OPNSense/core f313783. AGENTS.md

Update agent guidelines in AGENTS.md

Clarified agent behavior regarding interactions and security reports.
DeltaFile
+5-2AGENTS.md
+5-21 files

OPNSense/core 1a2a012. AGENTS.md

git: create AGENTS.md with agent guidelines

Added guidelines for coding agents working on the OPNsense core repository, including mission, core principles, architecture, code style, security expectations, and review checklist.
DeltaFile
+96-0AGENTS.md
+96-01 files

OPNSense/core 7540fe2src/opnsense/scripts/firmware read.sh config.sh

firmware: cleansing using output_cmd is futile

Move the code back to where it was in early 26.1.  A number of
regressions could have been avoided.  The last straw was buffering
of "." characters for fetching.

The read-guard is still effective.  As it reads the file it does
not need to run unbuffered.  GUI reads are still properly filtered.

(cherry picked from commit 1eaefb6bc81052c5454d20333cbc32d1c1392ee1)
DeltaFile
+1-5src/opnsense/scripts/firmware/read.sh
+2-3src/opnsense/scripts/firmware/config.sh
+3-82 files

OPNSense/core 99ef568src/opnsense/mvc/app/library/OPNsense/Auth Radius.php, src/opnsense/scripts/captiveportal process_accounting_messages.php set_session_restrictions.py

captive portal: adjust accounting interval to Acct-Interim-Interval (#10474)

This changes the default interval to 600, which is the recommended
value according to RFC 2869.

(cherry picked from commit 1a50a7150f4ca570697d2c111e6658713181781b)
DeltaFile
+49-11src/opnsense/scripts/captiveportal/lib/db.py
+22-7src/opnsense/scripts/captiveportal/process_accounting_messages.php
+6-1src/opnsense/mvc/app/library/OPNsense/Auth/Radius.php
+2-1src/opnsense/scripts/captiveportal/set_session_restrictions.py
+2-0src/opnsense/scripts/captiveportal/sql/init.sql
+1-1src/opnsense/service/conf/actions.d/actions_captiveportal.conf
+82-211 files not shown
+83-217 files

OPNSense/core 9a911e5src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api SourceNatController.php, src/opnsense/mvc/app/views/OPNsense/Firewall nat_rule.volt

Firewall: NAT: Source NAT - constraint getAction to only general page and align setAction to do the same, closes https://github.com/opnsense/core/issues/10502

(cherry picked from commit 0b008892a6e4d8dd42528ede66a8c71126a90fc4)
DeltaFile
+14-1src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/SourceNatController.php
+1-1src/opnsense/mvc/app/views/OPNsense/Firewall/nat_rule.volt
+15-22 files

OPNSense/core 81bc8d1src/opnsense/mvc/app/views/layout_partials form_input_tr.volt, src/opnsense/www/js opnsense_ui.js

mvc: add file type to forms, including required javascript initialisation code.

File type input serializes offered payload in base64 and returns both the field and the filename of the offered file.
This easy to use wrapper can be used to upload files of reasonable size (a couple of megabytes max) via either a select file or drag and drop option.

Collected output exists of the offered <id> combined with a field named <id>__name which contains the offered filename

(cherry picked from commit 991e0c7164009a7dd05b1e04f8e3adf0eef335ba)
DeltaFile
+72-0src/opnsense/www/js/opnsense_ui.js
+16-2src/opnsense/mvc/app/views/layout_partials/form_input_tr.volt
+88-22 files

OPNSense/core 1eaefb6src/opnsense/scripts/firmware read.sh config.sh

firmware: cleansing using output_cmd is futile

Move the code back to where it was in early 26.1.  A number of
regressions could have been avoided.  The last straw was buffering
of "." characters for fetching.

The read-guard is still effective.  As it reads the file it does
not need to run unbuffered.  GUI reads are still properly filtered.
DeltaFile
+1-5src/opnsense/scripts/firmware/read.sh
+2-3src/opnsense/scripts/firmware/config.sh
+3-82 files

OPNSense/core 0b00889src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api SourceNatController.php, src/opnsense/mvc/app/views/OPNsense/Firewall nat_rule.volt

Firewall: NAT: Source NAT - constraint getAction to only general page and align setAction to do the same, closes https://github.com/opnsense/core/issues/10502
DeltaFile
+14-1src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/SourceNatController.php
+1-1src/opnsense/mvc/app/views/OPNsense/Firewall/nat_rule.volt
+15-22 files

OPNSense/core 1a50a71src/opnsense/mvc/app/library/OPNsense/Auth Radius.php, src/opnsense/scripts/captiveportal process_accounting_messages.php set_session_restrictions.py

captive portal: adjust accounting interval to Acct-Interim-Interval (#10474)

