article.xml revision 95057
<articleinfo>
  <title>&os;/&arch; &release.current; Release Notes</title>

  <corpauthor>The FreeBSD Project</corpauthor>

  <pubdate>$FreeBSD: head/release/doc/en_US.ISO8859-1/relnotes/article.sgml 95057 2002-04-19 17:07:28Z bmah $</pubdate>

  <copyright>
    <year>2000</year>
    <year>2001</year>
    <year>2002</year>
    <holder role="mailto:doc@FreeBSD.org">The FreeBSD Documentation Project</holder>
  </copyright>

  <abstract>
    <para>The release notes for &os; &release.current; contain a summary
      of the changes made in the &os; base system since &release.prev;.
      Both changes for kernel and userland are listed, as well as
      applicable security advisories that were issued since the last
      release. Some brief remarks on upgrading are also presented.</para>
  </abstract>
</articleinfo>

<sect1>
  <title>Introduction</title>

  <para>This document contains the release notes for &os;
    &release.current; on the &arch.print; hardware platform. It
    describes new features of &os; that have been added (or changed)
    since &release.prev;. It also provides some notes on upgrading
    from previous versions of &os;.</para>

<![ %release.type.snapshot [

  <para>The &release.type; distribution to which these release notes
    apply represents a point along the &release.branch; development
    branch between &release.prev; and the future &release.next;. Some
    pre-built, binary &release.type; distributions along this branch
    can be found at <ulink url="&release.url;"></ulink>.</para>

]]>

<![ %release.type.release [

  <para>This distribution of &os; &release.current; is a
    &release.type; distribution. It can be found at <ulink
    url="&release.url;"></ulink> or any of its mirrors.
    More information on obtaining this (or other) &release.type;
    distributions of &os; can be found in the <ulink
    url="http://www.FreeBSD.org/handbook/mirrors.html"><quote>Obtaining
    FreeBSD</quote> appendix</ulink> to the <ulink
    url="http://www.FreeBSD.org/handbook/">FreeBSD
    Handbook</ulink>.</para>

]]>
</sect1>

<sect1>
  <title>What's New</title>

  <para>This section describes the most user-visible new or changed
    features in &os; since &release.prev;. Typical release note items
    document new drivers or hardware support, new commands or options,
    major bugfixes, or contributed software upgrades. Security
    advisories issued after &release.prev; are also listed. In
    general, changes described here are unique to the &release.branch;
    branch unless specifically marked as &merged; features.</para>

  <para>Many additional changes were made to &os; that are not listed
    here for lack of space. For example, documentation was corrected
    and improved, minor bugs were fixed, insecure coding practices
    were audited and corrected, and source code was cleaned up.</para>

  <sect2 id="kernel">
    <title>Kernel Changes</title>

    <para arch="i386">The &man.amdpm.4; driver has been added to
      provide access to the system monitoring functions of the AMD 756
      chipset. &merged;</para>

    <para>The &man.agp.4; driver for AGP devices has been
      added. &merged;</para>

    <para>A new &man.ddb.4; command <command>show pcpu</command> lists
      some of the per-CPU data.</para>

    <para>Two new &man.ddb.4; commands, <command>hwatch</command> and
      <command>dhwatch</command>, have been introduced. Analogous to
      <command>watch</command> and <command>dwatch</command>, they
      install hardware watchpoints (as opposed to software
      watchpoints) if supported by the architecture.
      &merged;</para>

    <para>&man.devfs.5;, which allows entries in the
      <filename>/dev</filename> directory to be built automatically
      and supports more flexible attachment of devices, has been
      largely reworked. &man.devfs.5; is now enabled by default and
      can be disabled by the <literal>NODEVFS</literal> kernel
      option.</para>

    <para>The dgm driver has been removed in favor of the digi driver.</para>

    <para>A new digi driver has been added to support PCI Xr-based and
      ISA Xem Digiboard cards. A new &man.digictl.8; program is
      (mainly) used to re-initialize cards that have external port
      modules attached such as the PC/Xem.</para>

    <para>An &man.eaccess.2; system call has been added, similar to
      &man.access.2; except that the former uses effective credentials
      rather than real credentials.</para>

    <para arch="sparc64">Support has been added for EBus-based
      devices.</para>

    <para arch="i386">The &man.ichsmb.4; driver for the Intel 82801AA
      (ICH) SMBus controller and compatibles has been
      added. &merged;</para>

    <para>Each &man.jail.2; environment can now run under its own
      securelevel.</para>

    <para>The tunable sysctl variables for &man.jail.2; have moved
      from <varname>jail.*</varname> to the
      <varname>security.*</varname> hierarchy. Other security-related
      sysctl variables have moved from <varname>kern.security.*</varname> to
      <varname>security.*</varname>.</para>

    <para>The <varname>kern.maxvnodes</varname> limit now properly
      limits the number of vnodes in use. Previously only vnodes with
      no cached pages could be freed; this could allow the number of
      vnodes to grow without limit on large-memory machines accessing
      many small files. A <literal>vnlru</literal> kernel thread
      helps to flush and reuse vnodes.
      &merged;</para>

    <para>The kernel message buffer is now accessible by the
      (machine-independent) <varname>kern.msgbuf</varname> sysctl
      variable; &man.dmesg.8; no longer needs to be SGID
      <groupname>kmem</groupname>. &merged;</para>

    <para>The &man.kqueue.2; event notification facility was added to
      the &os; kernel. This is a new interface which is able to
      replace &man.poll.2;/&man.select.2;, offering improved
      performance, as well as the ability to report many different
      types of events. Support for monitoring changes in sockets,
      pipes, fifos, and files is present, as well as for signals and
      processes. &merged;</para>

    <para arch="i386">A new <varname>KVA_SPACE</varname> kernel option
      can be used to reconfigure the size of the kernel virtual
      address space. &merged;</para>

    <para>The &man.labpc.4; driver has been removed due to
      <quote>bitrot</quote>.</para>

    <para>The loader and kernel linker now look for files named
      <filename>linker.hints</filename> in each directory with KLDs
      for a module name and version to KLD filename mapping. The new
      &man.kldxref.8; utility is used to generate these files.</para>

    <para>Linux emulation now supports the kernel functionality
      required by the
      <filename role="package">emulators/linux_base-7</filename>
      (RedHat 7.X emulation) port. &merged;</para>

    <para>Linux emulation now requires <literal>options
      SYSVSEM</literal> in the kernel configuration. &merged;</para>

    <para>&man.lomac.4;, a Low-Watermark Mandatory Access Control
      security facility, has been added as a kernel module. It
      provides a drop-in security mechanism in addition to the
      traditional UID-based security facilities, requiring no
      additional configuration from the administrator.
      Work on this
      feature was sponsored by DARPA and NAI Labs.</para>

    <para>The <varname>maxusers</varname> kernel configuration
      parameter is now a boot-time tunable variable. The kernel
      parameters derived from <varname>maxusers</varname> are now also
      tunables and can be overridden at boot-time. The
      <varname>hz</varname> parameter is also now a
      tunable. &merged;</para>

    <para>Specifying a value of <literal>0</literal> for the
      <varname>maxusers</varname> kernel configuration parameter will
      now cause an appropriate value to be calculated at boot-time
      (between 32 and 384, depending on the amount of memory present).
      This value is now the default for all
      <filename>GENERIC</filename> kernels. &merged;</para>

    <para arch="alpha">A <varname>MAXMEM</varname> kernel option,
      along with the <varname>hw.physmem</varname> loader tunable, can
      be used to artificially reduce the memory size of a machine for
      testing (or other purposes). &merged;</para>

    <para>The kernel configuration parameters
      <varname>MAXTSIZ</varname>, <varname>DFLDSIZ</varname>,
      <varname>MAXDSIZ</varname>, <varname>DFLSSIZ</varname>,
      <varname>MAXSSIZ</varname>, and <varname>SGROWSIZ</varname> are
      all loader tunables (<varname>kern.maxtsiz</varname>,
      <varname>kern.maxdfldsiz</varname>, etc.). &merged;</para>

    <para>&man.mutex.9; profiling code has been added, enabled by the
      <literal>MUTEX_PROFILING</literal> kernel configuration option.
      It enables the <varname>debug.mutex.prof.*</varname> hierarchy
      of sysctl variables.</para>

    <para arch="i386">The <literal>NCPU</literal>, <literal>NAPIC</literal>,
      <literal>NBUS</literal>, and <literal>NINTR</literal> kernel
      configuration options, for configuring SMP kernels, have been
      removed. <literal>NCPU</literal> is now set to a maximum of 16,
      and the other, aforementioned options are now
      dynamic.
      &merged;</para>

    <para>A &man.nmdm.4; null-modem terminal driver has been added.
      &merged;</para>

    <para>The <literal>O_DIRECT</literal> flag has been added to
      &man.open.2; and &man.fcntl.2;. Specifying this flag for open
      files will attempt to minimize the cache effects of reading and
      writing. &merged;</para>

    <para>An &man.orm.4; device has been added to claim the option
      ROMs in the ISA memory I/O space, to prevent other drivers from
      mistakenly assigning addresses that conflict with these
      ROMs. &merged;</para>

    <para arch="i386">PECOFF (Win32 Execution file format) support has
      been added.</para>

    <para arch="i386">The pmc driver, which supports the power
      management controller of the NEC PC-98NOTE, has been
      added. &merged;</para>

    <para>POSIX.1b Shared Memory Objects are now supported. The
      implementation uses regular files, but automatically enables the
      MAP_NOSYNC flag when they are &man.mmap.2;-ed. &merged;</para>

    <para>Replaced the <literal>PQ_*CACHE</literal> options with a
      single <literal>PQ_CACHESIZE</literal> option to be set to the
      cache size in kilobytes. The old options are still supported
      for backwards compatibility. &merged;</para>

    <para arch="i386">The &man.puc.4; (PCI <quote>Universal</quote>
      Communications) driver has been added, to help connect PCI-based
      serial ports to the &man.sio.4; driver. &merged;</para>

    <para>The &man.random.4; device has been rewritten to use the
      <application>Yarrow</application> algorithm. It harvests
      entropy from a variety of interrupt sources, including the
      console devices, Ethernet and point-to-point network interfaces,
      and mass-storage devices. Entropy from the &man.random.4;
      device is now periodically saved to files in
      <filename>/var/db/entropy</filename>, as well as at shutdown
      time.
      The semantics of <filename>/dev/random</filename> have
      changed; it never blocks waiting for entropy bits but generates
      a stream of pseudo-random data and now behaves exactly as
      <filename>/dev/urandom</filename>.</para>

    <para>A new kernel option, <literal>options REGRESSION</literal>,
      enables interfaces and functionality intended for use during
      correctness and regression testing.</para>

    <para arch="sparc64">Support has been added for SBus-based
      devices.</para>

    <para>The &man.snp.4; device is no longer static and can now be
      compiled as a module. &merged;</para>

    <para arch="i386">The &man.spic.4; driver, which provides access
      to the Jog Dial device on some Sony laptops, has been
      added. &man.moused.8; support for this device has also been
      added. &merged;</para>

    <para>The &man.syscons.4; driver now supports keyboard-controlled
      pasting, by default bound to
      <keycap>Shift</keycap>-<keycap>Insert</keycap>.</para>

    <para>Support for USB devices was added to the
      <filename>GENERIC</filename> kernel and to the installation
      programs to support USB devices out of the box. Note that SRM
      does not support USB devices at the moment, so you must still
      use an AT keyboard if you are not using a serial
      console. &merged;</para>

    <para arch="i386">The umodem driver for USB modems has been added.
      Support is provided for the 3Com 5605 and Metricom Ricochet GS
      wireless USB modems. &merged;</para>

    <para arch="i386">The &man.uscanner.4; driver for basic USB
      scanner support using SANE has been added. See <ulink
      url="http://www.mostang.com/sane/">the SANE home page</ulink>
      for supported scanners. The HP ScanJet 4100C, 5200C and 6300C
      are known to be working. &merged;</para>

    <para>The ucom device driver has been added, to support USB
      modems, serial devices, and other programs that need to look
      like a tty.
      The related uplcom and uvscom drivers provide specific
      support for the Prolific PL-2303 serial adapter and the SUNTAC
      Slipper U VS-10U, respectively.</para>

    <para>To increase security, the <literal>UCONSOLE</literal> kernel
      configuration option has been removed.</para>

    <para>The <literal>USER_LDT</literal> kernel option is now
      activated by default.</para>

    <para>A VESA S3 linear framebuffer driver has been added.</para>

    <para arch="i386">The &man.viapm.4; driver for VIA SMBus
      power management controllers has been added. &merged;</para>

    <!-- Above this line, sort kernel changes by manpage/keyword-->

    <para>Write combining for crashdumps has been implemented. This
      feature is useful when write caching is disabled on both SCSI
      and IDE disks, where large memory dumps could take up to an hour
      to complete. &merged;</para>

    <para>Extremely large swap areas (>67 GB) no longer panic the
      system.</para>

    <para arch="alpha">Support for threads under Linux emulation has
      been added.</para>

    <para>The <maketarget>buildkernel</maketarget> target now gets the
      name of the configuration(s) to build from the
      <varname>KERNCONF</varname> variable, not
      <varname>KERNEL</varname>. It is no longer required, in some
      cases, for a <maketarget>buildworld</maketarget> to precede a
      <maketarget>buildkernel</maketarget>. (The
      <maketarget>buildworld</maketarget> is still required when
      upgrading across major releases, across
      <application>binutils</application> updates and when
      &man.config.8; changes version.) &merged;</para>

    <para>The out-of-swap process termination code now begins killing
      processes earlier to avoid deadlocks; it now also takes into
      account the swap space used by processes when computing the
      process sizes.
      &merged;</para>

    <para>Linker sets are now self-contained; &man.gensetdefs.8; is
      unnecessary and has been removed.</para>

    <para>Network device cloning has been implemented, and the
      &man.gif.4; device has been modified to take advantage of it.
      Thus, instead of specifying how many &man.gif.4; interfaces are
      available in kernel configuration files, &man.ifconfig.8;'s
      <option>create</option> option should be used when another device
      instance is desired. &merged;</para>

    <para>It is now possible to hardwire kernel environment variables
      (such as tunables) at compile-time using &man.config.8;'s
      <literal>ENV</literal> directive.</para>

    <para>Idle zeroing of pages can be enabled with the
      <varname>vm.idlezero_enable</varname> sysctl variable.</para>

    <para arch="i386">The load addresses of kernels are now exported
      to the symbol table and various hard-coded constants have been
      removed so that utilities such as &man.ps.1; can work with
      kernels compiled at different addresses. &merged;</para>

    <para>Coredumps of large processes (or of a large number of
      processes) no longer lock up the machine for long periods of
      time. &merged;</para>

    <para>The Kernel-Scheduled Entity project has made changes to the
      kernel scheduler to more efficiently handle multi-threaded
      programs.</para>

    <para>The kernel now has support for multiple low-level console
      devices. The new &man.conscontrol.8; utility helps to manage
      the different consoles.</para>

    <para arch="alpha">The console driver has gained support for
      TGA-based display adapters.</para>

    <para>The kernel on the installation CDs is now separated from the
      <filename>mfsroot</filename> image. This permits the use of a
      full kernel when installing from CD on machines that support CD
      booting (instead of the stripped-down kernel used on
      floppies).
      &merged;</para>

    <para>The system load average computation now adds some jitter to
      the timing of samples, in order to avoid synchronization with
      processes that run periodically. &merged;</para>

    <para>If a debugging kernel with modules is being built
      (i.e. using <literal>makeoptions DEBUG=-g</literal>), the
      modules will now be built with debugging support as well, for
      completeness. A side effect of this change is that modules
      built and installed with debugging kernels will now occupy more
      space on disk than they did previously. &merged;</para>

    <para>The kernel dump device can now be set via the
      <varname>dumpdev</varname> loader tunable. As a result, it is
      now possible to obtain crash dumps from panics during the late
      stages of kernel initialization (before the system enters into
      single-user mode). &merged;</para>

    <para>The kernel memory allocator is now a slab memory allocator,
      similar to that used in Solaris. This is an SMP-safe memory
      allocator that has near-linear performance as the number of CPUs
      increases. It also allows for reduced memory
      fragmentation.</para>

    <sect3>
      <title>Processor/Motherboard Support</title>

      <para>SMP support has been largely reworked, incorporating code
        from BSD/OS 5.0. One of the main features of SMPng
        (<quote>SMP Next Generation</quote>) is to allow more
        processes to run in kernel, without the need for spin locks
        that can dramatically reduce the efficiency of multiple
        processors. Interrupt handlers now have contexts associated
        with them that allow them to be blocked, which reduces the
        need to lock out interrupts.</para>

      <para arch="i386">Support for the 80386 processor has been
        removed from the <filename>GENERIC</filename> kernel, as this
        code seriously pessimizes performance on other IA32
        processors.
        The <literal>I386_CPU</literal> kernel option
        to support the 80386 processor is now mutually exclusive with
        support for other IA32 processors; this should slightly
        improve performance on the 80386 due to the elimination of
        runtime processor type checks.
        Custom kernels that will run on the 80386 can
        still be built by changing the cpu options in the kernel
        configuration file to only include
        <literal>I386_CPU</literal>.</para>

