git: cea787c18f - main - 14.0 relnotes: additions to date

From: Mike Karels <>
Date: Wed, 18 Oct 2023 18:57:23 UTC
The branch main has been updated by karels:


commit cea787c18f647edc2a82310afab18cabcb79bdc3
Author:     Mike Karels <>
AuthorDate: 2023-10-18 18:56:41 +0000
Commit:     Mike Karels <>
CommitDate: 2023-10-18 18:56:41 +0000

    14.0 relnotes: additions to date
    Added items:
    * information on upgrading boot loader for ZFS
    * jail(8) .include directive
    * date -z
    * sleep(1) units
    * OpenSSH and OpenSSL upgrades (slightly premature)
    * AWS cloud additions
    * vfs.vnode sysctls
    * mention audible bell control
    * iwlwifi, rtw88 and related WiFi items
    * OpenZFS 2.2 and features
    * pf/pfsync additions
    Reviewed by:    grahamperrin, emaste
    Differential Revision:
 website/content/en/releases/14.0R/relnotes.adoc | 105 ++++++++++++++++++++++--
 1 file changed, 96 insertions(+), 9 deletions(-)

diff --git a/website/content/en/releases/14.0R/relnotes.adoc b/website/content/en/releases/14.0R/relnotes.adoc
index 536a77b864..705c0000a7 100644
--- a/website/content/en/releases/14.0R/relnotes.adoc
+++ b/website/content/en/releases/14.0R/relnotes.adoc
@@ -46,6 +46,22 @@ Binary upgrades between RELEASE versions (and snapshots of the various security
 Source-based upgrades (those based on recompiling the FreeBSD base system from source code) from previous versions are supported, according to the instructions in [.filename]#/usr/src/UPDATING#.
+Note for systems that boot from a ZFS root filesystem via EFI, using either binary or source upgrades:
+There are one or more copies of the boot loader on the MS-DOS EFI System Partition (ESP), used by the firmware to boot the kernel, and which must be able to support reading from the ZFS boot file system.
+After a system upgrade, but before doing a `zpool upgrade`, the boot loader on the ESP must be updated, or the system may become unbootable.
+The ESP is not always mounted, but a `noauto` entry is placed in the man:fstab[5] file; this allows the command `mount /boot/efi` to mount the file system.
+The location of the boot loader in use can be determined using the command `efibootmgr -v`.
+The value displayed for `BootCurrent` should be the number of the current boot configuration used to boot the system.
+The corresponding line of the output should begin with a `+` sign, such as
+ +Boot0000* FreeBSD HD(1,GPT,f859c46d-19ee-4e40-8975-3ad1ab00ac09,0x800,0x82000)/File(\EFI\freebsd\loader.efi)
+                       nda0p1:/EFI/freebsd/loader.efi (null)
+The value in the `File` field, `\EFI\freebsd\loader.efi` in this case, is the MS-DOS name for the boot loader in use on the ESP.
+If the mount point is `/boot/efi`, that file will translate to `/boot/efi/efi/freebsd/loader.efi`.
+Another common value for File would be `\EFI\boot\bootXXX.efi`, where `XXX` is `x64` for amd64, `aa64` for aarch64, or `riscv64` for riscv64; this is the default bootstrap if none is configured.
+Both the configured and default boot loaders should be updated by copying from [.filename]#/boot/loader.efi#.
 Upgrading FreeBSD should only be attempted after backing up _all_ data and configuration files.
@@ -110,6 +126,9 @@ gitref:a67b925ff3e5[repository=src]
 The `mta_start_script` configuration variable has been retired in man:rc.conf[5], along with the `othermta` startup script.
+man:jail[8] now supports `.include` directives in man:jail.conf[5] files, with support for filename globbing.
 The one-time password facility OPIE, man:opie[4], has been removed from the base system.
 If you still wish to use it, install the `security/opie` port.
 Otherwise, make sure to remove or comment out any mention of `pam_opie` and `pam_opieaccess` from your PAM policies.
@@ -136,6 +155,9 @@ The man:cpuset[8] utility has been moved from [.filename]#/usr/bin# to [.filenam
 [.filename]#/usr/bin/cpuset# is now a symbolic link.
+The man:date[1] utility now has a `-z` option for timezone conversion.
 The deprecated man:fmtree[8] utility has been removed.
@@ -174,6 +196,9 @@ The man:pw[8] and man:bsdinstall[8] programs now create home directories for use
 The default symbolic link for [.filename]#/home#, referencing [.filename]#/usr/home#, is no longer created.
+The man:sleep[1] utility now accepts units other than seconds, and accepts multiple delay values that are summed.
