Merge branch 'opnsense:master' into wireguard-mtu-mss

8 months ago · efbf982e03
parent 07cf0eea64 f3b42ec79e
commit efbf982e03
14 changed files with 298 additions and 22 deletions
--- a/source/CE_releases.rst
+++ b/source/CE_releases.rst
@ -8,7 +8,7 @@ Community Edition
    :width: 600px
    :align: center

-As of January 2015 there have been *263* releases leading to the latest version *23.7.3*
+As of January 2015 there have been *265* releases leading to the latest version *23.7.5*
 named "Restless Roadrunner".


--- a/source/development/api/core/dhcpv4.rst
+++ b/source/development/api/core/dhcpv4.rst
@ -0,0 +1,19 @@
+Dhcpv4
+~~~~~~
+
+.. csv-table:: Resources (LeasesController.php)
+   :header: "Method", "Module", "Controller", "Command", "Parameters"
+   :widths: 4, 15, 15, 30, 40
+
+    "``POST``","dhcpv4","leases","delLease","$ip"
+    "``GET``","dhcpv4","leases","searchLease",""
+
+.. csv-table:: Service (ServiceController.php)
+   :header: "Method", "Module", "Controller", "Command", "Parameters"
+   :widths: 4, 15, 15, 30, 40
+
+    "``POST``","dhcpv4","service","reconfigure",""
+    "``POST``","dhcpv4","service","restart",""
+    "``POST``","dhcpv4","service","start",""
+    "``GET``","dhcpv4","service","status",""
+    "``POST``","dhcpv4","service","stop",""
--- a/source/development/api/core/dhcpv6.rst
+++ b/source/development/api/core/dhcpv6.rst
@ -0,0 +1,20 @@
+Dhcpv6
+~~~~~~
+
+.. csv-table:: Resources (LeasesController.php)
+   :header: "Method", "Module", "Controller", "Command", "Parameters"
+   :widths: 4, 15, 15, 30, 40
+
+    "``POST``","dhcpv6","leases","delLease","$ip"
+    "``GET``","dhcpv6","leases","searchLease",""
+    "``GET``","dhcpv6","leases","searchPrefix",""
+
+.. csv-table:: Service (ServiceController.php)
+   :header: "Method", "Module", "Controller", "Command", "Parameters"
+   :widths: 4, 15, 15, 30, 40
+
+    "``POST``","dhcpv6","service","reconfigure",""
+    "``POST``","dhcpv6","service","restart",""
+    "``POST``","dhcpv6","service","start",""
+    "``GET``","dhcpv6","service","status",""
+    "``POST``","dhcpv6","service","stop",""
--- a/source/development/api/core/interfaces.rst
+++ b/source/development/api/core/interfaces.rst
@ -1,6 +1,21 @@
 Interfaces
 ~~~~~~~~~~

+.. csv-table:: Resources (LaggSettingsController.php)
+   :header: "Method", "Module", "Controller", "Command", "Parameters"
+   :widths: 4, 15, 15, 30, 40
+
+    "``POST``","interfaces","lagg_settings","addItem",""
+    "``POST``","interfaces","lagg_settings","delItem","$uuid"
+    "``GET``","interfaces","lagg_settings","get",""
+    "``GET``","interfaces","lagg_settings","getItem","$uuid=null"
+    "``POST``","interfaces","lagg_settings","reconfigure",""
+    "``*``","interfaces","lagg_settings","searchItem",""
+    "``POST``","interfaces","lagg_settings","set",""
+    "``POST``","interfaces","lagg_settings","setItem","$uuid"
+
+    "``<<uses>>``", "", "", "", "*model* `Lagg.xml <https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/models/OPNsense/Interfaces/Lagg.xml>`__"
+
 .. csv-table:: Resources (LoopbackSettingsController.php)
   :header: "Method", "Module", "Controller", "Command", "Parameters"
   :widths: 4, 15, 15, 30, 40
--- a/source/development/api/core/openvpn.rst
+++ b/source/development/api/core/openvpn.rst
@ -34,7 +34,7 @@ Openvpn
    "``POST``","openvpn","instances","add",""
    "``POST``","openvpn","instances","addStaticKey",""
    "``POST``","openvpn","instances","del","$uuid"
-    "``GET``","openvpn","instances","delStaticKey","$uuid"
+    "``POST``","openvpn","instances","delStaticKey","$uuid"
    "``GET``","openvpn","instances","genKey",""
    "``GET``","openvpn","instances","get","$uuid=null"
    "``GET``","openvpn","instances","get",""
--- a/source/development/api/core/unbound.rst
+++ b/source/development/api/core/unbound.rst
@ -16,7 +16,7 @@ Unbound
   :header: "Method", "Module", "Controller", "Command", "Parameters"
   :widths: 4, 15, 15, 30, 40

-    "``GET``","unbound","overview","Rolling","$timeperiod,$clients=false"
+    "``GET``","unbound","overview","Rolling","$timeperiod,$clients='0'"
