Improve OpenVPN Data Cipher handling. Fixes #12677
(cherry picked from commit 78ce96a9af3b2ab5159ef6623078bfc4b15f8a89)
netgate-ca.pem is now in the base image at /usr/local/share/${product_name}/ssl/netgate-ca.pem
Improve solo weighted GW in Failover. Issue #12660
If there is only one gateway to add in a macro definition, there is no point in repeating the string based on the gateway weight.
This is a potential contributing cause to issue #12660
Disable DNS Resolver recursion if the selected outgoing interfaces are not available. Fixes #12460
Originally-By: Viktor Gurov
Revert "Use OpenVPN async client-connect, clear stale rules, add option to limit connections per user. Implements #12407 and #12332 and #12267"
This reverts commit 7aaa20d95a345c4688e8786c755c7d0433451688.
Update the Copyright year of the files owned by Rubicon/Netgate.
Create port forward rules for PPPoE Servers interface. Fixes #12452
Fix SSH keys permissions on restore. Fixes #12637
Do not update Dynamic DNS if the public IP address cannot be determined. Fixes #12617
Ignore DynDNS requestif for non-custom providers. Fixes #12631
Merge pull request #4550 from znerol-forks/fix/master/radvd-search-list
Merge pull request #4546 from olehfb/namedotcom_dyndns
Initialize searchliststring variable in every loop iteration
Add tag 1 to Captive Portal passthrough MAC table. Fixes #12615
Do not update DNS RFC2136 if the public IP address cannot be determined. Fixes #12617
Pushover notifications fix. Issue #12614
Use Trusted Store CAs for Dynamic DNS. Fixes #12589
Bounce dpinger when bringing down interface that has a gateway
One.com DDNS update. Issue #12352
(cherry picked from commit 9a84d3b0b5e4709a5bde99d3edf4f8e89524b602)
Init tracker ID before filter reload. Fixes #12588
syslog: fix ridentifier retrieval when looking up by rule number
pf rules no longer include the ridentifier immediately after the rulenumber but instead list it as a separate keyword like this:
@4(0) block drop in log inet all label "Default deny rule IPv4" ridentifier 1000105583...
syslog: fix ridentifier retrieval
@4(0) block drop in log inet all label "Default deny rule IPv4" ridentifier 1000105583
...
Rename 'tracker' to 'ridentifier'
FreeBSD has included our 'tracker' functionality, but calls it 'ridentifier' instead. Change the rule generating code to cope with that.
IPsec IKEv2 Retransmission options. Implements #12184
Revert "Certmanager mvc"
This reverts commit 033c3ae82d20ca5760ed483cf8d0c947764b2371
Certmanager mvc
IPsec on backup CARP group validation. Fixes #12566
Add dynamic DNS service provider Name.com, closes #12567
SNMP IPv6 support. Implements #12325
Input validation to prevent removing a gateway if it is still in use by DNS servers. Fixes #8390
Backup and Restore SSH Host Key(s). Feature #11118
Static routes handling update. Fixes #11599 #11895 #7547
Allow to select 3 (8s) NTP min poll value. Implements #9439
DNS check improvements for fw check and ACB. Fixes #12141
Use OpenVPN async client-connect, clear stale rules, add option to limit connections per user. Implements #12407 and #12332 and #12267
Port Forward checks for special interfaces and reflection type. Fixes #12452
NTP Peer mode. Implements #11496
Automatic outbound NAT for Reflection IPv6 support. Fixes #12500
Add Chelsio T6 CXGBE (cc) to ALTq capable list. Fixes #12499
Do not detach ng_ether from physical interfaces
There's no measurable performance impact of leaving an unused ng_ether node attached to ethernet interfaces, so don't waste time trying to ensure we only attach to interfaces where we expect to use netgraph....
IPsec SPD status updates. Implements #12397
Elliptic Curve 25519, 448 bit -> Elliptic Curve 448, 448 bit PH2 rename. Fixes #12350
Delete stale OpenVPN RADIUS ACL generated rules. Fixes #12481
DNS check optimization for NDP diag page. Fixes #11512
Fix OpenVPN status page halt function when client_id=0. Issue #12416
IPsec PC/SC daemon status / services page fix. Issue #12468
Remove stale captiveportal_online_users file on boot. Fixes #12455
Reset CP DB on unclean shutdown if preservedb option is not enabled. Fixes #12355
GRE/GIF interface configure fix. Issue #12288
Elliptic Curve 25519, 448 bit -> Elliptic Curve 448, 448 bit rename. Fixes #12350
Mute kernel messages on dummynet and thermal hardware modules load. Fixes #12454
Use proxy for DDNS Check IP Services. Feature #12342
Dynamic DNS proxy option. Fixes #12342
Slack Notifications. Feature #12291
Do not check subnet overlapping on 6RD interfaces. Fixes #12371
DNS check optimization. Fixes #11512
IPv6 Port Forwarding Proxy+NAT input validation. Fixes #12319
Allow to halt OpenVPN client on status page. Issue #12416
Do not show Configuring IPsec VTI interfaces message at boot if no VTIs are configured. Fixes #12419.
