[Bug 277349] The net.inet.ip.source_address_validation should ignore CARP IP in backup state
Date: Tue, 27 Feb 2024 11:11:45 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277349

            Bug ID: 277349
           Summary: The net.inet.ip.source_address_validation should ignore
                    CARP IP in backup state
           Product: Base System
           Version: 14.0-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: alexis.savin@efficientip.com

The net source validation mechanism introduced in FreeBSD 14
(net.inet.ip.source_address_validation), which is enabled by default, is a good
security enhancement; however, it should ignore CARP backup addresses.

The VIP address in a 'backup' state is not used for any traffic (on the backup
CARP node). However, it is common to see such a backup node pull information
from the active one, using the VIP as a target and therefore receiving traffic
from this VIP in the answer packets.

I have noticed two open tickets/discussions about this behavior:

* https://redmine.pfsense.org/issues/14026
* https://forum.netgate.com/topic/181163/strange-carp-behavioral-change-bug-in-ha-setup-after-upgrade-from-2-6-0-to-2-7-0

STR:

Deploy two FreeBSD 14.0-STABLE hosts and configure CARP on one interface of
each node.

  Node A (Active) - 10.0.0.2/24
  Node B (Backup) - 10.0.0.3/24
  VIP             - 10.0.0.1/24

Ensure net.inet.ip.source_address_validation is set to 1.
From Node B, ping the VIP 10.0.0.1. Observe that you do not get answers.

Disable net.inet.ip.source_address_validation by setting it to 0.
From Node B, ping the VIP 10.0.0.1. Observe that you now do get answers.

I would kindly appreciate feedback about this.

-- 
You are receiving this mail because:
You are the assignee for the bug.
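An added example, not part of the bug report above and not FreeBSD project code: a POSIX sh helper for the STR that tells you, before you ping anything, whether a host is in the situation the report describes (source_address_validation on, and at least one CARP VIP whose vhid is currently BACKUP on this node). The parser assumes the ifconfig(8) line layout FreeBSD prints for CARP (`inet ... vhid N` address lines followed by a `carp: BACKUP vhid N ...` line); the function names, the `SAMPLE_IFCONFIG` text and the `live` mode are my own. The sysctl name is the one from the report.

```shell
#!/bin/sh
# Added example: identify CARP VIPs in BACKUP state on this host and combine
# that with the net.inet.ip.source_address_validation setting.

# Constructed ifconfig(8) output for a node in the STR (Node B, the backup),
# plus a second interface whose vhid is MASTER so the filter is exercised.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:00:00:00:03
        inet 10.0.0.3 netmask 0xffffff00 broadcast 10.0.0.255
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255 vhid 1
        carp: BACKUP vhid 1 advbase 1 advskew 100
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 2
        carp: MASTER vhid 2 advbase 1 advskew 0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# Read ifconfig output on stdin; print "<ifname> <vip> vhid <n>" for every
# inet address whose vhid is in BACKUP state on that interface. vhid numbers
# are scoped per interface, so the lookup key includes the interface name.
carp_backup_vips() {
    awk '
        /^[^ \t]/ { ifn = $1; sub(/:$/, "", ifn); next }
        $1 == "carp:" && $2 == "BACKUP" { backup[ifn, $4] = 1 }
        $1 == "inet" {
            for (i = 3; i < NF; i++)
                if ($i == "vhid") vip[ifn, $2] = $(i + 1)
        }
        END {
            for (k in vip) {
                split(k, p, SUBSEP)
                if (backup[p[1], vip[k]]) print p[1], p[2], "vhid", vip[k]
            }
        }
    '
}

# $1 = current value of net.inet.ip.source_address_validation, ifconfig output
# on stdin. Returns 0 (and prints the affected VIPs) when validation is on and
# this node holds a BACKUP VIP, i.e. the combination the report is about;
# returns 1 otherwise.
sav_affects_host() {
    sav=$1
    vips=$(carp_backup_vips)
    [ "$sav" = "1" ] && [ -n "$vips" ] || return 1
    printf '%s\n' "$vips"
    return 0
}

# Live mode (run as: sh this.sh live 10.0.0.1 on the BACKUP node): report the
# state, then do the ping from the STR so the two results can be compared.
case "${1:-}" in
live)
    vip=${2:?usage: $0 live <vip>}
    sav=$(sysctl -n net.inet.ip.source_address_validation)
    if ifconfig | sav_affects_host "$sav"; then
        echo "source_address_validation=$sav with BACKUP VIP(s) above: expect no replies from $vip"
    else
        echo "source_address_validation=$sav: not in the reported configuration"
    fi
    ping -c 3 "$vip"
    ;;
esac
```

The awk filter keys on the interface name as well as the vhid because FreeBSD scopes vhids per interface; a MASTER vhid on another interface (em1 in the sample) is correctly ignored. Toggling the sysctl with `sysctl net.inet.ip.source_address_validation=0` and rerunning `live` reproduces the second half of the STR.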