Software update: OPNsense 26.1.3
The OPNsense package is a firewall with extensive capabilities. It is based on the FreeBSD operating system and was originally a fork of m0n0wall and pfSense. The package can be configured entirely through a web interface and supports, among other things, MFA, OpenVPN, IPsec, CARP and captive portal. It can also apply packet filtering and includes a traffic shaper. The developers behind OPNsense have released version 26.1, and the release notes for that release can be found below.
OPNsense 26.1.3 released

This update finally brings in Python 3.13 after the struggle we had with 3.11 and missing security patches. A number of things were fixed for the new rules GUI as well as assorted minor things in all areas of the code base. Two FreeBSD security advisories are also included and a reboot is needed to finish this update.
Of note are the recent modifications of the firmware scripting as they follow a fix in 26.1.2 that seems to have resolved the partial upgrade failures people have been reporting over the last 2 years. It turned out that the issue was a cleanup routine in the core package that removed temporary files in the background while the package manager was still attempting to install more packages.
Here are the full patch notes:

- system: add note field to store comments for each snapshot
- system: add configurable "memberOf" attribute to LDAP connector
- system: do not scrub unrelated IPv6 DHCP ranges from Dnsmasq LAN config during wizard
- system: adapt DHCP address shell setup for new config access functions
- system: adapt web GUI certificate renew for new config access function
- system: adapt initial port configuration DHCP setting for new config access functions
- system: avoid using "(system)" user revision annotation to match legacy and MVC code
- system: fix log files 'go to page' edge case and row count persistence/max
- system: ignore future backups when they exist to ensure new backups are saved
- system: ensure proper types are emitted in searchGatewayAction() when configd action fails
- system: use safe iteration for cert/ca in system_trust_configure()
- system: fixed broken link in modal header when using HA and saving administration settings
- system: create a backup on factory reset
- system: unify pwd_changed_at usage
- reporting: restore canvas state in health graph to fix Firefox display bug
- interfaces: generalise the dhcp6c_script using the new IFNAME variable
- interfaces: fix enter key in assignment description and general cleanup
- interfaces: protect device reads against forcing empty arrays into $config
- firewall: check for schedules in use in new rules
- firewall: add import/export function and missing lock on set action
- firewall: better focus selected alias updates to increase performance when either --aliases or --types is used
- firewall: implement missing ICMP types in new rules GUI (contributed by Bjoern Jakobsen)
- firewall: adjust for parseReplace() for icmp-type "skip"
- firewall: fix NAT rule enabled checks display (contributed by Aaron Rogers)
- firewall: prevent separator char from being used in category names
- firewall: fix running into error using well known protocols with "-" in them
- firewall: add validation to prevent using both gateway and reply-to in the same rule in new GUI
- firewall: add a command button to open the live log with pre-filled rule ID in new GUI
- firewall: move download and upload commands out of partial into global commands in new GUI
- firewall: reduce complexity in URL hash handling and when using firewall_rule_lookup.php in new GUI
- firewall: fix default ipprotocol mismatch so that when not specified both are indicated
- firewall: update destination NAT ACL to match our menu entry
- firewall: fix issues with searching in the states page
- firewall: allow well known ports in local-port destination NAT
- firewall: adjust row selection behaviour for internal rules in MVC pages
- firewall: offer aliases the same way as the field type expects them
- dnsmasq: add IP address validations for some of the DHCPv4 and DHCPv6 options (contributed by Greelan)
- firmware: fix automatic advanced toggle in settings
- firmware: shorten the reboot message to fit the spinner on the same line
- firmware: tweaks for update/upgrade cleanup behaviours between core and opnsense-update
- firmware: add support for aux repository handling in opnsense-update
- installer: ufs: ignore errors when flushing the full disk
- intrusion detection: upgrade ET Open ruleset to version 8.0 (contributed by 0nnyx)
- openvpn: add options for legacy ciphers (contributed by Bjoern Jakobsen)
- radvd: use safe config array iteration over virtual IPs
- unbound: persist overrides PTR configuration and allow the user to deselect it
- backend: removed mwexec() and mwexec_bg() functions following their deprecation
- backend: add config_push_array() and config_merge_array() helpers
- backend: remove constant configd cleanups as they may influence requests from other threads executing different commands
- mvc: restructure menu items and system using findNodeByPath()/getItem() additions
- mvc: BaseListField: generic implementation of static options
- mvc: PortField: make "well-known" port numbers known by allowing them to be mapped to their respective numbers
- mvc: collect UUID field so it can be searched, but only if the searchPhrase contains a valid UUID
- tests: merge stable filter tests to double check upcoming changes
- ui: batch bootgrid enable/disable-selected toggle by default
- ui: swap order of custom bootgrid commands placement making sure they participate in command binding
- plugins: os-acme-client 4.14
- plugins: os-caddy 2.1.0
- plugins: os-haproxy 5.1
- plugins: os-netbird 1.2
- plugins: os-nextcloud-backup 1.2
- plugins: os-q-feeds-connector 1.5
- plugins: os-tailscale 1.4
- plugins: os-theme-cicada 1.41
- plugins: os-theme-flexcolor 1.1
- plugins: os-theme-tukan 1.31
- plugins: os-theme-vicuna 1.51
- plugins: os-upnp 1.9
- src: igmp: do not upgrade IGMP version beyond net.inet.igmp.default_version
- src: igmp: apply net.inet.igmp.default_version to existing interfaces
- src: ice: handle allmulti flag in ice_if_promisc_set function
- src: icmp6: clear csum_flags on mbuf reuse
- src: file: qualify pointers to capsicum rights as const
- src: file: add a fd flag with O_RESOLVE_BENEATH semantics
- src: file: Fix the !CAPABILITIES build
- src: unix: Set O_RESOLVE_BENEATH on fds transferred between jails
- src: rtsock: Fix stack overflow
- src: divert: Use a better source identifier for netisr_queue_src() calls
- src: if_ovpn: add interface counters
- src: e1000: fix setting the promiscuous mode
- src: pfctl: allow new page character (^L) in pf.conf
- src: sctp: support bridge interfaces
- src: ifconfig: assorted stable fixes
- src: ip_mroute: assorted stable fixes
- src: vtnet: assorted stable fixes
- ports: libucl 0.9.4
- ports: nss 3.121
- ports: python 3.13.12
Source:
Tweakers.net