The default listing had an issue bringing in both the dhcp6c
and the slaac files. Now act according to what we implemented
as a fallback approach for reading data files.
Since "nameserver.sh" was a working title for when we just wanted
to make sense of the nameserver registration mess going on, this
no longer fully applies for good reasons.
Change the name to ifctl.sh for leaving syntax parsing in place
and leave the symlink in sbin/ directory. The same works nicely
for configctl.
Since we already kill routes in nameserver registrations we can
also take on the arp/pfctl magic moving the "router" file check
to its native utility.
It's debatable if we even need the pfctl or arp flush here.
To be continued...
This breaks the new feature in the interim since the router file
read is not yet supposed to read :slaac counterpart since the router
file is still read manually. Refactor to follow.
We do want to eventually lean on exclusive ifctl use in order to
be able to improve logic in ifctl or make adjustments really easy in
the future without missing a spot (e.g. adding scope to link-local
routers).
New script to be invoked by rtsold when Router Advertisements with
RDNSS / DNSSL information are received. Uses ifctl to create the
/tmp/$if_routerv6 file and creates the /tmp/$if_defaultgwv6 file
directly. Fixes the issue that these files don't get created when
the M and O flags in RAs are not set. Also, passes RDNSS / DNSSL
info from RAs to ifctl.
Just make an MD5 sum of the file and change polling to 20 seconds.
Call backend on first run as well without waiting. Interval could
be lower still, but as said earlier it doesn't matter much all
things considered.
Gets rid of package dependency which for dhcpleases6 simply
listens on the DHCPD lease file and runs the prefix.php command
unconditionally.
For now emulate this by issuing the command every 60 seconds
which can be adjusted later if someone complains, but seeing
how many bugs this script has had vs. how many people noticed
it (basically none) I doubt this will have much impact overall.
'prefix' was never a key so this never got executed for whatever reason.
It remains broken in other projects and the question is if this script
really has any useful value.
This brings it in line with migrations although both hinge on
the idea that rc.configure_firmware is called to execute this
code. Both need a better integration but bringing them to the
same level seems to make the most sense.
After reboot the config is in a consistent state now too...
Remove previous plugins_interfaces() call and always use full
path to pluginctl like most spots already do.
o provide option to delete entries
o show Ikeid and Reqid including optional phase[1|2] description when provided
o extend fields with data provided from setkey -D
o add a remove button hooking spddelete to remove entries when not cleaned up correctly for some reason to ease maintenance
o add reqid to IPsec phase 2 tunnel view for clarity so we can easily inspect if traffic is trying to pass the right policy
o show Ikeid and Reqid including optional phase[1|2] description when provided
o extend fields with data provided from setkey -DP, but keep them deselected in the default view (e.g. Upperspec, Mode, Type, ..)
Displaying changelogs requires a different menu flow but for now focus
on providing a changelog opportunistically before performing the update,
but intentionally after starting it to keep previous flow for now.
This allows us to remove all DH handling remnants. If people
want to use a separate content they will have to let us know,
but it seems unlikely. The only impact seems to be a security
bump from 2k to 4k default.
As the previous version already built files in /var/db/aliastables and therefore future cleanup work, there might be some noise when patching this without a reboot (empty bogons or other external aliases). Without this patch the issue is only that aliases aren't removed, which doesn't make this a super high priority in my humble opinion.
o Since our filterlog does contain labels nowadays (https://github.com/opnsense/core/issues/5014), we can stop parsing pfctl which can be quite time consuming
o Rate limit "filter rule stats" configd action to prevent excessive pfctl access on filter pages
* Unbound blocklists / OPNsense UI: strengthen error handling
Also changes the OPNsense UI error handling routine to display a 'status_msg' if provided. Otherwise just display 'status' to preserve backwards compatibility.
* unbound: make blocklist additions/removals dynamic to prevent a restart
This commit contains an optimization for the way unbound can be updated in its configuration
without the need for restarting Unbound and by extension a loss of internet connectivity.
Hopefully this will pave the way for optimizations on other aspects of Unbound's configuration as well.
We could for example look into making the provided wrapper function more generic.
The GUI has also been modified slightly to inform the user of the amount of RRs added/removed.
* Services: Unbound DNS: Blocklist, review comments for https://github.com/opnsense/core/pull/5747
Changed the following minor items:
o gettext() for human readable response message
o simplify comparison loop (only new or diff are actually the same operation)
o replace one-liner split into a loop with validation in case an empty record exists (or something that doesn't fit the pattern)
o remove optional (but always) set -f option
* unbound: blocklists: minor style fix and strip more aggressively
Co-authored-by: Ad Schellevis <ad@opnsense.org>