path: root/etc
Commit message (Author, Age, Files, Lines)
* Bump latest_config version that I forgot on previous commit. Spotted by Jim Pingle (Renato Botelho, 2014-12-17, 1 file, -1/+1)
|
* syslogd can't just be HUPed to pick up its new config, as many of those (Chris Buechler, 2014-12-17, 1 file, -3/+3)
|   are command line arguments. Go back to 2.1x and prior behavior of TERM and restart. Fixes source IP use with syslog among other config changes.
* Add a cron item to expire items from webConfiguratorlockout, also add config upgrade code. (Renato Botelho, 2014-12-17, 1 file, -0/+14)
|   This fixes #4122
* Check if interface is disabled when configuring DHCP server. It fixes #4119 (Renato Botelho, 2014-12-17, 1 file, -2/+5)
|
* Give the proper value for the logging level since even 0 is the correct value coming from GUI. (Ermal LUÇI, 2014-12-17, 1 file, -1/+1)
|
* Make logic more visible as suggested by Ermal (Renato Botelho, 2014-12-16, 1 file, -1/+6)
|
* Teach interface_vip_bring_down() to deal with IP Alias over CARP (Renato Botelho, 2014-12-16, 1 file, -1/+7)
|
* Add DNS Resolver to the list of services to be sync'd on HA, make sure it and DNS Forwarder are not enabled simultaneously. (Renato Botelho, 2014-12-15, 1 file, -2/+6)
|   It fixes #4067
* Use newline to separate unbound custom options during config upgrade, it should fix #4104 (Renato Botelho, 2014-12-15, 1 file, -4/+4)
|
* Where binding Unbound to *:53, set "interface-automatic: yes" so replies are sourced from the correct IP. (Chris Buechler, 2014-12-13, 1 file, -0/+1)
|   Ideally this should always work this way, but setting this causes Unbound to bind to *:53, which shouldn't happen where specific interfaces are chosen. Ticket #4111
* Validation of y/n answers in setlanip (Phil Davis, 2014-12-12, 1 file, -31/+33)
|   At the moment the user can answer "yes" to most of the questions, but then later code only checks if the answer is "y". Thus you can type in "yes" in some places, have it accepted, but actually the negative action is taken. That is weird and will mess up people who try typing a whole string starting with "y". With this change it makes the user type one of "y", "yes", "n", "no". When they type 1 of those, it is turned into either "y" or "n". Then the existing implementation logic all works as expected. Hopefully this is the "final" version that fixes the behavior of the (y/n) questions. I also included the bit at 296-297 which adds the CIDR bit-count range to the prompt, so the user can see exactly what input is valid/expected there. Redmine issue #4100
* rc.initial.setlanip fix validation of CIDR within range (Phil Davis, 2014-12-12, 1 file, -1/+1)
|   Currently this allows the user to input any number for the CIDR. I happened to try 44 for an IPv4 CIDR when playing. This fixes that little bug - I think it is good to commit that first/separately so it can be identified apart from the other (y/n) checking/handling I am working on. Better to have separate commits for distinct bugs.
* Split ICMP and ICMPv6 types on Firewall Rules (Renato Botelho, 2014-12-11, 1 file, -0/+61)
|   - Remove redundant declaration of $icmptypes and move it to a common place (filter.inc)
|   - Add missing ICMP types for v4
|   - Add ICMPv6 types
|   - Adjust javascripts to show correct options depending on IP Protocol
|   - Hide ICMP type selection when protocol is IPv4+v6
|   It fixes #3389
* Fix #4099: (Renato Botelho, 2014-12-11, 1 file, -1/+3)
|   - When interface is 'lo0', strpos returns 0, that is erroneously considered false (boolean) on the test. Be more strict on strpos return to avoid skipping lo0 ip aliases during sync.
* Improve check if no OpenVPN defined (Phil Davis, 2014-12-11, 1 file, -1/+2)
|   Alternate version of https://github.com/pfsense/pfsense/pull/1376
|   This version retains the is_array() checks and then only does the count() if the is_array() is true. Take whichever version you like.
* Setup ddb on all platforms. On full install it will save the dump, on NanoBSD it will print to console and auto-reboot. (jim-p, 2014-12-10, 2 files, -6/+6)
|   This way, a router running NanoBSD won't sit at a db> prompt indefinitely if it crashes.
* Make sure this message is only displayed on console (Renato Botelho, 2014-12-10, 1 file, -1/+2)
|
* get_failover_interface() is already called inside get_interface_ip(v6), no need to call it twice. (Renato Botelho, 2014-12-10, 1 file, -4/+2)
|   It should fix #4089
* Use exit instead of return here, otherwise script's return code is always 0 and user with wrong password is authenticated (Renato Botelho, 2014-12-08, 1 file, -4/+4)
|
* Provide success return indication from console_configure_dhcpd (Phil Davis, 2014-12-07, 1 file, -0/+1)
|   Recent commit https://github.com/pfsense/pfsense/commit/9ea554ee5cb25ea3bf5bb6bf7997c6c7379ce349 added testing of the return status of console_configure_dhcpd() - this let a user effectively abort from doing anything if they have answered "y" to prompt_for_enable_dhcp_server() and are being asked for the start and end of the range, and then decide they do not want to proceed. However, even when they gave good answers, status 0 was being returned. This prevented changes ever being implemented.
|   Redmine: https://redmine.pfsense.org/issues/4080
|   The fix is to return 1 at the routine end, when all is good and the code should proceed.
