Only cache CP RADIUS Auth credentials when reauthentication is enabled. Fixes #7528
(cherry picked from commit d4e42c54a2b7d9c955b11ad3034a186a73159f1a) (cherry picked from commit ed44d5fb36f1f69196417e3feab2a9d6df4a47c8)
Fix #7508 stop write_config after reset_factory_defaults
(cherry picked from commit 3dcaae882cdfdd86826be4db9b38ce04389701ec)
Work around broken wizard rules for ticket #7434
Fix comparisons for CDATA tags in config
Some length numbers here do not match the strings they are comparing with. That looks very odd. Note that: ```substr($ent, 0, 5) == "text"``` will return true when $ent is "text". So actually this "works". But it returns false if $ent is "text1", "texta", etc....
Vendor MAC Retention File Consolidate
Use a single file for vendor MAC retention (vendor_mac). a) Writes only one file during boot up rather than a file for each interface. b) More efficient than numerous tiny files. c) Friendlier to write cycle sensitive media in a RAM disk disabled system.
Vendor MAC Retention File Relocate
Relocate the vendor MAC retention file to /var/db directory. a) It's more at home here with other network interface stuff. b) Friendlier to write cycle sensitive media in a RAM disk enabled system.
Vendor MAC Restore Logic
Only use the vendor MAC retention file for restoring the vendor MAC when not booting. a) During boot up the current MAC that is obtained from the system is the vendor MAC. b) Using this eliminates the inefficient need to open the vendor MAC retention file for every interface during system boot up.
Spoof MAC Var Name
Rename 'spoof_mac' var to generic 'mac_addr'. a) It may be the vendor MAC or a spoofed MAC. b) Update the comment re: not reapplying an already applied MAC.
Fix #7120: Restore vendor mac address when spoofmac is set to blank
Always add the CN as the first SAN when creating a certificate in the GUI or an automatic GUI self-signed certificate. Per RFC 2818, relying on the CN to determine the hostname is deprecated; SANs are required. Chrome 58 started enforcing this requirement. Fixes #7496
Update services.inc (cherry picked from commit 2e3768baa8e6e5793ce165f0d8f60b25bdbdb444)
Update dyndns.class (cherry picked from commit 74533d412818113372b7b1a4e46db48313fd965d)
Update services.inc (cherry picked from commit 1bfa06953e0f440c3d6b71bbb3d671ef524899d4)
Refactor update_alias_names_upon_change
(cherry picked from commit 24807bfeaec218948937a1fdc2b4e863319e41a0)
Remove redundant check, get_pkg_info() call uses a parameter to return only installed packages
Fix indent and spaces
Use correct function (is_pkg_installed) and unbreak get_pkg_info()
add validation via validate_ipv4_list to interfaces.inc
Adds ability to ignore DHCP offers from multiple servers - Forum thread: https://forum.pfsense.org/index.php?topic=124046.msg705100#msg705100 - related dhclient source: https://github.com/pfsense/FreeBSD-src/blob/devel/sbin/dhclient/clparse.c#L945
changed files:...
vslb.inc - Add missing include, use sigkillbyname()
Add QinQ interfaces to the list of interfaces not to check (Bug #4669)
Remove dummy config_lock() and config_unlock() functions
Been no-op for ages (https://github.com/pfsense/pfsense/commit/0027de0a544438f146cfc94f005fd6f4ba9f94d7).
load package add-on tabs into config to avoid parsing all installed package xml's, fix tabgroup filter
(cherry picked from commit bc0661b7b32a99016b9e71b0ece969f6584034c2)
Refactor is_port_or functions
(cherry picked from commit fe108b671d09cf34a11270e286dcd4c4ce1c0597)
Add underscores to is_port* function names
(cherry picked from commit 593e9fe32d2959cd823fe5da55714ccfb9a0e958)
Merge pull request #3671 from phil-davis/handle-empty-port-alias-RELENG_2_3
Correct definition of ports for SMB used by the shaper wizard. Fixes #7434
Redmine #7428 Handle empty port alias
Refactor filter_generate_nested_alias
Provide functions for checking port range alias combinations
Fix handling of port ranges in this validation test. Ticket #7421
File a notice and omit rule(s) using a missing port alias. Fixes #7421
Don't process empty anchors as it could lead to flushing more than intended when cleaning up after relayd. Fixes #7396
Run custom deinstall commands during the deinstall phase instead of post-deinstall, otherwise they will never get run. Fixes #7401
Perform a filter reload after starting relayd so it does not leave the firewall without pf tables. Fixes #7396
Revert "C2758 is VGA only too"
This reverts commit 0a00b197976e638199ab88b823ec6c75ad9a99b2.
