(mod_openssl.c.2606) SSL: ssl.use-sslv2 is deprecated and will soon be removed. It is disabled by default. Many modern TLS libraries no longer support SSLv2.
(mod_openssl.c.2613) SSL: ssl.use-sslv3 is deprecated and will soon be removed. It is disabled by default. Many modern TLS libraries no longer support SSLv3.
Use the hardcoded _wlan0 append when we have the base interface already.
This only happens to "count" the number of existing clones.
We also get the opportunity to clean up get_real_interface() which was
a bit ironic calling interface_get_wireless_clone() three times and then
the other wireless code ignoring get_real_interface() in favour of
interface_get_wireless_clone().
Make the presence of <wireless/> node authoritative except
for the assignment page where we need to set this node in
the first place.
Now pivot away from a handrolled regex of devices names to
trust the output of the sysctl net.wlan.devices which is also
the prefix for our clones.
Restructure return value of legacy_interface_listget() to return
WLAN-only devices present in the system and avoid returning null
value to simplify the couple of callers (some already assumed as
much).
Assume that <wireless/> node is properly set since console.inc
always did store this. Not sure about wireless clones yet, but
will check and fix in the scope of this ticket anyway.
get_interface_list() moves to interfaces.lib.inc since it uses
most functions from there and util.inc should not want to know
about interface details in the first place. We need this later
when we work through interfaces_assign.php for device iteration
reasons.
Some call flows require this, others don't and on 22.7 we seem to miss
one that did. Instead of adding more monitor reloads in the possible
spots move the ones that are shared into the general routing reload since
the two are almost always clustered together.
Also use the $interface argument to figure out which monitors require
reloading. This will avoid quite a few spurious reloads on larger
setups.
Boot is a little special, but easy enough to ensure we don't call monitor
reload twice.
this is to adhere to the same logic as the domain overrides, since users may expect forwarded-to
servers to reply with a private address or in fact be a local controller, not setting this domain as either
private or insecure may break responses if either DNS rebinding checks (default) or DNSSEC are enabled.
ideally this should be seperate checks per entry in the future.
We are progressing steadly here, but now we need more visibility
of the sources of DNS routes to summarize servers and sources.
Also try not to deduplicate routes prematurely so that dynamic
hosts get priority over config-based ones like the override
setting actually implies as currently the last one won.
add some debug info
dont add cert to crl if cert_revoke() / crl_update() failed
check if CA can sign anything before CRL create
set "method" param to set Method select value
Later we want ifctl to add the scope to the link-local gateway
by default which will remove a more code, but for now we are
bound to undo the internal magic.
Interface name stops with first ":" or last "_". For the exclude
check use the correct array index, not the array itself.
In order to prevent the unpredictable behaviour of random PTR records being returned, which is not explicitly prohibited in RFC1035, it is best to restrict the creation of PTR records from every single host and alias (except for wildcard entries, no PTR records are created here), to only non-alias overrides (edit: the exception here is an alias whose parent does not create a PTR record, a wildcard entry). We also further restrict it to unique IP addresses so there can be no confusion in how to maintain the entries within the running Unbound instance.
Hopefully this can pave the way for adding PTR records as a separate type instead of generating them under the hood, as is done currently.
This change should at least address inconsistencies regarding random PTR records being returned as mentioned in https://github.com/opnsense/core/issues/5477
A slight refactor of the existing unbound code is also included here for code reduction purposes.
In some instances a suboptimal pattern was used missing several
networks included in the actual fe80::/10. The reference is
is_linklocal() function nowadays. Sync all patterns.
Tiptoeing around interface_configure() when the resulting
work is the same is counter-intuitive and the static ARP
case probably has some more side effects since we do not
check for static ARP flag?!
filter_configure() can take a long time. Skip alias stuff.
