OPNSense/core 6f3b49f src/etc/inc/plugins.inc.d pf.inc

Firewall: NAT: Source NAT: skip rendering rules when mode is not advanced (manual) or hybrid (#10472)

(cherry picked from commit aa2a54a5a8a9988b7a63e6ccef18ab01a4777a83)
Delta File
+7 -2 src/etc/inc/plugins.inc.d/pf.inc
+7 -2 1 files

OPNSense/core aa2a54a src/etc/inc/plugins.inc.d pf.inc

Firewall: NAT: Source NAT: skip rendering rules when mode is not advanced (manual) or hybrid (#10472)
Delta File
+7 -2 src/etc/inc/plugins.inc.d/pf.inc
+7 -2 1 files

OPNSense/core 41c83c0 src/opnsense/mvc/app/controllers/OPNsense/Unbound/Api OverviewController.php, src/opnsense/mvc/app/views/OPNsense/Unbound overview.volt

unbound: change layout to better fit generic styling

Also fix a PHP 8.5 issue while here.
Delta File
+9 -6 src/opnsense/mvc/app/views/OPNsense/Unbound/overview.volt
+2 -6 src/opnsense/www/css/dns-overview.css
+1 -1 src/opnsense/mvc/app/controllers/OPNsense/Unbound/Api/OverviewController.php
+12 -13 3 files

OPNSense/core de5bd5d src/opnsense/scripts/captiveportal allow.py

captive portal: pass in ip_address as a set for accounting

(cherry picked from commit d42916446419ab995a33d42480d1761bc6894f78)
Delta File
+1 -1 src/opnsense/scripts/captiveportal/allow.py
+1 -1 1 files

OPNSense/core 3370618 src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms dialogSNatRule.xml, src/opnsense/mvc/app/models/OPNsense/Firewall Filter.php Filter.xml

Firewall: NAT: Source NAT: Allow empty target which means interface address (#10441)

* Firewall: NAT: Source NAT: Empty target means interface address, allow it in the model and add hints, fix legacy outbound rules exporter as well

* Firewall: NAT: Source NAT: Target cannot be any, pf refuses to load that

(cherry picked from commit 08447de57ee17bc70737e2155a56bc292f92904d)
Delta File
+2 -5 src/opnsense/scripts/filter/list_legacy_outbound_nat.php
+6 -0 src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+5 -0 src/opnsense/mvc/app/views/OPNsense/Firewall/nat_rule.volt
+1 -4 src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+1 -1 src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogSNatRule.xml
+15 -10 5 files

OPNSense/core bcbebe1 src/opnsense/mvc/app/views/OPNsense/Firewall nat_rule.volt

Firewall: NAT: apply same bucket logic as filter_rule.volt

It's the same logic with slight adjustments as the NAT pages don't
require interface/group selection.

Ref: https://github.com/opnsense/core/commit/6402be8a5420f26192474f01af552b6617421513
(cherry picked from commit b3387a6ece5fd3090af11120a2f175cc5e555636)
Delta File
+163 -86 src/opnsense/mvc/app/views/OPNsense/Firewall/nat_rule.volt
+163 -86 1 files

OPNSense/core d0150bb src/opnsense/mvc/app/views/OPNsense/Firewall nat_rule.volt

Firewall: NAT: Source NAT: Hide command footer if snat_mode is automatic. (#10391)

(cherry picked from commit 4434a8e44deda97e9f601b44a9615266fcf5b2a9)
Delta File
+8 -1 src/opnsense/mvc/app/views/OPNsense/Firewall/nat_rule.volt
+8 -1 1 files

OPNSense/core c7c6b06 src/opnsense/mvc/app/views/OPNsense/Firewall nat_rule.volt

Firewall: NAT: Destination NAT: Display effective port when local-port is omitted (#10237)

(cherry picked from commit 9a702a6a6aaa597e4f8e464b43311ca23e630a3c)
Delta File
+5 -3 src/opnsense/mvc/app/views/OPNsense/Firewall/nat_rule.volt
+5 -3 1 files

OPNSense/core 4b86d4e src/opnsense/mvc/app/controllers/OPNsense/Hostdiscovery SettingsController.php, src/opnsense/mvc/app/views/OPNsense/Hostdiscovery settings.volt

Interfaces: Neighbors: Automatic Discovery - properly format api times to ISO format and convert timezone part in the view consistent with how datetime is currently formatted. closes https://github.com/opnsense/core/issues/10467

