Firewall: NAT: Source NAT: Allow empty target which means interface address (#10441)
* Firewall: NAT: Source NAT: Empty target means interface address, allow it in the model and add hints, fix legacy outbound rules exporter as well
* Firewall: NAT: Source NAT: Target cannot be any, pf refuses to load that
firewall: unify group names
The defaults in GroupField are still a bit weird as we are showing them
even though their mandatory path is from *_interfaces() plugin registration.
If we need the value 10 we should make it the implicit default and also
add the default to the group interface registration (or not at all).
GroupField could read them correctly from config.xml...
PR: https://www.reddit.com/r/opnsense/comments/1ucvh2y/is_there_a_way_to_change_the_openvpn_group/
mvc: give throwReadOnly() a sibling named throwNotFullAdmin() which validates if a user has full access rights and can be treated as "provides safe input".
Although there aren't a lot of cases where user input can't be validated strictly enough, there are still one or two edge cases which offer some sort of "advanced" input which we currently wouldn't accept and are thus hard to change for historic reasons. The most prominent one is Monit, which allows local commands being executed.
throwNotFullAdmin simply raises an exception and bails before persisting changes to the configuration, which can be set on a per action or controller (internalSaveRequiresAdmin).
rc: work around zpool-imporit disappearing devices nodes briefly
Observed this on 15.1 with the importer step of the installer not
seeing /dev/ada0p3 and opening the wrong one /dev/ada0p1 instead.
The issue wasn't the scripting but the fact that ada0p3 was briefly
unavailable. This was an full UFS system, no ZFS pools installed.
webui/authentication flow - add "local_uri" type in SanitizeFilter() and use it in the authgui.inc flow to ease reuse later.
The new filter is a bit more strict than it used to be, but for good reasons, we likely need the same cleansing in a couple of other areas like https://github.com/opnsense/core/issues/10433
mvc: guard BaseField::setNodes() against a list given for a scalar leaf (#10434)
setNodes() rejects a non-array given for a container node, but the leaf branch passed any value straight to setValue(). Posting a JSON array for a scalar/AsList field therefore reached field setters that assume a string, e.g. NetworkField::setValue() does strtolower() on it. producing a fatal "TypeError: strtolower(): array given" and an uncontrolled 500.
Mirror the container guard: throw an Exception so a mis-typed request yields a controlled error with a message for the log instead of a crash.
installer: fix "stty size" returning "0 0"
This breaks the keymap selection (and possibly more), but the fix
seems easy. Some sort of ordering change with shells and login
profiles makes this not work for us on 15.x anymore but it's easy
enough to enforce via the installer launcher.
Firewall: Rules: Remove safepoint actions (#10411)
* Remove safepoint actions, no callers should be left
* Remove rollback_cancel.php and rollback_timer.php and their configd actions
system: change the services widget to a flat tile layout
Make the names of the services shown a bit shorter. The colors
are debatable but they are matchin what alerts are using in
bootstrap.
system: deriving $_SERVER['argv'] from the query string is deprecated
Only used by Nginx plugin and probably able to simplify there. It's
a bit strange in this case. Allegedly the variable has no effect on
CLI applications.
routing: fix HTTP 500 when deleting a non-existent gateway (#10429)
delGatewayAction() dereferenced the result of getNodeByReference() without a null check, so an unknown uuid reached "(string)$gateway->name" on null and raised an error, which the API renders as HTTP 500 ("Unexpected error, check log for details").
Guard the lookup and return the already-initialised {"result":"failed"} instead, matching the inherited del* verbs and the adjacent toggleGatewayAction(), which already null-check getNodeByReference().