C2758 is VGA only too
Fix #7364 Console assigned VLAN disappears after reboot
(cherry picked from commit 75a1149e0104561446e6f90f98d98c6c13c52996)
Setup XG-154x console to VGA only
Remove whirlpool from the list of CA/Cert digest algorithms as it does not work properly. OpenSSL claims it's not valid ("unknown signature algorithm"). Fixes #7370. While I'm here, stop needlessly repeating the algo list; it's a global in certs.inc, so use that single copy of the list.
Remove unused base_packages variable from globals (cherry picked from commit 40f5b3e22effc3319afea306a7d691a5e6934c37)
Allow CloudFlare DDNS entries to use "" or "." for the hostname portion of the domain in the GUI to update the domain's @ record. Then in the backend code, remove that from the FQDN since CloudFlare doesn't like that to be sent explicitly. Fixes #7357
Fix is confirmed to work by two forum users: https://forum.pfsense.org/index.php?topic=122099.msg699763#msg699763
Fix 7294 keep full rule description
Signed-off-by: Phil Davis <phil.davis@inf.org> (cherry picked from commit 680e15baef76a9c598d52d3f2b9ab498077336a8)
Add a function to normalize CR and CRLF-style newlines to Unix LF
See Bug #5306. (cherry picked from commit 117776e0c01e68a8b65584d86d7b8b56fe75c9d0)
Services - Status Icon - Sort Order
Make status column sort order work correctly with the icons. Also refactor get_service_status_icon() output string construction to be cleaner and clearer.
(2.4, 2.3)
(cherry picked from commit 446505a9f9be7f43e4515658f1a5444bc3732a3f)
certificatemanager, link certificate to the proper CA after completing the CSR request
(cherry picked from commit 7fd7fbcff3304285f4407bec2ae62bab7195bcc4)
Fix the pkg_call() and set the timeout to a sane value (Bug #6594) (cherry picked from commit 9c91c7bd747074b8cdaa90e8810f0c2df081f72d)
Use the same cache filename pattern for RFC2136 IPv6 items as used by dyndns
Use | to separate dyndns IPv4 fields on cache file as done by rfc2136 items and for all IPv6 items
Fix #7299 and other stuff
As far as I can see, filter_generate_user_rule() is always supposed to be called with 'ipprotocol' set to 'inet' or 'inet6'. The cases of rules for both ('inet46') are handled by calling filter_generate_user_rule() twice, passing 'inet' then 'inet6'....
Only start dhcpleases if DHCP server is enabled (Bug #6750) (cherry picked from commit 3d8b01e8c6392b4177572d540c8160c7e6e071ca)
Captive portal: fix "Disconnect All" button
(cherry picked from commit 4fb2b17772928f39add5fc0529e94ed07a09de31)
Fix #7257: Use pfSense-upgrade to look for new versions
Revert "Add privs to control display of notices"
Fix #7051
This reverts commit 04665e78537906f7375668ca665cba17f95a4864.
Revert "Use cached groups in get_user_privileges"
This reverts commit 855826896509a1a0bec77a51535a8f004b4ca570.
Use cached groups in get_user_privileges
(cherry picked from commit 7abc3f992e5dd5bff53495844ce944163d6d1d9b)
Fix ldap_get_groups return value when down
In some places ldap_get_groups has: ```return memberof;``` It should have the "$" in front, so it will return the $memberof array (that is empty when this happens).
This causes issues for callers that expect to have a return value that is either false, an empty array, or an array of the groups....
5th try - change $do_ping default value to 'true' (which emulates the previous default behavior) to avoid any unexpected results
(cherry picked from commit 20cf8d8e20fa28c16e86ce0d91e57e4d78427d26)
4th attempt! - Reworked based on recent comments from @rbgarga
(cherry picked from commit c516cb287a78f7b05459e7fcba410f443d8eb8af)
3rd try! - incorporate suggestions from @rbgarga with slight modification
(cherry picked from commit 6c2f093000b05285546e81dd1a578fc9b573b72b)
2nd try. . .
/etc/inc/util.inc: - arp_get_mac_by_ip() updated to support IPv6 - attempt at code streamline
/usr/local/www/services_dhcp_edit.php: - streamline code, now just a simple call to arp_get_mac_by_ip()
(cherry picked from commit dd83f869b79a858bd74c7a8bb4adcd49217445b0)
Add a function to format and return plain text output showing the gateway status, for use by a shell script and status.php. Ticket #7046
Require Name field in Shaper
(cherry picked from commit 40dcb4b61a2c1213a0b3e213c78fddac845a0117)
implement AWS API v4 signing
(cherry picked from commit ac5ee07ee1daef2f43e728895290ca6d11efe0f3)
commit initial fix; need to add hooks for region to zone id
(cherry picked from commit cb5961d1fa64a45cbec5ef5d677b57f8d62f50b5)
Simplify logic
Set ntp gps mode for pgrmf even if no other modes are being set.
