pfSense

Refactor use of return_gateways_array() with get_gateways(). Fix #14893

Most calls to return_gateways_array() do not need the gateway list to be
recreated. get_gateways() can filter the gateway list, and indexing is
moved from return_gateways_array() to get_gateways() to avoid using...

Use the interface name for the reserved system alias suffix. Fix #14866

Align pfSense and OS locale names. Fixes #13776

Prevent running upgrade code on first boot. Fixes #14698

• Update default config to current latest revision number
• Add safety belt check to not flag an empty GUI cert as weak when it
  will be handled naturally during GUI startup without a spurious
  notice/warning.

Support specialnets in outbound NAT source/destination. Implement #3288
Also, show an asterisk in place of 'Any' for the source,
and avoid generating oNAT rules with invalid aliases.

Work around weak certificates for nginx. Implements #14672

• Generalize and move function that creates self-signed certs
• Detect weak cert when starting GUI and re-generate
• Check for weak cert in GUI on upgrade and re-generate
• Check for weak cert in Captive Portal zones on upgrade and...

Check OpenVPN instances for deprecated items

• Check for weak certificate digests. Implements #14677
• Check for deprecated encryption and digests. Implements #14686

Refactor outbound NAT target config field
Don't keep a separate target field, and handle
some older configs on upgrade.

Revert "Refactor outbound NAT target config field"

This reverts commit 5557bc594916a5a6ff51ac8ed319a6ad436d3475.

Refactor outbound NAT target config field
There's no need to keep a separate target field,
and now it's easier to implement #3288.

Use pf macros for <interface> subnets. Fix #6799
This changes the behavior of '<if> subnet' in generated firewall/NAT
rules. The previous behavior expands '<if> subnet' to a list of subnets
in PHP then generates filter rules with that list. Instead, create a pf...

Refactor translation target for outbound NAT

inc/upgrade_config: PHP 8.x issues. Fixes #14400

Fixup IPsec enc algo PHP 8 issues. Fixes #14009

Update memory calulations. Implements #14011

• Update memory usage calculation for system info widget
• Add RRD data sources for new memory areas
• Upgrade code to expand current memory RRD file with new DS entries
• Make code that composes the commands which fetch memory info more...

Update copyright years to include 2023

Rector direct global g accesses

Rector some direct config gets with complex paths.

Rector some config unsets with complex paths.

Rector some direct config gets with pure scalar paths.

Rector some more direct config unsets with pure scalar paths

Spelling fixes. Fix #13357

• Incorrect input validation for `dhcp6c` `keyinfo expire` `forever` keyword in `interfaces.inc`.
• Incorrect input validation for associated rule's `Source Port` in `firewall_rules_edit.php`.
• Incorrect `voucher*.` file lock reference in `status_captiveportal_voucher_rolls.php`....

Refine IPsec deprecation behavior. Issue #13648

P1 and P2 entries are only disabled if they have no remaining valid combinations of options. This way tunnels that just had one bad entry selected can continue working.

ipsec: disable any tunnels using 3des, blowfish, cast128 or md5 during upgrades

Redmine: #9247

Replace multilevel array accesses regarding v4 and v6 gateways

store dnsmasq custom_options as base64

Update config 215 to 216 fix. Issue #13097

CLI history option optimization. Fixes #12675

There is no longer a need to use the ~/.keephistory flag file. Scripts
can check the config.xml value for a user directly.

New methods for killing states. Implements #12092

Multiple DHCP6 WAN connections. Fixes #6880

Allow the selection of "any" interface in floating rules. Implements #12392

Keep command line history WebGUI option. Implements #12675

Update the Copyright year of the files owned by Rubicon/Netgate.

Bump up the config version to match a change in plus.

Fix disk widget upgrade script assuming widgets always have an index

• Removes disk usage from system information widget
• Adds Pfsense\Services\Filesystem\ library
• Adds new disk widget

Ensure ACB config section exists

Install ACB cron job on upgrade

IPsec updates to address multiple issues

• Configure/apply code changes. * Vast performance increase. Fixes #12026 * Changed connection naming to be easier to interpret. Issue #11910
• VTI interface numbering changes. * Name is now "ipsec<reqid>" since reqid is unique per P2 and a low number....

IPsec PKCS#11 support as an optional feature. Issue #11933

Add IPsec GUI control for Child SA Start Action. Implements #11576

Fix PHP error in upgrade code. Fixes #11801

Change upgrade_212_to_213() so it unsets variables individually after
first testing if they are set. This avoids an error if a tunnel entry
does not contain a value or has a deeper config issue which renders it...

VTI: Fix interface number limit

Code introduced by commit 3b85b43bb4b tried to keep the old way used to
decided VTI interface number using reqid and index but it was wrong and
allowed numbers bigger than limit (32767) to be used.

This commit removes this logic completely and use incremental numbers...

WireGuard removal: Fix config

Keep `wgpeer` item defined as an array on xmlparse.inc to prevent errors
on config files while they already have WG config items. It can be
safely removed in the next major version.

Created a new config upgrade code to remove wireguard items from config...

