pfSense

DHCPD: deny MAC Deny entries instead of ignore. Fixes #12923

Do not add HTTPClient entries if netboot is disabled. Issue #12892

Skip gateway if interface is down. Fixes #12920

OpenVPN status TAP mode double entries fix. Issue #12884

Restart gateways monitor on dynamic interface down. Fixes #12920

Status Interfaces SPF details fix. Feature #8861

Encrypt/Decrypt Robustness & Testing. Issue #12897

• Move cleanup to separate function.
• Be more aggressive with cleanup when performing multiple crypto
  attempts.
• Only fall back to old iterations or legacy when decrypting as
  there is no need to attempt these when encrypting new content....

OpenVPN status incorrect TAP mode RA server+empty tunnel. Fixes #12884

Define dnsmasq upstream DNS via --server option. Fixes #12902

Show SFP module details on status_interfaces.php. Implements #8861

Fix infinite CPU loop on failed restore

When restoring a backup with wrong password or a user custom iterations count different than 10k or 500k, GUI timed out in an infinite CPU loop

Revert "captiveportal: fix ipfw rules"

This reverts commit 9dac41af43a5b977a604098688776987c4f76722.

DHCPD HTTPClient option for static mappings. Fixes #12896

Merge pull request #4551 from luckman212/dpinger_dont_add_static_routes

adds option to not auto-create static routes for dpinger (squashed)

DHCPD HTTPClient custom option. Fixes #12892

Increase OpenSSL iterations. Issue #12556

When encrypting and decrypting content such as config.xml backups,
increase the default number of iterations used by OpenSSL when deriving
the key material. Fall back to previous default and also retain the old
legacy behavior.

syslog: Update filters now that the rule format has changed

We no longer have '@1(0)' but '@1' at the start of rules. This used to
be where we kept the trackerid, but that's now supplanted by the
ridentifier, so the field isn't useful any more, and has been removed...

Remove default gateway if Mark Gateway is set. Fixes #12536

Do not remove net.link.ifqmaxlen from /boot/loader.conf.local. Fixes #12862

Add option for pw hash algo. Implements #12855

Namecheap DDNS response parse change. Fixes #12816

If the first attempt to parse the response fails, try again without the
XML declaration. The server may not be sending an accurate XML
declaration.

Fix dynamic IPv6 gateway address resolution. Issue #12847

Fix php syntax. Fixes #12831

LAGG hashing option. Implements #12819

Dynamic NPT support. Implements #4881

Multiple DHCP6 WAN connections. Fixes #6880

Use random_bytes() to generate salt for SHA512 password hashing. Fixes #12801

Merge pull request #4555 from zacwest/dnsimple-v6

Merge pull request #4554 from lmcquade/master

Merge pull request #4549 from hpeters/master

Remove quotes from TOS values. Fixes #12803

The quotes are no longer required by pf.

See also: #4302

Fallback to package \"name\" during package reinstall on restore. Fixes #12766

Allow the selection of "any" interface in floating rules. Implements #12392

SNMP service restart improvements. Fixes #12611

IGMP Proxy service improvements. Fixes #12609

Always restart gateway monitoring and services on interface UP/START event. Fixes #11570

Clear aliases,filter,shaper and natconf flags on filter_configure(). Fixes #12678

DNS Resolver restart improvements. Fixes #12612

Remove unused add_hostname_to_watch() from ipsec_setup_gwifs(). Issue #12645

Fix full path to executable files. Issue #11941

Keep command line history WebGUI option. Implements #12675

Optimize openvpn_resync_all(). Fixes #12628

Delete static default route if default gateway is NONE. Fixes #12536 #11692

CARP status check for RADVD with link-local address. Fixes #12582

Remove link-local scope from IPv6 addresses in filter_nat_rules_generate_if(). Fixes #11984

GleSYS DDNS return code check fix. Issue #12672

Add IPv6 scope to DHCP6 link-local routes. Fixes #11764

Skip out-of-range entries on DHCP6 service start. Fixes #12527

Generate unbound ACLs for OpenVPN CSO. Fixes #12636

Initialize $cmp with an empty array. Fixes #12749

Static IPv6 route delete fix. Issue #12728

Update Static Route and OpenVPN alias name when the alias is renamed. Fixes #12727

