git: 311ad5bc811d - main - UPDATING: document recent pf changes

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Fri, 06 Jun 2025 11:17:17 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=311ad5bc811d0d14da772cbb1333970266194ec7

commit 311ad5bc811d0d14da772cbb1333970266194ec7
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-05-28 08:46:26 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-06-06 11:16:01 +0000

    UPDATING: document recent pf changes
    
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D50664
---
 UPDATING | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/UPDATING b/UPDATING
index bee8b348f113..b12d31f4bec9 100644
--- a/UPDATING
+++ b/UPDATING
@@ -31,6 +31,16 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 15.x IS SLOW:
 	LinuxKPI dma-mapping.h were pulled into the tree from drm-kmod.
 	Bump _FreeBSD_version to 1500045 to be able to detect this change.
 
+20250527:
+	pf changed extension header handling. It now treats AH headers on IPv4 just
+	like AH headers on IPv6 and skips over them, allowing filtering on the inner
+	protocol.
+
+20250527:
+	pf now blocks IPv6 packets with a hop-by-hop or destination options header by
+	default. Such packets can be passed by adding "allow-opts" to the rule. IPv6
+	options are now handled just like their IPv4 counterparts.
+
 20250527:
 	The CAM target layer userland, i.e. ctld(8), ctladm(8) and ctlstat(8),
 	has moved to the new FreeBSD-ctl package.  If you use pkgbase and you
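
Review bot: The second added 20250527 entry announces a default that will drop traffic after an upgrade (IPv6 packets with a hop-by-hop or destination options header), but it does not tell readers to review existing rulesets before upgrading or where "allow-opts" is documented. Consider adding a pointer to pf.conf(5) and writing pf(4), the way the following entry writes ctld(8). The first added entry likewise leaves open whether existing IPv4 rules that match on AH itself are affected now that pf skips over the header; one sentence on that would help. Style: the added lines use a single space after periods and several run past 80 columns once the leading tab is counted, while the surrounding entries use two spaces and wrap earlier.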