Remove unused function from pfsense-utils.inc. Todo #12406
Fixes redmine #12396
Bump up the config version to match a change in plus.
Keep 'enableserial_force' in /conf when a factory reset is performed.
Ticket: #6880
additional fix #7801 Include IPsec P2 address type in vpn_networks
Fix disk widget upgrade script assuming widgets always have an index
captiveportal: fix ipfw rules
When we authorise a client we add it to the *auth(up|down) tables. This means traffic will pass and not be forwarded, as piped traffic does not pass through the firewall again (if net.inet.ip.fw.one_pass is set).
However, these rules are 'layer2', so when the traffic is passed it's...
IPsec Widget none/disabled tunnels fixes. Issue #12337
Yandex PDD DDNS token fix. Issue #12331
Use correct var f/OpenVPN IPv6 ACL. Fixes #12333
Fix variable name when referencing an OpenVPN IPv6 tunnel network while creating a DNS Resolver ACL entry.
While here, also add a safety check to ensure we never attempt to add an ACL with an empty address.
Correctly resolve VTI remote addr. Fixes #12328
Use ipsec_get_phase1_dst() to resolve an IPsec P1 remote gateway address rather than passing an FQDN directly to ifconfig
IPsec PH2 AH proposals order fix. Issue #12323
OpenVPN exit notify & inactive incompatibilities
Cleanup and improve easyrule. Fixes #12151
OpenVPN Aliases support. Implements #2668
Consider GWG in ipsec_force_reload. Fixes #12315
Rename a few missing Netgate devices.
Super Micro XG-1537 -> Super Micro 1537
Super Micro XG-1541 -> Super Micro 1541
Add null check. Fixes #9092
If the value is undefined in config.xml this will be null, not an empty string.
Fix a typo in the Netgate 5100 name.
Rename the Netgate devices.
XG-15xx -> 15xx
SG-5100 -> Netgate-5100
Revert "Clean up some messy HTML in the cert/ca display code. Prep for future MVC changes."
This reverts commit 8d4fcd7ac1167894136e337fc619e63fa7200fa0.
Increase default RA intervals. Fixes #12280
This code path was not included in the original diff.
radvd: Avoid empty AdvDNSSLLifetime (Fixes #12173)
Make sure $raadvdnsslifetime is defined on second foreach
Disable newsyslog compression w/ZFS. Issue #12011
ZFS compresses /var/log by default. If the ZFS dataset /var/log has compression enabled on the first boot post install or factory reset, then set a flag to disable newsyslog compression unless the user overrides the setting in the configuration....
Don't wait on manual IPsec actions. Fixes #12298
Use a timeout with swanctl --initiate, and use --force for swanctl --terminate. This will allow the commands to succeed and return without waiting on the remote to respond. The negotiation continues in the...
IPv6 fix for setdefaultgateway(). Issue #12282
Update IPsec Filter Mode text. Implements #12289
VTI mode also works for transport mode (e.g. GRE), so note that as well.
Increase default IPv6 router advertisement (RA) intervals and lifetime. Fixes #12280
Allow to use nested URL alias in URL alias. Fixes #11863
Regex cleanup should also kill {}. Fixes #12257
It's not used often (and less in the GUI) and can be a source of problems with large numbers of repetitions even outside of grouped expressions.
Use SHA512 to hash user password. Implements #10298
Original commit by Viktor Gurov
Ensure Unbound python script exists. Fixes #12274
Check to make sure a referenced python script exists before attempting to use it in the Unbound configuration. If the file does not exist, Unbound will fail to start.
Correct grep usage where needed. Fixes #12265
Regex cleanup change. Fixes #12257
Rather than attempting to cleanup group repetition, just discard the unwanted pattern.
Move IPsec Mobile additional configuration attributes to strongswan.conf. Fixes #11447
Fix IPsec PH1 with Remote Gateway 0.0.0.0 rules creation. Issue #12262
VLAN/QinQ-only interface mismatch detection. Fixes #12170
More route display changes. Fixes #12257
Do not delete disabled routes. Fixes #10706