We can set the gateway to null as it is ignored when setting a host
route. Also adhere to the logic for interface selection in both
DNS modes, but only exclude from the configuration list for dynamic
ones.
For the time being we don't need static/dynamic annotation
as the system doesn't care by design and we don't filter it
anywhere else. Might be something for the status page, but
that's a larger change to level expectations vs. dynamic
connectivity properties.
A couple of style issues here and there as well.
This PR pulls query forwarding over the current dot setup, so visually nothing changes.
All API calls are redirected to new Forward functions, which slightly modifies what is returned based on whether "Query Forwarding" or "DNS over TLS" is selected from the menu. This way backwards compatibility is preserved.
As an addition, a user is now able to specify a specific domain for a forward zone as well. Meaning that queries for this specific domain will skip a catch-all (".") domain (if specified), and instead use the server specified for this domain.
Entering a forward zone with a catch-all domain (".") in both Query Forwarding and DNS over TLS is considered a duplicate by Unbound, so a static warning for this has been attached in the grid - however, it might be possible for a user to be warned dynamically over this.
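As an added illustration of the duplicate catch-all problem described above (example script, not OPNsense or Unbound code): the entries below are constructed sample data in a made-up `NAME|SERVER|tls` line format; the script renders them as Unbound `forward-zone:` stanzas and refuses to emit anything when the same zone name, such as ".", appears twice, which is the dynamic check the PR text mentions.

```sh
#!/bin/sh
# Added example, not OPNsense code: turn forward-zone entries into
# unbound.conf stanzas and refuse duplicate zone names, since Unbound
# rejects two forward-zone blocks with the same name (e.g. "." configured
# under both Query Forwarding and DNS over TLS).

# Constructed input, one entry per line: NAME|SERVER[@PORT][#AUTHNAME]|tls(yes|no)
# "." is the catch-all; "corp.example" overrides it for that domain only.
SAMPLE_ZONES='.|9.9.9.9@853#dns.quad9.net|yes
corp.example|10.0.0.53|no'

# Constructed input with the catch-all entered twice (the invalid case).
DUP_ZONES='.|9.9.9.9@853#dns.quad9.net|yes
.|1.1.1.1|no'

# duplicate_zones INPUT: prints each zone name that appears more than once.
duplicate_zones() {
    printf '%s\n' "$1" | cut -d'|' -f1 | sort | uniq -d
}

# render_forward_zones INPUT: emits unbound forward-zone: stanzas.
# Returns 1 and emits nothing on stdout if INPUT has a duplicate zone name.
render_forward_zones() {
    _dups=$(duplicate_zones "$1")
    if [ -n "$_dups" ]; then
        printf 'error: duplicate forward zone(s): %s\n' "$_dups" >&2
        return 1
    fi
    printf '%s\n' "$1" | while IFS='|' read -r _name _server _tls; do
        if [ -z "$_name" ]; then
            continue
        fi
        printf 'forward-zone:\n    name: "%s"\n' "$_name"
        # DNS over TLS upstream: Unbound needs forward-tls-upstream and
        # an address of the form IP@853#authname for certificate checking.
        if [ "$_tls" = yes ]; then
            printf '    forward-tls-upstream: yes\n'
        fi
        printf '    forward-addr: %s\n' "$_server"
    done
    return 0
}

# Stand-alone demo: valid set renders, duplicate set is rejected.
render_forward_zones "$SAMPLE_ZONES"
render_forward_zones "$DUP_ZONES" || echo "rejected duplicate catch-all" >&2
```

Queries for `corp.example` match the more specific zone and go to 10.0.0.53; everything else falls through to the "." zone over TLS. Running the same check on the GUI's rows before writing the config file is what would let the grid warn dynamically instead of statically.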
Ideally rc.newwanip should be as lightweight as possible, with 8c49c7bfdd in place normal execution doesn't take much time, but it likely doesn't make sense to hook gif|gre interfaces either when nothing has changed.
closes https://github.com/opnsense/core/issues/5624
We add this here to ensure consistency between the functionalities
of these interface helper files. Not all instances have been
converted, but they can be as time permits. Tested on IPv6.
While here settle on "prefix" for pdinfo as a thing since we
renamed it already anyway.
Not sure about nameserver.sh name and scope yet so try to
hide it under a link. We can always change the name later
although having .sh suffix helps us lint the script more easily.
Also now we can grep for "interfaces_vlan_configure" to see both
and "interfaces" is the actual prefix to be used from interfaces.inc.
Later we should try to avoid calling "_" prefix functions from code
not in interfaces.inc.
We can now safely check packages, kernel and base set versions from
opnsense-update. The basic idea is still that a packages set marker
is included now so we can refrain from updating packages once we
are crossing over a major version barrier using said packages set.
Change the ping to size 1500 to emulate a typical download
scenario. Sometimes small pings will respond but not the
larger fetch.
Secondly, do a separate IPv4 and IPv6 update of the repository
depending on whether we got a corresponding address from the
host. It should clear up the question if IPv4 or IPv6 or both
is broken/defunct/disabled.
Routes only get added in system_resolvconf_generate() now where
the DNS override is properly checked. The nameservers are added
through the new script for convenience and removed from there as
well. As a bonus we still scrub the routes from the nameserver
file removal to avoid creating "state" about what was done elsewhere.
This is still subject to a lot of funky races for overlapping host
routes either by ISP, manual DNS, gateway monitors or static routes.
o wrap vlan set pcp in new function legacy_vlan_pcp()
o add legacy_vlan_remove_tag() to detach our vlan
o use legacy_vlan_remove_tag() + legacy_vlan_tag() to update vlan interfaces, in which case configuration remains as it was which would make future modifications which don't rely on "logical" names easier.
This was refactored previously and all the logic should live outside
dhclient-script but it seems it's only loosely handled over there.
For now put a check back in the old way and rework this later correctly
from the system.inc point of view: we do want to register nameserver
and searchdomain in the cache files, but should not add a route if
those are not required. It would be helpful to show them in the overview
regardless (as for DNS servers) but with a hint that they are not being
used.
PR: https://forum.opnsense.org/index.php?topic=26765.0
o Merge defaults and requirements.
o Get rid of get_default_sysctl_value().
o Manually set 'type' for e.g. boot environment tunables.
o Cache sysctl map once per boot.
o Edit system defaults for easier override.
While sysctls might change when (un)loading kernel modules the
risk of missing something vital is not given. We could always
flush the cache file in that case later.
o Batch the backend call calling from GUI once and
only if needed from configuration.
o Turn the configuration into a generic loop.
o Move advanced options to the back of the configuration.
o Warning level for both log messages.
As OpenSSH 8.8 disables RSA signatures using the SHA-1 hash algorithm
by default, some older SSH clients might not be able to connect to
OPNsense anymore. Therefore, it might be needed to manually modify the
PubkeyAcceptedAlgorithms sshd config option.
Prevent generating invalid configuration values for dynamic
crypto parameters (KexAlgorithms, Ciphers, MACs, HostKeyAlgorithms and
PubkeyAcceptedAlgorithms).
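The two commit messages above (the OpenSSH 8.8 ssh-rsa note and the invalid crypto value prevention) share one underlying check, shown here as an added example that is not OPNsense code: intersect the operator's requested algorithm list with what the installed OpenSSH actually supports, never write an empty option, and flag when the resulting `PubkeyAcceptedAlgorithms` omits `ssh-rsa`. The supported list is a constructed sample so the script runs offline; on a real host it would come from `ssh -Q sig`, `ssh -Q kex`, `ssh -Q cipher` or `ssh -Q mac` as appropriate.

```sh
#!/bin/sh
# Added example (not OPNsense code): filter requested sshd crypto algorithms
# down to the ones the OpenSSH build supports, and warn when the resulting
# PubkeyAcceptedAlgorithms leaves out ssh-rsa (RSA/SHA-1), which OpenSSH 8.8
# drops by default so clients that only offer ssh-rsa fail to authenticate.

# Constructed sample of `ssh -Q sig` output so the script runs offline.
# Assumption: a deployment would substitute the real `ssh -Q sig` output.
SAMPLE_SUPPORTED_SIG='ssh-ed25519
ecdsa-sha2-nistp256
rsa-sha2-256
rsa-sha2-512
ssh-rsa'

# filter_supported LIST SUPPORTED
# LIST: comma-separated requested algorithms. SUPPORTED: newline-separated
# list as printed by `ssh -Q <type>`. Prints the comma-separated
# intersection in the requested order; unknown names are dropped.
filter_supported() {
    _req=$1 _sup=$2 _out=''
    _old_ifs=$IFS; IFS=','
    for _alg in $_req; do
        if [ -z "$_alg" ]; then
            continue
        fi
        # Fixed-string, whole-line match so "." in names like
        # chacha20-poly1305@openssh.com is not treated as a regex.
        if printf '%s\n' "$_sup" | grep -qxF -- "$_alg"; then
            _out="${_out:+$_out,}$_alg"
        fi
    done
    IFS=$_old_ifs
    printf '%s' "$_out"
}

# sshd_option NAME LIST SUPPORTED
# Emits "NAME value" for sshd_config, or nothing when no requested
# algorithm is supported, so an empty or invalid option is never written.
sshd_option() {
    _val=$(filter_supported "$2" "$3")
    if [ -n "$_val" ]; then
        printf '%s %s\n' "$1" "$_val"
    fi
    return 0
}

# rsa_sha1_allowed LIST: exit 0 if ssh-rsa is in the final list.
rsa_sha1_allowed() {
    case ",$1," in
        *,ssh-rsa,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demo: one typo ("ssh-rsa-sha1" is not an algorithm name) and
# a list that, like the 8.8 default, omits ssh-rsa.
demo() {
    _req='rsa-sha2-512,rsa-sha2-256,ssh-ed25519,ssh-rsa-sha1'
    sshd_option PubkeyAcceptedAlgorithms "$_req" "$SAMPLE_SUPPORTED_SIG"
    _pk=$(filter_supported "$_req" "$SAMPLE_SUPPORTED_SIG")
    if ! rsa_sha1_allowed "$_pk"; then
        echo "# note: ssh-rsa (RSA/SHA-1) not accepted; clients that only" \
             "offer ssh-rsa will fail. Append ',ssh-rsa' to re-enable." >&2
    fi
}

demo
```

Re-enabling `ssh-rsa` is the compatibility escape hatch the first commit message refers to; it keeps SHA-1 signatures accepted for those clients, so the warning is the prompt to upgrade them rather than a recommendation to leave it on.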