22.7 “Powerful Panther” Series

For more than 7 and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

22.7, nicknamed “Powerful Panther”, features the upgrade to FreeBSD 13.1, PHP 8.0, Phalcon 5, stacked VLAN and Intel QuickAssist (QAT) support, DDoS protection using syncookies, MVC/API pages for IPsec status and Unbound overrides, new APCUPSD and CrowdSec plugins plus much more.

LibreSSL flavour is scheduled for removal at the end of this series and will likely receive no further maintenance. Software failing to work properly starting with Tor will have its plugin removed from the flavour from now on to be able to keep updating the software to their latest versions in the OpenSSL flavour. The next major upgrade will automatically transition to the OpenSSL flavour, but we would encourage everyone to switch between 22.7.x for the least amount of possible impact.

Download links, an installation guide [1] and the checksums for the images can be found below as well.

22.7.11 (January 18, 2023)

This will be the end of life release for the 22.7 series with only a small number of reliability updates. Upgrades to 23.1-RC1 are possible from the development version of this release. We do expect an online update for RC2 next week.

The final 23.1 release will be on January 26. As always the upgrade path from the community version will be added as a hotfix shortly after the final release announcement is published. However, this time around LibreSSL will no longer update and must be switched to the OpenSSL flavour prior to the upgrade.

Here are the full patch notes:

  • system: fix a few minor Coverity Scan reports in Python code [1]

  • firewall: show automated “port 0” rule as actual port “0” on PHP 8

  • reporting: fix incompatible regex syntax in FreeBSD 13.1 for firewall state health statistics

  • unbound: safeguard retrieval of blocklist shortcode

  • mvc: fix IntegerField minimum value (contributed by xbb)

  • plugins: os-acme-client 3.15 [2]

  • plugins: os-stunnel fixes missing include in certificate script

  • ports: curl 7.87.0 [3]

  • ports: nss 3.87 [4]

  • ports: pcre 10.42 [5]

  • ports: phalcon 5.1.4 [6]

  • ports: php 8.0.27 [7]

  • ports: sqlite 3.40.1 [8]

  • ports: strongswan 5.9.9 [9]

  • ports: unbound 1.17.1 [10]

A hotfix release was issued as 22.7.11_1:

  • firmware: enable upgrade path to 23.1 (OpenSSL only)

22.7.10 (December 21, 2022)

Another small reliability update with additional RADIUS user creation support included. 23.1 is just around the corner now and most work for it has already been done. The major release is scheduled for January 26 with a release candidate coming out 2 weeks earlier.

Here are the full patch notes:

  • system: add group (class) sync and user creation for RADIUS authentication

  • system: show and search ACL endpoints in privilege selector

  • system: replace a number of log_error() calls with log_msg() equivalent

  • system: improve SSH lockout behaviour

  • firewall: sates page performance improvements and better address parsing in search

  • firewall: reuse “hostid” on filter reload events

  • ipsec: allow to search all phase 2 entries via API call

  • openvpn: remove unused “pool_enable” attribute

  • unbound: introduce blocklist module changes for upcoming 23.1

  • unbound: fix log message blocklist item count (contributed by kulikov-a)

  • unbound: also change working dir for unbound-checkconf in start script (contributed by kulikov-a)

  • ui: unicode content for tokenizer (contributed by kulikov-a)

  • plugins: os-clamav 1.8 [1]

  • plugins: os-ddclient IPv6 parsing fix [2]

  • plugins: os-rfc2136 1.7 fixes key format issue with latest bind-tools update

  • plugins: os-theme-cicada 1.31 (contributed by Team Rebellion)

  • plugins: os-theme-vicuna 1.43 (contributed by Team Rebellion)

  • plugins: os-wireguard post-start hook improvement for interface grouping

  • ports: curl 7.86.0 [3]

  • ports: dnsmasq 2.88 [4]

  • ports: nss 3.86 [5]

  • ports: phalcon 5.1.2 [6]

  • ports: phpseclib 3.0.18 [7]

  • ports: python 3.9.16 [8]

A hotfix release was issued as 22.7.10_2:

  • ipsec: default log should be set to “basic” but PHP 8 disagreed

  • unbound: fix missing query_reply property leading to an AttributeError

22.7.9 (December 01, 2022)

A quick update to address the new FreeBSD security advisory for ping utility as well as Suricata. The DNS block list was rewritten in Python and there will be a couple of cool additions for it in the foreseeable future. :)

Here are the full patch notes:

  • system: fix internal CRL check (contributed by kulikov-a)

  • system: fix a few minor Coverity Scan reports in PHP code [1]

  • interfaces: use get_interface_list() to identify hardware devices

  • interfaces: fix single ACL use for MVC/API interface pages

  • firewall: add category selection to aliases

  • unbound: rework DNSBL implementation to Python module

  • backend: clean up scripts/systemheath location

  • backend: moved log format definitions to new location for core and several plugins

  • mvc: change default sorting to case-insensitive

  • mvc: move JavaScript and CSS imports to base controller

  • mvc: make sure HostnameField with ZoneRootAllowed accepts “@.” prefix

  • plugins: os-telegraf 1.12.7 [2]

  • plugins: os-theme-cicada 1.30 (contributed by Team Rebellion)

  • plugins: os-theme-vicuna 1.42 (contributed by Team Rebellion)

  • plugins: os-wireguard now attempts to start tunnels again when all DNS is configured

  • src: ixgbe: workaround errata about UDP frames with zero checksum

  • src: hpet: Allow a MMIO window smaller than 1K

  • src: ping: fix handling of IP packet sizes [3]

  • ports: php 8.0.26 [4]

  • ports: sqlite 3.40.0 [5]

  • ports: suricata 6.0.9 [6]

A hotfix release was issued as 22.7.9_3:

  • unbound: fix blocklist use with DNS64 mode (contributed by kulikov-a)

  • unbound: change working directory before checking configuration

  • web proxy: fix broken “Google GSuite restricted” option

  • ports: suricata backs out new version 14 netmap API changes for now [7]

22.7.8 (November 17, 2022)

This is a small maintenance and security update. You will notice that LibreSSL no longer works with FreeRADIUS software due to hiding library internals that are used by the software. Your current install will continue to work, but we would recommend switching to OpenSSL to receive FreeRADIUS updates as they become available.

