OPNSense/core c35c8desrc/opnsense/mvc/app/controllers/OPNsense/Firewall FilterController.php

Firewall: Rules: Adapt getAdvancedIds() to the sectioned form structure introduced in 3d9cccfe (#10521)
DeltaFile
+4-4src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php
+4-41 files

OPNSense/core c5e4dffsrc/opnsense/mvc/app/controllers/OPNsense/Diagnostics/Api TrafficController.php, src/opnsense/scripts/interfaces traffic_stats.php

statistics: when interfaces disabled
DeltaFile
+4-1src/opnsense/mvc/app/controllers/OPNsense/Diagnostics/Api/TrafficController.php
+2-2src/opnsense/scripts/interfaces/traffic_stats.php
+6-32 files

OPNSense/core 8682ebasrc/opnsense/mvc/app/controllers/OPNsense/Firewall FilterController.php

Firewall: Rules: Adapt getAdvancedIds() to the sectioned form structure introduced in 3d9cccfe
DeltaFile
+4-4src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php
+4-41 files

OPNSense/core beb2226src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api GroupController.php

firewall: change interfage group render/apply order

Well, apply needs to be pushed to render interfaces.  Make
sure that we render before reloading filter which actually
calls ifgroup_setup() to rename groups.

(cherry picked from commit d47802bc88388fa5e26a07b9451b0ee63e971a0b)
(cherry picked from commit fa96a9a57b0d922c3642322c0c140c8995f14cdd)
DeltaFile
+6-12src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/GroupController.php
+6-121 files

OPNSense/core 68a9f7csrc/etc/inc interfaces.inc

interfaces: explicitly make explicit loopback network an actual loopback network

PR: https://forum.opnsense.org/index.php?topic=52341.0
(cherry picked from commit 6e18d2f5c9a886d075dc4f8eea371f6806396602)
DeltaFile
+1-1src/etc/inc/interfaces.inc
+1-11 files

OPNSense/core e9e3270src/opnsense/service/modules template.py

configd/templates - swap "strict" logic as it was reversed

(cherry picked from commit 27dcd10178d8a04534e50c753d732c80a74a5103)
DeltaFile
+1-1src/opnsense/service/modules/template.py
+1-11 files

OPNSense/core 6e18d2fsrc/etc/inc interfaces.inc

interfaces: explicitly make explicit loopback network an actual loopback network

PR: https://forum.opnsense.org/index.php?topic=52341.0
DeltaFile
+1-1src/etc/inc/interfaces.inc
+1-11 files

OPNSense/core 27dcd10src/opnsense/service/modules template.py

configd/templates - swap "strict" logic as it was reversed
DeltaFile
+1-1src/opnsense/service/modules/template.py
+1-11 files

OPNSense/core 1c2b98asrc/opnsense/mvc/app/models/OPNsense/Kea KeaDhcpv4.php KeaDhcpv6.php

Services: Kea DHCPv4/6: Switch custom DHCP option config generation to libdhcp_flex_option.so (#10514)

* Services: Kea DHCPv4: emit custom DHCPv4 options via flex-option hook

Route custom DHCPv4 option rows through libdhcp_flex_option instead of
regular option-data. The custom option framework (KeaOptionDataField) already serializes values
to final wire-format hex, but Kea's native option-data path still applies
built-in option definitions and may reinterpret or drop payloads for standard
or container options (e.g. 43 and 125).

Use flex-option supersede expressions to inject the serialized bytes directly
during response construction. Preserve the existing scoping model by translating
subnet scope to an additional class, and reservation scope to either MAC address
or client-id matching. Existing option match rules are kept as client-class
membership checks inside the same expression.

Built-in option_data fields remain unchanged and continue to use native Kea
option-data generation.

* Services: Kea DHCPv6: Add same flex option hook library support as in DHCPv4, with the limitation that it reservations need to be DUID based here.
DeltaFile
+70-43src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.php
+63-44src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.php
+133-872 files

OPNSense/core 7b32a46src/opnsense/mvc/app/models/OPNsense/Kea KeaDhcpv4.php KeaDhcpv6.php

shorten expression
DeltaFile
+1-5src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.php
+1-5src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.php
+2-102 files

OPNSense/core fa96a9asrc/opnsense/mvc/app/controllers/OPNsense/Firewall/Api GroupController.php

firewall: revisit previous

Well, apply needs to be pushed to render interfaces.  Make
sure that we render before reloading filter which actually
calls ifgroup_setup() to rename groups.
DeltaFile
+6-4src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/GroupController.php
+6-41 files

OPNSense/core d47802bsrc/opnsense/mvc/app/controllers/OPNsense/Firewall/Api GroupController.php

