webui: "non root" user mode. closes https://github.com/opnsense/core/issues/8521
Allow the webui to run as wwwonly and move related (temp) files to their own directories so we limit the choice of mangling rights.
When trying to transition back from wwwonly to root, require a file (/var/run/www_non_root) to be removed via the console as an extra barrier.
When captive portal is used, the api dispatcher is forced to use wwwonly in all situations as the number of endpoints used is small and easy to validate (no legacy impact)
webui: "non root" user mode. (https://github.com/opnsense/core/issues/8521)
Allow the webui to run as wwwonly and move related (temp) files to their own directories so we limit the choice of mangling rights.
When trying to transition back from wwwonly to root, require a file (/var/run/www_non_root) to be removed via the console as an extra barrier.
When captive portal is used, the api dispatcher is forced to use wwwonly in all situations as the number of endpoints used is small and easy to validate (no legacy impact)
dnsmasq: Add checkbox to dialogHostOverride that can set domains as local (#8730)
Couple it with the dhcp-range domain dataset to ensure a unique dataset for all local domains.
This enables users to set domains as local in classic host overrides, if they want dnsmasq to handle this domain exclusively.
This should give flexibility for almost all DNS forwarding scenarios, even if DHCP is not used at all.
dnsmasq: Allow either empty IP or empty hostname for dhcp-host entries. (#8713)
* dnsmasq: Allow either empty IP or empty hostname for dhcp-host entries.
* Simplify previous
* Update src/opnsense/service/templates/OPNsense/Dnsmasq/dnsmasq.conf
Co-authored-by: Ad Schellevis <AdSchellevis at users.noreply.github.com>
* Update src/opnsense/mvc/app/models/OPNsense/Dnsmasq/Dnsmasq.php
Co-authored-by: Ad Schellevis <AdSchellevis at users.noreply.github.com>
* Update src/opnsense/mvc/app/models/OPNsense/Dnsmasq/Dnsmasq.php
Co-authored-by: Ad Schellevis <AdSchellevis at users.noreply.github.com>
* dnsmasq: Use array_filter to remove empty strings, use else statement for host overrides
[5 lines not shown]
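As an added illustration of the two dnsmasq behaviours described in the commits above (host overrides flagged as local being merged with the dhcp-range domains into one unique set, and dhcp-host entries that may lack either the IP or the hostname), the following Python renders the relevant config lines from a small constructed dataset. This is example code written for this page, not OPNsense's own template or model; the record field names, the sample hosts and ranges, and the use of dnsmasq's `local=/domain/` directive to express "handle this domain exclusively" are assumptions.

```python
"""Render dnsmasq dhcp-host and local= lines from a host-override/dhcp-range
dataset. Added example, not OPNsense code; field names are assumed."""
from typing import Dict, List, Optional

# Constructed sample data (not taken from any real config.xml).
HOSTS: List[Dict[str, object]] = [
    # full reservation, and its domain is to be served locally
    {"hwaddr": "00:11:22:33:44:55", "ip": "192.168.1.10", "host": "printer",
     "domain": "lan", "local": True},
    # no IP address: hwaddr + hostname is still a valid dnsmasq dhcp-host
    {"hwaddr": "00:11:22:33:44:66", "ip": "", "host": "laptop",
     "domain": "", "local": False},
    # no hostname: hwaddr + IP is also valid
    {"hwaddr": "00:11:22:33:44:77", "ip": "192.168.1.12", "host": "",
     "domain": "", "local": False},
    # override whose domain should be local even though no dhcp-range uses it
    {"hwaddr": "00:11:22:33:44:88", "ip": "192.168.2.20", "host": "sensor",
     "domain": "iot.lan", "local": True},
]
DHCP_RANGES: List[Dict[str, str]] = [
    {"domain": "lan"}, {"domain": "guest.lan"}, {"domain": "lan"}, {"domain": ""},
]


def dhcp_host_line(h: Dict[str, object]) -> Optional[str]:
    """Build 'dhcp-host=<hwaddr>,<ip>,<hostname>' with empty fields dropped
    (the array_filter behaviour from the commit). Returns None when there is
    no hardware address, since an IP or hostname alone cannot be matched."""
    if not h["hwaddr"]:
        return None
    fields = [str(f) for f in (h["hwaddr"], h["ip"], h["host"]) if f]
    return "dhcp-host=" + ",".join(fields)


def local_domains(hosts: List[Dict[str, object]],
                  ranges: List[Dict[str, str]]) -> List[str]:
    """Unique, sorted set of domains dnsmasq must answer for itself:
    every non-empty dhcp-range domain plus every host override flagged local."""
    doms = {r["domain"] for r in ranges if r["domain"]}
    doms |= {str(h["domain"]) for h in hosts if h["local"] and h["domain"]}
    return sorted(doms)


def render(hosts: List[Dict[str, object]],
           ranges: List[Dict[str, str]]) -> str:
    """Full fragment: reservations first, then one local=/domain/ per domain."""
    lines = [ln for ln in (dhcp_host_line(h) for h in hosts) if ln]
    lines += ["local=/%s/" % d for d in local_domains(hosts, ranges)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(HOSTS, DHCP_RANGES))
```

Deduplicating through a set is what keeps a domain that appears in both a dhcp-range and a local host override from producing two `local=` lines; the empty-string filter is what lets a reservation with only a MAC and a hostname (or only a MAC and an IP) reach dnsmasq in the form it expects.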
Services: Dnsmasq DNS & DHCP - reload filter on service reload. closes https://github.com/opnsense/core/issues/8701
Add invokeFirewallReload() hook in ApiMutableServiceControllerBase similar to the interface registration one and start using it in dnsmasq.
dnsmasq: Add checkbox to hosts that can set domains as local. Couple it with the dhcp-range domain set to ensure a unique set for all local domains. This enables users to set domains as local in classic host overrides, if they want dnsmasq to handle this domain exclusively.
dnsmasq: Simplify controller, only track if IPv6 address exists before adding client_id to reservedKeys array. All hwaddr for IPv4 will be added regardless of whether an IPv4 address exists, this is also in line with the expectation that a host can be created that only has a mac address and hostname (and no IP address) which is also a valid combination in dnsmasq.
dnsmasq: Show a Search Reservation button for static leases that uses the built-in initialSearchPhrase capabilities of the bootgrid to search the hwaddr for ipv6 leases and duid for ipv6 leases. Fix the initial hash handling of the settings volt template.
dnsmasq: Add formatter for reservation row to improve UX. As just a boolean, it might indicate that a dynamic lease is bad, and a static lease is good. With this, we say static and dynamic literally, which creates less psychological stress.
dnsmasq: Improve logic to correctly track ipv6 and ipv6 reservations based on a combination of hwaddr and client_id with ip address family. Only pass either client_id or hwaddr in the link when creating a reservation based on same criteria. This ensures that in /most/ cases the frontend will show the correct information.
Firewall: Settings: Advanced / force gateway - Exclude interfaces with local links only when generating these rules, for https://github.com/opnsense/core/issues/8724
The intention of "force gateway" is to stick global address communication to the proper return path, but when there's no global address available, the generated rules may match traffic from other interfaces using the same link-local address.
Ideally, for ipv6, the "from" selector should match all addresses excluding link-local, but that would probably require a larger change (I couldn't find a simple alternative in pf.conf's manual) or installing additional non-quick rules matching the link-local space.
When there is a GUA, we have seen no issues with the current rule, which looks like:
pass out route-to ( pppoeX xxx:xxx:xxx::x) from {(pppoeX)} to {!(pppoeX:network)} keep state allow-opts label "" # let out anything from firewall host itself (force gw)
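As an added example of the generation logic the commit above describes (emit the "force gateway" rule only for interfaces that hold a non-link-local address, so a rule on an interface with just fe80:: cannot catch traffic from other interfaces sharing that address space), the following Python builds the rule shown above from a constructed interface/gateway table. This is illustrative code written for this page, not OPNsense's filter generator; the interface names, addresses, gateways and the dictionary layout are assumptions, and the rule text follows the one quoted in the commit.

```python
"""Emit pf 'force gateway' rules, skipping interfaces whose only addresses
are link-local. Added example, not OPNsense code; sample data is constructed."""
import ipaddress
from typing import Dict, List

# Constructed sample: interface -> configured addresses (CIDR notation).
IFACES: Dict[str, List[str]] = {
    "pppoe0": ["2001:db8:1::2/64", "fe80::1/64"],   # has a GUA: rule wanted
    "vtnet1": ["fe80::2/64"],                       # link-local only: skip
    "vtnet2": ["192.0.2.5/24", "fe80::3/64"],       # IPv4 global only
    "vtnet3": ["169.254.10.1/16"],                  # IPv4 link-local only: skip
}
# Constructed sample: interface -> gateway address to route-to.
GATEWAYS: Dict[str, str] = {
    "pppoe0": "2001:db8:1::1",
    "vtnet1": "fe80::ffff",
    "vtnet2": "192.0.2.1",
    "vtnet3": "169.254.10.254",
}

RULE = ('pass out route-to ( {ifn} {gw} ) from {{({ifn})}} to {{!({ifn}:network)}} '
        'keep state allow-opts label "" '
        '# let out anything from firewall host itself (force gw)')


def has_non_link_local(addrs: List[str], family: int) -> bool:
    """True when the interface holds at least one address of the given family
    that is not link-local (fe80::/10 for IPv6, 169.254/16 for IPv4)."""
    for cidr in addrs:
        ip = ipaddress.ip_interface(cidr).ip
        if ip.version != family or ip.is_link_local:
            continue
        return True
    return False


def force_gw_rules(ifaces: Dict[str, List[str]], gateways: Dict[str, str],
                   family: int = 6) -> List[str]:
    """One rule per interface that has a gateway of this family and at least
    one usable (non-link-local) address of that family."""
    rules = []
    for ifn, addrs in ifaces.items():
        gw = gateways.get(ifn)
        if gw is None or ipaddress.ip_address(gw).version != family:
            continue
        if not has_non_link_local(addrs, family):
            continue  # link-local only: rule would match foreign traffic
        rules.append(RULE.format(ifn=ifn, gw=gw))
    return rules


if __name__ == "__main__":
    for fam in (6, 4):
        for rule in force_gw_rules(IFACES, GATEWAYS, fam):
            print(rule)
```

The check is deliberately on the interface's own addresses rather than on the gateway: an interface can have a perfectly valid link-local gateway (common on PPPoE and RA-driven WANs) while still lacking the global address that makes the `from {(ifX)}` selector safe.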
dnsmasq: Extend get_dnsmasq_leases.py, implement argparse to either return all leases, or a single lease, and allow the same to delete a single lease, or all leases.