===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/74.html,v
retrieving revision 1.80
retrieving revision 1.81
diff -u -r1.80 -r1.81
--- www/74.html 2023/10/14 21:13:43 1.80
+++ www/74.html 2023/10/14 22:32:04 1.81
@@ -100,6 +100,9 @@
catch up with box drawing characters which have
been standardized in unicode after the original wscons code was
written and chose placeholder values.
+ In wscons(4),
+ make sure we do not increase the escape sequence argument count beyond
+ usable bounds.
Take more functions in the network and routing code out
of kernel lock.
Implement dt(4)
@@ -119,6 +122,18 @@
detaching devices during suspend, must continue processing
command completion events. This fixes USB suspend/resume in Apple
M1/M2. -->
+ Update AMD CPU microcode if a newer patch is available.
+ Enable a workaround for the 'Zenbleed' AMD CPU bug.
+ Report speculation control bits in dmesg cpu lines.
+ To give the primary CPU an opportunity to perform clock interrupt
+ preparation in a machine-independent manner we need to separate the
+ "initialization" parts of cpu_initclocks() from the "start the clock
+ interrupt" parts. Separate cpu_initclocks() from cpu_startclock().
+ Fix a problem where CPU time accounting and RLIMIT_CPU was
+ unreliable on idle systems.
+ Improve the output of the "show proc" command of the kernel
+ debugger ddb(4) and show
+ both the PID and TID of the proc.
SMP Improvements
@@ -252,6 +267,15 @@
mostly used in network daemons.
In wsconsctl(8),
add button mappings for two- and three-finger clicks on clickpads.
+ Implement a non-interactive mode (-s) in bioctl(8) for use in
+ scripts.
+ In bioctl(8), use
+ a hardware based number of KDF rounds by default for passphrases.
+ Motivation is to provide a saner and more modern default, especially
+ for fresh installations utilizing new disk encryption question.
+
+
Various bugfixes and tweaks in userland:
@@ -378,6 +402,8 @@
pkg_add(1)
to speed up pkg_add -u now also works if -stable packages
are available.
+ Significantly increase the speed of pkg-config(1).
In seq(1), fix a check for rounding error and truncation.
In cron(8), introduce upstream fixes in the handling of @yearly, @monthly,
@weekly, @daily and @hourly entries.
@@ -394,6 +420,11 @@
Make rcctl(8)
check if a daemon exists before trying to disable it, thereby avoiding
parsing and printing of bogus characters.
+ Print to the console the fingerprint of a newly generated ssh(1) host key of the
+ preferred type (currently ED25519), typically when booting for the
+ first time. This simplifies a secure first ssh connection to a
+ freshly installed machine.
Improved hardware support and driver bugfixes, including:
@@ -479,6 +510,9 @@
making eMMC and microSD mostly work on the Starfive VisionFive 2.
Add driver qccpu(4)
for QC CPU Power States.
+ Add qcsdam(4),
+ a driver for the PMIC Shared Direct Access Memory found on
+ Qualcomm SoCs.
Add support for the RK3588 PCIe3 PHY to
rkpciephy(4).
The PHY controls 4 lanes that can be routed to 4 of 5 PCIe controllers.
@@ -488,6 +522,14 @@
Add mute control to tascodec(4). This makes
the mute button on laptops that use tascodec(4) work.
+ Improve the suspend/resume behavior of several drivers, reducing
+ power consumption during suspend.
+ Add support for the Synopsys DesignWare I2C controller
+ (dwiic(4)) and the X-Powers AXP Power Management IC (axppmic(4)).
+ Add stfrng(4), a
+ driver for the random number generator on the risc-v JH7110 SoC.
+ Enable the mbg(4)
+ timedelta sensor on amd64 and match the Meinberg PZF180PEX.
New or improved network hardware support:
@@ -518,6 +560,16 @@
dwge(4) implementations.
On bge(4), make hardware
counters available via kstats for BCM5705 and newer controller chips.
+ Make several improvements to vmx(4), the VMware VMXNET3
+ Virtual Interface Controller.
+ In em(4), stop
+ putting multicast addresses into the Receive Address Registers.
+ Instead hash them all into the Multicast Table Array.
+ Support Mellanox ConnectX-6 Lx in mcx(4).
