FreeBSD The Power to Serve

FreeBSD 14.0-RELEASE Release Notes


The release notes for FreeBSD 14.0-RELEASE contain a summary of the changes made to the FreeBSD base system on the 14-STABLE development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented.


This document contains the release notes for FreeBSD 14.0-RELEASE. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD.

The release distribution to which these release notes apply represents the latest point along the 14-STABLE development branch since 14-STABLE was created. Information regarding pre-built, binary release distributions along this branch can be found at

The release distribution to which these release notes apply represents a point along the 14-STABLE development branch between 13.2-RELEASE and the future 14.1-RELEASE. Information regarding pre-built, binary release distributions along this branch can be found at

This distribution of FreeBSD 14.0-RELEASE is a release distribution. It can be found at or any of its mirrors. More information on obtaining this (or other) release distributions of FreeBSD can be found in the Obtaining FreeBSD appendix to the FreeBSD Handbook.

All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with "late-breaking" information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD 14.0-RELEASE can be found on the FreeBSD Web site.

This document describes the most user-visible new or changed features in FreeBSD since 13.2-RELEASE. In general, changes described here are unique to the 14-STABLE branch unless specifically marked as MERGED features.

Typical release note items document recent security advisories issued after 13.2-RELEASE, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements.

Upgrading from Previous Releases of FreeBSD

Binary upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the freebsd-update(8) utility. The binary upgrade procedure will update unmodified userland utilities, as well as unmodified GENERIC kernels distributed as a part of an official FreeBSD release. The freebsd-update(8) utility requires that the host being upgraded have Internet connectivity. Note that freebsd-update cannot be used to roll back to the previous release after updating to a new major version.

Source-based upgrades (those based on recompiling the FreeBSD base system from source code) from previous versions are supported, according to the instructions in /usr/src/UPDATING.

There have been a number of improvements in the boot loaders, and upgrading the boot loader on the boot partition is recommended in most cases, in particular if the system boots via EFI. If the root is on a ZFS file system, updating the boot loader is mandatory if the pool is to be upgraded, and the boot loader update must be done first. Note that ZFS pool upgrades are not recommended for root file systems in most cases, but updating the boot loader can avoid making the system unbootable if the pool is upgraded in the future. The bootstrap update procedure depends on the boot method (EFI or BIOS), and also on the disk partitioning scheme. The next several sections address each in turn.

Notes for systems that boot via EFI, using either binary or source upgrades: There are one or more copies of the boot loader on the MS-DOS EFI System Partition (ESP), used by the firmware to boot the kernel. The location of the boot loader in use can be determined using the command efibootmgr -v. The value displayed for BootCurrent should be the number of the current boot configuration used to boot the system. The corresponding entry of the output should begin with a + sign, such as

+Boot0000* FreeBSD HD(1,GPT,f859c46d-19ee-4e40-8975-3ad1ab00ac09,0x800,0x82000)/File(\EFI\freebsd\loader.efi)
                      nda0p1:/EFI/freebsd/loader.efi (null)

The ESP may already be mounted on /boot/efi. Otherwise, the partition may be mounted manually, using the partition listed in the efibootmgr output (nda0p1 in this case): mount_msdosfs /dev/nda0p1 /boot/efi. See loader.efi(8) for another example.

The value in the File field in the efibootmgr -v output, \EFI\freebsd\loader.efi in this case, is the MS-DOS name for the boot loader in use on the ESP. If the mount point is /boot/efi, this file will translate to /boot/efi/efi/freebsd/loader.efi. (Case does not matter on MS-DOSFS file sytems; FreeBSD uses lower case.) Another common value for File would be \EFI\boot\bootXXX.efi, where XXX is x64 for amd64, aa64 for aarch64, or riscv64 for riscv64; this is the default bootstrap if none is configured. Both the configured and default boot loaders should be updated by copying from /boot/loader.efi to the correct path in /boot/efi.

For systems that boot via BIOS and use the GPT partition scheme, bootstrap upgrades are optional unless a ZFS root pool will be upgraded (which is discouraged). Upgrades are only possible if the freebsd-boot partition is at least 180K. (512K is now standard.) The device name and the partition index can be identified using the command gpart show, such as:

=>       34  246162605  ada0  GPT  (224G)
         34       1024     1  freebsd-boot  (512K)

When using ZFS, the bootcode can be updated by running the command gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 ada0. If updating with a UFS root, the bootcode can be updated by running the command gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ada0, although this should not be necessary. Note that the freebsd-boot partition size is running up against a hard limit, and this scheme may not be supportable in the future. Users of such systems should consider an upgrade to EFI, possibly by carving space from an existing swap partition.

If the system boots via BIOS and uses the MBR partition scheme, or has a GPT freebsd-boot partition smaller than 180K, then it is not possible to update the bootcode, and therefore to upgrade the root ZFS storage pool.

Upgrading FreeBSD should only be attempted after backing up all data and configuration files.

Security and Errata

This section lists the various Security Advisories and Errata Notices since 13.2-RELEASE.

Security Advisories

Advisory Date Topic

No advisories.

Errata Notices

Errata Date Topic

No notices.

Significant changes merged into FreeBSD 13.1 and FreeBSD 13.2

FreeBSD 14.0 includes over two and a half years of development since the release of FreeBSD 13.0. Some of this work was cherry-picked into older development branches, and was included in FreeBSD 13 minor releases.

For 64-bit architectures, the base system is built with Position Independent Executable (PIE) support enabled by default. It may be disabled using the WITHOUT_PIE knob. 9a227a2fd642 (Sponsored by Stormshield)

There is a new zfskeys rc(8) service script, which allows for automatic decryption of ZFS datasets encrypted with ZFS native encryption during boot. The zfskeys startup script supports autoloading of keys stored on ZFS. See the rc.conf(5) manual page for more information. 33ff39796ffe, 8719e8a951b7, 97aeda224356 (Sponsored by Modirum and Klara Inc.)

