Correct the ipsec status pages to show proper information as needed.
Correct processing and assignment on ikeid variable so it does the right thing
Use proper path to setkey now that ipsec-tools are not used anymore
Correct the functions for returning tunnel status to use strongswan status reports
Allow HASH algorithms to be empty for phase2 in case the encryption one is AES-GCM
Add filter.so to list of extensions loaded for 2.2
Do not allow duplicate subnet entries on left|rightsubnet specification since it will blackhole all traffic to that subnet when connection is setup as route
Do not accept proposal out of that configured even for IKEv2 even though there is no possibility in the GUI to set more than one proposal for Phase1 so far.
Restore behaviour as with racoon to trigger tunnel startup from traffic that needs to go into the tunnel. Even related to Ticket #3806.
Do not show errors from trying to delete a socket or similar
rightsourceip must be used with PSK+Xauth.
This is required for PSK+Xauth. I'll commit that clarification in a bit.
Revert "Revert "Fix assignment of tunnel IPs to mobile clients.""
This reverts commit 23ba08fc940b711f3b44551199890dc8e28a63b6.
Revert "Fix assignment of tunnel IPs to mobile clients." This normally is not needed since the attr plugin deals with all this.
This reverts commit 00311d6a841c0f6fc162ea11da06569f10220f5e.
Actually disable this plugin for now. It was not really needed for solving the issues with IKEv1
Move dhcp6c log to dhcpd.log, it fixes #3799
Remove double defined 'localhost' on the list of networks to create outbound NAT rules. It should fix #3800
Do not create automatic outbound NAT rule for disabled openvpn servers and clients
Fix assignment of tunnel IPs to mobile clients.
Fix #3798 - 'IPsec phase 2 pinghost is not used if the source IP should be a virtual IP address'
Avoid a "Cannot use string offset as an array" error if the packages section of the config is missing.
Correct this so the dpdaction is created properly as restart
Do a reload on the configuration which is better than update. Also let the keyingtries to 3 rather than forever to avoid problems on recovery.
Change the logic of the vpn config generation to make connectivity more stable especially ipsec. Also for IKEv1 just generate the policies and only on traffic start them.
Move the rekey to yes always to avoid issues.
Per the dhcpd.conf man page and other documentation from ISC, mclt must not be defined on the secondary.
Escape the individual dnsmasq advanced/custom options
Do not try to rekey for IKEv1.
Use a uniqid() to track phase2 entries to avoid confusion and various mistakes when modifying and editing them.
Fix for #3785 - 'strongswan config being generated with ike SA lifetime set to value of ipsec SA lifetime'
Remove even the config.cache from /tmp to avoid issues while here
Fix #3781 - 'strongswan dpdtimeout value not generated correctly'
Fix for bug 3769
Fix #983 - Add IP aliases subnets to interface subnet macro on GUI, since I'm here also fix not rules for PPTP clients macro.
Concat var before call escapeshellarg
Make dhcpleases use unbound pid when it's configured
Fix shell script syntax, it should fix #3361
Detect when protocol changes and invalidate session to get a new cookie with secure flag set accordingly. It fixes #3714
Merge pull request #1247 from DasTestament/master
Use cron.pid to get pid number and avoid kill minicron processes. It fixes #3757
Don't use pfsense name in comment
Use $product instead of pfSense when logging the version to syslog
Log pfsense version to syslog after bootup
Make sure scripts have necessary attributes and use its shebang line instead of force sh to call it. This will help to prevent or workaround issues similar to #3749 in the future
In some cases, new /bin/sh binary doesn't work properly before reboot during an upgrade, and because of that /etc/rc.reboot is not executed and system doesn't reboot. Source /etc/rc.reboot instead of open a new sh session to avoid it happening again in future versions (ticket #3749)
use HTTPS for files.pfsense.org for update_bogons and priv_url in pkg-utils
no () around qlength here
qlimit must be included here
Convert almost all /sbin/sysctl calls to php functions
Fix sysctl name
Add set_single_sysctl(), a wrapper to set_sysctl() to make it simple to set value of a single sysctl
Add get_single_sysctl(), a wrapper to get_sysctl() to make it simple to get value of a single sysctl
Remove extra spaces and tabs
Remove extra quote and fix syntax
use HTTPS for dyndns providers that support it
Use a php function rather than using exec. Suggested-by: garga
Remove all .xml file generated from upgrade since it makes /var full
Add one more seatbelt to prevent tar to attempt to overwrite /dev items
Back to cons25 for now since we found some issues with xterm on serial console
un-obsolete gettytab.bak
Also check and verify the package server's SSL certificate if using HTTPS. Issue 484
Our current XMLRPC client version doesn't have support on its own to validate this in a way we can use to test in a usable for printing an error message. For now, a cURL query to the XMLRPC URL is used in its place.
