pfSense

Fix sshguard config/command. Fixes #9971

Also requires sshguard patch

This is 2020. Issue #9245

Move igmpproxy logs to routing.log. Fixes #10139

Fix #9285: Move ping-check option from global to per-subnet

(cherry picked from commit 5197e3e3a3b0ee048785e2ffb4222d7cba4e6c74)

use disablepingcheck as option name

(cherry picked from commit a0541b292d4cde76b9e95c1d8cbd99f5f26afee5)

add an option to the DHCP server to disable the ping check feature

(cherry picked from commit 7847e55fa2cd5813adb1ee4aa888b694957109b9)

Revert "Fix #9285: Move ping-check option from global to per-subnet"

This reverts commit 9133e01dc049920d716b045a86e78a9a05d98354.

Update copyright notice years. Issue #9245

Update copyright notice years. Issue #9245

Add Gandi LiveDNS DynDNS client.

(cherry picked from commit edfe22f8bae894eb678f3e7060cc91cea6f664da)

Prevent OpenVPN tunnel network reuse. Fixes #3244

Ensures that a submitted tunnel network is not already in use on other
OpenVPN client or server instances, to avoid conflicts.

(cherry picked from commit 19a0636d7c0e0178209406480cc383853f0d3f72)

Add exit notify to OpenVPN servers/clients. Implements #9078

(cherry picked from commit 7591a72a5108a2ac28d28745cec43ea282869aae)

Correct jQuery include

(cherry picked from commit bb31e48e2c1eea6a7a3925f5398bce17c19f3af4)

Don't dedup DNS from dyn sources if override is disabled. Fixes #9963

(cherry picked from commit f829d7e2967d170f09756937e9076e87d5f9e2d7)

simplify queue stats parser

(cherry picked from commit 5a0f6513bfe2ba1da87505dbb7b97c6b4479bf34)

support variable value length in queue stats parser

(cherry picked from commit e5deede539e4164256e5243b22f3ee963fc35ea7)

Add packages to version string to support composite update

(cherry picked from commit 725c8134d390eefb4bb258893a27a278176158ac)

Fix #6846: Properly detect Super Micro C2558/C2758

(cherry picked from commit 4de6f04d5f4eb69e9293dad6f47ce66f7d3baec1)

Add RFC 8031 Group 31 to IPsec. Implements #9531

(cherry picked from commit 4fc267484e604509b072b398642f19cb6797ef21)

Typo fix

(cherry picked from commit 463d5d11726084575b166dffe4b85164b2f5a5c3)

Enforce limiter delay 0<=x<=10000. Fixes #9921

(cherry picked from commit 8afa74bb099d75962a5efb8a603981c0249f91a0)

CDATA escape more auth-related fields. Fixes #9327

(cherry picked from commit 327ad811aa5f965ba805ea78f879c759ca0fdafa)

Correct VTI IPv6 test and syntax. Fixes #9801

(cherry picked from commit 1d9fbb716543110ac245e2749f8c06fc77480a77)

Fix #3743: Allow OpenVPN keepalive configuration

- Remove hardcoded 'keepalive 10 60' configuration
- Added 'inactive seconds' option
- Let user configure 'keepalive interval timeout'. It defaults to 10 60
as it was hardcoded until now
- Let user define ping and chose between ping-exit or ping-restart...

Suppress errors from touch when marking GW down. Fixes #9851

(cherry picked from commit 83794361b7135aaef4e47b35bd27df7da6ce023c)

Fix OpenVPN keepalive default values. Fixes #3473

(cherry picked from commit 99d7e8c10e96e6f22ad47973d07258cd02426fe6)

Update privilege definitions

Reduce default GUI cert lifetime to 825 days. Issue #9825

Add root warning to HA node sync privilege.

