freebsd-doc/website/content/en/releases/15.0R/relnotes.adoc

---
title: "FreeBSD 15.0-RELEASE Release Notes"
sidenav: download
---

:localRel: 15.0
:releaseCurrent: 15.0-RELEASE
:releaseBranch: 15-STABLE
:releasePrev: 14.0-RELEASE
:releaseNext: 15.1-RELEASE
:releaseType: "release"

include::shared/en/urls.adoc[]

= FreeBSD {releaseCurrent} Release Notes
:doctype: article
:toc: macro
:toclevels: 2
:icons: font

== Abstract

[.abstract-title]
The release notes for FreeBSD {releaseCurrent} contain a summary of the changes made to the FreeBSD base system on the {releaseBranch} development line.
This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland.
Some brief remarks on upgrading are also presented.

toc::[]

[[intro]]
== Introduction

This document contains the release notes for FreeBSD {releaseCurrent}.
It describes recently added, changed, or deleted features of FreeBSD.
It also provides some notes on upgrading from previous versions of FreeBSD.

The {releaseType} distribution to which these release notes apply represents the latest point along the {releaseBranch} development branch since {releaseBranch} was created.
Information regarding pre-built, binary {releaseType} distributions along this branch can be found at https://www.FreeBSD.org/releases/[].

The {releaseType} distribution to which these release notes apply represents a point along the {releaseBranch} development branch between {releasePrev} and the future {releaseNext}.
Information regarding pre-built, binary {releaseType} distributions along this branch can be found at https://www.FreeBSD.org/releases/[].

This distribution of FreeBSD {releaseCurrent} is a {releaseType} distribution.
It can be found at https://www.FreeBSD.org/releases/[] or any of its mirrors.
More information on obtaining this (or other) {releaseType} distributions of FreeBSD can be found in the link:{handbook}/mirrors[Obtaining FreeBSD appendix] to the link:{handbook}/[FreeBSD Handbook].

All users are encouraged to consult the release errata before installing FreeBSD.
The errata document is updated with "late-breaking" information discovered late in the release cycle or after the release.
Typically, it contains information on known bugs, security advisories, and corrections to documentation.
An up-to-date copy of the errata for FreeBSD {releaseCurrent} can be found on the FreeBSD Web site.

This document describes the most user-visible new or changed features in FreeBSD since {releasePrev}.
In general, changes described here are unique to the {releaseBranch} branch unless specifically marked as MERGED features.

Typical release note items document recent security advisories issued after {releasePrev}, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades.
They may also list changes to major ports/packages or release engineering practices.
Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements.

[[upgrade]]
== Upgrading from Previous Releases of FreeBSD

Binary upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the man:freebsd-update[8] utility.
See the release-specific upgrade procedure, link:../installation/#upgrade-binary[FreeBSD {releaseCurrent} upgrade information], with more details in the FreeBSD handbook link:{handbook}cutting-edge/#freebsdupdate-upgrade[binary upgrade procedure].
This will update unmodified userland utilities, as well as unmodified GENERIC kernels distributed as a part of an official FreeBSD release.
The man:freebsd-update[8] utility requires that the host being upgraded have Internet connectivity.

Source-based upgrades (those based on recompiling the FreeBSD base system from source code) from previous versions are supported, according to the instructions in [.filename]#/usr/src/UPDATING#.

[IMPORTANT]
====
Upgrading FreeBSD should only be attempted after backing up _all_ data and configuration files.
====

[[security-errata]]
== Included Security Fixes and Errata Patches

This section lists the various Security Advisories and Errata Notices since {releasePrev} that are fixed in {releaseCurrent}.

[[security]]
=== Fixed Security Advisories

[.informaltable]
[cols="1,1,1", frame="none", options="header"]
|===
| Advisory
| Date
| Topic

|https://www.freebsd.org/security/advisories/FreeBSD-SA-23:17.pf.asc[FreeBSD-SA-23:17.pf]
|05 December 2023
|TCP spoofing vulnerability in man:pf[4]

|https://www.freebsd.org/security/advisories/FreeBSD-SA-23:18.nfsclient.asc[FreeBSD-SA-23:18.nfsclient]
|12 December 2023
|NFS client data corruption and kernel memory disclosure

|https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc[FreeBSD-SA-23:19.openssh]
|19 December 2023
|Prefix Truncation Attack in the SSH protocol

|https://www.freebsd.org/security/advisories/FreeBSD-SA-24:01.bhyveload.asc[FreeBSD-SA-24:01.bhyveload]
|14 February 2024
|man:bhyveload[8] host file access

|https://www.freebsd.org/security/advisories/FreeBSD-SA-24:02.tty.asc[FreeBSD-SA-24:02.tty]
|14 February 2024
|man:jail[2] information leak

|https://www.freebsd.org/security/advisories/FreeBSD-SA-24:03.unbound.asc[FreeBSD-SA-24:03.unbound]
|28 March 2024
|Multiple vulnerabilities in unbound

|https://www.freebsd.org/security/advisories/FreeBSD-SA-24:04.openssh.asc[FreeBSD-SA-24:04.openssh]
|01 July 2024
|OpenSSH pre-authentication remote code execution

|https://www.freebsd.org/security/advisories/FreeBSD-SA-24:05.pf.asc[FreeBSD-SA-24:05.pf]
|07 August 2024
|pf incorrectly matches different ICMPv6 states in the state table

|https://www.freebsd.org/security/advisories/FreeBSD-SA-24:06.ktrace.asc[FreeBSD-SA-24:06.ktrace]
|07 August 2024
|man:ktrace[2] fails to detach when executing a setuid binary

|https://www.freebsd.org/security/advisories/FreeBSD-SA-24:07.nfsclient.asc[FreeBSD-SA-24:07.nfsclient]
|07 August 2024
|NFS client accepts file names containing path separators

|https://www.freebsd.org/security/advisories/FreeBSD-SA-24:08.openssh.asc[FreeBSD-SA-24:08.openssh]
|07 August 2024
|OpenSSH pre-authentication async signal safety issue

|https://www.freebsd.org/security/advisories/FreeBSD-SA-24:09.libnv.asc[FreeBSD-SA-24:09.libnv]
|04 September 2024
|Multiple vulnerabilities in libnv

|https://www.freebsd.org/security/advisories/FreeBSD-SA-24:10.bhyve.asc[FreeBSD-SA-24:10.bhyve]
|04 September 2024
|man:bhyve[8] privileged guest escape via TPM device passthrough

|https://www.freebsd.org/security/advisories/FreeBSD-SA-24:11.ctl.asc[FreeBSD-SA-24:11.ctl]
|04 September 2024
|Multiple issues in man:ctl[4] CAM Target Layer

|https://www.freebsd.org/security/advisories/FreeBSD-SA-24:12.bhyve.asc[FreeBSD-SA-24:12.bhyve]
|04 September 2024
|man:bhyve[8] privileged guest escape via USB controller

|https://www.freebsd.org/security/advisories/FreeBSD-SA-24:13.openssl.asc[FreeBSD-SA-24:13.openssl]
|04 September 2024
|Possible DoS in X.509 name checks in OpenSSL

|https://www.freebsd.org/security/advisories/FreeBSD-SA-24:14.umtx.asc[FreeBSD-SA-24:14.umtx]
|04 September 2024
|umtx Kernel panic or Use-After-Free

|https://www.freebsd.org/security/advisories/FreeBSD-SA-24:15.bhyve.asc[FreeBSD-SA-24:15.bhyve]
|19 September 2024
|man:bhyve[8] out-of-bounds read access via XHCI emulation

|https://www.freebsd.org/security/advisories/FreeBSD-SA-24:16.libnv.asc[FreeBSD-SA-24:16.libnv]
|19 September 2024
|Integer overflow in libnv

|https://www.freebsd.org/security/advisories/FreeBSD-SA-24:17.bhyve.asc[FreeBSD-SA-24:17.bhyve]
|29 October 2024
|Multiple issues in the bhyve hypervisor

|https://www.freebsd.org/security/advisories/FreeBSD-SA-24:18.ctl.asc[FreeBSD-SA-24:18.ctl]
|29 October 2024
|Unbounded allocation in man:ctl[4] CAM Target Layer

|https://www.freebsd.org/security/advisories/FreeBSD-SA-24:19.fetch.asc[FreeBSD-SA-24:19.fetch]
|29 October 2024
|Certificate revocation list man:fetch[1] option fails

|https://www.freebsd.org/security/advisories/FreeBSD-SA-25:01.openssh.asc[FreeBSD-SA-25:01.openssh]
|29 January 2025
|OpenSSH Keystroke Obfuscation Bypass

|https://www.freebsd.org/security/advisories/FreeBSD-SA-25:02.fs.asc[FreeBSD-SA-25:02.fs]
|29 January 2025
|Buffer overflow in some filesystems via NFS

|https://www.freebsd.org/security/advisories/FreeBSD-SA-25:03.etcupdate.asc[FreeBSD-SA-25:03.etcupdate]
|29 January 2025
|Unprivileged access to system files

|https://www.freebsd.org/security/advisories/FreeBSD-SA-25:04.ktrace.asc[FreeBSD-SA-25:04.ktrace]
|29 January 2025
|Uninitialized kernel memory disclosure via man:ktrace[2]

|https://www.freebsd.org/security/advisories/FreeBSD-SA-25:05.openssh.asc[FreeBSD-SA-25:05.openssh]
|21 February 2025
|Multiple vulnerabilities in OpenSSH

|https://www.freebsd.org/security/advisories/FreeBSD-SA-25:06.xz.asc[FreeBSD-SA-25:06.xz]
|02 July 2025
|Use-after-free in multi-threaded xz decoder

|https://www.freebsd.org/security/advisories/FreeBSD-SA-25:07.libarchive.asc[FreeBSD-SA-25:07.libarchive]
|08 August 2025
|Integer overflow in libarchive leading to double free

|https://www.freebsd.org/security/advisories/FreeBSD-SA-25:08.openssl.asc[FreeBSD-SA-25:08.openssl]
|30 September 2025
|Multiple vulnerabilities in OpenSSL

|https://www.freebsd.org/security/advisories/FreeBSD-SA-25:09.netinet.asc[FreeBSD-SA-25:09.netinet]
|22 October 2025
|`SO_REUSEPORT_LB` breaks man:connect[2] for UDP sockets

|https://www.freebsd.org/security/advisories/FreeBSD-SA-25:10.unbound.asc[FreeBSD-SA-25:10.unbound]
|26 November 2025
|Cache poison in local-unbound service
|===

