Traceroute / ICMP issue after 24.7.1 update

Started by MeltdownSpectre, August 08, 2024, 07:16:38 PM

Previous topic - Next topic
Print
Go Down Pages 1 2 3 4 5 6 ... 11
User actions
August 12, 2024, 11:53:52 AM #45
Quote from: franco on August 12, 2024, 11:51:43 AM
Doesn't apply at first glance. Don't want to spend my time on this just yet.

Hah. That's probably why it's been omitted.  :D  :P
August 12, 2024, 11:55:24 AM #46
 8)
August 12, 2024, 04:30:41 PM #47
Here's another independent review :)

Started mtr on a pi behind the  FW and installed/rebooted the kernels starting with PF1.

PF4 is working as expected, the others don't.
August 13, 2024, 01:59:49 PM #48
New sponsored patch committed.  :P
August 13, 2024, 02:24:26 PM #49
# opnsense-update -zkr 24.7.1-icmp

It boots. Promising start?


Cheers,
Franco
August 13, 2024, 02:39:49 PM #50
Quote from: franco on August 13, 2024, 02:24:26 PM

It boots. Promising start?

8) Will test tonight  ;D
August 13, 2024, 04:39:33 PM #51
I just tested opnsense-update -zkr 24.7.1-icmp; results:
- traceroute is working but feels slower than usual
- mtr is working only in tcp/udp mode, it is not working in regular (icmp) mode
In theory there is no difference between theory and practice. In practice there is.
August 13, 2024, 04:49:19 PM #52 Last Edit: August 13, 2024, 04:53:43 PM by doktornotor
For me, traceroute is completely broken with ICMPv6 - even from the firewall itself, with the latest patch. Also as noted above, mtr does not work at all with ICMP, even with IPv4.
August 13, 2024, 04:58:33 PM #53
Ok, will likely revert (similar to pf4) for 24.7.2 until this has been completely addressed in FreeBSD 14.1. The MFC for the commit is said to be 1 week so I don't think we'll see this progress soon enough either way.


Cheers,
Franco
August 13, 2024, 11:11:30 PM #54
There is an upstream patch out today that I believe addresses this issue: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701#c14
August 13, 2024, 11:22:20 PM #55
I understand that was exactly the patch contained in the last kernel by Franco.

However, the first part of the patch only addresses test cases and the second part says something about icmp-in-icmp lookups, which I do not understand and which obviously did not solve the problem.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A
August 14, 2024, 06:59:04 AM #56
Yep, 24.7.1-icmp was from this branch containing the two commits: https://github.com/opnsense/src/commits/pf_icmp/

It's safe to say the test case was fixed. The new test cases being the first traceroute test, however, means there is no coverage for further cases which then still need a fix. From early user feedback here that seems to be the case.

The size of the fix is also in no means equivalent to the OpenBSD pf patch fixing ICMP:

https://github.com/opnsense/src/commit/5c2b2da661

vs.

https://github.com/openbsd/src/commit/ef4bccd7509e

While it doesn't have to be it would suggest the same thing as the test case situation and early user feedback.

We'll be reverting this for 24.7.2 as mentioned because I don't think this will (or can?) move as urgently as it should.


Cheers,
Franco
August 14, 2024, 09:56:42 AM #57 Last Edit: August 14, 2024, 10:15:19 AM by doktornotor
Re-tested on another box. IPv6 is definitely still broken. (Now, even the first hop is not shown when you try ICMPv6 traceroute/mtr or similar from machines behind)

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701#c15

Indeed seems best to revert the commits until fixed properly.
August 14, 2024, 10:00:56 AM #58
Thanks for following up in the FreeBSD bug tracker. <3
August 14, 2024, 10:08:22 AM #59
Quote from: franco on August 14, 2024, 10:00:56 AM
Thanks for following up in the FreeBSD bug tracker. <3

No problem. Did another reboot while applying the new PPPoE patch as well - that one works just fine.  ;D
Print
Go Up Pages 1 2 3 4 5 6 ... 11
User actions