[Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701 Gordon Tetlow changed: What|Removed |Added Resolution|FIXED |--- Status|Closed

[Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701 --- Comment #47 from Franco Fichtner --- Also why was this excluded during the port from OpenBSD? Same for MLD_LISTENER_* BTW. https://github.com/openbsd/src/blob/master/sys/net/pf.c#L2699-L2704 -- You are receiving this mail because: Yo

[Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701 --- Comment #46 from Franco Fichtner --- Ok here we go: https://cgit.freebsd.org/src/commit/?id=534ee17e61 This first SA commit adds state tracking to ND_NEIGHBOR_SOLICIT/ND_NEIGHBOR_ADVERT that wasn't there before. From packet captures y

[Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701 --- Comment #45 from Franco Fichtner --- > we are not seeing this issue manifest itself in the stock FreeBSD kernel once > the fixes are applied I appreciate the whole of FreeBSD insiders sticking together on this. Though I'd like to ver

[Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701 Gordon Tetlow changed: What|Removed |Added CC||gor...@freebsd.org --- Comment #44

[Bug 280599] net/aquantia-atlantic-kmod: No ethernet on common workstation targets using aquantia-atlantic-kmod

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280599 --- Comment #7 from Yuri Pankov --- Just for the note: unfortunately the aq NIC that I have is 5Gbps and the only other high-speed NIC that I have at the moment is bnxt which only negotiates to 10Gbase-T and 1000baseT, so the only results I

[Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701 --- Comment #43 from Franco Fichtner --- > Again: is there any evidence that this problem still manifests on FreeBSD? Is there any evidence it wouldn't given a single FreeBSD commit? I think what you are implying is that someone else shoul

[Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701 --- Comment #42 from Dr. Uwe Meyer-Gruhl --- Sigh, Franco, would a plain vanilla FreeBSD kernel like FreeBSD post-SA-24:05+corrections underneath OpnSense be feasible? If the ND problems persisted with that kernel (and I am sure they do, b

[Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701 --- Comment #41 from Philip Paeps --- Problems with how FreeBSD code behaves when merged into a downstream product are beyond the scope of this bug tracker. As far as FreeBSD is concerned, an issue is resolved when it no longer manifests o

[Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701 --- Comment #40 from doktornotor --- Ok, so... let's recap this: What original SA deals with - let me quote: "When pf is configured to allow ND and block incoming Echo Requests, a crafted Echo Request packet after a Neighbor Solicitation (

[Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701 --- Comment #39 from Franco Fichtner --- The evidence is the original SA patch series which spans hundreds of lines of code changes and a lack of actual test coverage. The lack of benefit of doubt is strange in my opinion. I can revert onl

[Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701 --- Comment #38 from Philip Paeps --- What concrete evidence do you have that the neighbour discovery behaviour you are observing on opnsense is related to this regression on FreeBSD? Counters are not helpful here. Please submit a test ca

[Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701 --- Comment #37 from Franco Fichtner --- I suspect it's a behavioural change in ICMPv6 state handling introduced WRT the ND discard observed which is not overly practical in production, downstream-related or not. I don't think closing this

[Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701 --- Comment #36 from Dr. Uwe Meyer-Gruhl --- Just wanted to note that I see the delayed ND answers and rising counters as well on OpnSense. -- You are receiving this mail because: You are the assignee for the bug.

[Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701 Kristof Provost changed: What|Removed |Added Status|In Progress |Closed Resolution|---

[Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701 Philip Paeps changed: What|Removed |Added Status|New |In Progress --- Comment #34 from Ph

[Bug 166724] if_re(4): watchdog timeout

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=166724 Michael Osipov changed: What|Removed |Added CC||micha...@freebsd.org --- Comment