      <para arch="alpha">AlphaServer 1200 (<quote>Tincup</quote>) has
        been tested and works OK. Currently it does not want to boot
        from CD or floppy but a transplanted disk that was installed
        on another Alpha works well. &merged;</para>

      <para arch="alpha">The API UP1100 mainboard has been verified to
        work.</para>

      <para arch="alpha">The API CS20 1U high server has been verified
        to work.</para>

      <para arch="alpha">The DEC3000 series support has been removed
        from the mfsroot floppy image so that it fits on a 1.44 Mbyte
        floppy again. As the DEC3000 is currently only usable diskless
        this should not cause any problems.</para>

      <para arch="alpha">Support for AlphaServer 2100A
        (<quote>Lynx</quote>) has been added.</para>

      <para arch="alpha">Kernel code has been added that allows older
        generation Alpha CPUs (EV4 and EV5) to emulate instructions of
        the newer Alpha CPU generations. This enables the use of
        binary-only programs like <application>Adobe Acrobat
        4</application> on EV4 and EV5.</para>

      <para arch="alpha">SMP support for the Alpha is now operational.</para>

      <para arch="i386">Detection for new processors, such as the
        FC-PGA2 Pentium III (Tualatin), Transmeta Crusoe, and
        Transmeta Crusoe LongRun, has been added.
        &merged;</para>

      <para arch="alpha">Support for the following hardware has been
        removed from the installation kernel to make it fit on a
        1.44MB floppy again: Multia, NoName, PC64, EB64, Aspen Alpine,
        sa (SCSI tape), amr, parallel port support, vx (3c590, 3c595),
        pcn (AMD Am79C97x PCI 10/100), sf (Adaptec AIC-6915), sis (SiS
        900/SiS 7016), ste (Sundance ST201 (D-Link DFE-550TX)), wb
        (Winbond W89C840F).</para>

      <para arch="i386">Support for Streaming <acronym>SIMD</acronym>
        Extensions (<acronym>SSE</acronym>) has been introduced. The
        <literal>CPU_ENABLE_SSE</literal> kernel option controls
        whether support is compiled into the kernel. &merged;</para>

      <para arch="i386">The <literal>CPU_ATHLON_SSE_HACK</literal>
        kernel option has been added, which attempts to enable the SSE
        feature bit on newer Athlon CPUs if the BIOS has forgotten to
        enable it.</para>

      <para arch="sparc64">The UltraSPARC platform is now supported by
        &os;. The following machines are supported to at least some
        degree: Ultra 1/2/5/10/30/60, Enterprise 220R/420R, Netra T1
        AC200/DC200, Netra T 105, and Blade
        100. SMP is supported, and has been tested on the
        Ultra 2, Ultra 60, Enterprise 220R, and
        Enterprise 420R.</para>

    </sect3>

    <sect3>
      <title>Bootloader Changes</title>

      <para arch="i386"><filename>boot2</filename> now supports a
        <option>-n</option> option to disallow boot interruption by
        keypresses. &merged;</para>

      <para arch="i386">A new <filename>cdboot</filename> bootstrap
        utility for CDROMs provides better compatibility with some
        BIOS implementations that do not completely implement the El
        Torito bootable CDROM standard. This boot loader supports
        <quote>no emulation</quote> mode booting, thus eliminating the
        need for an emulated floppy disk image on a bootable
        CDROM.
        &merged;</para>

      <para arch="i386">The i386 boot loader now has support for a
        <literal>nullconsole</literal> console type, for use on
        systems with neither a video console nor a serial
        port. &merged;</para>

      <para arch="i386">The &man.loader.8; now has optional support
        (enabled at compile-time, off by default) for loading
        <application>bzip2</application>-compressed kernels and
        modules. &merged;</para>

      <para arch="i386">Support for Intel's Wired for Management 2.0
        (PXE) was added to the &os; boot loader. Due to API
        differences, the older PXE versions are not supported. This
        allows network booting using DHCP. &merged;</para>

      <!-- Above this line, order bootloader changes by keyword-->

      <para arch="i386">The &os; boot loader now contains a workaround
        to support CDROM booting on certain IBM BIOSs that expect the
        first sector of the emulated floppy to contain a valid MS-DOS
        BPB that they can modify. &merged;</para>

      <para arch="i386">The &os; boot loader now supports a
        <option>-p</option> flag to force the kernel to pause after
        each line of output during the probing phase. &merged;</para>

      <para arch="alpha,i386">The &os; boot loader is now capable of
        booting from filesystems with block sizes larger than
        8K. &merged;</para>

      <para>The kernel and modules have been moved to the directory
        <filename>/boot/kernel</filename>, so they can be easily
        manipulated together. The boot loader has been updated to
        make this change as seamless as possible.</para>
    </sect3>

    <sect3>
      <title>Network Interface Support</title>

      <para>The &man.an.4; driver for Cisco Aironet cards now supports
        Wired Equivalent Privacy (WEP) encryption, settable via
        &man.ancontrol.8;. &merged;</para>

      <para>The &man.an.4; driver now supports the Cisco Aironet 350
        series of adaptors.
        &merged;</para>

      <para>The &man.an.4; driver now supports <quote>monitor</quote>
        mode, settable via the <option>-M</option> option to
        &man.ancontrol.8;. &merged;</para>

      <para>The &man.an.4; driver now supports Cisco LEAP, as well as
        the <quote>Home</quote> WEP key. The Linux Aironet utilities
        are now supported under emulation. &merged;</para>

      <para arch="i386">Generic support for ARCNET token-based
        networks has been added. &merged;</para>

      <para arch="i386">The &man.bge.4; driver has been added to
        support the Broadcom BCM570x family of Gigabit Ethernet
        controllers, including the 3Com 3c996-T, the SysKonnect
        SK-9D21 and SK-9D41, and the built-in Gigabit Ethernet NICs on
        Dell PowerEdge 2550 servers. Output TCP/IP checksum offload,
        jumbo frames and VLAN tag insertion/stripping are supported,
        as well as interrupt moderation. &merged;</para>

      <para arch="i386">The cm driver has been added to support SMC
        COM90cx6 ARCNET network adapters. &merged;</para>

      <para>The &man.dc.4; driver now supports NICs based on the Xircom
        3201 and Conexant LANfinity RS7112 chips.</para>

      <para>The &man.dc.4; driver now has support for
        VLANs. &merged;</para>

      <para>The &man.de.4; driver now performs round-robin arbitration
        between the transmit and receive units of the 21143, instead
        of giving priority to the receive unit. This gives a
        10–15% performance improvement in the forwarding rate
        under heavy load. &merged;</para>

      <para arch="alpha">The &man.ed.4; driver is now supported.</para>

      <para arch="i386">Linksys Fast Ethernet PCCARD cards supported
        by the &man.ed.4; driver now require the addition of flag
        <literal>0x80000</literal> to their config line in
        &man.pccard.conf.5;. This flag is not optional. These
        Linksys cards will not be recognized without
        it.
        &merged;</para>

      <para>A bug in the &man.ed.4; driver that could cause panics
        with very short packets and BPF or bridging active has been
        fixed. &merged;</para>

      <para>The &man.ed.4; driver now has support for D-Link DL10022
        chips, necessary for the NetGear FA-410TX and other cards. As
        a result, <literal>device miibus</literal> is required in
        kernel configurations using the &man.ed.4;
        driver. &merged;</para>

      <para arch="i386">The &man.el.4; driver can now be loaded as a
        module.</para>

      <para arch="i386">The &man.em.4; driver has been added to
        support NICs based on the Intel 82542, 82543, and 82544
        Gigabit Ethernet controller chips. The driver supports
        transmit/receive checksum offload and jumbo frames on 82543
        and 82544-based adapters. &merged;</para>

      <para>The &man.faith.4; device is now loadable, unloadable, and
        clonable. &merged;</para>

      <para arch="i386">Support for Fujitsu MB86960A/MB86965A based
        Ethernet PC-Cards has been added back in the &man.fe.4;
        driver. &merged;</para>

      <para arch="alpha">The &man.fpa.4; driver now supports Digital's
        DEFPA FDDI adaptors on the Alpha. &merged;</para>

      <para>The &man.fxp.4; driver now requires a <literal>device
        miibus</literal> entry in the kernel configuration
        file. &merged;</para>

      <para>The &man.fxp.4; driver now contains a workaround for PCI
        protocol violations caused by defects in some systems based on
        the Intel ICH2/ICH2-M chip. The workaround is to rewrite the
        EEPROM on the interface to disable Dynamic Standby Mode; once
        the EEPROM is rewritten, the system needs to be rebooted for
        the new settings to take effect. &merged;</para>

      <para>The &man.fxp.4; driver now supports Intel's loadable
        microcode to implement receive-side interrupt coalescing and
        packet bundling, on NICs that support these features.
        This
        support can be activated by the use of the
        <option>link0</option> option to
        &man.ifconfig.8;. &merged;</para>

      <para arch="sparc64">The gem driver has been added to support
        the Sun GEM Gigabit Ethernet and ERI Fast Ethernet
        adapters.</para>

      <para>The &man.gx.4; driver has been added to support NICs based
        on the Intel 82542 and 82543 Gigabit Ethernet controller
        chips. Both fiber and copper variants of the cards are
        supported. Both boards support VLAN tagging/insertion, and
        the 82543 additionally supports TCP/IP checksum
        offload. &merged;</para>

      <para arch="sparc64">The hme driver has been added to support
        the Sun HME Fast Ethernet adapter, onboard on many Sun Ultra
        series machines.</para>

      <para>The &man.lge.4; driver has been added to support the Level
        1 LXT1001 NetCellerator Gigabit Ethernet controller chip. This
        device is used on some fiber optic GigE cards from SMC, D-Link
        and Addtron. Jumbograms and TCP/IP checksum offload on
        receive are supported, although hardware VLAN filtering is
        not. &merged;</para>

      <para>The my driver, which supports the Myson Fast Ethernet and
        Gigabit Ethernet adapters, has been added. &merged;</para>

      <para>Added the &man.nge.4; driver, which supports PCI Gigabit
        Ethernet adapters based on the National Semiconductor DP83820
        and DP83821 Gigabit Ethernet controller chips, including the
        D-Link DGE-500T, SMC EZ Card 1000 (SMC9462TX), Asante
        FriendlyNet GigaNIC 1000TA and 1000TPC and Addtron AEG320T.
        This driver supports transmit and receive checksum
        offloading. &merged;</para>

      <para>The &man.pcn.4; driver, which supports the AMD PCnet/FAST,
        PCnet/FAST+, PCnet/FAST III, PCnet/PRO, PCnet/Home, and
        HomePNA adapters, has been added.
        Although these cards are
        already supported by the &man.lnc.4; driver, the &man.pcn.4;
        driver runs these chips in 32-bit mode and uses the RX
        alignment feature to achieve zero-copy receive. This driver
        is also machine-independent, so it will work on both the i386
        and Alpha platforms. The &man.lnc.4; driver is still needed
        to support non-PCI cards. &merged;</para>

      <para>The &man.ray.4; driver, which supports the Webgear Aviator
        wireless network cards, has been committed. The operation of
        &man.ray.4; interfaces can be modified by
        &man.raycontrol.8;. &merged;</para>

      <para arch="i386">The sbni driver, for supporting the Granch
        SBNI12 series of ISA and PCI point-to-point communications
        interfaces, has been added. The <filename
        role="package">sysutils/sbniconfig</filename> port in the &os;
        Ports Collection can be used for configuring these
        devices. &merged;</para>

      <para>Added support for PCI Ethernet adapters based on the SiS
        900 and SiS 7016 Fast Ethernet controller chips (for example,
        as seen on the SiS 635 and 735 motherboard chipsets), as well
        as the National Semiconductor DP83815 chipset (including the
        NetGear FA311-TX and FA312-TX) in the form of the &man.sis.4;
        driver. This device has support for VLANs. &merged;</para>

      <para arch="i386">The snc driver for the National Semiconductor
        DP8393X (SONIC) Ethernet controller has been added.
        Currently, this driver is only used on the PC-98
        architecture. &merged;</para>

      <para>The &man.stf.4; device is now clonable.</para>

      <para>The &man.tap.4; driver, a virtual Ethernet device driver
        for bridged configurations, has been added. This device is
        clonable. &merged;</para>

      <para>The &man.ti.4; driver now supports the Alteon AceNIC
        1000baseT Gigabit Ethernet and Netgear GA620T 1000baseT
        Gigabit cards.
        &merged;</para>

      <para>The &man.ti.4; driver correctly masks VLAN tags. &merged;</para>

      <para>The &man.txp.4; driver has been added to support NICs
        based on the 3Com 3XP Typhoon/Sidewinder (3CR990)
        chipset. &merged;</para>

      <para>&man.vlan.4; devices are now loadable, unloadable, and
        clonable. &merged;</para>

      <para>The &man.wi.4; driver now has support for Prism II and
        Prism 2.5-based NICs. 104/128-bit WEP now works on Prism
        cards. &merged;</para>

      <para>The &man.xl.4; driver now supports the 3Com 3C556 and
        3C556B MiniPCI adapters used on some laptops. &merged;</para>

      <para>The &man.xl.4; driver now supports reception of VLAN
        tagged frames (on the <quote>Cyclone</quote> or newer
        chipsets). &merged;</para>

      <para>The &man.xl.4; driver now supports send- and receive-side
        TCP/IP checksum offloading for NICs implementing this feature,
        such as the 3C905B, 3C905C, and 3C980C. &merged;</para>

      <para>A bug in the &man.xl.4; driver, related to statistics
        overflow interrupt handling, was causing slowdowns at medium
        to high packet rates; this has been fixed. &merged;</para>

      <para>The per-interface <varname>ifnet</varname> structure now
        has the ability to indicate a set of capabilities supported by
        a network interface, and which ones are enabled.
        &man.ifconfig.8; has support for querying these
        capabilities. &merged;</para>

      <para>Performance with hosts having a large number of IP aliases
        has been improved, by replacing the per-interface
        <varname>if_inaddr</varname> linear list with a hash table. &merged;</para>

      <para>Network devices now automatically appear as special files in
        <filename>/dev/net</filename>. Interface hardware ioctls (not
        protocol or routing) can be performed on these devices.
        The
        <varname>SIOCGIFCONF</varname> ioctl may be performed on the
        special <filename>/dev/network</filename> node.</para>

      <para>Selected network drivers now implement a semi-polling
        mode, which makes systems much more resilient to attacks and
        overloads. To enable polling, the following options are
        required in a kernel configuration file:

        <programlisting>options DEVICE_POLLING
options HZ=1000 # not compulsory but strongly recommended</programlisting>

        The <varname>kern.polling.enable</varname> sysctl variable
        will then activate polling mode; with the
        <varname>kern.polling.user_frac</varname> sysctl indicating
        the percentage of CPU time to be reserved for userland. The
        devices initially supporting polling are &man.dc.4;,
        &man.fxp.4;, and &man.sis.4;. More details can be found in
        the &man.polling.4; manual page. &merged;</para>

      <para arch="i386">The packet-forwarding performance of certain
        network drivers (specifically &man.dc.4; and &man.sis.4;) has
        been enhanced by the elimination of unnecessary buffer
        copies. &merged;</para>
    </sect3>

    <sect3>
      <title>Network Protocols</title>

      <para>&man.accept.filter.9;, a kernel feature to reduce
        overheads when accepting and reading new connections on
        listening sockets, has been added. &merged;</para>

      <para>The <literal>proxy</literal> modifier to &man.arp.8;'s
        <option>-d</option> option has been renamed to
        <literal>pub</literal>, for consistency with the
        <option>-s</option> option. The <literal>only</literal> keyword
        has been added to the <option>-s</option> and
        <option>-S</option> flags, to be used in creating
        <quote>proxy-only</quote> published entries. &merged;</para>

      <para>The read timeout feature of &man.bpf.4; now works more
        correctly with &man.select.2;/&man.poll.2;, and therefore with
        pthreads.
        &merged;</para>

      <para>&man.bridge.4; and &man.dummynet.4; have received some
        enhancements and bug fixes, and are now loadable
        modules. &merged;</para>

      <para>&man.bridge.4; now has better support for multiple,
        fully-independent bridging clusters, and is much more stable
        in the presence of dynamic attachments and detachments.
        VLANs are also fully supported. &merged;</para>

      <para>ICMP ECHO and TSTAMP replies are now rate limited. TCP
        RSTs generated due to packets sent to open and unopen ports
        are now limited by separate counters. Each rate limiting
        queue now has its own description.</para>

      <para>ICMP <literal>UNREACH_FILTER_PROHIB</literal> messages can
        now RST TCP connections in the <literal>SYN_SENT</literal>
        state if the correct sequence numbers are sent back, as
        controlled by the
        <varname>net.inet.tcp.icmp_may_rst</varname> sysctl. &merged;</para>

      <para>IP multicast now works on VLAN devices. Several other
        bugs in the VLAN code have also been fixed.</para>

      <para>A bug in the IPSec processing for IPv4, which caused the
        inbound SPD checks to be ignored, has been fixed. &merged;</para>

      <para>&man.ipfw.4; now filters correctly in the presence of ECN
        bits in TCP segments. &merged;</para>

      <para>A new &man.ng.etf.4; netgraph node allows Ethernet type
        packets to be filtered to different hooks depending on
        ethertype. &merged;</para>

