[Bug 277349] The net.inet.ip.source_address_validation should ignore CARP IP in backup state

2024-03-28 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277349

--- Comment #10 from commit-h...@freebsd.org ---
A commit in branch stable/14 references this bug:

URL:
https://cgit.FreeBSD.org/src/commit/?id=d6e1ae659b11a13a9c289424735394173907c1d3

commit d6e1ae659b11a13a9c289424735394173907c1d3
Author: Gleb Smirnoff 
AuthorDate: 2024-03-19 18:48:59 +
Commit: Gleb Smirnoff 
CommitDate: 2024-03-28 19:35:45 +

carp: check CARP status in in_localip_fib(), in6_localip_fib()

Don't report a BACKUP CARP address as local.  These two functions are used
only by source address validation for input packets, controlled by sysctls
net.inet.ip.source_address_validation and
net.inet6.ip6.source_address_validation.  For this purpose we definitely
want to treat BACKUP addresses as non local.

This change is conservative and doesn't modify compat in_localip() and
in6_localip().  They are used more widely than the FIB-aware versions.
The change would modify the notion of ipfw(4) 'me' keyword.  There might
be other consequences as in_localip() is used by various tunneling
protocols.

PR: 277349
(cherry picked from commit 56f7860087eec14b4a65310b70bd704e79e1b48c)

 sys/netinet/in.c   | 4 +++-
 sys/netinet6/in6.c | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

-- 
You are receiving this mail because:
You are the assignee for the bug.
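
A user-space model of the behaviour the commit message above describes, added here as an illustration (not FreeBSD kernel code and not part of the commit). All type, function and macro names are hypothetical, the addresses are constructed, and the model covers only the "is the source address local" test. It shows why a BACKUP node dropped replies sourced from the VIP before the change, and that a MASTER node still rejects packets claiming the VIP as source afterwards.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model types, not the kernel's in_ifaddr or CARP structures. */
enum carp_state { CARP_NONE, CARP_BACKUP, CARP_MASTER };
struct model_ifaddr {
	uint32_t addr;        /* IPv4 address, host byte order */
	uint16_t fib;         /* FIB of the owning interface */
	enum carp_state carp; /* CARP_NONE for an ordinary address */
};
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define NODE_IP IP4(192, 0, 2, 12) /* constructed: this node's own address */
#define VIP     IP4(192, 0, 2, 10) /* constructed: shared CARP address */

/* "Is addr ours in this FIB?"  check_carp=true models the changed behaviour. */
static bool
model_localip_fib(const struct model_ifaddr *tbl, size_t n, uint32_t addr,
    uint16_t fib, bool check_carp)
{
	for (size_t i = 0; i < n; i++) {
		if (tbl[i].addr != addr || tbl[i].fib != fib)
			continue;
		if (check_carp && tbl[i].carp == CARP_BACKUP)
			continue; /* VIP is held by the peer right now */
		return (true);
	}
	return (false);
}

/* Source address validation: accept only packets whose source is not local. */
static bool
model_sav_accepts(enum carp_state vip_state, uint32_t src, bool check_carp)
{
	const struct model_ifaddr tbl[] = {
		{ NODE_IP, 0, CARP_NONE },
		{ VIP, 0, vip_state },
	};
	return (!model_localip_fib(tbl, 2, src, 0, check_carp));
}

int
main(void)
{
	printf("BACKUP, old check: VIP reply accepted = %d\n", model_sav_accepts(CARP_BACKUP, VIP, false));
	printf("BACKUP, new check: VIP reply accepted = %d\n", model_sav_accepts(CARP_BACKUP, VIP, true));
	printf("MASTER, new check: VIP source accepted = %d\n", model_sav_accepts(CARP_MASTER, VIP, true));
	return (0);
}
```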


[Bug 277349] The net.inet.ip.source_address_validation should ignore CARP IP in backup state

2024-03-28 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277349

Gleb Smirnoff  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Closed
         Resolution|---                         |FIXED



[Bug 277349] The net.inet.ip.source_address_validation should ignore CARP IP in backup state

2024-03-21 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277349

--- Comment #9 from Gleb Smirnoff  ---
On Thu Mar 21 13:07:55  2024 UTC, mickael.mail...@gmail.com wrote:
> Will this fix be merged in stable/14?

I plan to merge next week.



[Bug 277349] The net.inet.ip.source_address_validation should ignore CARP IP in backup state

2024-03-21 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277349

mickael.mail...@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mickael.mail...@gmail.com

--- Comment #8 from mickael.mail...@gmail.com ---
Will this fix be merged in stable/14?



[Bug 277349] The net.inet.ip.source_address_validation should ignore CARP IP in backup state

2024-03-19 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277349

--- Comment #7 from commit-h...@freebsd.org ---
A commit in branch main references this bug:

URL:
https://cgit.FreeBSD.org/src/commit/?id=56f7860087eec14b4a65310b70bd704e79e1b48c

commit 56f7860087eec14b4a65310b70bd704e79e1b48c
Author: Gleb Smirnoff 
AuthorDate: 2024-03-19 18:48:59 +
Commit: Gleb Smirnoff 
CommitDate: 2024-03-19 18:48:59 +

carp: check CARP status in in_localip_fib(), in6_localip_fib()

Don't report a BACKUP CARP address as local.  These two functions are used
only by source address validation for input packets, controlled by sysctls
net.inet.ip.source_address_validation and
net.inet6.ip6.source_address_validation.  For this purpose we definitely
want to treat BACKUP addresses as non local.

This change is conservative and doesn't modify compat in_localip() and
in6_localip().  They are used more widely than the FIB-aware versions.
The change would modify the notion of ipfw(4) 'me' keyword.  There might
be other consequences as in_localip() is used by various tunneling
protocols.

PR: 277349

 sys/netinet/in.c   | 4 +++-
 sys/netinet6/in6.c | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)



[Bug 277349] The net.inet.ip.source_address_validation should ignore CARP IP in backup state

2024-03-07 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277349

--- Comment #6 from Zhenlei Huang  ---
(In reply to Gleb Smirnoff from comment #1)
> I think we had a discussion on this some time ago. I suggested making the
> BACKUP IP address be treated as non-local for all purposes except bind(2).
Generally good. And the bind socket should not accept any incoming connections
even if they are locally originated.

> Here is a patch to try. I did not test it, but it gives an idea of what
> I am talking about. It should change more than just source IP address
> validation. The main question is whether there are any scenarios that the
> patch would break.

The change seems good if we treat CARP BACKUP IP addresses as NOT **local**.



[Bug 277349] The net.inet.ip.source_address_validation should ignore CARP IP in backup state

2024-03-04 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277349

--- Comment #5 from Gleb Smirnoff  ---
I'm not 100% sure there would be no unexpected consequences/regressions.
The function modified isn't used by CARP only.  I need to think more on
that.  I'd appreciate more eyes looking at the code and evaluating the idea.

For reference, I've found a link to the discussion we had on that before;
it is on Telegram, messages from https://t.me/freebsd_ru/482821 down to
https://t.me/freebsd_ru/482859.  The TLDR summary in English would be
"seems like a good idea, but no one is 100% sure".



[Bug 277349] The net.inet.ip.source_address_validation should ignore CARP IP in backup state

2024-02-29 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277349

mi...@bsd-box.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mi...@bsd-box.net

--- Comment #4 from mi...@bsd-box.net ---
Ran into the same issue this afternoon ("Holy POLA Batman, why can't our
redundancy pairs see the active partner after patching?").
Tested the attached patch and looks good: CARP backup can ping the VIP on
master.

Didn't do exhaustive tests but the patch is simple enough I don't think there
could be any unexpected consequences/regressions.



[Bug 277349] The net.inet.ip.source_address_validation should ignore CARP IP in backup state

2024-02-29 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277349

--- Comment #3 from alexis.sa...@efficientip.com ---
Just tested the proposed patch, it seems to work pretty fine.

With this proposal, the CARP backup is able to ping the active
VIP on the active node. I have run a few tests and did not see
any specific regression or unexpected impact on the network stack.

I look forward to seeing this merged into the official kernel.

Many thanks for the quick feedback.



[Bug 277349] The net.inet.ip.source_address_validation should ignore CARP IP in backup state

2024-02-29 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277349

Andrey V. Elsukov  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #248813|application/octet-stream    |text/plain
          mime type|                            |
 Attachment #248813|0                           |1
           is patch|                            |



[Bug 277349] The net.inet.ip.source_address_validation should ignore CARP IP in backup state

2024-02-28 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277349

--- Comment #2 from Gleb Smirnoff  ---
Created attachment 248813
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=248813&action=edit
patch to not treat BACKUP address as a local

Patch for review.



[Bug 277349] The net.inet.ip.source_address_validation should ignore CARP IP in backup state

2024-02-28 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277349

--- Comment #1 from Gleb Smirnoff  ---
I think we had a discussion on this some time ago. I suggested making the
BACKUP IP address be treated as non-local for all purposes except bind(2).

Here is a patch to try. I did not test it, but it gives an idea of what
I am talking about. It should change more than just source IP address
validation. The main question is whether there are any scenarios that the
patch would break.



[Bug 277349] The net.inet.ip.source_address_validation should ignore CARP IP in backup state

2024-02-27 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277349

Mark Linimon  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|b...@freebsd.org            |n...@freebsd.org
