<title>&os;/&arch; &release.current; Release Notes</title>
<corpauthor>The FreeBSD Project</corpauthor>
<pubdate>$FreeBSD$</pubdate>
<holder role="mailto:doc@FreeBSD.org">The FreeBSD Documentation Project</holder>
<para>The release notes for &os; &release.current; contain a summary
of the changes made in the &os; base system since &release.prev;.
Both changes for kernel and userland are listed, as well as
applicable security advisories that were issued since the last
release. Some brief remarks on upgrading are also presented.</para>
<title>Introduction</title>
<para>This document contains the release notes for &os; &release.current; on
the &arch.print; hardware platform. It describes new features of &os;
that have been added (or changed) since &release.prev;. It also
provides some notes on upgrading from previous versions of &os;.</para>
<![ %release.type.snapshot [
<para>The &release.type; distribution to which these release notes
apply represents a point along the &release.branch; development
branch between &release.prev; and the future &release.next;. Some pre-built,
binary &release.type; distributions along this branch can be found
at <ulink url="&release.url;"></ulink>.</para>
<![ %release.type.release [
<para>This distribution of &os; &release.current; is a &release.type;
distribution. It can be found at <ulink
url="&release.url;"></ulink> or any of its mirrors. More
information on obtaining this (or other) &release.type; distributions of
&os; can be found in the <ulink
url="http://www.FreeBSD.org/handbook/mirrors.html"><quote>Obtaining
FreeBSD</quote> appendix</ulink> to the <ulink
url="http://www.FreeBSD.org/handbook/">FreeBSD Handbook</ulink>.</para>
<title>What's New</title>
<para>This section describes the most user-visible new or changed
features in &os; since &release.prev;. Typical release note items
document new drivers or hardware support, new commands or options,
major bugfixes, or contributed software upgrades. Security
advisories issued after &release.prev; are also listed. In general, changes
described here are unique to the &release.branch; branch unless
specifically marked as &merged; features.</para>
<para>Many additional changes were made to &os; that are not listed
here for lack of space. For example, documentation was corrected
and improved, minor bugs were fixed, insecure coding practices were
audited and corrected, and source code was cleaned up.</para>
<title>Kernel Changes</title>
<para arch="i386">The &man.amdpm.4; driver has been added to
provide access to the system monitoring functions of the AMD 756
chipset. &merged;</para>
<para>The &man.agp.4; driver for AGP devices has been added. &merged;</para>
<para>A new &man.ddb.4; command <command>show pcpu</command> lists
some of the per-CPU data.</para>
<para>Two new &man.ddb.4; commands, <command>hwatch</command> and
<command>dhwatch</command>, have been introduced. Analogous to
<command>watch</command> and <command>dwatch</command>, they install
hardware watchpoints (as opposed to software watchpoints) if supported
by the architecture. &merged;</para>
<para>&man.devfs.5;, which allows entries in the
<filename>/dev</filename> directory to be built automatically and
supports more flexible attachment of devices, has been largely
reworked. &man.devfs.5; is now enabled by default and can be
disabled by the <literal>NODEVFS</literal> kernel option.</para>
<para>The dgm driver has been removed in favor of the digi driver.</para>
<para>A new digi driver has been added to support PCI Xr-based and ISA
Xem Digiboard cards. A new &man.digictl.8; program is (mainly) used to
re-initialize cards that have external port modules attached such as
<para>An &man.eaccess.2; system call has been added, similar to
&man.access.2; except that the former uses effective credentials
rather than real credentials.</para>
<para arch="i386">The &man.ichsmb.4; driver for the Intel 82801AA
(ICH) SMBus controller and compatibles has been
added. &merged;</para>
<para>Each &man.jail.2; environment can now run under its own
<para>The tunable sysctl variables for &man.jail.2; have moved
from <varname>jail.*</varname> to the
<varname>security.*</varname> hierarchy. Other security-related
sysctl variables have moved from <varname>kern.security.*</varname> to
<varname>security.*</varname>.</para>
<para>The <varname>kern.maxvnodes</varname> limit now properly
limits the number of vnodes in use. Previously only vnodes with
no cached pages could be freed; this could allow the number of
vnodes to grow without limit on large-memory machines accessing
many small files. A <literal>vnlru</literal> kernel thread helps
to flush and reuse vnodes. &merged;</para>
<para>The kernel message buffer is now accessible by the
(machine-independent) <varname>kern.msgbuf</varname> sysctl
variable; &man.dmesg.8; no longer needs to be SGID
<groupname>kmem</groupname>.</para>
<para>The &man.kqueue.2; event notification facility was added to
the &os; kernel. This is a new interface which is able to
replace &man.poll.2;/&man.select.2;, offering improved performance,
as well as the ability to report many different types of events.
Support for monitoring changes in sockets, pipes, fifos, and files
is present, as well as for signals and processes. &merged;</para>
<para arch="i386">A new <varname>KVA_SPACE</varname> kernel option
can be used to reconfigure the size of the kernel virtual address
space. &merged;</para>
<para>The &man.labpc.4; driver has been removed due to
<quote>bitrot</quote>.</para>
<para>The loader and kernel linker now look for files named
<filename>linker.hints</filename> in each directory with KLDs for a
module name and version to KLD filename mapping. The new
&man.kldxref.8; utility is used to generate these files.</para>
<para>Linux emulation now supports the kernel functionality
<port>emulators/linux_base-7</port> (RedHat 7.X emulation)
port. &merged;</para>
<para>&man.lomac.4;, a Low-Watermark Mandatory Access Control
security facility, has been added as a kernel module. It provides
a drop-in security mechanism in addition to the traditional
UID-based security facilities, requiring no additional
configuration from the administrator. Work on this feature was
sponsored by DARPA and NAI Labs.</para>
<para>The <varname>maxusers</varname> kernel configuration
parameter is now a boot-time tunable variable. The kernel
parameters derived from <varname>maxusers</varname> are now also
tunables and can be overridden at boot-time. The
<varname>hz</varname> parameter is also now a tunable. &merged;</para>
<para>Specifying a value of <literal>0</literal> for the
<varname>maxusers</varname> kernel configuration parameter will
now cause an appropriate value to be calculated at boot-time
(between 32 and 512, depending on the amount of memory present).
This value is now the default for all
<filename>GENERIC</filename> kernels. &merged;</para>
<para arch="alpha">A <varname>MAXMEM</varname> kernel option,
along with the <varname>hw.physmem</varname> environment variable, can be
used to artificially reduce the memory size of a machine for
testing (or other purposes). &merged;</para>
<para>The kernel configuration parameters
<varname>MAXTSIZ</varname>, <varname>DFLDSIZ</varname>,
<varname>MAXDSIZ</varname>, <varname>DFLSSIZ</varname>,
<varname>MAXSSIZ</varname>, and <varname>SGROWSIZ</varname> are
all loader tunables (<varname>kern.maxtsiz</varname>,
<varname>kern.maxdfldsiz</varname>, etc.). &merged;</para>
<para arch="i386">The <literal>NCPU</literal>, <literal>NAPIC</literal>,
<literal>NBUS</literal>, and <literal>NINTR</literal> kernel
configuration options, for configuring SMP kernels, have been
removed. <literal>NCPU</literal> is now set to a maximum of 16,
and the other, aforementioned options are now
dynamic. &merged;</para>
<para>A &man.nmdm.4; null-modem terminal driver has been added.
<para>The <literal>O_DIRECT</literal> flag has been added to
&man.open.2; and &man.fcntl.2;. Specifying this flag for open
files will attempt to minimize the cache effects of reading and
writing. &merged;</para>
<para>An &man.orm.4; device has been added to claim the option
ROMs in the ISA memory I/O space, to prevent other drivers from
mistakenly assigning addresses that conflict with these ROMs. &merged;</para>
<para arch="i386">PECOFF (Win32 Execution file format) support has been
<para arch="i386">The pmc driver, which supports the power
management controller of the NEC PC-98NOTE, has been
added. &merged;</para>
<para>POSIX.1b Shared Memory Objects are now supported. The
implementation uses regular files, but automatically enables the
MAP_NOSYNC flag when they are &man.mmap.2;-ed. &merged;</para>
<para>Replaced the <literal>PQ_*CACHE</literal> options with a
single <literal>PQ_CACHESIZE</literal> option to be set to
the cache size in kilobytes. The old options are still supported
for backwards compatibility. &merged;</para>
<para>The &man.random.4; device has been rewritten to use the
<application>Yarrow</application> algorithm. It harvests entropy
from a variety of interrupt sources, including the console
devices, Ethernet and point-to-point network interfaces, and
mass-storage devices. Entropy from the &man.random.4; device is
now periodically saved to files in
<filename>/var/db/entropy</filename>, as well as at
shutdown time. The semantics of <filename>/dev/random</filename>
have changed; it never blocks waiting for entropy bits but
generates a stream of pseudo-random data and now behaves exactly
as <filename>/dev/urandom</filename>.</para>
<para>A new kernel option, <literal>options REGRESSION</literal>,
enables interfaces and functionality intended for use during
correctness and regression testing.</para>
<para arch="i386">The &man.spic.4; driver, which provides access to the jog
dial device on some Sony laptops, has been added.</para>
<para>The &man.syscons.4; driver now supports keyboard-controlled
pasting, by default bound to
<keycap>Shift</keycap>-<keycap>Insert</keycap>.</para>
<para>Support for USB devices was added to the
<filename>GENERIC</filename> kernel and to the installation
programs to support USB devices out of the box. Note that SRM
does not support USB devices at the moment, so you must still use
an AT keyboard if you are not using a serial console. &merged;</para>
<para arch="i386">The umodem driver for USB modems has been added.
Support is provided for the 3Com 5605 and Metricom Ricochet GS
wireless USB modems.</para>
<para arch="i386">The &man.uscanner.4; driver for basic USB scanner support
using SANE has been added. See <ulink
url="http://www.mostang.com/sane/">the SANE home page</ulink> for
supported scanners. The HP ScanJet 4100C, 5200C and 6300C are
known to be working.</para>
<para>The <literal>USER_LDT</literal> kernel option is now
activated by default.</para>
<para>A VESA S3 linear framebuffer driver has been added.</para>
<!-- Above this line, sort kernel changes by manpage/keyword-->
<para>Write combining for crashdumps has been implemented. This
feature is useful when write caching is disabled on both SCSI and
IDE disks, where large memory dumps could take up to an hour to
complete. &merged;</para>
<para>Extremely large swap areas (>67 GB) no longer panic the
<para arch="alpha">Support for threads under Linux emulation has been
<para>A number of cleanups and enhancements have been applied to
the PCI subsystem.</para>
<para>The <maketarget>buildkernel</maketarget> target now gets the
name of the configuration(s) to build from the
<varname>KERNCONF</varname> variable, not
<varname>KERNEL</varname>. It is no longer required, in some
cases, for a <maketarget>buildworld</maketarget> to precede a
<maketarget>buildkernel</maketarget>. (The
<maketarget>buildworld</maketarget> is still required when
upgrading across major releases, across
<application>binutils</application> updates and when &man.config.8;
changes version.) &merged;
<para>The out-of-swap process termination code now begins killing
processes earlier to avoid deadlocks; it now also takes into
account the swap space used by processes when computing the
process sizes. &merged;</para>
<para>Linker sets are now self-contained; &man.gensetdefs.8; is
unnecessary and has been removed.</para>
<para>Numerous SMP-friendly changes have been made to the kernel's
mbuf allocator.</para>
<para>Network device cloning has been implemented, and the &man.gif.4;
device has been modified to take advantage of it.
Thus, instead of specifying how many &man.gif.4; interfaces
are available in kernel configuration files, &man.ifconfig.8;'s
<option>create</option> option should be used when another device
instance is desired. &merged;</para>
<para>It is now possible to hardwire kernel environment variables (such
as tunables) at compile-time using &man.config.8;'s
<literal>ENV</literal> directive.</para>
<para>Idle zeroing of pages can be enabled with the
<varname>vm.zeroidle_enable</varname> sysctl variable.</para>
<para arch="i386">The load addresses of kernels are now exported to the
symbol table and various hard-coded constants have been removed so that
utilities such as &man.ps.1; can work with kernels compiled at
different addresses. &merged;</para>
<para>Coredumps of large processes (or of a large number of
processes) no longer lock up the machine for long periods of
time. &merged;</para>
<para>The kernel is now aware of the concept that there are
smaller units of scheduling than a process (but only one thread
per process is allowed at this time).</para>
<para>The kernel now has support for multiple low-level console
devices. The new &man.conscontrol.8; utility helps to manage the
different consoles.</para>
<para arch="alpha">The console driver has gained support for TGA-based
display adapters.</para>
<para>The kernel on the installation CDs is now separated from the
<filename>mfsroot</filename> image. This permits the use of a
full kernel when installing from CD on machines that support CD
booting (instead of the stripped-down kernel used on
floppies). &merged;</para>
<para>The system load average computation now adds some jitter to
the timing of samples, in order to avoid synchronization with
processes that run periodically. &merged;</para>
<para>If a debugging kernel with modules is being built
(i.e. using <literal>makeoptions DEBUG=-g</literal>), the modules
will now be built with debugging support as well, for
completeness. A side effect of this change is that modules built
and installed with debugging kernels will now occupy more space on
disk than they did previously. &merged;</para>
<title>Processor/Motherboard Support</title>
<para>SMP support has been largely reworked, incorporating code
from BSD/OS 5.0. One of the main features of SMPng (<quote>SMP
Next Generation</quote>) is to allow more processes to run in
kernel, without the need for spin locks that can dramatically
reduce the efficiency of multiple processors. Interrupt
handlers now have contexts associated with them that allow them
to be blocked, which reduces the need to lock out
<para arch="i386">Support for the 80386 processor has been
removed from the <filename>GENERIC</filename> kernel, as this
code seriously pessimizes performance on other IA32
<para arch="i386">The <literal>I386_CPU</literal> kernel option
to support the 80386 processor is now mutually exclusive with
support for other IA32 processors; this should slightly improve
performance on the 80386 due to the elimination of runtime
processor type checks.</para>
<para arch="i386">Custom kernels that will run on the 80386 can
still be built by changing the cpu options in the kernel
configuration file to only include
<literal>I386_CPU</literal>.</para>
<para arch="alpha">AlphaServer 1200 (<quote>Tincup</quote>) has
been tested and works OK. Currently it does not want to boot
from CD or floppy but a transplanted disk that was installed on
another Alpha works well. &merged;</para>
<para arch="alpha">The API UP1100 mainboard has been verified to work.</para>
<para arch="alpha">The API CS20 1U high server has been verified to work.</para>
<para arch="alpha">The DEC3000 series support has been removed from the mfsroot
floppy image so that it fits on a 1.44 Mbyte floppy again. As the
DEC3000 is currently only usable diskless this should not cause
<para arch="alpha">Support for AlphaServer 2100A (<quote>Lynx</quote>) has been
<para arch="alpha">Kernel code has been added that allows older generation Alpha CPUs
(EV4 and EV5) to emulate instructions of the newer Alpha CPU
generations. This enables the use of binary-only programs like <application>Adobe
Acrobat 4</application> on EV4 and EV5.</para>
<para arch="alpha">SMP support for the Alpha is now operational.</para>
<para arch="i386">Detection for new processors, such as the
FC-PGA2 Pentium III (Tualatin), Transmeta Crusoe, and Transmeta
Crusoe LongRun, has been added. &merged;</para>
<para arch="alpha">Support for the following hardware has been removed
from the installation kernel to make it fit on a 1.44MB floppy again:
Multia, NoName, PC64, EB64, Aspen Alpine, sa (SCSI tape), amr, parallel
port support, vx (3c590, 3c595), pcn (AMD Am79C97x PCI 10/100),
sf (Adaptec AIC-6915), sis (SiS 900/SiS 7016), ste (Sundance ST201
(D-Link DFE-550TX)), wb (Winbond W89C840F).</para>
<para arch="i386">Support for Streaming <acronym>SIMD</acronym>
Extensions (<acronym>SSE</acronym>) has been introduced. The
<literal>CPU_ENABLE_SSE</literal> kernel option controls whether
support is compiled into the kernel. &merged;</para>
<title>Bootloader Changes</title>
<para arch="i386">A new <filename>cdboot</filename> bootstrap utility for CDROMs provides
better compatibility with some BIOS implementations that do not
completely implement the El Torito bootable CDROM standard. This
boot loader supports <quote>no emulation</quote> mode booting,
thus eliminating the need for an emulated floppy disk image on
a bootable CDROM. &merged;</para>
<para arch="i386">The i386 boot loader now has support for a
<literal>nullconsole</literal>
console type, for use on systems with neither a video console nor
a serial port. &merged;</para>
<para arch="i386">The &man.loader.8; now has optional support
(enabled at compile-time, off by default) for loading
<application>bzip2</application>-compressed kernels and
modules. &merged;</para>
<para arch="i386">Support for Intel's Wired for Management 2.0 (PXE)
was added to the &os; boot loader. Due to API differences, the
older PXE versions are not supported. This allows network booting
using DHCP. &merged;</para>
<!-- Above this line, order bootloader changes by keyword-->
<para arch="i386">The &os; boot loader now contains a workaround
to support CDROM booting on certain IBM BIOSs that expect the
first sector of the emulated floppy to contain a valid MS-DOS BPB
that they can modify. &merged;</para>
<para arch="i386">The &os; boot loader now supports a
<option>-p</option> flag to force the kernel to pause after each
line of output during the probing phase. &merged;</para>
<para arch="alpha,i386">The &os; boot loader is now capable of
booting from filesystems with block sizes larger than 8K. &merged;</para>
<para>The kernel and modules have been moved to the directory
<filename>/boot/kernel</filename>, so they can be easily
manipulated together. The boot loader has been updated to make
this change as seamless as possible.</para>
<title>Network Interface Support</title>
<para>The &man.an.4; driver for Cisco Aironet cards now supports
Wired Equivalent Privacy (WEP) encryption, settable via
&man.ancontrol.8;. &merged;</para>
<para>The &man.an.4; driver now supports the Cisco Aironet 350
series of adaptors. &merged;</para>
<para>The &man.an.4; driver now supports <quote>monitor</quote>
mode, settable via the <option>-M</option> option to
&man.ancontrol.8;. &merged;</para>
<para arch="i386">Generic support for ARCNET token-based
networks has been added.</para>
<para arch="i386">The &man.bge.4; driver has been added to
support the Broadcom BCM570x family of Gigabit Ethernet
controllers, including the 3Com 3c996-T, the SysKonnect SK-9D21
and SK-9D41, and the built-in Gigabit Ethernet NICs on Dell
PowerEdge 2550 servers. Output TCP/IP checksum offload, jumbo frames
and VLAN tag insertion/stripping are supported, as well as
interrupt moderation. &merged;</para>
<para arch="i386">The cm driver has been added to support SMC
COM90cx6 ARCNET network adapters.</para>
<para>The &man.dc.4; driver now supports NICs based on the Xircom
3201 and Conexant LANfinity RS7112 chips.</para>
<para>The &man.dc.4; driver now has support for VLANs.</para>
<para>The &man.de.4; driver now performs round-robin arbitration
between the transmit and receive units of the 21143, instead of
giving priority to the receive unit. This gives a 10–15%
performance improvement in the forwarding rate under heavy
load. &merged;</para>
<para arch="alpha">The &man.ed.4; driver is now supported.</para>
<para arch="i386">Linksys Fast Ethernet PCCARD cards supported by the
&man.ed.4; driver now require the addition of flag
<literal>0x80000</literal> to their config line in
&man.pccard.conf.5;. This flag is not optional. These Linksys
cards will not be recognized without it. &merged;</para>
<para>A bug in the &man.ed.4; driver that could cause panics with
very short packets and BPF or bridging active has been
fixed. &merged;</para>
<para>The &man.ed.4; driver now has support for D-Link
DL10022 chips, necessary for the NetGear FA-410TX and other
cards. As a result, <literal>device miibus</literal> is
required in kernel configurations using the &man.ed.4;
driver. &merged;</para>
<para arch="i386">The &man.el.4; driver can now be loaded as a
<para arch="i386">The &man.em.4; driver has been added to
support NICs based on the Intel 82542, 82543, and 82544 Gigabit
Ethernet controller chips. The driver supports transmit/receive
checksum offload and jumbo frames on 82543 and 82544-based
adapters. &merged;</para>
<para>The &man.faith.4; device is now loadable, unloadable, and
clonable. &merged;</para>
<para arch="i386">Support for Fujitsu MB86960A/MB86965A based Ethernet
PC-Cards has been added back in the &man.fe.4; driver. &merged;</para>
<para arch="alpha">The &man.fpa.4; driver now supports Digital's
DEFPA FDDI adaptors on the Alpha.</para>
<para>The &man.fxp.4; driver now requires a <literal>device
miibus</literal> entry in the kernel configuration file. &merged;</para>
<para>The &man.fxp.4; driver now contains a workaround for
PCI protocol violations caused by defects in some systems based
on the Intel ICH2/ICH2-M chip. The workaround is to rewrite the
EEPROM on the interface to disable Dynamic Standby Mode; once
the EEPROM is rewritten, the system needs to be rebooted for the
new settings to take effect. &merged;</para>
<para>The &man.fxp.4; driver now supports Intel's loadable
microcode to implement receive-side interrupt coalescing and
packet bundling, on NICs that support these features. This
support can be activated by the use of the
<option>link0</option> option to &man.ifconfig.8;. &merged;</para>
<para>The &man.gx.4; driver has been added to support NICs based
on the Intel 82542 and 82543 Gigabit Ethernet controller chips.
Both fiber and copper variants of the cards are supported. Both
boards support VLAN tagging/insertion, and the 82543 additionally
supports TCP/IP checksum offload. &merged;</para>
<para>The &man.lge.4; driver has been added to support the Level
1 LXT1001 NetCellerator Gigabit Ethernet controller chip. This
device is used on some fiber optic GigE cards from SMC, D-Link
and Addtron. Jumbograms and TCP/IP checksum offload on receive
are supported, although hardware VLAN filtering is not. &merged;</para>
<para>Added the &man.nge.4; driver, which supports PCI Gigabit
Ethernet adapters based on the National Semiconductor DP83820
and DP83821 Gigabit Ethernet controller chips, including the
D-Link DGE-500T, SMC EZ Card 1000 (SMC9462TX), Asante
FriendlyNet GigaNIC 1000TA and 1000TPC and Addtron
AEG320T. This driver supports transmit and receive checksum
offloading. &merged;</para>
<para>The &man.pcn.4; driver, which supports the AMD PCnet/FAST,
PCnet/FAST+, PCnet/FAST III, PCnet/PRO, PCnet/Home, and HomePNA
adapters, has been added. Although these cards are already
supported by the &man.lnc.4; driver, the &man.pcn.4; driver runs
these chips in 32-bit mode and uses the RX alignment feature to
achieve zero-copy receive. This driver is also
machine-independent, so it will work on both the i386 and Alpha
platforms. The &man.lnc.4; driver is still needed to support non-PCI
cards. &merged;</para>
<para>The &man.ray.4; driver, which supports the Webgear Aviator
wireless network cards, has been committed. The operation of
&man.ray.4; interfaces can be modified by
&man.raycontrol.8;. &merged;</para>
<para arch="i386">The sbni driver, for supporting the Granch
SBNI12 series of ISA and PCI point-to-point communications
interfaces, has been added. The <port>sysutil/sbniconfig</port>
port in the &os; Ports Collection can be used for configuring
these devices. &merged;</para>
<para>Added support for PCI Ethernet adapters based on the
SiS 900 and SiS 7016 Fast Ethernet controller chips (for
example, as seen on the SiS 635 and 735 motherboard chipsets), as well as the
National Semiconductor DP83815 chipset (including the NetGear
FA311-TX and FA312-TX) in the form of the &man.sis.4; driver.
This device has support for VLANs. &merged;</para>
<para arch="i386">The snc driver for the National Semiconductor
DP8393X (SONIC) Ethernet controller has been added. Currently,
this driver is only used on the PC-98 architecture. &merged;</para>
<para>The &man.stf.4; device is now clonable.</para>
<para>The &man.tap.4; driver, a virtual Ethernet device driver for
bridged configurations, has been added. This device is
clonable. &merged;</para>
<para>The &man.ti.4; driver now supports the Alteon AceNIC
1000baseT Gigabit Ethernet and Netgear GA620T 1000baseT Gigabit
cards. &merged;</para>
<para>The &man.ti.4; driver correctly masks VLAN tags. &merged;</para>
<para>The &man.txp.4; driver has been added to support NICs
based on the 3Com 3XP Typhoon/Sidewinder (3CR990) chipset. &merged;</para>
<para>&man.vlan.4; devices are now loadable, unloadable, and
clonable. &merged;</para>
<para>The &man.xl.4; driver now supports the 3Com 3C556 and 3C556B
MiniPCI adapters used on some laptops. &merged;</para>
<para>The &man.xl.4; driver now supports reception of VLAN
tagged frames (on the <quote>Cyclone</quote> or newer
chipsets). &merged;</para>
<para>The &man.xl.4; driver now supports send- and receive-side TCP/IP
checksum offloading for NICs implementing this feature, such as
the 3C905B, 3C905C, and 3C980C. &merged;</para>
<para>A bug in the &man.xl.4; driver, related to statistics overflow
interrupt handling, was causing slowdowns at medium to high
packet rates; this has been fixed. &merged;</para>
<para>The per-interface <varname>ifnet</varname> structure now
has the ability to indicate a set of capabilities supported by a
network interface, and which ones are enabled. &man.ifconfig.8;
has support for querying these capabilities. &merged;</para>
<para>Performance with hosts having a large number of IP aliases
has been improved, by replacing the per-interface
<varname>if_inaddr</varname> linear list with a hash table. &merged;</para>
<para>Network devices now automatically appear as special files in
<filename>/dev/net</filename>. Interface hardware ioctls (not
protocol or routing) can be performed on these devices. The
<varname>SIOCGIFCONF</varname> ioctl may be performed on the
special <filename>/dev/network</filename> node.</para>
<para arch="i386">Selected network drivers now implement a
semi-polling mode, which makes systems much more resilient to
attacks and overloads. To enable polling, the following options
are required in a kernel configuration file:
<programlisting>options DEVICE_POLLING
options HZ=1000 # not compulsory but strongly recommended</programlisting>
The <varname>kern.polling.enable</varname> sysctl variable
will then activate polling mode, with the
<varname>kern.polling.user_frac</varname> sysctl indicating the
percentage of CPU time to be reserved for userland. The devices
initially supporting polling are &man.dc.4;, &man.fxp.4;, and
<para arch="i386">The packet-forwarding performance of certain
network drivers (specifically &man.dc.4; and &man.sis.4;) has
been enhanced by the elimination of unnecessary buffer
copies. &merged;</para>
<title>Network Protocols</title>
<para>&man.accept.filter.9;, a kernel feature to reduce overheads
when accepting and reading new connections on listening sockets,
has been added. &merged;</para>
<para>The <literal>proxy</literal> modifier to &man.arp.8;'s
<option>-d</option> option has been renamed to
<literal>pub</literal>, for consistency with the
<option>-s</option> option. The <literal>only</literal> keyword
has been added to the <option>-s</option> and
<option>-S</option> flags, to be used in creating
<quote>proxy-only</quote> published entries.</para>
<para>The read timeout feature of &man.bpf.4; now works more
correctly with &man.select.2;/&man.poll.2;, and therefore with
pthreads. &merged;</para>
<para>&man.bridge.4; and &man.dummynet.4; have received some
enhancements and bug fixes, and are now loadable
modules. &merged;</para>
<para>ICMP ECHO and TSTAMP replies are now rate limited. TCP RSTs
generated due to packets sent to open and unopen ports are now
limited by separate counters. Each rate limiting queue now has
its own description.</para>
<para>ICMP <literal>UNREACH_FILTER_PROHIB</literal> messages can
now RST TCP connections in the <literal>SYN_SENT</literal> state
if the correct sequence numbers are sent back, as controlled by the
<varname>net.inet.tcp.icmp_may_rst</varname>
<para>IP multicast now works on VLAN devices. Several other
bugs in the VLAN code have also been fixed.</para>
<para>&man.ipfw.4; now filters correctly in the presence of ECN bits in TCP
segments. &merged;</para>
<para>&man.netgraph.4; has received some updates and bugfixes.</para>
<para>A new &man.ng.eth.4; netgraph node allows Ethernet type
packets to be filtered to different hooks depending on
<para>The &man.ng.gif.4; and &man.ng.gif.demux.4; netgraph
nodes, for operating on &man.gif.4; devices, have been
<para>The &man.ng.ip.input.4; netgraph node, for queueing IP
packets into the main IP input processing code, has been
<para>The &man.ng.mppc.4; and &man.ng.bridge.4; node types have
been added to the &man.netgraph.4; subsystem. The &man.ng.ether.4; node
is now dynamically loadable. Miscellaneous bug fixes and
enhancements have also been made. &merged;</para>
<para>A new netgraph node type &man.ng.one2many.4; for multiplexing
and demultiplexing packets over multiple links has been added.
<para>A new sysctl <varname>net.inet.ip.check_interface</varname>,
which is on by default, causes IP to verify that an incoming
packet arrives on an interface that has an address matching the
packet's destination address. &merged;</para>
<varname>net.link.ether.inet.log_arp_wrong_iface</varname> has
been added to control the suppression of logging when ARP replies
arrive on the wrong interface. &merged;</para>
<para>A new <literal>options RANDOM_IP_ID</literal> kernel
option causes the ID field of IP packets to be randomized. This
closes a minor information leak which allows a remote observer
to determine the rate at which the machine is generating
packets, since the default behavior is to increment a counter
for each packet sent. &merged;</para>
763 <para arch="alpha">SLIP has been removed from the
764 <filename>mfsroot</filename> floppy image.</para>
766 <para>TCP has received some bug fixes for its delayed ACK
767 behavior. &merged;</para>
769 <para>TCP now supports the NewReno modification to the TCP Fast Recovery
770 algorithm. This behavior can be controlled via the
771 <varname>net.inet.tcp.newreno</varname> sysctl variable. &merged;</para>
773 <para>TCP now uses a more aggressive timeout for initial SYN segments; this
774 allows initial connection attempts to be dropped much
775 faster. &merged;</para>
777 <para>The <literal>TCP_COMPAT_42</literal> kernel option has
780 <para>The <literal>TCP_RESTRICT_RST</literal> kernel option has
781 been removed. Similar functionality can be achieved with the
782 <varname>net.inet.tcp.blackhole</varname> sysctl
783 variable. &merged;</para>
785 <para>TCP now has RFC 1323 extensions enabled by default in
786 &man.rc.conf.5;. &merged;</para>
788 <para>RFC 1323 and RFC 1644 TCP extensions are now disabled for a
789 connection in progress if no response has been received by the
790 third SYN segment sent. This behavior tries to work around
791 (very old) terminal servers with buggy VJ header compression
792 implementations. &merged;</para>
794 <para>The TCP implementation no longer requires the
795 allocation of a TCP template structure for each connection; this
796 should reduce the buffer usage on large systems handling many
797 connections. &merged;</para>
799 <para>TCP's default buffer sizes, controlled by the
800 <varname>net.inet.tcp.sendspace</varname> and
801 <varname>net.inet.tcp.recvspace</varname> sysctl variables, have
802 been increased to 32K and 64K respectively. Previously, the
803 default for both buffer sizes was 16K. To try to avoid
804 increasing congestion, the default value for
805 <varname>net.inet.tcp.local_slowstart_flightsize</varname> has
806 been changed from infinity to 4. &merged;</para>
808 <para>TCP now supports RFC 1948 (Defending Against Sequence
809 Number Attacks). This functionality is controlled by the
810 <varname>net.inet.tcp.strict_rfc1948</varname> and
811 <varname>net.inet.tcp.isn_reseed_interval</varname> sysctl
812 variables. &merged;</para>
814 <para>The TCP implementation in &os; now implements a cache of
815 outstanding, received SYN segments. Incoming SYN segments now
816 cause entries to be placed in the cache until the TCP three-way
817 handshake is complete, at which point, memory is allocated for
818 the connection as usual. In addition, all TCP Initial Sequence
819 Numbers (ISNs) are used as cookies, allowing entries in the
820 cache to be dropped, but still have their corresponding ACKs
821 accepted later. The combination of the so-called
822 <quote>syncache</quote> and <quote>syncookies</quote> features
823 makes a host much more resistant to
824 TCP-based Denial of Service attacks. Work on this feature was
825 sponsored by DARPA and NAI Labs. &merged;</para>
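<para>The sketch below is an added example, not code from &os; or from these release notes. It shows the idea described above: a bounded cache of half-open connections whose entries can be dropped under load, because the server's ISN is itself a keyed cookie that lets the later ACK be validated without stored state. The cookie layout, MSS table, time slot length, addresses, and the <literal>Listener</literal> class are assumptions made for illustration and do not reflect &os;'s actual encoding.</para>

```python
import hashlib
import hmac
from collections import OrderedDict

# All constants below are assumptions for this sketch, not FreeBSD's values.
MSS_TABLE = (536, 1220, 1440, 1460)  # 2-bit index into coarse MSS choices
SLOT_SECONDS = 64                    # cookie time granularity
MAX_AGE_SLOTS = 2                    # accept current slot plus two older ones
MASK32 = 0xFFFFFFFF


def _mac24(secret, conn, client_isn, slot, mss_idx):
    """24-bit keyed hash binding a cookie to one connection attempt."""
    msg = "|".join(map(str, (*conn, client_isn, slot, mss_idx))).encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(secret, conn, client_isn, client_mss, now):
    """Server ISN layout: 6 bits time slot | 2 bits MSS index | 24 bits MAC."""
    slot = int(now) // SLOT_SECONDS
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss),
                  default=0)
    mac = _mac24(secret, conn, client_isn, slot, mss_idx)
    return ((slot & 0x3F) << 26) | (mss_idx << 24) | mac


def check_cookie(secret, conn, seq, ack, now):
    """Validate a handshake-completing ACK with no stored state.

    Returns the MSS recovered from the cookie, or None if it is forged or stale.
    """
    cookie = (ack - 1) & MASK32      # ACK number is server ISN + 1
    client_isn = (seq - 1) & MASK32  # the client's SYN used one sequence number
    mss_idx = (cookie >> 24) & 0x3
    now_slot = int(now) // SLOT_SECONDS
    for age in range(MAX_AGE_SLOTS + 1):
        slot = now_slot - age
        if slot < 0 or (slot & 0x3F) != cookie >> 26:
            continue
        expected = _mac24(secret, conn, client_isn, slot, mss_idx)
        if hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


class Listener:
    """Bounded cache of half-open connections with a cookie fallback."""

    def __init__(self, secret, cache_limit):
        self.secret = secret
        self.cache_limit = cache_limit
        self.syncache = OrderedDict()  # conn -> (server_isn, client_isn, mss)

    def on_syn(self, conn, client_isn, client_mss, now):
        """Record the SYN and return the ISN to send in the SYN-ACK."""
        isn = make_cookie(self.secret, conn, client_isn, client_mss, now)
        self.syncache[conn] = (isn, client_isn, client_mss)
        self.syncache.move_to_end(conn)
        while len(self.syncache) > self.cache_limit:
            self.syncache.popitem(last=False)  # under load, drop the oldest entry
        return isn

    def on_ack(self, conn, seq, ack, now):
        """Return (path, mss) if the ACK completes a handshake, else None."""
        entry = self.syncache.get(conn)
        if entry is not None:
            isn, client_isn, mss = entry
            if (ack - 1) & MASK32 != isn or (seq - 1) & MASK32 != client_isn:
                return None            # wrong numbers: keep the entry, reject the ACK
            del self.syncache[conn]
            return ("syncache", mss)   # exact MSS was kept in the cache
        mss = check_cookie(self.secret, conn, seq, ack, now)
        return ("syncookie", mss) if mss is not None else None


def demo():
    """Three SYNs against a two-entry cache (constructed addresses and ISNs)."""
    srv = Listener(b"constructed-secret", cache_limit=2)
    conns = [("192.0.2.%d" % i, 40000 + i, "198.51.100.1", 80) for i in (1, 2, 3)]
    isns = [srv.on_syn(c, 5000 + i, 1400, now=1000) for i, c in enumerate(conns)]
    evicted = srv.on_ack(conns[0], 5001, (isns[0] + 1) & MASK32, now=1030)
    cached = srv.on_ack(conns[2], 5003, (isns[2] + 1) & MASK32, now=1030)
    forged = srv.on_ack(conns[0], 5001, (isns[0] + 2) & MASK32, now=1030)
    stale = srv.on_ack(conns[0], 5001, (isns[0] + 1) & MASK32,
                       now=1000 + 4 * SLOT_SECONDS)
    return evicted, cached, forged, stale


if __name__ == "__main__":
    print(demo())
```

<para>The evicted connection still completes, but only with the coarse MSS recovered from the cookie, whereas the cached one keeps the exact value the client offered.</para>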
827 <para>A bug in the TCP implementation, which could cause
828 connections to stall if a sender saw a zero-sized window, has
829 been corrected. &merged;</para>
833 <title>Disks and Storage</title>
835 <para arch="i386">Support for the Adaptec FSA family of PCI-SCSI
836 RAID controllers has been added, in the form of the &man.aac.4;
838 includes proper handling of commands initiated by the adapter,
839 addition/removal of disk devices, crashdump functionality, and
840 &man.ioctl.2; commands necessary for the management
841 CLI, and is fully qualified and sanctioned by Adaptec. &merged;</para>
843 <para>The &man.ahc.4; driver has received numerous updates,
844 bugfixes, and enhancements. Among various improvements are
845 improved compatibility with chips in <quote>RAID Port</quote> mode
846 and systems with AAA and/or ARO cards installed, as well as
847 performance improvements. Some bugs were also fixed, including a
848 rare hang on Ultra2/U160 controllers. &merged;</para>
850 <para arch="i386">The &man.asr.4; driver, which provides support
851 for the Adaptec SCSI RAID controller family, as well as the DPT
852 SmartRAID V and VI families, has been added. &merged;</para>
854 <para arch="i386">The &man.asr.4; driver now supports the Adaptec
855 2000S and 2005S Zero-Channel RAID controllers. &merged;</para>
857 <para>The &man.ata.4; driver now has support for ATA100
858 controllers. In addition, it now supports the ServerWorks ROSB4
859 ATA33 chipset, the CMD 648 ATA66 and CMD 649 ATA100 chipsets, and
860 the Cyrix 5530. &merged;</para>
862 <para>To provide more flexible configuration, the various options for the
863 &man.ata.4; driver are now boot loader tunables, rather than kernel
864 configure-time options. &merged;</para>
866 <para>The &man.ata.4; driver now has support for tagged queuing,
867 which is enabled by the <varname>hw.ata.tags</varname> loader
868 tunable. &merged;</para>
870 <para>The &man.ata.4; driver now has support for ATA
871 <quote>pseudo</quote> RAID controllers such as the Promise Fasttrak and
872 HighPoint HPT370 controllers. &merged;</para>
874 <para>The &man.ata.4; driver now supports a wider variety of SiS
875 chipsets, as listed in the Hardware Notes. &merged;</para>
877 <para>The BurnProof(TM) feature, for applicable ATAPI CD-ROM burners, is now
878 supported. &merged;</para>
880 <para>The &man.ata.4; driver now has support for 48-bit
881 addressing. Devices larger than 137GB are now
882 supported. &merged;</para>
884 <para>The &man.ata.4; driver now contains fixes for some data
885 corruption problems on systems using the VIA 82C686B Southbridge
886 chip. &merged;</para>
888 <para>The CAM error recovery code has been updated.</para>
890 <para>The &man.cd.4; driver now has support for write operations.
891 This allows writing to DVD-RAM, PD and similar drives that probe
892 as CD devices. Note that this change affects only random-access
893 writeable devices, not sequential-only writeable devices such as
894 CD-R drives, which are supported by &man.cdrecord.1; (a part of
895 <port>sysutils/cdrtools</port> in the Ports Collection). &merged;</para>
897 <para arch="i386">The ciss driver, for devices utilizing the Common
898 Interface for SCSI-3 Support, has been added. This driver
899 supports the Compaq SmartRAID 5* family of RAID controllers
900 (5300, 532, 5i). &merged;</para>
902 <para>The &man.fdc.4; floppy disk driver has undergone a number of
903 enhancements. Density selection for common settings is now
904 automatic; the driver is also much more flexible in setting the
905 densities of various subdevices.</para>
907 <para>The ida disk driver now has crashdump support. &merged;</para>
909 <para arch="alpha">A bug that made certain CDROM drives fail to
910 attach when connected to a SCSI card driven by &man.isp.4; has
911 been fixed. &merged;</para>
913 <para>The &man.isp.4; driver is now proactive about discovering
914 Fibre Channel topology changes.</para>
916 <para>The &man.isp.4; driver now supports target mode for Qlogic
917 SCSI cards, including Ultra2 and Ultra3 and dual bus cards.</para>
919 <para>The &man.isp.4; driver now supports the Qlogic 2300 and
920 2312 Optical Fibre Channel PCI cards. &merged;</para>
922 <para>&man.md.4;, the memory disk device, has had the
923 functionality of &man.vn.4; incorporated into it. &man.md.4;
924 devices can now be configured by &man.mdconfig.8;. &man.vn.4; has
925 been removed. The Memory Filesystem (MFS) has also been
928 <para arch="i386">The &man.mly.4; driver, for Mylex PCI to SCSI
929 AccelRAID and eXtremeRAID controllers with firmware 6.X and
930 later, has been added. &merged;</para>
932 <para arch="i386">The ncv, nsp, and stg drivers have
933 been ported from NetBSD/pc98. They support the NCR 53C50 /
934 Workbit Ninja SCSI-3 / TMC 18C30, 18C50 based PC-Card/ISA SCSI
935 controllers. All three drivers can be built and loaded as
936 modules. &merged;</para>
938 <para>Some problems in &man.sa.4; error handling have been
939 fixed, including the <quote>tape drive spinning indefinitely
940 upon &man.mt.1; <option>stat</option></quote> problem.</para>
942 <para arch="i386">The &man.twe.4; 3ware ATA RAID driver has been added. &merged;</para>
944 <para>The &man.vinum.4; volume manager has received some bug fixes and
947 <para>The &man.wd.4; compatibility devices were removed from the
948 &man.ata.4; driver. &merged;</para>
952 <title>Filesystems</title>
954 <para>Support for named extended attributes was added to the &os;
955 kernel. This allows the kernel, and appropriately privileged
956 userland processes, to tag files and directories with attribute
957 data. Extended attributes were added to support the TrustedBSD
958 Project, in particular ACLs, capability data, and mandatory access
960 <filename>/usr/src/sys/ufs/ufs/README.extattr</filename> for
963 <para>Due to a licensing change, softupdates have been integrated
964 into the main portion of the kernel source tree. As a
965 consequence, softupdates are now available with the
966 <filename>GENERIC</filename> kernel. &merged;</para>
968 <para>A filesystem snapshot capability has been added to FFS.
969 Details can be found in
970 <filename>/usr/src/sys/ufs/ffs/README.snapshot</filename>.</para>
972 <para>Softupdates for FFS have received some bug fixes and
975 <para>When running with softupdates, &man.statfs.2; and
976 &man.df.1; will track the number of blocks and files that are
977 committed to being freed.</para>
979 <para>A bug in FFS that could cause superblock corruption on very large
980 filesystems has been corrected. &merged;</para>
982 <para>The Inode Filesystem (IFS) has been added; more information
984 <filename>/usr/src/sys/ufs/ifs/README</filename>.</para>
986 <para>The ISO-9660 filesystem now has a hook that supports a loadable
987 character conversion routine. The
988 <port>sysutils/cd9660_unicode</port> port
989 contains a set of common conversions.</para>
991 <para>&man.kernfs.5; is obsolete and has been retired.</para>
993 <para>A bug in the NFS client that caused bogus access times with
994 <literal>O_EXCL|O_CREAT</literal> opens was fixed. &merged;</para>
996 <para>A new NFS hash function (based on the Fowler/Noll/Vo hash
997 algorithm) has been implemented to improve NFS performance by
998 increasing the efficiency of the <varname>nfsnode</varname> hash
999 tables. &merged;</para>
1001 <para>Client-side NFS locks have been implemented.</para>
1003 <para>The client-side and server-side of the NFS code in the
1004 kernel used to be intertwined in various complex ways. They
1005 have been split apart for ease of maintenance and further
1008 <para>Support for file system Access Control Lists (ACLs) has been
1009 introduced, allowing more fine-grained control of discretionary
1010 access control on files and directories. This support was
1011 integrated from the TrustedBSD Project. More details can be found in
1012 <filename>/usr/src/sys/ufs/ufs/README.acls</filename>.</para>
1014 <para>The directory layout preference algorithm for FFS
1015 (<literal>dirprefs</literal>) has been changed. Rather than
1016 scattering directory blocks across a disk, it attempts to group
1017 related directory blocks together. Operations traversing large
1018 directory hierarchies, such as the &os; Ports tree, have shown
1019 marked speedups. This change is transparent and automatic for
1020 new directories. &merged;</para>
1022 <para arch="i386">smbfs (CIFS) support in the kernel has been added.
1023 The userland programs &man.smbutil.1; and &man.mount.smbfs.8;
1024 can be used to work with SMB shares. Note that
1025 &man.mount.smbfs.8; will automatically load the <filename>smbfs.ko</filename>
1026 module into the kernel, even if <literal>LIBMCHAIN</literal> and
1027 <literal>LIBICONV</literal> were not compiled into the kernel.
1030 <para>For consistency, the fdesc, fifo, null, msdos, portal,
1031 umap, and union filesystems have been renamed to fdescfs,
1032 fifofs, msdosfs, nullfs, portalfs, umapfs, and unionfs. Where
1033 applicable, modules and mount_* programs have been
1034 renamed. Compatibility <quote>glue</quote> has been added to
1035 &man.mount.8; so that <literal>msdos</literal> filesystem
1036 entries in &man.fstab.5; will work without changes.</para>
1038 <para>pseudofs, a pseudo-filesystem framework, has been added.
1039 &man.linprocfs.5; and &man.procfs.5; have been modified to use pseudofs.</para>
1041 <para>A simple hash-based lookup optimization for large directories
1042 called <literal>dirhash</literal> has been added. Conditional on the
1043 <literal>UFS_DIRHASH</literal> kernel option (enabled by default
1044 in the <filename>GENERIC</filename> kernel), it improves the speed
1045 of operations on very large directories at the expense of some
1046 memory. &merged;</para>
1048 <para>The virtual memory subsystem now backs UFS directory
1049 memory requirements by default (this behavior is controlled via
1050 the <varname>vfs.vmiodirenable</varname> sysctl variable). &merged;</para>
1052 <para>A bug that prevented the root filesystem from being
1053 mounted from a SCSI CDROM has been fixed (ATAPI CDROMs were
1054 always supported). &merged;</para>
1056 <para>A number of bugs in the filesystem code, discovered
1057 through the use of the <application>fsx</application> filesystem test tool, have been fixed.
1058 Under certain circumstances (primarily related to use of NFS),
1059 these bugs could cause data corruption or kernel panics. &merged;</para>
1061 <para>Network filesystems (such as NFS and smbfs filesystems)
1062 listed in <filename>/etc/fstab</filename> can now be properly
1063 mounted during startup initialization; their mounts are deferred
1064 until after the network is initialized.</para>
1068 <title>PCCARD Support</title>
1070 <para arch="i386">The pccard driver and &man.pccardc.8; now support multiple
1071 <quote>beep types</quote> upon card insertion and removal. &merged;</para>
1073 <para>On many modern hosts, PCCARD devices can be configured to
1074 route their interrupts via either the ISA or PCI interrupt paths.
1075 The &man.pcic.4; driver has been updated to support both interrupt
1076 paths (formerly, only routing via ISA was supported). &merged; In most
1077 cases, configuration of PCMCIA devices in laptops is simpler and
1078 more flexible. In addition, various Cardbus bridge PCI cards
1079 (such as those used by Orinoco PCI NICs) are now supported. Some
1080 hosts may experience problems, such as hangs or panics, with PCI
1081 interrupt routing; they can frequently be made to work by forcing
1082 the older-style ISA interrupt routing. The following lines,
1083 placed in <filename>/boot/loader.conf</filename>, may fix the
1086 <programlisting>hw.pcic.intr_path="1"
1087 hw.pcic.irq="0"</programlisting>
1089 <para>When installing &os; on such a system, typing the following
1090 lines to the boot loader may be helpful in starting up &os; for
1091 the first time:</para>
1093 <screen><prompt>ok</prompt> <userinput>set hw.pcic.intr_path="1"</userinput>
1094 <prompt>ok</prompt> <userinput>set hw.pcic.irq="0"</userinput></screen>
1096 <para arch="i386">Preliminary Cardbus support under NEWCARD has been added.
1097 This code supports the TI113X, TI12XX, TI125X, Ricoh 5C46/5C47, Topic
1098 95/97/100 and Cirrus Logic PD683X bridges. 16-bit PC Card support
1099 is not yet functional.</para>
1103 <title>Multimedia Support</title>
1105 <para arch="i386">The &man.pcm.4; driver now supports the ESS Solo 1,
1106 Maestro-1, Maestro-2, and Maestro-2e; Forte Media fm801, ESS
1107 Maestro-2e, and VIA Technologies VT82C686A sound card/chipsets,
1108 and has received some other updates.
1109 Separate drivers for the SoundBlaster 8 and SoundBlaster 16 now
1110 replace an older, unified driver. A driver for the CMedia
1111 CMI8338/CMI8738 sound chips has been added. A driver for the
1112 CS4281 sound chip has been added. A driver for the S3
1113 SonicVibes chipset has been added. &merged;</para>
1115 <para arch="i386">A driver for the Avance Logic ALS4000 has
1116 been added. &merged;</para>
1118 <para arch="i386">A driver for the
1119 ESS Maestro-3/Allegro has been added; however, due to licensing
1120 restrictions, it cannot be compiled into the kernel. &merged; To
1121 use this driver, add the following line to
1122 <filename>/boot/loader.conf</filename>:</para>
1124 <programlisting>snd_maestro3_load="YES"</programlisting>
1126 <para>The &man.bktr.4; driver has been updated to 2.18. This
1127 update provides a number of new features. New tuner
1128 types have been added, and improvements to the KLD module and to
1129 memory allocation have been made. Bugs in &man.devfs.5; when
1130 unloading and reloading have been fixed.
1131 Support for new Hauppauge Model 44xxx WinTV Cards (the ones with
1132 no audio mux) has been added.</para>
1134 <para>When sound modules are built, one can now load all the
1135 drivers and infrastructure by <command>kldload
1136 snd</command>.</para>
1138 <para>A new API has been added for sound cards with hardware
1139 volume control.</para>
1141 <para arch="i386">A driver for the Intel 443MX, 810, 815, and 815E
1142 integrated sound devices has been added.</para>
1147 <title>Contributed Software</title>
1149 <para>The Forth Inspired Command Language
1150 (<application>FICL</application>) used in the boot loader has
1151 been updated to 2.05.</para>
1153 <para>Support for Advanced Configuration and Power Interface
1154 (ACPI), a multi-vendor standard for configuration and power
1155 management, has been added. This functionality has been
1156 provided by the <application>Intel ACPI Component
1157 Architecture</application> project, updated to the ACPI CA
1158 20011120 snapshot. Some backward compatibility for
1159 applications using the older APM standard has been provided.</para>
1162 <title>IPFilter</title>
1164 <para><application>IPFilter</application> has been updated to
1165 3.4.20. &merged;</para>
1167 <para><application>IPFilter</application> now supports
1168 IPv6. &merged;</para>
1173 <title>isdn4bsd</title>
1175 <para><application>isdn4bsd</application> has been updated to
1176 version 1.0.1. As a result of this update, users of the
1177 &man.i4bisppp.4; (kernel PPP over ISDN) driver
1178 <emphasis>must</emphasis> now use &man.ispppcontrol.8; instead
1179 of &man.spppcontrol.8; to configure and control these
1180 network interfaces. &merged;</para>
1182 <para>The &man.ifpi.4; driver for supporting the AVM
1183 Fritz!Card PCI version 2 controller has been added.</para>
1185 <para>The &man.ihfc.4; driver for supporting Cologne Chip
1186 Designs HFC devices under <application>isdn4bsd</application>
1187 has been added. &merged;</para>
1189 <para>The &man.itjc.4; driver for supporting NETjet-S / Teles
1190 PCI-TJ devices under <application>isdn4bsd</application> has
1191 been added. &merged;</para>
1193 <para>Experimental support for the Eicon.Diehl DIVA 2.0 and
1194 2.02 ISA PnP ISDN cards has been added to the &man.isic.4;
1195 <application>isdn4bsd</application> driver. &merged;</para>
1197 <para>The &man.isic.4; driver now supports the Compaq Microcom
1198 610 ISDN ISA PnP card. &merged;</para>
1200 <para>Active CAPI-based ISDN cards manufactured by AVM are now
1201 supported using the &man.i4bcapi.4; and the &man.iavc.4; driver. The
1202 supported cards are the AVM B1 PCI and AVM B1 ISA Basic Rate
1203 cards and the AVM T1 Primary Rate cards. &merged;</para>
1205 <para>A new <literal>maxconnecttime</literal> keyword is now
1206 accepted in &man.isdnd.rc.5; files to limit the time a
1207 connection may remain open. &merged;</para>
1209 <para>&man.isdnphone.8; now supports a <option>-k</option> option for
1210 sending messages via the keypad facility to a PBX or exchange
1211 office. &merged;</para>
1214 <sect4 id="kame-kernel">
1217 <para>The IPv6 stack is now based on the KAME
1218 Project's IPv6 snapshot as of 28 May, 2001. Most of the
1219 items listed in this section are a result of this import.
1220 <xref linkend="kame-userland"> lists userland updates to the
1221 KAME IPv6 stack. &merged;</para>
1223 <para>&man.gif.4; is now based on RFC 2893, rather than RFC
1224 1933. The <literal>IFF_LINK2</literal> interface flag can
1225 be used to control ingress filtering. &merged;</para>
1227 <para><application>IPSec</application> has received some
1228 enhancements, including the ability to use the Rijndael and
1229 SHA2 algorithms. IPSec RC5 support has been removed due to
1230 patent issues. &merged;</para>
1232 <para>&man.stf.4; now conforms to RFC 3056; the
1233 <literal>IFF_LINK2</literal> interface flag can be used to
1234 control ingress filtering. &merged;</para>
1236 <para>IPv6 has better checking of illegal addresses (such as
1237 loopback addresses) on physical networks. &merged;</para>
1239 <para>The <varname>IPV6_V6ONLY</varname> socket option is
1240 now completely supported. The kernel's default behavior
1241 with respect to this option is controlled by the
1242 <varname>net.inet6.ip6.v6only</varname> sysctl
1243 variable. &merged;</para>
1245 <para>RFC 3041 (Privacy Extensions for Stateless Address
1246 Autoconfiguration) is now supported. It can be enabled via
1247 the <varname>net.inet6.ip6.use_tempaddr</varname> sysctl
1248 variable. &merged;</para>
1252 <sect2 id="security">
1253 <title>Security-Related Changes</title>
1255 <para>&man.sysinstall.8; now allows the user to select one of two
1256 <quote>security profiles</quote> at install-time. These profiles enable
1257 different levels of system security by enabling or disabling
1258 various system services in &man.rc.conf.5; on new
1259 installs. &merged;</para>
1261 <para>A bug in which malformed ELF executable images can hang the
1262 system has been fixed (see security advisory
1263 FreeBSD-SA-00:41). &merged;</para>
1265 <para>A security hole in Linux emulation was fixed (see security
1266 advisory FreeBSD-SA-00:42). &merged;</para>
1268 <para>String-handling library calls in many programs were fixed to
1269 reduce the possibility of buffer overflow-related exploits.
1272 <para>TCP now uses stronger randomness in choosing its initial sequence
1273 numbers (see security advisory FreeBSD-SA-00:52). &merged;</para>
1275 <para>Several buffer overflows in &man.tcpdump.1; were corrected
1276 (see security advisory FreeBSD-SA-00:61). &merged;</para>
1278 <para>A security hole in &man.top.1; was corrected (see security advisory
1279 FreeBSD-SA-00:62). &merged;</para>
1281 <para>A potential security hole caused by an off-by-one-error in
1282 &man.gethostbyname.3; has been fixed (see security advisory
1283 FreeBSD-SA-00:63). &merged;</para>
1285 <para>A potential buffer overflow in the &man.ncurses.3; library,
1286 which could cause arbitrary code to be run from within
1287 &man.systat.1;, has been corrected (see security advisory
1288 FreeBSD-SA-00:68). &merged;</para>
1290 <para>A vulnerability in &man.telnetd.8; that could cause it to
1291 consume large amounts of server resources has been fixed (see
1292 security advisory FreeBSD-SA-00:69). &merged;</para>
1294 <para>The <literal>nat deny_incoming</literal> command in
1295 &man.ppp.8; now works correctly (see security advisory
1296 FreeBSD-SA-00:70). &merged;</para>
1298 <para>A vulnerability in &man.csh.1;/&man.tcsh.1; temporary files
1299 that could allow overwriting of arbitrary user-writable files has
1300 been closed (see security advisory FreeBSD-SA-00:76). &merged;</para>
1302 <para>The &man.ssh.1; binary is no longer SUID root by
1303 default. &merged;</para>
1305 <para>Some fixes were applied to the Kerberos
1306 IV implementation related to environment variables, a
1307 possible buffer overrun, and overwriting ticket files. &merged;</para>
1309 <para>&man.telnet.1; now does a better job of sanitizing its
1310 environment. &merged;</para>
1312 <para>Several vulnerabilities in &man.procfs.5; were fixed (see
1313 security advisory FreeBSD-SA-00:77). &merged;</para>
1315 <para>A bug in <application>OpenSSH</application> in which a
1316 server was unable to disable &man.ssh-agent.1; or
1317 <literal>X11Forwarding</literal> was fixed (see security advisory
1318 FreeBSD-SA-01:01). &merged;</para>
1320 <para>A bug in &man.ipfw.8; and &man.ip6fw.8; in which inbound TCP
1321 segments could incorrectly be treated as being part of an
1322 <literal>established</literal> connection has been fixed (see
1323 security advisory FreeBSD-SA-01:08). &merged;</para>
1325 <para>A bug in &man.crontab.1; that could allow users to read any
1326 file on the system in valid &man.crontab.5; syntax has been fixed
1327 (see security advisory FreeBSD-SA-01:09). &merged;</para>
1329 <para>A vulnerability in &man.inetd.8; that could allow
1330 read-access to the initial 16 bytes of
1331 <groupname>wheel</groupname>-accessible files has been fixed (see security
1332 advisory FreeBSD-SA-01:11). &merged;</para>
1334 <para>A bug in &man.periodic.8; that used insecure temporary files has been
1335 corrected (see security advisory FreeBSD-SA-01:12). &merged;</para>
1337 <para>A bug in &man.sort.1; in which an attacker might be able to
1338 cause it to abort processing has been fixed (see security advisory
1339 FreeBSD-SA-01:13). &merged;</para>
1341 <para><application>OpenSSH</application> now has code to prevent
1342 (instead of just mitigating through connection limits) an attack
1343 that can lead to guessing the server key (not host key) by
1344 regenerating the server key when an RSA failure is detected (see
1345 security advisory FreeBSD-SA-01:24). &merged;</para>
1347 <para>A number of programs have had output formatting strings
1348 corrected so as to reduce the risk of vulnerabilities. &merged;</para>
1350 <para>A number of programs that use temporary files now do so more
1351 securely. &merged;</para>
1353 <para>A bug in ICMP that could cause an attacker to disrupt TCP and UDP
1354 <quote>sessions</quote> has been corrected. &merged;</para>
1356 <para>A bug in &man.timed.8;, which caused it to crash if sent
1357 certain malformed packets, has been corrected (see security
1358 advisory FreeBSD-SA-01:28). &merged;</para>
1360 <para>A bug in &man.rwhod.8;, which caused it to crash if sent
1361 certain malformed packets, has been corrected (see security
1362 advisory FreeBSD-SA-01:29). &merged;</para>
1364 <para>A security hole in &os;'s FFS and EXT2FS implementations,
1365 which allowed a race condition that could cause users to have
1366 unauthorized access to data, has been fixed (see security advisory
1367 FreeBSD-SA-01:30). &merged;</para>
1369 <para>A remotely-exploitable vulnerability in &man.ntpd.8; has
1370 been closed (see security advisory FreeBSD-SA-01:31). &merged;</para>
1372 <para>A security hole in <application>IPFilter</application>'s
1373 fragment cache has been closed (see
1374 security advisory FreeBSD-SA-01:32). &merged;</para>
1376 <para>Buffer overflows in &man.glob.3;, which could cause
1377 arbitrary code to be run on an FTP server, have been closed. In
1378 addition, to prevent some forms of DOS attacks, &man.glob.3;
1379 allows specification of a limit on the number of pathname matches
1380 it will return. &man.ftpd.8; now uses this feature (see security
1381 advisory FreeBSD-SA-01:33). &merged;</para>
1383 <para>Initial sequence numbers in TCP are more thoroughly
1384 randomized (see security advisory FreeBSD-SA-01:39). Due to some
1385 possible compatibility issues, the behavior of this security fix
1386 can be enabled or disabled via the
1387 <varname>net.inet.tcp.tcp_seq_genscheme</varname> sysctl
1388 variable. &merged;</para>
1390 <para>A vulnerability in the &man.fts.3; routines (used by
1391 applications for recursively traversing a filesystem) could
1392 allow a program to operate on files outside the intended directory
1393 hierarchy. This bug has been fixed (see security advisory
1394 FreeBSD-SA-01:40). &merged;</para>
1396 <para>&os;'s TCP implementation has been made more resistant to
1397 SYN floods, by eliminating the RST segment normally sent when
1398 removing a connection from the listen queue.</para>
1400 <para><application>OpenSSH</application> now switches to the
1401 user's UID before attempting to unlink the authentication
1402 forwarding file, nullifying the effects of a race.</para>
1404 <para>A flaw allowed some signal handlers to remain in effect in a
1405 child process after being exec-ed from its parent. This allowed
1406 an attacker to execute arbitrary code in the context of a setuid
1407 binary. This flaw has been corrected (see security advisory
1408 FreeBSD-SA-01:42). &merged;</para>
1410 <para>A remote buffer overflow in &man.tcpdump.1; has been fixed
1411 (see security advisory FreeBSD-SA-01:48). &merged;</para>
1413 <para>A remote buffer overflow in &man.telnetd.8; has been
1414 fixed (see security advisory FreeBSD-SA-01:49). &merged;</para>
1416 <para>The new <varname>net.inet.ip.maxfragpackets</varname>
1417 and <varname>net.inet.ip6.maxfragpackets</varname> sysctl
1418 variables limit the amount of memory that can be consumed by IPv4
1419 and IPv6 packet fragments, which defends against some denial of service
1420 attacks (see security advisory FreeBSD-SA-01:52). &merged;</para>
1422 <para>All services in <filename>inetd.conf</filename> are now
1423 disabled by default for new installations. &man.sysinstall.8;
1424 gives the option of enabling or disabling &man.inetd.8; on new
1425 installations, as well as editing
1426 <filename>inetd.conf</filename>. &merged;</para>
1428 <para>A flaw in the implementation of the &man.ipfw.8;
1429 <literal>me</literal> rules on point-to-point links has been
1430 corrected. Formerly, <literal>me</literal> filter rules would
1431 match the remote IP address of a point-to-point interface in
1432 addition to the intended local IP address (see security advisory
1433 FreeBSD-SA-01:53). &merged;</para>
1435 <para>A vulnerability in &man.procfs.5;, which could allow a
1436 process to read sensitive information from another process's
1437 memory space, has been closed (see security advisory
1438 FreeBSD-SA-01:55). &merged;</para>
1440 <para>The <literal>PARANOID</literal> hostname checking in
1441 <application>tcp_wrappers</application> now works as advertised
1442 (see security advisory FreeBSD-SA-01:56). &merged;</para>
1444 <para>A local root exploit in &man.sendmail.8; has been closed
1445 (see security advisory FreeBSD-SA-01:57). &merged;</para>
1447 <para>A remote root vulnerability in &man.lpd.8; has been closed
1448 (see security advisory FreeBSD-SA-01:58). &merged;</para>
1450 <para>A race condition in &man.rmuser.8; that briefly exposed a
1451 world-readable <filename>/etc/master.passwd</filename> has been
1452 fixed (see security advisory FreeBSD-SA-01:59). &merged;</para>
1454 <para>A vulnerability in <application>UUCP</application> has been
1455 closed (see security advisory FreeBSD-SA-01:62).
1456 All non-<username>root</username>-owned binaries in standard
1457 system paths now have the <literal>schg</literal> flag set to
1458 prevent exploit vectors when run by &man.cron.8;, by
1459 <username>root</username>, or by a user other than the one owning
1460 the binary. In addition, &man.uustat.1; is now run via
1461 <filename>/etc/periodic/daily/410.status-uucp</filename> as
1462 <username>uucp</username>, not <username>root</username>.
1463 In &os; -CURRENT, <application>UUCP</application> has since been moved
1464 to the Ports Collection and is no longer a part of the base
1465 system. &merged;</para>
1467 <para>A security hole in the form of a buffer overflow in the
1468 &man.semop.2; system call has been closed. &merged;</para>
1470 <para>A security hole in <application>OpenSSH</application>,
1471 which could allow users to execute code with arbitrary privileges
1472 if <literal>UseLogin yes</literal> was set, has been
1473 closed. Note that the default value of this setting is
1474 <literal>UseLogin no</literal>. (See security advisory
1475 FreeBSD-SA-01:63.) &merged;</para>
1477 <para>The use of an insecure temporary directory by
1478 &man.pkg.add.1; could permit a local attacker to modify the
1479 contents of binary packages while they were being installed.
1480 This hole has been closed. (See security advisory
1481 FreeBSD-SA-02:01.) &merged;</para>
1483 <para>A race condition in &man.pw.8;, which could expose the
1484 contents of <filename>/etc/master.passwd</filename>, has been
1485 eliminated. (See security advisory FreeBSD-SA-02:02.) &merged;</para>
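<para>The &man.rmuser.8;, &man.pkg.add.1; and &man.pw.8; items above all concern a working file or directory that other local users could briefly read or modify. The C program below is an added example, not code from &os; or from the advisories: it creates a staging directory and a file inside it that are private from the first system call onward. The function names and the <filename>/tmp/stage.XXXXXX</filename> template are assumptions.</para>

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* mkdtemp(), openat(), O_NOFOLLOW */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Create a staging directory that only the calling user can enter.
 * `tmpl` must end in "XXXXXX"; mkdtemp() picks the name and creates the
 * directory with mode 0700 in one step, so another local user cannot
 * pre-create the path or slip a symlink in between.
 * Returns an open directory descriptor, or -1 on error.
 */
int
open_private_stage(char *tmpl)
{
    struct stat sb;
    int dfd;

    if (mkdtemp(tmpl) == NULL)
        return (-1);
    dfd = open(tmpl, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd == -1)
        return (-1);
    /* Check the object that was opened, not whatever the name means now. */
    if (fstat(dfd, &sb) == -1 || !S_ISDIR(sb.st_mode) ||
        sb.st_uid != geteuid() ||
        (sb.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(dfd);
        errno = EPERM;
        return (-1);
    }
    return (dfd);
}

/*
 * Write `len` bytes to `name` inside the staging directory. O_EXCL with
 * mode 0600 means the file is never group- or world-accessible, not even
 * briefly, and an existing file or symlink of that name is refused.
 */
int
write_private_file(int dfd, const char *name, const void *buf, size_t len)
{
    const char *p = buf;
    ssize_t n;
    int fd;

    fd = openat(dfd, name,
        O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd == -1)
        return (-1);
    while (len > 0) {
        n = write(fd, p, len);
        if (n == -1) {
            if (errno == EINTR)
                continue;
            close(fd);
            return (-1);
        }
        p += n;
        len -= (size_t)n;
    }
    if (fsync(fd) == -1) {
        close(fd);
        return (-1);
    }
    return (close(fd));
}

/* Permission bits of `name` inside the staging directory, or -1 on error. */
int
stage_file_mode(int dfd, const char *name)
{
    struct stat sb;

    if (fstatat(dfd, name, &sb, AT_SYMLINK_NOFOLLOW) == -1)
        return (-1);
    return ((int)(sb.st_mode & 07777));
}

int
main(void)
{
    char tmpl[] = "/tmp/stage.XXXXXX";              /* constructed path */
    const char data[] = "constructed sample record\n";
    int dfd = open_private_stage(tmpl);

    if (dfd == -1) {
        perror("open_private_stage");
        return (1);
    }
    if (write_private_file(dfd, "payload", data, sizeof(data) - 1) == -1)
        perror("write_private_file");
    printf("%s/payload mode %04o\n", tmpl,
        (unsigned)stage_file_mode(dfd, "payload"));
    unlinkat(dfd, "payload", 0);
    close(dfd);
    rmdir(tmpl);
    return (0);
}
```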
1487 <para>A bug in &man.k5su.8; could have allowed a process that had
1488 given up superuser privileges to regain them. This bug has been
1489 fixed. (See security advisory FreeBSD-SA-02:07.) &merged;</para>
1491 <sect2 id="userland">
1492 <title>Userland Changes</title>
1494 <para>If the first argument to &man.ancontrol.8; or
1495 &man.wicontrol.8; doesn't start with a <literal>-</literal>, it is
1496 assumed to be an interface.</para>
1498 <para>&man.apmd.8; now has the ability to monitor battery levels and
1499 execute commands based on percentage or minutes of battery life
1500 remaining via the <literal>apm_battery</literal> configuration
1501 directive. See the commented-out examples in
1502 <filename>/etc/apmd.conf</filename> for the syntax. &merged;</para>
1504 <para>&man.arp.8; now prints the applicable interface name for
1505 each ARP entry. &merged;</para>
1507 <para>&man.arp.8; now prints <literal>[fddi]</literal> or
1508 <literal>[atm]</literal> tags for addresses on interfaces of those
1511 <para>&man.atacontrol.8; has been added to control various aspects
1512 of the &man.ata.4; driver.</para>
1514 <para arch="i386">&man.boot98cfg.8;, a PC-98 boot manager installation and
1515 configuration utility, has been added. &merged;</para>
1517 <para>&man.burncd.8; now supports a <option>-m</option> option for
1518 multisession mode (the default behavior now is to close disks as
1519 single-session). A <option>-l</option> option to take a list of
1520 image files from a filename was also added; <filename>-</filename>
1521 can be used as a filename for <literal>stdin</literal>. &merged;</para>
1523 <para>&man.burncd.8; now supports Disk At Once (DAO) mode,
1524 selectable via the <option>-d</option> flag.</para>
1526 <para>&man.burncd.8; now has the ability to write VCDs/SVCDs.</para>
1528 <para>&man.c89.1; has been converted from a shell script to a
1529 binary executable, fixing some minor bugs. &merged;</para>
1531 <para>&man.cat.1; now has the ability to read from UNIX-domain
1532 sockets. &merged;</para>
1534 <para>&man.cdcontrol.1; now supports a <literal>cdid</literal>
1535 command, which calculates and displays the CD serial number, using
1536 the same algorithm used by the CDDB database. &merged;</para>
1538 <para>&man.cdcontrol.1; now uses the <envar>CDROM</envar>
1539 environment variable to pick a default device. &merged;</para>
1541 <para>&man.cdcontrol.1; now supports <literal>next</literal> and
1542 <literal>prev</literal> commands to skip forwards or backwards a
1543 specified number of tracks while playing an audio CD. &merged;</para>
1545 <para>&man.chflags.1; has moved from <filename>/usr/bin</filename>
1546 to <filename>/bin</filename>.</para>
1548 <para>&man.chio.1; now has the ability to specify elements by
1549 volume tag instead of by their physical location as well as the
1550 ability to return an element to its previous location. &merged;</para>
1552 <para>&man.chmod.1; now supports a <option>-h</option> flag for
1553 changing the mode of a symbolic link.</para>
1555 <para>&man.chown.8; now correctly follows symbolic links named as
1556 command line arguments if run without <option>-R</option>.</para>
1558 <para>&man.chown.8; no longer takes <literal>.</literal> as a
1559 user/group delimiter. This change was made to support usernames
1560 containing a <literal>.</literal>.</para>
1562 <para>Use of the <literal>CMSG_*</literal> macros no longer
1563 requires inclusion of
1564 <filename>&lt;sys/param.h&gt;</filename>.</para>
1566 <para>&man.col.1; now takes a <option>-p</option> flag to force unknown
1567 control sequences to be passed through unchanged. &merged;</para>
1570 <filename>compat3x</filename> distribution has been updated to
1571 include libraries present in &os; 3.5.1-RELEASE. &merged;</para>
1573 <para>A <filename>compat4x</filename> distribution has been added
1574 for compatibility with &os; 4-STABLE.</para>
1576 <para>&man.config.8; is now better about converting various
1577 warnings that should
1578 have been errors into actual fatal errors with an exit code. This
1579 ensures that <literal>make buildkernel</literal>
1580 doesn't quietly ignore them and
1581 build a bogus kernel without a human to read the errors. &merged;</para>
1583 <para>A number of buffer overflows in &man.config.8; have been
1584 fixed. &merged;</para>
1586 <para>The &man.daemon.8; program, a command-line interface to
1587 &man.daemon.3;, has been added. It detaches itself from its
1588 controlling terminal and executes a program specified on the command
1589 line. This allows the user to run an arbitrary program as if it were
1590 written to be a daemon.</para>
1592 <para>devinfo, a simple tool to print the device tree and resource usage by
1593 devices, has been added.</para>
1595 <para>&man.df.1; now takes a <option>-l</option> option to only
1596 display information about locally-mounted filesystems. &merged;</para>
1598 <para>&man.disklabel.8; now supports partition sizes expressed in
1599 kilobytes, megabytes, or gigabytes, in addition to sectors. &merged;</para>
1601 <para>&man.dmesg.8; now has a <option>-a</option> option to show
1602 the entire message buffer, including &man.syslogd.8; records and
1603 <filename>/dev/console</filename> output. &merged;</para>
1605 <para>&man.du.1; now takes a <option>-I</option> command-line flag
1606 to ignore/skip files and subdirectories matching a specified
1607 shell-glob mask. &merged;</para>
1609 <para>&man.dump.8; now supports inheritance of the
1610 <literal>nodump</literal> flag down a hierarchy. &merged;</para>
1612 <para>The <option>-T</option> option to &man.dump.8; no longer swallows
1613 an extra argument. &merged;</para>
1615 <para>&man.dump.8; has a new <option>-D</option> option, allowing
1616 the path to the <filename>/etc/dumpdates</filename> file to be
1617 changed. &merged;</para>
1619 <para>&man.edquota.8; now takes a <option>-f</option> option to
1620 allow limiting the prototype quota distribution (specified with
1621 <option>-p</option>) to a single filesystem. &merged;</para>
1623 <para>&man.fbtab.5; now accepts glob matching patterns for target
1624 devices, not just individual devices and directories.</para>
1626 <para arch="i386">&man.fdisk.8; no longer attempts to search for
1627 a device if none has been specified on the command line, but
1628 instead tries to figure out the default device name from the
1631 <para>&man.fdread.1;, a program to read data from floppy disks,
1632 has been added. It is a counterpart to &man.fdwrite.1; and is
1633 designed to provide a means of recovering at least some data from
1634 bad media, and to obviate the need for a complex invocation of
1637 <para>&man.find.1; now takes the <option>-empty</option> flag,
1638 which returns true if a file or directory is empty. &merged;</para>
1640 <para>&man.find.1; now takes the <option>-iname</option> and
1641 <option>-ipath</option> primaries for case-insensitive matches,
1642 and the <option>-regexp</option> and <option>-iregexp</option>
1643 primaries for regular-expression matches. The <option>-E</option>
1644 flag now enables extended regular expressions. &merged;</para>
1646 <para>&man.find.1; now has the <option>-anewer</option>,
1647 <option>-cnewer</option>, <option>-mnewer</option>,
1648 <option>-okdir</option>, and <option>-newer[acm][acmt]</option>
1649 primaries for comparisons of file timestamps. The latter
1650 primaries can be specified with various units of time. &merged;</para>
1652 <para>&man.finger.1; now has the ability to support fingering
1653 aliases, via the &man.finger.conf.5; file. &merged;</para>
1655 <para>&man.finger.1; now has support for a
1656 <filename>.pubkey</filename> file.</para>
1658 <para>&man.fmt.1; has been rewritten; the rewrite fixes a number
1659 of bugs compared to its prior behavior. &merged;</para>
1661 <para>&man.fmtcheck.3;, a function for checking consistency of
1662 format string arguments, has been added. &merged;</para>
1664 <para>&man.fsck.8; wrappers have been imported; this feature
1665 provides infrastructure for &man.fsck.8; to work on different
1666 types of filesystems (analogous to &man.mount.8;).</para>
1668 <para>The behavior of &man.fsck.8; when dealing with various
1669 passes (a la <filename>/etc/fstab</filename>) has been modified to
1670 accommodate multiple-disk filesystems.</para>
1672 <para>&man.fsck.8; now has support for foreground
1673 (<option>-F</option>) and background (<option>-B</option>) checks.
1674 Traditionally, &man.fsck.8; is invoked before the filesystems are
1675 mounted and all checks are done to completion at that time. If
1676 background checking is available, &man.fsck.8; is invoked twice.
1677 It is first invoked at the traditional time, before the
1678 filesystems are mounted, with the <option>-F</option> flag to do
1679 checking on all the filesystems that cannot do background
1680 checking. It is then invoked a second time, after the system has
1681 completed going multiuser, with the <option>-B</option> flag to do
1682 checking on all the filesystems that can do background checking.
1683 Unlike the foreground checking, the background checking is started
1684 asynchronously so that other system activity can proceed even on
1685 the filesystems that are being checked. Boot-time enabling of
1686 this feature is controlled by the
1687 <varname>background_fsck</varname> option in &man.rc.conf.5;.</para>
1689 <para>Shortly after the receipt of a <literal>SIGINFO</literal>
1690 signal (normally control-T from the controlling tty), &man.fsck.ffs.8;
1691 will now output a line indicating the current phase number and
1692 progress information relevant to the current phase. &merged;</para>
1694 <para>&man.fsck.ffs.8; now supports background filesystem checks
1695 to mounted FFS filesystems with the <option>-B</option> option
1696 (softupdates must be enabled on these filesystems). The
1697 <option>-F</option> flag now determines whether a specified
1698 filesystem needs foreground checking.</para>
1700 <para>A new &man.fsck.msdosfs.8; utility has been added to check
1701 the consistency of MS-DOS filesystems. &merged;</para>
1703 <para>&man.ftpd.8; now supports a <option>-r</option> flag for
1704 read-only mode and a <option>-E</option> flag to disable
1705 <literal>EPSV</literal>. It also has some fixes to reduce
1706 information leakage and the ability to specify compile-time port
1707 ranges. &merged;</para>
1709 <para>&man.ftpd.8; now supports <option>-o</option> and
1710 <option>-O</option> options to disable the <literal>RETR</literal>
1711 command; the former for everybody, and the latter only for guest users.
1712 Coupled with <option>-A</option> and appropriate file permissions,
1713 these can be used to create a relatively safe anonymous FTP drop box
1714 for others to upload to.</para>
1716 <para arch="i386">&man.gdb.1; now supports hardware watchpoints (using the
1717 kernel's debug register support that has been introduced in
1718 &os; 4.0). &merged;</para>
1720 <para>The &man.getprogname.3; and &man.setprogname.3; library
1721 functions have been added to manipulate the name of the current
1722 program. They are used by error-reporting routines to produce
1723 consistent output. &merged;</para>
1725 <para>&man.gprof.1; now has a <option>-K</option> option to enable
1726 dynamic symbol resolution from the currently-running kernel. With
1727 this change, properly-compiled KLD modules are now able to be
1730 <para>&man.growfs.8;, a utility for growing FFS filesystems, has
1731 been added. &man.ffsinfo.8;, a utility for dumping all the
1732 meta-information of an existing filesystem, has also been
1733 added. &merged;</para>
1735 <para>The &man.groups.1; and &man.whoami.1; shell scripts are now
1736 unnecessary; their functionality has been completely folded into
1737 &man.id.1;. &merged;</para>
1739 <para>The &man.ibcs2.8;, &man.linux.8;, &man.osf1.8;, and &man.svr4.8;
1740 scripts, whose sole purpose was to load emulation
1741 kernel modules, have been removed. The kernel module system will
1742 automatically load them as needed to fulfill dependencies.</para>
1744 <para>&man.indent.1; has gained some new formatting
1745 options. &merged;</para>
1747 <para>The &man.ifconfig.8; command can set the link-layer address
1748 of an interface using the <option>lladdr</option> parameter.
1751 <para>&man.ifconfig.8; can now accept addresses in slash/CIDR
1752 notation. &merged;</para>
1754 <para>&man.ifconfig.8; now has support for setting parameters for
1755 IEEE 802.11 wireless network devices. &man.wi.4; and
1756 &man.an.4; devices are supported, and partial support is provided
1757 for &man.awi.4; devices. &merged;</para>
1759 <para>&man.ifconfig.8; no longer displays the list of supported
1760 media by default. Instead it displays it when the
1761 <option>-m</option> flag is given. &merged;</para>
1763 <para>The syntax of &man.inetd.8;'s support for &man.faithd.8; is
1764 now compatible with that of other BSDs. &merged;</para>
1766 <para>The <literal>ident</literal> protocol support in &man.inetd.8; has
1767 been cleaned up and updated. &merged;</para>
1769 <para>&man.inetd.8; now has the ability to manage UNIX-domain
1770 sockets. &merged;</para>
1772 <para>&man.install.1; has a number of new features, including the
1773 <option>-b</option> and <option>-B</option> options for backing up
1774 existing target files and the <option>-S</option> option for
1775 <quote>safe</quote> (atomic copy) operation. The
1776 <option>-c</option> (copy) flag is now the default, and the
1777 <option>-D</option> (debugging) flag has been withdrawn.
1778 &man.install.1; now issues a warning if <option>-d</option>
1779 (create directories) and <option>-C</option> (copy changed files
1780 only) are used together. &merged;</para>
1782 <para>IP Filter is now supported by the
1783 &man.rc.conf.5; boot-time configuration and
1784 initialization. &merged;</para>
1786 <para>&man.ipfstat.8; now supports the <option>-t</option> option
1787 to turn on a &man.top.1;-like display. &merged;</para>
1789 <para>&man.ipfw.8; will now avoid the display of dynamic
1790 firewall rules unless the <option>-d</option> flag is passed to
1791 it. The <option>-e</option> option lists expired dynamic
1792 rules. &merged;</para>
1794 <para>&man.ipfw.8; has a new feature (<literal>me</literal>) that
1795 allows for packet matching on interfaces with dynamically-changing
1796 IP addresses. &merged;</para>
1798 <para>&man.ipfw.8; has a new <literal>limit</literal> type of
1799 firewall rule, which limits the number of sessions between address
1800 pairs. &merged;</para>
1802 <para>&man.ipfw.8; filter rules can now match on the value of the
1803 IPv4 precedence field.</para>
1805 <para>&man.ip6fw.8; now has the ability to use a preprocessor
1806 and use the <option>-q</option> (quiet) flag when reading from a
1807 file. &merged;</para>
1809 <para>&man.kenv.1;, a command to dump the kernel environment, has
1810 been added. &merged;</para>
1812 <para>&man.keyinfo.1; is now a C program, rather than a Perl
1813 script. &merged;</para>
1815 <para>&man.killall.1; is now a C program, rather than a Perl
1816 script. As a result, its <option>-m</option> option now uses the
1817 regular expression syntax of &man.regex.3;, rather than that of
1818 &man.perl.1;. &merged;</para>
1820 <para>&man.killall.1; now allows non-root users to kill SUID root
1821 processes that they started, the same as the Perl version did.</para>
1823 <para>The &man.kldconfig.8; utility has been added to make it easier to
1824 manipulate the kernel module search path. &merged;</para>
1826 <para>&man.last.1; now implements a <option>-d</option> option that
1827 provides a <quote>snapshot</quote> of who was logged in at a
1828 particular date and time. &merged;</para>
1830 <para>The &man.lastlogin.8; utility, which prints the last login
1831 time of each user, has been imported from
1832 NetBSD. &merged;</para>
1834 <para>&man.ldconfig.8; now checks directory ownerships and
1835 permissions for greater security; these checks can be disabled
1836 with the <option>-i</option> flag. &merged;</para>
1838 <para><filename>libc</filename> is now thread-safe by default;
1839 <filename>libc_r</filename> contains only thread functions.</para>
1841 <para><filename>libcrypt</filename> and
1842 <filename>libdescrypt</filename> have been unified to provide a
1843 configurable password authentication hash library. Both the md5
1844 and des hash methods are provided unless the des hash is
1845 specifically compiled out. &merged;</para>
1847 <para><filename>libcrypt</filename> now has support for Blowfish
1848 password hashing. &merged;</para>
1850 <para arch="i386"><filename>libdisk</filename> can now do
1851 install-time configuration of the <filename>boot0</filename>
1852 boot loader. &merged;</para>
1854 <para><filename>libstand</filename> now has support for
1855 filesystems containing <application>bzip2</application>-compressed
1856 files. &merged;</para>
1858 <para><filename>libstand</filename> now has support for
1859 overwriting the contents of a file on a UFS filesystem (it cannot
1860 expand or truncate files because the filesystem may be dirty or
1861 inconsistent).</para>
1863 <para>The default TCP port range used by
1864 <filename>libfetch</filename> for passive FTP retrievals has
1865 changed; this affects the behavior of &man.fetch.1;, which has
1866 gained the <option>-U</option> option to restore the old
1867 behavior. &merged;</para>
1869 <para><filename>libfetch</filename> now has support for an
1870 authentication callback. &merged;</para>
1872 <para><filename>libfetch</filename> now has support for a
1873 <envar>HTTP_USER_AGENT</envar> environment variable. &merged;</para>
1875 <para><filename>libgmp</filename> has been superseded by
1876 <filename>libmp</filename>.
1878 <para>The functions from <filename>libposix1e</filename> have been
1879 integrated into <filename>libc</filename>.</para>
1881 <para>&man.ln.1; now takes an <option>-i</option> option to
1882 request user confirmation before overwriting an existing
1883 file. &merged;</para>
1885 <para>&man.ln.1; now takes a <option>-h</option> flag to avoid
1886 following a target that is a link, with a <option>-n</option> flag
1887 for compatibility with other implementations. &merged;</para>
1889 <para>&man.logger.1; can now send messages directly to a remote
1890 syslog. &merged;</para>
1892 <para>&man.login.1; now exports environment variables set by
1893 <application>PAM</application> modules. &merged;</para>
1895 <para>&man.lpc.8; has been improved; <command>lpc clean</command>
1896 is now somewhat safer, and a new <command>lpc tclean</command>
1897 command has been added to check to see what files would be removed
1898 by <command>lpc clean</command>. &merged;</para>
1900 <para>&man.lpd.8; now takes two new options: <option>-c</option>
1901 will log all connection errors to &man.syslogd.8;, while
1902 <option>-W</option> will allow connections from non-reserved
1903 ports. &merged;</para>
1905 <para>&man.lpd.8; now has some support for
1906 <literal>o</literal>-type print-file actions in its control files,
1907 which allows printing of PostScript files generated by
1908 <application>MacOS</application> 10.1. &merged;</para>
1910 <para>&man.lpr.1;, &man.lpq.1;, and &man.lpd.8; have received a
1911 few minor enhancements. &merged;</para>
1913 <para>Catching up with most other network utilities in the base
1914 system, &man.lpr.1;, &man.lpd.8;, &man.syslogd.8;, and
1915 &man.logger.1; are now all IPv6-capable. &merged;</para>
1917 <para><command>lprm -</command> now works for remote printer
1918 queues. &merged;</para>
1920 <para>&man.ls.1; can produce colorized listings with the
1921 <option>-G</option> flag (and appropriate terminal
1922 support). The <envar>CLICOLOR</envar> environment variable can be set
1923 to enable colorized listings by default. &merged;</para>
1925 <para>&man.mail.1; now takes a <option>-E</option> flag to avoid
1926 sending messages with empty bodies. &merged;</para>
1928 <para>&man.make.1; has gained the <literal>:C///</literal>
1929 (regular expression substitution), <literal>:L</literal>
1930 (lowercase), and <literal>:U</literal> (uppercase) variable
1931 modifiers. These were added to reduce the differences between the
1934 &man.make.1; programs. &merged; </para>
1936 <para>Bugs in &man.make.1;, including broken null suffix
1937 behavior, bad assumptions about current directory permissions, and
1938 potential buffer overflows, have been fixed. &merged;</para>
1940 <para>The new <varname>CPUTYPE</varname>
1941 <filename>make.conf</filename> variable controls the compilation
1942 of processor-specific optimizations in various pieces of code such
1943 as <application>OpenSSL</application>. &merged;</para>
1945 <para>The &os; <filename>Makefile</filename> infrastructure now
1946 supports the <varname>WARNS</varname> directive from NetBSD. This
1947 directive controls the addition of compiler warning flags to
1948 <varname>CFLAGS</varname> in a relatively compiler-neutral
1949 manner. &merged;</para>
1951 <para>&man.man.1; is no longer installed SUID
1952 <username>man</username>, in order to reduce vulnerabilities
1953 associated with generating <quote>catpages</quote> (preformatted
1954 manual pages cached for repeated viewing). As a result,
1955 &man.man.1; can no longer create system catpages on a regular
1956 user's behalf. It is still able to do so if the user has write
1957 permissions to the directory holding catpages (e.g. a user's own
1958 manpages) or if the running user is
1959 <username>root</username>.</para>
1961 <para>The &man.mdmfs.8; command has been added; it is a wrapper
1962 around &man.mdconfig.8;, &man.disklabel.8;, &man.newfs.8;, and
1963 &man.mount.8; that mimics the command line option set of the
1964 deprecated &man.mount.mfs.8;.</para>
1966 <para>&man.mergemaster.8; now sources an
1967 <filename>/etc/mergemaster.rc</filename> file and also prompts the
1968 user to run recommended commands (such as
1969 <command>newaliases</command>) as needed. &merged;</para>
1971 <para>&man.moused.8; now takes a <option>-a</option> option to control
1972 mouse acceleration. &merged;</para>
1974 <para>&man.mtree.8; now includes support for a file that lists
1975 pathnames to be excluded when creating and verifying prototypes.
1976 This makes it easier to use &man.mtree.8; as a part of an
1977 intrusion-detection system. &merged;</para>
1979 <para>&man.natd.8; now supports a
1980 <option>-log_ipfw_denied</option> option to log packets that
1981 cannot be re-injected because they are blocked by &man.ipfw.8;
1982 rules. &merged;</para>
1984 <para>The <quote>in use</quote> percentage metric displayed by
1985 &man.netstat.1; now really reflects the percentage of network
1986 mbufs used. &merged;</para>
1988 <para>&man.netstat.1; now has a <option>-W</option> flag that
1989 tells it not to truncate addresses, even if they're too long for
1990 the column they're printed in. &merged;</para>
1992 <para>&man.netstat.1; now keeps track of input and output packets
1993 on a per-address basis for each interface. &merged;</para>
1995 <para>&man.netstat.1; now has a <option>-z</option> flag to reset
1996 statistics. &merged;</para>
1998 <para>&man.netstat.1; now has a <option>-S</option> flag to print
1999 addresses numerically but port names symbolically. &merged;</para>
2001 <para>&man.newfs.8; now implements write combining, which can make
2002 creation of new filesystems up to seven times
2003 faster. &merged;</para>
2005 <para>&man.newfs.8; now takes a <option>-U</option> option to
2006 enable softupdates on a new filesystem. &merged;</para>
2008 <para>The default number of cylinders per group in &man.newfs.8;
2009 is now computed to be the maximum allowable given the current
2010 filesystem parameters. It can be overridden with the
2011 <option>-c</option> option. Formerly, the default was fixed at 16. This
2012 change leads to better &man.fsck.8; performance and reduced
2013 fragmentation. &merged;</para>
2015 <para><anchor id="newfs-block-frag-sizes">The default block and fragment sizes for new filesystems created
2016 by &man.newfs.8; are now 16384 and 2048 bytes, respectively (the
2017 old defaults were 8192 and 1024 bytes). This change generally
2018 provides increased performance, at the expense of some wasted disk
2019 space. &merged;</para>
2021 <para>&man.newsyslog.8; now has the ability to compress
2022 log files using &man.bzip2.1;. &merged;</para>
2024 <para><application>NFS</application> now works over IPv6.</para>
2026 <para>&man.nl.1;, a line numbering filter program, has been
2027 added. &merged;</para>
2029 <para><application>nsswitch</application> support has been merged from NetBSD. By creating
2030 an &man.nsswitch.conf.5; file, &os; can be configured so that
2031 various databases such as &man.passwd.5; and &man.group.5; can be
2032 looked up using flat files, NIS, or Hesiod. The old
2033 <filename>hosts.conf</filename> file is no longer used.</para>
2035 <para><application>PAM</application> support has been added for
2036 account management and sessions.</para>
2038 <para><application>PAM</application> configuration is now
2039 specified by files in <filename>/etc/pam.d/</filename>, rather
2040 than a single <filename>/etc/pam.conf</filename> file.
2041 <filename>/etc/pam.d/README</filename> has more details.</para>
2043 <para>&man.passwd.1; and &man.pw.8; now select the password hash
2044 algorithm at run time. See the <literal>passwd_format</literal>
2045 attribute in <filename>/etc/login.conf</filename>. &merged;</para>
2047 <para>&man.pax.1; has received a number of enhancements, including
2048 &man.cpio.1; functionality, &man.tar.1; compatibility
2049 enhancements, <option>-z</option> and <option>-Z</option> flags
2050 for &man.gzip.1; and &man.compress.1; functionality, and a number
2051 of bug fixes.</para>
2053 <para>&man.pciconf.8; now supports a <option>-v</option> option to
2054 display the vendor/device information of configured devices,
2055 in conjunction with the <option>-l</option> option. The default
2056 vendor/device database can be found at
2057 <filename>/usr/share/misc/pci_vendors</filename>. &merged;</para>
2059 <para>The behavior of &man.periodic.8; is now controlled by
2060 <filename>/etc/defaults/periodic.conf</filename> and
2061 <filename>/etc/periodic.conf</filename>. &merged;</para>
2063 <para>&man.ping.8; now supports a <option>-m</option> option to
2064 set the TTL of outgoing packets. &merged;</para>
2066 <para>&man.ping.8; now supports a <option>-A</option> option to
2067 beep when packets are lost. &merged;</para>
2069 <para>Userland &man.ppp.8; has received a number of updates and
2070 bug fixes. &merged;</para>
2072 <para>&man.ppp.8; has gained the <literal>tcpmssfixup</literal>
2073 option, which adjusts outgoing and incoming TCP SYN packets so that the maximum
2074 receive segment size is no larger than allowed by the interface
2075 MTU. &merged;</para>
2077 <para>&man.ppp.8; now supports IPv6.</para>
2079 <para>&man.pppd.8; (the control program for kernel-level PPP) is
2080 now installed mode <literal>4550</literal> and
2081 <username>root</username><literal>:</literal><groupname>dialer</groupname>,
2082 rather than mode <literal>4555</literal> (in other words, it is no
2083 longer world-executable). Users of &man.pppd.8; may need to
2084 change their group settings. &merged;</para>
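<para>An added example, not part of the &os; sources: a C audit that separates set-user-ID files any local user can run (mode <literal>4555</literal>) from those restricted to the owner and group (mode <literal>4550</literal>), the distinction made by the &man.pppd.8; change above. The function names and the default directory list are assumptions.</para>

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* fstatat(), dirfd() */
#endif
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum exec_scope { EXEC_NONE, EXEC_OWNER, EXEC_GROUP, EXEC_WORLD };

struct finding {
    char    path[PATH_MAX];
    gid_t   gid;
    mode_t  mode;           /* permission bits only */
};

/* Widest class of users for which the mode grants execute permission. */
enum exec_scope
exec_scope(mode_t mode)
{
    if (mode & S_IXOTH)
        return (EXEC_WORLD);    /* e.g. 4555: any local user */
    if (mode & S_IXGRP)
        return (EXEC_GROUP);    /* e.g. 4550: owner and group members */
    if (mode & S_IXUSR)
        return (EXEC_OWNER);
    return (EXEC_NONE);
}

/* True for a regular file that runs with its owner's uid (set-user-ID). */
int
is_setuid_file(mode_t mode)
{
    return (S_ISREG(mode) && (mode & S_ISUID) != 0);
}

/*
 * Scan one directory (not recursive) for set-user-ID files owned by
 * `owner` that are world-executable. Up to `max` findings are stored in
 * `out`; the return value is the total number seen, or -1 if the
 * directory cannot be opened.
 */
int
audit_dir(const char *dir, uid_t owner, struct finding *out, int max)
{
    struct dirent *de;
    struct stat sb;
    DIR *d;
    int n = 0;

    if ((d = opendir(dir)) == NULL)
        return (-1);
    while ((de = readdir(d)) != NULL) {
        /* Do not follow symlinks: a link to a setuid file is not one. */
        if (fstatat(dirfd(d), de->d_name, &sb, AT_SYMLINK_NOFOLLOW) == -1)
            continue;
        if (!is_setuid_file(sb.st_mode) || sb.st_uid != owner ||
            exec_scope(sb.st_mode) != EXEC_WORLD)
            continue;
        if (n < max) {
            snprintf(out[n].path, sizeof(out[n].path), "%s/%s",
                dir, de->d_name);
            out[n].gid = sb.st_gid;
            out[n].mode = sb.st_mode & 07777;
        }
        n++;
    }
    closedir(d);
    return (n);
}

int
main(int argc, char **argv)
{
    /* Default directory list is an assumption; pass others as arguments. */
    const char *defaults[] = { "/usr/sbin", "/usr/bin", "/sbin", "/bin" };
    static struct finding f[64];
    int i, j, n, ndirs = argc > 1 ? argc - 1 : 4;

    for (i = 0; i < ndirs; i++) {
        const char *dir = argc > 1 ? argv[i + 1] : defaults[i];

        if ((n = audit_dir(dir, 0, f, 64)) == -1)
            continue;
        for (j = 0; j < n && j < 64; j++)
            printf("%04o gid=%ld %s\n", (unsigned)f[j].mode,
                (long)f[j].gid, f[j].path);
    }
    return (0);
}
```

Each line of output is a set-user-ID <username>root</username> file that is still world-executable; a file installed mode <literal>4550</literal> does not appear.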
2086 <para>&man.pwd.1; can now double as &man.realpath.1;, a program to
2087 resolve pathnames to their underlying physical paths. &merged;</para>
2089 <para>The pseudo-random number generator implemented by
2090 &man.rand.3; has been improved to provide less biased results.</para>
2092 <para>&man.rc.8; now has a framework for handling dependencies between
2093 &man.rc.conf.5; variables. &merged;</para>
2095 <para>&man.rc.8; now deletes all non-directory files in
2096 <filename>/var/run</filename> and
2097 <filename>/var/spool/lock</filename> at boot time. &merged;</para>
2099 <para>&man.rcmd.3; now supports the use of the
2100 <envar>RSH</envar> environment variable to specify a program to
2101 use other than &man.rsh.1; for remote execution. As a result,
2102 programs such as &man.dump.8; can use &man.ssh.1; for remote
2105 <para>&man.rdist.1; has been retired from the base system, but is still
2106 available from the &os; Ports Collection as
2107 <port>net/44bsd-rdist</port>.</para>
2109 <para>The &man.resolver.3; in &os; now implements EDNS0 support,
2110 which will be necessary when working with IPv6 transport-ready
2111 resolvers/DNS servers. &merged;</para>
2113 <para>The &man.rfork.thread.3; library call has been added as a
2114 helper function to &man.rfork.2;. Using this function should
2115 avoid the need to implement complex stack swap
2116 code. &merged;</para>
2118 <para>The <option>-v</option> option to &man.rm.1; now displays
2119 the entire pathname of a file being removed.</para>
2121 <para>&man.route.8; is now more verbose when changing indirect
2122 routes, in the case of a gateway route that is the same route as
2123 the one being modified. &merged;</para>
2125 <para>&man.route.8; now uses
2126 <literal><replaceable>host</replaceable>/<replaceable>bits</replaceable></literal>
2128 <literal><replaceable>net</replaceable>/<replaceable>bits</replaceable></literal>
2129 syntax, for compatibility with &man.netstat.1;. &merged;</para>
2131 <para>&man.route.8; can now create <quote>proxy only</quote>
2132 published ARP entries. &merged;</para>
2134 <para>The &man.route.8; <option>add</option> command now supports
2135 the <option>-ifp</option> and <option>-ifa</option>
2136 modifiers. &merged;</para>
2138 <para>&man.rpcbind.8; has replaced &man.portmap.8;.</para>
2140 <para>&man.rpcgen.1; now uses <filename>/usr/bin/cpp</filename>
2141 (as on NetBSD), not <filename>/usr/libexec/cpp</filename>.</para>
2143 <para>&man.rpc.lockd.8; has been imported from NetBSD. This
2144 daemon enables locking on NFS filesystems.</para>
2146 <para>The performance of the ELF dynamic linker &man.rtld.1; has
2147 been improved. &merged;</para>
2149 <para>RSA Security has waived all patent rights to the <application>RSA</application>
2151 result, the native <application>OpenSSL</application>
2152 implementation of the RSA algorithm is now activated by default,
2153 and the <port>security/rsaref</port> port and the
2154 <filename>librsaUSA</filename> and <filename>librsaINTL</filename>
2156 no longer required for USA and non-USA residents respectively. &merged;</para>
2158 <para>&man.savecore.8; now supports a <option>-k</option> option
2159 to prevent clearing a crash dump after saving it. It also
2160 attempts to avoid writing large stretches of zeros to crash dump
2161 files to save space and time. &merged;</para>
2163 <para>&man.savecore.8; now works correctly on machines with 2 GB
2164 or more of RAM. &merged;</para>
2166 <para>&man.sed.1; now takes a <option>-E</option> option for
2167 extended regular expression support. &merged;</para>
2169 <para>&man.send-pr.1; now takes a <option>-a</option> option to
2170 include a file into the <literal>Fix:</literal> section of a
2171 problem report. &merged;</para>
2173 <para>The &man.setfacl.1; and &man.getfacl.1; commands have been
2174 added to manage file system Access Control Lists.</para>
2176 <para>&man.setproctitle.3; has been moved from
2177 <filename>libutil</filename> to
2178 <filename>libc</filename>. &merged;</para>
2180 <para>&man.sh.1; now implements <command>test</command> as a
2181 built-in command for improved efficiency. &merged;</para>
2183 <para>&man.sh.1; no longer
2184 implements <command>printf</command> as a built-in command because
2185 it was considered less valuable compared to the other built-in
2186 commands (this functionality is, of course, still available
2187 through the &man.printf.1; executable).</para>
2189 <para>&man.sockstat.1; now has <option>-c</option> and
2190 <option>-l</option> flags for listing connected and listening
2191 sockets, respectively. &merged;</para>
2193 <para>&man.split.1; now has the ability to split a file longer
2194 than 2GB. &merged;</para>
<para>In preparation for meeting SUSv2/POSIX
<filename>&lt;sys/select.h&gt;</filename> requirements,
<literal>struct selinfo</literal> and related functions have been
moved to <filename>&lt;sys/selinfo.h&gt;</filename>.</para>
2201 <para>The &man.strnstr.3; and &man.strcasestr.3; variants of
2202 &man.strstr.3; have been implemented.</para>
2204 <para>&man.stty.1; now has support for an
2205 <literal>erase2</literal> control character, so that, for example,
2206 both the <keycap>Delete</keycap> and <keycap>Backspace</keycap>
2207 keys can be used to erase characters. &merged;</para>
2209 <para>&man.style.perl.7;, a style guide for Perl code in the &os;
2210 base system, has been added.</para>
2212 <para>&man.su.1; now uses <application>PAM</application> for
2213 authentication.</para>
2215 <para>Boot-time &man.syscons.4; configuration was moved to a
2216 machine-independent <filename>/etc/rc.syscons</filename>. &merged;</para>
2218 <para>&man.sysctl.8; now supports a <option>-N</option> option to
2219 print out variable names only. &merged;</para>
2221 <para>&man.sysctl.8; has replaced the <option>-A</option> and
2222 <option>-X</option> options with <option>-ao</option> and
2223 <option>-ax</option> respectively; the former options are now
2224 deprecated. The <option>-w</option> option is deprecated as well; it is
2225 not needed to determine the user's intentions. &merged;</para>
2227 <para>&man.sysctl.8; now supports a <option>-e</option> option to
2228 separate variable names and values by <literal>=</literal> rather
2229 than <literal>:</literal>. This feature is useful for producing
2230 output that can be fed back to &man.sysctl.8;. &merged;</para>
2232 <para>&man.sysinstall.8; now properly preserves
2233 <filename>/etc/mail</filename> during a binary upgrade. &merged;</para>
2235 <para>&man.sysinstall.8; now uses some more intuitive defaults
2236 thanks to some new dialog support functions. &merged;</para>
2238 <para>The default root partition in &man.sysinstall.8; is now
2239 100MB on the i386 and 120MB on the Alpha.</para>
2241 <para>&man.sysinstall.8; now lives in <filename>/usr/sbin</filename>,
2242 which simplifies the installation process. The &man.sysinstall.8;
2243 manpage is also installed in a more consistent fashion now.</para>
2245 <para>&man.sysinstall.8; now has the ability to load KLDs as a
2246 part of the installation. &merged;</para>
2248 <para>&man.sysinstall.8; now enables Soft Updates by default on
2249 all filesystems it creates, except for the root
2250 filesystem. &merged;</para>
2252 <para>&man.sysinstall.8; has received updates for its
2253 <quote>auto</quote> partitioning mode which provide more
2254 reasonable defaults for the sizes of partitions that are created;
2255 auto-sized partitions can now also recover the space that becomes
2256 available when other partitions are deleted. &merged;</para>
2258 <para>&man.syslogd.8; can take a <option>-n</option> option to
2259 disable DNS queries for every request. &merged;</para>
2261 <para>&man.syslogd.8; now supports a <literal>LOG_CONSOLE</literal>
2262 facility (disabled by
2263 default), which can be used to log <filename>/dev/console</filename>
2264 output. &merged;</para>
2266 <para>&man.syslogd.8; now has the ability to bind to a specific
2267 address (as opposed to using every available one) via the
2268 <option>-b</option> option. &merged;</para>
2270 <para>&man.syslogd.8; now accepts a <option>-c</option> flag to
2271 disable repeated line compression. &merged;</para>
2273 <para>&man.tail.1; now has the ability to work on files longer
2274 than 2GB. &merged;</para>
2276 <para>&man.tar.1; now supports the <varname>TAR_RSH</varname>
2277 variable, principally to enable the use of &man.ssh.1; as a
2278 transport. &merged;</para>
2280 <para>&man.telnet.1; now does autologin and encryption by default;
2281 a new <option>-y</option> option turns off encryption.</para>
2283 <para>&man.telnet.1; now supports a <option>-u</option> flag to
2284 allow connections to UNIX-domain (<literal>AF_UNIX</literal>)
2285 sockets. &merged;</para>
2287 <para>&man.tftpd.8; now takes the <option>-c</option> and
2288 <option>-C</option> options, which allow the server to
2289 &man.chroot.2; based on the IP address of the connecting client.
2290 &man.tftp.1; and &man.tftpd.8; can now transfer files larger than
2291 65535 blocks. &merged;</para>
2293 <para>&man.tftpd.8; now supports RFC 2349 (TFTP Timeout Interval
2294 and Transfer Size Options); this feature is required by some
2295 firmware like EFI boot managers (at least on HP i2000 Itanium
2296 servers) in order to boot an image using
2297 <application>TFTP</application>.</para>
2299 <para arch="alpha">&man.timed.8; now works on the alpha.</para>
2301 <para>A version of Transport Independent RPC
2302 (<application>TI-RPC</application>) has been imported.</para>
2304 <para>&man.tmpnam.3; will now use the <envar>TMPDIR</envar>
2305 environment variable, if set, to specify the location of temporary
2306 files. &merged;</para>
2308 <para>&man.tip.1; has been updated from
2309 <application>OpenBSD</application>, and has the ability to act as
2310 a &man.cu.1; substitute.</para>
2312 <para>&man.top.1; will now use the full width of its tty.</para>
2314 <para>&man.touch.1; now takes a <option>-h</option> option to
2315 operate on a symbolic link, rather than what the link points
2318 <para>The &man.truncate.1; utility, which truncates or extends the length
2319 of files, has been added. &merged;</para>
2321 <para>Ukrainian language support has been added to the &os;
2322 console. &merged;</para>
2324 <para><application>UUCP</application> has been removed from the
2325 base system. It can be found in
2326 the Ports Collection, in <port>net/freebsd-uucp</port>.</para>
2328 <para>&man.units.1; has received some updates and bugfixes. &merged;</para>
2330 <para>&man.vidcontrol.1; now accepts a <option>-g</option>
2331 parameter to select custom text geometry in the
2332 <literal>VESA_800x600</literal> raster text mode. &merged;</para>
2334 <para>&man.vidcontrol.1; now allows the user to omit the font size
2335 specification when loading a font, and has some better
2336 error-handling. &merged;</para>
2338 <para>&man.vidcontrol.1; now supports a <option>-p</option> option to
2339 take a snapshot of a &man.syscons.4; video buffer. These
2340 snapshots can be manipulated by the
2341 <port>graphics/scr2png</port> utility in the Ports
2342 Collection. &merged;</para>
2344 <para>&man.vidcontrol.1; now supports a <option>-C</option> option
2345 to clear the history buffer for a given tty, as well as a
2346 <option>-h</option> option to set the size of the history buffer. &merged;</para>
2348 <para>The default stripe size in &man.vinum.8; has been changed
2349 from 256KB to 279KB, to spread out superblocks more evenly between
2352 <para>&man.wall.1; now supports a <option>-g</option> flag to
2353 write a message to all users of a given group. &merged;</para>
2355 <para>&man.watch.8; now takes a <option>-f</option> option to
2356 specify a &man.snp.4; device to use.</para>
2358 <para>&man.which.1; is now a C program, rather than a Perl
2361 <para>&man.whois.1; now directs queries for IP addresses to
2362 ARIN. If a query to ARIN references APNIC or RIPE, the
2363 appropriate server will also be queried, provided that the
2364 <option>-Q</option> option is not specified. &merged;</para>
2366 <para>&man.whois.1; supports a <option>-c</option> option to
2367 specify a country code to help direct queries towards a particular
2368 whois server. &merged;</para>
2370 <para>&man.xargs.1; now supports a <option>-J</option>
2371 <replaceable>replstr</replaceable> option that allows the user to
2372 tell &man.xargs.1; to insert the data read from standard input at
2373 a specific point in the command line arguments rather than at the
2374 end. &merged;</para>
2376 <para>The compiler chain now uses the FSF-supplied C/C++ runtime
2377 initialization code. This change brings about better
2378 compatibility with code generated from the various egcs and gcc
2379 ports, as well as the stock public FSF source. &merged;</para>
2381 <para>The threads library has gained some signal handling changes,
2382 bug fixes, and performance enhancements (including zero system
2383 call thread switching). &man.gdb.1; thread support has been
2384 updated to match these changes. &merged;</para>
2386 <para>Significant additions have been made to internationalization
2387 support; &os; now has complete locale support for the
2388 <literal>LC_MONETARY</literal>, <literal>LC_NUMERIC</literal>, and
2389 <literal>LC_MESSAGES</literal> categories. A number of
2390 applications have been updated to take advantage of this
2393 <para>Locale names have been changed to improve compatibility with
2394 the names used by X11R6, as well as a number of other UNIX
2395 versions. As an example, the <literal>en_US.ISO_8859-1</literal>
2396 locale name has been changed to
2397 <literal>en_US.ISO8859-1</literal>. Entries in
2398 <filename>/etc/locale.alias</filename> provide backward
2399 compatibility. &merged;</para>
2401 <para><filename>/usr/src/share/examples/BSD_daemon/</filename> now
2402 contains a scalable Beastie graphic. &merged;</para>
2404 <para>As part of an ongoing process, many manual pages were
2405 improved, both in terms of their formatting markup and in their
2406 content. &merged;</para>
2409 <title>Contributed Software</title>
2411 <para><application>am-utils</application> has been updated to
2414 <para><application>bc</application> has been updated from 1.04 to
2415 1.06. &merged;</para>
2417 <para>The ISC library from the <application>BIND</application>
2418 distribution is now built as
2419 <filename>libisc</filename>. &merged;</para>
2421 <para><application>BIND</application> is now built with the
2422 <literal>NOADDITIONAL</literal> flag, which causes &man.named.8;
2423 to operate in a more consistent fashion for certain common
2424 misconfigurations. &merged;</para>
2426 <para><application>BIND</application> has been updated to
2427 8.2.4-REL. &merged;</para>
2429 <para><application>Binutils</application> have been updated to
2430 a 31 October 2001 snapshot from the FSF 2.11 branch.</para>
2432 <para><application>bzip2</application> 1.0.1 has been imported; this
2433 brings the &man.bzip2.1; program and the <filename>libbz2</filename>
2434 library to the base system. &merged;</para>
2436 <para>The &man.ee.1; <application>Easy Editor</application> has
2437 been updated to 1.4.2. &merged;</para>
2439 <para><application>file</application> has been updated to 3.37.</para>
2441 <para><application>gcc</application> has been updated to 2.95.3. &merged;</para>
2443 <para>&man.gcc.1; now uses a unified <filename>libgcc</filename>
2444 rather than a separate one for threaded and non-threaded programs.
2445 <filename>/usr/lib/libgcc_r.a</filename> can be removed.
2448 <para>&man.gcc.1; now supports the environment variable
2449 <envar>GCC_OPTIONS</envar>, which can hold a set of default
2450 options for <application>GCC</application>. &merged;</para>
2452 <para><application>GNATS</application> has been updated to
2453 3.113. &merged;</para>
2455 <para><application>GNU awk</application> has been updated to
2458 <para><application>gperf</application> has been updated to 2.7.2.</para>
2460 <para><application>groff</application> and its related utilities
2461 have been updated to FSF version 1.17.2. This import brings in a
2462 new &man.mdoc.7; macro package (sometimes referred to as
2463 <literal>mdocNG</literal>), which removes many of the
2464 limitations of its predecessor. &merged;</para>
2466 <para><application>Heimdal</application> has been updated to
2469 <para>The version of <application>IPFilter</application>
2470 provided with &os; now includes the &man.ipfs.8; program, which
2471 allows state information created for NAT entries and stateful
2472 rules to be saved to disk and restored after a reboot.
2473 Boot-time configuration of these features is supported by
2474 &man.rc.conf.5;. &merged;</para>
2476 <para>The <application>ISC DHCP</application> client has been
2477 updated to 2.0pl5. &merged;</para>
2479 <para><application>Kerberos IV</application> has been updated to
2480 1.0.5. &merged;</para>
2482 <para>The &man.more.1; command has been replaced by &man.less.1;,
2483 although it can still be run as
2484 <command>more</command>. &merged; Version 371 of <application>less</application> has
2485 been imported.</para>
2487 <para><application>libpcap</application> has been updated to
2488 0.6.2. &merged;</para>
2490 <para><application>libreadline</application> has been updated to
2493 <para><application>Linux-PAM</application> has been updated to
2494 0.75. &merged;</para>
2496 <para>A number of new <application>Linux-PAM</application> modules
2497 have been added, including: <filename>pam_ftp</filename>,
2498 <filename>pam_krb5</filename>,
2499 <filename>pam_nologin</filename>,
2500 <filename>pam_rootok</filename>,
2501 <filename>pam_securetty</filename>,
2502 <filename>pam_wheel</filename>.</para>
2504 <para><application>lukemftp</application> has replaced the &os;
2505 &man.ftp.1; program. Among its new features are more automation
2506 methods, better standards compliance, transfer rate throttling,
2507 and a customizable command-line prompt. Some environment
2508 variables and command-line arguments have changed.</para>
2510 <para><application>ncurses</application> has been updated to
2511 5.2-20010512.</para>
2513 <para>The <application>NTP</application> suite of programs has been
2514 updated to 4.1.0. &merged;</para>
2516 <para>The <application>OPIE</application> one-time-password suite
2517 has been updated to 2.32. &merged; It has completely replaced
2518 the functionality of <application>S/Key</application>.</para>
2520 <para><application>Perl</application> has been updated to version
2523 <para>&man.routed.8; has been updated to version 2.22. &merged;</para>
<para arch="i386">Version 1.4.3 of the <application>smbfs</application>
userland utilities has been imported. &merged;</para>
2528 <para><application>tcpdump</application> has been updated to
2529 3.6.3. &merged;</para>
2531 <para>The &man.csh.1; shell has been replaced by &man.tcsh.1;,
2532 although it can still be run as <command>csh</command>.
2533 <application>tcsh</application> has been updated to version
2534 6.11. &merged;</para>
2536 <para>The contributed version of
2537 <application>tcp_wrappers</application> now includes the
2538 &man.tcpd.8; helper daemon. While not strictly necessary in a
2539 standard &os; installation (because &man.inetd.8; already
2540 incorporates this functionality), this may be useful for
2541 &man.inetd.8; replacements such as
2542 <application>xinetd</application>.</para>
2544 <para>&man.traceroute.8; now takes its default maximum TTL value
2545 from the <varname>net.inet.ip.ttl</varname> sysctl
2546 variable. &merged;</para>
2548 <para>The timezone database has been updated to the
2549 <filename>tzdata2001d</filename> release. &merged;</para>
2554 <para><application>cvs</application> has been updated to
2555 1.11.1p1. &merged;</para>
2557 <para>The default value for &man.cvs.1;'s
2558 <envar>CVS_RSH</envar> variable is now <literal>ssh</literal>,
2559 rather than <literal>rsh</literal>. &merged;</para>
2561 <para>&man.cvs.1; now supports a <option>-T</option> option to
2562 update a sandbox's <filename>CVS/Template</filename> file from
2563 the repository. &merged;</para>
2565 <para>&man.cvs.1; <literal>diff</literal> now supports the
2566 <option>-j</option> option to perform differences against a
2567 revision relative to a branch tag. &merged;</para>
2571 <title>CVSup</title>
2573 <para><application>CVSup</application>, a frequently used
2574 utility in the &os; Ports Collection, was formerly installable
2575 using several ports and packages. The
2576 <port>net/cvsup-bin</port> and <port>net/cvsupd-bin</port>
2577 ports/packages are no longer necessary or available; the
2578 <port>net/cvsup</port> port should be used instead. &merged;</para>
2580 <para><application>CVSup</application> has been updated to
2581 16.1_3, which is available in the &os; Ports Collection as
2582 <port>net/cvsup</port>. This update fixes a long-standing
2583 (but only recently encountered) bug which affects the
2584 timestamps on all files after Sun Sep 9 01:46:40 UTC 2001
2585 (1,000,000,000 seconds after the UNIX epoch). &merged;</para>
2588 <sect4 id="kame-userland">
<para>The IPv6 stack is now based on the KAME
Project's IPv6 snapshot as of 28 May 2001. Most of the
items listed in this section are a result of this import.
<xref linkend="kame-kernel"> lists kernel updates to the KAME
IPv6 stack. &merged;</para>
2597 <para>&man.faithd.8; now supports a configuration file for
2598 access control. &merged;</para>
2600 <para>&man.ifconfig.8; can now perform the functions of
2601 &man.gifconfig.8;. &merged;</para>
2603 <para>&man.ifconfig.8; can now perform the functions of
2604 &man.prefix.8;. &man.prefix.8; is now a shell script for
2605 partial backwards compatibility. &merged;</para>
2607 <para>&man.ndp.8; now implements garbage collection for stale
2608 NDP entries, as described in RFC 2461 (Neighbor Discovery for
2609 IP Version 6 (IPv6)). &merged;</para>
2611 <para>&man.pim6dd.8; and &man.pim6sd.8; have been removed due to
2612 restrictive licensing conditions. These programs are available
2613 in the ports collection as <port>net/pim6dd</port> and
2614 <port>net/pim6sd</port>. &merged;</para>
2616 <para>&man.route6d.8; now supports an <option>-n</option> flag
2617 to avoid updating the kernel forwarding table. &merged;</para>
2619 <para>The <option>-R</option> (router renumbering) option to
2620 &man.rtadvd.8; is currently ignored. &merged;</para>
2624 <title>OpenSSH</title>
<para><application>OpenSSH</application> has been updated to
2.9, which provides support for the SSH2 protocol (now the
default) and DSA keys. &man.ssh-add.1; and &man.ssh-agent.1;
can now handle DSA keys, with support for authentication
forwarding. <application>OpenSSH</application> users in the
USA no longer need to rely on the restrictively-licensed
RSAREF toolkit which is required to handle RSA keys. Among
other new features: A client and server for sftp have been
added. &man.scp.1; can now handle files larger than 2 GBytes.
A limit on the number of outstanding, unauthenticated
connections in &man.sshd.8; has been added. Support has been
added for the Rijndael encryption algorithm. Rekeying of
existing sessions is now supported, and an experimental
<application>SOCKS4</application> proxy has been added to
2642 <para><application>OpenSSH</application> can now authenticate
2643 using OPIE passwords in SSH1 mode. Support is not yet available
2644 in SSH2 mode. &merged;</para>
2646 <para><application>PAM</application> support for
2647 <application>OpenSSH</application> has been added.</para>
2649 <para>A long-standing bug in <application>OpenSSH</application>,
2650 which sometimes resulted in a dropped session when an
2651 X11-forwarded client was closed, was fixed.</para>
2653 <para><application>Kerberos</application> compatibility has been
2654 added to <application>OpenSSH</application>. &merged;</para>
2656 <para><application>OpenSSH</application> has been modified to be
2657 more resistant to traffic analysis by requiring that
2658 <quote>non-echoed</quote> characters are still echoed back in a
2659 null packet, as well as by padding passwords sent so as not to
2660 hint at password lengths. &merged;</para>
2662 <para>&man.sshd.8; is now enabled by default on new
2663 installs. &merged;</para>
2665 <para>&man.sshd.8; <literal>X11Forwarding</literal> is now turned
2666 on by default on the server (any risk is to the client, where it
2667 is already disabled by default). &merged;</para>
2669 <para>In <filename>/etc/ssh/sshd_config</filename>, the
2670 <literal>ConnectionsPerPeriod</literal> parameter has been
2671 deprecated in favor of <literal>MaxStartups</literal>. &merged;</para>
2673 <para><application>OpenSSH</application> now has a
2674 <literal>VersionAddendum</literal> configuration setting for
2675 &man.sshd.8; to allow changing the part of the
2676 <application>OpenSSH</application> version string after the
2677 main version number.</para>
2681 <title>OpenSSL</title>
2683 <para><application>OpenSSL</application> has been updated to
2686 <para><application>OpenSSL</application> now has support for
2687 machine-dependent ASM optimizations, activated by the new
2688 <varname>MACHINE_CPU</varname> and/or <varname>CPUTYPE</varname>
2689 <filename>make.conf</filename> variables. &merged;</para>
2693 <title>sendmail</title>
2695 <para><application>sendmail</application> has been updated from
2696 version 8.9.3 to version 8.11.6. Important changes include: new
2697 default file locations (see
2698 <filename>/usr/src/contrib/sendmail/cf/README</filename>);
2699 &man.newaliases.1; is limited to <username>root</username> and
2700 trusted users; STARTTLS encryption; and the MSA port (587) is
2701 turned on by default. See
2702 <filename>/usr/src/contrib/sendmail/RELEASE_NOTES</filename> for
2703 more information. &merged;</para>
2705 <para>&man.mail.local.8; is no longer installed as a SUID binary.
2706 If you are using a <filename>/etc/mail/sendmail.cf</filename> from
2707 the default <filename>sendmail.cf</filename> included with &os;
2708 any time after 3.1.0, you are fine. If you are using a
2709 hand-configured <filename>sendmail.cf</filename> and
2710 <command>mail.local</command> for delivery, check to make sure the
2711 <literal>F=S</literal> flag is set on the
2712 <literal>Mlocal</literal> line. Those with
2713 <filename>.mc</filename> files who need to add the flag can do so
2714 by adding the following line to their <filename>.mc</filename>
2715 file and regenerating the <filename>sendmail.cf</filename>
2718 <programlisting>MODIFY_MAILER_FLAGS(`LOCAL',`+S')dnl</programlisting>
2720 <para>Note that <literal>FEATURE(`local_lmtp')</literal> already
2721 does this. &merged;</para>
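<para>The check described above can be scripted. The following is an
added example, not part of the release notes or of the
<application>sendmail</application> distribution: it reads the
<literal>Mlocal</literal> definition (including continuation lines) and
reports whether <literal>S</literal> appears in the <literal>F=</literal>
flags, without confusing it with the separate <literal>S=</literal>
ruleset field. The function names and the sample fragment are constructed
for illustration.</para>

```shell
#!/bin/sh
# Added example: verify that a sendmail.cf which delivers through
# mail.local carries the S flag in the F= field of its Mlocal line.
# Usage: sh thisfile /etc/mail/sendmail.cf   (no argument: run on the sample)

# mailer_field FILE MAILER KEY
# Print the value of KEY= (for example F or P) from the M<MAILER>
# definition, joining continuation lines that begin with whitespace.
mailer_field() {
    awk -v mailer="$2" -v key="$3" '
        /^M/ {                       # a mailer definition starts in column one
            name = substr($0, 2); sub(/[ \t]*,.*/, "", name)
            indef = (name == mailer)
            if (indef) def = substr($0, index($0, ",") + 1)
            next
        }
        /^[ \t]/ { if (indef) def = def $0; next }   # continuation line
        { indef = 0 }                                   # anything else ends it
        END {
            n = split(def, parts, ",")
            for (i = 1; i <= n; i++) {
                f = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", f)
                # Match on "KEY=" at the start, so F= and S= stay distinct.
                if (index(f, key "=") == 1) { print substr(f, length(key) + 2); exit }
            }
        }
    ' "$1"
}

# check_local_mailer FILE
# Returns 0 if the S flag is present (or mail.local is not the local mailer),
#         1 if mail.local is used without the S flag,
#         2 if no Mlocal definition was found.
check_local_mailer() {
    path=$(mailer_field "$1" local P)
    flags=$(mailer_field "$1" local F)
    if [ -z "$path" ]; then
        echo "$1: no Mlocal definition found"; return 2
    fi
    case "$path" in
        */mail.local|mail.local) ;;
        *) echo "$1: local mailer is $path, not mail.local"; return 0 ;;
    esac
    case "$flags" in
        *S*) echo "$1: ok, Mlocal F=$flags includes S"; return 0 ;;
        *)   echo "$1: Mlocal F=$flags lacks S; regenerate with the +S flag"; return 1 ;;
    esac
}

# Constructed sample (not taken from any real system): a hand-edited style
# Mlocal definition that uses mail.local but has no S in its F= flags.
sample_cf() {
    cat <<'EOF'
# constructed sendmail.cf fragment
Mlocal,   P=/usr/libexec/mail.local, F=lsDFMAw5:/|@qPfhn9, S=10/30, R=20/40,
          T=DNS/RFC822/X-Unix,
          A=mail -d $u
Mprog,    P=/bin/sh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/,
          A=sh -c $u
EOF
}

if [ "$#" -gt 0 ]; then
    check_local_mailer "$1"
else
    demo_cf=$(mktemp) && sample_cf > "$demo_cf" && {
        check_local_mailer "$demo_cf" || true
        rm -f "$demo_cf"
    }
fi
```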
2723 <para>The default <filename>/etc/mail/sendmail.cf</filename>
2724 disables the SMTP <literal>EXPN</literal> and
2725 <literal>VRFY</literal> commands. &merged;</para>
2727 <para>&man.vacation.1; has been updated to use the version included with
2728 <application>sendmail</application>. &merged;</para>
2730 <para>The <application>sendmail</application> configuration
2731 building tools are installed in
2732 <filename>/usr/share/sendmail/cf/</filename>. &merged;</para>
2734 <para>New <filename>make.conf</filename> options:
2735 <varname>SENDMAIL_MC</varname> and
2736 <varname>SENDMAIL_ADDITIONAL_MC</varname>. See
2737 <filename>/usr/share/examples/etc/make.conf</filename> for more
2738 information. &merged;</para>
2740 <para><filename>/etc/mail/Makefile</filename> now supports: the
2741 new <varname>SENDMAIL_MC</varname> <filename>make.conf</filename>
2742 option; the ability to build <filename>.cf</filename> files from
2743 <filename>.mc</filename> files; generalized map rebuilding;
2744 rebuilding the aliases file; and the ability to stop, start, and
2745 restart <application>sendmail</application>. &merged;</para>
2750 <title>Ports/Packages Collection</title>
2752 <para><application>BSDPAN</application>, a collection of modules
2753 that provides tighter integration of
2754 <application>Perl</application> into the &os; Ports
2755 Collection, has been added.</para>
<para>&man.pkg.create.1; and &man.pkg.add.1; can now work with
packages that have been compressed using
&man.bzip2.1;. &man.pkg.add.1; will use the <envar>PACKAGEROOT</envar>
environment variable to determine a mirror site for new
packages. &merged;</para>
2763 <para>&man.pkg.create.1; now records dependencies in dependency
2764 order rather than in the order specified on the command line.
2765 This improves the functioning of <command>pkg_add
2766 -r</command>. &merged;</para>
<para>&man.pkg.create.1; now supports a <option>-b</option> option to
create a package file from a locally-installed
package. &merged;</para>
2772 <para>When requested to delete multiple packages,
2773 &man.pkg.delete.1; will now attempt to remove them in dependency
2774 order rather than the order specified on the command
2775 line. &merged;</para>
2777 <para>&man.pkg.delete.1; now can perform glob/regexp matching of
2778 package names. In addition, it supports a <option>-a</option>
2779 option for removing all packages and a <option>-i</option> option
2780 for &man.rm.1;-style interactive confirmation. &merged;</para>
2782 <para>&man.pkg.delete.1; now supports a <option>-r</option>
2783 option for recursive package removal. &merged;</para>
2785 <para>&man.pkg.info.1; now supports globbing against names of
2786 installed packages. The <option>-G</option> option disables this
2787 behavior, and the <option>-x</option> option causes regular
2788 expression matching instead of shell globbing. &merged;</para>
2790 <para>&man.pkg.info.1; can now accept a <option>-g</option> flag for
2791 verifying an installed package against its recorded checksums (to
2792 see if it's been modified post-installation). Naturally, this
2793 mechanism is only as secure as the contents of
2794 <filename>/var/db/pkg</filename> if it's to be used for auditing
2795 purposes. &merged;</para>
2797 <para>&man.pkg.sign.1; and &man.pkg.check.1; have been added to
2798 digitally sign and verify the signatures on binary package
2799 files. &merged;</para>
2801 <para>&man.pkg.update.1;, a utility to update installed packages
2802 and update their dependencies, has been added. &merged;</para>
2804 <para>&man.pkg.version.1; now has a version number comparison
2805 routine that corresponds to the Porters Handbook. It also has a
2806 <option>-t</option> option for testing address comparisons.
2809 <para>&man.pkg.version.1; now takes a <option>-s</option> flag
2810 to limit its operation to ports/packages matching a given
2811 string. &merged;</para>
2813 <para>Version numbers of installed packages have a new
2814 (backward-compatible) syntax, which supports the
2815 <varname>PORTREVISION</varname> and <varname>PORTEPOCH</varname>
2816 variables in Ports Collection <filename>Makefile</filename>s.
2817 These changes help keep track of changes in the ports collection
2818 entries such as security patches or &os;-specific updates, which
2819 aren't reflected in the original, third-party software
2820 distributions. &man.pkg.version.1; can now compare these
2821 new-style version numbers. &merged;</para>
2823 <para>To improve performance and disk utilization, the <quote>ports
2824 skeletons</quote> in the &os; Ports Collection have been restructured.
2825 Installed ports and packages should not be affected. &merged;</para>
2827 <para>All packages and ports now contain an <quote>origin</quote>
2828 directive, which makes it easier for programs such as
2829 &man.pkg.version.1; to determine the directory from which a
2830 package was built. &merged;</para>
2836 <title>Upgrading from previous releases of &os;</title>
2838 <para>If you're upgrading from a previous release of &os;, you
2839 generally will have three options:
2843 <para>Using the binary upgrade option of &man.sysinstall.8;.
2844 This option is perhaps the quickest, although it presumes
2845 that your installation of &os; uses no special compilation
<para>Performing a complete reinstall of &os;. Technically,
this is not an upgrading method, and in any case is usually less
convenient than a binary upgrade, in that it requires you to
manually back up and restore the contents of
<filename>/etc</filename>. However, it may be useful in
cases where you want (or need) to change the partitioning of
<para>From source code in <filename>/usr/src</filename>. This
route is more flexible, but requires more disk space, time,
and technical expertise. Upgrading from very old
versions of &os; may be problematic; in cases like this, it
is usually more effective to perform a binary upgrade or a
complete reinstall.</para>
2868 <para>Please read the <filename>INSTALL.TXT</filename> file for more
2869 information, preferably <emphasis>before</emphasis> beginning an
2870 upgrade. If you are upgrading from source, please be sure to read
2871 <filename>/usr/src/UPDATING</filename> as well.</para>
2873 <para>Finally, if you want to use one of various means to track the
2874 -STABLE or -CURRENT branches of &os;, please be sure to consult the
2876 url="http://www.FreeBSD.org/handbook/current-stable.html"><quote>-CURRENT
2877 vs. -STABLE</quote></ulink> section of the <ulink
2878 url="http://www.FreeBSD.org/handbook/">FreeBSD
2879 Handbook</ulink>.</para>
2882 <para>Upgrading &os; should, of course, only be attempted after
2883 backing up <emphasis>all</emphasis> data and configuration