OPNSense/core 4261e92 src/opnsense/mvc/app/views/layout_partials form_input_tr.volt

mvc/forms, accept style keyword on all input types, needed when working on 
https://github.com/opnsense/core/issues/2787

(cherry picked from commit 9f675d4078af6e162f3112850b33cd9817c20779)

OPNSense/tools 1fb368d config/18.7 ports.conf, config/19.1 ports.conf

config: compatibility issues for now

OPNSense/core 7025657 src/etc/inc/plugins.inc.d unbound.inc

unbound: spacing, cleanups, proper IPv4 and IPv6 lookup

OPNSense/core 821f7ee src/etc/inc util.inc, src/etc/inc/plugins.inc.d unbound.inc

unbound: remove superfluous msort() function

(cherry picked from commit 490a68e8c13af4d1252e06a3cf849b5ae5878fc4)

OPNSense/core c246acb src/etc/inc system.inc, src/etc/inc/plugins.inc.d unbound.inc

unbound: set up a full chroot including local log socket #2791

(cherry picked from commit 2d5d392bc2b722ab9f52aeb624d42317a78288fb)

OPNSense/core 9c927cd src/etc/inc interfaces.inc

interfaces: get pfsync0 mtu from real interface

(cherry picked from commit 15acbad935feff843b201b3379c744173a588441)
(cherry picked from commit a1a153946a8849a7459b1e83909177f72c6cce93)

OPNSense/core d4b6021 src/etc/inc interfaces.inc

on link down, don't try to remove carp addresses, for 
https://github.com/opnsense/core/issues/2780

(cherry picked from commit e720c570d9282220679bbc260d0284fcad0babf9)

OPNSense/core 86e103d src/etc/inc util.inc

system: zap unused argument in get_configured_ip_aliases_list()

(cherry picked from commit 352428ba5c4b8a03151afe1089331bd452469542)

OPNSense/core 653c3d4 src/etc/inc config.inc

system: small config read changes from master
Delta    File
+24 -24  src/etc/inc/config.inc
+24 -24  1 file

OPNSense/core 352428b src/etc/inc util.inc

system: zap unused argument in get_configured_ip_aliases_list()

OPNSense/core b9b2049 src/etc/inc util.inc

system: more utils changes (manual merges)
Delta    File
+13 -21  src/etc/inc/util.inc
+13 -21  1 file

OPNSense/core e804f9b src/etc/inc util.inc

system: cleanups in utility functions
Delta    File
+21 -27  src/etc/inc/util.inc
+21 -27  1 file

OPNSense/plugins 0fc7a42 www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx index.volt

www/nginx: working prototype of key value map

OPNSense/core 2cdfd44 src/opnsense/mvc/app/models/OPNsense/Core/ACL ACL.xml, src/opnsense/service/templates/OPNsense/Filter filter_tables.conf

firewall: switch to alias API take two

OPNSense/core 0525c8b src/opnsense/mvc/app/models/OPNsense/Base BaseModel.php, src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes BaseField.php

mvc: refactor __items

PR: https://github.com/opnsense/core/issues/2670

(cherry picked from commit faca5333674cab7921447dfb5020c300cc84f6d0)
(cherry picked from commit 8fba640bc680c8d7a03453445baac5d6ce831048)
(cherry picked from commit 597df08183d289f7c62f39d30a4d4a837f3fd21c)
(cherry picked from commit 239e89fd5f7787fe26f0bbb42604c65a8826b8a9)

OPNSense/core c280fec src/www diag_testport.php diag_ping.php

interfaces: merge part of get_possible_listen_ips() removal

OPNSense/core 749f7f7 src/etc rc.newwanipv6

interfaces: top part of fix faulty DNS in IPv6 #2822
Delta    File
+10 -2   src/etc/rc.newwanipv6
+10 -2   1 file

