New OPNsense Release

OPNsense 21.1.3 released

Hello, hello,

Today we move ahead with the firmware UI and API rework as we are happy
with the new user experience.  You will also notice the new plugin conflict
dialog which will report that plugins have been installed previously but
not registered in the configuration.  This can be easily amended by resetting
the local conflicts, which essentially accepts the current plugin
configuration as the new default.

The HAProxy plugin was updated to version 3.0.  This release marks the
switch to the HAProxy 2.2 release series, which may result in incompatible
changes for some users.  Many new features were also added, including the
possibility to update SSL certificates at runtime.  These features should
be considered experimental.  We encourage everyone to install this version
in a test environment before using it in production.  As usual, please have
a look at the plugin changes[1] and report bugs on GitHub.

Here are the full patch notes:

o system: prevent duplicate dashboard traffic pollers mangling with the graphs
o system: added cron job "HA update and reconfigure backup"
o system: unify HA sync sections and remove legacy blocks
o system: adapt lighttpd ssl.privkey approach
o system: correctly remove routing entries directly connected to an interface
o interfaces: correct dhcp6c configuration issue on PPPoE link down (contributed by Team Rebellion)
o interfaces: better primary IPv6 address detection in diagnostic tools
o interfaces: handle disabled interfaces in overview
o interfaces: drop early return in PPPoE link down
o interfaces: remove unused global definitions
o firewall: typo in outbound alias use (contributed by kulikov-a)
o firewall: rules icon color after toggle fix (contributed by kulikov-a)
o reporting: prevent crash when NetFlow attributes are missing
o reporting: aggregate iftop results for traffic graphs
o firmware: opnsense-bootstrap shellcheck audit (contributed by Michael Adams)
o firmware: revamp the UI and API
o firmware: revoke old business key
o intrusion detection: add new Abuse.ch feed ThreatFox to detect indicators of compromise
o intrusion detection: make manual rule status boolean for policies (contributed by kulikov-a)
o ipsec: calculate netmask for provided tunnel addresses when using VTI
o ipsec: do not pin reqid in case of mobile connections
o openvpn: extend compression options (contributed by vnxme)
o unbound: handle DHCP client expiring and returning (contributed by Gareth Owen)
o ui: refactor bootgrid usage in ARP, NDP, captive portal session, system activity and routes
o ui: align layouts of select_multiple and dropdown types
o plugins: os-haproxy 3.0[1]
o plugins: os-nginx 1.21[2]
o plugins: os-node_exporter 1.1[3]
o src: jail: Handle a possible race between jail_remove(2) and fork(2)[4]
o src: jail: Change both root and working directories in jail_attach(2)[5]
o src: x86: free microcode memory later[6]
o src: xen-blkback: fix leak of grant maps on ring setup failure[7]
o src: rtsold: auto-probe point to point interfaces
o src: growfs: update check-hash when doing large filesystem expansions
o src: axgbe: change default parameters to prevent manual tunable settings
o src: arp: avoid segfaulting due to out-of-bounds memory access
o ports: cpdup 1.22[8]
o ports: krb5 1.19.1[9]
o ports: nss 3.62[10]
o ports: pkg now provides fallback for version mismatch on pkg-add
o ports: python 3.7.10[11]
o ports: syslog-ng 3.31.1[12]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/21.1/net/haproxy/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/21.1/www/nginx/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/21.1/sysutils/node_exporter/pkg-descr
[4] https://www.freebsd.org/security/advisories/FreeBSD-SA-21:04.jail_remove.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-SA-21:05.jail_chdir.asc
[6] https://www.freebsd.org/security/advisories/FreeBSD-EN-21:06.microcode.asc
[7] https://www.freebsd.org/security/advisories/FreeBSD-SA-21:06.xen.asc
[8] https://github.com/DragonFlyBSD/cpdup/releases/tag/v1.22
[9] https://web.mit.edu/kerberos/krb5-1.19/
[10] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.62_release_notes
[11] https://docs.python.org/release/3.7.10/whatsnew/changelog.html#changelog
[12] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.31.1