Upgrade to RC1 successful

[meyergru]

Another one: When I imported the rules after the patches, I got one "new style" rule that is not editable after importing (pressing edit just does nothing).

The imported rule was:

Code Select Expand

0b229e23-b728-4a32-85fc-4226bda46771,1,keep,,61,pass,1,0,"lan,opt1,opt2,VLANS,wireguard",in,inet46,TCP/UDP,,,,,0,0,0,0,0,,,,,,,,,,,,,,,,,,"LAN Rules",,,,,"Allow DNS to firewall",0,any,,0,(self),53

where VLANS is a group of VLAN interfaces.

I see an error in the browser console when pressing edit on that rule:

Code Select Expand

Uncaught Error: Syntax error, unrecognized expression: .protocol_tcp/udp:not(div)
    jQuery 7
    <anonymous> https://opnsense.localhost:488/ui/firewall/filter/:2327
    jQuery 8
    setFormData https://opnsense.localhost:488/ui/js/opnsense.js?v=72f71a09251c25b5:217
    each jQuery
    setFormData https://opnsense.localhost:488/ui/js/opnsense.js?v=72f71a09251c25b5:140
    jQuery 2
    setFormData https://opnsense.localhost:488/ui/js/opnsense.js?v=72f71a09251c25b5:132
    mapDataToFormUI https://opnsense.localhost:488/ui/js/opnsense_ui.js?v=72f71a09251c25b5:142
    jQuery 2
    mapDataToFormUI https://opnsense.localhost:488/ui/js/opnsense_ui.js?v=72f71a09251c25b5:139
    complete https://opnsense.localhost:488/ui/js/opnsense.js?v=72f71a09251c25b5:312
    jQuery 6
    ajaxGet https://opnsense.localhost:488/ui/js/opnsense.js?v=72f71a09251c25b5:304
    mapDataToFormUI https://opnsense.localhost:488/ui/js/opnsense_ui.js?v=72f71a09251c25b5:137
    each jQuery
    mapDataToFormUI https://opnsense.localhost:488/ui/js/opnsense_ui.js?v=72f71a09251c25b5:136
    show_edit_dialog https://opnsense.localhost:488/ui/js/opnsense_bootgrid.js?v=72f71a09251c25b5:1743
    show_edit_dialog https://opnsense.localhost:488/ui/js/opnsense_bootgrid.js?v=72f71a09251c25b5:1737
    command_edit https://opnsense.localhost:488/ui/js/opnsense_bootgrid.js?v=72f71a09251c25b5:1902
    _linkCellCommand https://opnsense.localhost:488/ui/js/opnsense_bootgrid.js?v=72f71a09251c25b5:947
    jQuery 2

P.S.: The old rule is editable....

[Monviech (Cedrik)]

Thanks for reporting this was a small oversight

https://github.com/opnsense/core/pull/9642

[Monviech (Cedrik)]

BTW: In the migration assistant list of steps, it says: "Deselect anti-lockout in advanced settings" - it should be "Enable anti-lockout in advanced settings".

It's an "enable to disable" kind of checkbox, so whatever way turn it, it's always a bit confusing I guess.

[meyergru]

Thanks for reporting this was a small oversight

https://github.com/opnsense/core/pull/9642

Code Select Expand

opnsense-patch 67668828146e80de49bc6b607db06acb12da8a61
configctl webgui restart

Works for me.

[Ametite]

From my side all seems working well, upgraded from 25.7.11_2 to 26.1-RC1.
I've already tested IPSEC, BIND, unbound, BGP with FFR, Wiregard, OVPN, Crowdsec, Suricata, and other plugins less deeply.
FW rules migrated completely.
The only thing that I noticed is that the auto-generated floating rules are visible correctly only on old rules, in the new section I see some blank rules.

I would also ask the diff between NAT outbound rules and SNAT.
Thanks :)

⚠️EDIT: it seems that floating rules apparently blank was in fact a very dangerous "any to any" and I rolled back to snapshot this time for being sure 100% that all is properly blocked as before

[Maurice]

Identity Association and ISC DHCPv6 are mutually exclusive, correct? ISC depends on Track Interface (legacy)?

(I'm stuck with ISC since neither Dnsmasq nor Kea support prefix delegation with dynamic prefixes.)

Cheers
Maurice

[franco]

No, Identity association mode is a trick that enforces "Allow manual adjustment of DHCPv6 and Router Advertisements" so you can still use RA and DHCPv6, but only if configured manually. You can also mix and match the Track interface mode and the new one for LANs.

The relevant patches illustrates this clearly for reference:

https://github.com/opnsense/core/commit/f8da6e147b2
https://github.com/opnsense/core/commit/e790033253c


Cheers,
Franco