Network-oriented readers will be familiar with the concept of overload tables, commonly used with state tracking options to create adaptive rulesets for such things as punishing password-guessing botnets.

A downside to tables that would tend to fill up indefinitely is that at some point they will be quite full, and the administrator would need to either manually run pfctl expire or set up a crontab entry to weed out old entries at intervals.

Now Alexandr Nedvedicky (sashan@) is airing a patch on tech@ that would add a timeout option to to tables declarations, doing away with the need to set up crontab entries to run pfctl expire.

The patch and the explanation can be found in the thread pf(4) add timeout option to ip address tables, with followup discussion where several developers and users pitch in.

The message reads,

List:       openbsd-tech
Subject:    pf(4) add timeout option to ip address tables
From:       Alexandr Nedvedicky <sashan () fastmail ! net>
Date:       2026-05-11 1:05:27

Hello,

diff below should help people who use 'overload' action in their
firewall configuration. This is how pf.conf(5) describes the
overload option:

Florian Obser (florian@) recently gave a BSD-NL talk entitled "Let's find out how to get predictable IPv6 addresses assigned to OpenBSD VMs".

Florian takes us on a guided tour of how inet6 autoconf actually works, with enlightening and entertaining peeks into selected piece of OpenBSD source.

At the end, we are asked to "now, draw the rest of the owl".

Slides are available in the usual place, and video is also available.

Version 0.125 of Game of Trees has been released (and the port updated). Note the security fixes:

• security fix: reject versioned files inside .git, .got, or .cvg directories
• security fix: crafted tree entry names could cause writes outside work tree
• fix redundant pack file cleanup when repository contains symlinks
• prevent NULL pointer dereferences when empty tree objects are encountered

Due to hardware failure, the machine hosting undeadly has gone down last week. Thanks to the kind and swift help from OpenBSD.amsterdam, we're now back online. We will source new hardware for the original machine and hopefully move back again soon.

The LibreSSL project has announced the release of version 4.3.1 of the software:

We have released LibreSSL 4.3.1, which will be arriving in the LibreSSL
directory of your local OpenBSD mirror soon.

This is a development release for the 4.3.x branch, so we appreciate
early testing and feedback. There will be no further API and ABI changes
on the 4.3 branch.

It includes a build fix from 4.3.0 and the following changes:

Jonathan Gray (jsg@) updated the version of OpenBSD -current from "7.9" to "7.9-current".

Those running the latest-and-greatest [via a sufficiently new snapshot or built from source] no longer need to use "-D snap" with pkg_add(1) (and pkg_info(1)).

Routing security matters to all of us (even those of us who seldom give the subject any thought), and the rpki-client project announced the release of a new version of their Resource Public Key Infrastructure (RPKI) client, with a number of improvements.

The announcement reads,

List:       openbsd-announce
Subject:    rpki-client 9.8 released
From:       Sebastian Benoit <benno () openbsd ! org>
Date:       2026-04-14 23:20:42


rpki-client 9.8 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon. It is recommended
that all users upgrade to this version for improved reliability.

We're a little late reporting it but…

The familiar safeguard sysctl hw.smt is now deprecated, having been replaced by a more flexible mechanism which allows discriminating between different varieties of core type.

First, Theo de Raadt (deraadt@) enabled the mechanism for OpenBSD/amd64 in this commit:

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2026/03/31 10:46:22

Modified files:
	sys/sys        : sched.h sysctl.h 
	sys/kern       : kern_sched.c kern_sysctl.c 
	sys/arch/amd64/amd64: identcpu.c machdep.c 
	sys/arch/amd64/include: cpu.h 
	lib/libc/sys   : sysctl.2 

Log message:
Some new intel machines have a new 3rd tier of cpus called LP-E which are
E-core (Atom) without L3 cache.  These v are Lethargic, and it sucks
when processes migrate to them.

OpenBSD 7.9 release cycle is entering its final phases…

With the following commit, Theo de Raadt (deraadt@) moved -current to version 7.9 (dropping the "-beta"):

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2026/04/13 11:22:23

Modified files:
	sys/conf       : newvers.sh 

Log message:
move out of -beta

For those unfamiliar with the process:
this is not the 7.9 release, but is part of the standard build-up to the release.

Remember: It's time to start using "-D snap" with pkg_add(1) (and pkg_info(1)).

(Regular readers will know what comes next…)
This serves as an excellent reminder to upgrade snapshots frequently, test both base and ports, and report problems [plus, of course, donate!].