      <para>The &man.ng.gif.4; and &man.ng.gif.demux.4; netgraph
        nodes, for operating on &man.gif.4; devices, have been
        added.</para>

      <para>The &man.ng.ip.input.4; netgraph node, for queueing IP
        packets into the main IP input processing code, has been
        added.</para>

      <para>The &man.ng.mppc.4; and &man.ng.bridge.4; node types have
        been added to the &man.netgraph.4; subsystem. The
        &man.ng.ether.4; node is now dynamically loadable.
        Miscellaneous bug fixes and enhancements have also been
        made. &merged;</para>

      <para>A new netgraph node type &man.ng.one2many.4; for
        multiplexing and demultiplexing packets over multiple links
        has been added. &merged;</para>

      <para>A new sysctl
        <varname>net.inet.ip.check_interface</varname>, which is on by
        default, causes IP to verify that an incoming packet arrives
        on an interface that has an address matching the packet's
        destination address. &merged;</para>

      <para>A new sysctl
        <varname>net.link.ether.inet.log_arp_wrong_iface</varname> has
        been added to control the suppression of logging when ARP
        replies arrive on the wrong interface. &merged;</para>

      <para>A new <literal>options RANDOM_IP_ID</literal> kernel
        option causes the ID field of IP packets to be randomized.
        This closes a minor information leak which allows a remote
        observer to determine the rate at which the machine is
        generating packets, since the default behavior is to increment
        a counter for each packet sent. &merged;</para>

      <para arch="alpha">SLIP has been removed from the
        <filename>mfsroot</filename> floppy image.</para>

      <para>TCP has received some bug fixes for its delayed ACK
        behavior. &merged;</para>

      <para>TCP now supports the NewReno modification to the TCP Fast
        Recovery algorithm. This behavior can be controlled via the
        <varname>net.inet.tcp.newreno</varname> sysctl
        variable. &merged;</para>

      <para>TCP now uses a more aggressive timeout for initial SYN
        segments; this allows initial connection attempts to be
        dropped much faster. &merged;</para>

      <para>The <literal>TCP_COMPAT_42</literal> kernel option has
        been removed. &merged;</para>

      <para>The <literal>TCP_RESTRICT_RST</literal> kernel option has
        been removed. Similar functionality can be achieved with the
        <varname>net.inet.tcp.blackhole</varname> sysctl
        variable.
        &merged;</para>

      <para>TCP now has RFC 1323 extensions enabled by default in
        &man.rc.conf.5;. &merged;</para>

      <para>RFC 1323 and RFC 1644 TCP extensions are now disabled for
        a connection in progress if no response has been received by
        the third SYN segment sent. This behavior tries to work
        around (very old) terminal servers with buggy VJ header
        compression implementations. &merged;</para>

      <para>The TCP implementation no longer requires the allocation
        of a TCP template structure for each connection; this should
        reduce the buffer usage on large systems handling many
        connections. &merged;</para>

      <para>TCP's default buffer sizes, controlled by the
        <varname>net.inet.tcp.sendspace</varname> and
        <varname>net.inet.tcp.recvspace</varname> sysctl variables,
        have been increased to 32K and 64K respectively. Previously,
        the default for both buffer sizes was 16K. To try to avoid
        increasing congestion, the default value for
        <varname>net.inet.tcp.local_slowstart_flightsize</varname> has
        been changed from infinity to 4. &merged;

        <note>
          <para>On busy hosts, the new larger buffer sizes may require
            manually increasing the
            <varname>NMBCLUSTERS</varname> parameter, either in the
            kernel configuration file or via the
            <varname>kern.ipc.nmbclusters</varname> loader tunable.
            <command>netstat -mb</command> can be used to monitor the
            state of mbuf clusters.</para>
        </note>
      </para>

      <para>TCP now supports RFC 1948 (Defending Against Sequence
        Number Attacks). This functionality is controlled by the
        <varname>net.inet.tcp.strict_rfc1948</varname> and
        <varname>net.inet.tcp.isn_reseed_interval</varname> sysctl
        variables. &merged;</para>

      <para>The TCP implementation in &os; now implements a cache of
        outstanding, received SYN segments.
        Incoming SYN segments now
        cause entries to be placed in the cache until the TCP
        three-way handshake is complete, at which point, memory is
        allocated for the connection as usual. In addition, all TCP
        Initial Sequence Numbers (ISNs) are used as cookies, allowing
        entries in the cache to be dropped, but still have their
        corresponding ACKs accepted later. The combination of the
        so-called
        <quote>syncache</quote> and <quote>syncookies</quote> features
        makes a host much more resistant to TCP-based Denial of
        Service attacks. Work on this feature was sponsored by DARPA
        and NAI Labs. &merged;</para>

      <para>A bug in the TCP implementation, which could cause
        connections to stall if a sender saw a zero-sized window, has
        been corrected. &merged;</para>

      <para>The TCP implementation now properly ignores packets
        addressed to IP-layer broadcast addresses. &merged;</para>

      <para>The ephemeral port range used for TCP and UDP has been
        changed to 49152–65535 (the old default was
        1024–5000). This increases the number of concurrent
        outgoing connections/streams. &merged;</para>
    </sect3>

    <sect3>
      <title>Disks and Storage</title>

      <para arch="i386">Support for the Adaptec FSA family of PCI-SCSI
        RAID controllers has been added, in the form of the
        &man.aac.4; driver. This driver includes proper handling of
        commands initiated by the adapter, addition/removal of disk
        devices, crashdump functionality, and &man.ioctl.2; commands
        necessary for the management CLI, and is fully qualified and
        sanctioned by Adaptec. &merged;</para>

      <para>The &man.ahc.4; driver has received numerous updates,
        bugfixes, and enhancements. Among various improvements are
        improved compatibility with chips in <quote>RAID Port</quote>
        mode and systems with AAA and/or ARO cards installed, as well
        as performance improvements.
        Some bugs were also fixed,
        including a rare hang on Ultra2/U160
        controllers. &merged;</para>

      <para arch="i386">The &man.asr.4; driver, which provides support
        for the Adaptec SCSI RAID controller family, as well as the
        DPT SmartRAID V and VI families, has been
        added. &merged;</para>

      <para arch="i386">The &man.asr.4; driver now supports the
        Adaptec 2000S and 2005S Zero-Channel RAID
        controllers. &merged;</para>

      <para>The &man.ata.4; driver now has support for ATA100
        controllers. In addition, it now supports the ServerWorks
        ROSB4 ATA33 chipset, the CMD 648 ATA66 and CMD 649 ATA100
        chipsets, and the Cyrix 5530. &merged;</para>

      <para>To provide more flexible configuration, the various
        options for the &man.ata.4; driver are now boot loader
        tunables, rather than kernel configure-time
        options. &merged;</para>

      <para>The &man.ata.4; driver now has support for tagged queuing,
        which is enabled by the <varname>hw.ata.tags</varname> loader
        tunable. &merged;</para>

      <para>The &man.ata.4; driver now has support for ATA
        <quote>pseudo</quote> RAID controllers such as the Promise Fasttrak
        and HighPoint HPT370 controllers. &merged;</para>

      <para>The &man.ata.4; driver now supports a wider variety of SiS
        chipsets, as listed in the Hardware Notes. &merged;</para>

      <para>The &man.ata.4; driver now has support for creating,
        deleting, querying, and rebuilding ATA RAIDs under control of
        &man.atacontrol.8;. &merged;</para>

      <para>The BurnProof(TM) feature, for applicable ATAPI CD-ROM
        burners, is now supported. &merged;</para>

      <para>The &man.ata.4; driver now has support for 48-bit
        addressing. Devices larger than 137GB are now
        supported. &merged;</para>

      <para>The &man.ata.4; driver now contains fixes for some data
        corruption problems on systems using the VIA 82C686B
        Southbridge chip.
        &merged;</para>

<!-- The following note needs to be made more specific or eliminated. -->
      <para>The CAM error recovery code has been updated.</para>

      <para>The &man.cd.4; driver now has support for write
        operations. This allows writing to DVD-RAM, PD and similar
        drives that probe as CD devices. Note that this change affects
        only random-access writeable devices, not sequential-only
        writeable devices such as CD-R drives, which are supported by
        &man.cdrecord.1; (a part of
        <filename role="package">sysutils/cdrtools</filename> in the
        Ports Collection). &merged;</para>

      <para arch="i386">The ciss driver, for devices utilizing the
        Common Interface for SCSI-3 Support, has been added. This
        driver supports the Compaq SmartRAID 5* family of RAID
        controllers (5300, 532, 5i). &merged;</para>

      <para>The &man.fdc.4; floppy disk driver has undergone a number of
        enhancements. Density selection for common settings is now
        automatic; the driver is also much more flexible in setting
        the densities of various subdevices.</para>

      <para>The &man.geom.4; disk I/O request transformation framework
        has been added; this extensible framework is designed to
        support a wide variety of operations on I/O requests on their
        way from the upper kernel to the device drivers.</para>

      <para>The ida disk driver now has crashdump
        support. &merged;</para>

      <para arch="i386">The iir driver has been added to support the
        Intel Integrated RAID controllers, as well as prior ICP Vortex
        controllers.</para>

      <para arch="alpha">A bug that made certain CDROM drives fail to
        attach when connected to a SCSI card driven by &man.isp.4; has
        been fixed.
        &merged;</para>

      <para>The &man.isp.4; driver is now proactive about discovering
        Fibre Channel topology changes.</para>

      <para>The &man.isp.4; driver now supports target mode for Qlogic
        SCSI cards, including Ultra2 and Ultra3 and dual bus
        cards.</para>

      <para>The &man.isp.4; driver now supports the Qlogic 2300 and
        2312 Optical Fibre Channel PCI cards. &merged;</para>

      <para>&man.md.4;, the memory disk device, has had the
        functionality of &man.vn.4; incorporated into it. &man.md.4;
        devices can now be configured by &man.mdconfig.8;. &man.vn.4;
        has been removed. The Memory Filesystem (MFS) has also been
        removed.</para>

      <para arch="i386">The &man.mly.4; driver, for Mylex PCI to SCSI
        AccelRAID and eXtremeRAID controllers with firmware 6.X and
        later, has been added. &merged;</para>

      <para arch="i386">The ncv, nsp, and stg drivers have been ported
        from NetBSD/pc98. They support the NCR 53C50 / Workbit Ninja
        SCSI-3 / TMC 18C30, 18C50 based PC-Card/ISA SCSI controllers.
        All three drivers can be built and loaded as
        modules. &merged;</para>

      <para>Some problems in &man.sa.4; error handling have been
        fixed, including the <quote>tape drive spinning indefinitely
        upon &man.mt.1; <option>stat</option></quote> problem.</para>

      <para arch="i386">The &man.twe.4; 3ware ATA RAID driver has
        been added. &merged;</para>

<!-- The following note needs to be made more specific or eliminated. -->
      <para>The &man.vinum.4; volume manager has received some bug
        fixes and enhancements.</para>

      <para>The &man.wd.4; compatibility devices were removed from the
        &man.ata.4; driver. &merged;</para>
    </sect3>

    <sect3>
      <title>Filesystems</title>

      <para>Support for named extended attributes was added to the
        &os; kernel.
        This allows the kernel, and appropriately
        privileged userland processes, to tag files and directories
        with attribute data. Extended attributes were added to
        support the TrustedBSD Project, in particular ACLs, capability
        data, and mandatory access control labels (see
        <filename>/usr/src/sys/ufs/ufs/README.extattr</filename> for
        details).</para>

      <para>Due to a licensing change, softupdates have been
        integrated into the main portion of the kernel source tree.
        As a consequence, softupdates are now available with the
        <filename>GENERIC</filename> kernel. &merged;</para>

      <para>A filesystem snapshot capability has been added to FFS.
        Details can be found in
        <filename>/usr/src/sys/ufs/ffs/README.snapshot</filename>.</para>

<!-- The following note needs to be made more specific or eliminated. -->
      <para>Softupdates for FFS have received some bug fixes and
        enhancements.</para>

      <para>When running with softupdates, &man.statfs.2; and
        &man.df.1; will track the number of blocks and files that are
        committed to being freed.</para>

      <para>A bug in FFS that could cause superblock corruption on
        very large filesystems has been corrected. &merged;</para>

      <para>The Inode Filesystem (IFS) has been added; more
        information can be found in
        <filename>/usr/src/sys/ufs/ifs/README</filename>.</para>

      <para>The ISO-9660 filesystem now has a hook that supports a
        loadable character conversion routine. The
        <filename role="package">sysutils/cd9660_unicode</filename>
        port contains a set of common conversions. &merged;</para>

      <para>&man.kernfs.5; is obsolete and has been retired.</para>

      <para>A bug in the NFS client that caused bogus access times with
        <literal>O_EXCL|O_CREAT</literal> opens was
        fixed.
        &merged;</para>

      <para>A new NFS hash function (based on the Fowler/Noll/Vo hash
        algorithm) has been implemented to improve NFS performance by
        increasing the efficiency of the <varname>nfsnode</varname>
        hash tables. &merged;</para>

      <para>Client-side NFS locks have been implemented.</para>

      <para>The client-side and server-side of the NFS code in the
        kernel used to be intertwined in various complex ways. They
        have been split apart for ease of maintenance and further
        development.</para>

      <para>Support for file system Access Control Lists (ACLs) has
        been introduced, allowing more fine-grained control of
        discretionary access control on files and directories. This
        support was integrated from the TrustedBSD Project. More
        details can be found in
        <filename>/usr/src/sys/ufs/ufs/README.acls</filename>.</para>

      <para>The directory layout preference algorithm for FFS
        (<literal>dirprefs</literal>) has been changed. Rather than
        scattering directory blocks across a disk, it attempts to
        group related directory blocks together. Operations
        traversing large directory hierarchies, such as the &os; Ports
        tree, have shown marked speedups. This change is transparent
        and automatic for new directories. &merged;</para>

      <para arch="i386">smbfs (CIFS) support in kernel has been added.
        The userland programs &man.smbutil.1; and &man.mount.smbfs.8;
        can be used to work with SMB shares. Note that
        &man.mount.smbfs.8; will automatically load the
        <filename>smbfs.ko</filename> module into the kernel, even if
        <literal>LIBMCHAIN</literal> and
        <literal>LIBICONV</literal> were not compiled into the kernel.
        &merged;</para>

      <para>For consistency, the fdesc, fifo, null, msdos, portal,
        umap, and union filesystems have been renamed to fdescfs,
        fifofs, msdosfs, nullfs, portalfs, umapfs, and unionfs.
        Where
        applicable, modules and mount_* programs have been renamed.
        Compatibility <quote>glue</quote> has been added to
        &man.mount.8; so that <literal>msdos</literal> filesystem
        entries in &man.fstab.5; will work without changes.</para>

      <para>pseudofs, a pseudo-filesystem framework, has been added.
        &man.linprocfs.5; and &man.procfs.5; have been modified to use
        pseudofs.</para>

      <para>A simple hash-based lookup optimization for large
        directories called <literal>dirhash</literal> has been added.
        Conditional on the
        <literal>UFS_DIRHASH</literal> kernel option (enabled by
        default in the <filename>GENERIC</filename> kernel), it
        improves the speed of operations on very large directories at
        the expense of some memory. &merged;</para>

      <para>The virtual memory subsystem now backs UFS directory
        memory requirements by default (this behavior is controlled
        via the <varname>vfs.vmiodirenable</varname> sysctl
        variable). &merged;</para>

      <para>A bug that prevented the root filesystem from being
        mounted from a SCSI CDROM has been fixed (ATAPI CDROMs were
        always supported). &merged;</para>

      <para>A number of bugs in the filesystem code, discovered
        through the use of the <application>fsx</application>
        filesystem test tool, have been fixed. Under certain
        circumstances (primarily related to use of NFS), these bugs
        could cause data corruption or kernel panics.
        &merged;</para>

      <para>Network filesystems (such as NFS and smbfs filesystems)
        listed in <filename>/etc/fstab</filename> can now be properly
        mounted during startup initialization; their mounts are
        deferred until after the network is initialized.</para>
    </sect3>

    <sect3>
      <title>PCCARD Support</title>

      <para arch="i386">The pccard driver and &man.pccardc.8; now
        support multiple <quote>beep types</quote> upon card insertion
        and removal. &merged;</para>

      <para>On many modern hosts, PCCARD devices can be configured to
        route their interrupts via either the ISA or PCI interrupt
        paths. The &man.pcic.4; driver has been updated to support
        both interrupt paths (formerly, only routing via ISA was
        supported). &merged; In most cases, configuration of PCMCIA
        devices in laptops is simpler and more flexible. In addition,
        various Cardbus bridge PCI cards (such as those used by
        Orinoco PCI NICs) are now supported. Some hosts may
        experience problems, such as hangs or panics, with PCI
        interrupt routing; they can frequently be made to work by
        forcing the older-style ISA interrupt routing. The following
        lines, placed in <filename>/boot/loader.conf</filename>, may
        fix the problem:</para>

      <programlisting>hw.pcic.intr_path="1"
hw.pcic.irq="0"</programlisting>

      <para>When installing &os; on such a system, typing the
        following lines to the boot loader may be helpful in starting
        up &os; for the first time:</para>

