OpenBSD developers have addressed a critical limitation in their PF firewall's queuing system, which previously capped bandwidth values at approximately 4.29 Gbps due to an internal 32-bit restriction on the HFSC service curve structure (struct hfsc_sc). This fix not only removes this bottleneck but also corrects a display issue with pftop(1), where bandwidth values above 4 Gbps were shown incorrectly. With the new patch, users can now configure PF queue bandwidth up to 999 Gbps, making it suitable for modern high-speed network interfaces that support speeds of 10G, 25G, and beyond. Existing configurations below 4 Gbps will continue to work without any changes.
For sysadmins running high-speed networks on OpenBSD, this patch is crucial because it ensures that configured bandwidth values are applied as written, without silent wraparound or unpredictable scheduling behavior. For example, a sysadmin managing a homelab with Proxmox VE and Docker containers connected via 10 Gbps network interfaces can now configure PF queue bandwidth to match the full capacity of these links. This matters wherever precise traffic shaping is required for optimal performance and resource allocation.
- The fix removes an internal 32-bit limitation in struct hfsc_sc, allowing bandwidth values up to 999 Gbps, which caters to modern network interfaces with speeds of 10G, 25G, and beyond. This ensures that PF can handle the throughput these interfaces support.
- The patch corrects a display bug in pftop(1), ensuring accurate representation of bandwidth values above 4 Gbps. Sysadmins can now rely on the displayed data for monitoring network traffic accurately.
- Users can update their existing configurations to take advantage of the new bandwidth limits without any syntax changes, maintaining backward compatibility and ease of transition.
- The change impacts all OpenBSD users with high-speed networking needs, but it also benefits those who may upgrade in the future as the system is now prepared for higher throughput requirements.
- For environments running Proxmox VE or Docker on top of Linux distributions, if they're using PF from OpenBSD (e.g., via cross-compiling), this fix ensures consistent performance and reliability when setting up network policies.
This update directly affects users with homelab setups that include high-speed networking. For instance, sysadmins running Proxmox VE version 7.x or Docker on Linux may find themselves in a position where their OpenBSD-based firewalls need to be updated for full compatibility and performance.
- Upgrade to the latest OpenBSD -current snapshot by following the official documentation at https://www.openbsd.org/faq/current.html. Ensure you're running a snapshot built after March 20th, 2026, so that it includes the patch.
- Review and adjust your pf.conf(5) file to include bandwidth values up to 999 Gbps if needed for modern high-speed interfaces. Use commands like 'queue rootq on em0 bandwidth 10G' to set appropriate limits.
- Test the updated configurations using pftop(1) to ensure accurate display and correct behavior of bandwidth settings, especially above 4 Gbps.
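To support the pf.conf review step above, the following added example (not code from OpenBSD or from the original article) scans queue rules for bandwidth values that do not fit in an unsigned 32-bit field and shows what such a value becomes if it silently wraps. It assumes decimal K/M/G suffixes, checks the bandwidth/min/max/burst keywords, and models the wrap as truncation modulo 2^32; the sample ruleset is constructed.

```python
import re

U32_MAX = 2**32 - 1  # 4,294,967,295 bit/s, the ~4.29 Gbps cap described above
# Assumption: suffixes are decimal multipliers of bits per second.
MULT = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}
SPEC = re.compile(r"\b(bandwidth|min|max|burst)\s+(\d+(?:\.\d+)?)([KMG]?)\b")

def audit(conf_text):
    """Return (line, keyword, bits_per_sec, wrapped_value) for each queue
    bandwidth spec that exceeds what a 32-bit field can hold."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        rule = line.split("#", 1)[0]          # drop trailing comments
        if not rule.lstrip().startswith("queue"):
            continue                          # only queue definitions matter
        for keyword, number, suffix in SPEC.findall(rule):
            bps = round(float(number) * MULT[suffix])
            if bps > U32_MAX:
                # bps & U32_MAX is the value left after 32-bit truncation
                findings.append((lineno, keyword, bps, bps & U32_MAX))
    return findings

# Constructed sample ruleset (em0 is the interface name used in the article).
SAMPLE = """\
queue rootq on em0 bandwidth 10G
queue web parent rootq bandwidth 6G max 8G
queue ssh parent rootq bandwidth 500M min 100M
queue bulk parent rootq bandwidth 3G default  # below the old cap
"""

if __name__ == "__main__":
    for lineno, keyword, bps, wrapped in audit(SAMPLE):
        print(f"line {lineno}: {keyword} {bps / 1e9:g} Gbps exceeds 32 bits; "
              f"a wrapped value would be {wrapped / 1e9:.2f} Gbps")
```

Any rule this reports needs a system that includes the fix; rules it does not report behave the same before and after the upgrade.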