(cherry picked from commit 03b8b94ed86ca85510e7d00e035d30eab7e3a43b)

Initialize array to avoid a PHP error in upgrade_144_to_145(). Fixes #9840

(cherry picked from commit 8e0d33ec48792e13839a0181031664261269c220)

Fixes #9362: proxied value must be a boolean

(cherry picked from commit 888635338d63e8b21297e3b25f0ff545fe9c4c41)

Image upload validation improvements. Fixes #9804

• Make functions for validating images against a pre-defined list of
  approved types
• Change the picture widget to use these functions
• Add validation for uploaded Captive Portal logo/background images

(cherry picked from commit 09d597434c9ccb456c8f207649dbe43fd5ff85db)

Fix #9674: Do not set duplicate-cn in p2p_shared_key mode

Fix #9285: Move ping-check option from global to per-subnet

(cherry picked from commit 5197e3e3a3b0ee048785e2ffb4222d7cba4e6c74)

Add IPsec DH/PFS groups 25/26/27. Implements #9757

(cherry picked from commit 21bee0287caf76bb7ab63ec29b0ecf7435940a06)

openvpn: cleaning default case handling in switch statements

(cherry picked from commit f93ec3853fc0c01760606994422e9e8fc0d645c9)

change after review

(cherry picked from commit f08369ec248f2733eb2b69db23aa042e27ec04de)

Update text

(cherry picked from commit cef01bcb95add6acc13edb16739e10d7ed8ba6e2)

Added tlsauth keydir options to openvpn client and server

(cherry picked from commit 8698f918d170d3836037d3a39b4e1f8aa6389f6d)

Deduplicate code in openvpn.inc

(cherry picked from commit f7335af377d41262654bdbd7d7cf0e2993fb71d1)

Remove unnecessary variable

(cherry picked from commit 1d13560cb36db0d5f7cec9fa9d6295445333ba95)

Improve efficiency of resync checks.

GW Group changes are checked iff the interface is not the empty string or the interface in question is not the same as the OpenVPN interface.

(cherry picked from commit 15f8062b42b3b2849d5dd7fdde9170d4785e84e4)

Add ability for OpenVPN instances to resync on IP changes and on boot.

OpenVPN instances resync if interface IP change occurs.
At boot, the interface is the empty string, so resync is mandatory to generate OpenVPN files in /var/etc/openvpn.

(cherry picked from commit 7071aab3b2c70bbed531e0f82bedab3273484843)

Add else clause for cases when OpenVPN interface file does not exist.

- Prevents potential race condition at startup resulting in failure to start OpenVPN instances.
- In cases where interface file is not present the openvpn_resync function handles a restart correctly....

Update openvpn.inc to allow OpenVPN instances to resync when running on a gateway group.

Implementation now checks if OpenVPN client/server running on gateway group should resync when IP changes occur or if cables are unplugged/replugged.

(cherry picked from commit c46d0b12d606b2249f4b5305994e8c3e750634eb)

Remove deprecated comments since username tag got CDATA

(cherry picked from commit 1dcaf2d816721704bfb05ae2587c09e37c873e71)

Ticket #6195: Use CDATA on username tag

After discuss with JimP we agreed it would be a better approach than
bdaa5235d4 if we add username tag to the list of tags that use CDATA

(cherry picked from commit ce76d1e41bf3673e74041c53c230e6880e890dfa)

Fix handing of DNSimple API response

It seems DNSimple started using HTTP/2, which broke the regex the dnsimple updater was using to check for success. I changed it to use the CURLINFO_HTTP_CODE instead.

I noticed several other providers are using the regex status match instead of HTTP_CODE, but I didn't touch those. I haven't written any PHP in 20 years, and I don't use those providers to test them. This change works for me for DNSimple now....

Do not use constructor with the same name of class, it's going to be deprecated

(cherry picked from commit d43154fee7d7c2a5a007f36da7d86a94bd197a85)

Fixed #8014

Fixed wildcard variable not being set correctly.
Updated CURLOPT_URL according to provider's documentation.
Added support for MX records.

