* Don't suggest using unreserved top-level domains.
* Use the reserved example.com|net domains for other examples.
* Encourage adoption of the special-purpose internal/site home.arpa (RFC 8375) domain.
o fixes some bugs in default form handling (UIModelGrid), get() vs getPost()
o when properly encoded, sort is an empty array in ApiControllerBase->searchRecordsetBase()
Replaces the current blocklist implementation to use python instead of relying on unbound-control. The latter had the drawback of a very long execution time to administrate the local-data entries both locally and in Unbound. The memory footprint was also considerably larger due to unbound internals, while the python module keeps it all in memory in a simple dictionary - reducing the total amount of memory consumption by more than a factor of 10. A drawback is a potential decrease in performance of ~15%, although most setups shouldn't be affected by this as most hardware which is capable of running this should be scaled towards its intended use.
The option of returning NXDOMAIN has also been added (fixes#6027), which in this implementation is a lot easier than what we would have to do if local-data were to be used.
This is due to e5bace2969c, but since we view the overview page here
I'm not even sure the decision about forward/dot can be correct since
there will be no POST data about 'dot' or the type.
[14-Oct-2022 08:28:20 Europe/Berlin] Exception: Error at /usr/local/opnsense/mvc/app/controllers/OPNsense/Unbound/Api/SettingsController.php:67 - Trying to access array offset on value of type null (errno=2) in /usr/local/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php:159
Stack trace:
o minor style fixes and more strict json handling
o easier handle to add commands using a commands named array
$().UIBootgrid({
....
commands: {
myaction: {
method: function(){};
classname: 'fa fa-fw fa-remove',
sequence: 10
},
copy: {
classname: undefined // hide button
}
}
});
Without gettext() wrapping we never produce a string in the
translation for it. It gets passed to gettext() twice then
but that is matters not as the target string cannot be translated
again when called a second time.
* VPN/IPsec - work in progress refactoring ipsec.conf to swanctl.conf for https://github.com/opnsense/core/issues/5636
Wrap the following blocks in functions:
o generation of strongswan.conf
o write and cleanup IPsec's CA database
o write certificates used by IPsec
o write RSA Key Pairs
o construct ipsec.secrets for swanctl, combining different sources, phase1 PSK's, certificates, keypairs
o replace VPN: IPsec: Lease Status with new mvc version that uses swanctl underneath
Remap ipsec.conf to swanctl.conf attributes using https://wiki.strongswan.org/projects/strongswan/wiki/Fromipsecconf
Remove lifetime defaults from phase 1 and 2 so new connections will use Strongswan's defaults and move the option in phase above Margintime/Rekeyfuzz as these combined are being migrated (see margintime in Fromipsecconf doc).
Restructure used path directives so we can use the default structure as descried in https://docs.strongswan.org/docs/5.9/swanctl/swanctlDir.html and installed via ports.
IPsec status overview needs a small fix as well (passthrough network seems to be returned by vici, but doesn't contain a class (which crashes list_status.py).)
While here, also remove some php warnings.
6255148,en,EU,Europe,,,0
Although the same applies for Asia, we can't use AS as country code here, so we do have to skip this for now until we find a better alternative.
6255147,en,AS,Asia,,,0
closes https://github.com/opnsense/core/issues/6063
Try to avoid touching default routes in dhclient-script which we
already partially do now. PPPoE linkdown certainly doesn't need
to handle the file as well to remove the default route then.
if bad input files are given, the root.key repair is triggered, which doesn't
make a lot of sense so just let unbound fail when this happens.
also remove the redirect to /dev/null to prevent possible file permission issues.
In situations where a cache does not exist (mainly boot), a start/stop/restart of unbound
should make the system aware of the current dnsbl configuration in order to properly diff
on it. This includes unbound starting on boot.
Small addition to https://github.com/opnsense/core/pull/6050:
- Move private/insecure domains to advanced as its intended use has a larger scope than DNSBLs only. Fixes https://github.com/opnsense/core/issues/5256
- Extends the migration to also include these domains.
- leftover cleanup of legacy settings in migration.
- Adds the `serve-expired-reply-ttl`, `serve-expired-ttl`, `serve-expired-ttl-reset`, `serve-expired-client-timeout` options. These options are hidden until the `serve-expired` checkbox is checked, and indented to signify a relationship.
- Removes all dropdowns and instead provides numeric fields to input raw values for more control and less "guessing" of what is acceptable.
- Removes default settings to prevent mismatches with upstream in the future. It's probably best to refer to the Unbound documentation in our own documentation.
- Previously, `rrset-cache-size` and `outgoing-range` were implicitly set. These are now input fields. The migration code will take care of legacy setting assumptions.
Fixes https://github.com/opnsense/core/issues/5978
Fixes https://github.com/opnsense/core/issues/5795
