OPNSense/core cdde24b Mk lint.mk, Scripts class-import.sh

lint: Add linter that finds unused imports in php classes
Delta File
+49 -0 Scripts/class-import.sh
+4 -1 Mk/lint.mk
+53 -1 2 files

OPNSense/core e2bfad3 src/opnsense/mvc/app/controllers/OPNsense/IDS/Api SettingsController.php, src/opnsense/mvc/app/controllers/OPNsense/Monit/Api SettingsController.php

mvc: Remove UIModelGrid imports in IDS, Monit, Syslog SettingsController, unused
Delta File
+0 -1 src/opnsense/mvc/app/controllers/OPNsense/Monit/Api/SettingsController.php
+0 -1 src/opnsense/mvc/app/controllers/OPNsense/Syslog/Api/SettingsController.php
+0 -1 src/opnsense/mvc/app/controllers/OPNsense/IDS/Api/SettingsController.php
+0 -3 3 files

OPNSense/core b605816 src/etc/inc/plugins.inc.d radvd.inc

radvd: skipping disabled needs ignore list population too #10044
Delta File
+5 -3 src/etc/inc/plugins.inc.d/radvd.inc
+5 -3 1 files

OPNSense/core fff53c4 src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes BaseListField.php

mvc: BaseListField replace empty check with isSet so a 0 value is considered a non empty selection (#10047)
Delta File
+1 -1 src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/BaseListField.php
+1 -1 1 files

OPNSense/core 66eafc3 src/etc/inc/plugins.inc.d radvd.inc

radvd: match radvd_enable() more closely for #10044

Users are confused why they can add an entry but their settings are not
being used.  This is specifically wrong according to the inventor of
"dhcpd6track6allowoverride" as it circumvents half of its use cases but
more closely matches user expectation.

May cause regression for some people, but not much we can do here other
than not doing it.
Delta File
+4 -7 src/etc/inc/plugins.inc.d/radvd.inc
+4 -7 1 files

OPNSense/core 8c21361 src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms dialogFilterRule.xml dialogNptRule.xml, src/opnsense/mvc/app/views/OPNsense/Firewall filter_rule.volt

Firewall: Remove tokenizer from categories and use selectpicker instead (#10049)

The issue with the tokenizer is the limit of items that is set to 10 per default, which does not always display all items. And you can increase it, but that also needs CSS changes. Additionally the tokenizer is not maintained anymore, and needs replacement. Cutting it out here decreases the need to clean this up later.

The fix here is that now all categories will be displayed and are searchable via the normal selectpicker search field.
Delta File
+2 -8 src/opnsense/mvc/app/views/OPNsense/Firewall/filter_rule.volt
+0 -1 src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
+0 -1 src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml
+0 -1 src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogOneToOneRule.xml
+0 -1 src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogSNatRule.xml
+0 -1 src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogDNatRule.xml
+2 -13 6 files

OPNSense/core 8158609 src/opnsense/mvc/app/views/OPNsense/Firewall filter_rule.volt

Did not want to remove that newline
Delta File
+1 -0 src/opnsense/mvc/app/views/OPNsense/Firewall/filter_rule.volt
+1 -0 1 files

OPNSense/core 5d2fe0b src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms dialogNptRule.xml dialogOneToOneRule.xml, src/opnsense/mvc/app/views/OPNsense/Firewall filter_rule.volt nat_rule.volt

Remove tokenizer from categories in filter and nat rules, to natively display all items without workarounds
Delta File
+2 -16 src/opnsense/mvc/app/views/OPNsense/Firewall/filter_rule.volt
+0 -5 src/opnsense/mvc/app/views/OPNsense/Firewall/nat_rule.volt
+0 -2 src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml
+0 -2 src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogOneToOneRule.xml
+0 -2 src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogSNatRule.xml
+0 -2 src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
+2 -29 1 files not shown
+2 -31 7 files

OPNSense/core 88f5861 src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms dialogNptRule.xml dialogOneToOneRule.xml, src/opnsense/mvc/app/views/OPNsense/Firewall filter_rule.volt nat_rule.volt

