Revert previous here. Debug mode is "raw" error display
mode and non-debug forwards to crash reporter.
Crash reporter itself could be broken, but mostly because
the system / include chain is broken. Until PHP offers
a reliable way to intercept parse error 500 we will have
to live with this unless it causes other side effects.
Although we could agree that we should not emit link locals
without scope attached and/or that system_host_route() should
fix this by itself, there is only one caller of system_host_route()
with the same problem and that one handles it correctly already.
Since we do not know the side effects and it is late into the
22.7 development with RC1 already out, we fix this issue here
fully with the least impact possible.
When setting up an IPv4-over-IPv6 or IPv4-over-IPv4 gif tunnel, IPv6 should be disabled inside the tunnel to prevent the automatic configuration of an IPv6 link-local address.
Although the risk of misuse is likely rather small, we better drop traffic if we don't know what should be allowed yet. Our default policy should take care of standard loopback behaviour, so the impact of this change should be relatively small.
It would be better if we didn't clean up as a side effect when running
a per-device configuration but the way vxlan/loopback were written that
only happens in batch mode so at least try to keep the other devices
as is and clean up any stray objects.
We could push this further, but as we can see the risk of regression
is real so do not try to touch the code any further for now.
This brings it in line with migrations although both hinge on
the idea that rc.configure_firmware is called to execute this
code. Both need a better integration but bringing them to the
same level seems to make the most sense.
After reboot the config is in a consistent state now too...
Remove previous plugins_interfaces() call and always use full
path to pluginctl like most spots already do.
We should catch $fp == null for whatever reason it
happens. Make sure the file exists and open for
read-only. Close pointer afterwards to avoid other
wonkiness.
When using multiple aliases per interface, disabling binding on one could
potentially disable binding for other aliases on the same interface, depending
on the order of the VIPs in the config. The 'alias' setting was evaluated
regardless of whether the subnet matched, so if a previous VIP for a matching
interface had matched on subnet, the current VIP's 'bind' setting would be
applied to the interface address even though the current VIP's subnet didn't
match.
o provide option to delete entries
o show Ikeid and Reqid including optional phase[1|2] description when provided
o extend fields with data provided from setkey -D
As we stopped using "required" in our spd entries we need other means to remove previously manually added ones.
This commit collects all policies that are likely inserted manually and removes the ones that are being used in active phase 2 entries (reqid) configured with manual entries.
Combined with the new diagnostics page a user should be able to manually remove entries we couldn't automatically clean up due to the risk of removing unrelated manual entries.
Also clean up the logging a bit as the previous messages were added for temporary use.