o add template download configd call
o align controller and ui to use the download call (flush config to disk, request "active" error_pages)
o refactor deploy_error_pages.py to ease download_error_pages.py implementation
o change ProxyTemplates() class and move overlay functionality to callers (so we can reuse the same class to download the templates later)
o rename install_template.py to deploy_error_pages.py and use overlay_enabled() method to figure out if "custom" or "opnsense" is selected
o add a configd action to deploy the error pages, for future use.
o hook deploy_error_pages.py in start/stop/restart/reconfigure actions
o move templates to src/opnsense/data/proxy, avoid lint issues
o initial version of install script (overlay and embed css)
o change squid.conf output, when error_page is provided use error_directory /usr/local/etc/squid/errors/local directory (install location)
o flush template data to error_directory.in (json) which is used as override
overlay logic needs some work to be able to use something similar on download. install hook should be called before squid startup to ensure proper error_pages.
o cleanup default (English) error templates, rename to .html for easier editting. move css to include, which should be imported inline using our scripts.
o add frontend code
o extend model with template option.
o config: set disablevlanhwfilter by default, previous versions had issues with this, with FreeBSD 12.x it looks stable and is required for proper operation
o interface: move disablevlanhwfilter support to configure_interface_hardware(), in order for netmap to function properly all hardware support should be disabled (previous code location wasn't the right one)
o interface: exit configure_interface_hardware() when the caller is a vlan, there's no need to call legacy_interface_details() in that case (performance fix)
o tunables: set our default for hw.ixl.enable_head_writeback to 0, also hardware support and thus not compatible with netmap.
When gcm encryption is selected a hashing algorithm is not required.
The PHP warning raised by supplying in_array() with an empty string results in warning on the dashboard that links to:
[12-Jun-2020 17:08:01 Pacific/Auckland] PHP Warning: in_array() expects parameter 2 to be array, string given in /usr/local/www/vpn_ipsec_phase2.php on line 713
* Hardening: Disable PCRE JIT in PHP config
PCRE's JIT is incompatible with PaX NOEXEC. In order for PaX NOEXEC to
work well with PHP, disable PCRE's JIT.
pdinfo could get deleted by a renewal or event other than release or exit. These changes make the creation of the pdinfo file only on a REQUEST reply flag and only delete on a RELEASE or EXIT flag
This fixes an omission when groups are updated via ldap, the local system doesn't know about it.
Eventually we might consider moving some functionality from auth.inc and the system user management pages into the same event hooks, in which case the workflow would be more like the following:
[page updates config.xml data] --> [fires event] --> [event handler diffs current state agains the desired one and updates the system]
While 'forward-ssl-upstream' is indeed an alias/alternative syntax for the '*tls*' option, therefore it's more a cosmetic thing - specially because it's called DNS over TLS. Just to be consistent with terms used.
from dc7980a3e0
