16332 Commits

Author SHA1 Message Date
Franco Fichtner
3ca3bc5c8a Revert "system: exclude deprecated until Phalcon is fixed"
This reverts commit 1ccb2c9430b92e3f40798d269a1f3dbc94635ef2.
2024-02-12 15:12:44 +01:00
Ad Schellevis
1c96851043 Firewall: Automation: Filter - obey rule ordering including group sequence. closes https://github.com/opnsense/core/issues/7111
After giving this some thought, it looks like a good idea to fix this bug anyway. There is a very small chance people combine legacy and mvc rules which contradict each other, but in the long run this will lead to more issues. Since getPriority() skipped group priority, we'll add the same calculation as being used in db4b90d218/src/etc/inc/filter.lib.inc (L632-L638) too.
2024-02-12 15:08:46 +01:00
Franco Fichtner
5f855524e3 mvc: fix Phalcon 5.4 and up
See also: https://github.com/phalcon/cphalcon/issues/16460
2024-02-12 14:46:52 +01:00
Ad Schellevis
0a17929ec7 VPN: OpenVPN: Instances - when cert_depth is left empty, it should ignore the value. https://github.com/opnsense/core/issues/7228#issuecomment-1938579724
Changing allowed to the depth found should have this effect.
2024-02-12 13:28:20 +01:00
Ad Schellevis
3d728420a5 VPN: OpenVPN: Instances - data-ciphers-fallback should be a single option as suggested in https://github.com/opnsense/core/issues/7228, when multiple values are selected, the instance won't start. Which makes this a rather safe change without migration. 2024-02-12 13:16:13 +01:00
Ad Schellevis
833765fafe VPN: OpenVPN: Instances - tighten validation introduced in 66fd0e4699 closes https://github.com/opnsense/core/issues/7228 2024-02-12 11:02:28 +01:00
Ad Schellevis
0fa6e964ce VPN: WireGuard: Settings - partial revert e385b1cd3e6ebbc9c21b5730e1e0a7bb24e8f2ba as constraints should only apply on peers (not instances). closes https://github.com/opnsense/core/issues/7229 2024-02-12 09:53:53 +01:00
Ad Schellevis
e210c854c3 Services: Kea DHCP: Kea DHCPv4 / Reservations - add address constraint (address should lie inside requested netblock) 2024-02-12 09:46:30 +01:00
Ad Schellevis
27e27f25c5 Services: Kea DHCP: Kea DHCPv4 / Reservations - add unique constraint for mac address + subnet. closes https://github.com/opnsense/core/issues/7230 2024-02-12 09:27:07 +01:00
Ad Schellevis
30862f8711 VPN: WireGuard - Optimize "non fluent" reloading. When wireguard installs its own routes, we are not able to track them properly. If that's the case and the user reconfigures, drop all interface addresses instead of removing the interface (and creating it again).
There is a small chance of remnants after the fact, but dropping the interface is more problematic to recover from as it will invalidate filter rulesets as well.
The user is still able to force a stop/start using the reload action, which also reloads the filter after the fact.

proposal for https://github.com/opnsense/core/issues/7148
2024-02-10 21:45:10 +01:00
Ad Schellevis
bf9996989e Services: Kea DHCP: Kea DHCPv4 - be more explicit about what options are being overwritten when option_data_autocollect is used. closes https://github.com/opnsense/core/issues/7225 2024-02-10 09:47:22 +01:00
brotherla
25d06fd812 update traffic graph colors to be contrast and consistent (#7217)
Co-authored-by: Ilya Bursov <ibursov@servicetitan.com>
2024-02-09 11:11:42 +01:00
Franco Fichtner
03ffdf511d ipsec: same same but different; closes #6973
In portrait mode the __ml looks odd as the form-inline
is broken off to avoid wide form layouts so we use __mr
on the button div instead.
2024-02-09 11:04:45 +01:00
Franco Fichtner
66b50c3d51 ipsec: enable placement on connections page for #6973
Placing this right beside the apply button might make some people
think about not missing this option when using IPsec.
2024-02-09 10:57:22 +01:00
Franco Fichtner
c1d2d18a72 wireguard: fix copy and paste refactor 2024-02-09 10:09:32 +01:00
Franco Fichtner
0d7d48eb17 wireguard: improve previous
Since route add with subnet will revert to a strict subnet route
two separate entries 192.168.1.1/24 and 192.168.1.2/24 will both
be added as 192.168.1.0/24 and produce the same error.

