certctl: make it worse, but consistent. closes https://github.com/opnsense/core/issues/10450
This commit changes the default mode of "link" generation to files instead of symlinks, using -l we can still generate the links as before.
It also removes the preludes which explain the certificate type to the ordinary user (e.g. "GlobalSign Root...") and switches the default mode from 644 to 444.
We can expect this to be slightly slower than the previous version, but not a lot as we're only doing a full file compare for a limited set of items.
On my end this seems to satisfy the mtree compare.
Firewall: NAT: Source NAT: Add migration for Outbound NAT into Source NAT page (#10373)
Firewall: add Source NAT mode bridge and outbound NAT migration
Reflect legacy `nat.outbound.mode` into the Firewall MVC model as volatile
`general.snat_mode` and expose it in the new Source NAT view. Persist the value
back into the legacy configuration through `serializeToConfig()` using a scoped
general-section setter to avoid unrelated model validation.
Adjust the Source NAT grid output based on the selected mode. Automatic and
hybrid modes include synthetic automatic rule rows for display purposes, while
advanced mode only shows manual rules and disabled mode hides the grid.
Extend the migration assistant with an outbound NAT migration tab and add a
configd exporter for legacy `nat.outbound.rule` entries. Exported rows
use empty UUIDs so imports create fresh MVC rule identifiers.
Add missing Source NAT parity fields for `tag` and `nosync`, include them in
generated rows, and export them from legacy outbound NAT rules.
[24 lines not shown]
Firewall: NAT: download/upload rules as csv (#10371)
* Firewall: Turn downloadRules and uploadRules into a protected function inside FilterBaseController, implement it in Firewall rules and NAT pages
(cherry picked from commit 2680128a735d921616297539f59e5f33a2ff3c96)
Firewall: NAT: Add the same UI design to the NAT pages as the firewall page (#10359)
* Firewall: NAT: Add the same UI design to the NAT pages as the firewall page from 18533b4, but slightly adjusted as NAT rules do not have sort_order or priority groups, so all grouping happens either by category, or to a synthetic automatic category if the rules contain an is_automatic true boolean.
* Implement sort_order in DNAT controller so the same tree view logic as in firewall rules can be used, this eases maintenance
* Add sort order volatile fields to SourceNatRuleField shared by SNAT, ONAT and NPTv6 inside filter model.
* make sweep
* prio_group is static in NAT rules, so we can use it directly
* Add comment about prio_group inside filter_rule.volt
(cherry picked from commit fedc3e5c5f632cc123c3ecb0453c34566e8690e8)
webui/authentication flow - add "local_uri" type in SanitizeFilter() and use it in the authgui.inc flow to ease reuse later.
The new filter is a bit more strict than it used to be, but for good reasons, we likely need the same cleansing in a couple of other areas like https://github.com/opnsense/core/issues/10433
(cherry picked from commit be43690f7abaf6823a93d6e4f292095bc4e5d56c)
Interfaces/DHCP - Further tighten security for https://github.com/opnsense/core/security/advisories/GHSA-5rx3-w735-74wm
As advanced fields should always require high level access, we should prevent accidental mistakes from administrators allowing non-admins to change these items.
In the long run, we likely want to drop these options, but that requires at least bringing back some common options which we are able to validate properly.
(cherry picked from commit 28229ed22d4bdcff98cfa3baff2cf43391d69bb7)
widgets: enhance Live Log widget (#10086)
Uses client-side DOM for determining log endpoints, doesn't require any default target access, allows options for severity and search filter and variable log lines to show, which are displayed in summary in widget, and uses true log tailing plus backfill
---------
Co-authored-by: Stephan de Wit <stephan.de.wit at deciso.com>
(cherry picked from commit 956a256dbae339a893bc0001486122ce2a61565f)
firmware: fix small glitch that re-prompts for showing community plugins
It's already shown so no need to re-register.
(cherry picked from commit 9e1117e5242e9f0090f65ee0c99f25af69409bb4)
firewall: skip alias on rules GUI reload
Also align the alias load path in the controller with
how !skip_alias serializes the sequence after rules
reload inside filter_configure_sync().
Firewall: Rules: Improve interface filter logic to include floating rules with multiple interfaces when they overlap with at least one interface in the interface filter request (#10449)
* Firewall: Rules: Improve interface filter logic to include floating rules with multiple interfaces when they overlap with at least one interface in the interface filter request.
* Improve inverted interface condition, make it symmetric to positive interface match in final else condition
Firewall: Rules: Improve interface filter logic to include floating rules with multiple interfaces when they overlap with at least one interface in the interface filter request.
system: curl_close() is deprecated
This has been a no-op since 8.0.0, but deprecated since 8.5.0.
(cherry picked from commit 305741f06eeba35234a86a219194c24b3e3d8f4d)