OPNSense/core 0b2b6f1 src/opnsense/mvc/app/library/OPNsense/Firewall Util.php, src/opnsense/mvc/app/models/OPNsense/Kea KeaDhcpv4.php KeaDhcpv6.php

firewall: make getRealInterface() a static utility function #10251

Align implementation with get_real_interface() except that we shall
not give a fallback of $device = $interface since we want better
integrity in MVC code (and don't deal with devices in configuration
data there).
Delta File
+47 -0 src/opnsense/mvc/app/library/OPNsense/Firewall/Util.php
+2 -33 src/opnsense/mvc/app/models/OPNsense/Routing/Gateways.php
+4 -7 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.php
+4 -7 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.php
+57 -47 4 files

OPNSense/core 402c47e src/opnsense/mvc/app/controllers/OPNsense/Kea/forms dialogSubnet6.xml dialogSubnet4.xml

Services: Kea: DDNS: Fix whitespace in b684f28 (#10257)
Delta File
+9 -9 src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/dialogSubnet6.xml
+8 -8 src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/dialogSubnet4.xml
+17 -17 2 files

OPNSense/core 406c44a src/opnsense/mvc/app/controllers/OPNsense/Kea/forms dialogSubnet6.xml dialogSubnet4.xml

Services: Kea: DDNS: Fix whitespace in b684f28
Delta File
+9 -9 src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/dialogSubnet6.xml
+8 -8 src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/dialogSubnet4.xml
+17 -17 2 files

OPNSense/core b684f28 src/opnsense/mvc/app/controllers/OPNsense/Kea/forms dialogSubnet6.xml dialogSubnet4.xml, src/opnsense/mvc/app/models/OPNsense/Kea KeaDhcpv4.xml KeaDhcpv6.xml

Services: Kea DHCPv4/v6: DDNS add ddns-conflict-resolution-mode per subnet (#10222)

---------

Co-authored-by: root <root at yeahhhhhhhhh.maison.be>
Co-authored-by: Monviech <79600909+Monviech at users.noreply.github.com>
Delta File
+10 -0 src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/dialogSubnet6.xml
+10 -0 src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/dialogSubnet4.xml
+8 -0 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.xml
+8 -0 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.xml
+3 -0 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.php
+3 -0 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.php
+42 -0 6 files

OPNSense/core 1bf1c69 src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/Api ServiceController.php

Captive Portal: reload ipfw on captive portal reconfigure (#10253)
Delta File
+19 -0 src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/Api/ServiceController.php
+19 -0 1 files

OPNSense/core 4ffef23 src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/Api ServiceController.php

stray newline
Delta File
+0 -1 src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/Api/ServiceController.php
+0 -1 1 files

OPNSense/core dfa1039 src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/Api ServiceController.php

Captive Portal: reload ipfw on captive portal reconfigure
Delta File
+20 -0 src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/Api/ServiceController.php
+20 -0 1 files

OPNSense/core 13464f1 src/opnsense/mvc/app/controllers/OPNsense/Kea/forms dialogSubnet6.xml dialogPDPool6.xml, src/opnsense/mvc/app/views/OPNsense/Kea dhcpv6.volt

Add grid formatter to mark values as dynamic if they are in a dynamic subnet
Delta File
+18 -6 src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/dialogSubnet6.xml
+18 -2 src/opnsense/mvc/app/views/OPNsense/Kea/dhcpv6.volt
+6 -0 src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/dialogPDPool6.xml
+42 -8 3 files

OPNSense/core 41d9295 src/opnsense/mvc/app/controllers/OPNsense/Kea/forms dialogPDPool6.xml dialogSubnet6.xml, src/opnsense/mvc/app/models/OPNsense/Kea KeaDhcpv6.php

Hide fields used for static prefix configuration if the subnet and pd_pool are dynamic.
Delta File
+25 -1 src/opnsense/mvc/app/views/OPNsense/Kea/dhcpv6.volt
+2 -0 src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/dialogPDPool6.xml
+2 -0 src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/dialogSubnet6.xml
+1 -1 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.php
+30 -2 4 files

OPNSense/core 4ae16bc src/etc/inc/plugins.inc.d captiveportal.inc

Captive Portal: remove redirection on HTTPS, ditch non-functional pass statement as well

In theory, clients only use HTTP to detect the presence of a portal.
If they were to use HTTPS, the 302 redirect would in most cases
not be accessible, as the certificate presented is most likely not
valid, cutting off the communication before any redirect to a login
page can happen.

