On 05/28/17 11:33, Martin Pieuchot wrote:
> On 28/05/17(Sun) 10:34, Florian Riehm wrote:
>> Hi,
>>
>> after the fix for carp balancing ip-stealth is in, here is the fix for
>> balancing ip.
>
> Great!
>
>>
>> Non-stealth balancing traffic needs some special treatment since it contains
>> layer 3 unicast inside layer 2 multicast.
>>
>> Now the idea is to deal at layer 2 (ether_input()) with the multicast frames
>> like regular multicast. After layer 2 processing is done, ip(6)_input() resets
>> the M_MCAST flag and we are unicast.
>>
>> To achieve this I mark incoming packets matching balancing mac addresses with
>> an mbuf tag. In ip(6)_input() I remove M_MCAST from mbuf's m_flags if the tag
>> exists. Thanks to mpi@ who brought me to this idea.
>
> Could you remove this flag in carp_lsdrop() instead? That would keep
> carp's logic in netinet/ip_carp.c which makes it more resilient to
> future changes.

Actually I did this in my first attempt and basically it worked. Then I decided to move it out of carp_lsdrop() because carp_lsdrop() is called twice in ip(6)_input(). ICMP has to be handled later, to make sure we don't drop the wrong ICMP packets.

My intention was to remove the flag as early as possible to avoid any potential problems. Before carp_lsdrop() is called for ICMP, ip_input() is already dealing with the M_MCAST flag. When I saw that, I decided to move my fix out of carp_lsdrop(). Even if it would work at the moment, it would be more fragile. For example, a change in pf_test() in the future could break it.

So I think a direct fix inside ip(6)_input() is a better solution. What do you think?

Regards,
Florian