The chroot facility supports unprivileged operation, and the chroot(8) program has a -n option to enable its use. a40cf4175c90 (Sponsored by EPSRC)

md5sum(1) and similar message-digest programs compatible with those on Linux were added by having the corresponding BSD programs run with the -r option if the program name ends in sum. 086feed850c3 (Sponsored by Netflix)

The use of FIDO/U2F hardware authenticators has been enabled in ssh, using the new public key types ecdsa-sk and ed25519-sk, along with corresponding certificate types. FIDO/U2F support is described in e9a994639b2a (Sponsored by The FreeBSD Foundation)

The igc(4) driver for the Intel I225 Ethernet controller has been added, supporting 2.5 Gbps operation. 517904de5cca (Sponsored by Rubicon Communications, LLC ("Netgate"))

The mgb(4) network interface driver has been added, with support for Microchip devices LAN7430 PCIe Gigabit Ethernet controller with PHY and LAN7431 PCIe Gigabit Ethernet controller with RGMII interface. The driver has a number of caveats and limitations, but is functional. e0262ffbc6ae (Sponsored by The FreeBSD Foundation)

Two new daemons, rpc.tlsclntd(8) and rpc.tlsservd(8), are now built by default on amd64 and arm64. They provide support for NFS-over-TLS as described in the Internet Draft entitled "Towards Remote Procedure Call Encryption By Default". These daemons are built when WITH_OPENSSL_KTLS is specified. They use KTLS to encrypt/decrypt all NFS RPC message traffic, and provide optional verification of machine identity via X.509 certificates. 2b9cbc85d727 59f6f5e23c1a

UEFI firmware boot compatibility is improved for amd64. See the loader.efi(8) amd64 Nocopy section for more detailed information. f75caed644a5(Sponsored by The FreeBSD Foundation)

Boot time performance improvements have been made to many kernel subsystems. (Sponsored by

nvme(4) error handling has been significantly improved.

The handling of the lowest address on an IPv4 (sub)net (host 0) has been changed so that packets are not sent as a broadcast unless this address has been set as the broadcast address. This makes the lowest address usable for a host. The old behavior can be restored with the net.inet.ip.broadcast_lowest sysctl. See for background information. fd0765933c3c

The growfs(7) startup script will now add a swap partition while expanding the root file system if possible, and if one did not previously exist. This is primarily useful when installing on an SD card using a raw image. A new rc.conf(5) variable has been added, growfs_swap_size, which can control the addition if necessary. See growfs(7) for details.

A new RC script, zpoolreguid has been added, which will assign a new GUID to one or more zpools, useful for virtualization environments when sharing datasets.

The hostid startup script will now generate a random (version 4) UUID if there is no /etc/hostid file and no valid UUID from hardware. Also, if there is no /etc/machine-id file, the hostid_save script will store a compact version of the hostid (one without hyphens) in /etc/machine-id. This file is used by libraries such as GLib. 62a149bf6219 862aab6281a5 baf1e9713969 ecad3f5c4d92 d6852eed98ed

It is now possible to add default routes for FIBs other than the primary by using the defaultrouter_fibN and ipv6_defaultrouter_fibN rc.conf(5) variables. 30659d1dcbcc (Sponsored by ScaleEngine Inc.)

The bhyve(8) utility has gained virtio-input device emulation support. This can be used to inject keyboard/mouse input events into a guest. The command line syntax is: -s <slot>,virtio-input,/dev/input/eventX. 054accac71e0

The kdump(1) utility has gained support for decoding Linux system calls.

An nproc(1) utility has been added, compatible with the Linux program of the same name.

The uuidgen(1) utility has a new option -r to generate a random UUID, version 4. f176fe8e7f63

The bhyve(8) hypervisor and kernel module vmm(4) now support more than 16 vCPUs in a guest. By default bhyve permits each guest to create the same number of vCPUs as the count of physical CPUs on the host. This limit can be adjusted via the loader tunable hw.vmm.maxcpu. ee98f99d7a68

Address Space Layout Randomization (ASLR) is enabled for 64-bit executables by default. It can be disabled as needed if applications fail unexpectedly, for example with segmentation faults. To disable for a single invocation, use the proccontrol(1) command: proccontrol -m aslr -s disable command. To disable ASLR for all invocations of a binary, use the elfctl(1) command: elfctl -e +noaslr file. Problems should be reported via the problem reporting system,, or posting to the mailing list. b014e0f15bc7 (Sponsored by Stormshield)

LLVM’s AddressSanitizer can be used in amd64 kernels. See the kasan(9) manual page for more information. 38da497a4dfc (Sponsored by The FreeBSD Foundation)

A workaround has been implemented for a hardware page invalidation problem on Intel Alder Lake (twelfth generation) and Raptor Lake (thirteenth generation) hybrid CPUs. The bug can lead to file system corruption with UFS and MSDOSFS, and probably other memory corruption. The slower cores (E-cores) automatically use a slower method of page invalidation with the workaround. cde70e312c3f (Sponsored by The FreeBSD Foundation)

The state of the arm64 linux(4) ABI was brought to parity with the amd64 linux(4) ABI. ccc510b46340, 9931033bbfbe

In order to facilitate ABI compatibility of stable branches, the CPU affinity system calls are now more tolerant of CPU sets that are smaller than used by the kernel. This will facilitate increases to the size of the kernel set, MAXCPU. 47a57144af25 f35093f8d6d8 (Sponsored by Juniper Networks, Inc.)

