FreeBSD/src 4578c15share/man/man5 pf.conf.5, tests/sys/netpfil/pf route_to.sh

pf: Document broadcast/multicast forwarding through route-to

pf_route() and pf_route6() forward broadcast and multicast traffic
when a route-to rule matches, without any check against the output
interface's broadcast domain. This is a deliberate property of the
route option code path, but it is not documented and the workaround
is non-obvious.

Document the behavior in pf.conf(5) with example block-out rules on
the target interface, scoped with the received-on qualifier so that
only forwarded traffic is dropped while the router's own broadcast
and multicast traffic continues to pass.

Add regression tests covering the full broadcast/multicast and
forwarded/local matrix on both IPv4 and IPv6.

Reviewed by:    glebius, kp
Approved by:    kp (mentor)
MFC after:      1 week

    [2 lines not shown]
DeltaFile
+346-0tests/sys/netpfil/pf/route_to.sh
+45-1share/man/man5/pf.conf.5
+391-12 files

FreeBSD/src aad4fecusr.sbin/ctld ctld.cc ctld.hh

ctld: Move the pidfile handle out to a global variable

This ensures it will be destroyed (removing the associated pidfile)
anytime the process exits, including from exit(3) calls.  This fixes
a few places that would "leak" the pidfile on certain errors.

This also removes the need for some convoluted logic where
configuration objects would hand-off ownership of the pidfile handle
from the old configuration to the new configuration.

Reviewed by:    asomers
Sponsored by:   Chelsio Communications
Differential Revision:  https://reviews.freebsd.org/D56527
DeltaFile
+13-29usr.sbin/ctld/ctld.cc
+1-6usr.sbin/ctld/ctld.hh
+14-352 files

FreeBSD/src 3df5cc3usr.sbin/ctld ctld.hh

ctld: Ports without a portal group are not dummy ports

The default implementation of is_dummy should return false.  Only
portal group ports should possibly return true.

PR:             293076
Reported by:    Ken J. Thomson <thomsonk at yandex.com>
Fixes:          6acc7afa34aa ("ctld: Convert struct port to a hierarchy of C++ classes")
Sponsored by:   Chelsio Communications
Differential Revision:  https://reviews.freebsd.org/D56524
DeltaFile
+1-1usr.sbin/ctld/ctld.hh
+1-11 files

FreeBSD/src 614ef71usr.sbin/ctld ctld.cc

ctld: Don't add an iscsi port for targets with only kernel ports

PR:             293076
Reviewed by:    asomers
Fixes:          969876fcee57 ("ctld: parse config file independently of getting kernel info")
Differential Revision:  https://reviews.freebsd.org/D56523
DeltaFile
+1-1usr.sbin/ctld/ctld.cc
+1-11 files

FreeBSD/ports 70dc439misc/comfyui Makefile distinfo

misc/comfyui: update 0.19.3 → 0.19.4
DeltaFile
+3-3misc/comfyui/Makefile
+3-3misc/comfyui/distinfo
+6-62 files

FreeBSD/ports 11125f2misc/py-comfyui-embedded-docs distinfo Makefile

misc/py-comfyui-embedded-docs: update 0.4.3 → 0.4.4
DeltaFile
+3-3misc/py-comfyui-embedded-docs/distinfo
+1-1misc/py-comfyui-embedded-docs/Makefile
+4-42 files

FreeBSD/ports 0fe061emisc/py-comfyui-workflow-templates distinfo Makefile

misc/py-comfyui-workflow-templates: update 0.9.57 → 0.9.61
DeltaFile
+3-3misc/py-comfyui-workflow-templates/distinfo
+1-1misc/py-comfyui-workflow-templates/Makefile
+4-42 files

FreeBSD/ports 07b5213misc/py-comfyui-workflow-templates-media-video distinfo Makefile

misc/py-comfyui-workflow-templates-media-video: update 0.3.78 → 0.3.80
DeltaFile
+3-3misc/py-comfyui-workflow-templates-media-video/distinfo
+1-1misc/py-comfyui-workflow-templates-media-video/Makefile
+4-42 files