      <screen><prompt>ok</prompt> <userinput>set hw.pcic.intr_path="1"</userinput>
<prompt>ok</prompt> <userinput>set hw.pcic.irq="0"</userinput></screen>

      <para arch="i386">Preliminary Cardbus support under NEWCARD has
        been added. This code supports the TI113X, TI12XX, TI125X,
        Ricoh 5C46/5C47, Topic 95/97/100 and Cirrus Logic PD683X
        bridges.
        16-bit PC Card support is not yet functional.</para>
    </sect3>

    <sect3>
      <title>Multimedia Support</title>

      <para arch="i386">The &man.pcm.4; driver now supports the ESS
        Solo 1, Maestro-1, Maestro-2, and Maestro-2e; Forte Media
        fm801, ESS Maestro-2e, and VIA Technologies VT82C686A sound
        card/chipsets, and has received some other updates. Separate
        drivers for the SoundBlaster 8 and SoundBlaster 16 now replace
        an older, unified driver. A driver for the CMedia
        CMI8338/CMI8738 sound chips has been added. A driver for the
        CS4281 sound chip has been added. A driver for the S3
        SonicVibes chipset has been added. &merged;</para>

      <para arch="i386">A driver for the Avance Logic ALS4000 has been
        added. &merged;</para>

      <para arch="i386">A driver for the ESS Maestro-3/Allegro has
        been added; however, due to licensing restrictions, it cannot
        be compiled into the kernel. &merged; To use this driver, add
        the following line to
        <filename>/boot/loader.conf</filename>:</para>

      <programlisting>snd_maestro3_load="YES"</programlisting>

      <para>The &man.bktr.4; driver has been updated to 2.18. This
        update provides a number of new features. New tuner types
        have been added, and improvements to the KLD module and to
        memory allocation have been made. Bugs in &man.devfs.5; when
        unloading and reloading have been fixed. Support for new
        Hauppauge Model 44xxx WinTV Cards (the ones with no audio mux)
        has been added. &merged;</para>

      <para arch="i386">The ufm driver, supporting the D-Link DSB-R100
        USB Radio, has been added. &merged;</para>

      <para>When sound modules are built, one can now load all the
        drivers and infrastructure by <command>kldload
        snd</command>.
        &merged;</para>

      <para>A new API has been added for sound cards with hardware
        volume control.</para>

      <para arch="i386">A driver for the Intel 443MX, 810, 815, and
        815E integrated sound devices has been added. &merged;</para>

      <para arch="i386">The via82c686 sound driver now supports the VIA
        VT8233. &merged;</para>

      <para arch="i386">The ich sound driver now supports the SiS
        7012 chipset. &merged;</para>

    </sect3>

    <sect3>
      <title>Contributed Software</title>

      <para>The Forth Inspired Command Language
        (<application>FICL</application>) used in the boot loader has
        been updated to 2.05.</para>

      <para>Support for Advanced Configuration and Power Interface
        (ACPI), a multi-vendor standard for configuration and power
        management, has been added. This functionality has been
        provided by the <application>Intel ACPI Component
        Architecture</application> project, as of the ACPI CA 20020308
        snapshot. Some backward compatibility for applications using
        the older APM standard has been provided.</para>

      <sect4>
        <title>IPFilter</title>

        <para><application>IPFilter</application> has been updated to
          3.4.25.</para>

        <para><application>IPFilter</application> now supports
          IPv6. &merged;</para>

      </sect4>

      <sect4 arch="i386">
        <title>isdn4bsd</title>

        <para><application>isdn4bsd</application> has been updated to
          version 1.0.1. As a result of this update, users of the
          &man.i4bisppp.4; (kernel PPP over ISDN) driver
          <emphasis>must</emphasis> now use &man.ispppcontrol.8;
          instead of &man.spppcontrol.8; to configure and control these
          network interfaces. &merged;</para>

        <para>The &man.ifpi.4; driver for supporting the AVM
          Fritz!Card PCI version 2 controller has been added.
          &merged;</para>

        <para>The &man.ihfc.4; driver for supporting Cologne Chip
          Designs HFC devices under
          <application>isdn4bsd</application> has been
          added. &merged;</para>

        <para>The &man.itjc.4; driver for supporting NETjet-S / Teles
          PCI-TJ devices under <application>isdn4bsd</application> has
          been added. &merged;</para>

        <para>Experimental support for the Eicon.Diehl DIVA 2.0 and
          2.02 ISA PnP ISDN cards has been added to the &man.isic.4;
          <application>isdn4bsd</application> driver. &merged;</para>

        <para>The &man.isic.4; driver now supports the Compaq Microcom
          610 ISDN ISA PnP card. &merged;</para>

        <para>Active CAPI-based ISDN cards manufactured by AVM are now
          supported using the &man.i4bcapi.4; and the &man.iavc.4;
          driver. The supported cards are the AVM B1 PCI and AVM B1
          ISA Basic Rate cards and the AVM T1 Primary Rate
          cards. &merged;</para>

        <para>A new <literal>maxconnecttime</literal> keyword is now
          accepted in &man.isdnd.rc.5; files to limit the time a
          connection may remain open. &merged;</para>

        <para>&man.isdnphone.8; now supports a <option>-k</option>
          option for sending messages via the keypad facility to a PBX
          or exchange office. &merged;</para>
      </sect4>

      <sect4 id="kame-kernel">
        <title>KAME</title>

        <para>The IPv6 stack is now based on the
          KAME Project's IPv6 snapshot as of 28 May, 2001. Most of
          the items listed in this section are a result of this
          import. <xref linkend="kame-userland"> lists userland
          updates to the KAME IPv6 stack. &merged;</para>

        <para>&man.gif.4; is now based on RFC 2893, rather than RFC
          1933. The <literal>IFF_LINK2</literal> interface flag can
          be used to control ingress filtering.
          &merged;</para>

        <para><application>IPSec</application> has received some
          enhancements, including the ability to use the Rijndael and
          SHA2 algorithms. IPSec RC5 support has been removed due to
          patent issues. &merged;</para>

        <para>&man.stf.4; now conforms to RFC 3056; the
          <literal>IFF_LINK2</literal> interface flag can be used to
          control ingress filtering. &merged;</para>

        <para>IPv6 has better checking of illegal addresses (such as
          loopback addresses) on physical networks. &merged;</para>

        <para>The <varname>IPV6_V6ONLY</varname> socket option is now
          completely supported. The kernel's default behavior with
          respect to this option is controlled by the
          <varname>net.inet6.ip6.v6only</varname> sysctl
          variable. &merged;</para>

        <para>RFC 3041 (Privacy Extensions for Stateless Address
          Autoconfiguration) is now supported. It can be enabled via
          the <varname>net.inet6.ip6.use_tempaddr</varname> sysctl
          variable. &merged;</para>
      </sect4>
    </sect3>
  </sect2>
  <sect2 id="security">
    <title>Security-Related Changes</title>

    <para>&man.sysinstall.8; now allows the user to select one of two
      <quote>security profiles</quote> at install-time. These
      profiles enable different levels of system security by enabling
      or disabling various system services in &man.rc.conf.5; on new
      installs. &merged;</para>

    <para>A bug in which malformed ELF executable images can hang the
      system has been fixed (see security advisory
      FreeBSD-SA-00:41). &merged;</para>

    <para>A security hole in Linux emulation was fixed (see security
      advisory FreeBSD-SA-00:42). &merged;</para>

