2.4.3 New Features and Changes¶
New features and changes for this release of pfSense® software:
Security / Errata¶
Kernel PTI mitigations for Meltdown (optional tunable) FreeBSD-SA-18:03.speculative_execution.asc
IBRS mitigation for Spectre V2 (requires updated CPU microcode) FreeBSD-SA-18:03.speculative_execution.asc
Added a CPU Microcode update mechanism (cpuctl module, sysutils/devcpu-data port)
Imported a FreeBSD patch to fix boot issues when running as a hypervisor guest on AMD Family 15h processors (FreeBSD PR #213155)
Added validation for RRD parameters to ensure passed filenames are valid #8269
Fixed a potential XSS vector in RRD error output encoding #8269 pfSense-SA-18_01.packages
Fixed a potential XSS vector in diag_system_activity.php output encoding #8300 pfSense-SA-18_02.webgui
Fixed a potential XSS vector in traffic_graphs.widget.php settings #8302 pfSense-SA-18_03.webgui
Fixed a potential CSRF issue in service control request processing #8296
Enabled CSRF protection for all dashboard widgets #8301
Added encoding for firewall schedule range descriptions #8259
Changed sshd to use delayed compression #8245
Increased PHP-FPM resources on systems with over 1GB RAM to improve performance #8125
Imported a netstat fix for ARM platforms to improve performance and reduce CPU usage, especially on the Dashboard #8237
Fixed a memory leak in the pfSense_getall_interface_addresses() function in the pfSense PHP module #8249
Hardware support for the XG-7100, including:
C3000 NIC support (factory installations only)
C3000 SoC support (factory installations only)
Marvell 88E6190 switch support (factory installations only)
Traffic Shaping / Limiters¶
IPsec¶
Changed IPsec Phase 1 to allow selecting both IPv4 and IPv6 so the local side can allow inbound connections to either address family #6886
Changed IPsec Phase 1 to allow configuration of multiple IKE encryption algorithms, key lengths, hashes, and DH groups #8186
Fixed a problem when IPsec bypasslan was enabled while the LAN interface is disabled or doesn’t have an IP address #8239
Added IPv6 LAN Network to the IPsec LAN bypass list #8321
OpenVPN¶
Fixed an error message encountered by a few users when manually killing OpenVPN connections #8266
Added an OpenVPN tap bridge configuration option to push the bridged interface address to clients as a route-gateway for routes/redirects #8267
Added an option to the DNS Resolver which allows registering the CN of OpenVPN clients as hostnames #6847
Added an option to OpenVPN clients and servers to suppress creation of IPv4 or IPv6 gateway addresses for an interface #6848
Fixed issues with OpenVPN when using a /31 IPv4 Tunnel Network #8261
Updated the OpenVPN wizard with the current UDP and TCP protocol selections #8298
Added the interface for a VPN to the OpenVPN client and server list screens
Notifications¶
Dashboard¶
Fixed issues with the IPsec dashboard widget causes GUI failure #6318
Changed the Dynamic DNS Widget so it shows the description of custom entries to identify them #7843
Fixed a reference to deprecated updateGatewayDisplays() function in the Gateways dashboard widget #8303
Added a setting to the temperature widget to display readings in Fahrenheit 8205
Changed the picture widget so the picture is stored on the firewall filesystem and not in config.xml to reduce the size of backup data #8371
On upgrade, pictures will be moved out of config.xml, so backup this file separately if it is important
DHCP¶
Added an option to the DHCP Server Dynamic DNS configuration to set the server key algorithm #6621
Added DDNS Client Updates option to DHCPv4 #7131
Fixed handling of the DHCPv6 DDNS reverse zone key #6319
Fixed DHCPv4 static mappings so that multiple MAC for same DHCP address or hostname are allowed #8220
Fixed a potential issue in detecting primary/secondary node in a failover configuration
Improved DHCP relay destination interface discovery
Fixed DHCPv6 lease display for entries that were not parsed properly from the lease database #7413
Dynamic DNS¶
Interfaces / VIPs¶
Fixed issues on assign_interfaces.php with large numbers of interfaces #6400
Fixed handling of CARP VIPs on disabled interfaces at boot time #6677
Fixed issues with radvd being enabled on a disconnected interface #6974
Fixed issues with rtsold on VLAN interfaces #7412
Fixed issues with dhcp6c lock files after unclean shutdown when using “Do not wait for an RA” on IPv6 WAN interface #8106
Added a feature to allow pppoe on a CARP VIP so it will only be active on whichever node is master #8184
Fixed an error when editing PPP interfaces on a system with no VIPs #8322
Added VLAN priority tagging for DHCPv6 client requests #8200
Added support for configuring the DUID type for an IPv6 interfaces #8191
Allow custom INIT string for PPP modem SIM Pin and APN settings
Added an indicator for disabled interfaces on status_interfaces.php
Fixed an issue with the PPP linkup and linkdown scripts and cellular modems
Fixed an issue where the combination of CARP with bridging could lead to a deadlock #8056
Captive Portal¶
Fixed Pass-through MAC automatic additions so it does not add duplicate entries #8226
Fixed a missing global definition in Captive Portal pass-through MAC removal #8238
Fixed Captive Portal voucher sync errors when vouchers are expired or disconnected while the secondary node is master #8317
Fixed Captive Portal voucher synchronization between HA nodes #7972
Certificates¶
Gateways/Routing¶
Fixed handling of the Router Lifetime value on services_router_advertisements.php so it allows a value of 0 #7502
Added ospf6d to the routing log
Allow recursive aliases to be used with static routes
Rules/NAT¶
Fixed various pf “busy” errors when the ruleset is reloaded
Fixed issues with editing firewall rules in non-English languages that contain single quotes in translated strings #8219
Added an option to disable drag-and-drop of firewall and NAT rules
Added a check to prevent 1:1 NAT rules with missing information from being added to the ruleset
Added firewall rule tracking ID to rule list (in counter tooltip) and firewall rule edit page #8348
Fixed cases where automatic or scripted rules were not getting tracking IDs #8353
Added a check to prevent automatic outbound firewall rules with missing information from being added to the ruleset #8360
Users/Authentication¶
Fixed issues with XMLRPC user account synchronization causing GUI inaccessibility on secondary HA nodes #7469
Fixed an issue where a user with no privileges could not logout #8297
Increased maximum username length from 16 to 32 characters to catch up to the current allowed length in FreeBSD
Fixed required field markings on LDAP authentication server configuration fields #8337
Fixed display of the LDAP host when testing the GUI authentication source #8338
Misc¶
Fixed NTP Status server time for zones with minute offsets (fractions of an hour) #8129
Added support for custom shutdown scripts in /usr/local/etc/rc.d #8182
Fixed a references to an undefined function while restoring a config.xml file from an older version #8231
Added support to diag_packet_capture.php to capture traffic on the loopback interface #8257
Fixed an issue with the RAM disk warning pop-up appearing when no changes were made #8268
Fixed an issue with the address familiy selection for remote syslog servers using IPv6 #8323
Silenced warnings from sysctl that otherwise went to stderr
Added a disk size check to ZFS to prevent it from being used on disk which are too small to contain the OS and swap space #7308
Added a check to prevent pfSense-upgrade from running as a non-root user #7762
Added an option to disable the IGMP Proxy service #8356
Fixed an issue with package handling when restoring a configuration that contains a branch configuration that is not valid for the target system version #8208