Fix logic to find available next number for limiters and queues. It fixes #3998

Merge pull request #1319 from phil-davis/patch-1
Merge pull request #1326 from phil-davis/patch-5
2014-11-13 10:10:00 -02:00 · 2014-11-05 07:12:17 -02:00 · 2014-11-05 07:06:52 -02:00 · 2014-11-05 07:06:44 -02:00 · 2014-11-04 12:44:17 -05:00 · 2014-11-03 14:12:05 +05:45
383 changed files with 19925 additions and 8362 deletions
--- a/conf.default/config.xml
+++ b/conf.default/config.xml
@ -1,7 +1,7 @@
 <?xml version="1.0"?>
 <!-- pfSense default system configuration -->
 <pfsense>
-	<version>9.5</version>
+	<version>9.8</version>
 	<lastchange></lastchange>
 	<theme>pfsense_ng</theme>
 	<sysctl>
@ -198,6 +198,7 @@
 		<timeservers>0.pfsense.pool.ntp.org</timeservers>
 		<webgui>
 			<protocol>https</protocol>
+			<noautocomplete/>
 		</webgui>
 		<disablenatreflection>yes</disablenatreflection>
 		<!-- <disableconsolemenu/> -->
@ -213,6 +214,7 @@
 		<bogons>
 			<interval>monthly</interval>
 		</bogons>
+		<kill_states/>
 	</system>
 	<interfaces>
 		<wan>
@ -642,15 +644,6 @@
 		-->
 	</proxyarp>
 	<cron>
-		<item>
-			<minute>0</minute>
-			<hour>*</hour>
-			<mday>*</mday>
-			<month>*</month>
-			<wday>*</wday>
-			<who>root</who>
-			<command>/usr/bin/nice -n20 newsyslog</command>
-		</item>
 		<item>
 			<minute>1,31</minute>
 			<hour>0-5</hour>
--- a/etc/ca_countries
+++ b/etc/ca_countries
@ -234,12 +234,4 @@ WS Samoa
 YE Yemen
 YT Mayotte
 ZA South Africa
-ZM Zambia
-COM US Commercial
-EDU US Educational
-GOV US Government
-INT International
-MIL US Military
-NET Network
-ORG Non-Profit Organization
-ARPA Old style Arpanet
+ZM Zambia
--- a/etc/ecl.php
+++ b/etc/ecl.php
@ -50,7 +50,7 @@ function get_swap_disks() {
 function get_disk_slices($disk) {
 	global $g, $debug;
 	$slices_array = array();
-	$slices = trim(exec("/bin/ls /dev/{$disk}s* 2>/dev/null"));
+	$slices = trim(exec("/bin/ls " . escapeshellarg("/dev/" . $disk . "s*") . " 2>/dev/null"));
 	$slices = str_replace("/dev/", "", $slices);
 	if($slices == "ls: No match.") 
 		return;
@ -61,7 +61,7 @@ function get_disk_slices($disk) {
 function get_disks() {
 	global $g, $debug;
 	$disks_array = array();
-	$disks = exec("/sbin/sysctl kern.disks | cut -d':' -f2");
+	$disks = exec("/sbin/sysctl -n kern.disks");
 	$disks_s = explode(" ", $disks);
 	foreach($disks_s as $disk) 
 		if(trim($disk))
@ -91,7 +91,7 @@ function test_config($file_location) {
 		return;
 	// config.xml was found.  ensure it is sound.
 	$root_obj = trim("<{$g['xml_rootobj']}>");
-	$xml_file_head = exec("/usr/bin/head -2 {$file_location} | /usr/bin/tail -n1");
+	$xml_file_head = exec("/usr/bin/head -2 " . escapeshellarg($file_location) . " | /usr/bin/tail -n1");
 	if($debug) {
 		echo "\nroot obj  = $root_obj";
 		echo "\nfile head = $xml_file_head";
--- a/etc/gettytab.bak
+++ b/etc/gettytab.bak
@ -0,0 +1,225 @@
+# $FreeBSD: src/etc/gettytab,v 1.22 2004/06/06 11:46:27 schweikh Exp $
+#	from: @(#)gettytab	5.14 (Berkeley) 3/27/91
+#
+# Most of the table entries here are just copies of the old getty table,
+# it is by no means certain, or even likely, that any of them are optimal
+# for any purpose whatever.  Nor is it likely that more than a couple are
+# even correct.
+#
+# The default gettytab entry, used to set defaults for all other
+# entries, and in cases where getty is called with no table name.
+#
+# cb, ce and ck are desirable on most crt's.  The non-crt entries need to
+# be changed to turn them off (:cb@:ce@:ck@:).
+#
+# lc should always be on; it's a remainder of some stone age when there
+# have been terminals around not being able of handling lower-case
+# characters. Those terminals aren't supported any longer, but getty is
+# `smart' about them by default.
+#
+# Parity defaults to even, but the Pc entry and all the `std' entries
+# specify no parity.   The different parities are:
+#     (none): same as ep for getty.  login will use terminal as is.
+#     ep:     getty will use raw mode (cs8 -parenb) (unless rw is set) and
+#             fake parity.  login will use even parity (cs7 parenb -parodd).
+#     op:     same as ep except odd parity (cs7 parenb parodd) for login.
+#             getty will fake odd parity as well.
+#     ap:     same as ep except -inpck instead of inpck for login.
+#             ap overrides op and ep.
+#     np:     1. don't fake parity in getty.  The fake parity garbles
+#                characters on non-terminals (like pccons) that don't
+#                support parity.  It would probably better for getty not to
+#                try to fake parity.  It could just use cbreak mode so as
+#                not to force cs8 and let the hardware handle the parity.
+#                login has to be rely on the hardware anyway.
+#             2. set cs8 -parenb -istrip -inpck.
+#     ep:op:  same as ap.
+#
+default:\
+	::cb:ce:ck:lc:fd#1000:im=\r\n%s/%m (%h) (%t)\r\n\r\n:sp#1200:\
+	:if=/etc/issue:
+
+#
+# Fixed speed entries
+#
+#	The "std.NNN" names are known to the special case
+#	portselector code in getty, however they can
+#	be assigned to any table desired.
+#	The "NNN-baud" names are known to the special case
+#	autobaud code in getty, and likewise can
+#	be assigned to any table desired (hopefully the same speed).
+#
+a|std.110|110-baud:\
+	:np:nd#1:cd#1:uc:sp#110:
+b|std.134|134.5-baud:\
+	:np:nd#1:cd#2:ff#1:td#1:sp#134:ht:nl:
+1|std.150|150-baud:\
+	:np:nd#1:cd#2:td#1:fd#1:sp#150:ht:nl:lm=\E\72\6\6\17login\72 :
+c|std.300|300-baud:\
+	:np:nd#1:cd#1:sp#300:
+d|std.600|600-baud:\
+	:np:nd#1:cd#1:sp#600:
+f|std.1200|1200-baud:\
+	:np:fd#1:sp#1200:
+6|std.2400|2400-baud:\
+	:np:sp#2400:
+7|std.4800|4800-baud:\
+	:np:sp#4800:
+2|std.9600|9600-baud:\
+	:np:sp#9600:
+g|std.19200|19200-baud:\
+	:np:sp#19200:
+std.38400|38400-baud:\
+	:np:sp#38400:
+std.57600|57600-baud:\
+	:np:sp#57600:
+std.115200|115200-baud:\
+	:np:sp#115200:
+std.230400|230400-baud:\
+	:np:sp#230400:
+
+#
+# Entry specifying explicit device settings.  See termios(4) and
+# /usr/include/termios.h, too.  The entry forces the tty into
+# CLOCAL mode (so no DCD is required), and uses Xon/Xoff flow control.
+#
+# cflags: CLOCAL | HUPCL | CREAD | CS8
+# oflags: OPOST | ONLCR | OXTABS
+# iflags: IXOFF | IXON | ICRNL | IGNPAR
+# lflags: IEXTEN | ICANON | ISIG | ECHOCTL | ECHO | ECHOK | ECHOE | ECHOKE
+#
+# The `0' flags don't have input enabled.  The `1' flags don't echo.
+# (Echoing is done inside getty itself.)
+#
+local.9600|CLOCAL tty @ 9600 Bd:\
+	:c0#0x0000c300:c1#0x0000cb00:c2#0x0000cb00:\
+	:o0#0x00000007:o1#0x00000002:o2#0x00000007:\
+	:i0#0x00000704:i1#0x00000000:i2#0x00000704:\
+	:l0#0x000005cf:l1#0x00000000:l2#0x000005cf:\
+	:sp#9600:
+
+#
+# Dial in rotary tables, speed selection via 'break'
+#
+0|d300|Dial-300:\
+	:nx=d1200:cd#2:sp#300:
+d1200|Dial-1200:\
+	:nx=d150:fd#1:sp#1200:
+d150|Dial-150:\
+	:nx=d110:lm@:tc=150-baud:
+d110|Dial-110:\
+	:nx=d300:tc=300-baud:
+
+#
+# Fast dialup terminals, 2400/1200/300 rotary (can start either way)
+#
+D2400|d2400|Fast-Dial-2400:\
+	:nx=D1200:tc=2400-baud:
+3|D1200|Fast-Dial-1200:\
+	:nx=D300:tc=1200-baud:
+5|D300|Fast-Dial-300:\
+	:nx=D2400:tc=300-baud:
+
+#
+#telebit (19200)
+#
+t19200:\
+	:nx=t2400:tc=19200-baud:
+t2400:\
+	:nx=t1200:tc=2400-baud:
+t1200:\
+	:nx=t19200:tc=1200-baud:
+
+#
+#telebit (9600)
+#
+t9600:\
+	:nx=t2400a:tc=9600-baud:
+t2400a:\
+	:nx=t1200a:tc=2400-baud:
+t1200a:\
+	:nx=t9600:tc=1200-baud:
+
+#
+# Odd special case terminals
+#
+-|tty33|asr33|Pity the poor user of this beast:\
+	:tc=110-baud:
+
+4|Console|Console Decwriter II:\
+	:nd@:cd@:rw:tc=300-baud:
+
+e|Console-1200|Console Decwriter III:\
+	:fd@:nd@:cd@:rw:tc=1200-baud:
+
+i|Interdata console:\
+	:uc:sp#0:
+
+l|lsi chess terminal:\
+	:sp#300:
+
+X|Xwindow|X window system:\
+	:fd@:nd@:cd@:rw:sp#9600:
+
+P|Pc|Pc console:\
+	:ht:np:sp#115200:al=root:
+
+bootupcli:\
+	tc=std.9600:\
+	:ht:np:sp#115200:al=root:
+
+#
+# Wierdo special case for fast crt's with hardcopy devices
+#
+8|T9600|CRT with hardcopy:\
+	:nx=T300:tc=9600-baud:
+9|T300|CRT with hardcopy (300):\
+	:nx=T9600:tc=300-baud:
+
+#
+# Plugboard, and misc other terminals
+#
+plug-9600|Plugboard-9600:\
+	:pf#1:tc=9600-baud:
+p|P9600|Plugboard-9600-rotary:\
+	:pf#1:nx=P300:tc=9600-baud:
+q|P300|Plugboard-300:\
+	:pf#1:nx=P1200:tc=300-baud:
+r|P1200|Plugboard-1200:\
+	:pf#1:nx=P9600:tc=1200-baud:
+
+#
+# XXXX Port selector
+#
+s|DSW|Port Selector:\
+	:ps:sp#2400:
+
+#
+# Auto-baud speed detect entry for Micom 600.
+# Special code in getty will switch this out
+# to one of the NNN-baud entries.
+#
+A|Auto-baud:\
+	:ab:sp#2400:f0#040:
+
+#
+# autologin - automatically log in as root
+#
+
+autologin|al.9600:\
+	::tc=std.9600:
+
+#
+# Entries for 3-wire serial terminals.  These don't supply carrier, so
+# clocal needs to be set, and crtscts needs to be unset.
+#
+3wire.9600|9600-3wire:\
+	:np:nc:sp#9600:
+3wire.38400|38400-3wire:\
+	:np:nc:sp#38400:
+3wire.57600|57600-3wire:\
+	:np:nc:sp#57600:
+3wire.115200|115200-3wire:\
+	:np:nc:sp#115200:
+3wire.230400|230400-3wire:\
+	:np:nc:sp#230400:
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@ -55,7 +55,7 @@ $security_passed = true;
 /* If this function doesn't exist, we're being called from Captive Portal or 
   another internal subsystem which does not include authgui.inc */
 if (function_exists("display_error_form") && !isset($config['system']['webgui']['nodnsrebindcheck'])) {
-	/* DNS ReBinding attack prevention.  http://redmine.pfsense.org/issues/708 */
+	/* DNS ReBinding attack prevention.  https://redmine.pfsense.org/issues/708 */
 	$found_host = false;

 	/* Either a IPv6 address with or without a alternate port */
@ -86,6 +86,13 @@ if (function_exists("display_error_form") && !isset($config['system']['webgui'][
 				break;
 			}

+	if(is_array($config['dnsupdates']['dnsupdate']) && !$found_host)
+		foreach($config['dnsupdates']['dnsupdate'] as $rfc2136)
+			if(strcasecmp($rfc2136['host'], $http_host) == 0) {
+				$found_host = true;
+				break;
+			}
+
 	if(!empty($config['system']['webgui']['althostnames']) && !$found_host) {
 		$althosts = explode(" ", $config['system']['webgui']['althostnames']);
 		foreach ($althosts as $ah)
@ -123,6 +130,7 @@ if(function_exists("display_error_form") && !isset($config['system']['webgui']['
 			if(strcasecmp($referrer_host, $config['system']['hostname'] . "." . $config['system']['domain']) == 0
 					|| strcasecmp($referrer_host, $config['system']['hostname']) == 0)
 				$found_host = true;
+
 			if(!empty($config['system']['webgui']['althostnames']) && !$found_host) {
 				$althosts = explode(" ", $config['system']['webgui']['althostnames']);
 				foreach ($althosts as $ah) {
@ -132,6 +140,21 @@ if(function_exists("display_error_form") && !isset($config['system']['webgui']['
 					}
 				}
 			}
+
+			if(is_array($config['dyndnses']['dyndns']) && !$found_host)
+				foreach($config['dyndnses']['dyndns'] as $dyndns)
+					if(strcasecmp($dyndns['host'], $referrer_host) == 0) {
+						$found_host = true;
+						break;
+					}
+
+			if(is_array($config['dnsupdates']['dnsupdate']) && !$found_host)
+				foreach($config['dnsupdates']['dnsupdate'] as $rfc2136)
+					if(strcasecmp($rfc2136['host'], $referrer_host) == 0) {
+						$found_host = true;
+						break;
+					}
+
 			if(!$found_host) {
 				$interface_list_ips = get_configured_ip_addresses();
 				foreach($interface_list_ips as $ilips) {
@ -438,18 +461,18 @@ function local_user_set(& $user) {
 		mkdir($user_home, 0700);
 		mwexec("/bin/cp /root/.* {$home_base}/", true);
 	}
-	chown($user_home, $user_name);
-	chgrp($user_home, $user_group);
+	@chown($user_home, $user_name);
+	@chgrp($user_home, $user_group);

 	/* write out ssh authorized key file */
 	if($user['authorizedkeys']) {
 		if (!is_dir("{$user_home}/.ssh")) {
-			mkdir("{$user_home}/.ssh", 0700);
-			chown("{$user_home}/.ssh", $user_name);
+			@mkdir("{$user_home}/.ssh", 0700);
+			@chown("{$user_home}/.ssh", $user_name);
 		}
 		$keys = base64_decode($user['authorizedkeys']);
-		file_put_contents("{$user_home}/.ssh/authorized_keys", $keys);
-		chown("{$user_home}/.ssh/authorized_keys", $user_name);
+		@file_put_contents("{$user_home}/.ssh/authorized_keys", $keys);
+		@chown("{$user_home}/.ssh/authorized_keys", $user_name);
 	} else
 		unlink_if_exists("{$user_home}/.ssh/authorized_keys");

@ -742,6 +765,8 @@ function ldap_test_bind($authcfg) {
 	ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
 	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
 
+	$ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
+	$ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
 	if ($ldapanon == true) {
 		if (!($res = @ldap_bind($ldap))) {
 			@ldap_close($ldap);
@ -813,6 +838,8 @@ function ldap_get_user_ous($show_complete_ou=true, $authcfg) {
 	ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
 	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);

+	$ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
+	$ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
 	if ($ldapanon == true) {
                if (!($res = @ldap_bind($ldap))) {
 			log_error(sprintf(gettext("ERROR! ldap_get_user_ous() could not bind anonymously to server %s."), $ldapname));
@ -862,7 +889,7 @@ function ldap_get_groups($username, $authcfg) {
 	if(!$username) 
 		return false;

-	if(stristr($username, "@")) {
+	if(!isset($authcfg['ldap_nostrip_at']) && stristr($username, "@")) {
 		$username_split = explode("@", $username);
 		$username = $username_split[0];		
 	}
@ -925,6 +952,8 @@ function ldap_get_groups($username, $authcfg) {
 	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);

 	/* bind as user that has rights to read group attributes */
+	$ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
+	$ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
 	if ($ldapanon == true) {
                if (!($res = @ldap_bind($ldap))) {
 			log_error(sprintf(gettext("ERROR! ldap_get_groups() could not bind anonymously to server %s."), $ldapname));
@ -984,7 +1013,7 @@ function ldap_backed($username, $passwd, $authcfg) {
 	if(!function_exists("ldap_connect"))
 		return;

-	if(stristr($username, "@")) {
+	if(!isset($authcfg['ldap_nostrip_at']) && stristr($username, "@")) {
 		$username_split = explode("@", $username);
 		$username = $username_split[0];        
 	}
@ -1060,6 +1089,8 @@ function ldap_backed($username, $passwd, $authcfg) {

 	/* ok, its up.  now, lets bind as the bind user so we can search it */
 	$error = false;
+	$ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
+	$ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
 	if ($ldapanon == true) {
                if (!($res = @ldap_bind($ldap)))
                        $error = true;
@ -1089,9 +1120,12 @@ function ldap_backed($username, $passwd, $authcfg) {
 		log_auth(sprintf(gettext("Now Searching for %s in directory."), $username));
 	/* Iterate through the user containers for search */
 	foreach ($ldac_splits as $i => $ldac_split) {
+		$ldac_split = isset($authcfg['ldap_utf8']) ? utf8_encode($ldac_split) : $ldac_split;
+		$ldapfilter = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapfilter) : $ldapfilter;
+		$ldapsearchbasedn = isset($authcfg['ldap_utf8']) ? utf8_encode("{$ldac_split},{$ldapbasedn}") : "{$ldac_split},{$ldapbasedn}";
 		/* Make sure we just use the first user we find */
 		if ($debug)
-			log_auth(sprintf(gettext('Now Searching in server %1$s, container %2$s with filter %3$s.'), $ldapname, $ldac_split, $ldapfilter));
+			log_auth(sprintf(gettext('Now Searching in server %1$s, container %2$s with filter %3$s.'), $ldapname, utf8_decode($ldac_split), utf8_decode($ldapfilter)));
 		if ($ldapscope == "one")
 			$ldapfunc = "ldap_list";
 		else
@ -1100,7 +1134,7 @@ function ldap_backed($username, $passwd, $authcfg) {
 		if (stristr($ldac_split, "DC=") || empty($ldapbasedn))
 			$search	 = @$ldapfunc($ldap,$ldac_split,$ldapfilter);
 		else
-			$search  = @$ldapfunc($ldap,"{$ldac_split},{$ldapbasedn}",$ldapfilter);
+			$search  = @$ldapfunc($ldap,$ldapsearchbasedn,$ldapfilter);
 		if (!$search) {
 			log_error(sprintf(gettext("Search resulted in error: %s"), ldap_error($ldap)));
 			continue;
@ -1123,14 +1157,17 @@ function ldap_backed($username, $passwd, $authcfg) {
 	}

 	/* Now lets bind as the user we found */
+	$passwd = isset($authcfg['ldap_utf8']) ? utf8_encode($passwd) : $passwd;
 	if (!($res = @ldap_bind($ldap, $userdn, $passwd))) {
 		log_error(sprintf(gettext('ERROR! Could not login to server %1$s as user %2$s: %3$s'), $ldapname, $username, ldap_error($ldap)));
 		@ldap_unbind($ldap);
 		return false;
 	}

-	if ($debug)
+	if ($debug) {
+		$userdn = isset($authcfg['ldap_utf8']) ? utf8_decode($userdn) : $userdn;
 		log_auth(sprintf(gettext('Logged in successfully as %1$s via LDAP server %2$s with DN = %3$s.'), $username, $ldapname, $userdn));
+	}

 	/* At this point we are bound to LDAP so the user was auth'd okay. Close connection. */
 	@ldap_unbind($ldap);
@ -1305,16 +1342,14 @@ function session_auth() {
 	global $HTTP_SERVER_VARS, $config, $_SESSION, $page;

 	// Handle HTTPS httponly and secure flags
-	if($config['system']['webgui']['protocol'] == "https") {
-		$currentCookieParams = session_get_cookie_params();
-		session_set_cookie_params(
-			$currentCookieParams["lifetime"],
-			$currentCookieParams["path"],
-			NULL,
-			true,
-			true
-		);
-	}
+	$currentCookieParams = session_get_cookie_params();
+	session_set_cookie_params(
+		$currentCookieParams["lifetime"],
+		$currentCookieParams["path"],
+		NULL,
+		($config['system']['webgui']['protocol'] == "https"),
+		true
+	);

 	if (!session_id())
 		session_start();
@ -1324,6 +1359,8 @@ function session_auth() {
 		$authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
 		if (authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg) || 
 		    authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) {
+			// Generate a new id to avoid session fixation
+			session_regenerate_id();
 			$_SESSION['Logged_In'] = "True";
 			$_SESSION['Username'] = $_POST['usernamefld'];
 			$_SESSION['last_access'] = time();
--- a/etc/inc/authgui.inc
+++ b/etc/inc/authgui.inc
@ -258,7 +258,7 @@ $have_cookies = isset($_COOKIE["cookie_test"]);
 	<body onload="page_load()">
 		<div id="login">
 			<?php 
-				if(is_ipaddr($http_host) && !$local_ip) {
+				if(is_ipaddr($http_host) && !$local_ip && !isset($config['system']['webgui']['nohttpreferercheck'])) {
 					$nifty_background = "#999";
 					print_info_box(gettext("You are accessing this router by an IP address not configured locally, which may be forwarded by NAT or other means. <br/><br/>If you did not setup this forwarding, you may be the target of a man-in-the-middle attack.")); 
 				}
--- a/etc/inc/captiveportal.inc
+++ b/etc/inc/captiveportal.inc
@ -1,9 +1,9 @@
 <?php
 /*
 	captiveportal.inc
-	part of pfSense (http://www.pfSense.org)
+	part of pfSense (https://www.pfsense.org)
 	Copyright (C) 2004-2011 Scott Ullrich <sullrich@gmail.com>
-	Copyright (C) 2009-2012 Ermal Luçi <eri@pfsense.org>
+	Copyright (C) 2009-2012 Ermal Lu<EFBFBD>i <eri@pfsense.org>
 	Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.

 	originally part of m0n0wall (http://m0n0.ch/wall)
@ -153,9 +153,9 @@ function captiveportal_load_modules() {
 		/* make sure ipfw is not on pfil hooks */
 		mwexec("/sbin/sysctl net.inet.ip.pfil.inbound=\"pf\" net.inet6.ip6.pfil.inbound=\"pf\"" .
 		       " net.inet.ip.pfil.outbound=\"pf\" net.inet6.ip6.pfil.outbound=\"pf\"");
-		/* Activate layer2 filtering */
-		mwexec("/sbin/sysctl net.link.ether.ipfw=1 net.inet.ip.fw.one_pass=1");
 	}
+	/* Activate layer2 filtering */
+	mwexec("/sbin/sysctl net.link.ether.ipfw=1 net.inet.ip.fw.one_pass=1");

 	/* Always load dummynet now that even allowed ip and mac passthrough use it. */
 	if (!is_module_loaded("dummynet.ko")) {
@ -362,6 +362,9 @@ EOD;
 		/* remove old information */
 		unlink_if_exists("{$g['vardb_path']}/captiveportal{$cpzone}.db");
 		unlink_if_exists("{$g['vardb_path']}/captiveportal_radius_{$cpzone}.db");
+		unlink_if_exists("{$g['vardb_path']}/captiveportal_{$cpzone}.rules");
+		/* Release allocated pipes for this zone */
+		captiveportal_free_dnrules();

 		mwexec("/usr/local/sbin/ipfw_context -d {$cpzone}", true);

@ -618,12 +621,6 @@ function captiveportal_prune_old() {
 	/* NOTE: while this can be simplified in non radius case keep as is for now */
 	$cpdb = captiveportal_read_db();

-	/*
-	 * To make sure we iterate over ALL accounts on every run the count($cpdb) is moved
-	 * outside of the loop. Otherwise the loop would evaluate count() on every iteration
-	 * and since $i would increase and count() would decrement they would meet before we
-	 * had a chance to iterate over all accounts.
-	 */
 	$unsetindexes = array();
 	$voucher_needs_sync = false;
 	/* 
@ -636,9 +633,9 @@ function captiveportal_prune_old() {

 		$timedout = false;
 		$term_cause = 1;
-		if (empty($cpentry[10]))
-			$cpentry[10] = 'first';
-		$radiusservers = $radiussrvs[$cpentry[10]];
+		if (empty($cpentry[11]))
+			$cpentry[11] = 'first';
+		$radiusservers = $radiussrvs[$cpentry[11]];

 		/* hard timeout? */
 		if ($timeout) {
@ -718,13 +715,14 @@ function captiveportal_prune_old() {
 						$cpentry[3]); // clientmac
 				} else if ($cpcfg['reauthenticateacct'] == "interimupdate") {
 					$session_time = $pruning_time - $cpentry[0];
-					if (!empty($cpentry[10]) && $cpentry[10] > 60)
-						$interval = $cpentry[10];
+					if (!empty($cpentry[10]) && intval($cpentry[10]) > 60)
+						$interval = intval($cpentry[10]);
 					else
 						$interval = 0;
 					$past_interval_min = ($session_time > $interval);
-					$within_interval = ($session_time % $interval >= 0 && $session_time % $interval <= 59);
-					if (($interval > 0 && $past_interval_min && $within_interval) || $interval === 0) {
+					if (!empty($interval))
+						$within_interval = ($session_time % $interval >= 0 && $session_time % $interval <= 59);
+					if (empty($interval) || ($interval > 0 && $past_interval_min && $within_interval)) {
 						RADIUS_ACCOUNTING_STOP($cpentry[1], // ruleno
 							$cpentry[4], // username
 							$cpentry[5], // sessionid
@ -777,27 +775,29 @@ function captiveportal_prune_old_automac() {
 		$writecfg = false;
 		foreach ($config['captiveportal'][$cpzone]['passthrumac'] as $eid => $emac) {
 			if ($emac['logintype'] == "voucher") {
-				if (isset($tmpvoucherdb[$emac['username']])) {
-					$temac = $config['captiveportal'][$cpzone]['passthrumac'][$tmpvoucherdb[$emac['username']]];
-					$ruleno = captiveportal_get_ipfw_passthru_ruleno($temac['mac']);
-					$pipeno = captiveportal_get_dn_passthru_ruleno($temac['mac']);
-					if ($ruleno) {
-						captiveportal_free_ipfw_ruleno($ruleno);
-						$macrules .= "delete {$ruleno}";
-						++$ruleno;
-						$macrules .= "delete {$ruleno}";
+				if (isset($config['captiveportal'][$cpzone]['noconcurrentlogins'])) {
+					if (isset($tmpvoucherdb[$emac['username']])) {
+						$temac = $config['captiveportal'][$cpzone]['passthrumac'][$tmpvoucherdb[$emac['username']]];
+						$ruleno = captiveportal_get_ipfw_passthru_ruleno($temac['mac']);
+						$pipeno = captiveportal_get_dn_passthru_ruleno($temac['mac']);
+						if ($ruleno) {
+							captiveportal_free_ipfw_ruleno($ruleno);
+							$macrules .= "delete {$ruleno}";
+							++$ruleno;
+							$macrules .= "delete {$ruleno}";
+						}
+						if ($pipeno) {
+							captiveportal_free_dn_ruleno($pipeno);
+							$macrules .= "pipe delete {$pipeno}\n";
+							++$pipeno;
+							$macrules .= "pipe delete {$pipeno}\n";
+						}
+						$writecfg = true;
+						captiveportal_logportalauth($temac['username'], $temac['mac'], $temac['ip'], "DUPLICATE {$temac['username']} LOGIN - TERMINATING OLD SESSION");
+						unset($config['captiveportal'][$cpzone]['passthrumac'][$tmpvoucherdb[$emac['username']]]);
 					}
-					if ($pipeno) {
-						captiveportal_free_dn_ruleno($pipeno);
-						$macrules .= "pipe delete {$pipeno}\n";
-						++$pipeno;
-						$macrules .= "pipe delete {$pipeno}\n";
-					}
-					$writecfg = true;
-					captiveportal_logportalauth($temac['username'], $temac['mac'], $temac['ip'], "DUPLICATE {$temac['username']} LOGIN - TERMINATING OLD SESSION");
-					unset($config['captiveportal'][$cpzone]['passthrumac'][$tmpvoucherdb[$emac['username']]]);
+					$tmpvoucherdb[$emac['username']] = $eid;
 				}
-				$tmpvoucherdb[$emac['username']] = $eid;
 				if (voucher_auth($emac['username']) <= 0) {
 					$ruleno = captiveportal_get_ipfw_passthru_ruleno($emac['mac']);
 					$pipeno = captiveportal_get_dn_passthru_ruleno($emac['mac']);
@ -819,6 +819,7 @@ function captiveportal_prune_old_automac() {
 				}
 			}
 		}
+		unset($tmpvoucherdb);
 		if (!empty($macrules)) {
 			@file_put_contents("{$g['tmp_path']}/macentry.prunerules.tmp", $macrules);
 			unset($macrules);
@ -895,9 +896,9 @@ function captiveportal_disconnect_client($sessionid, $term_cause = 1, $logoutRea
 		captiveportal_write_db("DELETE FROM captiveportal WHERE sessionid = '{$sessionid}'");

 		foreach ($result as $cpentry) {
-			if (empty($cpentry[10]))
-				$cpentry[10] = 'first';
-			captiveportal_disconnect($cpentry, $radiusservers[$cpentry[10]], $term_cause);
+			if (empty($cpentry[11]))
+				$cpentry[11] = 'first';
+			captiveportal_disconnect($cpentry, $radiusservers[$cpentry[11]], $term_cause);
 			captiveportal_logportalauth($cpentry[4], $cpentry[3], $cpentry[2], "DISCONNECT");
 		}
 		unset($result);
@ -915,14 +916,14 @@ function captiveportal_radius_stop_all() {
 	if (!empty($radiusservers)) {
 		$cpdb = captiveportal_read_db();
 		foreach ($cpdb as $cpentry) {
-			if (empty($cpentry[10]))
-				$cpentry[10] = 'first';
-			if (!empty($radiusservers[$cpentry[10]])) {
+			if (empty($cpentry[11]))
+				$cpentry[11] = 'first';
+			if (!empty($radiusservers[$cpentry[11]])) {
 				RADIUS_ACCOUNTING_STOP($cpentry[1], // ruleno
 					$cpentry[4], // username
 					$cpentry[5], // sessionid
 					$cpentry[0], // start time
-					$radiusservers[$cpentry[10]],
+					$radiusservers[$cpentry[11]],
 					$cpentry[2], // clientip
 					$cpentry[3], // clientmac
 					7); // Admin Reboot
@ -932,9 +933,18 @@ function captiveportal_radius_stop_all() {
 }

 function captiveportal_passthrumac_configure_entry($macent) {
+	global $cpzone, $config;

-	$bwUp = empty($macent['bw_up']) ? 0 : $macent['bw_up'];
-	$bwDown = empty($macent['bw_down']) ? 0 : $macent['bw_down'];
+	$bwUp = 0;
+	if (!empty($macent['bw_up']))
+		$bwUp = $macent['bw_up'];
+	else if (isset($config['captiveportal'][$cpzone]['bwdefaultup']))
+		$bwUp = $config['captiveportal'][$cpzone]['bwdefaultup'];
+	$bwDown = 0;
+	if (!empty($macent['bw_down']))
+		$bwDown = $macent['bw_down'];
+	else if (isset($config['captiveportal'][$cpzone]['bwdefaultdn']))
+		$bwDown = $config['captiveportal'][$cpzone]['bwdefaultdn'];

 	$ruleno = captiveportal_get_next_ipfw_ruleno();
 	$pipeno = captiveportal_get_next_dn_ruleno();
@ -944,9 +954,9 @@ function captiveportal_passthrumac_configure_entry($macent) {
 	$_gb = @pfSense_pipe_action("pipe {$pipeup} config bw {$bwUp}Kbit/s queue 100 buckets 16");
 	$pipedown = $pipeno + 1;
 	$_gb = @pfSense_pipe_action("pipe {$pipedown} config bw {$bwDown}Kbit/s queue 100 buckets 16");
-	$rules .= "add {$ruleno} pipe {$pipeup} ip from any to any MAC {$macent['mac']} any\n";
+	$rules .= "add {$ruleno} pipe {$pipeup} ip from any to any MAC any {$macent['mac']}\n";
 	$ruleno++;
-	$rules .= "add {$ruleno} pipe {$pipedown} ip from any to any MAC any {$macent['mac']}\n";
+	$rules .= "add {$ruleno} pipe {$pipedown} ip from any to any MAC {$macent['mac']} any\n";

 	return $rules;
 }
@ -1001,8 +1011,16 @@ function captiveportal_allowedip_configure_entry($ipent, $ishostname = false) {

 	$rules = "";
 	$cp_filterdns_conf = "";
-	$enBwup = empty($ipent['bw_up']) ? 0 : intval($ipent['bw_up']);
-	$enBwdown = empty($ipent['bw_down']) ? 0 : intval($ipent['bw_down']);
+	$enBwup = 0;
+	if (!empty($ipent['bw_up']))
+		$enBwup = intval($ipent['bw_up']);
+	else if (isset($config['captiveportal'][$cpzone]['bwdefaultup']))
+		$enBwup = $config['captiveportal'][$cpzone]['bwdefaultup'];
+	$enBwdown = 0;
+	if (!empty($ipent['bw_down']))
+		$enBwdown = intval($ipent['bw_down']);
+	else if (isset($config['captiveportal'][$cpzone]['bwdefaultdn']))
+		$enBwdown = $config['captiveportal'][$cpzone]['bwdefaultdn'];

 	$pipeno = captiveportal_get_next_dn_ruleno();
 	$_gb = @pfSense_pipe_action("pipe {$pipeno} config bw {$enBwup}Kbit/s queue 100 buckets 16");
@ -1200,7 +1218,7 @@ function radius($username,$password,$clientip,$clientmac,$type, $radiusctx = nul
 	$pipeno = captiveportal_get_next_dn_ruleno();

 	/* If the pool is empty, return appropriate message and fail authentication */
-	if (is_null($pipeno)) {
+	if (empty($pipeno)) {
 		$auth_list = array();
 		$auth_list['auth_val'] = 1;
 		$auth_list['error'] = "System reached maximum login capacity";
@ -1228,7 +1246,9 @@ function radius($username,$password,$clientip,$clientmac,$type, $radiusctx = nul
 			$auth_list,
 			$pipeno,
 			$radiusctx);
-	}
+	} else {
+	         captiveportal_free_dn_ruleno($pipeno);
+	       }

 	return $auth_list;
 }
@ -1241,7 +1261,7 @@ function captiveportal_opendb() {
 	else {
 		$errormsg = "";
 		$DB = @sqlite_open("{$g['vardb_path']}/captiveportal{$cpzone}.db");
-		if (@sqlite_exec($DB, "CREATE TABLE captiveportal (allow_time INTEGER, pipeno INTEGER, ip TEXT, mac TEXT, username TEXT, sessionid TEXT, bpassword TEXT, session_timeout INTEGER, idle_timeout INTEGER, session_terminate_time INTEGER, interim_interval INTEGER) ", $errormsg)) {
+		if (@sqlite_exec($DB, "CREATE TABLE captiveportal (allow_time INTEGER, pipeno INTEGER, ip TEXT, mac TEXT, username TEXT, sessionid TEXT, bpassword TEXT, session_timeout INTEGER, idle_timeout INTEGER, session_terminate_time INTEGER, interim_interval INTEGER, radiusctx TEXT) ", $errormsg)) {
 			@sqlite_exec($DB, "CREATE UNIQUE INDEX idx_active ON captiveportal (sessionid, username)");
 			@sqlite_exec($DB, "CREATE INDEX user ON captiveportal (username)");
 			@sqlite_exec($DB, "CREATE INDEX ip ON captiveportal (ip)");
@ -1319,17 +1339,8 @@ function captiveportal_write_elements() {
 	
 	$cpcfg = $config['captiveportal'][$cpzone];

-	/* delete any existing elements */
-	if (is_dir($g['captiveportal_element_path'])) {
-		$dh = opendir($g['captiveportal_element_path']);
-		while (($file = readdir($dh)) !== false) {
-			if ($file != "." && $file != "..")
-				unlink($g['captiveportal_element_path'] . "/" . $file);
-		}
-		closedir($dh);
-	} else {
+	if (!is_dir($g['captiveportal_element_path']))
 		@mkdir($g['captiveportal_element_path']);
-	}

 	if (is_array($cpcfg['element'])) {
 		conf_mount_rw();
@ -1338,8 +1349,8 @@ function captiveportal_write_elements() {
 				printf(gettext("Error: cannot open '%s' in captiveportal_write_elements()%s"), $data['name'], "\n");
 				return 1;
 			}
-			unlink_if_exists("{$g['captiveportal_path']}/{$data['name']}");
-			@symlink("{$g['captiveportal_element_path']}/{$data['name']}", "{$g['captiveportal_path']}/{$data['name']}");
+			if (!file_exists("{$g['captiveportal_path']}/{$data['name']}"))
+				@symlink("{$g['captiveportal_element_path']}/{$data['name']}", "{$g['captiveportal_path']}/{$data['name']}");
 		}
 		conf_mount_ro();
 	}
@ -1347,31 +1358,57 @@ function captiveportal_write_elements() {
 	return 0;
 }

+function captiveportal_free_dnrules($rulenos_start = 2000, $rulenos_range_max = 64500) {
+	global $cpzone;
+
+	$cpruleslck = lock("captiveportalrulesdn", LOCK_EX);
+	if (file_exists("{$g['vardb_path']}/captiveportaldn.rules")) {
+		$rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportaldn.rules"));
+		$ridx = $rulenos_start;
+		while ($ridx < $rulenos_range_max) {
+			if ($rules[$ridx] == $cpzone) {
+				$rules[$ridx] = false;
+				$ridx++;
+				$rules[$ridx] = false;
+				$ridx++;
+			} else
+				$ridx += 2;
+		}
+		file_put_contents("{$g['vardb_path']}/captiveportaldn.rules", serialize($rules));
+		unset($rules);
+	}
+	unlock($cpruleslck);
+}
+
 function captiveportal_get_next_dn_ruleno($rulenos_start = 2000, $rulenos_range_max = 64500) {
-	global $config, $g;
+	global $config, $g, $cpzone;

 	$cpruleslck = lock("captiveportalrulesdn", LOCK_EX);
 	$ruleno = 0;
 	if (file_exists("{$g['vardb_path']}/captiveportaldn.rules")) {
 		$rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportaldn.rules"));
-		for ($ridx = $rulenos_start; $ridx < $rulenos_range_max; $ridx++) {
-			if ($rules[$ridx]) {
+		$ridx = $rulenos_start;
+		while ($ridx < $rulenos_range_max) {
+			if (empty($rules[$ridx])) {
+				$ruleno = $ridx;
+				$rules[$ridx] = $cpzone;
 				$ridx++;
-				continue;
+				$rules[$ridx] = $cpzone;
+				break;
+			} else {
+				$ridx += 2;
 			}
-			$ruleno = $ridx;
-			$rules[$ridx] = "used";
-			$rules[++$ridx] = "used";
-			break;
 		}
 	} else {
 		$rules = array_pad(array(), $rulenos_range_max, false);
-		$rules[$rulenos_start] = "used";
-		$rules[++$rulenos_start] = "used";
 		$ruleno = $rulenos_start;
+		$rules[$rulenos_start] = $cpzone;
+		$rulenos_start++;
+		$rules[$rulenos_start] = $cpzone;
 	}
 	file_put_contents("{$g['vardb_path']}/captiveportaldn.rules", serialize($rules));
 	unlock($cpruleslck);
+	unset($rules);

 	return $ruleno;
 }
@ -1383,8 +1420,10 @@ function captiveportal_free_dn_ruleno($ruleno) {
 	if (file_exists("{$g['vardb_path']}/captiveportaldn.rules")) {
 		$rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportaldn.rules"));
 		$rules[$ruleno] = false;
-		$rules[++$ruleno] = false;
+		$ruleno++;
+		$rules[$ruleno] = false;
 		file_put_contents("{$g['vardb_path']}/captiveportaldn.rules", serialize($rules));
+		unset($rules);
 	}
 	unlock($cpruleslck);
 }
@ -1397,17 +1436,19 @@ function captiveportal_get_dn_passthru_ruleno($value) {
 		return NULL;

 	$cpruleslck = lock("captiveportalrulesdn", LOCK_EX);
+	$ruleno = NULL;
 	if (file_exists("{$g['vardb_path']}/captiveportaldn.rules")) {
 		$rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportaldn.rules"));
-		$ruleno = intval(`/sbin/ipfw -x {$cpzone} show | /usr/bin/grep {$value} |  /usr/bin/grep -v grep | /usr/bin/cut -d " " -f 5 | /usr/bin/head -n 1`);
-		if ($rules[$ruleno]) {
-			unlock($cpruleslck);
-			return $ruleno;
-		}
+		unset($output);
+		$_gb = exec("/sbin/ipfw -x {$cpzone} show | /usr/bin/grep {$value} | /usr/bin/grep -v grep | /usr/bin/awk '{print $5}' | /usr/bin/head -n 1", $output);
+		$ruleno = intval($output[0]);
+		if (!$rules[$ruleno])
+			$ruleno = NULL;
+		unset($rules);
 	}
-
 	unlock($cpruleslck);
-	return NULL;
+
+	return $ruleno;
 }

 /*
@ -1426,28 +1467,33 @@ function captiveportal_get_next_ipfw_ruleno($rulenos_start = 2, $rulenos_range_m
 	$ruleno = 0;
 	if (file_exists("{$g['vardb_path']}/captiveportal_{$cpzone}.rules")) {
 		$rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportal_{$cpzone}.rules"));
-		for ($ridx = 2; $ridx < ($rulenos_range_max - $rulenos_start); $ridx++) {
-			if ($rules[$ridx]) {
+		$ridx = $rulenos_start;
+		while ($ridx < $rulenos_range_max) {
+			if (empty($rules[$ridx])) {
+				$ruleno = $ridx;
+				$rules[$ridx] = $cpzone;
+				$ridx++;
+				$rules[$ridx] = $cpzone;
+				break;
+			} else {
 				/* 
 				 * This allows our traffic shaping pipes to be the in pipe the same as ruleno 
 				 * and the out pipe ruleno + 1.
 				 */
-				$ridx++;
-				continue;
+				$ridx += 2;
 			}
-			$ruleno = $ridx;
-			$rules[$ridx] = "used";
-			$rules[++$ridx] = "used";
-			break;
 		}
 	} else {
 		$rules = array_pad(array(), $rulenos_range_max, false);
-		$rules[$rulenos_start] = "used";
-		$rules[++$rulenos_start] = "used";
-		$ruleno = 2;
+		$ruleno = $rulenos_start;
+		$rules[$rulenos_start] = $cpzone;
+		$rulenos_start++;
+		$rules[$rulenos_start] = $cpzone;
 	}
 	file_put_contents("{$g['vardb_path']}/captiveportal_{$cpzone}.rules", serialize($rules));
 	unlock($cpruleslck);
+	unset($rules);
+
 	return $ruleno;
 }

@ -1462,10 +1508,12 @@ function captiveportal_free_ipfw_ruleno($ruleno) {
 	if (file_exists("{$g['vardb_path']}/captiveportal_{$cpzone}.rules")) {
 		$rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportal_{$cpzone}.rules"));
 		$rules[$ruleno] = false;
-		$rules[++$ruleno] = false;
+		$ruleno++;
+		$rules[$ruleno] = false;
 		file_put_contents("{$g['vardb_path']}/captiveportal_{$cpzone}.rules", serialize($rules));
 	}
 	unlock($cpruleslck);
+	unset($rules);
 }

 function captiveportal_get_ipfw_passthru_ruleno($value) {
@ -1476,17 +1524,19 @@ function captiveportal_get_ipfw_passthru_ruleno($value) {
 		return NULL;

 	$cpruleslck = lock("captiveportalrules{$cpzone}", LOCK_EX);
+	$ruleno = NULL;
 	if (file_exists("{$g['vardb_path']}/captiveportal_{$cpzone}.rules")) {
 		$rules = unserialize(file_get_contents("{$g['vardb_path']}/captiveportal_{$cpzone}.rules"));
-		$ruleno = intval(`/sbin/ipfw -x {$cpzone} show | /usr/bin/grep {$value} |  /usr/bin/grep -v grep | /usr/bin/cut -d " " -f 1 | /usr/bin/head -n 1`);
-		if ($rules[$ruleno]) {
-			unlock($cpruleslck);
-			return $ruleno;
-		}
+		unset($output);
+		$_gb = exec("/sbin/ipfw -x {$cpzone} show | /usr/bin/grep {$value} | /usr/bin/grep -v grep | /usr/bin/awk '{print $1}' | /usr/bin/head -n 1", $output);
+		$ruleno = intval($output[0]);
+		if (!$rules[$ruleno])
+			$ruleno = NULL;
 	}
-
 	unlock($cpruleslck);
-	return NULL;
+	unset($rules);
+
+	return $ruleno;
 }

 /**
@ -1783,8 +1833,9 @@ function portal_allow($clientip,$clientmac,$username,$password = null, $attribut
 		$radiusctx = 'first';

 	foreach ($cpdb as $cpentry) {
-		if (empty($cpentry[10]))
-			$cpentry[10] = 'first';
+		if (empty($cpentry[11])) {
+			$cpentry[11] = 'first';
+		}
 		/* on the same ip */
 		if ($cpentry[2] == $clientip) {
 			if (isset($config['captiveportal'][$cpzone]['nomacfilter']) || $cpentry[3] == $clientmac)
@ -1802,7 +1853,7 @@ function portal_allow($clientip,$clientmac,$username,$password = null, $attribut
 				$remaining_time = 0;

 			/* This user was already logged in so we disconnect the old one */
-			captiveportal_disconnect($cpentry,$radiusservers[$cpentry[10]],13);
+			captiveportal_disconnect($cpentry,$radiusservers[$cpentry[11]],13);
 			captiveportal_logportalauth($cpentry[4],$cpentry[3],$cpentry[2],"CONCURRENT LOGIN - TERMINATING OLD SESSION");
 			$unsetindexes[] = $cpentry[5];
 			break;
@ -1811,7 +1862,7 @@ function portal_allow($clientip,$clientmac,$username,$password = null, $attribut
 			/* on the same username */
 			if (strcasecmp($cpentry[4], $username) == 0) {
 				/* This user was already logged in so we disconnect the old one */
-				captiveportal_disconnect($cpentry,$radiusservers[$cpentry[10]],13);
+				captiveportal_disconnect($cpentry,$radiusservers[$cpentry[11]],13);
 				captiveportal_logportalauth($cpentry[4],$cpentry[3],$cpentry[2],"CONCURRENT LOGIN - TERMINATING OLD SESSION");
 				$unsetindexes[] = $cpentry[5];
 				break;
@ -1851,7 +1902,7 @@ function portal_allow($clientip,$clientmac,$username,$password = null, $attribut
 			unlock($cpdblck);
 			$macrules = captiveportal_passthrumac_configure_entry($mac);
 			file_put_contents("{$g['tmp_path']}/macentry_{$cpzone}.rules.tmp", $macrules);
-			mwexec("/sbin/ipfw -x {$cpzone}-q {$g['tmp_path']}/macentry_{$cpzone}.rules.tmp");
+			mwexec("/sbin/ipfw -x {$cpzone} -q {$g['tmp_path']}/macentry_{$cpzone}.rules.tmp");
 			$writecfg = true;
 		} else {
 			/* See if a pipeno is passed, if not start sessions because this means there isn't one atm */
@ -1902,13 +1953,14 @@ function portal_allow($clientip,$clientmac,$username,$password = null, $attribut

 			/* encode password in Base64 just in case it contains commas */
 			$bpassword = base64_encode($password);
-			$insertquery  = "INSERT INTO captiveportal (allow_time, pipeno, ip, mac, username, sessionid, bpassword, session_timeout, idle_timeout, session_terminate_time, interim_interval) ";
+			$insertquery  = "INSERT INTO captiveportal (allow_time, pipeno, ip, mac, username, sessionid, bpassword, session_timeout, idle_timeout, session_terminate_time, interim_interval, radiusctx) ";
 			$insertquery .= "VALUES ({$allow_time}, {$pipeno}, '{$clientip}', '{$clientmac}', '{$safe_username}', '{$sessionid}', '{$bpassword}', ";
-			$insertquery .= "{$session_timeout}, {$idle_timeout}, {$session_terminate_time}, {$interim_interval})";
+			$insertquery .= "{$session_timeout}, {$idle_timeout}, {$session_terminate_time}, {$interim_interval}, '{$radiusctx}')";

 			/* store information to database */
 			captiveportal_write_db($insertquery);
 			unlock($cpdblck);
+			unset($insertquery, $bpassword);

 			if (isset($config['captiveportal'][$cpzone]['radacct_enable']) && !empty($radiusservers[$radiusctx])) {
 				$acct_val = RADIUS_ACCOUNTING_START($pipeno, $username, $sessionid, $radiusservers[$radiusctx], $clientip, $clientmac);
@ -1916,8 +1968,13 @@ function portal_allow($clientip,$clientmac,$username,$password = null, $attribut
 					captiveportal_logportalauth($username,$clientmac,$clientip,$type,"RADIUS ACCOUNTING FAILED");
 			}
 		}
-	} else
+	} else {
+		/* NOTE: #3062-11 If the pipeno has been allocated free it to not DoS the CP and maintain proper operation as in radius() case */
+		if (!is_null($pipeno))
+			captiveportal_free_dn_ruleno($pipeno);
+
 		unlock($cpdblck);
+	}

 	if ($writecfg == true)
 		write_config();
@ -1925,10 +1982,10 @@ function portal_allow($clientip,$clientmac,$username,$password = null, $attribut
 	/* redirect user to desired destination */
 	if (!empty($attributes['url_redirection']))
 		$my_redirurl = $attributes['url_redirection'];
+	else if (!empty($redirurl))
+		$my_redirurl = $redirurl;
 	else if (!empty($config['captiveportal'][$cpzone]['redirurl']))
 		$my_redirurl = $config['captiveportal'][$cpzone]['redirurl'];
-	else
-		$my_redirurl = $redirurl;

 	if(isset($config['captiveportal'][$cpzone]['logoutwin_enable']) && !$passthrumac) {
 		$ourhostname = portal_hostname_from_client_ip($clientip);
@ -1943,7 +2000,7 @@ function portal_allow($clientip,$clientmac,$username,$password = null, $attribut
 		include("{$g['varetc_path']}/captiveportal-{$cpzone}-logout.html");

 	} else {
-		header("Location: " . $my_redirurl);
+		portal_reply_page($my_redirurl, "redir", "Just redirect the user.");
 	}

 	return $sessionid;
--- a/etc/inc/certs.inc
+++ b/etc/inc/certs.inc
@ -34,8 +34,21 @@ define("OPEN_SSL_CONF_PATH", "/etc/ssl/openssl.cnf");

 require_once("functions.inc");

+global $openssl_digest_algs;
 $openssl_digest_algs = array("sha1", "sha224", "sha256", "sha384", "sha512");

+global $openssl_crl_status;
+$openssl_crl_status = array(
+	OCSP_REVOKED_STATUS_NOSTATUS              => "No Status (default)",
+	OCSP_REVOKED_STATUS_UNSPECIFIED           => "Unspecified",
+	OCSP_REVOKED_STATUS_KEYCOMPROMISE         => "Key Compromise",
+	OCSP_REVOKED_STATUS_CACOMPROMISE          => "CA Compromise",
+	OCSP_REVOKED_STATUS_AFFILIATIONCHANGED    => "Affiliation Changed",
+	OCSP_REVOKED_STATUS_SUPERSEDED            => "Superseded",
+	OCSP_REVOKED_STATUS_CESSATIONOFOPERATION  => "Cessation of Operation",
+	OCSP_REVOKED_STATUS_CERTIFICATEHOLD       => "Certificate Hold"
+);
+
 function & lookup_ca($refid) {
 	global $config;

@ -257,22 +270,28 @@ function cert_import(& $cert, $crt_str, $key_str) {

 function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $digest_alg = "sha256") {

-	$ca =& lookup_ca($caref);
-	if (!$ca)
-		return false;
+	$cert['type'] = $type;

-	$ca_str_crt = base64_decode($ca['crt']);
-	$ca_str_key = base64_decode($ca['prv']);
-	$ca_res_crt = openssl_x509_read($ca_str_crt);
-	$ca_res_key = openssl_pkey_get_private(array(0 => $ca_str_key, 1 => ""));
-	if(!$ca_res_key) return false;
-	$ca_serial = ++$ca['serial'];
+	if ($type != "self-signed") {
+		$cert['caref'] = $caref;
+		$ca =& lookup_ca($caref);
+		if (!$ca)
+			return false;
+
+		$ca_str_crt = base64_decode($ca['crt']);
+		$ca_str_key = base64_decode($ca['prv']);
+		$ca_res_crt = openssl_x509_read($ca_str_crt);
+		$ca_res_key = openssl_pkey_get_private(array(0 => $ca_str_key, 1 => ""));
+		if(!$ca_res_key) return false;
+		$ca_serial = ++$ca['serial'];
+	}

 	switch ($type) {
 		case "ca":
 			$cert_type = "v3_ca";
 			break;
 		case "server":
+		case "self-signed":
 			$cert_type = "server";
 			break;
 		default:
@ -291,11 +310,20 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $di
 	$res_key = openssl_pkey_new($args);
 	if(!$res_key) return false;

+	// If this is a self-signed cert, blank out the CA and sign with the cert's key
+	if ($type == "self-signed") {
+		$ca           = null;
+		$ca_res_crt   = null;
+		$ca_res_key   = $res_key;
+		$ca_serial    = 0;
+		$cert['type'] = "server";
+	}
+
 	// generate a certificate signing request
 	$res_csr = openssl_csr_new($dn, $res_key, $args);
 	if(!$res_csr) return false;

-	// self sign the certificate
+	// sign the certificate using an internal CA
 	$res_crt = openssl_csr_sign($res_csr, $ca_res_crt, $ca_res_key, $lifetime,
 				 $args, $ca_serial);
 	if(!$res_crt) return false;
@ -306,10 +334,8 @@ function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $type="user", $di
 		return false;

 	// return our certificate information
-	$cert['caref'] = $caref;
 	$cert['crt'] = base64_encode($str_crt);
 	$cert['prv'] = base64_encode($str_key);
-	$cert['type'] = $type;

 	return true;
 }
@ -482,6 +508,16 @@ function cert_get_dates($str_crt, $decode = true) {
 	return array($start, $end);
 }

+function cert_get_serial($str_crt, $decode = true) {
+	if ($decode)
+		$str_crt = base64_decode($str_crt);
+	$crt_details = openssl_x509_parse($str_crt);
+	if (isset($crt_details['serialNumber']) && !empty($crt_details['serialNumber']))
+		return $crt_details['serialNumber'];
+	else
+		return NULL;
+}
+
 function prv_get_modulus($str_crt, $decode = true){
 	return cert_get_modulus($str_crt, $decode, "prv");
 }
@ -561,32 +597,6 @@ function cert_in_use($certref) {
 		is_captiveportal_cert($certref));
 }

-/*
-CRL code is a *WORK IN PROGRESS* do not try to use these functions yet.
-
-OpenSSL CRL status code constants.
-OCSP_REVOKED_STATUS_NOSTATUS
-OCSP_REVOKED_STATUS_UNSPECIFIED
-OCSP_REVOKED_STATUS_KEYCOMPROMISE
-OCSP_REVOKED_STATUS_CACOMPROMISE
-OCSP_REVOKED_STATUS_AFFILIATIONCHANGED
-OCSP_REVOKED_STATUS_SUPERSEDED
-OCSP_REVOKED_STATUS_CESSATIONOFOPERATION
-OCSP_REVOKED_STATUS_CERTIFICATEHOLD
-OCSP_REVOKED_STATUS_REMOVEFROMCRL
-*/
-
-$openssl_crl_status = array(
-	OCSP_REVOKED_STATUS_NOSTATUS              => "No Status (default)",
-	OCSP_REVOKED_STATUS_UNSPECIFIED           => "Unspecified",
-	OCSP_REVOKED_STATUS_KEYCOMPROMISE         => "Key Compromise",
-	OCSP_REVOKED_STATUS_CACOMPROMISE          => "CA Compromise",
-	OCSP_REVOKED_STATUS_AFFILIATIONCHANGED    => "Affiliation Changed",
-	OCSP_REVOKED_STATUS_SUPERSEDED            => "Superseded",
-	OCSP_REVOKED_STATUS_CESSATIONOFOPERATION  => "Cessation of Operation",
-	OCSP_REVOKED_STATUS_CERTIFICATEHOLD       => "Certificate Hold"
-);
-
 function crl_create(& $crl, $caref, $name, $serial=0, $lifetime=9999) {
 	global $config;
 	$ca =& lookup_ca($caref);
@ -658,6 +668,22 @@ function cert_unrevoke($cert, & $crl) {
 	return false;
 }

+/* Compare two certificates to see if they match. */
+function cert_compare($cert1, $cert2) {
+	/* Ensure two certs are identical by first checking that their issuers match, then
+		subjects, then serial numbers, and finally the moduli. Anything less strict
+		could accidentally count two similar, but different, certificates as
+		being identical. */
+	$c1 = base64_decode($cert1['crt']);
+	$c2 = base64_decode($cert2['crt']);
+	if ((cert_get_issuer($c1, false) == cert_get_issuer($c2, false))
+		&& (cert_get_subject($c1, false) == cert_get_subject($c2, false))
+		&& (cert_get_serial($c1, false) == cert_get_serial($c2, false))
+		&& (cert_get_modulus($c1, false) == cert_get_modulus($c2, false)))
+		return true;
+	return false;
+}
+
 function is_cert_revoked($cert, $crlref = "") {
 	global $config;
 	if (!is_array($config['crl']))
@ -668,7 +694,7 @@ function is_cert_revoked($cert, $crlref = "") {
 		if (!is_array($crl['cert']))
 			return false;
 		foreach ($crl['cert'] as $rcert) {
-			if (($rcert['refid'] == $cert['refid']) || ($rcert['descr'] == $cert['descr']))
+			if (cert_compare($rcert, $cert))
 				return true;
 		}
 	} else {
@ -676,7 +702,7 @@ function is_cert_revoked($cert, $crlref = "") {
 			if (!is_array($crl['cert']))
 				continue;
 			foreach ($crl['cert'] as $rcert) {
-				if (($rcert['refid'] == $cert['refid']) || ($rcert['descr'] == $cert['descr']))
+				if (cert_compare($rcert, $cert))
 					return true;
 			}
 		}
--- a/etc/inc/config.console.inc
+++ b/etc/inc/config.console.inc
@ -51,13 +51,14 @@ function set_networking_interfaces_ports() {
 	$fp = fopen('php://stdin', 'r');

 	$memory = get_memory();
-	$avail = $memory[1];
+	$physmem = $memory[0];
+	$realmem = $memory[1];

-	if($avail < $g['minimum_ram_warning']) {
+	if($physmem < $g['minimum_ram_warning']) {
 		echo "\n\n\n";
 		echo gettext("DANGER!  WARNING!  ACHTUNG!") . "\n\n";
 		printf(gettext("%s requires *AT LEAST* %s RAM to function correctly.%s"), $g['product_name'], $g['minimum_ram_warning_text'], "\n");
-		printf(gettext("Only (%s) MB RAM has been detected.%s"), $avail, "\n");
+		printf(gettext("Only (%s) MB RAM has been detected, with (%s) available to %s.%s"), $realmem, $physmem, $g['product_name'], "\n");
 		echo "\n" . gettext("Press ENTER to continue.") . " ";
 		fgets($fp);
 		echo "\n";
--- a/etc/inc/config.lib.inc
+++ b/etc/inc/config.lib.inc
@ -308,10 +308,7 @@ function conf_mount_rw() {
 	if($g['platform'] == "cdrom" or $g['platform'] == "pfSense")
 		return;

-	if (!isset($config['system']['nanobsd_force_rw']) && (refcount_reference(1000) > 1))
-		return;
-
-	if (isset($config['system']['nanobsd_force_rw']) && is_writable("/"))
+	if ((refcount_reference(1000) > 1) && is_writable("/"))
 		return;