Also, the infamous log_error() message is being phased out in the development version to end the questions of “Why is this log message an error?” and so with log_msg() each log line receives a more appropriate log level between error, warning and notice.

Here are the full patch notes:

  • system: add statistics tree view containing vmstat memory characteristics

  • system: explicitly reopen main log file in case another log file was used and closed

  • system: tweak log_msg() to prepare log level adjustments migration away from log_error()

  • system: enforce config reload to fetch group membership in authentication tester

  • system: separate interface type icon from name column in interface widget

  • system: change system log default to “Notice”

  • system: UX tweaks on activity page

  • system: revised backend daemon startup delay

  • system: drop empty plugins_run() result

  • interfaces: migrate main clearing of interface data to ifctl

  • interfaces: fix display of special HTML characters in packet capture

  • interfaces: retain existing PPP settings on saving interface settings

  • interfaces: delete the correct lock of PPP device

  • interfaces: fix variable use in interface_proxyarp_configure()

  • firewall: wrap user rule registration in new function filter_core_rules_user()

  • firewall: simplify rule lookup by using filter_core_rules_user()

  • firewall: allow external dynamic address in NPT

  • firewall: remove extended VIP expansion from NAT rules

  • firewall: fix live view hostname lookup may result in HTTP 431 error

  • ipsec: remove side effect host route removal from Phase 1 page

  • unbound: do not stop on potential errors in start script

  • plugins: os-freeradius is no longer available for LibreSSL to allow updates of FreeRADIUS software

  • plugins: os-nginx 1.31 [1]

  • plugins: os-wireguard now skips invalid peers for dashboard widget (contributed by jkellerer)

  • ports: expat 2.5.0 [2]

  • ports: krb5 1.20.1 [3]

  • ports: nss 3.85 [4]

  • ports: phalcon 5.1.1 [5]

  • ports: sudo 1.9.12p1 [6]

22.7.7 (November 03, 2022)

We replaced the packet capture tool with a MVC/API rewrite and updated most plugins to use the new setup script facility when doing a start/restart/reload through the RC system.

A number of FreeBSD kernel improvements have been included as well.

Although OpenSSL is being updated keep in mind that the current popular vulnerability only exists in version 3 and we still use 1.1.1.

Here are the full patch notes:

  • system: fix getOID() call for phpseclib 3 while processing CSR

  • system: avoid error on installer user creation

  • system: show booting banner on dashboard

  • interfaces: show attached interface for VLAN device in overview

  • interfaces: packet capture MVC/API replacement

  • interfaces: fix ARP table name resolve backend issue (contributed by soif)

  • firewall: off-by-one in regex for target port range parse

  • firewall: support Maxmind unclassified “EU” as selectable country

  • firewall: fix possible race condition when changing limit in live log

  • firewall: fix sorting bug in aliases list

  • firewall: allow the use of “dynamic” interface types in shaper, e.g. IPsec devices

  • dnsmasq: remove expired root trust anchor (contributed by Johnny S. Lee)

  • firmware: always fetch the signature file to avoid signature issues after upgrades

  • firmware: use effective ABI in changelog fetch

  • firmware: ignore automatic business plugin and license hint

  • intrusion detection: missing OPNsense categories

  • ipsec: missing return in controller

  • openvpn: use ifctl in link up/down scripts

  • unbound: move the removal of pluggable files above the configuration check

  • unbound: remove 127/8 from private-address block when rebind protection is enabled

  • unbound: make the default private-address items configurable via the advanced page

  • unbound: fix possible error while opening DoT page

  • mvc: when multiple validation messages are returned wrap each message in a div tag

  • mvc: prevent UserExceptions to end up in the crash reporter

  • mvc: translate a base field error

  • backend: wait 1 second for configd socket to become available

  • console: store UUID for VLAN device

  • rc: remove obsolete NAME_var_script and NAME_var_mfs support

  • plugins: migrate all plugins to NAME_setup script use

  • plugins: $verbose argument in plugins_run() is spurious

  • plugins: os-acme-client 3.14 [1]

  • plugins: os-apcupsd 1.1 [2]

  • plugins: os-frr 1.31 [3]

  • plugins: os-haproxy 3.12 [4]

  • plugins: os-maltrail 1.10 [5]

  • plugins: os-openconnect 1.4.3 [6]

  • plugins: os-telegraf 1.12.6 [7]

  • plugins: os-tor 1.9 enables hardware acceleration (contributed by haarp)

  • plugins: os-wireguard 1.13 [8]

  • src: revert “e1000: try auto-negotiation for fixed 100 or 10 configuration”

  • src: vxlan: check the size of data available in mbuf before using them

  • src: vm_page: fix a logic error in the handling of PQ_ACTIVE operations [9]

  • src: cam: provide compatibility for CAMGETPASSTHRU for periph drivers [10]

  • src: loader: fix elf lookup_symbol type filtering [11]

  • src: zfs: fix a pair of bugs in zfs_fhtovp() [12]

  • src: zfs: fix use-after-free in btree code [13]

  • src: tcp: finish SACK loss recovery on sudden lack of SACK blocks [14]

  • src: igc: remove unnecessary PHY ID checks

  • src: ixl: add support for I710 devices and remove non-inclusive language

  • src: ixl: fix SR-IOV panics

  • src: rc: run NAME_setup before RC_ARG_precmd

  • src: u3g: add more USB IDs

  • ports: libxml 2.10.3 [15]

  • ports: nss 3.84 [16]

  • ports: openssl 1.1.1s [17]

  • ports: openvpn 2.5.8 [18]

  • ports: phalcon 5.1.0 [19]

  • ports: php 8.0.25 [20]

  • ports: python 3.9.15 [21]

  • ports: sudo 1.9.12 [22]

  • ports: unbound 1.17.0 [23]

A hotfix release was issued as 22.7.7_1:

  • openvpn: ifctl requires interface to operate

22.7.6 (October 12, 2022)

This update fixes CRL code handling with third party software and sandboxes the code to avoid dealing with boot-time issues ever again. However, due to the nature of the sandboxing no automatic fix can be made for the following case:

Creating and using an empty CRL in OpenVPN broke in 22.7.5 due to an ancient bug not populating the empty CRL in binary format: the side effect “correcting” this at runtime was removed. 22.7.6 will now correctly populate the binary format of the empty CRL upon creation in the config.xml as originally intended.

