* dnsmasq: Add router advertisement options
* dnsmasq: Add router advertisement options
* dnsmasq: Add router advertisement options, fix small issue with spurious newline
* dnsmasq: Selectively show and hide dhcpv4 and dhcpv6 related options without introducing a new selectpicker. Since the validation in dnsmasq.php uses : to determine IPv6, the front end behaves the same.
* dnsmasq: Fix small style issue in previous
* dnsmasq: Since router advertisements are not opt-out per dhcpv6 range, it makes more sense not to enable it implicitly, but explicitly as a global option.
* dnsmasq: Add validation for ra_mode, fix template spot of ra_mode, improve help text
* dnsmasq: Clear helptext up regarding SLAAC and prefix length. Template ignores this by default when ra is enabled.
* dnsmasq: Fix terminology of ra-param and add MTU option for feature completeness
* Update src/opnsense/mvc/app/controllers/OPNsense/Dnsmasq/forms/dialogDHCPrange.xml
Co-authored-by: Franco Fichtner <franco@opnsense.org>
* Update src/opnsense/mvc/app/controllers/OPNsense/Dnsmasq/forms/dialogDHCPrange.xml
Co-authored-by: Franco Fichtner <franco@opnsense.org>
---------
Co-authored-by: Franco Fichtner <franco@opnsense.org>
- Adds proper Termination Cause handling, requires addition of `delete_reason` column in the captiveportal sqlite database.
- Implements `Acct-Input|Output-Gigawords` accounting handling (Fixes https://github.com/opnsense/core/issues/6712)
- Implements `Called|Calling-Station-Id`. (Fixes https://github.com/opnsense/core/issues/7844)
- `Called-Station-Id` implemented via additional optional input field
- `Calling-Station-Id` requires an extra preauth hook, which in general is useful to handle per-session authentication properties.
- While here, silence output of pf during state kills when client is disconnected
- `NAS-IP-Address` isn't added, RFC2865 states it should be either `NAS-Identifier` or `NAS-IP-Address`.
Since it touches this area, perhaps we can remove the deprecated `$zoneid` param in the captive portal SessionController.
This commit adds backwards compatible changes to the automation api and associated user interface. Although this is likely not the final state, it adds quite some improvements in making this a valid replacement for the current firewall user interface.
The node is now empty by default so code peeking into the items
should check beforehand or use a safe iterator like config_read_array().
This is for 25.7 with the infamous two security sysctls flipping back
to FreeBSD defaults.
This commit consists of two parts:
1) Add user portal privileges to "Lobby: Password" as this replaces the legacy item
2) Rewire password policy constraints to use "ui/user_portal", which will be redirected to the legacy page when BE is not installed.
The impact of this change should be small.
As we already supported a dot [.] terminated format, we should support both advanced queries and simple ones using "container1.container2". By prefixing the simple format with a dot, we can offer both options using the same parser.
While comparing jq with jsonpath, the first option seems to be most practical and easier to explain.
The use of custom tags is more advanced, so better to organize this further to the right. I have looked at combining topics, but tags don't really belong to either options or ranges as they can be used from most entities. Since we also support the default included interfaces as tags, in most cases people will only need ranges and options anyway.
Although it is practical to know that a client is calling an endpoint unauthenticated, we would like to know which client it is and which endpoint it tries to access, to more easily detect abuse.
The previous handling "skimmed" the blocklist using regular expressions, but when these lists include wildcards, you need to filter the exact item to exclude it (e.g. *.org.domain in a blocklist will still block a.org.domain in a passlist).
By moving the evaluation to the place where requests are evaluated, we can pass the likely intended domains by their provided regex.
Although there is a performance penalty, it should be limited since we only compile the regex once.
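The difference between skimming the blocklist and evaluating the passlist per request, as an added example that is not code from the project: the function and class names, the sample lists, and the `*.suffix` wildcard matching rule are all assumptions made for illustration.

```python
import re

# Constructed sample data: a blocklist containing a wildcard entry and a
# passlist expressed as regular expressions.
BLOCKLIST = {"*.org.domain", "ads.example.net", "tracker.example.net"}
PASSLIST = [r"^a\.org\.domain$", r"^ads\.example\.net$"]


def skim_blocklist(blocklist, passlist):
    """Previous approach: drop blocklist entries that match a passlist regex."""
    compiled = [re.compile(p) for p in passlist]
    return {e for e in blocklist if not any(c.search(e) for c in compiled)}


def is_listed(name, blocklist):
    """Exact match, or a '*.suffix' wildcard entry covering a parent domain
    (assumed wildcard semantics)."""
    name = name.rstrip(".").lower()
    if name in blocklist:
        return True
    labels = name.split(".")
    return any("*." + ".".join(labels[i:]) in blocklist
               for i in range(1, len(labels)))


class RequestTimePolicy:
    """Approach described above: leave the blocklist intact and test the
    passlist against each queried name."""

    def __init__(self, blocklist, passlist):
        self.blocklist = set(blocklist)
        # All passlist patterns are combined and compiled once at load time,
        # so the per-request cost is a single regex search.
        self.passlist = (re.compile("|".join(f"(?:{p})" for p in passlist))
                         if passlist else None)

    def blocked(self, name):
        name = name.rstrip(".").lower()
        if self.passlist and self.passlist.search(name):
            return False  # passlisted, even if a wildcard entry covers it
        return is_listed(name, self.blocklist)
```

With the sample lists, skimming removes `ads.example.net` but leaves `*.org.domain` in place, so `a.org.domain` stays blocked; the request-time check passes it while `b.org.domain` remains blocked.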