Some call flows require this, others don't, and on 22.7 we seem to miss
one that did. Instead of adding more monitor reloads in the possible
spots, move the ones that are shared into the general routing reload since
the two are almost always clustered together.
Also use the $interface argument to figure out which monitors require
reloading. This will avoid quite a few spurious reloads on larger
setups.
Boot is a little special, but easy enough to ensure we don't call monitor
reload twice.
This is to adhere to the same logic as the domain overrides. Since users may expect forwarded-to
servers to reply with a private address or in fact be a local controller, not setting this domain as either
private or insecure may break responses if either DNS rebinding checks (default) or DNSSEC are enabled.
Ideally this should be separate checks per entry in the future.
We are progressing steadily here, but now we need more visibility
of the sources of DNS routes to summarize servers and sources.
Also try not to deduplicate routes prematurely so that dynamic
hosts get priority over config-based ones like the override
setting actually implies as currently the last one won.
add some debug info
don't add cert to crl if cert_revoke() / crl_update() failed
check if CA can sign anything before CRL create
set "method" param to set Method select value
Later we want ifctl to add the scope to the link-local gateway
by default, which will remove some more code, but for now we are
bound to undo the internal magic.
Interface name stops with first ":" or last "_". For the exclude
check use the correct array index, not the array itself.
In order to prevent the unpredictable behaviour of random PTR records being returned, which is not explicitly prohibited in RFC1035, it is best to restrict the creation of PTR records from every single host and alias (except for wildcard entries, no PTR records are created here), to only non-alias overrides (edit: the exception here is an alias whose parent does not create a PTR record, a wildcard entry). We also further restrict it to unique IP addresses so there can be no confusion in how to maintain the entries within the running Unbound instance.
Hopefully this can pave the way for adding PTR records as a separate type instead of generating them under the hood, as is done currently.
This change should at least address inconsistencies regarding random PTR records being returned as mentioned in https://github.com/opnsense/core/issues/5477
A slight refactor of the existing unbound code is also included here for code reduction purposes.
In some instances a suboptimal pattern was used, missing several
networks included in the actual fe80::/10. The reference is the
is_linklocal() function nowadays. Sync all patterns.
Tiptoeing around interface_configure() when the resulting
work is the same is counter-intuitive, and the static ARP
case probably has some more side effects since we do not
check for the static ARP flag?!
filter_configure() can take a long time. Skip alias stuff.