OPNsense 22.1 released

jan 27, 2022

OPNsense 22.1 "Observant Owl" released

Hi there,

For more than 7 years now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, fast adoption
of upstream software updates as well as clear and stable 2-Clause BSD
licensing.

22.1, nicknamed "Observant Owl", features the upgrade to FreeBSD 13,
switch to logging supporting RFC 5424 with severity filtering, improved
tunable sysctl value integration, faster boot sequence and interface
initiation and dynamic IPv6 host alias support amongst others.

On the flip side major operating system changes bear risk for regression
and feature removal, e.g. no longer supporting insecure cryptography in
the kernel for IPsec and switching the Realtek vendor driver back to its
FreeBSD counterpart which does not yet support the newer 2.5G models.
Circular logging support has also been removed.  Make sure to read the
known issues and limitations below before attempting to upgrade.

Download links, an installation guide[1] and the checksums for the images
can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/22.1/
o US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/22.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/22.1/
o South America: http://mirror.ueb.edu.ec/opnsense/releases/22.1/
o East Asia: https://mirror.ntct.edu.tw/opnsense/releases/22.1/
o Full mirror list: https://opnsense.org/download/

Here are the full patch notes against version 21.7.7:

o system: improved visibility and flexibility of tunables
o system: move multiple sysctl manipulations to tunables framework to allow overriding them
o system: prevent more than one default route by default
o system: sync recovery utility contents with FreeBSD 13
o system: prevent syslog-ng from crashing after update due to "syslog-ng-ctl reload" use
o system: add severity to syslog output and allow to filter for it
o system: create latest.log links for easier log consumption
o system: added opnsense-log utility to inspect logs on the console
o system: removed circular logging support
o system: background all cron backend command invokes
o system: unified cron start between legacy and MVC components
o system: improve the fallback after failing to look up specific IPv4 address match for dpinger
o system: use correct IPv6 interface for dpinger gateway monitoring when using 6RD
o system: default net.inet6.ip6.intr_queue_maxlen to 1000 like its IPv4 counterpart
o system: default net.inet6.ip6.redirect to off like its IPv4 counterpart
o system: fix potential issues with "search" syntax in resolv.conf
o system: fix general settings PHP warnings that only appear when validation fails
o system: allow additional search domain (Pierre Fevre)
o system: make /var MFS work when /var directories are mount points, e.g. on ZFS
o system: optionally disconnect PPP interfaces when going into CARP backup mode
o system: fix new PPP CARP hook function call (contributed by Markus Reiter)
o system: separate core and thread count in information widget
o system: MSDOS file system awareness in information widget for new /boot/efi partition
o system: no longer display duplicated mounted partitions on the dashboard
o system: remove spurious XML validation that cannot cope with attributes from backup restore
o system: refactor GUI rebind protection and remove its os-dyndns/os-rfc2136 references
o reporting: fix display of total in/out traffic values
o interfaces: LAGG support in console port assignment (contributed by sarthurdev)
o interfaces: improve LAGG/VLAN assignments via console option
o interfaces: repair get_interface_list() for console use
o interfaces: aligned the name and use of special /tmp files for internal interface handling
o interfaces: correctly write nameserverv6 and searchdomainv6 information on dhcp6c lease acquire
o interfaces: make cache IP files exclusive to rc.newwan and rc.newwanv6 scripts to avoid missing IP changes
o interfaces: refactored linkup event handler to avoid unnecessary recursion in the code
o interfaces: removed opportunistic functions find_interface_ip(), find_interface_ipv6() and find_interface_ipv6_ll()
o interfaces: get_interface_ip() and get_interface_ipv6() now return a valid IP address if one was given to support VIP aliases
o interfaces: interfaces_addresses() can now map a configuration interface to returned addresses to track its origin
o interfaces: VIPs now support the "no bind" option to exclude them from automatic service use when configured
o interfaces: interfaces_primary_address() is now being used like its IPv6 equivalent throughout the code
o interfaces: interfaces_primary_address6() is now considering addresses from tracking interfaces when needed
o interfaces: interfaces_scoped_address6() is now being used throughout the code
o interfaces: "tentative" state now leads to the address being ignored during configuration like "deprecated"
o interfaces: removed unmaintained 3G statistics gathering for Huawei modems that could lock up other modems
o interfaces: reworked interface creation on boot up
o interfaces: spoof MAC now only applies to actual interface and not all of its VLAN siblings or parent
o interfaces: added permanent promiscuous mode setting
o interfaces: add the interface description via ifconfig to its respective device
o interfaces: stop special treatment of bridge interfaces on linkup
o interfaces: improve validations and fix defaults for bridges
o interfaces: allow bridges to attach to VXLAN on boot
o interfaces: background all interface reconfiguration script hooks
o interfaces: no longer allow and apply media configuration for non-parent devices
o interfaces: removed restriction from interfaces without configuration to not being able to hold VIPs
o interfaces: remove defunct link support for GRE
o interfaces: align GIF configuration with base system options
