From: Jordan Gordeev
Date: Thu, 16 Nov 2006 18:20:16 +0200
To: freebsd-net@freebsd.org
Subject: patch for arpwatch to ignore CARP-generated ARP replies
Message-ID: <455C8FC0.4050901@dir.bg>

Problem description:
CARP answers ARP requests for a virtual IP with ARP replies that have the MAC of the physical interface in the Ethernet header and the virtual MAC in the contained ARP message. These strange ARP messages are logged by arpwatch as "ethernet mismatch".

There's a patch below that causes arpwatch (version 2.1a15) to ignore ARP replies generated by CARP, instead of reporting "ethernet mismatch" via syslog.

Please, share your opinions.

--- arpwatch.c.old Wed Nov 15 19:39:16 2006 +++ arpwatch.c Wed Nov 15 19:51:26 2006 
@@ -105,6 +105,9 @@ #define max(a,b) ((b)>(a)?(b):(a)) #endif +#define VRRP_PREFIX_LEN 5 +const unsigned char vrrp_prefix[VRRP_PREFIX_LEN] = { 0x00, 0x00, 0x5e, 0x00, 0x01 }; + char *prog; int can_checkpoint; @@ -391,6 +394,10 @@ return; } + /* Check for CARP-generated ARP replies and ignore them */ + if (MEMCMP(sha, vrrp_prefix, VRRP_PREFIX_LEN) == 0) { + /* do nothing */ + } else /* Double check ethernet addresses */ if (MEMCMP(sea, sha, 6) != 0) { dosyslog(LOG_INFO, "ethernet mismatch", sia, sea, sha);
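
Review bot: In the first hunk (@@ -105,6 +105,9 @@), vrrp_prefix is defined as a non-static global with no comment, and its name says VRRP while the only stated purpose is CARP. Suggest declaring it "static const unsigned char vrrp_prefix[VRRP_PREFIX_LEN]" and adding a one-line comment that 00:00:5e:00:01 is the virtual MAC prefix being matched and why CARP replies carry it, so the constant's role is clear to the next reader of arpwatch.c.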
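
Review bot: In the second hunk (@@ -391,6 +394,10 @@), the new test matches only on the first five bytes of sha, so the "ethernet mismatch" report is suppressed for every frame whose ARP sender hardware address starts with 00:00:5e:00:01, whatever its Ethernet source or sender IP. That turns a monitoring message off for a whole address range rather than for the site's own CARP hosts; consider gating it behind a command-line option or a configured list of virtual IPs checked against sia, or logging it under a separate, quieter message instead of dropping it. On style, the empty "/* do nothing */" branch followed by a dangling "else" is easy to misread; folding both tests into one condition, "if (MEMCMP(sha, vrrp_prefix, VRRP_PREFIX_LEN) != 0 && MEMCMP(sea, sha, 6) != 0)", gives the same behaviour without the empty block.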
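
The frame layout from the problem description, as an added example that is not part of the original message or of arpwatch: a classifier that reads the Ethernet source address and the ARP sender hardware address out of a raw frame and separates a virtual-MAC reply from any other mismatch. The names `classify_arp` and `sample`, the sample addresses, and the restriction to ARP replies (opcode 2) are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum arp_verdict { NOT_ARP, CONSISTENT, VIRTUAL_MAC_REPLY, MISMATCH };

/* 00:00:5e:00:01 is the prefix the patch compares against sha. */
static const uint8_t vmac_prefix[5] = { 0x00, 0x00, 0x5e, 0x00, 0x01 };
/* Bytes 12..19: EtherType ARP, htype Ethernet, ptype IPv4, hlen 6, plen 4. */
static const uint8_t arp_hdr[8] = { 0x08, 0x06, 0x00, 0x01, 0x08, 0x00, 6, 4 };

/* frame = 14-byte Ethernet II header + 28-byte Ethernet/IPv4 ARP message. */
enum arp_verdict classify_arp(const uint8_t *frame, size_t len)
{
    if (len < 42 || memcmp(frame + 12, arp_hdr, sizeof arp_hdr) != 0)
        return NOT_ARP;
    const uint8_t *sea = frame + 6;    /* Ethernet source address */
    const uint8_t *sha = frame + 22;   /* ARP sender hardware address */
    unsigned op = ((unsigned)frame[20] << 8) | frame[21];
    if (memcmp(sea, sha, 6) == 0)
        return CONSISTENT;
    /* Limiting the exemption to replies (op 2) is this example's choice. */
    if (op == 2 && memcmp(sha, vmac_prefix, sizeof vmac_prefix) == 0)
        return VIRTUAL_MAC_REPLY;
    return MISMATCH;                   /* what arpwatch logs as "ethernet mismatch" */
}

/* Constructed sample addresses, not taken from the original message. */
const uint8_t phys_mac[6]  = { 0x02, 0x00, 0x00, 0xaa, 0xbb, 0x01 };
const uint8_t virt_mac[6]  = { 0x00, 0x00, 0x5e, 0x00, 0x01, 0x07 };
const uint8_t other_mac[6] = { 0x02, 0x00, 0x00, 0xaa, 0xbb, 0x02 };

/* Build a constructed 42-byte frame with sender IP 192.0.2.1 and classify it. */
enum arp_verdict sample(const uint8_t *sea, const uint8_t *sha, unsigned op)
{
    uint8_t f[42] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };  /* dst; rest zeroed */
    memcpy(f + 6, sea, 6);
    memcpy(f + 12, arp_hdr, sizeof arp_hdr);
    f[20] = (uint8_t)(op >> 8);
    f[21] = (uint8_t)(op & 0xff);
    memcpy(f + 22, sha, 6);
    f[28] = 192; f[30] = 2; f[31] = 1;   /* sender IP; f[29] is already 0 */
    return classify_arp(f, sizeof f);
}
```

Keeping `VIRTUAL_MAC_REPLY` as its own verdict lets a monitor count or rate-limit these frames instead of discarding them silently.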