Topics

After a write_config(), getNodes() returns null/empty array for type ArrayField.
Don't know if this is a bug or me just missing how to refresh the config.

Example model test script attached.

No console menu after update

Before and after config diff doesn't show anything that would expect to disable/lock console menu.  Doesn't seem to be anything else unusual.  SSH as root still works.

Haven't seen anyone else mention it so may be a me thing.

Same for both production and devel.

opnsense-update -t opnsense

OPNsense 18.1.5-amd64
FreeBSD 11.1-RELEASE-p8
LibreSSL 2.6.4

opnsense-update -t opnsense-devel

OPNsense 18.7.a_264-amd64
FreeBSD 11.1-RELEASE-p8
LibreSSL 2.6.4

Forth place overall medal count.
Tied for third for gold medals.

How do I get my master repo to upgrade to 18.7.a?  It's stuck on 18.1.b.

When I check for upgrade it shows new version opnsense-devel 18.7.a and upgrade to that as expected.  But if I do a make upgrade from the master repo it reverts to reporting version 18.1.b.

Don't think there would be any code difference.  Just version reporting and always thinking there is an upgrade available.

Firmware release type is set to development.

Thanks

WinSCP opens a separate ssh session for direct duplication of remote files.

On OPNsense box "starting the session..." fails.

Works fine on other FreeBSD boxes.

Is there something specific about the OPNsense that would cause this?

Thanks

Trying to access the WebGUI via wan interface.  Have pass all rule at top of WAN firewall and it responds with SYN ACK to client IP address.  However it is to the default gateway MAC address so never reaches the client.

Why is it being sent to the gateway?  They are all on the same subnet (192.168.2.0/24).

Client x.x.x.10
OPNsense x.x.x.44
Default Gateway x.x.x.1

Thanks

Tinkering with the viewport settings and find that I like

this

Code Select Expand

<meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1" />

better than this

Code Select Expand

<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" />

Because it allows zooming in on something and then easily returning to the scale factor 1.

In the past I know Chrome was using or a combination of viewport settings to disable double click zoom.  But from what I understand they changed to triggering that by width set to device-width or less.

Preventing user scaling is typical beneficial for things such as maps where it is better for the app to handle the zooming by providing a higher resolution image of that map section.  Rather than the browser zooming in on the lower res image and pixelating.

What is the purpose of preventing user scaling here?

Thanks

I also want a couple of accessibility improvements here.

HTML/Usage/Headings/Missing
https://www.w3.org/wiki/HTML/Usage/Headings/Missing

Code Select Expand


grep -ERIisro '<section ' /usr/core/src/* | grep -c '<section '
grep -ERIisrc '<section ' /usr/core/src/* | grep -v ':0$' | grep -c ".*"
grep -ERIisrc '<section ' /usr/core/src/* | grep -v ':0$'

313 occurrences in 136 files

Code Select Expand


grep -ERIisro '<section ' /usr/plugins/* | grep -c '<section '
grep -ERIisrc '<section ' /usr/plugins/* | grep -v ':0$' | grep -c ".*"
grep -ERIisrc '<section ' /usr/plugins/* | grep -v ':0$'

79 occurrences in 34 files

https://validator.w3.org/
Warning: Section lacks heading. Consider using h2-h6 elements to add identifying headings to all sections.

Any plan to use virtual interface vlans (em0.1 vs em0_vlan1)?
https://www.freebsd.org/doc/handbook/network-vlan.html

I don't know what all the advantages are.  But I know it is much nicer to work with packet capturing.  Can just specify the virtual vlan interface (em0.n) rather than having to include the vlan tag in the capture filter.

