From bdf9379b22405946b281280796b39e75df6bc594 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 5 Jan 2025 23:23:24 +0100
Subject: [PATCH 01/50] security/acme-client: migrate cert+CA import/update to
 Trust MVC

---
 security/acme-client/pkg-descr                |   2 +
 .../OPNsense/AcmeClient/LeCertificate.php     | 171 ++++++++----------
 .../library/OPNsense/AcmeClient/LeUtils.php   |  82 +--------
 .../scripts/OPNsense/AcmeClient/lecert.php    |   3 +-
 .../OPNsense/AcmeClient/run_remote_ssh.php    |   1 -
 .../OPNsense/AcmeClient/upload_sftp.php       |  17 +-
 6 files changed, 91 insertions(+), 185 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index ff97285f0..1536c9c9c 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -18,10 +18,12 @@ Added:
 
 Changed:
 * Convert Synology deploy hook variables to uppercase (#4286)
+* Migrate to MVC Trust storage
 
 Fixed:
 * SFTP/SSH automation results in fatal PHP error (#4363)
 * Typo in INWX password field name
+* Certs not fully functional after import into Trust storage (#4401)
 
 4.6
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index 9df9e8808..9a5056fbe 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020-2024 Frank Wall
+ * Copyright (C) 2020-2025 Frank Wall
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -28,10 +28,12 @@
 
 namespace OPNsense\AcmeClient;
 
-// Load legacy functions
-require_once("certs.inc"); // used in import()
+require_once("script/load_phalcon.php");
 
 use OPNsense\Core\Config;
+use OPNsense\Trust\Ca;
+use OPNsense\Trust\Cert;
+use OPNsense\Trust\Store as CertStore;
 use OPNsense\AcmeClient\LeAccount;
 use OPNsense\AcmeClient\LeAutomationFactory;
 use OPNsense\AcmeClient\LeValidationFactory;
@@ -143,61 +145,54 @@ class LeCertificate extends LeCommon
         // Read contents from CA file
         $ca_content = @file_get_contents($this->cert_chain_file);
         if ($ca_content != false) {
-            $ca_subject = cert_get_subject($ca_content, false);
-            $ca_serial  = cert_get_serial($ca_content, false);
-            $ca_cn      = LeUtils::local_cert_get_cn($ca_content, false);
-            $ca_issuer  = cert_get_issuer($ca_content, false);
-            $ca_purpose = cert_get_purpose($ca_content, false);
+            $ca_details = CertStore::parseX509($ca_content);
+            $ca_subject = $ca_details['name'];
+            $ca_serial = $ca_details['serialNumber'];
+            $ca_cn = $ca_details['commonname'];
+            $ca_issuer = implode(",", $ca_details['issuer']);
         } else {
             LeUtils::log_error('unable to read CA certificate content from file');
             Config::getInstance()->unlock();
             return false;
         }
 
-        // Prepare CA for import in Cert Manager
+        // Prepare CA
+        $caModel = new Ca();
         $ca = array();
-        $ca['crt'] = base64_encode($ca_content);
         $ca['refid'] = uniqid();
+        $ca['descr'] = (string)$ca_cn . ' (ACME Client)';
         $ca_found = false;
 
         // Check if CA was previously imported
-        foreach (Config::getInstance()->object()->ca as $cacrt) {
-            $cacrt_subject = cert_get_subject($cacrt->crt, true);
-            $cacrt_issuer = cert_get_issuer($cacrt->crt, true);
+        foreach ($caModel->ca->iterateItems() as $cacrt) {
+            $cacrt_content = base64_decode((string)$cacrt->crt);
+            $cacrt_details = CertStore::parseX509($cacrt_content);
+            $cacrt_subject = $cacrt_details['name'];
+            $cacrt_issuer = implode(",", $cacrt_details['issuer']);
             if (($ca_subject === $cacrt_subject) and ($ca_issuer === $cacrt_issuer)) {
                 // Use old refid instead of generating a new one
                 $ca['refid'] = (string)$cacrt->refid;
+                // Update existing CA
+                $cacrt->descr = $ca['descr'];
                 $ca_found = true;
                 break;
             }
         }
 
-        // Collect required CA information
-        $ca_cn = LeUtils::local_cert_get_cn($ca_content, false);
-        $ca['descr'] = (string)$ca_cn . ' (ACME Client)';
-
-        // Prepare CA for import
-        LeUtils::local_ca_import($ca, $ca_content);
-
-        // Check if CA was found in config
-        if ($ca_found == true) {
-            // Update existing CA
-            foreach (Config::getInstance()->object()->ca as $cacrt) {
-                if ((string)$cacrt->refid == $ca['refid']) {
-                    $cacrt->crt = $ca['crt'];
-                    $cacrt->descr = $ca['descr'];
-                    break;
-                }
-            }
-        } else {
-            // Create new CA
-            LeUtils::log("importing ACME CA: {$ca_cn}");
-            $newca = Config::getInstance()->object()->addChild('ca');
+        // Create new CA
+        if ($ca_found == false) {
+            LeUtils::log("imported ACME CA: {$ca_cn} ({$ca['refid']})");
+            $newca = $caModel->ca->Add();
             foreach (array_keys($ca) as $cacfg) {
-                $newca->addChild($cacfg, (string)$ca[$cacfg]);
+                $newca->$cacfg = (string)$ca[$cacfg];
             }
+            $newca->crt = base64_encode($ca_content);
         }
 
+        // Serialize to config and save
+        $caModel->serializeToConfig();
+        Config::getInstance()->save();
+
         /**
          * Step 2: import certificate
          */
@@ -205,11 +200,11 @@ class LeCertificate extends LeCommon
         // Read contents from certificate file
         $cert_content = @file_get_contents($this->cert_file);
         if ($cert_content != false) {
-            $cert_subject = cert_get_subject($cert_content, false);
-            $cert_serial  = cert_get_serial($cert_content, false);
-            $cert_cn      = LeUtils::local_cert_get_cn($cert_content, false);
-            $cert_issuer  = cert_get_issuer($cert_content, false);
-            $cert_purpose = cert_get_purpose($cert_content, false);
+            $cert_details = CertStore::parseX509($cert_content);
+            $cert_subject = $cert_details['name'];
+            $cert_serial  = $cert_details['serialNumber'];
+            $cert_cn      = $cert_details['commonname'];
+            $cert_issuer  = implode(",", $cert_details['issuer']);
         } else {
             LeUtils::log_error('unable to read certificate content from file');
             Config::getInstance()->unlock();
@@ -217,34 +212,6 @@ class LeCertificate extends LeCommon
             return false;
         }
 
-        // Prepare certificate for import in Cert Manager
-        $cert = array();
-        $cert_refid = uniqid();
-        $cert['refid'] = $cert_refid;
-        $cert['caref'] = (string)$ca['refid'];
-        $import_log_message = 'imported';
-        $cert_found = false;
-
-        // Check if cert was previously imported
-        if (!empty((string)$this->config->certRefId)) {
-            // Check if the previously imported certificate can still be found
-            foreach (Config::getInstance()->object()->cert as $cfgCert) {
-                // Check if IDs match
-                if ((string)$this->config->certRefId == (string)$cfgCert->refid) {
-                    $cert_found = true;
-                    break;
-                }
-            }
-            // Existing cert?
-            if ($cert_found) {
-                // Use old refid instead of generating a new one
-                $cert_refid = (string)$this->config->certRefId;
-                $import_log_message = 'updated';
-            }
-        } else {
-            // Not found. Just import as new cert.
-        }
-
         // Read private key
         $key_content = @file_get_contents($this->cert_key_file);
         if ($key_content == false) {
@@ -254,28 +221,39 @@ class LeCertificate extends LeCommon
             return false;
         }
 
-        // Collect required cert information
-        $cert_cn = LeUtils::local_cert_get_cn($cert_content, false);
-        $cert['descr'] = (string)$cert_cn . ' (ACME Client)';
-        $cert['refid'] = $cert_refid;
-
-        // Prepare certificate for import
-        cert_import($cert, $cert_content, $key_content);
-
-        // Overwrite caref in order to use the correct CA (GH #2550).
-        // This is required because cert_import() uses lookup_ca_by_subject()
-        // to find a matching CA. If multiple CAs are using the same name, the
-        // first CA wins, but it may still be the wrong CA.
+        // Prepare certificate
+        $certModel = new Cert();
+        $cert = array();
+        $cert['refid'] = uniqid();
         $cert['caref'] = (string)$ca['refid'];
+        $cert['descr'] = (string)$cert_cn . ' (ACME Client)';
+        $import_log_message = 'imported';
+        $cert_found = false;
+
+        // Check if cert was previously imported.
+        // Otherwise just import as new cert.
+        if (!empty((string)$this->config->certRefId)) {
+            // Check if the previously imported certificate can still be found
+            foreach ($certModel->cert->iterateItems() as $cfgCert) {
+                // Check if IDs match
+                if ((string)$this->config->certRefId == (string)$cfgCert->refid) {
+                    // Use old refid instead of generating a new one
+                    $cert['refid'] = (string)$cfgCert->refid;
+                    $import_log_message = 'updated';
+                    $cert_found = true;
+                    break;
+                }
+            }
+        }
 
         // Check if cert was found in config
         if ($cert_found == true) {
             // Update existing cert
-            foreach (Config::getInstance()->object()->cert as $cfgCert) {
+            foreach ($certModel->cert->iterateItems() as $cfgCert) {
                 if ((string)$cfgCert->refid == $cert['refid']) {
-                    $cfgCert->crt = $cert['crt'];
-                    $cfgCert->prv = $cert['prv'];
                     $cfgCert->descr = $cert['descr'];
+                    $cfgCert->crt = base64_encode($cert_content);
+                    $cfgCert->prv = base64_encode($key_content);
                     // Update CA ref, because it may be signed by a different CA.
                     $cfgCert->caref = $cert['caref'];
                     break;
@@ -283,27 +261,32 @@ class LeCertificate extends LeCommon
             }
         } else {
             // Create new cert
-            $newcert = Config::getInstance()->object()->addChild('cert');
+            $newcert = $certModel->cert->Add();
             foreach (array_keys($cert) as $certcfg) {
-                $newcert->addChild($certcfg, (string)$cert[$certcfg]);
+                $newcert->$certcfg = (string)$cert[$certcfg];
             }
+            $newcert->crt = base64_encode($cert_content);
+            $newcert->prv = base64_encode($key_content);
         }
-        LeUtils::log("{$import_log_message} ACME X.509 certificate: {$cert_cn}");
+        LeUtils::log("{$import_log_message} ACME X.509 certificate: {$cert_cn} ({$cert['refid']})");
+
+        // Serialize to config and save
+        // Skip validation because the current in-memory model may not
+        // know about the CA item that was just created.
+        $certModel->serializeToConfig(false,true);
+        Config::getInstance()->save();
 
         /**
          * Step 3: update configuration
          */
 
-        // Add refid to certObj
-        $this->config->certRefId = $cert_refid;
-        // Set update/create time
+        // Update Acme cert config
+        $this->config->certRefId = $cert['refid'];
         $this->config->lastUpdate = time();
 
         // Serialize to config and save
         $this->model->serializeToConfig();
         Config::getInstance()->save();
-
-        // Reload to get most recent config
         Config::getInstance()->forceReload();
         $this->loadConfig(self::CONFIG_PATH, $this->uuid);
 
@@ -402,12 +385,12 @@ class LeCertificate extends LeCommon
             return false;
         }
 
-        // Run referenced automations.
-        $this->runAutomations();
-
         // Update cert status.
         $this->setStatus(200);
 
+        // Run referenced automations.
+        $this->runAutomations();
+
         return true;
     }
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
index 7514ed656..6dfd33eff 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2017-2024 Frank Wall
+ * Copyright (C) 2017-2025 Frank Wall
  * Copyright (C) 2015 Deciso B.V.
  * Copyright (C) 2010 Jim Pingle <jimp@pfsense.org>
  * Copyright (C) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
@@ -70,86 +70,6 @@ class LeUtils
         return vsprintf($format, $args);
     }
 
-    // Copied from system_camanager.php.
-    public static function local_ca_import(&$ca, $str, $key = "", $serial = 0)
-    {
-        // Get config object.
-        $config = Config::getInstance()->object();
-
-        $ca['crt'] = base64_encode($str);
-        if (!empty($key)) {
-            $ca['prv'] = base64_encode($key);
-        }
-        if (!empty($serial)) {
-            $ca['serial'] = $serial;
-        }
-        $subject = cert_get_subject($str, false);
-        $issuer = cert_get_issuer($str, false);
-
-        // Find my issuer unless self-signed
-        if ($issuer != $subject) {
-            $issuer_crt =& lookup_ca_by_subject($issuer);
-            if ($issuer_crt) {
-                $ca['caref'] = $issuer_crt['refid'];
-            }
-        }
-
-        /* Correct if child certificate was loaded first */
-        if (is_array($config['ca'])) {
-            foreach ($config['ca'] as & $oca) {
-                $issuer = cert_get_issuer($oca['crt']);
-                if ($ca['refid'] != $oca['refid'] && $issuer == $subject) {
-                    $oca['caref'] = $ca['refid'];
-                }
-            }
-        }
-        if (is_array($config['cert'])) {
-            foreach ($config['cert'] as & $cert) {
-                $issuer = cert_get_issuer($cert['crt']);
-                if ($issuer == $subject) {
-                    $cert['caref'] = $ca['refid'];
-                }
-            }
-        }
-        return true;
-    }
-
-    // copied from certs.inc
-    public static function local_cert_get_cn($crt, $decode = true)
-    {
-        $sub = self::local_cert_get_subject_array($crt, $decode);
-        if (is_array($sub)) {
-            foreach ($sub as $s) {
-                if (strtoupper($s['a']) == "CN") {
-                    return $s['v'];
-                }
-            }
-        }
-        return "";
-    }
-
-    // copied from certs.inc
-    public static function local_cert_get_subject_array($str_crt, $decode = true)
-    {
-        if ($decode) {
-            $str_crt = base64_decode($str_crt);
-        }
-        $inf_crt = openssl_x509_parse($str_crt);
-        $components = $inf_crt['subject'];
-
-        if (!is_array($components)) {
-            return;
-        }
-
-        $subject_array = array();
-
-        foreach ($components as $a => $v) {
-            $subject_array[] = array('a' => $a, 'v' => $v);
-        }
-
-        return $subject_array;
-    }
-
     /**
      * log runtime information
      */
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php
index 73bb87ee2..0079a3a8f 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php
@@ -2,7 +2,7 @@
 <?php
 
 /*
- * Copyright (C) 2020-2021 Frank Wall
+ * Copyright (C) 2020-2025 Frank Wall
  * Copyright (C) 2019 Juergen Kellerer
  * All rights reserved.
  *
@@ -30,7 +30,6 @@
 
 // Import legacy code
 @include_once('config.inc');
-@include_once('certs.inc');
 @include_once('util.inc');
 
 // Import classes
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php
index 97e2b0809..019c44d81 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php
@@ -94,7 +94,6 @@ const EXITCODE_ERROR_UNKNOWN_COMMAND = 254;
 
 // Optional imports
 @include_once("config.inc");
-@include_once("certs.inc");
 @include_once("util.inc");
 
 // Optional autoloader (for local dev environment)
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
index 052a1889c..40db45dbe 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
@@ -2,6 +2,7 @@
 <?php
 
 /*
+ * Copyright (C) 2025 Frank Wall
  * Copyright (C) 2019 Juergen Kellerer
  * All rights reserved.
  *
@@ -124,8 +125,8 @@ const EXITCODE_ERROR_UNKNOWN_COMMAND = 255;
 
 // Optional imports
 @include_once("config.inc");
-@include_once("certs.inc");
 @include_once("util.inc");
+require_once("script/load_phalcon.php");
 
 // Optional autoloader (for local dev environment)
 if (!function_exists("log_error")) {
@@ -135,6 +136,8 @@ if (!function_exists("log_error")) {
 }
 
 // Importing classes
+use OPNsense\Trust\Cert;
+use OPNsense\Trust\Store as CertStore;
 use OPNsense\AcmeClient\SftpUploader;
 use OPNsense\AcmeClient\SftpClient;
 use OPNsense\AcmeClient\SSHKeys;
@@ -519,17 +522,17 @@ function findCertificates(array $certificate_ids_or_names, $load_content = true)
 function exportCertificates(array $cert_refids): array
 {
     $result = [];
-    $config = OPNsense\Core\Config::getInstance()->object();
-    foreach ($config->cert as $cert) {
+    $certModel = new Cert();
+    foreach ($certModel->cert->iterateItems() as $cert) {
         $refid = (string)$cert->refid;
         $item = [];
         if (in_array($refid, $cert_refids)) {
-            $item["cert"] = str_replace(["\n\n", "\r"], ["\n", ""], base64_decode($cert->crt));
-            $item["key"] = str_replace(["\n\n", "\r"], ["\n", ""], base64_decode($cert->prv));
+            $_tmp = CertStore::getCertificate($refid);
+            $item["cert"] = $_tmp["crt"];
+            $item["key"] = $_tmp["prv"];
             // check if a CA is linked
             if (!empty((string)$cert->caref)) {
-                $cert = (array)$cert;
-                $item["ca"] = ca_chain($cert);
+                $item["ca"] = $_tmp["ca"];;
                 // combine files to export a fullchain.pem
                 $item["fullchain"] = $item["cert"] . $item["ca"];
             }

From 4f44f8337bf36b6247c48084f8460852d94126d2 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 7 Jan 2025 17:05:22 +0100
Subject: [PATCH 02/50] www/caddy: Some small UX tweaks (#4442)

* www/caddy: Remove HTTP from terminology. It was added when Layer4 Proxy was still in the same tabs to distinguish the HTTP Proxy from the Layer4 Proxy. Now that everything has its own pages it improves readability and follows the caddy syntax more closely.

* www/caddy: Do not auto hide the access settings, its annoying

* www/caddy: Remove hints that are no real defaults or can change dynamically depending on configuration.
---
 .../OPNsense/Caddy/forms/dialogHandle.xml      |  2 --
 .../Caddy/forms/dialogReverseProxy.xml         |  3 ---
 .../OPNsense/Caddy/forms/dialogSubdomain.xml   |  1 -
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml    |  2 +-
 .../views/OPNsense/Caddy/reverse_proxy.volt    | 18 +++++++++---------
 5 files changed, 10 insertions(+), 16 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index 3ada90d0b..7ece8310a 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -119,14 +119,12 @@
         <type>select_multiple</type>
         <style>tokenize</style>
         <allownew>true</allownew>
-        <hint>192.168.1.1</hint>
         <help><![CDATA[Enter a domain name or IP address of the upstream destination. If multiple are chosen, they will be load balanced with the default random policy. A health check can be activated by populating "Upstream Fail Duration" in advanced mode. When directive is "redir", only the first domain will be evaluated.]]></help>
     </field>
     <field>
         <id>handle.ToPort</id>
         <label>Upstream Port</label>
         <type>text</type>
-        <hint>80</hint>
         <help><![CDATA[Leave empty to use the default port or choose a custom port for the upstream destination.]]></help>
     </field>
     <field>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
index 522c916d4..014e1853e 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
@@ -25,14 +25,12 @@
         <id>reverse.FromDomain</id>
         <label>Domain</label>
         <type>text</type>
-        <hint>example.com</hint>
         <help><![CDATA[Enter a domain name. For a base domain, use "example.com" or "opn.example.com". For a wildcard domain, use "*.example.com". Using a wildcard domain with subdomains requires a "DNS Provider" and the "DNS-01 Challenge" or a custom certificate.]]></help>
     </field>
     <field>
         <id>reverse.FromPort</id>
         <label>Port</label>
         <type>text</type>
-        <hint>443</hint>
         <help><![CDATA[Leave empty to use ports 80 and 443 with automatic redirection from HTTP to HTTPS or choose a custom port. Don't forget to allow these ports with a Firewall rule. If the default ports have been changed in "General Settings", leaving this empty will use the chosen alternative ports instead.]]></help>
     </field>
     <field>
@@ -65,7 +63,6 @@
     <field>
         <type>header</type>
         <label>Access</label>
-        <collapse>true</collapse>
     </field>
     <field>
         <id>reverse.accesslist</id>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
index 8711c4a96..8a515e2ca 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
@@ -44,7 +44,6 @@
     <field>
         <type>header</type>
         <label>Access</label>
-        <collapse>true</collapse>
     </field>
     <field>
         <id>subdomain.accesslist</id>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index f7da86b03..920f2cac2 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -206,7 +206,7 @@
                 <description type="DescriptionField"/>
                 <DnsChallenge type="BooleanField"/>
                 <CustomCertificate type="CertificateField">
-                    <BlankDesc>ACME (HTTP-01, TLS-ALPN-01)</BlankDesc>
+                    <BlankDesc>ACME</BlankDesc>
                 </CustomCertificate>
                 <AccessLog type="BooleanField"/>
                 <DynDns type="BooleanField"/>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index 42036d604..b77bf8618 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -226,7 +226,7 @@
             toggleVisibility(currentTab);
         });
 
-        // Add click event listener for "Add HTTP Handler" button
+        // Add click event listener for "Add Handler" button
         $("#addHandleBtn").on("click", function() {
             if ($('#maintabs .active a').attr('href') === "#handlesTab") {
                 $("#addReverseHandleBtn").click();
@@ -317,9 +317,9 @@
 
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
     <li id="tab-domains" class="active"><a data-toggle="tab" href="#domainsTab">{{ lang._('Domains') }}</a></li>
-    <li id="tab-handlers"><a data-toggle="tab" href="#handlesTab">{{ lang._('HTTP Handlers') }}</a></li>
-    <li id="tab-access"><a data-toggle="tab" href="#accessTab">{{ lang._('HTTP Access') }}</a></li>
-    <li id="tab-headers"><a data-toggle="tab" href="#headerTab">{{ lang._('HTTP Headers') }}</a></li>
+    <li id="tab-handlers"><a data-toggle="tab" href="#handlesTab">{{ lang._('Handlers') }}</a></li>
+    <li id="tab-access"><a data-toggle="tab" href="#accessTab">{{ lang._('Access') }}</a></li>
+    <li id="tab-headers"><a data-toggle="tab" href="#headerTab">{{ lang._('Headers') }}</a></li>
 </ul>
 
 <div class="tab-content content-box">
@@ -328,7 +328,7 @@
         <!-- Button group on the left -->
         <div>
             <button id="addDomainBtn" type="button" class="btn btn-secondary">{{ lang._('Step 1: Add Domain') }}</button>
-            <button id="addHandleBtn" type="button" class="btn btn-secondary">{{ lang._('Step 2: Add HTTP Handler') }}</button>
+            <button id="addHandleBtn" type="button" class="btn btn-secondary">{{ lang._('Step 2: Add Handler') }}</button>
         </div>
         <!-- Selectpicker and Clear All on the right -->
         <div class="filter-actions" style="display: flex; flex-direction: column; align-items: flex-end;">
@@ -418,7 +418,7 @@
     <!-- Handle Tab -->
     <div id="handlesTab" class="tab-pane fade">
         <div style="padding-left: 16px;">
-            <h1 class="custom-header">{{ lang._('HTTP Handlers') }}</h1>
+            <h1 class="custom-header">{{ lang._('Handlers') }}</h1>
             <div style="display: block;"> <!-- Common container -->
                 <table id="reverseHandleGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogHandle" data-editAlert="ConfigurationChangeMessage">
                     <thead>
@@ -538,7 +538,7 @@
     <!-- Header Tab -->
     <div id="headerTab" class="tab-pane fade">
         <div style="padding-left: 16px;">
-            <h1 class="custom-header">{{ lang._('HTTP Headers') }}</h1>
+            <h1 class="custom-header">{{ lang._('Headers') }}</h1>
             <div style="display: block;"> <!-- Common container -->
                 <table id="reverseHeaderGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogHeader" data-editAlert="ConfigurationChangeMessage">
                     <thead>
@@ -593,7 +593,7 @@
 
 {{ partial("layout_partials/base_dialog",['fields':formDialogReverseProxy,'id':'DialogReverseProxy','label':lang._('Edit Domain')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogSubdomain,'id':'DialogSubdomain','label':lang._('Edit Subdomain')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogHandle,'id':'DialogHandle','label':lang._('Edit HTTP Handler')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogHandle,'id':'DialogHandle','label':lang._('Edit Handler')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogAccessList,'id':'DialogAccessList','label':lang._('Edit Access List')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogBasicAuth,'id':'DialogBasicAuth','label':lang._('Edit Basic Auth')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogHeader,'id':'DialogHeader','label':lang._('Edit HTTP Header')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogHeader,'id':'DialogHeader','label':lang._('Edit Header')])}}

From d5b7c364c788d0638a56c367dce9f18ac1a1bfb0 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 7 Jan 2025 17:05:50 +0100
Subject: [PATCH 03/50] www/caddy: Mark DNS Providers optional that are not
 included per default (#4441)

* www/caddy: Mark DNS Providers optional that are not included in the shipped binary per default. These modules must be added on demand on the command line with caddy add-package. This lowers maintainance burden and deflates the binary of big unused structs and sdks, since providers like route53 or googleclouddns alone pull around 16MB into the binary. Remove duplicate Netcup.

