OpenBSD Journal

OpenBSD -current has moved to 7.6-beta in preparation for the next release with this commit.

The release is traditionally about November 1st, but we shall see what happens this year. Snapshots are already beginning to show up on the mirrors.

In an exciting move, Mike Larkin (mlarkin@) has requested hardware for vmm(4) development on the arm64 platform:

CVSROOT: /cvs Module name: www Changes by: mlarkin@cvs.openbsd.org 2024/07/27 18:31:12 Modified files: . : want.html Log message: Mac mini M2 needed for vmm(4) development.

This follows several earlier commits [by Dave Voutila (dv@)] splitting vmm(4)/vmd(8) into MI and MD parts.

Support for UDP parallel input [on which we reported previously] has been committed to -current by Alexander Bluhm (bluhm@):

CVSROOT: /cvs Module name: src Changes by: bluhm@cvs.openbsd.org 2024/07/26 08:38:20 Modified files: sys/netinet : in_proto.c sys/netinet6 : in6_proto.c Log message: Run UDP input on multiple CPU in parallel.

Read more…

UDP input is about to become faster and parallel on OpenBSD. In a message to tech@ titled UDP parallel input, Alexander Bluhm (bluhm@) offers a diff that enables parallel UDP input for -current.

The message reads,

List: openbsd-tech Subject: UDP parallel input From: Alexander Bluhm <bluhm () openbsd ! org> Date: 2024-07-23 13:40:21 Hi, mvs@ has completed the final bits to make socket buffer MP safe for UDP packets. This means that we can run UDP input on multiple threads. Diff below activates this.

Read more…

In this commit, Rafael Sadowski (rsadowski@) merged libva 2.22.0 into OpenBSD, enabling VA-API to accelerate video decoding and other hardware assisted operations:

Read more…

In a recent post to tech@ titled let's make pf(4) anchors and tables better friends (possibly originating at the ongoing hackathon) Alexandr Nedvedicky (sashan@) introduced code to enable creating local tables inside anchors in pf(4) rulesets:

Date: Sat, 13 Jul 2024 14:32:21 +0200 From: Alexandr Nedvedicky <sashan () fastmail ! net> To: tech@openbsd.org Subject: let's make pf(4) anchors and tables better friends Hello, the change presented in diff below allows user to define table inside the anchor. Consider rules here:

Read more…

Version 0.101 of Game of Trees has been released (and the port updated).

* got 0.101; 2024-07-11 see git repository history for per-change authorship information

Read more…

Crystal Kolipe writes in about a new article posted by the crew at Exotic Silicon on fun things to do with OpenBSD -- Implementing a self-managed, dual-stacked VPN.

Today we're showing you how to use iked to tunnel both IPv4 as well as IPv6 to a remote server for a self-managed VPN. We're doing all this with utilities from the OpenBSD base system so the setup is nice and sleek, completely avoiding the need to install countless programs from ports.

Not only that, but we'll also show you how to isolate the VPN traffic in it's own routing domain so it can be used only when required, (or if you're really clever like us, you can even configure more than one simultaneously).

Of course, the setup supports inbound connections too, so you can run servers from diverse physical locations whilst using the inbound address space and connectivity of the datacentre. Stuck without IPv6 or inbound connectivity at home? Not anymore! All this excitement and even more is right here waiting for you in setting up an IPv6 capable VPN. Read it today!

While we were busy with other things, Theo de Raadt (deraadt@) is continuing the work on bringing the clang option to clean return addresses off the stack, as reported upon earlier, to OpenBSD/arm64.

Theo posted an early version of the code to tech@, saying

List: openbsd-tech Subject: arm64 -fret-clean attempt From: "Theo de Raadt" <deraadt () openbsd ! org> Date: 2024-07-02 5:50:45 I've been trying to write -fret-clean for arm64. On a return-stack architecture like amd64, the callee has to clean up the word on the stack upon return. arm64, like some other risc architectures, is a link-register architecture. In this case, the return address is saved in some temporary location by the caller, who loads it into the link register before returning. Before that moment, the caller has to clean it up.

Read more…

In a fediverse post, Damien Miller (djm@) announced the availability of the new OpenSSH version 9.8: OpenSSH 9.8 has just been released. This release includes a fix for a critical race condition in sshd that could be exploited for remote code execution so you should definitely patch or upgrade. It also contains a fix for a minor issue in ssh that saw the recently-added ObscureKeystrokeTiming feature work the opposite way as intended.

There are some new features too. Please see the release notes at https://openssh.com/releasenotes.html for more details

Friends, dhclient(8) in OpenBSD is no more, at least for those of us running -current.

For some of us it is basically in muscle memory to type doas dhclient $wifiinterface when visiting somewhere, but from this day forward we will rely on dhcpleased(8) to do its job, which in my own experience does admirably.

In this commit, Theo de Raadt (deraadt@), executed the removal.

