fix interface assignment menus running off VGA screen
Remove leftover :
When using VGA console, interface assignment can be a real pain in the ass because of the standard 80 columns width.
Dmesg reports the many interface description names in very long strings that don't fit in a row, this breaks the nice appearance of the interface list in the assignment menu....
Merge pull request #1842 from phil-davis/GW-Widget-Monitor-IP-2-2
Merge pull request #1894 from doktornotor/patch-6
Make the openvpn-server IP address consistent with CSC overrides behavior
Merge pull request #1888 from phil-davis/TGdesc22
Merge pull request #1837 from phil-davis/patch-5
allow port ranges for natport. Ticket #5156
Merge pull request #1811 from phil-davis/patch-10
Work around a chicken-and-egg problem in user syncing. See #5152. See also: 5372d26d9d25d751d16865ed9d46869d3b0ec5e1
Merge pull request #1887 from doktornotor/patch-8
Remove useless log spam. Ticket #4102
Check if our version of roll data is valid and if necessary, initialize the database.
This fixes the case where the database is not initialized because the used field in backup file is empty.
Fix the issue #5113.
Only add 6rd rules if there is an IPv4 IP defined for the gateway, otherwise ruleset ends up invalid. Ticket #4935
Fix incorrect netmask sent to client with static IP set in RADIUS (Bug #5129)
Misc encoding/display issues in the Load Balancer code
Encode server name in OpenVPN widget
Add description as a display option on Traffic Graph RELENG_2_2
Backport from master
Merge pull request #1834 from phil-davis/patch-1
Merge pull request #1840 from phil-davis/patch-6
Merge pull request #1844 from doktornotor/patch-5
Merge pull request #1845 from doktornotor/patch-6
Merge pull request #1835 from phil-davis/patch-2
Fix identification of IPv6 interface with PPP-type ifaces and DHCP6 (2.2.x)
For RELENG_2_2 - same thing as #1886
This has been broken ever since committed in 420aa48
As noted on https://redmine.pfsense.org/issues/3670 - the get_interface_ipv6() function in /etc/inc/interfaces.php incorrectly identifies the interface as the physical hardware interface. As a result, no global IPv6 address can be found (empty $ifcfgipv6) - https://redmine.pfsense.org/issues/3556
Encode auth server name before display.
Encode alias description details before attempting to display them.
Encode the rule description before displaying back to the user in an error when attempting to delete an in-use alias.
Strip HTML tags from a notice to avoid a potential XSS
make sure that cron is running before reconfiguring it (RELENG_2_2)
Same as #1828.
remove routed service, is being handled by the package (RELENG_2_2)
Same as #1829 for RELENG_2_2. This does not do any good there now.
Handle multiple notices in the same second RELENG_2_2
Backport of https://github.com/pfsense/pfsense/pull/1823
Redmine #5046 UEFI network booting arch 00:09
Redmine #4925 Fix version comparison for RELENG_2_2
Backport of https://github.com/pfsense/pfsense/pull/1826
Protect unset() with isset() for RELENG_2_2
Backport of https://github.com/pfsense/pfsense/pull/1821 to RELENG_2_2
Encode OpenVPN descriptions before display on OpenVPN status
Encode the OpenVPN server description before display on OpenVPN status
Ensure the current RRD graph category is encoded before display
Fix handling of the description in the shaper code.
Fix titles in status.php, filename can't have a slash.
Fix source address selection on Test Port to handle VIPs properly.
Fix a potential XSS in voucher testing.
Properly declare an error when a too-short voucher is submitted.
The "enableallowallwan" script should also allow bogons, or it makes running test firewalls with RFC5735/6890 test network style WANs a pain.
Add support for LDAP RFC2307 style group membership. Implements #4923
To activate, check the box for RFC2307 in the LDAP server settings and fill in the group object class (typically posixGroup).
Provide an LDAP server timeout field. Default to 25 seconds. Part of ticket #3383
Previous default was ~1m20sec.
Don't lowercase the whole group name
Fix GUI auth from RADIUS to grab group names from the Class attribute. Implements #935
The RADIUS server must populate the Class attribute with a string, semicolon-separated, of user groups. Similar to LDAP, local groups must exist with matching names, and privileges are determined by the local matching groups.
Ignore case when comparing package versions
So that "versions" that probably are the same will be compared the same: "Utility-1.0" and "utility-1.0"; "2.3.4_5 pkg v1.2" and "2.3.4_5 pkg V1.2" and "2.3.4_5 Pkg V1.2" and...
This will allow people to modify the case of the version text however they like without making the installed packages list look like there is an upgrade (or downgrade).
