Merge branch 'opnsense:master' into chrony-config

2026-05-28 04:34:15 -04:00 · 2026-01-06 11:09:16 -06:00 · 2026-01-06 11:09:16 -06:00 · 41abe29938
commit 41abe29938
parent 7043f2d644 565bd02235
13 changed files with 127 additions and 5 deletions
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@ -1,5 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.49
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr10-pythontools
 PLUGIN_MAINTAINER=	ad@opnsense.org
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@ -18,6 +18,7 @@ Plugin Changelog
 * Fix SNMP OSPF argument flags in RC configuration file
 * Fix STATIC template interface issue
 * Replace shell_exec() with mwexecfm()
+* Prevent errors in diagnostics view when a frr daemon is not started

 1.48

--- a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
+++ b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
@ -33,137 +33,160 @@ message:request frr
 [diagnostics.general_running-config]
 command:/usr/local/bin/vtysh -c "show running-config"
 parameters:
+errors:no
 type:script_output
 message:FRR diagnosticts "show running-config"

 [diagnostics.general_route4]
 command:/usr/local/bin/vtysh
 parameters: -c 'show ip route %s'
+errors:no
 type:script_output
 message:FRR diagnosticts "show ip route"

 [diagnostics.general_route6]
 command:/usr/local/bin/vtysh
 parameters: -c 'show ipv6 route %s'
+errors:no
 type:script_output
 message:FRR diagnosticts "show ipv6 route"

 [diagnostics.bgp_route4]
 command:/usr/local/bin/vtysh
 parameters: -c 'show bgp ipv4 %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show bgp ipv4 %s"

 [diagnostics.bgp_route6]
 command:/usr/local/bin/vtysh
 parameters:-c 'show bgp ipv6 %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show bgp ipv6 %s"

 [diagnostics.bgp_summary]
 command:/usr/local/bin/vtysh
 parameters: -c 'show bgp summary %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show bgp summary %s"

 [diagnostics.bgp_summary4]
 command:/usr/local/bin/vtysh
 parameters: -c 'show bgp ipv4 summary %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show bgp ipv4 summary %s"

 [diagnostics.bgp_summary6]
 command:/usr/local/bin/vtysh
 parameters: -c 'show bgp ipv6 summary %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show bgp ipv6 summary %s"

 [diagnostics.bgp_neighbors]
 command:/usr/local/bin/vtysh
 parameters: -c 'show bgp neighbors %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show bgp neighbors %s"

 [diagnostics.bgp_neighbors4]
 command:/usr/local/bin/vtysh
 parameters: -c 'show bgp ipv4 neighbors %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show bgp ipv4 neighbors %s"

 [diagnostics.bgp_neighbors6]
 command:/usr/local/bin/vtysh
 parameters: -c 'show bgp ipv6 neighbors %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show bgp ipv6 neighbors %s"

 [diagnostics.ospf_overview]
 command:/usr/local/bin/vtysh
 parameters: -c 'show ip ospf %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show ip ospf %s"

 [diagnostics.ospf_neighbor]
 command:/usr/local/bin/vtysh
 parameters: -c 'show ip ospf neighbor %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show ip ospf neighbor %s"

 [diagnostics.ospf_route]
 command:/usr/local/bin/vtysh
 parameters: -c 'show ip ospf route %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show ip ospf route %s"

 [diagnostics.ospf_interface]
 command:/usr/local/bin/vtysh
 parameters: -c 'show ip ospf interface %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show ip ospf interface %s"

 [diagnostics.bfd_neighbors]
 command:/usr/local/bin/vtysh
 parameters: -c 'show bfd peers %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show bfd peers json %s"

 [diagnostics.bfd_summary]
 command:/usr/local/bin/vtysh
 parameters: -c 'show bfd peers brief %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show bfd peers brief %s"

 [diagnostics.bfd_counters]
 command:/usr/local/bin/vtysh
 parameters: -c 'show bfd peers counters %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show bfd peers counters %s"

 [diagnostics.ospf_database]
 command:/usr/local/bin/vtysh
 parameters: -c 'show ip ospf database %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show ip ospf database"

