2.4.3 New Features and Changes

Security / Errata

  • FreeBSD-SA-18:01.ipsec
  • Kernel PTI mitigations for Meltdown (optional tunable) FreeBSD-SA-18:03.speculative_execution.asc
  • IBRS mitigation for Spectre V2 (requires updated CPU microcode) FreeBSD-SA-18:03.speculative_execution.asc
  • Added a CPU Microcode update mechanism (cpuctl module, sysutils/devcpu-data port)
  • Imported a FreeBSD patch to fix boot issues when running as a hypervisor guest on AMD Family 15h processors (FreeBSD PR #213155)
  • Added validation for RRD parameters to ensure passed filenames are valid #8269
  • Fixed a potential XSS vector in RRD error output encoding #8269 pfSense-SA-18_01.packages
  • Fixed a potential XSS vector in diag_system_activity.php output encoding #8300 pfSense-SA-18_02.webgui
  • Fixed a potential XSS vector in traffic_graphs.widget.php settings #8302 pfSense-SA-18_03.webgui
  • Fixed a potential CSRF issue in service control request processing #8296
  • Enabled CSRF protection for all dashboard widgets #8301
  • Added encoding for firewall schedule range descriptions #8259
  • Changed sshd to use delayed compression #8245
  • Increased PHP-FPM resources on systems with over 1GB RAM to improve performance #8125
  • Imported a netstat fix for ARM platforms to improve performance and reduce CPU usage, especially on the Dashboard #8237
  • Fixed a memory leak in the pfSense_getall_interface_addresses() function in the pfSense PHP module #8249
  • Hardware support for the XG-7100, including:
    • C3000 NIC support (factory installations only)
    • C3000 SoC support (factory installations only)
    • Marvell 88E6190 switch support (factory installations only)

Traffic Shaping / Limiters

  • Fixed hangs due to Limiters and pfsync in HA #4310
  • Added the Chelsio cxl driver to the list of ALTQ capable interfaces #7607
  • Fixed an issue with limiters that had fractional bandwidth values #8091
  • Changed status_queues.php to provide ‘realtime’ statistics #8185

IPsec

  • Changed IPsec Phase 1 to allow selecting both IPv4 and IPv6 so the local side can allow inbound connections to either address family #6886
  • Changed IPsec Phase 1 to allow configuration of multiple IKE encryption algorithms, key lengths, hashes, and DH groups #8186
  • Fixed a problem when IPsec bypasslan was enabled while the LAN interface is disabled or doesn’t have an IP address #8239
  • Added IPv6 LAN Network to the IPsec LAN bypass list #8321

OpenVPN

  • Fixed an error message encountered by a few users when manually killing OpenVPN connections #8266
  • Added an OpenVPN tap bridge configuration option to push the bridged interface address to clients as a route-gateway for routes/redirects #8267
  • Added an option to the DNS Resolver which allows registering the CN of OpenVPN clients as hostnames #6847
  • Added an option to OpenVPN clients and servers to suppress creation of IPv4 or IPv6 gateway addresses for an interface #6848
  • Fixed issues with OpenVPN when using a /31 IPv4 Tunnel Network #8261
  • Updated the OpenVPN wizard with the current UDP and TCP protocol selections #8298
  • Added the interface for a VPN to the OpenVPN client and server list screens

Notifications

  • Changed SMTP notifications handling so they are batched, to avoid sending multiple e-mail messages in a short amount of time #4031
  • Added a notification when the firewall boot sequence is complete #7643

Dashboard

  • Fixed issues with the IPsec dashboard widget causes GUI failure #6318
  • Changed the Dynamic DNS Widget so it shows the description of custom entries to identify them #7843
  • Fixed a reference to deprecated updateGatewayDisplays() function in the Gateways dashboard widget #8303
  • Added a setting to the temperature widget to display readings in Fahrenheit 8205
  • Changed the picture widget so the picture is stored on the firewall filesystem and not in config.xml to reduce the size of backup data #8371
    • On upgrade, pictures will be moved out of config.xml, so backup this file separately if it is important

DHCP

  • Added an option to the DHCP Server Dynamic DNS configuration to set the server key algorithm #6621
  • Added DDNS Client Updates option to DHCPv4 #7131
  • Fixed handling of the DHCPv6 DDNS reverse zone key #6319
  • Fixed DHCPv4 static mappings so that multiple MAC for same DHCP address or hostname are allowed #8220
  • Fixed a potential issue in detecting primary/secondary node in a failover configuration
  • Improved DHCP relay destination interface discovery
  • Fixed DHCPv6 lease display for entries that were not parsed properly from the lease database #7413

