Messages - franco

#1
To be a bit more clear: we'll try to see if 2.92 RC3 behaves normally, memory leaks aside, and provide a test package here if it looks ok some time next week.


Cheers,
Franco
#2
On Reddit we concluded the troubleshooting and now 25.10.1 offers an updated OPNBEcore package which reverts the bad code for the time being.


Cheers,
Franco
#3
Which version then?
#4
The downgrade is painless and on the fly. It only replaces the bad plugin update. Just need to issue the following command on each node in the shell:

# opnsense-revert -r 25.10p1 os-OPNBEcore


Cheers,
Franco
#5
A hotfix release was issued as 25.7.9_7:

o system: fix hidden syslog HA XMLRPC sync option
o firewall: aliases: add has_parser() to check if an alias has a valid parser available
o firewall: clean up rules edit cancel button
o unbound: fix condition in safesearch template
o unbound: fix "configctl unbound check" after 25.7.8
#6
Yes, this was a targeted fix for syncing network time servers (and other flat values described in the XMLRPC sync data).

So the problem continues when all nodes are up to date?

In that case can you downgrade OPNBEcore everywhere?

# opnsense-revert -r 25.10p1 os-OPNBEcore

I don't mind removing the change via hotfix later today if it has these unforeseen issues, but I'd like to be 100% sure that is the problem.


Cheers,
Franco
#8
https://github.com/opnsense/changelog/blob/master/community/25.7/25.7.6#L9-L14

It will forever be the most critical cosmetic stain on the firmware upgrade code in a ten-year project history. If we could influence the behaviour of the package manager we would have, but it's basically a choice someone else made.

The package manager isn't bad at all, but sometimes you can see that Unix tools are written to be operated by people who can tolerate a different output. In this case the GUI which hasn't changed in years couldn't handle the new pkg behaviour. It was fixed immediately, but it requires an update which requires a package manager update which requires a time machine so I can go back in time and fix 25.7 just so that the bug would never appear.

Also a short shoutout to the console update, which is immune to such package manager oddities on upgrades. That's how it was designed, as it doesn't have to read the list of packages to be updated to display it to the user.

Just my 2 cents for due diligence. Don't take it too seriously.


Cheers,
Franco
#9
This business release is based on the OPNsense 25.7.8 community version
with additional reliability improvements, but without revamped Unbound
blocklists for the time being.

Please be aware that during the update check the new package manager will be
installed, but will fail to report the update status like it always had before
and so you will end up with an error that will require checking for updates
again.  The fix is in this update, but impossible to install without upgrading
the package manager first.  We hope this will only be a minor inconvenience
during the process.

Also, Python has reported security issues of which a DoS in http.client could
potentially affect existing installations given that an HTTP server sends
a malicious response which "can consume a large amount of memory and CPU time
and cause swapping".  Python has not released an update for version 3.11 at
this point in time.

Here are the full patch notes:

o system: use new file_safe() in two instances
o system: improve the HA VIP sync code
o system: simplify RRD backup code and remove exec() usage[1] (reported by Alex Williams from Pellera Technologies working with Trend Zero Day Initiative)
o system: move valid_from search criteria to log_matcher for faster end of search
o system: use file_safe() in gateway monitor watcher
o system: refactor factory reset page to MVC and add a reset per component operating on models
o system: fix a HA sync regression introduced in 25.7.6 that prevented a sync from succeeding in an edge case
o system: defaults: properly delete empty model containers in the configuration
o system: switch int/bool to string in gateway properties
o system: ignore TypeErrors when parsing log lines in the backend
o system: replace various raw exec(), system(), passthru() and shell_exec() calls with safer variants
o system: add host route deletion support to system_host_route()
o system: move the general page host route removal to system_host_route()
o system: add CA chain to PKCS12 export
o system: fix hidden syslog HA XMLRPC sync option
o interfaces: fix permission of packet capture file in strict security mode
o interfaces: ifctl: always allow reads to internal state files
o interfaces: fix overview details button not working
o interfaces: support link-local IPv6 mode
o interfaces: also stop PPPoE connections when CARP is temporarily disabled (contributed by René Mayrhofer)
o interfaces: fix packet capture and ping buttons not working since 25.7.7
o interfaces: limit execution of sysctl scope in PPP device edit code
o interfaces: safer interfaces_pfsync_configure() handling
o firewall: refactor live log using a ring buffer
o firewall: add toggles to disable selected automatic rules
o firewall: enable "safe delete" for categories
o firewall: improved stats rendering on automation rules
o firewall: allow searching aliases in automation rules inspect mode by IP address
o firewall: automation: fix alias IP address search
o firewall: automation: allow interface parameter to contain a list of interfaces for API users
o firewall: aliases: replace invalid unicode chars (contributed by Marius Halden)
o firewall: live log: only execute redraw on visibility state transition
o firewall: live log: optimize viewbuffer rendering
o firewall: live log: prevent re-resolving in-flight requests and move host lookup to current filtered view
o firewall: live log: fix data ordering and add table/history limit options
o firewall: live log: use "badge" class like before
o firewall: live log: make this grid static and slightly adjust info column width
o firewall: live log: backwards compatibility for old "interface_name" field type
o firewall: live log: fix wrong variable scope
o firewall: live log: restructure DOM layout to reduce wasted header space
o firewall: live log: revert static property, persistence is disabled for this grid
o firewall: states: fix delete_selected firewall states (contributed by Alexander Sulfrian)
o firewall: do not allow nesting in GeoIP aliases
o firewall: automation: split search logic and normalize legacy output
o firewall: aliases: add a few GeoIP related logging messages
o firewall: mute pfctl-based table entry expire to avoid cron noise due to stderr use
o firewall: aliases: missing placeholder for username in basic auth type selection
o firewall: support "0" as valid rule ID in rule lookup redirect
o firewall: automation: add per-rule state timeouts for "udp.first", "udp.multiple" and "udp.single"
o captive portal: fix selectpicker #voucher-groups not being re-rendered after change event
o captive portal: move grid init to tab show event
o dnsmasq: strict hostname and domain validation plus improved ipset validations
o dnsmasq: add optgroup support to DHCP option fields and expose all DHCPv4 options
o dnsmasq: switch to file_safe() use in backend
o dnsmasq: minor safe execution changes in backend
o firmware: package manager upgrade changes for pkg 2.x
o intrusion detection: remove obsolete "ac-bs" pattern matcher algorithm
o ipsec: sessions: add datakey property for row mapping
o ipsec: status: search phase 2 triggered twice on click and cleanup tooltip event as well
o ipsec: disable model caching on SPD page
o ipsec: add AES256GCM16 to the child ESP proposals list
o ipsec: hide phase 2 output based on phase 1 status instead of the row count for phase 2
o ipsec: add "reqid_base" setting to advanced settings
o ipsec: sessions: fix missing commands translation
o ipsec: connections: prevent model caching when referring items within the same model
o isc-dhcp: adjust backend for safe execution
o kea-dhcp: automatic route support for PD leases
o kea-dhcp: case insensitive MAC address comparison
o openssh: minor safe execution change in backend
o openvpn: add support for pushing excluded routes via net_gateway (contributed by Patrice Damezin)
o openvpn: allow multiple domains settings for client connection (contributed by Krisztian Ivancso)
o openvpn: use file_safe() to write CRL files
o openvpn: swap description and mode in "tls_key" and require a description for static keys
o openvpn: one safe execution change
o openvpn: add fast-io option (contributed by mdten)
o radvd: safe execution changes
o unbound: use file_safe() for root hint creation
o unbound: deprecate unmaintained AdAway blocklist (contributed by Maurice Walker)
o unbound: duplicate pointer records due to not casting the field types
o unbound: missing lock in del_host_override action
o wireguard: add debug option to instances
o wireguard: fix wrong maximum value for "PersistentKeepalive"
o backend: add file_safe() helper for atomic file creation
o backend: rename "realif" variables to "device" in a number of spots
o backend: avoid the use of get_real_interface() when it does not matter and remove dead code associated with that
o backend: extend shell_safe() to emulate exec() $output argument magic
o backend: reimplement existing command execution functions with Shell class implementation
o backend: replace mwexecf_bg() with mwexecfb() for clarity
o mvc: add RegexField to properly validate PCRE2 syntax
o mvc: support arrays in search clauses
o mvc: OptionField: properly translate optgroup
o mvc: JsonKeyValueStoreField: fix race condition when using SourceField in the model
o mvc: persist models description in root attribute of its respective configuration
o mvc: move translation to menu system and add "FixedName" property
o mvc: extend ModelRelationField so it can optionally disable caching
o mvc: rewrite the old Shell class according to our current standards for safe command execution (exec_safe() wrapper)
o mvc: fix default sort order being ignored in fetchBindRequest()
o mvc: make "data_change_message_content" configurable
o rc: do not clear /tmp on a diskless install
o rc: secure an exec() in the recovery script
o shell: assorted cleanups in console menu related scripts
o ui: assorted adjustments for dark theme
o ui: always show bootgrid reset button
o ui: improve grid responsiveness via minWidth()
o ui: remove this.dataIdentifier as datakey defines the key to be used when asking "row-id" or getSelectedRows
o ui: SimpleActionButton: add support for icons in action buttons
o ui: recompile default themes using dart sass (1.93.2) which changes color rendering
o ui: keyboard shortcuts for "a"dvanced and "h"elp in MVC pages (contributed by Konstantinos Spartalis)
o ui: bail out on dynamic grid resize if data is loading
o ui: bootgrid: prevent full table redraw without onDataProcessed trigger
o ui: bootgrid: add missing datakeys to two pages
o ui: fix tokenizer event trigger loop
o plugins: os-OPNWAF 2.1
o plugins: os-ddclient 1.28[2]
o plugins: os-freeradius 1.9.28[3]
o plugins: os-frr 1.49[4]
o plugins: os-git-backup 1.1[5]
o plugins: os-ndp-proxy-go 1.0 is a hot-off-the-press userspace IPv6 Neighbor Discovery Proxy[6]
o plugins: os-q-feeds-connector 1.3[7]
o plugins: os-tailscale 1.3[8]
o plugins: os-tayga 1.3[9]
o plugins: os-theme-flexcolor 1.0 is a new 3-in-one theme[10] (contributed by Schnuffel2008)
o plugins: os-zabbix-proxy 1.15[11]
o src: dhclient: improve UDP checksum handling
o src: dummynet: move excessive logging messages under debug output
o src: ice: add PCI IDs for E835 devices
o src: ice: add support for E835-XXV-4 adapter
o src: if_vxlan: fix byteorder of source port
o src: ifconfig: assorted stable branch improvements
o src: igb: fix out-of-bounds register access on VFs
o src: ipfw: check for errors from sooptcopyin() and sooptcopyout()
o src: ipfw: pmod: avoid further rule processing after tcp-mod failures
o src: ix/ixv: add support for new Intel Ethernet E610 family devices
o src: ixl: fix multicast promiscuous mode state tracking and filter management
o src: net: validate interface group names in ioctl handlers
o src: netlink: in snl_init_writer() do not overwrite error in case of failure
o src: pf: improve add state validation
o src: pf: improve DIOCRCLRTABLES validation
o src: pf: SCTP abort messages fully close the connection
o src: sctp, tcp, udp: improve deferred computation of checksums
o src: SO_REUSEPORT_LB breaks connect(2) for UDP sockets[12]
o src: vtnet: assorted stable branch improvements
o ports: curl 8.17.0[13]
o ports: kea 3.0.2[14]
o ports: libxml 2.14.6[15]
o ports: nss 3.118.1[16]
o ports: openssh 10.2p1[17]
o ports: openvpn 2.6.17[18]
o ports: pcre2 10.47[19]
o ports: php 8.3.28[20]
o ports: pkg 2.3.1
o ports: python 3.11.14[21]
o ports: sqlite 3.50.4[22]
o ports: strongswan 6.0.3[23]
o ports: suricata 8.0.2[24]
o ports: syslog-ng 4.10.2[25]
o ports: unbound 1.24.2[26]


Stay safe,
Your OPNsense team

--
[1] https://www.cve.org/cverecord?id=CVE-2025-13698
[2] https://github.com/opnsense/plugins/blob/stable/25.7/dns/ddclient/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/25.7/net/freeradius/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/25.7/net/frr/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/25.7/sysutils/git-backup/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/25.7/net/ndp-proxy-go/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/25.7/security/q-feeds-connector/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/25.7/security/tailscale/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/25.7/net/tayga/pkg-descr
[10] https://github.com/opnsense/plugins/blob/stable/25.7/misc/theme-flexcolor/pkg-descr
[11] https://github.com/opnsense/plugins/blob/stable/25.7/net-mgmt/zabbix-proxy/pkg-descr
[12] https://www.freebsd.org/security/advisories/FreeBSD-SA-25:09.netinet.asc
[13] https://curl.se/changes.html#8_17_0
[14] https://downloads.isc.org/isc/kea/3.0.2/Kea-3.0.2-ReleaseNotes.txt
[15] https://gitlab.gnome.org/GNOME/libxml2/-/blob/master/NEWS
[16] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_118_1.html
[17] https://www.openssh.com/txt/release-10.2
[18] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.17
[19] https://github.com/PCRE2Project/pcre2/releases/tag/pcre2-10.47
[20] https://www.php.net/ChangeLog-8.php#8.3.28
[21] https://docs.python.org/release/3.11.14/whatsnew/changelog.html
[22] https://sqlite.org/releaselog/3_50_4.html
[23] https://github.com/strongswan/strongswan/releases/tag/6.0.3
[24] https://suricata.io/2025/11/06/suricata-8-0-2-and-7-0-13-released/
[25] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.10.2
[26] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-24-2
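The release notes above list a ZDI-reported exec() removal and the replacement of raw exec(), system(), passthru() and shell_exec() calls with safer variants. The following PHP is an added illustration of that class of fix; it is not OPNsense code, not the project's exec_safe() or Shell class, and not the details of CVE-2025-13698. The function names, the "rrd name" allow-list and the hostile sample input are all made up for the example. It contrasts a shell-string exec() with an escapeshellarg()-quoted call and with a shell-free proc_open() argv array.

```php
<?php
declare(strict_types=1);
// Added illustration (not OPNsense code): why interpolating an
// attacker-influenced value into exec() is a command injection, and two
// ways to remove the shell from the picture.

// Runs a program with an explicit argv array. proc_open() with an array
// (PHP >= 7.4) execs the binary directly; no /bin/sh ever parses the input.
function run_argv(array $argv): array {
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['rc' => proc_close($proc), 'out' => $out, 'err' => $err];
}

// Vulnerable pattern: the value ends up inside a shell command line.
// With $name = 'wan; echo INJECTED' the shell happily runs two commands.
function describe_unsafe(string $name): string {
    $out = [];
    exec("/bin/echo backing up " . $name, $out);   // DO NOT DO THIS
    return implode("\n", $out);
}

// Hardened pattern 1: keep the shell, but hand it exactly one quoted argument.
function describe_quoted(string $name): string {
    $out = [];
    exec("/bin/echo backing up " . escapeshellarg($name), $out);
    return implode("\n", $out);
}

// Hardened pattern 2: validate against an allow-list (hypothetical rule for
// an RRD file name) and never involve a shell at all.
function describe_argv(string $name): string {
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $name)) {
        throw new InvalidArgumentException("refusing suspicious name: $name");
    }
    return rtrim(run_argv(['/bin/echo', 'backing up', $name])['out'], "\n");
}

// Constructed hostile input for the demonstration.
$hostile = 'wan; echo INJECTED';

echo "unsafe : ", describe_unsafe($hostile), "\n";   // prints a second line "INJECTED"
echo "quoted : ", describe_quoted($hostile), "\n";   // one line, metacharacters are literal
try {
    describe_argv($hostile);
} catch (InvalidArgumentException $e) {
    echo "argv   : ", $e->getMessage(), "\n";        // rejected before any process starts
}
echo "argv   : ", describe_argv('wan'), "\n";        // "backing up wan"
```

Run it with `php example.php` on a host that has /bin/echo. The quoting variant is the minimal fix for existing exec() call sites; the argv variant is the one to prefer for new code, because the validation step rejects bad input before any process is spawned and the absence of a shell means there is no metacharacter set left to get wrong.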
#10
General Discussion / Re: UPNP Broken
December 10, 2025, 11:58:08 AM
Hello,

Didn't do anything but happy it works now :)


Cheers,
Franco
#11
Which is also documented and therefore intended.


Cheers,
Franco
#12
No, you just get the popup during upgrades when the package manager removes vital files for a second before putting them back, and the GUI needs them to render the page. It's not easily fixable, but also almost always benign.

We could hide the error, but at the cost of hiding real errors.


Cheers,
Franco
#13
25.7, 25.10 Series / Re: vtnet offloading since 25.7.8
December 08, 2025, 08:05:33 AM
> fixed for good in releng/14

You mean stable/14?

releng/14.3 is likely not getting any better, but releng/14.4 could given stable/14 is complete ;)


Cheers,
Franco
#14
25.7, 25.10 Series / Re: vtnet offloading since 25.7.8
December 07, 2025, 09:14:59 PM
I wanted to talk to Patrick about this, too. Our own testing was inconclusive.


Cheers,
Franco
#15
No, 2.3.1 is our version. FreeBSD has 2.4.2 and it's broken in that regard.

We may update to 2.4.2 ourselves, but it's not necessary at the moment. And even then: do NOT use the FreeBSD version.


Cheers,
Franco