 	$status = mwexec("/sbin/mount -u -w -o sync,noatime {$g['cf_path']}");
@ -348,12 +345,15 @@ function conf_mount_ro() {
 	/* Do not trust $g['platform'] since this can be clobbered during factory reset. */
 	$platform = trim(file_get_contents("/etc/platform"));
 	/* do not umount on cdrom or pfSense platforms */
-	if($platform == "cdrom" or $platform == "pfSense" or isset($config['system']['nanobsd_force_rw']))
+	if($platform == "cdrom" or $platform == "pfSense")
 		return;

 	if (refcount_unreference(1000) > 0)
 		return;

+	if(isset($config['system']['nanobsd_force_rw']))
+		return;
+
 	if($g['booting'])
 		return;

@ -384,14 +384,16 @@ function convert_config() {

 	/* special case upgrades */
 	/* fix every minute crontab bogons entry */
-	$cron_item_count = count($config['cron']['item']);
-	for($x=0; $x<$cron_item_count; $x++) {
-		if(stristr($config['cron']['item'][$x]['command'], "rc.update_bogons.sh")) {
-			if($config['cron']['item'][$x]['hour'] == "*" ) {
-		        $config['cron']['item'][$x]['hour'] = "3";
-		 		write_config(gettext("Updated bogon update frequency to 3am"));
-		 		log_error(gettext("Updated bogon update frequency to 3am"));
-		 	}       
+	if (is_array($config['cron'])) {
+		$cron_item_count = count($config['cron']['item']);
+		for($x=0; $x<$cron_item_count; $x++) {
+			if(stristr($config['cron']['item'][$x]['command'], "rc.update_bogons.sh")) {
+				if($config['cron']['item'][$x]['hour'] == "*" ) {
+				$config['cron']['item'][$x]['hour'] = "3";
+					write_config(gettext("Updated bogon update frequency to 3am"));
+					log_error(gettext("Updated bogon update frequency to 3am"));
+				}       
+			}
 		}
 	}
 	if ($config['version'] == $g['latest_config'])
--- a/etc/inc/dyndns.class
+++ b/etc/inc/dyndns.class
@ -19,11 +19,13 @@
 	 *    - OpenDNS (opendns.com)
 	 *    - Namecheap (namecheap.com)
 	 *    - HE.net (dns.he.net)
+	 *    - HE.net IPv6 (dns.he.net)
 	 *    - HE.net Tunnelbroker IP update (ipv4.tunnelbroker.net)
 	 *    - SelfHost (selfhost.de)
 	 *    - Amazon Route 53 (aws.amazon.com)
 	 *    - DNS-O-Matic (dnsomatic.com)
 	 *    - Custom DDNS (any URL)
+	 *    - Custom DDNS IPv6 (any URL)
 	 * +----------------------------------------------------+
 	 *  Requirements:
 	 *    - PHP version 4.0.2 or higher with the CURL Library and the PCRE Library
@ -55,7 +57,8 @@
 	 *  DNSexit	   - Last Tested: 20 July 2008
 	 *  OpenDNS	   - Last Tested: 4 August 2008
 	 *  Namecheap	   - Last Tested: 31 August 2010
-	 *  HE.net         - Last Tested: NEVER
+	 *  HE.net         - Last Tested: 7 July 2013
+	 *  HE.net IPv6    - Last Tested: 7 July 2013
 	 *  HE.net Tunnel  - Last Tested: 28 June 2011
 	 *  SelfHost       - Last Tested: 26 December 2011
 	 *  Amazon Route 53 - Last tested: 01 April 2012
@ -74,6 +77,7 @@

 	class updatedns {
 		var $_cacheFile;
+		var $_cacheFile_v6;
 		var $_debugFile;
 		var $_UserAgent = 'User-Agent: phpDynDNS/0.7';
 		var $_errorVerbosity = 0;
@ -100,6 +104,7 @@
 		var $_dnsMaxCacheAgeDays;
 		var $_dnsDummyUpdateDone;
 		var $_forceUpdateNeeded;
+		var $_useIPv6;
 		
 		/* 
 		 * Public Constructor Function (added 12 July 05) [beta]
@ -119,6 +124,7 @@
 			global $config, $g;
 			
 			$this->_cacheFile = "{$g['conf_path']}/dyndns_{$dnsIf}{$dnsService}" . escapeshellarg($dnsHost) . "{$dnsID}.cache";
+			$this->_cacheFile_v6 = "{$g['conf_path']}/dyndns_{$dnsIf}{$dnsService}" . escapeshellarg($dnsHost) . "{$dnsID}_v6.cache";
 			$this->_debugFile = "{$g['varetc_path']}/dyndns_{$dnsIf}{$dnsService}" . escapeshellarg($dnsHost) . "{$dnsID}.debug";

 			$this->_dnsVerboseLog = $dnsVerboseLog;
@ -149,6 +155,14 @@
 				if (!$dnsHost) $this->_error(5);
 			}
 			
+			switch ($dnsService) {
+			case 'he-net-v6':
+			case 'custom-v6':
+				$this->_useIPv6 = true;
+				break;
+			default:
+				$this->_useIPv6 = false;
+			}
 			$this->_dnsService = strtolower($dnsService);
 			$this->_dnsUser = $dnsUser;
 			$this->_dnsPass = $dnsPass;
@ -201,9 +215,11 @@
 				case 'staticcling':
 				case 'dnsexit':
 				case 'custom':
+				case 'custom-v6':
 				case 'opendns':
 				case 'namecheap':
 				case 'he-net':
+				case 'he-net-v6':
 				case 'selfhost':
 				case 'he-net-tunnelbroker':
 				case 'route53':
@ -293,7 +309,7 @@
 				case 'noip-free':
 					$needsIP = TRUE;
 					curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
-					$server = "http://dynupdate.no-ip.com/ducupdate.php";
+					$server = "https://dynupdate.no-ip.com/ducupdate.php";
 					$port = "";
 					if($this->_dnsServer)
 						$server = $this->_dnsServer;
@ -315,7 +331,7 @@
 					$needsIP = TRUE;
 					curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
 					curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser.':'.$this->_dnsPass);
-					$server = "http://members.easydns.com/dyn/dyndns.php";
+					$server = "https://members.easydns.com/dyn/dyndns.php";
 					$port = "";
 					if($this->_dnsServer)
 						$server = $this->_dnsServer;
@ -351,7 +367,7 @@
 					break;
 				case 'dyns':
 					$needsIP = FALSE;
-					$server = "http://www.dyns.cx/postscript011.php";
+					$server = "https://www.dyns.cx/postscript011.php";
 					$port = "";
 					if($this->_dnsServer)
 						$server = $this->_dnsServer;
@ -399,11 +415,11 @@
 					break;
 				case 'freedns':
 					$needIP = FALSE;
-					curl_setopt($ch, CURLOPT_URL, 'http://freedns.afraid.org/dynamic/update.php?' . $this->_dnsPass);
+					curl_setopt($ch, CURLOPT_URL, 'https://freedns.afraid.org/dynamic/update.php?' . $this->_dnsPass);
 					break;
 				case 'dnsexit':
 					$needsIP = TRUE;
-					curl_setopt($ch, CURLOPT_URL, 'http://www.dnsexit.com/RemoteUpdate.sv?login='.$this->_dnsUser. '&password='.$this->_dnsPass.'&host='.$this->_dnsHost.'&myip='.$this->_dnsIP);
+					curl_setopt($ch, CURLOPT_URL, 'https://www.dnsexit.com/RemoteUpdate.sv?login='.$this->_dnsUser. '&password='.$this->_dnsPass.'&host='.$this->_dnsHost.'&myip='.$this->_dnsIP);
 					break;
 				case 'loopia':
 					$needsIP = TRUE;
@ -427,7 +443,7 @@

 				case 'staticcling':
 					$needsIP = FALSE;
-					curl_setopt($ch, CURLOPT_URL, 'http://www.staticcling.org/update.html?login='.$this->_dnsUser.'&pass='.$this->_dnsPass);
+					curl_setopt($ch, CURLOPT_URL, 'https://www.staticcling.org/update.html?login='.$this->_dnsUser.'&pass='.$this->_dnsPass);
 					break;	                    
 				case 'dnsomatic':
 					/* Example syntax 
@ -438,8 +454,16 @@
 						log_error("DNS-O-Matic: DNS update() starting.");
 					if (isset($this->_dnsWildcard) && $this->_dnsWildcard != "OFF") $this->_dnsWildcard = "ON";
 					curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
-					curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser.':'.$this->_dnsPass);
-					$server = "https://" . $this->_dnsUser . ":" . $this->_dnsPass . "@updates.dnsomatic.com/nic/update?hostname=";
+					/*
+					Reference: https://www.dnsomatic.com/wiki/api
+						DNS-O-Matic usernames are 3-25 characters.
+						DNS-O-Matic passwords are 6-20 characters.
+						All ASCII letters and numbers accepted.
+						Dots, dashes, and underscores allowed, but not at the beginning or end of the string.
+					Required: "rawurlencode" http://www.php.net/manual/en/function.rawurlencode.php
+						Encodes the given string according to RFC 3986.
+					*/
+					$server = "https://" . rawurlencode($this->_dnsUser) . ":" . rawurlencode($this->_dnsPass) . "@updates.dnsomatic.com/nic/update?hostname=";
 					if($this->_dnsServer)
 						$server = $this->_dnsServer;
 					if($this->_dnsPort)
@ -464,6 +488,7 @@
 					curl_setopt($ch, CURLOPT_URL, $server);
 					break;
 				case 'he-net':
+				case 'he-net-v6':
 					$needsIP = FALSE;
 					if ($this->_dnsVerboseLog)
 						log_error("HE.net ({$this->_dnsHost}): DNS update() starting.");
@ -554,6 +579,7 @@
 					$this->_checkStatus(0, $result);
 					break;
 				case 'custom':
+				case 'custom-v6':
 					if ($this->_dnsVerboseLog)
 						log_error("Custom DDNS ({$this->_dnsHost}): DNS update() starting.");
 					if (strstr($this->dnsUpdateURL, "%IP%")) {$needsIP = TRUE;} else {$needsIP = FALSE;}
@ -904,6 +930,7 @@
 					break;
 					
 				case 'he-net':
+				case 'he-net-v6':
 					if (preg_match("/badip/i", $data)) {
 						$status = "phpDynDNS: (Error) Bad Request - The IP provided was invalid.";
 					} else if (preg_match('/nohost/i', $data)) {
@ -970,6 +997,7 @@
 					$successful_update = true;
 					break;
 				case 'custom':
+				case 'custom-v6':
 					$successful_update = false;
 					if ($this->_dnsResultMatch == "") {
 						$successful_update = true;
@ -994,13 +1022,20 @@
 				/* Write WAN IP to cache file */
 				$wan_ip = $this->_checkIP();
 				conf_mount_rw();
-				if ($wan_ip > 0) {
+				if ($this->_useIPv6 == false && $wan_ip > 0) {
 					$currentTime = time();
 					notify_all_remote(sprintf(gettext("DynDNS updated IP Address on %s (%s) to %s"), convert_real_interface_to_friendly_descr($this->_if), $this->_if, $wan_ip));
 					log_error("phpDynDNS: updating cache file {$this->_cacheFile}: {$wan_ip}");
 					@file_put_contents($this->_cacheFile, "{$wan_ip}:{$currentTime}");
 				} else
 					@unlink($this->_cacheFile);
+				if ($this->_useIPv6 == true && $wan_ip > 0) {
+					$currentTime = time();
+					notify_all_remote(sprintf(gettext("DynDNS updated IPv6 Address on %s (%s) to %s"), convert_real_interface_to_friendly_descr($this->_if), $this->_if, $wan_ip));
+					log_error("phpDynDNS: updating cache file {$this->_cacheFile_v6}: {$wan_ip}");
+					@file_put_contents($this->_cacheFile_v6, "{$wan_ip}|{$currentTime}");
+				} else
+					@unlink($this->_cacheFile_v6);
 				conf_mount_ro();
 			}
 			$this->status = $status;
@ -1055,7 +1090,7 @@
 		/*
 		 * Private Function (added 12 July 05) [beta]
 		 *   - Detect whether or not IP needs to be updated.
-		 *      | Written Specifically for pfSense (pfsense.com) may
+		 *      | Written Specifically for pfSense (https://www.pfsense.org) may
 		 *      | work with other systems. pfSense base is FreeBSD.
 		 */
 		function _detectChange() {
@ -1073,20 +1108,38 @@
 			}
 			$log_error = "DynDns ({$this->_dnsHost}): Current WAN IP: {$wan_ip} ";

-			if (file_exists($this->_cacheFile)) {
-				$contents = file_get_contents($this->_cacheFile);
-				list($cacheIP,$cacheTime) = explode(':', $contents);
-				$this->_debug($cacheIP.'/'.$cacheTime);
-				$initial = false;
-				$log_error .= "Cached IP: {$cacheIP} ";
+			if ($this->_useIPv6 == true) {
+				if (file_exists($this->_cacheFile_v6)) {
+					$contents = file_get_contents($this->_cacheFile_v6);
+					list($cacheIP,$cacheTime) = explode('|', $contents);
+					$this->_debug($cacheIP.'/'.$cacheTime);
+					$initial = false;
+					$log_error .= "Cached IPv6: {$cacheIP} ";
+				} else {
+					conf_mount_rw();
+					$cacheIP = '::';
+					@file_put_contents($this->_cacheFile, "::|{$currentTime}");
+					conf_mount_ro();
+					$cacheTime = $currentTime;
+					$initial = true;
+					$log_error .= "No Cached IPv6 found.";
+				}
 			} else {
-				conf_mount_rw();
-				$cacheIP = '0.0.0.0';
-				@file_put_contents($this->_cacheFile, "0.0.0.0:{$currentTime}");
-				conf_mount_ro();
-				$cacheTime = $currentTime;
-				$initial = true;
-				$log_error .= "No Cached IP found.";
+				if (file_exists($this->_cacheFile)) {
+					$contents = file_get_contents($this->_cacheFile);
+					list($cacheIP,$cacheTime) = explode(':', $contents);
+					$this->_debug($cacheIP.'/'.$cacheTime);
+					$initial = false;
+					$log_error .= "Cached IP: {$cacheIP} ";
+				} else {
+					conf_mount_rw();
+					$cacheIP = '0.0.0.0';
+					@file_put_contents($this->_cacheFile, "0.0.0.0:{$currentTime}");
+					conf_mount_ro();
+					$cacheTime = $currentTime;
+					$initial = true;
+					$log_error .= "No Cached IP found.";
+				}
 			}
 			if ($this->_dnsVerboseLog)
 				log_error($log_error);
@ -1148,10 +1201,16 @@
 			if ($debug)
 				log_error("DynDns ({$this->_dnsHost}): _checkIP() starting.");

-			$ip_address = find_interface_ip($this->_if);
-			if (!is_ipaddr($ip_address))
-				return 0;
-			if (is_private_ip($ip_address)) {
+			if ($this->_useIPv6 == true) {
+				$ip_address = find_interface_ipv6($this->_if);
+				if (!is_ipaddrv6($ip_address))
+					return 0;
+			} else {
+				$ip_address = find_interface_ip($this->_if);
+				if (!is_ipaddr($ip_address))
+					return 0;
+			}
+			if ($this->_useIPv6 == false && is_private_ip($ip_address)) {
 				$hosttocheck = "checkip.dyndns.org";
 				$try = 0;
 				while ($try < 3) {
@ -1170,6 +1229,9 @@
 				curl_setopt($ip_ch, CURLOPT_INTERFACE, $ip_address);
 				curl_setopt($ip_ch, CURLOPT_CONNECTTIMEOUT, '30');
 				curl_setopt($ip_ch, CURLOPT_TIMEOUT, 120);
+				if ($this->_useIPv6 == false) {
+					curl_setopt($ip_ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
+				}	
 				$ip_result_page = curl_exec($ip_ch);
 				curl_close($ip_ch);
 				$ip_result_decoded = urldecode($ip_result_page);
--- a/etc/inc/easyrule.inc
+++ b/etc/inc/easyrule.inc
@ -71,7 +71,7 @@ function easyrule_find_rule_interface($int) {
 	return false;
 }

-function easyrule_block_rule_exists($int = 'wan') {
+function easyrule_block_rule_exists($int = 'wan', $ipproto = "inet") {
 	global $blockaliasname, $config;
 	/* No rules, we we know it doesn't exist */
 	if (!is_array($config['filter']['rule'])) {
@ -82,7 +82,8 @@ function easyrule_block_rule_exists($int = 'wan') {
 	foreach ($config['filter']['rule'] as $rule) {
 		if (!is_array($rule) || !is_array($rule['source']))
 			continue;
-		if ($rule['source']['address'] == $blockaliasname . strtoupper($int) && ($rule['interface'] == $int) && ($rule['ipprotocol'] == $ipproto))
+		$checkproto = isset($rule['ipprotocol']) ? $rule['ipprotocol'] : "inet";
+		if ($rule['source']['address'] == $blockaliasname . strtoupper($int) && ($rule['interface'] == $int) && ($checkproto == $ipproto))
 			return true;
 	}
 	return false;
@ -272,7 +273,7 @@ function easyrule_pass_rule_add($int, $proto, $srchost, $dsthost, $dstport, $ipp
 	if ($proto == "icmp")
 		$filterent['icmptype'] = 'echoreq';

-	if (strtolower($proto) == "icmp6")
+	if ((strtolower($proto) == "icmp6") || (strtolower($proto) == "icmpv6"))
 		$filterent['protocol'] = "icmp";

 	if (is_subnet($srchost)) {
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@ -58,6 +58,29 @@ $filterdns = array();
 /* Used for aliases and interface macros */
 $aliases = "";

+function fix_rule_label($descr) {
+	$descr = str_replace('"', '', $descr);
+	if (strlen($descr) > 63)
+		return substr($descr, 0, 60) . "...";
+	else
+		return $descr;
+}
+
+function is_bogonsv6_used() {
+	global $config, $g;
+	# Only use bogonsv6 table if IPv6 Allow is on, and at least 1 enabled interface also has "blockbogons" enabled.
+	$usebogonsv6 = false;
+	if (isset($config['system']['ipv6allow'])) {
+		foreach ($config['interfaces'] as $ifacedata) {
+			if(isset($ifacedata['enable']) && isset($ifacedata['blockbogons'])) {
+				$usebogonsv6 = true;
+				break;
+			}
+		}
+	}
+	return $usebogonsv6;
+}
+
 function flowtable_configure() {
 	global $config, $g;

@ -93,13 +116,16 @@ function filter_pflog_start($kill_first = false) {
 	}
 	mute_kernel_msgs();
 	$output = 0;
-	exec("/bin/pgrep -af 'tcpdump -s 256 -v -S -l -n -e -ttt -i pflog0'", $output, $retval);
+	$tcpdump_cmd = "tcpdump -s 256 -v -S -l -n -e -ttt -i pflog0";
+	exec("/bin/pgrep -af '{$tcpdump_cmd}'", $output, $retval);
 	if ($kill_first && ($output[0] > 1)) {
 		mwexec("/bin/kill {$output[0]}");
 		usleep(1000);
+		/* Ensure the restart below runs */
+		$retval = 1;
 	}
 	if($retval != 0)
-		mwexec_bg("/usr/sbin/tcpdump -s 256 -v -S -l -n -e -ttt -i pflog0 | logger -t pf -p local0.info");
+		mwexec_bg("/usr/sbin/{$tcpdump_cmd} | logger -t pf -p local0.info");
 	unmute_kernel_msgs();
 }

@ -126,6 +152,7 @@ function filter_delete_states_for_down_gateways() {
 	if (isset($config['system']['kill_states']))
 		return;

+	$any_gateway_down = false;
 	$a_gateways = return_gateways_status();
 	if (is_array($GatewaysList)) {
 		foreach ($GatewaysList as $gwname => $gateway) {
@ -139,20 +166,13 @@ function filter_delete_states_for_down_gateways() {
 				continue;
 			$gwstatus =& $a_gateways[$gateway['monitor']];
 			if (strstr($gwstatus['status'], "down")) {
-				if (!empty($gateway['interface']))
-					$gwiface = $gateway['interface'];
-				else
-					$gwiface = get_real_interface($gateway['friendlyiface']);
-				$cmd = "/sbin/pfctl -i {$gwiface} -Fs";
-				mwexec($cmd);
-				$gwip = $gateway['gateway'];
-				if (is_ipaddr($gwip)) {
-					$cmd = "/sbin/pfctl -i {$gwiface} -Fs -G {$gwip}";
-					mwexec($cmd);
-				}
+				$any_gateway_down = true;
+				break;
 			}
 		}
 	}
+	if ($any_gateway_down == true)
+		mwexec("/sbin/pfctl -Fs");
 }

 /* reload filter sync */
@ -221,10 +241,6 @@ function filter_configure_sync($delete_states_if_needed = true) {
 		return;
 	}

-	// Copy rules.debug to rules.debug.old
-	if(file_exists("{$g['tmp_path']}/rules.debug"))
-		@copy("{$g['tmp_path']}/rules.debug", "{$g['tmp_path']}/rules.debug.old");
-
 	$limitrules = "";
 	/* Define the maximum number of tables the system can handle (should be at least aliases*2+some spare) */
 	$maxtables = is_numeric($config['system']['maximumtables']) ? $config['system']['maximumtables'] : "3000";
@ -277,11 +293,13 @@ function filter_configure_sync($delete_states_if_needed = true) {
 	$rules .= "{$altq_queues}\n";
 	$rules .= "{$natrules}\n";
 	$rules .= "{$pfrules}\n";
-
 	$rules .= discover_pkg_rules("filter");

-	@file_put_contents("{$g['tmp_path']}/rules.limits", $limitrules);
-	mwexec("/sbin/pfctl -o basic -f {$g['tmp_path']}/rules.limits");
+	unset($aliases, $gateways, $altq_queues, $natrules, $pfrules);
+
+	// Copy rules.debug to rules.debug.old
+	if(file_exists("{$g['tmp_path']}/rules.debug"))
+		@copy("{$g['tmp_path']}/rules.debug", "{$g['tmp_path']}/rules.debug.old");

 	if (!@file_put_contents("{$g['tmp_path']}/rules.debug", $rules, LOCK_EX)) {
 		log_error("WARNING: Could not write new rules!");
@ -289,6 +307,8 @@ function filter_configure_sync($delete_states_if_needed = true) {
 		return;
 	}

+	@file_put_contents("{$g['tmp_path']}/rules.limits", $limitrules);
+	mwexec("/sbin/pfctl -Of {$g['tmp_path']}/rules.limits");
 	unset($rules, $limitrules);

 	if(isset($config['system']['developerspew'])) {
@ -302,33 +322,39 @@ function filter_configure_sync($delete_states_if_needed = true) {
 		echo "pfctl done at $mt\n";
 	}
 	/*
-	 * check for a error while loading the rules file.	if an error has occured
+	 * check for a error while loading the rules file.	if an error has occurred
 	 * then output the contents of the error to the caller
 	 */
 	if($rules_loading <> 0) {
+		$saved_line_error = $rules_error[0];
 		$line_error = explode(":", $rules_error[0]);
 		$line_number = $line_error[1];
 		$line_split = file("{$g['tmp_path']}/rules.debug");
 		if(is_array($line_split))
 			$line_error = sprintf(gettext('The line in question reads [%1$d]: %2$s'), $line_number, $line_split[$line_number-1]);
 		unset($line_split);
-		if ($line_error and $line_number) {
-			file_notice("filter_load", sprintf(gettext('There were error(s) loading the rules: %1$s - %2$s'), $rules_error[0], $line_error), "Filter Reload", "");
-			update_filter_reload_status(sprintf(gettext('There were error(s) loading the rules: %1$s - %2$s'), $rules_error[0], $line_error));
-			unlock($filterlck);
-			return;
-		}
+
 		/* Brutal ugly hack but required -- PF is stuck, unwedge */
 		if (strstr("$rules_error[0]", "busy")) {
 			exec("/sbin/pfctl -d; /sbin/pfctl -e; /sbin/pfctl -f {$g['tmp_path']}/rules.debug");
 			$error_msg = gettext("PF was wedged/busy and has been reset.");
 			file_notice("pf_busy", $error_msg, "pf_busy", "");
+		} else {
+			$_grbg = exec("/sbin/pfctl -o basic -f {$g['tmp_path']}/rules.debug.old 2>&1");
+		}
+		unset($rules_loading, $rules_error);
+
+		if ($line_error and $line_number) {
+			file_notice("filter_load", sprintf(gettext('There were error(s) loading the rules: %1$s - %2$s'), $saved_line_error, $line_error), "Filter Reload", "");
+			update_filter_reload_status(sprintf(gettext('There were error(s) loading the rules: %1$s - %2$s'), $saved_line_error, $line_error));
+			unlock($filterlck);
+			return;
 		}
 	}

-	# If allow IPv6 has been unchecked then we can remove any bogonsv6 table (if the table is not there, the kill is still fine).
-	if (!isset($config['system']['ipv6allow']))
-		$_grbg = exec("/sbin/pfctl -t bogonsv6 -T kill");
+	# If we are not using bogonsv6 then we can remove any bogonsv6 table from the running pf (if the table is not there, the kill is still fine).
+	if (!is_bogonsv6_used())
+		$_grbg = exec("/sbin/pfctl -t bogonsv6 -T kill 2>/dev/null");

 	update_filter_reload_status(gettext("Starting up layer7 daemon"));
 	layer7_start_l7daemon();
@ -343,7 +369,11 @@ function filter_configure_sync($delete_states_if_needed = true) {
 			 * FilterDNS has three debugging levels. The default choosen is 1.
 			 * Availabe are level 2 and greater then 2.
 			 */
-			mwexec("/usr/local/sbin/filterdns -p {$g['varrun_path']}/filterdns.pid -i 300 -c {$g['varetc_path']}/filterdns.conf -d 1");
+			if (isset($config['system']['aliasesresolveinterval']) && is_numeric($config['system']['aliasesresolveinterval']))
+				$resolve_interval = $config['system']['aliasesresolveinterval'];
+			else
+				$resolve_interval = 300;
+			mwexec("/usr/local/sbin/filterdns -p {$g['varrun_path']}/filterdns.pid -i {$resolve_interval} -c {$g['varetc_path']}/filterdns.conf -d 1");
 		}
 	} else {
 		killbypid("{$g['varrun_path']}/filterdns.pid");
@ -353,9 +383,12 @@ function filter_configure_sync($delete_states_if_needed = true) {
 	/* run items scheduled for after filter configure run */
 	$fda = fopen("{$g['tmp_path']}/commands.txt", "w");
 	if($fda) {
-		if($after_filter_configure_run)
+		if($after_filter_configure_run) {
 			foreach($after_filter_configure_run as $afcr)
 				fwrite($fda, $afcr . "\n");
+			unset($after_filter_configure_run);
+		}
+
 		/*
 		 *      we need a way to let a user run a shell cmd after each
 		 *      filter_configure() call.  run this xml command after
@ -371,6 +404,7 @@ function filter_configure_sync($delete_states_if_needed = true) {
 		mwexec("sh {$g['tmp_path']}/commands.txt &");
 		unlink("{$g['tmp_path']}/commands.txt");
 	}
+
 	/* if time based rules are enabled then swap in the set */
 	if($time_based_rules == true)
 		filter_tdr_install_cron(true);
@ -440,7 +474,7 @@ function filter_generate_scrubing() {
 	return $scrubrules;
 }

-function filter_generate_nested_alias($name, $alias, &$aliasnesting, &$aliasaddrnesting) {
+function filter_generate_nested_alias($name, $alias, &$aliasnesting, &$aliasaddrnesting, $all = false) {
 	global $aliastable, $filterdns;

 	$addresses = explode(" ", $alias);
@ -471,9 +505,9 @@ function filter_generate_nested_alias($name, $alias, &$aliasnesting, &$aliasaddr
 			}
 			/* We already expanded this alias so there is no neccessity to do it again. */
 			else if(!isset($aliasnesting[$address]))
-				$tmpline = filter_generate_nested_alias($name, $aliastable[$address], $aliasnesting, $aliasaddrnesting);
+				$tmpline = filter_generate_nested_alias($name, $aliastable[$address], $aliasnesting, $aliasaddrnesting, $all);
 		} else if(!isset($aliasaddrnesting[$address])) {
-			if (!is_ipaddr($address) && !is_subnet($address) && !is_port($address) && is_hostname($address)) {
+			if ($all === false && !is_ipaddr($address) && !is_subnet($address) && !is_port($address) && is_hostname($address)) {
 				if (!isset($filterdns["{$address}{$name}"]))
 					$filterdns["{$address}{$name}"] = "pf {$address} {$name}\n";
 				continue;
@ -501,12 +535,7 @@ function filter_expand_alias($alias_name, $all = false)
 			if($aliased['name'] == $alias_name) {
 				$aliasnesting = array();
 				$aliasaddrnesting = array();
-				$result = filter_generate_nested_alias($aliased['name'], $aliased['address'], $aliasnesting, $aliasaddrnesting);
-				if ($all === true)
-					foreach ($aliasaddrnesting as $addr)
-						if (!preg_match("/\s*$addr\s*/", $result))
-							$result .= " {$addr}";
-				return $result;
+				return filter_generate_nested_alias($aliased['name'], $aliased['address'], $aliasnesting, $aliasaddrnesting, $all);
 			}
 		}
 	}
@ -566,7 +595,7 @@ function filter_generate_aliases() {
 	if (!file_exists("/etc/bogonsv6"))
 		@file_put_contents("/etc/bogonsv6", "");
 	$aliases .= "table <bogons> persist file \"/etc/bogons\"\n";
-	if (isset($config['system']['ipv6allow']))
+	if (is_bogonsv6_used())
 		$aliases .= "table <bogonsv6> persist file \"/etc/bogonsv6\"\n";

 	$vpns_list = filter_get_vpns_list();
@ -646,6 +675,7 @@ function filter_generate_aliases() {
 	}
 	$result = "{$alias} \n";
 	$result .= "{$aliases}";
+
 	return $result;
 }

@ -754,10 +784,15 @@ function filter_get_vpns_list() {
 		if(is_array($config['openvpn']["openvpn-$type"])) {
 			foreach ($config['openvpn']["openvpn-$type"] as $settings) {
 				if(is_array($settings)) {
-					if (is_subnet($settings['remote_network']) && $settings['remote_network'] <> "0.0.0.0/0")
-						$vpns_arr[] = $settings['remote_network'];
-					if (is_subnet($settings['tunnel_network']) && $settings['tunnel_network'] <> "0.0.0.0/0")
-						$vpns_arr[] = $settings['tunnel_network'];
+					if (!isset($settings['disable'])) {
+						$remote_networks = explode(',', $settings['remote_network']);
+						foreach ($remote_networks as $remote_network) {
+							if (is_subnet($remote_network) && ($remote_network <> "0.0.0.0/0"))
+								$vpns_arr[] = $remote_network;
+						}
+						if (is_subnet($settings['tunnel_network']) && $settings['tunnel_network'] <> "0.0.0.0/0")
+							$vpns_arr[] = $settings['tunnel_network'];
+					}
 				}
 			}
 		}
@ -868,7 +903,7 @@ function filter_generate_optcfg_array() {
 		if(!is_ipaddrv6($oc['ipaddrv6']) && !empty($oc['ipaddrv6']))
 			$oic['type6'] = $oc['ipaddrv6'];
 		if (!empty($oc['track6-interface']))
-			$oc['track6-interface'] = $oc['track6-interface'];
+			$oic['track6-interface'] = $oc['track6-interface'];
 		$oic['sn'] = get_interface_subnet($if);
 		$oic['snv6'] = get_interface_subnetv6($if);
 		$oic['mtu'] = empty($oc['mtu']) ? 1500 : $oc['mtu'];
@ -1159,11 +1194,12 @@ function filter_generate_reflection_proxy($rule, $nordr, $rdr_ifs, $srcaddr, $ds
 		}

 		$dstaddr = explode(" ", $dstaddr_port);
-		if($dstaddr[2])
-			$rflctintrange = $dstaddr[2];
-		else
+		if($dstaddr[2]) {
+			$rflctintrange = array_pop($dstaddr);
+			array_pop($dstaddr);
+		} else
 			return "";
-		$dstaddr = $dstaddr[0];
+		$dstaddr = implode(" ", $dstaddr);
 		if(empty($dstaddr) || trim($dstaddr) == "0.0.0.0" || strtolower(trim($dstaddr)) == "port")
 			return "";

@ -1228,13 +1264,13 @@ function filter_generate_reflection_proxy($rule, $nordr, $rdr_ifs, $srcaddr, $ds
 					$delta = 0;

 				if(($inetdport + $delta + 1) - $starting_localhost_port_tmp > 500) {
-					log_error("Not installing nat reflection rules for a port range > 500");
+					log_error("Not installing NAT reflection rules for a port range > 500");
 					$inetdport = $starting_localhost_port;
 					$toadd_array = array();
 					$toomanyports = true;
 					break;
 				} else if(($inetdport + $delta) > 19990) {
-					log_error("Installing partial nat reflection rules. Maximum 1,000 reached.");
+					log_error("Installing partial NAT reflection rules. Maximum 1,000 reached.");
 					$delta = 19990 - $inetdport;
 					$loc_pt[1] = $loc_pt[0] + $delta;
 					if($delta == 0)
@ -1324,6 +1360,12 @@ function filter_nat_rules_generate_if($if, $src = "any", $srcport = "", $dst = "
 			$protocol = " proto {$proto}";
 	} else
 		$protocol = "";
+	/* Set tgt for IPv6 */ 
+	if ($proto == "ipv6") {
+		$natip = get_interface_ipv6($if);
+		if(is_ipaddrv6($natip))
+			$tgt = "{$natip}/128";
+	}
 	/* Add the hard set source port (useful for ISAKMP) */
 	if($natport != "")
 		$tgt .= " port {$natport}";
@ -1561,8 +1603,6 @@ function filter_nat_rules_generate() {
 			$netip = explode("/", $route['network']);
 			if (isset($GatewaysList[$route['gateway']])) {
 				$gateway =& $GatewaysList[$route['gateway']];
-				$gatewayip = $gateway['gateway'];
-				$interfacegw = $gateway['interface'];
 				if(!interface_has_gateway($gateway['interface']) && is_private_ip($netip[0])) {
 					$numberofnathosts++;
 					$tonathosts .= "{$route['network']} ";
@ -1573,10 +1613,8 @@ function filter_nat_rules_generate() {
 		foreach($FilterIflist as $ocname => $oc) {
 			if(!interface_has_gateway($ocname)) {
 				if(is_ipaddr($oc['alias-address'])) {
-					$aliastarget = $oc['alias-address'];
-					$aliassubnet = $oc['alias-subnet'];
 					$numberofnathosts++;
-					$tonathosts .= "{$oc['sa']}/{$oc['sn']} ";
+					$tonathosts .= "{$oc['alias-address']}/{$oc['alias-subnet']} ";
 				}
 				if($oc['sa']) {
 					$tonathosts .= "{$oc['sa']}/{$oc['sn']} ";
@ -1632,9 +1670,10 @@ function filter_nat_rules_generate() {
 			!empty($config['ipsec']['client']['pool_address']) &&
 			!empty($config['ipsec']['client']['pool_netbits'])) {
 			$tonathosts .= "{$config['ipsec']['client']['pool_address']}/{$config['ipsec']['client']['pool_netbits']} ";
+			$numberofnathosts++;
 		}
 		$natrules .= "\n# Subnets to NAT \n";
-		$tonathosts .= "127.0.0.0/8 0.0.0.0 ";
+		$tonathosts .= "127.0.0.0/8 ";
 		if($numberofnathosts > 4) {
 			$natrules .= "table <tonatsubnets> { {$tonathosts} }\n";
 			$macroortable = "<tonatsubnets>";
@ -1845,19 +1884,20 @@ function filter_nat_rules_generate() {
 					}
 				}

-				if($reflection_type == "proxy" && !isset($rule['nordr'])) {
-					$natrules .= filter_generate_reflection_proxy($rule, $nordr, $nat_if_list, $srcaddr, $dstaddr, $starting_localhost_port, $reflection_rules);
-					$nat_if_list = array($natif);
-
-					foreach ($reflection_rules as $txtline)
-						fwrite($inetd_fd, $txtline);
-				} else if($reflection_type == "purenat" || isset($rule['nordr'])) {
-					$rdr_if_list = implode(" ", $nat_if_list);
-					if(count($nat_if_list) > 1)
-						$rdr_if_list = "{ {$rdr_if_list} }";
-					$natrules .= "\n# Reflection redirect\n";
-					$natrules .= "{$nordr}rdr {$rdrpass}on {$rdr_if_list} proto {$protocol} from {$srcaddr} to {$dstaddr_reflect}" . ($nordr == "" ? " -> {$target}{$localport}" : "");
-					$nat_if_list = array_merge(array($natif), $nat_if_list);
+				if ($reflection_type != "none") {
+					if($reflection_type == "proxy" && !isset($rule['nordr'])) {
+						$natrules .= filter_generate_reflection_proxy($rule, $nordr, $nat_if_list, $srcaddr, $dstaddr, $starting_localhost_port, $reflection_rules);
+						$nat_if_list = array($natif);
+						foreach ($reflection_rules as $txtline)
+							fwrite($inetd_fd, $txtline);
+					} else if($reflection_type == "purenat" || isset($rule['nordr'])) {
+						$rdr_if_list = implode(" ", $nat_if_list);
+						if(count($nat_if_list) > 1)
+							$rdr_if_list = "{ {$rdr_if_list} }";
+						$natrules .= "\n# Reflection redirect\n";
+						$natrules .= "{$nordr}rdr {$rdrpass}on {$rdr_if_list} proto {$protocol} from {$srcaddr} to {$dstaddr_reflect}" . ($nordr == "" ? " -> {$target}{$localport}" : "");
+						$nat_if_list = array_merge(array($natif), $nat_if_list);
+					}
 				}

 				if(empty($nat_if_list))
@ -1908,13 +1948,47 @@ function filter_generate_user_rule_arr($rule) {
 	$ret['rule'] = $line;
 	$ret['interface'] = $rule['interface'];
 	if($rule['descr'] != "" and $line != "")
-		$ret['descr'] = "label \"USER_RULE: " . str_replace('"', '', substr($rule['descr'], 0, 52)) . "\"";
+		$ret['descr'] = "label \"" . fix_rule_label("USER_RULE: {$rule['descr']}") . "\"";
 	else
 		$ret['descr'] = "label \"USER_RULE\"";

 	return $ret;
 }

+function filter_generate_port(& $rule, $target = "source", $isnat = false) {
+
+	$src = "";
+
+	$rule['protocol'] = strtolower($rule['protocol']);
+	if(in_array($rule['protocol'], array("tcp","udp","tcp/udp"))) {
+		if($rule[$target]['port']) {
+			$srcport = explode("-", $rule[$target]['port']);
+			$srcporta = alias_expand($srcport[0]);
+			if(!$srcporta)
+				log_error(sprintf(gettext("filter_generate_port: %s is not a valid {$target} port."), $srcport[0]));
+			else if((!$srcport[1]) || ($srcport[0] == $srcport[1])) {
+				$src .= " port {$srcporta} ";
+			} else if(($srcport[0] == 1) && ($srcport[1] == 65535)) {
+			/* no need for a port statement here */
+			} else if ($isnat) {
+				$src .= " port {$srcport[0]}:{$srcport[1]}";
+			} else {
+				if(is_port($srcporta) && $srcport[1] == 65535) {
+					$src .= " port >= {$srcporta} ";
+				} else if($srcport[0] == 1) {
+					$src .= " port <= {$srcport[1]} ";
+				} else {
+					$srcport[0]--;
+					$srcport[1]++;
+					$src .= " port {$srcport[0]} >< {$srcport[1]} ";
+				}
+			}
+		}
+	}
+
+	return $src;
+}
+
 function filter_generate_address(& $rule, $target = "source", $isnat = false) {
 	global $FilterIflist, $config;
 	$src = "";
@ -2050,32 +2124,7 @@ function filter_generate_address(& $rule, $target = "source", $isnat = false) {
 		$src = " {$not} {$expsrc}";
 	}

-	$rule['protocol'] = strtolower($rule['protocol']);
-	if(in_array($rule['protocol'], array("tcp","udp","tcp/udp"))) {
-		if($rule[$target]['port']) {
-			$srcport = explode("-", $rule[$target]['port']);
-			$srcporta = alias_expand($srcport[0]);
-			if(!$srcporta)
-				log_error(sprintf(gettext("filter_generate_address: %s is not a valid source port."), $srcport[0]));
-			else if((!$srcport[1]) || ($srcport[0] == $srcport[1])) {
-				$src .= " port {$srcporta} ";
-			} else if(($srcport[0] == 1) && ($srcport[1] == 65535)) {
-			/* no need for a port statement here */
-			} else if ($isnat) {
-				$src .= " port {$srcport[0]}:{$srcport[1]}";
-			} else {
-				if(is_port($srcporta) && $srcport[1] == 65535) {
-					$src .= " port >= {$srcporta} ";
-				} else if($srcport[0] == 1) {
-					$src .= " port <= {$srcport[1]} ";
-				} else {
-					$srcport[0]--;
-					$srcport[1]++;
-					$src .= " port {$srcport[0]} >< {$srcport[1]} ";
-				}
-			}
-		}
-	}
+	$src .= filter_generate_port($rule, $target, $isnat);

 	return $src;
 }
@ -2144,12 +2193,14 @@ function filter_generate_user_rule($rule) {

 	/* check for unresolvable aliases */
 	if($rule['source']['address'] && !alias_expand($rule['source']['address'])) {
-		file_notice("Filter_Reload", "# unresolvable source aliases {$rule['descr']}");
-		return "# unresolvable source aliases {$rule['descr']}";
+		$error_text = "Unresolvable source alias '{$rule['source']['address']}' for rule '{$rule['descr']}'";
+		file_notice("Filter_Reload", $error_text);
+		return "# {$error_text}";
 	}
 	if($rule['destination']['address'] && !alias_expand($rule['destination']['address'])) {
-		file_notice("Filter_Reload", "# unresolvable dest aliases {$rule['descr']}");
-		return "# unresolvable dest aliases {$rule['descr']}";
+		$error_text = "Unresolvable destination alias '{$rule['destination']['address']}' for rule '{$rule['descr']}'";
+		file_notice("Filter_Reload", $error_text);
+		return "# {$error_text}";
 	}
 	update_filter_reload_status("Setting up pass/block rules");
 	$type = $rule['type'];
@ -2253,8 +2304,19 @@ function filter_generate_user_rule($rule) {
 		$aline['tag'] = " tag " .$rule['tag']. " ";
 	if (!empty($rule['tagged']))
 		$aline['tagged'] = " tagged " .$rule['tagged'] . " ";
-	if (!empty($rule['dscp']))
-		$aline['dscp'] = " dscp " . $rule['dscp'] . " ";
+	if (!empty($rule['dscp'])) {
+		switch (strtolower($rule['dscp'])) {
+			case 'va':  $aline['dscp'] = " dscp 44 "; break;
+			case 'cs1': $aline['dscp'] = " dscp 8 ";  break;
+			case 'cs2': $aline['dscp'] = " dscp 16 "; break;
+			case 'cs3': $aline['dscp'] = " dscp 24 "; break;
+			case 'cs4': $aline['dscp'] = " dscp 32 "; break;
+			case 'cs5': $aline['dscp'] = " dscp 40 "; break;
+			case 'cs6': $aline['dscp'] = " dscp 48 "; break;
+			case 'cs7': $aline['dscp'] = " dscp 56 "; break;
+			default:    $aline['dscp'] = " dscp " . preg_replace('/\s.*$/', '', $rule['dscp']) . " "; break;
+		}
+	}
 	if (!empty($rule['vlanprio']) && ($rule['vlanprio'] != "none"))
 		$aline['vlanprio'] = " ieee8021q-pcp " . $rule['vlanprio'] . " ";
 	if (!empty($rule['vlanprioset']) && ($rule['vlanprioset'] != "none"))
@ -2262,39 +2324,40 @@ function filter_generate_user_rule($rule) {
 	if ($type == "pass") {
 		if (isset($rule['allowopts']))
 			$aline['allowopts'] = " allow-opts ";
-
-		$aline['flags'] = "";
-		if ($rule['protocol'] == "tcp") {
-			if (isset($rule['tcpflags_any']))
-				$aline['flags'] = "flags any ";
-			else if (!empty($rule['tcpflags2'])) {
-				$aline['flags'] = "flags ";
-				if (!empty($rule['tcpflags1'])) {
-					$flags1 = explode(",", $rule['tcpflags1']);
-					foreach ($flags1 as $flag1) {
-						// CWR flag needs special treatment
-						if($flag1[0] == "c")
-							$aline['flags'] .= "W";
-						else
-							$aline['flags'] .= strtoupper($flag1[0]);
-					}
+	}
+	$aline['flags'] = "";
+	if ($rule['protocol'] == "tcp") {
+		if (isset($rule['tcpflags_any']))
+			$aline['flags'] = "flags any ";
+		else if (!empty($rule['tcpflags2'])) {
+			$aline['flags'] = "flags ";
+			if (!empty($rule['tcpflags1'])) {
+				$flags1 = explode(",", $rule['tcpflags1']);
+				foreach ($flags1 as $flag1) {
+					// CWR flag needs special treatment
+					if($flag1[0] == "c")
+						$aline['flags'] .= "W";
+					else
+						$aline['flags'] .= strtoupper($flag1[0]);
 				}
-				$aline['flags'] .= "/";
-				if (!empty($rule['tcpflags2'])) {
-					$flags2 = explode(",", $rule['tcpflags2']);
-					foreach ($flags2 as $flag2) {
-						// CWR flag needs special treatment
-						if($flag2[0] == "c")
-							$aline['flags'] .= "W";
-						else
-							$aline['flags'] .= strtoupper($flag2[0]);
-					}
+			}
+			$aline['flags'] .= "/";
+			if (!empty($rule['tcpflags2'])) {
+				$flags2 = explode(",", $rule['tcpflags2']);
+				foreach ($flags2 as $flag2) {
+					// CWR flag needs special treatment
+					if($flag2[0] == "c")
+						$aline['flags'] .= "W";
+					else
+						$aline['flags'] .= strtoupper($flag2[0]);
 				}
-				$aline['flags'] .= " ";
-			} else
-				$aline['flags'] = "flags S/SA ";
+			}
+			$aline['flags'] .= " ";
+		} else {
+			$aline['flags'] = "flags S/SA ";
 		}
-
+	}
+	if ($type == "pass") {
 		/*
 		 *	# keep state
 		 *		works with TCP, UDP, and ICMP.
@ -2309,7 +2372,7 @@ function filter_generate_user_rule($rule) {
 		 *		queueing in certain situations. please check the faq.
 		 */
 		$noadvoptions = false;
-		if(isset($rule['statetype']) && $rule['statetype'] <> "") {
+		if (isset($rule['statetype']) && $rule['statetype'] <> "") {
 			switch($rule['statetype']) {
 				case "none":
 					$noadvoptions = true;
@ -2317,7 +2380,7 @@ function filter_generate_user_rule($rule) {
 					break;
 				case "modulate state":
 				case "synproxy state":
-					if($rule['protocol'] == "tcp")
+					if ($rule['protocol'] == "tcp")
 						$aline['flags'] .= "{$rule['statetype']} ";
 					break;
 				case "sloppy state":
@ -2331,32 +2394,38 @@ function filter_generate_user_rule($rule) {
 		} else
 			$aline['flags'] .= "keep state ";

-		if($noadvoptions == false || $l7_present)
-			if( (isset($rule['source-track']) and $rule['source-track'] <> "") or
+		if ($noadvoptions == false || $l7_present)
+			if ((isset($rule['source-track']) and $rule['source-track'] <> "") or
 			    (isset($rule['max']) and $rule['max'] <> "") or
 			    (isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "") or
-			    (isset($rule['max-src-conn']) and $rule['max-src-conn'] <> "") or
-			    (isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> "") or
-			    (isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "") or
 			    (isset($rule['max-src-states']) and $rule['max-src-states'] <> "") or
-			    (isset($rule['statetimeout']) and $rule['statetimeout'] <> "") or
+			    ((in_array($rule['protocol'], array("tcp","tcp/udp"))) and
+			     ((isset($rule['statetimeout']) and $rule['statetimeout'] <> "") or
+			      (isset($rule['max-src-conn']) and $rule['max-src-conn'] <> "") or
+			      (isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> "") or
+			      (isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> ""))) or
 			    isset($rule['sloppy']) or $l7_present) {
 					$aline['flags'] .= "( ";
 					if (isset($rule['sloppy']))
 						$aline['flags'] .= "sloppy ";
-					if(isset($rule['source-track']) and $rule['source-track'] <> "")
+					if (isset($rule['source-track']) and $rule['source-track'] <> "")
 						$aline['flags'] .= "source-track rule ";
-					if(isset($rule['max']) and $rule['max'] <> "")
+					if (isset($rule['max']) and $rule['max'] <> "")
 						$aline['flags'] .= "max " . $rule['max'] . " ";
-					if(isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "")
+					if (isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "")
 						$aline['flags'] .= "max-src-nodes " . $rule['max-src-nodes'] . " ";
-					if(isset($rule['max-src-conn']) and $rule['max-src-conn'] <> "")
+					if ((in_array($rule['protocol'], array("tcp","tcp/udp"))) 
+							and isset($rule['max-src-conn']) 
+							and $rule['max-src-conn'] <> "")
 						$aline['flags'] .= "max-src-conn " . $rule['max-src-conn'] . " ";
-					if(isset($rule['max-src-states']) and $rule['max-src-states'] <> "")
+					if (isset($rule['max-src-states']) and $rule['max-src-states'] <> "")
 						$aline['flags'] .= "max-src-states " . $rule['max-src-states'] . " ";
-					if(isset($rule['statetimeout']) and $rule['statetimeout'] <> "")
+					if ((in_array($rule['protocol'], array("tcp","tcp/udp"))) 
+							and isset($rule['statetimeout']) 
+							and $rule['statetimeout'] <> "")
 						$aline['flags'] .= "tcp.established " . $rule['statetimeout'] . " ";
-					if(isset($rule['max-src-conn-rate'])
+					if ((in_array($rule['protocol'], array("tcp","tcp/udp"))) 
+							and isset($rule['max-src-conn-rate'])
 							and $rule['max-src-conn-rate'] <> ""
 							and isset($rule['max-src-conn-rates'])
 							and $rule['max-src-conn-rates'] <> "") {
@ -2370,10 +2439,6 @@ function filter_generate_user_rule($rule) {
 					$aline['flags'] .= " ) ";
 				}
 	}
-	if($type == "reject" && $rule['protocol'] == "tcp") {
-		/* special reject packet */
-		$aline['flags'] .= "flags S/SA ";
-	}
 	if($rule['defaultqueue'] <> "") {
 		$aline['queue'] = " queue (".$rule['defaultqueue'];
 		if($rule['ackqueue'] <> "")
@ -2419,7 +2484,7 @@ function filter_generate_user_rule($rule) {
 	/* rules with a gateway or pool should create another rule for routing to vpns */
 	if((($aline['route'] <> "") && (trim($aline['type']) == "pass") && strstr($dst, "any")) && (!isset($config['system']['disablenegate']))) {
 		/* negate VPN/PPTP/PPPoE/Static Route networks for load balancer/gateway rules */
-		$negate_networks = " to <negate_networks> ";
+		$negate_networks = " to <negate_networks> " . filter_generate_port($rule, "destination");
 		$line .= $aline['type'] . $aline['direction'] . $aline['log'] . $aline['quick'] .
 			$aline['interface'] . $aline['ipprotocol'] . $aline['prot'] . $aline['src'] . $aline['os'] .
 			$negate_networks . $aline['icmp-type'] . $aline['icmp6-type'] . $aline['tag'] . $aline['tagged'] .
@ -2434,6 +2499,7 @@ function filter_generate_user_rule($rule) {
 		$aline['divert'] . $aline['icmp-type'] . $aline['icmp6-type'] . $aline['tag'] . $aline['tagged'] . $aline['dscp'] .
 		$aline['vlanprio'] . $aline['vlanprioset'] . $aline['allowopts'] . $aline['flags'] . $aline['queue'] . $aline['dnpipe'] . $aline['schedlabel'];

+	unset($aline);

 	return $line;
 }
@ -2441,6 +2507,8 @@ function filter_generate_user_rule($rule) {
 function filter_rules_generate() {
 	global $config, $g, $FilterIflist, $time_based_rules, $GatewaysList;

+	$fix_rule_label = 'fix_rule_label';
+
 	update_filter_reload_status(gettext("Creating default rules"));
 	if(isset($config['system']['developerspew'])) {
 		$mt = microtime();
@ -2505,23 +2573,17 @@ block quick inet proto { tcp, udp } from any to any port = 0
 block quick inet6 proto { tcp, udp } from any port = 0 to any
 block quick inet6 proto { tcp, udp } from any to any port = 0

-
-EOD;
-
-	$ipfrules .= <<<EOD
-
 # Snort package
 block quick from <snort2c> to any label "Block snort2c hosts"
 block quick from any to <snort2c> label "Block snort2c hosts"

-
 EOD;

 	$ipfrules .= filter_process_carp_rules($log);

 	$ipfrules .= "\n# SSH lockout\n";
 	if(is_array($config['system']['ssh']) && !empty($config['system']['ssh']['port'])) {
-		$ipfrules .= "block in log quick proto tcp from <sshlockout> to any port ";
+		$ipfrules .= "block in log quick proto tcp from <sshlockout> to (self) port ";
 		$ipfrules .= $config['system']['ssh']['port'];
 		$ipfrules .= " label \"sshlockout\"\n";
 	} else {
@ -2530,7 +2592,7 @@ EOD;
 		else
 			$sshport = 22;
 		if($sshport)
-			$ipfrules .= "block in log quick proto tcp from <sshlockout> to any port {$sshport} label \"sshlockout\"\n";
+			$ipfrules .= "block in log quick proto tcp from <sshlockout> to (self) port {$sshport} label \"sshlockout\"\n";
 	}

 	$ipfrules .= "\n# webConfigurator lockout\n";
@ -2543,7 +2605,7 @@ EOD;
 		$webConfiguratorlockoutport = $config['system']['webgui']['port'];
 	}
 	if($webConfiguratorlockoutport)
-		$ipfrules .= "block in log quick proto tcp from <webConfiguratorlockout> to any port {$webConfiguratorlockoutport} label \"webConfiguratorlockout\"\n";
+		$ipfrules .= "block in log quick proto tcp from <webConfiguratorlockout> to (self) port {$webConfiguratorlockoutport} label \"webConfiguratorlockout\"\n";

 	/*
 	 * Support for allow limiting of TCP connections by establishment rate
@ -2556,6 +2618,8 @@ EOD;
 	 */
 	if(is_array($config['captiveportal'])) {
 		foreach ($config['captiveportal'] as $cpcfg) {
+			if(!isset($cpcfg['enable']))
+				continue;
 			$cpinterfaces = explode(",", $cpcfg['interface']);
 			$cpiflist = array();
 			$cpiplist = array();
@ -2599,21 +2663,39 @@ EOD;
 		/* block bogon networks */
 		/* http://www.cymru.com/Documents/bogon-bn-nonagg.txt */
 		/* file is automatically in cron every 3000 minutes */
+		if(!isset($config['syslog']['nologbogons']))
+			$bogonlog = "log";
+		else
+			$bogonlog = "";
+
 		if(isset($config['interfaces'][$on]['blockbogons'])) {
 			$ipfrules .= <<<EOD
-# block bogon networks
+# block bogon networks (IPv4)
 # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
-# http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
-block in $log quick on \${$oc['descr']} from <bogons> to any label "block bogon IPv4 networks from {$oc['descr']}"
+block in $bogonlog quick on \${$oc['descr']} from <bogons> to any label "{$fix_rule_label("block bogon IPv4 networks from {$oc['descr']}")}"

 EOD;
-			if(isset($config['system']['ipv6allow'])) {
-				$ipfrules .= <<<EOD
-block in $log quick on \${$oc['descr']} from <bogonsv6> to any label "block bogon IPv6 networks from {$oc['descr']}"
-
-EOD;
-			}
 		}
+
+		if(isset($config['system']['ipv6allow']) && ($oc['type6'] == "slaac" || $oc['type6'] == "dhcp6")) {
+			$ipfrules .= <<<EOD
+# allow our DHCPv6 client out to the {$oc['descr']}
+pass in quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
+pass in quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
+pass out quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}"
+
+EOD;
+		}
+
+		if(isset($config['interfaces'][$on]['blockbogons']) && isset($config['system']['ipv6allow'])) {
+			$ipfrules .= <<<EOD
+# block bogon networks (IPv6)
+# http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
+block in $bogonlog quick on \${$oc['descr']} from <bogonsv6> to any label "{$fix_rule_label("block bogon IPv6 networks from {$oc['descr']}")}"
+
+EOD;
+		}
+
 		$isbridged = false;
 		if(is_array($config['bridges']['bridged'])) {
 			foreach ($config['bridges']['bridged'] as $oc2) {
@ -2626,17 +2708,22 @@ EOD;
 		if($oc['ip'] && !($isbridged) && isset($oc['spoofcheck']))
 			$ipfrules .= filter_rules_spoofcheck_generate($on, $oc['if'], $oc['sa'], $oc['sn'], $log);
 		/* block private networks ? */
+		if(!isset($config['syslog']['nologprivatenets']))
+			$privnetlog = "log";
+		else
+			$privnetlog = "";
+
 		if(isset($config['interfaces'][$on]['blockpriv'])) {
 			if($isbridged == false) {
 				$ipfrules .= <<<EOD
 # block anything from private networks on interfaces with the option set
 antispoof for \${$oc['descr']}
-block in $log quick on \${$oc['descr']} from 10.0.0.0/8 to any label "Block private networks from {$oc['descr']} block 10/8"
-block in $log quick on \${$oc['descr']} from 127.0.0.0/8 to any label "Block private networks from {$oc['descr']} block 127/8"
-block in $log quick on \${$oc['descr']} from 100.64.0.0/10 to any label "Block private networks from {$oc['descr']} block 100.64/10"
-block in $log quick on \${$oc['descr']} from 172.16.0.0/12 to any label "Block private networks from {$oc['descr']} block 172.16/12"
-block in $log quick on \${$oc['descr']} from 192.168.0.0/16 to any label "Block private networks from {$oc['descr']} block 192.168/16"
-block in $log quick on \${$oc['descr']} from fc00::/7 to any label "Block ULA networks from {$oc['descr']} block fc00::/7"
+block in $privnetlog quick on \${$oc['descr']} from 10.0.0.0/8 to any label "{$fix_rule_label("Block private networks from {$oc['descr']} block 10/8")}"
+block in $privnetlog quick on \${$oc['descr']} from 127.0.0.0/8 to any label "{$fix_rule_label("Block private networks from {$oc['descr']} block 127/8")}"
+block in $privnetlog quick on \${$oc['descr']} from 100.64.0.0/10 to any label "{$fix_rule_label("Block private networks from {$oc['descr']} block 100.64/10")}"
+block in $privnetlog quick on \${$oc['descr']} from 172.16.0.0/12 to any label "{$fix_rule_label("Block private networks from {$oc['descr']} block 172.16/12")}"
+block in $privnetlog quick on \${$oc['descr']} from 192.168.0.0/16 to any label "{$fix_rule_label("Block private networks from {$oc['descr']} block 192.168/16")}"
+block in $privnetlog quick on \${$oc['descr']} from fc00::/7 to any label "{$fix_rule_label("Block ULA networks from {$oc['descr']} block fc00::/7")}"

 EOD;
 			}
@ -2645,16 +2732,16 @@ EOD;
 		case "pptp":
 				$ipfrules .= <<<EOD
 # allow PPTP client
-pass in on \${$oc['descr']} proto tcp from any to any port = 1723 flags S/SA modulate state label "allow PPTP client on {$oc['descr']}"
-pass in on \${$oc['descr']} proto gre from any to any keep state label "allow PPTP client on {$oc['descr']}"
+pass in on \${$oc['descr']} proto tcp from any to any port = 1723 flags S/SA modulate state label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}"
+pass in on \${$oc['descr']} proto gre from any to any keep state label "{$fix_rule_label("allow PPTP client on {$oc['descr']}")}"

 EOD;
 			break;
 		case "dhcp":
 			$ipfrules .= <<<EOD
 # allow our DHCP client out to the {$oc['descr']}
-pass in on \${$oc['descr']} proto udp from any port = 67 to any port = 68 label "allow dhcp client out {$oc['descr']}"
-pass out on \${$oc['descr']} proto udp from any port = 68 to any port = 67 label "allow dhcp client out {$oc['descr']}"
+pass in on \${$oc['descr']} proto udp from any port = 67 to any port = 68 label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}"
+pass out on \${$oc['descr']} proto udp from any port = 68 to any port = 67 label "{$fix_rule_label("allow dhcp client out {$oc['descr']}")}"
 # Not installing DHCP server firewall rules for {$oc['descr']} which is configured for DHCP.

