Since we used to allow IP configuration ands VIPs are
a possibility we can avoid checking for missing IPs
and simply delete the status hash file which will
force an eventual reconfiguration.
While here avoid wireguard_prepare() from creating spurious
devices when there is no need for it as it happens with
manual invoke through "pluginctl -d wgX". wg-service-control
uses the same logic.
This field type is hardly used, but the intention was to generate a new uniqueid on creation and make it stick. Trying to remember the last know stored value is rather tricky (certainly when it comes to cloning), but making sure we ignore values saved isn't that hard.
Although this doesn't win the beauty contest, at least it does make sure uniqid() is called for every new field. Either when cloning the field or calling a set on an empty entry.
The rest of the system knows to use "opnsense" already. The page
throws the warning here but instead of hardcoding the theme name
just give it an empty string so the first one is selected even
though it might not be the right one. Hardcoding this doesn't
feel right...
This commit adds a new component linked in Interfaces/Neighbors which offers the ability to manually register static leases and provides application control from other modules such as dhcpd. To minimize the risk, we're reusing the existing interfaces_staticarp_configure() hooks while only adjusting how static arp entries are being attached to the interface (match on addresses assigned when triggering with an interface).
Entries registered via dhcp will be visible from the ui as well together with its origin.
The previous version didn't cleanup old static entries, this version triggers a cleanup when executed for all interfaces using all earlier modifications processed via the same function (interfaces_neighbors_configure()).
Make the restore area a multi-select since the xmlrpc_sync data
is already allowing merging separate sections and accomodate for
path traversal which also allows fine-grained restore of the
former "OPNsense addtions" selection.
Remove duplicated sections, hardcoded plugin sections or sections
not pertaining to interfaces/devices. rrddata is a special case
that can stay as well.
Handroll the configuration merge as it is easy enough to traverse
through the arrays without restructuring other files and functions.
This page will go away eventually anyway.
While here make sure the user knows that partial restores are
dangerous.
Since OPNsense 22.1 we are using FreeBSD 13 and it comes with a
base trust store which is also maintained there. In order to be
user-configurable there is also a tool called certctl which will
manage blocking and filling the OpenSSL trust store location
/etc/ssl/certs. The idea is to make this implicit and faster.
This, however, pseudo-obsoletes the trust bundle handling which
we mainly operate through /etc/ssl/cert.pem. By pseudo I mean
that ports will still want the real bundles and/or know/guess
this location at complile time. curl has such overrides for
example.
ca_root_nss's bundle is also pulled in thorough certctl so we
are going to have to jump through a few hoops now in order to
add our certificates cleanly and "prevent" breakage of the
resulting trust store.
Therefore now we write our CA content into separate files because
certctl only hashes the first certificate found in the file.
This is already a bit problematic for ca_root_nss having a
larage number of files in it... And against all odds the
first certificate I wrote for our bundle is blacklisted by
FreeBSD which made certctl discard all OPNsense authorities
added from the GUI.
To avoid further issues with certclt as a broker here I have
added it in passthru() mode to see eventual errors clearly.
Now when certcl is done all the files are linked in the
/etc/ssl/certs directory but we actually have to build the
full bundle for compatibility with old ports requiring one
of the locations that ca_root_nss ETCSYMLINK option provides.
A shortcoming of certctl is the lack of a bundle mode for
compatibility's sake which is causing a number of problems in
the ports tree at the moment (which is why we do this work now
and take a closer look before this is rolled out in full in
FreeBSD ports).
The bundle is created by iterating over all files in /etc/ssl/certs
and putting them in the expected locations. One caveat is that
this bloats the bundles to 1.5MB from previously 750KB. The whole
process is a lot slower, especially certctl doing the rehash.
Long story short: this is going to cause issues in the long run,
but for now we know how it is supposed to work and are ready
for FreeBSD ports to drop support for bundles in individual ports.
But that being said we will probably drag the bundles on for
a few years anyway.
This can slow down reconfiguration of a system with many
VLAN children on a single interface down/up. We likely
have to refactor rc.linkup to coalesce the interface
reload into a safer reload facility.
This is called through rc.linkup exhibiting the issue.
Sidestep the complexity of the situation by fixing the
issue first making it testable and easy to ship in a
stable relese.
For anyone not liking this net.inet6.ip6.dad_count can
be set to "0" to disable the sleep behaviour. This
needs to be extended one way or another. More soon.
Most of this code is quite old and originates from the beginning of our project. At the time it seemed to be problematic to render the full rrd stats in a d3 graph, which required the "resolution" option for faster page loading. It looks like we can safely remove this toggle and ditch quite some code in the process. There's still room for improvements in the html/javascript part, but that's probably for another day.
This commit also simplifies the api usage as unused parameters are being removed from the callers (from, to, ..)
* Update ipsec.widget.php
This change solves the problem of users having multiple IP addresses as leases and being counted per leased IP.
- Only "user" are counted now
- Each "user" can have several "lease"
- Each "lease" can have an individual online or offline status
- A user is online when at least one "lease" is "online = true"
* Update ipsec.widget.php
- Replaced multiple "array()" with "[]"
- Access keys "user", "address" and "online" directly from the $lease array without storping them first
- Merged two seperate foreach loops into one
o fix merge issue, as system_gateways_edit.php is not used in the new version, we do need to make sure it's hooked to the new code in master first. At a first glance dpinger_defaults() is the only missing part now.