    "``GET``","unbound","overview","isBlockListEnabled",""
    "``GET``","unbound","overview","isEnabled",""
    "``GET``","unbound","overview","searchQueries",""
--- a/source/development/api/plugins/quagga.rst
+++ b/source/development/api/plugins/quagga.rst
@ -62,31 +62,22 @@ Quagga
    "``GET``","quagga","diagnostics","bfdcounters",""
    "``GET``","quagga","diagnostics","bfdneighbors",""
    "``GET``","quagga","diagnostics","bfdsummary",""
-    "``GET``","quagga","diagnostics","bgpneighbors","$format=""json"""
-    "``GET``","quagga","diagnostics","bgproute","$format=""json"""
-    "``GET``","quagga","diagnostics","bgproute4","$format=""json"""
-    "``GET``","quagga","diagnostics","bgproute6","$format=""json"""
-    "``GET``","quagga","diagnostics","bgpsummary","$format=""json"""
-    "``GET``","quagga","diagnostics","generalroute","$format=""json"""
-    "``GET``","quagga","diagnostics","generalroute4","$format=""json"""
-    "``GET``","quagga","diagnostics","generalroute6","$format=""json"""
+    "``GET``","quagga","diagnostics","bgpneighbors",""
+    "``GET``","quagga","diagnostics","bgpsummary",""
    "``GET``","quagga","diagnostics","generalrunningconfig",""
-    "``GET``","quagga","diagnostics","ospfdatabase","$format=""json"""
-    "``GET``","quagga","diagnostics","ospfinterface","$format=""json"""
-    "``GET``","quagga","diagnostics","ospfneighbor","$format=""json"""
-    "``GET``","quagga","diagnostics","ospfoverview","$format=""json"""
-    "``GET``","quagga","diagnostics","ospfroute","$format=""json"""
-    "``GET``","quagga","diagnostics","ospfv3database","$format=""json"""
-    "``GET``","quagga","diagnostics","ospfv3interface","$format=""json"""
-    "``GET``","quagga","diagnostics","ospfv3neighbor","$format=""json"""
-    "``GET``","quagga","diagnostics","ospfv3overview","$format=""json"""
-    "``GET``","quagga","diagnostics","ospfv3route","$format=""json"""
+    "``GET``","quagga","diagnostics","ospfdatabase",""
+    "``GET``","quagga","diagnostics","ospfinterface",""
+    "``GET``","quagga","diagnostics","ospfoverview",""
+    "``GET``","quagga","diagnostics","ospfv3interface",""
+    "``GET``","quagga","diagnostics","ospfv3overview",""
    "``GET``","quagga","diagnostics","searchBgproute4",""
    "``GET``","quagga","diagnostics","searchBgproute6",""
    "``GET``","quagga","diagnostics","searchGeneralroute4",""
    "``GET``","quagga","diagnostics","searchGeneralroute6",""
    "``GET``","quagga","diagnostics","searchOspfneighbor",""
    "``GET``","quagga","diagnostics","searchOspfroute",""
+    "``GET``","quagga","diagnostics","searchOspfv3database",""
+    "``GET``","quagga","diagnostics","searchOspfv3route","$format=""json"""

 .. csv-table:: Resources (GeneralController.php)
   :header: "Method", "Module", "Controller", "Command", "Parameters"
--- a/source/development/api/plugins/wazuhagent.rst
+++ b/source/development/api/plugins/wazuhagent.rst
@ -0,0 +1,23 @@
+Wazuhagent
+~~~~~~~~~~
+
+.. csv-table:: Service (ServiceController.php)
+   :header: "Method", "Module", "Controller", "Command", "Parameters"
+   :widths: 4, 15, 15, 30, 40
+
+    "``POST``","wazuhagent","service","reconfigure",""
+    "``POST``","wazuhagent","service","restart",""
+    "``POST``","wazuhagent","service","start",""
+    "``GET``","wazuhagent","service","status",""
+    "``POST``","wazuhagent","service","stop",""
+
+    "``<<uses>>``", "", "", "", "*model* `WazuhAgent.xml <https://github.com/opnsense/plugins/blob/master/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml>`__"
+
+.. csv-table:: Service (SettingsController.php)
+   :header: "Method", "Module", "Controller", "Command", "Parameters"
+   :widths: 4, 15, 15, 30, 40
+
+    "``GET``","wazuhagent","settings","get",""
+    "``POST``","wazuhagent","settings","set",""
+
+    "``<<uses>>``", "", "", "", "*model* `WazuhAgent.xml <https://github.com/opnsense/plugins/blob/master/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml>`__"
--- a/source/development/api/plugins/wireguard.rst
+++ b/source/development/api/plugins/wireguard.rst
@ -1,6 +1,60 @@
 Wireguard
 ~~~~~~~~~

