Protocol hopopt

Started by Javier®, October 24, 2025, 10:16:21 AM

October 24, 2025, 10:16:21 AM Last Edit: October 24, 2025, 12:13:21 PM by Javier®
Hello everyone, just one question: why is this protocol not allowed in OPNsense?

RFC2710
MLD message types are a subset of the set of ICMPv6 messages, and MLD messages are identified in IPv6 packets by a preceding Next Header value of 58. All MLD messages described in this document are sent with a link-local IPv6 Source Address, an IPv6 Hop Limit of 1, and an IPv6 Router Alert option [RTR-ALERT] in a Hop-by-Hop Options header.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290407
** ¯\_(ツ)_/¯ **  C'est la vie  ** ¯\_(ツ)_/¯ **

Are you asking whether OPNsense is affected by the reported bug (which I can't conveniently view), or something else?

Yes, I'm asking if it's affected and that's why the protocol isn't allowed.
I know that protocol has been a vulnerable point.
I think it's necessary for MLD to function properly.
** ¯\_(ツ)_/¯ **  C'est la vie  ** ¯\_(ツ)_/¯ **

October 24, 2025, 06:26:49 PM #3 Last Edit: October 24, 2025, 06:28:31 PM by pfry Reason: typos!!!
OK, freebsd.org's "Anubis" bot detection bounces Brave. Grrr.

Anyway, I don't know enough about operating git to locate a commit by hash, so I can't tell when the bug was (supposedly) introduced. It was opened against and patched for 15.0.

But that says little about "OPNsense support", which could mean a couple of things, e.g.:

Base FreeBSD support: MLD appears to be built into the kernel, so support should be "generic FreeBSD 14.3". You might need to set some tunables for a specific application. I can't comment on option preservation in forwarded packets.

Filtering support: Outbound from the firewall should be allowed by the automatic outbound rule ("let out anything from firewall host itself"); this should also take care of outbound traversal, and session setup should handle inbound replies. For initial inbound you'd need an appropriate pass rule, likely with options enabled (under "Advanced features" in the rule definition). But that's a supposition, as I have not attempted to test such. (Note that the automatic rule allows options.)

So I don't see anything offhand other than the possible bug that would disallow MLD in OPNsense. I can't comment on the specifics of feature support and interoperability. Are you seeing an issue?
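To see what the RFC 2710 passage quoted at the top of the thread means at the packet level (and what a rule that rejects Hop-by-Hop packets is actually dropping, as discussed above), here is an added Python example that walks the IPv6 extension-header chain and reports each MLD condition separately. It is not code from this thread, OPNsense or FreeBSD; the sample query it builds is constructed for the example, with its ICMPv6 checksum left at zero.

```python
import ipaddress
import struct

# ICMPv6 type values for the MLDv1 messages defined in RFC 2710.
MLD_TYPES = {130: "Listener Query", 131: "Listener Report", 132: "Listener Done"}
HOPOPT, ICMPV6 = 0, 58            # IPv6 Next Header values (Hop-by-Hop Options, ICMPv6)
ROUTER_ALERT, RA_MLD = 5, 0       # Router Alert option type and its MLD value (RFC 2711)

def parse_hopopts(hdr):
    """Walk a Hop-by-Hop Options header; return (next_header, length, {type: value})."""
    nxt, hdrlen, opts, i = hdr[0], (hdr[1] + 1) * 8, {}, 2
    while i + 1 < hdrlen:
        otype = hdr[i]
        if otype == 0:            # Pad1 is a single zero byte with no length field
            i += 1
            continue
        olen = hdr[i + 1]
        opts[otype] = bytes(hdr[i + 2:i + 2 + olen])
        i += 2 + olen
    return nxt, hdrlen, opts

def classify_mld(pkt):
    """Check the RFC 2710 envelope: link-local source, Hop Limit 1, a Hop-by-Hop header
    carrying a Router Alert option, then Next Header 58 with an MLD message type.
    Returns None when the packet is not MLD at all, else one boolean per condition."""
    if len(pkt) < 41 or pkt[0] >> 4 != 6:
        return None
    nxt, hop_limit = pkt[6], pkt[7]
    src = ipaddress.IPv6Address(pkt[8:24])
    off, has_ra = 40, False
    if nxt == HOPOPT:
        nxt, hdrlen, opts = parse_hopopts(pkt[off:])
        ra = opts.get(ROUTER_ALERT)
        has_ra = ra is not None and len(ra) == 2 and struct.unpack("!H", ra)[0] == RA_MLD
        off += hdrlen
    if off >= len(pkt) or nxt != ICMPV6 or pkt[off] not in MLD_TYPES:
        return None
    return {"type": MLD_TYPES[pkt[off]], "link_local_src": src.is_link_local,
            "hop_limit_1": hop_limit == 1, "router_alert": has_ra}

def build_mld_query(src="fe80::1", dst="ff02::1", hop_limit=1):
    """Construct a sample MLDv1 General Query (made up for this example, checksum left 0)."""
    hbh = bytes([ICMPV6, 0, ROUTER_ALERT, 2, 0, 0, 1, 0])     # RA option (value 0 = MLD) + PadN
    icmp = bytes([130, 0, 0, 0, 0, 0, 0, 0]) + bytes(16)      # type, code, csum, max delay, resv, addr
    ip = struct.pack("!IHBB", 0x60000000, len(hbh) + len(icmp), HOPOPT, hop_limit)
    return ip + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + hbh + icmp

if __name__ == "__main__":
    print(classify_mld(build_mld_query()))
```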

I really appreciate the response.
I have no problems, OPNsense works perfectly.
I receive Hop-by-Hop packets and the firewall rejects them, but it doesn't affect the connection.
Thanks for everything.
** ¯\_(ツ)_/¯ **  C'est la vie  ** ¯\_(ツ)_/¯ **

October 24, 2025, 10:09:02 PM #5 Last Edit: October 24, 2025, 10:28:36 PM by BrandyWine
Quote from: Javier® on October 24, 2025, 10:16:21 AM
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290407
It does say the bug fix is for version 15-current. I assume the commit hash the comment was for was a v15 commit?

Are we trying to figure out if the same problem is in 14.3?

Interesting, I now see a release schedule for a v14.4.

Here's the commit (hash):
https://cgit.freebsd.org/src/commit/?h=releng/15.0&id=530c2c30b0c75f1a71df637ae1e09b352f8256cb

The comments made in the bugs link seem to indicate they are not clear as to when the problem came about: was it working in this 530c2c hash commit, or did that commit cause the issue?


Mini-pc N150 i226v x520, FREEDOM