FreeBSD 13.2 release with Netlink and WireGuard support

After 11 months of development, FreeBSD 13.2 has been released. Installation images are generated for the amd64, i386, powerpc, powerpc64, powerpc64le, powerpcspe, armv6, armv7, aarch64, and riscv64 architectures. Additionally, builds have been prepared for virtualization systems (QCOW2, VHD, VMDK, raw) and Amazon EC2, Google Compute Engine and Vagrant cloud environments.

Key changes:

  • Implemented the ability to create snapshots of UFS/FFS file systems that have soft updates journaling enabled. Background dumps (dump run with the "-L" flag) of mounted UFS file systems with journaling enabled are now supported as well. Background integrity checking with the fsck utility remains unavailable when journaling is used.
  • The kernel-level wg driver, which implements the network interface for the WireGuard VPN, has been accepted into the base system. To provide the cryptographic algorithms the driver requires, the FreeBSD kernel crypto subsystem API was extended with a binding that makes algorithms from the libsodium library available where the standard FreeBSD crypto API does not support them. Optimizations were also made to spread encryption and decryption work evenly across CPU cores, which reduced the overhead of processing WireGuard packets.

    The previous attempt to include WireGuard in FreeBSD was made in 2020 but ended in a scandal: the code that had already been added was removed because of its low quality, careless buffer handling, use of stubs in place of checks, an incomplete implementation of the protocol, and a violation of the GPL license. The new implementation was prepared jointly by the core FreeBSD and WireGuard development teams, with the participation of Jason A. Donenfeld, the author of WireGuard, and John H. Baldwin, a well-known FreeBSD developer. A full review of the changes, supported by the FreeBSD Foundation, was carried out before the new code was accepted.

  • Implemented support for the Netlink communication protocol (RFC 3549), which Linux uses for interaction between the kernel and user-space processes. The implementation is limited to the NETLINK_ROUTE family of operations for managing the state of the kernel network subsystem, which allows FreeBSD to use the Linux ip utility from the iproute2 package to manage network interfaces, set IP addresses, configure routing, and manipulate nexthop objects, which hold the state used to forward a packet to its destination.
  • All base system executables on 64-bit platforms now have Address Space Layout Randomization (ASLR) enabled by default. To selectively disable ASLR, use "proccontrol -m aslr -s disable" or "elfctl -e +noaslr".
  • ipfw uses Radix tables to look up MAC addresses, which makes it possible to create tables of MAC addresses and use them to filter traffic. For example:

    ipfw table 1 create type mac
    ipfw table 1 add 11:22:33:44:55:66/48
    ipfw add skipto tablearg src-mac 'table(1)'
    ipfw add deny src-mac 'table(1,100)'
    ipfw add deny lookup dst-mac 1

  • The dpdk_lpm4 and dpdk_lpm6 kernel modules, loadable via loader.conf, implement the DIR-24-8 route lookup algorithm for IPv4/IPv6, which optimizes routing on hosts with very large routing tables (tests show a speed increase of 25 %). The modules are configured with the standard route utility (a FIB_ALGO option has been added).
  • The ZFS file system implementation has been updated to the OpenZFS 2.1.9 release. The zfskeys startup script automatically loads keys stored in the ZFS file system. A new rc script, zpoolreguid, assigns a GUID to one or more zpools (useful, for example, in virtualization environments with shared storage).
  • The Bhyve hypervisor and the vmm module support attaching more than 15 virtual CPUs to a guest system (adjustable via the sysctl hw.vmm.maxcpu). The bhyve utility emulates the virtio-input device, through which keyboard and mouse input events can be injected into the guest system.
  • KTLS, the kernel-level TLS implementation in FreeBSD, now supports hardware acceleration for TLS 1.3 by offloading part of the processing of encrypted incoming packets to the network card. Previously this feature was available only for TLS 1.1 and TLS 1.2.
  • The growfs startup script, when expanding the root file system, now adds a swap partition if one was not originally present (useful, for example, when installing a ready-made system image on an SD card). A new rc.conf option, growfs_swap_size, controls the swap size.
  • The hostid startup script now generates a random UUID if the /etc/hostid file is missing and a UUID cannot be obtained from the hardware. An /etc/machine-id file with a compact representation of the host id (without dashes) has also been added.
  • The defaultrouter_fibN and ipv6_defaultrouter_fibN variables have been added to rc.conf, through which default routes can be added to FIB tables other than the primary one.
  • Support for SHA-512/224 hashes has been added to the libmd library.
  • The pthread library implements support for the semantics of functions used in Linux.
  • Support for decoding Linux system calls has been added to kdump, and Linux-style syscall tracing is now supported in kdump and sysdecode.
  • The killall utility now has the ability to send a signal to processes bound to a specific terminal (for example, "killall -t pts/1").
  • Added the nproc utility, which displays the number of processing units available to the current process.
  • Support for decoding ACS (Access Control Services) parameters has been added to the pciconf utility.
  • The SPLIT_KERNEL_DEBUG setting has been added to the kernel, which allows saving debugging information for the kernel and kernel modules into separate files.
  • The Linux ABI now has nearly complete support for the vDSO (virtual dynamic shared object) mechanism, which provides a limited set of system calls that execute in user space without a context switch. The Linux ABI on ARM64 systems has been brought to parity with the AMD64 implementation.
  • Improved hardware support: performance monitoring (hwpmc) support for Intel Alder Lake CPUs; an updated iwlwifi driver for Intel wireless cards with support for new chips and the 802.11ac standard; a new rtw88 driver for Realtek PCI wireless cards; and an extended linuxkpi layer for running Linux drivers in FreeBSD.
  • The OpenSSL library has been updated to version 1.1.1t, LLVM/Clang has been updated to version 14.0.5, and the SSH server and client have been updated to OpenSSH 9.2p1 (the previous version used OpenSSH 8.8p1). Also updated are bc 6.2.4, expat 2.5.0, file 5.43, less 608, libarchive 3.6.2, sendmail 8.17.1, sqlite 3.40.1, unbound 1.17.1, zlib 1.2.13.
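An added example, not code from the FreeBSD project or the original article, of the rtnetlink wire format that the NETLINK_ROUTE support described above has to handle: it builds a constructed RTM_NEWROUTE dump reply and parses it back, validating every nlmsghdr and rtattr length before reading a payload, which is the property a kernel-side Netlink parser needs when messages arrive from unprivileged user space. Constants are the Linux rtnetlink values; the sample reply is constructed, not captured from a system.

```python
import ipaddress
import struct
# rtnetlink constants (Linux values, which the Netlink implementation in FreeBSD mirrors)
NLMSG_DONE, RTM_NEWROUTE, NLM_F_MULTI = 3, 24, 0x2
RTA_DST, RTA_OIF, AF_INET, RT_TABLE_MAIN, RTN_UNICAST = 1, 4, 2, 254, 1
NLMSGHDR, RTMSG = "=IHHII", "=BBBBBBBBI"  # 16-byte and 12-byte headers, host byte order

def nl_align(n):  # headers, payloads and attributes are padded to 4-byte boundaries
    return (n + 3) & ~3

def build_attr(rta_type, payload):
    """rtattr TLV: u16 len (header + payload), u16 type, payload, pad to 4."""
    rta = struct.pack("=HH", 4 + len(payload), rta_type) + payload
    return rta.ljust(nl_align(len(rta)), b"\0")

def build_newroute(seq, prefix, oif):
    """One RTM_NEWROUTE part of a dump reply for an IPv4 unicast route (constructed)."""
    net = ipaddress.ip_network(prefix)
    body = (struct.pack(RTMSG, AF_INET, net.prefixlen, 0, 0, RT_TABLE_MAIN, 0, 0, RTN_UNICAST, 0)
            + build_attr(RTA_DST, net.network_address.packed)
            + build_attr(RTA_OIF, struct.pack("=I", oif)))
    return struct.pack(NLMSGHDR, 16 + len(body), RTM_NEWROUTE, NLM_F_MULTI, seq, 0) + body

def parse_routes(buf):
    """Walk a multi-part reply; return (prefix, oif) per route; reject bad lengths."""
    routes, off = [], 0
    while off + 16 <= len(buf):
        length, msg_type = struct.unpack_from("=IH", buf, off)
        if length < 16 or off + length > len(buf):
            raise ValueError("truncated or malformed nlmsghdr")
        if msg_type == NLMSG_DONE:
            break
        if msg_type == RTM_NEWROUTE:
            dst_len = buf[off + 17]                     # rtmsg.rtm_dst_len
            dst, oif, aoff = None, None, off + 16 + 12  # attributes follow the rtmsg
            while aoff + 4 <= off + length:
                rta_len, rta_type = struct.unpack_from("=HH", buf, aoff)
                if rta_len < 4 or aoff + rta_len > off + length:
                    raise ValueError("malformed rtattr")
                payload = buf[aoff + 4:aoff + rta_len]
                if rta_type == RTA_DST:
                    dst = ipaddress.ip_address(payload)
                elif rta_type == RTA_OIF:
                    oif = struct.unpack("=I", payload)[0]
                aoff += nl_align(rta_len)
            routes.append((f"{dst}/{dst_len}", oif))
        off += nl_align(length)
    return routes

# Constructed two-route dump reply, terminated by NLMSG_DONE (which carries a u32 error field)
SAMPLE_REPLY = (build_newroute(7, "10.0.0.0/8", 2) + build_newroute(7, "192.168.1.0/24", 3)
                + struct.pack(NLMSGHDR, 20, NLMSG_DONE, NLM_F_MULTI, 7, 0) + struct.pack("=i", 0))
```

Feeding the parser a reply cut off mid-message raises ValueError instead of reading past the buffer, which is the check that matters when the message source is untrusted.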

Additionally, the following have been declared deprecated and are slated for removal in the FreeBSD 14.0 branch: OPIE one-time passwords, the ce and cp drivers, ISA card drivers, the mergemaster and minigzip utilities, the ATM components in netgraph (NgATM), the telnetd daemon, and the VINUM class in geom.

Source: opennet.ru
