From: Janne Johansson
Subject: Re: veb(4): "lock" mac addresses on ports
To: Theo de Raadt
Cc: David Gwynne, tech@openbsd.org
Date: Fri, 17 Oct 2025 07:56:57 +0200

On Thu, 16 Oct 2025 at 16:22, Theo de Raadt wrote:
>
> Janne Johansson wrote:
>
> > On Thu, 16 Oct 2025 at 05:34, David Gwynne wrote:
> > >
> > > this adds a "locked" flag to ports in veb(4), which is modelled on the
> > > "locked" keyword and the associated behaviour in vm.conf. it requires
> > > the source mac address in frames received by a port have an address
> > > entry on the veb(4) that points to that same port.
> > >
> > > there's similar functionality in vmware vswitches (and probably other
> > > hypervisors too) when you configure MAC address changes and forged
> > > transmits to be rejected.
> >
> > This might warrant a note somewhere that it "breaks" carp, since those
> > packets/interfaces will have a different mac. Or that you need to add
> > the carp mac(s) to this list, whichever is more convenient.
>
> I think people using carp can figure that out themselves, because it is
> first principles.
>

-- 
May the most significant bit of your life be positive.
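
A small model of the source-address check described in the quoted proposal, and of the carp interaction raised in the reply. It is an added example, not code from the veb(4) patch or from anyone in the thread. The struct and function names are hypothetical, the host MAC is constructed, and the carp MAC assumes the 00:00:5e:00:01:<vhid> virtual address with vhid 1.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MACLEN 6

/* Hypothetical model: address entries (MAC -> port) and per-port locked flags. */
struct entry { uint8_t mac[MACLEN]; int port; };
struct bridge { struct entry tab[8]; size_t n; int locked[4]; };

static void bridge_add(struct bridge *b, const uint8_t *mac, int port)
{
	if (b->n == sizeof(b->tab) / sizeof(b->tab[0]))
		return;				/* table full, entry not added */
	memcpy(b->tab[b->n].mac, mac, MACLEN);
	b->tab[b->n++].port = port;
}

/* 1 = accept, 0 = drop. frame is an Ethernet header: dst(6) src(6) type(2). */
static int bridge_input_ok(const struct bridge *b, int port,
    const uint8_t *frame, size_t len)
{
	if (len < 14)
		return 0;			/* too short to carry a source MAC */
	if (!b->locked[port])
		return 1;			/* unlocked ports are not checked */
	for (size_t i = 0; i < b->n; i++)
		if (memcmp(b->tab[i].mac, frame + MACLEN, MACLEN) == 0)
			return b->tab[i].port == port;	/* entry must point here */
	return 0;				/* locked port, unknown source */
}

/* Constructed scenario. Result bits: 0 = host MAC on port 1,
 * 1 = same MAC arriving on port 2, 2 = carp MAC on port 1. */
static int carp_demo(int add_carp_entry)
{
	static const uint8_t host[MACLEN] = { 0xfe, 0xe1, 0xba, 0xd0, 0x00, 0x01 };
	static const uint8_t carp[MACLEN] = { 0x00, 0x00, 0x5e, 0x00, 0x01, 0x01 };
	uint8_t f[14] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };	/* broadcast dst */
	struct bridge b = { .locked = { 0, 1, 1, 0 } };	/* ports 1 and 2 locked */

	bridge_add(&b, host, 1);
	if (add_carp_entry)
		bridge_add(&b, carp, 1);	/* the extra entry carp would need */
	memcpy(f + MACLEN, host, MACLEN);
	int r = bridge_input_ok(&b, 1, f, 14) | (bridge_input_ok(&b, 2, f, 14) << 1);
	memcpy(f + MACLEN, carp, MACLEN);
	return r | (bridge_input_ok(&b, 1, f, 14) << 2);
}

int main(void)
{
	printf("no carp entry: %d, with carp entry: %d\n", carp_demo(0), carp_demo(1));
	return 0;
}
```

Without the carp entry only the host's own MAC passes on port 1; the same MAC arriving on another locked port is dropped in both runs.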