FreeBSD 14.3-RELEASE Release Notes

Fix -U flag of ps(1) to select processes by real user IDs. This is what POSIX mandates for option -U and arguably the behavior that most users actually need in most cases. Before, -U would select processes by their effective user IDs (which is the behavior mandated by POSIX for option -u). a2132d91739d. (Sponsored by The FreeBSD Foundation).

Make '-O' more versatile and predictable for ps(1). The ps(1) display’s list of columns is now first built without taking into account the -O options. In a second step, all columns passed via -O are finally inserted after the built-so-far display’s first PID column (if it exists, else at start), in their order of appearance as arguments to the -O options. 1fc8cb547cd4. (Sponsored by The FreeBSD Foundation).

Remove not-explicitly-requested columns with duplicate data in ps(1). Before this change, when stacking up more columns in the display through command-line options, if user requested to add some "canned" display (through options -j, -l, -u or -v), columns in it that were "duplicates" of already requested ones (meaning that they share the same keyword, regardless of whether their headers have been customized) were in the end omitted. 7aa2f4826717. (Sponsored by The FreeBSD Foundation).

Add flags to filter jail prison and vnet variables in sysctl(8) output. So users do not have to contact the source code to tell whether a variable is a jail prison / vnet one or not. 615c9ce250ee.

grep(1) no longer follows symbolic links by default for recursive searches. This matches the documented behavior in the manual page. 3a2ec5957ea9

llvm, clang, compiler-rt, libc++, libunwind, lld, lldb and openmp have been updated to llvm-project llvmorg-19.1.7-0-gcd708029e0b2(dc3f24ea8a25).

zfs(8): OpenZFS has been updated to zfs-2.2-release(2.2.7)(2ec8b6948070).

xz(1) has been updated to 5.8.1(9679eedea94c).

less(1) has been updated to v668(0bb4c188d363).

file(1) has been updated to 5.46(71c92e6b94f0).

expat(3) has been updated to 2.7.1(6f7ee9ac036e).

tzdata has been updated to 2025b(475082194ac8).

OpenSSH has been updated to 9.9p2(059b786b7db5). (Sponsored by The FreeBSD Foundation).

OpenSSL has been updated to 3.0.16(cb29db243bd0).

googletest has been updated from 1.14.0 to 1.15.2(1d67cec52542). One notable change is that GoogleTest 1.15.x now officially requires C-14 (1.14.x required C-11).

spleen has been updated to Spleen 2.1.0(26336203d32c).

Update deprecation warning to note that gvinum(8) is removed in 15.0(dec497a9fcbf).

Deprecation notice for syscons(4) has been added. syscons(4) is not compatible with UEFI, does not support UTF-8, and is Giant-locked. There is no specific timeline yet for removing it, but support for the Giant lock is expected to go away in one or two major release cycles. (8c922db4f3d9). (Sponsored by The FreeBSD Foundation).

OpenSSH plans to remove support for the DSA signature algorithm in early 2025.

publickey(5) stuffs has been deprecated. This uses DES and it is likely that nobody uses that in 2025. (9197c04a251b).

libcxxrt has been updated to upstream 6f2fdfebcd62(d9901a23bd2f).

Support legacy PCI hotplug on arm64. 355f02cddbf0. (Sponsored by Arm Ltd).

Define a common 'mac' node for MAC’s jail parameters for mac(3). To be used by mac_do(4). 66fb52a27279. (Sponsored by The FreeBSD Foundation).

New setcred() system call and associated MAC hooks. This new system call allows to set all necessary credentials of a process in one go: Effective, real and saved UIDs, effective, real and saved GIDs, supplementary groups and the MAC label. Its advantage over standard credential-setting system calls (such as setuid(), seteuid(), etc.) is that it enables MAC modules, such as mac_do(4), to restrict the set of credentials some process may gain in a fine-grained manner. c1d7552dddb5. (Sponsored by The FreeBSD Foundation).

Support multiple users and groups as single rule’s targets in mac_do(4). Supporting group targets is a requirement for mac_do(4) to be able to enforce a limited set of valid new groups passed to setgroups(). Additionally, it must be possible for this set of groups to also depend on the target UID, since users and groups are quite tied in UNIX (users are automatically placed in only the groups specified through '/etc/passwd' (primary group) and '/etc/group' (supplementary ones)). 83ffc412b2e9. (Sponsored by The FreeBSD Foundation).

