pfSense

vslb.inc - Add missing include, use sigkillbyname()

Add QinQ interfaces to the list of interfaces not to check (Bug #4669)

Remove dummy config_lock() and config_unlock() functions

Been no-op for ages (https://github.com/pfsense/pfsense/commit/0027de0a544438f146cfc94f005fd6f4ba9f94d7).

Refactor is_port_or functions

(cherry picked from commit fe108b671d09cf34a11270e286dcd4c4ce1c0597)

Add underscores to is_port* function names

(cherry picked from commit 593e9fe32d2959cd823fe5da55714ccfb9a0e958)

Merge pull request #3672 from phil-davis/handle-empty-port-alias-RELENG_2_3_3

Correct definition of ports for SMB used by the shaper wizard. Fixes #7434

Redmine #7428 Hanlde empty port alias

Refactor filter_generate_nested_alias

Provide functions for checking port range alias combinations

Fix handling of port ranges in this validation test. Ticket #7421

File a notice and omit rule(s) using a missing port alias. Fixes #7421

Don't process empty anchors as it could lead to flushing more than intended when cleaning up after relayd. Fixes #7396

Run custom deinstall commands during the deinstall phase instead of post-deinstall, otherwise they will never get run. Fixes #7401

Perform a filter reload after starting relayd so it does not leave the firewall without pf tables. Fixes #7396

Revert "C2758 is VGA only too"

This reverts commit e4324dcebd54bfc498bffd6d02b0afd7d8c674b9.

C2758 is VGA only too

Fix #7364 Console assigned VLAN disappears after reboot

(cherry picked from commit 75a1149e0104561446e6f90f98d98c6c13c52996)

Use the same cache filename pattern for RFC2136 IPv6 items as used by dyndns

Use | to separate dyndns IPv4 fields on cache file as done by rfc2136 items and for all IPv6 items

Setup XG-154x console to VGA only

Remove whirlpool from the list of CA/Cert digest algorithms as it does not work properly. OpenSSL claims it's not valid ("unknown signature algorithm"). Fixes #7370
While I'm here, stop needlessly repeating the algo list, it's a global in certs.inc, so use that single copy of the list.

Allow CloudFlare DDNS entries to use "" or "." for the hostname portion of the domain in the GUI to update the domain's @ record. Then in the backend code, remove that from the FQDN since CloudFlare doesn't like that to be sent explicitly. Fixes #7357

Fix is confirmed to work by two forum users: https://forum.pfsense.org/index.php?topic=122099.msg699763#msg699763

While I'm here, fix the case when the admin account has been removed.

When resetting admin account via /etc/rc.initial.password, Check if the admin account is expired and reset if needed. Fixes #7354

Fix the pkg_call() and set the timeout to a sane value (Bug #6594)
(cherry picked from commit 9c91c7bd747074b8cdaa90e8810f0c2df081f72d)

Fix #7299 and other stuff

As far as I can see, filter_generate_user_rule() is always supposed to be called with 'ipprotocol' set to 'inet' or 'inet6'. The cases of rules for both ('inet46') are handled by calling filter_generate_user_rule() twice, passing 'inet' then 'inet6'....

Captive portal: fix "Disconnect All" button

Welcome 2.3.3-RELEASE

Fix #7257: Use pfSense-upgrade to look for new versions

Revert "Add privs to control display of notices"

Fix #7051

This reverts commit 04665e78537906f7375668ca665cba17f95a4864.

Revert "Use cached groups in get_user_privileges"

This reverts commit c7c79905d3e0fd01172d373a15a1d0d77a5728e8.

Use cached groups in get_user_privileges

(cherry picked from commit 7abc3f992e5dd5bff53495844ce944163d6d1d9b)

Fix ldap_get_groups return value when down

In some places ldap_get_groups has:
```
return memberof;
```
It should have the "$" in front, so it will return the $memberof array (that is empty when this happens).

This causes issues for callers that expect to have a return value that is either false, an empty array, or an array of the groups....

Update version string at end of boot RELENG_2_3

When there is an upgrade, the echo here was outputting a stale value of the version. For example, on first upgrade from 2.3.3-DEVELOPMENT to 2.3.3-RC the console had:

pfSense (pfSense) 2.3.3-DEVELOPMENT amd6 Sat Feb 11 14:24:27 CST 2017...

