Commit message [Author, Age, Files, Lines]
* Fix #4090: [Renato Botelho, 2015-01-05, 5 files, -5/+12]
|   - Unbound advanced options may contain double quotes and it breaks the syntax when a backup is restored because newlines are trimmed. Saving it in base64 format is a safe way to prevent it
|   - Bump config version to 11.5
|   - Provide upgrade code to encode current config or the one that came from unbound package on 2.1.5
* It's supposed to remove windows EOL here, not ; [Renato Botelho, 2015-01-05, 1 file, -1/+1]
|
* Make it possible to backup/restore 'DNS Resolver' section individually [Renato Botelho, 2015-01-05, 1 file, -0/+1]
|
* Do not monitor a gateway that has not got DHCP yet [Phil Davis, 2015-01-05, 1 file, -0/+3]
|   When an interface is waiting to get DHCP, but the cable is physically-electrically connected to the upstream device, the interface has an IPv4 address 0.0.0.0 - that was getting past here and, if the interface gateway had a monitor IP specified, that monitor IP was being put into apinger.conf and being monitored. Because the interface has not got a gateway yet, no static route is added to force the traffic for the monitor IP out the particular interface. So the traffic to the monitor IP can follow the default route and perhaps succeed in getting out another WAN to the monitor IP.
|   The downstream results of this were:
|   1) Gateway status appears up and reports real RTT and Loss statistics, even though the interface is down.
|   2) Generation of rules for a gateway group that has this gateway as tier1 will think it is up, and thus try to policy-route traffic to it - which then does not get anywhere.
|   3) DynDNS status of a gateway group that has this gateway as tier1 shows the cached IP in red - it thinks the interface/gateway is up and tries to find the public IP by trying to get to checkip.dyndns.com through the interface/gateway. That of course fails.
|   4) I'm sure there are other things that depend on checking gateway and gateway group status that would also be getting it wrong in this condition, because apinger is being told to monitor, and manages to successfully monitor, an interface/gateway that has not yet got DHCP.
|   When waiting for DHCP, ifconfig shows like this on my system (WAN is on a cable to a VLAN switch):
|       vr0_vlan70: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
|           ether 00:0d:b9:24:59:c0
|           inet6 fe80::20d:b9ff:fe24:59c0%vr0_vlan70 prefixlen 64 scopeid 0xf
|           inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255
|           nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
|           media: Ethernet autoselect (100baseTX <full-duplex>)
|           status: active
|           vlan: 70 vlanpcp: 0 parent interface: vr0
|   From what I can see, this little 2-line fix ends up correcting all the downstream effects I listed above.
|   Should fix RedMine #4094
* Fix track6 prefix id range check, reported by jimp [Renato Botelho, 2015-01-02, 1 file, -1/+1]
|
* Allow blank source port in diag_testport [Phil Davis, 2015-01-02, 1 file, -15/+10]
|   Reported by forum https://forum.pfsense.org/index.php?topic=86146.0
|   Also, if there are input validation errors, save the user-entered data and re-display it, making it easier for the user to just correct the data in error and press Test again. It was blanking out all the entered data.
* Fix lineup of copyright lines [Phil Davis, 2015-01-01, 296 files, -1503/+1578]
|   and module names and other bits of formatting and typos in header comment sections.
* Remove duplicate copyright [Phil Davis, 2015-01-01, 3 files, -4/+1]
|   Noticed these had the copyright twice
* Use binat, not nat, where IPsec NAT is configured with an address for local and NAT. Ticket #4169 [Chris Buechler, 2014-12-31, 1 file, -10/+6]
|
* Welcome 2015 [Renato Botelho, 2014-12-31, 299 files, -305/+305]
|
* Add config upgrade code to make sure iketype is set, bump config version to 11.4. It fixes #4163 [Renato Botelho, 2014-12-31, 3 files, -2/+14]
|
* libreadline.so.6 is not supposed to be obsoleted, fixes #4159 [Renato Botelho, 2014-12-31, 1 file, -1/+0]
|
* Allow IPv6 on loopback even where IPv6 is otherwise disabled. The intent of that feature is to prevent IPv6 from communicating on the network. Blocking it on localhost can result in issues and is unnecessary. Ticket #4074 [Chris Buechler, 2014-12-31, 1 file, -0/+3]
|
* Reload Unbound after IP changes, to fix issues noted in Ticket #4095. Do so before Dynamic DNS updates occur to ensure the host has functioning DNS. [Chris Buechler, 2014-12-30, 2 files, -0/+7]
|
* IPsec Widget allow for old settings that have no iketype [Phil Davis, 2014-12-30, 1 file, -1/+1]
|   as mentioned in https://forum.pfsense.org/index.php?topic=84527.msg471919#msg471919
|   This change makes it work like similar if tests in /usr/local/wwwvpn_ipsec.php, and code in /etc/inc/vpn.inc that effectively defaults to ikev1 when iketype is not specified.
|   This should make the code here be executed and make $ikeid get the correct value to be used in later code.