    <para>String-handling library calls in many programs were fixed to
      reduce the possibility of buffer overflow-related exploits.
1444 &merged;</para> 1445 1446 <para>TCP now uses stronger randomness in choosing its initial 1447 sequence numbers (see security advisory 1448 FreeBSD-SA-00:52). &merged;</para> 1449 1450 <para>Several buffer overflows in &man.tcpdump.1; were corrected 1451 (see security advisory FreeBSD-SA-00:61). &merged;</para> 1452 1453 <para>A security hole in &man.top.1; was corrected (see security 1454 advisory FreeBSD-SA-00:62). &merged;</para> 1455 1456 <para>A potential security hole caused by an off-by-one-error in 1457 &man.gethostbyname.3; has been fixed (see security advisory 1458 FreeBSD-SA-00:63). &merged;</para> 1459 1460 <para>A potential buffer overflow in the &man.ncurses.3; library, 1461 which could cause arbitrary code to be run from within 1462 &man.systat.1;, has been corrected (see security advisory 1463 FreeBSD-SA-00:68). &merged;</para> 1464 1465 <para>A vulnerability in &man.telnetd.8; that could cause it to 1466 consume large amounts of server resources has been fixed (see 1467 security advisory FreeBSD-SA-00:69). &merged;</para> 1468 1469 <para>The <literal>nat deny_incoming</literal> command in 1470 &man.ppp.8; now works correctly (see security advisory 1471 FreeBSD-SA-00:70). &merged;</para> 1472 1473 <para>A vulnerability in &man.csh.1;/&man.tcsh.1; temporary files 1474 that could allow overwriting of arbitrary user-writable files 1475 has been closed (see security advisory 1476 FreeBSD-SA-00:76). &merged;</para> 1477 1478 <para>The &man.ssh.1; binary is no longer SUID root by 1479 default. &merged;</para> 1480 1481 <para>Some fixes were applied to the Kerberos IV implementation 1482 related to environment variables, a possible buffer overrun, and 1483 overwriting ticket files. &merged;</para> 1484 1485 <para>&man.telnet.1; now does a better job of sanitizing its 1486 environment. &merged;</para> 1487 1488 <para>Several vulnerabilities in &man.procfs.5; were fixed (see 1489 security advisory FreeBSD-SA-00:77). 
&merged;</para> 1490 1491 <para>A bug in <application>OpenSSH</application> in which a 1492 server was unable to disable &man.ssh-agent.1; or 1493 <literal>X11Forwarding</literal> was fixed (see security 1494 advisory FreeBSD-SA-01:01). &merged;</para> 1495 1496 <para>A bug in &man.ipfw.8; and &man.ip6fw.8; in which inbound TCP 1497 segments could incorrectly be treated as being part of an 1498 <literal>established</literal> connection has been fixed (see 1499 security advisory FreeBSD-SA-01:08). &merged;</para> 1500 1501 <para>A bug in &man.crontab.1; that could allow users to read any 1502 file on the system in valid &man.crontab.5; syntax has been 1503 fixed (see security advisory FreeBSD-SA-01:09). &merged;</para> 1504 1505 <para>A vulnerability in &man.inetd.8; that could allow 1506 read-access to the initial 16 bytes of 1507 <groupname>wheel</groupname>-accessible files has been fixed 1508 (see security advisory FreeBSD-SA-01:11). &merged;</para> 1509 1510 <para>A bug in &man.periodic.8; that used insecure temporary files 1511 has been corrected (see security advisory 1512 FreeBSD-SA-01:12). &merged;</para> 1513 1514 <para><application>OpenSSH</application> now has code to prevent 1515 (instead of just mitigating through connection limits) an attack 1516 that can lead to guessing the server key (not host key) by 1517 regenerating the server key when an RSA failure is detected (see 1518 security advisory FreeBSD-SA-01:24). &merged;</para> 1519 1520 <para>A number of programs have had output formatting strings 1521 corrected so as to reduce the risk of 1522 vulnerabilities. &merged;</para> 1523 1524 <para>A number of programs that use temporary files now do so more 1525 securely. &merged;</para> 1526 1527 <para>A bug in ICMP that could cause an attacker to disrupt TCP and UDP 1528 <quote>sessions</quote> has been corrected. 
&merged;</para> 1529 1530 <para>A bug in &man.timed.8;, which caused it to crash if sent 1531 certain malformed packets, has been corrected (see security 1532 advisory FreeBSD-SA-01:28). &merged;</para> 1533 1534 <para>A bug in &man.rwhod.8;, which caused it to crash if sent 1535 certain malformed packets, has been corrected (see security 1536 advisory FreeBSD-SA-01:29). &merged;</para> 1537 1538 <para>A security hole in &os;'s FFS and EXT2FS implementations, 1539 which allowed a race condition that could cause users to have 1540 unauthorized access to data, has been fixed (see security 1541 advisory FreeBSD-SA-01:30). &merged;</para> 1542 1543 <para>A remotely-exploitable vulnerability in &man.ntpd.8; has 1544 been closed (see security advisory 1545 FreeBSD-SA-01:31). &merged;</para> 1546 1547 <para>A security hole in <application>IPFilter</application>'s 1548 fragment cache has been closed (see security advisory 1549 FreeBSD-SA-01:32). &merged;</para> 1550 1551 <para>Buffer overflows in &man.glob.3;, which could cause 1552 arbitrary code to be run on an FTP server, have been closed. In 1553 addition, to prevent some forms of DOS attacks, &man.glob.3; 1554 allows specification of a limit on the number of pathname 1555 matches it will return. &man.ftpd.8; now uses this feature (see 1556 security advisory FreeBSD-SA-01:33). &merged;</para> 1557 1558 <para>Initial sequence numbers in TCP are more thoroughly 1559 randomized (see security advisory FreeBSD-SA-01:39). Due to 1560 some possible compatibility issues, the behavior of this 1561 security fix can be enabled or disabled via the 1562 <varname>net.inet.tcp.tcp_seq_genscheme</varname> sysctl 1563 variable. &merged;</para> 1564 1565 <para>A vulnerability in the &man.fts.3; routines (used by 1566 applications for recursively traversing a filesystem) could 1567 allow a program to operate on files outside the intended 1568 directory hierarchy. This bug has been fixed (see security 1569 advisory FreeBSD-SA-01:40).
&merged;</para> 1570 1571 <para><application>OpenSSH</application> now switches to the 1572 user's UID before attempting to unlink the authentication 1573 forwarding file, nullifying the effects of a race.</para> 1574 1575 <para>A flaw allowed some signal handlers to remain in effect in a 1576 child process after being exec-ed from its parent. This allowed 1577 an attacker to execute arbitrary code in the context of a setuid 1578 binary. This flaw has been corrected (see security advisory 1579 FreeBSD-SA-01:42). &merged;</para> 1580 1581 <para>A remote buffer overflow in &man.tcpdump.1; has been fixed 1582 (see security advisory FreeBSD-SA-01:48). &merged;</para> 1583 1584 <para>A remote buffer overflow in &man.telnetd.8; has been fixed 1585 (see security advisory FreeBSD-SA-01:49). &merged;</para> 1586 1587 <para>The new <varname>net.inet.ip.maxfragpackets</varname> and 1588 <varname>net.inet.ip6.maxfragpackets</varname> sysctl variables 1589 limit the amount of memory that can be consumed by IPv4 and IPv6 1590 packet fragments, which defends against some denial of service 1591 attacks (see security advisory 1592 FreeBSD-SA-01:52). &merged;</para> 1593 1594 <para>All services in <filename>inetd.conf</filename> are now 1595 disabled by default for new installations. &man.sysinstall.8; 1596 gives the option of enabling or disabling &man.inetd.8; on new 1597 installations, as well as editing 1598 <filename>inetd.conf</filename>. &merged;</para> 1599 1600 <para>A flaw in the implementation of the &man.ipfw.8; 1601 <literal>me</literal> rules on point-to-point links has been 1602 corrected. Formerly, <literal>me</literal> filter rules would 1603 match the remote IP address of a point-to-point interface in 1604 addition to the intended local IP address (see security advisory 1605 FreeBSD-SA-01:53). 
&merged;</para> 1606 1607 <para>A vulnerability in &man.procfs.5;, which could allow a 1608 process to read sensitive information from another process's 1609 memory space, has been closed (see security advisory 1610 FreeBSD-SA-01:55). &merged;</para> 1611 1612 <para>The <literal>PARANOID</literal> hostname checking in 1613 <application>tcp_wrappers</application> now works as advertised 1614 (see security advisory FreeBSD-SA-01:56). &merged;</para> 1615 1616 <para>A local root exploit in &man.sendmail.8; has been closed 1617 (see security advisory FreeBSD-SA-01:57). &merged;</para> 1618 1619 <para>A remote root vulnerability in &man.lpd.8; has been closed 1620 (see security advisory FreeBSD-SA-01:58). &merged;</para> 1621 1622 <para>A race condition in &man.rmuser.8; that briefly exposed a 1623 world-readable <filename>/etc/master.passwd</filename> has been 1624 fixed (see security advisory FreeBSD-SA-01:59). &merged;</para> 1625 1626 <para>A vulnerability in <application>UUCP</application> has been 1627 closed (see security advisory FreeBSD-SA-01:62). All 1628 non-<username>root</username>-owned binaries in standard system 1629 paths now have the <literal>schg</literal> flag set to prevent 1630 exploit vectors when run by &man.cron.8;, by 1631 <username>root</username>, or by a user other than the one owning 1632 the binary. In addition, &man.uustat.1; is now run via 1633 <filename>/etc/periodic/daily/410.status-uucp</filename> as 1634 <username>uucp</username>, not <username>root</username>. In 1635 &os; -CURRENT, <application>UUCP</application> has since been 1636 moved to the Ports Collection and is no longer a part of the base 1637 system. &merged;</para> 1638 1639 <para>A security hole in the form of a buffer overflow in the 1640 &man.semop.2; system call has been closed.
&merged;</para> 1641 1642 <para>A security hole in <application>OpenSSH</application>, which 1643 could allow users to execute code with arbitrary privileges if 1644 <literal>UseLogin yes</literal> was set, has been closed. Note 1645 that the default value of this setting is 1646 <literal>UseLogin no</literal>. (See security advisory 1647 FreeBSD-SA-01:63.) &merged;</para> 1648 1649 <para>The use of an insecure temporary directory by 1650 &man.pkg.add.1; could permit a local attacker to modify the 1651 contents of binary packages while they were being installed. 1652 This hole has been closed. (See security advisory 1653 FreeBSD-SA-02:01.) &merged;</para> 1654 1655 <para>A race condition in &man.pw.8;, which could expose the 1656 contents of <filename>/etc/master.passwd</filename>, has been 1657 eliminated. (See security advisory FreeBSD-SA-02:02.) 1658 &merged;</para> 1659 1660 <para>A bug in &man.k5su.8; could have allowed a process that had 1661 given up superuser privileges to regain them. This bug has been 1662 fixed. (See security advisory FreeBSD-SA-02:07.) 1663 &merged;</para> 1664 1665 <para>An <quote>off-by-one</quote> bug has been fixed in 1666 <application>OpenSSH</application>'s multiplexing code. This bug 1667 could have allowed an authenticated remote user to cause 1668 &man.sshd.8; to execute arbitrary code with superuser 1669 privileges, or allowed a malicious SSH server to execute arbitrary 1670 code on the client system with the privileges of the client user. (See security 1671 advisory <ulink 1672 url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:13.openssh.asc">FreeBSD-SA-02:13</ulink>.) 1673 &merged;</para> 1674 1675 <para>A programming error in <application>zlib</application> could 1676 result in attempts to free memory multiple times. 
The 1677 &man.malloc.3;/&man.free.3; routines used in &os; are not 1678 vulnerable to this error, but applications receiving 1679 specially-crafted blocks of invalid compressed data could 1680 be made to function incorrectly or abort. This 1681 <application>zlib</application> bug has been fixed. For a 1682 workaround and solutions, see security advisory <ulink 1683 url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:18.zlib.asc">FreeBSD-SA-02:18</ulink>. 1684 &merged;</para> 1685 1686 <para>Bugs in the TCP SYN cache (<quote>syncache</quote>) and SYN 1687 cookie (<quote>syncookie</quote>) implementations, which could 1688 cause legitimate TCP/IP traffic to crash a machine, have been 1689 fixed. For a workaround and patches, see security advisory 1690 <ulink 1691 url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:20.syncache.asc">FreeBSD-SA-02:20</ulink>. 1692 &merged;</para> 1693 1694 <para>A routing table memory leak, which could allow a remote 1695 attacker to exhaust the memory of a target machine, has been 1696 fixed. A workaround and patches can be found in security 1697 advisory <ulink 1698 url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:21.tcpip.asc">FreeBSD-SA-02:21</ulink>. 1699 &merged;</para> 1700 1701 </sect2> 1702 <sect2 id="userland"> 1703 <title>Userland Changes</title> 1704 1705 <para>If the first argument to &man.ancontrol.8; or 1706 &man.wicontrol.8; doesn't start with a <literal>-</literal>, it 1707 is assumed to be an interface.</para> 1708 1709 <para>&man.apmd.8; now has the ability to monitor battery levels 1710 and execute commands based on percentage or minutes of battery 1711 life remaining via the <literal>apm_battery</literal> 1712 configuration directive. See the commented-out examples in 1713 <filename>/etc/apmd.conf</filename> for the 1714 syntax. &merged;</para> 1715 1716 <para>&man.arp.8; now prints the applicable interface name for 1717 each ARP entry. 
&merged;</para> 1718 1719 <para>&man.arp.8; now prints <literal>[fddi]</literal> or 1720 <literal>[atm]</literal> tags for addresses on interfaces of 1721 those types.</para> 1722 1723 <para>&man.atacontrol.8; has been added to control various aspects 1724 of the &man.ata.4; driver. &merged;</para> 1725 1726 <para arch="sparc64">The system &man.awk.1; refers to 1727 <application>BWK awk</application> on the &arch; platform. It 1728 remains <application>GNU awk</application> on other 1729 platforms.</para> 1730 1731 <para arch="i386">&man.boot98cfg.8;, a PC-98 boot manager 1732 installation and configuration utility, has been 1733 added. &merged;</para> 1734 1735 <para>&man.burncd.8; now supports a <option>-m</option> option for 1736 multisession mode (the default behavior now is to close disks as 1737 single-session). A <option>-l</option> option to take a list of 1738 image files from a filename was also added; 1739 <filename>-</filename> can be used as a filename for 1740 <literal>stdin</literal>. &merged;</para> 1741 1742 <para>&man.burncd.8; now supports Disk At Once (DAO) mode, 1743 selectable via the <option>-d</option> flag.</para> 1744 1745 <para>&man.burncd.8; now has the ability to write VCDs/SVCDs.</para> 1746 1747 <para>&man.c89.1; has been converted from a shell script to a 1748 binary executable, fixing some minor bugs. &merged;</para> 1749 1750 <para arch="i386">A minimalized version of &man.camcontrol.8; is 1751 now available on the installation floppy. This allows it to 1752 rescan for devices that have been connected after booting, or to 1753 show the devices attached to SCSI busses (e. g. from within the 1754 <quote>emergency holographic shell</quote>). &merged;</para> 1755 1756 <para>&man.cat.1; now has the ability to read from UNIX-domain 1757 sockets. 
&merged;</para> 1758 1759 <para>&man.cdcontrol.1; now supports a <literal>cdid</literal> 1760 command, which calculates and displays the CD serial number, 1761 using the same algorithm used by the CDDB 1762 database. &merged;</para> 1763 1764 <para>&man.cdcontrol.1; now uses the <envar>CDROM</envar> 1765 environment variable to pick a default device. &merged;</para> 1766 1767 <para>&man.cdcontrol.1; now supports <literal>next</literal> and 1768 <literal>prev</literal> commands to skip forwards or backwards a 1769 specified number of tracks while playing an audio 1770 CD. &merged;</para> 1771 1772 <para>&man.chflags.1; has moved from <filename>/usr/bin</filename> 1773 to <filename>/bin</filename>.</para> 1774 1775 <para>&man.chio.1; now has the ability to specify elements by 1776 volume tag instead of by their physical location as well as the 1777 ability to return an element to its previous 1778 location. &merged;</para> 1779 1780 <para>&man.chmod.1; now supports a <option>-h</option> for 1781 changing the mode of a symbolic link.</para> 1782 1783 <para>&man.chown.8; now correctly follows symbolic links named as 1784 command line arguments if run without 1785 <option>-R</option>. &merged;</para> 1786 1787 <para>&man.chown.8; no longer takes <literal>.</literal> as a 1788 user/group delimiter. This change was made to support usernames 1789 containing a <literal>.</literal>.</para> 1790 1791 <para>Use of the <literal>CMSG_*</literal> macros no longer 1792 requires inclusion of 1793 <filename>&lt;sys/param.h&gt;</filename>.</para> 1794 1795 <para>&man.col.1; now takes a <option>-p</option> flag to force 1796 unknown control sequences to be passed through 1797 unchanged. &merged;</para> 1798 1799 <para>The <filename>compat3x</filename> distribution has been 1800 updated to include libraries present in &os; 1801 3.5.1-RELEASE.
&merged;</para> 1802 1803 <para>A <filename>compat4x</filename> distribution has been added 1804 for compatibility with &os; 4-STABLE.</para> 1805 1806 <para>&man.config.8; is now better about converting various 1807 warnings that should have been errors into actual fatal errors 1808 with an exit code. This ensures that <literal>make 1809 buildkernel</literal> doesn't quietly ignore them and build a 1810 bogus kernel without a human to read the errors. &merged;</para> 1811 1812 <para>A number of buffer overflows in &man.config.8; have been 1813 fixed. &merged;</para> 1814 1815 <para>&man.ctags.1; no longer creates a corrupt tags file if the 1816 source file used <literal>//</literal> (C++-style) 1817 comments. &merged;</para> 1818 1819 <para>The &man.daemon.8; program, a command-line interface to 1820 &man.daemon.3;, has been added. It detaches itself from its 1821 controlling terminal and executes a program specified on the 1822 command line. This allows the user to run an arbitrary program 1823 as if it were written to be a daemon.</para> 1824 1825 <para>devinfo, a simple tool to print the device tree and resource 1826 usage by devices, has been added.</para> 1827 1828 <para>&man.df.1; now takes a <option>-l</option> option to only 1829 display information about locally-mounted 1830 filesystems. &merged;</para> 1831 1832 <para>&man.disklabel.8; now supports partition sizes expressed in 1833 kilobytes, megabytes, or gigabytes, in addition to 1834 sectors. &merged;</para> 1835 1836 <para>&man.diskpart.8; has been declared obsolete, and has been 1837 removed.</para> 1838 1839 <para>&man.dmesg.8; now has a <option>-a</option> option to show 1840 the entire message buffer, including &man.syslogd.8; records and 1841 <filename>/dev/console</filename> output. &merged;</para> 1842 1843 <para>&man.du.1; now takes a <option>-I</option> command-line flag 1844 to ignore/skip files and subdirectories matching a specified 1845 shell-glob mask. 
&merged;</para> 1846 1847 <para>&man.dump.8; now supports inheritance of the 1848 <literal>nodump</literal> flag down a hierarchy. &merged;</para> 1849 1850 <para>The <option>-T</option> option to &man.dump.8; no longer 1851 swallows an extra argument. &merged;</para> 1852 1853 <para>&man.dump.8; has a new <option>-D</option> option, allowing 1854 the path to the <filename>/etc/dumpdates</filename> file to be 1855 changed. &merged;</para> 1856 1857 <para>&man.dump.8; now supplies progress information in its 1858 process title, useful for monitoring automated 1859 backups. &merged;</para> 1860 1861 <para>&man.dump.8; now supports a new <option>-S</option> to allow 1862 it to just print out the dump size estimates and exit.</para> 1863 1864 <para>&man.edquota.8; now takes a <option>-f</option> option to 1865 allow limiting the prototype quota distribution (specified with 1866 <option>-p</option>) to a single filesystem. &merged;</para> 1867 1868 <para><filename>/etc/rc.firewall</filename> and 1869 <filename>/etc/rc.firewall6</filename> will no longer add their own 1870 hardcoded rules in the cases of a rules file in the 1871 <varname>firewall_type</varname> variable or a non-existent 1872 firewall type. (The motivation for this change is to avoid 1873 acting on assumptions about a site's firewall policies.) In 1874 addition, the <literal>closed</literal> firewall type now works 1875 as documented in the &man.rc.firewall.8; manual page. &merged;</para> 1876 1877 <para>The functionality of <filename>/etc/security</filename> has 1878 been moved into a set of scripts under the &man.periodic.8; 1879 framework, to make local customization easier and more 1880 maintainable. These scripts now reside in 1881 <filename>/etc/periodic/security/</filename>.
&merged;</para> 1882 1883 <para>&man.fbtab.5; now accepts glob matching patterns for target 1884 devices, not just individual devices and directories.</para> 1885 1886 <para arch="i386">&man.fdisk.8; no longer attempts to search for a 1887 device if none has been specified on the command line, but 1888 instead tries to figure out the default device name from the 1889 root device.</para> 1890 1891 <para>&man.fdread.1;, a program to read data from floppy disks, 1892 has been added. It is a counterpart to &man.fdwrite.1; and is 1893 designed to provide a means of recovering at least some data 1894 from bad media, and to obviate the need for a complex invocation of 1895 &man.dd.1;.</para> 1896 1897 <para>&man.find.1; now takes the <option>-empty</option> flag, 1898 which returns true if a file or directory is 1899 empty. &merged;</para> 1900 1901 <para>&man.find.1; now takes the <option>-iname</option> and 1902 <option>-ipath</option> primaries for case-insensitive matches, 1903 and the <option>-regexp</option> and <option>-iregexp</option> 1904 primaries for regular-expression matches. The 1905 <option>-E</option> flag now enables extended regular 1906 expressions. &merged;</para> 1907 1908 <para>&man.find.1; now has the <option>-anewer</option>, 1909 <option>-cnewer</option>, <option>-mnewer</option>, 1910 <option>-okdir</option>, and <option>-newer[acm][acmt]</option> 1911 primaries for comparisons of file timestamps. The latter 1912 primaries can be specified with various units of 1913 time. &merged;</para> 1914 1915 <para>&man.finger.1; now has the ability to support fingering 1916 aliases, via the &man.finger.conf.5; file. &merged;</para> 1917 1918 <para>&man.finger.1; now has support for a 1919 <filename>.pubkey</filename> file.</para> 1920 1921 <para>&man.fmt.1; has been rewritten; the rewrite fixes a number 1922 of bugs compared to its prior behavior.
&merged;</para> 1923 1924 <para>&man.fmtcheck.3;, a function for checking consistency of 1925 format string arguments, has been added. &merged;</para> 1926 1927 <para>&man.fsck.8; wrappers have been imported; this feature 1928 provides infrastructure for &man.fsck.8; to work on different 1929 types of filesystems (analogous to &man.mount.8;).</para> 1930 1931 <para>The behavior of &man.fsck.8; when dealing with various 1932 passes (a la <filename>/etc/fstab</filename>) has been modified 1933 to accommodate multiple-disk filesystems.</para> 1934 1935 <para>&man.fsck.8; now has support for foreground 1936 (<option>-F</option>) and background (<option>-B</option>) 1937 checks. Traditionally, &man.fsck.8; is invoked before the 1938 filesystems are mounted and all checks are done to completion at 1939 that time. If background checking is available, &man.fsck.8; is 1940 invoked twice. It is first invoked at the traditional time, 1941 before the filesystems are mounted, with the <option>-F</option> 1942 flag to do checking on all the filesystems that cannot do 1943 background checking. It is then invoked a second time, after 1944 the system has completed going multiuser, with the 1945 <option>-B</option> flag to do checking on all the filesystems 1946 that can do background checking. Unlike the foreground 1947 checking, the background checking is started asynchronously so 1948 that other system activity can proceed even on the filesystems 1949 that are being checked. Boot-time enabling of this feature is 1950 controlled by the 1951 <varname>background_fsck</varname> option in &man.rc.conf.5;.</para> 1952 1953 <para>Shortly after the receipt of a <literal>SIGINFO</literal> 1954 signal (normally control-T from the controlling tty), 1955 &man.fsck.ffs.8; will now output a line indicating the current 1956 phase number and progress information relevant to the current 1957 phase. 
&merged;</para> 1958 1959 <para>&man.fsck.ffs.8; now supports background filesystem checks 1960 to mounted FFS filesystems with the <option>-B</option> option 1961 (softupdates must be enabled on these filesystems). The 1962 <option>-F</option> flag now determines whether a specified 1963 filesystem needs foreground checking.</para> 1964 1965 <para>A new &man.fsck.msdosfs.8; utility has been added to check 1966 the consistency of MS-DOS filesystems. &merged;</para> 1967 1968 <para>&man.ftpd.8; now supports a <option>-r</option> flag for 1969 read-only mode and a <option>-E</option> flag to disable 1970 <literal>EPSV</literal>. It also has some fixes to reduce 1971 information leakage and the ability to specify compile-time port 1972 ranges. &merged;</para> 1973 1974 <para>&man.ftpd.8; now supports <option>-o</option> and 1975 <option>-O</option> options to disable the 1976 <literal>RETR</literal> command; the former for everybody, and 1977 the latter only for guest users. Coupled with 1978 <option>-A</option> and appropriate file permissions, these can 1979 be used to create a relatively safe anonymous FTP drop box for 1980 others to upload to.</para> 1981 1982 <para arch="i386">&man.gdb.1; now supports hardware watchpoints (using the 1983 kernel's debug register support that has been introduced in 1984 &os; 4.0). &merged;</para> 1985 1986 <para>The &man.getprogname.3; and &man.setprogname.3; library 1987 functions have been added to manipulate the name of the current 1988 program. They are used by error-reporting routines to produce 1989 consistent output. &merged;</para> 1990 1991 <para>&man.gprof.1; now has a <option>-K</option> option to enable 1992 dynamic symbol resolution from the currently-running kernel. 1993 With this change, properly-compiled KLD modules are now able to 1994 be profiled.</para> 1995 1996 <para>&man.growfs.8;, a utility for growing FFS filesystems, has 1997 been added.
&man.ffsinfo.8;, a utility for dumping all the 1998 meta-information of an existing filesystem, has also been 1999 added. &merged;</para> 2000 2001 <para>The &man.groups.1; and &man.whoami.1; shell scripts are now 2002 unnecessary; their functionality has been completely folded into 2003 &man.id.1;. &merged;</para> 2004 2005 <para>The &man.ibcs2.8;, &man.linux.8;, &man.osf1.8;, and 2006 &man.svr4.8; scripts, whose sole purpose was to load emulation 2007 kernel modules, have been removed. The kernel module system 2008 will automatically load them as needed to fulfill 2009 dependencies.</para> 2010 2011 <para>&man.indent.1; has gained some new formatting 2012 options. &merged;</para> 2013 2014 <para>&man.ifconfig.8; can set the link-layer address of 2015 an interface using the <option>link</option> parameter. 2016 &merged;</para> 2017 2018 <para>&man.ifconfig.8; can now accept addresses in slash/CIDR 2019 notation. &merged;</para> 2020 2021 <para>&man.ifconfig.8; now has support for setting parameters for 2022 IEEE 802.11 wireless network devices. &man.wi.4; and &man.an.4; 2023 devices are supported, and partial support is provided for 2024 &man.awi.4; devices. &merged;</para> 2025 2026 <para>&man.ifconfig.8; no longer displays the list of supported 2027 media by default. Instead it displays it when the 2028 <option>-m</option> flag is given. &merged;</para> 2029 2030 <para>The syntax of &man.inetd.8;'s support for &man.faithd.8; is 2031 now compatible with that of other BSDs. &merged;</para> 2032 2033 <para>The <literal>ident</literal> protocol support in 2034 &man.inetd.8; has been cleaned up and updated. &merged;</para> 2035 2036 <para>&man.inetd.8; now has the ability to manage UNIX-domain 2037 sockets.
&merged;</para> 2038 2039 <para>&man.install.1; has a number of new features, including the 2040 <option>-b</option> and <option>-B</option> options for backing up 2041 existing target files and the <option>-S</option> option for 2042 <quote>safe</quote> (atomic copy) operation. The 2043 <option>-c</option> (copy) flag is now the default, and the 2044 <option>-D</option> (debugging) flag has been withdrawn. 2045 &man.install.1; now issues a warning if <option>-d</option> 2046 (create directories) and <option>-C</option> (copy changed files 2047 only) are used together. &merged;</para> 2048 2049 <para>IP Filter is now supported by the &man.rc.conf.5; boot-time 2050 configuration and initialization. &merged;</para> 2051 2052 <para>&man.ipfstat.8; now supports the <option>-t</option> option 2053 to turn on a &man.top.1;-like display. &merged;</para> 2054 2055 <para>&man.ipfw.8; will now avoid the display of dynamic firewall 2056 rules unless the <option>-d</option> flag is passed to it. The 2057 <option>-e</option> option lists expired dynamic 2058 rules. &merged;</para> 2059 2060 <para>&man.ipfw.8; has a new feature (<literal>me</literal>) that 2061 allows for packet matching on interfaces with 2062 dynamically-changing IP addresses. &merged;</para> 2063 2064 <para>&man.ipfw.8; has a new <literal>limit</literal> type of 2065 firewall rule, which limits the number of sessions between 2066 address pairs. &merged;</para> 2067 2068 <para>&man.ipfw.8; filter rules can now match on the value of the 2069 IPv4 precedence field.</para> 2070 2071 <para>&man.ip6fw.8; now has the ability to use a preprocessor and 2072 use the <option>-q</option> (quiet) flag when reading from a 2073 file. &merged;</para> 2074 2075 <para>&man.kenv.1;, a command to dump the kernel environment, has 2076 been added. &merged;</para> 2077 2078 <para>&man.keyinfo.1; is now a C program, rather than a Perl 2079 script. 
&merged;</para> 2080 2081 <para>&man.killall.1; is now a C program, rather than a Perl 2082 script. As a result, its <option>-m</option> option now uses 2083 the regular expression syntax of &man.regex.3;, rather than that 2084 of &man.perl.1;. &merged;</para> 2085 2086 <para>&man.killall.1; now allows non-root users to kill SUID root 2087 processes that they started, the same as the Perl version 2088 did. &merged;</para> 2089 2090 <para>The &man.kldconfig.8; utility has been added to make it 2091 easier to manipulate the kernel module search 2092 path. &merged;</para> 2093 2094 <para>ktrdump, a utility to dump the ktr trace buffer from 2095 userland, has been added.</para> 2096 2097 <para>&man.last.1; now implements a <option>-d</option> that 2098 provides a <quote>snapshot</quote> of who was logged in at a 2099 particular date and time. &merged;</para> 2100 2101 <para>&man.last.1; now supports a <option>-y</option> flag, which 2102 causes the year to be included in the session start time.</para> 2103 2104 <para>The &man.lastlogin.8; utility, which prints the last login 2105 time of each user, has been imported from 2106 NetBSD. &merged;</para> 2107 2108 <para>&man.ldconfig.8; now checks directory ownerships and 2109 permissions for greater security; these checks can be disabled 2110 with the <option>-i</option> flag. &merged;</para> 2111 2112 <para>&man.ldd.1; can now be used on shared libraries, in addition 2113 to executables. &merged;</para> 2114 2115 <para>&man.ldd.1; now supports a <option>-a</option> flag to list 2116 all the objects that are needed by each loaded object.</para> 2117 2118 <para><filename>libc</filename> is now thread-safe by default; 2119 <filename>libc_r</filename> contains only thread 2120 functions.</para> 2121 2122 <para><filename>libcrypt</filename> and 2123 <filename>libdescrypt</filename> have been unified to provide a 2124 configurable password authentication hash library. 
Both the md5 2125 and des hash methods are provided unless the des hash is 2126 specifically compiled out. &merged;</para> 2127 2128 <para><filename>libcrypt</filename> now has support for Blowfish 2129 password hashing. &merged;</para> 2130 2131 <para arch="i386"><filename>libdisk</filename> can now do 2132 install-time configuration of the <filename>boot0</filename> 2133 boot loader. &merged;</para> 2134 2135 <para><filename>libstand</filename> now has support for 2136 filesystems containing 2137 <application>bzip2</application>-compressed 2138 files. &merged;</para> 2139 2140 <para><filename>libstand</filename> now has support for 2141 overwriting the contents of a file on a UFS filesystem (it 2142 cannot expand or truncate files because the filesystem may be 2143 dirty or inconsistent).</para> 2144 2145 <para><filename>libstand</filename> now has support for loading 2146 large kernels and modules split across several physical 2147 media. &merged;</para> 2148 2149 <para>The default TCP port range used by 2150 <filename>libfetch</filename> for passive FTP retrievals has 2151 changed; this affects the behavior of &man.fetch.1;, which has 2152 gained the <option>-U</option> option to restore the old 2153 behavior. &merged;</para> 2154 2155 <para><filename>libfetch</filename> now has support for an 2156 authentication callback. &merged;</para> 2157 2158 <para><filename>libfetch</filename> now has support for a 2159 <envar>HTTP_USER_AGENT</envar> environment 2160 variable. &merged;</para> 2161 2162 <para><filename>libgmp</filename> has been superseded by 2163 <filename>libmp</filename>.</para> 2164 2165 <para>The functions from <filename>libposix1e</filename> have been 2166 integrated into <filename>libc</filename>.</para> 2167 2168 <para><filename>libusb</filename> has been renamed as 2169 <filename>libusbhid</filename>, following NetBSD's naming 2170 conventions.
      &merged;</para>

