* Security: Q-Feeds Connect - add new options as available in integrated blocklists, closes https://github.com/opnsense/plugins/issues/5197
This adds allowlists (regex patterns), source_nets Q-Feeds applies on, address to return and optional NXDOMAIN responses.
Please note this version is only compatible with current community versions; business edition installs will have to wait for 26.4.
* Security: Q-Feeds Connect - update version and changelog
When multiple bootstrap resolvers are configured in the "Fallback Resolver"
field (e.g., "1.1.1.1:53,9.9.9.9:53"), the generated config incorrectly
places the comma inside a single string:
bootstrap_resolvers = ['1.1.1.1:53,9.9.9.9:53']
This causes dnscrypt-proxy to fail with:
[FATAL] Bootstrap resolver [...]: Host does not parse as IP '1.1.1.1:53,9.9.9.9:53'
The fix applies the same split/join pattern already used for listen_addresses,
server_names, disabled_server_names, and relaylist in the same template:
bootstrap_resolvers = ['1.1.1.1:53','9.9.9.9:53']
This bug was introduced in commit 1eec51a65 which renamed fallback_resolver
to bootstrap_resolvers but did not update the template syntax from a single
string to a TOML array format.
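The split/join fix described in the commit message above, as an added Python example that is not the plugin's template code. The function names are hypothetical, and the IP:port check only approximates the validation behind the dnscrypt-proxy error quoted above.

```python
import ipaddress
import re

def render_buggy(field: str) -> str:
    # Pre-fix behaviour from the commit message: the whole field is quoted once.
    return "bootstrap_resolvers = ['%s']" % field

def render_fixed(field: str) -> str:
    # Split on commas, drop blank entries, quote each entry as its own TOML string.
    entries = [e.strip() for e in field.split(",") if e.strip()]
    return "bootstrap_resolvers = [%s]" % ",".join("'%s'" % e for e in entries)

# One entry: IPv4 literal or bracketed IPv6 literal, followed by :port.
_ENTRY = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:\[\]]+)):(?P<port>\d{1,5})$")

def invalid_entries(line: str) -> list:
    """Return the quoted array entries in a rendered line that are not IP:port."""
    body = line.split("=", 1)[1]
    bad = []
    for entry in re.findall(r"'([^']*)'", body):
        match = _ENTRY.match(entry)
        try:
            if match is None:
                raise ValueError(entry)
            # Hostnames are rejected here: only IP literals pass.
            ipaddress.ip_address(match.group("v6") or match.group("v4"))
            if not 0 < int(match.group("port")) <= 65535:
                raise ValueError(entry)
        except ValueError:
            bad.append(entry)
    return bad

if __name__ == "__main__":
    field = "1.1.1.1:53,9.9.9.9:53"  # value from the commit message
    for render in (render_buggy, render_fixed):
        line = render(field)
        print(line, "-> invalid:", invalid_entries(line))
```

Running `invalid_entries` over the generated file before restarting the service catches a regression of this kind without waiting for the daemon to exit with `[FATAL]`.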
Previously a path or header had to be specified. But with the
extended mapfile support, these are no longer required values.
A mapfile may be used instead.
This is necessary, because according to the documentation,
the modern syntax cannot be mixed with legacy syntax in
several cases:
"This fetch applies only to the 'gpc' array data_type (and not
to the legacy 'gpc0' nor 'gpc1' data_types)."
Fix critical syntax error in opnsense-fw active response script that prevents IPs from being added to the __wazuh_agent_drop alias.
## Problem
The script contains invalid Python syntax - a variable assignment inside a dictionary literal:
```python
"parameters":{
unique_key = "%s-%s" % (...) # Invalid Python syntax
"keys": [unique_key]
}
```
This causes the script to fail with a SyntaxError on all 'add' commands, meaning attacking IPs are never blocked.
## Changes
- Move unique_key assignment outside dictionary literal (fixes SyntaxError)
- Fix typo: 'even' -> 'event' in error message
- Add debug logging for easier troubleshooting
## Testing
- Verified syntax with `python3 -m py_compile`
- Tested active response add/delete operations on OPNsense 26.1
* security/acme-client: Add option for global token to TransIP
The TransIP DNS API and the acme.sh API for TransIP support the possibility to create a global access token.
With a global access token, the API call to TransIP can be made from every IP address.
There is a new button in the client configuration for TransIP, and this will be added to the account configuration file, which is used by acme.sh.