[[errata]]
=== Patched Errata Notices

[.informaltable]
[cols="1,1,1", frame="none", options="header"]
|===
| Errata
| Date
| Topic

|https://www.freebsd.org/security/advisories/FreeBSD-EN-23:15.sanitizer.asc[FreeBSD-EN-23:15:sanitizer]
|01 December 2023
|Clang sanitizer failure with ASLR enabled

|https://www.freebsd.org/security/advisories/FreeBSD-EN-23:16.openzfs.asc[FreeBSD-EN-23:16:openzfs]
|01 December 2023
|OpenZFS data corruption

|https://www.freebsd.org/security/advisories/FreeBSD-EN-23:17.ossl.asc[FreeBSD-EN-23:17:ossl]
|05 December 2023
|man:ossl[4]'s AES-GCM implementation may give incorrect results

|https://www.freebsd.org/security/advisories/FreeBSD-EN-23:18.openzfs.asc[FreeBSD-EN-23:18:openzfs]
|05 December 2023
|High CPU usage by ZFS kernel threads

|https://www.freebsd.org/security/advisories/FreeBSD-EN-23:19.pkgbase.asc[FreeBSD-EN-23:19:pkgbase]
|05 December 2023
|Incorrect pkgbase version number for FreeBSD {releasePrev}.

|https://www.freebsd.org/security/advisories/FreeBSD-EN-23:20.vm.asc[FreeBSD-EN-23:20:vm]
|05 December 2023
|Incorrect results from the kernel physical memory allocator

|https://www.freebsd.org/security/advisories/FreeBSD-EN-23:21.tty.asc[FreeBSD-EN-23:21:tty]
|24 November 2023
|man:tty[4] IUTF8 causes a kernel panic

|https://www.freebsd.org/security/advisories/FreeBSD-EN-23:22.vfs.asc[FreeBSD-EN-23:22:vfs]
|05 December 2023
|ZFS snapshot directories not accessible over NFS

|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:01.tzdata.asc[FreeBSD-EN-24:01:tzdata]
|14 February 2024
|Timezone database information update

|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:02.libutil.asc[FreeBSD-EN-24:02:libutil]
|14 February 2024
|Login class resource limits and CPU mask bypass

|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:03.kqueue.asc[FreeBSD-EN-24:03:kqueue]
|14 February 2024
|man:kqueue_close[2] page fault on exit using man:rfork[2]

|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:04.ip.asc[FreeBSD-EN-24:04:ip]
|14 February 2024
|Kernel panic triggered by man:bind[2]

|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:05.tty.asc[FreeBSD-EN-24:05:tty]
|28 March 2024
|TTY Kernel Panic

|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:06.wireguard.asc[FreeBSD-EN-24:06:wireguard]
|28 March 2024
|Insufficient barriers in WireGuard man:if_wg[4]

|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:07.clang.asc[FreeBSD-EN-24:07:clang]
|28 March 2024
|Clang crash when certain optimization is enabled

|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:08.kerberos.asc[FreeBSD-EN-24:08:kerberos]
|28 March 2024
|Kerberos segfaults when using weak crypto

|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:09.zfs.asc[FreeBSD-EN-24:09:zfs]
|24 April 2024
|High CPU usage by kernel threads related to ZFS

|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:10.zfs.asc[FreeBSD-EN-24:10:zfs]
|19 June 2024
|Kernel memory leak in ZFS

|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:11.ldns.asc[FreeBSD-EN-24:11:ldns]
|19 June 2024
|LDNS uses nameserver commented out in resolv.conf

|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:12.killpg.asc[FreeBSD-EN-24:12:killpg]
|19 June 2024
|Lock order reversal in killpg causing livelock

|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:13.libc%2B%2B.asc[FreeBSD-EN-24:13:libc++]
|19 June 2024
|Incorrect size passed to heap allocated std::string delete

|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:14.ifconfig.asc[FreeBSD-EN-24:14:ifconfig]
|07 August 2024
|Incorrect ifconfig netmask assignment

|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:15.calendar.asc[FreeBSD-EN-24:15:calendar]
|04 September 2024
|man:cron[8] / man:periodic[8] session login

|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:16.pf.asc[FreeBSD-EN-24:16:pf]
|19 September 2024
|Incorrect ICMPv6 state handling in pf

|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:17.pam_xdg.asc[FreeBSD-EN-24:17:pam_xdg]
|20 October 2024
|XDG runtime directory's file descriptor leak at login

|https://www.freebsd.org/security/advisories/FreeBSD-EN-25:01.rpc.asc[FreeBSD-EN-25:01.rpc]
|29 January 2025
| NULL pointer dereference in the NFSv4 client

|https://www.freebsd.org/security/advisories/FreeBSD-EN-25:02.audit.asc[FreeBSD-EN-25:02.audit]
|29 January 2025
|System call auditing disabled by DTrace

|https://www.freebsd.org/security/advisories/FreeBSD-EN-25:03.tzdata.asc[FreeBSD-EN-25:03.tzdata]
|29 January 2025
|Timezone database information update

|https://www.freebsd.org/security/advisories/FreeBSD-EN-25:04.tzdata.asc[FreeBSD-EN-25:04.tzdata]
|10 April 2025
|Timezone database information update

|https://www.freebsd.org/security/advisories/FreeBSD-EN-25:05.expat.asc[FreeBSD-EN-25:05.expat]
|10 April 2025
|Update expat to 2.7.1

|https://www.freebsd.org/security/advisories/FreeBSD-EN-25:06.daemon.asc[FreeBSD-EN-25:06.daemon]
|10 April 2025
|man:daemon[8] missing signals

|https://www.freebsd.org/security/advisories/FreeBSD-EN-25:07.openssl.asc[FreeBSD-EN-25:07.openssl]
|10 April 2025
|Update OpenSSL to 3.0.16

|https://www.freebsd.org/security/advisories/FreeBSD-EN-25:08.caroot.asc[FreeBSD-EN-25:08.caroot]
|10 April 2025
|Root certificate bundle update

|https://www.freebsd.org/security/advisories/FreeBSD-EN-25:09.libc.asc[FreeBSD-EN-25:09:libc]
|02 July 2025
|Dynamically-loaded C++ libraries crashing at exit

|https://www.freebsd.org/security/advisories/FreeBSD-EN-25:10.zfs.asc[FreeBSD-EN-25:10:zfs]
|02 July 2025
|Corruption in ZFS replication streams from encrypted datasets

|https://www.freebsd.org/security/advisories/FreeBSD-EN-25:11.ena.asc[FreeBSD-EN-25:11:ena]
|02 July 2025
|`ena` resets and kernel panic on Nitro v4 or newer instances

|https://www.freebsd.org/security/advisories/FreeBSD-EN-25:12.efi.asc[FreeBSD-EN-25:12:efi]
|08 August 2025
|man:bsdinstall[8] not copying the correct loader on systems with IA32 UEFI firmware.

|https://www.freebsd.org/security/advisories/FreeBSD-EN-25:13.wlan_tkip.asc[FreeBSD-EN-25:13:wlan_tkip]
|08 August 2025
|net80211 TKIP crypto support fails for some drivers

|https://www.freebsd.org/security/advisories/FreeBSD-EN-25:14.route.asc[FreeBSD-EN-25:14:route]
|08 August 2025
|man:route[8] monitor buffers too much when redirected to a file

|https://www.freebsd.org/security/advisories/FreeBSD-EN-25:15.arm64.asc[FreeBSD-EN-25:15:arm64]
|16 September 2025
|arm64 man:syscall[2] allows unprivileged user to panic kernel

|https://www.freebsd.org/security/advisories/FreeBSD-EN-25:16.vfs.asc[FreeBSD-EN-25:16:vfs]
|16 September 2025
|man:copy_file_range[2] fails to set output parameters

|https://www.freebsd.org/security/advisories/FreeBSD-EN-25:17.bnxt.asc[FreeBSD-EN-25:17:bnxt]
|16 September 2025
|man:bnxt[4] fails to set media type in some cases

|https://www.freebsd.org/security/advisories/FreeBSD-EN-25:18.freebsd-update.asc[FreeBSD-EN-25:18:freebsd-update]
|30 September 2025
|man:freebsd-update[8] installs libraries in incorrect order
|===

[[userland]]
== Userland

This section covers changes and additions to userland applications, contributed software, and system utilities.

[[userland-config]]
=== Userland Configuration Changes

The Kerberos v5 Authentication Service, man:krb5kdc[8], has gained a new `kdc_restart` variable under man:daemon[8].
Set `kdc_restart="YES"` in man:rc.conf[5] to auto restart kdc on abnormal termination.
Set `kdc_restart_delay="N"` to the number of seconds to delay before restarting the kdc.
gitref:abc4b3088941[repository=src]

The `daily` man:periodic[8] scripts now show less context in emails by default to reduce output size.
The behavior can be controlled by the `daily_diff_flags` variable in man:periodic.conf[5].
Similarly, the changes shown by the security scripts show less context than previously, controlled by the `security_status_diff_flags` variable in man:periodic.conf[5].
gitref:538994626b9f[repository=src], gitref:37dc394170a5[repository=src], gitref:128e78ffb084[repository=src]

The man:bsnmpd[1] daemon no longer supports legacy UDP transport.
Users, that have not updated their `/etc/snmpd.config` since 12.0-RELEASE or older will need to merge in the new configuration.
In particular, the transport definition shall be changed from begemotSnmpdPortStatus OID to begemotSnmpdTransInetStatus.
gitref:9ba51cce8bbd[repository=src]

[[userland-programs]]
=== Userland Application Changes

The man:adduser[8] utility, used by man:bsdinstall[8], will now create a ZFS dataset for a new user's home directory if the parent directory resides on a ZFS dataset.
A command-line option is available to disable use of a separate dataset.
ZFS encryption is also available.
gitref:516009ce8d38[repository=src]

The man:date[1] program now supports nanoseconds.
For example: `date -Ins` prints "2024-04-22T12:20:28,763742224+02:00" and `date +%N` prints "415050400".
gitref:eeb04a736cb9[repository=src]
{{< sponsored "Klara, Inc." >}}

The man:dtrace[1] utility can now generate machine-readable output in JSON, XML, and HTML using man:libxo[3].
gitref:aef4504139a4[repository=src] {{< sponsored "Innovate UK" >}}

The man:lastcomm[1] utility now displays timestamps with a precision of seconds.
gitref:692c0a2e80c1[repository=src] {{< sponsored "DSS Gmbh" >}}

The man:ldconfig[8] utility now supports hints files of either byte order.
The default format is the native byte-order of the host.
gitref:fa7b31166ddb[repository=src]