    <para>&man.ln.1; now takes an <option>-i</option> option to
      request user confirmation before overwriting an existing
      file. &merged;</para>

    <para>&man.ln.1; now takes a <option>-h</option> flag to avoid
      following a target that is a link, with a <option>-n</option>
      flag for compatibility with other
      implementations. &merged;</para>

    <para>&man.logger.1; can now send messages directly to a remote
      syslog. &merged;</para>

    <para>&man.login.1; now exports environment variables set by
      <application>PAM</application> modules. &merged;</para>

    <para>&man.lpc.8; has been improved; <command>lpc clean</command>
      is now somewhat safer, and a new <command>lpc tclean</command>
      command has been added to check to see what files would be
      removed by <command>lpc clean</command>. &merged;</para>

    <para>&man.lpd.8; now takes two new options: <option>-c</option>
      will log all connection errors to &man.syslogd.8;, while
      <option>-W</option> will allow connections from non-reserved
      ports. &merged;</para>

    <para>&man.lpd.8; now has some support for
      <literal>o</literal>-type print-file actions in its control
      files, which allows printing of PostScript files generated by
      <application>MacOS</application> 10.1. &merged;</para>

    <para>&man.lpr.1;, &man.lpq.1;, and &man.lpd.8; have received a
      few minor enhancements. &merged;</para>

    <para>Catching up with most other network utilities in the base
      system, &man.lpr.1;, &man.lpd.8;, &man.syslogd.8;, and
      &man.logger.1; are now all IPv6-capable. &merged;</para>

    <para><command>lprm -</command> now works for remote printer
      queues. &merged;</para>

    <para>&man.ls.1; can produce colorized listings with the
      <option>-G</option> flag (and appropriate terminal support).
      The <envar>CLICOLOR</envar> environment variable can be set to
      enable colorized listings by default. &merged;</para>

    <para>&man.mail.1; now takes a <option>-E</option> flag to avoid
      sending messages with empty bodies. &merged;</para>

    <para>&man.make.1; has gained the <literal>:C///</literal>
      (regular expression substitution), <literal>:L</literal>
      (lowercase), and <literal>:U</literal> (uppercase) variable
      modifiers. These were added to reduce the differences between
      the &os; and OpenBSD/NetBSD &man.make.1; programs.
      &merged;</para>

    <para>Bugs in &man.make.1;, including broken null suffix
      behavior, bad assumptions about current directory permissions,
      and potential buffer overflows, have been fixed. &merged;</para>

    <para>The new <varname>CPUTYPE</varname>
      <filename>make.conf</filename> variable controls the compilation
      of processor-specific optimizations in various pieces of code
      such as <application>OpenSSL</application>. &merged;</para>

    <para>The &os; <filename>Makefile</filename> infrastructure now
      supports the <varname>WARNS</varname> directive from NetBSD.
      This directive controls the addition of compiler warning flags
      to <varname>CFLAGS</varname> in a relatively compiler-neutral
      manner. &merged;</para>

    <para>&man.man.1; is no longer installed SUID
      <username>man</username>, in order to reduce vulnerabilities
      associated with generating <quote>catpages</quote> (preformatted
      manual pages cached for repeated viewing). As a result,
      &man.man.1; can no longer create system catpages on a regular
      user's behalf. It is still able to do so if the user has write
      permissions to the directory holding catpages (e.g.
      a user's own
      manpages) or if the running user is
      <username>root</username>.</para>

    <para>The &man.mdmfs.8; command has been added; it is a wrapper
      around &man.mdconfig.8;, &man.disklabel.8;, &man.newfs.8;, and
      &man.mount.8; that mimics the command line option set of the
      deprecated &man.mount.mfs.8;.</para>

    <para>&man.mergemaster.8; now sources an
      <filename>/etc/mergemaster.rc</filename> file and also prompts
      the user to run recommended commands (such as
      <command>newaliases</command>) as needed. &merged;</para>

    <para>&man.moused.8; now takes a <option>-a</option> option to
      control mouse acceleration. &merged;</para>

    <para>&man.mtree.8; now includes support for a file that lists
      pathnames to be excluded when creating and verifying prototypes.
      This makes it easier to use &man.mtree.8; as a part of an
      intrusion-detection system. &merged;</para>

    <para>&man.natd.8; now supports a
      <option>-log_ipfw_denied</option> option to log packets that
      cannot be re-injected because they are blocked by &man.ipfw.8;
      rules. &merged;</para>

    <para>The <quote>in use</quote> percentage metric displayed by
      &man.netstat.1; now really reflects the percentage of network
      mbufs used. &merged;</para>

    <para>&man.netstat.1; now has a <option>-W</option> flag that
      tells it not to truncate addresses, even if they're too long for
      the column they're printed in. &merged;</para>

    <para>&man.netstat.1; now keeps track of input and output packets
      on a per-address basis for each interface. &merged;</para>

    <para>&man.netstat.1; now has a <option>-z</option> flag to reset
      statistics. &merged;</para>

    <para>&man.netstat.1; now has a <option>-S</option> flag to print
      addresses numerically but port names symbolically.
      &merged;</para>

    <para>&man.newfs.8; now implements write combining, which can make
      creation of new filesystems up to seven times
      faster. &merged;</para>

    <para>&man.newfs.8; now takes a <option>-U</option> option to
      enable softupdates on a new filesystem. &merged;</para>

    <para>The default number of cylinders per group in &man.newfs.8;
      is now computed to be the maximum allowable given the current
      filesystem parameters. It can be overridden with the
      <option>-c</option> option. Formerly, the default was fixed at
      16. This change leads to better &man.fsck.8; performance and
      reduced fragmentation. &merged;</para>

    <para><anchor id="newfs-block-frag-sizes">The default block and
      fragment sizes for new filesystems created by &man.newfs.8; are
      now 16384 and 2048 bytes, respectively (the old defaults were
      8192 and 1024 bytes). This change generally provides increased
      performance, at the expense of some wasted disk
      space. &merged;</para>

    <para>A number of archaic features of &man.newfs.8; have been
      removed; these implement tuning features that are essentially
      useless on modern hard disks. These features were controlled by
      the <option>-O</option>, <option>-d</option>,
      <option>-k</option>, <option>-l</option>, <option>-n</option>,
      <option>-p</option>, <option>-r</option>, <option>-t</option>,
      and <option>-x</option> flags.</para>

    <para>&man.newsyslog.8; now has the ability to compress log files
      using &man.bzip2.1;. &merged;</para>

    <para><application>NFS</application> now works over IPv6.</para>

    <para>&man.ngctl.8; now supports a <option>write</option> command
      to send a data packet down a given hook. &merged;</para>

    <para>&man.nl.1;, a line numbering filter program, has been
      added.
      &merged;</para>

    <para><application>nsswitch</application> support has been merged
      from NetBSD. By creating an &man.nsswitch.conf.5; file, &os;
      can be configured so that various databases such as
      &man.passwd.5; and &man.group.5; can be looked up using flat
      files, NIS, or Hesiod. The old
      <filename>hosts.conf</filename> file is no longer used.</para>

    <para><application>PAM</application> support has been added for
      account management and sessions.</para>

    <para><application>PAM</application> configuration is now
      specified by files in <filename>/etc/pam.d/</filename>, rather
      than a single <filename>/etc/pam.conf</filename> file.
      <filename>/etc/pam.d/README</filename> has more details.</para>

    <para>A number of new <application>PAM</application>
      modules have been added.</para>

<!-- XXX List new PAM modules -->

    <para>&man.passwd.1; and &man.pw.8; now select the password hash
      algorithm at run time. See the <literal>passwd_format</literal>
      attribute in
      <filename>/etc/login.conf</filename>. &merged;</para>

    <para>&man.pax.1; has received a number of enhancements, including
      &man.cpio.1; functionality, &man.tar.1; compatibility
      enhancements, <option>-z</option> and <option>-Z</option> flags
      for &man.gzip.1; and &man.compress.1; functionality, and a
      number of bug fixes.</para>

    <para>&man.pciconf.8; now supports a <option>-v</option> option to
      display the vendor/device information of configured devices, in
      conjunction with the <option>-l</option> option. The default
      vendor/device database can be found at
      <filename>/usr/share/misc/pci_vendors</filename>. &merged;</para>

    <para>The behavior of &man.periodic.8; is now controlled by
      <filename>/etc/defaults/periodic.conf</filename> and
      <filename>/etc/periodic.conf</filename>.
      &merged;</para>

    <para>&man.ping.8; now supports a <option>-m</option> option to
      set the TTL of outgoing packets. &merged;</para>

    <para>&man.ping.8; now supports a <option>-A</option> option to
      beep when packets are lost. &merged;</para>

    <para>Userland &man.ppp.8; has received a number of updates and
      bug fixes. &merged;</para>

    <para>&man.ppp.8; has gained the <literal>tcpmssfixup</literal>
      option, which adjusts outgoing and incoming TCP SYN packets so
      that the maximum receive segment size is no larger than allowed
      by the interface MTU. &merged;</para>

    <para>&man.ppp.8; now supports IPv6.</para>

    <para>&man.pppd.8; (the control program for kernel-level PPP) is
      now installed mode <literal>4550</literal> and
      <username>root</username><literal>:</literal><groupname>dialer</groupname>,
      rather than mode <literal>4555</literal> (in other words, it is
      no longer world-executable). Users of &man.pppd.8; may need to
      change their group settings. &merged;</para>

    <para>The <option>-W</option> option to &man.ps.1; (to extract
      information from a specified swap device) has been useless for
      some time; it has been removed. &merged;</para>

    <para>&man.pwd.1; can now double as &man.realpath.1;, a program to
      resolve pathnames to their underlying physical
      paths. &merged;</para>

    <para>The pseudo-random number generator implemented by
      &man.rand.3; has been improved to provide less biased
      results.</para>

    <para>&man.rc.8; now has a framework for handling dependencies
      between &man.rc.conf.5; variables. &merged;</para>

    <para>&man.rc.8; now deletes all non-directory files in
      <filename>/var/run</filename> and
      <filename>/var/spool/lock</filename> at boot
      time.
      &merged;</para>

    <para>&man.rcmd.3; now supports the use of the
      <envar>RSH</envar> environment variable to specify a program to
      use other than &man.rsh.1; for remote execution. As a result,
      programs such as &man.dump.8; can use &man.ssh.1; for remote
      transport.</para>

    <para>&man.rdist.1; has been retired from the base system, but is
      still available from the &os; Ports Collection as
      <filename role="package">net/44bsd-rdist</filename>.</para>

    <para>The &man.resolver.3; in &os; now implements EDNS0 support,
      which will be necessary when working with IPv6 transport-ready
      resolvers/DNS servers. &merged;</para>

