Page MenuHomeSoftware Heritage

Upgrade the firewalls to version 21.5.1
Closed, ResolvedPublic


A new version of OPNSence is available.

It will allow to write the upgrade procedure at the same time (T3203)

Event Timeline

vsellier changed the task status from Open to Work in Progress.Tue, May 4, 1:05 PM
vsellier triaged this task as Normal priority.
vsellier created this task.
vsellier moved this task from Backlog to in-progress on the System administration board.
vsellier updated the task description. (Show Details)

changelog for the 21.1.5 version

Good day everyone,

This is mainly a security and reliablility update. There are several FreeBSD security advisories and updates for third party tools such as curl.

The historic bsdinstaller has been replaced by a scriptable alternative based on the readily available bsdinstall bundled with the base system. And, yes, this brings ZFS installer support into the upcoming 21.7 release.

On the development side the migration to Phalcon 4 framework is now underway and brings improved UI/API responsiveness. One of the remaining road map goals is the migration to PHP 7.4 which can be carried out after said framework update is complete and released.

Here are the full patch notes:

system: return authentication errors for RADIUS also
system: better logic for serial console options -h and -D
system: reorder loader.conf settings to let tunables override all
system: lighttpd include directory for configuration (contributed by Greelan)
system: remove /dev/crypto GUI support
system: add route address family return on dynamic gateway
system: allow CPU temperature display in Fahrenheit in widget (contributed by Team Rebellion)
system: performance enhancement for local_sync_accounts()
system: move extensions out of a certificate DN (contributed by kulikov-a)
interfaces: treat deprecated addresses as non-primary
interfaces: improve guess_interface_from_ip() (contributed by vnxme)
firewall: resolve IP addresses in kernel for force gateway rule
firewall: use tables in the shaper to avoid breaking ipfw with too many addresses
firewall: clarify help text for firewall rules traffic direction (contributed by Greelan)
firewall: sticky filter-rule-association setting for none/pass on copied items
firewall: copy and paste for alias content (contributed by kulikov-a)
firewall: improve loopack visibility
reporting: format 24 hour timestamps in traffic graphs and widget
dhcp: add dhcpd_staticmap() and fix DHCPv6 leases page with it
dhcp: add "none" option to gateway setting of static mappings
firmware: fix bug with subscription read from mirror URL
firmware: separate update error for "forbidden"
firmware: update error if upstream core package is missing yet installed
installer: migrate to scripted solution using bsdinstall
ipsec: validation to prevent saving of route-based tunnels with "install policy" set
unbound: prefer domain list over host file format (contributed by Gareth Owen)
rc: attempt to create /tmp if it does not exist
rc: add opensolaris module load for ZFS
rc: reverse list on stop action
ui: prevent autocomplete in the quick navigation
plugins: os-bind 1.17[1]
plugins: os-chrony 1.2[2]
plugins: os-debug 1.4 changes debugging profile to new version
plugins: os-freeradius 1.9.11[3]
plugins: os-haproxy 3.2[4]
plugins: os-intrusion-detection-content-et-open 1.0
plugins: os-maltrail 1.7[5]
plugins: os-netdata 1.1[6]
plugins: os-nginx 1.22[7]
plugins: os-smart 2.2 JSON conversion (contributed by Arnav Singh)
plugins: os-telegraf 1.10.0[8]
plugins: os-theme-rebellion 1.8.7 (contributed by Team Rebellion)
plugins: os-wireguard 1.6[9]
plugins: os-zabbix5-proxy 1.4[10]
src: axgbe: enable receive all mode to bypass the MAC filter to avoid dropping CARP MAC addresses
src: accept_filter: fix filter parameter handling[11]
src: vm_fault: shoot down multiply mapped COW source page mappings[12]
src: mount: disallow mounting over a jail root[13]
src: em: add support for Intel I219 V10 device
src: em: fix a null de-reference in em_free_pci_resources
src: bsdinstall: switch to OPNsense branding
ports: curl 7.76.0[14]
ports: dnsmasq 2.85[15]
ports: expat 2.3.0
ports: hyperscan 5.4.0[16]
ports: monit 5.28.0[17]
ports: nettle 3.7.2
ports: phpseclib 2.0.31[18]
ports: pkg 1.16.3

Stay safe,
Your OPNsense team
vsellier moved this task from in-progress to done on the System administration board.

upgrade done without any problem:

  • CARP maintenance activated on pushkin -> glyptotek elected as primary
  • pushkin upgrade done
  • CARP maintenance deactivated on pushkin -> pushkin re-elected as primary
  • nothing wrong detected after a safety period of 1 hour
  • CARP maintenance mode activated on glyptotek to avoid an unexpected rebalance during the upgrade
  • glyptotek upgrade done
  • CARP maintenance mode deactivated on glyptotek