Compare package version strings with compare_pkg_versions
This fixes redmine #4924
Provide compare_pkg_versions
This function parses and compares two strings to see which one seems to represent the greater "version". It splits the strings into pieces that are digits and pieces that are anything else. e.g. "utility-24.9_5 pkg v4.5" becomes...
only read file if it exists, and only foreach if an array.
Allow to create empty bogons on nanoBSD
If for some reason the bogons file/s do not exist then this code creates empty ones before making any use of them in the rule set. On nanoBSD this can fail if the file system is mounted RO. Protect against this possibility by using conf_mount_rw and conf_mount_ro
This is handled above now.
More safety belts on CP DB open
Take more care when attempting to open the CP database. Don't assume it's valid before attempting to use it.
Reinitialize the captive portal database for a zone if it is corrupt/unreadable. Fixes #4904
remove the destination server's interface(s) from dhcrelay. Ticket #4908
remove more old, unused platform stuff
Fix killing of individual states for IPv6. Ticket #4906
fix whitespace
Use the appropriate source and dest IPs for all state types. Ticket #4907
remove old unused nopccard_platforms
sync rc.firmware_auto with master
Check both greater and less than for the configuration version in XMLRPC sync. Fixes #4902
Use an alternate method to find VIP targets that should be allowed for Captive Portal. Fixes #4903
Add "sockstat" output to status.php
Move cleargpt.sh and cleargmirror.sh scripts to main repo
Strip any \r when parsing URL table ports file
If the URL table ports file at the URL specified has lines separated by "\r\n" rather than just "\n", then the code here ends up with ports that look like "80\r" "443\r" ... and group_ports() does not match any of those and the final file ends up empty. That seems a shame just because the file was made in some editor that put "\r\n" line breaks. I messed about for a while trying to make my URL table ports alias work until I realized this....
Fix typo in variable name, spotted by Phil Davis
Change version to 2.2.5-DEVELOPMENT
Merge pull request #1794 from phil-davis/patch-8
Consider url_port alias type when checking port-type aliases V2
This time I have typed url_ports correctly.
add a check to avoid foreach on non-array
Upgrade config to 11.9. Changes IPsec peer ID for EAP types to "any", to retain previous behavior.
Change the log for CRLs with no data (exists but no certs revoked) to a warning since it's not technically an error.
Add 'any' option for peer ID, for mobile IPsec scenarios where you can't or don't want to check peer ID.
Lower LoginGraceTime to 30s, should be plenty long for users, and mitigates the password login attempt bypass bug in OpenSSH. Ticket #4875
Display monitor IP on Gateways widget
This version is for system patches to 2.2.4 systems
Bump to 2.2.4-RELEASE
Only omit rightid for PSK mobile types. Flip the logic here as the 2_1 !logic gets ugly.
change iketype auto to ikev2 on upgrade. Ticket #4873
Remove "auto", it's just a synonym for IKEv2. Ticket #4873
include vpn.inc so IPsec CRL reload works. require_once filter.inc in vpn.inc for callers there that haven't already included it.
Most of the flowtable bits were removed some time ago, take out the last of them too.
When a CRL is updated, refresh strongswan's CRLs.
Merge pull request #1775 from phil-davis/Interfaces-Widget-2-2
Add isset check for strictcrlpolicy
To be consistent with the checks in the rest of this code.
make the IPsec bypass LAN from LAN subnet to LAN subnet rather than from LAN subnet to LAN IP. Same end result except it'll work for VIPs on same interface now.
Add IPsec advanced option for strict CRL checking
fix typo
Handle IPsec Advanced Settings save before IPsec is enabled
If the Advanced Settings are saved before any other IPsec is set up then $config['ipsec'] can be just the empty string. As a result you can get: a) If you select some debug settings then those are not saved. The code to save those settings was only executed when $config['ipsec'] was already an array. Actually the code already did the necessary "if isset() then unset()" stuff. So I just took the "if is_array()" away from the code block....
write out built-in CRLs for strongswan
Interfaces widget use more obscure separator RELENG_2_2
Redmine #4859 fix for RELENG_2_2
Unset old CA and Cert in left system config
Unset any old CA and Cert in the system section that might still be there from when upgrade_066_to_067 did not unset them. That will tidy up old configs that had the conversion done originally but these old sections were left behind.
Allocate dnpipe and dnqueue numbers even if no filter rules
It would be quite unusual to have no filter rules array, but if that is indeed the case then the first part of this code that sets dnpipe and dnqueue numbers should execute anyway.
Captive Portal zoneid upgrade fix var name typo
With the typo, this empty() test would always have been true. So maybe on upgrade some existing captive portal zoneid values have been getting overwritten by this even number counter? Or?
Add "netstat -ni" to status.php
Allow pre-filling (but no automatic action) of the download filename on exec.php. Setup a link to download the status output.tgz in status.php