o firewall: properly kill all connections from and to a WAN IPv4 on an address change
o firewall: skip rule ID for NAT type log entries (contributed by kulikov-a)
o firewall: display interface descriptions on normalisation rules (contributed by vnxme)
o firewall: dynamic IPv6 host alias support (contributed by Team Rebellion)
o firewall: removed obsolete kill states option on gateway failure
o firewall: removed the $aliastable cache
o firewall: support "no scrub" option in normalisation rules
o firewall: correctly handle IPv6 NAT in states view
o firewall: plain log default logging severity selection is now "informational"
o firewall: improve maximum shaper value validation and add Gbit/s support
o captive portal: prevent session removal crashing when no IP address was registered
o dhcp: allow for ARM architectures in network boot options (contributed by Keith Cirkel)
o dhcp: allow router advertisements to use a specific link-local VIP alias
o dhcp: refactor the IPv4 and IPv6 configuration pages and add minimal subnet size requirement hints
o dhcp: rework router advertisement "static" mode flags to separate advanced options
o dnsmasq: fix all-server overwriting strict-order configuration directive (contributed by Christian Tramnitz)
o dnsmasq: no-hosts option (contributed by agh1467)
o firmware: add a "status_reboot" variable to API return data to make clear it belongs to the offered minor update or major upgrade
o firmware: add random delays to existing firmware cron jobs to avoid update server load spikes
o firmware: added an automatic cron job to fetch changelog daily to use it as a lightweight check for updates on the dashboard
o firmware: implement cross-ABI reinstall of all packages for future use
o firmware: opnsense-update: exclude /boot/efi permission reset from base set extract
o firmware: removed obsolete business repository fingerprints and added 22.1 fingerprint
o firmware: return product info for status endpoint even when no firmware check was done
o installer: fix installation of rc.conf keymap setting selected earlier during installation
o installer: add EFI partition as a default mount point
o installer: increase EFI partition size to 260 MB
o installer: improve disk and ZFS pool scan and display
o intrusion detection: prevent config migration from crashing
o intrusion detection: update to ET-Open to version 6
o ipsec: update security of default settings when creating new phase 1 and 2
o ipsec: remove hashes and algorithms no longer supported by FreeBSD 13
o ipsec: migrated tunnel settings page to MVC
o lang: update translations for Chinese, French, German, Italian, Japanese, Norwegian, Spanish, and Turkish
o lang: demote Italian to development-only language due to lowered translation ratio
o monit: move logging to own target
o network time: add iburst option and stop using it by default (contributed by Patrick M. Hausen)
o network time: detach "limited" from "kod" option (contributed by Zsolt Zsiros)
o network time: remove PID file use as it can be unreliable
o openvpn: kill by common name when kill by address does not work
o unbound: disable do-not-query-localhost on local address server use
o unbound: update DNS with hostname-only static entries (contributed by Gareth Owen)
o update: opnsense-bootstrap: -z snapshot mode
o update: opnsense-bootstrap: improved type detection
o update: opnsense-code: -r for repository removal
o update: opnsense-fetch: emit error message of failed download
o update: opnsense-update: handle kernel debug directory like /boot/kernel
o update: opnsense-update: removed "firmware-upgrade" file support
o update: opnsense-verify: synced shared code with FreeBSD 13
o backend: unify use of configctl utility
o images: removed deprecated os-dyndns plugin from default installation
o mvc: fix logging of configd errors
o mvc: Add BlankDesc to ModelRelationField (contributed by agh1467)
o mvc: emulation versioning empty nodes for the legacy configuration sections
o mvc: add getInterfaceConfig endpoint to interface API (contributed by Paolo Asperti)
o mvc: add hint support for text fields (contributed by agh1467)
o ui: add support for terabytes, and petabytes to format_bytes() (contributed by agh1467)
o ui: universal striping adjustment for MVC components (contributed by kulikov-a)
o ui: move storing jQuery Bootgrid settings in browser from core to bootgrid (contributed by Manuel Faux)
o src: FreeBSD 13-STABLE as of 4ee9fbcd853
o src: migrated to LUA boot loader (contributed by Kyle Evans)
o src: revert upstream permission change for /root directory
o src: fix kernel build creating wrong linkers.hint file
o src: carp: fix send error demotion recovery
o src: ixgbe: prevent subsequent I2C bus read timeouts
o src: reworked shared forwarding
o plugins: os-acme-client 3.8[2]
o plugins: os-bind 1.20[3]
o plugins: os-ddclient 1.0 as an eventual replacement for os-dyndns
o plugins: os-dyndns adds local copy of get_dyndns_ip()
o plugins: os-freeradius 1.9.18[4]
o plugins: os-frr 1.26[5]
o plugins: os-haproxy 3.10[6]
o plugins: os-nginx 1.26[7]
o plugins: os-openconnect 1.4.2[8]
o plugins: os-postfix 1.21[9]
o plugins: os-rfc2136 adds local copy of get_dyndns_ip()
o plugins: os-telegraf 1.12.4[10]
o plugins: os-wireguard 1.10[11]
o plugins: os-wol adds cron support for wake action (contributed by digitalshow)
o plugins: os-zabbix-proxy 1.7[12]
o ports: expat 2.4.2[13]
o ports: filterlog 0.6[14]
o ports: flock 2.37.2
o ports: hostapd 2.10[15]
o ports: lighttpd 1.4.63[16]
o ports: nss 3.74[17]
o ports: openssl 1.1.1m[18]
o ports: openvpn 2.5.5[19]
o ports: pecl-psr 1.2.0[20]
o ports: phalcon 4.1.3[21]
o ports: php 7.4.27[22]
o ports: pkg fixes validation failures on HTTPS fetch in static binary[23]
o ports: sqlite 3.37.2[24]
o ports: syslog-ng 3.35.1[25]
o ports: unbound 1.14.0[26]
o ports: wpa_supplicant 2.10[27]