* www/caddy: Make API Fields for DNS Providers clearer
---
 .../OPNsense/Caddy/forms/general.xml          | 23 +++++++++----------
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   | 23 +++++++++----------
 2 files changed, 22 insertions(+), 24 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index 10976f164..488c9aeb2 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -98,46 +98,45 @@
             <id>caddy.general.TlsDnsProvider</id>
             <label>DNS Provider</label>
             <type>dropdown</type>
-            <help><![CDATA[Select the DNS provider for the DNS-01 Challenge and Dynamic DNS. This is mostly needed for Wildcard Certificates, and for Dynamic DNS. To use, enable the checkbox in a "Domain" or "Subdomain". For more information, visit https://github.com/caddy-dns where each module is community maintained.]]></help>
+            <help><![CDATA[Select the DNS Provider for the DNS-01 Challenge and Dynamic DNS. Providers marked as "optional" must be installed manually, see https://caddyserver.com/docs/command-line#caddy-add-package. For more information, visit https://github.com/caddy-dns where each module is community maintained.]]></help>
+        </field>
+        <field>
+            <type>header</type>
+            <label>API Fields</label>
         </field>
         <field>
             <id>caddy.general.TlsDnsApiKey</id>
-            <label>DNS API Standard Field</label>
+            <label>API Field 1</label>
             <type>text</type>
             <help><![CDATA[This is the standard field for the API Key. Field can be left empty if optional: Cloudflare "api_token", Duckdns "api_token", DigitalOcean "auth_token", Godaddy "api_token", Gandi "bearer_token", IONOS "api_token", deSEC "token", Route53 "access_key_id", Porkbun "api_key", ACME-DNS "username", Netlify "personal_access_token", Njalla "api_token", Google Cloud DNS "gcp_project", Azure "tenant_id", OVH "endpoint", Namecheap "api_key", PowerDNS "server_url", DDNSS "api_token", Linode "api_token", Tencent Cloud "secret_id", Dinahosting "username", Hexonet "username", Mail-in-a-Box "api_url", DNS Made Easy "api_key", Bunny "access_key", Civo "api_token", Scaleway "secret_key", ACME Proxy "username", INWX "username", Netcup "customer_number", RFC2136 "key_name", Name.com "token", EasyDNS "api_token", Infomaniak "api_token", DirectAdmin "host", Hosttech "api_token", Vultr "api_token", Hetzner "api_token"]]></help>
         </field>
-        <field>
-            <type>header</type>
-            <label>Additional Fields</label>
-            <collapse>true</collapse>
-        </field>
         <field>
             <id>caddy.general.TlsDnsSecretApiKey</id>
-            <label>DNS API Additional Field 1</label>
+            <label>API Field 2</label>
             <type>text</type>
             <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Duckdns "override_domain", Route53 "secret_access_key", Porkbun "api_secret_key", ACME-DNS "password", Azure "client_id", OVH "application_key", Namecheap "user", PowerDNS "api_token", DDNSS "username", Linode "api_url", Tencent Cloud "secret_key", Dinahosting "password", Hexonet "password", Mail-in-a-Box "email_address", DNS Made Easy "secret_key", Scaleway "organization_id", ACME Proxy "password", INWX "password", Netcup "api_key", RFC2136 "key_alg", Name.com "server", EasyDNS "api_key", DirectAdmin "user".]]></help>
         </field>
         <field>
             <id>caddy.general.TlsDnsOptionalField1</id>
-            <label>DNS API Additional Field 2</label>
+            <label>API Field 3</label>
             <type>text</type>
             <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "hosted_zone_id", ACME-DNS "subdomain", Azure "client_secret", OVH "application_secret", Namecheap "api_endpoint", DDNSS "password", Linode "api_version", Mail-in-a-Box "password", DNS Made Easy "api_endpoint", ACME Proxy "endpoint", INWX "shared_secret", Netcup "api_password", Name.com "user", EasyDNS "api_url", DirectAdmin "login_key", RFC2136 "key".]]></help>
         </field>
         <field>
             <id>caddy.general.TlsDnsOptionalField2</id>
-            <label>DNS API Additional Field 3</label>
+            <label>API Field 4</label>
             <type>text</type>
             <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "profile", ACME-DNS "server_url", Azure "subscription_id", OVH "consumer_key", Namecheap "client_ip", DDNS "password", INWX "endpoint_url", DirectAdmin "insecure_requests", RFC2136 "server".]]></help>
         </field>
         <field>
             <id>caddy.general.TlsDnsOptionalField3</id>
-            <label>DNS API Additional Field 4</label>
+            <label>API Field 5</label>
             <type>text</type>
             <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "region", Azure "resource_group_name".]]></help>
         </field>
         <field>
             <id>caddy.general.TlsDnsOptionalField4</id>
-            <label>DNS API Additional Field 5</label>
+            <label>API Field 6</label>
             <type>text</type>
             <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "session_token".]]></help>
         </field>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 920f2cac2..5fd4bf000 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -26,42 +26,41 @@
                 <OptionValues>
                     <cloudflare>Cloudflare</cloudflare>
                     <duckdns>Duck DNS</duckdns>
-                    <digitalocean>DigitalOcean</digitalocean>
                     <gandi>Gandi</gandi>
                     <ionos>IONOS</ionos>
                     <desec>Desec</desec>
                     <porkbun>Porkbun</porkbun>
-                    <route53>Route53</route53>
                     <acmedns>ACME-DNS</acmedns>
-                    <googleclouddns>Google Cloud DNS</googleclouddns>
                     <azure>Azure</azure>
                     <ovh>OVH</ovh>
                     <namecheap>Namecheap</namecheap>
-                    <netlify>Netlify</netlify>
                     <powerdns>PowerDNS</powerdns>
-                    <ddnss>DDNSS</ddnss>
-                    <njalla>Njalla</njalla>
                     <linode>Linode</linode>
-                    <tencentcloud>Tencent Cloud</tencentcloud>
-                    <dinahosting>Dinahosting</dinahosting>
                     <hexonet>Hexonet</hexonet>
                     <mailinabox>Mail-in-a-Box</mailinabox>
-                    <netcup>Netcup</netcup>
                     <rfc2136>RFC2136</rfc2136>
                     <dnsmadeeasy>DNS Made Easy</dnsmadeeasy>
                     <bunny>Bunny</bunny>
-                    <civo>Civo</civo>
                     <scaleway>Scaleway</scaleway>
                     <acmeproxy>ACME Proxy</acmeproxy>
                     <inwx>INWX</inwx>
                     <netcup>Netcup</netcup>
                     <namedotcom>Name.com</namedotcom>
-                    <easydns>EasyDNS</easydns>
                     <infomaniak>Infomaniak</infomaniak>
                     <directadmin>DirectAdmin</directadmin>
-                    <hosttech>Hosttech</hosttech>
                     <vultr>Vultr</vultr>
                     <hetzner>Hetzner</hetzner>
+                    <digitalocean>DigitalOcean (optional)</digitalocean>
+                    <route53>Route53 (optional)</route53>
+                    <googleclouddns>Google Cloud DNS (optional)</googleclouddns>
+                    <netlify>Netlify (optional)</netlify>
+                    <ddnss>DDNSS (optional)</ddnss>
+                    <njalla>Njalla (optional)</njalla>
+                    <tencentcloud>Tencent Cloud (optional)</tencentcloud>
+                    <dinahosting>Dinahosting (optional)</dinahosting>
+                    <civo>Civo (optional)</civo>
+                    <easydns>EasyDNS (optional)</easydns>
+                    <hosttech>Hosttech (optional)</hosttech>
                 </OptionValues>
             </TlsDnsProvider>
             <TlsDnsApiKey type="TextField"/>

From ed4c9a345b8d933f2b4fb9983631b23d7f16b63b Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 7 Jan 2025 17:06:43 +0100
Subject: [PATCH 04/50] www/caddy: Add syslog function; change visible name to
 Caddy (#4439)

* www/caddy: Add syslog function

* www/caddy: Bump version

* www/caddy: Add changelog, make sweep

* www/caddy: Change visible name from Caddy Web Server to Caddy

* www/caddy: Update changelog again

* www/caddy: Reduce diff in caddy.inc
---
 www/caddy/Makefile                                    |  2 +-
 www/caddy/pkg-descr                                   | 10 ++++++++++
 www/caddy/src/etc/inc/plugins.inc.d/caddy.inc         | 11 ++++++++---
 .../mvc/app/models/OPNsense/Caddy/Menu/Menu.xml       |  2 +-
 4 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index f5a01d871..4264cd9b0 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.7.6
+PLUGIN_VERSION=		1.8.0
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 2ec24cd5e..f7217f7f6 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -13,6 +13,16 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+1.8.0
+
+* Build: Update to caddy-v2.9.0 and update dependencies (opnsense/plugins/issues/4437)
+* Build: Fix caddy-l4 timeout issue (opnsense/plugins/issues/4384)
+* Build: Mark DNS Providers optional that are not included per default (opnsense/plugins/pull/4441)
+         digitalocean, route53, googleclouddns, netlify, ddnss, njalla, tencentcloud
+         dinahosting, civo, easydns, hosttech; must be added via https://caddyserver.com/docs/command-line#caddy-add-package
+* Cleanup: Refactor caddy.inc and add syslog function, change name from Caddy Web Server to Caddy (opnsense/plugins/issues/4426)
+* Cleanup: Some small UI tweaks (opnsense/plugins/pull/4442)
+
 1.7.6
 
 * Fix: Web UI can still restart/stop Caddy when running as `www` user (opnsense/plugins/pull/4403)
diff --git a/www/caddy/src/etc/inc/plugins.inc.d/caddy.inc b/www/caddy/src/etc/inc/plugins.inc.d/caddy.inc
index 78da119b7..5e116933a 100644
--- a/www/caddy/src/etc/inc/plugins.inc.d/caddy.inc
+++ b/www/caddy/src/etc/inc/plugins.inc.d/caddy.inc
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2023-2024 Cedrik Pischem
+ * Copyright (C) 2023-2025 Cedrik Pischem
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -37,7 +37,7 @@ function caddy_services()
         $config['Pischem']['caddy']['general']['enabled'] == 1
     ) {
         $services[] = array(
-            'description' => gettext('Caddy Web Server'),
+            'description' => gettext('Caddy'),
             'configd' => array(
                 'restart' => array('caddy restart'),
                 'start' => array('caddy start'),
@@ -56,7 +56,7 @@ function caddy_xmlrpc_sync()
     $result = array();
 
     $result[] = array(
-        'description' => gettext('Caddy Web Server'),
+        'description' => gettext('Caddy'),
         'section' => 'Pischem.caddy',
         'id' => 'caddy',
         'services' => ["caddy"],
@@ -64,3 +64,8 @@ function caddy_xmlrpc_sync()
 
     return $result;
 }
+
+function caddy_syslog()
+{
+    return ['caddy' => ['facility' => ['caddy']]];
+}
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Menu/Menu.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Menu/Menu.xml
index 0a992a746..421560b53 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Menu/Menu.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Menu/Menu.xml
@@ -1,6 +1,6 @@
 <menu>
     <Services>
-        <Caddy VisibleName="Caddy Web Server" cssClass="fa fa-globe fa-fw">
+        <Caddy cssClass="fa fa-globe fa-fw">
             <General VisibleName="General Settings" order="10" url="/ui/caddy/general"/>
             <ReverseProxy VisibleName="Reverse Proxy" order="20" url="/ui/caddy/reverse_proxy"/>
             <Layer4 VisibleName="Layer4 Proxy" order="30" url="/ui/caddy/layer4"/>

From 5816a723324e344a6fdf1bdab2fc93f74763c92e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 8 Jan 2025 08:08:11 +0100
Subject: [PATCH 05/50] security/acme-client: style sweep

---
 .../mvc/app/library/OPNsense/AcmeClient/LeCertificate.php      | 2 +-
 .../src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php   | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index 9a5056fbe..518a2c0f7 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -273,7 +273,7 @@ class LeCertificate extends LeCommon
         // Serialize to config and save
         // Skip validation because the current in-memory model may not
         // know about the CA item that was just created.
-        $certModel->serializeToConfig(false,true);
+        $certModel->serializeToConfig(false, true);
         Config::getInstance()->save();
 
         /**
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
index 40db45dbe..f5e00cc85 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
@@ -532,7 +532,8 @@ function exportCertificates(array $cert_refids): array
             $item["key"] = $_tmp["prv"];
             // check if a CA is linked
             if (!empty((string)$cert->caref)) {
-                $item["ca"] = $_tmp["ca"];;
+                $item['ca'] = $_tmp['ca'];
+
                 // combine files to export a fullchain.pem
                 $item["fullchain"] = $item["cert"] . $item["ca"];
             }

From fc23b6a7003af8b525b640d9d64fa64426d88267 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Wed, 8 Jan 2025 09:18:03 +0100
Subject: [PATCH 06/50] net/frr - style cleanup and unify forms (#4450)

* net/frr - style cleanup and unify forms

Apply frontend / api changes to align more with current core patterns.

* net/frr - change maintainer to core
---
 net/frr/Makefile                              |   2 +-
 .../OPNsense/Quagga/Api/BfdController.php     |  10 +-
 .../OPNsense/Quagga/Api/GeneralController.php |  46 +---
 .../Quagga/Api/OspfsettingsController.php     |  13 +-
 .../OPNsense/Quagga/Api/ServiceController.php | 119 +--------
 .../mvc/app/views/OPNsense/Quagga/bfd.volt    | 108 ++++----
 .../mvc/app/views/OPNsense/Quagga/bgp.volt    | 235 ++++++++----------
 .../app/views/OPNsense/Quagga/general.volt    |  51 ++--
 .../mvc/app/views/OPNsense/Quagga/ospf.volt   | 210 ++++++++--------
 .../mvc/app/views/OPNsense/Quagga/ospf6.volt  |  59 ++---
 .../mvc/app/views/OPNsense/Quagga/rip.volt    |  62 +++--
 11 files changed, 367 insertions(+), 548 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 30b45d27b..d8e07f27a 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -2,7 +2,7 @@ PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.42
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8
-PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
+PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_TIER=		2
 
 .include "../../Mk/plugins.mk"
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BfdController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BfdController.php
index 4904f54c0..76fe62f70 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BfdController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BfdController.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2015-2025 Deciso B.V.
  * Copyright (C) 2017 Fabian Franz
  * Copyright (C) 2017-2021 Michael Muenz <m.muenz@gmail.com>
  * All rights reserved.
@@ -39,17 +39,11 @@ class BfdController extends ApiMutableModelControllerBase
 
     public function searchNeighborAction()
     {
-        return $this->searchBase(
-            'neighbors.neighbor',
-            array("enabled",
-                  "description",
-                  "address")
-        );
+        return $this->searchBase('neighbors.neighbor');
     }
 
     public function getNeighborAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('neighbor', 'neighbors.neighbor', $uuid);
     }
 
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/GeneralController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/GeneralController.php
index e27efec61..d8e615d6a 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/GeneralController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/GeneralController.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2015-2025 Deciso B.V.
  * Copyright (C) 2017 Fabian Franz
  * All rights reserved.
  *
@@ -29,46 +29,10 @@
 
 namespace OPNsense\Quagga\Api;
 
-use OPNsense\Base\ApiControllerBase;
-use OPNsense\Quagga\General;
-use OPNsense\Core\Config;
+use OPNsense\Base\ApiMutableModelControllerBase;
 
-class GeneralController extends ApiControllerBase
+class GeneralController extends ApiMutableModelControllerBase
 {
-    public function getAction()
-    {
-        // define list of configurable settings
-        $result = array();
-        if ($this->request->isGet()) {
-            $mdlGeneral = new General();
-            $result['general'] = $mdlGeneral->getNodes();
-        }
-        return $result;
-    }
-    public function setAction()
-    {
-        $result = array("result" => "failed");
-        if ($this->request->isPost()) {
-            // load model and update with provided data
-            $mdlGeneral = new General();
-            $mdlGeneral->setNodes($this->request->getPost("general"));
-
-            // perform validation
-            $valMsgs = $mdlGeneral->performValidation();
-            foreach ($valMsgs as $field => $msg) {
-                if (!array_key_exists("validations", $result)) {
-                    $result["validations"] = array();
-                }
-                $result["validations"]["general." . $msg->getField()] = $msg->getMessage();
-            }
-
-            // serialize model to config and save
-            if ($valMsgs->count() == 0) {
-                $mdlGeneral->serializeToConfig();
-                Config::getInstance()->save();
-                $result["result"] = "saved";
-            }
-        }
-        return $result;
-    }
+    protected static $internalModelName = 'general';
+    protected static $internalModelClass = '\OPNsense\Quagga\General';
 }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/OspfsettingsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/OspfsettingsController.php
index ae4c6b128..cb495c1c2 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/OspfsettingsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/OspfsettingsController.php
@@ -1,6 +1,7 @@
 <?php
 
 /*
+ *    Copyright (C) 2025 Deciso B.V.
  *    Copyright (C) 2017 Fabian Franz
  *    Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
  *    All rights reserved.
@@ -38,38 +39,34 @@ class OspfsettingsController extends ApiMutableModelControllerBase
 
     public function searchNetworkAction()
     {
-        return $this->searchBase('networks.network', array("enabled", "ipaddr", "netmask", "area"));
+        return $this->searchBase('networks.network');
     }
     public function searchInterfaceAction()
     {
-        return $this->searchBase('interfaces.interface', array("enabled", "interfacename", "networktype", "authtype", "area"));
+        return $this->searchBase('interfaces.interface');
     }
     public function searchPrefixlistAction()
     {
-        return $this->searchBase('prefixlists.prefixlist', array("enabled", "name", "seqnumber", "action", "network" ));
+        return $this->searchBase('prefixlists.prefixlist');
     }
     public function searchRoutemapAction()
     {
-        return $this->searchBase('routemaps.routemap', array("enabled", "name", "action", "id", "match2", "set"));
+        return $this->searchBase('routemaps.routemap');
     }
     public function getNetworkAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('network', 'networks.network', $uuid);
     }
     public function getInterfaceAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('interface', 'interfaces.interface', $uuid);
     }
     public function getPrefixlistAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('prefixlist', 'prefixlists.prefixlist', $uuid);
     }
     public function getRoutemapAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('routemap', 'routemaps.routemap', $uuid);
     }
     public function addNetworkAction()
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/ServiceController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/ServiceController.php
index a9935cfb5..c62632492 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/ServiceController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/ServiceController.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2015-2025 Deciso B.V.
  * Copyright (C) 2017 Fabian Franz
  * All rights reserved.
  *
@@ -29,121 +29,16 @@
 
 namespace OPNsense\Quagga\Api;
 
-use OPNsense\Base\ApiControllerBase;
-use OPNsense\Core\Backend;
-use OPNsense\Quagga\General;
+use OPNsense\Base\ApiMutableServiceControllerBase;
 
 /**
  * Class ServiceController
  * @package OPNsense\Quagga
  */
-class ServiceController extends ApiControllerBase
+class ServiceController extends ApiMutableServiceControllerBase
 {
-    /**
-     * start quagga service and reload filter rules to pass OSPF
-     * before the bogon filter kills the routing protocol packets
-     * @return array
-     */
-    public function startAction()
-    {
-        if ($this->request->isPost()) {
-            $backend = new Backend();
-            $response = $backend->configdRun('quagga start');
-            $backend->configdRun('filter reload');
-            return array('response' => $response);
-        } else {
-            return array('response' => array());
-        }
-    }
-
-    /**
-     * stop quagga service
-     * @return array
-     */
-    public function stopAction()
-    {
-        if ($this->request->isPost()) {
-            $backend = new Backend();
-            $response = $backend->configdRun('quagga stop');
-            return array('response' => $response);
-        } else {
-            return array('response' => array());
-        }
-    }
-
-    /**
-     * restart quagga service
-     * @return array
-     */
-    public function restartAction()
-    {
-        if ($this->request->isPost()) {
-            $backend = new Backend();
-            $response = $backend->configdRun('quagga restart');
-            $backend->configdRun('filter reload');
-            return array('response' => $response);
-        } else {
-            return array('response' => array());
-        }
-    }
-
-    /**
-     * retrieve status of quagga
-     * @return array
-     * @throws \Exception
-     */
-    public function statusAction()
-    {
-        $backend = new Backend();
-        $mdlGeneral = new General();
-        $response = $backend->configdRun('quagga status');
-
-        if (strpos($response, 'not running') > 0) {
-            if ($mdlGeneral->enabled->__toString() == 1) {
-                $status = 'stopped';
-            } else {
-                $status = 'disabled';
-            }
-        } elseif (strpos($response, 'is running') > 0) {
-            $status = 'running';
-        } elseif ($mdlGeneral->enabled->__toString() == 0) {
-            $status = 'disabled';
-        } else {
-            $status = 'unknown';
-        }
-
-
-        return array('status' => $status);
-    }
-
-    /**
-     * reconfigure quagga, generate config and reload
-     */
-    public function reconfigureAction()
-    {
-        if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
-
-            $mdlGeneral = new General();
-            $backend = new Backend();
-
-            $runStatus = $this->statusAction();
-
-            // stop quagga if it is running or not
-            $this->stopAction();
-
-            // generate template
-            $backend->configdRun('template reload OPNsense/Quagga');
-
-            // (res)start daemon
-            if ($mdlGeneral->enabled->__toString() == 1) {
-                $this->startAction();
-            }
-
-            return array('status' => 'ok');
-        } else {
-            return array('status' => 'failed');
-        }
-    }
+    protected static $internalServiceClass = '\OPNsense\Quagga\General';
+    protected static $internalServiceTemplate = 'OPNsense/Quagga';
+    protected static $internalServiceEnabled = 'enabled';
+    protected static $internalServiceName = 'quagga';
 }
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt
index 3c56ad63e..4510e23ce 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt
@@ -1,6 +1,6 @@
 {#
 
-OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
+OPNsense® is Copyright © 2014 – 2025 by Deciso B.V.
 Copyright (C) 2017 Fabian Franz
 Copyright (C) 2017 - 2021 Michael Muenz <m.muenz@gmail.com>
 All rights reserved.
@@ -27,20 +27,46 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGE.
 
 #}
+
+<script>
+    $( document ).ready(function() {
+        mapDataToFormUI({'frm_bfd_settings':"/api/quagga/bfd/get"}).done(function(data){
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+            updateServiceControlUI('quagga');
+        });
+
+        $("#grid-neighbors").UIBootgrid({
+            'search':'/api/quagga/bfd/searchNeighbor',
+            'get':'/api/quagga/bfd/getNeighbor/',
+            'set':'/api/quagga/bfd/setNeighbor/',
+            'add':'/api/quagga/bfd/addNeighbor/',
+            'del':'/api/quagga/bfd/delNeighbor/',
+            'toggle':'/api/quagga/bfd/toggleNeighbor/'
+        });
+
+        $("#reconfigureAct").SimpleActionButton({
+              onPreAction: function() {
+                  const dfObj = new $.Deferred();
+                  saveFormToEndpoint("/api/quagga/bfd/set", 'frm_bfd_settings', function () { dfObj.resolve(); }, true, function () { dfObj.reject(); });
+                  return dfObj;
+              },
+              onAction: function(data, status) {
+                  updateServiceControlUI('quagga');
+              }
+        });
+    });
+</script>
+
 <!-- Navigation bar -->
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
     <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
     <li><a data-toggle="tab" href="#neighbors">{{ lang._('Neighbors') }}</a></li>
 </ul>
+
 <div class="tab-content content-box tab-content">
     <div id="general" class="tab-pane fade in active">
-        <div class="content-box" style="padding-bottom: 1.5em;">
-            {{ partial("layout_partials/base_form",['fields':bfdForm,'id':'frm_bfd_settings'])}}
-            <div class="col-md-12">
-                <hr />
-                <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
-            </div>
-        </div>
+        {{ partial("layout_partials/base_form",['fields':bfdForm,'id':'frm_bfd_settings'])}}
     </div>
     <div id="neighbors" class="tab-pane fade in">
         <table id="grid-neighbors" class="table table-responsive" data-editDialog="DialogEditBFDNeighbor">
@@ -57,10 +83,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="10"></td>
-                    <td colspan="1">
+                    <td></td>
+                    <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
@@ -68,51 +94,19 @@ POSSIBILITY OF SUCH DAMAGE.
     </div>
 </div>
 
-<script>
-
-function quagga_update_status() {
-    updateServiceControlUI('quagga');
-}
-
-$(document).ready(function() {
-  var data_get_map = {'frm_bfd_settings':"/api/quagga/bfd/get"};
-  mapDataToFormUI(data_get_map).done(function(data){
-      formatTokenizersUI();
-      $('.selectpicker').selectpicker('refresh');
-  });
-  quagga_update_status();
-
-  // link save button to API set action
-  $("#saveAct").click(function(){
-      saveFormToEndpoint(url="/api/quagga/bfd/set",formid='frm_bfd_settings',callback_ok=function(){
-          $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-          ajaxCall(url="/api/quagga/service/reconfigure", sendData={}, callback=function(data,status) {
-              quagga_update_status();
-              $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-          });
-      });
-  });
-
-  /* allow a user to manually reload the service (for forms which do not do it automatically) */
-  $('.reload_btn').click(function reload_handler() {
-    $(".reloadAct_progress").addClass("fa-spin");
-    ajaxCall(url="/api/quagga/service/reconfigure", sendData={}, callback=function(data,status) {
-        quagga_update_status();
-        $(".reloadAct_progress").removeClass("fa-spin");
-    });
-  });
-
-  $("#grid-neighbors").UIBootgrid(
-    { 'search':'/api/quagga/bfd/searchNeighbor',
-      'get':'/api/quagga/bfd/getNeighbor/',
-      'set':'/api/quagga/bfd/setNeighbor/',
-      'add':'/api/quagga/bfd/addNeighbor/',
-      'del':'/api/quagga/bfd/delNeighbor/',
-      'toggle':'/api/quagga/bfd/toggleNeighbor/',
-      'options':{selection:false, multiSelect:false}
-    }
-  );
-});
-</script>
+<section class="page-content-main">
+    <div class="content-box">
+        <div class="col-md-12">
+            <br/>
+            <button class="btn btn-primary" id="reconfigureAct"
+                    data-endpoint='/api/quagga/service/reconfigure'
+                    data-label="{{ lang._('Apply') }}"
+                    data-error-title="{{ lang._('Error reconfiguring BFD') }}"
+                    type="button"
+            ></button>
+            <br/><br/>
+        </div>
+    </div>
+</section>
 
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBFDNeighbor,'id':'DialogEditBFDNeighbor','label':lang._('Edit Neighbor')])}}
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
index 82e62cfe6..b8385d546 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
@@ -1,6 +1,6 @@
 {#
 
-OPNsense® is Copyright © 2014 – 2024 by Deciso B.V.
+OPNsense® is Copyright © 2014 – 2025 by Deciso B.V.
 Copyright (C) 2017 Fabian Franz
 Copyright (C) 2017 - 2020 Michael Muenz <m.muenz@gmail.com>
 All rights reserved.
@@ -27,6 +27,77 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGE.
 
 #}
+
+<script>
+    $(document).ready(function() {
+        mapDataToFormUI({'frm_bgp_settings':"/api/quagga/bgp/get"}).done(function(data){
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+            updateServiceControlUI('quagga');
+        });
+
+        $("#reconfigureAct").SimpleActionButton({
+            onPreAction: function() {
+                const dfObj = new $.Deferred();
+                saveFormToEndpoint("/api/quagga/bgp/set", 'frm_bgp_settings', function () { dfObj.resolve(); }, true, function () { dfObj.reject(); });
+                return dfObj;
+            },
+            onAction: function(data, status) {
+                updateServiceControlUI('quagga');
+            }
+        });
+
+        $("#grid-neighbors").UIBootgrid({
+            'search':'/api/quagga/bgp/searchNeighbor',
+            'get':'/api/quagga/bgp/getNeighbor/',
+            'set':'/api/quagga/bgp/setNeighbor/',
+            'add':'/api/quagga/bgp/addNeighbor/',
+            'del':'/api/quagga/bgp/delNeighbor/',
+            'toggle':'/api/quagga/bgp/toggleNeighbor/'
+        });
+        $("#grid-aspaths").UIBootgrid({
+            'search':'/api/quagga/bgp/searchAspath',
+            'get':'/api/quagga/bgp/getAspath/',
+            'set':'/api/quagga/bgp/setAspath/',
+            'add':'/api/quagga/bgp/addAspath/',
+            'del':'/api/quagga/bgp/delAspath/',
+            'toggle':'/api/quagga/bgp/toggleAspath/'
+        });
+        $("#grid-prefixlists").UIBootgrid({
+            'search':'/api/quagga/bgp/searchPrefixlist',
+            'get':'/api/quagga/bgp/getPrefixlist/',
+            'set':'/api/quagga/bgp/setPrefixlist/',
+            'add':'/api/quagga/bgp/addPrefixlist/',
+            'del':'/api/quagga/bgp/delPrefixlist/',
+            'toggle':'/api/quagga/bgp/togglePrefixlist/'
+        });
+        $("#grid-communitylists").UIBootgrid({
+            'search':'/api/quagga/bgp/searchCommunitylist',
+            'get':'/api/quagga/bgp/getCommunitylist/',
+            'set':'/api/quagga/bgp/setCommunitylist/',
+            'add':'/api/quagga/bgp/addCommunitylist/',
+            'del':'/api/quagga/bgp/delCommunitylist/',
+            'toggle':'/api/quagga/bgp/toggleCommunitylist/'
+        });
+        $("#grid-routemaps").UIBootgrid({
+            'search':'/api/quagga/bgp/searchRoutemap',
+            'get':'/api/quagga/bgp/getRoutemap/',
+            'set':'/api/quagga/bgp/setRoutemap/',
+            'add':'/api/quagga/bgp/addRoutemap/',
+            'del':'/api/quagga/bgp/delRoutemap/',
+            'toggle':'/api/quagga/bgp/toggleRoutemap/'
+        });
+        $("#grid-peergroups").UIBootgrid({
+            'search':'/api/quagga/bgp/searchPeergroup',
+            'get':'/api/quagga/bgp/getPeergroup/',
+            'set':'/api/quagga/bgp/setPeergroup/',
+            'add':'/api/quagga/bgp/addPeergroup/',
+            'del':'/api/quagga/bgp/delPeergroup/',
+            'toggle':'/api/quagga/bgp/togglePeergroup/'
+        });
+    });
+</script>
+
 <!-- Navigation bar -->
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
     <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
@@ -41,10 +112,6 @@ POSSIBILITY OF SUCH DAMAGE.
     <div id="general" class="tab-pane fade in active">
         <div class="content-box" style="padding-bottom: 1.5em;">
             {{ partial("layout_partials/base_form",['fields':bgpForm,'id':'frm_bgp_settings'])}}
-            <div class="col-md-12">
-                <hr />
-                <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
-            </div>
         </div>
     </div>
     <div id="neighbors" class="tab-pane fade in">
@@ -67,11 +134,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="10"></td>
-                    <td colspan="1">
+                    <td></td>
+                    <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <!-- <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button> -->
-                        <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
@@ -94,11 +160,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="5"></td>
-                <td>
-                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                    <!-- <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button> -->
-                    <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span> {{ lang._('Reload Service') }}</button>
+                    <td></td>
+                    <td>
+                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
@@ -122,11 +187,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="5"></td>
-                <td>
-                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                    <!-- <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button> -->
-                    <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span> {{ lang._('Reload Service') }}</button>
+                    <td></td>
+                    <td>
+                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
@@ -150,11 +214,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="5"></td>
-                <td>
-                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                    <!-- <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button> -->
-                    <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span> {{ lang._('Reload Service') }}</button>
+                    <td></td>
+                    <td>
+                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
@@ -181,10 +244,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="5"></td>
-                <td>
-                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                    <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span> {{ lang._('Reload Service') }}</button>
+                    <td></td>
+                    <td>
+                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
@@ -210,10 +273,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="10"></td>
-                    <td colspan="1">
+                    <td></td>
+                    <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
@@ -221,102 +284,20 @@ POSSIBILITY OF SUCH DAMAGE.
     </div>
 </div>
 
