pfSense

Allow Dynamic DNS wildcards for Cloudflare #9361

(cherry picked from commit acfc36435c5a06e188917d11598f999a37f78469)

Update services_dyndns_edit.php

(cherry picked from commit 8b3e2e26f3082c78979842992acd1849ba42fcb3)

Azure DDNS whitespace only

(cherry picked from commit ed5b58a752a2241ce052851def2a7c846361146d)

Add Dynamic DNS support for Linode #9268

(cherry picked from commit b923a8251ca4b899936156db48fb9253745c41e3)

Fixed #8907
Support field size option in select control

(cherry picked from commit 7f486e5af62396622ca63b922ec6725de4df2bb5)

Add GUI option for IPsec tunnel closeaction. Fixes #9767

(cherry picked from commit 85c85e89ec7fad6974cd008d1f25676adf8e288d)

Sanitize barnyard_dbpwd in status.php output. Fixes #9764

(cherry picked from commit 24994f9a9df9a44e36cb544586684a5fecd61cda)

status.php: Sanitize snort/suricata oink and etpro codes.

(cherry picked from commit 17640476a57a41415fec579c40faebbfeff0022d)

status.php: Restrict thoth tests to arm64. Fixes NG 2569

(cherry picked from commit 12cf8e3fd03ab48f8798e148378e532758621a50)

Correct input validation for firewall rule VLAN priority/set. Fixes #9763

(cherry picked from commit 93db39ba1b7a72ad936a76aee2fe059a35b8af40)

Fixed #9731
by validating widget key with regex

(cherry picked from commit 42839d824d51cad3a8a55fccb2dc96368568ce8e)

status.php: Sanitize zabbix TLS psk info. Fixes #9729

(cherry picked from commit 60a7d1e1201f43ec48b0ad374ded1c15eb29e14e)

status.php: Sanitize influx_pass and cert_key. Fixes #9727 Fixes #9728

(cherry picked from commit 8bc944bbcba57f74934b87dcea4e7621f0743584)

Do not list OpenVPN interfaces as usable by DHCP relay. Fixes #8443

(cherry picked from commit c3667958a9e34dd0a4e4b736beb934ca55a0f82f)

Use batch mode for top so it displays process list w/o terminal. Fixes #9522

While here, set a high number of processes to display and also remove
the use of 'cut' which limited column length. With current display
method it's unnecessary.

(cherry picked from commit 4b84c39dbed64f221a052ec5be1fa325f71a413b)

Add auth server name change input validation. Fixes #9692

(cherry picked from commit 24c4275d7882352330fafd517fc948cba27bb979)

Allow NAT-T to be set with IKEv2. Fixes #9695

(cherry picked from commit 9c4f5b95eed5534ab797f104ad9f687359bd4818)

Add kernel memory usage to status.php. Implements #9705

(cherry picked from commit df5862939e7449294305a4f270ebfdce2a99c42d)

Redact ACB encryption PW. Fixes #9694

(cherry picked from commit 603764cbb089d2d0b6cd049d8ff8c8fae43d63d7)

Apply the same fix from issue #8469 to DHCPv6. Fixes #9448

(cherry picked from commit 7ba6788b155b92ad8c488c2891c9fe2601fe5c14)

User & Group Manager: Improve Deny Config Write Handling. Fixes #9259

• Denies all changes if a user has the Deny Config Write privilege.
  Previously it only denied the config write but some OS operations were
  performed.
• Sets an input error so the user is notified that their attempt failed....

Only prevent deleting IPsec VTI P2 when set to VTI. Fixes #9258

(cherry picked from commit 37c6083084617e3fd079876352109ff38aa6613b)

Correct wording of CA/Cert CN input validation. Fixes #9234

(cherry picked from commit 0c51971bafc708dc034663f79c04c7d187ddeece)

Fixup format of XMLRPC auth error to match GUI auth error.

