| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Fixes #4202
| |
I was just using console menu option 16 Restart PHP-FPM and it hung on a nanoBSD system.
I found /tmp/php_errors.txt with this in it:
"override rw-r--r-- root/wheel for /usr/local/etc/php.ini?"
Flying blind at the console I entered "y", then /tmp/php_errors.txt had this:
--------
rm: /usr/local/etc/php.ini: Read-only file system
override rw-r--r-- root/wheel for /usr/local/lib/php.ini?
--------
Pressed return at the console and it proceeded, presumably without re-writing php.ini
It works much better when the file system is mounted RW :)
| |
on ruleset to avoid memory pressure and the time limit will then be enforced by the caller
| |
many entries. This makes it not reach the execution timeout with large entries."
This reverts commit 7077addc5a5058fab4b4dc7678270c1000d342c9.
| |
there but it was not being used during init_rules process.
| |
of passthrough entries.
Set the time limit to 0 and restore it back to default value when this is detected.
* Do not leak pipes when reloading ruleset for CP since this will consume available descriptors.
This has been noted before but considered fixed, this is the real fix actually for dnpipes.
| |
crypt() check fails and also is useless to override it since the parameter is passed by value and not by reference.
| |
entries. This makes it not reach the execution timeout with large entries.
| |
This made the pipe configuration wrong at least for passthrough entries. Ticket #3932
| |
When a dynamic gateway is disabled (by the user through the webGUI), it was still being returned by return_gateways_array(). But when called like that, disabled gateways should not be returned. The first part of the routine was correctly skipping disabled gateways, but then the later part would effectively re-generate those dynamic gateways on-the-fly and not realise they should be skipped because they were disabled.
This code now remembers gateway details of all the gateways, including skipped ones, so the dynamic gateway code can easily realise all gateways that have been already processed, even those that were processed and skipped.
Forum: https://forum.pfsense.org/index.php?topic=86565.0
It fixes Gateway Status Widget - now if a dynamic gateway is disabled, it does not appear on the display.
This will also stop disabled dynamic gateways from being returned to other callers. So there may/will be impacts on other parts of the system when a user disables a dynamic gateway. e.g. filter.inc - a gateway that has been disabled by a user cannot be used in rules any more.
| |
special chars in shell and HTTP GET parameter passing. Probably should add POST support to fcgicli.
| |
name is the one needed here.
| |
out too. Revert "PEAR static method call warning"
This reverts commit 4751f76a6772147097906b699d4216ae38c58c39.
| |
messages"
This reverts commit 91b9a02fb131746c67fdf9f34282f123a13f1b13.
| |
Forum https://forum.pfsense.org/index.php?topic=86478.0
PEAR is used by
IPv6.inc
auth.inc
captiveportal.inc
radius.inc
xmlrpc_client.inc
radius_accounting.inc
radius_authentication.inc
I have just changed this 1 function to "public static"
Also used are:
PEAR::raiseError
PEAR::loadExtension (already has "static function")
Not sure if PEAR::raiseError will throw a similar "static method" call
warning, not game to touch it.
| |
with a crash report, this is more noise than useful at this stage in 2.2.
| |
Fix various files that can emit messages like:
PHP Strict Standards: Non-static method SimplePie_Misc::array_unique()
should not be called statically, assuming $this from incompatible
context in /etc/inc/simplepie/simplepie.inc on line 5508
php-fpm[16262]: /rc.newipsecdns: PHP ERROR: Type: 8192, File:
/etc/inc/shaper.inc, Line: 4365, Message: Assigning the return value of
new by reference is deprecated
Some of these style messages have been reported on the forum, e.g.
https://forum.pfsense.org/index.php?topic=86448.0
I had RSS widget on, and simplepie sent the system berserk telling about
all this stuff.
| |
- Move redundant code to a function parse_aliases_file(). Before the max
number of items was not being respected when URL content is updated,
only when alias was saved. Same was happening with ip/subnet/port
validation and user could end up with a bad pf.conf
- Remove unused variables
These changes were based on Pull Request #1264. It should fix #4189
Submitted by: PiBa-NL
| |
be run if the VIP is in the INIT state.
| |
would need a refresh to check if cookie was set or not. Use javascript to do a simple test
| |
parameters were out of order and expiration time was being set as value. It should fix #4069
| |
it for now at least. Ticket #4186
| |
are placed strangely)
A few functions such as ipcmp(), subnet_expand(), and check_subnets_overlap() are in illogical places - away from all the other ip comparison and subnet basic functions and in the middle of alias handling and interface enumeration.
