Add RFC 8031 Group 31 to IPsec. Implements #9531
Use correct certificate path for LDAP
Implement new OpenVPN advanced options privilege. Fixes #9511
Remove Advanced box from OpenVPN Wizard. Issue #9511
Fix ACB privileges. Fixes #9519
Strengthen path privilege check. Fixes #9513
Make widget privilege matching more specific. Fixes #9512
Add warning for OpenVPN client, server, and override privileges.
Since these can use OpenVPN advanced directives to call external scripts, they can be used to run commands that the user may not otherwise have access to run.
Issue #9510
Encode download parameter before use. Fixes #9508
Encode descr in the WOL widget. Fixes #9507
Encode output in status_filter_reload.php. Fixes #9499
Init array before use
Update status.php to use ping-auth for pubkey
Fix another typo
status.php updates
Fix a typo.
Reported by: jimt
Fix typo
Rewrite unbound remotecontrol.conf when it is empty. Fixes #9470
Revert "Change ovpn_auth_verify_async to php-cgi. Fixes #9460"
check_reload_status 0.0.10 fixes the original issue, this can go back the way it was.
This reverts commit ce76f299853dccb036de229f08a30013593c98fd.
Change ovpn_auth_verify_async to php-cgi. Fixes #9460
Add parens around NAT reflection rule interface. Fixes #9446
Do now show scheduler icon when scheduler tag is empty
Spotted by: Oliveira MaisSecurity <oliveira@maissecurity.com.br>
Use new/stronger openssl options for crypt_data(). Fixes #9421
Retry with legacy options if new options fail, so we can still read old style data from previous encryption runs (e.g. old encrypted backups, ACB entries, etc)
Better error handling and suppression to prevent issues like #9421.
Update openssl syntax for crypt_data(). Fixes #9420
LDAP TLS option update. Implements #9417
Use the same regex used in parse_firewall_log_line().
No functional changes.
Fix empty log files in the GUI. Fixes #9415
While here, add CARP details to proto field of GUI log view.
Fix CA/Cert search description. Issue #9412
Fix bonus closing tag. Issue #9412
Add sorting and search to CA/Certs. Implements #9412
Correct OCSP Must-Staple cert check for OpenSSL 1.1.1. Fixes #9408
Create /var/crash after creating /var RAM disk. Fixes #9409
Test modules path before scanning. Fixes #9400
Update obsoleted files from FreeBSD 11 -> 12
Add missing obsoleted files
Deprecate the built-in relayd Load Balancer. Closes #9386
It is not available on FreeBSD 12 with OpenSSL 1.1.x.
Users can migrate to the HAProxy package.
Fix the spamming of warnings about ttyv0 not being available on ARM64 devices.
While here, use a more meaningful name for the function.
Generate hints for the kernel loader.
Initialized entries variable before use. Fixes #9359
Use only sshguard table for blocking ssh/gui attacks. Issue #9223
Remove unnecessary expiretable cron jobs for ssh/gui lockout. Issue #9223
Fix output buffering when downloading config backups. Fixes #9390
Revert "Remove definitions of conf_mount_r[ow]"
Leave functions declaration for now to prevent errors during upgrade.
This reverts commit da3ef5a3b359edb27bb9bb2b88a93cfb5ea8a0d1.
Update SMART status page with more detail/commands. Implements #9367
Fix more illegal offset errors. Issue #9366
Target the proper loop in switch statements. Issue #9365
Fix some illegal offset errors. Issue #9366
Fix deeper continues. Issue #9365
Move PHP to 7.3.x
Add support for PHP 7.3.x
Remove PHP 5.x support
Comment out all pfSense_fsync() calls until it's properly fixed
pfSense_fsync() call just before rename() is breaking it. Comment out for now until it's fixed
Remove definitions of conf_mount_r[ow]
Remove /etc/conf_mount_r[ow]
Remove all calls to conf_mount_r[ow]
Revert "pfSense_fsync() call just before rename() is breaking it. Comment out for now until it's fixed"
pfSense_fsync() is fixed now
This reverts commit cea9d3b7dc6f7ac8450a2a8f4b630b1b6b69827b.
Update loader.conf when maximumtableentries changes
On Firewall -> Advanced -> Firewall, when maximumtableentries item changes, make sure /boot/loader.conf is changed accordingly. If the value is bigger than sysctl net.pf.request_maxcount, then warn user that...
Add net.pf.request_maxcount to loader.conf
On FreeBSD 12 and newer pf uses this sysctl to define maximum number of items supported by its allocations. Make sure it's always present in /boot/loader.conf and set it to the same value of config item for system -> maximumtableentries
Remove invalid MACs from sshd_config
Update translation files
Regenerate pot
Update privileges
Update gwlb.inc
(cherry picked from commit 58d009bc41137e77d799e53a8ce8c02215274eac)
Correct BUG 9004 -> set the default gateway when the system starts and a gateway_group is the default IPv4 gateway
(cherry picked from commit 67dd34a0996c14fdfeb1823e07fb3c82748d3794)
Fix OU Name DN entry when creating a user cert. Fixes #9317
Correct syntax error in diag_backup.php. Fixes #9316
Bump version to 2.5.0-DEVELOPMENT and use RELENG_2_5 branch, based on FreeBSD 12.x
Force the <enableserial> on when restoring a backup on a device with serial only console.
Affects multiple devices.
Ticket #1547
Fix limiter selection validation.
Test $sform before use, fixes #9313
Ticket #9308: Sort country codes
Fix #9308: Obsolete now unused /etc/ca_countries
Ticket #9308: Replace use of /etc/ca_countries by get_cert_country_codes()
Ticket #9308: Implement get_cert_country_codes() to get the list of country codes to be used by CAs and Certs
Make get_countr_code() parameter default to 'ALL'
Add back DNS over TLS host verification code. Fixes #8602
Requires Unbound 1.9.0_1 from pfsense/freebsd-ports, which fixes a bug in Unbound 1.9.0 which did not fully implement OpenSSL 1.0.2 host validation support. See https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4206#c5
Add validation and encoding to various firewall advanced values. Issue #9294
Encode shaper queue name before printing. Issue #9294
Validation is already present and prevents bad values from being entered.
Input validation and encoding of IGMP proxy addresses. Issue #9294
Validate NTP GPS type, encode output. Issue #9294
Encode traceroute error message. Issue #9294
Validate submitted interfaces. Issue #9294
Fix input validation of webguiproto. Issue #9294
type cast traffic graph inputs to fix #9072
status.php optimizations. Implements #9290
Fix desc of OpenVPN sync to show that it also syncs certs. Fixes #9283
Fix handling of special swap cases. Fixes #9281
Packet capture page fixes. Fixes #9239
Init array for 6o4 tunneling. Fixes #9264
Allow a trailing dot in a hostname on diag_dns.php. Fixes #9276
Remove links to DNSStuff tools. Fixes #9275
Fix saving IPv6 over IPv4 tunneling NAT setting. Fixes #9264
Convert rc.disable_hdd_apm to use camcontrol
Update copyright notices to 2019. Happy New Year
Change alias name/pf keyword check to be case insensitive. Fixes #9231
Ensure IPsec P1 entries have a 'protocol' value. Fixes #9207