-<script>
-
-function quagga_update_status() {
-    updateServiceControlUI('quagga');
-}
-
-$(document).ready(function() {
-  var data_get_map = {'frm_bgp_settings':"/api/quagga/bgp/get"};
-  mapDataToFormUI(data_get_map).done(function(data){
-      formatTokenizersUI();
-      $('.selectpicker').selectpicker('refresh');
-  });
-  quagga_update_status();
-
-  // link save button to API set action
-  $("#saveAct").click(function(){
-      saveFormToEndpoint(url="/api/quagga/bgp/set",formid='frm_bgp_settings',callback_ok=function(){
-          $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-          ajaxCall(url="/api/quagga/service/reconfigure", sendData={}, callback=function(data,status) {
-              quagga_update_status();
-              $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-          });
-      });
-  });
-
-  /* allow a user to manually reload the service (for forms which do not do it automatically) */
-  $('.reload_btn').click(function reload_handler() {
-    $(".reloadAct_progress").addClass("fa-spin");
-    ajaxCall(url="/api/quagga/service/reconfigure", sendData={}, callback=function(data,status) {
-        quagga_update_status();
-        $(".reloadAct_progress").removeClass("fa-spin");
-    });
-  });
-
-  $("#grid-neighbors").UIBootgrid(
-    { 'search':'/api/quagga/bgp/searchNeighbor',
-      'get':'/api/quagga/bgp/getNeighbor/',
-      'set':'/api/quagga/bgp/setNeighbor/',
-      'add':'/api/quagga/bgp/addNeighbor/',
-      'del':'/api/quagga/bgp/delNeighbor/',
-      'toggle':'/api/quagga/bgp/toggleNeighbor/',
-      'options':{selection:false, multiSelect:false}
-    }
-  );
-  $("#grid-aspaths").UIBootgrid(
-    { 'search':'/api/quagga/bgp/searchAspath',
-      'get':'/api/quagga/bgp/getAspath/',
-      'set':'/api/quagga/bgp/setAspath/',
-      'add':'/api/quagga/bgp/addAspath/',
-      'del':'/api/quagga/bgp/delAspath/',
-      'toggle':'/api/quagga/bgp/toggleAspath/',
-      'options':{selection:false, multiSelect:false}
-    }
-  );
-  $("#grid-prefixlists").UIBootgrid(
-    { 'search':'/api/quagga/bgp/searchPrefixlist',
-      'get':'/api/quagga/bgp/getPrefixlist/',
-      'set':'/api/quagga/bgp/setPrefixlist/',
-      'add':'/api/quagga/bgp/addPrefixlist/',
-      'del':'/api/quagga/bgp/delPrefixlist/',
-      'toggle':'/api/quagga/bgp/togglePrefixlist/',
-      'options':{selection:false, multiSelect:false}
-    }
-  );
-  $("#grid-communitylists").UIBootgrid(
-    { 'search':'/api/quagga/bgp/searchCommunitylist',
-      'get':'/api/quagga/bgp/getCommunitylist/',
-      'set':'/api/quagga/bgp/setCommunitylist/',
-      'add':'/api/quagga/bgp/addCommunitylist/',
-      'del':'/api/quagga/bgp/delCommunitylist/',
-      'toggle':'/api/quagga/bgp/toggleCommunitylist/',
-      'options':{selection:false, multiSelect:false}
-    }
-  );
-  $("#grid-routemaps").UIBootgrid(
-    { 'search':'/api/quagga/bgp/searchRoutemap',
-      'get':'/api/quagga/bgp/getRoutemap/',
-      'set':'/api/quagga/bgp/setRoutemap/',
-      'add':'/api/quagga/bgp/addRoutemap/',
-      'del':'/api/quagga/bgp/delRoutemap/',
-      'toggle':'/api/quagga/bgp/toggleRoutemap/',
-      'options':{selection:false, multiSelect:false}
-    }
-  );
-  $("#grid-peergroups").UIBootgrid(
-    { 'search':'/api/quagga/bgp/searchPeergroup',
-      'get':'/api/quagga/bgp/getPeergroup/',
-      'set':'/api/quagga/bgp/setPeergroup/',
-      'add':'/api/quagga/bgp/addPeergroup/',
-      'del':'/api/quagga/bgp/delPeergroup/',
-      'toggle':'/api/quagga/bgp/togglePeergroup/',
-      'options':{selection:false, multiSelect:false}
-    }
-  );
-    });
-</script>
+<section class="page-content-main">
+    <div class="content-box">
+        <div class="col-md-12">
+            <br/>
+            <button class="btn btn-primary" id="reconfigureAct"
+                    data-endpoint='/api/quagga/service/reconfigure'
+                    data-label="{{ lang._('Apply') }}"
+                    data-error-title="{{ lang._('Error reconfiguring BGP') }}"
+                    type="button"
+            ></button>
+            <br/><br/>
+        </div>
+    </div>
+</section>
 
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPNeighbor,'id':'DialogEditBGPNeighbor','label':lang._('Edit Neighbor')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPASPaths,'id':'DialogEditBGPASPaths','label':lang._('Edit AS Paths')])}}
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/general.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/general.volt
index 01e1746bd..aacb7d557 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/general.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/general.volt
@@ -1,6 +1,6 @@
 {#
 
-OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
+OPNsense® is Copyright © 2014 – 2025 by Deciso B.V.
 This file is Copyright © 2017 by Fabian Franz
 All rights reserved.
 
@@ -26,32 +26,43 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGE.
 
 #}
-<div class="content-box" style="padding-bottom: 1.5em;">
-    {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
-    <div class="col-md-12">
-        <hr />
-        <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
-    </div>
-</div>
 
 <script>
     $( document ).ready(function() {
-        var data_get_map = {'frm_general_settings':"/api/quagga/general/get"};
-        mapDataToFormUI(data_get_map).done(function(data){
+        mapDataToFormUI({'frm_general_settings':"/api/quagga/general/get"}).done(function(data){
             formatTokenizersUI();
             $('.selectpicker').selectpicker('refresh');
+            updateServiceControlUI('quagga');
         });
-        updateServiceControlUI('quagga');
 
-        // link save button to API set action
-        $("#saveAct").click(function(){
-            saveFormToEndpoint(url="/api/quagga/general/set", formid='frm_general_settings',callback_ok=function(){
-                $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-                ajaxCall(url="/api/quagga/service/reconfigure", sendData={}, callback=function(data,status) {
-                    updateServiceControlUI('quagga');
-                    $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-                });
-            }, true);
+        $("#reconfigureAct").SimpleActionButton({
+            onPreAction: function() {
+                const dfObj = new $.Deferred();
+                saveFormToEndpoint("/api/quagga/general/set", 'frm_general_settings', function () { dfObj.resolve(); }, true, function () { dfObj.reject(); });
+                return dfObj;
+            },
+            onAction: function(data, status) {
+                updateServiceControlUI('quagga');
+            }
         });
     });
 </script>
+
+<div class="content-box" style="padding-bottom: 1.5em;">
+    {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
+</div>
+
+<section class="page-content-main">
+    <div class="content-box">
+        <div class="col-md-12">
+            <br/>
+            <button class="btn btn-primary" id="reconfigureAct"
+                    data-endpoint='/api/quagga/service/reconfigure'
+                    data-label="{{ lang._('Apply') }}"
+                    data-error-title="{{ lang._('Error reconfiguring BFD') }}"
+                    type="button"
+            ></button>
+            <br/><br/>
+        </div>
+    </div>
+</section>
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
index b68db50c8..9daaa0e14 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
@@ -1,6 +1,6 @@
 {#
 
-OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
+OPNsense® is Copyright © 2014 – 2025 by Deciso B.V.
 This file is Copyright © 2017 by Fabian Franz
 All rights reserved.
 
@@ -27,25 +27,78 @@ POSSIBILITY OF SUCH DAMAGE.
 
 #}
 
-    <!-- Navigation bar -->
-    <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-        <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
-        <li><a data-toggle="tab" href="#networks">{{ lang._('Networks') }}</a></li>
-        <li><a data-toggle="tab" href="#interfaces">{{ lang._('Interfaces') }}</a></li>
-        <li><a data-toggle="tab" href="#prefixlists">{{ lang._('Prefix Lists') }}</a></li>
-        <li><a data-toggle="tab" href="#routemaps">{{ lang._('Route Maps') }}</a></li>
-    </ul>
-    <div class="tab-content content-box tab-content">
-        <div id="general" class="tab-pane fade in active">
-            <div class="content-box" style="padding-bottom: 1.5em;">
-                {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_ospf_settings'])}}
-                <div class="col-md-12">
-                    <hr />
-                    <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
-                </div>
-            </div>
-        </div>
+<script>
 
+    function quagga_update_status() {
+      updateServiceControlUI('quagga');
+    }
+
+    $( document ).ready(function() {
+        mapDataToFormUI({'frm_ospf_settings':"/api/quagga/ospfsettings/get"}).done(function(data){
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+            updateServiceControlUI('quagga');
+        });
+
+        $("#reconfigureAct").SimpleActionButton({
+            onPreAction: function() {
+                const dfObj = new $.Deferred();
+                saveFormToEndpoint("/api/quagga/ospfsettings/set", 'frm_ospf_settings', function () { dfObj.resolve(); }, true, function () { dfObj.reject(); });
+                return dfObj;
+            },
+            onAction: function(data, status) {
+                updateServiceControlUI('quagga');
+            }
+        });
+
+        $("#grid-networks").UIBootgrid({
+            'search':'/api/quagga/ospfsettings/searchNetwork',
+            'get':'/api/quagga/ospfsettings/getNetwork/',
+            'set':'/api/quagga/ospfsettings/setNetwork/',
+            'add':'/api/quagga/ospfsettings/addNetwork/',
+            'del':'/api/quagga/ospfsettings/delNetwork/',
+            'toggle':'/api/quagga/ospfsettings/toggleNetwork/'
+        });
+        $("#grid-interfaces").UIBootgrid({
+            'search':'/api/quagga/ospfsettings/searchInterface',
+            'get':'/api/quagga/ospfsettings/getInterface/',
+            'set':'/api/quagga/ospfsettings/setInterface/',
+            'add':'/api/quagga/ospfsettings/addInterface/',
+            'del':'/api/quagga/ospfsettings/delInterface/',
+            'toggle':'/api/quagga/ospfsettings/toggleInterface/'
+        });
+        $("#grid-prefixlists").UIBootgrid({
+            'search':'/api/quagga/ospfsettings/searchPrefixlist',
+            'get':'/api/quagga/ospfsettings/getPrefixlist/',
+            'set':'/api/quagga/ospfsettings/setPrefixlist/',
+            'add':'/api/quagga/ospfsettings/addPrefixlist/',
+            'del':'/api/quagga/ospfsettings/delPrefixlist/',
+            'toggle':'/api/quagga/ospfsettings/togglePrefixlist/'
+        });
+        $("#grid-routemaps").UIBootgrid({
+            'search':'/api/quagga/ospfsettings/searchRoutemap',
+            'get':'/api/quagga/ospfsettings/getRoutemap/',
+            'set':'/api/quagga/ospfsettings/setRoutemap/',
+            'add':'/api/quagga/ospfsettings/addRoutemap/',
+            'del':'/api/quagga/ospfsettings/delRoutemap/',
+            'toggle':'/api/quagga/ospfsettings/toggleRoutemap/'
+        });
+    });
+</script>
+
+<!-- Navigation bar -->
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+    <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
+    <li><a data-toggle="tab" href="#networks">{{ lang._('Networks') }}</a></li>
+    <li><a data-toggle="tab" href="#interfaces">{{ lang._('Interfaces') }}</a></li>
+    <li><a data-toggle="tab" href="#prefixlists">{{ lang._('Prefix Lists') }}</a></li>
+    <li><a data-toggle="tab" href="#routemaps">{{ lang._('Route Maps') }}</a></li>
+</ul>
+<div class="tab-content content-box tab-content">
+    <!-- Tab: General -->
+    <div id="general" class="tab-pane fade in active">
+        {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_ospf_settings'])}}
+    </div>
     <!-- Tab: Networks -->
     <div id="networks" class="tab-pane fade in">
       <table id="grid-networks" class="table table-responsive" data-editDialog="DialogEditNetwork">
@@ -63,17 +116,15 @@ POSSIBILITY OF SUCH DAMAGE.
           </tbody>
           <tfoot>
               <tr>
-                  <td colspan="5"></td>
+                  <td></td>
                   <td>
-                      <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                      <!-- <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button> -->
-                      <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span> {{ lang._('Reload Service') }}</button>
+                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                   </td>
               </tr>
           </tfoot>
       </table>
     </div>
-
     <!-- Tab: Interfaces -->
     <div id="interfaces" class="tab-pane fade in">
         <table id="grid-interfaces" class="table table-responsive" data-editDialog="DialogEditInterface">
@@ -85,22 +136,22 @@ POSSIBILITY OF SUCH DAMAGE.
                     <th data-column-id="authtype" data-type="string" data-visible="true">{{ lang._('Authentication Type') }}</th>
                     <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
                     <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-            </tr>
+                </tr>
             </thead>
             <tbody>
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="5"></td>
+                    <td></td>
                     <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <!-- <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button> -->
-                        <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span> {{ lang._('Reload Service') }}</button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
         </table>
     </div>
+    <!-- Tab: Prefixlists -->
     <div id="prefixlists" class="tab-pane fade in">
         <table id="grid-prefixlists" class="table table-responsive" data-editDialog="DialogEditPrefixLists">
             <thead>
@@ -118,16 +169,16 @@ POSSIBILITY OF SUCH DAMAGE.
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="5"></td>
+                    <td></td>
                     <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <!-- <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button> -->
-                        <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span> {{ lang._('Reload Service') }}</button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
         </table>
     </div>
+    <!-- Tab: Routemaps -->
     <div id="routemaps" class="tab-pane fade in">
         <table id="grid-routemaps" class="table table-responsive" data-editDialog="DialogEditRouteMaps">
             <thead>
@@ -146,95 +197,30 @@ POSSIBILITY OF SUCH DAMAGE.
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="5"></td>
+                    <td></td>
                     <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span> {{ lang._('Reload Service') }}</button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
         </table>
     </div>
+</div>
+
+<section class="page-content-main">
+    <div class="content-box">
+        <div class="col-md-12">
+            <button class="btn btn-primary __mb __mt" id="reconfigureAct"
+                data-endpoint='/api/quagga/service/reconfigure'
+                data-label="{{ lang._('Apply') }}"
+                data-error-title="{{ lang._('Error reconfiguring OSPFv3') }}"
+                data-service-widget="quagga"
+                type="button"
+            ></button>
+        </div>
     </div>
-
-<script>
-
-function quagga_update_status() {
-  updateServiceControlUI('quagga');
-}
-
-$( document ).ready(function() {
-  var data_get_map = {'frm_ospf_settings':"/api/quagga/ospfsettings/get"};
-  mapDataToFormUI(data_get_map).done(function(data){
-      formatTokenizersUI();
-      $('.selectpicker').selectpicker('refresh');
-  });
-  quagga_update_status();
-
-  // link save button to API set action
-  $("#saveAct").click(function(){
-      saveFormToEndpoint(url="/api/quagga/ospfsettings/set",formid='frm_ospf_settings',callback_ok=function(){
-        $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-        ajaxCall(url="/api/quagga/service/reconfigure", sendData={}, callback=function(data,status) {
-          quagga_update_status();
-          $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-        });
-      });
-  });
-
-
-  /* allow a user to manually reload the service (for forms which do not do it automatically) */
-  $('.reload_btn').click(function reload_handler() {
-    $(".reloadAct_progress").addClass("fa-spin");
-    ajaxCall(url="/api/quagga/service/reconfigure", sendData={}, callback=function(data,status) {
-      quagga_update_status();
-      $(".reloadAct_progress").removeClass("fa-spin");
-    });
-  });
-
-
-  $("#grid-networks").UIBootgrid(
-    { 'search':'/api/quagga/ospfsettings/searchNetwork',
-      'get':'/api/quagga/ospfsettings/getNetwork/',
-      'set':'/api/quagga/ospfsettings/setNetwork/',
-      'add':'/api/quagga/ospfsettings/addNetwork/',
-      'del':'/api/quagga/ospfsettings/delNetwork/',
-      'toggle':'/api/quagga/ospfsettings/toggleNetwork/',
-      'options':{selection:false, multiSelect:false}
-    }
-  );
-  $("#grid-interfaces").UIBootgrid(
-    { 'search':'/api/quagga/ospfsettings/searchInterface',
-      'get':'/api/quagga/ospfsettings/getInterface/',
-      'set':'/api/quagga/ospfsettings/setInterface/',
-      'add':'/api/quagga/ospfsettings/addInterface/',
-      'del':'/api/quagga/ospfsettings/delInterface/',
-      'toggle':'/api/quagga/ospfsettings/toggleInterface/',
-      'options':{selection:false, multiSelect:false}
-    }
-  );
-  $("#grid-prefixlists").UIBootgrid(
-    { 'search':'/api/quagga/ospfsettings/searchPrefixlist',
-      'get':'/api/quagga/ospfsettings/getPrefixlist/',
-      'set':'/api/quagga/ospfsettings/setPrefixlist/',
-      'add':'/api/quagga/ospfsettings/addPrefixlist/',
-      'del':'/api/quagga/ospfsettings/delPrefixlist/',
-      'toggle':'/api/quagga/ospfsettings/togglePrefixlist/',
-      'options':{selection:false, multiSelect:false}
-    }
-  );
-  $("#grid-routemaps").UIBootgrid(
-    { 'search':'/api/quagga/ospfsettings/searchRoutemap',
-      'get':'/api/quagga/ospfsettings/getRoutemap/',
-      'set':'/api/quagga/ospfsettings/setRoutemap/',
-      'add':'/api/quagga/ospfsettings/addRoutemap/',
-      'del':'/api/quagga/ospfsettings/delRoutemap/',
-      'toggle':'/api/quagga/ospfsettings/toggleRoutemap/',
-      'options':{selection:false, multiSelect:false}
-    }
-  );
-});
-</script>
+</section>
 
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditNetwork,'id':'DialogEditNetwork','label':lang._('Edit Network')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditInterface,'id':'DialogEditInterface','label':lang._('Edit Interface')])}}
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
index 3a4774436..d0749ac7c 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
@@ -1,5 +1,5 @@
 {#
- # Copyright (c) 2014-2024 Deciso B.V.
+ # Copyright (c) 2014-2025 Deciso B.V.
  # Copyright (c) 2017 Fabian Franz
  # Copyright (c) 2017 Michael Muenz <m.muenz@gmail.com>
  # All rights reserved.
@@ -32,18 +32,17 @@
         mapDataToFormUI({'frm_ospf6_settings':"/api/quagga/ospf6settings/get"}).done(function(data){
             formatTokenizersUI();
             $('.selectpicker').selectpicker('refresh');
+            updateServiceControlUI('quagga');
         });
 
-        updateServiceControlUI('quagga');
-
-        // link save button to API set action
-        $("#saveAct").SimpleActionButton({
+        $("#reconfigureAct").SimpleActionButton({
             onPreAction: function() {
                 const dfObj = new $.Deferred();
-                saveFormToEndpoint("/api/quagga/ospf6settings/set", 'frm_ospf6_settings', function(){
-                    dfObj.resolve();
-                });
+                saveFormToEndpoint("/api/quagga/ospf6settings/set", 'frm_ospf6_settings', function () { dfObj.resolve(); }, true, function () { dfObj.reject(); });
                 return dfObj;
+            },
+            onAction: function(data, status) {
+                updateServiceControlUI('quagga');
             }
         });
 
@@ -53,11 +52,7 @@
             'set':'/api/quagga/ospf6settings/setNetwork/',
             'add':'/api/quagga/ospf6settings/addNetwork/',
             'del':'/api/quagga/ospf6settings/delNetwork/',
-            'toggle':'/api/quagga/ospf6settings/toggleNetwork/',
-            'options':{
-                selection:false,
-                multiSelect:false
-            }
+            'toggle':'/api/quagga/ospf6settings/toggleNetwork/'
         });
         $("#grid-interfaces").UIBootgrid({
             'search':'/api/quagga/ospf6settings/searchInterface',
@@ -65,11 +60,7 @@
             'set':'/api/quagga/ospf6settings/setInterface/',
             'add':'/api/quagga/ospf6settings/addInterface/',
             'del':'/api/quagga/ospf6settings/delInterface/',
-            'toggle':'/api/quagga/ospf6settings/toggleInterface/',
-            'options':{
-                selection:false,
-                multiSelect:false
-            }
+            'toggle':'/api/quagga/ospf6settings/toggleInterface/'
         });
         $("#grid-prefixlists").UIBootgrid({
             'search':'/api/quagga/ospf6settings/searchPrefixlist',
@@ -77,11 +68,7 @@
             'set':'/api/quagga/ospf6settings/setPrefixlist/',
             'add':'/api/quagga/ospf6settings/addPrefixlist/',
             'del':'/api/quagga/ospf6settings/delPrefixlist/',
-            'toggle':'/api/quagga/ospf6settings/togglePrefixlist/',
-            'options':{
-                selection:false,
-                multiSelect:false
-            }
+            'toggle':'/api/quagga/ospf6settings/togglePrefixlist/'
         });
         $("#grid-routemaps").UIBootgrid({
             'search':'/api/quagga/ospf6settings/searchRoutemap',
@@ -89,11 +76,7 @@
             'set':'/api/quagga/ospf6settings/setRoutemap/',
             'add':'/api/quagga/ospf6settings/addRoutemap/',
             'del':'/api/quagga/ospf6settings/delRoutemap/',
-            'toggle':'/api/quagga/ospf6settings/toggleRoutemap/',
-            'options':{
-                selection:false,
-                multiSelect:false
-            }
+            'toggle':'/api/quagga/ospf6settings/toggleRoutemap/'
         });
 
         // hook checkbox item with conditional options
@@ -142,10 +125,11 @@
           </tbody>
           <tfoot>
               <tr>
-                  <td colspan="5"></td>
-                  <td>
-                      <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                  </td>
+                    <td></td>
+                    <td>
+                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                    </td>
               </tr>
           </tfoot>
       </table>
@@ -168,9 +152,10 @@
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="5"></td>
+                    <td></td>
                     <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
@@ -195,9 +180,10 @@
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="5"></td>
+                    <td></td>
                     <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
@@ -223,9 +209,10 @@
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="5"></td>
+                    <td></td>
                     <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
@@ -236,7 +223,7 @@
 <section class="page-content-main">
     <div class="content-box">
         <div class="col-md-12">
-            <button class="btn btn-primary __mb __mt" id="saveAct"
+            <button class="btn btn-primary __mb __mt" id="reconfigureAct"
                 data-endpoint='/api/quagga/service/reconfigure'
                 data-label="{{ lang._('Apply') }}"
                 data-error-title="{{ lang._('Error reconfiguring OSPFv3') }}"
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt
index 8abc7a3f5..b0b7effca 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt
@@ -1,6 +1,6 @@
 {#
 
-OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
+OPNsense® is Copyright © 2014 – 2025 by Deciso B.V.
 This file is Copyright © 2017 by Fabian Franz
 All rights reserved.
 
@@ -27,33 +27,43 @@ POSSIBILITY OF SUCH DAMAGE.
 
 #}
 
+<script>
+      $( document ).ready(function() {
+        mapDataToFormUI({'frm_rip_settings':"/api/quagga/rip/get"}).done(function(data){
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+            updateServiceControlUI('quagga');
+        });
+
+        $("#reconfigureAct").SimpleActionButton({
+            onPreAction: function() {
+                const dfObj = new $.Deferred();
+                saveFormToEndpoint("/api/quagga/rip/set", 'frm_rip_settings', function () { dfObj.resolve(); }, true, function () { dfObj.reject(); });
+                return dfObj;
+            },
+            onAction: function(data, status) {
+                updateServiceControlUI('quagga');
+            }
+        });
+    });
+</script>
+
 <div class="content-box" style="padding-bottom: 1.5em;">
     {{ partial("layout_partials/base_form",['fields':ripForm,'id':'frm_rip_settings'])}}
-    <div class="col-md-12">
-        <hr />
-        <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
-    </div>
 </div>
 
-<script>
-$(document).ready(function() {
-  var data_get_map = {'frm_rip_settings':"/api/quagga/rip/get"};
-  mapDataToFormUI(data_get_map).done(function(data){
-      formatTokenizersUI();
-      $('.selectpicker').selectpicker('refresh');
-  });
+<section class="page-content-main">
+  <div class="content-box">
+      <div class="col-md-12">
+          <br/>
+          <button class="btn btn-primary" id="reconfigureAct"
+                  data-endpoint='/api/quagga/service/reconfigure'
+                  data-label="{{ lang._('Apply') }}"
+                  data-error-title="{{ lang._('Error reconfiguring BFD') }}"
+                  type="button"
+          ></button>
+          <br/><br/>
+      </div>
+  </div>
+</section>
 
-  updateServiceControlUI('quagga');
-
-  // link save button to API set action
-  $("#saveAct").click(function(){
-      saveFormToEndpoint(url="/api/quagga/rip/set",formid='frm_rip_settings',callback_ok=function(){
-        $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-        ajaxCall(url="/api/quagga/service/reconfigure", sendData={}, callback=function(data,status) {
-          updateServiceControlUI('quagga');
-          $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-        });
-      });
-  });
-});
-</script>

From a4b774a9e4cef178b91d901d5baf50eaee8118c4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 8 Jan 2025 09:25:48 +0100
Subject: [PATCH 07/50] net/frr: glint and rev bump

---
 net/frr/Makefile                                            | 1 +
 net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index d8e07f27a..a3813aca2 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.42
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt
index b0b7effca..6e1c01c4c 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt
@@ -66,4 +66,3 @@ POSSIBILITY OF SUCH DAMAGE.
       </div>
   </div>
 </section>
-

From 898100b9a60cd1a8bf8f64a4b35cc1056a14ea60 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 8 Jan 2025 09:29:42 +0100
Subject: [PATCH 08/50] www/c-icap: bump rev

---
 www/c-icap/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/c-icap/Makefile b/www/c-icap/Makefile
index 575fb3e90..90a88fdf1 100644
--- a/www/c-icap/Makefile
+++ b/www/c-icap/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		c-icap
 PLUGIN_VERSION=		1.7
-PLUGIN_REVISION=	4
+PLUGIN_REVISION=	5
 PLUGIN_COMMENT=		c-icap connects the web proxy with a virus scanner
 PLUGIN_DEPENDS=		c-icap c-icap-modules
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 04fb480492f1b33c2cf98a829dbce1b3aafab6df Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 8 Jan 2025 09:31:02 +0100
Subject: [PATCH 09/50] security/clamav: rev bump

---
 security/clamav/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/clamav/Makefile b/security/clamav/Makefile
index afe24b92e..f4d90f209 100644
--- a/security/clamav/Makefile
+++ b/security/clamav/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		clamav
 PLUGIN_VERSION=		1.8
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Antivirus engine for detecting malicious threats
 PLUGIN_DEPENDS=		clamav
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From dbe43dc186578da25d441e2dc8cb1b410c5d1131 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 10 Jan 2025 09:30:22 +0100
Subject: [PATCH 10/50] www/caddy: Implement reusable grid template (#4454)

