Release notes for FreeBSD 13.0.

This file describes new user-visible features, changes and updates relevant to
users of binary FreeBSD releases. Each entry should describe the change in no
more than several sentences and should reference manual pages where an
interested user can find more information. Entries should wrap after 80
columns. Each entry should begin with one or more commit IDs on one line,
specified as a comma separated list and/or range, followed by a colon and a
newline. Entries should be separated by a newline.

Changes to this file should not be MFCed.

Add a sysctl called vfs.nfsd.srvmaxio that can be used to
increase the NFS server's maximum I/O size from 128Kbytes
to any power of 2 up to 1Mbyte. It can only be set when
the nfsd threads are not running and will normally require
an increase in kern.ipc.maxsockbuf to at least the value
recommended by the console log message generated when
setting vfs.nfsd.srvmaxio is first attempted.

Add a new NFSv4.1/4.2 mount option "nconnect" that can
be used to specify the number of TCP connections that
will be used for the mount, up to a maximum of 16.
The first (default) TCP connection will be used for
all RPCs that consist of small RPC messages.
The RPCs that can consist of large RPC messages
(Read/Readdir/ReaddirPlus/Write) will be sent on the
additional TCP connections in a round robin fashion.
If either the NFS client or NFS server has multiple
network interfaces aggregated together or a network
interface that uses multiple queues, this can increase
NFS performance for the mount.

One True Awk has been updated to the latest from upstream
(20210215). All the FreeBSD patches, but one, have now been
either upstreamed or discarded. Notable changes include:
o Locale is no longer used for ranges
o Better compatibility with gawk and mawk

The one FreeBSD change, likely to be removed in FreeBSD 14, is that
we still allow hex numbers, prefixed with 0x, to be parsed and
interpreted as hex numbers while all other awks (including one
true awk now) interpret them as 0 in line with awk's historic

Change the default minor version used for an NFSv4 mount
to the highest minor version supported by the NFSv4 server.
This default can be overridden by using the "minorversion"

2c76eebca71b, 59f6f5e23c1a:
Add two daemons rpc.tlsclntd(8) and rpc.tlsservd(8) that provide
support for NFS-over-TLS as described in the Internet Draft titled
"Towards Remote Procedure Call Encryption By Default".
These daemons are only built when WITH_OPENSSL_KTLS is specified
and are only tested on amd64 at this time.
They use KTLS to encrypt/decrypt all NFS RPC message traffic, plus
optional verification of machine identity via X.509 certificates.

Add AES-GCM support to armv8crypto(4) providing accelerated
support for KTLS, IPsec, and other crypto API consumers.

The aesni(4) and armv8crypto(4) devices are now included in
GENERIC on amd64, i386, and arm64.

Add support for enforcing W^X mapping policy for user
processes. The policy is not enforced by default but can be
enabled by setting the kern.elf32.allow_wx and
kern.elf64.allow_wx sysctls to 0. Individual binaries can be
exempted from the policy by elfctl(1) via the wxneeded

Add AES-XTS support to armv8crypto(4) providing accelerated
software support for the default GELI cipher on arm64 systems.

Add aio_writev(2) and aio_readv(2), vectored analogues of aio_write(2)

The fusefs(5) protocol has been updated to 7.28. Support for
FUSE_COPY_FILE_RANGE and FUSE_LSEEK is added.

GDB 6.1.1 was removed. Users of crashinfo(8) should install the
gdb package or devel/gdb port.

The hme(4) driver was removed.

Fixes the case where gssd will not start up because /usr is a separate
local file system that is not yet mounted. It does not fix the case
where /usr is a separately mounted remote file system (such as NFS).
This latter case can be fixed by adding mountcritremote to the
REQUIRED line. Unfortunately doing so implies that all Kerberized
NFS mounts in /etc/fstab will need the "late" mount option.
This was not done, since the requirement for "late" would introduce

This commit added a new startup scripts variable called
nfsv4_server_only which uses the -R option on mountd added by r367026.
When nfsv4_server_only is set to "YES" in /etc/rc.conf, the NFS server
only handles NFSv4 and does not register with rpcbind. As such, rpcbind
does not need to be running. Useful for sites which consider rpcbind a

Kernel option ACPI_DMAR was renamed to IOMMU. amd64's IOMMU subsystem
was split out from amd64 DMAR support and is now generic, i.e., it can
be used by all architectures.

A series of commits ending with r364896 added NFS over TLS
to the kernel. This is believed to be compatible with
the Internet Draft titled "Towards Remote Procedure Call Encryption
By Default" (expected to soon become an RFC).
The mount_nfs(8) and exports(5) man pages describe the mount and
export option(s) related to NFS over TLS.
For NFS over TLS to work, the rpctlscd(8) { client } or rpctlssd(8)
{ server } must be running on a kernel built with "options KERN_TLS"
on an architecture where PMAP_HAS_DMAP != 0.

Changes to one obscure devd event generated on resume need to
be documented. The old form will still be generated in 13, but not

Applications using regex(3), e.g. sed/grep, will no longer accept
redundant escapes for most ordinary characters.

SCTP support has been removed from GENERIC kernel configurations.
The SCTP stack is now built as sctp.ko and can be dynamically loaded.

Merge sendmail 8.16.1: See contrib/sendmail/RELEASE_NOTES for details.

The safexcel(4) crypto offload driver has been added.

nc(1) now implements SCTP mode, enabled by specifying the --sctp option.

A new implementation of bc and dc has been imported. It offers
better standards compliance, performance, localization and comes
with extensive test cases that are optionally installed.
Use WITHOUT_GH_BC=yes to build and install the world with the
previous version instead of the new one, if required.

struct export_args has changed so that the "user" specified for
the -maproot and -mapall exports(5) options may be in more than

sed(1) has learned about hex escapes (e.g. \x27) and will now do the
right thing with them, removing the need for printf magic or obnoxious
escaping in many scenarios.

r361238, r361798, r361799:
ZFS will now unconditionally reject read(2) of a directory with EISDIR.
Additionally, read(2) of a directory is now rejected with EISDIR by
default and may be re-enabled for non-ZFS filesystems that allow it with
the sysctl(8) MIB 'security.bsd.allow_read_dir'.

Aliases for grep to default to '-d skip' may be desired if commonly
non-recursively grepping a list that includes directories and the
possibility of EISDIR errors in stderr is not tolerable. Example
aliases, commented out, have been installed in /root/.cshrc and

Add exec.prepare and exec.release hooks for jail(8) and jail.conf(5).
exec.prepare runs before mounts, so can be used to populate new jails.
exec.release runs after unmounts, so can be used to remove ephemeral

r360920,r360923,r360924,r360927,r360928,r360931,r360933,r360936:
Remove support for ARC4, Blowfish, Cast, DES, Triple DES, MD5,
MD5-KPDK, MD5-HMAC, SHA1-KPDK, and Skipjack algorithms from
the kernel open cryptographic framework (OCF).

Remove support for ARC4, Blowfish, Cast, DES, Triple DES,
MD5-HMAC, and Skipjack algorithms from /dev/crypto.

Remove support for DES, Triple DES, Blowfish, Cast, and
Camellia ciphers from IPsec(4). Remove support for MD5-HMAC,
Keyed MD5, Keyed SHA1, and RIPEMD160-HMAC from IPsec(4).

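A pre-upgrade check for the IPsec(4) entry above, as an added example that is not part of the release notes or of FreeBSD's own code: it scans a setkey(8)-style configuration for -E/-A algorithms that 13.0 no longer accepts. The algorithm tokens are assumed to be the setkey(8) spellings of the names listed in that entry, and the sample configuration is constructed.

```sh
#!/bin/sh
# Added example: flag setkey(8)-style SA definitions that use algorithms
# removed from IPsec in FreeBSD 13.0.
# Assumption: these are the setkey(8) spellings of the removed algorithms.
REMOVED_ENC='des-cbc 3des-cbc blowfish-cbc cast128-cbc camellia-cbc'
REMOVED_AUTH='hmac-md5 keyed-md5 keyed-sha1 hmac-ripemd160'

# find_removed_ipsec_algs FILE
# Prints LINE:FLAG:ALGORITHM for each removed algorithm given to -E or -A.
# Returns 1 if anything was found, 0 otherwise.
find_removed_ipsec_algs() {
    awk -v enc="$REMOVED_ENC" -v auth="$REMOVED_AUTH" '
    BEGIN {
        n = split(enc, e, " ");  for (i = 1; i <= n; i++) bad["-E", e[i]] = 1
        n = split(auth, a, " "); for (i = 1; i <= n; i++) bad["-A", a[i]] = 1
    }
    /^[ \t]*#/ { next }                 # comment lines
    {
        # Remember the previous token across lines, because one add
        # statement may be wrapped over several lines.
        for (i = 1; i <= NF; i++) {
            alg = tolower($i)
            if ((prev, alg) in bad) {
                printf "%d:%s:%s\n", NR, prev, alg
                found = 1
            }
            prev = $i
        }
    }
    END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample input (documentation addresses, dummy keys).
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not from a real host
add 192.0.2.1 192.0.2.2 esp 0x1001 -E 3des-cbc "dummydummydummydummydumm"
    -A hmac-md5 "dummydummydummy!";
add 192.0.2.2 192.0.2.1 esp 0x1002 -E aes-gcm-16 "dummydummydummydummy";
add 192.0.2.1 192.0.2.2 ah 0x1003 -A hmac-sha2-256 "dummydummydummydummydummydummy!!";
EOF
}

# Demo on the constructed sample.
sample=$(mktemp) && write_sample_conf "$sample"
find_removed_ipsec_algs "$sample" || echo "removed IPsec algorithms found"
rm -f "$sample"
```

Run it against the file that is fed to setkey -f before upgrading; a non-zero return means at least one SA definition has to move to a supported algorithm first.
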
Remove support for Triple DES, Blowfish, and MD5 HMAC from

Remove support for DES, Triple DES, and RC4 from in-kernel GSS

init(8), service(8), and cron(8) will now adopt user/class environment
variables (excluding PATH, by default, which will be overwritten) by
default. Notably, environment variables for all cron jobs and rc
services can now be set via login.conf(5).

sparc64 has been removed from FreeBSD.

Adds support for NFSv4.2 (RFC-7862) and Extended Attributes
(RFC-8276) to the NFS client and server.
NFSv4.2 is comprised of several optional features that can be supported
in addition to NFSv4.1. This patch adds the following optional features:
- posix_fadvise(POSIX_FADV_WILLNEED/POSIX_FADV_DONTNEED)
- intra server file range copying via the copy_file_range(2) syscall
--> Avoiding data transfer over the wire to/from the NFS client.
- lseek(SEEK_DATA/SEEK_HOLE)
- Extended attribute syscalls for "user" namespace attributes as defined

For the client, NFSv4.2 is only used if the mount command line option
minorversion=2 is specified.
For the server, two new sysctls called vfs.nfsd.server_min_minorversion4
and vfs.nfsd.server_max_minorversion4 have been added that allow
sysadmins to limit the minor versions of NFSv4 supported by the nfsd
Setting vfs.nfsd.server_max_minorversion4 to 0 or 1 will disable NFSv4.2

armv5 support has been removed from FreeBSD.

iwm(4) now supports most Intel 9260, 9460 and 9560 Wi-Fi devices.

sqlite3 is updated to sqlite3-3.30.1.

cron(8) now supports the -n (suppress mail on successful run) and -q
(suppress logging of command execution) options in the crontab format.
See the crontab(5) manpage for details.

ntpd is no longer by default locked in memory. rlimit memlock 32
or rlimit memlock 0 can be used to restore this behaviour.

rc.subr(8) now honors ${name}_env in all rc(8) scripts. Previously,
environment variables set by a user via ${name}_env were ignored
if the service defined a custom *_cmd variable to control the behavior
of the run_rc_command function, e.g., start_cmd, instead of relying on
the variables like command and command_args.

r351770,r352920,r352922,r352923:
dd(1) now supports conv=fsync, conv=fdatasync, oflag=fsync, oflag=sync,
and iflag=fullblock flags, compatible with illumos and GNU.

Add kernel-side support for in-kernel Transport Layer Security
(KTLS). KTLS permits using sendfile(2) over sockets using

WPA is updated from 2.8 to 2.9.

Add probes for lockmgr(9) to the lockstat DTrace provider, add
corresponding lockstat(1) events, and document the new probes in

Intel RST is a new 'feature' that remaps NVMe devices from
their normal location to part of the AHCI BAR space. This
change eliminates the need to change the BIOS SATA setting
from RST to AHCI, which causes the NVMe drive to be erased,
before FreeBSD will see the NVMe drive. FreeBSD can now see
the NVMe drive in the default configuration.

Add a vop_stdioctl() call, so that file systems that do not support
holes will have a trivial implementation of lseek(SEEK_DATA/SEEK_HOLE).
The algorithm appears to be compatible with the POSIX draft and
the implementation in Linux for the case of a file system that
does not support holes. Prior to this patch, lseek(2) would reply
-1 with errno set to ENOTTY for SEEK_DATA/SEEK_HOLE on files in
file systems that do not support holes.
r351372 maps ENOTTY to EINVAL for lseek(SEEK_DATA/SEEK_HOLE) for
any other cases, such as a ENOTTY return from vn_bmap_seekhole().

The fuse driver has been renamed to fusefs(5) and been substantially
rewritten. The new driver includes many bug fixes and performance
enhancements, as well as the following user-visible features:
* Optional kernel-side permissions checks (-o default_permissions)
* mknod(2), socket(2), and pipe(2) support
* server side locking with fcntl(2)
* FUSE operations are now interruptible when mounted with -o intr
* server side handling of UTIME_NOW during utimensat(2)
* mount options may be updated with "mount -u"
* fusefs file system may now be exported over NFS
* RLIMIT_FSIZE support
* support for fuse file systems using protocols as old as 7.4

FUSE file system developers should also take note of the following new
* The protocol level has been raised from 7.8 to 7.23
* kqueue support on /dev/fuse
* server-initiated cache invalidation via FUSE_NOTIFY_REPLY

gnop(8) can now configure a delay to be applied to read and write
requests. See the -d, -q and -x parameters.

Adds a Linux compatible copy_file_range(2) syscall.

libcap_random(3) has been removed. Applications can use native
APIs to get random data in capability mode.

Add support for using unmapped mbufs with sendfile(2).

nand(4) and related components have been removed.

The UEFI loader now supports HTTP boot.

bhyve(8) now implements a High Definition Audio (HDA) driver, allowing
guests to play to and record audio data from the host.

swapon(8) can now erase a swap device immediately before enabling it,
similar to newfs(8)'s -E option. This behaviour can be specified by
adding -E to swapon(8)'s command-line parameters, or by adding the
"trimonce" option to a swap device's /etc/fstab entry.

The following network drivers have been removed: bm(4), cs(4), de(4),
ed(4), ep(4), ex(4), fe(4), pcn(4), sf(4), sn(4), tl(4), tx(4), txp(4),

Wired page accounting has been split into kernel wirings and user
wirings (e.g., by mlock(2)). Kernel wirings no longer count towards
the global limit, which is renamed to vm.max_user_wired. bhyve -S
allocates user-wired memory and is now subject to that limit.