pfSense

miniupnpd: Generate miniupnpd config using more explicit bools

The miniupnp config section has boolean flags that are either true with the value
'on', and are inferred to be false by omission or an empty value. To be more
explicit when generating the miniupnpd config, compare these values to 'on'...

Fix rule label for default IPsec rules. Fix #16095

Fix new log preference checkboxes

Fix regression from 7dc6055725cd400c04ead94560cda876de3f253d

Move IPv4 link-locak firewall logs into a separate log preference. Implement #16092

Fix a type while here as well.

Activate snort2c log preference

Followup to b67a4eae7b9b815480789b08aa0c847f5689dede.

Move snort2c firewall logs into a separate log preference. Implement #16092

Include reason for firewall log actions. Implement #15415, Fix #16093

Show the rule for packets dropped due to IP options

When clicking the Action icon for a firewall rule log, the rule is not
shown when it's a "pass" rule that dropped the packet due to IP options.

Refactor firewall logging preferences

Move the firewall logging preferences to a single string[] variable and
make it a global. No functional changes.

Revise log preferences descriptions

Move log preferences to a separate form section

Strip manufacturer from MAC field passed to WoL from ARP table. Fixes #15162

Remove references to old CSS classes

Refactor filter_rules_compare()

Improve readability and avoid code duplication.

Add GUI support for NAT64 rules with route-to

https://redmine.pfsense.org/issues/2358

Insert rules at the correct index when adding it at the top. Fix #16076

Fix the mount(8) return value checking.

With the fix the system will not try to remount a successful mounted slice
with another file system type.

Restore the original intention of the code while avoid potential problems.

Spotted by: SteveW - in a test with the kernel debug options enabled.

Fix typo in upgrade_238_to_239()

Add a sequence number to each rule during rule sort. Fix #16076

The 'for' loop first checks if the rule at that iteration exists and
breaks if not. When the rules array contains a gap, the 'for' loop breaks
early and potentially misses additional rules that need to be sorted. Fix...

Sync admin group changes. Fix #15898

The admin group needs to be removed and readded for its settings to sync.

This reverts commit 3e0facb20fa46a13bf7b70d6ddb1970b00485eb2.

Add combined IPv4/6 system aliases

https://redmine.pfsense.org/issues/15776

Fall back to routing via the interface for dynamic gateway monitoring IPs

It's possible that when setup_gateways_monitor() is called, the gateway
address is not yet available. To avoid routing the monitoring address via
another gateway, fall back to routing via the gateway's interface instead.

Don't set invalid config value for ntpd interfaces. Fix #16063

This regressed after the config access refactor. To keep the same behavior
from before the refactor, simply set the correct values.

Fix clobbered cron configuration on upgrade

Fix typo in Firewall State Policy description

Clarify failover state-killing behavior for gateway groups

Properly quote these variables and use the built-in echo

Remove SED as it is now unused

Simplify clearing the arp table by using functionality built into arp(1)

Properly quote these variables and avoid using test -o

Avoid using test -o and use || instead

Properly quote these variables and clean up some spacing

Properly quote these variables and use the correct equals

Properly quote these variables

Fix using proper equals and separate this test properly

Clarify descriptions for State Killing on Gateway Recovery

Force a DDNS update when changing interfaces. Fix #16046

Remove redundant call to dyndnsCheckIP()

The variable '$this->_dnsIP' is set when the object is constructed and
when the function '_detectChange()' is called. It is additionally set in
the function '_checkStatus()' - this is redundant since by this point the...

Respect the RR type implied by the DDNS Service Type. Fix #16045

Background:
In previous pfSense versions, the RR type and the IP address family used
to make the DDNS request were assumed to be the same and could be
overridden for specific DDNS services. The implementation of #11177 avoids...

Exclude states that don't match the selected interface. Fix #16043

Improve performance of state display in diag_dump_states.php

The variable $killdstip was previously used in the tool-tip for the kill
state icon which later changed to reference srcip/dstip instead. Improve
the performance by removing this variable, assigning each state's date in...

kea: don't define pd-pools using ISC config

kea: ensure all (rogue) instances are terminated. For #16019

Compare system version using the pfSense-system package

This returns the previous behavior of comparing the package which has the
product dependencies.

Exclude the ramdisk restore log from the archive

The ramdisk restore log is meant to log the latest restore attempt. It
must be excluded from the archive to avoid clobbering the active log used
while the archive is being extracted.

Add a reminder to stop/start the RA service when the prefix has changed

The DeprecatePrefix option for radvd only triggers on shutdown.

Followup to 646389402feb2dd94171d7c81d4be67feef4f8d8.

Reduce rc.newwanipv6 actions on RENEW

This change passes the dhcp6c REASON to the script. The script uses this
to retain the previous behavior for REASONs other than RENEW. If the
reason is RENEW, action is only taken when there has been a change. Also
include the REASON in the info log message....