(cherry picked from commit 6e0d47510ee553f5219c08c097c32d377985822b)

Picture widget corrections. Fixes #9610

• Sanitize user input before using as path/filenames
• Use a more accurate method of determining image type on read
• More sanity checks before reading images.

(cherry picked from commit 2c544ac61ce98f716d50b8e5961d7dfba66804b5)

Encode error output in services_captiveportal_mac.php. Fixes #9609

(cherry picked from commit d31362b69d5d52dc196dc72f66e830cd1e6e9a4f)

Encode hostname in services_acb.php before use. Fixes #9584

(cherry picked from commit fe482ccc1eaf59137b29008bc040faaad25088f0)

Ensure NTP values are treated as numbers before use. Fixes #9558

(cherry picked from commit c92dbfc189ee4cc66726d817f47e5473f8ffe147)

Add GUI components for MDS mitigation. Implements #9532

While here, add option to disable PTI display in sysinfo widget.
Implements #9323

(cherry picked from commit 42c48efe1c326273079ac38176098a1993f8ae88)

Use correct variable in IP address validation check for DNS. Fixes #9543

(cherry picked from commit 912562c4d76e9b629e99d44c56b363147d9ded0d)

Remove wildcards incorrectly used in isAllowedPage(). Fixes #9541

(cherry picked from commit cf529cbe33ae53f3f95b37a227da141b97465f20)

Fix a potential source of PHP errors when saving per-log settings. Fixes #9540

While here, fix save descriptions.

Implement new OpenVPN advanced options privilege. Fixes #9511

(cherry picked from commit 4a1841a1fabcba0100f6a4f505fc1e132c29da20)

Remove Advanced box from OpenVPN Wizard. Issue #9511

(cherry picked from commit b8ca6554d022e99921835a2fdb35103f41a7302e)

Fix ACB privileges. Fixes #9519

(cherry picked from commit 18c1de41332473dacd8a24ddf34e558f6366c714)

Add back DNS over TLS host verification code. Fixes #8602

Requires Unbound 1.9.0_1 from pfsense/freebsd-ports, which fixes a bug
in Unbound 1.9.0 which did not fully implement OpenSSL 1.0.2 host
validation support. See https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4206#c5...

status.php updates

• Ensure firewall info is generated when run from the CLI
• For SG-1100, also include its public key

(cherry picked from commit 2309b26a2b4643d9b4d0ea9be371004a781acc09)

Fix another typo

(cherry picked from commit a0930ca608eb6b22b256c95ab2d829932b085f82)

Fix typo

(cherry picked from commit 929cc874f6d32908739cc30e70c0eeba25127fb8)

Update copyright notices to 2019. Happy New Year

(cherry picked from commit 0b4c14a491664053aad3cc76e1ffd67b70ff2da1)

Add warning for OpenVPN client, server, and override privileges.

Since these can use OpenVPN advanced directives to call external
scripts, they can be used to run commands that the user may not
otherwise have access to run.

Issue #9510

(cherry picked from commit f75b0eb8e781570a84e8700b150e09e081ccacfe)

Encode download parameter before use. Fixes #9508

(cherry picked from commit ce77c104eee92cfbbc0d84980e60899295dadeac)

Encode descr in the WOL widget. Fixes #9507

(cherry picked from commit 5789a02eab9b2ebbcb1f28d1d037b408b436a853)

Encode output in status_filter_reload.php. Fixes #9499

(cherry picked from commit 1af9400d594cd183d011f22fa9b3a7630570a250)

Init array before use

(cherry picked from commit a8a0b1321d2a477772aac4d0034d819b61f2c9bf)

Do now show scheduler icon when scheduler tag is empty

Spotted by: Oliveira MaisSecurity <oliveira@maissecurity.com.br>

Initialized entries variable before use. Fixes #9359

(cherry picked from commit 9146639e722b4d437d19b5ade1157ae01849a313)

Use only sshguard table for blocking ssh/gui attacks. Issue #9223

(cherry picked from commit 555a9ab5c01101ddab7daa41f35d379d1c39b26e)

