Our favorite operating system is in the process of aquiring Encapsulated Remote Switch Port Analyzer (ERSPAN) support, in the form of a new virtual network interface, dubbed erspan(4).

An early version of the code, but possibly close to being ready for further development in-tree was presented by David Gwynne (dlg@) in a message to tech@:

List:       openbsd-tech
Subject:    erspan(4): ERSPAN Type II collection
From:       David Gwynne <david () gwynne ! id ! au>
Date:       2025-05-12 1:27:59

we were exploring how to better let us see what's happening on access
networks or specific ports on a switch at work. our switches are
pretty much all cisco, which has ERSPAN.

ERSPAN in it's various forms ships Ethernet packets over GRE for
collection and analysis on another system. There's 3 types of ERSPAN
encapsulation, but Type II seems broadly implemented.

Over on tech@, Ted Unangst (tedu@) is airing a patch to introduce better support ACPI WMI, looking for tests and comments:

List:       openbsd-tech
Subject:    acpi wmi asus driver
From:       "Ted Unangst" <tedu () tedunangst ! com>
Date:       2025-05-11 1:57:07

My newish ASUS laptop needs WMI to handle hotkeys like backlight toggle.

More importantly, for me, it's needed to handle the Fn-F hotkey to switch
fan/performance profiles. The system is far more pleasant to use in whisper
mode. I also notice a substantial improvement in battery life, without much
performance difference. It affects the power limits, but more long term I
think.

Alexander Bluhm (bluhm@) has committed changes which eliminate contention by caching the socket lock in TCP input:

CVSROOT:	/cvs
Module name:	src
Changes by:	bluhm@cvs.openbsd.org	2025/05/07 08:10:19

Modified files:
	sys/net        : if.c if_var.h 
	sys/netinet    : tcp_input.c tcp_var.h 

Log message:
Cache socket lock during TCP input.

Parallel TCP input is running for a few days now and looks quite
stable.  Final step is to implement caching of the socket lock.
Without large receive offloading (LRO) in the driver layer, it is
very likely that consecutive TCP segments are in the input queue.
This leads to contention of the socket lock between TCP input and
socket receive syscall from userland.

Following its recent introduction on tech@ [See earlier article], David Gwynne (dlg@) has committed bpflogd(8) to the tree:

CVSROOT:	/cvs
Module name:	src
Changes by:	dlg@cvs.openbsd.org	2025/05/06 19:41:59

Added files:
	usr.sbin/bpflogd: Makefile bpflogd.8 bpflogd.c log.c log.h 

Log message:
bpflogd(8): capture packets from BPF and write them to a log file

this is like pflogd(8), but different. the main differences are:

Following its recent introduction on tech@ [See earlier article], David Gwynne (dlg@) has committed lldpd(8) to the tree:

CVSROOT:	/cvs
Module name:	src
Changes by:	dlg@cvs.openbsd.org	2025/05/02 00:12:53

Added files:
	usr.sbin/lldpd : Makefile lldpctl.h lldpd.8 lldpd.c log.c log.h 
	                 pdu.c pdu.h 

Log message:
lldpd(8): a daemon that acts as an LLDP agent on Ethernet interfaces.

lldpd uses the recently added AF_FRAME Ethernet sockets to listen
for LLDP packets on all Ethernet interfaces in the system, and
stores them so a lldp(8) client connecting to the control socket
can fetch and display the packets.

Damien Miller (djm@) has completed the planned [See previous articles] removal of DSA signature support from OpenSSH:

CVSROOT:	/cvs
Module name:	src
Changes by:	djm@cvs.openbsd.org	2025/05/05 23:40:56

Modified files:
	usr.bin/ssh    : sshkey.h sshkey.c sshd.c sshd-session.c 
	                 sshd-auth.c sshconnect.c ssh_config ssh.c 
	                 ssh-keysign.c ssh-keyscan.c ssh-keygen.c 
	                 ssh-add.c readconf.c pathnames.h hostfile.c 
	                 dns.c authfile.c authfd.c PROTOCOL 
Removed files:
	usr.bin/ssh    : ssh-dss.c 

Log message:
finally remove DSA signature support from OpenSSH.

feedback/ok tb@, ok deraadt@

The editors would like to encourage our readers to arrange a proper wake for this one.
Please keep going until we can be quadruply sure it's all gone.

In a message to tech@ with the subject "die DSA die", Damien Miller (djm@) presents a diff that will remove the last bits of DSA support from OpenSSH:

List:       openbsd-tech
Subject:    die DSA die
From:       Damien Miller <djm () mindrot ! org>
Date:       2025-05-05 6:34:15

This finally removes all the remaining bits of DSA support from
OpenSSH and fixes up the regress tests that I could run.

I'm not set up to run the ssh.com interop tests so it's possible
they are broken by this.

ok?

Index: usr.bin/ssh/authfd.c
[ … ]

followed by the diff that implements the change.

(An earlier Undeadly article provides some background on DSA removal.)

Note that Damien asks for testing help here -- if you are able to help testing this change before it goes in for real, please do!

A long discussion on tech@ (initiated by a suggestion/patch from Jesper Wallin) has culminated in Damien Miller (djm@) committing changes which increase security by taking advantage of the use of unveil(2) elsewhere in the OpenBSD ecosystem:

CVSROOT:	/cvs
Module name:	src
Changes by:	djm@cvs.openbsd.org	2025/05/04 20:48:07

Modified files:
	usr.bin/ssh/sshd-session: Makefile 
	usr.bin/ssh/sshd-auth: Makefile 
	usr.bin/ssh/ssh-agent: Makefile 
	usr.bin/ssh    : ssh-agent.c ssh-agent.1 session.c pathnames.h 
	                 misc.h misc.c hostfile.c 

Log message:
Move agent listener sockets from /tmp to under ~/.ssh/agent for both
ssh-agent(1) and forwarded sockets in sshd(8).

This ensures processes (such as Firefox) that have restricted
filesystem access that includes /tmp (via unveil(3)) do not have the
ability to use keys in an agent.

Klemens Nanni (kn@) has committed the his proposed change [See previous article] such that the OpenBSD installer now prefers disks over 1GB when prompting for the root disk. The commit message explains the change:

CVSROOT:	/cvs
Module name:	src
Changes by:	kn@cvs.openbsd.org	2025/05/04 06:32:41

Modified files:
	distrib/miniroot: install.sub 

Log message:
Prefer disks bigger than 1G as default root disk on install

-current picks the alphanumerically first disk as default, which isn't the
beset choice if install media, softraid(4) key disks or small external media
attaches before the disk one intends to use.