Teach sysctl(8) to attach and run itself in a jail. This allows the parent jail to retrieve or set kernel state when child does not have sysctl(8) installed (for example light weighted OCI containers or slim jails). This is especially useful when manipulating jail prison or vnet sysctls. For example, sysctl -j foo -Ja or sysctl -j foo net.fibs=2. 8d5d7e2ba3a6.

Enable vnet sysctl(9) variables to be loader tunable. In 3da1cf1e88f8, the meaning of the flag CTLFLAG_TUN is extended to automatically check if there is a kernel environment variable which shall initialize the SYSCTL during early boot. It works for all SYSCTL types both statically and dynamically created ones, except for the SYSCTLs which belong to VNETs. Note that the implementation has a limitation. It behaves the same way as that of non-vnet loader tunables. That is, after the kernel or modules being initialized, any changes (for example via kenv) to kernel environment variable will not affect the corresponding vnet variable of subsequently created VNETs. To overcome it, TUNABLE_XXX_FETCH can be used to fetch the kernel environment variable into those vnet variables during vnet constructing. 894efae09de4

sound(4): Allocate vchans on-demand. Refactor pcm_chnalloc() and merge with parts of vchan_setnew() (now removed) and dsp_open()’s channel creation into a new dsp_chn_alloc() function. The function is responsible for either using a free HW channel (if vchans are disabled), or allocating a new vchan. hw.snd.vchans_enable (previously hw.snd.maxautovchans) and dev.pcm.X.{play|rec}.vchans now work as tunables to only enable/disable vchans, as opposed to setting their number and/or (de-)allocating vchans. Since these sysctls do not trigger any (de-)allocations anymore, their effect is instantaneous, whereas before it could have frozen the machine (when trying to allocate new vchans) when setting dev.pcm.X.{play|rec}.vchans to a very large value. 960ee8094913. (Sponsored by The FreeBSD Foundation).

LinuxKPI: linux_alloc_pages() now honors __GFP_NORETRY. This is to fix slowdowns with drm-kmod that get worse over time as physical memory become more fragmented (and probably also depending on other factors). 831e6fb0baf6 (Sponsored by The FreeBSD Foundation).

mpi3mr(4) driver version has been updated to 8.14.0.2.0(e6d4b221ba7c).

mpi3mr(4) MPI Header has been updated to Version 36. This aligns with the latest MPI specification. This includes updated structures, field definitions, and constants required for compatibility with updated firmware. (60cf1576501d).

The mpi3mr(4) driver is now in GENERIC (e2b8fb2202c2).

rtw88(4): Merge Realtek’s rtw88 driver based on Linux v6.14 (8ef442451791). (Sponsored by The FreeBSD Foundation).

rtw89(4): Merge Realtek’s rtw89 driver based on Linux v6.14 (b6e8b845aeab). (Sponsored by The FreeBSD Foundation).

iwmbtfw(4): Add support for 9260/9560 bluetooth adaptors (8e62ae9693bd). Required firmware files are already included in to comms/iwmbt-firmware port.

ena(4) driver version has been updated to v2.8.1 (a1685d25601e). (Sponsored by Amazon, Inc.)

ix(4): Add support for 1000BASE-BX SFP modules x550(24491b4acce5).

bnxt(4): Enable NPAR support on BCM57504 10/25GbE NICs. (54f842ed8897).

bnxt(4): Add 5760X (Thor2) PCI IDs support. Add Thor2 PCI IDs. (45e161020c2d).

bnxt(4): Add support for 400G speed modules (32fdad17f060).

ix(4): Add support for 1000BASE-BX SFP modules. Add support for 1Gbit BiDi modules. (c34817d9aef7).

igc(4): Fix attach for I226-K and LMVP devices. The device IDs for these were in the driver’s list of PCI ids to attach to, but igc_set_mac_type() had never been setup to set the correct mac type for these devices. Fix this by adding these IDs to the switch block in order for them to be recognized by the driver instead of returning an error. This fixes the igc(4) attach for the I226-K LOM on the ASRock Z790 PG-ITX/TB4 motherboard, allowing it to be recognized and used. f034ddd2fa38.

Remove old itr sysctl handler from em(4). This implementation had various bugs. The unit conversion/scaling was wrong, and it also did not handle 82574L or igb(4) devices correctly. With the new AIM code, it is expected most users will not need to manually tune this. edf50670e215 (Sponsored by BBOX.io).

