OpenBSD Journal

Introducing an OpenBSD LLDP daemon

Contributed by Peter N. M. Hansteen on from the know yer neighbor ethernetly dept.

Our favorite operating system may be on the verge of having an LLDP (Link Layer Discovery Protocol) daemon added to the base system. David Gwynne (dlg@) is circulating a patch on tech@ that introduces the daemon:

List:       openbsd-tech
Subject:    LLDP daemon and display tool
From:       David Gwynne <david () gwynne ! id ! au>
Date:       2025-04-24 3:49:53

this adds a small daemon and command line tool for receiving and
displaying LLDP messages from neighbors connected to Ethernet
interfaces.

the daemon is called olldpd(8) to avoid colliding with the existing
lldpd from ports. the command line tool is lldp(8).

it uses the AF_FRAME sockets that were recently added rather than BPF.
this means it retains fewer privileges while it's running because it
doesn't have to open and configure BPF devices when new interfaces
appear in the system. avoiding BPF means it has basically 0 impact on
the kernel packet path because AF_FRAME is handled as a last resort for
packets rather than up front for every packet on an interface.

Read more…

Introducing bpflogd(8): capture packets via BPF to log files

Contributed by Peter N. M. Hansteen on from the deeply logged packets dept.

In a recent post to tech@, David Gwynne (dlg@) introduced a new daemon to log packets from BPF.

The message reads:

List:       openbsd-tech
Subject:    bpflogd(8): capture packets via BPF to log files
From:       David Gwynne <david () gwynne ! id ! au>
Date:       2025-04-24 5:44:53

this is basically pflogd(8), but different.

the reason it exists is because i needed to continuously log some packets
from span ports coming from multiple switches to try and help debug a
network issue that only seems to occur every couple of months. pflogd
provides that for a single pflog interface, but i needed it on multiple
ethernet interfaces.

Read more…

Game of Trees 0.111 released

Contributed by rueda on from the again-and-again-and dept dept.

Version 0.111 of Game of Trees has been released (and the port updated, with additional useful information in the commit message):

  • introduce gotsysd: configure gotd servers by committing to gotsys.git repo
  • make gotd run 'gotsys check' on gotsys.conf commits before accepting them
  • make gotd run 'gotsys apply' when the gotsys.git repo receives changes
  • add a missing malloc failure check to gotd's repo_write process
  • make got clone/fetch work against Git servers which do not speak English
  • stop processing more messages upon error in gotd repo_write process
  • close file descriptors passed to gotd_imsg_compose_event() on failure
  • potential fix for use-after-free in lib/repository.c's match_packed_object()
  • make gotd return an informative error when the connection limit is exceeded
  • in gotctl info, display the time when a client connection was created
  • add reload support to gotd, triggered via 'gotctl reload', not via SIGHUP!
  • test S_ISREG in parse_ref_file() explicitly rather than via getline(3)
  • release ref-file lock when fstat fails in parse_ref_file()
  • do not treat unhandled signals as a fatal error in gotwebd
  • fix an edge case of tog spinning when 'B' is pressed in log view
  • stop using got_repo_map_path() in gotwebd to fix spurious realpath(3) errors
  • avoid creation of pack_fds array when not needed, saving file descriptors
  • gotwebd now runs as the _gotwebd user by default, rather than "www"
  • gotwebd can now serve repositories outside the /var/www chroot directory
  • the gotwebd.conf repos_path directive is no longer relative to the chroot
  • get rid of the gotwebd-specific libexec helpers in /var/www/bin/gotwebd
  • improve gotwebd behaviour when sending data to already disconnected clients
  • plug some memory leaks in got-send-pack and got-fetch-pack
  • fix got-fetch-http performance when server sends chunked HTTP responses

Graphed and measured: running TCP input in parallel

Contributed by Peter N. M. Hansteen on from the measured packets dept.

Over on tech@, Alexander Bluhm (bluhm@) is airing a patch to improve parallel TCP input, and is looking for testers:

List:       openbsd-tech
Subject:    running TCP input in parallel
From:       Alexander Bluhm <bluhm () openbsd ! org>
Date:       2025-04-17 16:53:19

Hi,

To run tcp_input() in parallel efficiently, we have to lock the
socket in a smart way.  I have measured multiple variants.

http://bluhm.genua.de/perform/results/2025-04-16T09:33:58Z/perform.html

The relevant TCP graph is here.

http://bluhm.genua.de/perform/results/2025-04-16T09:33:58Z/gnuplot/tcp.html
http://bluhm.genua.de/perform/results/2025-04-16T09:33:58Z/gnuplot/tcp6.html

First column (left) is no locking at all, just exclusive net lock.

Read more…

rpki-client 9.5 released

Contributed by rueda on from the all the good routes dept.

The OpenBSD project has announced the release of version 9.5 of rpki-client:

rpki-client 9.5 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon. It is recommended
that all users upgrade to this version for improved reliability.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties to facilitate
validation of BGP announcements. The program queries the global RPKI
repository system and validates untrusted network inputs. The program
outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads
in configuration formats suitable for OpenBGPD and BIRD, and supports
emitting CSV and JSON for consumption by other routing stacks.