 [diagnostics.ospfv3_overview]
 command:/usr/local/bin/vtysh
 parameters: -c 'show ipv6 ospf6 %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show ipv6 ospf6 %s"

 [diagnostics.ospfv3_route]
 command:/usr/local/bin/vtysh
 parameters: -c 'show ipv6 ospf6 route %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show ipv6 ospf6 route %s"

 [diagnostics.ospfv3_database]
 command:/usr/local/bin/vtysh
 parameters: -c 'show ipv6 ospf6 database %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show ipv6 ospf6 database json"

 [diagnostics.ospfv3_interface]
 command:/usr/local/bin/vtysh
 parameters: -c 'show ipv6 ospf6 interface %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show ipv6 ospf6 interface %s"
--- a/net/ndp-proxy-go/pkg-descr
+++ b/net/ndp-proxy-go/pkg-descr
@ -9,6 +9,7 @@ Plugin Changelog
 1.3

 * Add ratelimit for pfctl operations
+* Add CARP failover

 1.2

--- a/net/ndp-proxy-go/src/etc/rc.syshook.d/carp/20-ndpproxy
+++ b/net/ndp-proxy-go/src/etc/rc.syshook.d/carp/20-ndpproxy
@ -0,0 +1,53 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ * Copyright (C) 2025 Cedrik Pischem
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once('script/load_phalcon.php');
+require_once('util.inc');
+
+use OPNsense\NdpProxy\NdpProxy;
+
+$subsystem = $argv[1] ?? '';
+$type = $argv[2] ?? '';
+$model = new NdpProxy();
+
+if (
+    (!in_array($type, ['MASTER', 'BACKUP'], true)) ||  /* exclude INIT */
+    strpos($subsystem, '@') === false ||  /* only react to real CARP events */
+    $model->general->enabled->isEmpty() ||
+    $model->general->carp_depend_on->isEmpty()
+) {
+    exit(0);
+}
+
+$actions = [
+    'MASTER' => 'start',
+    'BACKUP' => 'stop',
+];
+
+mwexecfm('/usr/local/etc/rc.d/ndp-proxy-go ' . $actions[$type]);
--- a/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml
@ -9,6 +9,13 @@
        <type>checkbox</type>
        <help>Enable or disable this service.</help>
    </field>
+    <field>
+        <id>ndpproxy.general.carp_depend_on</id>
+        <label>Enable CARP failover</label>
+        <type>checkbox</type>
+        <advanced>true</advanced>
+        <help>If any CARP VHID on this node is in MASTER state the service will be started, otherwise stopped. As NDP is stateless, a short interruption of IPv6 connectivity must be expected during CARP transitions.</help>
+    </field>
    <field>
        <type>header</type>
        <label>Proxy Settings</label>
@ -39,7 +46,8 @@
    </field>
    <field>
        <type>header</type>
-        <label>Performance Settings</label>
+        <label>Neighbor Settings</label>
+        <collapse>true</collapse>
    </field>
    <field>
        <id>ndpproxy.general.cache_ttl</id>
@ -61,6 +69,11 @@
        <type>checkbox</type>
        <help>Persist cache to file on service stop and load it on service start. Only neighbors with a valid cache lifetime are loaded. This helps on system reboots to minimize downtime of individual clients.</help>
    </field>
+    <field>
+        <type>header</type>
+        <label>Performance Settings</label>
+        <collapse>true</collapse>
+    </field>
    <field>
        <id>ndpproxy.general.route_qps</id>
        <label>Max route operations</label>
@ -82,6 +95,11 @@
        <hint>50</hint>
        <help>Controls CPU usage vs. NDP responsiveness. Lower values (e.g., 25 ms) minimize latency during cache refresh at the cost of more CPU. Higher values (100–250 ms) reduce CPU use but may introduce small latency spikes.</help>
    </field>
+    <field>
+        <type>header</type>
+        <label>Log Settings</label>
+        <collapse>true</collapse>
+    </field>
    <field>
        <id>ndpproxy.general.debug</id>
        <label>Debug log</label>
--- a/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml
@ -1,7 +1,7 @@
 <model>
    <mount>//OPNsense/ndpproxy</mount>
    <description>NDP Proxy model</description>
-    <version>1.0</version>
+    <version>1.1</version>