The options to manually fix existing empty CRLs are as follows:

  • Remove the CRL from OpenVPN as it is unused anyway, or

  • Add a dummy certificate to it to populate the CRL properly, or

  • Add and remove a random existing certificate to populate an empty CRL.

These fixes can be carried out on older installation without a problem as well prior to upgrading to avoid OpenVPN from not working post-upgrade.

Here are the full patch notes:

  • system: fix inconsistent is_crl_internal() implementation

  • system: make sure we always generate a CRL when saved

  • system: sandbox code handling CRL manipulation in the CRL manager page

  • system: wrap global product information handling into a singleton

  • system: move get_nameservers() to ifctl use

  • reporting: traffic graph polling interval selection and UX tweaks

  • interfaces: port 6RD/6to4 to ifctl use

  • interfaces: optionally use reverse DNS resolution for ARP table hostnames (contributed by soif)

  • interfaces: allow user-configurable VLAN device names with certain restrictions [1]

  • interfaces: small cleanup on get_real_interface()

  • firewall: simplify port forward rule logic for delete and toggle and make sure to toggle firewall rule as well

  • firewall: various performance and usability improvements in live log

  • firewall: extend all firewall rules with a UUID to align with MVC code upon edit

  • firmware: display license validity when applicable in business edition

  • ipsec: ACL fix for sessions users

  • unbound: support setting type value for DNS over TLS/Query Forwarding API (contributed by kulikov-a)

  • unbound: convert advanced settings to MVC/API

  • mvc: remove “clear all”, “copy” and “paste” options when only a single entry is allowed

  • mvc: fix typo in searchRecordsetBase()

  • ports: isc-dhcp 4.4.3P1 [2]

  • ports: phalcon 5.0.3 [3]

  • ports: php 8.0.24 [4]

  • ports: squid no-forgery patch fix

  • ports: strongswan 5.9.8 [5]

22.7.5 (October 05, 2022)

Today we are fixing a security issue involving the “installer” user and kernel-based TCP panics that some have been fighting with since FreeBSD 13. Some ports and plugins have also been updated now that the holiday season is coming to its inevitable end.

The security issue arises on fresh 22.7 installs only due to a boot-time optimization of user account handling since 22.1.8. Users are not reset on each boot anymore which improved boot times with many users but also made the “installer” user stick with the default password in this situation. Physical access to the console with this user was possible under these conditions even after installation and updates were completed. SSH access was also possible when both not restricting login to keys and allowing root login manually. The mandatory reboot after the update to 22.7.5 or higher remedies this problem.

In a default install the issue could only be exploited by manual console access. In general we want to advise users not to yield shell/console access to non-administrators, restrict physical access if applicable, and not offer SSH access based on user accounts, especially when SSH is accessible from the WAN side without a VPN.

In any case we recommend all users of 22.7.x to update immediately or take the necessary precautions to avoid the “installer” user from being accessed in an unauthorized fashion.

Here are the full patch notes:

  • system: remove stray installer account from fresh 22.7 installations

  • system: only use withPadding() for RSA based public keys in CRL code

  • system: remove unnecessary crl_update() calls in CRL code

  • system: extend pool options support in gateway groups

  • system: move get_searchdomains() to ifctl use and allow FQDN

  • system: add replacement hook for rc.resolv_conf_generate script

  • system: replace “dns reload” backend call with portable alternative

  • system: remove obsolete rc.resolv_conf_generate script

  • system: bring back the buttons action in OpenVPN dashboard widget (contributed by kulikov-a)

  • system: assorted cleanups for IXR library used for XMLRPC

  • system: catch errors in RSS dashboard widget

  • system: stop reading product info from global $g variable in system information dashboard widget

  • system: structurally improve boot sequence with regard to hosts/resolv.conf generation

  • system: add keyUsage extension and follow RFC on basicConstraints in CA config (contributed by kulikov-a)

  • interfaces: migrate wireless creation to legacy_interface_listget()

  • firewall: support TOS/DSCP matching in firewall rules

  • firewall: add os-firewall alias paths in getAliasSource() to prevent removal when being used

  • firewall: get lockout interface from get_primary_interface_from_list()

  • firewall: fix PHP 8 error in port forwarding page

  • firewall: fix PHP 8 error in aliases (contributed by kulikov-a)

  • firewall: parse pftop internal data conversion (contributed by kulikov-a)

  • firmware: opnsense-update: return subscription key via -K if it exists

  • ipsec: allow to set rightca in mobile phase 1 with EAP-TLS

  • ipsec: fix multiple phase 2 IP addresses on the same interface (contributed by Wagner Sartori Junior)

  • unbound: account for hostname during PTR creation

  • unbound: maintain a consistent dnsbl cache state

  • unbound: reduce blocklist read timeout (contributed by kulikov-a)

  • web proxy: update pattern to zst for the Arch packages (contributed by gacekjk)

  • plugins: os-crowdsec 1.0.1 [1]

  • plugins: os-ddclient 1.9 [2]

  • plugins: os-freeradius 1.9.21 [3]

  • plugins: os-nginx 1.30 [4]

  • src: ifconfig: print interface name on SIOCIFCREATE2 error

  • src: igc: do not start in promiscuous mode by default

  • src: tcp: correctly compute the retransmit length for all 64-bit platforms

  • src: tcp: fix cwnd restricted SACK retransmission loop

  • src: tcp: fix computation of offset

  • src: tcp: send ACKs when requested

  • ports: dnsmasq 2.87 [5]

  • ports: expat 2.4.9 [6]

  • ports: lighttpd 1.4.67 [7]

  • ports: nss 3.83 [8]

  • ports: phalcon 5.0.2 [9]

  • ports: php 8.0.23 [10]

  • ports: phpseclib 3.0.16 [11]

  • ports: python 3.9.14 [12]

  • ports: sqlite 3.39.3 [13]

  • ports: squid 5.7 [14]

  • ports: suricata 6.0.8 [15]

  • ports: unbound 1.16.3 [16]

22.7.4 (September 07, 2022)

This update addresses more issues with the somewhat unfortunate phpseclib 3 migration. WAN IPv6 SLAAC mode now works more reliably and TLS 1.3 web GUI configurations will enforce the expectations by software clients regarding interoperability.

