On Fri, May 19, 2006 at 12:42:57AM +0200, Daniel Hartmeier wrote:
> Does this mean 'antispoof for carp0' is generally (always?) a mistake?

Yes. If you've got the same subnet on your physical interface, you can safely do antispoof there however.

> As Chad showed, packets are seen by tcpdump on carp0, are they also
> filtered by pf on carp0 (i.e. twice, on carp0 and the real interface)?

No, they're only filtered on the real interface. This is because you can get asymmetric routes with carp interfaces if there are addresses within the same subnet on the physical interface. Incoming traffic will go to the carp interface, but outgoing traffic will go through the physical interface.

henning@ has raised some shortcomings in the current carp routing behaviour to me, so it's possible that as we make changes in this area we can somehow fix this problem as well.

> Has this changed in the past?

pf.c:
----------------------------
revision 1.477
date: 2005/01/07 18:58:39;  author: mcbride;  state: Exp;  lines: +7 -1
Make carp(4) traffic always appear on the physical (carpdev) interface from pf's perspective.
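As an added illustration (not part of the original mail or of pf itself), the following pf.conf fragment puts the mistaken antispoof rule next to the form that matches the behaviour described above; the interface name em0, the network 192.0.2.0/24 and the carp address 192.0.2.1 are assumed values.

```pf
# Assumed topology (not from the thread): em0 is the carpdev holding
# 192.0.2.10/24, and carp0 carries the shared address 192.0.2.1/24.
ext_if = "em0"

# WRONG: pf sees carp traffic on the physical interface, not on carp0.
# "antispoof for carp0" expands (per pf.conf(5)) to roughly
#   block drop in on ! carp0 inet from 192.0.2.0/24 to any
#   block drop in inet from 192.0.2.1 to any
# Every packet from the local subnet addressed to the carp address
# arrives on em0, which is "! carp0", so the first line matches it and
# drops it unless a later rule passes it.
# antispoof for carp0

# RIGHT: anchor antispoof to the physical interface, which shares the
# subnet. It now only drops packets that claim a local source address
# while arriving on some other interface.
antispoof quick for { lo0 $ext_if }

# The CARP advertisements themselves (multicast to 224.0.0.18) are also
# filtered on the physical interface, so permit them there.
pass on $ext_if proto carp

# Ordinary rules for traffic to the carp address are written
# "on $ext_if"; a rule "on carp0" would never match anything.
pass in on $ext_if proto tcp from any to 192.0.2.1 port 22
```

Run `pfctl -nvf /etc/pf.conf` to see the expanded antispoof rules for yourself before loading the ruleset.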