Skip to main content
Background Image
  1. Posts/

OpenBSD 7.8 highlights

·800 words·4 mins· loading · loading ·
Rafael Sadowski
Author
Rafael Sadowski
Shut up and hack
Table of Contents

Happiness is unlimited high-speed internet connectivity
#

I think the biggest commercial use case for OpenBSD is still in the area of network security. SSH gateway, firewall, etc. Or, as with my customer, as a secure, resilient server solution that simply works.

I am even more pleased that this is really gaining momentum in the network stack:

Softnet Threading: Up to 8 softnet threads now handle network input in parallel, with the actual number limited by available CPU cores. This represents a substantial improvement in how multi-core systems process incoming network traffic.

Parallel TCP Processing. The TCP stack now runs in parallel across multiple CPUs, utilizing up to 8 threads for TCP traffic processing. However, there’s an important limitation to understand: each individual TCP connection is still bound to a single CPU. To fully leverage this parallelization, you need:

  • Multiple concurrent streams/connections
  • Network interfaces with multi-queue capabilities for packet distribution

I can only urge everyone to watch Alexander Bluhm’s talk: Update on OpenBSD Networking Performance Improvements:

Qualcomm Snapdragon DRM
#

The Direct Rendering Manager has been updated to Linux 6.12.50, bringing the latest graphics stack improvements. Additionally, two new drivers—qcdrm(4) for Qualcomm Snapdragon DRM subsystem and qcdpc(4) for DisplayPort Controller—add support for Qualcomm graphics hardware.

You may have already read it on undeadly.org, but here is a brief summary:

compiler-rt, libunwind, libcxx, libcxxabi 19.1.7
#

I’m really happy we managed to get this done for 7.8, and I’m a bit proud that I conquered this huge update. This was my first big update in src. In the end, the compiler-rt, libunwind, libcxx, libcxxabi 19.1.7 update gives us a C++ implementation with new C++20, C++23 and C++26 features in the base system.

New profiling subsystem
#

deraadt@ has introduced a completely redesigned profiling subsystem that finally works with OpenBSD security features like pledge(), unveil(), privsep, and chroot environments. The old gprof system required programs to open files at exit time, which became impossible after privilege dropping—forcing developers to disable security features just to profile code. The new system lets the kernel handle all file operations safely at process termination in a secure manner.

New lldpd(8) Daemon for LLDP Network Discovery
#

OpenBSD now includes lldpd(8), a daemon that implements the Link Layer Discovery Protocol (LLDP) for automatic network topology discovery. LLDP allows network devices to advertise their identity, capabilities, and neighbors on Ethernet networks—essential for network documentation, troubleshooting, and automated configuration.

The daemon leverages OpenBSD’s recently introduced AF_FRAME Ethernet sockets to efficiently listen for LLDP packets across all Ethernet interfaces simultaneously. Received LLDP advertisements are stored and made available through a control socket, allowing the lldp(8) client to fetch and display information about neighboring network devices. This brings standards-based network discovery capabilities to OpenBSD without requiring external tools, making it easier to map network topologies and identify connected switches, routers, and other LLDP-capable devices.

Raspberry Pi 5 Support Landing in -current
#

OpenBSD now includes preliminary support for the Raspberry Pi 5. Thanks to work by Marcus Glocker (mglocker@) and Mark Kettenis (kettenis@), the popular single-board computer can now boot OpenBSD, though several features remain works-in-progress: PCIe storage HATs aren’t yet supported due to missing U-Boot functionality, WiFi on “d0” revision boards is non-functional, and the active cooling fan doesn’t work pending PWM and clock driver development.

Xenocara
#

libpng support brings emoji rendering in the base system. Without that, we don’t know what all the AI tools are trying to tell us in the terminal. So just 😎. We’re going with the hype!

SSH
#

OpenSSH 10.0 introduces intelligent IP Quality of Service (QoS) handling that dynamically adapts to actual session types and traffic patterns. Instead of applying static QoS markings, SSH now adjusts DSCP (Differentiated Services Code Point) values based on whether you’re running an interactive shell, transferring files, or forwarding other protocols.

A personal highlight: OpenSSH now forces the use of post-quantum key exchange algorithms by default:

** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html

Daemons
#

Significant development continues across several core network daemons: bgpd(8) and rpki-client(8) receive regular improvements as part of OpenBSD’s focus on routing security and RPKI validation. LibreSSL maintains its steady evolution as OpenBSD’s TLS implementation, while OpenIKED released version 7.4 with further IPsec/IKEv2 enhancements. Game of Trees (got), a version control system, shows active development momentum with frequent feature additions and refinements.

However, development activity on httpd(8) and relayd(8) has noticeably slowed, with fewer commits and feature improvements compared to previous release cycles. Both tools remain functional and stable but lack the active development attention seen in other parts of the userland ecosystem.

It is premature to declare Layer 7 Userland “dead”, but it needs new maintainers.