 EOD;
@ -2680,7 +2767,7 @@ pass out quick on \${$oc['descr']} proto udp from {$oc['ip']} port = 67 to any p
 EOD;
 				}

-				if(is_ipaddrv4($pc['ip']) && $config['dhcpd'][$on]['failover_peerip'] <> "") {
+				if(is_ipaddrv4($oc['ip']) && $config['dhcpd'][$on]['failover_peerip'] <> "") {
 					$ipfrules .= <<<EOD
 # allow access to DHCP failover on {$oc['descr']} from {$config['dhcpd'][$on]['failover_peerip']}
 pass in quick on \${$oc['descr']} proto { tcp udp } from {$config['dhcpd'][$on]['failover_peerip']} to {$oc['ip']} port = 519 label "allow access to DHCP failover"
@ -2693,27 +2780,18 @@ EOD;
 			break;
 		}
 		switch($oc['type6']) {
-		case "slaac":
-		case "dhcp6":
-			$ipfrules .= <<<EOD
-# allow our DHCPv6 client out to the {$oc['descr']}
-pass in quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 label "allow dhcpv6 client in {$oc['descr']}"
-pass in quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 label "allow dhcpv6 client in {$oc['descr']}"
-pass out quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 label "allow dhcpv6 client out {$oc['descr']}"
-
-EOD;
-			break;
 		case "6rd":
 			$ipfrules .= <<<EOD
 # allow our proto 41 traffic from the 6RD border relay in
-pass in on \${$oc['descr']} proto 41 from {$config['interfaces'][$on]['gateway-6rd']} to any label "Allow 6in4 traffic in for 6rd on {$oc['descr']}"
-pass out on \${$oc['descr']} proto 41 from any to {$config['interfaces'][$on]['gateway-6rd']} label "Allow 6in4 traffic out for 6rd on {$oc['descr']}"
+pass in on \${$oc['descr']} proto 41 from {$config['interfaces'][$on]['gateway-6rd']} to any label "{$fix_rule_label("Allow 6in4 traffic in for 6rd on {$oc['descr']}")}"
+pass out on \${$oc['descr']} proto 41 from any to {$config['interfaces'][$on]['gateway-6rd']} label "{$fix_rule_label("Allow 6in4 traffic out for 6rd on {$oc['descr']}")}"

 EOD;
-		if (is_ipaddrv6($oc['ipv6'])) {
+		/* XXX: Really need to allow 6rd traffic coming in for v6 this is against default behaviour! */
+		if (0 && is_ipaddrv6($oc['ipv6'])) {
 			$ipfrules .= <<<EOD
-pass in on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} label "Allow 6rd traffic in for 6rd on {$oc['descr']}"
-pass out on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any label "Allow 6rd traffic out for 6rd on {$oc['descr']}"
+pass in on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} label "{$fix_rule_label("Allow 6rd traffic in for 6rd on {$oc['descr']}")}"
+pass out on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any label "{$fix_rule_label("Allow 6rd traffic out for 6rd on {$oc['descr']}")}"

 EOD;
 		}
@ -2722,21 +2800,23 @@ EOD;
 			if (is_ipaddrv4($oc['ip'])) {
 			$ipfrules .= <<<EOD
 # allow our proto 41 traffic from the 6to4 border relay in
-pass in on \${$oc['descr']} proto 41 from any to {$oc['ip']} label "Allow 6in4 traffic in for 6to4 on {$oc['descr']}"
-pass out on \${$oc['descr']} proto 41 from {$oc['ip']} to any label "Allow 6in4 traffic out for 6to4 on {$oc['descr']}"
+pass in on \${$oc['descr']} proto 41 from any to {$oc['ip']} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}"
+pass out on \${$oc['descr']} proto 41 from {$oc['ip']} to any label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}"

 EOD;
 		}
-		if (is_ipaddrv6($oc['ipv6'])) {
+		/* XXX: Really need to allow 6to4 traffic coming in for v6 this is against default behaviour! */
+		if (0 && is_ipaddrv6($oc['ipv6'])) {
 			$ipfrules .= <<<EOD
-pass in on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} label "Allow 6in4 traffic in for 6to4 on {$oc['descr']}"
-pass out on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any label "Allow 6in4 traffic out for 6to4 on {$oc['descr']}"
+pass in on \${$oc['descr']} inet6 from any to {$oc['ipv6']}/{$oc['snv6']} label "{$fix_rule_label("Allow 6in4 traffic in for 6to4 on {$oc['descr']}")}"
+pass out on \${$oc['descr']} inet6 from {$oc['ipv6']}/{$oc['snv6']} to any label "{$fix_rule_label("Allow 6in4 traffic out for 6to4 on {$oc['descr']}")}"

 EOD;
 		}
 			break;
 		default:
-			if ((is_array($config['dhcpdv6'][$on]) && isset($config['dhcpdv6'][$on]['enable'])) || isset($oc['track6-interface'])) {
+			if ((is_array($config['dhcpdv6'][$on]) && isset($config['dhcpdv6'][$on]['enable'])) || isset($oc['track6-interface']) 
+				|| (is_array($config['dhcrelay6']) && !empty($config['dhcrelay6']['interface']) && in_array($on, explode(',', $config['dhcrelay6']['interface'])))) {
 				$ipfrules .= <<<EOD
 # allow access to DHCPv6 server on {$oc['descr']}
 # We need inet6 icmp for stateless autoconfig and dhcpv6
@ -2759,8 +2839,8 @@ EOD;
 	}
 	/*
 	 * NB: The loopback rules are needed here since the antispoof would take precedence then.
-	 *		If you ever add the 'quick' keyword to the antispoof rules above move the looback
-	 *		rules before them.
+	 *	If you ever add the 'quick' keyword to the antispoof rules above move the looback
+	 *	rules before them.
 	 */
 	$ipfrules .= <<<EOD

@ -2778,6 +2858,7 @@ pass out inet all keep state allow-opts label "let out anything IPv4 from firewa
 pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"

 EOD;
+
 	foreach ($FilterIflist as $ifdescr => $ifcfg) {
 		if(isset($ifcfg['virtual']))
 			continue;
@ -2787,7 +2868,10 @@ EOD;
 			$ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$ifcfg['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n";
 			if (is_array($ifcfg['vips'])) {
 				foreach ($ifcfg['vips'] as $vip)
-					$ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !{$vip['ip']}/{$vip['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n";
+					if (ip_in_subnet($vip['ip'], "{$ifcfg['sa']}/{$ifcfg['sn']}"))
+						$ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n";
+					else
+						$ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !" . gen_subnet($vip['ip'], $vip['sn']) . "/{$vip['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n";
 			}
 		}

@ -2806,12 +2890,9 @@ EOD;

 	/* add ipsec interfaces */
 	if(isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable']))
-		$ipfrules .= <<<EOD
-pass out on \$IPsec all keep state label "IPsec internal host to host"
+		$ipfrules .= "pass out on \$IPsec all keep state label \"IPsec internal host to host\"\n";

-EOD;
-
-	if(!isset($config['system']['webgui']['noantilockout'])) {
+	if(is_array($config['system']['webgui']) && !isset($config['system']['webgui']['noantilockout'])) {
 		$alports = filter_get_antilockout_ports();

 		if(count($config['interfaces']) > 1 && !empty($FilterIflist['lan']['if'])) {
@ -2833,7 +2914,9 @@ pass in quick on {$wanif} proto tcp from any to ({$wanif}) port { {$alports} } k

 EOD;
 		}
+		unset($alports);
 	}
+
 	/* PPTPd enabled? */
 	if($pptpdcfg['mode'] && ($pptpdcfg['mode'] != "off") && !isset($config['system']['disablevpnrules'])) {
 		if($pptpdcfg['mode'] == "server")
@ -2843,7 +2926,7 @@ EOD;
 		if(is_ipaddr($pptpdtarget) and is_array($FilterIflist['wan'])) {
 			$ipfrules .= <<<EOD
 # PPTPd rules
-pass in on \${$FilterIflist['wan']['descr']} proto tcp from any to $pptpdtarget port = 1723 modulate state label "allow pptpd {$pptpdtarget}"
+pass in on \${$FilterIflist['wan']['descr']} proto tcp from any to $pptpdtarget port = 1723 modulate state label "{$fix_rule_label("allow pptpd {$pptpdtarget}")}"
 pass in on \${$FilterIflist['wan']['descr']} proto gre from any to any keep state label "allow gre pptpd"

 EOD;
@ -2941,24 +3024,6 @@ EOD;
 		unset($rule_arr1, $rule_arr2, $rule_arr3);
 	}

-	$ipfrules .= "\n# Automatic Pass rules for any delegated IPv6 prefixes through dynamic IPv6 clients\n";
-	/* add automatic LAN rules to allow IPv6 traffic out for dynamic IPv6 networks */
-	foreach ($FilterIflist as $ifdescr => $ifcfg) {
-		if (isset($ifcfg['track6-interface'])) {
-			if (is_ipaddrv6($ifcfg['ipv6'])) {
-				$trackifname = $ifcfg['track6-interface'];
-				$trackcfg = $FilterIflist[$trackifname];
-				$pdlen = 64 - calculate_ipv6_delegation_length($trackifname);
-				$prefix = Net_IPv6::getNetmask($ifcfg['ipv6'], $pdlen);
-				$ipfrules .= "pass in on \${$ifcfg['descr']} inet6 from $prefix/$pdlen to any keep state label \"Allow IPv6 on {$ifcfg['descr']} to any\"\n";
-				/* add rules on the WAN for traffic back in, let the downstream router
-				 * figure out what to do with the traffic */
-				if (is_ipaddrv6($trackcfg['ipv6']))
-					$ipfrules .= "pass in on \${$trackcfg['descr']} inet6 from any to $prefix/$pdlen keep state label \"Allow IPv6 in on {$trackcfg['descr']} to $prefix/$pdlen\"\n";
-			}
-		}
-	}
-
 	/*  pass traffic between statically routed subnets and the subnet on the
 	 *  interface in question to avoid problems with complicated routing
 	 *  topologies
@ -3005,10 +3070,7 @@ EOD;
 	update_filter_reload_status(gettext("Creating IPsec rules..."));
 	$ipfrules .= filter_generate_ipsec_rules();

-	$ipfrules .= <<<EOD
-anchor "tftp-proxy/*"
-
-EOD;
+	$ipfrules .= "\nanchor \"tftp-proxy/*\"\n";

 	update_filter_reload_status("Creating uPNP rules...");
 	if (is_array($config['installedpackages']['miniupnpd']) && is_array($config['installedpackages']['miniupnpd']['config'][0])) {
@ -3200,7 +3262,7 @@ function filter_tdr_hour($schedule) {
 	$now = strtotime("now");
 	if($g['debug'])
 		log_error("[TDR DEBUG] S: $starting_time E: $ending_time N: $now");
-	if($now >= $starting_time and $now <= $ending_time)
+	if($now >= $starting_time and $now < $ending_time)
 		return true;
 	return false;
 }
@ -3342,9 +3404,11 @@ function filter_generate_ipsec_rules() {
 				$parentinterface = $ph1ent['interface'];
 			}
 			if (empty($FilterIflist[$parentinterface]['descr'])) {
-				$ipfrules = "# Could not locate interface for IPsec: {$descr}\n";
+				$ipfrules .= "# Could not locate interface for IPsec: {$descr}\n";
 				continue;
 			}
+
+			unset($gateway);
 			/* add endpoint routes to correct gateway on interface */
 			if((is_ipaddrv4($rgip)) && (interface_has_gateway($parentinterface))) {
 				$gateway = get_interface_gateway($parentinterface);
--- a/etc/inc/filter_log.inc
+++ b/etc/inc/filter_log.inc
@ -30,7 +30,7 @@
 	POSSIBILITY OF SUCH DAMAGE.
 */
 /*
-	pfSense_BUILDER_BINARIES:	/usr/sbin/fifolog_reader	/usr/bin/tail	/usr/sbin/clog
+	pfSense_BUILDER_BINARIES:	/usr/sbin/fifolog_reader	/usr/bin/tail	/usr/local/sbin/clog
 	pfSense_MODULE:	filter
 */

@ -55,9 +55,9 @@ function conv_log_filter($logfile, $nentries, $tail = 50, $filtertext = "", $fil
 	$logarr = "";

 	if(isset($config['system']['usefifolog']))
-		exec("/usr/sbin/fifolog_reader {$logfile} | /usr/bin/tail -r -n {$tail}", $logarr);
+		exec("/usr/sbin/fifolog_reader " . escapeshellarg($logfile) . " | /usr/bin/tail -r -n {$tail}", $logarr);
 	else
-		exec("/usr/sbin/clog {$logfile} | grep -v \"CLOG\" | grep -v \"\033\" | /usr/bin/tail -r -n {$tail}", $logarr);
+		exec("/usr/local/sbin/clog " . escapeshellarg($logfile) . " | grep -v \"CLOG\" | grep -v \"\033\" | /usr/bin/tail -r -n {$tail}", $logarr);

 	$filterlog = array();
 	$counter = 0;
@ -90,20 +90,28 @@ function match_filter_line($flent, $filtertext = "") {
 }

 function match_filter_field($flent, $fields) {
-	foreach ($fields as $field) {
-		if ($fields[$field] == "All") continue;
-		if ((strpos($fields[$field], '!') === 0)) {
-			$fields[$field] = substr($fields[$field], 1);
-			if (preg_match("/act/i", $field)) {
-				if ( (in_arrayi($flent[$field], explode(",", str_replace(" ", ",", $fields[$field]))) ) ) return false;
-			} else if ( (preg_match("/{$fields[$field]}/i", $flent[$field])) ) return false;
+	foreach ($fields as $key => $field) {
+		if ($field == "All")
+			continue;
+		if ((strpos($field, '!') === 0)) {
+			$field = substr($field, 1);
+			if (strtolower($key) == 'act') {
+				if (in_arrayi($flent[$key], explode(" ", $field)))
+					return false;
+			} else {
+				if (@preg_match("/{$field}/i", $flent[$key]))
+					return false;
+			}
+		} else {
+			if (strtolower($key) == 'act') {
+				if (!in_arrayi($flent[$key], explode(" ", $field)))
+					return false;
+			} else {
+				if (!@preg_match("/{$field}/i", $flent[$key]))
+					return false;
+			}
 		}
-		else {
-			if (preg_match("/act/i", $field)) {
-				if ( !(in_arrayi($flent[$field], explode(",", str_replace(" ", ",", $fields[$field]))) ) ) return false;
-			} else if ( !(preg_match("/{$fields[$field]}/i", $flent[$field])) ) return false;
-		}
-	}	
+	}
 	return true;
 }

@ -191,6 +199,8 @@ function parse_filter_line($line) {
 		/* If it's still 'Options', then just ignore it. */
 		if ($flent['proto'] == "Options")
 			$flent['proto'] = "none";
+	} elseif (($flent['proto'] == "unknown") && (!(strpos($line, ':  pfsync') === FALSE))) {
+		$flent['proto'] = "PFSYNC";
 	}

 	/* If there is a src, a dst, and a time, then the line should be usable/good */
@ -205,7 +215,7 @@ function parse_filter_line($line) {
 }

 function parse_ipport($addr) {
-	$addr = rtrim($addr, ":");
+	$addr = trim(rtrim($addr, ":"));
 	if (substr($addr, 0, 4) == "kip ")
 		$addr = substr($addr, 4);
 	$port = '';
@ -292,7 +302,7 @@ function find_rule_by_number_buffer($rulenum, $type){
 	} else {
 		$ruleString = $buffer_rules_normal["@".$rulenum];
 		list(,$rulename,) = explode("\"",$ruleString);
-		$rulename = str_replace("USER_RULE: ",'<img src="/themes/'.$g['theme'].'/images/icons/icon_frmfld_user.png" width="11" height="12" title="USER_RULE" alt="USER_RULE"/> ',$rulename);
+		$rulename = str_replace("USER_RULE: ",'<img src="/themes/'.$g['theme'].'/images/icons/icon_frmfld_user.png" width="11" height="12" title="USER_RULE" alt="USER_RULE"/> ',htmlspecialchars($rulename));
 	}
 	return $rulename." (@".$rulenum.")";
 }
--- a/etc/inc/globals.inc
+++ b/etc/inc/globals.inc
@ -2,8 +2,8 @@
 /* $Id$ */
 /*
    globals.inc
-    part of pfSense (www.pfsense.com)
-    Copyright (C) 2004-2010 Scott Ullrich
+    part of pfSense (www.pfsense.org)
+    Copyright (C) 2004-2014 Electric Sheep Fencing LLC 

    Originally Part of m0n0wall
    Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
@ -34,6 +34,7 @@

 */

+global $g;
 $g = array(
 	"base_packages" => "siproxd", 
 	"event_address" => "unix:///var/run/check_reload_status",
@ -56,11 +57,11 @@ $g = array(
 	"xml_rootobj" => "pfsense",
 	"admin_group" => "admins",
 	"product_name" => "pfSense",
-	"product_copyright" => "BSD Perimeter LLC",
-	"product_copyright_url" => "http://www.bsdperimeter.com",
-	"product_copyright_years" => "2004 - 2013",
+	"product_copyright" => "Electric Sheep Fencing LLC",
+	"product_copyright_url" => "http://www.electricsheepfencing.com",
+	"product_copyright_years" => "2004 - 2014",
 	"product_website" => "www.pfsense.org",
-	"product_website_footer" => "http://www.pfsense.org/?gui21",
+	"product_website_footer" => "https://www.pfsense.org/?gui211",
 	"product_email" => "coreteam@pfsense.org",
 	"hideplatform" => false,
 	"hidedownloadbackup" => false,
@ -69,9 +70,9 @@ $g = array(
 	"disablehelpmenu" => false,
 	"disablehelpicon" => false,
 	"disablecrashreporter" => false,
-	"crashreporterurl" => "http://crashreporter.pfsense.org/crash_reporter.php",
+	"crashreporterurl" => "https://crashreporter.pfsense.org/crash_reporter.php",
 	"debug" => false,
-	"latest_config" => "9.5",
+	"latest_config" => "10.1",
 	"nopkg_platforms" => array("cdrom"),
 	"minimum_ram_warning" => "101",
 	"minimum_ram_warning_text" => "128 MB",
@ -79,11 +80,11 @@ $g = array(
 	"minimum_nic_count_text" => "*AT LEAST* 1",	
 	"wan_interface_name" => "wan", 
 	"nopccard_platforms" => array("wrap", "net48xx"),
-	"xmlrpcbaseurl" => "www.pfsense.com",
+	"xmlrpcbaseurl" => "https://packages.pfsense.org",
 	"captiveportal_path" => "/usr/local/captiveportal",
 	"captiveportal_element_path" => "/var/db/cpelements",
 	"captiveportal_element_sizelimit" => 1048576,
-	"xmlrpcpath" => "/pfSense/xmlrpc.php",
+	"xmlrpcpath" => "/xmlrpc.php",
 	"embeddedbootupslice" => "/dev/ad0a",
 	"services_dhcp_server_enable" => true,
 	"wireless_regex" => "/^(ndis|wi|ath|an|ral|ural|iwi|wlan|rum|run|bwn|zyd|mwl|bwi|ipw|iwn|malo|uath|upgt|urtw|wpi)/",
@ -98,17 +99,19 @@ $tcpflags = array("syn", "ack", "fin", "rst", "psh", "urg", "ece", "cwr");

 if(file_exists("/etc/platform")) {
 	$arch = php_uname("m");
+	$arch = ($arch == "i386") ? "" : '/' . $arch;
+
+	/* Full installs and NanoBSD use the same update directory and manifest in 2.x */
+	$g['update_url']="https://updates.pfsense.org/_updaters{$arch}";
+	$g['update_manifest']="https://updates.pfsense.org/manifest";
+
 	$g['platform'] = trim(file_get_contents("/etc/platform"));
 	if($g['platform'] == "nanobsd") {
-		$g['update_url']="http://snapshots.pfsense.org/FreeBSD_RELENG_8_3/{$arch}/pfSense_HEAD/.updaters/";
-		$g['update_manifest']="http://updates.pfSense.com/nanobsd/manifest";
 		$g['firmware_update_text']="pfSense-*.img.gz";
 		$g['hidedownloadbackup'] = true;
 		$g['hidebackupbeforeupgrade'] = true;

 	} else {
-		$g['update_url']="http://snapshots.pfsense.org/FreeBSD_RELENG_8_3/{$arch}/pfSense_HEAD/.updaters/";
-		$g['update_manifest']="http://updates.pfSense.com/manifest";
 		$g['firmware_update_text']="pfSense-*.tgz";
 	}
 }
@ -152,6 +155,10 @@ $sysctls = array("net.inet.ip.portrange.first" => "1024",
 	"net.inet.udp.checksum" => 1
 );

+/* Include override values for the above if needed. If the file doesn't exist, don't try to load it. */
+if (file_exists("/etc/inc/globals_override.inc"))
+	@include("globals_override.inc");
+
 $config_parsed = false;

 ?>
--- a/etc/inc/gwlb.inc
+++ b/etc/inc/gwlb.inc
@ -25,7 +25,7 @@
  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  POSSIBILITY OF SUCH DAMAGE.

-	pfSense_BUILDER_BINARIES:	/usr/bin/killall	/sbin/route	/usr/local/sbin/apinger
+	pfSense_BUILDER_BINARIES:	/sbin/route	/usr/local/sbin/apinger
 	pfSense_MODULE:	routing

 */
@ -58,7 +58,6 @@ function setup_gateways_monitor() {
 	}

 	$apinger_default = return_apinger_defaults();
-	$fd = fopen("{$g['varetc_path']}/apinger.conf", "w");
 	$apingerconfig = <<<EOD

 # pfSense apinger configuration file. Automatically Generated!
@ -163,21 +162,45 @@ EOD;
 			$gwifip = find_interface_ip($gateway['interface'], true);
 			if (!is_ipaddrv4($gwifip))
 				continue; //Skip this target
+
+			/*
+			 * If the gateway is the same as the monitor we do not add a
+			 * route as this will break the routing table.
+			 * Add static routes for each gateway with their monitor IP
+			 * not strictly necessary but is a added level of protection.
+			 */
+			if (is_ipaddrv4($gateway['gateway']) && $gateway['monitor'] != $gateway['gateway']) {
+				log_error("Removing static route for monitor {$gateway['monitor']} and adding a new route through {$gateway['gateway']}");
+				mwexec("/sbin/route change -host " . escapeshellarg($gateway['monitor']) .
+					" " . escapeshellarg($gateway['gateway']), true);
+			}
 		} else if (is_ipaddrv6($gateway['gateway'])) {
 			/* link locals really need a different src ip */
 			if(is_linklocal($gateway['gateway'])) {
-				$linklocal = explode("%", find_interface_ipv6_ll($gateway['interface'], true));
-				$gwifip = $linklocal[0];
-				$ifscope = "%". $linklocal[1];
+				$gwifip = find_interface_ipv6_ll($gateway['interface'], true);
 			} else {
 				$gwifip = find_interface_ipv6($gateway['interface'], true);
 			}
+			if (is_linklocal($gateway['monitor']) && !strstr($gateway['monitor'], '%'))
+				$gateway['monitor'] .= "%{$gateway['interface']}";
 			if (!is_ipaddrv6($gwifip))
 				continue; //Skip this target
+
+			/*
+			 * If the gateway is the same as the monitor we do not add a
+			 * route as this will break the routing table.
+			 * Add static routes for each gateway with their monitor IP
+			 * not strictly necessary but is a added level of protection.
+			 */
+			if (is_ipaddrv6($gateway['gateway']) && $gateway['monitor'] != $gateway['gateway']) {
+				log_error("Removing static route for monitor {$gateway['monitor']} and adding a new route through {$gateway['gateway']}");
+				mwexec("/sbin/route change -host -inet6 " . escapeshellarg($gateway['monitor']) .
+					" " . escapeshellarg($gateway['gateway']), true);
+			}
 		} else
 			continue;

-		$monitor_ips[] = monitor_ips;
+		$monitor_ips[] = $gateway['monitor'];
 		$apingercfg = "target \"{$gateway['monitor']}\" {\n";
 		$apingercfg .= "	description \"{$name}\"\n";
 		$apingercfg .= "	srcip \"{$gwifip}\"\n";
@ -234,31 +257,13 @@ EOD;
 		$apingercfg .= "	rrd file \"{$g['vardb_path']}/rrd/{$gateway['name']}-quality.rrd\"\n";
 		$apingercfg .= "}\n";
 		$apingercfg .= "\n";
-		/*
-		 * If the gateway is the same as the monitor we do not add a
-		 * route as this will break the routing table.
-		 * Add static routes for each gateway with their monitor IP
-		 * not strictly necessary but is a added level of protection.
-		 */
-		if (is_ipaddr($gateway['gateway']) && $gateway['monitor'] != $gateway['gateway']) {
-			log_error(sprintf(gettext('Removing static route for monitor %1$s and adding a new route through %2$s'), $gateway['monitor'], $gateway['gateway']));
-			if(is_ipaddrv6($gateway['gateway'])) {
-				$inetfamily = "-inet6";
-			} else {
-				$inetfamily = "-inet";
-			}
-			// mwexec("/sbin/route change {$inetfamily} -host " . escapeshellarg($gateway['monitor']) .
-			//	" " . escapeshellarg($gateway['gateway']), true);
-		}

 		$apingerconfig .= $alarmscfg;
 		$apingerconfig .= $apingercfg;
 	}
-	fwrite($fd, $apingerconfig);
-	fclose($fd);
+	@file_put_contents("{$g['varetc_path']}/apinger.conf", $apingerconfig);
 	unset($apingerconfig);

-	killbypid("{$g['varrun_path']}/apinger.pid");
 	if (is_dir("{$g['tmp_path']}"))
 		chmod("{$g['tmp_path']}", 01777);
 	if (!is_dir("{$g['vardb_path']}/rrd"))
@ -266,10 +271,16 @@ EOD;

 	@chown("{$g['vardb_path']}/rrd", "nobody");

-	/* start a new apinger process */
-	@unlink("{$g['varrun_path']}/apinger.status");
-	sleep(1);
-	mwexec_bg("/usr/local/sbin/apinger -c {$g['varetc_path']}/apinger.conf");
+	if (isvalidpid("{$g['varrun_path']}/apinger.pid"))
+		sigkillbypid("{$g['varrun_path']}/apinger.pid", "HUP");
+	else {
+		/* start a new apinger process */
+		@unlink("{$g['varrun_path']}/apinger.status");
+		sleep(1);
+		mwexec_bg("/usr/local/sbin/apinger -c {$g['varetc_path']}/apinger.conf");
+		sleep(1);
+		sigkillbypid("{$g['varrun_path']}/apinger.pid", "USR1");
+	}

 	return 0;
 }
@ -279,9 +290,13 @@ function return_gateways_status($byname = false) {
 	global $config, $g;

 	$apingerstatus = array();
+	/* Always get the latest status from apinger */
+	if (file_exists("{$g['varrun_path']}/apinger.pid"))
+                sigkillbypid("{$g['varrun_path']}/apinger.pid", "USR1");
 	if (file_exists("{$g['varrun_path']}/apinger.status")) {
 		$apingerstatus = file("{$g['varrun_path']}/apinger.status");
-	}
+	} else
+		$apingerstatus = array();

 	$status = array();
 	foreach($apingerstatus as $line) {
@ -352,26 +367,30 @@ function return_gateways_array($disabled = false, $localhost = false) {
 	$found_defaultv4 = 0;
 	$found_defaultv6 = 0;

+	// Ensure the interface cache is up to date first
+	$interfaces = get_interface_arr(true);
 	$interfaces_v4 = array();
 	$interfaces_v6 = array();

-	$i = 0;
+	$i = -1;
 	/* Process/add all the configured gateways. */
 	if (is_array($config['gateways']['gateway_item'])) {
 		foreach ($config['gateways']['gateway_item'] as $gateway) {
+			/* Increment it here to do not skip items */
+			$i++;
+
 			if (empty($config['interfaces'][$gateway['interface']]))
 				continue;
 			$wancfg = $config['interfaces'][$gateway['interface']];

 			/* skip disabled interfaces */
-			if (!isset($wancfg['enable']))
+			if ($disabled === false && !isset($wancfg['enable']))
 				continue;

 			/* if the gateway is dynamic and we can find the IPv4, Great! */
-			if (empty($gateway['gateway']) || $gateway['gateway'] == "dynamic" || $gateway['gateway'] == "dynamic6") {
+			if (empty($gateway['gateway']) || $gateway['gateway'] == "dynamic") {
 				if ($gateway['ipprotocol'] == "inet") {
 					/* we know which interfaces is dynamic, this should be made a function */
-					$gateway['ipprotocol'] = "inet";
 					$gateway['gateway'] = get_interface_gateway($gateway['interface']);
 					/* no IP address found, set to dynamic */
 					if (!is_ipaddrv4($gateway['gateway']))
@ -379,14 +398,13 @@ function return_gateways_array($disabled = false, $localhost = false) {
 					$gateway['dynamic'] = true;
 				}

-				/* if the gateway is dynamic6 and we can find the IPv6, Great! */
+				/* if the gateway is dynamic and we can find the IPv6, Great! */
 				else if ($gateway['ipprotocol'] == "inet6") {
 					/* we know which interfaces is dynamic, this should be made a function, and for v6 too */
-					$gateway['ipprotocol'] = "inet6";
 					$gateway['gateway'] = get_interface_gateway_v6($gateway['interface']);
-					/* no IPv6 address found, set to dynamic6 */
+					/* no IPv6 address found, set to dynamic */
 					if (!is_ipaddrv6($gateway['gateway']))
-						$gateway['gateway'] = "dynamic6";
+						$gateway['gateway'] = "dynamic";
 					$gateway['dynamic'] = true;
 				}
 			} else {
@ -407,10 +425,10 @@ function return_gateways_array($disabled = false, $localhost = false) {

 			/* special treatment for tunnel interfaces */
 			if ($gateway['ipprotocol'] == "inet6") {
-				$gateway['interface'] = get_real_interface($gateway['interface'], "inet6");
+				$gateway['interface'] = get_real_interface($gateway['interface'], "inet6", false, false);
 				$interfaces_v6[$gateway['friendlyiface']] = $gateway['friendlyiface'];
 			} else {
-				$gateway['interface'] = get_real_interface($gateway['interface']);
+				$gateway['interface'] = get_real_interface($gateway['interface'], "all", false, false);
 				$interfaces_v4[$gateway['friendlyiface']] = $gateway['friendlyiface'];
 			}

@ -428,7 +446,6 @@ function return_gateways_array($disabled = false, $localhost = false) {
 			$gateway['attribute'] = $i;

 			$gateways_arr[$gateway['name']] = $gateway;
-			$i++;
 		}
 	}
 	unset($gateway);
@ -536,8 +553,11 @@ function return_gateways_array($disabled = false, $localhost = false) {
 				$ctype = strtoupper($ifcfg['ipaddrv6']);
 				break;
 			default:
+				$tunnelif = substr($ifcfg['if'], 0, 3);
 				if (substr($ifcfg['if'], 0, 4) ==  "ovpn")
 					$ctype = "VPNv6";
+				else if ($tunnelif == "gif" || $tunnelif == "gre")
+					$ctype = "TUNNELv6";
 				break;
 		}
 		$ctype = "_". strtoupper($ctype);
@ -565,7 +585,7 @@ function return_gateways_array($disabled = false, $localhost = false) {

 		/* Loopback dummy for dynamic interfaces without a IP */
 		if (!is_ipaddrv6($gateway['gateway']) && $gateway['dynamic'] == true)
-			$gateway['gateway'] = "dynamic6";
+			$gateway['gateway'] = "dynamic";

 		/* automatically skip known static and dynamic gateways we have a array entry for */
 		foreach($gateways_arr as $gateway_item) {
@ -650,7 +670,7 @@ function fixup_default_gateway($ipprotocol, $gateways_status, $gateways_arr) {
 			$dfltgwdown = true;
 	}
 	if ($dfltgwdown == true && !empty($upgw)) {
-		if (preg_match("/dynamic/i", $gateways_arr[$upgw]['gateway']))
+		if ($gateways_arr[$upgw]['gateway'] == "dynamic")
 			$gateways_arr[$upgw]['gateway'] = get_interface_gateway($gateways_arr[$upgw]['friendlyiface']);
 		if (is_ipaddr($gateways_arr[$upgw]['gateway'])) {
 			log_error("Default gateway down setting {$upgw} as default!");
@ -692,7 +712,7 @@ function return_gateway_groups_array() {
 	if (is_array($config['gateways']['gateway_group'])) {
 		$carplist = get_configured_carp_interface_list();
 		foreach ($config['gateways']['gateway_group'] as $group) {
-			/* create array with group gateways members seperated by tier */
+			/* create array with group gateways members separated by tier */
 			$tiers = array();
 			$backupplan = array();
 			$gwvip_arr = array();
@ -700,7 +720,7 @@ function return_gateway_groups_array() {
 				list($gwname, $tier, $vipname) = explode("|", $item);

 				if (is_ipaddr($carplist[$vipname])) {
-					if (!is_array($group['name']))
+					if (!is_array($gwvip_arr[$group['name']]))
 						$gwvip_arr[$group['name']] = array();
 					$gwvip_arr[$group['name']][$gwname] = $vipname;
 				}
@ -767,15 +787,17 @@ function return_gateway_groups_array() {
 						else if (!empty($int))
 							$gatewayip = get_interface_gateway($gateway['friendlyiface']);

-						if (!empty($int) && is_ipaddr($gatewayip)) {
-							$groupmember = array();
-							$groupmember['int']  = $int;
-							$groupmember['gwip']  = $gatewayip;
-							$groupmember['weight']  = isset($gateway['weight']) ? $gateway['weight'] : 1;
-							if (is_array($gwvip_arr[$group['name']])&& !empty($gwvip_arr[$group['name']][$gwname]))
-								$groupmember['vip'] = $gwvip_arr[$group['name']][$gwname];
+						if (!empty($int)) {
 							$gateway_groups_array[$group['name']]['ipprotocol'] = $gateway['ipprotocol'];
-							$gateway_groups_array[$group['name']][] = $groupmember;
+							if (is_ipaddr($gatewayip)) {
+								$groupmember = array();
+								$groupmember['int']  = $int;
+								$groupmember['gwip']  = $gatewayip;
+								$groupmember['weight']  = isset($gateway['weight']) ? $gateway['weight'] : 1;
+								if (is_array($gwvip_arr[$group['name']])&& !empty($gwvip_arr[$group['name']][$member]))
+									$groupmember['vip'] = $gwvip_arr[$group['name']][$member];
+								$gateway_groups_array[$group['name']][] = $groupmember;
+							}
 						}
 					}
 				}
@ -862,7 +884,7 @@ function get_interface_gateway($interface, &$dynamic = false) {
 	if (!is_ipaddrv4($gw) && !is_ipaddrv4($gwcfg['ipaddr'])) {
 		$realif = get_real_interface($interface);
 		if (file_exists("{$g['tmp_path']}/{$realif}_router")) {
-				$gw = trim(file_get_contents("{$g['tmp_path']}/{$realif}_router"), " \n");
+			$gw = trim(file_get_contents("{$g['tmp_path']}/{$realif}_router"), " \n");
 			$dynamic = true;
 		}
 		if (file_exists("{$g['tmp_path']}/{$realif}_defaultgw"))
--- a/etc/inc/interfaces.inc
+++ b/etc/inc/interfaces.inc
--- a/etc/inc/ipsec.attributes.php
+++ b/etc/inc/ipsec.attributes.php
@ -76,7 +76,7 @@ function parse_cisco_acl($attribs) {
 			} else if (strstr($rule[0], "route")) {
 				if (!is_array($attributes['routes']))
 					$attributes['routes'] = array();
-				$attributes['routes'][] = $route[1];
+				$attributes['routes'][] = $rule[1];
 				continue;
 			}	
 			$rindex = cisco_extract_index($rule[0]);
@ -120,7 +120,7 @@ function parse_cisco_acl($attribs) {
 				$tmprule .= "from any";
 				$index++;
 			} else {
-				$tmprule .= "from $rule[$index]";
+				$tmprule .= "from {$rule[$index]}";
 				$index++;
 				$netmask = cisco_to_cidr($rule[$index]);
 				$tmprule .= "/{$netmask} ";
@ -139,7 +139,7 @@ function parse_cisco_acl($attribs) {
 				$index++;
 				$tmprule .= "to any";
 			} else {
-				$tmprule .= "to $rule[$index]";
+				$tmprule .= "to {$rule[$index]}";
 				$index++;
 				$netmask = cisco_to_cidr($rule[$index]);
 				$tmprule .= "/{$netmask} ";
@ -175,9 +175,10 @@ function parse_cisco_acl($attribs) {

 $rules = parse_cisco_acl($attributes);
 if (!empty($rules)) {
-	@file_put_contents("/tmp/{$common_name}.rules", $rules);
-	mwexec("/sbin/pfctl -a \"ipsec/{$common_name}\" -f {$g['tmp_path']}/{$common_name}.rules");
-	@unlink("{$g['tmp_path']}/{$common_name}.rules");
+	$pid = posix_getpid();
+	@file_put_contents("/tmp/ipsec_{$pid}{$common_name}.rules", $rules);
+	mwexec("/sbin/pfctl -a " . escapeshellarg("ipsec/{$common_name}") . " -f {$g['tmp_path']}/ipsec_{$pid}" . escapeshellarg($common_name) . ".rules");
+	@unlink("{$g['tmp_path']}/ipsec_{$pid}{$common_name}.rules");
 }

 ?>
--- a/etc/inc/ipsec.auth-user.php
+++ b/etc/inc/ipsec.auth-user.php
@ -56,11 +56,10 @@ function getNasID()
 {
    global $g;

-    $nasId = "";
-    exec("/bin/hostname", $nasId);
-    if(!$nasId[0])
-        $nasId[0] = "{$g['product_name']}";
-    return $nasId[0];
+    $nasId = gethostname();
+    if(empty($nasId))
+        $nasId = $g['product_name'];
+    return $nasId;
 }
 }

--- a/etc/inc/led.inc
+++ b/etc/inc/led.inc
@ -61,7 +61,7 @@ function led_blink($led, $speed=0) {
 * Letters a-j are off from 1/10s to 1s
 */
 function led_pattern($led, $pattern, $repeat=true) {
-	/*  End with a . to stop after one interation. */
+	/*  End with a . to stop after one iteration. */
 	$end = $repeat ? "" : ".";
 	return led_ctl($led, "s{$pattern}{$end}");
 }
--- a/etc/inc/notices.inc
+++ b/etc/inc/notices.inc
@ -265,15 +265,12 @@ function are_notices_pending($category = "all") {
 * RESULT
 *   returns true if message was sent
 ******/
-function notify_via_smtp($message) {
+function notify_via_smtp($message, $force = false) {
 	global $config, $g;
 	if($g['booting'])
 		return;

-	if(!$config['notifications']['smtp']['ipaddress'])
-		return;
-
-	if(!$config['notifications']['smtp']['notifyemailaddress']) 
+	if(isset($config['notifications']['smtp']['disable']) && !$force)
 		return;

 	/* Do NOT send the same message twice */
@ -283,9 +280,26 @@ function notify_via_smtp($message) {
 			return;
 	}

+	/* Store last message sent to avoid spamming */
+	$fd = fopen("/var/db/notices_lastmsg.txt", "w");
+	fwrite($fd, $message);
+	fclose($fd);
+
+	send_smtp_message($message, "{$config['system']['hostname']}.{$config['system']['domain']} - Notification");
+	return;
+}
+
+function send_smtp_message($message, $subject = "(no subject)") {
+	global $config, $g;
 	require_once("sasl.inc");
 	require_once("smtp.inc");

+	if(!$config['notifications']['smtp']['ipaddress'])
+		return;
+
+	if(!$config['notifications']['smtp']['notifyemailaddress'])
+		return;
+
 	$smtp = new smtp_class;

 	$from = "pfsense@{$config['system']['hostname']}.{$config['system']['domain']}";
@ -296,6 +310,7 @@ function notify_via_smtp($message) {

 	$smtp->direct_delivery = 0;
 	$smtp->ssl = ($config['notifications']['smtp']['ssl'] == "checked") ? 1 : 0;
+	$smtp->tls = ($config['notifications']['smtp']['tls'] == "checked") ? 1 : 0;
 	$smtp->debug = 0;
 	$smtp->html_debug = 0;
 	$smtp->localhost=$config['system']['hostname'].".".$config['system']['domain'];
@ -314,15 +329,10 @@ function notify_via_smtp($message) {
 	$headers = array(
 		"From: {$from}",
 		"To: {$to}",
-		"Subject: {$config['system']['hostname']}.{$config['system']['domain']} - Notification",
+		"Subject: {$subject}",
 		"Date: ".date("r")
 	);

-	/* Store last message sent to avoid spamming */
-	$fd = fopen("/var/db/notices_lastmsg.txt", "w");
-	fwrite($fd, $message);
-	fclose($fd);
-
 	if($smtp->SendMessage($from, preg_split('/\s*,\s*/', trim($to)), $headers, $message)) {
 		log_error(sprintf(gettext("Message sent to %s OK"), $to));
 		return;
@ -330,10 +340,8 @@ function notify_via_smtp($message) {
 		log_error(sprintf(gettext('Could not send the message to %1$s -- Error: %2$s'), $to, $smtp->error));
 		return(sprintf(gettext('Could not send the message to %1$s -- Error: %2$s'), $to, $smtp->error));
 	}
-
 }

-
 /****f* notices/notify_via_growl
 * NAME
 *   notify_via_growl
@ -342,10 +350,13 @@ function notify_via_smtp($message) {
 * RESULT
 *   returns true if message was sent
 ******/
-function notify_via_growl($message) {
+function notify_via_growl($message, $force=false) {
 	require_once("growl.class");
 	global $config,$g;

+	if (isset($config['notifications']['growl']['disable']) && !$force)
+		return;
+
 	/* Do NOT send the same message twice */
 	if(file_exists("/var/db/growlnotices_lastmsg.txt")) {
 		$lastmsg = trim(file_get_contents("/var/db/growlnotices_lastmsg.txt"));
--- a/etc/inc/openvpn.attributes.php
+++ b/etc/inc/openvpn.attributes.php
@ -78,7 +78,7 @@ function parse_cisco_acl($attribs) {
 			} else if (strstr($rule[0], "route")) {
 				if (!is_array($attributes['routes']))
 					$attributes['routes'] = array();
-				$attributes['routes'][] = $route[1];
+				$attributes['routes'][] = $rule[1];
 				continue;
 			}	
 			$rindex = cisco_extract_index($rule[0]);
@ -122,7 +122,7 @@ function parse_cisco_acl($attribs) {
 				$tmprule .= "from any";
 				$index++;
 			} else {
-				$tmprule .= "from $rule[$index]";
+				$tmprule .= "from {$rule[$index]}";
 				$index++;
 				$netmask = cisco_to_cidr($rule[$index]);
 				$tmprule .= "/{$netmask} ";
@ -141,7 +141,7 @@ function parse_cisco_acl($attribs) {
 				$index++;
 				$tmprule .= "to any";
 			} else {
-				$tmprule .= "to $rule[$index]";
+				$tmprule .= "to {$rule[$index]}";
 				$index++;
 				$netmask = cisco_to_cidr($rule[$index]);
 				$tmprule .= "/{$netmask} ";
@ -177,9 +177,10 @@ function parse_cisco_acl($attribs) {

 $rules = parse_cisco_acl($attributes);
 if (!empty($rules)) {
-	@file_put_contents("/tmp/{$common_name}.rules", $rules);
-	mwexec("/sbin/pfctl -a \"openvpn/{$common_name}\" -f {$g['tmp_path']}/{$common_name}.rules");
-	@unlink("{$g['tmp_path']}/{$common_name}.rules");
+	$pid = posix_getpid();
+	@file_put_contents("/tmp/ovpn_{$pid}{$common_name}.rules", $rules);
+	mwexec("/sbin/pfctl -a " . escapeshellarg("openvpn/{$common_name}") . " -f {$g['tmp_path']}/ovpn_{$pid}" . escapeshellarg($common_name) . ".rules");
+	@unlink("{$g['tmp_path']}/ovpn_{$pid}{$common_name}.rules");
 }

 ?>
--- a/etc/inc/openvpn.auth-user.php
+++ b/etc/inc/openvpn.auth-user.php
@ -57,11 +57,10 @@ function getNasID()
 {
    global $g;

-    $nasId = "";
-    exec("/bin/hostname", $nasId);
-    if(!$nasId[0])
-        $nasId[0] = "{$g['product_name']}";
-    return $nasId[0];
+    $nasId = gethostname();
+    if(empty($nasId))
+        $nasId = $g['product_name'];
+    return $nasId;
 }
 }

--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@ -49,8 +49,10 @@ require_once("certs.inc");
 require_once('pfsense-utils.inc');
 require_once("auth.inc");

+global $openvpn_prots;
 $openvpn_prots = array("UDP", "UDP6", "TCP", "TCP6");

+global $openvpn_dev_mode;
 $openvpn_dev_mode = array("tun", "tap");

 /* 
@ -66,9 +68,11 @@ $openvpn_dev_mode = array("tun", "tap");
 * -mgrooms
 */

+global $openvpn_dh_lengths;
 $openvpn_dh_lengths = array(
 	1024, 2048, 4096 );

+global $openvpn_cert_depths;
 $openvpn_cert_depths = array(
 	1 => "One (Client+Server)",
 	2 => "Two (Client+Intermediate+Server)",
@ -77,6 +81,7 @@ $openvpn_cert_depths = array(
 	5 => "Five (Client+4xIntermediate+Server)"
 );

+global $openvpn_server_modes;
 $openvpn_server_modes = array(
 	'p2p_tls' => gettext("Peer to Peer ( SSL/TLS )"),
 	'p2p_shared_key' => gettext("Peer to Peer ( Shared Key )"),
@ -84,6 +89,7 @@ $openvpn_server_modes = array(
 	'server_user' => gettext("Remote Access ( User Auth )"),
 	'server_tls_user' => gettext("Remote Access ( SSL/TLS + User Auth )"));

+global $openvpn_client_modes;
 $openvpn_client_modes = array(
 	'p2p_tls' => gettext("Peer to Peer ( SSL/TLS )"),
 	'p2p_shared_key' => gettext("Peer to Peer ( Shared Key )") );
@ -393,13 +399,13 @@ function openvpn_reconfigure($mode, $settings) {

 		/* create the tap device if required */
 		if (!file_exists("/dev/{$tunname}"))
-			exec("/sbin/ifconfig {$tunname} create");
+			exec("/sbin/ifconfig " . escapeshellarg($tunname) . " create");

 		/* rename the device */
-		mwexec("/sbin/ifconfig {$tunname} name {$devname}");
+		mwexec("/sbin/ifconfig " . escapeshellarg($tunname) . " name " . escapeshellarg($devname));

 		/* add the device to the openvpn group */
-		mwexec("/sbin/ifconfig {$devname} group openvpn");
+		mwexec("/sbin/ifconfig " . escapeshellarg($devname) . " group openvpn");
 	}

 	$pfile = $g['varrun_path'] . "/openvpn_{$mode_id}.pid";
@ -532,6 +538,7 @@ function openvpn_reconfigure($mode, $settings) {
 							$biface_sm=gen_subnet_mask(get_interface_subnet($settings['serverbridge_interface']));
 							if (is_ipaddrv4($biface_ip) && is_ipaddrv4($settings['serverbridge_dhcp_start']) && is_ipaddrv4($settings['serverbridge_dhcp_end'])) {
 								$conf .= "server-bridge {$biface_ip} {$biface_sm} {$settings['serverbridge_dhcp_start']} {$settings['serverbridge_dhcp_end']}\n";
+								$conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n";
 							} else {
 								$conf .= "mode server\n";
 							}
@ -784,10 +791,18 @@ function openvpn_restart($mode, $settings) {
 	if (($mode == "client") && strstr($settings['interface'], "_vip") && (get_carp_interface_status($settings['interface']) == "BACKUP"))
 		return;

+	/* Check if client is bound to a gateway group */    
+	$a_groups = return_gateway_groups_array();
+	if (is_array($a_groups[$settings['interface']])) {
+		/* the interface is a gateway group. If a vip is defined and its a CARP backup then do not start */
+		if (($a_groups[$settings['interface']][0]['vip'] <> "") && (get_carp_interface_status($a_groups[$settings['interface']][0]['vip']) == "BACKUP"))
+			return;
+	}
+
 	/* start the new process */
 	$fpath = $g['varetc_path']."/openvpn/{$mode_id}.conf";
 	openvpn_clear_route($mode, $settings);
-	mwexec_bg("/usr/local/sbin/openvpn --config {$fpath}");
+	mwexec_bg("/usr/local/sbin/openvpn --config " . escapeshellarg($fpath));

 	if (!$g['booting'])
 		send_event("filter reload");
@ -823,13 +838,23 @@ function openvpn_delete($mode, & $settings) {
 	}

 	/* remove the device from the openvpn group */
-	mwexec("/sbin/ifconfig {$devname} -group openvpn");
+	mwexec("/sbin/ifconfig " . escapeshellarg($devname) . " -group openvpn");

 	/* restore the original adapter name */
-	mwexec("/sbin/ifconfig {$devname} name {$tunname}");
+	mwexec("/sbin/ifconfig " . escapeshellarg($devname) . " name " . escapeshellarg($tunname));

 	/* remove the configuration files */
-	mwexec("/bin/rm {$g['varetc_path']}/openvpn/{$mode_id}.*");
+	array_map('unlink', glob("{$g['varetc_path']}/openvpn/{$mode_id}.*"));
+}
+
+function openvpn_cleanup_csc($common_name) {
+	global $g, $config;
+	if (empty($common_name))
+		return;
+	$fpath = "{$g['varetc_path']}/openvpn-csc/" . basename($common_name);
+	if (is_file($fpath))
+		unlink_if_exists($fpath);
+	return;
 }

 function openvpn_resync_csc(& $settings) {
--- a/etc/inc/pfsense-utils.inc
+++ b/etc/inc/pfsense-utils.inc
@ -340,17 +340,17 @@ function get_carp_interface_status($carpinterface) {
 * get_pfsync_interface_status($pfsyncinterface): returns the status of a pfsync
 */
 function get_pfsync_interface_status($pfsyncinterface) {
-	$result = does_interface_exist($pfsyncinterface);
-	if($result <> true) return;
-	$status = exec_command("/sbin/ifconfig {$pfsyncinterface} | /usr/bin/awk '/pfsync:/ {print \$5}'");
-	return $status;
+	if (!does_interface_exist($pfsyncinterface))
+		return;
+
+	return exec_command("/sbin/ifconfig {$pfsyncinterface} | /usr/bin/awk '/pfsync:/ {print \$5}'");
 }

 /*
 * add_rule_to_anchor($anchor, $rule): adds the specified rule to an anchor
 */
 function add_rule_to_anchor($anchor, $rule, $label) {
-	mwexec("echo " . $rule . " | /sbin/pfctl -a " . $anchor . ":" . $label . " -f -");
+	mwexec("echo " . escapeshellarg($rule) . " | /sbin/pfctl -a " . escapeshellarg($anchor) . ":" . escapeshellarg($label) . " -f -");
 }

 /*
@ -619,7 +619,7 @@ if (!function_exists('php_check_syntax')){
 if (!function_exists('php_check_syntax')){
 	function php_check_syntax($code_to_check, &$errormessage){
 		return false;
-		$command = "/usr/local/bin/php -l " . $code_to_check;
+		$command = "/usr/local/bin/php -l " . escapeshellarg($code_to_check);
 		$output = exec_command($command);
 		if (stristr($output, "Errors parsing") == false) {
 			echo "false\n";
@ -661,17 +661,19 @@ function rmdir_recursive($path,$follow_links=false) {
 }

 /*
- * call_pfsense_method(): Call a method exposed by the pfsense.com XMLRPC server.
+ * call_pfsense_method(): Call a method exposed by the pfsense.org XMLRPC server.
 */
 function call_pfsense_method($method, $params, $timeout = 0) {
 	global $g, $config;

-	$ip = gethostbyname($g['product_website']);
-	if($ip == $g['product_website'])
-		return false;
-
 	$xmlrpc_base_url = isset($config['system']['altpkgrepo']['enable']) ? $config['system']['altpkgrepo']['xmlrpcbaseurl'] : $g['xmlrpcbaseurl'];
 	$xmlrpc_path = $g['xmlrpcpath'];
+	
+	$xmlrpcfqdn = preg_replace("(https?://)", "", $xmlrpc_base_url);
+	$ip = gethostbyname($xmlrpcfqdn);
+	if($ip == $xmlrpcfqdn)
+		return false;
+
 	$msg = new XML_RPC_Message($method, array(XML_RPC_Encode($params)));
 	$port = 0;
 	$proxyurl = "";
@ -711,9 +713,11 @@ function call_pfsense_method($method, $params, $timeout = 0) {
 */
 function check_firmware_version($tocheck = "all", $return_php = true) {
 	global $g, $config;
-
-	$ip = gethostbyname($g['product_website']);
-	if($ip == $g['product_website'])
+	
+	$xmlrpc_base_url = isset($config['system']['altpkgrepo']['enable']) ? $config['system']['altpkgrepo']['xmlrpcbaseurl'] : $g['xmlrpcbaseurl'];
+	$xmlrpcfqdn = preg_replace("(https?://)", "", $xmlrpc_base_url);
+	$ip = gethostbyname($xmlrpcfqdn);
+	if($ip == $xmlrpcfqdn)
 		return false;

 	$rawparams = array("firmware" => array("version" => trim(file_get_contents('/etc/version'))),
@ -749,10 +753,12 @@ function check_firmware_version($tocheck = "all", $return_php = true) {
 function host_firmware_version($tocheck = "") {
 	global $g, $config;

+	$os_version = trim(substr(php_uname("r"), 0, strpos(php_uname("r"), '-')));
+
 	return array(
 		"firmware" => array("version" => trim(file_get_contents('/etc/version', " \n"))),
-		"kernel"   => array("version" => trim(file_get_contents('/etc/version_kernel', " \n"))),
-		"base"     => array("version" => trim(file_get_contents('/etc/version_base', " \n"))),
+		"kernel"   => array("version" => $os_version),
+		"base"     => array("version" => $os_version),
 		"platform" => trim(file_get_contents('/etc/platform', " \n")),
 		"config_version" => $config['version']
 	);
@ -987,7 +993,7 @@ function setup_serial_port($when="save", $path="") {
 						fwrite($fd, "{$bcs}\n");
 				}
 			}
-			if(isset($config['system']['enableserial'])) {
+			if(isset($config['system']['enableserial']) || $g['enableserial_force']) {
 				fwrite($fd, "-D");
 			}
 			fclose($fd);
@ -1012,11 +1018,19 @@ function setup_serial_port($when="save", $path="") {
 					$new_boot_config[] = $bcs;

 			$serialspeed = (is_numeric($config['system']['serialspeed'])) ? $config['system']['serialspeed'] : "9600";
-			if(isset($config['system']['enableserial'])) {
+			if(isset($config['system']['enableserial']) || $g['enableserial_force']) {
 				$new_boot_config[] = 'boot_multicons="YES"';
 				$new_boot_config[] = 'boot_serial="YES"';
 				$new_boot_config[] = 'comconsole_speed="' . $serialspeed . '"';
-				$new_boot_config[] = 'console="comconsole,vidconsole"';
+				$primaryconsole = isset($g['primaryconsole_force']) ? $g['primaryconsole_force'] : $config['system']['primaryconsole'];
+				switch ($primaryconsole) {
+					case "video":
+						$new_boot_config[] = 'console="vidconsole,comconsole"';
+						break;
+					case "serial":
+					default:
+						$new_boot_config[] = 'console="comconsole,vidconsole"';
+				}
 			} elseif ($g['platform'] == "nanobsd") {
 				$new_boot_config[] = 'comconsole_speed="' . $serialspeed . '"';
 			}
@ -1031,7 +1045,7 @@ function setup_serial_port($when="save", $path="") {
 	$fd = fopen("/etc/ttys", "w");
 	foreach($ttys_split as $tty) {
 		if(stristr($tty, "ttyd0") or stristr($tty, "ttyu0")) {
-			if(isset($config['system']['enableserial'])) {
+			if(isset($config['system']['enableserial']) || $g['enableserial_force']) {
 				fwrite($fd, "ttyu0	\"/usr/libexec/getty bootupcli\"	cons25	on	secure\n");
 			} else {
 				fwrite($fd, "ttyu0	\"/usr/libexec/getty bootupcli\"	cons25	off	secure\n");
@ -1442,7 +1456,7 @@ function get_interface_info($ifdescr) {

 //returns cpu speed of processor. Good for determining capabilities of machine
 function get_cpu_speed() {
-	return exec("sysctl hw.clockrate | awk '{ print $2 }'");
+	return exec("/sbin/sysctl -n hw.clockrate");
 }

 function add_hostname_to_watch($hostname) {
@ -1452,7 +1466,7 @@ function add_hostname_to_watch($hostname) {
 	if((is_fqdn($hostname)) && (!is_ipaddr($hostname))) {
 		$domrecords = array();
 		$domips = array();
-		exec("host -t A $hostname", $domrecords, $rethost);
+		exec("host -t A " . escapeshellarg($hostname), $domrecords, $rethost);
 		if($rethost == 0) {
 			foreach($domrecords as $domr) {
 				$doml = explode(" ", $domr);
@ -1494,9 +1508,9 @@ function is_fqdn($fqdn) {
 function pfsense_default_state_size() {
 	/* get system memory amount */
 	$memory = get_memory();
-	$avail = $memory[1];
+	$physmem = $memory[0];
 	/* Be cautious and only allocate 10% of system memory to the state table */
-	$max_states = (int) ($avail/10)*1000;
+	$max_states = (int) ($physmem/10)*1000;
 	return $max_states;
 }

@ -1526,7 +1540,7 @@ function compare_hostname_to_dnscache($hostname) {
 	if((is_fqdn($hostname)) && (!is_ipaddr($hostname))) {
 		$domrecords = array();
 		$domips = array();
-		exec("host -t A $hostname", $domrecords, $rethost);
+		exec("host -t A " . escapeshellarg($hostname), $domrecords, $rethost);
 		if($rethost == 0) {
 			foreach($domrecords as $domr) {
 				$doml = explode(" ", $domr);
@ -1772,9 +1786,9 @@ function update_progress_bar($percent, $first_time) {

 /* Split() is being DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged. */
 if(!function_exists("split")) {
-	function split($seperator, $haystack, $limit = null) {
-		log_error("deprecated split() call with seperator '{$seperator}'");
-		return preg_split($seperator, $haystack, $limit);
+	function split($separator, $haystack, $limit = null) {
+		log_error("deprecated split() call with separator '{$separator}'");
+		return preg_split($separator, $haystack, $limit);
 	}
 }

@ -1835,9 +1849,6 @@ function update_alias_url_data() {
 				/* fetch down and add in */
 				$temp_filename = tempnam("{$g['tmp_path']}/", "alias_import");
 				unlink($temp_filename);
-				$fda = fopen("{$g['tmp_path']}/tmpfetch","w");
-				fwrite($fda, "/usr/bin/fetch -T 5 -q -o \"{$temp_filename}/aliases\" \"" . $alias_url . "\"");
-				fclose($fda);
 				mwexec("/bin/mkdir -p {$temp_filename}");
 				mwexec("/usr/bin/fetch -T 5 -q -o \"{$temp_filename}/aliases\" \"" . $alias_url . "\"");
 				/* if the item is tar gzipped then extract */
@ -1871,15 +1882,17 @@ function update_alias_url_data() {
 			}
 		}
 	}
-	if ($updated)
-		write_config();
 	unlock($lockkey);
+	if ($updated) {
+		write_config();
+		send_event("filter reload");
+	}
 }

 function process_alias_unzip($temp_filename) {
 	if(!file_exists("/usr/local/bin/unzip"))
 		return;
-	mwexec("/bin/mv {$temp_filename}/aliases {$temp_filename}/aliases.zip");
+	rename("{$temp_filename}/aliases", "{$temp_filename}/aliases.zip");
 	mwexec("/usr/local/bin/unzip {$temp_filename}/aliases.tgz -d {$temp_filename}/aliases/");
 	unlink("{$temp_filename}/aliases.zip");
 	$files_to_process = return_dir_as_array("{$temp_filename}/");
@ -1896,7 +1909,7 @@ function process_alias_unzip($temp_filename) {
 function process_alias_tgz($temp_filename) {
 	if(!file_exists("/usr/bin/tar"))
 		return;
-	mwexec("/bin/mv {$temp_filename}/aliases {$temp_filename}/aliases.tgz");
+	rename("{$temp_filename}/aliases", "{$temp_filename}/aliases.tgz");
 	mwexec("/usr/bin/tar xzf {$temp_filename}/aliases.tgz -C {$temp_filename}/aliases/");
 	unlink("{$temp_filename}/aliases.tgz");
 	$files_to_process = return_dir_as_array("{$temp_filename}/");
@ -2016,7 +2029,7 @@ function process_alias_urltable($name, $url, $freq, $forceupdate=false) {

 	// If the file doesn't exist or is older than update_freq days, fetch a new copy.
 	if (!file_exists($urltable_filename)
-		|| ((time() - filemtime($urltable_filename)) > ($freq * 86400))
+		|| ((time() - filemtime($urltable_filename)) > ($freq * 86400 - 90))
 		|| $forceupdate) {