The man:usbconfig[8] utility now reads the descriptions of usb vendor and products from [.filename]#/usr/share/misc/usb_vendors# when available, similar to what man:pciconf[8] does.
gitref:7b9a772f9f64[repository=src]

The man:env[1] utility has gained an option to change the directory, which closely resembles the feature in the GNU version of env, although it does not support long options.
gitref:08e8554c4a39[repository=src] {{< sponsored "Klara, Inc." >}}

The man:ps[1] utility now automatically removes canned displays' columns that contain same data as some explicitly-requested columns.
Before this change, if some user requested to add some "canned display" (options `-j`, `-l`, `-u` or `-v`), columns in it that were duplicates of explicitly-requested ones earlier on the command line were omitted, but this did not work the other way around, when a canned display appears before explicitly-requested columns.
Additionally, columns with different keywords but which are aliases to the same
keyword are now also considered holding the same data, in addition to columns having the same keyword.
gitref:cd768a840644[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

The man:ps[1] utility's `-O` option is now more versatile and predictable.
The man:ps[1] display's list of columns is now first built without taking into account the `-O` options.
In a second step, all columns passed via `-O` are finally inserted after the built-so-far display's first PID column (if it exists, else at start), in their order of appearance as arguments to the `-O` options.
gitref:5dad61d9b949[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

The man:ps[1] utility's `-a` and `-A` options now always show all processes.
When combined with other options affecting the selection of processes, except for `-X` and `-x`, option `-a` would have no effect (and `-A` would reduce to just `-x`).
This was in contradiction with the rule applying to all other selection options stating that one process is listed as soon as any of these options has been specified and selects it, which is both mandated by POSIX and arguably a natural expectation.
As a practical consequence, specifying `-a` or `-A` now causes all processes to be listed regardless of other selection options such as `-U`, `-p`, `-G`, etc., except for the `-X` and `-x` filter options, which continue to apply.
In particular, to list only processes from specific jails, one must not use `-a` with `-J`.
Option `-J`, contrary to its apparent initial intent, never worked as a filter in practice, except by accident with only `-a` due to the bug.
gitref:93a94ce731a8[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

The man:ps[1] utility now matches current user's processes using the effective user ID.
Previously, we would match using the real user ID.
This puts man:ps[1] in conformance with POSIX on that topic.
gitref:1aabbb25c9f9c4372[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

The man:ps[1] utility's `-U` flag now selects processes by real user IDs.
This is what POSIX mandates for option `-U` and arguably the behavior that most users actually need in most cases.
Before, `-U` would select processes by their effective user IDs (which is the behavior mandated by POSIX for option `-u`).
gitref:995b690d1398[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

The man:sysctl[8] utility has gained flags to filter jail prison and vnet variables,
so users do not have to contact the source code to tell whether a variable is a jail prison / vnet one or not.
gitref:615c9ce250ee[repository=src]

The man:grep[1] utility no longer follows symbolic links by default for recursive searches.
This matches the documented behavior in the manual page.
gitref:fc12c191c087[repository=src]

The man:mdo[1] utility now supports fully specifying all users and groups in the target credentials.
As a convenience, in addition to a full explicit specification, it allows starting from a baseline providing default values for all attributes, which is either the login credentials from some user in the password database or the current credentials, and then amending these attributes selectively.
The manual page has been updated to describe the new options and their interactions.
gitref:4ffcb1a4a99c[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}
{{< sponsored "Google LLC (GSoC 2025)" >}}

When booting in single-user mode, man:init[8] now changes the working directory to `/root`, using `/` only as a fallback.
The `/.profile` link to `/root/.profile` is no more installed.
gitref:b4b91207ab6f[repository=src],
gitref:ca771d7ae527[repository=src]

The deprecated man:ftpd[8] has been removed from the base system.
Users who still need it can install the `ftp/freebsd-ftpd` port.
gitref:259bb93b80c0[repository=src]

The Kerberos v5 database administration program learned how to dump the Heimdal KDC database in a format which can be loaded into the MIT KDC.
See https://wiki.freebsd.org/Kerberos/Heimdal2MIT_KDC_Migration for how to use `kadmin -l dump -f` to transfer/convert the KDC database.
gitref:9fd3b28d4e0d[repository=src],
gitref:23fbea8cf2f3[repository=src]

The man:bsdconfig[8] and man:bsdinstall[8] utilities now use man:bsddialog[1] instead of GNU dialog.
gitref:c36b3dbc99d1[repository=src],
gitref:04b465777a09[repository=src]

[[userland-contrib]]
=== Contributed Software

One True Awk (man:awk[1]) has been updated to 2nd Edition, with new -csv support and UTF-8 support.
The snapshot used is 20250804.
gitref:b45a181a74c8[repository=src]

The system reference manual toolchain, man:mandoc[1], has been updated to version 1.14.6 snapshot 2025-09-26. This version includes improved compatibility with groff and DocBook, improved html and markdown output, and the deprecation of the LIBRARY section.
gitref:c1c95add8c80[repository=src],
gitref:80c12959679a[repository=src],
gitref:4c07abdbacf4[repository=src],
gitref:06410c1b5163[repository=src],
gitref:59fc2b0166f7[repository=src]

The man:jemalloc[3] library has been updated to version 5.3.0.
gitref:c43cad871720[repository=src]

The man:bmake[1] build system has been upgraded to 20250804, providing many debugging
improvements, bug fixes such as detecting and rejecting `gmake`
syntax, and feature improvements such as a floating point argument to
`-j` being used as a multiple of the number of cpus available.

The man:sendmail[8] suite has been upgraded to version 8.18.1, addressing CVE-2023-51765.
gitref:58ae50f31e95[repository=src]

The man:bc[1] calculator has been upgraded to 7.1.0.
gitref:fdc4a7c8012b[repository=src]

The `blacklist` suite has been renamed upstream to `blocklist`.
Existing setups will continue to work emitting a warning.
The snapshot used is 20251026.
gitref:4afb96fdd272[repository=src]

The man:bsddialog[1] utility has been upgraded to 1.0.5.
gitref:0595e10ec773[repository=src]

The man:byacc[1] parser generator has been upgraded to 20240109.
gitref:822ca3276345[repository=src]

The `libarchive` library has been upgraded to 3.8.2.
gitref:8a0b57ba54f0[repository=src]

The `libcbor` library has been upgraded to 0.11.0.
gitref:1755b9daa693[repository=src] {{< sponsored "The FreeBSD Foundation" >}}

The `libcxxrt` library has been upgraded to vendor snapshot 6f2fdfebcd62.
gitref:d0dcee46d971[repository=src]

The `libfido2` library has been upgraded to 1.14.0.
gitref:128bace5102e[repository=src] {{< sponsored "The FreeBSD Foundation" >}}

The `libpcap` library has been upgraded to 1.10.5.
gitref:26f21a6494b4[repository=src] {{< sponsored "The FreeBSD Foundation" >}}

The man:ncurses[3] library has been upgraded to 6.5.
gitref:21817992b331[repository=src]

The man:tcpdump[1] utility has been upgraded to 4.99.5.
gitref:ec3da16d8bc1[repository=src] {{< sponsored "The FreeBSD Foundation" >}}

The `unbound` DNS validating resolver has been upgraded to 1.24.1.
gitref:a988846174e0[repository=src]

The `llvm` compiler infrastructure has been upgraded to 19.1.7-0-gcd708029e0b2.
gitref:dc3f24ea8a25[repository=src]

The OpenZFS filesystem has been updated to zfs-2.4.0-rc4.
gitref:7b5b0f43eb06[repository=src]

The man:xz[1] data compressors have been updated to 5.8.1.
gitref:128836d304d9[repository=src]

The man:less[1] pager has been updated to v679.
gitref:76bafc906926[repository=src]

The man:file[1] identifier has been updated to 5.46.
gitref:ae316d1d1cff[repository=src]

The man:zlib[3] data compression library has been updated to 1.3.1.
gitref:6255c67c3d1a[repository=src]

The Time Zone Database, `tzdata`, has been updated to 2025b.
gitref:475082194ac8[repository=src]

OpenSSH has been updated to 10.0p2.
.gitref:8e28d84935f2[repository=src] {{< sponsored "The FreeBSD Foundation" >}}

OpenSSL has been updated to 3.5.4.
gitref:c0366f908ff4[repository=src]

The Google Test C++ testing framework has been updated to 1.15.2.
One notable change is that GoogleTest 1.15.x now officially requires C++-14 (1.14.x required C++-11).
gitref:1d67cec52542[repository=src]

The `spleen` man:vt[4] console font has been updated to version 2.1.0.
gitref:26336203d32c[repository=src]

MIT KRB5 1.22.1 Kerberos replaces Heimdal 1.5.2 by default.
Heimdal 1.5.2 can still be built using the `WITHOUT_MITKRB5` flag.
Heimdal Kerberos will be entirely removed in FreeBSD 16.
See also the note about the `-f` flag to `kadmin -l dump` under section <<userland-programs>>.
gitref:ee3960cba106[repository=src],
gitref:0b9a631e0724[repository=src],
gitref:60f970b85e44[repository=src],
gitref:0d1496f0f1e7[repository=src],
gitref:cbb6e747af98[repository=src],
gitref:0559f30a882d[repository=src],
gitref:ae07a5805b19[repository=src],
gitref:f58febc4cefa[repository=src],
gitref:805498e49ae4[repository=src],
gitref:4cb1baa7d85c[repository=src],
gitref:188138106b9f[repository=src],
gitref:4680e7fcc70a[repository=src],
gitref:e447c252d0ec[repository=src],
gitref:5f8493bbf479[repository=src],
gitref:110111a6cca1[repository=src],
gitref:2a454b05f2c1[repository=src],
gitref:98d46e05ab08[repository=src],
gitref:6b28571cb6ba[repository=src],
gitref:ca9ccf0ce9ad[repository=src],
gitref:b98d0566b2bd[repository=src],
gitref:fb1ccc04adfe[repository=src],
gitref:dd0ec030f8fd[repository=src],
gitref:6c4771c73470[repository=src],
gitref:7b68893ffa9b[repository=src],
gitref:624b7beed5ac[repository=src],
gitref:04764f21855a[repository=src],
gitref:73ed0c7992fd[repository=src],
gitref:40a5abfc3f66[repository=src],
gitref:543b875a8ee4[repository=src],
gitref:c791ea80b5f7[repository=src],
gitref:383e7290c0b5[repository=src],
gitref:9a726ef24134[repository=src],
gitref:a245dc5d68c7[repository=src],
gitref:e26259f48afe[repository=src],
gitref:7d2cfb27d62f[repository=src],
gitref:619feb9dd00e[repository=src],
gitref:10eecc467f32[repository=src],
gitref:0c13e9c3c464[repository=src],
gitref:89c82750da1a[repository=src],
gitref:18a870751b03[repository=src],
gitref:ce9c325a2e92[repository=src],
gitref:cb3eac927b5d[repository=src],
gitref:5105e1ebecc7[repository=src],
gitref:b9b0e105c357[repository=src],
gitref:929f5966a9fd[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