* Allow for old settings that have no iketype [Phil Davis, 2014-12-30, 1 file, -1/+1]
|   This bit of code looks like it could do with the same test as https://github.com/pfsense/pfsense/pull/1412
|   This is executed when the "Connect" button is pressed from Status->IPsec
|   Somebody with these problematic old IPsec entries could test this - with current code I suspect that disconnect followed by connect - it will not connect. With this change it will (might?) connect again.
* Only set route-to and reply-to on ESP and ISAKMP rules if the remote endpoint is not within the parent interface's subnet. Ticket #4157 [Chris Buechler, 2014-12-30, 1 file, -12/+18]
|
* Check for fqdn peerid/myids and prepend @ so strongswan does not try to be smart. Also use %any for myid instead of risking putting the wrong value in the secrets file for traffic selector [Ermal, 2014-12-30, 1 file, -3/+3]
|
* Check for fqdn peerid/myids and prepend @ so strongswan does not try to be smart. Also use %any for myid instead of risking putting the wrong value in the secrets file for traffic selector [Ermal LUÇI, 2014-12-30, 1 file, -5/+13]
|
* Oops this should be 0s rather than 00. Linked with Ticket #4158 [Ermal, 2014-12-30, 1 file, -3/+3]
|
* ipsec_smp_dump_status get out of loop if error [Phil Davis, 2014-12-30, 1 file, -0/+7]
|   when reading response from socket. Otherwise it would be in a loop and end up like:
|   https://forum.pfsense.org/index.php?topic=86039.msg471848#msg471848
|       PHP Fatal error: Maximum execution time of 900 seconds exceeded in /etc/inc/ipsec.inc on line 383
|   This code runs on my system, but I do not know how to induce the possible loop condition to actually test if it would really break out and return nicely.
* Unbreak IPsec rules generation for IPsec over CARP. Should help even Ticket #4157 [Ermal LUÇI, 2014-12-30, 1 file, -1/+1]
|
* Use base64 encoded secrets which Fixes #4158 [Ermal LUÇI, 2014-12-30, 1 file, -4/+4]
|
* Captive portal spelling [Phil Davis, 2014-12-30, 1 file, -2/+2]
|
* Standardise text in priv list [Phil Davis, 2014-12-30, 1 file, -5/+5]
|
* Simplify cron array comparison [Phil Davis, 2014-12-29, 1 file, -7/+1]
|   This works fine - I had not thought about how arrays are compared. Using "==" checks that the key/value pairs match in both arrays, regardless of the order the arrays happen to be in, which is what we want here. Using "===" would insist that the key/value pairs are also in the same order in the array and that the types and everything match identically, which we do not require.
* Minimise config updates when checking cron jobs [Phil Davis, 2014-12-29, 1 file, -3/+17]
|
* Backout pull request #1391 [Colin Fleming, 2014-12-29, 6 files, -95/+0]
|   https://forum.pfsense.org/index.php?topic=85944.0
|   Backout pull request #13191
* Fix unbound shortcut links [Phil Davis, 2014-12-28, 9 files, -15/+21]
|   Fixes redmine #4151
|   1) Make the naming in shortcuts.inc more clear - forwarder=dnsmasq resolver=unbound
|   2) Make the value of $shortcuts_section correct in each dnsmasq and unbound php code
|   3) Make diag_logs_resolver.php smarter, so if dnsmasq is enabled, then show shortcuts for dnsmasq, otherwise show shortcuts for unbound.
|   4) Fix some references to forwarder in unbound code - should be resolver.