* Disable RC4 ciphers in lighttpd (Chris Buechler, 2014-12-05, 1 file, -2/+2)
|
* Call filter_configure_sync() is a better fix for #4066, as pointed by Ermal (Renato Botelho, 2014-12-05, 1 file, -3/+2)
|
* Fix #4066: (Renato Botelho, 2014-12-05, 1 file, -3/+12)
|   Make sure pf is configured before other services are restarted when WAN IP changes. The way it was before, 'pass out' rules with route-to still have old IP set as 'from' and some Dynamic DNS ended up not being updated.
* Add RELENG_2_2 to gitsync (Renato Botelho, 2014-12-05, 1 file, -0/+1)
|
* dyn.dns.he.net uses a self-signed cert, disable verification for it. (Chris Buechler, 2014-12-04, 1 file, -0/+1)
|
* Don't try to launch 3gstats unless it's on a valid device. (Chris Buechler, 2014-12-04, 1 file, -2/+4)
|
* Proper CA certificates are in place to validate SSL in these cases where it previously couldn't be, remove disabling of verification. (Chris Buechler, 2014-12-04, 1 file, -22/+3)
|
* Merge pull request #1365 from jean-m-cyr/master (Chris Buechler, 2014-12-04, 1 file, -1/+1)
|\
| * Don't include link-locals as unbound interface candidates (Jean Cyr, 2014-12-04, 1 file, -1/+1)
| |   Unbound does not presently support link-local interfaces.
* | The time has come - bump to 2.2-RC (Chris Buechler, 2014-12-04, 1 file, -1/+1)
| |
* | After discussion with Ermal, remove this to force consumers to send things (Chris Buechler, 2014-12-04, 1 file, -7/+0)
| |   properly. I fixed the scenario in Unbound where it was sending IPs to these functions rather than an interface, so this has no functional diff.
* | replace spaces with tabs (Chris Buechler, 2014-12-04, 1 file, -2/+2)
|/
* Proper fix was put on f658bac (Ermal LUÇI, 2014-12-04, 1 file, -1/+2)
|   Revert "Can't skip this if booting, ends up breaking config. Ticket #4071"
|   This reverts commit effb3a3cfe4e57b781f35ba8a145eb627014d8ce.
* Properly unset booting flags to allow dynamic ipsec tunnels to work correctly (Ermal LUÇI, 2014-12-04, 2 files, -3/+6)
|
* change the ordering of dhcpd_configure and unbound_configure here, claims on forum it fixes issue I can't seem to replicate. (Chris Buechler, 2014-12-04, 1 file, -3/+3)
|
* Merge pull request #1360 from jean-m-cyr/master (Chris Buechler, 2014-12-03, 1 file, -5/+7)
|\
| * Link local interfaces don't have subnet.. don't create access-control statement (Jean Cyr, 2014-12-03, 1 file, -5/+7)
| |   Selecting link local interface for unbound causes invalid access-control statement in unbound config since link local address doesn't have subnet.
* | Can't skip this if booting, ends up breaking config. Ticket #4071 (Chris Buechler, 2014-12-03, 1 file, -2/+1)
|/
* fix IPv6 static routes, is_ipaddrv6 returns true for strings including a (Chris Buechler, 2014-12-03, 1 file, -3/+2)
|   CIDR mask, which then ended up broken.
* Change our default resolv-retry back to OpenVPN's default. Changing this (Chris Buechler, 2014-12-03, 1 file, -1/+1)
|   didn't help the ticket where it was intended to help, which was later fixed differently. This change in defaults is problematic in a lot of scenarios, go back to the way things were before. Ticket #3894
* Merge pull request #1357 from DasTestament/patch-1 (Chris Buechler, 2014-12-02, 1 file, -1/+1)
|\
| * Update filter.inc (Dmitriy K., 2014-12-01, 1 file, -1/+1)
| |   Add missing gettext.
| |   p.s: Is it really needed to log? Lots of rules causes lots of spam on ifaces without gw. Such kind of this logging should be controllable by user via option at least.
* | reload Unbound here, fixes some instances of PD-assigned v6 IPs missing from unbound.conf (Chris Buechler, 2014-12-02, 1 file, -0/+3)
| |
* | If get_interface_ip(v6) is passed an IP, return the IP. (Chris Buechler, 2014-12-02, 2 files, -6/+19)
| |   Properly set up interface binding for v6 link local IPs. Ticket #4021 except had to comment out the fix for now because of #4062 to avoid config breakage.
* | Use clog -f /var/log/filter.log to view firewall log entries, so they are displayed in the new format. (jim-p, 2014-12-02, 1 file, -1/+1)
| |
* | wait 10 minutes before retrying on soft failures to avoid us getting DoSed (Chris Buechler, 2014-12-02, 1 file, -1/+1)
| |   if something is wrong there (like someone's system can't validate the cert)
* | don't include cert.pem in the obsoletedfiles list. (Chris Buechler, 2014-12-02, 1 file, -1/+0)
| |
* | Preserve exit code lost from s/exit/return/ (Ermal LUÇI, 2014-12-02, 2 files, -3/+3)
| |
* | Cleanup whitespace. (Ermal LUÇI, 2014-12-02, 1 file, -3/+1)
| |
* | Remove exit from as much as possible backend code (Ermal LUÇI, 2014-12-02, 2 files, -9/+9)
| |