Recent posts

#1
General Discussion / Re: ARC RAM usage
Last post by Isabella Borgward - Today at 03:21:58 PM
Default on this firewall is 791400. So wow, there must have been a lot of connections.
I need to work out how to track and alert on PF state exhaustion.
#2
26.1, 26,4 Series / Re: Kea + Unbound + Bind for l...
Last post by wootonius - Today at 03:05:34 PM
Quote from: tkreagan on June 15, 2026, 09:25:12 PM
Hi all — I've been following this topic and wanted to share something I built that I think addresses exactly this problem.

**os-kea-ubnd-ddns** is an OPNsense plugin that bridges Kea DHCP → Unbound DNS directly, without Bind. It runs a lightweight RFC 2136 stub listener that receives DNS UPDATE packets from `kea-dhcp-ddns` and applies them to Unbound via `unbound-control` — so you get real-time hostname registration when a lease is issued - no zone files, no journal corruption, no `.jnl` cleanup.

This looks pretty neat, I'll take a look.
#3
General Discussion / Re: ARC RAM usage
Last post by Patrick M. Hausen - Today at 03:03:26 PM
Quote from: Isabella Borgward on Today at 03:01:00 PM
Will ARC memory usage cause problems for PF states being created?

No. The number of pfstates has got a kernel internal hard limit. You can increase it at

Firewall > Settings > Advanced > Firewall Maximum States
#4
General Discussion / Re: ARC RAM usage
Last post by Isabella Borgward - Today at 03:01:00 PM
Before I managed to disable hostwatch, I started getting alerts about the Zabbix agent on this host.
I checked the logs and saw
[zone: pf states] PF states limit reached
being logged every few minutes.
Will ARC memory usage cause problems for PF states being created?
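Post #1 above asks how to track and alert on PF state exhaustion, post #3 names the hard limit that Firewall > Settings > Advanced > Firewall Maximum States controls, and post #4 shows the kernel message logged once the table is full. The script below is an added example for this thread, not code from the posts or from the OPNsense project. It assumes the standard output formats of `pfctl -si` (state table counters) and `pfctl -sm` (memory hard limits) on FreeBSD/OPNsense; the pfctl outputs, syslog lines and the 80%/95% thresholds are constructed for the example, with 791400 being the default limit quoted in post #1.

```python
"""Track pf state-table exhaustion on an OPNsense/FreeBSD firewall.

Added example for this thread; not code from the forum posts or from the
OPNsense project. It parses `pfctl -si` (state table counters) and
`pfctl -sm` (memory hard limits) and scans syslog for the kernel's
"PF states limit reached" message. All sample data below is constructed.
"""
import re
import subprocess

# Constructed sample of `pfctl -si`, state table section only.
SAMPLE_PFCTL_SI = """\
Status: Enabled for 3 days 04:12:55           Debug: Urgent

State Table                          Total             Rate
  current entries                   752330
  searches                      1824399123         6607.3/s
  inserts                         93348122          338.1/s
  removals                        92595792          335.4/s
"""

# Constructed sample of `pfctl -sm`; 791400 is the default named in the thread.
SAMPLE_PFCTL_SM = """\
states        hard limit   791400
src-nodes     hard limit   791400
frags         hard limit     5000
table-entries hard limit   200000
"""

# Constructed syslog lines; the second and fourth carry the kernel message.
SAMPLE_SYSLOG = [
    "Jun 16 14:58:10 fw01 kernel: re0: link state changed to UP",
    "Jun 16 15:00:01 fw01 kernel: [zone: pf states] PF states limit reached",
    "Jun 16 15:02:33 fw01 sshd[1234]: Accepted publickey for admin from 10.0.0.5",
    "Jun 16 15:05:01 fw01 kernel: [zone: pf states] PF states limit reached",
]

LIMIT_REACHED_RE = re.compile(r"\[zone: pf states\] PF states limit reached")


def parse_state_count(si_output: str) -> int:
    """Return the 'current entries' counter from `pfctl -si` output."""
    m = re.search(r"^\s*current entries\s+(\d+)", si_output, re.MULTILINE)
    if not m:
        raise ValueError("no 'current entries' line in pfctl -si output")
    return int(m.group(1))


def parse_state_limit(sm_output: str) -> int:
    """Return the 'states hard limit' from `pfctl -sm` output."""
    m = re.search(r"^states\s+hard limit\s+(\d+)", sm_output, re.MULTILINE)
    if not m:
        raise ValueError("no 'states hard limit' line in pfctl -sm output")
    return int(m.group(1))


def state_utilization(si_output: str, sm_output: str) -> float:
    """Fraction of the state table in use (0.0 .. 1.0)."""
    return parse_state_count(si_output) / parse_state_limit(sm_output)


def classify(ratio: float, warn: float = 0.80, crit: float = 0.95) -> str:
    """Map a utilization ratio to an alert level; the thresholds are assumptions."""
    if ratio >= crit:
        return "critical"
    if ratio >= warn:
        return "warning"
    return "ok"


def find_limit_reached(lines) -> list:
    """Return the syslog lines carrying the kernel's exhaustion message.

    The message only appears once the table is already full, so it is a
    trailing indicator that complements the utilization check above.
    """
    return [ln for ln in lines if LIMIT_REACHED_RE.search(ln)]


def check_live() -> str:
    """Run the real pfctl commands (needs root on the firewall itself)."""
    si = subprocess.run(["pfctl", "-si"], capture_output=True, text=True, check=True).stdout
    sm = subprocess.run(["pfctl", "-sm"], capture_output=True, text=True, check=True).stdout
    ratio = state_utilization(si, sm)
    return f"{classify(ratio)}: {ratio:.1%} of state table in use"


if __name__ == "__main__":
    ratio = state_utilization(SAMPLE_PFCTL_SI, SAMPLE_PFCTL_SM)
    print(f"{classify(ratio)}: {ratio:.1%} of state table in use")
    for hit in find_limit_reached(SAMPLE_SYSLOG):
        print("exhaustion logged:", hit)
```

On the constructed sample the table is at roughly 95% of its limit, so the script reports "critical" before the kernel message would appear; `check_live()` is the part to wire into a cron job or a Zabbix user parameter on the firewall, where the two pfctl commands are available. Compare the ratio rather than the raw count, since raising Firewall Maximum States changes the denominator.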
#5
26.1, 26,4 Series / Re: WAN Interface Statistics n...
Last post by OPNenthu - Today at 02:56:47 PM
Run 'netstat -ib'.

Maybe this way we can at least rule out OPNsense and isolate the issue to FreeBSD.
#6
26.1, 26,4 Series / Re: WAN Interface Statistics n...
Last post by Component0002 - Today at 02:49:39 PM
I have run the reset of RRD Data but the issue persists unfortunately.

Surely I can't be the only person with a Mellanox ConnectX-3 Pro card. I wonder if other people have the same issue?

Although I have just gotten this card perhaps I need to dump it and look into swapping to an Intel card instead.

I've attached a screenshot of the issue too.
#7
General Discussion / Re: ARC RAM usage
Last post by Isabella Borgward - Today at 02:37:29 PM
Yes indeed this device has Hostwatch enabled and the others do not! I will disable it and see what happens. It had found 800 hosts, I wouldn't think that would require so much RAM to keep track of.

After a bit more reading, it seems like ARC memory usage on BSD can be considered as not really used, because it can be evicted as soon as memory is really needed by a process. That being the case, I think OPNsense management tools should take this into account and not show me a scary yellow usage bar if it's not really "used".
#8
General Discussion / Re: ARC RAM usage
Last post by OPNenthu - Today at 02:26:47 PM
Quote from: Patrick M. Hausen on Today at 02:22:40 PM
At least TrueNAS removed the hard 50% limit AFAIK.

Indeed :P
#9
General Discussion / Re: ARC RAM usage
Last post by Patrick M. Hausen - Today at 02:22:40 PM
Quote from: nero355 on Today at 02:01:43 PM
In theory ZFS should never use more than 50% of that IIRC so you should have nothing to worry about despite these values.

That used to be a hard limit set in Linux because Linux memory management had difficulties flushing ARC in case of memory pressure. In FreeBSD such a limit does not exist and ARC will happily use all available memory. This is not a problem. It will be freed if needed.

I don't know the current state on Linux. At least TrueNAS removed the hard 50% limit AFAIK.
#10
Announcements / OPNsense 26.4.1 business editi...
Last post by franco - Today at 02:21:04 PM
This business release is based on the OPNsense 26.1.9 community version
with additional reliability improvements.

Here are the full patch notes:

o system: refactor dashboard to use User model instead of direct config access
o system: throw UserException when dashboard size limit was reached on save
o system: add notes dashboard widget (contributed by Konstantinos Spartalis)
o system: fix traffic dashboard widget initialization race condition (contributed by Greelan)
o system: avoid side effect rendering sysctl item in config.xml during console assignment
o system: improve cron command and parameter escaping
o system: support RADIUS NAS-IP-Address attribute for authentication
o system: add compatibility layer to future route disable/enable migration
o system: only split first colon when reading sysctls
o system: revisit snapshot name validation (partially contributed by Konstantinos Spartalis)
o system: fix missing newline when generating cron jobs due to a regression
o system: fix missing base64_decode() in JsonField which prevented user settings from saving
o system: link CA references after all changes
o system: parse certificate "key_type" and "digest"
o system: allow flushing legacy OpenVPN legacy config
o system: audit "staticroute" config access
o system: use safe config iteration in core_user_changed_groups()
o system: tighten landing page redirect (contributed by Konstantinos Spartalis)
o system: fix passing null into getRealInterface()
o system: fix regression in selective group delete introduced previously
o system: allow unregistered plugin cron actions to be deleted
o system: disable MAILTO for cron jobs
o system: dashboard: explicitly compact on layout shift if there is no predefined layout
o system: dashboard: update result on default restore
o reporting: render NaN values as empty values and omit leading empty records from data set for health graphs
o reporting: add max on Y axis for traffic graphs
o interfaces: refactor bridge reconfigure script
o interfaces: add missing config locks in device controllers
o interfaces: use safe iteration in backend code
o interfaces: adjust and annotate interface_dhcpv6_id()
o interfaces: account for multiple UUIDs in VIP deletion
o interfaces: more safe iteration through config_read_array()
o interfaces: fix wrong DUID-UUID format but keep accepting the wrong one
o interfaces: fix regression in selective device delete introduced previously
o interfaces: IAID selection and prefix range reservation for WAN DHCPv6
o interfaces: parse ifconfig output despite exit error in legacy_interfaces_details()
o interfaces: hostwatch: pin warning banner to enabled flag
o firewall: live view: decode HTML where necessary to aid filtering
o firewall: use save method from ApiMutableModelControllerBase for log command, move rule command and savepoint action
o firewall: safe config access in list_legacy_rules.php
o firewall: remove duplicated CSV button hook
o firewall: fix NPTv6 validation for empty external subnet
o firewall: make getRealInterface() a static utility function
o firewall: refactor searchRuleAction() to use the same filtering and sorting logic on MVC and legacy data
o firewall: fix inverted source/destination cosmetic issue in SNAT and One-to-One NAT grids
o firewall: fix search for floating rules in new rules GUI
o firewall: add an alias formatter to show content fields as "dynamic" when populated by other components
o firewall: fix Tabulator regression with alias batch delete
o firewall: use safe config iteration in interface registration
o firewall: fix unintended change in filtering logic for new rules GUI
o firewall: fix action, ipprotocol and protocol translations for legacy rules in new rules GUI
o firewall: use safe iteration over rules in filter_core_rules_user()
o firewall: add missing exclamation mark for "not" in scrub rules
o firewall: fix interface sorting by value for live log and groups
o firewall: add banner if no rules defined in new rules GUI to match legacy GUI
o firewall: use strnatcasecmp() for interface list in new rules GUI
o firewall: fix typo that prevented queues from being selectable in pf-based traffic shaping
o firewall: escape shaper targets in rule edit[1] (contributed by lujiefsi)
o captive portal: remove redirection on HTTPS and ditch non-functional pass statement
o dnsmasq: change DHCP tag to DescriptionField
o dnsmasq: change widget link from settings to leases page
o firmware: opnsense-bootstrap: add "-B" bare bootstrap mode
o firmware: add repo configuration output to connectivity audit
o firmware: stop buffering in sed to fix chunked update log output
o firmware: retain ordering in update servers for connectivity check
o firmware: allow "local" business mirror subscription
o firmware: put clickable trailer for community plugins
o firmware: fix return value masking during updates
o firmware: opnsense-update: do not clean obsolete files on manual -r invokes
o intrusion detection: fix drop and alert buttons on rules tab
o ipsec: move swanctl.conf download button to the tab
o ipsec: restyle the connections page for clarity
o ipsec: disable scroll in authentication and children grids (contributed by Konstantinos Spartalis)
o ipsec: validate the use of refid in CA certificates[2] (reported by lujiefsi)
o kea: fix "Delegated length must be longer than or equal to prefix length" validation
o kea: add ddns-override-no-update, ddns-override-client-update and ddns-update-on-renew per subnet
o kea: DDNS DNS server port can now be specified
o kea: add explicit reverse DDNS zones support (contributed by XtraLarge)
o kea: add DDNS manual config override
o kea: remove depend constraint of ddns_reverse_zone
o kea: plug socket into dynamic PD route installation script
o kea: add prefix to reservations to allow for static PD allocations based on DUID/MAC
o kea: infer IPv6 lease type in delete script via lease lookup so IA_NA/IA_PD can be deleted
o kea: DDNS add ddns-conflict-resolution-mode per subnet (contributed by chaispaquichui)
o kea: allow customizing "mac_sources" and change default to "ipv6-link-local"
o kea: add user-context object to config to emit description
o kea: fix option_data_autocollect mismatch in DHCPv6 page
o kea: enable internalModelSafeDelete due to increased model relation field usage
o kea: build reservation status from control socket output
o kea: add subnet vltime (partially contributed by Brandan Giles)
o kea: add client-id to DHCPv4 reservations
o kea: use JSON_UNESCAPED_UNICODE when writing the JSON configuration
o kea: dynamic prefix delegation support[3]
o kea: always start the prefix watcher when DHCPv6 is enabled
o kea: cleanups for IntegerField using isSet() and no negative numbers allowed
o kea: add decline_probation_period and set lower default to mitigate faulty client implementations to consume the whole pool
o kea: add subnet allocator field (contributed by Marcos Della)
o kea: add DHCPv4 compatibility options (contributed by Marcos Della)
o kea: hook up reservation.next_server (contributed by Ian Munsie)
o kea: fix missing visual cues for manual mode in DDNS and DHCPv4/6
o network time: small cleanups in ntpd_configure_gps()
o openvpn: add tls-crypt-v2 support
o openvpn: allow restart action via cron
o openvpn: fix client export not showing common names
o openvpn: require an integer of at least 1 for "vpnid" field
o radvd: allow user controlled hop limit (contributed by BPplays)
o radvd: allow starting a manual configuration without primary IPv6
o unbound: improve hostname/domain override validation
o unbound: minor style/refactor for safe config access
o unbound: hide unused tree row in form output for overrides
o unbound: restyle statistics page
o unbound: blocklists categorization and apply button message update (contributed by Konstantinos Spartalis)
o wireguard: use getValues() consistently in control script
o acl: some missing references and using camelCase pointers instead of snake_case
o backend: configctl: properly quote parameters to avoid skipping empty ones (contributed by Majx)
o backend: configctl: support -f cache flush parameter to fix cache invalidation preamble "!" pass
o lang: numerous updates and fixes in existing languages
o mvc: introduce JSON field type and refactor dashboard to use it
o mvc: fixed a number of class import statements
o mvc: remove unused UIModelGrid imports in IDS, Monit and Syslog controllers
o mvc: remove Util imports where not needed
o mvc: BaseField: add count() helper
o mvc: fix validation to use getValue instead of plain string cast
o mvc: UIModelGrid: remove flatten() method as getFlatNodes() is almost the same
o mvc: add support for pluggable dynamic menu items and move some existing parts out of the MenuSystem class
o mvc: stricter email address validation
o mvc: OptionsField: use key as value if no value is set
o mvc: unify migration message returns
o mvc: add new validators to TextField: AllowSpaces, AllowNewlines, AllowSpecial and introduce new StrictTextField
o mvc: strict alphanumeric-only regex for certificate refid[4] (contributed by eev4n)
o mvc: simplify assorted option values to reduce duplication
o mvc: static header support for forms
o rc: move system_powerd_configure() to bootup plugin hook
o shell: config access refactor in password and setaddr scripts
o shell: safe iteration for VLAN/LAGG in port assignment
o shell: use safe config iteration in live mode banner
o shell: fix syntax error in port assignment
o ui: generalize placeholders between controllers and JS
o ui: simplify and clean up debounce() usage
o ui: trap generic error popup for specific API URLs such as /api/core/firmware/upgradestatus when it adds no value and is known to be unstable
o ui: add static dialog header support and fix bool/string compare
o ui: add type_formatter keyword to form rendering
o ui: add save/cancel button support to form rendering
o ui: remove "event" use from bootgrid showSaveAlert()
o ui: add support for binary file uploads
o ui: bootgrid: onRendered executed in wrong spot
o ui: clean up useRequestHandlerOnGet usage
o ui: use space in apply box for the apply reminder
o ui: improve form validation error append
o ui: tab exclusion for SimpleActionButton
o ui: split form button row render as some forms only use save
o ui: override selectpicker defaults for translations
o ui: hide apply button for specific tabs on multiple pages (contributed by Konstantinos Spartalis)
o ui: bootgrid: align datakey with the rest of the options, but allow top-level placement
o ui: bootgrid: mark state variables as such
o ui: bootgrid: safeguard replace() function
o ui: bootgrid: remove unused getTotalRowCount() method
o ui: bootgrid: prevent NaN pagination values for non-ajax grids when row count is set to all
o ui: bootgrid: clean up converter compatibility code
o ui: bootgrid: replace "append" with "replace" for ajax: false grids
o ui: bootgrid: adjust column persistence behavior to prevent horizontal dead space
o ui: bootgrid: allow column selection exclusions
o ui: allow passing of data attributes for select items in setFormData()
o ui: remove banner on inline reload if applicable
o ui: button padding when injecting next to apply button
o ui: fix spurious padding in apply button section (contributed by Konstantinos Spartalis)
o plugins: os-cloudflared 1.0 (contributed by Richard Aspden)
o plugins: os-ddclient 1.31[5]
o plugins: os-frr 1.53[6]
o plugins: os-netbird 1.3[7]
o plugins: os-q-feeds-connector 1.6[8]
o plugins: os-rfc2136 1.10[9]
o plugins: os-stunnel fix for missing include in script
o plugins: os-telegraf 1.12.15[10]
o plugins: os-tinc fixes evaluation of hosts enabled flag (contributed by Konstantinos Spartalis)
o plugins: os-turnserver 1.3[11]
o plugins: os-zabbix-agent 1.9[12]
o plugins: os-zabbix-proxy 1.7[13]
o plugins: use safe config iteration in interface registration code
o src: missing permission check in thr_kill2[14]
o src: arbitrary file overwrite via the KTLS receive path[15]
o src: multiple vulnerabilities in the sound mmap path[16]
o src: sigqueue missing capability mode restriction[17]
o src: use-after-free bug in the IPV6_MSFILTER socket option handler[18]
o src: flaw in Linuxulator execution of setugid binaries[19]
o src: ASLR bypass for setuid executables via procctl[20]
o src: integer overflow in vt CONS_HISTORY ioctl[21]
o src: openssl: fix multiple vulnerabilities[22]
o src: ldns: fix query response validation[23]
o src: netlink: fix lock leak in nl_find_nhop
o src: pf: avoid taking the pf rules write lock in a couple of ioctls
o src: ipfw: add ability to run ipfw binary with 15.0+ kernel module
o src: ipfw: treat ipv6 address with zero mask as "any"
o ports: curl 8.20.0[24]
o ports: dnsmasq 2.93[25]
o ports: filterlog 0.8 changes rule label fetch to libpfctl
o ports: kea 3.0.3[26]
o ports: krb5 1.22.2[27]
o ports: libxml 2.15.3[28]
o ports: nss 3.124[29]
o ports: openssh 10.3p1[30]
o ports: openssl 3.0.21[31]
o ports: openvpn 2.7.4[32]
o ports: phalcon 5.14.2[33]
o ports: php 8.3.31[34]
o ports: phpseclib 3.0.55[35]
o ports: py-duckdb 1.5.3[36]
o ports: py-numpy 2.4.6
o ports: py-requests 2.33.1
o ports: python 3.13.14[37]
o ports: sqlite3 3.53.1[38]
o ports: strongswan 6.0.7[39]

--
[1] https://github.com/opnsense/core/security/advisories/GHSA-m4m3-v627-wgc2
[2] https://github.com/opnsense/core/security/advisories/GHSA-33q4-wcv7-r8fr
[3] https://docs.opnsense.org/manual/kea.html
[4] https://www.cve.org/cverecord?id=CVE-2026-53582
[5] https://github.com/opnsense/plugins/blob/stable/26.1/dns/ddclient/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/26.1/net/frr/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/26.1/security/netbird/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/26.1/security/q-feeds-connector/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/26.1/dns/rfc2136/pkg-descr
[10] https://github.com/opnsense/plugins/blob/stable/26.1/net-mgmt/telegraf/pkg-descr
[11] https://github.com/opnsense/plugins/blob/stable/26.1/net/turnserver/pkg-descr
[12] https://github.com/opnsense/plugins/blob/stable/26.1/net-mgmt/zabbix-agent/pkg-descr
[13] https://github.com/opnsense/plugins/blob/stable/26.1/net-mgmt/zabbix-proxy/pkg-descr
[14] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:25.thr.asc
[15] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:26.ktls.asc
[16] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:27.sound.asc
[17] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:28.capsicum.asc
[18] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:29.ip6_multicast.asc
[19] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:30.linux.asc
[20] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:32.elf.asc
[21] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:34.vt.asc
[22] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:35.openssl.asc
[23] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:36.ldns.asc
[24] https://curl.se/changes.html#8_20_0
[25] https://www.thekelleys.org.uk/dnsmasq/CHANGELOG
[26] https://gitlab.isc.org/isc-projects/kea/-/wikis/Release-Notes/release-notes-3.0.3
[27] https://web.mit.edu/kerberos/krb5-1.22/
[28] https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.15.3/NEWS
[29] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_124.html
[30] https://www.openssh.com/txt/release-10.3
[31] https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md
[32] https://github.com/OpenVPN/openvpn/blob/v2.7.4/Changes.rst
[33] https://github.com/phalcon/cphalcon/releases/tag/v5.14.2
[34] https://www.php.net/ChangeLog-8.php#8.3.31
[35] https://github.com/phpseclib/phpseclib/releases/tag/3.0.55
[36] https://github.com/duckdb/duckdb/releases/tag/v1.5.3
[37] https://docs.python.org/release/3.13.14/whatsnew/changelog.html
[38] https://sqlite.org/releaselog/3_53_1.html
[39] https://github.com/strongswan/strongswan/releases/tag/6.0.7