Bug #598

Need to block carp traffic to hosts self to avoid loops

Added by Scott Ullrich about 9 years ago. Updated over 7 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 05/14/2010
Due date:
% Done: 100%
Estimated time:
Affected Version: All
Affected Architecture:

Description

block in log quick proto carp from (self) to any

Without this change, if the firewall sees its own CARP traffic (an Ethernet loop), the host will go to backup mode.

Associated revisions

Revision 986a3acc (diff)
Added by Scott Ullrich about 9 years ago

block carp traffic to hosts self to avoid loops. fixes #598

History

#1 Updated by Jim Pingle about 9 years ago

  • Status changed from New to Resolved

The antispoof directive we already have on each interface should already prevent such looping, or any traffic from entering an interface that has a source address that belongs to the router itself.

#2 Updated by Chris Buechler about 9 years ago

  • Status changed from Resolved to New

That's not the case, I think because of the state that sending the traffic creates (maybe). Otherwise VMware's looping multicast bug wouldn't flake out CARP and OSPF.

#3 Updated by Scott Ullrich about 9 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#4 Updated by Chris Buechler almost 9 years ago

  • Status changed from Feedback to Resolved

#5 Updated by Michele Di Maria over 7 years ago

Hi,
this change is causing a lot of log entries when there are two NICs on the same network segment. See http://forum.pfsense.org/index.php/topic,43102.0.html.
Is it necessary to log these events?