Last but not least the “assign VLAN parent and enable” migration note from 22.1 is no longer required as the boot will attempt to configure all existing hardware devices once with the selected defaults.

Here are the full patch notes:

  • system: enforce RFC 8446 by requiring TLS_AES_128_GCM_SHA256 for TLS 1.3

  • system: consider CRL end dates after 2050 as “lifetime” in GeneralizedTime format

  • system: revert the default CRL hashing back to what it was in phpseclib 2

  • system: match TLS cipher suites and commands in web GUI settings (contributed by kulikov-a)

  • system: improve error message of CRL validation failure (contributed by kulikov-a)

  • system: fix phpseclib 3 use for CSR parsing on certificates page

  • system: add the default “-c” option to backend pluginctl invokes for consistency

  • system: rework console port assignment regarding wireless handling

  • interfaces: configure all hardware features for present devices

  • interfaces: bring up IPv6 device manually since SLAAC will not do that automatically

  • interfaces: merge DHCPv4 / DHCPv6 buttons on overview page (contributed by Maurice Walker)

  • interfaces: add support for requesting DNS info via stateless DHCPv6 (contributed by Maurice Walker)

  • dnsmasq: restart during “newwanip” event

  • ports: curl 7.85.0 [1]

  • ports: libxml 2.10.2 [2]

  • ports: sqlite 3.39.2 [3]

  • ports: syslog-ng 3.38.1 [4]

22.7.3 (September 01, 2022)

Pick up the new FreeBSD security advisories while also introducing assorted reliability improvements. CRL now works again for elliptic curve with the adoption of version 3 of phpseclib. Wireless handling was improved due to PHP 8 errors and coding style issues. It is also the subject of further work for 23.1.

Here are the full patch notes:

  • system: migrate CRL handling to phpseclib 3

  • system: run monitor reload inside system_routing_configure()

  • system: fix IPv6 link-local HTTP_REFERER check (contributed by Maurice Walker)

  • system: fix assorted PHP 8 warnings in the codebase

  • system: extend nameservers script return for debugging purposes, i.e. “configctl system list nameservers debug”

  • system: lighttpd obsoletion of server listing directive, disabled by default

  • system: decode stored CRL data before display (contributed by kulikov-a)

  • interfaces: update link-local matching pattern

  • interfaces: PPP is an exception, only created after interface configuration

  • interfaces: only remove known primary addresses in interface_bring_down()

  • interfaces: improve shell banner address return in prefix-only IPv6 case

  • interfaces: improve problematic <wireless/> node handling

  • interfaces: DHCP does not signal RELEASE

  • interfaces: web GUI locale sorts files differently when invoking ifctl

  • interfaces: improve legacy_interface_listget()

  • interfaces: only parse actual options in legacy_interfaces_details(), not nd6 options

  • firewall: implement a router file read fallback for new ifctl :slaac suffix

  • firewall: stick-address only in effect with pool option and multiple routers

  • firewall: remove dead pptpd server code

  • captive portal: lighttpd deprecation of legacy SSL options, disabled by default

  • dhcp: allow rapid-commit message exchange in IPv6 server (contributed by Maurice Walker)

  • firmware: major upgrade “pkgs” set was still unknown to plugin sync

  • intrusion detection: fix enable rule button and present active detail overwrite if present

  • ipsec: fixed widget link (contributed by Patrik Kernstock)

  • unbound: improve FQDN handling when address is moving in DHCP watcher

  • unbound: prevent DNS rebinding check and DNSSEC validation on explicit forwarded domains

  • unbound: restrict creation of PTR records for both the system domain and host overrides

  • unbound: add AAAA-only mode (contributed by Maurice Walker)

  • lang: fix syntax errors in French translation (contributed by kulikov-a)

  • ui: fix type cast issue in Bootgrid

  • plugins: os-ddclient relaxes validation of description field

  • plugins: os-frr 1.30 [1]

  • plugins: os-nginx now uses simplified NAME_setup service handling

  • plugins: os-wireguard 1.12 [2]

  • plugins: os-zabbix-agent 1.13 [3]

  • plugins: os-zabbix-proxy 1.9 [4]

  • src: rc: improve NAME_setup integration

  • src: zlib: fix a bug when getting a gzip header extra field with inflate() [5]

  • src: tzdata: import tzdata 2022b and 2022c [6]

  • ports: ldns 1.8.3 [7]

  • ports: liblz4 1.9.4

  • ports: libxml 2.10.1 [8]

  • ports: nss 3.82 [9]

  • ports: phpseclib 3.0.14 [10]

A hotfix release was issued as 22.7.3_2:

  • system: work around phpseclib 3 flagging RSA-PSS as an invalid key alogrithm

  • system: check for existing X509 class before doing CRL update

22.7.2 (August 17, 2022)

This update comes a little earlier than expected due to FreeBSD security advisories. Of special interest is the new firewall alias BGP ASN type and notices system which can also be implemented from plugins in the future.