The man:rtw88[4] driver has been updated to Linux v6.17.
A possible issue that devices cannot authenticate is still being investigated.
gitref:c1d365f39e08[repository=src] {{< sponsored "The FreeBSD Foundation" >}}

The man:rtw89[4] driver has been updated to Linux v6.17.
The driver is under-tested and may still have issues.
gitref:b35044b38f74[repository=src] {{< sponsored "The FreeBSD Foundation" >}}

The man:iwlwifi[4] driver has been updated to Linux v6.17.
The BE200 based chipsets will need newer firmware requiring further driver fixes which are not in this release.
gitref:69caa1cf3ce5[repository=src] {{< sponsored "The FreeBSD Foundation" >}}

[[userland-libraries]]
=== Runtime Libraries and API

The man:setusercontext[3] routine in `libutil` will now set the process priority (nice) from the [.filename]#.login.conf# file from the home directory under appropriate conditions, as well as the system man:login.conf[5].
The priority can now have the value `inherit`, indicating that the priority should be unchanged from that of the parent process.
Similarly, the umask can have the value `inherit`.
gitref:c328e6c6ccaa[repository=src],
gitref:d162d7e2ad32[repository=src],
gitref:f2a0277d3e51[repository=src]
{{< sponsored "Kumacom SAS" >}}

Many string and memory operations in the C library now use SIMD (single instruction multiple data) extensions for improved performance when available on amd64 systems; see man:simd[7].
{{< sponsored "The FreeBSD Foundation" >}}

There is now a much better implementation of the 128-bit `tgammal` function in the math library, man:math[3], on platforms that support it.
gitref:8df6c930c151[repository=src]

man:fma[3] now returns correctly-signed zero when provided certain small inputs (as observed in the Python test suite).
gitref:dc39004bc670[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

The `cap_rights_is_empty` function has been added.
It reports whether a `cap_rights_t` has no rights set.
gitref:e77813f7e4a3[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

`libcxxrt` has been updated to upstream 6f2fdfebcd62.
gitref:d9901a23bd2f[repository=src]

The accuracy of man:asinf[3] and man:acosf[3] has improved.
gitref:33c82f11c267[repository=src]

The man:setgroups[2] and man:getgroups[2] system calls and the man:initgroups[3] library function have been changed to avoid setting or reporting the effective group ID, now only concerning themselves with the supplementary groups.
The main purpose of this change is to avoid security issues going forward by becoming compatible with Linux/glibc, OpenBSD, NetBSD and illumos-based systems.
Consequently, almost all portable applications should already be compliant with this new behavior and will continue to work correctly or even get fixed in the process (see, e.g., gitref:239e8c98636a[repository=src] for an example affecting OpenSSH).
However, out of caution, porters, system administrators and users are advised to audit their applications using man:setgroups[2], man:getgroups[2] and man:initgroups[3], watching out for the following points.
Applications must be using man:setgid[2] or man:setegid[2] in addition to man:setgroups[2] or man:initgroups[3] to set the effective group ID.
They must not treat the first element of the array returned by man:getgroups[2] specially, but instead as any other supplementary group.
For more information, please consult the SECURITY CONSIDERATIONS sections that have been added to the man:setgroups[2], man:getgroups[2] and man:initgroups[3] manual pages.
Compatibility system calls and library functions have been provided so that binaries and libraries compiled on FreeBSD 14 systems or earlier will continue to work exactly as before.
gitref:9da2fe96ff2e[repository=src],
gitref:8878569103a3[repository=src],
gitref:7132fb5edbc9[repository=src],
gitref:2932e6f59bff[repository=src],
gitref:8878569103a3[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

`libc` contains compatibility functions enabling running executables/libraries compiled for older versions of FreeBSD.
Those that are themselves using compatibility system calls would not reference them correctly, causing misbehavior at runtime.
This has been fixed.
gitref:47f5f89dbd27[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

The man:readdir_r[3] function is deprecated and may be removed in future releases.
Using it in a program will result in compile-time and link-time warnings.
gitref:2bd157bc732a[repository=src]
{{< sponsored "Klara, Inc." >}}

The runtime linker man:rtld[1] has grown support for the static linker flag specified by `-z initfirst`.
gitref:78aaab9f1cf359f[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

[[userland-misc]]
=== Miscellaneous

The Gallant font for man:vt[4] has been updated with more than 4300 new glyphs, including support for Greek, Cyrillic, International Phonetic Association Extensions, Extended Latin characters, Zapf Dingbats, Tons of arrows, Tons of mathematical symbols, Letterlike symbols and enclosed alphanumerics, Pixel-perfect box drawing, Currency symbols, More punctuation, Just enough Katakana to say コンニチハ, Powerline glyphs in the Private Use Area at U+e0a0.
gitref:9e8c1ab0976c[repository=src]

Unicode support has been updated to 16.0.0 and CLDR to 45.0.0.
gitref:ddfc6f84f242[repository=src]

[[userland-deprecated-programs]]
=== Deprecated Applications

man:fdisk[8] has been deprecated in favor of man:gpart[8] for a long time but has not been removed, running this application will show a warning to migrate to man:gpart[8].
gitref:3958be5c29da[repository=src] {{< sponsored "The FreeBSD Foundation" >}}

Deprecation notice for man:syscons[4] has been added.
man:syscons[4] is not compatible with UEFI, does not support UTF-8, and is Giant-locked.
There is no specific timeline yet for removing it, but support for the Giant lock is expected to go away in one or two major release cycles.
gitref:8c922db4f3d9[repository=src] {{< sponsored "The FreeBSD Foundation" >}}

The cryptographically weak DSA signature algorithm was removed from OpenSSH, following upstream.

man:publickey[5] stuffs has been deprecated.
This uses DES and it is likely that nobody uses that in 2025.
gitref:9197c04a251b[repository=src]

[[cloud]]
== Cloud Support

This section covers changes in support for cloud environments.

{releaseCurrent} supports cloudinit, including the `nuageinit` startup script and support for a `config-drive` partition.
It is compatible with OpenStack and many hosting facilities.
See the https://cloud-init.io[cloud-init] web site and the commit messages,
gitref:16a6da44e28d[repository=src] gitref:227e7a205edf[repository=src] {{< sponsored "OVHcloud" >}}

Basic Cloudinit images no longer generate RSA host keys by default for
SSH.
gitref:b22be3bbb2de[repository=src]

The FreeBSD project is now publishing OCI-compatible container images.
gitref:8a688fcc242e[repository=src]

The FreeBSD project is now publishing Oracle Cloud Infrastructure images.
See the
link:https://cloudmarketplace.oracle.com/marketplace/app/freebsd-release[Oracle Cloud Infrastructure FreeBSD Listing]
for more information.
gitref:77b296a2582b[repository=src]

The "shutdown" and "reboot" API in the Amazon EC2 cloud now work for arm64 ("Graviton") instances.
gitref:28b881840df7[repository=src] {{< sponsored "Amazon" >}}

Several bug fixes and configuration changes collectively allow device hotplug on both x86 and arm64 ("Graviton") EC2 instances.
gitref:ce9a34b1614e[repository=src]
gitref:55c3348ed78f[repository=src]
gitref:d70bac252d30[repository=src]
{{< sponsored "Amazon" >}}

Users upgrading EC2 instances from earlier FreeBSD releases should set `hw.pci.intx_reroute=0` and `debug.acpi.quirks="56"` in `/boot/loader.conf`.

The FreeBSD project now publishes "small" EC2 images; these are the "base" images minus debug symbols, tests, 32-bit libraries, the LLDB debugger, the Amazon SSM Agent, and the AWS CLI.
gitref:953142d6baf3[repository=src] {{< sponsored "Amazon" >}}

The FreeBSD project now publishes "builder" EC2 images; these boot into a memory disk and extract a clean "base" image onto the root disk (mounted at `/mnt`) to be customized before creating an AMI.
gitref:584265890303[repository=src] {{< sponsored "Amazon" >}}

FreeBSD "base" EC2 images now boot up to 76% faster than corresponding {releasePrev} images, with the largest improvements found on arm64 ("Graviton") instances.

EC2 AMIs no longer generate RSA host keys by default for SSH.
RSA host key generation can be re-enabled by setting `sshd_rsa_enable="YES"` in
`/etc/rc.conf` if it is necessary to support very old SSH clients.
gitref:0aabcd75dbc2[repository=src]
{{< sponsored "Amazon" >}}

[[kernel]]
== Kernel

This section covers changes to kernel configurations, system tuning, and system control parameters that are not otherwise categorized.

