OpenBSD 7.8 Highlights

Original link: https://rsadowski.de/posts/2025/openbsd-78/

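OpenBSD 7.8 brings significant networking performance and security improvements. Key updates include major enhancements to the network stack, with softnet threads and parallel TCP processing, which need multi-core systems and multi-queue network interfaces to be fully utilized. New Qualcomm Snapdragon graphics drivers extend hardware support.

Security has been strengthened: the redesigned profiling subsystem is compatible with OpenBSD security features such as `pledge()` and `unveil()`, and OpenSSH 10.0 now uses post-quantum key exchange algorithms by default. New tools such as `lldpd(8)` provide standards-based network discovery.

Development continues on core daemons such as `bgpd(8)` and `LibreSSL`, while `got` is actively gaining features. However, development of `httpd(8)` and `relayd(8)` has slowed, indicating a need for new maintainers. Preliminary Raspberry Pi 5 support is also included, though some limitations remain. Finally, thanks to the libpng update, the base system now supports emoji rendering.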

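## OpenBSD 7.8 Highlights - Summary

The latest OpenBSD 7.8 release sparked discussion on Hacker News; one key highlight is native emoji rendering added through libpng support. While some users welcomed it, others prefer to stay emoji-free.

The discussion focused mainly on OpenBSD's core strengths and ideal use cases. Users agreed that it excels for small infrastructure such as name servers, routers, and web/mail servers, and is valued for its predictability and ease of management. Its networking capabilities are particularly strong, and excellent documentation makes router/gateway setup straightforward.

Although it can be used as a desktop operating system, it best suits users who like a minimal, terminal-first experience. Users praised the high quality and reliability of OpenBSD's software packaging. Many commenters confirmed that they use OpenBSD as their daily driver, valuing its simplicity and consistent performance.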
Original article

## Happiness is unlimited high-speed internet connectivity

I think the biggest commercial use case for OpenBSD is still in the area of network security. SSH gateway, firewall, etc. Or, as with my customer, as a secure, resilient server solution that simply works.

I am even more pleased that this is really gaining momentum in the network stack:

Softnet Threading: Up to 8 softnet threads now handle network input in parallel, with the actual number limited by available CPU cores. This represents a substantial improvement in how multi-core systems process incoming network traffic.

Parallel TCP Processing: The TCP stack now runs in parallel across multiple CPUs, utilizing up to 8 threads for TCP traffic processing. However, there’s an important limitation to understand: each individual TCP connection is still bound to a single CPU. To fully leverage this parallelization, you need:

  • Multiple concurrent streams/connections
  • Network interfaces with multi-queue capabilities for packet distribution

I can only urge everyone to watch Alexander Bluhm’s talk: Update on OpenBSD Networking Performance Improvements.

## Qualcomm Snapdragon DRM

The Direct Rendering Manager has been updated to Linux 6.12.50, bringing the latest graphics stack improvements. Additionally, two new drivers—qcdrm(4) for Qualcomm Snapdragon DRM subsystem and qcdpc(4) for DisplayPort Controller—add support for Qualcomm graphics hardware.

You may have already read it on undeadly.org, but here is a brief summary:

## compiler-rt, libunwind, libcxx, libcxxabi 19.1.7

I’m really happy we managed to get this done for 7.8, and I’m a bit proud that I conquered this huge update. This was my first big update in src. In the end, the compiler-rt, libunwind, libcxx, libcxxabi 19.1.7 update gives us a C++ implementation with new C++20, C++23 and C++26 features in the base system.

## New profiling subsystem

deraadt@ has introduced a completely redesigned profiling subsystem that finally works with OpenBSD security features like pledge(), unveil(), privsep, and chroot environments. The old gprof system required programs to open files at exit time, which became impossible after privilege dropping—forcing developers to disable security features just to profile code. The new system lets the kernel handle all file operations safely at process termination in a secure manner.

## New lldpd(8) Daemon for LLDP Network Discovery

OpenBSD now includes lldpd(8), a daemon that implements the Link Layer Discovery Protocol (LLDP) for automatic network topology discovery. LLDP allows network devices to advertise their identity, capabilities, and neighbors on Ethernet networks—essential for network documentation, troubleshooting, and automated configuration.

The daemon leverages OpenBSD’s recently introduced AF_FRAME Ethernet sockets to efficiently listen for LLDP packets across all Ethernet interfaces simultaneously. Received LLDP advertisements are stored and made available through a control socket, allowing the lldp(8) client to fetch and display information about neighboring network devices. This brings standards-based network discovery capabilities to OpenBSD without requiring external tools, making it easier to map network topologies and identify connected switches, routers, and other LLDP-capable devices.
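To show what an LLDP advertisement carries, the following added example (not lldpd(8) code and not from the original post) decodes the Chassis ID, Port ID, TTL and System Name TLVs from one Ethernet frame. The function names and the sample frame (MAC addresses, `em0`, `gw1.example.net`) are constructed for illustration.

```python
import struct

LLDP_ETHERTYPE = 0x88CC
TLV_END, TLV_CHASSIS, TLV_PORT, TLV_TTL, TLV_SYSNAME = 0, 1, 2, 3, 5

def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length, then the value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

def parse_lldp(frame):
    """Decode one LLDP Ethernet frame; fields are unauthenticated sender claims."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    info = {"source_mac": frame[6:12].hex(":")}
    off = 14
    while off + 2 <= len(frame):
        (header,) = struct.unpack_from("!H", frame, off)
        tlv_type, length = header >> 9, header & 0x1FF
        value = frame[off + 2 : off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        off += 2 + length
        if tlv_type == TLV_END:
            break
        if tlv_type in (TLV_CHASSIS, TLV_PORT):
            if length < 2:
                raise ValueError("ID TLV without subtype or value")
            subtype, ident = value[0], value[1:]
            # Chassis ID subtype 4 and Port ID subtype 3 carry a MAC address.
            is_mac = subtype == (4 if tlv_type == TLV_CHASSIS else 3)
            text = ident.hex(":") if is_mac else ident.decode("utf-8", "replace")
            info["chassis_id" if tlv_type == TLV_CHASSIS else "port_id"] = text
        elif tlv_type == TLV_TTL:
            if length != 2:
                raise ValueError("TTL TLV must be two bytes")
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_SYSNAME:
            info["system_name"] = value.decode("utf-8", "replace")
    return info

# Constructed sample frame (not captured traffic).
SAMPLE = (
    bytes.fromhex("0180c200000e" "020000000001" "88cc")
    + tlv(TLV_CHASSIS, b"\x04" + bytes.fromhex("020000000001"))
    + tlv(TLV_PORT, b"\x05" + b"em0")
    + tlv(TLV_TTL, struct.pack("!H", 120))
    + tlv(TLV_SYSNAME, b"gw1.example.net")
    + tlv(TLV_END, b"")
)
```

Because LLDP frames carry no authentication, a topology map built from these fields should be cross-checked against switch configuration before it is trusted.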

## Raspberry Pi 5 Support Landing in -current

OpenBSD now includes preliminary support for the Raspberry Pi 5. Thanks to work by Marcus Glocker (mglocker@) and Mark Kettenis (kettenis@), the popular single-board computer can now boot OpenBSD, though several features remain works-in-progress: PCIe storage HATs aren’t yet supported due to missing U-Boot functionality, WiFi on “d0” revision boards is non-functional, and the active cooling fan doesn’t work pending PWM and clock driver development.

## Xenocara

libpng support brings emoji rendering in the base system. Without that, we don’t know what all the AI tools are trying to tell us in the terminal. So just 😎. We’re going with the hype!

## SSH

OpenSSH 10.0 introduces intelligent IP Quality of Service (QoS) handling that dynamically adapts to actual session types and traffic patterns. Instead of applying static QoS markings, SSH now adjusts DSCP (Differentiated Services Code Point) values based on whether you’re running an interactive shell, transferring files, or forwarding other protocols.

A personal highlight: OpenSSH now forces the use of post-quantum key exchange algorithms by default:

** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
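
One way to find the servers that would trigger this warning, as an added example that is not part of the original post or of OpenSSH: it reads `ssh -v` debug output and flags each session whose `kex: algorithm` is not one of OpenSSH's hybrid post-quantum methods. The function name, hostnames, addresses and log lines are constructed.

```python
import re

# Hybrid post-quantum key exchange methods implemented by OpenSSH.
PQ_KEX = {
    "mlkem768x25519-sha256",
    "sntrup761x25519-sha512",
    "sntrup761x25519-sha512@openssh.com",
}
HOST_RE = re.compile(r"debug1: Connecting to (\S+) ")
KEX_RE = re.compile(r"debug1: kex: algorithm: (\S+)")


def audit_kex(log):
    """Return (host, kex, is_post_quantum) per session in `ssh -v` output.

    A session that never reached key exchange is reported with kex=None.
    """
    results, pending = [], None
    for line in log.splitlines():
        m = HOST_RE.match(line)
        if m:
            if pending is not None:
                results.append((pending, None, False))
            pending = m.group(1)
            continue
        m = KEX_RE.match(line)
        if m and pending is not None:
            # Only the first negotiation per session; later rekeys are skipped.
            results.append((pending, m.group(1), m.group(1) in PQ_KEX))
            pending = None
    if pending is not None:
        results.append((pending, None, False))
    return results


# Constructed sample of concatenated `ssh -v` output (hosts are placeholders).
SAMPLE_LOG = """\
debug1: Connecting to bastion.example.net [192.0.2.10] port 22.
debug1: kex: algorithm: mlkem768x25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: Connecting to legacy.example.net [198.51.100.7] port 22.
debug1: kex: algorithm: curve25519-sha256
debug1: Connecting to down.example.net [203.0.113.5] port 22.
ssh: connect to host down.example.net port 22: Connection refused
"""

if __name__ == "__main__":
    for host, kex, pq in audit_kex(SAMPLE_LOG):
        print(f"{host}: {kex or 'no key exchange'} ({'PQ' if pq else 'NOT PQ'})")
```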

## Daemons

Significant development continues across several core network daemons: bgpd(8) and rpki-client(8) receive regular improvements as part of OpenBSD’s focus on routing security and RPKI validation. LibreSSL maintains its steady evolution as OpenBSD’s TLS implementation, while OpenIKED released version 7.4 with further IPsec/IKEv2 enhancements. Game of Trees (got), a version control system, shows active development momentum with frequent feature additions and refinements.

However, development activity on httpd(8) and relayd(8) has noticeably slowed, with fewer commits and feature improvements compared to previous release cycles. Both tools remain functional and stable but lack the active development attention seen in other parts of the userland ecosystem.

It is premature to declare Layer 7 Userland “dead”, but it needs new maintainers.