Trigger rc.newwanipv6 on dhcp6c RENEW

The upstream DHCPv6 server may respond to the RENEW with a different
prefix hence the rc.newwanipv6 script should be called. The script should
avoid taking action as appropriate when the address has not changed.

Part of https://redmine.pfsense.org/issues/12947

Fix regression when configuring the interface MAC address

Followup to dbb8c4840dbd75f28528a3ce4a0070091d95336a

Generate the UUID using the external interface MAC

Use the configured external interface to generate the UUID and serial for
miniupnpd.conf. Additionally, resort to using a random MAC on failure.

Handle a null return from pfSense_get_ifaddrs()

- Update the usage of get_interface_addresses() to handle a null return
- Update the usage of get_interface_mac() to handle an empty string
- Remove unused argument from interface_qinq2_configure()

Improve various pieces here, properly quote variables, use = properly, and use || instead of -o

Simplify fetching the physical mem and do the calulation in shell instead of using expr(1)

let is not valid in shell and fix the calculation too

Remove useless use of cat

Fix spacing and use tabs consistently

Properly quote variables and switch to $( ) instead of backticks

Properly quote these variables

Improve these tests by avoiding -a which might cause commands to run on the right-hand side

Instead of using a negative -z test, use -n

Improve these tests by avoiding -a and -o which might cause commands to run on the right-hand side

Simplify checking the exit code from these commands

SC2086: Properly quote these variables

Simplify generating the random time to sleep by using jot(1)

Simplify this check

Remove unnecessary case statement since tar now uses libarchive and handles the different types of compression automatically

Fix the case where pfSense_get_ifaddrs() returns NULL.

It happens when the interface has no address (triggered with pppoe).

Simplify rc.restore_ramdisk_store

Reorganize how RAM disks are created

This improves things by moving the read of the sizes for the RAM disks
up before things are unmounted and so we have a good linker cache for
xmllint to run and also avoids spawning another shell just to mount the
RAM disks.

Setup the dynamic linker before we call xmllint

Move dictionary.pfsense into PREFIX where it belongs

Shell exit codes are between 0-255

Simplify these calculations by doing them directly in the shell

Pet shellcheck SC2086 and properly quote variables

Replace cut with awk.

The awk can deal with multiple spaces and/or tabs as delimiters for the input.

While here, quote a couple of variables.

Consider the linklocal_fallback value when checking the interface cache

This is needed to make sure that callers to find_interface_ipv6() using
different linklocal_fallback values receive the correct data.

Followup to ec7c1879da64f8a39e4aa8103c351768118af03d...

Add the swap partition created by growfs to the system fstab.

Fixes the missing swap partition with the emmc-serial images.

Ticket: #10888

Allow renaming when duplicating a gateway. Fix #16036

Fix condition check in get_interface_addresses()

Followup to ec7c1879da64f8a39e4aa8103c351768118af03d

kea: Introduce kea-specific UI and config for DHCP-PD

Don't include LL addresses by default in get_interface_addresses()

- Update get_interface_addresses() to make including the IPv6 LL address
optional. It defaults to the function's previous behavior.
- Update find_interface_ipv6() to pass the $linklocal_fallback preference...

unbound: filter link-local addrs from host_entries.conf. Fixes #16035

Fix regression with IPv6 LL addresses

- Update does_vip_exist() to correctly compare LL VIPs that include the
interface in the address (e.g. '%lo0').
- Return the previous find_interface_ipv6_ll() behavior of including the
the interface in the LL address....

Bump config version

Include Captive Portal zone description in messages

Remove the old Captive Portal configuration 'zone'

Consolidate Captive Portal zone name references from config

This change updates the code which uses the "captiveportal/<zone>/zone"
path to instead use "captiveportal/<zone>". The latter path is chosen
since most code that references the name uses this path and has the least...

Include all IPv6 address flags in get_interface_addresses()

Select an interface IPv6 address based on priority

pfSense_getall_interface_addresses() is deprecated

Use pfSense_get_ifaddrs() instead which now includes LL addresses.

Modernize this check as using x-prefix is not needed any longer

Config access regression when installing cron jobs with RAM disks

Respect binding to IPv6 when updating AAAA records using RFC2136. Fix #16028

- Move the "local" nsupdate configuration line condition so that it is
set when "recordtype" is AAAA.
- Don't clobber the "$if" variable with the loop since it's also used
later with "get_interface_ipv6($if)"; this fixes the IPv6 status....

Respect address family for RFC2136 when calling dyndnsCheckIP()

The "usepublicip" option is only used for IPv4.

Fix RFC2136 status info

- Use the correct variable name
- Remove the duplicate IPv6 file check

ppp-ipv6: Fix indent

Fix ACB syntax error w/o password. Issue #16013

Do not use the lua script on armv7, it is not supported.

Fixes the warnings at boot.

ACB Device Key Changes + General Refresh

- Changed default method of device key generation.
Implements #16016
- Added mechanism to change the device key.
Implements #16015
- Added download function for device key(s).
Implements #16015
- Fixed detection of changes since previous backup to skip redundant...