opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License
3.38k stars 759 forks source link

Log filled with "pf: ICMP error message too short (ip6)" #7840

Open cloudz opened 2 months ago

cloudz commented 2 months ago

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

Describe the bug

A clear and concise description of what the bug is, including last known working version (if any).

During the IPv6 traceroute/icmp issues I did enable the "Generate debug messages for various errors" under the Firewall > Settings > Advanced. This option started spamming my system logs at a rate of over 10/s with the error "pf: ICMP error message too short (ip6)" resulting over 350k per day.

In my search on why this was happening I used "tcpdump -i ax1 icmp6" as suggested by a forum member to look for an irregular IPv6 spammer but it immediately became clear that every Neighbour Solicitation & Neighbour Answer resulted in such a log entry.

I assume this is incorrect behaviour, hence the bug report.

Tip: to validate your setup was working with the previous version, use opnsense-revert (https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-revert)

To Reproduce

Steps to reproduce the behavior:

  1. Upgrade device to 24.7.3_1
  2. Enable DHCPv6 on WAN interface, Track Interface on LAN
  3. Enable Debug logging under Firewall > Settings > Advanced : Debug
  4. Watch the /var/log/system/latest.log fill with the error message.

Expected behavior

No errors on ND : NS/NA from pf

Describe alternatives you considered

Turning off the debug logging removes the excessive log spamming.

Screenshots

N/A.

Relevant log files

If applicable, information from log files supporting your claim.

Additional context

Add any other context about the problem here.

Environment

Software version used and hardware type if relevant, e.g.: DEC740 @ latest OS. Audit successful.

doktornotor commented 2 months ago

Just linking here for reference that this downstream issue that is gone with that ultimate revert kernel from https://github.com/opnsense/src/commit/164bfe67604

đŸ™„