From: Claudio Jeker
Subject: Re: make pf_test require a parent for carp interfaces
To: Alexandr Nedvedicky
Cc: David Gwynne, tech@openbsd.org
Date: Wed, 10 Dec 2025 11:10:15 +0100

On Wed, Dec 10, 2025 at 11:07:07AM +0100, Alexandr Nedvedicky wrote:
> Hello,
>
>
> On Wed, Dec 10, 2025 at 02:46:30PM +1000, David Gwynne wrote:
> > pf has a semantic where it uses the parent of carp interfaces when
> > applying policy, rather than the carp interface itself. eg, if you have
> > carp0 on top of em0, the kernel generally operates as if the packets
> > sent to the carp0 address were received by the carp0 interface, but
> > pf prefers to operate on em0 in this situation and does a lookup
> > to figure this out. this means you write rules to pass traffic on em0,
> > even if it was a carp interface that steered them toward you.
> >
> > it is possible to run carp on top of an interface that can be detached,
> > which means it's possible to have a packet received by a carp interface
> > that can't be translated to the parent interface in pf.
> >
> > currently, if that lookup fails, we run pf against the carp interface. i
> > think it's better to let pf drop the packet in this situation, which is
> > what this diff implements.
> >
> > ok?
>
> it makes sense in my opinion, although my firewall set ups are simple,
> no chance to put my hands on more complex set ups where carp is used.
>
> anyway diff is OK sashan.

Also OK claudio@

--
:wq Claudio