(cherry picked from commit 85f9680611ae60a9a9b38934b20e0283f1567bbf)
Delta File
+10 -0 src/opnsense/www/js/opnsense_bootgrid.js
+7 -0 src/opnsense/mvc/app/controllers/OPNsense/Hostdiscovery/SettingsController.php
+2 -2 src/opnsense/scripts/interfaces/list_hosts.py
+1 -1 src/opnsense/mvc/app/views/OPNsense/Hostdiscovery/settings.volt
+20 -3 4 files

OPNSense/core 4ac6873 . plist, src/opnsense/mvc/app/controllers/OPNsense/Kea/Api LeasesController.php

Kea: Add widget to show Kea DHCPv4 and DHCPv6 leases (#10380)

(cherry picked from commit 8f29999eb849406b933b198d8d16bb783456401e)
(cherry picked from commit e5762de47753da92da8c64d84aa5d3903b55d5e0)
(cherry picked from commit 7ccf782160ef5af99b9ee9c19a7697d18bf06b0f)
Delta File
+176 -0 src/opnsense/www/js/widgets/KeaLeases.js
+31 -20 src/opnsense/mvc/app/controllers/OPNsense/Kea/Api/LeasesController.php
+18 -0 src/opnsense/www/js/widgets/Metadata/Core.xml
+1 -0 src/opnsense/mvc/app/views/OPNsense/Kea/leases4.volt
+1 -0 plist
+1 -0 src/opnsense/mvc/app/views/OPNsense/Kea/leases6.volt
+228 -20 6 files

OPNSense/core b27e17a src/www firewall_nat_out.php

firewall: banner not for stable
Delta File
+0 -7 src/www/firewall_nat_out.php
+0 -7 1 files

OPNSense/core 7746519 src/etc/inc/plugins.inc.d pf.inc

Firewall: NAT: Source NAT: skip rendering rules when mode is not advanced (manual) or hybrid
Delta File
+7 -2 src/etc/inc/plugins.inc.d/pf.inc
+7 -2 1 files

OPNSense/core 283ce70 src/opnsense/mvc/app/controllers/OPNsense/Base ApiControllerBase.php

firewall: fix issue with fputcsv() since PHP 8.4 (part 2)

PR: https://forum.opnsense.org/index.php?topic=52219.0
Delta File
+2 -2 src/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php
+2 -2 1 files

OPNSense/core 85f9680 src/opnsense/mvc/app/controllers/OPNsense/Hostdiscovery SettingsController.php, src/opnsense/mvc/app/views/OPNsense/Hostdiscovery settings.volt

Interfaces: Neighbors: Automatic Discovery - properly format api times to ISO format and convert timezone part in the view consistent with how datetime is currently formatted. closes https://github.com/opnsense/core/issues/10467
Delta File
+10 -0 src/opnsense/www/js/opnsense_bootgrid.js
+7 -0 src/opnsense/mvc/app/controllers/OPNsense/Hostdiscovery/SettingsController.php
+2 -2 src/opnsense/scripts/interfaces/list_hosts.py
+1 -1 src/opnsense/mvc/app/views/OPNsense/Hostdiscovery/settings.volt
+20 -3 4 files

OPNSense/core fbbc4ad src/opnsense/scripts/system certctl.py

certctl: make it worse, but consistent. closes https://github.com/opnsense/core/issues/10450

This commit changes the default mode of "link" generation to files instead of symlinks, using -l we can still generate the links as before.
It also removes the preludes which explain the certificate type to the ordinary user (e.g. "GlobalSign Root...") and switches the default mode from 644 to 444.

We can expect this to be slightly slower than the previous version, but not a lot as we're only doing a full file compare for a limited set of items.