[[kernel-general]]
=== General Kernel Changes

ktrace(2) will now record detailed information about capability mode
violations.
The kdump(1) utility has been updated to display such
information.
gitref:9bec84131215[repository=src],
gitref:96c8b3e50988[repository=src],
gitref:05296a0ff616[repository=src],
gitref:6a4616a529c1[repository=src],
gitref:0cd9cde767c3[repository=src],
gitref:aa32d7cbc92c[repository=src]

FreeBSD now natively implements the Linux man:inotify[2] interface.
The system calls themselves are not API-compatible, but libc provides an API-compatible interface, so software which relies on inotify can be run unmodified.
gitref:f1f230439fa4[repository=src],
{{< sponsored "Klara, Inc." >}}

The `fpu_kern_enter` and `fpu_kern_leave` routines have been implemented for powerpc, allowing the use of man:ossl[4] crypto functions in the kernel that use floating point and vector registers.
gitref:91e53779b4fc[repository=src]

Support legacy PCI hotplug on arm64.
gitref:355f02cddbf0[repository=src].
{{< sponsored "Arm Ltd" >}}

Jails can now be accessed via jail descriptors in jail_set(2) and jail_get(2), as well as the new jail_attach_jd(2) and jail_remove_jd(2).  They allow manipulation of jails through the file descriptor interface without the race conditions inherent in jail IDs, and can also optionally control jail lifetime.
gitref:851dc7f859c2[repository=src]

Jails and jail descriptors now have associated kevent(2) filters that allow tracking jail creation, changes, attachment, and removal.
gitref:1bd74d201a53[repository=src]
gitref:9d7f89ef2607[repository=src]

A new common 'mac' node for MAC modules' jail parameters has been created.
All future MAC modules' jail parameters will appear under this node.
See man:mac[4] for an introduction to MAC.
First consumer is man:mac_do[4].
gitref:5041b20503db[repository=src], gitref:f3a06ced2568[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

man:mac_do[4] is now considered production-ready, after a number of important fixes.
gitref:bbf8af664dc9[repository=src],
gitref:292c814931d9[repository=src],
gitref:53d2e0d48549[repository=src],
gitref:add521c1a5d2[repository=src],
gitref:2a20ce91dc29[repository=src],
gitref:fa4352b74580[repository=src],
gitref:3d8d91a5b32c[repository=src],
gitref:8f7e8726e3f5[repository=src],
gitref:89958992b618[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

man:mac_do[4] now supports changing rules within jails with the `security.mac.do.rules` man:sysctl[8] knob.
gitref:b3f93680e39b[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

Introduce the man:setcred[2] system call and associated MAC hooks.
This new system call allows to set all necessary credentials of a process in one go: Effective, real and saved  user IDs, effective, real and saved group IDs, supplementary groups and the MAC label.
Besides providing atomicity, its advantage over standard credentials-setting system calls, such as `setuid()`, `seteuid()`, etc., is that it enables MAC modules, such as man:mac_do[4], to restrict the set of credentials some process may gain in a fine-grained manner, as they can now see the final desired state and compare it with the initial one.
gitref:ddb3eb4efe55[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

Support multiple users and groups as single rule's targets in man:mac_do[4].
Supporting group targets is a requirement for man:mac_do[4] to be able to enforce a limited set of valid new groups in the target credentials and to allow group-only credentials transitions.
The allowed groups are tied to one or multiple user IDs.
Multiple users and groups in a rule's target part are treated as alternatives (inclusive disjunction), except for the clauses expressing the mandatory presence or absence of a supplementary group.
The rules syntax has been changed incompatibly, but migrating existing rules is just a matter of adding `uid=` in front of the target part, substituting commas (`,`) with semi-colons (`;`) and colons (`:`) with greater-than signs (`>`).
Please consult the man:mac_do[4] manual page for more information.
gitref:83ffc412b2e9[repository=src],
gitref:8f7e8726e3f5[repository=src],
gitref:f01d26dec67f[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

Teach man:sysctl[8] to attach and run itself in a jail.
This allows the parent jail to retrieve or set kernel state when child does not have man:sysctl[8] installed (for example light weighted OCI containers or slim jails).
This is especially useful when manipulating jail prison or vnet sysctls.
For example, `sysctl -j foo -Ja` or `sysctl -j foo net.fibs=2`.
gitref:8d5d7e2ba3a6[repository=src].

Enable vnet man:sysctl[9] variables to be loader tunable.
In gitref:3da1cf1e88f8[repository=src], the meaning of the flag `CTLFLAG_TUN` is extended to automatically check if there is a kernel environment variable which shall initialize the `SYSCTL` during early boot.
It works for all `SYSCTL` types both statically and dynamically created ones, except for the `SYSCTLs` which belong to VNETs.
Note that the implementation has a limitation.
It behaves the same way as that of non-vnet loader tunables.
That is, after the kernel or modules being initialized, any changes (for example via `kenv`) to kernel environment variable will not affect the corresponding vnet variable of subsequently created VNETs.
To overcome it, `TUNABLE_XXX_FETCH` can be used to fetch the kernel environment variable into those vnet variables during vnet constructing.
gitref:894efae09de4[repository=src]

man:sound[4]: Allocate vchans on-demand.
Refactor `pcm_chnalloc()` and merge with parts of `vchan_setnew()` (now removed) and `dsp_open()`’s channel creation into a `new dsp_chn_alloc()` function.
The function is responsible for either using a free HW channel (if `vchans` are disabled), or allocating a new vchan.
`hw.snd.vchans_enable` (previously `hw.snd.maxautovchans`) and `dev.pcm.X.{play|rec}.vchans` now work as tunables to only enable/disable `vchans`, as opposed to setting their number and/or (de-)allocating vchans.
Since these sysctls do not trigger any (de-)allocations anymore, their effect is instantaneous, whereas before it could have frozen the machine (when trying to allocate new vchans) when setting `dev.pcm.X.{play|rec}.vchans` to a very large value.
gitref:960ee8094913[repository=src].
{{< sponsored "The FreeBSD Foundation" >}}

The `hw.snd.version` man:sysctl[8] knob was removed.
gitref:7398d1ece5cf[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

The `unit.*` code in man:sound[4] was retired, and as part of that the `hw.snd.maxunit` man:loader[8] tunable was removed.
gitref:25723d66369f[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

Gradual slowdowns and freezes experienced by owners of some AMD GPUs using the amdgpu DRM driver from the `drm-kmod` ports, starting with v5.15 (`graphics/drm-515-kmod` port), have been fixed.
In particular, owners of graphics cards with Green Sardine, Polaris 10 and 20 and Vega chips were known to be affected.
Recent Intel-based GPUs (gen 13+) may also have been affected.
gitref:718d1928f874[repository=src],
gitref:4ca9190251bb[repository=src],
gitref:986edb19a49c[repository=src],
gitref:9d1f3ce79d85[repository=src],
gitref:da257e519bc0[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

The code iterating over memory domains (NUMA) was improved and fixed in a number of ways, resulting in particular in decreased latency for some graphical operations with DRM drivers.
gitref:da257e519bc0[repository=src],
gitref:83ad6d8d8eee[repository=src],
gitref:b15ff7214020[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

The effective group ID is now stored in the new `cr_gid` field of `struct cred` and has been removed as the first element of `cr_groups[]`, which now only contains the supplementary groups.
All downstream and out-of-tree modules using `cr_groups[0]` must be fixed to use `cr_gid` instead, and surrounding code that loops on `cr_groups[]` elements excluding `cr_groups[0]`, i.e., that intends to act on supplementary groups only, also needs to be adjusted as now supplementary groups start at `&cr_groups[0]` instead of `&cr_groups[1]`.
Code that needs to be portable to both 15.0 and earlier versions can use `cr_gid`, which existed also previously as a macro, and can test the truth value of `&cr_groups[0] != &cr_gid` to know how to browse the supplementary groups adequately.
gitref:be1f7435ef218b1df35[repository=src]
{{< sponsored "the FreeBSD Foundation" >}}

[[kernel-architecture-specific]]
=== Architecture-Specific Changes

On amd64, FreeBSD now supports more than 4TB of RAM on modern machines that have the LA57 CPU feature.
gitref:d390633cf8cf[repository=src]
{{< sponsored "the FreeBSD Foundation" >}}

On amd64, handling of the `%fsbase`/`%gsbase` registers and tls base were reworked, making it more useful for apps that directly manipulate CPU context.
gitref:68ba38dad3[repository=src]
{{< sponsored "the FreeBSD Foundation" >}}

[[drivers]]
== Devices and Drivers

This section covers changes and additions to devices and device drivers since {releasePrev}.

[[drivers-device]]
=== Device Drivers

A driver is available for man:ice[4] Ethernet network controllers in the Intel E800 series, which support 100 Gb/s operation.
It was upgraded to version 1.43.2-k.
gitref:38a1655adcb3[repository=src] {{< sponsored "Intel Corporation" >}}

Numerous stability improvements have been in the man:iwlwifi[4] driver for Intel Wi-Fi devices.
{{< sponsored "The FreeBSD Foundation" >}}

Multiple PCI MCFG regions are now supported on amd64, allowing PCI configuration space access for domains (segments) other than 0.
gitref:4b5f64408804[repository=src]

The man:smsc[4] Ethernet driver can now fetch the value of `smsc95xx.macaddr` passed by some Raspberry Pi models and use it for the MAC address.
It always uses a stable MAC address even if there is no address in EEPROM.
gitref:028e4c6548e4[repository=src]

The `snd_clone` framework has been removed from the sound subsystem, including related sysctls, simplifying the system.
The per-channel nodes ([.filename]#/dev/dspX.Y#) are no longer created, just the primary device ([.filename]#/dev/dspX#).
gitref:e6c51f6db8d7[repository=src] {{< sponsored "The FreeBSD Foundation" >}}

Audio now supports asynchronous device detach.
This greatly simplifies hot plugging and unplugging of things such as USB headsets, and eases use of PulseAudio in cases that require operating system sleep and wake (suspend and resume).
gitref:d692c314d29a[repository=src] {{< sponsored "The FreeBSD Foundation" >}}

`ice_ddp` has been upgraded to 1.3.41.0.
gitref:a9d78bb714e3[repository=src] {{< sponsored "Intel Corporation" >}}

Tiger Lake-H support has been added to the man:hda[4] driver.
gitref:dbb6f488df6e[repository=src]

Meteor Lake support has been added to the man:ichsmb[4] driver.
gitref:14c22e28e4ee[repository=src]
{{< sponsored "Framework Computer Inc" >}}
{{< sponsored "The FreeBSD Foundation" >}}

Meteor Lake support has been added to the man:ig4[4] driver.
gitref:56f0fc0011c2[repository=src]

Support for Realtek 8156/8156B has been moved from man:cdce[4] to man:ure[4] for improved performance and reliability.
gitref:630077a84186[repository=src] {{< sponsored "The FreeBSD Foundation" >}}

Support for ACPI GPIO _AEI objects has been added.
gitref:1db6ffb2a482[repository=src] {{< sponsored "Amazon" >}}

man:nvme[4] and man:nvmecontrol[8] have been enabled on all architectures.
gitref:24687a65dd7f[repository=src], gitref:aba2d7f89dcf[repository=src]
{{< sponsored "Chelsio Communications and Netflix" >}}

man:mpi3mr[4] driver version has been updated to 8.14.0.2.0.
gitref:e6d4b221ba7c[repository=src]

man:mpi3mr[4] MPI Header has been updated to Version 36.
This aligns with the latest MPI specification.
This includes updated structures, field definitions, and constants required for compatibility with updated firmware.
gitref:60cf1576501d[repository=src]

The man:mpi3mr[4] driver is now in GENERIC.
gitref:e2b8fb2202c2[repository=src]

man:iwmbtfw[4]: Add support for 9260/9560 bluetooth adapters.
Required firmware files are already included in to package:comms/iwmbt-firmware[] port.
gitref:8e62ae9693bd[repository=src]

man:ena[4] driver version has been updated to v2.8.1.
gitref:a1685d25601e[repository=src] {{< sponsored "Amazon, Inc." >}}

man:bnxt[4]: Enable NPAR support on BCM57504 10/25GbE NICs.
gitref:54f842ed8897[repository=src]

man:bnxt[4]: Add 5760X (Thor2) PCI IDs support.
Add Thor2 PCI IDs.
gitref:45e161020c2d[repository=src]

man:bnxt[4]: Add support for 400G speed modules.
gitref:32fdad17f060[repository=src]

man:ix[4]: Add support for 1000BASE-BX SFP modules.
Add support for 1Gbit BiDi modules.
Add support for Intel Ethernet Network Adapter E610.
gitref:89d4096950c4[repository=src]
gitref:dea5f973d0c8[repository=src]

man:igc[4]: Fix attach for I226-K and LMVP devices.
The device IDs for these were in the driver's list of PCI ids to attach to, but `igc_set_mac_type()` had never been setup to set the correct mac type for these devices.
Fix this by adding these IDs to the switch block in order for them to be recognized by the driver instead of returning an error.
This fixes the man:igc[4] attach for the I226-K LOM on the ASRock Z790 PG-ITX/TB4 motherboard, allowing it to be recognized and used.
gitref:f034ddd2fa38[repository=src].

