Software-update: OPNsense 26.1

Het pakket OPNsense is een firewall met uitgebreide mogelijkheden. Het is gebaseerd op het besturingssysteem FreeBSD en is oorspronkelijk een fork van m0n0wall en pfSense. Het pakket kan volledig via een webinterface worden ingesteld en heeft onder andere ondersteuning voor mfa, OpenVPN, IPsec, CARP en captive portal. Daarnaast kan het packetfiltering toepassen en beschikt het over een traffic shaper. De ontwikkelaars achter OPNsense hebben versie 26.1 uitgebracht en de releasenotes voor die uitgave kunnen hieronder worden gevonden.

OPNsense 26.1 released

For over 11 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates, modern IPv6 support, as well as clear and stable 2-Clause BSD licensing.

26.1, nicknamed "Witty Woodpecker", features almost a full firewall MVC/API experience as automation rules have been promoted to the new rules GUI, Suricata version 8 with inline inspection mode using "divert", assorted IPv6 reliability and feature improvements, router advertisements MVC/API, full code shell command escaping revamp, default IPv6 mode now using Dnsmsaq for client connectivity, Unbound blocklist source selection, an automatic host discovery service, plus much more.

The upgrade path for 25.7 will likely be unlocked on January 29, which is probably tomorrow if anyone is asking why it is not there yet. We want to ensure the upgrade goes as smoothly as possible so please be patient!

Here are the full patch notes:

• system: factory reset and console tools now default to using Dnsmasq for DHCP
• system: wizard now offers an abort button and deployment type selections
• system: wizard can disable WAN or LAN interface now
• system: provide resolv.conf overrides via /etc/resolv.conf.local
• system: add XMLRPC option for hostwatch
• firewall: improve GeoIP alias expiry condition
• firewall: escape selector in rule_protocol
• firewall: "Port forward" was migrated to "Destination NAT" MVC/API
• firewall: unified look and feel of MVC/API pages formerly known as "automation"
• firewall: improved support of gateway groups in policy-based routing
• firewall: plugin support for "ether" rules has been removed
• firewall: add import/export to shaper queues and pipes
• firewall: "divert-to" support in new rules GUI
• firewall: added a rule migration page (use with care)
• firewall: make previously associated DNAT rules editable
• interfaces: a new IPv6 mode called "Identity association" was added
• interfaces: settings page was migrated to MVC/API
• interfaces: handle hostwatch user/group via package
• interfaces: force-reload IPv6 connectivity when PDINFO changes during renew
• interfaces: dhcp6c rapid-commit, request-dns and config write refactoring
• interfaces: generalise the rtsold_script code
• interfaces: use descriptive interface names in automatic discovery table
• interfaces: harden settings page with file_safe() and allowed_classes=false
• dhcrelay: relax the check for present addresses and CARP-related cleanups
• dnsmasq: add automatic RDNSS option when none is configured
• dnsmasq: fix log conditions
• firmware: opnsense-code: run configure script on upgrade if needed
• intrusion detection: add a "divert" intrusion prevention mode
• ipsec: expose ChaCha20-Poly1305 AEAD proposals in IKEv2 (contributed by Kota Shiratsuka)
• kea: add libdhcp_host_cmds.so to expose internal API commands for reservations
• kea: exit prefix watcher script if no lease file exists
• kea: allow "hw-address" for reservations
• kea: add pool in subnet validation
• kea: minor code cleanups in model code
• openvpn: account for CARP status in start and restart cases as well
• openvpn: removed the stale TheGreenBow client export
• radvd: migrated to MVC/API
• radvd: remove faulty empty address exception
• radvd: remove configuration file if disabled
• radvd: implement RemoveAdvOnExit override
• radvd: add Base6Interface constructor
• radvd: support nat64prefix
• console: opnsense-log now supports "backend" and "php" aliases
• backend: safe execution changes in the whole code base
• backend: removed short-lived mwexecf_bg() function
• lang: various translation updates
• mvc: add ChangeCase support to ProtocolField for DNAT special case
• mvc: improve importCsv() to support either comma or semicolon
• mvc: removed long obsolete sessionClose() from ControllerRoot
• mvc: BaseModel: isEmptyAndRequired() has been removed
• mvc: removed unusued RegexField
• rc: replace camcontrol with diskinfo for TRIM check (contributed by Maurice Walker)
• ui: allow HTML tags in menu items and title
• ui: improve user readability in SimpleFileUploadDlg()
• plugins: os-acme-client 4.12
• plugins: os-ddclient 1.29
• plugins: os-freeradius 1.10
• plugins: os-isc-dhcp 1.0
• plugins: os-nextcloud-backup 1.1
• plugins: os-nginx 1.36
• plugins: os-postfix 1.24.1
• plugins: os-q-feeds-connector 1.4
• plugins: os-wazuh-agent 1.3
• src: assorted patches from stable/14 for LinuxKPI, QAT, and network stack
• src: e1000: revert "try auto-negotiation for fixed 100 or 10 configuration"
• src: if_ovpn: use epoch to free peers
• src: carp6: revise the generation of ND6 NA
• ports: dhcp6c v20260122
• ports: hostwatch 1.0.9

Migration notes, known issues and limitations:

• ISC-DHCP moves to a plugin. It will be automatically installed during upgrades. It is not installed on new installations because it is not being used, but you can still install and keep using it.
• To accommodate the change away from ISC-DCHP defaults the "Track interface" IPv6 mode now has a sibling called "Identity Association" which does the same except it is not automatically starting ISC-DHCPv6 and Radvd router advertisements to allow better interoperability with Kea and Dnsmasq setups.
• Dnsmasq is now the default for DHCPv4 and DHCPv6 as well as RA out of the box. One thing that the upstream software cannot cover is prefix delegation so that is no longer offered by default. Use another DHCPv6 server in this case.
• Due to command line execution safety concerns the historic functions mwexec_bg() and mwexec() will be removed in 26.1.x. Make sure your custom code is not using them and use mwexecf(), mwexecfb() and mwexecfm() instead.
• The function sessionClose() has also been removed from the MVC code and is no longer needed. Make sure to remove it from your custom code.
• The custom.yaml support has been removed from intrusion detection. Please migrate to the newer /usr/local/etc/suricata/conf.d override directory.
• The new host discovery service "hostwatch" is enabled by default (since 25.7.11). You can always turn it off under Interfaces: Neighbors: Automatic Discovery if you so choose.
• The firewall migration page is not something you need to jump into right away. Please make yourself familiar with the new rules GUI first and check the documentation for incompatibilities. Single interface from the floating interface will not be considered "floating" in priorities.
• Firewall: NAT: Port Forwarding is now called "Destination NAT". Firewall rule associations are no longer supported, but the old associated firewall rules remain in place with their last known configuration and can now be edited to suit future needs.
• Firewall: NAT: Source NAT is from the set of pages formerly known as automation, but Outbound NAT is still the main page for these types of rules.