+.. csv-table:: Resources (ClientController.php)
+   :header: "Method", "Module", "Controller", "Command", "Parameters"
+   :widths: 4, 15, 15, 30, 40
+
+    "``POST``","wireguard","client","addClient",""
+    "``POST``","wireguard","client","delClient","$uuid"
+    "``GET``","wireguard","client","get",""
+    "``GET``","wireguard","client","getClient","$uuid=null"
+    "``*``","wireguard","client","searchClient",""
+    "``POST``","wireguard","client","set",""
+    "``POST``","wireguard","client","setClient","$uuid"
+    "``POST``","wireguard","client","toggleClient","$uuid"
+
+    "``<<uses>>``", "", "", "", "*model* `Client.xml <https://github.com/opnsense/plugins/blob/master/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml>`__"
+
+.. csv-table:: Service (GeneralController.php)
+   :header: "Method", "Module", "Controller", "Command", "Parameters"
+   :widths: 4, 15, 15, 30, 40
+
+    "``GET``","wireguard","general","get",""
+    "``GET``","wireguard","general","getStatus",""
+    "``POST``","wireguard","general","set",""
+
+    "``<<uses>>``", "", "", "", "*model* `General.xml <https://github.com/opnsense/plugins/blob/master/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.xml>`__"
+
+.. csv-table:: Resources (ServerController.php)
+   :header: "Method", "Module", "Controller", "Command", "Parameters"
+   :widths: 4, 15, 15, 30, 40
+
+    "``POST``","wireguard","server","addServer","$uuid=null"
+    "``POST``","wireguard","server","delServer","$uuid"
+    "``GET``","wireguard","server","get",""
+    "``GET``","wireguard","server","getServer","$uuid=null"
+    "``*``","wireguard","server","searchServer",""
+    "``POST``","wireguard","server","set",""
+    "``POST``","wireguard","server","setServer","$uuid=null"
+    "``POST``","wireguard","server","toggleServer","$uuid"
+
+    "``<<uses>>``", "", "", "", "*model* `Server.xml <https://github.com/opnsense/plugins/blob/master/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml>`__"
+
+.. csv-table:: Service (ServiceController.php)
+   :header: "Method", "Module", "Controller", "Command", "Parameters"
+   :widths: 4, 15, 15, 30, 40
+
+    "``POST``","wireguard","service","reconfigure",""
+    "``POST``","wireguard","service","restart",""
+    "``GET``","wireguard","service","showconf",""
+    "``GET``","wireguard","service","showhandshake",""
+    "``POST``","wireguard","service","start",""
+    "``GET``","wireguard","service","status",""
+    "``POST``","wireguard","service","stop",""
+
+    "``<<uses>>``", "", "", "", "*model* `General.xml <https://github.com/opnsense/plugins/blob/master/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.xml>`__"
+
 .. csv-table:: Resources (ClientController.php)
   :header: "Method", "Module", "Controller", "Command", "Parameters"
   :widths: 4, 15, 15, 30, 40
@ -34,6 +88,7 @@ Wireguard
    "``POST``","wireguard","server","delServer","$uuid"
    "``GET``","wireguard","server","get",""
    "``GET``","wireguard","server","getServer","$uuid=null"
+    "``GET``","wireguard","server","keyPair",""
    "``*``","wireguard","server","searchServer",""
    "``POST``","wireguard","server","set",""
    "``POST``","wireguard","server","setServer","$uuid=null"
@ -45,8 +100,10 @@ Wireguard
   :header: "Method", "Module", "Controller", "Command", "Parameters"
   :widths: 4, 15, 15, 30, 40

