There were error(s) loading the rules: /tmp/rules.debug:109: invalid use
of table <__lan_network> as the redirect address of a binat rule - The line
in question reads [109]: binat on igb1 inet6 from ff00:: -> $__lan_network
That also means aliases are useless here and we need to have an interface
selector anyway.
Also pconfig_to_addr() doesn't store /128 which may cause an error in the
prefix translation at the moment.
Currently when specifying a /30 network the server refuses to start anyway, but before enforcing this using a validation, let's try whether there are still options possible for these networks to be used given the options in the new instances interface.
o export full overview instead of ifconfig output, for debugging purposes it's better to have the full picture
o remove json_encode() from getInterfaceAction() and let the framework do its usual thing...
This function returns an array containing an attribute "pass" explaining whether we've passed the test and the corresponding OCSP result ("result"); optionally it returns the first element of the ocsp command output, which appears to be the cert verify output (e.g. "Response verify OK").
A certificate can be passed when:
A] no OCSP URI is configured for the offered CA
B] when /usr/bin/openssl ocsp returns a non-zero exit code
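The commit above describes interpreting what `/usr/bin/openssl ocsp` prints. The following is an added example, not the OPNsense function from the commit: it parses the text layout OpenSSL's ocsp app uses (the "Response verify OK" / "Response Verify Failure" line, which OpenSSL writes to stderr and therefore appears first when stderr is merged into the captured output, followed by one "name: status" block per certificate with tab-indented details) into a structure a caller can apply its own pass/fail policy to. The sample outputs are constructed by hand; `certificate_is_good` is one strict policy chosen for this example and is not a statement of what the commit's function does.

```python
"""Parse `openssl ocsp` text output into a structured result (added example)."""
import re

# Constructed sample: verified response, certificate still good.
SAMPLE_GOOD = """Response verify OK
/tmp/cert.pem: good
\tThis Update: Jan  1 00:00:00 2024 GMT
\tNext Update: Jan  8 00:00:00 2024 GMT
"""

# Constructed sample: verified response, certificate revoked.
SAMPLE_REVOKED = """Response verify OK
/tmp/cert.pem: revoked
\tThis Update: Jan  1 00:00:00 2024 GMT
\tNext Update: Jan  8 00:00:00 2024 GMT
\tReason: keyCompromise
\tRevocation Time: Dec 31 12:00:00 2023 GMT
"""

# Constructed sample: the responder's signature did not verify; OpenSSL still
# prints the per-certificate summary afterwards, so status alone is not enough.
SAMPLE_VERIFY_FAILED = """Response Verify Failure
error:OCSP routines:(constructed error detail line)
/tmp/cert.pem: good
\tThis Update: Jan  1 00:00:00 2024 GMT
"""

VERIFY_RE = re.compile(r"^Response (verify OK|Verify Failure)$")
STATUS_RE = re.compile(r"^(?P<name>[^:]+): (?P<status>good|revoked|unknown)$")
DETAIL_RE = re.compile(r"^\t(?P<key>[A-Za-z ]+): (?P<value>.+)$")


def parse_ocsp_output(text):
    """Return {'verify': <verify line or None>, 'verify_ok': bool, 'certs': [...]}.

    Each entry in 'certs' carries 'name', 'status' and any tab-indented detail
    lines keyed in snake_case (this_update, next_update, reason, revocation_time).
    """
    result = {"verify": None, "verify_ok": False, "certs": []}
    current = None
    for line in text.splitlines():
        m = VERIFY_RE.match(line)
        if m:
            result["verify"] = line
            result["verify_ok"] = m.group(1) == "verify OK"
            continue
        m = STATUS_RE.match(line)
        if m:
            current = {"name": m.group("name"), "status": m.group("status")}
            result["certs"].append(current)
            continue
        m = DETAIL_RE.match(line)
        if m and current is not None:
            key = m.group("key").lower().replace(" ", "_")
            current[key] = m.group("value")
    return result


def certificate_is_good(exit_code, text):
    """Strict policy used by this example: the command must have exited 0, the
    response must have verified, and every certificate must be reported good."""
    parsed = parse_ocsp_output(text)
    if exit_code != 0 or not parsed["verify_ok"] or not parsed["certs"]:
        return False
    return all(cert["status"] == "good" for cert in parsed["certs"])


if __name__ == "__main__":
    for label, sample, code in (("good", SAMPLE_GOOD, 0),
                                ("revoked", SAMPLE_REVOKED, 0),
                                ("verify failed", SAMPLE_VERIFY_FAILED, 1)):
        print(label, parse_ocsp_output(sample), certificate_is_good(code, sample))
```

Note that the verify line and the per-certificate status are independent: a response can verify fine and still say "revoked", and a response whose signature did not verify can still print "good", which is why the example checks both before trusting the status.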
This is what certctl does and it was rightfully flagged as
"missing files" in the health audit, e.g.
/etc/ssl/blacklisted/80911ac.0 (wrong)
vs.
/etc/ssl/blacklisted/080911ac.0 (correct)
The merge is used as a test if a prefix is set at all (the legacy input
required a "prefix" but it was actually a suffix and verified as such)
but now that we prevent merging without a leading "::" the final compress
moves the compressed format from the front to the end because that sequence
is longer but the next merge doesn't like that. Do the test merge without
storing the result as we do not need it anyway.
This commit is a bit of an overhaul to add some functionality to test OCSP for https://github.com/opnsense/core/pull/7082.
o add "authorityInfoAccess" extension to add OCSP uri in authorities and certificates.
o remove some code duplication in both legacy files, requires 52fe119e0c
o trust/authorities: prevent certificate deletion when dropping a ca
o trust/authorities: add info button to check the CA contents, helps debugging issues
o trust/authorities: add camethod "Create an OCSP signing certificate" to create an ocsp signing cert
o trust/authorities: prefill dn fields when changing CA for ocsp and intermediate certs
I don't really know what the plan is here other than breaking
existing pluggable directories and wasting space.
We do clean this up but we can't stop and clean up all because
we can't trust pkg doing the right thing right away?
For testing convenience you can run the scripts separately and
add standard output and only standard error will be reported
once included in system_firmware_configure() or
# pluginctl firmware_reload
In this post-validation after passing validation we should make sure to prevent
validation if not enabled. Contrary to IPv6 the range from/to is mandatory but
doesn't always match especially when changing the IP range or switching interface
assignments.
Traceback (most recent call last):
File "/usr/local/opnsense/scripts/filter/update_tables.py", line 85, in <module>
alias_content = alias.cached() if use_cached(alias_name) else alias.resolve()
File "/usr/local/opnsense/scripts/filter/lib/alias/__init__.py", line 180, in resolve
for address in address_parser.iter_addresses(item):
File "/usr/local/opnsense/scripts/filter/lib/alias/auth.py", line 71, in iter_addresses
self._update()
File "/usr/local/opnsense/scripts/filter/lib/alias/auth.py", line 53, in _update
for server in ovpn_status.get('server', None):
TypeError: 'NoneType' object is not iterable
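The traceback above ends on `for server in ovpn_status.get('server', None):`, where `dict.get()` hands back `None` when no server section exists and the loop then fails. The following is an added example, not the OPNsense `auth.py` code: it reproduces that failure mode against constructed status documents and shows a hardened iteration that yields nothing instead of raising. The status layout assumed here ('server' mapping to instance names, each with a 'client' list carrying a 'virtual_address') is an assumption made for the example, not the real format.

```python
"""Fragile vs. hardened iteration over an OpenVPN status dict (added example)."""

# Constructed sample: one server instance with two connected clients.
STATUS_WITH_SERVER = {
    "server": {
        "ovpns1": {
            "client": [
                {"common_name": "alice", "virtual_address": "10.8.0.2"},
                {"common_name": "bob", "virtual_address": "10.8.0.3"},
            ]
        }
    }
}

# Constructed sample: no server section at all (daemon stopped / none configured).
STATUS_WITHOUT_SERVER = {}

# Constructed sample: key present but explicitly null, e.g. from a JSON dump.
STATUS_NULL_SERVER = {"server": None}


def iter_addresses_fragile(ovpn_status):
    """Same pattern as the traceback: .get() yields None for a missing key and
    iterating None raises TypeError, aborting the whole alias update."""
    for server in ovpn_status.get("server", None):
        for client in ovpn_status["server"][server].get("client", []):
            yield client["virtual_address"]


def iter_addresses_hardened(ovpn_status):
    """Fall back to an empty container at every level, so a missing, null or
    malformed section produces an empty alias rather than a crash."""
    servers = ovpn_status.get("server") or {}
    if not isinstance(servers, dict):
        return
    for server in servers.values():
        clients = (server or {}).get("client") or []
        for client in clients:
            if not isinstance(client, dict):
                continue
            address = client.get("virtual_address")
            if address:
                yield address


def collect(iterator_fn, ovpn_status):
    """Materialize a generator so results can be compared directly."""
    return list(iterator_fn(ovpn_status))


def raises_type_error(iterator_fn, ovpn_status):
    """True when iterating the status with iterator_fn blows up with TypeError."""
    try:
        collect(iterator_fn, ovpn_status)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    for status in (STATUS_WITH_SERVER, STATUS_WITHOUT_SERVER, STATUS_NULL_SERVER):
        print("fragile raises:", raises_type_error(iter_addresses_fragile, status),
              "hardened:", collect(iter_addresses_hardened, status))
```

Using `or {}` rather than a default argument to `.get()` matters for the null case: `ovpn_status.get("server", {})` still returns `None` when the key is present with a null value, so the default alone does not protect the loop.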
Additions may be written inside opnsense/service/conf/configd.conf.d/ using a name ending in .conf
Another use-case is to "lock-down" configd access by default using a new default action, e.g.:
[action_defaults]
allowed_groups = wheel