same same as dd6a04a68a, but different.
Concerns fixed in this commit:
o archive shouldn't generate files so old "archived" files remain untouched
o "latest.log" should point to the latest version know, which could be todays or a file from the past
o better to not remove links when unchanged to prevent excessive writes
We shuffle the cron jobs around a bit to let the script start at
minute 1 of every hour which is close enough.
We might consider a soft-update of the link instead of removing
it every hour depending on how tail -f and such work, but for now
use what PHP has to offer.
PR: https://github.com/opnsense/core/issues/4993
Most of the system already uses it and users are informed about
it too. Might just be a good time to write a little manual page
for it...
While here some use of daemon -f suggests that configctl -d should
be used more widely than it is now.
To make verbatim script passthrough work we also need to introduce
a scripting option to reach the random sleep option afterwards.
We add a random delay of up to 25 minutes to the cron based operations
in order to give the update servers more room to breathe.
Download only if necessary, but verify and unpack unconditionally.
Add a cron job for nightly poll to be used with upcoming pending
script to "skim" the changelog for potential updates.
o allow repetitive metadata tags to be used, representing them as multiline options. Since \n can't exist in rules it should be rather save to concat repeating entries
o convert multiline items in the UI (rule info) (convert \n --> <br/>)
remove all remnants from syslogd and circular log support excluding support from the log readers. When a user upgrades and was using clog, the old files remain and are still readable from the ui, new entries are generated into our syslog-ng directory structure.
for https://github.com/opnsense/core/issues/5337
Also it seems that sysctl -ad returns sysctls that the kernel
considers sysctls with no value. These are likely read-only
of some type so bring them in as well with a blank value.
Mark unsupported and read-only with text-danger since their
use is not doing anything for the system.
o Only modify default sysctls when default is known
o Let user know a default is not available for tunable
o Parse system descripton and type and show in GUI
Omit rule info as this is already visible in the Firewall/Rules section, nat as well, although the statistics could be of use eventuallly elsewhere (pfctl -vvsnat)
commit 8a3fd0057817836c0f0baaa28123b61ccd8b39fd
Author: Ad Schellevis <ad@opnsense.org>
Date: Sat Oct 16 14:24:12 2021 +0200
system activity: show all threads and correct WCPU, minor cleanups for https://github.com/opnsense/core/pull/5277
commit a2e3ad0b5e971b48687fc6f1291e420ad4caef6e
Author: Franco Fichtner <franco@opnsense.org>
Date: Fri Oct 15 07:55:23 2021 +0200
interfaces: style update in previous
commit 5ab238d32e4a3f5bdebf1e0d0786672636c1fc2b
Author: Jason Crowley <65243090+jasonpcrowley@users.noreply.github.com>
Date: Thu Oct 14 14:23:40 2021 -0500
Updated guess_interface_from_ip to more accurately identify the interface using the subnet with the largest mask in the route table. (#5281)
commit c87a39efd6833ae091f47e0faec6f9d5b1a937f6
Author: Franco Fichtner <franco@opnsense.org>
Date: Thu Oct 14 14:49:11 2021 +0200
firmware: in case of fs integrity issues try not to break upgrades
File is always packaged, but we cannot trust the file system.
commit cd0e482fc24183918e5a49b8b9c0d28f80d40274
Author: Franco Fichtner <franco@opnsense.org>
Date: Thu Oct 14 11:11:37 2021 +0200
interfaces: undo restricting lookups to configured interfaces only
In practice call stack above get_interface_ip*() is too messy and
this will likely break a number of lookups.
commit d9831296220e65aefaa375f9a06b91b995c001f6
Author: Ad Schellevis <ad@opnsense.org>
Date: Thu Oct 14 10:56:42 2021 +0200
IPSec - VTI, ignore tunnel devices if local or remote endpoint can't be found.