(cherry picked from commit cedc8184606a4cfdf6cb7542e43d205205005865)

Make factory test case insensitive

(cherry picked from commit 552a41fbd37aa61f50e62f29876485c9775345cc)

Revise update check to provide a more consistent version string, and to provide it in JSON format

(cherry picked from commit 819165020041ee46f423a7ead5aca855dac28cdb)

IPsec ID type parsing changes. Fixes #9243

• Move code to function to avoid unnecessary duplication of code
• Clean up the logic to avoid further redundancies
• Set keyid type to be quoted and to have its type prefixed

(cherry picked from commit 3a73fc74ca54b1167fbecfb679d0e634f5f1ab2e)

Routing, actually show the "(default)" mark on the default route as it is present on the OS

Most obvious problem was when manually switching from WANGW1 to WANGW2 it showed both as (default) after saving the setting and before applying it. Also after applying it would require another page refresh to show the updated situation. Also add a little information box that shows what (Default) means for the user....

Bug #9218

(cherry picked from commit adc6ddbdbbb465fd3cb58d931465ac93b1fdedb6)

Fixed #9693
Allow ACB to be suppressed by including magic string in the backup description
Transmit max number of manual backups in the ACB

(cherry picked from commit 6f6299a3a6aca1b7baf5d80d6d24325100363939)

Instead of restarting pkgs, add an IPsec reload hook they can use instead. Fixes #9668

(cherry picked from commit a264f870479c36ac1599b936bbdd547f0f8a99ec)

Update dyndns.class

(cherry picked from commit 0c43f8256edf08e473caae8c7dad0936ada2fd90)

Update services.inc

(cherry picked from commit 443a8b1beca07d1490f170c972c1c00ecb39baa7)

Azure DDNS whitespace only

(cherry picked from commit ed5b58a752a2241ce052851def2a7c846361146d)

Linode Dynamic DNS syntax fixes

(cherry picked from commit bd0a29ea21d0a5230b74410a7a4c1289fef38e89)

Add Dynamic DNS support for Linode #9268

(cherry picked from commit b923a8251ca4b899936156db48fb9253745c41e3)

Fix AzureV6 DynDNS client

`AAAARecords` in the Azure DNS API is case sensitive

Documentation: https://docs.microsoft.com/en-us/rest/api/dns/recordsets/createorupdate
(cherry picked from commit 1ca156ea0875014b5175855c9fe8459950173d0b)

Add GUI option for IPsec tunnel closeaction. Fixes #9767

(cherry picked from commit 85c85e89ec7fad6974cd008d1f25676adf8e288d)

IPSec: Just destroy interface if it exists and it's not booting

Based on PR: https://github.com/pfsense/pfsense/pull/4076

Recognize more Netgate hardware automatically. Fixes #8051

(cherry picked from commit f301aa594787b4d44c6779df3c924fa724ffa3b8)

Fix some model detection instances. Issue #8051

(cherry picked from commit fc89ce5b594f20a3d4819f01500f561893580d41)

Add 127.0.0.0/8 to Unbound private-address list. Fixes #9708

(cherry picked from commit afeb18ff0ecaec2e9d0da1801fe9cebf5b99a3ca)

Add 'encryption_password' to the $cdata_fields array. Fixes #7186

(cherry picked from commit 9d4ace0bf544b3190d31484cac684bca4dac2a0b)

Add some exception handling to auth attempts. Fixes #9150

(cherry picked from commit d832b6ce47a90fea03443401d072eb91906b6fc7)

Initialize VLAN array in console setup. Fixes #9582

(cherry picked from commit 45f95753963e497b5ce14493f9cca05336d75c7b)

Set IPsec VTI MTU to configured value at boot. Implements #9111

(cherry picked from commit 3334f9c4cd7111c624ba2395b91c065d7dd338b1)

Teach dhcrelay about upstream and downstream interfaces. Fixes #9466

No config changes or UI changes, it is handled automatically.

