From nobody@FreeBSD.org  Fri Mar  7 08:34:49 2014
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hub.freebsd.org (Postfix) with ESMTPS id 67162B89
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  7 Mar 2014 08:34:49 +0000 (UTC)
Received: from cgiserv.freebsd.org (cgiserv.freebsd.org [IPv6:2001:1900:2254:206a::50:4])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.freebsd.org (Postfix) with ESMTPS id 54173DE7
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  7 Mar 2014 08:34:49 +0000 (UTC)
Received: from cgiserv.freebsd.org ([127.0.1.6])
	by cgiserv.freebsd.org (8.14.8/8.14.8) with ESMTP id s278Ym5v086501
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 7 Mar 2014 08:34:48 GMT
	(envelope-from nobody@cgiserv.freebsd.org)
Received: (from nobody@localhost)
	by cgiserv.freebsd.org (8.14.8/8.14.8/Submit) id s278YmJe086496;
	Fri, 7 Mar 2014 08:34:48 GMT
	(envelope-from nobody)
Message-Id: <201403070834.s278YmJe086496@cgiserv.freebsd.org>
Date: Fri, 7 Mar 2014 08:34:48 GMT
From: Onno Molenkamp <onno@flox.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: CARP addresses in backup state should't be used as source
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         187341
>Category:       kern
>Synopsis:       [netinet] [patch] CARP addresses in backup state should't be used as source
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-net
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 07 08:40:02 UTC 2014
>Closed-Date:    
>Last-Modified:  Sun Mar 09 15:38:22 UTC 2014
>Originator:     Onno Molenkamp
>Release:        10.0
>Organization:
>Environment:
>Description:
Under certain conditions, FreeBSD chooses a CARP address that's in the backup state as source address for outgoing IPv6 traffic. In return, neighbors start sending traffic for the carp address to the backup node instead of the master.

I've seen this happen with neighbor advertisements, but I suppose the backup address may get used for any other type of traffic as well.
>How-To-Repeat:
Configure carp, choose a IPv6 carp address that should be selected as the best source address following the rules in in6_selectsrc() if it hadn't been a carp address, and generate traffic to (another) address of a backup node to make sure it will receive neighbor solicitations that it needs to respond to.

(the neighbor sending the solicitations needs to be using a public address as source address in those packets for the bug to occur, as in6_selectsrc() tries to use an address from the same scope)
>Fix:
I've attached a patch against HEAD that makes in6_selectsrc() always skip backup addresses.

Patch attached with submission follows:

Index: sys/netinet6/in6_src.c
===================================================================
--- sys/netinet6/in6_src.c	(revision 262885)
+++ sys/netinet6/in6_src.c	(working copy)
@@ -99,6 +99,7 @@
 #include <netinet/ip.h>
 #include <netinet/in_pcb.h>
 #include <netinet/ip_var.h>
+#include <netinet/ip_carp.h>
 #include <netinet/udp.h>
 #include <netinet/udp_var.h>
 
@@ -335,6 +336,8 @@
 		}
 		if (!V_ip6_use_deprecated && IFA6_IS_DEPRECATED(ia))
 			continue;
+		if (ia->ia_ifa.ifa_carp && !(*carp_master_p)(&ia->ia_ifa))
+			continue;
 
 		/* If jailed only take addresses of the jail into account. */
 		if (cred != NULL &&


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Mar 9 15:37:50 UTC 2014 
Responsible-Changed-Why:  
reclassify. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=187341 
>Unformatted:
