Without gettext() wrapping we never produce a string in the
translation for it. It gets passed to gettext() twice then
but that is matters not as the target string cannot be translated
again when called a second time.
* VPN/IPsec - work in progress refactoring ipsec.conf to swanctl.conf for https://github.com/opnsense/core/issues/5636
Wrap the following blocks in functions:
o generation of strongswan.conf
o write and cleanup IPsec's CA database
o write certificates used by IPsec
o write RSA Key Pairs
o construct ipsec.secrets for swanctl, combining different sources, phase1 PSK's, certificates, keypairs
o replace VPN: IPsec: Lease Status with new mvc version that uses swanctl underneath
Remap ipsec.conf to swanctl.conf attributes using https://wiki.strongswan.org/projects/strongswan/wiki/Fromipsecconf
Remove lifetime defaults from phase 1 and 2 so new connections will use Strongswan's defaults and move the option in phase above Margintime/Rekeyfuzz as these combined are being migrated (see margintime in Fromipsecconf doc).
Restructure used path directives so we can use the default structure as descried in https://docs.strongswan.org/docs/5.9/swanctl/swanctlDir.html and installed via ports.
IPsec status overview needs a small fix as well (passthrough network seems to be returned by vici, but doesn't contain a class (which crashes list_status.py).)
While here, also remove some php warnings.
6255148,en,EU,Europe,,,0
Although the same applies for Asia, we can't use AS as country code here, so we do have to skip this for now until we find a better alternative.
6255147,en,AS,Asia,,,0
closes https://github.com/opnsense/core/issues/6063
Try to avoid touching default routes in dhclient-script which we
already partially do now. PPPoE linkdown certainly doesn't need
to handle the file as well to remove the default route then.
if bad input files are given, the root.key repair is triggered, which doesn't
make a lot of sense so just let unbound fail when this happens.
also remove the redirect to /dev/null to prevent possible file permission issues.
In situations where a cache does not exist (mainly boot), a start/stop/restart of unbound
should make the system aware of the current dnsbl configuration in order to properly diff
on it. This includes unbound starting on boot.
Small addition to https://github.com/opnsense/core/pull/6050:
- Move private/insecure domains to advanced as its intended use has a larger scope than DNSBLs only. Fixes https://github.com/opnsense/core/issues/5256
- Extends the migration to also include these domains.
- leftover cleanup of legacy settings in migration.
- Adds the `serve-expired-reply-ttl`, `serve-expired-ttl`, `serve-expired-ttl-reset`, `serve-expired-client-timeout` options. These options are hidden until the `serve-expired` checkbox is checked, and indented to signify a relationship.
- Removes all dropdowns and instead provides numeric fields to input raw values for more control and less "guessing" of what is acceptable.
- Removes default settings to prevent mismatches with upstream in the future. It's probably best to refer to the Unbound documentation in our own documentation.
- Previously, `rrset-cache-size` and `outgoing-range` were implicitly set. These are now input fields. The migration code will take care of legacy setting assumptions.
Fixes https://github.com/opnsense/core/issues/5978
Fixes https://github.com/opnsense/core/issues/5795
While here, simplify code as well, only store validation output (size, fingerprint) in model itself, although it would be cleaner to send this information via the controller (as overlay), it would mean duplicate work here.
Found while testing https://github.com/opnsense/core/issues/5636
In some cases early DNS works with direct upstream queries for
fixed DNS servers. For DHCP or other dynamic connectivity it
will likely never work as expected with interface-related host
lookup requests.
At least try to load /etc/resolv.conf along with /etc/hosts and
refresh when all interface configuration is active. This needs
to rely on running configuration to pick up DHCP and the like
as said before.
Adds a bit of code on the initialization but allows to trace the
information without magic globals.
Has been on the wishlist forever, but nowadays it's simple enough
to replace the few instances using it.