It's time to 2.3.3-RC

5th try
- change $do_ping default value to 'true' (which emulates the previous default behavior) to avoid any unexpected results

(cherry picked from commit 20cf8d8e20fa28c16e86ce0d91e57e4d78427d26)

4th attempt!
- Reworked based on recent comments from @rbgarga

(cherry picked from commit c516cb287a78f7b05459e7fcba410f443d8eb8af)

3rd try!
- incorporate suggestions from @rbgarga with slight modification

(cherry picked from commit 6c2f093000b05285546e81dd1a578fc9b573b72b)

2nd try. . .

/etc/inc/util.inc:
- arp_get_mac_by_ip() updated to support IPv6
- attempt at code streamline

/usr/local/www/services_dhcp_edit.php:
- streamline code, now just a simple call to arp_get_mac_by_ip()

(cherry picked from commit dd83f869b79a858bd74c7a8bb4adcd49217445b0)

Add a pfSense php shell playback script to show the gateway status. Ticket #7046

Add a function to format and return plain text output showing the gateway status, for use by a shell script and status.php. Ticket #7046

Add playback scripts to drill into pf tables and anchors to list their contents.

Require Name field in Shaper

(cherry picked from commit 40dcb4b61a2c1213a0b3e213c78fddac845a0117)

fbegin.inc and fend.inc obsolete

(cherry picked from commit 5af0922d75724e1eac89017173457f57842387f8)

implement AWS API v4 signing

(cherry picked from commit ac5ee07ee1daef2f43e728895290ca6d11efe0f3)

commit initial fix; need to add hooks for region to zone id

(cherry picked from commit cb5961d1fa64a45cbec5ef5d677b57f8d62f50b5)

Simplify logic

Set ntp gps mode for pgrmf even if no other modes are being set.

(cherry picked from commit 821110e8ff76564c23783c554fc89cd9458683ac)

Add to NTP GPS processing of PGRMF sentence

(cherry picked from commit 6924a2bf34a70cd33284a28ca3575f33f9834375)

get_service_status_icon fix description_state format

If "description_state" is requested here, there are too many "%s" substitutions in the string for sprintf().

Also, to help translators, number all the "%s" substitutions. Then translators can rearrange the text and variable order if they need to....

Remove unused broken functions

Not sure what was the idea here, but these are not used anywhere, do nothing as they immediately call ```return false;``` plus the second one is also misnamed.
(cherry picked from commit edba33b5a567ab8c9d4827fa26a25bd9649e3fac)

Misc cleanups at get_pkg_info()

• rename function args to be clearer what they do ($local_only was quite ambiguous, at first sight it could mean any of: "don't update local catalog copy", "only check local catalog copy", or "only report local installed pkgs")...

fix copy/paste - I think!
(cherry picked from commit 2f633b526075b2ed5e0e160ef6f0d025b509bd70)

use wrapped version of pkg info -e instead
(cherry picked from commit e5f96a2cb3c0cad0c828148bd7b8d45c130a9b17)

get_pkg_info() fallback using pkg info if no local copy of repo catalog (resubmit)

Resubmit of PR #3157 with fix.

The issue in #3157 was that `pkg info` and `pkg search`, undocumented in man pages, seem to handle things differently if no packages match the pattern string. `pkg search` gives an error "No packages match [$pkgs]", whereas `pkg search` doesn't give an error....

Introduce is_intrange() to validate a range of integers delimited by ':' or '-'

Force compress for where_is_ipaddr_configured check_localip

(cherry picked from commit f0b1358dfe520ad3b771127127daed970ba2c0a0)

Force compress for where_is_ipaddr_configured

(cherry picked from commit cde28bfa0e11f268485ec1f6ccb73a3a2f66448f)

Always force compress when calling Net_IPv6

(cherry picked from commit 587995fb57f91894d1f8eb6b296a9fe2fa111fac)

Remove unused variable $cfglckkeyconsumers

Fix #7141 Add a priv for UPNP

so users can grant access to Services->UPNP
Note: Status->UPNP already has a priv and it works.
(cherry picked from commit a5a899e4388f2737a6d1cdc82c7325c20fb72ee4)

Fix #7139 Accessing help about this page

from a user that does not have admin or all page privilege.
(cherry picked from commit 166540830275318c8dec9199d8a9ee0e605f606a)

Fix #7136 Start OpenVPN on ordinary VIP

(cherry picked from commit ddf99718d5f1f4545483c39d3759fdfbb788b0fb)

Remove extra parenthesis and blank line

Simplify logic

Fix #7118 icmp-type any

When 'any' is selected as the ICMP type, do not write 'icmp-type any' in the rule, just leave it out.