See: https://github.com/opnsense/core/commit/a7a99fcdfe972dacc1a6beada7607e73a1689d05
---
 .../OPNsense/Caddy/Layer4Controller.php       |  10 +-
 .../OPNsense/Caddy/ReverseProxyController.php |  15 +-
 .../OPNsense/Caddy/forms/dialogAccessList.xml |  10 +
 .../OPNsense/Caddy/forms/dialogHandle.xml     |  74 ++++++
 .../OPNsense/Caddy/forms/dialogHeader.xml     |   6 +
 .../OPNsense/Caddy/forms/dialogLayer4.xml     |  42 ++++
 .../Caddy/forms/dialogLayer4Openvpn.xml       |   3 +
 .../Caddy/forms/dialogReverseProxy.xml        |  32 +++
 .../OPNsense/Caddy/forms/dialogSubdomain.xml  |  19 ++
 .../mvc/app/views/OPNsense/Caddy/layer4.volt  |  72 +-----
 .../views/OPNsense/Caddy/reverse_proxy.volt   | 228 +++---------------
 11 files changed, 243 insertions(+), 268 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Layer4Controller.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Layer4Controller.php
index 1a085eff4..b1366ab72 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Layer4Controller.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Layer4Controller.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2023-2024 Cedrik Pischem
+ *    Copyright (C) 2023-2025 Cedrik Pischem
  *
  *    All rights reserved.
  *
@@ -37,7 +37,11 @@ class Layer4Controller extends IndexController
     public function indexAction()
     {
         $this->view->pick('OPNsense/Caddy/layer4');
-        $this->view->formDialogLayer4 = $this->getForm("dialogLayer4");
-        $this->view->formDialogLayer4Openvpn = $this->getForm("dialogLayer4Openvpn");
+
+        $this->view->formDialogLayer4 = $this->getForm('dialogLayer4');
+        $this->view->formGridLayer4 = $this->getFormGrid('dialogLayer4', null, 'ConfChangeMessage');
+
+        $this->view->formDialogLayer4Openvpn = $this->getForm('dialogLayer4Openvpn');
+        $this->view->formGridLayer4Openvpn = $this->getFormGrid('dialogLayer4Openvpn', null, 'ConfChangeMessage');
     }
 }
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
index fde12d63c..e30315299 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
@@ -1,8 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2023-2024 Cedrik Pischem
- *    Copyright (C) 2015 Deciso B.V.
+ *    Copyright (C) 2023-2025 Cedrik Pischem
  *
  *    All rights reserved.
  *
@@ -38,11 +37,23 @@ class ReverseProxyController extends IndexController
     public function indexAction()
     {
         $this->view->pick('OPNsense/Caddy/reverse_proxy');
+
         $this->view->formDialogReverseProxy = $this->getForm("dialogReverseProxy");
+        $this->view->formGridReverseProxy = $this->getFormGrid('dialogReverseProxy', null, 'ConfChangeMessage');
+
         $this->view->formDialogSubdomain = $this->getForm("dialogSubdomain");
+        $this->view->formGridSubdomain = $this->getFormGrid('dialogSubdomain', null, 'ConfChangeMessage');
+
         $this->view->formDialogHandle = $this->getForm("dialogHandle");
+        $this->view->formGridHandle = $this->getFormGrid('dialogHandle', null, 'ConfChangeMessage');
+
         $this->view->formDialogAccessList = $this->getForm("dialogAccessList");
+        $this->view->formGridAccessList = $this->getFormGrid('dialogAccessList', null, 'ConfChangeMessage');
+
         $this->view->formDialogBasicAuth = $this->getForm("dialogBasicAuth");
+        $this->view->formGridBasicAuth = $this->getFormGrid('dialogBasicAuth', null, 'ConfChangeMessage');
+
         $this->view->formDialogHeader = $this->getForm("dialogHeader");
+        $this->view->formGridHeader = $this->getFormGrid('dialogHeader', null, 'ConfChangeMessage');
     }
 }
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
index 50c2718ab..774ebd997 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
@@ -18,6 +18,10 @@
         <label>Invert List</label>
         <type>checkbox</type>
         <help><![CDATA[If checked, the access list logic will be inverted (i.e., the listed IPs will be blocked instead of allowed).]]></help>
+        <grid_view>
+            <type>boolean</type>
+            <formatter>boolean</formatter>
+        </grid_view>
     </field>
     <field>
         <id>accesslist.HttpResponseCode</id>
@@ -26,6 +30,9 @@
         <hint>abort</hint>
         <help><![CDATA[Set a custom HTTP response code that should be returned to the requesting client when the access list does not match. If empty, the connection is aborted with no response.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>accesslist.HttpResponseMessage</id>
@@ -33,6 +40,9 @@
         <type>text</type>
         <help><![CDATA[Set a custom HTTP response message in addition to the HTTP response code. If empty, the default HTTP response message for the chosen HTTP response code will be used.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>accesslist.description</id>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index 7ece8310a..3efcdb8dd 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -4,6 +4,11 @@
         <label>Enabled</label>
         <type>checkbox</type>
         <help><![CDATA[Enable this handler.]]></help>
+        <grid_view>
+            <width>6em</width>
+            <type>boolean</type>
+            <formatter>rowtoggle</formatter>
+        </grid_view>
     </field>
     <field>
         <id>handle.description</id>
@@ -38,6 +43,9 @@
         <type>dropdown</type>
         <help><![CDATA[Choose a handling type: "handle" (default) will keep the path in all requests. "handle_path" will strip the path from all requests.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.HandlePath</id>
@@ -46,6 +54,9 @@
         <hint>any</hint>
         <help><![CDATA[Enter a path to handle. Choose a pattern like "/*" or "/example/*". Leave empty to handle any paths (recommended). Any request matching this pattern will be handled by the chosen directive.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <type>header</type>
@@ -58,6 +69,9 @@
         <type>dropdown</type>
         <help><![CDATA[Select an Access List to restrict access to this handler. If unset, any local or remote client is allowed access.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.ForwardAuth</id>
@@ -65,6 +79,11 @@
         <type>checkbox</type>
         <help><![CDATA[Enable or disable Forward Auth. Requires an "Auth Provider" in "General Settings". Headers are set automatically to the standard of the chosen provider. Enabling this option will additionally generate the forward_auth directive in front of the reverse_proxy directive inside the scope of this handler.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+            <type>boolean</type>
+            <formatter>boolean</formatter>
+        </grid_view>
     </field>
     <field>
         <type>header</type>
@@ -87,6 +106,9 @@
         <style>style_reverse_proxy</style>
         <help><![CDATA[The default versions are highly recommended. Choose a HTTP version for the upstream destination. HTTP/3 (HTTP over QUIC) requires HTTPS, and only establishes connections to webservers that also support HTTP/3.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.header</id>
@@ -97,6 +119,9 @@
         <style>style_reverse_proxy selectpicker</style>
         <help><![CDATA[Select one or multiple headers. Caddy sets "X-Forwarded-For", "X-Forwarded-Proto" and "X-Forwarded-Host" by default, adding them here is not needed. Setting a wrong configuration can be a security risk or break functionality.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.HttpKeepalive</id>
@@ -106,6 +131,9 @@
         <style>style_reverse_proxy</style>
         <help><![CDATA[Leave empty to use default. Keepalive is either 0 (off) or a duration value that specifies how long to keep connections open (timeout) in seconds.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.HttpTls</id>
@@ -133,6 +161,9 @@
         <type>text</type>
         <help><![CDATA[When directive is "reverse_proxy", enter a path prefix like "/guacamole" that should be prepended to the upstream request. This is useful for destinations that have a virtual directory as their base path. When directive is "redir", add the path the request should be redirected to; leaving it empty will append {uri}.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.HttpTlsInsecureSkipVerify</id>
@@ -140,6 +171,11 @@
         <type>checkbox</type>
         <style>style_tls style_reverse_proxy</style>
         <help><![CDATA[Caddy uses HTTP by default to connect to the Upstream. If the Upstream is only reachable via HTTPS, this option disables the TLS handshake verification. This makes the connection insecure and vulnerable to man-in-the-middle attacks. In private networks the risk is low, though do not use in production if possible. It is advised to either use plain HTTP, or proper TLS handling by using the options in "Trust".]]></help>
+        <grid_view>
+            <visible>false</visible>
+            <type>boolean</type>
+            <formatter>boolean</formatter>
+        </grid_view>
     </field>
     <field>
         <id>handle.HttpTlsTrustedCaCerts</id>
@@ -147,6 +183,9 @@
         <type>dropdown</type>
         <style>style_tls style_reverse_proxy</style>
         <help><![CDATA[Choose a CA or self-signed certificate to trust from "System - Trust - Authorities". Useful if the upstream destination only accepts TLS connections and offers a self signed certificate. Adding that certificate here will allow for the encrypted connection to succeed.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.HttpTlsServerName</id>
@@ -154,6 +193,9 @@
         <type>text</type>
         <style>style_tls style_reverse_proxy</style>
         <help><![CDATA[Enter a hostname or IP address that matches the SAN "Subject Alternative Name" of the offered upstream certificate. This will change the SNI "Server Name Indication" of Caddy. Setting an IP address as "Upstream Domain", enabling "TLS" and selecting a "TLS Trust Pool", would make the SAN of the offered upstream certificate not match with the SNI of Caddy, since it will be an IP address instead of a hostname. Setting the hostname of the certificate here, fixes this issue. Please note that only SAN certificates are supported; CN "Common Name" will not work.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.HttpNtlm</id>
@@ -161,6 +203,11 @@
         <type>checkbox</type>
         <style>style_tls style_reverse_proxy</style>
         <help><![CDATA[Enable or disable NTLM. Needed to reverse proxy an Exchange Server. Warning: NTLM has been deprecated by Microsoft. This option will stay for as long as the optional http.reverse_proxy.transport.http_ntlm module can be compiled without errors.]]></help>
+        <grid_view>
+            <visible>false</visible>
+            <type>boolean</type>
+            <formatter>boolean</formatter>
+        </grid_view>
     </field>
     <field>
         <type>header</type>
@@ -174,6 +221,9 @@
         <style>style_reverse_proxy</style>
         <help><![CDATA[lb_policy is the name of the load balancing policy, along with any options. For policies that involve hashing, the highest-random-weight (HRW) algorithm is used to ensure that a client or request with the same hash key is mapped to the same upstream, even if the list of upstreams change.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.lb_retries</id>
@@ -183,6 +233,9 @@
         <hint>off</hint>
         <help><![CDATA[lb_retries is how many times to retry selecting available backends for each request if the next available host is down. If lb_try_duration is also configured, then retries may stop early if the duration is reached. In other words, the retry duration takes precedence over the retry count.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.lb_try_duration</id>
@@ -192,6 +245,9 @@
         <hint>0</hint>
         <help><![CDATA[lb_try_duration is a duration value that defines how long to try selecting available backends for each request if the next available host is down. Clients will wait for up to this long while the load balancer tries to find an available upstream host. A reasonable starting point might be 5s since the HTTP transport's default dial timeout is 3s, so that should allow for at least one retry if the first selected upstream cannot be reached.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.lb_try_interval</id>
@@ -201,6 +257,9 @@
         <hint>250</hint>
         <help><![CDATA[lb_try_interval is a duration value that defines how long to wait between selecting the next host from the pool. Only relevant when a request to an upstream host fails. Be aware that setting this to 0 with a non-zero lb_try_duration can cause the CPU to spin if all backends are down and latency is very low.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.PassiveHealthFailDuration</id>
@@ -210,6 +269,9 @@
         <hint>off</hint>
         <help><![CDATA[fail_duration enables a passive health check when multiple destinations in "Upstream Domain" are set. It is a value that defines how long to remember a failed request. A duration of 1 or more seconds enables passive health checking. A reasonable starting point might be 30s to balance error rates with responsiveness when bringing an unhealthy upstream back online.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.PassiveHealthMaxFails</id>
@@ -219,6 +281,9 @@
         <hint>1</hint>
         <help><![CDATA[max_fails is the maximum number of failed requests within fail_duration that are needed before considering an upstream to be down.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.PassiveHealthUnhealthyStatus</id>
@@ -228,6 +293,9 @@
         <hint>off</hint>
         <help><![CDATA[unhealthy_status counts a request as failed if the response comes back with one of these status codes. Can be a 3-digit status code or a status code class ending in xx, for example: 404 or 5xx.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.PassiveHealthUnhealthyLatency</id>
@@ -237,6 +305,9 @@
         <hint>off</hint>
         <help><![CDATA[unhealthy_latency is a duration value in ms that counts a request as failed if it takes this long to get a response.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.PassiveHealthUnhealthyRequestCount</id>
@@ -246,5 +317,8 @@
         <hint>off</hint>
         <help><![CDATA[unhealthy_request_count is the permissible number of simultaneous requests to a backend before marking it as down. In other words, if a particular backend is currently handling this many requests, then it is considered "overloaded" and other backends will be preferred instead. This should be a reasonably large number; configuring this means that the proxy will have a limit of unhealthy_request_count × upstreams_count total simultaneous requests, and any requests after that point will result in an error due to no upstreams being available.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml
index df19819f0..f7885bedd 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml
@@ -16,12 +16,18 @@
         <label>Header Value</label>
         <type>text</type>
         <help><![CDATA[Enter a value for the selected header. One of the most common options is "{upstream_hostport}". It is also possible to use a regular expression to search for a specific value in a header. For example: "^prefix-([A-Za-z0-9]*)$" which uses the regular expression language RE2 included in Go.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>header.HeaderReplace</id>
         <label>Header Replace</label>
         <type>text</type>
         <help><![CDATA[If a regular expression is used to search for a Header Value, the replacement string can be set here. For example: "replaced-$1-suffix" which expands the replacement string, allowing the use of captured values, "$1" being the first capture group.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>header.description</id>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
index 8fa4fdcae..9cabfaf42 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
@@ -4,6 +4,11 @@
         <label>Enabled</label>
         <type>checkbox</type>
         <help><![CDATA[Enable this Layer4 route.]]></help>
+        <grid_view>
+            <width>6em</width>
+            <type>boolean</type>
+            <formatter>rowtoggle</formatter>
+        </grid_view>
     </field>
     <field>
         <id>layer4.Sequence</id>
@@ -26,6 +31,9 @@
         <label>Routing Type</label>
         <type>dropdown</type>
         <help><![CDATA[Choose either "listener_wrappers" for multiplexing protocols on the default HTTP and HTTPS ports on OSI Layer 7, or "global" for raw TCP/UDP traffic routing on a custom "Local port" on OSI Layer 4 with optional OSI Layer 7 protocol matching.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>layer4.Protocol</id>
@@ -40,6 +48,9 @@
         <type>text</type>
         <style>style_type</style>
         <help><![CDATA[Choose a custom local port to listen on.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <type>header</type>
@@ -65,6 +76,9 @@
         <type>dropdown</type>
         <style>style_matchers matchers_openvpn</style>
         <help><![CDATA[Select the mode matching the OpenVPN Server or Client.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>layer4.FromOpenvpnStaticKey</id>
@@ -74,6 +88,9 @@
         <hint>Any</hint>
         <size>5</size>
         <help><![CDATA[Select a Static Key to match. Multiple Static Keys are only supported for tls-crypt2_client mode.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>layer4.InvertMatchers</id>
@@ -81,6 +98,11 @@
         <type>checkbox</type>
         <help><![CDATA[Invert the sense of the matcher. E.g., if the protocol is TLS, inverting will match all traffic that is not TLS. When domains have been chosen, these will be equally inverted.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+            <type>boolean</type>
+            <formatter>boolean</formatter>
+        </grid_view>
     </field>
     <field>
         <id>layer4.TerminateTls</id>
@@ -88,6 +110,11 @@
         <type>checkbox</type>
         <style>style_matchers matchers_domain</style>
         <help><![CDATA[Terminate TLS before routing to the upstream. Since this requires a certificate, ensure there is a domain configured in "Reverse Proxy" that matches the SNI of "Domain". The best matching SAN or wildcard certificate will be used automatically for this route.]]></help>
+        <grid_view>
+            <visible>false</visible>
+            <type>boolean</type>
+            <formatter>boolean</formatter>
+        </grid_view>
     </field>
     <field>
         <type>header</type>
@@ -113,6 +140,9 @@
         <type>dropdown</type>
         <help><![CDATA[Add the HA Proxy Protocol header. Either version 1 or 2 can be chosen. The default is off, since it is only needed when the upstream can use the Proxy Protocol header.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <type>header</type>
@@ -126,6 +156,9 @@
         <style>style_reverse_proxy</style>
         <help><![CDATA[lb_policy is the name of the load balancing policy, along with any options. For policies that involve hashing, the highest-random-weight (HRW) algorithm is used to ensure that a client or request with the same hash key is mapped to the same upstream, even if the list of upstreams change.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>layer4.PassiveHealthFailDuration</id>
@@ -135,6 +168,9 @@
         <hint>off</hint>
         <help><![CDATA[fail_duration enables a passive health check when multiple destinations in "Upstream Domain" are set. It is a value that defines how long to remember a failed request. A duration of 1 or more seconds enables passive health checking. A reasonable starting point might be 30s to balance error rates with responsiveness when bringing an unhealthy upstream back online.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>layer4.PassiveHealthMaxFails</id>
@@ -144,6 +180,9 @@
         <hint>1</hint>
         <help><![CDATA[max_fails is the maximum number of failed requests within fail_duration that are needed before considering an upstream to be down.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <type>header</type>
@@ -156,5 +195,8 @@
         <style>tokenize</style>
         <allownew>true</allownew>
         <help><![CDATA[Enter one or multiple IP addresses and networks. Leaving this empty will allow any remote client to connect. If populated and the remote IP address of a client matches, the connection to the "Upstream Domain" is allowed, otherwise the connection is dropped. Due to restrictions with this matcher, this list can not be inverted.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4Openvpn.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4Openvpn.xml
index ec225e85f..2ac852121 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4Openvpn.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4Openvpn.xml
@@ -9,5 +9,8 @@
         <label>Static Key</label>
         <type>textbox</type>
         <help>Paste an OpenVPN Static key.</help>
+        <grid_view>
+            <ignore>true</ignore>
+        </grid_view>
     </field>
 </fields>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
index 014e1853e..a8163b33f 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
@@ -4,6 +4,11 @@
         <label>Enabled</label>
         <type>checkbox</type>
         <help><![CDATA[Enable this domain.]]></help>
+        <grid_view>
+            <width>6em</width>
+            <type>boolean</type>
+            <formatter>rowtoggle</formatter>
+        </grid_view>
     </field>
     <field>
         <id>reverse.description</id>
@@ -39,6 +44,9 @@
         <type>dropdown</type>
         <style>style_tls</style>
         <help><![CDATA[Choose ACME to get automatic certificates with the built in ACME client; no additional plugin required. The "HTTP-01", "TLS-ALPN-01" or "DNS-01" challenge will be used to get automatic "Let's Encrypt" or "ZeroSSL" certificates. Alternatively, choose a custom certificate from "System - Trust - Certificates" for this domain. Make sure the full chain has been imported.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>reverse.AcmePassthrough</id>
@@ -46,6 +54,9 @@
         <type>text</type>
         <help><![CDATA[Enter a domain name or IP address. The HTTP-01 challenge will be redirected to that destination. This enables an ACME Client behind Caddy to serve "/.well-known/acme-challenge/" on port 80. Caddy will reverse proxy the HTTP-01 challenge for this domain, and will still issue a certificate using the TLS-ALPN-01 challenge or DNS-01 challenge for itself. This option can be used for High Availability when using Caddy with a master and backup OPNsense.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>reverse.DnsChallenge</id>
@@ -53,12 +64,22 @@
         <type>checkbox</type>
         <style>style_tls</style>
         <help><![CDATA[Enable the DNS-01 Challenge for this domain. Requires a "DNS Provider" in "General Settings". This is only needed for wildcard domains, or when the default challenges can not be used due to restrictive firewall policies.]]></help>
+        <grid_view>
+            <visible>false</visible>
+            <type>boolean</type>
+            <formatter>boolean</formatter>
+        </grid_view>
     </field>
     <field>
         <id>reverse.DynDns</id>
         <label>Dynamic DNS</label>
         <type>checkbox</type>
         <help><![CDATA[Enable or disable Dynamic DNS. Requires a "DNS Provider" in "General Settings". The DNS records of this domain will be automatically updated. A wildcard domain will create a "*.example.com" record. A base domain will create a "example.com" or "opn.example.com" record. Some providers need subdomains to set records for domains like "opn.example.com"; in that case use the checkbox in the subdomains tab.]]></help>
+        <grid_view>
+            <visible>false</visible>
+            <type>boolean</type>
+            <formatter>boolean</formatter>
+        </grid_view>
     </field>
     <field>
         <type>header</type>
@@ -69,6 +90,9 @@
         <label>Access List</label>
         <type>dropdown</type>
         <help><![CDATA[Select an Access List to restrict access to this domain. If unset, any local or remote client is allowed access.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>reverse.basicauth</id>
@@ -76,11 +100,19 @@
         <type>select_multiple</type>
         <size>5</size>
         <help><![CDATA[Select Users to restrict access to this domain. Basic Auth matches after Access Lists. If unset, any user is allowed access. When using CrowdSec, authorization failures will result in automatic bans.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>reverse.AccessLog</id>
         <label>HTTP Access Log</label>
         <type>checkbox</type>
         <help><![CDATA[Enable HTTP request logging for this domain and its subdomains. This option is mostly used for troubleshooting, audits and CrowdSec. It will log every single request.]]></help>
+        <grid_view>
+            <visible>false</visible>
+            <type>boolean</type>
+            <formatter>boolean</formatter>
+        </grid_view>
     </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
index 8a515e2ca..5db43f6f2 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
@@ -4,6 +4,11 @@
         <label>Enabled</label>
         <type>checkbox</type>
         <help><![CDATA[Enable this subdomain.]]></help>
+        <grid_view>
+            <width>6em</width>
+            <type>boolean</type>
+            <formatter>rowtoggle</formatter>
+        </grid_view>
     </field>
     <field>
         <id>subdomain.description</id>
@@ -33,6 +38,11 @@
         <label>Dynamic DNS</label>
         <type>checkbox</type>
         <help><![CDATA[Enable or disable Dynamic DNS. Requires a "DNS Provider" in "General Settings". The DNS records of this subdomain will be automatically updated.]]></help>
+        <grid_view>
+            <visible>false</visible>
+            <type>boolean</type>
+            <formatter>boolean</formatter>
+        </grid_view>
     </field>
     <field>
         <id>subdomain.AcmePassthrough</id>
@@ -40,6 +50,9 @@
         <type>text</type>
         <help><![CDATA[Enter a domain name or IP address. The HTTP-01 challenge will be redirected to that destination. This enables an ACME Client behind Caddy to serve "/.well-known/acme-challenge/" on port 80. Caddy will reverse proxy the HTTP-01 challenge for this subdomain.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <type>header</type>
@@ -50,6 +63,9 @@
         <label>Access List</label>
         <type>dropdown</type>
         <help><![CDATA[Select an Access List to restrict access to this subdomain. If unset, any local or remote client is allowed access.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>subdomain.basicauth</id>
@@ -57,5 +73,8 @@
         <type>select_multiple</type>
         <size>5</size>
         <help><![CDATA[Select Users to restrict access to this subdomain. Basic Auth matches after Access Lists. If unset, any user is allowed access.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt
index f1c57229c..be371635c 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt
@@ -1,5 +1,5 @@
 {#
- # Copyright (c) 2024 Cedrik Pischem
+ # Copyright (c) 2024-2025 Cedrik Pischem
  # All rights reserved.
  #
  # Redistribution and use in source and binary forms, with or without modification,
@@ -27,7 +27,7 @@
 <script>
     $(document).ready(function() {
         // Bootgrid Setup
-        $("#Layer4Grid").UIBootgrid({
+        $("#{{formGridLayer4['table_id']}}").UIBootgrid({
             search:'/api/caddy/ReverseProxy/searchLayer4/',
             get:'/api/caddy/ReverseProxy/getLayer4/',
             set:'/api/caddy/ReverseProxy/setLayer4/',
@@ -36,7 +36,7 @@
             toggle:'/api/caddy/ReverseProxy/toggleLayer4/',
         });
 
-        $("#Layer4OpenvpnGrid").UIBootgrid({
+        $("#{{formGridLayer4Openvpn['table_id']}}").UIBootgrid({
             search:'/api/caddy/ReverseProxy/searchLayer4Openvpn/',
             get:'/api/caddy/ReverseProxy/getLayer4Openvpn/',
             set:'/api/caddy/ReverseProxy/setLayer4Openvpn/',
@@ -137,44 +137,7 @@
         <div style="padding-left: 16px;">
             <h1 class="custom-header">{{ lang._('Layer4 Routes') }}</h1>
             <div style="display: block;">
-                <table id="Layer4Grid" class="table table-condensed table-hover table-striped" data-editDialog="DialogLayer4" data-editAlert="ConfigurationChangeMessage">
-                    <thead>
-                        <tr>
-                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                            <th data-column-id="enabled" data-width="6em" data-type="boolean" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                            <th data-column-id="Sequence" data-type="string">{{ lang._('Sequence') }}</th>
-                            <th data-column-id="Type" data-type="string" data-visible="false">{{ lang._('Routing Type') }}</th>
-                            <th data-column-id="Protocol" data-type="string">{{ lang._('Protocol') }}</th>
-                            <th data-column-id="FromPort" data-type="string" data-visible="false">{{ lang._('Local Port') }}</th>
-                            <th data-column-id="Matchers" data-type="string">{{ lang._('Matchers') }}</th>
-                            <th data-column-id="InvertMatchers" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Invert Matchers') }}</th>
-                            <th data-column-id="TerminateTls" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Terminate TLS') }}</th>
-                            <th data-column-id="FromDomain" data-type="string">{{ lang._('Domain') }}</th>
-                            <th data-column-id="FromOpenvpnModes" data-type="string" data-visible="false">{{ lang._('OpenVPN Modes') }}</th>
-                            <th data-column-id="FromOpenvpnStaticKey" data-type="string" data-visible="false">{{ lang._('OpenVPN Static Key') }}</th>
-                            <th data-column-id="ToDomain" data-type="string">{{ lang._('Upstream Domain') }}</th>
-                            <th data-column-id="ToPort" data-type="string">{{ lang._('Upstream Port') }}</th>
-                            <th data-column-id="RemoteIp" data-type="string" data-visible="false">{{ lang._('Remote IP') }}</th>
-                            <th data-column-id="lb_policy" data-type="string" data-visible="false">{{ lang._('Load Balance Policy') }}</th>
-                            <th data-column-id="PassiveHealthFailDuration" data-type="string" data-visible="false">{{ lang._('Passive Health Fail Duration') }}</th>
-                            <th data-column-id="PassiveHealthMaxFails" data-type="string" data-visible="false">{{ lang._('Passive Health Max Fails') }}</th>
-                            <th data-column-id="ProxyProtocol" data-type="string" data-visible="false">{{ lang._('Proxy Protocol') }}</th>
-                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                        </tr>
-                    </thead>
-                    <tbody>
-                    </tbody>
-                    <tfoot>
-                        <tr>
-                            <td></td>
-                            <td>
-                                <button id="addLayer4Btn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
-                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                            </td>
-                        </tr>
-                    </tfoot>
-                </table>
+                {{ partial('layout_partials/base_bootgrid_table', formGridLayer4)}}
             </div>
         </div>
     </div>
@@ -185,26 +148,7 @@
             <!-- OpenVPN Matcher -->
             <h1 class="custom-header">{{ lang._('OpenVPN Static Keys') }}</h1>
             <div style="display: block;">
-                <table id="Layer4OpenvpnGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogLayer4Openvpn" data-editAlert="ConfigurationChangeMessage">
-                    <thead>
-                        <tr>
-                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                        </tr>
-                    </thead>
-                    <tbody>
-                    </tbody>
-                    <tfoot>
-                        <tr>
-                            <td></td>
-                            <td>
-                                <button id="addLayer4OpenvpnBtn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
-                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                            </td>
-                        </tr>
-                    </tfoot>
-                </table>
+                {{ partial('layout_partials/base_bootgrid_table', formGridLayer4Openvpn)}}
             </div>
         </div>
     </div>
@@ -226,12 +170,12 @@
             <!-- Message Area for error/success messages -->
             <div id="messageArea" class="alert alert-info" style="display: none;"></div>
             <!-- Message Area to hint user to apply changes when data is changed in bootgrids -->
-            <div id="ConfigurationChangeMessage" class="alert alert-info" style="display: none;">
+            <div id="ConfChangeMessage" class="alert alert-info" style="display: none;">
             {{ lang._('Please do not forget to apply the configuration.') }}
             </div>
         </div>
     </div>
 </section>
 
-{{ partial("layout_partials/base_dialog",['fields':formDialogLayer4,'id':'DialogLayer4','label':lang._('Edit Layer4 Route')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogLayer4Openvpn,'id':'DialogLayer4Openvpn','label':lang._('Edit OpenVPN Static Key')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogLayer4,'id':formGridLayer4['edit_dialog_id'],'label':lang._('Edit Layer4 Route')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogLayer4Openvpn,'id':formGridLayer4Openvpn['edit_dialog_id'],'label':lang._('Edit OpenVPN Static Key')])}}
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index b77bf8618..f95594d21 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -1,5 +1,5 @@
 {#
- # Copyright (c) 2023-2024 Cedrik Pischem
+ # Copyright (c) 2023-2025 Cedrik Pischem
  # All rights reserved.
  #
  # Redistribution and use in source and binary forms, with or without modification,
@@ -27,7 +27,7 @@
 <script>
     $(document).ready(function() {
         // Bootgrid Setup
-        $("#reverseProxyGrid").UIBootgrid({
+        $("#{{formGridReverseProxy['table_id']}}").UIBootgrid({
             search:'/api/caddy/ReverseProxy/searchReverseProxy/',
             get:'/api/caddy/ReverseProxy/getReverseProxy/',
             set:'/api/caddy/ReverseProxy/setReverseProxy/',
@@ -40,7 +40,7 @@
             }
         });
 
-        $("#reverseSubdomainGrid").UIBootgrid({
+        $("#{{formGridSubdomain['table_id']}}").UIBootgrid({
             search:'/api/caddy/ReverseProxy/searchSubdomain/',
             get:'/api/caddy/ReverseProxy/getSubdomain/',
             set:'/api/caddy/ReverseProxy/setSubdomain/',
@@ -53,7 +53,7 @@
             }
         });
 
-        $("#reverseHandleGrid").UIBootgrid({
+        $("#{{formGridHandle['table_id']}}").UIBootgrid({
             search:'/api/caddy/ReverseProxy/searchHandle/',
             get:'/api/caddy/ReverseProxy/getHandle/',
             set:'/api/caddy/ReverseProxy/setHandle/',
@@ -65,7 +65,7 @@
             }
         });
 
-        $("#accessListGrid").UIBootgrid({
+        $("#{{formGridAccessList['table_id']}}").UIBootgrid({
             search:'/api/caddy/ReverseProxy/searchAccessList/',
             get:'/api/caddy/ReverseProxy/getAccessList/',
             set:'/api/caddy/ReverseProxy/setAccessList/',
@@ -76,7 +76,7 @@
             }
         });
 
-        $("#basicAuthGrid").UIBootgrid({
+        $("#{{formGridBasicAuth['table_id']}}").UIBootgrid({
             search:'/api/caddy/ReverseProxy/searchBasicAuth/',
             get:'/api/caddy/ReverseProxy/getBasicAuth/',
             set:'/api/caddy/ReverseProxy/setBasicAuth/',
@@ -87,7 +87,7 @@
             }
         });
 
