authorRenato Botelho <renato.botelho@bluepex.com>2010-09-28 10:19:40 -0300
committerRenato Botelho <renato.botelho@bluepex.com>2010-09-28 10:19:40 -0300
commit43652f2fecfeb7ed4de28d697d515197ff1e3100 (patch)
tree962805777516af930939b2a9194927108d8a8319 /etc
parentad9db2a956814c4e04188b177e37061e7b310472 (diff)
parent7eab33095e8f2293a43ec03c7c6bf002c084bdb2 (diff)
downloadpfsense-43652f2fecfeb7ed4de28d697d515197ff1e3100.zip
pfsense-43652f2fecfeb7ed4de28d697d515197ff1e3100.tar.gz
Merge remote branch 'mainline/master' into inc
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/captiveportal.inc8
-rw-r--r--etc/inc/certs.inc170
-rw-r--r--etc/inc/filter.inc1
-rw-r--r--etc/inc/gwlb.inc40
-rw-r--r--etc/inc/interfaces.inc8
-rw-r--r--etc/inc/openvpn.inc6
-rw-r--r--etc/inc/pfsense-utils.inc6
-rw-r--r--etc/inc/service-utils.inc7
-rw-r--r--etc/inc/services.inc5
-rw-r--r--etc/inc/system.inc26
-rw-r--r--etc/inc/util.inc22
-rw-r--r--etc/inc/vpn.inc14
-rw-r--r--etc/phpshellsessions/gitsync6
-rwxr-xr-xetc/rc11
-rwxr-xr-xetc/rc.bootup2
-rwxr-xr-xetc/rc.filter_synchronize6
-rwxr-xr-xetc/rc.newwanip5
17 files changed, 286 insertions, 57 deletions
diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc
index c27eac0..874c99c 100644
--- a/etc/inc/captiveportal.inc
+++ b/etc/inc/captiveportal.inc
@@ -369,7 +369,7 @@ EOD;
<HEAD><TITLE>Redirecting...</TITLE></HEAD>
<BODY>
<SPAN STYLE="font-family: Tahoma, Verdana, Arial, Helvetica, sans-serif; font-size: 11px;">
-<B>Redirecting to <A HREF="{$my_redirurl}">{$my_redirurl}</A>...</B>
+<B>Redirecting to <A HREF="<?=\$my_redirurl;?>"><?=\$my_redirurl;?></A>...</B>
</SPAN>
<SCRIPT LANGUAGE="JavaScript">
<!--
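Review bot: `$my_redirurl` is written unescaped into the `HREF` attribute and the link text here, and again into a JavaScript string in the `document.location.href` hunk below; `$logouturl` and `$sessionid` get the same treatment in the `LogoutWin.document.write` hunk. If any of these can carry client-supplied data (the redirect URL of a captive portal usually can, though where it comes from is outside this diff), a quote or angle bracket in the value breaks out of the attribute or the script string. Encode per output context, e.g. `<?=htmlspecialchars(\$my_redirurl, ENT_QUOTES);?>` in the markup and `document.location.href=<?=json_encode(\$my_redirurl);?>;` in the script. The heredoc these lines belong to starts and ends outside the hunks.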
@@ -380,8 +380,8 @@ if (LogoutWin) {
LogoutWin.document.write('<BODY BGCOLOR="#435370">');
LogoutWin.document.write('<DIV ALIGN="center" STYLE="color: #ffffff; font-family: Tahoma, Verdana, Arial, Helvetica, sans-serif; font-size: 11px;">') ;
LogoutWin.document.write('<B>Click the button below to disconnect</B><P>');
- LogoutWin.document.write('<FORM METHOD="POST" ACTION="{$logouturl}">');
- LogoutWin.document.write('<INPUT NAME="logout_id" TYPE="hidden" VALUE="{$sessionid}">');
+ LogoutWin.document.write('<FORM METHOD="POST" ACTION="<?=\$logouturl;?>">');
+ LogoutWin.document.write('<INPUT NAME="logout_id" TYPE="hidden" VALUE="<?=\$sessionid;?>">');
LogoutWin.document.write('<INPUT NAME="logout" TYPE="submit" VALUE="Logout">');
LogoutWin.document.write('</FORM>');
LogoutWin.document.write('</DIV></BODY>');
@@ -389,7 +389,7 @@ if (LogoutWin) {
LogoutWin.document.close();
}
-document.location.href="{$my_redirurl}";
+document.location.href="<?=\$my_redirurl;?>";
-->
</SCRIPT>
</BODY>
diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc
index 9ac7120..0a9e342 100644
--- a/etc/inc/certs.inc
+++ b/etc/inc/certs.inc
@@ -1,8 +1,9 @@
<?php
/* $Id$ */
/*
- Copyright (C) 2008 Shrew Soft Inc
- All rights reserved.
+ Copyright (C) 2008 Shrew Soft Inc
+ Copyright (C) 2010 Jim Pingle <jimp@pfsense.org>
+ All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
@@ -67,6 +68,25 @@ function & lookup_cert($refid) {
return false;
}
+function & lookup_cert_by_name($name) {
+ global $config;
+ if (is_array($config['cert']))
+ foreach ($config['cert'] as & $cert)
+ if ($cert['name'] == $name)
+ return $cert;
+}
+
+function & lookup_crl($refid) {
+ global $config;
+
+ if (is_array($config['crl']))
+ foreach ($config['crl'] as & $crl)
+ if ($crl['refid'] == $refid)
+ return $crl;
+
+ return false;
+}
+
function ca_chain_array(& $cert) {
if($cert['caref']) {
$chain = array();
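Review bot: `lookup_cert_by_name()` has no return statement for the not-found case, while `lookup_cert()` and the new `lookup_crl()` both end in `return false;`. A caller that tests the result the same way for all three helpers gets null here, and a by-reference function that falls off the end raises a notice. Add `return false;` after the loop, and consider a one-line comment saying that the first certificate with a matching `name` wins, since names are not shown to be unique.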
@@ -145,7 +165,7 @@ function ca_create(& $ca, $keylen, $lifetime, $dn) {
"encrypt_key" => false);
// generate a new key pair
- $res_key = openssl_pkey_new();
+ $res_key = openssl_pkey_new($args);
// generate a certificate signing request
$res_csr = openssl_csr_new($dn, $res_key, $args);
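Review bot: The result of `openssl_pkey_new($args)` is passed straight to `openssl_csr_new()` without a check, here and in the identical change in `cert_create()` and `csr_generate()`. Now that the key parameters come from `$args`, a rejected `$keylen` makes the call return false where the old default-argument call would have succeeded. Add `if (!$res_key) return false;` after the call unless a check further down already covers it; the function bodies continue outside these hunks.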
@@ -201,7 +221,7 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn) {
"encrypt_key" => false);
// generate a new key pair
- $res_key = openssl_pkey_new();
+ $res_key = openssl_pkey_new($args);
// generate a certificate signing request
$res_csr = openssl_csr_new($dn, $res_key, $args);
@@ -231,7 +251,7 @@ function csr_generate(& $cert, $keylen, $dn) {
"encrypt_key" => false);
// generate a new key pair
- $res_key = openssl_pkey_new();
+ $res_key = openssl_pkey_new($args);
// generate a certificate signing request
$res_csr = openssl_csr_new($dn, $res_key, $args);
@@ -301,6 +321,10 @@ function cert_get_subject_array($crt) {
$str_crt = base64_decode($crt);
$inf_crt = openssl_x509_parse($str_crt);
$components = $inf_crt['subject'];
+
+ if (!is_array($components))
+ return;
+
$subject_array = array();
foreach($components as $a => $v)
@@ -397,4 +421,140 @@ function cert_in_use($certref) {
is_ipsec_cert($certref));
}
+/*
+CRL code is a *WORK IN PROGRESS* do not try to use these functions yet.
+
+OpenSSL CRL status code constants.
+OCSP_REVOKED_STATUS_NOSTATUS
+OCSP_REVOKED_STATUS_UNSPECIFIED
+OCSP_REVOKED_STATUS_KEYCOMPROMISE
+OCSP_REVOKED_STATUS_CACOMPROMISE
+OCSP_REVOKED_STATUS_AFFILIATIONCHANGED
+OCSP_REVOKED_STATUS_SUPERSEDED
+OCSP_REVOKED_STATUS_CESSATIONOFOPERATION
+OCSP_REVOKED_STATUS_CERTIFICATEHOLD
+OCSP_REVOKED_STATUS_REMOVEFROMCRL
+*/
+
+$openssl_crl_status = array(
+ OCSP_REVOKED_STATUS_NOSTATUS => "No Status (default)",
+ OCSP_REVOKED_STATUS_UNSPECIFIED => "Unspecified",
+ OCSP_REVOKED_STATUS_KEYCOMPROMISE => "Key Compromise",
+ OCSP_REVOKED_STATUS_CACOMPROMISE => "CA Compromise",
+ OCSP_REVOKED_STATUS_AFFILIATIONCHANGED => "Affiliation Changed",
+ OCSP_REVOKED_STATUS_SUPERSEDED => "Superseded",
+ OCSP_REVOKED_STATUS_CESSATIONOFOPERATION => "Cessation of Operation",
+ OCSP_REVOKED_STATUS_CERTIFICATEHOLD => "Certificate Hold",
+ OCSP_REVOKED_STATUS_REMOVEFROMCRL => "Remove from CRL"
+);
+
+function crl_create(& $crl, $caref, $name, $serial=0, $lifetime=9999) {
+ global $config;
+ $ca =& lookup_ca($caref);
+ if (!$ca)
+ return false;
+ $crl['name'] = $name;
+ $crl['caref'] = $caref;
+ $crl['serial'] = $serial;
+ $crl['lifetime'] = $lifetime;
+ $crl['cert'] = array();
+ $crl_res = crl_update($crl);
+ $config['crl'][] = $crl;
+ return $crl_res;
+}
+
+function crl_update(& $crl) {
+ global $config;
+ $ca =& lookup_ca($crl['caref']);
+ if (!$ca)
+ return false;
+ // If we have text but no certs, it was imported and cannot be updated.
+ if (!empty($crl['text']) && empty($crl['cert']))
+ return false;
+ $crl['serial']++;
+ $ca_str_crt = base64_decode($ca['crt']);
+ $ca_str_key = base64_decode($ca['prv']);
+ $crl_res = openssl_crl_new($ca_str_crt, $crl['serial'], $crl['lifetime']);
+ foreach ($crl['cert'] as $cert) {
+ openssl_crl_revoke_cert($crl_res, base64_decode($cert["crt"]), $cert["revoke_time"], $cert["reason"]);
+ }
+ openssl_crl_export($crl_res, $crl_text, $ca_str_key);
+ $crl['text'] = base64_encode($crl_text);
+ return $crl_res;
+}
+
+function cert_revoke($cert, & $crl, $reason=OCSP_REVOKED_STATUS_UNSPECIFIED) {
+ global $config;
+ if (is_cert_revoked($cert, $crl['refid']))
+ return true;
+ // If we have text but no certs, it was imported and cannot be updated.
+ if (!is_crl_internal($crl))
+ return false;
+ $cert["reason"] = $reason;
+ $cert["revoke_time"] = time();
+ $crl["cert"][] = $cert;
+ crl_update($crl);
+ return true;
+}
+
+function cert_unrevoke($cert, & $crl) {
+ global $config;
+ if (!is_crl_internal($crl))
+ return false;
+ foreach ($crl['cert'] as $id => $rcert) {
+ if (($rcert['refid'] == $cert['refid']) || ($rcert['name'] == $cert['name'])) {
+ unset($crl['cert'][$id]);
+ crl_update($crl);
+ return true;
+ }
+ }
+ return false;
+}
+
+function is_cert_revoked($cert, $crlref = "") {
+ global $config;
+ if (!is_array($config['crl']))
+ return false;
+
+ if (!empty($crlref)) {
+ $crl = crl_lookup($crlref);
+ if (!is_array($crl['cert']))
+ return false;
+ foreach ($crl['cert'] as $rcert) {
+ if (($rcert['refid'] == $cert['refid']) || ($rcert['name'] == $cert['name']))
+ return true;
+ }
+ } else {
+ foreach ($config['crl'] as $crl) {
+ if (!is_array($crl['cert']))
+ continue;
+ foreach ($crl['cert'] as $rcert) {
+ if (($rcert['refid'] == $cert['refid']) || ($rcert['name'] == $cert['name']))
+ return true;
+ }
+ }
+ }
+ return false;
+}
+
+function is_openvpn_server_crl($crlref) {
+ global $config;
+ if (!is_array($config['openvpn']['openvpn-server']))
+ return;
+ foreach ($config['openvpn']['openvpn-server'] as $ovpns) {
+ if (!empty($ovpns['crlref']) && ($ovpns['crlref'] == $crlref))
+ return true;
+ }
+ return false;
+}
+
+// Keep this general to allow for future expansion. See cert_in_use() above.
+function crl_in_use($crlref) {
+ return (is_openvpn_server_crl($crlref));
+}
+
+function is_crl_internal($crl) {
+ return !(!empty($crl['text']) && empty($crl['cert']));
+}
+
?>
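Review bot: `is_cert_revoked()` calls `crl_lookup($crlref)`, but the helper this commit adds is named `lookup_crl()`; unless a `crl_lookup()` exists elsewhere, every call that passes a CRL reference (including the one at the top of `cert_revoke()`) ends in an undefined-function fatal error. Change the line to `$crl = lookup_crl($crlref);`. Separately, `crl_update()` ignores the results of `openssl_crl_new()` and `openssl_crl_export()`, so a failed export would store an empty `text`, and matching revoked entries on `name` as well as `refid` treats any other certificate with the same name as revoked. A short comment on `is_cert_revoked()` stating which of the two identifiers is authoritative would help the next reader.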
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 2b1493c..c9d8b92 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1916,6 +1916,7 @@ function filter_rules_generate() {
$pptpdcfg = $config['pptpd'];
$pppoecfg = $config['pppoe'];
+ $ipfrules = "";
//$ipfrules .= discover_pkg_rules("filter");
/* if captive portal is enabled, ensure that access to this port
diff --git a/etc/inc/gwlb.inc b/etc/inc/gwlb.inc
index 326e972..02d8711 100644
--- a/etc/inc/gwlb.inc
+++ b/etc/inc/gwlb.inc
@@ -149,10 +149,11 @@ EOD;
if (!is_ipaddr($gwifip))
continue; //Skip this target
- $apingercfg .= "target \"{$gateway['monitor']}\" {\n";
+ $apingercfg = "target \"{$gateway['monitor']}\" {\n";
$apingercfg .= " description \"{$name}\"\n";
$apingercfg .= " srcip \"{$gwifip}\"\n";
$alarms = "";
+ $alarmscfg = "";
$override = false;
if (!empty($gateway['lowloss'])) {
$alarmscfg .= "alarm loss \"{$name}loss\" {\n";
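Review bot: Changing `$apingercfg .=` to `=` on the `target` line discards whatever the variable held before, and the `continue; //Skip this target` above it shows that this code runs once per gateway inside a loop. That is only correct if each target's text is appended to a separate accumulator further down, which is outside this hunk; if `$apingercfg` is itself what gets written to the config file, only the last gateway survives. Please confirm, and add a comment such as `/* per-target buffer, appended to the full config below */` next to the assignment.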
@@ -270,16 +271,9 @@ function return_gateways_array($disabled = false) {
$gateways_arr = array();
- /* Loop through all interfaces with a gateway and add it to a array */
- if ($disabled == false) {
- $iflist = get_configured_interface_with_descr();
- } else {
- $iflist = get_configured_interface_with_descr(false, true);
- }
-
$i = 0;
/* Process/add all the configured gateways. */
- if(is_array($config['gateways']['gateway_item'])) {
+ if (is_array($config['gateways']['gateway_item'])) {
foreach($config['gateways']['gateway_item'] as $gateway) {
if($gateway['gateway'] == "dynamic") {
$gateway['gateway'] = get_interface_gateway($gateway['interface']);
@@ -293,6 +287,13 @@ function return_gateways_array($disabled = false) {
$gateway['friendlyiface'] = $gateway['interface'];
$gateway['interface'] = get_real_interface($gateway['interface']);
+ /* Some interface like wan might be default but have no info recorded
+ * the config.
+ */
+ if ($gateway['friendlyiface'] == "wan" && !isset($gateway['defaultgw'])) {
+ if (file_exists("{$g['tmp_path']}/{$gateway['interface']}_defaultgw"))
+ $gateway['defaultgw'] = true;
+ }
/* include the gateway index as the attribute */
$gateway['attribute'] = $i;
@@ -301,6 +302,12 @@ function return_gateways_array($disabled = false) {
}
}
+ /* Loop through all interfaces with a gateway and add it to a array */
+ if ($disabled == false)
+ $iflist = get_configured_interface_with_descr();
+ else
+ $iflist = get_configured_interface_with_descr(false, true);
+
/* Process/add dynamic gateways. */
foreach($iflist as $ifname => $friendly ) {
if(! interface_has_gateway($ifname))
@@ -311,12 +318,16 @@ function return_gateways_array($disabled = false) {
$gateway['gateway'] = get_interface_gateway($ifname, $gateway['dynamic']);
$gateway['interface'] = get_real_interface($ifname);
$gateway['friendlyiface'] = $ifname;
- $gateway['name'] = "{$friendly}";
+ $gateway['name'] = $friendly;
$gateway['attribute'] = "system";
+ if ($gateway['dynamic'] == "default") {
+ $gateway['defaultgw'] = true;
+ $gateway['dynamic'] = true;
+ }
/* Loopback dummy for dynamic interfaces without a IP */
- if(!is_ipaddr($gateway['gateway']) && $gateway['dynamic'] == true)
- $gateway['gateway'] = "dynamic";
+ if (!is_ipaddr($gateway['gateway']) && $gateway['dynamic'] == true)
+ $gateway['gateway'] = "dynamic";
/* automatically skip known static and dynamic gateways we have a array entry for */
foreach($gateways_arr as $gateway_item) {
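Review bot: `$gateway['dynamic'] == "default"` is a loose comparison, and `get_interface_gateway()` (last hunk of this file) sets the by-reference flag to either `true` or the string `"default"`. PHP compares a boolean with a string by converting the string to a boolean, so `true == "default"` holds and every dynamic gateway is marked `defaultgw`, not only the one that has a `_defaultgw` file. Use `if ($gateway['dynamic'] === "default") {`. Carrying two types through one flag is fragile; a separate array key for the default state would be clearer.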
@@ -506,7 +517,10 @@ function get_interface_gateway($interface, &$dynamic = false) {
$realif = get_real_interface($interface);
if (file_exists("{$g['tmp_path']}/{$realif}_router")) {
$gw = trim(file_get_contents("{$g['tmp_path']}/{$realif}_router"), " \n");
- $dynamic = true;
+ if (file_exists("{$g['tmp_path']}/{$realif}_defaultgw"))
+ $dynamic = "default";
+ else
+ $dynamic = true;
}
}
diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc
index 74efd96..f4d224e 100644
--- a/etc/inc/interfaces.inc
+++ b/etc/inc/interfaces.inc
@@ -886,6 +886,8 @@ function interface_bring_down($interface = "wan", $destroy = false) {
unlink_if_exists("{$g['tmp_path']}/{$realif}up");
unlink_if_exists("{$g['vardb_path']}/{$interface}ip");
unlink_if_exists("{$g['tmp_path']}/{$realif}_router");
+ unlink_if_exists("{$g['varetc_path']}/nameserver_{$realif}");
+ unlink_if_exists("{$g['varetc_path']}/searchdomain_{$realif}");
/* hostapd and wpa_supplicant do not need to be running when the interface is down.
* They will also use 100% CPU if running after the wireless clone gets deleted. */
@@ -2544,15 +2546,15 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven
/* reload ipsec tunnels */
vpn_ipsec_configure();
+ /* restart dnsmasq */
+ services_dnsmasq_configure();
+
/* update dyndns */
services_dyndns_configure($interface);
/* force DNS update */
services_dnsupdate_process($interface);
- /* restart dnsmasq */
- services_dnsmasq_configure();
-
/* reload captive portal */
captiveportal_init_rules();
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index d150dd5..1e7e9b8 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -506,8 +506,10 @@ function openvpn_reconfigure($mode,& $settings) {
openvpn_add_keyfile($cert['prv'], $conf, $mode_id, "key");
if ($mode == 'server')
$conf .= "dh {$g['etc_path']}/dh-parameters.{$settings['dh_length']}\n";
- if ($settings['crl'])
- openvpn_add_keyfile($settings['crl'], $conf, $mode_id, "crl-verify");
+ if (!empty($settings['crlref'])) {
+ $crl = lookup_crl($settings['crlref']);
+ openvpn_add_keyfile($crl['text'], $conf, $mode_id, "crl-verify");
+ }
if ($settings['tls']) {
if (stristr($settings['mode'], "server"))
$tlsopt = 0;
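Review bot: The return value of `lookup_crl()` is used without a check: it returns false when no CRL matches `$settings['crlref']`, and `$crl['text']` is then empty when handed to `openvpn_add_keyfile()`. Depending on how that helper treats empty data (not visible here), the server config ends up with an empty `crl-verify` file or with no revocation check at all, and in neither case is the operator told. Guard the call with `if (!is_array($crl) || empty($crl['text']))`, report it through `log_error()`, and decide explicitly whether the instance should still start. `openvpn_reconfigure()` continues outside the hunk.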
diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc
index 7efdd86..8e0233e 100644
--- a/etc/inc/pfsense-utils.inc
+++ b/etc/inc/pfsense-utils.inc
@@ -1700,8 +1700,10 @@ function version_get_string_value($a) {
2 => "ALPHA",
3 => "BETA",
4 => "B",
- 5 => "RC",
- 6 => "RELEASE"
+ 5 => "C",
+ 6 => "D",
+ 7 => "RC",
+ 8 => "RELEASE"
);
$major = 0;
$minor = 0;
diff --git a/etc/inc/service-utils.inc b/etc/inc/service-utils.inc
index 281da52..925ff4f 100644
--- a/etc/inc/service-utils.inc
+++ b/etc/inc/service-utils.inc
@@ -41,9 +41,14 @@
$rcfileprefix = "/usr/local/etc/rc.d/";
function write_rcfile($params) {
global $g;
+ global $rcfileprefix;
+
+ if (!file_exists("{$rcfileprefix}{$params['file']}") && !touch("{$rcfileprefix}{$params['file']}"))
+ return false;
if (!is_writable("{$rcfileprefix}{$params['file']}") || empty($params['start']))
return false;
+
$towrite = "#!/bin/sh\n";
$towrite .= "# This file was automatically generated\n# by the {$g['product_website']} service handler.\n\n";
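Review bot: `touch("{$rcfileprefix}{$params['file']}")` now creates the file before `empty($params['start'])` is tested, so a call without a start command leaves an empty file behind in `/usr/local/etc/rc.d/`, and `$params['file']` is joined to the prefix with no check that it is a plain file name. If the value can come from package metadata, a name containing `../` would create and later overwrite a file outside the rc.d directory. Test `empty($params['start'])` first and build the path once with `$rcfile = $rcfileprefix . basename($params['file']);`. The rest of `write_rcfile()` is outside the hunk.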
@@ -75,6 +80,7 @@ function write_rcfile($params) {
function start_service($name) {
global $config;
+ global $rcfileprefix;
/* make sure service is stopped before starting */
stop_service($name);
@@ -106,6 +112,7 @@ function start_service($name) {
function stop_service($name) {
global $config;
+ global $rcfileprefix;
if ($config['installedpackages']['service']) {
foreach($config['installedpackages']['service'] as $service) {
diff --git a/etc/inc/services.inc b/etc/inc/services.inc
index 879741f..b784108 100644
--- a/etc/inc/services.inc
+++ b/etc/inc/services.inc
@@ -621,9 +621,6 @@ function services_dyndns_configure($int = "") {
services_dyndns_configure_client($dyndns);
sleep(1);
-
- if (!empty($int))
- break;
}
if ($g['booting'])
@@ -1283,7 +1280,7 @@ function configure_cron() {
file_put_contents("/etc/crontab", $crontab_contents);
/* do a HUP kill to force sync changes */
- exec('/usr/bin/killall -HUP cron');
+ exec('/bin/pkill -HUP cron');
conf_mount_ro();
}
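Review bot: `/bin/pkill -HUP cron` matches its pattern as a regular expression against process names, so it signals any process whose name contains `cron`, where `killall cron` matched only the exact name. Use `exec('/bin/pkill -HUP -x cron');` to keep the exact-match behaviour. The exit status of `exec()` is not checked either, so a failed reload of the new crontab goes unnoticed.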
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index 0e725c9..422ae77 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -99,6 +99,13 @@ function system_resolvconf_generate($dynupdate = false) {
if (isset($syscfg['dnsallowoverride'])) {
/* get dynamically assigned DNS servers (if any) */
+ $ns = array_unique(get_searchdomains());
+ foreach($ns as $searchserver) {
+ if($searchserver) {
+ $resolvconf .= "search {$searchserver}\n";
+ $havedns = true;
+ }
+ }
$ns = array_unique(get_nameservers());
foreach($ns as $nameserver) {
if($nameserver) {
@@ -146,6 +153,23 @@ function system_resolvconf_generate($dynupdate = false) {
return 0;
}
+function get_searchdomains() {
+ global $config, $g;
+
+ $master_list = array();
+
+ // Read in dhclient nameservers
+ $search_list = split("\n", `/bin/cat /var/etc/searchdomain_* 2>/dev/null`);
+ if (is_array($search_lists)) {
+ foreach($search_lists as $dns) {
+ if(is_hostname($dns))
+ $master_list[] = $dns;
+ }
+ }
+
+ return $master_list;
+}
+
function get_nameservers() {
global $config, $g;
$master_list = array();
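Review bot: `get_searchdomains()` assigns the file contents to `$search_list` but then tests and iterates `$search_lists`, which is never set, so the function always returns an empty array and the `is_hostname()` filter is never reached. Use one name throughout, e.g. `if (is_array($search_list)) {` and `foreach ($search_list as $dns) {`. The comment says "dhclient nameservers" although the files read are `searchdomain_*`, and `split()` is a regex function that a plain `explode("\n", ...)` replaces here. Once the function returns data, note that the first hunk of this file emits one `search` line per domain, and resolvers commonly honour only the last `search` line in resolv.conf.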
@@ -359,6 +383,8 @@ function system_routing_configure($interface = "") {
if (isset($gateways_arr[$rtent['gateway']])) {
$gatewayip = $gateways_arr[$rtent['gateway']]['gateway'];
$interfacegw = $gateways_arr[$rtent['gateway']]['interface'];
+ if ($interface == $gateways_arr[$rtent['gateway']]['friendlyiface'])
+ continue;
} else if (is_ipaddr($rtent['gateway'])) {
$gatewayip = $rtent['gateway'];
} else {
diff --git a/etc/inc/util.inc b/etc/inc/util.inc
index a1a8762..a46fae3 100644
--- a/etc/inc/util.inc
+++ b/etc/inc/util.inc
@@ -140,13 +140,19 @@ function unlock($cfglckkey = 0) {
function send_event($cmd) {
global $g;
- $fd = fsockopen($g['event_address']);
- if ($fd) {
- fwrite($fd, $cmd);
- $resp = fread($fd, 4096);
- if ($resp != "OK\n")
- log_error("send_event: sent {$cmd} got {$resp}");
- fclose($fd);
+ $try = 0;
+ while ($try < 3) {
+ $fd = @fsockopen($g['event_address']);
+ if ($fd) {
+ fwrite($fd, $cmd);
+ $resp = fread($fd, 4096);
+ if ($resp != "OK\n")
+ log_error("send_event: sent {$cmd} got {$resp}");
+ fclose($fd);
+ $try = 3;
+ } else
+ mwexec_bg("/usr/bin/nice -n20 /usr/local/sbin/check_reload_status");
+ $try++;
}
}
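Review bot: When `fsockopen()` fails, the loop starts `check_reload_status` in the background and retries at once, so three failed attempts can launch the daemon three times without giving it time to open its socket. After the third failure the event is dropped with nothing logged, because `@` hides the connect error. Start the daemon once, pause between attempts, and call `log_error()` when the event could not be delivered; the loop below is one way to write it.

```php
function send_event($cmd) {
	// … unchanged: global $g …
	$sent = false;
	for ($try = 0; $try < 3 && !$sent; $try++) {
		$fd = @fsockopen($g['event_address']);
		if (!$fd) {
			/* start the daemon once, then give it time to open its socket */
			if ($try == 0)
				mwexec_bg("/usr/bin/nice -n20 /usr/local/sbin/check_reload_status");
			sleep(1);
			continue;
		}
		fwrite($fd, $cmd);
		$resp = fread($fd, 4096);
		if ($resp != "OK\n")
			log_error("send_event: sent {$cmd} got {$resp}");
		fclose($fd);
		$sent = true;
	}
	if (!$sent)
		log_error("send_event: could not deliver {$cmd}");
}
```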
@@ -1043,7 +1049,7 @@ function safe_mkdir($path, $mode=0755) {
global $g;
if (!is_file($path) && !is_dir($path)) {
- return @mkdir($path, $mode);
+ return @mkdir($path, $mode, true);
} else {
return false;
}
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index d3ec496..c5802fc 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -86,10 +86,7 @@ function vpn_ipsec_configure($ipchg = false)
unlink_if_exists("{$g['vardb_path']}/ipsecpinghosts");
touch("{$g['vardb_path']}/ipsecpinghosts");
- if(isset($config['ipsec']['preferoldsa']))
- mwexec("/sbin/sysctl -w net.key.preferred_oldsa=-30");
- else
- mwexec("/sbin/sysctl net.key.preferred_oldsa=0");
+ vpn_ipsec_configure_preferoldsa();
$syscfg = $config['system'];
$ipseccfg = $config['ipsec'];
@@ -159,7 +156,7 @@ function vpn_ipsec_configure($ipchg = false)
$rg = $ph1ent['remote-gateway'];
if (!is_ipaddr($rg)) {
- $dnswatch_list[] = "{$rg} = value";
+ $dnswatch_list[] = "{$rg}=value";
add_hostname_to_watch($rg);
$rg = resolve_retry($rg);
if (!$rg)
@@ -1711,4 +1708,11 @@ function reload_tunnel_spd_policy($phase1, $phase2, $old_phase1, $old_phase2) {
return true;
}
+function vpn_ipsec_configure_preferoldsa() {
+ global $config;
+ if(isset($config['ipsec']['preferoldsa']))
+ mwexec("/sbin/sysctl -w net.key.preferred_oldsa=-30");
+ else
+ mwexec("/sbin/sysctl net.key.preferred_oldsa=0");
+}
?>
diff --git a/etc/phpshellsessions/gitsync b/etc/phpshellsessions/gitsync
index 5efa4d7..6f7a53f 100644
--- a/etc/phpshellsessions/gitsync
+++ b/etc/phpshellsessions/gitsync
@@ -284,10 +284,6 @@ function post_cvssync_commands() {
echo "===> Upgrading configuration (if needed)...\n";
convert_config();
- echo "===> Restarting check_reload_status...\n";
- exec("killall check_reload_status");
- mwexec_bg("nohup /usr/bin/nice -n20 /usr/local/sbin/check_reload_status");
-
echo "===> Configuring filter...";
exec("/etc/rc.filter_configure_sync");
exec("pfctl -f /tmp/rules.debug");
@@ -308,7 +304,7 @@ function post_cvssync_commands() {
fwrite($fd, "#!/bin/sh\n");
fwrite($fd, "sleep 5\n");
fwrite($fd, "killall php\n");
- fwrite($fd, "touch /tmp/restart_webgui\n");
+ fwrite($fd, "/usr/local/sbin/pfSctl -c 'service restart webgui'\n");
fclose($fd);
mwexec_bg("sh /tmp/restart_lighty");
echo "\n";
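Review bot: The script written here is saved under the fixed name `/tmp/restart_lighty` and then run with `sh` by `mwexec_bg()`. The `fopen()` call is outside the hunk, but if it opens that path without checking for an existing file or symlink, any local account able to write to `/tmp` could influence what gets executed with the privileges of this session. Creating the file with `tempnam()` or in a directory only root can write would close that gap, and a comment above the `fwrite()` calls should say why the restart has to be deferred through a helper script.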
diff --git a/etc/rc b/etc/rc
index aef09c9..f7ae21e 100755
--- a/etc/rc
+++ b/etc/rc
@@ -4,7 +4,7 @@
# /etc/rc - master bootup script, invokes php setup
# part of pfSense by Scott Ullrich
-# Copyright (C) 2004 Scott Ullrich, All rights reserved.
+# Copyright (C) 2004-2010 Scott Ullrich, All rights reserved.
# originally based on m0n0wall (http://neon1.net/m0n0wall)
# Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
# All rights reserved.
@@ -328,12 +328,19 @@ fi
echo "done."
+# Ensure gettytab is of a sane size
+if [ `/bin/ls -la /etc/gettytab | /usr/bin/awk '{ print $5'}` -lt 512 ]; then
+ echo ">>> Restoring /etc/gettytab due to unusal size"
+ echo ">>> Restoring /etc/gettytab due to unusal size" | /usr/bin/logger
+ cp /etc/gettytab.bak /etc/gettytab
+fi
+
# Recreate capabilities DB
cap_mkdb /etc/login.conf
# Run the php.ini setup file and populate
# /usr/local/etc/php.ini and /usr/local/lib/php.ini
-. /etc/rc.php_ini_setup
+/etc/rc.php_ini_setup
nohup /usr/bin/nice -n20 /usr/local/sbin/check_reload_status
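Review bot: The size test only works when `/etc/gettytab` exists: if the file is missing, the command substitution is empty, `[ -lt 512 ]` fails with a syntax error, and the restore is skipped in the case that needs it most. The `cp` also runs without checking that `/etc/gettytab.bak` is present and non-empty. Something like `if [ ! -s /etc/gettytab ] || [ "$(/bin/ls -l /etc/gettytab | /usr/bin/awk '{ print $5 }')" -lt 512 ]; then` followed by `[ -s /etc/gettytab.bak ] && cp /etc/gettytab.bak /etc/gettytab` covers both. The message text should read "unusual".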
diff --git a/etc/rc.bootup b/etc/rc.bootup
index 3e5647b..d6574ee 100755
--- a/etc/rc.bootup
+++ b/etc/rc.bootup
@@ -263,7 +263,7 @@ echo "done.\n";
if($avail > 0 and $avail < 65) {
echo "System has less than 65 megabytes of ram {$avail}. Delaying webConfigurator startup.\n";
/* start webConfigurator up on final pass */
- touch("/tmp/restart_webgui");
+ mwexec("/usr/local/sbin/pfSctl -c 'service restart webgui'");
} else {
/* start web server */
system_webgui_start();
diff --git a/etc/rc.filter_synchronize b/etc/rc.filter_synchronize
index b8ab26a..5182f30 100755
--- a/etc/rc.filter_synchronize
+++ b/etc/rc.filter_synchronize
@@ -134,7 +134,9 @@ function carp_sync_xml($url, $password, $sections, $port = 80, $method = 'pfsens
$vipcnt = count($config_copy['virtualip']['vip']);
for ($x = 0; $x < $vipcnt; $x++) {
$config_copy['virtualip']['vip'][$x]['descr'] = remove_special_characters($config_copy['virtualip']['vip'][$x]['descr']);
- if (isset ($config_copy['virtualip']['vip'][$x]['nosync']) or $config_copy['virtualip']['vip'][$x]['mode'] == "proxyarp")
+ if (isset ($config_copy['virtualip']['vip'][$x]['nosync']) or
+ $config_copy['virtualip']['vip'][$x]['mode'] == "proxyarp" or
+ $config_copy['virtualip']['vip'][$x]['mode'] == "ipalias")
unset ($config_copy['virtualip']['vip'][$x]);
}
}
@@ -322,4 +324,4 @@ if (is_array($config['installedpackages']['carpsettings']['config'])) {
}
}
-?> \ No newline at end of file
+?>
diff --git a/etc/rc.newwanip b/etc/rc.newwanip
index 57c48bd..9d3d484 100755
--- a/etc/rc.newwanip
+++ b/etc/rc.newwanip
@@ -63,7 +63,7 @@ log_error("rc.newwanip: on (IP address: {$curwanip}) (interface: {$interface}) (
if($curwanip == "0.0.0.0" || !is_ipaddr($curwanip)) {
log_error("rc.newwanip: Failed to update {$interface} IP, restarting...");
- interface_configure($interface);
+ send_event("interface reconfigure {$interface}");
exit;
}
@@ -81,6 +81,9 @@ file_put_contents("{$g['vardb_path']}/{$interface}_cacheip", $curwanip);
if (is_ipaddr($oldip) && $curwanip == $oldip)
exit;
+/* reconfigure static routes (kernel may have deleted them) */
+system_routing_configure($interface);
+
/* reconfigure our gateway monitor */
setup_gateways_monitor();