Known issues and limitations:

o This release contains a new major operating system version and should be carried out with the necessary care.  Despite extended test coverage changes made by FreeBSD may still affect operation without our knowledge.  Except for ZFS boot environments rollbacks between major operating system versions are extremely fragile and a reinstall of an older version should be attempted in the worst case.  For more information please consult the FreeBSD 13.0 release notes[28].
o IPsec hash and cipher removals in FreeBSD 13 can affect existing setups as insecure cryptographic options have been removed upstream.  If you are using MD5, Blowfish, DES, 3DES, or CAST128 in your phase 2 please move to more secure settings prior to the upgrade.  Note that phase 1 settings are unaffected, but insecure settings should still be avoided.  For more information see the FreeBSD commit in question[29].
o The Realtek vendor driver is no longer bundled with the updated FreeBSD kernel.  If unsure whether FreeBSD 13 supports your Realtek NIC please install the os-realtek-re plugin prior to upgrading to retain operability of your NICs.
o MAC spoofing now only pertains to the configured interface and not the VLAN siblings or parent interface.  This can introduces unwanted configuration due to previous side effects in the code.  Make sure to assign and set the spoofed MAC for all interfaces that require a spoofed MAC.
o Media settings are no longer shown for non-parent interfaces and need to be set individually to take effect.  This can introduce unwanted configuration due to previous side effects in the code.  If the parent interface was not previously assigned please assign it to reapply the required media settings.
o NTPD defaults changed to exclude the "iburst" option by default.  "limited" setting was detached from "kod" option.  In both cases configuration adjustments can achieve previous behaviour if required.
o Rebind checks through os-dyndns or os-rfc2136 will no longer work due to the deprecation of both plugins.  Please add your rebind hosts manually or disable rebind protection prior to the upgrade.
o GRE link1 support has been removed and needs a static route to function now.
o Circular logging support has been removed.  No user interaction is required.

Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/install.html
[2] https://github.com/opnsense/plugins/blob/stable/22.1/security/acme-client/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/22.1/dns/bind/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/22.1/net/freeradius/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/22.1/net/frr/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/22.1/net/haproxy/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/22.1/www/nginx/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/22.1/security/openconnect/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/22.1/mail/postfix/pkg-descr
[10] https://github.com/opnsense/plugins/blob/stable/22.1/net-mgmt/telegraf/pkg-descr
[11] https://github.com/opnsense/plugins/blob/stable/22.1/net/wireguard/pkg-descr
[12] https://github.com/opnsense/plugins/blob/stable/22.1/net-mgmt/zabbix-proxy/pkg-descr
[13] https://github.com/libexpat/libexpat/blob/R_2_4_2/expat/Changes
[14] https://github.com/opnsense/ports/commit/2e27655d84
[15] https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
[16] https://www.lighttpd.net/2021/12/4/1.4.63/
[17] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.74_release_notes
[18] https://www.openssl.org/news/openssl-1.1.1-notes.html
[19] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25#Changesin2.5.5
[20] https://pecl.php.net/package-changelog.php?package=psr&release=1.2.0
[21] https://github.com/phalcon/cphalcon/releases/tag/v4.1.3
[22] https://www.php.net/ChangeLog-7.php#7.4.27
[23] https://cgit.freebsd.org/ports/commit/?id=08342c9812d
[24] https://sqlite.org/releaselog/3_37_2.html
[25] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.35.1
[26] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-14-0
[27] https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog
[28] https://www.freebsd.org/releases/13.0R/relnotes/
[29] https://github.com/opnsense/src/commit/16aabb761c0a