The commit message reads,

List: openbsd-cvs Subject: CVS: cvs.openbsd.org: src From: Theo de Raadt <deraadt () cvs ! openbsd ! org> Date: 2024-06-30 17:30:54 CVSROOT: /cvs Module name: src Changes by: deraadt@cvs.openbsd.org 2024/06/30 11:30:54 Modified files: distrib/sets/lists/base: mi distrib/sets/lists/man: mi etc : Makefile sbin : Makefile Removed files: etc/examples : dhclient.conf sbin/dhclient : Makefile bpf.c clparse.c conflex.c dhclient.8 dhclient.c dhclient.conf.5 dhclient.leases.5 dhcp.h dhcpd.h dhctoken.h dispatch.c kroute.c log.c log.h options.c packet.c parse.c privsep.c privsep.h

Read more…

Patrick McEvoy aka BSDTV writes in,

We are releasing an initial playlist of 28 BSDCan Videos.

The OpenBSD focused: Why rewrite fw_update(8)? By: Andrew Hewus Fresh

We have 6 videos in need of additional work and expect them to be released in the coming month. We will also release to Peertube. I will update this post accordingly. We now know how quite a few of us will spend the next few hours and possibly days, while we eagerly await the arrival of the final six.

The OpenBGPD project announced that a new version the Border Gateway Protocol dameon, OpenBGPD 8.5 has been released. The release comes with a number of new features and refinements, and marks another step in the development of secure and reliable routing management.

The announcement reads: List: openbsd-announce Subject: OpenBGPD 8.5 released From: Claudio Jeker <claudio () openbsd ! org> Date: 2024-06-26 19:10:13 We have released OpenBGPD 8.5, which will be arriving in the OpenBGPD directory of your local OpenBSD mirror soon. This release includes the following changes to the previous release:

Read more…

Sebastian Benoit (benno@) announced the release of version 9.1 of rpki-client, the essential component for routing security.

See the full announcement for further details.

Here are some key excerpts from the release announcement:

Read more…

In a fediverse post, Stefan Sperling (stsp@) announced a new hosting service:

We are building the Game of Trees Hub, a Git repository hosting service based on gameoftrees and OpenBSD, funded via an open collective.

Read more…

When a new processor is released, how long would you expect it to take before your favorite operating system adds support for it?

In the case of OpenBSD/arm64, the time lag can occasionally be measured in days if not hours.

In a recent message to tech@, Patrick Wildt (patrick@) premiered the patch to add support for the Qualcomm Snapdragon Elite X processor the day after it was officially released.

Patrick's message reads, List: openbsd-tech Subject: Qualcomm Snapdragon X Elite minimal support From: Patrick Wildt <patrick () blueri ! se> Date: 2024-06-19 20:28:08 Hi there, the Qualcomm Snapdragon Elite X machines were released yesterday, I got a Lenovo Yoga Slim 7 today, and it's already booting up with working NVMe, USB and keyboard. Wonder if I beat my last record.

Read more…

In a recent commit, Damien Miller (djm@) introduced the new sshd(8) configurations options, PerSourcePenalties and PerSourcePenaltyExemptList, to provide a built in facility in sshd(8) itself to penalize undesirable behavior, and to shield specific clients from penalty, respectively.

The commit message reads, List: openbsd-cvs Subject: CVS: cvs.openbsd.org: src From: Damien Miller <djm () cvs ! openbsd ! org> Date: 2024-06-06 17:15:26 CVSROOT: /cvs Module name: src Changes by: djm@cvs.openbsd.org 2024/06/06 11:15:26 Modified files: usr.bin/ssh : misc.c misc.h monitor.c monitor_wrap.c servconf.c servconf.h srclimit.c srclimit.h sshd-session.c sshd.c sshd_config.5 Log message: Add a facility to sshd(8) to penalise particular problematic client behaviours, controlled by two new sshd_config(5) options: PerSourcePenalties and PerSourcePenaltyExemptList.

Read more…

As noted earlier, OpenBSD-current now has IPv6 prefix delegation available via the new dhcp6leased(8) deamon.

Now before he committed the code, Florian Obser (florian@) wrote a blog post on the process of developing the new program in a piece called DHCPv6-PD - First steps.

The prologue leads in,

The single most requested feature missing in OpenBSD base directed at me is DHCPv6-PD. Recently I got a working setup at home using dhcpcd from ports and a donated Fritz!Box 6660 Cable1, 2. Time to hack on this.

He follows up with details on how the ideas and the code developed. Read the whole thing at DHCPv6-PD - First steps.

Version 0.100 of Game of Trees has been released (and the port updated).

* got 0.100; 2024-06-03 see git repository history for per-change authorship information

Read more…

Florian Obser (florian@) has committed (to -current) dhcp6leased(8), a DHCPv6 client for handling Prefix Delegation (PD):

CVSROOT: /cvs Module name: src Changes by: florian@cvs.openbsd.org 2024/06/02 06:28:05 Added files: sbin/dhcp6leased: Makefile control.c control.h dhcp6leased.8 dhcp6leased.c dhcp6leased.conf.5 dhcp6leased.h engine.c engine.h frontend.c frontend.h log.c log.h parse.y printconf.c Log message: Import dhcp6leased(8) dhcp6leased is a daemon to manage IPv6 prefix delegations. It requests a prefix from an upstream DHCPv6 server and configures downstream network interfaces. rad(8) can be used to advertise available prefixes to clients.

Read more…