This commit deals with ipsec.conf file drafting. In terms of mobile clients option 'rightsourceip' now may be:
1) empty if no pools are configured;
2) %pool_address%/%pool_netbits% for an IPv4 only option;
3) %pool_address_v6%/%pool_netbits_v6% for an IPv6 only option;
4) %pool_address%/%pool_netbits%,%pool_address_v6%/%pool_netbits_v6% for a dual stack option.
Registrations of static mappings do not always use the system domain. The domains configured for individual static mappings or for the DHCP servers always had higher priority. Static mapping registrations work for both DHCPv6 and DHCPv4, dynamic lease registrations only for DHCPv4.
'domain' was replaced by 'domainsearchlist' in #3824 because 'domain' is not used by dhcpdv6. But it is used by unbound and dnsmasq for DNS registration of DHCP static mappings. Just set it to the first entry of the domain search list.
'domain' was removed in #3824 because it is not used by dhcpdv6. But it is used by unbound and dnsmasq for DNS registration of DHCP static mappings. Just set it to the first entry of the domain search list.
Always check if voucher is not expired (either
because of never expires or because of expiry
date is in the future) and ensure session timeout
will be the lowest of validity based on the first
usage, the starttime or expiry (if not never expires).
If one of those conditions is not true, reject
authentication.
Fix #3930
For tracking LAN interfaces with manual configuration disabled, some odd radvd configuration choices were made:
MinRtrAdvInterval / MaxRtrAdvInterval were set to very low values (3 / 10) for no apparent reason. Now removed so radvd defaults (200 / 600) will be used.
The DHCPv6 server is enabled and configured with a range6, but the Managed flag was not set. Now set to on.
DeprecatePrefix was only set if the IPv6 configuration type of the tracked WAN interface was SLAAC. Now always set to on.
Small improvement: when trying to create a new cert for a user, you need to delete the old cert, which is difficult to distinguish because both have the same name (validity helps), and the new cert very often needs to use the same CA; set this one as default when requesting a new one.
The Router Address flag "indicates that the Prefix field contains a complete IP address assigned to the sending router" (RFC 6275). This does not apply, we only send a prefix. This flag is only relevant for Mobile IPv6.
It has been there (for unknown reasons) since pfSense switched to radvd 8 years ago: 3f9cc8e44c