 		// Try to fetch the URL supplied
@ -2029,7 +2042,7 @@ function process_alias_urltable($name, $url, $freq, $forceupdate=false) {
 			mwexec("/usr/bin/sed 's/\;.*//g' ". escapeshellarg($urltable_filename . ".tmp") . "| /usr/bin/egrep -v '^[[:space:]]*$|^#' > " . escapeshellarg($urltable_filename));
 			unlink_if_exists($urltable_filename . ".tmp");
 		} else
-			mwexec("/usr/bin/touch {$urltable_filename}");
+			touch($urltable_filename);
 		conf_mount_ro();
 		return true;
 	} else {
@ -2122,10 +2135,10 @@ function nanobsd_update_fstab($gslice, $complete_path, $oldufs, $newufs) {
 	$tmppath = "/tmp/{$gslice}";
 	$fstabpath = "/tmp/{$gslice}/etc/fstab";

-	exec("/bin/mkdir {$tmppath}");
+	mkdir($tmppath);
 	exec("/sbin/fsck_ufs -y /dev/{$complete_path}");
 	exec("/sbin/mount /dev/ufs/{$gslice} {$tmppath}");
-	exec("/bin/cp /etc/fstab {$fstabpath}");
+	copy("/etc/fstab", $fstabpath);

 	if (!file_exists($fstabpath)) {
 		$fstab = <<<EOF
@ -2140,7 +2153,7 @@ EOF;
 		$status = exec("sed -i \"\" \"s/pfsense{$oldufs}/pfsense{$newufs}/g\" {$fstabpath}");
 	}
 	exec("/sbin/umount {$tmppath}");
-	exec("/bin/rmdir {$tmppath}");
+	rmdir($tmppath);

 	return $status;
 }
--- a/etc/inc/pkg-utils.inc
+++ b/etc/inc/pkg-utils.inc
@ -57,7 +57,7 @@ if(!function_exists("update_status")) {
 }
 if(!function_exists("update_output_window")) {
 	function update_output_window($status) {
-		echo $status . "\n";
+		echo htmlspecialchars($status) . "\n";
 	}
 }

@ -102,7 +102,7 @@ function remove_freebsd_package($packagestring) {
 	// The packagestring passed in must be the full PBI package name, 
 	// as displayed by the pbi_info utility. e.g. "package-1.2.3_4-i386" 
 	// It must NOT have ".pbi" on the end.
-	exec("/usr/local/sbin/pbi_info {$packagestring} | /usr/bin/awk '/Prefix/ {print $2}'",$pbidir);
+	exec("/usr/local/sbin/pbi_info " . escapeshellarg($packagestring) . " | /usr/bin/awk '/Prefix/ {print $2}'",$pbidir);
 	$pbidir = $pbidir[0];
 	if ($pbidir == "") {
 		log_error("PBI dir for {$packagestring} was not found - cannot cleanup PBI files");
@ -127,7 +127,7 @@ function remove_freebsd_package($packagestring) {
 			}
 		}

-		exec("/usr/local/sbin/pbi_delete {$packagestring} 2>>/tmp/pbi_delete_errors.txt");
+		exec("/usr/local/sbin/pbi_delete " . escapeshellarg($packagestring) . " 2>>/tmp/pbi_delete_errors.txt");
 	}
 }

@ -188,7 +188,7 @@ function get_pkg_internal_name($package) {

 /****f* pkg-utils/get_pkg_info
 * NAME
- *   get_pkg_info - Retrieve package information from pfsense.com.
+ *   get_pkg_info - Retrieve package information from package server.
 * INPUTS
 *   $pkgs - 'all' to retrieve all packages, an array containing package names otherwise
 *   $info - 'all' to retrieve all information, an array containing keys otherwise
@ -279,7 +279,7 @@ function is_freebsd_pkg_installed($pkg) {
 	if(!$pkg) 
 		return;
 	$output = "";
-	exec("/usr/local/sbin/pbi_info \"{$pkg}\"", $output, $retval);
+	exec("/usr/local/sbin/pbi_info " . escapeshellarg($pkg), $output, $retval);

 	return (intval($retval) == 0);
 }
@ -361,19 +361,6 @@ function uninstall_package($pkg_name) {
 	global $config, $static_output;
 	global $builder_package_install;

-	// Back up /usr/local/lib libraries first if
-	// not running from the builder code.
-	// also take into account rrd binaries
-	if(!$builder_package_install) {
-		if(!file_exists("/tmp/pkg_libs.tgz")) {
-			$static_output .= "Backing up libraries... ";
-			update_output_window($static_output);
-			mwexec("/usr/bin/tar czPf /tmp/pkg_libs.tgz `/bin/cat /etc/pfSense_md5.txt | /usr/bin/grep 'local/lib' | /usr/bin/awk '{ print $2 }' | /usr/bin/cut -d'(' -f2 | /usr/bin/cut -d')' -f1`", true);
-			mwexec("/usr/bin/tar czPf /tmp/pkg_bins.tgz `/bin/cat /etc/pfSense_md5.txt | /usr/bin/grep 'rrd' | /usr/bin/awk '{ print $2 }' | /usr/bin/cut -d'(' -f2 | /usr/bin/cut -d')' -f1`", true);
-			$static_output .= "\n";
-		}
-	}
-
 	$id = get_pkg_id($pkg_name);
 	if ($id >= 0) {
 		stop_service(get_pkg_internal_name($config['installedpackages']['package'][$id]));
@ -397,20 +384,11 @@ function uninstall_package($pkg_name) {
 			}
 		}
 	}
-	delete_package_xml($pkg_name);
+	if (is_package_installed($pkg_name))
+		delete_package_xml($pkg_name);

-	// Restore libraries that we backed up if not 
-	// running from the builder code.
-	if(!$builder_package_install) {
-		$static_output .= "Cleaning up... ";
-		update_output_window($static_output);
-		mwexec("/usr/bin/tar xzPfk /tmp/pkg_libs.tgz -C /", true);
-		mwexec("/usr/bin/tar xzPfk /tmp/pkg_bins.tgz -C /", true);
-		@unlink("/tmp/pkg_libs.tgz");
-		@unlink("/tmp/pkg_bins.tgz");
-		$static_output .= gettext("done.") . "\n";
-		update_output_window($static_output);
-	}
+	$static_output .= gettext("done.") . "\n";
+	update_output_window($static_output);
 }

 function force_remove_package($pkg_name) {
@ -567,21 +545,32 @@ function pkg_fetch_recursive($pkgname, $filename, $dependlevel = 0, $base_url =

 		$pkgaddout = "";

-		exec("/usr/local/sbin/pbi_add {$pkgstaging} -f -v --no-checksig {$fetchto} 2>&1", $pkgaddout);
-		pkg_debug($pkgname . " " . print_r($pkgaddout, true) . "\npbi_add successfully completed.\n");
-		setup_library_paths();
-		exec("/usr/local/sbin/pbi_info " . preg_replace('/\.pbi$/','',$filename) . " | /usr/bin/awk '/Prefix/ {print $2}'",$pbidir);
-		$pbidir = $pbidir[0];
-		$linkdirs = array('bin','sbin');
-		foreach($linkdirs as $dir) {
-			if(is_dir("{$pbidir}/{$dir}")) {
-				$files = scandir("{$pbidir}/{$dir}");
-				foreach($files as $f) {
-					if(!file_exists("/usr/local/{$dir}/{$f}")) {
-						symlink("{$pbidir}/{$dir}/{$f}","/usr/local/{$dir}/{$f}");
+		$result = exec("/usr/local/sbin/pbi_add " . $pkgstaging . " -f -v --no-checksig " . escapeshellarg($fetchto) . " 2>&1", $pkgaddout, $rc);
+		pkg_debug($pkgname . " " . print_r($pkgaddout, true) . "\n");
+		if ($rc == 0) {
+			setup_library_paths();
+			$result = exec("/usr/local/sbin/pbi_info " . escapeshellarg(preg_replace('/\.pbi$/','',$filename)) . " | /usr/bin/awk '/Prefix/ {print $2}'",$pbidir);
+			$pbidir = $pbidir[0];
+			$linkdirs = array('bin','sbin');
+			foreach($linkdirs as $dir) {
+				if(is_dir("{$pbidir}/{$dir}")) {
+					$files = scandir("{$pbidir}/{$dir}");
+					foreach($files as $f) {
+						if(!file_exists("/usr/local/{$dir}/{$f}")) {
+							@symlink("{$pbidir}/{$dir}/{$f}","/usr/local/{$dir}/{$f}");
+						}
 					}
 				}
 			}
+			pkg_debug("pbi_add successfully completed.\n");
+		} else {
+			if (is_array($pkgaddout))
+				foreach ($pkgaddout as $line)
+					$static_output .= " " . $line .= "\n";
+
+			update_output_window($static_output);
+			pkg_debug("pbi_add failed.\n");
+			return false;
 		}
 	}
 	return true;
@ -590,7 +579,7 @@ function pkg_fetch_recursive($pkgname, $filename, $dependlevel = 0, $base_url =
 function install_package($package, $pkg_info = "", $force_install = false) {
 	global $g, $config, $static_output, $pkg_interface;

-	/* safe side. Write config below will send to ro again. */
+	/* safe side. */
 	conf_mount_rw();

 	if($pkg_interface == "console") 	
@ -803,7 +792,7 @@ function install_package_xml($pkg) {
 				if(stristr($filename, ".tgz") <> "") {
 					pkg_debug(gettext("Extracting tarball to -C for ") . $filename . "...\n");
 					$tarout = "";
-					exec("/usr/bin/tar xvzf " . $prefix . $filename . " -C / 2>&1", $tarout);
+					exec("/usr/bin/tar xvzf " . escapeshellarg($prefix . $filename) . " -C / 2>&1", $tarout);
 					pkg_debug(print_r($tarout, true) . "\n");
 				}
 				if($pkg_chmod <> "") {
@ -861,7 +850,7 @@ function install_package_xml($pkg) {
 				$pkg_name_for_pbi_match = strtolower($pkg) . "-";
 				exec("/usr/local/sbin/pbi_info | grep '^{$pkg_name_for_pbi_match}' | xargs /usr/local/sbin/pbi_info | awk '/Prefix/ {print $2}'",$pbidirarray);
 				$pbidir0 = $pbidirarray[0];
-				exec("find /usr/local/etc/ -name *.conf | grep \"{$pkg}\"",$files);
+				exec("find /usr/local/etc/ -name *.conf | grep " . escapeshellarg($pkg),$files);
 				foreach($files as $f) {
 					$pbiconf = str_replace('/usr/local',$pbidir0,$f);
 					if(is_file($pbiconf) || is_link($pbiconf)) {
@ -1264,26 +1253,41 @@ function pkg_reinstall_all() {

 	@unlink('/conf/needs_package_sync');
 	if (is_array($config['installedpackages']['package'])) {
-		echo "One moment please, reinstalling packages...\n";
-		echo " >>> Trying to fetch package info...";
+		echo gettext("One moment please, reinstalling packages...\n");
+		echo gettext(" >>> Trying to fetch package info...");
+		log_error(gettext("Attempting to reinstall all packages"));
 		$pkg_info = get_pkg_info();
 		if ($pkg_info) {
 			echo " Done.\n";
 		} else {
 			$xmlrpc_base_url = isset($config['system']['altpkgrepo']['enable']) ? $config['system']['altpkgrepo']['xmlrpcbaseurl'] : $g['xmlrpcbaseurl'];
-			echo "\n" . sprintf(gettext(' >>> Unable to communicate with %1$s. Please verify DNS and interface configuration, and that %2$s has functional Internet connectivity.'), $xmlrpc_base_url, $g['product_name']) . "\n";
+			$error = sprintf(gettext(' >>> Unable to communicate with %1$s. Please verify DNS and interface configuration, and that %2$s has functional Internet connectivity.'), $xmlrpc_base_url, $g['product_name']);
+			echo "\n{$error}\n";
+			log_error(gettext("Cannot reinstall packages: ") . $error);
 			return;
 		}
 		$todo = array();
-		foreach($config['installedpackages']['package'] as $package)
+		$all_names = array();
+		foreach($config['installedpackages']['package'] as $package) {
 			$todo[] = array('name' => $package['name'], 'version' => $package['version']);
+			$all_names[] = $package['name'];
+		}
+		$package_name_list = gettext("List of packages to reinstall: ") . implode(", ", $all_names);
+		echo " >>> {$package_name_list}\n";
+		log_error($package_name_list);
+
 		foreach($todo as $pkgtodo) {
 			$static_output = "";
 			if($pkgtodo['name']) {
+				log_error(gettext("Uninstalling package") . " {$pkgtodo['name']}");
 				uninstall_package($pkgtodo['name']);
+				log_error(gettext("Finished uninstalling package") . " {$pkgtodo['name']}");
+				log_error(gettext("Reinstalling package") . " {$pkgtodo['name']}");
 				install_package($pkgtodo['name']);
+				log_error(gettext("Finished installing package") . " {$pkgtodo['name']}");
 			}
 		}
+		log_error(gettext("Finished reinstalling all packages."));
 	} else
 		echo "No packages are installed.";
 }
@ -1321,16 +1325,34 @@ function stop_packages() {
 		}
 	}

-	$shell = @popen("/bin/sh", "w");
-	if ($shell) {
-		foreach ($rcfiles as $rcfile => $number) {
+	foreach ($rcfiles as $rcfile => $number) {
+		$shell = @popen("/bin/sh", "w");
+		if ($shell) {
 			echo " Stopping {$rcfile}...";
-			fwrite($shell, "{$rcfile} stop >>/tmp/bootup_messages 2>&1");
+			if (!@fwrite($shell, "{$rcfile} stop >>/tmp/bootup_messages 2>&1")) {
+				if ($shell)
+					pclose($shell);
+				$shell = @popen("/bin/sh", "w");
+			}
 			echo "done.\n";
+			pclose($shell);
 		}
-
-		pclose($shell);
 	}
 }

-?>
+function get_pkg_interfaces_select_source($include_localhost=false) {
+	$interfaces = get_configured_interface_with_descr();
+	$ssifs = array();
+	foreach ($interfaces as $iface => $ifacename) {
+		$tmp["name"]  = $ifacename;
+		$tmp["value"] = $iface;
+		$ssifs[] = $tmp;
+	}
+	if ($include_localhost) {
+		$tmp["name"]  = "Localhost";
+		$tmp["value"] = "lo0";
+		$ssifs[] = $tmp;
+	}
+	return $ssifs;
+}
+?>
--- a/etc/inc/priv.defs.inc
+++ b/etc/inc/priv.defs.inc
@ -54,6 +54,18 @@ $priv_list['page-diagnostics-factorydefaults']['descr'] = gettext("Allow access
 $priv_list['page-diagnostics-factorydefaults']['match'] = array();
 $priv_list['page-diagnostics-factorydefaults']['match'][] = "diag_defaults.php*";

+$priv_list['page-diagnostics-ndptable'] = array();
+$priv_list['page-diagnostics-ndptable']['name'] = gettext("Webcfg - Diagnostics: NDP Table page");
+$priv_list['page-diagnostics-ndptable']['descr'] = gettext("Allow access to the 'Diagnostics: NDP Table' page.");
+$priv_list['page-diagnostics-ndptable']['match'] = array();
+$priv_list['page-diagnostics-ndptable']['match'][] = "diag_ndp.php*";
+
+$priv_list['page-diagnostics-restore-full-backup'] = array();
+$priv_list['page-diagnostics-restore-full-backup']['name'] = gettext("Webcfg - Diagnostics: Restore full backup");
+$priv_list['page-diagnostics-restore-full-backup']['descr'] = gettext("Allow access to the 'Diagnostics: Restore Full Backup' page.");
+$priv_list['page-diagnostics-restore-full-backup']['match'] = array();
+$priv_list['page-diagnostics-restore-full-backup']['match'][] = "system_firmware_restorefullbackup.php";
+
 $priv_list['page-diagnostics-showstates'] = array();
 $priv_list['page-diagnostics-showstates']['name'] = gettext("WebCfg - Diagnostics: Show States page");
 $priv_list['page-diagnostics-showstates']['descr'] = gettext("Allow access to the 'Diagnostics: Show States' page.");
@ -66,6 +78,12 @@ $priv_list['page-diagnostics-sockets']['descr'] = gettext("Allow access to the '
 $priv_list['page-diagnostics-sockets']['match'] = array();
 $priv_list['page-diagnostics-sockets']['match'][] = "diag_sockets.php*";

+$priv_list['page-diagnostics-testport'] = array();
+$priv_list['page-diagnostics-testport']['name'] = gettext("Webcfg - Diagnostics: Test Port");
+$priv_list['page-diagnostics-testport']['descr'] = gettext("Allow access to the 'Diagnostics: Test Port' page.");
+$priv_list['page-diagnostics-testport']['match'] = array();
+$priv_list['page-diagnostics-testport']['match'][] = "diag_testport.php*";
+
 $priv_list['page-status-ipsec'] = array();
 $priv_list['page-status-ipsec']['name'] = gettext("WebCfg - Status: IPsec page");
 $priv_list['page-status-ipsec']['descr'] = gettext("Allow access to the 'Status: IPsec' page.");
@ -84,18 +102,18 @@ $priv_list['page-status-ipsec-spd']['descr'] = gettext("Allow access to the 'Sta
 $priv_list['page-status-ipsec-spd']['match'] = array();
 $priv_list['page-status-ipsec-spd']['match'][] = "diag_ipsec_spd.php*";

+$priv_list['page-status-ntp'] = array();
+$priv_list['page-status-ntp']['name'] = gettext("Webcfg - Status: NTP page");
+$priv_list['page-status-ntp']['descr'] = gettext("Allow access to the 'Status: NTP' page.");
+$priv_list['page-status-ntp']['match'] = array();
+$priv_list['page-status-ntp']['match'][] = "status_ntpd.php*";
+
 $priv_list['page-ipsecxml'] = array();
 $priv_list['page-ipsecxml']['name'] = gettext("WebCfg - Diag IPsec XML page");
 $priv_list['page-ipsecxml']['descr'] = gettext("Allow access to the 'Diag IPsec XML' page.");
 $priv_list['page-ipsecxml']['match'] = array();
 $priv_list['page-ipsecxml']['match'][] = "diag_ipsec_xml.php";

-$priv_list['page-diag-system-activity'] = array();
-$priv_list['page-diag-system-activity']['name'] = gettext("WebCfg - Diagnostics: System Activity");
-$priv_list['page-diag-system-activity']['descr'] = gettext("Allows access to the 'Diagnostics: System Activity' page");
-$priv_list['page-diag-system-activity']['match'] = array();
-$priv_list['page-diag-system-activity']['match'][] = "diag_system_activity*";
-
 $priv_list['page-diagnostics-logs-system'] = array();
 $priv_list['page-diagnostics-logs-system']['name'] = gettext("WebCfg - Diagnostics: Logs: System page");
 $priv_list['page-diagnostics-logs-system']['descr'] = gettext("Allow access to the 'Diagnostics: Logs: System' page.");
@ -132,12 +150,6 @@ $priv_list['page-diagnostics-logs-resolver']['descr'] = gettext("Allow access to
 $priv_list['page-diagnostics-logs-resolver']['match'] = array();
 $priv_list['page-diagnostics-logs-resolver']['match'][] = "diag_logs_resolver.php*";

-$priv_list['page-diagnostics-logs-wireless'] = array();
-$priv_list['page-diagnostics-logs-wireless']['name'] = gettext("WebCfg - Diagnostics: Logs: Wireless page");
-$priv_list['page-diagnostics-logs-wireless']['descr'] = gettext("Allow access to the 'Diagnostics: Logs: System: Wireless' page.");
-$priv_list['page-diagnostics-logs-wireless']['match'] = array();
-$priv_list['page-diagnostics-logs-wireless']['match'][] = "diag_logs_wireless.php*";
-
 $priv_list['page-hidden-nolongerincluded'] = array();
 $priv_list['page-hidden-nolongerincluded']['name'] = gettext("WebCfg - Hidden: No longer included page");
 $priv_list['page-hidden-nolongerincluded']['descr'] = gettext("Allow access to the 'Hidden: No longer included' page.");
@ -174,6 +186,18 @@ $priv_list['page-status-systemlogs-loadbalancer']['descr'] = gettext("Allow acce
 $priv_list['page-status-systemlogs-loadbalancer']['match'] = array();
 $priv_list['page-status-systemlogs-loadbalancer']['match'][] = "diag_logs_relayd.php*";

+$priv_list['page-status-systemlogs-routing'] = array();
+$priv_list['page-status-systemlogs-routing']['name'] = gettext("Webcfg - Status: System logs: Routing page");
+$priv_list['page-status-systemlogs-routing']['descr'] = gettext("Allow access to the 'Status: System logs: System: Routing' page.");
+$priv_list['page-status-systemlogs-routing']['match'] = array();
+$priv_list['page-status-systemlogs-routing']['match'][] = "diag_logs_routing.php*";
+
+$priv_list['page-status-systemlogs-wireless'] = array();
+$priv_list['page-status-systemlogs-wireless']['name'] = gettext("Webcfg - Status: System logs: Wireless page");
+$priv_list['page-status-systemlogs-wireless']['descr'] = gettext("Allow access to the 'Status: System logs: System: Wireless' page.");
+$priv_list['page-status-systemlogs-wireless']['match'] = array();
+$priv_list['page-status-systemlogs-wireless']['match'][] = "diag_logs_wireless.php*";
+
 $priv_list['page-diagnostics-logs-settings'] = array();
 $priv_list['page-diagnostics-logs-settings']['name'] = gettext("WebCfg - Diagnostics: Logs: Settings page");
 $priv_list['page-diagnostics-logs-settings']['descr'] = gettext("Allow access to the 'Diagnostics: Logs: Settings' page.");
@ -204,11 +228,29 @@ $priv_list['page-diagnostics-patters']['descr'] = gettext("Allow access to the '
 $priv_list['page-diagnostics-patters']['match'] = array();
 $priv_list['page-diagnostics-patters']['match'][] = "patterns.php*";

+$priv_list['page-diagnostics-limiter-info'] = array();
+$priv_list['page-diagnostics-limiter-info']['name'] = gettext("Diagnostics: Limiter Info");
+$priv_list['page-diagnostics-limiter-info']['descr'] = gettext("Allows access to the 'Diagnostics: Limiter Info' page");
+$priv_list['page-diagnostics-limiter-info']['match'] = array();
+$priv_list['page-diagnostics-limiter-info']['match'][] = "diag_limiter_info.php*";
+
+$priv_list['page-diagnostics-pf-info'] = array();
+$priv_list['page-diagnostics-pf-info']['name'] = gettext("Diagnostics: pfInfo");
+$priv_list['page-diagnostics-pf-info']['descr'] = gettext("Allows access to the 'Diagnostics: pfInfo' page");
+$priv_list['page-diagnostics-pf-info']['match'] = array();
+$priv_list['page-diagnostics-pf-info']['match'][] = "diag_pf_info.php*";
+
 $priv_list['page-diag-system-activity'] = array();
 $priv_list['page-diag-system-activity']['name'] = gettext("WebCfg - Diagnostics: System Activity");
 $priv_list['page-diag-system-activity']['descr'] = gettext("Allows access to the 'Diagnostics: System Activity' page");
 $priv_list['page-diag-system-activity']['match'] = array();
-$priv_list['page-diag-system-activity']['match'][] = "diag_system_activity*";
+$priv_list['page-diag-system-activity']['match'][] = "diag_system_activity.php*";
+
+$priv_list['page-diagnostics-system-pftop'] = array();
+$priv_list['page-diagnostics-system-pftop']['name'] = gettext("Diagnostics: pfTop");
+$priv_list['page-diagnostics-system-pftop']['descr'] = gettext("Allows access to the 'Diagnostics: pfTop' page");
+$priv_list['page-diagnostics-system-pftop']['match'] = array();
+$priv_list['page-diagnostics-system-pftop']['match'][] = "diag_system_pftop.php*";

 $priv_list['page-diagnostics-ping'] = array();
 $priv_list['page-diagnostics-ping']['name'] = gettext("WebCfg - Diagnostics: Ping page");
@ -240,18 +282,6 @@ $priv_list['page-diagnostics-statessummary']['descr'] = gettext("Allow access to
 $priv_list['page-diagnostics-statessummary']['match'] = array();
 $priv_list['page-diagnostics-statessummary']['match'][] = "diag_states_summary.php*";

-$priv_list['page-diag-system-activity'] = array();
-$priv_list['page-diag-system-activity']['name'] = gettext("WebCfg - Diagnostics: System Activity");
-$priv_list['page-diag-system-activity']['descr'] = gettext("Allows access to the 'Diagnostics: System Activity' page");
-$priv_list['page-diag-system-activity']['match'] = array();
-$priv_list['page-diag-system-activity']['match'][] = "diag_system_activity*";
-
-$priv_list['page-diag-system-activity'] = array();
-$priv_list['page-diag-system-activity']['name'] = gettext("WebCfg - Diagnostics: System Activity");
-$priv_list['page-diag-system-activity']['descr'] = gettext("Allows access to the 'Diagnostics: System Activity' page");
-$priv_list['page-diag-system-activity']['match'] = array();
-$priv_list['page-diag-system-activity']['match'][] = "diag_system_pftop.php*";
-
 $priv_list['page-diagnostics-tables'] = array();
 $priv_list['page-diagnostics-tables']['name'] = gettext("WebCfg - Diagnostics: PF Table IP addresses");
 $priv_list['page-diagnostics-tables']['descr'] = gettext("Allow access to the 'Diagnostics: Tables' page.");
@ -296,6 +326,18 @@ $priv_list['page-firewall-alias-import']['descr'] = gettext("Allow access to the
 $priv_list['page-firewall-alias-import']['match'] = array();
 $priv_list['page-firewall-alias-import']['match'][] = "firewall_aliases_import.php*";

+$priv_list['page-firewall-nat-npt'] = array();
+$priv_list['page-firewall-nat-npt']['name'] = gettext("Webcfg - Firewall: NAT: NPT page");
+$priv_list['page-firewall-nat-npt']['descr'] = gettext("Allow access to the 'Firewall: NAT: NPT' page.");
+$priv_list['page-firewall-nat-npt']['match'] = array();
+$priv_list['page-firewall-nat-npt']['match'][] = "firewall_nat_npt.php*";
+
+$priv_list['page-firewall-nat-npt-edit'] = array();
+$priv_list['page-firewall-nat-npt-edit']['name'] = gettext("Webcfg - Firewall: NAT: NPt: Edit page");
+$priv_list['page-firewall-nat-npt-edit']['descr'] = gettext("Allow access to the 'Firewall: NAT: NPt: Edit' page.");
+$priv_list['page-firewall-nat-npt-edit']['match'] = array();
+$priv_list['page-firewall-nat-npt-edit']['match'][] = "firewall_nat_npt_edit.php*";
+
 $priv_list['page-firewall-nat-portforward'] = array();
 $priv_list['page-firewall-nat-portforward']['name'] = gettext("WebCfg - Firewall: NAT: Port Forward page");
 $priv_list['page-firewall-nat-portforward']['descr'] = gettext("Allow access to the 'Firewall: NAT: Port Forward' page.");
@ -501,8 +543,8 @@ $priv_list['page-interfaces-groups']['match'] = array();
 $priv_list['page-interfaces-groups']['match'][] = "interfaces_groups.php*";

 $priv_list['page-interfacess-groups'] = array();
-$priv_list['page-interfacess-groups']['name'] = gettext("WebCfg - Interfaces: Groups: Edit page");
-$priv_list['page-interfacess-groups']['descr'] = gettext("Edit Interface groups");
+$priv_list['page-interfacess-groups']['name'] = gettext("Interfaces: Groups: Edit page");
+$priv_list['page-interfacess-groups']['descr'] = gettext("Allow access to the 'Interfaces: Groups: Edit' page.");
 $priv_list['page-interfacess-groups']['match'] = array();
 $priv_list['page-interfacess-groups']['match'][] = "interfaces_groups_edit.php*";

@ -513,8 +555,8 @@ $priv_list['page-interfacess-lagg']['match'] = array();
 $priv_list['page-interfacess-lagg']['match'][] = "interfaces_lagg.php*";

 $priv_list['page-interfacess-lagg'] = array();
-$priv_list['page-interfacess-lagg']['name'] = gettext("WebCfg - Interfaces: LAGG: Edit page");
-$priv_list['page-interfacess-lagg']['descr'] = gettext("Edit Interface LAGG");
+$priv_list['page-interfacess-lagg']['name'] = gettext("Interfaces: LAGG: Edit page");
+$priv_list['page-interfacess-lagg']['descr'] = gettext("Allow access to the 'Interfaces: LAGG: Edit' page.");
 $priv_list['page-interfacess-lagg']['match'] = array();
 $priv_list['page-interfacess-lagg']['match'][] = "interfaces_lagg_edit.php*";

@ -537,8 +579,8 @@ $priv_list['page-interfaces-qinq']['match'] = array();
 $priv_list['page-interfaces-qinq']['match'][] = "interfaces_qinq.php*";

 $priv_list['page-interfacess-qinq'] = array();
-$priv_list['page-interfacess-qinq']['name'] = gettext("WebCfg - Interfaces: QinQ: Edit page");
-$priv_list['page-interfacess-qinq']['descr'] = gettext("Edit Interface qinq");
+$priv_list['page-interfacess-qinq']['name'] = gettext("Interfaces: QinQ: Edit page");
+$priv_list['page-interfacess-qinq']['descr'] = gettext("Allow access to 'Interfaces: QinQ: Edit' page");
 $priv_list['page-interfacess-qinq']['match'] = array();
 $priv_list['page-interfacess-qinq']['match'][] = "interfaces_qinq_edit.php*";

@ -620,12 +662,24 @@ $priv_list['page-services-loadbalancer-relay-protocol-edit']['descr'] = gettext(
 $priv_list['page-services-loadbalancer-relay-protocol-edit']['match'] = array();
 $priv_list['page-services-loadbalancer-relay-protocol-edit']['match'][] = "load_balancer_relay_protocol_edit.php*";

+$priv_list['page-services-loadbalancer-setting'] = array();
+$priv_list['page-services-loadbalancer-setting']['name'] = gettext("Webcfg - Services: Load Balancer: setting page");
+$priv_list['page-services-loadbalancer-setting']['descr'] = gettext("Allow access to the 'Settings: Load Balancer: Settings' page.");
+$priv_list['page-services-loadbalancer-setting']['match'] = array();
+$priv_list['page-services-loadbalancer-setting']['match'][] = "load_balancer_setting.php*";
+
 $priv_list['page-services-loadbalancer-virtualservers'] = array();
 $priv_list['page-services-loadbalancer-virtualservers']['name'] = gettext("WebCfg - Services: Load Balancer: Virtual Servers page");
 $priv_list['page-services-loadbalancer-virtualservers']['descr'] = gettext("Allow access to the 'Services: Load Balancer: Virtual Servers' page.");
 $priv_list['page-services-loadbalancer-virtualservers']['match'] = array();
 $priv_list['page-services-loadbalancer-virtualservers']['match'][] = "load_balancer_virtual_server.php*";

+$priv_list['page-services-ntpd'] = array();
+$priv_list['page-services-ntpd']['name'] = gettext("Webcfg - Services: NTP");
+$priv_list['page-services-ntpd']['descr'] = gettext("Allow access to the 'Services: NTP' page.");
+$priv_list['page-services-ntpd']['match'] = array();
+$priv_list['page-services-ntpd']['match'][] = "services_ntpd.php*";
+
 $priv_list['page-loadbalancer-virtualserver-edit'] = array();
 $priv_list['page-loadbalancer-virtualserver-edit']['name'] = gettext("WebCfg - Load Balancer: Virtual Server: Edit page");
 $priv_list['page-loadbalancer-virtualserver-edit']['descr'] = gettext("Allow access to the 'Load Balancer: Virtual Server: Edit' page.");
@ -692,18 +746,6 @@ $priv_list['page-services-captiveportal-filemanager']['descr'] = gettext("Allow
 $priv_list['page-services-captiveportal-filemanager']['match'] = array();
 $priv_list['page-services-captiveportal-filemanager']['match'][] = "services_captiveportal_filemanager.php*";

-$priv_list['page-services-captiveportal-allowedhostnames'] = array();
-$priv_list['page-services-captiveportal-allowedhostnames']['name'] = gettext("WebCfg - Services: Captive portal: Allowed IPs page");
-$priv_list['page-services-captiveportal-allowedhostnames']['descr'] = gettext("Allow access to the 'Services: Captive portal: Allowed IPs' page.");
-$priv_list['page-services-captiveportal-allowedhostnames']['match'] = array();
-$priv_list['page-services-captiveportal-allowedhostnames']['match'][] = "services_captiveportal_ip.php*";
-
-$priv_list['page-services-captiveportal-editallowedhostnames'] = array();
-$priv_list['page-services-captiveportal-editallowedhostnames']['name'] = gettext("WebCfg - Services: Captive portal: Edit Allowed IPs page");
-$priv_list['page-services-captiveportal-editallowedhostnames']['descr'] = gettext("Allow access to the 'Services: Captive portal: Edit Allowed IPs' page.");
-$priv_list['page-services-captiveportal-editallowedhostnames']['match'] = array();
-$priv_list['page-services-captiveportal-editallowedhostnames']['match'][] = "services_captiveportal_ip_edit.php*";
-
 $priv_list['page-services-captiveportal-allowedips'] = array();
 $priv_list['page-services-captiveportal-allowedips']['name'] = gettext("WebCfg - Services: Captive portal: Allowed IPs page");
 $priv_list['page-services-captiveportal-allowedips']['descr'] = gettext("Allow access to the 'Services: Captive portal: Allowed IPs' page.");
@ -728,17 +770,23 @@ $priv_list['page-services-captiveportal-editmacaddresses']['descr'] = gettext("A
 $priv_list['page-services-captiveportal-editmacaddresses']['match'] = array();
 $priv_list['page-services-captiveportal-editmacaddresses']['match'][] = "services_captiveportal_mac_edit.php*";

-$priv_list['page-services-captiveportal-macaddresses'] = array();
-$priv_list['page-services-captiveportal-macaddresses']['name'] = gettext("WebCfg - Services: Captive portal: Allowed Hostnames page");
-$priv_list['page-services-captiveportal-macaddresses']['descr'] = gettext("Allow access to the 'Services: Captive portal: Allowed Hostnames' page.");
-$priv_list['page-services-captiveportal-macaddresses']['match'] = array();
-$priv_list['page-services-captiveportal-macaddresses']['match'][] = "services_captiveportal_hostname.php*";
+$priv_list['page-services-captiveportal-allowedhostnames'] = array();
+$priv_list['page-services-captiveportal-allowedhostnames']['name'] = gettext("WebCfg - Services: Captive portal: Allowed Hostnames page");
+$priv_list['page-services-captiveportal-allowedhostnames']['descr'] = gettext("Allow access to the 'Services: Captive portal: Allowed Hostnames' page.");
+$priv_list['page-services-captiveportal-allowedhostnames']['match'] = array();
+$priv_list['page-services-captiveportal-allowedhostnames']['match'][] = "services_captiveportal_hostname.php*";

-$priv_list['page-services-captiveportal-editmacaddresses'] = array();
-$priv_list['page-services-captiveportal-editmacaddresses']['name'] = gettext("WebCfg - Services: Captive portal: Edit Allowed Hostnames page");
-$priv_list['page-services-captiveportal-editmacaddresses']['descr'] = gettext("Allow access to the 'Services: Captive portal: Allowed Hostnames' page.");
-$priv_list['page-services-captiveportal-editmacaddresses']['match'] = array();
-$priv_list['page-services-captiveportal-editmacaddresses']['match'][] = "services_captiveportal_hostname_edit.php*";
+$priv_list['page-services-captiveportal-editallowedhostnames'] = array();
+$priv_list['page-services-captiveportal-editallowedhostnames']['name'] = gettext("WebCfg - Services: Captive portal: Edit Allowed Hostnames page");
+$priv_list['page-services-captiveportal-editallowedhostnames']['descr'] = gettext("Allow access to the 'Services: Captive portal: Allowed Hostnames' page.");
+$priv_list['page-services-captiveportal-editallowedhostnames']['match'] = array();
+$priv_list['page-services-captiveportal-editallowedhostnames']['match'][] = "services_captiveportal_hostname_edit.php*";
+
+$priv_list['page-services-captiveportal-editzones'] = array();
+$priv_list['page-services-captiveportal-editzones']['name'] = gettext("Webcfg - Services: Captive portal: Edit Zones page");
+$priv_list['page-services-captiveportal-editzones']['descr'] = gettext("Allow access to the 'Services: Captive portal: Edit Zones' page.");
+$priv_list['page-services-captiveportal-editzones']['match'] = array();
+$priv_list['page-services-captiveportal-editzones']['match'][] = "services_captiveportal_zones_edit.php*";

 $priv_list['page-services-captiveportal-vouchers'] = array();
 $priv_list['page-services-captiveportal-vouchers']['name'] = gettext("WebCfg - Services: Captive portal Vouchers page");
@ -752,6 +800,12 @@ $priv_list['page-services-captiveportal-voucher-edit']['descr'] = "Allow access
 $priv_list['page-services-captiveportal-voucher-edit']['match'] = array();
 $priv_list['page-services-captiveportal-voucher-edit']['match'][] = "services_captiveportal_vouchers_edit.php*";

+$priv_list['page-services-captiveportal-zones'] = array();
+$priv_list['page-services-captiveportal-zones']['name'] = gettext("WebCfg - Services: Captiveprotal Zones page");
+$priv_list['page-services-captiveportal-zones']['descr'] = gettext("Allow access to the 'Services: CaptivePortal Zones' page.");
+$priv_list['page-services-captiveportal-zones']['match'] = array();
+$priv_list['page-services-captiveportal-zones']['match'][] = "services_captiveportal_zones.php*";
+
 $priv_list['page-services-dhcpserver'] = array();
 $priv_list['page-services-dhcpserver']['name'] = gettext("WebCfg - Services: DHCP server page");
 $priv_list['page-services-dhcpserver']['descr'] = gettext("Allow access to the 'Services: DHCP server' page.");
@ -770,11 +824,23 @@ $priv_list['page-services-dhcprelay']['descr'] = gettext("Allow access to the 'S
 $priv_list['page-services-dhcprelay']['match'] = array();
 $priv_list['page-services-dhcprelay']['match'][] = "services_dhcp_relay.php*";

-$priv_list['page-services-dhcprelay6'] = array();
-$priv_list['page-services-dhcprelay6']['name'] = gettext("WebCfg - Services: DHCPv6 Relay page");
-$priv_list['page-services-dhcprelay6']['descr'] = gettext("Allow access to the 'Services: DHCPv6 Relay' page.");
-$priv_list['page-services-dhcprelay6']['match'] = array();
-$priv_list['page-services-dhcprelay6']['match'][] = "services_dhcpv6_relay.php*";
+$priv_list['page-services-dhcpv6server'] = array();
+$priv_list['page-services-dhcpv6server']['name'] = gettext("Webcfg - Services: DHCPv6 server page");
+$priv_list['page-services-dhcpv6server']['descr'] = gettext("Allow access to the 'Services: DHCPv6 server' page.");
+$priv_list['page-services-dhcpv6server']['match'] = array();
+$priv_list['page-services-dhcpv6server']['match'][] = "services_dhcpv6.php*";
+
+$priv_list['page-services-dhcpserverv6-editstaticmapping'] = array();
+$priv_list['page-services-dhcpserverv6-editstaticmapping']['name'] = gettext("Webcfg - Services: DHCPv6 Server : Edit static mapping page");
+$priv_list['page-services-dhcpserverv6-editstaticmapping']['descr'] = gettext("Allow access to the 'Services: DHCPv6 Server : Edit static mapping' page.");
+$priv_list['page-services-dhcpserverv6-editstaticmapping']['match'] = array();
+$priv_list['page-services-dhcpserverv6-editstaticmapping']['match'][] = "services_dhcpv6_edit.php*";
+
+$priv_list['page-services-dhcpv6relay'] = array();
+$priv_list['page-services-dhcpv6relay']['name'] = gettext("Webcfg - Services: DHCPv6 Relay page");
+$priv_list['page-services-dhcpv6relay']['descr'] = gettext("Allow access to the 'Services: DHCPv6 Relay' page.");
+$priv_list['page-services-dhcpv6relay']['match'] = array();
+$priv_list['page-services-dhcpv6relay']['match'][] = "services_dhcpv6_relay.php*";

 $priv_list['page-services-dnsforwarder'] = array();
 $priv_list['page-services-dnsforwarder']['name'] = gettext("WebCfg - Services: DNS Forwarder page");
@ -812,11 +878,11 @@ $priv_list['page-services-igmpproxy']['descr'] = gettext("Allow access to the 'S
 $priv_list['page-services-igmpproxy']['match'] = array();
 $priv_list['page-services-igmpproxy']['match'][] = "services_igmpproxy.php*";

-$priv_list['page-services-igmpproxy'] = array();
-$priv_list['page-services-igmpproxy']['name'] = gettext("WebCfg - Firewall: Igmpproxy: Edit page");
-$priv_list['page-services-igmpproxy']['descr'] = gettext("Allow access to the 'Firewall: Igmpproxy' page.");
-$priv_list['page-services-igmpproxy']['match'] = array();
-$priv_list['page-services-igmpproxy']['match'][] = "services_igmpproxy_edit.php*";
+$priv_list['page-services-igmpproxy-edit'] = array();
+$priv_list['page-services-igmpproxy-edit']['name'] = gettext("Firewall: Igmpproxy: Edit page");
+$priv_list['page-services-igmpproxy-edit']['descr'] = gettext("Allow access to the 'Services: Igmpproxy: Edit' page.");
+$priv_list['page-services-igmpproxy-edit']['match'] = array();
+$priv_list['page-services-igmpproxy-edit']['match'][] = "services_igmpproxy_edit.php*";

 $priv_list['page-services-rfc2136clients'] = array();
 $priv_list['page-services-rfc2136clients']['name'] = gettext("WebCfg - Services: RFC 2136 clients page");
@ -824,6 +890,12 @@ $priv_list['page-services-rfc2136clients']['descr'] = gettext("Allow access to t
 $priv_list['page-services-rfc2136clients']['match'] = array();
 $priv_list['page-services-rfc2136clients']['match'][] = "services_rfc2136.php*";

+$priv_list['page-services-router-advertisements'] = array();
+$priv_list['page-services-router-advertisements']['name'] = gettext("Webcfg - Services: Router advertisementspage");
+$priv_list['page-services-router-advertisements']['descr'] = gettext("Allow access to the 'Services: Router Advertisements' page.");
+$priv_list['page-services-router-advertisements']['match'] = array();
+$priv_list['page-services-router-advertisements']['match'][] = "services_router_advertisements.php*";
+
 $priv_list['page-services-snmp'] = array();
 $priv_list['page-services-snmp']['name'] = gettext("WebCfg - Services: SNMP page");
 $priv_list['page-services-snmp']['descr'] = gettext("Allow access to the 'Services: SNMP' page.");
@ -860,6 +932,12 @@ $priv_list['page-status-captiveportal']['descr'] = gettext("Allow access to the
 $priv_list['page-status-captiveportal']['match'] = array();
 $priv_list['page-status-captiveportal']['match'][] = "status_captiveportal.php*";

+$priv_list['page-status-captiveportal-expire'] = array();
+$priv_list['page-status-captiveportal-expire']['name'] = gettext("Webcfg - Status: Captive portal Expire Vouchers page");
+$priv_list['page-status-captiveportal-expire']['descr'] = gettext("Allow access to the 'Status: Captive portal Expire Vouchers' page.");
+$priv_list['page-status-captiveportal-expire']['match'] = array();
+$priv_list['page-status-captiveportal-expire']['match'][] = "status_captiveportal_expire.php*";
+
 $priv_list['page-status-captiveportal-test'] = array();
 $priv_list['page-status-captiveportal-test']['name'] = gettext("WebCfg - Status: Captive portal test Vouchers page");
 $priv_list['page-status-captiveportal-test']['descr'] = gettext("Allow access to the 'Status: Captive portal Test Vouchers' page.");
@ -884,6 +962,12 @@ $priv_list['page-status-dhcpleases']['descr'] = gettext("Allow access to the 'St
 $priv_list['page-status-dhcpleases']['match'] = array();
 $priv_list['page-status-dhcpleases']['match'][] = "status_dhcp_leases.php*";

+$priv_list['page-status-dhcpv6leases'] = array();
+$priv_list['page-status-dhcpv6leases']['name'] = gettext("Webcfg - Status: DHCPv6 leases page");
+$priv_list['page-status-dhcpv6leases']['descr'] = gettext("Allow access to the 'Status: DHCPv6 leases' page.");
+$priv_list['page-status-dhcpv6leases']['match'] = array();
+$priv_list['page-status-dhcpv6leases']['match'][] = "status_dhcpv6_leases.php*";
+
 $priv_list['page-status-filterreloadstatus'] = array();
 $priv_list['page-status-filterreloadstatus']['name'] = gettext("WebCfg - Status: Filter Reload Status page");
 $priv_list['page-status-filterreloadstatus']['descr'] = gettext("Allow access to the 'Status: Filter Reload Status' page.");
@ -908,6 +992,8 @@ $priv_list['page-status-trafficgraph']['descr'] = gettext("Allow access to the '
 $priv_list['page-status-trafficgraph']['match'] = array();
 $priv_list['page-status-trafficgraph']['match'][] = "status_graph.php*";
 $priv_list['page-status-trafficgraph']['match'][] = "bandwidth_by_ip.php*";
+$priv_list['page-status-trafficgraph']['match'][] = "graph.php*";
+$priv_list['page-status-trafficgraph']['match'][] = "ifstats.php*";

 $priv_list['page-status-cpuload'] = array();
 $priv_list['page-status-cpuload']['name'] = gettext("WebCfg - Status: CPU load page");
@ -992,31 +1078,31 @@ $priv_list['page-system-advanced-firewall'] = array();
 $priv_list['page-system-advanced-firewall']['name'] = gettext("WebCfg - System: Advanced: Firewall and NAT page");
 $priv_list['page-system-advanced-firewall']['descr'] = gettext("Allow access to the 'System: Advanced: Firewall and NAT' page.");
 $priv_list['page-system-advanced-firewall']['match'] = array();
-$priv_list['page-system-advanced-firewall']['match'][] = "system_advanced.php*";
+$priv_list['page-system-advanced-firewall']['match'][] = "system_advanced_firewall.php*";

 $priv_list['page-system-advanced-misc'] = array();
 $priv_list['page-system-advanced-misc']['name'] = gettext("WebCfg - System: Advanced: Miscellaneous page");
 $priv_list['page-system-advanced-misc']['descr'] = gettext("Allow access to the 'System: Advanced: Miscellaneous' page.");
 $priv_list['page-system-advanced-misc']['match'] = array();
-$priv_list['page-system-advanced-misc']['match'][] = "system_advanced.php*";
+$priv_list['page-system-advanced-misc']['match'][] = "system_advanced_misc.php*";

 $priv_list['page-system-advanced-network'] = array();
 $priv_list['page-system-advanced-network']['name'] = gettext("WebCfg - System: Advanced: Network page");
 $priv_list['page-system-advanced-network']['descr'] = gettext("Allow access to the 'System: Advanced: Networking' page.");
 $priv_list['page-system-advanced-network']['match'] = array();
-$priv_list['page-system-advanced-network']['match'][] = "system_advanced-network.php*";
+$priv_list['page-system-advanced-network']['match'][] = "system_advanced_network.php*";

 $priv_list['page-system-advanced-notifications'] = array();
-$priv_list['page-system-advanced-notifications']['name'] = gettext("WebCfg - System: Advanced: Tunables page");
-$priv_list['page-system-advanced-notifications']['descr'] = gettext("Allow access to the 'System: Advanced: Tunables' page.");
+$priv_list['page-system-advanced-notifications']['name'] = gettext("WebCfg - System: Advanced: Notifications page");
+$priv_list['page-system-advanced-notifications']['descr'] = gettext("Allow access to the 'System: Advanced: Notifications' page.");
 $priv_list['page-system-advanced-notifications']['match'] = array();
-$priv_list['page-system-advanced-notifications']['match'][] = "system_advanced-sysctrl.php*";
+$priv_list['page-system-advanced-notifications']['match'][] = "system_advanced_notifications.php*";

 $priv_list['page-system-advanced-sysctl'] = array();
 $priv_list['page-system-advanced-sysctl']['name'] = gettext("WebCfg - System: Advanced: Tunables page");
 $priv_list['page-system-advanced-sysctl']['descr'] = gettext("Allow access to the 'System: Advanced: Tunables' page.");
 $priv_list['page-system-advanced-sysctl']['match'] = array();
-$priv_list['page-system-advanced-sysctl']['match'][] = "system_advanced-sysctl.php*";
+$priv_list['page-system-advanced-sysctl']['match'][] = "system_advanced_sysctl.php*";

 $priv_list['page-system-authservers'] = array();
 $priv_list['page-system-authservers']['name'] = gettext("WebCfg - System: Authentication Servers");
@ -1102,8 +1188,14 @@ $priv_list['page-system-groupmanager-addprivs']['descr'] = gettext("Allow access
 $priv_list['page-system-groupmanager-addprivs']['match'] = array();
 $priv_list['page-system-groupmanager-addprivs']['match'][] = "system_groupmanager_addprivs.php*";

+$priv_list['page-system-hasync'] = array();
+$priv_list['page-system-hasync']['name'] = gettext("Webcfg - System: High Availability Sync");
+$priv_list['page-system-hasync']['descr'] = gettext("Allow access to the 'System: High Availability Sync' page.");
+$priv_list['page-system-hasync']['match'] = array();
+$priv_list['page-system-hasync']['match'][] = "system_hasync.php*";
+
 $priv_list['page-system-staticroutes'] = array();
-$priv_list['page-system-staticroutes']['name'] =gettext("WebCfg - System: Static Routes page"); 
+$priv_list['page-system-staticroutes']['name'] = gettext("WebCfg - System: Static Routes page");
 $priv_list['page-system-staticroutes']['descr'] = gettext("Allow access to the 'System: Static Routes' page.");
 $priv_list['page-system-staticroutes']['match'] = array();
 $priv_list['page-system-staticroutes']['match'][] = "system_routes.php*";
@ -1234,11 +1326,11 @@ $priv_list['page-services-pppoeserver']['descr'] = gettext("Allow access to the
 $priv_list['page-services-pppoeserver']['match'] = array();
 $priv_list['page-services-pppoeserver']['match'][] = "vpn_pppoe.php*";

-$priv_list['page-services-pppoeserver-eidt'] = array();
-$priv_list['page-services-pppoeserver-eidt']['name'] = gettext("WebCfg - Services: PPPoE Server: Edit page");
-$priv_list['page-services-pppoeserver-eidt']['descr'] = gettext("Allow access to the 'Services: PPPoE Server: Edit' page.");
-$priv_list['page-services-pppoeserver-eidt']['match'] = array();
-$priv_list['page-services-pppoeserver-eidt']['match'][] = "vpn_pppoe_edit.php*";
+$priv_list['page-services-pppoeserver-edit'] = array();
+$priv_list['page-services-pppoeserver-edit']['name'] = gettext("WebCfg - Services: PPPoE Server: Edit page");
+$priv_list['page-services-pppoeserver-edit']['descr'] = gettext("Allow access to the 'Services: PPPoE Server: Edit' page.");
+$priv_list['page-services-pppoeserver-edit']['match'] = array();
+$priv_list['page-services-pppoeserver-edit']['match'][] = "vpn_pppoe_edit.php*";

 $priv_list['page-vpn-vpnpptp'] = array();
 $priv_list['page-vpn-vpnpptp']['name'] = gettext("WebCfg - VPN: VPN PPTP page");
@ -1270,6 +1362,11 @@ $priv_list['page-xmlrpclibrary']['descr'] = gettext("Allow access to the 'XMLRPC
 $priv_list['page-xmlrpclibrary']['match'] = array();
 $priv_list['page-xmlrpclibrary']['match'][] = "xmlrpc.php*";

+$priv_list['page-firewall-easyrule'] = array();
+$priv_list['page-firewall-easyrule']['name'] = gettext("WebCfg - Firewall: Easy Rule add/status page");
+$priv_list['page-firewall-easyrule']['descr'] = gettext("Allow access to the 'Firewall: Easy Rule' add/status page.");
+$priv_list['page-firewall-easyrule']['match'] = array();
+$priv_list['page-firewall-easyrule']['match'][] = "easyrule.php*";

 $priv_rmvd = array();

--- a/etc/inc/radius.inc
+++ b/etc/inc/radius.inc
@ -644,6 +644,16 @@ class Auth_RADIUS extends PEAR {
                    }
                }

+		elseif ($vendor == 9) { /* RADIUS_VENDOR_CISCO */
+			switch ($attrv) {
+			case 1: /* Cisco-AVPair */
+				if (!is_array($this->attributes['ciscoavpair']))
+					$this->attributes['ciscoavpair'] = array();
+				$this->attributes['ciscoavpair'][] = radius_cvt_string($datav);
+				break;
+			}
+		}
+
                elseif ($vendor == 8744) { /* Colubris / HP MSM wireless */
                    //documented at http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c02704528/c02704528.pdf pg 15-67
                    if ($attrv == 0) { /* Colubris AV-Pair */
@ -676,7 +686,7 @@ class Auth_RADIUS extends PEAR {
                break;

            case 85: /* Acct-Interim-Interval: RFC 2869 */
-                $this->attributes['interim_interval'] = radius_cvt_int($datav[1]);
+                $this->attributes['interim_interval'] = radius_cvt_int($data);
                break;
            }
        }
--- a/etc/inc/rrd.inc
+++ b/etc/inc/rrd.inc
@ -36,10 +36,9 @@

 function dump_rrd_to_xml($rrddatabase, $xmldumpfile) {
 	$rrdtool = "/usr/bin/nice -n20 /usr/local/bin/rrdtool";
-	if(file_exists($xmldumpfile))
-		mwexec("rm {$xmldumpfile}");
+	unlink_if_exists($xmldumpfile);

-	exec("$rrdtool dump {$rrddatabase} {$xmldumpfile} 2>&1", $dumpout, $dumpret);
+	exec("$rrdtool dump " . escapeshellarg($rrddatabase) . " {$xmldumpfile} 2>&1", $dumpout, $dumpret);
 	if ($dumpret <> 0) {
 		$dumpout = implode(" ", $dumpout);
 		log_error(sprintf(gettext('RRD dump failed exited with %1$s, the error is: %2$s'), $dumpret, $dumpout));
@ -48,7 +47,7 @@ function dump_rrd_to_xml($rrddatabase, $xmldumpfile) {
 }

 function restore_rrd() {
-	global $g;
+	global $g, $config;

 	$rrddbpath = "/var/db/rrd/";
 	$rrdtool = "/usr/bin/nice -n20 /usr/local/bin/rrdtool";
@ -216,6 +215,7 @@ function enable_rrd_graphing() {
 	$spamd = "-spamd.rrd";
 	$proc = "-processor.rrd";
 	$mem = "-memory.rrd";
+	$mbuf = "-mbuf.rrd";
 	$cellular = "-cellular.rrd";
 	$vpnusers = "-vpnusers.rrd";
 	$captiveportalconcurrent = "-concurrent.rrd";
@ -243,6 +243,7 @@ function enable_rrd_graphing() {
 	$rrdlbpoolinterval = 60;
 	$rrdprocinterval = 60;
 	$rrdmeminterval = 60;
+	$rrdmbufinterval = 60;
 	$rrdcellularinterval = 60;
 	$rrdvpninterval = 60;
 	$rrdcaptiveportalinterval = 60;
@ -257,13 +258,14 @@ function enable_rrd_graphing() {
 	$lbpoolvalid = $rrdlbpoolinterval * 2;
 	$procvalid = $rrdlbpoolinterval * 2;
 	$memvalid = $rrdmeminterval * 2;
+	$mbufvalid = $rrdmbufinterval * 2;
 	$cellularvalid = $rrdcellularinterval * 2;
 	$vpnvalid = $rrdvpninterval * 2;
 	$captiveportalvalid = $rrdcaptiveportalinterval * 2;

-	/* Asume GigE for now */
-	$downstream = 125000000;
-	$upstream = 125000000;
+	/* Assume 2*10GigE for now */
+	$downstream = 2500000000;
+	$upstream = 2500000000;

 	/* read the shaper config */
 	read_altq_config();
@ -322,10 +324,10 @@ function enable_rrd_graphing() {
 				$rrdcreate .= "DS:outpass6:COUNTER:$trafficvalid:0:$upstream ";
 				$rrdcreate .= "DS:inblock6:COUNTER:$trafficvalid:0:$downstream ";
 				$rrdcreate .= "DS:outblock6:COUNTER:$trafficvalid:0:$upstream ";
-				$rrdcreate .= "RRA:AVERAGE:0.5:1:1000 ";
-				$rrdcreate .= "RRA:AVERAGE:0.5:5:1000 ";
-				$rrdcreate .= "RRA:AVERAGE:0.5:60:1000 ";
-				$rrdcreate .= "RRA:AVERAGE:0.5:720:3000 ";
+				$rrdcreate .= "RRA:AVERAGE:0.5:1:1200 ";
+				$rrdcreate .= "RRA:AVERAGE:0.5:5:720 ";
+				$rrdcreate .= "RRA:AVERAGE:0.5:60:1860 ";
+				$rrdcreate .= "RRA:AVERAGE:0.5:1440:2284 ";

 				create_new_rrd($rrdcreate);
 				unset($rrdcreate);
@ -355,10 +357,10 @@ function enable_rrd_graphing() {
 				$rrdcreate .= "DS:outpass6:COUNTER:$packetsvalid:0:$upstream ";
 				$rrdcreate .= "DS:inblock6:COUNTER:$packetsvalid:0:$downstream ";
 				$rrdcreate .= "DS:outblock6:COUNTER:$packetsvalid:0:$upstream ";
-				$rrdcreate .= "RRA:AVERAGE:0.5:1:1000 ";
-				$rrdcreate .= "RRA:AVERAGE:0.5:5:1000 ";
-				$rrdcreate .= "RRA:AVERAGE:0.5:60:1000 ";
-				$rrdcreate .= "RRA:AVERAGE:0.5:720:3000 ";
+				$rrdcreate .= "RRA:AVERAGE:0.5:1:1200 ";
+				$rrdcreate .= "RRA:AVERAGE:0.5:5:720 ";
+				$rrdcreate .= "RRA:AVERAGE:0.5:60:1860 ";
+				$rrdcreate .= "RRA:AVERAGE:0.5:1440:2284 ";

 				create_new_rrd($rrdcreate);
 				unset($rrdcreate);
@ -384,10 +386,10 @@ function enable_rrd_graphing() {
 					$rrdcreate .= "DS:snr:GAUGE:$wirelessvalid:0:1000 ";
 					$rrdcreate .= "DS:rate:GAUGE:$wirelessvalid:0:1000 ";
 					$rrdcreate .= "DS:channel:GAUGE:$wirelessvalid:0:1000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:1:1000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:5:1000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:60:1000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:720:3000 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:1:1200 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:5:720 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:60:1860 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:1440:2284 ";

 					create_new_rrd($rrdcreate);
 					unset($rrdcreate);
@ -409,10 +411,10 @@ function enable_rrd_graphing() {
 				if (!file_exists("$rrddbpath$ifname$vpnusers")) {
 					$rrdcreate = "$rrdtool create $rrddbpath$ifname$vpnusers --step $rrdvpninterval ";
 					$rrdcreate .= "DS:users:GAUGE:$vpnvalid:0:10000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:1:1000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:5:1000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:60:1000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:720:3000 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:1:1200 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:5:720 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:60:1860 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:1440:2284 ";

 					create_new_rrd($rrdcreate);
 					unset($rrdcreate);
@ -475,10 +477,10 @@ function enable_rrd_graphing() {
 						$rrdcreate .= "DS:$qname:COUNTER:$queuesvalid:0:$qbandwidth ";
 					}

-					$rrdcreate .= "RRA:AVERAGE:0.5:1:1000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:5:1000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:60:1000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:720:3000 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:1:1200 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:5:720 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:60:1860 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:1440:2284 ";

 					create_new_rrd($rrdcreate);
 					unset($rrdcreate);
@ -492,10 +494,10 @@ function enable_rrd_graphing() {
 						$rrdcreate .= "DS:$qname:COUNTER:$queuesdropvalid:0:$qbandwidth ";
 					}

