Since OPNsense 22.1 we are using FreeBSD 13 and it comes with a
base trust store which is also maintained there. In order to be
user-configurable there is also a tool called certctl which will
manage blocking and filling the OpenSSL trust store location
/etc/ssl/certs. The idea is to make this implicit and faster.
This, however, pseudo-obsoletes the trust bundle handling which
we mainly operate through /etc/ssl/cert.pem. By pseudo I mean
that ports will still want the real bundles and/or know/guess
this location at compile time. curl has such overrides for
example.
ca_root_nss's bundle is also pulled in through certctl so we
are going to have to jump through a few hoops now in order to
add our certificates cleanly and "prevent" breakage of the
resulting trust store.
Therefore now we write our CA content into separate files because
certctl only hashes the first certificate found in the file.
This is already a bit problematic for ca_root_nss having a
large number of files in it... And against all odds the
first certificate I wrote for our bundle is blacklisted by
FreeBSD which made certctl discard all OPNsense authorities
added from the GUI.
To avoid further issues with certctl as a broker here I have
added it in passthru() mode to see eventual errors clearly.
Now when certctl is done all the files are linked in the
/etc/ssl/certs directory but we actually have to build the
full bundle for compatibility with old ports requiring one
of the locations that ca_root_nss ETCSYMLINK option provides.
A shortcoming of certctl is the lack of a bundle mode for
compatibility's sake which is causing a number of problems in
the ports tree at the moment (which is why we do this work now
and take a closer look before this is rolled out in full in
FreeBSD ports).
The bundle is created by iterating over all files in /etc/ssl/certs
and putting them in the expected locations. One caveat is that
this bloats the bundles to 1.5MB from previously 750KB. The whole
process is a lot slower, especially certctl doing the rehash.
Long story short: this is going to cause issues in the long run,
but for now we know how it is supposed to work and are ready
for FreeBSD ports to drop support for bundles in individual ports.
But that being said we will probably drag the bundles on for
a few years anyway.
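Added example (not OPNsense's own code) of the two steps the commit describes: one certificate per file so certctl hashes each of them, then a flat compatibility bundle rebuilt by iterating over the directory. File and directory names are assumed; it runs in a temp dir with a constructed sample.

```shell
# Added example, not OPNsense code. certctl only hashes the first
# certificate in a file, so a bundle must be split before rehashing;
# ports that still expect a flat bundle get one rebuilt afterwards.
# Split $1 (bundle) into $2/cert-NNN.pem, one certificate per file.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}
# Concatenate every regular file in directory $1 into bundle $2
# (the role /etc/ssl/cert.pem plays for older ports).
build_bundle() {
    : > "$2"
    for f in "$1"/*; do
        if [ -f "$f" ]; then cat "$f" >> "$2"; fi
    done
}
# Number of certificates in a PEM file or bundle.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}
# Number of regular files in directory $1.
count_files() {
    n=0
    for f in "$1"/*; do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}
# Constructed sample bundle: two placeholder "certificates", not real DER.
SAMPLE_BUNDLE='-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLTE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLTI=
-----END CERTIFICATE-----'
# Stand-alone run: split the sample, rebuild the bundle, report counts.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_BUNDLE" > "$tmp/bundle.pem"
    split_bundle "$tmp/bundle.pem" "$tmp/certs"
    build_bundle "$tmp/certs" "$tmp/cert.pem"
    echo "files: $(count_files "$tmp/certs") certs: $(count_certs "$tmp/cert.pem")"
    rm -rf "$tmp"
}
```

Call `demo` to see the split produce two files and the rebuilt bundle contain both certificates again.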
This can slow down reconfiguration of a system with many
VLAN children on a single interface down/up. We likely
have to refactor rc.linkup to coalesce the interface
reload into a safer reload facility.
This is called through rc.linkup exhibiting the issue.
Sidestep the complexity of the situation by fixing the
issue first making it testable and easy to ship in a
stable release.
For anyone not liking this net.inet6.ip6.dad_count can
be set to "0" to disable the sleep behaviour. This
needs to be extended one way or another. More soon.
Most of this code is quite old and originates from the beginning of our project. At the time it seemed to be problematic to render the full rrd stats in a d3 graph, which required the "resolution" option for faster page loading. It looks like we can safely remove this toggle and ditch quite some code in the process. There's still room for improvements in the html/javascript part, but that's probably for another day.
This commit also simplifies the api usage as unused parameters are being removed from the callers (from, to, ..)
* Update ipsec.widget.php
This change solves the problem of users having multiple IP addresses as leases and being counted per leased IP.
- Only "users" are counted now
- Each "user" can have several "lease"
- Each "lease" can have an individual online or offline status
- A user is online when at least one "lease" is "online = true"
* Update ipsec.widget.php
- Replaced multiple "array()" with "[]"
- Access keys "user", "address" and "online" directly from the $lease array without storing them first
- Merged two separate foreach loops into one
o fix merge issue, as system_gateways_edit.php is not used in the new version, we do need to make sure it's hooked to the new code in master first. At a first glance dpinger_defaults() is the only missing part now.
This commit imports part of the changes from @swhite2 which will keep the legacy handling intact for the first stage of the migration. It should be backwards compatible with the previous (23.7.x) code.
Changes new in this commit which were not in the original PR:
1) dpinger_status() missed $gwitem which rendered gateway statuses down
2) Model version number set to 0.0.1 so we can use the migration later to step into 1.0.0
3) Gateways->gatewayIterator() does not yield MVC records ensuring we are still using legacy config data when being called.
When multiple interfaces are selected, these will render into separate rules in which case it might not be clear what the outcome would be, specifically when choosing something else than "pass" (pass lan,wan would lead to two rules which match either lan or wan, block lan, wan would lead to random behavior for example).
For https://github.com/opnsense/core/issues/6902
Not pretty. Need to hook wireguard-kmod on life support for
the initial 24.1 at least because we don't know at build time
if the kernel to be installed will have its own kernel module
or not. Having both works, but the kernel one breaks wireguard-go.
Also implementations for kernel and port kmod seem to be "slightly"
different.
Before: server, client, local, endpoint, peer, interface, instance and
tunnel adapter were being used, sometimes meaning the right thing but
often also displaced.
Now we try to stick to instance (a wireguard interface in its config),
device (pertaining to the actual network device in the system), peer
(a wireguard peer in its config) and endpoint (the actual "endpoint"
setting in a wireguard peer config).
But we can only rename the user facing GUI parts. The API and config
structure will not change.
While here also update the model and tweak a few form labels and help
texts.
Omit the dependency on wireguard-kmod as we will be targeting the kernel
module with 24.1. Some people may run into this but it's safer than
trying to rely on a package that won't be available going from 23.7 to
24.1.
Once upon a time we tried to treat this script as an external one
since it's still maintained somewhat in FreeBSD but the approach
of integration is much different so the script ends up with half
of its code not doing anything and perhaps more than it should.
Upstream fixes are also not fully applicable anymore.
* Clear the writing of the host name. The system does that. Simply
keep the logging aspect of it (if given).
* Remove the $ARP flush on TIMEOUT/EXPIRE as it seems misplaced.
* Remove exit_with_hooks() and is_default_interface() as these are
tools that are not needed in our integration approach.
* While trailing TIMEOUT/EXPIRE failure case make sure to run
newwanip in optional mode in order to pick up missing configuration.
* Copyright the changes from 2021 onwards that offer substantial
changes to the way the script integration works or cooperates with
the rest of the system.
* Inline the one-time use of functions.
* Remove tip-toeing around $resolvconf_enable.
* Ignore dhclient-enter-hooks.
* Remove commented-out code.