On 28/05/17(Sun) 13:58, Florian Riehm wrote:
> On 05/28/17 11:33, Martin Pieuchot wrote:
> > On 28/05/17(Sun) 10:34, Florian Riehm wrote:
> >> Hi,
> >>
> >> after the fix for carp balancing ip-stealth is in, here is the fix for
> >> balancing ip.
> >
> > Great!
> >
> >>
> >> Non-stealth balancing traffic needs some special treatment since it
> >> contains layer 3 unicast inside layer 2 multicast.
> >>
> >> Now the idea is to deal at layer 2 (ether_input()) with the multicast
> >> frames like regular multicast. After layer 2 processing is done,
> >> ip(6)_input() resets the M_MCAST flag and we are unicast.
> >>
> >> To achieve this I mark incoming packets matching to balancing mac
> >> addresses with a mbuf tag. In ip(6)_input() I remove M_MCAST from mbuf's
> >> m_flags if the tag exists. Thanks to mpi@ who brought me to this idea.
> >
> > Could you remove this flag in carp_lsdrop() instead? That would keep
> > carp's logic in netinet/ip_carp.c which makes it more resilient to
> > future changes.
>
> Actually I did this in my first attempt and basically it worked.
> Then I decided to move it out of carp_lsdrop() because carp_lsdrop()
> is called twice in ip(6)_input(). ICMP has to be handled later,
> to make sure we don't drop the wrong ICMP packets.
>
> My intention was to remove the flag as early as possible to avoid any
> potential problems. Before carp_lsdrop() is called for ICMP, ip_input()
> is already dealing with the M_MCAST flag. As I saw that, I decided to move
> my fix out of carp_lsdrop(). Even if it would work at the moment, it would
> be more fragile. For example, a change in pf_test() in the future could
> break it.
>
> So I think a direct fix inside ip(6)_input() is a better solution.
> What do you think?

If you need a special case for ICMP, then do this check inside carp_lsdrop().
