From owner-freebsd-bugs@FreeBSD.ORG Fri Mar 7 08:40:03 2014
Message-Id: <201403070834.s278YmJe086496@cgiserv.freebsd.org>
Date: Fri, 7 Mar 2014 08:34:48 GMT
From: Onno Molenkamp
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/187341: CARP addresses in backup state shouldn't be used as source

>Number:         187341
>Category:       misc
>Synopsis:       CARP addresses in backup state shouldn't be used as source
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 07 08:40:02 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Onno Molenkamp
>Release:        10.0
>Organization:
>Environment:
>Description:
Under certain conditions, FreeBSD chooses a CARP address that's in the backup state as source address for outgoing IPv6 traffic. In return, neighbors start sending traffic for the carp address to the backup node instead of the master.

I've seen this happen with neighbor advertisements, but I suppose the backup address may get used for any other type of traffic as well.
>How-To-Repeat:
Configure carp, choose an IPv6 carp address that should be selected as the best source address following the rules in in6_selectsrc() if it hadn't been a carp address, and generate traffic to (another) address of a backup node to make sure it will receive neighbor solicitations that it needs to respond to.

(The neighbor sending the solicitations needs to be using a public address as source address in those packets for the bug to occur, as in6_selectsrc() tries to use an address from the same scope.)
>Fix:
I've attached a patch against HEAD that makes in6_selectsrc() always skip backup addresses.

Patch attached with submission follows: Index: sys/netinet6/in6_src.c =================================================================== --- sys/netinet6/in6_src.c (revision 262885) +++ sys/netinet6/in6_src.c (working copy) @@ -99,6 +99,7 @@ #include #include #include +#include #include #include @@ -335,6 +336,8 @@ } if (!V_ip6_use_deprecated && IFA6_IS_DEPRECATED(ia)) continue; + if (ia->ia_ifa.ifa_carp && !(*carp_master_p)(&ia->ia_ifa)) + continue; /* If jailed only take addresses of the jail into account. */ if (cred != NULL && >Release-Note: >Audit-Trail: >Unformatted:
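
Review bot: In the second hunk (@@ -335,6 +336,8 @@), the added test calls through the carp_master_p function pointer with only ia->ia_ifa.ifa_carp as a guard, so nothing visible in this hunk rules out a NULL call if an address carries ifa_carp while the pointer is unset. Either add carp_master_p != NULL to the same condition or add a comment stating why a set ifa_carp implies a valid pointer. The new check is also the only one in this stretch without a comment (the jail check right after it has one); a line such as /* Skip CARP addresses that are not in master state. */ would document the intent. Because the report only confirms the problem for neighbor advertisements, the submission should also say whether other source selection paths need the same test.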
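
A check an operator could run to see whether a node shows the behaviour described in the report, added here as an example and not part of the original submission or of FreeBSD: it flags observed source addresses that belong to a CARP vhid that is not in MASTER state. The ifconfig output layout, the sample addresses and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample, assuming the layout FreeBSD 10's ifconfig prints for CARP.
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet6 fe80::1%em0 prefixlen 64 scopeid 0x1
\tinet6 2001:db8:0:1::11 prefixlen 64
\tinet6 2001:db8:0:1::1 prefixlen 64 vhid 1
\tinet6 2001:db8:0:1::2 prefixlen 64 vhid 2
\tcarp: BACKUP vhid 1 advbase 1 advskew 100
\tcarp: MASTER vhid 2 advbase 1 advskew 0
"""
# Constructed sample: source addresses seen in packets sent by this node.
SAMPLE_SOURCES = ["2001:db8:0:1::11", "2001:db8:0:1:0:0:0:1", "2001:db8:0:1::2"]

IFACE = re.compile(r"^(\S+): flags=")
ADDR6 = re.compile(r"^\s+inet6 (\S+) .*\bvhid (\d+)")
CARP = re.compile(r"^\s+carp: (\w+) vhid (\d+)")


def non_master_addresses(ifconfig_text):
    """Return the IPv6 addresses bound to a vhid that is not in MASTER state."""
    addrs, states, iface = {}, {}, None
    for line in ifconfig_text.splitlines():
        if m := IFACE.match(line):
            iface = m.group(1)
        elif m := ADDR6.match(line):
            # Drop a "%em0" zone suffix before parsing the address.
            ip = ipaddress.IPv6Address(m.group(1).split("%")[0])
            addrs.setdefault((iface, m.group(2)), set()).add(ip)
        elif m := CARP.match(line):
            states[(iface, m.group(2))] = m.group(1)
    result = set()
    for key, ips in addrs.items():
        # A vhid with no "carp:" line is treated as not master, like INIT.
        if states.get(key, "INIT") != "MASTER":
            result |= ips
    return result


def misused_sources(ifconfig_text, sources):
    """Return observed source addresses that belong to a non-master vhid."""
    bad = non_master_addresses(ifconfig_text)
    return [str(ip) for ip in map(ipaddress.IPv6Address, sources) if ip in bad]


if __name__ == "__main__":
    print(misused_sources(SAMPLE_IFCONFIG, SAMPLE_SOURCES))
```

Addresses are compared as parsed values, so an uncompressed spelling in a capture still matches the form ifconfig prints.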