CARP puts the interface in promiscuous mode

K

koverskeid

Hi,

I would like to use CARP, but noticed that when CARP is configured on an interface, promiscuous mode is enabled. I had to check the source and sure, these lines are included:

Code: 
if ((error = ifpromisc(ifp0, 1)))
        return (error);

I'm not that eager to have promiscuous mode enabled for anything else than debugging purposes.

Why did the developers go through the trouble of making the "carp_join_multicast" function when promiscuous mode is enabled anyway?

I guess it's a simple way of receiving frames with a destination link layer address (00:00:5E:00:01:XX) not corresponding to the cards own mac address. Is there really no way of adding a single mac address to the cards filter rules or is there another reason why promiscuous needs to be enabled?
 
koverskeid said:
I would like to use CARP, but noticed that when CARP is configured on an interface, promiscuous mode is enabled. I had to check the source and sure, these lines are included:
Click to expand...
are you sure about it? How did you check promisc is enabled?
 
danger@ said:
are you sure about it? How did you check promisc is enabled?
Click to expand...
Well, I just tested with ifconfig, here's the commands and output:
Code: 
#ifconfig igb0
igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
        ether 40:62:31:14:61:1a
        inet 10.14.2.181 netmask 0xffffff00 broadcast 10.14.2.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
# ifconfig igb0 vhid 1 alias 10.14.2.211/24
# ifconfig igb0
igb0: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500       
options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
        ether 40:62:31:14:61:1a
        inet 10.14.2.181 netmask 0xffffff00 broadcast 10.14.2.255
        inet 10.14.2.211 netmask 0xffffff00 broadcast 10.14.2.255 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 0
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
# ifconfig igb0 vhid 1 10.14.2.211/24 remove
# ifconfig igb0
igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
        ether 40:62:31:14:61:1a
        inet 10.14.2.181 netmask 0xffffff00 broadcast 10.14.2.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

It's not possible to disable promiscuous mode while carp is configured on the interface. I tried with the command
Code: 
#ifconfig igb0 -promisc
But nothing changes

Code: 
# uname -a
FreeBSD prp1 13.0-RELEASE FreeBSD 13.0-RELEASE #0 releng/13.0-n244733-ea31abc261f: Fri Apr  9 04:24:09 UTC 2021
 
koverskeid said:
I guess it's a simple way of receiving frames with a destination link layer address (00:00:5E:00:01:XX) not corresponding to the cards own mac address. Is there really no way of adding a single mac address to the cards filter rules or is there another reason why promiscuous needs to be enabled?
Click to expand...
No. This is a part of the 802 Ethernet standard:
In non-promiscuous mode, when a NIC receives a frame, it drops it unless the frame is addressed to that NIC's MAC address or is a broadcast or multicast addressed frame. In promiscuous mode, however, the NIC allows all frames through, thus allowing the computer to read frames intended for other machines or network devices.
Click to expand...

Promiscuous mode - Wikipedia

en.wikipedia.org en.wikipedia.org
I know wiki is not always reliable, but it does appear to check out

(section 99.2.4.1.1 Address recognition)

(section 4.2.9 Frame reception)

(slide 9 on page 5)
 
You must log in or register to reply here.
Back
Top