Kirill A. Korinsky (kirill@) writes in with his guide to setting up an EdgeRouter 4 with OpenBSD/octeon to provide a failover gateway/router setup:
This article details the configuration process for setting up OpenBSD on an EdgeRouter 4 device to function as a home router, incorporating features such as private DNS resolution for clients and failover WAN connectivity.Read the whole thing at Kirill's site.
erspan(4), the ERSPAN collection driver created by David Gwynne (dlg@) [and about which we recently reported] has been committed to the tree:
CVSROOT: /cvs Module name: src Changes by: dlg@cvs.openbsd.org 2025/05/13 19:54:12 Modified files: sys/net : if_gre.c Log message: add support for the ERSPAN Type II protocol ERSPAN is a specific GRE 0 protocol id with GRE sequence numbers enabled, with it's own shim header, and then an Ethernet payload.Version 0.112 of Game of Trees has been released (and the port updated):
Omar Polo (op@) has announced the release of version 7.7.0p0 of OpenSMTPD:
[…] Changes in this release: ======================== - mail.lmtp: Correctly propagate LMTP permanent failures to smtpd. - Fixed connect filter request documentation in smtpd-filters.7. - Updated to new imsg APIs. […]See the full release announcement for all the details.
An early version of the code, but possibly close to being ready for further development in-tree was presented by David Gwynne (dlg@) in a message to tech@:
List: openbsd-tech Subject: erspan(4): ERSPAN Type II collection From: David Gwynne <david () gwynne ! id ! au> Date: 2025-05-12 1:27:59 we were exploring how to better let us see what's happening on access networks or specific ports on a switch at work. our switches are pretty much all cisco, which has ERSPAN. ERSPAN in it's various forms ships Ethernet packets over GRE for collection and analysis on another system. There's 3 types of ERSPAN encapsulation, but Type II seems broadly implemented.
Alexander Bluhm (bluhm@) has committed changes which eliminate contention by caching the socket lock in TCP input:
CVSROOT: /cvs Module name: src Changes by: bluhm@cvs.openbsd.org 2025/05/07 08:10:19 Modified files: sys/net : if.c if_var.h sys/netinet : tcp_input.c tcp_var.h Log message: Cache socket lock during TCP input. Parallel TCP input is running for a few days now and looks quite stable. Final step is to implement caching of the socket lock. Without large receive offloading (LRO) in the driver layer, it is very likely that consecutive TCP segments are in the input queue. This leads to contention of the socket lock between TCP input and socket receive syscall from userland.Following its recent introduction on tech@ [See earlier article], David Gwynne (dlg@) has committed bpflogd(8) to the tree:
CVSROOT: /cvs Module name: src Changes by: dlg@cvs.openbsd.org 2025/05/06 19:41:59 Added files: usr.sbin/bpflogd: Makefile bpflogd.8 bpflogd.c log.c log.h Log message: bpflogd(8): capture packets from BPF and write them to a log file this is like pflogd(8), but different. the main differences are:Following its recent introduction on tech@ [See earlier article], David Gwynne (dlg@) has committed lldpd(8) to the tree:
CVSROOT: /cvs Module name: src Changes by: dlg@cvs.openbsd.org 2025/05/02 00:12:53 Added files: usr.sbin/lldpd : Makefile lldpctl.h lldpd.8 lldpd.c log.c log.h pdu.c pdu.h Log message: lldpd(8): a daemon that acts as an LLDP agent on Ethernet interfaces. lldpd uses the recently added AF_FRAME Ethernet sockets to listen for LLDP packets on all Ethernet interfaces in the system, and stores them so a lldp(8) client connecting to the control socket can fetch and display the packets.Damien Miller (djm@) has completed the planned [See previous articles] removal of DSA signature support from OpenSSH:
CVSROOT: /cvs Module name: src Changes by: djm@cvs.openbsd.org 2025/05/05 23:40:56 Modified files: usr.bin/ssh : sshkey.h sshkey.c sshd.c sshd-session.c sshd-auth.c sshconnect.c ssh_config ssh.c ssh-keysign.c ssh-keyscan.c ssh-keygen.c ssh-add.c readconf.c pathnames.h hostfile.c dns.c authfile.c authfd.c PROTOCOL Removed files: usr.bin/ssh : ssh-dss.c Log message: finally remove DSA signature support from OpenSSH. feedback/ok tb@, ok deraadt@The editors would like to encourage our readers to arrange a proper wake
for this one.
Please keep going until we can be quadruply sure it's all gone.
List: openbsd-tech Subject: die DSA die From: Damien Miller <djm () mindrot ! org> Date: 2025-05-05 6:34:15 This finally removes all the remaining bits of DSA support from OpenSSH and fixes up the regress tests that I could run. I'm not set up to run the ssh.com interop tests so it's possible they are broken by this. ok? Index: usr.bin/ssh/authfd.c [ … ]
followed by the diff that implements the change.
(An earlier Undeadly article provides some background on DSA removal.)
Note that Damien asks for testing help here -- if you are able to help testing this change before it goes in for real, please do!
