Traceroute / ICMP issue after 24.7.1 update

[doktornotor]

Doesn't apply at first glance. Don't want to spend my time on this just yet.

Hah. That's probably why it's been omitted.   

[franco]

 

[newsense]

Here's another independent review

Started mtr on a pi behind the  FW and installed/rebooted the kernels starting with PF1.

PF4 is working as expected, the others don't.

[doktornotor]

New sponsored patch committed. 

[franco]

# opnsense-update -zkr 24.7.1-icmp

It boots. Promising start?


Cheers,
Franco

[doktornotor]

It boots. Promising start?

  Will test tonight 

[dinguz]

I just tested opnsense-update -zkr 24.7.1-icmp; results:
- traceroute is working but feels slower than usual
- mtr is working only in tcp/udp mode, it is not working in regular (icmp) mode

[doktornotor]

For me, traceroute is completely broken with ICMPv6 - even from the firewall itself, with the latest patch. Also as noted above, mtr does not work at all with ICMP, even with IPv4.

[franco]

Ok, will likely revert (similar to pf4) for 24.7.2 until this has been completely addressed in FreeBSD 14.1. The MFC for the commit is said to be 1 week so I don't think we'll see this progress soon enough either way.


Cheers,
Franco

[jhiesey]

There is an upstream patch out today that I believe addresses this issue: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701#c14

[meyergru]

I understand that was exactly the patch contained in the last kernel by Franco.

However, the first part of the patch only addresses test cases and the second part says something about icmp-in-icmp lookups, which I do not understand and which obviously did not solve the problem.

[franco]

Yep, 24.7.1-icmp was from this branch containing the two commits: https://github.com/opnsense/src/commits/pf_icmp/

It's safe to say the test case was fixed. The new test cases being the first traceroute test, however, means there is no coverage for further cases which then still need a fix. From early user feedback here that seems to be the case.

The size of the fix is also in no means equivalent to the OpenBSD pf patch fixing ICMP:

https://github.com/opnsense/src/commit/5c2b2da661

vs.

https://github.com/openbsd/src/commit/ef4bccd7509e

While it doesn't have to be it would suggest the same thing as the test case situation and early user feedback.

We'll be reverting this for 24.7.2 as mentioned because I don't think this will (or can?) move as urgently as it should.


Cheers,
Franco

[doktornotor]

Re-tested on another box. IPv6 is definitely still broken. (Now, even the first hop is not shown when you try ICMPv6 traceroute/mtr or similar from machines behind)

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701#c15

Indeed seems best to revert the commits until fixed properly.

[franco]

Thanks for following up in the FreeBSD bug tracker. <3

[doktornotor]

Thanks for following up in the FreeBSD bug tracker. <3

No problem. Did another reboot while applying the new PPPoE patch as well - that one works just fine.