From: Kristof Provost
To: "Herbert J. Skuhra"
Cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: Re: git: 54c62e3e5d8c - main - pf: work around icmp6 packet-too-big not being sent when binat-ing
Date: Tue, 23 Jan 2024 19:42:10 +0100
Message-ID: <1E1C3472-0AF3-457B-A27A-89679770EA62@FreeBSD.org>
In-Reply-To: <87v87jkii9.wl-herbert@gojira.at>
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

On 23 Jan 2024, at 19:32, Herbert J. Skuhra wrote:

> On Mon, 22 Jan 2024 13:52:51 +0100, Kristof Provost wrote:
>>
>> The branch main has been updated by kp:
>>
>> URL: https://cgit.FreeBSD.org/src/commit/?id=54c62e3e5d8cd90c5571a1d4c8c5f062d580480e
>>
>> commit 54c62e3e5d8cd90c5571a1d4c8c5f062d580480e
>> Author:     Kristof Provost
>> AuthorDate: 2024-01-17 17:11:27 +0000
>> Commit:     Kristof Provost
>> CommitDate: 2024-01-22 11:52:14 +0000
>>
>>     pf: work around icmp6 packet-too-big not being sent when binat-ing
>>
>>     If we're applying NPTv6 we pass a packet with a modified source and/or
>>     destination address to the network stack.
>>
>>     If that packet then turns out to be larger than the MTU of the sending
>>     interface the stack will attempt to generate an icmp6 packet-too-big
>>     error, but may fail to look up the appropriate source address for that
>>     error message. Even if it does, pf would still have to undo the binat
>>     operation inside the icmp6 packet so the sending host can make sense of
>>     the error.
>>
>>     We can avoid both problems entirely by having pf also perform the MTU
>>     check (taking the potential refragmentation into account), and
>>     generating the icmp6 error directly in pf.
>>
>>     See also:       https://redmine.pfsense.org/issues/14290
>>     Sponsored by:   Rubicon Communications, LLC ("Netgate")
>>     Differential Revision:  https://reviews.freebsd.org/D43499
>> ---
>>  sys/net/pfvar.h          |  1 +
>>  sys/netpfil/pf/pf.c      | 12 ++++++++++++
>>  sys/netpfil/pf/pf_norm.c | 15 +++++++++++++++
>>  3 files changed, 28 insertions(+)
>
> Does this change cause problems for others too?
>
> - ssh over IPv6 permanently disconnecting
>   (client_loop: send disconnect: Broken pipe)
> - ssh connections over IPv6 hanging
> - git pull not working
>   Fssh_ssh_dispatch_run_fatal: Connection to 2604:1380:4091:a001::24ca:1 port 22: Permission denied
>   fatal: Could not read from remote repository.
>

Can you include your pf.conf and a packet capture demonstrating one of these issues?

Best regards,
Kristof
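Added example, not part of the original thread and not code from the pf commit: the commit message says pf would have to undo the binat operation inside the icmp6 packet for the sending host to make sense of the error. The Python below parses a constructed packet-too-big message and shows the quoted source address before and after that step. The prefixes, addresses, helper names, the host-matching model and the plain prefix swap (in place of a real NPTv6 mapping) are all assumptions.

```python
import ipaddress
import struct

ICMP6_PACKET_TOO_BIG = 2  # ICMPv6 type (RFC 4443)
# Constructed documentation prefixes and host address (assumptions).
INTERNAL = ipaddress.IPv6Network("2001:db8:1::/64")
EXTERNAL = ipaddress.IPv6Network("2001:db8:ffff::/64")
HOST = ipaddress.IPv6Address("2001:db8:1::10")

def build_ptb(mtu, src, dst, payload_len=1460):
    """Constructed sample: packet-too-big quoting one IPv6 header (checksum 0)."""
    quoted = struct.pack("!IHBB", 6 << 28, payload_len, 6, 64)  # version 6, TCP
    quoted += ipaddress.IPv6Address(src).packed
    quoted += ipaddress.IPv6Address(dst).packed
    return struct.pack("!BBHI", ICMP6_PACKET_TOO_BIG, 0, 0, mtu) + quoted

def parse_ptb(msg):
    """Return (mtu, quoted_src, quoted_dst), or None if msg is not a usable PTB."""
    if len(msg) < 48 or msg[0] != ICMP6_PACKET_TOO_BIG or msg[8] >> 4 != 6:
        return None
    mtu = struct.unpack_from("!I", msg, 4)[0]
    return mtu, ipaddress.IPv6Address(msg[16:32]), ipaddress.IPv6Address(msg[32:48])

def host_accepts(msg, local_addrs):
    """Model (assumption): the sender only acts on an error that quotes a
    packet it sent, i.e. one whose quoted source is one of its addresses."""
    parsed = parse_ptb(msg)
    return parsed is not None and parsed[1] in local_addrs

def undo_binat_in_quote(msg, internal=INTERNAL, external=EXTERNAL):
    """Map the quoted source back from the external to the internal prefix.
    Simplified prefix swap, not pf's code; the ICMPv6 checksum is not redone."""
    parsed = parse_ptb(msg)
    if parsed is None or parsed[1] not in external:
        return msg
    host_bits = int(parsed[1]) & int(external.hostmask)
    restored = ipaddress.IPv6Address(int(internal.network_address) | host_bits)
    return msg[:16] + restored.packed + msg[32:]

if __name__ == "__main__":
    # Error generated after translation: it quotes the translated source.
    raw = build_ptb(1280, "2001:db8:ffff::10", "2001:db8:2::1")
    print(parse_ptb(raw), host_accepts(raw, {HOST}))
    fixed = undo_binat_in_quote(raw)
    print(parse_ptb(fixed), host_accepts(fixed, {HOST}))
```

The same `parse_ptb` fields (type 2, the advertised MTU, the quoted addresses) are what to look for in a packet capture of a stalled IPv6 session.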