4747 Commits

Author SHA1 Message Date
Franco Fichtner
d19cd6cdbf interfaces: get_interface_mac() not returning cached MAC result
Looks like this went unnoticed since 22.1.2.

PR: https://forum.opnsense.org/index.php?topic=29691.0
2022-08-04 23:39:46 +02:00
Franco Fichtner
83c1ce1b6f interfaces: fix warning 2022-08-04 22:39:39 +02:00
Franco Fichtner
d69ff4a16a interfaces: figure out point-to-point or subnet setup
PR: https://forum.opnsense.org/index.php?topic=29654.0
2022-08-04 22:25:56 +02:00
Franco Fichtner
e1e8abc03e rc: 750 for root fixup; closes #5475 2022-08-04 10:09:30 +02:00
Franco Fichtner
92cd0745e1 firewall: undefined key warning 2022-08-04 09:17:59 +02:00
Franco Fichtner
889420b652 interfaces: style update on GIF/GRE code
If we want to extend the feature here make room so we
don't have to deal with a single string concatenation.

Also disabled IPv6 inside GIF IPv4 tunnel.

PR: https://forum.opnsense.org/index.php?topic=29654.0
2022-08-04 08:53:14 +02:00
Franco Fichtner
9c6e5f0cfb dhcp: fix undefined key warnings 2022-08-04 08:51:54 +02:00
Franco Fichtner
abffe29b21 unbound: fix two undefined key warnings 2022-08-04 08:51:19 +02:00
Franco Fichtner
e76f15c357 system: refactor logic and populate hosts file a bit more
Already noticed that "ipsec" devices were throwing wrenches into
the engine here so try to match exactly on the pseudo-interface
names given by the GUI.
2022-08-03 09:06:20 +02:00
Franco Fichtner
b504bc8763 dhcp: extend search list pull from DHCPv6 and refactor #5919 2022-08-02 12:31:56 +02:00
Patrick M. Hausen
b319b1284f core/radvd - do not advertise DNS domain when DNS advertisements are disabled 2022-08-02 12:12:40 +02:00
Stephan de Wit
966e54011e unbound: do not start DHCP watcher immediately after daemonizing unbound (#5920) 2022-08-02 10:33:59 +02:00
Stephan
2918f0e24e trust: use proper CRL id-ce-cRLReasons extension keyword 'unspecified' 2022-08-02 08:39:55 +02:00
Franco Fichtner
7aaa6a263b system: do not reload unbound/dnsmasq "hosts" by default
Number of people noted spurious restarts of Unbound and this seems
to be the cause.  However, the real cause of hammering rc.newwanip
is in 797c18641944 and to avoid other side effects like the GIF/GRE
stuff we should consider reverting part of it.
2022-08-02 08:22:26 +02:00
Franco Fichtner
8974c4661a dhcp: fix undefined key warning 2022-08-01 13:52:23 +02:00
Franco Fichtner
f9ea49ae31 interfaces: manual cache invalidate for previous
Purge the file on all known dynamic spots that run a deconfigure
of some sort.  We probably need something for a forced reload as
well but for now let's see if this works in general.
2022-08-01 13:45:18 +02:00
Franco Fichtner
97e7a93b7c interfaces: disable reload with same IPv6
rtsold resolvconf handling forces a lot of reloads now, something
also seen in rc.newwanip -- let's go the extra mile and lock the
cache IP in place until we do a full reconfigure.

We may have to build some sort of "expire" feature for the cached
IP since between forced reconnects we will want to reload again
anyway.  But not sure where that is as rc.linkup is unreliable as
it has been messing with this before.
2022-08-01 12:29:44 +02:00
Franco Fichtner
507ee2768f unbound: argument unused 2022-08-01 12:21:11 +02:00
Franco Fichtner
aa2bc6599e rc: remove _var_mfs remnants #5917 2022-08-01 09:43:55 +02:00
Franco Fichtner
86ebdc291e interfaces: more issues with PHP 8 and uptime display #5910 2022-07-29 09:49:58 +02:00
Franco Fichtner
6ec65f7407 system: treat files with newlines #5900 2022-07-28 10:08:06 +02:00
Franco Fichtner
d7b3d61510 system: ensure that _defaultgw files are written #5900
Ok so this might have been an issue in the past WRT DHCP client
and default route handling which is now done another way but maybe
it shouldn't have.  For now just see how this works in practice
and then decide later if more needs to be done or not.
2022-07-28 10:00:05 +02:00
Stephan de Wit
f8650c76aa System Status: replace old notices system with a global one (#5875)
* MVC / System status: first draft for backend implementation

