Denial of Service with IPv6 Router Advertisements. Where a system is
using DHCPv6 WAN type, devices on the same broadcast domain as that
WAN can send crafted packets causing the system to lose IPv6 Internet
Multiple OpenSSL vulnerabilities. Most aren’t applicable, and the
worst impact is denial of service.
Fixed invalid ruleset generation that occurred when using port
forwards with destination “any” on a DHCP client WAN-type interface
with pure NAT mode reflection enabled, while the interface has link
up but is unable to reach a DHCP server for an extended period.
Allow the use of version IPv4+IPv6 on firewall rules without
restrictions on protocol. The former restrictions date back to
earlier base software versions, and are no longer applicable.
Omit route-to from rules specifying a specific gateway when that
gateway is forced down.
Use the subnet address when forming rules for networks, rather than
the interface IP address.
Added SCTP to the protocol drop-down for firewall rules.
Enforce disabling of “prefer old SAs” option. When the GUI
configuration checkbox was removed in 2.2.1, it fell through to the
default of the underlying software in many cases, leaving the option
enabled instead of disabled. Having this option enabled will cause
connectivity problems after rekeying in many circumstances. Upgrading
to 2.2.2 will fix this.
strongSwan upgraded to 5.3.0
Don’t apply mobile IPsec phase 2 PFS configuration to non-mobile
Atheros wireless driver updated to latest from FreeBSD 11-CURRENT.
Not many changes since 2.2.1-RELEASE.
Wireless cards removed from ALTQ-capable interfaces (traffic shaper
capability) since that isn’t supported at the moment.
New option “auto” added for Standard. This omits configuring the mode
with ifconfig, which currently can trigger driver problems that don’t
exist when the mode is not specified. Standard “auto” is preferred,
and possibly required, for BSS and IBSS wireless modes with Atheros
cards (at a minimum, potentially others).
SSL certificate validation disabled for selfhost - their certificate
chain had a problem that made OpenSSL fail verification, making the
#4545 The provider
fixed the issue after 2.2.2-RELEASE, so verification has been
re-enabled for 2.2.3 and newer.