pfSense

Add a ZFS reservation of 10%

Automatic outbound NAT for Reflection IPv6 support. Fixes #12500

Add Chelsio T6 CXGBE (cc) to ALTq capable list. Fixes #12499

Do not detach ng_ether from physical interfaces

There's no measurable performance impact¹ of leaving an unused ng_ether
node attached to ethernet interfaces, so don't waste time trying to
ensure we only attach to interfaces where we expect to use netgraph....

IPsec SPD status updates. Implements #12397

• Fix backend parsing of setkey data
• Check for VTI vs tunnel mode
• Output mode in GUI status, and VTI interface name if available
• Make directionality of endpoints and arrow icon match in both the
  direction column and tunnel endpoints column.

Elliptic Curve 25519, 448 bit -> Elliptic Curve 448, 448 bit PH2 rename. Fixes #12350

Delete stale OpenVPN RADIUS ACL generated rules. Fixes #12481

DNS check optimization for NDP diag page. Fixes #11512

Fix OpenVPN status page halt function when client_id=0. Issue #12416

IPsec PC/SC daemon status / services page fix. Issue #12468

Remove stale captiveportal_online_users file on boot. Fixes #12455

Send reboot/reroot/halt notification. Implements #12441

Reset CP DB on unclean shutdown if preservedb option is not enabled. Fixes #12355

GRE/GIF interface configure fix. Issue #12288

Elliptic Curve 25519, 448 bit -> Elliptic Curve 448, 448 bit rename. Fixes #12350

Mute kernel messages on dummynet and thermal hardware modules load. Fixes #12454

Use proxy for DDNS Check IP Services. Feature #12342

Dynamic DNS proxy option. Fixes #12342

Slack Notifications. Feature #12291

Do not check subnet overlapping on 6RD interfaces. Fixes #12371

DNS check optimization. Fixes #11512

IPv6 Port Forwarding Proxy+NAT input validation. Fixes #12319

Improve XMLRPC Sync for dhcpd. Fixes #10955

Allow to halt OpenVPN client on status page. Issue #12416

Do not show Configuring IPsec VTI interfaces message at boot if no VTIs are configured. Fixes #12419.

Remove unused function from pfsense-utils.inc. Todo #12406

Fixes redmine #12396

Bump up the config version to match a change in plus.

Keep 'enableserial_force' in /conf when a factory reset is performed.

Ticket: #6880

Do not restart IPsec on every gateway alarm. Fixes #12039

additional fix #7801 Include IPsec P2 address type in vpn_networks

Fix disk widget upgrade script assuming widgets always have an index

• Removes disk usage from system information widget
• Adds Pfsense\Services\Filesystem\ library
• Adds new disk widget

captiveportal: fix ipfw rules

When we authorise a client we add it to the *auth(up|down) tables.
This means traffic will pass and not be forwarded, as piped traffic does
not pass through the firewall again (if net.inet.ip.fw.one_pass is set).

However, these rules are 'layer2', so when the traffic is passed it's...

Initial commit of useful dependencies provided by Composer

Make ssh PermitRootLogin conditional. Fixes #12346

IPsec Widget none/disabled tunnels fixes. Issue #12337

Yandex PDD DDNS token fix. Issue #12331

Add boot msgs for final IPsec steps. Issue #12328

Use correct var f/OpenVPN IPv6 ACL. Fixes #12333

Fix variable name when referencing an OpenVPN IPv6 tunnel network while
creating a DNS Resolver ACL entry.

While here, also add a safety check to ensure we never attempt to add an
ACL with an empty address.

Fix the option 4 in menu, factory reset.

Correctly resolve VTI remote addr. Fixes #12328

Use ipsec_get_phase1_dst() to resolve an IPsec P1 remote gateway
address rather than passing an FQDN directly to ifconfig

IPsec PH2 AH proposals order fix. Issue #12323

OpenVPN exit notify & inactive incompatibilities

• Ignore exit notify in problematic cases. Fixes #12102
• Ignore inactive seconds in problematic cases. Fixes #12219
• Warn against using these options in problematic scenarios
• Hide from the GUI in obvious incompatible scenarios

Cleanup and improve easyrule. Fixes #12151

OpenVPN Aliases support. Implements #2668

Consider GWG in ipsec_force_reload. Fixes #12315

Rename a few missing Netgate devices.

Super Micro XG-1537 -> Super Micro 1537
Super Micro XG-1541 -> Super Micro 1541

Add null check. Fixes #9092

If the value is undefined in config.xml this will be null, not an empty
string.

Fix a typo in the Netgate 5100 name.

Rename the Netgate devices.

