Hello world,
It is time to move back to Suricata version 7 after identifying the relevant default option changes in order to keep IPS/Netmap happy when running it. Kea also received a number of tweaks and updates as well as our VPN service integrations.
Last but not least this includes FreeBSD 13.2-p10 and the recent DNS denial of service attack mitigation.
Here are the full patch notes:
- system: accept colon character in log queries
- system: add issuer and logo to OTP link
- system: fix gateway migration issue causing individual items to be skipped
- reporting: update traffic graph colors to be contrast and consistent (contributed by brotherla)
- interfaces: fix strpos() deprecation null haystack
- interfaces: add missing ACL entries for ARP/NDP tables
- interfaces: fix VXLAN validation
- firewall: change default traffic normalization behavior and choose "in" as standard direction for manual rules
- firewall: make select width more consistent on alias diagnostics table selection
- dhcp: set RemoveAdvOnExit to off in CARP mode for router advertisements
- dhcp: make sure the register DNS leases options reflect that this is only supported for ISC DHCP
- dhcp: make option_data_autocollect option more explicit in Kea
- dhcp: gather missing Kea leases another way since the logs are unreliable
- dhcp: add address constraint to Kea reservations
- dhcp: add unique constraint for MAC address + subnet in Kea
- dhcp: add domain-name to client configuration in Kea
- dhcp: loosen constraints for TFTP boot in Kea
- intrusion detection: adjust for default behaviour changes in Suricata 7
- ipsec: improve enable button placement on connections page
- ipsec: show EAP-RADIUS settings only when legacy tunnels are being used
- ipsec: allow % to support %any in ID for connections
- openvpn: when "cert_depth" is left empty it should ignore the value
- openvpn: data-ciphers-fallback should be a single option
- openvpn: fix support for /30 p2p/net30 instances
- openvpn: add "various_push_flags" field for simple boolean server push options in connections
- unbound: prevent os.write() on None when another thread closed the pipe in Python module
- wireguard: key constraints should only apply on peers and not instances
- wireguard: peer uniqueness should depend on pubkey + endpoint
- wireguard: skip attached instance address routes
- wireguard: remove duplicate ID columns
- mvc: fix Phalcon 5.4 and up
- src: jail: fix information leak[1]
- src: bhyveload: use a dirfd to support -h[2]
- src: EVFILT_SIGNAL: do not use target process pointer on detach[3]
- src: setusercontext(): apply personal settings only on matching effective UID[4]
- src: re: generate an address if there is none in the EEPROM
- src: wg: detect loops in netmap mode
- src: wg: detach bpf upon destroy as well
- src: wg: fix access to noise_local->l_has_identity and l_private
- src: wg: fix erroneous calculation in calculate_padding() for p_mtu == 0
- plugins: os-acme-client 4.1[5]
- plugins: os-ddclient 1.21[6]
- plugins: os-dnscrypt-proxy 1.15[7]
- ports: dnsmasq 2.90[8]
- ports: openvpn 2.6.9[9]
- ports: phalcon 5.6.1[10]
- ports: radvd adds upstream patch for RemoveAdvOnExit option
- ports: suricata 7.0.3[11]
- ports: unbound 1.19.1[12]
A hotfix release was issued as 24.1.2_1:
- system: fix dynamic gateway persisting its address
Stay safe,
Your OPNsense team