On my end this seems to satisfy the mtree compare.
Delta File
+32 -12 src/opnsense/scripts/system/certctl.py
+32 -12 1 files

OPNSense/core cd46d8b src/opnsense/scripts/suricata/metadata/rules opnsense.xml

suricata: rule package rename (#10466)
Delta File
+1 -1 src/opnsense/scripts/suricata/metadata/rules/opnsense.xml
+1 -1 1 files

OPNSense/core 5716c71 src/opnsense/mvc/app/controllers/OPNsense/Base ApiControllerBase.php

firewall: fix issue with fputcsv() since PHP 8.4

PR: https://forum.opnsense.org/index.php?topic=52219.0
Delta File
+2 -2 src/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php
+2 -2 1 files

OPNSense/core 10a4bda src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api SourceNatController.php, src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes SNatModeField.php

Firewall: NAT: Source NAT: Add migration for Outbound NAT into Source NAT page (#10373)

Firewall: add Source NAT mode bridge and outbound NAT migration

Reflect legacy `nat.outbound.mode` into the Firewall MVC model as volatile
`general.snat_mode` and expose it in the new Source NAT view. Persist the value
back into the legacy configuration through `serializeToConfig()` using a scoped
general-section setter to avoid unrelated model validation.

Adjust the Source NAT grid output based on the selected mode. Automatic and
hybrid modes include synthetic automatic rule rows for display purposes, while
advanced mode only shows manual rules and disabled mode hides the grid.

Extend the migration assistant with an outbound NAT migration tab and add a
configd exporter for legacy `nat.outbound.rule` entries. Exported rows
use empty UUIDs so imports create fresh MVC rule identifiers.

Add missing Source NAT parity fields for `tag` and `nosync`, include them in
generated rows, and export them from legacy outbound NAT rules.

    [24 lines not shown]
Delta File
+169 -10 src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/SourceNatController.php
+115 -26 src/opnsense/mvc/app/views/OPNsense/Firewall/firewall_migration.volt
+134 -0 src/opnsense/scripts/filter/list_legacy_outbound_nat.php
+56 -3 src/opnsense/mvc/app/views/OPNsense/Firewall/nat_rule.volt
+56 -0 src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SNatModeField.php
+20 -3 src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.php
+550 -42 16 files not shown
+687 -101 22 files

OPNSense/core 9e0ed66 src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api FilterBaseController.php FilterController.php, src/opnsense/mvc/app/views/OPNsense/Firewall nat_rule.volt

Firewall: NAT: download/upload rules as csv (#10371)

* Firewall: Turn downloadRules and uploadRules into a protected function inside FilterBaseController, implement it in Firewall rules and NAT pages

(cherry picked from commit 2680128a735d921616297539f59e5f33a2ff3c96)
Delta File
+106 -0 src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterBaseController.php
+3 -64 src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
+27 -0 src/opnsense/mvc/app/views/OPNsense/Firewall/nat_rule.volt
+10 -0 src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/SourceNatController.php
+10 -0 src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/DNatController.php
+10 -0 src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/NptController.php
+166 -64 1 files not shown
+176 -64 7 files

OPNSense/core e98b35a src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api DNatController.php, src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms dialogDNatRule.xml dialogNptRule.xml

Firewall: NAT: Add the same UI design to the NAT pages as the firewall page (#10359)

* Firewall: NAT: Add the same UI design to the NAT pages as the firewall page from 18533b4, but slightly adjusted as NAT rules do not have sort_order or priority groups, so all grouping happens either by category, or to a synthetic automatic category if the rules contain an is_automatic true boolean.

* Implement sort_order in DNAT controller so the same tree view logic as in firewall rules can be used, this eases maintenance

* Add sort order volatile fields to SourceNatRuleField shared by SNAT, ONAT and NPTv6 inside filter model.

* make sweep

* prio_group is static in NAT rules, so we can use it directly

* Add comment about prio_group inside filter_rule.volt

(cherry picked from commit fedc3e5c5f632cc123c3ecb0453c34566e8690e8)
Delta File
+118 -40 src/opnsense/mvc/app/views/OPNsense/Firewall/nat_rule.volt
+15 -0 src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php
+11 -1 src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogDNatRule.xml
+10 -1 src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/DNatController.php
+10 -1 src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml
+10 -1 src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogOneToOneRule.xml
+174 -44 3 files not shown
+192 -45 9 files

OPNSense/core 4e3cebf src/opnsense/mvc/app/library/OPNsense/Core SanitizeFilter.php, src/www authgui.inc

webui/authentication flow - add "local_uri" type in SanitizeFilter() and use it in the authgui.inc flow to ease reuse later.

