Since "strongswan.conf" applies to both types of tunnels, make sure we can configure some shared settings for both options here (tunnels/connections). Eventually more settings might move out of the "IKE Extension" block, but for now it should be enough to isolate Xauth. The impact of configuring xauth when not being used is likely small, so when connections are used we always provide xauth-pam settings (the connection determines if it's actually used).
Removed the "is mobile" enabled in Auth/Services/IPsec.php; when only legacy is used, the behaviour should be the same (as xauth-pam isn't configured).
Note that the header styling affects the plugins repo, but does not affect functionality. The original <h2> did not space and center the text correctly, so some more fluff was needed here.
Although I couldn't reproduce the exact same issue, if some values are empty ('') and some are null (None), weird things might happen. This commit makes sure there is a field delimiter, which logically shouldn't exist in the datastream itself, and prevents null values being presented as "None".
Add connection child as option for manual SPDs. To make sure these are easily selectable, we'll extend ModelRelationField to include a method to return its value (so we can combine parent descriptions).
In cases where e.g. an internet connection is down, a reply will not be present should Unbound's iterator module return.
Normally we marked this as a SERVFAIL, but Unbound already does this for us in the servfail callback.
This means entries were logged twice, once with a "Pass, Recursion, servfail", another one with "Drop, Local, servfail".
This is ambiguous and would skew the relevant statistics.
minor modifications for e08a96c6cd
[*] separate logger.stats_enabled and rrset handling so cnames are also resolved when logging is disabled
[*] set MODULE_FINISHED as default exit state, toggle to MODULE_ERROR when needed
[*] simplify logic a bit in operate()
There can be multiple CNAMEs in a RRset, so iterate the chain and check every fqdn. If one is encountered in any iteration that matches one in the blocklists, unconditionally block it.
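The CNAME-chain check described in the commit message above, as an added example (not code from the commit or the project). The record tuples, function names, the exact-match blocklist set and the `max_depth` guard are assumptions made for illustration; all sample data is constructed.

```python
# Added illustration; names and data below are constructed for this example.

def normalize(fqdn):
    """Compare names case-insensitively and without the trailing root dot."""
    return fqdn.rstrip(".").lower()


def cname_chain(qname, records, max_depth=16):
    """Yield qname, then each CNAME target reachable from it, in chain order.

    Stops on a loop or after max_depth names (max_depth is an assumed guard).
    """
    cnames = {normalize(owner): normalize(target)
              for owner, rtype, target in records if rtype == "CNAME"}
    seen = set()
    name = normalize(qname)
    while name is not None and name not in seen and len(seen) < max_depth:
        seen.add(name)
        yield name
        name = cnames.get(name)


def first_blocked(qname, records, blocklist):
    """Return the first name in the chain that is blocklisted, else None."""
    for name in cname_chain(qname, records):
        if name in blocklist:
            return name
    return None


# Constructed answer section: an allowed name aliasing to a listed one.
RECORDS = [
    ("www.shop.example.", "CNAME", "cdn.shop.example."),
    ("cdn.shop.example.", "CNAME", "Tracker.ads.example."),
    ("tracker.ads.example.", "A", "192.0.2.10"),
]
BLOCKLIST = {"tracker.ads.example"}
LOOP = [("a.example.", "CNAME", "b.example."), ("b.example.", "CNAME", "a.example.")]

if __name__ == "__main__":
    hit = first_blocked("www.shop.example.", RECORDS, BLOCKLIST)
    print("block" if hit else "pass", hit)
    print(list(cname_chain("a.example.", LOOP)))
```

Checking only the queried name would pass `www.shop.example`; walking every name in the chain is what catches the listed alias target.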
This code unfortunately is utterly broken, the plain JavaScript code is lengthy and buggy, this only tries to solve the escape issue, but it would be much better if all of this would be replaced with some simple jQuery constructions.
Two things here:
1. I think historically the port was always missing since it must
be 53 somewhere to work correctly. This actually fixed that.
2. Bind could be integrated more tightly into this when both Unbound
and Dnsmasq are not used.
3. We assume that port 53 is actually a DNS service and not some
other misconfiguration, but it seems from previous code that
this is more than acceptable in the situation we are in.
Ok, that's three things then. ;)
service_by_name('*', ['ports' => ['53']]);
The filter has drawbacks with structured data, but this is good enough
for now and easy to change with only two consumers using it.