-        $("#reverseHeaderGrid").UIBootgrid({
+        $("#{{formGridHeader['table_id']}}").UIBootgrid({
             search:'/api/caddy/ReverseProxy/searchHeader/',
             get:'/api/caddy/ReverseProxy/getHeader/',
             set:'/api/caddy/ReverseProxy/setHeader/',
@@ -138,11 +138,11 @@
                         select.append($('<option>').val(item.id).text(item.domainPort));
                     });
                 } else {
-                    select.html('<option value="">{{ lang._('Failed to load data') }}</option>');
+                    select.html(`<option value="">{{ lang._('Failed to load data') }}</option>`);
                 }
                 select.selectpicker('refresh');
             }).fail(function() {
-                $('#reverseFilter').html('<option value="">{{ lang._('Failed to load data') }}</option>').selectpicker('refresh');
+                $('#reverseFilter').html(`<option value="">{{ lang._('Failed to load data') }}</option>`).selectpicker('refresh');
             });
         }
 
@@ -164,9 +164,9 @@
         }
 
         function reloadGrids() {
-            $("#reverseProxyGrid").bootgrid("reload");
-            $("#reverseSubdomainGrid").bootgrid("reload");
-            $("#reverseHandleGrid").bootgrid("reload");
+            $("#{{formGridReverseProxy['table_id']}}").bootgrid("reload");
+            $("#{{formGridSubdomain['table_id']}}").bootgrid("reload");
+            $("#{{formGridHandle['table_id']}}").bootgrid("reload");
         }
 
         // Hide message area when starting new actions
@@ -345,72 +345,16 @@
         <div style="padding-left: 16px;">
             <!-- Reverse Proxy -->
             <h1 class="custom-header">{{ lang._('Domains') }}</h1>
-            <div style="display: block;"> <!-- Common container -->
-                <table id="reverseProxyGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogReverseProxy" data-editAlert="ConfigurationChangeMessage">
-                    <thead>
-                        <tr>
-                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                            <th data-column-id="enabled" data-width="6em" data-type="boolean" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                            <th data-column-id="DisableTls" data-type="string">{{ lang._('Protocol') }}</th>
-                            <th data-column-id="FromDomain" data-type="string">{{ lang._('Domain') }}</th>
-                            <th data-column-id="FromPort" data-type="string">{{ lang._('Port') }}</th>
-                            <th data-column-id="accesslist" data-type="string" data-visible="false">{{ lang._('Access List') }}</th>
-                            <th data-column-id="basicauth" data-type="string" data-visible="false">{{ lang._('Basic Auth') }}</th>
-                            <th data-column-id="DnsChallenge" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('DNS-01 Challenge') }}</th>
-                            <th data-column-id="DynDns" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Dynamic DNS') }}</th>
-                            <th data-column-id="AccessLog" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('HTTP Access Log') }}</th>
-                            <th data-column-id="CustomCertificate" data-type="string" data-visible="false">{{ lang._('Certificate') }}</th>
-                            <th data-column-id="AcmePassthrough" data-type="string" data-visible="false">{{ lang._('HTTP-01 Challenge Redirection') }}</th>
-                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                        </tr>
-                    </thead>
-                    <tbody>
-                    </tbody>
-                    <tfoot>
-                        <tr>
-                            <td></td>
-                            <td>
-                                <button id="addReverseProxyBtn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
-                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                            </td>
-                        </tr>
-                    </tfoot>
-                </table>
+            <div style="display: block;">
+                {{ partial('layout_partials/base_bootgrid_table', formGridReverseProxy)}}
             </div>
         </div>
 
         <!-- Subdomains Tab -->
         <div style="padding-left: 16px;">
             <h1 class="custom-header">{{ lang._('Subdomains') }}</h1>
-            <div style="display: block;"> <!-- Common container -->
-                <table id="reverseSubdomainGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogSubdomain" data-editAlert="ConfigurationChangeMessage">
-                    <thead>
-                        <tr>
-                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                            <th data-column-id="enabled" data-width="6em" data-type="boolean" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                            <th data-column-id="reverse" data-type="string">{{ lang._('Domain') }}</th>
-                            <th data-column-id="FromDomain" data-type="string">{{ lang._('Subdomain') }}</th>
-                            <th data-column-id="accesslist" data-type="string" data-visible="false">{{ lang._('Access List') }}</th>
-                            <th data-column-id="basicauth" data-type="string" data-visible="false">{{ lang._('Basic Auth') }}</th>
-                            <th data-column-id="DynDns" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Dynamic DNS') }}</th>
-                            <th data-column-id="AcmePassthrough" data-type="string" data-visible="false">{{ lang._('HTTP-01 Challenge Redirection') }}</th>
-                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                        </tr>
-                    </thead>
-                    <tbody>
-                    </tbody>
-                    <tfoot>
-                        <tr>
-                            <td></td>
-                            <td>
-                                <button id="addSubdomainBtn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
-                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                            </td>
-                        </tr>
-                    </tfoot>
-                </table>
+            <div style="display: block;">
+                {{ partial('layout_partials/base_bootgrid_table', formGridSubdomain)}}
             </div>
         </div>
     </div>
@@ -419,55 +363,8 @@
     <div id="handlesTab" class="tab-pane fade">
         <div style="padding-left: 16px;">
             <h1 class="custom-header">{{ lang._('Handlers') }}</h1>
-            <div style="display: block;"> <!-- Common container -->
-                <table id="reverseHandleGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogHandle" data-editAlert="ConfigurationChangeMessage">
-                    <thead>
-                        <tr>
-                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                            <th data-column-id="enabled" data-width="6em" data-type="boolean" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                            <th data-column-id="reverse" data-type="string">{{ lang._('Domain') }}</th>
-                            <th data-column-id="subdomain" data-type="string">{{ lang._('Subdomain') }}</th>
-                            <th data-column-id="HandleType" data-type="string" data-visible="false">{{ lang._('Handler') }}</th>
-                            <th data-column-id="HandlePath" data-type="string" data-visible="false">{{ lang._('Path') }}</th>
-                            <th data-column-id="header" data-type="string" data-visible="false">{{ lang._('HTTP Headers') }}</th>
-                            <th data-column-id="HandleDirective" data-type="string">{{ lang._('Directive') }}</th>
-                            <th data-column-id="HttpTls" data-type="string" data-visible="false">{{ lang._('Protocol') }}</th>
-                            <th data-column-id="ToDomain" data-type="string">{{ lang._('Upstream Domain') }}</th>
-                            <th data-column-id="ToPort" data-type="string">{{ lang._('Upstream Port') }}</th>
-                            <th data-column-id="ToPath" data-type="string" data-visible="false">{{ lang._('Upstream Path') }}</th>
-                            <th data-column-id="ForwardAuth" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Forward Auth') }}</th>
-                            <th data-column-id="accesslist" data-type="string" data-visible="false">{{ lang._('Access List') }}</th>
-                            <th data-column-id="HttpVersion" data-type="string" data-visible="false">{{ lang._('HTTP Version') }}</th>
-                            <th data-column-id="HttpKeepalive" data-type="string" data-visible="false">{{ lang._('HTTP Keepalive') }}</th>
-                            <th data-column-id="HttpTlsTrustedCaCerts" data-type="string" data-visible="false">{{ lang._('TLS Trust Pool') }}</th>
-                            <th data-column-id="HttpTlsServerName" data-type="string" data-visible="false">{{ lang._('TLS Server Name') }}</th>
-                            <th data-column-id="HttpNtlm" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('NTLM') }}</th>
-                            <th data-column-id="HttpTlsInsecureSkipVerify" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('TLS Insecure Skip Verify') }}</th>
-                            <th data-column-id="lb_policy" data-type="string" data-visible="false">{{ lang._('Load Balance Policy') }}</th>
-                            <th data-column-id="lb_retries" data-type="string" data-visible="false">{{ lang._('Load Balance Retries') }}</th>
-                            <th data-column-id="lb_try_duration" data-type="string" data-visible="false">{{ lang._('Load Balance Try Duration') }}</th>
-                            <th data-column-id="lb_try_interval" data-type="string" data-visible="false">{{ lang._('Load Balance Try Interval') }}</th>
-                            <th data-column-id="PassiveHealthFailDuration" data-type="string" data-visible="false">{{ lang._('Passive Health Fail Duration') }}</th>
-                            <th data-column-id="PassiveHealthMaxFails" data-type="string" data-visible="false">{{ lang._('Passive Health Max Fails') }}</th>
-                            <th data-column-id="PassiveHealthUnhealthyStatus" data-type="string" data-visible="false">{{ lang._('Passive Health Unhealthy Status') }}</th>
-                            <th data-column-id="PassiveHealthUnhealthyLatency" data-type="string" data-visible="false">{{ lang._('Passive Health Unhealthy Latency') }}</th>
-                            <th data-column-id="PassiveHealthUnhealthyRequestCount" data-type="string" data-visible="false">{{ lang._('Passive Health Unhealthy Request Count') }}</th>
-                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                        </tr>
-                    </thead>
-                    <tbody>
-                    </tbody>
-                    <tfoot>
-                        <tr>
-                            <td></td>
-                            <td>
-                                <button id="addReverseHandleBtn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
-                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                            </td>
-                        </tr>
-                    </tfoot>
-                </table>
+            <div style="display: block;">
+                {{ partial('layout_partials/base_bootgrid_table', formGridHandle)}}
             </div>
         </div>
     </div>
@@ -478,31 +375,7 @@
         <div style="padding-left: 16px;">
             <h1 class="custom-header">{{ lang._('Access Lists') }}</h1>
             <div style="display: block;">
-                <table id="accessListGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogAccessList" data-editAlert="ConfigurationChangeMessage">
-                    <thead>
-                        <tr>
-                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                            <th data-column-id="accesslistName" data-type="string">{{ lang._('Name') }}</th>
-                            <th data-column-id="clientIps" data-type="string">{{ lang._('Client IPs') }}</th>
-                            <th data-column-id="accesslistInvert" data-type="boolean" data-formatter="boolean">{{ lang._('Invert') }}</th>
-                            <th data-column-id="HttpResponseCode" data-type="string" data-visible="false">{{ lang._('HTTP Code') }}</th>
-                            <th data-column-id="HttpResponseMessage" data-type="string" data-visible="false">{{ lang._('HTTP Message') }}</th>
-                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                        </tr>
-                    </thead>
-                    <tbody>
-                    </tbody>
-                    <tfoot>
-                        <tr>
-                            <td></td>
-                            <td>
-                                <button id="addAccessListBtn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
-                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                            </td>
-                        </tr>
-                    </tfoot>
-                </table>
+                {{ partial('layout_partials/base_bootgrid_table', formGridAccessList)}}
             </div>
         </div>
 
@@ -510,27 +383,7 @@
         <div style="padding-left: 16px;">
             <h1 class="custom-header">{{ lang._('Basic Auth') }}</h1>
             <div style="display: block;">
-                <table id="basicAuthGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogBasicAuth" data-editAlert="ConfigurationChangeMessage">
-                    <thead>
-                        <tr>
-                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                            <th data-column-id="basicauthuser" data-type="string">{{ lang._('User') }}</th>
-                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                        </tr>
-                    </thead>
-                    <tbody>
-                    </tbody>
-                    <tfoot>
-                        <tr>
-                            <td></td>
-                            <td>
-                                <button id="addBasicAuthBtn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
-                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                            </td>
-                        </tr>
-                    </tfoot>
-                </table>
+                {{ partial('layout_partials/base_bootgrid_table', formGridBasicAuth)}}
             </div>
         </div>
     </div>
@@ -539,31 +392,8 @@
     <div id="headerTab" class="tab-pane fade">
         <div style="padding-left: 16px;">
             <h1 class="custom-header">{{ lang._('Headers') }}</h1>
-            <div style="display: block;"> <!-- Common container -->
-                <table id="reverseHeaderGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogHeader" data-editAlert="ConfigurationChangeMessage">
-                    <thead>
-                        <tr>
-                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                            <th data-column-id="HeaderUpDown" data-type="string">{{ lang._('Header') }}</th>
-                            <th data-column-id="HeaderType" data-type="string">{{ lang._('Header Type') }}</th>
-                            <th data-column-id="HeaderValue" data-type="string" data-visible="false">{{ lang._('Header Value') }}</th>
-                            <th data-column-id="HeaderReplace" data-type="string" data-visible="false">{{ lang._('Header Replace') }}</th>
-                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                        </tr>
-                    </thead>
-                    <tbody>
-                    </tbody>
-                    <tfoot>
-                        <tr>
-                            <td></td>
-                            <td>
-                                <button id="addReverseHeaderBtn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
-                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                            </td>
-                        </tr>
-                    </tfoot>
-                </table>
+            <div style="display: block;">
+                {{ partial('layout_partials/base_bootgrid_table', formGridHeader)}}
             </div>
         </div>
     </div>
@@ -584,16 +414,16 @@
             <!-- Message Area for error/success messages -->
             <div id="messageArea" class="alert alert-info" style="display: none;"></div>
             <!-- Message Area to hint user to apply changes when data is changed in bootgrids -->
-            <div id="ConfigurationChangeMessage" class="alert alert-info" style="display: none;">
+            <div id="ConfChangeMessage" class="alert alert-info" style="display: none;">
             {{ lang._('Please do not forget to apply the configuration.') }}
             </div>
         </div>
     </div>
 </section>
 
-{{ partial("layout_partials/base_dialog",['fields':formDialogReverseProxy,'id':'DialogReverseProxy','label':lang._('Edit Domain')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogSubdomain,'id':'DialogSubdomain','label':lang._('Edit Subdomain')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogHandle,'id':'DialogHandle','label':lang._('Edit Handler')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogAccessList,'id':'DialogAccessList','label':lang._('Edit Access List')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogBasicAuth,'id':'DialogBasicAuth','label':lang._('Edit Basic Auth')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogHeader,'id':'DialogHeader','label':lang._('Edit Header')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogReverseProxy,'id':formGridReverseProxy['edit_dialog_id'],'label':lang._('Edit Domain')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogSubdomain,'id':formGridSubdomain['edit_dialog_id'],'label':lang._('Edit Subdomain')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogHandle,'id':formGridHandle['edit_dialog_id'],'label':lang._('Edit Handler')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogAccessList,'id':formGridAccessList['edit_dialog_id'],'label':lang._('Edit Access List')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogBasicAuth,'id':formGridBasicAuth['edit_dialog_id'],'label':lang._('Edit Basic Auth')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogHeader,'id':formGridHeader['edit_dialog_id'],'label':lang._('Edit Header')])}}

From 9e571ed7631f15718346e24b65f250b03205fee4 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 7 Jan 2025 23:43:42 +0100
Subject: [PATCH 11/50] net/haproxy: migrate cert export to Trust MVC

---
 net/haproxy/pkg-descr                             |  5 +++++
 .../scripts/OPNsense/HAProxy/exportCerts.php      | 15 +++++++--------
 .../scripts/OPNsense/HAProxy/exportErrorFiles.php |  2 --
 .../scripts/OPNsense/HAProxy/exportLuaScripts.php |  2 --
 .../scripts/OPNsense/HAProxy/exportMapFiles.php   |  2 --
 5 files changed, 12 insertions(+), 14 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index d3e0b934f..f6ed896fa 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,11 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+4.5
+
+Changed:
+* migrate cert export to Trust MVC
+
 4.4
 
 Fixed:
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
index 20b72fd3d..935844878 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
@@ -2,7 +2,7 @@
 <?php
 
 /*
- * Copyright (C) 2016-2024 Frank Wall
+ * Copyright (C) 2016-2025 Frank Wall
  * Copyright (C) 2015 Deciso B.V.
  * All rights reserved.
  *
@@ -28,12 +28,11 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-// Use legacy code to export certificates to the filesystem.
+require_once('script/load_phalcon.php');
 require_once("config.inc");
-require_once("certs.inc");
-require_once("legacy_bindings.inc");
 
 use OPNsense\Core\Config;
+use OPNsense\Trust\Store as CertStore;
 
 $export_path = '/tmp/haproxy/ssl/';
 
@@ -82,8 +81,9 @@ foreach ($configNodes as $key => $value) {
                                         $ocsp_conf = '';
                                         // CRLs require special export
                                         if ($type == 'crl') {
-                                            $crl =& lookup_crl($cert_refid);
-                                            $pem_content = base64_decode($crl['text']);
+                                            if (isset($cert->text)) {
+                                                $pem_content = base64_decode($cert->text);
+                                            }
                                         } else {
                                             $pem_content = str_replace("\n\n", "\n", str_replace("\r", "", base64_decode((string)$cert->crt)));
                                             $pem_content .= "\n" . str_replace("\n\n", "\n", str_replace("\r", "", base64_decode((string)$cert->prv)));
@@ -91,9 +91,8 @@ foreach ($configNodes as $key => $value) {
                                             $ocsp_conf = hasOcspInfo($pem_content) ? ' [ocsp-update on]' : '';
                                             // check if a CA is linked
                                             if (!empty((string)$cert->caref)) {
-                                                $cert = (array)$cert;
-                                                $ca = ca_chain($cert);
                                                 // append the CA to the certificate data
+                                                $ca = CertStore::getCaChain((string)$cert->caref));
                                                 $pem_content .= "\n" . $ca;
                                                 // additionally export CA to it's own file,
                                                 // not required for HAProxy, but makes OCSP handling easier
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportErrorFiles.php b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportErrorFiles.php
index 9ffaa95d9..f5417c754 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportErrorFiles.php
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportErrorFiles.php
@@ -30,8 +30,6 @@
 
 // Use legacy code to export certificates to the filesystem.
 require_once("config.inc");
-require_once("certs.inc");
-require_once("legacy_bindings.inc");
 
 use OPNsense\Core\Config;
 
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportLuaScripts.php b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportLuaScripts.php
index 840657281..30e8bd3b3 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportLuaScripts.php
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportLuaScripts.php
@@ -30,8 +30,6 @@
 
 // Use legacy code to export certificates to the filesystem.
 require_once("config.inc");
-require_once("certs.inc");
-require_once("legacy_bindings.inc");
 
 use OPNsense\Core\Config;
 
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportMapFiles.php b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportMapFiles.php
index ee502e478..fe2e682f7 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportMapFiles.php
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportMapFiles.php
@@ -30,8 +30,6 @@
 
 // Use legacy code to export certificates to the filesystem.
 require_once("config.inc");
-require_once("certs.inc");
-require_once("legacy_bindings.inc");
 
 use OPNsense\Core\Config;
 

From b77ef8dc9bebcc830be83303ce7bea163e9a62af Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 9 Jan 2025 22:34:10 +0100
Subject: [PATCH 12/50] net/haproxy: switch to HAProxy 3.0, refs #4411

---
 net/haproxy/Makefile                                 |  4 ++--
 net/haproxy/pkg-descr                                |  1 +
 .../OPNsense/HAProxy/forms/dialogAction.xml          | 12 ++++++------
 .../OPNsense/HAProxy/forms/dialogBackend.xml         | 12 ++++++------
 .../OPNsense/HAProxy/forms/dialogFcgi.xml            |  2 +-
 .../OPNsense/HAProxy/forms/dialogFrontend.xml        |  6 +++---
 .../OPNsense/HAProxy/forms/dialogMapfile.xml         |  2 +-
 .../mvc/app/views/OPNsense/HAProxy/index.volt        | 10 +++++-----
 .../scripts/OPNsense/HAProxy/exportCerts.php         |  2 +-
 .../service/templates/OPNsense/HAProxy/haproxy.conf  |  4 ++--
 10 files changed, 28 insertions(+), 27 deletions(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 81ea69ec0..e629b6ca0 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		4.4
+PLUGIN_VERSION=		4.5
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
-PLUGIN_DEPENDS=		haproxy28 py${PLUGIN_PYTHON}-haproxy-cli
+PLUGIN_DEPENDS=		haproxy py${PLUGIN_PYTHON}-haproxy-cli
 PLUGIN_MAINTAINER=	opnsense@moov.de
 
 .include "../../Mk/plugins.mk"
diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index f6ed896fa..daac185c3 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -9,6 +9,7 @@ Plugin Changelog
 4.5
 
 Changed:
+* upgrade to HAProxy 3.0 release series (#4411)
 * migrate cert export to Trust MVC
 
 4.4
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
index 7945ded64..e0e5e345d 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
@@ -89,7 +89,7 @@
         <id>action.http_request_redirect</id>
         <label>HTTP Redirect</label>
         <type>text</type>
-        <help><![CDATA[Use HAProxy's redirect function to return a HTTP redirection. See <a href="http://docs.haproxy.org/2.8/configuration.html#redirect">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[Use HAProxy's redirect function to return a HTTP redirection. See <a href="http://docs.haproxy.org/3.0/configuration.html#redirect">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -128,7 +128,7 @@
         <id>action.http_request_add_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it is possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.8/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it is possible to use pre-defined variables, see <a href="http://docs.haproxy.org/3.0/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -145,7 +145,7 @@
         <id>action.http_request_set_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.8/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/3.0/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -251,7 +251,7 @@
         <id>action.http_response_add_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.8/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/3.0/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -268,7 +268,7 @@
         <id>action.http_response_set_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.8/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/3.0/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -468,6 +468,6 @@
         <id>action.fcgi_set_param</id>
         <label>Parameter</label>
         <type>text</type>
-        <help><![CDATA[Set a FastCGI parameter that should be passed to the application. Its value must follow HAProxy's <a href="http://docs.haproxy.org/2.8/configuration.html#8.2.4">Custom Log format rules</a>. With this directive, it is possible to overwrite the value of default FastCGI parameters.]]></help>
+        <help><![CDATA[Set a FastCGI parameter that should be passed to the application. Its value must follow HAProxy's <a href="http://docs.haproxy.org/3.0/configuration.html#8.2.4">Custom Log format rules</a>. With this directive, it is possible to overwrite the value of default FastCGI parameters.]]></help>
     </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
index 8411a6ad9..014b959ae 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
@@ -28,7 +28,7 @@
         <id>backend.algorithm</id>
         <label>Balancing Algorithm</label>
         <type>dropdown</type>
-        <help><![CDATA[Define the load balancing algorithm to be used in a Backend Pool. See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#balance">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Define the load balancing algorithm to be used in a Backend Pool. See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#balance">HAProxy documentation</a> for a full description.]]></help>
         <hint>Choose a load balancing algorithm.</hint>
     </field>
     <field>
@@ -42,7 +42,7 @@
         <id>backend.proxyProtocol</id>
         <label>Proxy Protocol</label>
         <type>dropdown</type>
-        <help><![CDATA[Enforces use of the PROXY protocol over any connection established to the configured servers. The PROXY protocol informs the other end about the layer 3/4 addresses of the incoming connection, so that it can know the client's address or the public address it accessed to, whatever the upper layer protocol. This setting must not be used if the servers are not aware of the PROXY protocol. See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#send-proxy">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Enforces use of the PROXY protocol over any connection established to the configured servers. The PROXY protocol informs the other end about the layer 3/4 addresses of the incoming connection, so that it can know the client's address or the public address it accessed to, whatever the upper layer protocol. This setting must not be used if the servers are not aware of the PROXY protocol. See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#send-proxy">HAProxy documentation</a> for a full description.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
@@ -186,7 +186,7 @@
         <style>tokenize</style>
         <allownew>true</allownew>
         <sortable>true</sortable>
-        <help><![CDATA[This may be used to add more information to the forwarded header. Default behavior enables proto parameter and injects original client IP. See he <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#option forwarded">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[This may be used to add more information to the forwarded header. Default behavior enables proto parameter and injects original client IP. See he <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#option forwarded">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>backend.forwardFor</id>
@@ -213,7 +213,7 @@
         <id>backend.persistence_cookiemode</id>
         <label>Cookie handling</label>
         <type>dropdown</type>
-        <help><![CDATA[Usually it is better to reuse an existing cookie. In this case HAProxy prefixes the cookie with the required information. See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#4.2-cookie">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Usually it is better to reuse an existing cookie. In this case HAProxy prefixes the cookie with the required information. See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#4.2-cookie">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>backend.persistence_cookiename</id>
@@ -235,14 +235,14 @@
         <id>backend.stickiness_pattern</id>
         <label>Table type</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose a request pattern to associate a user to a server. See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#stick on">HAProxy documentation</a> for a full description.<br/><div class="text-info"><b>NOTE:</b> Consider not using this feature in multi-process mode, it can result in random behaviours.</div>]]></help>
+        <help><![CDATA[Choose a request pattern to associate a user to a server. See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#stick on">HAProxy documentation</a> for a full description.<br/><div class="text-info"><b>NOTE:</b> Consider not using this feature in multi-process mode, it can result in random behaviours.</div>]]></help>
         <hint>Choose a persistence type.</hint>
     </field>
     <field>
         <id>backend.stickiness_dataTypes</id>
         <label>Stored data types</label>
         <type>select_multiple</type>
-        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>backend.stickiness_expire</id>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml
index c02327bce..4ad9d1e94 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml
@@ -33,7 +33,7 @@
         <id>fcgi.path_info</id>
         <label>Path Info</label>
         <type>text</type>
-        <help><![CDATA[Define a regular expression to extract the script-name and the path-info from the URL-decoded path, see <a href="http://docs.haproxy.org/2.8/configuration.html#10.1.1-path-info">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[Define a regular expression to extract the script-name and the path-info from the URL-decoded path, see <a href="http://docs.haproxy.org/3.0/configuration.html#10.1.1-path-info">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <id>fcgi.log_stderr</id>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index 2268abe72..a826ecfa8 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -350,14 +350,14 @@
         <id>frontend.stickiness_pattern</id>
         <label>Table type</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose the type of data that should be stored in this stick-table. Note that this stick-table cannot be used for session persistence, it is only used to store additional per-connection data (select below). See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#stick-table">HAProxy documentation</a> for further information.]]></help>
+        <help><![CDATA[Choose the type of data that should be stored in this stick-table. Note that this stick-table cannot be used for session persistence, it is only used to store additional per-connection data (select below). See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#stick-table">HAProxy documentation</a> for further information.]]></help>
         <hint>Choose a stick-table type.</hint>
     </field>
     <field>
         <id>frontend.stickiness_dataTypes</id>
         <label>Stored data types</label>
         <type>select_multiple</type>
-        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>frontend.stickiness_expire</id>
@@ -384,7 +384,7 @@
         <id>frontend.stickiness_counter_key</id>
         <label>Sticky counter key</label>
         <type>text</type>
-        <help><![CDATA[It describes what elements of the incoming request or connection will be analyzed, extracted, combined, and used to select which table entry to update the counters. Defaults to "src" to track elements of the source IP. See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#tcp-request connection">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[It describes what elements of the incoming request or connection will be analyzed, extracted, combined, and used to select which table entry to update the counters. Defaults to "src" to track elements of the source IP. See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#tcp-request connection">HAProxy documentation</a> for a full description.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
index 4955c8519..554246fa4 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
@@ -15,6 +15,6 @@
         <id>mapfile.content</id>
         <label>Content</label>
         <type>textbox</type>
-        <help><![CDATA[Paste the content of your map file here. See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#map">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Paste the content of your map file here. See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#map">HAProxy documentation</a> for a full description.]]></help>
     </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index 932c8814f..fd025cacc 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -717,7 +717,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('Lastly, enable HAProxy using the %sService%s settings page.') | format('<b>', '</b>') }}</li>
             </ul>
             <p>{{ lang._('Please be aware that you need to %smanually%s add the required firewall rules for all configured services.') | format('<b>', '</b>') }}</p>
-            <p>{{ lang._('Further information is available in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('<a href="http://docs.haproxy.org/2.8/configuration.html" target="_blank">', '</a>', '<a href="https://github.com/opnsense/plugins/issues/" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._('Further information is available in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('<a href="http://docs.haproxy.org/3.0/configuration.html" target="_blank">', '</a>', '<a href="https://github.com/opnsense/plugins/issues/" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
@@ -759,7 +759,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('%sConditions:%s HAProxy is capable of extracting data from requests, responses and other connection data and match it against predefined patterns. Use these powerful patterns to compose a condition that may be used in multiple Rules.') | format('<b>', '</b>') }}</li>
               <li>{{ lang._('%sRules:%s Perform a large set of actions if one or more %sConditions%s match. These Rules may be used in %sBackend Pools%s as well as %sPublic Services%s.') | format('<b>', '</b>', '<b>', '</b>', '<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("For more information on HAProxy's %sACL feature%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://docs.haproxy.org/2.8/configuration.html#7" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more information on HAProxy's %sACL feature%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://docs.haproxy.org/3.0/configuration.html#7" target="_blank">', '</a>') }}</p>
             <p>{{ lang._('Note that it is possible to directly add options to the HAProxy configuration by using the "option pass-through", a setting that is available for several configuration items. It allows you to implement configurations that are currently not officially supported by this plugin. It is strongly discouraged to rely on this feature. Please report missing features on our GitHub page!') | format('<b>', '</b>') }}</p>
             <br/>
         </div>
@@ -774,7 +774,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('%sGroup:%s A optional list containing one or more users. Groups usually make it easier to manage permissions for a large number of users') | format('<b>', '</b>') }}</li>
             </ul>
             <p>{{ lang._('Note that users and groups must be selected from the Backend Pool or Public Service configuration in order to be used for authentication. In addition to this users and groups may also be used in Rules/Conditions.') }}</p>
-            <p>{{ lang._("For more information on HAProxy's %suser/group management%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://docs.haproxy.org/2.8/configuration.html#3.4" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more information on HAProxy's %suser/group management%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://docs.haproxy.org/3.0/configuration.html#3.4" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
@@ -792,7 +792,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._("%sCache:%s HAProxy's cache which was designed to perform cache on small objects (favicon, css, etc.). This is a minimalist low-maintenance cache which runs in RAM.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
               <li>{{ lang._("%sPeers:%s Configure a communication channel between two HAProxy instances. This will propagate entries of any data-types in stick-tables between these HAProxy instances over TCP connections in a multi-master fashion. Useful when aiming for a seamless failover in a HA setup.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sStatistics%s, %sCache%s and %sPeers%s features.") | format('<a href="http://docs.haproxy.org/2.8/configuration.html#stats%20enable" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.8/configuration.html#10" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.8/configuration.html#3.5" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sStatistics%s, %sCache%s and %sPeers%s features.") | format('<a href="http://docs.haproxy.org/3.0/configuration.html#stats%20enable" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/3.0/configuration.html#10" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/3.0/configuration.html#3.5" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
@@ -810,7 +810,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._("%sResolvers:%s This feature allows in-depth configuration of how HAProxy handles name resolution and interacts with name resolvers (DNS). Each resolver configuration can be used in %sBackend Pools%s to apply individual name resolution configurations.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
               <li>{{ lang._("%sE-Mail Alerts:%s It is possible to send email alerts when the state of servers changes. Each configuration can be used in %sBackend Pools%s to send e-mail alerts to the configured recipient.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s, %sLua Script%s and the %sMap Files%s features. More information on HAProxy's CPU Affinity is also available %shere%s, %shere%s and %shere%s. A detailed explanation of the resolvers feature can be found %shere%s.") | format('<a href="http://docs.haproxy.org/2.8/configuration.html#4-errorfile" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.8/configuration.html#lua-load" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.8/configuration.html#map" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/2.8/configuration.html#cpu-map" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/2.8/configuration.html#bind-process" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/2.8/configuration.html#process" target="_blank">', '</a>','<a href="http://docs.haproxy.org/2.8/configuration.html#5.3.2" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s, %sLua Script%s and the %sMap Files%s features. More information on HAProxy's CPU Affinity is also available %shere%s, %shere%s and %shere%s. A detailed explanation of the resolvers feature can be found %shere%s.") | format('<a href="http://docs.haproxy.org/3.0/configuration.html#4-errorfile" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/3.0/configuration.html#lua-load" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/3.0/configuration.html#map" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/3.0/configuration.html#cpu-map" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/3.0/configuration.html#bind-process" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/3.0/configuration.html#process" target="_blank">', '</a>','<a href="http://docs.haproxy.org/3.0/configuration.html#5.3.2" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
index 935844878..cccff6408 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
@@ -92,7 +92,7 @@ foreach ($configNodes as $key => $value) {
                                             // check if a CA is linked
                                             if (!empty((string)$cert->caref)) {
                                                 // append the CA to the certificate data
-                                                $ca = CertStore::getCaChain((string)$cert->caref));
+                                                $ca = CertStore::getCaChain((string)$cert->caref);
                                                 $pem_content .= "\n" . $ca;
                                                 // additionally export CA to it's own file,
                                                 // not required for HAProxy, but makes OCSP handling easier
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 3e40f63c0..642a84e4a 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -990,10 +990,10 @@ global
 {# # check if OCSP is enabled #}
 {% if OPNsense.HAProxy.general.tuning.ocspUpdateEnabled|default('') == '1' %}
 {%   if helpers.exists('OPNsense.HAProxy.general.tuning.ocspUpdateMinDelay') %}
-    tune.ssl.ocsp-update.mindelay {{OPNsense.HAProxy.general.tuning.ocspUpdateMinDelay}}
+    ocsp-update.mindelay {{OPNsense.HAProxy.general.tuning.ocspUpdateMinDelay}}
 {%   endif %}
 {%   if helpers.exists('OPNsense.HAProxy.general.tuning.ocspUpdateMaxDelay') %}
-    tune.ssl.ocsp-update.maxdelay {{OPNsense.HAProxy.general.tuning.ocspUpdateMaxDelay}}
+    ocsp-update.maxdelay {{OPNsense.HAProxy.general.tuning.ocspUpdateMaxDelay}}
 {%   endif %}
 {% endif %}
 {% if helpers.exists('OPNsense.HAProxy.general.tuning.resolversPrefer') %}

