lower default cert expire days to 28.

At 30 days, an ACME cert may not have triggered automatic renewal yet,
so it would warn unnecessarily.

Update globals.inc

Update globals.inc

Add periodic framework to allow for daily/weekly/monthly tasks. Issue #7332

Add settings to control certificate expiration notifications. Issue #7332

Note that the notices themselves do not yet exist. Those are still a
work in progress.

When resetting all logs, also reset non-syslog logs. Fixes #9802

Add dedicated auth log. Implements #9754

Ensure log cat programs do not emit error messages.

Log setting/size review. Fixes #9734

• Move default GUI line limit and log size defaults to $g rather than
  hardcoding.
• Set default GUI line limit to 500 (up from 50)
• Set max GUI line limit to 200000 (up from 2000)
• Set default log size to 512000 (500 KiB, previous clog default was 511488)...

Relocate newsyslog cron install task. Fixes #9730

Add log compression type option. Issue #9711

Change logging to plain text, deprecate clog. Issue #8350

Fix copyright message years to reflect BSDP -> ESF -> Netgate

Add athp to wireless regex list. Fixes #9600

Merge pull request #4035 from emmtbot/ddns-linode

bump config
Implement redmine #5644

Fix #8821: Deprecate Growl Notifications

Growl appears to be abandoned upstream. No updates in ~5 years, and few if
any users on pfSense

Deprecate the built-in relayd Load Balancer. Closes #9386

It is not available on FreeBSD 12 with OpenSSL 1.1.x.

Users can migrate to the HAProxy package.

Remove unnecessary expiretable cron jobs for ssh/gui lockout. Issue #9223

Move PHP to 7.3.x