16145 Commits

Author SHA1 Message Date
Ad Schellevis
fed2a35269
Firewall - adhere to best practices (#8010)
* Firewall - adhere to best practices (https://www.openbsd.org/faq/pf/filter.html) and skip lo0 from processing. closes https://github.com/opnsense/core/issues/8009
2024-10-29 20:13:46 +01:00
Ad Schellevis
57a7b5d89f Firewall: cleanup automatic rules. (merge part of https://github.com/opnsense/core/pull/8010)
* When ipv6 is disabled, disable all IPv6 rules as well for clarity
* Only add carp rule when at least one carp virtual ip exists.
2024-10-29 20:09:39 +01:00
Ad Schellevis
7561f69e47 firmware: add wrapper class for python to support using platform TLS settings (as far as possible).
Unfortunately python requests/urllib3/ssl ignore platform openssl defaults, but choose defaults which do not always match expectations.
Below per configuration item (system_default_sect) the current situation:

* CipherString --> supported, using ciphers list
* Ciphersuites --> not supported, but does seem to follow configuration defaults. When python adds support, we likely have to change something.
* SignatureAlgorithms --> not supported, but seems to follow configuration defaults, as above
* Groups (Curves) --> partly supported, only one may be offered, we select the first item in the list, knowing that is a bit flaky (see: set_ecdh_curve())
* MinProtocol --> supported
2024-10-29 17:56:33 +01:00
Monviech
2616ace119
firewall: groups: Fix wording of 9425ca7 (#8025) 2024-10-29 17:36:36 +01:00
Ad Schellevis
052eea3253 System: Trust: Settings - add SignatureAlgorithms option and fix minor form glitch
To prevent clients from offering SignatureAlgorithms beyond specific boundaries, offer the option to set the list manually.
Unfortunately we can't seem to query the options via openssl, so we will have to add the ones we know manually to an option group.

[*] https://docs.openssl.org/3.0/man3/SSL_CONF_cmd/#supported-configuration-file-commands
2024-10-29 14:14:05 +01:00
Ad Schellevis
14c3eff319 System: Trust: Settings - add missing MinProtocol in template, missed a spot in https://github.com/opnsense/core/pull/7854 2024-10-28 18:38:59 +01:00
Monviech
9425ca700d
firewall: groups: Enhance validation that group name can not start or end with a digit. (#8022) 2024-10-28 16:39:36 +01:00
Franco Fichtner
528a634930 reporting: isset vs empty on RRD enable
The config.xml.sample also has a <enable/> node and saving RRD by
disabling it produces an empty <rrd/> node in the code so isset()
is still the right thing to do.

PR: https://forum.opnsense.org/index.php?topic=43641.0
2024-10-27 21:06:40 +01:00
Ad Schellevis
51492f629b mvc / locales - isset() vs !empty() to ease migrations (also required for https://github.com/opnsense/core/issues/7904) 2024-10-27 19:17:40 +01:00
Ad Schellevis
f5a754bd4e model - fix LegacyMapper when the mountpoint is not xml's root, found regression when working on https://github.com/opnsense/core/issues/7904
Currently we seemed to dump new entries in /opnsense in all cases, but when these mappers address items deeper in the structure, they should use an xpath expression to get there.
2024-10-27 18:39:31 +01:00
Monviech
69d6a46810
vpn: ipsec: Add description field to pre-shared-keys (#8015) 2024-10-25 16:11:07 +02:00
Roy Orbitson
301052443b
Logical health graph ranges (#7992) 2024-10-25 14:36:28 +02:00
Roy Orbitson
234f256462
ISO dates in health graphs (#7991)
American date format is not the standard for most of the world. Slashes
indicate ambiguity for dates like 4/7, hindering readability.
2024-10-25 14:35:48 +02:00
Ad Schellevis
9a04fcde59 Services: ISC DHCPv4: Leases - safeguard output type for json_decode() closes https://github.com/opnsense/core/issues/8013 2024-10-25 08:57:47 +02:00
Ad Schellevis
85bde6565c System: Access: Users - change isset() to !empty() for disabled status in preparation for https://github.com/opnsense/core/issues/7904 2024-10-24 19:41:01 +02:00
Ad Schellevis
9e01cc3191 Firewall: Settings: Advanced / syncookies - make lo0 state unconditional again as discussed with @fichtner (https://github.com/opnsense/core/issues/8008) 2024-10-24 11:32:43 +02:00
Stephan de Wit
87687b7c39 firewall: account for uuid in other rule parsing areas (2c4c5cf09b) 2024-10-24 08:35:24 +02:00
Ad Schellevis
e7e7e57dc1 Firewall: Settings: Advanced / syncookies - make stateless loopback rule conditional as a temporary solution and add a clear note about the state requirement. closes https://github.com/opnsense/core/issues/8008 2024-10-23 20:19:25 +02:00
Ad Schellevis
2c4c5cf09b Firewall: Automation: Filter - use uuid as rule labels to ease tracking. 2024-10-23 15:41:27 +02:00
Franco Fichtner
4219e86305 reporting: squelch a RRD warning 2024-10-23 09:32:50 +02:00
Franco Fichtner
bc2c878ec9 firmware: better naming for firmware crls; closes #7995 2024-10-22 14:30:44 +02:00
Franco Fichtner
30b8bfedbf firmware: for CRL verify to work need to explicitly set trust store 2024-10-22 13:14:48 +02:00
Franco Fichtner
c1d8bf6277 firmware: add a newline to CRLs just in case 2024-10-22 13:13:51 +02:00
Franco Fichtner
100c4870f4 system: fix hashval from capture 2024-10-22 12:56:34 +02:00
Ad Schellevis
316dd33855 MVC: add missing requests->hasQuery(), required for OPNcentral 2024-10-22 12:18:01 +02:00
Ad Schellevis
6cad352ca8 MVC: add missing requests->getScheme(), required for OPNcentral 2024-10-22 12:11:52 +02:00
Franco Fichtner
387e75b4a5 src: style sweep and plist 2024-10-22 12:08:26 +02:00
Ad Schellevis
dc25dbc5fb MVC - add missing request->getURI() 2024-10-22 11:53:25 +02:00
Ad Schellevis
aa8fe94ce0 Services: Unbound DNS: Overrides - move domain overrides to Query Forwarding, closes https://github.com/opnsense/core/issues/7243 2024-10-22 11:23:36 +02:00
Ad Schellevis
e33c4ab513 Services: Unbound DNS: Query Forwarding - add forward_tcp_upstream option and a description field, these are requirements for https://github.com/opnsense/core/issues/7243 2024-10-22 11:13:01 +02:00
Ad Schellevis
d9a22ba8d9 Services: Unbound DNS: Overrides - allow rfc2181 compatible names in host overrides. closes https://github.com/opnsense/core/issues/7976 2024-10-22 09:30:44 +02:00
Franco Fichtner
a5504ee744 firmware: missing HOSTS too #7995 2024-10-22 09:15:38 +02:00
Franco Fichtner
ddd78295b5 firmware: typo in previous #7995 2024-10-22 09:13:49 +02:00
Franco Fichtner
b7e7df8a1b firmware: use the trust store for CRL verification #7995 2024-10-22 09:10:12 +02:00
Franco Fichtner
3b09bc73f8 system: sync certctl to FreeBSD 14.1 base code 2024-10-22 08:27:10 +02:00
Franco Fichtner
8e41be2ebe src: style sweep 2024-10-21 19:46:49 +02:00
Monviech
3a7cd41868
vpn: ipsec: Add swanctl.conf download button to settings.volt view (#7972)
* vpn: ipsec: Add swanctl.conf download button to settings.volt view. Bootstrap dialogue warns user about sensitive file contents. Error scenarios like missing file or API errors are handled gracefully with error messages.