Fix #7105: Old rules may not have ipprotocol defined, consider it icmp6-type only when ipprotocol is inet6

Make sure /var/tmp permissions are correct. Fixes #7120

Redmine #5549 Allow variable number of DNS Servers

(cherry picked from commit a2d23e88596deab6bbed2818385a0b72c913843a)

Fix #6153

Initialize cached IP and Time on loop for RFC2136 items, without this
the items used on last loop iteration will be used again and second
item on the same interface will not be updated

Ticket #6340:

- Stop misusing fsck F parameter, it's supposed to be used when you
plan to run background fsck after filesystems are mounted, what is
not the case on pfSense
Increase attempts to mount all filesystems as read-write to 10
- If we cannot mount filesystems as read-write, start a recovery shell...

Simplify logic

Fix #6712

Use system_hosts_entries to generate unbound host_entries.conf

Ticket #6712: Create system_hosts_entries()

This function will return an array all items to be added to /etc/hosts.

Ticket #6712: Create system_hosts_dhcpd_entries()

This function will return an array with dhcpd and dhcpdv6 items to be added to
/etc/hosts.

Ticket #6712: Create system_hosts_override_entries()

This function will return an array with dnsmasq or unbound items to be added to
/etc/hosts

Ticket #6712: Deprecate read_hosts()

Read local items from system_hosts_local_entries()

Ticket #6712: Create system_hosts_local_entries()

This function will return an array with 127.0.0.1, ::1 and LAN (or
first interface with no gateway when LAN is not there) items to be
added to /etc/hosts

Kill dhcpleases after we are sure we can write /etc/hosts

Fix style

Make sure IP address is v4 before create /etc/hosts entry

Exclude non-qualified hostnames from hosts file. Ticket #6064

Do not write a 'restrict' line to the NTP config if it will be empty. Fixes #7110

Only include files that ends with .inc

Add requirestatefilter. Implements #7069.

(cherry picked from commit 0a3150896bc412868cfb79473293ed81c87a50a7)

Captive portal: make captiveportal_disconnect_all() faster

captiveportal_disconnect_all() removes the users one at a time and in some cases, when many hundreds of users are connected, can take up to several dozens of seconds to complete.
Instead of looping through all users, send all the accounting information, reset the user database and delete all the active rules and reinit them. Use locking to prevent new users from logging in until the function ends....

openvpn, check for valid pid using isvalidpid()

(cherry picked from commit a1b39e949ab3a0e53ac4c1837f5d2c02b28142f3)

openvpn, make sure config is written and not overwritten while starting openvpn, and wait for pid of child process to be written before exiting function

(cherry picked from commit 8845e137b630497d47a8ce93fb072e47419f8af5)

Revert "get_pkg_info() fallback using pkg info if no local copy of repo catalog"

This reverts commit 46237e23f35db70a917939609061dce7b7f955f9.

Correctly report unmonitored gateway status

If an alternate monitor IP has been entered and saved, then the user
checks "Disable Gateway Monitoring" and saves, the alternate monitor IP
is retained in the config - that is handy for when unchecking "Disable...

get_pkg_info() fallback using pkg info if no local copy of repo catalog

Current behaviour

At the moment, get_pkg_info() is used to get all information on packages. The parameter $local_only is set to request info directly from the local copy of the repo catalog (using -U) without requesting the remote repo catalog or updating the local copy from the remote repo catalog. If the calling code wants only installed pkgs, it filters the returned list of pkgs looking for $pkg['installed'] == true....

Remove unnecessary reference

Captive portal: rework logging and RADIUS accounting when disabling a zone or rebooting

Make captiveportal_radius_stop_all() log the disconnections in the system log and fix it so that it works with the zone id parameter and sends complete RADIUS accounting packets....

Captive portal: use locking to avoid race conditions between rc.prunecaptiveportal and captiveportal_disconnect_all()

Convert rc.prunecaptiveportal to lock()/unlock()/try_lock() and use the lock to ensure that there aren't race conditions between it and captiveportal_disconnect_all()....

Captive portal: work around race condition between captiveportal_disconnect_all() and captiveportal_prune_old()

Captiveportal_disconnect_all() loops through the active users and disconnects them immediately but doesn't remove them from the user database, only adding them to a list that is processed after the end of the loop....

dyndns.class, fix json curl body parsing for Cloudflare by not including headers

(cherry picked from commit 15dcf1320c08eb9339eda3e6fdf04599c51694b7)

Added support for CloudFlares Proxy.
Included a checkbox to enable and disable this feature when CloudeFlare
type is selected.
Included proxied variable in the update script as well.

Defaults to false, as the is the current functionality

Added help text...

Rework openvpn_vpnid_next() and remove duplicated code

Fix #6357: Validate if RFC2136 dyndns updates succeeded