[Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 09 Aug 2024 09:31:18 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701

--- Comment #3 from doktornotor <doktornotor@mailinator.com> ---
(In reply to Kristof Provost from comment #1)

This bug is trivially reproducible.

- Dead simple WAN (DHCP) and LAN (static /24).
- The traffic is a simple traceroute from a LAN machine.
- Ruleset attached above.

Broken with the SA applied:

> tracert 8.8.8.8

Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  gw.localdomain [192.168.1.1]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     8 ms     7 ms     8 ms  dns.google [8.8.8.8]
Working without the SA applied:

> tracert 8.8.8.8

Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  gw.localdomain [192.168.1.1]
  2     7 ms     6 ms     6 ms  <redacted>.tmcz.cz [redacted]
  3     *        *        *     Request timed out.
  4     8 ms     8 ms     8 ms  213.29.94.201
  5     8 ms     8 ms     8 ms  192.178.68.76
  6     8 ms     8 ms     8 ms  192.178.98.175
  7     8 ms     8 ms     8 ms  209.85.245.247
  8     7 ms     7 ms     7 ms  dns.google [8.8.8.8]

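A diagnostic added here (not from the bug report or from FreeBSD) that parses tracert/traceroute output and flags the shape seen in the broken trace: the gateway and the destination answer while every hop in between times out. Intermediate hops reply only with ICMP time-exceeded errors, so a firewall that stops matching those errors to the probe's state produces exactly this pattern; the hop-line regex and the heuristic are assumptions, and the sample traces are constructed.

```python
import re

# Constructed samples modelled on the two traces in the report (not copied
# verbatim): with the SA applied every hop between the gateway and the
# destination times out; without it only one hop is silent.
BROKEN = """\
  1    <1 ms    <1 ms    <1 ms  gw.localdomain [192.168.1.1]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     8 ms     7 ms     8 ms  dns.google [8.8.8.8]
"""
WORKING = """\
  1    <1 ms    <1 ms    <1 ms  gw.localdomain [192.168.1.1]
  2     7 ms     6 ms     6 ms  203.0.113.1
  3     *        *        *     Request timed out.
  4     8 ms     8 ms     8 ms  dns.google [8.8.8.8]
"""

# A hop line starts with the hop number; this works for Windows tracert and
# for Unix traceroute output ("  2  * * *").  A hop "replied" if at least
# one RTT value ("<1 ms", "8 ms", "7.123 ms") is present.
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
RTT_RE = re.compile(r"<?\d+(?:\.\d+)? ms")


def parse_hops(output):
    """Return [(hop_number, replied)] for every hop line in the text."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if m:
            hop, rest = int(m.group(1)), m.group(2)
            hops.append((hop, bool(RTT_RE.search(rest))))
    return hops


def icmp_errors_dropped(hops):
    """Heuristic for the symptom in the report: first hop and final
    destination answer, but every hop in between is silent.  A single
    silent hop (a router that rate-limits or never sends time-exceeded)
    is normal and is not flagged."""
    if len(hops) < 3:
        return {"suspect": False, "silent_hops": []}
    middle = hops[1:-1]
    silent = [h for h, replied in middle if not replied]
    suspect = hops[0][1] and hops[-1][1] and len(silent) == len(middle)
    return {"suspect": suspect, "silent_hops": silent}


if __name__ == "__main__":
    for name, trace in (("broken", BROKEN), ("working", WORKING)):
        print(name, icmp_errors_dropped(parse_hops(trace)))
```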