No change to functional code, just moving to earlier in the file (next to other IP compare and subnet functions) for ease of future contributors.
| |
connections. The dashboard will be fixed with the ticket already open. This should fix a lot of instabilities reported on the forums for people having a dozen or more tunnels
| |
strongswan do proper behaviour. Also for DynDNS names use the dns type id so strongswan does the resolving on its own.
| |
previous behavior of setting it to the interface IP.
| |
Also retires IPsec force reloading advanced sysctl since it's useless nowadays with strongswan and removes its call on rc.newipsecdns.
| |
OpenVPN creates the tun/tap interface and, when an IP address is set on
it, marks it as UP. In some scenarios, when TAP is set as bridge and
doesn't have an IP address set on it, it never goes up and the tunnel
doesn't work.
If rc.newwanip is called for this TAP interface, the UP flag is set, but
rc.newwanip is not executed when the system is booting.
Since it always renames the interface and adds it to the group, make sure
it's up here.
| |
set before
| |
Tightens, canonicalises and improves for IPv6, the functions
gen_subnet(), gen_subnetv6(), gen_subnet_max(), gen_subnetv6_max()
Changes are transparent to calling code.
Issues:
1) gen_subnet() and gen_subnet_max() will validate both IPv4 and IPv6 as valid args, but will then try to process an IPv6 subnet bitwise as x32 LONG without further checking, causing erroneous but apparently valid responses.
2) None of the functions properly sanitise their input: if $bits is >32 or >128, or even a non-integer, erroneous results will be passed back to the calling code as valid data without checking, again causing erroneous but apparently valid responses.
3) 3 of the 4 functions return an empty string for invalid but gen_subnetv6_max() returns a numeric value for invalid. Both responses loose-evaluate as False, but consistency is better.
Fixes and improvements:
1) The unspecified functions gen_subnet() and gen_subnet_max() now handle all args correctly, and don't mishandle if unexpectedly passed IPv6 or bad data.
2) Names are now canonical: gen_subnet(), gen_subnet_max() are now IPv4/v6 agnostic, and IPv4-only versions gen_subnetv4() and gen_subnetv4_max() are added as expected to exist, to match existing functions gen_subnetv6() and gen_subnetv6_max().
3) The return value for bad args is made consistent (empty string = False).
4) gen_subnetv6_max() now uses Net_IPv6's Ip2Bin() and Bin2Ip() functions and simple string manipulation rather than bitwise operations, so it's guaranteed 32-bit safe (compared to 128-bit bitwise operations in current code which seem less certain?)
5) Changes are transparent - the canonical functions still work exactly as before on IPv4 (only with proper bad arg validation) but also now work on IPv6 transparently, and on arbitrary IPv4/IPv6 data, similar to other functions like is_ipaddr().
Tested and handles valid but uncommon edge cases of /0, /32 (IPv4) and /128 (IPv6) correctly. Also avoids inet_ntop/pton if that's a real issue (previous PR comment had asked to avoid these functions)
| |
A patch was added to allow setting advskew back to 0
This reverts commit eea2ad5d61b2cbcf2957207fb0f13769c203cb36.
| |
to avoid false positives in common vulnerabilities scanners. It fixes #4069
| |
The following block uses "quick" which causes that block to come into effect before the "pass in" here. The pass rule also needs to be "quick".
Problem noted by Andy Sayler on https://redmine.pfsense.org/issues/4074
Before this change, an attempt to manually do something local with IPv6 fails:
[2.2-RC][root@xxx]/root: ntpq -pn
ntpq: write to localhost failed: Operation not permitted
After this change, it works:
[2.2-RC][root@xxx]/root: ntpq -pn
remote refid st t when poll reach delay offset jitter
==============================================================================
*27.114.150.12 193.190.230.65 2 u 21 64 377 1424.66 -126.52 371.131
Note that there are other pass rules later for IPv6 necessary functions, loopback... that do not have "quick". Those are correct and help to allow various essential IPv6 stuff, but still let someone block it with user rules (which will have quick), in the case when IPv6 Allow is checked.
This one here is just for the special case of IPv6 Allow not set, and in this case this special IPv6 pass-block sequence needs to be done with "quick" so we can be sure it applies regardless of whatever other IPv6 might come later.