https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277349
Bug ID: 277349
Summary: The net.inet.ip.source_address_validation should ignore CARP IP in backup state
Product: Base System
Version: 14.0-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]
The net source validation mechanism introduced in FreeBSD 14 (net.inet.ip.source_address_validation), which is enabled by default, is a good security enhancement; however, it should ignore CARP backup addresses.
The VIP address in a 'backup' state is not used for any traffic (on the backup carp node).
However, it's common to see such a backup node pull information from the active one, using the VIP as a target and therefore receiving traffic from this VIP in the answer packets.
I have noticed two open tickets/discussions about this behavior:
* https://redmine.pfsense.org/issues/14026
* https://forum.netgate.com/topic/181163/strange-carp-behavioral-change-bug-in-ha-setup-after-upgrade-from-2-6-0-to-2-7-0
STR:
Deploy two FreeBSD 14.0 Stable, configure carp on one interface of each node.
Node A (Active) - 10.0.0.2/24
Node B (Backup) - 10.0.0.3/24
VIP - 10.0.0.1/24
Ensure net.inet.ip.source_address_validation is set to 1.
From Node B, ping the VIP 10.0.0.1. Observe you do not get answers.
Disable net.inet.ip.source_address_validation, set it to 0.
From Node B, ping the VIP 10.0.0.1. Observe you do now get answers.
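As an added example, not part of the bug report or of FreeBSD: a small POSIX sh diagnostic that parses ifconfig(8) output for CARP VIPs in BACKUP state and warns when net.inet.ip.source_address_validation is enabled, the combination under which Node B above gets no ping replies. The ifconfig line layout is an assumption and the sample output is constructed to model Node B, not captured from a real host.

```shell
#!/bin/sh
# Added diagnostic, not from the bug report: find CARP VIPs in BACKUP state
# and warn when net.inet.ip.source_address_validation=1 would drop replies
# addressed to them (Node B's symptom in the STR above).
# Assumption: FreeBSD ifconfig(8) prints, per interface, an
#   "inet <addr> ... vhid <n>" line before a "carp: <STATE> vhid <n> ..." line.

# Read ifconfig output on stdin; print one BACKUP-state VIP per line.
carp_backup_vips() {
    awk '
        /^[a-z]/ { split("", addr) }          # new interface block: forget vhids
        $1 == "inet" {                         # remember the address of each vhid
            for (i = 3; i < NF; i++) if ($i == "vhid") addr[$(i + 1)] = $2
        }
        $1 == "carp:" && $2 == "BACKUP" {      # carp: BACKUP vhid N advbase ...
            for (i = 3; i < NF; i++)
                if ($i == "vhid" && ($(i + 1) in addr)) print addr[$(i + 1)]
        }'
}

# $1: sysctl value (0/1), $2: BACKUP VIPs (newline separated, may be empty).
# Returns 1 and warns when validation is on and BACKUP VIPs exist.
check_backup_vips() {
    if [ "$1" = "1" ] && [ -n "$2" ]; then
        printf 'warning: source_address_validation=1 and BACKUP CARP VIP(s): %s\n' \
            "$(printf '%s' "$2" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Constructed sample modelled on Node B (10.0.0.3, VIP 10.0.0.1 in BACKUP).
SAMPLE_IFCONFIG='vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.0.3 netmask 0xffffff00 broadcast 10.0.0.255
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255 vhid 1
        carp: BACKUP vhid 1 advbase 1 advskew 100
vtnet1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 2
        carp: MASTER vhid 2 advbase 1 advskew 0'

# On a real FreeBSD 14 host replace the sample with:
#   ifconfig | carp_backup_vips   and   sysctl -n net.inet.ip.source_address_validation
backup_vips=$(printf '%s\n' "$SAMPLE_IFCONFIG" | carp_backup_vips)
check_backup_vips 1 "$backup_vips" ||
    echo "ping replies to ${backup_vips} would be dropped on this node"
```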
I would kindly appreciate feedback about this.