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit
as part of the OpenBSD Project.

This release includes the following changes to the previous release:

- rpki-client now includes arin.tal which is no longer legally encumbered.
  See https://www.arin.net/announcements/20250116-tal/

- rpki-client reports Certification Authorities that do not meaningfully
  participate in the RPKI as non-functional CAs. By definition, a CA is
  non-functional if there is no currently valid Manifest. The number of
  such CAs is printed at the end of each run and more detailed information
  is available in the JSON (-j) and ometrics (-m) output.

- OpenBSD reliability errata 014:
  Incorrect internal RRDP state handling in rpki-client can lead to a
  denial of service. Affected are rpki-client versions 7.5 - 9.4.

- Termination of rsync child processes with SIGTERM is no longer treated as
  an error if rpki-client has sent this signal. This only affects openrsync.

- Do not exit filemode with an error if a .gbr or a .tak object contains
  control characters in its UTF-8 strings. Instead, only warn and emit a
  sanitized version in JSON output.

Upcoming breaking change:

- Starting with release 9.6, rpki-client will emit all key identifiers
  (AKI and SKI) encoded in JSON as bare hex strings without colons.

Read more…

OpenIKED 7.4 Released

Contributed by rueda on from the IPSEC facto dept.

The OpenBSD project has announced the release of OpenIKED 7.4:

We have released OpenIKED 7.4, which will be arriving in the OpenIKED
directory of your local OpenBSD mirror soon.

This release includes the following changes to the previous release:

 * Fixed a double free bug in ECDH

 * Added a natt config option that forces negotiation of nat-t
   (and udpencap) for a policy

 * Made config file verification not require root permissions

 * Fixed a bug where iked was retransmitting fragments too eagerly

 * Tightened apparmor sandboxing on Linux

 * Various other bug fixes, compatibility fixes and documentation
   improvements

Read more…

OpenSSH 10.0 Released

Contributed by Peter N. M. Hansteen on from the SSH! next, turn it to eleven dept.

The OpenSSH project has announced their latest release, OpenSSH 10.0.

The announcement and release notes read:

OpenSSH 10.0/10.0p1 (2025-04-09)

OpenSSH 10.0 was released on 2025-04-09. It is available from the
mirrors listed at https://www.openssh.com/.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Potentially-incompatible changes
--------------------------------

 * This release removes support for the weak DSA signature
   algorithm, completing the deprecation process that began in
   2015 (when DSA was disabled by default) and repeatedly warned
   over the last 12 months.

Read more…

New sysctl(8) -f option supports reading entire settings file in one go

Contributed by Peter N. M. Hansteen on from the ctl my sys dept.

If you have ever been irked by having to enter a sequence of sysctl(8) commands to achieve things like enabling forwarding for IPv4 and IPv6 both, help is at hand.

In a recent commit, Klemens Nanni (kn@) added functionality to have the classic command read multiple settings from a file:

Subject:    CVS: cvs.openbsd.org: src
From:       Klemens Nanni <kn () cvs ! openbsd ! org>
Date:       2025-04-05 14:09:06
Message-ID: f3c322a675a4cd33 () cvs ! openbsd ! org

CVSROOT:	/cvs
Module name:	src
Changes by:	kn@cvs.openbsd.org	2025/04/05 08:09:06

Modified files:
	sbin/sysctl    : sysctl.8 sysctl.c 

Log message:
Add [-f file] to apply sysctl.conf in one go

Read more…


OpenBSD Errata

OpenBSD 7.6

015  2025-04-13  SECURITY     In Perl, non-ASCII bytes in the left-hand-side of the `tr` operator can overflow an insufficiently sized buffer. CVE-2024-56406
014  2025-04-09  RELIABILITY  Incorrect internal RRDP state handling in rpki-client can lead to a denial of service.
013  2025-04-09  SECURITY     sshd(8) fix the DisableForwarding directive, which was failing to disable X11 forwarding and agent forwarding as documented.
012  2025-04-09  SECURITY     iked(8) and isakmpd(8) fix double-free in ecdh mode.
011  2025-04-01  RELIABILITY  In libexpat fix regression of behavior introduced by previous errata.
010  2025-03-18  SECURITY     In libexpat fix crash caused by stack overflow during recursion. CVE-2024-8176


OpenBSD 7.5

025  2025-04-13  SECURITY     In Perl, non-ASCII bytes in the left-hand-side of the `tr` operator can overflow an insufficiently sized buffer. CVE-2024-56406
024  2025-04-09  RELIABILITY  Incorrect internal RRDP state handling in rpki-client can lead to a denial of service.
023  2025-04-09  SECURITY     sshd(8) fix the DisableForwarding directive, which was failing to disable X11 forwarding and agent forwarding as documented.
022  2025-04-09  SECURITY     iked(8) and isakmpd(8) fix double-free in ecdh mode.
021  2025-04-01  RELIABILITY  In libexpat fix regression of behavior introduced by previous errata.
020  2025-03-25  SECURITY     Prevent out-of-bounds write in FreeType heap. CVE-2025-27363


Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]