-					$rrdcreate .= "RRA:AVERAGE:0.5:1:1000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:5:1000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:60:1000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:720:3000 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:1:1200 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:5:720 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:60:1860 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:1440:2284 ";

 					create_new_rrd($rrdcreate);
 					unset($rrdcreate);
@ -560,10 +562,10 @@ function enable_rrd_graphing() {
 					$rrdcreate .= "DS:rssi:GAUGE:$cellularvalid:0:100 ";
 					$rrdcreate .= "DS:upstream:GAUGE:$cellularvalid:0:100000000 ";
 					$rrdcreate .= "DS:downstream:GAUGE:$cellularvalid:0:100000000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:1:1000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:5:1000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:60:1000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:720:3000 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:1:1200 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:5:720 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:60:1860 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:1440:2284 ";
 					create_new_rrd($rrdcreate);
 					unset($rrdcreate);
 				}
@ -593,10 +595,10 @@ function enable_rrd_graphing() {
 			$rrdcreate .= "DS:pfnat:GAUGE:$statesvalid:0:10000000 ";
 			$rrdcreate .= "DS:srcip:GAUGE:$statesvalid:0:10000000 ";
 			$rrdcreate .= "DS:dstip:GAUGE:$statesvalid:0:10000000 ";
-			$rrdcreate .= "RRA:AVERAGE:0.5:1:1000 ";
-			$rrdcreate .= "RRA:AVERAGE:0.5:5:1000 ";
-			$rrdcreate .= "RRA:AVERAGE:0.5:60:1000 ";
-			$rrdcreate .= "RRA:AVERAGE:0.5:720:3000 ";
+			$rrdcreate .= "RRA:AVERAGE:0.5:1:1200 ";
+			$rrdcreate .= "RRA:AVERAGE:0.5:5:720 ";
+			$rrdcreate .= "RRA:AVERAGE:0.5:60:1860 ";
+			$rrdcreate .= "RRA:AVERAGE:0.5:1440:2284 ";

 			create_new_rrd($rrdcreate);
 			unset($rrdcreate);
@ -628,10 +630,10 @@ function enable_rrd_graphing() {
 			$rrdcreate .= "DS:system:GAUGE:$procvalid:0:10000000 ";
 			$rrdcreate .= "DS:interrupt:GAUGE:$procvalid:0:10000000 ";
 			$rrdcreate .= "DS:processes:GAUGE:$procvalid:0:10000000 ";
-			$rrdcreate .= "RRA:AVERAGE:0.5:1:1000 ";
-			$rrdcreate .= "RRA:AVERAGE:0.5:5:1000 ";
-			$rrdcreate .= "RRA:AVERAGE:0.5:60:1000 ";
-			$rrdcreate .= "RRA:AVERAGE:0.5:720:3000 ";
+			$rrdcreate .= "RRA:AVERAGE:0.5:1:1200 ";
+			$rrdcreate .= "RRA:AVERAGE:0.5:5:720 ";
+			$rrdcreate .= "RRA:AVERAGE:0.5:60:1860 ";
+			$rrdcreate .= "RRA:AVERAGE:0.5:1440:2284 ";

 			create_new_rrd($rrdcreate);
 			unset($rrdcreate);
@ -658,18 +660,18 @@ function enable_rrd_graphing() {
 			$rrdcreate .= "DS:free:GAUGE:$memvalid:0:10000000 ";
 			$rrdcreate .= "DS:cache:GAUGE:$memvalid:0:10000000 ";
 			$rrdcreate .= "DS:wire:GAUGE:$memvalid:0:10000000 ";
-			$rrdcreate .= "RRA:MIN:0.5:1:1000 ";
-			$rrdcreate .= "RRA:MIN:0.5:5:1000 ";
-			$rrdcreate .= "RRA:MIN:0.5:60:1000 ";
-			$rrdcreate .= "RRA:MIN:0.5:720:3000 ";
-			$rrdcreate .= "RRA:AVERAGE:0.5:1:1000 ";
-			$rrdcreate .= "RRA:AVERAGE:0.5:5:1000 ";
-			$rrdcreate .= "RRA:AVERAGE:0.5:60:1000 ";
-			$rrdcreate .= "RRA:AVERAGE:0.5:720:3000 ";
-			$rrdcreate .= "RRA:MAX:0.5:1:1000 ";
-			$rrdcreate .= "RRA:MAX:0.5:5:1000 ";
-			$rrdcreate .= "RRA:MAX:0.5:60:1000 ";
-			$rrdcreate .= "RRA:MAX:0.5:720:3000";
+			$rrdcreate .= "RRA:MIN:0.5:1:1200 ";
+			$rrdcreate .= "RRA:MIN:0.5:5:720 ";
+			$rrdcreate .= "RRA:MIN:0.5:60:1860 ";
+			$rrdcreate .= "RRA:MIN:0.5:1440:2284 ";
+			$rrdcreate .= "RRA:AVERAGE:0.5:1:1200 ";
+			$rrdcreate .= "RRA:AVERAGE:0.5:5:720 ";
+			$rrdcreate .= "RRA:AVERAGE:0.5:60:1860 ";
+			$rrdcreate .= "RRA:AVERAGE:0.5:1440:2284 ";
+			$rrdcreate .= "RRA:MAX:0.5:1:1200 ";
+			$rrdcreate .= "RRA:MAX:0.5:5:720 ";
+			$rrdcreate .= "RRA:MAX:0.5:60:1860 ";
+			$rrdcreate .= "RRA:MAX:0.5:1440:2284";

 			create_new_rrd($rrdcreate);
 			unset($rrdcreate);
@ -688,6 +690,42 @@ function enable_rrd_graphing() {

 		/* End Memory statistics */

+		/* mbuf, create mbuf statistics database */
+		if(! file_exists("$rrddbpath$ifname$mbuf")) {
+			$rrdcreate = "$rrdtool create $rrddbpath$ifname$mbuf --step $rrdmbufinterval ";
+			$rrdcreate .= "DS:current:GAUGE:$mbufvalid:0:10000000 ";
+			$rrdcreate .= "DS:cache:GAUGE:$mbufvalid:0:10000000 ";
+			$rrdcreate .= "DS:total:GAUGE:$mbufvalid:0:10000000 ";
+			$rrdcreate .= "DS:max:GAUGE:$mbufvalid:0:10000000 ";
+			$rrdcreate .= "RRA:MIN:0.5:1:1200 ";
+			$rrdcreate .= "RRA:MIN:0.5:5:720 ";
+			$rrdcreate .= "RRA:MIN:0.5:60:1860 ";
+			$rrdcreate .= "RRA:MIN:0.5:1440:2284 ";
+			$rrdcreate .= "RRA:AVERAGE:0.5:1:1200 ";
+			$rrdcreate .= "RRA:AVERAGE:0.5:5:720 ";
+			$rrdcreate .= "RRA:AVERAGE:0.5:60:1860 ";
+			$rrdcreate .= "RRA:AVERAGE:0.5:1440:2284 ";
+			$rrdcreate .= "RRA:MAX:0.5:1:1200 ";
+			$rrdcreate .= "RRA:MAX:0.5:5:720 ";
+			$rrdcreate .= "RRA:MAX:0.5:60:1860 ";
+			$rrdcreate .= "RRA:MAX:0.5:1440:2284";
+
+			create_new_rrd($rrdcreate);
+			unset($rrdcreate);
+		}
+
+		/* enter UNKNOWN values in the RRD so it knows we rebooted. */
+		if($g['booting']) {
+			mwexec("$rrdtool update $rrddbpath$ifname$mbuf N:U:U:U:U");
+		}
+
+		/* the mbuf stats gathering function. */
+		$rrdupdatesh .= "MBUF=`$netstat -m | ";
+		$rrdupdatesh .= " $awk '/mbuf clusters in use/ { gsub(/\//, \":\", $1); print $1; }'`\n";
+		$rrdupdatesh .= "$rrdtool update $rrddbpath$ifname$mbuf N:\${MBUF}\n";
+
+		/* End mbuf statistics */
+
 		/* SPAMD, set up the spamd rrd file */
 		if (isset($config['installedpackages']['spamdsettings']) &&
 			 $config['installedpackages']['spamdsettings']['config'][0]['enablerrd']) {
@ -696,18 +734,18 @@ function enable_rrd_graphing() {
 				$rrdcreate = "$rrdtool create $rrddbpath$ifname$spamd --step $rrdspamdinterval ";
 				$rrdcreate .= "DS:conn:GAUGE:$spamdvalid:0:10000 ";
 				$rrdcreate .= "DS:time:GAUGE:$spamdvalid:0:86400 ";
-				$rrdcreate .= "RRA:MIN:0.5:1:1000 ";
-				$rrdcreate .= "RRA:MIN:0.5:5:1000 ";
-				$rrdcreate .= "RRA:MIN:0.5:60:1000 ";
-				$rrdcreate .= "RRA:MIN:0.5:720:3000 ";
-				$rrdcreate .= "RRA:AVERAGE:0.5:1:1000 ";
-				$rrdcreate .= "RRA:AVERAGE:0.5:5:1000 ";
-				$rrdcreate .= "RRA:AVERAGE:0.5:60:1000 ";
-				$rrdcreate .= "RRA:AVERAGE:0.5:720:3000 ";
-				$rrdcreate .= "RRA:MAX:0.5:1:1000 ";
-				$rrdcreate .= "RRA:MAX:0.5:5:1000 ";
-				$rrdcreate .= "RRA:MAX:0.5:60:1000 ";
-				$rrdcreate .= "RRA:MAX:0.5:720:3000 ";
+				$rrdcreate .= "RRA:MIN:0.5:1:1200 ";
+				$rrdcreate .= "RRA:MIN:0.5:5:720 ";
+				$rrdcreate .= "RRA:MIN:0.5:60:1860 ";
+				$rrdcreate .= "RRA:MIN:0.5:1440:2284 ";
+				$rrdcreate .= "RRA:AVERAGE:0.5:1:1200 ";
+				$rrdcreate .= "RRA:AVERAGE:0.5:5:720 ";
+				$rrdcreate .= "RRA:AVERAGE:0.5:60:1860 ";
+				$rrdcreate .= "RRA:AVERAGE:0.5:1440:2284 ";
+				$rrdcreate .= "RRA:MAX:0.5:1:1200 ";
+				$rrdcreate .= "RRA:MAX:0.5:5:720 ";
+				$rrdcreate .= "RRA:MAX:0.5:60:1860 ";
+				$rrdcreate .= "RRA:MAX:0.5:1440:2284 ";

 				create_new_rrd($rrdcreate);
 				unset($rrdcreate);
@ -732,22 +770,22 @@ function enable_rrd_graphing() {
 				if (!file_exists("$concurrent_filename")) {
 					$rrdcreate = "$rrdtool create $concurrent_filename --step $rrdcaptiveportalinterval ";
 					$rrdcreate .= "DS:concurrentusers:GAUGE:$captiveportalvalid:0:10000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:1:1000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:5:1000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:60:1000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:720:3000 ";
-					$rrdcreate .= "RRA:MIN:0.5:1:1000 ";
-					$rrdcreate .= "RRA:MIN:0.5:5:1000 ";
-					$rrdcreate .= "RRA:MIN:0.5:60:1000 ";
-					$rrdcreate .= "RRA:MIN:0.5:720:3000 ";
-					$rrdcreate .= "RRA:MAX:0.5:1:1000 ";
-					$rrdcreate .= "RRA:MAX:0.5:5:1000 ";
-					$rrdcreate .= "RRA:MAX:0.5:60:1000 ";
-					$rrdcreate .= "RRA:MAX:0.5:720:3000 ";
-					$rrdcreate .= "RRA:LAST:0.5:1:1000 ";
-					$rrdcreate .= "RRA:LAST:0.5:5:1000 ";
-					$rrdcreate .= "RRA:LAST:0.5:60:1000 ";
-					$rrdcreate .= "RRA:LAST:0.5:720:3000 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:1:1200 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:5:720 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:60:1860 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:1440:2284 ";
+					$rrdcreate .= "RRA:MIN:0.5:1:1200 ";
+					$rrdcreate .= "RRA:MIN:0.5:5:720 ";
+					$rrdcreate .= "RRA:MIN:0.5:60:1860 ";
+					$rrdcreate .= "RRA:MIN:0.5:1440:2284 ";
+					$rrdcreate .= "RRA:MAX:0.5:1:1200 ";
+					$rrdcreate .= "RRA:MAX:0.5:5:720 ";
+					$rrdcreate .= "RRA:MAX:0.5:60:1860 ";
+					$rrdcreate .= "RRA:MAX:0.5:1440:2284 ";
+					$rrdcreate .= "RRA:LAST:0.5:1:1200 ";
+					$rrdcreate .= "RRA:LAST:0.5:5:720 ";
+					$rrdcreate .= "RRA:LAST:0.5:60:1860 ";
+					$rrdcreate .= "RRA:LAST:0.5:1440:2284 ";

 					create_new_rrd($rrdcreate);
 					unset($rrdcreate);
@ -761,29 +799,29 @@ function enable_rrd_graphing() {
 				/* the Captive Portal stats gathering function. */
 				$rrdupdatesh .= "\n";
 				$rrdupdatesh .= "# polling Captive Portal for number of concurrent users\n";
-				$rrdupdatesh .= "CP=`$php -q $captiveportal_gather '$cpkey' $concurrent`\n";
+				$rrdupdatesh .= "CP=`${php} -q ${captiveportal_gather} '${cpkey}' 'concurrent'`\n";
 				$rrdupdatesh .= "$rrdtool update $concurrent_filename \${CP}\n";

 				$loggedin_filename = $rrddbpath . $ifname . '-' . $cpkey . $captiveportalloggedin;
 				if (!file_exists("$loggedin_filename")) {
 					$rrdcreate = "$rrdtool create $loggedin_filename --step $rrdcaptiveportalinterval ";
 					$rrdcreate .= "DS:loggedinusers:GAUGE:$captiveportalvalid:0:10000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:1:1000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:5:1000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:60:1000 ";
-					$rrdcreate .= "RRA:AVERAGE:0.5:720:3000 ";
-					$rrdcreate .= "RRA:MIN:0.5:1:1000 ";
-					$rrdcreate .= "RRA:MIN:0.5:5:1000 ";
-					$rrdcreate .= "RRA:MIN:0.5:60:1000 ";
-					$rrdcreate .= "RRA:MIN:0.5:720:3000 ";
-					$rrdcreate .= "RRA:MAX:0.5:1:1000 ";
-					$rrdcreate .= "RRA:MAX:0.5:5:1000 ";
-					$rrdcreate .= "RRA:MAX:0.5:60:1000 ";
-					$rrdcreate .= "RRA:MAX:0.5:720:3000 ";
-					$rrdcreate .= "RRA:LAST:0.5:1:1000 ";
-					$rrdcreate .= "RRA:LAST:0.5:5:1000 ";
-					$rrdcreate .= "RRA:LAST:0.5:60:1000 ";
-					$rrdcreate .= "RRA:LAST:0.5:720:3000 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:1:1200 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:5:720 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:60:1860 ";
+					$rrdcreate .= "RRA:AVERAGE:0.5:1440:2284 ";
+					$rrdcreate .= "RRA:MIN:0.5:1:1200 ";
+					$rrdcreate .= "RRA:MIN:0.5:5:720 ";
+					$rrdcreate .= "RRA:MIN:0.5:60:1860 ";
+					$rrdcreate .= "RRA:MIN:0.5:1440:2284 ";
+					$rrdcreate .= "RRA:MAX:0.5:1:1200 ";
+					$rrdcreate .= "RRA:MAX:0.5:5:720 ";
+					$rrdcreate .= "RRA:MAX:0.5:60:1860 ";
+					$rrdcreate .= "RRA:MAX:0.5:1440:2284 ";
+					$rrdcreate .= "RRA:LAST:0.5:1:1200 ";
+					$rrdcreate .= "RRA:LAST:0.5:5:720 ";
+					$rrdcreate .= "RRA:LAST:0.5:60:1860 ";
+					$rrdcreate .= "RRA:LAST:0.5:1440:2284 ";

 					create_new_rrd($rrdcreate);
 					unset($rrdcreate);
@ -797,7 +835,7 @@ function enable_rrd_graphing() {
 				/* the Captive Portal stats gathering function. */
 				$rrdupdatesh .= "\n";
 				$rrdupdatesh .= "# polling Captive Portal for number of logged in users\n";
-				$rrdupdatesh .= "CP=`$php -q $captiveportal_gather $cpkey loggedin`\n";
+				$rrdupdatesh .= "CP=`${php} -q ${captiveportal_gather} '${cpkey}' 'loggedin'`\n";
 				$rrdupdatesh .= "$rrdtool update $loggedin_filename \${CP}\n";

 			}
--- a/etc/inc/service-utils.inc
+++ b/etc/inc/service-utils.inc
@ -43,6 +43,7 @@ require_once("openvpn.inc");
 require_once("ipsec.inc");
 require_once("vpn.inc");
 require_once("vslb.inc");
+require_once("gwlb.inc");

 define("RCFILEPREFIX", "/usr/local/etc/rc.d/");
 function write_rcfile($params) {
@ -66,7 +67,7 @@ function write_rcfile($params) {
 		$tokill =& $params['stop'];
 	} else if(!empty($params['executable'])) {
 		/* just nuke the executable */
-		$tokill = "/usr/bin/killall {$params['executable']}";
+		$tokill = "/usr/bin/killall " . escapeshellarg($params['executable']);
 	} else {
 		/* make an educated guess (bad) */
 		$tokill = array_pop(explode('/', array_shift(explode(' ', $params['start']))));
@ -143,7 +144,7 @@ function stop_service($name) {

 				if(!($service['rcfile'] or $service['stopcmd'])) {
 					if(is_process_running("{$service['executable']}"))
-						mwexec("/usr/bin/killall {$service['executable']}");
+						killbyname($service['executable']);
 					return;
 				}
 				break;
@ -151,8 +152,8 @@ function stop_service($name) {
 		}
 	}
 	/* finally if we get here lets simply kill the service name */
-	if(is_process_running("{$name}"))
-		mwexec("/usr/bin/killall {$name}");
+	if(is_process_running(escapeshellarg($name)))
+		killbyname(escapeshellarg($name));
 }

 function restart_service($name) {
@ -201,10 +202,13 @@ function is_service_enabled($service_name) {
 	global $config;
 	if ($service_name == "")
 		return false;
-	if (isset($config['installedpackages'][$service_name]['config'][0]['enable']) &&
-		((empty($config['installedpackages'][$service_name]['config'][0]['enable'])) ||
-		 ($config['installedpackages'][$service_name]['config'][0]['enable'] === 'off')))
-		return false;
+	if (is_array($config['installedpackages'])) {
+		if (isset($config['installedpackages'][$service_name]['config'][0]['enable']) &&
+			((empty($config['installedpackages'][$service_name]['config'][0]['enable'])) ||
+			($config['installedpackages'][$service_name]['config'][0]['enable'] === 'off'))) {
+			return false;
+		}
+	}
 	return true;
 }

@ -282,19 +286,21 @@ function get_services() {
 		if ($oc['if'] && (!link_interface_to_bridge($if)))
 			$iflist[$if] = $if;
 	}
-	$show_dhcprelay = false;
-	foreach($iflist as $if) {
-		if(isset($config['dhcrelay'][$if]['enable']))
-			$show_dhcprelay = true;
-	}

-	if($show_dhcprelay == true) {
+	if(isset($config['dhcrelay']['enable'])) {
 		$pconfig = array();
 		$pconfig['name'] = "dhcrelay";
 		$pconfig['description'] = gettext("DHCP Relay");
 		$services[] = $pconfig;
 	}

+	if(isset($config['dhcrelay6']['enable'])) {
+		$pconfig = array();
+		$pconfig['name'] = "dhcrelay6";
+		$pconfig['description'] = gettext("DHCPv6 Relay");
+		$services[] = $pconfig;
+	}
+
 	if(is_dhcp_server_enabled()) {
 		$pconfig = array();
 		$pconfig['name'] = "dhcpd";
@ -302,6 +308,14 @@ function get_services() {
 		$services[] = $pconfig;
 	}

+	$gateways_arr = return_gateways_array();
+	if (is_array($gateways_arr)) {
+		$pconfig = array();
+		$pconfig['name'] = "apinger";
+		$pconfig['description'] = gettext("Gateway Monitoring Daemon");
+		$services[] = $pconfig;
+	}
+
 	if(isset($config['snmpd']['enable'])) {
 		$pconfig = array();
 		$pconfig['name'] = "bsnmpd";
@ -417,6 +431,9 @@ function get_service_status($service) {
 		case "vhosts-http":
 			$running = is_pid_running("{$g['varrun_path']}/vhosts-http.pid");
 			break;
+		case "dhcrelay6":
+			$running = is_pid_running("{$g['varrun_path']}/dhcrelay6.pid");
+			break;
 		default:
 			$running = is_service_running($service['name']);
 	}
@ -428,23 +445,21 @@ function get_service_status_icon($service, $withtext = true, $smallicon = false)
 	$output = "";
 	if(get_service_status($service)) {
 		$statustext = gettext("Running");
-		$output .= '<td class="listr" align="center">' . "\n";
 		$output .= "<img style=\"vertical-align:middle\" title=\"" . sprintf(gettext("%s Service is"),$service["name"]) . " {$statustext}\" src=\"/themes/" . $g["theme"] . "/images/icons/";
 		$output .= ($smallicon) ? "icon_pass.gif" : "icon_service_running.gif";
 		$output .= "\" alt=\"status\" />";
 		if ($withtext)
 			$output .= "&nbsp;&nbsp;" . $statustext;
-		$output .= "</td>\n";
+		$output .= "\n";
 	} else {
 		$service_enabled = is_service_enabled($service['name']);
 		$statustext = ($service_enabled) ? gettext("Stopped") : gettext("Disabled");
-		$output .= '<td class="listbg" align="center">' . "\n";
 		$output .= "<img style=\"vertical-align:middle\" title=\"" . sprintf(gettext("%s Service is"),$service["name"]) . " {$statustext}\" src=\"/themes/" . $g["theme"] . "/images/icons/";
 		$output .= ($smallicon) ? "icon_block.gif" : "icon_service_stopped.gif";
 		$output .= "\" alt=\"status\" />";
 		if ($withtext)
 			$output .= "&nbsp;&nbsp;" . "<font color=\"white\">{$statustext}</font>";
-		$output .= "</td>\n";
+		$output .= "\n";
 	}
 	return $output;
 }
@ -503,16 +518,25 @@ function service_control_start($name, $extras) {
 			services_radvd_configure();
 			break;
 		case 'captiveportal':
-			$zone = $extras['zone'];
+			$zone = htmlspecialchars($extras['zone']);
 			captiveportal_init_webgui_zonename($zone);
 			break;
 		case 'ntpd':
 		case 'openntpd':
 			system_ntp_configure();
 			break;
+		case 'apinger':
+			setup_gateways_monitor();
+			break;
 		case 'bsnmpd':
 			services_snmpd_configure();
 			break;
+		case 'dhcrelay':
+			services_dhcrelay_configure();
+			break;
+		case 'dhcrelay6':
+			services_dhcrelay6_configure();
+			break;
 		case 'dnsmasq':
 			services_dnsmasq_configure();
 			break;
@ -529,9 +553,9 @@ function service_control_start($name, $extras) {
 			vpn_ipsec_force_reload();
 			break;
 		case 'openvpn':
-			$vpnmode = $extras['vpnmode'];
+			$vpnmode = isset($extras['vpnmode']) ? htmlspecialchars($extras['vpnmode']) : htmlspecialchars($extras['mode']);
 			if (($vpnmode == "server") || ($vpnmode == "client")) {
-				$id = $extras['id'];
+				$id = isset($extras['vpnid']) ? htmlspecialchars($extras['vpnid']) : htmlspecialchars($extras['id']);
 				$configfile = "{$g['varetc_path']}/openvpn/{$vpnmode}{$id}.conf";
 				if (file_exists($configfile))
 					openvpn_restart_by_vpnid($vpnmode, $id);
@ -553,7 +577,7 @@ function service_control_stop($name, $extras) {
 			killbypid("{$g['varrun_path']}/radvd.pid");
 			break;
 		case 'captiveportal':
-			$zone = $extras['zone'];
+			$zone = htmlspecialchars($extras['zone']);
 			killbypid("{$g['varrun_path']}/lighty-{$zone}-CaptivePortal.pid");
 			killbypid("{$g['varrun_path']}/lighty-{$zone}-CaptivePortal-SSL.pid");
 			break;
@ -563,6 +587,9 @@ function service_control_stop($name, $extras) {
 		case 'openntpd':
 			killbyname("openntpd");
 			break;
+		case 'apinger':
+			killbypid("{$g['varrun_path']}/apinger.pid");
+			break;
 		case 'bsnmpd':
 			killbypid("{$g['varrun_path']}/snmpd.pid");
 			break;
@ -575,6 +602,9 @@ function service_control_stop($name, $extras) {
 		case 'dhcrelay':
 			killbypid("{$g['varrun_path']}/dhcrelay.pid");
 			break;
+		case 'dhcrelay6':
+			killbypid("{$g['varrun_path']}/dhcrelay6.pid");
+			break;
 		case 'dnsmasq':
 			killbypid("{$g['varrun_path']}/dnsmasq.pid");
 			break;
@ -591,9 +621,9 @@ function service_control_stop($name, $extras) {
 			exec("killall -9 racoon");
 			break;
 		case 'openvpn':
-			$vpnmode = $extras['vpnmode'];
+			$vpnmode = htmlspecialchars($extras['vpnmode']);
 			if (($vpnmode == "server") or ($vpnmode == "client")) {
-				$id = $extras['id'];
+				$id = htmlspecialchars($extras['id']);
 				$pidfile = "{$g['varrun_path']}/openvpn_{$vpnmode}{$id}.pid";
 				killbypid($pidfile);
 			}
@ -614,7 +644,7 @@ function service_control_restart($name, $extras) {
 			services_radvd_configure();
 			break;
 		case 'captiveportal':
-			$zone = $extras['zone'];
+			$zone = htmlspecialchars($extras['zone']);
 			killbypid("{$g['varrun_path']}/lighty-{$zone}-CaptivePortal.pid");
 			killbypid("{$g['varrun_path']}/lighty-{$zone}-CaptivePortal-SSL.pid");
 			captiveportal_init_webgui_zonename($zone);
@ -623,9 +653,19 @@ function service_control_restart($name, $extras) {
 		case 'openntpd':
 			system_ntp_configure();
 			break;
+		case 'apinger':
+			killbypid("{$g['varrun_path']}/apinger.pid");
+			setup_gateways_monitor();
+			break;
 		case 'bsnmpd':
 			services_snmpd_configure();
 			break;
+		case 'dhcrelay':
+			services_dhcrelay_configure();
+			break;
+		case 'dhcrelay6':
+			services_dhcrelay6_configure();
+			break;
 		case 'dnsmasq':
 			services_dnsmasq_configure();
 			break;
@ -642,9 +682,9 @@ function service_control_restart($name, $extras) {
 			vpn_ipsec_force_reload();
 			break;
 		case 'openvpn':
-			$vpnmode = $extras['vpnmode'];
+			$vpnmode = htmlspecialchars($extras['vpnmode']);
 			if ($vpnmode == "server" || $vpnmode == "client") {
-				$id = $extras['id'];
+				$id = htmlspecialchars($extras['id']);
 				$configfile = "{$g['varetc_path']}/openvpn/{$vpnmode}{$id}.conf";
 				if (file_exists($configfile))
 					openvpn_restart_by_vpnid($vpnmode, $id);
--- a/etc/inc/services.inc
+++ b/etc/inc/services.inc
@ -1,7 +1,7 @@
 <?php
 /*
 	services.inc
-	part of the pfSense project (http://www.pfsense.com)
+	part of the pfSense project (https://www.pfsense.org)

 	originally part of m0n0wall (http://m0n0.ch/wall)
 	Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
@ -32,18 +32,17 @@

 /*
 	pfSense_BUILDER_BINARIES:	/usr/bin/killall	/bin/pgrep	/bin/sh	/usr/local/sbin/dhcpd	/usr/local/sbin/igmpproxy
-	pfSense_BUILDER_BINARIES:	/sbin/ifconfig	/usr/sbin/arp	/sbin/ifconfig	/usr/local/sbin/dnsmasq
-	pfSense_BUILDER_BINARIES:	/usr/sbin/bsnmpd	/sbin/route
+	pfSense_BUILDER_BINARIES:	/sbin/ifconfig		/usr/local/sbin/dnsmasq
 	pfSense_BUILDER_BINARIES:	/usr/local/sbin/miniupnpd	/usr/sbin/radvd
-	pfSense_BUILDER_BINARIES:	/usr/local/sbin/dhcleases6
+	pfSense_BUILDER_BINARIES:	/usr/local/sbin/dhcleases6	/usr/sbin/bsnmpd
 	pfSense_MODULE:	utils
 */

-define('DYNDNS_PROVIDER_VALUES', 'dnsomatic dyndns dyndns-static dyndns-custom dhs dyns easydns noip noip-free ods zoneedit loopia freedns dnsexit opendns namecheap he-net he-net-tunnelbroker selfhost route53 custom');
-define('DYNDNS_PROVIDER_DESCRIPTIONS', 'DNS-O-Matic,DynDNS (dynamic),DynDNS (static),DynDNS (custom),DHS,DyNS,easyDNS,No-IP,No-IP (free),ODS.org,ZoneEdit,Loopia,freeDNS,DNSexit,OpenDNS,Namecheap,HE.net,HE.net Tunnelbroker,SelfHost,Route 53,Custom');
+define('DYNDNS_PROVIDER_VALUES', 'dnsomatic dyndns dyndns-static dyndns-custom dhs dyns easydns noip noip-free ods zoneedit loopia freedns dnsexit opendns namecheap he-net he-net-v6 he-net-tunnelbroker selfhost route53 custom custom-v6');
+define('DYNDNS_PROVIDER_DESCRIPTIONS', 'DNS-O-Matic,DynDNS (dynamic),DynDNS (static),DynDNS (custom),DHS,DyNS,easyDNS,No-IP,No-IP (free),ODS.org,ZoneEdit,Loopia,freeDNS,DNSexit,OpenDNS,Namecheap,HE.net,HE.net (v6),HE.net Tunnelbroker,SelfHost,Route 53,Custom,Custom (v6)');

 /* implement ipv6 route advertising deamon */
-function services_radvd_configure() {
+function services_radvd_configure($blacklist = array()) {
 	global $config, $g;
 	
 	if ($g['platform'] == 'jail') 
@ -73,6 +72,9 @@ function services_radvd_configure() {
 		if (!isset($config['interfaces'][$dhcpv6if]['enable']))
 			continue;

+		/* Do not put in the config an interface which is down */
+		if (isset($blacklist[$dhcpv6if]))
+			continue;
 		if (!isset($dhcpv6ifconf['ramode']))
 			$dhcpv6ifconf['ramode'] = $dhcpv6ifconf['mode'];

@ -93,10 +95,9 @@ function services_radvd_configure() {
 			}
 		}

-		$realif = get_real_interface($dhcpv6if);
-		if (in_array($realif, $radvdifs))
+		$realif = get_real_interface($dhcpv6if, "inet6");
+		if (isset($radvdifs[$realif]))
 			continue;
-		$radvdifs[] = $realif;

 		$ifcfgipv6 = get_interface_ipv6($dhcpv6if);
 		if (!is_ipaddrv6($ifcfgipv6))
@ -104,6 +105,7 @@ function services_radvd_configure() {

 		$ifcfgsnv6 = get_interface_subnetv6($dhcpv6if);
 		$subnetv6 = gen_subnetv6($ifcfgipv6, $ifcfgsnv6);
+		$radvdifs[$realif] = $realif;

 		$radvdconf .= "# Generated for DHCPv6 Server $dhcpv6if\n";
 		$radvdconf .= "interface {$realif} {\n";
@ -129,9 +131,8 @@ function services_radvd_configure() {
 		}
 		switch($dhcpv6ifconf['ramode']) {
 			case "managed":
-				$radvdconf .= "\tAdvManagedFlag on;\n";
-				break;
 			case "assist":
+				$radvdconf .= "\tAdvManagedFlag on;\n";
 				$radvdconf .= "\tAdvOtherConfigFlag on;\n";
 				break;
 		}
@ -212,67 +213,69 @@ function services_radvd_configure() {
 			continue;
 		if(!isset($config['interfaces'][$if]['enable']))
 			continue;
-			
-		$realif = get_real_interface($if);
-		/* prevent duplicate entries, manual overrides */
-		if(in_array($realif, $radvdifs))
+		/* Do not put in the config an interface which is down */
+		if (isset($blacklist[$if]))
 			continue;
-
-		$ifcfgipv6 = get_interface_ipv6($if);
-		if(!is_ipaddrv6($ifcfgipv6))
-			continue;
-
-		$ifcfgsnv6 = get_interface_subnetv6($if);
-		$subnetv6 = gen_subnetv6($ifcfgipv6, $ifcfgsnv6);
 		$trackif = $config['interfaces'][$if]['track6-interface'];
 		if (empty($config['interfaces'][$trackif]))
 			continue;
-		$radvdifs[] = $realif;
+
+		$realif = get_real_interface($if, "inet6");
+		/* prevent duplicate entries, manual overrides */
+		if (isset($radvdifs[$realif]))
+			continue;
+
+		$ifcfgipv6 = get_interface_ipv6($if);
+		if(!is_ipaddrv6($ifcfgipv6)) {
+			$subnetv6 = "::";
+			$ifcfgsnv6 = "64";
+		} else {
+			$ifcfgsnv6 = get_interface_subnetv6($if);
+			$subnetv6 = gen_subnetv6($ifcfgipv6, $ifcfgsnv6);
+		}
+		$radvdifs[$realif] = $realif;

 		$autotype = $config['interfaces'][$trackif]['ipaddrv6'];
 	
 		if ($g['debug'])
 			log_error("configuring RA on {$if} for type {$autotype} radvd subnet {$subnetv6}/{$ifcfgsnv6}");

-		$dnslist = array();
-		if(is_ipaddrv6($ifcfgipv6)) {
-			$radvdconf .= "# Generated config for {$autotype} delegation from {$trackif} on {$if}\n";
-			$radvdconf .= "interface {$realif} {\n";
-				$radvdconf .= "\tAdvSendAdvert on;\n";
-				$radvdconf .= "\tMinRtrAdvInterval 3;\n";
-				$radvdconf .= "\tMaxRtrAdvInterval 10;\n";
-				$mtu = get_interface_mtu($realif);
-				if (is_numeric($mtu))
-					$radvdconf .= "\tAdvLinkMTU {$mtu};\n";
-				else
-					$radvdconf .= "\tAdvLinkMTU 1280;\n";
-				$radvdconf .= "\tAdvOtherConfigFlag on;\n";
-					$radvdconf .= "\t\tprefix {$subnetv6}/{$ifcfgsnv6} {\n";
-					$radvdconf .= "\t\tAdvOnLink on;\n";
-					$radvdconf .= "\t\tAdvAutonomous on;\n";
-					$radvdconf .= "\t\tAdvRouterAddr on;\n";
-				$radvdconf .= "\t};\n";
+		$radvdconf .= "# Generated config for {$autotype} delegation from {$trackif} on {$if}\n";
+		$radvdconf .= "interface {$realif} {\n";
+		$radvdconf .= "\tAdvSendAdvert on;\n";
+		$radvdconf .= "\tMinRtrAdvInterval 3;\n";
+		$radvdconf .= "\tMaxRtrAdvInterval 10;\n";
+		$mtu = get_interface_mtu($realif);
+		if (is_numeric($mtu))
+			$radvdconf .= "\tAdvLinkMTU {$mtu};\n";
+		else
+			$radvdconf .= "\tAdvLinkMTU 1280;\n";
+		$radvdconf .= "\tAdvOtherConfigFlag on;\n";
+		$radvdconf .= "\t\tprefix {$subnetv6}/{$ifcfgsnv6} {\n";
+		$radvdconf .= "\t\tAdvOnLink on;\n";
+		$radvdconf .= "\t\tAdvAutonomous on;\n";
+		$radvdconf .= "\t\tAdvRouterAddr on;\n";
+		$radvdconf .= "\t};\n";

-				/* add DNS servers */
-				$dnslist = array();
-				if (isset($config['dnsmasq']['enable'])) {
-					$dnslist[] = $ifcfgipv6;
-				} elseif (is_array($config['system']['dnsserver']) && !empty($config['system']['dnsserver'])) {
-					foreach($config['system']['dnsserver'] as $server) {
-						if(is_ipaddrv6($server))
-							$dnslist[] = $server;
-					}
-				}
-				if (count($dnslist) > 0) {
-					$dnsstring = implode(" ", $dnslist);
-					if (!empty($dnsstring))
-						$radvdconf .= "\tRDNSS {$dnsstring} { };\n";
-				}
-				if (!empty($config['system']['domain'])) {
-					$radvdconf .= "\tDNSSL {$config['system']['domain']} { };\n";
-				}
-			$radvdconf .= "};\n";
+		/* add DNS servers */
+		$dnslist = array();
+		if (isset($config['dnsmasq']['enable'])) {
+			$dnslist[] = $ifcfgipv6;
+		} elseif (is_array($config['system']['dnsserver']) && !empty($config['system']['dnsserver'])) {
+			foreach($config['system']['dnsserver'] as $server) {
+				if(is_ipaddrv6($server))
+					$dnslist[] = $server;
+			}
 		}
+		if (count($dnslist) > 0) {
+			$dnsstring = implode(" ", $dnslist);
+			if (!empty($dnsstring))
+				$radvdconf .= "\tRDNSS {$dnsstring} { };\n";
+		}
+		if (!empty($config['system']['domain'])) {
+			$radvdconf .= "\tDNSSL {$config['system']['domain']} { };\n";
+		}
+		$radvdconf .= "};\n";
 	}

 	/* write radvd.conf */
@ -300,7 +303,7 @@ function services_radvd_configure() {
 	return 0;
 }

-function services_dhcpd_configure($family = "all") {
+function services_dhcpd_configure($family = "all", $blacklist = array()) {
 	global $config, $g;

 	/* configure DHCPD chroot once */
@ -315,8 +318,8 @@ function services_dhcpd_configure($family = "all") {
 	fwrite($fd, "/bin/mkdir -p {$g['dhcpd_chroot_path']}/lib\n");
 	fwrite($fd, "/bin/mkdir -p {$g['dhcpd_chroot_path']}/run\n");
 	fwrite($fd, "/usr/sbin/chown -R dhcpd:_dhcp {$g['dhcpd_chroot_path']}/*\n");
-	fwrite($fd, "/bin/cp /lib/libc.so.* {$g['dhcpd_chroot_path']}/lib/\n");
-	fwrite($fd, "/bin/cp /usr/local/sbin/dhcpd {$g['dhcpd_chroot_path']}/usr/local/sbin/\n");
+	fwrite($fd, "/bin/cp -n /lib/libc.so.* {$g['dhcpd_chroot_path']}/lib/\n");
+	fwrite($fd, "/bin/cp -n /usr/local/sbin/dhcpd {$g['dhcpd_chroot_path']}/usr/local/sbin/\n");
 	fwrite($fd, "/bin/chmod a+rx {$g['dhcpd_chroot_path']}/usr/local/sbin/dhcpd\n");

 	$status = `/sbin/mount | /usr/bin/grep -v grep  | /usr/bin/grep  "{$g['dhcpd_chroot_path']}/dev"`;
@ -328,8 +331,8 @@ function services_dhcpd_configure($family = "all") {
 	if ($family == "all" || $family == "inet")
 		services_dhcpdv4_configure();
 	if ($family == "all" || $family == "inet6") {
-		services_dhcpdv6_configure();
-		services_radvd_configure();
+		services_dhcpdv6_configure($blacklist);
+		services_radvd_configure($blacklist);
 	}
 }

@ -349,8 +352,6 @@ function services_dhcpdv4_configure() {
 	/* kill any running dhcpd */
 	if (isvalidpid("{$g['dhcpd_chroot_path']}{$g['varrun_path']}/dhcpd.pid"))
 		killbypid("{$g['dhcpd_chroot_path']}{$g['varrun_path']}/dhcpd.pid");
-	else
-		mwexec("/usr/bin/killall dhcpd", true);

 	/* DHCP enabled on any interfaces? */
 	if (!is_dhcp_server_enabled())
@ -385,6 +386,16 @@ function services_dhcpdv4_configure() {
 	$dhcpdcfg = $config['dhcpd'];
 	$Iflist = get_configured_interface_list();

+	/* Only consider DNS servers with IPv4 addresses for the IPv4 DHCP server. */
+	$dns_arrv4 = array();
+	if (is_array($syscfg['dnsserver'])) {
+		foreach($syscfg['dnsserver'] as $dnsserver) {
+			if (is_ipaddrv4($dnsserver)) {
+				$dns_arrv4[] = $dnsserver;
+			}
+		}
+	}
+
 	if ($g['booting'])
 		echo gettext("Starting DHCP service...");
 	else
@ -439,7 +450,6 @@ EOD;
 	/*    loop through and determine if we need to setup
 	 *    failover peer "bleh" entries
 	 */
-	$dhcpnum = 0;
 	foreach ($dhcpdcfg as $dhcpif => $dhcpifconf) {

 		interfaces_staticarp_configure($dhcpif);
@ -466,11 +476,10 @@ EOD;
 					}
 				}
 			} else {
-				log_error(gettext("Warning!  DHCP Failover setup and no CARP virtual IP's defined!"));
+				log_error(gettext("Warning!  DHCP Failover setup and no CARP virtual IPs defined!"));
 			}
 			if($skew > 10) {
 				$type = "secondary";
-				$dhcpdconf_pri  = "mclt 600;\n";
 				$my_port = "520";
 				$peer_port = "519";
 			} else {
@ -481,7 +490,7 @@ EOD;
 				$dhcpdconf_pri .= "  mclt 600;\n";
 			}
 			$dhcpdconf .= <<<EOPP
-failover peer "dhcp{$dhcpnum}" {
+failover peer "dhcp_{$dhcpif}" {
  {$type};
  address {$intip};
  port {$my_port};
@ -492,14 +501,11 @@ failover peer "dhcp{$dhcpnum}" {
  {$dhcpdconf_pri}
  load balance max seconds 3;
 }
-
+\n
 EOPP;
-		$dhcpnum++;
 		}
 	}

-	$dhcpnum = 0;
-
 	foreach ($dhcpdcfg as $dhcpif => $dhcpifconf) {

 		$newzone = array();
@ -562,10 +568,10 @@ EOPP;
 			$dnscfg .= "	option domain-name-servers {$ifcfgip};";
 			if ($newzone['domain-name'] && is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0]))
 				$newzone['dns-servers'] = $syscfg['dnsserver'];
-		} else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
-			$dnscfg .= "	option domain-name-servers " . join(",", $syscfg['dnsserver']) . ";";
+		} else if (!empty($dns_arrv4)) {
+			$dnscfg .= "	option domain-name-servers " . join(",", $dns_arrv4) . ";";
 			if ($newzone['domain-name'])
-				$newzone['dns-servers'] = $syscfg['dnsserver'];
+				$newzone['dns-servers'] = $dns_arrv4;
 		}

 		/* Create classes - These all contain comma separated lists. Join them into one 
@ -626,8 +632,7 @@ EOPP;
 				$dhcpdconf .= "		option routers {$poolconf['gateway']};\n";

 			if($dhcpifconf['failover_peerip'] <> "") {
-				$dhcpdconf .= "		failover peer \"dhcp{$dhcpnum}\";\n";
-				$dhcpnum++;
+				$dhcpdconf .= "		failover peer \"dhcp_{$dhcpif}\";\n";
 			}

 			$pdnscfg = "";
@ -845,21 +850,38 @@ EOD;
 	if ($need_ddns_updates) {
 		$dhcpdconf .= "ddns-update-style interim;\n";
 		if (is_array($ddns_zones)) {
+			$added_zones = array();
 			foreach ($ddns_zones as $zone) {
 				if (!is_array($zone) || empty($zone) || !is_array($zone['dns-servers']))
 					continue;
 				$primary = $zone['dns-servers'][0];
 				$secondary = empty($zone['dns-servers'][1]) ? "" : $zone['dns-servers'][1];
-				$dhcpdconf .= "zone {$zone['domain-name']} {\n";
-				$dhcpdconf .= "	primary {$primary};\n";
-				if (is_ipaddrv4($secondary))
-					$dhcpdconf .= "	secondary {$secondary};\n";
-				$dhcpdconf .= "}\n";
-				$dhcpdconf .= "zone {$zone['ptr-domain']} {\n";
-				$dhcpdconf .= "	primary {$primary};\n";
-				if (is_ipaddrv4($secondary))
-					$dhcpdconf .= "	secondary {$secondary};\n";
-				$dhcpdconf .= "}\n";
+				// Make sure we aren't using any invalid or IPv6 DNS servers.
+				if (!is_ipaddrv4($primary)) {
+					if (is_ipaddrv4($secondary)) {
+						$primary = $secondary;
+						$secondary = "";
+					} else {
+						continue;
+					}
+				}
+				// We don't need to add zones multiple times.
+				if (!in_array($zone['domain-name'], $added_zones)) {
+					$dhcpdconf .= "zone {$zone['domain-name']} {\n";
+					$dhcpdconf .= "	primary {$primary};\n";
+					if (is_ipaddrv4($secondary))
+						$dhcpdconf .= "	secondary {$secondary};\n";
+					$dhcpdconf .= "}\n";
+					$added_zones[] = $zone['domain-name'];
+				}
+				if (!in_array($zone['ptr-domain'], $added_zones)) {
+					$dhcpdconf .= "zone {$zone['ptr-domain']} {\n";
+					$dhcpdconf .= "	primary {$primary};\n";
+					if (is_ipaddrv4($secondary))
+						$dhcpdconf .= "	secondary {$secondary};\n";
+					$dhcpdconf .= "}\n";
+					$added_zones[] = $zone['ptr-domain'];
+				}
 			}
 		}
 	}
@ -876,6 +898,10 @@ EOD;
 	if (!file_exists("{$g['dhcpd_chroot_path']}/var/db/dhcpd.leases"))
 		@touch("{$g['dhcpd_chroot_path']}/var/db/dhcpd.leases");

+	/* make sure there isn't a stale dhcpd.pid file, which can make dhcpd fail to start.   */
+	/* if we get here, dhcpd has been killed and is not started yet                        */ 
+	unlink_if_exists("{$g['dhcpd_chroot_path']}{$g['varrun_path']}/dhcpd.pid");
+
 	/* fire up dhcpd in a chroot */
 	if (count($dhcpdifs) > 0) {
 		mwexec("/usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot {$g['dhcpd_chroot_path']} -cf /etc/dhcpd.conf -pf {$g['varrun_path']}/dhcpd.pid " .
@ -888,7 +914,7 @@ EOD;
 	return 0;
 }

-function services_dhcpdv6_configure() {
+function services_dhcpdv6_configure($blacklist = array()) {
 	global $config, $g;

 	if($g['services_dhcp_server_enable'] == false)
@ -939,8 +965,11 @@ function services_dhcpdv6_configure() {

 	/* we add a fake entry for interfaces that are set to track6 another WAN */
 	foreach ($Iflist as $ifname) {
+		/* Do not put in the config an interface which is down */
+		if (isset($blacklist[$ifname]))
+			continue;
 		if (!empty($config['interfaces'][$ifname]['track6-interface'])) {
-			$realif = get_real_interface($ifname);
+			$realif = get_real_interface($ifname, "inet6");
 			$ifcfgipv6 = get_interface_ipv6($ifname);
 			if(!is_ipaddrv6($ifcfgipv6))
 				continue;
@ -975,6 +1004,7 @@ function services_dhcpdv6_configure() {

 				$dhcpdv6cfg[$ifname]['prefixrange']['from'] = Net_IPv6::compress($range['start']);
 				$dhcpdv6cfg[$ifname]['prefixrange']['to'] = Net_IPv6::compress($range['end']);
+				$dhcpdv6cfg[$ifname]['dns6ip'] = get_interface_ipv6($ifname);
 			}
 		}
 	}
@ -988,12 +1018,15 @@ function services_dhcpdv6_configure() {
 		}
 	}

+	if(isset($dhcpv6ifconf['netboot']) && !empty($dhcpv6ifconf['bootfile_url']))
+		$custoptionsv6 .= "option dhcp6.bootfile-url code 59 = string;\n";
+
 	$dhcpdv6conf = <<<EOD

 option domain-name "{$syscfg['domain']}";
 option ldap-server code 95 = text;
 option domain-search-list code 119 = text;
-{$custoptions}
+{$custoptionsv6}
 default-lease-time 7200;
 max-lease-time 86400;
 log-facility local7;
@ -1023,9 +1056,10 @@ EOD;
 		$ifcfgsnv6 = get_interface_subnetv6($dhcpv6if);
 		$subnetv6 = gen_subnetv6($ifcfgipv6, $ifcfgsnv6);

-		if($is_olsr_enabled == true)
+		if ($is_olsr_enabled == true) {
 			if($dhcpv6ifconf['netmask'])
 				$subnetmask = gen_subnet_maskv6($dhcpv6ifconf['netmask']);
+		}

 		$dnscfgv6 = "";

@ -1033,7 +1067,7 @@ EOD;
 			$dnscfgv6 .= "	option domain-name \"{$dhcpv6ifconf['domain']}\";\n";
 		}

-    		if($dhcpv6ifconf['domainsearchlist'] <> "") {
+    		if ($dhcpv6ifconf['domainsearchlist'] <> "") {
 			$dnscfgv6 .= "	option domain-search \"" . join("\",\"", preg_split("/[ ;]+/", $dhcpv6ifconf['domainsearchlist'])) . "\";\n";
    		}

@ -1051,7 +1085,7 @@ EOD;
 		} else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
 			$dns_arrv6 = array();
 			foreach($syscfg['dnsserver'] as $dnsserver) {
-				if(is_ipaddrv6($dnsserver)) {
+				if (is_ipaddrv6($dnsserver)) {
 					$dns_arrv6[] = $dnsserver;
 				}
 			}
@ -1059,18 +1093,13 @@ EOD;
 				$dnscfgv6 .= "	option dhcp6.name-servers " . join(",", $dns_arrv6) . ";";
 		}

-		if(is_ipaddrv6($ifcfgipv6)) {
-			$dhcpdv6conf .= "subnet6 {$subnetv6}/{$ifcfgsnv6} {\n";
+		if (is_ipaddrv6($ifcfgipv6)) {
+			$dhcpdv6conf .= "subnet6 {$subnetv6}/{$ifcfgsnv6}";
 		} else {
 			$subnet6 = gen_subnetv6($dhcpv6ifconf['range']['from'], "64");
-			$dhcpdv6conf .= "subnet6 {$subnet6}/64 {\n";
+			$dhcpdv6conf .= "subnet6 {$subnet6}/64";
 		}
-
-		if($dhcpv6ifconf['failover_peerip'] <> "")
-			$dhcpdv6conf .= "		deny dynamic bootp clients;\n";
-
-		if (isset($dhcpv6ifconf['denyunknown']))
-		   $dhcpdv6conf .= "		deny unknown-clients;\n";
+		$dhcpdv6conf .= " {\n";

 		$dhcpdv6conf .= <<<EOD
 	range6 {$dhcpv6ifconf['range']['from']} {$dhcpv6ifconf['range']['to']};
@ -1078,9 +1107,11 @@ $dnscfgv6

 EOD;

-		if(is_ipaddrv6($dhcpv6ifconf['prefixrange']['from']) && is_ipaddrv6($dhcpv6ifconf['prefixrange']['to'])) {
+		if (is_ipaddrv6($dhcpv6ifconf['prefixrange']['from']) && is_ipaddrv6($dhcpv6ifconf['prefixrange']['to'])) {
 			$dhcpdv6conf .= "	prefix6 {$dhcpv6ifconf['prefixrange']['from']} {$dhcpv6ifconf['prefixrange']['to']}/{$dhcpv6ifconf['prefixrange']['prefixlength']};\n";
-
+		}
+		if (is_ipaddrv6($dhcpv6ifconf['dns6ip'])) {
+			$dhcpdv6conf .= "       option dhcp6.name-servers {$dhcpv6ifconf['dns6ip']};\n";
 		}
    		// default-lease-time
 		if ($dhcpv6ifconf['defaultleasetime'])
@ -1108,7 +1139,7 @@ EOD;

 		// Handle option, number rowhelper values
 		$dhcpdv6conf .= "\n";
-		if($dhcpv6ifconf['numberoptions']['item']) {
+		if ($dhcpv6ifconf['numberoptions']['item']) {
 			foreach($dhcpv6ifconf['numberoptions']['item'] as $itemv6idx => $itemv6) {
 				$dhcpdv6conf .= "	option custom-{$dhcpv6if}-{$itemv6idx} \"{$itemv6['value']}\";\n";
 			}
@ -1120,14 +1151,8 @@ EOD;

 		// net boot information
 		if(isset($dhcpv6ifconf['netboot'])) {
-			if ($dhcpv6ifconf['nextserver'] <> "") {
-				$dhcpdv6conf .= "	next-server {$dhcpv6ifconf['nextserver']};\n";
-			}
-			if ($dhcpv6ifconf['filename'] <> "") {
-				$dhcpdv6conf .= "	filename \"{$dhcpv6ifconf['filename']}\";\n";
-			}
-			if ($dhcpv6ifconf['rootpath'] <> "") {
-				$dhcpdv6conf .= "	option root-path \"{$dhcpv6ifconf['rootpath']}\";\n";
+			if (!empty($dhcpv6ifconf['bootfile_url'])) {
+				$dhcpdv6conf .= "	option dhcp6.bootfile-url \"{$dhcpv6ifconf['bootfile_url']}\";\n";
 			}
 		}

@ -1162,12 +1187,12 @@ EOD;
 			}
 		}

-		if($config['dhcpdv6'][$dhcpv6if]['ramode'] <> "unmanaged") {
+		if ($config['dhcpdv6'][$dhcpv6if]['ramode'] <> "unmanaged") {
 			if(preg_match("/poes/si", $dhcpv6if)) {
 				/* magic here */
 				$dhcpdv6ifs = array_merge($dhcpdv6ifs, get_pppoes_child_interfaces($dhcpv6if));
 			} else {
-				$realif = get_real_interface($dhcpv6if);
+				$realif = get_real_interface($dhcpv6if, "inet6");
 				if (stristr("$realif", "bridge")) {
 					$mac = get_interface_mac($realif);
 					$v6address = generate_ipv6_from_mac($mac);
@ -1194,6 +1219,10 @@ EOD;
 	if (!file_exists("{$g['dhcpd_chroot_path']}/var/db/dhcpd6.leases"))
 		@touch("{$g['dhcpd_chroot_path']}/var/db/dhcpd6.leases");

+        /* make sure there isn't a stale dhcpdv6.pid file, which may make dhcpdv6 fail to start.  */
+        /* if we get here, dhcpdv6 has been killed and is not started yet                         */
+        unlink_if_exists("{$g['dhcpd_chroot_path']}{$g['varrun_path']}/dhcpdv6.pid");
+
 	/* fire up dhcpd in a chroot */
 	if (count($dhcpdv6ifs) > 0) {
 		mwexec("/usr/local/sbin/dhcpd -6 -user dhcpd -group _dhcp -chroot {$g['dhcpd_chroot_path']} -cf /etc/dhcpdv6.conf -pf {$g['varrun_path']}/dhcpdv6.pid " .
@ -1257,8 +1286,8 @@ EOD;
        fclose($igmpfl);
 	unset($igmpconf);

-	/* NOTE: -d 4 means everything LOG_WARNING and smaller */
-        mwexec("/usr/local/sbin/igmpproxy -d 4 -c {$g['tmp_path']}/igmpproxy.conf");
+	/* NOTE: -d4 means everything LOG_WARNING and smaller */
+        mwexec("/usr/local/sbin/igmpproxy -d4 -c {$g['tmp_path']}/igmpproxy.conf");
        log_error(gettext("Started IGMP proxy service."));

        return 0;
@ -1355,8 +1384,7 @@ function services_dhcrelay_configure() {
 			if (is_array($config['gateways']['gateway_item'])) {
 				foreach ($config['gateways']['gateway_item'] as $gateway) {
 					if (isset($gateway['defaultgw'])) {
-						$a_gateways = return_gateways_array(true);
-                                        	$destif = $a_gateways[$rtent['gateway']]['interface'];
+						$destif = get_real_interface($gateway['interface']);
 						break;
 					}
 				}
@ -1393,7 +1421,7 @@ function services_dhcrelay6_configure() {
 		return;
 	if(isset($config['system']['developerspew'])) {
 		$mt = microtime();
-		echo "services_dhcrelay_configure() being called $mt\n";
+		echo "services_dhcrelay6_configure() being called $mt\n";
 	}

 	/* kill any running dhcrelay */
@ -1474,8 +1502,7 @@ function services_dhcrelay6_configure() {
 			if (is_array($config['gateways']['gateway_item'])) {
 				foreach ($config['gateways']['gateway_item'] as $gateway) {
 					if (isset($gateway['defaultgw'])) {
-						$a_gateways = return_gateways_array(true);
-                                        	$destif = $a_gateways[$rtent['gateway']]['interface'];
+						$destif = $gateway['interface'];
 						break;
 					}
 				}
@ -1494,7 +1521,7 @@ function services_dhcrelay6_configure() {
 		return; /* XXX */
 	}

-	$cmd = "/usr/local/sbin/dhcrelay -6 -pf \"{$g['varetc_path']}/dhcrelay6.pid\"";
+	$cmd = "/usr/local/sbin/dhcrelay -6 -pf \"{$g['varrun_path']}/dhcrelay6.pid\"";
 	foreach ($dhcrelayifs as $dhcrelayif) {
 		$cmd .= " -l {$dhcrelayif}";
 	}
@ -1572,12 +1599,14 @@ function dyndnsCheckIP($int) {
 		// Avoid the long wait for the external check to timeout.
 		if (stristr($gateways_status[$config['interfaces'][$int]['gateway']]['status'],"down"))
 			return "down";
-		$hosttocheck = "checkip.dyndns.org";
-		$checkip = gethostbyname($hosttocheck);
-		$ip_ch = curl_init("http://{$checkip}");
+		$hosttocheck = "http://checkip.dyndns.org";
+		$ip_ch = curl_init($hosttocheck);
 		curl_setopt($ip_ch, CURLOPT_RETURNTRANSFER, 1);
 		curl_setopt($ip_ch, CURLOPT_SSL_VERIFYPEER, FALSE);
 		curl_setopt($ip_ch, CURLOPT_INTERFACE, $ip_address);
+		curl_setopt($ip_ch, CURLOPT_CONNECTTIMEOUT, '30');
+		curl_setopt($ip_ch, CURLOPT_TIMEOUT, 120);
+		curl_setopt($ip_ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
 		$ip_result_page = curl_exec($ip_ch);
 		curl_close($ip_ch);
 		$ip_result_decoded = urldecode($ip_result_page);
@ -1633,8 +1662,18 @@ function services_dnsmasq_configure() {
 		if(isset($config['dnsmasq']['interface'])) {
 			$interfaces = explode(",", $config['dnsmasq']['interface']);
 			foreach ($interfaces as $interface) {
-				if (is_ipaddr($interface)) {
+				if (is_ipaddrv4($interface)) {
 					$listen_addresses .= " --listen-address={$interface} ";
+				} else if (is_ipaddrv6($interface)) {
+					/*
+					* XXX: Since dnsmasq does not support link-local address
+					* with scope specified. These checks are being done.
+					*/
+					if (is_linklocal($interface) && strstr($interface, "%")) {
+						$tmpaddrll6 = explode("%", $interface);
+						$listen_addresses .= " --listen-address={$tmpaddrll6[0]} ";
+					} else 
+						$listen_addresses .= " --listen-address={$interface} ";
 				} else {
 					$if = get_real_interface($interface);
 					if (does_interface_exist($if)) {
@ -1642,8 +1681,17 @@ function services_dnsmasq_configure() {
 						if (is_ipaddrv4($laddr))
 							$listen_addresses .= " --listen-address={$laddr} ";
 						$laddr6 = find_interface_ipv6($if);
-						if (is_ipaddrv6($laddr6) && !isset($config['dnsmasq']['strictbind']))
-							$listen_addresses .= " --listen-address={$laddr6} ";
+						if (is_ipaddrv6($laddr6) && !isset($config['dnsmasq']['strictbind'])) {
+							/*
+							 * XXX: Since dnsmasq does not support link-local address
+							 * with scope specified. These checks are being done.
+							 */
+							if (is_linklocal($laddr6) && strstr($laddr6, "%")) {
+								$tmpaddrll6 = explode("%", $laddr6);
+								$listen_addresses .= " --listen-address={$tmpaddrll6[0]} ";
+							} else 
+								$listen_addresses .= " --listen-address={$laddr6} ";
+						}
 					}
 				}
 			}
@ -1654,16 +1702,9 @@ function services_dnsmasq_configure() {
 			}
 		}

-		/* Setup forwarded domains */
-		if (isset($config['dnsmasq']['domainoverrides']) && is_array($config['dnsmasq']['domainoverrides'])) {
-			foreach($config['dnsmasq']['domainoverrides'] as $override) {
-				if ($override['ip'] == "!")
-					$override[ip] = "";
-				$args .= ' --server=/' . $override['domain'] . '/' . $override['ip'];
-			}
-		}
-
-		/* If selected, then forward reverse lookups for private IPv4 addresses to nowhere. */
+		/* If selected, then first forward reverse lookups for private IPv4 addresses to nowhere. */
+		/* If any of these are duplicated by a user-specified domain override (e.g. 10.in-addr.arpa) then */
+		/* the user-specified entry made later on the command line below will be the one that is effective. */
 		if (isset($config['dnsmasq']['no_private_reverse'])) {
 			/* Note: Carrier Grade NAT (CGN) addresses 100.64.0.0/10 are intentionally not here. */
 			/* End-users should not be aware of CGN addresses, so reverse lookups for these should not happen. */
@ -1676,6 +1717,15 @@ function services_dnsmasq_configure() {
 			}
 		}

