[Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 04 Sep 2024 07:37:37 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701

--- Comment #70 from Dr. Uwe Meyer-Gruhl <freebsd_email@congenio.de> ---
I am only speaking for myself, but from a "downstream user" perspective, and I
do not want to sound disrespectful.
I acknowledge and appreciate the hard work that has been put into FreeBSD.

However, when the first problem with this specific SA was raised and test cases
had been provided, a band-aid was tried, which did not fix all the problems the
SA had created. Again this was reported but quickly dismissed as a "downstream
problem" - which, AFAIK, was not the first time this has happened.

Another band-aid was done, which reportedly still does not contain all of the
fixes that OpenBSD had done in the years before.
Discussing why this SA with such a far reach was applied anyway is spilled
milk (tm), but there is always a tradeoff between security and usability. If
that SA really seemed so important, it should have been handled with more care
from the beginning.

In both of these cases, the fixes were not discussed here (only automatic hints
for other patches could be seen), test coverage seems barely sufficient, and
there was no comeback to us reporters to re-test anything.

So, as far as communication goes, this is by far the worst I have seen so far.
There would be two ways to solve this:

1. Tell us here what has been done so far and communicate to enable us to
re-test specific bugs, or
2. Point us to the "leading" bug report where the impact of the SA fixes is
reported / handled and close this bug.

Randomly changing code behind the scenes and expecting us to follow along is
not the right way, IMHO.

While it is true that the bugs caused by the SA may affect "normal" FreeBSD
users less than those who use one of the downstream router platforms,
networking is a core requirement for any decent OS anyway. I do not know what
proportion of all FreeBSD users use those router platforms, but they are surely
affected by the bugs. Thus, dismissing those problems as "downstream" is
inadequate from any perspective.

Of course, FreeBSD "owes" downstream nothing, but ironically, this SA and the
bugs first and foremost affect the pf subsystem. pf is the most commonly given
reason not to migrate said router platforms to Linux, simply because Linux does
not have it.
From my point of view, pf is one of the crown jewels of FreeBSD - as opposed
to, say, driver coverage.
If that were not so, a migration like the one from TrueNAS Core to TrueNAS
Scale might have happened already for the router platforms.
So my take would be for the FreeBSD project to consider whether better coverage
of exactly the pf / networking subsystem, and taking reports from the downstream
projects that actually use them, should be taken more seriously.
