In order to plan->do->act we need the current settings of the existing bridge, which is where legacy_interfaces_details() comes into play, which needs some additional parsing.
Next we can diff per type of setting and apply when changed.
Although this is highly uncommon, it's very annoying when the certificate path leads to an "Fatat error: Allowed memory size exhausted...".
If we do end in a loop (e.g. same ca already in the path), exit the calculation and return what we found sofar.
We do this for different reasons, but mainly for code maintenance
and simplicity. It also fixes a few aquire/display bugs with
overlapping linl-local VIPs across interfaces, but not all.
The length and input isn't bound but when writing resolv.conf
we will adhere to the requirement mentioned in the man page:
The search list is currently limited to six domains
with a total of 256 characters.
We simply don't always know how many the system was being provided
with from the ISP so it is what it is.
This commit adds a toggle which skips config file generation for kea-dhcp4.conf and lets the user handle it manuallt, service startup and control stays in place while manually configured.
When manual mode is selected, all other options will be hidden in the form, which should help people understand (and read) what the purpose of this toggle is (advanced mode).
* dnsmasq: Add full dhcp-host support for IPv4 and IPv6
* dnsmasq: Cleanup previous in dnsmasq.inc
* dnsmasq: Change comma placement in template to reduce one condition
* dnsmasq: Add validation to client_id
* dnsmasq: There can be multiple hardware addresses so change label accordingly
* dnsmasq: Change hostname validation so that client_id is also a valid choice without hostname defined.
* dnsmasq: Add validation that prevents duplicate IP addresses in dhcp-host set
* remove one stray newline
* Services: Dnsmasq DNS & DHCP - minor cleanups in https://github.com/opnsense/core/pull/8497
o fix possible race condition in validations
o simplify jinja template
---------
Co-authored-by: Ad Schellevis <ad@opnsense.org>
The node is now empty by default so code peeking into the items
should check beforehand or use a safe iterator like config_read_array().
This is for 25.7 with the infamous two security sysctls flipping back
to FreeBSD defaults.
After a bit of back and forth and issues reported with
bootstrapping it's better to get rid of the old keyword
which unifies the default selection under the empty value.
This inline-assign shouldn't happen anymore (likely a very early version
using the wlan device name implicitly). Maybe for 25.7, needs a tiny code
audit at one point but since the other cruft changes are in 25.1.3 this
makes sense to push.
We never rely on xml ordering, which means a "nosync" can always be appended or prepended into an existing dataset (as long as uuid's don't overlap, but that's a bit of a corner case).
This commits tracks the nosync items inside the dataset to sync and prepends them to the new target set, so all nosync items on the back remain where they belong.
The $sync_full construct always looked a bit weird, certainly as different other comparable config sections don't seem to have the same issue as mentioned in the original commit (1b99e1e53a). Tried the nat rules on an existing setup after this change, which still works like a charm.
* wizard: reimplement system setup, for https://github.com/opnsense/core/issues/8352
This commit implements our replacement for the setup wizard. The questions are roughly the same as in the legacy version.
Some less relevant options have been removed (pppoe ondemand for example) and isc-dhcpd has been replaced with dnsmasq.
Only standard tools have been used, a memory model to validate the data and simple input forms in tabs.
The in memory model acts as a wrapper around a legacy configuration data and a couple of component models to apply the requested settings.
Some legacy settings using isset() have been altered to use their empty() equivalent.
* wizard: as we're changing to dnsmasq as default, we need to make sure the console setup configures the same (https://github.com/opnsense/core/issues/8352)
Fix some small php arnings in the process, but further than that just rewrite the dhcpd console handling to use dnsmasq instead of isc.
Eventually we will need to rewrite the console tools as well, but let's try to keep this compatible with minimal impact.
* wizard: change other occurrences of isset($config['dnsallowoverride']) for https://github.com/opnsense/core/issues/8352
* wizard: sort listtags() and some other minor review comments for https://github.com/opnsense/core/issues/8352
* Captive Portal: WIP for migration to pf (https://github.com/opnsense/core/issues/8326)
Captive Portal: cleanup references to ipfw
Captive Portal: move accounting deletion to get action, update references and descriptions
Captive Portal: remove note
Captive Portal: move accounting to pf match rules
Captive Portal: cleanup and shorten code
Captive Portal: parser issue after refactor
Captive Portal: update logo in default login page
* Captive Portal: internal alias should not be editable
* Captive Portal: move to periodic accounting sync
* Captive Portal: update lighttpd zone config
* Captive Portal: ether rules for accounting
* Captive Portal: safe accounting fetch
* Captive Portal: move counter calculation to bgprocess
* Captive Portal: remove nested anchors, match anchors on interfaces as well
* Captive Portal: move service logic to captiveportal.inc
* Captive Portal: leftover test statement
* Captive Portal: properly initialize accounting result
* Captive Portal: cleanup sql
* Captive Portal: Implement backend requirements for RFC 8908
While here, the zoneid is provided to the client, even though there
there is no need to do so. Instead let lighttpd forward the
request with an added header containing the zoneid of the client
* Captive Portal: review feedback
* Captive Portal: from_not case
Rename previous "advanced settings" to "mobile & advanced settings" to guide people into the right direction, strongswan.conf contains both sets of data.
Keep legacy page for settings that are only relevant for the old components.
Since our pam authenticator hooks into the configuration, refactor to use the model as well.
Cleanup code in the model that was only used in the legacy glue.
Ideally these spots should not be needed as the frontend generates the configuration and on boot these are flushed as well, ... but, when interfaces change during boot or triggered by the wizard, these parts are not aware of these facts.
as discussed with @fichtner
This rather large commit implements most relevant dhcp options and rewrites dnsmasq's backend.
By default dnsmasq is disabled, eventually we do want dnsmasq enabled for dhcp services by default, but dns itself disabled. For this reason we support port "0" as implemented at dnsmasq (not listening for dns).
For cases where users want to integrate dns and dhcp services, the advise is to make dnsmasq listen on a non standard port and point unbound to the zones where dnsmasq is responsible for. This has the advantage of a direct connection between dhcp registered hosts and the requesting service. In these cases dnsmasq's dns service acts like a "connector".
In the long run we should deprecate `regdhcpstatic` and `regdhcp` as these either belong to legacy isc-dhcp or hook kea entries (which are better served via unbound).
The first mvc migration phase implemented IndexController.php, which we rename to SettingsController.php now as these results in more logical ui endpoints.
Since we don't bind to addresses directly (unless specifically configured and adviced only for static setups), we can skip the newwanip event which means we don't restart the service on interface changes. dnsmasq is able to filter the relevant networks on the fly, which is the advised scenario and can cope more easily with changes.
When different clients need to receive different options, we can use "tags" now. Requests can add tags to filter options which will be offered to the client, in the most simple scenario one would tag on a range or a host reservation, but more advanced choices can also be achieved using match statements (for example architecture [client-arch])
Make sure that 'pluginctl -s xxx stop' isn't used here as it
does not stop a disabled instance. The point is moot for
syslog-ng since you cannot disable it but that only leaves
a tiny amount of daemons that still use it in core (nothing
in plugins uses it).
Also consolidate away from service(8) since we expect and
call the rc.d script directly.
