TLDR: I enabled ZFS feature flags on the boot pool of OPNsense (out of ignorance), and had to update the UEFI boot code in order not to "brick" it.
I want to document this unsettling experience for anyone who has walked the same path and is desperately searching for a remedy.
Background
I was doing an OPNsense major version upgrade from 25.1 to 25.7. Things went pretty smoothly and I did some post-upgrade checks. One of the checks was zpool status -v, and I discovered that there are new feature flags that can be enabled for the ZFS pool.
Story
Without thinking too much (read: at all), I went ahead and did zpool upgrade -a. Here is the output:
root@OPNsense:/home/ewon # zpool upgrade -a
This system supports ZFS pool feature flags.
Enabled the following features on 'zroot':
edonr
zilsaxattr
head_errlog
blake3
block_cloning
vdev_zaps_v2
Pool 'zroot' has the bootfs property set, you might need to update
the boot code. See gptzfsboot(8) and loader.efi(8) for details.
root@OPNsense:/home/ewon #
The seemingly casual sentence "you might need to update the boot code" caught my attention. I went searching for this and discovered this forum post. I felt a cold shiver run down my spine and broke into a sweat. If I hadn't caught this, the next reboot would have sent my home network to hell, literally.
Fix
Luckily, by following what people shared in the post and updating the UEFI boot code, I was able to avert a crisis.
cp /boot/loader.efi /boot/efi/efi/boot/bootx64.efi
cp /boot/loader.efi /boot/efi/efi/freebsd/loader.efi
If your machine is running in BIOS mode, run:
gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 2 da0
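A pre-reboot check for the UEFI case above, as an added example that is not part of the original post: it reads the pool's bootfs property and compares the two ESP loader copies against /boot/loader.efi. The function names and the LOADER_SRC / ESP_COPIES variables are hypothetical, and it assumes the /boot/loader.efi shipped with the upgraded system understands the newly enabled features.

```sh
#!/bin/sh
# Added example (not from the original post). Defaults are the paths the post
# copies to; override LOADER_SRC / ESP_COPIES if your ESP is mounted elsewhere.
LOADER_SRC="${LOADER_SRC:-/boot/loader.efi}"
ESP_COPIES="${ESP_COPIES:-/boot/efi/efi/boot/bootx64.efi /boot/efi/efi/freebsd/loader.efi}"

# Print each loader copy that exists but differs byte-for-byte from the source.
stale_loaders() {
    src=$1; shift
    for copy in "$@"; do
        if [ -f "$copy" ] && ! cmp -s "$src" "$copy"; then
            printf '%s\n' "$copy"
        fi
    done
}

# Return 0 if the pool is safe to reboot from, 1 if an ESP copy is stale,
# 2 if the check could not be made (zpool failed, or no ESP copy was found,
# e.g. a BIOS-mode install or an unmounted ESP).
check_boot_code() {
    pool=$1
    # -H -o value prints only the property value; "-" means bootfs is unset.
    bootfs=$(zpool get -H -o value bootfs "$pool") || return 2
    if [ "$bootfs" = "-" ]; then
        echo "$pool: bootfs not set, not treated as a boot pool"
        return 0
    fi
    found=0
    for copy in $ESP_COPIES; do
        if [ -f "$copy" ]; then found=1; fi
    done
    if [ "$found" -eq 0 ]; then
        echo "$pool: no loader copy found under the ESP paths, check manually"
        return 2
    fi
    # ESP_COPIES is deliberately unquoted: it is a space-separated list.
    stale=$(stale_loaders "$LOADER_SRC" $ESP_COPIES)
    if [ -n "$stale" ]; then
        echo "$pool: these copies differ from $LOADER_SRC, update before reboot:"
        echo "$stale"
        return 1
    fi
    echo "$pool: ESP loader copies match $LOADER_SRC"
}

# Runs only when a pool name is passed, e.g.: sh check_boot_code.sh zroot
if [ "$#" -gt 0 ]; then check_boot_code "$1"; fi
```

A non-zero exit status means do not reboot yet: 1 points at the copies to refresh with the cp commands above, 2 means the ESP layout has to be inspected by hand.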
From now on, I won't do zpool upgrade on OPNsense. It should be left alone as a network appliance, not a storage server.