interfaces: prepare for #7647 by clustering the id-assoc blocks
This way we can retroactively render the full sections in the configuration.
Some research still needed for how dhcp6c tracks these numbers (also across
interfaces worst case).
The old $id logic with the increment doesn't make much sense at first glance
given the example config in the ticket.
security/wazuh-agent: Fix active response duplicate key causing false aborts (#5104)
When multiple IPs trigger the same rule simultaneously, they were
sharing the same check_keys value (only rule ID), causing the manager
to abort all but the first execution.
Changed the key to include both rule_id and srcip to make it unique
per source IP, allowing multiple simultaneous blocks while still
preventing duplicate blocks of the same IP.
Fixes #4738
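As an added illustration of the key change described in this commit (example code, not wazuh-agent's own implementation), the simulation below runs the same batch of constructed alerts through a dispatcher that aborts any execution whose key is already running, first with the old rule-only key and then with the rule_id plus srcip key. Alert fields, IP addresses and the dispatcher itself are assumptions made for the example.

```python
"""Added example: how the active-response dedup key decides which blocks survive.

Not wazuh-agent code. The dispatcher mimics a manager that aborts an execution
whenever another execution with the same check_keys value is still running.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Alert:
    rule_id: str
    srcip: str


def key_rule_only(alert: Alert) -> str:
    """Old behaviour: every alert for a rule shares one key."""
    return alert.rule_id


def key_rule_and_srcip(alert: Alert) -> str:
    """Fixed behaviour: one key per (rule, source IP) pair."""
    return f"{alert.rule_id}-{alert.srcip}"


class ActiveResponseDispatcher:
    """Simplified model of the manager's duplicate-execution check."""

    def __init__(self, key_fn: Callable[[Alert], str]):
        self.key_fn = key_fn
        self.running: set = set()
        self.executed: List[Alert] = []
        self.aborted: List[Alert] = []

    def handle(self, alert: Alert) -> bool:
        key = self.key_fn(alert)
        if key in self.running:
            # same key already executing: abort this one
            self.aborted.append(alert)
            return False
        self.running.add(key)
        self.executed.append(alert)
        return True


def run_scenario(key_fn: Callable[[Alert], str]) -> Tuple[List[str], List[str]]:
    """Feed a constructed burst of alerts and return (executed IPs, aborted IPs)."""
    # Constructed sample: three hosts trip the same rule at once, then one of
    # them trips it a second time (the genuine duplicate we want dropped).
    burst = [
        Alert("5712", "203.0.113.10"),
        Alert("5712", "203.0.113.20"),
        Alert("5712", "203.0.113.30"),
        Alert("5712", "203.0.113.10"),
    ]
    dispatcher = ActiveResponseDispatcher(key_fn)
    for alert in burst:
        dispatcher.handle(alert)
    return ([a.srcip for a in dispatcher.executed],
            [a.srcip for a in dispatcher.aborted])


if __name__ == "__main__":
    print("rule-only key:      ", run_scenario(key_rule_only))
    print("rule+srcip key:     ", run_scenario(key_rule_and_srcip))
```

With the rule-only key, only the first host is blocked and the other two are silently aborted as if they were duplicates; with the composite key all three hosts are blocked and only the repeated alert from the first host is aborted.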
interfaces: defer manual rtsold script execution; closes #9564
The 10-second default comes from the ticket that showed a 5-second delay.
Ideally a few seconds would be better but in order to be on the safe side
10 seconds is also okay. In most cases we do not need the manual execution
and it would disrupt the already acquired prefix use.
Services: Intrusion Detection - hook "divert-to" into our new firewall ui.
Currently we only support a single divert-to target, but if we would like to integrate with other services in the future, it's practical to be able to offer a list of them.
list_divert_sockets.php acts as a stepping stone for this purpose and for now just returns a static list of one (8000 -> idps).
Services: Intrusion Detection - refactor pcap/netmap selection to "Capture mode" and add new "divert" option.
With divert we can integrate suricata in firewall rules, which makes it easier to bypass large flows.
This change requires the new SO_REUSEPORT_LB option in the kernel in order to distribute traffic over multiple workers.
rtsold: check RA lifetime before triggering the one-shot always script
Historic context: rtsold is used by *sense to get a router address which
wasn't originally the daemon's purpose. We only ever get the first address
per interface lifetime so if the RA contains an invalid router with a zero
lifetime and we catch it we cannot get a valid one ever again.
This is suboptimal in a number of ways, but the obvious way to deal with
this is to ignore all RA messages from routers that do not advertise a
default route.
PR: https://github.com/opnsense/core/issues/9551
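The check this commit describes, a Router Advertisement from a router with a zero Router Lifetime should not be treated as a usable default router (RFC 4861, section 4.2), can be demonstrated with a small RA parser. The following is an added example, not rtsold or OPNsense code: it decodes the fixed 16-byte RA header and the option TLVs, and the decision function returns False for RAs that advertise no default route or that are malformed. The packet builder and the link-layer address are constructed for the example; the ICMPv6 checksum is left at zero because no pseudo-header is available offline.

```python
"""Added example: ignore RAs whose Router Lifetime is zero.

Not rtsold code. Parses an ICMPv6 Router Advertisement (RFC 4861 4.2) and
decides whether it should be allowed to trigger a one-shot script.
"""
import struct
from typing import Dict, List, Tuple

ND_ROUTER_ADVERT = 134
# type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
RA_HEADER = struct.Struct("!BBHBBHII")


def parse_ra(pkt: bytes) -> Dict:
    """Decode an RA header and its options; raise ValueError on anything malformed."""
    if len(pkt) < RA_HEADER.size:
        raise ValueError("truncated RA header")
    typ, code, _cksum, hop, flags, lifetime, reachable, retrans = RA_HEADER.unpack_from(pkt)
    if typ != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")

    options: List[Tuple[int, bytes]] = []
    off = RA_HEADER.size
    while off < len(pkt):
        if len(pkt) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            # RFC 4861 4.6: a zero-length option means the packet must be discarded
            raise ValueError("zero-length option")
        total = olen * 8  # option length is in units of 8 octets, header included
        if off + total > len(pkt):
            raise ValueError("option runs past end of packet")
        options.append((otype, pkt[off + 2:off + total]))
        off += total

    return {
        "hop_limit": hop,
        "managed": bool(flags & 0x80),   # M flag
        "other": bool(flags & 0x40),     # O flag
        "router_lifetime": lifetime,     # seconds; 0 means "not a default router"
        "reachable_time": reachable,
        "retrans_timer": retrans,
        "options": options,
    }


def should_run_script(pkt: bytes) -> bool:
    """Only RAs that advertise a default route (lifetime > 0) may trigger the script."""
    try:
        ra = parse_ra(pkt)
    except ValueError:
        return False
    return ra["router_lifetime"] > 0


def build_ra(router_lifetime: int, options: bytes = b"") -> bytes:
    """Constructed RA for testing: hop limit 64, O flag set, checksum left at 0."""
    return RA_HEADER.pack(ND_ROUTER_ADVERT, 0, 0, 64, 0x40, router_lifetime, 0, 0) + options


# Constructed Source Link-Layer Address option (type 1, length 1 = 8 octets).
SLLA_OPT = bytes([1, 1]) + bytes.fromhex("0200deadbeef")

if __name__ == "__main__":
    for lifetime in (0, 1800):
        print(f"router lifetime {lifetime:>4}: run script = {should_run_script(build_ra(lifetime, SLLA_OPT))}")
```

The filter is deliberately placed before any script execution: once the one-shot script has fired on a lifetime-zero RA the interface would be stuck with a non-default router, which is exactly the failure mode the commit addresses.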
VPN: OpenVPN: Client Export - add "lazy loading" model support on Trust\Cert type and skip dynamic content when loading the model in our export. closes https://github.com/opnsense/core/pull/9552
Firewall: Rules [new]: Add multiselect icmp6type options (#9547)
* Firewall: Rules [new]: Add multiselect icmp6type options
* These should not be ignored in the grid.
* Firewall: Rules [new] - Add multiselect icmp6type options (minor cleanups)
Use icmpv6 parameter codes as defined in https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml#icmpv6-parameters-codes-8
---------
Co-authored-by: Ad Schellevis <ad at opnsense.org>