We could stop on first problem but that woul likely break a number
of setups that use boot early/start hooks with sloppy coding.
Instead make the full run as an error and report it at the end.
The individual scripts should return an error and clean up
their state in case they aborted (which isn't too easy but
in most cases moving the relevant files to the final location
is a good way of dealing with this problem).
Make sure we are ready for reboot with kernel replaced but
not yet booted. This way we can run the migration in the
last possible correct spot. We might even abort on errors
here which might be handy to catch issues... to be discussed.
While this should work let's try not to assume how the interface
names look like and just match until the next known delimiter by
excluding it and accepting all other characters.
* VPN: OpenVPN: Instances - add new module using the same approach as introduced for IPsec in 23.1. Since we likely can't easily migrate the old cruft, we better focus on offering the correct options for openvpn following upstream documentation.
o add boilerplate
o implement a solution to keep vpnid's unique so device creation for legacy and mvc can function in similar ways.
o add some of the main "helper" options for clients and servers
o Implement certificate logic, selecting a certificate also implies an authority (which we validate)
o hook CRL generation into the exising openvpn_refresh_crls() event
o attach already refactored authentication to new MVC as well, OpenVPN->getInstanceById() is responsible for feeding the data needed during authentication and overwrite generation.
o when in client mode and in need for a username+password combination, flush these to file and link in "auth-user-pass"
o routes (remote) and push routes (local), combine IPv4 and IPv6 for ease of administration,
o keep alive [push] ping-[restart] defined as seperate fields for validation
o add various "push" to client options in Miscellaneous section
o add "auth-gen-token" lifetime for https://github.com/opnsense/core/issues/6135
o allow selection of redirect-gateway type for https://github.com/opnsense/core/issues/6220
o move tls-auth/crypt into separate static keys objects (tab in instances page)
o hook existing events (ovpn_event.py) and make sure they locate the server using getServerById() when needed
o use getInstanceById in openvpn_prepare() to return both legacy as MVC device configuration
o add ovpn_service_control.php for service control [stop|start|restart|configure] and glue this in openvpn_services() via configd
o change openvpn_interfaces() to use isEnabled() method on the model to query if any (legacy/mvc) instances are enabled
o move openvpn_config() from openvpn.inc to widget and extend with MVC instances
o extend ovpn_status.py to parse "instance-" sockets as well, since the filename doesn't explain the role, we're using the status call to figure out the use. uuid's are keys in this case
o server_id type to str in kill_session.py so we can match either legacy or mvc sockets
o hook ExportController to OpenVPN model using getInstanceById() to glue the Client Export utility to both components
o extend connection status with mvc sessions (descriptions)
---------
Co-authored-by: Franco Fichtner <franco@opnsense.org>
Refactor the code to take advantage of the -S behaviour and
also ditch the extra service_control_status() since already
fetched the status ourselves and it's used nowhere else.
Previously it was thought that RENEW/REBIND do not reload properly but
this was eventually about another bug for when the server returns "no
binding" message and subsequently fixed in dhcp6c but not yet released
up to 23.1.8.
Ignore PD RENEW/REBIND as it will be the same value as REQUEST anyway.
3c7fb657e14dfc muted "delete" operations but also "add" which makes
it impossible to see failures like the latest regression fixed in
25e2c0a301e1. Since system_default_route() handles this accordingly
use the same approach here.
No jobs showed up in the cron GUI for development which was a
bit suspicious. The old default seemed to be empty string so
keep that behaviour instead of setting "None".
Cleanup would be better but ifctl is not the place for it (no symmetry).
Maybe in the future we can use output from
# pluginctl -r host_routes
to remove the routes safelty as they don't show if not used.
PR: https://forum.opnsense.org/index.php?topic=33831.0
Do not "leak" state transitions and also always log them to the
gateway log if they aren't being pushed through the rc.syshook
alarm path. While here consolidate the logging into the script
and make 10-dpinger script a stub for the "monitor" facility.