FreeBSD/ports 6f855c8misc/py-comfyui-workflow-templates-media-other distinfo Makefile

misc/py-comfyui-workflow-templates-media-other: update 0.3.176 → 0.3.180
DeltaFile
+3-3misc/py-comfyui-workflow-templates-media-other/distinfo
+1-1misc/py-comfyui-workflow-templates-media-other/Makefile
+4-42 files

FreeBSD/ports d329039misc/py-comfyui-workflow-templates-media-image distinfo Makefile

misc/py-comfyui-workflow-templates-media-image: update 0.3.127 → 0.3.131
DeltaFile
+3-3misc/py-comfyui-workflow-templates-media-image/distinfo
+1-1misc/py-comfyui-workflow-templates-media-image/Makefile
+4-42 files

FreeBSD/ports f72b5bdmisc/py-comfyui-workflow-templates-media-api distinfo Makefile

misc/py-comfyui-workflow-templates-media-api: update 0.3.69 → 0.3.70
DeltaFile
+3-3misc/py-comfyui-workflow-templates-media-api/distinfo
+1-1misc/py-comfyui-workflow-templates-media-api/Makefile
+4-42 files

FreeBSD/ports 56ad6b2misc/py-comfyui-workflow-templates-core distinfo Makefile

misc/py-comfyui-workflow-templates-core: update 0.3.209 → 0.3.214
DeltaFile
+3-3misc/py-comfyui-workflow-templates-core/distinfo
+1-1misc/py-comfyui-workflow-templates-core/Makefile
+4-42 files

FreeBSD/ports dcd4163misc/github-copilot-cli distinfo pkg-plist, misc/github-copilot-cli/files package-lock.json

misc/github-copilot-cli: update 1.0.34 → 1.0.35.6
DeltaFile
+28-28misc/github-copilot-cli/files/package-lock.json
+3-3misc/github-copilot-cli/distinfo
+2-1misc/github-copilot-cli/pkg-plist
+1-1misc/github-copilot-cli/Makefile
+34-334 files

FreeBSD/src 7982985sys/security/mac mac_policy.h

kern: mac: bump the MAC_VERSION for 16.x

Reviewed by:    bapt
Differential Revision:  https://reviews.freebsd.org/D55703
DeltaFile
+2-1sys/security/mac/mac_policy.h
+2-11 files

FreeBSD/src 28b0084sys/security/mac mac_framework.c mac_policy.h

kern: mac: sprinkle a bit of const correctness

mpc_name and mpc_fullname are string literals in correct usage, so they
should really be const instead.

mpc_ops aren't typically const, but the framework shouldn't be doing
anything to clobber it; thus, good to constify it as a reminder.

Switch to using a slightly more semantically correct `void **` in the
fastpath bits while we're here, since we only do arithmetic on the outer
layer of pointer and compare the inner to a pointer-typed (NULL).

Reviewed by:    bapt
Differential Revision:  https://reviews.freebsd.org/D55702
DeltaFile
+5-5sys/security/mac/mac_framework.c
+3-3sys/security/mac/mac_policy.h
+8-82 files

FreeBSD/src 0faa88fsys/kern vfs_mount.c, sys/security/mac mac_vfs.c mac_policy.h

kern: vfs: add MAC checks for mount/unmount/update

The unmount check is straightforward and only really needs the
struct mount and flags used, in case a MAC policy wants to reject
force-unmounts or do special handling for FSID-based unmounts.

The mount check offers as much information as I think might be of
interest to a MAC policy: the vnode to be mounted on, vfsconf, and
applicable mount options.   XNU also has a later version that just takes
a struct mount for everything that VFS_MOUNT() has to offer, but my
draft policy doesn't need any of that.  It also doesn't really need the
unmount check, but it seems reasonable to add it while I'm here.

The update check similarly passes the flags/options for the operation,
along with the struct mount and label.