Fix output buffering when downloading config backups. Fixes #9390

(cherry picked from commit 4015b03d4b184e546cb3590430fee6f9953ce23e)

Update privileges

(cherry picked from commit 3b3e31c248b8185372251f8bd2fbc2a95652a7ec)

Fix OU Name DN entry when creating a user cert. Fixes #9317

(cherry picked from commit 354b1c750d9eeb9ccf0dc22033c9c813ec88e6f3)

Correct syntax error in diag_backup.php. Fixes #9316

(cherry picked from commit e0b32eb9e6b040fd14025b5c32644959ba67250e)

Force the <enableserial> on when restoring a backup on a device with serial only console.

Affects multiple devices.

Ticket #1547

(cherry picked from commit c91af4ac6a6b501b59a542acb4ace05e2b10e3ea)

Fix limiter selection validation.

(cherry picked from commit d0e9c310708fe7be6de86fe082f57e1fc27ce143)

Test $sform before use, fixes #9313

(cherry picked from commit 069585172e6408195b16bbe3090aeba56699ee51)

Ticket #9308: Replace use of /etc/ca_countries by get_cert_country_codes()

Make get_countr_code() parameter default to 'ALL'

Add validation and encoding to various firewall advanced values. Issue #9294

(cherry picked from commit 62baf0777924b2c21c832db3c0040988e7451c61)

Input validation and encoding of IGMP proxy addresses. Issue #9294

(cherry picked from commit 261916e5d3f833a58d5cef1afdadc7495ec2c74b)

Validate NTP GPS type, encode output. Issue #9294

(cherry picked from commit 938988609c306fcd44e25a053745c4b8332eeeb5)

Encode traceroute error message. Issue #9294

(cherry picked from commit 57ccd08bf7ee05b9a00750a1fd9cf8f148e0c9ac)

Validate submitted interfaces. Issue #9294

(cherry picked from commit 5cc7d21dc08be6c65a2bf7f8f4481dc13f4ae115)

Fix input validation of webguiproto. Issue #9294

(cherry picked from commit 56888f24ca2715e678a1324633a08d3a611b4136)

status.php optimizations. Implements #9290

• Rewrites the command output so it is first written to files, then read through line-by-line to PHP. Should be much more efficient and consume less memory, making the previously "too large" commands viable.
• Increase verboseness of ifconfig output, add supported media...

Fix desc of OpenVPN sync to show that it also syncs certs. Fixes #9283

(cherry picked from commit 9f3b87d898e1fa8a5bfa40758e5747515cc38ad4)

Packet capture page fixes. Fixes #9239

• Add "None" output level
• Detect large files and refuse to print them in the GUI textarea
• Ensure output buffering is off before doing readfile to avoid PHP
  consuming memory while downloading a large capture.

(cherry picked from commit 36192f4a459ec5d5baf06819102ba783c1725ba1)

Init array for 6o4 tunneling Fixes #9264

(cherry picked from commit 5345b25405101eba3112c1d5daef99bd3b308533)

Allow a trailing dot in a hostname on diag_dns.php. Fixes #9276

(cherry picked from commit e56c473d7c4c2e7de71c43420c844e452dbcfa82)

Remove links to DNSStuf tools. Fixes #9275

(cherry picked from commit 08c49b4d74b87bf34dd46a37837147b857eb8859)

Fix saving IPv6 over IPv4 tunneling NAT setting. Fixes #9264

(cherry picked from commit 3fcf5ad71216922921801d85d063d360fde5566f)

Change alias name/pf keyword check to be case insensitive. Fixes #9231

(cherry picked from commit 2c5d3b1e5002598cb799a182ccc1d6e66d3aac5d)

Init filter rules in firewall_nat.php. Fixes #9193

(cherry picked from commit 701728c0778cbb4ccf95ebfad30bf56339d1a7e3)

Fix DigitalOcean DynDNS client

Fixes the check on the return value since it's been updated to use
HTTP/2 syntax. Also adds logic to allow using `@` to denote updating the
root domain A record as well.