It is now possible to take snapshots on UFS filesystems when running with journaled soft updates. Thus it is now possible to do background dumps on live filesystems running with journaled soft updates. Background dumps are requested by using the -L flag to dump(8). (In previous releases UFS snapshots were incompatible with journaled soft updates.) 78f412987605 (Sponsored by The FreeBSD Foundation)

The kernel wg(4) WireGuard driver has been reintegrated; it provides Virtual Private Network (VPN) interfaces using the WireGuard protocol. 744bfb213144 (Sponsored by Rubicon Communications, LLC ("Netgate") and The FreeBSD Foundation)

KTLS (the kernel TLS implementation) has added receive offload support for TLS 1.3. Receive offload is now supported for TLS 1.1 through 1.3; send offload is supported for TLS 1.0 through 1.3. 05a1d0f5d7ac (Sponsored by Netflix)

Radix tables and lookups are now supported for MAC addresses in ipfw(4). This allows MAC address tables to be constructed and used for filtering. 81cac3906eb9

Changes new to 14.0-RELEASE


This section covers changes and additions to userland applications, contributed software, and system utilities.

Userland Configuration Changes

The default shell for the root user is now sh(1), which has many new features for interactive use. d410b585b6f0

The default mail transport agent (MTA) is now the Dragonfly Mail Agent (dma(8)) rather than sendmail(8). Configuration of the MTA is done via mailer.conf(5). sendmail(8) and its configuration remain available. a67b925ff3e5

The mta_start_script configuration variable has been retired from rc.conf(5), along with the othermta startup script. 616f32ea6da7

jail(8) now supports .include directives in jail.conf(5) files, with support for filename globbing. e82a62943529

The one-time password facility OPIE, opie(4), has been removed from the base system. If you still wish to use it, install the security/opie port. Otherwise, make sure to remove or comment out any mention of pam_opie and pam_opieaccess from your PAM policies. etcupdate(8) will normally take care of this for the stock policies. 0aa2700123e2

The SHARED_TOOLCHAIN build configuration option has been removed. Building a statically-linked toolchain is still possible using the general NO_SHARED option. 77f6be448408 (Sponsored by The FreeBSD Foundation)

Locale handing has been upgraded to CLDR 41.0 and Unicode 14.0. e87ec409fa9b

The layout configuration has been added for the new French bépo keyboard (version 1.1rc2) normalized by French national organization for standardization as "NF Z71‐300". abdcd967dc0c

An rc.d script (see rc(8)) is now allowed to have a status method even if it does not define procname or have a PID file. 2651609fcbd7

Userland Application Changes

The base64(1) utility has been added. 540a99289bb1

The bhyve(8) hypervisor now has optional TPM (Trusted Platform Module) passthrough support. This is not direct access, but commands from the guest are forwarded to the physical TPM. 67c26eb2a57c

GPU passthrough has been improved in bhyve(8) for AMD and Intel GPUs. This is a work in progress; passthrough does not work in all cases, and the configuration is not yet documented.

The cpuset(1) utility has been moved from /usr/bin to /bin so that it is always available during startup processing. /usr/bin/cpuset is now a symbolic link. f05948d4e98d

The date(1) utility now has a -z option for timezone conversion. 31edf56b1571

The diff(1) utility now supports a --color option for colorized output. f38702e5a52e

The deprecated fmtree(8) utility has been removed. e4d63c5d5ff8

freebsd-update(8) now documents that files under /var/db/freebsd-update may be deleted if an upgrade is not in progress and rollback will not be required. 80b003e81684 (Sponsored by The FreeBSD Foundation)

A new fwget(8) utility inspects the system for peripherals that need firmware, and installs the appropriate packages for them. For now, only the PCI subsystem is supported, and only video firmware for Intel and AMD GPUs is known. d198b8774d2c d198b8774d2c (Sponsored by Beckhoff Automation GmbH & Co. KG)

The usability of head(1) and tail(1) has been improved by consistently supporting the -q and -h options, allowing numbers with SI suffixes, and removing the 2^31 limit on lines for head(1). 643ac419fafb

makefs(8) now has experimental ZFS support. It can create a ZFS pool, backed by a single disk vdev, containing one or more datasets populated from the staging directory. 240afd8c1fcc (Sponsored by The FreeBSD Foundation)

The minigzip(1) utility has been removed. 278d080bad9F

The mandoc(1) utility has a workaround for lack of macro processing in list -width handling, resulting in more accurate widths for list columns. bbb2d2ce4220 (Sponsored by Dell EMC Isilon)

The mixer(8) utility no longer tries to guess whether a volume is absolute or a percent. It now accepts a percentage with % appended, otherwise a volume is absolute. 4014365e4219

The netcat utility nc(1) can now be an if_tun (tun(4)) broker. cef7ab70ff44 (Sponsored by Zenarmor) (Sponsored by OPNsense) (Sponsored by Klara, Inc.)