+ In mcx(4), add 100GB
+ LR4 Ethernet capability and map it to IFM_100G_LR4.
Added or improved wireless network drivers:
@@ -562,34 +614,43 @@
Enable ufshci(4)
on arm64 install media.
On arm64 pine64 boards, stop writing pine64 firmware to disk.
- Make root on
+ When media has neither a GPT nor an MBR
+ installboot(8),
+ assume OpenBSD occupies the entire disk starting at sector 0.
+ Attempt to not overflow the ramdisk when extracting firmware on
+ Apple arm64 systems.
+ Add support for loading files from the EFI System Partition.
+ Fix a bug in the handling of SCSI drives in the bootloader on the luna88k architecture.
+ On luna88k, implement the chmod() signaling mechanism for
+ /bsd.upgrade to prevent re-upgrade, like other
+ architectures.
+
+ Support for softraid(4) disks in the
+ installer was improved:
+
+ - Make root on
softraid(4)
installations boot out of the box on Raspberry Pis (arm64).
-
- Support installations with root on
+
- Support installations with root on
softraid(4)
on arm64, tested on Pinebook Pro, Raspberry Pi 4b, and SolidRun CEX7.
-
- On riscv64, enable softraid(4) in the ramdisk kernel and support
+
- On riscv64, enable softraid(4) in the ramdisk kernel and support
installations with root on
softraid(4)
-
- When installing on encrypted
+
- When installing on encrypted
softraid(4), determine
the disk for placing the root device automatically and make it default
as it is the only legit choice.
-
- Add arm64 to the list of architectures with support for guided disk
- encryption.
-
- Retain existing EFI System partitions on systems with APFSISC
+
- Add arm64 to the list of architectures with support for guided disk
+ encryption.
+
- Retain existing EFI System partitions on systems with APFSISC
partitions (arm64 Apple M1/M2) during installation with root on
softraid(4).
-
- When media has neither a GPT nor an MBR
- installboot(8),
- assume OpenBSD occupies the entire disk starting at sector 0.
-
- Attempt to not overflow the ramdisk when extracting firmware on
- Apple arm64 systems.
-
- Add support for loading files from the EFI System Partition.
-
- Fix a bug in the handling of SCSI drives in the bootloader on the luna88k architecture.
-
- On luna88k, implement the chmod() signaling mechanism for
-
/bsd.upgrade to prevent re-upgrade, like other
- architectures.
+ - Enable softraid(4) in ramdisk
+ on the powerpc64 architecture.
+
Security improvements:
@@ -676,39 +737,45 @@
when receiving a valid Neighbor Advertisement.
Implement RFC9131 and create new neighbor cache entries
when receiving a valid Neighbor Advertisement.
- If the driver of a network interface supports TCP segmentation
+
+ Initial support for TCP segmentation offload (TSO) and TCP large receive offload (LRO) was implemented:
+
+ - If the driver of a network interface supports TCP segmentation
offload (TSO), do not chop the packet in the network stack,
but pass it down to the interface layer for TSO.
-
- Provide a software TSO implementation, to be used as a fallback
+
- Provide a software TSO implementation, to be used as a fallback
if network hardware does not support TSO.
-
- Provide a new sysctl(2)
+
- Provide a new sysctl(2)
node net.inet.tcp.tso such that TSO can be globally disabled.
By default, it is enabled on all interfaces supporting it.
-
- In ifconfig(8),
+
- In ifconfig(8),
display separate
hwfeatures
for TCP segmentation offload (TSOv4, TSOv6)
and TCP large receive offload (LRO) and provide a
-tcplro
parameter to disable LRO.
-
- Enable TSO and forwarding of LRO packets via TSO in
+
- Enable TSO and forwarding of LRO packets via TSO in
ix(4).
-
- In ix(4), allocate
+
- In ix(4), allocate
less memory for tx buffers.
-
- Speed up TCP transfer on
+
- Speed up TCP transfer on
lo(4)
interfaces by using TSO and LRO.
-
- Enable Large Receive Offload (LRO) for TCP per default in network
+
- Enable Large Receive Offload (LRO) for TCP per default in network
drivers. LRO allows to receive aggregated packets larger than the MTU.
Receiving TCP streams becomes much faster. Currently only ix(4) and lo(4) devices support LRO, and
ix(4) is limited to IPv4 and hardware newer than the old 82598 model.
