[Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 24 Aug 2024 03:01:36 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701

--- Comment #45 from Franco Fichtner <franco@opnsense.org> ---
> we are not seeing this issue manifest itself in the stock FreeBSD kernel once the fixes are applied

I appreciate the whole of FreeBSD insiders sticking together on this.

Though I'd like to verify what you said: Is this a statement based on
observation of main, stable/14, releng/14.1, releng/13.3? One, all? And are you
talking about traceroute not working as initially suggested or neighbor
discoveries being ignored intermittently specifically as found out later? Or
both?

I agree that traceroute seems fixed.  This isn't in dispute.

The evidence for the neighbor discovery suggests otherwise as we tested each
commit in the original SA in a controlled environment that has no other
changes at all.  This is specifically with code from releng/14.1 although I
don't see how a commit within the scope of any applicable FreeBSD branch (or
downstream projects) coupled with a relevant user side ruleset for pf would not
be affected in this case.

I'm reading hereby FreeBSD doesn't see a neighbor discovery problem. Whether or
not this is because it all works as expected is covered by test cases or purely
by evidence with existing machines by developers is left to be guessed.

I'm seeing intermittent IPv6 connectivity drops as well now. We have daily user
reports regarding this now. It's hard to pin it down which is likely where the
boldness in believing this doesn't apply to FreeBSD comes from. Fine, I
understand why this message is being put out.

I'm refraining from posting more links to our crowdsourced test methods for
lack of enthusiasm from this end in the meantime and report back when we have
proper evidence. I just don't want anyone to be surprised after the fact.


Cheers,
Franco
