(Open) Widevine support added to the chromium port
Contributed by rueda on from the veni-vidi-vine dept.
(Open) Widevine support added to the
pf: make af-to less magical
Contributed by Peter N. M. Hansteen on from the raising my family dept.
Seasoned networkers will know to tell you that legacy IPv4 and modern IPv6 are, in fact, not directly compatible, and shipping traffic between IPv4 and IPv6 networks requires address family translation.
On our favorite operating system and its siblings, that special case has been handled via the af-to option and special case rules since back in the OpenBSD 5.1 days.
But that special case has always felt a bit awkward to some, and now David Gwynne (dlg@) is airing a patch on tech@ with a view to making af-to "less magical".
In the message titled pf: make af-to less magical, David explains the motivation,
List: openbsd-tech Subject: pf: make af-to less magical From: David Gwynne <david () gwynne ! id ! au> Date: 2026-01-16 2:11:57 Message-ID: aWmebWvdwBi6z98j () animata ! net i only recently figured out that af-to is very special in pf, but i dont think it should be. currently af-to has the following restrictions: 1. it only works for incoming packets, ie, you can only use it on "pass in" rules in pf. 2. it forces the translated packet to be forwarded. a consequence of these, and 2 in particular, is that only one state is created for an af-to connection over the firewall. this is unlike other forwarded connections where there's generally two states created, one when the packet comes in from the wire into the stack, and another when the packet goes out from the stack to the wire.
OpenBSD-current now runs as guest under Apple Hypervisor
Contributed by Peter N. M. Hansteen on from the hyper-armed dept.
Following a recent series of commits by Helg Bredow (
helg@) and Stefan Fritsch (sf@), OpenBSD/arm64 now works as a guest operating system under the Apple Hypervisor.
The commits read
List: openbsd-cvs Subject: CVS: cvs.openbsd.org: src From: Helg Bredow <helg () cvs ! openbsd ! org> Date: 2026-01-12 18:15:33 CVSROOT: /cvs Module name: src Changes by: helg@cvs.openbsd.org 2026/01/12 11:15:33 Modified files: sys/dev/pv : viogpu.c Log message: viogpu_wsmmap() returns a kva but instead should return a physical address via bus_dmamem_mmap(9). Without this, QEMU would only show a black screen when starting X11. On the Apple Hypervisor, the kernel would panic.
MAXCPUS on OpenBSD/amd64-current is now 255
Contributed by Peter N. M. Hansteen on from the strengthen your core muscles dept.
With these two commits, Mike Larkin (
mlarkin@) set the stage for, and next up, bumped the maximum number of processors supported on OpenBSD/amd64 from 64 to 255.
The first commit message reads,
List: openbsd-cvs Subject: CVS: cvs.openbsd.org: src From: Mike Larkin <mlarkin () cvs ! openbsd ! org> Date: 2026-01-14 21:25:26 CVSROOT: /cvs Module name: src Changes by: mlarkin@cvs.openbsd.org 2026/01/14 14:25:26 Modified files: sys/arch/amd64/amd64: pmap.c Log message: Support more than 64 bits for amd64 TLB shootdown IPI masks
rpki-client 9.7 released
Contributed by Peter N. M. Hansteen on from the not the roto rooter dept.
The rkpi-client project has made a new release, rkpi-client 9.7, available with important new features and bug fixes.
The announcement reads,
Subject: rpki-client 9.7 released From: Sebastian Benoit <benno () openbsd ! org> Date: 2026-01-13 21:05:05 rpki-client 9.7 has just been released and will be available in the rpki-client directory of any OpenBSD mirror soon. It is recommended that all users upgrade to this version for improved reliability. rpki-client is a FREE, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties to facilitate validation of BGP announcements. The program queries the global RPKI repository system and validates untrusted network inputs. The program outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads in configuration formats suitable for OpenBGPD and BIRD, and supports emitting CSV and JSON for consumption by other routing stacks.
LACP mode removed from trunk(4)
Contributed by rueda on from the nett-loss-of-netlock dept.
David Gwynne (dlg@)
has removed LACP mode from the
trunk(4) network driver.
The
commit message
explains the reasoning:
CVSROOT: /cvs Module name: src Changes by: dlg@cvs.openbsd.org 2026/01/11 21:38:15 Modified files: share/man/man4 : trunk.4 sys/conf : files sys/net : if_trunk.c Log message: removelacpsupport from trunk(4)lacpis better supported by aggr(4). users oflacpin trunk(4) should migrate to aggr(4). trunk(4) and thelacpsupport inside it is one of the last chunks of code that still requires the netlock in the ethernet stack. the last time i tried to fix this i ended up writing aggr(4), and nothing about this code has improved since then. the other protos such as failover and loadbalance are trivial in comparison and will be easy to improve in the future. discussed with and no objections from many
David also added an
entry
to the "Following current" FAQ
with additional details
and an example of migration to aggr(4).
Miod talks about HP/PA boot blocks
Contributed by Janne Johansson on from the HPPA me up before you go-og dept.
Veteran OpenBSD developer Miod Vallat (
miod@) has written another deep dive article on porting our favorite operating system to a new platform and maintaining the code, this time the OpenBSD/hppa platform.
The piece titled The scariest boot loader code certainly lives up to the title!
If you're the right type of person, you will know to set aside a goodly chunk of time for this piece.
OpenBGPD 9.0 released
Contributed by Peter N. M. Hansteen on from the all the good routers dept.
The OpenBGPD project have announced their new release, OpenBGPD 9.0.
The announcement reads,
List: openbsd-announce
Subject: OpenBGPD 9.0 released
From: Claudio Jeker <claudio () openbsd ! org>
Date: 2025-12-30 13:23:11
We have released OpenBGPD 9.0, which will be arriving in the
OpenBGPD directory of your local OpenBSD mirror soon.
This release includes the following changes to the previous release:
* Rewrite the Adj-RIB-Out handling to be more memory efficent
and faster. For large IXP route server deployments a reduction
in memory usage of more than 50% should be feasible.
* Process UPDATE messages in two phases: first update Adj-RIB-In,
Loc-RIB, and FIB, then process all the Adj-RIB-Out tables.
This significantly reduces the latency since updating all the
Adj-RIB-Out tables could take a fair amount of time.
* Introduce CH hash tables - a scalable hash map implementation
that boosts performance through improved cache locality.
* Introduce new metrics that track the amount of time spent in
various parts of the main event loop of the route decision engine.
* Fix various non-criticial things uncovered by Coverity scanner.
fw_update(8) now checks dmesg(8) output in addition to dmesg.boot
Contributed by rueda on from the firmly-present dept.
Thanks to a
commit
by Andrew Hewus Fresh (afresh1@),
fw_update(8)
now checks
the output of [runtime]
dmesg(8)
in addition to the [boot-time] file
/var/run/dmesg.boot.
The commit message explains the rationale:
CVSROOT: /cvs Module name: src Changes by: afresh1@cvs.openbsd.org 2025/12/26 11:19:46 Modified files: usr.sbin/fw_update: fw_update.sh fw_update.8 Log message: Scan both dmesg.boot and dmesg(8) output for devices This allows us to detect newly plugged in devices that need firmware added while still making sure to detect devices available at boot even if dmesg rolls over with noisy messages. fixes and ok kn@ I think this is good deraadt@
