- Adds proper Termination Cause handling, requires addition of `delete_reason` column in the captiveportal sqlite database.
- Implements `Acct-Input|Output-Gigawords` accounting handling (Fixes https://github.com/opnsense/core/issues/6712)
- implements `Called|Calling-Station-Id`. (Fixes https://github.com/opnsense/core/issues/7844)
- `Called-Station-Id` implemented via additional optional input field
- `Calling-Station-Id` requires an extra preauth hook, which in general is useful to handle per-session authentication properties.
- While here, silence output of pf during state kills when client is disconnected
- `NAS-IP-Address` isn't added, RFC2865 states it should be either `NAS-Identifier` of `NAS-IP-Address`.
Since it touches this area, perhaps we can remove the deprecated `$zoneid` param in the captive portal SessionController.
This commit adds backwards compatible changes to the automation api and associated user interface. Although this is likely not the final state, it adds quite some improvements in making this a valid replacement for the current firewall user interface.
The node is now empty by default so code peeking into the items
should check beforehand or use a safe iterator like config_read_array().
This is for 25.7 with the infamous two security sysctls flipping back
to FreeBSD defaults.
This commit consists of two parts:
1) Add user portal privileges to "Lobby: Password" as this replaces the legacy item
2) Rewire password policy constraints to use "ui/user_portal", which will be redirected to the legacy page when BE is not installed.
The impact of this change should be small.
As we already supported a dot [.] terminated format, we should support both advanced queries as simple ones using "container1.container2", by prefixing the simple format with a dot, we can offer both options using the same parser.
While comparing jq with jsonpath, the first option seems to be most practical and easier to explain.
The use of custom tags is more advanced, so better to organize this further to the right. I have looked at combining topics, but tags don't really belong to either options or ranges as they can be used from most entities. Since we also support the default included interfaces as tags, in most cases people will only need ranges and options anyway.
Although it is practical to know that a client is calling an endpoint unauthenticated, we would like to know which client it is and which endpoint it tries to access to easier detect abuse.
The previous handling "skimmed" the blocklist using regular expressions, but when these lists include wildcards, you need to filter the exact item to exclude it (e.g. *.org.domain in a blocklist will still block a.org.domain in a passlist).
By moving the evaluation to the place where requests are evaluated, we can pass the likely intended domains by their provided regex.
Although there is a performance penalty, it should be limited since we only compile the regex once.
* dnsmasq: Allow domain overrides to be optionally sorted by sequence number to support strict-order.
* dnsmasq: Make sequence required, default to 1 and bump model version, simplify sorting in template.
* dnsmasq: Use interface directly as tag in dhcp options
* dnsmasq: Always add tag to interface since set is automatic when interface receives DHCP Broadcast.
if no shaper (ipfw) rules are present, or these rules are disabled, ipfw will be disabled as well (firewall_enable="NO" and rc.ipfw onestop).
Traffic shaped via pf will not show up in the stats output of dnctl pipe|queue|sched show. Also, there is currently no logic to associate pipes/queues with pf rules.
