[Bug 277349] The net.inet.ip.source_address_validation should ignore CARP IP in backup state

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 27 Feb 2024 11:11:45 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277349

            Bug ID: 277349
           Summary: The net.inet.ip.source_address_validation should
                    ignore CARP IP in backup state
           Product: Base System
           Version: 14.0-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: alexis.savin@efficientip.com

The net source validation mechanism introduced in FreeBSD 14
(net.inet.ip.source_address_validation), which is enabled by default,
is a good security enhancement; however, it should ignore CARP backup
addresses.

The VIP address in a 'backup' state is not used for any traffic (on the backup
carp node). However, it is common to see such a backup node pull information
from the active one, using the VIP as a target, and therefore receiving traffic
from this VIP in the answer packets.

I have noticed two open tickets/discussions about this behavior:
* https://redmine.pfsense.org/issues/14026
* https://forum.netgate.com/topic/181163/strange-carp-behavioral-change-bug-in-ha-setup-after-upgrade-from-2-6-0-to-2-7-0

STR:

 Deploy two FreeBSD 14.0-STABLE nodes and configure carp on one interface of each node.
 Node A (Active) - 10.0.0.2/24
 Node B (Backup) - 10.0.0.3/24
 VIP - 10.0.0.1/24

 Ensure net.inet.ip.source_address_validation is set to 1.

 From Node B, ping the VIP 10.0.0.1. Observe that you do not get answers.

 Disable net.inet.ip.source_address_validation, set it to 0.

 From Node B, ping the VIP 10.0.0.1. Observe that you now get answers.

I would kindly appreciate feedback about this.

-- 
You are receiving this mail because:
You are the assignee for the bug.
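Added example (not part of the bug report, and not FreeBSD code): a small
check script for the situation the STR above describes. It parses ifconfig(8)
output, lists the IPv4 CARP VIPs a node holds together with their vhid state,
and flags those in BACKUP state, since with
net.inet.ip.source_address_validation=1 the kernel drops incoming packets whose
source address is one of the node's own addresses, and a BACKUP VIP is such an
address. The ifconfig samples for Node A and Node B are constructed from the
addresses in the STR, not captured from a real system; the script assumes the
FreeBSD 14 line formats "inet A.B.C.D ... vhid N" and "carp: STATE vhid N ...",
and the names carp_sav_check.sh, carp_addrs, sav_backup_conflicts and
CARP_SAV_LIVE are my own.

```sh
#!/bin/sh
# carp_sav_check.sh -- added example, not from the bug report or from FreeBSD.
# Lists the CARP VIPs a node holds and flags those in BACKUP state: with
# net.inet.ip.source_address_validation=1 the kernel drops incoming packets
# whose source address is local to the node, and a BACKUP VIP is local, so
# answers the MASTER sends from the VIP never reach this node.

# Constructed ifconfig(8) output for the report's Node B (BACKUP) and
# Node A (MASTER); not captured from a real system.
NODE_B_IFCONFIG='vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 52:54:00:12:34:56
        inet 10.0.0.3 netmask 0xffffff00 broadcast 10.0.0.255
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255 vhid 1
        carp: BACKUP vhid 1 advbase 1 advskew 100
        status: active'

NODE_A_IFCONFIG='vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 52:54:00:12:34:57
        inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 0
        status: active'

# carp_addrs: read ifconfig output on stdin and print one line per IPv4 CARP
# address as "ifname vhid vip state". Assumes the FreeBSD 14 line formats
# "inet A.B.C.D ... vhid N" and "carp: STATE vhid N ..." (IPv6 is ignored,
# since the sysctl in question is under net.inet.ip).
carp_addrs() {
    awk '
        # An unindented "name:" line starts a new interface block.
        /^[^[:space:]]+:/ { ifname = $1; sub(/:$/, "", ifname) }
        # "inet VIP ... vhid N": remember the VIP per (interface, vhid).
        /^[[:space:]]*inet .* vhid / {
            for (i = 1; i < NF; i++)
                if ($i == "vhid") vip[ifname SUBSEP $(i + 1)] = $2
        }
        # "carp: STATE vhid N ...": remember the state per (interface, vhid).
        /^[[:space:]]*carp: / { state[ifname SUBSEP $4] = $2 }
        END {
            for (k in vip) {
                split(k, p, SUBSEP)
                s = (k in state) ? state[k] : "UNKNOWN"
                print p[1], p[2], vip[k], s
            }
        }'
}

# sav_backup_conflicts SAV: SAV is the sysctl value (0 or 1); stdin is ifconfig
# output. Prints every BACKUP VIP whose answers this node will drop and returns
# 1 if there is at least one, 0 otherwise (so sav=0 never reports a conflict).
sav_backup_conflicts() {
    carp_addrs | awk -v sav="$1" '
        sav + 0 == 1 && $4 == "BACKUP" {
            printf "%s vhid %s: answers sourced from VIP %s are dropped (source_address_validation=1)\n", $1, $2, $3
            n++
        }
        END { exit (n > 0) }'
}

# Live use on a node:  CARP_SAV_LIVE=1 sh carp_sav_check.sh
# Otherwise run the constructed samples for both nodes of the report.
if [ "${CARP_SAV_LIVE:-0}" = 1 ]; then
    ifconfig | sav_backup_conflicts "$(sysctl -n net.inet.ip.source_address_validation)"
else
    echo "Node A (MASTER), sav=1:"
    printf '%s\n' "$NODE_A_IFCONFIG" | sav_backup_conflicts 1 && echo "  no BACKUP VIP, answers from 10.0.0.1 are accepted"
    echo "Node B (BACKUP), sav=1:"
    printf '%s\n' "$NODE_B_IFCONFIG" | sav_backup_conflicts 1 && echo "  no BACKUP VIP"
fi
```

On the report's Node B the script flags vhid 1 / 10.0.0.1, which matches the
STR: pinging the VIP from the backup gets no answers until the sysctl is set to
0. Node A is not flagged, because its VIP is MASTER and it is the one sending,
not receiving, packets sourced from 10.0.0.1.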