The branch main has been updated by kp:
URL:
https://cgit.FreeBSD.org/src/commit/?id=311ad5bc811d0d14da772cbb1333970266194ec7
commit 311ad5bc811d0d14da772cbb1333970266194ec7
Author: Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-05-28 08:46:26 +0000
Commit: Kristof Provost <k...@freebsd.org>
CommitDate: 2025-06-06 11:16:01 +0000
UPDATING: document recent pf changes
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D50664
---
UPDATING | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/UPDATING b/UPDATING
index bee8b348f113..b12d31f4bec9 100644
--- a/UPDATING
+++ b/UPDATING
@@ -31,6 +31,16 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 15.x IS SLOW:
LinuxKPI dma-mapping.h were pulled into the tree from drm-kmod.
Bump _FreeBSD_version to 1500045 to be able to detect this change.
+20250527:
+ pf changed extension header handling. It now treats AH headers on IPv4
just
+ like AH headers on IPv6 and skips over them, allowing filtering on the
inner
+ protocol.
+
+20250527:
+ pf now blocks IPv6 packets with a hop-by-hop or destination options
header by
+ default. Such packets can be passed by adding "allow-opts" to the rule.
IPv6
+ options are now handled just like their IPv4 counterparts.
+
20250527:
The CAM target layer userland, i.e. ctld(8), ctladm(8) and ctlstat(8),
has moved to the new FreeBSD-ctl package. If you use pkgbase and you
