o make sure we are not going to exit the start script if rm fails for whatever reason
o add stop action which stops the service and unmounts volumes mounted by start, the current state only kills unbounds primary pid (without optional dhcp integration or mountpoints)
Replaces the current blocklist implementation to use python instead of relying on unbound-control. The latter had the drawback of a very long execution time to administrate the local-data entries both locally and in Unbound. The memory footprint was also considerably larger due to unbound internals, while the python module keeps it all in memory in a simple dictionary - reducing the total amount of memory consumption by more than a factor of 10. A drawback is a potential decrease in performance of ~15%, although most setups shouldn't be affected by this as most hardware which is capable of running this should be scaled towards its intended use.
The option of returning NXDOMAIN has also been added (fixes#6027), which in this implementation is a lot easier than what we would have to do if local-data were to be used.
* VPN/IPsec - work in progress refactoring ipsec.conf to swanctl.conf for https://github.com/opnsense/core/issues/5636
Wrap the following blocks in functions:
o generation of strongswan.conf
o write and cleanup IPsec's CA database
o write certificates used by IPsec
o write RSA Key Pairs
o construct ipsec.secrets for swanctl, combining different sources, phase1 PSK's, certificates, keypairs
o replace VPN: IPsec: Lease Status with new mvc version that uses swanctl underneath
Remap ipsec.conf to swanctl.conf attributes using https://wiki.strongswan.org/projects/strongswan/wiki/Fromipsecconf
Remove lifetime defaults from phase 1 and 2 so new connections will use Strongswan's defaults and move the option in phase above Margintime/Rekeyfuzz as these combined are being migrated (see margintime in Fromipsecconf doc).
Restructure used path directives so we can use the default structure as descried in https://docs.strongswan.org/docs/5.9/swanctl/swanctlDir.html and installed via ports.
IPsec status overview needs a small fix as well (passthrough network seems to be returned by vici, but doesn't contain a class (which crashes list_status.py).)
While here, also remove some php warnings.
6255148,en,EU,Europe,,,0
Although the same applies for Asia, we can't use AS as country code here, so we do have to skip this for now until we find a better alternative.
6255147,en,AS,Asia,,,0
closes https://github.com/opnsense/core/issues/6063
Try to avoid touching default routes in dhclient-script which we
already partially do now. PPPoE linkdown certainly doesn't need
to handle the file as well to remove the default route then.
if bad input files are given, the root.key repair is triggered, which doesn't
make a lot of sense so just let unbound fail when this happens.
also remove the redirect to /dev/null to prevent possible file permission issues.
opnsense-update -K will handle subscription key return if found.
Fetch the license metadata if it exists, move it to core version
meta file and handle the contents dymanically if it exists.
The only issue for later is that changing the mirror away from
business we have a lingering license file until the next check
for updates is done.
Extends check.sh to fetch license json file when a uuid is found and flush this to /usr/local/opnsense/license.json.
The firmware page adds a license validity row, which is hidden by default and only shown when product.php returns 'product_license_valid_to'.
For the dashboard widget we'll add the "licensed until" string to the core product string when available.
Currently this doesn't work (yet), likely needs https://reviews.freebsd.org/D35848 so vlanproto can be set after the interface creation phase (now it's only possible to set proto there).
If `ifconfig XXXX vlanproto 802.1ad` sets the property, we do need this code to make sure we set these on QinQ parent vlan tags. As a workaround we could pass proto in legacy_interface_create() as well to make this (only) work on boot, but looking at the upstream fix, this might be something easy to pull in the near future.
for https://github.com/opnsense/core/issues/5893
o add basic workflow (start/stop/list)
o basic configd actions + implementation in capture.py script
o grid without actions to show current capture jobs
It's still debatable if ifctl is a tool to record data
for interfaces and act on it or if the latter part should
be handled by more authorative (interface) code.
Inspired by: https://github.com/opnsense/core/pull/5992
Some call flows require this, others don't and on 22.7 we seem to miss
one that did. Instead of adding more monitor reloads in the possible
spots move the ones that are shared into the general routing reload since
the two are almost always clustered together.