The portal itself can and should remain accessible on HTTPS, as this
is the URL the redirect is pointing to. This may be attached to a
valid certificate as well, but the key point is that access to
this URL doesn't strictly need redirection for everything on port
443.

This should prevent clients opening bogus connections to the
captive portal, which consumes a lot of TLS traffic on the network
stack, bogging down lighttpd in bigger setups and creating
a lot of established states in pf.
Delta File
+46 -47 src/etc/inc/plugins.inc.d/captiveportal.inc
+46 -47 1 files

OPNSense/core 6e10711 src/opnsense/mvc/app/models/OPNsense/Firewall Filter.xml Filter.php

firewall: fix NPTv6 validation; closes #10242
Delta File
+12 -0 src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+1 -3 src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+13 -3 2 files

OPNSense/core 315d8ca src/opnsense/mvc/app/models/OPNsense/Kea KeaDhcpv6.php

Add comment about possible overlap between identity association and prefix delegation. Cannot be cleanly solved, and if somebody doesn't use identity association in interface configurations it does not make sense to arbitrarily reduce the size here.
Delta File
+4 -0 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.php
+4 -0 1 files

OPNSense/core 082ee3d src/opnsense/mvc/app/models/OPNsense/Kea KeaDhcpv6.php

Fix typo in previous
Delta File
+1 -1 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.php
+1 -1 1 files

OPNSense/core baafa85 src/opnsense/mvc/app/models/OPNsense/Kea KeaDhcpv6.php

Remove config instantiation inside loops
Delta File
+2 -3 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.php
+2 -3 1 files

OPNSense/core 7ec936a src/opnsense/mvc/app/models/OPNsense/Kea KeaDhcpv6.php

Make prefix pool validation stricter, if only a /64 prefix exists there is nothing we can do if we offer both IA_NA and IA_PD, at least /63 would be required for one IA_NA and one IA_PD pool.
Delta File
+13 -3 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.php
+13 -3 1 files

OPNSense/core e911328 src/opnsense/mvc/app/models/OPNsense/Kea KeaDhcpv6.php KeaDhcpv6.xml

Add an MVP for the dynamic pd_pool, the pool is auto generated from the largest possible prefix that does not include the IA_NA generated address pool. Validation ensures the user can only change the delegated prefix length, but not anything about the pool itself. KEA is very strict about validations, auto generation is required here to ensure the model stays sane.
Delta File
+73 -5 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.php
+0 -2 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.xml
+73 -7 2 files

OPNSense/core 94835a9 src/opnsense/mvc/app/controllers/OPNsense/Trust/Api CertController.php

System: Trust: Certificates - link CA references after all changes, closes https://github.com/opnsense/core/issues/9357
Delta File
+2 -1 src/opnsense/mvc/app/controllers/OPNsense/Trust/Api/CertController.php
+2 -1 1 files

OPNSense/core 0064a48 src/opnsense/mvc/app/models/OPNsense/Kea KeaDhcpv6.xml

Since the prefix_source is verbatim to a subnet, we only allow its usage once per unique constraint
Delta File
+8 -1 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.xml
+8 -1 1 files

OPNSense/core 21fa7c6 src/opnsense/mvc/app/models/OPNsense/Kea KeaDhcpv6.php KeaDhcpv6.xml

Add validations that disallow users to configure subnet value, pool value and reservations for a dynamic prefix subnet. The subnet must be empty since it is auto configured, the pool is auto configured as ::1000-::2000 and seeded with initial prefix, reservations cannot be created because that would blow up as there is no concept like partial IPv6 addresses in KEA. We always want to bootstrap KEA with an initial working configuration.
Delta File
+58 -11 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.php
+6 -3 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.xml
+64 -14 2 files

OPNSense/core 1eb6293 src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes JsonField.php

System: Access: Users - missing base64_decode in JsonField leading to validation failures, closes https://github.com/opnsense/core/issues/10248

(cherry picked from commit b94cad4d724e4cb194508000dba2c0c4555604fe)
Delta File
+1 -1 src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/JsonField.php
+1 -1 1 files

OPNSense/core 299d73b src/opnsense/mvc/app/controllers/OPNsense/Routing/Api GroupSettingsController.php

move this
Delta File
+8 -9 src/opnsense/mvc/app/controllers/OPNsense/Routing/Api/GroupSettingsController.php
+8 -9 1 files

