Release notes for FreeBSD 13.0.

This file describes new user-visible features, changes and updates relevant to
users of binary FreeBSD releases. Each entry should describe the change in no
more than several sentences and should reference manual pages where an
interested user can find more information. Entries should wrap after 80
columns. Each entry should begin with one or more commit IDs on one line,
specified as a comma separated list and/or range, followed by a colon and a
newline. Entries should be separated by a newline.

Changes to this file should not be MFCed.

cd597b4bb194, ee931cf4a49c, acdc59f0924a:
	The layout of NFS file handles for the cd9660 and ext2fs file systems
	has changed. An NFS server that exports any of these file systems will
	need its clients to unmount and remount the exports.

35b193572545:
	grep(1) no longer follows symbolic links by default for
	recursive searches. This matches the documented behavior in
	the manual page.

0644746d5091:
	Add a new "syskrb5" mount option for Kerberized NFSv4.1/4.2 mounts.
	Without this patch, a Kerberized NFSv4.1/4.2 mount must provide
	a Kerberos credential for the client at mount time.
	This patch uses a feature of NFSv4.1/4.2 called SP4_NONE, which
	allows the state maintenance operations to be performed by any
	authentication mechanism, so that these operations may be done via
	AUTH_SYS instead of RPCSEC_GSS (KerberosV). As such, no Kerberos
	credential is required at mount time.
	See mount_nfs(8).

b4805d577787 and many others:
	Add support so that nfsd(8), nfsuserd(8), mountd(8), gssd(8)
	and rpc.tlsservd(8) can be run in an appropriately configured
	vnet prison. The vnet prison must be on its own file system,
	have the "allow.nfsd" jail parameter set on it and enforce_statfs
	cannot be set to "0". Use of UDP and pNFS server configurations
	is not permitted (i.e. the nfsd command line options "-u", "-p"
	and "-m" are not supported).
	See jail(8), nfsd(8) and mountd(8).

68e86d5265bc,e58dfd0de589,59f5a5cb724e,6e272a78de36,4c4a4fd4a649,ba2ae2cca63a:
	sendmail has been updated to the latest upstream version (8.17.1).

225443828ec6..c44d097dcf92:
	bhyve now supports more than 16 vCPUs in a guest. By default
	bhyve permits each guest to create the same number of vCPUs as
	the count of physical CPUs on the host. This limit can be
	adjusted via the loader tunable hw.vmm.maxcpu.

1462dc95f796:
	Kernel TLS offload now supports receive-side offload of TLS 1.3.

3ee882bf21af:
	Change handling of the lowest address on an IPv4 (sub)net so that
	packets are not sent as a broadcast unless this has been set as the
	broadcast address. This makes the lowest address usable for a host.
	The old behavior can be restored with the net.inet.ip.broadcast_lowest
	sysctl. For more information, see
	https://datatracker.ietf.org/doc/draft-schoen-intarea-lowest-address/.

33ff39796ffe,8719e8a951b7:
	A new rc(8) service script zfskeys allows for automatic decryption
	of ZFS datasets encrypted with ZFS native encryption during boot.
	See the rc.conf(5) manual page for more information.

b7a2cf0d9102 - eae02d959363:
	Upgrade bhyve's emulation to version 1.4 of the NVMe specification.

0a6760a1de32, 3f3676a71266, 580c04df4db6:
	Add WiFi 6 support.

various:
	Add support for the HiFive Unmatched RISC-V board.

9fb6e613373c:
	Add a sysctl called vfs.nfsd.srvmaxio that can be used to
	increase the NFS server's maximum I/O size from 128Kbytes
	to any power of 2 up to 1Mbyte. It can only be set when
	the nfsd threads are not running and will normally require
	an increase in kern.ipc.maxsockbuf to at least the value
	recommended by the console log message generated when
	setting vfs.nfsd.srvmaxio is first attempted.

9ec7dbf46b0a:
	Add a new NFSv4.1/4.2 mount option "nconnect" that can
	be used to specify the number of TCP connections that
	will be used for the mount, up to a maximum of 16.
	The first (default) TCP connection will be used for
	all RPCs that consist of small RPC messages.
	The RPCs that can consist of large RPC messages
	(Read/Readdir/ReaddirPlus/Write) will be sent on the
	additional TCP connections in a round robin fashion.
	If either the NFS client or NFS server has multiple
	network interfaces aggregated together or a network
	interface that uses multiple queues, this can increase
	NFS performance for the mount.

various:
	One True Awk has been updated to the latest from upstream
	(20210215). All the FreeBSD patches but one have now been
	either upstreamed or discarded. Notable changes include:
	o Locale is no longer used for ranges
	o Various bugs fixed
	o Better compatibility with gawk and mawk

	The one FreeBSD change, likely to be removed in FreeBSD 14, is that
	we still allow hex numbers, prefixed with 0x, to be parsed and
	interpreted as hex numbers while all other awks (including one
	true awk now) interpret them as 0 in line with awk's historic
	behavior.

8a04edfdcbd2:
	Change the default minor version used for an NFSv4 mount
	to the highest minor version supported by the NFSv4 server.
	This default can be overridden by using the "minorversion"
	mount option.

2c76eebca71b, 59f6f5e23c1a:
	Add two daemons rpc.tlsclntd(8) and rpc.tlsservd(8) that provide
	support for NFS-over-TLS as described in the Internet Draft titled
	"Towards Remote Procedure Call Encryption By Default".
	These daemons are only built when WITH_OPENSSL_KTLS is specified
	and are only tested on amd64 at this time.
	They use KTLS to encrypt/decrypt all NFS RPC message traffic, plus
	optional verification of machine identity via X.509 certificates.

f76393a6305b6:
	Add AES-GCM support to armv8crypto(4) providing accelerated
	support for KTLS, IPsec, and other crypto API consumers.

074a91f746bd:
	The aesni(4) and armv8crypto(4) devices are now included in
	GENERIC on amd64, i386, and arm64.

2e1c94aa1fd5:
	Add support for enforcing W^X mapping policy for user
	processes. The policy is not enforced by default but can be
	enabled by setting the kern.elf32.allow_wx and
	kern.elf64.allow_wx sysctls to 0. Individual binaries can be
	exempted from the policy by elfctl(1) via the wxneeded
	feature.

4979620ece98:
	Add AES-XTS support to armv8crypto(4) providing accelerated
	software support for the default GELI cipher on arm64 systems.

022ca2fc7fe0:
	Add aio_writev(2) and aio_readv(2), vectored analogues of aio_write(2)
	and aio_read(2).

92bbfe1f0d1f:
	The fusefs(5) protocol has been updated to 7.28. Support for
	FUSE_COPY_FILE_RANGE and FUSE_LSEEK is added.

r368667:
	GDB 6.1.1 was removed. Users of crashinfo(8) should install the
	gdb package or devel/gdb port.

r368559:
	The hme(4) driver was removed.

r367660:
	Fixes the case where gssd will not start up because /usr is a separate
	local file system that is not yet mounted. It does not fix the case
	where /usr is a separately mounted remote file system (such as NFS).
	This latter case can be fixed by adding mountcritremote to the
	REQUIRED line. Unfortunately doing so implies that all Kerberized
	NFS mounts in /etc/fstab will need the "late" mount option.
	This was not done, since the requirement for "late" would introduce
	a POLA violation.

r367423:
	This commit added a new startup scripts variable called
	nfsv4_server_only which uses the -R option on mountd added by r367026.
	When nfsv4_server_only is set to "YES" in /etc/rc.conf, the NFS server
	only handles NFSv4 and does not register with rpcbind. As such, rpcbind
	does not need to be running. Useful for sites which consider rpcbind a
	security issue.

r366267:
	Kernel option ACPI_DMAR was renamed to IOMMU. amd64's IOMMU subsystem
	was split out from amd64 DMAR support and is now generic, i.e., it can
	be used by all architectures.

r364896:
	A series of commits ending with r364896 added NFS over TLS
	to the kernel. This is believed to be compatible with
	the Internet Draft titled "Towards Remote Procedure Call Encryption
	By Default" (expected to soon become an RFC).
	The mount_nfs(8) and exports(5) man pages describe the mount and
	export option(s) related to NFS over TLS.
	For NFS over TLS to work, the rpctlscd(8) { client } or rpctlssd(8)
	{ server } must be running on a kernel built with "options KERN_TLS"
	on an architecture where PMAP_HAS_DMAP != 0.

r364725:
	Changes to one obscure devd event generated on resume need to
	be documented. The old form will still be generated in 13, but not
	in 14.

r363679:
	Applications using regex(3), e.g. sed/grep, will no longer accept
	redundant escapes for most ordinary characters.

r363253:
	SCTP support has been removed from GENERIC kernel configurations.
	The SCTP stack is now built as sctp.ko and can be dynamically loaded.

r363233:
	Merge sendmail 8.16.1: See contrib/sendmail/RELEASE_NOTES for details.

r363180:
	The safexcel(4) crypto offload driver has been added.

r363084:
	nc(1) now implements SCTP mode, enabled by specifying the --sctp option.

r362681:
	A new implementation of bc and dc has been imported. It offers
	better standards compliance, performance, localization and comes
	with extensive test cases that are optionally installed.
	Use WITHOUT_GH_BC=yes to build and install the world with the
	previous version instead of the new one, if required.

r362158, r362163:
	struct export_args has changed so that the "user" specified for
	the -maproot and -mapall exports(5) options may be in more than
	16 groups.

r361884:
	sed(1) has learned about hex escapes (e.g. \x27) and will now do the
	right thing with them, removing the need for printf magic or obnoxious
	escaping in many scenarios.

r361238, r361798, r361799:
	ZFS will now unconditionally reject read(2) of a directory with EISDIR.
	Additionally, read(2) of a directory is now rejected with EISDIR by
	default and may be re-enabled for non-ZFS filesystems that allow it with
	the sysctl(8) MIB 'security.bsd.allow_read_dir'.

	Aliases for grep to default to '-d skip' may be desired if commonly
	non-recursively grepping a list that includes directories and the
	possibility of EISDIR errors in stderr is not tolerable. Example
	aliases, commented out, have been installed in /root/.cshrc and
	/root/.shrc.

r361066:
	Add exec.prepare and exec.release hooks for jail(8) and jail.conf(5).
	exec.prepare runs before mounts, so can be used to populate new jails.
	exec.release runs after unmounts, so can be used to remove ephemeral
	jails.

r360920,r360923,r360924,r360927,r360928,r360931,r360933,r360936:
	Remove support for ARC4, Blowfish, Cast, DES, Triple DES, MD5,
	MD5-KPDK, MD5-HMAC, SHA1-KPDK, and Skipjack algorithms from
	the kernel open cryptographic framework (OCF).

r360562:
	Remove support for ARC4, Blowfish, Cast, DES, Triple DES,
	MD5-HMAC, and Skipjack algorithms from /dev/crypto.

r360557:
	Remove support for DES, Triple DES, Blowfish, Cast, and
	Camellia ciphers from IPsec(4). Remove support for MD5-HMAC,
	Keyed MD5, Keyed SHA1, and RIPEMD160-HMAC from IPsec(4).

r359945:
	Remove support for Triple DES, Blowfish, and MD5 HMAC from
	geli(4).

r359786-r359787:
	Remove support for DES, Triple DES, and RC4 from in-kernel GSS
	authentication.

r357627:
	Remove elf2aout.

r357560-r357565:
	init(8), service(8), and cron(8) will now adopt user/class environment
	variables (excluding PATH, by default, which will be overwritten) by
	default. Notably, environment variables for all cron jobs and rc
	services can now be set via login.conf(5).

r357455:
	sparc64 has been removed from FreeBSD.

r355677:
	Adds support for NFSv4.2 (RFC-7862) and Extended Attributes
	(RFC-8276) to the NFS client and server.
	NFSv4.2 is comprised of several optional features that can be supported
	in addition to NFSv4.1. This patch adds the following optional features:
	- posix_fadvise(POSIX_FADV_WILLNEED/POSIX_FADV_DONTNEED)
	- posix_fallocate()
	- intra server file range copying via the copy_file_range(2) syscall
	  --> Avoiding data transfer over the wire to/from the NFS client.
	- lseek(SEEK_DATA/SEEK_HOLE)
	- Extended attribute syscalls for "user" namespace attributes as defined
	  by RFC-8276.

	For the client, NFSv4.2 is only used if the mount command line option
	minorversion=2 is specified.
	For the server, two new sysctls called vfs.nfsd.server_min_minorversion4
	and vfs.nfsd.server_max_minorversion4 have been added that allow
	sysadmins to limit the minor versions of NFSv4 supported by the nfsd
	server.
	Setting vfs.nfsd.server_max_minorversion4 to 0 or 1 will disable NFSv4.2
	on the server.

r356263:
	armv5 support has been removed from FreeBSD.

r354517:
	iwm(4) now supports most Intel 9260, 9460 and 9560 Wi-Fi devices.

r354269:
	sqlite3 is updated to sqlite3-3.30.1.

r352668:
	cron(8) now supports the -n (suppress mail on successful run) and -q
	(suppress logging of command execution) options in the crontab format.
	See the crontab(5) manpage for details.

r352304:
	ntpd is no longer by default locked in memory. rlimit memlock 32
	or rlimit memlock 0 can be used to restore this behaviour.

r351863:
	rc.subr(8) now honors ${name}_env in all rc(8) scripts. Previously,
	environment variables set by a user via ${name}_env were ignored
	if the service defined a custom *_cmd variable to control the behavior
	of the run_rc_command function, e.g., start_cmd, instead of relying on
	the variables like command and command_args.

r351770,r352920,r352922,r352923:
	dd(1) now supports conv=fsync, conv=fdatasync, oflag=fsync, oflag=sync,
	and iflag=fullblock flags, compatible with illumos and GNU.

r351522:
	Add kernel-side support for in-kernel Transport Layer Security
	(KTLS). KTLS permits using sendfile(2) over sockets using
	TLS.

r351397:
	WPA is updated from 2.8 to 2.9.

r351361:
	Add probes for lockmgr(9) to the lockstat DTrace provider, add
	corresponding lockstat(1) events, and document the new probes in
	dtrace_lockstat.4.

r351356:
	Intel RST is a new 'feature' that remaps NVMe devices from
	their normal location to part of the AHCI bar space. This
	will eliminate the need to set the BIOS SATA setting from RST
	to AHCI, causing the nvme drive to be erased, before FreeBSD
	will see the nvme drive. FreeBSD will now be able to see the
	nvme drive in the default config.

r351201, r351372:
	Add a vop_stdioctl() call, so that file systems that do not support
	holes will have a trivial implementation of lseek(SEEK_DATA/SEEK_HOLE).
	The algorithm appears to be compatible with the POSIX draft and
	the implementation in Linux for the case of a file system that
	does not support holes. Prior to this patch, lseek(2) would reply
	-1 with errno set to ENOTTY for SEEK_DATA/SEEK_HOLE on files in
	file systems that do not support holes.
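The lseek(SEEK_DATA/SEEK_HOLE) behaviour this entry describes, as an added example that is not FreeBSD code: a caller enumerates a file's data extents and, when the kernel reports no hole support (ENOTTY before r351201, EINVAL with r351372), falls back to treating the whole file as one data extent, which is also what the trivial vop_stdioctl() implementation reports. The struct extent, data_extents() and make_sample() names are this example's own, and the sample file is constructed under /tmp.

```c
#define _GNU_SOURCE   /* SEEK_DATA/SEEK_HOLE need this on Linux; FreeBSD exposes them by default */
#include <errno.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

struct extent { off_t start; off_t len; };

/* Enumerate the data extents of fd into out[] (at most max entries).
 * Returns the extent count or -1 on an unexpected error. When the kernel
 * reports no hole support (EINVAL on 13.0, ENOTTY on older kernels), the
 * whole file is returned as a single extent and *fallback is set to 1. */
int data_extents(int fd, struct extent *out, int max, int *fallback)
{
    struct stat st;
    int n = 0;
    off_t pos = 0;
    *fallback = 0;
    if (fstat(fd, &st) != 0) return -1;
    while (pos < st.st_size && n < max) {
        off_t data = lseek(fd, pos, SEEK_DATA);
        if (data < 0) {
            if (errno == ENXIO) break;       /* only holes remain before EOF */
            if (errno != EINVAL && errno != ENOTTY)
                return -1;
            *fallback = 1;                   /* no hole support: all data */
            out[0].start = 0;
            out[0].len = st.st_size;
            return 1;
        }
        off_t hole = lseek(fd, data, SEEK_HOLE); /* EOF is a virtual hole */
        if (hole < 0) return -1;
        out[n].start = data;
        out[n].len = hole - data;
        n++;
        pos = hole;
    }
    return n;
}

/* Constructed sample: 4 bytes of data, optionally extended to 1 MiB with
 * ftruncate(2) so the tail is a hole. Returns an unlinked open fd. */
int make_sample(int with_hole)
{
    char path[] = "/tmp/seekholeXXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);
    if (write(fd, "data", 4) != 4 || (with_hole && ftruncate(fd, 1 << 20))) {
        close(fd);
        return -1;
    }
    return fd;
}
```

On a file system that stores holes the sparse sample yields one short extent at offset 0; on one that does not, the same call yields a single 1 MiB extent, either via the trivial in-kernel implementation or via the EINVAL/ENOTTY fallback.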
	r351372 maps ENOTTY to EINVAL for lseek(SEEK_DATA/SEEK_HOLE) for
	any other cases, such as an ENOTTY return from vn_bmap_seekhole().

r350665:
	The fuse driver has been renamed to fusefs(5) and been substantially
	rewritten. The new driver includes many bug fixes and performance
	enhancements, as well as the following user-visible features:
	* Optional kernel-side permissions checks (-o default_permissions)
	* mknod(2), socket(2), and pipe(2) support
	* server side locking with fcntl(2)
	* FUSE operations are now interruptible when mounted with -o intr
	* server side handling of UTIME_NOW during utimensat(2)
	* mount options may be updated with "mount -u"
	* fusefs file system may now be exported over NFS
	* RLIMIT_FSIZE support
	* support for fuse file systems using protocols as old as 7.4

	FUSE file system developers should also take note of the following new
	features:
	* The protocol level has been raised from 7.8 to 7.23
	* kqueue support on /dev/fuse
	* server-initiated cache invalidation via FUSE_NOTIFY_REPLY

r350471:
	gnop(8) can now configure a delay to be applied to read and write
	requests. See the -d, -q and -x parameters.

r350315, r350316:
	Adds a Linux compatible copy_file_range(2) syscall.

r350307:
	libcap_random(3) has been removed. Applications can use native
	APIs to get random data in capability mode.

r349529,r349530:
	Add support for using unmapped mbufs with sendfile(2).

r349352:
	nand(4) and related components have been removed.

r349349:
	The UEFI loader now supports HTTP boot.

r349335:
	bhyve(8) now implements a High Definition Audio (HDA) driver, allowing
	guests to play to and record audio data from the host.

r349286:
	swapon(8) can now erase a swap device immediately before enabling it,
	similar to newfs(8)'s -E option. This behaviour can be specified by
	adding -E to swapon(8)'s command-line parameters, or by adding the
	"trimonce" option to a swap device's /etc/fstab entry.

r347908-r347923:
	The following network drivers have been removed: bm(4), cs(4), de(4),
	ed(4), ep(4), ex(4), fe(4), pcn(4), sf(4), sn(4), tl(4), tx(4), txp(4),
	vx(4), wb(4), xe(4).

r347532:
	Wired page accounting has been split into kernel wirings and user
	wirings (e.g., by mlock(2)). Kernel wirings no longer count towards
	the global limit, which is renamed to vm.max_user_wired. bhyve -S
	allocates user-wired memory and is now subject to that limit.