+gitref:34978f7edd15[repository=src] gitref:be038c3afcae[repository=src]
 The man:sockstat[1] utility is now run in a sandbox with capsicum.
 gitref:94dc57159532[repository=src] gitref:c5a2d8c5f517[repository=src]
@@ -195,6 +220,7 @@ gitref:fe52b7f60ef4[repository=src] (Sponsored by The FreeBSD Foundation)
 Compressed debug sections in binaries are enabled by default on little-endian targets.
 gitref:47363e99d3d3[repository=src] (Sponsored by The FreeBSD Foundation)
+//XXX this was in 13.1; remove/place in MERGED section?
 Binaries for 64-bit architectures are now built with Position Independent Executables (PIE) enabled.
 gitref:9a227a2fd642[repository=src] (Sponsored by Stormshield)
@@ -219,9 +245,9 @@ gitref:f540a43052c1[repository=src] gitref:3e696dfb7009[repository=src] gitref:9
 The man:llvm-objdump[1] utility is now always installed as man:objdump[1].
 gitref:86edb11e7491[repository=src] (Sponsored by The FreeBSD Foundation)
-`OpenSSH` has been upgraded to version 9.4p1.
-Full release notes are at[].
-gitref:535af610a4fd[repository=src] (Sponsored by The FreeBSD Foundation)
+OpenSSH has been upgraded to version 9.5p1.
+Full release notes are at[].
+gitref:676824f5cdf9[repository=src] (Sponsored by The FreeBSD Foundation)
 The man:scp[1] utility now defaults to the SFTP protocol by default rather than the legacy scp/rcp protocol.
 This removes the need for double-quoting wildcard expansion characters.
@@ -232,18 +258,18 @@ It is possible to enable them on a per-host basis in a user's [.filename]#~/.ssh
 gitref:8c22023ca5e1[repository=src] (Sponsored by The FreeBSD Foundation)
 The `VerifyHostKeyDNS` option for man:ssh[1] now defaults to `no`,
-following the `OpenSSH` distribution.
+following the OpenSSH distribution.
 The `X11Forwarding` option also defaults to `no`.
 gitref:41ff5ea22cb9[repository=src] gitref:77934b7a1301[repository=src] (Sponsored by The FreeBSD Foundation)
-HPN option handling has been removed from `OpenSSH`.
+HPN option handling has been removed from OpenSSH.
 HPN support was deprecated long ago, but the configuration options were still accepted (and ignored) for backwards compatibility.
 gitref:348bea10b6f2[repository=src] (Sponsored by The FreeBSD Foundation)
 The `VersionAddendum` option has been removed from the man:ssh[1] client.
 gitref:bffe60ead024[repository=src] (Sponsored by The FreeBSD Foundation)
-`OpenSSL` has been upgraded to version 3.0.10.
+OpenSSL has been upgraded to version 3.0.11.
 This is a major upgrade from version 1.1.1, which is nearing its end of life.
 Many components of the base system use a backward-compatible API, but will be migrated later.
 gitref:aa7957345732[repository=src] gitref:b077aed33b7b[repository=src] (Sponsored by The FreeBSD Foundation)
@@ -278,6 +304,17 @@ The `COMPAT_LIB32` build option has been implemented for aarch64 (arm64) and is
 This provides armv7 32-bit-compatible libraries and header files for arm64 systems for building and running most armv7 32-bit binaries.
 gitref:f1d5183124d3[repository=src] gitref:d5d97bed4ab6[repository=src] gitref:a1b675731301[repository=src]
+== Cloud Support
+This section covers changes in support for cloud environments.
+FreeBSD now provides experimental ZFS-root EC2 AMIs on AWS.
+(Sponsored by[])
+FreeBSD now provides experimental cloud-init EC2 AMIs on AWS.
+See the package:net/cloud-init[] port for information.
+(Sponsored by[])
 == Kernel
@@ -335,6 +372,9 @@ gitref:38da497a4dfc[repository=src] (Sponsored by The FreeBSD Foundation)
 Support for asymmetric cryptographic operations has been removed from the kernel open cryptographic framework (OCF), as they are not used by modern OpenSSL versions.
+In the course of debugging and resolving a problem with vnode recycling in the generic file system code, sysctls for vnode-related statistics have been grouped under `vfs.vnode` for greater visibility.
 == Devices and Drivers
@@ -353,6 +393,10 @@ It can be set with man:kbdcontrol[1] again.
 There is integration with man:devd[8] for people wishing to use their sound cards for the beep.
 gitref:ba48d52ca6c8[repository=src] gitref:4ac3d08a9693[repository=src] gitref:2533eca1c2b9[repository=src] (Sponsored by Netflix)
+When using the default man:vt[4] console, the audible bell is no longer enabled by default.