Revert "firewall: properly render groups on apply"

This reverts commit 6183fbe205f7df44fd249c8c19b554b871e4698a.
DeltaFile
+0-8src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/GroupController.php
+0-81 files

OPNSense/core 3b093cbsrc/opnsense/mvc/app/models/OPNsense/Kea KeaDhcpv6.php

Services: KEA DHCPv6: Add same flex option hook library support as in DHCPv4, with the limitation that it reservations need to be DUID based here.
DeltaFile
+67-44src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.php
+67-441 files

OPNSense/core 2bd5a37src/opnsense/mvc/app/models/OPNsense/Kea KeaDhcpv4.php

Add comment that explains that flex-option emission can be order sensitive in certain cases
DeltaFile
+5-1src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.php
+5-11 files

OPNSense/core ef0f8bcsrc/opnsense/mvc/app/controllers/OPNsense/Interfaces/Api AssignmentController.php, src/opnsense/mvc/app/models/OPNsense/Firewall Category.php Alias.php

firewall: fix one-to-one part of #10024

(cherry picked from commit a97ca7c0037f0790ff936e6b1e7a5901bee5b443)
DeltaFile
+2-2src/opnsense/mvc/app/controllers/OPNsense/Interfaces/Api/AssignmentController.php
+1-2src/opnsense/mvc/app/models/OPNsense/Firewall/Category.php
+1-1src/opnsense/mvc/app/models/OPNsense/Firewall/Alias.php
+1-1src/opnsense/mvc/app/models/OPNsense/Firewall/Group.php
+5-64 files

OPNSense/core cdd4f61src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api GroupController.php

firewall: properly render groups on apply

(cherry picked from commit 6183fbe205f7df44fd249c8c19b554b871e4698a)
DeltaFile
+8-0src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/GroupController.php
+8-01 files

OPNSense/core c69c7f3src/opnsense/mvc/app/controllers/OPNsense/Core/Api DashboardController.php, src/opnsense/www/js opnsense_widget_manager.js

dashboard: include interfaces widget in dashboard default. Closes https://github.com/opnsense/core/issues/10456

This is the only one that makes sense from a functional perspective.
While here, adjust the resize/style logic a bit such that
updates are also propagated on first load, which makes sure the
interfaces table renders the correct amount of columns to prevent
wasted space.

(cherry picked from commit 83236171bb98b61b2aeb97e273f8ee28a53385f8)
DeltaFile
+37-33src/opnsense/www/js/widgets/BaseTableWidget.js
+18-18src/opnsense/www/js/opnsense_widget_manager.js
+3-1src/opnsense/www/js/widgets/Interfaces.js
+2-1src/opnsense/mvc/app/controllers/OPNsense/Core/Api/DashboardController.php
+60-534 files

OPNSense/core b4afba8src/opnsense/mvc/app/models/OPNsense/Firewall Alias.php

firewall: adjust alias rename according to address_to_pconfig(); closes #10024

Looking at stable/25.7 where all three components where still in
the tree they all use the function which could potentially write
'address'.  It's better than not having those and strive for
consistency although in practice this will die with the removal
of legacy rules support.
DeltaFile
+6-3src/opnsense/mvc/app/models/OPNsense/Firewall/Alias.php
+6-31 files

OPNSense/core a97ca7csrc/opnsense/mvc/app/controllers/OPNsense/Interfaces/Api AssignmentController.php, src/opnsense/mvc/app/models/OPNsense/Firewall Category.php Group.php

firewall: fix one-to-one part of #10024
DeltaFile
+2-2src/opnsense/mvc/app/controllers/OPNsense/Interfaces/Api/AssignmentController.php
+1-2src/opnsense/mvc/app/models/OPNsense/Firewall/Category.php
+1-1src/opnsense/mvc/app/models/OPNsense/Firewall/Group.php
+1-1src/opnsense/mvc/app/models/OPNsense/Firewall/Alias.php
+5-64 files

OPNSense/core 6183fbesrc/opnsense/mvc/app/controllers/OPNsense/Firewall/Api GroupController.php

firewall: properly render groups on apply
DeltaFile
+8-0src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/GroupController.php
+8-01 files

OPNSense/core 8323617src/opnsense/mvc/app/controllers/OPNsense/Core/Api DashboardController.php, src/opnsense/www/js opnsense_widget_manager.js

dashboard: include interfaces widget in dashboard default. Closes https://github.com/opnsense/core/issues/10456

