The dashboard widget's extend button was using JSON.stringify() to send
the seconds parameter, but the PHP controller reads it via getPost()
which expects form-encoded data. Changed to pass a plain object so
jQuery serializes it correctly as form data.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
New plugin: os-autorollback - Automatic configuration rollback with safe mode.
Inspired by Juniper JUNOS "commit confirmed" and MikroTik RouterOS Safe Mode,
this plugin provides automatic configuration rollback for OPNsense. When safe
mode is activated, a timer begins counting down. If the administrator does not
confirm the changes before the timer expires, the configuration is automatically
rolled back to the pre-change state.
Features:
- Safe mode with configurable countdown timer (default 300s)
- Three rollback triggers: timer expiry, connectivity watchdog, boot recovery
- Connectivity watchdog monitors configurable targets every minute via cron
- Early boot recovery via syshook detects crashed safe mode sessions
- Dashboard widget with real-time countdown and one-click confirm/revert
- Global banner on every page during active safe mode
- Atomic config restore with safety backup and path traversal protection
- Firmware update awareness (blocks rollback during upgrades)
- Full MVC architecture with API endpoints and configd backend integration
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Security: Q-Feeds Connect - add new options as available in integrated blocklists, closes https://github.com/opnsense/plugins/issues/5197
This adds allowlists (regex patterns), source_nets Q-Feeds applies on, address to return and optional NXDOMAIN responses.
Please note this version is only compatible with current community versions, business edition installs will have to wait for 26.4.
* Security: Q-Feeds Connect - update version and changelog
When multiple bootstrap resolvers are configured in the "Fallback Resolver"
field (e.g., "1.1.1.1:53,9.9.9.9:53"), the generated config incorrectly
places the comma inside a single string:
bootstrap_resolvers = ['1.1.1.1:53,9.9.9.9:53']
This causes dnscrypt-proxy to fail with:
[FATAL] Bootstrap resolver [...]: Host does not parse as IP '1.1.1.1:53,9.9.9.9:53'
The fix applies the same split/join pattern already used for listen_addresses,
server_names, disabled_server_names, and relaylist in the same template:
bootstrap_resolvers = ['1.1.1.1:53','9.9.9.9:53']
This bug was introduced in commit 1eec51a65 which renamed fallback_resolver
to bootstrap_resolvers but did not update the template syntax from a single
string to a TOML array format.
Previously a path or header had to be specified. But with the
extended mapfile support, these are no longer required values.
A mapfile may be used instead.
This is necessary, because according to the documentation,
the modern syntax cannot be mixed with legacy syntax in
several cases:
"This fetch applies only to the 'gpc' array data_type (and not
to the legacy 'gpc0' nor 'gpc1' data_types)."
Fix critical syntax error in opnsense-fw active response script that prevents IPs from being added to the __wazuh_agent_drop alias.
## Problem
The script contains invalid Python syntax - a variable assignment inside a dictionary literal:
```python
"parameters":{
unique_key = "%s-%s" % (...) # Invalid Python syntax
"keys": [unique_key]
}
```
This causes the script to fail with a SyntaxError on all 'add' commands, meaning attacking IPs are never blocked.
## Changes
- Move unique_key assignment outside dictionary literal (fixes SyntaxError)
- Fix typo: 'even' -> 'event' in error message
- Add debug logging for easier troubleshooting
## Testing
- Verified syntax with `python3 -m py_compile`
- Tested active response add/delete operations on OPNsense 26.1
* security/acme-client: Add option for global token to TransIP
The TransIP dns api and the acme.sh api for TransIP support the possibility to create a global access token.
With a global access token, the api call to TransIP can be amde from every ip adress.
There is a new button in the client configuration for TransIP, and this will be added to the account configuration file, which is used by acme.sh