+		/* Setup forwarded domains */
+		if (isset($config['dnsmasq']['domainoverrides']) && is_array($config['dnsmasq']['domainoverrides'])) {
+			foreach($config['dnsmasq']['domainoverrides'] as $override) {
+				if ($override['ip'] == "!")
+					$override[ip] = "";
+				$args .= ' --server=/' . $override['domain'] . '/' . $override['ip'];
+			}
+		}
+
 		/* Allow DNS Rebind for forwarded domains */
 		if (isset($config['dnsmasq']['domainoverrides']) && is_array($config['dnsmasq']['domainoverrides'])) {
 			if(!isset($config['system']['webgui']['nodnsrebindcheck'])) {
@ -1698,7 +1748,7 @@ function services_dnsmasq_configure() {

 		if ($config['dnsmasq']['custom_options'])
 			foreach (preg_split('/\s+/', $config['dnsmasq']['custom_options']) as $c) {
-				$args .= " --$c";
+				$args .= " " . escapeshellarg("--{$c}");
 				$p = explode('=', $c);
 				if (array_key_exists($p[0], $standard_args))
 					unset($standard_args[$p[0]]);
@ -1927,7 +1977,7 @@ EOD;
 	return 0;
 }

-function services_dnsupdate_process($int = "") {
+function services_dnsupdate_process($int = "", $updatehost = "", $forced = false) {
 	global $config, $g;
 	if(isset($config['system']['developerspew'])) {
 		$mt = microtime();
@ -1936,17 +1986,27 @@ function services_dnsupdate_process($int = "") {

 	/* Dynamic DNS updating active? */
 	if (is_array($config['dnsupdates']['dnsupdate'])) {
+		$notify_text = "";
 		foreach ($config['dnsupdates']['dnsupdate'] as $i => $dnsupdate) {
 			if (!isset($dnsupdate['enable']))
 				continue;
 			if (!empty($int) && $int != $dnsupdate['interface'])
 				continue;
+			if (!empty($updatehost) && ($updatehost != $dnsupdate['host']))
+				continue;

 			/* determine interface name */
 			$if = get_real_interface($dnsupdate['interface']);
-			$wanip = get_interface_ip($dnsupdate['interface']);
-			if ($wanip) {
+			if (isset($dnsupdate['usepublicip']))
+                                $wanip = dyndnsCheckIP($dnsupdate['interface']);
+                        else
+                                $wanip = get_interface_ip($dnsupdate['interface']);
+			
+			$wanipv6 = get_interface_ipv6($dnsupdate['interface']);
+			$cacheFile = "{$g['conf_path']}/dyndns_{$dnsupdate['interface']}_rfc2136_" . escapeshellarg($dnsupdate['host']) . "_{$dnsupdate['server']}.cache";
+			$currentTime = time();

+			if ($wanip || $wanipv6) {
 				$keyname = $dnsupdate['keyname'];
 				/* trailing dot */
 				if (substr($keyname, -1) != ".")
@ -1990,23 +2050,68 @@ EOD;
 				$upinst = "";
 				if (!empty($dnsupdate['server']))
 					$upinst .= "server {$dnsupdate['server']}\n";
-				$upinst .= "update delete {$dnsupdate['host']} A\n";
-				$upinst .= "update add {$dnsupdate['host']} {$dnsupdate['ttl']} A {$wanip}\n";
+
+				if (file_exists($cacheFile)) {
+					list($cachedipv4, $cacheTimev4) = explode("|", file_get_contents($cacheFile));
+				}
+				if (file_exists("{$cacheFile}.ipv6")) {
+					list($cachedipv6, $cacheTimev6) = explode("|", file_get_contents("{$cacheFile}.ipv6"));
+				}
+
+				// 25 Days
+				$maxCacheAgeSecs = 25 * 24 * 60 * 60;
+				$need_update = false;
+
+				conf_mount_rw();
+				/* Update IPv4 if we have it. */
+				if (is_ipaddrv4($wanip)) {
+					if (($wanip != $cachedipv4) || (($currentTime - $cacheTimev4) > $maxCacheAgeSecs) || $forced) {
+						$upinst .= "update delete {$dnsupdate['host']}. A\n";
+						$upinst .= "update add {$dnsupdate['host']}. {$dnsupdate['ttl']} A {$wanip}\n";
+						$notify_text .= sprintf(gettext("DynDNS updated IP Address (A) for {$dnsupdate['host']} on %s (%s) to %s"), convert_real_interface_to_friendly_descr($if), $if, $wanip) . "\n";
+						@file_put_contents($cacheFile, "{$wanip}|{$currentTime}");
+						log_error("phpDynDNS: updating cache file {$cacheFile}: {$wanip}");
+						$need_update = true;
+					} else {
+						log_error("phpDynDNS: Not updating {$dnsupdate['host']} A record because the IP address has not changed.");
+					}
+				} else
+					@unlink($cacheFile);
+
+				/* Update IPv6 if we have it. */
+				if (is_ipaddrv6($wanipv6)) {
+					if (($wanipv6 != $cachedipv6) || (($currentTime - $cacheTimev6) > $maxCacheAgeSecs) || $forced) {
+						$upinst .= "update delete {$dnsupdate['host']}. AAAA\n";
+						$upinst .= "update add {$dnsupdate['host']}. {$dnsupdate['ttl']} AAAA {$wanipv6}\n";
+						$notify_text .= sprintf(gettext("DynDNS updated IPv6 Address (AAAA) for {$dnsupdate['host']} on %s (%s) to %s"), convert_real_interface_to_friendly_descr($if), $if, $wanipv6) . "\n";
+						@file_put_contents("{$cacheFile}.ipv6", "{$wanipv6}|{$currentTime}");
+						log_error("phpDynDNS: updating cache file {$cacheFile}.ipv6: {$wanipv6}");
+						$need_update = true;
+					} else {
+						log_error("phpDynDNS: Not updating {$dnsupdate['host']} AAAA record because the IPv6 address has not changed.");
+					}
+				} else
+					@unlink("{$cacheFile}.ipv6");
+				conf_mount_ro();
+
 				$upinst .= "\n";	/* mind that trailing newline! */

-				@file_put_contents("{$g['varetc_path']}/nsupdatecmds{$i}", $upinst);
-				unset($upinst);
-
-				/* invoke nsupdate */
-				$cmd = "/usr/bin/nsupdate -k {$g['varetc_path']}/K{$i}{$keyname}+157+00000.key";
-				if (isset($dnsupdate['usetcp']))
-					$cmd .= " -v";
-				$cmd .= " {$g['varetc_path']}/nsupdatecmds{$i}";
-
-				mwexec_bg($cmd);
-				unset($cmd);
+				if ($need_update) {
+					@file_put_contents("{$g['varetc_path']}/nsupdatecmds{$i}", $upinst);
+					unset($upinst);
+					/* invoke nsupdate */
+					$cmd = "/usr/bin/nsupdate -k {$g['varetc_path']}/K{$i}{$keyname}+157+00000.key";
+					if (isset($dnsupdate['usetcp']))
+						$cmd .= " -v";
+					$cmd .= " {$g['varetc_path']}/nsupdatecmds{$i}";
+					mwexec_bg($cmd);
+					unset($cmd);
+				}
 			}
 		}
+		if (!empty($notify_text)) {
+			notify_all_remote($notify_text);
+		}
 	}

 	return 0;
@ -2135,7 +2240,7 @@ function install_cron_job($command, $active=false, $minute="0", $hour="*", $mont
 			write_config(sprintf(gettext("Updated cron job for %s"), $command));
 		}
 	} else {
-		if(($is_installed == true) && ($x > 0)) {
+		if($is_installed == true) {
 			unset($config['cron']['item'][$x]);
 			write_config(sprintf(gettext("Removed cron job for %s"), $command));
 		}
--- a/etc/inc/shaper.inc
+++ b/etc/inc/shaper.inc
@ -331,11 +331,11 @@ class altq_root_queue {
                if ($data['qlimit'] && (!is_numeric($data['qlimit'])))
 			$input_errors[] = gettext("Qlimit must be an integer.");
 	 	if ($data['qlimit'] < 0)
-			$input_errors[] = gettext("Qlimit must be an positive.");
+			$input_errors[] = gettext("Qlimit must be positive.");
                if ($data['tbrconfig'] && (!is_numeric($data['tbrconfig'])))
 			$input_errors[] = gettext("Tbrsize must be an integer.");
                if ($data['tbrconfig'] < 0)
-			$input_errors[] = gettext("Tbrsize must be an positive.");
+			$input_errors[] = gettext("Tbrsize must be positive.");
 	}

 	/* Implement this to shorten some code on the frontend page */
@ -530,6 +530,8 @@ class altq_root_queue {
 			$rules = " altq on  " . get_real_interface($this->GetInterface());
 			if ($this->GetScheduler())
 				$rules .= " ".strtolower($this->GetScheduler());
+			if ($this->GetQlimit() > 0)
+				$rules .= " qlimit " . $this->GetQlimit() . " ";
 			if ($this->GetBandwidth()) {
 				$rules .= " bandwidth ".trim($this->GetBandwidth());
 				if ($this->GetBwscale())
@ -1002,14 +1004,10 @@ class priq_queue {
 		$reqdfieldsn[] = gettext("Name");
 		shaper_do_input_validation($data, $reqdfields, $reqdfieldsn, $input_errors);

-                if ($data['bandwidth'] && (!is_numeric($data['bandwidth'])))
+		if ($data['bandwidth'] && (!is_numeric($data['bandwidth'])))
 			$input_errors[] = "Bandwidth must be an integer.";
-                if ($data['bandwidth'] < 0)
+		if ($data['bandwidth'] < 0)
 			$input_errors[] = "Bandwidth cannot be negative.";
-                if ($data['qlimit'] && (!is_numeric($data['qlimit'])))
-			$input_errors[] = "Qlimit must be an integer.";
-	 	if ($data['qlimit'] < 0)
-			$input_errors[] = "Qlimit must be an positive.";
 		if ($data['priority'] && (!is_numeric($data['priority'])
 		    || ($data['priority'] < 1) || ($data['priority'] > 15))) {
 			$input_errors[] = gettext("The priority must be an integer between 1 and 15.");
@ -1196,7 +1194,7 @@ class priq_queue {
 		$form .= "<td width=\"78%\" class=\"vtable\"> <input name=\"qlimit\" type=\"text\" id=\"qlimit\" size=\"8\" value=\"";
 		$form .= htmlspecialchars($this->GetQlimit());
 		$form .= "\" />";
-		$form .= "<br/> <span class=\"vexpl\">" . gettext("Queue limit in packets per second."); 
+		$form .= "<br/> <span class=\"vexpl\">" . gettext("Queue limit in packets."); 
 		$form .= "</span></td></tr>";
 		$form .= "<tr>";
 		$form .= "<td width=\"22%\" valign=\"middle\" class=\"vncell\">" . gettext("Scheduler options") . "</td>";
@ -1229,7 +1227,7 @@ class priq_queue {
 		$tmpvalue = $this->GetCodel();
 		if(!empty($tmpvalue)) 
 			$form .=  " checked=\"checked\"";
-		$form .= " /> <a target=\"_new\" href=\"http://http://www.bufferbloat.net/projects/codel/wiki\">" . gettext("Codel Active Queue") . "</a><br/>";
+		$form .= " /> <a target=\"_new\" href=\"http://www.bufferbloat.net/projects/codel/wiki\">" . gettext("Codel Active Queue") . "</a><br/>";
 		$form .= "<span class=\"vexpl\"><br/>" . gettext("Select options for this queue");
 		$form .= "</span></td></tr><tr>";
 		$form .= "<td width=\"22%\" class=\"vncellreq\">" . gettext("Description") . "</td>";
@ -1648,7 +1646,7 @@ class hfsc_queue extends priq_queue {
 				$input_errors[] = ("upperlimit m1 cannot be smaller than m2");

 			if (get_interface_bandwidth($this) < (0.8 * (floatval($bw_1) + floatval($bw_2))))
-				$input_errors[] = ("upperlimit specification excedd 80% of allowable allocation.");
+				$input_errors[] = ("upperlimit specification exceeds 80% of allowable allocation.");
 		}
 		*/
 		if ($data['linkshare1'] <> "" &&  $data['linkshare2'] == "")
@ -1674,7 +1672,7 @@ class hfsc_queue extends priq_queue {
                        	$input_errors[] = ("linkshare m1 cannot be smaller than m2");

 			if (get_interface_bandwidth($this) < (0.8 * (floatval($bw_1) + floatval($bw_2))))
-                        	$input_errors[] = ("linkshare specification excedd 80% of allowable allocation.");
+                        	$input_errors[] = ("linkshare specification exceeds 80% of allowable allocation.");
 		}
 		*/

@ -1693,7 +1691,7 @@ class hfsc_queue extends priq_queue {
                        	$input_errors[] = ("realtime m1 cannot be smaller than m2");

 			if (get_interface_bandwidth($this) < (0.8 * (floatval($bw_1) + floatval($bw_2))))
-				$input_errors[] = ("realtime specification excedd 80% of allowable allocation.");
+				$input_errors[] = ("realtime specification exceeds 80% of allowable allocation.");
 		}
 		*/
 	}
@ -2050,6 +2048,9 @@ class hfsc_queue extends priq_queue {
 		$cflink['ecn'] = trim($this->GetEcn());
 		if (empty($cflink['ecn']))
 			unset($cflink['ecn']);
+		$cflink['codel'] = trim($this->GetCodel());
+		if (empty($cflink['codel']))
+			unset($cflink['codel']);
 		if ($this->GetLinkshare() <> "") {
 			if ($this->GetL_m1() <> "") {
 				$cflink['linkshare1'] = $this->GetL_m1();
@ -2469,6 +2470,9 @@ class cbq_queue extends priq_queue {
 		$cflink['ecn'] = trim($this->GetEcn());
 		if (empty($cflink['ecn']))
 			unset($cflink['ecn']);
+		$cflink['codel'] = trim($this->GetCodel());
+		if (empty($cflink['codel']))
+			unset($cflink['codel']);
 		$cflink['borrow'] = trim($this->GetBorrow());
 		if (empty($cflink['borrow']))
 			unset($cflink['borrow']);
@ -2747,6 +2751,9 @@ class fairq_queue extends priq_queue {
 		$cflink['ecn'] = trim($this->GetEcn());
 		if (empty($cflink['ecn']))
 			unset($cflink['ecn']);
+		$cflink['codel'] = trim($this->GetCodel());
+		if (empty($cflink['codel']))
+			unset($cflink['codel']);
 		$cflink['buckets'] = trim($this->GetBuckets());
 		if (empty($cflink['buckets']))
 			unset($cflink['buckets']);
@ -2782,24 +2789,7 @@ class dummynet_class {
        var $mask;
        var $noerror;
        
-        var $ipv6allow;
-        
-        /* constructor */
-                
-        function __construct() {
-                global $config;
-                if (isset($config['system']['ipv6allow']))
-                        $this->ipv6allow = True;
-                else
-                        $this->ipv6allow = False;
-
-        }
-
        /* Accessor functions */
-        function IPV6Enabled() {
-                return $this->ipv6allow;
-        }
-        
        function SetLink($link) {
                $this->link = $link;
        }
@ -2883,14 +2873,11 @@ class dummynet_class {
 		$javascript .= "if ((e.options[e.selectedIndex].text == \"none\") || enable_over) {\n";
 		$javascript .= "document.iform.maskbits.disabled = 1;\n";
 		$javascript .= "document.iform.maskbits.value = \"\";\n";
-                if ($this->IPV6Enabled()) {
-                        $javascript .= "document.iform.maskbitsv6.disabled = 1;\n";
-                        $javascript .= "document.iform.maskbitsv6.value = \"\";\n";
-                }
+		$javascript .= "document.iform.maskbitsv6.disabled = 1;\n";
+		$javascript .= "document.iform.maskbitsv6.value = \"\";\n";
 		$javascript .= "} else {\n";
 		$javascript .= "document.iform.maskbits.disabled = 0;\n";
-                if ($this->IPV6Enabled())
-                        $javascript .= "document.iform.maskbitsv6.disabled = 0;\n";
+                $javascript .= "document.iform.maskbitsv6.disabled = 0;\n";
 		$javascript .= "}}\n";
 		$javascript .= "//]]>\n";
 		$javascript .= "</script>\n";
@ -2900,6 +2887,8 @@ class dummynet_class {
 	function validate_input($data, &$input_errors) {
 		$reqdfields[] = "bandwidth";
 		$reqdfieldsn[] = gettext("Bandwidth");
+		$reqdfields[] = "burst";
+		$reqdfieldsn[] = gettext("Burst");
 		$reqdfields[] = "bandwidthtype";
 		$reqdfieldsn[] = gettext("Bandwidthtype");
 		$reqdfields[] = "newname";
@ -2907,11 +2896,11 @@ class dummynet_class {

 		shaper_do_input_validation($data, $reqdfields, $reqdfieldsn, $input_errors);

-		if ($data['plr'] && ((!is_numeric($data['plr'])) ||
-			($data['plr'] <= 0 && $data['plr'] > 1))) 
-				$input_errors[] = gettext("Plr must be an integer between 1 and 100.");
-		if (($data['buckets'] && (!is_numeric($data['buckets']))) ||
-			($data['buckets'] < 1 && $data['buckets'] > 100)) 
+		if ($data['plr'] && (!is_numeric($data['plr']) ||
+			($data['plr'] < 0) || ($data['plr'] > 1))) 
+				$input_errors[] = gettext("Plr must be a value between 0 and 1.");
+		if ($data['buckets'] && (!is_numeric($data['buckets']) ||
+			($data['buckets'] < 16) || ($data['buckets'] > 65535)))
 				$input_errors[] = gettext("Buckets must be an integer between 16 and 65535.");
 		if ($data['qlimit'] && (!is_numeric($data['qlimit']))) 
            		$input_errors[] = gettext("Queue limit must be an integer");
@ -2922,11 +2911,9 @@ class dummynet_class {
                if (isset($data['maskbits']) && ($data['maskbits'] <> ""))
 			if ((!is_numeric($data['maskbits'])) || ($data['maskbits'] <= 0) || ($data['maskbits'] > 32))
 				$input_errors[] = gettext("IPV4 bit mask must be blank or numeric value between 1 and 32.");
-                if ($this->IPV6Enabled())
-                        if (isset($data['maskbitsv6']) && ($data['maskbitsv6'] <> "")) {
-				if ((!is_numeric($data['maskbitsv6'])) || ($data['maskbitsv6'] <= 0) || ($data['maskbitsv6'] > 128))
-					$input_errors[] = gettext("IPV6 bit mask must be blank or numeric value between 1 and 128.");
-			}
+		if (isset($data['maskbitsv6']) && ($data['maskbitsv6'] <> ""))
+			if ((!is_numeric($data['maskbitsv6'])) || ($data['maskbitsv6'] <= 0) || ($data['maskbitsv6'] > 128))
+				$input_errors[] = gettext("IPV6 bit mask must be blank or numeric value between 1 and 128.");
 	}
 	
 	function build_mask_rules(&$pfq_rule) {
@ -2936,24 +2923,20 @@ class dummynet_class {
 				$pfq_rule .= " mask";
 			switch ($mask['type']) {
 			case 'srcaddress':
-                                if ($this->IPV6Enabled()) {
-                                        if (!empty($mask['bitsv6']) && ($mask['bitsv6'] <> ""))
-                                                $pfq_rule .= " src-ip6 /" . $mask['bitsv6'];
-					else
-						$pfq_rule .= " src-ip6 /128";
-                                }
+				if (!empty($mask['bitsv6']) && ($mask['bitsv6'] <> ""))
+					$pfq_rule .= " src-ip6 /" . $mask['bitsv6'];
+				else
+					$pfq_rule .= " src-ip6 /128";
                                if (!empty($mask['bits']) && ($mask['bits'] <> ""))
                                        $pfq_rule .= sprintf(" src-ip 0x%x", gen_subnet_mask_long($mask['bits']));
                                else
 					$pfq_rule .= " src-ip 0xffffffff";
 				break;
 			case 'dstaddress':
-                                if ($this->IPV6Enabled()) {
-                                        if (!empty($mask['bitsv6']) && ($mask['bitsv6'] <> ""))
-                                                $pfq_rule .= " dst-ip6 /" . $mask['bitsv6'];
-					else
-						$pfq_rule .= " dst-ip6 /128";
-                                }
+				if (!empty($mask['bitsv6']) && ($mask['bitsv6'] <> ""))
+					$pfq_rule .= " dst-ip6 /" . $mask['bitsv6'];
+				else
+					$pfq_rule .= " dst-ip6 /128";
                                if (!empty($mask['bits']) && ($mask['bits'] <> ""))
                                        $pfq_rule .= sprintf(" dst-ip 0x%x", gen_subnet_mask_long($mask['bits']));
                                else
@ -2997,6 +2980,12 @@ class dnpipe_class extends dummynet_class {
        function SetBandwidth($bandwidth) {
                $this->qbandwidth = $bandwidth;
        }
+		function GetBurst() {
+				return $this->qburst;
+		}
+		function SetBurst($burst) {
+				$this->qburst = $burst;
+		}

 	function &add_queue($interface, &$queue, &$path, &$input_errors) {

@ -3065,6 +3054,8 @@ class dnpipe_class extends dummynet_class {
 			if (!empty($data["bandwidth{$i}"])) {
 				if (!is_numeric($data["bandwidth{$i}"]))
 					$input_errors[] = sprintf(gettext("Bandwidth for schedule %s must be an integer."), $data["bwsched{$i}"]);
+				else if (($data["burst{$i}"] != "") && (!is_numeric($data["burst{$i}"])))
+					$input_errors[] = sprintf(gettext("Burst for schedule %s must be an integer."), $data["bwsched{$i}"]);
 				else
 					$entries++;
 			}
@ -3095,6 +3086,7 @@ class dnpipe_class extends dummynet_class {
 				if (isset($q["bandwidth{$i}"]) && $q["bandwidth{$i}"] <> "") { 
 					$bw = array();
 					$bw['bw'] = $q["bandwidth{$i}"];
+					$bw['burst'] = $q["burst{$i}"];
 					if (isset($q["bwtype{$i}"]) && $q["bwtype{$i}"])
 						$bw['bwscale'] = $q["bwtype{$i}"];
 					if (isset($q["bwsched{$i}"]) && $q["bwsched{$i}"])
@ -3104,9 +3096,12 @@ class dnpipe_class extends dummynet_class {
 			}
 			$this->SetBandwidth($bandwidth);
 		}
-		if (is_array($q['bandwidth']) && is_array($q['bandwidth']['item']))
+		
+		if (is_array($q['bandwidth']) && is_array($q['bandwidth']['item'])) {
 			$this->SetBandwidth($q['bandwidth']['item']);
-
+			$this->SetBurst($q['burst']['item']);
+		}
+			
 		if (isset($q['qlimit']) && $q['qlimit'] <> "")
              		$this->SetQlimit($q['qlimit']);
 		else
@ -3177,6 +3172,8 @@ class dnpipe_class extends dummynet_class {
 							if ($bw['bwsched'] == $schedule['name']) {
 								if (filter_get_time_based_rule_status($schedule)) {
 									$pfq_rule .= " bw ".trim($bw['bw']).$bw['bwscale'];
+									if (is_numeric($bw['burst']) && ($bw['burst'] > 0))
+										$pfq_rule .= " burst ".trim($bw['burst']);
 									$found = true;
 									break;
 								}
@ -3189,6 +3186,8 @@ class dnpipe_class extends dummynet_class {
 					}
 				} else {
 					$pfq_rule .= " bw ".trim($bw['bw']).$bw['bwscale'];
+					if (is_numeric($bw['burst']) && ($bw['burst'] > 0))
+						$pfq_rule .= " burst ".trim($bw['burst']);
 					$found = true;
 					break;
 				}
@ -3199,7 +3198,7 @@ class dnpipe_class extends dummynet_class {
 			$pfq_rule .= " bw 0";

 		if ($this->GetQlimit())
-                    	$pfq_rule .= " queue " . $this->GetQlimit();
+			$pfq_rule .= " queue " . $this->GetQlimit();
 		if ($this->GetPlr())
 			$pfq_rule .= " plr " . $this->GetPlr();
 		if ($this->GetBuckets())
@ -3253,6 +3252,9 @@ var addBwRowTo = (function() {
 	td.innerHTML="<input type='hidden' value='" + totalrows +"' name='bandwidth_row-" + totalrows + "' /><input size='10' type='text' class='formfld unknown' name='bandwidth" + totalrows + "' id='bandwidth" + totalrows + "' />";
 	tr.appendChild(td);
 	td = d.createElement("td");
+	td.innerHTML="<input type='hidden' value='" + totalrows +"' name='burst_row-" + totalrows + "' /><input size='10' type='text' class='formfld unknown' name='burst" + totalrows + "' id='burst" + totalrows + "' />";
+	tr.appendChild(td);
+	td = d.createElement("td");
 	td.innerHTML="<input type='hidden' value='" + totalrows +"' name='bwtype_row-" + totalrows + "' /><select class='formselect' name='bwtype" + totalrows + "'>{$bwopt}</select>";
 	tr.appendChild(td);
 	td = d.createElement("td");
@ -3321,7 +3323,8 @@ EOD;
 		$form .= "</td><td class=\"vncellreq\">";
 		$form .= "<table id='maintable'>";
 		$form .= "<tbody><tr>";
-		$form .= "<td width='40%'><div id='onecolumn'>Bandwidth</div></td>";
+		$form .= "<td width='35%'><div id='onecolumn'>Bandwidth</div></td>";
+		$form .= "<td width='35%'><div id='fifthcolumn'>Burst</div></td>";
 		$form .= "<td width='20%'><div id='twocolumn'>Bw type</div></td>";
 		$form .= "<td width='35%' ><div id='thirdcolumn'>Schedule</div></td>";
 		$form .= "<td width='5%'><div id='fourthcolumn'></div></td>";
@ -3331,6 +3334,8 @@ EOD;
 				$form .= "\n<tr><td width='40%'>";
 				$form .= "<input class='formfld unknown' size='10' type=\"text\" id=\"bandwidth{$bwidx}\" name=\"bandwidth{$bwidx}\" value=\"{$bw['bw']}\" />";
 				$form .= "</td><td width='20%'>";
+				$form .= "<input class='formfld unknown' size='10' type=\"text\" id=\"burst{$bwidx}\" name=\"burst{$bwidx}\" value=\"{$bw['burst']}\" />";
+				$form .= "</td><td width='20%'>";
 				$form .= "<select id=\"bwtype{$bwidx}\" name=\"bwtype{$bwidx}\" class=\"formselect\">";
 				foreach (array("Kb" => "Kbit/s", "Mb" => "Mbit/s", "Gb" => "Gbit/s", "b" => "Bit/s") as $bwsidx => $bwscale) {
 					$form .= "<option value=\"{$bwsidx}\"";
@ -3356,6 +3361,7 @@ EOD;
 		$form .= "</tbody></table>";
 		$form .= "<a onclick=\"javascript:addBwRowTo('maintable'); return false;\" href='#'>";
 		$form .= "<img border='0' src='/themes/{$g['theme']}/images/icons/icon_plus.gif' alt='add' title='" . gettext("add another schedule") . "' /></a>";
+		$form .= "<br/><span class=\"vexpl\">" . gettext("Bandwidth is a rate (e.g. Mbit/s), burst is a total amount of data that will be transferred at full speed after an idle period.") . "</span><br />";
 		$form .= "</td></tr>";
 		$form .= "<tr><td valign=\"middle\" class=\"vncellreq\">" . gettext("Mask") . "</td>";
 		$form .= "<td class=\"vncellreq\">";
@ -3385,19 +3391,17 @@ EOD;
 		$form .= $mask['bits'];
 		$form .= "\"";
 		if ($mask['type'] == "none")
-			$form .= " disabled";
+			$form .= " disabled=\"disabled\"";
 		$form .= " />";
 		$form .= "&nbsp; IPV4 mask bits (1-32)<br/>";
-                if ($this->IPV6Enabled()) {
-                        $form .= "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/&nbsp;<input type=\"text\" class=\"formfld unknown\" size=\"2\" id=\"maskbitsv6\" name=\"maskbitsv6\" value=\"";
-                        if ($mask['type'] <> "none")
-                        $form .= $mask['bitsv6'];
-                        $form .= "\"";
-                        if ($mask['type'] == "none")
-                                $form .= " disabled";
-                        $form .= " />";
-                        $form .= "&nbsp; IPV6 mask bits (1-128)<br/>";
-                }
+		$form .= "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/&nbsp;<input type=\"text\" class=\"formfld unknown\" size=\"2\" id=\"maskbitsv6\" name=\"maskbitsv6\" value=\"";
+		if ($mask['type'] <> "none")
+		$form .= $mask['bitsv6'];
+		$form .= "\"";
+		if ($mask['type'] == "none")
+			$form .= " disabled=\"disabled\"";
+		$form .= " />";
+		$form .= "&nbsp; IPV6 mask bits (1-128)<br/>";
 		$form .= "<span class=\"vexpl\">" . gettext("If 'source' or 'destination' slots is chosen, \n"
 		      .  "leaving the mask bits blank will create one pipe per host. Otherwise specify \n"
 		      .  "the number of 'one' bits in the subnet mask used to group multiple hosts \n"
@ -3483,10 +3487,7 @@ EOD;
 		$mask = $this->GetMask();
 		$cflink['mask'] = $mask['type'];
 		$cflink['maskbits'] = $mask['bits'];
-                if ($this->IPV6Enabled())
-                        $cflink['maskbitsv6'] = $mask['bitsv6'];
-                else
-                        $cflink['maskbitsv6'] = "";
+                $cflink['maskbitsv6'] = $mask['bitsv6'];
 		$cflink['delay'] = $this->GetDelay();
 	}

@ -3572,6 +3573,14 @@ class dnqueue_class extends dummynet_class {
 		else
 			$maskbitsv6 = "";
 		$this->SetMask(array("type" => $masktype, "bits" => $maskbits, "bitsv6" => $maskbitsv6));
+		if (isset($q['buckets']) && $q['buckets'] <> "")
+			$this->SetBuckets($q['buckets']);
+		else
+			$this->SetBuckets("");
+		if (isset($q['plr']) && $q['plr'] <> "")
+			$this->SetPlr($q['plr']);
+		else
+			$this->SetPlr("");
       		if (isset($q['weight']) && $q['weight'] <> "")
            		$this->SetWeight($q['weight']);
 		else
@ -3663,19 +3672,17 @@ class dnqueue_class extends dummynet_class {
 		$form .= $mask['bits'];
 		$form .= "\"";
 		if ($mask['type'] == "none")
-			$form .= " disabled";
+			$form .= " disabled=\"disabled\"";
 		$form .= " />";
 		$form .= "&nbsp; IPV4 mask bits (1-32)<br/>";
-                if ($this->IPV6Enabled()) {
-                        $form .= "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/&nbsp;<input type=\"text\" class=\"formfld unknown\" size=\"2\" id=\"maskbitsv6\" name=\"maskbitsv6\" value=\"";
-                        if ($mask['type'] <> "none")
-                        $form .= $mask['bitsv6'];
-                        $form .= "\"";
-                        if ($mask['type'] == "none")
-                                $form .= " disabled";
-                        $form .= " />";
-                        $form .= "&nbsp; IPV6 mask bits (1-128)<br/>";
-                }
+		$form .= "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/&nbsp;<input type=\"text\" class=\"formfld unknown\" size=\"2\" id=\"maskbitsv6\" name=\"maskbitsv6\" value=\"";
+		if ($mask['type'] <> "none")
+		$form .= $mask['bitsv6'];
+		$form .= "\"";
+		if ($mask['type'] == "none")
+			$form .= " disabled=\"disabled\"";
+		$form .= " />";
+		$form .= "&nbsp; IPV6 mask bits (1-128)<br/>";
 		$form .= "<span class=\"vexpl\">" . gettext("If 'source' or 'destination' slots is chosen, \n"
 		      .  "leaving the mask bits blank will create one pipe per host. Otherwise specify \n"
 		      .  "the number of 'one' bits in the subnet mask used to group multiple hosts \n"
@ -3701,7 +3708,7 @@ class dnqueue_class extends dummynet_class {
 		$form .= "<input name=\"weight\" type=\"text\" id=\"weight\" size=\"5\" value=\"";
 		$form .= $this->GetWeight() . "\" />";
 		$form .= "&nbsp;<br/> <span class=\"vexpl\">" . gettext("Hint: For queues under the same parent "
-		      .  "this specifies the share that a queue gets(values range from 1 to 100, you can leave it blank otherwise)") . "</span>";
+		      .  "this specifies the share that a queue gets (values range from 1 to 100, higher values get a larger share. Can be left blank.)") . "</span>";
 		$form .= "</td></tr>";
 		$form .= "<tr style=\"display:none\" id=\"sprtable1\">";
 		$form .= "<td valign=\"middle\" class=\"vncellreq\">" . gettext("Packet loss rate") . "</td>";
@ -3758,10 +3765,7 @@ class dnqueue_class extends dummynet_class {
 		$mask = $this->GetMask();
 		$cflink['mask'] = $mask['type'];
 		$cflink['maskbits'] = $mask['bits'];
-                if ($this->IPV6Enabled())
-                        $cflink['maskbitsv6'] = $mask['bitsv6'];
-                else
-                        $cflink['maskbitsv6'] = "";
+                $cflink['maskbitsv6'] = $mask['bitsv6'];
 	}
 }

@ -4091,7 +4095,7 @@ function generate_layer7_files() {
 	if (!is_module_loaded("ipdivert.ko"))
 		mwexec("/sbin/kldload ipdivert.ko");

-	mwexec("rm -f {$g['tmp_path']}/*.l7");
+	array_map('unlink', glob("{$g['tmp_path']}/*.l7"));
    }
    
    foreach($layer7_rules_list as $l7rules) {
@ -4122,7 +4126,7 @@ function layer7_start_l7daemon() {
            $path = "{$g['tmp_path']}/" . $filename;

 	    unset($l7pid);
-	    /* Only reread the configuration rather than restart to avoid loosing information. */
+	    /* Only reread the configuration rather than restart to avoid losing information. */
 	    exec("/bin/pgrep -f 'ipfw-classifyd .* -p ". $l7rules->GetRPort() . "'", $l7pid);
 	    if (count($l7pid) > 0) {
 		log_error(sprintf(gettext("Sending HUP signal to %s"), $l7pid[0]));
@ -4306,7 +4310,7 @@ function read_altq_config() {
 			foreach ($conf['queue'] as $key1 => $q) {
 				array_push($path, $key1);
 				/* 
-				 * XXX: we compeletely ignore errors here but anyway we must have 
+				 * XXX: we completely ignore errors here but anyway we must have 
 				 *	checked them before so no harm should be come from this.
 				 */
 				$root->add_queue($root->GetInterface(), $q, &$path, $input_errors);
@ -4345,7 +4349,7 @@ function read_dummynet_config() {
 			foreach ($conf['queue'] as $key1 => $q) {
 				array_push($path, $key1);
 				/* 
-				 * XXX: we compeletely ignore errors here but anyway we must have 
+				 * XXX: we completely ignore errors here but anyway we must have 
 				 *	checked them before so no harm should be come from this.
 				 */	
 				$root->add_queue($root->GetQname(), $q, &$path, $input_errors);
@ -4405,7 +4409,7 @@ function dnqueue_find_nextnumber() {
 	$found = false;
 	foreach ($dnused as $dnnum) {
 		if (($dnnum - $dnnumber) > 1) {
-			$dnnumber = $dnnum + 1;
+			$dnnumber = $dnnum - 1;
 			$found = true;
 			break;
 		} else
@ -4431,7 +4435,7 @@ function dnpipe_find_nextnumber() {
 	$found = false;
 	foreach ($dnused as $dnnum) {
 		if (($dnnum - $dnnumber) > 1) {
-			$dnnumber = $dnnum + 1;
+			$dnnumber = $dnnum - 1;
 			$found = true;
 			break;
 		} else
--- a/etc/inc/simplepie/simplepie.inc
+++ b/etc/inc/simplepie/simplepie.inc
@ -1817,7 +1817,7 @@ function embed_wmedia(width, height, link) {
 	}

 	/**
-	 * Return the error message for the occured error
+	 * Return the error message for the occurred error
 	 *
 	 * @access public
 	 * @return string Error message
@ -10738,7 +10738,7 @@ class SimplePie_Misc
 		return (bool) preg_match('/^([A-Za-z0-9\-._~\x{A0}-\x{D7FF}\x{F900}-\x{FDCF}\x{FDF0}-\x{FFEF}\x{10000}-\x{1FFFD}\x{20000}-\x{2FFFD}\x{30000}-\x{3FFFD}\x{40000}-\x{4FFFD}\x{50000}-\x{5FFFD}\x{60000}-\x{6FFFD}\x{70000}-\x{7FFFD}\x{80000}-\x{8FFFD}\x{90000}-\x{9FFFD}\x{A0000}-\x{AFFFD}\x{B0000}-\x{BFFFD}\x{C0000}-\x{CFFFD}\x{D0000}-\x{DFFFD}\x{E1000}-\x{EFFFD}!$&\'()*+,;=@]|(%[0-9ABCDEF]{2}))+$/u', $string);
 	}

-	function space_seperated_tokens($string)
+	function space_separated_tokens($string)
 	{
 		$space_characters = "\x20\x09\x0A\x0B\x0C\x0D";
 		$string_length = strlen($string);
@ -11830,7 +11830,7 @@ class SimplePie_Parse_Date
 	/**
 	 * Parse a superset of W3C-DTF (allows hyphens and colons to be omitted, as
 	 * well as allowing any of upper or lower case "T", horizontal tabs, or
-	 * spaces to be used as the time seperator (including more than one))
+	 * spaces to be used as the time separator (including more than one))
 	 *
 	 * @access protected
 	 * @return int Timestamp
@ -12904,7 +12904,7 @@ class SimplePie_Locator
 			}
 			if (isset($link['attribs']['href']['data']) && isset($link['attribs']['rel']['data']))
 			{
-				$rel = array_unique(SimplePie_Misc::space_seperated_tokens(strtolower($link['attribs']['rel']['data'])));
+				$rel = array_unique(SimplePie_Misc::space_separated_tokens(strtolower($link['attribs']['rel']['data'])));

 				if ($this->base_location < $link['offset'])
 				{
@ -13669,4 +13669,4 @@ class SimplePie_Sanitize
 	}
 }

-?>
+?>
--- a/etc/inc/smtp.inc
+++ b/etc/inc/smtp.inc
@ -20,6 +20,7 @@ class smtp_class
 	var $host_name="";
 	var $host_port=25;
 	var $ssl=0;
+	var $tls=0;
 	var $localhost="";
 	var $timeout=0;
 	var $data_timeout=0;
@ -213,7 +214,7 @@ class smtp_class

 	Function ConnectToHost($domain, $port, $resolve_message)
 	{
-		if($this->ssl)
+		if($this->ssl || $this->tls)
 		{
 			$version=explode(".",function_exists("phpversion") ? phpversion() : "3.0.7");
 			$php_version=intval($version[0])*1000000+intval($version[1])*1000+intval($version[2]);
@ -461,62 +462,20 @@ class smtp_class
 			socket_set_timeout($this->connection,$timeout,0);
 		if($this->debug)
 			$this->OutputDebug(sprintf(gettext("Connected to SMTP server \"%s\"."), $domain));
-		if(!strcmp($localhost=$this->localhost,"")
-		&& !strcmp($localhost=getenv("SERVER_NAME"),"")
-		&& !strcmp($localhost=getenv("HOST"),"")
-		&& !strcmp($localhost=getenv("HOSTNAME"),"")
-		&& !strcmp($localhost=exec("/bin/hostname"),""))
-			$localhost="localhost";
-		$success=0;
 		if($this->VerifyResultLines("220",$responses)>0)
 		{
-			$fallback=1;
-			if($this->esmtp
-			|| strlen($this->user))
-			{
-				if($this->PutLine("EHLO $localhost"))
-				{
-					if(($success_code=$this->VerifyResultLines("250",$responses))>0)
-					{
-						$this->esmtp_host=$this->Tokenize($responses[0]," ");
-						for($response=1;$response<count($responses);$response++)
-						{
-							$extension=strtoupper($this->Tokenize($responses[$response]," "));
-							$this->esmtp_extensions[$extension]=$this->Tokenize("");
-						}
-						$success=1;
-						$fallback=0;
-					}
-					else
-					{
-						if($success_code==0)
-						{
-							$code=$this->Tokenize($this->error," -");
-							switch($code)
-							{
-								case "421":
-									$fallback=0;
-									break;
-							}
-						}
-					}
-				}
-				else
-					$fallback=0;
-			}
-			if($fallback)
-			{
-				if($this->PutLine("HELO $localhost")
-				&& $this->VerifyResultLines("250",$responses)>0)
-					$success=1;
-			}
+			// Send our HELLO
+			$success = $this->hello($this->hostname());
+			if ($this->tls)
+				$success = $this->startTLS();
+
 			if($success
 			&& strlen($this->user)
 			&& strlen($this->pop3_auth_host)==0)
 			{
 				if(!IsSet($this->esmtp_extensions["AUTH"]))
 				{
-					$this->error=gettext("server does not require authentication");
+					$this->error = gettext("server does not require authentication");
 					$success=0;
 				}
 				else
@ -599,6 +558,64 @@ class smtp_class
 		return($success);
 	}

+	Function hostname() {
+		if(!strcmp($localhost=$this->localhost,"")
+		&& !strcmp($localhost=getenv("SERVER_NAME"),"")
+		&& !strcmp($localhost=getenv("HOST"),"")
+		&& !strcmp($localhost=getenv("HOSTNAME"),"")
+		&& !strcmp($localhost=gethostname(),""))
+			$localhost="localhost";
+
+		return $localhost;
+	}
+
+	Function hello()
+	{
+		$success = 0;
+		$fallback = 1;
+		if ($this->esmtp || strlen($this->user)) {
+			if ($this->PutLine("EHLO ".$this->hostname())) {
+				if (($success_code = $this->VerifyResultLines("250",$responses)) > 0) {
+					$this->esmtp_host = $this->Tokenize($responses[0]," ");
+					for($response=1;$response<count($responses);$response++) {
+						$extension = strtoupper($this->Tokenize($responses[$response]," "));
+						$this->esmtp_extensions[$extension]=$this->Tokenize("");
+					}
+					$success = 1;
+					$fallback = 0;
+				} else {
+					if ($success_code == 0) {
+						$code = $this->Tokenize($this->error," -");
+						switch($code) {
+							case "421":
+								$fallback=0;
+								break;
+						}
+					}
+				}
+			} else
+				$fallback=0;
+		}
+
+		if ($fallback) {
+			if ($this->PutLine("HELO $localhost") && $this->VerifyResultLines("250",$responses)>0)
+				$success=1;
+		}
+		return $success;
+	}
+
+	Function startTLS() {
+		if ($this->PutLine("STARTTLS") && $this->VerifyResultLines("220",$responses)>0) {
+			if (!stream_socket_enable_crypto($this->connection,true,STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
+				return false;
+			} else {
+				// Resend HELO since session has been reset
+				return $this->hello($this->hostname);
+			}
+		} else
+			return false;
+	}
+
 	Function MailFrom($sender)
 	{
 		if($this->direct_delivery)
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@ -33,7 +33,7 @@
 	pfSense_BUILDER_BINARIES:	/usr/sbin/powerd	/usr/bin/killall	/sbin/sysctl	/sbin/route
 	pfSense_BUILDER_BINARIES:	/bin/hostname	/bin/ls	/usr/sbin/syslogd	
 	pfSense_BUILDER_BINARIES:	/usr/sbin/pccardd	/usr/local/sbin/lighttpd	/bin/chmod 	/bin/mkdir
-	pfSense_BUILDER_BINARIES:	/usr/bin/tar		/usr/local/bin/ntpd	/usr/sbin/ntpdate
+	pfSense_BUILDER_BINARIES:	/usr/bin/tar		/usr/local/sbin/ntpd	/usr/sbin/ntpdate
 	pfSense_BUILDER_BINARIES:	/usr/bin/nohup	/sbin/dmesg	/usr/local/sbin/atareinit	/sbin/kldload
 	pfSense_MODULE:	utils
 */
@ -154,12 +154,12 @@ function system_resolvconf_generate($dynupdate = false) {
 				if (is_ipaddrv4($gatewayip)) {
 					/* dns server array starts at 0 */
 					$dnscountermo = $dnscounter - 1;
-					mwexec("route change -host " . $syscfg['dnsserver'][$dnscountermo] . " {$gatewayip}");
+					mwexec("/sbin/route change -host " . $syscfg['dnsserver'][$dnscountermo] . " {$gatewayip}");
 				}
 				if (is_ipaddrv6($gatewayip)) {
 					/* dns server array starts at 0 */
 					$dnscountermo = $dnscounter - 1;
-					mwexec("route change -host -inet6 " . $syscfg['dnsserver'][$dnscountermo] . " {$gatewayip}");
+					mwexec("/sbin/route change -host -inet6 " . $syscfg['dnsserver'][$dnscountermo] . " {$gatewayip}");
 				}
 			}
 		}
@ -177,8 +177,8 @@ function get_searchdomains() {
 	
 	// Read in dhclient nameservers
 	$search_list = glob("/var/etc/searchdomain_*");
-	if (is_array($search_lists)) {
-		foreach($search_lists as $fdns) {
+	if (is_array($search_list)) {
+		foreach($search_list as $fdns) {
 			$contents = file($fdns, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
 			if (!is_array($contents))
 				continue;
@ -276,14 +276,22 @@ function system_hosts_generate() {
 			foreach ($config['dhcpd'] as $dhcpif => $dhcpifconf)
 				if(is_array($dhcpifconf['staticmap']) && isset($dhcpifconf['enable']))
 						foreach ($dhcpifconf['staticmap'] as $host)
-							if ($host['ipaddr'] && $host['hostname'])
+							if ($host['ipaddr'] && $host['hostname'] && $host['domain'])
+								$dhosts .= "{$host['ipaddr']}	{$host['hostname']}.{$host['domain']} {$host['hostname']}\n";
+							else if ($host['ipaddr'] && $host['hostname'] && $dhcpifconf['domain'])
+								$dhosts .= "{$host['ipaddr']}	{$host['hostname']}.{$dhcpifconf['domain']} {$host['hostname']}\n";
+							else if ($host['ipaddr'] && $host['hostname'])
 								$dhosts .= "{$host['ipaddr']}	{$host['hostname']}.{$syscfg['domain']} {$host['hostname']}\n";
 		}
 		if (isset($dnsmasqcfg['regdhcpstatic']) && is_array($config['dhcpdv6'])) {
 			foreach ($config['dhcpdv6'] as $dhcpif => $dhcpifconf)
 				if(is_array($dhcpifconf['staticmap']) && isset($dhcpifconf['enable']))
 						foreach ($dhcpifconf['staticmap'] as $host)
-							if ($host['ipaddrv6'] && $host['hostname'])
+							if ($host['ipaddrv6'] && $host['hostname'] && $host['domain'])
+								$dhosts .= "{$host['ipaddrv6']}	{$host['hostname']}.{$host['domain']} {$host['hostname']}\n";
+							else if ($host['ipaddrv6'] && $host['hostname'] && $dhcpifconf['domain'])
+								$dhosts .= "{$host['ipaddrv6']}	{$host['hostname']}.{$dhcpifconf['domain']} {$host['hostname']}\n";
+							else if ($host['ipaddrv6'] && $host['hostname'])
 								$dhosts .= "{$host['ipaddrv6']}	{$host['hostname']}.{$syscfg['domain']} {$host['hostname']}\n";
 		}

@ -327,8 +335,13 @@ function system_dhcpleases_configure() {
 			@touch("{$g['dhcpd_chroot_path']}/var/db/dhcpd.leases");
 		if (isvalidpid("{$g['varrun_path']}/dhcpleases.pid"))
 			sigkillbypid("{$g['varrun_path']}/dhcpleases.pid", "HUP");
-		else
+		else {
+			/* To ensure we do not start multiple instances of dhcpleases, perform some clean-up first. */
+			if (is_process_running("dhcpleases"))
+				mwexec('/bin/pkill dhcpleases');
+			@unlink("{$g['varrun_path']}/dhcpleases.pid");
 			mwexec("/usr/local/sbin/dhcpleases -l {$g['dhcpd_chroot_path']}/var/db/dhcpd.leases -d {$config['system']['domain']} -p {$g['varrun_path']}/dnsmasq.pid -h {$g['varetc_path']}/hosts");
+		}
 	} else {
 		sigkillbypid("{$g['varrun_path']}/dhcpleases.pid", "TERM");
 		@unlink("{$g['varrun_path']}/dhcpleases.pid");
@ -365,17 +378,17 @@ function system_routing_configure($interface = "") {

 	$gatewayip = "";
 	$interfacegw = "";
-	$foundgw = false;
 	$gatewayipv6 = "";
 	$interfacegwv6 = "";
+	$foundgw = false;
 	$foundgwv6 = false;
 	/* tack on all the hard defined gateways as well */
 	if (is_array($config['gateways']['gateway_item'])) {
-		mwexec("/bin/rm -f {$g['tmp_path']}/*_defaultgw {$g['tmp_path']}/*_defaultgwv6", true);
+		array_map('unlink', glob("{$g['tmp_path']}/*_defaultgw{,v6}", GLOB_BRACE));
 		foreach	($config['gateways']['gateway_item'] as $gateway) {
 			if (isset($gateway['defaultgw'])) {
-				if ($gateway['ipprotocol'] != "inet6" && (is_ipaddrv4($gateway['gateway']) || $gateway['gateway'] == "dynamic")) {
-					if(strstr($gateway['gateway'], ":"))
+				if ($foundgw == false && ($gateway['ipprotocol'] != "inet6" && (is_ipaddrv4($gateway['gateway']) || $gateway['gateway'] == "dynamic"))) {
+					if(strpos($gateway['gateway'], ":"))
 						continue;
 					if ($gateway['gateway'] == "dynamic")
 						$gateway['gateway'] = get_interface_gateway($gateway['interface']);
@ -387,8 +400,8 @@ function system_routing_configure($interface = "") {
 							@file_put_contents("{$g['tmp_path']}/{$defaultif}_defaultgw", $gateway['gateway']);
 					}
 					$foundgw = true;
-				} else if ($gateway['ipprotocol'] == "inet6" && (is_ipaddrv6($gateway['gateway']) || $gateway['gateway'] == "dynamic6")) {
-					if ($gateway['gateway'] == "dynamic6")
+				} else if ($foundgwv6 == false && ($gateway['ipprotocol'] == "inet6" && (is_ipaddrv6($gateway['gateway']) || $gateway['gateway'] == "dynamic"))) {
+					if ($gateway['gateway'] == "dynamic")
 						$gateway['gateway'] = get_interface_gateway_v6($gateway['interface']);
 					$gatewayipv6 = $gateway['gateway'];
 					$interfacegwv6 = $gateway['interface'];
@ -408,13 +421,13 @@ function system_routing_configure($interface = "") {
 		$defaultif = get_real_interface("wan");
 		$interfacegw = "wan";
 		$gatewayip = get_interface_gateway("wan");
-		@touch("{$g['tmp_path']}/{$defaultif}_defaultgw");
+		@file_put_contents("{$g['tmp_path']}/{$defaultif}_defaultgw", $gatewayip);
 	}	
 	if ($foundgwv6 == false) {
 		$defaultifv6 = get_real_interface("wan");
 		$interfacegwv6 = "wan";
 		$gatewayipv6 = get_interface_gateway_v6("wan");
-		@touch("{$g['tmp_path']}/{$defaultif}_defaultgwv6");
+		@file_put_contents("{$g['tmp_path']}/{$defaultifv6}_defaultgwv6", $gatewayipv6);
 	}
 	$dont_add_route = false;
 	/* if OLSRD is enabled, allow WAN to house DHCP. */
@ -431,16 +444,16 @@ function system_routing_configure($interface = "") {
 	if ($dont_add_route == false ) {
 		if (!empty($interface) && $interface != $interfacegw)
 			;
-		else if (($interfacegw <> "bgpd") && (is_ipaddrv4($gatewayip))) {
+		else if (is_ipaddrv4($gatewayip)) {
 			log_error("ROUTING: setting default route to $gatewayip");
 			mwexec("/sbin/route change -inet default " . escapeshellarg($gatewayip));
 		}

 		if (!empty($interface) && $interface != $interfacegwv6)
 			;
-		else if (($interfacegwv6 <> "bgpd") && (is_ipaddrv6($gatewayipv6))) {
+		else if (is_ipaddrv6($gatewayipv6)) {
 			$ifscope = "";
-			if(is_linklocal($gatewayipv6))
+			if (is_linklocal($gatewayipv6))
 				$ifscope = "%{$defaultifv6}";
 			log_error("ROUTING: setting IPv6 default route to {$gatewayipv6}{$ifscope}");
 			mwexec("/sbin/route change -inet6 default " . escapeshellarg($gatewayipv6) ."{$ifscope}");
@ -565,11 +578,11 @@ function system_syslogd_start() {
 	} else { // Defaults to CLOG
 		$log_directive = "%";
 		$log_size = "10240";
-		$log_create_directive = "/usr/sbin/clog -i -s ";
+		$log_create_directive = "/usr/local/sbin/clog -i -s ";
 	}
 	
 	if (isset($syslogcfg)) {
-		$separatelogfacilities = array('ntp','ntpd','ntpdate','racoon','openvpn','pptps','poes','l2tps','relayd','hostapd','dnsmasq','filterdns','unbound','dhcpd','dhcrelay','dhclient','apinger','radvd','routed','olsrd','zebra','ospfd','bgpd','miniupnpd');
+		$separatelogfacilities = array('ntp','ntpd','ntpdate','racoon','openvpn','pptps','poes','l2tps','relayd','hostapd','dnsmasq','filterdns','unbound','dhcpd','dhcrelay','dhclient','dhcp6c','apinger','radvd','routed','olsrd','zebra','ospfd','bgpd','miniupnpd');
 		$syslogconf = "";
 		if($config['installedpackages']['package']) {
 			foreach($config['installedpackages']['package'] as $package) {
@ -626,13 +639,11 @@ function system_syslogd_start() {
 		$syslogconf .= "!dnsmasq,filterdns,unbound\n";
 		if (!isset($syslogcfg['disablelocallogging']))
 			$syslogconf .= "*.*								{$log_directive}{$g['varlog_path']}/resolver.log\n";
-		if (isset($syslogcfg['apinger']))
-			$syslogconf .= system_syslogd_get_remote_servers($syslogcfg, "*.*");

-		$syslogconf .= "!dhcpd,dhcrelay,dhclient\n";
+		$syslogconf .= "!dhcpd,dhcrelay,dhclient,dhcp6c\n";
 		if (!isset($syslogcfg['disablelocallogging']))
 			$syslogconf .= "*.*								{$log_directive}{$g['varlog_path']}/dhcpd.log\n";
-		if (isset($syslogcfg['apinger']))
+		if (isset($syslogcfg['dhcp']))
 			$syslogconf .= system_syslogd_get_remote_servers($syslogcfg, "*.*");

 		$syslogconf .= "!relayd\n";
@ -702,7 +713,23 @@ EOD;
 		if (!is_dir("{$g['dhcpd_chroot_path']}/var/run"))
 			exec("/bin/mkdir -p {$g['dhcpd_chroot_path']}/var/run");

-		$retval = mwexec_bg("/usr/sbin/syslogd -s -c -c -l {$g['dhcpd_chroot_path']}/var/run/log -f {$g['varetc_path']}/syslog.conf");
+		$sourceip = "";
+		if (!empty($syslogcfg['sourceip'])) {
+			if ($syslogcfg['ipproto'] == "ipv6") {
+				$ifaddr = is_ipaddr($syslogcfg['sourceip']) ? $syslogcfg['sourceip'] : get_interface_ipv6($syslogcfg['sourceip']);
+				if (!is_ipaddr($ifaddr))
+					$ifaddr = get_interface_ip($syslogcfg['sourceip']);
+			} else {
+				$ifaddr = is_ipaddr($syslogcfg['sourceip']) ? $syslogcfg['sourceip'] : get_interface_ip($syslogcfg['sourceip']);
+				if (!is_ipaddr($ifaddr))
+					$ifaddr = get_interface_ipv6($syslogcfg['sourceip']);
+			}
+			if (is_ipaddr($ifaddr)) {
+				$sourceip = "-b {$ifaddr}";
+			}
+		}
+
+		$retval = mwexec_bg("/usr/sbin/syslogd -s -c -c -l {$g['dhcpd_chroot_path']}/var/run/log -f {$g['varetc_path']}/syslog.conf {$sourceip}");

 	} else {
 		$retval = mwexec_bg("/usr/sbin/syslogd -s -c -c -l {$g['dhcpd_chroot_path']}/var/run/log");
@ -740,6 +767,43 @@ function system_pccard_start() {
 	return $res;
 }

+function system_webgui_create_certificate() {
+	global $config, $g;
+
+	if (!is_array($config['ca']))
+		$config['ca'] = array();
+	$a_ca =& $config['ca'];
+	if (!is_array($config['cert']))
+		$config['cert'] = array();
+	$a_cert =& $config['cert'];
+	log_error("Creating SSL Certificate for this host");
+
+	$cert = array();
+	$cert['refid'] = uniqid();
+	$cert['descr'] = gettext("webConfigurator default ({$cert['refid']})");
+
+	$dn = array(
+		'countryName' => "US",
+		'stateOrProvinceName' => "State",
+		'localityName' => "Locality",
+		'organizationName' => "{$g['product_name']} webConfigurator Self-Signed Certificate",
+		'emailAddress' => "admin@{$config['system']['hostname']}.{$config['system']['domain']}",
+		'commonName' => "{$config['system']['hostname']}-{$cert['refid']}");
+	$old_err_level = error_reporting(0); /* otherwise openssl_ functions throw warings directly to a page screwing menu tab */
+	if (!cert_create($cert, null, 2048, 2000, $dn, "self-signed", "sha256")){
+		while($ssl_err = openssl_error_string()){
+			log_error("Error creating WebGUI Certificate: openssl library returns: " . $ssl_err);
+		}
+		error_reporting($old_err_level);
+		return null;
+	}
+	error_reporting($old_err_level);
+
+	$a_cert[] = $cert;
+	$config['system']['webgui']['ssl-certref'] = $cert['refid'];
+	write_config(gettext("Generated new self-signed HTTPS certificate ({$cert['refid']})"));
+	return $cert;
+}

 function system_webgui_start() {
 	global $config, $g;
@ -762,37 +826,14 @@ function system_webgui_start() {
 	if ($config['system']['webgui']['protocol'] == "https") {
 		// Ensure that we have a webConfigurator CERT
 		$cert =& lookup_cert($config['system']['webgui']['ssl-certref']);
-		if(!is_array($cert) && !$cert['crt'] && !$cert['prv']) {
-			if (!is_array($config['ca']))
-				$config['ca'] = array();
-			$a_ca =& $config['ca'];
-			if (!is_array($config['cert']))
-				$config['cert'] = array();
-			$a_cert =& $config['cert'];
-			log_error("Creating SSL Certificate for this host");
-			$cert = array();
-			$cert['refid'] = uniqid();
-			$cert['descr'] = gettext("webConfigurator default");
-			mwexec("/usr/local/bin/openssl genrsa 1024 > {$g['tmp_path']}/ssl.key");
-			mwexec("/usr/local/bin/openssl req -new -x509 -nodes -sha256 -days 2000 -key {$g['tmp_path']}/ssl.key > {$g['tmp_path']}/ssl.crt");
-			$crt = file_get_contents("{$g['tmp_path']}/ssl.crt");
-			$key = file_get_contents("{$g['tmp_path']}/ssl.key");
-			unlink("{$g['tmp_path']}/ssl.key");
-			unlink("{$g['tmp_path']}/ssl.crt");
-			cert_import($cert, $crt, $key);
-			$a_cert[] = $cert;
-			$config['system']['webgui']['ssl-certref'] = $cert['refid'];
-			write_config(gettext("Importing HTTPS certificate"));
-			if(!$config['system']['webgui']['port'])
-				$portarg = "443";
-			$ca = ca_chain($cert);
-		} else {
-			$crt = base64_decode($cert['crt']);
-			$key = base64_decode($cert['prv']);
-			if(!$config['system']['webgui']['port'])
-				$portarg = "443";
-			$ca = ca_chain($cert);
-		}
+		if(!is_array($cert) || !$cert['crt'] || !$cert['prv'])
+			$cert = system_webgui_create_certificate();
+		$crt = base64_decode($cert['crt']);
+		$key = base64_decode($cert['prv']);
+
+		if(!$config['system']['webgui']['port'])
+			$portarg = "443";
+		$ca  = ca_chain($cert);
 	}

 	/* generate lighttpd configuration */
@ -851,8 +892,8 @@ function system_generate_lighty_config($filename,
 		$captive_portal_mod_evasive = "evasive.max-conns-per-ip = {$maxprocperip}";