    <items>
        <general>
            <enabled type="BooleanField">
@ -43,6 +43,10 @@
                <Default>0</Default>
                <Required>Y</Required>
            </debug>
+            <carp_depend_on type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </carp_depend_on>
        </general>
        <aliases>
            <alias type="ArrayField">
--- a/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go
+++ b/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go
@ -2,6 +2,9 @@
 {% set general = helpers.getNodeByTag('OPNsense.ndpproxy.general') %}
 {% if general.enabled|default("0") == "1" and general.upstream and general.downstream %}
 ndp_proxy_go_enable="YES"
+{%     if general.carp_depend_on %}
+ndp_proxy_go_check_carp="YES"
+{%     endif %}
 ndp_proxy_go_upstream="{{ helpers.physical_interface(general.upstream) }}"
 {%     set downstream_interfaces = [] %}
 {%     for interface in general.downstream.split(',') %}
--- a/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml
+++ b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml
@ -87,6 +87,16 @@
            active-response action.
        </help>
    </field>
+    <field>
+        <id>agent.active_response.repeated_offenders</id>
+        <label>Repeated offenders</label>
+        <type>text</type>
+        <help>
+            Comma-separated list of increasing timeout values in minutes for repeat offenders (e.g., 30,60,120,240).
+            When an IP triggers active response multiple times, each subsequent block uses the next timeout value.
+            Leave empty to disable repeated offender escalation.
+        </help>
+    </field>
    <field>
        <id>agent.active_response.remote_commands</id>
        <label>Wazuh remote commands</label>
--- a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
+++ b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
@ -1,6 +1,6 @@
 <model>
    <mount>//OPNsense/WazuhAgent</mount>
-    <version>1.0.2</version>
+    <version>1.0.3</version>
    <description>Wazuh Agent</description>
    <items>
        <general>
@ -112,6 +112,11 @@
                </Model>
                <Required>N</Required>
            </fw_alias_ignore>
+            <repeated_offenders type="TextField">
+                <Required>N</Required>
+                <Mask>/^([0-9]+)(,[0-9]+)*$/</Mask>
+                <ValidationMessage>Enter comma-separated timeout values in minutes (e.g., 30,60,120,240)</ValidationMessage>
+            </repeated_offenders>
        </active_response>
    </items>
 </model>
--- a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/opnsense-fw.conf
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/opnsense-fw.conf
@ -1,4 +1,4 @@
 [general]
 {% if not helpers.empty('OPNsense.WazuhAgent.active_response.fw_alias_ignore') and helpers.getUUID(OPNsense.WazuhAgent.active_response.fw_alias_ignore) %}
-skip_alias={{helpers.getUUID(OPNsense.WazuhAgent.wazuh_command.fw_alias_ignore).name}}
+skip_alias={{helpers.getUUID(OPNsense.WazuhAgent.active_response.fw_alias_ignore).name}}
 {% endif %}
--- a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf
@ -22,7 +22,7 @@
  </client_buffer>

 {%  for sfilename in helpers.glob("OPNsense/WazuhAgent/ossec_config.d/*.conf") %}{%
-        include sfilename without context
+        include sfilename
 +%}

 {%  endfor %}
--- a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/005-active-response.conf
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/005-active-response.conf
@ -1,4 +1,7 @@
  <!-- Active response -->
  <active-response>
    <disabled>{% if not helpers.empty('OPNsense.WazuhAgent.active_response.enabled') %}no{% else %}yes{% endif %}</disabled>
+{% if not helpers.empty('OPNsense.WazuhAgent.active_response.repeated_offenders') %}
+    <repeated_offenders>{{ OPNsense.WazuhAgent.active_response.repeated_offenders }}</repeated_offenders>
+{% endif %}
  </active-response>