    <para>The &man.rfork.thread.3; library call has been added as a
      helper function to &man.rfork.2;. Using this function should
      avoid the need to implement complex stack swap
      code. &merged;</para>

    <para>The <option>-v</option> option to &man.rm.1; now displays
      the entire pathname of a file being removed.</para>

    <para>&man.route.8; is now more verbose when changing indirect
      routes, in the case of a gateway route that is the same route as
      the one being modified. &merged;</para>

    <para>&man.route.8; now uses
      <literal><replaceable>host</replaceable>/<replaceable>bits</replaceable></literal>
      syntax instead of
      <literal><replaceable>net</replaceable>/<replaceable>bits</replaceable></literal>
      syntax, for compatibility with &man.netstat.1;. &merged;</para>

    <para>&man.route.8; can now create <quote>proxy only</quote>
      published ARP entries. &merged;</para>

    <para>The &man.route.8; <option>add</option> command now supports
      the <option>-ifp</option> and <option>-ifa</option>
      modifiers.
      &merged;</para>

    <para>&man.rpcbind.8; has replaced &man.portmap.8;.</para>

    <para>&man.rpcgen.1; now uses <filename>/usr/bin/cpp</filename>
      (as on NetBSD), not
      <filename>/usr/libexec/cpp</filename>.</para>

    <para>&man.rpc.lockd.8; has been imported from NetBSD. This
      daemon provides support for servicing client NFS locks.</para>

    <para>The performance of the ELF dynamic linker &man.rtld.1; has
      been improved. &merged;</para>

    <para>RSA Security has waived all patent rights to the
      <application>RSA</application> algorithm. As a result, the
      native <application>OpenSSL</application> implementation of the
      RSA algorithm is now activated by default, and the <filename
      role="package">security/rsaref</filename> port and the
      <filename>librsaUSA</filename> and
      <filename>librsaINTL</filename> libraries are no longer required
      for USA and non-USA residents respectively. &merged;</para>

    <para>&man.rtld.1; will now print the names of all objects that
      cause each object to be loaded, if the
      <varname>LD_TRACE_LOADED_OBJECTS_ALL</varname> environment
      variable is defined.</para>

    <para>&man.savecore.8; now supports a <option>-k</option> option
      to prevent clearing a crash dump after saving it. It also
      attempts to avoid writing large stretches of zeros to crash dump
      files to save space and time. &merged;</para>

    <para>&man.savecore.8; now works correctly on machines with 2 GB
      or more of RAM. &merged;</para>

    <para>&man.sed.1; now takes a <option>-E</option> option for
      extended regular expression support. &merged;</para>

    <para>&man.send-pr.1; now takes a <option>-a</option> option to
      include a file into the <literal>Fix:</literal> section of a
      problem report.
      &merged;</para>

    <para>The &man.setfacl.1; and &man.getfacl.1; commands have been
      added to manage file system Access Control Lists.</para>

    <para>&man.setproctitle.3; has been moved from
      <filename>libutil</filename> to
      <filename>libc</filename>. &merged;</para>

    <para>&man.sh.1; now implements <command>test</command> as a
      built-in command for improved efficiency. &merged;</para>

    <para>&man.sh.1; no longer implements <command>printf</command> as
      a built-in command because it was considered less valuable
      compared to the other built-in commands (this functionality is,
      of course, still available through the &man.printf.1;
      executable).</para>

    <para>&man.sockstat.1; now has <option>-c</option> and
      <option>-l</option> flags for listing connected and listening
      sockets, respectively. &merged;</para>

    <para>&man.split.1; now has the ability to split a file longer
      than 2GB. &merged;</para>

    <para>In preparation for meeting SUSv2/POSIX
      <filename>&lt;sys/select.h&gt;</filename> requirements,
      <literal>struct selinfo</literal> and related functions have been
      moved to <filename>&lt;sys/selinfo.h&gt;</filename>.</para>

    <para>The &man.strnstr.3; and &man.strcasestr.3; variants of
      &man.strstr.3; have been implemented. &merged;</para>

    <para>&man.stty.1; now has support for an
      <literal>erase2</literal> control character, so that, for
      example, both the <keycap>Delete</keycap> and
      <keycap>Backspace</keycap> keys can be used to erase
      characters. &merged;</para>

    <para>&man.style.perl.7;, a style guide for Perl code in the &os;
      base system, has been added. &merged;</para>

    <para>&man.su.1; now uses <application>PAM</application> for
      authentication.</para>

    <para>Boot-time &man.syscons.4; configuration was moved to a
      machine-independent
      <filename>/etc/rc.syscons</filename>.
      &merged;</para>

    <para>&man.sysctl.8; now supports a <option>-N</option> option to
      print out variable names only. &merged;</para>

    <para>&man.sysctl.8; has replaced the <option>-A</option> and
      <option>-X</option> options with <option>-ao</option> and
      <option>-ax</option> respectively; the former options are now
      deprecated. The <option>-w</option> option is deprecated as
      well; it is not needed to determine the user's
      intentions. &merged;</para>

    <para>&man.sysctl.8; now supports a <option>-e</option> option to
      separate variable names and values by <literal>=</literal>
      rather than <literal>:</literal>. This feature is useful for
      producing output that can be fed back to
      &man.sysctl.8;. &merged;</para>

    <para>&man.sysinstall.8; now properly preserves
      <filename>/etc/mail</filename> during a binary
      upgrade. &merged;</para>

    <para>&man.sysinstall.8; now uses some more intuitive defaults
      thanks to some new dialog support functions. &merged;</para>

    <para>The default root partition in &man.sysinstall.8; is now
      100MB on the i386 and 120MB on the Alpha.</para>

    <para>&man.sysinstall.8; now lives in
      <filename>/usr/sbin</filename>, which simplifies the
      installation process. The &man.sysinstall.8; manpage is also
      installed in a more consistent fashion now.</para>

    <para>&man.sysinstall.8; now has the ability to load KLDs as a
      part of the installation. &merged;</para>

    <para>When run from the installation media, &man.sysinstall.8;
      will automatically load any device drivers found in the
      <filename>/stand/modules</filename> directory of the
      <literal>mfsroot</literal> floppy or filesystem image. Note
      that any drivers so loaded will not appear in the kernel's boot
      messages; the &man.sysinstall.8; debugging screen will provide
      additional information.
      &merged;</para>

    <para>&man.sysinstall.8; now enables Soft Updates by default on
      all filesystems it creates, except for the root
      filesystem. &merged;</para>

    <para>&man.sysinstall.8; has received updates for its
      <quote>auto</quote> partitioning mode which provide more
      reasonable defaults for the sizes of partitions that are
      created; auto-sized partitions can now also recover the space
      that becomes available when other partitions are
      deleted. &merged;</para>

    <para>&man.syslogd.8; can take a <option>-n</option> option to
      disable DNS queries for every request. &merged;</para>

    <para>&man.syslogd.8; now supports a
      <literal>LOG_CONSOLE</literal> facility (disabled by default),
      which can be used to log <filename>/dev/console</filename>
      output. &merged;</para>

    <para>&man.syslogd.8; now has the ability to bind to a specific
      address (as opposed to using every available one) via the
      <option>-b</option> option. &merged;</para>

    <para>&man.syslogd.8; now accepts a <option>-c</option> flag to
      disable repeated line compression. &merged;</para>

    <para>&man.tail.1; now has the ability to work on files longer
      than 2GB. &merged;</para>

    <para>&man.tar.1; now supports the <varname>TAR_RSH</varname>
      variable, principally to enable the use of &man.ssh.1; as a
      transport. &merged;</para>

    <para>&man.telnet.1; now does autologin and encryption by default;
      a new <option>-y</option> option turns off encryption.</para>

    <para>&man.telnet.1; now supports a <option>-u</option> flag to
      allow connections to UNIX-domain (<literal>AF_UNIX</literal>)
      sockets. &merged;</para>

    <para>&man.tftpd.8; now takes the <option>-c</option> and
      <option>-C</option> options, which allow the server to
      &man.chroot.2; based on the IP address of the connecting client.
      &man.tftp.1; and &man.tftpd.8; can now transfer files larger
      than 65535 blocks. &merged;</para>

    <para>&man.tftpd.8; now supports RFC 2349 (TFTP Timeout Interval
      and Transfer Size Options); this feature is required by some
      firmware like EFI boot managers (at least on HP i2000 Itanium
      servers) in order to boot an image using
      <application>TFTP</application>.</para>

    <para arch="alpha">&man.timed.8; now works on the alpha.</para>

    <para>A version of Transport Independent RPC
      (<application>TI-RPC</application>) has been imported.</para>

    <para>&man.tmpnam.3; will now use the <envar>TMPDIR</envar>
      environment variable, if set, to specify the location of
      temporary files. &merged;</para>

    <para>&man.tip.1; has been updated from
      <application>OpenBSD</application>, and has the ability to act
      as a &man.cu.1; substitute.</para>

    <para>&man.top.1; will now use the full width of its tty.</para>

    <para>&man.touch.1; now takes a <option>-h</option> option to
      operate on a symbolic link, rather than what the link points
      to.</para>

    <para>The &man.truncate.1; utility, which truncates or extends the
      length of files, has been added. &merged;</para>

    <para>Ukrainian language support has been added to the &os;
      console. &merged;</para>

    <para><application>UUCP</application> has been removed from the
      base system. It can be found in the Ports Collection, in
      <filename role="package">net/freebsd-uucp</filename>.</para>

    <para>&man.units.1; has received some updates and
      bugfixes. &merged;</para>

    <para>&man.usbdevs.8; now supports a <option>-d</option> flag to
      show the device driver associated with each device.</para>

    <para>The &man.usbhidctl.1; utility has been added to manipulate
      USB Human Interface Devices.
      &merged;</para>

    <para>&man.uudecode.1; now accepts a <option>-o</option> option to
      set its output file.</para>

    <para>&man.vidcontrol.1; now accepts a <option>-g</option>
      parameter to select custom text geometry in the
      <literal>VESA_800x600</literal> raster text mode. &merged;</para>

    <para>&man.vidcontrol.1; now allows the user to omit the font size
      specification when loading a font, and has some better
      error-handling. &merged;</para>

    <para>&man.vidcontrol.1; now supports a <option>-p</option> option
      to take a snapshot of a &man.syscons.4; video buffer. These
      snapshots can be manipulated by the
      <filename role="package">graphics/scr2png</filename> utility in
      the Ports Collection. &merged;</para>

    <para>&man.vidcontrol.1; now supports a <option>-C</option> option
      to clear the history buffer for a given tty, as well as a
      <option>-h</option> option to set the size of the history
      buffer. &merged;</para>

    <para>The default stripe size in &man.vinum.8; has been changed
      from 256KB to 279KB, to spread out superblocks more evenly
      between stripes.</para>

    <para>&man.wall.1; now supports a <option>-g</option> flag to
      write a message to all users of a given group. &merged;</para>

    <para>&man.watch.8; now takes a <option>-f</option> option to
      specify a &man.snp.4; device to use. &merged;</para>

    <para>&man.which.1; is now a C program, rather than a Perl
      script.</para>

    <para>&man.whois.1; now directs queries for IP addresses to ARIN.
      If a query to ARIN references APNIC or RIPE, the appropriate
      server will also be queried, provided that the
      <option>-Q</option> option is not specified. &merged;</para>

    <para>&man.whois.1; supports a <option>-c</option> option to
      specify a country code to help direct queries towards a
      particular whois server.
      &merged;</para>

    <para>&man.xargs.1; now supports a <option>-J</option>
      <replaceable>replstr</replaceable> option that allows the user
      to tell &man.xargs.1; to insert the data read from standard
      input at a specific point in the command line arguments rather
      than at the end. &merged;</para>

    <para>The compiler chain now uses the FSF-supplied C/C++ runtime
      initialization code. This change brings about better
      compatibility with code generated from the various egcs and gcc
      ports, as well as the stock public FSF source. &merged;</para>

    <para>The threads library has gained some signal handling changes,
      bug fixes, and performance enhancements (including zero system
      call thread switching). &man.gdb.1; thread support has been
      updated to match these changes. &merged;</para>

    <para>Significant additions have been made to internationalization
      support; &os; now has complete locale support for the
      <literal>LC_MONETARY</literal>, <literal>LC_NUMERIC</literal>,
      and <literal>LC_MESSAGES</literal> categories. A number of
      applications have been updated to take advantage of this
      support. &merged;</para>

    <para>Locale names have been changed to improve compatibility with
      the names used by X11R6, as well as a number of other UNIX
      versions. As an example, the
      <literal>en_US.ISO_8859-1</literal> locale name has been changed
      to
      <literal>en_US.ISO8859-1</literal>. Entries in
      <filename>/etc/locale.alias</filename> provide backward
      compatibility. &merged;</para>

    <para><filename>/usr/src/share/examples/BSD_daemon/</filename> now
      contains a scalable Beastie graphic. &merged;</para>

    <para>As part of an ongoing process, many manual pages were
      improved, both in terms of their formatting markup and in their
      content.
      &merged;</para>

    <sect3>
      <title>Contributed Software</title>

      <para><application>am-utils</application> has been updated to
        6.0.7.</para>

      <para>A 10 February 2002 snapshot of <application>awk</application> from Bell Labs (variously
        known as <quote>BWK awk</quote> or <quote>The One True
        AWK</quote>) has been imported. It is available as
        <command>awk</command> on the sparc64 architecture, and
        <command>nawk</command> on other architectures.</para>

      <para><application>bc</application> has been updated from 1.04 to
        1.06. &merged;</para>

      <para>The ISC library from the <application>BIND</application>
        distribution is now built as
        <filename>libisc</filename>. &merged;</para>

      <para><application>BIND</application> is now built with the
        <literal>NOADDITIONAL</literal> flag, which causes
        &man.named.8; to operate in a more consistent fashion for
        certain common misconfigurations. &merged;</para>

      <para><application>BIND</application> has been updated to
        8.3.1-REL. &merged;</para>

      <para><application>Binutils</application> has been updated to
        2.12.0.</para>

      <para><application>bzip2</application> 1.0.2 has been imported;
        this brings the &man.bzip2.1; program and the
        <filename>libbz2</filename> library to the base
        system. &merged;</para>

      <para>The &man.ee.1; <application>Easy Editor</application> has
        been updated to 1.4.2.
        &merged;</para>

      <para><application>file</application> has been updated to
        3.37.</para>

      <para><application>gcc</application> has been updated to
        a snapshot of the 2.95 development branch from 20 March 2002
        (this snapshot includes changes made after the release of
        <application>gcc</application> 2.95.3).</para>

      <para>&man.gcc.1; now uses a unified <filename>libgcc</filename>
        rather than a separate one for threaded and non-threaded
        programs. <filename>/usr/lib/libgcc_r.a</filename> can be
        removed. &merged;</para>

      <para>&man.gcc.1; now supports the environment variable
        <envar>GCC_OPTIONS</envar>, which can hold a set of default
        options for <application>GCC</application>. &merged;</para>

      <para><application>GNATS</application> has been updated to
        3.113. &merged;</para>

      <para><application>GNU awk</application> has been updated to
        3.1.0. It is available as <command>gawk</command> on the
        sparc64 architecture, and as <command>awk</command> on other
        architectures.</para>

      <para><application>gperf</application> has been updated to
        2.7.2.</para>

      <para><application>groff</application> and its related utilities
        have been updated to FSF version 1.17.2. This import brings
        in a new &man.mdoc.7; macro package (sometimes referred to as
        <literal>mdocNG</literal>), which removes many of the
        limitations of its predecessor. &merged;</para>

      <para><application>Heimdal</application> has been updated to
        0.3f.</para>

      <para>The version of <application>IPFilter</application>
        provided with &os; now includes the &man.ipfs.8; program,
        which allows state information created for NAT entries and
        stateful rules to be saved to disk and restored after a
        reboot. Boot-time configuration of these features is
        supported by &man.rc.conf.5;.
        &merged;</para>

      <para>The <application>ISC DHCP</application> client has been
        updated to 3.0.1RC8. &merged;</para>

      <para><application>Kerberos IV</application> has been updated to
        1.0.5. &merged;</para>

      <para>The &man.more.1; command has been replaced by
        &man.less.1;, although it can still be run as
        <command>more</command>. &merged; Version 371 of
        <application>less</application> has been imported.</para>

      <para><application>libpcap</application> has been updated to
        0.6.2. &merged;</para>

      <para><application>libreadline</application> has been updated to
        4.2.</para>

      <para><application>libz</application> has been updated to
        1.1.4.</para>

      <para><application>lint</application> has been updated to
        a snapshot of NetBSD &man.lint.1; as of 3 March 2002.</para>

      <para><application>lukemftp</application> (the FTP client from
        NetBSD) has replaced the &os; &man.ftp.1; program. Among its
        new features are more automation methods, better standards
        compliance, transfer rate throttling, and a customizable
        command-line prompt. Some environment variables and
        command-line arguments have changed.</para>

      <para>The FTP daemon from NetBSD, otherwise known as
        <application>lukemftpd</application>, has been imported and is
        available as &man.lukemftpd.8;.</para>

      <para><application>ncurses</application> has been updated to
        5.2-20010512.</para>

      <para>The <application>NTP</application> suite of programs has
        been updated to 4.1.0. &merged;</para>

      <para><application>OpenPAM</application>
        (<quote>Cineraria</quote> release) has been imported,
        replacing
        <application>Linux-PAM</application>.</para>