The netstat(1) utility now computes correct column widths with the -i option, making the -w option unnecessary. 372e3d561d82

The portsnap(8) utility has been removed. Users are encouraged to fetch the ports tree by using pkg install git and then git clone /usr/ports. df53ae0fdd98

The pw(8) and bsdinstall(8) programs now create home directories for users in /home by default rather than /usr/home. The default symbolic link for /home, referencing /usr/home, is no longer created. bbb2d2ce4220

The sleep(1) utility now accepts units other than seconds, and accepts multiple delay values that are summed (for example, 1h 30m). 34978f7edd15 be038c3afcae

The sockstat(1) utility is now run in a sandbox with capsicum. 94dc57159532 c5a2d8c5f517

The systat(1) utility has a new command, iolat, which reports I/O latencies computed by the CAM I/O scheduler. 22054f88914b (Sponsored by Netflix)

A new utility, tcpsso(8), is able to apply a socket option to an existing TCP endpoint, for example changing the congestion control module or the TCP stack. 881631a2a371 (Sponsored by Netflix)

The Telnet daemon, telnetd(8), has been removed. A port is available if necessary, net/freebsd-telnetd. The client is not affected. 0eea46fb1f83

The PROFILE option is disabled by default, thus profiled versions of system libraries are not provided. Hardware-based profiling (e.g. hwpmc(4)) is preferred. fe52b7f60ef4 (Sponsored by The FreeBSD Foundation)

Compressed debug sections in binaries are enabled by default on little-endian targets. 47363e99d3d3 (Sponsored by The FreeBSD Foundation)

Configuration has been added to produce armv7 distribution sets, which can be useful in building jails on arm64. ac099daf6742

Contributed Software

One True Awk (awk(1)) has been updated to 20210727, which is 1st edition. (2nd edition will be included in 14.1-RELEASE.) All the FreeBSD patches but one have now been either up-streamed or discarded. Notable changes include: locale is no longer used for ranges; better compatibility with gawk and mawk. Note that hex strings are interpreted as numbers as in earlier FreeBSD versions. This will change in FreeBSD 15 to agree with upstream and current POSIX standards. f39dd6a97844 23f24377b1a9 628bd30ab5a4

The bc(1) and dc(1) commands have been updated to version 6.6.0, which fixes a problem with line editing and complex scripts with multiple read() commands, and adds some functions to bc’s (non-standard) extended math library.

libbsdxml (expat, libbsdxml(3)) has been upgraded to version 2.4.7. 7ed8e142a00d

libfido2 has been upgraded to version 1.13.0. f540a43052c1 3e696dfb7009 95321fff46ec (Sponsored by The FreeBSD Foundation)

The llvm-objdump(1) utility is now always installed as objdump(1). 86edb11e7491 (Sponsored by The FreeBSD Foundation)

OpenSSH has been upgraded to version 9.5p1. Full release notes are at 676824f5cdf9 (Sponsored by The FreeBSD Foundation)

The scp(1) utility now defaults to the SFTP protocol, rather than the legacy scp/rcp protocol. This removes the need for double-quoting wildcard expansion characters. fb5aabcb990b (Sponsored by The FreeBSD Foundation)

RSA/SHA-1 signatures are now disabled by default in ssh(1). It is possible to enable them on a per-host basis in a user’s ~/.ssh/config file. 8c22023ca5e1 (Sponsored by The FreeBSD Foundation)

The VerifyHostKeyDNS option for ssh(1) now defaults to no, following the OpenSSH distribution. The X11Forwarding option also defaults to no. 41ff5ea22cb9 77934b7a1301 (Sponsored by The FreeBSD Foundation)

HPN option handling has been removed from OpenSSH. HPN support was deprecated long ago, but the configuration options were still accepted (and ignored) for backwards compatibility. 348bea10b6f2 (Sponsored by The FreeBSD Foundation)

The VersionAddendum option has been removed from the ssh(1) client. bffe60ead024 (Sponsored by The FreeBSD Foundation)

OpenSSL has been upgraded to version 3.0.12. This is a major upgrade from version 1.1.1, which has reached its end of life. Many components of the base system use a backward-compatible API, but will be migrated later. aa7957345732 930cec16d9ee b077aed33b7b (Sponsored by The FreeBSD Foundation)

tcpdump has been upgraded to version 4.99.4. ee67461e5682 171a7bbfc048 1ad8d2ee1f7d (Sponsored by The FreeBSD Foundation)

libpcap has been upgraded to version 1.10.4. 6f9cba8f8b5e dd744a896be3 (Sponsored by The FreeBSD Foundation)

xz has been upgraded to version 5.4.3.

zlib has been upgraded to version 1.3.

zstd has been upgraded to version 1.5.2. (Sponsored by Klara, Inc)

Deprecated Applications

mergemaster(8) has been deprecated. Its replacement is etcupdate(8). 398b12691b4f (Sponsored by The FreeBSD Foundation)

Runtime Libraries and API

The libncursesw library (see ncurses(3X)) has been split into libtinfow and libncursesw. Linker scripts should make this transparent for consumers. pkg-config(8) files are now installed, to ease ports detecting the ncurses setup from base. 396851c20aeb

The ncurses(3X) library is now able to use terminfo(5) as well as termcap(5), and uses terminfo preferentially. 61f66a1f4403

The default search path for terminfo databases in ncurses(3X) now includes /usr/local/share/terminfo, facilitating the use of a database from ports or packages. b75fb12b6827

The prototype of qsort_r(3) has been modified to match POSIX, which adopted the glibc-based interface. af3c78886fd8

The COMPAT_LIB32 build option has been implemented for aarch64 (arm64) and is enabled by default. This provides armv7 32-bit-compatible libraries and header files for arm64 systems for building and running most armv7 32-bit binaries. f1d5183124d3 d5d97bed4ab6 a1b675731301

Cloud Support

This section covers changes in support for cloud environments.

FreeBSD now provides experimental ZFS-root EC2 AMIs on AWS. (Sponsored by

FreeBSD now provides experimental cloud-init EC2 AMIs on AWS. See the net/cloud-init port for information. (Sponsored by

FreeBSD now provides arm64 as well as amd64 images for Azure. Both UFS and experimental ZFS images are available. Gen2 VMs are now supported. (Sponsored by The FreeBSD Foundation) (Sponsored by Microsoft)

The Microsoft Azure Network Adapter (MANA) VF (virtual function) is now supported. ce110ea12fce (Sponsored by Microsoft)

The Google Virtual NIC (gve(4)) is now supported. 54dfc97b0bd9 (Sponsored by Google)


This section covers changes to kernel configurations, system tuning, and system control parameters that are not otherwise categorized.

