hi tech,

This small diff does an additionnal check in pf_routable(),
If urpf failed and the interface the route is on is a carp interface,
then check wether the interface the packet was seen on is the carpdev of
the interface.

This allows carps on addressless interfaces (well it would work for
carps on interfaces which are on a different network too).

This was discussed with mcbride who thinks this might involve doing more
stuff, it works on my test machine.

Index: pf.c
================================================== =================
RCS file: /space/release/cvs/src/sys/net/pf.c,v
retrieving revision 1.518
diff -u -r1.518 pf.c
--- pf.c 31 Oct 2006 14:49:01 -0000 1.518
+++ pf.c 16 Nov 2006 16:18:04 -0000
@@ -5417,6 +5417,15 @@
if (kif != NULL && (kif->pfik_ifp == NULL ||
kif->pfik_ifp != ro.ro_rt->rt_ifp))
ret = 0;
+ /*
+ * If the interface is a carp one see if the packet was
+ * seen on the underlying interface
+ */
+ if (kif != NULL && ret == 0) {
+ if (ro.ro_rt->rt_ifp->if_type == IFT_CARP &&
+ ro.ro_rt->rt_ifp->if_carpdev == kif->pfik_ifp)
+ ret = 1;
+ }
RTFREE(ro.ro_rt);
} else
ret = 0;