This brings it in line with migrations, although both hinge on
the idea that rc.configure_firmware is called to execute this
code. Both need a better integration, but bringing them to the
same level seems to make the most sense.
After reboot the config is in a consistent state now too...
Remove previous plugins_interfaces() call and always use full
path to pluginctl like most spots already do.
o provide option to delete entries
o show Ikeid and Reqid including optional phase[1|2] description when provided
o extend fields with data provided from setkey -D
o add a remove button hooking spddelete to remove entries when not cleaned up correctly for some reason, to ease maintenance
o add reqid to IPsec phase 2 tunnel view for clarity so we can easily inspect if traffic is trying to pass the right policy
o show Ikeid and Reqid including optional phase[1|2] description when provided
o extend fields with data provided from setkey -DP, but keep them deselected in the default view (e.g. Upperspec, Mode, Type, ..)
Displaying changelogs requires a different menu flow but for now focus
on providing a changelog opportunistically before performing the update,
but intentionally after starting it to keep previous flow for now.
This allows us to remove all DH handling remnants. If people
want to use a separate content they will have to let us know,
but it seems unlikely. The only impact seems to be a security
bump from 2k to 4k default.
As the previous version already builds files in /var/db/aliastables and therefore future cleanup work, there might be some noise when patching this without a reboot (empty bogons or other external aliases). Without this patch the issue is only that aliases aren't removed, which doesn't make this a super high priority in my humble opinion.
o Since our filterlog does contain labels nowadays (https://github.com/opnsense/core/issues/5014), we can stop parsing pfctl, which can be quite time consuming
o Rate limit "filter rule stats" configd action to prevent excessive pfctl access on filter pages
* Unbound blocklists / OPNsense UI: strengthen error handling
Also changes the OPNsense UI error handling routine to display a 'status_msg' if provided. Otherwise just display 'status' to preserve backwards compatibility.
* unbound: make blocklist additions/removals dynamic to prevent a restart
This commit contains an optimization for the way unbound can be updated in its configuration
without the need for restarting Unbound and, by extension, a loss of internet connectivity.
Hopefully this will pave the way for optimizations on other aspects of Unbound's configuration as well.
We could for example look into making the provided wrapper function more generic.
The GUI has also been modified slightly to inform the user of the amount of RRs added/removed.
* Services: Unbound DNS: Blocklist, review comments for https://github.com/opnsense/core/pull/5747
Changed the following minor items:
o gettext() for human readable response message
o simplify comparison loop (only new or diff are actually the same operation)
o replace one-liner split into a loop with validation in case an empty record exists (or something that doesn't fit the pattern)
o remove optional (but always) set -f option
* unbound: blocklists: minor style fix and strip more aggressively
Co-authored-by: Ad Schellevis <ad@opnsense.org>
Always prefer cpu temp as before; when not available consider the following options
o hw.acpi.thermal.tz0.temperature --> ACPI temp
o hw.temperature.CPU --> apparently used for arm devices.
Firewall / Aliases - various usability and visibility improvements
o change /api/firewall/alias/listNetworkAliases endpoint to return name and address
o add alias description as subtext in network group dropdown
o exclude row buttons for internal aliases
o support nesting of external aliases
o attach statistics to external aliases (like bogons and new interface network types)
o add preprocess in alias to handle non gui defined types
o network aliases will flush :network into the table
o aliases which aren't managed via configured settings will be fetched for nesting
o gather pf tables which aren't generated into filter_tables.conf as being external so the new imported static_aliases are usable without the need to import the settings in the template language
o initial work to support interface networks, register internal types and flush to alias template
o support imported static aliases using json definitions and move core aliases in there
We can set gateway to null as it is ignored when setting host
route. Also adhere to logic for interface selection in both
DNS modes, but only exclude from configuration list for dynamic
ones.
For the time being we don't need static/dynamic annotation
as the system doesn't care by design and we don't filter it
anywhere else. Might be something for the status page, but
that's a larger change to level expectations vs. dynamic
connectivity properties.
A couple of style issues here and there as well.
This PR pulls query forwarding over the current dot setup, so visually nothing changes.
All API calls are redirected to new Forward functions, which slightly modifies what is returned based on whether "Query Forwarding" or "DNS over TLS" is selected from the menu. This way backwards compatibility is preserved.
As an addition, a user is now able to specify a specific domain for a forward zone as well. Meaning that queries for this specific domain will skip a catch-all (".") domain (if specified), and instead use the server specified for this domain.
Entering a forward zone with a catch-all domain (".") in both Query Forwarding and DNS over TLS is considered a duplicate by Unbound, so a static warning for this has been attached in the grid - however, it might be possible for a user to be warned dynamically over this.
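An added illustration (not part of the commit message or the OPNsense code base) of the Unbound forward-zone semantics the commit describes: the specific domain zone takes precedence over the catch-all "." zone, and a "." zone may appear only once whether it is plain forwarding or DNS over TLS. The resolver addresses are constructed placeholders.

```conf
# Catch-all forward zone: every query not matched by a more specific
# forward-zone goes here. Only ONE zone named "." may exist; defining a
# second "." zone (e.g. one for plain forwarding and one for DoT) is a
# duplicate and Unbound will refuse the configuration.
forward-zone:
    name: "."
    forward-tls-upstream: yes          # DNS over TLS for the catch-all
    forward-addr: 192.0.2.53@853       # placeholder resolver, TLS port 853

# Domain-specific forward zone: queries for corp.example and its
# subdomains skip the catch-all above and are sent to this server only.
forward-zone:
    name: "corp.example"
    forward-addr: 198.51.100.10        # placeholder internal resolver, port 53
```

Unbound picks the longest matching forward-zone name for a query, which is why "corp.example" wins over "." without any extra ordering rules.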
Ideally rc.newwanip should be as lightweight as possible, with 8c49c7bfdd in place normal execution doesn't take much time, but it likely doesn't make sense to hook gif|gre interfaces either when nothing has changed.
closes https://github.com/opnsense/core/issues/5624
We add this here to ensure consistency between the functionalities
of these interface helper files. Not all instances have been
converted, but they can be as time permits. Tested on IPv6.
While here settle on "prefix" for pdinfo as a thing since we
renamed it already anyway.