This changes the default interval to 600, which is the recommended
value according to RFC 2869.
DeltaFile
+49-11src/opnsense/scripts/captiveportal/lib/db.py
+22-7src/opnsense/scripts/captiveportal/process_accounting_messages.php
+6-1src/opnsense/mvc/app/library/OPNsense/Auth/Radius.php
+2-1src/opnsense/scripts/captiveportal/set_session_restrictions.py
+1-1src/opnsense/service/conf/actions.d/actions_captiveportal.conf
+2-0src/opnsense/scripts/captiveportal/sql/init.sql
+82-211 files not shown
+83-217 files

OPNSense/core e9dcc89src/opnsense/mvc/app/models/OPNsense/Monit Monit.xml

monit: fix mail-format and poll-time validation; closes #10498

(cherry picked from commit d930c0412d7e472b48e11c0c91cf73a3620067dd)
DeltaFile
+6-1src/opnsense/mvc/app/models/OPNsense/Monit/Monit.xml
+6-11 files

OPNSense/core f46f16bcontrib/IXR IXR_Library.php

contrib: Non-canonical cast (boolean) is deprecated, use the (bool) cast instead

(cherry picked from commit daf7b799fcfc0b98559cc2d28fdadd887de367d5)
DeltaFile
+1-1contrib/IXR/IXR_Library.php
+1-11 files

OPNSense/core d930c04src/opnsense/mvc/app/models/OPNsense/Monit Monit.xml

monit: fix mail-format and poll-time validation; closes #10498
DeltaFile
+6-1src/opnsense/mvc/app/models/OPNsense/Monit/Monit.xml
+6-11 files

OPNSense/core daf7b79contrib/IXR IXR_Library.php

contrib: Non-canonical cast (boolean) is deprecated, use the (bool) cast instead
DeltaFile
+1-1contrib/IXR/IXR_Library.php
+1-11 files

OPNSense/core 2eca14fsrc/opnsense/mvc/app/models/OPNsense/Core InitialSetup.php

wizard: annotate that gateways are cleared to prevent lingering misconfiguration #8976

The old code tried to update always based on the WAN_GW name, but there could
be associated side effects, see old code for comparison:

https://github.com/opnsense/core/blob/stable/25.1/src/wizard/system.xml#L603-L627
(cherry picked from commit f8eca8e751dae79fa79a99bd03dc97c0873ee3ca)
DeltaFile
+4-1src/opnsense/mvc/app/models/OPNsense/Core/InitialSetup.php
+4-11 files

OPNSense/core e62cf47src/etc/rc.d captiveportal, src/opnsense/mvc/app/library/OPNsense/Firewall Rule.php

src: two whitespace changes

(cherry picked from commit 8dfcd7f2623bc3aafc4bb66ef6f7994bb26d3a2a)
DeltaFile
+1-1src/etc/rc.d/captiveportal
+1-1src/opnsense/mvc/app/library/OPNsense/Firewall/Rule.php
+2-22 files

OPNSense/core e5f67f0src/www firewall_nat_out.php

firewall: remove info box for now

Outbound NAT wasn't deprecated yet, but may follow in 26.7.x.
DeltaFile
+0-7src/www/firewall_nat_out.php
+0-71 files

OPNSense/core 8dfcd7fsrc/etc/rc.d captiveportal, src/opnsense/mvc/app/library/OPNsense/Firewall Rule.php

src: two whitespace changes
DeltaFile
+1-1src/etc/rc.d/captiveportal
+1-1src/opnsense/mvc/app/library/OPNsense/Firewall/Rule.php
+2-22 files

OPNSense/core f8eca8esrc/opnsense/mvc/app/models/OPNsense/Core InitialSetup.php

wizard: annotate that gateways are cleared to prevent lingering misconfiguration #8976

The old code tried to update always based on the WAN_GW name, but there could
be associated side effects, see old code for comparison:

https://github.com/opnsense/core/blob/stable/25.1/src/wizard/system.xml#L603-L627
DeltaFile
+4-1src/opnsense/mvc/app/models/OPNsense/Core/InitialSetup.php
+4-11 files

OPNSense/core 0aa5d52src/etc opnsense-update.conf.in

firmware: allow upgrade to 26.7-RC1
DeltaFile
+3-0src/etc/opnsense-update.conf.in
+3-01 files

OPNSense/core 3ac491dsrc/opnsense/mvc/app/models/OPNsense/Base/Menu MenuItem.php, src/opnsense/mvc/app/models/OPNsense/Firewall/Menu Menu.xml Menu.php

ui: fix menu registration not setting "active"

It's a bit complicated: we need to ignore all invisible pages.
The menu registration isn't really a value that does something
but it successfully hides the registration from the menu code
rendering the active flag.

(cherry picked from commit 12af1e401ca949efc53e4424cc521cd71734bc10)
DeltaFile
+5-5src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml
+5-1src/opnsense/mvc/app/models/OPNsense/Base/Menu/MenuItem.php
+1-0src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.php
+11-63 files

OPNSense/core 374447c. plist, src/etc/inc filter.lib.inc

firewall: legacy rules pages move to plugin #9947

Keep the logic of the migration assistant but pivot to assuming
MVC rules are used by default and that menu registration hinges
on the fact that the firewall legacy plugin is installed.