From be90096c4096ef53a583cc21e4fd8c3c853e4fd6 Mon Sep 17 00:00:00 2001
From: Monviech <gitacc@pischem.com>
Date: Thu, 9 Jan 2025 08:06:12 +0000
Subject: [PATCH 13/50] net/freeradius: Remove sessionClose()

---
 .../controllers/OPNsense/Freeradius/Api/AvpairController.php   | 1 -
 .../controllers/OPNsense/Freeradius/Api/ClientController.php   | 1 -
 .../app/controllers/OPNsense/Freeradius/Api/DhcpController.php | 1 -
 .../controllers/OPNsense/Freeradius/Api/LeaseController.php    | 1 -
 .../controllers/OPNsense/Freeradius/Api/ProxyController.php    | 3 ---
 .../controllers/OPNsense/Freeradius/Api/ServiceController.php  | 3 ---
 .../app/controllers/OPNsense/Freeradius/Api/UserController.php | 1 -
 7 files changed, 11 deletions(-)

diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/AvpairController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/AvpairController.php
index b22f665fc..e2500e13a 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/AvpairController.php
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/AvpairController.php
@@ -42,7 +42,6 @@ class AvpairController extends ApiMutableModelControllerBase
     }
     public function getAvpairAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('avpair', 'avpairs.avpair', $uuid);
     }
     public function addAvpairAction()
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ClientController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ClientController.php
index f00443fb1..3cd6cc46d 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ClientController.php
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ClientController.php
@@ -76,7 +76,6 @@ class ClientController extends ApiMutableModelControllerBase
 
     public function searchClientAction()
     {
-        $this->sessionClose();
         $mdlClient = $this->getModel();
         $grid = new UIModelGrid($mdlClient->clients->client);
         return $grid->fetchBindRequest(
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/DhcpController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/DhcpController.php
index fb1dd5ebd..84be1d862 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/DhcpController.php
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/DhcpController.php
@@ -42,7 +42,6 @@ class DhcpController extends ApiMutableModelControllerBase
     }
     public function getDhcpAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('dhcp', 'dhcps.dhcp', $uuid);
     }
     public function addDhcpAction()
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/LeaseController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/LeaseController.php
index 3cff21e0e..4d8960e72 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/LeaseController.php
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/LeaseController.php
@@ -42,7 +42,6 @@ class LeaseController extends ApiMutableModelControllerBase
     }
     public function getLeaseAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('lease', 'leases.lease', $uuid);
     }
     public function addLeaseAction()
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ProxyController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ProxyController.php
index d19ac612b..118ffea5c 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ProxyController.php
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ProxyController.php
@@ -78,7 +78,6 @@ class ProxyController extends ApiMutableModelControllerBase
 
     public function searchRealmAction()
     {
-        $this->sessionClose();
         $mdlRealm = $this->getModel();
         $grid = new UIModelGrid($mdlRealm->realms->realm);
         return $grid->fetchBindRequest(
@@ -204,7 +203,6 @@ class ProxyController extends ApiMutableModelControllerBase
     }
     public function searchHomeserverAction()
     {
-        $this->sessionClose();
         $mdlHomeserver = $this->getModel();
         $grid = new UIModelGrid($mdlHomeserver->homeservers->homeserver);
         return $grid->fetchBindRequest(
@@ -306,7 +304,6 @@ class ProxyController extends ApiMutableModelControllerBase
     }
     public function searchHomeserverpoolAction()
     {
-        $this->sessionClose();
         $mdlHomeserverpool = $this->getModel();
         $grid = new UIModelGrid($mdlHomeserverpool->homeserverpools->homeserverpool);
         return $grid->fetchBindRequest(
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ServiceController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ServiceController.php
index 777f14d5d..699c7c894 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ServiceController.php
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ServiceController.php
@@ -119,9 +119,6 @@ class ServiceController extends ApiControllerBase
     public function reconfigureAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
-
             $mdlGeneral = new General();
             $backend = new Backend();
 
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/UserController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/UserController.php
index b6638e2c2..5a103278a 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/UserController.php
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/UserController.php
@@ -77,7 +77,6 @@ class UserController extends ApiMutableModelControllerBase
 
     public function searchUserAction()
     {
-        $this->sessionClose();
         $mdlUser = $this->getModel();
         $grid = new UIModelGrid($mdlUser->users->user);
         return $grid->fetchBindRequest(

From ff349682f8f1245bbe0e2a3e0faa4fca4dac1890 Mon Sep 17 00:00:00 2001
From: Monviech <gitacc@pischem.com>
Date: Thu, 9 Jan 2025 08:07:54 +0000
Subject: [PATCH 14/50] net/relayd: Remove sessionClose()

---
 .../app/controllers/OPNsense/Relayd/Api/ServiceController.php   | 2 --
 .../app/controllers/OPNsense/Relayd/Api/SettingsController.php  | 1 -
 .../app/controllers/OPNsense/Relayd/Api/StatusController.php    | 1 -
 3 files changed, 4 deletions(-)

diff --git a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/ServiceController.php b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/ServiceController.php
index 83eda0132..0bffec3e7 100644
--- a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/ServiceController.php
+++ b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/ServiceController.php
@@ -71,7 +71,6 @@ class ServiceController extends ApiMutableServiceControllerBase
     {
         if ($this->request->isPost()) {
             $result['status'] = 'ok';
-            $this->sessionClose();
 
             $backend = new Backend();
 
@@ -96,7 +95,6 @@ class ServiceController extends ApiMutableServiceControllerBase
     {
         if ($this->request->isPost()) {
             if ($this->lock()) {
-                $this->sessionClose();
                 $result['function'] = "reconfigure";
                 $result['status'] = 'failed';
                 $backend = new Backend();
diff --git a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php
index 3b8a11437..f8cac66f1 100644
--- a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php
+++ b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php
@@ -240,7 +240,6 @@ class SettingsController extends ApiMutableModelControllerBase
      */
     public function searchAction($nodeType = null)
     {
-        $this->sessionClose();
         if ($this->request->isPost() && $nodeType != null) {
             $this->validateNodeType($nodeType);
             $grid = new UIModelGrid($this->getModel()->$nodeType);
diff --git a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php
index 879bd2211..40c1a3134 100644
--- a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php
+++ b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php
@@ -202,7 +202,6 @@ class StatusController extends ApiControllerBase
     {
         $result = ["result" => "failed", "function" => "toggle"];
         if ($this->request->isPost()) {
-            $this->sessionClose();
             $backend = new Backend();
             if (in_array($nodeType, ['redirect', 'table', 'host']) && in_array($action, ['enable', 'disable'])) {
                 if ($id != null && $id > 0) {

From 8e8e5772684b940f81c130b4487d35ac5cac2238 Mon Sep 17 00:00:00 2001
From: Monviech <gitacc@pischem.com>
Date: Thu, 9 Jan 2025 08:10:00 +0000
Subject: [PATCH 15/50] net/siproxd: Remove sessionClose()

---
 .../OPNsense/Siproxd/Api/DomainController.php            | 1 -
 .../OPNsense/Siproxd/Api/ServiceController.php           | 9 ---------
 .../controllers/OPNsense/Siproxd/Api/UserController.php  | 1 -
 3 files changed, 11 deletions(-)

diff --git a/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/DomainController.php b/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/DomainController.php
index 20c57f8ef..97c1e45cc 100644
--- a/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/DomainController.php
+++ b/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/DomainController.php
@@ -77,7 +77,6 @@ class DomainController extends ApiMutableModelControllerBase
 
     public function searchDomainAction()
     {
-        $this->sessionClose();
         $mdlDomain = $this->getModel();
         $grid = new UIModelGrid($mdlDomain->domains->domain);
         return $grid->fetchBindRequest(
diff --git a/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/ServiceController.php b/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/ServiceController.php
index 6e934931a..2a48eec36 100644
--- a/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/ServiceController.php
+++ b/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/ServiceController.php
@@ -57,8 +57,6 @@ class ServiceController extends ApiControllerBase
     public function startAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("siproxd start");
             return array("response" => $response);
@@ -74,8 +72,6 @@ class ServiceController extends ApiControllerBase
     public function stopAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("siproxd stop");
             return array("response" => $response);
@@ -91,8 +87,6 @@ class ServiceController extends ApiControllerBase
     public function restartAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("siproxd restart");
             return array("response" => $response);
@@ -135,9 +129,6 @@ class ServiceController extends ApiControllerBase
     public function reconfigureAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
-
             $mdlGeneral = new General();
             $backend = new Backend();
 
diff --git a/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/UserController.php b/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/UserController.php
index 76645935c..ebb57998d 100644
--- a/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/UserController.php
+++ b/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/UserController.php
@@ -77,7 +77,6 @@ class UserController extends ApiMutableModelControllerBase
 
     public function searchUserAction()
     {
-        $this->sessionClose();
         $mdlUser = $this->getModel();
         $grid = new UIModelGrid($mdlUser->users->user);
         return $grid->fetchBindRequest(

From f882de47f0c8b713f31c5cc425ce1742600ac693 Mon Sep 17 00:00:00 2001
From: Monviech <gitacc@pischem.com>
Date: Thu, 9 Jan 2025 08:11:26 +0000
Subject: [PATCH 16/50] net-mgmt/telegraf: Remove sessionClose()

---
 .../controllers/OPNsense/Telegraf/Api/KeyController.php  | 1 -
 .../OPNsense/Telegraf/Api/ServiceController.php          | 9 ---------
 2 files changed, 10 deletions(-)

diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/KeyController.php b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/KeyController.php
index 09acd8b41..64b5c0189 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/KeyController.php
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/KeyController.php
@@ -43,7 +43,6 @@ class KeyController extends ApiMutableModelControllerBase
     }
     public function getKeyAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('key', 'keys.key', $uuid);
     }
     public function addKeyAction()
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/ServiceController.php b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/ServiceController.php
index 3f21c8b2a..b23981c3b 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/ServiceController.php
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/ServiceController.php
@@ -46,8 +46,6 @@ class ServiceController extends ApiControllerBase
     public function startAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("telegraf start");
             return array("response" => $response);
@@ -63,8 +61,6 @@ class ServiceController extends ApiControllerBase
     public function stopAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("telegraf stop");
             return array("response" => $response);
@@ -80,8 +76,6 @@ class ServiceController extends ApiControllerBase
     public function restartAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("telegraf restart");
             return array("response" => $response);
@@ -124,9 +118,6 @@ class ServiceController extends ApiControllerBase
     public function reconfigureAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
-
             $mdlGeneral = new General();
             $backend = new Backend();
 

From f71b3e494108b41cf2038854159398882e84f0f9 Mon Sep 17 00:00:00 2001
From: Monviech <gitacc@pischem.com>
Date: Thu, 9 Jan 2025 08:15:05 +0000
Subject: [PATCH 17/50] net-mgmt/collectd: Remove sessionClose()

---
 .../OPNsense/Collectd/Api/ServiceController.php          | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/Api/ServiceController.php b/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/Api/ServiceController.php
index 2d00ae311..822889941 100644
--- a/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/Api/ServiceController.php
+++ b/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/Api/ServiceController.php
@@ -46,8 +46,6 @@ class ServiceController extends ApiControllerBase
     public function startAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("collectd start");
             return array("response" => $response);
@@ -63,8 +61,6 @@ class ServiceController extends ApiControllerBase
     public function stopAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("collectd stop");
             return array("response" => $response);
@@ -80,8 +76,6 @@ class ServiceController extends ApiControllerBase
     public function restartAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("collectd restart");
             return array("response" => $response);
@@ -124,9 +118,6 @@ class ServiceController extends ApiControllerBase
     public function reconfigureAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
-
             $mdlGeneral = new General();
             $backend = new Backend();
 

From 7c2207999213fa3094973734eaa1d86b95d04f48 Mon Sep 17 00:00:00 2001
From: Monviech <gitacc@pischem.com>
Date: Thu, 9 Jan 2025 08:16:58 +0000
Subject: [PATCH 18/50] www/nginx: Remove sessionClose()

---
 .../OPNsense/Nginx/Api/SettingsController.php | 20 -------------------
 1 file changed, 20 deletions(-)

diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
index c6d77d395..0458bc2aa 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
@@ -56,7 +56,6 @@ class SettingsController extends ApiMutableModelControllerBase
 
     public function getuserlistAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('userlist', 'userlist', $uuid);
     }
 
@@ -83,7 +82,6 @@ class SettingsController extends ApiMutableModelControllerBase
 
     public function getcredentialAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('credential', 'credential', $uuid);
     }
 
@@ -110,7 +108,6 @@ class SettingsController extends ApiMutableModelControllerBase
 
     public function getupstreamAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('upstream', 'upstream', $uuid);
     }
 
@@ -137,7 +134,6 @@ class SettingsController extends ApiMutableModelControllerBase
 
     public function getupstreamserverAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('upstream_server', 'upstream_server', $uuid);
     }
 
@@ -183,7 +179,6 @@ class SettingsController extends ApiMutableModelControllerBase
 
     public function getlocationAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('location', 'location', $uuid);
     }
 
@@ -210,7 +205,6 @@ class SettingsController extends ApiMutableModelControllerBase
 
     public function getcustompolicyAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('custompolicy', 'custom_policy', $uuid);
     }
 
@@ -237,7 +231,6 @@ class SettingsController extends ApiMutableModelControllerBase
 
     public function getresolverAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('resolver', 'resolver', $uuid);
     }
 
@@ -267,7 +260,6 @@ class SettingsController extends ApiMutableModelControllerBase
 
     public function gethttpserverAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('httpserver', 'http_server', $uuid);
     }
 
@@ -294,7 +286,6 @@ class SettingsController extends ApiMutableModelControllerBase
 
     public function getstreamserverAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('streamserver', 'stream_server', $uuid);
     }
 
@@ -321,7 +312,6 @@ class SettingsController extends ApiMutableModelControllerBase
 
     public function getnaxsiruleAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('naxsi_rule', 'naxsi_rule', $uuid);
     }
 
@@ -348,7 +338,6 @@ class SettingsController extends ApiMutableModelControllerBase
 
     public function gethttprewriteAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('httprewrite', 'http_rewrite', $uuid);
     }
 
@@ -448,7 +437,6 @@ class SettingsController extends ApiMutableModelControllerBase
 
     public function getsecurityHeaderAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('security_header', 'security_header', $uuid);
     }
 
@@ -478,7 +466,6 @@ class SettingsController extends ApiMutableModelControllerBase
 
     public function getlimitZoneAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('limit_zone', 'limit_zone', $uuid);
     }
 
@@ -505,7 +492,6 @@ class SettingsController extends ApiMutableModelControllerBase
 
     public function geterrorpageAction($uuid = null)
     {
-        $this->sessionClose();
         $data = $this->getBase('errorpage', 'errorpage', $uuid);
         // Decode base64 encoded page content
         $data['errorpage']['pagecontent'] = base64_decode($data['errorpage']['pagecontent']);
@@ -541,7 +527,6 @@ class SettingsController extends ApiMutableModelControllerBase
 
     public function gettlsFingerprintAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('tls_fingerprint', 'tls_fingerprint', $uuid);
     }
 
@@ -571,7 +556,6 @@ class SettingsController extends ApiMutableModelControllerBase
 
     public function getlimitRequestConnectionAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('limit_request_connection', 'limit_request_connection', $uuid);
     }
 
@@ -600,7 +584,6 @@ class SettingsController extends ApiMutableModelControllerBase
 
     public function getcachePathAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('cache_path', 'cache_path', $uuid);
     }
 
@@ -627,7 +610,6 @@ class SettingsController extends ApiMutableModelControllerBase
 
     public function getsnifwdAction($uuid = null)
     {
-        $this->sessionClose();
         $base = $this->getBase('snihostname', 'sni_hostname_upstream_map', $uuid);
         return $this->convert_sni_fwd_for_client($base);
     }
@@ -672,7 +654,6 @@ class SettingsController extends ApiMutableModelControllerBase
 
     public function getipaclAction($uuid = null)
     {
-        $this->sessionClose();
         $base = $this->getBase('ipacl', 'ip_acl', $uuid);
         return $this->convert_ipacl_for_client($base);
     }
@@ -827,7 +808,6 @@ class SettingsController extends ApiMutableModelControllerBase
 
     public function getsyslogTargetAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('syslog_target', 'syslog_target', $uuid);
     }
 

From 659b29eff55b2ed30df0b1f2cc59c35a1d0febc6 Mon Sep 17 00:00:00 2001
From: Monviech <gitacc@pischem.com>
Date: Thu, 9 Jan 2025 08:21:39 +0000
Subject: [PATCH 19/50] www/squid: Remove sessionClose()

---
 .../OPNsense/Proxy/Api/ServiceController.php           | 10 ----------
 .../OPNsense/Proxy/Api/SettingsController.php          |  7 -------
 .../OPNsense/Proxy/Api/TemplateController.php          |  1 -
 3 files changed, 18 deletions(-)

diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/ServiceController.php b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/ServiceController.php
index 3fa2f25a5..5caae55f4 100644
--- a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/ServiceController.php
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/ServiceController.php
@@ -84,8 +84,6 @@ class ServiceController extends ApiMutableServiceControllerBase
     public function resetAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             return array('status' => $backend->configdRun('proxy reset'));
         } else {
@@ -101,8 +99,6 @@ class ServiceController extends ApiMutableServiceControllerBase
     public function refreshTemplateAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             return array('status' => $backend->configdRun('template reload OPNsense/Proxy'));
         } else {
@@ -118,9 +114,6 @@ class ServiceController extends ApiMutableServiceControllerBase
     public function fetchaclsAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
-
             $backend = new Backend();
             // generate template
             $backend->configdRun('template reload OPNsense/Proxy');
@@ -140,9 +133,6 @@ class ServiceController extends ApiMutableServiceControllerBase
     public function downloadaclsAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
-
             $backend = new Backend();
             // generate template
             $backend->configdRun('template reload OPNsense/Proxy');
diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/SettingsController.php b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/SettingsController.php
index e6f33dba0..faa8cfc6c 100644
--- a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/SettingsController.php
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/SettingsController.php
@@ -50,7 +50,6 @@ class SettingsController extends ApiMutableModelControllerBase
      */
     public function searchRemoteBlacklistsAction()
     {
-        $this->sessionClose();
         $mdlProxy = $this->getModel();
         $grid = new UIModelGrid($mdlProxy->forward->acl->remoteACLs->blacklists->blacklist);
         return $grid->fetchBindRequest(
@@ -153,7 +152,6 @@ class SettingsController extends ApiMutableModelControllerBase
      */
     public function searchPACRuleAction()
     {
-        $this->sessionClose();
         return $this->searchBase('pac.rule', array("enabled", "description", "proxies", "matches"), "description");
     }
 
@@ -164,7 +162,6 @@ class SettingsController extends ApiMutableModelControllerBase
      */
     public function getPACRuleAction($uuid = null)
     {
-        $this->sessionClose();
         return array("pac" => $this->getBase('rule', 'pac.rule', $uuid));
     }
 
@@ -217,7 +214,6 @@ class SettingsController extends ApiMutableModelControllerBase
      */
     public function searchPACProxyAction()
     {
-        $this->sessionClose();
         return $this->searchBase('pac.proxy', array("enabled","proxy_type", "name", "url", "description"), "description");
     }
 
@@ -228,7 +224,6 @@ class SettingsController extends ApiMutableModelControllerBase
      */
     public function getPACProxyAction($uuid = null)
     {
-        $this->sessionClose();
         return array("pac" => $this->getBase('proxy', 'pac.proxy', $uuid));
     }
 
@@ -270,7 +265,6 @@ class SettingsController extends ApiMutableModelControllerBase
      */
     public function searchPACMatchAction()
     {
-        $this->sessionClose();
         return $this->searchBase('pac.match', array("enabled", "name", "description", "negate", "match_type"), "name");
     }
 
@@ -281,7 +275,6 @@ class SettingsController extends ApiMutableModelControllerBase
      */
     public function getPACMatchAction($uuid = null)
     {
-        $this->sessionClose();
         return array("pac" => $this->getBase('match', 'pac.match', $uuid));
     }
 
diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/TemplateController.php b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/TemplateController.php
index 2f241f1cc..aab6b0ced 100644
--- a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/TemplateController.php
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/TemplateController.php
@@ -50,7 +50,6 @@ class TemplateController extends ApiMutableModelControllerBase
     public function setAction()
     {
         if ($this->request->isPost() && $this->request->hasPost("content")) {
-            $this->sessionClose();
             $mdl = $this->getModel();
             $mdl->error_pages->template = $this->request->getPost("content", "striptags");
             $result = $this->validate();

From 586f6379750bb87ceb80a75af0114eb9214a533b Mon Sep 17 00:00:00 2001
From: Monviech <gitacc@pischem.com>
Date: Thu, 9 Jan 2025 08:24:00 +0000
Subject: [PATCH 20/50] security/acme-client: Remove sessionClose()

---
 .../OPNsense/AcmeClient/Api/AccountsController.php       | 1 -
 .../OPNsense/AcmeClient/Api/ActionsController.php        | 1 -
 .../OPNsense/AcmeClient/Api/CertificatesController.php   | 1 -
 .../OPNsense/AcmeClient/Api/ServiceController.php        | 9 ---------
 .../OPNsense/AcmeClient/Api/ValidationsController.php    | 1 -
 5 files changed, 13 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/AccountsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/AccountsController.php
index 120e7cd9c..87c3eeb0d 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/AccountsController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/AccountsController.php
@@ -48,7 +48,6 @@ class AccountsController extends ApiMutableModelControllerBase
 
     public function getAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('account', 'accounts.account', $uuid);
     }
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ActionsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ActionsController.php
index 441eb6fb0..761f8f511 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ActionsController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ActionsController.php
@@ -46,7 +46,6 @@ class ActionsController extends ApiMutableModelControllerBase
 
     public function getAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('action', 'actions.action', $uuid);
     }
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/CertificatesController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/CertificatesController.php
index b76adefd7..76927da11 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/CertificatesController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/CertificatesController.php
@@ -48,7 +48,6 @@ class CertificatesController extends ApiMutableModelControllerBase
 
     public function getAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('certificate', 'certificates.certificate', $uuid);
     }
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ServiceController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ServiceController.php
index 0e1a34a23..6e15abf0c 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ServiceController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ServiceController.php
@@ -50,8 +50,6 @@ class ServiceController extends ApiControllerBase
     public function startAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("acmeclient http-start");
             return array("response" => $response);
@@ -67,8 +65,6 @@ class ServiceController extends ApiControllerBase
     public function stopAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("acmeclient http-stop");
             return array("response" => $response);
@@ -84,8 +80,6 @@ class ServiceController extends ApiControllerBase
     public function restartAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("acmeclient http-restart");
             return array("response" => $response);
@@ -128,9 +122,6 @@ class ServiceController extends ApiControllerBase
     public function reconfigureAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
-
             $force_restart = false;
 
             $mdlAcme = new AcmeClient();
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ValidationsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ValidationsController.php
index 703a8fef3..c4c340349 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ValidationsController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ValidationsController.php
@@ -47,7 +47,6 @@ class ValidationsController extends ApiMutableModelControllerBase
 
     public function getAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('validation', 'validations.validation', $uuid);
     }
 

From 499b8ff7ca94f6a90e2bfa68acb339b22770a455 Mon Sep 17 00:00:00 2001
From: Monviech <gitacc@pischem.com>
Date: Thu, 9 Jan 2025 08:25:33 +0000
Subject: [PATCH 21/50] security/tor: Remove sessionClose()

