webui/authentication flow - add "local_uri" type in SanitizeFilter() and use it in the authgui.inc flow to ease reuse later.
The new filter is a bit more strict than it used to be, but for good reasons; we likely need the same cleansing in a couple of other areas, like https://github.com/opnsense/core/issues/10433
(cherry picked from commit be43690f7abaf6823a93d6e4f292095bc4e5d56c)
Interfaces/DHCP - Further tighten security for https://github.com/opnsense/core/security/advisories/GHSA-5rx3-w735-74wm
As advanced fields should always require high-level access, we should prevent accidental mistakes by administrators allowing non-admins to change these items.
In the long run, we likely want to drop these options, but that requires at least bringing back some common options which we are able to validate properly.
(cherry picked from commit 28229ed22d4bdcff98cfa3baff2cf43391d69bb7)
widgets: enhance Live Log widget (#10086)
Uses client-side DOM for determining log endpoints, doesn't require any default target access, allows options for severity and search filter and variable log lines to show, which are displayed in summary in widget, and uses true log tailing plus backfill
---------
Co-authored-by: Stephan de Wit <stephan.de.wit at deciso.com>
(cherry picked from commit 956a256dbae339a893bc0001486122ce2a61565f)
firmware: fix small glitch that re-prompts for showing community plugins
It's already shown so no need to re-register.
(cherry picked from commit 9e1117e5242e9f0090f65ee0c99f25af69409bb4)
firewall: skip alias on rules GUI reload
Also align the alias load path in the controller with
how !skip_alias serializes the sequence after rules
reload inside filter_configure_sync().
Firewall: Rules: Improve interface filter logic to include floating rules with multiple interfaces when they overlap with at least one interface in the interface filter request (#10449)
* Firewall: Rules: Improve interface filter logic to include floating rules with multiple interfaces when they overlap with at least one interface in the interface filter request.
* Improve inverted interface condition, make it symmetric to positive interface match in final else condition
Firewall: Rules: Improve interface filter logic to include floating rules with multiple interfaces when they overlap with at least one interface in the interface filter request.
system: curl_close() is deprecated
This has been a no-op since 8.0.0, but deprecated since 8.5.0.
(cherry picked from commit 305741f06eeba35234a86a219194c24b3e3d8f4d)
Firewall: NAT: Source NAT: Allow empty target which means interface address (#10441)
* Firewall: NAT: Source NAT: Empty target means interface address, allow it in the model and add hints, fix legacy outbound rules exporter as well
* Firewall: NAT: Source NAT: Target cannot be any, pf refuses to load that