We are progressing steadly here, but now we need more visibility
of the sources of DNS routes to summarize servers and sources.
Also try not to deduplicate routes prematurely so that dynamic
hosts get priority over config-based ones like the override
setting actually implies as currently the last one won.
add some debug info
dont add cert to crl if cert_revoke() / crl_update() failed
check if CA can sign anything before CRL create
set "method" param to set Method select value
Later we want ifctl to add the scope to the link-local gateway
by default which will remove a more code, but for now we are
bound to undo the internal magic.
Interface name stops with first ":" or last "_". For the exclude
check use the correct array index, not the array itself.
In order to prevent the unpredictable behaviour of random PTR records being returned, which is not explicitly prohibited in RFC1035, it is best to restrict the creation of PTR records from every single host and alias (except for wildcard entries, no PTR records are created here), to only non-alias overrides (edit: the exception here is an alias whose parent does not create a PTR record, a wildcard entry). We also further restrict it to unique IP addresses so there can be no confusion in how to maintain the entries within the running Unbound instance.
Hopefully this can pave the way for adding PTR records as a separate type instead of generating them under the hood, as is done currently.
This change should at least address inconsistencies regarding random PTR records being returned as mentioned in https://github.com/opnsense/core/issues/5477
A slight refactor of the existing unbound code is also included here for code reduction purposes.
In some instances a suboptimal pattern was used missing several
networks included in the actual fe80::/10. The reference is
is_linklocal() function nowadays. Sync all patterns.
Tiptoeing around interface_configure() when the resulting
work is the same is counter-intuitive and the static ARP
case probably has some more side effects since we do not
check for static ARP flag?!
filter_configure() can take a long time. Skip alias stuff.
primary will move to tracking interfaces or pick up any
SLAAC related address even though that is not being
actively configured. Similar to the dashboard only print
the scoped address without the need to do the logic in
the caller.
Maybe we could even return the assigned prefix here for
clarity, but then the prefix isn't a reachable address.
... a.k.a. rc.resolv_conf_generate. While here protect more
code with the IP change guard and clear the IP address if the
address lookup came up empty.
The wireless code "integration" is horrible even by moderate standards
in our code base. In the future the best way would be to ditch all of
it and rebuild (parts) required by users.
* Merge SLAAC interface dhcp6c config
Stateless DHCPv6 config for SLAAC WANs was generated, but not merged into dhcp6c.conf file.
* Add support for stateless DHCPv6 to dhcp6c script
Script had no code for processing stateless DHCPv6 replies (required for SLAAC without RDNSS / DNSSL).
* dhcp6c script, pass all search domains to ifctl
Only the first domain was used, all others were disregarded.
If we want to extend the feature here make room so we
don't have to deal with a single string concatenation.
Also disabled IPv6 inside GIF IPv4 tunnel.
PR: https://forum.opnsense.org/index.php?topic=29654.0
Already noticed that "ipsec" devices were throwing wrenches into
the engine here so try to match exactly on the pseudo-interface
names given by the GUI.
Number of people noted spurious restarts of Unbound and this seems
to be the cause. However, the real cause of hammering rc.newwanip
is in 797c18641944 and to avoid other side effects like the GIF/GRE
stuff we should consider reverting part of it.
Purge the file on all known dynamic spots that run a deconfigure
of some sort. We probably need something for a forced reload as
well but for now let's see if this works in general.