More refinements to the unofficial package repository warning ( Issue #484 ) -- Now also shows on Dashboard and installed package list. Cleaned up some code and shuffled things around to avoid unnecessary repetition.
Set proper serial parameters on boot.config and loader.conf for nanobsd without vga
Detect if an unofficial package repository is in use and warn the user. Part of issue #484 (more to go)
Make proper checks to check if we should or not enable serial console
Fix typo on var name
Obsolete ttys_wrap and gettytab.bak
Fix #3647 and other improvements:
- Remove auto_login(), now gettytab is a constant file
- Add reload_ttys(), that will send a SIGHUP to init and make it reload /etc/ttys
- Change serial speed on /etc/ttys when necessary
- Change console and serial auto_login on /etc/ttys when necessary...
Stop restoring gettytab.bak since it doesn't exist anymore
Sync etc/ttys with FreeBSD 10-STABLE, change default console for al.Pc and default serial for al.115200
Sync gettytab with FreeBSD 10-STABLE, also reduce customizations, the only difference is al.Pc entry, for Pc with auto login
Remove unused function color()
Delete gettytab.bak and ttys_wrap, they are not needed anymore
fixes #3713
Fix #3725:
- Fix match_filter_field() and also simplify logic
- Fix $filterfieldsarray initialization
- Avoid to have double spaces on filterfieldsarray['act']
- Fix filter on Firewall Logs
Add a BETA key for PBI signature check, this will be replaced by the final one before RELEASE. Ticket #3365
Fix dir name
Set default serial speed to 115200 for 2.2, fixes #3715
Merge pull request #1238 from DasTestament/master
Add the AESGCM and XCBC on the list of algos available
Actually use ph1ent ikeid here otherwise will duplicate ids here.
Fix dscp values and provide a config upgrade to fix values stored in config.xml. This is a proper fix for #3688
Update openvpn.inc
Add local/www to the list of directories that needs to be symlink'd to reduce PBI differences between 2.1 and 2.2
Added verbosity check in case when verbosity_level is absent in config.xml
Removed unnecessary "else {";
Merge pull request #1239 from phil-davis/patch-9
Remove extra data after space and fix pf rule syntax. It should fix #3688
Replace some backticks by exec and simplify commands
Remove more backtick abuse
Add -n for 2 remaining sysctl calls, also replace backtick by exec
Add full path for dmesg and replace backtick by exec
Only include a scheduled rule if it is strictly before the end time
The exact moment of the end time is the end of the schedule. We do not want to include a rule when filter_configure_sync wakes up at 00:15:00 etc and is on a not-slow system that processes this code during the interval 00:15:00 to 00:15:01. This should help intermittent issues with schedules not finishing at the appropriate 15-minute boundary. Might help or fix #3558
Change the option for webconfig login autocomplete from opt-in to opt-out, also bump config version and write a function to keep the current status on upgrades
Always set httponly attribute on cookies
Add comment I forgot on last commit
Re-generate session ID on a successful login to avoid session fixation
patchpack1
- Fix #3401 (Added tun option "Disable IPv6")
- Added new options: route-nopull, route-noexec, verb;
Create some symlinks inside pbi dir to reduce differences between 2.1 and 2.2 and avoid the need to change a lot of PBI scripts
Avoid keeping old files from previous sessions on /tmp/configbak
cf/ dir is removed below, do not need to remove the file here