Correct the ipsec status pages to show proper information as needed.
Correct processing and assignment on ikeid variable so it does the right thing
Use proper path to setkey now that ipsec-tools are not used anymore
Correct the functions for returning tunnel status to use strongswan status reports
Allow HASH algorithms to be empty for phase2 in case the encryption one is AES-GCM
Do not allow duplicate subnet entries on left|rightsubnet specification since it will blackhole all traffic to that subnet when the connection is set up as route
Do not accept proposal out of that configured even for IKEv2 even though there is no possibility in the GUI to set more than one proposal for Phase1 so far.
Restore behaviour as with racoon to trigger tunnel startup from traffic that needs to go into the tunnel. Even related to Ticket #3806.
Do not show errors from trying to delete a socket or similar
rightsourceip must be used with PSK+Xauth.
This is required for PSK+Xauth. I'll commit that clarification in a bit.
Revert "Revert "Fix assignment of tunnel IPs to mobile clients.""
This reverts commit 23ba08fc940b711f3b44551199890dc8e28a63b6.
Revert "Fix assignment of tunnel IPs to mobile clients." This normally is not needed since the attr plugin deals with all this.
This reverts commit 00311d6a841c0f6fc162ea11da06569f10220f5e.
Actually disable this plugin for now. It was not really needed for solving the issues with IKEv1
Move dhcp6c log to dhcpd.log, it fixes #3799
Remove double defined 'localhost' on the list of networks to create outbound NAT rules. It should fix #3800
Do not create automatic outbound NAT rule for disabled openvpn servers and clients
Fix assignment of tunnel IPs to mobile clients.
Fix #3798 - 'IPsec phase 2 pinghost is not used if the source IP should be a virtual IP address'
Avoid a "Cannot use string offset as an array" error if the packages section of the config is missing.
Correct this so the dpdaction is created properly as restart
Do a reload on the configuration which is better than update. Also set keyingtries to 3 rather than forever to avoid problems on recovery.
Change the logic of the vpn config generation to make connectivity more stable especially ipsec. Also for IKEv1 just generate the policies and only on traffic start them.
Move the rekey to yes always to avoid issues.
Per the dhcpd.conf man page and other documentation from ISC, mclt must not be defined on the secondary.
Escape the individual dnsmasq advanced/custom options
Do not try to rekey for IKEv1.
Use a uniqid() to track phase2 entries to avoid confusion and various mistakes when modifying and editing them.
Fix for #3785 - 'strongswan config being generated with ike SA lifetime set to value of ipsec SA lifetime'
Remove even the config.cache from /tmp to avoid issues while here
Fix #3781 - 'strongswan dpdtimeout value not generated correctly'
Fix for bug 3769
Fix #983 - Add IP aliases subnets to interface subnet macro on GUI, since I'm here also fix not rules for PPTP clients macro.
Concat var before call escapeshellarg
Make dhcpleases use unbound pid when it's configured
Fix shell script syntax, it should fix #3361
Detect when protocol changes and invalidate session to get a new cookie with secure flag set accordingly. It fixes #3714
Merge pull request #1247 from DasTestament/master
Use cron.pid to get pid number and avoid kill minicron processes. It fixes #3757
use HTTPS for files.pfsense.org for update_bogons and priv_url in pkg-utils
no () around qlength here
qlimit must be included here
Convert almost all /sbin/sysctl calls to php functions
Fix sysctl name
Add set_single_sysctl(), a wrapper to set_sysctl() to make it simple to set value of a single sysctl
Add get_single_sysctl(), a wrapper to get_sysctl() to make it simple to get value of a single sysctl
Remove extra spaces and tabs
Remove extra quote and fix syntax
use HTTPS for dyndns providers that support it
Use a php function rather than using exec. Suggested-by: garga
Remove all .xml files generated from upgrade since it makes /var full
Back to cons25 for now since we found some issues with xterm on serial console
Also check and verify the package server's SSL certificate if using HTTPS. Issue 484
Our current XMLRPC client version doesn't have support on its own to validate this in a way we can use to test in a usable for printing an error message. For now, a cURL query to the XMLRPC URL is used in its place.
More refinements to the unofficial package repository warning ( Issue #484 ) -- Now also shows on Dashboard and installed package list. Cleaned up some code and shuffled things around to avoid unnecessary repetition.