General Kernel Changes

The SMP system now supports up to 1024 cores on amd64 and arm64. Many kernel CPU sets are now dynamically allocated to avoid consuming excessive memory. The kernel cpuset ABI has been updated to support the higher limit. 76887e84be97 d1639e43c589 9051987e40c5 e0c6e8910898 (Sponsored by The FreeBSD Foundation)

The ACPI system now supports the _CR3 critical standby (S3) threshold. b8a0dfb17e3b

The acpi_timer_test is disabled by default, forcing the use of ACPI-fast rather than ACPI-safe, and speeding the boot process. The broken-ACPI-timers workaround can be re-enabled by setting the hw.acpi.timer_test_enabled=1 tunable. If timekeeping issues are observed, please test with hw.acpi.timer_test_enabled=1 in loader.conf(8) and report if that fixes the problem. a8b89dff6ac0

boottrace(4) is a new kernel-userspace interface for capturing trace events during system boot and shutdown. Event annotations are present in the boot and shutdown paths in the kernel; system utilities (init(8), shutdown(8), reboot(8)); and rc(8) scripts (via boottrace(8)). boottrace(4) focuses on ease of use and is aimed primarily at system administrators. It is available in the default GENERIC kernel and can be enabled by toggling a sysctl(8) variable. da5b7e90e740 5a8fceb3bd9f 7b0a665d72c0 13ec1e3155c7 318d0db5fe8a 1ae2c59bcf21 (Sponsored by NetApp, Inc.) (Sponsored by Klara, Inc)

Support has been added to the kernel crypto for the XChaCha20-Poly1035 AEAD cipher. 8f35841f1f35 (Sponsored by The FreeBSD Foundation)

An API has been added to the kernel crypto for curve25519. 0c6274a819ff (Sponsored by The FreeBSD Foundation)

FreeBSD can now run inside the Firecracker VMM via the amd64 FIRECRACKER kernel configuration. 469ad8603127 (Sponsored by

FreeBSD now reboots faster. The kern.reboot_wait_time sysctl has been added to control the delay before rebooting after printing all kernel messages on the console. It defaults to 0. Setting it to 1 restores the previous behavior (1 second delay). 84ec7df0d796 (Sponsored by

A new DTrace provider, kinst, has been added; see dtrace_kinst(4). The provider allows kernel instructions to be traced, similar to the FBT (function boundary tracing) provider except that all instructions may be probed instead of just logical entry and return instructions. f0bc4ed144fc (Sponsored by Google, Inc. via GSoC 2022)

kinst was ported to arm64 and riscv. 07864a8a2466 2d7bb03adb43 (Sponsored by The FreeBSD Foundation)

LLVM’s MemorySanitizer can now be used in amd64 kernels. See the kmsan(9) manual page for more information. a422084abbda (Sponsored by The FreeBSD Foundation)

LLVM’s AddressSanitizer can now be used in arm64 kernels as well as amd64. See the kasan(9) manual page for more information. 89c52f9d59fa (Sponsored by Juniper Networks, Inc.) (Sponsored by Klara, Inc.)

Support for asymmetric cryptographic operations has been removed from the kernel open cryptographic framework (OCF), as they are not used by modern OpenSSL versions. 76681661be28

A native timerfd(2) facility has been added to facilitate porting Linux programs that use timerfd. Previously, timerfd was only available under Linux emulation. For programs written only for FreeBSD, the kqueue(2) EVFILT_TIMER filter is preferred for establishing arbitrary timers. af93fea71038

The process visibility policy controlled by the security.bsd.see_jail_proc sysctl(8) knob was hardened by preventing unauthorized users from attempting to kill, change priority of or debug processes with same (real) UID in a sub-jail at random, which, provided the PID of such a process is guessed correctly, would succeed even if these processes are not visible to them. It was also made overridable by MAC policies, as are the other process visibility policies. 7e21c691f295 63c01c18a8d3 (Sponsored by Kumacom, SAS) (Sponsored by The FreeBSD Foundation)

The process visibility policy controlled by the security.bsd.see_other_gids sysctl(8) knob was fixed to consider the real group of a process instead of its effective group when determining whether the user trying to access the process is a member of one of the process' groups. The rationale is that some user should continue to see processes it has launched even when they acquire further privileges by virtue of the setgid bit, whereas they should not see processes launched by a privileged user that temporarily enters the user’s primary group. This new behavior is consistent with what security.bsd.see_other_uids has always been doing for user IDs (i.e., considering some process' real user ID and not the effective ID). 26ff4836c888 (Sponsored by Kumacom, SAS) (Sponsored by The FreeBSD Foundation)

The Zenbleed bug affecting AMD Zen2 processors is now automatically mitigated (via chicken bit), preventing misbehavior and data leaks on affected machines. If needed, applying the mitigation can be manually controlled via the machdep.mitigations.zenbleed.enable sysctl(8) knob. Please consult the new mitigations(7) manual page for more information. aea76bab1416 (Sponsored by The FreeBSD Foundation)

Devices and Drivers

This section covers changes and additions to devices and device drivers since 13.2-RELEASE.

