Fix #3866 Firewall Log Filtering
on master
This really does not need the =
Remove wrongly used type
Ooops restore this
Inverse the sense of the toggles to avoid configuration upgrades
Actually use the new toggles
Only for mobile users
Provide a first implementation of EAP-TLS authentication with IKEv2. It is a start and might not work on all cases
Make this work properly and not throw out errors.
Add a function to redirect to a page passing parameters through POST
Fixes #3666. Set the sysctl net.inet.icmp.reply_from_interface to 1 to use the incoming interface to send the icmp reply from. It uses another part of patch to pf to undo NAT if it was already performed before
Add security privilege for new page
Fix path to xml and make sure the parser will see the custom tags
Add pages missing from the Status > Traffic Graph privilege that are required for the full page to load
Merge pull request #1260 from DasTestament/master
Make use of the xml output from stroke leases command
Change is_port() to only validate a single port, we have is_portrange() for specific cases. Make necessary adjustments after checking all is_port() calls. It fixes #3857
Return something meaningful until the widget is made to work correctly
Remove racoon references
Remove traces of older implementation still present
Put some tuning on number of half open connection possible in one time.
Provide some parallelism on the IKESA lookups for heavy loaded boxes.
Actually roll this back since it was a testing glitch
Also here be more strict on checking to return proper result. (some missed from previous commit)
Also here be more strict on checking to return proper result
Merge pull request #1273 from fsSnowboard/master
Make sure dhclient is not running before starting it, it fixes console interface setup when interface is using dhcpv4. It should also help #3482
Implement a function to kill dhclient process, sometimes it takes a little time to die, so use a sleep(1) there
find_dhclient_process() returns an int, not string
Be more explicit
Correct log prepending value
Some device names are bigger now (eg vtnet, ixgbe, cxgbe)
Correct generating loglevels for startup through ipsec.conf
Fix minor typo to name and port range
Typo on the name of the FaceTime shape rule, and missing 1 from GoogleTalk port range.
Fix guess_interface_from_ip() to account for differences in netstat output. Fixes #3853
Blah unconditionally set rightsourceip per https://forum.pfsense.org/index.php?topic=80300.0 Until pools can be supported properly.
As pointed out by Ermal, VIPs should go first in the list since NAT is first match. Ticket #983
igmpproxy param -d doesn't like the space before optarg. Fixes #3852
Fixes #3664, actually make sense of this function to work properly
Fixes #3823 Properly parse auth tags as variables
Add more services and reorder
Add following shaping rules: ARMA 3, WII, EA Origin, Games For Windows Live, Crysis 3, DeadSpace 2, DeadSpace 3, DragonAge2, MassEffect3, Facetime, Google Hangouts, TeamSpeak 3, Ventrilo, iTunes Radio, IMAP/S, POP3/S, SMTP/S, Apple Mobile Sync...
Fix subnet display for IPsec status. Ticket #3826
Merge pull request #1258 from yarick123/master
Fix match for help pages privileges, it fixes #3777
Do not use regex to check filetype to avoid being wrong since . is a regex metachar. It fixes #3817
Merge pull request #1255 from leleobhz/master
Take virtual IPs into consideration for automatic outbound NAT rules, it should now fix #983
delete the dhcpd.pid file before starting dhcpd. Fixes bug where on rare occasions a stale PID file could prevent dhcpd from starting until it's manually deleted.
fix #3515
Move the fetching of a package's config file and additional files to separate functions, and then have the "xml" package button perform these so that it is not only a redundant copy of the "pkg" reinstall button. This can help ensure a package's files are in a known-good state before other actions are performed, in case the deinstall would fail or behave erratically due to other files being missing.
Correct the ipsec status pages to show proper information as needed.
Correct processing and assignment on ikeid variable so it does the right thing
Use proper path to setkey now that ipsec-tools are not used anymore
Correct the functions for returning tunnel status to use strongswan status reports
Allow HASH algorithms to be empty for phase2 in case the encryption one is AES-GCM
Do not allow duplicate subnet entries on left|rightsubnet specification since it will blackhole all traffic to that subnet when connection is setup as route
Do not accept proposal out of that configured even for IKEv2 even though there is no possibility in the GUI to set more than one proposal for Phase1 so far.
Restore behaviour as with racoon to trigger tunnel startup from traffic that needs to go into the tunnel. Even related to Ticket #3806.
Do not show errors from trying to delete a socket or similar
rightsourceip must be used with PSK+Xauth.
This is required for PSK+Xauth. I'll commit that clarification in a bit.
Revert "Revert "Fix assignment of tunnel IPs to mobile clients.""
This reverts commit 23ba08fc940b711f3b44551199890dc8e28a63b6.
cherry pick from 'hotfix/3347-Certificate_Authority_SAN_names_not_working':
bugfix #3347: Certificate Authority SAN names not working in 2.1
subjectAltName can be set only via configuration file - created three extra sections in openssl.cnf to use in case of existing subjectAltName....
Revert "Fix assignment of tunnel IPs to mobile clients." This normally is not needed since the attr plugin deals with all this.
This reverts commit 00311d6a841c0f6fc162ea11da06569f10220f5e.
Actually disable this plugin for now. It was not really needed for solving the issues with IKEv1
Move dhcp6c log to dhcpd.log, it fixes #3799
Remove double defined 'localhost' on the list of networks to create outbound NAT rules. It should fix #3800
Do not create automatic outbound NAT rule for disabled openvpn servers and clients
Fix assignment of tunnel IPs to mobile clients.
Fix #3798 - 'IPsec phase 2 pinghost is not used if the source IP should be a virtual IP address'
Avoid a "Cannot use string offset as an array" error if the packages section of the config is missing.
Correct this so the dpdaction is created properly as restart
Do a reload on the configuration which is better than update. Also let the keyingtries to 3 rather than forever to avoid problems on recovery.
Change the logic of the vpn config generation to make connectivity more stable especially ipsec. Also for IKEv1 just generate the policies and only on traffic start them.
Move the rekey to yes always to avoid issues.
Per the dhcpd.conf man page and other documentation from ISC, mclt must not be defined on the secondary.
Escape the individual dnsmasq advanced/custom options
Do not try to rekey for IKEv1.
Use a uniqid() to track phase2 entries to avoid confusion and various mistakes when modifying and editing them.
Fix for #3785 - 'strongswan config being generated with ike SA lifetime set to value of ipsec SA lifetime'
Remove even the config.cache from /tmp to avoid issues while here
Fix #3781 - 'strongswan dpdtimeout value not generated correctly'
Fix for bug 3769
Fix #983 - Add IP aliases subnets to interface subnet macro on GUI, since I'm here also fix not rules for PPTP clients macro.
Concat var before call escapeshellarg
Make dhcpleases use unbound pid when it's configured
Fix shell script syntax, it should fix #3361
Detect when protocol changes and invalidate session to get a new cookie with secure flag set accordingly. It fixes #3714
Merge pull request #1247 from DasTestament/master
Use cron.pid to get pid number and avoid killing minicron processes. It fixes #3757
use HTTPS for files.pfsense.org for update_bogons and priv_url in pkg-utils
no () around qlength here
qlimit must be included here
Convert almost all /sbin/sysctl calls to php functions
Fix sysctl name
Add set_single_sysctl(), a wrapper to set_sysctl() to make it simple to set value of a single sysctl
Add get_single_sysctl(), a wrapper to get_sysctl() to make it simple to get value of a single sysctl
Remove extra spaces and tabs
Remove extra quote and fix syntax
use HTTPS for dyndns providers that support it