Here are the full patch notes:

  • system: replace static notices system with a shared one based on MVC/API code

  • system: use new _setup script feature where setup.sh exists

  • system: PHP 8 issue when ldap_get_entries() returns false

  • system: wrong variable in scope addition on manual DNS server via link-local gateway

  • system: “passwordarea” support for sensitive backup values

  • interfaces: fix wireless clone assignment regression in 22.7.1

  • interfaces: update ifctl utility to latest version

  • firewall: add BGP ASN type to aliases [1]

  • dhcp: extend search list pull from DHCPv6 in router advertisements DNS option

  • dhcp: improve UI for disabling DNS part of router advertisements (contributed by Patrick M. Hausen)

  • dhcp: pushed wrong server to zone definition on local DNS selection

  • firmware: opnsense-patch: only remove “.sh” suffix for installer and update repos

  • firmware: opnsense-update: only set packages marker after successful upgrade

  • firmware: opnsense-bootstrap: set correct packages marker

  • firmware: revoke 22.1 fingerprint

  • plugins: os-radsecproxy is no longer available on LibreSSL due to upstream build issues

  • plugins: os-acme-client 3.13 [2]

  • plugins: os-bind 1.24 [3]

  • plugins: os-haproxy 3.11 [4]

  • plugins: os-git-backup hides SSH keys by default

  • plugins: os-postfix disables GSSAPI for the time being [5]

  • src: lib9p: remove potential buffer overwrite in l9p_puqids() [6]

  • src: vm_fault: shoot down shared mappings in vm_fault_copy_entry() [7]

  • src: elf_note_prpsinfo: handle more failures from proc_getargv() [8]

  • src: pam_exec: fix segfault when authtok is null [9]

  • src: kevent: fix an off-by-one in filt_timerexpire_l() [10]

  • src: cam: leep periph_links when restoring CCB in camperiphdone() [11]

  • src: pfctl: fix FOM_ICMP/POM_STICKYADDRESS clash

  • src: restrict default /root permissions to 750

  • src: rc: add ${name}_setup script support

  • ports: lighttpd 1.4.66 [12]

  • ports: phalcon 5.0.0RC4 [13]

  • ports: php 8.0.22 [14]

22.7.1 (August 09, 2022)

This update first and foremost addresses reported regressions with the initial version and the required security update for Unbound. Expect follow-up releases to be a bit more noisy as we are going to introduce the new notification system and further IPv6 improvements plus new roadmap items to be announced in the upcoming weeks.

Here are the full patch notes:

  • system: fix regression in config backup due to timestamp key rename

  • system: fix assorted warnings generated by PHP 8

  • system: do not reload Unbound/Dnsmasq hosts configuration by default

  • system: use proper CRL id-ce-cRLReasons extension keyword ‘unspecified’

  • system: properly cleanse user input in Monit dashboard widget

  • system: remove dead code from login form

  • interfaces: fix get_interface_mac() not returning a cached MAC address

  • interfaces: hide nonexistent MAC info on wireless edit page

  • interfaces: stop DHCP from calling rc.newwanip when no changes are being done

  • interfaces: bring routes back unconditionally after reconfiguring 6to4/6rd IPv6 connectivity

  • interfaces: GIF/GRE IPv6 default remote network size selection is now “128” instead of “64”

  • dhcp: do not advertise DNS domain when DNS router advertisements are disabled (contributed by Patrick M. Hausen)

  • unbound: do not start DHCP watcher immediately after daemonizing Unbound itself

  • lang: fix reported issues with Italian and French translations

  • plugins: os-acme-client 3.12 [1]

  • plugins: os-freeradius 1.9.20 [2]

  • plugins: os-git-backup fixes git binary variable use

  • plugins: os-haproxy fixes deprecation notes in PHP 8 (contributed by Gavin Chappell)

  • plugins: os-maltrail 1.9 [3]

  • plugins: os-munin-node 1.1 [4]

  • plugins: os-netdata 1.2 [5]

  • plugins: os-nginx 1.29 [6]

  • ports: libxml 2.9.14 [7]

  • ports: nss 3.81 [8]

  • ports: rrdtool 1.8.0 [9]

  • ports: unbound 1.16.2 [10]

22.7 (July 28, 2022)

For more than 7 and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

22.7, nicknamed “Powerful Panther”, features the upgrade to FreeBSD 13.1, PHP 8.0, Phalcon 5, stacked VLAN and Intel QuickAssist (QAT) support, DDoS protection using syncookies, MVC/API pages for IPsec status and Unbound overrides, new APCUPSD and CrowdSec plugins plus much more.

LibreSSL flavour is scheduled for removal at the end of this series and will likely receive no further maintenance. Software failing to work properly starting with Tor will have its plugin removed from the flavour from now on to be able to keep updating the software to their latest versions in the OpenSSL flavour. The next major upgrade will automatically transition to the OpenSSL flavour, but we would encourage everyone to switch between 22.7.x for the least amount of possible impact.

Download links, an installation guide [1] and the checksums for the images can be found below as well.

Here are the full patch notes against 22.1.10:

  • system: changed certificate revocation to use the phpseclib library

  • system: performance improvement for set_single_sysctl()

  • system: restart syslog fully and only once after all services have been started

  • system: new setting for deployment mode to control PHP error flow

  • system: /tmp MFS now uses a maximum of 50% of RAM by default and can be adjusted

  • system: /var MFS becomes /var/log MFS and uses a maximum of 50% of RAM by default and can be adjusted

  • system: previous special /var MFS content is now permanently stored under /var to ensure full operability

  • system: flush all core Python pyc files on updates

  • system: protect syslog-ng against out of memory kills

  • system: add filter to system log widget (contributed by kulikov-a)

  • system: disable RRD and NetFlow shutdown backups by default

  • system: render interfaces in convert_config()

  • system: apply default firewall policy before interface configuration

  • system: move remote backup script to proper file system location

  • system: disable flag was not removing static route

  • system: Net_IPv6::compress() should not compress “::” to “”

  • system: fix RADIUS config validation for port requirement (contributed by Josh Soref)

  • system: remove last bits of circular logging (CLOG) support

  • system: removed legacy Diffie-Hellman parameter handling

  • interfaces: refactored LAGG, wireless and static ARP handling

  • interfaces: provide automatic startup of Loopback, IPsec, OpenVPN, VXLAN devices

  • interfaces: removed the side effect reliance on /var/run/booting file

  • interfaces: add dynamic reload of required devices

  • interfaces: add WPA enterprise configuration for infrastructure mode (contributed by Manuel Faux)

  • interfaces: fix “Allow service binding” for multiple aliases per interface (contributed by Adam Dawidowski)