 		$server_upload_dirs = "server.upload-dirs = ( \"{$g['tmp_path']}/captiveportal/\" )\n";
-		exec("mkdir -p {$g['tmp_path']}/captiveportal");
-		exec("chmod a-w {$g['tmp_path']}/captiveportal");
+		if (!is_dir("{$g['tmp_path']}/captiveportal"))
+			@mkdir("{$g['tmp_path']}/captiveportal", 0555);
 		$server_max_request_size = "server.max-request-size    = 384";
 		$cgi_config = "";
 	} else {
@ -870,21 +911,21 @@ function system_generate_lighty_config($filename,
 		$lighty_port = $port;

 	$memory = get_memory();
-	$avail = $memory[1];
+	$realmem = $memory[1];

 	// Determine web GUI process settings and take into account low memory systems
-	if ($avail < 255)
+	if ($realmem < 255)
 		$max_procs = 1;
 	else
 		$max_procs = ($config['system']['webgui']['max_procs']) ? $config['system']['webgui']['max_procs'] : 2;

 	// Ramp up captive portal max procs, assuming each PHP process can consume up to 64MB RAM 
 	if ($captive_portal !== false)  {
-		if ($avail > 135 and $avail < 256) {
+		if ($realmem > 135 and $realmem < 256) {
 			$max_procs += 1; // 2 worker processes
-		} else if ($avail > 255 and $avail < 513) {
+		} else if ($realmem > 255 and $realmem < 513) {
 			$max_procs += 2; // 3 worker processes
-		} else if ($avail > 512) {
+		} else if ($realmem > 512) {
 			$max_procs += 4; // 6 worker processes
 		}
 		if ($max_procs > 1)
@ -893,7 +934,7 @@ function system_generate_lighty_config($filename,
 			$max_php_children = 1;

 	} else {
-		if ($avail < 78)
+		if ($realmem < 78)
 			$max_php_children = 0;
 		else
 			$max_php_children = 1;
@ -904,6 +945,14 @@ function system_generate_lighty_config($filename,
 	else
 		$fast_cgi_path = "{$g['tmp_path']}/php-fastcgi.socket";

+	if(!isset($config['syslog']['nologlighttpd'])) {
+		$lighty_use_syslog = <<<EOD
+## where to send error-messages to
+server.errorlog-use-syslog="enable"
+EOD;
+	}
+
+
 	$fastcgi_config = <<<EOD
 #### fastcgi module
 ## read fastcgi.txt for more info
@ -952,8 +1001,7 @@ server.document-root        = "{$document_root}"
 # Maximum idle time with nothing being written (php downloading)
 server.max-write-idle = 999

-## where to send error-messages to
-server.errorlog-use-syslog="enable"
+{$lighty_use_syslog}

 # files to check for if .../ is requested
 server.indexfiles           = ( "index.php", "index.html",
@ -1118,7 +1166,28 @@ EOD;

 		// Harden SSL a bit for PCI conformance testing
 		$lighty_config .= "ssl.use-sslv2 = \"disable\"\n";
-		$lighty_config .= "ssl.cipher-list = \"DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:!aNULL:!eNULL:!3DES:@STRENGTH\"\n";
+		$lighty_config .= "ssl.use-sslv3 = \"disable\"\n";
+
+		/* Hifn accelerators do NOT work with the BEAST mitigation code. Do not allow it to be enabled if a Hifn card has been detected. */
+		$fd = @fopen("{$g['varlog_path']}/dmesg.boot", "r");
+		if ($fd) {
+			while (!feof($fd)) {
+				$dmesgl = fgets($fd);
+				if (preg_match("/^hifn.: (.*?),/", $dmesgl, $matches) && isset($config['system']['webgui']['beast_protection'])) {
+						unset($config['system']['webgui']['beast_protection']);
+						log_error("BEAST Protection disabled because a conflicting cryptographic accelerator card has been detected (" . $matches[1] . ")");
+					break;
+				}
+			}
+			fclose($fd);
+		}
+
+		if (isset($config['system']['webgui']['beast_protection'])) {
+			$lighty_config .= "ssl.honor-cipher-order = \"enable\"\n";
+			$lighty_config .= "ssl.cipher-list = \"ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM\"\n";
+		} else {
+			$lighty_config .= "ssl.cipher-list = \"DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:!aNULL:!eNULL:!3DES:@STRENGTH\"\n";
+		}

 		if(!(empty($ca) || (strlen(trim($ca)) == 0)))
 			$lighty_config .= "ssl.ca-file = \"{$g['varetc_path']}/{$ca_location}\"\n\n";
@ -1163,7 +1232,17 @@ function system_timezone_configure() {

 	/* extract appropriate timezone file */
 	$timezone = $syscfg['timezone'];
-	if (!$timezone)
+	if ($timezone) {
+		exec('/usr/bin/tar -tvzf /usr/share/zoneinfo.tgz', $tzs);
+		foreach ($tzs as $tz) {
+			if (preg_match(",{$timezone}$,", $tz))
+				break;
+			if (preg_match(",{$timezone} link to *(.*)$,", $tz, $matches)) {
+				$timezone = $matches[1];
+				break;
+			}
+		}
+	} else
 		$timezone = "Etc/UTC";

 	conf_mount_rw();
@ -1248,7 +1327,7 @@ function system_ntp_configure($start_ntpd=true) {
 	foreach (explode(' ', $config['system']['timeservers']) as $ts)
 		$ntpcfg .= "server {$ts} iburst maxpoll 9\n";

-	$ntpcfg .= "enable monitor\n";
+	$ntpcfg .= "disable monitor\n";
 	$ntpcfg .= "enable stats\n";
 	$ntpcfg .= "statistics clockstats\n";
 	$ntpcfg .= "statsdir {$statsdir}\n";
@ -1271,7 +1350,8 @@ function system_ntp_configure($start_ntpd=true) {
 			if (!is_ipaddr($interface)) {
 				$interface = get_real_interface($interface);
 			}
-			$ntpcfg .= "interface listen {$interface}\n";
+			if (!empty($interface))
+				$ntpcfg .= "interface listen {$interface}\n";
 		}
 	}

@ -1293,10 +1373,10 @@ function system_ntp_configure($start_ntpd=true) {

 	/* if /var/empty does not exist, create it */
 	if(!is_dir("/var/empty"))
-		exec("/bin/mkdir -p /var/empty && chmod ug+rw /var/empty/.");
+		mkdir("/var/empty", 0775, true);

 	/* start opentpd, set time now and use /var/etc/ntpd.conf */
-	mwexec("/usr/local/bin/ntpd -g -c {$g['varetc_path']}/ntpd.conf -p {$g['varrun_path']}/ntpd.pid", false, true);
+	mwexec("/usr/local/sbin/ntpd -g -c {$g['varetc_path']}/ntpd.conf -p {$g['varrun_path']}/ntpd.pid", false, true);
 	
 	// Note that we are starting up
 	log_error("NTPD is starting up.");
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
@ -1991,7 +1991,7 @@ function upgrade_054_to_055() {
 		/* restore the databases, if we have one */
 		if (restore_rrd()) {
 			/* Make sure to move the rrd backup out of the way. We will make a new one after converting. */
-			exec("/bin/mv {$g['cf_conf_path']}/rrd.tgz {$g['cf_conf_path']}/backup");
+			@rename("{$g['cf_conf_path']}/rrd.tgz", "{$g['cf_conf_path']}/backup/rrd.tgz");
 		}
 	}

@ -2653,6 +2653,14 @@ function upgrade_080_to_081() {
 	$rrddbpath = "/var/db/rrd/";
 	$rrdtool = "/usr/bin/nice -n20 /usr/local/bin/rrdtool";

+	if ($g['platform'] != "pfSense") {
+		/* restore the databases, if we have one */
+		if (restore_rrd()) {
+			/* Make sure to move the rrd backup out of the way. We will make a new one after converting. */
+			@rename("{$g['cf_conf_path']}/rrd.tgz", "{$g['cf_conf_path']}/backup/rrd.tgz");
+		}
+	}
+
 	$rrdinterval = 60;
 	$valid = $rrdinterval * 2;

@ -2779,9 +2787,14 @@ function upgrade_080_to_081() {
 		file_put_contents("{$g['tmp_path']}/{$xmldumpnew}", $xml);
 		mwexec("$rrdtool restore -f {$g['tmp_path']}/{$xmldumpnew} {$rrddbpath}/{$database} 2>&1");
 		unset($xml);
-
+		# Default /tmp tmpfs is ~40mb, do not leave temp files around
+		unlink_if_exists("{$g['tmp_path']}/{$xmldump}");
+		unlink_if_exists("{$g['tmp_path']}/{$xmldumpnew}");
 	}
 	enable_rrd_graphing();
+	/* Let's save the RRD graphs after we run enable RRD graphing */
+	/* The function will restore the rrd.tgz so we will save it after */
+	exec("cd /; LANG=C NO_REMOUNT=1 RRDDBPATH='{$rrddbpath}' CF_CONF_PATH='{$g['cf_conf_path']}' /etc/rc.backup_rrd.sh");
 	if ($g['booting'])
 		echo "Updating configuration...";
 	foreach($config['filter']['rule'] as & $rule) {
@ -2792,9 +2805,7 @@ function upgrade_080_to_081() {
 }

 function upgrade_081_to_082() {
-	global $config, $g;
-	/* enable the allow IPv6 toggle */
-	$config['system']['ipv6allow'] = true;
+	/* don't enable the allow IPv6 toggle */
 }

 function upgrade_082_to_083() {
@ -2807,6 +2818,9 @@ function upgrade_082_to_083() {
 		$config['captiveportal']['cpzone'] = array();
 		$config['captiveportal']['cpzone'] = $tmpcp;
 		$config['captiveportal']['cpzone']['zoneid'] = 8000;
+		$config['captiveportal']['cpzone']['zone'] = "cpzone";
+		if ($config['captiveportal']['cpzone']['auth_method'] == "radius")
+			$config['captiveportal']['cpzone']['radius_protocol'] = "PAP";
 	}
 	if (!empty($config['voucher'])) {
 		$tmpcp = $config['voucher'];
@ -2889,16 +2903,11 @@ function upgrade_085_to_086() {
 		foreach ($config['virtualip']['vip'] as $vip) {
 			if ($vip['mode'] != "carp")
 				continue;
-			$vipchg[] = "s/\\([^_]\\)vip{$vip['vhid']}\\([^0-9]\\)/\\1{$vip['interface']}_vip{$vip['vhid']}\\2/g\n";
-		}
-		if (!empty($vipchg)) {
-			file_put_contents("{$g['tmp_path']}/vipreplace", $vipchg);
-			write_config();
-			mwexec("/usr/bin/sed -I \"\" -f {$g['tmp_path']}/vipreplace /conf/config.xml");
-			require_once("config.lib.inc");
-			unset($config);
-			$config = parse_config(true);
-			@unlink("{$g['tmp_path']}/vipreplace");
+			$config = array_replace_values_recursive(
+				$config,
+				'^vip' . $vip['vhid'] . '$',
+				"{$vip['interface']}_vip{$vip['vhid']}"
+			);
 		}
 	}
 }
@ -3086,4 +3095,91 @@ function upgrade_094_to_095() {
 				$config['interfaces'][$iface]['track6-prefix-id'] = 0;
 }

+function upgrade_095_to_096() {
+	global $config, $g;
+
+	$names = array("inpass", "outpass", "inblock", "outblock",
+		"inpass6", "outpass6", "inblock6", "outblock6");
+	$rrddbpath = "/var/db/rrd";
+	$rrdtool = "/usr/local/bin/rrdtool";
+
+	if ($g['platform'] != "pfSense") {
+		/* restore the databases, if we have one */
+		if (restore_rrd()) {
+			/* Make sure to move the rrd backup out of the way. We will make a new one after converting. */
+			@rename("{$g['cf_conf_path']}/rrd.tgz", "{$g['cf_conf_path']}/backup/rrd.tgz");
+		}
+	}
+
+	/* Assume 2*10GigE for now */
+	$stream = 2500000000;
+
+	/* build a list of traffic and packets databases */
+	$databases = return_dir_as_array($rrddbpath, '/-(traffic|packets)\.rrd$/');
+	rsort($databases);
+	foreach($databases as $database) {
+		if ($g['booting'])
+			echo "Update RRD database {$database}.\n";
+
+		$cmd = "{$rrdtool} tune {$rrddbpath}/{$database}";
+		foreach ($names as $name)
+			$cmd .= " -a {$name}:{$stream}";
+		mwexec("{$cmd} 2>&1");
+
+	}
+	enable_rrd_graphing();
+	/* Let's save the RRD graphs after we run enable RRD graphing */
+	/* The function will restore the rrd.tgz so we will save it after */
+	exec("cd /; LANG=C NO_REMOUNT=1 RRDDBPATH='{$rrddbpath}' CF_CONF_PATH='{$g['cf_conf_path']}' /etc/rc.backup_rrd.sh");
+}
+
+function upgrade_096_to_097() {
+	global $config, $g;
+	/* If the user had disabled default block rule logging before, then bogon/private network logging was already off, so respect their choice. */
+	if (isset($config['syslog']['nologdefaultblock'])) {
+		$config['syslog']['nologbogons'] = true;
+		$config['syslog']['nologprivatenets'] = true;
+	}
+}
+
+function upgrade_097_to_098() {
+	global $config, $g;
+	/* Disable kill_states by default */
+	$config['system']['kill_states'] = true;
+}
+
+function upgrade_098_to_099() {
+	global $config;
+
+	if (empty($config['dhcpd']) || !is_array($config['dhcpd']))
+		return;
+
+	foreach ($config['dhcpd'] as & $dhcpifconf) {
+		if (isset($dhcpifconf['next-server'])) {
+			$dhcpifconf['nextserver'] = $dhcpifconf['next-server'];
+			unset($dhcpifconf['next-server']);
+		}
+	}
+}
+
+function upgrade_099_to_100() {
+	require_once("/etc/inc/services.inc");
+	install_cron_job("/usr/bin/nice -n20 newsyslog", false);
+}
+
+function upgrade_100_to_101() {
+	global $config, $g;
+
+	if (!is_array($config['voucher']))
+		return;
+
+	foreach ($config['voucher'] as $cpzone => $cp) {
+		if (!is_array($cp['roll']))
+			continue;
+		foreach ($cp['roll'] as $ridx => $rcfg) {
+			if (!empty($rcfg['comment']))
+				$config['voucher'][$cpzone]['roll'][$ridx]['descr'] = $rcfg['comment'];
+		}
+	}
+}
 ?>
--- a/etc/inc/util.inc
+++ b/etc/inc/util.inc
@ -1,7 +1,7 @@
 <?php 
 /*
 	util.inc
-	part of the pfSense project (http://www.pfsense.com)
+	part of the pfSense project (https://www.pfsense.org)

 	originally part of m0n0wall (http://m0n0.ch/wall)
 	Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
@ -52,7 +52,7 @@ function isvalidpid($pidfile) {

 function is_process_running($process) {
 	$output = "";
-	exec("/bin/pgrep -anx {$process}", $output, $retval);
+	exec("/bin/pgrep -anx " . escapeshellarg($process), $output, $retval);

 	return (intval($retval) == 0);
 }
@ -65,7 +65,7 @@ function isvalidproc($proc) {
 /* return 1 for success and 0 for a failure */
 function sigkillbypid($pidfile, $sig) {
 	if (file_exists($pidfile))
-		return mwexec("/bin/pkill -{$sig} -F {$pidfile}", true);
+		return mwexec("/bin/pkill " . escapeshellarg("-{$sig}") . " -F {$pidfile}", true);

 	return 0;
 }
@ -73,7 +73,7 @@ function sigkillbypid($pidfile, $sig) {
 /* kill a process by name */
 function sigkillbyname($procname, $sig) {
 	if(isvalidproc($procname))
-		return mwexec("/usr/bin/killall -{$sig} " . escapeshellarg($procname), true);
+		return mwexec("/usr/bin/killall " . escapeshellarg("-{$sig}") . " " . escapeshellarg($procname), true);
 }

 /* kill a process by name */
@ -394,6 +394,13 @@ function ip_range_to_subnet_array($startip, $endip) {
 		return array();
 	}

+	if (ip_greater_than($startip, $endip)) {
+		// Swap start and end so we can process sensibly.
+		$temp = $startip;
+		$startip = $endip;
+		$endip = $temp;
+	}
+
 	// Container for subnets within this range.
 	$rangesubnets = array();

@ -433,7 +440,7 @@ function ip_range_to_subnet_array($startip, $endip) {
 		}
 	}

-	// Some logic that will recursivly search from $startip to the first IP before the start of the subnet we just found.
+	// Some logic that will recursively search from $startip to the first IP before the start of the subnet we just found.
 	// NOTE: This may never be hit, the way the above algo turned out, but is left for completeness.
 	if ($startip != $targetsub_min) {
 		$rangesubnets = array_merge($rangesubnets, ip_range_to_subnet_array($startip, ip_before($targetsub_min)));
@ -477,6 +484,10 @@ function is_ipaddr($ipaddr) {
 function is_ipaddrv6($ipaddr) {
 	if (!is_string($ipaddr) || empty($ipaddr))
 		return false;
+	if (strstr($ipaddr, "%") && is_linklocal($ipaddr)) {
+		$tmpip = explode("%", $ipaddr);
+		$ipaddr = $tmpip[0];
+	}
 	return Net_IPv6::checkIPv6($ipaddr);
 }

@ -496,7 +507,15 @@ function is_ipaddrv4($ipaddr) {

 /* returns true if $ipaddr is a valid linklocal address */
 function is_linklocal($ipaddr) {
-	return preg_match('/^fe80:/i', $ipaddr);
+	return (strtolower(substr($ipaddr, 0, 5)) == "fe80:");
+}
+
+/* returns scope of a linklocal address */
+function get_ll_scope($addr) {
+	if (!is_linklocal($addr) || !strstr($addr, "%"))
+		return "";
+	list ($ll, $scope) = explode("%", $addr);
+	return $scope;
 }

 /* returns true if $ipaddr is a valid literal IPv6 address */
@ -701,6 +720,11 @@ function is_inrange_v6($test, $start, $end) {
 		return false;
 }

+/* returns true if $test is in the range between $start and $end */
+function is_inrange($test, $start, $end) {
+	return is_ipaddrv6($test) ? is_inrange_v6($test, $start, $end) : is_inrange_v4($test, $start, $end);
+}
+
 /* return the configured carp interface list */
 function get_configured_carp_interface_list() {
 	global $config;
@ -1014,6 +1038,10 @@ function get_interface_list($mode = "active", $keyby = "physical", $vfaces = "")
 function log_error($error) {
 	global $g;
 	$page = $_SERVER['SCRIPT_NAME'];
+	if (empty($page)) {
+		$files = get_included_files();
+		$page = basename($files[0]);
+	}
 	syslog(LOG_ERR, "$page: $error");
 	if ($g['debug'])
 		syslog(LOG_WARNING, var_dump(debug_backtrace()));
@ -1049,7 +1077,7 @@ function log_auth($error) {
 ******/
 function exec_command($command) {
 	$output = array();
-	exec($command . ' 2>&1 ', $output);
+	exec($command . ' 2>&1', $output);
 	return(implode("\n", $output));
 }

@ -1275,9 +1303,9 @@ function verify_digital_signature($fname) {

 /* obtain MAC address given an IP address by looking at the ARP table */
 function arp_get_mac_by_ip($ip) {
-	mwexec("/sbin/ping -c 1 -t 1 {$ip}", true);
+	mwexec("/sbin/ping -c 1 -t 1 " . escapeshellarg($ip), true);
 	$arpoutput = "";
-	exec("/usr/sbin/arp -n {$ip}", $arpoutput);
+	exec("/usr/sbin/arp -n " . escapeshellarg($ip), $arpoutput);

 	if ($arpoutput[0]) {
 		$arpi = explode(" ", $arpoutput[0]);
@ -1498,14 +1526,15 @@ function set_sysctl($values) {
 *     get_memory()
 *     returns an array listing the amount of
 *     memory installed in the hardware
- *     [0]real and [1]available
+ *     [0] net memory available for the OS (FreeBSD) after some is taken by BIOS, video or whatever - e.g. 235 MBytes
+ *     [1] real (actual) memory of the system, should be the size of the RAM card/s - e.g. 256 MBytes
 */
 function get_memory() {

-	$real = trim(`sysctl -n hw.physmem`, " \n");
-	$avail = trim(`sysctl -n hw.realmem`, " \n");
+	$physmem = trim(`sysctl -n hw.physmem`, " \n");
+	$realmem = trim(`sysctl -n hw.realmem`, " \n");
 	/* convert from bytes to megabytes */
-	return array(($real/1048576),($avail/1048576));
+	return array(($physmem/1048576),($realmem/1048576));
 }

 function mute_kernel_msgs() {
@ -1761,6 +1790,22 @@ function is_file_included($file = "") {
 	return false;
 }

+/*
+ * Replace a value on a deep associative array using regex
+ */
+function array_replace_values_recursive($data, $match, $replace) {
+	if (empty($data))
+		return $data;
+
+	if (is_string($data))
+		$data = preg_replace("/{$match}/", $replace, $data);
+	else if (is_array($data))
+		foreach ($data as $k => $v)
+			$data[$k] = array_replace_values_recursive($v, $match, $replace);
+
+	return $data;
+}
+
 /*
 	This function was borrowed from a comment on PHP.net at the following URL:
 	http://www.php.net/manual/en/function.array-merge-recursive.php#73843
--- a/etc/inc/voucher.inc
+++ b/etc/inc/voucher.inc
@ -40,7 +40,12 @@ if(!function_exists('captiveportal_syslog'))
 function xmlrpc_sync_voucher_expire($vouchers, $syncip, $port, $password, $username) {
 	global $g, $config, $cpzone;
 	require_once("xmlrpc.inc");
-	if ($port == "443") 
+
+	$protocol = "http";
+	if (is_array($config['system']) && is_array($config['system']['webgui']) && !empty($config['system']['webgui']['protocol']) &&
+	    $config['system']['webgui']['protocol'] == "https")
+		$protocol = "https";
+	if ($protocol == "https" || $port == "443")
 		$url = "https://{$syncip}";
 	else
 		$url = "http://{$syncip}";
@ -48,6 +53,7 @@ function xmlrpc_sync_voucher_expire($vouchers, $syncip, $port, $password, $usern
 	/* Construct code that is run on remote machine */
 	$method = 'pfsense.exec_php';
 	$execcmd  = <<<EOF
+	global \$cpzone;
 	require_once('/etc/inc/captiveportal.inc');
 	require_once('/etc/inc/voucher.inc');
 	\$cpzone = "$cpzone";
@ -88,7 +94,12 @@ EOF;
 function xmlrpc_sync_voucher_disconnect($dbent, $syncip, $port, $password, $username, $term_cause = 1, $stop_time = null) {
 	global $g, $config, $cpzone;
 	require_once("xmlrpc.inc");
-	if ($port == "443") 
+
+	$protocol = "http";
+	if (is_array($config['system']) && is_array($config['system']['webgui']) && !empty($config['system']['webgui']['protocol']) &&
+	    $config['system']['webgui']['protocol'] == "https")
+		$protocol = "https";
+	if ($protocol == "https" || $port == "443")
 		$url = "https://{$syncip}";
 	else
 		$url = "http://{$syncip}";
@ -98,6 +109,7 @@ function xmlrpc_sync_voucher_disconnect($dbent, $syncip, $port, $password, $user
 	$tmp_stop_time = (isset($stop_time)) ? $stop_time : "null";
 	$method = 'pfsense.exec_php';
 	$execcmd  = <<<EOF
+	global \$cpzone;
 	require_once('/etc/inc/captiveportal.inc');
 	require_once('/etc/inc/voucher.inc');
 	\$cpzone = "$cpzone";
@ -140,7 +152,12 @@ EOF;
 function xmlrpc_sync_used_voucher($voucher_received, $syncip, $port, $password, $username) {
 	global $g, $config, $cpzone;
 	require_once("xmlrpc.inc");
-	if ($port == "443") 
+
+	$protocol = "http";
+	if (is_array($config['system']) && is_array($config['system']['webgui']) && !empty($config['system']['webgui']['protocol']) &&
+	    $config['system']['webgui']['protocol'] == "https")
+		$protocol = "https";
+	if ($protocol == "https" || $port == "443")
 		$url = "https://{$syncip}";
 	else
 		$url = "http://{$syncip}";
@ -148,6 +165,7 @@ function xmlrpc_sync_used_voucher($voucher_received, $syncip, $port, $password,
 	/* Construct code that is run on remote machine */
 	$method = 'pfsense.exec_php';
 	$execcmd  = <<<EOF
+	global \$cpzone;
 	require_once('/etc/inc/voucher.inc');
 	\$cpzone = "$cpzone";
 	\$timeleft = voucher_auth("$voucher_received");
@ -173,23 +191,26 @@ EOF;
 		$error = "A communications error occurred while attempting CaptivePortalVoucherSync XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
 		log_error($error);
 		file_notice("CaptivePortalVoucherSync", $error, "Communications error occurred", "");
-		return 0; // $timeleft
+		return null; // $timeleft
 	} elseif($resp->faultCode()) {
 		$error = "An error code was received while attempting CaptivePortalVoucherSync XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
 		log_error($error);
 		file_notice("CaptivePortalVoucherSync", $error, "Error code received", "");
-		return 0; // $timeleft
+		return null; // $timeleft
 	} else {
 		log_error("CaptivePortalVoucherSync XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
 	}
 	$toreturn =  XML_RPC_Decode($resp->value());
 	if (!is_array($config['voucher']))
 		$config['voucher'] = array();
-	if (is_array($toreturn['voucher']) && (count($toreturn['voucher'][$cpzone]['roll']) <> count($config['voucher'][$cpzone]['roll']))) {
+
+	if (is_array($toreturn['voucher']) && is_array($toreturn['voucher']['roll'])) {
 		$config['voucher'][$cpzone]['roll'] = $toreturn['voucher']['roll'];
 		write_config("Captive Portal Voucher database synchronized with {$url}");
 		voucher_configure_zone(true);
-	}
+		unset($toreturn['voucher']);
+	} else if (!isset($toreturn['timeleft']))
+		return null;

 	return $toreturn['timeleft'];
 }
@ -421,9 +442,12 @@ function voucher_auth($voucher_received, $test = 0) {
 	}

 	// If we did a XMLRPC sync earlier check the timeleft
-	if (!empty($config['voucher'][$cpzone]['vouchersyncdbip'])) 
-		if($remote_time_used < $total_minutes) 
+	if (!empty($config['voucher'][$cpzone]['vouchersyncdbip'])) {
+		if (!is_null($remote_time_used))
 			$total_minutes = $remote_time_used;
+		else if ($remote_time_used < $total_minutes) 
+			$total_minutes -= $remote_time_used;
+	}

 	// All given vouchers were valid and this isn't simply a test.
 	// Write back the used DB's
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@ -41,6 +41,8 @@
 	pfSense_MODULE:	vpn
 */

+require_once("ipsec.inc");
+
 /* include all configuration functions */

 function vpn_ipsec_failover_configure() {
@ -192,8 +194,11 @@ function vpn_ipsec_configure($ipchg = false)
 						if ($ph2ent['pinghost']) {
 							if (!is_array($iflist))
 								$iflist = get_configured_interface_list();
-							foreach ($iflist as $ifent => $ifname) {
-								if(is_ipaddrv6($ph2ent['pinghost'])) {
+							$viplist = get_configured_vips_list();
+							$srcip = null;
+							$local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
+							if(is_ipaddrv6($ph2ent['pinghost'])) {
+								foreach ($iflist as $ifent => $ifname) {
 									$interface_ip = get_interface_ipv6($ifent);
 									if(!is_ipaddrv6($interface_ip))
 										continue;
@ -202,17 +207,27 @@ function vpn_ipsec_configure($ipchg = false)
 										$srcip = $interface_ip;
 										break;
 									}
-								} else {
+								}
+							} else {
+								foreach ($iflist as $ifent => $ifname) {
 									$interface_ip = get_interface_ip($ifent);
 									if(!is_ipaddrv4($interface_ip))
 										continue;
-									$local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
 									if ($local_subnet == "0.0.0.0/0" || ip_in_subnet($interface_ip, $local_subnet)) {
 										$srcip = $interface_ip;
 										break;
 									}
 								}
 							}
+							/* if no valid src IP was found in configured interfaces, try the vips */
+							if (is_null($srcip)) {
+								foreach ($viplist as $vip) {
+									if (ip_in_subnet($vip['ipaddr'], $local_subnet)) {
+										$srcip = $vip['ipaddr'];
+										break;
+									}
+								}
+							}
 							$dstip = $ph2ent['pinghost'];
 							if(is_ipaddrv6($dstip)) {
 								$family = "inet6";
@ -306,6 +321,7 @@ function vpn_ipsec_configure($ipchg = false)

 		/* begin racoon.conf */
 		$racoonconf = "";
+		$peerid_verify = "";
 		if ((is_array($a_phase1) && count($a_phase1)) || (is_array($a_phase2) && count($a_phase2))) {

 			$racoonconf .= "# This file is automatically generated. Do not edit\n";
@ -342,6 +358,11 @@ function vpn_ipsec_configure($ipchg = false)
 					$pool_address = long2ip32(ip2long($pool_address)+1);
 					$pool_size = (~ip2long($pool_netmask) & 0xFFFFFFFF) - 2;

+					if ($pool_size < 0) {
+						log_error(sprintf(gettext("Invalid mobile IPsec pool size: %s, using 0"), $pool_size));
+						$pool_size = 0;
+					}
+
 					$racoonconf .= "\tpool_size {$pool_size};\n";
 					$racoonconf .= "\tnetwork4 {$pool_address};\n";
 					$racoonconf .= "\tnetmask4 {$pool_netmask};\n";
@ -605,6 +626,8 @@ function vpn_ipsec_configure($ipchg = false)
 					/* Only specify peer ID if we are not dealing with a mobile PSK-only tunnel */
 					if (!(($ph1ent['authentication_method'] == "pre_shared_key") && isset($ph1ent['mobile']))) {
 						$peerid_spec = "peers_identifier {$peerid_type} {$peerid_data};";
+						if (isset($ph1ent['verify_identifier']))
+							$peerid_verify = "verify_identifier on;";
 					}

 					/* add remote section to configuration */
@ -617,6 +640,7 @@ remote {$rgip}
 	exchange_mode {$ph1ent['mode']};
 	my_identifier {$myid_type} {$myid_data};
 	{$peerid_spec}
+	{$peerid_verify}
 	ike_frag on;
 	generate_policy = {$genp};
 	initial_contact = {$init};
@ -869,7 +893,7 @@ EOD;

 				if(($ph2ent['mode'] == "tunnel") or ($ph2ent['mode'] == 'tunnel6')) {
 					// Error will be logged above, no need to log this twice. #2201
-					if (!is_subnet($localid))
+					if (!is_subnet($localid) && ($localid != "0.0.0.0/0"))
 						continue;

 					if($ph2ent['mode'] == "tunnel6")
@ -1835,7 +1859,10 @@ function reload_tunnel_spd_policy($phase1, $phase2, $old_phase1, $old_phase2) {
 		} else {
 			add_hostname_to_watch($phase1['remote-gateway']);
 		}
-		if (!is_ipaddr($rgip)) {
+		if (isset($phase1['mobile'])) {
+			/* Don't log anything here, it's normal and we should skip it. */
+			return false;
+		} elseif (!is_ipaddr($rgip)) {
 			log_error("Could not determine VPN endpoint for '{$phase1['descr']}'");
 			return false;
 		}
@ -1900,7 +1927,7 @@ function reload_tunnel_spd_policy($phase1, $phase2, $old_phase1, $old_phase2) {
 		}
 	}
 	/* add new SPD policies to replace them */
-	if (!isset($phase1['disabled'])) {
+	if (!isset($phase1['disabled']) && !isset($phase2['disabled'])) {
 		$spdconf .= "spdadd {$family} {$local_subnet} " .
 			"{$remote_subnet} any -P out ipsec " .
 			"{$phase2['protocol']}/tunnel/{$ep}-" .
@ -1921,6 +1948,9 @@ function reload_tunnel_spd_policy($phase1, $phase2, $old_phase1, $old_phase2) {
 	/* generate temporary spd.conf */
 	@file_put_contents($spdfile, $spdconf);
 	unset($spdconf);
+	/* remove static route to old gw */
+	if (is_ipaddr($old_gw))
+		mwexec("/sbin/route delete {$old_gw}", true);
 	return true;
 }

--- a/etc/inc/vslb.inc
+++ b/etc/inc/vslb.inc
@ -337,7 +337,7 @@ function relayd_configure($kill_first=false) {

 						$conf .= "  forward to <{$vs_a[$i]['poolname']}> port {$dest_port} {$lbmode} {$check_a[$pools[$vs_a[$i]['poolname']]['monitor']]} \n";

-						if (isset($vs_a[$i]['sitedown']) &&  strlen($vs_a[$i]['sitedown']) > 0)
+						if (isset($vs_a[$i]['sitedown']) &&  strlen($vs_a[$i]['sitedown']) > 0 && ($vs_a[$i]['relay_protocol'] != 'dns'))
 							$conf .= "  forward to <{$vs_a[$i]['sitedown']}> port {$dest_port} {$lbmode} {$check_a[$pools[$vs_a[$i]['poolname']]['monitor']]} \n";
 						$conf .= "}\n";
 					} else  {
@ -349,7 +349,7 @@ function relayd_configure($kill_first=false) {
 							$conf .= "  sticky-address\n";

 						/* sitedown MUST use the same port as the primary pool - sucks, but it's a relayd thing */
-						if (isset($vs_a[$i]['sitedown']) && strlen($vs_a[$i]['sitedown']) > 0)
+						if (isset($vs_a[$i]['sitedown']) && strlen($vs_a[$i]['sitedown']) > 0 && ($vs_a[$i]['relay_protocol'] != 'dns'))
 							$conf .= "  forward to <{$vs_a[$i]['sitedown']}> port {$dest_port} {$check_a[$pools[$vs_a[$i]['sitedown']]['monitor']]} \n";

 						$conf .= "}\n";
@ -365,6 +365,8 @@ function relayd_configure($kill_first=false) {
 		if (! empty($vs_a)) {
 			if ($kill_first) {
 				mwexec('pkill relayd');
+				/* Remove all active relayd anchors now that relayd is no longer running. */
+				cleanup_lb_anchor("*");
 				mwexec("/usr/local/sbin/relayd -f {$g['varetc_path']}/relayd.conf");
 			} else {
 				// it's running and there is a config, just reload
@ -379,10 +381,14 @@ function relayd_configure($kill_first=false) {
 			 *  returns "command failed"
 			 */
 			mwexec('pkill relayd');
+			/* Remove all active relayd anchors now that relayd is no longer running. */
+			cleanup_lb_anchor("*");
 		}
 	} else {
 		if (! empty($vs_a)) {
 			// not running and there is a config, start it
+			/* Remove all active relayd anchors so it can start fresh. */
+			cleanup_lb_anchor("*");
 			mwexec("/usr/local/sbin/relayd -f {$g['varetc_path']}/relayd.conf");
 		}
 	}
@ -482,4 +488,73 @@ function get_lb_summary() {
 	return $relay_hosts;
 }

+/* Get a list of all relayd virtual server anchors */
+function get_lb_anchors() {
+	/* NOTE: These names come back prepended with "relayd/" e.g. "relayd/MyVSName" */
+	return explode("\n", trim(`/sbin/pfctl -sA -a relayd | /usr/bin/awk '{print $1;}'`));
+}
+
+/* Remove NAT rules from a relayd anchor that is no longer in use.
+	$anchorname can either be * to clear all anchors or a specific anchor name.*/
+function cleanup_lb_anchor($anchorname = "*") {
+	$lbanchors = get_lb_anchors();
+	foreach ($lbanchors as $lba) {
+		if (($anchorname == "*") || ($lba == "relayd/{$anchorname}")) {
+			/* Flush both the NAT and the Table for the anchor, so it will be completely removed by pf. */
+			mwexec("/sbin/pfctl -a " . escapeshellarg($lba) . " -F nat");
+			mwexec("/sbin/pfctl -a " . escapeshellarg($lba) . " -F Tables");
+		}
+	}
+}
+
+/* Mark an anchor for later cleanup. This will allow us to remove an old VS name */
+function cleanup_lb_mark_anchor($name) {
+	global $g;
+	/* Nothing to do! */
+	if (empty($name))
+		return;
+	$filename = "{$g['tmp_path']}/relayd_anchors_remove";
+	$cleanup_anchors = array();
+	/* Read in any currently unapplied name changes */
+	if (file_exists($filename))
+		$cleanup_anchors = explode("\n", file_get_contents($filename));
+	/* Only add the anchor to the list if it's not already there. */
+	if (!in_array($name, $cleanup_anchors))
+		$cleanup_anchors[] = $name;
+	file_put_contents($filename, implode("\n", $cleanup_anchors));
+}
+
+/* Cleanup relayd anchors that have been marked for cleanup. */
+function cleanup_lb_marked() {
+	global $g, $config;
+	$filename = "{$g['tmp_path']}/relayd_anchors_remove";
+	$cleanup_anchors = array();
+	/* Nothing to do! */
+	if (!file_exists($filename)) {
+		return;
+	} else {
+		$cleanup_anchors = explode("\n", file_get_contents($filename));
+		/* Nothing to do! */
+		if (empty($cleanup_anchors))
+			return;
+	}
+
+	/* Load current names so we can make sure we don't remove an anchor that is still in use. */
+	$vs_a = $config['load_balancer']['virtual_server'];
+	$active_vsnames = array();
+	if(is_array($vs_a)) {
+		foreach ($vs_a as $vs) {
+			$active_vsnames[] = $vs['name'];
+		}
+	}
+
+	foreach ($cleanup_anchors as $anchor) {
+		/* Only cleanup an anchor if it is not still active. */
+		if (!in_array($anchor, $active_vsnames)) {
+			cleanup_lb_anchor($anchor);
+		}
+	}
+	unlink_if_exists($filename);
+}
+
 ?>
--- a/etc/inc/wizardapp.inc
+++ b/etc/inc/wizardapp.inc
@ -1,6 +1,6 @@
 <?php
 /*
-        part of pfSense (http://www.pfsense.org/)
+        part of pfSense (https://www.pfsense.org/)

        Copyright (C) 2006 Bill Marquette - bill.marquette@gmail.com.
        Copyright (C) 2006 Scott Ullrich - sullrich@pfsense.com.
--- a/etc/inc/xmlparse.inc
+++ b/etc/inc/xmlparse.inc
@ -232,7 +232,14 @@ function dump_xml_config_sub($arr, $indent) {
 						$xmlconfig .= str_repeat("\t", $indent);
 						if((is_bool($cval) && $cval == true) || ($cval === "")) {
 							$xmlconfig .= "<$ent/>\n";
-						} else if ((substr($ent, 0, 5) == "descr") || (substr($ent, 0, 6) == "detail")) {
+						} else if ((substr($ent, 0, 5) == "descr")
+							|| (substr($ent, 0, 6) == "detail")
+							|| (substr($ent, 0, 12) == "login_banner")
+							|| (substr($ent, 0, 9) == "ldap_attr")
+							|| (substr($ent, 0, 9) == "ldap_bind")
+							|| (substr($ent, 0, 11) == "ldap_basedn")
+							|| (substr($ent, 0, 18) == "ldap_authcn")
+							|| (substr($ent, 0, 19) == "ldap_extended_query")) {
 							$xmlconfig .= "<$ent><![CDATA[" . htmlentities($cval) . "]]></$ent>\n";
 						} else {
 							$xmlconfig .= "<$ent>" . htmlentities($cval) . "</$ent>\n";
@ -256,7 +263,14 @@ function dump_xml_config_sub($arr, $indent) {
 				$xmlconfig .= "<$ent/>\n";
 			} else if (!is_bool($val)) {
 				$xmlconfig .= str_repeat("\t", $indent);
-				if ((substr($ent, 0, 5) == "descr") || (substr($ent, 0, 6) == "detail"))
+				if ((substr($ent, 0, 5) == "descr")
+				|| (substr($ent, 0, 6) == "detail")
+				|| (substr($ent, 0, 12) == "login_banner")
+				|| (substr($ent, 0, 9) == "ldap_attr")
+				|| (substr($ent, 0, 9) == "ldap_bind")
+				|| (substr($ent, 0, 11) == "ldap_basedn")
+				|| (substr($ent, 0, 18) == "ldap_authcn")
+				|| (substr($ent, 0, 19) == "ldap_extended_query"))
 					$xmlconfig .= "<$ent><![CDATA[" . htmlentities($val) . "]]></$ent>\n";
 				else
 					$xmlconfig .= "<$ent>" . htmlentities($val) . "</$ent>\n";
--- a/etc/inc/xmlrpc_client.inc
+++ b/etc/inc/xmlrpc_client.inc
@ -1002,7 +1002,7 @@ class XML_RPC_Client extends XML_RPC_Base {
            return false;
        }
        if ($this->proxy) {
-            $this->headers = 'POST ' . $this->protocol . $this->server;
+            $this->headers = 'POST ' . ($this->protocol=='ssl://'?'https://':$this->protocol). $this->server;
            if ($this->proxy_port) {
                $this->headers .= ':' . $this->port;
            }
--- a/etc/inc/zeromq.inc
+++ b/etc/inc/zeromq.inc
@ -1,7 +1,7 @@
 <?php 
 /*
 	zeromq.inc
-	part of the pfSense project (http://www.pfsense.com)
+	part of the pfSense project (https://www.pfsense.org)
 	Copyright 2010 Scott Ullrich <sullrich@gmail.com>
 	All rights reserved.

--- a/etc/pf.os
+++ b/etc/pf.os
@ -1,5 +1,5 @@
-# $FreeBSD: src/etc/pf.os,v 1.4.10.2 2011/09/22 01:13:40 delphij Exp $
-# $OpenBSD: pf.os,v 1.25 2010/10/18 15:55:27 deraadt Exp $
+# $FreeBSD: stable/9/etc/pf.os 244647 2012-12-24 00:45:54Z delphij $
+# $OpenBSD: pf.os,v 1.26 2012/08/03 12:25:16 jsg Exp $
 # passive OS fingerprinting
 # -------------------------
 #
@ -226,7 +226,13 @@ S2:64:1:60:M*,S,T,N,W0:		Linux:2.4::Linux 2.4 (big boy)
 S3:64:1:60:M*,S,T,N,W0:		Linux:2.4:.18-21:Linux 2.4.18 and newer
 S4:64:1:60:M*,S,T,N,W0:		Linux:2.4::Linux 2.4/2.6 <= 2.6.7
 S4:64:1:60:M*,S,T,N,W0:		Linux:2.6:.1-7:Linux 2.4/2.6 <= 2.6.7
-S4:64:1:60:M*,S,T,N,W7:		Linux:2.6:8:Linux 2.6.8 and newer (?)
+
+S4:64:1:60:M*,S,T,N,W5:		Linux:2.6::Linux 2.6 (newer, 1)
+S4:64:1:60:M*,S,T,N,W6:		Linux:2.6::Linux 2.6 (newer, 2)
+S4:64:1:60:M*,S,T,N,W7:		Linux:2.6::Linux 2.6 (newer, 3)
+T4:64:1:60:M*,S,T,N,W7:		Linux:2.6::Linux 2.6 (newer, 4)
+
+S10:64:1:60:M*,S,T,N,W4:	Linux:3.0::Linux 3.0

 S3:64:1:60:M*,S,T,N,W1:		Linux:2.5::Linux 2.5 (sometimes 2.4)
 S4:64:1:60:M*,S,T,N,W1:		Linux:2.5-2.6::Linux 2.5/2.6
@ -429,6 +435,8 @@ S44:128:1:48:M*,N,N,S:			Windows:XP:SP1:Windows Pro SP1, 2000 SP3
 32767:128:1:48:M*,N,N,S:		Windows:2000:SP4:Windows SP1, 2000 SP4
 32767:128:1:48:M*,N,N,S:		Windows:XP:SP1:Windows SP1, 2000 SP4

+8192:128:1:52:M*,N,W2,N,N,S:		Windows:Vista::Windows Vista/7
+
 # Odds, ends, mods:

 S52:128:1:48:M1260,N,N,S:		Windows:2000:cisco:Windows XP/2000 via Cisco
--- a/etc/pfSense.obsoletedfiles
+++ b/etc/pfSense.obsoletedfiles
@ -55,3 +55,14 @@
 /usr/local/www/javascript/diag_backup/diag_backup.js
 /usr/local/www/progress.php
 /usr/local/www/upload_progress.php
+/usr/sbin/ntpd
+/usr/local/bin/ntp-wait
+/usr/local/bin/ntpd
+/usr/local/bin/ntpdate
+/usr/local/bin/ntpdc
+/usr/local/bin/ntpq
+/usr/local/bin/ntptime
+/usr/local/bin/ntptrace
+/usr/local/bin/sntp
+/usr/local/bin/tickadj
+/usr/sbin/clog
--- a/etc/phpshellsessions/enableallowallwan
+++ b/etc/phpshellsessions/enableallowallwan
@ -1,5 +1,5 @@
 global $config;
-require("filter.inc");
+require_once("filter.inc");
 require("shaper.inc");
 $config = parse_config(true);
 echo "Adding allow all rule...\n";
--- a/etc/phpshellsessions/generateguicert
+++ b/etc/phpshellsessions/generateguicert
@ -0,0 +1,8 @@
+require_once("system.inc");
+
+echo gettext("Generating a new self-signed SSL certificate for the GUI...");
+$cert = system_webgui_create_certificate();
+echo gettext("Done.\n");
+echo gettext("Restarting webConfigurator...");
+send_event("service restart webgui");
+echo gettext("Done.\n");
--- a/etc/phpshellsessions/gitsync
+++ b/etc/phpshellsessions/gitsync
@ -19,7 +19,8 @@ $GITSYNC_MERGE = "/root/.gitsync_merge";

 /* NOTE: Set branches here */
 $branches = array(
-	"master" => "2.1 development branch",
+	"master" => "2.2 development branch",
+	"RELENG_2_1" => "2.1.* release branch",
 	"RELENG_2_0" => "2.0.* release branch",
 	"RELENG_1_2" => "1.2.* release branch",
 	"build_commit" => "The commit originally used to build the image"
--- a/etc/rc
+++ b/etc/rc
@ -39,29 +39,6 @@ if [ -e /root/force_fsck ]; then
 	fi
 fi

-if [ -e /root/TRIM_set -o -e /root/TRIM_unset ]; then
-	TUNEFS_STATUS=`/sbin/tunefs -p / 2>&1 | /usr/bin/grep trim: | /usr/bin/awk '{print $4;}'`
-	if [ -e /root/TRIM_set ] && [ "${TUNEFS_STATUS}" = "disabled" ]; then
-		echo "Enabling TRIM support"
-		/sbin/tunefs -t enable /
-		if [ "$PLATFORM" = "nanobsd" ]; then
-			/sbin/tunefs -t enable /cf
-		fi
-		echo "Rebooting in 5 seconds after enabling TRIM..."
-		sleep 5
-		/sbin/reboot
-	elif [ -e /root/TRIM_unset ] && [ "${TUNEFS_STATUS}" = "enabled" ]; then
-		echo "Disabling TRIM support"
-		/sbin/tunefs -t disable /
-		if [ "$PLATFORM" = "nanobsd" ]; then
-			/sbin/tunefs -t disable /cf
-		fi
-		echo "Rebooting in 5 seconds after disabling TRIM..."
-		sleep 5
-		/sbin/reboot
-	fi
-fi
-
 # Mount memory file system if it exists
 echo "Mounting filesystems..."

@ -255,7 +232,7 @@ fi
 # Setup compatibility link for packages that
 # have trouble overriding the PREFIX configure
 # argument since we build our packages in a
-# seperated PREFIX area
+# separated PREFIX area
 # Only create if symlink does not exist. 
 if [ ! -h /tmp/tmp ]; then
    /bin/ln -hfs / /tmp/tmp
@ -310,7 +287,7 @@ for logfile in $LOG_FILES; do
 				# generate fifolog files
 				/usr/sbin/fifolog_create -s 511488 /var/log/$logfile.log
 			else 
-				/usr/sbin/clog -i -s 512144 /var/log/$logfile.log
+				/usr/local/sbin/clog -i -s 512144 /var/log/$logfile.log
 			fi
 		fi
 	fi 
@ -358,8 +335,8 @@ echo "done."

 # Ensure gettytab is of a sane size
 if [ `/bin/ls -la /etc/gettytab | /usr/bin/awk '{ print $5'}` -lt 512 ]; then
-	echo ">>> Restoring /etc/gettytab due to unusal size"
-	echo ">>> Restoring /etc/gettytab due to unusal size" | /usr/bin/logger
+	echo ">>> Restoring /etc/gettytab due to unusual size"
+	echo ">>> Restoring /etc/gettytab due to unusual size" | /usr/bin/logger
 	/bin/cp /etc/gettytab.bak /etc/gettytab
 fi

@ -400,6 +377,10 @@ echo -n "Launching the init system..."
 /usr/bin/touch $varrunpath/booting
 /etc/rc.bootup

+# /etc/rc.bootup unset $g['booting'], remove file right now to be
+# consistent
+/bin/rm $varrunpath/booting
+
 # If a shell was selected from recovery 
 # console then just drop to the shell now.
 if [ -f "/tmp/donotbootup" ]; then
@ -428,7 +409,6 @@ echo "done."
 /bin/chmod a+rw /tmp/.

 echo "Bootup complete"
-/bin/rm $varrunpath/booting

 /usr/local/bin/beep.sh start 2>&1 >/dev/null

--- a/etc/rc.bootup
+++ b/etc/rc.bootup
@ -128,7 +128,8 @@ echo ".";

 /* get system memory amount */
 $memory = get_memory();
-$avail = $memory[1];
+$physmem = $memory[0];
+$realmem = $memory[1];
 echo " done.\n";

 conf_mount_rw();
@ -295,8 +296,8 @@ echo "Synchronizing user settings...";
 local_sync_accounts();
 echo "done.\n";

-if($avail > 0 and $avail < 65) {
-	echo "System has less than 65 megabytes of ram {$avail}.  Delaying webConfigurator startup.\n";
+if($realmem > 0 and $realmem < 65) {
+	echo "System has less than 65 megabytes of ram {$realmem}.  Delaying webConfigurator startup.\n";
 	/* start webConfigurator up on final pass */
 	mwexec("/usr/local/sbin/pfSctl -c 'service restart webgui'");
 } else {
@ -340,6 +341,9 @@ system_dhcpleases_configure();
 /* start DHCP relay */
 services_dhcrelay_configure();

+/* start DHCP6 relay */
+services_dhcrelay6_configure();
+
 /* dyndns service updates */
 send_event("service reload dyndnsall");

@ -382,7 +386,7 @@ if($config['system']['afterbootupshellcmd'] <> "") {
 	mwexec($config['system']['afterbootupshellcmd']);
 }

-if($avail < $g['minimum_ram_warning']) {
+if($physmem < $g['minimum_ram_warning']) {
 	require_once("/etc/inc/notices.inc");
 	file_notice("{$g['product_name']}MemoryRequirements", "{$g['product_name']} requires at least {$g['minimum_ram_warning_text']} of RAM.  Expect unusual performance.  This platform is not supported.", "Memory", "", 1);
 	mwexec("/sbin/sysctl net.inet.tcp.recvspace=4096");
@ -433,6 +437,7 @@ unset($g['booting']);
 if ($ipsec_dynamic_hosts) {
 	vpn_ipsec_refresh_policies();
 	vpn_ipsec_configure();
+	filter_configure();
 }

 led_normalize();
--- a/etc/rc.captiveportal_configure
+++ b/etc/rc.captiveportal_configure
@ -3,7 +3,7 @@
 /* $Id$ */
 /*
    rc.captiveportal_configure
-    part of pfSense (http://www.pfSense.com)
+    part of pfSense (https://www.pfsense.org)
    Copyright (C) 2004 Scott Ullrich
    All rights reserved.

@ -31,7 +31,7 @@

 require("config.inc");
 require("functions.inc");
-require("filter.inc");
+require_once("filter.inc");
 require("shaper.inc");
 require("captiveportal.inc");

--- a/etc/rc.carpbackup
+++ b/etc/rc.carpbackup
@ -3,7 +3,7 @@
 /* $Id$ */
 /*
    rc.carpdown
-    part of pfSense (http://www.pfSense.com)
+    part of pfSense (https://www.pfsense.org)
    Copyright (C) 2004 Scott Ullrich
    All rights reserved.

--- a/etc/rc.carpmaster
+++ b/etc/rc.carpmaster
@ -3,7 +3,7 @@
 /* $Id$ */
 /*
    rc.carpup
-    part of pfSense (http://www.pfSense.com)
+    part of pfSense (https://www.pfsense.org)
    Copyright (C) 2004 Scott Ullrich
    All rights reserved.

@ -50,5 +50,13 @@ if (is_array($config['openvpn']) && is_array($config['openvpn']['openvpn-client'
 		}
 	}
 }
+if (is_array($config['openvpn']) && is_array($config['openvpn']['openvpn-server'])) {
+	foreach ($config['openvpn']['openvpn-server'] as $settings) {
+		if ($settings['interface'] == $argv[1]) {
+			log_error("Starting OpenVPN instance on {$settings['interface']} because of transition to CARP master.");
+			openvpn_restart('server', $settings);
+		}
+	}
+}

 ?>
--- a/etc/rc.conf_mount_ro
+++ b/etc/rc.conf_mount_ro
@ -3,7 +3,7 @@
 /* $Id$ */
 /*
    rc.conf_mount_ro
-    part of pfSense (http://www.pfSense.com)
+    part of pfSense (https://www.pfsense.org)
    Copyright (C) 2004 Scott Ullrich
    All rights reserved.

--- a/etc/rc.conf_mount_rw
+++ b/etc/rc.conf_mount_rw
@ -3,7 +3,7 @@
 /* $Id$ */
 /*
    rc.conf_mount_rw
-    part of pfSense (http://www.pfSense.com)
+    part of pfSense (https://www.pfsense.org)
    Copyright (C) 2004 Scott Ullrich
    All rights reserved.

--- a/etc/rc.dhclient_cron
+++ b/etc/rc.dhclient_cron
@ -3,7 +3,7 @@
 /* $Id$ */
 /*
    rc.dhclient_cron
-    part of pfSense (http://www.pfSense.com)
+    part of pfSense (https://www.pfsense.org)
    Copyright (C) 2006 Scott Ullrich
    All rights reserved.

--- a/etc/rc.dyndns.update
+++ b/etc/rc.dyndns.update
@ -3,7 +3,7 @@
 /* $Id$ */
 /*
    rc.dyndns.update
-    part of pfSense (http://www.pfSense.com)
+    part of pfSense (https://www.pfsense.org)
    Copyright (C) 2004 Scott Ullrich
    All rights reserved.

--- a/etc/rc.expireaccounts
+++ b/etc/rc.expireaccounts
@ -45,7 +45,7 @@
 			continue;
 		echo "1\n";
 		echo "User {$user['name']} expires {$user['expires']}\n";
-		if(!$user['expires'])
+		if(!$user['expires'] || isset($user['disabled']))
 			continue;
 		echo "1\n";
 		if(strtotime("-1 day") > strtotime($user['expires'])) {
--- a/etc/rc.filter_configure
+++ b/etc/rc.filter_configure
@ -3,7 +3,7 @@
 /* $Id$ */
 /*
    rc.filter_configure
-    part of pfSense (http://www.pfSense.com)
+    part of pfSense (https://www.pfsense.org)
    Copyright (C) 2004 Scott Ullrich
    All rights reserved.

--- a/etc/rc.filter_configure_sync
+++ b/etc/rc.filter_configure_sync
@ -3,7 +3,7 @@
 /* $Id$ */
 /*
    rc.filter_configure_sync
-    part of pfSense (http://www.pfSense.com)
+    part of pfSense (https://www.pfsense.org)
    Copyright (C) 2004 Scott Ullrich
    All rights reserved.

