With this commit policies functionally work, but there's still some refactoring todo.
o migrate download filters to a policy
o remove download filter option
o point to policies in the download section
o (maybe) move single rule overwrites to policies as well.
Following a discussion in FreeBSD ports to simplify ports handling
the missing @version will no longer trigger a warning in recent
syslog-ng releases so it's better to remove this to ease future
transitions of the port (merged into one "syslog-ng" port then).
rc.configure_plugins is likely fixed, but rc.configure_firmware
has the same issue so make this more maintanable by moving the
async request to the system function and put the former call back
with the async flag set.
Should fix syslog-ng related package configure hangs with regard
to pkg-based bug in recent versions.
In 6f76b5f the displayName attribute was added as the first camel case
attribute being read from the search result. As various[^1] comments[^2]
for `ldap_search` mention the attribute names must be lower case, even
though the LDAP server might return them differently.
Using all lower case to access the returned attribute results in the
value of displayName actually being used as the full name of the user.
[^1]: https://www.php.net/manual/en/function.ldap-search.php#37317
[^2]: https://www.php.net/manual/en/function.ldap-search.php#28991
The associated nat rules remain a terrible construct, ideally we would make sure the automated rule matches a regular one, but if they do, the firewall_rules_edit.php page has to handle all sorts of corner cases leading to other unexpected behaviour.
This fixes a bug, cleaning this up would either need proper validations in the filter page or no extra validations at all (create/update, only note the relation, but don't try to enforce anything when associated-rule-id is set.
Eventually some of the functionality in user/group management maybe moved to this hook, but to ensure a fast path to production, we'll keep duplicate work for now.
for https://github.com/opnsense/core/issues/4411
o in order for this to work properly we need to change when a config backup is made, previously we performed a backup before the fact, now we backup afterwards. which means the top level always represents the current change (and can thus be signaled to an event handler). After upgrade one might lose a single backup file due to this change, but that should be a small price to pay for progress.
o config backup count was defined incorrect (60 instead of 100 according to the gui)
o the syslog-ng event structure is using the existing configd handler and filters relevant events within a small time frame (which prevents flooding configd)
Since the event is loosely coupled, the risk for releasing this into an existing environment should be rather low.
For https://github.com/opnsense/core/issues/4388
sponsored by : Modirum (https://www.modirum.com/)
o move all templates into one standard ini file containing all required info for the blacklists
o add syslog output (in unbound log view) about processing and error handling
o validate "whitelist" regexp entries before usage
o lock process while performing download task
o don't try to download in parallel, the gain is relatively small and adds complexity.
o remove last unboundplus action, migrate cron jobs if they exist
This should be replaced with something more clever so for now
use this to keep an eye on the change until a strategy is clear.
We could remove the default and store unlimited backups although
that might hit a directory file limit sooner or later.
