summaryrefslogtreecommitdiffstats
path: root/src/plugins/adl/ip4_allowlist.c
diff options
context:
space:
mode:
authorMatthew Smith <mgsmith@netgate.com>2021-08-25 17:09:34 -0500
committerDamjan Marion <dmarion@me.com>2021-09-08 14:40:23 +0000
commit0d56f60c8c9c3c86b6b47f369d23b8c79366aedf (patch)
tree7ec1fdc92e0b8f52ee48cbb8421ab37e1540b5b8 /src/plugins/adl/ip4_allowlist.c
parentf49734d3b9afb27e3f527e1477fee4952d546f9a (diff)
vrrp: fix source address on advertisements
Type: fix Advertisements are dropped by anti spoofing check in some situations. When a VR has "accept mode" enabled, we must add the virtual IP addresses to the interface when the VR transitions to master state. When this happens, fib_sas4_get() starts selecting the newly added virtual IP address as the source address for packets sent on the interface, so advertisements are sent with that source address. When the virtual IP address is being used as a NAT pool address on a peer in the backup state, the peer sees the address as a local address and drops incoming advertisements with that source address. RFC 5798 section 5.1.1.1 says advertisements should use the primary IPv4 address of the interface they are being sent on as the source IP address. Since the virtual IP address is only temporarily added while the VR is in the master state, the virtual IP address should probably not be considered the primary address of the interface. The definition of Primary IP Address in section 1.6 says that selecting the first address is a valid selection algorithm. Do that instead of calling fib_sas4_get(). Change-Id: Id92f0e3237c7fd491dd8d695bb27307d494f8573 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Diffstat (limited to 'src/plugins/adl/ip4_allowlist.c')
0 files changed, 0 insertions, 0 deletions