===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/74.html,v
retrieving revision 1.66
retrieving revision 1.67
diff -u -r1.66 -r1.67
--- www/74.html	2023/10/14 16:02:49	1.66
+++ www/74.html	2023/10/14 17:21:15	1.67
@@ -604,10 +604,6 @@
 
 <li>Changes in the network stack:
   <ul>
-  <li>In <a href="https://man.openbsd.org/pf.4">pf(4)</a>,
-      when redirecting locally generated IP packets to
-	userland with divert-packet rules, the packets may have no checksum
-	due to hardware offloading.  Calculate the checksum in that case.
  <li>Sync the use of
      <a href="https://man.openbsd.org/getuptime.9">getuptime(9)</a>
      in the Neighbour Discovery (ND) code with ARP.
@@ -625,9 +621,6 @@
 	neighbor advertisement, as described in RFC9131, to the all-routers
 	multicast address so all routers on the same link will learn the path
 	back to the address.
- <li>In <a href="https://man.openbsd.org/pf.4">pf(4)</a>,
-	relax the implementation of the "pass all" rule so all
-	forms of neighbor advertisements are allowed in either direction.
  <li>Inbound portion of RFC9131.  Routers can create new neighbor cache entries
 	when receiving a valid Neighbor Advertisement.
  <li>Implement RFC9131 and create new neighbor cache entries
@@ -638,22 +631,37 @@
 	software, but pass it down to the interface layer. Add sysctl(8) net.inet.tcp.tso.
  <li>Do not calculate IP, TCP, UDP checksums on loopback
 	(<a href="https://man.openbsd.org/lo.4">lo(4)</a>) interfaces.
- <li>Fix a bug in <a href="https://man.openbsd.org/pf.4">pf(4)</a>
-	where <code>nat-to</code> clould fail to insert a state
-	due to conflict on chosen source port number.
  <li>Implement TCP send offloading, for now in software only.  This is
 	meant as a fallback if network hardware does not support TSO.
  <li>Use TSO (TCP Segmentation Offload) and LRO (Large Receive Offload) on
 	the loopback interface to transfer TCP faster,
  <li>Fix path MTU discovery for TCP LRO/TSO when forwarding.
 	when <code>tcplro</code> is activated on lo(4).
- <li>Close all pf(4) transactions before opening a new one when
-	retrieving the ruleset. Fixes leaking transactions which can be
-	problematic when processes run a long time. Introduce a new ioctl
-	DIOCXEND in pf(4) so applications such as snmpd(8) and systat(1) can
-	safely retrieve rules.
- <li>Close all <a href="https://man.openbsd.org/pf.4">pf(4)</a>
-	transactions before opening a new one when
+ <li>Speed up the
+	<a href="https://man.openbsd.org/ioctl.2">ioctl(2)</a> request
+	<a href="https://man.openbsd.org/pf.4#DIOCGETRULE">DIOCGETRULE</a>
+	such that <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a>
+	can retrieve all <a href="https://man.openbsd.org/pf.4">pf(4)</a>
+	rules from the kernel in linear rather than in quadratic time.
+	To protect the kernel from memory exhaustion,
+	userland processes now have to release tickets obtained with
+	<a href="https://man.openbsd.org/pf.4#DIOCGETRULES">DIOCGETRULES</a>
+	by issuing the new
+	<a href="https://man.openbsd.org/ioctl.2">ioctl(2)</a> request
+	<a href="https://man.openbsd.org/pf.4#DIOCXEND">DIOCXEND</a>.
+	In particular, <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a>
+	and <a href="https://man.openbsd.org/systat.1">systat(1)</a>
+	now do that.
+ <li>In <a href="https://man.openbsd.org/pf.4">pf(4)</a>,
+	relax the implementation of the <code>pass all</code> rule so all
+	forms of neighbor advertisements are allowed in either direction.
+ <li>In <a href="https://man.openbsd.org/pf.4">pf(4)</a>,
+	when redirecting locally generated IP packets to userland with
+	<code>divert-packet</code> rules, the packets may have no checksum
+	due to hardware offloading.  Calculate the checksum in that case.
+ <li>Fix a bug in <a href="https://man.openbsd.org/pf.4">pf(4)</a>
+	where <code>nat-to</code> could fail to insert a state
+	due to conflict on chosen source port number.
  <li>Convert the tcp_now() time counter to 64 bits to avoid 32 bits
 	wrap around after changing tcp_now() ticks to milliseconds.
 
@@ -828,9 +836,6 @@
 	<a href="https://man.openbsd.org/rad.8">rad(8)</a>, update the default
 	timers for prefix preferred and valid lifetimes to use the values from
 	RFC 9096.
-  <li>In <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a>,
-	speed up how <a href="https://man.openbsd.org/pf.4">pf(4)</a>
-	rules are retrieved from the kernel.
   <li>In <a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>,
 	remove artificial limit of 2 hours on a PIO lifetime.
   <li>Make <a href="https://man.openbsd.org/ypldap.8">ypldap(8)</a>