Would it be useful for our system security to let daemons use the bpf(4) interface to filter on the sockets they handle?

In a recent message to tech@ titled bpf filtering on arbitrary sockets, Damien Miller (djm@) presents a preliminary patch and explains,

List:       openbsd-tech
Subject:    bpf filtering on arbitrary sockets
From:       Damien Miller <djm () mindrot ! org>
Date:       2025-10-30 5:03:00

Hi,

This is an idea that came up while talking with dlg@ about network
daemons.

Quite a few programs and daemons use SOCK_RAW to send link-level packets
after pledge(). E.g. usr.sbin/relayd/check_icmp.c wants to send ICMP
packets.

The problem with this is that, if they get compromised, they still hold
a very powerful socket that can send pretty much arbitrary packets. If
one of these programs gets compromised then the attacker can pretty
easily pivot through the existing raw socket.

As some readers tell us whenever they have the chance, the veb(4) virtual Ethernet bridge device is an OpenBSD feature that can make certain setups a lot more manageable than otherwise possible.

Now David Gwynne (dlg@) is fielding a patch on tech@ that would make veb(4) even more capable, by making the device vlan(4) aware.

In the message to tech@, David explains:

List:       openbsd-tech
Subject:    make veb(4) VLAN aware
From:       David Gwynne <david () gwynne ! id ! au>
Date:       2025-10-29 5:54:42

veb(4) is currently vlan unaware, meaning that it assumes that there's a
single "namespace" for the mac addresses used by packets handled by the
bridge. by default it blocks vlan (and svlan) packets, but if you allow
it carry vlan packets it ignores the vlan tag when doing the mac address
lookups.

adding vlan awareness means that every mac address the bridge learns
is now associated with a vlan identifier (vid). ie, the same mac
in two different vlans will get separate entries in the forwarding
database.

The OpenBSD project has announced OpenBSD 7.8, its 59^th release.

The new release contains a number of significant improvements, including but certainly not limited to:

• Preliminary support for Raspberry Pi 5 added [See earlier report]
• New profiling subsystem [See earlier report]
• TCP input now runs in parallel [See earlier report]
• Parallel TCP input has been optimised [See earlier report]
• vmm(4)/vmd(8) now support SEV-ES on AMD processors
• vmd(8) send/receive functionality was removed [See commit]
• watch(1) utility added [See earlier report]
• New acpiwmi(4) driver for ACPI Windows Management Instrumentation (WMI) [See earlier report]
• New EFI boot(8) "machine fwsetup" command for rebooting into the firmware user interface
• The installer now prefers disks over 1GB [See earlier report]
• rc.d(8) and rcctl(8) gained "-q" options [See commits]
• Font caching no longer runs as root [See earlier report]
• New erspan(4) driver for ERSPAN Type II collection [See earlier report]
• LLDP daemon and tool have been added [See earlier report]
• bpflogd(8) has been added [See earlier report]
• pkg_add -u no longer advises file removal [See earlier report]
• Yubikey OTP support disabled [See earlier report]
• acme-client(1) now supports draft-ietf-acme-profiles-00 specifications for certificate profiles, such as those offered by Let's Encrypt - see acme-client.conf(5) "profile" keyword
• TearFree option backported to modesetting(4) driver [See earlier report]
• libpng has been bundled into libfreetype for improved font rendering [See commits]
• stdio(3)'s FILE is now opaque [See earlier report]
• clang(1)/llvm/lld(1) updated to version 19 [See earlier report]
• C++ library updated [See earlier report]
• OpenSMTPD 7.7.0p0 [See earlier report]
• LibreSSL 4.2.0[See earlier report]
• OpenSSH 10.2 [See earlier reports on releases of versions 10.2 & 10.1]:
  • ssh-agent(1) and sshd(8) listener sockets moved from /tmp to under ~/.ssh/agent [See earlier report]
  • DSA signature support removed [See earlier report]
  • New ssh(1) configuration directive, RefuseConnection [See earlier report]
  • It is now possible to use Ed25519 keys hosted on PKCS#11 tokens [See earlier report]
  • ssh(1) now issues a warning when the connection negotiates a non-post-quantum key agreement algorithm
  • OpenSSH will now adapt IP QoS to actual sessions and traffic [See earlier report]

See the full changelog for more details of the changes made over this latest six month development cycle.

The Installation Guide details how to get the system up and running with a fresh install, while those who already run earlier releases should follow the Upgrade Guide, in most cases using sysupgrade(8).

Readers are encouraged to celebrate the new release by donating to the project to support further development of our favourite OS!

Following a discussion on ports@, Robert Nagy (robert@) committed VA-API [hardware-assisted video - see previous report] support to the chromium, iridium, and ungoogled-chromium ports.

Note that:

• Updated (binary) packages for amd64 are just starting to become available.
• Intel GPUs requires ports graphics/intel-media-driver [and/]or graphics/intel-vaapi-driver.
• Firefox already has VA-API support.

Update:
Now disabled again. Plus, we were wrong about Firefox. Thanks for the comments!

The project to implement WPA3 support for OpenBSD 802.11 wireless has now been funded by a grant from the NLNet Foundation.

The work is to be carried out by Stefan Sperling (stsp@) and Chirpy Software.

The announcement states,

This project delivers the second open-source implementation of WPA3, the current industry standard for Wi-Fi encryption, specifically for the OpenBSD operating system. Its code can also be integrated by other operating systems to enable modern Wi-Fi encryption, thereby enhancing the diversity and resilience of the global IT ecosystem.

The project has an October 2025 start date, which likely means that work to implement even better Wi-Fi support in our favorite operating system is already under way. Read more from the announcement at the NLNet Foundation website.

We look forward to seeing the tangible results in future commits!

The LibreSSL project has announced their latest release LibreSSL 4.2.0, with numerous improvements. The release announcement reads,

List:       openbsd-announce
Subject:    LibreSSL 4.2.0 Released
From:       Brent Cook <busterb () gmail ! com>
Date:       2025-10-14 14:19:28


We have released LibreSSL 4.2.0, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon. This is the
first stable release for the 4.2.x branch, also to be available with OpenBSD 7.8

It includes the following changes from LibreSSL 4.1.0:

Cranking up the heat for the upcoming OpenBSD 7.8 release, the OpenSSH project has issued OpenSSH 10.2.

This is a bugfix release that supersedes the previously announced OpenSSH 10.1 in time for the general release.

From the release notes:

Changes since OpenSSH 10.1
==========================

This is a bugfix release, primarily to fix a problem that rendered
ssh(1) unusable when ControlPersist was enabled.

Jonathan Gray (jsg@) updated the version of OpenBSD -current from "7.8" to "7.8-current".

Those running the latest-and-greatest [via a sufficiently new snapshot or built from source] no longer need to use "-D snap" with pkg_add(1) (and pkg_info(1)).

The OpenSSH project has released OpenSSH 10.1, which is also the release that will be part of the upcoming OpenBSD 7.8 release.

The release was marked by a very unobtrusive sequence of www commits, with the first saying simply

List:       openbsd-cvs
Subject:    CVS: cvs.openbsd.org: www
From:       Damien Miller <djm () cvs ! openbsd ! org>
Date:       2025-10-06 7:11:57


CVSROOT:	/cvs
Module name:	www
Changes by:	djm@cvs.openbsd.org	2025/10/06 01:11:57

Added files:
	openssh/txt    : release-10.1 

Log message:
openssh-10.1 release notes

which points to the OpenSSH 10.1 release notes, giving a fuller description of the new release.

If you're running -current or jumping snapshot to snapshot, you should already be running code equal to or very close to this.