* clarify message here after customer feedback, it wasn't meant to imply "only a reboot will re-enable" but that's how some people have read it. [Chris Buechler, 2014-12-26, 2 files, -2/+2]
|
* Update /etc/ttys from new partition when upgrading nanobsd, and in this case do not call reload_ttys(). It should fix #4140 [Renato Botelho, 2014-12-26, 1 file, -3/+5]
|
* Remove unused variable [Renato Botelho, 2014-12-26, 1 file, -3/+0]
|
* Move this check before full sync to disable dnsmasq/unbound in the first time it's sync'd [Renato Botelho, 2014-12-26, 1 file, -12/+12]
|
* Add dnsmasq and unbound config sections to full sync, it fixes #4076 that is caused because boolean config fields are not disabled on secondary [Renato Botelho, 2014-12-26, 1 file, -1/+1]
|
* Display tunnel description on IPsec widget [Phil Davis, 2014-12-26, 1 file, -45/+49]
|   There was not even code to attempt to display the description.
|   Also, when I first created a phase1 and there were no phase2 yet, the widget spat out the warning for the line:
|       foreach ($config['ipsec']['phase2'] as $ph2ent){ ...
|   So I enclosed that in a block:
|       if (isset($config['ipsec']['phase2'])) { ... }
|   Tabbing that block in makes the diff look big when there really is little change - a diff ignoring spacing will look much nicer!
* Correct even other areas of CP using pfSense_ipfw_getTablestats function. [Ermal LUÇI, 2014-12-24, 3 files, -3/+3]
|
* Correctly call function for retrieving stats from ipfw. Fixes #4131 [Ermal LUÇI, 2014-12-24, 1 file, -2/+2]
|
* Fixes #4130 Check for a certain size of file to start showing data on dashboard and avoiding xml parser errors [Ermal LUÇI, 2014-12-24, 1 file, -0/+4]
|
* Fix displaying description for IKEv1 connected tunnels [Ermal LUÇI, 2014-12-24, 2 files, -11/+8]
|
* Oops remove variable with same name unused! [Ermal LUÇI, 2014-12-24, 1 file, -1/+1]
|
* Add checks for ghost phase2 and no need to check for number of phase2 here [Ermal LUÇI, 2014-12-24, 1 file, -3/+3]
|
* Correct skipping of disabled tunnels [Ermal LUÇI, 2014-12-24, 1 file, -1/+1]
|
* Make this function readable [Ermal LUÇI, 2014-12-24, 1 file, -5/+4]
|
* Correct status counter of inactive tunnels [Ermal LUÇI, 2014-12-24, 1 file, -0/+8]
|
* Merge pull request #1395 from wagonza/RELENG_2_2 [Renato Botelho, 2014-12-24, 2 files, -21/+1]
|\
| * Remove option that has now been merged into infra-host-ttl. [Warren Baker, 2014-12-19, 2 files, -21/+1]
| |
* | Oops do not override ipsec status array! [Ermal LUÇI, 2014-12-23, 1 file, -2/+2]
| |
* | Reboot not required for password protect console menu [Phil Davis, 2014-12-23, 1 file, -2/+0]
| |   On my systems I can toggle and save "Password protect the console menu" back and forth and the console switches back and forth from the menu to a login prompt in real time. IMHO a reboot is no longer needed. Removing this note might save some people unnecessary reboot time.
* | Handle firewall log widget display formats [Phil Davis, 2014-12-23, 1 file, -10/+46]
| |   the same way for the initial display and for updated rows done by JavaScript.
| |   Now we receive the source IP and port, destination IP and port, all in separate fields so they can be put together in whatever combination for display.
| |   IPv6 displayed addresses are shown inside "[ ]" so that any following port has the standard syntax like "[a:b::c:d]:123" - this makes it obvious that the last numbers are a port number, and not part of the IPv6 address.
| |   The "title" has IP+Port - that is displayed when hovering over the box in general.
| |   The href to diag_dns.php has hover text "Reverse Resolve with DNS" and the "?host=" sends just the IP address (without IPv6 square brackets).
| |   The text displayed in the link is the IP address (with square brackets if an IPv6 address).
| |   For the destination column, if there is a destination port, it is displayed in ordinary text ":port" after the IP address.
| |   The blank not-displayed row at the end of the table is removed - this fixes the problem with counting the rows of the table where rows would disappear at each update.
* | Interfaces widget remove blank line if no IPv4 address [Phil Davis, 2014-12-23, 1 file, -2/+1]
| |   If the interface had an IPv6 address but no IPv4 address, there was a blank line where the IPv4 address would have been. There is no need for that, and one day IPv4 will be old legacy and systems will routinely have no IPv4 addresses at all - they will all be IPv6. Might as well make that look ordinary on the display now.
| |   The br goes in the div so we can put it in and out from the AJAX also.