(cherry picked from commit 7fa3deeb6d9ff6e165fe8f45f2681937d69cb4b3)
(cherry picked from commit a4995f6a812fea0061057e57c3a21a97d861edbf)
(cherry picked from commit 4f4bec5c88ce2063a64c2f2ecc52d3bc569a23bb)
(cherry picked from commit 9d8c183b2bcf3e51be09b8e172ce9472fb7aca0e)
(cherry picked from commit 1b45d2b89f97b61c30fd0226b14d4664ea60526e)
DeltaFile
+0-1,827src/www/firewall_rules_edit.php
+0-1,109src/www/firewall_rules.php
+11-7src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.php
+5-2src/etc/inc/filter.lib.inc
+1-1src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
+0-2plist
+17-2,9481 files not shown
+18-2,9497 files

OPNSense/core 20bb438src/opnsense/mvc/app/models/OPNsense/Unbound Unbound.xml

Services: Unbound DNS: Overrides - missing NetMaskAllowed=N on override address, closes https://github.com/opnsense/core/issues/10499

(cherry picked from commit 0633bfa54f7949fdac75d871fc915ed6ec6ad58e)
DeltaFile
+1-0src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
+1-01 files

OPNSense/core 0633bfasrc/opnsense/mvc/app/models/OPNsense/Unbound Unbound.xml

Services: Unbound DNS: Overrides - missing NetMaskAllowed=N on override address, closes https://github.com/opnsense/core/issues/10499
DeltaFile
+1-0src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
+1-01 files

OPNSense/core 991e0c7src/opnsense/mvc/app/views/layout_partials form_input_tr.volt, src/opnsense/www/js opnsense_ui.js

mvc: add file type to forms, including required javascript initialisation code.

File type input serializes offered payload in base64 and returns both the field and the filename of the offered file.
This easy to use wrapper can be used to upload files of reasonable size (a couple of megabytes max) via either a select file or drag and drop option.

Collected output exists of the offered <id> combined with a field named <id>__name which contains the offered filename
DeltaFile
+72-0src/opnsense/www/js/opnsense_ui.js
+16-2src/opnsense/mvc/app/views/layout_partials/form_input_tr.volt
+88-22 files

OPNSense/core d089c95src/opnsense/mvc/app/views/layout_partials form_input_tr.volt, src/opnsense/www/js opnsense_ui.js

mvc: add file type to forms, including required javascript initialisation code.

File type input serializes offered payload in base64 and returns both the field and the filename of the offered file.
This easy to use wrapper can be used to upload files of reasonable size (a couple of megabytes max) via either a select file or drag and drop option.

Collected output exists of the offered <id> combined with a field named <id>__name which contains the offered filename
DeltaFile
+72-0src/opnsense/www/js/opnsense_ui.js
+17-3src/opnsense/mvc/app/views/layout_partials/form_input_tr.volt
+89-32 files

OPNSense/core 7fa3deesrc/etc/inc filter.lib.inc

firewall: fix reference when plugin not installed #9947

Just hint at the migration assistant.  :)
DeltaFile
+5-2src/etc/inc/filter.lib.inc
+5-21 files

OPNSense/core 12af1e4src/opnsense/mvc/app/models/OPNsense/Base/Menu MenuItem.php, src/opnsense/mvc/app/models/OPNsense/Firewall/Menu Menu.xml Menu.php

ui: fix menu registration not setting "active"

It's a bit complicated: we need to ignore all invisible pages.
The menu registration isn't really a value that does something
but it successfully hides the registration from the menu code
rendering the active flag.
DeltaFile
+5-5src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml
+5-1src/opnsense/mvc/app/models/OPNsense/Base/Menu/MenuItem.php
+1-0src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.php
+11-63 files

OPNSense/core 4f4bec5src/opnsense/mvc/app/models/OPNsense/Core ACL.php

system: change comment to existing page
DeltaFile
+1-1src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
+1-11 files

OPNSense/core 1b45d2bsrc/opnsense/mvc/app/views/OPNsense/Firewall group.volt

Firewall: Group: change link to new firewall rules (#10497)
DeltaFile
+1-1src/opnsense/mvc/app/views/OPNsense/Firewall/group.volt
+1-11 files

OPNSense/core 9d8c183src/opnsense/mvc/app/models/OPNsense/Firewall/Menu Menu.php

firewall: change menu registration rules for legacy rules #9947

Keep the logic of the migration assistant but pivot to assuming
MVC rules are used by default and that menu registration hinges
on the fact that the firewall legacy plugin is installed.

Also patch outbound NAT file check although it's not needed yet
as we may want to move quicker in 26.7.x to depreate it.  Since
we already have a plugin we can easily move the files there in
a minor iteration.
DeltaFile
+11-7src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.php
+11-71 files