David Gwynne (dlg@) has introduced source and state limiters, which provide a massive increase in the flexibily of pf traffic limiting:

CVSROOT:	/cvs
Module name:	src
Changes by:	dlg@cvs.openbsd.org	2025/11/10 21:06:20

Modified files:
	sbin/pfctl     : parse.y pfctl.8 pfctl.c pfctl_parser.c 
	                 pfctl_parser.h 
	share/man/man5 : pf.conf.5 
	sys/net        : pf.c pf_ioctl.c pf_table.c pfvar.h pfvar_priv.h 

Log message:
introduce source and state limiters in pf.

both source and state limiters can provide constraints on the number
of states that a set of rules can create, and optionally the rate
at which they are created. state limiters have a single limit, but
source limiters apply limits against a source address (or network).
the source address entries are dynamically created and destroyed,
and are also limited.

Several recent commits have improved sysupgrade(8) handling of low free disk space in /usr:

Firstly, Stuart Henderson (sthen@) modified the installer to increase free space prior to installing:

CVSROOT:	/cvs
Module name:	src
Changes by:	sthen@cvs.openbsd.org	2025/11/01 06:54:17

Modified files:
	distrib/miniroot: install.sub 

Log message:
Before extracting on an upgrade, remove share/relink/*, not just
share/relink/usr/lib/*. The old files aren't useful post-upgrade and
this increases the chance of successfully extracting base*.tgz files,
so that people low on space in /usr have a better chance of getting
into the system after a reboot.

"install.sub can delete the entire relink space" deraadt@

Following the previous reverted attempt [see earlier report], Robert Nagy (robert@) committed VA-API [hardware-assisted video - see previous report] support to the chromium and ungoogled-chromium ports. The iridium port can be expected to follow on next update.

Note that:

• Updated (binary) packages are not yet available at the time of writing.
• Intel GPUs requires ports graphics/intel-media-driver [and/]or graphics/intel-vaapi-driver.

Omar Polo (op@) has announced that OpenSMTPD 7.8.0p0 has been released.

Read on for salient changes from the release announcement:

Brent Cook has announced that LibreSSL 4.1.2 and 4.2.1 have been released.

The release notes read:

Would it be useful for our system security to let daemons use the bpf(4) interface to filter on the sockets they handle?

In a recent message to tech@ titled bpf filtering on arbitrary sockets, Damien Miller (djm@) presents a preliminary patch and explains,

List:       openbsd-tech
Subject:    bpf filtering on arbitrary sockets
From:       Damien Miller <djm () mindrot ! org>
Date:       2025-10-30 5:03:00

Hi,

This is an idea that came up while talking with dlg@ about network
daemons.

Quite a few programs and daemons use SOCK_RAW to send link-level packets
after pledge(). E.g. usr.sbin/relayd/check_icmp.c wants to send ICMP
packets.

The problem with this is that, if they get compromised, they still hold
a very powerful socket that can send pretty much arbitrary packets. If
one of these programs gets compromised then the attacker can pretty
easily pivot through the existing raw socket.

As some readers tell us whenever they have the chance, the veb(4) virtual Ethernet bridge device is an OpenBSD feature that can make certain setups a lot more manageable than otherwise possible.

Now David Gwynne (dlg@) is fielding a patch on tech@ that would make veb(4) even more capable, by making the device vlan(4) aware.

In the message to tech@, David explains:

List:       openbsd-tech
Subject:    make veb(4) VLAN aware
From:       David Gwynne <david () gwynne ! id ! au>
Date:       2025-10-29 5:54:42

veb(4) is currently vlan unaware, meaning that it assumes that there's a
single "namespace" for the mac addresses used by packets handled by the
bridge. by default it blocks vlan (and svlan) packets, but if you allow
it carry vlan packets it ignores the vlan tag when doing the mac address
lookups.

adding vlan awareness means that every mac address the bridge learns
is now associated with a vlan identifier (vid). ie, the same mac
in two different vlans will get separate entries in the forwarding
database.

The OpenBSD project has announced OpenBSD 7.8, its 59^th release.

The new release contains a number of significant improvements, including but certainly not limited to:

• Preliminary support for Raspberry Pi 5 added [See earlier report]
• New profiling subsystem [See earlier report]
• TCP input now runs in parallel [See earlier report]
• Parallel TCP input has been optimised [See earlier report]
• vmm(4)/vmd(8) now support SEV-ES on AMD processors
• vmd(8) send/receive functionality was removed [See commit]
• watch(1) utility added [See earlier report]
• New acpiwmi(4) driver for ACPI Windows Management Instrumentation (WMI) [See earlier report]
• New EFI boot(8) "machine fwsetup" command for rebooting into the firmware user interface
• The installer now prefers disks over 1GB [See earlier report]
• rc.d(8) and rcctl(8) gained "-q" options [See commits]
• Font caching no longer runs as root [See earlier report]
• New erspan(4) driver for ERSPAN Type II collection [See earlier report]
• LLDP daemon and tool have been added [See earlier report]
• bpflogd(8) has been added [See earlier report]
• pkg_add -u no longer advises file removal [See earlier report]
• Yubikey OTP support disabled [See earlier report]
• acme-client(1) now supports draft-ietf-acme-profiles-00 specifications for certificate profiles, such as those offered by Let's Encrypt - see acme-client.conf(5) "profile" keyword
• TearFree option backported to modesetting(4) driver [See earlier report]
• libpng has been bundled into libfreetype for improved font rendering [See commits]
• stdio(3)'s FILE is now opaque [See earlier report]
• clang(1)/llvm/lld(1) updated to version 19 [See earlier report]
• C++ library updated [See earlier report]
• OpenSMTPD 7.7.0p0 [See earlier report]
• LibreSSL 4.2.0[See earlier report]
• OpenSSH 10.2 [See earlier reports on releases of versions 10.2 & 10.1]:
  • ssh-agent(1) and sshd(8) listener sockets moved from /tmp to under ~/.ssh/agent [See earlier report]
  • DSA signature support removed [See earlier report]
  • New ssh(1) configuration directive, RefuseConnection [See earlier report]
  • It is now possible to use Ed25519 keys hosted on PKCS#11 tokens [See earlier report]
  • ssh(1) now issues a warning when the connection negotiates a non-post-quantum key agreement algorithm
  • OpenSSH will now adapt IP QoS to actual sessions and traffic [See earlier report]

See the full changelog for more details of the changes made over this latest six month development cycle.

The Installation Guide details how to get the system up and running with a fresh install, while those who already run earlier releases should follow the Upgrade Guide, in most cases using sysupgrade(8).

Readers are encouraged to celebrate the new release by donating to the project to support further development of our favourite OS!

Following a discussion on ports@, Robert Nagy (robert@) committed VA-API [hardware-assisted video - see previous report] support to the chromium, iridium, and ungoogled-chromium ports.

Note that:

• Updated (binary) packages for amd64 are just starting to become available.
• Intel GPUs requires ports graphics/intel-media-driver [and/]or graphics/intel-vaapi-driver.
• Firefox already has VA-API support.

Update:
Now disabled again. Plus, we were wrong about Firefox. Thanks for the comments!