A long discussion on tech@ (initiated by a suggestion/patch from Jesper Wallin) has culminated in Damien Miller (djm@) committing changes which increase security by taking advantage of the use of unveil(2) elsewhere in the OpenBSD ecosystem:
CVSROOT: /cvs Module name: src Changes by: djm@cvs.openbsd.org 2025/05/04 20:48:07 Modified files: usr.bin/ssh/sshd-session: Makefile usr.bin/ssh/sshd-auth: Makefile usr.bin/ssh/ssh-agent: Makefile usr.bin/ssh : ssh-agent.c ssh-agent.1 session.c pathnames.h misc.h misc.c hostfile.c Log message: Move agent listener sockets from /tmp to under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets in sshd(8). This ensures processes (such as Firefox) that have restricted filesystem access that includes /tmp (via unveil(3)) do not have the ability to use keys in an agent.Klemens Nanni (kn@) has committed the his proposed change [See previous article] such that the OpenBSD installer now prefers disks over 1GB when prompting for the root disk. The commit message explains the change:
CVSROOT: /cvs Module name: src Changes by: kn@cvs.openbsd.org 2025/05/04 06:32:41 Modified files: distrib/miniroot: install.sub Log message: Prefer disks bigger than 1G as default root disk on install -current picks the alphanumerically first disk as default, which isn't the beset choice if install media, softraid(4) key disks or small external media attaches before the disk one intends to use.[…] whenever install media, small USB sticks or softraid(4) keydisks attach before you actual disk, defaulting to sd0 is most certainly not what you want. An easy rule of thumb that works great for me is to reshuffle the list of valid root disks such that small ones come last.
The message with the patch reads: List: openbsd-tech Subject: installer: default root disk: prefer those bigger than 1G From: Klemens Nanni <kn () openbsd ! org> Date: 2025-05-01 15:41:25 Now we show all valid root disks and pick the first one, i.e. the alphanumerically lowest value, as default:
In a post to tech@, Martin Pieuchot (mpi@) has requested testing of a diff (against -current) to enable running the upper part of the fault handler in parallel :
Hello, Diff below enables running the fault handler in parallel. Please test an report back, with dmesg, if this increases or decreases the perfs of your usual setup. Thanks for the help, MartinLibreSSL version 4.1.0 has been released.
This is the version found in (the recently released) OpenBSD 7.7
The release notes read,
We have released LibreSSL 4.1.0, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This is the first stable release for the 4.1.x branch, also available with OpenBSD 7.7 It includes the following changes from LibreSSL 4.0.0: * Portable changes - Added initial experimental support for loongarch64. - Fixed compilation for mips32 and reenable CI. - Fixed CMake builds on FreeBSD. - Fixed the --prefix option for cmake --install. - Fixed tests for MinGW due to missing sh(1).
Klemens Nanni (kn@) committed a change removing misleading messages on package update:
CVSROOT: /cvs Module name: src Changes by: kn@cvs.openbsd.org 2025/04/28 12:56:25 Modified files: usr.sbin/pkg_add/OpenBSD: Delete.pm Log message: Stop advising to remove files on update The following only make sense on for pkg_delete(1), yet pkg_add(1) prints them as well, which is confusing at best and trips up way too many people: "You should also run ..." (often "rm -rf /something/important*") "You should also remove ..." No longer print those when -u is used. There may be some commands "i like it" ian kirill OK phessler kmosQuieter and more accurate updates - what's not to like?
List: openbsd-cvs Subject: CVS: cvs.openbsd.org: src From: Alexander Bluhm <bluhm () openbsd ! org> Date: 2025-04-26 13:58:08 CVSROOT: /cvs Module name: src Changes by: bluhm@cvs.openbsd.org 2025/04/26 07:58:08 Modified files: sys/netinet : in_proto.c sys/netinet6 : in6_proto.c Log message: Run TCP input in parallel on multiple CPUs.
The OpenBSD project has announced OpenBSD 7.7, its 58th release.
The new release contains a number of significant improvements, including but certainly not limited to:
See the full changelog for more details of the changes made over this latest six month development cycle.
The Installation Guide details how to get the system up and running with a fresh install, while those who already run earlier releases should follow the Upgrade Guide, in most cases using sysupgrade(8).
Readers are encouraged to celebrate the new release by donating to the project to support further development of our favourite OS!
List: openbsd-tech Subject: LLDP daemon and display tool From: David Gwynne <david () gwynne ! id ! au> Date: 2025-04-24 3:49:53 this adds a small daemon and command line tool for receiving and displaying LLDP messages from neighbors connected to Ethernet interfaces. the daemon is called olldpd(8) to avoid colliding with the existing lldpd from ports. the command line tool is lldp(8). it uses the AF_FRAME sockets that were recently added rather than BPF. this means it retains fewer privileges while it's running because it doesn't have to open and configure BPF devices when new interfaces appear in the system. avoiding BPF means it has basically 0 impact on the kernel packet path because AF_FRAME is handled as a last resort for packets rather than up front for every packet on an interface.
