@jimp:

Those are only better if you trust that ECC hasn't been compromised by the NSA, which seems to still be under debate/scrutiny.

Well, if you don't trust the ECC stuff, then you still would want the larger RSA key sizes, since 3072-bit RSA corresponds to AES-128 key strength.  If you do trust the ECC stuff, you can get a performance boost at the larger key-equivalent sizes to 192-bit and 256-bit AES (384-bit and 512-bit ECC), since you'd need 7680-bit and 15360-bit RSA respectively.  The former is slow, but probably tolerable in many applications; the latter is impractically slow.

I want to compile the images.  Which files should be changed?

Thanks Phil; that's helpful to understand.  It then seems like both the touch pfSense-build.conf, and the const char * fixes in check_reload_status need to be made to get the build to work.

Problem solved - after some reading through source in the git, a workaround was:

/home/pfsense/tools/builder_scripts
touch pfsense-build.conf

With an empty file in place, the builder scripts will populate it with default values.

Seems to be a bug in the builder_scripts/set_version.sh file.  Line 52 should check whether the file exists first.

Why would it be better to do it in userspace as you describe, rather than natively?

Please see this http://forum.pfsense.org/index.php/topic,63656.0.html thread for background, but for 2.1 basically all you need to do is:

A) Edit /boot/loader.conf.local to add ahci_load="YES" B) Reboot C) Perform the TRIM_set action at a shell: touch /root/TRIM_set     (if you need to remove: touch /root/TRIM_unset) D) Reboot E) Verify if TRIM is enabled with "tunefs -p /"

I haven't checked out the 2.2 installer, but it's likely you will see an option to enable TRIM during install with 2.2

I am going to figure out git before I go any further.  The link above is dead because I'm going to delete my repository and start over.

The installer code is in github with all the other code. Check in the tools repository.

I dont know mate! I havent checked TBH :)

Just wondering since Snort suffers from it.

Just an update - switching to a newer Xen 4.3 dom0 (Fedora 20) still has the same issue.

Patching xenstore.c using the above patch fixes the issue.

I do not think it really matters in pfSense builder case where you adopt git with FreeBSD or not.
Our patches apply to FreeBSD repo be it SVN/GIT/whatever.

Nowdays you can clone the freebsd git repo from github for the builder.
I do not see anything here related to git+freebsd.

It might be just a question of where the anchor is setuped.
If you move the relayd anchor below nat rules it would work as expected.

tnx.
i runed ./set_version.sh RELENG_2_1
but.i saw this error.
.
.
.
/usr/pfSensesrc/src/system.rej
/usr/pfSensesrc/src/passwd.rej

######################
sometime went wrong,check errors
######################
press enter to continue.
terminated!!
please help me.

We don't test with any "smaller" kernels, so only what we have is guaranteed to work.

That said, any drivers removed could be switched to modules and it might come out OK. Maybe.

For the binaries – yes, a pull request to put the port files into the tools tree is what is required.

The the pfSense package code, a pull request in the packages repository is required.

http://forum.pfsense.org/index.php/topic,68865.0.html

Yep, and now you can see where the .mtree file is and how it sets the permissions (the last line)

Yes.