- OpenBSD 7.3 RELEASED -------------------------------------------------

April 10, 2023.

We are pleased to announce the official release of OpenBSD 7.3.
This is our 54th release.  We remain proud of OpenBSD's record of more
than twenty years with only two remote holes in the default install.

As in our previous releases, 7.3 provides significant improvements,
including new features, in nearly all areas of the system:

 - Various kernel improvements:
    o Added waitid(2), wait for process state change.
    o Added pinsyscall(2), specify the call stub for a specific system
    o Added getthrname(2) and setthrname(2), get or set thread name.
    o Added WTRAPPED option for waitid(2) to control whether CLD_TRAPPED
      state changes, i.e., ptrace(2) on a process, are reported.
    o Introduced clockintr(9), a machine-independent clock interrupt
      scheduler. Switched all architectures to use this new kernel
    o Added a priority queue to clockintr(9).
    o Introduced a new kern.autoconf_serial sysctl(8) that can be used
      by userland to monitor state changes of the kernel device tree.
    o Fixed pmap(9) bugs involving entering an executable mapping for a
      page before synchronizing the data and instruction cache on arm64
      and riscv64.
    o Removed copystr(9) from public API.
    o Add getnsecruntime(9) to the kernel timecounting API. Together
      with getbinruntime(), it provides a fast, monotonic clock that
      only advances while the system is not suspended.
    o Add detection for Spectre-BHB Branch History Injection
      vulnerability related CLRBHB, ECBHB and CSV2_3/HCXT feature bits.
    o Prevent detaching ("bioctl -d detach") of a boot volume on a RAID
      managed by bioctl(8).
    o On arm64, avoid using 1GB mappings for the identity map in the
      early kernel bootstrap phase and when booting the secondary CPUs.
      This avoids accidentally mapping memory regions that should not be
      mapped (i.e. secure memory) as all mapped memory can be accessed
    o Added arm64 detection of EPAN feature bit. Enhanced Privileged
      Access Never (EPAN) allows Privileged Access Never to be used with
      Execute-only mappings.
    o On arm64, add a machdep.lidaction sysctl(8) for aplsmc(4) Apple
      Silicon laptops.
      The arm64 default for the machdep.lidaction is 1, making the
      system suspend when the lid is closed. aplsmc(4) provides support
      for the lid position sensor.
    o Changed arm64 suspend idle loop from WFE to WFI, avoiding spurious
      wakeups while other CPUs are still active.
    o Added new dt(4) tracing ioctl DTIOCARGS to get the type of probe

 - SMP Improvements
    o Unlocked mmap(2), munmap(2), and mprotect(2).
    o Unlocked sched_yield(2).
    o Added support for per-cpu event counters, to be used for clock and
      IPI counters where the event counted occurs across all CPUs in the
    o Moved pf(4) purge tasks out from under the kernel lock.
    o Protected interface tables in pf(4) with PF_LOCK(), allowing
      removal of NET_LOCK() protection from the ioctl(2) code path in
    o Unlocked getsockopt(2) and setsockopt(2).
    o Completed removing kernel lock from IPv6 read ioctls.
    o Unlocked minherit(2).
    o Made tun(4) and tap(4) event filters MP-safe.
    o Unlocked utrace(2).
    o Stopped holding the vm_map lock while flushing pages in msync(2)
      and madvise(2). Prevents a 3-thread deadlock between msync(2),
      page-fault and mmap(2).
    o Unlocked select(2), pselect(2), poll(2), and ppoll(2).

 - Direct Rendering Manager and graphics drivers
    o Updated drm(4) to Linux 6.1.15
    o amdgpu(4): Added support for Ryzen 7000 "Raphael", Ryzen 7020
      series "Mendocino", Ryzen 7045 series "Dragon Range", Radeon RX
      7900 XT/XTX "Navi 31", Radeon RX 7600M (XT), 7700S, and 7600S
      "Navi 33."
    o Fixed frame buffer corruption and additional bugs after wakeup on
      Apple Silicon laptops and the Lenovo x13s.
    o Added support for the backlight connector property to amdgpu(4) as
      in inteldrm(4), making xbacklight(1) work when using the Xorg
      modesetting driver.

 - VMM/VMD improvements
    o Updated vmm(4) to allow guests to read MSR_HWCR and MSR_PSTATEDEF,
      which is necessary to determine the TSC frequency on AMD families
      17h and 19h.
    o Allocated reference for vm and vcpu SLISTs in vmm(4), keeping vmm
      from triggering excessive wakeup calls while iterating through the
      list of vms while servicing an ioctl(2).
    o Set vmm(4) RAX guest register state based on VMCB.
    o Removed locking in vmm(4) vmm_intr_pending, reducing slowdowns due
      to requests for a lock held while the VM is running.
    o Increased speed of delivery of interrupts to a running vcpu in
    o Made vmm(4) treat vcpu lists as immutable, removing the need to
      reference count individual vcpu objects and use a rwlock.
    o Implemented zero-copy operations on virtqueues in vmd(8).
    o Provided a detailed e820 memory map when booting vmd(8) guests
      with SeaBIOS. When a vm initializes memory ranges, we now track
      what each range represents. This information can be used to supply
      the e820 memory map to SeaBIOS via the fw_cfg interface allowing
      it to properly communicate memory ranges to a guest operating
      system. With this, special cases in ports can be removed.
    o Added thread names to vm processes in vmd(8), visible in ps(1).
    o Hid the WAITPKG cpu feature from vmm(4) guests, preventing invalid
      instruction exceptions. Also added WAITPKG feature identification
      to i386 and amd64.
    o Changed vmd(8) to only open /dev/vmm once, having the parent
      process send the fd to the vmm child process.
    o Restricted vmm(4) exposed cpuid extended feature flags.
    o Adjusted vmd(8) error paths to avoid removal of
      configuration-defined (known) VMs on error.
    o Stopped being paranoid about hypervisor correct PKU handling.
      Added saving and restoring guest PKRU to vmm(4). Expose the PKU
      cpuid bit to the guest if in use on the host.
    o Made vmd(8) scan the PCI bus to determine bootorder strings.

 - Various new userland features:
    o Added kdump(1) argument support for msyscall, pledge, unveil,
      __realpath, ypconnect and __tmpfd.
    o Added mimmutable(2) and munmap(2) reporting to kdump(1).
    o Added lastcomm(1) reporting for process kills due to execve(2)
      from non-pinned syscall address.

 - Various bugfixes and tweaks in userland:
    o Allow TZ to contain absolute paths starting with
      /usr/share/zoneinfo. All absolute paths were ignored in 7.2 to
      avoid unveil(2) violations.
    o Made ldomctl(8) accept more descriptive name-based paths in
      addition to number-based paths in ldom.conf(5).
    o Dropped support for $rc_exec in rc.subr(8). The rc_exec function
      should be used instead.
    o Excluded /tmp/*.shm files from /tmp cleaning in daily(8). Removing
      them interferes with programs that use shared memory via
    o Added zap-to-char and zap-up-to-char to mg(1). Bound zap-to-char
      to M-z.
    o Fixed handling of escaped backslashes in vi(1) ex_range.
    o Added support to gunzip(1) for zip files that contain a single
    o Fixed ed(1) to print bytes read/written and the ? prompt to
      stdout, not stderr.
    o Modified the vmstat view in systat(1) to measure elapsed time
      using clock_gettime(2).
    o Implemented periodic display in iostat(8).
    o Corrected top(1) display of online CPUs which can change based on
      the sysctl(2) sysctl setting.
    o Added support for a personal units(1) library by passing -f
      multiple times.
    o Changed df(1) to round up fractional percentages.
    o Fixed unbounded variable expansion in pkg-config(1).
    o Switched to use llvm-strip(1) on architectures that use ld.lld(1).
    o Made rc(8) reorder libraries in parallel to netstart(8), as this
      does not depend on network access.
    o Made rc(8) print the name of each library before relinking as a
      signal to the operator that boot has not stalled.
    o Added the audioctl(8) -w option to display variables periodically.
    o Added short options for timeout(1) --foreground and
      Added signal as a full argument name for timeout(1) -s.
    o Fixed .wav files generated by aucat(1) by using extended header
    o In disklabel(8), use the size of the largest chunk of free space,
      not the total of all such chunks, when checking for sufficient
      space to add a partition.
    o Extended disklabel(8) template parsing to allow "[mount point] *"
      as the specification for putting the maximum available free space
      into a partition. Extended command line parsing to allow "T-" as
      the specification to read the template from stdin.
    o Repaired disklabel(8) to check for D_VENDOR flag in d_flags, not
    o Removed remnants of DEC standard 144 bad sector code from
      disklabel(8) and disktab(5).
    o Removed last references to d_drivedata field from disklabel(8)
    o Enhanced disklabel(8) auto allocation to use all possible free
    o Enhanced disklabel(8) to ensure valid partition offsets and sizes
      after rounding.
    o Enhanced disklabel(8) simple editor to allow '*' when the action
      is 'delete'.
    o Removed disklabel(8) code related to defunct disk types 'hd' and
    o Repaired fdisk(8) to set the correct 'bootable' bit in GPT
    o Repaired fdisk(8) to use GPT_UUID_NBSD_UFS for NetBSD GPT
      partition entries.
    o Added UEFI defined GPT partition type GPT_UUID_LEGACY_MBR to the
      partition types fdisk(8) recognizes.
    o Enhanced fdisk(8) to avoid spurious warnings when editing unused
      GPT partition.
    o Fixed cdio(1) error displays and plugged a leak in the error path.
    o Removed pointless :ob#0:pb#0:[tb=swap:] and :pb#N:ob#0: lines from
      various disktab(5) entries.

 - Improved hardware support and driver bugfixes, including:
    o Suspend/Resume improvements
       - Extended arm64 suspend/resume to include support for parking
         CPUs in a WFE/WFI loop.
       - Put CPUs in the lowest P-state before the final suspend step,
         needed for systems where we park CPUs in a low-power idle
         state ourselves.
    o system-on-chip devices
       - Added support for the Rockchip RK3566/RK3568 SoCs.
       - Added support for the Rockchip RK3568 processor.
       - Added support for the RK3568 PCIe controller to dwpcie(4).
       - Added qcdwusb(4), a driver controlling the interface logic
         for the Synopsys DesignWare USB 3.0 controller found on
         various Qualcomm Snapdragon SoCs.
       - Added support for the PCIe controller on the Qualcomm
         SC8280XP to dwpcie(4).
       - Added qcpmicgpio(4), a driver for the GPIO block inside the
         Qualcomm PMICs.
       - Added qcpmic(4), a driver for the SPMI-connected PMICs found
         on Qualcomm SoCs.
       - Added qcspmi(4), a driver for the SPMI PMIC Arbiter found on
         Qualcomm SoCs.
       - Added qcpdc(4), a driver for the Qualcomm Power Domain
         controller found on Qualcomm SoCs.
       - Added qcpwm(4), a driver for the PWM found on Qualcomm SoCs.
       - Added qcpon(4), a driver for the Qualcomm PMIC block that
         hosts the powerkey and reset input.
       - In rkgpio(4), handled different register layouts in modern
         Rockchip SoCs as seen in the RK356x and RK3588.
       - Added support for RK356x TSADC clocks to rkclock(4).
       - Added GMAC-related RK356x clocks to rkclock(4).
       - Added RK3588 support to rkclock(4) and rkpinctrl(4).
       - Added mvortc(4), a driver for the RTC on the ARMADA 38x
       - Added mvodog(4), a driver for the watchdog on the ARMADA 38x
       - Implemented rkpinctrl(4) support for explicit routing to use
         alternative pin muxings.
       - Added ytphy(4), a driver for the MotorComm YT8511 PHY.
       - Made rktemp(4) work on RK356x with U-Boot.
       - Added initialization code for RK356x in dwpcie(4) to prevent
         kernel hangs.
       - Implemented setting the parent clock for RK356x in
       - Added dwpcie(4) code to bring up the PCIe controller on the
       - Added rkpciephy(4), a driver for the PCIe 3.0 PHY found on
         the RK356x.
       - Added rkcomphy(4), a driver for the "naneng" combo PHY found
         on the RK356x (and RK3588). Only PCIe, SATA and USB3 support
         are implemented.
    o Improved support for Apple arm64 hardware
       - Made aplhidev(4) recognize M1 laptops with touchbars and
         translated Fn+(1-10,-,=) keys to F1-F12 on these systems.
       - Added suspend/resume support to aplns(4).
       - Implemented wakeup interrupt support in aplintc(4).
       - Added suspend/resume support to control the power domain to
       - Made the power button function as a wakeup button during
         suspend in aplsmc(4).
       - Added aplpwm(4), a driver for the PWM controller found on
         Apple Silicon.
       - Improve Apple support by increasing the apliic(4) transfer
         completion timeout to 100ms to accommodate USB Type-C PD
       - Added tipd(4), a driver fixing USB hotplug of type-C
         connectors on Apple Silicon hardware.
       - Improved aplpmu(4) range check to protect against overflow.
       - Added aplefuse(4), a driver for the eFuses on Apple Silicon
       - Enabled aplpcie(4) power management for PCI devices.
       - Disable the screen backlight with aplsmc(4) on Apple Silicon
         laptops when the lid is closed.
    o X13s support
       - Worked around incomplete ACPI tables on the Lenovo x13s by
         loading the alternate device tree binaries from disk.
       - Set console output to the framebuffer on Lenovo x13s
       - Made the USB ports work after a suspend/resume cycle on the
    o Improved audio devices
       - Made aplaudio(4) calculate the bit clock based on numbers of
         channels, bytes/sample and sample rate.
       - Set sncodec(4) and tascodec(4) default volume to -30dB
         instead of the hardware default of 0dB (maximum).
       - Added sncodec(4), a driver for the TI SNO12776/TAS2764
         digital amplifier.
    o Other changes
       - Added support for the Wacom One M CTL-672 tablet to
       - Hooked up the same USB device drivers on riscv64 as done in
         the arm64 architecture kernel.
         Enabled access to usb(4), ugen(4), ulpt(4), ucom(4) and
       - Added uftdi(4) support for FTDI FT232R.
       - Added uhidpp(4) support for Bolt receivers and the Unified
         Battery feature often found on newer Logitech HID++ hardware.
       - Converted more RTC drivers to use todr_attach(). Quality of
         the RTC is set such that "discrete" RTC chips are preferred
         over RTCs integrated on a SoC.
       - Added support for the DS1339 RTC as found on the PiJuice.
       - Added qcrtc(4), a driver for the RTC found on Qualcomm PMICs.
       - Improved qcrtc(4) RTC reliability.
       - Added cursor back tab support to wscons(4) VT100 emulation.
         Added aixterm bright color sequences (SGR 90-97 and 100-107).
       - Added missing wscons(4) bounds checks when processing
         terminal escape sequences.
       - Replaced broken UTF-8 logic in wscons(4) with a better one
         borrowed from Citrus.
       - Introduced pijuice(4), an apm/sensor driver for the PiJuice
         HAT UPS.
       - Added pwmleds(4), a driver for PWM controlled LEDs.
       - Implemented dwpcie(4) support for the (optional) MSI
         controller of the Synopsys DesignWare PCIe host bridge.
       - Added icc(4) driver for I2C Consumer Control devices.
       - Prevented a possible crash when a ugen(4) device is detached.
       - Implemented wakeup interrupt handling in agintc(4).
       - Enabled pcagpio(4) and pcamux(4), making the SFP port on the
         ClearFog Base (CN9130) work.
       - Adopted a workaround for a bug in the ARM generic timer on
         the A64, disabling userland timecounter support on affected
         hardware pending a similar libc workaround.
       - Made amd64 cpuid recognize protection keys for Protection Key
         Supervisor (PKS).
       - Implemented access to EFI variables ESRT through an ioctl(2)
         interface compatible with what FreeBSD and NetBSD have.
         Created /dev/efi on amd64 and arm64.
       - Added dwge(4) support for "enhanced descriptor" mode found on
         some variants of the Synopsys DesignWare GMAC.
       - Removed the elansc(4) driver for AMD Elan SC520 System
       - Made ppb(4) bus range available after detaching, fixing
         unplugging and replugging thunderbolt devices that were
         plugged in when the machine was booted.
       - Reworked the arm64 architecture cpu_init_secondary() function
         to allow use for both initial powerup and wakeup from deeper
         sleep states.
       - Added ufshci(4), a driver for Universal Flash Storage (UFS)
         Host Controllers.
       - Added scmi(4), a driver for the ARM System Control and
         Management Interface.
       - Added support for the Shenzhen Tangcheng Technology TCS4525
         voltage regulator to fanpwr(4).
       - Added psci(4) (ARM Power State Coordination Interface)
         support for available deep idle states as advertised in
         device trees.
       - Added eephy(4), found on the Turris Omnia WAN port, to armv7.
       - Added polling to tipmic(4) driver when starting from a cold
         boot, fixing a hang on boot.
       - Added a workaround for Intel Braswell/Cherry Trail mwait
       - Added the Armada 380 temperature sensor to mvtemp(4) and
         enabled the driver on armv7.

 - New or improved network hardware support:
    o Enabled em(4) IPv4, TCP and UDP checksum offloading and hardware
      VLAN tagging on devices with 82575, 82576, i350 and i210 chipsets.
    o Improved mcx(4) performance by using interrupt-based command
    o Fixed a panic seen with rge(4) RTL8125 with MCLGETL.
    o Add dwqe(4), a driver for the Synopsys DesignWare Ethernet QoS
      controller used on the NXP i.MX8MP, the Rockchip RK35xx series and
      Intel Elkhart Lake.
    o Worked around an issue on the StarFive JH7100 SoC to make dwge(4)
      Ethernet work reliably on the StarFive VisionFive 1 board.
    o In mvneta(4), passed MII flags depending on the phy mode specified
      in the device tree, making the WAN port work on the Turris Omnia.

 - Added or improved wireless network drivers:
    o Bumped tsleep timeout for bwfm(4) PCI devices to help prevent
      failures loading firmware, particularly on Apple M2 laptops.
    o Implemented alternative mailbox handling mechanism required by
      newer bwfm(4) firmware.
    o Fixed bwfm(4) issues with suspend/resume and possible firmware
      crashes on the M2 MacBook Air.
    o Prevented an iwx(4) firmware error when authentication to the AP
      times out.
    o Fixed a crash in iwx(4) when connecting to WEP networks via
      ifconfig(8) join.
    o Fixed an alignment issue in iwx(4) Rx descriptors.
    o Avoided trying to remove keys while doing crypto in hardware if
      the station is not active in iwx(4) firmware, fixing a firmware
    o Prevented potential panics by disallowing the iwx(4) init task
      from running in parallel to wakeup code during resume.
    o Switched all iwx(4) devices to -77 firmware images.
    o Upgraded firmware images for iwm(4) 9260 and 9560 devices.
    o Made iwx(4) get the primary channel number from AP beacon info,
      preventing problems on 40/80MHz channels if there is a mismatch.
    o Fixed iwx(4) session protection event duration.

 - IEEE 802.11 wireless stack improvements and bugfixes:
    o Made net80211 drop beacons received on secondary HT/VHT channels,
      preventing iwm(4) firmware panics and making association work with
      11ac APs which transmit beacons on channels other than their
    o Made WEP encryption work on bwfm(4).

 - Installer, upgrade and bootloader improvements:
    o Made installer answers ! and (S)hell drop into a ksh(1)
      environment rather than the more limited sh(1).
    o Added support for configuring interfaces by lladdr (MAC).
    o Made the installer skip interface configuration questions when no
      interfaces are available.
    o Fixed resizing partitions on an auto-allocated disk that had a
      boot partition.
    o Stopped the installer from asking to initialize disks that have
      softraid(4) chunks.
    o Made efiboot fdt support device trees with NOPs in them (like the
      kernel version).
    o Improved the default choice for the installer's install media disk
      question to show the first disk that (a) is not the root disk and
      (b) is not a disk with softraid chunks (hosting the root disk, for
    o Stopped offering WEP in the installer if not supported.
    o Fixed lock file error on installer exit/abort.
    o Made installboot(8) -p support softraid(4).
    o Made installboot(8) silently skip softraid(4) keydisks.
    o Fixed passing explicit stages files to installboot(8).
    o Added mount_nfs(8) to the sparc64 installer, to fetch sets over
    o Copy the apple-boot firmware to EFI system partition, enabling
      automatic bootloader updates on Apple Silicon computers.
    o Made the installer stop printing MD post installation instructions
      on upgrades.
    o Made it possible to set keyboard layout(s) in arm64's installer.
    o Added initial support in the installer for guided disk encryption
      for amd64, i386, riscv64 and sparc64.
    o Added passing of boot device information from the bootloader to
      the kernel on luna88k.
    o Switched luna88k boot loader to MI boot code.
    o Made the luna88k bootloader display a puffy boot logo.
    o Made ls(1) work correctly in the luna88k bootloader.
    o Made time(1) work correctly in the luna88k bootloader.
    o Removed dangerous user-settable "addr" variable from MI
      bootloader, only compiling tty-related code on platforms where it
      makes sense for the bootloader to control it.
    o Added "machine poweroff" command on luna88k bootloader.
    o Switched alpha to machine-independent boot blocks.
    o Switched all architectures' ramdisks (except alpha's and
      luna88k's) to use installboot(8) -p.
    o Fixed ofwboot OpenFirmware map call to unbreak boot on some
    o Reduced ofwboot.net size after libz update to unbreak netboot on
      some machines.
    o Made riscv64 bootloader support boot from RAID 1C softraid
    o Made installboot(8) support softraid(4) on riscv64.
    o Stopped creating defunct Vax (ra, rx), HP-300 (hd) and Sparc (xy,
      xd) devices in /dev.

 - Security improvements:
    o Permissions (RWX, MAP_STACK, etc.) on address space regions can be
      made immutable, so that mmap(2), mprotect(2) or munmap(2) fail
      with EPERM. Most of the program static address space is now
      automatically immutable (main program, ld.so, main stack,
      load-time shared libraries, and dlopen()'d libraries mapped
      without RTLD_NODELETE). Programmers can request non-immutable
      static data using the "openbsd.mutable" section, or manually bring
      immutability to (page aligned heap objects) using mimmutable(2).
      The main internal data of malloc(3) is marked immutable.
    o Some architectures now have non-readable code ("xonly"), both from
      the perspective of userland reading its own memory, and the kernel
      trying to read memory in a system call. Many sloppy practices in
      userland code had to be repaired to allow this. The linker
      (ld.lld(1)) option --execute-only is enabled by default. In order
      of development: arm64, riscv64, hppa, amd64, powerpc64, powerpc
      (G5 only), octeon, and sparc64 (sun4u only; unfinished).
    o On all architectures which lack hardware-enforcement of xonly,
      system calls are now prevented from reading (via
      copyin(9)/copyinstr(9)) inside the program's main text, ld.so text,
      sigtramp text, or libc.so text.
    o These can still benefit from switching to --execute-only binaries
      if the cpu generates different traps for instruction-fetch versus
      data-fetch. The VM system will not allow memory to be read before
      it was executed which is valuable together with library relinking.
      Architectures switched over include loongson.
    o ld.so(1) and crt0 register the location of the execve(2) stub with
      the kernel using pinsyscall(2), after which the kernel only
      accepts an execve call from that specific location.
    o Added execve(2) violations of pinsyscall(2) policy to the daily
      mail, available by setting rc.conf.local(5) accounting=YES.
    o Added retguard (consistency-check the return address on the stack)
      to amd64 syscalls.
    o sshd random relinking at boot: Randomly relink and install
      sshd(8), resulting in a sshd binary with unknown address layout
      after every reboot.
    o Add another mitigation against classic BROP on systems without
      execute-only mmu hardware-enforcement. A range-checking wrapper in
      front of copyin(9) and copyinstr(9) ensures the userland source
      address doesn't overlap the main program text and other text
      segments, thereby making these address ranges unreadable to the
      kernel. No programs have been discovered which require reading
      their own text segments with a system call.
    o On arm64, introduce mitigation of the Spectre-BHB (Branch History
      Injection) CPU vulnerability by using core-specific trampoline
    o Enabled the arm64 Data Independent Timing (DIT) feature in both
      the kernel and userland on CPUs that support it to mitigate timing
      side-channel attacks.
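
A userland model of the range-checking wrapper in front of copyin(9)
and copyinstr(9) described in the BROP item above, added here as an
example; it is not OpenBSD kernel code. The struct and function names,
the simulated address layout and the EFAULT return value are
assumptions of this sketch.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TEXT 4

/* Half-open range [start, end) of simulated user addresses. */
struct range { uintptr_t start, end; };

/* Hypothetical per-process state for this model: a simulated address
 * space and the text ranges (program, ld.so, sigtramp, libc.so). */
struct proc_model {
	const unsigned char *mem;	/* bytes backing [base, base + size) */
	uintptr_t base;
	size_t size;
	struct range text[MAX_TEXT];
	size_t ntext;
};

/* 1 if [addr, addr + len) is not fully inside the simulated space. */
static int outside_space(const struct proc_model *p, uintptr_t addr,
    size_t len)
{
	if (addr < p->base || addr - p->base > p->size)
		return 1;
	return len > p->size - (addr - p->base);
}

/* 1 if [addr, addr + len) intersects any protected text range. */
int overlaps_text(const struct proc_model *p, uintptr_t addr, size_t len)
{
	size_t i;

	if (len == 0)
		return 0;
	if (addr > UINTPTR_MAX - len)	/* addr + len wraps: refuse */
		return 1;
	for (i = 0; i < p->ntext; i++)
		if (addr < p->text[i].end && p->text[i].start < addr + len)
			return 1;
	return 0;
}

/* Checked copyin: the source range is validated before any byte is read. */
int model_copyin(const struct proc_model *p, uintptr_t uaddr, void *kaddr,
    size_t len)
{
	if (overlaps_text(p, uaddr, len) || outside_space(p, uaddr, len))
		return EFAULT;		/* assumed error value */
	memcpy(kaddr, p->mem + (uaddr - p->base), len);
	return 0;
}

/* Checked copyinstr: the length is unknown, so every byte is checked. */
int model_copyinstr(const struct proc_model *p, uintptr_t uaddr,
    char *kaddr, size_t maxlen, size_t *done)
{
	size_t i;

	for (i = 0; i < maxlen; i++) {
		if (uaddr > UINTPTR_MAX - i ||
		    overlaps_text(p, uaddr + i, 1) ||
		    outside_space(p, uaddr + i, 1))
			return EFAULT;
		kaddr[i] = (char)p->mem[uaddr + i - p->base];
		if (kaddr[i] == '\0') {
			*done = i + 1;
			return 0;
		}
	}
	return ENAMETOOLONG;
}

/* Constructed layout: data 0x1000, text 0x2000-0x2fff, data 0x3000. */
static unsigned char sample_mem[0x3000];

struct proc_model sample_proc(void)
{
	struct proc_model p = { sample_mem, 0x1000, sizeof(sample_mem),
	    { { 0x2000, 0x3000 } }, 1 };

	memset(sample_mem, 0x90, sizeof(sample_mem));
	memcpy(sample_mem + 0x100, "hello", 6);		/* at 0x1100 */
	memcpy(sample_mem + 0xff8, "UNTERMIN", 8);	/* ends at 0x1fff */
	return p;
}

int main(void)
{
	struct proc_model p = sample_proc();
	char buf[64];
	size_t n = 0;
	printf("data string:    %d\n",
	    model_copyinstr(&p, 0x1100, buf, sizeof(buf), &n));
	printf("text read:      %d\n", model_copyin(&p, 0x2000, buf, 16));
	printf("runs into text: %d\n",
	    model_copyinstr(&p, 0x1ff8, buf, sizeof(buf), &n));
	return 0;
}
```

The unterminated string at 0x1ff8 is the case a single up-front length
check would miss: the copy starts in data and only reaches the text
range while scanning for the NUL.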

 - Changes in the network stack:
    o Made /dev/pf a clonable device to better track kernel resources
      used by processes.
    o Modified TCP receive buffer size auto-scaling to use the smoothed
      RTT (SRTT) instead of the timestamp option, which improves
      performance on high latency networks if the timestamp option isn't
    o Relaxed the requirement for multicast support of interfaces for
      configuring IPv6. This allows non-multicast interfaces such as
      point-to-point interfaces and the NBMA / point-to-multipoint
      interfaces like mpe(4), mgre(4) and wg(4) to work with IPv6.
    o Use the new getnsecruntime(9) timer to check the TCP_KEEPALIVE
      timer only against the system runtime, not the uptime. Prevents
      TCP connections from failing after waking up from suspend.
    o Used stoeplitz (symmetric Toeplitz hash algorithm) to generate a
      hash/flowid for pf(4) state keys. With this change, pf will hash
      traffic the same way that hardware using a stoeplitz key will hash
      incoming traffic on rings. stoeplitz is also used by the TCP stack
      to generate a flow id, which is used to pick which transmit ring
      is used on nics with multiple queues, too. Using the same
      algorithm throughout the stack encourages affinity of packets to
      rings and softnet threads the whole way through.
    o Prevented possible kernel crashes by dropping TCP packets with
      destination port 0 in pf(4) and the stack.
    o Fixed an endian swap bug causing problems with vlan(4) on em(4)
      sparc64 systems.
    o Denied "pipex no" tunnel setting for pppx(4) interfaces.
    o Fixed pfsync(4) crashing on pf_state_key removal.
    o Fixed a panic in pfsync(4) when there is no data ready for bulk
    o Turned off TCP Segmentation Offload (TSO) if interface is added to
      layer 2 devices.
    o Improved vnet(4) to work better in busy conditions.
    o Added a bpf(4) timeout (BIOCSWTIMEOUT) between capturing a packet
      and making the buffer readable, preventing, for example, pflogd(8)
      waking every half second even if there is nothing to read. By
      default this buffer is infinite and must be filled to become
    o Avoided enabling TSO on interfaces which are already attached to a

 - Routing daemons and other userland network improvements:
    o IPsec support was improved:
       - Added iked(8) support for configuring multiple name servers.
       - Synced proc.c from vmd(8) to iked(8) to enable fork + exec
         for all processes. This gives each process a fresh and unique
         address space to further improve randomization of ASLR and
         stack protector.
    o In bgpd(8), bgpctl(8) and bgplgd(8):
       - Improved performance by optimising the output filters.
       - Add Autonomous System Provider Authorization (ASPA)
         validation based on draft-ietf-sidrops-aspa-verification-12
       - Introduce avs (ASPA validation state) filter and bgpctl
         filter argument.
       - Add ASPA support for the RTR protocol based on
       - Improve open policy (RFC 9234) support and enable the
         capability automatically if a role is specified for the peer.
       - Introduce a per-neighbor 'role' configuration option to
         specify the session role used by ASPA verification and the
         open policy capability. The 'announce policy' statement was
         simplified at the same time.
       - Improve startup behaviour by introducing a small delay before
         opening the connection to a new peer.
       - Support for aspa-set table config which can be provided by
       - Make it possible to filter the RIB by invalid and leaked
         prefixes in bgpctl and bgplgd.
       - Add OpenMetrics output to bgpctl for various BGP statistics
         and add /metrics endpoint to bgplgd.
       - Fix of incorrect length checks that allowed an out-of-bounds
         read in bgpd.
    o rpki-client(8) saw some changes:
       - Add a new '-H' command line option to create a shortlist of
         repositories to synchronize to. For example, when invoking
         "rpki-client -H rpki.ripe.net -H chloe.sobornost.net", the
         utility will not connect to any hosts other than the
         two specified through the -H option.
       - Add support for validating Geofeed (RFC 9092) authenticators.
         To see an example download https://sobornost.net/geofeed.csv
         and run "rpki-client -f geofeed.csv"
       - Add support for validating Trust Anchor Key (TAK) objects.
         TAK objects can be used to produce new Trust Anchor Locators
         (TALs) signed by and verified against the previous Trust
         Anchor. See draft-ietf-sidrops-signed-tal for the full
       - Log lines related to RRDP/HTTPS connection problems now
         include the IP address of the problematic endpoint (in
       - Improve the error message when an invalid filename is
         encountered in the rpkiManifest field in the Subject Access
         Information (SIA) extension.
       - Emit a warning when unexpected X.509 extensions are
       - Restrict the ROA ipAddrBlocks field to only allow two
         ROAIPAddressFamily structures (one per address family). See
       - Check the absence of the Path Length constraint in the Basic
         Constraints extension.
       - Restrict the SIA extension to only allow the signedObject and
         rpkiNotify accessMethods.
       - Check that the Signed Object access method is present in ROA,
         MFT, ASPA, TAK, and GBR End-Entity certificates.
       - In addition to the 'rsync://' scheme, also permit other
         schemes (such as 'https://') in the SIA signedObject access
       - Check that the KeyUsage extension is set to nothing but
         digitalSignature on End-Entity certificates.
       - Check that the KeyUsage extension is set to nothing but
         keyCertSign and CRLSign on CA certificates.
       - Check that the ExtendedKeyUsage extension is absent on CA
       - Fix a bug in the handling of the port of http_proxy.
       - The '-r' command line option has been deprecated.
       - Filemode (-f) output is now presented as a text based table.
       - The 'expires' key in the JSON/CSV/OpenBGPD output formats is
         now calculated with more accuracy. The calculation takes into
         account the nextUpdate value of all intermediate CRLs in the
         signature path towards the trust anchor, in addition to the
         expiry moment of the leaf-CRL and CAs.
       - Handling of CRLs and Manifests in the face of inconsistent
         RRDP delta publications has been improved. A copy of an
         alternative version of the applicable CRL is kept in the
         staging area of the cache directory, in order to increase the
         potential for establishing a complete publication point, in
         cases where a single publication point update was smeared
         across multiple RRDP delta files.
       - The OpenBGPD configuration output now includes validated
         Autonomous System Provider Authorization (ASPA) payloads as
         an 'aspa-set {}' configuration block.
       - When rpki-client is invoked with increased verbosity ('-v'),
         the current RRDP Serial and Session ID are shown to aid
       - Self-signed X.509 certificates (such as Trust Anchor
         certificates) now are considered invalid if they contain an
         X.509 AuthorityInfoAccess extension.
       - Signed Objects where the CMS signing-time attribute contains
         a timestamp later than the X.509 certificate's notAfter
         timestamp are considered invalid.
       - Manifests where the CMS signing-time attribute contains a
         timestamp later than the Manifest eContent nextUpdate
         timestamp are considered invalid.
       - Any objects whose CRL Distribution Points extension contains
         a CRLIssuer, CRL Reasons, or nameRelativeToCRLIssuer field
         are considered invalid in accordance with RFC 6487 section
       - For every X.509 certificate the SHA-1 of the Subject Public
         Key is calculated and compared to the Subject Key Identifier
         (SKI). If a mismatch is found the certificate is not trusted.
       - Require the outside-TBS signature OID for every X.509
         intermediate CA certificate and CRL to be
       - Require the RSA key pair modulus and public exponent
         parameters to strictly conform to the RFC 7935 profile.
       - Ensure there is no trailing garbage present in Signed Objects
         beyond the self-embedded length field.
       - Require RRDP Session IDs to strictly be version 4 UUIDs.
       - When decoding and validating an individual RPKI file using
         filemode (rpki-client -f file), display the signature path
         towards the trust anchor and the timestamp when the signature
         path will expire.
       - When decoding and validating an individual RPKI file using
         filemode (rpki-client -f file), display the optional CMS
         signing-time, non-optional X.509 notBefore timestamp and
         non-optional X.509 notAfter timestamp.
    o Updated zlib to 1.2.13.
    o Fixed a long-standing bug in a libreadline header that broke the
      interactive Python command line interface.
    o Switched tftpd(8) to default to read-only unless -w is specified
      for write access (the previous default).
    o Stopped printing the prompt for non-interactive usage of tftp(1).
    o Changed rarpd(8) to only unveil /tftpboot if -t is specified.
    o Added client certificate authentication and an optional SASL
      EXTERNAL bind to ypldap(8).
    o Adjusted IPv6 address width to align the display columns better in
      the output of ndp(8), route(8) and netstat(1) as already available
      in systat(1)'s netstat.
    o Used stravis(3) to sanitize redirect URIs from ftp(1) fetch before
    o Prevent an unwind(8) crash when a TCP query is larger than the
      length field indicated.
    o Preserve the original order of nameservers as configured via
      resolv.conf(5) in resolvd(8).
    o Restrict the characters allowed in the hostname argument of
      getaddrinfo(3) to the set [A-z0-9-_.]. Additionally, two
      consecutive dots ('.') are not allowed, nor can the string start
      with '-' or '.'. This removes characters like '$', '`', '\n' or
      '*' that can traverse the DNS without problems but have special
      meaning elsewhere, for example in a shell.
    o Fixed a number of out of bounds reads in DNS response parsing of
      the async DNS resolver in libc.
    o Added ifconfig(8) -M (mac) to find the MAC address on an interface
      and print it.
    o Added support for configuring interfaces by lladdr to support
      interface configurations bound to a specific hardware device. The
      "if" part of the hostname.if(5) configuration file can now be a
      MAC address.
    o Limited display of wireguard peers by ifconfig(8) to when either a
      wireguard interface is specified or the flag "-A" is used.
    o Implemented the RFC 8781 PREF64 router advertisement option in
      rad(8) which is used to communicate NAT64 prefixes to hosts.
    o Moved the documentation of flag mappings displayed by "route show"
      from the netstat(1) manpage to route(8).
    o Improvements in nc(1):
       - Stop claiming connection success in UDP mode unless true.
       - Do not test the connection in non-interactive mode. The test
         writes characters to the socket which can corrupt data that
         is possibly piped into nc.
       - Some refactoring and code cleanup.
    o Improvements in acme-client(1):
       - Added support for newlines inside the alternative names block
         in acme-client.conf(5).
       - Use proper data structures for retrieving subject alternative
         names in certificates rather than printing them to a buffer
         and tokenizing and parsing the undocumented string.
       - Simplified, corrected and modernized the use of libcrypto
       - Plugged various memory leaks.
       - Use ASN1_TIME_to_tm(3) instead of a poor man's hand-rolled
         version of it.
       - Use timegm(3) instead of mktime(3) to eliminate time-zone
       - Encode Subject Alternative Name (SAN) entries before
       - Prevent acme-client(1) from leaking an HTTP GET request when
         receiving a redirect without a location header.
    o Prevented smtpd(8) abort due to a connection from a local, scoped
      IPv6 address.
    o Fixed a potential NULL dereference in the unpriv child expanding
      %{mda} in smtpd(8).
    o Corrected the order of arguments for calls to shutdown(2) on the
      route socket of slaacd(8), dhcpleased(8) and unwind(8).
    o Made route(8) sourceaddr print the used addresses for inet and
      inet6, or "default" if no sourceaddr is set and the default
      algorithm is used.
    o Added -mpls option to the route(8) monitor command. It can be used
      to restrict displayed route messages to the mpls address family.
    o Fixed rsync(1) handling of port numbers in
      rsync://host[:port]/module URLs.
    o Made tcpdrop(8) accept netstat-style address.port syntax.
    o Ensured pfctl(8) correctly adds addresses to the
      undefined/inactive table.
    o Fixed the DIOCIGETIFACES ioctl so all network interfaces and
      interface groups are reported in pfctl(8).
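
The getaddrinfo(3) hostname restriction listed above, written out as a
stand-alone check. This is an added example, not OpenBSD's libc code:
the function names are hypothetical, "[A-z0-9-_.]" is read as ASCII
letters, digits, '-', '_' and '.', and rejecting empty names is an
assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration of the rule in the release note; not libc source. */

/* "[A-z0-9-_.]" read as ASCII letters, digits, '-', '_' and '.'
 * (assumption: the punctuation between 'Z' and 'a' is not meant,
 * since the note lists '`' among the removed characters). */
static bool
hostname_char_ok(unsigned char c)
{
	return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
	    (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.';
}

/* Returns true if name satisfies the stated restrictions. */
static bool
hostname_ok(const char *name)
{
	size_t i;

	/* Assumption: NULL and empty names are rejected here. */
	if (name == NULL || name[0] == '\0')
		return false;
	/* Must not start with '-' or '.'. */
	if (name[0] == '-' || name[0] == '.')
		return false;
	for (i = 0; name[i] != '\0'; i++) {
		if (!hostname_char_ok((unsigned char)name[i]))
			return false;
		/* No two consecutive dots. */
		if (name[i] == '.' && name[i + 1] == '.')
			return false;
	}
	return true;
}

int
main(void)
{
	/* Constructed sample inputs. */
	const char *samples[] = { "www.example.org", "_dmarc.example.org",
	    "a..example.org", "-v.example.org", "host`id`.example.org" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-22s %s\n", samples[i],
		    hostname_ok(samples[i]) ? "accepted" : "rejected");
	return 0;
}
```

Applying the same check in a program that passes resolver names on to a
shell or a log line keeps '$', '`', '\n' and '*' out of those contexts
regardless of the libc version in use.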

 - tmux(1) improvements and bug fixes:
    o Added scroll-top and scroll-bottom tmux(1) commands to s