This is the only one that makes sense from a functional perspective.
While here, adjust the resize/style logic a bit such that
updates are also propagated on first load, which makes sure the
interfaces table renders the correct amount of columns to prevent
wasted space.
DeltaFile
+37-33src/opnsense/www/js/widgets/BaseTableWidget.js
+18-18src/opnsense/www/js/opnsense_widget_manager.js
+3-1src/opnsense/www/js/widgets/Interfaces.js
+2-1src/opnsense/mvc/app/controllers/OPNsense/Core/Api/DashboardController.php
+60-534 files

OPNSense/core 1e07b7fsrc/opnsense/mvc/app/models/OPNsense/Kea KeaDhcpv4.php

Services: Kea DHCPv4: emit custom DHCPv4 options via flex-option hook

Route custom DHCPv4 option rows through libdhcp_flex_option instead of
regular option-data. The custom option framework already serializes values
to final wire-format hex, but Kea's native option-data path still applies
built-in option definitions and may reinterpret or drop payloads for standard
or container options.

Use flex-option supersede expressions to inject the serialized bytes directly
during response construction. Preserve the existing scoping model by translating
subnet scope to an additional class, and reservation scope to either MAC address
or client-id matching. Existing option match rules are kept as client-class
membership checks inside the same expression.

Built-in option_data fields remain unchanged and continue to use native Kea
option-data generation.
DeltaFile
+70-43src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.php
+70-431 files

OPNSense/core 96ad1d3src/opnsense/scripts/firmware read.sh config.sh

firmware: cleansing using output_cmd is futile

Move the code back to where it was in early 26.1.  A number of
regressions could have been avoided.  The last straw was buffering
of "." characters for fetching.

The read-guard is still effective.  As it reads the file it does
not need to run unbuffered.  GUI reads are still properly filtered.

(cherry picked from commit 1eaefb6bc81052c5454d20333cbc32d1c1392ee1)
DeltaFile
+1-5src/opnsense/scripts/firmware/read.sh
+2-3src/opnsense/scripts/firmware/config.sh
+3-82 files

OPNSense/core 73b9ad0src/opnsense/mvc/app/models/OPNsense/Monit Monit.xml

monit: fix mail-format and poll-time validation; closes #10498

(cherry picked from commit d930c0412d7e472b48e11c0c91cf73a3620067dd)
DeltaFile
+6-1src/opnsense/mvc/app/models/OPNsense/Monit/Monit.xml
+6-11 files

OPNSense/core 8eada1fsrc/opnsense/mvc/app/models/OPNsense/Unbound Unbound.xml

Services: Unbound DNS: Overrides - missing NetMaskAllowed=N on override address, closes https://github.com/opnsense/core/issues/10499

(cherry picked from commit 0633bfa54f7949fdac75d871fc915ed6ec6ad58e)
DeltaFile
+1-0src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
+1-01 files

OPNSense/core 9ea17c6.github pull_request_template.md, .github/ISSUE_TEMPLATE bug_report.md feature_request.md

github: add AI disclosure to issue templates

As the growing conclusions on bug reports look to be AI suggestions
that can make oblivious claims according to how the user steeres
the scope to the core repo it's better to (try to) make this visible.

(cherry picked from commit 241088f1fdd1154291feec2c6a0f14be067f115a)
DeltaFile
+6-0.github/ISSUE_TEMPLATE/bug_report.md
+6-0.github/ISSUE_TEMPLATE/feature_request.md
+6-0.github/ISSUE_TEMPLATE/question.md
+1-1.github/pull_request_template.md
+19-14 files

OPNSense/core f6717ba. AGENTS.md

git: create AGENTS.md with agent guidelines (#10507)

Added guidelines for coding agents working on the OPNsense core repository, including mission, core principles, architecture, code style, security expectations, and review checklist.

(cherry picked from commit 094ca0fff425ea1dcd7120cc6454b769542a7a55)
DeltaFile
+98-0AGENTS.md
+98-01 files

OPNSense/core f914914src/opnsense/mvc/app/library/OPNsense/Firewall FilterRule.php

firewall: avoid emitting reply-to on block rules as well (#10513)

Remove reply-to the same way that 20070de did it for route-to.

(cherry picked from commit d35b281636be5b06c7cb41e75603d36003a8d525)
DeltaFile
+3-3src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
+3-31 files

OPNSense/core d35b281src/opnsense/mvc/app/library/OPNsense/Firewall FilterRule.php

firewall: avoid emitting reply-to on block rules as well (#10513)

Remove reply-to the same way that 20070de did it for route-to.
DeltaFile
+3-3src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
+3-31 files

OPNSense/core 33d4828src/opnsense/mvc/app/library/OPNsense/Firewall FilterRule.php

firewall: reply-to also needs to be removed
DeltaFile
+3-3src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
+3-31 files