It looks like the action buttons lost their bindings; this commit restores the function, although it removes the batch function which previously split the set in parts.
Usually the size of the url shouldn't be that much of an issue.
This commit adds top-level groups that are always shown and visible, such as automatically generated, floating, group & interface rules. This first-level tree is not subject to local storage persistence, but state is kept to make sure these trees don't collapse if there are data changes in the grid to improve overall UX. The "category view" (previously "Tree view") is moved to a tree nested under the top-level groups. This tree is subject to local storage persistence.
Whether a top-level tree expands by default is determined by the interface type selection. If a user selects "floating rules", the floating rules section will expand; if instead a user selects an interface, the interface rules section will expand, while all other groups are collapsed.
This commit also fixes the case of the "select all" header checkbox, which was removed in the initial implementation as it wasn't functional. If a user now presses it, all selectable rules are selected, but only if they are visible under an expanded tree.
Firewall: add Source NAT mode bridge and outbound NAT migration
Reflect legacy `nat.outbound.mode` into the Firewall MVC model as volatile
`general.snat_mode` and expose it in the new Source NAT view. Persist the value
back into the legacy configuration through `serializeToConfig()` using a scoped
general-section setter to avoid unrelated model validation.
Adjust the Source NAT grid output based on the selected mode. Automatic and
hybrid modes include synthetic automatic rule rows for display purposes, while
advanced mode only shows manual rules and disabled mode hides the grid.
Extend the migration assistant with an outbound NAT migration tab and add a
configd exporter for legacy `nat.outbound.rule` entries. Exported rows
use empty UUIDs so imports create fresh MVC rule identifiers.
Add missing Source NAT parity fields for `tag` and `nosync`, include them in
generated rows, and export them from legacy outbound NAT rules.
Move the migration assistant menu item out of `Rules [legacy]` so it remains
available when firewall legacy rules no longer exist. Dynamically show the
legacy Outbound NAT menu item only when legacy outbound NAT rules are still
relevant.
Firewall: Source NAT - simplify `/api/firewall/source_nat/search_rule`
While reviewing the Source NAT grid handling for the mode-dependent output, the
rule extraction path was simplified as well. The Source NAT controller now uses
the same general strategy as the filter rule controller where possible: collect
the relevant record set once, then filter and update it consistently.
core/ACL: add uniform read-only write trap
Add a shared `throwReadOnly()` helper for the `user-config-readonly` privilege
check. Mutating API actions can call this when an operation changes
configuration, avoiding repeated local ACL checks with slightly different
patterns.
---------
Co-authored-by: Ad Schellevis <ad@opnsense.org>
In order to migrate the interface assignments, we need to think of a way to use the differently named xml nodes for interfaces (wan, lan, ..) into something that closely resembles a standard model implementation.
Since we can't match these nodes in our statically defined model xmls, the main idea is to flush all via an in-memory model with a separate load [construct] and save hook [serializeToConfig].
The next challenge is to "stash" updates and wait for "apply" in certain cases; for this we add a temporary database holding the changes which are synced after the actual system change has happened (pending_action, pending_if). When successfully applied, the apply function cleans up the final stage of the configuration to make everything consistent again.
This database is a simple single json encoded file named /tmp/.interfaces.todo
This only pertains to the connectivity audit changes from
26.1.8. Treat the server from opnsense-update -M as the
primary one by not sorting the result.
PR: https://forum.opnsense.org/index.php?topic=52025.0
Since cmd_output was made the generic filter for subscriptions
the update log showed signs of excessive buffering. This brings
it back to where it was and also improves the old read case.
This is also a continuation of 770480715b. Moving the validation
inside the respective function makes sense. Also checking if the
name and expected file type is present before continuing.
Also bring in the PPS unlink() fix into GPS and always use the default
init string if nothing else given -- may be wrong but at least this
was the code intention only obscured by the wrong logic expression.
PR: GHSA-872g-g543-j37m
* Firewall: NAT: Add the same UI design to the NAT pages as the firewall page from 18533b4, but slightly adjusted as NAT rules do not have sort_order or priority groups, so all grouping happens either by category, or to a synthetic automatic category if the rules contain an is_automatic true boolean.
* Implement sort_order in DNAT controller so the same tree view logic as in firewall rules can be used, this eases maintenance
* Add sort order volatile fields to SourceNatRuleField shared by SNAT, ONAT and NPTv6 inside filter model.
* make sweep
* prio_group is static in NAT rules, so we can use it directly
* Add comment about prio_group inside filter_rule.volt