+    "``POST``","wireguard","service","reconfigure",""
    "``POST``","wireguard","service","reconfigure",""
    "``POST``","wireguard","service","restart",""
+    "``GET``","wireguard","service","show",""
    "``GET``","wireguard","service","showconf",""
    "``GET``","wireguard","service","showhandshake",""
    "``POST``","wireguard","service","start",""
--- a/source/manual/backups.rst
+++ b/source/manual/backups.rst
@ -66,5 +66,5 @@ versions of your settings.

 .. Tip::

-    You can specify the number of backups to keep in this menu, which can be quite practical when a higher level of
+    You can specify the number of backups to keep in the backups menu, which can be quite practical when a higher level of
    auditability is required.
--- a/source/manual/how-tos/user-ldap.rst
+++ b/source/manual/how-tos/user-ldap.rst
@ -52,6 +52,7 @@ Enter the following information:
 **User naming attribute**        samAccountName           *Auto filled in based upon Initial Template*
 **Read properties**                                       *Fetch account details after successful login*
 **Synchronize groups**                                    *Enable to Synchronize groups, requires the option above*
+ **Constraint groups**                                     *Only consider groups inside the Authentication containers*
 **Limit groups**                                          *Select list of groups that may be considered during sync**
 **Automatic user creation**                               *When groups are automatically synchronized,
                                                           this offers the ability to automatically create the
--- a/source/releases/BE_23.4.rst
+++ b/source/releases/BE_23.4.rst
@ -110,6 +110,11 @@ Here are the full patch notes:
 * ports: strongswan upstream fix for VICI stalls `[18] <https://github.com/opnsense/core/issues/6308>`__ 
 * ports: suricata 6.0.13 `[19] <https://suricata.io/2023/06/15/suricata-6-0-13-released/>`__ 

+A hotfix release was issued as 23.4.2_1:
+
+* system: fix data cleansing issue in "column_count" and "sequence" values on dashboard
+* ports: krb5 1.21.2 `[8] <https://web.mit.edu/kerberos/krb5-1.21/>`__ 
+* ports: python 3.9.18 `[20] <https://docs.python.org/release/3.9.18/whatsnew/changelog.html>`__ 


 --------------------------------------------------------------------------
--- a/source/releases/CE_23.1.rst
+++ b/source/releases/CE_23.1.rst
@ -71,6 +71,10 @@ A hotfix release was issued as 23.1.11_1:
 * firmware: enable upgrade path to 23.7
 * ports: openssh 9.3p2 `[5] <https://www.openssh.com/txt/release-9.3p2>`__ 

+A hotfix release was issued as 23.1.11_2:
+
+* unbound: enable migration of Unbound DNS reports
+


 --------------------------------------------------------------------------
--- a/source/releases/CE_23.7.rst
+++ b/source/releases/CE_23.7.rst
@ -26,6 +26,147 @@ can be found below as well.
 * Full mirror list: https://opnsense.org/download/