commit 680f189fe5db2d6074bb2786e9b6b2df5c2ddb23
Author: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Thu Oct 14 22:44:49 2021 +0300
toggle 'top' to tid. get pid from 'procstat'
commit 355a337486bbc8a68cd193d091588119b4563b7f
Author: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Thu Oct 14 22:38:15 2021 +0300
add tid column and make it key
commit efacc976e2b691798dfbccacf62e15d8bc657ef4
Author: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Thu Oct 14 09:14:51 2021 +0300
Update src/opnsense/mvc/app/views/OPNsense/Diagnostics/systemactivity.volt
Co-authored-by: Franco Fichtner <franco@lastsummer.de>
commit c3bdf26795b9f276b1bbaa9f7355edbb8d3fa206
Author: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Wed Oct 13 22:32:03 2021 +0300
show all threads
commit 7c98ddaea935edd6806e8febdcf021735cc38d2e
Author: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Wed Oct 13 22:28:12 2021 +0300
request and grab second display
opnsense-update can read the upgrade hint itself. We may have
to stash an ABI in there to reach to a different location without
the need to publish a symbolic link.
Move the firmware message to a data location for cleanliness.
We need to make sure both the local and the remote IP belong to
the same CIDR range, which might not be the case if we just
calculate the subnet size required by their direct distance.
Rewrite find_smallest_cidr() to take an array of IPs to calculate
their smallest shared subnet mask. Code is actually pretty simple
and fast. However, we are not going to account for network and
broadcast address reservation unless that turns out to be an issue.
In the IPv6 case assume that /64 is a good approximation of the
result.
Remove code cruft in utilities while at it also replacing a simple
function only called once in setaddr.sh.
commit 46e0383625acfa59e723c390d0b5b2feed8a53aa
Author: Ad Schellevis <ad@opnsense.org>
Date: Mon Aug 23 11:05:53 2021 +0200
Firewall / Log - Live log : support rfc5424 format for https://github.com/opnsense/core/pull/5175
commit 0cf3030724d02181991436b324fe5fc70118d4d5
Author: Ad Schellevis <ad@opnsense.org>
Date: Sat Aug 21 09:36:56 2021 +0200
System logging - switch local logging to rfc5424 format.
Allow custom destinations to choose for rfc5424. closes https://github.com/opnsense/core/issues/4911
commit a46e39bcecca6dab1d5a68a0e7f481ea42c16034
Author: Ad Schellevis <ad@opnsense.org>
Date: Fri Aug 20 18:23:22 2021 +0200
System logging - switch local logging to rfc5424 format.
add severity filter to api and log pages
commit b0f38003d7745a01202ffca5e7b5b697ff211f1e
Author: Ad Schellevis <ad@opnsense.org>
Date: Fri Aug 20 15:42:58 2021 +0200
System logging - switch local logging to rfc5424 format.
Split BaseLogFormat into a generic LogFormat and a child NewBaseLogFormat to be able to support both property and method based parsers to keep (external) plugins compatible.
commit 264513f148185faf4a4509bc19aa35739c9844f9
Author: Ad Schellevis <ad@opnsense.org>
Date: Thu Aug 19 19:56:19 2021 +0200
System logging - switch local logging to rfc5424 format.
Refactor log parser (BaseLogFormat), since the plugins use this as well we might have to undo a bit or refactor those as well.
This will need a new version of py-dnspython (py-dnspython2 in ports) for dns.asyncresolver support. Some additional log messages have been added to gain more insights into the resolving process via the general log.
Intermediate results aren't saved to disk anymore, which also simplifies the resolve() function in the Alias class. An address parser can queue hostname lookups for later retrieval (see _parse_address()) so we can batch process the list of hostnames to be collected.
o add "Automatic user creation" option in System/Access/Servers (for ldap + derivatives)
o simple detached flow, updatePolicies() calculates differences between local and remote group membership, when there is something to sync (remote groups exists) and a local user doesn't exist a configd signal is send to create a new empty user without rights and a random password.
The user_dn field isn't populated, although this will cost additional queries to the remote host, it might be worth the flexibility of allowing to move users to different auth scopes.
* Allow DNS resolver to skip entry on EmptyLabel
A name like '.example.com' is not a valid name, but should be handled like a non existant name instead of throwing an exception
