This PR pulls query forwarding over the current dot setup, so visually nothing changes.
All API calls are redirected to new Forward functions, which slightly modifies what is returned based on whether "Query Forwarding" or "DNS over TLS" is selected from the menu. This way backwards compatibility is preserved.
As an addition, a user is now able to specify a specific domain for a forward zone as well. Meaning that queries for this specific domain will skip a catch-all (".") domain (if specified), and instead use the server specified for this domain.
Entering a forward zone with a catch-all domain (".") in both Query Forwarding and DNS over TLS is considered a duplicate by Unbound, so a static warning for this has been attached in the grid - however, it might be possible for a user to be warned dynamically over this.
Not sure about nameserver.sh name and scope yet so try to
hide it under a link. We can always change the name later
although having .sh suffix helps us lint the script more easily.
Routes only get added in system_resolvconf_generate() now where
the DNS override is properly checked. The nameservers are added
through the new script for convenience and removed from there as
well. As a bonus we still scrub the routes from the nameserver
file removal to avoid creating "state" about what was done elsewhere.
This is still subject to a lot of funky races for overlapping host
routes either by ISP, manual DNS, gateway monitors or static routes.
* unbound: overrides: migrate to mvc model
* unbound: overrides: generate host_entries via model, revert template generation
* unbound: overrides migration: fix missing include
* unbound: overrides: clean up
Co-authored-by: Stephan de Wit <stephan.de.wit@deciso.com>
Wanted to do this every now and then since people were not
familiar with clog but never got around to doing it. Now that
clog is gone it's easier to do so let's write a few lines
and extend as necessary. :)
It looks like `tail -f' doesn't watch the symlink and instead
tails the target file which makes nightly rotation invisible
and the log starts stalling so it means for any readers of
latest.log it shouldn't be a persistent read.
PR: https://github.com/opnsense/core/issues/4993
Remove all remnants from syslogd and circular log support excluding support from the log readers. When a user upgrades and was using clog, the old files remain and are still readable from the UI; new entries are generated into our syslog-ng directory structure.
for https://github.com/opnsense/core/issues/5337
o Only modify default sysctls when default is known
o Let user know a default is not available for tunable
o Parse system description and type and show in GUI
opnsense-update can read the upgrade hint itself. We may have
to stash an ABI in there to reach to a different location without
the need to publish a symbolic link.
Move the firmware message to a data location for cleanliness.
o Remove revoked business fingerprints that were never used
o Revoke fingerprint for 21.1 as it is no longer needed
o Remove upgrade hint file to avoid development version upgrade loops
o Create a persistent directory to feed the unbound includes
o Move runtime data to /tmp directory
After reboot we use the old persistent list still available.
I am not sure if it's clear enough that the blacklists cannot
auto-update and therefore require a cron job or manual update
from the respective GUI page ("apply" essentially is "download
and apply").