  • interfaces: auto-detect far gateway requirement for default route

  • interfaces: switch to MVC/API variant for DNS lookup page

  • interfaces: refactor DHCP and PPPoE scripts to use ifctl exclusively

  • interfaces: prevent the removal of default routes in dhclient-script

  • interfaces: fix inconsistencies in wireless handling

  • interfaces: fix unable to bring up multiple loopback (contributed Johnny S. Lee)

  • interfaces: fix unable to bring up multiple VXLAN

  • interfaces: check if int before passing to convert_seconds_to_hms()

  • interfaces: disable IPv6 inside 4in6 and 4in4 GIF tunnels (contributed by Maurice Walker)

  • interfaces: ping diagnostics tool must explicitly set IP version (contributed by Maurice Walker)

  • interfaces: remove other inconsistencies regarding ping utility changes in FreeBSD 13

  • interfaces: correct regex validation for dhcp6c expire statement (contributed by Josh Soref)

  • interfaces: add missing scope to link-local GIF host route

  • interfaces: add iwlwiwi(4) to wireless devices

  • firewall: improved port alias performance

  • firewall: obsoleted notices inside the synchronization code

  • firewall: support logging in NPT rules

  • firewall: append missing link-local to inet6 :network selector

  • firewall: move inspect action into its own async API action to prevent long page loads

  • firewall: internal aliases cannot be disabled

  • firewall: performance improvement for reading live log

  • firewall: ignore age/expire when not provided or empty in sessions page

  • firewall: add general firewall log for alias and filter system log messages

  • dhcp: no longer automatically add a link-local address to bridges if IPv6 service is running on it

  • dhcp: allow running relay service on bridges

  • dhcp: clean up IPv6 prefixes script

  • dhcp: include ddns-hostname and other cleanups (contributed by Sascha Buxhofer)

  • dhcp: remove duplicated ddnsupdate static mapping switch

  • dhcp: remove print_content_box() use

  • dhcp: switch to shell-based DHCPv6 lease watcher

  • dhcp: rewrite prefix merge for dynamic IPv6 tracking to support bitwise selection

  • dnsmasq: switch to a Python-based DHCP lease watcher

  • firmware: console script can now show changelog using “less” before update

  • firmware: disable crash reporter in development deployment mode

  • firmware: limit changelog-based update check on dashboard to release version

  • firmware: provide an upgrade log audit

  • intrusion detection: remove dead link to McAfee rule references

  • ipsec: add “IPv4+6” protocol for mobile phase 1 entries (contributed by vnxme)

  • ipsec: mobile property boolean duplication in phase 2

  • ipsec: remember phase 1 setting for next action

  • ipsec: switch to MVC/API variants of SPD, SAD and connection pages

  • ipsec: small UX tweaks in status page

  • openvpn: pinned Diffie-Hellman parameter to RFC 7919 4096 bit key

  • unbound: prevent crash of DHCP lease watcher due to unhandled CalledProcessError exception

  • lang: bring back Italian and update all languages to latest available translations

  • mvc: bugfix search and sort issues for searchRecordsetBase()

  • mvc: add support for non-persistent (memory) models

  • mvc: throw when no mount found in model (contributed by agh1467)

  • mvc: fix rowCount when all is selected in searchRecordsetBase()

  • mvc: fix two regressions in BaseField for Phalcon 5

  • mvc: store configuration changes only when actual changes exist

  • ui: removed Internet Explorer support

  • ui: boostrap-select ignored header height

  • ui: merge option objects instead of replacing them in bootgrid (contributed by agh1467)

  • ui: correct required API for command-info in bootgrid (contributed by agh1467)

  • ui: add catch undefined TypeError in SimpleActionButton (contributed by agh1467)

  • ui: fix assorted typos in the code base (contributed by Josh Soref)

  • ui: handle HTTP 500 error gracefully in MVC pages

  • plugins: os-apcupsd 1.0 [2] (contributed by David Berry, Dan Lundqvist and Nicola Pellegrini)

  • plugins: os-boot-delay is no longer available [3]

  • plugins: os-crowdsec 1.0 [4]

  • plugins: os-nginx fix for missing DH parameter file

  • plugins: os-postfix fix for missing DH parameter file

  • plugins: os-tayga 1.2 [5]

  • plugins: os-tor no longer available on LibreSSL due to incompatibilities with newer Tor versions

  • plugins: os-web-proxy-useracl is no longer available, no updates since 2017

  • src: FreeBSD 13.1-RELEASE [6]

  • src: axgbe: also validate configuration register in GPIO expander

  • src: pf: ensure that pfiio_name is always nul terminated

  • src: pf: make sure that pfi_update_status() always zeros counters

  • src: igc: change default duplex setting

  • src: e1000: try auto-negotiation for fixed 100 or 10 configuration

  • ports: php 8.0.20 [7]

  • ports: sqlite 3.39.0 [8]

  • ports: suricata 6.0.6 [9]

  • ports: unbound 1.16.1 [10]

A hotfix release was issued as 22.7_4:

  • system: IXR_Library using incorrect constructor format for PHP 8

  • interfaces: fix issues with PPP uptime display in PHP 8

  • firewall: do not emit link-local address on IPv6 network outbound NAT

  • mvc: remove stray error_reporting(E_ALL) calls

Known issues and limitations:

  • The DH parameter is no longer available in OpenVPN server configuration and now fixed to the RFC 7919 4096 bit key. The only downside may be lower performance on older machines.

  • The infamous /var MFS feature was reduced to the /var/log scope in order to avoid future issues with plugins requiring persistent storage under /var. In practice people who used /var MFS had no benefit over it with software that required persistent storage under /var to operate in the first place. Periodic configuration file writes to /var are negligible on SSD-based systems.

  • The os-dyndns plugin is still available due to the fact that ddclient did not release a non-development release so far since we started os-ddclient. Availability thereof might change later in 22.7.x.

  • The console firmware update will now display text-based changelogs for the update to be installed if available. Use the arrow keys to scroll the changelog and type “q” to resume the update process.

  • The manual DHCPv6 tracking mode now requires a proper prefix range given like its counterpart with a static address. If a previous prefix ID type input is detected only setting the lower 64 bits of an IPv6 address, a warning is emitted and the ID is treated as the upper 64 bits of an IPv6 address instead. If your DHCPv6 server does not start please properly fix the given range.