Reviewed by:    kib, olce
Differential Revision:  https://reviews.freebsd.org/D55601
DeltaFile
+50-0sys/security/mac/mac_vfs.c
+37-0sys/security/mac_test/mac_test.c
+28-0sys/security/mac_stub/mac_stub.c
+24-1sys/kern/vfs_mount.c
+12-0sys/security/mac/mac_policy.h
+7-0sys/security/mac/mac_framework.h
+158-16 files

FreeBSD/ports e1c6a3amisc/ollama Makefile, misc/ollama/files patch-x_imagegen_server.go

misc/ollama: Add missing patch

... that was accidentally dropped during the last port update.
DeltaFile
+13-0misc/ollama/files/patch-x_imagegen_server.go
+1-0misc/ollama/Makefile
+14-02 files

FreeBSD/ports 164e239deskutils/fet Makefile distinfo, deskutils/fet/files patch-CMakeLists.txt

deskutils/fet: Update to 7.8.5

Switch to cmake.
Add xorg to USES.

Changelogs: https://lalescu.ro/liviu/fet/news.html
DeltaFile
+7-4deskutils/fet/Makefile
+11-0deskutils/fet/files/patch-CMakeLists.txt
+3-3deskutils/fet/distinfo
+21-73 files

FreeBSD/ports 19e0394devel/py-lxml distinfo Makefile

devel/py-lxml: update to 6.1.0

Changelog: https://lxml.de/6.1/changes-6.1.0.html
DeltaFile
+3-3devel/py-lxml/distinfo
+1-1devel/py-lxml/Makefile
+4-42 files

FreeBSD/ports 186b8absecurity/strongswan distinfo Makefile

security/strongswan: Update 6.0.5 => 6.0.6 (fix 7 CVEs)

Changelog:
https://github.com/strongswan/strongswan/releases/tag/6.0.6

PR:             294718
Approved by:    blanket (fix CVEs)
Security:       CVE-2026-35328
Security:       CVE-2026-35329
Security:       CVE-2026-35330
Security:       CVE-2026-35331
Security:       CVE-2026-35332
Security:       CVE-2026-35333
Security:       CVE-2026-35334
Sponsored by:   UNIS Labs
MFH:            2026Q2

(cherry picked from commit 3b628bd6b80f25100a96ba921c45c6d9e5878061)
DeltaFile
+3-3security/strongswan/distinfo
+1-2security/strongswan/Makefile
+4-52 files

FreeBSD/ports bc430ffsecurity/strongswan Makefile

security/strongswan: Enable ML plugin by default to allow Post-Quantum Key Exchange Methods

Currently ML-DSA (used for Digital Signatures) is a draft in strongswan
(ETA Version 6.1.0 or later). So CNSA 2.0 cannot be fully supported yet.
https://linux-ipsec.org/slides/2025/steffen-pqc-auth-for-ikev2.pdf
But most firewalls (Palo Alto / Fortigate) already support ML-KEM Key
Exchange in addition to standard proposals.
E.g. aes128gcm16-ecp256-ke1_mlkem512.

More details:
https://docs.strongswan.org/docs/latest/config/proposals.html

PR:             294305
Approved by:    strongswan at Nanoteq.com (maintainer, timeout 2 weeks)
Sponsored by:   UNIS Labs

(cherry picked from commit fb347f77757066e2bc0989fd66c8f02c9bf862d9)
DeltaFile
+2-1security/strongswan/Makefile
+2-11 files

FreeBSD/ports 3b628bdsecurity/strongswan distinfo Makefile

security/strongswan: Update 6.0.5 => 6.0.6 (fix 7 CVEs)

Changelog:
https://github.com/strongswan/strongswan/releases/tag/6.0.6

PR:             294718
Approved by:    blanket (fix CVEs)
Security:       CVE-2026-35328
Security:       CVE-2026-35329
Security:       CVE-2026-35330
Security:       CVE-2026-35331
Security:       CVE-2026-35332
Security:       CVE-2026-35333
Security:       CVE-2026-35334
Sponsored by:   UNIS Labs
MFH:            2026Q2
DeltaFile
+3-3security/strongswan/distinfo
+1-2security/strongswan/Makefile
+4-52 files