OPNSense/core b98bb93 src/opnsense/mvc/app/controllers/OPNsense/Routing/Api GroupSettingsController.php

use xpath to determine uses
Delta File
+22 -3 src/opnsense/mvc/app/controllers/OPNsense/Routing/Api/GroupSettingsController.php
+22 -3 1 files

OPNSense/core 150a4cc src/opnsense/mvc/app/models/OPNsense/Routing GatewayGroups.php

update function docs here
Delta File
+1 -1 src/opnsense/mvc/app/models/OPNsense/Routing/GatewayGroups.php
+1 -1 1 files

OPNSense/core 4c09144 src/opnsense/mvc/app/models/OPNsense/Routing GatewayGroups.php, src/opnsense/scripts/routes gateway_watcher.php

Gateway Groups: typo and lazy-load model in gateway watcher
Delta File
+4 -2 src/opnsense/scripts/routes/gateway_watcher.php
+1 -1 src/opnsense/mvc/app/models/OPNsense/Routing/GatewayGroups.php
+5 -3 2 files

OPNSense/core 4b7d2ca src/opnsense/mvc/app/controllers/OPNsense/Routing/Api GroupSettingsController.php, src/opnsense/mvc/app/controllers/OPNsense/Routing/forms dialogEditGatewayGroup.xml

gateway groups: prepare controller logic, add missing lock on delete
Delta File
+23 -0 src/opnsense/mvc/app/controllers/OPNsense/Routing/forms/dialogEditGatewayGroup.xml
+18 -1 src/opnsense/mvc/app/controllers/OPNsense/Routing/Api/GroupSettingsController.php
+41 -1 2 files

OPNSense/core 835e717 src/opnsense/scripts/routes gateways.php

remove line
Delta File
+0 -1 src/opnsense/scripts/routes/gateways.php
+0 -1 1 files

OPNSense/core 78fb962 . plist, src/www system_gateway_groups_edit.php system_gateway_groups.php

remove legacy pages
Delta File
+0 -288 src/www/system_gateway_groups_edit.php
+0 -221 src/www/system_gateway_groups.php
+0 -2 plist
+0 -511 3 files

OPNSense/core 1be335a src/opnsense/mvc/app/controllers/OPNsense/Routes/Api GatewayController.php, src/opnsense/mvc/app/controllers/OPNsense/Routing/Api SettingsController.php

gateways: do a bit of refactoring in the regular gateway controller and backend call to ease parsing for the group settings
Delta File
+7 -7 src/opnsense/mvc/app/controllers/OPNsense/Routing/Api/SettingsController.php
+1 -1 src/opnsense/scripts/routes/gateway_status.php
+1 -0 src/opnsense/mvc/app/controllers/OPNsense/Routes/Api/GatewayController.php
+9 -8 3 files

OPNSense/core 408233f src/opnsense/mvc/app/controllers/OPNsense/Routing GatewayGroupsController.php, src/opnsense/mvc/app/controllers/OPNsense/Routing/forms dialogEditGatewayGroup.xml

Gateway Groups: MVC conversion: review feedback and add UI
Delta File
+55 -0 src/opnsense/mvc/app/controllers/OPNsense/Routing/forms/dialogEditGatewayGroup.xml
+46 -0 src/opnsense/mvc/app/views/OPNsense/Routing/groups.volt
+41 -0 src/opnsense/mvc/app/controllers/OPNsense/Routing/GatewayGroupsController.php
+28 -13 src/opnsense/mvc/app/models/OPNsense/Routing/GatewayGroups.php
+2 -7 src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml
+1 -4 src/opnsense/mvc/app/models/OPNsense/Core/Menu/Menu.xml
+173 -24 2 files not shown
+179 -24 8 files

OPNSense/core 2f23070 src/opnsense/mvc/app/controllers/OPNsense/Routing/Api GroupSettingsController.php, src/opnsense/mvc/app/models/OPNsense/Routing GatewayGroups.php GatewayGroups.xml

tmp
Delta File
+62 -0 src/opnsense/mvc/app/controllers/OPNsense/Routing/Api/GroupSettingsController.php
+11 -30 src/opnsense/mvc/app/models/OPNsense/Routing/GatewayGroups.php
+14 -7 src/opnsense/mvc/app/models/OPNsense/Routing/FieldTypes/GatewayGroupItemField.php
+15 -5 src/opnsense/mvc/app/models/OPNsense/Routing/GatewayGroups.xml
+2 -2 src/opnsense/scripts/monit/gateway_alert.php
+1 -2 src/opnsense/scripts/routes/gateways.php
+105 -46 1 files not shown
+106 -47 7 files