OPNsense 25.1.6 released

Started by franco, May 08, 2025, 03:12:45 PM

Hello!

After some back and forth today we are rolling back a console default
change done in FreeBSD 14.2 that we do not think is necessary at this
particular point in time.  The bridge configuration code was also
refactored to introduce it to MVC/API in an upcoming stable release.

A few more problems with the new captive portal backend have also been
addressed in order to make it match the behaviour of the previous one.
It is now possible to disable the automatic rules to further refine
the desired captive portal behaviour.

Last but not least: Kea DHCPv6 is here.  And with it full DHCP and router
advertisement support in Dnsmasq to bridge the gap for ISC users who do not
need or want Kea.  We are going to make Dnsmasq DHCP the default in new
installations starting with 25.7, too.  ISC DHCP will still be around as
a core component in 25.7 but likely moves to plugins for 26.1 next year.

Here are the full patch notes:

o system: kill gateways states for failback scenario when a higher priority gateway goes back online
o system: update to latest tzdata content for time zones and ISO 3166 definitions
o system: clean up a number of unused functions
o system: refactor a VIP access in auth.inc
o system: add field "boottime" to api/system/systemTime (contributed by eopo)
o reporting: replace insights totals chart with ChartJS variant
o reporting: minor style fixes and cleanups in health graphs
o interfaces: refactor bridge configuration backend
o interfaces: refactor wireless device assignment
o interfaces: allow literal comma by escape sequence in DHCP advanced option modifiers
o interfaces: fix refresh button in ARP page
o interfaces: fix "(de)select all" button in packet capture
o interfaces: rename ip_in_subnet() to reflect it is only for IPv4
o interfaces: remove unused get_vip_descr()
o firewall: prevent source/destination inversion when multiple nets are selected
o firewall: support comma separated alias targets in refactor() call
o firewall: added multi-select for ICMP type
o firewall: update user agent in alias URL fetch
o captive portal: fix display issue for pass rule when client not in zone
o captive portal: allow disabling automatic firewall rules
o captive portal: exclude portal table in destination
o dnsmasq: add full DHCP/RA support
o intrusion detection: fix a log reader regression in the alert view
o ipsec: copy "Split DNS name" to undocumented "25" option
o ipsec: fix more ACLs related to individual IPsec page use
o ipsec: add DH Group 2 for basic Azure VPN gateway compatibility
o ipsec: fix trimming NULL values
o isc-dhcp: use "lease_type" to key lease map in addition to "iaid_duid" (contributed by Alex Goodkind)
o isc-dhcp: fix invalid FQDN generation from DHCPv4 static map domains (contributed by Steven Zimmermann)
o kea-dhcp: add DHCPv6 support
o openvpn: simplify the VIP handling in legacy pages
o backend: support "errors:no" clause on actions
o mvc: allow referencing disabled interfaces in LinkAddressField
o mvc: fix scoping issue in CertificatesField
o plugins: os-ndproxy 1.1[1]
o plugins: os-squid 1.2[2]
o plugins: os-theme-rebellion 1.9.3 (contributed by Team Rebellion)
o plugins: os-turnserver 1.0 (contributed by Frank Wall)
o src: caroot: update the root bundle
o src: openssl: import OpenSSL 3.0.16
o src: daemon: stop rebuilding the kqueue every restart of the child
o src: contrib/expat: update libexpat from 2.6.0 to 2.7.1
o src: contrib/tzdata: import tzdata 2025b
o src: pfctl: fix faulty rule anchor counter print
o src: pfctl: fix recursive printing of NAT rules
o src: pf: Use a macro to get the hash row in pf_find_state_byid()
o src: netinet6: work around synchronization issue in dying netgraph device
o src: wg: Improve wg_peer_alloc() to simplify the calling
o src: bnxt_en: Retrieve maximum of 128 APP TLVs
o src: Revert "amd64 GENERIC: Switch uart hints from isa to acpi"
o ports: curl 8.13.0[3]
o ports: expat 2.7.1[4]
o ports: kea 2.6.2[5]
o ports: monit 5.35.1[6]
o ports: nss 3.110[7]
o ports: openssh 10.0p1[8]
o ports: php 8.3.20[9]
o ports: phalcon 5.9.3[10]
o ports: python 3.11.12[11]
o ports: unbound 1.23.0[12]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/25.1/net/ndproxy/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/25.1/www/squid/pkg-descr
[3] https://curl.se/changes.html#8_13_0
[4] https://github.com/libexpat/libexpat/blob/R_2_7_1/expat/Changes
[5] https://downloads.isc.org/isc/kea/2.6.2/Kea-2.6.2-ReleaseNotes.txt
[6] https://mmonit.com/monit/changes/
[7] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_110.html
[8] https://www.openssh.com/txt/release-10.0
[9] https://www.php.net/ChangeLog-8.php#8.3.20
[10] https://github.com/phalcon/cphalcon/releases/tag/v5.9.3
[11] https://docs.python.org/release/3.11.12/whatsnew/changelog.html
[12] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-23-0