| Commit message | Author | Age | Files | Lines |
|
- Unbound advanced options may contain double quotes and it breaks the
syntax when a backup is restored because newlines are trimmed. Saving it
in base64 format is a safe way to prevent it
- Bump config version to 11.5
- Provide upgrade code to encode current config or the one that came
from unbound package on 2.1.5
|
When an interface is waiting to get DHCP, but the cable is physically-electrically connected to the upstream device, the interface has an IPv4 address 0.0.0.0 - that was getting past here and, if the interface gateway had a monitor IP specified, that monitor IP was being put into apinger.conf and being monitored. Because the interface has not got a gateway yet, no static route is added to force the traffic for the monitor IP out the particular interface. So the traffic to the monitor IP can follow the default route and perhaps succeed in getting out another WAN to the monitor IP.
The downstream results of this were:
1) Gateway status appears up and reports real RTT and Loss statistics, even though the interface is down.
2) Generation of rules for a gateway group that has this gateway as tier1 will think it is up, and thus try to policy-route traffic to it - which then does not get anywhere.
3) DynDNS status of a gateway group that has this gateway as tier1 shows the cached IP in red - it thinks the interface/gateway is up and tries to find the public IP by trying to get to checkip.dyndns.com through the interface/gateway. That of course fails.
4) I'm sure there are other things that depend on checking gateway and gateway group status that would also be getting it wrong in this condition, because apinger is being told to monitor, and manages to successfully monitor, an interface/gateway that has not yet got DHCP.
When waiting for DHCP, ifconfig shows like this on my system (WAN is on a cable to a VLAN switch):
vr0_vlan70: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 00:0d:b9:24:59:c0
inet6 fe80::20d:b9ff:fe24:59c0%vr0_vlan70 prefixlen 64 scopeid 0xf
inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vlan: 70 vlanpcp: 0 parent interface: vr0
From what I can see, this little 2-line fix ends up correcting all the downstream effects I listed above.
Should fix RedMine #4094
|
Reported by forum https://forum.pfsense.org/index.php?topic=86146.0
Also, if there are input validation errors, save the user-entered data and re-display it, making it easier for the user to just correct the data in error and press Test again. It was blanking out all the entered data.
|
and module names and other bits of formatting and typos in header
comment sections.
|
Noticed these had the copyright twice
|
and NAT. Ticket #4169
|
11.4. It fixes #4163
|
that feature is to prevent IPv6 from communicating on the network. Blocking it on localhost can result in issues and is unnecessary. Ticket #4074
|
before Dynamic DNS updates occur to ensure the host has functioning DNS.
|
as mentioned in https://forum.pfsense.org/index.php?topic=84527.msg471919#msg471919
This change makes it work like similar if tests in /usr/local/wwwvpn_ipsec.php, and code in /etc/inc/vpn.inc that effectively defaults to ikev1 when iketype is not specified.
This should make the code here be executed and make $ikeid get the correct value to be used in later code.
|
This bit of code looks like it could do with the same test as https://github.com/pfsense/pfsense/pull/1412
This is executed when the "Connect" button is pressed from Status->IPsec
Somebody with these problematic old IPsec entries could test this - with current code I suspect that disconnect followed by connect - it will not connect. With this change it will (might?) connect again.
|
endpoint is not within the parent interface's subnet. Ticket #4157
|
smart. Also use %any for myid instead of risking putting the wrong value in the secrets file for traffic selector
|
smart. Also use %any for myid instead of risking putting the wrong value in the secrets file for traffic selector
|
when reading response from socket.
Otherwise it would be in a loop and end up like: https://forum.pfsense.org/index.php?topic=86039.msg471848#msg471848
PHP Fatal error: Maximum execution time of 900 seconds exceeded in /etc/inc/ipsec.inc on line 383
This code runs on my system, but I do not know how to induce the possible loop condition to actually test if it would really break out and return nicely.
|
#4157
|
This works fine - I had not thought about how arrays are compared. Using "==" checks that the key/value pairs match in both arrays, regardless of the order the arrays happen to be in, which is what we want here.
Using "===" would insist that the key/value pairs are also in the same order in the array and that the types and everything match identically, which we do not require.
|
https://forum.pfsense.org/index.php?topic=85944.0
Backout pull request #13191
|
Fixes redmine #4151
1) Make the naming in shortcuts.inc more clear - forwarder=dnsmasq
resolver=unbound
2) Make the value of $shortcuts_section correct in each dnsmasq and
unbound php code
3) Make diag_logs_resolver.php smarter, so if dnsmasq is enabled, then
show shortcuts for dnsmasq, otherwise show shortcuts for unbound.
4) Fix some references to forwarder in unbound code - should be
resolver.
|
a reboot will re-enable" but that's how some people have read it.
|
do not call reload_ttys(). It should fix #4140
|
time it's sync'd
|
caused because boolean config fields are not disabled on secondary
|
There was not even code to attempt to display the description.
Also, when I first created a phase1 and there were no phase2 yet, the widget spat out the warning for the line:
foreach ($config['ipsec']['phase2'] as $ph2ent){ ...
So I enclosed that in a block:
if (isset($config['ipsec']['phase2'])) { ... }
Tabbing that block in makes the diff look big when there really is little change - a diff ignoring spacing will look much nicer!
|
dashboard and avoiding xml parser errors
|
On my systems I can toggle and save "Password protect the console menu" back and forth and the console switches back and forth from the menu to a login prompt in real time. IMHO a reboot is no longer needed. Removing this note might save some people unnecessary reboot time.
|
the same way for the initial display and for updated rows done by JavaScript. Now we receive the source IP and port, destination IP and port, all in separate fields so they can be put together in whatever combination for display.
IPv6 displayed addresses are shown inside "[ ]" so that any following port has the standard syntax like "[a:b::c:d]:123" - this makes it obvious that the last numbers are a port number, and not part of the IPv6 address.
The "title" has IP+Port - that is displayed when hovering over the box in general.
The href to diag_dns.php has hover text "Reverse Resolve with DNS" and the "?host=" sends just the IP address (without IPv6 square brackets).
The text displayed in the link is the IP address (with square brackets if an IPv6 address).
For the destination column, if there is a destination port, it is displayed in ordinary text ":port" after the IP address.
The blank not-displayed row at the end of the table is removed - this fixes the problem with counting the rows of the table where rows would disappear at each update.
|
If the interface had an IPv6 address but no IPv4 address, there was a blank line where the IPv4 address would have been. There is no need for that, and one day IPv4 will be old legacy and systems will routinely have no IPv4 addresses at all - they will all be IPv6. Might as well make that look ordinary on the display now.
The br goes in the div so we can put it in and out from the AJAX also.
|