+--------------------------------------------------------------------------
+23.7.5 (September 26, 2023)
+--------------------------------------------------------------------------
+
+
+Today introduces a change in MTU handling for parent interfaces mostly
+noticed by PPPoE use where the respective MTU values need to fit the
+parent plus the additional header of the VLAN or PPPoE.  Should the
+MTU already be misconfigured to a smaller value it will be used as
+configured so check your configuration and clear the MTU value if you
+want the system to decide about the effective parent MTU size.
+
+Another change in far gateway handling is also included which prevents
+a monitoring failure if that particular gateway was not being designated
+as default during boot which made the routing table miss the essential
+interface route and monitoring would always report it as down.  Now the
+interface route is ensured but not only when applying the default gateway
+so that it works all the time.
+
+Also fixed was the problematic migration of the Unbound interfaces settings
+which now clears the possibly unknown interfaces in order to proceed and
+have Unbound up and running post update which was not the case for some
+users previously.
+
+Other reliability improvements and third party security updates are
+included as well.  We also continue our effort to clean up the interface
+handling code and audit the MVC model files for consistency.  A missing
+change for out of the box DS-Lite support is also being tested on the
+development version now and will likely hit in 23.7.6.
+
+Here are the full patch notes:
+
+* system: pluginctl: allow -f mode to drop config properties
+* system: switch to /usr/sbin/nologin as authoritative command location
+* system: remove remaining spurious ifconfig data pass to Gateways class
+* system: fix data cleansing issue in "column_count" and "sequence" values on dashboard
+* system: start gateway monitors after firewall rules are in place (contributed by Daggolin)
+* system: refactor far gateway handling out of default route handling
+* interfaces: use interfaces_restart_by_device() where appropriate
+* interfaces: allow get_interface_ipv6() to return in all three IPv6 variants
+* interfaces: add GRE/GIF/bridge/wlan return values
+* interfaces: signal wlan device creation success/failure
+* interfaces: update link functions for GIF/GRE
+* interfaces: remove the ancient OpenVPN-tap-on-a-bridge magic on IPv4 reload
+* interfaces: update read-only bridge member code
+* interfaces: redirect after successful interface add
+* interfaces: add interface return feature for use on bridges/assignment page
+* interfaces: VIP model style update
+* interfaces: implement interface_configure_mtu()
+* firewall: fix cleanup issue when renaming an alias
+* dhcp: make dhcrelay code use the Gateways class
+* ipsec: add local_port and remote_port to connections (contributed by Monviech)
+* openvpn: force instance interface down before handing it over to daemon
+* openvpn: add missing up and down scripts to instances (contributed by Daggolin)
+* unbound: properly set a default value for private address configuration
+* unbound: allow disabled interfaces in interface field
+* unbound: migrate active/outgoing interfaces discarding invalid values
+* unbound: UX improvements on several pages
+* unbound: update model
+* mvc: update diagnostics models
+* mvc: add isLinkLocal()
+* interfaces: allow clean MVC access to primary IPv4 address (pluginctl -4 mode)
+* plugins: os-upnp replaces calls to obsolete get_interface_ip()
+* plugins: os-rfc2136 replaces calls to obsolete get_interface_ip[v6]()
+* plugins: os-sunnyvalley 1.3 changes repository URL (contributed by Sunnyvalley)
+* plugins: os-tinc adds missing subnet-down script (contributed by andrewhotlab)
+* ports: curl 8.3.0 `[1] <https://curl.se/changes.html#8_3_0>`__ 
+* ports: nss 3.93 `[2] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_93.html>`__ 
+* ports: openssl 1.1.1w `[3] <https://www.openssl.org/news/openssl-1.1.1-notes.html>`__ 
+* ports: phalcon 5.3.1 `[4] <https://github.com/phalcon/cphalcon/releases/tag/v5.3.1>`__ 
+* ports: phpseclib 3.0.23 `[5] <https://github.com/phpseclib/phpseclib/releases/tag/3.0.23>`__ 