Normalize here as well and get rid of the duplicates.  It should
also fix IPv6 compression mismatches.
2024-02-09 09:59:12 +01:00
Ad Schellevis
56e5f99390 VPN: IPsec: Connections - allow % to support %any in id's. closes https://github.com/opnsense/core/issues/7220 2024-02-09 09:01:13 +01:00
Ad Schellevis
c8adc29212 ui / tokenizer - One minor annoyance of tokenizers is that it's impossible to edit the separate tokens.
This commit adds a button to switch the items into a textarea and back, which eases edits in these cases.
(only available when new items are allowed in the form)
2024-02-08 21:21:12 +01:00
Franco Fichtner
77fba066bd wireguard: skip attached instance address routes
These are automatically created by ifconfig alias command above
and cause the (spurious) route add -q log messages.  Functionally
nothing changes because route add declined to add the routes
already.
2024-02-08 19:57:24 +01:00
Franco Fichtner
84e96a53da src: style sweep 2024-02-08 19:57:05 +01:00
Franco Fichtner
7413ca696d wireguard: improve previous
wg_start() can detect if the interface was removed, which is
ensured during 'restart' and a fresh 'configure'.  The device
could have been created from wireguard_prepare() in the plugin
code but that should normally be used by interfaces_configure()
which also configures the interface correctly (same as the
interfaces_restart_by_device() call).

We only reload the routing in such cases now either as in the
other case the routes should have been placed and remain.
2024-02-08 19:27:54 +01:00
Franco Fichtner
b8665c9da0 wireguard: if instances are assigned as interfaces we need to reload them 2024-02-08 17:13:32 +01:00
Ad Schellevis
33894fc6a7 diagnostics/log - add colon [:] to acceptable query characters, closes https://github.com/opnsense/core/issues/7215 2024-02-08 12:36:35 +01:00
Ad Schellevis
20e9bdc459 Services: Kea DHCP: Leases DHCPv4 - gather missing leases by implementing the lease storage as documented in https://github.com/isc-projects/kea/blob/ef1f878f5272d/src/lib/dhcpsrv/memfile_lease_mgr.h#L1039-L1051
The lfc process is responsible for lease cleanup, but apparently uses multiple files to get the full picture, which unfortunately wasn't very clear from the upstream documentation (https://kea.readthedocs.io/en/latest/arm/lfc.html + https://kea.readthedocs.io/en/kea-2.0.2/arm/dhcp4-srv.html#memfile-basic-storage-for-leases). The wiki does offer a design document for lfc (https://gitlab.isc.org/isc-projects/kea/-/wikis/designs/Lease-File-Cleanup-design#file-names) which hints about multiple files, but also seems to be less explicit about where the active leases land; the source seems to be more clear in this case.

closes https://github.com/opnsense/core/issues/7204
2024-02-08 11:27:35 +01:00
Ad Schellevis
ce8b3c878f VPN: WireGuard: Settings - Peer uniqueness should depend on pubkey+endpoint. closes https://github.com/opnsense/core/issues/7213 2024-02-07 18:24:36 +01:00
Ad Schellevis
43c3ca47af ISC DHCP / unbound / dnsmasq - be more explicit of what the feature offers. https://github.com/opnsense/core/issues/7209 2024-02-07 14:00:32 +01:00
Stephan de Wit
d8df599d0d network time: clarify help text for interface selection
ntpd will also use these interfaces for syncing with a remote
server. Accompanies f85849736d
2024-02-07 11:04:47 +01:00
Franco Fichtner
b2d6acc23e pkg: finally move back to original package 2024-02-07 09:23:23 +01:00
Ad Schellevis
e48d3f740e mvc - minor modification in form processing for multiselect tokenizers, when style contains "tokenize" as part of a list of styles, copy/paste buttons won't show. Unfortunately volt templates don't support an inline "split" operator, which means we need to embed php code to split the styles. 2024-02-06 19:57:24 +01:00
Ad Schellevis
12001a32f2 System: Access: Users - add issuer and logo to OTP link, for https://github.com/opnsense/core/issues/7126 2024-02-06 18:39:47 +01:00
Ad Schellevis
66fd0e4699 VPN: OpenVPN: Instances - Fix support for /30 p2p/net30 instances, 2758f9f649 only included a partial fix. Although we are able to configure openvpn with small nets, we should follow the same procedure the normal "server" directive would follow (as documented in https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/).
This means the following configuration directives need to be set:

* mode server
* tls-server
* push "topology XXX" << tell the other end which topology we are using
* ifconfig-pool  start-ip end-ip << a minimal pool containing one address, if we don't push one, openvpn doesn't know the client and will complain about "bad source address from client "
* ifconfig my-ip remote-ip
2024-02-06 17:45:20 +01:00
Ad Schellevis
78c0e681ca Interfaces: Virtual IPs: Settings - fix Vip.xml subnet/network. see also https://github.com/opnsense/core/issues/7041 2024-02-06 09:46:19 +01:00
Ad Schellevis
efae7a5fd9 VPN: OpenVPN: Servers - cso_login_matching ignored during authentication, closes https://github.com/opnsense/core/issues/7199 2024-02-05 18:02:32 +01:00
Ad Schellevis
630ab193b6 Firewall: Settings: Normalization - change default traffic normalization behavior and choose "in" as standard direction for manual rules. closes https://github.com/opnsense/core/issues/7203 2024-02-05 15:27:03 +01:00
Franco Fichtner
c7d6f53797 interfaces: need this now #7202 2024-02-04 18:23:56 +01:00
Franco Fichtner
f1fbf811b2 interfaces: stop caching IPv6 address to decide if reload is required or not #7202
The metric is flawed, because there could be a prefix or not, it could shift
or the user specified a client setting the server did not accept.

This is an experimental change that will stay on the development version for
a while.
2024-02-04 18:06:38 +01:00
Ad Schellevis
0ab7a966b0 VPN: OpenVPN: Instances - add "various_push_flags" field for simple boolean server push options, while here also change output order a bit (so push rules are not at the top of the file, which is a bit easier on the eyes). closes https://github.com/opnsense/core/issues/7196 2024-02-04 15:07:55 +01:00
Stephan de Wit
ce87c2f68c intrusion detection: behaviour change in suricata 7 [3]
Along with midstream-policy causing issues,
livedev.use-for-tracking=true breaks IPS so disable it here.
ref: https://redmine.openinfosecfoundation.org/issues/6726
2024-02-02 15:31:48 +01:00
Franco Fichtner
c965e8d3f0 dhcp: set RemoveAdvOnExit to off in CARP mode #7194 2024-02-02 11:25:40 +01:00
Stephan de Wit
0168141566 dashboard: widgets: bring back interface statistics update interval 2024-02-01 17:09:55 +01:00
Ad Schellevis
b1685d8e46 Services: Kea DHCP [new]: Kea DHCPv4 - add optional automatic firewall rules for dhcpv4 access. closes https://github.com/opnsense/core/issues/7188 2024-02-01 14:05:12 +01:00
Ad Schellevis
46e0bc67bb VPN: WireGuard: Settings / Instances - allow instances to start their id at 0. closes https://github.com/opnsense/core/issues/7192 2024-02-01 09:27:14 +01:00
Franco Fichtner
c34427999b system: add a trust template reload hook in the... well.. trust function :) 2024-02-01 08:57:40 +01:00
Franco Fichtner
e68e7959ed pkg: fix plist 2024-02-01 08:55:23 +01:00
Ad Schellevis
d8ba131aad System/Trust - enable openssl legacy provider by default. closes https://github.com/opnsense/core/issues/7184
Since existing gdrive backups are in legacy mode, these can only be parsed when legacy is enabled.
For more information about openssl_pkcs12_read() and used configuration, see https://www.php.net/manual/en/function.openssl-pkcs12-read.php

In order for this to work, one needs to generate the template (handled on bootup https://github.com/opnsense/core/blob/master/src/etc/rc.syshook.d/early/15-templates) and restart the webgui.

To validate in a console if legacy mode is available, use the command below:

Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.12
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.0.12
    status: active
2024-01-31 18:12:02 +01:00
Ad Schellevis
7e994cab29 xmlrpc sync, on nat sync, all items in the OPNsense container are transferred. regression in 6ab8f8cf2d closes https://github.com/opnsense/core/issues/7173 2024-01-31 17:47:21 +01:00
Franco Fichtner
157a2d9f03 src: spurious whitespace (the other one is for the templating) 2024-01-31 15:43:15 +01:00
Franco Fichtner
fccaa2e548 pkg: avoid the problematic "suricata" package for now 2024-01-31 12:13:06 +01:00
Franco Fichtner
f28786db4a firmware: adjust wording 2024-01-31 11:23:29 +01:00
Ad Schellevis
4a5193900c Services: Kea DHCP [new]: Kea DHCPv4 - omit comma when control agent is disabled. should fix https://github.com/opnsense/core/issues/7183 2024-01-31 10:41:57 +01:00