Remove old itr sysctl handler from man:em[4].
This implementation had various bugs.  The unit conversion/scaling was wrong, and it also did not handle 82574L or man:igb[4] devices correctly.
With the new AIM code, it is expected most users will not need to manually tune this.
gitref:edf50670e215[repository=src]
{{< sponsored "BBOX.io" >}}

Added support for Brainboxes USB-to-Serial adapters in man:uftdi[4].
gitref:47db906375b5[repository=src]

The man:iwx[4] driver has been added, supporting the Intel Wi-Fi 6 series of M.2 wireless network adapters.
gitref:2ad0f7e91582[repository=src] {{< sponsored "The FreeBSD Foundation" >}}

A new cellular modem driver supports USB network devices implementing the Mobile Broadband Interface Model (MBIM): man:umb[4].
The accompanying man:umbctl[8] tool is used to display or set MBIM cellular modem interface parameters (4G/LTE).
gitref:0f1bf1c22a0c[repository=src] {{< sponsored "The FreeBSD Foundation" >}}

man:smbios[4] now searches for the SMBIOS v3 (64-bit) entry point first also if booted from BIOS.
This allows to detect and report the proper SMBIOS version with BIOSes that only provide the v3 table, as happens on Hetzner virtual machines.
For machines that provide both, leverage the v3 table in priority consistently with the EFI case.
gitref:bc7f6508363c[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

The man:usbhid[4] driver is now enabled by default, and is used in preference to other USB HID drivers like man:ukbd[4], man:ums[4], and man:uhid[4].
Supported device classes now include:

- Absolute‐positioning mice in virtualized environments via man:hms[4]
- Digitizers and stylus devices via man:hpen[4]
- Compound HID devices, such as keyboards and mice that share
  a single USB interface
- Special keyboard function keys (volume, brightness, etc.) via man:hcons[4]
  and man:hsctrl[4]
- Game controllers, including Xbox 360 and PS4 gamepads via man:xb360gp[4] and
  man:ps4dshock[4], and generic controllers via man:hgame[4]
- Raw HID devices via man:hidraw[4]

FIDO/U2F security tokens continue to be supported through the autoloaded
man:u2f[4] driver. Device names and protocol handling for these devices are
unchanged.
gitref:74072e9f16c1[repository=src] {{< sponsored "The FreeBSD Foundation" >}}

The man:udbc[4] driver has been added enabling host side debugging of targets using xHC debug.
gitref:d566b6a70bcb[repository=src] {{< sponsored "The FreeBSD Foundation" >}}

The man:ufshci[4] driver has been added, supporting Universal Flash Storage (UFS) host controllers.
gitref:1349a733cf28[repository=src]  {{< sponsored "Samsung Electronics" >}}

The man:mlx5[4] driver now supports inline IPSEC offload on Nvidia ConnectX-6+ network cards, leveraging the new in-kernel IPSEC offload infrastructure.
gitref:e23731db48ef[repository=src]
{{< sponsored "NVIDIA networking" >}}

Support for the watchdog timer in Intel 6300ESB I/O controller hub has been included in the man:ichwd[4] driver.
This is intended primarily for QEMU users, where that watchdog timer serves as the default and only one for x86 virtual machines.
gitref:2b74ff5fceb6623f6[repository=src]

The man:qat[4] driver has grown support for the 402xx device with ID 0x4944/0x4945.
gitref:138e36514fe8[repository=src]
{{< sponsored "Intel Corporation" >}}

[[drivers-removals]]
=== Deprecated and Removed Drivers

man:agp[4] has been planned for removal in FreeBSD 16.0, and the man page now states that it is deprecated.
gitref:92af7c97e197[repository=src]
gitref:cadadd1a0398[repository=src]

man:syscons[4] has been planned for removal in future releases, and has been noted as deprecated in the man pages to notify users to migrate to man:vt[4].
gitref:2bc5b1d60512[repository=src] {{< sponsored "The FreeBSD Foundation" >}}

[[storage]]
== Storage

This section covers changes and additions to file systems and other storage subsystems, both local and networked.

[[storage-nfs]]
=== NFS

The default value of the `nfs_reserved_port_only` man:rc.conf[5] setting has
changed.
The FreeBSD NFS server now requires the source port of requests to be in the
privileged port range (i.e., ≤ 1023), which generally requires the client to
have elevated privileges on their local system.
The previous behavior can be restored by setting `nfs_reserved_port_only=NO` in
man:rc.conf[5].
gitref:6d5ce2bb6344[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

Define a new `-a` command line option man:mountd[8] that prevents exporting a file system with the `-alldirs` flag if the directory path is not a server file system mount point.
gitref:07cd69e272da[repository=src]

The layout of NFS file handles for the man:tarfs[4], man:tmpfs[4], man:cd9660[4], and man:ext2fs[4] file systems has changed.
An NFS server that exports any of these file systems will need its clients to unmount and remount the exports.
gitref:4db1b113b151[repository=src],
gitref:1ccbdf561f41[repository=src],
gitref:205659c43d87[repository=src],
gitref:cf0ede720391[repository=src],
gitref:8ae6247aa966[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

The man:mountd[8] server has been modified to use man:strunvis[3] to decode directory names in man:exports[5] file(s).
This allows special characters, such as blanks, to be embedded in the directory name.
`vis -M` may be used to encode such directory names; see man:vis[1].
gitref:2c83f1ada435[repository=src]

New man:sysctl[8] variables have been added under `kern.rpc.unenc` and `kern.rpc.tls`, which allow an NFS server administrator to determine how much NFS-over-TLS is being used.
A large number of failed handshakes might indicate an NFS configuration problem.
gitref:b8e137d8d32d[repository=src]

The utilization of NFSv4.1/4.2 delegations was improved when the `nocto` mount option is used.
This requires an up-to-date NFSv4.1/4.2 server with delegations enabled.
For example, when building a FreeBSD kernel with both `src` and `obj` NFSv4 mounted, the total RPC count drops from 5461286 to 945643, with a 20% drop in elapsed time.
gitref:171f66b0c2ca[repository=src],
gitref:50e733f19b37[repository=src]

New support for the NFSv4.2 Clone operation, which uses block cloning to "copy on write" files on an NFS server.
This only works for exported ZFS file systems that have block cloning enabled, at this time.
gitref:cce64f2e6851[repository=src]

[[storage-ufs]]
=== UFS

Soft updates are now enabled by default when creating a new UFS file system with man:newfs[8].
gitref:6b2af2d88ffd[repository=src]

Reliability of UFS on volumes with more than 2G of inodes is significantly improved.
The underlying issue was the invalid interpretation of the 32-bit inode number as signed, which got sign-extended into `ino_t`.
gitref:c069ca085bd1[repository=src],
gitref:e36f069ecb47[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

Defer the January 19, 2038 date limit in UFS1 filesystems to February 7, 2106.
This affects only filesystems with old UFS1 format.
See the commit message for details.
gitref:1111a44301da[repository=src]

[[storage-zfs]]
=== ZFS

Add support to `VOP_COPY_FILE_RANGE()` for block cloning.
At this time, ZFS is the only local file system that supports this and only if block cloning is enabled.
NFSv4.2 also supports it.
See `pathconf(2)` and `copy_file_range(2)` for more information.
gitref:37b2cb5ecb0f[repository=src]

[[storage-geom]]
=== GEOM

Support for vinum volumes has been removed.
gitref:f87bb5967670[repository=src],
gitref:e51036fbf3f8[repository=src]

[[storage-general]]
=== General Storage

Add Solaris style extended attributes (called named attributes in NFSv4).
At this time, only ZFS when the ZFS property called xattr=dir and NFSv4 support them.
The attributes are presented in a directory as regular files.
See named_attribute(7) for more information.
gitref:2ec2ba7e232d[repository=src],
gitref:df58e8b1506f[repository=src],
gitref:f61844833ee8[repository=src],
gitref:b1b607bd200f[repository=src],
gitref:ee95e4d02dbd[repository=src]

Allow to specify as many groups as configured to be supported by the system in `-maproot` or `-mapall` options in  man:exports[5].
Previously, the cap was `NGROUPS_MAX + 1`, where `NGROUPS_MAX` is just the minimum maximum of the number of allowed supplementary groups.
Now use the proper `{NGROUPS_MAX} + 1` value, with `{NGROUPS_MAX}` being fetched at runtime via man:sysconf[3].
gitref:e87848a8150e[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

Add support for accessing remote NVMe over Fabrics controllers over the TCP transport.
New commands added to man:nvmecontrol[8] are used to establish connections to remote controllers.
Once connections are established they are handed off to the man:nvmf[4] kernel module which creates `nvme__X__` devices and exports remote namespaces as man:nda[4] disks.
gitref:a1eda74167b5[repository=src],
gitref:1058c12197ab[repository=src]
{{< sponsored "Chelsio Communications" >}}

Add support for exporting namespaces to remote NVMe over Fabrics hosts over the TCP transport.
The man:nvmft[4] kernel module adds a new frontend to the CAM target layer which exports man:ctl[4] LUNs as NVMe namespaces to remote hosts.
The man:ctld[8] daemon now supports NVMe controllers in addition to iSCSI targets and is responsible for accepting incoming connection requests and handing off connected queue pairs to man:nvmft[4].
gitref:a15f7c96a276[repository=src],
gitref:66b5296f1b29[repository=src]
{{< sponsored "Chelsio Communications" >}}

Add support for dynamicly resizing NVMe namespaces.
The man:nvd[4] and man:nda[4] drivers now notify geom of sizes changes in real time.
gitref:86d3ec359a56[repository=src]
{{< sponsored "Netflix" >}}

[[boot-loader]]
== Boot Loader Changes

This section covers the boot loader, boot menu, and other boot-related changes.

