From:
Alexandr Nedvedicky <sashan@fastmail.net>
Subject:
Re: make pf_test require a parent for carp interfaces
To:
David Gwynne <david@gwynne.id.au>
Cc:
tech@openbsd.org
Date:
Wed, 10 Dec 2025 11:07:07 +0100

Hello,


On Wed, Dec 10, 2025 at 02:46:30PM +1000, David Gwynne wrote:
> pf has a semantic where it uses the parent of carp interfaces when
> applying policy, rather than the carp interface itself. eg, if you have
> carp0 on top of em0, the kernel generally operates as if the packets
> sent to the carp0 address were received by the carp0 interface, but
> pf prefers to operate on em0 in this situation and does a lookup
> to figure this out. this means you write rules to pass traffic on em0,
> even if it was a carp interface that steered them toward you.
> 
> it is possible to run carp on top of an interface that can be detached,
> which means it's possible to have a packet received by a carp interface
> that can't be translated to the parent interface in pf.
> 
> currently, if that lookup fails, we run pf against the carp interface. i
> think it's better to let pf drop the packet in this situation, which is
> what this diff implements.
> 
> ok?

    it makes sense in my opinion, although my firewall setups are simple;
    no chance to put my hands on more complex setups where carp is used.

anyway, diff is OK sashan.

thanks and
regards
sashan