Traceroute / ICMP issue after 24.7.1 update

Started by MeltdownSpectre, August 08, 2024, 07:16:38 PM

Quote from: motoridersd on August 11, 2024, 07:16:28 PM
Is this supposed to revert to a kernel that has the expected ICMP behavior?

Yes.


At such a late stage in the game, we might want to wait for FreeBSD 15.1-RELEASE to be out first? Heard there's a couple extraordinary patches in the queue for FreeBSD 18.0-RELEASE written by a bunch of 13yo kids that they just committed.


Let's be fair. From the looks of it, it doesn't get better if we don't help out. That being said:

# opnsense-update -zkr 24.7.1-pf1 reverts b34fe955

# opnsense-update -zkr 24.7.1-pf2 also reverts 38384a54

# opnsense-update -zkr 24.7.1-pf3 also reverts f924c2e1f

# opnsense-update -zkr 24.7.1-pf4 reverts all (including 9ceb7fda9)



Cheers,
Franco

opnsense-update -zkr 24.7.1-pf4 restores traceroute functionality.

Thanks, that means somewhere in the biggest patch ;)

https://github.com/opnsense/src/commit/9ceb7fda9
2 changed files with 317 additions and 83 deletions.


Cheers,
Franco

Great!

Can't help you with that.
But if more testing is needed today I can help.


No worries, that helps a lot already. More confirmations of which kernel starts are welcome too so we can say "independently verified" :D

For some reason I cannot reproduce this at first glance on my end.


Cheers,
Franco

Quote from: franco on August 12, 2024, 10:22:14 AM
Thanks, that means somewhere in the biggest patch ;)

https://github.com/opnsense/src/commit/9ceb7fda9
2 changed files with 317 additions and 83 deletions.


Cheers,
Franco

Hmmm, so that's basically a 2009 OpenBSD patch, pretty much verbatim (on a very quick look)? Not even sure what to think about all of this...  How many of the subsequent 15 years of fixes have been missed? ??? ::)

https://github.com/openbsd/src/commit/70bf7555ef4c33faa35582dadab7c01bcf61b3ac

I'm not even sure which one the security fix is per se, but it's correct that a lot has been pulled in to make the security fix happen. That's exactly why we are in this situation now and why I've advocated for better stable branch management and better bug report responses in FreeBSD to no avail. I'm not even making this up, but it's being ignored because I'm the annoying one helping run an adjacent project that gets responses such as this for raising concern and bug reports and fixes:

"FreeBSD is a volunteer project.  If you don't like what you get, contribute."

Quite the hot take. I mean a cherry-pick only costs 10 seconds of real work if you ask me that's been dragging on for weeks. But that's more of a general rant.


Cheers,
Franco

I can confirm that -pf3 is NOT sufficient to fix the regression. (Did not test -pf[12], trying to test on some real deployment and people at home are getting kinda angry about the reboots, seems pointless anyway.)

While browsing the OpenBSD GitHub, I've seen some 15+ later commits regarding ICMP/ICMPv6 and states in pf.c alone.

Considering this pressing security issue apparently has been there for 15+ years unnoticed by anyone, let alone anyone exploiting echo replies via "crafted packets", eh... WTH really. #SMH

Probably relevant and as expected @franco - https://marc.info/?l=openbsd-misc&m=128218328308200&w=2 so that narrows the fix down to between the broken forward-ported patch from 2009 and OpenBSD 4.8 release.


Likely... can you do a quick -pf5?  ;D Willing to annoy people at home once again.

Doesn't apply at first glance. Don't want to spend my time on this just yet.


Cheers,
Franco