Followup to 5892cfc70e.
- Move the failover gateway group label code into its own function.
- Include the failover gateway group label in the default IPsec rules.
- Always include the active tier in the failover gateway group label. This
is accomplished by changing get_highest_failover_tier_online() to also
return the tier when the chosen tier is the highest tier (i.e. when the
failover gateway group is not in a failover state).
- Change get_highest_failover_tier_online() to use the gateway status from
filter_generate_gateways(). This ensures that the route-to macros in the
pf ruleset align with the failover gateway group labels. Do the same for
filter_rules_generate() when creating the gateway monitoring rules.

Interfaces with gateways (a.k.a. WAN interfaces) have non-quick "pass out"
rules which catch traffic from the firewall host itself. By adding the
appropriate gateway labels to these rules, state killing on gateway
recovery can avoid killing states from policy routing user rules which
specify a lower-priority gateway (that's part of the default group).

When the RFC2136 config uses the option "usepublicip" the source address
is found by calling the function dyndnsCheckIP() which in turn calls
get_request_source_address(). A different code path is followed when
"usepublicip" is not used which can result in the wrong source address
being returned (e.g. when the interface is a failover gateway group). This
change aligns the logic used for determining the request address
regardless of the "usepublicip" option (except for "_stf" interfaces).

Move the removal of the configuration cache file from config_read_file()
to config_write_file(). With this change the cache does not have to be
manually removed after a change, including in the following cases:
- In config_provider_init(). The cache should be up-to-date regardless of
the configuration provider.
- In restore_config_section(). The "subsequent requests" will already use
an up-to-date cache (see a57d617019).
- In backup.inc execPost() when restoring a specific area. The previous
write already removes the cache.
- In backup.inc execPost() when doing a full restore. The call to
config_install() and write_config() already removes the cache.
- In rc.filter_configure. The cache should be up-to-date at this point.
- In write_config() when reading back the written config. The call to
config_write_file() already results in the cache being removed.
- In usermgrpasswd when re-reading the config in case of changes outside
the script, i.e. from the GUI.
- In interfaces.php when applying changes. It's no longer relevant since
there's no "FTP helper" (see b1c525eed2).
- In services_acb_backup.php when writing the change from a POST request.
The change also allows the cache to be used (if it exists) when starting
the following scripts since the cache should be up-to-date:
- /src/etc/phpshellsessions/disabledhcpd
- /src/etc/phpshellsessions/disablereferercheck
- /src/etc/phpshellsessions/enableallowallwan
- /src/etc/phpshellsessions/enablesshd
- /src/etc/phpshellsessions/resetwebgui
- /src/etc/phpshellsessions/restartallwan
Other related changes:
- Deprecate generate_config_cache().
- Allow bypassing the cache when a config provider reads the config.
- Change the default behavior of config_read_file() to use the cache.
- Update callers of config_read_file() as needed.
- Remove the unnecessary cache deletion in config_read_file().
- Remove parse_config() since upgrades from 24.03 to now aren't supported.
- Remove dead code for $config_extra and config.extra.cache.
- Fix typos in related comments.
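
The invalidate-on-write pattern this commit moves to, as an added example that is not pfSense's own code. EXAMPLE_CONF, EXAMPLE_CACHE, example_config_read_file() and example_config_write_file() are hypothetical stand-ins for the config file, its cache, config_read_file() and config_write_file(); the config is stored as JSON here only to keep the example short.

```php
<?php
// Added example (not pfSense code): a config cache that is removed by the
// writer instead of by every reader. Paths and names are hypothetical.

const EXAMPLE_CONF  = '/tmp/example-config.json';
const EXAMPLE_CACHE = '/tmp/example-config.cache';

// Reader: use the cache by default when it exists and is at least as new as
// the config file; otherwise parse the config and rebuild the cache.
// $use_cache = false bypasses the cache (the "bypass" option listed above).
function example_config_read_file(bool $use_cache = true): array
{
    if ($use_cache && is_file(EXAMPLE_CACHE) && is_file(EXAMPLE_CONF)
        && filemtime(EXAMPLE_CACHE) >= filemtime(EXAMPLE_CONF)) {
        // allowed_classes=false: the cache must never instantiate objects.
        $cached = unserialize(file_get_contents(EXAMPLE_CACHE),
                              ['allowed_classes' => false]);
        if (is_array($cached)) {
            return $cached;
        }
    }
    $cfg = json_decode(file_get_contents(EXAMPLE_CONF), true);
    if (!is_array($cfg)) {
        throw new RuntimeException('config file is unreadable or malformed');
    }
    file_put_contents(EXAMPLE_CACHE, serialize($cfg), LOCK_EX);
    return $cfg;
}

// Writer: replace the config atomically, then drop the cache so that every
// later reader (including a read-back right after the write) rebuilds it.
function example_config_write_file(array $cfg): void
{
    $tmp = EXAMPLE_CONF . '.tmp';
    file_put_contents($tmp, json_encode($cfg, JSON_PRETTY_PRINT), LOCK_EX);
    rename($tmp, EXAMPLE_CONF);
    if (is_file(EXAMPLE_CACHE)) {
        unlink(EXAMPLE_CACHE);
    }
}

function example_check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// Walk through the sequence the change relies on.
example_config_write_file(['system' => ['hostname' => 'fw1']]);
$a = example_config_read_file();      // cache miss: parses config, writes cache
$b = example_config_read_file();      // cache hit: cache is not older than config
example_check($a === $b && is_file(EXAMPLE_CACHE), 'cache built and reused');

example_config_write_file(['system' => ['hostname' => 'fw2']]);
example_check(!is_file(EXAMPLE_CACHE), 'writer removed the cache');
$c = example_config_read_file();      // rebuilt from the new config
example_check($c['system']['hostname'] === 'fw2', 'reader sees new config');

$d = example_config_read_file(false); // explicit cache bypass
example_check($d === $c, 'bypass and cached reads agree');
echo "ok\n";
```

Because the only code path that deletes the cache is the one that also changes the config file, the readers listed above can trust the cache without each having to remove it first; a reader that still wants a fresh parse passes `false` for the cache flag.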

In OpenVPN server configurations OpenVPN sets the environment variable
"ifconfig_ipv6_remote" when an IPv6 tunnel network is specified. This is
not the case for IPv4 and its respective variables. These variables are
later used to create a gateway for assigned interfaces in which case the
gateway address should always be the local interface address.

When the option to override the prefix is enabled, the destination type
should remain enabled so that the POST request contains the value and
triggers the correct input validation.