Firewall: Allow more items inside the category tokenizer dropdown
Delta File
+7 -0 src/opnsense/mvc/app/views/OPNsense/Firewall/filter_rule.volt
+5 -0 src/opnsense/mvc/app/views/OPNsense/Firewall/nat_rule.volt
+1 -0 src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml
+1 -0 src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogOneToOneRule.xml
+1 -0 src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogSNatRule.xml
+1 -0 src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
+16 -0 1 files not shown
+17 -0 7 files

OPNSense/core 9ed8513 src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes BaseSetField.php, src/opnsense/mvc/app/models/OPNsense/Kea KeaDhcpv6.php KeaDhcpv4.php

kea: move pool-in-subnet validation logic mostly to KeaPoolsField; closes #10040

While here use getValues() consistently and move the trim() calls to the
latest point in time to avoid generalized trimming of input (the subnet
notation isn't allowed to be trimmed).

An alternative would have been to allow " ?- ?" as a split-regex since the
trim() itself will allow the leading and trailing whitespaces of the pool line,
too.

Suggested by: @Astranox
Delta File
+32 -6 src/opnsense/mvc/app/models/OPNsense/Kea/FieldTypes/KeaPoolsField.php
+6 -16 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.php
+1 -1 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.php
+1 -1 src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/BaseSetField.php
+40 -24 4 files

OPNSense/core 71ae01f src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes BaseSetField.php, src/opnsense/mvc/app/models/OPNsense/Kea KeaDhcpv6.php

kea: move pool-in-subnet validation logic mostly to KeaPoolsField
Delta File
+32 -6 src/opnsense/mvc/app/models/OPNsense/Kea/FieldTypes/KeaPoolsField.php
+5 -15 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.php
+1 -1 src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/BaseSetField.php
+38 -22 3 files

OPNSense/core 234274f src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes BaseSetField.php, src/opnsense/mvc/app/models/OPNsense/Kea KeaDhcpv6.php

kea: move pool-in-subnet validation logic mostly to KeaPoolsField
Delta File
+40 -14 src/opnsense/mvc/app/models/OPNsense/Kea/FieldTypes/KeaPoolsField.php
+5 -15 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.php
+1 -1 src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/BaseSetField.php
+46 -30 3 files

OPNSense/core 4c50808 src/opnsense/mvc/app/models/OPNsense/Kea KeaDhcpv6.php

foo
Delta File
+1 -1 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.php
+1 -1 1 files

OPNSense/core b56c929 src/opnsense/mvc/app/models/OPNsense/Base Validation.php

avoid stacking messages optionally
Delta File
+11 -2 src/opnsense/mvc/app/models/OPNsense/Base/Validation.php
+11 -2 1 files

OPNSense/core e8b2f30 src/opnsense/mvc/app/models/OPNsense/Kea KeaDhcpv6.php

kea: tweak messages
Delta File
+2 -2 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.php
+2 -2 1 files

OPNSense/core 6eca63e src/opnsense/mvc/app/models/OPNsense/Kea/FieldTypes KeaPoolsField.php

foo
Delta File
+1 -1 src/opnsense/mvc/app/models/OPNsense/Kea/FieldTypes/KeaPoolsField.php
+1 -1 1 files

OPNSense/core 6c17c84 src/opnsense/mvc/app/models/OPNsense/Kea/FieldTypes KeaPoolsField.php

kea: iterateinput does not filter empty strings
Delta File
+3 -0 src/opnsense/mvc/app/models/OPNsense/Kea/FieldTypes/KeaPoolsField.php
+3 -0 1 files

OPNSense/core 28758c5 src/opnsense/mvc/app/models/OPNsense/Kea/FieldTypes KeaPoolsField.php

fix issue
Delta File
+1 -1 src/opnsense/mvc/app/models/OPNsense/Kea/FieldTypes/KeaPoolsField.php
+1 -1 1 files

OPNSense/plugins d0d9a7f net/frr pkg-descr Makefile, net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms bgp.xml

net/frr: add BGP maximum-paths support for ECMP (#5340)
Delta File
+14 -0 net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
+10 -0 net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+6 -0 net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+4 -0 net/frr/pkg-descr
+1 -1 net/frr/Makefile
+35 -1 5 files