---
 .../mvc/app/controllers/OPNsense/Tor/Api/ExitaclController.php | 1 -
 .../mvc/app/controllers/OPNsense/Tor/Api/GeneralController.php | 1 -
 .../controllers/OPNsense/Tor/Api/HiddenserviceController.php   | 1 -
 .../OPNsense/Tor/Api/HiddenserviceaclController.php            | 1 -
 .../mvc/app/controllers/OPNsense/Tor/Api/ServiceController.php | 3 ---
 .../app/controllers/OPNsense/Tor/Api/SocksaclController.php    | 1 -
 6 files changed, 8 deletions(-)

diff --git a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/ExitaclController.php b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/ExitaclController.php
index 0e0beaa38..beb06d1cd 100644
--- a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/ExitaclController.php
+++ b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/ExitaclController.php
@@ -43,7 +43,6 @@ class ExitaclController extends ApiMutableModelControllerBase
     }
     public function getaclAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('exitpolicy', 'policy', $uuid);
     }
     public function addaclAction()
diff --git a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/GeneralController.php b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/GeneralController.php
index b87068681..455057eda 100644
--- a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/GeneralController.php
+++ b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/GeneralController.php
@@ -82,7 +82,6 @@ class GeneralController extends ApiMutableModelControllerBase
 
     public function gethidservauthAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('client_auth', 'client_authentications.client_auth', $uuid);
     }
 
diff --git a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/HiddenserviceController.php b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/HiddenserviceController.php
index 7655546af..0079f3d53 100644
--- a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/HiddenserviceController.php
+++ b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/HiddenserviceController.php
@@ -40,7 +40,6 @@ class HiddenserviceController extends ApiMutableModelControllerBase
     }
     public function getserviceAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('hiddenservice', 'service', $uuid);
     }
     public function addserviceAction()
diff --git a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/HiddenserviceaclController.php b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/HiddenserviceaclController.php
index 42d372b5f..75e302df9 100644
--- a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/HiddenserviceaclController.php
+++ b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/HiddenserviceaclController.php
@@ -40,7 +40,6 @@ class HiddenserviceaclController extends ApiMutableModelControllerBase
     }
     public function getaclAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('hiddenserviceacl', 'hiddenserviceacl', $uuid);
     }
     public function addaclAction()
diff --git a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/ServiceController.php b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/ServiceController.php
index a5ae94af9..40d9cc066 100644
--- a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/ServiceController.php
+++ b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/ServiceController.php
@@ -132,9 +132,6 @@ class ServiceController extends ApiControllerBase
     public function reconfigureAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
-
             $general = new General();
             $backend = new Backend();
 
diff --git a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/SocksaclController.php b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/SocksaclController.php
index 7add9c0fa..449fb38de 100644
--- a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/SocksaclController.php
+++ b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/SocksaclController.php
@@ -40,7 +40,6 @@ class SocksaclController extends ApiMutableModelControllerBase
     }
     public function getaclAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('policy', 'policy', $uuid);
     }
     public function addaclAction()

From f96d0023d097de52a9df4dcba16ae2d965a9b172 Mon Sep 17 00:00:00 2001
From: trantor1 <alexander.riedel@googlemail.com>
Date: Fri, 10 Jan 2025 14:49:15 +0100
Subject: [PATCH 22/50] mail/rspamd: fix wrong key in greylist.conf template
 for whitelisted ips (#4459)

Co-authored-by: Alexander Riedel <ariedel@compnetgmbh.de>
---
 .../opnsense/service/templates/OPNsense/Rspamd/greylist.conf    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/greylist.conf b/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/greylist.conf
index 42e19b416..0d359054d 100644
--- a/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/greylist.conf
+++ b/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/greylist.conf
@@ -11,5 +11,5 @@
   action = "soft reject"; # default greylisted action
   ipv4_mask = {{ OPNsense.Rspamd.graylist.ipv4mask|default('19') }};
   ipv6_mask = {{ OPNsense.Rspamd.graylist.ipv6mask|default('64') }};
-  whitelist_ip = "/usr/local/etc/rspamd/local.d/greylist_ip.wl";
+  whitelisted_ip = "/usr/local/etc/rspamd/local.d/greylist_ip.wl";
 {% endif %}

From 15cec3fee0fd548a56bc17371fd3d65ff6c17ba7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 10 Jan 2025 14:51:53 +0100
Subject: [PATCH 23/50] mail/rspamd: revision bump after fix

---
 mail/rspamd/Makefile  | 2 +-
 mail/rspamd/pkg-descr | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/mail/rspamd/Makefile b/mail/rspamd/Makefile
index 6d672f7ff..a1e2148ce 100644
--- a/mail/rspamd/Makefile
+++ b/mail/rspamd/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		rspamd
 PLUGIN_VERSION=		1.13
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Protect your network from spam
 PLUGIN_DEPENDS=		rspamd
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/mail/rspamd/pkg-descr b/mail/rspamd/pkg-descr
index c356fd21c..a1d6d33b6 100644
--- a/mail/rspamd/pkg-descr
+++ b/mail/rspamd/pkg-descr
@@ -8,6 +8,7 @@ Plugin Changelog
 1.13
 
 * Make local whitelist by e-mail address possible (contributed by itNGO)
+* Fix typo in "whitelisted_ip" option (contributed by Alexander Riedel)
 * Add phishing exclusion (contributed by Makss39)
 
 1.12

From 1e4674a853ea6145011ce1bcab5294eb219be917 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 13 Jan 2025 13:56:34 +0100
Subject: [PATCH 24/50] plugins: address 'adress' typo like in core

---
 .../mvc/app/views/OPNsense/Relayd/index.volt  | 54 +++++++++----------
 .../AcmeClient/forms/dialogAction.xml         |  4 +-
 .../OPNsense/Tor/forms/acl_exitpolicy.xml     |  2 +-
 3 files changed, 29 insertions(+), 31 deletions(-)

diff --git a/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/index.volt b/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/index.volt
index 8c96a0ec3..11a7e3e0c 100644
--- a/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/index.volt
+++ b/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/index.volt
@@ -1,31 +1,29 @@
 {#
-
-Copyright © 2018 by EURO-LOG AG
-Copyright (c) 2021 Deciso B.V.
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-1.  Redistributions of source code must retain the above copyright notice,
-this list of conditions and the following disclaimer.
-
-2.  Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
-#}
+ # Copyright (c) 2018 EURO-LOG AG
+ # Copyright (c) 2021 Deciso B.V.
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1. Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
 
 <script>
 
@@ -365,7 +363,7 @@ POSSIBILITY OF SUCH DAMAGE.
                 <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                 <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
                 <th data-column-id="type" data-type="string">{{ lang._('Type') }}</th>
-                <th data-column-id="listen_address" data-type="string">{{ lang._('Adress') }}</th>
+                <th data-column-id="listen_address" data-type="string">{{ lang._('Address') }}</th>
                 <th data-column-id="listen_startport" data-formatter="listen_port" data-type="string">{{ lang._('Port') }}</th>
                 <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
                 <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Edit') }} | {{ lang._('Delete') }}</th>
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
index 97d14b355..a2fb434eb 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
@@ -188,7 +188,7 @@
         <id>action.acme_synology_dsm_hostname</id>
         <label>Synology Hostname</label>
         <type>text</type>
-        <help>Hostname of IP adress of the Synology DSM, i.e. synology.example.com or 192.168.0.1.</help>
+        <help>Hostname of IP address of the Synology DSM, i.e. synology.example.com or 192.168.0.1.</help>
     </field>
     <field>
         <id>action.acme_synology_dsm_port</id>
@@ -340,7 +340,7 @@
         <id>action.acme_truenas_hostname</id>
         <label>TrueNAS hostname</label>
         <type>text</type>
-        <help>Hostname or IP adress of TrueNAS Core Server.</help>
+        <help>Hostname or IP address of TrueNAS Core Server.</help>
     </field>
     <field>
         <id>action.acme_truenas_scheme</id>
diff --git a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/forms/acl_exitpolicy.xml b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/forms/acl_exitpolicy.xml
index 0f1050ea7..6308f1b9f 100644
--- a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/forms/acl_exitpolicy.xml
+++ b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/forms/acl_exitpolicy.xml
@@ -15,7 +15,7 @@
     <id>exitpolicy.network</id>
     <label>Network</label>
     <type>text</type>
-    <help>Network on which this ACL is applied. Enter 'any' to use wildcard adressing.</help>
+    <help>Network on which this ACL is applied. Enter 'any' to use wildcard addressing.</help>
   </field>
   <field>
     <id>exitpolicy.startport</id>

From 2f4e63b03ba7688cf9541073ef242fc1dd2ff863 Mon Sep 17 00:00:00 2001
From: RasAlGhul <razzaguhl@gmail.com>
Date: Tue, 14 Jan 2025 10:51:41 +0100
Subject: [PATCH 25/50] net/freeradius: EAP-TLS with multiple CAs (#4381)

* controller eap: changed from dropdown to select_multiple

* model eap: add mulitple option to CertificateField type ca

* script generate_certs: Multiple comma-separated refid values are possible. Use explode() and process them with a foreach loop
---
 .../OPNsense/Freeradius/forms/eap.xml         |  2 +-
 .../app/models/OPNsense/Freeradius/Eap.xml    |  1 +
 .../scripts/Freeradius/generate_certs.php     | 26 +++++++++++--------
 3 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
index 843862089..cb032d2fc 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
@@ -20,7 +20,7 @@
     <field>
         <id>eap.ca</id>
         <label>Root Certificate</label>
-        <type>dropdown</type>
+        <type>select_multiple</type>
         <help>Choose the Root CA. This CA will be trusted to issue client certificates for authentication.</help>
     </field>
     <field>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
index c44c58ed3..991e9bd52 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
@@ -31,6 +31,7 @@
         <ca type="CertificateField">
             <Type>ca</Type>
             <Required>N</Required>
+            <multiple>Y</multiple>
         </ca>
         <certificate type="CertificateField">
             <Type>cert</Type>
diff --git a/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php b/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
index efb5eabd0..a55e822d0 100755
--- a/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
+++ b/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
@@ -80,17 +80,21 @@ if (isset($configObj->OPNsense->freeradius)) {
         $cert_refid = (string)$find_cert->ca;
         // if eap has a ca-certificate attached, search for its contents
         if ($cert_refid != "") {
-            foreach ($configObj->ca as $ca) {
-                if ($cert_refid == (string)$ca->refid) {
-                    // generate cert pem file
-                    $pem_content = trim(str_replace("\n\n", "\n", str_replace(
-                        "\r",
-                        "",
-                        base64_decode((string)$ca->crt)
-                    )));
-
-                    $pem_content .= "\n";
-                    $ca_pem_content .= $pem_content;
+            // multiple comma-separated refid values are possible
+            $cert_refids = explode(',', $cert_refid);
+            foreach ($cert_refids as $current_refid) {
+                foreach ($configObj->ca as $ca) {
+                    if ($current_refid == (string)$ca->refid) {
+                        // generate cert pem file
+                        $pem_content = trim(str_replace("\n\n", "\n", str_replace(
+                            "\r",
+                            "",
+                            base64_decode((string)$ca->crt)
+                        )));
+    
+                        $pem_content .= "\n";
+                        $ca_pem_content .= $pem_content;
+                    }
                 }
             }
         }

From 8cb288309e715948363dbd711c7f62e172d53d9e Mon Sep 17 00:00:00 2001
From: Martin Wasley <mjwasley@queens-park.com>
Date: Tue, 14 Jan 2025 10:57:20 +0000
Subject: [PATCH 26/50] Grid and Dashboard colour change (#4451)

Grid colour changes to improve readability
Dashboard cosmetic colour change for line.
---
 misc/theme-rebellion/Makefile                 |  2 +-
 .../themes/rebellion/build/css/dashboard.css  |  2 +-
 .../www/themes/rebellion/build/css/main.css   | 86 +++++++++----------
 3 files changed, 45 insertions(+), 45 deletions(-)

diff --git a/misc/theme-rebellion/Makefile b/misc/theme-rebellion/Makefile
index 4dbbe5585..c1628de98 100644
--- a/misc/theme-rebellion/Makefile
+++ b/misc/theme-rebellion/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-rebellion
-PLUGIN_VERSION=		1.9.1
+PLUGIN_VERSION=		1.9.2
 PLUGIN_COMMENT=		A suitably dark theme
 PLUGIN_MAINTAINER=	martin@queens-park.com
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/dashboard.css b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/dashboard.css
index 6f997d8a5..9ada40835 100644
--- a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/dashboard.css
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/dashboard.css
@@ -102,7 +102,7 @@ td {
     display: inline-block;
     height: 1px;
     width: 70%;
-    background: #121212;
+    background: #ea7105b8;
 	color: #f0f0f0;
     margin: 5px;
 }
diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css
index 90ee518d4..356ce50ac 100644
--- a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css
@@ -1121,7 +1121,7 @@ a.text-primary:hover {
   color: #b85904; }
 
 .text-success {
-  color: #7Ba255; }
+  color: #5b8a35; }
 
 a.text-success:hover {
   color: #628143; }
@@ -1152,7 +1152,7 @@ a.bg-primary:hover {
   background-color: #b85904; }
 
 .bg-success {
-  background-color: #7Ba255; }
+  background-color: #5b8a35; }
 
 a.bg-success:hover {
   background-color: #628143; }
@@ -1851,7 +1851,7 @@ pre {
 
 table {
   background-color: transparent;
-  color: #ccc; }
+  color: #f1f1f1; }
 
 th {
   text-align: left; }
@@ -1956,22 +1956,22 @@ table td[class*=col-], table th[class*=col-] {
   background-color: #3b3b3b; }
 
 .table > thead > tr > td.success, .table > thead > tr > th.success {
-  background-color: #7Ba255; }
+  background-color: #5b8a35; }
 
 .table > thead > tr.success > td, .table > thead > tr.success > th {
-  background-color: #7Ba255; }
+  background-color: #5b8a35; }
 
 .table > tbody > tr > td.success, .table > tbody > tr > th.success {
-  background-color: #7Ba255; }
+  background-color: #5b8a35; }
 
 .table > tbody > tr.success > td, .table > tbody > tr.success > th {
-  background-color: #7Ba255; }
+  background-color: #5b8a35; }
 
 .table > tfoot > tr > td.success, .table > tfoot > tr > th.success {
-  background-color: #7Ba255; }
+  background-color: #5b8a35; }
 
 .table > tfoot > tr.success > td, .table > tfoot > tr.success > th {
-  background-color: #7Ba255; }
+  background-color: #5b8a35; }
 
 .table-hover > tbody > tr > td.success:hover, .table-hover > tbody > tr > th.success:hover {
   background-color: #6e914c; }
@@ -2701,10 +2701,10 @@ textarea.input-lg {
   line-height: 30px; }
 
 .has-success .help-block, .has-success .control-label, .has-success .radio, .has-success .checkbox, .has-success .radio-inline, .has-success .checkbox-inline {
-  color: #7Ba255; }
+  color: #5b8a35; }
 
 .has-success .form-control {
-  border-color: #7Ba255;
+  border-color: #5b8a35;
   -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
   box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); }
   .has-success .form-control:focus {
@@ -2713,12 +2713,12 @@ textarea.input-lg {
     box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #aec895; }
 
 .has-success .input-group-addon {
-  color: #7Ba255;
-  border-color: #7Ba255;
-  background-color: #7Ba255; }
+  color: #5b8a35;
+  border-color: #5b8a35;
+  background-color: #5b8a35; }
 
 .has-success .form-control-feedback {
-  color: #7Ba255; }
+  color: #5b8a35; }
 
 .has-warning .help-block, .has-warning .control-label, .has-warning .radio, .has-warning .checkbox, .has-warning .radio-inline, .has-warning .checkbox-inline {
   color: #f0ad4e; }
@@ -3023,7 +3023,7 @@ fieldset[disabled] .btn-primary {
 
 .btn-success {
   color: #eee;
-  background-color: #7Ba255;
+  background-color: #5b8a35;
   border-color: #6e914c; }
   .btn-success:hover, .btn-success:focus, .btn-success:active, .btn-success.active {
     color: #eee;
@@ -3042,28 +3042,28 @@ fieldset[disabled] .btn-primary {
   background-image: none; }
 
 .btn-success.disabled {
-  background-color: #7Ba255;
+  background-color: #5b8a35;
   border-color: #6e914c; }
   .btn-success.disabled:hover, .btn-success.disabled:focus, .btn-success.disabled:active, .btn-success.disabled.active {
-    background-color: #7Ba255;
+    background-color: #5b8a35;
     border-color: #6e914c; }
 
 .btn-success[disabled] {
-  background-color: #7Ba255;
+  background-color: #5b8a35;
   border-color: #6e914c; }
   .btn-success[disabled]:hover, .btn-success[disabled]:focus, .btn-success[disabled]:active, .btn-success[disabled].active {
-    background-color: #7Ba255;
+    background-color: #5b8a35;
     border-color: #6e914c; }
 
 fieldset[disabled] .btn-success {
-  background-color: #7Ba255;
+  background-color: #5b8a35;
   border-color: #6e914c; }
   fieldset[disabled] .btn-success:hover, fieldset[disabled] .btn-success:focus, fieldset[disabled] .btn-success:active, fieldset[disabled] .btn-success.active {
-    background-color: #7Ba255;
+    background-color: #5b8a35;
     border-color: #6e914c; }
 
 .btn-success .badge {
-  color: #7Ba255;
+  color: #5b8a35;
   background-color: #eee; }
 
 .btn-info {
@@ -4444,7 +4444,7 @@ a.label:hover, a.label:focus {
     background-color: #b85904; }
 
 .label-success {
-  background-color: #7Ba255; }
+  background-color: #5b8a35; }
   .label-success[href]:hover, .label-success[href]:focus {
     background-color: #628143; }
 
@@ -4583,8 +4583,8 @@ a.thumbnail:hover, a.thumbnail:focus, a.thumbnail.active {
   color: inherit; }
 
 .alert-success {
-  background-color: #7Ba255;
-  border-color: #7Ba255;
+  background-color: #5b8a35;
+  border-color: #5b8a35;
   color: #485f32; }
   .alert-success hr {
     border-top-color: #6e914c; }
@@ -4683,7 +4683,7 @@ a.thumbnail:hover, a.thumbnail:focus, a.thumbnail.active {
   box-shadow: none; }
 
 .progress-bar-success {
-  background-color: #7Ba255; }
+  background-color: #5b8a35; }
 
 .progress-striped .progress-bar-success {
   background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
@@ -4823,24 +4823,24 @@ a.list-group-item {
     width: 3px; }
 
 .list-group-item-success {
-  color: #7Ba255;
-  background-color: #7Ba255; }
+  color: #5b8a35;
+  background-color: #5b8a35; }
 
 a.list-group-item-success {
-  color: #7Ba255; }
+  color: #5b8a35; }
   a.list-group-item-success .list-group-item-heading {
     color: inherit; }
   a.list-group-item-success:hover, a.list-group-item-success:focus {
-    color: #7Ba255;
+    color: #5b8a35;
     background-color: #6e914c; }
   a.list-group-item-success.active {
     color: #222;
-    background-color: #7Ba255;
-    border-color: #7Ba255; }
+    background-color: #5b8a35;
+    border-color: #5b8a35; }
     a.list-group-item-success.active:hover, a.list-group-item-success.active:focus {
       color: #222;
-      background-color: #7Ba255;
-      border-color: #7Ba255; }
+      background-color: #5b8a35;
+      border-color: #5b8a35; }
 
 .list-group-item-info {
   color: #ffffff;
@@ -5143,18 +5143,18 @@ a.list-group-item-danger {
     border-bottom-color: #EA7105; }
 
 .panel-success {
-  border-color: #7Ba255; }
+  border-color: #5b8a35; }
   .panel-success > .panel-heading {
-    color: #7Ba255;
-    background-color: #7Ba255;
-    border-color: #7Ba255; }
+    color: #5b8a35;
+    background-color: #5b8a35;
+    border-color: #5b8a35; }
     .panel-success > .panel-heading + .panel-collapse > .panel-body {
-      border-top-color: #7Ba255; }
+      border-top-color: #5b8a35; }
     .panel-success > .panel-heading .badge {
-      color: #7Ba255;
-      background-color: #7Ba255; }
+      color: #5b8a35;
+      background-color: #5b8a35; }
   .panel-success > .panel-footer + .panel-collapse > .panel-body {
-    border-bottom-color: #7Ba255; }
+    border-bottom-color: #5b8a35; }
 
 .panel-info {
   border-color: #3b488e; }

From feccd9ce21d3a00808c72f9f04a539cf863776f3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 14 Jan 2025 13:48:57 +0100
Subject: [PATCH 27/50] LICENSE: sync

---
 LICENSE | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/LICENSE b/LICENSE
index 5c3d5ae4b..5264977a0 100644
--- a/LICENSE
+++ b/LICENSE
@@ -7,14 +7,14 @@ Copyright (c) 2021 Andreas Stuerz
 Copyright (c) 2021 Axelrtgs
 Copyright (c) 2023 Bernhard Frenking <bernhard@frenking.eu>
 Copyright (c) 2023 Cannon Matthews <cannonmatthews@google.com>
-Copyright (c) 2023-2024 Cedrik Pischem
+Copyright (c) 2023-2025 Cedrik Pischem
 Copyright (c) 2019 Cloudfence - Julio Camargo (JCC)
 Copyright (c) 2005-2006 Colin Smith <ethethlay@gmail.com>
 Copyright (c) 2021 Dan Lundqvist
 Copyright (c) 2021 David Berry
 Copyright (c) 2017-2018 David Harrigan
 Copyright (c) 2021 David Hughes
-Copyright (c) 2014-2024 Deciso B.V.
+Copyright (c) 2014-2025 Deciso B.V.
 Copyright (c) 2020 devNan0 <nan0@nan0.dev>
 Copyright (c) 2023 Dmitry Shinkaruk
 Copyright (c) 2024 DollarSign23
@@ -25,7 +25,7 @@ Copyright (c) 2017-2020 Fabian Franz
 Copyright (c) 2019 Felix Matouschek <felix@matouschek.org>
 Copyright (c) 2024 Francisco Dimattia <info@tecnoservicio.com.ar>
 Copyright (c) 2014-2024 Franco Fichtner <franco@opnsense.org>
-Copyright (c) 2016-2024 Frank Wall
+Copyright (c) 2016-2025 Frank Wall
 Copyright (c) 2021 Github-jjw
 Copyright (c) 2023 Greg Glockner <greg@glockners.net>
 Copyright (c) 2024 Hasan Ucak <hasan@sunnyvalley.io>
@@ -51,7 +51,7 @@ Copyright (c) 2022 Marvo2011
 Copyright (c) 2017-2024 Michael Muenz <m.muenz@gmail.com>
 Copyright (c) 2024 Michał Brzeziński
 Copyright (c) 2024 Mike Shuey
-Copyright (c) 2023 Mikhail Kharisov
+Copyright (c) 2023-2024 Mikhail Kharisov
 Copyright (c) 2023 mleinart
 Copyright (c) 2024 MVZ Labor Ludwigsburg GbR
 Copyright (c) 2021-2024 Nicola Pellegrini
@@ -72,6 +72,7 @@ Copyright (c) 2020 Starkstromkonsument
 Copyright (c) 2023-2024 Thomas Cekal <thomas@cekal.org>
 Copyright (c) 2020 Tobias Boehnert
 Copyright (c) 2024 txr13
+Copyright (c) 2024 W516
 Copyright (c) 2022 Wouter Deurholt
 Copyright (c) 2015 YoungJoo.Kim <vozltx@gmail.com>
 All rights reserved.

From f76eecd3b7c452af238067a4742c7417e172c49b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 14 Jan 2025 14:49:42 +0100
Subject: [PATCH 28/50] net/freeradius: new version

---
 net/freeradius/Makefile                               |  2 +-
 net/freeradius/pkg-descr                              | 11 +++++++----
 .../opnsense/scripts/Freeradius/generate_certs.php    |  2 +-
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index d9db167fa..b40352f96 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.9.26
+PLUGIN_VERSION=		1.9.27
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index d8aef153f..66640e76e 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -11,13 +11,19 @@ security, particularly in the academic community, including eduroam.
 
 The server is fast, feature-rich, modular, and scalable.
 
+WWW: https://www.freeradius.org
+
 
 Plugin Changelog
 ================
 
+1.9.27
+
+* Allow EAP-TLS with multiple CAs (contributed by RasAlGhul)
+
 1.9.26
 
-* Added support for `require_message_authenticator` in client configuration (contributed by Patrick M. Hausen)
+* Added support for "require_message_authenticator" in client configuration (contributed by Patrick M. Hausen)
 
 1.9.25
 
@@ -119,6 +125,3 @@ Plugin Changelog
 * Add DHCP support, serving only for DHCP relays
 * Allow usage of remote MySQL server
 * Rework service status UI
-
-
-WWW: https://www.freeradius.org
diff --git a/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php b/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
index a55e822d0..e68d95971 100755
--- a/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
+++ b/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
@@ -91,7 +91,7 @@ if (isset($configObj->OPNsense->freeradius)) {
                             "",
                             base64_decode((string)$ca->crt)
                         )));
-    
+
                         $pem_content .= "\n";
                         $ca_pem_content .= $pem_content;
                     }

From dffc5ecc6ba3892f59efbdd015dc968f52cc1a94 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 14 Jan 2025 14:54:34 +0100
Subject: [PATCH 29/50] www/squid: new version

---
 www/squid/Makefile  | 3 +--
 www/squid/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/www/squid/Makefile b/www/squid/Makefile
index 67b5f77f7..30e2f86cd 100644
--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		squid
-PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	4
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		Squid is a caching proxy for the web
 PLUGIN_DEPENDS=		squid squid-langpack
 PLUGIN_TIER=		2
diff --git a/www/squid/pkg-descr b/www/squid/pkg-descr
index ba32c194e..3ffe8644c 100644
--- a/www/squid/pkg-descr
+++ b/www/squid/pkg-descr
@@ -5,6 +5,10 @@ content serving applications.
 Plugin Changelog
 ================
 
+1.1
+
+* Syslog corrections and implementation of "workers" (contributed by Andy Binder)
+
 1.0
 
 * Initial version based on the OPNsense 23.7.12 core code

From e195b2e49bcd26f895562d66933bf5da816548b2 Mon Sep 17 00:00:00 2001
From: Andy Binder <AndyBinder@gmx.de>
Date: Thu, 16 Jan 2025 11:00:57 +0100
Subject: [PATCH 30/50] www/squid: Regex + hint (#4470)

---
 .../opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml | 3 ++-
 .../service/templates/OPNsense/Syslog/local/squid_access.conf  | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
index 7671a7f47..998bd76b4 100644
--- a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
@@ -343,7 +343,8 @@
                 <id>proxy.forward.workers</id>
                 <label>Number of squid workers</label>
                 <type>text</type>
-                <help>Start N main Squid process daemons (i.e., SMP mode). Requires Restart. Default: 1</help>
+                <help>Start N main Squid process daemons (i.e., SMP mode). Requires Restart. Do not enable when using local cache.</help>
+                <hint>1</hint>
                 <advanced>true</advanced>
             </field>
             <field>
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Syslog/local/squid_access.conf b/www/squid/src/opnsense/service/templates/OPNsense/Syslog/local/squid_access.conf
index 159dcb563..1b81f08a7 100644
--- a/www/squid/src/opnsense/service/templates/OPNsense/Syslog/local/squid_access.conf
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Syslog/local/squid_access.conf
@@ -2,5 +2,5 @@
 # Local syslog-ng configuration filter definition [squid_access].
 ###################################################################
 filter f_local_squid_access {
-    program("^(squid-|squid-coord-)\\d+");
+    program("squid-*");
 };

From 38b1c6815bb348b5261339803689c16eb760e684 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 16 Jan 2025 12:28:20 +0100
Subject: [PATCH 31/50] wwww/squid: bump and fix model default not used

---
 www/squid/Makefile                                             | 1 +
 www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/squid/Makefile b/www/squid/Makefile
index 30e2f86cd..a70692d4f 100644
--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		squid
 PLUGIN_VERSION=		1.1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Squid is a caching proxy for the web
 PLUGIN_DEPENDS=		squid squid-langpack
 PLUGIN_TIER=		2
diff --git a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
index 1c04b1f6b..3d77eabfe 100644
--- a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+++ b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -283,7 +283,6 @@
               <ValidationMessage>Please enter ip addresses or domain names here</ValidationMessage>
             </sslnobumpsites>
             <workers type="IntegerField">
-              <Default>1</Default>
               <MinimumValue>1</MinimumValue>
               <MaximumValue>100</MaximumValue>
               <ValidationMessage>worker number needs to be an integer value between 1 and 100</ValidationMessage>

From 3b8d735a9276ca7ec5393f002d6174bec90b88fd Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 16 Jan 2025 14:25:12 +0100
Subject: [PATCH 32/50] www/caddy: fix sort of a typo here

---
 www/caddy/pkg-descr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index f7217f7f6..65e926dd6 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -15,7 +15,7 @@ Plugin Changelog
 
 1.8.0
 
-* Build: Update to caddy-v2.9.0 and update dependencies (opnsense/plugins/issues/4437)
+* Build: Update Caddy to version 2.9.x and update dependencies (opnsense/plugins/issues/4437)
 * Build: Fix caddy-l4 timeout issue (opnsense/plugins/issues/4384)
 * Build: Mark DNS Providers optional that are not included per default (opnsense/plugins/pull/4441)
          digitalocean, route53, googleclouddns, netlify, ddnss, njalla, tencentcloud

From 98b20bcc82031a3e0aab4430195c755ce05edf9e Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 17 Jan 2025 14:42:32 +0100
Subject: [PATCH 33/50] www/caddy: Add persistent banner notification if custom
 imports are used. (#4476)

