[Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)
Date: Sat, 24 Aug 2024 04:41:17 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701

--- Comment #46 from Franco Fichtner <franco@opnsense.org> ---

Ok here we go:

https://cgit.freebsd.org/src/commit/?id=534ee17e61

This first SA commit adds state tracking to ND_NEIGHBOR_SOLICIT/ND_NEIGHBOR_ADVERT that wasn't there before. From packet captures you can see solicit being unanswered for a while with that commit applied (or all other SA related commits).

As a stopgap I disabled state tracking via:

https://github.com/opnsense/src/commit/ee7b012c54

This brings the solicit/advertise back to the state before the SA was introduced. All solicits are immediately answered. No solicits are repeated by the external router.

These are two relevant commits from OpenBSD regarding the matter:

https://github.com/openbsd/src/commit/2633ae8c4c8a
https://github.com/openbsd/src/commit/49f39043a02d

You can see that the second commit also disables state tracking for solicit messages like the stopgap patch. Since solicit is the one that is not being answered by a system running the SA, I am fairly certain that this is the same problem scope.

Anyone got a thought why this could not be relevant to FreeBSD?

Cheers,
Franco

--
You are receiving this mail because:
You are the assignee for the bug.
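
The symptom described in the comment above (solicits going unanswered for a while and being repeated) can be checked in a capture by pairing each neighbor solicitation with the advertisement that answers it. The following is an added example, not part of the original message or of any FreeBSD/OPNsense code; the record layout, the `summarize` helper, the `max_delay` threshold and the sample addresses are assumptions made for illustration.

```python
# ICMPv6 Neighbor Discovery message types (RFC 4861).
NS, NA = 135, 136

# Constructed sample: (time_s, icmp6_type, src, target) records as they might
# be extracted from a capture. Addresses use the 2001:db8::/32 doc prefix.
SAMPLE = [
    (0.00, NS, "fe80::1", "2001:db8::10"),    # first solicit, no answer
    (1.00, NS, "fe80::1", "2001:db8::10"),    # router retransmits
    (2.00, NS, "fe80::1", "2001:db8::10"),    # router retransmits again
    (2.01, NA, "2001:db8::10", "2001:db8::10"),
    (30.00, NS, "fe80::1", "2001:db8::20"),   # answered immediately
    (30.001, NA, "2001:db8::20", "2001:db8::20"),
    (60.00, NS, "fe80::1", "2001:db8::30"),   # never answered in the capture
]

def summarize(events, max_delay=0.5):
    """Pair solicits with adverts per target address.

    Returns one dict per solicit burst with the number of solicits sent,
    the delay from the first solicit to the advert, and a status of
    'ok', 'delayed' (retransmitted or slow) or 'unanswered'.
    """
    pending = {}  # target -> timestamps of solicits still awaiting an advert
    report = []
    for t, icmp_type, _src, target in sorted(events):
        if icmp_type == NS:
            pending.setdefault(target, []).append(t)
        elif icmp_type == NA and target in pending:
            times = pending.pop(target)
            delay = round(t - times[0], 3)
            slow = len(times) > 1 or delay > max_delay
            report.append({"target": target, "solicits": len(times),
                           "delay": delay,
                           "status": "delayed" if slow else "ok"})
        # Unsolicited adverts (no pending solicit) are ignored.
    for target, times in pending.items():
        report.append({"target": target, "solicits": len(times),
                       "delay": None, "status": "unanswered"})
    return report

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```
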