author | David Gwynne <dlg@cvs.openbsd.org> | 2021-01-08 23:31:54 +0000 |
---|---|---|
committer | David Gwynne <dlg@cvs.openbsd.org> | 2021-01-08 23:31:54 +0000 |
commit | 8fb065238b33f4eda8a03d659c747260ef3feaee (patch) | |
tree | 8e1ee49e045a577264b3eb9e9732c18d8cf2286a | |
parent | 0b2d6f595cf94785123d7e1c5fe2b3fe264263cd (diff) |
don't check local carp addresses as part of the antispoof checks.

bridge(4) drops packets coming from somewhere else that have a
source MAC address that's owned by one of the interfaces that's a
member of the bridge. because this check was done with bridge_ourether,
it included the addresses of active carp interfaces hanging off
these member interfaces. this meant if the local machine is the
carp master while another machine is trying to preempt it by sending
hellos, the packets from the other machine were dropped because the
local one is already the master.

carp roles are supposed to move around an l2 network, so another
host sending a packet with a carp mac address is actually normal
and necessary.

found by and fix tested by stsp@
ok stsp@ claudio@

-rw-r--r-- | sys/net/if_bridge.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c index c39dd27ddf0..337e133661b 100644 --- a/sys/net/if_bridge.c +++ b/sys/net/if_bridge.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_bridge.c,v 1.346 2021/01/02 13:16:04 mvs Exp $ */ +/* $OpenBSD: if_bridge.c,v 1.347 2021/01/08 23:31:53 dlg Exp $ */ /* * Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net) @@ -1156,7 +1156,8 @@ bridge_process(struct ifnet *ifp, struct mbuf *m) sc = brifp->if_softc; SMR_SLIST_FOREACH_LOCKED(bif, &sc->sc_iflist, bif_next) { - if (bridge_ourether(bif->ifp, eh->ether_shost)) + struct arpcom *ac = (struct arpcom *)bif->ifp; + if (memcmp(ac->ac_enaddr, eh->ether_shost, ETHER_ADDR_LEN) == 0) goto bad; if (bif->ifp == ifp) bif0 = bif; |
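
Review bot: in the bridge_process() hunk, the new memcmp() against ac->ac_enaddr has no comment saying that bridge_ourether() is avoided on purpose so that carp addresses stay out of the antispoof check; without one, a later cleanup could switch back to bridge_ourether() and bring back the dropped carp hellos described in the commit message. A short comment above the comparison would preserve that intent. The cast `(struct arpcom *)bif->ifp` also relies on every entry on sc->sc_iflist being an Ethernet interface, and nothing in the visible lines checks that, so it is worth confirming or stating in the same comment. Since the check now covers only each member's own address, frames from elsewhere carrying a local carp MAC as source are no longer rejected here; that is the intended effect, but it deserves a mention next to the code as well as in the log.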