The ASCII man:loader[8] art may once again be enabled on graphical systems via an optional `loader_gfx` variable in loader.conf[5].
gitref:bef6d85b6de5[repository=src]

The man:loader[8] now reads local configuration files listed in the variable `local_loader_conf_files` after other configuration files, defaulting to [.filename]#/boot/loader.conf.local#.
gitref:a25531db0fc2[repository=src]

The man:loader[8] can now be configured to read specific configuration files based on the planar maker, planar product, system product and uboot m_product variables from the SMBIOS.
For the moment, the best documentation is the git commit message,
gitref:3eb3a802a31b[repository=src].

Console detection in man:loader[8] has been improved on EFI systems.
If there is no ConOut variable, ConIn is checked.
If multiple devices are found, serial is preferred.
gitref:20a6f4779ac6[repository=src] {{< sponsored "Netflix" >}}

Frame buffer support in man:loader[8] can now use a text-only video driver, resulting in space savings.
gitref:57ca2848c0aa[repository=src] {{< sponsored "Netflix" >}}

The detection of ACPI is now done earlier in man:loader.efi[8] on arm64 systems.
The copy of [.filename]#loader.efi# on the EFI partition should be updated on arm64 systems using ACPI.
gitref:05cf4dda599a[repository=src] gitref:16c09de80135[repository=src]

The LinuxBoot loader can be used to boot FreeBSD from Linux on aarch64 systems as well as amd64.
gitref:46010641267[repository=src] {{< sponsored "Netflix" >}}

The BIOS boot loader added back support for gzip and bzip2, but removed support for graphics mode (by default) to address size problems.
(The EFI boot loader is unchanged with support for all of those.)
gitref:4d3b05a8530e[repository=src] {{< sponsored "Netflix" >}}

The BIOS boot loader will now use the SMBIOS v3 (64-bit) entry point if its table is below 4GB.
The BIOS boot loader is compiled 32-bit as a client of BTX even on amd64, so cannot access addresses beyond 4GB.
However, the 64-bit entry point may refer to a structure table below 4GB, which can be used if the BIOS does not provide a 32-bit entry point, as happens on Hetzner virtual machines.
gitref:7f005c6699f4[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

The BIOS boot loader now favors the SMBIOS v3 (64-bit) entry point.
When both the 32-bit and 64-bit entry points are present, the SMBIOS specification says that the 64-bit entry point always has at least all the structures the 32-bit entry point refers to.
In other words, the 32-bit entry point is provided for compatibility, so it is assumed the 64-bit one has more chances to be filled with adequate values.
gitref:3f744fb8b2c5[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

The EFI boot loader now favors the SMBIOS v3 (64-bit) entry point.
Consistently with what is done with BIOS boot.
There is a difference though: As the EFI loader runs in 64-bit mode on 64-bit platforms, there is no restriction that the v3 entry point's structure table should be below 4GB.
gitref:96f77576e9ea[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

[[network]]
== Networking

This section describes changes that affect networking in FreeBSD.

[[network-general]]
=== General Network

FreeBSD now implements the `SO_SPLICE` interface, originally from OpenBSD.
This features allows userspace applications to splice two connected TCP sockets together, after which data arriving on one socket is automatically forwarded through the socket to which it is spliced, instead of being delivered to the application.
gitref:a1da7dc1cdad[repository=src]
{{< sponsored "Klara, Inc." >}}
{{< sponsored "Stormshield" >}}

The man:ifconfig[8] utility will no longer accept assigning IP addresses to the underlying member interfaces of a man:bridge[4].
To temporarily bypass this safeguard, use the `net.link.bridge.member_ifaddrs` man:sysctl[8].
This sysctl is expected to be removed in FreeBSD 16.
gitref:b61850c4e6f6[repository=src]

ARP (man:arp[4]) support for 802-standard networks has been restored; it had been accidentally removed with FDDI support.
(This is different than the Ethernet standard encapsulation.)
gitref:d776dd5fbd48[repository=src]

It is possible to build a kernel with IPv6 support (INET6) without IPv4 (INET).
gitref:6df9fa1c6b83[repository=src] and others

The netgraph man:ng_ipfw[4] module no longer truncates cookies to 16 bits, allowing a full 32 bits.
gitref:dadf64c5586e[repository=src]

AIM(Adaptive Interrupt Moderation) support has been added to the man:igc[4] driver.
gitref:472a0ccf847a[repository=src] {{< sponsored "Rubicon Communications, LLC (\"Netgate\") and BBOX.io" >}}

This feature has also been added to the man:lem[4], man:em[4] and man:igb[4] drivers.
A major regression in UDP performance introduced in FreeBSD 12.0, including NFS over UDP, is believed to be fixed with this change.
gitref:49f12d5b38f6[repository=src] {{< sponsored "Rubicon Communications, LLC (\"Netgate\") and BBOX.io" >}}

Teach man:ip6addrctl[8] to attach and run itself in a jail.
This will make it easier to manage address selection policies of vnet jails, especially for those light weighted OCI containers or slim jails.
gitref:b709f7b38cc4[repository=src]

Convert `PF_DEFAULT_TO_DROP` into a vnet loader tunable 'net.pf.default_to_drop' for man:pf[4].
gitref:7f7ef494f11d[repository=src] introduced a compile time option `PF_DEFAULT_TO_DROP` to make the man:pf[4] default rule to drop.
While this change exposes a vnet loader tunable 'net.pf.default_to_drop' so that users can change the default rule without re-compiling the man:pf[4] module.
gitref:3965be101c43[repository=src]

A new man:pf[4] route-to pool option "prefer-ipv6-nexthop" allows for routing IPv4 packets over IPv6 gateways.
gitref:65c318630123[repository=src] gitref:d2761422eb0a[repository=src] {{< sponsored "InnoGames GmbH" >}}

man:pf[4] now supports the OpenBSD style NAT syntax.
It is possible to use "nat-to", "rdr-to" and "binat-to" on "pass" and "match" rules. The old "nat on ..." syntax can still be used.
gitref:e0fe26691fc9[repository=src] {{< sponsored "InnoGames GmbH" >}}

The man:pfsync[4] protocol has been updated to synchronize multiple missing attributes.
This fixes synchronizing of states with route-to, af-to, rtable, dummynet, tags, and scrub options.
If synchronization with an older version of FreeBSD is needed the protocol version can be configured with `ifconfig pfsync0 version $VERSION` where $VERSION is 1301 for 13.X relases or 1400 for 14.X.
It defaults to 1500 for synchronization between hosts running FreeBSD 15.0.
gitref:99475087d63b[repository=src] {{< sponsored "InnoGames GmbH" >}}

Kernel TLS support is now enabled by default in `GENERIC` (default) kernels for aarch64, amd64, powerpc64, and powerpc64le.
gitref:b2f7c53430c3[repository=src]
{{< sponsored "Chelsio Communications" >}}

The `net.inet.{tcp,udp,raw}.bind_all_fibs` tunables have been added.
They default to 1 for backwards compatibility.
Setting them to 0 modifies the corresponding protocol's socket behavior such that packets not originating from an interface in the same FIB as the socket are ignored.
In this case, TCP and UDP sockets belonging to different FIBs may also be bound to the same address.
The default behavior is unmodified.
gitref:5dc99e9bb985[repository=src],
gitref:08e638c089ab[repository=src],
gitref:4009a98fe80b[repository=src]
{{< sponsored "Klara, Inc." >}}
{{< sponsored "Stormshield" >}}

Making a connection to `INADDR_ANY`, i.e., using it as an alias for `localhost`, is now disabled by default.
This functionality can be re-enabled by setting the `net.inet.ip.connect_inaddr_wild` sysctl to 1.
gitref:cd240957d7ba[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

New in-kernel inline IPSEC offload infrastructure.
See also the note about the man:mlx5[4] driver supporting it.
gitref:ef2a572bf6[repository=src]
{{< sponsored "NVIDIA networking" >}}

A new man:ngctl[8] flag, `-j`, allows it to attach and run inside a jail, making it possible to manipulate netgraph nodes in a jail even if man:ngctl[8] is not installed inside it.
gitref:72d01e62b082[repository=src]

man:sockstat[4] will show UDP-Lite endpoints by default.
gitref:978615d7bf7c[repository=src]

Kernel compatibility code supporting man:ipfw[8] binaries from FreeBSD 7 and 8 has been removed.
gitref:660255be1ed9[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

[[network-protocols]]
=== Network Protocols

Lots of improvements to the network stack, including performance improvements and bug fixes for the man:sctp[4] stack.

Descriptors returned by man:sctp_peeloff[2] now inherit Capsicum capability man:rights[4] from the parent socket.
gitref:ae3d7e27abc9[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

The default value of the sysctl variable `net.inet.tcp.nolocaltimewait` has changed from 1 to 0.
This means that FreeBSD does not skip the `TIME_WAIT` state anymore for endpoints for which the remote address is local.
The new sysctl variable `net.inet.tcp.msl_local` can be used to control the time these endpoints stay in the `TIME_WAIT` state.
The sysctl variable `net.inet.tcp.nolocaltimewait` is deprecated and intended to be removed in FreeBSD 16.
gitref:c3fc0db3bc50[repository=src]
{{< sponsored "Netflix" >}}

The local stream (AF_UNIX/SOCK_STREAM) and sequenced packet stream (AF_UNIX/SOCK_SEQPACKET) sockets have been improved for better bulk transfer and round trip times.
The SOCK_SEQPACKET socket has been brought to the specification and now behaves as a true stream socket, while in previous FreeBSD releases it could exhibit features of
a datagram socket.
Applications that were using SOCK_SEQPACKET incorrectly and relied on old implementation bugs may need to be adjusted.
gitref:d15792780760[repository=src]

[[wireless-networking]]
=== Wireless Networking

The LinuxKPI 802.11 compatibility layer man:linuxkpi_wlan[4] gained support for the Galois/Counter Mode Protocol (GCMP) from man:wlan_gcmp[4]. {{< sponsored "The FreeBSD Foundation" >}}

Following other drivers man:iwlwififw[4] firmware was removed from the base system in favor of the ports based solution and man:fwget[8] support.  In case of updating from earlier releases, users must install the firmware packages upfront. {{< sponsored "The FreeBSD Foundation" >}}

The man:iwlwifi[4] wireless driver supports 802.11ac (VHT) for some Intel Wi-Fi 5, and all of Intel Wi-Fi 6 and Wi-Fi 7 hardware. {{< sponsored "The FreeBSD Foundation" >}}
The man:iwx[4] wireless driver supports 802.11ac (VHT) for Intel Wi-Fi 6 hardware. {{< sponsored "The FreeBSD Foundation" >}}
The man:rtwn[4] wireless driver supports 802.11ac (VHT) for the RTL8812A and RTL8821A chipsets.
The man:rtw89[4] wireless driver supports 802.11g for some Realtek Wi-Fi 6 and Wi-Fi 7 hardware.
gitref:a2d1e07f6451[repository=src] {{< sponsored "The FreeBSD Foundation" >}}


[[hardware]]
== Hardware Support

This section covers general hardware support for physical machines, hypervisors, and virtualization environments, as well as hardware changes and updates that do not otherwise fit in other sections of this document.