* Update src/opnsense/mvc/app/views/OPNsense/IPsec/settings.volt

Co-authored-by: Franco Fichtner <franco@lastsummer.de>

* vpn: ipsec: make plist-fix

---------

Co-authored-by: Franco Fichtner <franco@lastsummer.de>
2024-10-21 14:55:41 +02:00
Franco Fichtner
786bc2cf05 firmware: improve the health check a bit
Allow for an extra argument as sometimes we just want one
component.  There's no way to access this easily but it makes
sense for testing.

Squelch the CRL warnings in the rquery as we want to parse
it correctly anyway instead of reading error messages.

Add version annotation to core check.
2024-10-21 12:11:04 +02:00
Franco Fichtner
50a6cc86ba firmware: guard rm with -f to avoid spurious errors 2024-10-21 12:11:04 +02:00
Ad Schellevis
e78e243919 system: CRL/cert subject hash mismatch in certctl.py, closes https://github.com/opnsense/core/issues/7993
Since pyOpenSSL doesn't support generating hashes for CRLs, we calculated one with the functions available in the libraries.
Unfortunately X509Name doesn't seem to support duplicate attributes, causing mismatches on our end.

This commit replaces the previous logic with a direct call to openssl; although it's slower, it will deliver the expected outcome.
2024-10-21 11:52:17 +02:00
Franco Fichtner
3d34e7e54e firmware: restart cron on updates
Specifically to deal with new RRD situation but it looks like an
old oversight not to reload here anyway.
2024-10-21 09:50:52 +02:00
Ad Schellevis
ab0fc39a40 interfaces - parse part of sfp module information in legacy_interfaces_details(), adds 'module temperature' and 'lane X' information as well.
`ifconfig` passes the information from `sfp.c` [1], which has a fixed structure we can parse on our end.

[1] 6fbe7e4dd1/sbin/ifconfig/sfp.c (L75-L76)
2024-10-20 17:29:32 +02:00
Ad Schellevis
cca972c05b interfaces - parse part of sfp module information in legacy_interfaces_details(), closes https://github.com/opnsense/core/pull/7986
`ifconfig` passes the information from `sfp.c` [1], which has a fixed structure we can parse on our end.

[1] 6fbe7e4dd1/sbin/ifconfig/sfp.c (L75-L76)
2024-10-19 10:02:01 +02:00
Stephan de Wit
77036e161c firewall: cleanup previous 2024-10-18 15:49:51 +02:00
Stephan de Wit
c6a828f46e firewall: embed event count into throttled live log (https://github.com/opnsense/core/issues/7975) 2024-10-18 15:37:12 +02:00
Stephan de Wit
2e50dc12de firewall: throttle live logging (https://github.com/opnsense/core/issues/7975) 2024-10-18 10:43:18 +02:00
Franco Fichtner
a05e1c32fe src: style sweep 2024-10-18 09:35:39 +02:00
Ad Schellevis
8e234dc241 library / Firewall\Util::isIPInCIDR extend sanity checks, closes https://github.com/opnsense/core/pull/7978
The existing sanity checks only prevented a non-ip address from being accepted, but ignored the fact that a netmask might either be faulty or of a different ip family.
This commit extends the test to the cidr part and ip family.
2024-10-18 08:57:04 +02:00
Ad Schellevis
70df0a15f7 firmware: fix timeout in update-crl-fetch.py 2024-10-17 20:05:13 +02:00
Ad Schellevis
372c9c9806 firmware: move debug exception messages to regular message flow for clarity (https://forum.opnsense.org/index.php?topic=43474) 2024-10-17 19:43:18 +02:00