(cherry picked from commit 5878d529949aafef165acdce8e7daae234c9d2c4)

Minor fixes related to #9121

(cherry picked from commit 6f9729c0a53be67ced6d52e6e33dba6b237083ab)

Remove obsolete OLSRD code. Implements #9117

(cherry picked from commit 592bec817f152a7536572a675079776138827cc8)

Rework cert keylen/digest validation. Fixes #9180

(cherry picked from commit ed76624bf01c0d1718d427919145bf4e5f949264)

Fix array init in setup_wizard.xml. Fixes #9170

(cherry picked from commit f5f79fcc24241f0a76f6a7fe9b32917bee64e393)

Do not call interfaces_vlan_configure() every time an interface is edited in GUI.

This is just necessary when a parent interface is changed and we have to propagate the changes to all clones (MTU, FLAGS and others).

Add a logic to detect when a parent interface is changed and only then call interfaces_vlan_configure()....

Make the WF2Q+ the default scheduler for the dummynet limiters.

The WF2Q+ was the default scheduler in previous versions, it is well tested and support dynamic queues.

Add a note for the FIFO scheduler to make clear that it does not support dynamic queues (by design) and as such, it is working as intended....

Allow no username for FreeDNS-v6

Also include that and Digital Ocean in the help text.

(cherry picked from commit 92c39e9b923792a58b56323a7e2fb46f608b447f)

Fix #9121: Initialize arrays to prevent PHP 7 errors

Fix #8937: Show hwaddr for LAGG members

Fix few spelling issues
Ticket #9134

(cherry picked from commit 85a8f9b0ce0d0fac6f361bc5dfd09c67607020f1)

Update src/usr/local/www/vendor/d3/d3.min.js

Restored d3.min.js

(cherry picked from commit 2dd0ba04705396981dfc6d75ec6910799ba8846d)

Update src/usr/local/www/vendor/d3/d3.min.js

make sure to only pass valid options when supported by the browser

(cherry picked from commit 125ae17e59a54c2315c68336a02bf45a7820bf5b)

Removed js warnings

(cherry picked from commit 36742b464a1b4449e52cbd0b539fece507a3b23e)

Fix #9071: Make sure pkg metadata is updated when repo config changes

Remove unused variable

Simplify logic to remove packages section from backup

Initialize QinQ arrays before use. Fixes #9109

(cherry picked from commit 439d9beba0213c96281d8ff6b09ccb8136b1a0aa)

Fix change detection of GUI web server toggles. Fixes #9105

(cherry picked from commit 8207fac69158ad4a56deab4a4b4f6f4c3c361b81)

Add checkbox to disable SMTP SSL cert verification. Implements #9001

The default action is to validate the certificate. If the user knows the
server does not have a valid certificate (e.g. self-signed), this option
will allow encryption to be used without validating the identity of the...

Prevent CRL from using too large a lifetime on ARM. Fixes #9098

(cherry picked from commit 9aa8f6a864905c0e3738c337a51f0772b0c5eb93)

Improve handling of empty cert tags. Fixes #9099

(cherry picked from commit ca4456b95c53e89cf6b428a999ae15367b753073)

Prevent log size from being too large, which breaks clog. Fixes #9081

(cherry picked from commit 8bd36425b4bc46e5bbcc940a4d20bfbb2a0011ba)

Prevent PHP error when saving log config. Fixes #9095

(cherry picked from commit 4c4e294b0f1523827fa21066521674a435c8f670)

Add help text to sshguard whitelist
Reduce delete button size
Change label text to "Add address"

(cherry picked from commit 5514e368421171482e3e5b945f4c999cc0153fa8)

Fix #8864: Let users modify sshguard parameters and whitelist

Array initialization in NAT pages. Fixes #9080

(cherry picked from commit 42ad3b8b51e12b9e4c89b94e2a191495318f42dc)

Validate and protect powerd option values. Fixes #9061

(cherry picked from commit 3be699295e5cb7be24cc5361700be1a8b759e26c)