+* ports: sqlite 3.43.1 `[6] <https://sqlite.org/releaselog/3_43_1.html>`__ 
+* ports: suricata 6.0.14 `[7] <https://suricata.io/2023/09/14/suricata-6-0-14-released/>`__ 
+
+
+
+--------------------------------------------------------------------------
+23.7.4 (September 14, 2023)
+--------------------------------------------------------------------------
+
+
+The usual amount of improvements go out today with FreeBSD security
+advisories on top.  The new Python version was also picked up.
+
+Note that the WireGuard plugin improvement effort is still going on
+and this time we refreshed the dashboard widget as that was being
+requested a number of times.  The Polish language has been added to
+the GUI as well.
+
+Here are the full patch notes:
+
+* system: correctly set RFC 5424 on remote TLS system logging
+* system: remove hasGateways() and write DHCP router option unconditionally
+* system: avoid plugin system for gateways monitor status fetch
+* system: remove passing unused ifconfig data to Gateways class on static pages
+* system: remove passing unused ifconfig data on gateway monitor status fetch
+* system: remove the unused "alert interval" option from the gateway configuration
+* interfaces: calculate_ipv6_delegation_length() should take advanced and custom dhcp6c into account
+* interfaces: teach ifctl to dump all files and its data for an interface
+* interfaces: remove dead link/hint in GIF table
+* interfaces: avoid duplicating $vfaces array
+* interfaces: introduce interfaces_restart_by_device()
+* firewall: remove old __empty__ options trick from shaper model
+* firewall: update models for clarity
+* firmware: update model for clarity
+* ipsec: omit conditional authentication properties when not applicable on connections
+* ipsec: fix key pair generator for secp256k1 EC and add properer naming to GUI (contributed by Manuel Faux)
+* ipsec: allow the use of eap_id = %any in instances
+* openvpn: fix certificate list for client export when optional CA specified (contributed by Manuel Faux)
+* openvpn: add CARP VHID tracking for client instances
+* openvpn: add tun-mtu/fragment/mssfix combo for instances
+* openvpn: add "route-gateway" advanced option to CSO
+* openvpn: use new File::file_put_contents() wrapper for instances
+* openvpn: updated model and clarified "auth" default option
+* mvc: remove "non-functional" hints from form input elements
+* mvc: uppercase default label in BaseListField is more likely
+* ui: add bytes format to standard formatters list
+* plugins: os-ddclient 1.16 `[1] <https://github.com/opnsense/plugins/blob/stable/23.7/dns/ddclient/pkg-descr>`__ 
+* plugins: os-frr 1.36 `[2] <https://github.com/opnsense/plugins/blob/stable/23.7/net/frr/pkg-descr>`__ 
+* plugins: os-wireguard 2.1 `[3] <https://github.com/opnsense/plugins/blob/stable/23.7/net/wireguard/pkg-descr>`__ 
+* plugins: os-tinc 1.7 adds support for "StrictSubnets" variable (contributed by andrewhotlab)
+* lang: update translations and add Polish
+* src: bring back netmap tun(4) ethernet header emulation (contributed by Sunny Valley Networks)
+* src: axgbe: gracefully handle i2c bus failures
+* src: bnxt: do not restart on VLAN changes
+* src: ice: do not restart on VLAN changes
+* src: net: do not overwrite VLAN PCP
+* src: net: remove VLAN metadata on PCP / VLAN encapsulation
+* src: if_vlan: always default to 802.1
+* src: iflib: fix panic during driver reload stress test
+* src: iflib: fix white space and reduce some line lengths
+* src: ixgbe: define IXGBE_LE32_TO_CPUS
+* src: ixgbe: check for fw_recovery
+* src: net80211: fail for unicast traffic without unicast key `[4] <FREEBSD:FreeBSD-SA-23:11.wifi>`__ 
+* src: pcib: allocate the memory BAR with the MSI-X table `[5] <FREEBSD:FreeBSD-EN-23:10.pci>`__ 
+* ports: php 8.2.10 `[6] <https://www.php.net/ChangeLog-8.php#8.2.10>`__ 
+* ports: python 3.9.18 `[7] <https://docs.python.org/release/3.9.18/whatsnew/changelog.html>`__ 
+* ports: unbound 1.18.0 `[8] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-18-0>`__ 
+
+
+
 --------------------------------------------------------------------------
 23.7.3 (August 30, 2023)
 --------------------------------------------------------------------------