(cherry picked from commit 821110e8ff76564c23783c554fc89cd9458683ac)
Add to NTP GPS processing of PGRMF sentence
(cherry picked from commit 6924a2bf34a70cd33284a28ca3575f33f9834375)
get_service_status_icon fix description_state format
If "description_state" is requested here, there are too many "%s" substitutions in the string for sprintf().
Also, to help translators, number all the "%s" substitutions. Then translators can rearrange the text and variable order if they need to....
Remove unused broken functions
Not sure what was the idea here, but these are not used anywhere, do nothing as they immediately call ```return false;``` plus the second one is also misnamed. (cherry picked from commit edba33b5a567ab8c9d4827fa26a25bd9649e3fac)
Misc cleanups at get_pkg_info()
fix copy/paste - I think! (cherry picked from commit 2f633b526075b2ed5e0e160ef6f0d025b509bd70)
use wrapped version of pkg info -e instead (cherry picked from commit e5f96a2cb3c0cad0c828148bd7b8d45c130a9b17)
get_pkg_info() fallback using pkg info if no local copy of repo catalog (resubmit)
Resubmit of PR #3157 with fix.
The issue in #3157 was that `pkg info` and `pkg search`, undocumented in man pages, seem to handle things differently if no packages match the pattern string. `pkg search` gives an error "No packages match [$pkgs]", whereas `pkg search` doesn't give an error....
Introduce is_intrange() to validate a range of integers delimited by ':' or '-'
Force compress for where_is_ipaddr_configured check_localip
(cherry picked from commit f0b1358dfe520ad3b771127127daed970ba2c0a0)
Force compress for where_is_ipaddr_configured
(cherry picked from commit cde28bfa0e11f268485ec1f6ccb73a3a2f66448f)
Always force compress when calling Net_IPv6
(cherry picked from commit 587995fb57f91894d1f8eb6b296a9fe2fa111fac)
Remove unused variable $cfglckkeyconsumers
Fix #7141 Add a priv for UPNP
so users can grant access to Services->UPNP. Note: Status->UPNP already has a priv and it works. (cherry picked from commit a5a899e4388f2737a6d1cdc82c7325c20fb72ee4)
Fix #7139 Accessing help about this page
from a user that does not have admin or all page privilege. (cherry picked from commit 166540830275318c8dec9199d8a9ee0e605f606a)
Fix #7136 Start OpenVPN on ordinary VIP
(cherry picked from commit ddf99718d5f1f4545483c39d3759fdfbb788b0fb)
Remove extra parenthesis and blank line
Fix #7118 icmp-type any
When 'any' is selected as the ICMP type, do not write 'icmp-type any' in the rule, just leave it out.
Fix #7105: Old rules may not have ipprotocol defined, consider it icmp6-type only when ipprotocol is inet6
Redmine #5549 Allow variable number of DNS Servers
(cherry picked from commit a2d23e88596deab6bbed2818385a0b72c913843a)
Fix #6153
Initialize cached IP and Time on loop for RFC2136 items, without this the items used on last loop iteration will be used again and second item on the same interface will not be updated
Fix #6712
Use system_hosts_entries to generate unbound host_entries.conf
Ticket #6712: Create system_hosts_entries()
This function will return an array with all items to be added to /etc/hosts.
Ticket #6712: Create system_hosts_dhcpd_entries()
This function will return an array with dhcpd and dhcpdv6 items to be added to /etc/hosts.
Ticket #6712: Create system_hosts_override_entries()
This function will return an array with dnsmasq or unbound items to be added to /etc/hosts
Ticket #6712: Deprecate read_hosts()
Read local items from system_hosts_local_entries()
Ticket #6712: Create system_hosts_local_entries()
This function will return an array with 127.0.0.1, ::1 and LAN (or first interface with no gateway when LAN is not there) items to be added to /etc/hosts
Kill dhcpleases after we are sure we can write /etc/hosts
Fix style
Make sure IP address is v4 before creating /etc/hosts entry
Exclude non-qualified hostnames from hosts file. Ticket #6064
Do not write a 'restrict' line to the NTP config if it will be empty. Fixes #7110