2.4.3 New Features and Changes

From pfSense Documentation
Revision as of 15:28, 16 February 2018 by Jimp (talk | contribs) (Created page with "Category:FAQCategory:Releases =Security / Errata= * Added validation for RRD parameters to ensure passed filenames are valid [https://redmine.pfsense.org/issues/8269...")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Security / Errata

  • Added validation for RRD parameters to ensure passed filenames are valid #8269
  • Fixed a potential XSS vector in RRD error output encoding #8269 pfSense-SA-18_01.packages
  • Fixed a potential XSS vector in diag_system_activity.php output encoding #8300 pfSense-SA-18_02.webgui
  • Fixed a potential XSS vector in traffic_graphs.widget.php settings #8302 pfSense-SA-18_03.webgui
  • Fixed a potential CSRF issue in service control request processing #8296
  • Enabled CSRF protection for all dashboard widgets #8301
  • Added encoding for firewall schedule range descriptions #8259
  • Changed sshd to use delayed compression #8245
  • Increased PHP-FPM resources on systems with over 1GB RAM to improve performance #8125
  • Imported a netstat fix for ARM platforms to improve performance and reduce CPU usage, especially on the Dashboard #8237
  • Fixed a memory leak in the pfSense_getall_interface_addresses() function in the pfSense PHP module #8249

Traffic Shaping / Limiters

  • Fixed hangs due to Limiters and pfsync in HA #4310
  • Added the Chelsio cxl driver to the list of ALTQ capable interfaces #7607
  • Fixed an issue with limiters that had fractional bandwidth values #8091
  • Changed status_queues.php to provide 'realtime' statistics #8185


  • Changed IPsec Phase 1 to allow selecting both IPv4 and IPv6 so the local side can allow inbound connections to either address family #6886
  • Changed IPsec Phase 1 to allow configuration of multiple IKE encryption algorithms, key lengths, hashes, and DH groups #8186
  • Fixed a problem when IPsec bypasslan was enabled while the LAN interface is disabled or doesn't have an IP address #8239
  • Added IPv6 LAN Network to the IPsec LAN bypass list #8321


  • Fixed an error message encountered by a few users when manually killing OpenVPN connections #8266
  • Added an OpenVPN tap bridge configuration option to push the bridged interface address to clients as a route-gateway for routes/redirects #8267
  • Added an option to the DNS Resolver which allows registering the CN of OpenVPN clients as hostnames #6847
  • Added an option to OpenVPN clients and servers to suppress creation of IPv4 or IPv6 gateway addresses for an interface #6848
  • Fixed issues with OpenVPN when using a /31 IPv4 Tunnel Network #8261
  • Updated the OpenVPN wizard with the current UDP and TCP protocol selections #8298
  • Added the interface for a VPN to the OpenVPN client and server list screens


  • Changed SMTP notifications handling so they are batched, to avoid sending multiple e-mail messages in a short amount of time #4031
  • Added a notification when the firewall boot sequence is complete #7643


  • Fixed issues with the IPsec dashboard widget causes GUI failure #6318
  • Changed the Dynamic DNS Widget so it shows the description of custom entries to identify them #7843
  • Fixed a reference to deprecated updateGatewayDisplays() function in the Gateways dashboard widget #8303
  • Added a setting to the temperature widget to display readings in Fahrenheit 8205


  • Added an option to the DHCP Server Dynamic DNS configuration to set the server key algorithm #6621
  • Added DDNS Client Updates option to DHCPv4 #7131
  • Fixed handling of the DHCPv6 DDNS reverse zone key #6319
  • Fixed DHCPv4 static mappings so that multiple MAC for same DHCP address or hostname are allowed #8220
  • Fixed a potential issue in detecting primary/secondary node in a failover configuration
  • Improved DHCP relay destination interface discovery

Dynamic DNS

  • Added an option for RFC 2136 Dynamic DNS server key algorithm #8244
  • Added an option for RFC 2136 source address used to send updates #8278
  • Fixed issues with Dynamic DNS updates using a gateway group when the primary route is down #8333
  • Added GoDaddy Dynamic DNS provider

Interfaces / VIPs

  • Fixed issues on assign_interfaces.php with large numbers of interfaces #6400
  • Fixed handling of CARP VIPs on disabled interfaces at boot time #6677
  • Fixed issues with radvd being enabled on a disconnected interface #6974
  • Fixed issues with rtsold on VLAN interfaces #7412
  • Fixed issues with dhcp6c lock files after unclean shutdown when using "Do not wait for an RA" on IPv6 WAN interface #8106
  • Added a feature to allow pppoe on a CARP VIP so it will only be active on whichever node is master #8184
  • Fixed an error when editing PPP interfaces on a system with no VIPs #8322
  • Added VLAN priority tagging for DHCPv6 client requests #8200
  • Added support for configuring the DUID type for an IPv6 interfaces #8191
  • Allow custom INIT string for PPP modem SIM Pin and APN settings
  • Added an indicator for disabled interfaces on status_interfaces.php
  • Fixed an issue with the PPP linkup and linkdown scripts and cellular modems
  • Fixed the NID generation utility to work with systems having more than 16 hardware interfaces #8319


  • Fixed reinstall process for missing packages #8183

Captive Portal

  • Fixed Pass-through MAC automatic additions so it does not add duplicate entries #8226
  • Fixed a missing global definition in Captive Portal pass-through MAC removal #8238
  • Fixed Captive Portal voucher sync errors when vouchers are expired or disconnected while the secondary node is master #8317


  • Fixed automatic SAN handling when the CN of a certificate contains a space #8252
  • Fixed input validation for Certificate SAN values to disallow IP addresses for FQDN/Hostname entries #8275


  • Fixed handling of the Router Lifetime value on services_router_advertisements.php so it allows a value of 0 #7502
  • Added ospf6d to the routing log
  • Allow recursive aliases to be used with static routes


  • Fixed various pf "busy" errors when the ruleset is reloaded
  • Fixed issues with editing firewall rules in non-English languages that contain single quotes in translated strings #8219
  • Added an option to disable drag-and-drop of firewall and NAT rules
  • Added a check to prevent 1:1 NAT rules with missing information from being added to the ruleset


  • Fixed NTP Status server time for zones with minute offsets (fractions of an hour) #8129
  • Added support for custom shutdown scripts in /usr/local/etc/rc.d #8182
  • Fixed a references to an undefined function while restoring a config.xml file from an older version #8231
  • Added support to diag_packet_capture.php to capture traffic on the loopback interface #8257
  • Fixed an issue with the RAM disk warning pop-up appearing when no changes were made #8268
  • Fixed an issue where a user with no privileges could not logout #8297
  • Fixed an issue with the address familiy selection for remote syslog servers using IPv6 #8323
  • Silenced warnings from sysctl that otherwise went to stderr
  • Increased maximum username length from 16 to 32 characters to catch up to the current allowed length in FreeBSD