Since we used to allow IP configuration ands VIPs are
a possibility we can avoid checking for missing IPs
and simply delete the status hash file which will
force an eventual reconfiguration.
While here avoid wireguard_prepare() from creating spurious
devices when there is no need for it as it happens with
manual invoke through "pluginctl -d wgX". wg-service-control
uses the same logic.
This commit adds a new component linked in Interfaces/Neighbors which offers the ability to manually register static leases and provides application control from other modules such as dhcpd. To minimize the risk, we're reusing the existing interfaces_staticarp_configure() hooks while only adjusting how static arp entries are being attached to the interface (match on addresses assigned when triggering with an interface).
Entries registered via dhcp will be visible from the ui as well together with its origin.
The previous version didn't cleanup old static entries, this version triggers a cleanup when executed for all interfaces using all earlier modifications processed via the same function (interfaces_neighbors_configure()).
Since OPNsense 22.1 we are using FreeBSD 13 and it comes with a
base trust store which is also maintained there. In order to be
user-configurable there is also a tool called certctl which will
manage blocking and filling the OpenSSL trust store location
/etc/ssl/certs. The idea is to make this implicit and faster.
This, however, pseudo-obsoletes the trust bundle handling which
we mainly operate through /etc/ssl/cert.pem. By pseudo I mean
that ports will still want the real bundles and/or know/guess
this location at complile time. curl has such overrides for
example.
ca_root_nss's bundle is also pulled in thorough certctl so we
are going to have to jump through a few hoops now in order to
add our certificates cleanly and "prevent" breakage of the
resulting trust store.
Therefore now we write our CA content into separate files because
certctl only hashes the first certificate found in the file.
This is already a bit problematic for ca_root_nss having a
larage number of files in it... And against all odds the
first certificate I wrote for our bundle is blacklisted by
FreeBSD which made certctl discard all OPNsense authorities
added from the GUI.
To avoid further issues with certclt as a broker here I have
added it in passthru() mode to see eventual errors clearly.
Now when certcl is done all the files are linked in the
/etc/ssl/certs directory but we actually have to build the
full bundle for compatibility with old ports requiring one
of the locations that ca_root_nss ETCSYMLINK option provides.
A shortcoming of certctl is the lack of a bundle mode for
compatibility's sake which is causing a number of problems in
the ports tree at the moment (which is why we do this work now
and take a closer look before this is rolled out in full in
FreeBSD ports).
The bundle is created by iterating over all files in /etc/ssl/certs
and putting them in the expected locations. One caveat is that
this bloats the bundles to 1.5MB from previously 750KB. The whole
process is a lot slower, especially certctl doing the rehash.
Long story short: this is going to cause issues in the long run,
but for now we know how it is supposed to work and are ready
for FreeBSD ports to drop support for bundles in individual ports.
But that being said we will probably drag the bundles on for
a few years anyway.
This can slow down reconfiguration of a system with many
VLAN children on a single interface down/up. We likely
have to refactor rc.linkup to coalesce the interface
reload into a safer reload facility.
This is called through rc.linkup exhibiting the issue.
Sidestep the complexity of the situation by fixing the
issue first making it testable and easy to ship in a
stable relese.
For anyone not liking this net.inet6.ip6.dad_count can
be set to "0" to disable the sleep behaviour. This
needs to be extended one way or another. More soon.
This commit imports part of the changes from @swhite2 which will keep the legacy handling intact for the first stage of the migration. It should be backwards compatible with the previous (23.7.x) code.
Changes new in this commit which where not in the original PR:
1) dpinger_status() missed $gwitem which rendered gateways statusses down
2) Model version number set to 0.0.1 so we can use the migration later to step into 1.0.0
3) Gateways->gatewayIterator() do not yield MVC records ensuring we are still using legacy config data when being called.
Omit the dependency on wireguard-kmod as we will be targeting the kernel
module with 24.1. Some people may run into this but it's safer than
trying to rely on a package that won't be available going from 23.7 to
24.1.
Testing 3582242d0fe10 it appeared that link-local addresses were
rewritten as GUAs in the dhcpd configuration. The static map part
does this right, but all the other callers are not. Flip this
around as it was intended. The DHCPv6 page will now throw an out
of range error when it previously adjusted the explit prefix anyway.
dhcpd config with link local seems fine too, but more testing is
always good.
During bootup the gateway monitors were started before the firewall rules
were finished setting up. Under some circumstances this could lead to
incorrect data being reported by dpinger instances.