Device Drivers

The default speed for serial communication in boot loaders, kernel, and userland is now 115200 bps. Note that the early x86 BIOS bootloader (i.e., boot0sio) does not support rates above 9600 bps and is not changed. boot0sio users may set BOOT_COMCONSOLE_SPEED=9600 to use 9600 for all of the boot components, or use the standard boot0 and have the boot2 stage start with the serial port at 115200. 4722ceb7d53e (Sponsored by The FreeBSD Foundation)

The default bell tone is now 800Hz. It can be set with kbdcontrol(1) again. There is integration with devd(8) for people wishing to use their sound cards for the beep. ba48d52ca6c8 4ac3d08a9693 2533eca1c2b9 (Sponsored by Netflix)

When using the default vt(4) console, the audible bell is no longer enabled by default. It can be enabled with these commands: sysctl kern.vt.enable_bell=1 and kbdcontrol -b normal. 225639e7db68

Improvements have been made in DPAA2 (second generation Data Path Acceleration Architecture — a hardware-level networking architecture found in some NXP SoCs). It runs NXP-supplied firmware which provides DPAA2 objects as an abstraction layer, and provides a dpni network interface. Separation between DPAA2 channels has been improved significantly in order to isolate access to the DMA resources and cleanup operations, and avoid kernel panics under heavy network load (1 Gbit/s links). Other improvements include FDT/ACPI MDIO support, netboot over DPAA2 and separate command portals (DPMCP) support.

Support for the Arm Corelink DMC-620 Memory Controller, and the CMN-600 Coherent Mesh Network Controller, have been added to hwpmc(4) and libpmc. See pmc.dmc-620(3) and pmc.cmn-600(3). 1459a22787ea 59191f3573f6 (Sponsored by ARM) (Sponsored by Ampere Computing)

A fix has been implemented for frame buffer addressing that affects frame buffers mapped above 4 GB physical on i386 and Book-E powerpc. a78bb831a17f

The iwlwifi(4) driver for Intel wireless interfaces has been updated to the latest version, supporting chipsets up to WiFi 6E AX411/AX211/AX210, and with preparations for upcoming BX and SC chipsets. (Sponsored by The FreeBSD Foundation)

The rtw88(4) driver for Realtek wireless PCI interfaces has been updated.

A kvm_clock driver has been added for the KVM paravirtualized clock. 6c69c6bb4c7f (Sponsored by Juniper Networks, Inc.) (Sponsored by Klara, Inc.)

There have been stability fixes and enhancements to the KPI to support Linux device drivers, along with the net80211 layer for wireless drivers. (Sponsored by The FreeBSD Foundation)

NVMe disks are now nda devices by default, for example nda0; see nda(4). Symbolic links for the previous nvd(4) device names are created in /dev. However, configuration such as fstab(5) should be updated to refer to the new device names. Options to control the use of nda devices and symbolic links are described in nda(4). bdc81eeda05d (Sponsored by Netflix)

The previous qat(4) driver has been replaced with Intel’s QAT driver. The new version provides additional interfaces to the chipset’s cryptographic and compression offload functionality. This will have no visible change for most users; however, the new driver does not support Atom C2000 chipsets. To preserve support for those chipsets, the old driver has been renamed to qat_c2xxx. Users of qat(4) on C2000 hardware will thus need to ensure that qat_c2xxx(4) is loaded instead of qat(4). 78ee8d1c4cda f4f56ff43dbd (Sponsored by Intel Corporation)

Deprecated and Removed Drivers

The pms(4) driver, pmspcv, has been removed from the GENERIC kernel configurations for x86, as it was large and uncommonly used. It can be loaded as a module by placing pmspcv_load="YES" in loader.conf(5). 95e4f5ef7cce (Sponsored by Rubicon Communications, LLC ("Netgate"))

The VESA option has been removed from the x86 GENERIC and MINIMAL kernel configurations. It is still available as a kernel module. VESA is not used by the default console, vt(4). 777526ed8382 b8cf1c5c30a5 (Sponsored by The FreeBSD Foundation)

Drivers for ISA sound cards have been removed. 92e6b4712b53 df51e63eb5d7 aa83e9b189d6 754decef384a 5126e5eeeb5e 716924cb4832 9054e296819f (Sponsored by The FreeBSD Foundation)

The AHB bus front end has been removed from ath(4), as it was used only by MIPS. 37c8ee8847fa

The deprecated amr(4) driver has been removed. 60de2867c9fc (Sponsored by Netflix)

The obsolete iscsi_initiator(4) has been removed. Its replacement, iscsi(4), was introduced several major releases ago. 48cb3fee2586 (Sponsored by The FreeBSD Foundation)

The deprecated iir(4) driver has been removed. 399188a2c60c (Sponsored by Netflix)

The deprecated mn(4) sync serial driver has been removed. 0cff00ae682a (Sponsored by The FreeBSD Foundation)

The deprecated mly(4) driver has been removed. a9620045a5b9 (Sponsored by Netflix)

The deprecated nlmrsa(4) driver has been removed. 6a06b00a0d1f (Sponsored by Chelsio Communications)

The deprecated twa(4) driver has been removed. 8722e05ae149 (Sponsored by Netflix)


This section covers changes and additions to file systems and other storage subsystems, both local and networked.

