git: 56f7860087ee - main - carp: check CARP status in in_localip_fib(), in6_localip_fib()
Date: Tue, 19 Mar 2024 18:57:16 UTC
The branch main has been updated by glebius:
URL: https://cgit.FreeBSD.org/src/commit/?id=56f7860087eec14b4a65310b70bd704e79e1b48c
commit 56f7860087eec14b4a65310b70bd704e79e1b48c
Author: Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2024-03-19 18:48:59 +0000
Commit: Gleb Smirnoff <glebius@FreeBSD.org>
CommitDate: 2024-03-19 18:48:59 +0000
carp: check CARP status in in_localip_fib(), in6_localip_fib()

Don't report a BACKUP CARP address as local. These two functions are used
only by source address validation for input packets, controlled by sysctls
net.inet.ip.source_address_validation and
net.inet6.ip6.source_address_validation. For this purpose we definitely
want to treat BACKUP addresses as non-local.

This change is conservative and doesn't modify compat in_localip() and
in6_localip(). They are used more widely than the FIB-aware versions.
The change would modify the notion of ipfw(4) 'me' keyword. There might
be other consequences as in_localip() is used by various tunneling
protocols.

PR: 277349
---
sys/netinet/in.c | 4 +++-
sys/netinet6/in6.c | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/sys/netinet/in.c b/sys/netinet/in.c
index 1c6e87485ace..940b197d9e95 100644
--- a/sys/netinet/in.c
+++ b/sys/netinet/in.c
@@ -165,7 +165,7 @@ in_localip(struct in_addr in)
}
/*
- * Like in_localip(), but FIB-aware.
+ * Like in_localip(), but FIB-aware and carp(4)-aware.
*/
bool
in_localip_fib(struct in_addr in, uint16_t fib)
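Review bot: The new comment above in_localip_fib() says only "carp(4)-aware", which does not tell a caller how the result changes. State the rule the code enforces, for example "an address that belongs to a carp(4) vhid counts as local only while that vhid is MASTER", and note that in_localip() deliberately does not apply it, since the commit message makes clear the two functions now differ on purpose.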
@@ -176,6 +176,8 @@ in_localip_fib(struct in_addr in, uint16_t fib)
CK_LIST_FOREACH(ia, INADDR_HASH(in.s_addr), ia_hash)
if (IA_SIN(ia)->sin_addr.s_addr == in.s_addr &&
+ (ia->ia_ifa.ifa_carp == NULL ||
+ carp_master_p(&ia->ia_ifa)) &&
ia->ia_ifa.ifa_ifp->if_fib == fib)
return (true);
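Review bot: The added test `(ia->ia_ifa.ifa_carp == NULL || carp_master_p(&ia->ia_ifa))` rejects a CARP address in every state other than MASTER, not only BACKUP as the commit message describes, so source address validation will treat the shared address as non-local in any non-MASTER state. If that is the intent, say so in the function comment. Also consider moving the cheap `ia->ia_ifa.ifa_ifp->if_fib == fib` comparison ahead of the carp_master_p() call, so the CARP state is consulted only for entries already in the requested FIB.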
diff --git a/sys/netinet6/in6.c b/sys/netinet6/in6.c
index aca98d2b86b2..20e19b2197d7 100644
--- a/sys/netinet6/in6.c
+++ b/sys/netinet6/in6.c
@@ -1805,7 +1805,7 @@ in6_localip(struct in6_addr *in6)
}
/*
- * Like in6_localip(), but FIB-aware.
+ * Like in6_localip(), but FIB-aware and carp(4)-aware.
*/
bool
in6_localip_fib(struct in6_addr *in6, uint16_t fib)
@@ -1816,6 +1816,8 @@ in6_localip_fib(struct in6_addr *in6, uint16_t fib)
IN6_IFADDR_RLOCK(&in6_ifa_tracker);
CK_LIST_FOREACH(ia, IN6ADDR_HASH(in6), ia6_hash) {
if (IN6_ARE_ADDR_EQUAL(in6, &ia->ia_addr.sin6_addr) &&
+ (ia->ia_ifa.ifa_carp == NULL ||
+ carp_master_p(&ia->ia_ifa)) &&
ia->ia_ifa.ifa_ifp->if_fib == fib) {
IN6_IFADDR_RUNLOCK(&in6_ifa_tracker);
return (true);
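Review bot: The two added lines in in6_localip_fib() are a verbatim copy of the predicate added to in_localip_fib() in sys/netinet/in.c. A small shared inline helper taking a struct ifaddr * (name to be chosen) would keep the IPv4 and IPv6 paths from drifting apart, and would give one place to change if the same rule is ever applied to in_localip() and in6_localip().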