      <para>The <application>OPIE</application> one-time-password
        suite has been updated to 2.4.
        It has completely
        replaced the functionality of
        <application>S/Key</application>.</para>

      <para><application>Perl</application> has been updated to version
        5.6.1.</para>

      <para>&man.routed.8; has been updated to version
        2.22. &merged;</para>

      <para arch="i386">Version 1.4.3 of the
        <application>smbfs</application> userland utilities has been
        imported. &merged;</para>

      <para><application>tcpdump</application> has been updated to
        3.6.3. &merged;</para>

      <para>The &man.csh.1; shell has been replaced by &man.tcsh.1;,
        although it can still be run as <command>csh</command>.
        <application>tcsh</application> has been updated to version
        6.11. &merged;</para>

      <para>The contributed version of
        <application>tcp_wrappers</application> now includes the
        &man.tcpd.8; helper daemon. While not strictly necessary in a
        standard &os; installation (because &man.inetd.8; already
        incorporates this functionality), this may be useful for
        &man.inetd.8; replacements such as
        <application>xinetd</application>.</para>

      <para><application>texinfo</application> has been updated to
        4.1. &merged;</para>

      <para><application>top</application> has been updated to version
        3.5b12.</para>

      <para>&man.traceroute.8; now takes its default maximum TTL value
        from the <varname>net.inet.ip.ttl</varname> sysctl
        variable. &merged;</para>

      <para>The timezone database has been updated to the
        <filename>tzdata2002c</filename> release. &merged;</para>

      <sect4>
        <title>CVS</title>

        <para><application>cvs</application> has been updated to
          1.11.1p1. &merged;</para>

        <para>The default value for &man.cvs.1;'s
          <envar>CVS_RSH</envar> variable is now
          <literal>ssh</literal>, rather than
          <literal>rsh</literal>.
          &merged;</para>

        <para>&man.cvs.1; now supports a <option>-T</option> option to
          update a sandbox's <filename>CVS/Template</filename> file
          from the repository. &merged;</para>

        <para>&man.cvs.1; <literal>diff</literal> now supports the
          <option>-j</option> option to perform differences against a
          revision relative to a branch tag. &merged;</para>
      </sect4>

      <sect4>
        <title>CVSup</title>

        <para><application>CVSup</application>, a frequently used
          utility in the &os; Ports Collection, was formerly
          installable using several ports and packages. The
          <filename role="package">net/cvsup-bin</filename> and
          <filename role="package">net/cvsupd-bin</filename>
          ports/packages are no longer necessary or available; the
          <filename role="package">net/cvsup</filename> port should be
          used instead. &merged;</para>

        <para><application>CVSup</application> has been updated to
          16.1_3, which is available in the &os; Ports Collection as
          <filename role="package">net/cvsup</filename>. This update
          fixes a long-standing (but only recently encountered) bug
          which affects the timestamps on all files after Sun Sep 9
          01:46:40 UTC 2001 (1,000,000,000 seconds after the UNIX
          epoch). &merged;</para>
      </sect4>

      <sect4 id="kame-userland">
        <title>KAME</title>

        <para>The IPv6 stack is now based on the
          KAME Project's IPv6 snapshot as of 28 May, 2001. Most of
          the items listed in this section are a result of this
          import.
          <xref linkend="kame-kernel"> lists kernel updates to the
          KAME IPv6 stack. &merged;</para>

        <para>&man.faithd.8; now supports a configuration file for
          access control. &merged;</para>

        <para>&man.ifconfig.8; can now perform the functions of
          &man.gifconfig.8;. &merged;</para>

        <para>&man.ifconfig.8; can now perform the functions of
          &man.prefix.8;.
          &man.prefix.8; is now a shell script for
          partial backwards compatibility. &merged;</para>

        <para>&man.ndp.8; now implements garbage collection for stale
          NDP entries, as described in RFC 2461 (Neighbor Discovery
          for IP Version 6 (IPv6)). &merged;</para>

        <para>&man.pim6dd.8; and &man.pim6sd.8; have been removed due
          to restrictive licensing conditions. These programs are
          available in the ports collection as
          <filename role="package">net/pim6dd</filename> and
          <filename role="package">net/pim6sd</filename>. &merged;</para>

        <para>&man.route6d.8; now supports an <option>-n</option> flag
          to avoid updating the kernel forwarding
          table. &merged;</para>

        <para>The <option>-R</option> (router renumbering) option to
          &man.rtadvd.8; is currently ignored. &merged;</para>
      </sect4>

      <sect4>
        <title>OpenSSH</title>

        <para><application>OpenSSH</application> has been updated to
          2.9, which provides support for the SSH2 protocol (now the
          default) and DSA keys. &man.ssh-add.1; and
          &man.ssh-agent.1; can now handle DSA keys, with support for
          authentication forwarding.
          <application>OpenSSH</application> users in the USA no
          longer need to rely on the restrictively-licensed RSAREF
          toolkit which is required to handle RSA keys. Among other
          new features: A client and server for &man.sftp.1; have been added.
          &man.scp.1; can now handle files larger than 2 GBytes. A
          limit on the number of outstanding, unauthenticated
          connections in &man.sshd.8; has been added. Support has
          been added for the Rijndael encryption algorithm. Rekeying
          of existing sessions is now supported, and an experimental
          <application>SOCKS4</application> proxy has been added to
          &man.ssh.1;. &merged;</para>

        <para><application>OpenSSH</application> has been updated to
          version 3.1.
          Among the changes:
          <itemizedlist>
            <listitem>
              <para>The <filename>*2</filename> files are obsolete
                (for example,
                <filename>~/.ssh/known_hosts</filename> can hold the
                contents of
                <filename>~/.ssh/known_hosts2</filename>).</para>
            </listitem>
            <listitem>
              <para>&man.ssh-keygen.1; can import and export keys using
                the SECSH Public Key File Format, for key exchange
                with several commercial SSH implementations.</para>
            </listitem>
            <listitem>
              <para>&man.ssh-add.1; now adds all three default keys.</para>
            </listitem>
            <listitem>
              <para>&man.ssh-keygen.1; no longer defaults to a
                specific key type; one must be specified with the
                <option>-t</option> option.</para>
            </listitem>
          </itemizedlist>
        </para>

        <para><application>OpenSSH</application> can now authenticate
          using <application>OPIE</application> passwords.</para>

        <para><application>PAM</application> support for
          <application>OpenSSH</application> has been added.</para>

        <para>A long-standing bug in
          <application>OpenSSH</application>, which sometimes resulted
          in a dropped session when an X11-forwarded client was
          closed, was fixed.</para>

        <para><application>Kerberos</application> compatibility has
          been added to
          <application>OpenSSH</application>. &merged;</para>

        <para><application>OpenSSH</application> has been modified to
          be more resistant to traffic analysis by requiring that
          <quote>non-echoed</quote> characters are still echoed back
          in a null packet, as well as by padding passwords sent so as
          not to hint at password lengths. &merged;</para>

        <para>&man.sshd.8; is now enabled by default on new
          installs. &merged;</para>

        <para>&man.sshd.8; <literal>X11Forwarding</literal> is now
          turned on by default on the server (any risk is to the
          client, where it is already disabled by
          default).
          &merged;</para>

        <para>In <filename>/etc/ssh/sshd_config</filename>, the
          <literal>ConnectionsPerPeriod</literal> parameter has been
          deprecated in favor of
          <literal>MaxStartups</literal>. &merged;</para>

        <para><application>OpenSSH</application> now has a
          <literal>VersionAddendum</literal> configuration setting for
          &man.sshd.8; to allow changing the part of the
          <application>OpenSSH</application> version string after the
          main version number.</para>
      </sect4>

      <sect4>
        <title>OpenSSL</title>

        <para><application>OpenSSL</application> has been updated to
          0.9.6c.</para>

        <para><application>OpenSSL</application> now has support for
          machine-dependent ASM optimizations, activated by the new
          <varname>MACHINE_CPU</varname> and/or
          <varname>CPUTYPE</varname>
          <filename>make.conf</filename> variables. &merged;</para>
      </sect4>

      <sect4>
        <title>sendmail</title>

        <para><application>sendmail</application> has been updated
          from version 8.9.3 to version 8.12.3. Important changes
          include: &man.sendmail.8; is no longer installed as a
          set-user-ID root binary (now set-group-ID smmsp); new
          default file locations (see
          <filename>/usr/src/contrib/sendmail/cf/README</filename>);
          &man.newaliases.1; is limited to <username>root</username>
          and trusted users; STARTTLS encryption; and the MSA port
          (587) is turned on by default. See
          <filename>/usr/src/contrib/sendmail/RELEASE_NOTES</filename>
          for more information. &merged;</para>

        <para>&man.mail.local.8; is no longer installed as a
          set-user-ID binary. If you are using a
          <filename>/etc/mail/sendmail.cf</filename> from the default
          <filename>sendmail.cf</filename> included with &os; any time
          after 3.1.0, you are fine.
          If you are using a
          hand-configured <filename>sendmail.cf</filename> and
          <command>mail.local</command> for delivery, check to make sure the
          <literal>F=S</literal> flag is set on the
          <literal>Mlocal</literal> line. Those with
          <filename>.mc</filename> files who need to add the flag can
          do so by adding the following line to their
          <filename>.mc</filename> file and regenerating the
          <filename>sendmail.cf</filename> file:</para>

        <programlisting>MODIFY_MAILER_FLAGS(`LOCAL',`+S')dnl</programlisting>

        <para>Note that <literal>FEATURE(`local_lmtp')</literal> already
          does this. &merged;</para>

        <para>The default <filename>/etc/mail/sendmail.cf</filename>
          disables the SMTP <literal>EXPN</literal> and
          <literal>VRFY</literal> commands. &merged;</para>

        <para>&man.vacation.1; has been updated to use the version
          included with <application>sendmail</application>. &merged;</para>

        <para>The <application>sendmail</application> configuration
          building tools are installed in
          <filename>/usr/share/sendmail/cf/</filename>. &merged;</para>

        <para>New <filename>make.conf</filename> options:
          <varname>SENDMAIL_MC</varname> and
          <varname>SENDMAIL_ADDITIONAL_MC</varname>. See
          <filename>/usr/share/examples/etc/make.conf</filename> for more
          information. &merged;</para>

        <para><filename>/etc/mail/Makefile</filename> now supports:
          the new <varname>SENDMAIL_MC</varname>
          <filename>make.conf</filename> option; the ability to build
          <filename>.cf</filename> files from
          <filename>.mc</filename> files; generalized map rebuilding;
          rebuilding the aliases file; and the ability to stop, start,
          and restart
          <application>sendmail</application>. &merged;</para>

        <para>The <username>smmsp</username> and
          <username>mailnull</username> users have been added to
          <filename>/etc/master.passwd</filename>.
          In the absence of a
          <literal>confDEF_USER_ID</literal> setting, by default,
          <application>sendmail</application> will use the
          <username>mailnull</username> user for extra security.
          Previously, if the <username>mailnull</username> user did
          not exist, the <username>daemon</username> user was used.
          This change may generate some permissions issues when
          mailing to files or to programs (such as <filename
          role="package">mail/majordomo</filename>). &merged; The
          previous behavior can be restored by adding the following
          line to a system's
          <filename><replaceable>*</replaceable>.mc</filename>
          configuration file:

          <programlisting>define(`confDEF_USER_ID', `daemon')</programlisting>
        </para>

        <para>Beginning with the import of
          <application>sendmail</application> 8.12.2, multiple
          <application>sendmail</application> daemons (some required
          to handle outgoing mail) are started by &man.rc.8;, even if
          the <varname>sendmail_enable</varname> variable is set to
          <literal>NO</literal>. To completely disable
          <application>sendmail</application>,
          <varname>sendmail_enable</varname> must be set to
          <literal>NONE</literal>. Alternatively, for systems using a
          different MTA, the <varname>mta_start_script</varname> can
          be used to point to a different startup script (more details
          can be found in &man.rc.sendmail.8;). &merged;</para>

      </sect4>
    </sect3>

    <sect3>
      <title>Ports/Packages Collection</title>

      <para><application>BSDPAN</application>, a collection of modules
        that provides tighter integration of
        <application>Perl</application> into the &os; Ports
        Collection, has been added.</para>

      <para>&man.pkg.create.1; and &man.pkg.add.1; can now work with
        packages that have been compressed using
        &man.bzip2.1;.
        &man.pkg.add.1; will use the PACKAGEROOT
        environment variable to determine a mirror site for new
        packages. &merged;</para>

      <para>&man.pkg.create.1; now records dependencies in dependency
        order rather than in the order specified on the command line.
        This improves the functioning of <command>pkg_add
        -r</command>. &merged;</para>

      <para>&man.pkg.create.1; now supports a <option>-b</option> option to
        create a package file from a locally-installed
        package. &merged;</para>

      <para>When requested to delete multiple packages,
        &man.pkg.delete.1; will now attempt to remove them in
        dependency order rather than the order specified on the
        command line. &merged;</para>

      <para>&man.pkg.delete.1; now can perform glob/regexp matching of
        package names. In addition, it supports a <option>-a</option>
        option for removing all packages and a <option>-i</option>
        option for &man.rm.1;-style interactive
        confirmation. &merged;</para>

      <para>&man.pkg.delete.1; now supports a <option>-r</option>
        option for recursive package removal. &merged;</para>

      <para>&man.pkg.info.1; now supports globbing against names of
        installed packages. The <option>-G</option> option disables
        this behavior, and the <option>-x</option> option causes
        regular expression matching instead of shell
        globbing. &merged;</para>

      <para>&man.pkg.info.1; can now accept a <option>-g</option> flag
        for verifying an installed package against its recorded
        checksums (to see if it's been modified post-installation).
        Naturally, this mechanism is only as secure as the contents of
        <filename>/var/db/pkg</filename> if it's to be used for auditing
        purposes. &merged;</para>

      <para>&man.pkg.sign.1; and &man.pkg.check.1; have been added to
        digitally sign and verify the signatures on binary package
        files.
        &merged;</para>

      <para>&man.pkg.update.1;, a utility to update installed packages
        and update their dependencies, has been added. &merged;</para>

      <para>&man.pkg.version.1; now has a version number comparison
        routine that corresponds to the Porters Handbook. It also has
        a <option>-t</option> option for testing address comparisons.
        &merged;</para>

      <para>&man.pkg.version.1; now takes a <option>-s</option> flag
        to limit its operation to ports/packages matching a given
        string. &merged;</para>

      <para>Version numbers of installed packages have a new
        (backward-compatible) syntax, which supports the
        <varname>PORTREVISION</varname> and
        <varname>PORTEPOCH</varname> variables in Ports Collection
        <filename>Makefile</filename>s. These changes help keep track
        of changes in the ports collection entries such as security
        patches or &os;-specific updates, which aren't reflected in
        the original, third-party software distributions.
        &man.pkg.version.1; can now compare these new-style version
        numbers. &merged;</para>

      <para>To improve performance and disk utilization, the
        <quote>ports skeletons</quote> in the &os; Ports Collection
        have been restructured. Installed ports and packages should
        not be affected. &merged;</para>

      <para>All packages and ports now contain an
        <quote>origin</quote> directive, which makes it easier for
        programs such as &man.pkg.version.1; to determine the
        directory from which a package was built. &merged;</para>
    </sect3>
  </sect2>
</sect1>

<sect1>
  <title>Upgrading from previous releases of &os;</title>

  <para>If you're upgrading from a previous release of &os;, you
    generally will have three options:

    <itemizedlist>
      <listitem>
        <para>Using the binary upgrade option of &man.sysinstall.8;.
          This option is perhaps the quickest, although it presumes
          that your installation of &os; uses no special compilation
          options.</para>
      </listitem>
      <listitem>
        <para>Performing a complete reinstall of &os;. Technically,
          this is not an upgrading method, and in any case is usually less
          convenient than a binary upgrade, in that it requires you to
          manually back up and restore the contents of
          <filename>/etc</filename>. However, it may be useful in
          cases where you want (or need) to change the partitioning of
          your disks.</para>
      </listitem>
      <listitem>
        <para>From source code in <filename>/usr/src</filename>. This
          route is more flexible, but requires more disk space, time,
          and more technical expertise. Upgrading from very old
          versions of &os; may be problematic; in cases like this, it
          is usually more effective to perform a binary upgrade or a
          complete reinstall.</para>
      </listitem>
    </itemizedlist>
  </para>

  <para>Please read the <filename>INSTALL.TXT</filename> file for more
    information, preferably <emphasis>before</emphasis> beginning an
    upgrade. If you are upgrading from source, please be sure to read
    <filename>/usr/src/UPDATING</filename> as well.</para>

  <para>Finally, if you want to use one of various means to track the
    -STABLE or -CURRENT branches of &os;, please be sure to consult
    the <ulink
    url="http://www.FreeBSD.org/handbook/current-stable.html"><quote>-CURRENT
    vs. -STABLE</quote></ulink> section of the <ulink
    url="http://www.FreeBSD.org/handbook/">FreeBSD
    Handbook</ulink>.</para>

  <important>
    <para>Upgrading &os; should, of course, only be attempted after
      backing up <emphasis>all</emphasis> data and configuration
      files.</para>
  </important>
</sect1>