Retire VXLAN support

VXLAN support is not enterprise ready and after internal discussion we
decided we are not able to support it. We are committed to release
features only when they are ready.

IPsec P1/P2 expiration and replacement refresh. Implements #11219

Update the Copyright year.

A subsequent commit will deal with .po's.

Add product_label global variable

Introduce product_label global variable, by default with same value of
product_name. The idea is to make it easier for rebranded products to
change the name on all visual texts while internal structures are
preserved.

While here, remove deprecated $g['platform'] and also replace places...

Unbound custom TLS port fix. Issue #11051

OpenVPN data cipher negotiation updates. Fixes #10919

• Rename "NCP Algorithms" to "Data Encryption Algorithms" to reflect the change in OpenVPN (frontend and backend, e.g. "ncp-ciphers" changes to "data_ciphers")
• Change "Encryption Algorithm" to "Fallback Data Encryption Algorithm" and move it below "Data Encryption Algorithms"...

System DNS Server changes. Implements #10931

There are significant changes here, but ultimately should be a smooth
transition. See https://redmine.pfsense.org/issues/10931 for more
details.

Style changes

Fix indent

Remove extra 00 padding of VTI interface names. Issue #9592

Add a system option to handle the queue API usage in hn NICs.

A single queue is used in order to enable the ALTQ support, but some people may
prefer performance over the ALTQ features.

Ticket: #9647

Fix syntax error.

Fix #9647.

Instead of forcing the defaults in the OS driver (introducing yet another
change), set the default to enable ALTQ support for hnX NICs in loader.conf.

Ticket: #9647

Bump up config version to 20.6.

Create an upgrade function to run console_configure() and force an update
of the boot loader settings.

This is intended to force the Switch settings update (in factory).

More complete IPsec close_action conversion. Fixes #10632

Fix duplicate upgrade function. Fixes #10652

Merge pull request #4150 from Augustin-FL/captiveportal-db-sync

Use close_action=trap, not hold. Fixes #10632

Improve handling of an empty IPsec phase1 tag. Fixes #10580

Also fixes another PHP error after config upgrade which behaved in a
similar way.

Create a new page dedicated to backward sync
Implement Redmine #97

Feature #10392: Improved/unified wording, removed link3, fixed empty() vs !== bug, fixed upgrade code. Increased config to 20.3.

Feature #10392: Removed IPv4/IPv6 selection. Added code for configuration migration on upgrade.

Fix #10525: Handle Chinese (Hong Kong / Taiwan) locale rename

More safety belts for upgrade_174_to_175(). Fixes #10458

Update SSL refs to SSL/TLS. Fixes #10172

This is 2020. Issue #9245

Rework IPsec P1 Lifetime GUI options. Fixes #9983

Rename IPsec "RSA" options to "Certificate". Implements #9903

Add periodic framework to allow for daily/weekly/monthly tasks. Issue #7332

Initialize array to avoid a PHP error in upgrade_144_to_145(). Fixes #9840

Fix random typos

Relocate newsyslog cron install task. Fixes #9730

Don't add .log to filename twice. Issue #8350

Change logging to plain text, deprecate clog. Issue #8350

Fix copyright message years to reflect BSDP -> ESF -> Netgate

bump config
Implement redmine #5644

Fix #8821: Deprecate Growl Notifications

Growl appears to be abandoned upstream. No updates in ~5 years, and few if
any users on pfSense

Deprecate the built-in relayd Load Balancer. Closes #9386

It is not available on FreeBSD 12 with OpenSSL 1.1.x.

Users can migrate to the HAProxy package.

Remove unnecessary expiretable cron jobs for ssh/gui lockout. Issue #9223

Update copyright notices to 2019. Happy New Year

Ensure IPsec P1 entries have a 'protocol' value. Fixes #9207

Fix #9121: Initialize arrays to prevent PHP 7 errors

Skip empty IPsec P1 during upgrade to 17.5. Fixes #9083

ssh settings upgrade fixes

ssh settings alignment. Fixes #8974

Remove redundant settings stored in the wrong place
Store all ssh settings in the same place
Initialize this array before use

Fix a PHP error when upgrading gateways

Fix #7694: Replace sshlockout_pf by sshguard

Upgrade config : Move captiveportal authentication to use user manager

FEC LAGG is deprecated, remove from GUI and change on upgrade. Fixes #8734

Create cron array if it doesn't exist on upgrade.

(cherry picked from commit aabd093849d61eacdf7bdcb584c812638b3732a0)

Integrate ACB into core. Add config migration.

routing, add option 'automatic' for gateway selection, and allow manual ordering of gateways

Make GUI/config values for gateway groups match what the backend code expects. Fixes #8586

Improve default gateway upgrade code. Ticket #8504

Gateways, allow for configuring a gatewaygroup as the default gateway.
-Avoid changing routes by just visiting a webgui page.
-Avoid change some unneeded events when nothing changed.

Captive portal: add option to choose whether to use the bandwidth limits retrieved from RADIUS or not

Automatically upgrade config to preserve old RADIUS bandwidth limits behaviour on existing installations.