Date: Fri, 7 Jun 2024 21:55:09 +0800
From: Zhenlei Huang <zlei@FreeBSD.org>
To: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
Cc: Gleb Smirnoff <glebius@freebsd.org>, emaste@freebsd.org, freebsd-net@freebsd.org
Subject: Re: ICMP6
Message-ID: <C83BFAA8-48C3-4501-81D7-9E903CFF048F@FreeBSD.org>
In-Reply-To: <972cd3b3-e64a-46e6-a8ea-1bdd6ab7033e@plan-b.pwste.edu.pl>
References: <972cd3b3-e64a-46e6-a8ea-1bdd6ab7033e@plan-b.pwste.edu.pl>

> On Jun 7, 2024, at 4:10 PM, Marek Zarychta <zarychtam@plan-b.pwste.edu.pl> wrote:
>
> Invaluable Committers, Dear Subscribers,
>
> I found Gleb's fixes to ICMP6 error rate limiting extremely useful, especially since this limiting is not working at all in stable/14 (as far as I was able to test). It looks to me like IPv6 bits in FreeBSD are not widely tested and seem to be neglected. In some places, they remain as they were initially imported from KAME. Some time ago kaktus@ fixed logging for unforwarded packets [1] [2]. Recently glebius@ fixed ICMP6 error rate limiting, but there is still open PR 245103[3] and other bugs.
>
> It's appreciated by the community that Netflix uses IPv6 and their programmers are working on the improvements. So please let me ask here for the MFC of the few commits to the stable/14 branch. The commits I am asking for have the following hashes: 7142ab4790666022a2a3d85910e9cd8e241d9b87, 9d7f17d7467ed8c9740730a8db7a82e4768e5177, b508545ce044dbfdd83da772e73f969a3713d59d, ac44739fd834f51cacb26485a4140fd482e20150, c6c96aaba8dd74eb39469ed156ff19cc31d599b7, 32aeee8ce7e72738fff236ccd5629d55035458f8, 4f96be33fe7676c69c5abb476bb09bba0c63a3f4, a03aff88a14448c3084a0384082ec996d7213897, 4399e055ea610cdefa1470ad1ee614dd81ba5e56, 75d15e893b14188b83c5fb5e4979fa21c557934f, f7c4d12bcd5bd7f7fbf6bf9fa601c47e7f97bc5f.

As discussed with Marek in Telegram, those look pretty safe to MFC. I can do the MFC if no explicit objections.

>
> I have done the MFC in my local repo and while testing the stable/14 built from it on a bunch of hosts, I found the set complete, applicable, and most likely not breaking KBI. The only problem I spotted was the too-low default value of net.inet6.icmp6.errppslimit[4]. Fortunately, it's tunable, so bumping it to 200 fixed the error flooding for Nextcloud hosts. Let me mention here that the value of the similar knob for IPv4 (net.inet.icmp.icmplim) was already bumped to 200 some time ago.
>
> Maybe some brave committer will take on this MFC of the above set of commits to stable/14 and thus will contribute to preparing an even better future 14.2-RELEASE.
>
> 1. https://reviews.freebsd.org/D38644
> 2. https://reviews.freebsd.org/D38758
> 3. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245103
> 4. https://github.com/freebsd/freebsd-src/blob/main/sys/netinet6/icmp6.c#L2735
>
> Best regards
>
> --
> Marek Zarychta
>