* fix copyright

* fix permissions

* MVC / System Status: modify backend implementation and setup front-end

* MVC / System Status: minor cleanup, ACL check and fix reporting in production mode

* MVC / System Status: copy status system to legacy as well, remove the notices system, finish up front-end work

* MVC / System Status: remove useless constructor

* fix plist

* System Status: shorten previous

* System Status: add ACL check

* System Status: also remove legacy part

* System Status: also clean up on legacy page

* System Status: ACL check on dismiss action as well

* System Status: add readonly privilege check to dismiss action

* System Status: do not trust input

* System Status: address security concerns

* add default return

* System Status: move js code to separate script and make sure a logLocation is always provided

* System Status: clean up callout in both legacy page and volt template

After dismissing a message and closing the dialog, the old message was still bound to the dialog instance. Re-registering the onclick callback solves this.

* System Status: adjust log location and kick off status system on alias errors

* System Status: let's hold off on throwing notifications for aliases for now

* System Status: add ACL entry for the dismiss API call, adjust to new deployment situation

Without the ACL entry, /api/core/system/dismissStatus calls are rejected for non-root users even when they should have rights to dismiss.

Also do a minor consistency improvement and also adjust to the new situation of production & development deployment types. We need to account for the possibility of 'deployment' being empty in the configuration, therefore a direct check of the 'development' type seems most fitting as this is unlikely to change or be subjected to any additions.

* System Status: also error out when unable to write new rules

* System Status: account for users without permissions

* System Status: name collision in FirmwareController

* System Status: replace old notices system with a global one (https://github.com/opnsense/core/pull/5875)

Review feedback / modifications in this commit:

o filter.inc

-- remove wedged message, when locked during parallel reloads it likely doesn't help to disable/enable
-- flush message to error trigger file

o SystemStatus.php
-- str_contains --> strpos; eases testing on OPNsense 22.1.x as str_contains is php 8 only

o Status collectors
-- simplify logic and propagate messages received from status file

o CrashReporterStatus
- the existence of a /tmp/PHP_errors.log  file should be enough to know some process signaled the crash reporter
- remove shell exec

o FirewallStatus
-- as only /tmp/rules.error remains, remove loop to read for non existing files

o opnsense_status.js
-- add opn-status-group class to container and point css modifications in that single direction to prevent other objects from being affected by our status popup modifications
-- windows file endings replaced (^M)

o css:
keep menu_messages container to ease migration for theme developers

NOTE : ** get_crash_report() could likely be simplified as well

* filter: change to mwexec, redirection is implied

* System Status: handle potential undefined array key

seems to be a one-off error: Exception: Error at /usr/local/opnsense/mvc/app/controllers/OPNsense/Core/Api/SystemController.php:90 - Undefined array key 0 (errno=2) in /usr/local/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php:159

Co-authored-by: Ad Schellevis <ad@opnsense.org>
2022-07-28 09:50:06 +02:00
Franco Fichtner
9f0ba65615 interfaces: remove out-of-band _defaultgw file writes; closes #5900
IPv4 doesn't do this indicating that IPv6 shouldn't as well.
Also, ifctl is not handling this file either so we might as
well let system.inc deal with this.

PPPoE and DHCP still read the file but wouldn't consider this
a huge problem.

Also now makes sure the scope is added to link-local gateways,
which was a problem previously reported by @maurice-w.
2022-07-28 09:47:10 +02:00
Franco Fichtner
a5c02d8ade interfaces: migrate cleanup from interface_bring_down() #5862
Since we already kill routes in nameserver registrations we can
also take on the arp/pfctl magic moving the "router" file check
to its native utility.

It's debatable if we even need the pfctl or arp flush here.