--- a/etc/rc.filter_synchronize
+++ b/etc/rc.filter_synchronize
@ -55,7 +55,7 @@ function backup_vip_config_section() {
 	$temp = array();
 	$temp['vip'] = array();
 	foreach($config['virtualip']['vip'] as $section) {
-		if(($section['mode'] == "proxyarp" || $section['mode'] == "ipalias") && !strstr($section['interface'], "_vip"))
+		if(($section['mode'] == "proxyarp" || $section['mode'] == "ipalias") && !(strstr($section['interface'], "_vip") || strstr($section['interface'], "lo0")))
 			continue;
 		if($section['advskew'] <> "") {
 			$section_val = intval($section['advskew']);
@ -107,7 +107,7 @@ function carp_check_version($url, $username, $password, $port = 80, $method = 'p
 		/* send our XMLRPC message and timeout after 240 seconds */
 		$resp = $cli->send($msg, "240");
 		if(!is_object($resp)) {
-			$error = "A communications error occured while attempting XMLRPC sync with username {$username} {$url}:{$port}.";
+			$error = "A communications error occurred while attempting XMLRPC sync with username {$username} {$url}:{$port}.";
 		} elseif($resp->faultCode()) {
 			$error = "An error code was received while attempting XMLRPC sync with username {$username} {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
 		} else {
@ -224,6 +224,8 @@ function carp_sync_xml($url, $username, $password, $sections, $port = 80, $metho
 				$xml['system'][$section] = $config_copy['system'][$section];
 				$xml['system']['nextgid'] = $config_copy['system']['nextgid'];
 				break;
+			case 'authserver':
+				$xml['system'][$section] = $config_copy['system'][$section];
 			default:
 				$xml[$section] = $config_copy[$section];
 		}
@ -245,7 +247,7 @@ function carp_sync_xml($url, $username, $password, $sections, $port = 80, $metho
 		/* send our XMLRPC message and timeout after 240 seconds */
 		$resp = $cli->send($msg, "240");
 		if(!is_object($resp)) {
-			$error = "A communications error occured while attempting XMLRPC sync with username {$username} {$url}:{$port}.";
+			$error = "A communications error occurred while attempting XMLRPC sync with username {$username} {$url}:{$port}.";
 			log_error($error);
 			file_notice("sync_settings", $error, "Settings Sync", "");
 		} elseif($resp->faultCode()) {
@ -378,6 +380,9 @@ if (is_array($config['hasync'])) {
 		$sections[] = 'user';
 		$sections[] = 'group';
 	} 
+	if ($hasync['synchronizeauthservers'] != "") {
+		$sections[] = 'authserver';
+	}
 	if ($hasync['synchronizednsforwarder'] != "" and is_array($config['dnsmasq']))
 		$sections[] = 'dnsmasq';
 	if ($hasync['synchronizeschedules'] != "" || $hasync['synchronizerules'] != "") {
@ -415,7 +420,7 @@ if (is_array($config['hasync'])) {
 	$resp = $cli->send($msg, "900");

 	if (!is_object($resp)) {
-		$error = "A communications error occured while attempting Filter sync with username {$username} {$synchronizetoip}:{$port}.";
+		$error = "A communications error occurred while attempting Filter sync with username {$username} {$synchronizetoip}:{$port}.";
 		log_error($error);
 		file_notice("sync_settings", $error, "Settings Sync", "");
 	} elseif($resp->faultCode()) {
--- a/etc/rc.initial
+++ b/etc/rc.initial
@ -61,9 +61,8 @@ fi
 product=`grep product_name /etc/inc/globals.inc | cut -d'"' -f4`
 hidebanner=`grep hidebanner /etc/inc/globals.inc | cut -d'"' -f4`

-# Check to see if SSH is listening.
-SSHD=`/usr/bin/sockstat -4l | grep "*.22" | wc -l`
-if [ "$SSHD" -gt 0 ]; then
+# Check to see if SSH is running.
+if pgrep -q -a -F /var/run/sshd.pid sshd >/dev/null 2>&1; then
 	sshd_option="14) Disable Secure Shell (sshd)";
 else
 	sshd_option="14) Enable Secure Shell (sshd)";
--- a/etc/rc.initial.firmware_update
+++ b/etc/rc.initial.firmware_update
@ -46,6 +46,7 @@ echo "Q) Quit\n";

 echo "\nPlease select an option to continue: ";

+$pkg_interface = 'console';
 $command = strtoupper(chop(fgets($fp)));

 switch ($command) {
@ -69,28 +70,20 @@ switch ($command) {
 		if($status) {
 			conf_mount_rw();
 			mark_subsystem_dirty('firmware');
-			if(file_exists("/root/firmware.tgz"))
-				unlink("/root/firmware.tgz");
-			echo "\nFetching file size...\n";
-			$file_size = exec("fetch -s \"$url\"");
-			$file_size = trim($file_size, "\r");
-			echo "\nFile size: $file_size\n";
-			echo "\nFetching file...\n";
-			exec("fetch -1 -w15 -a -v -o /root/firmware.tgz \"$url\"");
-			if($file_size <> filesize("/root/firmware.tgz")) {
-				echo "\nFile size mismatch.  Upgrade cancelled.\n\n";
-				fclose($fp);
-				die;
-			}			
+			unlink_if_exists("/root/firmware.tgz");
+			echo "\nFetching file... ";
+			download_file_with_progress_bar($url, '/root/firmware.tgz');
 			if(!file_exists("/root/firmware.tgz")) {
 				echo "Something went wrong during file transfer.  Exiting.\n\n";
 				fclose($fp);
+				clear_subsystem_dirty('firmware');
 				die;
 			}
 			$status = does_url_exist("$url.sha256");
 			if($status) { 
-				echo "\nFetching sha256...\n";
-				exec("fetch -1 -w15 -a -v -o /root/firmware.tgz.sha256 \"$url.sha256\"");
+				echo "\nFetching sha256... ";
+				download_file_with_progress_bar($url . ".sha256", '/root/firmware.tgz.sha256');
+				echo "\n";
 			} else {
 				echo "\n\nWARNING.\n";
 				echo "\nCould not locate a sha256 file.  We cannot verify the download once completed.\n\n";
@ -103,12 +96,13 @@ switch ($command) {
 				echo "Downloaded file sha256: $file_sha256\n";
 				if($source_sha256 <> $file_sha256) {
 					echo "\n\nsha256 checksum does not match.  Cancelling upgrade.\n\n";
-					exec("rm -f /root/*.sha256");
+					unlink_if_exists("/root/firmware.tgz.sha256");
 					fclose($fp);
+					clear_subsystem_dirty('firmware');
 					die -1;
 				}
 				echo "\nsha256 checksum matches.\n";
-				exec("rm -f /root/*.sha256");
+				unlink_if_exists("/root/firmware.tgz.sha256");
 			}
 			if(strstr($url,"bdiff")) {
 				echo "Binary DIFF upgrade file detected...\n";
@ -120,6 +114,7 @@ switch ($command) {
 				$type = "normal";
 			}
 			do_upgrade("/root/firmware.tgz", $type);
+			clear_subsystem_dirty('firmware');
 			exit;
 		}
 	case "2":
@ -136,6 +131,7 @@ switch ($command) {
 		if(file_exists($path)) {
 			mark_subsystem_dirty('firmware');
 			do_upgrade($path, $type);
+			clear_subsystem_dirty('firmware');
 		} else {
 			echo "\nCould not find file.\n\n";
 			fclose($fp);
--- a/etc/rc.initial.setlanip
+++ b/etc/rc.initial.setlanip
@ -253,67 +253,83 @@ function console_configure_ip_address($version) {
 	}
 		
 	if($isintdhcp == false or $interface <> "wan") {
-		do {
-			echo "\n" . sprintf(gettext("Enter the new %s %s address.  Press <ENTER> for none:"),
-			                    $upperifname, $label_IPvX) . "\n> ";
-			$intip = chop(fgets($fp));
-			$is_ipaddr = ($version === 6) ? is_ipaddrv6($intip) : is_ipaddrv4($intip);
-			if ($is_ipaddr && is_ipaddr_configured($intip, $interface, true)) {
-				$ip_conflict = true;
-				echo gettext("This IP address conflicts with another interface or a VIP") . "\n";
-			} else
-				$ip_conflict = false;
-		} while (($ip_conflict === true) || !($is_ipaddr || $intip == ''));
-		if ($intip != '') {
-			echo "\n" . sprintf(gettext("Subnet masks are entered as bit counts (as in CIDR notation) in %s."),
-			                    $g['product_name']) . "\n";
-			if ($version === 6) {
-				echo "e.g. ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00 = 120\n";
-				echo "     ffff:ffff:ffff:ffff:ffff:ffff:ffff:0    = 112\n";
-				echo "     ffff:ffff:ffff:ffff:ffff:ffff:0:0       =  96\n";
-				echo "     ffff:ffff:ffff:ffff:ffff:0:0:0          =  80\n";
-				echo "     ffff:ffff:ffff:ffff:0:0:0:0             =  64\n";
-			} else {
-				echo "e.g. 255.255.255.0 = 24\n";
-				echo "     255.255.0.0   = 16\n";
-				echo "     255.0.0.0     = 8\n";
-			}
+		while(true) {
 			do {
-				$upperifname = strtoupper($interface);
-				echo "\n" . sprintf(gettext("Enter the new %s %s subnet bit count:"),
-				                    $upperifname, $label_IPvX) . "\n> ";
-				$intbits = chop(fgets($fp));
-				$restart_dhcpd = true;
-			} while (!is_numeric($intbits) || ($intbits < 1) || ($intbits > $maxbits));
-
-			if ($version === 6) {
-				$subnet = gen_subnetv6($intip, $intbits);
-			} else {
-				$subnet = gen_subnet($intip, $intbits);
-			}
-			do {
-				echo "\n" . sprintf(gettext("Enter the new %s %s gateway address.  Press <ENTER> for none:"),
-				                    $upperifname, $label_IPvX) . "\n> ";
-				$gwip = chop(fgets($fp));
-				$is_ipaddr = ($version === 6) ? is_ipaddrv6($gwip) : is_ipaddrv4($gwip);
-				$is_in_subnet = $is_ipaddr && ip_in_subnet($gwip, $subnet . "/" . $intbits);
-				if ($gwip != '') {
-					if (!$is_ipaddr) {
-						echo sprintf(gettext("not an %s IP address!"), $label_IPvX) . "\n";
-					} else if (!$is_in_subnet) {
-						echo gettext("not in subnet!") . "\n";
-					}
+				echo "\n" . sprintf(gettext("Enter the new %s %s address.  Press <ENTER> for none:"),
+						    $upperifname, $label_IPvX) . "\n> ";
+				$intip = chop(fgets($fp));
+				$is_ipaddr = ($version === 6) ? is_ipaddrv6($intip) : is_ipaddrv4($intip);
+				if ($is_ipaddr && is_ipaddr_configured($intip, $interface, true)) {
+					$ip_conflict = true;
+					echo gettext("This IP address conflicts with another interface or a VIP") . "\n";
+				} else
+					$ip_conflict = false;
+			} while (($ip_conflict === true) || !($is_ipaddr || $intip == ''));
+			if ($intip != '') {
+				echo "\n" . sprintf(gettext("Subnet masks are entered as bit counts (as in CIDR notation) in %s."),
+						    $g['product_name']) . "\n";
+				if ($version === 6) {
+					echo "e.g. ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00 = 120\n";
+					echo "     ffff:ffff:ffff:ffff:ffff:ffff:ffff:0    = 112\n";
+					echo "     ffff:ffff:ffff:ffff:ffff:ffff:0:0       =  96\n";
+					echo "     ffff:ffff:ffff:ffff:ffff:0:0:0          =  80\n";
+					echo "     ffff:ffff:ffff:ffff:0:0:0:0             =  64\n";
+				} else {
+					echo "e.g. 255.255.255.0 = 24\n";
+					echo "     255.255.0.0   = 16\n";
+					echo "     255.0.0.0     = 8\n";
 				}
-			} while (!($gwip == '' || ($is_ipaddr && $is_in_subnet)));
+				do {
+					$upperifname = strtoupper($interface);
+					echo "\n" . sprintf(gettext("Enter the new %s %s subnet bit count:"),
+							    $upperifname, $label_IPvX) . "\n> ";
+					$intbits = chop(fgets($fp));
+					$intbits_ok = is_numeric($intbits) && (($intbits >= 1) || ($intbits <= $maxbits));
+					$restart_dhcpd = true;

-			if ($gwip != '') {
-				$inet_type = ($version === 6) ? "inet6" : "inet";
-				$gwname = add_gateway_to_config($interface, $gwip, $inet_type);
+					if ($version === 4 && $intbits < $maxbits) {
+						if ($intip == gen_subnet($intip, $intbits)) {
+							echo gettext("You cannot set network address to an interface");
+							continue 2;
+							$intbits_ok = false;
+						} else if ($intip == gen_subnet_max($intip, $intbits)) {
+							echo gettext("You cannot set broadcast address to an interface");
+							continue 2;
+							$intbits_ok = false;
+						}
+					}
+				} while (!$intbits_ok);
+
+				if ($version === 6) {
+					$subnet = gen_subnetv6($intip, $intbits);
+				} else {
+					$subnet = gen_subnet($intip, $intbits);
+				}
+				do {
+					echo "\n" . sprintf(gettext("For a WAN, enter the new %s %s upstream gateway address."), $upperifname, $label_IPvX) . "\n" .
+								gettext("For a LAN, press <ENTER> for none:") . "\n> ";
+					$gwip = chop(fgets($fp));
+					$is_ipaddr = ($version === 6) ? is_ipaddrv6($gwip) : is_ipaddrv4($gwip);
+					$is_in_subnet = $is_ipaddr && ip_in_subnet($gwip, $subnet . "/" . $intbits);
+					if ($gwip != '') {
+						if (!$is_ipaddr) {
+							echo sprintf(gettext("not an %s IP address!"), $label_IPvX) . "\n";
+						} else if (!$is_in_subnet) {
+							echo gettext("not in subnet!") . "\n";
+						}
+					}
+				} while (!($gwip == '' || ($is_ipaddr && $is_in_subnet)));
+
+				if ($gwip != '') {
+					$inet_type = ($version === 6) ? "inet6" : "inet";
+					$gwname = add_gateway_to_config($interface, $gwip, $inet_type);
+				}
 			}
+			$ifppp = console_get_interface_from_ppp(get_real_interface($interface));
+			if (!empty($ifppp))
+				$ifaceassigned = $ifppp;
+			break;
 		}
-		$ifppp = console_get_interface_from_ppp(get_real_interface($interface));
-		if (!empty($ifppp))
-			$ifaceassigned = $ifppp;
 	}

 	return array($intip, $intbits, $gwname);
@ -333,7 +349,7 @@ $config['interfaces'][$interface]['gatewayv6'] = $gwname6;
 $config['interfaces'][$interface]['enable']    = true;

 function console_configure_dhcpd($version = 4) {
-	global $g, $config, $restart_dhcpd, $fp, $interface, $dry_run;
+	global $g, $config, $restart_dhcpd, $fp, $interface, $dry_run, $intip, $intbits, $intip6, $intbits6;

 	$label_IPvX = ($version === 6) ? "IPv6"    : "IPv4";
 	$dhcpd      = ($version === 6) ? "dhcpdv6" : "dhcpd";
@ -341,25 +357,39 @@ function console_configure_dhcpd($version = 4) {
 	if($g['services_dhcp_server_enable'])
 		$yn = prompt_for_enable_dhcp_server($version);
 	if ($yn == "y") {
+		$subnet_start = ($version === 6) ? gen_subnetv6($intip6, $intbits6) : gen_subnet($intip, $intbits);
+		$subnet_end = ($version === 6) ? gen_subnetv6_max($intip6, $intbits6) : gen_subnet_max($intip, $intbits);
 		do {
-			echo sprintf(gettext("Enter the start address of the %s client address range:"), $label_IPvX) . " ";
-			$dhcpstartip = chop(fgets($fp));
-			if ($dhcpstartip === "") {
-				fclose($fp);
-				exit(0);
-			}
-			$is_ipaddr = ($version === 6) ? is_ipaddrv6($dhcpstartip) : is_ipaddrv4($dhcpstartip);
-		} while (!$is_ipaddr);
+			do {
+				echo sprintf(gettext("Enter the start address of the %s client address range:"), $label_IPvX) . " ";
+				$dhcpstartip = chop(fgets($fp));
+				if ($dhcpstartip === "") {
+					fclose($fp);
+					exit(0);
+				}
+				$is_ipaddr = ($version === 6) ? is_ipaddrv6($dhcpstartip) : is_ipaddrv4($dhcpstartip);
+				$is_inrange = is_inrange($dhcpstartip, $subnet_start, $subnet_end);
+				if (!$is_inrange)
+					echo gettext("This IP address must be in the interface's subnet") . "\n";
+			} while (!$is_ipaddr || !$is_inrange);

-		do {
-			echo sprintf(gettext("Enter the end address of the %s client address range:"), $label_IPvX) . " ";
-			$dhcpendip = chop(fgets($fp));
-			if ($dhcpendip === "") {
-				fclose($fp);
-				exit(0);
-			}
-			$is_ipaddr = ($version === 6) ? is_ipaddrv6($dhcpendip) : is_ipaddrv4($dhcpendip);
-		} while (!$is_ipaddr);
+			do {
+				echo sprintf(gettext("Enter the end address of the %s client address range:"), $label_IPvX) . " ";
+				$dhcpendip = chop(fgets($fp));
+				if ($dhcpendip === "") {
+					fclose($fp);
+					exit(0);
+				}
+				$is_ipaddr = ($version === 6) ? is_ipaddrv6($dhcpendip) : is_ipaddrv4($dhcpendip);
+				$is_inrange = is_inrange($dhcpendip, $subnet_start, $subnet_end);
+				if (!$is_inrange)
+					echo gettext("This IP address must be in the interface's subnet") . "\n";
+				$not_inorder = ($version === 6) ? (inet_pton($dhcpendip) < inet_pton($dhcpstartip)) : ip_less_than($dhcpendip, $dhcpstartip);
+				if ($not_inorder) {
+					echo gettext("The end address of the DHCP range must be >= the start address") . "\n";
+				}
+			} while (!$is_ipaddr || !$is_inrange);
+		} while ($not_inorder);
 		$restart_dhcpd = true;
 		$config[$dhcpd][$interface]['enable'] = true;
 		$config[$dhcpd][$interface]['range']['from'] = $dhcpstartip;
@ -466,7 +496,7 @@ if ($intip6 != '') {
 }

 if ($intip != '' || $intip6 != '') {
-	if (count($ifdescrs) == "1" or $interface = "lan") {
+	if (count($ifdescrs) == "1" or $interface == "lan") {
 		if ($debug) {
 			echo "ifdescrs count is " . count($ifdescrs) . "\n";
 			echo "interface is {$interface} \n";
--- a/etc/rc.interfaces_carp_configure
+++ b/etc/rc.interfaces_carp_configure
@ -3,7 +3,7 @@
 /* $Id$ */
 /*
    rc.interfaces_carp_configure
-    part of pfSense (http://www.pfSense.com)
+    part of pfSense (https://www.pfsense.org)
    Copyright (C) 2004 Scott Ullrich
    All rights reserved.

--- a/etc/rc.interfaces_lan_configure
+++ b/etc/rc.interfaces_lan_configure
@ -3,7 +3,7 @@
 /* $Id$ */
 /*
    rc.interfaces_lan_configure
-    part of pfSense (http://www.pfSense.com)
+    part of pfSense (https://www.pfsense.org)
    Copyright (C) 2004 Scott Ullrich
    All rights reserved.

--- a/etc/rc.interfaces_opt_configure
+++ b/etc/rc.interfaces_opt_configure
@ -3,7 +3,7 @@
 /* $Id$ */
 /*
    rc.interfaces_opt_configure
-    part of pfSense (http://www.pfSense.com)
+    part of pfSense (https://www.pfsense.org)
    Copyright (C) 2004 Scott Ullrich
    All rights reserved.

--- a/etc/rc.interfaces_wan_configure
+++ b/etc/rc.interfaces_wan_configure
@ -3,7 +3,7 @@
 /* $Id$ */
 /*
    rc.interfaces_wan_configure
-    part of pfSense (http://www.pfSense.com)
+    part of pfSense (https://www.pfsense.org)
    Copyright (C) 2004 Scott Ullrich
    All rights reserved.

--- a/etc/rc.kill_states
+++ b/etc/rc.kill_states
@ -3,7 +3,7 @@
 /*
 	rc.newwanip
 	Copyright (C) 2013 Renato Botelho (garga@pfsense.org)
-	part of pfSense (http://www.pfsense.com)
+	part of pfSense (https://www.pfsense.org)

 	Redistribution and use in source and binary forms, with or without
 	modification, are permitted provided that the following conditions are met:
@ -63,6 +63,24 @@ if (!empty($local_ip)) {
 if (!isset($config['system']['kill_states'])) {
 	if (!empty($local_ip)) {
 		log_error("rc.kill_states: Removing states for IP {$local_ip}/{$subnet_bits}");
+		$nat_states = exec_command("/sbin/pfctl -i {$interface} -ss | " .
+			"/usr/bin/egrep '\-> +{$local_ip}:[0-9]+ +\->'");
+
+		$cleared_states = array();
+		foreach(explode("\n", $nat_states) as $nat_state) {
+			if (preg_match_all('/([\d\.]+):[\d]+[\s->]+/i', $nat_state, $matches, PREG_SET_ORDER) != 3)
+				continue;
+
+			$src = $matches[0][1];
+			$dst = $matches[2][1];
+
+			if (empty($src) || empty($dst) || in_array("{$src},{$dst}", $cleared_states))
+				continue;
+
+			$cleared_states[] = "{$src},{$dst}";
+			mwexec("/sbin/pfctl -k {$src} -k {$dst}", true);
+		}
+
 		mwexec("/sbin/pfctl -k 0.0.0.0/0 -k {$local_ip}/{$subnet_bits}", true);
 		mwexec("/sbin/pfctl -k {$local_ip}/{$subnet_bits}", true);
 		mwexec("/sbin/pfctl -K {$local_ip}/{$subnet_bits}", true);
--- a/etc/rc.linkup
+++ b/etc/rc.linkup
@ -51,7 +51,7 @@ function handle_argument_group($iface, $argument2) {
 		$staticv4 = is_ipaddrv4($ipaddr);
 	$staticv6 = false;
 	if (empty($ip6addr))
-		$statcv6 = true;
+		$staticv6 = true;
 	else
 		$staticv6 = is_ipaddrv6($ip6addr);
 	if ($staticv4 === true && $staticv6 === true) {
@ -60,7 +60,8 @@ function handle_argument_group($iface, $argument2) {
 		interfaces_staticarp_configure($iface);
 		$iface = get_real_interface($iface);
 		interfaces_bring_up($iface);
-		if ($argument2 == "start" || $argument2 == "up")
+		/* NOTE: Do not generate event for OpenVPN since the daemon does that for us. */
+		if (($argument2 == "start" || $argument2 == "up") && substr($iface, 0, 4) != "ovpn")
 			send_event("interface newip {$iface}");
 	} else {
 		switch ($argument2) {
@ -83,9 +84,7 @@ function handle_argument_group($iface, $argument2) {
 }

 global $g;
-if (file_exists("{$g['varrun_path']}/booting")) {
-	/* ignore all linkup events */
-} else {
+if (!file_exists("{$g['varrun_path']}/booting") && empty($g['booting'])) {
 	if ($argc < 3) {
 		log_error("HOTPLUG event: The number of required parameters not passed!");
 		exit;
--- a/etc/rc.newipsecdns
+++ b/etc/rc.newipsecdns
@ -44,9 +44,10 @@ require_once("vpn.inc");
 if (file_exists("{$g['varrun_path']}/booting"))
 	return;

-if (isset($config['ipsec']['enable']))
+if (isset($config['ipsec']['enable'])) {
+	sleep(15);
 	log_error("IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.");
-else
+} else
 	return;

 $ipseclck = lock('ipsecdns', LOCK_EX);
@ -60,5 +61,8 @@ vpn_ipsec_refresh_policies();

 vpn_ipsec_configure();

+if (isset($config['ipsec']['failoverforcereload']))
+	vpn_ipsec_force_reload();
+
 unlock($ipseclck);
 ?>
--- a/etc/rc.newwanip
+++ b/etc/rc.newwanip
@ -3,7 +3,7 @@
 /*
 	rc.newwanip
 	Copyright (C) 2006 Scott Ullrich (sullrich@gmail.com)
-	part of pfSense (http://www.pfsense.com)
+	part of pfSense (https://www.pfsense.org)

 	Originally part of m0n0wall (http://m0n0.ch)
 	Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>.
@ -40,6 +40,7 @@ require_once("shaper.inc");
 require_once("ipsec.inc");
 require_once("vpn.inc");
 require_once("openvpn.inc");
+require_once("IPv6.inc");
 require_once("rrd.inc");

 // Do not process while booting
@ -61,26 +62,47 @@ $argument = str_replace("\n", "", $argv[1]);

 log_error("rc.newwanip: Informational is starting {$argument}.");

-if(empty($argument)) {
-	$curwanip = get_interface_ip();
+if (empty($argument)) {
 	$interface = "wan";
 	$interface_real = get_real_interface();
 } else {
 	$interface = convert_real_interface_to_friendly_interface_name($argument);
 	$interface_real = $argument;
+}
+
+$interface_descr = convert_friendly_interface_to_friendly_descr($interface);
+
+/* If the interface is configured and not enabled, bail. We do not need to change settings for disabled interfaces. #3313 */
+if (is_array($config['interfaces'][$interface]) && !isset($config['interfaces'][$interface]['enable'])) {
+	log_error("Interface is disabled, nothing to do.");
+	return;
+}
+
+if (empty($argument))
+	$curwanip = get_interface_ip();
+else {
 	$curwanip = find_interface_ip($interface_real, true);
 	if($curwanip == "")
 		$curwanip = get_interface_ip($interface);
 }

-log_error("rc.newwanip: on (IP address: {$curwanip}) (interface: {$interface}) (real interface: {$interface_real}).");
+log_error("rc.newwanip: on (IP address: {$curwanip}) (interface: {$interface_descr}[{$interface}]) (real interface: {$interface_real}).");

-if($curwanip == "0.0.0.0" || !is_ipaddr($curwanip)) {
-	log_error("rc.newwanip: Failed to update {$interface} IP, restarting...");
-	send_event("interface reconfigure {$interface}");
-	exit;
+/*
+ * NOTE: Take care of openvpn and no-ip interfaces or similar if you generate the event to reconfigure an interface.
+ *      i.e. OpenVPN might be in tap mode and not have an ip.
+ */
+if ($curwanip == "0.0.0.0" || !is_ipaddr($curwanip)) {
+	if (substr($interface_real, 0, 4) != "ovpn") {
+		if (!empty($config['interfaces'][$interface]['ipaddr'])) {
+			log_error("rc.newwanip: Failed to update {$interface} IP, restarting...");
+			send_event("interface reconfigure {$interface}");
+			exit;
+		}
+	}
 }

+/* XXX: This really possible? */
 if (empty($interface)) {
 	filter_configure();
 	restart_packages();
@ -95,7 +117,8 @@ if (file_exists("{$g['vardb_path']}/{$interface}_cacheip"))
 system_resolvconf_generate(true);

 /* write current WAN IP to file */
-file_put_contents("{$g['vardb_path']}/{$interface}_ip", $curwanip);
+if (is_ipaddr($curwanip))
+	@file_put_contents("{$g['vardb_path']}/{$interface}_ip", $curwanip);

 link_interface_to_vips($interface, "update");

@ -112,29 +135,26 @@ $grouptmp = link_interface_to_group($interface);
 if (!empty($grouptmp))
 	array_walk($grouptmp, 'interface_group_add_member');

-if ($linkupevent == false || substr($interface_real, 0, 4) == "ovpn") {
-	unset($bridgetmp);
-	$bridgetmp = link_interface_to_bridge($interface);
-	if (!empty($bridgetmp))
-		interface_bridge_add_member($bridgetmp, $interface_real);
-}
+unset($bridgetmp);
+$bridgetmp = link_interface_to_bridge($interface);
+if (!empty($bridgetmp))
+	interface_bridge_add_member($bridgetmp, $interface_real);

 /* make new hosts file */
-if ($interface == "lan")
-	system_hosts_generate();
+system_hosts_generate();

 /* check tunneled IPv6 interface tracking */
 switch($config['interfaces'][$interface]['ipaddrv6']) {
-	case "slaac":
-	case "dhcp6":
-		interface_dhcpv6_configure($interface, $config['interfaces'][$interface]);
-		break;
 	case "6to4":
 		interface_6to4_configure($interface, $config['interfaces'][$interface]);
 		break;
 	case "6rd":
 		interface_6rd_configure($interface, $config['interfaces'][$interface]);
 		break;
+	case "dhcp6":
+		if (isset($config['interfaces'][$interface]['dhcp6usev4iface']))
+			interface_dhcpv6_configure($interface, $config['interfaces'][$interface]);
+		break;
 }

 /* Check Gif tunnels */
@ -168,7 +188,8 @@ if (!is_ipaddr($oldip) || $curwanip != $oldip || !is_ipaddrv4($config['interface
 	/* reconfigure our gateway monitor */
 	setup_gateways_monitor();

-	file_put_contents("{$g['vardb_path']}/{$interface}_cacheip", $curwanip);
+	if (is_ipaddr($curwanip))
+		@file_put_contents("{$g['vardb_path']}/{$interface}_cacheip", $curwanip);

 	/* perform RFC 2136 DNS update */
 	services_dnsupdate_process($interface);
--- a/etc/rc.newwanipv6
+++ b/etc/rc.newwanipv6
@ -3,7 +3,7 @@
 /*
        rc.newwanipv6
        Copyright (C) 2006 Scott Ullrich (sullrich@gmail.com)
-        part of pfSense (http://www.pfsense.com)
+        part of pfSense (https://www.pfsense.org)

 		Originally part of m0n0wall (http://m0n0.ch)
        Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>.
@ -55,24 +55,22 @@ function restart_packages() {
 }

 /* Interface IP address has changed */
-$argument = str_replace("\n", "", $argv[1]);
+$argument = trim($argv[1], " \n\t");

 log_error("rc.newwanipv6: Informational is starting {$argument}.");

-/* wait for the dhcp6c process to configure the LAN interface */
-sleep(5);
-
-if(empty($argument)) {
+if (empty($argument)) {
 	$interface = "wan";
-	$interface_real = get_real_interface($interface);
+	$interface_real = get_real_interface($interface, "inet6");
 	$curwanipv6 = get_interface_ipv6($interface, true);
 } else {
 	$interface_real = $argument;
 	$interface = convert_real_interface_to_friendly_interface_name($interface_real);
 	$curwanipv6 = get_interface_ipv6($interface, true);
-	$interface_realv6 = get_real_interface($interface, "inet6");
 }

+$interface_descr = convert_friendly_interface_to_friendly_descr($interface);
+
 if (empty($interface)) {
 	filter_configure();
 	// restart_packages();
@ -80,11 +78,15 @@ if (empty($interface)) {
 }

 //Do not process while booting
-if($g['booting'] && $config['interfaces'][$interface]['ipaddrv6'] != "dhcp6")
+if ($g['booting'] && $config['interfaces'][$interface]['ipaddrv6'] != "dhcp6")
 	exit;

-if(empty($curwanipv6) || !is_ipaddrv6($curwanipv6)) {
-        log_error("rc.newwanipv6: Failed to update {$interface} IPv6, restarting...");
+/*
+ * NOTE: Take care of openvpn and similar if you generate the event to reconfigure an interface.
+ *	i.e. OpenVPN might be in tap mode and not have an ip.
+ */
+if ((empty($curwanipv6) || !is_ipaddrv6($curwanipv6)) && substr($interface_real, 0, 4) != "ovpn") {
+        log_error("rc.newwanipv6: Failed to update {$interface_descr}[{$interface}] IPv6, restarting...");
 	// send_event("interface reconfigure {$interface}");
        exit;
 }
@ -93,20 +95,21 @@ if (!empty($_ENV['new_domain_name_servers'])) {
 	$name_servers = explode(" ", $_ENV['new_domain_name_servers']);
 	$valid_ns = array();
 	foreach($name_servers as $ns) {
-		if(is_ipaddrv6(trim($ns)))
+		if (is_ipaddrv6(trim($ns)))
 			$valid_ns[] = trim($ns);
 	}

-	if(count($valid_ns > 0))
+	if (count($valid_ns > 0))
 		file_put_contents("{$g['varetc_path']}/nameserver_v6{$interface}", implode("\n", $valid_ns));
 }
-if(!empty($_ENV['new_domain_name']))
+if (!empty($_ENV['new_domain_name']))
 	file_put_contents("{$g['varetc_path']}/searchdomain_v6{$interface}", $_ENV['new_domain_name']);

 /* write current WAN IPv6 to file */
-file_put_contents("{$g['vardb_path']}/{$interface}_ipv6", $curwanipv6);
+if (is_ipaddrv6($curwanipv6))
+	@file_put_contents("{$g['vardb_path']}/{$interface}_ipv6", $curwanipv6);

-log_error("rc.newwanipv6: on (IP address: {$curwanipv6}) (interface: {$interface}) (real interface: {$interface_realv6}).");
+log_error("rc.newwanipv6: on (IP address: {$curwanipv6}) (interface: {$interface}) (real interface: {$interface_real}).");

 $oldipv6 = "";
 if (file_exists("{$g['vardb_path']}/{$interface}_cacheipv6"))
@ -138,14 +141,15 @@ if (is_ipaddrv6($oldipv6)) {
 			vpn_ipsec_force_reload($interface);

 			/* start OpenVPN server & clients */
-			openvpn_resync_all($interface);
+			if (substr($interface_real, 0, 4) != "ovpn")
+				openvpn_resync_all($interface);
 		}
 		exit;
-	} else if (does_interface_exist($interface_realv6))
-		mwexec("/sbin/ifconfig {$interface_realv6} inet6 {$oldipv6} delete");
-}
+	} else if (does_interface_exist($interface_real))
+		mwexec("/sbin/ifconfig {$interface_real} inet6 {$oldipv6} delete");

-file_put_contents("{$g['vardb_path']}/{$interface}_cacheipv6", $curwanipv6);
+	file_put_contents("{$g['vardb_path']}/{$interface}_cacheipv6", $curwanipv6);
+}

 /* perform RFC 2136 DNS update */
 services_dnsupdate_process($interface);
--- a/etc/rc.notify_message
+++ b/etc/rc.notify_message
@ -2,7 +2,7 @@
 <?php
 /*
    rc.notify_message
-    part of pfSense (http://www.pfSense.com)
+    part of pfSense (https://www.pfsense.org)
    Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com>
    All rights reserved.

--- a/etc/rc.openvpn
+++ b/etc/rc.openvpn
@ -41,19 +41,26 @@ require_once("openvpn.inc");
 function openvpn_resync_if_needed ($mode, $ovpn_settings, $interface) {
 	global $g, $config;

-	$resync_needed = false;
-	if (empty($interface)) {
-		$resync_needed = true;
+	$resync_needed = true;
+	if (isset($ovpn_settings['disable'])) {
+		$resync_needed = false;
 	} else {
-		$mode_id = $mode . $ovpn_settings['vpnid'];
-		$fpath = "{$g['varetc_path']}/openvpn/{$mode_id}.interface";
-		$current_device = file_get_contents($fpath);
-		$new_device = get_failover_interface($ovpn_settings['interface']);
-		$this_device = $config['interfaces'][$interface]['if'];
-		if (($current_device != $new_device) || ($current_device == $this_device) || ($new_device == $this_device))
-			$resync_needed = true;
+		if (!empty($interface)) {
+			$mode_id = $mode . $ovpn_settings['vpnid'];
+			$fpath = "{$g['varetc_path']}/openvpn/{$mode_id}.interface";
+			if (file_exists($fpath)) {
+				$current_device = file_get_contents($fpath);
+				$current_device = trim($current_device, " \t\n");
+				$new_device = get_failover_interface($ovpn_settings['interface']);
+				if (isset($config['interfaces'][$interface])) {
+					$this_device = $config['interfaces'][$interface]['if'];
+					if (($current_device == $new_device) && ($current_device != $this_device))
+						$resync_needed = false;
+				}
+			}
+		}
 	}
-	if ($resync_needed) {
+	if ($resync_needed == true) {
 		log_error("OpenVPN: Resync " . $mode_id . " " . $ovpn_settings['description']);
 		openvpn_resync($mode, $ovpn_settings);
 	}
@ -63,42 +70,48 @@ function openvpn_resync_if_needed ($mode, $ovpn_settings, $interface) {
 if (file_exists("{$g['varrun_path']}/booting"))
 	return;

+/* Input argument is a comma-separated list of gateway names, blank or "all". */
 $argument = trim($argv[1], " \n");

 if(is_array($config['openvpn']['openvpn-server']) || is_array($config['openvpn']['openvpn-client'])) {
-	if (empty($argument) || $argument == "all")
+	if (empty($argument) || $argument == "all") {
+		$argument = "all"; 
 		$log_text = "all";
-	else
+	} else {
 		$log_text = "endpoints that may use " . $argument;
+	}
 	log_error("OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading " . $log_text . ".");
 } else
 	return;

-$gwgroups = array();
 $openvpnlck = lock('openvpn', LOCK_EX);
-if (empty($argument) || $argument == "all")
-	$interface = ""; 
-else {
-	// e.g. $argument = "WANGW", $interface = "wan"
-	$interface = lookup_gateway_interface_by_name($argument);
-	if (empty($interface))
-		$interface = $argument;
-	else
-		// e.g. $argument = "WANGW", $gwgroups = array of gateway groups that use "wan"
-		$gwgroups = gateway_is_gwgroup_member($argument);
-}
-
-if(is_array($config['openvpn']['openvpn-server'])) {
-	foreach($config['openvpn']['openvpn-server'] as &$server) {
-		if ($server['interface'] == $interface || empty($interface) || (!empty($gwgroups) && in_array($server['interface'], $gwgroups)))
-			openvpn_resync_if_needed('server', $server, $interface);
+$arg_array = explode(",",$argument);
+foreach ($arg_array as $arg_element) {
+	$gwgroups = array();
+	if ($arg_element == "all")
+		$interface = ""; 
+	else {
+		// e.g. $arg_element = "WANGW", $interface = "wan"
+		$interface = lookup_gateway_interface_by_name($arg_element);
+		if (empty($interface))
+			$interface = $arg_element;
+		else
+			// e.g. $arg_element = "WANGW", $gwgroups = array of gateway groups that use "wan"
+			$gwgroups = gateway_is_gwgroup_member($arg_element);
 	}
-}

-if (is_array($config['openvpn']['openvpn-client'])) {
-	foreach($config['openvpn']['openvpn-client'] as &$client) {
-		if ($client['interface'] == $interface || empty($interface) || (!empty($gwgroups) && in_array($client['interface'], $gwgroups)))
-			openvpn_resync_if_needed('client', $client, $interface);
+	if(is_array($config['openvpn']['openvpn-server'])) {
+		foreach($config['openvpn']['openvpn-server'] as &$server) {
+			if ($server['interface'] == $interface || empty($interface) || (!empty($gwgroups) && in_array($server['interface'], $gwgroups)))
+				openvpn_resync_if_needed('server', $server, $interface);
+		}
+	}
+
+	if (is_array($config['openvpn']['openvpn-client'])) {
+		foreach($config['openvpn']['openvpn-client'] as &$client) {
+			if ($client['interface'] == $interface || empty($interface) || (!empty($gwgroups) && in_array($client['interface'], $gwgroups)))
+				openvpn_resync_if_needed('client', $client, $interface);
+		}
 	}
 }

--- a/etc/rc.packages
+++ b/etc/rc.packages
@ -3,7 +3,7 @@
 /* $Id$ */
 /*
    rc.packages
-    part of pfSense (http://www.pfSense.com)
+    part of pfSense (https://www.pfsense.org)
    Copyright (C) 2004 Scott Ullrich
    All rights reserved.

--- a/etc/rc.php_ini_setup
+++ b/etc/rc.php_ini_setup
@ -27,6 +27,7 @@

 # Set our operating platform
 PLATFORM=`/bin/cat /etc/platform`
+MIN_REALMEM_FOR_APC=512

 if [ -d /usr/local/lib/php/20090626 ]; then
 	EXTENSIONSDIR="/usr/local/lib/php/20090626/"
@ -46,22 +47,35 @@ if [ -z "$AVAILMEM" ]; then
 	AVAILMEM=`/bin/expr $MEM / 1048576`
 fi

-# Calculate APC SHM size according 
-# to detected memory values
-if [ "$AVAILMEM" -gt "135" ]; then
-	APCSHMEMSIZE="10M"
-fi
-if [ "$AVAILMEM" -gt "256" ]; then
-	APCSHMEMSIZE="20M"
-fi
-if [ "$AVAILMEM" -gt "384" ]; then
-	APCSHMEMSIZE="25M"
-fi
-if [ "$AVAILMEM" -gt "512" ]; then
-	APCSHMEMSIZE="30M"
-fi
-if [ "$AVAILMEM" -gt "784" ]; then
-	APCSHMEMSIZE="50M"
+
+# Get amount of ram installed on this system
+REALMEM=`/sbin/sysctl hw.realmem | /usr/bin/awk '{print $2/1048576}' | /usr/bin/awk -F '.' '{print $1}'`
+export REALMEM
+export LOWMEM
+
+if [  "$REALMEM" -lt "$MIN_REALMEM_FOR_APC" ]; then
+	LOWMEM="TRUE"
+	echo ">>> Under $MIN_REALMEM_FOR_APC megabytes of ram detected.  Not enabling APC."
+	echo ">>> Under $MIN_REALMEM_FOR_APC megabytes of ram detected.  Not enabling APC." | /usr/bin/logger -p daemon.info -i -t rc.php_ini_setup
+else
+
+	# Calculate APC SHM size according 
+	# to detected memory values
+	if [ "$AVAILMEM" -gt "135" ]; then
+		APCSHMEMSIZE="10M"
+	fi
+	if [ "$AVAILMEM" -gt "256" ]; then
+		APCSHMEMSIZE="20M"
+	fi
+	if [ "$AVAILMEM" -gt "384" ]; then
+		APCSHMEMSIZE="25M"
+	fi
+	if [ "$AVAILMEM" -gt "512" ]; then
+		APCSHMEMSIZE="30M"
+	fi
+	if [ "$AVAILMEM" -gt "784" ]; then
+		APCSHMEMSIZE="50M"
+	fi
 fi

 # Set upload directory
@ -74,7 +88,7 @@ fi
 # Define php modules.  Do not add .so, it will  
 # be done automatically by the script below.
 PHPMODULES="standard"
-if [  "$AVAILMEM" -gt 135 ]; then
+if [ "$LOWMEM" != "TRUE" ]; then
 	PHPMODULES="$PHPMODULES apc"
 fi
 # Config read/write
@ -121,6 +135,9 @@ PHPMODULES="$PHPMODULES pfSense"
 PHPMODULES="$PHPMODULES json"
 # bcmath
 PHPMODULES="$PHPMODULES bcmath"
+# filter
+PHPMODULES="$PHPMODULES filter"
+

 PHP_ZEND_MODULES="ioncube_loader"
 PHP_ZEND_MODULES_TS="ioncube_loader_ts"
@ -249,11 +266,8 @@ for EXT in $PHP_ZEND_MODULES_TS; do
 	fi
 done

-# Get amount of ram installed on this system
-RAM=`/sbin/sysctl hw.realmem | /usr/bin/awk '{print $2/1000000}' | /usr/bin/awk -F '.' '{print $1}'`
-export RAM
-export LOWMEM
-if [  "$RAM" -gt 135 ]; then
+
+if [ "$LOWMEM" != "TRUE" ]; then

 	/bin/cat >>/usr/local/lib/php.ini <<EOF

@ -263,11 +277,6 @@ apc.enable_cli="0"
 apc.shm_size="${APCSHMEMSIZE}"

 EOF
-
-else
-	LOWMEM="TRUE"
-	echo ">>> WARNING!  under 128 megabytes of ram detected.  Not enabling APC."
-	echo ">>> WARNING!  under 128 megabytes of ram detected.  Not enabling APC." | /usr/bin/logger -p daemon.info -i -t rc.php_ini_setup
 fi

 	/bin/cat >>/usr/local/lib/php.ini <<EOF
--- a/etc/rc.reload_all
+++ b/etc/rc.reload_all
@ -3,7 +3,7 @@
 /* $Id$ */
 /*
    rc.reload_all
-    part of pfSense (http://www.pfSense.com)
+    part of pfSense (https://www.pfsense.org)
    Copyright (C) 2004 Scott Ullrich
    All rights reserved.

--- a/etc/rc.reload_interfaces
+++ b/etc/rc.reload_interfaces
@ -3,7 +3,7 @@
 /* $Id$ */
 /*
    rc.reload_interfaces
-    part of pfSense (http://www.pfSense.com)
+    part of pfSense (https://www.pfsense.org)
    Copyright (C) 2004 Scott Ullrich
    All rights reserved.

--- a/etc/rc.restore_config_backup
+++ b/etc/rc.restore_config_backup
@ -51,7 +51,7 @@ function choose_backup() {
 	echo gettext("Which configuration would you like to restore?") . "\n";
 	echo " 1-" . count($confvers) . " : ";
 	$number = strtoupper(chop(fgets($fp)));
-	if (is_numeric($number) && ($number > 0) && ($number < count($confvers))) {
+	if (is_numeric($number) && ($number > 0) && ($number <= count($confvers))) {
 		return $number;
 	} else {
 		echo gettext("That is not a valid backup number.\n");
@ -61,7 +61,7 @@ function choose_backup() {

 function restore_history_backup($number) {
 	global $g, $fp, $confvers;
-	if (is_numeric($number) && ($number > 0) && ($number < count($confvers))) {
+	if (is_numeric($number) && ($number > 0) && ($number <= count($confvers))) {
 		$realnumber = $number - 1;
 		echo "\n" . gettext("Is this the backup you wish to restore?") . "\n";
 		list_backups($realnumber);
--- a/etc/rc.start_packages
+++ b/etc/rc.start_packages
@ -3,7 +3,7 @@
 /* $Id$ */
 /*
    rc.start_packages
-    part of pfSense (http://www.pfSense.com)
+    part of pfSense (https://www.pfsense.org)
    Copyright (C) 2004 Scott Ullrich
    All rights reserved.

--- a/etc/rc.update_alias_url_data
+++ b/etc/rc.update_alias_url_data
@ -3,7 +3,7 @@
 /* $Id$ */
 /*
 	rc.update_alias_url-data.sh
-	part of pfSense (http://pfSense.org)
+	part of pfSense (https://www.pfsense.org)
 	
 	Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com>
 	All rights reserved.
--- a/etc/rc.update_bogons.sh
+++ b/etc/rc.update_bogons.sh
@ -2,7 +2,7 @@

 # Update bogons file
 # Part of the pfSense project
-# www.pfsense.com
+# https://www.pfsense.org

 # Global variables
 proc_error=""
@ -14,7 +14,7 @@ process_url() {
 	local filename=${url##*/}
 	local ext=${filename#*.}
 	
-	/usr/bin/fetch -q -o $file "${url}"
+	/usr/bin/fetch -a -T 30 -q -o $file "${url}"
 	
 	if [ ! -f $file ]; then
 		echo "Could not download ${url}" | logger
@ -84,9 +84,9 @@ if [ "$proc_error" != "" ]; then
 	exit
 fi

-BOGON_V4_CKSUM=`/usr/bin/fetch -q -o - "${v4urlcksum}" | awk '{ print $4 }'`
+BOGON_V4_CKSUM=`/usr/bin/fetch -T 30 -q -o - "${v4urlcksum}" | awk '{ print $4 }'`
 ON_DISK_V4_CKSUM=`md5 /tmp/bogons | awk '{ print $4 }'`
-BOGON_V6_CKSUM=`/usr/bin/fetch -q -o - "${v6urlcksum}" | awk '{ print $4 }'`
+BOGON_V6_CKSUM=`/usr/bin/fetch -T 30 -q -o - "${v6urlcksum}" | awk '{ print $4 }'`
 ON_DISK_V6_CKSUM=`md5 /tmp/bogonsv6 | awk '{ print $4 }'`

 if [ "$BOGON_V4_CKSUM" = "$ON_DISK_V4_CKSUM" ] || [ "$BOGON_V6_CKSUM" = "$ON_DISK_V6_CKSUM" ]; then
--- a/etc/rc.update_urltables
+++ b/etc/rc.update_urltables
@ -40,10 +40,10 @@ if (count($todo) > 0) {
 			exec("/sbin/pfctl -t " . escapeshellarg($t['name']) . " -T replace -f /var/db/aliastables/" . escapeshellarg($t['name']) . ".txt 2>&1", $result);
 			log_error("{$argv[0]}: Updated {$t['name']} content from {$t['url']}: {$result[0]}");
 		} elseif ($r == -1) {
-			log_error("{$argv[0]}: {$t['name']} does not need updated.");
+			log_error("{$argv[0]}: {$t['name']} does not need updating.");
 		} else {
 			log_error("{$argv[0]}: ERROR: could not update {$t['name']} content from {$t['url']}");
 		}
 	}
 }
-?>
+?>
--- a/etc/sshd
+++ b/etc/sshd
@ -121,6 +121,8 @@
 	$sshconf .= "Protocol 2\n";
 	/* Run the server on another port if we have one defined */
 	$sshconf .= "Port $sshport\n";
+	/* Hide FreeBSD version */
+	$sshconf .= "VersionAddendum \n";
 	
 	/* Apply package SSHDCond settings if config file exists */
 	if(file_exists("/etc/sshd_extra"))
--- a/etc/ssl/openssl.cnf
+++ b/etc/ssl/openssl.cnf
@ -103,7 +103,7 @@ distinguished_name=req_distinguished_name
 req_extensions = v3_req
 prompt=no

-default_bits            = 1024
+default_bits            = 2048
 default_keyfile         = privkey.pem
 distinguished_name      = req_distinguished_name
 attributes              = req_attributes
--- a/etc/version
+++ b/etc/version
@ -1 +1 @@
-2.1-RC0
+2.1.5-RELEASE
--- a/root/.hushlogin
+++ b/root/.hushlogin
--- a/root/.profile
+++ b/root/.profile
@ -0,0 +1,5 @@
+# Detect interactive logins and display the shell
+if [ `env | grep SSH_TTY | wc -l` -gt 0 ] || [ `env | grep cons25 | wc -l` -gt 0 ]; then
+	/etc/rc.initial
+	exit
+fi
--- a/root/.shrc
+++ b/root/.shrc
@ -1,2 +1,5 @@
-/etc/rc.initial
-exit
+# Detect interactive logins and display the shell
+if [ `env | grep SSH_TTY | wc -l` -gt 0 ] || [ `env | grep cons25 | wc -l` -gt 0 ]; then
+	/etc/rc.initial
+	exit
+fi
--- a/sbin/dhclient-script
+++ b/sbin/dhclient-script
@ -27,13 +27,14 @@ ROUTE=/sbin/route
 SED=/usr/bin/sed
 ARP=/usr/sbin/arp
 IFCONFIG=/sbin/ifconfig
+PFCTL=/sbin/pfctl

 LOCALHOST=127.0.0.1

 if [ -x /usr/bin/logger ]; then
 	LOGGER="/usr/bin/logger -s -p user.notice -t dhclient"
 else
-	LOGGER=echo
+	LOGGER="echo"
 fi

 #
@ -42,11 +43,9 @@ fi

 check_hostname() {
 	current_hostname=`$HOSTNAME`
-	if [ -z "$current_hostname" ]; then
-		$LOGGER "New Hostname ($interface): $new_host_name"
-		$HOSTNAME $new_host_name
-	elif [ "$current_hostname" = "$old_host_name" -a \
-	       "$new_host_name" != "$old_host_name" ]; then
+	if [ -z "$current_hostname" ] || \
+	   [ "$current_hostname" = "$old_host_name" -a \
+	     "$new_hostname" != "$old_host_name" ]; then
 		$LOGGER "New Hostname ($interface): $new_host_name"
 		$HOSTNAME $new_host_name
 	fi
@ -60,28 +59,30 @@ arp_flush() {

 delete_old_states() {
 	$LOGGER "Starting delete_old_states()"
+	_FLUSHED=0
 	# If the IP changed, remove states from the old one
 	if [ -f /var/db/${interface}_ip ]; then
-		OLD_IP = `cat /var/db/${interface}_ip`
+		OLD_IP=`cat /var/db/${interface}_ip`
 		$LOGGER "Comparing IPs: Old: ${OLD_IP} New: ${new_ip_address}"
 		if [ -n "${OLD_IP}" ] && [ "${OLD_IP}" != "${new_ip_address}" ]; then
 			$LOGGER "Removing states from old IP '${OLD_IP}' (new IP '${new_ip_address}')"
-			/sbin/pfctl -i $interface -Fs
-			pfctl -K ${OLD_IP}/32
+			${PFCTL} -i $interface -Fs
+			${PFCTL} -K ${OLD_IP}/32
+			_FLUSHED=1
 		fi
 	fi
 	# Delete states through old gateway if it's not the same
+	OLD_ROUTER=""
 	if [ -n "${old_routers}" ]; then
-		OLD_ROUTER = $old_routers
+		OLD_ROUTER=$old_routers
+	elif [ -f /tmp/${interface}_router ]; then
+		OLD_ROUTER=`cat /tmp/${interface}_router`
 	fi
-	if [ -z "${OLD_ROUTER}" ] && [ -f /tmp/${interface}_router ]; then
-		OLD_ROUTER = `cat /tmp/${interface}_router`
-	fi
-	if [ -n "${OLD_ROUTER}" ]; then
+	if [ ${_FLUSHED} -eq 0 -a -n "${OLD_ROUTER}" ]; then
 		$LOGGER "Comparing Routers: Old: ${OLD_ROUTER} New: ${new_routers}"
 		if [ "${OLD_ROUTER}" != "${new_routers}" ]; then
 			$LOGGER "Removing states through old gateway '${OLD_ROUTER}' (new gateway '${new_routers}')"
-			/sbin/pfctl -i $interface -Fs -G ${OLD_ROUTER}
+			${PFCTL} -i $interface -Fs
 		fi
 	fi
 }
@ -102,11 +103,12 @@ add_new_address() {
 		netmask $new_subnet_mask \
 		broadcast $new_broadcast_address \
 		$medium
+	$IFCONFIG $interface setfirst $new_ip_address

-		$LOGGER "New IP Address ($interface): $new_ip_address"
-		$LOGGER "New Subnet Mask ($interface): $new_subnet_mask"
-		$LOGGER "New Broadcast Address ($interface): $new_broadcast_address"
-		$LOGGER "New Routers ($interface): $new_routers"
+	$LOGGER "New IP Address ($interface): $new_ip_address"
+	$LOGGER "New Subnet Mask ($interface): $new_subnet_mask"
+	$LOGGER "New Broadcast Address ($interface): $new_broadcast_address"
+	$LOGGER "New Routers ($interface): $new_routers"


 	# This is necessary otherwise apinger will try to ping all 1s address
--- a/tmp/post_upgrade_command
+++ b/tmp/post_upgrade_command
@ -113,3 +113,18 @@ fi
 if [ -f /usr/local/sbin/php ]; then
 	rm /usr/local/sbin/php
 fi
+
+# Fixup permissions on installed files
+if [ "${PFSENSETYPE}" = "nanobsd" ]; then
+	MTREECHKDIR=/tmp/${1}/
+else
+	MTREECHKDIR=/
+fi
+if [ -f ${MTREECHKDIR}etc/installed_filesystem.mtree ]; then
+	/usr/sbin/mtree -U -e -q -f ${MTREECHKDIR}etc/installed_filesystem.mtree -p ${MTREECHKDIR} > /conf/mtree.log;
+fi;
+
+# Make sure to preserve existing time zone
+if [ "${PFSENSETYPE}" = "nanobsd" ] && [ -f /etc/localtime ]; then
+	/bin/cp -p /etc/localtime /tmp/${1}/etc/localtime 2>/dev/null
+fi
--- a/tmp/post_upgrade_command.php
+++ b/tmp/post_upgrade_command.php
@ -13,14 +13,15 @@
 			system("pfSsh.php playback gitsync " . escapeshellarg($config['system']['gitsync']['branch']) . " --upgrading");
 	}

-	if($g['platform'] == "embedded") {
+	$newslicedir = "";
+	if ($argv[1] != "")
+		$newslicedir = '/tmp/' . $argv[1];
+
+	if($g['platform'] == "embedded" || $g['enableserial_force'] || file_exists("{$newslicedir}/enableserial_force")) {
 		$config['system']['enableserial'] = true;
 		write_config();
 	}

-	$newslicedir = "";
-	if ($argv[1] != "")
-		$newslicedir = '/tmp/' . $argv[1];
 	system("echo \"Adding serial port settings ({$newslicedir})...\" >> /conf/upgrade_log.txt");
 	setup_serial_port("upgrade", $newslicedir);
 		
--- a/usr/local/bin/3gstats.php
+++ b/usr/local/bin/3gstats.php
@ -11,7 +11,7 @@ if(empty($argv[1])) {
 /* Huawei example */
 $device = "/dev/{$argv[1]}";
 $statfile = "/tmp/3gstats.{$argv[2]}";
-/* mode is a comma seperated value, thus submode is born */
+/* mode is a comma separated value, thus submode is born */
 $header = "#seconds,rssi,mode,submode,upstream,downstream,sentbytes,receivedbyts,bwupstream,bwdownstream,simstate,service\n";

 $i = 0;
--- a/usr/local/bin/captiveportal_gather_stats.php
+++ b/usr/local/bin/captiveportal_gather_stats.php
@ -55,6 +55,7 @@ if(empty($type))

 /* echo the rrd required syntax */
 echo "N:";
+$result = "NaN";

 if ($type == "loggedin") {

@ -101,7 +102,7 @@ if ($type == "loggedin") {
 	else {
 		$result = $current_user_count;
 	}
-} else
+} elseif ($type == "concurrent")
 	$result = $no_users;

 echo "$result";
--- a/usr/local/bin/mail.php
+++ b/usr/local/bin/mail.php
@ -0,0 +1,24 @@
+#!/usr/local/bin/php -q
+<?php
+require_once("config.inc");
+require_once("globals.inc");
+require_once("notices.inc");
+$options = getopt("s::");
+
+$message = "";
+
+if($options['s'] <> "") {
+	$subject = $options['s'];
+}
+
+
+$in = file("php://stdin");
+foreach($in as $line){
+	$message .= "$line";
+}
+
+if (!empty($subject))
+	send_smtp_message($message, $subject);
+else
+	send_smtp_message($message);
+?>
--- a/usr/local/bin/ping_hosts.sh
+++ b/usr/local/bin/ping_hosts.sh
@ -40,7 +40,7 @@ if [ -f /var/db/pkgpinghosts ]; then
 	PKGHOSTS="/var/db/pkgpinghosts"
 fi

-cat $PKGHOSTS $HOSTS $IPSECHOSTS >/tmp/tmpHOSTS
+cat $PKGHOSTS $HOSTS $CURRENTIPSECHOSTS >/tmp/tmpHOSTS

 if [ ! -d /var/db/pingstatus ]; then
 	/bin/mkdir -p /var/db/pingstatus
@ -75,29 +75,31 @@ for TOPING in $PINGHOSTS ; do
 	fi
 	echo Processing $DSTIP
 	# Look for a service being down
+	# Read in previous status
+	PREVIOUSSTATUS=""
+	if [ -f "/var/db/pingstatus/${DSTIP}" ]; then
+		PREVIOUSSTATUS=`cat /var/db/pingstatus/$DSTIP`
+	fi
 	$PINGCMD -c $COUNT -S $SRCIP $DSTIP
 	if [ $? -eq 0 ]; then
 		# Host is up
-		# Read in previous status
-		PREVIOUSSTATUS=`cat /var/db/pingstatus/$DSTIP`
-		if [ "$PREVIOUSSTATUS" = "DOWN" ]; then
+		if [ "$PREVIOUSSTATUS" != "UP" ]; then
 			# Service restored
+			echo "UP" > /var/db/pingstatus/$DSTIP
 			if [ "$SERVICERESTOREDSCRIPT" != "" ]; then
 				echo "$DSTIP is UP, previous state was DOWN .. Running $SERVICERESTOREDSCRIPT"
 				echo "$DSTIP is UP, previous state was DOWN .. Running $SERVICERESTOREDSCRIPT" | logger -p daemon.info -i -t PingMonitor
-				echo "UP" > /var/db/pingstatus/$DSTIP
 				sh -c $SERVICERESTOREDSCRIPT
 			fi
 		fi
 	else
 		# Host is down
-		PREVIOUSSTATUS=`cat /var/db/pingstatus/$DSTIP`
-		if [ "$PREVIOUSSTATUS" = "UP" ]; then
+		if [ "$PREVIOUSSTATUS" != "DOWN" ]; then
 			# Service is down
+			echo "DOWN" > /var/db/pingstatus/$DSTIP
 			if [ "$FAILURESCRIPT" != "" ]; then
 				echo "$DSTIP is DOWN, previous state was UP ..  Running $FAILURESCRIPT"
 				echo "$DSTIP is DOWN, previous state was UP ..  Running $FAILURESCRIPT" | logger -p daemon.info -i -t PingMonitor
-				echo "DOWN" > /var/db/pingstatus/$DSTIP
 				sh -c $FAILURESCRIPT
 			fi
 		fi
@ -108,7 +110,7 @@ for TOPING in $PINGHOSTS ; do
 	echo "Ping returned $?"
 	echo $PINGTIME > /var/db/pingmsstatus/$DSTIP
 	if [ "$THRESHOLD" != "" ]; then
-		if [ "$PINGTIME" -gt "$THRESHOLD" ]; then
+		if [ $(echo "${PINGTIME} > ${THRESHOLD}" | /usr/bin/bc) -eq 1 ]; then
 			echo "$DSTIP has exceeded ping threshold $PINGTIME / $THRESHOLD .. Running $FAILURESCRIPT"
 			echo "$DSTIP has exceeded ping threshold $PINGTIME / $THRESHOLD .. Running $FAILURESCRIPT" | logger -p daemon.info -i -t PingMonitor
 			sh -c $FAILURESCRIPT
@ -118,8 +120,8 @@ for TOPING in $PINGHOSTS ; do
 	#WANTIME=`rrdtool fetch /var/db/rrd/wan-quality.rrd AVERAGE -r 120 -s -1min -e -1min | grep ":" | cut -f3 -d" " | cut -d"e" -f1`
 	echo "Checking wan ping time $WANTIME"
 	echo $WANTIME > /var/db/wanaverage
-	if [ "$WANTHRESHOLD" != "" ]; then
-		if [ "$WANTIME" -gt "$WANTHRESHOLD" ]; then
+	if [ "$WANTHRESHOLD" != "" -a "$WANTIME" != "" ]; then
+		if [ $(echo "${WANTIME} > ${WANTHRESHOLD}" | /usr/bin/bc) -eq 1 ]; then
 			echo "$DSTIP has exceeded wan ping threshold $WANTIME / $WANTHRESHOLD .. Running $FAILURESCRIPT"
 			echo "$DSTIP has exceeded wan ping threshold $WANTIME / $WANTHRESHOLD .. Running $FAILURESCRIPT" | logger -p daemon.info -i -t PingMonitor
 			sh -c $FAILURESCRIPT
--- a/usr/local/captiveportal/radius_accounting.inc
+++ b/usr/local/captiveportal/radius_accounting.inc
@ -44,33 +44,6 @@

 define('GIGAWORDS_RIGHT_OPERAND', '4294967296'); // 2^32

-/**
- * Get the NAS-IP-Address based on the current wan address
- *
- * Use functions in interfaces.inc to find this out
- *
- */
-if (!function_exists('getNasIP')) {
-	function getNasIP()
-	{
-		global $config, $cpzone;
-
-		if (empty($config['captiveportal'][$cpzone]['radiussrcip_attribute'])) {
-				$nasIp = get_interface_ip();
-		} else {
-			if (is_ipaddr($config['captiveportal'][$cpzone]['radiussrcip_attribute']))
-				$nasIp = $config['captiveportal'][$cpzone]['radiussrcip_attribute'];
-			else
-				$nasIp = get_interface_ip($config['captiveportal'][$cpzone]['radiussrcip_attribute']);
-		}
-
-		if(!is_ipaddr($nasIp))
-			$nasIp = "0.0.0.0";
-
-		return $nasIp;
-	}
-}
-
 /*
 RADIUS ACCOUNTING START 
 -----------------------
@ -96,6 +69,8 @@ function RADIUS_ACCOUNTING_START($ruleno, $username, $sessionid, $radiusservers,
        break;

        default:
+            if (!function_exists('getNasIP'))
+                require_once("captiveportal.inc");
 	$calledstationid = getNasIP();
        $callingstationid = $clientmac;
 	break;
--- a/usr/local/captiveportal/radius_authentication.inc
+++ b/usr/local/captiveportal/radius_authentication.inc
@ -41,33 +41,6 @@
 	pfSense_MODULE:	captiveportal
 */

-/**
- * Get the NAS-IP-Address based on the current wan address
- *
- * Use functions in interfaces.inc to find this out
- *
- */
-if (!function_exists('getNasIP')) {
-        function getNasIP()
-        {
-                global $config, $cpzone;
-
-                if (empty($config['captiveportal'][$cpzone]['radiussrcip_attribute'])) {
-                                $nasIp = get_interface_ip();
-                } else {
-                        if (is_ipaddr($config['captiveportal'][$cpzone]['radiussrcip_attribute']))
-                                $nasIp = $config['captiveportal'][$cpzone]['radiussrcip_attribute'];
-                        else
-                                $nasIp = get_interface_ip($config['captiveportal'][$cpzone]['radiussrcip_attribute']);
-                }
-
-                if(!is_ipaddr($nasIp))
-                        $nasIp = "0.0.0.0";
-
-                return $nasIp;
-        }
-}
-
 /*
 RADIUS AUTHENTICATION
 ---------------------
@ -95,6 +68,8 @@ function RADIUS_AUTHENTICATION($username,$password,$radiusservers,$clientip,$cli
        	$callingstationid = $clientip;
        	break;
        default:
+            if (!function_exists('getNasIP'))
+                require_once("captiveportal.inc");
        	$calledstationid = getNasIP();
        	$callingstationid = $clientmac;
 		break;
--- a/Show More
+++ b/Show More