OPNSense/core e01d6c7 src/opnsense/scripts/firmware health.sh

firmware: unify temp file handling in health audit

OPNSense/ports 505c552 opnsense/opnsense-update distinfo Makefile

opnsense/opnsense-update: base / kernel updates

OPNSense/core e23a636 src/opnsense/scripts/firmware health.sh

firmware: finish mtree for base/kernel

OPNSense/core 84224e5 src/opnsense/mvc/app/controllers/OPNsense/TrafficShaper/forms dialogPipe.xml dialogQueue.xml, src/opnsense/mvc/app/models/OPNsense/TrafficShaper TrafficShaper.xml

firewall: support PIE shaper

(cherry picked from commit c00b2f8bc96581b43f83dde7257dbd5183302712)
(cherry picked from commit 4ee3738cdb3c2a960cfe4f642959dec9e3c4804a)
(cherry picked from commit ae4973fb2e43e7dfeb118db4850375f00f3f7c08)
(cherry picked from commit 5e0cb74b4b213eb52e8d3c1e048a9058fa510692)
(cherry picked from commit 2a26272f120135eeebccabe9d51da82060b096c0)
(cherry picked from commit d7e17e060c5a76184d2f2cb2f61c884b32a7707a)
(cherry picked from commit 8697919555d56bbb33f85c876cb0287e079c9b57)
(cherry picked from commit b410530382ea8601b8ef0f33b3dd5950b07a5dc7)
(cherry picked from commit 869941a5cbdca07d1b2735d2419c0fff03ad2eeb)
(cherry picked from commit 81e5aaae78a9d3959c84e1ab656b2213aa259737)
(cherry picked from commit 927b68b232c9ecc5213eeec159f6021e315f1273)
(cherry picked from commit d1bbe29c6ab8edcc6eb5964f501c80c8a47f078d)
(cherry picked from commit bf348813487efaf8c9c3b8f5d5f693795d8e25ee)

OPNSense/core 702f9af src/etc/rc.syshook.d/carp 20-openvpn

openvpn: yes, this script is useful

But maybe it should be optional rather than mandatory /
with convoluted logic to figure out what to do.

OPNSense/plugins d0be2d2 net/frr Makefile, net/frr/src/etc/inc/plugins.inc.d frr.inc

net/frr: CARP stop / start script

OPNSense/ports ba13bb1 net/quagga Makefile

net/quagga: sync with upstream

Taken from: HardenedBSD

OPNSense/ports af67f0d net/frr5 Makefile

net/frr5: sync with upstream

Taken from: HardenedBSD
Delta    File
+1 -1    net/frr5/Makefile
+1 -1    1 file

OPNSense/ports 2c5771e net/frr3 Makefile

net/frr3: sync with upstream

Taken from: HardenedBSD
Delta    File
+1 -1    net/frr3/Makefile
+1 -1    1 file

OPNSense/ports 855c674 www/p5-Mojolicious distinfo pkg-plist

www/p5-Mojolicious: sync with upstream

Taken from: HardenedBSD

OPNSense/ports b3c416e devel/p5-Test-Script Makefile

devel/p5-Test-Script: sync with upstream

Taken from: HardenedBSD

OPNSense/ports fe4ebae security/py-paramiko distinfo Makefile

security/py-paramiko: sync with upstream

Taken from: HardenedBSD

OPNSense/core be0cdeb src/etc rc.freebsd, src/etc/inc system.inc

rc: improvements in FreeBSD startup scripting; closes #2569

* Use rcorder to correctly order the startup sequence, which
  will avoid further workarounds in plugins.
* Defer the execution of /etc/rc.d/ipfw due to bug #2569,
  while also removing the previous non-functional workaround.

OPNSense/ports f1f8bab editors/kak-lsp distinfo Makefile, math/openmesh pkg-plist

*/*: sync with upstream

Taken from: HardenedBSD

OPNSense/core 389b9d4 src/opnsense/scripts/firmware check.sh

firmware: use named arguments in check script

OPNSense/core 8951a62 src/etc/inc/plugins.inc.d webgui.inc

webgui: use interfaces_addresses() for interface binding

OPNSense/plugins d3bf1f9 www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx IndexController.php, www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms sni_hostname_map.xml

www/nginx: work in progress map component mvc

OPNSense/core 8a7925f src/opnsense/mvc/app/library/OPNsense/Firewall ForwardRule.php

firewall: resolve interface address ":0" for port forwarding in kernel

OPNSense/core 1485c66 src/opnsense/mvc/app/models/OPNsense/Base BaseModel.php, src/opnsense/mvc/script run_migrations.php

MVC/model migrations, show error message in run_migrations.php when migration fails.