The new filter is a bit more strict than it used to be, but for good reasons, we likely need the same cleansing in a couple of other areas like https://github.com/opnsense/core/issues/10433

(cherry picked from commit be43690f7abaf6823a93d6e4f292095bc4e5d56c)
Delta File
+25 -1 src/opnsense/mvc/app/library/OPNsense/Core/SanitizeFilter.php
+7 -11 src/www/authgui.inc
+32 -12 2 files

OPNSense/core e48c9a2 src/www interfaces.php

Interfaces/DHCP - Further tighten security for https://github.com/opnsense/core/security/advisories/GHSA-5rx3-w735-74wm

As advanced fields should always require high level access, we should prevent accidental mistakes from administrators allowing non-admins from changing these items.
In the long run, we likely want to drop these options, but that requires at least bringing back some common options which we are able to validate properly.

(cherry picked from commit 28229ed22d4bdcff98cfa3baff2cf43391d69bb7)
Delta File
+7 -1 src/www/interfaces.php
+7 -1 1 files

OPNSense/core b0ace3f contrib/IXR IXR_Library.php, src/opnsense/scripts/interfaces traffic_stats.php

src: non-canonical cast (double) is deprecated

(cherry picked from commit c00711e5950df4ce7c7d28e97566048e191ef6e1)
(cherry picked from commit 18b7cdb445ffa3b8370833fe18369a378c74dbef)
Delta File
+2 -2 contrib/IXR/IXR_Library.php
+2 -2 src/opnsense/scripts/interfaces/traffic_stats.php
+4 -4 2 files

OPNSense/core 12f10fc src/opnsense/www/js opnsense.js

ui: add generic escaping function

(cherry picked from commit e272c8e19ffbdb181e0375ea4cce34f1444ae21d)
Delta File
+15 -0 src/opnsense/www/js/opnsense.js
+15 -0 1 files

OPNSense/core 06a32ba contrib/parallel-lint/src Manager.php

contrib: another implicit null

(cherry picked from commit 041ab30a685d1bfe4b84f2b09226eca054c39b23)
Delta File
+1 -1 contrib/parallel-lint/src/Manager.php
+1 -1 1 files

OPNSense/core 10a3591 Scripts dashboard-acl.sh, src/opnsense/www/js/widgets/Metadata Core.xml

dashboard: skip acl check when requested (#10405)

(cherry picked from commit c1013498c26bfcef665b747dfa51383e93772a7d)
(cherry picked from commit fcacf66e12fa27c041eed85d328201303da13519)
Delta File
+20 -12 Scripts/dashboard-acl.sh
+4 -0 src/opnsense/www/js/widgets/Metadata/Core.xml
+24 -12 2 files

OPNSense/core cb72a1f src/opnsense/mvc/app/controllers/OPNsense/Diagnostics/Api LogController.php, src/opnsense/www/js opnsense_widget_manager.js

widgets: enhance Live Log widget (#10086)

Uses client-side DOM for determining log endpoints, doesn't require any default target access, allows options for severity and search filter and variable log lines to show, which are displayed in summary in widget, and uses true log tailing plus backfill

---------

Co-authored-by: Stephan de Wit <stephan.de.wit at deciso.com>
(cherry picked from commit 956a256dbae339a893bc0001486122ce2a61565f)
Delta File
+213 -30 src/opnsense/www/js/widgets/LiveLog.js
+20 -5 src/opnsense/www/js/widgets/Metadata/Core.xml
+12 -0 src/opnsense/www/js/opnsense_widget_manager.js
+2 -1 src/opnsense/mvc/app/controllers/OPNsense/Diagnostics/Api/LogController.php
+247 -36 4 files

OPNSense/core 61bed40 src/opnsense/mvc/app/views/OPNsense/Core firmware.volt

firmware: fix small glitch that re-prompts for showing community plugins

It's already shown so no need to re-register.

(cherry picked from commit 9e1117e5242e9f0090f65ee0c99f25af69409bb4)
Delta File
+1 -1 src/opnsense/mvc/app/views/OPNsense/Core/firmware.volt
+1 -1 1 files

OPNSense/core 9e1117e src/opnsense/mvc/app/views/OPNsense/Core firmware.volt

firmware: fix small glitch that re-prompts for showing community plugins

It's already shown so no need to re-register.
Delta File
+1 -1 src/opnsense/mvc/app/views/OPNsense/Core/firmware.volt
+1 -1 1 files

OPNSense/core d429164 src/opnsense/scripts/captiveportal allow.py

captive portal: pass in ip_address as a set for accounting
Delta File
+1 -1 src/opnsense/scripts/captiveportal/allow.py
+1 -1 1 files