The public key for the 22.7 series is:

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAs9U1NFG2420gDDQO97iU
# S72sRdCaYCMoY2K8PpjrPGOkgDFN79YB+BYyUDZiO6aHJvy07yuDwhJcTiMWzuyF
# Ub6BqdB2ehjP0+/Sh2z9eOWecI6s7rDxJVwaZRSagA3f5pDYj2LKtAqIPnv3Avs1
# GTSHUZPR+V09UzUq/j0gRCNA+5hJrRwbyebaUGcp8QetUirmewAU5ArfXIBXvhn9
# L9i8+r0/M/QbueSA7mOA4v2BDZVMAo1X72O6GZmpt+SY6A2fA9uvgYU/19hlCJQY
# 6eL16U4TG2Z1tyR6TIsjGZ973UDAFdZqDO4nqPeW/Dm20fnY/X6ZJcU1McbeDftZ
# 10lquuZBrFgxVDB6zBYX5319p1ASeYnSdhvFlK02P8a6OJS6JWmCx5j1VRAU8Zh1
# W5xZRJJi6HmbX2b1ef2cy3ijtT/jviSNXEPR9V2otz9B+lc0g8P/hPwd7hpmdYj0
# +KYcPaa1kmR4/xf++hb5XbOLt2Wc4mbyBph4VPeXiLYUfYlpYNwfvuP56zdylk+p
# Mzw3XM1M36vA9oMXM9hLrrG67/UH6s4td//w4zdFPQ+A/rlVeF8EHsHICi6Salki
# Z+R9FCNM61wU9HdAPOSpDn1aPQdW3HPNVmeI0iHPg42jIT1n1T0720XgHRTfntyh
# E2+jioeukrqqEg1fzmszseMCAwEAAQ==
# -----END PUBLIC KEY-----
# SHA256 (OPNsense-22.7-OpenSSL-dvd-amd64.iso.bz2) = 9345057e993cd55dfa5280beefd33f1dc2243681defff3c5f11b84fa2c7910f8
# SHA256 (OPNsense-22.7-OpenSSL-nano-amd64.img.bz2) = 061ea4ca261bcd8397ae1a4acf2fb32f0fbbb6ac00d617e1f4151318f66cc77d
# SHA256 (OPNsense-22.7-OpenSSL-serial-amd64.img.bz2) = cf1603e20d4268d917b40344ddadd2f147c3e167dbe1f6cd254a2afcb586fb4d
# SHA256 (OPNsense-22.7-OpenSSL-vga-amd64.img.bz2) = 2537f37247d98e27634c34cdf23f30f95d0ed00ac0af01c2d9675580a790f8fb

22.7.r2 (July 20, 2022)

Quick update on the release candidate series with assorted improvements.

All relevant tickets have been closed and roadmap items completed. There are no visible blockers for 22.7 next week at the moment so we will still be targeting July 28 as the release date.

Here are the full patch notes:

  • system: apply default firewall policy before interface configuration

  • system: move remote backup script to proper file system location

  • system: remove support for displaying legacy logs in the GUI

  • system: disable flag was not removing static route

  • system: Net_IPv6::compress() should not compress “::” to “”

  • system: fix RADIUS config validation for port requirement (contributed by Josh Soref)

  • interfaces: disable IPv6 inside 4in6 and 4in4 GIF tunnels (contributed by Maurice Walker)

  • interfaces: ping diagnostics tool must explicitly set IP version (contributed by Maurice Walker)

  • interfaces: remove other inconsistencies regarding ping utility changes in FreeBSD 13

  • interfaces: correct regex validation for dhcp6c expire statement (contributed by Josh Soref)

  • interfaces: add missing scope to link-local GIF host route

  • dhcp: remove print_content_box() use

  • dnsmasq: switch to a Python-based DHCP lease watcher

  • firmware: limit changelog-based update check on dashboard to release version

  • firmware: provide an upgrade log audit

  • intrusion detection: remove dead link to McAfee rule references

  • unbound: prevent crash of DHCP lease watcher due to unhandled CalledProcessError exception

  • mvc: fix two regressions in BaseField for Phalcon 5

  • mvc: store configuration changes only when actual changes exist

  • ui: fix assorted typos in the code base (contributed by Josh Soref)

  • ui: handle HTTP 500 error gracefully in MVC pages

Stay safe, Your OPNsense team

22.7.r1 (July 13, 2022)

For more than 7 and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you. <3

Download links, an installation guide [1] and the checksums for the images can be found below as well.

Here are the full patch notes against 22.1.10:

  • system: removed legacy Diffie-Hellman parameter handling

  • system: changed certificate revocation to use the phpseclib library

  • system: performance improvement for set_single_sysctl()

  • system: restart syslog fully and only once after all services have been started

  • system: new setting for deployment mode to control PHP error flow

  • system: /tmp MFS now uses a maximum of 50% of RAM by default and can be adjusted

  • system: /var MFS becomes /var/log MFS and uses a maximum of 50% of RAM by default and can be adjusted

  • system: previous special /var MFS content is now permanently stored under /var to ensure full operability

  • system: flush all core Python pyc files on updates

  • system: protect syslog-ng against out of memory kills

  • system: add filter to system log widget (contributed by kulikov-a)

  • interfaces: refactored LAGG, wireless and static ARP handling

  • interfaces: provide automatic startup of Loopback, IPsec, OpenVPN, VXLAN devices

  • interfaces: removed the side effect reliance on /var/run/booting file

  • interfaces: add dynamic reload of required devices

  • interfaces: add WPA enterprise configuration for infrastructure mode (contributed by Manuel Faux)

  • interfaces: fix “Allow service binding” for multiple aliases per interface (contributed by Adam Dawidowski)

  • interfaces: auto-detect far gateway requirement for default route

  • interfaces: switch to MVC/API variant for DNS lookup page

  • interfaces: refactor DHCP and PPPoE scripts to use ifctl exclusively

  • interfaces: prevent the removal of default routes in dhclient-script

  • interfaces: fix inconsistencies in wireless handling

  • firewall: improved port alias performance

  • firewall: obsoleted notices inside the synchronization code

  • firewall: support logging in NPT rules

  • firewall: append missing link-local to inet6 :network selector

  • firewall: move inspect action into its own async API action to prevent long page loads