To be continued...
2022-07-26 19:53:56 +02:00
Franco Fichtner
1fa0cb3e2d firmware: time for 23.1 development :) 2022-07-26 11:38:44 +02:00
Franco Fichtner
f8da0f2400 unbound: another undefined var 2022-07-25 13:29:58 +02:00
Franco Fichtner
6fe0cdd4b6 interfaces: replace router write with ifctl use #5862 2022-07-25 11:44:03 +02:00
Franco Fichtner
386b4679b4 openvpn: switch to ifctl use for #5862 2022-07-25 10:43:18 +02:00
Franco Fichtner
3c18be1086 interfaces: fix two warnings 2022-07-25 09:31:35 +02:00
Franco Fichtner
8db197ebe8 unbound: fix two undefined variable warnings 2022-07-25 09:31:11 +02:00
Franco Fichtner
a02b07a908 interfaces: add iwlwiwi to wireless devices
PR: https://forum.opnsense.org/index.php?topic=29435.0
2022-07-22 14:20:22 +02:00
Franco Fichtner
7135201700 firewall: call closelog() for symmetry
openlog() is already called elsewhere and some components changing
the log facility do the closelog() dance as well.
2022-07-22 13:40:10 +02:00
Franco Fichtner
90db8f4d0f interfaces: widen and improve ifctl use
We do want to eventually lean on exclusive ifctl use in order to
be able to improve logic in ifctl or make adjustments really easy in
the future without missing a spot (e.g. adding scope to link-local
routers).
2022-07-22 10:54:55 +02:00
Maurice Walker
d582435b4b interfaces: add support for SLAAC WAN interfaces w/o DHCPv6 #5862; closes #5883
New script to be invoked by rtsold when Router Advertisements with
RDNSS / DNSSL information are received. Uses ifctl to create the
/tmp/$if_routerv6 file and creates the /tmp/$if_defaultgwv6 file
directly. Fixes the issue that these files don't get created when
the M and O flags in RAs are not set. Also, passes RDNSS / DNSSL
info from RAs to ifctl.
2022-07-22 09:20:12 +02:00
Franco Fichtner
a7ec2175b1 system: move dpinger notification to right spot 2022-07-22 08:52:05 +02:00
Stephan de Wit
30f499e89e Firewall: add general firewall log for alias and filter syslog messages (#5894) 2022-07-21 16:11:32 +02:00
Franco Fichtner
e9c57fd59b dhcp: note about staticarp behaviour 2022-07-21 13:52:30 +02:00
Franco Fichtner
216e489564 src: another one 2022-07-20 12:22:01 +02:00
Franco Fichtner
d44f9722e9 src: fix php deprecated warnings 2022-07-20 12:19:07 +02:00
Franco Fichtner
856574bbef dhcp: use a simple periodic update for now; closes #5876
Gets rid of package dependency which for dhcpleases6 simply
listens on the DHCPD lease file and runs the prefix.php command
unconditionally.

For now emulate this by issuing the command every 60 seconds
which can be adjusted later if someone complains, but seeing
how many bugs this script has had vs. how many people noticed
it (basically none) I doubt this will have much impact overall.
2022-07-20 11:37:18 +02:00
Franco Fichtner
e58d7de7d4 system: improve wording as debug no longer exists #5889 2022-07-19 18:49:25 +02:00
Franco Fichtner
a256697cbf system: remove debug mode, disable display errors on runtime for development mode #5889 2022-07-19 16:47:00 +02:00
Franco Fichtner
0d77a46b1f ipsec: fix two warnings 2022-07-19 16:45:22 +02:00
Franco Fichtner
5fa042b687 dhcp: more work on #5847
Make sure to use a proper example from ISC dhcpd itself.
Here now we truncate the prefix and add the suffix, making
sure the suffix is correct.  If the upper 64 bits are empty
we likely have the wrong format and we shift it up as
e.g. "::2" is not a prefix range value, but "::2:0:0:0:0" is.

Note that this is in contrast to static IPv6 where this has
to be configured correctly in the first place.
2022-07-19 12:24:56 +02:00
Franco Fichtner
8d4b63d306 system: Net_IPv6::compress() should not compress "::" to "" 2022-07-19 11:26:31 +02:00
Franco Fichtner
b66ff4bc5b interfaces: fix expire dhcp6c regex further
According to the manual "forever" is actually the correct keyword.
Also the double-pipe was senseless matching an empty expression
and there was a dash missing between month and day.
2022-07-19 08:14:28 +02:00
Ad Schellevis
4e9baba4d0 System: Routes: Configuration - disable flag not removing static route. closes https://github.com/opnsense/core/issues/5887
looks like a regression in 52d3e7c676, after which delete doesn't seem to execute a valid route command.
2022-07-18 20:25:56 +02:00
Josh Soref
ed7c72ad30 system: fix "enforcement" spelling 2022-07-18 15:56:41 +02:00
Josh Soref
39246309c2 firmware: fix "scrubbing" spelling 2022-07-18 15:55:45 +02:00