We need to expire existing routes as well in order to get rid
of the old gateway, because deleting with the new gateway given
will not delete the existing route to another one.
Also bring back (and actually use) the active binding check
before storing an address or prefix for processing.
Use "null" to designate that these are expired, later overwritten
if an active lease is there.
"opnsense-update -u" changes to not apply the kernel and the upgrade
script will handle it. But in case this is going to be scripted by
the user we should just make sure this still needs to be taken care of
adding an extra reboot but that's ok.
We could stop on first problem but that would likely break a number
of setups that use boot early/start hooks with sloppy coding.
Instead make the full run as an error and report it at the end.
The individual scripts should return an error and clean up
their state in case they aborted (which isn't too easy but
in most cases moving the relevant files to the final location
is a good way of dealing with this problem).
Make sure we are ready for reboot with kernel replaced but
not yet booted. This way we can run the migration in the
last possible correct spot. We might even abort on errors
here which might be handy to catch issues... to be discussed.
While this should work let's try not to assume what the interface
names look like and just match until the next known delimiter by
excluding it and accepting all other characters.
* VPN: OpenVPN: Instances - add new module using the same approach as introduced for IPsec in 23.1. Since we likely can't easily migrate the old cruft, we better focus on offering the correct options for openvpn following upstream documentation.
o add boilerplate
o implement a solution to keep vpnids unique so device creation for legacy and mvc can function in similar ways.
o add some of the main "helper" options for clients and servers
o Implement certificate logic, selecting a certificate also implies an authority (which we validate)
o hook CRL generation into the existing openvpn_refresh_crls() event
o attach already refactored authentication to new MVC as well, OpenVPN->getInstanceById() is responsible for feeding the data needed during authentication and overwrite generation.
o when in client mode and in need of a username+password combination, flush these to file and link in "auth-user-pass"
o routes (remote) and push routes (local), combine IPv4 and IPv6 for ease of administration,
o keep alive [push] ping-[restart] defined as separate fields for validation
o add various "push" to client options in Miscellaneous section
o add "auth-gen-token" lifetime for https://github.com/opnsense/core/issues/6135
o allow selection of redirect-gateway type for https://github.com/opnsense/core/issues/6220
o move tls-auth/crypt into separate static keys objects (tab in instances page)
o hook existing events (ovpn_event.py) and make sure they locate the server using getServerById() when needed
o use getInstanceById in openvpn_prepare() to return both legacy and MVC device configuration
o add ovpn_service_control.php for service control [stop|start|restart|configure] and glue this in openvpn_services() via configd
o change openvpn_interfaces() to use isEnabled() method on the model to query if any (legacy/mvc) instances are enabled
o move openvpn_config() from openvpn.inc to widget and extend with MVC instances
o extend ovpn_status.py to parse "instance-" sockets as well, since the filename doesn't explain the role, we're using the status call to figure out the use. uuids are keys in this case
o server_id type to str in kill_session.py so we can match either legacy or mvc sockets
o hook ExportController to OpenVPN model using getInstanceById() to glue the Client Export utility to both components
o extend connection status with mvc sessions (descriptions)
---------
Co-authored-by: Franco Fichtner <franco@opnsense.org>
Refactor the code to take advantage of the -S behaviour and
also ditch the extra service_control_status() since we already
fetched the status ourselves and it's used nowhere else.