Having trouble understanding the "for" attribute in the <tr> (line 45) and <span> (line 81) elements here.
Could someone please shed some light on how, when, and where these are made use of?
Thanks.

form_input_tr.volt
/usr/local/opnsense/mvc/app/views/layout_partials/

Code Select Expand


45: <tr for="{{ id }}" {% if advanced|default(false)=='true' %} data-advanced="true"{% endif %}>
. . .
        <input id="{{ id }}" ... >
. . .
80:     <td>
81:         <span class="help-block" for="{{ id }}" ></span>
82:     </td>
83: </tr>


System: Trust: Authorities: Add/Edit
(https://opnsense.office/system_camanager.php?act=edit&id=0)

The "Serial for next certificate" value decrements with each save.
full help: "Enter a decimal number to be used as the serial number for the next certificate to be created using this CA."

Should this value really be decremented by saving?  Doesn't seem like it should.  Maybe I'm not understanding the use case.

System: Firmware

Plugins tab shows "os-dyndns" as NOT installed.  But "Dynamic DNS" is in the "Services" menu (and configurable), and "configctl firmware plugin dyndns" returns "1" (installed).

I'm confused.  Please clarify.

Thanks.

Docs »
Development Manual »
Examples »
Hello world module & plugin

https://docs.opnsense.org/development/examples/helloworld.html#add-actions

This add actions section example code line...
$bckresult = trim($backend->configdRun("template reload OPNsense.HelloWorld"));

should be...
$bckresult = trim($backend->configdRun("template reload OPNsense/HelloWorld"));

The 300 ms click delay seems to have out lived it's usefulness.  Could we please remove it?

It's been eliminated for specifically for Chrome via the viewport meta tag width=device-width.  But that is browser specific and maybe even proprietary solution.

Think CSS is the W3C "recommending" solution.

body {
  touch-action: manipulation;
}

Background:
What Exactly Is..... The 300ms Click Delay
https://www.telerik.com/blogs/what-exactly-is.....-the-300ms-click-delay

Thanks

Python is using the certifi CA bundle (.../site-packages/certifi/cacert.pem).

Is there also an equivalent to the OpenSSL CAPATH?  A hash dir of CA's.  That Python/certifi can be configured to check if the CA is not found in cacert.pem?  Like OpenSSL does?
e.g. /etc/ssl/certs or /usr/local/openssl/certs

Could add own CA's to the cacert.pem, but that is ungainly approach.

Is OpenSSL going by the wayside in favor of Certifi?

18.1.b

System:Firmware:Plugins

Would like to see the installed plugins at top of the list.  Maybe split out into two tables.  Installed and Available.

Anybody else?

Running make upgrade clobbers custom /root/.ssh/authorized_keys.  Reverts it back to some default.

Would not have though /root would need to be modified.
Is this intended necessary behavior or a bug?
How to prevent and keep the customized authorized keys?

Several times every day the default route vanishes.
Save and apply gateway re-establishes the default route.

Is there a known issue or resolution?  If not could use guidance in troubleshooting this.

Thanks.

17.7.10 on VirtualBox 5.2.2

According to the documentation is sounds like after cloning core reop into /root/core that it should mount automatically during bootup.  But it is not happening.

It can be manually mounted and unmounted and seems to work as expected.  But it doesn't mount at boot up.

There must be a catch. ??
Or am I misunderstanding how it is supposed to work?

17.7.10 in VirtualBox 5.2.2

It's not that difficult to do in most cases and it prevents breakage.

Symptom:
Can't edit existing rfc2136 clients with IE11.

Cause:
Invalid HTML.
The element button must not appear as a descendant of the a element.

Page:
services_rfc2136.php

HTML Validation:
https://validator.w3.org/

Errors:
Error: A meta element with an http-equiv attribute whose value is X-UA-Compatible must have a content attribute with the value IE=edge.
Error: Duplicate ID __opnsense_csrf.
Error: The element button must not appear as a descendant of the a element.

Specification:
http://w3c.github.io/html/textlevel-semantics.html#the-a-element
"Allowed ARIA role attribute values: link (default - do not set), button, checkbox, radio, switch, tab or treeitem"
"The <a> element may be wrapped around entire paragraphs, lists, tables, and so forth, even entire sections, so long as there is no interactive content within (e.g., buttons or other links)."