LRO can be turned off per interface with ifconfig -tcplro.
- - Do not calculate IP, TCP, and UDP checksums on
- lo(4) interfaces.
-
- Speed up the
+
+
+ The following changes were made to the pf(4) firewall:
+
+ - Speed up the
ioctl(2) request
DIOCGETRULE
such that pfctl(8)
@@ -723,19 +790,46 @@
In particular, snmpd(8)
and systat(1)
now do that.
-
- In pf(4),
+
- In pf(4),
relax the implementation of the
pass all rule so all
forms of neighbor advertisements are allowed in either direction.
- - In pf(4),
+
- In pf(4),
when redirecting locally generated IP packets to userland with
divert-packet rules, the packets may have no checksum
due to hardware offloading. Calculate the checksum in that case.
- - Fix a bug in pf(4)
+
- Fix a bug in pf(4)
where
nat-to could fail to insert a state
due to conflict on chosen source port number.
+ - pf(4) ignored 'keep
+ state' and 'nat-to' actions for unsolicited icmp error responses. With
+ OpenBSD 7.4, the rule matching logic is tightened so icmp error
+ responses no longer match 'keep state' rule. In typical scenarios icmp
+ errors (if solicited) should match existing state. The change is
+ going to bite firewalls which deal with asymmetric routes. In those
+ cases the 'keep state' action should be relaxed to sloppy or new 'no
+ state' rule to explicitly match icmp errors should be added.
+
+ Do not calculate IP, TCP, and UDP checksums on
+ lo(4) interfaces.
Convert the tcp_now() time counter to 64 bits to avoid 32 bits
wrap around after changing tcp_now() ticks to milliseconds.
-
+ Added initial support for route-based ipsec vpns.
+ Rather than use ipsec flows (aka, entries in the ipsec security
+ policy database) to decide which traffic should be encapsulated in
+ ipsec and sent to a peer, this changes security associations (SAs)
+ so they can also refer to a tunnel interface. When traffic is routed
+ over that tunnel interface, an ipsec SA is looked up and used to
+ encapsulate traffic before being sent to the peer on the SA. When
+ traffic is received from a peer using an interface SA, the specified
+ interface is looked up and the packet is handed to it so it looks
+ like packets come out of the tunnel.
+ Add sec(4) to support
+ route based ipsec vpns.
+ Introduce reference counting for TCP syn cache entries.
+ Have wg(4) copy the
+ priority from the inner packet to the outer encrypted packet, so that
+ higher priority packets are picked from hfsc queues for earlier
+ transmission.
Routing daemons and other userland network improvements:
@@ -929,6 +1023,27 @@
href="https://man.openbsd.org/dhcrelay6.8">dhcrelay6(8), do not
ignore the AF_LINK entries of carp(4) interfaces.
+ Allow libpcap to read files with some additional link-layer type values.
+ Improve the config parser of radiusd(8) to better handle
+ comments, improve error messages and plug a memory leak.
+ In radiusd(8),
+ add request or response decoration feature which is used through the
+ radiusd module interface. This makes additional modules can modify
+ RADIUS request or response messages. Also add new "radius_standard"
+ module which uses this new feature, provides some generic features
+ like "strip-atmark-realm" which removes the realm part from the
+ User-Name attribute.
+ Allow UDP for built-in inetd(8) services on
+ 127.0.0.1. This restriction was added in year 2000 due to IPv6 compatibleand
+ mapped addresses. Nowadays our kernel does not support these IPv6
+ features and blocks localhost addresses on non-loopback interfaces.
+ Make IPv4 127.0.0.1/8 and IPv6 ::1 behave identically and provide
+ local services if configured.
+ In spamd(8), log a
+ dummy "" IP address in the unlikely event that getnameinfo(3)
+ fails.
+
tmux(1) improvements and bug fixes:
@@ -942,6 +1057,12 @@
be sent again.
Add options to change the confirm key and default behaviour of
confirm-before.
+ Add iked support for route based sec(4) tunnels.
+ Add an option menu-selected-style to configure the currently
+ selected menu item.
+ Add -c to run-shell to set working directory.
+ Add detach-on-destroy previous and next,
+ Set visited flag on last windows when linking session.
LibreSSL version 3.8.2