  • firewall: internal aliases cannot be disabled

  • firewall: performance improvement for reading live log

  • dhcp: no longer automatically add a link-local address to bridges if IPv6 service is running on it

  • dhcp: allow running relay service on bridges

  • dhcp: clean up IPv6 prefixes script

  • dhcp: include ddns-hostname and other cleanups (contributed by Sascha Buxhofer)

  • dhcp: remove duplicated ddnsupdate static mapping switch

  • firmware: added 22.7 series fingerprint

  • firmware: console script can now show changelog using “less” before update

  • firmware: disable crash reporter in development and debug deployments

  • ipsec: add “IPv4+6” protocol for mobile phase 1 entries (contributed by vnxme)

  • ipsec: mobile property boolean duplication in phase 2

  • ipsec: remember phase 1 setting for next action

  • ipsec: switch to MVC/API variants of SPD, SAD and connection pages

  • openvpn: pinned Diffie-Hellman parameter to RFC 7919 4096 bit key

  • lang: bring back Italian and update all languages to latest available translations

  • mvc: bugfix search and sort issues for searchRecordsetBase()

  • mvc: add support for non-persistent (memory) models

  • mvc: throw when no mount found in model (contributed by agh1467)

  • ui: removed Internet Explorer support

  • ui: boostrap-select ignored header height

  • ui: merge option objects instead of replacing them in bootgrid (contributed by agh1467)

  • ui: correct required API for command-info in bootgrid (contributed by agh1467)

  • ui: add catch undefined TypeError in SimpleActionButton (contributed by agh1467)

  • plugins: os-apcupsd 1.0 [2] (contributed by David Berry, Dan Lundqvist and Nicola Pellegrini)

  • plugins: os-boot-delay is no longer available [3]

  • plugins: os-tayga 1.2 [4]

  • plugins: os-tor no longer available on LibreSSL due to incompatibilities with newer Tor versions

  • plugins: os-web-proxy-useracl is no longer available, no updates since 2017

  • src: FreeBSD 13.1-RELEASE [5]

  • ports: php 8.0.20 [6]

  • ports: sqlite 3.39.0 [7]

A hotfix release was issued as 22.7.r1_8:

  • system: disable RRD and NetFlow shutdown backups by default

  • system: render interfaces in convert_config()

  • interfaces: fix unable to bring up multiple loopback (contributed Johnny S. Lee)

  • interfaces: fix unable to bring up multiple VXLAN

  • interfaces: check if int before passing to convert_seconds_to_hms()

  • ipsec: small UX tweaks in status page

  • mvc: fix rowCount when all is selected in searchRecordsetBase()

  • plugins: os-nginx fix for missing DH parameter file

  • plugins: os-postfix fix for missing DH parameter file

Known issues and limitations:

  • The DH parameter is no longer available in OpenVPN server configuration and now fixed to the RFC 7919 4096 bit key. The only downside may be lower performance on older machines.

  • The infamous /var MFS feature was reduced to the /var/log scope in order to avoid future issues with plugins requiring persistent storage under /var. In practice people who used /var MFS had no benefit over it with software that required persistent storage under /var to operate in the first place. Periodic configuration file writes to /var are negligible on SSD-based systems.

The public key for the 22.7 series is:

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAs9U1NFG2420gDDQO97iU
# S72sRdCaYCMoY2K8PpjrPGOkgDFN79YB+BYyUDZiO6aHJvy07yuDwhJcTiMWzuyF
# Ub6BqdB2ehjP0+/Sh2z9eOWecI6s7rDxJVwaZRSagA3f5pDYj2LKtAqIPnv3Avs1
# GTSHUZPR+V09UzUq/j0gRCNA+5hJrRwbyebaUGcp8QetUirmewAU5ArfXIBXvhn9
# L9i8+r0/M/QbueSA7mOA4v2BDZVMAo1X72O6GZmpt+SY6A2fA9uvgYU/19hlCJQY
# 6eL16U4TG2Z1tyR6TIsjGZ973UDAFdZqDO4nqPeW/Dm20fnY/X6ZJcU1McbeDftZ
# 10lquuZBrFgxVDB6zBYX5319p1ASeYnSdhvFlK02P8a6OJS6JWmCx5j1VRAU8Zh1
# W5xZRJJi6HmbX2b1ef2cy3ijtT/jviSNXEPR9V2otz9B+lc0g8P/hPwd7hpmdYj0
# +KYcPaa1kmR4/xf++hb5XbOLt2Wc4mbyBph4VPeXiLYUfYlpYNwfvuP56zdylk+p
# Mzw3XM1M36vA9oMXM9hLrrG67/UH6s4td//w4zdFPQ+A/rlVeF8EHsHICi6Salki
# Z+R9FCNM61wU9HdAPOSpDn1aPQdW3HPNVmeI0iHPg42jIT1n1T0720XgHRTfntyh
# E2+jioeukrqqEg1fzmszseMCAwEAAQ==
# -----END PUBLIC KEY-----

Please let us know about your experience!

# SHA256 (OPNsense-22.7.r1-OpenSSL-dvd-amd64.iso.bz2) = 4c4a58de86b112e62721d53667e21745b85e4d6ba696ec0f52ab7bf7edcb21e4
# SHA256 (OPNsense-22.7.r1-OpenSSL-nano-amd64.img.bz2) = 325fd29d4ca191b6dd90845e4ddfeb96fff2ebcc03b2b675ac656660e8d58b0d
# SHA256 (OPNsense-22.7.r1-OpenSSL-serial-amd64.img.bz2) = d5adb1425e6d49386513f241fd6375ff466b65da01dc4142bc32dd58732c90a0
# SHA256 (OPNsense-22.7.r1-OpenSSL-vga-amd64.img.bz2) = ca846e3c53696ebe4a94364e45f5a358091b8493ea982690568eb16212dc0f75