(cherry picked from commit 7092d3c782833a4bec2ebd0a8f74d78c39bdb77a)

OPNSense/core 91c0e54 src/opnsense/service/templates/OPNsense/Syslog syslog-ng.conf

system: syslog-ng version changes

(cherry picked from commit 020454f32e1dafb987ec86b1aa1114caf9c95e35)

OPNSense/core 942ddc9 . plist, src/opnsense/scripts/interfaces list_interfaces.php

system: add configd call to return json structured interface data using 
`legacy_interfaces_details()`, while working on 
https://github.com/opnsense/core/issues/2787 missed something to return configured 
addresses.
No need to duplicate legacy_interfaces_details.

adds:
```
configctl interface list ifconfig
```

(cherry picked from commit a3cb1a0c59222a06d0a4827077f6aaabe9bdff3e)

OPNSense/core 144505e . plist, src/opnsense/scripts/interfaces list_interfaces.php

system: add configd call to return json structured interface data using 
`legacy_interfaces_details()`, while working on 
https://github.com/opnsense/core/issues/2787 missed something to return configured 
addresses.
No need to duplicate legacy_interfaces_details.

adds:
```
configctl interface list ifconfig
```

(cherry picked from commit a3cb1a0c59222a06d0a4827077f6aaabe9bdff3e)

OPNSense/core a6e8efb src/www vpn_ipsec_settings.php vpn_ipsec_phase1.php

ipsec: bring back service widget lost via 504c947bb7e9 in 2016

PR: https://github.com/opnsense/docs/pull/54
(cherry picked from commit e99ae7ad17baa46c06693adae6d747c084d90200)

OPNSense/core 1689e42 . plist, src/opnsense/scripts/firmware audit.sh security.sh

firmware: rename audit script to security

OPNSense/core 71a768b src/etc/inc config.inc, src/man/man8 opnsense-version.8

firmware: remove last bits of firmware-product usage

OPNSense/core 4297993 src/etc/inc services.inc

src: code style changes from master
Delta    File
+18 -18  src/etc/inc/services.inc
+18 -18  1 file

OPNSense/src ea449cd sys/net pfvar.h, sys/netpfil/pf pf_ioctl.c pf.c

MFC r334375, r334379:

pf: Replace rwlock on PF_RULES_LOCK with rmlock

Given that PF_RULES_LOCK is a mostly read lock, replace the rwlock with rmlock.
This change improves packet processing rate in high pps environments.
Benchmarking by olivier@ shows a 65% improvement in pps.

While here, also eliminate all appearances of "sys/rwlock.h" includes since it
is not used anymore.

Submitted by:   farrokhi@

OPNSense/src 4f962c3 sys/netpfil/pf pf_norm.c

MFC r337969:

pf: Limit the maximum number of fragments per packet

Similar to the network stack issue fixed in r337782 pf did not limit the number
of fragments per packet, which could be exploited to generate high CPU loads
with a crafted series of packets.

Limit each packet to no more than 64 fragments. This should be sufficient on
typical networks to allow maximum-sized IP frames.

This addresses the issue for both IPv4 and IPv6.

Security:       CVE-2018-5391
Sponsored by:   Klara Systems

OPNSense/src 6f1207f sys/netpfil/pf if_pfsync.c

MFC r335816:

pfsync: Fix state sync during initial bulk update

States learned via pfsync from a peer with the same ruleset checksum were not
getting assigned to rules like they should because pfsync_in_upd() wasn't
passing the PFSYNC_SI_CKSUM flag along to pfsync_state_import.

PR:            229092
Submitted by:   Kajetan Staszkiewicz <vegeta tuxpowered.net>
Obtained from:  OpenBSD
Sponsored by:   InnoGames GmbH

OPNSense/ports dcd5bd9 . UPDATING, Mk bsd.gecko.mk bsd.ruby.mk

Framework: sync with upstream

Taken from: HardenedBSD

OPNSense/ports ebdbc0f archivers/zstd distinfo pkg-plist

archivers/zstd: sync with upstream

Taken from: HardenedBSD

OPNSense/ports c07270f net/mpd5 Makefile

net/mpd5: sync with upstream

Taken from: HardenedBSD
Delta    File
+6 -2    net/mpd5/Makefile
+6 -2    1 file

OPNSense/ports 99119df net-mgmt/icinga2 pkg-plist distinfo

net-mgmt/icinga2: sync with upstream

Taken from: HardenedBSD