Not sure where this comes from but the consensus is that
closelog() is relatively useless and testing verifies that
it works as expected without it.
Now we just have to make sure that each component using
openlog() will reopen the actual GUI log so that it can
keep logging correctly.
According to RFC 5280 a CRL update should be issued before "next update", but it does not seem to define a validity. Various sources seem to indicate updates should be fetched at least every couple of hours, in which case an hourly update sounds reasonable.
To avoid excessive writes, we compare each CRL offered with the last one received before flushing it to disk and keep track of actual changes. When nothing changes, no rehash is needed, which the configd action takes care of.
Distribution points could be either HTTP or LDAP; LDAPS and HTTPS may not be used according to the RFC (CAs SHOULD NOT include URIs that specify https, ldaps, or similar schemes in extensions).
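The three points above (scheme filter on distribution points, hourly polling bounded by nextUpdate, and write-only-on-change with a rehash signal) as an added, stand-alone Python sketch. This is illustration code, not the OPNsense implementation: the file path, function names, the "history" of the previous fetch and the placeholder CRL bytes are all assumptions, and the "rehash needed" return value stands in for whatever the configd action does with a changed file.

```python
import hashlib
import os
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# RFC 5280 4.2.1.13: CAs SHOULD NOT put https/ldaps URIs in the CRL
# distribution point extension, so this fetcher only uses plain http and ldap.
FETCHABLE_SCHEMES = ("http", "ldap")


def fetchable_distribution_points(uris):
    """Keep only the distribution point URIs this fetcher is willing to use."""
    return [u for u in uris if urlsplit(u).scheme.lower() in FETCHABLE_SCHEMES]


def next_fetch_time(last_fetch, next_update, interval=timedelta(hours=1)):
    """Poll hourly, but never later than the CRL's own nextUpdate.

    The RFC only promises a fresh CRL before nextUpdate and sets no validity
    period, so the poll interval itself is a local policy choice (hourly here).
    """
    return min(last_fetch + interval, next_update)


def store_crl_if_changed(path, crl_bytes):
    """Write the offered CRL only when it differs from the stored copy.

    Returns True when the file changed (the trust store must be rehashed) and
    False when the offered CRL is byte-identical and nothing needs to happen.
    """
    new_digest = hashlib.sha256(crl_bytes).digest()
    try:
        with open(path, "rb") as fh:
            if hashlib.sha256(fh.read()).digest() == new_digest:
                return False
    except FileNotFoundError:
        pass
    # write-then-rename so a concurrent reader never sees a half-written CRL
    tmp_path = path + ".tmp"
    with open(tmp_path, "wb") as fh:
        fh.write(crl_bytes)
    os.replace(tmp_path, path)
    return True


def refresh(path, offered_crl, now, last_fetch, next_update):
    """One poll cycle: skip when not due, otherwise store and report the outcome."""
    if now < next_fetch_time(last_fetch, next_update):
        return "not due"
    return "rehash" if store_crl_if_changed(path, offered_crl) else "unchanged"


if __name__ == "__main__":
    import tempfile
    # constructed input: the CRL body is placeholder bytes, not a real DER CRL
    points = ["http://crl.example.test/ca.crl", "https://crl.example.test/ca.crl",
              "ldap://ldap.example.test/cn=ca?certificateRevocationList",
              "ldaps://ldap.example.test/cn=ca?certificateRevocationList"]
    print(fetchable_distribution_points(points))
    with tempfile.TemporaryDirectory() as workdir:
        crl_path = os.path.join(workdir, "ca.crl")
        t0 = datetime(2024, 8, 10, 10, 0, tzinfo=timezone.utc)
        next_update = t0 + timedelta(hours=6)
        print(refresh(crl_path, b"crl-v1", t0 + timedelta(hours=1), t0, next_update))
        print(refresh(crl_path, b"crl-v1", t0 + timedelta(hours=2), t0 + timedelta(hours=1), next_update))
```

The comparison is on the raw bytes of the CRL as offered; a CA that re-signs an otherwise unchanged CRL will still produce a different file and trigger a rehash, which is the intended behaviour since the signature and thisUpdate/nextUpdate fields are part of what the trust store serves.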
Recent feature addition to apply time constraint fails in cases where
a log line does not contain a timestamp, as in the case of multi-line
log entries. This change just moves on when a line contains no
timestamp, as we will eventually find the line that contains the
start of the log entry (and the timestamp).
fixes #7888
We actually only want the vpn_map event in the stable branch
and move to a backwards compatible format for 25.1 but as a
new coalesced (mapped) caller.
* System: Trust: Settings - add boilerplate and move existing store_intermediate_certs setting to new module including migration
* System: Trust: Settings - add configuration constraints and glue to flush CRLs to local trust store when requested.
This implements the following options:
* Enable/Disable legacy providers (enabled by default, which is the current default)
* Option to write specific configuration constraints, when enabled, CipherString, Ciphersuites and MinProtocol[DTS] can be configured
One last piece of the puzzle is the "crl" event action, which should deploy to the local trust store as well when requested.
* Update src/opnsense/mvc/app/models/OPNsense/Core/Menu/Menu.xml
Co-authored-by: Franco Fichtner <franco@opnsense.org>
* System: Trust: Settings - process review comments https://github.com/opnsense/core/pull/7854
* System: Trust: Settings - flush CRL's when "Store CRL's" is selected
---------
Co-authored-by: Franco Fichtner <franco@opnsense.org>
Since we deploy ca_root_nss in a directory with less priority, we can exclude the certificates already part of the base install.
When ca_root_nss contains a certificate not yet known in base, it will copy the certificate from the bundle in the "hashed" file, which also guarantees our packed bundles contain the same content as openssl would use by default.
While here, also include /usr/share/certs/untrusted, which contains the base blacklisted certs.
This commit adds support for deployment of CRLs, as the original implementation also does (but these files don't exist at our end at the moment).
Secondly it fixes a minor omission where cert files with more than one cert in them were not omitted.
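An added example (not the project's own deployment script) of the two points above: splitting PEM files that hold more than one certificate, and excluding from the package bundle every certificate the base install already ships. Matching is by SHA-256 of the DER bytes, so no X.509 parsing is needed; the sample "certificates" are constructed placeholder bytes wrapped as PEM, and the openssl subject-hash file naming of the real "hashed" directory is not reproduced here.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Return the DER bytes of every certificate in a PEM file.

    A single file may carry several certificates; every block is returned,
    which is the case a naive one-cert-per-file reader misses.
    """
    return [base64.b64decode("".join(body.split())) for body in PEM_CERT.findall(text)]


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def to_pem(der):
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def certs_not_in_base(bundle_text, base_files):
    """Certificates from the package bundle that no base-install file contains.

    Duplicates inside the bundle itself are also collapsed to one copy.
    """
    known = {fingerprint(der) for text in base_files for der in split_pem_bundle(text)}
    result = []
    for der in split_pem_bundle(bundle_text):
        fp = fingerprint(der)
        if fp not in known:
            known.add(fp)
            result.append(der)
    return result


def fake_pem(payload):
    """Constructed stand-in for a certificate: arbitrary bytes wrapped as PEM.
    Real DER is not required because matching is by exact content."""
    return to_pem(payload)


if __name__ == "__main__":
    # constructed base install: one single-cert file and one file holding two certs
    base = [fake_pem(b"cert-A"), fake_pem(b"cert-B") + fake_pem(b"cert-C")]
    # constructed package bundle: A and C are already in base, D is new
    bundle = fake_pem(b"cert-A") + fake_pem(b"cert-C") + fake_pem(b"cert-D")
    for der in certs_not_in_base(bundle, base):
        print(to_pem(der), end="")
```

With the multi-cert base file handled, only cert-D is written; a reader that took the first certificate of each base file would wrongly treat cert-C as new and deploy a duplicate.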
Add RRD package with a simple factory class and a basic construct to define different rrd output types we support.
This package contains the following:
* RRD/Types -- Output definitions, responsible for generating RRD structures and feeding data
* RRD/Stats -- Statistics gathering classes
* Factory -- binds types and statistics together.
On my end on a simple test this is roughly 40% faster than running /var/db/rrd/updaterrd.sh, which makes caching of metadata (config access) less relevant.
The new script should be able to replace all existing rrd cruft and supports a debug mode to find discrepancies between defined outputs in types and collected data in stats.
```
Usage: updaterrd.php [-h] [-d]
-d debug mode, output errors to stdout
```
Everything has been converted and plugins do not ship with a
"vpn" event. "newwanip" is similar and the plugins have been
ensured to be moved to the new one in 24.7.3 already.
There appear to be no callers in plugins. We could argue
that the vpn/vpn_map event isn't really needed as it brings
just OpenVPN, IPsec and WireGuard to the table, but we can
decide on this later.
When searching large log files for messages that do not frequently occur, there is a large risk of reading all collected lines before returning the first results.
In most cases recent items are required, in which case going back for days of logs might not make sense.
This commit adds a simple "history" selection which translates into a "valid_from" filter on the log data. When timestamps are not parseable for whatever reason, the filter is ignored.
The only small downside is that we do need to translate the timestamp again; when needed we could improve performance a bit by storing the original datetime value in NewBaseLogFormat so we don't have to parse it twice.
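An added example, not OPNsense code, covering both the "history" selection described above and the earlier multi-line fix (lines without a timestamp are simply moved past until the entry's first line turns up). The reader walks the lines newest-first, as a backwards file reader would, so it can stop at the first entry older than valid_from instead of reading everything. The line layout (RFC 3339 timestamp first, continuation lines indented and without a timestamp), the sample lines and the history unit letters are all constructed assumptions for this sketch.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed layout: timestamp, then host/program/message. Continuation lines of a
# multi-line entry start with whitespace and carry no timestamp.
TIMESTAMP = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:\d{2}))\s")

# constructed sample, oldest line first
SAMPLE = [
    "2024-08-10T08:00:00+00:00 fw configd: old single-line entry",
    "2024-08-10T09:00:00+00:00 fw opnsense: old multi-line entry",
    "    old continuation line",
    "2024-08-10T11:30:00+00:00 fw opnsense: recent multi-line entry",
    "    recent continuation line",
    "2024-08-10T11:45:00+00:00 fw configd: recent single-line entry",
]


def parse_timestamp(line):
    """Timestamp of a log line, or None when the line carries none or it won't parse."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    try:
        return datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    except ValueError:
        return None


def history_to_valid_from(history, now):
    """Translate a history selection such as '30m', '2h' or '3d' into a valid_from cutoff."""
    units = {"m": "minutes", "h": "hours", "d": "days"}
    return now - timedelta(**{units[history[-1]]: int(history[:-1])})


def filter_by_history(lines, valid_from):
    """Lines (oldest first) of every entry timestamped at or after valid_from.

    A line without a timestamp is held back until the entry's first line, the
    one carrying the timestamp, decides whether the whole entry is kept.
    When no line yields a parseable timestamp the filter is ignored.
    """
    kept = []          # newest first while walking
    continuation = []  # lines seen before their entry's timestamped first line
    any_timestamp = False
    for line in reversed(lines):
        ts = parse_timestamp(line)
        if ts is None:
            continuation.append(line)
            continue
        any_timestamp = True
        if ts < valid_from:
            break  # this entry and everything older lies outside the window
        kept.extend(continuation)
        kept.append(line)
        continuation = []
    if not any_timestamp:
        return list(lines)
    kept.reverse()
    return kept


if __name__ == "__main__":
    now = datetime(2024, 8, 10, 12, 0, tzinfo=timezone.utc)
    for line in filter_by_history(SAMPLE, history_to_valid_from("1h", now)):
        print(line)
```

Because the walk stops at the first timestamped line that is too old, the continuation lines buffered just before it (which belong to that older entry) are dropped with it, and anything older is never parsed at all.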
This probably needs more engineering later on which makes
it a little harder to ship but in reality we want people
to run the portable command easily in order to unbreak their
environments as pkg-upgrade tripping over its own temporary
files and directories keeps happening in user reports.
While here use "-s" while at it to speed up the script call.
This also pertains to "-e" which is its sibling.
Although all our examples always use vhid as a unique key per firewall, it is possible to add the same vhid to different interfaces.
When "disable preempt" is not selected, eventually all of them will switch between master/backup at the same time anyway, so we can assume all virtual ips switch simultaneously.
If preempt is disabled, our vhid matching might not be perfect, but likely better than before.
This pull request introduces a new feature to the OPNsense web interface,
allowing users to manage FreeBSD boot environments directly within OPNsense.
This integration provides an intuitive and seamless way for users to create,
manage, and switch between boot environments, enhancing system management
and recovery options.
Renamed the menu item to "Snapshots" in an attempt to explain the feature
to non-FreeBSD users.