From: bugzilla-noreply@freebsd.org
To: net@FreeBSD.org
Subject: [Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)
Date: Wed, 04 Sep 2024 08:54:20 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 14.1-RELEASE
X-Bugzilla-Keywords: regression
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Status: Open

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701

--- Comment #71 from commit-hook@FreeBSD.org ---
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=0121a4baaca09049d130d830aa9179e3cb9c9e88

commit 0121a4baaca09049d130d830aa9179e3cb9c9e88
Author:     Kristof Provost
AuthorDate: 2024-08-26 12:59:38 +0000
Commit:     Kristof Provost
CommitDate: 2024-09-04 08:38:15 +0000

    pf: improve the ICMPv6 direction check

    Following bluhm's advice this changes the way we setup state keys
    and perform state lookups for ICMPv6 Neighbor Discovery packets:

    - replace the NS-dst with ND target address;
    - replace the NA-src with ND target address;
    - replace the NA-dst with unspecified address if it is a multicast.

    This allows pf to match Address Resolution, Neighbor Unreachability
    Detection and Duplicate Address Detection packets to the corresponding
    states without the need to create new ones or match unrelated ones.

    As a side effect we're doing now one state table lookup for ND packets
    instead of two.

    Fixes a bug uncovered by one of the previous commits that virtually
    breaks IPv6 connectivity after few minutes of use.

    ok stsp henning, with and ok bluhm

    PR:             280701
    MFC after:      1 week
    Obtained from:  OpenBSD, mikeb, 2633ae8c4c8a
    Sponsored by:   Rubicon Communications, LLC ("Netgate")

    (cherry picked from commit 5ab1e5f7e5585558a73b723f07528977a82cee82)

 sys/net/pfvar.h        |   4 +-
 sys/netpfil/pf/pf.c    | 116 ++++++++++++++++++++++++++++++++++---------------
 sys/netpfil/pf/pf_lb.c |   2 +-
 3 files changed, 85 insertions(+), 37 deletions(-)

-- 
You are receiving this mail because:
You are the assignee for the bug.
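The three key substitutions listed in the commit message, modelled as an added example that is not pf's code and not part of the commit. `struct nd_key`, `nd_key_build`, `ip6` and `na_matches_ns` are hypothetical names, the addresses are constructed, and the model assumes a reply matches a state when its key equals the state's key with the two sides swapped.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

enum { ND_NS = 135, ND_NA = 136 }; /* ICMPv6 NS / NA type codes */
/* Hypothetical simplified key: a[0] = source side, a[1] = destination side. */
struct nd_key { struct in6_addr a[2]; };

/* Apply the three substitutions from the commit message to one ND packet. */
static struct nd_key nd_key_build(int type, struct in6_addr src,
    struct in6_addr dst, struct in6_addr target)
{
	struct nd_key k;
	k.a[0] = src;
	k.a[1] = dst;
	if (type == ND_NS) {
		k.a[1] = target;              /* NS-dst -> ND target */
	} else if (type == ND_NA) {
		k.a[0] = target;              /* NA-src -> ND target */
		if (IN6_IS_ADDR_MULTICAST(&dst))
			k.a[1] = in6addr_any; /* multicast NA-dst -> :: */
	}
	return k;
}

/* Parse a constructed IPv6 literal; an invalid string yields ::. */
static struct in6_addr ip6(const char *s)
{
	struct in6_addr a;
	if (inet_pton(AF_INET6, s, &a) != 1)
		a = in6addr_any;
	return a;
}

/* 1 if the NA's key equals the NS state's key with the two sides swapped. */
static int na_matches_ns(const char *ns_src, const char *ns_dst,
    const char *target, const char *na_src, const char *na_dst)
{
	struct nd_key st = nd_key_build(ND_NS, ip6(ns_src), ip6(ns_dst), ip6(target));
	struct nd_key pk = nd_key_build(ND_NA, ip6(na_src), ip6(na_dst), ip6(target));
	return memcmp(&st.a[0], &pk.a[1], sizeof(st.a[0])) == 0 &&
	    memcmp(&st.a[1], &pk.a[0], sizeof(st.a[1])) == 0;
}
/* Constructed DAD exchange: NS from ::, NA sent to all-nodes multicast. */
int main(void)
{
	printf("%d\n", na_matches_ns("::", "ff02::1:ff00:2", "2001:db8::2", "2001:db8::2", "ff02::1"));
	return 0;
}
```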