From: bugzilla-noreply@freebsd.org
To: net@FreeBSD.org
Subject: [Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)
Date: Wed, 04 Sep 2024 07:37:37 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 14.1-RELEASE
X-Bugzilla-Keywords: regression
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: freebsd_email@congenio.de
X-Bugzilla-Status: Open
X-Bugzilla-Assigned-To: net@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net
Sender: owner-freebsd-net@FreeBSD.org
MIME-Version: 1.0

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701

--- Comment #70 from Dr. Uwe Meyer-Gruhl ---

I am only speaking for me, but from a "downstream user" perspective, and I do not want to sound disrespectful. I acknowledge and appreciate the hard work that has been put into FreeBSD.

However, when the first problem with this specific SA was raised and test cases had been provided, a band-aid was tried, which did not fix all the problems the SA had created. Again this was reported but quickly dismissed as a "downstream problem" - which, AFAIK, was not the first time this has happened.

Another band-aid was done, which reportedly still does not contain all of the fixes that OpenBSD had done in the years before.

Discussing why this SA with that far of a reach was applied anyway is spilled milk (tm), but there is always a tradeoff between security and usability. If that SA really seemed so important, it should have been handled with more care from the beginning.

In both of these cases, the fixes were not discussed here (only automatic hints for other patches could be seen), test coverage seems barely sufficient and there was no comeback to us reporters to re-test anything.

So, as far as communication goes, this is by far the worst I have seen so far.

There would be two ways to solve this:

1. Tell us here what has been done so far and communicate to enable us to re-test specific bugs, or

2. Point us to the "leading" bug report where the impact of the SA fixes is reported / handled and close this bug.

Randomly changing code behind the scenes and expecting us to follow along is not the right way, IMHO.

While it is true that the bugs caused by the SA may affect "normal" FreeBSD users less than those who use one of the downstream router platforms, networking is a core requirement for any decent OS anyway.

I do not know what proportion of all FreeBSD users uses those router platforms, but they are surely affected by the bugs. Thus, dismissing those problems as "downstream" is inadequate from any perspective.

Of course, FreeBSD "owes" downstream nothing, but ironically, this SA and the bugs first and foremost affect the pf subsystem. pf is the most given reason not to migrate said router platforms to Linux, simply because Linux does not have it. From my point of view, pf is one of the crown jewels of FreeBSD - as opposed to, say, driver coverage.

If that were not so, a migration like from TrueNAS Core to TrueNAS Scale might have happened already for the router platforms.

So my take would be for the FreeBSD project to consider whether better coverage of exactly the pf / networking subsystem, and taking reports from the downstream projects that actually use them, should be taken more seriously.

-- 
You are receiving this mail because:
You are the assignee for the bug.