From: Ryan McBride
Subject: carp and pf interface

One side effect of the carpdev change is that in cases where the carp interface and the physical interface have addresses on the same subnet, incoming traffic goes through the carp interface, while outgoing traffic goes through the physical interface. This makes filtering on the interface more complicated, and breaks if-bound states.

What I'd like to see is the work on interface groups completed, which would allow you to add the physical interface and the carp interface to the same group (we could even have automatically created groups, eg fxp0:carp1).

    pass on fxp0:carp1 proto tcp ...

In the interim, how about the following diff which retains the old behaviour (to pf, all traffic appears to flow on the physical interface):

Index: pf.c =================================================================== RCS file: /cvs/src/sys/net/pf.c,v retrieving revision 1.472 diff -u -r1.472 pf.c --- pf.c 10 Dec 2004 22:13:25 -0000 1.472 +++ pf.c 13 Dec 2004 03:14:11 -0000 @@ -5603,6 +5603,9 @@ (m_tag_find(m, PACKET_TAG_PF_GENERATED, NULL) != NULL)) return (PF_PASS); + if (ifp->if_type == IFT_CARP && ifp->if_carpdev) + ifp = ifp->if_carpdev; + kif = pfi_index2kif[ifp->if_index]; if (kif == NULL) return (PF_DROP); @@ -5909,6 +5912,9 @@ if (!pf_status.running || (m_tag_find(m, PACKET_TAG_PF_GENERATED, NULL) != NULL)) return (PF_PASS); + + if (ifp->if_type == IFT_CARP && ifp->if_carpdev) + ifp = ifp->if_carpdev; kif = pfi_index2kif[ifp->if_index]; if (kif == NULL)
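Review bot: in the first hunk (pf_test, at 5603) the remap `ifp = ifp->if_carpdev` is placed before the `pfi_index2kif[ifp->if_index]` lookup, so every rule match, state lookup and state creation after this point is keyed on the physical interface, not the carp interface; that is the intended effect (if-bound states bind to the same kif in both directions again), but it also means an existing ruleset with `on carp1` rules will silently stop matching once this goes in, and nothing in the diff or the message flags that, so the behaviour change deserves a line in the commit message and in pf.conf(5). The `ifp->if_carpdev` NULL test is the right guard for a carp interface that has not been given a carpdev yet; consider a short comment above the two lines saying why carp packets are attributed to the parent, since the same idiom will otherwise look like a stray special case to the next reader of pf_test.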
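Review bot: in the second hunk (pf_test6, at 5909) the added blank line sits before the `if (ifp->if_type == IFT_CARP ...)` block, whereas in the pf_test hunk it sits after the assignment and before the `kif =` lookup; pick one layout for both so the two functions stay diffable against each other (the pf_test form, blank line after `ifp = ifp->if_carpdev;`, reads better because it separates the remap from the lookup that depends on it). The two-line remap is now duplicated verbatim in pf_test and pf_test6; a tiny static inline helper, or doing the carp-to-carpdev substitution once in the callers before pf_test/pf_test6 are entered, would keep a single place to update if the carp/carpdev relationship changes again.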