Release notes for FreeBSD 13.0.

This file describes new user-visible features, changes and updates relevant to
users of binary FreeBSD releases. Each entry should describe the change in no
more than several sentences and should reference manual pages where an
interested user can find more information. Entries should wrap after 80
columns. Each entry should begin with one or more commit IDs on one line,
specified as a comma separated list and/or range, followed by a colon and a
newline. Entries should be separated by a newline.

Changes to this file should not be MFCed.

68e86d5265bc,e58dfd0de589,59f5a5cb724e,6e272a78de36,4c4a4fd4a649,ba2ae2cca63a:
sendmail has been updated to the latest upstream version (8.17.1).

225443828ec6..c44d097dcf92:
bhyve now supports more than 16 vCPUs in a guest. By default
bhyve permits each guest to create the same number of vCPUs as
the count of physical CPUs on the host. This limit can be
adjusted via the loader tunable hw.vmm.maxcpu.

Kernel TLS offload now supports receive-side offload of TLS 1.3.

Change handling of the lowest address on an IPv4 (sub)net so that
packets are not sent as a broadcast unless this has been set as the
broadcast address. This makes the lowest address usable for a host.
The old behavior can be restored with the net.inet.ip.broadcast_lowest
sysctl. For more information, see
https://datatracker.ietf.org/doc/draft-schoen-intarea-lowest-address/.

33ff39796ffe,8719e8a951b7:
A new rc(8) service script zfskeys allows for automatic decryption
of ZFS datasets encrypted with ZFS native encryption during boot.
See the rc.conf(5) manual page for more information.

b7a2cf0d9102 - eae02d959363:
Upgrade bhyve's emulation to version 1.4 of the NVMe specification

0a6760a1de32, 3f3676a71266, 580c04df4db6:

Add support for the HiFive Unmatched RISC-V board.

Add a sysctl called vfs.nfsd.srvmaxio that can be used to
increase the NFS server's maximum I/O size from 128Kbytes
to any power of 2 up to 1Mbyte. It can only be set when
the nfsd threads are not running and will normally require
an increase in kern.ipc.maxsockbuf to at least the value
recommended by the console log message generated when
setting vfs.nfsd.srvmaxio is first attempted.

Add a new NFSv4.1/4.2 mount option "nconnect" that can
be used to specify the number of TCP connections that
will be used for the mount, up to a maximum of 16.
The first (default) TCP connection will be used for
all RPCs that consist of small RPC messages.
The RPCs that can consist of large RPC messages
(Read/Readdir/ReaddirPlus/Write) will be sent on the
additional TCP connections in a round robin fashion.
If either the NFS client or NFS server has multiple
network interfaces aggregated together or a network
interface that uses multiple queues, this can increase
NFS performance for the mount.

One True Awk has been updated to the latest from upstream
(20210215). All the FreeBSD patches, but one, have now been
either upstreamed or discarded. Notable changes include:
o Locale is no longer used for ranges
o Better compatibility with gawk and mawk

The one FreeBSD change, likely to be removed in FreeBSD 14, is that
we still allow hex numbers, prefixed with 0x, to be parsed and
interpreted as hex numbers while all other awks (including one
true awk now) interpret them as 0 in line with awk's historic

Change the default minor version used for an NFSv4 mount
to the highest minor version supported by the NFSv4 server.
This default can be overridden by using the "minorversion"

2c76eebca71b, 59f6f5e23c1a:
Add two daemons rpc.tlsclntd(8) and rpc.tlsservd(8) that provide
support for NFS-over-TLS as described in the Internet Draft titled
"Towards Remote Procedure Call Encryption By Default".
These daemons are only built when WITH_OPENSSL_KTLS is specified
and are only tested on amd64 at this time.
They use KTLS to encrypt/decrypt all NFS RPC message traffic, plus
optional verification of machine identity via X.509 certificates.

Add AES-GCM support to armv8crypto(4) providing accelerated
support for KTLS, IPsec, and other crypto API consumers.

The aesni(4) and armv8crypto(4) devices are now included in
GENERIC on amd64, i386, and arm64.

Add support for enforcing W^X mapping policy for user
processes. The policy is not enforced by default but can be
enabled by setting the kern.elf32.allow_wx and
kern.elf64.allow_wx sysctls to 0. Individual binaries can be
exempted from the policy by elfctl(1) via the wxneeded

Add AES-XTS support to armv8crypto(4) providing accelerated
software support for the default GELI cipher on arm64 systems.

Add aio_writev(2) and aio_readv(2), vectored analogues of aio_write(2)

The fusefs(5) protocol has been updated to 7.28. Support for
FUSE_COPY_FILE_RANGE and FUSE_LSEEK is added.

GDB 6.1.1 was removed. Users of crashinfo(8) should install the
gdb package or devel/gdb port.

The hme(4) driver was removed.

Fixes the case where gssd will not start up because /usr is a separate
local file system that is not yet mounted. It does not fix the case
where /usr is a separately mounted remote file system (such as NFS).
This latter case can be fixed by adding mountcritremote to the
REQUIRED line. Unfortunately doing so implies that all Kerberized
NFS mounts in /etc/fstab will need the "late" mount option.
This was not done, since the requirement for "late" would introduce

This commit added a new startup scripts variable called
nfsv4_server_only which uses the -R option on mountd added by r367026.
When nfsv4_server_only is set to "YES" in /etc/rc.conf, the NFS server
only handles NFSv4 and does not register with rpcbind. As such, rpcbind
does not need to be running. Useful for sites which consider rpcbind a

Kernel option ACPI_DMAR was renamed to IOMMU. amd64's IOMMU subsystem
was split out from amd64 DMAR support and is now generic, i.e., it can
be used by all architectures.

A series of commits ending with r364896 added NFS over TLS
to the kernel. This is believed to be compatible with
the Internet Draft titled "Towards Remote Procedure Call Encryption
By Default" (expected to soon become an RFC).
The mount_nfs(8) and exports(5) man pages describe the mount and
export option(s) related to NFS over TLS.
For NFS over TLS to work, the rpctlscd(8) { client } or rpctlssd(8)
{ server } must be running on a kernel built with "options KERN_TLS"
on an architecture where PMAP_HAS_DMAP != 0.

Changes to one obscure devd event generated on resume need to
be documented. The old form will still be generated in 13, but not

Applications using regex(3), e.g. sed/grep, will no longer accept
redundant escapes for most ordinary characters.

SCTP support has been removed from GENERIC kernel configurations.
The SCTP stack is now built as sctp.ko and can be dynamically loaded.

Merge sendmail 8.16.1: See contrib/sendmail/RELEASE_NOTES for details.

The safexcel(4) crypto offload driver has been added.

nc(1) now implements SCTP mode, enabled by specifying the --sctp option.

A new implementation of bc and dc has been imported. It offers
better standards compliance, performance, localization and comes
with extensive test cases that are optionally installed.
Use WITHOUT_GH_BC=yes to build and install the world with the
previous version instead of the new one, if required.

struct export_args has changed so that the "user" specified for
the -maproot and -mapall exports(5) options may be in more than

sed(1) has learned about hex escapes (e.g. \x27) and will now do the
right thing with them, removing the need for printf magic or obnoxious
escaping in many scenarios.

r361238, r361798, r361799:
ZFS will now unconditionally reject read(2) of a directory with EISDIR.
Additionally, read(2) of a directory is now rejected with EISDIR by
default and may be re-enabled for non-ZFS filesystems that allow it with
the sysctl(8) MIB 'security.bsd.allow_read_dir'.

Aliases for grep to default to '-d skip' may be desired if commonly
non-recursively grepping a list that includes directories and the
possibility of EISDIR errors in stderr is not tolerable. Example
aliases, commented out, have been installed in /root/.cshrc and

Add exec.prepare and exec.release hooks for jail(8) and jail.conf(5).
exec.prepare runs before mounts, so can be used to populate new jails.
exec.release runs after unmounts, so can be used to remove ephemeral

r360920,r360923,r360924,r360927,r360928,r360931,r360933,r360936:
Remove support for ARC4, Blowfish, Cast, DES, Triple DES, MD5,
MD5-KPDK, MD5-HMAC, SHA1-KPDK, and Skipjack algorithms from
the kernel open cryptographic framework (OCF).

Remove support for ARC4, Blowfish, Cast, DES, Triple DES,
MD5-HMAC, and Skipjack algorithms from /dev/crypto.

Remove support for DES, Triple DES, Blowfish, Cast, and
Camellia ciphers from IPsec(4). Remove support for MD5-HMAC,
Keyed MD5, Keyed SHA1, and RIPEMD160-HMAC from IPsec(4).
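
A pre-upgrade check for the IPsec(4) entry above, added here as an example and
not part of the FreeBSD release notes: it scans a setkey(8) file for the
algorithms that entry removes. The keyword spellings are assumed from setkey(8);
the function names, sample file, addresses and keys are constructed.

```sh
#!/bin/sh
# Added example: audit a setkey(8) file for IPsec algorithms removed in 13.0.
# Assumption: these are the setkey(8) keywords for the removed algorithms.
REMOVED_ENC='des-cbc|3des-cbc|blowfish-cbc|cast128-cbc|camellia-cbc'
REMOVED_AUTH='hmac-md5|keyed-md5|keyed-sha1|hmac-ripemd160'

# audit_setkey FILE: print "LINE: removed cipher|auth NAME" for every hit.
audit_setkey() {
    awk -v enc="^($REMOVED_ENC)\$" -v auth="^($REMOVED_AUTH)\$" '
    {
        sub(/#.*/, "")                      # drop comments
        for (i = 1; i <= NF; i++) {
            # -E/-A can be separated from the algorithm by a line break,
            # so the previous token is remembered across input lines.
            if (prev == "-E" && $i ~ enc)
                printf "%d: removed cipher %s\n", NR, $i
            if (prev == "-A" && $i ~ auth)
                printf "%d: removed auth %s\n", NR, $i
            prev = $i
        }
    }' "$1"
}

# write_sample FILE: constructed input (documentation addresses, dummy keys).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not from a real host
flush;
add 192.0.2.1 192.0.2.2 esp 0x10001 -E 3des-cbc "KEY" -A hmac-md5 "KEY";
add 192.0.2.2 192.0.2.1 esp 0x10002 -E rijndael-cbc "KEY" -A hmac-sha2-256 "KEY";
add 192.0.2.1 192.0.2.3 esp 0x10003 -E
    blowfish-cbc "KEY";
add 192.0.2.1 192.0.2.2 tcp 0x1000 -A tcp-md5 "KEY";
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_setkey "$sample"      # lines 3 and 6 are reported; tcp-md5 is not
rm -f "$sample"
```

On a real host, point audit_setkey at the file named by ipsec_file in
rc.conf(5); any reported line needs a supported algorithm before the upgrade.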

Remove support for Triple DES, Blowfish, and MD5 HMAC from

Remove support for DES, Triple DES, and RC4 from in-kernel GSS

init(8), service(8), and cron(8) will now adopt user/class environment
variables (excluding PATH, by default, which will be overwritten) by
default. Notably, environment variables for all cron jobs and rc
services can now be set via login.conf(5).

sparc64 has been removed from FreeBSD.

Adds support for NFSv4.2 (RFC-7862) and Extended Attributes
(RFC-8276) to the NFS client and server.
NFSv4.2 is comprised of several optional features that can be supported
in addition to NFSv4.1. This patch adds the following optional features:
- posix_fadvise(POSIX_FADV_WILLNEED/POSIX_FADV_DONTNEED)
- intra server file range copying via the copy_file_range(2) syscall
  --> Avoiding data transfer over the wire to/from the NFS client.
- lseek(SEEK_DATA/SEEK_HOLE)
- Extended attribute syscalls for "user" namespace attributes as defined

For the client, NFSv4.2 is only used if the mount command line option
minorversion=2 is specified.
For the server, two new sysctls called vfs.nfsd.server_min_minorversion4
and vfs.nfsd.server_max_minorversion4 have been added that allow
sysadmins to limit the minor versions of NFSv4 supported by the nfsd
Setting vfs.nfsd.server_max_minorversion4 to 0 or 1 will disable NFSv4.2

armv5 support has been removed from FreeBSD.

iwm(4) now supports most Intel 9260, 9460 and 9560 Wi-Fi devices.

sqlite3 is updated to sqlite3-3.30.1.

cron(8) now supports the -n (suppress mail on successful run) and -q
(suppress logging of command execution) options in the crontab format.
See the crontab(5) manpage for details.

ntpd is no longer by default locked in memory. rlimit memlock 32
or rlimit memlock 0 can be used to restore this behaviour.

rc.subr(8) now honors ${name}_env in all rc(8) scripts. Previously,
environment variables set by a user via ${name}_env were ignored
if the service defined a custom *_cmd variable to control the behavior
of the run_rc_command function, e.g., start_cmd, instead of relying on
the variables like command and command_args.

r351770,r352920,r352922,r352923:
dd(1) now supports conv=fsync, conv=fdatasync, oflag=fsync, oflag=sync,
and iflag=fullblock flags, compatible with illumos and GNU.

Add kernel-side support for in-kernel Transport Layer Security
(KTLS). KTLS permits using sendfile(2) over sockets using

WPA is updated from 2.8 to 2.9.

Add probes for lockmgr(9) to the lockstat DTrace provider, add
corresponding lockstat(1) events, and document the new probes in

Intel RST is a new 'feature' that remaps NVMe devices from
their normal location to part of the AHCI BAR space. This
eliminates the need to change the BIOS SATA setting from RST
to AHCI, which causes the NVMe drive to be erased, before
FreeBSD can see the NVMe drive. FreeBSD is now able to see
the NVMe drive in the default configuration.

Add a vop_stdioctl() call, so that file systems that do not support
holes will have a trivial implementation of lseek(SEEK_DATA/SEEK_HOLE).
The algorithm appears to be compatible with the POSIX draft and
the implementation in Linux for the case of a file system that
does not support holes. Prior to this patch, lseek(2) would reply
-1 with errno set to ENOTTY for SEEK_DATA/SEEK_HOLE on files in
file systems that do not support holes.
r351372 maps ENOTTY to EINVAL for lseek(SEEK_DATA/SEEK_HOLE) for
any other cases, such as a ENOTTY return from vn_bmap_seekhole().

The fuse driver has been renamed to fusefs(5) and been substantially
rewritten. The new driver includes many bug fixes and performance
enhancements, as well as the following user-visible features:
* Optional kernel-side permissions checks (-o default_permissions)
* mknod(2), socket(2), and pipe(2) support
* server side locking with fcntl(2)
* FUSE operations are now interruptible when mounted with -o intr
* server side handling of UTIME_NOW during utimensat(2)
* mount options may be updated with "mount -u"
* fusefs file system may now be exported over NFS
* RLIMIT_FSIZE support
* support for fuse file systems using protocols as old as 7.4

FUSE file system developers should also take note of the following new
* The protocol level has been raised from 7.8 to 7.23
* kqueue support on /dev/fuse
* server-initiated cache invalidation via FUSE_NOTIFY_REPLY

gnop(8) can now configure a delay to be applied to read and write
requests. See the -d, -q and -x parameters.

Adds a Linux compatible copy_file_range(2) syscall.

libcap_random(3) has been removed. Applications can use native
APIs to get random data in capability mode.

Add support for using unmapped mbufs with sendfile(2).

nand(4) and related components have been removed.

The UEFI loader now supports HTTP boot.

bhyve(8) now implements a High Definition Audio (HDA) driver, allowing
guests to play to and record audio data from the host.

swapon(8) can now erase a swap device immediately before enabling it,
similar to newfs(8)'s -E option. This behaviour can be specified by
adding -E to swapon(8)'s command-line parameters, or by adding the
"trimonce" option to a swap device's /etc/fstab entry.

The following network drivers have been removed: bm(4), cs(4), de(4),
ed(4), ep(4), ex(4), fe(4), pcn(4), sf(4), sn(4), tl(4), tx(4), txp(4),

Wired page accounting has been split into kernel wirings and user
wirings (e.g., by mlock(2)). Kernel wirings no longer count towards
the global limit, which is renamed to vm.max_user_wired. bhyve -S
allocates user-wired memory and is now subject to that limit.