authorVinicius Coque <vinicius.coque@bluepex.com>2011-06-20 08:50:19 -0300
committerVinicius Coque <vinicius.coque@bluepex.com>2011-06-20 08:50:19 -0300
commitf0b17f3f7226f819c94dfab4c9abc0f3e4962152 (patch)
tree3118cd18bd89dd64cf991c1023099d63593ecedd /etc
parentd8012adbce60d9a90dac54e5b7832f8fa7e82fb6 (diff)
parent3745f21e2a9ccac1dadf78864ef65f2318ac919c (diff)
Merge remote-tracking branch 'mainline/master' into inc
Diffstat (limited to 'etc')
-rw-r--r--etc/ca_countries245
-rw-r--r--etc/inc/captiveportal.inc43
-rw-r--r--etc/inc/config.lib.inc4
-rw-r--r--etc/inc/dyndns.class2
-rw-r--r--etc/inc/filter.inc9
-rw-r--r--etc/inc/globals.inc2
-rw-r--r--etc/inc/interfaces.inc48
-rw-r--r--etc/inc/system.inc73
-rw-r--r--etc/inc/upgrade_config.inc11
-rw-r--r--etc/inc/util.inc35
-rw-r--r--etc/inc/voucher.inc48
-rw-r--r--etc/pfSense.obsoletedfiles3
-rwxr-xr-xetc/rc.filter_synchronize46
-rwxr-xr-xetc/rc.initial.setlanip2
-rwxr-xr-xetc/rc.newwanip2
-rwxr-xr-xetc/rc.php_ini_setup2
-rw-r--r--etc/version2
17 files changed, 476 insertions, 101 deletions
diff --git a/etc/ca_countries b/etc/ca_countries
new file mode 100644
index 0000000..291711c
--- /dev/null
+++ b/etc/ca_countries
@@ -0,0 +1,245 @@
+US United States of America
+CA Canada
+AX Aland Islands
+AD Andorra
+AE United Arab Emirates
+AF Afghanistan
+AG Antigua and Barbuda
+AI Anguilla
+AL Albania
+AM Armenia
+AN Netherlands Antilles
+AO Angola
+AQ Antarctica
+AR Argentina
+AS American Samoa
+AT Austria
+AU Australia
+AW Aruba
+AZ Azerbaijan
+BA Bosnia and Herzegovina
+BB Barbados
+BD Bangladesh
+BE Belgium
+BF Burkina Faso
+BG Bulgaria
+BH Bahrain
+BI Burundi
+BJ Benin
+BM Bermuda
+BN Brunei Darussalam
+BO Bolivia
+BR Brazil
+BS Bahamas
+BT Bhutan
+BV Bouvet Island
+BW Botswana
+BZ Belize
+CA Canada
+CC Cocos (Keeling) Islands
+CF Central African Republic
+CH Switzerland
+CI Cote D'Ivoire (Ivory Coast)
+CK Cook Islands
+CL Chile
+CM Cameroon
+CN China
+CO Colombia
+CR Costa Rica
+CS Czechoslovakia (former)
+CV Cape Verde
+CX Christmas Island
+CY Cyprus
+CZ Czech Republic
+DE Germany
+DJ Djibouti
+DK Denmark
+DM Dominica
+DO Dominican Republic
+DZ Algeria
+EC Ecuador
+EE Estonia
+EG Egypt
+EH Western Sahara
+ER Eritrea
+ES Spain
+ET Ethiopia
+FI Finland
+FJ Fiji
+FK Falkland Islands (Malvinas)
+FM Micronesia
+FO Faroe Islands
+FR France
+FX France, Metropolitan
+GA Gabon
+GB Great Britain (UK)
+GD Grenada
+GE Georgia
+GF French Guiana
+GG Guernsey
+GH Ghana
+GI Gibraltar
+GL Greenland
+GM Gambia
+GN Guinea
+GP Guadeloupe
+GQ Equatorial Guinea
+GR Greece
+GS S. Georgia and S. Sandwich Isls.
+GT Guatemala
+GU Guam
+GW Guinea-Bissau
+GY Guyana
+HK Hong Kong
+HM Heard and McDonald Islands
+HN Honduras
+HR Croatia (Hrvatska)
+HT Haiti
+HU Hungary
+ID Indonesia
+IE Ireland
+IL Israel
+IM Isle of Man
+IN India
+IO British Indian Ocean Territory
+IS Iceland
+IT Italy
+JE Jersey
+JM Jamaica
+JO Jordan
+JP Japan
+KE Kenya
+KG Kyrgyzstan
+KH Cambodia
+KI Kiribati
+KM Comoros
+KN Saint Kitts and Nevis
+KR Korea (South)
+KW Kuwait
+KY Cayman Islands
+KZ Kazakhstan
+LA Laos
+LC Saint Lucia
+LI Liechtenstein
+LK Sri Lanka
+LS Lesotho
+LT Lithuania
+LU Luxembourg
+LV Latvia
+LY Libya
+MA Morocco
+MC Monaco
+MD Moldova
+ME Montenegro
+MG Madagascar
+MH Marshall Islands
+MK Macedonia
+ML Mali
+MM Myanmar
+MN Mongolia
+MO Macau
+MP Northern Mariana Islands
+MQ Martinique
+MR Mauritania
+MS Montserrat
+MT Malta
+MU Mauritius
+MV Maldives
+MW Malawi
+MX Mexico
+MY Malaysia
+MZ Mozambique
+NA Namibia
+NC New Caledonia
+NE Niger
+NF Norfolk Island
+NG Nigeria
+NI Nicaragua
+NL Netherlands
+NO Norway
+NP Nepal
+NR Nauru
+NT Neutral Zone
+NU Niue
+NZ New Zealand (Aotearoa)
+OM Oman
+PA Panama
+PE Peru
+PF French Polynesia
+PG Papua New Guinea
+PH Philippines
+PK Pakistan
+PL Poland
+PM St. Pierre and Miquelon
+PN Pitcairn
+PR Puerto Rico
+PS Palestinian Territory
+PT Portugal
+PW Palau
+PY Paraguay
+QA Qatar
+RE Reunion
+RO Romania
+RS Serbia
+RU Russian Federation
+RW Rwanda
+SA Saudi Arabia
+SB Solomon Islands
+SC Seychelles
+SE Sweden
+SG Singapore
+SH St. Helena
+SI Slovenia
+SJ Svalbard and Jan Mayen Islands
+SK Slovak Republic
+SL Sierra Leone
+SM San Marino
+SN Senegal
+SR Suriname
+ST Sao Tome and Principe
+SU USSR (former)
+SV El Salvador
+SZ Swaziland
+TC Turks and Caicos Islands
+TD Chad
+TF French Southern Territories
+TG Togo
+TH Thailand
+TJ Tajikistan
+TK Tokelau
+TM Turkmenistan
+TN Tunisia
+TO Tonga
+TP East Timor
+TR Turkey
+TT Trinidad and Tobago
+TV Tuvalu
+TW Taiwan
+TZ Tanzania
+UA Ukraine
+UG Uganda
+UM US Minor Outlying Islands
+US United States
+UY Uruguay
+UZ Uzbekistan
+VA Vatican City State (Holy See)
+VC Saint Vincent and the Grenadines
+VE Venezuela
+VG Virgin Islands (British)
+VI Virgin Islands (U.S.)
+VN Viet Nam
+VU Vanuatu
+WF Wallis and Futuna Islands
+WS Samoa
+YE Yemen
+YT Mayotte
+ZA South Africa
+ZM Zambia
+COM US Commercial
+EDU US Educational
+GOV US Government
+INT International
+MIL US Military
+NET Network
+ORG Non-Profit Organization
+ARPA Old style Arpanet
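Review bot: The list repeats `US` and `CA` (once at the top, again in alphabetical position, with a different label for `US`) and ends with eight non-country codes, `COM` through `ARPA`. If this file feeds the Country field of the certificate manager, as the file name suggests, the three- and four-letter entries cannot be encoded as a two-letter X.509 countryName. A reader that keys on the code will also keep only one of the two `US` labels. Withdrawn codes such as `CS`, `SU`, `NT` and `FX` are offered as well; consider dropping the pseudo-codes, or documenting in the consumer that the first two lines are deliberate shortcuts.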
diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc
index 5d6074e..a6bdb33 100644
--- a/etc/inc/captiveportal.inc
+++ b/etc/inc/captiveportal.inc
@@ -652,6 +652,13 @@ function captiveportal_prune_old() {
* had a chance to iterate over all accounts.
*/
$unsetindexes = array();
+ $voucher_needs_sync = false;
+ /*
+ * Snapshot the time here to use for calculation to speed up the process.
+ * If something is missed next run will catch it!
+ */
+ $pruning_time = time();
+ $stop_time = $pruning_time;
foreach ($cpdb as $cpentry) {
$timedout = false;
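Review bot: `$stop_time = $pruning_time;` is set once before the `foreach`, but the idle-timeout branch later in this function assigns `$stop_time = $lastact;` and nothing visible resets it for the next entry. After one idle-timed-out session, later sessions pruned in the same run for Session-Timeout would then appear to be reported with the previous user's last-activity time as their stop time. Moving the assignment into the loop body, next to `$timedout = false;`, keeps the accounting value per entry. The loop body continues outside this hunk, so confirm that no reset exists further down.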
@@ -659,7 +666,7 @@ function captiveportal_prune_old() {
/* hard timeout? */
if ($timeout) {
- if ((time() - $cpentry[0]) >= $timeout) {
+ if (($pruning_time - $cpentry[0]) >= $timeout) {
$timedout = true;
$term_cause = 5; // Session-Timeout
}
@@ -667,7 +674,7 @@ function captiveportal_prune_old() {
/* Session-Terminate-Time */
if (!$timedout && !empty($cpentry[9])) {
- if (time() >= $cpentry[9]) {
+ if ($pruning_time >= $cpentry[9]) {
$timedout = true;
$term_cause = 5; // Session-Timeout
}
@@ -682,7 +689,7 @@ function captiveportal_prune_old() {
* We "fix" this by setting lastact to the login timestamp.
*/
$lastact = $lastact ? $lastact : $cpentry[0];
- if ($lastact && ((time() - $lastact) >= $uidletimeout)) {
+ if ($lastact && (($pruning_time - $lastact) >= $uidletimeout)) {
$timedout = true;
$term_cause = 4; // Idle-Timeout
$stop_time = $lastact; // Entry added to comply with WISPr
@@ -691,15 +698,16 @@ function captiveportal_prune_old() {
/* if vouchers are configured, activate session timeouts */
if (!$timedout && isset($config['voucher']['enable']) && !empty($cpentry[7])) {
- if (time() >= ($cpentry[0] + $cpentry[7])) {
+ if ($pruning_time >= ($cpentry[0] + $cpentry[7])) {
$timedout = true;
$term_cause = 5; // Session-Timeout
+ $voucher_needs_sync = true;
}
}
/* if radius session_timeout is enabled and the session_timeout is not null, then check if the user should be logged out */
if (!$timedout && isset($config['captiveportal']['radiussession_timeout']) && !empty($cpentry[7])) {
- if (time() >= ($cpentry[0] + $cpentry[7])) {
+ if ($pruning_time >= ($cpentry[0] + $cpentry[7])) {
$timedout = true;
$term_cause = 5; // Session-Timeout
}
@@ -762,6 +770,10 @@ function captiveportal_prune_old() {
}
}
+ if ($voucher_needs_sync == true)
+ /* Triger a sync of the vouchers on config */
+ send_event("service sync vouchers");
+
/* write database */
if (!empty($unsetindexes))
captiveportal_write_db($cpdb, false, $unsetindexes);
@@ -814,7 +826,7 @@ function captiveportal_disconnect($dbent, $radiusservers,$term_cause = 1,$stop_t
$syncport = $config['voucher']['vouchersyncport'];
$syncpass = $config['voucher']['vouchersyncpass'];
$vouchersyncusername = $config['voucher']['vouchersyncusername'];
- $remote_status = xmlrpc_sync_voucher_disconnect($dben, $syncip, $syncport, $syncpass, $vouchersyncusername, $term_cause, $stop_time);
+ $remote_status = xmlrpc_sync_voucher_disconnect($dbent, $syncip, $syncport, $syncpass, $vouchersyncusername, $term_cause, $stop_time);
}
}
@@ -1195,7 +1207,7 @@ function radius($username,$password,$clientip,$clientmac,$type) {
}
/* read captive portal DB into array */
-function captiveportal_read_db($locked = false) {
+function captiveportal_read_db($locked = false, $index = 5 /* sessionid by default */) {
global $g;
$cpdb = array();
@@ -1209,7 +1221,7 @@ function captiveportal_read_db($locked = false) {
if ($line) {
$cpe = explode(",", $line);
/* Hash by session id */
- $cpdb[$cpe[5]] = $cpe;
+ $cpdb[$cpe[$index]] = $cpe;
}
}
fclose($fd);
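Review bot: `$cpdb[$cpe[$index]] = $cpe;` silently overwrites earlier rows when the chosen column is not unique, and the comment above it still reads `/* Hash by session id */`. With `$index = 4` (the username column, which voucher_expire() in etc/inc/voucher.inc now requests) two sessions that share one voucher collapse into a single entry, so only the last one would be found and disconnected on a forced expiry. Document that callers must pick a unique column, or collect rows per key when `$index` is not 5. At minimum change the comment to `/* Hash by the requested column (session id by default) */`. The function body starts and ends outside this hunk.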
@@ -1229,8 +1241,12 @@ function captiveportal_write_db($cpdb, $locked = false, $remove = false) {
if (is_array($remove)) {
if (!empty($remove)) {
$cpdb = captiveportal_read_db(true);
- foreach ($remove as $key)
- unset($cpdb[$key]);
+ foreach ($remove as $key) {
+ if (is_array($key))
+ log_error("Captive portal Array passed as unset index: " . print_r($key, true));
+ else
+ unset($cpdb[$key]);
+ }
} else
return; //This makes sure no record removal calls
}
@@ -1609,6 +1625,9 @@ function portal_allow($clientip,$clientmac,$username,$password = null, $attribut
}
}
+ /* Snaphost the timestamp */
+ $allow_time = time();
+
foreach ($cpdb as $sid => $cpentry) {
/* on the same ip */
if($cpentry[2] == $clientip) {
@@ -1619,7 +1638,7 @@ function portal_allow($clientip,$clientmac,$username,$password = null, $attribut
elseif (($attributes['voucher']) && ($username != 'unauthenticated') && ($cpentry[4] == $username)) {
// user logged in with an active voucher. Check for how long and calculate
// how much time we can give him (voucher credit - used time)
- $remaining_time = $cpentry[0] + $cpentry[7] - time();
+ $remaining_time = $cpentry[0] + $cpentry[7] - $allow_time;
if ($remaining_time < 0) // just in case.
$remaining_time = 0;
@@ -1713,7 +1732,7 @@ function portal_allow($clientip,$clientmac,$username,$password = null, $attribut
/* encode password in Base64 just in case it contains commas */
$bpassword = base64_encode($password);
- $cpdb[] = array(time(), $ruleno, $clientip, $clientmac, $username, $sessionid, $bpassword,
+ $cpdb[] = array($allow_time, $ruleno, $clientip, $clientmac, $username, $sessionid, $bpassword,
$attributes['session_timeout'], $attributes['idle_timeout'], $attributes['session_terminate_time']);
/* rewrite information to database */
diff --git a/etc/inc/config.lib.inc b/etc/inc/config.lib.inc
index 7232d14..d5e0f62 100644
--- a/etc/inc/config.lib.inc
+++ b/etc/inc/config.lib.inc
@@ -342,8 +342,10 @@ function conf_mount_rw() {
function conf_mount_ro() {
global $g;
+ /* Do not trust $g['platform'] since this can be clobbered during factory reset. */
+ $platform = trim(file_get_contents("/etc/platform"));
/* do not umount on cdrom or pfSense platforms */
- if($g['platform'] == "cdrom" or $g['platform'] == "pfSense")
+ if($platform == "cdrom" or $platform == "pfSense")
return;
if($g['booting'])
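Review bot: The result of `file_get_contents("/etc/platform")` is not checked. If the file is missing or unreadable it returns false, `trim()` turns that into an empty string, and the cdrom/pfSense early return is skipped, so the function continues to the remount path on exactly the platforms it is meant to leave alone. A fallback keeps the old behaviour in that case: `if ($platform == "") $platform = $g['platform'];`. The rest of conf_mount_ro() is outside this hunk.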
diff --git a/etc/inc/dyndns.class b/etc/inc/dyndns.class
index 07fdf95..340fbc1 100644
--- a/etc/inc/dyndns.class
+++ b/etc/inc/dyndns.class
@@ -408,7 +408,7 @@
* Private Function (added 12 July 2005) [beta]
* Retrieve Update Status
*/
- function _checkStatus($data) {
+ function _checkStatus($ch, $data) {
log_error("DynDns: DynDns _checkStatus() starting.");
log_error("DynDns: Current Service: {$this->_dnsService}");
$successful_update = false;
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index e5bc59a..3ca5d3d 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -505,11 +505,13 @@ function filter_expand_alias($alias_name)
}
function filter_generate_aliases() {
- global $config, $FilterIflist;
+ global $config, $FilterIflist, $after_filter_configure_run;
+
if(isset($config['system']['developerspew'])) {
$mt = microtime();
echo "filter_generate_aliases() being called $mt\n";
}
+
$alias = "#System aliases\n ";
$aliases = "loopback = \"{ lo0 }\"\n";
@@ -555,9 +557,10 @@ function filter_generate_aliases() {
case "network":
case "url":
$tableaddrs = "{$addrlist}{$extralias}";
- if(empty($tableaddrs))
+ if(empty($tableaddrs)) {
$aliases .= "table <{$aliased['name']}> persist\n";
- else
+ $after_filter_configure_run[] = "/sbin/pfctl -T flush -t " . escapeshellarg($aliased['name']);
+ } else
$aliases .= "table <{$aliased['name']}> { {$addrlist}{$extralias} } \n";
$aliases .= "{$aliased['name']} = \"<{$aliased['name']}>\"\n";
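Review bot: The queued flush command quotes the alias name with `escapeshellarg()`, but the same `$aliased['name']` is interpolated unquoted into the pf ruleset text on the neighbouring lines (`table <{$aliased['name']}> persist`). That is safe only if alias names are validated where they are saved, which this hunk does not show; a one-line comment stating that assumption would help the next reader. On style, the `if (...) { ... } else` now has braces on one arm only, and bracing the `else` arm too avoids a dangling statement when a second line is added later.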
diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc
index 6993148..3bd0de2 100644
--- a/etc/inc/globals.inc
+++ b/etc/inc/globals.inc
@@ -91,7 +91,7 @@ $g = array(
"disablecrashreporter" => false,
"crashreporterurl" => "http://crashreporter.pfsense.org/crash_reporter.php",
"debug" => false,
- "latest_config" => "7.9",
+ "latest_config" => "8.0",
"nopkg_platforms" => array("cdrom"),
"minimum_ram_warning" => "101",
"minimum_ram_warning_text" => "128 MB",
diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc
index 1858be4..0fe6bfc 100644
--- a/etc/inc/interfaces.inc
+++ b/etc/inc/interfaces.inc
@@ -84,6 +84,46 @@ function does_interface_exist($interface) {
return false;
}
+/*
+ * does_vip_exist($vip): return true or false if a vip is
+ * configured.
+ */
+function does_vip_exist($vip) {
+ global $config;
+
+ if(!$vip)
+ return false;
+
+
+ switch ($vip['mode']) {
+ case "carp":
+ case "carpdev":
+ $realif = "vip{$vip['vhid']}";
+ if (!does_interface_exist($realif)) {
+ return false;
+ }
+ break;
+ case "ipalias":
+ $realif = get_real_interface($vip['interface']);
+ if (!does_interface_exist($realif)) {
+ return false;
+ }
+ break;
+ case "proxyarp":
+ /* XXX: Implement this */
+ default:
+ return false;
+ }
+
+ $ifacedata = pfSense_getall_interface_addresses($realif);
+ foreach ($ifacedata as $vipips) {
+ if ($vipips == "{$vip['subnet']}/{$vip['subnet_bits']}")
+ return true;
+ }
+
+ return false;
+}
+
function interface_netgraph_needed($interface = "wan") {
global $config;
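Review bot: In does_vip_exist() the return value of `pfSense_getall_interface_addresses($realif)` is iterated without checking that it is an array, and `$vip` is only tested for truthiness before `$vip['mode']` is read. A failed lookup or a non-array argument therefore raises warnings instead of returning false; `if (!is_array($ifacedata)) return false;` before the `foreach` and `if (!is_array($vip))` at the top would cover both. `global $config;` is unused in the function and can be dropped. The `"proxyarp"` case falls through to `default` on purpose, which a `/* fall through */` next to the XXX comment would make explicit.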
@@ -3277,8 +3317,12 @@ function link_interface_to_vips($int, $action = "") {
foreach ($config['virtualip']['vip'] as $vip) {
if ($int == $vip['interface']) {
if ($action == "update") {
- interface_vip_bring_down($vip);
- interfaces_vips_configure($int);
+ if ($vip['mode'] == "carp" && !does_interface_exist("vip{$vip['vhid']}"))
+ interfaces_vips_configure($int);
+ else {
+ interface_vip_bring_down($vip);
+ interfaces_vips_configure($int);
+ }
} else
return $vip;
}
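Review bot: The new short-circuit tests only `$vip['mode'] == "carp"`, while does_vip_exist(), added earlier in this same file, treats both "carp" and "carpdev" as living on `vip{$vip['vhid']}`. If carpdev VIPs should also skip the bring-down when that interface is absent, the condition needs `in_array($vip['mode'], array("carp", "carpdev"))`; if not, a comment should say why the modes differ. Both arms end in `interfaces_vips_configure($int);`, so the branch can be reduced to a guarded `interface_vip_bring_down($vip);` followed by the single configure call. The enclosing function starts and ends outside this hunk.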
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index bf69eda..f427cec 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -86,7 +86,9 @@ function system_resolvconf_generate($dynupdate = false) {
$syscfg = $config['system'];
- $resolvconf = "domain {$syscfg['domain']}\n";
+ // Do not create blank domain lines, it breaks tools like dig.
+ if($syscfg['domain'])
+ $resolvconf = "domain {$syscfg['domain']}\n";
$havedns = false;
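Review bot: `$resolvconf` is now assigned only when a domain is configured, so with an empty domain the variable is undefined by the time the rest of the function appends nameserver lines to it (those appends are outside this hunk, so this is inferred). Initialise it unconditionally and append the domain line: `$resolvconf = "";` followed by `if (!empty($syscfg['domain'])) $resolvconf .= "domain {$syscfg['domain']}\n";`. The domain string is written to resolv.conf verbatim, so it is presumably validated when it is saved.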
@@ -739,8 +741,10 @@ function system_webgui_start() {
}
/* generate lighttpd configuration */
+ $max_procs = ($config['system']['webgui']['max_procs']) ? $config['system']['webgui']['max_procs'] : 2;
system_generate_lighty_config("{$g['varetc_path']}/lighty-webConfigurator.conf",
- $crt, $key, $ca, "lighty-webConfigurator.pid", $portarg, "/usr/local/www/");
+ $crt, $key, $ca, "lighty-webConfigurator.pid", $portarg, "/usr/local/www/",
+ "cert.pem", "ca.pem", $max_procs);
/* attempt to start lighthttpd */
$res = mwexec("/usr/local/sbin/lighttpd -f {$g['varetc_path']}/lighty-webConfigurator.conf");
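Review bot: `$config['system']['webgui']['max_procs']` is taken from the configuration unvalidated and handed to system_generate_lighty_config(), which, in the later hunks of this file, interpolates it into the lighttpd configuration as `"max-procs" => {$max_procs}` and `PHP_FCGI_CHILDREN`. A non-numeric or very large value arriving through a restored or synchronised configuration would yield a web GUI configuration that fails to parse or spawns an excessive number of PHP processes. Coerce it before use, for example `$max_procs = is_numeric($cfg_procs) ? max(1, intval($cfg_procs)) : 2;` with `$cfg_procs` read from the config key, and cap it at a documented upper bound.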
@@ -820,6 +824,7 @@ function system_generate_lighty_config($filename,
}
// Ramp up captive portal max procs
+ // Work relative to the default of 2, for values that would be >2.
if($captive_portal == true) {
if($avail > 65 and $avail < 98) {
$max_procs = 1;
@@ -828,38 +833,38 @@ function system_generate_lighty_config($filename,
$max_procs = 2;
}
if($avail > 127 and $avail < 256) {
- $max_procs = 3;
+ $max_procs += 1;
}
if($avail > 255 and $avail < 384) {
- $max_procs = 4;
+ $max_procs += 2;
}
if($avail > 383) {
- $max_procs = 5;
+ $max_procs += 3;
}
}
if($captive_portal == true) {
$bin_environment = <<<EOC
- "bin-environment" => (
- "PHP_FCGI_CHILDREN" => "$max_procs",
- "PHP_FCGI_MAX_REQUESTS" => "500"
- ),
+ "bin-environment" => (
+ "PHP_FCGI_CHILDREN" => "$max_procs",
+ "PHP_FCGI_MAX_REQUESTS" => "500"
+ ),
EOC;
} else if ($avail > 0 and $avail < 128) {
$bin_environment = <<<EOC
- "bin-environment" => (
- "PHP_FCGI_CHILDREN" => "$max_procs",
- "PHP_FCGI_MAX_REQUESTS" => "2",
- ),
+ "bin-environment" => (
+ "PHP_FCGI_CHILDREN" => "$max_procs",
+ "PHP_FCGI_MAX_REQUESTS" => "2",
+ ),
EOC;
} else
$bin_environment = <<<EOC
- "bin-environment" => (
- "PHP_FCGI_CHILDREN" => "$max_procs",
- "PHP_FCGI_MAX_REQUESTS" => "500"
- ),
+ "bin-environment" => (
+ "PHP_FCGI_CHILDREN" => "$max_procs",
+ "PHP_FCGI_MAX_REQUESTS" => "500"
+ ),
EOC;
if($fast_cgi_enable == true) {
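Review bot: The captive-portal ramp now mixes absolute and relative assignments. The two low-memory branches still set `$max_procs = 1;` and `$max_procs = 2;`, discarding the caller's value, while the three higher tiers add 1, 2 or 3 to whatever was passed in. With a caller-supplied value above 2 the result has no ceiling, and the added comment `// Work relative to the default of 2, for values that would be >2.` does not explain why the low tiers override it. Either state that low-memory systems deliberately ignore the parameter, or clamp the final value once after the ramp. The function begins outside this hunk.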
@@ -874,7 +879,7 @@ fastcgi.server = ( ".php" =>
"socket" => "{$g['tmp_path']}/php-fastcgi.socket",
"min-procs" => 0,
"max-procs" => {$max_procs},
- {$bin_environment}
+{$bin_environment}
"bin-path" => "/usr/local/bin/php"
)
)
@@ -1171,9 +1176,16 @@ function system_ntp_configure() {
$xmlsettings = $config['installedpackages']['openntpd']['config'][0];
if ($xmlsettings['enable'] == 'on') {
$ifaces = explode(',', $xmlsettings['interface']);
- $ifaces = array_map('get_real_interface', $ifaces);
- $ifaces = array_filter($ifaces, 'does_interface_exist');
- $ips = array_map('find_interface_ip', $ifaces);
+ $ips = array();
+ foreach ($ifaces as $if) {
+ if (is_ipaddr($if)) {
+ $ips[] = $if;
+ } else {
+ $if = get_real_interface($if);
+ if (does_interface_exist($if))
+ $ips[] = find_interface_ip($if);
+ }
+ }
foreach ($ips as $ip) {
if (is_ipaddr($ip))
$ntpcfg .= "listen on $ip\n";
@@ -1494,4 +1506,23 @@ function system_get_dmesg_boot() {
return file_get_contents("{$g['varlog_path']}/dmesg.boot");
}
+function openntpd_get_listen_ips() {
+ $interfaces = get_configured_interface_with_descr();
+ $carplist = get_configured_carp_interface_list();
+ $listenips = array();
+ foreach ($carplist as $cif => $carpip)
+ $interfaces[$cif] = $carpip." (".get_vip_descr($carpip).")";
+ $aliaslist = get_configured_ip_aliases_list();
+ foreach ($aliaslist as $aliasip => $aliasif)
+ $interfaces[$aliasip] = $aliasip." (".get_vip_descr($aliasip).")";
+ foreach ($interfaces as $iface => $ifacename) {
+ $tmp["name"] = $ifacename;
+ $tmp["value"] = $iface;
+ $listenips[] = $tmp;
+ }
+ $tmp["name"] = "Localhost";
+ $tmp["value"] = "lo0";
+ $listenips[] = $tmp;
+ return $listenips;
+}
?>
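Review bot: openntpd_get_listen_ips() is added without a header comment, and `$tmp` is reused across loop iterations without ever being initialised. A docblock should state that it returns a list of `array("name" => ..., "value" => ...)` entries covering configured interfaces, CARP VIPs, IP aliases and `lo0`. It should also say that `value` is either an interface name or an IP address, which is why system_ntp_configure() in this file now tests `is_ipaddr($if)` first. Building each entry directly, `$listenips[] = array("name" => $ifacename, "value" => $iface);`, removes the shared temporary.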
diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc
index 714e11d..e7e632a 100644
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
@@ -2497,4 +2497,15 @@ function upgrade_078_to_079() {
unlink_if_exists("{$g['vardb_path']}/rrd/captiveportal-totalusers.rrd");
}
+function upgrade_079_to_080() {
+ global $config;
+
+ /* Upgrade config in 1.2.3 specifying a username other than admin for synching. */
+ if (!empty($config['system']['username']) && is_array($config['installedpackages']['carpsettings']) &&
+ is_array($config['installedpackages']['carpsettings']['config'])) {
+ $config['installedpackages']['carpsettings']['config'][0]['username'] = $config['system']['username'];
+ unset($config['system']['username']);
+ }
+}
+
?>
diff --git a/etc/inc/util.inc b/etc/inc/util.inc
index b353004..e27c1b0 100644
--- a/etc/inc/util.inc
+++ b/etc/inc/util.inc
@@ -1250,29 +1250,30 @@ function is_interface_vlan_mismatch() {
}
function is_interface_mismatch() {
- global $config, $g;
+ global $config, $g;
- /* XXX: Should we process only enabled interfaces?! */
- $do_assign = false;
- $i = 0;
+ $do_assign = false;
+ $i = 0;
if (is_array($config['interfaces'])) {
- foreach ($config['interfaces'] as $ifname => $ifcfg) {
- if (preg_match("/^enc|^cua|^tun|^l2tp|^pptp|^ppp|^ovpn|^gif|^gre|^lagg|^bridge|vlan|_wlan/i", $ifcfg['if'])) {
- $i++;
- }
- else if (does_interface_exist($ifcfg['if']) == false) {
+ foreach ($config['interfaces'] as $ifname => $ifcfg) {
+ if (preg_match("/^enc|^cua|^tun|^l2tp|^pptp|^ppp|^ovpn|^gif|^gre|^lagg|^bridge|vlan|_wlan/i", $ifcfg['if'])) {
+ // Do not check these interfaces.
+ $i++;
+ continue;
+ }
+ else if (does_interface_exist($ifcfg['if']) == false) {
$do_assign = true;
- } else
- $i++;
- }
+ } else
+ $i++;
+ }
}
- if ($g['minimum_nic_count'] > $i) {
- $do_assign = true;
- } else if (file_exists("{$g['tmp_path']}/assign_complete"))
- $do_assign = false;
+ if ($g['minimum_nic_count'] > $i) {
+ $do_assign = true;
+ } else if (file_exists("{$g['tmp_path']}/assign_complete"))
+ $do_assign = false;
- return $do_assign;
+ return $do_assign;
}
/* sync carp entries to other firewalls */
diff --git a/etc/inc/voucher.inc b/etc/inc/voucher.inc
index dda49d2..d50269f 100644
--- a/etc/inc/voucher.inc
+++ b/etc/inc/voucher.inc
@@ -29,7 +29,7 @@
*/
/*
- pfSense_BUILDER_BINARIES: /usr/local/bin/voucher /usr/local/bin/minicron
+ pfSense_BUILDER_BINARIES: /usr/local/bin/voucher
pfSense_MODULE: captiveportal
*/
@@ -213,6 +213,9 @@ function voucher_expire($voucher_received) {
$a_vouchers_received = split("[\t\n\r ]+",$voucher_received);
$active_dirty = false;
+ $cpdb = captiveportal_read_db(false, 4); /* Indexed by Voucher */
+ $unsetindexes[] = array();
+
// go through all received vouchers, check their valid and extract
// Roll# and Ticket# using the external readvoucher binary
foreach ($a_vouchers_received as $voucher) {
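Review bot: `$unsetindexes[] = array();` appends an empty array as element 0 instead of initialising the list. As a result `!empty($unsetindexes)` at the end of voucher_expire() is always true, and captiveportal_write_db() is called on every invocation with an array as its first removal key. That is the case the new `log_error("Captive portal Array passed as unset index: ...")` branch in captiveportal.inc ends up reporting. The line should read `$unsetindexes = array();`. The `/* Indexed by Voucher */` comment also depends on the voucher code being stored in column 4, the username column, which is worth spelling out.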
@@ -242,6 +245,15 @@ function voucher_expire($voucher_received) {
if (!(ord($bitstring[$roll][$pos]) & $mask))
$bitstring[$roll][$pos] = chr(ord($bitstring[$roll][$pos]) | $mask);
captiveportal_syslog("{$voucher} ({$roll}/{$nr}) forced to expire");
+
+ /* Check if this voucher has any active sessions */
+ if (isset($cpdb[$voucher])) {
+ $cpentry = $cpdb[$voucher];
+ captiveportal_disconnect($cpentry,null,13);
+ captiveportal_logportalauth($cpentry[4],$cpentry[3],$cpentry[2],"FORCLY TERMINATING VOUCHER {$voucher} SESSION");
+ unset($cpdb[$voucher]);
+ $unsetindexes[] = $cpentry[5];
+ }
} else
captiveportal_syslog("$voucher ($roll/$nr): not found on any registererd Roll");
} else
@@ -253,6 +265,9 @@ function voucher_expire($voucher_received) {
if ($active_dirty == true) {
foreach ($active_vouchers as $roll => $active)
voucher_write_active_db($roll, $active);
+
+ /* Triger a sync of the vouchers on config */
+ send_event("service sync vouchers");
}
// Write back the used DB's
@@ -269,6 +284,10 @@ function voucher_expire($voucher_received) {
unlock($voucherlck);
+ /* Write database */
+ if (!empty($unsetindexes))
+ captiveportal_write_db($cpdb, false, $unsetindexes);
+
return true;
}
@@ -424,6 +443,9 @@ function voucher_auth($voucher_received, $test = 0) {
$active_vouchers[$first_voucher_roll][$first_voucher] = "$timestamp,$minutes";
voucher_write_active_db($roll, $active_vouchers[$first_voucher_roll]);
+ /* Triger a sync of the vouchers on config */
+ send_event("service sync vouchers");
+
unlock($voucherlck);
return $total_minutes;
@@ -432,9 +454,6 @@ function voucher_auth($voucher_received, $test = 0) {
function voucher_configure($sync = false) {
global $config, $g;
- /* kill any running minicron */
- killbypid("{$g['varrun_path']}/vouchercron.pid");
-
if (!isset($config['voucher']['enable']))
return 0;
@@ -443,15 +462,6 @@ function voucher_configure($sync = false) {
if ($sync == true)
captiveportal_syslog("Writing voucher db from sync data...");
- // start cron if we're asked to save runtime DB periodically
- // to XML config if it changed
- $croninterval = $config['voucher']['saveinterval'] * 60; // need seconds. Config has minutes
- if ($croninterval) {
- /* start pruning process (interval defaults to 60 seconds) */
- mwexec("/usr/local/bin/minicron $croninterval {$g['varrun_path']}/vouchercron.pid " .
- "/etc/rc.savevoucher");
- }
-
$voucherlck = lock('voucher', LOCK_EX);
/* write public key used to verify vouchers */
@@ -548,8 +558,12 @@ function voucher_read_active_db($roll) {
}
}
fclose($fd);
- if ($dirty) // if we found expired entries, lets save our snapshot
+ if ($dirty) { // if we found expired entries, lets save our snapshot
voucher_write_active_db($roll, $active);
+
+ /* Triger a sync of the vouchers on config */
+ send_event("service sync vouchers");
+ }
}
}
return $active;
@@ -620,12 +634,12 @@ function voucher_log($priority, $message) {
}
/* Save active and used voucher DB into XML config and write it to flash
- * Called during reboot -> system_reboot_cleanup() and minicron
+ * Called during reboot -> system_reboot_cleanup() and every active voucher change
*/
function voucher_save_db_to_config() {
global $config, $g;
- if (!isset($config['voucher']['enable']) || $config['voucher']['saveinterval'] == 0)
+ if (!isset($config['voucher']['enable']))
return; // no vouchers or don't want to save DB's
$voucherlck = lock('voucher', LOCK_EX);
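Review bot: Removing the `$config['voucher']['saveinterval'] == 0` guard, together with the `send_event("service sync vouchers")` calls added throughout this file, means each voucher login, forced expiry or pruned entry can now end in `write_config()`. Previously the write was rate-limited by minicron, or disabled with an interval of 0. On flash-based installs a burst of voucher activity then translates directly into configuration writes; this is inferred from the hunks, since the event handler itself is not shown. Consider coalescing sync events, or keep honouring `saveinterval == 0` as an opt-out. The trailing comment `// no vouchers or don't want to save DB's` is now only half true.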
@@ -653,7 +667,7 @@ function voucher_save_db_to_config() {
unlock($voucherlck);
- write_config();
+ write_config("Synching vouchers");
return;
}
diff --git a/etc/pfSense.obsoletedfiles b/etc/pfSense.obsoletedfiles
index a5857ce..d2ce3c1 100644
--- a/etc/pfSense.obsoletedfiles
+++ b/etc/pfSense.obsoletedfiles
@@ -46,6 +46,7 @@
/usr/local/www/fred.png
/usr/local/www/index.html
/usr/local/www/system_usermanager_addcert.php
+/usr/local/www/filter_log.inc
/usr/local/pkg/routed/routed.inc
/usr/local/pkg/routed/routed.xml
-/usr/local/www/filter_log.inc \ No newline at end of file
+/usr/local/pkg/carp.xml
diff --git a/etc/rc.filter_synchronize b/etc/rc.filter_synchronize
index af0e5cc..fe8a30f 100755
--- a/etc/rc.filter_synchronize
+++ b/etc/rc.filter_synchronize
@@ -87,7 +87,7 @@ function remove_special_characters($string) {
return $string;
}
-function carp_check_version($url, $password, $port = 80, $method = 'pfsense.host_firmware_version') {
+function carp_check_version($url, $username, $password, $port = 80, $method = 'pfsense.host_firmware_version') {
global $config, $g;
if(file_exists("{$g['varrun_path']}/booting") || $g['booting'])
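Review bot: `$username` is inserted as the second positional parameter of carp_check_version(), and of carp_sync_xml() further down. Any caller still using the old argument order would therefore send the password as the user name and the port as the password, with no error until authentication fails on the peer. The call sites in this file are updated, but callers elsewhere, such as packages, are not visible here. Appending the parameter with a default, `..., $method = 'pfsense.host_firmware_version', $username = "admin")`, would have kept old callers working.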
@@ -101,10 +101,8 @@ function carp_check_version($url, $password, $port = 80, $method = 'pfsense.host
while ($numberofruns < 2) {
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
- /* XXX: Configurable from the GUI?! */
- $username = "admin";
$cli->setCredentials($username, $password);
- if($numberofruns > 1)
+ if($numberofruns > 0)
$cli->setDebug(1);
/* send our XMLRPC message and timeout after 240 seconds */
$resp = $cli->send($msg, "240");
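Review bot: `if($numberofruns > 0) $cli->setDebug(1);` now turns on XML-RPC client debugging for the retry, where the old `> 1` test could never fire inside `while ($numberofruns < 2)`. The PEAR XML_RPC client's debug mode typically prints the raw exchange. In carp_sync_xml(), which gets the same change further down, the request carries configuration sections that with this commit include the `user` and `group` records. Check where that output ends up (console, a log, a web response) and that it is not retained somewhere readable by non-administrators. A comment that debug on retry is intentional would also help, since the previous condition made it look like dead code.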
@@ -138,7 +136,7 @@ function carp_check_version($url, $password, $port = 80, $method = 'pfsense.host
return false;
}
-function carp_sync_xml($url, $password, $sections, $port = 80, $method = 'pfsense.restore_config_section') {
+function carp_sync_xml($url, $username, $password, $sections, $port = 80, $method = 'pfsense.restore_config_section') {
global $config, $g;
if(file_exists("{$g['varrun_path']}/booting") || $g['booting'])
@@ -151,11 +149,11 @@ function carp_sync_xml($url, $password, $sections, $port = 80, $method = 'pfsens
/* strip out nosync items */
if (is_array($config_copy['nat']['advancedoutbound']['rule'])) {
- $rulescnt = count($config_copy['nat']['advancedoutbound']['rule']);
- for ($x = 0; $x < $rulescnt; $x++) {
- $config_copy['nat']['advancedoutbound']['rule'][$x]['descr'] = remove_special_characters($config_copy['nat']['advancedoutbound']['rule'][$x]['descr']);
- if (isset ($config_copy['nat']['advancedoutbound']['rule'][$x]['nosync']))
- unset ($config_copy['nat']['advancedoutbound']['rule'][$x]);
+ $rulescnt = count($config_copy['nat']['advancedoutbound']['rule']);
+ for ($x = 0; $x < $rulescnt; $x++) {
+ $config_copy['nat']['advancedoutbound']['rule'][$x]['descr'] = remove_special_characters($config_copy['nat']['advancedoutbound']['rule'][$x]['descr']);
+ if (isset ($config_copy['nat']['advancedoutbound']['rule'][$x]['nosync']))
+ unset ($config_copy['nat']['advancedoutbound']['rule'][$x]);
}
}
if (is_array($config_copy['nat']['rule'])) {
@@ -218,8 +216,12 @@ function carp_sync_xml($url, $password, $sections, $port = 80, $method = 'pfsens
$xml[$section] = backup_vip_config_section();
break;
case 'user':
+ $xml['system'][$section] = $config_copy['system'][$section];
+ $xml['system']['nextuid'] = $config_copy['system']['nextuid'];
+ break;
case 'group':
$xml['system'][$section] = $config_copy['system'][$section];
+ $xml['system']['nextgid'] = $config_copy['system']['nextgid'];
break;
default:
$xml[$section] = $config_copy[$section];
@@ -236,10 +238,8 @@ function carp_sync_xml($url, $password, $sections, $port = 80, $method = 'pfsens
log_error("Beginning XMLRPC sync to {$url}:{$port}.");
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
- /* XXX: Configurable from the GUI?! */
- $username = "admin";
$cli->setCredentials($username, $password);
- if($numberofruns > 1)
+ if($numberofruns > 0)
$cli->setDebug(1);
/* send our XMLRPC message and timeout after 240 seconds */
$resp = $cli->send($msg, "240");
@@ -258,8 +258,10 @@ function carp_sync_xml($url, $password, $sections, $port = 80, $method = 'pfsens
log_error($error);
file_notice("sync_settings", $error, "Settings Sync", "");
exit;
- } else
+ } else {
log_error("XMLRPC sync successfully completed with {$url}:{$port}.");
+ update_filter_reload_status("XMLRPC sync successfully completed with {$url}:{$port}.");
+ }
$numberofruns = 3;
}
$numberofruns++;
@@ -369,8 +371,8 @@ if (is_array($config['installedpackages']['carpsettings']['config'])) {
$sections[] = 'crl';
}
if ($carp['synchronizeusers'] != "") {
- $mergesections[] = 'user';
- $mergesections[] = 'group';
+ $sections[] = 'user';
+ $sections[] = 'group';
}
if ($carp['synchronizednsforwarder'] != "" and is_array($config['dnsmasq']))
$sections[] = 'dnsmasq';
@@ -384,21 +386,21 @@ if (is_array($config['installedpackages']['carpsettings']['config'])) {
if ($carp['synchronizecaptiveportal'] != "" and is_array($config['vouchers']))
$sections[] = 'vouchers';
if (count($sections) > 0) {
- if (!carp_check_version($synchronizetoip, $carp['password'], $port))
+ if (empty($carp['username']))
+ $username = "admin";
+ else
+ $username = $carp['username'];
+ if (!carp_check_version($synchronizetoip, $username, $carp['password'], $port))
break;
update_filter_reload_status("Signaling CARP reload signal...");
- carp_sync_xml($synchronizetoip, $carp['password'], $sections, $port);
- if (is_array($mergesections))
- carp_sync_xml($synchronizetoip, $carp['password'], $mergesections, $port, 'pfsense.restore_config_section');
+ carp_sync_xml($synchronizetoip, $username, $carp['password'], $sections, $port);
$cli = new XML_RPC_Client('/xmlrpc.php', $synchronizetoip, $port);
$params = array(
XML_RPC_encode($carp['password'])
);
$msg = new XML_RPC_Message('pfsense.filter_configure', $params);
- /* XXX: Configurable from the GUI */
- $username = "admin";
$cli->setCredentials($username, $carp['password']);
$resp = $cli->send($msg, "900");
diff --git a/etc/rc.initial.setlanip b/etc/rc.initial.setlanip
index e95acd4..fd60d6a 100755
--- a/etc/rc.initial.setlanip
+++ b/etc/rc.initial.setlanip
@@ -217,7 +217,7 @@
}
$upperifname = strtoupper($interface);
- echo "\nPlease wait, saving and activating your changes to {$upperifname}...";
+ echo "\nPlease wait while the changes are saved to {$upperifname}...";
write_config(gettext("{$interface} IP configuration from console menu"));
interface_reconfigure(strtolower($upperifname));
echo " Reloading filter...";
diff --git a/etc/rc.newwanip b/etc/rc.newwanip
index 93eb089..a4fbde8 100755
--- a/etc/rc.newwanip
+++ b/etc/rc.newwanip
@@ -51,7 +51,7 @@ function restart_packages() {
/* restart packages */
system_ntp_configure();
log_error("{$g['product_name']} package system has detected an ip change $oldip -> $curwanip ... Restarting packages.");
- send_event("reload packages");
+ send_event("service reload packages");
}
/* Interface IP address has changed */
diff --git a/etc/rc.php_ini_setup b/etc/rc.php_ini_setup
index 5a138ed..99efc39 100755
--- a/etc/rc.php_ini_setup
+++ b/etc/rc.php_ini_setup
@@ -116,6 +116,8 @@ PHPMODULES="$PHPMODULES zmq"
PHPMODULES="$PHPMODULES ssh2"
# pfSense extensions
PHPMODULES="$PHPMODULES pfSense"
+# ion cube
+PHPMODULES="$PHPMODULES ioncube_loader"
# Modules previously included.
# can be turned on by touching
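Review bot: Adding `ioncube_loader` to the always-loaded module list lets encoded PHP that cannot be reviewed run in every PHP process on the firewall, and it adds a closed-source binary loader to the attack surface. The comment `# ion cube` does not say which component needs it. Name the consumer in the comment, and consider placing the module in the opt-in group introduced just below ("can be turned on by touching") so that it is loaded only where required. ionCube is normally loaded as a Zend extension rather than a plain extension, so confirm how entries in `PHPMODULES` are emitted into php.ini.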
diff --git a/etc/version b/etc/version
index 3f0e26d..f197044 100644
--- a/etc/version
+++ b/etc/version
@@ -1 +1 @@
-2.0-RC2
+2.0-RC3