Added support for Brainboxes USB-to-Serial adapters in uftdi(4). (47db906375b5)

Define a new -a command line option mountd(8). When a file system was exported with the -alldirs flag, the export succeeded even if the directory path was not a server file system mount point. ead3cd3ef628

Document recent file handle layout changes. ca22082c01a7

Allow to pass {NGROUPS_MAX} + 1 groups in mountd(8). NGROUPS_MAX is just the minimum maximum of the number of allowed supplementary groups. The actual runtime value may be greater. Allow more groups to be specified accordingly (now that, a few commits ago, nmount(2) has been changed similarly). ca9614d8f64a (Sponsored by The FreeBSD Foundation).

Teach ip6addrctl(8) to attach and run itself in a jail. This will make it easier to manage address selection policies of vnet jails, especially for those light weighted OCI containers or slim jails. b709f7b38cc4

Convert PF_DEFAULT_TO_DROP into a vnet loader tunable 'net.pf.default_to_drop' for pf(4). 7f7ef494f11d introduced a compile time option PF_DEFAULT_TO_DROP to make the pf(4) default rule to drop. While this change exposes a vnet loader tunable 'net.pf.default_to_drop' so that users can change the default rule without re-compiling the pf(4) module. 3965be101c43

The LinuxKPI, particularly for 802.11, has been enhanced to support crypto offload and 802.11n and 802.11ac standards. The iwlwifi(4) wireless driver is the first to make use of these new features supporting 802.11ac for some Intel Wi-Fi 5, and all of Intel Wi-Fi 6 and Wi-Fi 7 hardware. (Sponsored by The FreeBSD Foundation)

The rtw88(4) driver was made to work (associate) again and a memory leak got resolved. (Sponsored by The FreeBSD Foundation)

Following other drivers iwlwififw(4) firmware was removed from the base system in favor of the ports based solution and fwget(8) support. (Sponsored by The FreeBSD Foundation)

Several bug fixes and configuration changes collectively allow device hotplug on both x86 and arm64 ("Graviton") EC2 instances. Users upgrading EC2 instances from earlier FreeBSD releases should set hw.pci.intx_reroute=0 and debug.acpi.quirks="56" in /boot/loader.conf.

Refer to graid(8) and zfs(8) instead of gvinum(8) in ccdconfig(8)). (55cb3a33d920).

ps(1): Document change in behavior for -a/-A. Document the practical consequence of change 93a94ce731a8 that specifying -a/-A leads to printing all processes regardless of the presence of other process selection options (except for -x/-X, which command a filter). eed005b57895. (Sponsored by The FreeBSD Foundation).

ps(1): Change in behavior for option -U. 4e4739dd0745 (Sponsored by The FreeBSD Foundation).

ps(1): Change of how current user’s processes are matched. 7219648f60d1. (Sponsored by The FreeBSD Foundation).

ps(1): Match current user’s processes using effective UID. This puts ps(1) of FreeBSD in conformance with POSIX. 1e8dc267ca91. (Sponsored by The FreeBSD Foundation).

mac_do(4): Change of rules syntax; Provide hints and pointers. 0c3357dfa18f. (Sponsored by The FreeBSD Foundation).

firewire(4): Add deprecation notice. This was originally discussed as part of FreeBSD 15 planning, but did not happen in time. Add the deprecation notice now, with an expectation that it will be removed before FreeBSD 16. fc889167c319. (Sponsored by The FreeBSD Foundation).

The ethernet switch controllers, mtkswitch(4), ip17x(4), ar40xx(4), and e6000sw(4) have gained initial manual pages.

mount(8) has gained an example for remounting all filesystems read/write in single-user mode.

Manual pages for the lua loader(8) modules have had their desctiptions reworded to optimize apropos(1) results.

The manual pages style guide, style.mdoc(5), has gained a section for listing supported hardware. When listed this way, the supported hardware will be listed in the supported hardware notes. Many manuals have had this section added or reworded in this release.

Much work has gone into adding sysctl(8)s and environment variables to the manual. Try searching for them with apropos Va=here.is.the.sysctl or apropos Ev=here_is_the_environment_variable.

The intro(5) to the File Formats manual has been revised, incorporating improvements from OpenBSD.