(cherry picked from commit f427d68dbca5ed9941b3bc01be1c4d81417c134f)

Privilege matching -- allow JS anchors. Fixes #9550

Attempts to detect a special case where a file does not actually
exist, and yet should be allowed since it is used by JavaScript.

So long as the anchor name doesn't contain any characters that might let...

Revert "LDAP TLS option update. Implements #9417"

This reverts commit efdba6ca75e001e8426b2ecab49f71b53d5c9e30.

Implement new OpenVPN advanced options privilege. Fixes #9511

(cherry picked from commit 4a1841a1fabcba0100f6a4f505fc1e132c29da20)

Fix ACB privileges. Fixes #9519

(cherry picked from commit 18c1de41332473dacd8a24ddf34e558f6366c714)

Rewrite unbound remotecontrol.conf when it is empty. Fixes #9470

(cherry picked from commit 4b70a2006e6afb7813344eec8cafb8570e67256b)

Add back DNS over TLS host verification code. Fixes #8602

Requires Unbound 1.9.0_1 from pfsense/freebsd-ports, which fixes a bug
in Unbound 1.9.0 which did not fully implement OpenSSL 1.0.2 host
validation support. See https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4206#c5...

Add parens around NAT reflection rule interface. Fixes #9446

(cherry picked from commit 8800ee6f90d2ac91ca9c2886bd260bc1a4e12893)

Fix typo

(cherry picked from commit 929cc874f6d32908739cc30e70c0eeba25127fb8)

Fix a typo.

Reported by: jimt

(cherry picked from commit b0945941088c7383882688a6c6e774eb831f6486)

#9096 - updated login title

(cherry picked from commit 814a7c2f1d828fedef13bb2bf326d8014e9e25bf)

LDAP TLS option update. Implements #9417

(cherry picked from commit 996a1ad90e5682bf881bafd8b75d1b1a7e3f7831)

Update copyright notices to 2019. Happy New Year

(cherry picked from commit 0b4c14a491664053aad3cc76e1ffd67b70ff2da1)

Strengthen path privilege check. Fixes #9513

• Removes/resolves any relative paths in the submitted URL
• Validates that the file exists
• Trims the path component off after in a nicer way

(cherry picked from commit 0604f68855ff65b92cdebd57a08a2ceccbef675c)

Make widget privilege matching more specific. Fixes #9512

(cherry picked from commit bc319bc01a4d709b39e4c93c7223d277ee666bff)

Add warning for OpenVPN client, server, and override privileges.

Since these can use OpenVPN advanced directives to call external
scripts, they can be used to run commands that the user may not
otherwise have access to run.

Issue #9510

(cherry picked from commit f75b0eb8e781570a84e8700b150e09e081ccacfe)

Initialized entries variable before use. Fixes #9359

(cherry picked from commit 9146639e722b4d437d19b5ade1157ae01849a313)

Use only sshguard table for blocking ssh/gui attacks. Issue #9223

(cherry picked from commit 555a9ab5c01101ddab7daa41f35d379d1c39b26e)

Remove unnecessary expiretable cron jobs for ssh/gui lockout. Issue #9223

(cherry picked from commit 397d9fff6df234d98ef2353b0b29912a14777442)

Update privileges

(cherry picked from commit 3b3e31c248b8185372251f8bd2fbc2a95652a7ec)

Merge pull request #4034 from kkr0kk/patch-2

Ticket #9308: Sort country codes

Ticket #9308: Implement get_cert_country_codes() to get the list of country codes to be used by CAs and Certs

Make get_countr_code() parameter default to 'ALL'

Encode shaper queue name before printing. Issue #9294

Validation is already present and prevents bad values from being
entered.

(cherry picked from commit 1072b9333c47df593420937361349b09a9b73639)

Update gwlb.inc

Update gwlb.inc

Correct BUG 9004 -> set the default gateway when system start and a gateway_group is default IPV4 gateway

Ensure IPsec P1 entries have a 'protocol' value. Fixes #9207

(cherry picked from commit d188b7251a83b4a8a39ba50dfaf9a1cba35cad17)