OPNSense/core e886104 src/opnsense/mvc/app/models/OPNsense/Kea/FieldTypes KeaPoolsField.php

foo
Delta File
+1 -1 src/opnsense/mvc/app/models/OPNsense/Kea/FieldTypes/KeaPoolsField.php
+1 -1 1 files

OPNSense/core 9673e7d src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes BaseSetField.php, src/opnsense/mvc/app/models/OPNsense/Kea KeaDhcpv6.php

kea: move pool-in-subnet validation logic mostly to KeaPoolsField
Delta File
+37 -14 src/opnsense/mvc/app/models/OPNsense/Kea/FieldTypes/KeaPoolsField.php
+4 -14 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.php
+1 -1 src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/BaseSetField.php
+42 -29 3 files

OPNSense/core fa2794b src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes BaseListField.php

mvc: BaseListField replace empty check with isSet so a 0 value is considered a non empty selection
Delta File
+1 -1 src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/BaseListField.php
+1 -1 1 files

OPNSense/plugins fd6d2de net-mgmt/telegraf pkg-descr, security/clamav pkg-descr

plugins: use Konstantinos' real name in historic mentions (#5352)
Delta File
+1 -1 net-mgmt/telegraf/pkg-descr
+1 -1 security/clamav/pkg-descr
+2 -2 2 files

OPNSense/plugins 3ec12a4 .github pull_request_template.md

Contributing: typo (#5351)
Delta File
+1 -1 .github/pull_request_template.md
+1 -1 1 files

OPNSense/core f5c3fb7 src/opnsense/mvc/app/models/OPNsense/Kea KeaDhcpv4.xml KeaDhcpv6.xml

kea: small xml style update in model
Delta File
+1 -2 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.xml
+1 -2 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.xml
+2 -4 2 files

OPNSense/src 1ac8487 . UPDATING, sys/conf newvers.sh

Add UPDATING entries and bump version

Approved by:    so
Delta File
+8 -0 UPDATING
+1 -1 sys/conf/newvers.sh
+9 -1 2 files

OPNSense/src 4a49bf4 lib/librpcsec_gss svc_rpcsec_gss.c, sys/rpc/rpcsec_gss svc_rpcsec_gss.c

rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()

svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough.  Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.

Add a runtime check which verifies that the copy won't overflow.

Approved by:    so
Security:       FreeBSD-SA-26:08.rpcsec_gss
Security:       CVE-2026-4747
Reported by:    Nicholas Carlini <npc at anthropic.com>
Reviewed by:    rmacklem
Fixes:          a9148abd9da5d
Delta File
+9 -1 sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
+8 -1 lib/librpcsec_gss/svc_rpcsec_gss.c
+17 -2 2 files

OPNSense/src afd6de9 sys/netinet tcp_subr.c

tcp: plug an mbuf leak

When a challenge ACK should be sent via tcp_send_challenge_ack(),
but the rate limiter suppresses the sending, free the mbuf chain.
The caller of tcp_send_challenge_ack() expects this similar to the
callers of tcp_respond().

Approved by:    so
Security:       FreeBSD-SA-26:06.tcp
Security:       CVE-2026-4247
Reviewed by:    lstewart
Tested by:      lstewart
Sponsored by:   Netflix, Inc.
Delta File
+2 -0 sys/netinet/tcp_subr.c
+2 -0 1 files

OPNSense/core 14c9eb1 src/opnsense/mvc/app/controllers/OPNsense/Kea/forms dialogSubnet4.xml dialogSubnet6.xml, src/opnsense/mvc/app/models/OPNsense/Kea KeaDhcpv6.php KeaDhcpv4.php

Services: Kea: DDNS: Add subnet specific qualifying suffix and prevent updates if no server is set. (#10038)
Delta File
+12 -4 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.php
+12 -4 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.php
+10 -1 src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/dialogSubnet4.xml
+10 -1 src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/dialogSubnet6.xml
+1 -0 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.xml
+1 -0 src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.xml
+46 -10 6 files

OPNSense/src ff0b11e . UPDATING, sys/conf newvers.sh

Add UPDATING entries and bump version

Approved by:    so
Delta File
+11 -0 UPDATING
+1 -1 sys/conf/newvers.sh
+12 -1 2 files