Dynamic DNS

  • Added an option for RFC 2136 Dynamic DNS server key algorithm #8244
  • Added an option for RFC 2136 source address used to send updates #8278
  • Fixed issues with Dynamic DNS updates using a gateway group when the primary route is down #8333
  • Added GoDaddy Dynamic DNS provider

Interfaces / VIPs

  • Fixed issues on assign_interfaces.php with large numbers of interfaces #6400
  • Fixed handling of CARP VIPs on disabled interfaces at boot time #6677
  • Fixed issues with radvd being enabled on a disconnected interface #6974
  • Fixed issues with rtsold on VLAN interfaces #7412
  • Fixed issues with dhcp6c lock files after unclean shutdown when using “Do not wait for an RA” on IPv6 WAN interface #8106
  • Added a feature to allow pppoe on a CARP VIP so it will only be active on whichever node is master #8184
  • Fixed an error when editing PPP interfaces on a system with no VIPs #8322
  • Added VLAN priority tagging for DHCPv6 client requests #8200
  • Added support for configuring the DUID type for an IPv6 interfaces #8191
  • Allow custom INIT string for PPP modem SIM Pin and APN settings
  • Added an indicator for disabled interfaces on status_interfaces.php
  • Fixed an issue with the PPP linkup and linkdown scripts and cellular modems
  • Fixed an issue where the combination of CARP with bridging could lead to a deadlock #8056

Packages

  • Fixed reinstall process for missing packages #8183

Captive Portal

  • Fixed Pass-through MAC automatic additions so it does not add duplicate entries #8226
  • Fixed a missing global definition in Captive Portal pass-through MAC removal #8238
  • Fixed Captive Portal voucher sync errors when vouchers are expired or disconnected while the secondary node is master #8317
  • Fixed Captive Portal voucher synchronization between HA nodes #7972

Certificates

  • Fixed automatic SAN handling when the CN of a certificate contains a space #8252
  • Fixed input validation for Certificate SAN values to disallow IP addresses for FQDN/Hostname entries #8275

Gateways/Routing

  • Fixed handling of the Router Lifetime value on services_router_advertisements.php so it allows a value of 0 #7502
  • Added ospf6d to the routing log
  • Allow recursive aliases to be used with static routes

Rules/NAT

  • Fixed various pf “busy” errors when the ruleset is reloaded
  • Fixed issues with editing firewall rules in non-English languages that contain single quotes in translated strings #8219
  • Added an option to disable drag-and-drop of firewall and NAT rules
  • Added a check to prevent 1:1 NAT rules with missing information from being added to the ruleset
  • Added firewall rule tracking ID to rule list (in counter tooltip) and firewall rule edit page #8348
  • Fixed cases where automatic or scripted rules were not getting tracking IDs #8353
  • Added a check to prevent automatic outbound firewall rules with missing information from being added to the ruleset #8360

Users/Authentication

  • Fixed issues with XMLRPC user account synchronization causing GUI inaccessibility on secondary HA nodes #7469
  • Fixed an issue where a user with no privileges could not logout #8297
  • Increased maximum username length from 16 to 32 characters to catch up to the current allowed length in FreeBSD
  • Fixed required field markings on LDAP authentication server configuration fields #8337
  • Fixed display of the LDAP host when testing the GUI authentication source #8338

Misc

  • Fixed NTP Status server time for zones with minute offsets (fractions of an hour) #8129
  • Added support for custom shutdown scripts in /usr/local/etc/rc.d #8182
  • Fixed a references to an undefined function while restoring a config.xml file from an older version #8231
  • Added support to diag_packet_capture.php to capture traffic on the loopback interface #8257
  • Fixed an issue with the RAM disk warning pop-up appearing when no changes were made #8268
  • Fixed an issue with the address familiy selection for remote syslog servers using IPv6 #8323
  • Silenced warnings from sysctl that otherwise went to stderr
  • Added a disk size check to ZFS to prevent it from being used on disk which are too small to contain the OS and swap space #7308
  • Added a check to prevent pfSense-upgrade from running as a non-root user #7762
  • Added an option to disable the IGMP Proxy service #8356
  • Fixed an issue with package handling when restoring a configuration that contains a branch configuration that is not valid for the target system version #8208