Only request copyright file is ews.netgate.com is resolvable. Issue #12141

Use http_build_query() for Google Domains DDNS post data. Fixes #12754

Convert OpenVPN Tunnel Network to correct format on save. Issue #11416

Display interface interrupts. Fixes #12735

Add OpenVPN CSO to Automatic Outbound NAT. Fixes #12792

Correct NTP service status logic. Fixes #12775

Add UPnP NAT anchors before NAT rules. Fixes #7727

Delete temporary ACB files. Fixes #12745

Add IPv6 variant of DNSimple DynDNS Provider

Fix formatting. Add get_ll_scope() check.

Change get_gwgroup_members to include interface in link-local IPv6 addresses (Bug #12721)

Default repo selector to stable repo after upgrade to Plus

Detect correct setting for custom repo and call pkg_switch_repo to be sure

Revert clearing custom repo on boot

openvpn.tls-verify.php exec() output fix. Issue #11829

ldap_get_groups() return value fix. Issue #12699

Delete all custom files if the custom repo specification is incomplete

Improve OpenVPN Data Cipher handling. Fixes #12677

netgate-ca.pem is now in the base image at /usr/local/share/${product_name}/ssl/netgate-ca.pem

Improve solo weighted GW in Failover. Issue #12660

If there is only one gateway to add in a macro definition, there is
no point in repeating the string based on the gateway weight.

This is a potential contributing cause to issue #12660

Disable DNS Resolver recursion if the selected outgoing interfaces are not available. Fixes #12460

Originally-By: Viktor Gurov

Revert "Use OpenVPN async client-connect, clear stale rules, add option to limit connections per user. Implements #12407 and #12332 and #12267"

This reverts commit 7aaa20d95a345c4688e8786c755c7d0433451688.

Update the Copyright year of the files owned by Rubicon/Netgate.

Create port forward rules for PPPoE Servers interface. Fixes #12452

Fix SSH keys permissions on restore. Fixes #12637

Do not update Dynamic DNS if the public IP address cannot be determined. Fixes #12617

Ignore DynDNS requestif for non-custom providers. Fixes #12631

Merge branch 'pfsense:master' into master

Merge pull request #4550 from znerol-forks/fix/master/radvd-search-list

Merge pull request #4546 from olehfb/namedotcom_dyndns

Initialize searchliststring variable in every loop iteration

Add tag 1 to Captive Portal passthrough MAC table. Fixes #12615

Do not update DNS RFC2136 if the public IP address cannot be determined. Fixes #12617

Merge branch 'pfsense:master' into master

#12003 Prevent some pie aqm and fq_pie scheduler settings from being saved with limiters not using pie aqm or fq_pie scheduler.

Pushover notifications fix. Issue #12614

Use Trusted Store CAs for Dynamic DNS. Fixes #12589

Bounce dipinger when bringing down interface that has a gateway

One.com DDNS update. Issue #12352

(cherry picked from commit 9a84d3b0b5e4709a5bde99d3edf4f8e89524b602)

Init tracker ID before filter reload. Fixes #12588

#12003 This commit adds missing settings, zero and floating point support for those settings to the limiter scheduler fq_pie.

syslog: fix ridentifier retrieval when looking up by rule number

pf rules no longer include the ridentifier immediately after the rule
number but instead list it as a separate keyword like this:

@4(0) block drop in log inet all label "Default deny rule IPv4" ridentifier 1000105583...

syslog: fix ridentifier retrieval

pf rules no longer include the ridentifier immediately after the rule
number but instead list it as a separate keyword like this:

@4(0) block drop in log inet all label "Default deny rule IPv4" ridentifier 1000105583

...

Rename 'tracker' to 'ridentifier'

FreeBSD has included our 'tracker' functionality, but calls it
'ridentifier' instead. Change the rule generating code to cope with
that.

IPsec IKEv2 Retransmission options. Implements #12184

Revert "Certmanager mvc"

This reverts commit 033c3ae82d20ca5760ed483cf8d0c947764b2371

Certmanager mvc