[Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 23 Aug 2024 08:52:01 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701

--- Comment #39 from Franco Fichtner <franco@opnsense.org> ---
The evidence is the original SA patch series which spans hundreds of lines of
code changes and a lack of actual test coverage. The lack of benefit of doubt
is strange in my opinion.

I can revert only these patches and the problem disappears. Do you want to know
which exact commit is responsible? I can offer you this information.

The further evidence is that pfctl -d fixes missing ND responses immediately on
affected systems.

You wouldn't see these issues unless you used pf heavily coupled with IPv6
connectivity.  These things are not prevalent in FreeBSD users, but they will
certainly manifest in pfSense quite soon as well.  I can see that with other
patch submissions I have done over the past few weeks for FreeBSD 14.1, none of
which have been wilfully looked at by the relevant authors of bugs in
FreeBSD 14.0 and 14.1. I guess we can continue this hide and seek, but I would
rather have it that we work together to fix issues within FreeBSD production
releases together?


Cheers,
Franco