+It can be enabled with these commands: `sysctl kern.vt.enable_bell=1` and `kbdcontrol -b normal`.
 Improvements have been made in DPAA2 (second generation Data Path Acceleration Architecture – a hardware-level networking architecture found in some NXP SoCs).
 It runs NXP-supplied firmware which provides DPAA2 objects as an abstraction layer, and provides a `dpni` network interface.
 Separation between DPAA2 channels has been improved significantly in order to isolate access to the DMA resources and cleanup operations, and avoid kernel panics under heavy network load (1 Gbit/s links).
@@ -367,9 +411,18 @@ gitref:37c8ee8847fa[repository=src]
 A fix has been implemented for frame buffer addressing that affects framebuffers mapped above 4 GB physical on i386 and Book-E powerpc.
+//XXX this was in 13.2; remove/place in MERGED section?
 The man:igc[4] driver for the Intel I225 Ethernet controller is included, supporting 2.5 Gbps operation.
 gitref:517904de5cca[repository=src] (Sponsored by Rubicon Communications, LLC ("Netgate"))
+The man:iwlwifi[4] driver for Intel wireless interfaces has been updated to the latest version, supporting the chipsets shipping as of release time.
+(Sponsored by The FreeBSD Foundation)
+The man:rtw88[4] driver for Realtek wireless PCI interfaces has been updated.
+There have been stability fixes and enhancements to the KPI to support Linux device drivers, along with the net80211 layer for wireless drivers.
+(Sponsored by The FreeBSD Foundation)
 The Microsoft Azure Network Adapter(MANA) VF (virtual function) is now supported.
 gitref:ce110ea12fce[repository=src] (Sponsored by Microsoft)
@@ -432,9 +485,6 @@ A new man:gunion[8] utility tracks changes to a read-only disk on a writable dis
 This can be useful for making tentative changes to the disk, such as file system repairs or software upgrades, and then either committing or reverting them.
-ZFS has been enabled on 32-bit `powerpc`/`powerpcspe`.
 === NFS Changes
@@ -472,6 +522,29 @@ That facility is used by the Linux NFSv4.1/4.2 client for Kerberized mounts.
 It was handled by a fallback in the past, but is now supported directly.
 gitref:330aa8acdec7[repository=src] gitref:ff2f1f691cdb[repository=src]
+=== ZFS Changes
+OpenZFS has been upgraded to version 2.2.
+New features include:
+* block cloning, which allows shallow copies of blocks in file copies.
+This is optional, and disabled by default; it can be enabled with `sysctl vfs.zfs.bclone_enabled=1`.
+* scrub error log (`zpool scrub -e`)
+* BLAKE3 checksums, which are fast, and are now the recommended secure checksums
+* corrective `zfs receive` can heal corrupted data
+* vdev and zpool user properties, similar to dataset user properties.
+Performance improvements include:
+* fully adaptive ARC, a unified ARC that minimizes the need for manual tuning
+* zstd early abort, improving efficiency with uncompressible data
+* I/O prefetch improvements
+* general optimization.
+ZFS has been enabled on 32-bit `powerpc`/`powerpcspe`.
 === Boot Loader Changes
@@ -506,6 +579,20 @@ gitref:22893e584032[repository=src]
 The deprecated `NgATM` (netgraph ATM support) and remaining ATM support have been removed.
+The man:pf[4] packet filter now supports scrubbing with OpenBSD syntax and behavior.
+If there are no FreeBSD scrub rules, a global flag `set reassemble yes | no [no-df]` determines whether packet reassembly is done.
+Scrubbing, like setting tos, ttl, etc, can be done in match and pass rules, which also makes it stateful.
+Match rules are now fully supported, as on OpenBSD, not only for man:dummynet[4] queues.
+gitref:39282ef356db[repository=src] (Sponsored by InnoGames GmbH)
+man:pfsync[4] can now use IPv6 transport.
+gitref:6fc7fc2dbb2b[repository=src] (Sponsored by InnoGames GmbH) (Sponsored by The FreeBSD Foundation)
+The man:pfsync[4] packet format has been extended to improve support for queuing, scrubbing and route-to rules.
+This format is incompatible with older releases.
+The old format can be selected using `ifconfig pfsync0 version 1301`.
+This is especially important if members of a pfsync cluster are not upgraded simultaneously.
 WiFi 6 support has been added to wpa (man:wpa_supplicant[8] and man:hostapd[8]).
 gitref:c1d255d3ffdb[repository=src] gitref:3968b47cd974[repository=src] gitref:bd452dcbede6[repository=src]