XG-15xx -> 15xx
SG-5100 -> Netgate-5100

Revert "Clean up some messy HTML in the cert/ca display code. Prep for future MVC changes."

This reverts commit 8d4fcd7ac1167894136e337fc619e63fa7200fa0.

Increase default RA intervals. Fixes #12280

Increase default RA intervals. Fixes #12280

This code path was not included in the original diff.

radvd: Avoid empty AdvDNSSLLifetime (Fixes #12173)

Make sure $raadvdnsslifetime is defined on second foreach

Disable newsyslog compression w/ZFS. Issue #12011

ZFS compresses /var/log by default. If the ZFS dataset /var/log has
compression enabled on the first boot post install or factory reset,
then set a flag to disable newsyslog compression unless the user
overrides the setting in the configuration....

Don't wait on manual IPsec actions. Fixes #12298

Use a timeout with swanctl --initiate, and use --force for swanctl
--terminate. This will allow the commands to succeed and return without
waiting on the remote to respond. The negotiation continues in the...

IPv6 fix for setdefaultgateway(). Issue #12282

Change /var/run to tmpfs. Implements #12145

Update IPsec Filter Mode text. Implements #12289

VTI mode also works for transport mode (e.g. GRE), so note that as well.

Increase default IPv6 router advertisement (RA) intervals and lifetime. Fixes #12280

Convert RAM disks to tmpfs. Implements #12145

Allow to use nested URL alias in URL alias. Fixes #11863

Regex cleanup should also kill {}. Fixes #12257

It's not used often (and less in the GUI) and can be a source of
problems with large numbers of repetitions even outside of grouped
expressions.

Use SHA512 to hash user password. Implements #10298

Original commit by Viktor Gurov

Ensure Unbound python script exists. Fixes #12274

Check to make sure a referenced python script exsits before attempting
to use it in the Unbound configuration. If the file does not exist,
Unbound will fail to start.

Correct grep usage where needed. Fixes #12265

Regex cleanup change. Fixes #12257

Rather than attempting to cleanup group repetition, just discard the
unwanted pattern.

Move IPsec Mobile additional configuration attributes to strongswan.conf. Fixes #11447

Fix IPsec PH1 with Remote Gateway 0.0.0.0 rules creation. Issue #12262

VLAN/QinQ-only interface mismatch detection. Fixes #12170

More route display changes. Fixes #12257

• Move escape_filter_regex() from syslog.inc to util.inc since it will
  be used by things other than syslog.
• Add some basic regex sanity and consistency check functions
• Cleanup diag_routes.php route filter before use...

Do not delete disabled routes. Fixes #10706

Prevent deletion of OpenVPN instances with assigned interfaces. Fixes #12224

Reconfigure stacked IP Aliases on parent CARP VIP changes. Fixes #12227

Display Gateway IPv6 on status_interfaces.php regardless of Gateway IPv4 status. Fixes #12253

Fix is_hostname() regression. Issue #12245

Update convert_friendly_interface_to_friendly_descr() to show IP Alias description. Fixes #11337

Use client-connect/client-disconnect script for Remote Access (SSL/TLS) server mode. Fixes #12238

Set $retries=10 in resolve_retry() to improve resolution timeout. Fixes #12196

1:1 NAT rules creation update. Fixes #12168

• Fix 1:1 NAT rule creation when Any is selected for Internal IP
• Fix 1:1 NAT rule creation when Any is selected for Internal IP on 6RD/6to4 interface

Parse ARM 32/64 network boot options on Static DHCP Mapping page. Fixes #12216

Do not create disabled IPsec VTI interfaces. Fixes #12212

Router Advertisements fixes. Issue #12173

• Set AdvDNSSLLifetime value to 3*MaxRtrAdvInterval per RFC 8106
• Provide DNS configuration via radvd checkbox fix

Write CRL files only if certificate authentication is used in IPsec. Fixes #12195

Hide pcscd service from the service list if IPsec PKCS11 support is disabled. Todo #11933

NTP Server SHA256 authentification support. Implements #12213

Delete OpenVPN related config files for disabled instance. Fixes #12223

Support for UEFI HTTP Boot option in DHCP config. Implements #11659

Wireless Channel/Width Issues fix. Issue #12234

Clean up some messy HTML in the cert/ca display code. Prep for future MVC changes.

Merge pull request #4512 from jvandervyver/master

Merge pull request #4530 from Alexilmarranen/master

Merge pull request #4534 from Uglymotha/master

OpenVPN status f/tap+empty tunnel net Fixes #12232

Correct syntax. Fixes #12229

Improve NTP serial port validation. Fixes #12191

Init [''system']['acb']

Ensure ACB config section exists

Install ACB cron job on upgrade