23.09.1 New Features and Changes
This is a maintenance software release including new features and bug fixes.
Consult the Upgrade Guide before proceeding with any upgrade.
Security / Errata
FreeBSD Notices
This release includes corrections for several FreeBSD Errata Notices and Security Advisories, including:
FreeBSD-SA-23:17.pf - TCP spoofing vulnerability in pf(4)
FreeBSD-EN-23:16.openzfs - Potential ZFS Data Corruption
For more information about ZFS data corruption, see ZFS Data Corruption Details later in this document.
FreeBSD-EN-23:18.openzfs - High CPU usage by ZFS kernel threads
FreeBSD-EN-23:17.ossl - ossl(4)’s AES-GCM implementation may give incorrect results
FreeBSD-EN-23:20.vm - Incorrect results from the kernel physical memory allocator
Performance issues in OpenSSL have also been identified and corrected, notably with acceleration such as AES-NI.
EFI Issue on Proxmox® VE
Some users of pfSense® software running under Proxmox VE 7.4 have had issues booting Virtual Machines via EFI. This may also affect other versions of Proxmox VE and pfSense software as well as FreeBSD.
Adding a serial port to the VM hardware appears to work around the issue for the time being. A fix for the root cause is under investigation and development for future versions.
At this time the best practice to avoid potential problems is to add a serial port to the VM, then shut down the VM and start it back up before beginning the pfSense software upgrade process.
See also
See EFI Boot Issues for additional recommendations.
ZFS Data Corruption Details
Two data corruption bugs were recently reported against ZFS, including the version of ZFS in recent releases of pfSense software. These bugs have been corrected upstream in FreeBSD and the fixes have been imported into this release.
One bug was in block cloning, which is disabled by default on pfSense software, and thus is unlikely to be a significant concern on this platform. The other bug has been present in ZFS for years and was difficult to trigger.
Given the history of data corruption problems due to hole reporting in files, the corrections for this issue include a preventive measure to disable hole reporting. The downside of disabling hole reporting is possibly increased disk space usage.
Tip
Users on previous releases of pfSense software can reduce the likelihood of encountering the data corruption issue by creating a System Tunable for vfs.zfs.dmu_offset_next_sync with a value of 0.
pfSense Plus
Changes in this version of pfSense Plus software.
Aliases / Tables
Fixed: Rules using aliases of type URL (IPs) are not generated #14947
DHCP (IPv4)
Fixed: ISC DHCP responds from a random port #15011
DHCP (IPv6)
Fixed: PHP error on services_dhcpv6.php if the configuration contains an empty dhcpv6 section #14978
DHCP Relay
Fixed: Input validation prevents saving DHCPv6 Relay settings #14965
DNS Resolver
Changed: Update Unbound to 1.18.0_1 to address looping UDP retries when ENOBUFS is returned #14980
IPsec
Installer
Added: Add an appropriately named file to install images to indicate what they are #14887
Interfaces
OpenVPN
Changed: Update OpenVPN to 2.6.8_1 #15049
Operating System
Rules / NAT
Traffic Graphs
Fixed: Traffic graph filters apply incorrectly #14892
Upgrade
Fixed: pfSense-boot does not update the EFI loader #15007
Web Interface
Fixed: Firewall Maximum Table Entries “default size” is whatever is entered #11566