Also use the $interface argument to figure out which monitors require
reloading. This will avoid quite a few spurious reloads on larger
setups.
Boot is a little special, but easy enough to ensure we don't call monitor
reload twice.
We are progressing steadly here, but now we need more visibility
of the sources of DNS routes to summarize servers and sources.
Also try not to deduplicate routes prematurely so that dynamic
hosts get priority over config-based ones like the override
setting actually implies as currently the last one won.
primary will move to tracking interfaces or pick up any
SLAAC related address even though that is not being
actively configured. Similar to the dashboard only print
the scoped address without the need to do the logic in
the caller.
Maybe we could even return the assigned prefix here for
clarity, but then the prefix isn't a reachable address.
... a.k.a. rc.resolv_conf_generate. While here protect more
code with the IP change guard and clear the IP address if the
address lookup came up empty.
This is a partial revert of 797c1864194 which has good intentions but rc.newwanip(v6)
isn't equipped with being called a lot of times yet. We want to improve this for 23.1.
Purge the file on all known dynamic spots that run a deconfigure
of some sort. We probably need something for a forced reload as
well but for now let's see if this works in general.
* MVC / System status: first draft for backend implementation
* fix copyright
* fix permissions
* MVC / System Status: modify backend implementation and setup front-end
* MVC / System Status: minor cleanup, ACL check and fix reporting in production mode
* MVC / System Status: copy status sytem to legacy as well, remove the notices system, finish up front-end work
* MVC / System Status: remove useless constructor
* fix plist
* System Status: shorten previous
* System Status: add ACL check
* System Status: also remove legacy part
* System Status: also clean up on legacy page
* System Status: ACL check on dismiss action as well
* System Status: add readonly privilege check to dismiss action
* System Status: do not trust input
* System Status: address security concerns
* add default return
* System Status: move js code to separate script and make sure a logLocation is always provided
* System Status: clean up callout in both legacy page and volt template
After dismissing a message and closing the dialog, the old message was still bound to the dialog instance. re-registering the onclick callback solves this.
* System Status: adjust log location and kick off status system on alias errors
* System Status: let's hold off on throwing notifications for aliases for now
* System Status: add ACL entry for the dismiss API call, adjust to new deployment situation
Without the ACL entry, /api/core/system/dismissStatus calls are rejected for non-root users even when they should have rights to dismiss.
Also do a minor consistency improvement and also adjust to the new situation of production & development deployment types. We need to account for the possibility of 'deployment' being empty in the configuration, therefore a direct check of the 'development' type seems most fitting as this is unlikely to change or be subjected to any additions.
* System Status: also error out when unable to write new rules
* System Status: account for users without permissions
* System Status: name collision in FirmwareController
* System Status: replace old notices system with a global one (https://github.com/opnsense/core/pull/5875)
Review feedback / modifications in this commit:
o filter.inc
-- remove wedged message, when locked during parallel reloads it likely doesn't help to disable/enable
-- flush message to error trigger file
o SystemStatus.php
-- str_contains --> strpos; eases testing on OPNsense 22.1.x as str_contains is php 8 only
o Status collectors
-- simplify logic and propagate messages received from status file
o CrashReporterStatus
- the existence of a /tmp/PHP_errors.log file should be enough to know some process signaled the crash reporter
- remove shell exec
o FirewallStatus
-- as only /tmp/rules.error remains, remove loop to read for non existing files
o opnsense_status.js
-- add opn-status-group class to container and point css modifications in that single direction to prevent other objects from being affected by our status popup modifications
-- windows file endings replaced (^M)
o css:
keep menu_messages container to ease migration for theme developers
NOTE : ** get_crash_report() could likely be simplified as well
* filter: change to mwexec, redirection is implied
* System Status: handle potential undefined array key
seems to be a one-off error: Exception: Error at /usr/local/opnsense/mvc/app/controllers/OPNsense/Core/Api/SystemController.php:90 - Undefined array key 0 (errno=2) in /usr/local/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php:159
Co-authored-by: Ad Schellevis <ad@opnsense.org>
