Services: Intrusion Detection - refactor pcap/netmap selection to "Capture mode" and add new "divert" option.
With divert we can integrate suricata in firewall rules, which makes it easier to bypass large flows.
This change requires the new SO_REUSEPORT_LB option in the kernel in order to distribute traffic over multiple workers.
rtsold: check RA lifetime before triggering the one-shot always script
Historic context: rtsold is used by *sense to get a router address which
wasn't originally the daemon's purpose. We only ever get the first address
per interface lifetime so if the RA contains an invalid router with a zero
lifetime and we catch it we cannot get a valid one ever again.
This is suboptimal in a number of ways, but the obvious way to deal with
this is to ignore all RA messages from routers that do not advertise a
default route.
PR: https://github.com/opnsense/core/issues/9551
VPN: OpenVPN: Client Export - add "lazy loading" model support on Trust\Cert type and skip dynamic content when loading the model in our export. closes https://github.com/opnsense/core/pull/9552
Firewall: Rules [new]: Add multiselect icmp6type options (#9547)
* Firewall: Rules [new]: Add multiselect icmp6type options
* These should not be ignored in the grid.
* Firewall: Rules [new] - Add multiselect icmp6type options (minor cleanups)
Use icmpv6 parameter codes as defined in https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml#icmpv6-parameters-codes-8
---------
Co-authored-by: Ad Schellevis <ad at opnsense.org>
Feature/dnscrypt proxy blocklist support (#5083)
* Add ports to Events page
* fixes race condition updating the blocklist
* Native integration with DNSCrypt-proxy
Added Q-Feeds domains to the DNSBL list of DNSCrypt-Proxy. Changed since the initial way, this is more native. Q-Feeds domains txt files only created if DNSCrypt-proxy is installed and if the list (qf) is selected.
Firewall: NAT: Destination NAT: Add commands, category to Anti-Lockout rules (#9544)
* Add command to Anti-Lockout rules to redirect to the page they originate from for parity with old view. Add category to Anti-Lockout rules so they pool under Automatically generated rules for parity with the new firewall view. Change position of No RDR and hide it in advanced mode, for parity with the reworked SNAT views comparable option.
* Add sequence number so it appears behind enabled in grid, like in SNAT view
Revert "mvc: Add RegexField and RegexFieldTest that validate PCRE2 engine regular expressions (#9291)"
This reverts commit 03c8d0a36ffd374a0a93ee4eda7d688800577438.
It is a nice idea but it is not going to be used due to technical
complications. If this is needed later we can always bring it back.
ui: infosection larger than table width, adjust to bootgrid-footer
While here, bootgrid-footer only existed in the jquery bootgrid
files. Since we plan to drop these at some point, better make
sure they exist in our layout file
Revert "Interfaces: Assignments - ditch broken $is_ppp validation, the device should exist before allowing assignments (always)."
This reverts commit 5f1b2bb08847ee0c4da29846f7f06887dc0fef68.
Does not work as intended. PPP devices are not created before assignment.
(cherry picked from commit 9b8d8f4b8c9aa1c84ca776932a61e9a43f501425)
Revert "Interfaces: Assignments - ditch broken $is_ppp validation, the device should exist before allowing assignments (always)."
This reverts commit 5f1b2bb08847ee0c4da29846f7f06887dc0fef68.
Does not work as intended. PPP devices are not created before assignment.