General Storage

gconcat(8) and its kernel support now have the ability to append devices to the concatenated device that were not present when the gconcat device was created. d575e81fbcfa

A new gunion(8) utility tracks changes to a read-only disk on a writable disk. This can be useful for making tentative changes to the disk, such as file system repairs or software upgrades, and then either committing or reverting them. c7996ddf8000 (Sponsored by Netflix)

In the course of debugging and resolving a problem with vnode recycling in the generic file system code, sysctls for vnode-related statistics have been grouped under vfs.vnode for greater visibility. d3e647891243

NFS Changes

NFS now supports running an NFS server in a VNET jail, including nfsd(8), nfsuserd(8), mountd(8), gssd(8), and rpc.tlsservd(8). The VNET jail must be on its own file system, have the allow.nfsd jail parameter set, and enforce_statfs cannot be set to 0. Use of UDP and pNFS server configurations is not permitted. 7344856e3a6d and many others

For NFSv4 mounts, the NFS client now uses the highest minor version of NFSv4 supported by the NFS server by default instead of minor version 0. The minorversion mount option may be used to override this default. a145cf3f73c7

The FreeBSD NFS client can now be set to use a 1 Mbyte I/O size via the vfs.maxbcachebuf tunable; the Linux NFS client can also do 1 Mbyte I/O. The value of kern.ipc.maxsockbuf will need to be increased to do this. A console message will suggest a setting for it. Note that the maximum I/O size for the FreeBSD NFS server can be increased to any power of 2 up to 1 Mbyte using the sysctl vfs.nfsd.srvmaxio while nfsd(8) is not running. ee29e6f31111

The NFSv4.1/4.2 client and server will now generate console messages if sessions are broken, suggesting that users check to ensure that the values in /etc/hostid strings are unique for all NFSv4.1/4.2 clients. b875d4f5ddcb 0685c73cfe88

NFSv4.1/4.2 mounts with the intr mount option are now fairly usable, although not 100% correct, so long as the nolockd mount option is used as well. See the mount_nfs(8) manual page for more information. 981ef32230b2 33721eb991d8

A new syskrb5 mount option is availble for Kerberized NFSv4.1/4.2 mounts. A feature of NFSv4.1/4.2 is used to provide AUTH_SYS authentication, and thus no Kerberos credential is required at mount time. See mount_nfs(8). 896516e54a8c

Support for SP4_MACH_CRED has been added in NFS mount protocol in the NFS server. That facility is used by the Linux NFSv4.1/4.2 client for Kerberized mounts. It was handled by a fallback in the past, but is now supported directly. 330aa8acdec7 ff2f1f691cdb

UFS Changes

It is now possible to perform background file system checks using a snapshot on UFS file systems running with journaled soft updates. (Sponsored by The FreeBSD Foundation)

Superblocks, cylinder group maps, and inodes have had check hashes added to detect corruption. Far more extensive checks are made of the superblock (120) and cylinder groups (20) than just the magic number check done previously. (Sponsored by The FreeBSD Foundation)

The libufs(3) library has been updated to include these checks so that they are now done by all the filesystem utilities. The checks are implemented in one kernel file that is also included by libufs. Another change to libufs is that the code to find alternate superblocks has been moved from fsck_ffs(8) into the shared file so it is now available in the kernel loader as well as all the filesystem utilities. (Sponsored by The FreeBSD Foundation)

ZFS Changes

OpenZFS has been upgraded to version 2.2. New features include:

  • block cloning, which allows shallow copies of blocks in file copies. This is optional, and disabled by default; it can be enabled with sysctl vfs.zfs.bclone_enabled=1.

  • scrub error log (zpool scrub -e)

  • BLAKE3 checksums, which are fast, and are now the recommended secure checksums

  • corrective zfs receive can heal corrupted data

  • vdev and zpool user properties, similar to dataset user properties.

Performance improvements include:

  • fully adaptive ARC, a unified ARC that minimizes the need for manual tuning

  • zstd early abort, improving efficiency with uncompressible data

  • I/O prefetch improvements

  • general optimization.

ZFS has been enabled on 32-bit powerpc/powerpcspe. 63715498ac6b

Other Storage Changes

The msdosfs(5) file system now records available directory entries in the root directory of FAT12 and FAT16 file systems (e.g. EFI boot partitions) and reports them as inodes. c33db74b5323

The msdosfs(5) file system now correctly calculates the available and used blocks of FAT12 and FAT16 file systems, and no longer rejects mounting file systems created using valid but uncommon parameters. 0728695c63e

The synthetic file systems (devfs(5), procfs(5), etc.) now report 0 blocks used so that they are not reported as 100% full. 88a795e80c03

The tarfs(5) file system has been added, which is backed by POSIX tar archives optionally compressed with zstd(1). 69d94f4c7608 (Sponsored by Juniper Networks, Inc.) (Sponsored by Klara, Inc.)

Boot Changes

This section covers the boot loader, boot menu, and other boot-related changes.

Boot Loader Changes

The lua-flavored loader(8) will now interpret .lua files that appear in loader_conf_files as lua, and execute them in a sandbox. Existing loader environment variables are available as globals in the sandbox, and any global variable set, if not a table value, will be reflected in the loader environment upon successful execution of the configuration file. Environment variables with names that aren’t valid lua names may be accessed as indices of _ENV; e.g., _ENV['net.fibs']. 3cb2f5f369ec

EC2 instances now boot using UEFI where available, substantially speeding the boot process. b43d7aa09b3c bcf9147144f3 (Sponsored by


This section describes changes that affect networking in FreeBSD.

General Network

carp(4) now supports configuration of the address to which carp messages are sent, allowing the use of unicast addresses. This is useful in certain virtual configurations. See carp(4) and ifconfig(8). 137818006de5

Layer 3 filtering on if_bridge(4) will do surprising things which aren’t fail-safe, so and now default to zero. 22893e584032

netlink(4) is a user/kernel communication protocol defined in RFC 3549 and used primarily for network configuration. It has been expanded, improved, and enabled by default. A number of network configuration utilities have been converted to use netlink. 3091d980f581

The deprecated NgATM (netgraph ATM support) and remaining ATM support have been removed.