Set proper serial parameters on boot.config and loader.conf for nanobsd without vga
Detect if an unofficial package repository is in use and warn the user. Part of issue #484 (more to go)
Make proper checks to check if we should or not enable serial console
Fix typo on var name
Fix #3647 and other improvements:
- Remove auto_login(), now gettytab is a constant file
- Add reload_ttys(), that will send a SIGHUP to init and make it reload /etc/ttys
- Change serial speed on /etc/ttys when necessary
- Change console and serial auto_login on /etc/ttys when necessary...
Remove unused function color()
fixes #3713
Fix #3725:
- Fix match_filter_field() and also simplify logic
- Fix $filterfieldsarray initialization
- Avoid to have double spaces on filterfieldsarray['act']
- Fix filter on Firewall Logs
Set default serial speed to 115200 for 2.2, fixes #3715
Merge pull request #1238 from DasTestament/master
Add the AESGCM and XCBC on the list of algos available
Actually use ph1ent ikeid here, otherwise it will duplicate ids here.
Fix dscp values and provide a config upgrade to fix values stored in config.xml. This is a proper fix for #3688
Update openvpn.inc
Add local/www to the list of directories that needs to be symlink'd to reduce PBI differences between 2.1 and 2.2
Added verbosity check in case when verbosity_level is absent in config.xml
Removed unnecessary "else {";
Merge pull request #1239 from phil-davis/patch-9
Remove extra data after space and fix pf rule syntax. It should fix #3688
Replace some backticks by exec and simplify commands
Remove more backtick abuse
Add -n for 2 remaining sysctl calls, also replace backtick by exec
Add full path for dmesg and replace backtick by exec
Only include a scheduled rule if it is strictly before the end time
The exact moment of the end time is the end of the schedule. We do not want to include a rule when filter_configure_sync wakes up at 00:15:00 etc and is on a not-slow system that processes this code during the interval 00:15:00 to 00:15:01. This should help intermittent issues with schedules not finishing at the appropriate 15-minute boundary. Might help or fix #3558
Change the option for webconfig login autocomplete from opt-in to opt-out, also bump config version and write a function to keep the current status on upgrades
Always set httponly attribute on cookies
Add comment I forgot on last commit
Re-generate session ID on a successful login to avoid session fixation
patchpack1
- Fix #3401 (Added tun option "Disable IPv6")
- Added new options: route-nopull, route-noexec, verb;
Create some symlinks inside pbi dir to reduce differences between 2.1 and 2.2 and avoid the need to change a lot of PBI scripts
Merge pull request #1034 from vsquared56/master
Replace Header() calls by lowercase
Merge pull request #1222 from phil-davis/patch-8
Bring the code of captiveportal up to speed with its module counterpart requirements
Fix i386 default URL for snapshots
Fix #3665, show IPSec tunnel description on status page
Fix #3702, make sure tunnel inside IP is set when interface changes
Fix #3700 and other syntax issues:
- Remove G parameter from pfctl since it doesn't exist anymore
- Initialize $old_router
- Fix sh syntax on variable assign, it couldn't have space before =
- Simplify logic
- Avoid flush states twice, if it was done on IP change, don't do it...
Add some protection to parameters that come through _GET
Allow the user to select "None" for OpenVPN client certificate, so long as they supply and auth user/pass. Ticket #3633
Silent pbi_info
Reduce possible noise
Handle firewall log filter regex input better bug #3689
If the user inputs an invalid regex in any of the filter fields, then a page full of "warning" messages appear in the GUI, about whatever is invalid.
If for some reason the user wants to match a forward slash somewhere, then they have to realize to escape it, doing "\/" instead of just "/". Be nice to this special case, because the user does not necessarily know that "/" is being used as the delimiter in the preg_match call. Turn "/" into "\/" (when the "\" is not already put in by the user)....
allow ipaliases to be configured on lo0
Fix variable name
remove openbgpd bits from system_gateways_edit and system.inc. The package match is case-sensitive and hasn't matched the openbgpd package's name in at least 5 years, so it doesn't do anything. It's far from functional in any useful manner even fixing that issue.
Bring in proper gmirror support for the GUI and notifications.
Made a general gmirror library to perform various gmirror tasks and get information, using some of the former widget logic to start. Updated widget to use this new code.
Added a Diag > GEOM Mirrors page that displays information about existing mirrors and perform various management tasks. Current actions include rebuilding a drive, forgetting disconnected mirror drives, insert/remove, deactivate/activate, clearing metadata. It's now possible to use the GUI to rebuild a failed mirror by performing a forget, then insert action to replace a missing/dead drive....