We need to make sure both the local and the remote IP belong to
the same CIDR range, which might not be the case if we just
calculate the subnet size required by their direct distance.
Rewrite find_smallest_cidr() to take an array of IPs to calculate
their smallest shared subnet mask. Code is actually pretty simple
and fast. However, we are not going to account for network and
broadcast address reservation unless that turns out to be an issue.
In the IPv6 case assume that /64 is a good approximation of the
result.
Remove code cruft in utilities while at it, also replacing a simple
function only called once in setaddr.sh.
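The difference between sizing a subnet from the distance between two addresses and computing their shared prefix, as an added example that is not the project's code. The function names and sample addresses are constructed for illustration; as in the message above, network and broadcast reservation is ignored and IPv6 is approximated as /64. It also rejects mixed address families, which is an assumption of this example.

```python
import ipaddress


def prefix_from_distance(a, b):
    """Distance-based sizing: smallest IPv4 prefix whose block holds |a-b|+1 addresses."""
    dist = abs(int(ipaddress.IPv4Address(a)) - int(ipaddress.IPv4Address(b)))
    return 32 - dist.bit_length()


def shared_prefix_len(addrs):
    """Longest prefix length under which every address in addrs is in one network."""
    ips = [ipaddress.ip_address(a) for a in addrs]
    if not ips:
        raise ValueError("need at least one address")
    if len({ip.version for ip in ips}) != 1:
        raise ValueError("mixed address families")  # assumption of this example
    if ips[0].version == 6:
        return 64  # approximation stated in the commit message
    first = int(ips[0])
    diff = 0
    for ip in ips[1:]:
        diff |= first ^ int(ip)  # collect every bit position where any address differs
    # The highest differing bit bounds the common prefix from below.
    return 32 - diff.bit_length()


def same_network(addrs, prefix):
    """True if all addresses fall inside the network of the first one at this prefix."""
    net = ipaddress.ip_network(f"{addrs[0]}/{prefix}", strict=False)
    return all(ipaddress.ip_address(a) in net for a in addrs)


if __name__ == "__main__":
    # Constructed sample: adjacent addresses that straddle a power-of-two boundary.
    pair = ["192.168.1.127", "192.168.1.128"]
    by_distance = prefix_from_distance(*pair)
    by_prefix = shared_prefix_len(pair)
    print(f"distance-based: /{by_distance}, shared: {same_network(pair, by_distance)}")
    print(f"prefix-based:   /{by_prefix}, shared: {same_network(pair, by_prefix)}")
```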
o add "Automatic user creation" option in System/Access/Servers (for ldap + derivatives)
o simple detached flow, updatePolicies() calculates differences between local and remote group membership; when there is something to sync (remote groups exist) and a local user doesn't exist, a configd signal is sent to create a new empty user without rights and a random password.
The user_dn field isn't populated; although this will cost additional queries to the remote host, it might be worth the flexibility of allowing users to be moved to different auth scopes.
Type "s" for security audit, or "h" for health audit.
We don't add it to the option prompt to not clutter the menu flow.
This is mostly for debug and development purposes.
I see no easy way to untangle this for now. At least make sure
the user is asked for the defaults to be restored making this
a little better than before.
When there are a lot of interfaces, these calls consume quite some time and eventually the output of legacy_interfaces_details() is what matters to all of them.
Some back and forth between explicit and implicit requires while here.
The code is helplessly glued together and no plugin facility to get
data from a function call currently exists.
product_flavour is embedded in the release package but the
package itself does not insist on a particular flavour other
than having knowledge about the flavour the package was
built for originally. This is ok and direct crypto deps
seem to have failed to produce reliable upgrade / sidegrade
results in recent tests anyway.
Long story short: find out the real crypto flavour installed
from the OpenSSL binary or fall back to the metadata if said
binary cannot be found.
Now that we have metadata injection at build time read it instead
of its auxiliary files. Allow live-mount to snoop the metadata and
afterwards we can start to marry the version and firmware-product
file.
Last puzzle piece will be a tool called "opnsense-version" to read
the JSON metadata and return it in a piecemeal fashion if a part
of the system requires that info, especially from the shell.
This is only an improvement and unification of
`src/opnsense/scripts/shell/banner.php`.
Using `openssh_enabled()` both times in this file is preferred over one
time using `isset($config['system']['ssh']['enabled'])` and the other
time using `openssh_enabled()`.
Updates: 00f9b21cb78d9f76a8f94e8e62cbcefad65b7d99
Updates: 81e50abd0afba2d58ce487cdad60c7aedf899bbf
Updates: https://github.com/opnsense/core/pull/2481