The pf(4) packet filter now supports scrubbing with OpenBSD syntax and behavior. If there are no FreeBSD scrub rules, a global flag set reassemble yes | no [no-df] determines whether packet reassembly is done. Scrubbing, like setting tos, ttl, etc, can be done in match and pass rules, which also makes it stateful. Match rules are now fully supported, as on OpenBSD, not only for dummynet(4) queues. 39282ef356db (Sponsored by InnoGames GmbH)

pfsync(4) can now use IPv6 transport. 6fc7fc2dbb2b (Sponsored by InnoGames GmbH) (Sponsored by The FreeBSD Foundation)

The pfsync(4) packet format has been extended to improve support for queuing, scrubbing and route-to rules. This format is incompatible with older releases. The old format can be selected using ifconfig pfsync0 version 1301. This is especially important if members of a pfsync cluster are not upgraded simultaneously.

WiFi 6 support has been added to wpa (wpa_supplicant(8) and hostapd(8)). c1d255d3ffdb 3968b47cd974 bd452dcbede6

Internet Networking

The 6to4 interface for IPv6 over IPv4, if_stf(4), now supports IPv6 Rapid Deployment (6rd) (RFC5969). 19dc64451179 (Sponsored by Rubicon Communications, LLC ("Netgate"))

The rtsol(8) and rtsold(8) programs now have a -i option to disable the random delay of up to a second that is used by default. The default options for these programs in rc.conf(5) include -i. 231bac4ccc43 e29711da2352 (Sponsored by

The handling of IPv6 nodeinfo (RFC 4620) has been disabled by default. b73183d1a243 (Sponsored by The FreeBSD Foundation)

The sysctl(8) option net.inet.tcp.nolocaltimewait is now enabled by default. This prevents creation of timewait entries for TCP connections that were terminated locally. 92b3e07229ba

The default congestion control mechanism for TCP is now CUBIC. For long duration data transfers, CUBIC allocates a slightly higher fraction of the available bandwidth, when competing against NewReno. bb1d472d79f7 (Sponsored by NetApp, Inc.)

IPv4 was changed not to broadcast the lowest address on a subnet (host 0) unless it is configured as the broadcast address. This allows the lowest address on a subnet to be used for a host. fd0765933c3c

Hardware Support

This section covers general hardware support for physical machines, hypervisors, and virtualization environments, as well as hardware changes and updates that do not fit in other sections of this document.

Please see the list of hardware supported by 14.0-RELEASE, as well as the platforms page for the complete list of supported CPU architectures.

Hardware Architecture Support

The project no longer provides armv6 artifacts with 14.0-RELEASE.

Support for the MIPS architecture, and related hardware, has been removed. MIPS will remain supported on the 13-STABLE branch for the duration of its lifetime.

Support for the software floating point variant of the RISC-V architecture, riscv64sf, has been retired. All available hardware is supported by the regular riscv64 architecture.

Virtualization Support


This section covers changes to manual (man(1)) pages and other documentation shipped with the base system.

Man Pages

Many tweaks and clean-ups have been made to improve the accuracy of the hier(7) page.

Many of the pages in section 9, kernel documentation, have been reviewed and updated for accuracy.

The introduction to the kernel documentation manual pages, intro(9), has been completely rewritten. 84f9f2c5cf78 (Sponsored by The FreeBSD Foundation)

The mi_switch(9) page has been rewritten and improved. 175db7b58270 (Sponsored by The FreeBSD Foundation)

A new kern_yield(9) page has been added. 30cd6fd75d46 (Sponsored by The FreeBSD Foundation)

Some obsolete section 9 pages have been removed. d1c7405ef68a 52f9a2823c64 b54391a1f831 (Sponsored by The FreeBSD Foundation)

Ports Collection and Package Infrastructure

This section covers changes to the FreeBSD Ports Collection, package infrastructure, and package maintenance and installation tools.

Packaging Changes

General Notes Regarding Future FreeBSD Releases

FreeBSD 15.0 is not expected to include support for 32-bit platforms other than armv7. The armv6, i386, and powerpc platforms are deprecated and will be removed. 64-bit systems will still be able to run older 32-bit binaries.

We expect to support armv7 as a Tier 2 architecture in FreeBSD 15.0 and stable/15. However, we also anticipate that armv7 may be removed in FreeBSD 16.0. We will provide an update on the status of armv7 for both 15.x and 16.x at the time of 15.0 release.

Support for executing 32-bit binaries on 64-bit platforms via the COMPAT_FREEBSD32 option will continue for at least the stable/15 and stable/16 branches. Support for compiling individual 32-bit applications via cc -m32 will also continue for at least the stable/15 branch, which includes suitable headers in /usr/include and libraries in /usr/lib32.

Ports will not include support for deprecated 32-bit platforms for FreeBSD 15.0 and later releases. These future releases will not include binary packages or support for building packages from ports for deprecated 32-bit platforms.

The FreeBSD stable/14 and earlier branches will retain existing 32-bit kernel and world support. Ports will retain existing support for building ports and packages for 32-bit systems on stable/14 and earlier branches as long as those branches are supported by the ports system. However, all 32-bit platforms are Tier-2 or Tier-3, and support for individual ports should be expected to degrade as upstreams deprecate 32-bit platforms.

With the current support schedule, stable/14 will reach end of life (EOL) 5 years after the release of FreeBSD 14.0-RELEASE. The EOL of stable/14 will mark the end of support for deprecated 32-bit platforms, including source releases, pre-built packages, and support for building applications from ports. With the release of 14.0-RELEASE in November 2023, support for deprecated 32-bit platforms will end in November 2028.

The project may choose to alter this approach when FreeBSD 15.0 is released by extending some level of support for one or more of the deprecated platforms in 15.0 or later. Any alterations will be driven by community feedback and committed efforts to support these platforms. Use FreeBSD 14.0-RELEASE and following releases, or the stable/14 branch, to migrate off 32-bit platforms.

Last modified on: November 30, 2023 by Benedict Reuschling