diff options
author | Matthew Smith <mgsmith@netgate.com> | 2021-08-25 17:09:34 -0500 |
---|---|---|
committer | Damjan Marion <dmarion@me.com> | 2021-09-08 14:40:23 +0000 |
commit | 0d56f60c8c9c3c86b6b47f369d23b8c79366aedf (patch) | |
tree | 7ec1fdc92e0b8f52ee48cbb8421ab37e1540b5b8 /src/plugins/crypto_openssl/main.c | |
parent | f49734d3b9afb27e3f527e1477fee4952d546f9a (diff) |
vrrp: fix source address on advertisements
Type: fix
Advertisements are dropped by anti spoofing check in some situations.
When a VR has "accept mode" enabled, we must add the virtual IP addresses
to the interface when the VR transitions to master state. When this
happens, fib_sas4_get() starts selecting the newly added virtual IP
address as the source address for packets sent on the interface, so
advertisements are sent with that source address.
When the virtual IP address is being used as a NAT pool address on a peer
in the backup state, the peer sees the address as a local address and
drops incoming advertisements with that source address.
RFC 5798 section 5.1.1.1 says advertisements should use the primary
IPv4 address of the interface they are being sent on as the source
IP address. Since the virtual IP address is only temporarily added
while the VR is in the master state, the virtual IP address should
probably not be considered the primary address of the interface. The
definition of Primary IP Address in section 1.6 says that selecting
the first address is a valid selection algorithm. Do that instead of
calling fib_sas4_get().
Change-Id: Id92f0e3237c7fd491dd8d695bb27307d494f8573
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Diffstat (limited to 'src/plugins/crypto_openssl/main.c')
0 files changed, 0 insertions, 0 deletions