Please see link:https://www.freebsd.org/releases/{localRel}R/hardware[the list of hardware] supported by {releaseCurrent}, as well as link:https://www.freebsd.org/platforms/[the platforms page] for the complete list of supported CPU architectures.

[[hardware-virtualization]]
=== Virtualization Support

man:bhyve[8] and man:vmm[4] now support the arm64 and riscv platforms.
The `sysutils/u-boot-bhyve-arm64` and `sysutils/u-boot-bhyve-riscv` ports provide boot loaders for use on these platforms.
gitref:47e073941f4e[repository=src]
gitref:d3916eace506[repository=src]
{{< sponsored "Arm Ltd" >}}
{{< sponsored "Innovate UK" >}}
{{< sponsored "The FreeBSD Foundation" >}}
{{< sponsored "University Politehnica of Bucharest" >}}

man:bhyve[4] now supports a "slirp" networking backend, which enables unprivileged user networking.
Currently only inbound connections to the guest are supported, outbound connections from the guest are not.
This feature requires the `net/libslirp` port.
gitref:c5359e2af5ab[repository=src] {{< sponsored "Innovate UK" >}}

man:bhyve[4] now may configure a NUMA topology for guest memory.
Furthermore, it is possible to define a man:domainset[9] policy for each guest NUMA domain, wherein the host memory used to back the guest physical memory of each guest NUMA domain can be specified, akin to man:cpuset[1]'s `-n` option.
This is supported only for amd64 guests for now.
gitref:f1d705d4f431[repository=src]

The VNC server in man:bhyve[8] will now show the correct colors when using the package:www/novnc[] client.
gitref:f9e09dc5b1d5[repository=src]

When running man:bhyve[8] guests with a boot ROM, i.e., bhyveload(8) is not used, bhyve now assumes that the boot ROM will enable PCI BAR decoding.
This is incompatible with some boot ROMs, particularly outdated builds of `edk2-bhyve`.
To restore the old behavior, add `pci.enable_bars='true'` to your bhyve configuration.
Note that the `uefi-edk2-bhyve` package has been renamed to `edk2-bhyve`.
gitref:e962b37bf0ff[repository=src]
{{< sponsored "Innovate UK" >}}

amd64 man:bhyve[8]'s `lpc.bootrom` and `lpc.bootvars` options are deprecated.
Use the top-level `bootrom` and `bootvars` options instead.
gitref:43caa2e805c2[repository=src]
{{< sponsored "Innovate UK" >}}

The NVMM hypervisor is now detected.
gitref:34f40baca641[repository=src]

Under Hyper-V, TLB flushes are now performed using hypercalls rather than IPIs, providing up to a 40% improvement in TLB performance.
gitref:7ece5993b787[repository=src] {{< sponsored "Microsoft" >}}

[[linuxulator]]
=== Linux Binary Compatibility

The `AT_NO_AUTOMOUNT` flag is now ignored for all Linuxulator stat() variants (as the behavior specified by the flag already matches FreeBSD's), improving Linux application compatibility.
gitref:99d3ce80ba07[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

The Linux man:inotify[2] system calls are now implemented in the Linuxulator.
{{< sponsored "Klara, Inc." >}}

[[multimedia]]
== Multimedia

Many improvements to the audio stack including support for hot-swapping in man:mixer[8], and the addition of man:mididump[1].
gitref:cf9d2fb18433[repository=src] {{< sponsored "The FreeBSD Foundation" >}}
gitref:7224e9f2d4af[repository=src] {{< sponsored "The FreeBSD Foundation" >}}

A new utility man:sndctl[8] has been added to concentrate the various
interfaces for viewing and manipulating audio device settings (sysctls,
`/dev/sndstat`), into a single utility with a similar control-driven
interface to that of `mixer(8)`.
gitref:44e5a0150835[repository=src],
gitref:9a37f1024ceb[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

`virtual_oss` is imported to base.
The `audio/virtual_oss` port will stop being built from FreeBSD 15.0 onwards.
Regarding user-facing changes, the only practical difference is the installation process.
Everything is provided by the base system, except for the following optional components, which can be installed from ports:

* sndio backend support: `audio/virtual_oss_sndio`
* bluetooth backend support: `audio/virtual_oss_bluetooth`
* `virtual_equalizer(8)`: `audio/virtual_oss_equalizer`

Apart from that, `virtual_oss` should work as expected.
Users of `virtual_oss` can uninstall `audio/virtual_oss` and instead use the base system version from now on.
gitref:5a31c623143f[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

[[documentation]]
== Documentation

This section covers changes to manual (man:man[1]) pages and other documentation shipped with the base system.

[[man-pages]]
=== Man Pages

Filesystem manual pages have been moved to section four.
gitref:1687d77197c0[repository=src]

A new man:networking[7] manual page provides a quickstart guide to connecting the system to networks including Wi-Fi, and links to other manual pages and the handbook.
gitref:39f92a4c4c49[repository=src]

Refer to man:graid[8] and man:zfs[8] instead of man:gvinum[8] in man:ccdconfig[8]).
gitref:55cb3a33d920[repository=src]

The man:ps[1] manual page has been revamped to explain the general principles, and descriptions in there have been updated to match reality.
The preamble has been revamped to give a thorough overview of the different aspects of the man:ps[1] command.
The description of several options and some keywords have been fixed to match their actual behavior and/or expanded.
The STANDARDS and BUGS sections have been expanded.
gitref:ddf144a04b53[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

The man:mac_do[4] manual page has been revamped as part of adding support for multiple users and groups as single rule's targets, which lead to changing the rules syntax.
In particular, it has grown a JAIL SUPPORT and SECURITY CONSIDERATIONS sections.
gitref:bc201841d139[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}

The existing content of the man:mdo[1] manual page has been enriched as part of documenting the new support for fully specifying all users and groups in the target credentials.
It has now a longer introduction and a new SECURITY CONSIDERATIONS section.
gitref:20ebb6ec5ac0[repository=src]
{{< sponsored "The FreeBSD Foundation" >}}
{{< sponsored "Google LLC (GSoC 2025)" >}}

man:firewire[4]: Add deprecation notice.
This was originally discussed as part of FreeBSD 15 planning, but did not happen in time.
Add the deprecation notice now, with an expectation that it will be removed before FreeBSD 16.
gitref:fc889167c319[repository=src].
{{< sponsored "The FreeBSD Foundation" >}}

The ethernet switch controllers, man:mtkswitch[4], man:ip17x[4], man:ar40xx[4], and man:e6000sw[4] have gained initial manual pages.

man:mount[8] has gained an example for remounting all filesystems read/write in single-user mode.

Manual pages for the lua man:loader[8] modules have had their descriptions reworded to optimize man:apropos[1] results.

The manual pages style guide, man:style.mdoc[5], has gained a section for listing supported hardware.
When listed this way, the supported hardware will be listed in link:https://www.freebsd.org/releases/{localRel}R/hardware[the supported hardware notes].
Many manuals have had this section added or reworded in this release.

Much work has gone into adding man:sysctl[8]s and environment variables to the manual.
Try searching for them with `apropos Va=here.is.the.sysctl` or `apropos Ev=here_is_the_environment_variable`.

The man:intro[5] to the File Formats manual has been revised, incorporating improvements from OpenBSD.

[[ports]]
== Ports Collection and Package Infrastructure

This section covers changes to the FreeBSD Ports Collection, package infrastructure, and package maintenance and installation tools.

A new `FreeBSD-kmods` repository is included in the default `/etc/pkg/FreeBSD.conf` man:pkg[8] configuration file.
This repository contains kernel modules compiled specifically for {releaseCurrent} rather than for the {releaseBranch} branch.
Installing kernel modules from this repository allows drivers with unstable kernel interfaces, in particular graphics drivers, to work even when the main {releaseBranch} repository has packages build on a previous release.
gitref:a47542f71511[repository=src]

The `FreeBSD` and `FreeBSD-kmods` repositories defined in `/etc/pkg/FreeBSD.conf` have been renamed to `FreeBSD-ports` and `FreeBSD-ports-kmods` respectively.
Users who override these in `/usr/local/etc/pkg/repos` will need to adjust their configuration to match the new names.

[[Installer]]
=== Installer

The FreeBSD installer, man:bsdinstall[8], now supports downloading and installing firmware packages after the FreeBSD base system installation is complete.
gitref:03c07bdc8b31[repository=src] {{< sponsored "The FreeBSD Foundation" >}}

[[ports-packages]]
=== Packaging Changes

The bootonly ISO and mini-memstick image now include the package:net/wifi-firmware-iwlwifi-kmod[] and package:net/wifi-firmware-rtw88-kmod[] packages, making installations possible over a wireless connection (on systems supported by these firmware packages).
gitref:655fcdde1aff[repository=src] {{< sponsored "The FreeBSD Foundation" >}}

The package:net/wifi-firmware-kmod@release[] package has been added to the DVD ISO, providing firmware for a broader set of Wi-Fi drivers.
gitref:8c6df7ead19c[repository=src] {{< sponsored "The FreeBSD Foundation" >}}

The `FreeBSD-base` repository is now defined in `/etc/pkg/FreeBSD.conf`, disabled by default.
Systems which installed with pkgbase prior to 15.0-RC1 (if running `releng/15.0`) or November 15th (if running from `stable`/`main` snapshots) will need to remove the definition of the `FreeBSD-base` repository from `/usr/local/etc/pkg/repos/` and replace it with a single line `FreeBSD-base: { enabled: yes }`.
gitref:5d832135a971[repository=src]

[[future-releases]]
== General Notes Regarding Future FreeBSD Releases