Subject: Re: ICMP6
From: Zhenlei Huang
Date: Fri, 7 Jun 2024 21:55:09 +0800
To: Marek Zarychta
Cc: Gleb Smirnoff, emaste@freebsd.org, freebsd-net@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

> On Jun 7, 2024, at 4:10 PM, Marek Zarychta wrote:
>
> Invaluable Committers, Dear Subscribers,
>
> I found Gleb's fixes to ICMP6 error rate limiting extremely useful,
> especially since this limiting is not working at all in stable/14 (as
> far as I was able to test). It looks to me like IPv6 bits in FreeBSD are
> not widely tested and seem to be neglected. In some places, they remain
> as they were initially imported from KAME. Some time ago kaktus@ fixed
> logging for unforwarded packets [1] [2]. Recently glebius@ fixed ICMP6
> error rate limiting, but there is still open PR 245103[3] and other
> bugs.
>
> It's appreciated by the community that Netflix uses IPv6 and their
> programmers are working on the improvements. So please let me ask here
> for the MFC of the few commits to the stable/14 branch. The commits I am
> asking for have the following hashes:
> 7142ab4790666022a2a3d85910e9cd8e241d9b87,
> 9d7f17d7467ed8c9740730a8db7a82e4768e5177,
> b508545ce044dbfdd83da772e73f969a3713d59d,
> ac44739fd834f51cacb26485a4140fd482e20150,
> c6c96aaba8dd74eb39469ed156ff19cc31d599b7,
> 32aeee8ce7e72738fff236ccd5629d55035458f8,
> 4f96be33fe7676c69c5abb476bb09bba0c63a3f4,
> a03aff88a14448c3084a0384082ec996d7213897,
> 4399e055ea610cdefa1470ad1ee614dd81ba5e56,
> 75d15e893b14188b83c5fb5e4979fa21c557934f,
> f7c4d12bcd5bd7f7fbf6bf9fa601c47e7f97bc5f.

As discussed with Marek in Telegram, those look pretty safe to MFC. I
can do the MFC if no explicit objections.

>
> I have done the MFC in my local repo and while testing the stable/14
> built from it on the bunch of hosts, I found the set complete,
> applicable, and most likely not breaking KBI. The only problem I spotted
> was the too-low default value of net.inet6.icmp6.errppslimit[4].
> Fortunately, it's tunable, so bumping it to 200 fixed the error flooding
> for Nextcloud hosts. Let me mention here, that the value of the similar
> knob for IPv4 (net.inet.icmp.icmplim) was already bumped to 200 some
> time ago.
>
> Maybe some brave committer will take on this MFC of the above set of
> commits to stable/14 and thus will contribute to preparing an even
> better future 14.2-RELEASE.
>
> 1. https://reviews.freebsd.org/D38644
> 2. https://reviews.freebsd.org/D38758
> 3. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245103
> 4. https://github.com/freebsd/freebsd-src/blob/main/sys/netinet6/icmp6.c#L2735
>
> Best regards
>
> --
> Marek Zarychta
>