---
 .../System/Status/CaddyOverrideStatus.php     | 54 +++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 www/caddy/src/opnsense/mvc/app/library/OPNsense/System/Status/CaddyOverrideStatus.php

diff --git a/www/caddy/src/opnsense/mvc/app/library/OPNsense/System/Status/CaddyOverrideStatus.php b/www/caddy/src/opnsense/mvc/app/library/OPNsense/System/Status/CaddyOverrideStatus.php
new file mode 100644
index 000000000..742adbac1
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/library/OPNsense/System/Status/CaddyOverrideStatus.php
@@ -0,0 +1,54 @@
+<?php
+/*
+ * Copyright (C) 2025 Cedrik Pischem
+ * Copyright (C) 2025 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\System\Status;
+
+use OPNsense\System\AbstractStatus;
+use OPNsense\System\SystemStatusCode;
+
+class CaddyOverrideStatus extends AbstractStatus
+{
+    public function __construct()
+    {
+        $this->internalPriority = 2;
+        $this->internalPersistent = true;
+        $this->internalIsBanner = true;
+        $this->internalTitle = gettext('Caddy config override');
+        $this->internalScope = [
+            '/ui/caddy/layer4',
+            '/ui/caddy/diagnostics',
+            '/ui/caddy/reverse_proxy',
+            '/ui/caddy/general'
+        ];
+
+        if (count(glob('/usr/local/etc/caddy/caddy.d/*.*'))) {
+            $this->internalMessage = gettext('Custom configuration imports exist in "/usr/local/etc/caddy/caddy.d/".');
+            $this->internalStatus = SystemStatusCode::NOTICE;
+        }
+    }
+}

From 84aa445f5cc7ee8623d22fe3d73c1cd678fa62c3 Mon Sep 17 00:00:00 2001
From: abrychcy <abrychcy@users.noreply.github.com>
Date: Fri, 17 Jan 2025 23:22:10 +0100
Subject: [PATCH 34/50] security/acme-client: fix export of ca certs for SFTP
 upload

export correct array element for ca certs. fixes #4477
---
 .../src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
index f5e00cc85..2f42e46e5 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
@@ -532,7 +532,7 @@ function exportCertificates(array $cert_refids): array
             $item["key"] = $_tmp["prv"];
             // check if a CA is linked
             if (!empty((string)$cert->caref)) {
-                $item['ca'] = $_tmp['ca'];
+                $item['ca'] = $_tmp['ca']['crt'];
 
                 // combine files to export a fullchain.pem
                 $item["fullchain"] = $item["cert"] . $item["ca"];

From 22939ae2fc74ac938525c4ee165afc4679238c43 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 19 Jan 2025 12:09:51 +0100
Subject: [PATCH 35/50] security/acme-client: bump version

---
 security/acme-client/Makefile  | 2 +-
 security/acme-client/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index e431857ae..f750997c0 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		4.7
+PLUGIN_VERSION=		4.8
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 1536c9c9c..8dd171559 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+4.8
+
+Fixed:
+* SFTP automation unable to transfer certs (#4477)
+
 4.7
 
 Added:

From c4e2f2559f7976c31fdce85567b756a60ea057f8 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 19 Jan 2025 12:31:47 +0100
Subject: [PATCH 36/50] security/acme-client: add note regarding OCSP support

---
 security/acme-client/pkg-descr                             | 7 +++++++
 .../OPNsense/AcmeClient/forms/dialogCertificate.xml        | 6 +++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 8dd171559..5d07a9eae 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -10,6 +10,13 @@ Plugin Changelog
 
 4.8
 
+BREAKING CHANGE: Let's Encrypt ends support for the OCSP Must Staple
+extension on 30.01.2025. Issuance requests will fail if this option is
+still enabled past this date.
+
+Changed:
+* Add note regarding the support of OCSP
+
 Fixed:
 * SFTP automation unable to transfer certs (#4477)
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
index ddeda0b17..703b67d98 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
@@ -68,11 +68,15 @@
         <type>dropdown</type>
         <help><![CDATA[Specify the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384.]]></help>
     </field>
+    <field>
+        <label><![CDATA[NOTE: OCSP is not supported by all CAs.]]></label>
+        <type>info</type>
+    </field>
     <field>
         <id>certificate.ocsp</id>
         <label>OCSP Must Staple</label>
         <type>checkbox</type>
-        <help>Generate and add OCSP Must Staple extension to the certificate.</help>
+        <help>Generate and add OCSP Must Staple extension to the certificate. When this option is enabled and issueance/renewal requests fail, then this extension is probably not supported by the CA.</help>
     </field>
     <field>
         <label>Advanced Settings</label>

From e2aa9e1dc5ee5d6f83d327356af4a931ef77d57b Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 20 Jan 2025 11:29:37 +0100
Subject: [PATCH 37/50] www/caddy: Disable HTTP/3 to mitigate status 400 issue
 when reverse proxying the OPNsense WebGUI (#4482)

---
 www/caddy/Makefile                                        | 1 +
 www/caddy/pkg-descr                                       | 1 +
 .../mvc/app/controllers/OPNsense/Caddy/forms/general.xml  | 6 +++---
 .../src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml  | 8 ++++----
 .../opnsense/service/templates/OPNsense/Caddy/Caddyfile   | 2 +-
 5 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 4264cd9b0..ebfe26f13 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		caddy
 PLUGIN_VERSION=		1.8.0
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 65e926dd6..716a22aa4 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -22,6 +22,7 @@ Plugin Changelog
          dinahosting, civo, easydns, hosttech; must be added via https://caddyserver.com/docs/command-line#caddy-add-package
 * Cleanup: Refactor caddy.inc and add syslog function, change name from Caddy Web Server to Caddy (opnsense/plugins/issues/4426)
 * Cleanup: Some small UI tweaks (opnsense/plugins/pull/4442)
+* Change: Disable HTTP/3 to mitigate status 400 issue when reverse proxying the OPNsense WebGUI (opnsense/plugins/issues/4471)
 
 1.7.6
 
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index 488c9aeb2..60d604eaf 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -33,10 +33,10 @@
             <help><![CDATA[Run this service as "www" user and group, instead of "root". This setting increases security, but comes with the hard restriction that the well-known port range can not be used anymore. After enabling and saving this setting, the service has to be totally restarted. For this, please disable Caddy and press Apply. Afterwards enable Caddy and press Apply. This setting is reversible by following the same steps.]]></help>
         </field>
         <field>
-            <id>caddy.general.HttpVersion</id>
-            <label>HTTP Version</label>
+            <id>caddy.general.HttpVersions</id>
+            <label>HTTP Versions</label>
             <type>select_multiple</type>
-            <help><![CDATA[Select the HTTP Version for the frontend listeners. By default, QUIC (HTTP/3) is enabled. This means, UDP/443 will be used by Caddy. To free this protocol port combination for a different service, choose a different combination of protocols that does not include HTTP/3.]]></help>
+            <help><![CDATA[Select the HTTP versions for the frontend listeners. By default, QUIC (HTTP/3) is disabled.]]></help>
         </field>
         <field>
             <id>caddy.general.HttpPort</id>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 5fd4bf000..70f09cc37 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//Pischem/caddy</mount>
     <description>Caddy Reverse Proxy</description>
-    <version>1.3.3</version>
+    <version>1.3.4</version>
     <items>
         <general>
             <enabled type="BooleanField">
@@ -98,16 +98,16 @@
                 <ValidationMessage>Please enter a valid Grace Period between 1 and 20 seconds.</ValidationMessage>
                 <Required>Y</Required>
             </GracePeriod>
-            <HttpVersion type="OptionField">
+            <HttpVersions type="OptionField">
                 <Required>Y</Required>
-                <Default>h1,h2,h3</Default>
+                <Default>h1,h2</Default>
                 <Multiple>Y</Multiple>
                 <OptionValues>
                     <h1>HTTP/1.1</h1>
                     <h2>HTTP/2</h2>
                     <h3>HTTP/3</h3>
                 </OptionValues>
-            </HttpVersion>
+            </HttpVersions>
             <LogCredentials type="BooleanField"/>
             <LogAccessPlain type="BooleanField"/>
             <LogAccessPlainKeep type="IntegerField">
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 320eb8619..1e452f62c 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -81,7 +81,7 @@
     {% endif %}
 
     servers {
-        protocols {{ generalSettings.HttpVersion.split(',') | join(' ') }}
+        protocols {{ generalSettings.HttpVersions.split(',') | join(' ') }}
         {% if accessList %}
             trusted_proxies static {{ accessList.clientIps.split(',') | join(' ') }}
         {% endif %}

From dc225a57dde2aef7c9068a2d7d577d5dd918fa3f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Eirik=20=C3=98verby?= <ltning-github@anduin.net>
Date: Mon, 20 Jan 2025 19:17:03 +0100
Subject: [PATCH 38/50] www/nginx: Add basic support for forced caching (#4481)

---
 .../mvc/app/controllers/OPNsense/Nginx/forms/location.xml  | 7 +++++++
 .../src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml   | 3 +++
 .../service/templates/OPNsense/Nginx/location.conf         | 3 +++
 3 files changed, 13 insertions(+)

diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
index c5ad99827..d6ee67abb 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
@@ -96,6 +96,13 @@
     <advanced>true</advanced>
     <help>Enter how often the resource must be hit before adding it to the cache.</help>
   </field>
+  <field>
+    <id>location.cache_valid</id>
+    <label>Cache: Force caching time</label>
+    <type>text</type>
+    <advanced>true</advanced>
+    <help>Force caching of 200, 301 and 302 responses according to the request methods enabled for caching. Given in minutes; leave empty to rely on request/response headers from client and upstream.</help>
+  </field>
   <field>
     <id>location.cache_background_update</id>
     <label>Cache: Background Update</label>
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index 7c0e82167..22f15d3ff 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -349,6 +349,9 @@
         <Required>Y</Required>
         <default>1</default>
       </cache_min_uses>
+      <cache_valid type="IntegerField">
+        <Required>N</Required>
+      </cache_valid>
       <cache_background_update type="BooleanField">
         <Required>Y</Required>
         <default>0</default>
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
index 80f2d3b02..9f9b57603 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@@ -142,6 +142,9 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
     proxy_cache {{ location.cache_path.replace('-', '') }};
 {%   if location.cache_use_stale is defined and location.cache_use_stale != '' %}
     proxy_cache_use_stale  {{ location.cache_use_stale.replace(',', ' ') }};
+{%   endif %}
+{%   if location.cache_valid is defined and location.cache_valid != '' %}
+    proxy_cache_valid  {{ location.cache_valid }}m;
 {%   endif %}
     proxy_cache_min_uses {{ location.cache_min_uses|default('1') }};
     proxy_cache_background_update {% if location.cache_background_update is defined and location.cache_background_update == '1' %}on{% else %}off{% endif %};

From 305af347b831d068dc6ee7b8eb1e2489afb5560b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 21 Jan 2025 09:25:51 +0100
Subject: [PATCH 39/50] www/nginx: bump revision

---
 www/nginx/Makefile  | 2 +-
 www/nginx/pkg-descr | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 9da0cf112..0b7db7007 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.34
-PLUGIN_REVISION=	5
+PLUGIN_REVISION=	6
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 35f74a4e0..464215e46 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -16,6 +16,7 @@ Plugin Changelog
 * Remove obsolete http2_push_preload directive
 * Migrate from the deprecated 'listen … http2' directive to the 'http2' directive
 * Limit CSP log file size (migration notice: if you want to keep CSP violations logged, you will need to enable logging in the security policy)
+* Add basic support for forced caching (contributed by Eirik Øverby)
 
 1.33
 

From 104fc7a12fcc4d262acb0dfa0e365e6aa0d0751e Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 21 Jan 2025 16:30:08 +0100
Subject: [PATCH 40/50] net/relayd - regression in controller refactor
 (https://github.com/opnsense/core/issues/6389).

As StatusController->toggleAction creates an instance of ServiceController, it needs to pass $request in order to check for isPost().
---
 .../app/controllers/OPNsense/Relayd/Api/StatusController.php  | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php
index 40c1a3134..d2a8b0d5d 100644
--- a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php
+++ b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php
@@ -224,7 +224,9 @@ class StatusController extends ApiControllerBase
                 $relaydMdl->serializeToConfig();
                 Config::getInstance()->save();
                 // invoke service controller
-                return (new ServiceController())->reconfigureAction();
+                $srv = new ServiceController();
+                $srv->request = $this->request;
+                return $srv->reconfigureAction();
             }
         }
         return $result;

From 600b364b1174c127e01a167d9769725eaf7442ab Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 22 Jan 2025 08:25:49 +0100
Subject: [PATCH 41/50] net/relayd: bump revision

---
 net/relayd/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/relayd/Makefile b/net/relayd/Makefile
index bb65570d6..9abfcd222 100644
--- a/net/relayd/Makefile
+++ b/net/relayd/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		relayd
 PLUGIN_VERSION=		2.9
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		relayd
 PLUGIN_COMMENT=		Relayd Load Balancer
 PLUGIN_MAINTAINER=	frank.brendel@eurolog.com

From 2b17488006fa02fd238fbb9b0bb721cc1a9bd2e1 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 22 Jan 2025 09:25:21 +0100
Subject: [PATCH 42/50] plugins: switch to 25.1 as the default

---
 Mk/defaults.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index f6a290862..cb5cc80e9 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -45,7 +45,7 @@ VERSIONBIN=	${LOCALBASE}/sbin/opnsense-version
 _PLUGIN_ABI!=	${VERSIONBIN} -a
 PLUGIN_ABI?=	${_PLUGIN_ABI}
 .else
-PLUGIN_ABI?=	24.7
+PLUGIN_ABI?=	25.1
 .endif
 
 PLUGIN_MAINS=	master main

From 8606b3572dfb3b1ba11c63fe6c69e6cded472c29 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Thu, 23 Jan 2025 07:36:46 +0000
Subject: [PATCH 43/50] dns/ddclient: Add support for altering IPv6 addresses
 in ddclient plugin (#4497)

* Add support for altering IPv6 addresses in ddclient plugin

* Refactoring of checkip

* dns/ddclient - minor cleanups for https://github.com/opnsense/plugins/pull/4491

* simplify network / host concat a bit
* add try...except for the curl fetch in case the other end doesn't return a valid address
* extend form help text for "Dynamic ipv6 host" a bit

---------

Co-authored-by: SaarLAN-Pissbeutel <183202051+SaarLAN-Pissbeutel@users.noreply.github.com>
Co-authored-by: Marc Philippi <mphilippi@t-online.de>
---
 .../OPNsense/DynDNS/forms/dialogAccount.xml   |  7 +++++
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.xml |  5 +++
 .../scripts/ddclient/lib/account/__init__.py  |  3 +-
 .../opnsense/scripts/ddclient/lib/address.py  | 31 ++++++++++++++++---
 .../templates/OPNsense/ddclient/ddclient.json |  1 +
 5 files changed, 42 insertions(+), 5 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
index b47b38dda..eb0fb768e 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
@@ -91,6 +91,13 @@
         <label>Interface to monitor</label>
         <type>dropdown</type>
     </field>
+    <field>
+        <id>account.dynipv6host</id>
+        <label>Dynamic ipv6 host</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Swap the interface identifier of the ipv6 address with the given partial ipv6 address (the least significant 64 bits of the address)</help>
+    </field>
     <field>
         <id>account.checkip_timeout</id>
         <label>Check ip timeout</label>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 0888c87ac..600e17517 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -165,6 +165,11 @@
                         </check001>
                     </Constraints>
                 </checkip>
+                <dynipv6host type="TextField">
+                    <Required>N</Required>
+                    <mask>/^::(([0-9a-fA-F]{1,4}:){0,3}[0-9a-fA-F]{1,4})?$/u</mask>
+                    <ValidationMessage>Entry is not a valid partial ipv6 address definition (e.g. ::1000).</ValidationMessage>
+                </dynipv6host>
                 <checkip_timeout type="IntegerField">
                     <Default>10</Default>
                     <Required>Y</Required>
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
index 4c3716b95..7b600eb57 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
@@ -118,7 +118,8 @@ class BaseAccount:
             service = self.settings.get('checkip'),
             proto = 'https' if self.settings.get('force_ssl', False) else 'http',
             timeout = str(self.settings.get('checkip_timeout', '10')),
-            interface = self.settings['interface'] if self.settings.get('interface' ,'').strip() != '' else None
+            interface = self.settings['interface'] if self.settings.get('interface' ,'').strip() != '' else None,
+            dynipv6host = self.settings['dynipv6host'] if self.settings.get('dynipv6host' ,'').strip() != '' else None
         )
 
         if self._current_address == None:
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
index 5618d9aeb..d1dc1c6ab 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
@@ -1,5 +1,5 @@
 """
-    Copyright (c) 2022-2023 Ad Schellevis <ad@opnsense.org>
+    Copyright (c) 2022-2025 Ad Schellevis <ad@opnsense.org>
     All rights reserved.
 
     Redistribution and use in source and binary forms, with or without
@@ -67,11 +67,29 @@ def extract_address(host, txt):
     return ""
 
 
-def checkip(service, proto='https', timeout='10', interface=None):
+def transform_ip(ip, ipv6host=None):
+    """ Changes ipv6 addresses if interface identifier is given
+        :param ip: ip address
+        :param ipv6host: 64 bit interface identifier
+        :return ipaddress.IPv4Address|ipaddress.IPv6Address
+        :raises ValueError: If the input can not be converted to an IPaddress
+    """
+    if ipv6host and ip.find(':') > 0:
+        # extract 64 bit long prefix and add ipv6host [64]bits
+        return ipaddress.ip_address(
+            ipaddress.ip_network("%s/64" % ip, strict=False).network_address.exploded[0:19] +
+            ipaddress.ip_address(ipv6host).exploded[19:]
+        )
+    else:
+        return ipaddress.ip_address(ip)
+
+
+def checkip(service, proto='https', timeout='10', interface=None, dynipv6host=None):
     """ find ip address using external services defined in checkip_service_list
         :param proto: protocol
         :param timeout: timeout in seconds
         :param interface: bind to interface
+        :param dynipv6host: optional partial ipv6 address
         :return: str
     """
     if service.startswith('web_'):
@@ -84,8 +102,13 @@ def checkip(service, proto='https', timeout='10', interface=None):
             params.append(interface)
         url = checkip_service_list[service] % proto
         params.append(url)
-        return extract_address(urlparse(url).hostname,
+        extracted_address = extract_address(urlparse(url).hostname,
             subprocess.run(params, capture_output=True, text=True).stdout)
+        try:
+            return str(transform_ip(extracted_address, dynipv6host))
+        except ValueError:
+            # invalid address
+            return ""
     elif service in ['if', 'if6'] and interface is not None:
         # return first non private IPv[4|6] interface address
         ifcfg = subprocess.run(['/sbin/ifconfig', interface], capture_output=True, text=True).stdout
@@ -94,7 +117,7 @@ def checkip(service, proto='https', timeout='10', interface=None):
                 parts = line.split()
                 if (parts[0] == 'inet' and service == 'if') or (parts[0] == 'inet6' and service == 'if6'):
                     try:
-                        address = ipaddress.ip_address(parts[1])
+                        address = transform_ip(parts[1], dynipv6host)
                         if address.is_global:
                             return str(address)
                     except ValueError:
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.json b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.json
index 79cf6fbbd..4a2cc7a85 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.json
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.json
@@ -22,6 +22,7 @@
             "zone": "{{ account.zone }}",
             "checkip": "{{ account.checkip }}",
             "interface": "{% if account.interface %}{{physical_interface(account.interface)}}{% endif %}",
+            "dynipv6host": "{{ account.dynipv6host }}",
             "checkip_timeout": {{ account.checkip_timeout }},
             "force_ssl": {{ "true" if account.force_ssl == '1' else "false"}},
             "ttl": "{{ account.ttl }}",

From 97e87d12902cfc536fc4103b7337154bfc3feba5 Mon Sep 17 00:00:00 2001
From: Monviech <gitacc@pischem.com>
Date: Thu, 23 Jan 2025 09:01:36 +0000
Subject: [PATCH 44/50] www/caddy: Adjust status banner for
 https://github.com/opnsense/core/commit/cfdd2749794c1. Address some former
 feedback at same time.

---
 .../OPNsense/System/Status/CaddyOverrideStatus.php       | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/library/OPNsense/System/Status/CaddyOverrideStatus.php b/www/caddy/src/opnsense/mvc/app/library/OPNsense/System/Status/CaddyOverrideStatus.php
index 742adbac1..0acbacf7b 100644
--- a/www/caddy/src/opnsense/mvc/app/library/OPNsense/System/Status/CaddyOverrideStatus.php
+++ b/www/caddy/src/opnsense/mvc/app/library/OPNsense/System/Status/CaddyOverrideStatus.php
@@ -45,9 +45,14 @@ class CaddyOverrideStatus extends AbstractStatus
             '/ui/caddy/reverse_proxy',
             '/ui/caddy/general'
         ];
+    }
 
-        if (count(glob('/usr/local/etc/caddy/caddy.d/*.*'))) {
-            $this->internalMessage = gettext('Custom configuration imports exist in "/usr/local/etc/caddy/caddy.d/".');
+    public function collectStatus()
+    {
+        if (count(glob('/usr/local/etc/caddy/caddy.d/*'))) {
+            $this->internalMessage = gettext(
+                'The configuration contains manual overwrites, these may interfere with the settings configured here.'
+            );
             $this->internalStatus = SystemStatusCode::NOTICE;
         }
     }

From c206ed2c00de56cadf9a06b638257d5e120b26c3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 23 Jan 2025 10:09:51 +0100
Subject: [PATCH 45/50] www/caddy: revision to force reinstall

---
 www/caddy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index ebfe26f13..d876e47e5 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		caddy
 PLUGIN_VERSION=		1.8.0
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com

From 3cec3a107188496e45bbf79c1e50b66c2833522e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20=F0=9F=A6=84?=
 <43847817+codiflow@users.noreply.github.com>
Date: Thu, 23 Jan 2025 23:39:36 +0100
Subject: [PATCH 46/50] Fixing non-existing path

---
 .../opnsense/service/templates/OPNsense/Maltrail/maltrail.conf  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
index fcd0dd102..33a2170c4 100644
--- a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
+++ b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
@@ -36,7 +36,7 @@ SYSLOG_SERVER {{ OPNsense.maltrail.sensor.syslogserver }}:{{ OPNsense.maltrail.s
 {% endif %}
 
 SENSOR_NAME $HOSTNAME
-CUSTOM_TRAILS_DIR /usr/local/maltrail/trails/custom/
+CUSTOM_TRAILS_DIR /usr/local/share/maltrail/trails/custom/
 PROCESS_COUNT $CPU_CORES
 DISABLE_CPU_AFFINITY false
 USE_FEED_UPDATES true

From 7745e63d0f43813ed74ef0a40a4f24728ee6bc81 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 24 Jan 2025 09:47:17 +0100
Subject: [PATCH 47/50] www/caddy: Add copy_headers selectpicker to Auth
 Provider tab. Authorization header added. (#4496)

---
 www/caddy/Makefile                            |  3 +--
 www/caddy/pkg-descr                           |  6 ++++++
 .../OPNsense/Caddy/forms/general.xml          |  7 +++++++
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   | 21 +++++++++++++++++++
 .../OPNsense/Caddy/includeAuthProvider        | 12 +++++++++--
 5 files changed, 45 insertions(+), 4 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index d876e47e5..0a03f1284 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.8.0
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.8.1
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 716a22aa4..c9583ba43 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -13,6 +13,12 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+1.8.1
+
+* Add: Optional "Authorization" header to forward_auth (opnsense/plugins/issues/4488)
+* Add: Persistent banner notification if custom imports are used (opnsense/plugins/issues/4244)
+* Cleanup: Implement reusable grid template in views (opnsense/plugins/pull/4454)
+
 1.8.0
 
 * Build: Update Caddy to version 2.9.x and update dependencies (opnsense/plugins/issues/4437)
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index 60d604eaf..ca6b843ec 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -227,6 +227,13 @@
             <type>text</type>
             <help><![CDATA[Enter the URI of the authz api endpoint.]]></help>
         </field>
+        <field>
+            <id>caddy.general.AuthCopyHeaders</id>
+            <label>Copy Headers</label>
+            <type>select_multiple</type>
+            <style>selectpicker</style>
+            <help><![CDATA[If nothing is selected, the correct default headers for the chosen provider will be used. If you change the default, you must select the required headers manually. "copy_headers" is a list of HTTP header fields to copy from the response to the original request, when the request has a success status code.]]></help>
+        </field>
     </tab>
     <activetab>general-settings</activetab>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 70f09cc37..49bd641f3 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -167,6 +167,27 @@
                 <Mask>/^(\/.*)?$/u</Mask>
                 <ValidationMessage>Please enter a valid 'URI' that starts with '/'.</ValidationMessage>
             </AuthToUri>
+            <AuthCopyHeaders type="OptionField">
+                <Multiple>Y</Multiple>
+                <OptionValues>
+                    <Authorization>Authorization</Authorization>
+                    <Remote-User>Remote-User</Remote-User>
+                    <Remote-Groups>Remote-Groups</Remote-Groups>
+                    <Remote-Name>Remote-Name</Remote-Name>
+                    <Remote-Email>Remote-Email</Remote-Email>
+                    <X-Authentik-Username>X-Authentik-Username</X-Authentik-Username>
+                    <X-Authentik-Groups>X-Authentik-Groups</X-Authentik-Groups>
+                    <X-Authentik-Email>X-Authentik-Email</X-Authentik-Email>
+                    <X-Authentik-Name>X-Authentik-Name</X-Authentik-Name>
+                    <X-Authentik-Uid>X-Authentik-Uid</X-Authentik-Uid>
+                    <X-Authentik-Jwt>X-Authentik-Jwt</X-Authentik-Jwt>
+                    <X-Authentik-Meta-Jwks>X-Authentik-Meta-Jwks</X-Authentik-Meta-Jwks>
+                    <X-Authentik-Meta-Outpost>X-Authentik-Meta-Outpost</X-Authentik-Meta-Outpost>
+                    <X-Authentik-Meta-Provider>X-Authentik-Meta-Provider</X-Authentik-Meta-Provider>
+                    <X-Authentik-Meta-App>X-Authentik-Meta-App</X-Authentik-Meta-App>
+                    <X-Authentik-Meta-Version>X-Authentik-Meta-Version</X-Authentik-Meta-Version>
+                </OptionValues>
+            </AuthCopyHeaders>
         </general>
         <reverseproxy>
             <reverse type="ArrayField">
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider
index 8dd207f85..f179fc845 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider
@@ -12,7 +12,11 @@
     {% if generalSettings.AuthToUri %}
         uri {{ generalSettings.AuthToUri|default("") }}
     {% endif %}
-    copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+    {% if generalSettings.AuthCopyHeaders|default("") == "" %}
+        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+    {% else %}
+        copy_headers {{ generalSettings.AuthCopyHeaders.split(',') | join(' ') }}
+    {% endif %}
     }
 {% elif generalSettings.AuthProvider == 'authentik' %}
     reverse_proxy /outpost.goauthentik.io/* {{ auth_url }} {
@@ -24,6 +28,10 @@
     {% if generalSettings.AuthToUri %}
         uri {{ generalSettings.AuthToUri|default("") }}
     {% endif %}
-    copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+    {% if generalSettings.AuthCopyHeaders|default("") == "" %}
+        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+    {% else %}
+       copy_headers {{ generalSettings.AuthCopyHeaders.split(',') | join(' ') }}
+    {% endif %}
     }
 {% endif %}

From 9c87fed72814fa6e1824792cde6baf783bbdd0f9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 24 Jan 2025 09:53:52 +0100
Subject: [PATCH 48/50] security/maltrail: bump revision

---
 security/maltrail/Makefile  | 1 +
 security/maltrail/pkg-descr | 1 +
 2 files changed, 2 insertions(+)

diff --git a/security/maltrail/Makefile b/security/maltrail/Makefile
index c13f207fe..5fe41603d 100644
--- a/security/maltrail/Makefile
+++ b/security/maltrail/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		maltrail
 PLUGIN_VERSION=		1.10
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Malicious traffic detection system
 PLUGIN_DEPENDS=		maltrail
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/maltrail/pkg-descr b/security/maltrail/pkg-descr
index 42506909e..69ad13f61 100644
--- a/security/maltrail/pkg-descr
+++ b/security/maltrail/pkg-descr
@@ -14,6 +14,7 @@ Changelog
 1.10
 
 * Add CHECK_HOST_DOMAINS option
+* Fix CUSTOM_TRAILS_DIR (contributed by codiflow)
 
 1.9
 

From 57a224a3cd4ac799dc3dd14d1a93c48f5f1be42f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 24 Jan 2025 09:57:39 +0100
Subject: [PATCH 49/50] dns/ddclient: lazy bump

---
 dns/ddclient/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index d61c41810..f52ee87b0 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.26
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org

From 7a7a3138a3170fc9a70d95ee9ae6f383eb2a0644 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 24 Jan 2025 09:59:18 +0100
Subject: [PATCH 50/50] plugins: add reset target

---
 Mk/defaults.mk | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index cb5cc80e9..9cf73ce3a 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -1,4 +1,4 @@
-# Copyright (c) 2016-2024 Franco Fichtner <franco@opnsense.org>
+# Copyright (c) 2016-2025 Franco Fichtner <franco@opnsense.org>
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -161,3 +161,8 @@ push:
 	@git checkout ${PLUGIN_STABLE}
 	@git push
 	@git checkout ${PLUGIN_MAIN}
+
+reset:
+	@git checkout ${PLUGIN_STABLE}
+	@git reset --hard HEAD~1
+	@git checkout ${PLUGIN_MAIN}