FreeBSD/src 2ddefc8libexec/rtld-elf rtld.c

rtld: fix processing of preloaded z_initfirst objects

(cherry picked from commit 9b844b495e8e63439ffe523757ac7444a16317af)
DeltaFile
+5-0libexec/rtld-elf/rtld.c
+5-01 files

FreeBSD/src f3ca689usr.bin/kdump kdump.c Makefile

kdump: tweaks for the extended errors decoding

(cherry picked from commit 5c89d661a023c83a2001cf5b354b09c7d3ac91d8)
DeltaFile
+20-3usr.bin/kdump/kdump.c
+1-0usr.bin/kdump/Makefile
+21-32 files

FreeBSD/src 75ae51busr.bin/kdump kdump.c

kdump(1): add sys/ prefix for exterror source file name

(cherry picked from commit 4d062dbc20dce5a94da8dca1253ac9337b951c51)
DeltaFile
+1-1usr.bin/kdump/kdump.c
+1-11 files

FreeBSD/src 0b6f465libexec/rtld-elf rtld.c

rtld: fix processing of preloaded z_initfirst objects

(cherry picked from commit 9b844b495e8e63439ffe523757ac7444a16317af)
DeltaFile
+5-0libexec/rtld-elf/rtld.c
+5-01 files

FreeBSD/src 68d2339sys/sys param.h

Bump __FreeBSD_version for changing various kernel APIs to use pointers

Effort:         CHERI upstreaming
Sponsored by:   AFRL, DARPA
DeltaFile
+1-1sys/sys/param.h
+1-11 files

FreeBSD/src 9a6e9d7sys/amd64/amd64 pmap.c, sys/arm64/arm64 pmap.c

VM_PAGE_TO_DMAP: Wrapper macro to return direct map address for a page

Effort:         CHERI upstreaming
Reviewed by:    kib
Sponsored by:   AFRL, DARPA
Pull Request:   https://github.com/freebsd/freebsd-src/pull/2068
DeltaFile
+18-24sys/powerpc/aim/mmu_radix.c
+20-21sys/amd64/amd64/pmap.c
+12-12sys/arm64/arm64/pmap.c
+5-17sys/powerpc/aim/mmu_oea64.c
+10-12sys/riscv/riscv/pmap.c
+10-12sys/opencrypto/criov.c
+75-9816 files not shown
+105-13922 files

FreeBSD/src 496453esys/amd64/amd64 pmap.c, sys/arm64/arm64 pmap.c

amd64/aarch64 pmap: Switch type of pmap_preinit_mapping.va to void *

Effort:         CHERI upstreaming
Reviewed by:    kib
Sponsored by:   AFRL, DARPA
Pull Request:   https://github.com/freebsd/freebsd-src/pull/2068
DeltaFile
+17-15sys/amd64/amd64/pmap.c
+13-11sys/arm64/arm64/pmap.c
+30-262 files

FreeBSD/src 120a5e3sys/amd64/amd64 pmap.c, sys/arm64/arm64 pmap.c

DMAP_TO_VM_PAGE: Wrapper macro to map direct map address to a page

Effort:         CHERI upstreaming
Suggested by:   kib
Reviewed by:    kib
Sponsored by:   AFRL, DARPA
Pull Request:   https://github.com/freebsd/freebsd-src/pull/2068
DeltaFile
+15-15sys/amd64/amd64/pmap.c
+5-5sys/powerpc/booke/pmap_64.c
+3-3sys/powerpc/aim/mmu_radix.c
+2-2sys/riscv/riscv/pmap.c
+2-2sys/arm64/arm64/pmap.c
+2-0sys/vm/vm_page.h
+29-273 files not shown
+32-309 files