Subject: Re: ipf, ipv6 & arp questions
To: None <firstname.lastname@example.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
Date: 10/15/2001 19:57:01
> It seems this is a fundamental flaw in the BSD network stack in that
> it doesn't keep arp-entries per-interface for all interfaces.
It kind of does, but the sense in which it does isn't very useful in
this case, actually.
ARP entries are actually routing-table routes with appropriate flag
bits set, and like all routing table entries, they go out an interface.
Yes, ARP entries have interfaces associated with them. In particular,
it is possible to route traffic out an interface it would not normally
go out by installing an ARP entry specifically pointing to that
interface. (You can't do this with any command-line tool I know of,
but by picking a value for sdl_index in the destination struct
sockaddr_dl, it's easy enough to do programmatically. I have code
that does it if anyone wants.)
What ISTM you want is for the ARP code to respond only when the request
came in on the interface the ARP entry points out of (possibly with an
exception for proxy ARP entries). A quick look makes me think this
could be done by hacking on in_arpinput (in netinet/if_arp.c), but it's
not entirely clear exactly where; I'd have to trace the code much more
carefully than I have time to right now. I hope the pointer helps you.
/~\ The ASCII                          der Mouse
\ / Ribbon Campaign
 X  Against HTML              email@example.com
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
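The check the reply above proposes for in_arpinput(), modelled in user space as an added example (this is not code from the mail or from NetBSD). The ARP table, the interface indexes standing in for sdl_index, the frames and the function names are all constructed here; the point is the policy: a request for an address is answered only when it arrived on the interface the matching entry points out of, with proxy (published) entries exempt.

```c
/* Added example, not code from the original mail or from NetBSD: a
 * user-space model of the per-interface ARP reply check sketched above.
 * The table, interface indexes (standing in for sdl_index) and frames are
 * all constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHERTYPE_ARP 0x0806
#define ARPOP_REQUEST 1
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* An ARP entry modelled the way the mail describes it: a host route whose
 * link-level destination carries an interface index (sdl_index). */
struct arp_entry {
    uint32_t ip;        /* protocol address, host byte order */
    uint8_t  mac[6];
    int      ifindex;   /* interface the route goes out (assumed indexes) */
    bool     proxy;     /* published/proxy-ARP entry: answer on any interface */
};

/* Constructed table: two local addresses on different interfaces plus one
 * proxy entry. Interface numbers 1 and 2 are arbitrary. */
static const struct arp_entry arp_table[] = {
    { IP4(10, 0, 0, 1),     {0x00,0x00,0x5e,0x00,0x53,0x01}, 1, false },
    { IP4(192, 168, 1, 1),  {0x00,0x00,0x5e,0x00,0x53,0x02}, 2, false },
    { IP4(192, 168, 1, 50), {0x00,0x00,0x5e,0x00,0x53,0x02}, 2, true  },
};
#define ARP_TABLE_LEN (sizeof arp_table / sizeof arp_table[0])

struct arp_req { uint16_t op; uint8_t sha[6]; uint32_t spa, tpa; };

/* Parse an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet. */
static bool parse_arp(const uint8_t *f, size_t len, struct arp_req *out)
{
    if (len < 14 + 28) return false;                 /* Ethernet + ARP header */
    if (((f[12] << 8) | f[13]) != ETHERTYPE_ARP) return false;
    const uint8_t *a = f + 14;
    if (((a[0] << 8) | a[1]) != 1 || ((a[2] << 8) | a[3]) != 0x0800) return false;
    if (a[4] != 6 || a[5] != 4) return false;        /* hlen, plen */
    out->op  = (uint16_t)((a[6] << 8) | a[7]);
    memcpy(out->sha, a + 8, 6);
    out->spa = IP4(a[14], a[15], a[16], a[17]);
    out->tpa = IP4(a[24], a[25], a[26], a[27]);
    return true;
}

/* The proposed check: answer only if the request for tpa arrived on the
 * interface the matching entry points out of, except for proxy entries.
 * Returns the table index to answer with, or -1 to stay silent. */
static int arp_should_reply(const struct arp_req *req, int in_ifindex)
{
    if (req->op != ARPOP_REQUEST) return -1;
    for (size_t i = 0; i < ARP_TABLE_LEN; i++) {
        if (arp_table[i].ip != req->tpa) continue;
        if (arp_table[i].proxy || arp_table[i].ifindex == in_ifindex)
            return (int)i;
        return -1;  /* known address, but asked about on the wrong interface */
    }
    return -1;
}

/* Build a constructed broadcast ARP request for tpa; returns its length. */
static size_t build_arp_request(uint8_t *buf, uint32_t spa, uint32_t tpa)
{
    static const uint8_t sha[6] = {0x02,0x00,0x00,0x00,0x00,0xaa};
    memset(buf, 0xff, 6);
    memcpy(buf + 6, sha, 6);
    buf[12] = 0x08; buf[13] = 0x06;
    uint8_t *a = buf + 14;
    memset(a, 0, 28);
    a[1] = 1; a[2] = 0x08; a[3] = 0x00; a[4] = 6; a[5] = 4; a[7] = ARPOP_REQUEST;
    memcpy(a + 8, sha, 6);
    for (int i = 0; i < 4; i++) {
        a[14 + i] = (uint8_t)(spa >> (24 - 8 * i));
        a[24 + i] = (uint8_t)(tpa >> (24 - 8 * i));
    }
    return 14 + 28;
}

/* Run one request through parse + policy; -1 means no reply is sent. */
static int check_request(uint32_t spa, uint32_t tpa, int in_ifindex)
{
    uint8_t frame[64];
    struct arp_req req;
    size_t len = build_arp_request(frame, spa, tpa);
    if (!parse_arp(frame, len, &req)) return -1;
    return arp_should_reply(&req, in_ifindex);
}

int main(void)
{
    printf("10.0.0.1 asked on if1: %d\n", check_request(IP4(10,0,0,9), IP4(10,0,0,1), 1));
    printf("10.0.0.1 asked on if2: %d\n", check_request(IP4(192,168,1,9), IP4(10,0,0,1), 2));
    printf("proxy 192.168.1.50 on if1: %d\n", check_request(IP4(10,0,0,9), IP4(192,168,1,50), 1));
    return 0;
}
```

The second call is the case the thread is about: a request for the interface-1 address seen on interface 2 gets no answer, where the unmodified stack would reply because the entry is in the table. The model keys its lookup on the interface index alone; the real change would compare the index from the ARP entry's sockaddr_dl against the receiving ifnet in in_arpinput, and the kernel's proxy-ARP handling would have to be checked rather than assumed to look like the `proxy` flag here.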