From: bugzilla-noreply@freebsd.org
To: net@FreeBSD.org
Subject: [Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)
Date: Thu, 19 Sep 2024 13:04:41 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 14.1-RELEASE
X-Bugzilla-Keywords: regression
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: commit-hook@FreeBSD.org
X-Bugzilla-Status: Closed
X-Bugzilla-Resolution: FIXED
X-Bugzilla-Assigned-To: net@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701

--- Comment #88 from commit-hook@FreeBSD.org ---
A commit in branch releng/14.0 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=2fd8437daed57e34e50beb50013910b64b456f91

commit 2fd8437daed57e34e50beb50013910b64b456f91
Author:     Kristof Provost
AuthorDate: 2024-08-26 12:59:38 +0000
Commit:     Mark Johnston
CommitDate: 2024-09-19 12:58:25 +0000

    pf: improve the ICMPv6 direction check

    Following bluhm's advice this changes the way we set up state keys and
    perform state lookups for ICMPv6 Neighbor Discovery packets:

     - replace the NS-dst with ND target address;
     - replace the NA-src with ND target address;
     - replace the NA-dst with unspecified address if it is a multicast.

    This allows pf to match Address Resolution, Neighbor Unreachability
    Detection and Duplicate Address Detection packets to the corresponding
    states without the need to create new ones or match unrelated ones.

    As a side effect we're now doing one state table lookup for ND packets
    instead of two.

    Fixes a bug uncovered by one of the previous commits that virtually
    breaks IPv6 connectivity after a few minutes of use.

    ok stsp henning, with and ok bluhm

    Approved by:    so
    Security:       FreeBSD-EN-24:16.pf
    PR:             280701
    MFC after:      1 week
    Obtained from:  OpenBSD, mikeb, 2633ae8c4c8a
    Sponsored by:   Rubicon Communications, LLC ("Netgate")

    (cherry picked from commit 5ab1e5f7e5585558a73b723f07528977a82cee82)
    (cherry picked from commit 0121a4baaca09049d130d830aa9179e3cb9c9e88)

 sys/net/pfvar.h        |   4 +-
 sys/netpfil/pf/pf.c    | 116 ++++++++++++++++++++++++++++++++++++++++++---------
 sys/netpfil/pf/pf_lb.c |   2 +-
 3 files changed, 85 insertions(+), 37 deletions(-)

-- 
You are receiving this mail because:
You are the assignee for the bug.
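The three state-key rewrites listed in the commit message, shown as an added C illustration that is not code from the FreeBSD or OpenBSD pf sources: the `nd_key` struct, the function names and the link-local sample addresses are constructed for this example, and `normalize=false` shows why the raw (src, dst) pair cannot match an NA reply to the NS state that triggered it.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

enum { ND_NS = 135, ND_NA = 136 };   /* ICMPv6 Neighbor Solicitation / Advertisement */
/* Simplified stand-in for a pf state key: just the (src, dst) address pair. */
struct nd_key { struct in6_addr src, dst; };
/* Key for an ICMPv6 packet; normalize applies the commit's three ND rewrites, else raw addresses. */
static void nd_state_key(uint8_t icmp6_type, const struct in6_addr *src,
                         const struct in6_addr *dst, const struct in6_addr *target,
                         bool normalize, struct nd_key *key)
{
    key->src = *src;
    key->dst = *dst;
    if (!normalize)
        return;
    switch (icmp6_type) {
    case ND_NS:
        key->dst = *target;               /* NS-dst -> ND target address */
        break;
    case ND_NA:
        key->src = *target;               /* NA-src -> ND target address */
        if (dst->s6_addr[0] == 0xff)      /* ff00::/8 is multicast */
            key->dst = in6addr_any;       /* NA-dst -> unspecified (::) */
        break;
    }
}
/* Reply-direction lookup: the packet's key is the state's key with src/dst swapped. */
static bool nd_key_is_reply_of(const struct nd_key *state, const struct nd_key *pkt)
{
    return memcmp(&state->src, &pkt->dst, sizeof(struct in6_addr)) == 0 &&
           memcmp(&state->dst, &pkt->src, sizeof(struct in6_addr)) == 0;
}
/* Constructed exchange: an NS (ns_src -> ns_dst, for target) created a state; does the NA match it? */
static bool nd_exchange_matches(const char *ns_src, const char *ns_dst, const char *target,
                                const char *na_src, const char *na_dst, bool normalize)
{
    struct in6_addr s, d, t, a_s, a_d;
    struct nd_key k_ns, k_na;
    if (inet_pton(AF_INET6, ns_src, &s) != 1 || inet_pton(AF_INET6, ns_dst, &d) != 1 ||
        inet_pton(AF_INET6, target, &t) != 1 || inet_pton(AF_INET6, na_src, &a_s) != 1 ||
        inet_pton(AF_INET6, na_dst, &a_d) != 1)
        return false;
    nd_state_key(ND_NS, &s, &d, &t, normalize, &k_ns);
    nd_state_key(ND_NA, &a_s, &a_d, &t, normalize, &k_na);
    return nd_key_is_reply_of(&k_ns, &k_na);
}
```

With the rewrites, Address Resolution (NS to the solicited-node multicast), NUD (unicast NS) and DAD (NS from ::, NA to ff02::1) all land on the state the NS created, and an NA addressed to a different node does not.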